leaking_addresses.pl 15 KB

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270
3704705706
  1. #!/usr/bin/env perl
  2. # SPDX-License-Identifier: GPL-2.0-only
  3. #
  4. # (c) 2017 Tobin C. Harding <me@tobin.cc>
  5. #
  6. # leaking_addresses.pl: Scan the kernel for potential leaking addresses.
  7. # - Scans dmesg output.
  8. # - Walks directory tree and parses each file (for each directory in @DIRS).
  9. #
  10. # Use --debug to output path before parsing, this is useful to find files that
  11. # cause the script to choke.
  12. #
  13. # When the system is idle it is likely that most files under /proc/PID will be
  14. # identical for various processes. Scanning _all_ the PIDs under /proc is
  15. # unnecessary and implies that we are thoroughly scanning /proc. This is _not_
  16. # the case because there may be ways userspace can trigger creation of /proc
  17. # files that leak addresses but were not present during a scan. For these two
  18. # reasons we exclude all PID directories under /proc except '1/'
  19. use warnings;
  20. use strict;
  21. use POSIX;
  22. use File::Basename;
  23. use File::Spec;
  24. use File::Temp qw/tempfile/;
  25. use Cwd 'abs_path';
  26. use Term::ANSIColor qw(:constants);
  27. use Getopt::Long qw(:config no_auto_abbrev);
  28. use Config;
  29. use bigint qw/hex/;
  30. use feature 'state';
  # Name this script was invoked as; shown in the usage message.
  my $P = $0;

  # Directories to scan.
  my @DIRS = qw(/proc /sys);

  # Timer for parsing each file, in seconds.
  my $TIMEOUT = 10;

  # Kernel addresses vary by architecture. We can only auto-detect the
  # following architectures (using `uname -m`). (flag --32-bit overrides
  # auto-detection.)
  my @SUPPORTED_ARCHITECTURES = qw(x86_64 ppc64 x86);

  # Command line options (filled in by GetOptions).
  my $help               = 0;
  my $debug              = 0;
  my $raw                = 0;
  my $output_raw         = "";  # Write raw results to file.
  my $input_raw          = "";  # Read raw results from file instead of scanning.
  my $suppress_dmesg     = 0;   # Don't show dmesg in output.
  my $squash_by_path     = 0;   # Summary report grouped by absolute path.
  my $squash_by_filename = 0;   # Summary report grouped by filename.
  my $kallsyms_file      = "";  # Kernel symbols file.
  my $kernel_config_file = "";  # Kernel configuration file.
  my $opt_32bit          = 0;   # Scan 32-bit kernel.
  my $page_offset_32bit  = 0;   # Page offset for 32-bit kernel.

  # [packed address, symbol] pairs loaded from the --kallsyms file.
  my @kallsyms;

  # Skip these absolute paths.
  my @skip_abs = qw(
      /proc/kmsg
      /proc/device-tree
      /proc/1/syscall
      /sys/firmware/devicetree
      /sys/kernel/tracing/trace_pipe
      /sys/kernel/debug/tracing/trace_pipe
      /sys/kernel/security/apparmor/revision
  );

  # Skip these under any subdirectory.
  my @skip_any = qw(
      pagemap
      events
      access
      registers
      snapshot_raw
      trace_pipe_raw
      ptmx
      trace_pipe
      fd
      usbmon
  );
  # Print the usage message to the currently selected output handle and
  # terminate the script with $exitcode.
  sub help
  {
      my $exitcode = shift;

