]>
Commit | Line | Data |
---|---|---|
136fc5c4 TH |
1 | #!/usr/bin/env perl |
2 | # | |
3 | # (c) 2017 Tobin C. Harding <me@tobin.cc> | |
4 | # Licensed under the terms of the GNU GPL License version 2 | |
5 | # | |
6 | # leaking_addresses.pl: Scan 64 bit kernel for potential leaking addresses. | |
7 | # - Scans dmesg output. | |
8 | # - Walks directory tree and parses each file (for each directory in @DIRS). | |
9 | # | |
136fc5c4 TH |
10 | # Use --debug to output path before parsing, this is useful to find files that |
11 | # cause the script to choke. | |
12 | # | |
13 | # You may like to set kptr_restrict=2 before running script | |
14 | # (see Documentation/sysctl/kernel.txt). | |
15 | ||
16 | use warnings; | |
17 | use strict; | |
18 | use POSIX; | |
19 | use File::Basename; | |
20 | use File::Spec; | |
21 | use Cwd 'abs_path'; | |
22 | use Term::ANSIColor qw(:constants); | |
23 | use Getopt::Long qw(:config no_auto_abbrev); | |
62139c12 | 24 | use Config; |
136fc5c4 TH |
25 | |
26 | my $P = $0; | |
27 | my $V = '0.01'; | |
28 | ||
29 | # Directories to scan. | |
30 | my @DIRS = ('/proc', '/sys'); | |
31 | ||
62139c12 TH |
32 | # Script can only grep for kernel addresses on the following architectures. If |
33 | # your architecture is not listed here and has a grep'able kernel address please | |
34 | # consider submitting a patch. | |
35 | my @SUPPORTED_ARCHITECTURES = ('x86_64', 'ppc64'); | |
36 | ||
136fc5c4 TH |
37 | # Command line options. |
38 | my $help = 0; | |
39 | my $debug = 0; | |
d09bd8da TH |
40 | my $raw = 0; |
41 | my $output_raw = ""; # Write raw results to file. | |
42 | my $input_raw = ""; # Read raw results from file instead of scanning. | |
43 | ||
44 | my $suppress_dmesg = 0; # Don't show dmesg in output. | |
45 | my $squash_by_path = 0; # Summary report grouped by absolute path. | |
46 | my $squash_by_filename = 0; # Summary report grouped by filename. | |
136fc5c4 TH |
47 | |
48 | # Do not parse these files (absolute path). | |
49 | my @skip_parse_files_abs = ('/proc/kmsg', | |
50 | '/proc/kcore', | |
51 | '/proc/fs/ext4/sdb1/mb_groups', | |
52 | '/proc/1/fd/3', | |
1c1e3be0 TH |
53 | '/sys/firmware/devicetree', |
54 | '/proc/device-tree', | |
136fc5c4 TH |
55 | '/sys/kernel/debug/tracing/trace_pipe', |
56 | '/sys/kernel/security/apparmor/revision'); | |
57 | ||
a284733e | 58 | # Do not parse these files under any subdirectory. |
136fc5c4 TH |
59 | my @skip_parse_files_any = ('0', |
60 | '1', | |
61 | '2', | |
62 | 'pagemap', | |
63 | 'events', | |
64 | 'access', | |
65 | 'registers', | |
66 | 'snapshot_raw', | |
67 | 'trace_pipe_raw', | |
68 | 'ptmx', | |
69 | 'trace_pipe'); | |
70 | ||
71 | # Do not walk these directories (absolute path). | |
72 | my @skip_walk_dirs_abs = (); | |
73 | ||
74 | # Do not walk these directories under any subdirectory. | |
75 | my @skip_walk_dirs_any = ('self', | |
76 | 'thread-self', | |
77 | 'cwd', | |
78 | 'fd', | |
1c1e3be0 | 79 | 'usbmon', |
136fc5c4 TH |
80 | 'stderr', |
81 | 'stdin', | |
82 | 'stdout'); | |
83 | ||
84 | sub help | |
85 | { | |
86 | my ($exitcode) = @_; | |
87 | ||
88 | print << "EOM"; | |
d09bd8da | 89 | |
136fc5c4 TH |
90 | Usage: $P [OPTIONS] |
91 | Version: $V | |
92 | ||
93 | Options: | |
94 | ||
d09bd8da TH |
95 | -o, --output-raw=<file> Save results for future processing. |
96 | -i, --input-raw=<file> Read results from file instead of scanning. | |
97 | --raw Show raw results (default). | |
98 | --suppress-dmesg Do not show dmesg results. | |
