From patchwork Wed Jul 19 07:40:28 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Seunghun Han X-Patchwork-Id: 9850651 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 813E660392 for ; Wed, 19 Jul 2017 07:41:46 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 7007E285FD for ; Wed, 19 Jul 2017 07:41:46 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 64C5928600; Wed, 19 Jul 2017 07:41:46 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.3 required=2.0 tests=BAYES_00, DKIM_ADSP_CUSTOM_MED, DKIM_SIGNED, FREEMAIL_FROM, RCVD_IN_DNSWL_HI, RCVD_IN_SORBS_SPAM, T_DKIM_INVALID autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id D9861285FD for ; Wed, 19 Jul 2017 07:41:45 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752759AbdGSHlo (ORCPT ); Wed, 19 Jul 2017 03:41:44 -0400 Received: from mail-pf0-f194.google.com ([209.85.192.194]:35243 "EHLO mail-pf0-f194.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752190AbdGSHln (ORCPT ); Wed, 19 Jul 2017 03:41:43 -0400 Received: by mail-pf0-f194.google.com with SMTP id q85so5549215pfq.2; Wed, 19 Jul 2017 00:41:43 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id; bh=2m3sUAcxrDm6i9xmT9SJKl4z6XQADa/AufpTdtFFu/A=; b=JRTP+RiBfoygCwFsRQIffQaTQIviSe+Fepv5RsArhi0Yqv6mlEZvdbKdqyqk9+3LcW 3hmXqZyYpkt1+MMfxcJ9EQgaS9gyCja08q+9jdINzUzYcGTnFHzQJOirMaZ+RDahTXa4 KBKCr5p0D6D14lRb6sAFlYP1QP66bwvoMj+96ndWP4HPlvCV1aDDkf8LSypnfv+aIj61 ehfcw7N7OGx5tSUG6KjYXN1ENgO8zC5x+QSqTbZfMIg+a+LKbGlZEAKM5hj/pUcVbDeH /5bCxjtOofaIQIoR2qsDh4eiHIP5LcT42eEJjIk/lPxZogm/CqIteIUeDj+m5oKsNEv4 qzfg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id; bh=2m3sUAcxrDm6i9xmT9SJKl4z6XQADa/AufpTdtFFu/A=; b=rRe/TXucIUXAhjyztUkoTVqPdigbLzfvcYzlwgC76Zkis1mRzAB/s1IUgGTCesKgOb pYK+ohsF7jMFZlVJZRB9jKx7dG9VMtix2E5crKJcTQnNKcAz+3HbwNaqt571gJZJHyPp O8xq/end2mBbe0qa4REkMqkC74iIYocqhoa9Ok//RQY95HRl9Y0bAakg8ME+Hmo19K/m cVMBN/PYWrVcUokvW2Vimn5dExxRMZxkhRmFtUAT89gFc4tn+XqZTxoezF1jT4WupggC Uk/Ta4rOjgmqb8g74yJxMXoSH2KtATf7Var2HrlUbLJVdPdDccNwSZ/JkN2hapn7Wh4z eTWw== X-Gm-Message-State: AIVw111pRL3MGsnUJvlVIg+0Yv92fodA8zDI+dUqTq1Ltkmb0jTkbMzW JuXellk9nnV6tQ== X-Received: by 10.84.211.137 with SMTP id c9mr1811172pli.96.1500450103192; Wed, 19 Jul 2017 00:41:43 -0700 (PDT) Received: from localhost.localdomain ([175.203.71.232]) by smtp.gmail.com with ESMTPSA id f23sm9136535pfd.107.2017.07.19.00.41.40 (version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Wed, 19 Jul 2017 00:41:42 -0700 (PDT) From: Seunghun Han To: Lv Zheng Cc: Robert Moore , "Rafael J. Wysocki" , linux-acpi@vger.kernel.org, devel@acpica.org, linux-kernel@vger.kernel.org, security@kernel.org, Seunghun Han Subject: [PATCH V2] acpi: acpica: fix acpi operand cache leak in dswstate.c Date: Wed, 19 Jul 2017 16:40:28 +0900 Message-Id: <1500450028-14236-1-git-send-email-kkamagui@gmail.com> X-Mailer: git-send-email 2.1.4 Sender: linux-acpi-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-acpi@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP I found an ACPI cache leak in ACPI early termination and boot continuing case. When early termination is occurred due to malicious ACPI table, Linux kernel terminates ACPI function and continues to boot process. While kernel terminates ACPI function, kmem_cache_destroy() reports Acpi-Operand cache leak. Boot log of ACPI operand cache leak is as follows: >[ 0.585957] ACPI: Added _OSI(Module Device) >[ 0.587218] ACPI: Added _OSI(Processor Device) >[ 0.588530] ACPI: Added _OSI(3.0 _SCP Extensions) >[ 0.589790] ACPI: Added _OSI(Processor Aggregator