Blame view
scripts/leaking_addresses.pl
12.8 KB
136fc5c41 scripts: add leak... |
1 |
#!/usr/bin/env perl |
4f19048fd treewide: Replace... |
2 |
# SPDX-License-Identifier: GPL-2.0-only |
136fc5c41 scripts: add leak... |
3 4 |
# # (c) 2017 Tobin C. Harding <me@tobin.cc> |
136fc5c41 scripts: add leak... |
5 |
# |
1410fe4ee leaking_addresses... |
6 |
# leaking_addresses.pl: Scan the kernel for potential leaking addresses. |
136fc5c41 scripts: add leak... |
7 8 9 |
# - Scans dmesg output. # - Walks directory tree and parses each file (for each directory in @DIRS). # |
136fc5c41 scripts: add leak... |
10 11 |
# Use --debug to output path before parsing, this is useful to find files that # cause the script to choke. |
136fc5c41 scripts: add leak... |
12 |
|
472c9e108 leaking_addresses... |
13 14 15 16 17 18 19 |
# # When the system is idle it is likely that most files under /proc/PID will be # identical for various processes. Scanning _all_ the PIDs under /proc is # unnecessary and implies that we are thoroughly scanning /proc. This is _not_ # the case because there may be ways userspace can trigger creation of /proc # files that leak addresses but were not present during a scan. For these two # reasons we exclude all PID directories under /proc except '1/' |
136fc5c41 scripts: add leak... |
20 21 22 23 24 25 26 27 |
use warnings; use strict; use POSIX; use File::Basename; use File::Spec; use Cwd 'abs_path'; use Term::ANSIColor qw(:constants); use Getopt::Long qw(:config no_auto_abbrev); |
62139c124 leaking_addresses... |
28 |
use Config; |
87e375885 leaking_addresses... |
29 |
use bigint qw/hex/; |
2f042c93a leaking_addresses... |
30 |
use feature 'state'; |
136fc5c41 scripts: add leak... |
31 32 |
my $P = $0; |
136fc5c41 scripts: add leak... |
33 34 35 |
# Directories to scan. my @DIRS = ('/proc', '/sys'); |
dd98c252a leaking_addresses... |
36 37 |
# Timer for parsing each file, in seconds. my $TIMEOUT = 10; |
1410fe4ee leaking_addresses... |
38 39 40 |
# Kernel addresses vary by architecture. We can only auto-detect the following # architectures (using `uname -m`). (flag --32-bit overrides auto-detection.) my @SUPPORTED_ARCHITECTURES = ('x86_64', 'ppc64', 'x86'); |
62139c124 leaking_addresses... |
41 |
|
136fc5c41 scripts: add leak... |
42 43 44 |
# Command line options. my $help = 0; my $debug = 0; |
d09bd8da8 leaking_addresses... |
45 46 47 |
my $raw = 0; my $output_raw = ""; # Write raw results to file. my $input_raw = ""; # Read raw results from file instead of scanning. |
d09bd8da8 leaking_addresses... |
48 49 50 |
my $suppress_dmesg = 0; # Don't show dmesg in output. my $squash_by_path = 0; # Summary report grouped by absolute path. my $squash_by_filename = 0; # Summary report grouped by filename. |
f9d2a42da leaking_addresses... |
51 |
my $kernel_config_file = ""; # Kernel configuration file. |
1410fe4ee leaking_addresses... |
52 53 |
my $opt_32bit = 0; # Scan 32-bit kernel. my $page_offset_32bit = 0; # Page offset for 32-bit kernel. |
136fc5c41 scripts: add leak... |
54 |
|
b401f56f3 leaking_addresses... |
55 56 57 58 |
# Skip these absolute paths. my @skip_abs = ( '/proc/kmsg', '/proc/device-tree', |
2ad742939 leaking_addresses... |
59 |
'/proc/1/syscall', |
b401f56f3 leaking_addresses... |
