Skip to content

diedromeo/Patch-Diff-Research

Repository files navigation

Patch-Diff-Research

Patch-Diff-Research

Reverse engineering the fix. For each vulnerability: the vulnerable code, the patched code, the diff, and a clear explanation of why the fix actually works.

License CI SemVer


🎯 What this is

Patch-diffing turns a vendor fix into a root-cause understanding. Each study takes the public vulnerable and patched releases of a project and walks the delta:

Section Question it answers
Root cause What flawed assumption or missing check created the bug?
Vulnerable code The exact pre-patch code path, annotated
The patch The upstream commit / diff that fixed it
Why the fix works How the change closes the primitive — and edge cases
Regression risk What the fix might break; how upstream tested it

🗂️ Study structure (contract)

studies/<project>-CVE-YYYY-NNNNN/
├── README.md              # The analysis (sections above)
├── vulnerable/            # Minimal excerpt of the pre-patch code (with source ref)
├── patched/               # Post-patch code excerpt
├── diff/                  # Annotated unified diff + upstream commit link
└── docs/                  # Call-graph / data-flow diagrams

Code excerpts are minimal, attributed to their upstream source and license, and included strictly for analysis and education.

🔬 Method

  1. Pin the last-vulnerable and first-patched tags from the upstream repo.
  2. Isolate the security-relevant hunk (ignore unrelated churn).
  3. Trace the data/control flow into the vulnerable primitive.
  4. Explain the fix and verify the primitive is genuinely closed.
  5. Cross-link the runnable reproduction in CVE-Labs-2025-2026.

🧭 Status

⏳ Studies land alongside each CVE lab. See CHANGELOG.md.

🧭 Portfolio

Part of the diedromeo security portfolio.

📄 License

MIT for the analysis and tooling. Third-party code excerpts remain under their original upstream licenses, as noted per study.

About

Vulnerable-vs-patched reverse engineering: root cause, vulnerable code, the fix, and why it works.

Topics

Resources

License

Code of conduct

Contributing

Security policy

Stars

0 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors