Blame view
scripts/leaking_addresses.pl
12.9 KB
136fc5c41 scripts: add leak... |
1 2 3 4 5 |
#!/usr/bin/env perl # # (c) 2017 Tobin C. Harding <me@tobin.cc> # Licensed under the terms of the GNU GPL License version 2 # |
1410fe4ee leaking_addresses... |
6 |
# leaking_addresses.pl: Scan the kernel for potential leaking addresses. |
136fc5c41 scripts: add leak... |
7 8 9 |
# - Scans dmesg output. # - Walks directory tree and parses each file (for each directory in @DIRS). # |
136fc5c41 scripts: add leak... |
10 11 |
# Use --debug to output path before parsing, this is useful to find files that # cause the script to choke. |
136fc5c41 scripts: add leak... |
12 |
|
472c9e108 leaking_addresses... |
13 14 15 16 17 18 19 |
# # When the system is idle it is likely that most files under /proc/PID will be # identical for various processes. Scanning _all_ the PIDs under /proc is # unnecessary and implies that we are thoroughly scanning /proc. This is _not_ # the case because there may be ways userspace can trigger creation of /proc # files that leak addresses but were not present during a scan. For these two # reasons we exclude all PID directories under /proc except '1/' |
136fc5c41 scripts: add leak... |
20 21 22 23 24 25 26 27 |
use warnings; use strict; use POSIX; use File::Basename; use File::Spec; use Cwd 'abs_path'; use Term::ANSIColor qw(:constants); use Getopt::Long qw(:config no_auto_abbrev); |
62139c124 leaking_addresses... |
28 |
use Config; |
87e375885 leaking_addresses... |
29 |
use bigint qw/hex/; |
2f042c93a leaking_addresses... |
30 |
use feature 'state'; |
136fc5c41 scripts: add leak... |
31 32 |
my $P = $0; |
136fc5c41 scripts: add leak... |
33 34 35 |
# Directories to scan. my @DIRS = ('/proc', '/sys'); |
dd98c252a leaking_addresses... |
36 37 |
# Timer for parsing each file, in seconds. my $TIMEOUT = 10; |
1410fe4ee leaking_addresses... |
38 39 40 |
# Kernel addresses vary by architecture. We can only auto-detect the following # architectures (using `uname -m`). (flag --32-bit overrides auto-detection.) my @SUPPORTED_ARCHITECTURES = ('x86_64', 'ppc64', 'x86'); |
62139c124 leaking_addresses... |
41 |
|
136fc5c41 scripts: add leak... |
42 43 44 |
# Command line options. my $help = 0; my $debug = 0; |
d09bd8da8 leaking_addresses... |
45 46 47 |
my $raw = 0; my $output_raw = ""; # Write raw results to file. my $input_raw = ""; # Read raw results from file instead of scanning. |
d09bd8da8 leaking_addresses... |
48 49 50 |
my $suppress_dmesg = 0; # Don't show dmesg in output. my $squash_by_path = 0; # Summary report grouped by absolute path. my $squash_by_filename = 0; # Summary report grouped by filename. |
f9d2a42da leaking_addresses... |
51 |
my $kernel_config_file = ""; # Kernel configuration file. |
1410fe4ee leaking_addresses... |
52 53 |
my $opt_32bit = 0; # Scan 32-bit kernel. my $page_offset_32bit = 0; # Page offset for 32-bit kernel. |
136fc5c41 scripts: add leak... |
54 |
|
b401f56f3 leaking_addresses... |
55 56 57 58 |
# Skip these absolute paths. my @skip_abs = ( '/proc/kmsg', '/proc/device-tree', |
2ad742939 leaking_addresses... |
59 |
'/proc/1/syscall', |
b401f56f3 leaking_addresses... |
60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 |
'/sys/firmware/devicetree', '/sys/kernel/debug/tracing/trace_pipe', '/sys/kernel/security/apparmor/revision'); # Skip these under any subdirectory. my @skip_any = ( 'pagemap', 'events', 'access', 'registers', 'snapshot_raw', 'trace_pipe_raw', 'ptmx', 'trace_pipe', 'fd', 'usbmon'); |
136fc5c41 scripts: add leak... |
76 77 78 79 80 81 |
sub help { my ($exitcode) = @_; print << "EOM"; |
d09bd8da8 leaking_addresses... |
82 |
|
136fc5c41 scripts: add leak... |
83 |
Usage: $P [OPTIONS] |
136fc5c41 scripts: add leak... |
84 85 |
Options: |
15d60a35b leaking_addresses... |
86 87 88 89 90 91 |
