* [RFC] scripts: add leaking_addresses.pl
@ 2017-10-19 6:34 Tobin C. Harding
2017-10-19 12:44 ` Steven Rostedt
2017-10-19 15:19 ` Petr Mladek
0 siblings, 2 replies; 5+ messages in thread
From: Tobin C. Harding @ 2017-10-19 6:34 UTC (permalink / raw)
To: kernel-hardening
Cc: Tobin C. Harding, Jason A. Donenfeld, Theodore Ts'o,
Linus Torvalds, Kees Cook, Paolo Bonzini, Tycho Andersen,
Roberts, William C, Tejun Heo, Jordan Glover, Greg KH,
Petr Mladek, Joe Perches, Ian Campbell, Sergey Senozhatsky,
Catalin Marinas, Will Deacon, Steven Rostedt, Chris Fries,
Dave Weinstein, Daniel Micay, Djalal Harouni, linux-kernel
Currently we are leaking addresses from the kernel to user space. This
script as an attempt to find those leakages. Script parses `dmesg`
output and /proc and /sys files for suspicious entries.
Signed-off-by: Tobin C. Harding <me@tobin.cc>
---
My usual disclaimer; I am a long way from being a Perl monger, any tips,
however trivial, most welcome.
Parses dmesg output first then;
Algorithm walks the directory tree of /proc and /sys, opens each file
for reading and parses file line by line. We therefore need to skip
certain files;
- binary files.
- relay large files of fixed format that _definitely_ won't leak.
- non-readable files.
Since I do not know procfs or sysfs extensively I set `DEBUG = 1` within
the script (causes output of file name before parsing) and checked each
file it choked on. Obviously this means there are going to be a bunch of
other files not present on my system. Either more files to skip or a
suggestion of a better way to do this most appreciated.
Like I said, happy to take suggestions, abuse, tweaks etc
Thanks in advance for taking the time to look at this. Oh, I didn't
comment on my regex skills, no further comment required ;)
thanks,
Tobin.
scripts/leaking_addresses.pl | 139 +++++++++++++++++++++++++++++++++++++++++++
1 file changed, 139 insertions(+)
create mode 100755 scripts/leaking_addresses.pl
diff --git a/scripts/leaking_addresses.pl b/scripts/leaking_addresses.pl
new file mode 100755
index 000000000000..940547b716e3
--- /dev/null
+++ b/scripts/leaking_addresses.pl
@@ -0,0 +1,139 @@
+#!/usr/bin/env perl
+#
+# leaking_addresses.pl scan kernel for potential leaking addresses.
+
+use warnings;
+use strict;
+use File::Basename;
+use feature 'say';
+
+my $DEBUG = 0;
+my @dirs = ('/proc', '/sys');
+
+parse_dmesg();
+
+foreach(@dirs)
+{
+ walk($_);
+}
+
+exit 0;
+
+#
+# TODO
+#
+# - Add support for 32 bit architectures.
+#
+sub may_leak_address
+{
+ my $line = $_[0];
+ my $regex = 'ffff[a-fA-F0-9]{12}';
+ my $mask = 'ffffffffffffffff';
+
+ if ($line =~ /$mask/) {
+ return
+ }
+
+ if ($line =~ /$regex/) {
+ return 1;
+ }
+ return;
+}
+
+sub parse_dmesg
+{
+ my $line;
+ open my $cmd, '-|', 'dmesg';
+ while ($line = <$cmd>) {
+ if (may_leak_address($line)) {
+ print 'dmesg: ' . $line;
+ }
+ }
+ close $cmd;
+}
+
+# We should skip these files
+sub skip_file
+{
+ my $path = $_[0];
+
+ my @skip_paths = ('/proc/kmsg', '/proc/kcore', '/proc/kallsyms',
+ '/proc/fs/ext4/sdb1/mb_groups', '/sys/kernel/debug/tracing/trace_pipe',
+ '/sys/kernel/security/apparmor/revision');
+ my @skip_files = ('pagemap', 'events', 'access','registers', 'snapshot_raw',
+ 'trace_pipe_raw', 'trace_pipe');
+
+ foreach(@skip_paths) {
+ if ($_ eq $_[0]) {
+ return 1;
+ }
+ }
+
+ my($filename, $dirs, $suffix) = fileparse($path);
+
+ foreach(@skip_files) {
+ if ($_ eq $filename) {
+ return 1;
+ }
+ }
+
+ return;
+}
+
+sub parse_file
+{
+ my $file = $_[0];
+
