From patchwork Fri Feb 17 00:40:03 2017
X-Patchwork-Submitter: Seunghun Han
X-Patchwork-Id: 9578561
From: Seunghun Han
To: linux-acpi@vger.kernel.org
Cc: devel@acpica.org, Seunghun Han
Subject: [PATCH v2] acpi: acpica: fix acpi operand cache leak
Date: Fri, 17 Feb 2017 09:40:03 +0900
Message-Id: <1487292003-25769-1-git-send-email-kkamagui@gmail.com>
X-Mailer: git-send-email 2.1.4

I'm Seunghun Han, and I work for the National Security Research Institute of South Korea.

I have been doing research on ACPI and making handcrafted ACPI tables for my research. Errors in handcrafted ACPI tables are handled well by the Linux kernel during the boot process, and the Linux kernel keeps going without critical problems. But I found some ACPI operand cache leaks in ACPI early abort cases.

The boot log of the ACPI operand cache leak is as follows:

>[ 0.174332] ACPI: Added _OSI(Module Device)
>[ 0.175504] ACPI: Added _OSI(Processor Device)
>[ 0.176010] ACPI: Added _OSI(3.0 _SCP Extensions)
>[ 0.177032] ACPI: Added _OSI(Processor Aggregator Device)
>[ 0.178284] ACPI: SCI (IRQ16705) allocation failed
>[ 0.179352] ACPI Exception: AE_NOT_ACQUIRED, Unable to install System Control Interrupt handler (20160930/evevent-131)
>[ 0.180008] ACPI: Unable to start the ACPI Interpreter
>[ 0.181125] ACPI Error: Could not remove SCI handler (20160930/evmisc-281)
>[ 0.184068] kmem_cache_destroy Acpi-Operand: Slab cache still has objects
>[ 0.185358] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.10.0-rc3 #2
>[ 0.186820] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
>[ 0.188000] Call Trace:
>[ 0.188000] ? dump_stack+0x5c/0x7d
>[ 0.188000] ? kmem_cache_destroy+0x224/0x230
>[ 0.188000] ? acpi_sleep_proc_init+0x22/0x22
>[ 0.188000] ? acpi_os_delete_cache+0xa/0xd
>[ 0.188000] ? acpi_ut_delete_caches+0x3f/0x7b
>[ 0.188000] ? acpi_terminate+0x5/0xf
>[ 0.188000] ? acpi_init+0x288/0x32e
>[ 0.188000] ? __class_create+0x4c/0x80
>[ 0.188000] ? video_setup+0x7a/0x7a
>[ 0.188000] ? do_one_initcall+0x4e/0x1b0
>[ 0.188000] ? kernel_init_freeable+0x194/0x21a
>[ 0.188000] ? rest_init+0x80/0x80
>[ 0.188000] ? kernel_init+0xa/0x100
>[ 0.188000] ? ret_from_fork+0x25/0x30

When an early abort occurs due to invalid ACPI information, the Linux kernel terminates ACPI by calling the acpi_terminate() function. The function calls the acpi_ns_terminate() function to delete namespace data and the ACPI operand cache (acpi_gbl_module_code_list). But the deletion code in the acpi_ns_terminate() function is wrapped in the ACPI_EXEC_APP definition, therefore the code is only executed when the definition exists. If the define doesn't exist, the ACPI operand cache (acpi_gbl_module_code_list) is leaked, and a stack dump is shown in the kernel log.

This causes a security threat because old kernels (<= 4.9) show memory locations of kernel functions in the stack dump, therefore kernel ASLR can be neutralized.

To fix the ACPI operand leak and enhance security, I made a patch which removes the ACPI_EXEC_APP define in the acpi_ns_terminate() function so that the deletion code is executed unconditionally.

I hope that this patch improves the security of the Linux kernel.

Thank you.

Signed-off-by: Seunghun Han
---
Changes since v1: move position of variables to remove compile warning.

 drivers/acpi/acpica/nsutils.c | 23 +++++++++--------------
 1 file changed, 9 insertions(+), 14 deletions(-)

diff --git a/drivers/acpi/acpica/nsutils.c b/drivers/acpi/acpica/nsutils.c
index 691814d..943702d 100644
--- a/drivers/acpi/acpica/nsutils.c
+++ b/drivers/acpi/acpica/nsutils.c
@@ -594,25 +594,20 @@ struct acpi_namespace_node *acpi_ns_validate_handle(acpi_handle handle) void acpi_ns_terminate(void) { acpi_status status; + union acpi_operand_object *prev; + union acpi_operand_object *next; ACPI_FUNCTION_TRACE(ns_terminate); -#ifdef ACPI_EXEC_APP - { - union acpi_operand_object *prev; - union acpi_operand_object *next; + /* Delete any module-level code blocks */ - /* Delete any module-level code blocks */ - - next = acpi_gbl_module_code_list; - while (next) { - prev = next; - next = next->method.mutex; - prev->method.mutex = NULL; /* Clear the Mutex (cheated) field */ - acpi_ut_remove_reference(prev); - } + next = acpi_gbl_module_code_list; + while (next) { + prev = next; + next = next->method.mutex; + prev->method.mutex = NULL; /* Clear the Mutex (cheated) field */ + acpi_ut_remove_reference(prev); } -#endif /* * Free the entire namespace -- all nodes and all objects
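Review bot: the cleanup loop walks acpi_gbl_module_code_list and drops a reference on every block, but it never resets the list head, so once the last `acpi_ut_remove_reference(prev)` has run the global still points at freed memory. While the loop was confined to ACPI_EXEC_APP that was a one-shot exit path; now that it runs in every build, please add `acpi_gbl_module_code_list = NULL;` after the `while` loop so any later walk of the list (or a repeated acpi_ns_terminate() call) cannot touch freed objects. The move of `prev`/`next` to the top of the function is fine and resolves the v1 warning.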
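The failure the commit message describes, as an added, constructed example in C (it is not ACPICA or kernel code, and every name in it, such as operand_cache, module_code_list, delete_module_code_list and simulate_early_abort, is this example's own): a toy operand cache that counts live objects, a module-level code list chained through a reused field the way ACPICA chains acpi_gbl_module_code_list through method.mutex, and a shutdown path that either skips or runs the cleanup loop. cache_destroy() reports the same condition that kmem_cache_destroy() logs as "Slab cache still has objects". Unlike the patch's loop, the example also clears the list head after freeing, which is what makes a second cleanup call safe.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for the ACPICA operand cache: counts live objects so
 * that "destroy" can detect a leak the way kmem_cache_destroy() does. */
struct operand_cache {
    int live_objects;
};

/* Constructed stand-in for union acpi_operand_object. ACPICA reuses the
 * method.mutex field as the "next" link of the module-level code list; the
 * example mirrors that with an explicit next pointer plus a reference count. */
struct operand_object {
    int reference_count;
    struct operand_object *next;   /* plays the role of method.mutex */
};

static struct operand_cache operand_cache;
static struct operand_object *module_code_list;   /* plays acpi_gbl_module_code_list */

static struct operand_object *operand_alloc(void)
{
    struct operand_object *obj = calloc(1, sizeof(*obj));
    if (!obj)
        return NULL;
    obj->reference_count = 1;
    operand_cache.live_objects++;
    return obj;
}

/* Mirrors acpi_ut_remove_reference(): free when the count drops to zero. */
static void operand_remove_reference(struct operand_object *obj)
{
    if (--obj->reference_count == 0) {
        operand_cache.live_objects--;
        free(obj);
    }
}

/* Build a list of n module-level code blocks, newest at the head. */
static void build_module_code_list(int n)
{
    for (int i = 0; i < n; i++) {
        struct operand_object *obj = operand_alloc();
        if (!obj)
            return;
        obj->next = module_code_list;
        module_code_list = obj;
    }
}

/* The cleanup loop from the patch, followed by clearing the list head so a
 * second call finds an empty list instead of walking freed memory. */
static void delete_module_code_list(void)
{
    struct operand_object *next = module_code_list;
    while (next) {
        struct operand_object *prev = next;
        next = next->next;
        prev->next = NULL;              /* clear the reused link field */
        operand_remove_reference(prev);
    }
    module_code_list = NULL;
}

/* Returns 0 on a clean shutdown, -1 if objects are still live: the condition
 * kmem_cache_destroy() reports as "Slab cache still has objects". */
static int cache_destroy(void)
{
    if (operand_cache.live_objects != 0) {
        fprintf(stderr, "operand cache: %d object(s) still live\n",
                operand_cache.live_objects);
        return -1;
    }
    return 0;
}

/* Simulate an early ACPI abort: build the list, terminate, destroy the cache.
 * delete_list selects the pre-patch (skipped) or patched (run) cleanup.
 * Returns the result of cache_destroy(); whatever the skipped cleanup left
 * behind is released afterwards so the demo itself does not leak. */
static int simulate_early_abort(int blocks, int delete_list)
{
    operand_cache.live_objects = 0;
    module_code_list = NULL;
    build_module_code_list(blocks);
    if (delete_list)
        delete_module_code_list();
    int rc = cache_destroy();
    delete_module_code_list();          /* no-op when the head is already NULL */
    return rc;
}

int main(void)
{
    printf("cleanup skipped (pre-patch): %d\n", simulate_early_abort(3, 0));
    printf("cleanup run (patched):       %d\n", simulate_early_abort(3, 1));
    return 0;
}
```

The first run leaves three objects in the cache and cache_destroy() fails, which is the state the boot log above shows; the second run frees them first and the destroy succeeds. The trailing delete_module_code_list() call in simulate_early_abort() only works because the head pointer is reset after the loop.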