      # One element per output line; only the first needs interpolation.
      my @usage = (
          "Usage: $P [OPTIONS]",
          'Options:',
          '-o, --output-raw=<file> Save results for future processing.',
          '-i, --input-raw=<file> Read results from file instead of scanning.',
          '--raw Show raw results (default).',
          '--suppress-dmesg Do not show dmesg results.',
          '--squash-by-path Show one result per unique path.',
          '--squash-by-filename Show one result per unique filename.',
          '--kernel-config-file=<file> Kernel configuration file (e.g /boot/config)',
          '--kallsyms=<file> Read kernel symbol addresses from file (for',
          'scanning binary files).',
          '--32-bit Scan 32-bit kernel.',
          '--page-offset-32-bit=o Page offset (for 32-bit kernel 0xABCD1234).',
          '-d, --debug Display debugging output.',
          '-h, --help Display this help and exit.',
          'Scans the running kernel for potential leaking addresses.',
      );

      print map { "$_\n" } @usage;
      exit($exitcode);
  }
  # Map every command line switch to the variable that receives its value.
  my %option_spec = (
      'd|debug'              => \$debug,
      'h|help'               => \$help,
      'o|output-raw=s'       => \$output_raw,
      'i|input-raw=s'        => \$input_raw,
      'suppress-dmesg'       => \$suppress_dmesg,
      'squash-by-path'       => \$squash_by_path,
      'squash-by-filename'   => \$squash_by_filename,
      'raw'                  => \$raw,
      'kallsyms=s'           => \$kallsyms_file,
      'kernel-config-file=s' => \$kernel_config_file,
      '32-bit'               => \$opt_32bit,
      'page-offset-32-bit=o' => \$page_offset_32bit,
  );

  # Unknown or malformed options: print usage and exit with status 1.
  GetOptions(%option_spec) or help(1);

  # --help: print usage and exit successfully.
  if ($help) {
      help(0);
  }
  # --input-raw: report on previously saved results instead of scanning.
  if ($input_raw) {
      format_output($input_raw);
      exit(0);
  }

  # Summary (squashed) reports can only be produced from saved raw results.
  if (($squash_by_path or $squash_by_filename) and !$input_raw) {
      print "\nSummary reporting only available with --input-raw=<file>\n";
      print "(First run scan with --output-raw=<file>.)\n";
      exit(128);
  }

  # Refuse to scan unless the architecture is auto-detected as supported or
  # the user forced 32-bit handling on the command line.
  unless (is_supported_architecture() or $opt_32bit or $page_offset_32bit) {
      print "\nScript does not support your architecture, sorry.\n";
      print "\nCurrently we support: \n\n";
      printf "\t%s\n", $_ foreach @SUPPORTED_ARCHITECTURES;
      print "\n";

      print "If you are running a 32-bit architecture you may use:\n";
      print "\n\t--32-bit or --page-offset-32-bit=<page offset>\n\n";

      # Not chomped: the trailing newline of `uname -m` is printed as well.
      my $archname = `uname -m`;
      printf("Machine hardware name (`uname -m`): %s\n", $archname);

      exit(129);
  }
  # --output-raw: make the given file the default output handle so every
  # later print/printf without an explicit handle is written to it.
  if ($output_raw) {
      open(my $raw_out, '>', $output_raw)
          or die "$0: $output_raw: $!\n";
      select($raw_out);
  }
  # --kallsyms: load the symbol file into @kallsyms as [packed address,
  # symbol] pairs. parse_binary() later searches binary files for the
  # packed byte strings.
  if ($kallsyms_file) {
      open my $fh, '<', $kallsyms_file or die "$0: $kallsyms_file: $!\n";
      while (my $line = <$fh>) {
          chomp $line;

          # Fields are separated by single spaces; the first is the
          # address text and the third is the symbol name.
          my ($addr_text, undef, $symbol) = split / /, $line;

          # Blank or truncated lines would otherwise store an undefined
          # symbol (and trigger warnings here and in parse_binary()).
          next unless defined $addr_text and defined $symbol;

          # Only keep kernel text addresses: entries whose address text
          # starts with '0' are dropped.
          next if $addr_text =~ /^0/;

          # TODO: Why is hex() so impossibly slow?
          # NOTE(review): presumably because `use bigint qw/hex/` swaps in
          # a big-integer hex() - confirm before optimising.
          my $addr = hex($addr_text);