+ if (! -R $file) {
+ return;
+ }
+
+ if (skip_file($file)) {
+ if ($DEBUG == 1) {
+ print "skipping file: $file\n";
+ }
+ return;
+ }
+ if ($DEBUG == 1) {
+ print "parsing $file\n";
+ }
+
+ open my $fh, $file or return;
+
+ while( my $line = <$fh>) {
+ if (may_leak_address($line)) {
+ print $file . ': ' . $line;
+ }
+ }
+
+ close $fh;
+}
+
+# Recursively walk directory tree
+sub walk
+{
+ my @dirs = ($_[0]);
+ my %seen;
+
+ while (my $pwd = shift @dirs) {
+ if (!opendir(DIR,"$pwd")) {
+ print STDERR "Cannot open $pwd\n";
+ next;
+ }
+ my @files = readdir(DIR);
+ closedir(DIR);
+ foreach my $file (@files) {
+ next if ($file eq '.' or $file eq '..');
+
+ my $path = "$pwd/$file";
+ next if (-l $path);
+
+ if (-d $path and !$seen{$path}) {
+ $seen{$path} = 1;
+ push @dirs, "$path";
+ } else {
+ parse_file("$path");
+ }
+ }
+ }
+}
--
2.7.4
^ permalink raw reply related [flat|nested] 5+ messages in thread* Re: [RFC] scripts: add leaking_addresses.pl
2017-10-19 6:34 [RFC] scripts: add leaking_addresses.pl Tobin C. Harding
@ 2017-10-19 12:44 ` Steven Rostedt
2017-10-19 20:22 ` Tobin C. Harding
2017-10-19 15:19 ` Petr Mladek
1 sibling, 1 reply; 5+ messages in thread
From: Steven Rostedt @ 2017-10-19 12:44 UTC (permalink / raw)
To: Tobin C. Harding
Cc: kernel-hardening, Jason A. Donenfeld, Theodore Ts'o,
Linus Torvalds, Kees Cook, Paolo Bonzini, Tycho Andersen,
Roberts, William C, Tejun Heo, Jordan Glover, Greg KH,
Petr Mladek, Joe Perches, Ian Campbell, Sergey Senozhatsky,
Catalin Marinas, Will Deacon, Chris Fries, Dave Weinstein,
Daniel Micay, Djalal Harouni, linux-kernel
On Thu, 19 Oct 2017 17:34:44 +1100
"Tobin C. Harding" <me@tobin.cc> wrote:
>
> My usual disclaimer; I am a long way from being a Perl monger, any tips,
I'm a semi Perl monger.
> however trivial, most welcome.
>
> Parses dmesg output first then;
>
> Algorithm walks the directory tree of /proc and /sys, opens each file
> for reading and parses file line by line. We therefore need to skip
> certain files;
>
> - binary files.
> - relay large files of fixed format that _definitely_ won't leak.
"relay large files"? What do the files relay with? ;-)
> - non-readable files.
>
> Since I do not know procfs or sysfs extensively I set `DEBUG = 1` within
> the script (causes output of file name before parsing) and checked each
> file it choked on. Obviously this means there are going to be a bunch of
> other files not present on my system. Either more files to skip or a
> suggestion of a better way to do this most appreciated.
>
> Like I said, happy to take suggestions, abuse, tweaks etc
abuse accepted.
>
> Thanks in advance for taking the time to look at this. Oh, I didn't
> comment on my regex skills, no further comment required ;)
>
> thanks,
> Tobin.
>
> scripts/leaking_addresses.pl | 139 +++++++++++++++++++++++++++++++++++++++++++
> 1 file changed, 139 insertions(+)
> create mode 100755 scripts/leaking_addresses.pl
>
> diff --git a/scripts/leaking_addresses.pl b/scripts/leaking_addresses.pl
> new file mode 100755
> index 000000000000..940547b716e3
> --- /dev/null
> +++ b/scripts/leaking_addresses.pl
> @@ -0,0 +1,139 @@
> +#!/usr/bin/env perl
> +#
> +# leaking_addresses.pl scan kernel for potential leaking addresses.
> +
> +use warnings;
> +use strict;
> +use File::Basename;
> +use feature 'say';
> +
> +my $DEBUG = 0;
> +my @dirs = ('/proc', '/sys');
> +
> +parse_dmesg();
> +
> +foreach(@dirs)
> +{
> + walk($_);
> +}
> +
> +exit 0;
> +
> +#
> +# TODO
> +#
> +# - Add support for 32 bit architectures.
