Linux Kernel EFI Graceful Fault Handling Vulnerability After FPU Softirq Changes

Vulnerability

A vulnerability in the Linux kernel's EFI fault handling can cause the system to freeze. The issue stems from a change in how the kernel manages floating-point operations during EFI runtime service calls: a commit intended to improve cryptographic performance made kernel-mode floating-point operations safe to use in softirqs. As a side effect, the EFI fault handler began to misinterpret the task context, so a page fault raised by problematic firmware during an EFI runtime service call is no longer handled. Instead of the graceful recovery the handler is meant to provide, the system hangs.

Impact

Triggering this vulnerability causes an unrecoverable system hang, particularly on systems with faulty firmware that raises page faults during EFI runtime service calls.

Reproduction

To reproduce this vulnerability, apply the kernel change that introduces the issue: in 'arch/x86/platform/efi/quirks.c', use 'local_bh_disable()' in place of 'preempt_disable()' around the EFI runtime service fault handling. With that change in place, the hang can be triggered by invoking an EFI runtime service that faults, such as 'GetTime()', on a system with buggy firmware that generates such faults.
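To make concrete what "misinterpreting the task context" in the description above means, and why the 'local_bh_disable()' substitution in the reproduction steps matters, here is an added stand-alone C model (not kernel code and not from this page) of the kernel's preempt_count() context bits, where the mask and offset values follow include/linux/preempt.h. The assumption that the fault handler's gate is an in_interrupt()-style test is mine, not something the page states.

```c
/* Stand-alone model of Linux preempt_count() context bits (constructed example). */
#include <stdio.h>
#include <stdbool.h>

#define PREEMPT_OFFSET          0x1u         /* added by preempt_disable()   */
#define SOFTIRQ_OFFSET          0x100u       /* set while serving a softirq  */
#define SOFTIRQ_DISABLE_OFFSET  (2u * SOFTIRQ_OFFSET) /* added by local_bh_disable() */
#define SOFTIRQ_MASK            0x0000ff00u
#define HARDIRQ_MASK            0x000f0000u
#define NMI_MASK                0x00f00000u

/* in_interrupt(): any NMI, hardirq or softirq bit set. Note that the bits
 * local_bh_disable() adds fall inside SOFTIRQ_MASK, so a plain task that
 * merely disabled bottom halves also looks like "interrupt context" here. */
static bool sim_in_interrupt(unsigned int pc)
{
    return (pc & (NMI_MASK | HARDIRQ_MASK | SOFTIRQ_MASK)) != 0;
}

/* in_task(): tests only the "serving a softirq" bit, so bh-disabled task
 * context is still correctly recognised as task context. */
static bool sim_in_task(unsigned int pc)
{
    return (pc & (NMI_MASK | HARDIRQ_MASK | SOFTIRQ_OFFSET)) == 0;
}

/* preempt_count() as the fault handler would see it under the two wrappers. */
static unsigned int pc_after_preempt_disable(unsigned int pc)  { return pc + PREEMPT_OFFSET; }
static unsigned int pc_after_local_bh_disable(unsigned int pc) { return pc + SOFTIRQ_DISABLE_OFFSET; }

/* Assumed handler gate: treat the fault as an ordinary oops (no graceful
 * recovery) whenever the count says "interrupt context". */
static bool handler_recovers_gracefully(unsigned int pc)
{
    return !sim_in_interrupt(pc);
}

int main(void)
{
    unsigned int base = 0; /* ordinary task context before the EFI runtime call */
    unsigned int pc_old = pc_after_preempt_disable(base);
    unsigned int pc_new = pc_after_local_bh_disable(base);
    printf("preempt_disable():  pc=0x%03x in_interrupt=%d in_task=%d graceful=%d\n",
           pc_old, sim_in_interrupt(pc_old), sim_in_task(pc_old), handler_recovers_gracefully(pc_old));
    printf("local_bh_disable(): pc=0x%03x in_interrupt=%d in_task=%d graceful=%d\n",
           pc_new, sim_in_interrupt(pc_new), sim_in_task(pc_new), handler_recovers_gracefully(pc_new));
    return 0;
}
```

The second line of output shows the regression: with bottom halves disabled the in_interrupt()-style gate reports interrupt context and graceful recovery is skipped, while in_task() still identifies the caller as a task.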

Remediation

Upgrade to a Linux kernel version in which this issue has been addressed. The commit that fixes it is available in the Linux kernel stable tree.

Added: Jun 8, 2026, 5:55 PM
Updated: Jun 8, 2026, 5:55 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 3.9
remediation: 7.7
relevance: 9.4
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.