Message-ID: <1511414040.12425.11.camel@gmail.com>
Subject: [PATCH 1/2] scripts: leaking_addresses: add support for 32-bit kernel addresses
From: kaiwan.billimoria@gmail.com
To: "Tobin C. Harding"
Cc: linux-kernel@vger.kernel.org, "kernel-hardening@lists.openwall.com"
Date: Thu, 23 Nov 2017 10:44:00 +0530

The current leaking_addresses.pl script only supports showing "leaked" 64-bit kernel virtual addresses. This patch adds support for showing "leaked" 32-bit kernel virtual addresses. It also takes into account Tobin's feedback on the previous iteration. (Note: this patch is meant to apply on the 'leaks' branch of Tobin's tree).

Briefly, the way it works: once it detects we're running on an i'x'86 platform (where x=3|4|5|6), it takes this arch into account for checking. The essential rationale: if virt-addr >= PAGE_OFFSET => it's a kernel virtual address.

This version programmatically queries and sets PAGE_OFFSET based on the /boot/config-$(uname -r) content. If, for any reason, this file cannot be used, we fall back to requesting the user to pass PAGE_OFFSET as a parameter.

Pending/TODO:
- support for ARM-32

Feedback welcome..

Signed-off-by: Kaiwan N Billimoria
---
diff --git a/scripts/leaking_addresses.pl b/scripts/leaking_addresses.pl index 865c07649dff..0566f8055ec5 100755 --- a/scripts/leaking_addresses.pl +++ b/scripts/leaking_addresses.pl @@ -2,10 +2,10 @@ # # (c) 2017 Tobin C. Harding # (c) 2017 Kaiwan N Billimoria (ix86 support) - + # Licensed under the terms of the GNU GPL License version 2 # -# leaking_addresses.pl: Scan 64 bit kernel for potential leaking addresses. +# leaking_addresses.pl: Scan 32/64 bit kernel for potential leaking addresses. # - Scans dmesg output. # - Walks directory tree and parses each file (for each directory in @DIRS). # 
@@ -14,7 +14,7 @@ # # You may like to set kptr_restrict=2 before running script # (see Documentation/sysctl/kernel.txt). - +# use warnings; use strict; use POSIX; @@ -37,7 +37,7 @@ my $TIMEOUT = 10; # Script can only grep for kernel addresses on the following architectures. If # your architecture is not listed here and has a grep'able kernel address please # consider submitting a patch. -my @SUPPORTED_ARCHITECTURES = ('x86_64', 'ppc64'); +my @SUPPORTED_ARCHITECTURES = ('x86_64', 'ppc64', 'i[3456]86'); # Command line options. my $help = 0; @@ -49,6 +49,12 @@ my $input_raw = ""; # Read raw results from file instead of scanning. my $suppress_dmesg = 0; # Don't show dmesg in output. my $squash_by_path = 0; # Summary report grouped by absolute path. my $squash_by_filename = 0; # Summary report grouped by filename. +my $page_offset_param = 0; # 32-bit: overrides value of PAGE_OFFSET_32BIT + +my $bit_size = 64; # Check 64-bit kernel addresses by default +my $kconfig_file = '/boot/config-'.`uname -r`; +$kconfig_file =~ s/\R*//g; +my $PAGE_OFFSET_32BIT = 0xc0000000; # Do not parse these files (absolute path). my @skip_parse_files_abs = ('/proc/kmsg', @@ -99,10 +105,11 @@ Options: -o, --output-raw= Save results for future processing. -i, --input-raw= Read results from file instead of scanning. - --raw Show raw results (default). - --suppress-dmesg Do not show dmesg results. - --squash-by-path Show one result per unique path. - --squash-by-filename Show one result per unique filename. + --raw Show raw results (default). + --suppress-dmesg Do not show dmesg results. + --squash-by-path Show one result per unique path. + --squash-by-filename Show one result per unique filename. + --page-offset= PAGE_OFFSET value (for 32-bit kernels). -d, --debug Display debugging output. -h, --help, --version Display this help and exit. 
@@ -117,7 +124,7 @@ Examples: # View summary report. $0 --input-raw scan.out --squash-by-filename -Scans the running (64 bit) kernel for potential leaking addresses. +Scans the running (32 or 64 bit) kernel for potential leaking addresses. EOM exit($exitcode); @@ -133,10 +140,16 @@ GetOptions( 'squash-by-path' => \$squash_by_path, 'squash-by-filename' => \$squash_by_filename, 'raw' => \$raw, + 'page-offset=o' => \$page_offset_param, ) or help(1); help(0) if ($help); +sub dprint +{ + printf(STDERR @_) if $debug; +} + if ($input_raw) { format_output($input_raw); exit(0); @@ -162,6 +175,24 @@ if (!is_supported_architecture()) { exit(129); } +dprint "Detected arch : $bit_size bits\n"; + +if ($bit_size == 32) { + # Parameter --page-offset passed? if Y, override with it + if ($page_offset_param != 0) { + $PAGE_OFFSET_32BIT = $page_offset_param; + } else { + $PAGE_OFFSET_32BIT = eval parse_kconfig($kconfig_file, "CONFIG_PAGE_OFFSET"); + if ($PAGE_OFFSET_32BIT == 0) { + printf "$P: Fatal Error :: couldn't parse CONFIG_PAGE_OFFSET, aborting...\n"; + printf " [Detail :: arch=32-bit, kconfig file=$kconfig_file]\n\n"; + printf "You can pass it as a parameter via the --page-offset= option switch.\n"; + exit(1); + } + } + dprint "PAGE_OFFSET = 0x%X\n", $PAGE_OFFSET_32BIT; +} + if ($output_raw) { open my $fh, '>', $output_raw or die "$0: $output_raw: $!\n"; select $fh; @@ -172,14 +203,9 @@ walk(@DIRS); exit 0; -sub dprint -{ - printf(STDERR @_) if $debug; -} - sub is_supported_architecture { - return (is_x86_64() or is_ppc64()); + return (is_x86_64() or is_ppc64() or is_ix86_32()); } sub is_x86_64 @@ -187,6 +213,7 @@ sub is_x86_64 my $archname = $Config{archname}; if ($archname =~ m/x86_64/) { + $bit_size = 64; return 1; } return 0; 
@@ -197,6 +224,19 @@ sub is_ppc64 my $archname = $Config{archname}; if ($archname =~ m/powerpc/ and $archname =~ m/64/) { + $bit_size = 64; + return 1; + } + return 0; +} + +# 32-bit x86: is_i'x'86_32() ; where is [3 or 4 or 5 or 6] +sub is_ix86_32 +{ + my $archname = $Config{archname}; + + if ($archname =~ m/i[3456]86-linux/) { + $bit_size = 32; return 1; } return 0; @@ -217,6 +257,14 @@ sub is_false_positive $match =~ '\bf{10}601000\b') { return 1; } + } elsif ($bit_size == 32) { + my $addr32 = eval hex($match); + if ($addr32 < $PAGE_OFFSET_32BIT ) { + return 1; + } + if ($match =~ '\b(0x)?(f|F){8}\b') { + return 1; + } } return 0; @@ -245,6 +293,8 @@ sub may_leak_address $address_re = '\b(0x)?ffff[[:xdigit:]]{12}\b'; } elsif (is_ppc64()) { $address_re = '\b(0x)?[89abcdef]00[[:xdigit:]]{13}\b'; + } elsif (is_ix86_32()) { + $address_re = '\b(0x)?[[:xdigit:]]{8}\b'; } while (/($address_re)/g) { @@ -501,3 +551,28 @@ sub add_to_cache } push @{$cache->{$key}}, $value; } + +sub parse_kconfig +{ + my ($file,$config) = @_; + my $str; + my $val=NULL; + + if (! -R $file) { + return NULL; + } + + open my $fh, "<", $file or return; + while (my $line = <$fh> ) { + if ($line =~ /^$config/) { + ($str,$val) = split /=/, $line; + } + } + close $fh; + + if ($val eq NULL) { + return NULL; + } + $val =~ s/\R*//g; + return $val; +}
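Review bot: in the `@@ -49,6 +49,12 @@` hunk, `my $kconfig_file = '/boot/config-'.`uname -r`;` shells out at load time on every architecture, including x86_64 and `--input-raw` runs that never read the file; build the path inside the `$bit_size == 32` branch instead, and use `chomp` rather than `s/\R*//g` to drop the trailing newline. `$PAGE_OFFSET_32BIT` is written in constant style but is reassigned later in the script, so a lower-case name (or a separate constant for the 0xc0000000 default) would be less misleading.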
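Review bot: the help text in the `@@ -99,10 +105,11 @@` hunk, `--page-offset= PAGE_OFFSET value (for 32-bit kernels).`, does not say what format is accepted; since the option is declared as `'page-offset=o'` (Getopt::Long extended integer), state that a 0x-prefixed hex value such as `--page-offset=0xc0000000` works, otherwise users will guess at decimal.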
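Review bot: the `@@ -133,10 +140,16 @@` hunk moves `sub dprint` above its first caller but does not say why; the later `dprint "Detected arch : ...";` call without parentheses only parses if the sub is already declared, so add a one-line comment (or a `sub dprint;` forward declaration) so the next cleanup does not move it back and break compilation.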
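Review bot: in the `@@ -162,6 +175,24 @@` hunk, `$PAGE_OFFSET_32BIT = eval parse_kconfig($kconfig_file, "CONFIG_PAGE_OFFSET");` string-evals text read from the config file just to turn "0xC0000000" into a number; `hex()` or `oct()` does that conversion without executing file content, and also avoids eval'ing an undef return when the open fails. The `== 0` test cannot distinguish "key not found" from a configured value of 0, and `$page_offset_param != 0` has the same problem for `--page-offset=0`; have `parse_kconfig` return undef on failure and test `defined` instead.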
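Review bot: `is_ix86_32` in the `@@ -197,6 +224,19 @@` hunk keys off `$Config{archname}`, which describes the perl binary, not the running kernel; a 32-bit perl on a 64-bit kernel would set `$bit_size = 32` and scan with the wrong pattern and PAGE_OFFSET. `uname -m` (the script already shells out for `uname -r`) reports the kernel's machine type. Setting `$bit_size` as a side effect of the `is_*()` predicates also means the value depends on whichever predicate ran last, and `may_leak_address` calls them again per invocation; set it once in `is_supported_architecture`. The comment `where is [3 or 4 or 5 or 6]` is missing the word "x".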
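Review bot: in the `@@ -217,6 +257,14 @@` hunk, `my $addr32 = eval hex($match);` needs no `eval`; `hex()` already accepts the optional 0x prefix and returns a number. A caveat worth a comment: with the 8-hex-digit pattern the PAGE_OFFSET cutoff is the only filter, so every token at or above 0xc0000000 (a quarter of all 8-digit hex values, which includes CRCs, short hashes and hex timestamps) is reported, and the 32-bit scan will be noisier than the x86_64 one whose `ffff` prefix is far more selective.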
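Review bot: `parse_kconfig` in the `@@ -501,3 +551,28 @@` hunk matches with `/^$config/`, an unanchored prefix that also matches any longer key starting with the same text and interpolates `$config` as a regex; use `/^\Q$config\E=(.*)$/` and take `$1`, which also removes the `split` and the unused `$str`. The bareword `NULL` only compiles under `use strict` because `use POSIX` exports it; plain `undef` with `defined` is clearer, and the `open ... or return;` path returns an empty list while the other failure paths return `NULL`, so callers see inconsistent values. Returning `hex($val)` from here would let the caller drop its `eval`.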
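The kconfig lookup and the "virt-addr >= PAGE_OFFSET" test described in the commit message, as an added example that is not part of the patch or of leaking_addresses.pl; the helper names are assumed, the config key is matched on its full name plus '=', the value is converted with hex() rather than a string eval, and the sample config lines are constructed.

```perl
#!/usr/bin/perl
# Added example: find CONFIG_PAGE_OFFSET in a kernel config and classify
# 8-hex-digit tokens as 32-bit kernel virtual addresses or not.
use strict;
use warnings;

# Return the numeric value of a hex-typed config key, or undef if absent.
# Takes a filehandle so it can be fed from a file or an in-memory string.
sub page_offset_from_kconfig {
    my ($fh, $key) = @_;
    my $val;
    while (my $line = <$fh>) {
        # \Q..\E quotes the key; the '=' stops CONFIG_PAGE_OFFSET from
        # matching a longer key that merely starts with the same text.
        if ($line =~ /^\Q$key\E=(0x[[:xdigit:]]+)\s*$/i) {
            $val = hex($1);   # hex() accepts the 0x prefix, no eval needed
        }
    }
    return $val;
}

# 1 if the token looks like a kernel virtual address on a 32-bit kernel.
sub is_kernel_vaddr_32 {
    my ($token, $page_offset) = @_;
    return 0 unless $token =~ /^(0x)?[[:xdigit:]]{8}$/;
    my $addr = hex($token);
    return 0 if $addr < $page_offset;   # below PAGE_OFFSET: user space
    return 0 if $addr == 0xffffffff;    # all-ones marker, not an address
    return 1;
}

# Constructed sample of the relevant lines of a /boot/config-* file.
# The second key is made up, to show why the '=' in the regex matters.
my $sample_kconfig = <<'EOF';
CONFIG_PAGE_OFFSET=0xC0000000
CONFIG_PAGE_OFFSET_SAMPLE_EXTRA=0x0
EOF

open my $fh, '<', \$sample_kconfig or die "$!";
my $po = page_offset_from_kconfig($fh, 'CONFIG_PAGE_OFFSET');
close $fh;
die "CONFIG_PAGE_OFFSET not found, pass it explicitly\n" unless defined $po;
printf "PAGE_OFFSET = 0x%08x\n", $po;

# Constructed tokens: two above PAGE_OFFSET, one below, one all-ones.
for my $tok (qw(0xc1234560 b7f00000 ffffffff 0xdeadbeef)) {
    printf "%-12s %s\n", $tok,
        is_kernel_vaddr_32($tok, $po) ? "kernel vaddr" : "not a kernel vaddr";
}
```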