|
 |
0fb27e |
From 37f2c716f2c6ab14c3ba557a539c3ee3224931b5 Mon Sep 17 00:00:00 2001
|
|
|
0fb27e |
From: Seunghun Han <kkamagui@gmail.com>
|
|
|
0fb27e |
Date: Wed, 19 Jul 2017 17:04:44 +0900
|
|
|
0fb27e |
Subject: [PATCH] acpi: acpica: fix acpi operand cache leak in nseval.c
|
|
|
0fb27e |
|
|
|
0fb27e |
I found an ACPI cache leak in ACPI early termination and boot continuing case.
|
|
|
0fb27e |
|
|
|
0fb27e |
When early termination occurs due to malicious ACPI table, Linux kernel
|
|
|
0fb27e |
terminates ACPI function and continues to boot process. While kernel terminates
|
|
|
0fb27e |
ACPI function, kmem_cache_destroy() reports Acpi-Operand cache leak.
|
|
|
0fb27e |
|
|
|
0fb27e |
Boot log of ACPI operand cache leak is as follows:
|
|
|
0fb27e |
>[ 0.464168] ACPI: Added _OSI(Module Device)
|
|
|
0fb27e |
>[ 0.467022] ACPI: Added _OSI(Processor Device)
|
|
|
0fb27e |
>[ 0.469376] ACPI: Added _OSI(3.0 _SCP Extensions)
|
|
|
0fb27e |
>[ 0.471647] ACPI: Added _OSI(Processor Aggregator Device)
|
|
|
0fb27e |
>[ 0.477997] ACPI Error: Null stack entry at ffff880215c0aad8 (20170303/exresop-174)
|
|
|
0fb27e |
>[ 0.482706] ACPI Exception: AE_AML_INTERNAL, While resolving operands for [OpcodeName unavailable] (20170303/dswexec-461)
|
|
|
0fb27e |
>[ 0.487503] ACPI Error: Method parse/execution failed [\DBG] (Node ffff88021710ab40), AE_AML_INTERNAL (20170303/psparse-543)
|
|
|
0fb27e |
>[ 0.492136] ACPI Error: Method parse/execution failed [\_SB._INI] (Node ffff88021710a618), AE_AML_INTERNAL (20170303/psparse-543)
|
|
|
0fb27e |
>[ 0.497683] ACPI: Interpreter enabled
|
|
|
0fb27e |
>[ 0.499385] ACPI: (supports S0)
|
|
|
0fb27e |
>[ 0.501151] ACPI: Using IOAPIC for interrupt routing
|
|
|
0fb27e |
>[ 0.503342] ACPI Error: Null stack entry at ffff880215c0aad8 (20170303/exresop-174)
|
|
|
0fb27e |
>[ 0.506522] ACPI Exception: AE_AML_INTERNAL, While resolving operands for [OpcodeName unavailable] (20170303/dswexec-461)
|
|
|
0fb27e |
>[ 0.510463] ACPI Error: Method parse/execution failed [\DBG] (Node ffff88021710ab40), AE_AML_INTERNAL (20170303/psparse-543)
|
|
|
0fb27e |
>[ 0.514477] ACPI Error: Method parse/execution failed [\_PIC] (Node ffff88021710ab18), AE_AML_INTERNAL (20170303/psparse-543)
|
|
|
0fb27e |
>[ 0.518867] ACPI Exception: AE_AML_INTERNAL, Evaluating _PIC (20170303/bus-991)
|
|
|
0fb27e |
>[ 0.522384] kmem_cache_destroy Acpi-Operand: Slab cache still has objects
|
|
|
0fb27e |
>[ 0.524597] CPU: 1 PID: 1 Comm: swapper/0 Not tainted 4.12.0-rc5 #26
|
|
|
0fb27e |
>[ 0.526795] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
|
|
|
0fb27e |
>[ 0.529668] Call Trace:
|
|
|
0fb27e |
>[ 0.530811] ? dump_stack+0x5c/0x81
|
|
|
0fb27e |
>[ 0.532240] ? kmem_cache_destroy+0x1aa/0x1c0
|
|
|
0fb27e |
>[ 0.533905] ? acpi_os_delete_cache+0xa/0x10