          # "J" packs the address as a native unsigned integer.
          push @kallsyms, [pack("J", $addr), $symbol];
      }
      close $fh;
  }
  # Run the scan: kernel log first, then every file below @DIRS.
  parse_dmesg();
  walk(@DIRS);

  exit(0);
  # printf-style debug output on STDERR. The first argument is the format,
  # the rest are its values. Prints nothing unless --debug was given.
  sub dprint
  {
      return unless $debug;
      printf STDERR @_;
  }
  # True if the running machine is one of the architectures this script can
  # auto-detect (x86_64, ppc64 or 32-bit x86).
  sub is_supported_architecture
  {
      return 1 if is_x86_64();
      return 1 if is_ppc64();
      return is_ix86_32();
  }
  # True if addresses should be treated as 32-bit: either forced with
  # --32-bit / --page-offset-32-bit, or detected via is_ix86_32().
  sub is_32bit
  {
      # Command line flags take precedence over auto-detection.
      my $forced = ($opt_32bit or $page_offset_32bit);

      return $forced ? 1 : is_ix86_32();
  }
  # Returns 1 if `uname -m` reports an i386/i486/i586/i686 machine, else 0.
  sub is_ix86_32
  {
      # `uname -m` is executed once only; the result is kept across calls.
      state $arch = `uname -m`;
      chomp $arch;

      return ($arch =~ m/i[3456]86/) ? 1 : 0;
  }
  # Returns 1 if the output of `uname -m` equals $desc exactly, else 0.
  # Runs `uname -m` on every call.
  sub is_arch
  {
      my ($desc) = @_;

      chomp(my $machine = `uname -m`);

      return ($machine eq $desc) ? 1 : 0;
  }
  # True if the machine is x86_64. The is_arch() result is computed on the
  # first call and reused afterwards.
  sub is_x86_64
  {
      state $cached = is_arch('x86_64');
      return $cached;
  }
  # True if the machine is ppc64. The is_arch() result is computed on the
  # first call and reused afterwards.
  sub is_ppc64
  {
      state $cached = is_arch('ppc64');
      return $cached;
  }
  # Gets config option value from kernel config file.
  #
  # The config source is chosen in this order:
  #   1. the file given with --kernel-config-file,
  #   2. /proc/config.gz (decompressed into a temporary file),
  #   3. /boot/config-<`uname -r`>, then /boot/config.
  #
  # Returns "" on error or if config option not found.
  sub get_kernel_config_option
  {
      my ($option) = @_;
      my @config_files;

      # Allow --kernel-config-file to override.
      if ($kernel_config_file ne "") {
          @config_files = ($kernel_config_file);
      } elsif (-R "/proc/config.gz") {
          # TMPDIR => 1 puts the file in the system temp directory rather
          # than the current directory, which may not be writable.
          my ($tmp_fh, $tmp_file) = tempfile("config.gz-XXXXXX",
                                             TMPDIR => 1,
                                             UNLINK => 1);

          # List-form pipe open: gunzip runs without a shell, so the temp
          # file name never has to be quoted.
          my $ok = open(my $gunzip, '-|', 'gunzip', '-c', '/proc/config.gz');
          if ($ok) {
              # Lexical loop variable: callers rely on $_ being untouched.
              while (my $chunk = <$gunzip>) {
                  print {$tmp_fh} $chunk;
              }
              # close() on a pipe is false if the command exited non-zero.
              $ok = close($gunzip);
          }
          close $tmp_fh;

          if (!$ok) {
              dprint("gunzip of /proc/config.gz failed\n");
              return "";
          }
          @config_files = ($tmp_file);
      } else {
          chomp(my $release = `uname -r`);
          @config_files = ("/boot/config-$release", '/boot/config');
      }

      foreach my $file (@config_files) {
          # Pass the name as an argument, not as part of the format string.
          dprint("parsing config file: %s\n", $file);
          my $value = option_from_file($option, $file);
          return $value if $value ne "";
      }

