BRLY-LOGOFAIL-2023-014

Out-of-bounds Read in DXE driver.

Public Disclosure Date: Jun 19, 2024

CVE ID

BRLY-LOGOFAIL-2023-014

Summary

BINARLY efiXplorer team has discovered a OOB Read vulnerability in DXE driver. Improper validation of PNG chunk length during PNG file processing in AMI firmware leads to OOB read.

Potential Impact

This vulnerability will not lead to exploitation, however, it may lead to unexpected behaviour during PNG file processing.

Vulnerability Information

BINARLY internal vulnerability identifier: BRLY-LOGOFAIL-2023-014
CVSS v3.1: 3.2 Low AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:N

01Affected modules

02Vulnerability description

03Disclosure timeline

04Acknowledgements

Affected modules

Module name	Module GUID	Module SHA256
AMITSE	b1da0adf-4f77-4070-a88e-bffe1c60529a	439e73d391b7f7540f6faa58afdc2722bda250468d4a4f7f5f84228c1f77ddbe

Vulnerability description

The pseudocode of the vulnerable function is shown below:

unsigned __int8 *GetImageSize()
{
  unsigned int ImageSize; // ebx
  unsigned __int8 *result; // rax
  __int64 ImagePtrCursor; // r9
  unsigned __int8 *v3; // rcx
  __int64 v4; // r10
  __int64 v5; // r9
  unsigned __int8 *v6; // rcx
  __int64 v7; // rdx
  unsigned int Length; // r11d
  unsigned __int8 *v9; // [rsp+30h] [rbp+8h] BYREF

  ImageSize = 8;
  GlobalImagePtr += 8i64;
  result = (unsigned __int8 *)AllocateZeroPool(4ui64);
  v9 = result;
  if ( result )
  {
    ImagePtrCursor = GlobalImagePtr;
    do
    {
      v3 = result;
      v4 = 4i64;
      do
      {
        *v3 = v3[ImagePtrCursor - (_QWORD)result];
        ++v3;
        --v4;
      }
      while ( v4 );
      v5 = ImagePtrCursor + 4;
      v6 = result;
      v7 = 4i64;
      // BRLY-LOGOFAIL-2023-014: Chunk length is added without validation to ImagePtrCursor
      Length = result[3] + ((result[2] + ((result[1] + (*result << 8)) << 8)) << 8);
      do
      {
        *v6 = v6[v5 - (_QWORD)result];
        ++v6;
        --v7;
      }
      while ( v7 );
      ImageSize += Length + 12;
      ImagePtrCursor = Length + 8i64 + v5;
    }
    while ( result[3] + ((result[2] + ((result[1] + (*result << 8)) << 8)) << 8) != 1229278788 );
    GlobalImagePtr = ImagePtrCursor;
    sub_4654(&v9);
    return (unsigned __int8 *)ImageSize;
  }
  return result;
}

As we can see from the pseudocode, the variable Length is initialized from a value (result) which is read directly from the image buffer. Length is then used to update the ImagePtrCursor variable pointer without any validation.

Disclosure timeline

This bug is subject to a 90 day disclosure deadline. After 90 days elapsed or a patch has been made broadly available (whichever is earlier), the bug report will become visible to the public.

Disclosure Activity	Date (YYYY-mm-dd)
Lenovo PSIRT is notified	2023-06-21
Lenovo ID (LEN-132940) is assigned	2023-06-22
CERT/CC is notified	2023-07-10
AMI PSIRT confirmed reported issues	2023-10-05
AMI PSIRT assigned CVE ID	2023-12-01
BINARLY public disclosure date	2024-06-19

Acknowledgements

BINARLY efiXplorer team

See if you are impacted now with our Firmware Vulnerability Scanner

Find Vulnerabilities, Generate SBOMs & CBOMs

Scan Now

Module name

Module GUID

Module SHA256

AMITSE

b1da0adf-4f77-4070-a88e-bffe1c60529a

439e73d391b7f7540f6faa58afdc2722bda250468d4a4f7f5f84228c1f77ddbe

unsigned __int8 *GetImageSize() { unsigned int ImageSize; // ebx unsigned __int8 *result; // rax __int64 ImagePtrCursor; // r9 unsigned __int8 *v3; // rcx __int64 v4; // r10 __int64 v5; // r9 unsigned __int8 *v6; // rcx __int64 v7; // rdx unsigned int Length; // r11d unsigned __int8 *v9; // [rsp+30h] [rbp+8h] BYREF ImageSize = 8; GlobalImagePtr += 8i64; result = (unsigned __int8 *)AllocateZeroPool(4ui64); v9 = result; if ( result ) { ImagePtrCursor = GlobalImagePtr; do { v3 = result; v4 = 4i64; do { *v3 = v3[ImagePtrCursor - (_QWORD)result]; ++v3; --v4; } while ( v4 ); v5 = ImagePtrCursor + 4; v6 = result; v7 = 4i64; // BRLY-LOGOFAIL-2023-014: Chunk length is added without validation to ImagePtrCursor Length = result[3] + ((result[2] + ((result[1] + (*result << 8)) << 8)) << 8); do { *v6 = v6[v5 - (_QWORD)result]; ++v6; --v7; } while ( v7 ); ImageSize += Length + 12; ImagePtrCursor = Length + 8i64 + v5; } while ( result[3] + ((result[2] + ((result[1] + (*result << 8)) << 8)) << 8) != 1229278788 ); GlobalImagePtr = ImagePtrCursor; sub_4654(&v9); return (unsigned __int8 *)ImageSize; } return result; }

Disclosure Activity

Date (YYYY-mm-dd)

Lenovo PSIRT is notified

2023-06-21

Lenovo ID (LEN-132940) is assigned

2023-06-22

CERT/CC is notified

2023-07-10

AMI PSIRT confirmed reported issues

2023-10-05

AMI PSIRT assigned CVE ID

2023-12-01

BINARLY public disclosure date

2024-06-19

Potential Impact

Image preview

Vulnerability Information

Image preview

Affected modules

Image preview

Vulnerability description

Image preview

Disclosure timeline

Image preview

Acknowledgements

Image preview

See if you are impacted now with our Firmware Vulnerability Scanner

Potential Impact

Image preview

Vulnerability Information

Image preview

Affected modules

Image preview

Vulnerability description

Image preview

Disclosure timeline

Image preview

Acknowledgements

Image preview

See if you are impacted now with our Firmware Vulnerability Scanner