diff options
author | Patrick Rudolph <patrick.rudolph@9elements.com> | 2020-05-06 11:58:45 +0200 |
---|---|---|
committer | Patrick Georgi <pgeorgi@google.com> | 2020-08-21 07:51:07 +0000 |
commit | 9f8f11513a5db45b224f764525eae9c64fcfe360 (patch) | |
tree | be1b5a603cc8d19e96ef0bf31037e9975c6a6c8b /src/soc/intel/common/block | |
parent | 37ac368c780568628e45c6fa93aaa55a2030c06b (diff) | |
download | coreboot-9f8f11513a5db45b224f764525eae9c64fcfe360.tar.xz |
SMM: Validate more user-provided pointers
Mitigate issues presented in "Digging Into The Core of Boot" found by
"Yuriy Bulygin" and "Oleksandr Bazhaniuk" at RECON-MTL-2017.
Validate user-provided pointers using the newly-added functions.
This protects SMM from ring0 attacks.
Change-Id: I8a347ccdd20816924bf1bceb3b24bf7b22309312
Signed-off-by: Patrick Rudolph <patrick.rudolph@9elements.com>
Signed-off-by: Christian Walter <christian.walter@9elements.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/41086
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Tim Wawrzynczak <twawrzynczak@chromium.org>
Diffstat (limited to 'src/soc/intel/common/block')
-rw-r--r-- | src/soc/intel/common/block/smm/smihandler.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/src/soc/intel/common/block/smm/smihandler.c b/src/soc/intel/common/block/smm/smihandler.c index 7bd17c3e78..4998532837 100644 --- a/src/soc/intel/common/block/smm/smihandler.c +++ b/src/soc/intel/common/block/smm/smihandler.c @@ -373,6 +373,10 @@ void smihandler_southbridge_apmc( /* EBX in the state save contains the GNVS pointer */ uint32_t reg_ebx = save_state_ops->get_reg(state, RBX); gnvs = (struct global_nvs *)(uintptr_t)reg_ebx; + if (smm_points_to_smram(gnvs, sizeof(*gnvs))) { + printk(BIOS_ERR, "SMI#: ERROR: GNVS overlaps SMM\n"); + return; + } smm_initialized = 1; printk(BIOS_DEBUG, "SMI#: Setting GNVS to %p\n", gnvs); } |