lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <2603831.y6gs7thvtv@aspire.rjw.lan>
Date:   Fri, 24 Feb 2017 12:50:19 +0100
From:   "Rafael J. Wysocki" <rjw@...ysocki.net>
To:     Seunghun Han <kkamagui@...il.com>
Cc:     "Zheng, Lv" <lv.zheng@...el.com>,
        "linux-acpi@...r.kernel.org" <linux-acpi@...r.kernel.org>,
        "devel@...ica.org" <devel@...ica.org>,
        Robert Moore <robert.moore@...el.com>,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH v2] acpi: acpica: fix acpi operand cache leak

On Friday, February 24, 2017 08:52:42 PM Seunghun Han wrote:
> Hi, Lv Zheng.
> 
> I added my handcrafted ACPI table under your request, because
> "acpidump -c on" and "acpidump -c off" doesn't work.
> 
> 2017-02-21 19:36 GMT+09:00 Seunghun Han <kkamagui@...il.com>:
> > Hello,
> >
> > I attached the test results below,
> >
> > 2017-02-21 9:53 GMT+09:00 Rowafael J. Wysocki <rjw@...ysocki.net>:
> >> On Tuesday, February 21, 2017 12:33:08 AM Zheng, Lv wrote:
> >>> Hi,
> >>>
> >>> > From: linux-acpi-owner@...r.kernel.org [mailto:linux-acpi-owner@...r.kernel.org] On Behalf Of Seunghun
> >>> > Han
> >>> > Subject: [PATCH v2] acpi: acpica: fix acpi operand cache leak
> >>> >
> >>> > I'm Seunghun Han, and I work for National Security Research Institute of
> >>> > South Korea.
> >>> >
> >>> > I have been doing a research on ACPI and making a handcrafted ACPI table
> >>> > for my research.
> >>> > Errors of handcrafted ACPI tables are handled well in Linux kernel while boot
> >>> > process, and Linux kernel goes well without critical problems.
> >>> > But I found some ACPI operand cache leaks in ACPI early abort cases.
> >>> >
> >>> > Boot log of ACPI operand cache leak is as follows:
> >>> > >[    0.174332] ACPI: Added _OSI(Module Device)
> >>> > >[    0.175504] ACPI: Added _OSI(Processor Device)
> >>> > >[    0.176010] ACPI: Added _OSI(3.0 _SCP Extensions)
> >>> > >[    0.177032] ACPI: Added _OSI(Processor Aggregator Device)
> >>> > >[    0.178284] ACPI: SCI (IRQ16705) allocation failed
> >>> > >[    0.179352] ACPI Exception: AE_NOT_ACQUIRED, Unable to install System Control Interrupt handler
> >>> > (20160930/evevent-131)
> >>> > >[    0.180008] ACPI: Unable to start the ACPI Interpreter
> >>> > >[    0.181125] ACPI Error: Could not remove SCI handler (20160930/evmisc-281)
> >>> > >[    0.184068] kmem_cache_destroy Acpi-Operand: Slab cache still has objects
> >>> > >[    0.185358] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.10.0-rc3 #2
> >>> > >[    0.186820] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
> >>> > >[    0.188000] Call Trace:
> >>> > >[    0.188000]  ? dump_stack+0x5c/0x7d
> >>> > >[    0.188000]  ? kmem_cache_destroy+0x224/0x230
> >>> > >[    0.188000]  ? acpi_sleep_proc_init+0x22/0x22
> >>> > >[    0.188000]  ? acpi_os_delete_cache+0xa/0xd
> >>> > >[    0.188000]  ? acpi_ut_delete_caches+0x3f/0x7b
> >>> > >[    0.188000]  ? acpi_terminate+0x5/0xf
> >>> > >[    0.188000]  ? acpi_init+0x288/0x32e
> >>> > >[    0.188000]  ? __class_create+0x4c/0x80
> >>> > >[    0.188000]  ? video_setup+0x7a/0x7a
> >>> > >[    0.188000]  ? do_one_initcall+0x4e/0x1b0
> >>> > >[    0.188000]  ? kernel_init_freeable+0x194/0x21a
> >>> > >[    0.188000]  ? rest_init+0x80/0x80
> >>> > >[    0.188000]  ? kernel_init+0xa/0x100
> >>> > >[    0.188000]  ? ret_from_fork+0x25/0x30
> >>>
> >>> I'm more interested in the way of triggering AE_NOT_ACQUIRED error.
> >>> So could you send us the handcrafted ACPI table or both the "acpidump -c on" and "acpidump -c off" output?
> 
> I modified FACP, FACS, APIC table in VirtualBox for Linux.
> Here are raw dumps of table.

So, excuse me, but what's the security issue here?

You hacked your ACPI tables into pieces which requires root privileges anyway.

Thanks,
Rafael

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