Linux Kernel Buffer Allocation Vulnerability in EFI STMM Driver

Vulnerability

A vulnerability exists in the Linux kernel's EFI STMM driver due to improper allocation of the buffer used to communicate with the Trusted Execution Environment (TEE). The function 'setup_mm_hdr()' allocates this buffer with 'kmalloc()', which does not guarantee the contiguous pages that 'tee_shm_register_kernel_buf()' requires. The mismatch can lead to memory corruption or other kernel bugs, a problem that recent changes in the memory allocator have exacerbated. The vulnerability has existed since the TEE-based EFI variable driver was introduced, although the incorrect allocation method itself dates from an earlier version.

Impact

The vulnerability can cause memory corruption or various kernel bugs, particularly in the context of the EFI STMM driver.

Reproduction

The vulnerability is triggered by running a kernel that includes the TEE-based EFI variable driver but does not yet carry the fix for the buffer allocation issue. Once the EFI STMM driver is active, the communication buffer it allocates with 'kmalloc()' is registered with the TEE through 'tee_shm_register_kernel_buf()', and the improper allocation can lead to the memory corruption or kernel bugs described above.

Remediation

Users can upgrade to the latest version of the Linux kernel stable tree, where this vulnerability has been addressed by changing the buffer allocation method to use 'alloc_pages_exact()' instead of 'kmalloc()'.

Added: Sep 16, 2025, 2:52 PM
Updated: Sep 16, 2025, 2:52 PM

Vulnerability Rating (Custom Algorithm)

  Category        Score
  spread          9.0
  impact          2.5
  exploitability  4.3
  remediation     7.7
  relevance       0.5
  threat          4.8
  urgency         2.9
  incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.