chuzhongyun/CVE-2026-53359-Kernel-Fix

GitHub: chuzhongyun/CVE-2026-53359-Kernel-Fix

一份通过源码编译方式将 Linux 内核升级至 7.1.3 以修复 KVM x86 UAF 漏洞(CVE-2026-53359)的详细操作指南。

Stars: 2 | Forks: 1

[中文](#中文) | [English](#english) ## 中文 # Linux Kernel 7.1.3 升级修复 CVE-2026-53359 教程 ### 1. 简介 本文档记录在 CentOS Stream 8 环境下,通过源码方式升级 Linux Kernel 至 7.1.3,用于修复 **CVE-2026-53359**。 | 项目 | 说明 | |------|------| | **CVE 编号** | CVE-2026-53359 | | **漏洞组件** | Linux Kernel KVM x86 Shadow MMU | | **漏洞类型** | Use After Free (UAF) | | **修复方式** | 升级 Linux Kernel 至包含修复代码的 stable 版本 | **漏洞影响:** KVM x86 Shadow Paging 场景中,异常情况下可能出现释放后的页面仍被 rmap 条目引用,引发内存安全问题。 ### 2. 环境信息 | 项目 | 信息 | |------|------| | 系统 | CentOS Stream 8 | | 升级前内核 | 6.18.8-1.el8.elrepo.x86_64 | | 升级后内核 | 7.1.3 | | 架构 | x86_64 | | 虚拟化 | KVM Intel | **查看当前环境:** cat /etc/os-release uname -r ### 3. 选择源码编译原因 由于本人服务器环境中: - ELRepo Kernel RPM 仓库无法稳定拉取; - 未找到适合当前环境的 RPM 更新包; - 需要直接使用 Linux Kernel 官方 stable 修复版本; **因此采用:** kernel.org 官方 stable 源码编译方式升级内核。 **说明:** 该方案仅为本人服务器环境下的解决方法,不代表所有环境必须使用源码编译。 ### 4. 下载源码 **官方下载:** https://cdn.kernel.org/pub/linux/kernel/v7.x/linux-7.1.3.tar.xz **下载命令:** wget https://cdn.kernel.org/pub/linux/kernel/v7.x/linux-7.1.3.tar.xz **上传位置(离线环境):** /root/linux-7.1.3.tar.xz ### 5. 安装编译依赖 dnf groupinstall "Development Tools" -y dnf install -y \ ncurses-devel \ elfutils-libelf-devel \ openssl-devel \ bc \ bison \ flex \ perl \ dwarves ### 6. 解压源码 mkdir -p /usr/src cd /usr/src tar -xf /root/linux-7.1.3.tar.xz cd linux-7.1.3 ls Makefile # 应显示: Makefile ### 7. 使用现有配置 # 复制当前配置 cp /boot/config-$(uname -r) .config # 生成新配置 make olddefconfig # 检查 KVM 配置 grep -E "CONFIG_KVM|CONFIG_KVM_INTEL" .config **预期输出:** CONFIG_KVM=m CONFIG_KVM_X86=m CONFIG_KVM_INTEL=m ### 8. 编译内核 # 查看 CPU 线程数 nproc # 编译(使用所有核心) make -j$(nproc) # 验证内核镜像 ls -lh arch/x86/boot/bzImage ### 9. 安装内核模块 # 安装模块 make modules_install # 验证安装 ls /lib/modules/ # 检查 KVM 模块 find /lib/modules/7.1.3 -name "kvm*.ko*" **预期输出:** kvm.ko kvm-intel.ko kvm-amd.ko ### 10. 安装内核镜像 # 安装内核 make install # 验证安装 ls -lh /boot | grep 7.1.3 **预期输出:** vmlinuz-7.1.3 initramfs-7.1.3.img System.map-7.1.3 ### 11. 更新启动项 # 生成 GRUB 配置 grub2-mkconfig -o /boot/grub2/grub.cfg # 设置默认内核 grubby --set-default /boot/vmlinuz-7.1.3 # 验证默认内核 grubby --default-kernel **预期输出:** /boot/vmlinuz-7.1.3 ### 12. 重启 reboot ### 13. 验证 **查看内核版本:** uname -r # 预期: 7.1.3 **查看 KVM 模块:** lsmod | grep kvm # 预期: kvm_intel, kvm, irqbypass **验证 KVM 模块位置:** modinfo kvm_intel | grep filename # 预期: /lib/modules/7.1.3/kernel/arch/x86/kvm/kvm-intel.ko ### 14. 回滚 **列出可用内核:** grubby --info=ALL | grep kernel **如果新内核有问题,设置旧内核:** grubby --set-default /boot/vmlinuz-6.18.8-1.el8.elrepo.x86_64 reboot ### 15. 最终结果 | 项目 | 升级前 | 升级后 | |------|--------|--------| | 内核版本 | 6.18.8-1.el8.elrepo.x86_64 | 7.1.3 | | KVM 状态 | N/A | 已启用 | | CVE-2026-53359 | 受影响 | 已修复 | ## English # Linux Kernel 7.1.3 Upgrade Guide for CVE-2026-53359 Fix ### 1. Introduction This repository documents the manual Linux Kernel upgrade process for fixing **CVE-2026-53359**. | Item | Description | |------|-------------| | **CVE ID** | CVE-2026-53359 | | **Affected Component** | Linux Kernel KVM x86 Shadow MMU | | **Vulnerability Type** | Use After Free (UAF) | | **Fix Method** | Upgrade Linux Kernel to 7.1.3 from kernel.org stable source | The vulnerability is related to KVM x86 shadow paging. Under