From a91434eeb6830345b78667ed961efff51f940f5d Mon Sep 17 00:00:00 2001
From: Salvatore Bonaccorso
Date: Sat, 29 Aug 2020 14:14:51 +0200
Subject: [PATCH] ACPI: configfs: Disallow loading ACPI tables when locked down (CVE-2020-15780)

This is not a problem for the Debian built binary packages, as we do not enable CONFIG_ACPI_CONFIGFS. Though this is in place in case at some point this config option would (unlikely) be enabled, or for custom builds.
---
 debian/changelog                                   |  2 +
 ...sallow-loading-ACPI-tables-when-lock.patch      | 44 +++++++++++++++++++
 debian/patches/series                              |  1 +
 3 files changed, 47 insertions(+)
 create mode 100644 debian/patches/features/all/lockdown/ACPI-configfs-Disallow-loading-ACPI-tables-when-lock.patch

diff --git a/debian/changelog b/debian/changelog index e7a83b196..ed4281c21 100644 --- a/debian/changelog +++ b/debian/changelog @@ -620,6 +620,8 @@ linux (4.19.142-1) UNRELEASED; urgency=medium 4.19.142 * [rt] Refresh "Split IRQ-off and zone->lock while freeing pages from PCP list #1" for context changes in 4.19.142 + * ACPI: configfs: Disallow loading ACPI tables when locked down + (CVE-2020-15780) -- Salvatore Bonaccorso Tue, 04 Aug 2020 16:33:40 +0200 diff --git a/debian/patches/features/all/lockdown/ACPI-configfs-Disallow-loading-ACPI-tables-when-lock.patch b/debian/patches/features/all/lockdown/ACPI-configfs-Disallow-loading-ACPI-tables-when-lock.patch new file mode 100644 index 000000000..4970a4bd4 --- /dev/null +++ b/debian/patches/features/all/lockdown/ACPI-configfs-Disallow-loading-ACPI-tables-when-lock.patch 
@@ -0,0 +1,44 @@ +From: "Jason A. Donenfeld" +Date: Mon, 15 Jun 2020 04:43:32 -0600 +Subject: ACPI: configfs: Disallow loading ACPI tables when locked down +Origin: https://git.kernel.org/linus/75b0cea7bf307f362057cc778efe89af4c615354 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2020-15780 + +Like other vectors already patched, this one here allows the root +user to load ACPI tables, which enables arbitrary physical address +writes, which in turn makes it possible to disable lockdown. + +Prevents this by checking the lockdown status before allowing a new +ACPI table to be installed. The link in the trailer shows a PoC of +how this might be used. + +Link: https://git.zx2c4.com/american-unsigned-language/tree/american-unsigned-language-2.sh +Cc: 5.4+ # 5.4+ +Signed-off-by: Jason A. Donenfeld +Signed-off-by: Rafael J. Wysocki +[Salvatore Bonaccorso: Backport to v4.19.y: Use kernel_is_locked_down instead +of security_locked_down] +--- + drivers/acpi/acpi_configfs.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/acpi/acpi_configfs.c ++++ b/drivers/acpi/acpi_configfs.c +@@ -14,6 +14,7 @@ + #include + #include + #include ++#include + + #include "acpica/accommon.h" + #include "acpica/actables.h" +@@ -33,6 +34,9 @@ static ssize_t acpi_table_aml_write(stru + struct acpi_table *table; + int ret; + ++ if (kernel_is_locked_down("Modifying ACPI tables")) ++ return -EPERM; ++ + table = container_of(cfg, struct acpi_table, cfg); + + if (table->header) { diff --git a/debian/patches/series b/debian/patches/series index c8a13255f..99578b307 100644 --- a/debian/patches/series +++ b/debian/patches/series 
@@ -137,6 +137,7 @@ features/all/lockdown/0032-efi-Restrict-efivar_ssdt_load-when-the-kernel-is-loc. features/all/lockdown/enable-cold-boot-attack-mitigation.patch features/all/lockdown/mtd-disable-slram-and-phram-when-locked-down.patch features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch +features/all/lockdown/ACPI-configfs-Disallow-loading-ACPI-tables-when-lock.patch # until the "kernel_lockdown.7" manual page exists features/all/lockdown/lockdown-refer-to-debian-wiki-until-manual-page-exists.patch
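Review bot: in the `@@ -14,6 +14,7 @@` hunk of drivers/acpi/acpi_configfs.c the name of the header on the added `++#include` line is not visible here, and the backport note says `kernel_is_locked_down` was substituted for `security_locked_down`; confirm that the header kept from the upstream hunk is the one that declares `kernel_is_locked_down()` in the 4.19 lockdown series, since the two helpers may not live in the same header, and drop the include if the 4.19 declaration already reaches acpi_configfs.c through its existing includes.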
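Review bot: the placement of the check in the `@@ -33,6 +34,9 @@` hunk is right: `kernel_is_locked_down("Modifying ACPI tables")` runs before `container_of()` and before the `if (table->header)` branch, so it gates every write to the aml attribute, including an attempt to replace a table that is already installed, and nothing is copied from the caller before the `-EPERM`. Because `kernel_is_locked_down()` is used here as a boolean condition, the hard-coded `-EPERM` is the correct return value; it would help future refreshes against later stable branches if the bracketed backport note also said that this is why the return value differs from the upstream `security_locked_down` form.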
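Review bot: in the debian/patches/series hunk the new entry is ordered after the existing features/all/lockdown patches, which is required because `kernel_is_locked_down()` only exists once that series has been applied, and it sits next to the other lockdown restrictions on table and memory loading (efivar_ssdt_load, mtd slram/phram), which is the consistent place for it despite the CVE id in the changelog; keeping it ahead of the "kernel_lockdown.7" manual page patch is also correct, since that patch only adjusts the denial message text.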