rpms/acpica-tools
7
0
Fork 0
Code Issues Pull Requests Releases Activity

CVE-2017-13593: patch fixes operand cache leak in dsutils.c (BZ#1485346)

Browse Source 
Signed-off-by: Al Stone <ahs3@redhat.com>
This commit is contained in:
Al Stone 2018-03-08 16:44:52 -07:00
parent 3d460541b0
commit 1b212f811a
2 changed files with 103 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
acpica-tools.spec
View File

@ -36,6 +36,7 @@ Patch9: big-endian-v2.patch
Patch10: simple-64bit.patch Patch10: simple-64bit.patch
Patch11: be-tpm2.patch Patch11: be-tpm2.patch
Patch12: mips-be-fix.patch Patch12: mips-be-fix.patch
Patch13: cve-2017-13693.patch
BuildRequires: bison patchutils flex BuildRequires: bison patchutils flex
@ -98,6 +99,7 @@ gzip -dc %{SOURCE1} | tar -x --strip-components=1 -f -
%patch10 -p1 -b .simple-64bit %patch10 -p1 -b .simple-64bit
%patch11 -p1 -b .be-tpm2 %patch11 -p1 -b .be-tpm2
%patch12 -p1 -b .mips-be-fix %patch12 -p1 -b .mips-be-fix
%patch13 -p1 -b .cve-2017-13693
cp -p %{SOURCE2} README.Fedora cp -p %{SOURCE2} README.Fedora
cp -p %{SOURCE3} iasl.1 cp -p %{SOURCE3} iasl.1
@ -194,6 +196,8 @@ fi
%changelog %changelog
* Tue Mar 6 2018 Al Stone <ahs3@redhat.com> - 20180209-1 * Tue Mar 6 2018 Al Stone <ahs3@redhat.com> - 20180209-1
- Update to 20180209 source tree, including patch refeshes. Closes BZ#1544048 - Update to 20180209 source tree, including patch refeshes. Closes BZ#1544048
- CVE-2017-13693: operand cache leak in dsutils.c -- applied github patch to
fix the leak. Resolves BZ#1485346.
* Fri Feb 09 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 20180105-3 * Fri Feb 09 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 20180105-3
- Escape macros in %%changelog - Escape macros in %%changelog

99
cve-2017-13693.patch Normal file
View File

@ -0,0 +1,99 @@
From 987a3b5cf7175916e2a4b6ea5b8e70f830dfe732 Mon Sep 17 00:00:00 2001
From: Seunghun Han <kkamagui@gmail.com>
Date: Wed, 19 Jul 2017 16:47:53 +0900
Subject: [PATCH] acpi: acpica: fix acpi operand cache leak in dswstate.c
I found an ACPI cache leak in ACPI early termination and boot continuing case.
When early termination occurs due to malicious ACPI table, Linux kernel
terminates ACPI function and continues to boot process. While kernel terminates
ACPI function, kmem_cache_destroy() reports Acpi-Operand cache leak.
Boot log of ACPI operand cache leak is as follows:
>[ 0.585957] ACPI: Added _OSI(Module Device)
>[ 0.587218] ACPI: Added _OSI(Processor Device)
>[ 0.588530] ACPI: Added _OSI(3.0 _SCP Extensions)
>[ 0.589790] ACPI: Added _OSI(Processor Aggregator Device)
>[ 0.591534] ACPI Error: Illegal I/O port address/length above 64K: C806E00000004002/0x2 (20170303/hwvalid-155)
>[ 0.594351] ACPI Exception: AE_LIMIT, Unable to initialize fixed events (20170303/evevent-88)
>[ 0.597858] ACPI: Unable to start the ACPI Interpreter
>[ 0.599162] ACPI Error: Could not remove SCI handler (20170303/evmisc-281)
>[ 0.601836] kmem_cache_destroy Acpi-Operand: Slab cache still has objects
>[ 0.603556] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.12.0-rc5 #26
>[ 0.605159] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
>[ 0.609177] Call Trace:
>[ 0.610063] ? dump_stack+0x5c/0x81
>[ 0.611118] ? kmem_cache_destroy+0x1aa/0x1c0
>[ 0.612632] ? acpi_sleep_proc_init+0x27/0x27
>[ 0.613906] ? acpi_os_delete_cache+0xa/0x10
>[ 0.617986] ? acpi_ut_delete_caches+0x3f/0x7b
>[ 0.619293] ? acpi_terminate+0xa/0x14
>[ 0.620394] ? acpi_init+0x2af/0x34f
>[ 0.621616] ? __class_create+0x4c/0x80
>[ 0.623412] ? video_setup+0x7f/0x7f
>[ 0.624585] ? acpi_sleep_proc_init+0x27/0x27
>[ 0.625861] ? do_one_initcall+0x4e/0x1a0
>[ 0.627513] ? kernel_init_freeable+0x19e/0x21f
>[ 0.628972] ? rest_init+0x80/0x80
>[ 0.630043] ? kernel_init+0xa/0x100
>[ 0.631084] ? ret_from_fork+0x25/0x30
>[ 0.633343] vgaarb: loaded
>[ 0.635036] EDAC MC: Ver: 3.0.0
>[ 0.638601] PCI: Probing PCI hardware
>[ 0.639833] PCI host bridge to bus 0000:00
>[ 0.641031] pci_bus 0000:00: root bus resource [io 0x0000-0xffff]
> ... Continue to boot and log is omitted ...
I analyzed this memory leak in detail and found acpi_ds_obj_stack_pop_and_
delete() function miscalculated the top of the stack. acpi_ds_obj_stack_push()
function uses walk_state->operand_index for start position of the top, but
acpi_ds_obj_stack_pop_and_delete() function considers index 0 for it.
Therefore, this causes acpi operand memory leak.
This cache leak causes a security threat because an old kernel (<= 4.9) shows
memory locations of kernel functions in stack dump. Some malicious users
could use this information to neutralize kernel ASLR.
I made a patch to fix ACPI operand cache leak.
Signed-off-by: Seunghun Han <kkamagui@gmail.com>
Github-Location: https://github.com/acpica/acpica/pull/295/commits/987a3b5cf7175916e2a4b6ea5b8e70f830dfe732
---
source/components/dispatcher/dsutils.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
Index: acpica-unix2-20180209/source/components/dispatcher/dsutils.c
===================================================================
--- acpica-unix2-20180209.orig/source/components/dispatcher/dsutils.c
+++ acpica-unix2-20180209/source/components/dispatcher/dsutils.c
@@ -761,6 +761,8 @@ AcpiDsCreateOperands (
ACPI_PARSE_OBJECT *Arguments[ACPI_OBJ_NUM_OPERANDS];
UINT32 ArgCount = 0;
UINT32 Index = WalkState->NumOperands;
+ UINT32 PrevNumOperands = WalkState->NumOperands;
+ UINT32 NewNumOperands;
UINT32 i;
@@ -793,6 +795,7 @@ AcpiDsCreateOperands (
/* Create the interpreter arguments, in reverse order */
+ NewNumOperands = Index;
Index--;
for (i = 0; i < ArgCount; i++)
{
@@ -820,7 +823,11 @@ Cleanup:
* pop everything off of the operand stack and delete those
* objects
*/
- AcpiDsObjStackPopAndDelete (ArgCount, WalkState);
+ WalkState->NumOperands = i;
+ AcpiDsObjStackPopAndDelete (NewNumOperands, WalkState);
+
+ /* Restore operand count */
+ WalkState->NumOperands = PrevNumOperands;
ACPI_EXCEPTION ((AE_INFO, Status, "While creating Arg %u", Index));
return_ACPI_STATUS (Status);