2 # SPDX-License-Identifier: GPL-2.0-only
4 # (c) 2017 Tobin C. Harding <me@tobin.cc>
6 # leaking_addresses.pl: Scan the kernel for potential leaking addresses.
7 # - Scans dmesg output.
8 # - Walks directory tree and parses each file (for each directory in @DIRS).
10 # Use --debug to output path before parsing, this is useful to find files that
11 # cause the script to choke.
14 # When the system is idle it is likely that most files under /proc/PID will be
15 # identical for various processes. Scanning _all_ the PIDs under /proc is
16 # unnecessary and implies that we are thoroughly scanning /proc. This is _not_
17 # the case because there may be ways userspace can trigger creation of /proc
18 # files that leak addresses but were not present during a scan. For these two
19 # reasons we exclude all PID directories under /proc except '1/'
27 use Term::ANSIColor qw(:constants);
28 use Getopt::Long qw(:config no_auto_abbrev);
35 # Directories to scan.
36 my @DIRS = ('/proc', '/sys');
38 # Timer for parsing each file, in seconds.
41 # Kernel addresses vary by architecture. We can only auto-detect the following
42 # architectures (using `uname -m`). (flag --32-bit overrides auto-detection.)
43 my @SUPPORTED_ARCHITECTURES = ('x86_64', 'ppc64', 'x86');
45 # Command line options.
49 my $output_raw = ""; # Write raw results to file.
50 my $input_raw = ""; # Read raw results from file instead of scanning.
51 my $suppress_dmesg = 0; # Don't show dmesg in output.
52 my $squash_by_path = 0; # Summary report grouped by absolute path.
53 my $squash_by_filename = 0; # Summary report grouped by filename.
54 my $kernel_config_file = ""; # Kernel configuration file.
55 my $opt_32bit = 0; # Scan 32-bit kernel.
56 my $page_offset_32bit = 0; # Page offset for 32-bit kernel.
58 # Skip these absolute paths.
63 '/sys/firmware/devicetree',
64 '/sys/kernel/debug/tracing/trace_pipe',
65 '/sys/kernel/security/apparmor/revision');
67 # Skip these under any subdirectory.
90 -o, --output-raw=<file> Save results for future processing.
91 -i, --input-raw=<file> Read results from file instead of scanning.
92 --raw Show raw results (default).
93 --suppress-dmesg Do not show dmesg results.
94 --squash-by-path Show one result per unique path.
95 --squash-by-filename Show one result per unique filename.
96 --kernel-config-file=<file> Kernel configuration file (e.g /boot/config)
97 --32-bit Scan 32-bit kernel.
98 --page-offset-32-bit=o Page offset (for 32-bit kernel 0xABCD1234).
99 -d, --debug Display debugging output.
100 -h, --help Display this help and exit.
102 Scans the running kernel for potential leaking addresses.
109 'd|debug' => \$debug,
111 'o|output-raw=s' => \$output_raw,
112 'i|input-raw=s' => \$input_raw,
113 'suppress-dmesg' => \$suppress_dmesg,
114 'squash-by-path' => \$squash_by_path,
115 'squash-by-filename' => \$squash_by_filename,
117 'kernel-config-file=s' => \$kernel_config_file,
118 '32-bit' => \$opt_32bit,
119 'page-offset-32-bit=o' => \$page_offset_32bit,
125 format_output($input_raw);
129 if (!$input_raw and ($squash_by_path or $squash_by_filename)) {
130 printf "\nSummary reporting only available with --input-raw=<file>\n";
131 printf "(First run scan with --output-raw=<file>.)\n";
135 if (!(is_supported_architecture() or $opt_32bit or $page_offset_32bit)) {
136 printf "\nScript does not support your architecture, sorry.\n";
137 printf "\nCurrently we support: \n\n";
138 foreach(@SUPPORTED_ARCHITECTURES) {
143 printf("If you are running a 32-bit architecture you may use:\n");
144 printf("\n\t--32-bit or --page-offset-32-bit=<page offset>\n\n");
146 my $archname = `uname -m`;
147 printf("Machine hardware name (`uname -m`): %s\n", $archname);
153 open my $fh, '>', $output_raw or die "$0: $output_raw: $!\n";
164 printf(STDERR @_) if $debug;
167 sub is_supported_architecture
169 return (is_x86_64() or is_ppc64() or is_ix86_32());
174 # Allow --32-bit or --page-offset-32-bit to override
175 if ($opt_32bit or $page_offset_32bit) {
184 state $arch = `uname -m`;
187 if ($arch =~ m/i[3456]86/) {
196 my $arch = `uname -m`;
199 if ($arch eq $desc) {
207 state $is = is_arch('x86_64');
213 state $is = is_arch('ppc64');
217 # Gets config option value from kernel config file.
