SMM: Validate more user-provided pointers
Mitigate issues presented in "Digging Into The Core of Boot" found by
"Yuriy Bulygin" and "Oleksandr Bazhaniuk" at RECON-MTL-2017.
Validate user-provided pointers using the newly-added functions.
This protects SMM from ring0 attacks.
Change-Id: I8a347ccdd20816924bf1bceb3b24bf7b22309312
Signed-off-by: Patrick Rudolph <patrick.rudolph@9elements.com>
Signed-off-by: Christian Walter <christian.walter@9elements.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/41086
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Tim Wawrzynczak <twawrzynczak@chromium.org>
diff --git a/src/soc/intel/broadwell/smihandler.c b/src/soc/intel/broadwell/smihandler.c
index 86be400..8dbb40f 100644
--- a/src/soc/intel/broadwell/smihandler.c
+++ b/src/soc/intel/broadwell/smihandler.c
@@ -100,6 +100,10 @@
reg_base = (void *)((uintptr_t)pci_read_config32(SA_DEV_IGD,
PCI_BASE_ADDRESS_0) & ~0xf);
+ /* Validate pointer before using it */
+ if (smm_points_to_smram(reg_base, PCH_PP_OFF_DELAYS + sizeof(uint32_t)))
+ return;
+
/* Check if backlight is enabled */
pp_ctrl = read32(reg_base + PCH_PP_CONTROL);
if (!(pp_ctrl & EDP_BLC_ENABLE))
@@ -341,6 +345,10 @@
if (state) {
/* EBX in the state save contains the GNVS pointer */
gnvs = (struct global_nvs *)((u32)state->rbx);
+ if (smm_points_to_smram(gnvs, sizeof(*gnvs))) {
+ printk(BIOS_ERR, "SMI#: ERROR: GNVS overlaps SMM\n");
+ return;
+ }
smm_initialized = 1;
printk(BIOS_DEBUG, "SMI#: Setting GNVS to %p\n", gnvs);
}