99 | --squash-by-path Show one result per unique path. | |
100 | --squash-by-filename Show one result per unique filename. | |
101 | -d, --debug Display debugging output. | |
102 | -h, --help, --version Display this help and exit. | |
103 | ||
104 | Examples: | |
105 | ||
106 | # Scan kernel and dump raw results. | |
107 | $0 | |
108 | ||
109 | # Scan kernel and save results to file. | |
110 | $0 --output-raw scan.out | |
111 | ||
112 | # View summary report. | |
113 | $0 --input-raw scan.out --squash-by-filename | |
136fc5c4 | 114 | |
136fc5c4 TH |
115 | Scans the running (64 bit) kernel for potential leaking addresses. |
116 | ||
117 | EOM | |
118 | exit($exitcode); | |
119 | } | |
120 | ||
121 | GetOptions( | |
136fc5c4 TH |
122 | 'd|debug' => \$debug, |
123 | 'h|help' => \$help, | |
d09bd8da TH |
124 | 'version' => \$help, |
125 | 'o|output-raw=s' => \$output_raw, | |
126 | 'i|input-raw=s' => \$input_raw, | |
127 | 'suppress-dmesg' => \$suppress_dmesg, | |
128 | 'squash-by-path' => \$squash_by_path, | |
129 | 'squash-by-filename' => \$squash_by_filename, | |
130 | 'raw' => \$raw, | |
136fc5c4 TH |
131 | ) or help(1); |
132 | ||
133 | help(0) if ($help); | |
134 | ||
d09bd8da TH |
135 | if ($input_raw) { |
136 | format_output($input_raw); | |
137 | exit(0); | |
138 | } | |
139 | ||
140 | if (!$input_raw and ($squash_by_path or $squash_by_filename)) { | |
141 | printf "\nSummary reporting only available with --input-raw=<file>\n"; | |
142 | printf "(First run scan with --output-raw=<file>.)\n"; | |
143 | exit(128); | |
144 | } | |
145 | ||
62139c12 TH |
146 | if (!is_supported_architecture()) { |
147 | printf "\nScript does not support your architecture, sorry.\n"; | |
148 | printf "\nCurrently we support: \n\n"; | |
149 | foreach(@SUPPORTED_ARCHITECTURES) { | |
150 | printf "\t%s\n", $_; | |
151 | } | |
152 | ||
153 | my $archname = $Config{archname}; | |
154 | printf "\n\$ perl -MConfig -e \'print \"\$Config{archname}\\n\"\'\n"; | |
155 | printf "%s\n", $archname; | |
156 | ||
157 | exit(129); | |
158 | } | |
159 | ||
d09bd8da TH |
160 | if ($output_raw) { |
161 | open my $fh, '>', $output_raw or die "$0: $output_raw: $!\n"; | |
162 | select $fh; | |
163 | } | |
164 | ||
136fc5c4 TH |
165 | parse_dmesg(); |
166 | walk(@DIRS); | |
167 | ||
168 | exit 0; | |
169 | ||
136fc5c4 TH |
170 | sub dprint |
171 | { | |
172 | printf(STDERR @_) if $debug; | |
173 | } | |
174 | ||
62139c12 TH |
175 | sub is_supported_architecture |
176 | { | |
177 | return (is_x86_64() or is_ppc64()); | |
178 | } | |
179 | ||
180 | sub is_x86_64 | |
181 | { | |
182 | my $archname = $Config{archname}; | |
183 | ||
184 | if ($archname =~ m/x86_64/) { | |
185 | return 1; | |
186 | } | |
187 | return 0; | |
188 | } | |
189 | ||
190 | sub is_ppc64 | |
191 | { | |
192 | my $archname = $Config{archname}; | |
193 | ||
194 | if ($archname =~ m/powerpc/ and $archname =~ m/64/) { | |
195 | return 1; | |
196 | } | |
197 | return 0; | |
198 | } | |
199 | ||
136fc5c4 TH |
200 | sub is_false_positive |
201 | { | |
7e5758f7 TH |
202 | my ($match) = @_; |
203 | ||
204 | if ($match =~ '\b(0x)?(f|F){16}\b' or | |
205 | $match =~ '\b(0x)?0{16}\b') { | |
206 | return 1; | |
207 | } | |
136fc5c4 | 208 | |
62139c12 TH |
209 | if (is_x86_64) { |
210 | # vsyscall memory region, we should probably check against a range here. | |
211 | if ($match =~ '\bf{10}600000\b' or | |
212 | $match =~ '\bf{10}601000\b') { | |
213 | return 1; | |
214 | } | |
7e5758f7 | 215 | } |
