
[1/2] ACPICA: Add additional debug info/statements

Message ID 20180720122021.14182-2-colin.king@canonical.com
State New
Series Fix for CVE-2017-11472 | expand

Commit Message

Colin Ian King July 20, 2018, 12:20 p.m. UTC
From: Bob Moore <robert.moore@intel.com>

CVE-2017-11472 - this CVE depends on this commit applied first

ACPICA commit 74094ca9f51e2652a9b5f01722d8640a653cc75a

For _REG methods and module-level code blocks.
For acpiexec, add deletion of module-level blocks in case
of an early abort.

Link: https://github.com/acpica/acpica/commit/74094ca9
Signed-off-by: Bob Moore <robert.moore@intel.com>
Signed-off-by: Lv Zheng <lv.zheng@intel.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
(clean upstream cherry pick of commit 25823e784aac78964ada0e49efe2766d2aeb9fa4)
Signed-off-by: Colin Ian King <colin.king@canonical.com>
---
 drivers/acpi/acpica/aclocal.h  |  7 +++++++
 drivers/acpi/acpica/evregion.c | 22 ++++++++++++++++++----
 drivers/acpi/acpica/nseval.c   |  3 ++-
 drivers/acpi/acpica/nsutils.c  | 17 +++++++++++++++++
 drivers/acpi/acpica/psloop.c   | 14 +++++++++++++-
 5 files changed, 57 insertions(+), 6 deletions(-)

Comments

Stefan Bader July 23, 2018, 1:30 p.m. UTC | #1
On 20.07.2018 14:20, Colin King wrote:
> From: Bob Moore <robert.moore@intel.com>
> 
> CVE-2017-11472 - this CVE depends on this commit applied first
                   ^ please do not add comments here
> 
> ACPICA commit 74094ca9f51e2652a9b5f01722d8640a653cc75a
> 
> For _REG methods and module-level code blocks.
> For acpiexec, add deletion of module-level blocks in case
> of an early abort.
> 
> Link: https://github.com/acpica/acpica/commit/74094ca9
> Signed-off-by: Bob Moore <robert.moore@intel.com>
> Signed-off-by: Lv Zheng <lv.zheng@intel.com>
> Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
> (clean upstream cherry pick of commit 25823e784aac78964ada0e49efe2766d2aeb9fa4)
> Signed-off-by: Colin Ian King <colin.king@canonical.com>
Acked-by: Stefan Bader <stefan.bader@canonical.com>
> ---

If additional text is added behind the CVE number it will be taken as part of
the changelog description and then start its own section.
The best place to add comments is either below the "---" or after the sha1
reference (which also needs fixing), like so:

(cherry picked from commit 25823e784aac78964ada0e49efe2766d2aeb9fa4)
[cking: pre-req for actual fix]

>  drivers/acpi/acpica/aclocal.h  |  7 +++++++
>  drivers/acpi/acpica/evregion.c | 22 ++++++++++++++++++----
>  drivers/acpi/acpica/nseval.c   |  3 ++-
>  drivers/acpi/acpica/nsutils.c  | 17 +++++++++++++++++
>  drivers/acpi/acpica/psloop.c   | 14 +++++++++++++-
>  5 files changed, 57 insertions(+), 6 deletions(-)
> 
> diff --git a/drivers/acpi/acpica/aclocal.h b/drivers/acpi/acpica/aclocal.h
> index 53ed1a8..e231f6b 100644
> --- a/drivers/acpi/acpica/aclocal.h
> +++ b/drivers/acpi/acpica/aclocal.h
> @@ -392,6 +392,13 @@ struct acpi_simple_repair_info {
>  
>  #define ACPI_NUM_RTYPES                 5	/* Number of actual object types */
>  
> +/* Info for running the _REG methods */
> +
> +struct acpi_reg_walk_info {
> +	acpi_adr_space_type space_id;
> +	u32 reg_run_count;
> +};
> +
>  /*****************************************************************************
>   *
>   * Event typedefs and structs
> diff --git a/drivers/acpi/acpica/evregion.c b/drivers/acpi/acpica/evregion.c
> index 144cbb9..6e6e8119 100644
> --- a/drivers/acpi/acpica/evregion.c
> +++ b/drivers/acpi/acpica/evregion.c
> @@ -600,9 +600,17 @@ acpi_ev_execute_reg_methods(struct acpi_namespace_node *node,
>  			    acpi_adr_space_type space_id)
>  {
>  	acpi_status status;
> +	struct acpi_reg_walk_info info;
>  
>  	ACPI_FUNCTION_TRACE(ev_execute_reg_methods);
>  
> +	info.space_id = space_id;
> +	info.reg_run_count = 0;
> +
> +	ACPI_DEBUG_PRINT_RAW((ACPI_DB_NAMES,
> +			      "    Running _REG methods for SpaceId %s\n",
> +			      acpi_ut_get_region_name(info.space_id)));
> +
>  	/*
>  	 * Run all _REG methods for all Operation Regions for this space ID. This
>  	 * is a separate walk in order to handle any interdependencies between
> @@ -611,7 +619,7 @@ acpi_ev_execute_reg_methods(struct acpi_namespace_node *node,
>  	 */
>  	status = acpi_ns_walk_namespace(ACPI_TYPE_ANY, node, ACPI_UINT32_MAX,
>  					ACPI_NS_WALK_UNLOCK, acpi_ev_reg_run,
> -					NULL, &space_id, NULL);
> +					NULL, &info, NULL);
>  
>  	/* Special case for EC: handle "orphan" _REG methods with no region */
>  
> @@ -619,6 +627,11 @@ acpi_ev_execute_reg_methods(struct acpi_namespace_node *node,
>  		acpi_ev_orphan_ec_reg_method(node);
>  	}
>  
> +	ACPI_DEBUG_PRINT_RAW((ACPI_DB_NAMES,
> +			      "    Executed %u _REG methods for SpaceId %s\n",
> +			      info.reg_run_count,
> +			      acpi_ut_get_region_name(info.space_id)));
> +
>  	return_ACPI_STATUS(status);
>  }
>  
> @@ -638,10 +651,10 @@ acpi_ev_reg_run(acpi_handle obj_handle,
>  {
>  	union acpi_operand_object *obj_desc;
>  	struct acpi_namespace_node *node;
> -	acpi_adr_space_type space_id;
>  	acpi_status status;
> +	struct acpi_reg_walk_info *info;
>  
> -	space_id = *ACPI_CAST_PTR(acpi_adr_space_type, context);
> +	info = ACPI_CAST_PTR(struct acpi_reg_walk_info, context);
>  
>  	/* Convert and validate the device handle */
>  
> @@ -670,13 +683,14 @@ acpi_ev_reg_run(acpi_handle obj_handle,
>  
>  	/* Object is a Region */
>  
> -	if (obj_desc->region.space_id != space_id) {
> +	if (obj_desc->region.space_id != info->space_id) {
>  
>  		/* This region is for a different address space, just ignore it */
>  
>  		return (AE_OK);
>  	}
>  
> +	info->reg_run_count++;
>  	status = acpi_ev_execute_reg_method(obj_desc, ACPI_REG_CONNECT);
>  	return (status);
>  }
> diff --git a/drivers/acpi/acpica/nseval.c b/drivers/acpi/acpica/nseval.c
> index 963ceef..1722d6d 100644
> --- a/drivers/acpi/acpica/nseval.c
> +++ b/drivers/acpi/acpica/nseval.c
> @@ -465,7 +465,8 @@ acpi_ns_exec_module_code(union acpi_operand_object *method_obj,
>  
>  	status = acpi_ns_evaluate(info);
>  
> -	ACPI_DEBUG_PRINT((ACPI_DB_INIT, "Executed module-level code at %p\n",
> +	ACPI_DEBUG_PRINT((ACPI_DB_INIT_NAMES,
> +			  "Executed module-level code at %p\n",
>  			  method_obj->method.aml_start));
>  
>  	/* Delete a possible implicit return value (in slack mode) */
> diff --git a/drivers/acpi/acpica/nsutils.c b/drivers/acpi/acpica/nsutils.c
> index 4a0665b..aca30b2 100644
> --- a/drivers/acpi/acpica/nsutils.c
> +++ b/drivers/acpi/acpica/nsutils.c
> @@ -597,6 +597,23 @@ void acpi_ns_terminate(void)
>  
>  	ACPI_FUNCTION_TRACE(ns_terminate);
>  
> +#ifdef ACPI_EXEC_APP
> +	{
> +		union acpi_operand_object *prev;
> +		union acpi_operand_object *next;
> +
> +		/* Delete any module-level code blocks */
> +
> +		next = acpi_gbl_module_code_list;
> +		while (next) {
> +			prev = next;
> +			next = next->method.mutex;
> +			prev->method.mutex = NULL;	/* Clear the Mutex (cheated) field */
> +			acpi_ut_remove_reference(prev);
> +		}
> +	}
> +#endif
> +
>  	/*
>  	 * Free the entire namespace -- all nodes and all objects
>  	 * attached to the nodes
> diff --git a/drivers/acpi/acpica/psloop.c b/drivers/acpi/acpica/psloop.c
> index 065b44a..94f53da 100644
> --- a/drivers/acpi/acpica/psloop.c
> +++ b/drivers/acpi/acpica/psloop.c
> @@ -324,6 +324,8 @@ acpi_ps_link_module_code(union acpi_parse_object *parent_op,
>  	union acpi_operand_object *method_obj;
>  	struct acpi_namespace_node *parent_node;
>  
> +	ACPI_FUNCTION_TRACE(ps_link_module_code);
> +
>  	/* Get the tail of the list */
>  
>  	prev = next = acpi_gbl_module_code_list;
> @@ -343,9 +345,13 @@ acpi_ps_link_module_code(union acpi_parse_object *parent_op,
>  
>  		method_obj = acpi_ut_create_internal_object(ACPI_TYPE_METHOD);
>  		if (!method_obj) {
> -			return;
> +			return_VOID;
>  		}
>  
> +		ACPI_DEBUG_PRINT((ACPI_DB_PARSE,
> +				  "Create/Link new code block: %p\n",
> +				  method_obj));
> +
>  		if (parent_op->common.node) {
>  			parent_node = parent_op->common.node;
>  		} else {
> @@ -370,8 +376,14 @@ acpi_ps_link_module_code(union acpi_parse_object *parent_op,
>  			prev->method.mutex = method_obj;
>  		}
>  	} else {
> +		ACPI_DEBUG_PRINT((ACPI_DB_PARSE,
> +				  "Appending to existing code block: %p\n",
> +				  prev));
> +
>  		prev->method.aml_length += aml_length;
>  	}
> +
> +	return_VOID;
>  }
>  
>  /*******************************************************************************
>

Patch

diff --git a/drivers/acpi/acpica/aclocal.h b/drivers/acpi/acpica/aclocal.h
index 53ed1a8..e231f6b 100644
--- a/drivers/acpi/acpica/aclocal.h
+++ b/drivers/acpi/acpica/aclocal.h
@@ -392,6 +392,13 @@  struct acpi_simple_repair_info {
 
 #define ACPI_NUM_RTYPES                 5	/* Number of actual object types */
 
+/* Info for running the _REG methods */
+
+struct acpi_reg_walk_info {
+	acpi_adr_space_type space_id;
+	u32 reg_run_count;
+};
+
 /*****************************************************************************
  *
  * Event typedefs and structs
diff --git a/drivers/acpi/acpica/evregion.c b/drivers/acpi/acpica/evregion.c
index 144cbb9..6e6e8119 100644
--- a/drivers/acpi/acpica/evregion.c
+++ b/drivers/acpi/acpica/evregion.c
@@ -600,9 +600,17 @@  acpi_ev_execute_reg_methods(struct acpi_namespace_node *node,
 			    acpi_adr_space_type space_id)
 {
 	acpi_status status;
+	struct acpi_reg_walk_info info;
 
 	ACPI_FUNCTION_TRACE(ev_execute_reg_methods);
 
+	info.space_id = space_id;
+	info.reg_run_count = 0;
+
+	ACPI_DEBUG_PRINT_RAW((ACPI_DB_NAMES,
+			      "    Running _REG methods for SpaceId %s\n",
+			      acpi_ut_get_region_name(info.space_id)));
+
 	/*
 	 * Run all _REG methods for all Operation Regions for this space ID. This
 	 * is a separate walk in order to handle any interdependencies between
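Review bot: The walk context changes type here with no visible update to the callback's documented contract: `info` is a `struct acpi_reg_walk_info` on this function's stack, it is passed as `&info` in the next hunk, and acpi_ev_reg_run (later evregion.c hunks) now reads `info->space_id` and writes `info->reg_run_count++` through that pointer. If any other call site still hands acpi_ev_reg_run a pointer to a bare `acpi_adr_space_type`, the increment would write past that object; no such caller is visible on this page, so it is worth confirming this is the only user. I would also state the type in the callback's header comment, e.g. `context - Pointer to struct acpi_reg_walk_info (space ID in, run count out)`. The body of acpi_ev_execute_reg_methods continues outside this hunk.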
@@ -611,7 +619,7 @@  acpi_ev_execute_reg_methods(struct acpi_namespace_node *node,
 	 */
 	status = acpi_ns_walk_namespace(ACPI_TYPE_ANY, node, ACPI_UINT32_MAX,
 					ACPI_NS_WALK_UNLOCK, acpi_ev_reg_run,
-					NULL, &space_id, NULL);
+					NULL, &info, NULL);
 
 	/* Special case for EC: handle "orphan" _REG methods with no region */
 
@@ -619,6 +627,11 @@  acpi_ev_execute_reg_methods(struct acpi_namespace_node *node,
 		acpi_ev_orphan_ec_reg_method(node);
 	}
 
+	ACPI_DEBUG_PRINT_RAW((ACPI_DB_NAMES,
+			      "    Executed %u _REG methods for SpaceId %s\n",
+			      info.reg_run_count,
+			      acpi_ut_get_region_name(info.space_id)));
+
 	return_ACPI_STATUS(status);
 }
 
@@ -638,10 +651,10 @@  acpi_ev_reg_run(acpi_handle obj_handle,
 {
 	union acpi_operand_object *obj_desc;
 	struct acpi_namespace_node *node;
-	acpi_adr_space_type space_id;
 	acpi_status status;
+	struct acpi_reg_walk_info *info;
 
-	space_id = *ACPI_CAST_PTR(acpi_adr_space_type, context);
+	info = ACPI_CAST_PTR(struct acpi_reg_walk_info, context);
 
 	/* Convert and validate the device handle */
 
@@ -670,13 +683,14 @@  acpi_ev_reg_run(acpi_handle obj_handle,
 
 	/* Object is a Region */
 
-	if (obj_desc->region.space_id != space_id) {
+	if (obj_desc->region.space_id != info->space_id) {
 
 		/* This region is for a different address space, just ignore it */
 
 		return (AE_OK);
 	}
 
+	info->reg_run_count++;
 	status = acpi_ev_execute_reg_method(obj_desc, ACPI_REG_CONNECT);
 	return (status);
 }
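Review bot: `info->reg_run_count++` runs before acpi_ev_execute_reg_method() and regardless of its status, so the "Executed %u _REG methods" line added in acpi_ev_execute_reg_methods counts regions that matched the space ID rather than methods that actually ran. If the count is meant to help diagnose a failed or skipped _REG, increment only on success: `status = acpi_ev_execute_reg_method(obj_desc, ACPI_REG_CONNECT);` followed by `if (ACPI_SUCCESS(status)) info->reg_run_count++;`. Whether acpi_ev_execute_reg_method returns AE_OK for a region that has no _REG method is not visible here; if it does, the message should say "regions" instead. The start of acpi_ev_reg_run lies outside this hunk.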
diff --git a/drivers/acpi/acpica/nseval.c b/drivers/acpi/acpica/nseval.c
index 963ceef..1722d6d 100644
--- a/drivers/acpi/acpica/nseval.c
+++ b/drivers/acpi/acpica/nseval.c
@@ -465,7 +465,8 @@  acpi_ns_exec_module_code(union acpi_operand_object *method_obj,
 
 	status = acpi_ns_evaluate(info);
 
-	ACPI_DEBUG_PRINT((ACPI_DB_INIT, "Executed module-level code at %p\n",
+	ACPI_DEBUG_PRINT((ACPI_DB_INIT_NAMES,
+			  "Executed module-level code at %p\n",
 			  method_obj->method.aml_start));
 
 	/* Delete a possible implicit return value (in slack mode) */
diff --git a/drivers/acpi/acpica/nsutils.c b/drivers/acpi/acpica/nsutils.c
index 4a0665b..aca30b2 100644
--- a/drivers/acpi/acpica/nsutils.c
+++ b/drivers/acpi/acpica/nsutils.c
@@ -597,6 +597,23 @@  void acpi_ns_terminate(void)
 
 	ACPI_FUNCTION_TRACE(ns_terminate);
 
+#ifdef ACPI_EXEC_APP
+	{
+		union acpi_operand_object *prev;
+		union acpi_operand_object *next;
+
+		/* Delete any module-level code blocks */
+
+		next = acpi_gbl_module_code_list;
+		while (next) {
+			prev = next;
+			next = next->method.mutex;
+			prev->method.mutex = NULL;	/* Clear the Mutex (cheated) field */
+			acpi_ut_remove_reference(prev);
+		}
+	}
+#endif
+
 	/*
 	 * Free the entire namespace -- all nodes and all objects
 	 * attached to the nodes
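Review bot: The cleanup loop drops the reference on every object linked from `acpi_gbl_module_code_list` but leaves the global head pointing at the first object it released. Anything that reads the list after acpi_ns_terminate() (for example a later re-initialisation in the same acpiexec process) would follow a stale pointer; no such reader is visible in this hunk, so treat this as hardening and add `acpi_gbl_module_code_list = NULL;` after the `while` loop. The block is compiled only under `ACPI_EXEC_APP`, so kernel builds are unaffected either way. acpi_ns_terminate's body continues outside the hunk.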
diff --git a/drivers/acpi/acpica/psloop.c b/drivers/acpi/acpica/psloop.c
index 065b44a..94f53da 100644
--- a/drivers/acpi/acpica/psloop.c
+++ b/drivers/acpi/acpica/psloop.c
@@ -324,6 +324,8 @@  acpi_ps_link_module_code(union acpi_parse_object *parent_op,
 	union acpi_operand_object *method_obj;
 	struct acpi_namespace_node *parent_node;
 
+	ACPI_FUNCTION_TRACE(ps_link_module_code);
+
 	/* Get the tail of the list */
 
 	prev = next = acpi_gbl_module_code_list;
@@ -343,9 +345,13 @@  acpi_ps_link_module_code(union acpi_parse_object *parent_op,
 
 		method_obj = acpi_ut_create_internal_object(ACPI_TYPE_METHOD);
 		if (!method_obj) {
-			return;
+			return_VOID;
 		}
 
+		ACPI_DEBUG_PRINT((ACPI_DB_PARSE,
+				  "Create/Link new code block: %p\n",
+				  method_obj));
+
 		if (parent_op->common.node) {
 			parent_node = parent_op->common.node;
 		} else {
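Review bot: The new `ACPI_DEBUG_PRINT` prints `method_obj` with `%p`, and the next hunk does the same for `prev`; both are addresses of internal ACPI objects. On a kernel whose printk does not hash `%p`, turning on the ACPI_DB_PARSE debug level would put raw kernel heap addresses in the log. These statements presumably exist only in builds with ACPI debug output compiled in, which limits the exposure, but it is worth either confirming the target kernel's `%p` behaviour or marking the lines with a comment such as `/* Debug only: prints a raw object address */`. acpi_ps_link_module_code starts and ends outside this hunk.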
@@ -370,8 +376,14 @@  acpi_ps_link_module_code(union acpi_parse_object *parent_op,
 			prev->method.mutex = method_obj;
 		}
 	} else {
+		ACPI_DEBUG_PRINT((ACPI_DB_PARSE,
+				  "Appending to existing code block: %p\n",
+				  prev));
+
 		prev->method.aml_length += aml_length;
 	}
+
+	return_VOID;
 }
 
 /*******************************************************************************