[linux.git] / scripts / leaking_addresses.pl

#!/usr/bin/env perl
# SPDX-License-Identifier: GPL-2.0-only
#
# (c) 2017 Tobin C. Harding <[email protected]>
#
# leaking_addresses.pl: Scan the kernel for potential leaking addresses.
#  - Scans dmesg output.
#  - Walks directory tree and parses each file (for each directory in @DIRS).
#
# Use --debug to output path before parsing, this is useful to find files that
# cause the script to choke.

#
# When the system is idle it is likely that most files under /proc/PID will be
# identical for various processes.  Scanning _all_ the PIDs under /proc is
# unnecessary and implies that we are thoroughly scanning /proc.  This is _not_
# the case because there may be ways userspace can trigger creation of /proc
# files that leak addresses but were not present during a scan.  For these two
# reasons we exclude all PID directories under /proc except '1/'

use warnings;
use strict;
use POSIX;
use File::Basename;
use File::Spec;
use Cwd 'abs_path';
use Term::ANSIColor qw(:constants);
use Getopt::Long qw(:config no_auto_abbrev);
use Config;
use bigint qw/hex/;
use feature 'state';

my $P = $0;

# Directories to scan.
my @DIRS = ('/proc', '/sys');

# Timer for parsing each file, in seconds.
my $TIMEOUT = 10;

# Kernel addresses vary by architecture.  We can only auto-detect the following
# architectures (using `uname -m`).  (flag --32-bit overrides auto-detection.)
my @SUPPORTED_ARCHITECTURES = ('x86_64', 'ppc64', 'x86');

# Command line options.
my $help = 0;
my $debug = 0;
my $raw = 0;
my $output_raw = "";	# Write raw results to file.
my $input_raw = "";	# Read raw results from file instead of scanning.
my $suppress_dmesg = 0;		# Don't show dmesg in output.
my $squash_by_path = 0;		# Summary report grouped by absolute path.
my $squash_by_filename = 0;	# Summary report grouped by filename.
my $kernel_config_file = "";	# Kernel configuration file.
my $opt_32bit = 0;		# Scan 32-bit kernel.
my $page_offset_32bit = 0;	# Page offset for 32-bit kernel.

# Skip these absolute paths.
my @skip_abs = (
	'/proc/kmsg',
	'/proc/device-tree',
	'/proc/1/syscall',
	'/sys/firmware/devicetree',
	'/sys/kernel/tracing/trace_pipe',
	'/sys/kernel/debug/tracing/trace_pipe',
	'/sys/kernel/security/apparmor/revision');

# Skip these under any subdirectory.
my @skip_any = (
	'pagemap',
	'events',
	'access',
	'registers',
	'snapshot_raw',
	'trace_pipe_raw',
	'ptmx',
	'trace_pipe',
	'fd',
	'usbmon');

sub help
{
	my ($exitcode) = @_;

	print << "EOM";

Usage: $P [OPTIONS]

Options:

	-o, --output-raw=<file>		Save results for future processing.
	-i, --input-raw=<file>		Read results from file instead of scanning.
	      --raw			Show raw results (default).
	      --suppress-dmesg		Do not show dmesg results.
	      --squash-by-path		Show one result per unique path.
	      --squash-by-filename	Show one result per unique filename.
	--kernel-config-file=<file>     Kernel configuration file (e.g /boot/config)
	--32-bit			Scan 32-bit kernel.
	--page-offset-32-bit=o		Page offset (for 32-bit kernel 0xABCD1234).
	-d, --debug			Display debugging output.
	-h, --help			Display this help and exit.

Scans the running kernel for potential leaking addresses.

EOM
	exit($exitcode);
}

GetOptions(
	'd|debug'		=> \$debug,
	'h|help'		=> \$help,
	'o|output-raw=s'        => \$output_raw,
	'i|input-raw=s'         => \$input_raw,
	'suppress-dmesg'        => \$suppress_dmesg,
	'squash-by-path'        => \$squash_by_path,
	'squash-by-filename'    => \$squash_by_filename,
	'raw'                   => \$raw,
	'kernel-config-file=s'	=> \$kernel_config_file,
	'32-bit'		=> \$opt_32bit,
	'page-offset-32-bit=o'	=> \$page_offset_32bit,
) or help(1);

help(0) if ($help);

if ($input_raw) {
	format_output($input_raw);
	exit(0);
}

if (!$input_raw and ($squash_by_path or $squash_by_filename)) {
	printf "\nSummary reporting only available with --input-raw=<file>\n";
	printf "(First run scan with --output-raw=<file>.)\n";
	exit(128);
}

if (!(is_supported_architecture() or $opt_32bit or $page_offset_32bit)) {
	printf "\nScript does not support your architecture, sorry.\n";
	printf "\nCurrently we support: \n\n";
	foreach(@SUPPORTED_ARCHITECTURES) {
		printf "\t%s\n", $_;
	}
	printf("\n");

