My First Kernel Patch - Part 2

Introduction

This journal entry was written by me, Brandon Nolet, in the context that I’m patching a kernel right now due to the SACK Panic vulnerability.

Disclaimer

This post contains unexplained material. This post assumes the reader possesses a certain level of knowledge related to computing and software.

First Time

When I started this miniseries, I was naive, inexperienced, and wholly ignorant about the kernel patching process. This has only changed a bit. The first time I wrote a kernel patching post (2 days ago) I figured it would be a single post-type thing. I was sorely mistaken.

Not only is this not going to be a single post thing. I think this might actually become a ten-part piece. Tonight’s progress will certainly be an indication. Either this series ends with me having a patched kernel or it ends with me giving up on it and waiting until Canonical comes out with their updates.

Oh, and even if it does fully compile, there’s no guarantee that I don’t leave my system in an irreparable state. That’s while I’ll be taking a snapshot of the VPS I’m patching before applying the new kernel.

The Present

I applied the patches but it seems one didn’t fully apply. I don’t think it’ll be a huge issue, but we shall see. For more details, here are the offending lines:

patching file net/ipv4/tcp_output.c
Hunk #1 FAILED at 1459.
1 out of 1 hunk FAILED -- saving rejects to file net/ipv4/tcp_output.c.rej

After I applied the patches, I followed a few more steps mentioned here. As I said in the previous post, things were taking way too long on the VPS so I moved the compilation process to my home computer. This meant that when copying the configuration file I had to do that from the VPS to my home machine. I’m not running the same version of Ubuntu as my VPS.

Reading around, I’m finding that I need a few more packages on top of what’s recommended in the stackoverflow thread. So far what’s not been installed was `libelf-dev`.

I found out that that package was needed when it was pointed out to me when running `make` on the kernel source for the first time.


Cannot use CONFIG_STACK_VALIDATION=y, please install libelf-dev, libelf-devel or elfutils-libelf-devel

Missed Package Installed

So now that I’ve installed that package, let’s see what happens…

I got a few errors. They are the following:


error: #error New address family defined, please update secclass_map.
make[5]: *** [scripts/Makefile.host:90: scripts/selinux/mdp/mdp] Error 1
make[4]: *** [scripts/Makefile.build:604: scripts/selinux/mdp] Error 2
make[3]: *** [scripts/Makefile.build:604: scripts/selinux] Error 2
make[3]: *** [scripts/Makefile.build:604: scripts/mod] Error
/bin/bash: ./scripts/ubuntu-retpoline-extract-one: No such file or directory
make[3]: *** [scripts/Makefile.build:433: arch/x86/purgatory/stack.o] Error 127
make[3]: *** [scripts/Makefile.build:330: arch/x86/purgatory/purgatory.o] Error 127
make[3]: *** [scripts/Makefile.build:433: arch/x86/purgatory/setup-x86_64.o] Error 127
make[2]: *** [arch/x86/Makefile:261: archprepare] Error 2
make[2]: *** [Makefile:589: scripts] Error 2
make[1]: *** [scripts/package/Makefile:88: deb-pkg] Error 2
make: *** [Makefile:1389: deb-pkg] Error 2

I’m going to start by taking a whack at the New address family error. Many sources are pointing out an issue with glibc. Turned out to be able to fix the issue with a patch located at the end of this webpage. I attempted another compilation and received the following errors:


make[4]: *** [scripts/Makefile.build:332: scripts/mod/empty.o] Error 127
make[3]: *** [scripts/Makefile.build:604: scripts/mod] Error 2
make[2]: *** [Makefile:589: scripts] Error 2
make[1]: *** [scripts/package/Makefile:88: deb-pkg] Error 2
make: *** [Makefile:1389: deb-pkg] Error 2

Looks like some similar stuff compared to the last one, but I notice there are certainly less errors. Let’s tackle that error 127. Wait, looks like that patch didn’t work, and it was just a fluke. THE NEW ADDRESS ERROR HAS RETURNED.

Without Modifications

So @geniusmusing has posed the fact that his programs always have compiled on first try, because he refuses to make any changes before the first compile.

just to make sure if it fails later it is me not something else.

I’m going to re-clone the kernel source and compile right away, to see what happens. Time to download 6.7 million objects. This time I’m actually looking through the TUI and exploring some of these options that I can set. Maybe there’s something useful in here that I missed previously.

New Guide

Nothing particularly interesting here. Tried compiling without the patches, and got the same errors. Is it possible that this source is tainted? I don’t know, but instead of trying to same thing over and over again, let’s try this.

So far the kernel has been compiling for at least 10 minutes. I didn’t expect it to take this long but I’m happy to see the terminal just go up and up and up and up. Turns out I was also missing some packages. Those packages are `libsigsegv2 m4 flex libbison-dev bison ccache libfl2 libfl-dev`.

Conclusion

Welp, my partner is home and this is probably going to continue for a while. I’ll let you all know how it finishes tomorrow!