PT-2024-26747 · Linux+6 · Linux Kernel+6

Published: 2024-05-17 · Updated: 2026-05-26 · CVE-2024-35803

CVSS v3.1: 5.5 (Medium)

Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions

Linux kernel (affected versions not specified)

Description

The issue is in the Linux kernel's EFI stub, which calls into the EFI boot services using the stack that was live when the stub was entered. According to the UEFI spec, this stack needs to be at least 128k in size.

In mixed mode, the bootloader calls the 32-bit EFI stub entry point, which calls the decompressor's 32-bit entry point, where the boot stack is set up using a fixed allocation of 16k. This stack is still in use when the EFI stub is started in 64-bit mode, so all calls back into the EFI firmware use the decompressor's limited boot stack.

Due to the placement of the boot stack, any stack overruns have gone unnoticed. However, a commit moved the definition of the boot heap into C code, and now the boot stack is placed right at the base of BSS, where any overruns will corrupt the end of the .data section.

To resolve this, the firmware stack pointer value is recorded when entering from the 32-bit firmware, and the stub switches to this stack every time an EFI boot service call is made.

Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability.
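
To check whether a given host actually boots through the mixed-mode path the description covers (a 64-bit kernel started from 32-bit UEFI firmware), the shell function below reads the firmware word size from sysfs. It is an added example, not part of the advisory or the kernel sources; the function name and its two optional arguments are hypothetical, and the sysfs root argument exists only so the check can be run against a constructed directory.

```shell
#!/bin/sh
# Added example: classify how this host was booted with respect to EFI mixed mode.
# Assumption: /sys/firmware/efi/fw_platform_size holds the firmware word size
# (32 or 64), as exposed by the kernel's EFI sysfs interface.

# efi_boot_mode [SYSFS_ROOT] [MACHINE]
# Both arguments are hypothetical test hooks; defaults are /sys and `uname -m`.
efi_boot_mode() {
    root="${1:-/sys}"
    machine="${2:-$(uname -m)}"
    efi_dir="$root/firmware/efi"

    # No EFI directory: the kernel was not booted via EFI or does not expose it.
    if [ ! -d "$efi_dir" ]; then
        echo "not-efi"
        return 0
    fi

    # Older kernels may not provide the attribute at all.
    if [ ! -r "$efi_dir/fw_platform_size" ]; then
        echo "unknown"
        return 0
    fi

    fw_bits="$(tr -d '[:space:]' < "$efi_dir/fw_platform_size")"

    case "$machine:$fw_bits" in
        x86_64:32) echo "mixed-mode" ;;  # 64-bit kernel on 32-bit firmware
        *:32|*:64) echo "native" ;;      # kernel and firmware word size match
        *)         echo "unknown" ;;     # unexpected attribute contents
    esac
}

# Report the result for the local host.
efi_boot_mode
```

A result of `mixed-mode` means the host entered the kernel through the 32-bit EFI stub entry point; it says nothing about whether the running kernel already carries the fix.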

Exploit

Buffer Overflow

Weakness Enumeration

Related Identifiers

BDU:2025-13349
CVE-2024-35803
SUSE-SU-2024:2135-1
SUSE-SU-2024:2203-1
SUSE-SU-2024:2973-1
SUSE-SU-2025:20008-1
SUSE-SU-2025:20028-1
USN-6816-1
USN-6817-1
USN-6817-2
USN-6817-3
USN-6878-1

Affected Products

Astra Linux
Debian
Linux Mint
Linux Kernel
RED OS
SUSE
Ubuntu