Blame SOURCES/cve-2017-13693.patch

214d7a
From 987a3b5cf7175916e2a4b6ea5b8e70f830dfe732 Mon Sep 17 00:00:00 2001
214d7a
From: Seunghun Han <kkamagui@gmail.com>
214d7a
Date: Wed, 19 Jul 2017 16:47:53 +0900
214d7a
Subject: [PATCH] acpi: acpica: fix acpi operand cache leak in dswstate.c
214d7a
214d7a
I found an ACPI cache leak in ACPI early termination and boot continuing case.
214d7a
214d7a
When early termination occurs due to malicious ACPI table, Linux kernel
214d7a
terminates ACPI function and continues to boot process. While kernel terminates
214d7a
ACPI function, kmem_cache_destroy() reports Acpi-Operand cache leak.
214d7a
214d7a
Boot log of ACPI operand cache leak is as follows:
214d7a
>[    0.585957] ACPI: Added _OSI(Module Device)
214d7a
>[    0.587218] ACPI: Added _OSI(Processor Device)
214d7a
>[    0.588530] ACPI: Added _OSI(3.0 _SCP Extensions)
214d7a
>[    0.589790] ACPI: Added _OSI(Processor Aggregator Device)
214d7a
>[    0.591534] ACPI Error: Illegal I/O port address/length above 64K: C806E00000004002/0x2 (20170303/hwvalid-155)
214d7a
>[    0.594351] ACPI Exception: AE_LIMIT, Unable to initialize fixed events (20170303/evevent-88)
214d7a
>[    0.597858] ACPI: Unable to start the ACPI Interpreter
214d7a
>[    0.599162] ACPI Error: Could not remove SCI handler (20170303/evmisc-281)
214d7a
>[    0.601836] kmem_cache_destroy Acpi-Operand: Slab cache still has objects
214d7a
>[    0.603556] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.12.0-rc5 #26
214d7a
>[    0.605159] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
214d7a
>[    0.609177] Call Trace:
214d7a
>[    0.610063]  ? dump_stack+0x5c/0x81
214d7a
>[    0.611118]  ? kmem_cache_destroy+0x1aa/0x1c0
214d7a
>[    0.612632]  ? acpi_sleep_proc_init+0x27/0x27
214d7a
>[    0.613906]  ? acpi_os_delete_cache+0xa/0x10
214d7a
>[    0.617986]  ? acpi_ut_delete_caches+0x3f/0x7b
214d7a
>[    0.619293]  ? acpi_terminate+0xa/0x14
214d7a
>[    0.620394]  ? acpi_init+0x2af/0x34f
214d7a
>[    0.621616]  ? __class_create+0x4c/0x80
214d7a
>[    0.623412]  ? video_setup+0x7f/0x7f
214d7a
>[    0.624585]  ? acpi_sleep_proc_init+0x27/0x27
214d7a
>[    0.625861]  ? do_one_initcall+0x4e/0x1a0
214d7a
>[    0.627513]  ? kernel_init_freeable+0x19e/0x21f
214d7a
>[    0.628972]  ? rest_init+0x80/0x80
214d7a
>[    0.630043]  ? kernel_init+0xa/0x100
214d7a
>[    0.631084]  ? ret_from_fork+0x25/0x30
214d7a
>[    0.633343] vgaarb: loaded
214d7a
>[    0.635036] EDAC MC: Ver: 3.0.0
214d7a
>[    0.638601] PCI: Probing PCI hardware
214d7a
>[    0.639833] PCI host bridge to bus 0000:00
214d7a
>[    0.641031] pci_bus 0000:00: root bus resource [io  0x0000-0xffff]
214d7a
> ... Continue to boot and log is omitted ...
214d7a
214d7a
I analyzed this memory leak in detail and found acpi_ds_obj_stack_pop_and_
214d7a
delete() function miscalculated the top of the stack. acpi_ds_obj_stack_push()
214d7a
function uses walk_state->operand_index for start position of the top, but
214d7a
acpi_ds_obj_stack_pop_and_delete() function considers index 0 for it.
214d7a
Therefore, this causes acpi operand memory leak.
214d7a
214d7a
This cache leak causes a security threat because an old kernel (<= 4.9) shows
214d7a
memory locations of kernel functions in stack dump. Some malicious users
214d7a
could use this information to neutralize kernel ASLR.
214d7a
214d7a
I made a patch to fix ACPI operand cache leak.
214d7a
214d7a
Signed-off-by: Seunghun Han <kkamagui@gmail.com>
214d7a
214d7a
Github-Location: https://github.com/acpica/acpica/pull/295/commits/987a3b5cf7175916e2a4b6ea5b8e70f830dfe732
214d7a
---
214d7a
 source/components/dispatcher/dsutils.c | 9 ++++++++-
214d7a
 1 file changed, 8 insertions(+), 1 deletion(-)
214d7a
214d7a
Index: acpica-unix2-20200925/source/components/dispatcher/dsutils.c
214d7a
===================================================================
214d7a
--- acpica-unix2-20200925.orig/source/components/dispatcher/dsutils.c
214d7a
+++ acpica-unix2-20200925/source/components/dispatcher/dsutils.c
214d7a
@@ -759,6 +759,8 @@ AcpiDsCreateOperands (
214d7a
     ACPI_PARSE_OBJECT       *Arguments[ACPI_OBJ_NUM_OPERANDS];
214d7a
     UINT32                  ArgCount = 0;
214d7a
     UINT32                  Index = WalkState->NumOperands;
214d7a
+    UINT32                  PrevNumOperands = WalkState->NumOperands;
214d7a
+    UINT32                  NewNumOperands;
214d7a
     UINT32                  i;
214d7a
 
214d7a
 
214d7a
@@ -791,6 +793,7 @@ AcpiDsCreateOperands (
214d7a
 
214d7a
     /* Create the interpreter arguments, in reverse order */
214d7a
 
214d7a
+    NewNumOperands = Index;
214d7a
     Index--;
214d7a
     for (i = 0; i < ArgCount; i++)
214d7a
     {
214d7a
@@ -818,7 +821,11 @@ Cleanup:
214d7a
      * pop everything off of the operand stack and delete those
214d7a
      * objects
214d7a
      */
214d7a
-    AcpiDsObjStackPopAndDelete (ArgCount, WalkState);
214d7a
+    WalkState->NumOperands = i;
214d7a
+    AcpiDsObjStackPopAndDelete (NewNumOperands, WalkState);
214d7a
+
214d7a
+    /* Restore operand count */
214d7a
+    WalkState->NumOperands = PrevNumOperands;
214d7a
 
214d7a
     ACPI_EXCEPTION ((AE_INFO, Status, "While creating Arg %u", Index));
214d7a
     return_ACPI_STATUS (Status);