|
|
|
0fb27e |
>[ 0.535497] ? acpi_ut_delete_caches+0x3f/0x7b
|
|
|
0fb27e |
>[ 0.537237] ? acpi_terminate+0xa/0x14
|
|
|
0fb27e |
>[ 0.538701] ? acpi_init+0x2af/0x34f
|
|
|
0fb27e |
>[ 0.540008] ? acpi_sleep_proc_init+0x27/0x27
|
|
|
0fb27e |
>[ 0.541593] ? do_one_initcall+0x4e/0x1a0
|
|
|
0fb27e |
>[ 0.543008] ? kernel_init_freeable+0x19e/0x21f
|
|
|
0fb27e |
>[ 0.546202] ? rest_init+0x80/0x80
|
|
|
0fb27e |
>[ 0.547513] ? kernel_init+0xa/0x100
|
|
|
0fb27e |
>[ 0.548817] ? ret_from_fork+0x25/0x30
|
|
|
0fb27e |
>[ 0.550587] vgaarb: loaded
|
|
|
0fb27e |
>[ 0.551716] EDAC MC: Ver: 3.0.0
|
|
|
0fb27e |
>[ 0.553744] PCI: Probing PCI hardware
|
|
|
0fb27e |
>[ 0.555038] PCI host bridge to bus 0000:00
|
|
|
0fb27e |
> ... Continue to boot and log is omitted ...
|
|
|
0fb27e |
|
|
|
0fb27e |
I analyzed this memory leak in detail and found AcpiNsEvaluate() function
|
|
|
0fb27e |
only removes Info->ReturnObject in AE_CTRL_RETURN_VALUE case. But, when errors
|
|
|
0fb27e |
occur, the status value is not AE_CTRL_RETURN_VALUE, and Info->ReturnObject is
|
|
|
0fb27e |
also not null. Therefore, this causes acpi operand memory leak.
|
|
|
0fb27e |
|
|
|
0fb27e |
This cache leak causes a security threat because an old kernel (<= 4.9) shows
|
|
|
0fb27e |
memory locations of kernel functions in stack dump. Some malicious users
|
|
|
0fb27e |
could use this information to neutralize kernel ASLR.
|
|
|
0fb27e |
|
|
|
0fb27e |
I made a patch to fix ACPI operand cache leak.
|
|
|
0fb27e |
|
|
|
0fb27e |
Signed-off-by: Seunghun Han <kkamagui@gmail.com>
|
|
|
0fb27e |
|
|
|
0fb27e |
Github-Location: https://github.com/acpica/acpica/pull/296/commits/37f2c716f2c6ab14c3ba557a539c3ee3224931b5
|
|
|
0fb27e |
|
|
|
0fb27e |
---
|
|
|
0fb27e |
source/components/namespace/nseval.c | 10 ++++++++++
|
|
|
0fb27e |
1 file changed, 10 insertions(+)
|
|
|
0fb27e |
|
|
|
0fb27e |
Index: acpica-unix2-20180313/source/components/namespace/nseval.c
|
|
|
0fb27e |
===================================================================
|
|
|
0fb27e |
--- acpica-unix2-20180313.orig/source/components/namespace/nseval.c
|
|
|
0fb27e |
+++ acpica-unix2-20180313/source/components/namespace/nseval.c
|
|
|
0fb27e |
@@ -330,6 +330,16 @@ AcpiNsEvaluate (
|
|
|
0fb27e |
Info->ReturnObject = NULL;
|
|
|
0fb27e |
}
|
|
|
0fb27e |
}
|
|
|
0fb27e |
+ else if (ACPI_FAILURE(Status))
|
|
|
0fb27e |
+ {
|
|
|
0fb27e |
+ /* If ReturnObject exists, delete it */
|
|
|
0fb27e |
+
|
|
|
0fb27e |
+ if (Info->ReturnObject)
|
|
|
0fb27e |
+ {
|
|
|
0fb27e |
+ AcpiUtRemoveReference (Info->ReturnObject);
|
|
|
0fb27e |
+ Info->ReturnObject = NULL;
|
|
|
0fb27e |
+ }
|
|
|
0fb27e |
+ }
|
|
|
0fb27e |
|
|
|
0fb27e |
ACPI_DEBUG_PRINT ((ACPI_DB_NAMES,
|
|
|
0fb27e |
"*** Completed evaluation of object %s ***\n",
|