218 # Returns "" on error or if config option not found.
219 sub get_kernel_config_option
226 # Allow --kernel-config-file to override.
227 if ($kernel_config_file ne "") {
228 @config_files = ($kernel_config_file);
229 } elsif (-R "/proc/config.gz") {
230 my $tmp_file = "/tmp/tmpkconf";
232 if (system("gunzip < /proc/config.gz > $tmp_file")) {
233 dprint("system(gunzip < /proc/config.gz) failed\n");
236 @config_files = ($tmp_file);
239 my $file = '/boot/config-' . `uname -r`;
241 @config_files = ($file, '/boot/config');
244 foreach my $file (@config_files) {
245 dprint("parsing config file: $file\n");
246 $value = option_from_file($option, $file);
252 if ($tmp_file ne "") {
253 system("rm -f $tmp_file");
259 # Parses $file and returns kernel configuration option value.
262 my ($option, $file) = @_;
266 open(my $fh, "<", $file) or return "";
267 while (my $line = <$fh> ) {
268 if ($line =~ /^$option/) {
269 ($str, $val) = split /=/, $line;
279 sub is_false_positive
284 return is_false_positive_32bit($match);
287 # 64 bit false positives.
289 if ($match =~ '\b(0x)?(f|F){16}\b' or
290 $match =~ '\b(0x)?0{16}\b') {
294 if (is_x86_64() and is_in_vsyscall_memory_region($match)) {
301 sub is_false_positive_32bit
304 state $page_offset = get_page_offset();
306 if ($match =~ '\b(0x)?(f|F){8}\b') {
310 if (hex($match) < $page_offset) {
317 # returns integer value
321 my $default_offset = 0xc0000000;
323 # Allow --page-offset-32bit to override.
324 if ($page_offset_32bit != 0) {
325 return $page_offset_32bit;
328 $page_offset = get_kernel_config_option('CONFIG_PAGE_OFFSET');
330 return $default_offset;
335 sub is_in_vsyscall_memory_region
339 my $hex = hex($match);
340 my $region_min = hex("0xffffffffff600000");
341 my $region_max = hex("0xffffffffff601000");
343 return ($hex >= $region_min and $hex <= $region_max);
346 # True if argument potentially contains a kernel address.
353 if ($line =~ '^SigBlk:' or
354 $line =~ '^SigIgn:' or
355 $line =~ '^SigCgt:') {
359 if ($line =~ '\bKEY=[[:xdigit:]]{14} [[:xdigit:]]{16} [[:xdigit:]]{16}\b' or
360 $line =~ '\b[[:xdigit:]]{14} [[:xdigit:]]{16} [[:xdigit:]]{16}\b') {
364 $address_re = get_address_re();
365 while ($line =~ /($address_re)/g) {
366 if (!is_false_positive($1)) {
377 return '\b(0x)?[89abcdef]00[[:xdigit:]]{13}\b';
378 } elsif (is_32bit()) {
379 return '\b(0x)?[[:xdigit:]]{8}\b';
382 return get_x86_64_re();
387 # We handle page table levels but only if explicitly configured using
388 # CONFIG_PGTABLE_LEVELS. If config file parsing fails or config option
389 # is not found we default to using address regular expression suitable
390 # for 4 page table levels.
