Package: acpica-unix / 20190509-1

Metadata

Package Version Patches format
acpica-unix 20190509-1 3.0 (quilt)

Patch series

view the series file
Patch File delta Description
fix_ftbfs_debian kfreebsd.patch | (download)

source/include/platform/acenv.h | 3 3 + 0 - 0 !
1 file changed, 3 insertions(+)

---
big endian.patch | (download)

source/common/acfileio.c | 16 10 + 6 - 0 !
source/common/dmswitch.c | 9 7 + 2 - 0 !
source/common/dmtable.c | 28 16 + 12 - 0 !
source/common/dmtables.c | 20 13 + 7 - 0 !
source/common/dmtbdump.c | 51 29 + 22 - 0 !
source/common/dmtbdump1.c | 196 116 + 80 - 0 !
source/common/dmtbdump2.c | 291 173 + 118 - 0 !
source/common/dmtbdump3.c | 72 45 + 27 - 0 !
source/compiler/aslanalyze.c | 4 2 + 2 - 0 !
source/compiler/aslcodegen.c | 109 65 + 44 - 0 !
source/compiler/asllookup.c | 8 6 + 2 - 0 !
source/compiler/aslmain.c | 12 0 + 12 - 0 !
source/compiler/aslopcodes.c | 4 3 + 1 - 0 !
source/compiler/aslrestype1.c | 68 47 + 21 - 0 !
source/compiler/aslrestype1i.c | 38 24 + 14 - 0 !
source/compiler/aslrestype2.c | 41 32 + 9 - 0 !
source/compiler/aslrestype2d.c | 134 76 + 58 - 0 !
source/compiler/aslrestype2e.c | 39 27 + 12 - 0 !
source/compiler/aslrestype2q.c | 117 75 + 42 - 0 !
source/compiler/aslrestype2s.c | 147 100 + 47 - 0 !
source/compiler/aslrestype2w.c | 127 75 + 52 - 0 !
source/compiler/dtfield.c | 22 21 + 1 - 0 !
source/compiler/dtsubtable.c | 19 17 + 2 - 0 !
source/compiler/dttable1.c | 100 65 + 35 - 0 !
source/compiler/dttable2.c | 52 38 + 14 - 0 !
source/components/disassembler/dmbuffer.c | 21 14 + 7 - 0 !
source/components/disassembler/dmopcode.c | 24 18 + 6 - 0 !
source/components/disassembler/dmresrcl.c | 53 32 + 21 - 0 !
source/components/disassembler/dmresrcl2.c | 87 56 + 31 - 0 !
source/components/disassembler/dmresrcs.c | 15 11 + 4 - 0 !
source/components/dispatcher/dsfield.c | 16 16 + 0 - 0 !
source/components/events/evgpeblk.c | 7 5 + 2 - 0 !
source/components/hardware/hwregs.c | 2 1 + 1 - 0 !
source/components/hardware/hwvalid.c | 7 6 + 1 - 0 !
source/components/namespace/nsaccess.c | 4 3 + 1 - 0 !
source/components/namespace/nsparse.c | 5 3 + 2 - 0 !
source/components/tables/tbdata.c | 4 3 + 1 - 0 !
source/components/tables/tbfadt.c | 36 25 + 11 - 0 !
source/components/tables/tbfind.c | 5 4 + 1 - 0 !
source/components/tables/tbprint.c | 16 11 + 5 - 0 !
source/components/tables/tbutils.c | 16 9 + 7 - 0 !
source/components/tables/tbxface.c | 5 4 + 1 - 0 !
source/components/tables/tbxfload.c | 4 3 + 1 - 0 !
source/include/acmacros.h | 37 27 + 10 - 0 !
source/include/platform/aclinux.h | 5 5 + 0 - 0 !
source/tools/acpiexec/aetables.c | 61 42 + 19 - 0 !
46 files changed, 1380 insertions(+), 774 deletions(-)

