diff mbox series

[SRU,oem-5.6] ACPI: configfs: Disallow loading ACPI tables when locked down

Message ID 20200916202540.400780-1-cascardo@canonical.com
State New
Headers show
Series [SRU,oem-5.6] ACPI: configfs: Disallow loading ACPI tables when locked down | expand

Commit Message

Thadeu Lima de Souza Cascardo Sept. 16, 2020, 8:25 p.m. UTC
From: "Jason A. Donenfeld" <Jason@zx2c4.com>

Like other vectors already patched, this one here allows the root
user to load ACPI tables, which enables arbitrary physical address
writes, which in turn makes it possible to disable lockdown.

Prevents this by checking the lockdown status before allowing a new
ACPI table to be installed. The link in the trailer shows a PoC of
how this might be used.

Link: https://git.zx2c4.com/american-unsigned-language/tree/american-unsigned-language-2.sh
Cc: 5.4+ <stable@vger.kernel.org> # 5.4+
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
(cherry picked from commit 75b0cea7bf307f362057cc778efe89af4c615354)
CVE-2020-15780
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
---
 drivers/acpi/acpi_configfs.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

Comments

Stefan Bader Sept. 17, 2020, 7:48 a.m. UTC | #1
On 16.09.20 22:25, Thadeu Lima de Souza Cascardo wrote:
> From: "Jason A. Donenfeld" <Jason@zx2c4.com>
> 
> Like other vectors already patched, this one here allows the root
> user to load ACPI tables, which enables arbitrary physical address
> writes, which in turn makes it possible to disable lockdown.
> 
> Prevents this by checking the lockdown status before allowing a new
> ACPI table to be installed. The link in the trailer shows a PoC of
> how this might be used.
> 
> Link: https://git.zx2c4.com/american-unsigned-language/tree/american-unsigned-language-2.sh
> Cc: 5.4+ <stable@vger.kernel.org> # 5.4+
> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
> Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
> (cherry picked from commit 75b0cea7bf307f362057cc778efe89af4c615354)
> CVE-2020-15780
> Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
Acked-by: Stefan Bader <stefan.bader@canonical.com>
> ---

sob order

>  drivers/acpi/acpi_configfs.c | 6 +++++-
>  1 file changed, 5 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/acpi/acpi_configfs.c b/drivers/acpi/acpi_configfs.c
> index ece8c1a921cc..88c8af455ea3 100644
> --- a/drivers/acpi/acpi_configfs.c
> +++ b/drivers/acpi/acpi_configfs.c
> @@ -11,6 +11,7 @@
>  #include <linux/module.h>
>  #include <linux/configfs.h>
>  #include <linux/acpi.h>
> +#include <linux/security.h>
>  
>  #include "acpica/accommon.h"
>  #include "acpica/actables.h"
> @@ -28,7 +29,10 @@ static ssize_t acpi_table_aml_write(struct config_item *cfg,
>  {
>  	const struct acpi_table_header *header = data;
>  	struct acpi_table *table;
> -	int ret;
> +	int ret = security_locked_down(LOCKDOWN_ACPI_TABLES);
> +
> +	if (ret)
> +		return ret;
>  
>  	table = container_of(cfg, struct acpi_table, cfg);
>  
>
Colin King Sept. 17, 2020, 8:19 a.m. UTC | #2
On 16/09/2020 21:25, Thadeu Lima de Souza Cascardo wrote:
> From: "Jason A. Donenfeld" <Jason@zx2c4.com>
> 
> Like other vectors already patched, this one here allows the root
> user to load ACPI tables, which enables arbitrary physical address
> writes, which in turn makes it possible to disable lockdown.
> 
> Prevents this by checking the lockdown status before allowing a new
> ACPI table to be installed. The link in the trailer shows a PoC of
> how this might be used.
> 
> Link: https://git.zx2c4.com/american-unsigned-language/tree/american-unsigned-language-2.sh
> Cc: 5.4+ <stable@vger.kernel.org> # 5.4+
> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
> Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
> (cherry picked from commit 75b0cea7bf307f362057cc778efe89af4c615354)
> CVE-2020-15780
> Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
> ---
>  drivers/acpi/acpi_configfs.c | 6 +++++-
>  1 file changed, 5 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/acpi/acpi_configfs.c b/drivers/acpi/acpi_configfs.c
> index ece8c1a921cc..88c8af455ea3 100644
> --- a/drivers/acpi/acpi_configfs.c
> +++ b/drivers/acpi/acpi_configfs.c
> @@ -11,6 +11,7 @@
>  #include <linux/module.h>
>  #include <linux/configfs.h>
>  #include <linux/acpi.h>
> +#include <linux/security.h>
>  
>  #include "acpica/accommon.h"
>  #include "acpica/actables.h"
> @@ -28,7 +29,10 @@ static ssize_t acpi_table_aml_write(struct config_item *cfg,
>  {
>  	const struct acpi_table_header *header = data;
>  	struct acpi_table *table;
> -	int ret;
> +	int ret = security_locked_down(LOCKDOWN_ACPI_TABLES);
> +
> +	if (ret)
> +		return ret;
>  
>  	table = container_of(cfg, struct acpi_table, cfg);
>  
> 
Clean cherry pick, makes sense. Regression potential is hard to spot,
apart from users trying to do this when locked down and not being able
to do so anymore.