60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 |
'/sys/firmware/devicetree', '/sys/kernel/debug/tracing/trace_pipe', '/sys/kernel/security/apparmor/revision'); # Skip these under any subdirectory. my @skip_any = ( 'pagemap', 'events', 'access', 'registers', 'snapshot_raw', 'trace_pipe_raw', 'ptmx', 'trace_pipe', 'fd', 'usbmon'); |
136fc5c41 scripts: add leak... |
76 77 78 79 80 81 |
sub help { my ($exitcode) = @_; print << "EOM"; |
d09bd8da8 leaking_addresses... |
82 |
|
136fc5c41 scripts: add leak... |
83 |
Usage: $P [OPTIONS] |
136fc5c41 scripts: add leak... |
84 85 |
Options: |
15d60a35b leaking_addresses... |
86 87 88 89 90 91 |
-o, --output-raw=<file> Save results for future processing. -i, --input-raw=<file> Read results from file instead of scanning. --raw Show raw results (default). --suppress-dmesg Do not show dmesg results. --squash-by-path Show one result per unique path. --squash-by-filename Show one result per unique filename. |
f9d2a42da leaking_addresses... |
92 |
--kernel-config-file=<file> Kernel configuration file (e.g /boot/config) |
1410fe4ee leaking_addresses... |
93 94 |
--32-bit Scan 32-bit kernel. --page-offset-32-bit=o Page offset (for 32-bit kernel 0xABCD1234). |
15d60a35b leaking_addresses... |
95 |
-d, --debug Display debugging output. |
9ac060a70 leaking_addresses... |
96 |
-h, --help Display this help and exit. |
d09bd8da8 leaking_addresses... |
97 |
|
1410fe4ee leaking_addresses... |
98 |
Scans the running kernel for potential leaking addresses. |
136fc5c41 scripts: add leak... |
99 100 101 102 103 104 |
EOM exit($exitcode); } GetOptions( |
136fc5c41 scripts: add leak... |
105 106 |
'd|debug' => \$debug, 'h|help' => \$help, |
d09bd8da8 leaking_addresses... |
107 108 109 110 111 112 |
'o|output-raw=s' => \$output_raw, 'i|input-raw=s' => \$input_raw, 'suppress-dmesg' => \$suppress_dmesg, 'squash-by-path' => \$squash_by_path, 'squash-by-filename' => \$squash_by_filename, 'raw' => \$raw, |
f9d2a42da leaking_addresses... |
113 |
'kernel-config-file=s' => \$kernel_config_file, |
1410fe4ee leaking_addresses... |
114 115 |
'32-bit' => \$opt_32bit, 'page-offset-32-bit=o' => \$page_offset_32bit, |
136fc5c41 scripts: add leak... |
116 117 118 |
) or help(1); help(0) if ($help); |
d09bd8da8 leaking_addresses... |
119 120 121 122 123 124 125 126 127 128 129 130 131 |
if ($input_raw) { format_output($input_raw); exit(0); } if (!$input_raw and ($squash_by_path or $squash_by_filename)) { printf " Summary reporting only available with --input-raw=<file> "; printf "(First run scan with --output-raw=<file>.) "; exit(128); } |
1410fe4ee leaking_addresses... |
132 |
if (!(is_supported_architecture() or $opt_32bit or $page_offset_32bit)) { |
62139c124 leaking_addresses... |
133 134 135 136 137 138 139 140 141 142 143 |
printf " Script does not support your architecture, sorry. "; printf " Currently we support: "; foreach(@SUPPORTED_ARCHITECTURES) { printf "\t%s ", $_; } |
6efb74582 leaking_addresses... |
144 145 |
printf(" "); |
62139c124 leaking_addresses... |
146 |
|
1410fe4ee leaking_addresses... |
147 148 149 150 151 152 |
printf("If you are running a 32-bit architecture you may use: "); printf(" \t--32-bit or --page-offset-32-bit=<page offset> "); |
