Linux Kernel Kexec IMA Buffer Sanity Check Vulnerability

A vulnerability in the Linux kernel's x86 architecture handling of kexec can lead to a kernel panic. When booting a second-stage kernel via kexec with a memory-limiting command line, the physical range for the IMA (Integrity Measurement Architecture) measurement list may extend beyond the available RAM, causing a page fault. This issue does not occur on other architectures, which already perform the necessary validation. The vulnerability disrupts the proper carrying forward of the IMA measurement log, potentially leading to failures in attestation.

Impact

Exploitation of this vulnerability causes a kernel panic due to a page fault error, disrupting system operations and potentially leading to a denial of service.

Reproduction

To reproduce this vulnerability, boot a second-stage kernel using kexec with a command line that limits the available memory. This can be done by specifying a 'mem' parameter that truncates the RAM. The IMA measurement list, which is carried over from the previous kernel, may then be restored from a physical address that falls outside the available memory, leading to a page fault and a kernel panic.

Remediation

The vulnerability has been addressed in the Linux kernel. Users should upgrade to the latest version where this issue has been fixed.