Following the recent discovery by Insyde, a critical security vulnerability identified as CVE-2022-29278 has been found in the NvmExpressDxe driver when it comes to improper pointer checks. If exploited, this flaw can lead to tampering with SMRAM (System Management RAM) and OS (Operating System) memory.

In this post, we will delve into the details of this vulnerability, including a code snippet that demonstrates the issue, how the exploit works, links to the original references, and recommendations to ensure the security of your system.

Exploit Details

The CVE-2022-29278 vulnerability stems from incorrect pointer checks within the NvmExpressDxe driver. Due to these improper checks, an attacker can tamper with SMRAM and OS memory, potentially compromising system security.

Here's a code snippet that demonstrates this vulnerability:

// [NvmExpressDxe driver code - illustrative snippet as presented in this post, not the vendor's source]

EFI_STATUS NvmeReadWrite(IN EFI_NVM_EXPRESS_PASS_THRU_PROTOCOL *This, IN BOOLEAN IsRead, IN UINT64 Lba, IN UINT32 BlockCount, IN OUT VOID *Buffer)
{
    EFI_STATUS Status;
    UINT32     BytesTransferred;

    // [1] Check input buffer pointer: this is only a NULL test. Nothing verifies
    //     that the caller-supplied range [Buffer, Buffer + BytesTransferred) lies
    //     outside SMRAM, which is the improper pointer check described above.
    if (Buffer == NULL) {
        return EFI_INVALID_PARAMETER;
    }

    // [2] Perform Read/Write operation into/out of the unvalidated buffer
    BytesTransferred = BlockCount * This->Media->BlockSize;
    Status = IsRead ? ReadBlocks(This, Lba, BytesTransferred, Buffer)
                    : WriteBlocks(This, Lba, BytesTransferred, Buffer);

    // [3] Return the operation result to the caller (success or error alike)
    return Status;
}

In the code snippet above, the NvmeReadWrite() function only checks that the Buffer pointer is not NULL; it never verifies that the buffer range lies outside SMRAM. As a result, a malicious entity can exploit this flaw to tamper with both SMRAM and OS memory.
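The check that is missing above is a range test, not a NULL test. The following is an added example written for this post (it is not Insyde's code and not the NvmExpressDxe driver), modelled on the pattern used by EDK2's SmmIsBufferOutsideSmmValid: a caller-supplied range is accepted only if it is non-NULL, does not wrap around the address space, and does not overlap the SMRAM window. The SMRAM base and size, the status codes, and the validate_nvme_request wrapper are constructed for the example; a real driver would take the SMRAM ranges from the platform.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed SMRAM window for the example (not a real platform value). */
#define SMRAM_BASE 0x7F000000ULL
#define SMRAM_SIZE 0x00800000ULL   /* 8 MiB */

/* Example status codes standing in for EFI_SUCCESS / EFI_INVALID_PARAMETER. */
enum { STATUS_SUCCESS = 0, STATUS_INVALID_PARAMETER = 1 };

/*
 * Return true only if [buffer, buffer + length) is entirely outside
 * [smram_base, smram_base + smram_size). A NULL test alone is not enough:
 * a non-NULL pointer into SMRAM would pass it. The sum buffer + length is
 * checked for wrap-around so a huge length cannot fold the range back
 * below SMRAM and slip past the overlap test.
 */
bool buffer_outside_smram(uint64_t buffer, uint64_t length,
                          uint64_t smram_base, uint64_t smram_size)
{
    uint64_t buffer_end;
    uint64_t smram_end;

    if (buffer == 0) {
        return false;                   /* NULL pointer */
    }
    buffer_end = buffer + length;
    if (buffer_end < buffer) {
        return false;                   /* address arithmetic wrapped */
    }
    smram_end = smram_base + smram_size;

    /* Two half-open ranges overlap iff each starts before the other ends. */
    if (buffer < smram_end && buffer_end > smram_base) {
        return false;
    }
    return true;
}

/*
 * Hardened counterpart of the [1]/[2] steps in the snippet above. The byte
 * count is computed in 64 bits so BlockCount * BlockSize cannot overflow a
 * 32-bit value, and the buffer range is validated before any transfer.
 */
int validate_nvme_request(uint64_t buffer, uint32_t block_count,
                          uint32_t block_size)
{
    uint64_t bytes;

    if (block_count == 0 || block_size == 0) {
        return STATUS_INVALID_PARAMETER;
    }
    bytes = (uint64_t)block_count * (uint64_t)block_size;
    if (!buffer_outside_smram(buffer, bytes, SMRAM_BASE, SMRAM_SIZE)) {
        return STATUS_INVALID_PARAMETER;
    }
    return STATUS_SUCCESS;
}

int main(void)
{
    /* Constructed requests: one clearly in OS memory, one aimed at SMRAM. */
    printf("OS buffer  : %d\n", validate_nvme_request(0x1000, 8, 512));
    printf("SMRAM buffer: %d\n", validate_nvme_request(SMRAM_BASE, 1, 512));
    return 0;
}
```

The overlap test is written on half-open ranges, so a buffer that ends exactly at SMRAM_BASE or starts exactly at SMRAM_BASE + SMRAM_SIZE is accepted; anything that straddles either boundary, sits inside the window, or wraps the address space is rejected before the transfer is issued.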

Original References

Insyde's Security Pledge advisory SA-2022061 announced the detection and identification of this vulnerability.
More information can be found at the following link: https://www.insyde.com/security-pledge/SA-2022061

Recommendations & Fixed Versions

To protect your systems from this critical vulnerability, it is highly recommended that you upgrade your kernel to one of the fixed versions listed below:

Conclusion

It is crucial to maintain the security and integrity of your systems by keeping up to date with the latest kernel versions and ensuring all software fixes and security patches are implemented. By upgrading your kernel to the fixed versions mentioned above, you can secure your device from the exploitation of the CVE-2022-29278 vulnerability in the NvmExpressDxe driver.

Timeline

Published on: 11/15/2022 22:15:00 UTC
Last modified on: 11/29/2022 14:27:00 UTC