From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1754569AbdKJWMv (ORCPT ); Fri, 10 Nov 2017 17:12:51 -0500 Received: from mail-pf0-f182.google.com ([209.85.192.182]:46528 "EHLO mail-pf0-f182.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753977AbdKJWMt (ORCPT ); Fri, 10 Nov 2017 17:12:49 -0500 X-Google-Smtp-Source: AGs4zMYZdeXhlYP38gcsGLfNaDGxEzRNmTgre0CYVs8pmH8EqyrFbOsup/RGIiKNErVJ6sfrOoMeFQ== Subject: Re: [kernel-hardening] [PATCH v4] scripts: add leaking_addresses.pl To: Michael Ellerman , "Tobin C. Harding" , kernel-hardening@lists.openwall.com Cc: "Jason A. Donenfeld" , "Theodore Ts'o" , Linus Torvalds , Kees Cook , Paolo Bonzini , Tycho Andersen , "Roberts, William C" , Tejun Heo , Jordan Glover , Greg KH , Petr Mladek , Joe Perches , Ian Campbell , Sergey Senozhatsky , Catalin Marinas , Will Deacon , Steven Rostedt , Chris Fries , Dave Weinstein , Daniel Micay , Djalal Harouni , linux-kernel@vger.kernel.org, Network Development , David Miller References: <1510050731-32446-1-git-send-email-me@tobin.cc> <87k1z12cof.fsf@concordia.ellerman.id.au> From: Frank Rowand Message-ID: <7fa01b32-4db0-3742-067b-955969020953@gmail.com> Date: Fri, 10 Nov 2017 14:12:46 -0800 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.4.0 MIME-Version: 1.0 In-Reply-To: <87k1z12cof.fsf@concordia.ellerman.id.au> Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi Michael, Tobin, On 11/08/17 04:10, Michael Ellerman wrote: > "Tobin C. Harding" writes: >> Currently we are leaking addresses from the kernel to user space. This >> script is an attempt to find some of those leakages. Script parses >> `dmesg` output and /proc and /sys files for hex strings that look like >> kernel addresses. >> >> Only works for 64 bit kernels, the reason being that kernel addresses >> on 64 bit kernels have 'ffff' as the leading bit pattern making greping >> possible. > > That doesn't work super well on other architectures :D > > I don't speak perl but presumably you can check the arch somehow and > customise the regex? > > ... >> +# Return _all_ non false positive addresses from $line. >> +sub extract_addresses >> +{ >> + my ($line) = @_; >> + my $address = '\b(0x)?ffff[[:xdigit:]]{12}\b'; > > On 64-bit powerpc (ppc64/ppc64le) we'd want: > > + my $address = '\b(0x)?[89abcdef]00[[:xdigit:]]{13}\b'; > > >> +# Do not parse these files (absolute path). >> +my @skip_parse_files_abs = ('/proc/kmsg', >> + '/proc/kcore', >> + '/proc/fs/ext4/sdb1/mb_groups', >> + '/proc/1/fd/3', >> + '/sys/kernel/debug/tracing/trace_pipe', >> + '/sys/kernel/security/apparmor/revision'); > > Can you add: > > /sys/firmware/devicetree > > and/or /proc/device-tree (which is a symlink to the above). /proc/device-tree is a symlink to /sys/firmware/devicetree/base /sys/firmware contains fdt -- the flattened device tree that was passed to the kernel on boot devicetree/base/ -- the data that is currently in the live device tree. This live device tree is represented as directories and files beneath base/ The information in fdt is directly available in the kernel source tree (possible exception: the bootloader may have modified the fdt, possibly to add/modify the boot command line, add memory size). The information in devicetree/base/ is directly available in the kernel source tree for _most_ architectures, with the same possible exception for the bootloader. ppc64 may also modify this information dynamically after the system is booted. When overlay support is working, overlay device trees will also be able to modify this information dynamically (and again, this information will be directly available in the kernel source tree). Not having read the code in leaking_addresses.pl, trusting that the comments are correct, it seems that /sys/firmware should be in @skip_walk_dirs_abs instead of putting /sys/firmware/devicetree in @skip_parse_files_abs. > We