ACK/Cmnt: [PATCH 2/2] ACPICA: Namespace: fix operand cache leak

Stefan Bader stefan.bader at canonical.com
Mon Jul 23 13:31:10 UTC 2018 

On 20.07.2018 14:20, Colin King wrote:
> From: Seunghun Han <kkamagui at gmail.com>
> 
> CVE-2017-11472
> 
> ACPICA commit a23325b2e583556eae88ed3f764e457786bf4df6
> 
> I found some ACPI operand cache leaks in ACPI early abort cases.
> 
> Boot log of ACPI operand cache leak is as follows:
>> [    0.174332] ACPI: Added _OSI(Module Device)
>> [    0.175504] ACPI: Added _OSI(Processor Device)
>> [    0.176010] ACPI: Added _OSI(3.0 _SCP Extensions)
>> [    0.177032] ACPI: Added _OSI(Processor Aggregator Device)
>> [    0.178284] ACPI: SCI (IRQ16705) allocation failed
>> [    0.179352] ACPI Exception: AE_NOT_ACQUIRED, Unable to install
> System Control Interrupt handler (20160930/evevent-131)
>> [    0.180008] ACPI: Unable to start the ACPI Interpreter
>> [    0.181125] ACPI Error: Could not remove SCI handler
> (20160930/evmisc-281)
>> [    0.184068] kmem_cache_destroy Acpi-Operand: Slab cache still has
> objects
>> [    0.185358] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.10.0-rc3 #2
>> [    0.186820] Hardware name: innotek gmb_h virtual_box/virtual_box, BIOS
> virtual_box 12/01/2006
>> [    0.188000] Call Trace:
>> [    0.188000]  ? dump_stack+0x5c/0x7d
>> [    0.188000]  ? kmem_cache_destroy+0x224/0x230
>> [    0.188000]  ? acpi_sleep_proc_init+0x22/0x22
>> [    0.188000]  ? acpi_os_delete_cache+0xa/0xd
>> [    0.188000]  ? acpi_ut_delete_caches+0x3f/0x7b
>> [    0.188000]  ? acpi_terminate+0x5/0xf
>> [    0.188000]  ? acpi_init+0x288/0x32e
>> [    0.188000]  ? __class_create+0x4c/0x80
>> [    0.188000]  ? video_setup+0x7a/0x7a
>> [    0.188000]  ? do_one_initcall+0x4e/0x1b0
>> [    0.188000]  ? kernel_init_freeable+0x194/0x21a
>> [    0.188000]  ? rest_init+0x80/0x80
>> [    0.188000]  ? kernel_init+0xa/0x100
>> [    0.188000]  ? ret_from_fork+0x25/0x30
> 
> When early abort is occurred due to invalid ACPI information, Linux kernel
> terminates ACPI by calling acpi_terminate() function. The function calls
> acpi_ns_terminate() function to delete namespace data and ACPI operand cache
> (acpi_gbl_module_code_list).
> 
> But the deletion code in acpi_ns_terminate() function is wrapped in
> ACPI_EXEC_APP definition, therefore the code is only executed when the
> definition exists. If the define doesn't exist, ACPI operand cache
> (acpi_gbl_module_code_list) is leaked, and stack dump is shown in kernel log.
> 
> This causes a security threat because the old kernel (<= 4.9) shows memory
> locations of kernel functions in stack dump, therefore kernel ASLR can be
> neutralized.
> 
> To fix ACPI operand leak for enhancing security, I made a patch which
> removes the ACPI_EXEC_APP define in acpi_ns_terminate() function for
> executing the deletion code unconditionally.
> 
> Link: https://github.com/acpica/acpica/commit/a23325b2
> Signed-off-by: Seunghun Han <kkamagui at gmail.com>
> Signed-off-by: Lv Zheng <lv.zheng at intel.com>
> Signed-off-by: Bob Moore <robert.moore at intel.com>
> Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki at intel.com>
> (clean upstream cherry pick of commit 3b2d69114fefa474fca542e51119036dceb4aa6f)
> Signed-off-by: Colin Ian King <colin.king at canonical.com>
Acked-by: Stefan Bader <stefan.bader at canonical.com>
> ---

-> (cherry picked from commit 3b2d69114fefa474fca542e51119036dceb4aa6f)

>  drivers/acpi/acpica/nsutils.c | 23 +++++++++--------------
>  1 file changed, 9 insertions(+), 14 deletions(-)
> 
> diff --git a/drivers/acpi/acpica/nsutils.c b/drivers/acpi/acpica/nsutils.c
> index aca30b2..617b3c0 100644
> --- a/drivers/acpi/acpica/nsutils.c
> +++ b/drivers/acpi/acpica/nsutils.c
> @@ -594,25 +594,20 @@ struct acpi_namespace_node *acpi_ns_validate_handle(acpi_handle handle)
>  void acpi_ns_terminate(void)
>  {
>  	acpi_status status;
> +	union acpi_operand_object *prev;
> +	union acpi_operand_object *next;
>  
>  	ACPI_FUNCTION_TRACE(ns_terminate);
>  
> -#ifdef ACPI_EXEC_APP
> -	{
> -		union acpi_operand_object *prev;
> -		union acpi_operand_object *next;
> +	/* Delete any module-level code blocks */
>  
> -		/* Delete any module-level code blocks */
> -
> -		next = acpi_gbl_module_code_list;
> -		while (next) {
> -			prev = next;
> -			next = next->method.mutex;
> -			prev->method.mutex = NULL;	/* Clear the Mutex (cheated) field */
> -			acpi_ut_remove_reference(prev);
> -		}
> +	next = acpi_gbl_module_code_list;
> +	while (next) {
> +		prev = next;
> +		next = next->method.mutex;
> +		prev->method.mutex = NULL;	/* Clear the Mutex (cheated) field */
> +		acpi_ut_remove_reference(prev);
>  	}
> -#endif
>  
>  	/*
>  	 * Free the entire namespace -- all nodes and all objects
> 


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20180723/0bbf562c/attachment.sig>

More information about the kernel-team mailing list