	printf("If you are running a 32-bit architecture you may use:\n");
	printf("\n\t--32-bit or --page-offset-32-bit=<page offset>\n\n");

	my $archname = `uname -m`;
	printf("Machine hardware name (`uname -m`): %s\n", $archname);

	exit(129);
}

if ($output_raw) {
	open my $fh, '>', $output_raw or die "$0: $output_raw: $!\n";
	select $fh;
}

parse_dmesg();
walk(@DIRS);

exit 0;

sub dprint
{
	printf(STDERR @_) if $debug;
}

sub is_supported_architecture
{
	return (is_x86_64() or is_ppc64() or is_ix86_32());
}

sub is_32bit
{
	# Allow --32-bit or --page-offset-32-bit to override
	if ($opt_32bit or $page_offset_32bit) {
		return 1;
	}

	return is_ix86_32();
}

sub is_ix86_32
{
       state $arch = `uname -m`;

       chomp $arch;
       if ($arch =~ m/i[3456]86/) {
               return 1;
       }
       return 0;
}

sub is_arch
{
       my ($desc) = @_;
       my $arch = `uname -m`;

       chomp $arch;
       if ($arch eq $desc) {
               return 1;
       }
       return 0;
}

sub is_x86_64
{
	state $is = is_arch('x86_64');
	return $is;
}

sub is_ppc64
{
	state $is = is_arch('ppc64');
	return $is;
}

# Gets config option value from kernel config file.
# Returns "" on error or if config option not found.
sub get_kernel_config_option
{
	my ($option) = @_;
	my $value = "";
	my $tmp_file = "";
	my @config_files;

	# Allow --kernel-config-file to override.
	if ($kernel_config_file ne "") {
		@config_files = ($kernel_config_file);
	} elsif (-R "/proc/config.gz") {
		my $tmp_file = "/tmp/tmpkconf";

		if (system("gunzip < /proc/config.gz > $tmp_file")) {
			dprint("system(gunzip < /proc/config.gz) failed\n");
			return "";
		} else {
			@config_files = ($tmp_file);
		}
	} else {
		my $file = '/boot/config-' . `uname -r`;
		chomp $file;
		@config_files = ($file, '/boot/config');
	}

	foreach my $file (@config_files) {
		dprint("parsing config file: $file\n");
		$value = option_from_file($option, $file);
		if ($value ne "") {
			last;
		}
	}

	if ($tmp_file ne "") {
		system("rm -f $tmp_file");
	}

	return $value;
}

# Parses $file and returns kernel configuration option value.
sub option_from_file
{
	my ($option, $file) = @_;
	my $str = "";
	my $val = "";

	open(my $fh, "<", $file) or return "";
	while (my $line = <$fh> ) {
		if ($line =~ /^$option/) {
			($str, $val) = split /=/, $line;
			chomp $val;
			last;
		}
	}

	close $fh;
	return $val;
}

sub is_false_positive
{
	my ($match) = @_;

	if (is_32bit()) {
		return is_false_positive_32bit($match);
	}

	# 64 bit false positives.

	if ($match =~ '\b(0x)?(f|F){16}\b' or
	    $match =~ '\b(0x)?0{16}\b') {
		return 1;
	}

	if (is_x86_64() and is_in_vsyscall_memory_region($match)) {
		return 1;
	}

	return 0;
}

sub is_false_positive_32bit
{
       my ($match) = @_;
       state $page_offset = get_page_offset();

       if ($match =~ '\b(0x)?(f|F){8}\b') {
               return 1;
       }

       if (hex($match) < $page_offset) {
               return 1;
       }

       return 0;
}

# returns integer value
sub get_page_offset
{
       my $page_offset;
       my $default_offset = 0xc0000000;

       # Allow --page-offset-32bit to override.
       if ($page_offset_32bit != 0) {
               return $page_offset_32bit;
       }

       $page_offset = get_kernel_config_option('CONFIG_PAGE_OFFSET');
       if (!$page_offset) {
	       return $default_offset;
       }
       return $page_offset;
}

sub is_in_vsyscall_memory_region
{
	my ($match) = @_;

	my $hex = hex($match);
	my $region_min = hex("0xffffffffff600000");
	my $region_max = hex("0xffffffffff601000");

	return ($hex >= $region_min and $hex <= $region_max);
}

# True if argument potentially contains a kernel address.
sub may_leak_address
{
	my ($line) = @_;
	my $address_re;

	# Signal masks.
	if ($line =~ '^SigBlk:' or
	    $line =~ '^SigIgn:' or
	    $line =~ '^SigCgt:') {
		return 0;
	}

	if ($line =~ '\bKEY=[[:xdigit:]]{14} [[:xdigit:]]{16} [[:xdigit:]]{16}\b' or
	    $line =~ '\b[[:xdigit:]]{14} [[:xdigit:]]{16} [[:xdigit:]]{16}\b') {
		return 0;
	}

