Advisory ID:
BRLY-2025-016

Stack overflow vulnerability in SMI handler on Lenovo device

July 29, 2025
Severity:
High
CVSS Score
8.2
Public Disclosure Date:
July 29, 2025
CVE ID:

CVE-2025-4425

Summary

BINARLY REsearch team has discovered a stack overflow vulnerability in the SMI handler in Lenovo device firmware that could allow a potential attacker to write controlled data to stack buffer.
Vendors Affected Icon

Vendors Affected

Lenovo
Insyde
Lenovo
,
Insyde
,
Affected Products icon

Affected Products

Multiple

Potential Impact

An attacker could exploit this vulnerability to elevate privileges from ring 0 to ring -2 and execute arbitrary code in System Management Mode, an environment more privileged than and completely isolated from the operating system (OS). Running arbitrary code in SMM also bypasses SMM-based SPI flash protections against modification, which can help an attacker to install a firmware backdoor/implant. Such malicious code in the firmware could persist through operating system reinstallations. In addition, this vulnerability could potentially be used by malicious actors to bypass security mechanisms provided by UEFI firmware, such as Secure Boot and some types of memory isolation for hypervisors.

Vulnerability Information

  • BINARLY internal vulnerability identifier: BRLY-2025-016
  • Lenovo PSIRT assigned CVE identifier: CVE-2025-4425
  • Lenovo advisory: LEN-201013
  • CVSS v3.1: 8.2 High AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Affected firmware with confirmed impact by BINARLY team

Device name Firmware version OEM IBV Module name
ideacentre-aio-3-24arr9 O6KKT12A (2025-01-16) Lenovo Insyde EfiSmiServices
ideacentre-aio-3-24irh9 O6AKT1DA/1.0.0.29 (2024-08-09) Lenovo Insyde EfiSmiServices
yoga-aio-9-32irh8 O62KT24A (2024-08-08) Lenovo Insyde EfiSmiServices

Vulnerability description

Let's consider the module 87cafb102629124735c2e506956606875378e8c4d7b32ed8abc95e79fafd4657.

This module contains custom logic to register SMI handlers (callbacks) using EFI_L05_SMM_SW_SMI_INTERFACE_PROTOCOL:

EFI_STATUS RegisterCallbackFunctions()
{
  UINTN Offset;
  EFI_STATUS Status;
  EFI_L05_SMM_SW_SMI_INTERFACE_PROTOCOL *EfiL05SmmSwSmiInterfaceProtocol;

  Offset = 0;
  EfiL05SmmSwSmiInterfaceProtocol = 0;
  Status0 = gSmst->SmmLocateProtocol(&EFI_SMM_CPU_PROTOCOL_GUID, 0, &gEfiSmmCpuProtocol);
  if ( EFI_SUCCESS(Status) )
  {
    Status0 = gSmst->SmmLocateProtocol(&EFI_SMM_VARIABLE_PROTOCOL_GUID, 0, &gEfiSmmVariableProtocol);
    if ( EFI_SUCCESS(Status) )
    {
      Status0 = gSmst->SmmLocateProtocol(
                  &EFI_L05_SMM_SW_SMI_INTERFACE_PROTOCOL_GUID,
                  0,
                  &EfiL05SmmSwSmiInterfaceProtocol);
      if ( EFI_SUCCESS(Status) )
      {
        do
        {
          Status = EfiL05SmmSwSmiInterfaceProtocol->RegisterCallbackFunction(
                     EfiL05SmmSwSmiInterfaceProtocol,
                     0x20,
                     FeatureCallbackType,
                     *(&gCallbacksTable.Function + Offset));
          if ( Status == EFI_OUT_OF_RESOURCES )
            break;
          Offset += 16;
        }
        while ( Offset < 0x30 );
        CalculateCrc32Table();
        return Status;
      }
    }
  }
  return Status0;
}

In result all handlers from gCallbacksTable will be registered in the following loop (with SwSmiNum = 0x20):

do
{
  Status = EfiL05SmmSwSmiInterfaceProtocol->RegisterCallbackFunction(
              EfiL05SmmSwSmiInterfaceProtocol,
              0x20,
              FeatureCallbackType,
              *(&gCallbacksTable.Function + Offset));
  if ( Status == EFI_OUT_OF_RESOURCES )
    break;
  Offset += 16;
}
while ( Offset < 0x30 );

gCallbacksTable contains 3 SMI handlers:

.data:00000000000030C0 ; CALLBACK_ITEM gCallbacksTable
.data:00000000000030C0 gCallbacksTable CALLBACK_ITEM <4, offset Callback04>
.data:00000000000030C0                                         ; DATA XREF: RegisterCallbackFunctions+83↑o
.data:00000000000030D0                 CALLBACK_ITEM <0Fh, offset Callback0F>
.data:00000000000030E0                 CALLBACK_ITEM <0B8h, offset CallbackB8>

The pseudocode of Callback0F function is shown below:

