From patchwork Tue Jul 10 17:28:25 2018
From: Kleber Sacilotto de Souza
To: kernel-team@lists.ubuntu.com
Subject: [SRU][Trusty][PATCH 1/1] x86/acpi: Prevent out of bound access caused by broken ACPI tables
Date: Tue, 10 Jul 2018 19:28:25 +0200
Message-Id: <20180710172825.20738-2-kleber.souza@canonical.com>
In-Reply-To: <20180710172825.20738-1-kleber.souza@canonical.com>
From: Seunghun Han The bus_irq argument of mp_override_legacy_irq() is used as the index into the isa_irq_to_gsi[] array. The bus_irq argument originates from ACPI_MADT_TYPE_IO_APIC and ACPI_MADT_TYPE_INTERRUPT items in the ACPI tables, but is nowhere sanity checked. That allows broken or malicious ACPI tables to overwrite memory, which might cause malfunction, panic or arbitrary code execution. Add a sanity check and emit a warning when that triggers. [ tglx: Added warning and rewrote changelog ] Signed-off-by: Seunghun Han Signed-off-by: Thomas Gleixner Cc: security@kernel.org Cc: "Rafael J. Wysocki" Cc: stable@vger.kernel.org Signed-off-by: Ingo Molnar CVE-2017-11473 (cherry picked from commit dad5ab0db8deac535d03e3fe3d8f2892173fa6a4) Signed-off-by: Kleber Sacilotto de Souza Acked-by: Colin Ian King Acked-by: Stefan Bader --- arch/x86/kernel/acpi/boot.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/arch/x86/kernel/acpi/boot.c b/arch/x86/kernel/acpi/boot.c index 6c0b43bd024b..2c3cd05ba747 100644 --- a/arch/x86/kernel/acpi/boot.c +++ b/arch/x86/kernel/acpi/boot.c @@ -918,6 +918,14 @@ void __init mp_override_legacy_irq(u8 bus_irq, u8 polarity, u8 trigger, u32 gsi) int pin; struct mpc_intsrc mp_irq; + /* + * Check bus_irq boundary. + */ + if (bus_irq >= NR_IRQS_LEGACY) { + pr_warn("Invalid bus_irq %u for legacy override\n", bus_irq); + return; + } + /* * Convert 'gsi' to 'ioapic.pin'. */
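Review bot: the comment "Check bus_irq boundary." at the top of the hunk should say what the bound protects, namely that bus_irq is used as the index into isa_irq_to_gsi[] (as the changelog explains) and that NR_IRQS_LEGACY is that array's size, so a future resize of the array does not silently desynchronise the check; something like `/* bus_irq indexes isa_irq_to_gsi[NR_IRQS_LEGACY]; reject out-of-range MADT values */` would do. The `pr_warn(...)` followed by `return;` is the right failure mode here: the function is `void`, the caller has no fallback for a rejected override, and the warning leaves a boot-log trace that a firmware-supplied entry was discarded rather than letting it write past the array.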
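As an added illustration of the bound this patch introduces (this is not kernel code and not part of the patch), the following user-space C model parses constructed ACPI MADT Interrupt Source Override subtables and applies them to a 16-entry isa_irq_to_gsi table, dropping any entry whose source_irq would index past it. The subtable layout (type, length, bus, source_irq, 32-bit GSI, 16-bit flags) follows the ACPI MADT; the byte buffer, the stats struct and the function names are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#define NR_IRQS_LEGACY 16        /* size of the kernel's isa_irq_to_gsi[] */
#define MADT_INT_SRC_OVERRIDE 2  /* ACPI_MADT_TYPE_INTERRUPT_OVERRIDE subtable type */
#define INT_SRC_OVERRIDE_LEN 10  /* type, len, bus, source_irq, u32 gsi, u16 flags */

struct override_stats { int applied; int rejected; };
/* Walk MADT subtables (type byte, length byte, body) and apply Interrupt Source
 * Override entries to isa_irq_to_gsi[] with the bound the patch adds to
 * mp_override_legacy_irq(): an out-of-range source_irq is warned about and dropped. */
static struct override_stats apply_overrides(const uint8_t *buf, size_t len,
                                             uint32_t *isa_irq_to_gsi)
{
    struct override_stats st = {0, 0};
    size_t off = 0;
    while (off + 2 <= len) {
        uint8_t type = buf[off], elen = buf[off + 1];
        if (elen < 2 || off + elen > len)       /* truncated subtable: stop */
            break;
        if (type == MADT_INT_SRC_OVERRIDE && elen >= INT_SRC_OVERRIDE_LEN) {
            uint8_t bus_irq = buf[off + 3];     /* the index the patch checks */
            uint32_t gsi = (uint32_t)buf[off + 4] | (uint32_t)buf[off + 5] << 8 |
                           (uint32_t)buf[off + 6] << 16 | (uint32_t)buf[off + 7] << 24;
            if (bus_irq >= NR_IRQS_LEGACY) {
                fprintf(stderr, "Invalid bus_irq %u for legacy override\n", bus_irq);
                st.rejected++;
            } else {
                isa_irq_to_gsi[bus_irq] = gsi;
                st.applied++;
            }
        }
        off += elen;
    }
    return st;
}
/* Constructed sample: a normal override (ISA IRQ0 -> GSI2) followed by one with
 * source_irq 200, which unchecked code would use as index 200 into a 16-entry array. */
static const uint8_t sample_madt[] = {
    2, 10, 0,   0, 2, 0, 0, 0, 0, 0,
    2, 10, 0, 200, 9, 0, 0, 0, 0, 0,
};
static uint32_t g_table[NR_IRQS_LEGACY];
static struct override_stats run_sample(void)
{
    for (int i = 0; i < NR_IRQS_LEGACY; i++)
        g_table[i] = (uint32_t)i;               /* identity mapping, as at boot */
    return apply_overrides(sample_madt, sizeof sample_madt, g_table);
}
static uint32_t sample_gsi(uint8_t irq) { run_sample(); return g_table[irq]; }
```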