| Message ID | 20180710172825.20738-2-kleber.souza@canonical.com |
|---|---|
| State | New |
| Series | Fix for CVE-2017-11473 |
On 10/07/18 18:28, Kleber Sacilotto de Souza wrote: > From: Seunghun Han <kkamagui@gmail.com> > > The bus_irq argument of mp_override_legacy_irq() is used as the index into > the isa_irq_to_gsi[] array. The bus_irq argument originates from > ACPI_MADT_TYPE_IO_APIC and ACPI_MADT_TYPE_INTERRUPT items in the ACPI > tables, but is nowhere sanity checked. > > That allows broken or malicious ACPI tables to overwrite memory, which > might cause malfunction, panic or arbitrary code execution. > > Add a sanity check and emit a warning when that triggers. > > [ tglx: Added warning and rewrote changelog ] > > Signed-off-by: Seunghun Han <kkamagui@gmail.com> > Signed-off-by: Thomas Gleixner <tglx@linutronix.de> > Cc: security@kernel.org > Cc: "Rafael J. Wysocki" <rjw@rjwysocki.net> > Cc: stable@vger.kernel.org > Signed-off-by: Ingo Molnar <mingo@kernel.org> > > CVE-2017-11473 > (cherry picked from commit dad5ab0db8deac535d03e3fe3d8f2892173fa6a4) > Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com> > --- > arch/x86/kernel/acpi/boot.c | 8 ++++++++ > 1 file changed, 8 insertions(+) > > diff --git a/arch/x86/kernel/acpi/boot.c b/arch/x86/kernel/acpi/boot.c > index 6c0b43bd024b..2c3cd05ba747 100644 > --- a/arch/x86/kernel/acpi/boot.c > +++ b/arch/x86/kernel/acpi/boot.c > @@ -918,6 +918,14 @@ void __init mp_override_legacy_irq(u8 bus_irq, u8 polarity, u8 trigger, u32 gsi) > int pin; > struct mpc_intsrc mp_irq; > > + /* > + * Check bus_irq boundary. > + */ > + if (bus_irq >= NR_IRQS_LEGACY) { > + pr_warn("Invalid bus_irq %u for legacy override\n", bus_irq); > + return; > + } > + > /* > * Convert 'gsi' to 'ioapic.pin'. > */ > Eeek, can't believe there was no check on that before. Looks good, Acked-by: Colin Ian King <colin.king@canonical.com>
On 10.07.2018 19:28, Kleber Sacilotto de Souza wrote: > From: Seunghun Han <kkamagui@gmail.com> > > The bus_irq argument of mp_override_legacy_irq() is used as the index into > the isa_irq_to_gsi[] array. The bus_irq argument originates from > ACPI_MADT_TYPE_IO_APIC and ACPI_MADT_TYPE_INTERRUPT items in the ACPI > tables, but is nowhere sanity checked. > > That allows broken or malicious ACPI tables to overwrite memory, which > might cause malfunction, panic or arbitrary code execution. > > Add a sanity check and emit a warning when that triggers. > > [ tglx: Added warning and rewrote changelog ] > > Signed-off-by: Seunghun Han <kkamagui@gmail.com> > Signed-off-by: Thomas Gleixner <tglx@linutronix.de> > Cc: security@kernel.org > Cc: "Rafael J. Wysocki" <rjw@rjwysocki.net> > Cc: stable@vger.kernel.org > Signed-off-by: Ingo Molnar <mingo@kernel.org> > > CVE-2017-11473 > (cherry picked from commit dad5ab0db8deac535d03e3fe3d8f2892173fa6a4) > Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com> Acked-by: Stefan Bader <stefan.bader@canonical.com> > --- > arch/x86/kernel/acpi/boot.c | 8 ++++++++ > 1 file changed, 8 insertions(+) > > diff --git a/arch/x86/kernel/acpi/boot.c b/arch/x86/kernel/acpi/boot.c > index 6c0b43bd024b..2c3cd05ba747 100644 > --- a/arch/x86/kernel/acpi/boot.c > +++ b/arch/x86/kernel/acpi/boot.c > @@ -918,6 +918,14 @@ void __init mp_override_legacy_irq(u8 bus_irq, u8 polarity, u8 trigger, u32 gsi) > int pin; > struct mpc_intsrc mp_irq; > > + /* > + * Check bus_irq boundary. > + */ > + if (bus_irq >= NR_IRQS_LEGACY) { > + pr_warn("Invalid bus_irq %u for legacy override\n", bus_irq); > + return; > + } > + > /* > * Convert 'gsi' to 'ioapic.pin'. > */ >
Applied to Trusty master-next. ...Juerg On 07/10/2018 07:28 PM, Kleber Sacilotto de Souza wrote: > From: Seunghun Han <kkamagui@gmail.com> > > The bus_irq argument of mp_override_legacy_irq() is used as the index into > the isa_irq_to_gsi[] array. The bus_irq argument originates from > ACPI_MADT_TYPE_IO_APIC and ACPI_MADT_TYPE_INTERRUPT items in the ACPI > tables, but is nowhere sanity checked. > > That allows broken or malicious ACPI tables to overwrite memory, which > might cause malfunction, panic or arbitrary code execution. > > Add a sanity check and emit a warning when that triggers. > > [ tglx: Added warning and rewrote changelog ] > > Signed-off-by: Seunghun Han <kkamagui@gmail.com> > Signed-off-by: Thomas Gleixner <tglx@linutronix.de> > Cc: security@kernel.org > Cc: "Rafael J. Wysocki" <rjw@rjwysocki.net> > Cc: stable@vger.kernel.org > Signed-off-by: Ingo Molnar <mingo@kernel.org> > > CVE-2017-11473 > (cherry picked from commit dad5ab0db8deac535d03e3fe3d8f2892173fa6a4) > Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com> > --- > arch/x86/kernel/acpi/boot.c | 8 ++++++++ > 1 file changed, 8 insertions(+) > > diff --git a/arch/x86/kernel/acpi/boot.c b/arch/x86/kernel/acpi/boot.c > index 6c0b43bd024b..2c3cd05ba747 100644 > --- a/arch/x86/kernel/acpi/boot.c > +++ b/arch/x86/kernel/acpi/boot.c > @@ -918,6 +918,14 @@ void __init mp_override_legacy_irq(u8 bus_irq, u8 polarity, u8 trigger, u32 gsi) > int pin; > struct mpc_intsrc mp_irq; > > + /* > + * Check bus_irq boundary. > + */ > + if (bus_irq >= NR_IRQS_LEGACY) { > + pr_warn("Invalid bus_irq %u for legacy override\n", bus_irq); > + return; > + } > + > /* > * Convert 'gsi' to 'ioapic.pin'. > */ >
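The bound check this series backports, as an added stand-alone C illustration that is not part of the patch, the kernel, or any message in this thread. The table, the override entries and the value of NR_IRQS_LEGACY are constructed stand-ins (the real constant, isa_irq_to_gsi[] and the MADT parsing live in the kernel), and override_legacy_irq(), apply_overrides(), gsi_for_isa_irq() and run_demo() are hypothetical helpers written for this example. It walks a constructed list of firmware-style override entries, applies the in-range ones and rejects the two whose bus_irq would index past the end of the table.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: the x86 legacy ISA IRQ count. The kernel defines the real
 * value in arch/x86/include/asm/irq_vectors.h; 16 is used here as a stand-in. */
#define NR_IRQS_LEGACY 16

/* Stand-in for the kernel's isa_irq_to_gsi[] mapping. It has exactly
 * NR_IRQS_LEGACY entries, so "bus_irq < NR_IRQS_LEGACY" is the precise bound. */
static uint32_t isa_irq_to_gsi[NR_IRQS_LEGACY];

/* Constructed stand-in for an ACPI MADT interrupt source override entry;
 * only the two fields relevant to the bound check are modelled. */
struct madt_override {
    uint8_t  bus_irq; /* ISA IRQ number, supplied by firmware tables */
    uint32_t gsi;     /* global system interrupt it should map to */
};

/* Hardened override, mirroring the patch: an out-of-range bus_irq is
 * reported and dropped instead of being used as an array index. */
static bool override_legacy_irq(uint8_t bus_irq, uint32_t gsi)
{
    if (bus_irq >= NR_IRQS_LEGACY) {
        fprintf(stderr, "Invalid bus_irq %u for legacy override\n", bus_irq);
        return false;
    }
    isa_irq_to_gsi[bus_irq] = gsi;
    return true;
}

/* Reset the table to the identity mapping (ISA IRQ n -> GSI n). */
static void reset_isa_irq_to_gsi(void)
{
    for (unsigned i = 0; i < NR_IRQS_LEGACY; i++)
        isa_irq_to_gsi[i] = i;
}

/* Apply every entry in an override table; returns how many were rejected. */
static unsigned apply_overrides(const struct madt_override *ovr, size_t n)
{
    unsigned rejected = 0;
    for (size_t i = 0; i < n; i++)
        if (!override_legacy_irq(ovr[i].bus_irq, ovr[i].gsi))
            rejected++;
    return rejected;
}

/* Bounds-checked read of the mapping; UINT32_MAX signals "no such ISA IRQ". */
static uint32_t gsi_for_isa_irq(uint8_t irq)
{
    return irq < NR_IRQS_LEGACY ? isa_irq_to_gsi[irq] : UINT32_MAX;
}

/* Constructed sample entries: two plausible overrides and two that would
 * index far past the 16-entry table if the check were missing. */
static const struct madt_override sample_overrides[] = {
    { 0, 2 },             /* ISA IRQ0 (timer) routed to GSI 2, a common override */
    { 9, 9 },             /* ISA IRQ9 kept on GSI 9 */
    { 200, 0x41414141u }, /* out of range: index 200 into a 16-entry table */
    { 255, 0 },           /* out of range: largest value a u8 bus_irq can hold */
};
#define N_SAMPLE (sizeof sample_overrides / sizeof sample_overrides[0])

/* Reset the table, apply the sample entries and return the rejection count. */
static unsigned run_demo(void)
{
    reset_isa_irq_to_gsi();
    return apply_overrides(sample_overrides, N_SAMPLE);
}

int main(void)
{
    unsigned rejected = run_demo();
    printf("%u of %zu overrides rejected; ISA IRQ0 -> GSI %u\n",
           rejected, (size_t)N_SAMPLE, gsi_for_isa_irq(0));
    return 0;
}
```

The two rejected entries leave the table untouched at their would-be index, which is the fail-safe the changelog describes: a broken or hostile table loses its override rather than gaining a write past the array.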
diff --git a/arch/x86/kernel/acpi/boot.c b/arch/x86/kernel/acpi/boot.c index 6c0b43bd024b..2c3cd05ba747 100644 --- a/arch/x86/kernel/acpi/boot.c +++ b/arch/x86/kernel/acpi/boot.c @@ -918,6 +918,14 @@ void __init mp_override_legacy_irq(u8 bus_irq, u8 polarity, u8 trigger, u32 gsi) int pin; struct mpc_intsrc mp_irq; + /* + * Check bus_irq boundary. + */ + if (bus_irq >= NR_IRQS_LEGACY) { + pr_warn("Invalid bus_irq %u for legacy override\n", bus_irq); + return; + } + /* * Convert 'gsi' to 'ioapic.pin'. */
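Review bot: the bound in `if (bus_irq >= NR_IRQS_LEGACY)` is only the right one if isa_irq_to_gsi[] is declared with exactly NR_IRQS_LEGACY entries, and the hunk does not show that declaration; since this is a cherry-pick into an older tree, confirm that the array size and the constant still agree in the backport target rather than relying on the upstream commit. A smaller point on the added comment `Check bus_irq boundary.`: it says what but not why, and a short mention that bus_irq comes from firmware-supplied MADT entries would make the intent clear to the next reader without consulting the changelog.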