From patchwork Thu Aug 24 05:11:35 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Seunghun Han X-Patchwork-Id: 9919053 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 13EBB60353 for ; Thu, 24 Aug 2017 05:12:56 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 0657F28B3F for ; Thu, 24 Aug 2017 05:12:56 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id EF2F928B47; Thu, 24 Aug 2017 05:12:55 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.3 required=2.0 tests=BAYES_00, DKIM_ADSP_CUSTOM_MED, DKIM_SIGNED, FREEMAIL_FROM, RCVD_IN_DNSWL_HI, RCVD_IN_SORBS_SPAM, T_DKIM_INVALID autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id C920E28B41 for ; Thu, 24 Aug 2017 05:12:54 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751038AbdHXFMx (ORCPT ); Thu, 24 Aug 2017 01:12:53 -0400 Received: from mail-pg0-f67.google.com ([74.125.83.67]:34399 "EHLO mail-pg0-f67.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750806AbdHXFMw (ORCPT ); Thu, 24 Aug 2017 01:12:52 -0400 Received: by mail-pg0-f67.google.com with SMTP id p14so2303136pgd.1; Wed, 23 Aug 2017 22:12:52 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id; bh=K4mpm0tREJx9Epvlqlw4iK1putD842drhxZoiKnM+tQ=; b=LP5BpJCo792vEVred+1tbAcrN8/NRxuRV7r8ifgXT8htzxTPP2GwnVu12s+bA4CzQ+ +px+WkixCgvZEN2vEfd9f7s1/P+UV7mbeQbd4OYmnEQD12sN3GvDVDQUkef7mDhe8Rqi z59UlWA1W0sXRFpNNzV2NmgrpFQBj9s7YSM4YiajEIy33/oIrJ9BRDHM8Mwe/Ruezllz cMEwQR9nssSA7LA7xqbEBqt2LtjL26iR99IQEwMd31uDc0yKXQ7UDqC9UPMdvatVWJJR ruWzzF6svK8zj0m16l1ebskzMLNDpFs7h4f54Bk79fGB7do22aCyENzZE1MlzBVb8c9i jjiw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id; bh=K4mpm0tREJx9Epvlqlw4iK1putD842drhxZoiKnM+tQ=; b=bRGnhoSExjGhvjqSdab8XTOA5avHCUykpt2x3AeF29UenBC+z46hZYFWcCqJz+hAke /42L/F5qide3GRcQqNn2YgxRbzBOEeBUrndlj/lrJw0F2bm+kscnBqfD6DCNuyxuumYy MxSBmBXNtaWizuG49UIYZPc6VTGlXdwNpL/8zeMXtZzL7uqeXoagbabyFiMtDO6Hudno 9ogsESWywdUlRe1DVLhBauMsuyHZOdlGzcWrNMSd6oRaTS1oCX/K4syYgFpgDjoiaGta z0j6f/St9COJ28DvYuJ0b+7f+Myamw29AJKEre2k2PWTicsE6s4yogfUvLbPxrRcysmt aPTA== X-Gm-Message-State: AHYfb5heNoXjtHyScxnqCzBUfMgNgXrkM3+DoEI3ElhRF0XMR2ZmQ9rm 9k3Pdcmh6+Ilxg== X-Received: by 10.84.229.77 with SMTP id d13mr5643126pln.67.1503551571870; Wed, 23 Aug 2017 22:12:51 -0700 (PDT) Received: from localhost.localdomain ([175.203.71.232]) by smtp.gmail.com with ESMTPSA id r9sm5425362pfd.126.2017.08.23.22.12.49 (version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Wed, 23 Aug 2017 22:12:51 -0700 (PDT) From: Seunghun Han To: lv.zheng@intel.com Cc: robert.moore@intel.com, rafael.j.wysocki@intel.com, linux-acpi@vger.kernel.org, devel@acpica.org, linux-kernel@vger.kernel.org, security@kernel.org, Seunghun Han Subject: [PATCH] acpi: acpica: fix acpi operand cache leak in dsutils.c Date: Thu, 24 Aug 2017 14:11:35 +0900 Message-Id: <1503551495-33286-1-git-send-email-kkamagui@gmail.com> X-Mailer: git-send-email 2.1.4 Sender: linux-acpi-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-acpi@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP I found an ACPI cache leak in ACPI early termination and boot continuing case. When early termination is occurred due to malicious ACPI table, Linux kernel terminates ACPI function and continues to boot process. While kernel terminates ACPI function, kmem_cache_destroy() reports Acpi-Operand cache leak. Boot log of ACPI operand cache leak is as follows: >[ 0.585957] ACPI: Added _OSI(Module Device) >[ 0.587218] ACPI: Added _OSI(Processor Device) >[ 0.588530] ACPI: Added _OSI(3.0 _SCP Extensions) >[ 0.589790] ACPI: Added _OSI(Processor Aggregator Device) >[ 0.591534] ACPI Error: Illegal I/O port address/length above 64K: C806E00000004002/0x2 (20170303/hwvalid-155) >[ 0.594351] ACPI Exception: AE_LIMIT, Unable to initialize fixed events (20170303/evevent-88) >[ 0.597858] ACPI: Unable to start the ACPI Interpreter >[ 0.599162] ACPI Error: Could not remove SCI handler (20170303/evmisc-281) >[ 0.601836] kmem_cache_destroy Acpi-Operand: Slab cache still has objects >[ 0.603556] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.12.0-rc5 #26 >[ 0.605159] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006 >[ 0.609177] Call Trace: >[ 0.610063] ? dump_stack+0x5c/0x81 >[ 0.611118] ? kmem_cache_destroy+0x1aa/0x1c0 >[ 0.612632] ? acpi_sleep_proc_init+0x27/0x27 >[ 0.613906] ? acpi_os_delete_cache+0xa/0x10 >[ 0.617986] ? acpi_ut_delete_caches+0x3f/0x7b >[ 0.619293] ? acpi_terminate+0xa/0x14 >[ 0.620394] ? acpi_init+0x2af/0x34f >[ 0.621616] ? __class_create+0x4c/0x80 >[ 0.623412] ? video_setup+0x7f/0x7f >[ 0.624585] ? acpi_sleep_proc_init+0x27/0x27 >[ 0.625861] ? do_one_initcall+0x4e/0x1a0 >[ 0.627513] ? kernel_init_freeable+0x19e/0x21f >[ 0.628972] ? rest_init+0x80/0x80 >[ 0.630043] ? kernel_init+0xa/0x100 >[ 0.631084] ? ret_from_fork+0x25/0x30 >[ 0.633343] vgaarb: loaded >[ 0.635036] EDAC MC: Ver: 3.0.0 >[ 0.638601] PCI: Probing PCI hardware >[ 0.639833] PCI host bridge to bus 0000:00 >[ 0.641031] pci_bus 0000:00: root bus resource [io 0x0000-0xffff] > ... Continue to boot and log is omitted ... I analyzed this memory leak in detail and found acpi_ds_obj_stack_pop_and_ delete() function miscalculated the top of the stack. acpi_ds_obj_stack_push() function uses walk_state->operand_index for start position of the top, but acpi_ds_obj_stack_pop_and_delete() function considers index 0 for it. Therefore, this causes acpi operand memory leak. This cache leak causes a security threat because an old kernel (<= 4.9) shows memory locations of kernel functions in stack dump. Some malicious users could use this information to neutralize kernel ASLR. I made a patch to fix ACPI operand cache leak. Signed-off-by: Seunghun Han --- drivers/acpi/acpica/dsutils.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/drivers/acpi/acpica/dsutils.c b/drivers/acpi/acpica/dsutils.c index 0dabd9b..2c8a060 100644 --- a/drivers/acpi/acpica/dsutils.c +++ b/drivers/acpi/acpica/dsutils.c @@ -705,6 +705,8 @@ acpi_ds_create_operands(struct acpi_walk_state *walk_state, union acpi_parse_object *arguments[ACPI_OBJ_NUM_OPERANDS]; u32 arg_count = 0; u32 index = walk_state->num_operands; + u32 prev_num_operands = walk_state->num_operands; + u32 new_num_operands; u32 i; ACPI_FUNCTION_TRACE_PTR(ds_create_operands, first_arg); @@ -733,6 +735,7 @@ acpi_ds_create_operands(struct acpi_walk_state *walk_state, /* Create the interpreter arguments, in reverse order */ + new_num_operands = index; index--; for (i = 0; i < arg_count; i++) { arg = arguments[index]; @@ -757,7 +760,11 @@ acpi_ds_create_operands(struct acpi_walk_state *walk_state, * pop everything off of the operand stack and delete those * objects */ - acpi_ds_obj_stack_pop_and_delete(arg_count, walk_state); + walk_state->num_operands = i; + acpi_ds_obj_stack_pop_and_delete(new_num_operands, walk_state); + + /* Restore operand count */ + walk_state->num_operands = prev_num_operands; ACPI_EXCEPTION((AE_INFO, status, "While creating Arg %u", index)); return_ACPI_STATUS(status);