      return "";
  }
  # Parses $file and returns kernel configuration option value.
  #
  # Looks for the first line of the form "<option>=<value>" and returns
  # everything after the first '=' (without the trailing newline). The
  # option name must match exactly, so a longer option sharing the same
  # prefix is not picked up by mistake.
  #
  # Returns "" if the file cannot be opened or the option is not found.
  sub option_from_file
  {
      my ($option, $file) = @_;
      my $val = "";

      open(my $fh, "<", $file) or return "";

      while (my $line = <$fh>) {
          chomp $line;
          # \Q..\E: treat the option name literally, not as a pattern.
          if ($line =~ /^\Q$option\E=(.*)$/) {
              $val = $1;
              last;
          }
      }

      close $fh;
      return $val;
  }
  # Returns 1 if $match (text matched by the address regex) is a known
  # false positive rather than a leaked kernel address, else 0.
  # 32-bit handling is delegated to is_false_positive_32bit().
  sub is_false_positive
  {
      my ($match) = @_;

      return is_false_positive_32bit($match) if is_32bit();

      # Ignore 64 bit false positives:
      # 0xfffffffffffffff[0-f]
      # 0x0000000000000000
      # The last digit accepts either case, like the leading f/F digits.
      if ($match =~ /\b(?:0x)?[fF]{15}[[:xdigit:]]\b/ or
          $match =~ /\b(?:0x)?0{16}\b/) {
          return 1;
      }

      # On x86_64 addresses inside the vsyscall region are not leaks.
      return 1 if is_x86_64() and is_in_vsyscall_memory_region($match);

      return 0;
  }
  # 32-bit variant of is_false_positive(). Returns 1 if $match is
  # 0xfffffff[0-f] (either case) or lies below the kernel page offset,
  # else 0.
  sub is_false_positive_32bit
  {
      my ($match) = @_;

      # Looked up once; the page offset does not change during a scan.
      state $page_offset = get_page_offset();

      # The last digit accepts either case, like the leading f/F digits;
      # otherwise "FFFFFFFF" would be reported as a leak.
      return 1 if $match =~ /\b(?:0x)?[fF]{7}[[:xdigit:]]\b/;

      # Values below the page offset are filtered out.
      return 1 if hex($match) < $page_offset;

      return 0;
  }
  # Returns the page offset used to filter 32-bit addresses:
  #   - the --page-offset-32-bit value when it is non-zero, otherwise
  #   - CONFIG_PAGE_OFFSET exactly as read from the kernel config, otherwise
  #   - 0xc0000000 when the option is missing, empty or zero.
  sub get_page_offset
  {
      my $default_offset = 0xc0000000;

      # Allow --page-offset-32-bit to override.
      return $page_offset_32bit if $page_offset_32bit != 0;

      my $configured = get_kernel_config_option('CONFIG_PAGE_OFFSET');

      return $configured ? $configured : $default_offset;
  }
  # True if the hex string $match, read as a number, lies within
  # 0xffffffffff600000 .. 0xffffffffff601000 (both ends inclusive).
  sub is_in_vsyscall_memory_region
  {
      my ($match) = @_;

      my $lowest  = hex("0xffffffffff600000");
      my $highest = hex("0xffffffffff601000");
      my $address = hex($match);

      my $at_or_above_min = ($address >= $lowest);
      return ($at_or_above_min and $address <= $highest);
  }
  # True if argument potentially contains a kernel address.
  #
  # $path is the file (or "dmesg") that $line came from. Returns 1 when
  # $line has at least one address-shaped token that is not a known false
  # positive, else 0.
  sub may_leak_address
  {
      my ($path, $line) = @_;

      # Ignore Signal masks.
      foreach my $sig_prefix ('^SigBlk:', '^SigIgn:', '^SigCgt:') {
          return 0 if $line =~ $sig_prefix;
      }

