CVE-2020-15780: git/torvalds/linux.git - Linux kernel source tree

author

Jason A. Donenfeld [email protected]

2020-06-15 04:43:32 -0600

committer

Rafael J. Wysocki [email protected]

2020-06-22 16:41:27 +0200

commit

75b0cea7bf307f362057cc778efe89af4c615354 (patch)

tree

5cf01ade1538939c51f63e3831a706bde7984743

parent

48778464bb7d346b47157d21ffde2af6b2d39110 (diff)

download

linux-75b0cea7bf307f362057cc778efe89af4c615354.tar.gz

ACPI: configfs: Disallow loading ACPI tables when locked down

Like other vectors already patched, this one here allows the root user to load ACPI tables, which enables arbitrary physical address writes, which in turn makes it possible to disable lockdown. Prevents this by checking the lockdown status before allowing a new ACPI table to be installed. The link in the trailer shows a PoC of how this might be used. Link: https://git.zx2c4.com/american-unsigned-language/tree/american-unsigned-language-2.sh Cc: 5.4+ [email protected] # 5.4+ Signed-off-by: Jason A. Donenfeld [email protected] Signed-off-by: Rafael J. Wysocki [email protected]

-rw-r–r--

drivers/acpi/acpi_configfs.c

6

1 files changed, 5 insertions, 1 deletions

diff --git a/drivers/acpi/acpi_configfs.c b/drivers/acpi/acpi_configfs.c
index ece8c1a921cc1…88c8af455ea3f 100644
— a/drivers/acpi/acpi_configfs.c
+++ b/drivers/acpi/acpi_configfs.c

@@ -11,6 +11,7 @@

#include <linux/module.h>

#include <linux/configfs.h>

#include <linux/acpi.h>

+#include <linux/security.h>

#include “acpica/accommon.h”

#include “acpica/actables.h”

@@ -28,7 +29,10 @@ static ssize_t acpi_table_aml_write(struct config_item *cfg,

{

const struct acpi_table_header *header = data;

struct acpi_table *table;

- int ret;

+ int ret = security_locked_down(LOCKDOWN_ACPI_TABLES);

+ if (ret)

+ return ret;

table = container_of(cfg, struct acpi_table, cfg);