ACPI: configfs: Disallow loading ACPI tables when locked down (CVE-2020-15780)
This is not a problem for the Debian built binary packages, as we do not enable CONFIG_ACPI_CONFIGFS. The fix is nonetheless included in case this config option is enabled at some point (unlikely) or for custom builds.
This commit is contained in:
parent
046742d201
commit
a91434eeb6
|
@ -620,6 +620,8 @@ linux (4.19.142-1) UNRELEASED; urgency=medium
|
||||||
4.19.142
|
4.19.142
|
||||||
* [rt] Refresh "Split IRQ-off and zone->lock while freeing pages from PCP
|
* [rt] Refresh "Split IRQ-off and zone->lock while freeing pages from PCP
|
||||||
list #1" for context changes in 4.19.142
|
list #1" for context changes in 4.19.142
|
||||||
|
* ACPI: configfs: Disallow loading ACPI tables when locked down
|
||||||
|
(CVE-2020-15780)
|
||||||
|
|
||||||
-- Salvatore Bonaccorso <carnil@debian.org> Tue, 04 Aug 2020 16:33:40 +0200
|
-- Salvatore Bonaccorso <carnil@debian.org> Tue, 04 Aug 2020 16:33:40 +0200
|
||||||
|
|
||||||
|
|
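--- /dev/null
+++ b/debian/patches/features/all/lockdown/ACPI-configfs-Disallow-loading-ACPI-tables-when-lock.patch
@@ -0,0 +1,44 @@
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Mon, 15 Jun 2020 04:43:32 -0600
+Subject: ACPI: configfs: Disallow loading ACPI tables when locked down
+Origin: https://git.kernel.org/linus/75b0cea7bf307f362057cc778efe89af4c615354
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2020-15780
+
+Like other vectors already patched, this one here allows the root
+user to load ACPI tables, which enables arbitrary physical address
+writes, which in turn makes it possible to disable lockdown.
+
+Prevents this by checking the lockdown status before allowing a new
+ACPI table to be installed. The link in the trailer shows a PoC of
+how this might be used.
+
+Link: https://git.zx2c4.com/american-unsigned-language/tree/american-unsigned-language-2.sh
+Cc: 5.4+ <stable@vger.kernel.org> # 5.4+
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+[Salvatore Bonaccorso: Backport to v4.19.y: Use kernel_is_locked_down instead
+of security_locked_down]
+---
+drivers/acpi/acpi_configfs.c | 6 +++++-
+1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/acpi/acpi_configfs.c
++++ b/drivers/acpi/acpi_configfs.c
+@@ -14,6 +14,7 @@
+#include <linux/module.h>
+#include <linux/configfs.h>
+#include <linux/acpi.h>
++#include <linux/security.h>
+
+#include "acpica/accommon.h"
+#include "acpica/actables.h"
+@@ -33,6 +34,9 @@ static ssize_t acpi_table_aml_write(stru
+struct acpi_table *table;
+int ret;
+
++ if (kernel_is_locked_down("Modifying ACPI tables"))
++ return -EPERM;
++
+table = container_of(cfg, struct acpi_table, cfg);
+
+if (table->header) {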
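Review bot: The new `kernel_is_locked_down("Modifying ACPI tables")` check in acpi_table_aml_write carries no in-code comment, so a reader of acpi_configfs.c only learns from this patch description why loading a table is refused; I would put `/* An AML table can write arbitrary physical addresses, which would defeat lockdown. */` directly above the check. The check is correctly placed before container_of() and before table->header is examined, so an -EPERM return leaves no partial state behind. The 4.19 backport substitutes `kernel_is_locked_down()` for upstream's `security_locked_down()` (noted only in the patch trailer); a one-line comment at the call site recording that substitution, and that the string argument is presumably what the lockdown denial message reports (worth confirming against the 4.19 lockdown patchset), would help whoever later rebases this onto the upstream API. acpi_table_aml_write both starts and ends outside the hunk.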
@ -137,6 +137,7 @@ features/all/lockdown/0032-efi-Restrict-efivar_ssdt_load-when-the-kernel-is-loc.
|
||||||
features/all/lockdown/enable-cold-boot-attack-mitigation.patch
|
features/all/lockdown/enable-cold-boot-attack-mitigation.patch
|
||||||
features/all/lockdown/mtd-disable-slram-and-phram-when-locked-down.patch
|
features/all/lockdown/mtd-disable-slram-and-phram-when-locked-down.patch
|
||||||
features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch
|
features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch
|
||||||
|
features/all/lockdown/ACPI-configfs-Disallow-loading-ACPI-tables-when-lock.patch
|
||||||
# until the "kernel_lockdown.7" manual page exists
|
# until the "kernel_lockdown.7" manual page exists
|
||||||
features/all/lockdown/lockdown-refer-to-debian-wiki-until-manual-page-exists.patch
|
features/all/lockdown/lockdown-refer-to-debian-wiki-until-manual-page-exists.patch
|
||||||
|
|
||||||
|
|