A vulnerability has recently been discovered in the Linux kernel, specifically surrounding the efivarfs filesystem. The vulnerability lies in the handling of the SetVariable function when it is not supported by the firmware. Consequently, this can lead to a kernel crash if someone remounts the filesystem as Read-Write (RW). This post will discuss the details of this vulnerability, including code snippets, original references, and an exploit demonstration.

Vulnerability Details

The aforementioned vulnerability (CVE-2023-52463) is triggered when SetVariable is not supported by the firmware at runtime, and as a result, no callback is assigned for the function. In this case, the efivarfs is mounted as ReadOnly (RO) to prevent any call to the function. However, the permission flags are never checked when remounting the filesystem as RW. This situation can lead to a crash, as demonstrated below:

$ mount -o remount,rw /sys/firmware/efi/efivars
$ efi-updatevar -f PK.auth PK

The output snippet demonstrates the kernel crash

[...]
[  303.286076] Internal error: Oops: 0000000086000004 [#1] PREEMPT SMP
[...]

Vulnerability Fix

To mitigate this vulnerability, a .reconfigure() function has been added to the fs_operations, which can be used to assess the requested flags. If the firmware does not implement SetVariable at runtime, then anything that is not ReadOnly (RO) is denied. The fix, therefore, effectively forces the efivarfs filesystem to remain ReadOnly (RO) when remounting if SetVariable is not supported.

Conclusion

The Linux kernel vulnerability CVE-2023-52463 has now been resolved, ensuring that efivarfs remains RO when remounting if SetVariable is not supported by the firmware, thus preventing kernel crashes. It is recommended to apply this patch to your systems to avoid any potential exploitation of the vulnerability.

1. Linux Kernel Mailing List - efivarfs: force RO when remounting if SetVariable is not supported
2. CVE-2023-52463 - National Vulnerability Database

Stay informed and keep your systems patched and up to date to avoid potential security risks posed by such vulnerabilities.

Timeline

Published on: 02/23/2024 15:15:08 UTC
Last modified on: 04/17/2024 20:05:08 UTC