Acknowledged
Created: Jul 11, 2025
Updated: Jul 14, 2025
Found In Version: 10.23.30.1
Severity: Standard
Applicable for: Wind River Linux LTS 23
Component/s: Kernel
In the Linux kernel, the following vulnerability has been resolved:

ACPICA: fix acpi operand cache leak in dswstate.c

ACPICA commit 987a3b5cf7175916e2a4b6ea5b8e70f830dfe732

I found an ACPI cache leak in the ACPI early termination and boot continuing case.

When early termination occurs due to a malicious ACPI table, the Linux kernel
terminates the ACPI function and continues the boot process. While the kernel terminates
the ACPI function, kmem_cache_destroy() reports an Acpi-Operand cache leak.

Boot log of the ACPI operand cache leak is as follows:
>[ 0.585957] ACPI: Added _OSI(Module Device)
>[ 0.587218] ACPI: Added _OSI(Processor Device)
>[ 0.588530] ACPI: Added _OSI(3.0 _SCP Extensions)
>[ 0.589790] ACPI: Added _OSI(Processor Aggregator Device)
>[ 0.591534] ACPI Error: Illegal I/O port address/length above 64K: C806E00000004002/0x2 (20170303/hwvalid-155)
>[ 0.594351] ACPI Exception: AE_LIMIT, Unable to initialize fixed events (20170303/evevent-88)
>[ 0.597858] ACPI: Unable to start the ACPI Interpreter
>[ 0.599162] ACPI Error: Could not remove SCI handler (20170303/evmisc-281)
>[ 0.601836] kmem_cache_destroy Acpi-Operand: Slab cache still has objects
>[ 0.603556] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.12.0-rc5 #26
>[ 0.605159] Hardware name: innotek gmb_h virtual_box/virtual_box, BIOS virtual_box 12/01/2006
>[ 0.609177] Call Trace:
>[ 0.610063] ? dump_stack+0x5c/0x81
>[ 0.611118] ? kmem_cache_destroy+0x1aa/0x1c0
>[ 0.612632] ? acpi_sleep_proc_init+0x27/0x27
>[ 0.613906] ? acpi_os_delete_cache+0xa/0x10
>[ 0.617986] ? acpi_ut_delete_caches+0x3f/0x7b
>[ 0.619293] ? acpi_terminate+0xa/0x14
>[ 0.620394] ? acpi_init+0x2af/0x34f
>[ 0.621616] ? __class_create+0x4c/0x80
>[ 0.623412] ? video_setup+0x7f/0x7f
>[ 0.624585] ? acpi_sleep_proc_init+0x27/0x27
>[ 0.625861] ? do_one_initcall+0x4e/0x1a0
>[ 0.627513] ? kernel_init_freeable+0x19e/0x21f
>[ 0.628972] ? rest_init+0x80/0x80
>[ 0.630043] ? kernel_init+0xa/0x100
>[ 0.631084] ? ret_from_fork+0x25/0x30
>[ 0.633343] vgaarb: loaded
>[ 0.635036] EDAC MC: Ver: 3.0.0
>[ 0.638601] PCI: Probing PCI hardware
>[ 0.639833] PCI host bridge to bus 0000:00
>[ 0.641031] pci_bus 0000:00: root bus resource [io 0x0000-0xffff]
> ... Continue to boot and log is omitted ...

I analyzed this memory leak in detail and found that the acpi_ds_obj_stack_pop_and_delete()
function miscalculated the top of the stack. The acpi_ds_obj_stack_push()
function uses walk_state->operand_index for the start position of the top, but
the acpi_ds_obj_stack_pop_and_delete() function considers index 0 for it.
Therefore, this causes an acpi operand memory leak.

This cache leak causes a security threat because an old kernel (<= 4.9) shows
memory locations of kernel functions in the stack dump. Some malicious users
could use this information to neutralize kernel ASLR.

I made a patch to fix the ACPI operand cache leak.
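The index mismatch the commit message describes can be seen in a small model of the operand stack. The following C program is an added illustration and is not ACPICA's code or the upstream patch: the `walk_state`, `operand`, `stack_push` and the two `stack_pop_and_delete_*` routines are simplified stand-ins whose names and layout are assumptions, and `live_objects` plays the role of the Acpi-Operand slab object count that kmem_cache_destroy() complained about. Push places each operand at `operand_index + num_operands`; the buggy pop frees slots counted from index 0, so whenever `operand_index` is non-zero some pushed objects are never released, while the fixed pop frees the same slots push filled.

```c
/* Added example (not ACPICA code): model of the operand-stack index mismatch
 * described in the advisory. All names here are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_OPERANDS 8

/* Hypothetical operand object; only its lifetime matters for this model. */
struct operand {
    int id;
};

/* Hypothetical walk state carrying the two fields the advisory names. */
struct walk_state {
    struct operand *operands[MAX_OPERANDS];
    unsigned int num_operands;   /* entries currently pushed */
    unsigned int operand_index;  /* start position of this walk's operands */
};

/* Stands in for the number of objects still held by the Acpi-Operand cache. */
static int live_objects;

static struct operand *operand_alloc(int id)
{
    struct operand *o = calloc(1, sizeof *o);
    if (!o)
        abort();
    o->id = id;
    live_objects++;
    return o;
}

static void operand_release(struct operand *o)
{
    live_objects--;
    free(o);
}

/* Push starts at the walk's operand_index, as the advisory says
 * acpi_ds_obj_stack_push() does. */
static int stack_push(struct walk_state *ws, struct operand *o)
{
    unsigned int pos = ws->operand_index + ws->num_operands;
    if (pos >= MAX_OPERANDS)
        return -1;
    ws->operands[pos] = o;
    ws->num_operands++;
    return 0;
}

/* Buggy pop: walks slots from index 0, so with operand_index > 0 it frees
 * the wrong (often empty) slots and leaves pushed objects alive. */
static void stack_pop_and_delete_buggy(struct walk_state *ws, unsigned int pop_count)
{
    for (int i = (int)pop_count - 1; i >= 0; i--) {
        if (ws->num_operands == 0)
            return;
        ws->num_operands--;
        if (ws->operands[i]) {
            operand_release(ws->operands[i]);
            ws->operands[i] = NULL;
        }
    }
}

/* Fixed pop: computes the slot relative to operand_index, matching push. */
static void stack_pop_and_delete_fixed(struct walk_state *ws, unsigned int pop_count)
{
    for (int i = (int)pop_count - 1; i >= 0; i--) {
        if (ws->num_operands == 0)
            return;
        ws->num_operands--;
        unsigned int pos = ws->operand_index + ws->num_operands;
        if (ws->operands[pos]) {
            operand_release(ws->operands[pos]);
            ws->operands[pos] = NULL;
        }
    }
}

/* Push `count` operands for a walk starting at `start`, pop them all with the
 * chosen routine, and return how many objects were left behind (0 = no leak). */
static int leaked_after_run(unsigned int start, unsigned int count, int use_fix)
{
    struct walk_state ws;
    memset(&ws, 0, sizeof ws);
    ws.operand_index = start;
    live_objects = 0;
    for (unsigned int k = 0; k < count; k++)
        stack_push(&ws, operand_alloc((int)k));
    if (use_fix)
        stack_pop_and_delete_fixed(&ws, count);
    else
        stack_pop_and_delete_buggy(&ws, count);
    int leaked = live_objects;
    /* Release whatever the routine under test missed, so the model itself is clean. */
    for (unsigned int k = 0; k < MAX_OPERANDS; k++)
        if (ws.operands[k]) {
            free(ws.operands[k]);
            ws.operands[k] = NULL;
        }
    return leaked;
}

int main(void)
{
    printf("operand_index=0: buggy leaks %d, fixed leaks %d\n",
           leaked_after_run(0, 3, 0), leaked_after_run(0, 3, 1));
    printf("operand_index=2: buggy leaks %d, fixed leaks %d\n",
           leaked_after_run(2, 3, 0), leaked_after_run(2, 3, 1));
    return 0;
}
```

With `operand_index` at 0 both routines free everything, which is why the defect is easy to miss; with a non-zero start the buggy routine leaves objects in the cache, and on a kernel where ACPI aborts early that is exactly the "Slab cache still has objects" report in the boot log above.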
CREATE(Triage): (User=admin) CVE-2025-38345 (https://nvd.nist.gov/vuln/detail/CVE-2025-38345)