How to determine the minimum Linux Kernel version required for a given vulnerability

Question

I have to track vulnerabilities for a legacyish (3.12) Linux Kernel. For this purpose I'm searching on various sites like NVD for new vulnerabilities. Recently I encountered a problem where the affected version of the vulnerability was described as cpe:/o:linux:linux_kernel:4.4:rc8 and previous versions. But when I compared the sources of the Linux Kernel version 3.12 with the fix for this vulnerability I can see that the modification which caused the vulnerability was applied in a later version. This leads me to the question:

Is there a way to determine the version of the Linux Kernel where a vulnerability was introduced without analyzing the source code manually?

Answer 1

Someone has to analyze the code manually to find out when the vulnerability was introduced. If someone isn't telling you what version it was introduced in (which usually is only the case with high-profile vulnerabilities where someone wants to proudly proclaim how insecure and scary something is), you have to do it yourself. Unfortunately it's not always as simple as a single line with a vulnerability being added, but rather interplay between multiple components leading to an exploitable situation.

Answer 2

The https://www.kernel-exploits.com website is useful in this regard. For example, check out the results for sock_sendpage, CVE-2009-2692:

sock_sendpage

Kernels: 2.4.4, 2.4.5, 2.4.6, 2.4.7, 2.4.8, 2.4.9, 2.4.10, 2.4.11, 2.4.12, 2.4.13, 2.4.14, 2.4.15, 2.4.16, 2.4.17, 2.4.18, 2.4.19, 2.4.20, 2.4.21, 2.4.22, 2.4.23, 2.4.24, 2.4.25, 2.4.26, 2.4.27, 2.4.28, 2.4.29, 2.4.30, 2.4.31, 2.4.32, 2.4.33, 2.4.34, 2.4.35, 2.4.36, 2.4.37, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.6.5, 2.6.6, 2.6.7, 2.6.8, 2.6.9, 2.6.10, 2.6.11, 2.6.12, 2.6.13, 2.6.14, 2.6.15, 2.6.16, 2.6.17, 2.6.18, 2.6.19, 2.6.20, 2.6.21, 2.6.22, 2.6.23, 2.6.24, 2.6.25, 2.6.26, 2.6.27, 2.6.28, 2.6.29, 2.6.30