MACRO_EFI Callback04(UINTN CpuIndex)
{
  PARAM_BUFFER *Param;
  UINTN Index;
  PARAM_BUFFER_VARIABLE *Var;
  CHAR16 *Name;
  UINT32 NameSize;
  UINT8 *VariableData;
  UINT32 RdiReg;
  UINT32 RsiReg;
  CHAR16 VariableName[128];
  UINT32 RaxReg;
  UINT32 RbxReg;
  UINT32 RcxReg;

  RaxReg = 0;
  RbxReg = 0;
  RcxReg = 0;
  RdiReg = 0;
  RsiReg = 0;
  gEfiSmmCpuProtocol->ReadSaveState(gEfiSmmCpuProtocol, 4, EFI_SMM_SAVE_STATE_REGISTER_RAX, CpuIndex, &RaxReg);
  gEfiSmmCpuProtocol->ReadSaveState(gEfiSmmCpuProtocol, 4, EFI_SMM_SAVE_STATE_REGISTER_RBX, CpuIndex, &RbxReg);
  gEfiSmmCpuProtocol->ReadSaveState(gEfiSmmCpuProtocol, 4, EFI_SMM_SAVE_STATE_REGISTER_RCX, CpuIndex, &RcxReg);
  gEfiSmmCpuProtocol->ReadSaveState(gEfiSmmCpuProtocol, 4, EFI_SMM_SAVE_STATE_REGISTER_RDI, CpuIndex, &RdiReg);
  gEfiSmmCpuProtocol->ReadSaveState(gEfiSmmCpuProtocol, 4, EFI_SMM_SAVE_STATE_REGISTER_RSI, CpuIndex, &RsiReg);
  if ( RaxReg != 0x534D0420 )
    return EFI_UNSUPPORTED;
  if ( RbxReg != 0x1323190D || RcxReg != 0xD121F1E )
  {
    RaxReg = 0x80000000;
    gEfiSmmCpuProtocol->WriteSaveState(gEfiSmmCpuProtocol, 4, EFI_SMM_SAVE_STATE_REGISTER_RAX, CpuIndex, &RaxReg);
    return EFI_UNSUPPORTED;
  }
  Param = RdiReg;
  Index = 0;

  // Attacker-controlled pointer
  Var = (RdiReg + 0x38);

if ( Param->Count )
  {
    do
    {
      ZeroMem(VariableName, 200);
      Name = &Var->VariableName;
      NameSize = Var->VariableNameSize;
      if ( NameSize )
      {
        if ( VariableName != Name )
        {
          // 1. VariableNameSize is not validated -> overflow of VariableName stack buffer
          CopyMem(VariableName, Name, Var->VariableNameSize);
          NameSize = Var->VariableNameSize;
        }
      }
      VariableData = &Var->VariableName + NameSize;
      // 2. SmmSetVariable() is used with attacker-controlled arguments
      // 3. VariableData can point in SMRAM -> SMRAM disclosure
      gEfiSmmVariableProtocol->SmmSetVariable(
        VariableName,
        &Var->VariableGuid,
        VARIABLE_ATTRIBUTE_NV_BS_RT,
        Var->VariableDataSize,
        VariableData);
      ++Index;
      Var = &VariableData[Var->VariableDataSize];
    }
    while ( Index < Param->Count );
  }
  RaxReg = 0;
  gEfiSmmCpuProtocol->WriteSaveState(gEfiSmmCpuProtocol, 4, EFI_SMM_SAVE_STATE_REGISTER_RAX, CpuIndex, &RaxReg);
  return 0;
}

The RdiReg value (obtained from the RDI register using gEfiSmmCpuProtocol->ReadSaveState) is controlled by the attacker.

The buffer pointed to by Var = (RdiReg + 0x38) has the following structure:

00000000 struct PARAM_BUFFER_VARIABLE
00000000 {
00000000     UINT32 VariableAttributes;
00000004     UINT32 VariableNameSize;
00000008     UINT32 VariableDataSize;
0000000C     EFI_GUID VariableGuid;
0000001C     UINT32 VariableName;
00000020 };

The function performs the following operation to copy data to the stack (into the stack variable VariableName)

// 1. VariableNameSize is not validated -> overflow of VariableName stack buffer
CopyMem(VariableName, Name, Var->VariableNameSize);

Both Name = &Var->VariableName and Var->VariableNameSize are attacker-controlled and unvalidated data. This allows an attacker to overflow the stack buffer with subsequent code execution.

Disclosure timeline

This vulnerability is subject to a 90 day disclosure period. After 90 days or when a patch has been made generally available (whichever comes first) the advisory will be publicly disclosed.

Disclosure Activity Date
Lenovo PSIRT is notified 2025-04-08
Lenovo PSIRT is confirmed issue 2025-06-16
Lenovo PSIRT assigned CVE number 2025-06-16
BINARLY public disclosure date 2025-07-29

Acknowledgements

BINARLY REsearch team

Tags
Lenovo
Insyde
SMM

Related Advisories

No items found.
FWHunt
See if you are impacted now with our Firmware Vulnerability Scanner
Scan now
Arrow indicating link