Ampere AmpereOne UEFI-MM Driver Buffer Overflow Vulnerability

Vulnerability

A buffer overflow vulnerability has been identified in Ampere AmpereOne AC03 devices prior to 3.5.9.3, AC04 devices prior to 4.4.5.2, and AmpereOne M devices prior to 5.4.5.1. The vulnerability arises from an incorrectly formed SMC call to the UEFI-MM Boot Error Record Table driver, which can lead to (1) an out-of-bounds read that leaks Secure-EL0 information to a process in Non-Secure state, or (2) an out-of-bounds write that corrupts Secure or Non-Secure memory, limited to memory mapped to the UEFI-MM Secure Partition by the Secure Partition Manager.

Impact

Exploitation of this vulnerability can cause a buffer overflow, leading to an out-of-bounds read or write. The out-of-bounds read can leak Secure-EL0 information to a Non-Secure process, violating the intended separation between Secure and Non-Secure worlds. The out-of-bounds write can corrupt memory, potentially causing a system hang or allowing privilege escalation.

Remediation

Users are advised to update to AmpereOne AC03 version 3.5.9.3 or newer, AmpereOne AC04 version 4.4.5.2 or newer, or AmpereOne M version 5.4.5.1 or newer.
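The version thresholds above can be applied to a firmware inventory as follows. This is an added example, not code from Ampere or from this page. It assumes firmware versions are reported in the same dotted numeric form the advisory uses and compare component by component. The family labels (AC03, AC04, M) and the host names are constructed for illustration.

```python
# Added example: triage a firmware inventory against the fixed versions
# named in this advisory. Inventory format and host names are assumptions.
import re

# First fixed firmware version per product family, as stated in the advisory.
FIXED = {
    "AC03": (3, 5, 9, 3),
    "AC04": (4, 4, 5, 2),
    "M": (5, 4, 5, 1),
}

def parse_version(text):
    """Parse a dotted numeric version such as '3.5.9.3' into a tuple of ints."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in text.split("."))

def status(family, version):
    """Return 'fixed', 'vulnerable' or 'unknown' for one device."""
    fixed = FIXED.get(family.strip().upper())
    if fixed is None:
        return "unknown"  # product family not covered by this advisory
    try:
        found = parse_version(version)
    except ValueError:
        return "unknown"  # unparseable version: needs manual review
    # Pad both tuples so '5.4.5' is compared as 5.4.5.0, and compare as
    # integers so 3.5.10.0 sorts after 3.5.9.3 (a string compare would not).
    width = max(len(found), len(fixed))
    found += (0,) * (width - len(found))
    fixed += (0,) * (width - len(fixed))
    return "fixed" if found >= fixed else "vulnerable"

def triage(inventory):
    """Map each host to its status; inventory rows are (host, family, version)."""
    return {host: status(family, version) for host, family, version in inventory}

# Constructed sample inventory (not real hosts or real readings).
SAMPLE = [
    ("node-a", "AC03", "3.5.9.2"),
    ("node-b", "AC03", "3.5.10.0"),
    ("node-c", "AC04", "4.4.5.2"),
    ("node-d", "M", "5.4.5"),
    ("node-e", "AC04", "n/a"),
]

if __name__ == "__main__":
    for host, result in triage(SAMPLE).items():
        print(host, result)
```

Hosts reported as unknown should be checked by hand rather than treated as patched.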

Added: Dec 16, 2025, 7:22 PM
Updated: Dec 16, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 5.6
exploitability: 2.8
remediation: 7.7
relevance: 1.5
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.