[packages/acpica.git] / cve-2017-13695.patch

From 37f2c716f2c6ab14c3ba557a539c3ee3224931b5 Mon Sep 17 00:00:00 2001
From: Seunghun Han <kkamagui@gmail.com>
Date: Wed, 19 Jul 2017 17:04:44 +0900
Subject: [PATCH] acpi: acpica: fix acpi operand cache leak in nseval.c

I found an ACPI cache leak in ACPI early termination and boot continuing case.

When early termination occurs due to malicious ACPI table, Linux kernel
terminates ACPI function and continues to boot process. While kernel terminates
ACPI function, kmem_cache_destroy() reports Acpi-Operand cache leak.

Boot log of ACPI operand cache leak is as follows:
>[    0.464168] ACPI: Added _OSI(Module Device)
>[    0.467022] ACPI: Added _OSI(Processor Device)
>[    0.469376] ACPI: Added _OSI(3.0 _SCP Extensions)
>[    0.471647] ACPI: Added _OSI(Processor Aggregator Device)
>[    0.477997] ACPI Error: Null stack entry at ffff880215c0aad8 (20170303/exresop-174)
>[    0.482706] ACPI Exception: AE_AML_INTERNAL, While resolving operands for [OpcodeName unavailable] (20170303/dswexec-461)
>[    0.487503] ACPI Error: Method parse/execution failed [\DBG] (Node ffff88021710ab40), AE_AML_INTERNAL (20170303/psparse-543)
>[    0.492136] ACPI Error: Method parse/execution failed [\_SB._INI] (Node ffff88021710a618), AE_AML_INTERNAL (20170303/psparse-543)
>[    0.497683] ACPI: Interpreter enabled
>[    0.499385] ACPI: (supports S0)
>[    0.501151] ACPI: Using IOAPIC for interrupt routing
>[    0.503342] ACPI Error: Null stack entry at ffff880215c0aad8 (20170303/exresop-174)
>[    0.506522] ACPI Exception: AE_AML_INTERNAL, While resolving operands for [OpcodeName unavailable] (20170303/dswexec-461)
>[    0.510463] ACPI Error: Method parse/execution failed [\DBG] (Node ffff88021710ab40), AE_AML_INTERNAL (20170303/psparse-543)
>[    0.514477] ACPI Error: Method parse/execution failed [\_PIC] (Node ffff88021710ab18), AE_AML_INTERNAL (20170303/psparse-543)
>[    0.518867] ACPI Exception: AE_AML_INTERNAL, Evaluating _PIC (20170303/bus-991)
>[    0.522384] kmem_cache_destroy Acpi-Operand: Slab cache still has objects
>[    0.524597] CPU: 1 PID: 1 Comm: swapper/0 Not tainted 4.12.0-rc5 #26
>[    0.526795] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
>[    0.529668] Call Trace:
>[    0.530811]  ? dump_stack+0x5c/0x81
>[    0.532240]  ? kmem_cache_destroy+0x1aa/0x1c0
>[    0.533905]  ? acpi_os_delete_cache+0xa/0x10
>[    0.535497]  ? acpi_ut_delete_caches+0x3f/0x7b
>[    0.537237]  ? acpi_terminate+0xa/0x14
>[    0.538701]  ? acpi_init+0x2af/0x34f
>[    0.540008]  ? acpi_sleep_proc_init+0x27/0x27
>[    0.541593]  ? do_one_initcall+0x4e/0x1a0
>[    0.543008]  ? kernel_init_freeable+0x19e/0x21f
>[    0.546202]  ? rest_init+0x80/0x80
>[    0.547513]  ? kernel_init+0xa/0x100
>[    0.548817]  ? ret_from_fork+0x25/0x30
>[    0.550587] vgaarb: loaded
>[    0.551716] EDAC MC: Ver: 3.0.0
>[    0.553744] PCI: Probing PCI hardware
>[    0.555038] PCI host bridge to bus 0000:00
> ... Continue to boot and log is omitted ...

