From 08b74a000942a380fe028845f92cd3a0dee827d5 Mon Sep 17 00:00:00 2001
From: Daniel Baumann <daniel.baumann@progress-linux.org>
Date: Mon, 6 May 2024 03:02:38 +0200
Subject: Adding debian version 4.19.249-2.

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
---
 ...fs-Disallow-loading-ACPI-tables-when-lock.patch | 44 ++++++++++++++++++++++
 1 file changed, 44 insertions(+)
 create mode 100644 debian/patches/features/all/lockdown/ACPI-configfs-Disallow-loading-ACPI-tables-when-lock.patch

(limited to 'debian/patches/features/all/lockdown/ACPI-configfs-Disallow-loading-ACPI-tables-when-lock.patch')

diff --git a/debian/patches/features/all/lockdown/ACPI-configfs-Disallow-loading-ACPI-tables-when-lock.patch b/debian/patches/features/all/lockdown/ACPI-configfs-Disallow-loading-ACPI-tables-when-lock.patch
new file mode 100644
index 000000000..4970a4bd4
--- /dev/null
+++ b/debian/patches/features/all/lockdown/ACPI-configfs-Disallow-loading-ACPI-tables-when-lock.patch
@@ -0,0 +1,44 @@
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Mon, 15 Jun 2020 04:43:32 -0600
+Subject: ACPI: configfs: Disallow loading ACPI tables when locked down
+Origin: https://git.kernel.org/linus/75b0cea7bf307f362057cc778efe89af4c615354
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2020-15780
+
+Like other vectors already patched, this one here allows the root
+user to load ACPI tables, which enables arbitrary physical address
+writes, which in turn makes it possible to disable lockdown.
+
+Prevents this by checking the lockdown status before allowing a new
+ACPI table to be installed. The link in the trailer shows a PoC of
+how this might be used.
+
+Link: https://git.zx2c4.com/american-unsigned-language/tree/american-unsigned-language-2.sh
+Cc: 5.4+ <stable@vger.kernel.org> # 5.4+
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+[Salvatore Bonaccorso: Backport to v4.19.y: Use kernel_is_locked_down instead
+of security_locked_down]
+---
+ drivers/acpi/acpi_configfs.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/acpi/acpi_configfs.c
++++ b/drivers/acpi/acpi_configfs.c
+@@ -14,6 +14,7 @@
+ #include <linux/module.h>
+ #include <linux/configfs.h>
+ #include <linux/acpi.h>
++#include <linux/security.h>
+ 
+ #include "acpica/accommon.h"
+ #include "acpica/actables.h"
+@@ -33,6 +34,9 @@ static ssize_t acpi_table_aml_write(stru
+ 	struct acpi_table *table;
+ 	int ret;
+ 
++	if (kernel_is_locked_down("Modifying ACPI tables"))
++		return -EPERM;
++
+ 	table = container_of(cfg, struct acpi_table, cfg);
+ 
+ 	if (table->header) {
-- 
cgit v1.2.3