RefindPlusRepo RefindPlus Null Pointer Dereference Vulnerability in APFS I/O Library
Vulnerability
A null pointer dereference vulnerability has been identified in RefindPlusRepo RefindPlus version 0.14.2.AB. The issue involves the 'InternalApfsTranslateBlock' function in the file 'Library/RP_ApfsLib/RP_ApfsIo.c'. The vulnerability arises because 'InternalApfsTranslateBlock' can return NULL, and that return value is then dereferenced without being checked, potentially leading to a crash. This vulnerability can be exploited locally.
Impact
Exploitation of this vulnerability leads to a null pointer dereference, causing a crash or unexpected termination of the application.
Reproduction
The vulnerability can be reproduced by calling the 'InternalApfsTranslateBlock' function with a 'PrivateData' parameter that makes it return NULL. This can be done within the 'ApfsReadJumpStart' function, where 'PrivateData' is not properly validated before being used. 'InternalApfsTranslateBlock' is expected to return a valid pointer, but under certain conditions it returns NULL; when the caller then uses that pointer, the result is a NULL dereference.
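The pattern described above, as an added example that is not RefindPlus's own code: a constructed block-translation routine that returns NULL for a missing context or an out-of-range block, the unchecked caller that dereferences the result, and a hardened caller that returns an error status instead. The names TranslateBlock, ReadBlockUnchecked, ReadBlockChecked, DemoRead and the PRIVATE_DATA layout are hypothetical stand-ins, not the project's types.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of the bug class described above; not RefindPlus code. */
#define BLOCK_SIZE 16
#define TOTAL_BLOCKS 4
typedef struct {
  uint8_t  Storage[TOTAL_BLOCKS * BLOCK_SIZE]; /* simulated backing device */
  uint64_t BlockCount;                         /* number of valid blocks   */
} PRIVATE_DATA;
/* Translate a logical block to a pointer into the backing storage. Returns NULL
   when PrivateData is missing or the block is out of range (the "returns NULL
   under certain conditions" behaviour). */
uint8_t *TranslateBlock(PRIVATE_DATA *PrivateData, uint64_t Block) {
  if (PrivateData == NULL || Block >= PrivateData->BlockCount) {
    return NULL;
  }
  return &PrivateData->Storage[Block * BLOCK_SIZE];
}

/* Unchecked caller (the vulnerable pattern): uses the translation result
   without looking at it, so a NULL return is dereferenced and crashes. */
void ReadBlockUnchecked(PRIVATE_DATA *PrivateData, uint64_t Block, uint8_t *Out) {
  memcpy(Out, TranslateBlock(PrivateData, Block), BLOCK_SIZE);
}

/* Hardened caller: checks the translation result and reports failure to its
   caller instead of dereferencing NULL. Returns 0 on success, -1 on error. */
int ReadBlockChecked(PRIVATE_DATA *PrivateData, uint64_t Block, uint8_t *Out) {
  uint8_t *Src = TranslateBlock(PrivateData, Block);
  if (Src == NULL) {
    return -1; /* propagate an error status, as a firmware driver would */
  }
  memcpy(Out, Src, BLOCK_SIZE);
  return 0;
}

/* Scenario helper: builds a device with BlockCount valid blocks filled with 0x5A,
   reads Block through the hardened path, and returns the first byte read (0x5A)
   or -1 when the translation failed and no dereference took place. */
int DemoRead(uint64_t BlockCount, uint64_t Block) {
  PRIVATE_DATA Pd;
  uint8_t Out[BLOCK_SIZE];
  memset(Pd.Storage, 0x5A, sizeof Pd.Storage);
  Pd.BlockCount = BlockCount;
  if (ReadBlockChecked(&Pd, Block, Out) != 0) {
    return -1;
  }
  return Out[0];
}
```

Calling ReadBlockUnchecked with a block beyond BlockCount reproduces the crash the advisory describes; ReadBlockChecked turns the same input into a recoverable error.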
Remediation
Users are advised to update to the latest version of RefindPlus, where this vulnerability has been addressed. The patch is available in the commit '4d35125ca689a255647e9033dd60c257d26df7cb'.