136fc5c4 | 216 | |
7e5758f7 | 217 | return 0; |
136fc5c4 TH |
218 | } |
219 | ||
220 | # True if argument potentially contains a kernel address. | |
221 | sub may_leak_address | |
222 | { | |
7e5758f7 | 223 | my ($line) = @_; |
62139c12 | 224 | my $address_re; |
136fc5c4 | 225 | |
7e5758f7 TH |
226 | # Signal masks. |
227 | if ($line =~ '^SigBlk:' or | |
228 | $line =~ '^SigCgt:') { | |
229 | return 0; | |
230 | } | |
136fc5c4 | 231 | |
7e5758f7 TH |
232 | if ($line =~ '\bKEY=[[:xdigit:]]{14} [[:xdigit:]]{16} [[:xdigit:]]{16}\b' or |
233 | $line =~ '\b[[:xdigit:]]{14} [[:xdigit:]]{16} [[:xdigit:]]{16}\b') { | |
136fc5c4 | 234 | return 0; |
7e5758f7 | 235 | } |
136fc5c4 | 236 | |
62139c12 TH |
237 | # One of these is guaranteed to be true. |
238 | if (is_x86_64()) { | |
239 | $address_re = '\b(0x)?ffff[[:xdigit:]]{12}\b'; | |
240 | } elsif (is_ppc64()) { | |
241 | $address_re = '\b(0x)?[89abcdef]00[[:xdigit:]]{13}\b'; | |
242 | } | |
243 | ||
244 | while (/($address_re)/g) { | |
7e5758f7 TH |
245 | if (!is_false_positive($1)) { |
246 | return 1; | |
247 | } | |
248 | } | |
136fc5c4 | 249 | |
7e5758f7 | 250 | return 0; |
136fc5c4 TH |
251 | } |
252 | ||
253 | sub parse_dmesg | |
254 | { | |
255 | open my $cmd, '-|', 'dmesg'; | |
256 | while (<$cmd>) { | |
257 | if (may_leak_address($_)) { | |
258 | print 'dmesg: ' . $_; | |
259 | } | |
260 | } | |
261 | close $cmd; | |
262 | } | |
263 | ||
264 | # True if we should skip this path. | |
265 | sub skip | |
266 | { | |
267 | my ($path, $paths_abs, $paths_any) = @_; | |
268 | ||
269 | foreach (@$paths_abs) { | |
270 | return 1 if (/^$path$/); | |
271 | } | |
272 | ||
273 | my($filename, $dirs, $suffix) = fileparse($path); | |
274 | foreach (@$paths_any) { | |
275 | return 1 if (/^$filename$/); | |
276 | } | |
277 | ||
278 | return 0; | |
279 | } | |
280 | ||
281 | sub skip_parse | |
282 | { | |
283 | my ($path) = @_; | |
284 | return skip($path, \@skip_parse_files_abs, \@skip_parse_files_any); | |
285 | } | |
286 | ||
287 | sub parse_file | |
288 | { | |
289 | my ($file) = @_; | |
290 | ||
291 | if (! -R $file) { | |
292 | return; | |
293 | } | |
294 | ||
295 | if (skip_parse($file)) { | |
296 | dprint "skipping file: $file\n"; | |
297 | return; | |
298 | } | |
299 | dprint "parsing: $file\n"; | |
300 | ||
301 | open my $fh, "<", $file or return; | |
302 | while ( <$fh> ) { | |
303 | if (may_leak_address($_)) { | |
304 | print $file . ': ' . $_; | |
305 | } | |
306 | } | |
307 | close $fh; | |
308 | } | |
309 | ||
310 | ||
311 | # True if we should skip walking this directory. | |
312 | sub skip_walk | |
313 | { | |
314 | my ($path) = @_; | |
315 | return skip($path, \@skip_walk_dirs_abs, \@skip_walk_dirs_any) | |
316 | } | |
317 | ||
318 | # Recursively walk directory tree. | |
319 | sub walk | |
320 | { | |
321 | my @dirs = @_; | |
136fc5c4 TH |
322 | |
323 | while (my $pwd = shift @dirs) { | |
324 | next if (skip_walk($pwd)); | |
325 | next if (!opendir(DIR, $pwd)); | |
326 | my @files = readdir(DIR); | |
327 | closedir(DIR); | |
328 | ||
329 | foreach my $file (@files) { | |
330 | next if ($file eq '.' or $file eq '..'); | |
331 | ||
332 | my $path = "$pwd/$file"; | |
333 | next if (-l $path); | |
334 | ||
335 | if (-d $path) { | |
336 | push @dirs, $path; | |
337 | } else { | |
338 | parse_file($path); | |
339 | } | |
340 | } | |
341 | } | |
342 | } | |
d09bd8da TH |
343 | |
344 | sub format_output | |
345 | { | |
346 | my ($file) = @_; | |
347 | ||
