Received: by 2002:ac0:a5b6:0:0:0:0:0 with SMTP id m51-v6csp2221901imm; Mon, 28 May 2018 04:13:52 -0700 (PDT) X-Google-Smtp-Source: AB8JxZo2/iCwL1MVjkkSXLqhCZhau5qxJ82+1ev0HxKPm8EFQWwh8hXzSlqayTJRo0LPoQGM0p1r X-Received: by 2002:a63:6e84:: with SMTP id j126-v6mr10311614pgc.239.1527506032724; Mon, 28 May 2018 04:13:52 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1527506032; cv=none; d=google.com; s=arc-20160816; b=IFzZbCrv9nEAs0xPtk520S2oOOgzXu1pRe2YfmVHbnatbh6DjrKCNwD9cJUDaBEPqM 2QedjiACABbmEffAtR3WQwnIIHVf9eZIYKc4ETzCe6qdHs4aVZuxOpaY45LKC+5iWfeP 4PFV2PymG1Rt0GXL3QFmTxXKiCGuCerUl2R5WaNjY7pWMbaR7xyYWGJguCU+O02Bf207 qLbycmkbQNMHkjrqpwok9tq/p1AJxn2LAmWm24Fz7FGue4POXUXpoatEFMsO8wyILJAZ pAjP4FMk2dyiE7fA7WfCfj/tVunnZ05YOeaAYeFt4PHQ6pQJwotDqDcJyPChMk4tu+I6 ZPxA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:user-agent:references :in-reply-to:message-id:date:subject:cc:to:from:dkim-signature :arc-authentication-results; bh=QpVJjkf1mfzu2Xvu9QGx7FO5DxyhJT2sBflJsyx6hEo=; b=O2XXXIubVVX8urhZ6sC8V1H0b6RGr4CMPIyJDa6Bk1I5XInE8AB+7E8NQjs0lZob+N A1zPhMOSbxaFoQpFqH6JRIJHghlJGvuW0qiOeXhvKVry7DDrSo+3Htf4zripy5YYbMs4 Due2/AmaNFal/V3d6ZhvpBBKShWdxwAa/wyMwTy+1MErKvkNVIbqAOTGXBr7lvHUjLDo ifoZspyIz/Dx8MaOJPRe5gl6aPV4qtsB7FCtlBU0+mrTrIcOaWW4PQQFo2O/AdnHx5BJ 5Xtg1Sv7PuSbi6Trk/eggKIAvVlHL4i4iCwr6G90ZBcVde/sXQpJdDJyt758WCxniYd5 1O9A== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=gqvpeO/8; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id m1-v6si29179459plt.276.2018.05.28.04.13.30; Mon, 28 May 2018 04:13:52 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=gqvpeO/8; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1424163AbeE1LM2 (ORCPT + 99 others); Mon, 28 May 2018 07:12:28 -0400 Received: from mail.kernel.org ([198.145.29.99]:60136 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S938038AbeE1LMX (ORCPT ); Mon, 28 May 2018 07:12:23 -0400 Received: from localhost (LFbn-1-12247-202.w90-92.abo.wanadoo.fr [90.92.61.202]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 91BFB206B7; Mon, 28 May 2018 11:12:22 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1527505943; bh=mCifSRMxwWPhQ/nQE/87hJr9rKg2b0Un/BEqygqprVE=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=gqvpeO/88WkorZTV+BWiCj1uFPsH/xqL35SJr8JTGnA3Y7oFMzNX7IgTxGMJB1bnI qt2k1RaMpDw5QXb10B+kR9Ni0dgEEOQNHxvsdmnLgTFRwrB/59QDzpDOvSM8csHdC9 u+YPoeaMnmcxLfwPDWLJd9rML95ejFbi+FpVd6fc= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Seunghun Han , Erik Schmauss , "Rafael J. Wysocki" , Sasha Levin Subject: [PATCH 4.16 154/272] ACPICA: acpi: acpica: fix acpi operand cache leak in nseval.c Date: Mon, 28 May 2018 12:03:07 +0200 Message-Id: <20180528100253.836505360@linuxfoundation.org> X-Mailer: git-send-email 2.17.0 In-Reply-To: <20180528100240.256525891@linuxfoundation.org> References: <20180528100240.256525891@linuxfoundation.org> User-Agent: quilt/0.65 X-stable: review MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 4.16-stable review patch. If anyone has any objections, please let me know. ------------------ From: Seunghun Han [ Upstream commit 97f3c0a4b0579b646b6b10ae5a3d59f0441cc12c ] I found an ACPI cache leak in ACPI early termination and boot continuing case. When early termination occurs due to malicious ACPI table, Linux kernel terminates ACPI function and continues to boot process. While kernel terminates ACPI function, kmem_cache_destroy() reports Acpi-Operand cache leak. Boot log of ACPI operand cache leak is as follows: >[ 0.464168] ACPI: Added _OSI(Module Device) >[ 0.467022] ACPI: Added _OSI(Processor Device) >[ 0.469376] ACPI: Added _OSI(3.0 _SCP Extensions) >[ 0.471647] ACPI: Added _OSI(Processor Aggregator Device) >[ 0.477997] ACPI Error: Null stack entry at ffff880215c0aad8 (20170303/exresop-174) >[ 0.482706] ACPI Exception: AE_AML_INTERNAL, While resolving operands for [opcode_name unavailable] (20170303/dswexec-461) >[ 0.487503] ACPI Error: Method parse/execution failed [\DBG] (Node ffff88021710ab40), AE_AML_INTERNAL (20170303/psparse-543) >[ 0.492136] ACPI Error: Method parse/execution failed [\_SB._INI] (Node ffff88021710a618), AE_AML_INTERNAL (20170303/psparse-543) >[ 0.497683] ACPI: Interpreter enabled >[ 0.499385] ACPI: (supports S0) >[ 0.501151] ACPI: Using IOAPIC for interrupt routing >[ 0.503342] ACPI Error: Null stack entry at ffff880215c0aad8 (20170303/exresop-174) >[ 0.506522] ACPI Exception: AE_AML_INTERNAL, While resolving operands for [opcode_name unavailable] (20170303/dswexec-461) >[ 0.510463] ACPI Error: Method parse/execution failed [\DBG] (Node ffff88021710ab40), AE_AML_INTERNAL (20170303/psparse-543) >[ 0.514477] ACPI Error: Method parse/execution failed [\_PIC] (Node ffff88021710ab18), AE_AML_INTERNAL (20170303/psparse-543) >[ 0.518867] ACPI Exception: AE_AML_INTERNAL, Evaluating _PIC (20170303/bus-991) >[ 0.522384] kmem_cache_destroy Acpi-Operand: Slab cache still has objects >[ 0.524597] CPU: 1 PID: 1 Comm: swapper/0 Not tainted 4.12.0-rc5 #26 >[ 0.526795] Hardware name: innotek gmb_h virtual_box/virtual_box, BIOS virtual_box 12/01/2006 >[ 0.529668] Call Trace: >[ 0.530811] ? dump_stack+0x5c/0x81 >[ 0.532240] ? kmem_cache_destroy+0x1aa/0x1c0 >[ 0.533905] ? acpi_os_delete_cache+0xa/0x10 >[ 0.535497] ? acpi_ut_delete_caches+0x3f/0x7b >[ 0.537237] ? acpi_terminate+0xa/0x14 >[ 0.538701] ? acpi_init+0x2af/0x34f >[ 0.540008] ? acpi_sleep_proc_init+0x27/0x27 >[ 0.541593] ? do_one_initcall+0x4e/0x1a0 >[ 0.543008] ? kernel_init_freeable+0x19e/0x21f >[ 0.546202] ? rest_init+0x80/0x80 >[ 0.547513] ? kernel_init+0xa/0x100 >[ 0.548817] ? ret_from_fork+0x25/0x30 >[ 0.550587] vgaarb: loaded >[ 0.551716] EDAC MC: Ver: 3.0.0 >[ 0.553744] PCI: Probing PCI hardware >[ 0.555038] PCI host bridge to bus 0000:00 > ... Continue to boot and log is omitted ... I analyzed this memory leak in detail and found acpi_ns_evaluate() function only removes Info->return_object in AE_CTRL_RETURN_VALUE case. But, when errors occur, the status value is not AE_CTRL_RETURN_VALUE, and Info->return_object is also not null. Therefore, this causes acpi operand memory leak. This cache leak causes a security threat because an old kernel (<= 4.9) shows memory locations of kernel functions in stack dump. Some malicious users could use this information to neutralize kernel ASLR. I made a patch to fix ACPI operand cache leak. Signed-off-by: Seunghun Han Signed-off-by: Erik Schmauss Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- drivers/acpi/acpica/nseval.c | 8 ++++++++ 1 file changed, 8 insertions(+) --- a/drivers/acpi/acpica/nseval.c +++ b/drivers/acpi/acpica/nseval.c @@ -308,6 +308,14 @@ acpi_status acpi_ns_evaluate(struct acpi /* Map AE_CTRL_RETURN_VALUE to AE_OK, we are done with it */ status = AE_OK; + } else if (ACPI_FAILURE(status)) { + + /* If return_object exists, delete it */ + + if (info->return_object) { + acpi_ut_remove_reference(info->return_object); + info->return_object = NULL; + } } ACPI_DEBUG_PRINT((ACPI_DB_NAMES,