From patchwork Mon Jun 15 10:43:32 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Jason A. Donenfeld" X-Patchwork-Id: 11604545 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 5D690912 for ; Mon, 15 Jun 2020 10:44:13 +0000 (UTC) Received: from mother.openwall.net (mother.openwall.net [195.42.179.200]) by mail.kernel.org (Postfix) with SMTP id B825D20663 for ; Mon, 15 Jun 2020 10:44:12 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=zx2c4.com header.i=@zx2c4.com header.b="3jnAe/G5" DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org B825D20663 Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=zx2c4.com Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=kernel-hardening-return-18979-patchwork-kernel-hardening=patchwork.kernel.org@lists.openwall.com Received: (qmail 5420 invoked by uid 550); 15 Jun 2020 10:44:11 -0000 Mailing-List: contact kernel-hardening-help@lists.openwall.com; run by ezmlm Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-ID: Delivered-To: mailing list kernel-hardening@lists.openwall.com Received: (qmail 5383 invoked from network); 15 Jun 2020 10:44:10 -0000 DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=zx2c4.com; h=from:to:cc :subject:date:message-id:in-reply-to:references:mime-version :content-transfer-encoding; s=mail; bh=W+psDjWP34bkbGREKoNGTKiwX RY=; b=3jnAe/G5QpfRdhmbQNo/KC6yS+10Fj/j0sHOja4aJa6WQEKmPBksnzJPU 4PjH2fbCASselEcm2VspxMQJsm7vJdmi5OpWBVSHAN4aOqvaHH/cuVNHi/MgvhUl cKoFNxP8rKxEg/tUSOW22eCKEj51G3kK1TrAJ37J1QI+Km++MIB+RTymZxgJzuJJ 7rYJzWAjWAPz/vAWSYmgUeCIWy/m0+Kjz6KXLeNA3VZMMiOrB5ocUTK7AI3Zv8Im PwCQeORfydLLuqc+UA86L1DeLEkXqGS59WsJZdn6QY1mTTHbhdYzphppkbgrFHrm gGT5CJMUnpweZZGMpyUJPRipeZSew== From: "Jason A. Donenfeld" To: linux-kernel@vger.kernel.org, linux-acpi@vger.kernel.org, mjg59@srcf.ucam.org, kernel-hardening@lists.openwall.com Cc: "Jason A. Donenfeld" , stable@vger.kernel.org Subject: [PATCH] acpi: disallow loading configfs acpi tables when locked down Date: Mon, 15 Jun 2020 04:43:32 -0600 Message-Id: <20200615104332.901519-1-Jason@zx2c4.com> In-Reply-To: References: MIME-Version: 1.0 Like other vectors already patched, this one here allows the root user to load ACPI tables, which enables arbitrary physical address writes, which in turn makes it possible to disable lockdown. This patch prevents this by checking the lockdown status before allowing a new ACPI table to be installed. The link in the trailer shows a PoC of how this might be used. Link: https://git.zx2c4.com/american-unsigned-language/tree/american-unsigned-language-2.sh Cc: stable@vger.kernel.org Signed-off-by: Jason A. Donenfeld --- drivers/acpi/acpi_configfs.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/drivers/acpi/acpi_configfs.c b/drivers/acpi/acpi_configfs.c index ece8c1a921cc..88c8af455ea3 100644 --- a/drivers/acpi/acpi_configfs.c +++ b/drivers/acpi/acpi_configfs.c @@ -11,6 +11,7 @@ #include #include #include +#include #include "acpica/accommon.h" #include "acpica/actables.h" @@ -28,7 +29,10 @@ static ssize_t acpi_table_aml_write(struct config_item *cfg, { const struct acpi_table_header *header = data; struct acpi_table *table; - int ret; + int ret = security_locked_down(LOCKDOWN_ACPI_TABLES); + + if (ret) + return ret; table = container_of(cfg, struct acpi_table, cfg);