cve/published/2024/CVE-2024-35803.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-35803: x86/efistub: Call mixed mode boot services on the firmware's stack

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 x86/efistub: Call mixed mode boot services on the firmware's stack

 Normally, the EFI stub calls into the EFI boot services using the stack
 that was live when the stub was entered. According to the UEFI spec,
 this stack needs to be at least 128k in size - this might seem large but
 all asynchronous processing and event handling in EFI runs from the same
 stack and so quite a lot of space may be used in practice.

 In mixed mode, the situation is a bit different: the bootloader calls
 the 32-bit EFI stub entry point, which calls the decompressor's 32-bit
 entry point, where the boot stack is set up, using a fixed allocation
 of 16k. This stack is still in use when the EFI stub is started in
 64-bit mode, and so all calls back into the EFI firmware will be using
 the decompressor's limited boot stack.

 Due to the placement of the boot stack right after the boot heap, any
 stack overruns have gone unnoticed. However, commit

   5c4feadb0011983b ("x86/decompressor: Move global symbol references to C code")

 moved the definition of the boot heap into C code, and now the boot
 stack is placed right at the base of BSS, where any overruns will
 corrupt the end of the .data section.

 While it would be possible to work around this by increasing the size of
 the boot stack, doing so would affect all x86 systems, and mixed mode
 systems are a tiny (and shrinking) fraction of the x86 installed base.

 So instead, record the firmware stack pointer value when entering from
 the 32-bit firmware, and switch to this stack every time a EFI boot
 service call is made.

 The Linux kernel CVE team has assigned CVE-2024-35803 to this issue.


 Affected and fixed versions
 ===========================

 	Fixed in 6.1.84 with commit 2149f8a56e2ed345c7a4d022a79f6b8fc53ae926
 	Fixed in 6.6.24 with commit 930775060ca348b8665f60eef14b204172d14f31
 	Fixed in 6.7.12 with commit fba7ee7187581b5bc222003e73e2592b398bb06d
 	Fixed in 6.8.3 with commit 725351c036452b7db5771a7bed783564bc4b99cc
 	Fixed in 6.9 with commit cefcd4fe2e3aaf792c14c9e56dab89e3d7a65d02

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-35803
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	arch/x86/boot/compressed/efi_mixed.S


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/2149f8a56e2ed345c7a4d022a79f6b8fc53ae926
 	https://git.kernel.org/stable/c/930775060ca348b8665f60eef14b204172d14f31
 	https://git.kernel.org/stable/c/fba7ee7187581b5bc222003e73e2592b398bb06d
 	https://git.kernel.org/stable/c/725351c036452b7db5771a7bed783564bc4b99cc
 	https://git.kernel.org/stable/c/cefcd4fe2e3aaf792c14c9e56dab89e3d7a65d02
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-35803: x86/efistub: Call mixed mode boot services on the firmware's stack

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	x86/efistub: Call mixed mode boot services on the firmware's stack

	Normally, the EFI stub calls into the EFI boot services using the stack
	that was live when the stub was entered. According to the UEFI spec,
	this stack needs to be at least 128k in size - this might seem large but
	all asynchronous processing and event handling in EFI runs from the same
	stack and so quite a lot of space may be used in practice.

	In mixed mode, the situation is a bit different: the bootloader calls
	the 32-bit EFI stub entry point, which calls the decompressor's 32-bit
	entry point, where the boot stack is set up, using a fixed allocation
	of 16k. This stack is still in use when the EFI stub is started in
	64-bit mode, and so all calls back into the EFI firmware will be using
	the decompressor's limited boot stack.

	Due to the placement of the boot stack right after the boot heap, any
	stack overruns have gone unnoticed. However, commit

	5c4feadb0011983b ("x86/decompressor: Move global symbol references to C code")

	moved the definition of the boot heap into C code, and now the boot
	stack is placed right at the base of BSS, where any overruns will
	corrupt the end of the .data section.

	While it would be possible to work around this by increasing the size of
	the boot stack, doing so would affect all x86 systems, and mixed mode
	systems are a tiny (and shrinking) fraction of the x86 installed base.

	So instead, record the firmware stack pointer value when entering from
	the 32-bit firmware, and switch to this stack every time a EFI boot
	service call is made.

	The Linux kernel CVE team has assigned CVE-2024-35803 to this issue.


	Affected and fixed versions
	===========================

	Fixed in 6.1.84 with commit 2149f8a56e2ed345c7a4d022a79f6b8fc53ae926
	Fixed in 6.6.24 with commit 930775060ca348b8665f60eef14b204172d14f31
	Fixed in 6.7.12 with commit fba7ee7187581b5bc222003e73e2592b398bb06d
	Fixed in 6.8.3 with commit 725351c036452b7db5771a7bed783564bc4b99cc
	Fixed in 6.9 with commit cefcd4fe2e3aaf792c14c9e56dab89e3d7a65d02

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-35803
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	arch/x86/boot/compressed/efi_mixed.S


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/2149f8a56e2ed345c7a4d022a79f6b8fc53ae926
	https://git.kernel.org/stable/c/930775060ca348b8665f60eef14b204172d14f31
	https://git.kernel.org/stable/c/fba7ee7187581b5bc222003e73e2592b398bb06d
	https://git.kernel.org/stable/c/725351c036452b7db5771a7bed783564bc4b99cc
	https://git.kernel.org/stable/c/cefcd4fe2e3aaf792c14c9e56dab89e3d7a65d02