6efb74582 leaking_addresses... |
153 154 155 |
my $archname = `uname -m`; printf("Machine hardware name (`uname -m`): %s ", $archname); |
62139c124 leaking_addresses... |
156 157 158 |
exit(129); } |
d09bd8da8 leaking_addresses... |
159 160 161 162 163 |
if ($output_raw) { open my $fh, '>', $output_raw or die "$0: $output_raw: $! "; select $fh; } |
136fc5c41 scripts: add leak... |
164 165 166 167 |
parse_dmesg(); walk(@DIRS); exit 0; |
136fc5c41 scripts: add leak... |
168 169 170 171 |
sub dprint { printf(STDERR @_) if $debug; } |
62139c124 leaking_addresses... |
172 173 |
sub is_supported_architecture { |
1410fe4ee leaking_addresses... |
174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 |
return (is_x86_64() or is_ppc64() or is_ix86_32()); } sub is_32bit { # Allow --32-bit or --page-offset-32-bit to override if ($opt_32bit or $page_offset_32bit) { return 1; } return is_ix86_32(); } sub is_ix86_32 { |
5e4bac34e leaking_addresses... |
189 |
state $arch = `uname -m`; |
1410fe4ee leaking_addresses... |
190 191 192 193 194 195 |
chomp $arch; if ($arch =~ m/i[3456]86/) { return 1; } return 0; |
62139c124 leaking_addresses... |
196 |
} |
5eb0da056 leaking_addresses... |
197 |
sub is_arch |
62139c124 leaking_addresses... |
198 |
{ |
5eb0da056 leaking_addresses... |
199 200 201 202 203 204 205 206 207 |
my ($desc) = @_; my $arch = `uname -m`; chomp $arch; if ($arch eq $desc) { return 1; } return 0; } |
62139c124 leaking_addresses... |
208 |
|
5eb0da056 leaking_addresses... |
209 210 |
sub is_x86_64 { |
5e4bac34e leaking_addresses... |
211 212 |
state $is = is_arch('x86_64'); return $is; |
62139c124 leaking_addresses... |
213 214 215 216 |
} sub is_ppc64 { |
5e4bac34e leaking_addresses... |
217 218 |
state $is = is_arch('ppc64'); return $is; |
62139c124 leaking_addresses... |
219 |
} |
f9d2a42da leaking_addresses... |
220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 |
# Gets config option value from kernel config file. # Returns "" on error or if config option not found. sub get_kernel_config_option { my ($option) = @_; my $value = ""; my $tmp_file = ""; my @config_files; # Allow --kernel-config-file to override. if ($kernel_config_file ne "") { @config_files = ($kernel_config_file); } elsif (-R "/proc/config.gz") { my $tmp_file = "/tmp/tmpkconf"; if (system("gunzip < /proc/config.gz > $tmp_file")) { |
0f2994333 leaking_addresses... |
236 237 |
dprint("system(gunzip < /proc/config.gz) failed "); |
f9d2a42da leaking_addresses... |
238 239 240 241 242 243 244 245 246 247 248 |
return ""; } else { @config_files = ($tmp_file); } } else { my $file = '/boot/config-' . `uname -r`; chomp $file; @config_files = ($file, '/boot/config'); } foreach my $file (@config_files) { |
0f2994333 leaking_addresses... |
249 250 |
dprint("parsing config file: $file "); |
f9d2a42da leaking_addresses... |
251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 |
$value = option_from_file($option, $file); if ($value ne "") { last; } } if ($tmp_file ne "") { system("rm -f $tmp_file"); } return $value; } # Parses $file and returns kernel configuration option value. sub option_from_file { my ($option, $file) = @_; my $str = ""; my $val = ""; open(my $fh, "<", $file) or return ""; while (my $line = <$fh> ) { if ($line =~ /^$option/) { ($str, $val) = split /=/, $line; chomp $val; last; } } close $fh; return $val; } |
