On Thu, Feb 22, 2024 at 08:24:02AM -0700, Tycho Andersen wrote:
> Hi Kees,
>
> On Sun, Feb 18, 2024 at 09:38:12AM -0800, Kees Cook wrote:
> > Introduce --kallsyms argument for scanning binary files for known symbol
> > addresses. This would have found the exposure in /sys/kernel/notes:
> >
> > $ scripts/leaking_addresses.pl --kallsyms=<(sudo cat /proc/kallsyms)
> > /sys/kernel/notes: hypercall_page @ 156
> > /sys/kernel/notes: xen_hypercall_set_trap_table @ 156
> > /sys/kernel/notes: startup_xen @ 132
> >
> > Signed-off-by: Kees Cook <keesc...@chromium.org>
>
> Patch itself is
>
> Reviewed-by: Tycho Andersen <tander...@netflix.com>
>
> And if you can carry it, that would be great (see below :).
Sure!
> This does bring up some interesting questions. From off-list
> discussions with Tobin, I believe he is not particularly interested in
> maintaining this script any more. I was never set up to do the PRs
> myself, I agreed to be a reviewer to help Tobin out. I'm happy to
> adopt it if that makes sense, but I'm curious about the future of the
> script:
>
> 1. is it useful? (seems like yes if you're adding features)
Yes, LKP runs it as part of 0-day, and it's found leaks in the past[1].
(Though its usage could be improved.)
> 2. does it make sense to live here as a separate thing? should we
> perhaps run it as part of kselftests or similar? I think that e.g.
> 681ff0181bbf ("x86/mm/init/32: Stop printing the virtual memory
> layout") was not discovered with this script, but maybe if we put it
> inline with some other stuff people regularly run more of these would
> fall out? Maybe it makes sense to live somewhere else entirely
> (syzkaller)? I can probably set up some x86/arm64 infra to run it
> regularly, but that won't catch other less popular arches.
We could certainly do that. It would need some work to clean it up,
though -- it seems like it wasn't designed to run as root (which is how
LKP runs it, and likely how at least some CIs would run it).
> 3. perl. I'm mostly not a perl programmer, but would be happy to
> rewrite it in python pending the outcome of discussion above.
I am not a Perl fan either. It does work as-is, though. Address leaks,
while worth fixing, are relatively low priority over all, so I wouldn't
prioritize a rewrite very highly.
-Kees
[1] https://lore.kernel.org/all/20210103142726.GC30643@xsang-OptiPlex-9020/
--
Kees Cook
