Blame SOURCES/cve-2017-13693.patch

0fb27e
From 987a3b5cf7175916e2a4b6ea5b8e70f830dfe732 Mon Sep 17 00:00:00 2001
0fb27e
From: Seunghun Han <kkamagui@gmail.com>
0fb27e
Date: Wed, 19 Jul 2017 16:47:53 +0900
0fb27e
Subject: [PATCH] acpi: acpica: fix acpi operand cache leak in dswstate.c
0fb27e
0fb27e
I found an ACPI cache leak in ACPI early termination and boot continuing case.
0fb27e
0fb27e
When early termination occurs due to malicious ACPI table, Linux kernel
0fb27e
terminates ACPI function and continues to boot process. While kernel terminates
0fb27e
ACPI function, kmem_cache_destroy() reports Acpi-Operand cache leak.
0fb27e
0fb27e
Boot log of ACPI operand cache leak is as follows:
0fb27e
>[    0.585957] ACPI: Added _OSI(Module Device)
0fb27e
>[    0.587218] ACPI: Added _OSI(Processor Device)
0fb27e
>[    0.588530] ACPI: Added _OSI(3.0 _SCP Extensions)
0fb27e
>[    0.589790] ACPI: Added _OSI(Processor Aggregator Device)
0fb27e
>[    0.591534] ACPI Error: Illegal I/O port address/length above 64K: C806E00000004002/0x2 (20170303/hwvalid-155)
0fb27e
>[    0.594351] ACPI Exception: AE_LIMIT, Unable to initialize fixed events (20170303/evevent-88)
0fb27e
>[    0.597858] ACPI: Unable to start the ACPI Interpreter
0fb27e
>[    0.599162] ACPI Error: Could not remove SCI handler (20170303/evmisc-281)
0fb27e
>[    0.601836] kmem_cache_destroy Acpi-Operand: Slab cache still has objects
0fb27e
>[    0.603556] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.12.0-rc5 #26
0fb27e
>[    0.605159] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
0fb27e
>[    0.609177] Call Trace:
0fb27e
>[    0.610063]  ? dump_stack+0x5c/0x81
0fb27e
>[    0.611118]  ? kmem_cache_destroy+0x1aa/0x1c0
0fb27e
>[    0.612632]  ? acpi_sleep_proc_init+0x27/0x27
0fb27e
>[    0.613906]  ? acpi_os_delete_cache+0xa/0x10
0fb27e
>[    0.617986]  ? acpi_ut_delete_caches+0x3f/0x7b
0fb27e
>[    0.619293]  ? acpi_terminate+0xa/0x14
0fb27e
>[    0.620394]  ? acpi_init+0x2af/0x34f
0fb27e
>[    0.621616]  ? __class_create+0x4c/0x80
0fb27e
>[    0.623412]  ? video_setup+0x7f/0x7f
0fb27e
>[    0.624585]  ? acpi_sleep_proc_init+0x27/0x27
0fb27e
>[    0.625861]  ? do_one_initcall+0x4e/0x1a0
0fb27e
>[    0.627513]  ? kernel_init_freeable+0x19e/0x21f
0fb27e
>[    0.628972]  ? rest_init+0x80/0x80
0fb27e
>[    0.630043]  ? kernel_init+0xa/0x100
0fb27e
>[    0.631084]  ? ret_from_fork+0x25/0x30
0fb27e
>[    0.633343] vgaarb: loaded
0fb27e
>[    0.635036] EDAC MC: Ver: 3.0.0
0fb27e
>[    0.638601] PCI: Probing PCI hardware
0fb27e
>[    0.639833] PCI host bridge to bus 0000:00
0fb27e
>[    0.641031] pci_bus 0000:00: root bus resource [io  0x0000-0xffff]
0fb27e
> ... Continue to boot and log is omitted ...
0fb27e
0fb27e
I analyzed this memory leak in detail and found acpi_ds_obj_stack_pop_and_
0fb27e
delete() function miscalculated the top of the stack. acpi_ds_obj_stack_push()
0fb27e
function uses walk_state->operand_index for start position of the top, but
0fb27e
acpi_ds_obj_stack_pop_and_delete() function considers index 0 for it.
0fb27e
Therefore, this causes acpi operand memory leak.
0fb27e
0fb27e
This cache leak causes a security threat because an old kernel (<= 4.9) shows
0fb27e
memory locations of kernel functions in stack dump. Some malicious users
0fb27e
could use this information to neutralize kernel ASLR.
0fb27e
0fb27e
I made a patch to fix ACPI operand cache leak.
0fb27e
0fb27e
Signed-off-by: Seunghun Han <kkamagui@gmail.com>
0fb27e
0fb27e
Github-Location: https://github.com/acpica/acpica/pull/295/commits/987a3b5cf7175916e2a4b6ea5b8e70f830dfe732
0fb27e
---
0fb27e
 source/components/dispatcher/dsutils.c | 9 ++++++++-
0fb27e
 1 file changed, 8 insertions(+), 1 deletion(-)
0fb27e
0fb27e
Index: acpica-unix2-20180209/source/components/dispatcher/dsutils.c
0fb27e
===================================================================
0fb27e
--- acpica-unix2-20180209.orig/source/components/dispatcher/dsutils.c
0fb27e
+++ acpica-unix2-20180209/source/components/dispatcher/dsutils.c
0fb27e
@@ -761,6 +761,8 @@ AcpiDsCreateOperands (
0fb27e
     ACPI_PARSE_OBJECT       *Arguments[ACPI_OBJ_NUM_OPERANDS];
0fb27e
     UINT32                  ArgCount = 0;
0fb27e
     UINT32                  Index = WalkState->NumOperands;
0fb27e
+    UINT32                  PrevNumOperands = WalkState->NumOperands;
0fb27e
+    UINT32                  NewNumOperands;
0fb27e
     UINT32                  i;
0fb27e
 
0fb27e
 
0fb27e
@@ -793,6 +795,7 @@ AcpiDsCreateOperands (
0fb27e
 
0fb27e
     /* Create the interpreter arguments, in reverse order */
0fb27e
 
0fb27e
+    NewNumOperands = Index;
0fb27e
     Index--;
0fb27e
     for (i = 0; i < ArgCount; i++)
0fb27e
     {
0fb27e
@@ -820,7 +823,11 @@ Cleanup:
0fb27e
      * pop everything off of the operand stack and delete those
0fb27e
      * objects
0fb27e
      */
0fb27e
-    AcpiDsObjStackPopAndDelete (ArgCount, WalkState);
0fb27e
+    WalkState->NumOperands = i;
0fb27e
+    AcpiDsObjStackPopAndDelete (NewNumOperands, WalkState);
0fb27e
+
0fb27e
+    /* Restore operand count */
0fb27e
+    WalkState->NumOperands = PrevNumOperands;
0fb27e
 
0fb27e
     ACPI_EXCEPTION ((AE_INFO, Status, "While creating Arg %u", Index));
0fb27e
     return_ACPI_STATUS (Status);