Advisory ID: BRLY-LOGOFAIL-2023-008

[BRLY-LOGOFAIL-2023-008] Null Pointer Dereference in DXE driver

June 20, 2024
Severity: Medium
CVSS Score: 6
Public Disclosure Date: June 19, 2024
CVE ID: CVE-2023-40238

Summary

The BINARLY efiXplorer team has discovered a DXE null pointer dereference in Insyde firmware. Use of an uninitialised SOSPtr pointer leads to a null pointer dereference (when no JPEG_SOS marker is encountered during parsing) while a JPEG file is processed by the Insyde firmware.

Affected Products

Yoga 7 14IAL7

Potential Impact

The impact of this vulnerability depends on whether the zero page is mapped. If the zero page is mapped, the dereference leads to undefined or unexpected behaviour; if it is not mapped, the vulnerability leads to a Denial of Service (DoS).

Vulnerability Information

  • BINARLY internal vulnerability identifier: BRLY-LOGOFAIL-2023-008  
  • Insyde PSIRT assigned CVE identifier: CVE-2023-40238  
  • CVSS v3.1: 6.0 Medium AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H

Affected modules with confirmed impact by Binarly team

Module name      Module GUID                            Module SHA256
JpegDecoderDxe   2707e46d-dbd7-41c2-9c04-c9fdb8bad86c   2d84dc4c04ebb70719f86f8c9053cab57f4f537f23648192bebc83d397732e2e

Vulnerability description

The pseudocode of the vulnerable function is shown below:

char sub_B68()
{
  unsigned __int8 v0; // bl
  char result; // al
  __int64 v2; // r9
  char *v3; // rdx
  char *v4; // r10
  __int64 v5; // r11
  unsigned __int8 i; // r8
  char v7; // r14
  __int64 v8; // rbp
  _WORD *v9; // rsi
  unsigned __int8 v10; // di
  __int64 v11; // rcx

  v0 = 0;
  // SOSPtr[2] -- Invalid read
  // due to unchecked SOSPtr, which may remain uninitialised in InitJfifData() function

  // BRLY-LOGOFAIL-2023-008:  Usage of uninitialised SOSPtr pointer leads to null pointer dereference
  // (in case when JPEG_SOS is not covered during the parsing)
  
  Decoder[0] = &SOSPtr[256 * SOSPtr[2] + 2 + SOSPtr[3]];
  byte_2108 = *Decoder[0]++;
  result = byte_2220;
  byte_2109 = 7;
  if ( byte_2220 )
  {
    v2 = 0i64;
    v3 = &unk_2229;
    v4 = (SOSPtr + 6);
    v5 = byte_2220;
    do
    {
      for ( i = 0; i < *(v3 - 2); ++i )
      {
        if ( *(v3 - 3) )
        {
          v7 = *v3;
          v8 = *(v3 - 3);
          v9 = &Decoder[1] + v2 + 2;
          v10 = i;
          do
          {
            result = *v4;
            v11 = v0++;
            v11 *= 2i64;
            BYTE2(Decoder[v11 + 3]) = v10;
            v10 += 16;
            LOBYTE(Decoder[v11 + 3]) = result;
            BYTE1(Decoder[v11 + 3]) = v7;
            *v9 = 0;
            Decoder[v11 + 4] = v9;
            --v8;
          }
          while ( v8 );
        }
      }
      ++v2;
      v3 += 4;
      v4 += 2;
      --v5;
    }
    while ( v5 );
  }
  byte_210A = v0;
  return result;
}

The SOSPtr pointer may remain uninitialised in the InitJfif() function, since it is only assigned in the JPEG_SOS case of the marker switch and that case is never reached for an image without an SOS segment:

__int64 __fastcall InitJfif(UINT8 *Image, UINTN ImageSize)
{
  ...
  if ( v6 > 0xC0u && v6 != 0xC4 && v6 <= 0xCFu )
    return 6i64;
  switch ( v6 )
  {
    case 0xC0:
      qword_2218 = ImagePtr;
      result = sub_62C(ImagePtr);
LABEL_35:
      if ( result )
        return result;
      goto LABEL_36;
    case 0xC4:
      result = sub_71C(ImagePtr);
      goto LABEL_35;
    case 0xDA:                                  // JPEG_SOS
      SOSPtr = ImagePtr;
      v12 = ImagePtr[3] + (ImagePtr[2] << 8);
      if ( ((ImagePtr[4] - 1) & 0xFD) != 0 || ImagePtr[(v12 - 1)] || ImagePtr[v12] != 63 || ImagePtr[(v12 + 1)] )
        return 5i64;
      v13 = 0;
  ...

Thus, a null pointer dereference occurs on specially crafted JPEG image content that contains no SOS segment. If the null page is mapped, this results in undefined or unexpected behaviour; if the null page is not mapped, the vulnerability results in a Denial of Service (DoS).
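To make the defect concrete, the following is an added example constructed for this advisory (not Insyde's or Binarly's code): scan_markers() models the InitJfif() marker walk and only sets the SOS pointer when an FF DA segment is found, scan_start_unchecked() reproduces the sub_B68() offset computation that uses SOSPtr without a check, and first_scan_byte() is the hardened form that rejects an image with no SOS segment instead of dereferencing NULL. All function names, return codes and sample byte strings are assumptions.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical marker walk modelled on the advisory's InitJfif(): it records
 * where the SOS (FF DA) segment starts. All names here are constructed. */
#define JPEG_SOI 0xD8
#define JPEG_EOI 0xD9
#define JPEG_SOS 0xDA

/* Returns 0 on success. *sos_out points at the FF DA marker, or stays NULL
 * when the image has no SOS segment: the condition that triggers the bug. */
int scan_markers(const uint8_t *img, size_t len, const uint8_t **sos_out)
{
    size_t pos = 2;                                /* skip SOI (FF D8) */
    *sos_out = NULL;
    if (len < 2 || img[0] != 0xFF || img[1] != JPEG_SOI) return -1;
    while (pos + 2 <= len) {
        if (img[pos] != 0xFF) return -1;
        uint8_t marker = img[pos + 1];
        if (marker == JPEG_EOI) return 0;          /* end of image, SOS never seen */
        if (pos + 4 > len) return -1;
        size_t seglen = ((size_t)img[pos + 2] << 8) | img[pos + 3];
        if (seglen < 2 || pos + 2 + seglen > len) return -1;
        if (marker == JPEG_SOS) { *sos_out = &img[pos]; return 0; }
        pos += 2 + seglen;
    }
    return -1;                                     /* ran off the end */
}

/* Vulnerable pattern from sub_B68(): the entropy-coded data start is computed
 * from SOSPtr with no check that SOS was parsed (NULL deref when sos == NULL). */
const uint8_t *scan_start_unchecked(const uint8_t *sos)
{
    return &sos[256 * sos[2] + 2 + sos[3]];
}

/* Hardened form: refuse to decode unless an SOS segment was actually parsed.
 * Returns the first entropy-coded byte, -1 for a malformed stream, -2 if no SOS. */
int first_scan_byte(const uint8_t *img, size_t len)
{
    const uint8_t *sos;
    if (scan_markers(img, len, &sos) != 0) return -1;
    if (sos == NULL) return -2;
    return *scan_start_unchecked(sos);
}

/* Constructed samples: SOI, a 4-byte DQT-like segment, [SOS + one data byte], EOI. */
const uint8_t with_sos[] = { 0xFF,0xD8, 0xFF,0xDB,0x00,0x04,0x00,0x00,
    0xFF,0xDA,0x00,0x08,0x01,0x01,0x00,0x00,0x3F,0x00, 0xAB, 0xFF,0xD9 };
const uint8_t no_sos[] = { 0xFF,0xD8, 0xFF,0xDB,0x00,0x04,0x00,0x00, 0xFF,0xD9 };
```

With no_sos the hardened path returns -2 before any offset is computed, which is exactly the check the decompiled sub_B68() lacks.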

Disclosure timeline

This bug is subject to a 90-day disclosure deadline. After 90 days have elapsed or a patch has been made broadly available (whichever is earlier), the bug report becomes visible to the public.

Disclosure Activity                       Date (YYYY-mm-dd)
Lenovo PSIRT is notified                  2023-06-21
Lenovo ID (LEN-132940) is assigned        2023-06-22
CERT/CC is notified                       2023-07-10
Insyde PSIRT confirmed reported issues    2023-09-10
Insyde PSIRT assigned CVE ID              2023-11-27
Insyde advisory release date              2023-12-06
BINARLY public disclosure date            2024-06-19

Acknowledgements

BINARLY efiXplorer team