136fc5c41 scripts: add leak... |
283 284 |
sub is_false_positive { |
7e5758f7f leaking_addresses... |
285 |
my ($match) = @_; |
1410fe4ee leaking_addresses... |
286 287 288 289 290 |
if (is_32bit()) { return is_false_positive_32bit($match); } # 64 bit false positives. |
7e5758f7f leaking_addresses... |
291 292 293 294 |
if ($match =~ '\b(0x)?(f|F){16}\b' or $match =~ '\b(0x)?0{16}\b') { return 1; } |
136fc5c41 scripts: add leak... |
295 |
|
87e375885 leaking_addresses... |
296 297 |
if (is_x86_64() and is_in_vsyscall_memory_region($match)) { return 1; |
7e5758f7f leaking_addresses... |
298 |
} |
136fc5c41 scripts: add leak... |
299 |
|
7e5758f7f leaking_addresses... |
300 |
return 0; |
136fc5c41 scripts: add leak... |
301 |
} |
1410fe4ee leaking_addresses... |
302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 |
sub is_false_positive_32bit { my ($match) = @_; state $page_offset = get_page_offset(); if ($match =~ '\b(0x)?(f|F){8}\b') { return 1; } if (hex($match) < $page_offset) { return 1; } return 0; } # returns integer value sub get_page_offset { my $page_offset; my $default_offset = 0xc0000000; # Allow --page-offset-32bit to override. if ($page_offset_32bit != 0) { return $page_offset_32bit; } $page_offset = get_kernel_config_option('CONFIG_PAGE_OFFSET'); if (!$page_offset) { return $default_offset; } return $page_offset; } |
87e375885 leaking_addresses... |
335 336 337 338 339 340 341 342 343 344 |
sub is_in_vsyscall_memory_region { my ($match) = @_; my $hex = hex($match); my $region_min = hex("0xffffffffff600000"); my $region_max = hex("0xffffffffff601000"); return ($hex >= $region_min and $hex <= $region_max); } |
136fc5c41 scripts: add leak... |
345 346 347 |
# True if argument potentially contains a kernel address. sub may_leak_address { |
7e5758f7f leaking_addresses... |
348 |
my ($line) = @_; |
62139c124 leaking_addresses... |
349 |
my $address_re; |
136fc5c41 scripts: add leak... |
350 |
|
7e5758f7f leaking_addresses... |
351 352 |
# Signal masks. if ($line =~ '^SigBlk:' or |
a11949ec2 leaking_addresses... |
353 |
$line =~ '^SigIgn:' or |
7e5758f7f leaking_addresses... |
354 355 356 |
$line =~ '^SigCgt:') { return 0; } |
136fc5c41 scripts: add leak... |
357 |
|
7e5758f7f leaking_addresses... |
358 359 |
if ($line =~ '\bKEY=[[:xdigit:]]{14} [[:xdigit:]]{16} [[:xdigit:]]{16}\b' or $line =~ '\b[[:xdigit:]]{14} [[:xdigit:]]{16} [[:xdigit:]]{16}\b') { |
136fc5c41 scripts: add leak... |
360 |
return 0; |
7e5758f7f leaking_addresses... |
361 |
} |
136fc5c41 scripts: add leak... |
362 |
|
2f042c93a leaking_addresses... |
363 |
$address_re = get_address_re(); |
2306a6774 leaking_addresses... |
364 |
while ($line =~ /($address_re)/g) { |
7e5758f7f leaking_addresses... |
365 366 367 368 |
if (!is_false_positive($1)) { return 1; } } |
136fc5c41 scripts: add leak... |
369 |
|
7e5758f7f leaking_addresses... |
370 |
return 0; |
136fc5c41 scripts: add leak... |
371 |
} |
2f042c93a leaking_addresses... |
372 373 |
sub get_address_re { |
1410fe4ee leaking_addresses... |
374 |
if (is_ppc64()) { |
2f042c93a leaking_addresses... |
375 |
return '\b(0x)?[89abcdef]00[[:xdigit:]]{13}\b'; |
1410fe4ee leaking_addresses... |
376 377 |
} elsif (is_32bit()) { return '\b(0x)?[[:xdigit:]]{8}\b'; |
2f042c93a leaking_addresses... |
378 |
} |
1410fe4ee leaking_addresses... |
379 380 |
return get_x86_64_re(); |
2f042c93a leaking_addresses... |
381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 |
} sub get_x86_64_re { # We handle page table levels but only if explicitly configured using # CONFIG_PGTABLE_LEVELS. If config file parsing fails or config option # is not found we default to using address regular expression suitable # for 4 page table levels. state $ptl = get_kernel_config_option('CONFIG_PGTABLE_LEVELS'); if ($ptl == 5) { return '\b(0x)?ff[[:xdigit:]]{14}\b'; } return '\b(0x)?ffff[[:xdigit:]]{12}\b'; } |
136fc5c41 scripts: add leak... |
396 397 398 399 400 401 402 403 404 405 406 407 408 409 |
sub parse_dmesg { open my $cmd, '-|', 'dmesg'; while (<$cmd>) { if (may_leak_address($_)) { print 'dmesg: ' . $_; } } close $cmd; } # True if we should skip this path. sub skip { |
b401f56f3 leaking_addresses... |
410 |
my ($path) = @_; |
136fc5c41 scripts: add leak... |
411 |
|
b401f56f3 leaking_addresses... |
412 |
foreach (@skip_abs) { |
136fc5c41 scripts: add leak... |
413 414 415 416 |
return 1 if (/^$path$/); } my($filename, $dirs, $suffix) = fileparse($path); |
b401f56f3 leaking_addresses... |
417 |
foreach (@skip_any) { |
136fc5c41 scripts: add leak... |
418 419 420 421 422 |
return 1 if (/^$filename$/); } return 0; } |
dd98c252a leaking_addresses... |
423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 |
sub timed_parse_file { my ($file) = @_; eval { local $SIG{ALRM} = sub { die "alarm " }; # NB: required. alarm $TIMEOUT; parse_file($file); alarm 0; }; if ($@) { die unless $@ eq "alarm "; # Propagate unexpected errors. printf STDERR "timed out parsing: %s ", $file; } } |
136fc5c41 scripts: add leak... |
443 444 445 446 447 448 449 |
sub parse_file { my ($file) = @_; if (! -R $file) { return; } |
e2858cadd leaking_addresses... |
450 451 452 |
if (! -T $file) { return; } |
136fc5c41 scripts: add leak... |
453 454 455 456 457 458 459 460 |
open my $fh, "<", $file or return; while ( <$fh> ) { if (may_leak_address($_)) { print $file . ': ' . $_; } } close $fh; } |
c73dff595 leaking_addresses... |
461 462 463 464 465 466 467 468 469 470 |
# Checks if the actual path name is leaking a kernel address. sub check_path_for_leaks { my ($path) = @_; if (may_leak_address($path)) { printf("Path name may contain address: $path "); } } |
136fc5c41 scripts: add leak... |
471 472 473 474 |
# Recursively walk directory tree. sub walk { my @dirs = @_; |
136fc5c41 scripts: add leak... |
475 476 |
while (my $pwd = shift @dirs) { |
136fc5c41 scripts: add leak... |
477 478 479 480 481 482 483 484 485 |
next if (!opendir(DIR, $pwd)); my @files = readdir(DIR); closedir(DIR); foreach my $file (@files) { next if ($file eq '.' or $file eq '..'); my $path = "$pwd/$file"; next if (-l $path); |
472c9e108 leaking_addresses... |
486 487 488 |
# skip /proc/PID except /proc/1 next if (($path =~ /^\/proc\/[0-9]+$/) && ($path !~ /^\/proc\/1$/)); |
b401f56f3 leaking_addresses... |
489 |
next if (skip($path)); |
c73dff595 leaking_addresses... |
490 |
check_path_for_leaks($path); |
136fc5c41 scripts: add leak... |
491 492 |
if (-d $path) { push @dirs, $path; |
b401f56f3 leaking_addresses... |
493 |
next; |
136fc5c41 scripts: add leak... |
494 |
} |
b401f56f3 leaking_addresses... |
495 |
|
0f2994333 leaking_addresses... |
496 497 |
dprint("parsing: $path "); |
b401f56f3 leaking_addresses... |
498 |
timed_parse_file($path); |
136fc5c41 scripts: add leak... |
499 500 501 |
} } } |
d09bd8da8 leaking_addresses... |
502 503 504 505 506 507 508 509 510 511 512 513 514 515 516 517 518 519 520 521 522 523 524 525 526 527 528 529 530 531 532 533 534 535 536 537 538 539 540 541 542 543 544 545 546 547 548 549 550 551 552 553 554 555 556 557 558 559 560 561 562 563 564 565 566 567 568 569 570 571 572 573 574 575 576 577 578 579 580 581 582 583 584 585 586 587 588 589 590 591 592 593 594 595 596 597 598 599 600 601 602 603 604 605 606 607 608 609 610 611 612 613 614 615 616 617 618 619 620 621 622 623 624 625 626 627 628 629 630 631 632 633 634 635 636 637 638 639 640 641 642 643 644 645 646 647 648 649 |
sub format_output { my ($file) = @_; # Default is to show raw results. if ($raw or (!$squash_by_path and !$squash_by_filename)) { dump_raw_output($file); return; } my ($total, $dmesg, $paths, $files) = parse_raw_file($file); printf " Total number of results from scan (incl dmesg): %d ", $total; if (!$suppress_dmesg) { print_dmesg($dmesg); } if ($squash_by_filename) { squash_by($files, 'filename'); } if ($squash_by_path) { squash_by($paths, 'path'); } } sub dump_raw_output { my ($file) = @_; open (my $fh, '<', $file) or die "$0: $file: $! "; while (<$fh>) { if ($suppress_dmesg) { if ("dmesg:" eq substr($_, 0, 6)) { next; } } print $_; } close $fh; } sub parse_raw_file { my ($file) = @_; my $total = 0; # Total number of lines parsed. my @dmesg; # dmesg output. my %files; # Unique filenames containing leaks. my %paths; # Unique paths containing leaks. open (my $fh, '<', $file) or die "$0: $file: $! "; while (my $line = <$fh>) { $total++; if ("dmesg:" eq substr($line, 0, 6)) { push @dmesg, $line; next; } cache_path(\%paths, $line); cache_filename(\%files, $line); } return $total, \@dmesg, \%paths, \%files; } sub print_dmesg { my ($dmesg) = @_; print " dmesg output: "; if (@$dmesg == 0) { print "<no results> "; return; } foreach(@$dmesg) { my $index = index($_, ': '); $index += 2; # skid ': ' print substr($_, $index); } } sub squash_by { my ($ref, $desc) = @_; print " Results squashed by $desc (excl dmesg). "; print "Displaying [<number of results> <$desc>], <example result> "; if (keys %$ref == 0) { print "<no results> "; return; } foreach(keys %$ref) { my $lines = $ref->{$_}; my $length = @$lines; printf "[%d %s] %s", $length, $_, @$lines[0]; } } sub cache_path { my ($paths, $line) = @_; my $index = index($line, ': '); my $path = substr($line, 0, $index); $index += 2; # skip ': ' add_to_cache($paths, $path, substr($line, $index)); } sub cache_filename { my ($files, $line) = @_; my $index = index($line, ': '); my $path = substr($line, 0, $index); my $filename = basename($path); $index += 2; # skip ': ' add_to_cache($files, $filename, substr($line, $index)); } sub add_to_cache { my ($cache, $key, $value) = @_; if (!$cache->{$key}) { $cache->{$key} = (); } push @{$cache->{$key}}, $value; } |