	$address_re = get_address_re();
	while ($line =~ /($address_re)/g) {
		if (!is_false_positive($1)) {
			return 1;
		}
	}

	return 0;
}

sub get_address_re
{
	if (is_ppc64()) {
		return '\b(0x)?[89abcdef]00[[:xdigit:]]{13}\b';
	} elsif (is_32bit()) {
		return '\b(0x)?[[:xdigit:]]{8}\b';
	}

	return get_x86_64_re();
}

sub get_x86_64_re
{
	# We handle page table levels but only if explicitly configured using
	# CONFIG_PGTABLE_LEVELS.  If config file parsing fails or config option
	# is not found we default to using address regular expression suitable
	# for 4 page table levels.
	state $ptl = get_kernel_config_option('CONFIG_PGTABLE_LEVELS');

	if ($ptl == 5) {
		return '\b(0x)?ff[[:xdigit:]]{14}\b';
	}
	return '\b(0x)?ffff[[:xdigit:]]{12}\b';
}

sub parse_dmesg
{
	open my $cmd, '-|', 'dmesg';
	while (<$cmd>) {
		if (may_leak_address($_)) {
			print 'dmesg: ' . $_;
		}
	}
	close $cmd;
}

# True if we should skip this path.
sub skip
{
	my ($path) = @_;

	foreach (@skip_abs) {
		return 1 if (/^$path$/);
	}

	my($filename, $dirs, $suffix) = fileparse($path);
	foreach (@skip_any) {
		return 1 if (/^$filename$/);
	}

	return 0;
}

sub timed_parse_file
{
	my ($file) = @_;

	eval {
		local $SIG{ALRM} = sub { die "alarm\n" }; # NB: \n required.
		alarm $TIMEOUT;
		parse_file($file);
		alarm 0;
	};

	if ($@) {
		die unless $@ eq "alarm\n";	# Propagate unexpected errors.
		printf STDERR "timed out parsing: %s\n", $file;
	}
}

sub parse_file
{
	my ($file) = @_;

	if (! -R $file) {
		return;
	}

	if (! -T $file) {
		return;
	}

	open my $fh, "<", $file or return;
	while ( <$fh> ) {
		chomp;
		if (may_leak_address($_)) {
			printf("$file: $_\n");
		}
	}
	close $fh;
}

# Checks if the actual path name is leaking a kernel address.
sub check_path_for_leaks
{
	my ($path) = @_;

	if (may_leak_address($path)) {
		printf("Path name may contain address: $path\n");
	}
}

# Recursively walk directory tree.
sub walk
{
	my @dirs = @_;

	while (my $pwd = shift @dirs) {
		next if (!opendir(DIR, $pwd));
		my @files = readdir(DIR);
		closedir(DIR);

		foreach my $file (@files) {
			next if ($file eq '.' or $file eq '..');

			my $path = "$pwd/$file";
			next if (-l $path);

			# skip /proc/PID except /proc/1
			next if (($path =~ /^\/proc\/[0-9]+$/) &&
				 ($path !~ /^\/proc\/1$/));

			next if (skip($path));

			check_path_for_leaks($path);

			if (-d $path) {
				push @dirs, $path;
				next;
			}

			dprint("parsing: $path\n");
			timed_parse_file($path);
		}
	}
}

sub format_output
{
	my ($file) = @_;

	# Default is to show raw results.
	if ($raw or (!$squash_by_path and !$squash_by_filename)) {
		dump_raw_output($file);
		return;
	}

	my ($total, $dmesg, $paths, $files) = parse_raw_file($file);

	printf "\nTotal number of results from scan (incl dmesg): %d\n", $total;

	if (!$suppress_dmesg) {
		print_dmesg($dmesg);
	}

	if ($squash_by_filename) {
		squash_by($files, 'filename');
	}

	if ($squash_by_path) {
		squash_by($paths, 'path');
	}
}

sub dump_raw_output
{
	my ($file) = @_;

	open (my $fh, '<', $file) or die "$0: $file: $!\n";
	while (<$fh>) {
		if ($suppress_dmesg) {
			if ("dmesg:" eq substr($_, 0, 6)) {
				next;
			}
		}
		print $_;
	}
	close $fh;
}

sub parse_raw_file
{
	my ($file) = @_;

	my $total = 0;          # Total number of lines parsed.
	my @dmesg;              # dmesg output.
	my %files;              # Unique filenames containing leaks.
	my %paths;              # Unique paths containing leaks.

