1. 06 Apr, 2018 11 commits
      leaking_addresses: do not parse binary files · e2858cad
      Tobin C. Harding authored
      Currently script parses binary files.  Since we are scanning for
      readable kernel addresses there is no need to parse binary files.  We
      can use Perl to check if file is binary and skip parsing it if so.
      
      Do not parse binary files.
      Signed-off-by: Tobin C. Harding <me@tobin.cc>
      leaking_addresses: add 32-bit support · 1410fe4e
      Tobin C. Harding authored
      Currently script only supports x86_64 and ppc64.  It would be nice to be
      able to scan 32-bit machines also.  We can add support for 32-bit
      architectures by modifying how we check for false positives, taking
      advantage of the page offset used by the kernel, and using the correct
      regular expression.
      
      Support for 32-bit machines is enabled by the observation that the kernel
      addresses on 32-bit machines are larger [in value] than the page offset.
      We can use this to filter false positives when scanning the kernel for
      leaking addresses.
      
      Programmatic determination of the running architecture is not
      immediately obvious (current 32-bit machines return various strings from
      `uname -m`).  We therefore provide a flag to enable scanning of 32-bit
      kernels.  Also we can check the kernel config file for the offset and if
      not found default to 0xc0000000.  A command line option to parse in the
      page offset is also provided.  We do automatically detect architecture
      if running on ix86.
      
      Add support for 32-bit kernels.  Add a command line option for page
      offset.
      Suggested-by: Kaiwan N Billimoria <kaiwan.billimoria@gmail.com>
      Signed-off-by: Tobin C. Harding <me@tobin.cc>
      leaking_addresses: add is_arch() wrapper subroutine · 5eb0da05
      Tobin C. Harding authored
      Currently there is duplicate code when checking the architecture type.
      We can remove the duplication by implementing a wrapper function
      is_arch().
      
      Implement and use wrapper function is_arch().
      Signed-off-by: Tobin C. Harding <me@tobin.cc>
      leaking_addresses: use system command to get arch · 6efb7458
      Tobin C. Harding authored
      Currently script uses Perl to get the machine architecture. This can be
      erroneous since Perl uses the architecture of the machine that Perl was
      compiled on, not the architecture of the running machine. We should use
      the system's `uname` command instead.
      
      Use `uname -m` instead of Perl to get the machine architecture.
      Signed-off-by: Tobin C. Harding <me@tobin.cc>
      leaking_addresses: add support for 5 page table levels · 2f042c93
      Tobin C. Harding authored
      Currently script only supports 4 page table levels because of the way
      the kernel address regular expression is crafted. We can do better than
      this. Using previously added support for kernel configuration options we
      can get the number of page table levels defined by
      CONFIG_PGTABLE_LEVELS. Using this value a correct regular expression can
      be crafted. This only supports 5 page tables on x86_64.
      
      Add support for 5 page table levels on x86_64.
      Signed-off-by: Tobin C. Harding <me@tobin.cc>
      leaking_addresses: add support for kernel config file · f9d2a42d
      Tobin C. Harding authored
      Features that rely on the ability to get kernel configuration options
      are ready to be implemented in script. In preparation for this we can
      add support for kernel config options as a separate patch to ease
      review.
      
      Add support for locating and parsing kernel configuration file.
      Signed-off-by: Tobin C. Harding <me@tobin.cc>
      leaking_addresses: add range check for vsyscall memory · 87e37588
      Tobin C. Harding authored
      Currently script checks only first and last address in the vsyscall
      memory range. We can do better than this. When checking for false
      positives against $match, we can convert $match to a hexadecimal value
      then check if it lies within the range of vsyscall addresses.
      
      Check whole range of vsyscall addresses when checking for false
      positive.
      Signed-off-by: Tobin C. Harding <me@tobin.cc>
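The false-positive filtering described in the vsyscall, 5-page-table-level and 32-bit commits above, as an added Python example that is not the script's own Perl code. The vsyscall bounds, the hypothetical `ix86` arch label and the sample lines are assumptions of this example.

```python
import re

# Assumed x86_64 vsyscall page bounds (the commit names the range, not its
# values); treated as inclusive, matching "first and last address" above.
VSYSCALL_START = 0xFFFFFFFFFF600000
VSYSCALL_END = 0xFFFFFFFFFF601000

def address_regex(arch, page_table_levels=4):
    """Candidate kernel-address pattern for the given architecture."""
    if arch == "x86_64":
        # 5-level paging fixes only the top byte (0xff..); 4-level fixes 0xffff.
        if page_table_levels == 5:
            return re.compile(r"\b(0x)?ff[0-9a-fA-F]{14}\b")
        return re.compile(r"\b(0x)?ffff[0-9a-fA-F]{12}\b")
    if arch == "ix86":
        # Any 8-digit hex run; the page offset check below does the filtering.
        return re.compile(r"\b(0x)?[0-9a-fA-F]{8}\b")
    raise ValueError(f"unsupported arch: {arch}")

def is_false_positive(match, arch, page_offset=0xC0000000):
    value = int(match, 16)
    if arch == "ix86":
        # 32-bit: kernel addresses lie at or above PAGE_OFFSET (0xc0000000 default).
        return value < page_offset
    digits = match.lower()[2:] if match.lower().startswith("0x") else match.lower()
    if digits in ("0" * 16, "f" * 16):
        return True
    # Whole vsyscall range, not just its endpoints.
    return VSYSCALL_START <= value <= VSYSCALL_END

def find_leaks(text, arch="x86_64", page_table_levels=4, page_offset=0xC0000000):
    """Return (line, address) pairs that survive the false-positive filter."""
    regex = address_regex(arch, page_table_levels)
    hits = []
    for line in text.splitlines():
        for m in regex.finditer(line):
            if not is_false_positive(m.group(0), arch, page_offset):
                hits.append((line, m.group(0)))
    return hits

# Constructed sample lines, not real dmesg output.
SAMPLE_X86_64 = """\
[    1.234567] foo: registered at ffff8800ba9d2000
[    1.234568] bar: vsyscall page entry at ffffffffff600800
[    1.234569] baz: mask ffffffffffffffff
"""
SAMPLE_IX86 = """\
[    2.000000] qux: buffer at c1234abc
[    2.000001] quux: user pointer b7f0e000
"""
```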
      leaking_addresses: indent dependent options · 15d60a35
      Tobin C. Harding authored
      A number of the command line options to script are dependent on the
      option --input-raw being set. If we indent these options it makes
      this dependency explicit.
      
      Indent options dependent on --input-raw.
      Signed-off-by: Tobin C. Harding <me@tobin.cc>
      leaking_addresses: remove command examples · 6145de83
      Tobin C. Harding authored
      Currently help output includes command examples. These were cute when we
      first started development of this script but are unnecessary.
      
      Remove command examples.
      Signed-off-by: Tobin C. Harding <me@tobin.cc>
      leaking_addresses: remove mention of kptr_restrict · 20cdfb5f
      Tobin C. Harding authored
      leaking_addresses.pl can be run with kptr_restrict==0 now, we don't need
      the comment about setting kptr_restrict any more.
      
      Remove comment suggesting setting kptr_restrict.
      Signed-off-by: Tobin C. Harding <me@tobin.cc>
      leaking_addresses: fix typo function not called · 6d23dd9b
      Tobin C. Harding authored
      Currently code uses a check against an undefined variable because the
      variable is a subroutine name and is not evaluated.
      
      Evaluate subroutine; add parentheses to subroutine name.
      Signed-off-by: Tobin C. Harding <me@tobin.cc>
  2. 13 Nov, 2017 9 commits
  3. 06 Nov, 2017 1 commit
      scripts: add leaking_addresses.pl · 136fc5c4
      Tobin C. Harding authored
      Currently we are leaking addresses from the kernel to user space. This
      script is an attempt to find some of those leakages. Script parses
      `dmesg` output and /proc and /sys files for hex strings that look like
      kernel addresses.
      
      Only works for 64-bit kernels, the reason being that kernel addresses on
      64-bit kernels have 'ffff' as the leading bit pattern, making grepping
      possible. On 32-bit kernels we don't have this luxury.
      
      Script is _slightly_ smarter than a straight grep: we check for false
      positives (all 0's or all 1's, and vsyscall start/finish addresses).
      
      [ I think there is a lot of room for improvement here, but it's already
        useful, so I'm merging it as-is. The whole "hash %p format" series is
        expected to go into 4.15, but will not fix %x users, and will not
        incentivize people to look at what they are leaking.     - Linus ]
      Signed-off-by: Tobin C. Harding <me@tobin.cc>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>