android_kernel_oneplus_msm8998/drivers/acpi
Seunghun Han dfcb739c20 ACPICA: acpi: acpica: fix acpi operand cache leak in nseval.c
[ Upstream commit 97f3c0a4b0579b646b6b10ae5a3d59f0441cc12c ]

I found an ACPI cache leak in ACPI early termination and boot continuing case.

When early termination occurs due to a malicious ACPI table, the Linux kernel
terminates the ACPI function and continues the boot process. While the kernel terminates
the ACPI function, kmem_cache_destroy() reports an Acpi-Operand cache leak.

The boot log of the ACPI operand cache leak is as follows:
>[    0.464168] ACPI: Added _OSI(Module Device)
>[    0.467022] ACPI: Added _OSI(Processor Device)
>[    0.469376] ACPI: Added _OSI(3.0 _SCP Extensions)
>[    0.471647] ACPI: Added _OSI(Processor Aggregator Device)
>[    0.477997] ACPI Error: Null stack entry at ffff880215c0aad8 (20170303/exresop-174)
>[    0.482706] ACPI Exception: AE_AML_INTERNAL, While resolving operands for [opcode_name unavailable] (20170303/dswexec-461)
>[    0.487503] ACPI Error: Method parse/execution failed [\DBG] (Node ffff88021710ab40), AE_AML_INTERNAL (20170303/psparse-543)
>[    0.492136] ACPI Error: Method parse/execution failed [\_SB._INI] (Node ffff88021710a618), AE_AML_INTERNAL (20170303/psparse-543)
>[    0.497683] ACPI: Interpreter enabled
>[    0.499385] ACPI: (supports S0)
>[    0.501151] ACPI: Using IOAPIC for interrupt routing
>[    0.503342] ACPI Error: Null stack entry at ffff880215c0aad8 (20170303/exresop-174)
>[    0.506522] ACPI Exception: AE_AML_INTERNAL, While resolving operands for [opcode_name unavailable] (20170303/dswexec-461)
>[    0.510463] ACPI Error: Method parse/execution failed [\DBG] (Node ffff88021710ab40), AE_AML_INTERNAL (20170303/psparse-543)
>[    0.514477] ACPI Error: Method parse/execution failed [\_PIC] (Node ffff88021710ab18), AE_AML_INTERNAL (20170303/psparse-543)
>[    0.518867] ACPI Exception: AE_AML_INTERNAL, Evaluating _PIC (20170303/bus-991)
>[    0.522384] kmem_cache_destroy Acpi-Operand: Slab cache still has objects
>[    0.524597] CPU: 1 PID: 1 Comm: swapper/0 Not tainted 4.12.0-rc5 #26
>[    0.526795] Hardware name: innotek gmb_h virtual_box/virtual_box, BIOS virtual_box 12/01/2006
>[    0.529668] Call Trace:
>[    0.530811]  ? dump_stack+0x5c/0x81
>[    0.532240]  ? kmem_cache_destroy+0x1aa/0x1c0
>[    0.533905]  ? acpi_os_delete_cache+0xa/0x10
>[    0.535497]  ? acpi_ut_delete_caches+0x3f/0x7b
>[    0.537237]  ? acpi_terminate+0xa/0x14
>[    0.538701]  ? acpi_init+0x2af/0x34f
>[    0.540008]  ? acpi_sleep_proc_init+0x27/0x27
>[    0.541593]  ? do_one_initcall+0x4e/0x1a0
>[    0.543008]  ? kernel_init_freeable+0x19e/0x21f
>[    0.546202]  ? rest_init+0x80/0x80
>[    0.547513]  ? kernel_init+0xa/0x100
>[    0.548817]  ? ret_from_fork+0x25/0x30
>[    0.550587] vgaarb: loaded
>[    0.551716] EDAC MC: Ver: 3.0.0
>[    0.553744] PCI: Probing PCI hardware
>[    0.555038] PCI host bridge to bus 0000:00
> ... Continue to boot and log is omitted ...

I analyzed this memory leak in detail and found that the acpi_ns_evaluate() function
only removes Info->return_object in the AE_CTRL_RETURN_VALUE case. But, when errors
occur, the status value is not AE_CTRL_RETURN_VALUE, and Info->return_object is
also not null. Therefore, this causes an ACPI operand memory leak.

This cache leak causes a security threat because an old kernel (<= 4.9) shows
memory locations of kernel functions in the stack dump. Some malicious users
could use this information to neutralize kernel ASLR.

I made a patch to fix the ACPI operand cache leak.

