intel / ccc-linux-guest-hardening

Linux Security Hardening for Confidential Compute
https://intel.github.io/ccc-linux-guest-hardening-docs
MIT License

KASAN: null-ptr-deref in range [x-y] RIP: acpi_button_notify #101

Open ereshetova opened 1 year ago

ereshetova commented 1 year ago

Found in 6.0-rc2 via BOOT_REST_INIT harness.

```
PCI: Fatal: No config space access function found
ACPI Error: No installed handler for fixed event - PM_Timer (0), disabling (20220331/evevent-255)
ACPI Error: No installed handler for fixed event - PowerButton (2), disabling (20220331/evevent-255)
ACPI Error: No installed handler for fixed event - SleepButton (3), disabling (20220331/evevent-255)
ACPI Error: Could not enable GlobalLock event (20220331/evxfevnt-182)
ACPI Warning: Could not enable fixed event - GlobalLock (1) (20220331/evxface-618)
ACPI Error: No response from Global Lock hardware, disabling lock (20220331/evglock-59)
ACPI Error: No handler or method for GPE 04, disabling event (20220331/evgpe-839)
ACPI Error: AE_ERROR, During region initialization: [PCI_Config] (20220331/evregion-192)
ACPI Error: Aborting method _SB.PCI0.ISA.LPT._STA due to previous error (AE_ERROR) (20220331/psparse-529)
ACPI Error: AE_ERROR, During region initialization: [PCI_Config] (20220331/evregion-192)
ACPI Error: Aborting method _SB.PCI0.ISA.COM1._STA due to previous error (AE_ERROR) (20220331/psparse-529)
ACPI Error: AE_ERROR, During region initialization: [PCI_Config] (20220331/evregion-192)
ACPI Error: Aborting method _SB.PCI0.ISA.COM2._STA due to previous error (AE_ERROR) (20220331/psparse-529)
ACPI Error: AE_ERROR, During region initialization: [PCI_Config] (20220331/evregion-192)
ACPI Error: Aborting method _SB.LNKA._CRS due to previous error (AE_ERROR) (20220331/psparse-529)
ACPI Error: Method execution failed _SB.LNKA._CRS due to previous error (AE_ERROR) (20220331/uteval-68)
ACPI Error: AE_ERROR, During region initialization: [PCI_Config] (20220331/evregion-192)
ACPI Error: Aborting method _SB.LNKA._STA due to previous error (AE_ERROR) (20220331/psparse-529)
ACPI Error: AE_ERROR, During region initialization: [PCI_Config] (20220331/evregion-192)
ACPI Error: Aborting method _SB.LNKB._CRS due to previous error (AE_ERROR) (20220331/psparse-529)
ACPI Error: Method execution failed _SB.LNKB._CRS due to previous error (AE_ERROR) (20220331/uteval-68)
ACPI Error: AE_ERROR, During region initialization: [PCI_Config] (20220331/evregion-192)
ACPI Error: Aborting method _SB.LNKB._STA due to previous error (AE_ERROR) (20220331/psparse-529)
ACPI Error: AE_ERROR, During region initialization: [PCI_Config] (20220331/evregion-192)
ACPI Error: Aborting method _SB.LNKC._CRS due to previous error (AE_ERROR) (20220331/psparse-529)
ACPI Error: Method execution failed _SB.LNKC._CRS due to previous error (AE_ERROR) (20220331/uteval-68)
ACPI Error: AE_ERROR, During region initialization: [PCI_Config] (20220331/evregion-192)
ACPI Error: Aborting method _SB.LNKC._STA due to previous error (AE_ERROR) (20220331/psparse-529)
ACPI Error: AE_ERROR, During region initialization: [PCI_Config] (20220331/evregion-192)
ACPI Error: Aborting method _SB.LNKD._CRS due to previous error (AE_ERROR) (20220331/psparse-529)
ACPI Error: Method execution failed _SB.LNKD._CRS due to previous error (AE_ERROR) (20220331/uteval-68)
ACPI Error: AE_ERROR, During region initialization: [PCI_Config] (20220331/evregion-192)
ACPI Error: Aborting method _SB.LNKD._STA due to previous error (AE_ERROR) (20220331/psparse-529)
ACPI Error: No handler or method for GPE 07, disabling event (20220331/evgpe-839)
ACPI Error: No installed handler for fixed event - PM_Timer (0), disabling (20220331/evevent-255)
ACPI Error: AE_ERROR, During region initialization: [PCI_Config] (20220331/evregion-192)
ACPI Error: Aborting method _SB.PCI0.ISA.LPT._STA due to previous error (AE_ERROR) (20220331/psparse-529)
ACPI Error: AE_ERROR, During region initialization: [PCI_Config] (20220331/evregion-192)
ACPI Error: Aborting method _SB.PCI0.ISA.COM1._STA due to previous error (AE_ERROR) (20220331/psparse-529)
ACPI Error: AE_ERROR, During region initialization: [PCI_Config] (20220331/evregion-192)
ACPI Error: Aborting method _SB.PCI0.ISA.COM2._STA due to previous error (AE_ERROR) (20220331/psparse-529)
ACPI Error: AE_ERROR, During region initialization: [PCI_Config] (20220331/evregion-192)
ACPI Error: Aborting method _SB.LNKA._STA due to previous error (AE_ERROR) (20220331/psparse-529)
ACPI Error: AE_ERROR, During region initialization: [PCI_Config] (20220331/evregion-192)
ACPI Error: Aborting method _SB.LNKB._STA due to previous error (AE_ERROR) (20220331/psparse-529)
ACPI Error: AE_ERROR, During region initialization: [PCI_Config] (20220331/evregion-192)
ACPI Error: Aborting method _SB.LNKC._STA due to previous error (AE_ERROR) (20220331/psparse-529)
ACPI Error: AE_ERROR, During region initialization: [PCI_Config] (20220331/evregion-192)
ACPI Error: Aborting method _SB.LNKD._STA due to previous error (AE_ERROR) (20220331/psparse-529)
PCI: System does not support PCI
ACPI Error: AE_ERROR, During region initialization: [PCI_Config] (20220331/evregion-192)
ACPI Error: Aborting method _SB.PCI0.ISA.LPT._STA due to previous error (AE_ERROR) (20220331/psparse-529)
ACPI Error: Method execution failed _SB.PCI0.ISA.LPT._STA due to previous error (AE_ERROR) (20220331/uteval-68)
ACPI Error: AE_ERROR, During region initialization: [PCI_Config] (20220331/evregion-192)
ACPI Error: Aborting method _SB.PCI0.ISA.COM1._STA due to previous error (AE_ERROR) (20220331/psparse-529)
ACPI Error: Method execution failed _SB.PCI0.ISA.COM1._STA due to previous error (AE_ERROR) (20220331/uteval-68)
ACPI Error: AE_ERROR, During region initialization: [PCI_Config] (20220331/evregion-192)
ACPI Error: Aborting method _SB.PCI0.ISA.COM2._STA due to previous error (AE_ERROR) (20220331/psparse-529)
ACPI Error: Method execution failed _SB.PCI0.ISA.COM2._STA due to previous error (AE_ERROR) (20220331/uteval-68)
ACPI Error: AE_ERROR, During region initialization: [PCI_Config] (20220331/evregion-192)
ACPI Error: Aborting method _SB.LNKA._STA due to previous error (AE_ERROR) (20220331/psparse-529)
ACPI Error: Method execution failed _SB.LNKA._STA due to previous error (AE_ERROR) (20220331/uteval-68)
ACPI Error: AE_ERROR, During region initialization: [PCI_Config] (20220331/evregion-192)
ACPI Error: Aborting method _SB.LNKB._STA due to previous error (AE_ERROR) (20220331/psparse-529)
ACPI Error: Method execution failed _SB.LNKB._STA due to previous error (AE_ERROR) (20220331/uteval-68)
ACPI Error: AE_ERROR, During region initialization: [PCI_Config] (20220331/evregion-192)
ACPI Error: Aborting method _SB.LNKC._STA due to previous error (AE_ERROR) (20220331/psparse-529)
ACPI Error: Method execution failed _SB.LNKC._STA due to previous error (AE_ERROR) (20220331/uteval-68)
ACPI Error: AE_ERROR, During region initialization: [PCI_Config] (20220331/evregion-192)
ACPI Error: Aborting method _SB.LNKD._STA due to previous error (AE_ERROR) (20220331/psparse-529)
ACPI Error: Method execution failed _SB.LNKD._STA due to previous error (AE_ERROR) (20220331/uteval-68)
ACPI Error: No handler or method for GPE 04, disabling event (20220331/evgpe-839)
ACPI Error: No handler or method for GPE 07, disabling event (20220331/evgpe-839)
ACPI Error: No installed handler for fixed event - RealTimeClock (4), disabling (20220331/evevent-255)
ACPI Error: No handler or method for GPE 03, disabling event (20220331/evgpe-839)
ACPI Error: No handler or method for GPE 05, disabling event (20220331/evgpe-839)
ACPI Error: No handler or method for GPE 07, disabling event (20220331/evgpe-839)
ACPI Error: Could not enable PowerButton event (20220331/evxfevnt-182)
ACPI Warning: Could not enable fixed event - PowerButton (2) (20220331/evxface-618)
button: probe of LNXPWRBN:00 failed with error -22
general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT DEBUG_PAGEALLOC KASAN
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 0 PID: 24 Comm: kworker/0:1 Not tainted 6.0.0-rc2-g1d588de205f8 #1
Workqueue: kacpi_notify acpi_os_execute_deferred
RIP: 0010:acpi_button_notify (drivers/acpi/button.c:414)
Code: c1 ea 03 48 83 ec 08 80 3c 02 00 0f 85 32 02 00 00 49 8b 9c 24 60 02 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 da 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e e8 01 00 00 83 3b 05 75 44 48

All code
   0:   c1 ea 03                shr    $0x3,%edx
   3:   48 83 ec 08             sub    $0x8,%rsp
   7:   80 3c 02 00             cmpb   $0x0,(%rdx,%rax,1)
   b:   0f 85 32 02 00 00       jne    0x243
  11:   49 8b 9c 24 60 02 00    mov    0x260(%r12),%rbx
  18:   00
  19:   48 b8 00 00 00 00 00    movabs $0xdffffc0000000000,%rax
  20:   fc ff df
  23:   48 89 da                mov    %rbx,%rdx
  26:   48 c1 ea 03             shr    $0x3,%rdx
  2a:*  0f b6 04 02             movzbl (%rdx,%rax,1),%eax        <-- trapping instruction
  2e:   84 c0                   test   %al,%al
  30:   74 08                   je     0x3a
  32:   3c 03                   cmp    $0x3,%al
  34:   0f 8e e8 01 00 00       jle    0x222
  3a:   83 3b 05                cmpl   $0x5,(%rbx)
  3d:   75 44                   jne    0x83
  3f:   48                      rex.W

Code starting with the faulting instruction
   0:   0f b6 04 02             movzbl (%rdx,%rax,1),%eax
   4:   84 c0                   test   %al,%al
   6:   74 08                   je     0x10
   8:   3c 03                   cmp    $0x3,%al
   a:   0f 8e e8 01 00 00       jle    0x1f8
  10:   83 3b 05                cmpl   $0x5,(%rbx)
  13:   75 44                   jne    0x59
  15:   48                      rex.W
RSP: 0000:ffffc9000018fd38 EFLAGS: 00010246
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff888006bb8a60
RBP: ffffc9000018fd68 R08: 0000000000000001 R09: ffffed1000f2676b
R10: ffff888007933b57 R11: ffffed1000f2676a R12: ffff888006bb8800
R13: ffffffff81e94760 R14: ffff8880066e8e60 R15: ffff88802d0ff705
FS:  0000000000000000(0000) GS:ffffffff83cab000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff88802dffb000 CR3: 0000000003c32001 CR4: 00000000001706f0
Call Trace:
 ? acpi_notify_device (drivers/acpi/bus.c:543 drivers/acpi/bus.c:553)
 acpi_notify_device_fixed (drivers/acpi/bus.c:554)
 acpi_os_execute_deferred (drivers/acpi/osl.c:851)
 process_one_work (arch/x86/include/asm/atomic.h:29 include/linux/jump_label.h:259 include/linux/jump_label.h:269 include/trace/events/workqueue.h:108 kernel/workqueue.c:2294)
 ? __mutex_unlock_slowpath (kernel/locking/mutex.c:538)
 worker_thread (include/linux/list.h:292 kernel/workqueue.c:2437)
 ? pci_mmcfg_check_reserved (kernel/sched/core.c:6376)
 ? process_one_work (kernel/workqueue.c:2379)
 kthread (kernel/kthread.c:376)
 ? calculate_sigpending (arch/x86/include/asm/preempt.h:103 include/linux/spinlock.h:399 kernel/signal.c:198)
 ? kthread_complete_and_exit (kernel/kthread.c:335)
 ret_from_fork (arch/x86/entry/entry_64.S:312)
Modules linked in:
---[ end trace 0000000000000000 ]---
```
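Crash reports like the one above arrive in bulk from a fuzzing harness, and the first job is to pull out the handful of fields that identify the bug and to check that they agree with each other: here the KASAN range starts at 0, RBX is 0, and the trapping instruction is the KASAN shadow check of `RBX >> 3`, so the register base of the access is a NULL pointer loaded from the device struct, and the `button: probe of LNXPWRBN:00 failed with error -22` line two lines earlier is the context a triager wants next to it. The helper below is an added example, not part of this issue or of the ccc-linux-guest-hardening harness; it parses a constructed excerpt copied from the report above, extracts those fields, keeps only the reliable (non-`?`) frames of the call trace, and builds a stable deduplication signature. The regular expressions encode assumptions about the x86-64 oops format shown on this page and nothing more.

```python
"""Triage helper for KASAN / oops excerpts such as the report in this issue.

Added example (not the project's code). It parses a kernel log excerpt,
extracts the fields a triager needs and records any earlier
'probe ... failed' message, which is the context for a handler that
finds no driver state.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed excerpt: a subset of the lines posted in the issue above.
SAMPLE_LOG = """\
ACPI Warning: Could not enable fixed event - PowerButton (2) (20220331/evxface-618)
button: probe of LNXPWRBN:00 failed with error -22
general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT DEBUG_PAGEALLOC KASAN
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 0 PID: 24 Comm: kworker/0:1 Not tainted 6.0.0-rc2-g1d588de205f8 #1
Workqueue: kacpi_notify acpi_os_execute_deferred
RIP: 0010:acpi_button_notify (drivers/acpi/button.c:414)
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff888006bb8a60
Call Trace:
 ? acpi_notify_device (drivers/acpi/bus.c:543 drivers/acpi/bus.c:553)
 acpi_notify_device_fixed (drivers/acpi/bus.c:554)
 acpi_os_execute_deferred (drivers/acpi/osl.c:851)
 process_one_work (kernel/workqueue.c:2294)
Modules linked in:
---[ end trace 0000000000000000 ]---
"""

# Assumed line shapes, taken from the x86-64 oops format seen in the report.
KASAN_RE = re.compile(r"^KASAN: (?P<kind>[\w-]+) in range \[(?P<lo>0x[0-9a-f]+)-(?P<hi>0x[0-9a-f]+)\]")
RIP_RE = re.compile(r"^RIP: \d{4}:(?P<func>[\w.]+) \((?P<loc>[^)]+)\)")
WQ_RE = re.compile(r"^Workqueue: (?P<wq>\S+) (?P<fn>\S+)")
PROBE_RE = re.compile(r"^(?P<drv>\S+): probe of (?P<dev>\S+) failed with error (?P<err>-?\d+)")
REG_RE = re.compile(r"\b(R[A-Z0-9]{2}): ([0-9a-f]{16})")
TRACE_RE = re.compile(r"^ (?P<maybe>\? )?(?P<func>[\w.]+) \(")
VERSION_RE = re.compile(r"Not tainted (?P<ver>\S+)")


@dataclass
class Triage:
    kasan_kind: Optional[str] = None
    kasan_range: Optional[tuple] = None
    rip_func: Optional[str] = None
    rip_loc: Optional[str] = None
    workqueue: Optional[str] = None
    kernel: Optional[str] = None
    regs: dict = field(default_factory=dict)
    call_trace: list = field(default_factory=list)      # reliable frames only
    failed_probes: list = field(default_factory=list)   # (driver, device, errno)

    def is_null_deref(self) -> bool:
        # KASAN classes an access inside the first page as a NULL dereference.
        return (self.kasan_kind == "null-ptr-deref"
                and self.kasan_range is not None
                and self.kasan_range[1] < 0x1000)

    def zero_registers(self) -> list:
        # Candidates for the NULL base: every general register that reads 0.
        return sorted(r for r, v in self.regs.items() if v == 0)

    def signature(self) -> str:
        # Stable key for deduplicating repeated reports of the same crash.
        return f"{self.kasan_kind}@{self.rip_func}({self.rip_loc})"


def triage(log: str) -> Triage:
    t = Triage()
    in_trace = False
    for line in log.splitlines():
        if m := KASAN_RE.match(line):
            t.kasan_kind = m["kind"]
            t.kasan_range = (int(m["lo"], 16), int(m["hi"], 16))
        elif m := RIP_RE.match(line):
            t.rip_func, t.rip_loc = m["func"], m["loc"]
        elif m := WQ_RE.match(line):
            t.workqueue = m["wq"]
        elif m := PROBE_RE.match(line):
            t.failed_probes.append((m["drv"], m["dev"], int(m["err"])))
        elif m := VERSION_RE.search(line):
            t.kernel = m["ver"]
        elif line.startswith("Call Trace:"):
            in_trace = True
        elif in_trace and (m := TRACE_RE.match(line)):
            if not m["maybe"]:          # '? frame' marks a stale stack slot
                t.call_trace.append(m["func"])
        elif in_trace:
            in_trace = False            # first non-frame line ends the trace
        for reg, val in REG_RE.findall(line):
            t.regs[reg] = int(val, 16)
    return t


if __name__ == "__main__":
    t = triage(SAMPLE_LOG)
    print(t.signature(), "kernel", t.kernel, "via", t.workqueue)
    print("null deref:", t.is_null_deref(), "zero regs:", t.zero_registers())
    print("reliable frames:", " <- ".join(t.call_trace))
    print("failed probes:", t.failed_probes)
```

Run over the full report the result is the same signature, which is what a harness would key on when it decides whether a new crash is a duplicate of this issue; the `failed_probes` list is the detail worth carrying into the report, since a handler that dereferences NULL right after a failed probe of the same device points at probe-failure cleanup rather than at the handler's own input.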