	open (my $fh, '<', $file) or die "$0: $file: $!\n";
	while (my $line = <$fh>) {
		$total++;

		if ("dmesg:" eq substr($line, 0, 6)) {
			push @dmesg, $line;
			next;
		}

		cache_path(\%paths, $line);
		cache_filename(\%files, $line);
	}

	return $total, \@dmesg, \%paths, \%files;
}

sub print_dmesg
{
	my ($dmesg) = @_;

	print "\ndmesg output:\n";

	if (@$dmesg == 0) {
		print "<no results>\n";
		return;
	}

	foreach(@$dmesg) {
		my $index = index($_, ': ');
		$index += 2;    # skid ': '
		print substr($_, $index);
	}
}

sub squash_by
{
	my ($ref, $desc) = @_;

	print "\nResults squashed by $desc (excl dmesg). ";
	print "Displaying [<number of results> <$desc>], <example result>\n";

	if (keys %$ref == 0) {
		print "<no results>\n";
		return;
	}

	foreach(keys %$ref) {
		my $lines = $ref->{$_};
		my $length = @$lines;
		printf "[%d %s] %s", $length, $_, @$lines[0];
	}
}

sub cache_path
{
	my ($paths, $line) = @_;

	my $index = index($line, ': ');
	my $path = substr($line, 0, $index);

	$index += 2;            # skip ': '
	add_to_cache($paths, $path, substr($line, $index));
}

sub cache_filename
{
	my ($files, $line) = @_;

	my $index = index($line, ': ');
	my $path = substr($line, 0, $index);
	my $filename = basename($path);

	$index += 2;            # skip ': '
	add_to_cache($files, $filename, substr($line, $index));
}

sub add_to_cache
{
	my ($cache, $key, $value) = @_;

