From patchwork Wed Jul 19 06:37:17 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Seunghun Han <kkamagui@gmail.com>
X-Patchwork-Id: 9850553
Return-Path: <linux-acpi-owner@kernel.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	0D39D602C8 for <patchwork-linux-acpi@patchwork.kernel.org>;
	Wed, 19 Jul 2017 06:39:04 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id F048D285AF
	for <patchwork-linux-acpi@patchwork.kernel.org>;
	Wed, 19 Jul 2017 06:39:03 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id E441E28607; Wed, 19 Jul 2017 06:39:03 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-6.3 required=2.0 tests=BAYES_00,
	DKIM_ADSP_CUSTOM_MED,
	DKIM_SIGNED, FREEMAIL_FROM, RCVD_IN_DNSWL_HI, RCVD_IN_SORBS_SPAM,
	T_DKIM_INVALID autolearn=ham version=3.3.1
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id D048B285AF
	for <patchwork-linux-acpi@patchwork.kernel.org>;
	Wed, 19 Jul 2017 06:39:02 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1753168AbdGSGjB (ORCPT
	<rfc822;patchwork-linux-acpi@patchwork.kernel.org>);
	Wed, 19 Jul 2017 02:39:01 -0400
Received: from mail-pg0-f68.google.com ([74.125.83.68]:36360 "EHLO
	mail-pg0-f68.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1752958AbdGSGjA (ORCPT
	<rfc822; linux-acpi@vger.kernel.org>); Wed, 19 Jul 2017 02:39:00 -0400
Received: by mail-pg0-f68.google.com with SMTP id y129so5748533pgy.3;
	Tue, 18 Jul 2017 23:39:00 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=gmail.com; s=20161025;
	h=from:to:cc:subject:date:message-id;
	bh=zw7c5e+8ZUw4+pn8ClcR51o54lkUPILWBDmL6gqA1vs=;
	b=EaomA0T4yZgrlut2lAWU0KaeLyijUQLkGXzf3ufVVVoWimAUElzUH/FoHiB17Ww3U8
	pAfevBmS0zvK1R/HlkjTXS+eAJOSGLUxo/FcVaFPj5/94H8ODmwlK7+TwQP/GloqSINH
	U7k2i6+lLs8atG/MQJxMs8DjsxArJ6orDptZKNG+QgVtBW/UtNVLCJ/o47Tr6qUVHjZc
	4vygZeFZSESFn/xFK0jbHP1nUgkOp/Rt5Cn54QfKaskXFtxJGg5Jds6OfuKUaafM3CbJ
	iUMuBCRQx6e8RYzAkJAmxutDXXUEhMRIZTp/ecByAcaDisLfYi9UhkdGYNoLiovBVtMo
	PPRQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:from:to:cc:subject:date:message-id;
	bh=zw7c5e+8ZUw4+pn8ClcR51o54lkUPILWBDmL6gqA1vs=;
	b=R0c+nd3hXESLvleZ0HKbHK3JGZqBelDnh4KBpA38isL/l+zldIwpzWgKoU3ouIOZci
	mtpdpynKn5cC8kbc4HAxzoaZs4c/hGj8MeXlQMUzN4EprlF0EjIH/KEHONsnAyT7O6Js
	g0lFDidMr/iR/VpejsGPkKKh4idsFctqIqlBC2kfRWDMj8Xf3GSHNrPDlBK09zsuOesX
	D2eRdd/Fg/6vBCe+4YZ+Q0bqeajOlpY/vJ2dO8QmAD52mq+sISIleVp6cZGZWhj369ki
	W64ykM8vScaLBDPmlMQddhltUlghVY0b6xnp01KqVzjlfhJ7fwFCAuZjKKN1qmLRRZbx
	1+iw==
X-Gm-Message-State: AIVw11053Zy27Y2zKeYovLAgp+y72jxkY7hwhvCFIaYdgkmr+sszN/y8
	VOkosRS5v4vvSxKhLKQ=
X-Received: by 10.99.121.77 with SMTP id u74mr1471940pgc.107.1500446340265;
	Tue, 18 Jul 2017 23:39:00 -0700 (PDT)
Received: from localhost.localdomain ([175.203.71.232])
	by smtp.gmail.com with ESMTPSA id
	w70sm9094190pfd.15.2017.07.18.23.38.57
	(version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128);
	Tue, 18 Jul 2017 23:38:59 -0700 (PDT)
From: Seunghun Han <kkamagui@gmail.com>
To: Lv Zheng <lv.zheng@intel.com>
Cc: Robert Moore <robert.moore@intel.com>,
	"Rafael J. Wysocki" <rafael.j.wysocki@intel.com>,
	linux-acpi@vger.kernel.org, devel@acpica.org,
	linux-kernel@vger.kernel.org, security@kernel.org,
	Seunghun Han <kkamagui@gmail.com>
Subject: [PATCH] acpi: acpica: fix acpi operand cache leak in dswstate.c
Date: Wed, 19 Jul 2017 15:37:17 +0900
Message-Id: <1500446237-113706-1-git-send-email-kkamagui@gmail.com>
X-Mailer: git-send-email 2.1.4
Sender: linux-acpi-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-acpi.vger.kernel.org>
X-Mailing-List: linux-acpi@vger.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

I found an ACPI cache leak in ACPI early termination and boot continuing case.

When early termination is occurred due to malicious ACPI table, Linux kernel
terminates ACPI function and continues to boot process. While kernel terminates
ACPI function, kmem_cache_destroy() reports Acpi-Operand cache leak.

Boot log of ACPI operand cache leak is as follows:
>[    0.585957] ACPI: Added _OSI(Module Device)
>[    0.587218] ACPI: Added _OSI(Processor Device)
>[    0.588530] ACPI: Added _OSI(3.0 _SCP Extensions)
>[    0.589790] ACPI: Added _OSI(Processor Aggregator Device)
>[    0.591534] ACPI Error: Illegal I/O port address/length above 64K: C806E00000004002/0x2 (20170303/hwvalid-155)
>[    0.594351] ACPI Exception: AE_LIMIT, Unable to initialize fixed events (20170303/evevent-88)
>[    0.597858] ACPI: Unable to start the ACPI Interpreter
>[    0.599162] ACPI Error: Could not remove SCI handler (20170303/evmisc-281)
>[    0.601836] kmem_cache_destroy Acpi-Operand: Slab cache still has objects
>[    0.603556] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.12.0-rc5 #26
>[    0.605159] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
>[    0.609177] Call Trace:
>[    0.610063]  ? dump_stack+0x5c/0x81
>[    0.611118]  ? kmem_cache_destroy+0x1aa/0x1c0
>[    0.612632]  ? acpi_sleep_proc_init+0x27/0x27
>[    0.613906]  ? acpi_os_delete_cache+0xa/0x10
>[    0.617986]  ? acpi_ut_delete_caches+0x3f/0x7b
>[    0.619293]  ? acpi_terminate+0xa/0x14
>[    0.620394]  ? acpi_init+0x2af/0x34f
>[    0.621616]  ? __class_create+0x4c/0x80
>[    0.623412]  ? video_setup+0x7f/0x7f
>[    0.624585]  ? acpi_sleep_proc_init+0x27/0x27
>[    0.625861]  ? do_one_initcall+0x4e/0x1a0
>[    0.627513]  ? kernel_init_freeable+0x19e/0x21f
>[    0.628972]  ? rest_init+0x80/0x80
>[    0.630043]  ? kernel_init+0xa/0x100
>[    0.631084]  ? ret_from_fork+0x25/0x30
>[    0.633343] vgaarb: loaded
>[    0.635036] EDAC MC: Ver: 3.0.0
>[    0.638601] PCI: Probing PCI hardware
>[    0.639833] PCI host bridge to bus 0000:00
>[    0.641031] pci_bus 0000:00: root bus resource [io  0x0000-0xffff]
> ... Continue to boot and log is omitted ...

I analyzed this memory leak in detail and found acpi_ds_obj_stack_pop_and_
delete() function miscalculated the top of the stack. acpi_ds_obj_stack_push()
function uses walk_state->operand_index for start position of the top, but
acpi_ds_obj_stack_pop_and_delete() function considers index 0 for it.
Therefore, this causes acpi operand memory leak.

This cache leak causes a security threat because an old kernel (<= 4.9) shows
memory locations of kernel functions in stack dump. Some malicious users
could use this information to neutralize kernel ASLR.

I made a patch to fix ACPI operand cache leak.

Signed-off-by: Seunghun Han <kkamagui@gmail.com>
---
 drivers/acpi/acpica/dswstate.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/drivers/acpi/acpica/dswstate.c b/drivers/acpi/acpica/dswstate.c
index da111a1..fde6d78 100644
--- a/drivers/acpi/acpica/dswstate.c
+++ b/drivers/acpi/acpica/dswstate.c
@@ -403,6 +403,7 @@ acpi_ds_obj_stack_pop_and_delete(u32 pop_count,
 				 struct acpi_walk_state *walk_state)
 {
 	s32 i;
+	s32 stack_top;
 	union acpi_operand_object *obj_desc;
 
 	ACPI_FUNCTION_NAME(ds_obj_stack_pop_and_delete);
@@ -411,7 +412,11 @@ acpi_ds_obj_stack_pop_and_delete(u32 pop_count,
 		return;
 	}
 
-	for (i = (s32)pop_count - 1; i >= 0; i--) {
+	/* Calculate curruent top of the stack */
+
+	stack_top = (s32)walk_state->num_operands + walk_state->operand_index - 1;
+
+	for (i = stack_top; i >= 0; i--) {
 		if (walk_state->num_operands == 0) {
 			return;
 		}