3 # (c) 2017 Tobin C. Harding <me@tobin.cc>
4 # Licensed under the terms of the GNU GPL License version 2
6 # leaking_addresses.pl: Scan 64 bit kernel for potential leaking addresses.
7 # - Scans dmesg output.
8 # - Walks directory tree and parses each file (for each directory in @DIRS).
10 # Use --debug to output path before parsing, this is useful to find files that
11 # cause the script to choke.
13 # You may like to set kptr_restrict=2 before running script
14 # (see Documentation/sysctl/kernel.txt).
22 use Term::ANSIColor qw(:constants);
23 use Getopt::Long qw(:config no_auto_abbrev);
29 # Directories to scan.
30 my @DIRS = ('/proc', '/sys');
32 # Timer for parsing each file, in seconds.
35 # Script can only grep for kernel addresses on the following architectures. If
36 # your architecture is not listed here and has a grep'able kernel address please
37 # consider submitting a patch.
38 my @SUPPORTED_ARCHITECTURES = ('x86_64', 'ppc64');
40 # Command line options.
44 my $output_raw = ""; # Write raw results to file.
45 my $input_raw = ""; # Read raw results from file instead of scanning.
47 my $suppress_dmesg = 0; # Don't show dmesg in output.
48 my $squash_by_path = 0; # Summary report grouped by absolute path.
49 my $squash_by_filename = 0; # Summary report grouped by filename.
51 # Do not parse these files (absolute path).
52 my @skip_parse_files_abs = ('/proc/kmsg',
54 '/proc/fs/ext4/sdb1/mb_groups',
56 '/sys/firmware/devicetree',
58 '/sys/kernel/debug/tracing/trace_pipe',
59 '/sys/kernel/security/apparmor/revision');
61 # Do not parse these files under any subdirectory.
62 my @skip_parse_files_any = ('0',
74 # Do not walk these directories (absolute path).
75 my @skip_walk_dirs_abs = ();
77 # Do not walk these directories under any subdirectory.
78 my @skip_walk_dirs_any = ('self',
98 -o, --output-raw=<file> Save results for future processing.
99 -i, --input-raw=<file> Read results from file instead of scanning.
100 --raw Show raw results (default).
101 --suppress-dmesg Do not show dmesg results.
102 --squash-by-path Show one result per unique path.
103 --squash-by-filename Show one result per unique filename.
104 -d, --debug Display debugging output.
105 -h, --help, --version Display this help and exit.
109 # Scan kernel and dump raw results.
112 # Scan kernel and save results to file.
113 $0 --output-raw scan.out
115 # View summary report.
116 $0 --input-raw scan.out --squash-by-filename
118 Scans the running (64 bit) kernel for potential leaking addresses.
125 'd|debug' => \$debug,
128 'o|output-raw=s' => \$output_raw,
129 'i|input-raw=s' => \$input_raw,
130 'suppress-dmesg' => \$suppress_dmesg,
131 'squash-by-path' => \$squash_by_path,
132 'squash-by-filename' => \$squash_by_filename,
139 format_output($input_raw);
143 if (!$input_raw and ($squash_by_path or $squash_by_filename)) {
144 printf "\nSummary reporting only available with --input-raw=<file>\n";
145 printf "(First run scan with --output-raw=<file>.)\n";
149 if (!is_supported_architecture()) {
150 printf "\nScript does not support your architecture, sorry.\n";
151 printf "\nCurrently we support: \n\n";
152 foreach(@SUPPORTED_ARCHITECTURES) {
156 my $archname = $Config{archname};
157 printf "\n\$ perl -MConfig -e \'print \"\$Config{archname}\\n\"\'\n";
158 printf "%s\n", $archname;
164 open my $fh, '>', $output_raw or die "$0: $output_raw: $!\n";
175 printf(STDERR @_) if $debug;
178 sub is_supported_architecture
180 return (is_x86_64() or is_ppc64());
185 my $archname = $Config{archname};
187 if ($archname =~ m/x86_64/) {
195 my $archname = $Config{archname};
197 if ($archname =~ m/powerpc/ and $archname =~ m/64/) {
203 sub is_false_positive
207 if ($match =~ '\b(0x)?(f|F){16}\b' or
208 $match =~ '\b(0x)?0{16}\b') {
213 # vsyscall memory region, we should probably check against a range here.
214 if ($match =~ '\bf{10}600000\b' or
215 $match =~ '\bf{10}601000\b') {
223 # True if argument potentially contains a kernel address.