      # Ignore input device reporting.
      # /proc/bus/input/devices: B: KEY=402000000 3803078f800d001 feffffdfffefffff fffffffffffffffe
      # /sys/devices/platform/i8042/serio0/input/input1/uevent: KEY=402000000 3803078f800d001 feffffdfffefffff fffffffffffffffe
      # /sys/devices/platform/i8042/serio0/input/input1/capabilities/key: 402000000 3803078f800d001 feffffdfffefffff fffffffffffffffe
      return 0
          if $line =~ '\bKEY=[[:xdigit:]]{9,14} [[:xdigit:]]{16} [[:xdigit:]]{16}\b';
      if ($path =~ '\bkey$') {
          return 0
              if $line =~ '\b[[:xdigit:]]{9,14} [[:xdigit:]]{16} [[:xdigit:]]{16}\b';
      }

      # Check every address-shaped token; the first real one decides.
      my $address_re = get_address_re();
      while ($line =~ /($address_re)/g) {
          return 1 unless is_false_positive($1);
      }

      return 0;
  }
  # Returns the regular expression (as a string) that matches a kernel
  # address on the current architecture: ppc64 first, then 32-bit,
  # otherwise the x86_64 pattern.
  sub get_address_re
  {
      return '\b(0x)?[89abcdef]00[[:xdigit:]]{13}\b' if is_ppc64();
      return '\b(0x)?[[:xdigit:]]{8}\b' if is_32bit();

      return get_x86_64_re();
  }
  # Returns the x86_64 address regular expression (as a string).
  #
  # We handle page table levels but only if explicitly configured using
  # CONFIG_PGTABLE_LEVELS. If config file parsing fails or config option
  # is not found we default to using address regular expression suitable
  # for 4 page table levels.
  sub get_x86_64_re
  {
      # Read from the kernel config on the first call only.
      state $ptl = get_kernel_config_option('CONFIG_PGTABLE_LEVELS');

      return ($ptl == 5)
          ? '\b(0x)?ff[[:xdigit:]]{14}\b'
          : '\b(0x)?ffff[[:xdigit:]]{12}\b';
  }
  # Runs `dmesg` and prints every output line that may contain a kernel
  # address, prefixed with "dmesg: ". If dmesg cannot be started a message
  # is written to STDERR and the dmesg scan is skipped.
  sub parse_dmesg
  {
      open(my $cmd, '-|', 'dmesg') or do {
          printf STDERR "%s: cannot run dmesg: %s\n", $0, $!;
          return;
      };

      while (my $line = <$cmd>) {
          if (may_leak_address("dmesg", $line)) {
              print 'dmesg: ' . $line;
          }
      }

      close $cmd;
  }
  # True if we should skip this path.
  #
  # Returns 1 when $path is listed in @skip_abs, or when its last path
  # component is listed in @skip_any; otherwise 0. Entries are compared as
  # plain strings, so characters in $path that are special in regular
  # expressions cannot cause a wrong match or an invalid pattern.
  sub skip
  {
      my ($path) = @_;

      foreach my $abs_path (@skip_abs) {
          return 1 if $abs_path eq $path;
      }

      # fileparse() returns (filename, directories, suffix); only the
      # filename is needed here.
      my ($filename) = fileparse($path);
      foreach my $name (@skip_any) {
          return 1 if $name eq $filename;
      }

      return 0;
  }
  # Parses $file with parse_file(), giving up after $TIMEOUT seconds.
  # A timeout is reported on STDERR; any other error raised while parsing
  # is re-thrown.
  sub timed_parse_file
  {
      my ($file) = @_;

      eval {
          # The handler's message is compared below, hence the exact text.
          local $SIG{ALRM} = sub { die "alarm\n" }; # NB: \n required.
          alarm($TIMEOUT);
          parse_file($file);
          alarm(0);
      };

