SMM: Validate more user-provided pointers

Mitigate issues presented in "Digging Into The Core of Boot" found by
"Yuriy Bulygin" and "Oleksandr Bazhaniuk" at RECON-MTL-2017.

Validate user-provided pointers using the newly-added functions.
This protects SMM from ring0 attacks.

Change-Id: I8a347ccdd20816924bf1bceb3b24bf7b22309312
Signed-off-by: Patrick Rudolph <patrick.rudolph@9elements.com>
Signed-off-by: Christian Walter <christian.walter@9elements.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/41086
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Tim Wawrzynczak <twawrzynczak@chromium.org>
diff --git a/src/soc/intel/broadwell/smihandler.c b/src/soc/intel/broadwell/smihandler.c
index 86be400..8dbb40f 100644
--- a/src/soc/intel/broadwell/smihandler.c
+++ b/src/soc/intel/broadwell/smihandler.c
@@ -100,6 +100,10 @@
 	reg_base = (void *)((uintptr_t)pci_read_config32(SA_DEV_IGD,
 		PCI_BASE_ADDRESS_0) & ~0xf);
 
+	/* Validate pointer before using it */
+	if (smm_points_to_smram(reg_base, PCH_PP_OFF_DELAYS + sizeof(uint32_t)))
+		return;
+
 	/* Check if backlight is enabled */
 	pp_ctrl = read32(reg_base + PCH_PP_CONTROL);
 	if (!(pp_ctrl & EDP_BLC_ENABLE))
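Review bot: The new early return after smm_points_to_smram(reg_base, ...) is silent, while the GNVS check added later in this same patch logs with printk(BIOS_ERR, ...). A rejected IGD BAR is worth the same treatment, for example a BIOS_ERR line saying that the BAR points into SMRAM, so a rejected value is visible in the log. The length PCH_PP_OFF_DELAYS + sizeof(uint32_t) also assumes PCH_PP_OFF_DELAYS is the highest register offset this function touches; only the PCH_PP_CONTROL read is visible in this hunk, so please state that assumption in the comment, which currently says only "Validate pointer before using it" and does not mention that the BAR value comes from PCI config space.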
@@ -341,6 +345,10 @@
 		if (state) {
 			/* EBX in the state save contains the GNVS pointer */
 			gnvs = (struct global_nvs *)((u32)state->rbx);
+			if (smm_points_to_smram(gnvs, sizeof(*gnvs))) {
+				printk(BIOS_ERR, "SMI#: ERROR: GNVS overlaps SMM\n");
+				return;
+			}
 			smm_initialized = 1;
 			printk(BIOS_DEBUG, "SMI#: Setting GNVS to %p\n", gnvs);
 		}
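Review bot: The error message in the new smm_points_to_smram(gnvs, sizeof(*gnvs)) branch does not include the rejected pointer, although the BIOS_DEBUG line just below prints it with %p; adding the value to the BIOS_ERR message would make a rejected GNVS address diagnosable from the log. A one-line comment above the check, like the one in the first hunk, would also help: the existing comment says only that EBX holds the GNVS pointer, not that the value is taken from the save state and must not be trusted. Note that the return leaves smm_initialized at 0, so a later SMI can supply another pointer; if that retry behaviour is intended, say so in the comment.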