Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A vulnerability exists in the Linux kernel's IMA (Integrity Measurement Architecture) handling during the kexec boot process on x86_64 systems. When the second-stage kernel is booted with a memory-limit option on its command line, the IMA measurement buffer handed over by the previous kernel may be accessed incorrectly, leading to a page fault. The fault occurs because the IMA buffer can fall outside the RAM addressable by the new kernel, so the access made during the early restoration process hits unmapped memory. This issue does not occur on aarch64, where it has already been fixed. The problem has been addressed by introducing a validation helper that ensures the IMA buffer range is within accessible memory bounds.
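A user-space C model of the kind of range check described above, added here as an illustration; it is not the kernel's code. The function name `ima_buf_range_ok`, the `ram_region` map and all addresses are assumptions constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of a RAM map entry: [start, start + len) is usable RAM. */
struct ram_region {
    uint64_t start;
    uint64_t len;
};

/*
 * Hypothetical helper: true only if [addr, addr + size) is non-empty, does not
 * wrap, ends at or below ram_limit (the effect of mem=<size>), and lies
 * entirely inside one usable RAM region.
 */
bool ima_buf_range_ok(uint64_t addr, uint64_t size, uint64_t ram_limit,
                      const struct ram_region *map, size_t n)
{
    uint64_t end;

    if (size == 0 || addr > UINT64_MAX - size)
        return false;                  /* empty or wrapping range */
    end = addr + size;
    if (end > ram_limit)
        return false;                  /* beyond what the new kernel can address */

    for (size_t i = 0; i < n; i++) {
        uint64_t r_start = map[i].start;
        uint64_t r_end = r_start + map[i].len; /* constructed map: no wrap */
        if (addr >= r_start && end <= r_end)
            return true;
    }
    return false;                      /* straddles a hole or is not RAM */
}

/* Constructed sample map: 0 to 640 KiB, then 1 MiB to 4 GiB. */
static const struct ram_region sample_map[] = {
    { 0x0ULL,      0xA0000ULL },
    { 0x100000ULL, 0xFFF00000ULL },
};

int main(void)
{
    /* Buffer left by the first kernel at 3 GiB, 64 KiB long (constructed). */
    uint64_t addr = 0xC0000000ULL, size = 0x10000ULL;

    printf("no limit: %d\n", ima_buf_range_ok(addr, size, UINT64_MAX, sample_map, 2));
    printf("mem=1G  : %d\n", ima_buf_range_ok(addr, size, 1ULL << 30, sample_map, 2));
    return 0;
}
```

The same buffer passes with no limit and is rejected once the limit is 1 GiB, which is the case in which an unchecked access faults.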
Exploitation of this vulnerability causes a page fault, disrupting the kernel's operation and potentially leading to a denial of service.
To reproduce this vulnerability, boot a second-stage Linux kernel on an x86_64 system using kexec, while specifying a memory limit that restricts access to the IMA measurement buffer from the previous kernel. This can be done by using the 'mem=<size>' option in the kexec command line. The IMA buffer will likely fall outside the addressable RAM, causing a page fault when the kernel attempts to restore the measurements.
Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed. Instructions for upgrading the kernel can be found in the official Linux kernel documentation.