Characteristics, Root Causes, and Detection of Incomplete Security Bug Fixes in the Linux Kernel
Qiang Liu, Wenlong Zhang, Muhui Jiang, Lei Wu, Yajin Zhou
TL;DR
The paper investigates incomplete security bug fixes in the Linux kernel, a phenomenon where patches fail to fully remediate or introduce new issues. It builds the first dataset of incomplete fixes (26 cases across 52 CVEs), performs empirical characterization across pre-, in-, and post-fix stages, and develops a fix-pattern fingerprinting method using FixMiner to detect missing-similar-component incomplete fixes. The study identifies patterns in temporal distribution, remediation lag, vulnerability types, and patch characteristics, and validates the approach by uncovering two previously unknown incomplete fixes in the kernel. The work provides actionable guidance for more complete security patches and demonstrates a practical detection tool with potential to strengthen kernel security workflows.
Abstract
Security bugs in the Linux kernel emerge endlessly and have attracted much attention. However, fixing security bugs in the Linux kernel could be incomplete due to human mistakes. Specifically, an incomplete fix fails to repair all the original security defects in the software, fails to properly repair the original security defects, or introduces new ones. In this paper, we study the fixes of incomplete security bugs in the Linux kernel for the first time, and reveal their characteristics, root causes, as well as detection. We first construct a dataset of incomplete security bug fixes in the Linux kernel and answer the following three questions. What are the characteristics of incomplete security bug fixes in the Linux kernel? What are the root causes behind them? How should they be detected to reduce security risks? We then have the three main insights in the following. (*Due to the notification of arXiv "The Abstract field cannot be longer than 1,920 characters", the appeared Abstract is shortened. For the full Abstract, please download the Article.)