Re: [kernel-hardening] [PATCH v4] scripts: add leaking_addresses.pl
From: Frank Rowand
Date: Fri Nov 10 2017 - 17:12:53 EST
Hi Michael, Tobin,
On 11/08/17 04:10, Michael Ellerman wrote:
> "Tobin C. Harding" <me@xxxxxxxx> writes:
>> Currently we are leaking addresses from the kernel to user space. This
>> script is an attempt to find some of those leakages. Script parses
>> `dmesg` output and /proc and /sys files for hex strings that look like
>> kernel addresses.
>>
>> Only works for 64 bit kernels, the reason being that kernel addresses
>> on 64 bit kernels have 'ffff' as the leading bit pattern making greping
>> possible.
>
> That doesn't work super well on other architectures :D
>
> I don't speak perl but presumably you can check the arch somehow and
> customise the regex?
>
> ...
>> +# Return _all_ non false positive addresses from $line.
>> +sub extract_addresses
>> +{
>> + my ($line) = @_;
>> + my $address = '\b(0x)?ffff[[:xdigit:]]{12}\b';
>
> On 64-bit powerpc (ppc64/ppc64le) we'd want:
>
> + my $address = '\b(0x)?[89abcdef]00[[:xdigit:]]{13}\b';
>
>
>> +# Do not parse these files (absolute path).
>> +my @skip_parse_files_abs = ('/proc/kmsg',
>> + '/proc/kcore',
>> + '/proc/fs/ext4/sdb1/mb_groups',
>> + '/proc/1/fd/3',
>> + '/sys/kernel/debug/tracing/trace_pipe',
>> + '/sys/kernel/security/apparmor/revision');
>
> Can you add:
>
> /sys/firmware/devicetree
>
> and/or /proc/device-tree (which is a symlink to the above).
/proc/device-tree is a symlink to /sys/firmware/devicetree/base
/sys/firmware contains
fdt -- the flattened device tree that was passed to the
kernel on boot
devicetree/base/ -- the data that is currently in the live device tree.
This live device tree is represented as directories
and files beneath base/
The information in fdt is directly available in the kernel source tree
(possible exception: the bootloader may have modified the fdt, possibly
to add/modify the boot command line, add memory size).
The information in devicetree/base/ is directly available in the kernel
source tree for _most_ architectures, with the same possible exception
for the bootloader. ppc64 may also modify this information dynamically
after the system is booted. When overlay support is working, overlay
device trees will also be able to modify this information dynamically
(and again, this information will be directly available in the kernel
source tree).
Not having read the code in leaking_addresses.pl, trusting that the
comments are correct, it seems that /sys/firmware should be in
@skip_walk_dirs_abs instead of putting /sys/firmware/devicetree
in @skip_parse_files_abs.
> We should also start restricting access to that because it may have
> potentially interesting physical addresses in it, but that will break
> existing tools, so it will need to be opt-in and done over time.
>
> cheers
>