From patchwork Wed Jun 14 11:08:10 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: Seunghun Han <kkamagui@gmail.com>
X-Patchwork-Id: 9786125
Return-Path: <linux-acpi-owner@kernel.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	2082A602C9 for <patchwork-linux-acpi@patchwork.kernel.org>;
	Wed, 14 Jun 2017 11:09:52 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 19CF3285DA
	for <patchwork-linux-acpi@patchwork.kernel.org>;
	Wed, 14 Jun 2017 11:09:52 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id 0E168285E7; Wed, 14 Jun 2017 11:09:52 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-6.8 required=2.0 tests=BAYES_00,
	DKIM_ADSP_CUSTOM_MED,
	DKIM_SIGNED, FREEMAIL_FROM, RCVD_IN_DNSWL_HI,
	T_DKIM_INVALID autolearn=ham version=3.3.1
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 71BF0285DA
	for <patchwork-linux-acpi@patchwork.kernel.org>;
	Wed, 14 Jun 2017 11:09:51 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1751771AbdFNLJu (ORCPT
	<rfc822;patchwork-linux-acpi@patchwork.kernel.org>);
	Wed, 14 Jun 2017 07:09:50 -0400
Received: from mail-pf0-f196.google.com ([209.85.192.196]:34786 "EHLO
	mail-pf0-f196.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1750756AbdFNLJs (ORCPT
	<rfc822; linux-acpi@vger.kernel.org>); Wed, 14 Jun 2017 07:09:48 -0400
Received: by mail-pf0-f196.google.com with SMTP id d5so14016015pfe.1;
	Wed, 14 Jun 2017 04:09:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=gmail.com; s=20161025;
	h=from:to:cc:subject:date:message-id:mime-version
	:content-transfer-encoding;
	bh=P5du9gUX0FGP8jIvGpQg09m+enAZ1+wRq3OkVtaGhSo=;
	b=PAL5fr5iWMR3rXQLXDUm6rOLLF+FHOZC4oCCTw2QahJYCoCHoLtwwcvx4yXPj2QMBr
	33bFyC/5VmLlZeIn93o26c9k8NYvdAaxOXmPMbwP1AEXP3NdJe1ssJh/O6sz/19OEzIO
	Sl09Q8MGzOhXRUHdRrPPPrKHWO/opM+C2BOHfmW1a0EC7Wsrv9wdpR494j6rhIB1fH0L
	+uhw2i+zipcg723Lj5mnJwVXG9W7TNHe3SeLQE/8HN63twikHdnCSEf3mi/5QNVKL+ev
	j9QDW3y/gfgLr+ubmpTYsGc1RV4/BmctXnC4D7bUvOLvI93TmN5WFoWEgy0FOQqaFczo
	cU+w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version
	:content-transfer-encoding;
	bh=P5du9gUX0FGP8jIvGpQg09m+enAZ1+wRq3OkVtaGhSo=;
	b=mgq9Q376BwpGsOFpyfkLqyzp09pLNYU5nLRksjG/lRvhgW/rcCp35flvYUax4ls9zU
	UbkMw501lZ+D+c/8RWu5dbSsRMgofwRzFZKr2Q9wgyM1RNDPuE6H7ANI3yllpVerSWZX
	9SGet7lVzsGdwIv03ZP4u/HnNJlRtJt1urRElYGv6veFLKMv6owEgnqfMYnmOVG8RmI7
	wr9giYGP+mF5V/hB7tLQWLe0CrJxRGr0edNC8GWMzkK/aUz4tTlDxc8v0BzJ71QmjovA
	MKB2ocGlt5uWJ9+PGi9IbQ2Za1pits+8j6egcRQpQXEy7RNoV1DudvQ1YdYh5kM+gunU
	vP+w==
X-Gm-Message-State: AKS2vOwFEdeEIQC30HhjVuEPFOvLlYB8m4xWd0LIMWlmDneIEkhvA+Xm
	qd1Pq+fdVFLvUw==
X-Received: by 10.98.142.17 with SMTP id k17mr38970pfe.139.1497438587956;
	Wed, 14 Jun 2017 04:09:47 -0700 (PDT)
Received: from localhost.localdomain ([175.203.71.232])
	by smtp.gmail.com with ESMTPSA id
	189sm1440128pgj.67.2017.06.14.04.09.44
	(version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128);
	Wed, 14 Jun 2017 04:09:46 -0700 (PDT)
From: Seunghun Han <kkamagui@gmail.com>
To: lv.zheng@intel.com, robert.moore@intel.com, rafael.j.wysocki@intel.com
Cc: linux-acpi@vger.kernel.org, devel@acpica.org,
	linux-kernel@vger.kernel.org, Seunghun Han <kkamagui@gmail.com>
Subject: [PATCH] acpi: acpica: fix acpi parse and parseext cache leaks
Date: Wed, 14 Jun 2017 20:08:10 +0900
Message-Id: <1497438490-22268-1-git-send-email-kkamagui@gmail.com>
X-Mailer: git-send-email 2.1.4
MIME-Version: 1.0
Sender: linux-acpi-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-acpi.vger.kernel.org>
X-Mailing-List: linux-acpi@vger.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

