[SRU][Trusty][PATCH 0/1] Fix for CVE-2017-11473

[SRU][Trusty][PATCH 0/1] Fix for CVE-2017-11473

Kleber Souza
https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-11473.html

  Buffer overflow in the mp_override_legacy_irq() function in
  arch/x86/kernel/acpi/boot.c in the Linux kernel through 4.12.2 allows local
  users to gain privileges via a crafted ACPI table.

Clean cherry-pick of the upstream commit.

Seunghun Han (1):
  x86/acpi: Prevent out of bound access caused by broken ACPI tables

 arch/x86/kernel/acpi/boot.c | 8 ++++++++
 1 file changed, 8 insertions(+)

--
2.17.1


--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team
[SRU][Trusty][PATCH 1/1] x86/acpi: Prevent out of bound access caused by broken ACPI tables

Kleber Souza
From: Seunghun Han <[hidden email]>

The bus_irq argument of mp_override_legacy_irq() is used as the index into
the isa_irq_to_gsi[] array. The bus_irq argument originates from
ACPI_MADT_TYPE_IO_APIC and ACPI_MADT_TYPE_INTERRUPT items in the ACPI
tables, but is nowhere sanity checked.

That allows broken or malicious ACPI tables to overwrite memory, which
might cause malfunction, panic or arbitrary code execution.

Add a sanity check and emit a warning when that triggers.

[ tglx: Added warning and rewrote changelog ]

Signed-off-by: Seunghun Han <[hidden email]>
Signed-off-by: Thomas Gleixner <[hidden email]>
Cc: [hidden email]
Cc: "Rafael J. Wysocki" <[hidden email]>
Cc: [hidden email]
Signed-off-by: Ingo Molnar <[hidden email]>

CVE-2017-11473
(cherry picked from commit dad5ab0db8deac535d03e3fe3d8f2892173fa6a4)
Signed-off-by: Kleber Sacilotto de Souza <[hidden email]>
---
 arch/x86/kernel/acpi/boot.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/arch/x86/kernel/acpi/boot.c b/arch/x86/kernel/acpi/boot.c
index 6c0b43bd024b..2c3cd05ba747 100644
--- a/arch/x86/kernel/acpi/boot.c
+++ b/arch/x86/kernel/acpi/boot.c
@@ -918,6 +918,14 @@ void __init mp_override_legacy_irq(u8 bus_irq, u8 polarity, u8 trigger, u32 gsi)
  int pin;
  struct mpc_intsrc mp_irq;
 
+ /*
+ * Check bus_irq boundary.
+ */
+ if (bus_irq >= NR_IRQS_LEGACY) {
+ pr_warn("Invalid bus_irq %u for legacy override\n", bus_irq);
+ return;
+ }
+
  /*
  * Convert 'gsi' to 'ioapic.pin'.
  */
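Review bot: the rejection is invisible to the caller and the warning drops the rest of the entry. mp_override_legacy_irq() is `void __init` (hunk header), so after `return;` the caller continues as if the override had been applied, and `pr_warn("Invalid bus_irq %u for legacy override\n", bus_irq);` logs only the index, not the `gsi`, `polarity` or `trigger` that arrived with it, which is exactly what someone debugging a broken MADT would want. Suggest logging the GSI as well, e.g. `"Invalid bus_irq %u for legacy override (gsi %u)\n", bus_irq, gsi`, and prefixing it with FW_BUG since the source is firmware data. Minor style: the three-line `/* Check bus_irq boundary. */` block comment fits on one line.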
--
2.17.1


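The commit message above describes the bug in two sentences: a u8 `bus_irq` taken from a MADT subtable indexes `isa_irq_to_gsi[]` without a range check. The following user-space model is an added example, not code from the kernel, Ubuntu or this thread: it parses a constructed MADT blob (header plus two Interrupt Source Override subtables, laid out as the ACPI spec defines type 2: type, length, bus, source_irq, global_irq, flags), feeds each override through an unchecked and a checked version of the override routine, and counts how many words outside the 16-entry table get clobbered. The flat `struct kmem` memory model, the `TABLE_OFFSET` placement and the override entries are all assumptions made for the example so that the out-of-bounds write is observable rather than undefined.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NR_IRQS_LEGACY 16
#define ACPI_MADT_TYPE_INTERRUPT_OVERRIDE 2 /* subtable type per the ACPI spec */
#define MADT_HEADER_LEN 44                  /* 36-byte ACPI header + APIC addr + flags */

/* Constructed memory model: isa_irq_to_gsi[] sits at an offset inside one
 * larger array, so a bad u8 index (up to 255) lands on inspectable words
 * instead of on undefined memory. The real kernel has a bare u32[16]. */
#define TABLE_OFFSET 8
#define MEM_WORDS (TABLE_OFFSET + 256)

struct kmem { uint32_t words[MEM_WORDS]; };

static uint32_t *isa_irq_to_gsi(struct kmem *m) { return &m->words[TABLE_OFFSET]; }

/* Pre-fix behaviour: bus_irq from firmware is used directly as the index. */
static int override_legacy_irq_unchecked(struct kmem *m, uint8_t bus_irq, uint32_t gsi)
{
    isa_irq_to_gsi(m)[bus_irq] = gsi;
    return 0;
}

/* Post-fix behaviour, mirroring the hunk: warn and reject out-of-range indices. */
static int override_legacy_irq_checked(struct kmem *m, uint8_t bus_irq, uint32_t gsi)
{
    if (bus_irq >= NR_IRQS_LEGACY) {
        fprintf(stderr, "Invalid bus_irq %u for legacy override\n", bus_irq);
        return -1;
    }
    isa_irq_to_gsi(m)[bus_irq] = gsi;
    return 0;
}

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Walk MADT subtables; every type-2 entry (10 bytes: type, length, bus,
 * source_irq, global_irq[4], flags[2]) goes to the override routine.
 * Returns how many overrides were rejected. */
static int apply_madt_overrides(const uint8_t *madt, size_t len, struct kmem *m, int checked)
{
    int rejected = 0;
    size_t off = MADT_HEADER_LEN;

    while (off + 2 <= len) {
        uint8_t type = madt[off], sublen = madt[off + 1];
        if (sublen < 2 || off + sublen > len)
            break; /* malformed subtable length: stop rather than overread */
        if (type == ACPI_MADT_TYPE_INTERRUPT_OVERRIDE && sublen >= 10) {
            uint8_t bus_irq = madt[off + 3];
            uint32_t gsi = le32(&madt[off + 4]);
            if (checked ? override_legacy_irq_checked(m, bus_irq, gsi)
                        : override_legacy_irq_unchecked(m, bus_irq, gsi))
                rejected++;
        }
        off += sublen;
    }
    return rejected;
}

/* Count words outside isa_irq_to_gsi[] that an override wrote to. */
static int clobbered_words(const struct kmem *m)
{
    int n = 0;
    for (size_t i = 0; i < MEM_WORDS; i++)
        if ((i < TABLE_OFFSET || i >= TABLE_OFFSET + NR_IRQS_LEGACY) && m->words[i] != 0)
            n++;
    return n;
}

/* Constructed MADT: header, the usual IRQ0 -> GSI2 timer override, and a
 * hostile override whose source_irq (0xff) is far past the 16-entry table. */
static size_t build_madt(uint8_t *buf, size_t cap)
{
    static const uint8_t good[10] = { 2, 10, 0, 0x00, 0x02, 0x00, 0x00, 0x00, 0, 0 };
    static const uint8_t evil[10] = { 2, 10, 0, 0xff, 0x41, 0x41, 0x41, 0x41, 0, 0 };
    size_t len = MADT_HEADER_LEN + sizeof good + sizeof evil;
    if (cap < len)
        return 0;
    memset(buf, 0, len);
    memcpy(buf, "APIC", 4);
    buf[4] = (uint8_t)len; /* little-endian header length; 64 fits in one byte */
    memcpy(buf + MADT_HEADER_LEN, good, sizeof good);
    memcpy(buf + MADT_HEADER_LEN + sizeof good, evil, sizeof evil);
    return len;
}

static int run_scenario(int checked, int *clobbered)
{
    struct kmem m;
    uint8_t madt[64];
    size_t len = build_madt(madt, sizeof madt);
    memset(&m, 0, sizeof m);
    int rejected = apply_madt_overrides(madt, len, &m, checked);
    *clobbered = clobbered_words(&m);
    return rejected;
}

int rejected_overrides(int checked) { int c; return run_scenario(checked, &c); }
int clobbered_after_overrides(int checked) { int c; run_scenario(checked, &c); return c; }

int main(void)
{
    printf("unchecked: rejected=%d clobbered=%d\n", rejected_overrides(0), clobbered_after_overrides(0));
    printf("checked:   rejected=%d clobbered=%d\n", rejected_overrides(1), clobbered_after_overrides(1));
    return 0;
}
```

With the unchecked routine the hostile entry writes 0x41414141 one word short of the end of the model's memory (index 0xff past the table start); with the check in place it is rejected and nothing outside the table changes. The parser also stops on a subtable whose length field runs past the table, which the kernel's MADT walker has to handle for the same reason: every byte of the MADT is firmware input.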
Re: [SRU][Trusty][PATCH 1/1] x86/acpi: Prevent out of bound access caused by broken ACPI tables

Colin Ian King
On 10/07/18 18:28, Kleber Sacilotto de Souza wrote:

> From: Seunghun Han <[hidden email]>
>
> The bus_irq argument of mp_override_legacy_irq() is used as the index into
> the isa_irq_to_gsi[] array. The bus_irq argument originates from
> ACPI_MADT_TYPE_IO_APIC and ACPI_MADT_TYPE_INTERRUPT items in the ACPI
> tables, but is nowhere sanity checked.
>
> That allows broken or malicious ACPI tables to overwrite memory, which
> might cause malfunction, panic or arbitrary code execution.
>
> Add a sanity check and emit a warning when that triggers.
>
> [ tglx: Added warning and rewrote changelog ]
>
> Signed-off-by: Seunghun Han <[hidden email]>
> Signed-off-by: Thomas Gleixner <[hidden email]>
> Cc: [hidden email]
> Cc: "Rafael J. Wysocki" <[hidden email]>
> Cc: [hidden email]
> Signed-off-by: Ingo Molnar <[hidden email]>
>
> CVE-2017-11473
> (cherry picked from commit dad5ab0db8deac535d03e3fe3d8f2892173fa6a4)
> Signed-off-by: Kleber Sacilotto de Souza <[hidden email]>
> ---
>  arch/x86/kernel/acpi/boot.c | 8 ++++++++
>  1 file changed, 8 insertions(+)
>
> diff --git a/arch/x86/kernel/acpi/boot.c b/arch/x86/kernel/acpi/boot.c
> index 6c0b43bd024b..2c3cd05ba747 100644
> --- a/arch/x86/kernel/acpi/boot.c
> +++ b/arch/x86/kernel/acpi/boot.c
> @@ -918,6 +918,14 @@ void __init mp_override_legacy_irq(u8 bus_irq, u8 polarity, u8 trigger, u32 gsi)
>   int pin;
>   struct mpc_intsrc mp_irq;
>  
> + /*
> + * Check bus_irq boundary.
> + */
> + if (bus_irq >= NR_IRQS_LEGACY) {
> + pr_warn("Invalid bus_irq %u for legacy override\n", bus_irq);
> + return;
> + }
> +
>   /*
>   * Convert 'gsi' to 'ioapic.pin'.
>   */
>

Eeek, can't believe there was no check on that before. Looks good,

Acked-by: Colin Ian King <[hidden email]>

ACK: [SRU][Trusty][PATCH 1/1] x86/acpi: Prevent out of bound access caused by broken ACPI tables

Stefan Bader
On 10.07.2018 19:28, Kleber Sacilotto de Souza wrote:

> From: Seunghun Han <[hidden email]>
>
> The bus_irq argument of mp_override_legacy_irq() is used as the index into
> the isa_irq_to_gsi[] array. The bus_irq argument originates from
> ACPI_MADT_TYPE_IO_APIC and ACPI_MADT_TYPE_INTERRUPT items in the ACPI
> tables, but is nowhere sanity checked.
>
> That allows broken or malicious ACPI tables to overwrite memory, which
> might cause malfunction, panic or arbitrary code execution.
>
> Add a sanity check and emit a warning when that triggers.
>
> [ tglx: Added warning and rewrote changelog ]
>
> Signed-off-by: Seunghun Han <[hidden email]>
> Signed-off-by: Thomas Gleixner <[hidden email]>
> Cc: [hidden email]
> Cc: "Rafael J. Wysocki" <[hidden email]>
> Cc: [hidden email]
> Signed-off-by: Ingo Molnar <[hidden email]>
>
> CVE-2017-11473
> (cherry picked from commit dad5ab0db8deac535d03e3fe3d8f2892173fa6a4)
> Signed-off-by: Kleber Sacilotto de Souza <[hidden email]>
Acked-by: Stefan Bader <[hidden email]>

> ---
>  arch/x86/kernel/acpi/boot.c | 8 ++++++++
>  1 file changed, 8 insertions(+)
>
> diff --git a/arch/x86/kernel/acpi/boot.c b/arch/x86/kernel/acpi/boot.c
> index 6c0b43bd024b..2c3cd05ba747 100644
> --- a/arch/x86/kernel/acpi/boot.c
> +++ b/arch/x86/kernel/acpi/boot.c
> @@ -918,6 +918,14 @@ void __init mp_override_legacy_irq(u8 bus_irq, u8 polarity, u8 trigger, u32 gsi)
>   int pin;
>   struct mpc_intsrc mp_irq;
>  
> + /*
> + * Check bus_irq boundary.
> + */
> + if (bus_irq >= NR_IRQS_LEGACY) {
> + pr_warn("Invalid bus_irq %u for legacy override\n", bus_irq);
> + return;
> + }
> +
>   /*
>   * Convert 'gsi' to 'ioapic.pin'.
>   */
>



APPLIED: [SRU][Trusty][PATCH 1/1] x86/acpi: Prevent out of bound access caused by broken ACPI tables

Juerg Haefliger
Applied to Trusty master-next.

...Juerg

On 07/10/2018 07:28 PM, Kleber Sacilotto de Souza wrote:

> From: Seunghun Han <[hidden email]>
>
> The bus_irq argument of mp_override_legacy_irq() is used as the index into
> the isa_irq_to_gsi[] array. The bus_irq argument originates from
> ACPI_MADT_TYPE_IO_APIC and ACPI_MADT_TYPE_INTERRUPT items in the ACPI
> tables, but is nowhere sanity checked.
>
> That allows broken or malicious ACPI tables to overwrite memory, which
> might cause malfunction, panic or arbitrary code execution.
>
> Add a sanity check and emit a warning when that triggers.
>
> [ tglx: Added warning and rewrote changelog ]
>
> Signed-off-by: Seunghun Han <[hidden email]>
> Signed-off-by: Thomas Gleixner <[hidden email]>
> Cc: [hidden email]
> Cc: "Rafael J. Wysocki" <[hidden email]>
> Cc: [hidden email]
> Signed-off-by: Ingo Molnar <[hidden email]>
>
> CVE-2017-11473
> (cherry picked from commit dad5ab0db8deac535d03e3fe3d8f2892173fa6a4)
> Signed-off-by: Kleber Sacilotto de Souza <[hidden email]>
> ---
>  arch/x86/kernel/acpi/boot.c | 8 ++++++++
>  1 file changed, 8 insertions(+)
>
> diff --git a/arch/x86/kernel/acpi/boot.c b/arch/x86/kernel/acpi/boot.c
> index 6c0b43bd024b..2c3cd05ba747 100644
> --- a/arch/x86/kernel/acpi/boot.c
> +++ b/arch/x86/kernel/acpi/boot.c
> @@ -918,6 +918,14 @@ void __init mp_override_legacy_irq(u8 bus_irq, u8 polarity, u8 trigger, u32 gsi)
>   int pin;
>   struct mpc_intsrc mp_irq;
>  
> + /*
> + * Check bus_irq boundary.
> + */
> + if (bus_irq >= NR_IRQS_LEGACY) {
> + pr_warn("Invalid bus_irq %u for legacy override\n", bus_irq);
> + return;
> + }
> +
>   /*
>   * Convert 'gsi' to 'ioapic.pin'.
>   */
>

