How To Patch Running Linux Kernel?

Post by chandranjoy » Mon Mar 22, 2010 4:24 pm

Patching a production kernel is a risky business. The following procedure explains how to apply a Linux kernel patch.

Step # 1: Make sure your product is affected
First find out if your product is affected by the reported exploit. For example, the vmsplice() exploit affects only RHEL 5.x; RHEL 4.x, 3.x, and 2.1.x are not affected at all. You can always obtain this information by visiting the vendor's bug reporting system (Bugzilla). Also make sure the bug affects your architecture. For example, a bug may affect only 64-bit or only 32-bit platforms.

Step # 2: Apply patch
You should apply and test the patch in a test environment first. Please note that some vendors, such as Red Hat and SUSE, modify or backport the kernel, so it is a good idea to apply the patch to their kernel source tree. Otherwise you can always grab the latest kernel version and apply the patch to it.

Step # 3: How do I apply kernel patch?
[Warning: examples may crash your computer] WARNING! These instructions require the skills of a sysadmin. Personally, I avoid recompiling any kernel unless absolutely necessary. Most of our production boxes (over 1400+) are powered by a mix of RHEL 4 and 5. A wrong kernel option can disable hardware or leave the system unable to boot at all. If you don't understand the internal kernel dependencies, don't try this on a production box.

Change directory to your kernel source code:
# cd linux-2.6.xx.yy

Download and save the patch file as fix.vmsplice.exploit.patch, then display it:
# cat fix.vmsplice.exploit.patch

Output:
--- a/fs/splice.c
+++ b/fs/splice.c
@@ -1234,7 +1234,7 @@ static int get_iovec_page_array(const struct iovec __user *iov,
if (unlikely(!len))
break;
error = -EFAULT;
- if (unlikely(!base))
+ if (!access_ok(VERIFY_READ, base, len))
break;

/*
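Review bot: On the replaced condition in get_iovec_page_array(), the new access_ok(VERIFY_READ, base, len) test drops both the explicit !base check and the unlikely() hint that the old line carried. If a NULL base is meant to be rejected by the range check or by later code, a one-line comment saying so would make that intent reviewable. Since this is still the error path (error is set to -EFAULT just before the break), consider keeping the branch hint, as in if (unlikely(!access_ok(VERIFY_READ, base, len))).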


Before applying the patch, do a dry run as follows:
# patch --dry-run -p1 -i fix.vmsplice.exploit.patch


Finally, if the dry run gives a good result, proceed and enjoy the compilation.

Now apply the patch using the patch command. Enter:
# patch < fix.vmsplice.exploit.patch -p1

Now recompile and install the Linux kernel.


Other Method

How to Apply Kernel Patches
With each new kernel release, there is a corresponding 'patch'. The simplest way to patch your kernel is to follow the directions in the Kernel HOWTO - Patching your kernel.

How to Apply the Unofficial Kernel Patches
Patches are easy to apply, once you understand a few simple concepts:

* Patches are usually for a specific version of the kernel. This means old patches may not work with newer kernels.
* Patches are generally built from 'clean' unpatched kernel sources. So, one patch may make a change that causes other patches to fail.
* Patches are not part of the released kernel tree, so do not be surprised if they don't work. Always keep a backup of your original kernel source!

Now, on to applying the patches. Normally all you need to do is simply issue the following command:

patch -p0 < patch-file-name-here


This should be done from the /usr/src directory.

Sometimes the patch authors do not include the full path to the files that are being patched. In this case you will need to change to the directory that contains the file. Simply look at the patch file; in the first few lines you should see something like this:

--- drivers/block/rd.c.orig Tue Jul 2 17:08:41 1996
+++ drivers/block/rd.c Mon Sep 30 19:24:06 1996


This tells you that the file being patched is drivers/block/rd.c and the relative path from the /usr/src/ directory is included. But if you see something like this:

--- isdn_common.c~ Fri Nov 22 21:33:10 1996
+++ isdn_common.c Mon Mar 31 01:46:57 1997


This tells you that you will need to find the file isdn_common.c and change to the directory containing this file before you apply the patch.
chandranjoy
Site Admin
 
Posts: 283
Joined: Fri Oct 23, 2009 11:19 pm
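
The header inspection and the dry-run-before-apply step described in the post, combined into one helper. This is an added example, not part of the original post: the function names are hypothetical, it goes beyond the post by trying -p0 through -p3 automatically, and it assumes the patch only modifies existing files.

```shell
#!/bin/sh
# Added example, not from the original post; all function names are hypothetical.
# Handles patches that modify existing files (no /dev/null create/delete headers).

# Print the target path from each "+++ " header, dropping any timestamp.
patch_targets() {
    sed -n 's/^+++ \([^[:space:]]*\).*/\1/p' "$1"
}

# Remove N leading path components from a path, the way patch -pN does.
strip_components() {
    p=$1; n=$2
    while [ "$n" -gt 0 ]; do
        case $p in */*) p=${p#*/} ;; *) return 1 ;; esac
        n=$((n - 1))
    done
    printf '%s\n' "$p"
}

# Print the smallest N in 0..3 for which every target exists under TREE ($2).
find_strip_level() {
    targets=$(patch_targets "$1")
    [ -n "$targets" ] || return 1
    for n in 0 1 2 3; do
        ok=1
        for t in $targets; do
            rel=$(strip_components "$t" "$n") && [ -f "$2/$rel" ] || { ok=0; break; }
        done
        if [ "$ok" -eq 1 ]; then echo "$n"; return 0; fi
    done
    return 1
}

# Dry-run first; touch the tree only if the dry run is clean.
# The patch file ($1) must be an absolute path because we cd into TREE ($2).
safe_apply() {
    lvl=$(find_strip_level "$1" "$2") || { echo "no -p level fits $2" >&2; return 1; }
    ( cd "$2" && patch --dry-run -p"$lvl" -i "$1" >/dev/null ) || return 1
    ( cd "$2" && patch -p"$lvl" -i "$1" )
}

# Constructed demo: a one-file tree and a header-only patch in a temp dir.
demo() {
    d=$(mktemp -d) && mkdir -p "$d/tree/fs" && : > "$d/tree/fs/splice.c"
    printf '%s\n' '--- a/fs/splice.c' '+++ b/fs/splice.c' > "$d/fix.patch"
    rc=0; find_strip_level "$d/fix.patch" "$d/tree" || rc=$?
    rm -rf "$d"; return "$rc"
}
```

When find_strip_level fails for the tree root, the patch header carries no directory part, which is the isdn_common.c case above: point it at the directory that actually contains the file.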
