| Message ID | 20200916202540.400780-1-cascardo@canonical.com |
|---|---|
| State | New |
| Headers | show |
| Series | [SRU,oem-5.6] ACPI: configfs: Disallow loading ACPI tables when locked down | expand |
On 16.09.20 22:25, Thadeu Lima de Souza Cascardo wrote: > From: "Jason A. Donenfeld" <Jason@zx2c4.com> > > Like other vectors already patched, this one here allows the root > user to load ACPI tables, which enables arbitrary physical address > writes, which in turn makes it possible to disable lockdown. > > Prevents this by checking the lockdown status before allowing a new > ACPI table to be installed. The link in the trailer shows a PoC of > how this might be used. > > Link: https://git.zx2c4.com/american-unsigned-language/tree/american-unsigned-language-2.sh > Cc: 5.4+ <stable@vger.kernel.org> # 5.4+ > Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> > Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com> > (cherry picked from commit 75b0cea7bf307f362057cc778efe89af4c615354) > CVE-2020-15780 > Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com> Acked-by: Stefan Bader <stefan.bader@canonical.com> > --- sob order > drivers/acpi/acpi_configfs.c | 6 +++++- > 1 file changed, 5 insertions(+), 1 deletion(-) > > diff --git a/drivers/acpi/acpi_configfs.c b/drivers/acpi/acpi_configfs.c > index ece8c1a921cc..88c8af455ea3 100644 > --- a/drivers/acpi/acpi_configfs.c > +++ b/drivers/acpi/acpi_configfs.c > @@ -11,6 +11,7 @@ > #include <linux/module.h> > #include <linux/configfs.h> > #include <linux/acpi.h> > +#include <linux/security.h> > > #include "acpica/accommon.h" > #include "acpica/actables.h" > @@ -28,7 +29,10 @@ static ssize_t acpi_table_aml_write(struct config_item *cfg, > { > const struct acpi_table_header *header = data; > struct acpi_table *table; > - int ret; > + int ret = security_locked_down(LOCKDOWN_ACPI_TABLES); > + > + if (ret) > + return ret; > > table = container_of(cfg, struct acpi_table, cfg); > >
On 16/09/2020 21:25, Thadeu Lima de Souza Cascardo wrote: > From: "Jason A. Donenfeld" <Jason@zx2c4.com> > > Like other vectors already patched, this one here allows the root > user to load ACPI tables, which enables arbitrary physical address > writes, which in turn makes it possible to disable lockdown. > > Prevents this by checking the lockdown status before allowing a new > ACPI table to be installed. The link in the trailer shows a PoC of > how this might be used. > > Link: https://git.zx2c4.com/american-unsigned-language/tree/american-unsigned-language-2.sh > Cc: 5.4+ <stable@vger.kernel.org> # 5.4+ > Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> > Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com> > (cherry picked from commit 75b0cea7bf307f362057cc778efe89af4c615354) > CVE-2020-15780 > Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com> > --- > drivers/acpi/acpi_configfs.c | 6 +++++- > 1 file changed, 5 insertions(+), 1 deletion(-) > > diff --git a/drivers/acpi/acpi_configfs.c b/drivers/acpi/acpi_configfs.c > index ece8c1a921cc..88c8af455ea3 100644 > --- a/drivers/acpi/acpi_configfs.c > +++ b/drivers/acpi/acpi_configfs.c > @@ -11,6 +11,7 @@ > #include <linux/module.h> > #include <linux/configfs.h> > #include <linux/acpi.h> > +#include <linux/security.h> > > #include "acpica/accommon.h" > #include "acpica/actables.h" > @@ -28,7 +29,10 @@ static ssize_t acpi_table_aml_write(struct config_item *cfg, > { > const struct acpi_table_header *header = data; > struct acpi_table *table; > - int ret; > + int ret = security_locked_down(LOCKDOWN_ACPI_TABLES); > + > + if (ret) > + return ret; > > table = container_of(cfg, struct acpi_table, cfg); > > Clean cherry pick, makes sense. Regression potential is hard to spot, apart from users trying to do this when locked down and not being able to do so anymore. Acked-by: Colin Ian King <colin.king@canonical.com>
On 16.9.2020 23.25, Thadeu Lima de Souza Cascardo wrote: > From: "Jason A. Donenfeld" <Jason@zx2c4.com> > > Like other vectors already patched, this one here allows the root > user to load ACPI tables, which enables arbitrary physical address > writes, which in turn makes it possible to disable lockdown. > > Prevents this by checking the lockdown status before allowing a new > ACPI table to be installed. The link in the trailer shows a PoC of > how this might be used. > > Link: https://git.zx2c4.com/american-unsigned-language/tree/american-unsigned-language-2.sh > Cc: 5.4+ <stable@vger.kernel.org> # 5.4+ > Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> > Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com> > (cherry picked from commit 75b0cea7bf307f362057cc778efe89af4c615354) > CVE-2020-15780 > Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com> > --- > drivers/acpi/acpi_configfs.c | 6 +++++- > 1 file changed, 5 insertions(+), 1 deletion(-) > > diff --git a/drivers/acpi/acpi_configfs.c b/drivers/acpi/acpi_configfs.c > index ece8c1a921cc..88c8af455ea3 100644 > --- a/drivers/acpi/acpi_configfs.c > +++ b/drivers/acpi/acpi_configfs.c > @@ -11,6 +11,7 @@ > #include <linux/module.h> > #include <linux/configfs.h> > #include <linux/acpi.h> > +#include <linux/security.h> > > #include "acpica/accommon.h" > #include "acpica/actables.h" > @@ -28,7 +29,10 @@ static ssize_t acpi_table_aml_write(struct config_item *cfg, > { > const struct acpi_table_header *header = data; > struct acpi_table *table; > - int ret; > + int ret = security_locked_down(LOCKDOWN_ACPI_TABLES); > + > + if (ret) > + return ret; > > table = container_of(cfg, struct acpi_table, cfg); > > applied to oem-5.6, thanks
diff --git a/drivers/acpi/acpi_configfs.c b/drivers/acpi/acpi_configfs.c index ece8c1a921cc..88c8af455ea3 100644 --- a/drivers/acpi/acpi_configfs.c +++ b/drivers/acpi/acpi_configfs.c @@ -11,6 +11,7 @@ #include <linux/module.h> #include <linux/configfs.h> #include <linux/acpi.h> +#include <linux/security.h> #include "acpica/accommon.h" #include "acpica/actables.h" @@ -28,7 +29,10 @@ static ssize_t acpi_table_aml_write(struct config_item *cfg, { const struct acpi_table_header *header = data; struct acpi_table *table; - int ret; + int ret = security_locked_down(LOCKDOWN_ACPI_TABLES); + + if (ret) + return ret; table = container_of(cfg, struct acpi_table, cfg);