android_kernel_oneplus_msm8998/drivers/acpi/acpica
Seunghun Han dfcb739c20 ACPICA: acpi: acpica: fix acpi operand cache leak in nseval.c
[ Upstream commit 97f3c0a4b0579b646b6b10ae5a3d59f0441cc12c ]

I found an ACPI cache leak in the ACPI early termination and boot continuing case.

When early termination occurs due to a malicious ACPI table, the Linux kernel
terminates the ACPI function and continues the boot process. While the kernel
terminates the ACPI function, kmem_cache_destroy() reports an Acpi-Operand cache leak.

Boot log of ACPI operand cache leak is as follows:
>[    0.464168] ACPI: Added _OSI(Module Device)
>[    0.467022] ACPI: Added _OSI(Processor Device)
>[    0.469376] ACPI: Added _OSI(3.0 _SCP Extensions)
>[    0.471647] ACPI: Added _OSI(Processor Aggregator Device)
>[    0.477997] ACPI Error: Null stack entry at ffff880215c0aad8 (20170303/exresop-174)
>[    0.482706] ACPI Exception: AE_AML_INTERNAL, While resolving operands for [opcode_name unavailable] (20170303/dswexec-461)
>[    0.487503] ACPI Error: Method parse/execution failed [\DBG] (Node ffff88021710ab40), AE_AML_INTERNAL (20170303/psparse-543)
>[    0.492136] ACPI Error: Method parse/execution failed [\_SB._INI] (Node ffff88021710a618), AE_AML_INTERNAL (20170303/psparse-543)
>[    0.497683] ACPI: Interpreter enabled
>[    0.499385] ACPI: (supports S0)
>[    0.501151] ACPI: Using IOAPIC for interrupt routing
>[    0.503342] ACPI Error: Null stack entry at ffff880215c0aad8 (20170303/exresop-174)
>[    0.506522] ACPI Exception: AE_AML_INTERNAL, While resolving operands for [opcode_name unavailable] (20170303/dswexec-461)
>[    0.510463] ACPI Error: Method parse/execution failed [\DBG] (Node ffff88021710ab40), AE_AML_INTERNAL (20170303/psparse-543)
>[    0.514477] ACPI Error: Method parse/execution failed [\_PIC] (Node ffff88021710ab18), AE_AML_INTERNAL (20170303/psparse-543)
>[    0.518867] ACPI Exception: AE_AML_INTERNAL, Evaluating _PIC (20170303/bus-991)
>[    0.522384] kmem_cache_destroy Acpi-Operand: Slab cache still has objects
>[    0.524597] CPU: 1 PID: 1 Comm: swapper/0 Not tainted 4.12.0-rc5 #26
>[    0.526795] Hardware name: innotek gmb_h virtual_box/virtual_box, BIOS virtual_box 12/01/2006
>[    0.529668] Call Trace:
>[    0.530811]  ? dump_stack+0x5c/0x81
>[    0.532240]  ? kmem_cache_destroy+0x1aa/0x1c0
>[    0.533905]  ? acpi_os_delete_cache+0xa/0x10
>[    0.535497]  ? acpi_ut_delete_caches+0x3f/0x7b
>[    0.537237]  ? acpi_terminate+0xa/0x14
>[    0.538701]  ? acpi_init+0x2af/0x34f
>[    0.540008]  ? acpi_sleep_proc_init+0x27/0x27
>[    0.541593]  ? do_one_initcall+0x4e/0x1a0
>[    0.543008]  ? kernel_init_freeable+0x19e/0x21f
>[    0.546202]  ? rest_init+0x80/0x80
>[    0.547513]  ? kernel_init+0xa/0x100
>[    0.548817]  ? ret_from_fork+0x25/0x30
>[    0.550587] vgaarb: loaded
>[    0.551716] EDAC MC: Ver: 3.0.0
>[    0.553744] PCI: Probing PCI hardware
>[    0.555038] PCI host bridge to bus 0000:00
> ... Continue to boot and log is omitted ...

I analyzed this memory leak in detail and found that the acpi_ns_evaluate() function
only removes Info->return_object in the AE_CTRL_RETURN_VALUE case. But when errors
occur, the status value is not AE_CTRL_RETURN_VALUE, and Info->return_object is
also not null. Therefore, this causes an ACPI operand memory leak.

This cache leak causes a security threat because an old kernel (<= 4.9) shows
memory locations of kernel functions in the stack dump. Some malicious users
could use this information to neutralize kernel ASLR.

I made a patch to fix the ACPI operand cache leak.