---
unaligned.patch | (download)

source/components/executer/exoparg2.c | 12 9 + 3 - 0 !
source/include/actypes.h | 27 13 + 14 - 0 !
2 files changed, 22 insertions(+), 17 deletions(-)

---
fix_ftbfs_debian hurd.patch | (download)

source/include/platform/acenv.h | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

---
add testing.patch | (download)

Makefile | 19 19 + 0 - 0 !
1 file changed, 19 insertions(+)

---
OPT_LDFLAGS.patch | (download)

generate/unix/Makefile.config | 8 8 + 0 - 0 !
1 file changed, 8 insertions(+)

---
int format.patch | (download)

source/compiler/aslerror.c | 2 1 + 1 - 0 !
source/compiler/aslopt.c | 2 1 + 1 - 0 !
source/compiler/aslprepkg.c | 2 1 + 1 - 0 !
source/components/debugger/dbexec.c | 2 1 + 1 - 0 !
source/components/dispatcher/dsmthdat.c | 4 2 + 2 - 0 !
source/components/dispatcher/dsutils.c | 2 1 + 1 - 0 !
source/components/dispatcher/dswscope.c | 4 2 + 2 - 0 !
source/components/events/evgpe.c | 2 1 + 1 - 0 !
source/components/executer/exdump.c | 2 1 + 1 - 0 !
source/components/executer/exfldio.c | 4 2 + 2 - 0 !
source/components/executer/exnames.c | 4 2 + 2 - 0 !
source/components/hardware/hwregs.c | 2 1 + 1 - 0 !
source/components/tables/tbfadt.c | 6 3 + 3 - 0 !
source/components/tables/tbxfroot.c | 6 3 + 3 - 0 !
source/components/utilities/utownerid.c | 2 1 + 1 - 0 !
15 files changed, 23 insertions(+), 23 deletions(-)

---
f23 harden.patch | (download)

generate/unix/Makefile.config | 2 2 + 0 - 0 !
generate/unix/iasl/Makefile | 13 7 + 6 - 0 !
2 files changed, 9 insertions(+), 6 deletions(-)

---
template.patch | (download)

tests/templates/Makefile | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

---
ppc64le.patch | (download)

source/include/platform/aclinux.h | 2 2 + 0 - 0 !
1 file changed, 2 insertions(+)

---
arm7hl.patch | (download)

source/include/acmacros.h | 3 3 + 0 - 0 !
1 file changed, 3 insertions(+)

---
big endian v2.patch | (download)

source/compiler/asllookup.c | 3 2 + 1 - 0 !
1 file changed, 2 insertions(+), 1 deletion(-)

---
simple 64bit.patch | (download)

source/include/platform/aclinux.h | 4 1 + 3 - 0 !
1 file changed, 1 insertion(+), 3 deletions(-)

 stop listing all 64bit architectures
 Check __LP64__ instead of maintaining a list of all
 64bit architectures.
mips be fix.patch | (download)

source/compiler/aslparseop.c | 11 10 + 1 - 0 !
source/include/platform/aclinux.h | 2 0 + 2 - 0 !
2 files changed, 10 insertions(+), 3 deletions(-)

---
cve 2017 13693.patch | (download)

source/components/dispatcher/dsutils.c | 9 8 + 1 - 0 !
1 file changed, 8 insertions(+), 1 deletion(-)

 [patch] acpi: acpica: fix acpi operand cache leak in dswstate.c

I found an ACPI cache leak in ACPI early termination and boot continuing case.

When early termination occurs due to malicious ACPI table, Linux kernel
terminates ACPI function and continues to boot process. While kernel terminates
ACPI function, kmem_cache_destroy() reports Acpi-Operand cache leak.

