From patchwork Mon Jun 15 10:43:32 2020
X-Patchwork-Submitter: "Jason A. Donenfeld"
X-Patchwork-Id: 11604543
From: "Jason A. Donenfeld"
To: linux-kernel@vger.kernel.org, linux-acpi@vger.kernel.org, mjg59@srcf.ucam.org, kernel-hardening@lists.openwall.com
Cc: "Jason A. Donenfeld", stable@vger.kernel.org
Subject: [PATCH] acpi: disallow loading configfs acpi tables when locked down
Date: Mon, 15 Jun 2020 04:43:32 -0600
Message-Id: <20200615104332.901519-1-Jason@zx2c4.com>

Like other vectors already patched, this one here allows the root user to load ACPI tables, which enables arbitrary physical address writes, which in turn makes it possible to disable lockdown. This patch prevents this by checking the lockdown status before allowing a new ACPI table to be installed. The link in the trailer shows a PoC of how this might be used.

Link: https://git.zx2c4.com/american-unsigned-language/tree/american-unsigned-language-2.sh
Cc: stable@vger.kernel.org
Signed-off-by: Jason A. Donenfeld

--- drivers/acpi/acpi_configfs.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/drivers/acpi/acpi_configfs.c b/drivers/acpi/acpi_configfs.c index ece8c1a921cc..88c8af455ea3 100644 --- a/drivers/acpi/acpi_configfs.c +++ b/drivers/acpi/acpi_configfs.c @@ -11,6 +11,7 @@ #include #include #include +#include #include "acpica/accommon.h" #include "acpica/actables.h" @@ -28,7 +29,10 @@ static ssize_t acpi_table_aml_write(struct config_item *cfg, { const struct acpi_table_header *header = data; struct acpi_table *table; - int ret; + int ret = security_locked_down(LOCKDOWN_ACPI_TABLES); + + if (ret) + return ret; table = container_of(cfg, struct acpi_table, cfg);
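Review bot: The lockdown check in the acpi_table_aml_write hunk is placed correctly, before container_of() and before any of the written AML is touched, so a locked-down kernel rejects the write with the errno returned by security_locked_down(LOCKDOWN_ACPI_TABLES) and never installs the table; since the configfs aml attribute can be written in several chunks, running the check on every write rather than only once at table creation is the right granularity. One documentation point: the patch is Cc'd to stable but carries no Fixes: tag or version hint, so the stable maintainers cannot tell from the message which releases contain the configfs ACPI table loader; adding a Fixes: line for the commit that introduced acpi_configfs.c (or naming the first affected kernel) would make the backport unambiguous. Minor: the name of the header added by "+#include" is not visible in this rendering, so reviewers reading the mail should confirm it is the one that declares security_locked_down() and LOCKDOWN_ACPI_TABLES.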