I'm Seunghun Han, and I work for National Security Research Institute of
South Korea.

I have been doing a research on ACPI and found an ACPI cache leak in ACPI
early abort cases.

Boot log of ACPI cache leak is as follows:
[    0.352414] ACPI: Added _OSI(Module Device)
[    0.353182] ACPI: Added _OSI(Processor Device)
[    0.353182] ACPI: Added _OSI(3.0 _SCP Extensions)
[    0.353182] ACPI: Added _OSI(Processor Aggregator Device)
[    0.356028] ACPI: Unable to start the ACPI Interpreter
[    0.356799] ACPI Error: Could not remove SCI handler (20170303/evmisc-281)
[    0.360215] kmem_cache_destroy Acpi-State: Slab cache still has objects
[    0.360648] CPU: 0 PID: 1 Comm: swapper/0 Tainted: G        W
4.12.0-rc4-next-20170608+ #10
[    0.361273] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS
VirtualBox 12/01/2006
[    0.361873] Call Trace:
[    0.362243]  ? dump_stack+0x5c/0x81
[    0.362591]  ? kmem_cache_destroy+0x1aa/0x1c0
[    0.362944]  ? acpi_sleep_proc_init+0x27/0x27
[    0.363296]  ? acpi_os_delete_cache+0xa/0x10
[    0.363646]  ? acpi_ut_delete_caches+0x6d/0x7b
[    0.364000]  ? acpi_terminate+0xa/0x14
[    0.364000]  ? acpi_init+0x2af/0x34f
[    0.364000]  ? __class_create+0x4c/0x80
[    0.364000]  ? video_setup+0x7f/0x7f
[    0.364000]  ? acpi_sleep_proc_init+0x27/0x27
[    0.364000]  ? do_one_initcall+0x4e/0x1a0
[    0.364000]  ? kernel_init_freeable+0x189/0x20a
[    0.364000]  ? rest_init+0xc0/0xc0
[    0.364000]  ? kernel_init+0xa/0x100
[    0.364000]  ? ret_from_fork+0x25/0x30

I analyzed this memory leak detailed. I found that “Acpi-State” cache and
“Acpi-Parse” cache were merged because the size of cache objects was same
slab cache size.

I finally found “Acpi-Parse” cache and “Acpi-ParseExt” cache were leaked
using SLAB_NEVER_MERGE flag in kmem_cache_create() function.

