[packages/acpica.git] / cve-2017-13694.patch

From 4a0243ecb4c94e2d73510d096c5ea4d0711fc6c0 Mon Sep 17 00:00:00 2001
From: Seunghun Han <kkamagui@gmail.com>
Date: Fri, 23 Jun 2017 14:19:48 +0900
Subject: [PATCH] acpi: acpica: fix acpi parse and parseext cache leaks
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

I'm Seunghun Han, and I work for National Security Research Institute of
South Korea.

I have been doing a research on ACPI and found an ACPI cache leak in ACPI
early abort cases.

Boot log of ACPI cache leak is as follows:
[    0.352414] ACPI: Added _OSI(Module Device)
[    0.353182] ACPI: Added _OSI(Processor Device)
[    0.353182] ACPI: Added _OSI(3.0 _SCP Extensions)
[    0.353182] ACPI: Added _OSI(Processor Aggregator Device)
[    0.356028] ACPI: Unable to start the ACPI Interpreter
[    0.356799] ACPI Error: Could not remove SCI handler (20170303/evmisc-281)
[    0.360215] kmem_cache_destroy Acpi-State: Slab cache still has objects
[    0.360648] CPU: 0 PID: 1 Comm: swapper/0 Tainted: G        W
4.12.0-rc4-next-20170608+ #10
[    0.361273] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS
VirtualBox 12/01/2006
[    0.361873] Call Trace:
[    0.362243]  ? dump_stack+0x5c/0x81
[    0.362591]  ? kmem_cache_destroy+0x1aa/0x1c0
[    0.362944]  ? acpi_sleep_proc_init+0x27/0x27
[    0.363296]  ? acpi_os_delete_cache+0xa/0x10
[    0.363646]  ? acpi_ut_delete_caches+0x6d/0x7b
[    0.364000]  ? acpi_terminate+0xa/0x14
[    0.364000]  ? acpi_init+0x2af/0x34f
[    0.364000]  ? __class_create+0x4c/0x80
[    0.364000]  ? video_setup+0x7f/0x7f
[    0.364000]  ? acpi_sleep_proc_init+0x27/0x27
[    0.364000]  ? do_one_initcall+0x4e/0x1a0
[    0.364000]  ? kernel_init_freeable+0x189/0x20a
[    0.364000]  ? rest_init+0xc0/0xc0
[    0.364000]  ? kernel_init+0xa/0x100
[    0.364000]  ? ret_from_fork+0x25/0x30

I analyzed this memory leak in detail. I found that “Acpi-State” cache and
“Acpi-Parse” cache were merged because the size of cache objects was same
slab cache size.

I finally found “Acpi-Parse” cache and “Acpi-ParseExt” cache were leaked
using SLAB_NEVER_MERGE flag in kmem_cache_create() function.

Real ACPI cache leak point is as follows:
[    0.360101] ACPI: Added _OSI(Module Device)
[    0.360101] ACPI: Added _OSI(Processor Device)
[    0.360101] ACPI: Added _OSI(3.0 _SCP Extensions)
[    0.361043] ACPI: Added _OSI(Processor Aggregator Device)
[    0.364016] ACPI: Unable to start the ACPI Interpreter
[    0.365061] ACPI Error: Could not remove SCI handler (20170303/evmisc-281)
[    0.368174] kmem_cache_destroy Acpi-Parse: Slab cache still has objects
[    0.369332] CPU: 1 PID: 1 Comm: swapper/0 Tainted: G        W
4.12.0-rc4-next-20170608+ #8
[    0.371256] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS
VirtualBox 12/01/2006
[    0.372000] Call Trace:
[    0.372000]  ? dump_stack+0x5c/0x81
[    0.372000]  ? kmem_cache_destroy+0x1aa/0x1c0
[    0.372000]  ? acpi_sleep_proc_init+0x27/0x27
[    0.372000]  ? acpi_os_delete_cache+0xa/0x10
[    0.372000]  ? acpi_ut_delete_caches+0x56/0x7b
[    0.372000]  ? acpi_terminate+0xa/0x14
[    0.372000]  ? acpi_init+0x2af/0x34f
[    0.372000]  ? __class_create+0x4c/0x80
[    0.372000]  ? video_setup+0x7f/0x7f
[    0.372000]  ? acpi_sleep_proc_init+0x27/0x27
[    0.372000]  ? do_one_initcall+0x4e/0x1a0
[    0.372000]  ? kernel_init_freeable+0x189/0x20a
[    0.372000]  ? rest_init+0xc0/0xc0
[    0.372000]  ? kernel_init+0xa/0x100
[    0.372000]  ? ret_from_fork+0x25/0x30
[    0.388039] kmem_cache_destroy Acpi-ParseExt: Slab cache still has objects
[    0.389063] CPU: 1 PID: 1 Comm: swapper/0 Tainted: G        W
4.12.0-rc4-next-20170608+ #8
[    0.390557] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS
VirtualBox 12/01/2006
[    0.392000] Call Trace:
[    0.392000]  ? dump_stack+0x5c/0x81
[    0.392000]  ? kmem_cache_destroy+0x1aa/0x1c0
[    0.392000]  ? acpi_sleep_proc_init+0x27/0x27
[    0.392000]  ? acpi_os_delete_cache+0xa/0x10
[    0.392000]  ? acpi_ut_delete_caches+0x6d/0x7b
[    0.392000]  ? acpi_terminate+0xa/0x14
[    0.392000]  ? acpi_init+0x2af/0x34f
[    0.392000]  ? __class_create+0x4c/0x80
[    0.392000]  ? video_setup+0x7f/0x7f
[    0.392000]  ? acpi_sleep_proc_init+0x27/0x27
[    0.392000]  ? do_one_initcall+0x4e/0x1a0
[    0.392000]  ? kernel_init_freeable+0x189/0x20a
[    0.392000]  ? rest_init+0xc0/0xc0
[    0.392000]  ? kernel_init+0xa/0x100
[    0.392000]  ? ret_from_fork+0x25/0x30

