libefiboot Denial-of-Service Vulnerability via Unvalidated Device Path Node Length
Vulnerability
A denial-of-service vulnerability has been identified in libefiboot, a component of efivar. The device path node parser in libefiboot does not validate the Length field of each node, so nodes whose Length is less than 4 bytes are accepted and processed. Since the node header alone occupies 4 bytes, such a Length cannot move the iterator past the current node. A local user who supplies a specially crafted device path node can therefore trigger infinite recursion, stack exhaustion, and a process crash.
Impact
Exploitation of this vulnerability causes unbounded recursion that overflows the stack, exhausting stack memory and crashing the process. In some cases, the application's interpreter may terminate the resource-intensive process, potentially exposing sensitive information such as the application's installation path.
Remediation
Applications using the efi_loadopt_is_valid() function should validate the size of the input buffer before passing it to libefiboot. As a library-level fix, the device path iterator should enforce a minimum Length of 4 bytes (the size of the node header) before recursing into the next node.
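As an added example, not efivar's own code, the following C iterator applies the check described above: it refuses to recurse on a node whose Length field is smaller than the 4-byte header or larger than the remaining buffer. It assumes the UEFI device path node layout (Type, SubType, 16-bit little-endian Length); the helper names and the sample paths are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* UEFI device path node header: Type (1 byte), SubType (1 byte),
 * Length (2 bytes, little-endian, counting the header itself). */
#define DP_HDR_LEN 4
#define DP_TYPE_END 0x7f
#define DP_SUBTYPE_END_ENTIRE 0xff
#define DP_MAX_DEPTH 1024   /* defence in depth: bound recursion on huge inputs */

/* Walk the path node by node, recursing as the advisory's iterator does.
 * Returns the node count (end node included) or -1 for a malformed path.
 * Hypothetical helper, not efivar's own API. */
static int dp_walk(const uint8_t *buf, size_t remaining, int depth)
{
    if (remaining < DP_HDR_LEN)
        return -1;                          /* header does not fit */
    uint16_t len = (uint16_t)(buf[2] | (buf[3] << 8));
    if (len < DP_HDR_LEN)
        return -1;    /* the fix: Length < 4 cannot advance past this node, so refuse to recurse */
    if (len > remaining)
        return -1;                          /* node body must fit the buffer */
    if (buf[0] == DP_TYPE_END && buf[1] == DP_SUBTYPE_END_ENTIRE)
        return 1;                           /* End Entire Device Path terminates the walk */
    if (depth >= DP_MAX_DEPTH) return -1;
    int rest = dp_walk(buf + len, remaining - len, depth + 1);
    return rest < 0 ? -1 : rest + 1;
}

int dp_count_nodes(const uint8_t *buf, size_t size) { return dp_walk(buf, size, 0); }

/* Constructed sample paths (not captured from a real system). */
static const uint8_t good_path[] = {
    0x01, 0x01, 0x06, 0x00, 0x00, 0x1f,     /* Hardware/PCI node, Length 6 */
    0x7f, 0xff, 0x04, 0x00 };               /* End Entire Device Path, Length 4 */
static const uint8_t zero_len_path[] = {
    0x01, 0x01, 0x00, 0x00, 0x00, 0x1f,     /* Length 0: the next node would be this node again */
    0x7f, 0xff, 0x04, 0x00 };
static const uint8_t truncated_path[] = {
    0x01, 0x01, 0x06, 0x00 };               /* claims 6 bytes but only 4 are present */

int main(void)
{
    printf("good: %d\n", dp_count_nodes(good_path, sizeof good_path));            /* 2 */
    printf("zero: %d\n", dp_count_nodes(zero_len_path, sizeof zero_len_path));    /* -1 */
    printf("trunc: %d\n", dp_count_nodes(truncated_path, sizeof truncated_path)); /* -1 */
    return 0;
}
```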