Signed-off-by: Seunghun Han <kkamagui@gmail.com>
Signed-off-by: Erik Schmauss <erik.schmauss@intel.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-05-30 07:49:11 +02:00
acapps.h ACPICA: iASL: General cleanup of the file suffix #defines 2015-10-22 02:01:12 +02:00
accommon.h ACPICA: Split C library prototypes to new header 2015-07-01 23:17:56 +02:00
acdebug.h ACPICA: Remove unnecessary conditional compilation 2015-10-22 02:01:11 +02:00
acdispat.h ACPICA: Dispatcher: Move stack traversal code to dispatcher 2015-07-23 23:09:06 +02:00
acevents.h
acglobal.h ACPICA: Debugger: Add thread ID support so that single step mode can only apply to the debugger thread 2015-10-22 02:05:05 +02:00
achware.h
acinterp.h ACPI: Enable build of AML interpreter debugger 2015-10-22 02:05:05 +02:00
aclocal.h ACPICA: Debugger: Add thread ID support so that single step mode can only apply to the debugger thread 2015-10-22 02:05:05 +02:00
acmacros.h ACPICA: Cleanup use of NEGATIVE and POSITIVE defines 2015-07-23 23:09:08 +02:00
acnamesp.h ACPI: Enable build of AML interpreter debugger 2015-10-22 02:05:05 +02:00
acobject.h ACPICA: Executer: Add back pointing reference of method operand 2015-07-23 23:09:06 +02:00
acopcode.h ACPICA: Improve typechecking, both compile-time and runtime 2015-10-22 02:01:12 +02:00
acparser.h ACPI: Enable build of AML interpreter debugger 2015-10-22 02:05:05 +02:00
acpredef.h ACPICA: ACPI 6.0: Add support for new predefined names. 2015-05-22 03:22:19 +02:00
acresrc.h ACPICA: Update Resource descriptor dump module. 2015-04-14 14:51:53 +02:00
acstruct.h ACPICA: Parser: Cleanup aml_offset in struct acpi_walk_state 2015-07-23 23:09:06 +02:00
actables.h ACPICA: Tables: Fix FADT dependency regression 2015-10-14 22:48:13 +02:00
acutils.h ACPI: Enable build of AML interpreter debugger 2015-10-22 02:05:05 +02:00
amlcode.h ACPICA: Improve typechecking, both compile-time and runtime 2015-10-22 02:01:12 +02:00
amlresrc.h
dbcmds.c ACPICA: Linuxize: Export debugger files to Linux 2015-10-22 02:04:28 +02:00
dbconvert.c ACPICA: Linuxize: Export debugger files to Linux 2015-10-22 02:04:28 +02:00
dbdisply.c ACPICA: Linuxize: Export debugger files to Linux 2015-10-22 02:04:28 +02:00
dbexec.c ACPICA: Debugger: Fix dead lock issue ocurred in single stepping mode 2015-10-22 02:05:06 +02:00
dbfileio.c ACPICA: Linuxize: Export debugger files to Linux 2015-10-22 02:04:28 +02:00
dbhistry.c ACPICA: Linuxize: Export debugger files to Linux 2015-10-22 02:04:28 +02:00
dbinput.c ACPICA: Debugger: Fix "terminate" command by cleaning up subsystem shutdown logic 2015-10-22 02:05:05 +02:00
dbmethod.c ACPICA: Linuxize: Export debugger files to Linux 2015-10-22 02:04:28 +02:00
dbnames.c ACPICA: Linuxize: Export debugger files to Linux 2015-10-22 02:04:28 +02:00
dbobject.c ACPICA: Linuxize: Export debugger files to Linux 2015-10-22 02:04:28 +02:00
dbstats.c ACPICA: Linuxize: Export debugger files to Linux 2015-10-22 02:04:28 +02:00
dbtest.c ACPICA: Linuxize: Export debugger files to Linux 2015-10-22 02:04:28 +02:00
dbutils.c ACPICA: Linuxize: Export debugger files to Linux 2015-10-22 02:04:28 +02:00
dbxface.c ACPICA: Debugger: Add thread ID support so that single step mode can only apply to the debugger thread 2015-10-22 02:05:05 +02:00
dsargs.c ACPICA: Dispatcher: Cleanup union acpi_operand_object's AML address assignments 2015-07-23 23:09:06 +02:00
dscontrol.c ACPICA: Make the max-number-of-loops runtime configurable 2015-08-25 23:11:32 +02:00
dsdebug.c ACPICA: Debugger: Cleanup debugging outputs to dump name path without trailing underscores 2015-08-25 23:11:33 +02:00
