CVE-2017-13595: operand leak in nseval.c (BZ#1485349)

Signed-off-by: Al Stone <ahs3@redhat.com>
2018-03-08 16:55:21 -07:00 · 2018-03-08 16:55:21 -07:00 · 28da4ec9aa
commit 28da4ec9aa
parent f38dd154ac
2 changed files with 95 additions and 0 deletions
--- a/acpica-tools.spec
+++ b/acpica-tools.spec
@ -38,6 +38,7 @@ Patch11:        be-tpm2.patch
 Patch12:        mips-be-fix.patch
 Patch13:        cve-2017-13693.patch
 Patch14:        cve-2017-13694.patch
 Patch15:        cve-2017-13695.patch
 BuildRequires:  bison patchutils flex
@ -102,6 +103,7 @@ gzip -dc %{SOURCE1} | tar -x --strip-components=1 -f -
 %patch12 -p1 -b .mips-be-fix
 %patch13 -p1 -b .cve-2017-13693
 %patch14 -p1 -b .cve-2017-13694
 %patch15 -p1 -b .cve-2017-13695
 cp -p %{SOURCE2} README.Fedora
 cp -p %{SOURCE3} iasl.1
@ -202,6 +204,9 @@ fi
  fix the leak.  Resolves BZ#1485346.
 - CVE-2017-13694: acpi parse and parseext cache leaks in psobjects.c -- applied
  github patch to fix the leaks.  Resolves BZ#1485348.
 - CVE-2017-13695: operand cache leak in nseval.c -- applied github patch to fix
  the leak.  Resolves BZ#1485349.
 - Security fixes for the CVEs above applied.  Closes BZ#1485355.
 * Fri Feb 09 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 20180105-3
 - Escape macros in %%changelog
--- a/cve-2017-13695.patch
+++ b/cve-2017-13695.patch
@ -0,0 +1,90 @@
 From 37f2c716f2c6ab14c3ba557a539c3ee3224931b5 Mon Sep 17 00:00:00 2001
 From: Seunghun Han <kkamagui@gmail.com>
 Date: Wed, 19 Jul 2017 17:04:44 +0900
 Subject: [PATCH] acpi: acpica: fix acpi operand cache leak in nseval.c
 I found an ACPI cache leak in ACPI early termination and boot continuing case.
 When early termination occurs due to malicious ACPI table, Linux kernel
 terminates ACPI function and continues to boot process. While kernel terminates
 ACPI function, kmem_cache_destroy() reports Acpi-Operand cache leak.
 Boot log of ACPI operand cache leak is as follows:
 >[    0.464168] ACPI: Added _OSI(Module Device)
 >[    0.467022] ACPI: Added _OSI(Processor Device)
 >[    0.469376] ACPI: Added _OSI(3.0 _SCP Extensions)
 >[    0.471647] ACPI: Added _OSI(Processor Aggregator Device)
 >[    0.477997] ACPI Error: Null stack entry at ffff880215c0aad8 (20170303/exresop-174)
 >[    0.482706] ACPI Exception: AE_AML_INTERNAL, While resolving operands for [OpcodeName unavailable] (20170303/dswexec-461)
 >[    0.487503] ACPI Error: Method parse/execution failed [\DBG] (Node ffff88021710ab40), AE_AML_INTERNAL (20170303/psparse-543)
 >[    0.492136] ACPI Error: Method parse/execution failed [\_SB._INI] (Node ffff88021710a618), AE_AML_INTERNAL (20170303/psparse-543)
 >[    0.497683] ACPI: Interpreter enabled
 >[    0.499385] ACPI: (supports S0)
 >[    0.501151] ACPI: Using IOAPIC for interrupt routing
 >[    0.503342] ACPI Error: Null stack entry at ffff880215c0aad8 (20170303/exresop-174)
 >[    0.506522] ACPI Exception: AE_AML_INTERNAL, While resolving operands for [OpcodeName unavailable] (20170303/dswexec-461)
 >[    0.510463] ACPI Error: Method parse/execution failed [\DBG] (Node ffff88021710ab40), AE_AML_INTERNAL (20170303/psparse-543)
 >[    0.514477] ACPI Error: Method parse/execution failed [\_PIC] (Node ffff88021710ab18), AE_AML_INTERNAL (20170303/psparse-543)
 >[    0.518867] ACPI Exception: AE_AML_INTERNAL, Evaluating _PIC (20170303/bus-991)
 >[    0.522384] kmem_cache_destroy Acpi-Operand: Slab cache still has objects
 >[    0.524597] CPU: 1 PID: 1 Comm: swapper/0 Not tainted 4.12.0-rc5 #26
 >[    0.526795] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
 >[    0.529668] Call Trace:
 >[    0.530811]  ? dump_stack+0x5c/0x81
 >[    0.532240]  ? kmem_cache_destroy+0x1aa/0x1c0
 >[    0.533905]  ? acpi_os_delete_cache+0xa/0x10
 >[    0.535497]  ? acpi_ut_delete_caches+0x3f/0x7b
 >[    0.537237]  ? acpi_terminate+0xa/0x14
 >[    0.538701]  ? acpi_init+0x2af/0x34f
 >[    0.540008]  ? acpi_sleep_proc_init+0x27/0x27
 >[    0.541593]  ? do_one_initcall+0x4e/0x1a0
 >[    0.543008]  ? kernel_init_freeable+0x19e/0x21f
 >[    0.546202]  ? rest_init+0x80/0x80
 >[    0.547513]  ? kernel_init+0xa/0x100
 >[    0.548817]  ? ret_from_fork+0x25/0x30
 >[    0.550587] vgaarb: loaded
 >[    0.551716] EDAC MC: Ver: 3.0.0
 >[    0.553744] PCI: Probing PCI hardware
 >[    0.555038] PCI host bridge to bus 0000:00
 > ... Continue to boot and log is omitted ...
 I analyzed this memory leak in detail and found AcpiNsEvaluate() function
 only removes Info->ReturnObject in AE_CTRL_RETURN_VALUE case. But, when errors
 occur, the status value is not AE_CTRL_RETURN_VALUE, and Info->ReturnObject is
 also not null. Therefore, this causes acpi operand memory leak.
 This cache leak causes a security threat because an old kernel (<= 4.9) shows
 memory locations of kernel functions in stack dump. Some malicious users
 could use this information to neutralize kernel ASLR.
 I made a patch to fix ACPI operand cache leak.
 Signed-off-by: Seunghun Han <kkamagui@gmail.com>
 Github-Location: https://github.com/acpica/acpica/pull/296/commits/37f2c716f2c6ab14c3ba557a539c3ee3224931b5
 ---
 source/components/namespace/nseval.c | 10 ++++++++++
 1 file changed, 10 insertions(+)
 Index: acpica-unix2-20180209/source/components/namespace/nseval.c
 ===================================================================
 --- acpica-unix2-20180209.orig/source/components/namespace/nseval.c
 +++ acpica-unix2-20180209/source/components/namespace/nseval.c
@@ -320,6 +320,16 @@ AcpiNsEvaluate (
         Status = AE_OK;
     }
 +    else if (ACPI_FAILURE(Status)) 
 +    {
 +        /* If ReturnObject exists, delete it */
 +
 +        if (Info->ReturnObject) 
 +        {
 +            AcpiUtRemoveReference (Info->ReturnObject);
 +            Info->ReturnObject = NULL;
 +        }
 +    }
     ACPI_DEBUG_PRINT ((ACPI_DB_NAMES,
         "*** Completed evaluation of object %s ***\n",