I wonder if it is OK to add to the banner or just afterward what the
word size of the computer is. You could also search for strings like
amd64 in the banner.
> +#
> +sub may_leak_address
> +{
> + my $line = $_[0];
I usually do:
my ($line) = $@;
But either is fine.
> + my $regex = 'ffff[a-fA-F0-9]{12}';
try
my $regex = '\b(0x)?ffff[[:xdigit:]]{12}\b';
The \b is to match non word characters.
=ffffdeadbeef1234
0xffffdeadbeef1234
=0xffffdeadBEEF1234
all match
aoeuffffdeeadbeef1234
does not match.
> + my $mask = 'ffffffffffffffff';
my $mask = '\b(0[xX])?(fF){16}\b'
> +
> + if ($line =~ /$mask/) {
> + return
> + }
> +
> + if ($line =~ /$regex/) {
> + return 1;
> + }
> + return;
> +}
> +
> +sub parse_dmesg
> +{
> + my $line;
> + open my $cmd, '-|', 'dmesg';
> + while ($line = <$cmd>) {
> + if (may_leak_address($line)) {
> + print 'dmesg: ' . $line;
> + }
> + }
Remove $line:
while (<$cmd>) {
if (may_leak_address($_)) {
print 'dmesg: '. $_;
}
}
> + close $cmd;
> +}
> +
> +# We should skip these files
> +sub skip_file
> +{
> + my $path = $_[0];
> +
> + my @skip_paths = ('/proc/kmsg', '/proc/kcore', '/proc/kallsyms',
> + '/proc/fs/ext4/sdb1/mb_groups', '/sys/kernel/debug/tracing/trace_pipe',
> + '/sys/kernel/security/apparmor/revision');
> + my @skip_files = ('pagemap', 'events', 'access','registers', 'snapshot_raw',
> + 'trace_pipe_raw', 'trace_pipe');
> +
> + foreach(@skip_paths) {
> + if ($_ eq $_[0]) {
does the above work? Shouldn't that be $path?
> + return 1;
you could also do:
return 1 if (/^$path$/);
> + }
> + }
> +
> + my($filename, $dirs, $suffix) = fileparse($path);
> +
> + foreach(@skip_files) {
> + if ($_ eq $filename) {
if (/^$filename$/) {
also works. You could also do:
return 1 if (/^$filename$/);
> + return 1;
> + }
> + }
> +
> + return;
> +}
> +
> +sub parse_file
> +{
> + my $file = $_[0];
> +
> + if (! -R $file) {
> + return;
> + }
> +
> + if (skip_file($file)) {
> + if ($DEBUG == 1) {
> + print "skipping file: $file\n";
> + }
> + return;
> + }
> + if ($DEBUG == 1) {
> + print "parsing $file\n";
> + }
To keep from having to do the above, I usually have:
sub dprint {
return if ($DEBUG != 1);
print $@;
}
May not even need the $@ part. But then you can just use dprint instead
of the test case and print.
> +
> + open my $fh, $file or return;
> +
> + while( my $line = <$fh>) {
Again, you don't need the $line.
> + if (may_leak_address($line)) {
> + print $file . ': ' . $line;
> + }
> + }
> +
> + close $fh;
> +}
> +
> +# Recursively walk directory tree
> +sub walk
> +{
> + my @dirs = ($_[0]);
Does the above work? What about:
my @dirs = @_;
?
Oh, you have a foreach(@dirs) calling the walk.
That's probably why it didn't work. Or is it because of the stack usage
below?
