Al Stone 28da4e
From 37f2c716f2c6ab14c3ba557a539c3ee3224931b5 Mon Sep 17 00:00:00 2001
Al Stone 28da4e
From: Seunghun Han <kkamagui@gmail.com>
Al Stone 28da4e
Date: Wed, 19 Jul 2017 17:04:44 +0900
Al Stone 28da4e
Subject: [PATCH] acpi: acpica: fix acpi operand cache leak in nseval.c
Al Stone 28da4e
Al Stone 28da4e
I found an ACPI cache leak in ACPI early termination and boot continuing case.
Al Stone 28da4e
Al Stone 28da4e
When early termination occurs due to malicious ACPI table, Linux kernel
Al Stone 28da4e
terminates ACPI function and continues to boot process. While kernel terminates
Al Stone 28da4e
ACPI function, kmem_cache_destroy() reports Acpi-Operand cache leak.
Al Stone 28da4e
Al Stone 28da4e
Boot log of ACPI operand cache leak is as follows:
Al Stone 28da4e
>[    0.464168] ACPI: Added _OSI(Module Device)
Al Stone 28da4e
>[    0.467022] ACPI: Added _OSI(Processor Device)
Al Stone 28da4e
>[    0.469376] ACPI: Added _OSI(3.0 _SCP Extensions)
Al Stone 28da4e
>[    0.471647] ACPI: Added _OSI(Processor Aggregator Device)
Al Stone 28da4e
>[    0.477997] ACPI Error: Null stack entry at ffff880215c0aad8 (20170303/exresop-174)
Al Stone 28da4e
>[    0.482706] ACPI Exception: AE_AML_INTERNAL, While resolving operands for [OpcodeName unavailable] (20170303/dswexec-461)
Al Stone 28da4e
>[    0.487503] ACPI Error: Method parse/execution failed [\DBG] (Node ffff88021710ab40), AE_AML_INTERNAL (20170303/psparse-543)
Al Stone 28da4e
>[    0.492136] ACPI Error: Method parse/execution failed [\_SB._INI] (Node ffff88021710a618), AE_AML_INTERNAL (20170303/psparse-543)
Al Stone 28da4e
>[    0.497683] ACPI: Interpreter enabled
Al Stone 28da4e
>[    0.499385] ACPI: (supports S0)
Al Stone 28da4e
>[    0.501151] ACPI: Using IOAPIC for interrupt routing
Al Stone 28da4e
>[    0.503342] ACPI Error: Null stack entry at ffff880215c0aad8 (20170303/exresop-174)
Al Stone 28da4e
>[    0.506522] ACPI Exception: AE_AML_INTERNAL, While resolving operands for [OpcodeName unavailable] (20170303/dswexec-461)
Al Stone 28da4e
>[    0.510463] ACPI Error: Method parse/execution failed [\DBG] (Node ffff88021710ab40), AE_AML_INTERNAL (20170303/psparse-543)
Al Stone 28da4e
>[    0.514477] ACPI Error: Method parse/execution failed [\_PIC] (Node ffff88021710ab18), AE_AML_INTERNAL (20170303/psparse-543)
Al Stone 28da4e
>[    0.518867] ACPI Exception: AE_AML_INTERNAL, Evaluating _PIC (20170303/bus-991)
Al Stone 28da4e
>[    0.522384] kmem_cache_destroy Acpi-Operand: Slab cache still has objects
Al Stone 28da4e
>[    0.524597] CPU: 1 PID: 1 Comm: swapper/0 Not tainted 4.12.0-rc5 #26
Al Stone 28da4e
>[    0.526795] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
Al Stone 28da4e
>[    0.529668] Call Trace:
Al Stone 28da4e
>[    0.530811]  ? dump_stack+0x5c/0x81
Al Stone 28da4e
>[    0.532240]  ? kmem_cache_destroy+0x1aa/0x1c0
Al Stone 28da4e
>[    0.533905]  ? acpi_os_delete_cache+0xa/0x10
Al Stone 28da4e
