From patchwork Mon Jun 15 10:43:32 2020
X-Patchwork-Submitter: "Jason A. Donenfeld"
X-Patchwork-Id: 187937
From: "Jason A. Donenfeld"
To: linux-kernel@vger.kernel.org, linux-acpi@vger.kernel.org, mjg59@srcf.ucam.org, kernel-hardening@lists.openwall.com
Cc: "Jason A. Donenfeld", stable@vger.kernel.org
Subject: [PATCH] acpi: disallow loading configfs acpi tables when locked down
Date: Mon, 15 Jun 2020 04:43:32 -0600
Message-Id: <20200615104332.901519-1-Jason@zx2c4.com>

Like other vectors already patched, this one here allows the root user to load ACPI tables, which enables arbitrary physical address writes, which in turn makes it possible to disable lockdown. This patch prevents this by checking the lockdown status before allowing a new ACPI table to be installed. The link in the trailer shows a PoC of how this might be used.

Link: https://git.zx2c4.com/american-unsigned-language/tree/american-unsigned-language-2.sh
Cc: stable@vger.kernel.org
Signed-off-by: Jason A. Donenfeld
---
 drivers/acpi/acpi_configfs.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

--
2.27.0

diff --git a/drivers/acpi/acpi_configfs.c b/drivers/acpi/acpi_configfs.c index ece8c1a921cc..88c8af455ea3 100644 --- a/drivers/acpi/acpi_configfs.c +++ b/drivers/acpi/acpi_configfs.c @@ -11,6 +11,7 @@ #include #include #include +#include #include "acpica/accommon.h" #include "acpica/actables.h" @@ -28,7 +29,10 @@ static ssize_t acpi_table_aml_write(struct config_item *cfg, { const struct acpi_table_header *header = data; struct acpi_table *table; - int ret; + int ret = security_locked_down(LOCKDOWN_ACPI_TABLES); + + if (ret) + return ret; table = container_of(cfg, struct acpi_table, cfg);
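
Review bot: In the acpi_table_aml_write() hunk, the lockdown check is folded into the declaration, `int ret = security_locked_down(LOCKDOWN_ACPI_TABLES);`, where a reader scanning the locals can miss that this line is the security gate for the whole write handler. Consider keeping `int ret;` as it was and making the call the first statement of the body, with a one-line comment saying that configfs table loads are refused under lockdown. The placement itself is right and should be preserved in any respin: the early `return ret;` comes before container_of() and before any of the written table data is examined.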