-- Steve
> + my %seen;
> +
> + while (my $pwd = shift @dirs) {
> + if (!opendir(DIR,"$pwd")) {
> + print STDERR "Cannot open $pwd\n";
> + next;
> + }
> + my @files = readdir(DIR);
> + closedir(DIR);
> + foreach my $file (@files) {
> + next if ($file eq '.' or $file eq '..');
> +
> + my $path = "$pwd/$file";
> + next if (-l $path);
> +
> + if (-d $path and !$seen{$path}) {
> + $seen{$path} = 1;
> + push @dirs, "$path";
> + } else {
> + parse_file("$path");
> + }
> + }
> + }
> +}
^ permalink raw reply [flat|nested] 5+ messages in thread* Re: [RFC] scripts: add leaking_addresses.pl
2017-10-19 12:44 ` Steven Rostedt
@ 2017-10-19 20:22 ` Tobin C. Harding
0 siblings, 0 replies; 5+ messages in thread
From: Tobin C. Harding @ 2017-10-19 20:22 UTC (permalink / raw)
To: Steven Rostedt
Cc: kernel-hardening, Jason A. Donenfeld, Theodore Ts'o,
Linus Torvalds, Kees Cook, Paolo Bonzini, Tycho Andersen,
Roberts, William C, Tejun Heo, Jordan Glover, Greg KH,
Petr Mladek, Joe Perches, Ian Campbell, Sergey Senozhatsky,
Catalin Marinas, Will Deacon, Chris Fries, Dave Weinstein,
Daniel Micay, Djalal Harouni, linux-kernel
On Thu, Oct 19, 2017 at 08:44:31AM -0400, Steven Rostedt wrote:
> On Thu, 19 Oct 2017 17:34:44 +1100
> "Tobin C. Harding" <me@tobin.cc> wrote:
>
> >
> > My usual disclaimer; I am a long way from being a Perl monger, any tips,
>
> I'm a semi Perl monger.
>
> > however trivial, most welcome.
> >
> > Parses dmesg output first then;
> >
> > Algorithm walks the directory tree of /proc and /sys, opens each file
> > for reading and parses file line by line. We therefore need to skip
> > certain files;
> >
> > - binary files.
> > - relay large files of fixed format that _definitely_ won't leak.
>
> "relay large files"? What do the files relay with? ;-)
:) All bugs are shallow to enough eyes eh.
Good tips, thank you. V2 to come.
thanks,
Tobin.
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [RFC] scripts: add leaking_addresses.pl
2017-10-19 6:34 [RFC] scripts: add leaking_addresses.pl Tobin C. Harding
2017-10-19 12:44 ` Steven Rostedt
@ 2017-10-19 15:19 ` Petr Mladek
2017-10-19 20:23 ` Tobin C. Harding
1 sibling, 1 reply; 5+ messages in thread
From: Petr Mladek @ 2017-10-19 15:19 UTC (permalink / raw)
To: Tobin C. Harding
Cc: kernel-hardening, Jason A. Donenfeld, Theodore Ts'o,
Linus Torvalds, Kees Cook, Paolo Bonzini, Tycho Andersen,
Roberts, William C, Tejun Heo, Jordan Glover, Greg KH,
Joe Perches, Ian Campbell, Sergey Senozhatsky, Catalin Marinas,
Will Deacon, Steven Rostedt, Chris Fries, Dave Weinstein,
Daniel Micay, Djalal Harouni, linux-kernel
On Thu 2017-10-19 17:34:44, Tobin C. Harding wrote:
> diff --git a/scripts/leaking_addresses.pl b/scripts/leaking_addresses.pl
> new file mode 100755
> index 000000000000..940547b716e3
> --- /dev/null
> +++ b/scripts/leaking_addresses.pl
> @@ -0,0 +1,139 @@
> +#!/usr/bin/env perl
> +#
> +# leaking_addresses.pl scan kernel for potential leaking addresses.
> +
> +use warnings;
> +use strict;
> +use File::Basename;
> +use feature 'say';
It seems that the 'say' feature is not used at the end.
> +my $DEBUG = 0;
> +my @dirs = ('/proc', '/sys');
> +
> +parse_dmesg();
> +
> +foreach(@dirs)
> +{
> + walk($_);
> +}
> +
> +exit 0;
> +
> +#
> +# TODO
> +#
> +# - Add support for 32 bit architectures.
> +#
> +sub may_leak_address
> +{
> + my $line = $_[0];
> + my $regex = 'ffff[a-fA-F0-9]{12}';
> + my $mask = 'ffffffffffffffff';
> +
> + if ($line =~ /$mask/) {
> + return
I would personally return 0; instead of nothing.
Well, I am used to reading C and not perl ;-)
Also I wonder if we really need to define the pattern
as a variable. It might be better to use it directly
in the regex and put a comment above, e.g.
