Add patch "ACPICA: Namespace: fix operand cache leak" (mainline commit
3b2d69114fefa474fca542e51119036dceb4aa6f) to fix CVE-2017-11472.
Change-Id: I9e472aa9e35f8a97b829039c94bf2f417576426b
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/3935
Tested-by: gerrit-photon <photon-checkins@vmware.com>
Reviewed-by: Alexey Makhalov <amakhalov@vmware.com>
1 | 1 |
new file mode 100644 |
... | ... |
@@ -0,0 +1,110 @@ |
0 |
+From 3b2d69114fefa474fca542e51119036dceb4aa6f Mon Sep 17 00:00:00 2001 |
|
1 |
+From: Seunghun Han <kkamagui@gmail.com> |
|
2 |
+Date: Wed, 26 Apr 2017 16:18:08 +0800 |
|
3 |
+Subject: [PATCH] ACPICA: Namespace: fix operand cache leak |
|
4 |
+ |
|
5 |
+ACPICA commit a23325b2e583556eae88ed3f764e457786bf4df6 |
|
6 |
+ |
|
7 |
+I found some ACPI operand cache leaks in ACPI early abort cases. |
|
8 |
+ |
|
9 |
+Boot log of ACPI operand cache leak is as follows: |
|
10 |
+>[ 0.174332] ACPI: Added _OSI(Module Device) |
|
11 |
+>[ 0.175504] ACPI: Added _OSI(Processor Device) |
|
12 |
+>[ 0.176010] ACPI: Added _OSI(3.0 _SCP Extensions) |
|
13 |
+>[ 0.177032] ACPI: Added _OSI(Processor Aggregator Device) |
|
14 |
+>[ 0.178284] ACPI: SCI (IRQ16705) allocation failed |
|
15 |
+>[ 0.179352] ACPI Exception: AE_NOT_ACQUIRED, Unable to install |
|
16 |
+System Control Interrupt handler (20160930/evevent-131) |
|
17 |
+>[ 0.180008] ACPI: Unable to start the ACPI Interpreter |
|
18 |
+>[ 0.181125] ACPI Error: Could not remove SCI handler |
|
19 |
+(20160930/evmisc-281) |
|
20 |
+>[ 0.184068] kmem_cache_destroy Acpi-Operand: Slab cache still has |
|
21 |
+objects |
|
22 |
+>[ 0.185358] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.10.0-rc3 #2 |
|
23 |
+>[ 0.186820] Hardware name: innotek gmb_h virtual_box/virtual_box, BIOS |
|
24 |
+virtual_box 12/01/2006 |
|
25 |
+>[ 0.188000] Call Trace: |
|
26 |
+>[ 0.188000] ? dump_stack+0x5c/0x7d |
|
27 |
+>[ 0.188000] ? kmem_cache_destroy+0x224/0x230 |
|
28 |
+>[ 0.188000] ? acpi_sleep_proc_init+0x22/0x22 |
|
29 |
+>[ 0.188000] ? acpi_os_delete_cache+0xa/0xd |
|
30 |
+>[ 0.188000] ? acpi_ut_delete_caches+0x3f/0x7b |
|
31 |
+>[ 0.188000] ? acpi_terminate+0x5/0xf |
|
32 |
+>[ 0.188000] ? acpi_init+0x288/0x32e |
|
33 |
+>[ 0.188000] ? __class_create+0x4c/0x80 |
|
34 |
+>[ 0.188000] ? video_setup+0x7a/0x7a |
|
35 |
+>[ 0.188000] ? do_one_initcall+0x4e/0x1b0 |
|
36 |
+>[ 0.188000] ? kernel_init_freeable+0x194/0x21a |
|
37 |
+>[ 0.188000] ? rest_init+0x80/0x80 |
|
38 |
+>[ 0.188000] ? kernel_init+0xa/0x100 |
|
39 |
+>[ 0.188000] ? ret_from_fork+0x25/0x30 |
|
40 |
+ |
|
41 |
+When early abort is occurred due to invalid ACPI information, Linux kernel |
|
42 |
+terminates ACPI by calling acpi_terminate() function. The function calls |
|
43 |
+acpi_ns_terminate() function to delete namespace data and ACPI operand cache |
|
44 |
+(acpi_gbl_module_code_list). |
|
45 |
+ |
|
46 |
+But the deletion code in acpi_ns_terminate() function is wrapped in |
|
47 |
+ACPI_EXEC_APP definition, therefore the code is only executed when the |
|
48 |
+definition exists. If the define doesn't exist, ACPI operand cache |
|
49 |
+(acpi_gbl_module_code_list) is leaked, and stack dump is shown in kernel log. |
|
50 |
+ |
|
51 |
+This causes a security threat because the old kernel (<= 4.9) shows memory |
|
52 |
+locations of kernel functions in stack dump, therefore kernel ASLR can be |
|
53 |
+neutralized. |
|
54 |
+ |
|
55 |
+To fix ACPI operand leak for enhancing security, I made a patch which |
|
56 |
+removes the ACPI_EXEC_APP define in acpi_ns_terminate() function for |
|
57 |
+executing the deletion code unconditionally. |
|
58 |
+ |
|
59 |
+Link: https://github.com/acpica/acpica/commit/a23325b2 |
|
60 |
+Signed-off-by: Seunghun Han <kkamagui@gmail.com> |
|
61 |
+Signed-off-by: Lv Zheng <lv.zheng@intel.com> |
|
62 |
+Signed-off-by: Bob Moore <robert.moore@intel.com> |
|
63 |
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com> |
|
64 |
+--- |
|
65 |
+ drivers/acpi/acpica/nsutils.c | 23 +++++++++-------------- |
|
66 |
+ 1 file changed, 9 insertions(+), 14 deletions(-) |
|
67 |
+ |
|
68 |
+diff --git a/drivers/acpi/acpica/nsutils.c b/drivers/acpi/acpica/nsutils.c |
|
69 |
+index 6616767..b5a2914 100644 |
|
70 |
+--- a/drivers/acpi/acpica/nsutils.c |
|
71 |
+@@ -594,25 +594,20 @@ struct acpi_namespace_node *acpi_ns_validate_handle(acpi_handle handle) |
|
72 |
+ void acpi_ns_terminate(void) |
|
73 |
+ { |
|
74 |
+ acpi_status status; |
|
75 |
++ union acpi_operand_object *prev; |
|
76 |
++ union acpi_operand_object *next; |
|
77 |
+ |
|
78 |
+ ACPI_FUNCTION_TRACE(ns_terminate); |
|
79 |
+ |
|
80 |
+-#ifdef ACPI_EXEC_APP |
|
81 |
+- { |
|
82 |
+- union acpi_operand_object *prev; |
|
83 |
+- union acpi_operand_object *next; |
|
84 |
++ /* Delete any module-level code blocks */ |
|
85 |
+ |
|
86 |
+- /* Delete any module-level code blocks */ |
|
87 |
+- |
|
88 |
+- next = acpi_gbl_module_code_list; |
|
89 |
+- while (next) { |
|
90 |
+- prev = next; |
|
91 |
+- next = next->method.mutex; |
|
92 |
+- prev->method.mutex = NULL; /* Clear the Mutex (cheated) field */ |
|
93 |
+- acpi_ut_remove_reference(prev); |
|
94 |
+- } |
|
95 |
++ next = acpi_gbl_module_code_list; |
|
96 |
++ while (next) { |
|
97 |
++ prev = next; |
|
98 |
++ next = next->method.mutex; |
|
99 |
++ prev->method.mutex = NULL; /* Clear the Mutex (cheated) field */ |
|
100 |
++ acpi_ut_remove_reference(prev); |
|
101 |
+ } |
|
102 |
+-#endif |
|
103 |
+ |
|
104 |
+ /* |
|
105 |
+ * Free the entire namespace -- all nodes and all objects |
|
106 |
+-- |
|
107 |
+2.7.4 |
|
108 |
+ |
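Review bot: The embedded patch appears to lack the `+++ b/drivers/acpi/acpica/nsutils.c` header line: index 70 is `--- a/drivers/acpi/acpica/nsutils.c` and index 71 is already the `@@ -594,25 +594,20 @@` hunk header, and the hunk header declares 110 added lines while 109 are rendered. Either the page rendering dropped that line or the file itself is missing it; in the latter case `patch -p1` would have to recover the target path from the `diff --git` line, so it is worth confirming the file is byte-identical to `git format-patch` output of mainline 3b2d69114fefa474fca542e51119036dceb4aa6f before relying on the Tested-by. The inner hunk is otherwise self-consistent: 11 context, 14 removed and 9 added lines match the 25/20 counts and the diffstat at index 66.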
... | ... |
@@ -2,7 +2,7 @@ |
2 | 2 |
Summary: Kernel |
3 | 3 |
Name: linux-esx |
4 | 4 |
Version: 4.9.52 |
5 |
-Release: 1%{?dist} |
|
5 |
+Release: 2%{?dist} |
|
6 | 6 |
License: GPLv2 |
7 | 7 |
URL: http://www.kernel.org/ |
8 | 8 |
Group: System Environment/Kernel |
... | ... |
@@ -36,6 +36,8 @@ Patch19: 06-pv-ops-boot_clock.patch |
36 | 36 |
Patch20: 07-vmware-only.patch |
37 | 37 |
Patch21: vmware-balloon-late-initcall.patch |
38 | 38 |
Patch22: add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-default.patch |
39 |
+# Fix CVE-2017-11472 |
|
40 |
+Patch23: ACPICA-Namespace-fix-operand-cache-leak.patch |
|
39 | 41 |
BuildRequires: bc |
40 | 42 |
BuildRequires: kbd |
41 | 43 |
BuildRequires: kmod-devel |
... | ... |
@@ -94,6 +96,7 @@ The Linux package contains the Linux kernel doc files |
94 | 94 |
%patch20 -p1 |
95 | 95 |
%patch21 -p1 |
96 | 96 |
%patch22 -p1 |
97 |
+%patch23 -p1 |
|
97 | 98 |
|
98 | 99 |
%build |
99 | 100 |
# patch vmw_balloon driver |
... | ... |
@@ -190,6 +193,8 @@ ln -sf linux-%{uname_r}.cfg /boot/photon.cfg |
190 | 190 |
/usr/src/linux-headers-%{uname_r} |
191 | 191 |
|
192 | 192 |
%changelog |
193 |
+* Mon Oct 02 2017 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.52-2 |
|
194 |
+- Fix CVE-2017-11472 (ACPICA: Namespace: fix operand cache leak) |
|
193 | 195 |
* Mon Oct 02 2017 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.52-1 |
194 | 196 |
- Version update |
195 | 197 |
* Mon Sep 18 2017 Alexey Makhalov <amakhalov@vmware.com> 4.9.47-2 |
... | ... |
@@ -2,7 +2,7 @@ |
2 | 2 |
Summary: Kernel |
3 | 3 |
Name: linux-secure |
4 | 4 |
Version: 4.9.52 |
5 |
-Release: 1%{?dist} |
|
5 |
+Release: 2%{?dist} |
|
6 | 6 |
License: GPLv2 |
7 | 7 |
URL: http://www.kernel.org/ |
8 | 8 |
Group: System Environment/Kernel |
... | ... |
@@ -47,6 +47,8 @@ Patch26: 0014-hv_sock-introduce-Hyper-V-Sockets.patch |
47 | 47 |
Patch27: 0001-Revert-crypto-testmgr-Disable-fips-allowed-for-authe.patch |
48 | 48 |
Patch28: 0002-allow-also-ecb-cipher_null.patch |
49 | 49 |
Patch29: add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-default.patch |
50 |
+# Fix CVE-2017-11472 |
|
51 |
+Patch30: ACPICA-Namespace-fix-operand-cache-leak.patch |
|
50 | 52 |
# NSX requirements (should be removed) |
51 | 53 |
Patch99: LKCM.patch |
52 | 54 |
BuildRequires: bc |
... | ... |
@@ -143,6 +145,7 @@ EOF |
143 | 143 |
%patch27 -p1 |
144 | 144 |
%patch28 -p1 |
145 | 145 |
%patch29 -p1 |
146 |
+%patch30 -p1 |
|
146 | 147 |
|
147 | 148 |
pushd .. |
148 | 149 |
%patch99 -p0 |
... | ... |
@@ -258,6 +261,8 @@ ln -sf linux-%{uname_r}.cfg /boot/photon.cfg |
258 | 258 |
/usr/src/linux-headers-%{uname_r} |
259 | 259 |
|
260 | 260 |
%changelog |
261 |
+* Mon Oct 02 2017 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.52-2 |
|
262 |
+- Fix CVE-2017-11472 (ACPICA: Namespace: fix operand cache leak) |
|
261 | 263 |
* Mon Oct 02 2017 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.52-1 |
262 | 264 |
- Version update |
263 | 265 |
* Mon Sep 18 2017 Alexey Makhalov <amakhalov@vmware.com> 4.9.47-2 |
... | ... |
@@ -2,7 +2,7 @@ |
2 | 2 |
Summary: Kernel |
3 | 3 |
Name: linux |
4 | 4 |
Version: 4.9.52 |
5 |
-Release: 1%{?dist} |
|
5 |
+Release: 2%{?dist} |
|
6 | 6 |
License: GPLv2 |
7 | 7 |
URL: http://www.kernel.org/ |
8 | 8 |
Group: System Environment/Kernel |
... | ... |
@@ -44,6 +44,8 @@ Patch23: 0014-hv_sock-introduce-Hyper-V-Sockets.patch |
44 | 44 |
Patch24: 0001-Revert-crypto-testmgr-Disable-fips-allowed-for-authe.patch |
45 | 45 |
Patch25: 0002-allow-also-ecb-cipher_null.patch |
46 | 46 |
Patch26: add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-default.patch |
47 |
+# Fix CVE-2017-11472 |
|
48 |
+Patch27: ACPICA-Namespace-fix-operand-cache-leak.patch |
|
47 | 49 |
|
48 | 50 |
BuildRequires: bc |
49 | 51 |
BuildRequires: kbd |
... | ... |
@@ -139,6 +141,7 @@ This package contains the 'perf' performance analysis tools for Linux kernel. |
139 | 139 |
%patch24 -p1 |
140 | 140 |
%patch25 -p1 |
141 | 141 |
%patch26 -p1 |
142 |
+%patch27 -p1 |
|
142 | 143 |
|
143 | 144 |
%build |
144 | 145 |
make mrproper |
... | ... |
@@ -298,6 +301,8 @@ ln -sf %{name}-%{uname_r}.cfg /boot/photon.cfg |
298 | 298 |
/usr/share/doc/* |
299 | 299 |
|
300 | 300 |
%changelog |
301 |
+* Mon Oct 02 2017 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.52-2 |
|
302 |
+- Fix CVE-2017-11472 (ACPICA: Namespace: fix operand cache leak) |
|
301 | 303 |
* Mon Oct 02 2017 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.52-1 |
302 | 304 |
- Version update |
303 | 305 |
* Mon Sep 18 2017 Alexey Makhalov <amakhalov@vmware.com> 4.9.47-2 |