>[    0.535497]  ? acpi_ut_delete_caches+0x3f/0x7b
Al Stone 28da4e
>[    0.537237]  ? acpi_terminate+0xa/0x14
Al Stone 28da4e
>[    0.538701]  ? acpi_init+0x2af/0x34f
Al Stone 28da4e
>[    0.540008]  ? acpi_sleep_proc_init+0x27/0x27
Al Stone 28da4e
>[    0.541593]  ? do_one_initcall+0x4e/0x1a0
Al Stone 28da4e
>[    0.543008]  ? kernel_init_freeable+0x19e/0x21f
Al Stone 28da4e
>[    0.546202]  ? rest_init+0x80/0x80
Al Stone 28da4e
>[    0.547513]  ? kernel_init+0xa/0x100
Al Stone 28da4e
>[    0.548817]  ? ret_from_fork+0x25/0x30
Al Stone 28da4e
>[    0.550587] vgaarb: loaded
Al Stone 28da4e
>[    0.551716] EDAC MC: Ver: 3.0.0
Al Stone 28da4e
>[    0.553744] PCI: Probing PCI hardware
Al Stone 28da4e
>[    0.555038] PCI host bridge to bus 0000:00
Al Stone 28da4e
> ... Continue to boot and log is omitted ...
Al Stone 28da4e
Al Stone 28da4e
I analyzed this memory leak in detail and found AcpiNsEvaluate() function
Al Stone 28da4e
only removes Info->ReturnObject in AE_CTRL_RETURN_VALUE case. But, when errors
Al Stone 28da4e
occur, the status value is not AE_CTRL_RETURN_VALUE, and Info->ReturnObject is
Al Stone 28da4e
also not null. Therefore, this causes acpi operand memory leak.
Al Stone 28da4e
Al Stone 28da4e
This cache leak causes a security threat because an old kernel (<= 4.9) shows
Al Stone 28da4e
memory locations of kernel functions in stack dump. Some malicious users
Al Stone 28da4e
could use this information to neutralize kernel ASLR.
Al Stone 28da4e
Al Stone 28da4e
I made a patch to fix ACPI operand cache leak.
Al Stone 28da4e
Al Stone 28da4e
Signed-off-by: Seunghun Han <kkamagui@gmail.com>
Al Stone 28da4e
Al Stone 28da4e
Github-Location: https://github.com/acpica/acpica/pull/296/commits/37f2c716f2c6ab14c3ba557a539c3ee3224931b5
Al Stone 28da4e
Al Stone 28da4e
---
Al Stone 28da4e
 source/components/namespace/nseval.c | 10 ++++++++++
Al Stone 28da4e
 1 file changed, 10 insertions(+)
Al Stone 28da4e
Al Stone 28da4e
Index: acpica-unix2-20180209/source/components/namespace/nseval.c
Al Stone 28da4e
===================================================================
Al Stone 28da4e
--- acpica-unix2-20180209.orig/source/components/namespace/nseval.c
Al Stone 28da4e
+++ acpica-unix2-20180209/source/components/namespace/nseval.c
Al Stone 28da4e
@@ -320,6 +320,16 @@ AcpiNsEvaluate (
Al Stone 28da4e
 
Al Stone 28da4e
         Status = AE_OK;
Al Stone 28da4e
     }
Al Stone 28da4e
+    else if (ACPI_FAILURE(Status)) 
Al Stone 28da4e
+    {
Al Stone 28da4e
+        /* If ReturnObject exists, delete it */
Al Stone 28da4e
+
Al Stone 28da4e
+        if (Info->ReturnObject) 
Al Stone 28da4e
+        {
Al Stone 28da4e
+            AcpiUtRemoveReference (Info->ReturnObject);
Al Stone 28da4e
+            Info->ReturnObject = NULL;
Al Stone 28da4e
+        }
Al Stone 28da4e
+    }
Al Stone 28da4e
 
Al Stone 28da4e
     ACPI_DEBUG_PRINT ((ACPI_DB_NAMES,
Al Stone 28da4e
         "*** Completed evaluation of object %s ***\n",