# Ignore addresses that say nothing
if ($line =~ /ffffffffffffffff/ or
$line =~ /0000000000000000/) {
return 0;
> + }
> +
> + if ($line =~ /$regex/) {
> + return 1;
> + }
> + return;
> +}
> +
> +sub parse_dmesg
> +{
> + my $line;
> + open my $cmd, '-|', 'dmesg';
> + while ($line = <$cmd>) {
> + if (may_leak_address($line)) {
> + print 'dmesg: ' . $line;
> + }
> + }
> + close $cmd;
> +}
> +
> +# We should skip these files
> +sub skip_file
> +{
> + my $path = $_[0];
> +
> + my @skip_paths = ('/proc/kmsg', '/proc/kcore', '/proc/kallsyms',
> + '/proc/fs/ext4/sdb1/mb_groups', '/sys/kernel/debug/tracing/trace_pipe',
> + '/sys/kernel/security/apparmor/revision');
I would suggest to put each directory on a separate line.
It is easier to review and patch.
> + my @skip_files = ('pagemap', 'events', 'access','registers', 'snapshot_raw',
> + 'trace_pipe_raw', 'trace_pipe');
Same here.
> +
> + foreach(@skip_paths) {
> + if ($_ eq $_[0]) {
> + return 1;
> + }
> + }
> +
> + my($filename, $dirs, $suffix) = fileparse($path);
> +
> + foreach(@skip_files) {
> + if ($_ eq $filename) {
> + return 1;
> + }
> + }
> +
> + return;
> +}
> +
> +sub parse_file
> +{
> + my $file = $_[0];
> +
> + if (! -R $file) {
> + return;
> + }
> +
> + if (skip_file($file)) {
> + if ($DEBUG == 1) {
> + print "skipping file: $file\n";
> + }
> + return;
> + }
> + if ($DEBUG == 1) {
> + print "parsing $file\n";
> + }
> +
> + open my $fh, $file or return;
> +
> + while( my $line = <$fh>) {
> + if (may_leak_address($line)) {
> + print $file . ': ' . $line;
> + }
> + }
> +
> + close $fh;
> +}
> +
> +# Recursively walk directory tree
> +sub walk
> +{
> + my @dirs = ($_[0]);
> + my %seen;
> +
> + while (my $pwd = shift @dirs) {
> + if (!opendir(DIR,"$pwd")) {
> + print STDERR "Cannot open $pwd\n";
I would print the error only when $DEBUG = 1.
If a directory cannot be opened, it does not leak anything.
Same for opened files.
IMHO, it would make sense to show only real problems.
Otherwise people would have troubles to interpret it.
> + next;
> + }
> + my @files = readdir(DIR);
> + closedir(DIR);
> + foreach my $file (@files) {
> + next if ($file eq '.' or $file eq '..');
> +
> + my $path = "$pwd/$file";
> + next if (-l $path);
> +
> + if (-d $path and !$seen{$path}) {
> + $seen{$path} = 1;
How is it possible to see a path twice, please?
> + push @dirs, "$path";
> + } else {
> + parse_file("$path");
> + }
> + }
> + }
> +}
Best Regards,
Petr
^ permalink raw reply [flat|nested] 5+ messages in thread* Re: [RFC] scripts: add leaking_addresses.pl
2017-10-19 15:19 ` Petr Mladek
@ 2017-10-19 20:23 ` Tobin C. Harding
0 siblings, 0 replies; 5+ messages in thread
From: Tobin C. Harding @ 2017-10-19 20:23 UTC (permalink / raw)
To: Petr Mladek
Cc: kernel-hardening, Jason A. Donenfeld, Theodore Ts'o,
Linus Torvalds, Kees Cook, Paolo Bonzini, Tycho Andersen,
Roberts, William C, Tejun Heo, Jordan Glover, Greg KH,
Joe Perches, Ian Campbell, Sergey Senozhatsky, Catalin Marinas,
Will Deacon, Steven Rostedt, Chris Fries, Dave Weinstein,
Daniel Micay, Djalal Harouni, linux-kernel
On Thu, Oct 19, 2017 at 05:19:49PM +0200, Petr Mladek wrote:
> On Thu 2017-10-19 17:34:44, Tobin C. Harding wrote:
[snip]
Good tips, thank you. Will merge every ones suggestions. V2 to come.
thanks,
Tobin.
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2017-10-19 20:23 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2017-10-19 6:34 [RFC] scripts: add leaking_addresses.pl Tobin C. Harding
2017-10-19 12:44 ` Steven Rostedt
2017-10-19 20:22 ` Tobin C. Harding
2017-10-19 15:19 ` Petr Mladek
2017-10-19 20:23 ` Tobin C. Harding
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox