From patchwork Wed Jul 19 07:07:23 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Seunghun Han <kkamagui@gmail.com>
X-Patchwork-Id: 9850567
Return-Path: <linux-acpi-owner@kernel.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	2C83660388 for <patchwork-linux-acpi@patchwork.kernel.org>;
	Wed, 19 Jul 2017 07:08:43 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 1AD65285F5
	for <patchwork-linux-acpi@patchwork.kernel.org>;
	Wed, 19 Jul 2017 07:08:43 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id 0EF3728600; Wed, 19 Jul 2017 07:08:43 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-6.3 required=2.0 tests=BAYES_00,
	DKIM_ADSP_CUSTOM_MED,
	DKIM_SIGNED, FREEMAIL_FROM, RCVD_IN_DNSWL_HI, RCVD_IN_SORBS_SPAM,
	T_DKIM_INVALID autolearn=ham version=3.3.1
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 895D1285F5
	for <patchwork-linux-acpi@patchwork.kernel.org>;
	Wed, 19 Jul 2017 07:08:42 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1752799AbdGSHIl (ORCPT
	<rfc822;patchwork-linux-acpi@patchwork.kernel.org>);
	Wed, 19 Jul 2017 03:08:41 -0400
Received: from mail-pf0-f196.google.com ([209.85.192.196]:35655 "EHLO
	mail-pf0-f196.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1751376AbdGSHIk (ORCPT
	<rfc822; linux-acpi@vger.kernel.org>); Wed, 19 Jul 2017 03:08:40 -0400
Received: by mail-pf0-f196.google.com with SMTP id q85so5456352pfq.2;
	Wed, 19 Jul 2017 00:08:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=gmail.com; s=20161025;
	h=from:to:cc:subject:date:message-id;
	bh=ZbeTYNcAvC2pVnCqf6cyoBTl+duErLRB6zFPaicdtH0=;
	b=hGjhheLpP+vdt5FVlJ3Y9O7cSlcFcLThCpRJXvtqsenXthOOLxlYjLyzaCUHSWzSUR
	8E3ROE0bG6jRRQTFiE8bQzK1PM9MKa39LaYhBH2CD7QeyiVcj1CTW5xp5QolKHzRMUci
	YTrWpscJdbf0HWxqJNexQmIO9QUk0YROehubs93WnscoYEGfq8h0wKxM1vFWbPf4STdj
	GPXD3fxLennayofLNamhtgl50IHMoqErazfWbosebLBegEmEvTkj2sLHt4M6yQWRd9tH
	YgXFJrWACvH4X2VtMJAQrTfXv2T27PXbHd9gsNuqpZx9u72o+l4tt20agPPJKKDRRzFn
	5H5Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:from:to:cc:subject:date:message-id;
	bh=ZbeTYNcAvC2pVnCqf6cyoBTl+duErLRB6zFPaicdtH0=;
	b=fPVOp7w6pUsyzhbcy8S8yhR2+/sGgxMZ8zPbLUY3cYsddnBzzvc0xOJ+HrFRP0mXpf
	NX38RLBebFaep7ryhLembkC0/egQJXOsfBVXNn9wa1cxth/qz3Ab0lrkIA9LlwFlLn0u
	oD1zOq23lHr6MHoJfCnp4cjxbyul/mOYDLHHlXdthiDTD/HItjzeZzBtfX9TW5ewjiIg
	K32m5k+FuUiuvvT2igncM3aBd8ABq0o0iEOASxQyEv/aOMKeJHyyKM7s8A1SnvDUx+yI
	Hj9/PA4kAC/N2denWm+/dnQ81HVu+qGcIveaAGLZceHYr/ACz8SRqZK2682QI5xrPDT+
	C5Cg==
X-Gm-Message-State: AIVw113egC/qIHgwIC1xr7XNOSDwz+f+3cJuBJ5sa13n1VTlzy+0Xgor
	vanIoweqdIjvMg==
X-Received: by 10.84.224.141 with SMTP id s13mr1716784plj.212.1500448119698;
	Wed, 19 Jul 2017 00:08:39 -0700 (PDT)
Received: from localhost.localdomain ([175.203.71.232])
	by smtp.gmail.com with ESMTPSA id
	v17sm11855041pgn.4.2017.07.19.00.08.36
	(version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128);
	Wed, 19 Jul 2017 00:08:38 -0700 (PDT)
From: Seunghun Han <kkamagui@gmail.com>
To: Lv Zheng <lv.zheng@intel.com>
Cc: Robert Moore <robert.moore@intel.com>,
	"Rafael J. Wysocki" <rafael.j.wysocki@intel.com>,
	linux-acpi@vger.kernel.org, devel@acpica.org,
	linux-kernel@vger.kernel.org, security@kernel.org,
	Seunghun Han <kkamagui@gmail.com>
Subject: [PATCH] acpi: acpica: fix acpi operand cache leak in nseval.c
Date: Wed, 19 Jul 2017 16:07:23 +0900
Message-Id: <1500448043-137615-1-git-send-email-kkamagui@gmail.com>
X-Mailer: git-send-email 2.1.4
Sender: linux-acpi-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-acpi.vger.kernel.org>
X-Mailing-List: linux-acpi@vger.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

I found an ACPI cache leak in ACPI early termination and boot continuing case.

When early termination occurs due to malicious ACPI table, Linux kernel
terminates ACPI function and continues to boot process. While kernel terminates
ACPI function, kmem_cache_destroy() reports Acpi-Operand cache leak.

Boot log of ACPI operand cache leak is as follows:
>[    0.464168] ACPI: Added _OSI(Module Device)
>[    0.467022] ACPI: Added _OSI(Processor Device)
>[    0.469376] ACPI: Added _OSI(3.0 _SCP Extensions)
>[    0.471647] ACPI: Added _OSI(Processor Aggregator Device)
>[    0.477997] ACPI Error: Null stack entry at ffff880215c0aad8 (20170303/exresop-174)
>[    0.482706] ACPI Exception: AE_AML_INTERNAL, While resolving operands for [OpcodeName unavailable] (20170303/dswexec-461)
>[    0.487503] ACPI Error: Method parse/execution failed [\DBG] (Node ffff88021710ab40), AE_AML_INTERNAL (20170303/psparse-543)
>[    0.492136] ACPI Error: Method parse/execution failed [\_SB._INI] (Node ffff88021710a618), AE_AML_INTERNAL (20170303/psparse-543)
>[    0.497683] ACPI: Interpreter enabled
>[    0.499385] ACPI: (supports S0)
>[    0.501151] ACPI: Using IOAPIC for interrupt routing
>[    0.503342] ACPI Error: Null stack entry at ffff880215c0aad8 (20170303/exresop-174)
>[    0.506522] ACPI Exception: AE_AML_INTERNAL, While resolving operands for [OpcodeName unavailable] (20170303/dswexec-461)
>[    0.510463] ACPI Error: Method parse/execution failed [\DBG] (Node ffff88021710ab40), AE_AML_INTERNAL (20170303/psparse-543)
>[    0.514477] ACPI Error: Method parse/execution failed [\_PIC] (Node ffff88021710ab18), AE_AML_INTERNAL (20170303/psparse-543)
>[    0.518867] ACPI Exception: AE_AML_INTERNAL, Evaluating _PIC (20170303/bus-991)
>[    0.522384] kmem_cache_destroy Acpi-Operand: Slab cache still has objects
>[    0.524597] CPU: 1 PID: 1 Comm: swapper/0 Not tainted 4.12.0-rc5 #26
>[    0.526795] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
>[    0.529668] Call Trace:
>[    0.530811]  ? dump_stack+0x5c/0x81
>[    0.532240]  ? kmem_cache_destroy+0x1aa/0x1c0
>[    0.533905]  ? acpi_os_delete_cache+0xa/0x10
>[    0.535497]  ? acpi_ut_delete_caches+0x3f/0x7b
>[    0.537237]  ? acpi_terminate+0xa/0x14
>[    0.538701]  ? acpi_init+0x2af/0x34f
>[    0.540008]  ? acpi_sleep_proc_init+0x27/0x27
>[    0.541593]  ? do_one_initcall+0x4e/0x1a0
>[    0.543008]  ? kernel_init_freeable+0x19e/0x21f
>[    0.546202]  ? rest_init+0x80/0x80
>[    0.547513]  ? kernel_init+0xa/0x100
>[    0.548817]  ? ret_from_fork+0x25/0x30
>[    0.550587] vgaarb: loaded
>[    0.551716] EDAC MC: Ver: 3.0.0
>[    0.553744] PCI: Probing PCI hardware
>[    0.555038] PCI host bridge to bus 0000:00
> ... Continue to boot and log is omitted ...

I analyzed this memory leak in detail and found acpi_ns_evaluate() function
only removes info->return_object in AE_CTRL_RETURN_VALUE case. But, when errors
occur, the status value is not AE_CTRL_RETURN_VALUE, and info->return_object is
also not null. Therefore, this causes acpi operand memory leak.

This cache leak causes a security threat because an old kernel (<= 4.9) shows
memory locations of kernel functions in stack dump. Some malicious users
could use this information to neutralize kernel ASLR.

I made a patch to fix ACPI operand cache leak.

Signed-off-by: Seunghun Han <kkamagui@gmail.com>
---
 drivers/acpi/acpica/nseval.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/drivers/acpi/acpica/nseval.c b/drivers/acpi/acpica/nseval.c
index d22167c..f13d3cf 100644
--- a/drivers/acpi/acpica/nseval.c
+++ b/drivers/acpi/acpica/nseval.c
@@ -308,6 +308,14 @@ acpi_status acpi_ns_evaluate(struct acpi_evaluate_info *info)
 		/* Map AE_CTRL_RETURN_VALUE to AE_OK, we are done with it */
 
 		status = AE_OK;
+	} else if (ACPI_FAILURE(status)) {
+
+		/* If return_object exists, delete it */
+
+		if (info->return_object) {
+			acpi_ut_remove_reference(info->return_object);
+			info->return_object = NULL;
+		}
 	}
 
 	ACPI_DEBUG_PRINT((ACPI_DB_NAMES,