Boot log of ACPI operand cache leak is as follows:
>[    0.585957] ACPI: Added _OSI(Module Device)
>[    0.587218] ACPI: Added _OSI(Processor Device)
>[    0.588530] ACPI: Added _OSI(3.0 _SCP Extensions)
>[    0.589790] ACPI: Added _OSI(Processor Aggregator Device)
>[    0.591534] ACPI Error: Illegal I/O port address/length above 64K: C806E00000004002/0x2 (20170303/hwvalid-155)
>[    0.594351] ACPI Exception: AE_LIMIT, Unable to initialize fixed events (20170303/evevent-88)
>[    0.597858] ACPI: Unable to start the ACPI Interpreter
>[    0.599162] ACPI Error: Could not remove SCI handler (20170303/evmisc-281)
>[    0.601836] kmem_cache_destroy Acpi-Operand: Slab cache still has objects
>[    0.603556] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.12.0-rc5 #26
>[    0.605159] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
>[    0.609177] Call Trace:
>[    0.610063]  ? dump_stack+0x5c/0x81
>[    0.611118]  ? kmem_cache_destroy+0x1aa/0x1c0
>[    0.612632]  ? acpi_sleep_proc_init+0x27/0x27
>[    0.613906]  ? acpi_os_delete_cache+0xa/0x10
>[    0.617986]  ? acpi_ut_delete_caches+0x3f/0x7b
>[    0.619293]  ? acpi_terminate+0xa/0x14
>[    0.620394]  ? acpi_init+0x2af/0x34f
>[    0.621616]  ? __class_create+0x4c/0x80
>[    0.623412]  ? video_setup+0x7f/0x7f
>[    0.624585]  ? acpi_sleep_proc_init+0x27/0x27
>[    0.625861]  ? do_one_initcall+0x4e/0x1a0
>[    0.627513]  ? kernel_init_freeable+0x19e/0x21f
>[    0.628972]  ? rest_init+0x80/0x80
>[    0.630043]  ? kernel_init+0xa/0x100
>[    0.631084]  ? ret_from_fork+0x25/0x30
>[    0.633343] vgaarb: loaded
>[    0.635036] EDAC MC: Ver: 3.0.0
>[    0.638601] PCI: Probing PCI hardware
>[    0.639833] PCI host bridge to bus 0000:00
>[    0.641031] pci_bus 0000:00: root bus resource [io  0x0000-0xffff]
> ... Continue to boot and log is omitted ...

I analyzed this memory leak in detail and found acpi_ds_obj_stack_pop_and_
delete() function miscalculated the top of the stack. acpi_ds_obj_stack_push()
function uses walk_state->operand_index for start position of the top, but
acpi_ds_obj_stack_pop_and_delete() function considers index 0 for it.
Therefore, this causes acpi operand memory leak.

This cache leak causes a security threat because an old kernel (<= 4.9) shows
memory locations of kernel functions in stack dump. Some malicious users
could use this information to neutralize kernel ASLR.

I made a patch to fix ACPI operand cache leak.

Signed-off-by: Seunghun Han <kkamagui@gmail.com>

Github-Location: https://github.com/acpica/acpica/pull/295/commits/987a3b5cf7175916e2a4b6ea5b8e70f830dfe732

cve 2017 13694.patch | (download)

source/components/parser/psobject.c | 44 16 + 28 - 0 !
1 file changed, 16 insertions(+), 28 deletions(-)

 [patch] acpi: acpica: fix acpi parse and parseext cache leaks
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

I'm Seunghun Han, and I work for National Security Research Institute of
South Korea.

I have been doing a research on ACPI and found an ACPI cache leak in ACPI
early abort cases.