391 state $ptl = get_kernel_config_option('CONFIG_PGTABLE_LEVELS');
394 return '\b(0x)?ff[[:xdigit:]]{14}\b';
396 return '\b(0x)?ffff[[:xdigit:]]{12}\b';
401 open my $cmd, '-|', 'dmesg';
403 if (may_leak_address($_)) {
404 print 'dmesg: ' . $_;
410 # True if we should skip this path.
415 foreach (@skip_abs) {
416 return 1 if (/^$path$/);
419 my($filename, $dirs, $suffix) = fileparse($path);
420 foreach (@skip_any) {
421 return 1 if (/^$filename$/);
432 local $SIG{ALRM} = sub { die "alarm\n" }; # NB: \n required.
439 die unless $@ eq "alarm\n"; # Propagate unexpected errors.
440 printf STDERR "timed out parsing: %s\n", $file;
456 open my $fh, "<", $file or return;
458 if (may_leak_address($_)) {
459 print $file . ': ' . $_;
465 # Checks if the actual path name is leaking a kernel address.
466 sub check_path_for_leaks
470 if (may_leak_address($path)) {
471 printf("Path name may contain address: $path\n");
475 # Recursively walk directory tree.
480 while (my $pwd = shift @dirs) {
481 next if (!opendir(DIR, $pwd));
482 my @files = readdir(DIR);
485 foreach my $file (@files) {
486 next if ($file eq '.' or $file eq '..');
488 my $path = "$pwd/$file";
491 # skip /proc/PID except /proc/1
492 next if (($path =~ /^\/proc\/[0-9]+$/) &&
493 ($path !~ /^\/proc\/1$/));
495 next if (skip($path));
497 check_path_for_leaks($path);
504 dprint("parsing: $path\n");
505 timed_parse_file($path);
514 # Default is to show raw results.
515 if ($raw or (!$squash_by_path and !$squash_by_filename)) {
516 dump_raw_output($file);
520 my ($total, $dmesg, $paths, $files) = parse_raw_file($file);
522 printf "\nTotal number of results from scan (incl dmesg): %d\n", $total;
524 if (!$suppress_dmesg) {
528 if ($squash_by_filename) {
529 squash_by($files, 'filename');
532 if ($squash_by_path) {
533 squash_by($paths, 'path');
541 open (my $fh, '<', $file) or die "$0: $file: $!\n";
543 if ($suppress_dmesg) {
544 if ("dmesg:" eq substr($_, 0, 6)) {
557 my $total = 0; # Total number of lines parsed.
558 my @dmesg; # dmesg output.
559 my %files; # Unique filenames containing leaks.
560 my %paths; # Unique paths containing leaks.
562 open (my $fh, '<', $file) or die "$0: $file: $!\n";
563 while (my $line = <$fh>) {
566 if ("dmesg:" eq substr($line, 0, 6)) {
571 cache_path(\%paths, $line);
572 cache_filename(\%files, $line);
575 return $total, \@dmesg, \%paths, \%files;
582 print "\ndmesg output:\n";
585 print "<no results>\n";
590 my $index = index($_, ': ');
591 $index += 2; # skid ': '
592 print substr($_, $index);
598 my ($ref, $desc) = @_;
600 print "\nResults squashed by $desc (excl dmesg). ";
601 print "Displaying [<number of results> <$desc>], <example result>\n";
603 if (keys %$ref == 0) {
604 print "<no results>\n";
608 foreach(keys %$ref) {
609 my $lines = $ref->{$_};
610 my $length = @$lines;
611 printf "[%d %s] %s", $length, $_, @$lines[0];
617 my ($paths, $line) = @_;
619 my $index = index($line, ': ');
620 my $path = substr($line, 0, $index);
622 $index += 2; # skip ': '
623 add_to_cache($paths, $path, substr($line, $index));
628 my ($files, $line) = @_;
630 my $index = index($line, ': ');
631 my $path = substr($line, 0, $index);
632 my $filename = basename($path);
634 $index += 2; # skip ': '
635 add_to_cache($files, $filename, substr($line, $index));
640 my ($cache, $key, $value) = @_;
642 if (!$cache->{$key}) {
645 push @{$cache->{$key}}, $value;