ACPI: configfs: Disallow loading ACPI tables when locked down

Like other vectors already patched, this one here allows the root user to load ACPI tables, which enables arbitrary physical address writes, which in turn makes it possible to disable lockdown. Prevents this by checking the lockdown status before allowing a new ACPI table to be installed. The link in the trailer shows a PoC of how this might be used. Link: https://git.zx2c4.com/american-unsigned-language/tree/american-unsigned-language-2.sh Cc: 5.4+ <stable@vger.kernel.org> # 5.4+ Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
torvalds · Jun 22, 2020 · 75b0cea · 75b0cea
1 parent 4877846
commit 75b0cea
Showing 1 changed file with 5 additions and 1 deletion.
diff --git a/drivers/acpi/acpi_configfs.c b/drivers/acpi/acpi_configfs.c
@@ -11,6 +11,7 @@
 #include <linux/module.h>
 #include <linux/configfs.h>
 #include <linux/acpi.h>
+#include <linux/security.h>
 
 #include "acpica/accommon.h"
 #include "acpica/actables.h"
@@ -28,7 +29,10 @@ static ssize_t acpi_table_aml_write(struct config_item *cfg,
 {
 	const struct acpi_table_header *header = data;
 	struct acpi_table *table;
-	int ret;
+	int ret = security_locked_down(LOCKDOWN_ACPI_TABLES);
+
+	if (ret)
+		return ret;
 
 	table = container_of(cfg, struct acpi_table, cfg);