-o, --output-raw=<file> Save results for future processing. -i, --input-raw=<file> Read results from file instead of scanning. --raw Show raw results (default). --suppress-dmesg Do not show dmesg results. --squash-by-path Show one result per unique path. --squash-by-filename Show one result per unique filename. |
f9d2a42da leaking_addresses... |
92 |
--kernel-config-file=<file> Kernel configuration file (e.g /boot/config) |
1410fe4ee leaking_addresses... |
93 94 |
--32-bit Scan 32-bit kernel. --page-offset-32-bit=o Page offset (for 32-bit kernel 0xABCD1234). |
15d60a35b leaking_addresses... |
95 96 |
-d, --debug Display debugging output. -h, --help, --version Display this help and exit. |
d09bd8da8 leaking_addresses... |
97 |
|
1410fe4ee leaking_addresses... |
98 |
Scans the running kernel for potential leaking addresses. |
136fc5c41 scripts: add leak... |
99 100 101 102 103 104 |
EOM exit($exitcode); } GetOptions( |
136fc5c41 scripts: add leak... |
105 106 |
'd|debug' => \$debug, 'h|help' => \$help, |
d09bd8da8 leaking_addresses... |
107 108 109 110 111 112 113 |
'version' => \$help, 'o|output-raw=s' => \$output_raw, 'i|input-raw=s' => \$input_raw, 'suppress-dmesg' => \$suppress_dmesg, 'squash-by-path' => \$squash_by_path, 'squash-by-filename' => \$squash_by_filename, 'raw' => \$raw, |
f9d2a42da leaking_addresses... |
114 |
'kernel-config-file=s' => \$kernel_config_file, |
1410fe4ee leaking_addresses... |
115 116 |
'32-bit' => \$opt_32bit, 'page-offset-32-bit=o' => \$page_offset_32bit, |
136fc5c41 scripts: add leak... |
117 118 119 |
) or help(1); help(0) if ($help); |
d09bd8da8 leaking_addresses... |
120 121 122 123 124 125 126 127 128 129 130 131 132 |
if ($input_raw) { format_output($input_raw); exit(0); } if (!$input_raw and ($squash_by_path or $squash_by_filename)) { printf " Summary reporting only available with --input-raw=<file> "; printf "(First run scan with --output-raw=<file>.) "; exit(128); } |
1410fe4ee leaking_addresses... |
133 |
if (!(is_supported_architecture() or $opt_32bit or $page_offset_32bit)) { |
62139c124 leaking_addresses... |
134 135 136 137 138 139 140 141 142 143 144 |
printf " Script does not support your architecture, sorry. "; printf " Currently we support: "; foreach(@SUPPORTED_ARCHITECTURES) { printf "\t%s ", $_; } |
6efb74582 leaking_addresses... |
145 146 |
printf(" "); |
62139c124 leaking_addresses... |
147 |
|
1410fe4ee leaking_addresses... |
148 149 150 151 152 153 |
printf("If you are running a 32-bit architecture you may use: "); printf(" \t--32-bit or --page-offset-32-bit=<page offset> "); |
6efb74582 leaking_addresses... |
154 155 156 |
my $archname = `uname -m`; printf("Machine hardware name (`uname -m`): %s ", $archname); |
62139c124 leaking_addresses... |
157 158 159 |
exit(129); } |
d09bd8da8 leaking_addresses... |
160 161 162 163 164 |
if ($output_raw) { open my $fh, '>', $output_raw or die "$0: $output_raw: $! "; select $fh; } |
136fc5c41 scripts: add leak... |
165 166 167 168 |
parse_dmesg(); walk(@DIRS); exit 0; |
136fc5c41 scripts: add leak... |
169 170 171 172 |
sub dprint { printf(STDERR @_) if $debug; } |
62139c124 leaking_addresses... |
173 174 |
sub is_supported_architecture { |
1410fe4ee leaking_addresses... |
175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 |
return (is_x86_64() or is_ppc64() or is_ix86_32()); } sub is_32bit { # Allow --32-bit or --page-offset-32-bit to override if ($opt_32bit or $page_offset_32bit) { return 1; } return is_ix86_32(); } sub is_ix86_32 { |
5e4bac34e leaking_addresses... |
190 |
state $arch = `uname -m`; |
1410fe4ee leaking_addresses... |
191 192 193 194 195 196 |
chomp $arch; if ($arch =~ m/i[3456]86/) { return 1; } return 0; |
62139c124 leaking_addresses... |
197 |
} |
5eb0da056 leaking_addresses... |
198 |
sub is_arch |