Real ACPI cache leak point is as follows:
[    0.360101] ACPI: Added _OSI(Module Device)
[    0.360101] ACPI: Added _OSI(Processor Device)
[    0.360101] ACPI: Added _OSI(3.0 _SCP Extensions)
[    0.361043] ACPI: Added _OSI(Processor Aggregator Device)
[    0.364016] ACPI: Unable to start the ACPI Interpreter
[    0.365061] ACPI Error: Could not remove SCI handler (20170303/evmisc-281)
[    0.368174] kmem_cache_destroy Acpi-Parse: Slab cache still has objects
[    0.369332] CPU: 1 PID: 1 Comm: swapper/0 Tainted: G        W
4.12.0-rc4-next-20170608+ #8
[    0.371256] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS
VirtualBox 12/01/2006
[    0.372000] Call Trace:
[    0.372000]  ? dump_stack+0x5c/0x81
[    0.372000]  ? kmem_cache_destroy+0x1aa/0x1c0
[    0.372000]  ? acpi_sleep_proc_init+0x27/0x27
[    0.372000]  ? acpi_os_delete_cache+0xa/0x10
[    0.372000]  ? acpi_ut_delete_caches+0x56/0x7b
[    0.372000]  ? acpi_terminate+0xa/0x14
[    0.372000]  ? acpi_init+0x2af/0x34f
[    0.372000]  ? __class_create+0x4c/0x80
[    0.372000]  ? video_setup+0x7f/0x7f
[    0.372000]  ? acpi_sleep_proc_init+0x27/0x27
[    0.372000]  ? do_one_initcall+0x4e/0x1a0
[    0.372000]  ? kernel_init_freeable+0x189/0x20a
[    0.372000]  ? rest_init+0xc0/0xc0
[    0.372000]  ? kernel_init+0xa/0x100
[    0.372000]  ? ret_from_fork+0x25/0x30
[    0.388039] kmem_cache_destroy Acpi-ParseExt: Slab cache still has objects
[    0.389063] CPU: 1 PID: 1 Comm: swapper/0 Tainted: G        W
4.12.0-rc4-next-20170608+ #8
[    0.390557] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS
VirtualBox 12/01/2006
[    0.392000] Call Trace:
[    0.392000]  ? dump_stack+0x5c/0x81
[    0.392000]  ? kmem_cache_destroy+0x1aa/0x1c0
[    0.392000]  ? acpi_sleep_proc_init+0x27/0x27
[    0.392000]  ? acpi_os_delete_cache+0xa/0x10
[    0.392000]  ? acpi_ut_delete_caches+0x6d/0x7b
[    0.392000]  ? acpi_terminate+0xa/0x14
[    0.392000]  ? acpi_init+0x2af/0x34f
[    0.392000]  ? __class_create+0x4c/0x80
[    0.392000]  ? video_setup+0x7f/0x7f
[    0.392000]  ? acpi_sleep_proc_init+0x27/0x27
[    0.392000]  ? do_one_initcall+0x4e/0x1a0
[    0.392000]  ? kernel_init_freeable+0x189/0x20a
[    0.392000]  ? rest_init+0xc0/0xc0
[    0.392000]  ? kernel_init+0xa/0x100
[    0.392000]  ? ret_from_fork+0x25/0x30

When early abort is occurred due to invalid ACPI information, Linux kernel
terminates ACPI by calling acpi_terminate() function. The function calls
acpi_ut_delete_caches() function to delete local caches (acpi_gbl_namespace_
cache, state_cache, operand_cache, ps_node_cache, ps_node_ext_cache).

But the deletion codes in acpi_ut_delete_caches() function only delete
slab caches using kmem_cache_destroy() function, therefore the cache
objects should be flushed before acpi_ut_delete_caches() function.

“Acpi-Parse” cache and “Acpi-ParseExt” cache are used in an AML parse
function, acpi_ps_parse_loop(). The function should have flush codes to
handle an error state due to invalid AML codes.

This cache leak has a security threat because an old kernel (<= 4.9) shows
memory locations of kernel functions in stack dump. Some malicious users
could use this information to neutralize kernel ASLR.

To fix ACPI cache leak for enhancing security, I made a patch which has
flush codes in acpi_ps_parse_loop() function.

I hope that this patch improves the security of Linux kernel.

Thank you.

Signed-off-by: Seunghun Han <kkamagui@gmail.com>
---
 drivers/acpi/acpica/psloop.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/drivers/acpi/acpica/psloop.c b/drivers/acpi/acpica/psloop.c
index b422400..5d06383 100644
--- a/drivers/acpi/acpica/psloop.c
+++ b/drivers/acpi/acpica/psloop.c
@@ -658,5 +658,18 @@ acpi_status acpi_ps_parse_loop(struct acpi_walk_state *walk_state)
 	}			/* while parser_state->Aml */
 
 	status = acpi_ps_complete_final_op(walk_state, op, status);
+	if (ACPI_FAILURE(status)) {
+		/* Flush pushed op objects */
+
+		do {
+			acpi_ps_pop_scope(&(walk_state->parser_state), &op,
+					  &walk_state->arg_types,
+					  &walk_state->arg_count);
+			if (op) {
+				acpi_ps_complete_this_op(walk_state, op);
+			}
+		} while (op);
+	}
+
 	return_ACPI_STATUS(status);
 }