On Sun, Nov 12, 2017 at 02:10:07AM +0300, Kirill A. Shutemov wrote: > On Tue, Nov 07, 2017 at 09:32:11PM +1100, Tobin C. Harding wrote: > > Currently we are leaking addresses from the kernel to user space. This > > script is an attempt to find some of those leakages. Script parses > > `dmesg` output and /proc and /sys files for hex strings that look like > > kernel addresses. > > > > Only works for 64 bit kernels, the reason being that kernel addresses > > on 64 bit kernels have 'ffff' as the leading bit pattern making greping > > possible. On 32 kernels we don't have this luxury. > > Well, it's not going to work as well as intented on x86 machine with > 5-level paging. Kernel address space there starts at 0xff10000000000000. > It will still catch pointers to kernel/modules text, but the rest is > outside of 0xffff... space. See Documentation/x86/x86_64/mm.txt.
Thanks for the link. So it looks like we need to refactor the kernel address regular expression into a function that takes into account the machine architecture and the number of page table levels. We will need to add this to the false positive checks also. > Not sure if we care. It won't work too for other 64-bit architectrues that > have more than 256TB of virtual address space. Is this because of the virtual memory map? Did you mean 512TB? from mm.txt: ffd4000000000000 - ffd5ffffffffffff (=49 bits) virtual memory map (512TB) Perhaps an option (--terse) that only checks the virtual memory map range (above for 5-level paging) and ffffea0000000000 - ffffeaffffffffff (=40 bits) virtual memory map (1TB) for 4-level paging? > Just wanted to point to the limitation. Appreciate it, thanks. Tobin.