I analyzed this memory leak in detail and found AcpiNsEvaluate() function
only removes Info->ReturnObject in AE_CTRL_RETURN_VALUE case. But, when errors
occur, the status value is not AE_CTRL_RETURN_VALUE, and Info->ReturnObject is
also not null. Therefore, this causes acpi operand memory leak.

This cache leak causes a security threat because an old kernel (<= 4.9) shows
memory locations of kernel functions in stack dump. Some malicious users
could use this information to neutralize kernel ASLR.

I made a patch to fix ACPI operand cache leak.

Signed-off-by: Seunghun Han <kkamagui@gmail.com>

Github-Location: https://github.com/acpica/acpica/pull/296/commits/37f2c716f2c6ab14c3ba557a539c3ee3224931b5

---
 source/components/namespace/nseval.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

Index: acpica-unix-20191213/source/components/namespace/nseval.c
===================================================================
--- acpica-unix-20191213.orig/source/components/namespace/nseval.c
+++ acpica-unix-20191213/source/components/namespace/nseval.c
@@ -329,6 +329,16 @@ AcpiNsEvaluate (
             Info->ReturnObject = NULL;
         }
     }
+    else if (ACPI_FAILURE(Status)) 
+    {
+        /* If ReturnObject exists, delete it */
+
+        if (Info->ReturnObject) 
+        {
+            AcpiUtRemoveReference (Info->ReturnObject);
+            Info->ReturnObject = NULL;
+        }
+    }
 