Boot log of ACPI cache leak is as follows:
[    0.352414] ACPI: Added _OSI(Module Device)
[    0.353182] ACPI: Added _OSI(Processor Device)
[    0.353182] ACPI: Added _OSI(3.0 _SCP Extensions)
[    0.353182] ACPI: Added _OSI(Processor Aggregator Device)
[    0.356028] ACPI: Unable to start the ACPI Interpreter
[    0.356799] ACPI Error: Could not remove SCI handler (20170303/evmisc-281)
[    0.360215] kmem_cache_destroy Acpi-State: Slab cache still has objects
[    0.360648] CPU: 0 PID: 1 Comm: swapper/0 Tainted: G        W
4.12.0-rc4-next-20170608+ #10
[    0.361273] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS
VirtualBox 12/01/2006
[    0.361873] Call Trace:
[    0.362243]  ? dump_stack+0x5c/0x81
[    0.362591]  ? kmem_cache_destroy+0x1aa/0x1c0
[    0.362944]  ? acpi_sleep_proc_init+0x27/0x27
[    0.363296]  ? acpi_os_delete_cache+0xa/0x10
[    0.363646]  ? acpi_ut_delete_caches+0x6d/0x7b
[    0.364000]  ? acpi_terminate+0xa/0x14
[    0.364000]  ? acpi_init+0x2af/0x34f
[    0.364000]  ? __class_create+0x4c/0x80
[    0.364000]  ? video_setup+0x7f/0x7f
[    0.364000]  ? acpi_sleep_proc_init+0x27/0x27
[    0.364000]  ? do_one_initcall+0x4e/0x1a0
[    0.364000]  ? kernel_init_freeable+0x189/0x20a
[    0.364000]  ? rest_init+0xc0/0xc0
[    0.364000]  ? kernel_init+0xa/0x100
[    0.364000]  ? ret_from_fork+0x25/0x30

I analyzed this memory leak in detail. I found that “Acpi-State” cache and
“Acpi-Parse” cache were merged because the size of cache objects was same
slab cache size.

I finally found “Acpi-Parse” cache and “Acpi-ParseExt” cache were leaked
using SLAB_NEVER_MERGE flag in kmem_cache_create() function.

Real ACPI cache leak point is as follows:
[    0.360101] ACPI: Added _OSI(Module Device)
[    0.360101] ACPI: Added _OSI(Processor Device)
[    0.360101] ACPI: Added _OSI(3.0 _SCP Extensions)
[    0.361043] ACPI: Added _OSI(Processor Aggregator Device)
[    0.364016] ACPI: Unable to start the ACPI Interpreter
[    0.365061] ACPI Error: Could not remove SCI handler (20170303/evmisc-281)
[    0.368174] kmem_cache_destroy Acpi-Parse: Slab cache still has objects
[    0.369332] CPU: 1 PID: 1 Comm: swapper/0 Tainted: G        W
4.12.0-rc4-next-20170608+ #8
[    0.371256] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS
VirtualBox 12/01/2006
[    0.372000] Call Trace:
[    0.372000]  ? dump_stack+0x5c/0x81
[    0.372000]  ? kmem_cache_destroy+0x1aa/0x1c0
[    0.372000]  ? acpi_sleep_proc_init+0x27/0x27
[    0.372000]  ? acpi_os_delete_cache+0xa/0x10
[    0.372000]  ? acpi_ut_delete_caches+0x56/0x7b
[    0.372000]  ? acpi_terminate+0xa/0x14
[    0.372000]  ? acpi_init+0x2af/0x34f
[    0.372000]  ? __class_create+0x4c/0x80
[    0.372000]  ? video_setup+0x7f/0x7f
[    0.372000]  ? acpi_sleep_proc_init+0x27/0x27
[    0.372000]  ? do_one_initcall+0x4e/0x1a0
[    0.372000]  ? kernel_init_freeable+0x189/0x20a
[    0.372000]  ? rest_init+0xc0/0xc0
[    0.372000]  ? kernel_init+0xa/0x100
[    0.372000]  ? ret_from_fork+0x25/0x30
[    0.388039] kmem_cache_destroy Acpi-ParseExt: Slab cache still has objects
[    0.389063] CPU: 1 PID: 1 Comm: swapper/0 Tainted: G        W
4.12.0-rc4-next-20170608+ #8
[    0.390557] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS
VirtualBox 12/01/2006
[    0.392000] Call Trace:
[    0.392000]  ? dump_stack+0x5c/0x81
[    0.392000]  ? kmem_cache_destroy+0x1aa/0x1c0
[    0.392000]  ? acpi_sleep_proc_init+0x27/0x27
[    0.392000]  ? acpi_os_delete_cache+0xa/0x10
[    0.392000]  ? acpi_ut_delete_caches+0x6d/0x7b
[    0.392000]  ? acpi_terminate+0xa/0x14
[    0.392000]  ? acpi_init+0x2af/0x34f
[    0.392000]  ? __class_create+0x4c/0x80
[    0.392000]  ? video_setup+0x7f/0x7f
[    0.392000]  ? acpi_sleep_proc_init+0x27/0x27
[    0.392000]  ? do_one_initcall+0x4e/0x1a0
[    0.392000]  ? kernel_init_freeable+0x189/0x20a
[    0.392000]  ? rest_init+0xc0/0xc0
[    0.392000]  ? kernel_init+0xa/0x100
[    0.392000]  ? ret_from_fork+0x25/0x30

