GHSA-2689-5P89-6J3J: Stack-Based Out-of-Bounds Write in UEFI Firmware Parser Tiano Decompressor

The uefi-firmware-parser project provides tools for parsing, extracting, and reconstructing UEFI firmware volumes. A critical component of this ecosystem is the decompression engine, which handles proprietary and standard firmware compression algorithms. The Tiano compression algorithm, a variant used extensively within UEFI environments, is implemented natively in the parser to enable inspection of compressed firmware sections.

Version 1.13 of the parser addresses a critical stack-based buffer overflow (CWE-121) within this Tiano decompression implementation. The vulnerability resides specifically in the MakeTable function, which is responsible for constructing Huffman coding tables during the decompression initialization phase.

This flaw originates from a missing bounds check on attacker-controlled bit lengths supplied within the compressed stream. Consequently, an attacker can trigger an out-of-bounds write on a stack-allocated array. The security impact includes arbitrary code execution within the context of the parser process or persistent denial of service.

The root cause of GHSA-2689-5P89-6J3J lies in the trust placed upon the structural metadata of the compressed Tiano bitstream. The MakeTable function processes frequency and bit-length arrays extracted directly from the compressed payload to rebuild the Huffman tree required for decompression.

During this phase, the function allocates a local array, Count[17], on the stack. This array is intended to track the frequency of symbols corresponding to specific bit lengths. The design assumes that the maximum valid bit length in the Tiano specification is 16, hence the array size of 17.

The parsing loop iterates over the BitLen array, incrementing the value in the Count array at the index specified by the current bit length. The implementation fails to validate that the provided bit length falls within the expected 0 to 16 range before performing the array access. If an attacker supplies a BitLen value greater than 16, the function accesses memory beyond the bounds of the Count array.

The vulnerable logic is encapsulated in a tight loop within the MakeTable function located in uefi_firmware/compression/Tiano/Decompress.c. The code iterates NumOfChar times, performing an unverified stack array access based entirely on the parsed values.

for (Index = 0; Index < NumOfChar; Index++) {
    Count[BitLen[Index]]++; // Vulnerability: No bounds check
}

The patch implemented in version 1.13 introduces an explicit boundary check before the array increment operation. By enforcing a hard limit on the value of BitLen[Index], the code guarantees that the index will never exceed the designated size of the Count array.

for (Index = 0; Index < NumOfChar; Index++) {
    if (BitLen[Index] > 16) {
        return (UINT16) BAD_TABLE;
    }
    Count[BitLen[Index]]++;
}

In addition to this specific fix, the patch authors backported several related hardening measures from the upstream EDK2 project. These include loop bounds enforcement for ReadPTLen and ReadCLen variables, consistency checks ensuring Start[Len] + Weight[Len] does not exceed maximum table lengths, and explicit type casts to prevent undefined behavior during bitwise operations.

Exploiting this vulnerability requires the creation of a specialized UEFI firmware volume. The attacker must compress a section of the volume using the Tiano algorithm and manually manipulate the embedded Huffman table definitions to supply abnormal BitLen values.

The exploitation primitive provided by this vulnerability is an out-of-bounds increment operation, rather than a direct arbitrary write. The vulnerable statement Count[BitLen[Index]]++ increments the specific byte or word at the calculated offset. To hijack execution flow, an attacker must precisely align the index to target a stored return address or function pointer residing further down the stack.

The attacker must then trigger the increment operation multiple times to mutate the target memory address to point to their controlled payload. This requires careful arrangement of the BitLen array to loop the required number of times over the precise offset. While constrained compared to a direct write primitive, this technique is reliably exploitable in environments lacking robust stack protection mechanisms.

The primary impact of this vulnerability is Remote Code Execution (RCE) in the execution context of the uefi-firmware-parser application. While the parser is not typically deployed as a network-facing daemon, it is heavily utilized in automated firmware analysis pipelines, continuous integration systems, and specialized security research environments.

If an automated system uses this parser to analyze untrusted firmware images submitted by users or extracted from external hardware, the vulnerability serves as a highly effective initial access vector. The execution of arbitrary code allows the attacker to pivot into the internal analysis network, access sensitive intellectual property, or compromise downstream automated systems.

In scenarios where exploit mitigation technologies prevent reliable code execution, the memory corruption guarantees a fatal crash of the parser process. This results in a Denial of Service (DoS) condition, halting automated analysis pipelines or causing localized system instability during critical forensic investigations.

The definitive remediation for GHSA-2689-5P89-6J3J is upgrading the uefi-firmware-parser dependency to version 1.13 or later. This release contains the direct fix for the MakeTable out-of-bounds write alongside necessary architectural hardening of the Tiano compression implementation.

For environments where immediate dependency updates are not feasible, organizations must employ structural defense-in-depth measures. The firmware parser should be executed strictly within a constrained environment, such as an isolated container or a restricted sandbox with minimal system privileges.

Implementing strict resource limits and disabling network access for the parsing process will significantly reduce the blast radius of a successful exploitation attempt. Organizations should also audit their firmware ingestion pipelines to ensure untrusted binaries are fully isolated prior to any automated analysis or decompression routines.