	if (!$cache->{$key}) {
		$cache->{$key} = ();
	}
	push @{$cache->{$key}}, $value;
}
Commit	Line	Data
136fc5c4	1	#!/usr/bin/env perl
4f19048f	2	# SPDX-License-Identifier: GPL-2.0-only
136fc5c4 TH	3	#
136fc5c4 TH	4	# (c) 2017 Tobin C. Harding <[email protected]>
136fc5c4	5	#
1410fe4e	6	# leaking_addresses.pl: Scan the kernel for potential leaking addresses.
136fc5c4 TH	7	# - Scans dmesg output.
	8	# - Walks directory tree and parses each file (for each directory in @DIRS).
	9	#
136fc5c4 TH	10	# Use --debug to output path before parsing, this is useful to find files that
136fc5c4 TH	11	# cause the script to choke.
136fc5c4	12
472c9e10 TH	13	#
	14	# When the system is idle it is likely that most files under /proc/PID will be
	15	# identical for various processes. Scanning _all_ the PIDs under /proc is
	16	# unnecessary and implies that we are thoroughly scanning /proc. This is _not_
	17	# the case because there may be ways userspace can trigger creation of /proc
	18	# files that leak addresses but were not present during a scan. For these two
	19	# reasons we exclude all PID directories under /proc except '1/'
	20
136fc5c4 TH	21	use warnings;
	22	use strict;
	23	use POSIX;
	24	use File::Basename;
	25	use File::Spec;
	26	use Cwd 'abs_path';
	27	use Term::ANSIColor qw(:constants);
	28	use Getopt::Long qw(:config no_auto_abbrev);
62139c12	29	use Config;
87e37588	30	use bigint qw/hex/;
2f042c93	31	use feature 'state';
136fc5c4 TH	32
136fc5c4 TH	33	my $P = $0;
136fc5c4 TH	34
	35	# Directories to scan.
	36	my @DIRS = ('/proc', '/sys');
	37
dd98c252 TH	38	# Timer for parsing each file, in seconds.
	39	my $TIMEOUT = 10;
	40
1410fe4e TH	41	# Kernel addresses vary by architecture. We can only auto-detect the following
	42	# architectures (using `uname -m`). (flag --32-bit overrides auto-detection.)
	43	my @SUPPORTED_ARCHITECTURES = ('x86_64', 'ppc64', 'x86');
62139c12	44
136fc5c4 TH	45	# Command line options.
	46	my $help = 0;
	47	my $debug = 0;
d09bd8da TH	48	my $raw = 0;
	49	my $output_raw = ""; # Write raw results to file.
	50	my $input_raw = ""; # Read raw results from file instead of scanning.
d09bd8da TH	51	my $suppress_dmesg = 0; # Don't show dmesg in output.
	52	my $squash_by_path = 0; # Summary report grouped by absolute path.
	53	my $squash_by_filename = 0; # Summary report grouped by filename.
f9d2a42d	54	my $kernel_config_file = ""; # Kernel configuration file.
1410fe4e TH	55	my $opt_32bit = 0; # Scan 32-bit kernel.
1410fe4e TH	56	my $page_offset_32bit = 0; # Page offset for 32-bit kernel.
136fc5c4	57
b401f56f TH	58	# Skip these absolute paths.
	59	my @skip_abs = (
	60	'/proc/kmsg',
	61	'/proc/device-tree',
2ad74293	62	'/proc/1/syscall',
b401f56f	63	'/sys/firmware/devicetree',
d1c27c55	64	'/sys/kernel/tracing/trace_pipe',
b401f56f TH	65	'/sys/kernel/debug/tracing/trace_pipe',
	66	'/sys/kernel/security/apparmor/revision');
	67
	68	# Skip these under any subdirectory.
	69	my @skip_any = (
	70	'pagemap',
	71	'events',
	72	'access',
	73	'registers',
	74	'snapshot_raw',
	75	'trace_pipe_raw',
	76	'ptmx',
	77	'trace_pipe',
	78	'fd',
	79	'usbmon');
136fc5c4 TH	80
	81	sub help
	82	{
	83	my ($exitcode) = @_;
	84
	85	print << "EOM";
d09bd8da	86
136fc5c4	87	Usage: $P [OPTIONS]
136fc5c4 TH	88
	89	Options:
	90
15d60a35 TH	91	-o, --output-raw=<file> Save results for future processing.
	92	-i, --input-raw=<file> Read results from file instead of scanning.
	93	--raw Show raw results (default).
	94	--suppress-dmesg Do not show dmesg results.
	95	--squash-by-path Show one result per unique path.
	96	--squash-by-filename Show one result per unique filename.
f9d2a42d	97	--kernel-config-file=<file> Kernel configuration file (e.g /boot/config)
1410fe4e TH	98	--32-bit Scan 32-bit kernel.
1410fe4e TH	99	--page-offset-32-bit=o Page offset (for 32-bit kernel 0xABCD1234).
15d60a35	100	-d, --debug Display debugging output.
9ac060a7	101	-h, --help Display this help and exit.
d09bd8da	102
1410fe4e	103	Scans the running kernel for potential leaking addresses.
136fc5c4 TH	104
	105	EOM
	106	exit($exitcode);
	107	}
	108
	109	GetOptions(
136fc5c4 TH	110	'd\|debug' => \$debug,
136fc5c4 TH	111	'h\|help' => \$help,
d09bd8da TH	112	'o\|output-raw=s' => \$output_raw,
	113	'i\|input-raw=s' => \$input_raw,