Acked-by: Colin Ian King <colin.king@canonical.com>
Timo Aaltonen Sept. 22, 2020, 11:53 a.m. UTC | #3
On 16.9.2020 23.25, Thadeu Lima de Souza Cascardo wrote:
> From: "Jason A. Donenfeld" <Jason@zx2c4.com>
> 
> Like other vectors already patched, this one here allows the root
> user to load ACPI tables, which enables arbitrary physical address
> writes, which in turn makes it possible to disable lockdown.
> 
> Prevents this by checking the lockdown status before allowing a new
> ACPI table to be installed. The link in the trailer shows a PoC of
> how this might be used.
> 
> Link: https://git.zx2c4.com/american-unsigned-language/tree/american-unsigned-language-2.sh
> Cc: 5.4+ <stable@vger.kernel.org> # 5.4+
> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
> Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
> (cherry picked from commit 75b0cea7bf307f362057cc778efe89af4c615354)
> CVE-2020-15780
> Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
> ---
>  drivers/acpi/acpi_configfs.c | 6 +++++-
>  1 file changed, 5 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/acpi/acpi_configfs.c b/drivers/acpi/acpi_configfs.c
> index ece8c1a921cc..88c8af455ea3 100644
> --- a/drivers/acpi/acpi_configfs.c
> +++ b/drivers/acpi/acpi_configfs.c
> @@ -11,6 +11,7 @@
>  #include <linux/module.h>
>  #include <linux/configfs.h>
>  #include <linux/acpi.h>
> +#include <linux/security.h>
>  
>  #include "acpica/accommon.h"
>  #include "acpica/actables.h"
> @@ -28,7 +29,10 @@ static ssize_t acpi_table_aml_write(struct config_item *cfg,
>  {
>  	const struct acpi_table_header *header = data;
>  	struct acpi_table *table;
> -	int ret;
> +	int ret = security_locked_down(LOCKDOWN_ACPI_TABLES);
> +
> +	if (ret)
> +		return ret;
>  
>  	table = container_of(cfg, struct acpi_table, cfg);
>  
> 

applied to oem-5.6, thanks
diff mbox series

Patch

diff --git a/drivers/acpi/acpi_configfs.c b/drivers/acpi/acpi_configfs.c
index ece8c1a921cc..88c8af455ea3 100644
--- a/drivers/acpi/acpi_configfs.c
+++ b/drivers/acpi/acpi_configfs.c
@@ -11,6 +11,7 @@ 
 #include <linux/module.h>
 #include <linux/configfs.h>
 #include <linux/acpi.h>
+#include <linux/security.h>
 
 #include "acpica/accommon.h"
 #include "acpica/actables.h"
@@ -28,7 +29,10 @@  static ssize_t acpi_table_aml_write(struct config_item *cfg,
 {
 	const struct acpi_table_header *header = data;
 	struct acpi_table *table;
-	int ret;
+	int ret = security_locked_down(LOCKDOWN_ACPI_TABLES);
+
+	if (ret)
+		return ret;
 
 	table = container_of(cfg, struct acpi_table, cfg);