Security Advisory

15. Buffer Overflows in Capsule Update


During capsule update processing, a loop will continue adding arbitrarily many values from the capsule (Fvb->NumBlocks). After summation, the final value is multiplied by a static size and used to calculate
the size of allocation. This allocation, upon integer overflow, can be small, while the loop that copies data based on values from the capsule will copy a large amount of data. Additionally, the CapsuleCoalesce function also contained an integer overflow during summation of the size of the image and descriptor. This also results in a small allocation but a large copy.



Reported by Corey Kallenberg, Xeno Kovah, John Butterworth, and Sam Cornwell of the MITRE Corporation.


• CERT/CC VU#552286