When early abort is occurred due to invalid ACPI information, Linux kernel
terminates ACPI by calling acpi_terminate() function. The function calls
acpi_ut_delete_caches() function to delete local caches (acpi_gbl_namespace_
cache, state_cache, operand_cache, ps_node_cache, ps_node_ext_cache).

But the deletion codes in acpi_ut_delete_caches() function only delete
slab caches using kmem_cache_destroy() function, therefore the cache
objects should be flushed before acpi_ut_delete_caches() function.

“Acpi-Parse” cache and “Acpi-ParseExt” cache are used in an AML parse
function, acpi_ps_parse_loop(). The function should have flush codes to
handle an error state due to invalid AML codes.

This cache leak has a security threat because an old kernel (<= 4.9) shows
memory locations of kernel functions in stack dump. Some malicious users
could use this information to neutralize kernel ASLR.

To fix ACPI cache leak for enhancing security, I made a patch which has
flush codes in acpi_ps_parse_loop() function.

I hope that this patch improves the security of Linux kernel.

Thank you.

Signed-off-by: Seunghun Han <kkamagui@gmail.com>

Github-Location: https://github.com/acpica/acpica/pull/278/commits/4a0243ecb4c94e2d73510d096c5ea4d0711fc6c0

---
 source/components/parser/psobject.c | 44 ++++++++++++++-----------------------
 1 file changed, 16 insertions(+), 28 deletions(-)

Index: acpica-unix-20191213/source/components/parser/psobject.c
===================================================================
--- acpica-unix-20191213.orig/source/components/parser/psobject.c
+++ acpica-unix-20191213/source/components/parser/psobject.c
@@ -707,7 +707,8 @@ AcpiPsCompleteFinalOp (
     ACPI_PARSE_OBJECT       *Op,
     ACPI_STATUS             Status)
 {
-    ACPI_STATUS             Status2;
+    ACPI_STATUS             ReturnStatus = AE_OK;
+    BOOLEAN                 Ascending = TRUE;
 
 
     ACPI_FUNCTION_TRACE_PTR (PsCompleteFinalOp, WalkState);
@@ -724,7 +725,7 @@ AcpiPsCompleteFinalOp (
     {
         if (Op)
         {
-            if (WalkState->AscendingCallback != NULL)
+            if (Ascending && WalkState->AscendingCallback != NULL)
             {
                 WalkState->Op = Op;
                 WalkState->OpInfo = AcpiPsGetOpcodeInfo (Op->Common.AmlOpcode);
@@ -743,41 +744,28 @@ AcpiPsCompleteFinalOp (
 
                 if (Status == AE_CTRL_TERMINATE)
                 {
-                    Status = AE_OK;
-
-                    /* Clean up */
-                    do
-                    {
-                        if (Op)
-                        {
-                            Status2 = AcpiPsCompleteThisOp (WalkState, Op);
-                            if (ACPI_FAILURE (Status2))
-                            {
-                                return_ACPI_STATUS (Status2);
-                            }
-                        }
-
-                        AcpiPsPopScope (&(WalkState->ParserState), &Op,
-                            &WalkState->ArgTypes, &WalkState->ArgCount);
-
-                    } while (Op);
-
-                    return_ACPI_STATUS (Status);
+                    Ascending = FALSE;
+                    ReturnStatus = AE_CTRL_TERMINATE;
                 }
 
                 else if (ACPI_FAILURE (Status))
                 {
                     /* First error is most important */
 
