Insyde Security Pledge

Latest Security Advisories

INSYDE-SA-2024016

Product: InsydeH2O
CVSS Score: 5.3
Original Date: 2025-05-13
Last Revised:

Summary

VariableRuntimeDxe: Unsafe functions may cause buffer over-read.

Vulnerability Details

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H

CVE-2024-52877

In the VariableRuntimeDxe driver, the callback function SmmCreateVariableLockList () calls CreateVariableLockListInSmm (). CreateVariableLockListInSmm () uses StrSize () to get the variable name size, which could lead to a buffer over-read. CWE-126

CVE-2024-52878

In the VariableRuntimeDxe driver, VariableServicesSetVariable () can be called through gRT->SetVariable (), or through SmmSetSensitiveVariable () or SmmInternalSetVariable () from SMM. VariableServicesSetVariable () uses StrSize () to get the variable name size, StrLen () to get the variable name length, and StrCmp () to compare strings. These calls may cause a buffer over-read. CWE-126

CVE-2024-52879

In the VariableRuntimeDxe driver, SmmUpdateVariablePropertySmi () is an SMM callback function that uses StrCmp () to compare variable names. This may cause a buffer over-read. CWE-126

CVE-2024-52880

In the VariableRuntimeDxe driver, SecureBootHandler uses DataSize and VariableNameSize to determine whether the data or name are in the buffer, but these values are supplied by the caller and therefore cannot be trusted. CWE-349
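The following is an added example, not Insyde's code or its fix: a portable C sketch of the two checks these CVE descriptions call for, a bounded replacement for StrSize () and validation of caller-supplied VariableNameSize and DataSize against the real buffer length. The VAR_REQUEST layout and the names bounded_str_size, validate_request and build_sample are hypothetical, and the sample request is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

typedef uint16_t CHAR16;                 /* UEFI strings are UCS-2 */

/* Hypothetical request header; the name and data follow it in the buffer. */
typedef struct {
    uint64_t VariableNameSize;           /* bytes, caller supplied */
    uint64_t DataSize;                   /* bytes, caller supplied */
} VAR_REQUEST;

/* Bounded stand-in for StrSize(): bytes up to and including the NUL,
   or 0 when no NUL lies within max_bytes (StrSize would keep reading). */
static size_t bounded_str_size(const uint8_t *s, size_t max_bytes)
{
    for (size_t off = 0; off + sizeof(CHAR16) <= max_bytes; off += sizeof(CHAR16)) {
        CHAR16 c;
        memcpy(&c, s + off, sizeof c);   /* no alignment assumption */
        if (c == 0) return off + sizeof(CHAR16);
    }
    return 0;
}

/* Returns 1 only if header, name and data all fit in buf_size and the
   name is NUL-terminated exactly at VariableNameSize. */
int validate_request(const uint8_t *buf, size_t buf_size)
{
    VAR_REQUEST hdr;
    if (buf_size < sizeof hdr) return 0;
    memcpy(&hdr, buf, sizeof hdr);       /* snapshot untrusted fields once */
    size_t room = buf_size - sizeof hdr;
    if (hdr.VariableNameSize < sizeof(CHAR16) || hdr.VariableNameSize % sizeof(CHAR16))
        return 0;
    if (hdr.VariableNameSize > room) return 0;
    if (hdr.DataSize > room - hdr.VariableNameSize) return 0;  /* no overflow */
    return bounded_str_size(buf + sizeof hdr, (size_t)hdr.VariableNameSize)
           == hdr.VariableNameSize;
}

/* Constructed sample: writes a request for name "Ab" with the given
   declared sizes; 'terminate' controls whether the NUL is present. */
size_t build_sample(uint8_t *out, uint64_t name_size, uint64_t data_size, int terminate)
{
    VAR_REQUEST hdr = { name_size, data_size };
    CHAR16 name[3] = { 'A', 'b', terminate ? 0 : 'c' };
    memcpy(out, &hdr, sizeof hdr);
    memcpy(out + sizeof hdr, name, sizeof name);
    memset(out + sizeof hdr + sizeof name, 0xAA, 4);           /* 4 data bytes */
    return sizeof hdr + sizeof name + 4;
}
```

In EDK II based code the bounded scan corresponds to BaseLib's StrnSizeS () and StrnLenS (), which take a maximum length instead of scanning until a terminator is found.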

Solution Information

kernel 5.2, Version 05.29.50
kernel 5.3, Version 05.38.50
kernel 5.4, Version 05.46.50
kernel 5.5, Version 05.54.50
kernel 5.6, Version 05.61.50
kernel 5.7, Version 05.70.50

Acknowledgements

Revision History

Revision #: 1
Date: 2025-05-13
Description: Initial Release