When early abort is occurred due to invalid ACPI information, Linux kernel
terminates ACPI by calling acpi_terminate() function. The function calls
acpi_ut_delete_caches() function to delete local caches (acpi_gbl_namespace_
cache, state_cache, operand_cache, ps_node_cache, ps_node_ext_cache).

But the deletion codes in acpi_ut_delete_caches() function only delete
slab caches using kmem_cache_destroy() function, therefore the cache
objects should be flushed before acpi_ut_delete_caches() function.

“Acpi-Parse” cache and “Acpi-ParseExt” cache are used in an AML parse
function, acpi_ps_parse_loop(). The function should have flush codes to
handle an error state due to invalid AML codes.

This cache leak has a security threat because an old kernel (<= 4.9) shows
memory locations of kernel functions in stack dump. Some malicious users
could use this information to neutralize kernel ASLR.

To fix ACPI cache leak for enhancing security, I made a patch which has
flush codes in acpi_ps_parse_loop() function.

I hope that this patch improves the security of Linux kernel.

Thank you.

Signed-off-by: Seunghun Han <kkamagui@gmail.com>

Github-Location: https://github.com/acpica/acpica/pull/278/commits/4a0243ecb4c94e2d73510d096c5ea4d0711fc6c0


cve 2017 13695.patch | (download)

source/components/namespace/nseval.c | 10 10 + 0 - 0 !
1 file changed, 10 insertions(+)

 [patch] acpi: acpica: fix acpi operand cache leak in nseval.c

I found an ACPI cache leak in ACPI early termination and boot continuing case.

When early termination occurs due to malicious ACPI table, Linux kernel
terminates ACPI function and continues to boot process. While kernel terminates
ACPI function, kmem_cache_destroy() reports Acpi-Operand cache leak.