Device) >[ 0.591534] ACPI Error: Illegal I/O port address/length above 64K: C806E00000004002/0x2 (20170303/hwvalid-155) >[ 0.594351] ACPI Exception: AE_LIMIT, Unable to initialize fixed events (20170303/evevent-88) >[ 0.597858] ACPI: Unable to start the ACPI Interpreter >[ 0.599162] ACPI Error: Could not remove SCI handler (20170303/evmisc-281) >[ 0.601836] kmem_cache_destroy Acpi-Operand: Slab cache still has objects >[ 0.603556] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.12.0-rc5 #26 >[ 0.605159] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006 >[ 0.609177] Call Trace: >[ 0.610063] ? dump_stack+0x5c/0x81 >[ 0.611118] ? kmem_cache_destroy+0x1aa/0x1c0 >[ 0.612632] ? acpi_sleep_proc_init+0x27/0x27 >[ 0.613906] ? acpi_os_delete_cache+0xa/0x10 >[ 0.617986] ? acpi_ut_delete_caches+0x3f/0x7b >[ 0.619293] ? acpi_terminate+0xa/0x14 >[ 0.620394] ? acpi_init+0x2af/0x34f >[ 0.621616] ? __class_create+0x4c/0x80 >[ 0.623412] ? video_setup+0x7f/0x7f >[ 0.624585] ? acpi_sleep_proc_init+0x27/0x27 >[ 0.625861] ? do_one_initcall+0x4e/0x1a0 >[ 0.627513] ? kernel_init_freeable+0x19e/0x21f >[ 0.628972] ? rest_init+0x80/0x80 >[ 0.630043] ? kernel_init+0xa/0x100 >[ 0.631084] ? ret_from_fork+0x25/0x30 >[ 0.633343] vgaarb: loaded >[ 0.635036] EDAC MC: Ver: 3.0.0 >[ 0.638601] PCI: Probing PCI hardware >[ 0.639833] PCI host bridge to bus 0000:00 >[ 0.641031] pci_bus 0000:00: root bus resource [io 0x0000-0xffff] > ... Continue to boot and log is omitted ... I analyzed this memory leak in detail and found acpi_ds_obj_stack_pop_and_ delete() function miscalculated the top of the stack. acpi_ds_obj_stack_push() function uses walk_state->operand_index for start position of the top, but acpi_ds_obj_stack_pop_and_delete() function considers index 0 for it. Therefore, this causes acpi operand memory leak. This cache leak causes a security threat because an old kernel (<= 4.9) shows memory locations of kernel functions in stack dump. Some malicious users could use this information to neutralize kernel ASLR. I made a patch to fix ACPI operand cache leak. Signed-off-by: Seunghun Han --- Changes since V1: move stack_top into loop and change loop condition. drivers/acpi/acpica/dswstate.c | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/drivers/acpi/acpica/dswstate.c b/drivers/acpi/acpica/dswstate.c index da111a1..882a3d1 100644 --- a/drivers/acpi/acpica/dswstate.c +++ b/drivers/acpi/acpica/dswstate.c @@ -402,7 +402,8 @@ void acpi_ds_obj_stack_pop_and_delete(u32 pop_count, struct acpi_walk_state *walk_state) { - s32 i; + u32 i; + s32 stack_top; union acpi_operand_object *obj_desc; ACPI_FUNCTION_NAME(ds_obj_stack_pop_and_delete); @@ -411,7 +412,11 @@ acpi_ds_obj_stack_pop_and_delete(u32 pop_count, return; } - for (i = (s32)pop_count - 1; i >= 0; i--) { + /* Calculate curruent top of the stack */ + + stack_top = (s32)walk_state->num_operands + walk_state->operand_index - 1; + + for (i = 0; i < pop_count ; i++) { if (walk_state->num_operands == 0) { return; } @@ -419,11 +424,12 @@ acpi_ds_obj_stack_pop_and_delete(u32 pop_count, /* Pop the stack and delete an object if present in this stack entry */ walk_state->num_operands--; - obj_desc = walk_state->operands[i]; + obj_desc = walk_state->operands[stack_top]; if (obj_desc) { - acpi_ut_remove_reference(walk_state->operands[i]); - walk_state->operands[i] = NULL; + acpi_ut_remove_reference(walk_state->operands[stack_top]); + walk_state->operands[stack_top] = NULL; } + stack_top--; } ACPI_DEBUG_PRINT((ACPI_DB_EXEC, "Count=%X State=%p #Ops=%X\n",