	114	'suppress-dmesg' => \$suppress_dmesg,
	115	'squash-by-path' => \$squash_by_path,
	116	'squash-by-filename' => \$squash_by_filename,
	117	'raw' => \$raw,
f9d2a42d	118	'kernel-config-file=s' => \$kernel_config_file,
1410fe4e TH	119	'32-bit' => \$opt_32bit,
1410fe4e TH	120	'page-offset-32-bit=o' => \$page_offset_32bit,
136fc5c4 TH	121	) or help(1);
	122
	123	help(0) if ($help);
	124
d09bd8da TH	125	if ($input_raw) {
	126	format_output($input_raw);
	127	exit(0);
	128	}
	129
	130	if (!$input_raw and ($squash_by_path or $squash_by_filename)) {
	131	printf "\nSummary reporting only available with --input-raw=<file>\n";
	132	printf "(First run scan with --output-raw=<file>.)\n";
	133	exit(128);
	134	}
	135
1410fe4e	136	if (!(is_supported_architecture() or $opt_32bit or $page_offset_32bit)) {
62139c12 TH	137	printf "\nScript does not support your architecture, sorry.\n";
	138	printf "\nCurrently we support: \n\n";
	139	foreach(@SUPPORTED_ARCHITECTURES) {
	140	printf "\t%s\n", $_;
	141	}
6efb7458	142	printf("\n");
62139c12	143
1410fe4e TH	144	printf("If you are running a 32-bit architecture you may use:\n");
	145	printf("\n\t--32-bit or --page-offset-32-bit=<page offset>\n\n");
	146
6efb7458 TH	147	my $archname = `uname -m`;
6efb7458 TH	148	printf("Machine hardware name (`uname -m`): %s\n", $archname);
62139c12 TH	149
	150	exit(129);
	151	}
	152
d09bd8da TH	153	if ($output_raw) {
	154	open my $fh, '>', $output_raw or die "$0: $output_raw: $!\n";
	155	select $fh;
	156	}
	157
136fc5c4 TH	158	parse_dmesg();
	159	walk(@DIRS);
	160
	161	exit 0;
	162
136fc5c4 TH	163	sub dprint
	164	{
	165	printf(STDERR @_) if $debug;
	166	}
	167
62139c12 TH	168	sub is_supported_architecture
62139c12 TH	169	{
1410fe4e TH	170	return (is_x86_64() or is_ppc64() or is_ix86_32());
	171	}
	172
	173	sub is_32bit
	174	{
	175	# Allow --32-bit or --page-offset-32-bit to override
	176	if ($opt_32bit or $page_offset_32bit) {
	177	return 1;
	178	}
	179
	180	return is_ix86_32();
	181	}
	182
	183	sub is_ix86_32
	184	{
5e4bac34	185	state $arch = `uname -m`;
1410fe4e TH	186
	187	chomp $arch;
	188	if ($arch =~ m/i[3456]86/) {
	189	return 1;
	190	}
	191	return 0;
62139c12 TH	192	}
62139c12 TH	193
5eb0da05	194	sub is_arch
62139c12	195	{
5eb0da05 TH	196	my ($desc) = @_;
	197	my $arch = `uname -m`;
	198
	199	chomp $arch;
	200	if ($arch eq $desc) {
	201	return 1;
	202	}
	203	return 0;
	204	}
62139c12	205
5eb0da05 TH	206	sub is_x86_64
5eb0da05 TH	207	{
5e4bac34 TH	208	state $is = is_arch('x86_64');
5e4bac34 TH	209	return $is;
62139c12 TH	210	}
	211
	212	sub is_ppc64
	213	{
5e4bac34 TH	214	state $is = is_arch('ppc64');
5e4bac34 TH	215	return $is;
62139c12 TH	216	}
62139c12 TH	217
f9d2a42d TH	218	# Gets config option value from kernel config file.
	219	# Returns "" on error or if config option not found.
	220	sub get_kernel_config_option
	221	{
	222	my ($option) = @_;
	223	my $value = "";
	224	my $tmp_file = "";
	225	my @config_files;
	226
	227	# Allow --kernel-config-file to override.
	228	if ($kernel_config_file ne "") {
	229	@config_files = ($kernel_config_file);
	230	} elsif (-R "/proc/config.gz") {
	231	my $tmp_file = "/tmp/tmpkconf";
	232
	233	if (system("gunzip < /proc/config.gz > $tmp_file")) {
0f299433	234	dprint("system(gunzip < /proc/config.gz) failed\n");
f9d2a42d TH	235	return "";
	236	} else {
	237	@config_files = ($tmp_file);
	238	}
	239	} else {
	240	my $file = '/boot/config-' . `uname -r`;
	241	chomp $file;
	242	@config_files = ($file, '/boot/config');
	243	}
	244
	245	foreach my $file (@config_files) {
0f299433	246	dprint("parsing config file: $file\n");
f9d2a42d TH	247	$value = option_from_file($option, $file);
	248	if ($value ne "") {
	249	last;
	250	}
	251	}
	252
	253	if ($tmp_file ne "") {
	254	system("rm -f $tmp_file");
	255	}
	256
	257	return $value;
	258	}
	259
	260	# Parses $file and returns kernel configuration option value.
	261	sub option_from_file
	262	{
	263	my ($option, $file) = @_;
	264	my $str = "";
	265	my $val = "";
	266
	267	open(my $fh, "<", $file) or return "";
	268	while (my $line = <$fh> ) {
	269	if ($line =~ /^$option/) {
	270	($str, $val) = split /=/, $line;
	271	chomp $val;
	272	last;
	273	}
	274	}
	275
	276	close $fh;
	277	return $val;
	278	}
	279
136fc5c4 TH	280	sub is_false_positive
