In the Linux kernel, the following vulnerability has been resolved:
EFI/CPER: don't go past the ARM processor CPER record buffer
There's logic inside GHES/CPER to detect if the section_length
is too small, but it doesn't detect if it is too big.
Currently, if the firmware receives an ARM processor CPER record
stating that a section length is big, the kernel will blindly trust
section_length, producing a very long dump. For instance, a 67
bytes record with ERR_INFO_NUM set to 46198 and section length
set to 854918320 would dump a lot of data going way past the
firmware memory-mapped area.
Fix it by adding logic to prevent it from going past the buffer
if ERR_INFO_NUM is too big, making it report instead:
[Hardware Error]: Hardware error from APEI Generic Hardware Error Source: 1
[Hardware Error]: event severity: recoverable
[Hardware Error]: Error 0, type: recoverable
[Hardware Error]: section_type: ARM processor error
[Hardware Error]: MIDR: 0xff304b2f8476870a
[Hardware Error]: section length: 854918320, CPER size: 67
[Hardware Error]: section length is too big
[Hardware Error]: firmware-generated error record is incorrect
[Hardware Error]: ERR_INFO_NUM is 46198
[ rjw: Subject and changelog tweaks ]
A vulnerability in the Linux kernel's EFI/CPER handler allows firmware to specify excessively large ARM processor error record sections, causing the kernel to read past buffer boundaries and dump excessive memory. This occurs when ERR_INFO_NUM values are manipulated to exceed actual buffer size, potentially exposing sensitive kernel memory.
The vulnerability lies in the Linux kernel's GHES/CPER handler, which does not verify that the section length declared by the firmware does not exceed the actual buffer size. When the firmware sets a very large value for ERR_INFO_NUM and the section length, the kernel reads memory outside the allocated bounds.
Update the Linux kernel to the patched version that includes bounds checking for ARM processor CPER record section lengths. Verify that ERR_INFO_NUM validation prevents reading beyond allocated buffer boundaries. Apply security patches from your Linux distribution vendor immediately.
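The bounds check described above, as an added user-space example that is not the kernel's code: it validates the declared section length and ERR_INFO_NUM against the number of bytes actually received. The header size (40), entry size (32), field offsets and all function names are assumptions made for this illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed sizes for this illustration; not taken from the kernel source. */
#define ARM_HDR_SIZE      40u  /* fixed part of the ARM processor section */
#define ARM_ERR_INFO_SIZE 32u  /* one error-information entry */

enum cper_check { CPER_OK = 0, CPER_TRUNCATED, CPER_LEN_TOO_SMALL,
                  CPER_LEN_TOO_BIG, CPER_ERR_INFO_OVERRUN };

/* Read little-endian fields without assuming alignment. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* buf_len is the size of the record actually received; lengths stored
 * inside buf are untrusted and must be checked against it. */
enum cper_check check_arm_section(const uint8_t *buf, size_t buf_len)
{
    if (buf_len < ARM_HDR_SIZE)
        return CPER_TRUNCATED;                /* header itself incomplete */
    uint16_t err_info_num   = rd16(buf + 4);  /* assumed offset */
    uint32_t section_length = rd32(buf + 8);  /* assumed offset */
    if (section_length < ARM_HDR_SIZE)
        return CPER_LEN_TOO_SMALL;
    if (section_length > buf_len)
        return CPER_LEN_TOO_BIG;              /* the missing upper bound */
    /* 64-bit arithmetic so the entry-count multiplication cannot wrap. */
    uint64_t need = ARM_HDR_SIZE + (uint64_t)err_info_num * ARM_ERR_INFO_SIZE;
    if (need > section_length)
        return CPER_ERR_INFO_OVERRUN;
    return CPER_OK;
}

/* Builds a constructed record (buf_len <= 256) carrying the given fields. */
enum cper_check check_sample(size_t buf_len, uint16_t n, uint32_t sec_len)
{
    uint8_t buf[256] = {0};
    buf[4] = n & 0xff; buf[5] = n >> 8;
    for (int i = 0; i < 4; i++) buf[8 + i] = (sec_len >> (8 * i)) & 0xff;
    return check_arm_section(buf, buf_len);
}

int main(void)
{
    printf("67-byte record: %d\n", check_sample(67, 46198, 854918320u));
    return 0;
}
```

The values passed in `main` are the ones from the changelog (a 67-byte record, ERR_INFO_NUM 46198, section length 854918320), which this check rejects as too big before any entry is read.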