348 | # Default is to show raw results. | |
349 | if ($raw or (!$squash_by_path and !$squash_by_filename)) { | |
350 | dump_raw_output($file); | |
351 | return; | |
352 | } | |
353 | ||
354 | my ($total, $dmesg, $paths, $files) = parse_raw_file($file); | |
355 | ||
356 | printf "\nTotal number of results from scan (incl dmesg): %d\n", $total; | |
357 | ||
358 | if (!$suppress_dmesg) { | |
359 | print_dmesg($dmesg); | |
360 | } | |
361 | ||
362 | if ($squash_by_filename) { | |
363 | squash_by($files, 'filename'); | |
364 | } | |
365 | ||
366 | if ($squash_by_path) { | |
367 | squash_by($paths, 'path'); | |
368 | } | |
369 | } | |
370 | ||
371 | sub dump_raw_output | |
372 | { | |
373 | my ($file) = @_; | |
374 | ||
375 | open (my $fh, '<', $file) or die "$0: $file: $!\n"; | |
376 | while (<$fh>) { | |
377 | if ($suppress_dmesg) { | |
378 | if ("dmesg:" eq substr($_, 0, 6)) { | |
379 | next; | |
380 | } | |
381 | } | |
382 | print $_; | |
383 | } | |
384 | close $fh; | |
385 | } | |
386 | ||
387 | sub parse_raw_file | |
388 | { | |
389 | my ($file) = @_; | |
390 | ||
391 | my $total = 0; # Total number of lines parsed. | |
392 | my @dmesg; # dmesg output. | |
393 | my %files; # Unique filenames containing leaks. | |
394 | my %paths; # Unique paths containing leaks. | |
395 | ||
396 | open (my $fh, '<', $file) or die "$0: $file: $!\n"; | |
397 | while (my $line = <$fh>) { | |
398 | $total++; | |
399 | ||
400 | if ("dmesg:" eq substr($line, 0, 6)) { | |
401 | push @dmesg, $line; | |
402 | next; | |
403 | } | |
404 | ||
405 | cache_path(\%paths, $line); | |
406 | cache_filename(\%files, $line); | |
407 | } | |
408 | ||
409 | return $total, \@dmesg, \%paths, \%files; | |
410 | } | |
411 | ||
412 | sub print_dmesg | |
413 | { | |
414 | my ($dmesg) = @_; | |
415 | ||
416 | print "\ndmesg output:\n"; | |
417 | ||
418 | if (@$dmesg == 0) { | |
419 | print "<no results>\n"; | |
420 | return; | |
421 | } | |
422 | ||
423 | foreach(@$dmesg) { | |
424 | my $index = index($_, ': '); | |
425 | $index += 2; # skid ': ' | |
426 | print substr($_, $index); | |
427 | } | |
428 | } | |
429 | ||
430 | sub squash_by | |
431 | { | |
432 | my ($ref, $desc) = @_; | |
433 | ||
434 | print "\nResults squashed by $desc (excl dmesg). "; | |
435 | print "Displaying [<number of results> <$desc>], <example result>\n"; | |
436 | ||
437 | if (keys %$ref == 0) { | |
438 | print "<no results>\n"; | |
439 | return; | |
440 | } | |
441 | ||
442 | foreach(keys %$ref) { | |
443 | my $lines = $ref->{$_}; | |
444 | my $length = @$lines; | |
445 | printf "[%d %s] %s", $length, $_, @$lines[0]; | |
446 | } | |
447 | } | |
448 | ||
449 | sub cache_path | |
450 | { | |
451 | my ($paths, $line) = @_; | |
452 | ||
453 | my $index = index($line, ': '); | |
454 | my $path = substr($line, 0, $index); | |
455 | ||
456 | $index += 2; # skip ': ' | |
457 | add_to_cache($paths, $path, substr($line, $index)); | |
458 | } | |
459 | ||
460 | sub cache_filename | |
461 | { | |
462 | my ($files, $line) = @_; | |
463 | ||
464 | my $index = index($line, ': '); | |
465 | my $path = substr($line, 0, $index); | |
466 | my $filename = basename($path); | |
467 | ||
468 | $index += 2; # skip ': ' | |
469 | add_to_cache($files, $filename, substr($line, $index)); | |
470 | } | |
471 | ||
472 | sub add_to_cache | |
473 | { | |
474 | my ($cache, $key, $value) = @_; | |
475 | ||
476 | if (!$cache->{$key}) { | |
477 | $cache->{$key} = (); | |
478 | } | |
479 | push @{$cache->{$key}}, $value; | |
480 | } |