136fc5c4 TH	281	{
7e5758f7 TH	282	my ($match) = @_;
7e5758f7 TH	283
1410fe4e TH	284	if (is_32bit()) {
	285	return is_false_positive_32bit($match);
	286	}
	287
	288	# 64 bit false positives.
	289
7e5758f7 TH	290	if ($match =~ '\b(0x)?(f\|F){16}\b' or
	291	$match =~ '\b(0x)?0{16}\b') {
	292	return 1;
	293	}
136fc5c4	294
87e37588 TH	295	if (is_x86_64() and is_in_vsyscall_memory_region($match)) {
87e37588 TH	296	return 1;
7e5758f7	297	}
136fc5c4	298
7e5758f7	299	return 0;
136fc5c4 TH	300	}
136fc5c4 TH	301
1410fe4e TH	302	sub is_false_positive_32bit
	303	{
	304	my ($match) = @_;
	305	state $page_offset = get_page_offset();
	306
	307	if ($match =~ '\b(0x)?(f\|F){8}\b') {
	308	return 1;
	309	}
	310
	311	if (hex($match) < $page_offset) {
	312	return 1;
	313	}
	314
	315	return 0;
	316	}
	317
	318	# returns integer value
	319	sub get_page_offset
	320	{
	321	my $page_offset;
	322	my $default_offset = 0xc0000000;
	323
	324	# Allow --page-offset-32bit to override.
	325	if ($page_offset_32bit != 0) {
	326	return $page_offset_32bit;
	327	}
	328
	329	$page_offset = get_kernel_config_option('CONFIG_PAGE_OFFSET');
	330	if (!$page_offset) {
	331	return $default_offset;
	332	}
	333	return $page_offset;
	334	}
	335
87e37588 TH	336	sub is_in_vsyscall_memory_region
	337	{
	338	my ($match) = @_;
	339
	340	my $hex = hex($match);
	341	my $region_min = hex("0xffffffffff600000");
	342	my $region_max = hex("0xffffffffff601000");
	343
	344	return ($hex >= $region_min and $hex <= $region_max);
	345	}
	346
136fc5c4 TH	347	# True if argument potentially contains a kernel address.
	348	sub may_leak_address
	349	{
7e5758f7	350	my ($line) = @_;
62139c12	351	my $address_re;
136fc5c4	352
7e5758f7 TH	353	# Signal masks.
7e5758f7 TH	354	if ($line =~ '^SigBlk:' or
a11949ec	355	$line =~ '^SigIgn:' or
7e5758f7 TH	356	$line =~ '^SigCgt:') {
	357	return 0;
	358	}
136fc5c4	359
7e5758f7 TH	360	if ($line =~ '\bKEY=[[:xdigit:]]{14} [[:xdigit:]]{16} [[:xdigit:]]{16}\b' or
7e5758f7 TH	361	$line =~ '\b[[:xdigit:]]{14} [[:xdigit:]]{16} [[:xdigit:]]{16}\b') {
136fc5c4	362	return 0;
7e5758f7	363	}
136fc5c4	364
2f042c93	365	$address_re = get_address_re();
2306a677	366	while ($line =~ /($address_re)/g) {
7e5758f7 TH	367	if (!is_false_positive($1)) {
	368	return 1;
	369	}
	370	}
136fc5c4	371
7e5758f7	372	return 0;
136fc5c4 TH	373	}
136fc5c4 TH	374
2f042c93 TH	375	sub get_address_re
2f042c93 TH	376	{
1410fe4e	377	if (is_ppc64()) {
2f042c93	378	return '\b(0x)?[89abcdef]00[[:xdigit:]]{13}\b';
1410fe4e TH	379	} elsif (is_32bit()) {
1410fe4e TH	380	return '\b(0x)?[[:xdigit:]]{8}\b';
2f042c93	381	}
1410fe4e TH	382
1410fe4e TH	383	return get_x86_64_re();
2f042c93 TH	384	}
	385
	386	sub get_x86_64_re
	387	{
	388	# We handle page table levels but only if explicitly configured using
	389	# CONFIG_PGTABLE_LEVELS. If config file parsing fails or config option
	390	# is not found we default to using address regular expression suitable
	391	# for 4 page table levels.
	392	state $ptl = get_kernel_config_option('CONFIG_PGTABLE_LEVELS');
	393
	394	if ($ptl == 5) {
	395	return '\b(0x)?ff[[:xdigit:]]{14}\b';
	396	}
	397	return '\b(0x)?ffff[[:xdigit:]]{12}\b';
	398	}
	399
136fc5c4 TH	400	sub parse_dmesg
	401	{
	402	open my $cmd, '-\|', 'dmesg';
	403	while (<$cmd>) {
	404	if (may_leak_address($_)) {
	405	print 'dmesg: ' . $_;
	406	}
	407	}
	408	close $cmd;
	409	}
	410
	411	# True if we should skip this path.
	412	sub skip
	413	{
b401f56f	414	my ($path) = @_;
136fc5c4	415
b401f56f	416	foreach (@skip_abs) {
136fc5c4 TH	417	return 1 if (/^$path$/);
	418	}
	419
	420	my($filename, $dirs, $suffix) = fileparse($path);
b401f56f	421	foreach (@skip_any) {
136fc5c4 TH	422	return 1 if (/^$filename$/);
	423	}
	424
	425	return 0;
	426	}
	427
dd98c252 TH	428	sub timed_parse_file
	429	{
	430	my ($file) = @_;
	431
	432	eval {
	433	local $SIG{ALRM} = sub { die "alarm\n" }; # NB: \n required.
	434	alarm $TIMEOUT;
	435	parse_file($file);
	436	alarm 0;
	437	};
	438
	439	if ($@) {
	440	die unless $@ eq "alarm\n"; # Propagate unexpected errors.
	441	printf STDERR "timed out parsing: %s\n", $file;
	442	}
	443	}
	444
136fc5c4 TH	445	sub parse_file
	446	{
	447	my ($file) = @_;
	448
	449	if (! -R $file) {
	450	return;
	451	}
	452
e2858cad TH	453	if (! -T $file) {
