Linux acquitted in Samsung laptop UEFI deaths

February 11, 2013 // 11:02 a.m.

Tags: #gnulinux #linux #matthew-garrett #samsung #samsung-laptop #samsung-uefi #uefi #vulnerability

A bug in the BIOS of selected Samsung laptops which can lead to the device becoming unusable has been found to be exploitable under Windows, acquitting Linux as the culprit.

The flaw was first spotted late last month, when a Samsung laptop owner managed to brick two units in a row simply by booting the open-source Linux operating system on them. Indications pointed to a fault in a specific kernel module within Linux, based on code provided by Samsung itself, which was somehow corrupting the UEFI firmware and thus destroying the device until the firmware was re-flashed using factory equipment.

Originally, it had been thought that the flaw was exclusive to Linux, and could be avoided simply by using an alternative operating system, disabling UEFI or preventing the Samsung laptop kernel module from loading.

That is, until it was discovered that the same bug could be triggered in Windows.

Linux developer Matthew Garrett has posted an updated analysis of the flaw, which includes the news that the UEFI bug can be triggered from within Windows as well as Linux. 'I bricked a Samsung laptop today. Unlike most of the reported cases of Samsung laptops refusing to boot, I never booted Linux on it - all experimentation was performed under Windows,' wrote Garrett. 'It seems that the bug we've been seeing is simultaneously simpler in some ways and more complicated in others than we'd previously realised.'

Garrett's experimentation has narrowed the flaw down to overflowing the UEFI variable storage space, which results in the corruption on Linux when the Samsung kernel module created a crash log for writing to UEFI. The same can be achieved on Windows, Garrett explains, using custom code to write 36 random variables to the same UEFI storage area - causing the same crash, and bricking the laptop.

'This is pretty obviously a firmware bug. Writing UEFI variables is expressly permitted by the specification, and there should never be a situation in which an OS can fill the variable store in such a way that the firmware refuses to boot the system,' Garrett explained. 'We've seen similar bugs in Intel's reference code in the past, but they were all fixed early last year.'

The flaw, then, is more serious than first thought. Microsoft's Windows 8 certification requirements include that there is at least 64KB of storage space available in the UEFI - and with Garrett's sample code triggering the flaw at just 36KB of data written, and the Linux error log at a mere 10KB, there's no guarantee that the flaw can't be triggered just by general use of Windows itself.

'For now the safest thing to do is not to use UEFI on any Samsung laptops,' warned Garrett. 'Unfortunately, if you're using Windows, that'll require you to reinstall it from scratch.'