Package: acpica-unix / 20200925-1

Metadata

Package Version Patches format
acpica-unix 20200925-1 3.0 (quilt)

Patch series

Patch File delta Description
fix_ftbfs_debian kfreebsd.patch | (download)

source/include/platform/acenv.h | 3 3 + 0 - 0 !
1 file changed, 3 insertions(+)

---
0001 Add in basic infrastructure for big endian support.patch | (download)

generate/unix/acpibin/Makefile | 1 1 + 0 - 0 !
generate/unix/acpidump/Makefile | 1 1 + 0 - 0 !
generate/unix/acpiexamples/Makefile | 1 1 + 0 - 0 !
generate/unix/acpiexec/Makefile | 1 1 + 0 - 0 !
generate/unix/acpihelp/Makefile | 1 1 + 0 - 0 !
generate/unix/iasl/Makefile | 1 1 + 0 - 0 !
source/components/utilities/utendian.c | 205 205 + 0 - 0 !
source/include/acutils.h | 26 26 + 0 - 0 !
source/include/platform/aclinux.h | 5 5 + 0 - 0 !
9 files changed, 242 insertions(+)

 [patch 01/40] add in basic infrastructure for big-endian support

This adds in some basic functions -- AcpiUtReadUint32(), for example,
to read a UINT32 value in little-endian form and return it in host-native
format -- along with AcpiUtWriteUint() that writes out an integer in
host-native format as a little-endian value.

But, to do that, I'm adding the functions in a new file: utendian.c.  So,
the header files need fixing, and the makefiles need to be sure to compile
the new code.

However, this sets things up for the future, where endian-aware code can
be added as the need is uncovered.  For now, these functions cover all of
the cases I know about.

Signed-off-by: Al Stone <ahs3@redhat.com>

0002 Modify utility functions to be endian agnostic.patch | (download)

source/common/acfileio.c | 16 10 + 6 - 0 !
source/common/dmtable.c | 8 4 + 4 - 0 !
source/compiler/dtfield.c | 2 1 + 1 - 0 !
source/compiler/dtsubtable.c | 4 2 + 2 - 0 !
source/components/tables/tbprint.c | 13 9 + 4 - 0 !
5 files changed, 26 insertions(+), 17 deletions(-)

 [patch 02/40] modify utility functions to be endian-agnostic

All of the modifications here use the big-endian code previously added
(see utendian.c) to make themselves endian-agnostic; i.e., that the code
does not need to change further to work on both big- and little-endian
machines.

These particular files were changed to handle the reading and writing
of files (the length is often embedded in the binary stream), and to
handle the reading and writing of integer values.  The common cases are
to "read" a 32-bit unsigned int in little-endian format, but convert it
to host-native, and to write a byte, word, double word or quad word value
as little-endian, regardless of host-native format.

Signed-off-by: Al Stone <ahs3@redhat.com>
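The pattern described in patches 01 and 02 (read a little-endian length out of a binary table, write integers back as little-endian regardless of host byte order), as an added example that is not code from ACPICA or from this patch series. The helper names `le32_read`, `le_write`, `check_table` and `build_sample_table` are hypothetical; the 36-byte header layout with the length at offset 4 and the checksum at offset 9 is the standard ACPI table header.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ACPI_HEADER_SIZE  36u  /* standard ACPI table header */
#define ACPI_OFF_LENGTH    4u  /* UINT32 table length, little-endian on disk */
#define ACPI_OFF_CHECKSUM  9u  /* all table bytes must sum to 0 mod 256 */

enum table_status { TABLE_OK, TABLE_TRUNCATED, TABLE_BAD_LENGTH, TABLE_BAD_CHECKSUM };

/* Assemble a little-endian UINT32 byte by byte: same result on any host. */
uint32_t le32_read(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Write a host-native integer as `width` little-endian bytes (1, 2, 4 or 8). */
void le_write(uint8_t *p, uint64_t value, size_t width)
{
    for (size_t i = 0; i < width; i++)
        p[i] = (uint8_t)(value >> (8 * i));
}

/* The host-order read that breaks on big-endian: 44 becomes 0x2C000000. */
uint32_t native_read_length(const uint8_t *table)
{
    uint32_t v;
    memcpy(&v, table + ACPI_OFF_LENGTH, sizeof v);
    return v;
}

/* Validate the embedded length against the buffer before trusting it. */
enum table_status check_table(const uint8_t *buf, size_t buf_len, uint32_t *length_out)
{
    if (buf_len < ACPI_HEADER_SIZE)
        return TABLE_TRUNCATED;

    uint32_t length = le32_read(buf + ACPI_OFF_LENGTH);
    if (length < ACPI_HEADER_SIZE || length > buf_len)
        return TABLE_BAD_LENGTH;

    uint8_t sum = 0;
    for (uint32_t i = 0; i < length; i++)
        sum = (uint8_t)(sum + buf[i]);
    if (sum != 0)
        return TABLE_BAD_CHECKSUM;

    *length_out = length;
    return TABLE_OK;
}

/* Constructed sample: "TEST" signature, 36-byte header plus an 8-byte body. */
size_t build_sample_table(uint8_t *buf, size_t cap)
{
    const uint32_t length = ACPI_HEADER_SIZE + 8;
    if (cap < length)
        return 0;
    memset(buf, 0, length);
    memcpy(buf, "TEST", 4);
    le_write(buf + ACPI_OFF_LENGTH, length, 4);
    buf[8] = 1;                                     /* revision */
    le_write(buf + ACPI_HEADER_SIZE, 0x1122334455667788ull, 8);

    uint8_t sum = 0;
    for (uint32_t i = 0; i < length; i++)
        sum = (uint8_t)(sum + buf[i]);
    buf[ACPI_OFF_CHECKSUM] = (uint8_t)(0u - sum);   /* make the bytes sum to 0 */
    return length;
}

int main(void)
{
    uint8_t buf[64];
    uint32_t length = 0;
    size_t n = build_sample_table(buf, sizeof buf);

    printf("status=%d length=%u\n", check_table(buf, n, &length), (unsigned)length);
    printf("host-order read of the same field: 0x%08x\n",
           (unsigned)native_read_length(buf));
    return 0;
}
```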

0003 Always display table header content in human readabl.patch | (download)

source/tools/acpibin/abcompare.c | 13 10 + 3 - 0 !
1 file changed, 10 insertions(+), 3 deletions(-)

 [patch 03/40] always display table header content in human-readable
 form

When comparing two binary data tables, little-endian values are read
from each table header and printed out.  Make sure they show up in a
form that makes sense to humans.

Signed-off-by: Al Stone <ahs3@redhat.com>

0004 Re enable support for big endian machines.patch | (download)

source/compiler/aslmain.c | 12 0 + 12 - 0 !
source/components/namespace/nsutils.c | 7 5 + 2 - 0 !
2 files changed, 5 insertions(+), 14 deletions(-)

 [patch 04/40] re-enable support for big-endian machines

First, disable the big-endian check and fail.  Then, make sure the
namespace gets initialized properly (NB: needed even if we are only
compiling/disassembling data tables).

Signed-off-by: Al Stone <ahs3@redhat.com>

0005 Support MADT aka APIC in a big endian world.patch | (download)

source/common/dmtbdump2.c | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

 [patch 05/40] support madt (aka apic) in a big-endian world

Signed-off-by: Al Stone <ahs3@redhat.com>

0006 Support ASF tables in a big endian world.patch | (download)

source/common/dmtbdump1.c | 10 6 + 4 - 0 !
1 file changed, 6 insertions(+), 4 deletions(-)

 [patch 06/40] support asf! tables in a big-endian world

Read the table length properly and it all works right for big-endian.

Signed-off-by: Al Stone <ahs3@redhat.com>

0007 Support CPEP tables in a big endian world.patch | (download)

source/common/dmtbdump1.c | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

 [patch 07/40] support cpep tables in a big-endian world

Signed-off-by: Al Stone <ahs3@redhat.com>

0008 Support DBG2 table in a big endian world.patch | (download)

source/common/dmtbdump1.c | 35 19 + 16 - 0 !
source/compiler/dttable1.c | 43 27 + 16 - 0 !
2 files changed, 46 insertions(+), 32 deletions(-)

 [patch 08/40] support dbg2 table in a big-endian world

Signed-off-by: Al Stone <ahs3@redhat.com>

0009 Support DMAR in a big endian world.patch | (download)

source/common/dmtable.c | 4 2 + 2 - 0 !
source/common/dmtbdump1.c | 26 15 + 11 - 0 !
source/compiler/dttable1.c | 12 7 + 5 - 0 !
3 files changed, 24 insertions(+), 18 deletions(-)

 [patch 09/40] support dmar in a big-endian world

Signed-off-by: Al Stone <ahs3@redhat.com>

0010 Support DRTM in a big endian world.patch | (download)

source/common/dmtbdump1.c | 25 15 + 10 - 0 !
source/compiler/dttable1.c | 6 4 + 2 - 0 !
2 files changed, 19 insertions(+), 12 deletions(-)

 [patch 10/40] support drtm in a big-endian world

Signed-off-by: Al Stone <ahs3@redhat.com>

0011 Support EINJ in a big endian world.patch | (download)

source/common/dmtbdump1.c | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

 [patch 11/40] support einj in a big-endian world

Signed-off-by: Al Stone <ahs3@redhat.com>

0012 Support ERST in a big endian world.patch | (download)

source/common/dmtbdump1.c | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

 [patch 12/40] support erst in a big-endian world

Signed-off-by: Al Stone <ahs3@redhat.com>

0013 Support FADT aka FACP in a big endian world.patch | (download)

source/common/dmtbdump.c | 25 13 + 12 - 0 !
source/components/tables/tbfadt.c | 34 25 + 9 - 0 !
2 files changed, 38 insertions(+), 21 deletions(-)

 [patch 13/40] support fadt (aka, facp) in a big-endian world

Signed-off-by: Al Stone <ahs3@redhat.com>

0014 Support most FPDTs in a big endian world.patch | (download)

source/common/dmtbdump1.c | 12 7 + 5 - 0 !
source/compiler/dttable1.c | 4 3 + 1 - 0 !
2 files changed, 10 insertions(+), 6 deletions(-)

 [patch 14/40] support most fpdts in a big-endian world

NB: there is no support for vendor specific records even in
the little-endian version.

Signed-off-by: Al Stone <ahs3@redhat.com>

0015 Support GTDT in a big endian world.patch | (download)

source/common/dmtbdump1.c | 13 9 + 4 - 0 !
source/compiler/dttable1.c | 9 7 + 2 - 0 !
2 files changed, 16 insertions(+), 6 deletions(-)

 [patch 15/40] support gtdt in a big-endian world

Signed-off-by: Al Stone <ahs3@redhat.com>

0016 Support HEST in a big endian world.patch | (download)

source/common/dmtbdump1.c | 10 6 + 4 - 0 !
source/compiler/dttable1.c | 4 3 + 1 - 0 !
2 files changed, 9 insertions(+), 5 deletions(-)

 [patch 16/40] support hest in a big-endian world

Signed-off-by: Al Stone <ahs3@redhat.com>

0017 Support RSDT RSD PTR in a big endian world.patch | (download)

source/common/dmtbdump.c | 5 3 + 2 - 0 !
1 file changed, 3 insertions(+), 2 deletions(-)

 [patch 17/40] support rsdt ('rsd ptr') in a big-endian world

Signed-off-by: Al Stone <ahs3@redhat.com>

0018 Support XSDT in a big endian world.patch | (download)

source/common/dmtbdump.c | 6 4 + 2 - 0 !
1 file changed, 4 insertions(+), 2 deletions(-)

 [patch 18/40] support xsdt in a big-endian world

Signed-off-by: Al Stone <ahs3@redhat.com>

0019 Support SRAT in a big endian world.patch | (download)

source/common/dmtbdump3.c | 9 5 + 4 - 0 !
1 file changed, 5 insertions(+), 4 deletions(-)

 [patch 19/40] support srat in a big-endian world

Signed-off-by: Al Stone <ahs3@redhat.com>

0020 Support SLIT in a big endian world.patch | (download)

source/common/dmtbdump3.c | 8 5 + 3 - 0 !
source/compiler/dttable2.c | 2 1 + 1 - 0 !
2 files changed, 6 insertions(+), 4 deletions(-)

 [patch 20/40] support slit in a big-endian world

Signed-off-by: Al Stone <ahs3@redhat.com>

0021 Support MSCT in a big endian world.patch | (download)

source/common/dmtbdump2.c | 7 4 + 3 - 0 !
1 file changed, 4 insertions(+), 3 deletions(-)

 [patch 21/40] support msct in a big-endian world

Signed-off-by: Al Stone <ahs3@redhat.com>

0022 Support MPST in a big endian world.patch | (download)

source/common/dmtbdump2.c | 33 19 + 14 - 0 !
source/compiler/dttable2.c | 8 4 + 4 - 0 !
2 files changed, 23 insertions(+), 18 deletions(-)

 [patch 22/40] support mpst in a big-endian world

Signed-off-by: Al Stone <ahs3@redhat.com>

0023 Support NFIT in a big endian world.patch | (download)

source/common/dmtable.c | 4 2 + 2 - 0 !
source/common/dmtbdump2.c | 47 28 + 19 - 0 !
source/compiler/dttable2.c | 11 8 + 3 - 0 !
3 files changed, 38 insertions(+), 24 deletions(-)

 [patch 23/40] support nfit in a big-endian world

Signed-off-by: Al Stone <ahs3@redhat.com>

0024 Support SDEV in a big endian world.patch | (download)

source/common/dmtbdump2.c | 50 27 + 23 - 0 !
source/compiler/dttable2.c | 52 38 + 14 - 0 !
2 files changed, 65 insertions(+), 37 deletions(-)

 [patch 24/40] support sdev in a big-endian world

Signed-off-by: Al Stone <ahs3@redhat.com>

0025 Support HMAT in a big endian world.patch | (download)

source/common/dmtbdump1.c | 70 40 + 30 - 0 !
source/compiler/dttable1.c | 24 19 + 5 - 0 !
2 files changed, 59 insertions(+), 35 deletions(-)

 [patch 25/40] support hmat in a big-endian world

Signed-off-by: Al Stone <ahs3@redhat.com>

0026 Support PDTT in a big endian world.patch | (download)

source/common/dmtbdump2.c | 8 4 + 4 - 0 !
1 file changed, 4 insertions(+), 4 deletions(-)

 [patch 26/40] support pdtt in a big-endian world

Signed-off-by: Al Stone <ahs3@redhat.com>

0027 Support PPTT in a big endian world.patch | (download)

source/common/dmtbdump2.c | 15 9 + 6 - 0 !
source/compiler/dttable2.c | 7 5 + 2 - 0 !
2 files changed, 14 insertions(+), 8 deletions(-)

 [patch 27/40] support pptt in a big-endian world

Signed-off-by: Al Stone <ahs3@redhat.com>

0028 Support PCCT in a big endian world.patch | (download)

source/common/dmtbdump2.c | 10 5 + 5 - 0 !
1 file changed, 5 insertions(+), 5 deletions(-)

 [patch 28/40] support pcct in a big-endian world

Signed-off-by: Al Stone <ahs3@redhat.com>

0029 Support WDAT in a big endian world.patch | (download)

source/common/dmtbdump3.c | 7 4 + 3 - 0 !
1 file changed, 4 insertions(+), 3 deletions(-)

 [patch 29/40] support wdat in a big-endian world

Signed-off-by: Al Stone <ahs3@redhat.com>

0030 Support TCPA in a big endian world.patch | (download)

source/common/dmtbdump3.c | 13 8 + 5 - 0 !
source/compiler/dttable2.c | 4 3 + 1 - 0 !
2 files changed, 11 insertions(+), 6 deletions(-)

 [patch 30/40] support tcpa in a big-endian world

Signed-off-by: Al Stone <ahs3@redhat.com>

0031 Support STAO in a big endian world.patch | (download)

source/common/dmtbdump3.c | 6 3 + 3 - 0 !
1 file changed, 3 insertions(+), 3 deletions(-)

 [patch 31/40] support stao in a big-endian world

Signed-off-by: Al Stone <ahs3@redhat.com>

0032 Support SLIC and MSDM in a big endian world.patch | (download)

source/common/dmtbdump3.c | 5 3 + 2 - 0 !
1 file changed, 3 insertions(+), 2 deletions(-)

 [patch 32/40] support slic and msdm in a big-endian world

Signed-off-by: Al Stone <ahs3@redhat.com>

0033 Support MCFG in a big endian world.patch | (download)

source/common/dmtbdump2.c | 11 6 + 5 - 0 !
1 file changed, 6 insertions(+), 5 deletions(-)

 [patch 33/40] support mcfg in a big-endian world

Signed-off-by: Al Stone <ahs3@redhat.com>

0034 Support LPIT in a big endian world.patch | (download)

source/common/dmtbdump2.c | 8 4 + 4 - 0 !
1 file changed, 4 insertions(+), 4 deletions(-)

 [patch 34/40] support lpit in a big-endian world

Signed-off-by: Al Stone <ahs3@redhat.com>

0035 Support PMTT in a big endian world.patch | (download)

source/common/dmtbdump2.c | 66 37 + 29 - 0 !
source/compiler/dttable2.c | 5 4 + 1 - 0 !
2 files changed, 41 insertions(+), 30 deletions(-)

 [patch 35/40] support pmtt in a big-endian world

Signed-off-by: Al Stone <ahs3@redhat.com>

0036 Support IORT in a big endian world.patch | (download)

source/common/dmtbdump2.c | 73 43 + 30 - 0 !
source/compiler/dttable1.c | 37 21 + 16 - 0 !
2 files changed, 64 insertions(+), 46 deletions(-)

 [patch 36/40] support iort in a big-endian world

Signed-off-by: Al Stone <ahs3@redhat.com>

0037 Support IVRS in a big endian world.patch | (download)

source/common/dmtbdump2.c | 25 14 + 11 - 0 !
1 file changed, 14 insertions(+), 11 deletions(-)

 [patch 37/40] support ivrs in a big-endian world

Signed-off-by: Al Stone <ahs3@redhat.com>

0038 Support TPM2 in a big endian world.patch | (download)

source/common/dmtbdump3.c | 18 10 + 8 - 0 !
source/compiler/dttable2.c | 8 5 + 3 - 0 !
2 files changed, 15 insertions(+), 11 deletions(-)

 [patch 38/40] support tpm2 in a big-endian world

Signed-off-by: Al Stone <ahs3@redhat.com>

0039 Add partial big endian support for WPBT tables.patch | (download)

source/common/dmtbdump3.c | 8 4 + 4 - 0 !
source/compiler/dttable2.c | 3 2 + 1 - 0 !
2 files changed, 6 insertions(+), 5 deletions(-)

 [patch 1/5] add partial big-endian support for wpbt tables

There's some weirdness here that at present does not warrant
further investigation; this is just a really low priority table.

Signed-off-by: Al Stone <ahs3@redhat.com>

0040 Support DSDT SSDT in a big endian world.patch | (download)

source/common/dmrestag.c | 2 1 + 1 - 0 !
source/common/dmtables.c | 17 11 + 6 - 0 !
source/common/dmtbdump.c | 3 1 + 2 - 0 !
source/compiler/aslcodegen.c | 61 48 + 13 - 0 !
source/compiler/aslopcodes.c | 3 2 + 1 - 0 !
source/compiler/aslrestype1.c | 44 31 + 13 - 0 !
source/compiler/aslrestype1i.c | 33 19 + 14 - 0 !
source/compiler/aslrestype2.c | 20 15 + 5 - 0 !
source/compiler/aslrestype2d.c | 99 57 + 42 - 0 !
source/compiler/aslrestype2e.c | 90 60 + 30 - 0 !
source/compiler/aslrestype2q.c | 81 54 + 27 - 0 !
source/compiler/aslrestype2s.c | 214 181 + 33 - 0 !
source/compiler/aslrestype2w.c | 94 57 + 37 - 0 !
source/components/disassembler/dmbuffer.c | 10 5 + 5 - 0 !
source/components/disassembler/dmopcode.c | 8 4 + 4 - 0 !
source/components/disassembler/dmresrc.c | 2 1 + 1 - 0 !
source/components/disassembler/dmresrcl.c | 43 27 + 16 - 0 !
source/components/disassembler/dmresrcl2.c | 128 75 + 53 - 0 !
source/components/disassembler/dmresrcs.c | 18 11 + 7 - 0 !
source/components/disassembler/dmwalk.c | 2 1 + 1 - 0 !
source/components/dispatcher/dsfield.c | 16 13 + 3 - 0 !
source/components/namespace/nsaccess.c | 2 1 + 1 - 0 !
source/components/namespace/nsnames.c | 2 1 + 1 - 0 !
source/components/namespace/nsparse.c | 6 4 + 2 - 0 !
source/components/namespace/nsutils.c | 7 2 + 5 - 0 !
25 files changed, 682 insertions(+), 323 deletions(-)

 [patch 2/5] support dsdt/ssdt in a big-endian world

0041 Support MTMR in a big endian world.patch | (download)

source/common/dmtbdump2.c | 7 4 + 3 - 0 !
1 file changed, 4 insertions(+), 3 deletions(-)

 [patch 3/5] support mtmr in a big-endian world

Signed-off-by: Al Stone <ahs3@redhat.com>

0042 Support VRTC in a big endian world.patch | (download)

source/common/dmtbdump3.c | 7 4 + 3 - 0 !
1 file changed, 4 insertions(+), 3 deletions(-)

 [patch 4/5] support vrtc in a big-endian world


0043 Support S3PT in a big endian world.patch | (download)

source/common/dmtbdump2.c | 15 9 + 6 - 0 !
source/compiler/dttable2.c | 4 3 + 1 - 0 !
2 files changed, 12 insertions(+), 7 deletions(-)

 [patch 5/5] support s3pt in a big-endian world


0044 Correct an endian ness problem when converting ASL t.patch | (download)

source/compiler/cvparser.c | 5 3 + 2 - 0 !
1 file changed, 3 insertions(+), 2 deletions(-)

 [patch] correct an endian-ness problem when converting asl to asl+

Signed-off-by: Al Stone <ahs3@redhat.com>

0045 Correct a couple of endianness issues previously uns.patch | (download)

source/compiler/aslanalyze.c | 4 2 + 2 - 0 !
source/compiler/aslrestype1.c | 16 8 + 8 - 0 !
source/compiler/aslrestype1i.c | 2 1 + 1 - 0 !
3 files changed, 11 insertions(+), 11 deletions(-)

 [patch] correct a couple of endianness issues previously unseen

Just odds and ends of some resource types and ASL analysis

Signed-off-by: Al Stone <ahs3@redhat.com>

unaligned.patch | (download)

source/components/executer/exoparg2.c | 12 9 + 3 - 0 !
source/include/actypes.h | 27 13 + 14 - 0 !
2 files changed, 22 insertions(+), 17 deletions(-)

---
fix_ftbfs_debian hurd.patch | (download)

source/include/platform/acenv.h | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

---
add testing.patch | (download)

Makefile | 8 8 + 0 - 0 !
1 file changed, 8 insertions(+)

---
OPT_LDFLAGS.patch | (download)

generate/unix/Makefile.config | 8 8 + 0 - 0 !
1 file changed, 8 insertions(+)

---
int format.patch | (download)

source/compiler/aslerror.c | 2 1 + 1 - 0 !
source/compiler/aslopt.c | 2 1 + 1 - 0 !
source/compiler/aslprepkg.c | 2 1 + 1 - 0 !
source/components/debugger/dbexec.c | 2 1 + 1 - 0 !
source/components/dispatcher/dsmthdat.c | 4 2 + 2 - 0 !
source/components/dispatcher/dsutils.c | 2 1 + 1 - 0 !
source/components/dispatcher/dswscope.c | 4 2 + 2 - 0 !
source/components/events/evgpe.c | 2 1 + 1 - 0 !
source/components/executer/exdump.c | 2 1 + 1 - 0 !
source/components/executer/exfldio.c | 4 2 + 2 - 0 !
source/components/executer/exnames.c | 4 2 + 2 - 0 !
source/components/hardware/hwregs.c | 2 1 + 1 - 0 !
source/components/tables/tbfadt.c | 6 3 + 3 - 0 !
source/components/tables/tbxfroot.c | 6 3 + 3 - 0 !
source/components/utilities/utownerid.c | 2 1 + 1 - 0 !
15 files changed, 23 insertions(+), 23 deletions(-)

---
f23 harden.patch | (download)

generate/unix/Makefile.config | 2 2 + 0 - 0 !
generate/unix/iasl/Makefile | 17 9 + 8 - 0 !
2 files changed, 11 insertions(+), 8 deletions(-)

---
template.patch | (download)

tests/templates/Makefile | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

---
arm7hl.patch | (download)

source/include/acmacros.h | 3 3 + 0 - 0 !
1 file changed, 3 insertions(+)

---
cve 2017 13693.patch | (download)

source/components/dispatcher/dsutils.c | 9 8 + 1 - 0 !
1 file changed, 8 insertions(+), 1 deletion(-)

 [patch] acpi: acpica: fix acpi operand cache leak in dswstate.c

I found an ACPI cache leak in ACPI early termination and boot continuing case.

When early termination occurs due to malicious ACPI table, Linux kernel
terminates ACPI function and continues to boot process. While kernel terminates
ACPI function, kmem_cache_destroy() reports Acpi-Operand cache leak.

Boot log of ACPI operand cache leak is as follows:
>[    0.585957] ACPI: Added _OSI(Module Device)
>[    0.587218] ACPI: Added _OSI(Processor Device)
>[    0.588530] ACPI: Added _OSI(3.0 _SCP Extensions)
>[    0.589790] ACPI: Added _OSI(Processor Aggregator Device)
>[    0.591534] ACPI Error: Illegal I/O port address/length above 64K: C806E00000004002/0x2 (20170303/hwvalid-155)
>[    0.594351] ACPI Exception: AE_LIMIT, Unable to initialize fixed events (20170303/evevent-88)
>[    0.597858] ACPI: Unable to start the ACPI Interpreter
>[    0.599162] ACPI Error: Could not remove SCI handler (20170303/evmisc-281)
>[    0.601836] kmem_cache_destroy Acpi-Operand: Slab cache still has objects
>[    0.603556] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.12.0-rc5 #26
>[    0.605159] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
>[    0.609177] Call Trace:
>[    0.610063]  ? dump_stack+0x5c/0x81
>[    0.611118]  ? kmem_cache_destroy+0x1aa/0x1c0
>[    0.612632]  ? acpi_sleep_proc_init+0x27/0x27
>[    0.613906]  ? acpi_os_delete_cache+0xa/0x10
>[    0.617986]  ? acpi_ut_delete_caches+0x3f/0x7b
>[    0.619293]  ? acpi_terminate+0xa/0x14
>[    0.620394]  ? acpi_init+0x2af/0x34f
>[    0.621616]  ? __class_create+0x4c/0x80
>[    0.623412]  ? video_setup+0x7f/0x7f
>[    0.624585]  ? acpi_sleep_proc_init+0x27/0x27
>[    0.625861]  ? do_one_initcall+0x4e/0x1a0
>[    0.627513]  ? kernel_init_freeable+0x19e/0x21f
>[    0.628972]  ? rest_init+0x80/0x80
>[    0.630043]  ? kernel_init+0xa/0x100
>[    0.631084]  ? ret_from_fork+0x25/0x30
>[    0.633343] vgaarb: loaded
>[    0.635036] EDAC MC: Ver: 3.0.0
>[    0.638601] PCI: Probing PCI hardware
>[    0.639833] PCI host bridge to bus 0000:00
>[    0.641031] pci_bus 0000:00: root bus resource [io  0x0000-0xffff]
> ... Continue to boot and log is omitted ...

I analyzed this memory leak in detail and found acpi_ds_obj_stack_pop_and_delete()
function miscalculated the top of the stack. acpi_ds_obj_stack_push()
function uses walk_state->operand_index for start position of the top, but
acpi_ds_obj_stack_pop_and_delete() function considers index 0 for it.
Therefore, this causes acpi operand memory leak.

This cache leak causes a security threat because an old kernel (<= 4.9) shows
memory locations of kernel functions in stack dump. Some malicious users
could use this information to neutralize kernel ASLR.

I made a patch to fix ACPI operand cache leak.

Signed-off-by: Seunghun Han <kkamagui@gmail.com>

Github-Location: https://github.com/acpica/acpica/pull/295/commits/987a3b5cf7175916e2a4b6ea5b8e70f830dfe732

cve 2017 13694.patch | (download)

source/components/parser/psobject.c | 44 16 + 28 - 0 !
1 file changed, 16 insertions(+), 28 deletions(-)

 [patch] acpi: acpica: fix acpi parse and parseext cache leaks

I'm Seunghun Han, and I work for National Security Research Institute of
South Korea.

I have been doing research on ACPI and found an ACPI cache leak in ACPI
early abort cases.

Boot log of ACPI cache leak is as follows:
[    0.352414] ACPI: Added _OSI(Module Device)
[    0.353182] ACPI: Added _OSI(Processor Device)
[    0.353182] ACPI: Added _OSI(3.0 _SCP Extensions)
[    0.353182] ACPI: Added _OSI(Processor Aggregator Device)
[    0.356028] ACPI: Unable to start the ACPI Interpreter
[    0.356799] ACPI Error: Could not remove SCI handler (20170303/evmisc-281)
[    0.360215] kmem_cache_destroy Acpi-State: Slab cache still has objects
[    0.360648] CPU: 0 PID: 1 Comm: swapper/0 Tainted: G        W 4.12.0-rc4-next-20170608+ #10
[    0.361273] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
[    0.361873] Call Trace:
[    0.362243]  ? dump_stack+0x5c/0x81
[    0.362591]  ? kmem_cache_destroy+0x1aa/0x1c0
[    0.362944]  ? acpi_sleep_proc_init+0x27/0x27
[    0.363296]  ? acpi_os_delete_cache+0xa/0x10
[    0.363646]  ? acpi_ut_delete_caches+0x6d/0x7b
[    0.364000]  ? acpi_terminate+0xa/0x14
[    0.364000]  ? acpi_init+0x2af/0x34f
[    0.364000]  ? __class_create+0x4c/0x80
[    0.364000]  ? video_setup+0x7f/0x7f
[    0.364000]  ? acpi_sleep_proc_init+0x27/0x27
[    0.364000]  ? do_one_initcall+0x4e/0x1a0
[    0.364000]  ? kernel_init_freeable+0x189/0x20a
[    0.364000]  ? rest_init+0xc0/0xc0
[    0.364000]  ? kernel_init+0xa/0x100
[    0.364000]  ? ret_from_fork+0x25/0x30

I analyzed this memory leak in detail. I found that “Acpi-State” cache and
“Acpi-Parse” cache were merged because the size of cache objects was same
slab cache size.

I finally found “Acpi-Parse” cache and “Acpi-ParseExt” cache were leaked
using SLAB_NEVER_MERGE flag in kmem_cache_create() function.

Real ACPI cache leak point is as follows:
[    0.360101] ACPI: Added _OSI(Module Device)
[    0.360101] ACPI: Added _OSI(Processor Device)
[    0.360101] ACPI: Added _OSI(3.0 _SCP Extensions)
[    0.361043] ACPI: Added _OSI(Processor Aggregator Device)
[    0.364016] ACPI: Unable to start the ACPI Interpreter
[    0.365061] ACPI Error: Could not remove SCI handler (20170303/evmisc-281)
[    0.368174] kmem_cache_destroy Acpi-Parse: Slab cache still has objects
[    0.369332] CPU: 1 PID: 1 Comm: swapper/0 Tainted: G        W 4.12.0-rc4-next-20170608+ #8
[    0.371256] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
[    0.372000] Call Trace:
[    0.372000]  ? dump_stack+0x5c/0x81
[    0.372000]  ? kmem_cache_destroy+0x1aa/0x1c0
[    0.372000]  ? acpi_sleep_proc_init+0x27/0x27
[    0.372000]  ? acpi_os_delete_cache+0xa/0x10
[    0.372000]  ? acpi_ut_delete_caches+0x56/0x7b
[    0.372000]  ? acpi_terminate+0xa/0x14
[    0.372000]  ? acpi_init+0x2af/0x34f
[    0.372000]  ? __class_create+0x4c/0x80
[    0.372000]  ? video_setup+0x7f/0x7f
[    0.372000]  ? acpi_sleep_proc_init+0x27/0x27
[    0.372000]  ? do_one_initcall+0x4e/0x1a0
[    0.372000]  ? kernel_init_freeable+0x189/0x20a
[    0.372000]  ? rest_init+0xc0/0xc0
[    0.372000]  ? kernel_init+0xa/0x100
[    0.372000]  ? ret_from_fork+0x25/0x30
[    0.388039] kmem_cache_destroy Acpi-ParseExt: Slab cache still has objects
[    0.389063] CPU: 1 PID: 1 Comm: swapper/0 Tainted: G        W 4.12.0-rc4-next-20170608+ #8
[    0.390557] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
[    0.392000] Call Trace:
[    0.392000]  ? dump_stack+0x5c/0x81
[    0.392000]  ? kmem_cache_destroy+0x1aa/0x1c0
[    0.392000]  ? acpi_sleep_proc_init+0x27/0x27
[    0.392000]  ? acpi_os_delete_cache+0xa/0x10
[    0.392000]  ? acpi_ut_delete_caches+0x6d/0x7b
[    0.392000]  ? acpi_terminate+0xa/0x14
[    0.392000]  ? acpi_init+0x2af/0x34f
[    0.392000]  ? __class_create+0x4c/0x80
[    0.392000]  ? video_setup+0x7f/0x7f
[    0.392000]  ? acpi_sleep_proc_init+0x27/0x27
[    0.392000]  ? do_one_initcall+0x4e/0x1a0
[    0.392000]  ? kernel_init_freeable+0x189/0x20a
[    0.392000]  ? rest_init+0xc0/0xc0
[    0.392000]  ? kernel_init+0xa/0x100
[    0.392000]  ? ret_from_fork+0x25/0x30

When an early abort occurs due to invalid ACPI information, the Linux kernel
terminates ACPI by calling acpi_terminate() function. The function calls
acpi_ut_delete_caches() function to delete local caches
(acpi_gbl_namespace_cache, state_cache, operand_cache, ps_node_cache, ps_node_ext_cache).

But the deletion codes in acpi_ut_delete_caches() function only delete
slab caches using kmem_cache_destroy() function, therefore the cache
objects should be flushed before acpi_ut_delete_caches() function.

“Acpi-Parse” cache and “Acpi-ParseExt” cache are used in an AML parse
function, acpi_ps_parse_loop(). The function should have flush codes to
handle an error state due to invalid AML codes.

This cache leak has a security threat because an old kernel (<= 4.9) shows
memory locations of kernel functions in stack dump. Some malicious users
could use this information to neutralize kernel ASLR.

To fix ACPI cache leak for enhancing security, I made a patch which has
flush codes in acpi_ps_parse_loop() function.

I hope that this patch improves the security of Linux kernel.

Thank you.

Signed-off-by: Seunghun Han <kkamagui@gmail.com>

Github-Location: https://github.com/acpica/acpica/pull/278/commits/4a0243ecb4c94e2d73510d096c5ea4d0711fc6c0


cve 2017 13695.patch | (download)

source/components/namespace/nseval.c | 10 10 + 0 - 0 !
1 file changed, 10 insertions(+)

 [patch] acpi: acpica: fix acpi operand cache leak in nseval.c

I found an ACPI cache leak in ACPI early termination and boot continuing case.

When early termination occurs due to malicious ACPI table, Linux kernel
terminates ACPI function and continues to boot process. While kernel terminates
ACPI function, kmem_cache_destroy() reports Acpi-Operand cache leak.

Boot log of ACPI operand cache leak is as follows:
>[    0.464168] ACPI: Added _OSI(Module Device)
>[    0.467022] ACPI: Added _OSI(Processor Device)
>[    0.469376] ACPI: Added _OSI(3.0 _SCP Extensions)
>[    0.471647] ACPI: Added _OSI(Processor Aggregator Device)
>[    0.477997] ACPI Error: Null stack entry at ffff880215c0aad8 (20170303/exresop-174)
>[    0.482706] ACPI Exception: AE_AML_INTERNAL, While resolving operands for [OpcodeName unavailable] (20170303/dswexec-461)
>[    0.487503] ACPI Error: Method parse/execution failed [\DBG] (Node ffff88021710ab40), AE_AML_INTERNAL (20170303/psparse-543)
>[    0.492136] ACPI Error: Method parse/execution failed [\_SB._INI] (Node ffff88021710a618), AE_AML_INTERNAL (20170303/psparse-543)
>[    0.497683] ACPI: Interpreter enabled
>[    0.499385] ACPI: (supports S0)
>[    0.501151] ACPI: Using IOAPIC for interrupt routing
>[    0.503342] ACPI Error: Null stack entry at ffff880215c0aad8 (20170303/exresop-174)
>[    0.506522] ACPI Exception: AE_AML_INTERNAL, While resolving operands for [OpcodeName unavailable] (20170303/dswexec-461)
>[    0.510463] ACPI Error: Method parse/execution failed [\DBG] (Node ffff88021710ab40), AE_AML_INTERNAL (20170303/psparse-543)
>[    0.514477] ACPI Error: Method parse/execution failed [\_PIC] (Node ffff88021710ab18), AE_AML_INTERNAL (20170303/psparse-543)
>[    0.518867] ACPI Exception: AE_AML_INTERNAL, Evaluating _PIC (20170303/bus-991)
>[    0.522384] kmem_cache_destroy Acpi-Operand: Slab cache still has objects
>[    0.524597] CPU: 1 PID: 1 Comm: swapper/0 Not tainted 4.12.0-rc5 #26
>[    0.526795] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
>[    0.529668] Call Trace:
>[    0.530811]  ? dump_stack+0x5c/0x81
>[    0.532240]  ? kmem_cache_destroy+0x1aa/0x1c0
>[    0.533905]  ? acpi_os_delete_cache+0xa/0x10
>[    0.535497]  ? acpi_ut_delete_caches+0x3f/0x7b
>[    0.537237]  ? acpi_terminate+0xa/0x14
>[    0.538701]  ? acpi_init+0x2af/0x34f
>[    0.540008]  ? acpi_sleep_proc_init+0x27/0x27
>[    0.541593]  ? do_one_initcall+0x4e/0x1a0
>[    0.543008]  ? kernel_init_freeable+0x19e/0x21f
>[    0.546202]  ? rest_init+0x80/0x80
>[    0.547513]  ? kernel_init+0xa/0x100
>[    0.548817]  ? ret_from_fork+0x25/0x30
>[    0.550587] vgaarb: loaded
>[    0.551716] EDAC MC: Ver: 3.0.0
>[    0.553744] PCI: Probing PCI hardware
>[    0.555038] PCI host bridge to bus 0000:00
> ... Continue to boot and log is omitted ...

I analyzed this memory leak in detail and found AcpiNsEvaluate() function
only removes Info->ReturnObject in AE_CTRL_RETURN_VALUE case. But, when errors
occur, the status value is not AE_CTRL_RETURN_VALUE, and Info->ReturnObject is
also not null. Therefore, this causes acpi operand memory leak.

This cache leak causes a security threat because an old kernel (<= 4.9) shows
memory locations of kernel functions in stack dump. Some malicious users
could use this information to neutralize kernel ASLR.

I made a patch to fix ACPI operand cache leak.

Signed-off-by: Seunghun Han <kkamagui@gmail.com>

Github-Location: https://github.com/acpica/acpica/pull/296/commits/37f2c716f2c6ab14c3ba557a539c3ee3224931b5
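The boot logs quoted in the three CVE-2017-1369x commit messages share one signature: a `kmem_cache_destroy Acpi-*: Slab cache still has objects` line followed by a call trace. The scanner below is an added example, not part of the patches or of ACPICA, that finds that signature in a captured boot log and counts the trace frames printed after it. The names `scan_acpi_cache_leaks` and `struct cache_leak` are hypothetical, and `SAMPLE_LOG` is constructed from abridged lines in the format shown above.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_NAME 32

struct cache_leak {
    char cache[MAX_NAME];  /* leaked slab cache, e.g. "Acpi-Operand" */
    int  trace_frames;     /* "? symbol+0x.." lines printed after the report */
};

/* Constructed sample: abridged lines in the format of the logs quoted above. */
static const char SAMPLE_LOG[] =
    ">[    0.599162] ACPI Error: Could not remove SCI handler (20170303/evmisc-281)\n"
    ">[    0.601836] kmem_cache_destroy Acpi-Operand: Slab cache still has objects\n"
    ">[    0.603556] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.12.0-rc5 #26\n"
    ">[    0.609177] Call Trace:\n"
    ">[    0.610063]  ? dump_stack+0x5c/0x81\n"
    ">[    0.611118]  ? kmem_cache_destroy+0x1aa/0x1c0\n"
    ">[    0.617986]  ? acpi_ut_delete_caches+0x3f/0x7b\n"
    ">[    0.633343] vgaarb: loaded\n"
    "[    0.388039] kmem_cache_destroy Acpi-ParseExt: Slab cache still has objects\n"
    "[    0.392000] Call Trace:\n"
    "[    0.392000]  ? dump_stack+0x5c/0x81\n"
    "[    0.392000]  ? acpi_terminate+0xa/0x14\n";

/* Skip an optional '>' quote marker and a "[    0.123456] " timestamp. */
static const char *skip_prefix(const char *line)
{
    while (*line == '>' || *line == ' ')
        line++;
    if (*line == '[') {
        const char *end = strchr(line, ']');
        if (end) {
            line = end + 1;
            while (*line == ' ')
                line++;
        }
    }
    return line;
}

/* Fill `out` with up to `max` ACPI slab-leak reports; return how many were found. */
int scan_acpi_cache_leaks(const char *log, struct cache_leak *out, int max)
{
    static const char tag[]  = "kmem_cache_destroy ";
    static const char tail[] = ": Slab cache still has objects";
    struct cache_leak *cur = NULL;
    int found = 0, in_trace = 0;

    while (*log) {
        char line[256];
        size_t n = strcspn(log, "\n");
        size_t copy = n < sizeof line - 1 ? n : sizeof line - 1;
        memcpy(line, log, copy);
        line[copy] = '\0';
        log += n;
        if (*log == '\n')
            log++;

        const char *msg = skip_prefix(line);
        if (strncmp(msg, tag, sizeof tag - 1) == 0) {
            const char *name = msg + sizeof tag - 1;
            const char *end = strstr(name, tail);
            cur = NULL;
            in_trace = 0;
            if (end && strncmp(name, "Acpi-", 5) == 0 && found < max) {
                size_t len = (size_t)(end - name);
                if (len >= MAX_NAME)
                    len = MAX_NAME - 1;
                cur = &out[found++];
                memcpy(cur->cache, name, len);
                cur->cache[len] = '\0';
                cur->trace_frames = 0;
            }
        } else if (cur && strncmp(msg, "Call Trace:", 11) == 0) {
            in_trace = 1;
        } else if (cur && in_trace && msg[0] == '?') {
            cur->trace_frames++;         /* one stack frame exposed in the log */
        } else if (cur && in_trace) {
            cur = NULL;                  /* first non-frame line ends the trace */
            in_trace = 0;
        }
    }
    return found;
}

int main(void)
{
    struct cache_leak hits[4];
    int n = scan_acpi_cache_leaks(SAMPLE_LOG, hits, 4);
    for (int i = 0; i < n; i++)
        printf("%s leaked, %d trace frames logged\n", hits[i].cache, hits[i].trace_frames);
    return 0;
}
```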


str trunc warn.patch | (download)

source/compiler/aslanalyze.c | 9 7 + 2 - 0 !
source/compiler/aslpredef.c | 37 25 + 12 - 0 !
source/compiler/aslwalks.c | 8 6 + 2 - 0 !
3 files changed, 38 insertions(+), 16 deletions(-)

---
facp.patch | (download)

source/common/dmtbinfo.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 [patch] correct dsdt address field in facp tables

The FADT allows either the DSDT Address or XDSDT Address field to be
zero.  However, the table definition used by the table compiler still
requires the DSDT Address to be non-zero, which is not correct.  So,
remove the DT_NON_ZERO flag from the field.

Signed-off-by: Al Stone <ahs3@redhat.com>