-                    (void) AcpiPsCompleteThisOp (WalkState, Op);
-                    return_ACPI_STATUS (Status);
+                    Ascending = FALSE;
+                    ReturnStatus = Status;
                 }
             }
 
-            Status2 = AcpiPsCompleteThisOp (WalkState, Op);
-            if (ACPI_FAILURE (Status2))
+            Status = AcpiPsCompleteThisOp (WalkState, Op);
+            if (ACPI_FAILURE (Status))
             {
-                return_ACPI_STATUS (Status2);
+                Ascending = FALSE;
+                if (ACPI_SUCCESS (ReturnStatus) ||
+                    ReturnStatus == AE_CTRL_TERMINATE)
+                {
+                    ReturnStatus = Status;
+                }
             }
         }
 
@@ -786,5 +774,5 @@ AcpiPsCompleteFinalOp (
 
     } while (Op);
 
-    return_ACPI_STATUS (Status);
+    return_ACPI_STATUS (ReturnStatus);
 }
Commit	Line	Data
25d7dd99 JB	1	From 4a0243ecb4c94e2d73510d096c5ea4d0711fc6c0 Mon Sep 17 00:00:00 2001
	2	From: Seunghun Han <kkamagui@gmail.com>
	3	Date: Fri, 23 Jun 2017 14:19:48 +0900
	4	Subject: [PATCH] acpi: acpica: fix acpi parse and parseext cache leaks
	5	MIME-Version: 1.0
	6	Content-Type: text/plain; charset=UTF-8
	7	Content-Transfer-Encoding: 8bit
	8
	9	I'm Seunghun Han, and I work for National Security Research Institute of
	10	South Korea.
	11
	12	I have been doing a research on ACPI and found an ACPI cache leak in ACPI
	13	early abort cases.
	14
	15	Boot log of ACPI cache leak is as follows:
	16	[ 0.352414] ACPI: Added _OSI(Module Device)
	17	[ 0.353182] ACPI: Added _OSI(Processor Device)
	18	[ 0.353182] ACPI: Added _OSI(3.0 _SCP Extensions)
	19	[ 0.353182] ACPI: Added _OSI(Processor Aggregator Device)
	20	[ 0.356028] ACPI: Unable to start the ACPI Interpreter
	21	[ 0.356799] ACPI Error: Could not remove SCI handler (20170303/evmisc-281)
	22	[ 0.360215] kmem_cache_destroy Acpi-State: Slab cache still has objects
	23	[ 0.360648] CPU: 0 PID: 1 Comm: swapper/0 Tainted: G W
	24	4.12.0-rc4-next-20170608+ #10
	25	[ 0.361273] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS
	26	VirtualBox 12/01/2006
	27	[ 0.361873] Call Trace:
	28	[ 0.362243] ? dump_stack+0x5c/0x81
	29	[ 0.362591] ? kmem_cache_destroy+0x1aa/0x1c0
	30	[ 0.362944] ? acpi_sleep_proc_init+0x27/0x27
	31	[ 0.363296] ? acpi_os_delete_cache+0xa/0x10
	32	[ 0.363646] ? acpi_ut_delete_caches+0x6d/0x7b
	33	[ 0.364000] ? acpi_terminate+0xa/0x14
	34	[ 0.364000] ? acpi_init+0x2af/0x34f
	35	[ 0.364000] ? __class_create+0x4c/0x80
	36	[ 0.364000] ? video_setup+0x7f/0x7f
	37	[ 0.364000] ? acpi_sleep_proc_init+0x27/0x27
	38	[ 0.364000] ? do_one_initcall+0x4e/0x1a0
	39	[ 0.364000] ? kernel_init_freeable+0x189/0x20a
	40	[ 0.364000] ? rest_init+0xc0/0xc0
	41	[ 0.364000] ? kernel_init+0xa/0x100
	42	[ 0.364000] ? ret_from_fork+0x25/0x30
	43
	44	I analyzed this memory leak in detail. I found that “Acpi-State” cache and
	45	“Acpi-Parse” cache were merged because the size of cache objects was same
	46	slab cache size.
	47
	48	I finally found “Acpi-Parse” cache and “Acpi-ParseExt” cache were leaked
