new file mode 100644

@@ -0,0 +1,110 @@

+From 3b2d69114fefa474fca542e51119036dceb4aa6f Mon Sep 17 00:00:00 2001

+From: Seunghun Han <kkamagui@gmail.com>

+Date: Wed, 26 Apr 2017 16:18:08 +0800

+Subject: [PATCH] ACPICA: Namespace: fix operand cache leak

+

+ACPICA commit a23325b2e583556eae88ed3f764e457786bf4df6

+

+I found some ACPI operand cache leaks in ACPI early abort cases.

+

+Boot log of ACPI operand cache leak is as follows:

+>[    0.174332] ACPI: Added _OSI(Module Device)

+>[    0.175504] ACPI: Added _OSI(Processor Device)

+>[    0.176010] ACPI: Added _OSI(3.0 _SCP Extensions)

+>[    0.177032] ACPI: Added _OSI(Processor Aggregator Device)

+>[    0.178284] ACPI: SCI (IRQ16705) allocation failed

+>[    0.179352] ACPI Exception: AE_NOT_ACQUIRED, Unable to install

+System Control Interrupt handler (20160930/evevent-131)

+>[    0.180008] ACPI: Unable to start the ACPI Interpreter

+>[    0.181125] ACPI Error: Could not remove SCI handler

+(20160930/evmisc-281)

+>[    0.184068] kmem_cache_destroy Acpi-Operand: Slab cache still has

+objects

+>[    0.185358] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.10.0-rc3 #2

+>[    0.186820] Hardware name: innotek gmb_h virtual_box/virtual_box, BIOS

+virtual_box 12/01/2006

+>[    0.188000] Call Trace:

+>[    0.188000]  ? dump_stack+0x5c/0x7d

+>[    0.188000]  ? kmem_cache_destroy+0x224/0x230

+>[    0.188000]  ? acpi_sleep_proc_init+0x22/0x22

+>[    0.188000]  ? acpi_os_delete_cache+0xa/0xd

+>[    0.188000]  ? acpi_ut_delete_caches+0x3f/0x7b

+>[    0.188000]  ? acpi_terminate+0x5/0xf

+>[    0.188000]  ? acpi_init+0x288/0x32e

+>[    0.188000]  ? __class_create+0x4c/0x80

+>[    0.188000]  ? video_setup+0x7a/0x7a

+>[    0.188000]  ? do_one_initcall+0x4e/0x1b0

+>[    0.188000]  ? kernel_init_freeable+0x194/0x21a

+>[    0.188000]  ? rest_init+0x80/0x80

+>[    0.188000]  ? kernel_init+0xa/0x100

+>[    0.188000]  ? ret_from_fork+0x25/0x30

+

+When early abort is occurred due to invalid ACPI information, Linux kernel

+terminates ACPI by calling acpi_terminate() function. The function calls

+acpi_ns_terminate() function to delete namespace data and ACPI operand cache

+(acpi_gbl_module_code_list).

+

+But the deletion code in acpi_ns_terminate() function is wrapped in

+ACPI_EXEC_APP definition, therefore the code is only executed when the

+definition exists. If the define doesn't exist, ACPI operand cache

+(acpi_gbl_module_code_list) is leaked, and stack dump is shown in kernel log.

+

+This causes a security threat because the old kernel (<= 4.9) shows memory

+locations of kernel functions in stack dump, therefore kernel ASLR can be

+neutralized.

+

+To fix ACPI operand leak for enhancing security, I made a patch which

+removes the ACPI_EXEC_APP define in acpi_ns_terminate() function for

+executing the deletion code unconditionally.

+

+Link: https://github.com/acpica/acpica/commit/a23325b2

+Signed-off-by: Seunghun Han <kkamagui@gmail.com>

+Signed-off-by: Lv Zheng <lv.zheng@intel.com>

+Signed-off-by: Bob Moore <robert.moore@intel.com>

+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>

+---

+ drivers/acpi/acpica/nsutils.c | 23 +++++++++--------------

+ 1 file changed, 9 insertions(+), 14 deletions(-)

+

+diff --git a/drivers/acpi/acpica/nsutils.c b/drivers/acpi/acpica/nsutils.c

+index 6616767..b5a2914 100644

+--- a/drivers/acpi/acpica/nsutils.c

+@@ -594,25 +594,20 @@ struct acpi_namespace_node *acpi_ns_validate_handle(acpi_handle handle)

+ void acpi_ns_terminate(void)

+ {

+ 	acpi_status status;

++	union acpi_operand_object *prev;

++	union acpi_operand_object *next;

+ 

+ 	ACPI_FUNCTION_TRACE(ns_terminate);

+ 

+-#ifdef ACPI_EXEC_APP

+-	{

+-		union acpi_operand_object *prev;

+-		union acpi_operand_object *next;

++	/* Delete any module-level code blocks */

+ 

+-		/* Delete any module-level code blocks */

+-

+-		next = acpi_gbl_module_code_list;

+-		while (next) {

+-			prev = next;

+-			next = next->method.mutex;