230 if ($line =~ '^SigBlk:' or
231 $line =~ '^SigIgn:' or
232 $line =~ '^SigCgt:') {
236 if ($line =~ '\bKEY=[[:xdigit:]]{14} [[:xdigit:]]{16} [[:xdigit:]]{16}\b' or
237 $line =~ '\b[[:xdigit:]]{14} [[:xdigit:]]{16} [[:xdigit:]]{16}\b') {
241 # One of these is guaranteed to be true.
243 $address_re = '\b(0x)?ffff[[:xdigit:]]{12}\b';
244 } elsif (is_ppc64()) {
245 $address_re = '\b(0x)?[89abcdef]00[[:xdigit:]]{13}\b';
248 while (/($address_re)/g) {
249 if (!is_false_positive($1)) {
259 open my $cmd, '-|', 'dmesg';
261 if (may_leak_address($_)) {
262 print 'dmesg: ' . $_;
268 # True if we should skip this path.
271 my ($path, $paths_abs, $paths_any) = @_;
273 foreach (@$paths_abs) {
274 return 1 if (/^$path$/);
277 my($filename, $dirs, $suffix) = fileparse($path);
278 foreach (@$paths_any) {
279 return 1 if (/^$filename$/);
288 return skip($path, \@skip_parse_files_abs, \@skip_parse_files_any);
296 local $SIG{ALRM} = sub { die "alarm\n" }; # NB: \n required.
303 die unless $@ eq "alarm\n"; # Propagate unexpected errors.
304 printf STDERR "timed out parsing: %s\n", $file;
316 if (skip_parse($file)) {
317 dprint "skipping file: $file\n";
320 dprint "parsing: $file\n";
322 open my $fh, "<", $file or return;
324 if (may_leak_address($_)) {
325 print $file . ': ' . $_;
332 # True if we should skip walking this directory.
336 return skip($path, \@skip_walk_dirs_abs, \@skip_walk_dirs_any)
339 # Recursively walk directory tree.
344 while (my $pwd = shift @dirs) {
345 next if (skip_walk($pwd));
346 next if (!opendir(DIR, $pwd));
347 my @files = readdir(DIR);
350 foreach my $file (@files) {
351 next if ($file eq '.' or $file eq '..');
353 my $path = "$pwd/$file";
359 timed_parse_file($path);
369 # Default is to show raw results.
370 if ($raw or (!$squash_by_path and !$squash_by_filename)) {
371 dump_raw_output($file);
375 my ($total, $dmesg, $paths, $files) = parse_raw_file($file);
377 printf "\nTotal number of results from scan (incl dmesg): %d\n", $total;
379 if (!$suppress_dmesg) {
383 if ($squash_by_filename) {
384 squash_by($files, 'filename');
387 if ($squash_by_path) {
388 squash_by($paths, 'path');
396 open (my $fh, '<', $file) or die "$0: $file: $!\n";
398 if ($suppress_dmesg) {
399 if ("dmesg:" eq substr($_, 0, 6)) {
412 my $total = 0; # Total number of lines parsed.
413 my @dmesg; # dmesg output.
414 my %files; # Unique filenames containing leaks.
415 my %paths; # Unique paths containing leaks.
417 open (my $fh, '<', $file) or die "$0: $file: $!\n";
418 while (my $line = <$fh>) {
421 if ("dmesg:" eq substr($line, 0, 6)) {
426 cache_path(\%paths, $line);
427 cache_filename(\%files, $line);
430 return $total, \@dmesg, \%paths, \%files;
437 print "\ndmesg output:\n";
440 print "<no results>\n";
445 my $index = index($_, ': ');
446 $index += 2; # skid ': '
447 print substr($_, $index);
453 my ($ref, $desc) = @_;
455 print "\nResults squashed by $desc (excl dmesg). ";
456 print "Displaying [<number of results> <$desc>], <example result>\n";
458 if (keys %$ref == 0) {
459 print "<no results>\n";
463 foreach(keys %$ref) {
464 my $lines = $ref->{$_};
465 my $length = @$lines;
466 printf "[%d %s] %s", $length, $_, @$lines[0];
472 my ($paths, $line) = @_;
474 my $index = index($line, ': ');
475 my $path = substr($line, 0, $index);
477 $index += 2; # skip ': '
478 add_to_cache($paths, $path, substr($line, $index));
483 my ($files, $line) = @_;
485 my $index = index($line, ': ');
486 my $path = substr($line, 0, $index);
487 my $filename = basename($path);
489 $index += 2; # skip ': '
490 add_to_cache($files, $filename, substr($line, $index));
495 my ($cache, $key, $value) = @_;
497 if (!$cache->{$key}) {
500 push @{$cache->{$key}}, $value;
git.samba.org / sfrench / cifs-2.6.git / blob