dsfield.c ACPICA: De-macroize calls to standard C library functions 2015-07-01 23:17:55 +02:00
dsinit.c ACPICA: Table handling: Cleanup and update debug output for tools 2015-08-25 23:11:32 +02:00
dsmethod.c ACPICA: Dispatcher: Update thread ID for recursive method calls 2016-05-11 11:21:20 +02:00
dsmthdat.c
dsobject.c ACPICA: De-macroize calls to standard C library functions 2015-07-01 23:17:55 +02:00
dsopcode.c ACPICA: Update parameter validation for data_table_region and load_table 2015-08-25 23:11:31 +02:00
dsutils.c ACPICA: De-macroize calls to standard C library functions 2015-07-01 23:17:55 +02:00
dswexec.c
dswload.c ACPICA: Dispatcher: Cleanup union acpi_operand_object's AML address assignments 2015-07-23 23:09:06 +02:00
dswload2.c ACPICA: Dispatcher: Cleanup union acpi_operand_object's AML address assignments 2015-07-23 23:09:06 +02:00
dswscope.c
dswstate.c
evevent.c ACPICA: Events: add a return on failure from acpi_hw_register_read 2018-05-30 07:49:11 +02:00
evglock.c
evgpe.c ACPICA: Store GPE register enable masks upfront 2015-04-15 04:00:27 +02:00
evgpeblk.c
evgpeinit.c ACPICA: De-macroize calls to standard C library functions 2015-07-01 23:17:55 +02:00
evgpeutil.c
evhandler.c
evmisc.c
evregion.c ACPICA: Add additional debug info/statements 2015-08-25 23:11:32 +02:00
evrgnini.c
evsci.c
evxface.c ACPI: Enable build of AML interpreter debugger 2015-10-22 02:05:05 +02:00
evxfevnt.c ACPICA: Events: Add runtime stub support for event APIs 2018-04-13 19:50:21 +02:00
evxfgpe.c
evxfregn.c
exconfig.c ACPICA: Update parameter validation for data_table_region and load_table 2015-08-25 23:11:31 +02:00
exconvrt.c ACPICA: Improve typechecking, both compile-time and runtime 2015-10-22 02:01:12 +02:00
excreate.c ACPICA: Executer: Add back pointing reference of method operand 2015-07-23 23:09:06 +02:00
exdebug.c ACPICA: Executer: Add option to bypass opcode tracing 2015-07-23 23:09:07 +02:00
exdump.c ACPICA: Debugger: Cleanup debugging outputs to dump name path without trailing underscores 2015-08-25 23:11:33 +02:00
exfield.c ACPICA: De-macroize calls to standard C library functions 2015-07-01 23:17:55 +02:00
exfldio.c ACPICA: De-macroize calls to standard C library functions 2015-07-01 23:17:55 +02:00
exmisc.c ACPICA: De-macroize calls to standard C library functions 2015-07-01 23:17:55 +02:00
exmutex.c
exnames.c ACPICA: De-macroize calls to standard C library functions 2015-07-01 23:17:55 +02:00
exoparg1.c
exoparg2.c ACPICA: De-macroize calls to standard C library functions 2015-07-01 23:17:55 +02:00
exoparg3.c ACPICA: De-macroize calls to standard C library functions 2015-07-01 23:17:55 +02:00
exoparg6.c
exprep.c
exregion.c ACPICA: De-macroize calls to standard C library functions 2015-07-01 23:17:55 +02:00
exresnte.c ACPICA: Correctly cleanup after a ACPI table load failure 2015-08-25 23:11:30 +02:00
exresolv.c ACPICA: Improve typechecking, both compile-time and runtime 2015-10-22 02:01:12 +02:00
exresop.c ACPICA: Improve typechecking, both compile-time and runtime 2015-10-22 02:01:12 +02:00
exstore.c ACPICA: Improve typechecking, both compile-time and runtime 2015-10-22 02:01:12 +02:00
exstoren.c ACPICA: Improve typechecking, both compile-time and runtime 2015-10-22 02:01:12 +02:00
exstorob.c ACPICA: De-macroize calls to standard C library functions 2015-07-01 23:17:55 +02:00
exsystem.c
exutils.c ACPICA: Utilities: Add _CLS processing 2015-07-01 23:17:53 +02:00
hwacpi.c
hwesleep.c
hwgpe.c ACPICA: Store GPE register enable masks upfront 2015-04-15 04:00:27 +02:00
