Insyde Software Corporation Information for VU#533140

Tianocore UEFI implementation reclaim function vulnerable to buffer overflow



Vendor Statement

Insyde has reviewed the Insyde BIOS code and believes the variable store is protected by flash write protections. However, Insyde did also fix this coding error in late 2012. These updates were in Tags 03.72.49 and 05.02.49, which was the 2012 work week 49 release. The internal tracking number was IB02960648.

In 2014 Intel added some additional suggestions to protect the variable store. Insyde has reviewed the suggestions and in late 2014 implemented the additional suggestions. These later updates were available in Tags 03.74.45 and 05.04.45. The internal tracking number was IB02960684.

OEM and ODM customers are advised to contact their Insyde support representative for documentation and assistance.

End users are advised to contact the manufacturer of their equipment.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

There are no additional comments at this time.
