Date: Mon, 13 Nov 2017 10:06:46 +1100 From: "Tobin C. Harding" <me@...in.cc> To: "Kirill A. Shutemov" <kirill@...temov.name> Cc: kernel-hardening@...ts.openwall.com, "Jason A. Donenfeld" <Jason@...c4.com>, Theodore Ts'o <tytso@....edu>, Linus Torvalds <torvalds@...ux-foundation.org>, Kees Cook <keescook@...omium.org>, Paolo Bonzini <pbonzini@...hat.com>, Tycho Andersen <tycho@...ker.com>, "Roberts, William C" <william.c.roberts@...el.com>, Tejun Heo <tj@...nel.org>, Jordan Glover <Golden_Miller83@...tonmail.ch>, Greg KH <gregkh@...uxfoundation.org>, Petr Mladek <pmladek@...e.com>, Joe Perches <joe@...ches.com>, Ian Campbell <ijc@...lion.org.uk>, Sergey Senozhatsky <sergey.senozhatsky@...il.com>, Catalin Marinas <catalin.marinas@....com>, Will Deacon <wilal.deacon@....com>, Steven Rostedt <rostedt@...dmis.org>, Chris Fries <cfries@...gle.com>, Dave Weinstein <olorin@...gle.com>, Daniel Micay <danielmicay@...il.com>, Djalal Harouni <tixxdz@...il.com>, linux-kernel@...r.kernel.org, Network Development <netdev@...r.kernel.org>, David Miller <davem@...emloft.net> Subject: Re: [PATCH v4] scripts: add leaking_addresses.pl On Sun, Nov 12, 2017 at 02:10:07AM +0300, Kirill A. Shutemov wrote: > On Tue, Nov 07, 2017 at 09:32:11PM +1100, Tobin C. Harding wrote: > > Currently we are leaking addresses from the kernel to user space. This > > script is an attempt to find some of those leakages. Script parses > > `dmesg` output and /proc and /sys files for hex strings that look like > > kernel addresses. > > > > Only works for 64 bit kernels, the reason being that kernel addresses > > on 64 bit kernels have 'ffff' as the leading bit pattern making greping > > possible. On 32 kernels we don't have this luxury. > > Well, it's not going to work as well as intented on x86 machine with > 5-level paging. Kernel address space there starts at 0xff10000000000000. > It will still catch pointers to kernel/modules text, but the rest is > outside of 0xffff... space. See Documentation/x86/x86_64/mm.txt. Thanks for the link. So it looks like we need to refactor the kernel address regular expression into a function that takes into account the machine architecture and the number of page table levels. We will need to add this to the false positive checks also. > Not sure if we care. It won't work too for other 64-bit architectrues that > have more than 256TB of virtual address space. Is this because of the virtual memory map? Did you mean 512TB? from mm.txt: ffd4000000000000 - ffd5ffffffffffff (=49 bits) virtual memory map (512TB) Perhaps an option (--terse) that only checks the virtual memory map range (above for 5-level paging) and ffffea0000000000 - ffffeaffffffffff (=40 bits) virtual memory map (1TB) for 4-level paging? > Just wanted to point to the limitation. Appreciate it, thanks. Tobin.
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.