CVE-2024-49858: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-49858 affects the Linux kernel's TPM event log handling in the EFI stub. The vulnerability was discovered on October 21, 2024, and involves a memory management issue where the TPM event log table, a Linux-specific construct, is improperly handled during memory allocation (NVD). The vulnerability affects multiple versions of the Linux kernel, including versions up to 5.10.227, 5.11 to 5.15.168, 5.16 to 6.1.113, 6.2 to 6.6.54, 6.7 to 6.10.13, and 6.11 to 6.11.2 (NVD).

The vulnerability stems from the use of EFILOADERDATA for memory allocation in the TPM event log table. The data produced by the GetEventLog() boot service is cached in memory and passed to the OS using an EFI configuration table. The issue occurs because the region is left unreserved in the E820 memory map constructed by the EFI stub, and this memory description is passed to the incoming kernel by kexec, which remains unaware that the region should be reserved (Kernel Patch). The vulnerability has been assigned a CVSS v3.1 base score of 5.5 (Medium) with vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD).

While the utility of the TPM2 event log after a kexec is questionable, any corruption of the memory region might cause the parsing code to malfunction and crash the kernel (Kernel Patch). This primarily affects system stability and availability.

The vulnerability has been fixed by changing the memory allocation type from EFILOADERDATA to EFIACPIRECLAIM_MEMORY, which is always treated as reserved by the E820 conversion logic (Kernel Patch). Multiple Linux distributions have released patches, including Ubuntu which has fixed the issue in versions 24.10, 24.04 LTS, and 22.04 LTS (Ubuntu).