Overflow in UEFI Variable Reclaim Function

Published: July 22, 2016
Source: support.lenovo.com
EPSS: 0.001 (percentile 32.1%)

Lenovo Security Advisory: LEN-2014-009

Potential Impact: Elevation of Privilege or Denial of Service

Severity: Medium

Summary:

The EDK1 UEFI reference implementation contains a buffer overflow vulnerability.

Description: [Taken from US-CERT advisory]

The open source EDK1 project provides a reference implementation of the Unified Extensible Firmware Interface (UEFI). Commercial UEFI implementations may incorporate portions of the EDK1 source code.

According to Rafal Wojtczuk and Corey Kallenberg, a buffer overflow vulnerability exists in the Edk1/source/Sample/Universal/Variable/RuntimeDxe/FS/FSVariable.c source file. Corey Kallenberg describes the vulnerability as follows:

"UEFI utilizes various non-volatile variables to communicate information back and forth between the operating system and the firmware; for instance, boot order, platform language, etc. These non-volatile variables are stored in a file-system like region on the SPI flash chip. This file-system supports many operations such as deleting existing variables, creating new variables, and defragmenting the variable region in order to reclaim unused space. This latter operation is important to ensure that large variables can be created in the event the variable region is resource constrained and fragmented with many unused “free slots.”

We have discovered a buffer overflow associated with this “reclaim” operation [in FSVariable.c].

In the reclaim operation, there is an assumption that by following the chain of variables (by NextVariable = GetNextVariablePtr (Variable), that essentially adds Variable’s size to it), we do not jump out of the variable store bounds.

In particular, in line 352, the CurrPtr can extend beyond the legitimate boundaries of the variable region. Ultimately in line 350, we can end up with a memory corruption via buffer overflow."
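The failure mode described above is a chain walk that trusts each header's size field. The following is an added, constructed model of a bounds-checked reclaim walk; it is not EDK1's FSVariable.c code, and the header layout (start_id, state, data_size), the marker values and the store size are assumptions made for the example. It shows how validating each step keeps a corrupt size from carrying the cursor out of the store or overflowing the reclaim buffer.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed, simplified variable header; not EDK1's real layout (assumption). */
typedef struct {
    uint16_t start_id;   /* VAR_START_ID marks a valid header */
    uint8_t  state;      /* VAR_LIVE = in use, anything else = deleted */
    uint32_t data_size;  /* payload bytes that follow the header */
} VarHeader;

#define VAR_START_ID 0x55AAu
#define VAR_LIVE     0xFFu
#define STORE_SIZE   64u

/* Walk the chain the way a reclaim would, but validate every step.
   Returns the number of live variables, or -1 if a header's size would carry
   the cursor past the end of the store or the copy past the reclaim buffer. */
int reclaim_count(const uint8_t *store, size_t store_size, size_t reclaim_size) {
    size_t off = 0, copied = 0;
    int live = 0;
    while (store_size - off >= sizeof(VarHeader)) {
        VarHeader h;
        memcpy(&h, store + off, sizeof h);              /* avoid unaligned access */
        if (h.start_id != VAR_START_ID) break;          /* erased space: end of chain */
        size_t room = store_size - off - sizeof(VarHeader);
        if (h.data_size > room) return -1;              /* NextVariable would leave the store */
        size_t len = sizeof(VarHeader) + h.data_size;
        if (h.state == VAR_LIVE) {
            if (len > reclaim_size - copied) return -1; /* copy would overflow the reclaim buffer */
            copied += len;
            live++;
        }
        off += len;                                     /* the GetNextVariablePtr step */
    }
    return live;
}

/* Build a constructed store holding two variables; when `corrupt` is set, the
   second header claims a data_size far larger than the whole store. */
static void build_store(uint8_t *buf, int corrupt) {
    memset(buf, 0xFF, STORE_SIZE);                      /* erased flash reads as 0xFF */
    VarHeader a = { VAR_START_ID, VAR_LIVE, 8 };
    VarHeader b = { VAR_START_ID, VAR_LIVE, corrupt ? 0xFFFFFFF0u : 4 };
    memcpy(buf, &a, sizeof a);
    memcpy(buf + sizeof a + 8, &b, sizeof b);
}

/* demo(0) walks a well-formed store; demo(1) walks the corrupted one. */
int demo(int corrupt) {
    uint8_t store[STORE_SIZE];
    build_store(store, corrupt);
    return reclaim_count(store, STORE_SIZE, STORE_SIZE);
}
```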

Product Impact:
