Summary: A recently discovered vulnerability (CVE-2023-40238) in the BmpDecoderDxe component of the Insyde InsydeH2O kernel affects certain Lenovo devices. This flaw, known as LogoFAIL, involves potentially copying data to arbitrary addresses because of an integer signedness error that occurs during the parsing of crafted BMP logo files. The affected kernel versions include 5.2 before 05.28.47, 5.3 before 05.37.47, 5.4 before 05.45.47, 5.5 before 05.53.47, and 5.6 before 05.60.47.

Exploit Details

The vulnerable component, BmpDecoderDxe, is designed to handle the decoding of BMP image files during the DXE (Driver eXecution Environment) phase of UEFI (Unified Extensible Firmware Interface) execution. The flaw in question arises during the handling of RLE4 or RLE8 compressed BMP files, where an integer signedness error involving the PixelHeight and PixelWidth values can lead to a situation in which data is copied to an unintended address.

A code snippet showcasing this vulnerability is as follows:

// Vulnerable function in BmpDecoderDxe.c
UINTN
EFIAPI
BmpDecoderGetInfo (
  IN  VOID                            *Source,
  IN  UINT32                          SourceSize,
  OUT UINT32                          *ImageWidth,
  OUT UINT32                          *ImageHeight
  )
{
  EFI_STATUS                    Status;
  BMP_IMAGE_HEADER              *BmpImageHeader;
  UINTN                         ImageFileSize;

  ...

  // PixelWidth and PixelHeight are signed in the BMP header; a set sign bit
  // (BIT31) in PixelHeight marks a top-down image. The negated height is cast
  // straight back to UINT32, so a crafted header produces a very large
  // unsigned dimension that later size and copy calculations trust.
  *ImageWidth  = (UINT32) BmpImageHeader->PixelWidth;
  *ImageHeight = (UINT32) (BmpImageHeader->PixelHeight & BIT31 ?
                           -(INT32)(BmpImageHeader->PixelHeight & ~BIT31) :
                           BmpImageHeader->PixelHeight);

  ...
}

The issue stems from reading the PixelHeight and PixelWidth values from the BMP header as signed 32-bit integers (INT32) and then using them as unsigned dimensions. A specially crafted BMP logo file processed by BmpDecoderDxe can trigger this integer signedness error, and the out-of-range dimensions that result lead to unwanted behavior or a potential exploit.
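The defensive counterpart, as an added example that is not Insyde's code and not taken from the advisory: a header check that reads width and height as the signed values the BMP format defines and rejects negative or oversized ones before any unsigned size or copy is computed. It assumes the standard 14-byte file header plus 40-byte BITMAPINFOHEADER layout; the MAX_LOGO_DIM bound and the check_case helper (which builds constructed headers for testing) are hypothetical.

```c
// Added example (not Insyde's code): a hardened BMP header check for a boot-logo
// decoder. Width/height are read as the signed 32-bit values BMP defines and
// rejected when negative, so a sign bit never reaches an unsigned size or copy.
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define BMP_HDR_SIZE 54u   // 14-byte file header + 40-byte BITMAPINFOHEADER
#define MAX_LOGO_DIM 4096u // assumed sane upper bound for a logo dimension

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

// Returns 0 if the header is acceptable, otherwise a nonzero reason code.
int bmp_header_check(const uint8_t *buf, size_t len, uint32_t *w, uint32_t *h) {
    if (len < BMP_HDR_SIZE || buf[0] != 'B' || buf[1] != 'M') return 1;
    int32_t  width  = (int32_t)rd32(buf + 18);
    int32_t  height = (int32_t)rd32(buf + 22);        // BIT31 set => negative (top-down)
    uint16_t bpp    = (uint16_t)(buf[28] | buf[29] << 8);
    uint32_t comp   = rd32(buf + 30);                 // 0 = BI_RGB, 1 = BI_RLE8, 2 = BI_RLE4
    uint32_t off    = rd32(buf + 10);                 // offset of pixel data in the file
    if (width <= 0 || height <= 0) return 2;          // a logo decoder needs no top-down BMPs
    if ((uint32_t)width > MAX_LOGO_DIM || (uint32_t)height > MAX_LOGO_DIM) return 3;
    if (bpp != 1 && bpp != 4 && bpp != 8 && bpp != 24) return 4;
    if (comp > 2 || (comp == 1 && bpp != 8) || (comp == 2 && bpp != 4)) return 5;
    if (off < BMP_HDR_SIZE || off > len) return 6;
    // Uncompressed image must fit in the file: rows padded to 4 bytes, 64-bit math so width * bpp cannot wrap.
    uint64_t row = (((uint64_t)width * bpp + 31) / 32) * 4;
    if (comp == 0 && off + row * (uint64_t)height > len) return 7;
    *w = (uint32_t)width; *h = (uint32_t)height;
    return 0;
}

// Builds a constructed header (sample data, not a real logo file) in a static buffer and checks it as a file of length len.
static uint8_t sample[65536];
int check_case(uint32_t width, uint32_t height, uint16_t bpp, uint32_t comp, size_t len) {
    uint32_t w = 0, h = 0;
    memset(sample, 0, sizeof sample);
    sample[0] = 'B'; sample[1] = 'M';
    wr32(sample + 10, BMP_HDR_SIZE); wr32(sample + 14, 40);  // data offset, info header size
    wr32(sample + 18, width); wr32(sample + 22, height);    // raw bits; pass BIT31 to set the sign
    sample[26] = 1; sample[28] = (uint8_t)bpp; sample[29] = (uint8_t)(bpp >> 8);
    wr32(sample + 30, comp);
    return bmp_header_check(sample, len < sizeof sample ? len : sizeof sample, &w, &h);
}
```

A height of 0x80000040 (sign bit plus 64) is rejected with code 2 here, whereas the vulnerable snippet above would negate and cast it into a large unsigned value; RLE-compressed images pass the header check and must still have their run lengths bounded during decoding.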

To fully understand the scope and impact of this vulnerability, the following original references should be consulted:

- CVE-2023-40238
- Insyde InsydeH2O
- Unified Extensible Firmware Interface (UEFI)

Mitigations for this LogoFAIL issue are to update the Insyde InsydeH2O kernel to a version in which the vulnerability is patched (the fixed releases listed in the summary for each branch, or later) and to avoid the use of untrusted BMP image files during the DXE phase of UEFI execution. Because the logo is parsed by firmware before any operating system loads, OS-level controls do not cover this code path; the firmware update from the device vendor is the effective fix.

Timeline

Published on: 12/07/2023 04:15:06 UTC
Last modified on: 12/16/2023 01:15:07 UTC