62139c124 leaking_addresses... |
199 |
{ |
5eb0da056 leaking_addresses... |
200 201 202 203 204 205 206 207 208 |
my ($desc) = @_; my $arch = `uname -m`; chomp $arch; if ($arch eq $desc) { return 1; } return 0; } |
62139c124 leaking_addresses... |
209 |
|
5eb0da056 leaking_addresses... |
210 211 |
sub is_x86_64 { |
5e4bac34e leaking_addresses... |
212 213 |
state $is = is_arch('x86_64'); return $is; |
62139c124 leaking_addresses... |
214 215 216 217 |
} sub is_ppc64 { |
5e4bac34e leaking_addresses... |
218 219 |
state $is = is_arch('ppc64'); return $is; |
62139c124 leaking_addresses... |
220 |
} |
f9d2a42da leaking_addresses... |
221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 |
# Gets config option value from kernel config file. # Returns "" on error or if config option not found. sub get_kernel_config_option { my ($option) = @_; my $value = ""; my $tmp_file = ""; my @config_files; # Allow --kernel-config-file to override. if ($kernel_config_file ne "") { @config_files = ($kernel_config_file); } elsif (-R "/proc/config.gz") { my $tmp_file = "/tmp/tmpkconf"; if (system("gunzip < /proc/config.gz > $tmp_file")) { dprint "$0: system(gunzip < /proc/config.gz) failed "; return ""; } else { @config_files = ($tmp_file); } } else { my $file = '/boot/config-' . `uname -r`; chomp $file; @config_files = ($file, '/boot/config'); } foreach my $file (@config_files) { dprint("parsing config file: %s ", $file); $value = option_from_file($option, $file); if ($value ne "") { last; } } if ($tmp_file ne "") { system("rm -f $tmp_file"); } return $value; } # Parses $file and returns kernel configuration option value. sub option_from_file { my ($option, $file) = @_; my $str = ""; my $val = ""; open(my $fh, "<", $file) or return ""; while (my $line = <$fh> ) { if ($line =~ /^$option/) { ($str, $val) = split /=/, $line; chomp $val; last; } } close $fh; return $val; } |
136fc5c41 scripts: add leak... |
284 285 |
sub is_false_positive { |
7e5758f7f leaking_addresses... |
286 |
my ($match) = @_; |
1410fe4ee leaking_addresses... |
287 288 289 290 291 |
if (is_32bit()) { return is_false_positive_32bit($match); } # 64 bit false positives. |
7e5758f7f leaking_addresses... |
292 293 294 295 |
if ($match =~ '\b(0x)?(f|F){16}\b' or $match =~ '\b(0x)?0{16}\b') { return 1; } |
136fc5c41 scripts: add leak... |
296 |
|
87e375885 leaking_addresses... |
297 298 |
if (is_x86_64() and is_in_vsyscall_memory_region($match)) { return 1; |
7e5758f7f leaking_addresses... |
299 |
} |
136fc5c41 scripts: add leak... |
300 |
|
7e5758f7f leaking_addresses... |
301 |
return 0; |
136fc5c41 scripts: add leak... |
302 |
} |
1410fe4ee leaking_addresses... |
303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 |
sub is_false_positive_32bit { my ($match) = @_; state $page_offset = get_page_offset(); if ($match =~ '\b(0x)?(f|F){8}\b') { return 1; } if (hex($match) < $page_offset) { return 1; } return 0; } # returns integer value sub get_page_offset { my $page_offset; my $default_offset = 0xc0000000; # Allow --page-offset-32bit to override. if ($page_offset_32bit != 0) { return $page_offset_32bit; } $page_offset = get_kernel_config_option('CONFIG_PAGE_OFFSET'); if (!$page_offset) { return $default_offset; } return $page_offset; } |
87e375885 leaking_addresses... |
336 337 338 339 340 341 342 343 344 345 |
sub is_in_vsyscall_memory_region { my ($match) = @_; my $hex = hex($match); my $region_min = hex("0xffffffffff600000"); my $region_max = hex("0xffffffffff601000"); return ($hex >= $region_min and $hex <= $region_max); } |
136fc5c41 scripts: add leak... |
346 347 348 |
# True if argument potentially contains a kernel address. sub may_leak_address { |
7e5758f7f leaking_addresses... |
349 |
my ($line) = @_; |
62139c124 leaking_addresses... |
350 |
my $address_re; |
136fc5c41 scripts: add leak... |
351 |
|
7e5758f7f leaking_addresses... |
352 353 |
# Signal masks. if ($line =~ '^SigBlk:' or |
a11949ec2 leaking_addresses... |
354 |
$line =~ '^SigIgn:' or |
7e5758f7f leaking_addresses... |
355 356 357 |
$line =~ '^SigCgt:') { return 0; } |
136fc5c41 scripts: add leak... |
358 |
|
7e5758f7f leaking_addresses... |
359 360 |
if ($line =~ '\bKEY=[[:xdigit:]]{14} [[:xdigit:]]{16} [[:xdigit:]]{16}\b' or $line =~ '\b[[:xdigit:]]{14} [[:xdigit:]]{16} [[:xdigit:]]{16}\b') { |
136fc5c41 scripts: add leak... |
361 |
return 0; |
7e5758f7f leaking_addresses... |
362 |
} |
136fc5c41 scripts: add leak... |
363 |
|
2f042c93a leaking_addresses... |
364 |
$address_re = get_address_re(); |
2306a6774 leaking_addresses... |
365 |
while ($line =~ /($address_re)/g) { |
7e5758f7f leaking_addresses... |
366 367 368 369 |
if (!is_false_positive($1)) { return 1; } } |
136fc5c41 scripts: add leak... |
370 |
|
7e5758f7f leaking_addresses... |
371 |
return 0; |
136fc5c41 scripts: add leak... |
372 |
} |
2f042c93a leaking_addresses... |
373 374 |
sub get_address_re { |
1410fe4ee leaking_addresses... |
375 |
if (is_ppc64()) { |
2f042c93a leaking_addresses... |
376 |
return '\b(0x)?[89abcdef]00[[:xdigit:]]{13}\b'; |
1410fe4ee leaking_addresses... |
377 378 |
} elsif (is_32bit()) { return '\b(0x)?[[:xdigit:]]{8}\b'; |
2f042c93a leaking_addresses... |
379 |
} |
1410fe4ee leaking_addresses... |
380 381 |
return get_x86_64_re(); |
2f042c93a leaking_addresses... |
382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 |
} sub get_x86_64_re { # We handle page table levels but only if explicitly configured using # CONFIG_PGTABLE_LEVELS. If config file parsing fails or config option # is not found we default to using address regular expression suitable # for 4 page table levels. state $ptl = get_kernel_config_option('CONFIG_PGTABLE_LEVELS'); if ($ptl == 5) { return '\b(0x)?ff[[:xdigit:]]{14}\b'; } return '\b(0x)?ffff[[:xdigit:]]{12}\b'; } |
136fc5c41 scripts: add leak... |
397 398 399 400 401 402 403 404 405 406 407 408 409 410 |
sub parse_dmesg { open my $cmd, '-|', 'dmesg'; while (<$cmd>) { if (may_leak_address($_)) { print 'dmesg: ' . $_; } } close $cmd; } # True if we should skip this path. sub skip { |
b401f56f3 leaking_addresses... |
411 |
my ($path) = @_; |
136fc5c41 scripts: add leak... |
412 |
|
b401f56f3 leaking_addresses... |
413 |
foreach (@skip_abs) { |
136fc5c41 scripts: add leak... |
414 415 416 417 |
return 1 if (/^$path$/); } my($filename, $dirs, $suffix) = fileparse($path); |
b401f56f3 leaking_addresses... |
418 |
foreach (@skip_any) { |
136fc5c41 scripts: add leak... |
419 420 421 422 423 |
return 1 if (/^$filename$/); } return 0; } |
dd98c252a leaking_addresses... |
424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 |
sub timed_parse_file { my ($file) = @_; eval { local $SIG{ALRM} = sub { die "alarm " }; # NB: required. alarm $TIMEOUT; parse_file($file); alarm 0; }; if ($@) { die unless $@ eq "alarm "; # Propagate unexpected errors. printf STDERR "timed out parsing: %s ", $file; } } |
136fc5c41 scripts: add leak... |
444 445 446 447 448 449 450 |
sub parse_file { my ($file) = @_; if (! -R $file) { return; } |
e2858cadd leaking_addresses... |
451 452 453 |
if (! -T $file) { return; } |
136fc5c41 scripts: add leak... |
454 455 456 457 458 459 460 461 |
open my $fh, "<", $file or return; while ( <$fh> ) { if (may_leak_address($_)) { print $file . ': ' . $_; } } close $fh; } |
c73dff595 leaking_addresses... |
462 463 464 465 466 467 468 469 470 471 |
# Checks if the actual path name is leaking a kernel address. sub check_path_for_leaks { my ($path) = @_; if (may_leak_address($path)) { printf("Path name may contain address: $path "); } } |
136fc5c41 scripts: add leak... |
472 473 474 475 |
# Recursively walk directory tree. sub walk { my @dirs = @_; |
136fc5c41 scripts: add leak... |