     ACPI_DEBUG_PRINT ((ACPI_DB_NAMES,
         "*** Completed evaluation of object %s ***\n",
Commit	Line	Data
25d7dd99 JB	1	From 37f2c716f2c6ab14c3ba557a539c3ee3224931b5 Mon Sep 17 00:00:00 2001
	2	From: Seunghun Han <kkamagui@gmail.com>
	3	Date: Wed, 19 Jul 2017 17:04:44 +0900
	4	Subject: [PATCH] acpi: acpica: fix acpi operand cache leak in nseval.c
	5
	6	I found an ACPI cache leak in ACPI early termination and boot continuing case.
	7
	8	When early termination occurs due to malicious ACPI table, Linux kernel
	9	terminates ACPI function and continues to boot process. While kernel terminates
	10	ACPI function, kmem_cache_destroy() reports Acpi-Operand cache leak.
	11
	12	Boot log of ACPI operand cache leak is as follows:
	13	>[ 0.464168] ACPI: Added _OSI(Module Device)
	14	>[ 0.467022] ACPI: Added _OSI(Processor Device)
	15	>[ 0.469376] ACPI: Added _OSI(3.0 _SCP Extensions)
	16	>[ 0.471647] ACPI: Added _OSI(Processor Aggregator Device)
	17	>[ 0.477997] ACPI Error: Null stack entry at ffff880215c0aad8 (20170303/exresop-174)
	18	>[ 0.482706] ACPI Exception: AE_AML_INTERNAL, While resolving operands for [OpcodeName unavailable] (20170303/dswexec-461)
	19	>[ 0.487503] ACPI Error: Method parse/execution failed [\DBG] (Node ffff88021710ab40), AE_AML_INTERNAL (20170303/psparse-543)
	20	>[ 0.492136] ACPI Error: Method parse/execution failed [\_SB._INI] (Node ffff88021710a618), AE_AML_INTERNAL (20170303/psparse-543)
	21	>[ 0.497683] ACPI: Interpreter enabled
	22	>[ 0.499385] ACPI: (supports S0)
	23	>[ 0.501151] ACPI: Using IOAPIC for interrupt routing
	24	>[ 0.503342] ACPI Error: Null stack entry at ffff880215c0aad8 (20170303/exresop-174)
	25	>[ 0.506522] ACPI Exception: AE_AML_INTERNAL, While resolving operands for [OpcodeName unavailable] (20170303/dswexec-461)
	26	>[ 0.510463] ACPI Error: Method parse/execution failed [\DBG] (Node ffff88021710ab40), AE_AML_INTERNAL (20170303/psparse-543)
	27	>[ 0.514477] ACPI Error: Method parse/execution failed [\_PIC] (Node ffff88021710ab18), AE_AML_INTERNAL (20170303/psparse-543)
	28	>[ 0.518867] ACPI Exception: AE_AML_INTERNAL, Evaluating _PIC (20170303/bus-991)
	29	>[ 0.522384] kmem_cache_destroy Acpi-Operand: Slab cache still has objects
	30	>[ 0.524597] CPU: 1 PID: 1 Comm: swapper/0 Not tainted 4.12.0-rc5 #26
	31	>[ 0.526795] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
	32	>[ 0.529668] Call Trace:
	33	>[ 0.530811] ? dump_stack+0x5c/0x81
	34	>[ 0.532240] ? kmem_cache_destroy+0x1aa/0x1c0
	35	>[ 0.533905] ? acpi_os_delete_cache+0xa/0x10
	36	>[ 0.535497] ? acpi_ut_delete_caches+0x3f/0x7b
	37	>[ 0.537237] ? acpi_terminate+0xa/0x14
	38	>[ 0.538701] ? acpi_init+0x2af/0x34f
	39	>[ 0.540008] ? acpi_sleep_proc_init+0x27/0x27
	40	>[ 0.541593] ? do_one_initcall+0x4e/0x1a0
	41	>[ 0.543008] ? kernel_init_freeable+0x19e/0x21f
	42	>[ 0.546202] ? rest_init+0x80/0x80
	43	>[ 0.547513] ? kernel_init+0xa/0x100
	44	>[ 0.548817] ? ret_from_fork+0x25/0x30
	45	>[ 0.550587] vgaarb: loaded
	46	>[ 0.551716] EDAC MC: Ver: 3.0.0
	47	>[ 0.553744] PCI: Probing PCI hardware
	48	>[ 0.555038] PCI host bridge to bus 0000:00
	49	> ... Continue to boot and log is omitted ...
	50
	51	I analyzed this memory leak in detail and found AcpiNsEvaluate() function
	52	only removes Info->ReturnObject in AE_CTRL_RETURN_VALUE case. But, when errors
	53	occur, the status value is not AE_CTRL_RETURN_VALUE, and Info->ReturnObject is
	54	also not null. Therefore, this causes acpi operand memory leak.
	55
	56	This cache leak causes a security threat because an old kernel (<= 4.9) shows
	57	memory locations of kernel functions in stack dump. Some malicious users
	58	could use this information to neutralize kernel ASLR.
	59
	60	I made a patch to fix ACPI operand cache leak.
	61
	62	Signed-off-by: Seunghun Han <kkamagui@gmail.com>
	63
	64	Github-Location: https://github.com/acpica/acpica/pull/296/commits/37f2c716f2c6ab14c3ba557a539c3ee3224931b5
65
66	---
67	source/components/namespace/nseval.c \| 10 ++++++++++
68	1 file changed, 10 insertions(+)
69
70586bb3	70	Index: acpica-unix-20191213/source/components/namespace/nseval.c
25d7dd99	71	===================================================================
70586bb3 JB	72	--- acpica-unix-20191213.orig/source/components/namespace/nseval.c
	73	+++ acpica-unix-20191213/source/components/namespace/nseval.c
	74	@@ -329,6 +329,16 @@ AcpiNsEvaluate (
25d7dd99 JB	75	Info->ReturnObject = NULL;
	76	}
	77	}
	78	+ else if (ACPI_FAILURE(Status))
	79	+ {
	80	+ /* If ReturnObject exists, delete it */
	81	+
	82	+ if (Info->ReturnObject)
	83	+ {
	84	+ AcpiUtRemoveReference (Info->ReturnObject);
	85	+ Info->ReturnObject = NULL;
	86	+ }
	87	+ }
	88
	89	ACPI_DEBUG_PRINT ((ACPI_DB_NAMES,
	90	"* Completed evaluation of object %s *\n",