Message-ID: <c26f6cbc705a939c31c6da96a8100c7e6a02d30c.camel@intel.com>
Date:   Tue, 3 Jan 2023 02:17:43 +0000
From:   "Zhang, Rui" <rui.zhang@...el.com>
To:     "rjw@...ysocki.net" <rjw@...ysocki.net>,
        "linux-acpi@...r.kernel.org" <linux-acpi@...r.kernel.org>
CC:     "zh.nvgt@...il.com" <zh.nvgt@...il.com>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH] ACPI: Drop the custom_method debugfs interface

On Mon, 2023-01-02 at 18:05 +0100, Rafael J. Wysocki wrote:
> From: Rafael J. Wysocki <rafael.j.wysocki@...el.com>
> 
> The ACPI custom_method debugfs interface is security-sensitive and
> concurrent access to it is broken [1].
> 
> Moreover, the recipe for preparing a customized version of a given
> control method has changed at one point due to ACPICA changes, which
> has not been reflected in its documentation, so whoever used it
> before
> has had to adapt and no problems with it have been reported.
> 
> The latter likely means that the number of its users is limited at
> best
> and attempting to fix the issues mentioned above is likely not worth
> the
> effort.  Moreover, if it gets broken in the process, the breakage may
> not
> be readily discovered, so deleting it altogether appears to be a
> better
> option.
> 
> Accordingly, drop custom_method along with its (outdated anyway)
> documentation.
> 
> Link: 
> https://lore.kernel.org/linux-acpi/20221227063335.61474-1-zh.nvgt@gmail.com/
> # [1]
> Reported-by: Hang Zhang <zh.nvgt@...il.com>
> Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@...el.com>
> ---
>  Documentation/firmware-guide/acpi/method-customizing.rst |   89 ----
> --------

Documentation/firmware-guide/acpi/index.rst
needs to be updated as well.

thanks,
rui

>  drivers/acpi/Kconfig                                     |   14 --
>  drivers/acpi/Makefile                                    |    1 
>  drivers/acpi/custom_method.c                             |  103 ----
> -----------
>  4 files changed, 207 deletions(-)
> 
> Index: linux-pm/drivers/acpi/Kconfig
> ===================================================================
> --- linux-pm.orig/drivers/acpi/Kconfig
> +++ linux-pm/drivers/acpi/Kconfig
> @@ -444,20 +444,6 @@ config ACPI_HED
>  	  which is used to report some hardware errors notified via
>  	  SCI, mainly the corrected errors.
>  
> -config ACPI_CUSTOM_METHOD
> -	tristate "Allow ACPI methods to be inserted/replaced at run
> time"
> -	depends on DEBUG_FS
> -	help
> -	  This debug facility allows ACPI AML methods to be inserted
> and/or
> -	  replaced without rebooting the system. For details refer to:
> -	  Documentation/firmware-guide/acpi/method-customizing.rst.
> -
> -	  NOTE: This option is security sensitive, because it allows
> arbitrary
> -	  kernel memory to be written to by root (uid=0) users,
> allowing them
> -	  to bypass certain security measures (e.g. if root is not
> allowed to
> -	  load additional kernel modules after boot, this feature may
> be used
> -	  to override that restriction).
