On Tue, 2017-11-07 at 21:32 +1100, Tobin C. Harding wrote:
> Currently we are leaking addresses from the kernel to user space.
> This
> script is an attempt to find some of those leakages. Script parses
> `dmesg` output and /proc and /sys files for hex strings that look
> like
> kernel addresses.
>
> Only works for 64 bit kernels, the reason being that kernel addresses
> on 64 bit kernels have '' as the leading bit pattern making
> greping
> possible. On 32 kernels we don't have this luxury.
Tobin C. Harding wrote:
>Only works for 64 bit kernels, the reason being that kernel addresses
>on 64 bit kernels have '' as the leading bit pattern making greping
>possible. On 32 kernels we don't have this luxury.
[RFC] leaking_addresses.pl - enhance it to work for 32-bit kernels as well
(Firstly, apologies if I've got the protocol horribly wrong- should this
be a new thread altogether?)
Ok so, I was interested in figuring - why not have this useful script work
for 32-bit kernel virtual addresses as well (and those systems by
extension).
The approach am considering, pl correct me if I'm way off:
on 32-bit, the kernel macro PAGE_OFFSET will give us the user-kernel split;
(alternatively, could also script up CONFIG_VMSPLIT_[n]G and figure the
split from there.)
For the time being, lets say we go with the "use PAGE_OFFSET" approach and
PAGE_OFFSET = 0xc000 , whch implies we have a 3:1 GB user:kernel split.
So any virtual addresses >= PAGE_OFFSET are kernel virtual addresses (i
know, untrue on some ARM-32 systems!).
As a very early and *far-from-perfect* start, I've enhanced Tobin's Perl
script to take into account 32-bit address space by passing the
parameter '--bit-size='.
The patch below does Not take into account (yet) stuff like:
- exactly which files & dirs should be skipped on 32-bit (will it be
identical to 64-bit?; unsure..)
- it currently hard-codes a global 'PAGE_OFFSET_32BIT=0xc000' , just
so I can test quickly; must figure whether to query it or pass it;
Suggestions?
- the 'false positives'; again, what differs for 32-bit?
(BTW, shouldn't the dmesg 'root=UUID=<...>' line be a false positive
& skipped?).
Also, I must point out that I'm a complete newbie to Perl :-) so, pl excuse
my highly inadequate perl-foo; I rely on you perl gurus out there to fix
and optimize :)
Yes, I've **Very Minimally** tested the patch in it's current form on:
a) a regular (Fedora 26) x86_64 desktop,
b) a (Debian 7) 32-bit kernel (VM) with PAGE_OFFSET=3 Gb
and it seems all right, considering...
Some sample output from test (b), if interested:
=
dmesg: [0.00] found SMP MP-table at [c00f1280] f1280
dmesg: [0.00] Base memory trampoline at [c009b000] 9b000 size 16384
dmesg: [0.00] ACPI: Local APIC address 0xfee0
dmesg: [0.00] free_area_init_node: node 0, pgdat c1418bc0, node_mem_map
dfbfa200
dmesg: [0.00] ACPI: Local APIC address 0xfee0
dmesg: [0.00] ACPI: IOAPIC (id[0x00] address[0xfec0] gsi_base[0])
dmesg: [0.00] IOAPIC[0]: apic_id 0, version 17, address 0xfec0, GSI
0-23
dmesg: [0.00] PERCPU: Embedded 14 pages/cpu @dfbe8000 s33344 r0 d24000
u57344
dmesg: [0.00] fixmap : 0xffd36000 - 0xf000 (2852 kB)
dmesg: [0.00] pkmap : 0xffa0 - 0xffc0 (2048 kB)
dmesg: [0.00] vmalloc : 0xe07fb000 - 0xff9fe000 ( 498 MB)
dmesg: [0.00] lowmem : 0xc000 - 0xdfffb000 ( 511 MB)
dmesg: [0.00] .init : 0xc1421000 - 0xc148c000 ( 428 kB)
[...]
/proc/kallsyms: c10010e8 T _stext
/proc/kallsyms: c1002000 T hypercall_page
/proc/kallsyms: c1003000 t arch_local_save_flags
/proc/kallsyms: c1003007 t arch_local_irq_enable
/proc/kallsyms: c100300e T do_one_initcall
<< ... plenty more kallsyms of course (92.5% of the output to be precise!) ...
>>
/proc/modules: loop 17803 0 - Live 0xe097c000
/proc/modules: crc32c_intel 12659 0 - Live 0xe096e000
/proc/modules: snd_pcm 53461 0 - Live 0xe09f5000
/proc/modules: snd_page_alloc 12867 1 snd_pcm, Live 0xe0957000
/proc/modules: snd_timer 22401 1 snd_pcm, Live 0xe093c000
[...]
/proc/modules: usb_common 12338 1 usbcore, Live 0xe086
/proc/timer_list: .base: dfbeb8b0
/proc/timer_list: #0: , tick_sched_timer, S:01,
hrtimer_start_range_ns, swapper/0/0
[...]
/proc/iomem: f800-fbff : :00:02.0
/proc/iomem: fc00-fcff : :00:02.0
/proc/iomem: fd00-fd03 : :00:03.0
[...]
/proc/11422/syscall: 7 0x 0xbf814618 0xa 0xa 0x0 0x1 0xbf8145b8
0xb7780428
/proc/11422/stack: [] kmap_atomic_prot+0x2f/0xe0
/proc/11422/stack: [] security_task_wait+0xc/0xd
[...]
/proc/bus/input/devices: B: KEY=4 200 3803078 f800d001 fedf ffef
fffe
/proc/1/net/ipv6_route: 00
00
0001 000f 00200200 lo
[...]