Signed-off-by: Seunghun Han <kkamagui@gmail.com>
Signed-off-by: Erik Schmauss <erik.schmauss@intel.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-05-30 07:49:11 +02:00
acpica ACPICA: acpi: acpica: fix acpi operand cache leak in nseval.c 2018-05-30 07:49:11 +02:00
apei ACPI: APEI / ERST: Fix missing error handling in erst_reader() 2018-01-02 20:33:19 +01:00
pmic ACPI / PMIC: xpower: Fix power_table addresses 2018-03-24 10:58:45 +01:00
ac.c ACPI: Remove FSF mailing addresses 2015-07-08 02:27:32 +02:00
acpi_apd.c ACPI: Remove clk.h include 2015-07-20 10:52:45 -07:00
acpi_cmos_rtc.c ACPI / RTC: Fix CMOS RTC opregion handler accesses to wrong addresses 2014-09-08 15:38:41 +02:00
acpi_extlog.c ACPI and power management updates for 3.17-rc1 2014-08-06 20:34:19 -07:00
acpi_ipmi.c ACPI: Remove FSF mailing addresses 2015-07-08 02:27:32 +02:00
acpi_lpat.c ACPI / LPAT: Common table processing functions 2015-01-29 21:02:10 +08:00
acpi_lpss.c PM / PCI / ACPI: Kick devices that might have been reset by firmware 2015-10-14 02:17:34 +02:00
acpi_memhotplug.c ACPI: Remove FSF mailing addresses 2015-07-08 02:27:32 +02:00
acpi_pad.c ACPI: acpi_pad: Fix memory leak in power saving threads 2018-05-30 07:49:09 +02:00
acpi_platform.c ACPI: Do not create a platform_device for IOAPIC/IOxAPIC 2017-04-08 09:53:31 +02:00
acpi_pnp.c ACPI / scan: constify first argument of struct acpi_scan_handler::match 2015-09-15 02:56:29 +02:00
acpi_processor.c ACPI / processor: Avoid reserving IO regions too early 2018-01-31 12:06:09 +01:00
acpi_video.c ACPI / video: skip evaluating _DOD when it does not exist 2017-03-26 12:13:17 +02:00
battery.c ACPI: Remove FSF mailing addresses 2015-07-08 02:27:32 +02:00
battery.h ACPI / battery: move some ACPI_BATTERY_* definitions to header 2014-03-19 01:57:46 +01:00
bgrt.c acpi: bgrt: fix build error due to attribute change 2013-08-22 08:34:39 -07:00
blacklist.c ACPI / blacklist: Make Dell Latitude 3350 ethernet work 2017-03-30 09:35:20 +02:00
bus.c ACPI / processor: Request native thermal interrupt handling via _OSC 2016-05-11 11:21:26 +02:00
button.c ACPI: Remove FSF mailing addresses 2015-07-08 02:27:32 +02:00
cm_sbs.c ACPI: Remove FSF mailing addresses 2015-07-08 02:27:32 +02:00
container.c ACPI: Remove FSF mailing addresses 2015-07-08 02:27:32 +02:00
cppc_acpi.c ACPI / CPPC: Prevent cpc_desc_ptr points to the invalid data 2016-09-07 08:32:38 +02:00
custom_method.c ACPI: Clean up inclusions of ACPI header files 2013-12-07 01:03:14 +01:00
debugfs.c ACPI: fix acpi_debugfs_init prototype 2015-08-07 02:55:18 +02:00
device_pm.c PM / PCI / ACPI: Kick devices that might have been reset by firmware 2015-10-14 02:17:34 +02:00
device_sysfs.c ACPI / bus: Leave modalias empty for devices which are not present 2018-02-03 17:04:27 +01:00
dock.c ACPI: Remove FSF mailing addresses 2015-07-08 02:27:32 +02:00
ec.c ACPI / EC: Work around method reentrancy limit in ACPICA for _Qxx 2016-08-20 18:09:27 +02:00
ec_sys.c ACPI / EC: Fix broken 64bit big-endian users of 'global_lock' 2015-10-04 11:36:07 +01:00
event.c netlink: make nlmsg_end() and genlmsg_end() void 2015-01-18 01:03:45 -05:00
fan.c ACPI: Remove FSF mailing addresses 2015-07-08 02:27:32 +02:00
glue.c ACPI / scan: Prefer devices without _HID/_CID for _ADR matching 2018-01-31 12:06:09 +01:00
gsi.c acpi/gsi: Cleanup acpi_register_gsi 2015-10-13 19:01:25 +02:00
hed.c ACPI: Remove FSF mailing addresses 2015-07-08 02:27:32 +02:00
