CVE-2022-36763: 
NixOS vulnerability analysis and mitigation

EDK2 contains a vulnerability in the Tcg2MeasureGptTable() function (CVE-2022-36763) that was disclosed in January 2024. The vulnerability allows a user to trigger a heap buffer overflow via a local network by exploiting inadequate validation of the GPT Primary Header (TianoCore Advisory).

The vulnerability stems from a lack of validation checks for integer overflows when computing NumberOfPartitionEntries * SizeOfPartitionEntry at multiple locations in the Tcg2MeasureGptTable() function. One exploitation path involves overflowing the EventSize computation at line 251 in SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.c, causing AllocateZeroPool() to return a smaller object than expected, leading to a heap-buffer overflow during partition entry copying. The vulnerability has been assigned a CVSS v3.1 base score of 7.0 (High) with vector string CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:H (TianoCore Advisory).

The vulnerability can lead to arbitrary code execution in the DXE phase through various attack vectors: corrupting PREV-NEXT pointers for unlink() attacks, overwriting UEFI application code directly through the heap-buffer overflow, or modifying pointers in the BootServices table. By default, all memory is RWX, making this a particularly powerful exploit primitive (TianoCore Advisory).

Patch files were made available through the TianoCore bugzilla (Bug #4117) and were integrated into the February 2024 EDK2 release. Various Linux distributions have also released security updates to address this vulnerability, including Red Hat Enterprise Linux and Fedora (Red Hat Advisory, Fedora Update).