CVE-2024-49858 in Linux

Summary

by MITRE • 10/21/2024

In the Linux kernel, the following vulnerability has been resolved:

efistub/tpm: Use ACPI reclaim memory for event log to avoid corruption

The TPM event log table is a Linux specific construct, where the data produced by the GetEventLog() boot service is cached in memory, and passed on to the OS using an EFI configuration table.

The use of EFI_LOADER_DATA here results in the region being left unreserved in the E820 memory map constructed by the EFI stub, and this is the memory description that is passed on to the incoming kernel by kexec, which is therefore unaware that the region should be reserved.

Even though the utility of the TPM2 event log after a kexec is questionable, any corruption might send the parsing code off into the weeds and crash the kernel. So let's use EFI_ACPI_RECLAIM_MEMORY instead, which is always treated as reserved by the E820 conversion logic.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 01/19/2026

The vulnerability described in CVE-2024-49858 resides in the Linux kernel's efistub implementation and concerns how the TPM event log is handled during boot and across kernel transitions. It sits at the boundary between the EFI firmware interfaces and the kernel's memory map handling, and becomes relevant when kexec is used to load a new kernel. The root cause is a memory reservation error that can lead to system instability.

The flaw is in the efistub, which caches the TPM event log in memory of type EFI_LOADER_DATA. That memory type is not marked reserved in the E820 memory map the EFI stub constructs, so when the system later uses kexec to load a new kernel, the region is presented as free memory and can be handed out for other allocations, corrupting the cached event log. The E820 conversion logic deliberately treats EFI_LOADER_DATA regions as usable RAM, so the firmware-side placement of the log and the incoming kernel's view of what it may allocate no longer match. Memory that is still in use is described as free, which is a straightforward resource management error.

The operational impact goes beyond corruption of the cached data: the kernel's event log parser may encounter malformed structures and crash during boot or when the log is read. The TPM event log is a key input for system integrity verification and security auditing, particularly in trusted computing environments. The issue affects systems that use kexec for kernel transitions and matters most where TPM2 event logs are relied on for security validation. It shows how a seemingly minor memory management decision can have cascading effects on stability and security posture.

The fix changes the memory type used for the TPM event log from EFI_LOADER_DATA to EFI_ACPI_RECLAIM_MEMORY. The E820 conversion logic always treats EFI_ACPI_RECLAIM_MEMORY as reserved, so the region stays reserved in the E820 map constructed by the EFI stub and in the map passed to the kexec'd kernel, and cannot be allocated to other system components. This resolves the reservation mismatch that allowed the corruption and keeps the cached event log intact across the boot process and kernel transitions.
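The E820 conversion behaviour described in the commit message and in the mitigation above, as an added example that is not kernel code: a simplified C model of how the EFI stub classifies firmware memory types. The enum values follow the UEFI specification and the Linux boot protocol; the descriptor and the address it uses are constructed for the example.

```c
/* Added example, not kernel code: a simplified model of how the EFI stub's
 * E820 conversion classifies firmware memory types. It shows why an event log
 * in EFI_LOADER_DATA reaches a kexec'd kernel as usable RAM, while one in
 * EFI_ACPI_RECLAIM_MEMORY is passed on as reserved. */
#include <stdint.h>
#include <stdio.h>

/* UEFI memory type numbers (EFI_MEMORY_TYPE in the UEFI spec). */
enum efi_mem_type {
    EFI_LOADER_DATA         = 2,
    EFI_BOOT_SERVICES_DATA  = 4,
    EFI_CONVENTIONAL_MEMORY = 7,
    EFI_ACPI_RECLAIM_MEMORY = 9,
};
/* E820 entry types from the Linux x86 boot protocol. */
enum e820_type { E820_TYPE_RAM = 1, E820_TYPE_RESERVED = 2, E820_TYPE_ACPI = 3 };
#define EFI_MEMORY_WB 0x8ULL /* write-back cacheable attribute bit */

struct efi_desc { uint32_t type; uint64_t phys_addr; uint64_t num_pages; uint64_t attribute; };

/* Map one EFI descriptor to the E820 type the stub would emit (simplified). */
int efi_to_e820_type(const struct efi_desc *md)
{
    switch (md->type) {
    case EFI_LOADER_DATA:
    case EFI_BOOT_SERVICES_DATA:
    case EFI_CONVENTIONAL_MEMORY:
        /* Loader and boot-services memory is free once the OS owns the machine. */
        return (md->attribute & EFI_MEMORY_WB) ? E820_TYPE_RAM : E820_TYPE_RESERVED;
    case EFI_ACPI_RECLAIM_MEMORY:
        return E820_TYPE_ACPI;  /* always reserved; never handed to the page allocator */
    default:
        return E820_TYPE_RESERVED;
    }
}

/* 1 if a kexec'd kernel would see an event log of this EFI type as ordinary RAM. */
int log_region_exposed_as_ram(uint32_t efi_type)
{
    /* Constructed descriptor: 2 pages of cacheable memory at an arbitrary address. */
    struct efi_desc md = { efi_type, 0x7f000000ULL, 2, EFI_MEMORY_WB };
    return efi_to_e820_type(&md) == E820_TYPE_RAM;
}

int main(void)
{
    printf("EFI_LOADER_DATA exposed as RAM: %d\n", log_region_exposed_as_ram(EFI_LOADER_DATA));
    printf("EFI_ACPI_RECLAIM_MEMORY exposed as RAM: %d\n", log_region_exposed_as_ram(EFI_ACPI_RECLAIM_MEMORY));
    return 0;
}
```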

This vulnerability classification aligns with CWE-125: Out-of-Bounds Read and CWE-787: Out-of-Bounds Write, as improper memory reservation can lead to memory corruption that affects system stability. The issue also relates to ATT&CK technique T1547.004: Virtualization/Sandbox Evasion, as improper memory handling can affect system integrity verification mechanisms. The fix demonstrates proper memory management practice and aligns with industry standards for secure kernel development and memory reservation in EFI environments.

Responsible

Linux

Reservation

10/21/2024

Disclosure

10/21/2024

Moderation

accepted

CPE

ready

EPSS

0.00213

KEV

no

Activities

very low
