Linux kernel ACPI-centric CVE-2017-13694: Awaiting Analysis

CVE-2017-13694
Source: MITRE
Last Modified: 08/25/2017

This vulnerability is currently awaiting analysis.

The acpi_ps_complete_final_op() function in drivers/acpi/acpica/psobject.c in the Linux kernel through 4.12.9 does not flush the node and node_ext caches and causes a kernel stack dump, which allows local users to obtain sensitive information from kernel memory and bypass the KASLR protection mechanism (in the kernel through 4.9) via a crafted ACPI table.

https://nvd.nist.gov/vuln/detail/CVE-2017-13694

https://github.com/acpica/acpica/pull/278/commits/4a0243ecb4c94e2d73510d096c5ea4d0711fc6c0
https://patchwork.kernel.org/patch/9806085/

FWTS 16.09.00 released

Alex Hung of Canonical announced the latest release of FWTS, the FirmWare Test Suite, on the fwts-announce and other lists.

New Features include:
  * lib: acpi: add supports for WPBT
  * acpi: wpbt: add ACPI WPBT test
  * lib: acpi: add supports for DRTM
  * acpi: drtm: add ACPI DRTM test
  * lib: fwts_guid: add a compare function
  * acpi: nfit: check fields equals 0 for Virtual CD and Disk
  * opal: mtd: Add OPAL MTD Validation
  * acpi: ACPI Platform check updates
  * acpi: fadt: Remove HEADLESS check on reduced hardware
  * pci: aspm: Add segment support
  * ACPICA: Update to version 20160831

See the full announcement for the list of bugfixes.

http://fwts.ubuntu.com/release/fwts-V16.09.00.tar.gz
https://launchpad.net/~firmware-testing-team/+archive/ubuntu/ppa-fwts-stable
https://wiki.ubuntu.com/FirmwareTestSuite/ReleaseNotes/16.09.00
https://launchpad.net/ubuntu/+source/fwts

ACPICA shipping acpidump.efi

In recent news on the ACPICA site is:

“AcpiDump for UEFI is now available at Downloads/uefi-support – 26 August, 2016 – 13:57”

The acpidump tool now targets UEFI in addition to operating systems. Besides shipping source via GitHub, they ship a zip with prebuilt Intel 32- and 64-bit .efi binaries; there are no ARM binaries.

https://github.com/acpica/acpica/tree/master/source/tools/acpidump

https://acpica.org/downloads/uefi-support

https://acpica.org/
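As an added example (my code, not ACPICA's and not part of the acpidump project), here is a small Python checker for the text that acpidump emits: it reassembles each table from the hex rows and verifies the header's declared length and the ACPI checksum, which is the first thing to look at when a dumped table is suspected of being malformed. The dump text is constructed for the example; the line layout it assumes is acpidump's "SIG @ 0xADDR" header followed by offset-prefixed hex rows.

```python
"""Parse acpidump text output and validate ACPI table headers and checksums (added example)."""
import re
import struct

TABLE_RE = re.compile(r"^\s*(\S{4}) @ 0x([0-9A-Fa-f]+)\s*$")  # e.g. 'SSDT @ 0x7FF8A000'
ROW_RE = re.compile(r"^\s*[0-9A-Fa-f]{4}:\s((?:[0-9A-Fa-f]{2} ){1,16})")  # '0000: 53 53 ..'
HEADER = struct.Struct("<4sIBB6s8sI4sI")  # 36-byte ACPI table header as defined by the ACPI spec

# Constructed sample, not captured from firmware; the layout assumed is acpidump's.
SAMPLE_DUMP = r"""
SSDT @ 0x000000007FF8A000
    0000: 53 53 44 54 28 00 00 00 02 49 45 58 41 4D 50 4C  SSDT(....IEXAMPL
    0010: 43 4F 4E 53 54 52 43 54 01 00 00 00 50 59 54 48  CONSTRCT....PYTH
    0020: 25 08 17 20 10 02 5C 00                          %.. ..\.

SSDT @ 0x000000007FF8B000
    0000: 53 53 44 54 28 00 00 00 02 49 45 58 41 4D 50 4C  SSDT(....IEXAMPL
    0010: 43 4F 4E 53 54 52 43 54 01 00 00 00 50 59 54 48  CONSTRCT....PYTH
    0020: 25 08 17 20 10 02 5D 00                          %.. ..].
"""  # second copy has one body byte changed (5C -> 5D), so its checksum no longer sums to zero

def parse_acpidump(text):
    """Return [(signature, raw_bytes), ...] in listing order; signatures such as SSDT may repeat."""
    tables, sig, buf = [], None, bytearray()
    for line in text.splitlines():
        m = TABLE_RE.match(line)
        if m:
            if sig is not None:
                tables.append((sig, bytes(buf)))
            sig, buf = m.group(1), bytearray()
            continue
        m = ROW_RE.match(line)
        if m and sig is not None:
            buf += bytes.fromhex(m.group(1).replace(" ", ""))
    if sig is not None:
        tables.append((sig, bytes(buf)))
    return tables

def check_table(raw):
    """Header sanity: declared length fits the capture and all bytes sum to 0 mod 256."""
    if len(raw) < HEADER.size:
        return {"ok": False, "reason": "truncated header"}
    sig, length, rev, _csum, oem_id = HEADER.unpack_from(raw)[:5]
    info = {"signature": sig.decode("ascii", "replace"), "length": length,
            "revision": rev, "oem_id": oem_id.decode("ascii", "replace").strip()}
    if length > len(raw):
        return dict(info, ok=False, reason="declared length exceeds captured bytes")
    residue = sum(raw[:length]) & 0xFF  # the spec requires every table to sum to zero
    return dict(info, ok=(residue == 0), reason=None if residue == 0 else "checksum mismatch")
```

Feed it the text of an acpidump run (or an acpidump.efi output file) and walk `check_table` over `parse_acpidump`'s result; any table reporting a checksum mismatch or a length that exceeds its captured bytes deserves a closer look before the same image is handed to the kernel.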

If there is a place where the above web site’s ‘recent news’ is delivered via RSS or Atom or Twitter or NNTP or some announce mailing list or even Facebook, please leave a Comment. I think I’m not on the right ACPI list or something… Thanks.

ACPI debugger for Linux kernel

Last Friday, Lv Zheng of Intel sent a 5-part patch to the linux-acpi and linux-kernel mailing lists. Below is a documentation excerpt from the initial patch:

ACPICA / debugger: Add in-kernel AML debugger support

This patchset enables ACPICA debugger for Linux kernel and implements a userspace utility to access it.

A. Build the AML debugger
In order to build the kernel support of AML debugger, the following kconfig items should be enabled:
 CONFIG_ACPI_DEBUG=y
 CONFIG_ACPI_DEBUGGER=y
 CONFIG_DEBUG_FS=y
 CONFIG_ACPI_DEBUGGER_USER=m
The userspace tool can be found at tools/power/acpi/tools/acpidbg. To build this utility, stay in the tools folder and type "make acpi".

B. Load the AML debugger during runtime
In order to use the in-kernel AML debugger, the following command should be executed using root user:
 # modprobe acpi_dbg
 # mount -t debugfs none /sys/kernel/debug
 # acpidbg

C. Batch mode
In order to support scripts, the userspace utility also supports single command batch mode:
 # acpidbg -b "help"
 # acpidbg -b "tables"
 # acpidbg -b "find _LID"
 # acpidbg -b "execute \_SB.LID0._LID"
You can find the documentation about the ACPICA debugger commands in:
 https://acpica.org/sites/acpica/files/acpica-reference_17.pdf
 (The latest document can be found at https://acpica.org/documentation)
Refer to the chapter "ACPICA debugger reference" to obtain the full description of the debugger commands. Note that not all commands are supported by the in-kernel AML debugger.

D. Unload the AML debugger during runtime
After terminating all acpidbg instances, the following command can be executed to remove the AML debugger from kernel:
 # rmmod acpi_dbg

The following tasks are not completed:
1. .flush() support in the kernel debugger IO driver.
2. multi-commands batch mode.
3. upstream the userspace acpidbg to the ACPICA upstream.

For more information, see the threads on the linux-kernel and linux-acpi mailing lists, run at vger.kernel.org.

ACPI testing with BITS Python

Recently, Josh Triplett of Intel gave a talk on using the BIOS Implementation Test Suite (BITS) at LinuxCon North America.
http://events.linuxfoundation.org/events/linuxcon-north-america/program/slides

Demystifying ACPI and EFI via Python and BITS

Slides: bits-with-demo.pdf

BTW, Josh gave another talk at LinuxConNA’15 as well:

Everything’s a File Descriptor

Slides: fd_0.pdf

I think I’ve mentioned BITS in this blog before, but just in case I haven’t: BITS is a powerful, strange set of BIOS diagnostic tools. BITS started as a BIOS-centric tool, but now includes some UEFI support as well. BITS uses the GRUB boot manager as its UI, with GRUB menus for the different features; see the screenshots page for a better understanding:
http://biosbits.org/screenshots/

BITS also includes a Python interpreter, so you can do interactive Python, or write scripts to test firmware. BITS has interfaces for BIOS, UEFI, and ACPI data.
http://biosbits.org/scripting/

Jake Edge wrote an excellent follow-up to Josh’s LinuxCon talk, an article on LWN.net discussing BITS’s Python for UEFI and ACPI investigations.

In a talk that could easily be seen as a follow-on to his PyCon 2015 talk, Josh Triplett presented at LinuxCon North America on using Python to explore the low-level firmware of today’s systems. The BIOS Implementation Test Suite (BITS) provides an environment that hearkens back to the days of BASIC, PEEK, and POKE, as he demonstrated at PyCon in Montréal in April, but it is much more than that. In Seattle at LinuxCon, he showed that it can also be used to look at and use the EFI and ACPI code in a system—all from Python.

The article is part of LWN.net’s subscriber-only content and has been ‘leaked’ (see the next URL below); as the link on the page mentions, an occasional leak isn’t too bad and helps with subscriptions. If you don’t have an LWN subscription, please think about it: they are probably the best news source for low-level Linux technologies, and they have a 1-month free trial.

After reading this article, Laszlo Ersek of Red Hat started a thread with Josh on the QEMU and UEFI dev mailing lists, with some new ways of thinking about using BITS Python for ACPI testing. There are lots of good ideas in this thread; if you care about QEMU, ACPI, AML, or ACPICA tools, please read it. Sorry, I’m too lazy to summarize all of the ACPI nuances in the thread, but it’s only a few messages.

Using Python to investigate EFI and ACPI
Newsgroups: gmane.comp.emulators.qemu, gmane.comp.bios.edk2.devel
http://thread.gmane.org/gmane.comp.emulators.qemu/358997

I hope some of the ACPI/AML testing ideas in this thread happen!

More Information:

https://github.com/biosbits/bits

ACPICA releases Version 20150818

Last week ACPICA.org released a new version of their ACPI code. Version 20150818, released 2015-08-18, has various bugfixes, cleanups and simplifications to the ACPI Disassembler and Debugger, including making the Debugger a fully standalone component. There are also various new command-line options in the AcpiNames, AcpiExec, iASL/Disassembler and Debugger tools.

Two specific new Disassembler and Debugger commands:

iASL/Disassembler: Implemented a prototype “listing” mode that emits AML that corresponds to each disassembled ASL statement, to simplify debugging.

Debugger: Add option to the “objects” command to display a summary of the current namespace objects (Object type and count). This is displayed if the command is entered with no arguments.

Besides this release, the trunk has some even fresher updates. For full details, see the readme in the source distribution and trunk history.

https://acpica.org/downloads/version-20150717
https://github.com/acpica/acpica/commits/master
https://acpica.org/source
https://github.com/acpica/acpica/