Linux Kernel APEI/GHES Memory Corruption Vulnerability

Vulnerability

A vulnerability in the Linux kernel's APEI/GHES component can lead to memory corruption. The logic in the 'ghes_new()' function allocates error status records based on the number of pages indicated in the CPER BIOS table, which can result in records larger than the maximum allowed size of 64KB. If firmware sends data exceeding the allocated memory, the kernel hits a paging request error and crashes. The vulnerability has been addressed by modifying the allocation logic to consider the actual allocated memory when checking CPER lengths.
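The following is an added user-space illustration of the kind of check the fix describes, not the kernel's code: the length claimed by a firmware-written error status header is compared against the memory actually allocated rather than the size the table declares. All function and macro names are hypothetical, and the length rule (raw data offset plus length, otherwise header plus data length) is an assumption of this model.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* User-space model; all names here are hypothetical, not the kernel's. */
#define ESTATUS_MAX_SIZE 65536u /* 64KB ceiling named in the advisory */

/* Header of an ACPI generic error status block: five 32-bit fields. */
struct estatus_hdr {
    uint32_t block_status;
    uint32_t raw_data_offset;
    uint32_t raw_data_length;
    uint32_t data_length;
    uint32_t error_severity;
};

/* Cap the buffer size derived from the table at the 64KB maximum. */
static size_t estatus_alloc_size(uint32_t table_len)
{
    return table_len > ESTATUS_MAX_SIZE ? ESTATUS_MAX_SIZE : table_len;
}

/* Length the firmware-written header claims; 64-bit math avoids wraparound. */
static uint64_t estatus_claimed_len(const struct estatus_hdr *h)
{
    if (h->raw_data_length)
        return (uint64_t)h->raw_data_offset + h->raw_data_length;
    return (uint64_t)sizeof(*h) + h->data_length;
}

/* 0 if the block fits the memory actually allocated, -1 otherwise. */
static int estatus_check_len(const struct estatus_hdr *h, size_t allocated)
{
    uint64_t len = estatus_claimed_len(h);

    if (allocated < sizeof(*h) || len < sizeof(*h) || len > allocated)
        return -1;
    return 0;
}

int main(void)
{
    /* Constructed sample: table declares 128KB, firmware claims 128KB. */
    size_t allocated = estatus_alloc_size(0x20000);
    struct estatus_hdr h = { .data_length = 0x20000u - 20u /* 20-byte header */ };

    printf("allocated=%zu verdict=%d\n", allocated, estatus_check_len(&h, allocated));
    return 0;
}
```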

Impact

Exploitation of this vulnerability causes a kernel crash due to an unhandled paging request, which can lead to a denial of service.

Reproduction

The vulnerability can be reproduced on a version of the Linux kernel that includes the vulnerable 'ghes_new()' logic. When faulty firmware sends an error status block larger than the allocated memory, the kernel crashes with a paging request error. This can be observed in a QEMU virtual machine environment.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed.

Added: May 6, 2026, 12:32 PM
Updated: May 6, 2026, 12:32 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 5.3
remediation: 7.7
relevance: 7.6
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.