* [kernel-hardening] [PATCH] leaking_addresses: add files to skip
@ 2018-01-05 22:59 Tobin C. Harding
2018-01-06 0:11 ` [kernel-hardening] " Kees Cook
0 siblings, 1 reply; 3+ messages in thread
From: Tobin C. Harding @ 2018-01-05 22:59 UTC (permalink / raw)
To: linux-kernel; +Cc: Tobin C. Harding, kernel-hardening, kaiwan.billimoria
Script currently times out when parsing the following files:
/proc/kallsyms
/proc/sched_debug
/proc/PID/smaps
None of these files leak kernel addresses. We can skip parsing them.
Add entries to list of files to skip.
Signed-off-by: Tobin C. Harding <me@tobin.cc>
---
scripts/leaking_addresses.pl | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/scripts/leaking_addresses.pl b/scripts/leaking_addresses.pl
index ce5d58f3e619..32e2fc9fc8c3 100755
--- a/scripts/leaking_addresses.pl
+++ b/scripts/leaking_addresses.pl
@@ -58,7 +58,9 @@ my @skip_parse_files_abs = ('/proc/kmsg',
'/sys/firmware/devicetree',
'/proc/device-tree',
'/sys/kernel/debug/tracing/trace_pipe',
- '/sys/kernel/security/apparmor/revision');
+ '/sys/kernel/security/apparmor/revision',
+ '/proc/kallsyms',
+ '/proc/sched_debug');
# Do not parse these files under any subdirectory.
my @skip_parse_files_any = ('0',
@@ -71,7 +73,8 @@ my @skip_parse_files_any = ('0',
'snapshot_raw',
'trace_pipe_raw',
'ptmx',
- 'trace_pipe');
+ 'trace_pipe',
+ 'smaps');
# Do not walk these directories (absolute path).
my @skip_walk_dirs_abs = ();
--
2.7.4
^ permalink raw reply related [flat|nested] 3+ messages in thread* [kernel-hardening] Re: [PATCH] leaking_addresses: add files to skip
2018-01-05 22:59 [kernel-hardening] [PATCH] leaking_addresses: add files to skip Tobin C. Harding
@ 2018-01-06 0:11 ` Kees Cook
2018-01-06 1:37 ` Tobin C. Harding
0 siblings, 1 reply; 3+ messages in thread
From: Kees Cook @ 2018-01-06 0:11 UTC (permalink / raw)
To: Tobin C. Harding; +Cc: LKML, kernel-hardening, kaiwan.billimoria
On Fri, Jan 5, 2018 at 2:59 PM, Tobin C. Harding <me@tobin.cc> wrote:
> Script currently times out when parsing the following files:
>
> /proc/kallsyms
> /proc/sched_debug
> /proc/PID/smaps
Seems like kallsyms would be one to absolutely scan... it shouldn't
cause hangs either.
-Kees
>
> None of these files leak kernel addresses. We can skip parsing them.
>
> Add entries to list of files to skip.
>
> Signed-off-by: Tobin C. Harding <me@tobin.cc>
> ---
> scripts/leaking_addresses.pl | 7 +++++--
> 1 file changed, 5 insertions(+), 2 deletions(-)
>
> diff --git a/scripts/leaking_addresses.pl b/scripts/leaking_addresses.pl
> index ce5d58f3e619..32e2fc9fc8c3 100755
> --- a/scripts/leaking_addresses.pl
> +++ b/scripts/leaking_addresses.pl
> @@ -58,7 +58,9 @@ my @skip_parse_files_abs = ('/proc/kmsg',
> '/sys/firmware/devicetree',
> '/proc/device-tree',
> '/sys/kernel/debug/tracing/trace_pipe',
> - '/sys/kernel/security/apparmor/revision');
> + '/sys/kernel/security/apparmor/revision',
> + '/proc/kallsyms',
> + '/proc/sched_debug');
>
> # Do not parse these files under any subdirectory.
> my @skip_parse_files_any = ('0',
> @@ -71,7 +73,8 @@ my @skip_parse_files_any = ('0',
> 'snapshot_raw',
> 'trace_pipe_raw',
> 'ptmx',
> - 'trace_pipe');
> + 'trace_pipe',
> + 'smaps');
>
> # Do not walk these directories (absolute path).
> my @skip_walk_dirs_abs = ();
> --
> 2.7.4
>
--
Kees Cook
Pixel Security
^ permalink raw reply [flat|nested] 3+ messages in thread* [kernel-hardening] Re: [PATCH] leaking_addresses: add files to skip
2018-01-06 0:11 ` [kernel-hardening] " Kees Cook
@ 2018-01-06 1:37 ` Tobin C. Harding
0 siblings, 0 replies; 3+ messages in thread
From: Tobin C. Harding @ 2018-01-06 1:37 UTC (permalink / raw)
To: Kees Cook; +Cc: LKML, kernel-hardening, kaiwan.billimoria
On Fri, Jan 05, 2018 at 04:11:07PM -0800, Kees Cook wrote:
> On Fri, Jan 5, 2018 at 2:59 PM, Tobin C. Harding <me@tobin.cc> wrote:
> > Script currently times out when parsing the following files:
> >
> > /proc/kallsyms
> > /proc/sched_debug
> > /proc/PID/smaps
>
> Seems like kallsyms would be one to absolutely scan... it shouldn't
> cause hangs either.
Haven't we fixed kallsyms now? Do you mean that we should be checking to
see if the scanned kernel has been patched to include the kallsysms
fixes in 4.14? If so perhaps we should add functionality to just check
the first line for an address and warn if one is found. No real reason
to include ever address in kallsyms in the output.
Script doesn't hang but it times out with the default timer (10 seconds).
thanks,
Tobin.
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2018-01-06 1:37 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-01-05 22:59 [kernel-hardening] [PATCH] leaking_addresses: add files to skip Tobin C. Harding
2018-01-06 0:11 ` [kernel-hardening] " Kees Cook
2018-01-06 1:37 ` Tobin C. Harding
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).