fkie_cve-2024-49858
Vulnerability from fkie_nvd
Published
2024-10-21 13:15
Modified
2024-10-23 16:35
Severity ?
5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
In the Linux kernel, the following vulnerability has been resolved: efistub/tpm: Use ACPI reclaim memory for event log to avoid corruption The TPM event log table is a Linux specific construct, where the data produced by the GetEventLog() boot service is cached in memory, and passed on to the OS using an EFI configuration table. The use of EFI_LOADER_DATA here results in the region being left unreserved in the E820 memory map constructed by the EFI stub, and this is the memory description that is passed on to the incoming kernel by kexec, which is therefore unaware that the region should be reserved. Even though the utility of the TPM2 event log after a kexec is questionable, any corruption might send the parsing code off into the weeds and crash the kernel. So let's use EFI_ACPI_RECLAIM_MEMORY instead, which is always treated as reserved by the E820 conversion logic.
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/11690d7e76842f29b60fbb5b35bc97d206ea0e83Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/19fd2f2c5fb36b61506d3208474bfd8fdf1cada3Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/2e6871a632a99d9b9e2ce3a7847acabe99e5a26ePatch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/38d9b07d99b789efb6d8dda21f1aaad636c38993Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/5b22c038fb2757c652642933de5664da471f8cb7Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/77d48d39e99170b528e4f2e9fc5d1d64cdedd386Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/f76b69ab9cf04358266e3cea5748c0c2791fbb08Patch
Impacted products
Vendor Product Version
linux linux_kernel *
linux linux_kernel *
linux linux_kernel *
linux linux_kernel *
linux linux_kernel *
linux linux_kernel *


To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "EB525A44-6338-4857-AD90-EA2860D1AD1F",
              "versionEndExcluding": "5.10.227",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "4D51C05D-455B-4D8D-89E7-A58E140B864C",
              "versionEndExcluding": "5.15.168",
              "versionStartIncluding": "5.11",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "D01BD22E-ACD1-4618-9D01-6116570BE1EE",
              "versionEndExcluding": "6.1.113",
              "versionStartIncluding": "5.16",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "D448821D-C085-4CAF-88FA-2DDE7BE21976",
              "versionEndExcluding": "6.6.54",
              "versionStartIncluding": "6.2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "CE94BB8D-B0AB-4563-9ED7-A12122B56EBE",
              "versionEndExcluding": "6.10.13",
              "versionStartIncluding": "6.7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "AB755D26-97F4-43B6-8604-CD076811E181",
              "versionEndExcluding": "6.11.2",
              "versionStartIncluding": "6.11",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nefistub/tpm: Use ACPI reclaim memory for event log to avoid corruption\n\nThe TPM event log table is a Linux specific construct, where the data\nproduced by the GetEventLog() boot service is cached in memory, and\npassed on to the OS using an EFI configuration table.\n\nThe use of EFI_LOADER_DATA here results in the region being left\nunreserved in the E820 memory map constructed by the EFI stub, and this\nis the memory description that is passed on to the incoming kernel by\nkexec, which is therefore unaware that the region should be reserved.\n\nEven though the utility of the TPM2 event log after a kexec is\nquestionable, any corruption might send the parsing code off into the\nweeds and crash the kernel. So let\u0027s use EFI_ACPI_RECLAIM_MEMORY\ninstead, which is always treated as reserved by the E820 conversion\nlogic."
    },
    {
      "lang": "es",
      "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: efistub/tpm: Utilizar la memoria de recuperaci\u00f3n ACPI para el registro de eventos para evitar la corrupci\u00f3n La tabla de registro de eventos TPM es una construcci\u00f3n espec\u00edfica de Linux, donde los datos producidos por el servicio de arranque GetEventLog() se almacenan en cach\u00e9 en la memoria y se pasan al sistema operativo mediante una tabla de configuraci\u00f3n EFI. El uso de EFI_LOADER_DATA aqu\u00ed da como resultado que la regi\u00f3n quede sin reservar en el mapa de memoria E820 construido por el stub EFI, y esta es la descripci\u00f3n de memoria que se pasa al kernel entrante por kexec, que por lo tanto no sabe que la regi\u00f3n debe reservarse. Aunque la utilidad del registro de eventos TPM2 despu\u00e9s de un kexec es cuestionable, cualquier corrupci\u00f3n podr\u00eda enviar el c\u00f3digo de an\u00e1lisis a la maleza y bloquear el kernel. As\u00ed que usemos EFI_ACPI_RECLAIM_MEMORY en su lugar, que siempre se trata como reservado por la l\u00f3gica de conversi\u00f3n E820."
    }
  ],
  "id": "CVE-2024-49858",
  "lastModified": "2024-10-23T16:35:10.097",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 5.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-10-21T13:15:06.543",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/11690d7e76842f29b60fbb5b35bc97d206ea0e83"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/19fd2f2c5fb36b61506d3208474bfd8fdf1cada3"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/2e6871a632a99d9b9e2ce3a7847acabe99e5a26e"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/38d9b07d99b789efb6d8dda21f1aaad636c38993"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/5b22c038fb2757c652642933de5664da471f8cb7"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/77d48d39e99170b528e4f2e9fc5d1d64cdedd386"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/f76b69ab9cf04358266e3cea5748c0c2791fbb08"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-noinfo"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.