      # No error: parsing finished in time.
      return unless $@;

      die unless $@ eq "alarm\n"; # Propagate unexpected errors.
      printf STDERR "timed out parsing: %s\n", $file;
  }
  # Searches the raw bytes of $file for each packed address in @kallsyms
  # and prints "<file>: <symbol> @ <offset>" for the first occurrence of
  # every address found. Files that cannot be opened or read are ignored.
  sub parse_binary
  {
      my ($file) = @_;

      open my $fh, "<:raw", $file or return;
      # Slurp the whole file; $/ is only changed inside this do block.
      my $bytes = do { local $/ = undef; <$fh> };
      close $fh;

      # A failed read leaves $bytes undefined; there is nothing to search.
      return unless defined $bytes;

      foreach my $entry (@kallsyms) {
          my ($addr, $symbol) = @$entry;
          my $offset = index($bytes, $addr);
          next if $offset == -1;

          # print, not printf: a '%' in the file or symbol name must not
          # be treated as a format directive.
          print "$file: $symbol @ $offset\n";
      }
  }
  # Scans one file for leaking addresses.
  #
  # Unreadable files are ignored. Non-text files are searched with
  # parse_binary() when kallsyms entries are loaded, except for a few
  # binary-only locations that are skipped outright. Text files are read
  # line by line and every suspicious line is printed as "<file>: <line>".
  sub parse_file
  {
      my ($file) = @_;

      return if (! -R $file);

      if (! -T $file) {
          # Binary files under these paths are never scanned.
          if ($file =~ m|^/sys/kernel/btf/| or
              $file =~ m|^/sys/devices/pci| or
              $file =~ m|^/sys/firmware/efi/efivars/| or
              $file =~ m|^/proc/bus/pci/|) {
              return;
          }

          parse_binary($file) if (scalar @kallsyms > 0);
          return;
      }

      open my $fh, "<", $file or return;
      while (my $line = <$fh>) {
          chomp $line;
          if (may_leak_address($file, $line)) {
              # print, not printf: file content often contains '%', which
              # printf would treat as a format directive.
              print "$file: $line\n";
          }
      }
      close $fh;
  }
  # Checks if the actual path name is leaking a kernel address and, if so,
  # prints "Path name may contain address: <path>".
  sub check_path_for_leaks
  {
      my ($path) = @_;

      if (may_leak_address($path, $path)) {
          # print, not printf: a '%' in the path must be shown literally.
          print "Path name may contain address: $path\n";
      }
  }
  # Recursively walk directory tree.
  #
  # Takes the list of directories to start from. Subdirectories are added
  # to the work list as they are found. Symbolic links, /proc/<PID>
  # directories other than /proc/1, and anything skip() rejects are
  # ignored. Every remaining path name is checked for leaks, and every
  # non-directory is parsed with a timeout.
  sub walk
  {
      my @dirs = @_;

      while (my $pwd = shift @dirs) {
          # Lexical directory handle: no shared global handle.
          opendir(my $dh, $pwd) or next;
          my @files = readdir($dh);
          closedir($dh);

          foreach my $file (@files) {
              next if ($file eq '.' or $file eq '..');

              my $path = "$pwd/$file";
              next if (-l $path);

              # skip /proc/PID except /proc/1
              next if (($path =~ /^\/proc\/[0-9]+$/) &&
                       ($path !~ /^\/proc\/1$/));

              next if (skip($path));

              check_path_for_leaks($path);

              if (-d $path) {
                  push @dirs, $path;
                  next;
              }

              # Pass the path as an argument, not as part of the format.
              dprint("parsing: %s\n", $path);
              timed_parse_file($path);
          }
      }
  }
  # Reports on a raw results file: either dumps it as is, or prints the
  # total count followed by the requested squashed summaries.
  sub format_output
  {
      my ($file) = @_;

      my $summary_wanted = ($squash_by_path or $squash_by_filename);