hwpci.c ACPICA: Hardware: Fix a resource leak issue in acpi_hw_build_pci_list(). 2015-05-22 03:22:20 +02:00
hwregs.c
hwsleep.c
hwtimer.c
hwvalid.c ACPICA: Utilities: Cleanup to convert physical address printing formats. 2015-04-14 14:51:51 +02:00
hwxface.c ACPICA: acpi_get_sleep_type_data: Reduce warnings 2016-10-07 15:23:48 +02:00
hwxfsleep.c ACPICA: Tables: Cleanup to reduce FACS globals 2015-08-25 23:11:31 +02:00
Makefile ACPI: Enable build of AML interpreter debugger 2015-10-22 02:05:05 +02:00
nsaccess.c ACPICA: De-macroize calls to standard C library functions 2015-07-01 23:17:55 +02:00
nsalloc.c
nsarguments.c
nsconvert.c ACPICA: De-macroize calls to standard C library functions 2015-07-01 23:17:55 +02:00
nsdump.c ACPI: Enable build of AML interpreter debugger 2015-10-22 02:05:05 +02:00
nsdumpdv.c
nseval.c ACPICA: acpi: acpica: fix acpi operand cache leak in nseval.c 2018-05-30 07:49:11 +02:00
nsinit.c ACPICA: De-macroize calls to standard C library functions 2015-07-01 23:17:55 +02:00
nsload.c ACPICA: Correctly cleanup after a ACPI table load failure 2015-08-25 23:11:30 +02:00
nsnames.c ACPICA: Namespace: Add function to directly return normalized full path 2015-07-23 23:09:06 +02:00
nsobject.c
nsparse.c ACPICA: Dispatcher: Cleanup union acpi_operand_object's AML address assignments 2015-07-23 23:09:06 +02:00
nspredef.c ACPICA: Improve typechecking, both compile-time and runtime 2015-10-22 02:01:12 +02:00
nsprepkg.c ACPICA: ACPI 6.0: Add support for new predefined names. 2015-05-22 03:22:19 +02:00
nsrepair.c ACPICA: ACPI 6.0: Add support for new predefined names. 2015-05-22 03:22:19 +02:00
nsrepair2.c ACPICA: De-macroize calls to standard C library functions 2015-07-01 23:17:55 +02:00
nssearch.c ACPICA: Namespace: Change namespace override to avoid node deletion 2015-07-01 23:17:54 +02:00
nsutils.c ACPICA: Namespace: fix operand cache leak 2018-01-31 12:06:10 +01:00
nswalk.c
nsxfeval.c ACPICA: De-macroize calls to standard C library functions 2015-07-01 23:17:55 +02:00
nsxfname.c ACPICA: Namespace: Add function to directly return normalized full path 2015-07-23 23:09:06 +02:00
nsxfobj.c
psargs.c ACPICA: Dispatcher: Cleanup union acpi_operand_object's AML address assignments 2015-07-23 23:09:06 +02:00
psloop.c ACPICA: Add additional debug info/statements 2015-08-25 23:11:32 +02:00
psobject.c ACPICA: Disassembler: Abort on an invalid/unknown AML opcode 2018-04-13 19:50:21 +02:00
psopcode.c ACPICA: Add infrastructure for External() opcode. 2015-04-14 14:51:54 +02:00
psopinfo.c ACPICA: Parser: Move a couple externals to the proper header. 2015-05-22 03:22:19 +02:00
psparse.c ACPICA: Executer: Add interpreter tracing mode for method tracing facility 2015-07-23 23:09:07 +02:00
psscope.c
pstree.c ACPI: Enable build of AML interpreter debugger 2015-10-22 02:05:05 +02:00
psutils.c ACPI: Enable build of AML interpreter debugger 2015-10-22 02:05:05 +02:00
pswalk.c
psxface.c ACPICA: Executer: Add interpreter tracing mode for method tracing facility 2015-07-23 23:09:07 +02:00
rsaddr.c
rscalc.c
rscreate.c ACPICA: Namespace: Add function to directly return normalized full path 2015-07-23 23:09:06 +02:00
rsdump.c ACPICA: Remove unnecessary conditional compilation 2015-10-22 02:01:11 +02:00
rsdumpinfo.c
rsinfo.c
rsio.c
rsirq.c
rslist.c
rsmemory.c
rsmisc.c ACPICA: De-macroize calls to standard C library functions 2015-07-01 23:17:55 +02:00
rsserial.c
rsutils.c ACPI: Enable build of AML interpreter debugger 2015-10-22 02:05:05 +02:00
rsxface.c ACPI: Enable build of AML interpreter debugger 2015-10-22 02:05:05 +02:00
