15. Buffer Overflows in Capsule Update

Description:
During capsule update processing, a loop will continue adding arbitrarily many values from the capsule (Fvb->NumBlocks). After summation, the final value is multiplied by a static size and used to calculate
the size of allocation. This allocation, upon integer overflow, can be small, while the loop that copies data based on values from the capsule will copy a large amount of data. Additionally, the CapsuleCoalesce function also contained an integer overflow during summation of the size of the image and descriptor. This also results in a small allocation but a large copy.
Recommendation:
These issues are addressed by SVN https://sourceforge.net/p/edk2/code/15136 and https://sourceforge.net/p/edk2/code/15137.
Acknowledgements:
Reported by Corey Kallenberg, Xeno Kovah, John Butterworth, and Sam Cornwell of the MITRE Corporation.
References:
• CERT/CC VU#552286

14. Boot Failure Related to UEFI Variable Usage

16. Boot Failure Related to TPM Measurements

Last modified 2yr ago