      # Default is to show raw results.
      if ($raw or !$summary_wanted) {
          dump_raw_output($file);
          return;
      }

      my ($total, $dmesg, $paths, $files) = parse_raw_file($file);

      printf "\nTotal number of results from scan (incl dmesg): %d\n", $total;

      print_dmesg($dmesg) unless $suppress_dmesg;
      squash_by($files, 'filename') if $squash_by_filename;
      squash_by($paths, 'path') if $squash_by_path;
  }
  # Prints the raw results file unchanged, leaving out lines that start
  # with "dmesg:" when --suppress-dmesg is in effect. Dies if the file
  # cannot be opened.
  sub dump_raw_output
  {
      my ($file) = @_;

      open (my $fh, '<', $file) or die "$0: $file: $!\n";

      while (my $line = <$fh>) {
          next if $suppress_dmesg and substr($line, 0, 6) eq "dmesg:";
          print $line;
      }

      close $fh;
  }
  # Reads a raw results file and groups its lines.
  #
  # Returns a four element list:
  #   - total number of lines read,
  #   - array ref of the lines that start with "dmesg:",
  #   - hash ref keyed by path (filled by cache_path()),
  #   - hash ref keyed by filename (filled by cache_filename()).
  # Dies if the file cannot be opened.
  sub parse_raw_file
  {
      my ($file) = @_;

      my $total = 0;  # Total number of lines parsed.
      my (@dmesg,     # dmesg output.
          %files,     # Unique filenames containing leaks.
          %paths);    # Unique paths containing leaks.

      open (my $fh, '<', $file) or die "$0: $file: $!\n";

      while (my $line = <$fh>) {
          $total++;

          if (substr($line, 0, 6) eq "dmesg:") {
              push @dmesg, $line;
          } else {
              cache_path(\%paths, $line);
              cache_filename(\%files, $line);
          }
      }

      return ($total, \@dmesg, \%paths, \%files);
  }
  # Prints the dmesg section of the summary report. $dmesg is an array ref
  # of raw result lines; each is printed from just after its first ': '.
  sub print_dmesg
  {
      my ($dmesg) = @_;

      print "\ndmesg output:\n";

      unless (@$dmesg) {
          print "<no results>\n";
          return;
      }

      for my $entry (@$dmesg) {
          # skip ': '
          my $text_start = index($entry, ': ') + 2;
          print substr($entry, $text_start);
      }
  }
  # Prints one summary line per key of %$ref: the number of results stored
  # under the key, the key itself and the first stored result as example.
  #
  # $ref  - hash ref mapping a key to an array ref of result lines.
  # $desc - word describing the keys ('path' or 'filename'); used in the
  #         heading only.
  #
  # Keys are printed in sorted order so the report is the same on every
  # run.
  sub squash_by
  {
      my ($ref, $desc) = @_;

      print "\nResults squashed by $desc (excl dmesg). ";
      print "Displaying [<number of results> <$desc>], <example result>\n";

      if (keys %$ref == 0) {
          print "<no results>\n";
          return;
      }

      foreach my $key (sort keys %$ref) {
          my $lines = $ref->{$key};
          # The stored result lines carry their own trailing newline.
          printf "[%d %s] %s", scalar(@$lines), $key, $lines->[0];
      }
  }
  # Splits a raw result line at its first ': ' and stores the text after
  # it in %$paths under the text before it (the path).
  sub cache_path
  {
      my ($paths, $line) = @_;

      my $sep_at = index($line, ': ');
      my $path   = substr($line, 0, $sep_at);
      my $result = substr($line, $sep_at + 2);  # skip ': '

      add_to_cache($paths, $path, $result);
  }
  # Splits a raw result line at its first ': ' and stores the text after
  # it in %$files under the basename of the text before it.
  sub cache_filename
  {
      my ($files, $line) = @_;

      my $sep_at   = index($line, ': ');
      my $filename = basename(substr($line, 0, $sep_at));
      my $result   = substr($line, $sep_at + 2);  # skip ': '

      add_to_cache($files, $filename, $result);
  }
  # Appends $value to the list stored under $key in the hash ref $cache.
  # The list is created on first use: push autovivifies the array ref, so
  # no explicit initialisation is needed.
  sub add_to_cache
  {
      my ($cache, $key, $value) = @_;

      push @{ $cache->{$key} }, $value;
  }