	454	return;
	455	}
	456
136fc5c4 TH	457	open my $fh, "<", $file or return;
136fc5c4 TH	458	while ( <$fh> ) {
cf2a85ef	459	chomp;
136fc5c4	460	if (may_leak_address($_)) {
cf2a85ef	461	printf("$file: $_\n");
136fc5c4 TH	462	}
	463	}
	464	close $fh;
	465	}
	466
c73dff59 TH	467	# Checks if the actual path name is leaking a kernel address.
	468	sub check_path_for_leaks
	469	{
	470	my ($path) = @_;
	471
	472	if (may_leak_address($path)) {
	473	printf("Path name may contain address: $path\n");
	474	}
	475	}
	476
136fc5c4 TH	477	# Recursively walk directory tree.
	478	sub walk
	479	{
	480	my @dirs = @_;
136fc5c4 TH	481
136fc5c4 TH	482	while (my $pwd = shift @dirs) {
136fc5c4 TH	483	next if (!opendir(DIR, $pwd));
	484	my @files = readdir(DIR);
	485	closedir(DIR);
	486
	487	foreach my $file (@files) {
	488	next if ($file eq '.' or $file eq '..');
	489
	490	my $path = "$pwd/$file";
	491	next if (-l $path);
	492
472c9e10 TH	493	# skip /proc/PID except /proc/1
	494	next if (($path =~ /^\/proc\/[0-9]+$/) &&
	495	($path !~ /^\/proc\/1$/));
	496
b401f56f TH	497	next if (skip($path));
b401f56f TH	498
c73dff59 TH	499	check_path_for_leaks($path);
c73dff59 TH	500
136fc5c4 TH	501	if (-d $path) {
136fc5c4 TH	502	push @dirs, $path;
b401f56f	503	next;
136fc5c4	504	}
b401f56f	505
0f299433	506	dprint("parsing: $path\n");
b401f56f	507	timed_parse_file($path);
136fc5c4 TH	508	}
	509	}
	510	}
d09bd8da TH	511
	512	sub format_output
	513	{
	514	my ($file) = @_;
	515
	516	# Default is to show raw results.
	517	if ($raw or (!$squash_by_path and !$squash_by_filename)) {
	518	dump_raw_output($file);
	519	return;
	520	}
	521
	522	my ($total, $dmesg, $paths, $files) = parse_raw_file($file);
	523
	524	printf "\nTotal number of results from scan (incl dmesg): %d\n", $total;
	525
	526	if (!$suppress_dmesg) {
	527	print_dmesg($dmesg);
	528	}
	529
	530	if ($squash_by_filename) {
	531	squash_by($files, 'filename');
	532	}
	533
	534	if ($squash_by_path) {
	535	squash_by($paths, 'path');
	536	}
	537	}
	538
	539	sub dump_raw_output
	540	{
	541	my ($file) = @_;
	542
	543	open (my $fh, '<', $file) or die "$0: $file: $!\n";
	544	while (<$fh>) {
	545	if ($suppress_dmesg) {
	546	if ("dmesg:" eq substr($_, 0, 6)) {
	547	next;
	548	}
	549	}
	550	print $_;
	551	}
	552	close $fh;
	553	}
	554
	555	sub parse_raw_file
	556	{
	557	my ($file) = @_;
	558
	559	my $total = 0; # Total number of lines parsed.
	560	my @dmesg; # dmesg output.
	561	my %files; # Unique filenames containing leaks.
	562	my %paths; # Unique paths containing leaks.
	563
	564	open (my $fh, '<', $file) or die "$0: $file: $!\n";
	565	while (my $line = <$fh>) {
	566	$total++;
	567
	568	if ("dmesg:" eq substr($line, 0, 6)) {
	569	push @dmesg, $line;
	570	next;
	571	}
	572
	573	cache_path(\%paths, $line);
	574	cache_filename(\%files, $line);
575	}
576
577	return $total, \@dmesg, \%paths, \%files;
578	}
579
580	sub print_dmesg
581	{
582	my ($dmesg) = @_;
583
584	print "\ndmesg output:\n";
585
586	if (@$dmesg == 0) {
587	print "<no results>\n";
588	return;
589	}
590
591	foreach(@$dmesg) {
592	my $index = index($_, ': ');
593	$index += 2; # skid ': '
594	print substr($_, $index);
595	}
596	}
597
598	sub squash_by
599	{
600	my ($ref, $desc) = @_;
601
602	print "\nResults squashed by $desc (excl dmesg). ";
603	print "Displaying [<number of results> <$desc>], <example result>\n";
604
605	if (keys %$ref == 0) {
606	print "<no results>\n";
607	return;
608	}
609
610	foreach(keys %$ref) {
611	my $lines = $ref->{$_};
612	my $length = @$lines;
613	printf "[%d %s] %s", $length, $_, @$lines[0];
614	}
615	}
616
617	sub cache_path
618	{
619	my ($paths, $line) = @_;
620
621	my $index = index($line, ': ');
622	my $path = substr($line, 0, $index);
623
624	$index += 2; # skip ': '
625	add_to_cache($paths, $path, substr($line, $index));
626	}
627
628	sub cache_filename
629	{
630	my ($files, $line) = @_;
631
632	my $index = index($line, ': ');
633	my $path = substr($line, 0, $index);
634	my $filename = basename($path);
635
636	$index += 2; # skip ': '
637	add_to_cache($files, $filename, substr($line, $index));
638	}
639
640	sub add_to_cache
641	{
642	my ($cache, $key, $value) = @_;
643
644	if (!$cache->{$key}) {
645	$cache->{$key} = ();
646	}
647	push @{$cache->{$key}}, $value;
648	}