476 477 |
while (my $pwd = shift @dirs) { |
136fc5c41 scripts: add leak... |
478 479 480 481 482 483 484 485 486 |
next if (!opendir(DIR, $pwd)); my @files = readdir(DIR); closedir(DIR); foreach my $file (@files) { next if ($file eq '.' or $file eq '..'); my $path = "$pwd/$file"; next if (-l $path); |
472c9e108 leaking_addresses... |
487 488 489 |
# skip /proc/PID except /proc/1 next if (($path =~ /^\/proc\/[0-9]+$/) && ($path !~ /^\/proc\/1$/)); |
b401f56f3 leaking_addresses... |
490 |
next if (skip($path)); |
c73dff595 leaking_addresses... |
491 |
check_path_for_leaks($path); |
136fc5c41 scripts: add leak... |
492 493 |
if (-d $path) { push @dirs, $path; |
b401f56f3 leaking_addresses... |
494 |
next; |
136fc5c41 scripts: add leak... |
495 |
} |
b401f56f3 leaking_addresses... |
496 497 498 499 |
dprint "parsing: $path "; timed_parse_file($path); |
136fc5c41 scripts: add leak... |
500 501 502 |
} } } |
d09bd8da8 leaking_addresses... |
503 504 505 506 507 508 509 510 511 512 513 514 515 516 517 518 519 520 521 522 523 524 525 526 527 528 529 530 531 532 533 534 535 536 537 538 539 540 541 542 543 544 545 546 547 548 549 550 551 552 553 554 555 556 557 558 559 560 561 562 563 564 565 566 567 568 569 570 571 572 573 574 575 576 577 578 579 580 581 582 583 584 585 586 587 588 589 590 591 592 593 594 595 596 597 598 599 600 601 602 603 604 605 606 607 608 609 610 611 612 613 614 615 616 617 618 619 620 621 622 623 624 625 626 627 628 629 630 631 632 633 634 635 636 637 638 639 640 641 642 643 644 645 646 647 648 649 650 |
sub format_output { my ($file) = @_; # Default is to show raw results. if ($raw or (!$squash_by_path and !$squash_by_filename)) { dump_raw_output($file); return; } my ($total, $dmesg, $paths, $files) = parse_raw_file($file); printf " Total number of results from scan (incl dmesg): %d ", $total; if (!$suppress_dmesg) { print_dmesg($dmesg); } if ($squash_by_filename) { squash_by($files, 'filename'); } if ($squash_by_path) { squash_by($paths, 'path'); } } sub dump_raw_output { my ($file) = @_; open (my $fh, '<', $file) or die "$0: $file: $! "; while (<$fh>) { if ($suppress_dmesg) { if ("dmesg:" eq substr($_, 0, 6)) { next; } } print $_; } close $fh; } sub parse_raw_file { my ($file) = @_; my $total = 0; # Total number of lines parsed. my @dmesg; # dmesg output. my %files; # Unique filenames containing leaks. my %paths; # Unique paths containing leaks. open (my $fh, '<', $file) or die "$0: $file: $! "; while (my $line = <$fh>) { $total++; if ("dmesg:" eq substr($line, 0, 6)) { push @dmesg, $line; next; } cache_path(\%paths, $line); cache_filename(\%files, $line); } return $total, \@dmesg, \%paths, \%files; } sub print_dmesg { my ($dmesg) = @_; print " dmesg output: "; if (@$dmesg == 0) { print "<no results> "; return; } foreach(@$dmesg) { my $index = index($_, ': '); $index += 2; # skid ': ' print substr($_, $index); } } sub squash_by { my ($ref, $desc) = @_; print " Results squashed by $desc (excl dmesg). "; print "Displaying [<number of results> <$desc>], <example result> "; if (keys %$ref == 0) { print "<no results> "; return; } foreach(keys %$ref) { my $lines = $ref->{$_}; my $length = @$lines; printf "[%d %s] %s", $length, $_, @$lines[0]; } } sub cache_path { my ($paths, $line) = @_; my $index = index($line, ': '); my $path = substr($line, 0, $index); $index += 2; # skip ': ' add_to_cache($paths, $path, substr($line, $index)); } sub cache_filename { my ($files, $line) = @_; my $index = index($line, ': '); my $path = substr($line, 0, $index); my $filename = basename($path); $index += 2; # skip ': ' add_to_cache($files, $filename, substr($line, $index)); } sub add_to_cache { my ($cache, $key, $value) = @_; if (!$cache->{$key}) { $cache->{$key} = (); } push @{$cache->{$key}}, $value; } |