tbdata.c ACPICA: De-macroize calls to standard C library functions 2015-07-01 23:17:55 +02:00
tbfadt.c ACPICA: Tables: Fix FADT dependency regression 2015-10-14 22:48:13 +02:00
tbfind.c ACPICA: Update parameter validation for data_table_region and load_table 2015-08-25 23:11:31 +02:00
tbinstal.c ACPICA: Tables: Fix global table list issues by removing fixed table indexes 2015-08-25 23:11:31 +02:00
tbprint.c ACPICA: De-macroize calls to standard C library functions 2015-07-01 23:17:55 +02:00
tbutils.c ACPICA: Tables: Fix FADT dependency regression 2015-10-14 22:48:13 +02:00
tbxface.c ACPICA: De-macroize calls to standard C library functions 2015-07-01 23:17:55 +02:00
tbxfload.c ACPICA: Table handling: Cleanup and update debug output for tools 2015-08-25 23:11:32 +02:00
tbxfroot.c ACPICA: Tables: Change acpi_find_root_pointer() to use acpi_physical_address. 2015-04-14 14:51:50 +02:00
utaddress.c ACPICA: Utilities: Cleanup to convert physical address printing formats. 2015-04-14 14:51:51 +02:00
utalloc.c ACPICA: De-macroize calls to standard C library functions 2015-07-01 23:17:55 +02:00
utbuffer.c ACPICA: De-macroize calls to standard C library functions 2015-07-01 23:17:55 +02:00
utcache.c ACPICA: De-macroize calls to standard C library functions 2015-07-01 23:17:55 +02:00
utcopy.c ACPICA: De-macroize calls to standard C library functions 2015-07-01 23:17:55 +02:00
utdebug.c ACPICA: Executer: Add OSL trace hook support 2015-07-23 23:09:07 +02:00
utdecode.c ACPICA: Improve typechecking, both compile-time and runtime 2015-10-22 02:01:12 +02:00
utdelete.c ACPICA: Executer: Add back pointing reference of method operand 2015-07-23 23:09:06 +02:00
uterror.c
uteval.c
utexcep.c
utfileio.c ACPICA: Update exception code for "file not found" error 2015-10-22 02:01:12 +02:00
utglobal.c Revert 'Revert "ACPICA: Permanently set _REV to the value '2'."' 2015-07-03 01:06:04 +02:00
uthex.c ACPICA: ACPI 6.0: Add support for NFIT table. 2015-05-22 03:22:21 +02:00
utids.c ACPICA: De-macroize calls to standard C library functions 2015-07-01 23:17:55 +02:00
utinit.c ACPICA: Debugger: Fix "terminate" command by cleaning up subsystem shutdown logic 2015-10-22 02:05:05 +02:00
utlock.c
utmath.c
utmisc.c ACPICA: Debugger: Cleanup debugging outputs to dump name path without trailing underscores 2015-08-25 23:11:33 +02:00
utmutex.c ACPICA: Debugger: Update mutexes used for multithreaded debugger 2015-10-22 02:01:12 +02:00
utnonansi.c ACPICA: Cleanup use of all non-ANSI local C library functions 2015-07-23 23:09:08 +02:00
utobject.c
utosi.c ACPICA: De-macroize calls to standard C library functions 2015-07-01 23:17:55 +02:00
utownerid.c
utpredef.c ACPICA: De-macroize calls to standard C library functions 2015-07-01 23:17:55 +02:00
utprint.c ACPICA: De-macroize calls to standard C library functions 2015-07-01 23:17:55 +02:00
utresrc.c
utstate.c ACPICA: Utilities: Remove unused acpi_ut_create_pkg_state_and_push(). 2015-04-14 14:51:52 +02:00
utstring.c ACPICA: Cleanup use of all non-ANSI local C library functions 2015-07-23 23:09:08 +02:00
uttrack.c ACPICA: De-macroize calls to standard C library functions 2015-07-01 23:17:55 +02:00
utuuid.c ACPICA: Utilities: Correct conditional compilation definitions. 2015-04-14 14:51:52 +02:00
utxface.c ACPI: Enable build of AML interpreter debugger 2015-10-22 02:05:05 +02:00
utxferror.c ACPICA: iASL/disassembler - fix possible fault for -e option. 2015-05-22 03:22:21 +02:00
utxfinit.c ACPICA: Debugger: Split debugger initialization/termination APIs 2015-08-25 23:11:33 +02:00
utxfmutex.c