Summary
Temporary DoS during PEI S3 resume.
This vulnerability is tracked under https://bugzilla.tianocore.org/show_bug.cgi?id=4677.
Binarly BRLY-2023-021
https://github.com/binarly-io/Vulnerability-REsearch/blob/main/EDK2/BRLY-2023-021.md
Details
MdeModulePkg/Universal/Acpi/FirmwarePerformanceDataTablePei/FirmwarePerformancePei.c
An attacker with the ability to modify physical memory can control the value of AcpiS3ResumeRecord->ResumeCount. If the attacker sets ResumeCount to MAX_UINT32 (0xFFFFFFFF) and ResumeCount is subsequently incremented, its new value will be 0 (due to UINT32 overflow). Because there is no check for overflow, this zero value is then passed as the second argument to DivU64x32(), which triggers a division by 0 and causes a system crash, leading to a DoS.
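The missing check described above, as an added example: a standalone C model, not the EDK2 source or its patch. The struct layout, the function names and the restart-on-bad-record policy are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified stand-in for the S3 resume record (assumed layout, not EDK2's). */
typedef struct {
    uint32_t ResumeCount;   /* lives in memory the attacker may modify */
    uint64_t AverageResume; /* running average of resume time */
} s3_resume_record;

/* Divisor the unchecked pattern would use: wraps to 0 at 0xFFFFFFFF. */
uint32_t next_divisor_unchecked(uint32_t count) {
    return (uint32_t)(count + 1u);
}

/* Restart the statistics from this resume (assumed recovery policy). */
static void restart_stats(s3_resume_record *rec, uint64_t this_resume) {
    rec->ResumeCount = 1;
    rec->AverageResume = this_resume;
}

/* Hardened update: returns false when the stored record had to be discarded. */
bool update_resume_average(s3_resume_record *rec, uint64_t this_resume) {
    uint32_t prev = rec->ResumeCount;

    /* Incrementing MAX_UINT32 would yield a zero divisor. */
    if (prev == UINT32_MAX) {
        restart_stats(rec, this_resume);
        return false;
    }
    /* Reject values that would overflow the 64-bit running total. */
    if (prev != 0 && rec->AverageResume > (UINT64_MAX - this_resume) / prev) {
        restart_stats(rec, this_resume);
        return false;
    }
    rec->ResumeCount = prev + 1; /* now provably in 1..MAX_UINT32 */
    rec->AverageResume = (this_resume + rec->AverageResume * prev) / rec->ResumeCount;
    return true;
}

int main(void) {
    s3_resume_record tampered = { UINT32_MAX, 5 }; /* constructed sample */
    printf("unchecked divisor: %u\n", (unsigned)next_divisor_unchecked(tampered.ResumeCount));
    bool ok = update_resume_average(&tampered, 7);
    printf("accepted=%d count=%u avg=%llu\n", ok, (unsigned)tampered.ResumeCount,
           (unsigned long long)tampered.AverageResume);
    return 0;
}
```

The key point is that the divisor is validated after being read from memory the attacker can reach and before any division takes place.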
Impact
System crash, leading to a temporary DoS.
Mitigation release plan
A patch file is available at https://bugzilla.tianocore.org/show_bug.cgi?id=4677.
This patch was integrated in the May 2024 EDK2 release (edk2-stable202405).