specific conditions, freed pages may still be referenced by rmap entries, causing a potential memory safety issue. ### 2. Environment | Item | Value | |------|-------| | OS | CentOS Stream 8 | | Old Kernel | 6.18.8-1.el8.elrepo.x86_64 | | New Kernel | 7.1.3 | | Architecture | x86_64 | | Virtualization | KVM Intel | | Compiler | GCC 8.5 | **Check current environment:** cat /etc/os-release uname -r ### 3. Why Build From Source In my environment: - ELRepo Kernel RPM repository could not be accessed reliably. - I did not find another suitable RPM update method. - I needed to deploy the official Linux Kernel stable release. **Therefore:** I used the official kernel.org stable source code and built Kernel 7.1.3 manually. **Note:** This is my own environment solution, not a mandatory upgrade method for all systems. ### 4. Download Kernel Source **Official source:** https://cdn.kernel.org/pub/linux/kernel/v7.x/linux-7.1.3.tar.xz **Download:** wget https://cdn.kernel.org/pub/linux/kernel/v7.x/linux-7.1.3.tar.xz **Upload location (if offline):** /root/linux-7.1.3.tar.xz ### 5. Install Build Dependencies dnf groupinstall "Development Tools" -y dnf install -y \ ncurses-devel \ elfutils-libelf-devel \ openssl-devel \ bc \ bison \ flex \ perl \ dwarves \ tar \ xz **Verify compiler:** gcc --version ### 6. Extract Source Code mkdir -p /usr/src cd /usr/src tar -xf /root/linux-7.1.3.tar.xz cd linux-7.1.3 ls Makefile # Should show: Makefile ### 7. Import Existing Kernel Configuration # Copy current kernel configuration cp /boot/config-$(uname -r) .config # Generate new configuration make olddefconfig # Verify KVM configuration grep -E "CONFIG_KVM|CONFIG_KVM_INTEL" .config **Expected output:** CONFIG_KVM=m CONFIG_KVM_X86=m CONFIG_KVM_INTEL=m ### 8. Compile Kernel # Check CPU threads nproc # Compile (use all available cores) make -j$(nproc) # Verify kernel image ls -lh arch/x86/boot/bzImage ### 9. Install Kernel Modules # Install modules make modules_install # Verify installation ls /lib/modules/ # Check KVM modules find /lib/modules/7.1.3 -name "kvm*.ko*" **Expected output:** kvm.ko kvm-intel.ko kvm-amd.ko ### 10. Install Kernel Image # Install kernel make install # Verify installation ls -lh /boot | grep 7.1.3 **Expected output:** vmlinuz-7.1.3 initramfs-7.1.3.img System.map-7.1.3 ### 11. Configure GRUB Bootloader # Generate GRUB configuration grub2-mkconfig -o /boot/grub2/grub.cfg # Set default kernel grubby --set-default /boot/vmlinuz-7.1.3 # Verify default kernel grubby --default-kernel **Expected output:** /boot/vmlinuz-7.1.3 ### 12. Reboot reboot ### 13. Verification After Reboot **Check kernel version:** uname -r # Expected: 7.1.3 **Check KVM modules:** lsmod | grep kvm # Expected: kvm_intel, kvm, irqbypass **Verify KVM module location:** modinfo kvm_intel | grep filename # Expected: /lib/modules/7.1.3/kernel/arch/x86/kvm/kvm-intel.ko ### 14. Rollback Procedure **List available kernels:** grubby --info=ALL | grep kernel **If the new kernel has issues, set old kernel:** grubby --set-default /boot/vmlinuz-6.18.8-1.el8.elrepo.x86_64 reboot ### 15. Final Result | Item | Before | After | |------|--------|-------| | Kernel Version | 6.18.8-1.el8.elrepo.x86_64 | 7.1.3 | | KVM Status | N/A | Enabled | | CVE-2026-53359 | Vulnerable | Remediated | ## License MIT
标签:内核升级, 安全渗透, 漏洞修复, 系统运维, 编译指南, 网络安全培训