	49	using SLAB_NEVER_MERGE flag in kmem_cache_create() function.
	50
	51	Real ACPI cache leak point is as follows:
	52	[ 0.360101] ACPI: Added _OSI(Module Device)
	53	[ 0.360101] ACPI: Added _OSI(Processor Device)
	54	[ 0.360101] ACPI: Added _OSI(3.0 _SCP Extensions)
	55	[ 0.361043] ACPI: Added _OSI(Processor Aggregator Device)
	56	[ 0.364016] ACPI: Unable to start the ACPI Interpreter
	57	[ 0.365061] ACPI Error: Could not remove SCI handler (20170303/evmisc-281)
	58	[ 0.368174] kmem_cache_destroy Acpi-Parse: Slab cache still has objects
	59	[ 0.369332] CPU: 1 PID: 1 Comm: swapper/0 Tainted: G W
	60	4.12.0-rc4-next-20170608+ #8
	61	[ 0.371256] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS
	62	VirtualBox 12/01/2006
	63	[ 0.372000] Call Trace:
	64	[ 0.372000] ? dump_stack+0x5c/0x81
65	[ 0.372000] ? kmem_cache_destroy+0x1aa/0x1c0
66	[ 0.372000] ? acpi_sleep_proc_init+0x27/0x27
67	[ 0.372000] ? acpi_os_delete_cache+0xa/0x10
68	[ 0.372000] ? acpi_ut_delete_caches+0x56/0x7b
69	[ 0.372000] ? acpi_terminate+0xa/0x14
70	[ 0.372000] ? acpi_init+0x2af/0x34f
71	[ 0.372000] ? __class_create+0x4c/0x80
72	[ 0.372000] ? video_setup+0x7f/0x7f
73	[ 0.372000] ? acpi_sleep_proc_init+0x27/0x27
74	[ 0.372000] ? do_one_initcall+0x4e/0x1a0
75	[ 0.372000] ? kernel_init_freeable+0x189/0x20a
76	[ 0.372000] ? rest_init+0xc0/0xc0
77	[ 0.372000] ? kernel_init+0xa/0x100
78	[ 0.372000] ? ret_from_fork+0x25/0x30
79	[ 0.388039] kmem_cache_destroy Acpi-ParseExt: Slab cache still has objects
80	[ 0.389063] CPU: 1 PID: 1 Comm: swapper/0 Tainted: G W
81	4.12.0-rc4-next-20170608+ #8
82	[ 0.390557] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS
83	VirtualBox 12/01/2006
84	[ 0.392000] Call Trace:
85	[ 0.392000] ? dump_stack+0x5c/0x81
86	[ 0.392000] ? kmem_cache_destroy+0x1aa/0x1c0
87	[ 0.392000] ? acpi_sleep_proc_init+0x27/0x27
88	[ 0.392000] ? acpi_os_delete_cache+0xa/0x10
89	[ 0.392000] ? acpi_ut_delete_caches+0x6d/0x7b
90	[ 0.392000] ? acpi_terminate+0xa/0x14
91	[ 0.392000] ? acpi_init+0x2af/0x34f
92	[ 0.392000] ? __class_create+0x4c/0x80
93	[ 0.392000] ? video_setup+0x7f/0x7f
94	[ 0.392000] ? acpi_sleep_proc_init+0x27/0x27
95	[ 0.392000] ? do_one_initcall+0x4e/0x1a0
96	[ 0.392000] ? kernel_init_freeable+0x189/0x20a
97	[ 0.392000] ? rest_init+0xc0/0xc0
98	[ 0.392000] ? kernel_init+0xa/0x100
99	[ 0.392000] ? ret_from_fork+0x25/0x30
100
101	When early abort is occurred due to invalid ACPI information, Linux kernel
102	terminates ACPI by calling acpi_terminate() function. The function calls
103	acpi_ut_delete_caches() function to delete local caches (acpi_gbl_namespace_
104	cache, state_cache, operand_cache, ps_node_cache, ps_node_ext_cache).
105
106	But the deletion codes in acpi_ut_delete_caches() function only delete
107	slab caches using kmem_cache_destroy() function, therefore the cache
108	objects should be flushed before acpi_ut_delete_caches() function.
109
110	“Acpi-Parse” cache and “Acpi-ParseExt” cache are used in an AML parse
111	function, acpi_ps_parse_loop(). The function should have flush codes to
112	handle an error state due to invalid AML codes.
113