should also start restricting access to that because it may have > potentially interesting physical addresses in it, but that will break > existing tools, so it will need to be opt-in and done over time. > > cheers > From mboxrd@z Thu Jan 1 00:00:00 1970 From: Frank Rowand Subject: Re: [kernel-hardening] [PATCH v4] scripts: add leaking_addresses.pl Date: Fri, 10 Nov 2017 14:12:46 -0800 Message-ID: <7fa01b32-4db0-3742-067b-955969020953@gmail.com> References: <1510050731-32446-1-git-send-email-me@tobin.cc> <87k1z12cof.fsf@concordia.ellerman.id.au> Mime-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit Cc: "Jason A. Donenfeld" , Theodore Ts'o , Linus Torvalds , Kees Cook , Paolo Bonzini , Tycho Andersen , "Roberts, William C" , Tejun Heo , Jordan Glover , Greg KH , Petr Mladek , Joe Perches , Ian Campbell , Sergey Senozhatsky , Catalin Marinas , Will Deacon , Steven Rostedt , Chris Fries , Dave Weinstein , Daniel Micay , "Tobin C. Harding" , kernel-hardening@lists.openwall.com Return-path: In-Reply-To: <87k1z12cof.fsf@concordia.ellerman.id.au> Content-Language: en-US Sender: linux-kernel-owner@vger.kernel.org List-Id: netdev.vger.kernel.org Hi Michael, Tobin, On 11/08/17 04:10, Michael Ellerman wrote: > "Tobin C. Harding" writes: >> Currently we are leaking addresses from the kernel to user space. This >> script is an attempt to find some of those leakages. Script parses >> `dmesg` output and /proc and /sys files for hex strings that look like >> kernel addresses. >> >> Only works for 64 bit kernels, the reason being that kernel addresses >> on 64 bit kernels have 'ffff' as the leading bit pattern making greping >> possible. > > That doesn't work super well on other architectures :D > > I don't speak perl but presumably you can check the arch somehow and > customise the regex? > > ... >> +# Return _all_ non false positive addresses from $line. >> +sub extract_addresses >> +{ >> + my ($line) = @_; >> + my $address = '\b(0x)?ffff[[:xdigit:]]{12}\b'; > > On 64-bit powerpc (ppc64/ppc64le) we'd want: > > + my $address = '\b(0x)?[89abcdef]00[[:xdigit:]]{13}\b'; > > >> +# Do not parse these files (absolute path). >> +my @skip_parse_files_abs = ('/proc/kmsg', >> + '/proc/kcore', >> + '/proc/fs/ext4/sdb1/mb_groups', >> + '/proc/1/fd/3', >> + '/sys/kernel/debug/tracing/trace_pipe', >> + '/sys/kernel/security/apparmor/revision'); > > Can you add: > > /sys/firmware/devicetree > > and/or /proc/device-tree (which is a symlink to the above). /proc/device-tree is a symlink to /sys/firmware/devicetree/base /sys/firmware contains fdt -- the flattened device tree that was passed to the kernel on boot devicetree/base/ -- the data that is currently in the live device tree. This live device tree is represented as directories and files beneath base/ The information in fdt is directly available in the kernel source tree (possible exception: the bootloader may have modified the fdt, possibly to add/modify the boot command line, add memory size). The information in devicetree/base/ is directly available in the kernel source tree for _most_ architectures, with the same possible exception for the bootloader. ppc64 may also modify this information dynamically after the system is booted. When overlay support is working, overlay device trees will also be able to modify this information dynamically (and again, this information will be directly available in the kernel source tree). Not having read the code in leaking_addresses.pl, trusting that the comments are correct, it seems that /sys/firmware should be in @skip_walk_dirs_abs instead of putting /sys/firmware/devicetree in @skip_parse_files_abs. > We should also start restricting access to that because it may have > potentially interesting physical addresses in it, but that will break > existing tools, so it will need to be opt-in and done over time. > > cheers >