> -
>  config ACPI_BGRT
>  	bool "Boottime Graphics Resource Table support"
>  	depends on EFI && (X86 || ARM64)
> Index: linux-pm/drivers/acpi/Makefile
> ===================================================================
> --- linux-pm.orig/drivers/acpi/Makefile
> +++ linux-pm/drivers/acpi/Makefile
> @@ -101,7 +101,6 @@ obj-$(CONFIG_ACPI_SBS)		+= sbshc.o
>  obj-$(CONFIG_ACPI_SBS)		+= sbs.o
>  obj-$(CONFIG_ACPI_HED)		+= hed.o
>  obj-$(CONFIG_ACPI_EC_DEBUGFS)	+= ec_sys.o
> -obj-$(CONFIG_ACPI_CUSTOM_METHOD)+= custom_method.o
>  obj-$(CONFIG_ACPI_BGRT)		+= bgrt.o
>  obj-$(CONFIG_ACPI_CPPC_LIB)	+= cppc_acpi.o
>  obj-$(CONFIG_ACPI_SPCR_TABLE)	+= spcr.o
> Index: linux-pm/drivers/acpi/custom_method.c
> ===================================================================
> --- linux-pm.orig/drivers/acpi/custom_method.c
> +++ /dev/null
> @@ -1,103 +0,0 @@
> -// SPDX-License-Identifier: GPL-2.0-only
> -/*
> - * custom_method.c - debugfs interface for customizing ACPI control
> method
> - */
> -
> -#include <linux/init.h>
> -#include <linux/module.h>
> -#include <linux/kernel.h>
> -#include <linux/uaccess.h>
> -#include <linux/debugfs.h>
> -#include <linux/acpi.h>
> -#include <linux/security.h>
> -
> -#include "internal.h"
> -
> -MODULE_LICENSE("GPL");
> -
> -static struct dentry *cm_dentry;
> -
> -/* /sys/kernel/debug/acpi/custom_method */
> -
> -static ssize_t cm_write(struct file *file, const char __user
> *user_buf,
> -			size_t count, loff_t *ppos)
> -{
> -	static char *buf;
> -	static u32 max_size;
> -	static u32 uncopied_bytes;
> -
> -	struct acpi_table_header table;
> -	acpi_status status;
> -	int ret;
> -
> -	ret = security_locked_down(LOCKDOWN_ACPI_TABLES);
> -	if (ret)
> -		return ret;
> -
> -	if (!(*ppos)) {
> -		/* parse the table header to get the table length */
> -		if (count <= sizeof(struct acpi_table_header))
> -			return -EINVAL;
> -		if (copy_from_user(&table, user_buf,
> -				   sizeof(struct acpi_table_header)))
> -			return -EFAULT;
> -		uncopied_bytes = max_size = table.length;
> -		/* make sure the buf is not allocated */
> -		kfree(buf);
> -		buf = kzalloc(max_size, GFP_KERNEL);
> -		if (!buf)
> -			return -ENOMEM;
> -	}
> -
> -	if (buf == NULL)
> -		return -EINVAL;
> -
> -	if ((*ppos > max_size) ||
> -	    (*ppos + count > max_size) ||
> -	    (*ppos + count < count) ||
> -	    (count > uncopied_bytes)) {
> -		kfree(buf);
> -		buf = NULL;
> -		return -EINVAL;
> -	}
> -
> -	if (copy_from_user(buf + (*ppos), user_buf, count)) {
> -		kfree(buf);
> -		buf = NULL;
> -		return -EFAULT;
> -	}
> -
> -	uncopied_bytes -= count;
> -	*ppos += count;
> -
> -	if (!uncopied_bytes) {
> -		status = acpi_install_method(buf);
> -		kfree(buf);
> -		buf = NULL;
> -		if (ACPI_FAILURE(status))
> -			return -EINVAL;
> -		add_taint(TAINT_OVERRIDDEN_ACPI_TABLE,
> LOCKDEP_NOW_UNRELIABLE);
> -	}
> -
> -	return count;
> -}
> -
> -static const struct file_operations cm_fops = {
> -	.write = cm_write,
> -	.llseek = default_llseek,
> -};
> -
> -static int __init acpi_custom_method_init(void)
> -{
> -	cm_dentry = debugfs_create_file("custom_method", S_IWUSR,
> -					acpi_debugfs_dir, NULL,
> &cm_fops);
> -	return 0;
> -}
> -
> -static void __exit acpi_custom_method_exit(void)
> -{
> -	debugfs_remove(cm_dentry);
> -}
> -
> -module_init(acpi_custom_method_init);
> -module_exit(acpi_custom_method_exit);
> Index: linux-pm/Documentation/firmware-guide/acpi/method-
> customizing.rst
> ===================================================================
> --- linux-pm.orig/Documentation/firmware-guide/acpi/method-
> customizing.rst
> +++ /dev/null
> @@ -1,89 +0,0 @@
> -.. SPDX-License-Identifier: GPL-2.0
> -
> -=======================================
> -Linux ACPI Custom Control Method How To
> -=======================================
> -
> -:Author: Zhang Rui <rui.zhang@...el.com>
> -
> -
> -Linux supports customizing ACPI control methods at runtime.
