From 1b212f811a2beff190f779b152c0e0b216cce371 Mon Sep 17 00:00:00 2001
From: Al Stone
Date: Thu, 8 Mar 2018 16:44:52 -0700
Subject: [PATCH] CVE-2017-13593: patch fixes operand cache leak in dsutils.c (BZ#1485346)

Signed-off-by: Al Stone
---
 acpica-tools.spec | 4 ++
 cve-2017-13693.patch | 99 ++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 103 insertions(+)
 create mode 100644 cve-2017-13693.patch

diff --git a/acpica-tools.spec b/acpica-tools.spec
index 43d696d..2a3a3e8 100644
--- a/acpica-tools.spec
+++ b/acpica-tools.spec
@@ -36,6 +36,7 @@ Patch9: big-endian-v2.patch
 Patch10: simple-64bit.patch
 Patch11: be-tpm2.patch
 Patch12: mips-be-fix.patch
+Patch13: cve-2017-13693.patch
 
 BuildRequires: bison patchutils flex
 
@@ -98,6 +99,7 @@ gzip -dc %{SOURCE1} | tar -x --strip-components=1 -f -
 %patch10 -p1 -b .simple-64bit
 %patch11 -p1 -b .be-tpm2
 %patch12 -p1 -b .mips-be-fix
+%patch13 -p1 -b .cve-2017-13693
 
 cp -p %{SOURCE2} README.Fedora
 cp -p %{SOURCE3} iasl.1
@@ -194,6 +196,8 @@ fi
 
 %changelog
 * Tue Mar 6 2018 Al Stone - 20180209-1
 - Update to 20180209 source tree, including patch refeshes. Closes BZ#1544048
+- CVE-2017-13693: operand cache leak in dsutils.c -- applied github patch to
+ fix the leak. Resolves BZ#1485346.
 * Fri Feb 09 2018 Igor Gnatenko - 20180105-3
 - Escape macros in %%changelog
diff --git a/cve-2017-13693.patch b/cve-2017-13693.patch
new file mode 100644
index 0000000..baded1a
--- /dev/null
+++ b/cve-2017-13693.patch
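Review bot: The commit subject names CVE-2017-13593, while the `Patch13: cve-2017-13693.patch` line added in this hunk, the `%patch13 -p1 -b .cve-2017-13693` line in the next hunk and the new changelog entry all refer to CVE-2017-13693. The bundled patch addresses the ACPICA operand cache leak that the changelog attributes to CVE-2017-13693, so the subject appears to carry a transposed digit and should read `CVE-2017-13693: patch fixes operand cache leak in dsutils.c (BZ#1485346)`. Vulnerability tracking that keys on commit subjects would otherwise file this fix under the wrong identifier.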
@@ -0,0 +1,99 @@
+From 987a3b5cf7175916e2a4b6ea5b8e70f830dfe732 Mon Sep 17 00:00:00 2001
+From: Seunghun Han
+Date: Wed, 19 Jul 2017 16:47:53 +0900
+Subject: [PATCH] acpi: acpica: fix acpi operand cache leak in dswstate.c
+
+I found an ACPI cache leak in ACPI early termination and boot continuing case.
+
+When early termination occurs due to malicious ACPI table, Linux kernel
+terminates ACPI function and continues to boot process. While kernel terminates
+ACPI function, kmem_cache_destroy() reports Acpi-Operand cache leak.
+
+Boot log of ACPI operand cache leak is as follows:
+>[ 0.585957] ACPI: Added _OSI(Module Device)
+>[ 0.587218] ACPI: Added _OSI(Processor Device)
+>[ 0.588530] ACPI: Added _OSI(3.0 _SCP Extensions)
+>[ 0.589790] ACPI: Added _OSI(Processor Aggregator Device)
+>[ 0.591534] ACPI Error: Illegal I/O port address/length above 64K: C806E00000004002/0x2 (20170303/hwvalid-155)
+>[ 0.594351] ACPI Exception: AE_LIMIT, Unable to initialize fixed events (20170303/evevent-88)
+>[ 0.597858] ACPI: Unable to start the ACPI Interpreter
+>[ 0.599162] ACPI Error: Could not remove SCI handler (20170303/evmisc-281)
+>[ 0.601836] kmem_cache_destroy Acpi-Operand: Slab cache still has objects
+>[ 0.603556] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.12.0-rc5 #26
+>[ 0.605159] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
+>[ 0.609177] Call Trace:
+>[ 0.610063] ? dump_stack+0x5c/0x81
+>[ 0.611118] ? kmem_cache_destroy+0x1aa/0x1c0
+>[ 0.612632] ? acpi_sleep_proc_init+0x27/0x27
+>[ 0.613906] ? acpi_os_delete_cache+0xa/0x10
+>[ 0.617986] ? acpi_ut_delete_caches+0x3f/0x7b
+>[ 0.619293] ? acpi_terminate+0xa/0x14
+>[ 0.620394] ? acpi_init+0x2af/0x34f
+>[ 0.621616] ? __class_create+0x4c/0x80
+>[ 0.623412] ? video_setup+0x7f/0x7f
+>[ 0.624585] ? acpi_sleep_proc_init+0x27/0x27
+>[ 0.625861] ? do_one_initcall+0x4e/0x1a0
+>[ 0.627513] ? kernel_init_freeable+0x19e/0x21f
+>[ 0.628972] ? rest_init+0x80/0x80
+>[ 0.630043] ? kernel_init+0xa/0x100
+>[ 0.631084] ? ret_from_fork+0x25/0x30
+>[ 0.633343] vgaarb: loaded
+>[ 0.635036] EDAC MC: Ver: 3.0.0
+>[ 0.638601] PCI: Probing PCI hardware
+>[ 0.639833] PCI host bridge to bus 0000:00
+>[ 0.641031] pci_bus 0000:00: root bus resource [io 0x0000-0xffff]
+> ... Continue to boot and log is omitted ...
+
+I analyzed this memory leak in detail and found acpi_ds_obj_stack_pop_and_
+delete() function miscalculated the top of the stack. acpi_ds_obj_stack_push()
+function uses walk_state->operand_index for start position of the top, but
+acpi_ds_obj_stack_pop_and_delete() function considers index 0 for it.
+Therefore, this causes acpi operand memory leak.
+
+This cache leak causes a security threat because an old kernel (<= 4.9) shows
+memory locations of kernel functions in stack dump. Some malicious users
+could use this information to neutralize kernel ASLR.
+
+I made a patch to fix ACPI operand cache leak.
+
+Signed-off-by: Seunghun Han
+
+Github-Location: https://github.com/acpica/acpica/pull/295/commits/987a3b5cf7175916e2a4b6ea5b8e70f830dfe732
+---
+ source/components/dispatcher/dsutils.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+Index: acpica-unix2-20180209/source/components/dispatcher/dsutils.c
+===================================================================
+--- acpica-unix2-20180209.orig/source/components/dispatcher/dsutils.c
++++ acpica-unix2-20180209/source/components/dispatcher/dsutils.c
+@@ -761,6 +761,8 @@ AcpiDsCreateOperands (
+ ACPI_PARSE_OBJECT *Arguments[ACPI_OBJ_NUM_OPERANDS];
+ UINT32 ArgCount = 0;
+ UINT32 Index = WalkState->NumOperands;
++ UINT32 PrevNumOperands = WalkState->NumOperands;
++ UINT32 NewNumOperands;
+ UINT32 i;
+ 
+ 
+@@ -793,6 +795,7 @@ AcpiDsCreateOperands (
+ 
+ /* Create the interpreter arguments, in reverse order */
+ 
++ NewNumOperands = Index;
+ Index--;
+ for (i = 0; i < ArgCount; i++)
+ {
+@@ -820,7 +823,11 @@ Cleanup:
+ * pop everything off of the operand stack and delete those
+ * objects
+ */
+- AcpiDsObjStackPopAndDelete (ArgCount, WalkState);
++ WalkState->NumOperands = i;
++ AcpiDsObjStackPopAndDelete (NewNumOperands, WalkState);
++
++ /* Restore operand count */
++ WalkState->NumOperands = PrevNumOperands;
+ 
+ ACPI_EXCEPTION ((AE_INFO, Status, "While creating Arg %u", Index));
+ return_ACPI_STATUS (Status);
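Review bot: The new line `WalkState->NumOperands = i;` at the top of the Cleanup block carries no comment, although it is the non-obvious half of the fix: it appears intended to replace the operand count with the number of operands the loop created before the jump to Cleanup, so that the following pop of `NewNumOperands` entries releases only those. I would add `/* Only i operands were created above; bound the pop to those */` before it, in the same style as the `/* Restore operand count */` comment two lines later. The correctness of this depends on AcpiDsObjStackPopAndDelete() stopping once NumOperands reaches zero and on `i` being assigned before every path that reaches Cleanup; neither is visible in the hunk, so both are worth confirming against the surrounding function. AcpiDsCreateOperands itself begins before the first inner hunk and closes after the last one.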