int340x_thermal.c ACPI: Eliminate CONFIG_.*{, _MODULE} #ifdef in favor of IS_ENABLED() 2015-09-15 03:05:45 +02:00
internal.h ACPI / processor: Request native thermal interrupt handling via _OSC 2016-05-11 11:21:26 +02:00
ioapic.c ACPI: ioapic: Clear on-stack resource before using it 2017-08-30 10:19:29 +02:00
Kconfig Merge branches 'acpica', 'acpi-video' and 'device-properties' 2015-12-04 14:01:17 +01:00
Makefile ACPI: Fix incompatibility with mcount-based function graph tracing 2017-04-08 09:53:31 +02:00
nfit.c acpi, nfit, libnvdimm: fix interleave set cookie calculation (64-bit comparison) 2017-04-21 09:30:05 +02:00
nfit.h acpi, nfit: check for the correct event code in notifications 2016-10-28 03:01:34 -04:00
numa.c acpi, numa: fix pxm to online numa node associations 2018-03-28 18:40:15 +02:00
nvs.c ACPI: Clean up acpi_os_map/unmap_memory() to eliminate __iomem. 2014-05-27 18:13:08 +02:00
osl.c ACPI / osi: Fix an issue that acpi_osi=!* cannot disable ACPICA internal strings 2016-06-01 12:15:50 -07:00
pci_irq.c ACPI, PCI, irq: remove redundant check for null string pointer 2018-04-08 11:51:56 +02:00
pci_link.c ACPI / PCI: Remove duplicated penalty on SCI IRQ 2015-09-26 01:53:07 +02:00
pci_root.c x86/PCI/ACPI: Fix regression caused by commit 4d6b4e69a2 2015-12-02 02:30:15 +01:00
pci_slot.c ACPI: Remove FSF mailing addresses 2015-07-08 02:27:32 +02:00
power.c ACPI / power: Avoid maybe-uninitialized warning 2017-04-27 09:09:33 +02:00
proc.c ACPI: change acpi_sleep_proc_init() to return void 2015-09-15 03:03:15 +02:00
processor_core.c ACPI / processor: Introduce invalid_phys_cpuid() 2015-05-13 23:28:16 +02:00
processor_driver.c ACPI/processor: Replace racy task affinity logic 2018-03-24 10:58:40 +01:00
processor_idle.c ACPI: Remove FSF mailing addresses 2015-07-08 02:27:32 +02:00
processor_pdc.c ACPI / processor: Introduce invalid_logical_cpuid() 2015-05-13 23:28:14 +02:00
processor_perflib.c ACPI: processor_perflib: Do not send _PPC change notification if not ready 2018-05-30 07:48:56 +02:00
processor_thermal.c ACPI: Remove FSF mailing addresses 2015-07-08 02:27:32 +02:00
processor_throttling.c ACPI/processor: Replace racy task affinity logic 2018-03-24 10:58:40 +01:00
property.c ACPI / property: Fix subnode lookup scope for data-only subnodes 2015-10-22 00:54:03 +02:00
reboot.c Revert "ACPI: ignore FADT reset-reg-sup flag" 2012-04-20 11:19:35 -07:00
resource.c PCI: ACPI: IA64: fix IO port generic range check 2016-04-12 09:08:37 -07:00
sbs.c ACPI: Remove FSF mailing addresses 2015-07-08 02:27:32 +02:00
sbshc.c ACPI: sbshc: remove raw pointer from printk() message 2018-02-16 20:09:47 +01:00
sbshc.h
scan.c ACPI / drivers: replace acpi_probe_lock spinlock with mutex 2016-09-07 08:32:45 +02:00
sleep.c ACPI / PM: Runtime resume devices when waking from hibernate 2016-04-12 09:09:03 -07:00
sleep.h ACPI / sleep: Drop acpi_suspend() which is not used 2015-03-18 12:53:21 +01:00
sysfs.c ACPI / sysfs: fix error code in get_status() 2016-09-07 08:32:45 +02:00
tables.c ACPI / tables: test the correct variable 2015-10-15 01:31:24 +02:00
thermal.c linux/thermal.h: rename KELVIN_TO_CELSIUS to DECI_KELVIN_TO_CELSIUS 2015-10-10 11:32:30 +08:00
utils.c ACPI: Remove FSF mailing addresses 2015-07-08 02:27:32 +02:00
video_detect.c ACPI / video: Add quirk to force acpi-video backlight on Samsung 670Z5E 2018-04-24 09:32:06 +02:00
wakeup.c ACPI: Clean up inclusions of ACPI header files 2013-12-07 01:03:14 +01:00