Summary
HashPeImageByType() could read out of bound.
This vulnerability was originally reported at https://bugzilla.tianocore.org/show_bug.cgi?id=2214.
Details
HashPeImageByType() is handed an auth blob data pointer and length. This blob comes from a PE file that is not trusted. The code proceeds to read the 2nd byte from the blob, without guaranteeing there are enough bytes to read from. This could read out of bound.
Impact
A successful exploit of this vulnerability may lead to a loss of Confidentiality, Integrity, and/or Availability.
Mitigation release plan
The patch files from bugzilla https://bugzilla.tianocore.org/show_bug.cgi?id=2214 are attached to this GHSA.
The patch is being upstreamed into EDK2. Public PR: #10928
Expect this to be included in the May 2025 stable tag release.
Summary
HashPeImageByType() could read out of bound.
This vulnerability was originally reported at https://bugzilla.tianocore.org/show_bug.cgi?id=2214.
Details
HashPeImageByType() is handed an auth blob data pointer and length. This blob comes from a PE file that is not trusted. The code proceeds to read the 2nd byte from the blob, without guaranteeing there are enough bytes to read from. This could read out of bound.
Impact
A successful exploit of this vulnerability may lead to a loss of Confidentiality, Integrity, and/or Availability.
Mitigation release plan
The patch files from bugzilla https://bugzilla.tianocore.org/show_bug.cgi?id=2214 are attached to this GHSA.
The patch is being upstreamed into EDK2. Public PR: #10928
Expect this to be included in the May 2025 stable tag release.