> -
> -Users can use this to:
> -
> -1. override an existing method which may not work correctly,
> -   or just for debugging purposes.
> -2. insert a completely new method in order to create a missing
> -   method such as _OFF, _ON, _STA, _INI, etc.
> -
> -For these cases, it is far simpler to dynamically install a single
> -control method rather than override the entire DSDT, because kernel
> -rebuild/reboot is not needed and test result can be got in minutes.
> -
> -.. note::
> -
> -  - Only ACPI METHOD can be overridden, any other object types like
> -    "Device", "OperationRegion", are not recognized. Methods
> -    declared inside scope operators are also not supported.
> -
> -  - The same ACPI control method can be overridden for many times,
> -    and it's always the latest one that used by Linux/kernel.
> -
> -  - To get the ACPI debug object output (Store (AAAA, Debug)),
> -    please run::
> -
> -      echo 1 > /sys/module/acpi/parameters/aml_debug_output
> -
> -
> -1. override an existing method
> -==============================
> -a) get the ACPI table via ACPI sysfs I/F. e.g. to get the DSDT,
> -   just run "cat /sys/firmware/acpi/tables/DSDT > /tmp/dsdt.dat"
> -b) disassemble the table by running "iasl -d dsdt.dat".
> -c) rewrite the ASL code of the method and save it in a new file,
> -d) package the new file (psr.asl) to an ACPI table format.
> -   Here is an example of a customized \_SB._AC._PSR method::
> -
> -      DefinitionBlock ("", "SSDT", 1, "", "", 0x20080715)
> -      {
> -         Method (\_SB_.AC._PSR, 0, NotSerialized)
> -         {
> -            Store ("In AC _PSR", Debug)
> -            Return (ACON)
> -         }
> -      }
> -
> -   Note that the full pathname of the method in ACPI namespace
> -   should be used.
> -e) assemble the file to generate the AML code of the method.
> -   e.g. "iasl -vw 6084 psr.asl" (psr.aml is generated as a result)
> -   If parameter "-vw 6084" is not supported by your iASL compiler,
> -   please try a newer version.
> -f) mount debugfs by "mount -t debugfs none /sys/kernel/debug"
> -g) override the old method via the debugfs by running
> -   "cat /tmp/psr.aml > /sys/kernel/debug/acpi/custom_method"
> -
> -2. insert a new method
> -======================
> -This is easier than overriding an existing method.
> -We just need to create the ASL code of the method we want to
> -insert and then follow the step c) ~ g) in section 1.
> -
> -3. undo your changes
> -====================
> -The "undo" operation is not supported for a new inserted method
> -right now, i.e. we can not remove a method currently.
> -For an overridden method, in order to undo your changes, please
> -save a copy of the method original ASL code in step c) section 1,
> -and redo step c) ~ g) to override the method with the original one.
> -
> -
> -.. note:: We can use a kernel with multiple custom ACPI method
> running,
> -   But each individual write to debugfs can implement a SINGLE
> -   method override. i.e. if we want to insert/override multiple
> -   ACPI methods, we need to redo step c) ~ g) for multiple times.
> -
> -.. note:: Be aware that root can mis-use this driver to modify
> arbitrary
> -   memory and gain additional rights, if root's privileges got
> -   restricted (for example if root is not allowed to load additional
> -   modules after boot).
> 
> 
> 