114	This cache leak has a security threat because an old kernel (<= 4.9) shows
115	memory locations of kernel functions in stack dump. Some malicious users
116	could use this information to neutralize kernel ASLR.
117
118	To fix ACPI cache leak for enhancing security, I made a patch which has
119	flush codes in acpi_ps_parse_loop() function.
120
121	I hope that this patch improves the security of Linux kernel.
122
123	Thank you.
124
125	Signed-off-by: Seunghun Han <kkamagui@gmail.com>
126
127	Github-Location: https://github.com/acpica/acpica/pull/278/commits/4a0243ecb4c94e2d73510d096c5ea4d0711fc6c0
128
129	---
130	source/components/parser/psobject.c \| 44 ++++++++++++++-----------------------
131	1 file changed, 16 insertions(+), 28 deletions(-)
132
70586bb3	133	Index: acpica-unix-20191213/source/components/parser/psobject.c
25d7dd99	134	===================================================================
70586bb3 JB	135	--- acpica-unix-20191213.orig/source/components/parser/psobject.c
	136	+++ acpica-unix-20191213/source/components/parser/psobject.c
	137	@@ -707,7 +707,8 @@ AcpiPsCompleteFinalOp (
25d7dd99 JB	138	ACPI_PARSE_OBJECT *Op,
	139	ACPI_STATUS Status)
	140	{
	141	- ACPI_STATUS Status2;
	142	+ ACPI_STATUS ReturnStatus = AE_OK;
	143	+ BOOLEAN Ascending = TRUE;
	144
	145
	146	ACPI_FUNCTION_TRACE_PTR (PsCompleteFinalOp, WalkState);
70586bb3	147	@@ -724,7 +725,7 @@ AcpiPsCompleteFinalOp (
25d7dd99 JB	148	{
	149	if (Op)
	150	{
	151	- if (WalkState->AscendingCallback != NULL)
	152	+ if (Ascending && WalkState->AscendingCallback != NULL)
	153	{
	154	WalkState->Op = Op;
	155	WalkState->OpInfo = AcpiPsGetOpcodeInfo (Op->Common.AmlOpcode);
70586bb3	156	@@ -743,41 +744,28 @@ AcpiPsCompleteFinalOp (
25d7dd99 JB	157
	158	if (Status == AE_CTRL_TERMINATE)
	159	{
	160	- Status = AE_OK;
	161	-
	162	- /* Clean up */
	163	- do
	164	- {
	165	- if (Op)
	166	- {
	167	- Status2 = AcpiPsCompleteThisOp (WalkState, Op);
	168	- if (ACPI_FAILURE (Status2))
	169	- {
	170	- return_ACPI_STATUS (Status2);
	171	- }
	172	- }
	173	-
	174	- AcpiPsPopScope (&(WalkState->ParserState), &Op,
	175	- &WalkState->ArgTypes, &WalkState->ArgCount);
	176	-
	177	- } while (Op);
	178	-
	179	- return_ACPI_STATUS (Status);
	180	+ Ascending = FALSE;
	181	+ ReturnStatus = AE_CTRL_TERMINATE;
	182	}
	183
	184	else if (ACPI_FAILURE (Status))
	185	{
	186	/* First error is most important */
	187
	188	- (void) AcpiPsCompleteThisOp (WalkState, Op);
	189	- return_ACPI_STATUS (Status);
	190	+ Ascending = FALSE;
	191	+ ReturnStatus = Status;
	192	}
	193	}
	194
	195	- Status2 = AcpiPsCompleteThisOp (WalkState, Op);
	196	- if (ACPI_FAILURE (Status2))
	197	+ Status = AcpiPsCompleteThisOp (WalkState, Op);
	198	+ if (ACPI_FAILURE (Status))
	199	{
	200	- return_ACPI_STATUS (Status2);
	201	+ Ascending = FALSE;
	202	+ if (ACPI_SUCCESS (ReturnStatus) \|\|
	203	+ ReturnStatus == AE_CTRL_TERMINATE)
	204	+ {
	205	+ ReturnStatus = Status;
	206	+ }
	207	}
	208	}
	209
70586bb3	210	@@ -786,5 +774,5 @@ AcpiPsCompleteFinalOp (
25d7dd99 JB	211
	212	} while (Op);
	213
	214	- return_ACPI_STATUS (Status);
	215	+ return_ACPI_STATUS (ReturnStatus);
	216	}