madisongh / kernel-cve-tool Goto Github PK

I found a case where the above grep pattern (for the subject) results in the CVE being reported as fixed, when in fact it is not fixed. The result differs from what www.linuxkernelcves.com reports for the same CVE.

When analysing the stable-5.10.y kernel, the issue shows up for CVE-2021-4037.

1. Note the issue is in the XFS filesystem, and it is fixed in 5.12 kernel, however it has not been backported to earlier kernels
2. However a very similar issue in CEPH was fixed in 5.16, and that fix was backported to 5.10.y

The problem arises because the commit message for (2) includes the subject line of commit (1), even though (2) does not fix (1). So git log --grep matches and the CVE is classified as Fixed, when it should be Unfixed.

I am not sure how common this situation is, but I figured I'd report it. Perhaps the intention was to search only the subject lines?

This conversion to integer fails on tags such as v5.10.106-rt64 (which comes from the linux-stable-rt.git repository).
One possible solution is to just ignore the extra suffix:

sublevel = int(re.split('[-.]', tag)[2])

Another potential idea would be to let git sort the tags, and then just take the last one:

git tag -l --sort=version:refname v{}.{}.*