Boot log of ACPI operand cache leak is as follows:
>[    0.464168] ACPI: Added _OSI(Module Device)
>[    0.467022] ACPI: Added _OSI(Processor Device)
>[    0.469376] ACPI: Added _OSI(3.0 _SCP Extensions)
>[    0.471647] ACPI: Added _OSI(Processor Aggregator Device)
>[    0.477997] ACPI Error: Null stack entry at ffff880215c0aad8 (20170303/exresop-174)
>[    0.482706] ACPI Exception: AE_AML_INTERNAL, While resolving operands for [OpcodeName unavailable] (20170303/dswexec-461)
>[    0.487503] ACPI Error: Method parse/execution failed [\DBG] (Node ffff88021710ab40), AE_AML_INTERNAL (20170303/psparse-543)
>[    0.492136] ACPI Error: Method parse/execution failed [\_SB._INI] (Node ffff88021710a618), AE_AML_INTERNAL (20170303/psparse-543)
>[    0.497683] ACPI: Interpreter enabled
>[    0.499385] ACPI: (supports S0)
>[    0.501151] ACPI: Using IOAPIC for interrupt routing
>[    0.503342] ACPI Error: Null stack entry at ffff880215c0aad8 (20170303/exresop-174)
>[    0.506522] ACPI Exception: AE_AML_INTERNAL, While resolving operands for [OpcodeName unavailable] (20170303/dswexec-461)
>[    0.510463] ACPI Error: Method parse/execution failed [\DBG] (Node ffff88021710ab40), AE_AML_INTERNAL (20170303/psparse-543)
>[    0.514477] ACPI Error: Method parse/execution failed [\_PIC] (Node ffff88021710ab18), AE_AML_INTERNAL (20170303/psparse-543)
>[    0.518867] ACPI Exception: AE_AML_INTERNAL, Evaluating _PIC (20170303/bus-991)
>[    0.522384] kmem_cache_destroy Acpi-Operand: Slab cache still has objects
>[    0.524597] CPU: 1 PID: 1 Comm: swapper/0 Not tainted 4.12.0-rc5 #26
>[    0.526795] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
>[    0.529668] Call Trace:
>[    0.530811]  ? dump_stack+0x5c/0x81
>[    0.532240]  ? kmem_cache_destroy+0x1aa/0x1c0
>[    0.533905]  ? acpi_os_delete_cache+0xa/0x10
>[    0.535497]  ? acpi_ut_delete_caches+0x3f/0x7b
>[    0.537237]  ? acpi_terminate+0xa/0x14
>[    0.538701]  ? acpi_init+0x2af/0x34f
>[    0.540008]  ? acpi_sleep_proc_init+0x27/0x27
>[    0.541593]  ? do_one_initcall+0x4e/0x1a0
>[    0.543008]  ? kernel_init_freeable+0x19e/0x21f
>[    0.546202]  ? rest_init+0x80/0x80
>[    0.547513]  ? kernel_init+0xa/0x100
>[    0.548817]  ? ret_from_fork+0x25/0x30
>[    0.550587] vgaarb: loaded
>[    0.551716] EDAC MC: Ver: 3.0.0
>[    0.553744] PCI: Probing PCI hardware
>[    0.555038] PCI host bridge to bus 0000:00
> ... Continue to boot and log is omitted ...

I analyzed this memory leak in detail and found AcpiNsEvaluate() function
only removes Info->ReturnObject in AE_CTRL_RETURN_VALUE case. But, when errors
occur, the status value is not AE_CTRL_RETURN_VALUE, and Info->ReturnObject is
also not null. Therefore, this causes acpi operand memory leak.

This cache leak causes a security threat because an old kernel (<= 4.9) shows
memory locations of kernel functions in stack dump. Some malicious users
could use this information to neutralize kernel ASLR.

I made a patch to fix ACPI operand cache leak.

Signed-off-by: Seunghun Han <kkamagui@gmail.com>

Github-Location: https://github.com/acpica/acpica/pull/296/commits/37f2c716f2c6ab14c3ba557a539c3ee3224931b5


str trunc warn.patch | (download)

source/compiler/aslanalyze.c | 9 7 + 2 - 0 !
source/compiler/aslpredef.c | 37 25 + 12 - 0 !
source/compiler/aslwalks.c | 8 6 + 2 - 0 !
3 files changed, 38 insertions(+), 16 deletions(-)

---
ptr cast.patch | (download)

source/compiler/aslparseop.c | 4 4 + 0 - 0 !
source/components/tables/tbutils.c | 12 10 + 2 - 0 !
2 files changed, 14 insertions(+), 2 deletions(-)

---
aslcodegen.patch | (download)

source/compiler/aslcodegen.c | 5 3 + 2 - 0 !
1 file changed, 3 insertions(+), 2 deletions(-)

---