[BRLY-LOGOFAIL-2023-014] Out-of-bounds Read in DXE driver

Summary

Binarly REsearch Team has discovered a OOB Read vulnerability in DXE driver. Improper validation of PNG chunk length during PNG file processing in AMI firmware leads to OOB read.

Vulnerability Information

BINARLY internal vulnerability identifier: BRLY-LOGOFAIL-2023-014
CVSS v3.1: 3.2 Low AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:N

Affected modules with confirmed impact by Binarly REsearch Team

Module name	Module GUID	Module SHA256
AMITSE	b1da0adf-4f77-4070-a88e-bffe1c60529a	439e73d391b7f7540f6faa58afdc2722bda250468d4a4f7f5f84228c1f77ddbe

Potential impact

This vulnerability will not lead to exploitation, however, it may lead to unexpected behaviour during PNG file processing.

Vulnerability description

The pseudocode of the vulnerable function is shown below:

unsigned __int8 *GetImageSize()
{
  unsigned int ImageSize; // ebx
  unsigned __int8 *result; // rax
  __int64 ImagePtrCursor; // r9
  unsigned __int8 *v3; // rcx
  __int64 v4; // r10
  __int64 v5; // r9
  unsigned __int8 *v6; // rcx
  __int64 v7; // rdx
  unsigned int Length; // r11d
  unsigned __int8 *v9; // [rsp+30h] [rbp+8h] BYREF

  ImageSize = 8;
  GlobalImagePtr += 8i64;
  result = (unsigned __int8 *)AllocateZeroPool(4ui64);
  v9 = result;
  if ( result )
  {
    ImagePtrCursor = GlobalImagePtr;
    do
    {
      v3 = result;
      v4 = 4i64;
      do
      {
        *v3 = v3[ImagePtrCursor - (_QWORD)result];
        ++v3;
        --v4;
      }
      while ( v4 );
      v5 = ImagePtrCursor + 4;
      v6 = result;
      v7 = 4i64;
      // BRLY-LOGOFAIL-2023-014: Chunk length is added without validation to ImagePtrCursor
      Length = result[3] + ((result[2] + ((result[1] + (*result << 8)) << 8)) << 8);
      do
      {
        *v6 = v6[v5 - (_QWORD)result];
        ++v6;
        --v7;
      }
      while ( v7 );
      ImageSize += Length + 12;
      ImagePtrCursor = Length + 8i64 + v5;
    }
    while ( result[3] + ((result[2] + ((result[1] + (*result << 8)) << 8)) << 8) != 1229278788 );
    GlobalImagePtr = ImagePtrCursor;
    sub_4654(&v9);
    return (unsigned __int8 *)ImageSize;
  }
  return result;
}

As we can see from the pseudocode, the variable Length is initialized from a value ( result) which is read directly from the image buffer. Length is then used to update the ImagePtrCursor variable pointer without any validation.

Disclosure timeline

This bug is subject to a 90 day disclosure deadline. After 90 days elapsed or a patch has been made broadly available (whichever is earlier), the bug report will become visible to the public.

Disclosure Activity	Date (YYYY-mm-dd)
Lenovo PSIRT is notified	2023-06-21
Lenovo ID (LEN-132940) is assigned	2023-06-22
CERT/CC is notified	2023-07-10
AMI PSIRT confirmed reported issues	2023-10-05
AMI PSIRT assigned CVE ID	2023-12-01
BINARLY public disclosure date	2024-06-19

Acknowledgements

Binarly REsearch Team

[BRLY-LOGOFAIL-2023-014] Out-of-bounds Read in DXE driver

Summary

Vendors Affected

Affected Products

Potential Impact

Summary

Vulnerability Information

Affected modules with confirmed impact by Binarly REsearch Team

Potential impact

Vulnerability description

Disclosure timeline

Acknowledgements

[BRLY-LOGOFAIL-2023-014] Out-of-bounds Read in DXE driver

Summary

Vendors Affected

Affected Products

Potential Impact

Summary

Vulnerability Information

Affected modules with confirmed impact by Binarly REsearch Team

Potential impact

Vulnerability description

Disclosure timeline

Acknowledgements

Related Advisories