45 lines
1.6 KiB
Diff
45 lines
1.6 KiB
Diff
From: "Jason A. Donenfeld" <Jason@zx2c4.com>
|
|
Date: Mon, 15 Jun 2020 04:43:32 -0600
|
|
Subject: ACPI: configfs: Disallow loading ACPI tables when locked down
|
|
Origin: https://git.kernel.org/linus/75b0cea7bf307f362057cc778efe89af4c615354
|
|
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2020-15780
|
|
|
|
Like other vectors already patched, this one here allows the root
|
|
user to load ACPI tables, which enables arbitrary physical address
|
|
writes, which in turn makes it possible to disable lockdown.
|
|
|
|
Prevents this by checking the lockdown status before allowing a new
|
|
ACPI table to be installed. The link in the trailer shows a PoC of
|
|
how this might be used.
|
|
|
|
Link: https://git.zx2c4.com/american-unsigned-language/tree/american-unsigned-language-2.sh
|
|
Cc: 5.4+ <stable@vger.kernel.org> # 5.4+
|
|
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|
|
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
|
|
[Salvatore Bonaccorso: Backport to v4.19.y: Use kernel_is_locked_down instead
|
|
of security_locked_down]
|
|
---
|
|
drivers/acpi/acpi_configfs.c | 6 +++++-
|
|
1 file changed, 5 insertions(+), 1 deletion(-)
|
|
|
|
--- a/drivers/acpi/acpi_configfs.c
|
|
+++ b/drivers/acpi/acpi_configfs.c
|
|
@@ -14,6 +14,7 @@
|
|
#include <linux/module.h>
|
|
#include <linux/configfs.h>
|
|
#include <linux/acpi.h>
|
|
+#include <linux/security.h>
|
|
|
|
#include "acpica/accommon.h"
|
|
#include "acpica/actables.h"
|
|
@@ -33,6 +34,9 @@ static ssize_t acpi_table_aml_write(stru
|
|
struct acpi_table *table;
|
|
int ret;
|
|
|
|
+ if (kernel_is_locked_down("Modifying ACPI tables"))
|
|
+ return -EPERM;
|
|
+
|
|
table = container_of(cfg, struct acpi_table, cfg);
|
|
|
|
if (table->header) {
|