+-			prev->method.mutex = NULL;	/* Clear the Mutex (cheated) field */

+-			acpi_ut_remove_reference(prev);

+-		}

++	next = acpi_gbl_module_code_list;

++	while (next) {

++		prev = next;

++		next = next->method.mutex;

++		prev->method.mutex = NULL;	/* Clear the Mutex (cheated) field */

++		acpi_ut_remove_reference(prev);

+ 	}

+-#endif

+ 

+ 	/*

+ 	 * Free the entire namespace -- all nodes and all objects

+-- 

+2.7.4

+

@@ -2,7 +2,7 @@

 Summary:        Kernel

 Name:           linux-esx

 Version:        4.9.52

-Release:        1%{?dist}

+Release:        2%{?dist}

 License:        GPLv2

 URL:            http://www.kernel.org/

 Group:          System Environment/Kernel

@@ -36,6 +36,8 @@ Patch19:        06-pv-ops-boot_clock.patch

 Patch20:        07-vmware-only.patch

 Patch21:        vmware-balloon-late-initcall.patch

 Patch22:        add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-default.patch

+# Fix CVE-2017-11472

+Patch23:        ACPICA-Namespace-fix-operand-cache-leak.patch

 BuildRequires: bc

 BuildRequires: kbd

 BuildRequires: kmod-devel

@@ -94,6 +96,7 @@ The Linux package contains the Linux kernel doc files

 %patch20 -p1

 %patch21 -p1

 %patch22 -p1

+%patch23 -p1

 %build

 # patch vmw_balloon driver

@@ -190,6 +193,8 @@ ln -sf linux-%{uname_r}.cfg /boot/photon.cfg

 /usr/src/linux-headers-%{uname_r}

 %changelog

+*   Mon Oct 02 2017 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.52-2

+-   Fix CVE-2017-11472 (ACPICA: Namespace: fix operand cache leak)

 *   Mon Oct 02 2017 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.52-1

 -   Version update

 *   Mon Sep 18 2017 Alexey Makhalov <amakhalov@vmware.com> 4.9.47-2

@@ -2,7 +2,7 @@

 Summary:        Kernel

 Name:           linux-secure

 Version:        4.9.52

-Release:        1%{?dist}

+Release:        2%{?dist}

 License:        GPLv2

 URL:            http://www.kernel.org/

 Group:          System Environment/Kernel

@@ -47,6 +47,8 @@ Patch26:        0014-hv_sock-introduce-Hyper-V-Sockets.patch

 Patch27:        0001-Revert-crypto-testmgr-Disable-fips-allowed-for-authe.patch

 Patch28:        0002-allow-also-ecb-cipher_null.patch

 Patch29:        add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-default.patch

+# Fix CVE-2017-11472

+Patch30:        ACPICA-Namespace-fix-operand-cache-leak.patch

 # NSX requirements (should be removed)

 Patch99:        LKCM.patch

 BuildRequires:  bc

@@ -143,6 +145,7 @@ EOF

 %patch27 -p1

 %patch28 -p1

 %patch29 -p1

+%patch30 -p1

 pushd ..

 %patch99 -p0

@@ -258,6 +261,8 @@ ln -sf linux-%{uname_r}.cfg /boot/photon.cfg

 /usr/src/linux-headers-%{uname_r}

 %changelog

+*   Mon Oct 02 2017 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.52-2

+-   Fix CVE-2017-11472 (ACPICA: Namespace: fix operand cache leak)

 *   Mon Oct 02 2017 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.52-1

 -   Version update

 *   Mon Sep 18 2017 Alexey Makhalov <amakhalov@vmware.com> 4.9.47-2

@@ -2,7 +2,7 @@

 Summary:        Kernel

 Name:           linux

 Version:        4.9.52

-Release:        1%{?dist}

+Release:        2%{?dist}

 License:    	GPLv2

 URL:        	http://www.kernel.org/

 Group:        	System Environment/Kernel

@@ -44,6 +44,8 @@ Patch23:        0014-hv_sock-introduce-Hyper-V-Sockets.patch

 Patch24:        0001-Revert-crypto-testmgr-Disable-fips-allowed-for-authe.patch

 Patch25:        0002-allow-also-ecb-cipher_null.patch

 Patch26:        add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-default.patch

+# Fix CVE-2017-11472

+Patch27:        ACPICA-Namespace-fix-operand-cache-leak.patch

 BuildRequires:  bc

 BuildRequires:  kbd

@@ -139,6 +141,7 @@ This package contains the 'perf' performance analysis tools for Linux kernel.

 %patch24 -p1

 %patch25 -p1

 %patch26 -p1

+%patch27 -p1

 %build

 make mrproper

@@ -298,6 +301,8 @@ ln -sf %{name}-%{uname_r}.cfg /boot/photon.cfg

 /usr/share/doc/*

 %changelog

+*   Mon Oct 02 2017 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.52-2

+-   Fix CVE-2017-11472 (ACPICA: Namespace: fix operand cache leak)

 *   Mon Oct 02 2017 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.52-1

 -   Version update

 *   Mon Sep 18 2017 Alexey Makhalov <amakhalov@vmware.com> 4.9.47-2