CVE-2022-48769 in Linuxinfo

Summary

by MITRE • 06/20/2024

In the Linux kernel, the following vulnerability has been resolved:

efi: runtime: avoid EFIv2 runtime services on Apple x86 machines

Aditya reports [0] that his recent MacbookPro crashes in the firmware
when using the variable services at runtime. The culprit appears to be a call to QueryVariableInfo(), which we did not use to call on Apple x86 machines in the past as they only upgraded from EFI v1.10 to EFI v2.40 firmware fairly recently, and QueryVariableInfo() (along with UpdateCapsule() et al) was added in EFI v2.00.

The only runtime service introduced in EFI v2.00 that we actually use in Linux is QueryVariableInfo(), as the capsule based ones are optional, generally not used at runtime (all the LVFS/fwupd firmware update infrastructure uses helper EFI programs that invoke capsule update at boot time, not runtime), and not implemented by Apple machines in the first place. QueryVariableInfo() is used to 'safely' set variables, i.e., only when there is enough space. This prevents machines with buggy firmwares from corrupting their NVRAMs when they run out of space.

Given that Apple machines have been using EFI v1.10 services only for the longest time (the EFI v2.0 spec was released in 2006, and Linux support for the newly introduced runtime services was added in 2011, but the MacbookPro12,1 released in 2015 still claims to be EFI v1.10 only), let's avoid the EFI v2.0 ones on all Apple x86 machines.

[0] https://lore.kernel.org/all/[email protected]/

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 09/29/2025

The vulnerability described in CVE-2022-48769 represents a critical compatibility issue within the Linux kernel's EFI runtime services implementation specifically affecting Apple x86-based machines. This flaw stems from the kernel's improper handling of EFI v2.0 runtime services on hardware that officially supports only EFI v1.10 specifications. The issue manifests as system crashes during firmware operations when the kernel attempts to utilize the QueryVariableInfo() function, which was introduced in EFI v2.00 specifications from 2006. This function serves as a safety mechanism to prevent NVRAM corruption by checking available space before variable updates, but its implementation on Apple hardware causes instability due to firmware incompatibility.

The technical root cause lies in the kernel's runtime service selection logic that fails to properly account for the firmware version discrepancies on Apple x86 machines. Despite these machines having firmware versions that officially support only EFI v1.10, the Linux kernel was attempting to invoke EFI v2.00 functions including QueryVariableInfo() that were not properly implemented or supported by Apple's firmware implementations. This creates a scenario where the kernel's attempt to use modern EFI features results in system instability and crashes, particularly when the kernel tries to perform variable management operations during runtime. The vulnerability specifically affects systems where the EFI firmware claims to be v1.10 but the kernel attempts to use v2.00 runtime services that Apple's firmware does not properly support.

From an operational perspective, this vulnerability impacts the stability and reliability of Linux installations on Apple x86 hardware, particularly affecting systems such as the MacBook Pro 12,1 released in 2015. The crash occurs during firmware variable operations and can potentially lead to complete system failure during critical operations like firmware updates or system configuration changes. The issue is particularly concerning because it affects the fundamental EFI runtime services that Linux uses for maintaining system state and configuration across reboots. This vulnerability directly impacts the Linux kernel's ability to provide stable runtime services on Apple hardware, potentially causing data loss or system corruption during variable management operations.

The fix implemented addresses this by explicitly avoiding EFI v2.00 runtime services on all Apple x86 machines, reverting to the EFI v1.10 compatible functions that have been properly supported by Apple's firmware implementations. This approach aligns with the principle of maintaining compatibility with the actual firmware capabilities rather than attempting to use newer features that may not be properly implemented. The solution follows established security practices by ensuring that software operates within the bounds of supported hardware capabilities. The mitigation strategy specifically targets the QueryVariableInfo() function which was identified as the primary culprit in the crashes, while maintaining support for other EFI services that are properly implemented on Apple hardware. This approach reduces the attack surface and ensures stable operation of the Linux kernel on Apple x86 systems.

This vulnerability classification aligns with CWE-119 which deals with improper restriction of operations within a defined access scope, and relates to ATT&CK technique T1059.001 for command and scripting interpreter. The issue demonstrates the importance of firmware compatibility verification in kernel design and highlights how modern software features can inadvertently cause problems when deployed on hardware with limited firmware support. The fix demonstrates proper adherence to the principle of least privilege by ensuring that the kernel only uses features that are properly supported by the target hardware platform, thereby reducing the potential for system instability and security-related issues that could arise from attempting to use unsupported features.

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!