Out-of-bounds Read in DXE driver.
BINARLY efiXplorer team has discovered a OOB Read vulnerability in DXE driver. Improper validation on JPEG marker length leads to multiple OOB Read operations during JPEG file processing in AMI firmware
Image preview
Potential Impact
This vulnerability will not lead to exploitation, however, it may lead to unexpected behaviour during JPEG file processing.
Image preview
Vulnerability Information
- BINARLY internal vulnerability identifier: BRLY-LOGOFAIL-2023-021
- CVSS v3.1: 3.2 Low AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:N
Image preview
Affected modules
| Module name | Module GUID | Module SHA256 |
|---|---|---|
AMITSE | b1da0adf-4f77-4070-a88e-bffe1c60529a | 439e73d391b7f7540f6faa58afdc2722bda250468d4a4f7f5f84228c1f77ddbe |
Image preview
Vulnerability description
The pseudocode of the vulnerable function is shown below:
__int64 __fastcall GetDimensions(_BYTE *Image)
{
char v2; // di
unsigned __int8 v3; // r10
unsigned __int8 v4; // bl
unsigned __int8 MarkerType; // cl
__int64 v6; // rax
__int64 v8; // rax
char v9; // al
_BYTE *v10; // rdx
_QWORD *v11; // r8
unsigned __int8 v12; // r9
__int64 v13; // rdx
__int64 v14; // r11
unsigned __int16 Len; // [rsp+30h] [rbp+8h]
v2 = 0;
v3 = 0;
v4 = 0;
if ( *Image != 0xFF || Image[1] != 0xD8 )
return 0i64;
while ( 1 )
{
MarkerType = Image[1];
if ( MarkerType != 0xD8 )
break;
Image += 2;
LABEL_27:
if ( *Image != 0xFF )
return 0i64;
}
if ( MarkerType == 0xD9 )
goto LABEL_30;
if ( !MarkerType )
return 0i64;
if ( (MarkerType & 0xF0) == 0xE0 )
{
LABEL_26:
v9 = Image[3];
v10 = Image + 2;
LOBYTE(Len) = v9;
HIBYTE(Len) = *v10;
// BRLY-LOGOFAIL-2023-021: Image pointer is updated with value coming from the image (Len), without validation
Image = &v10[Len];
goto LABEL_27;
}
if ( MarkerType == 0xC0 )
{
v2 |= 2u;
qword_95FC0 = (Image + 2);
goto LABEL_26;
}
if ( MarkerType == 0xC4 )
{
v6 = v3++;
qword_96560[v6] = (Image + 4);
goto LABEL_26;
}
if ( (MarkerType & 0xF0) == 0xC0 )
{
if ( MarkerType > 0xC0u && MarkerType < 0xD0u )
return 0i64;
goto LABEL_26;
}
if ( MarkerType != 0xDA )
{
if ( MarkerType == 0xDB )
{
v8 = v4++;
qword_95EA0[v8] = (Image + 4);
}
else if ( MarkerType == 0xDD )
{
LOBYTE(word_95490) = Image[5];
HIBYTE(word_95490) = Image[4];
}
else if ( (MarkerType & 0xF8) != 0xD0
&& (MarkerType == 0xDC || MarkerType == 0xDE || MarkerType == 0xDF || (MarkerType + 16) > 0xEu) )
{
return 0i64;
}
goto LABEL_26;
}
qword_95F10 = (Image + 14);
LABEL_30:
if ( v4 == 1 )
{
v4 = 2;
qword_95EA8 = qword_95EA0[0] + 65;
}
if ( v3 == 1 )
{
v11 = &unk_96568;
do
{
v12 = 0;
v13 = 0i64;
v14 = qword_96560[v3 - 1];
do
v12 += *(v14 + v13++ + 1);
while ( v13 < 16 );
++v3;
*v11++ = v12 + v14 + 17;
}
while ( v3 < 4u );
}
if ( v3 != 4 || v4 != 2 || (v2 & 2) == 0 )
return 0i64;
sub_5D26C(2u, 4u);
return 1i64;
}
As we can see from the pseudocode, the JPEG Marker length, read from the image and stored in variable Len, is used to update the value of ImagePtr without any validation. The attacker can arbitrarly set wLen thus making ImagePtr point anywhere in memory.
Image preview
Disclosure timeline
This bug is subject to a 90 day disclosure deadline. After 90 days elapsed or a patch has been made broadly available (whichever is earlier), the bug report will become visible to the public.
| Disclosure Activity | Date (YYYY-mm-dd) |
|---|---|
Lenovo PSIRT is notified | 2023-06-21 |
Lenovo ID (LEN-132940) is assigned | 2023-06-22 |
CERT/CC is notified | 2023-07-10 |
AMI PSIRT confirmed reported issues | 2023-10-05 |
AMI PSIRT assigned CVE ID | 2023-12-01 |
BINARLY public disclosure date | 2024-06-19 |
Image preview
Acknowledgements
Image preview
See if you are impacted now with our Firmware Vulnerability Scanner
Find Vulnerabilities, Generate SBOMs & CBOMs