diff options
author | Patrick Rudolph <patrick.rudolph@9elements.com> | 2020-05-06 10:57:01 +0200 |
---|---|---|
committer | Patrick Georgi <pgeorgi@google.com> | 2020-06-17 09:18:05 +0000 |
commit | 2fdabd90382fc468a339201031c21974baa8c1e8 (patch) | |
tree | ffa6b6cc25a278848d376a02a8479e13b897d5c3 /src | |
parent | 41fec869fb3b25fd5bb5b454ab1bf39660ce314d (diff) | |
download | coreboot-2fdabd90382fc468a339201031c21974baa8c1e8.tar.xz |
smmstore: Verify userspace-provided pointer to protect SMM
Use the introduced functions and verify pointers in the SMMSTORE.
Make sure to not overwrite or leak data from SMM and update the
documentation as well.
Change-Id: I70df08657c3fa0f98917742d8e1a6cb1077e3758
Signed-off-by: Patrick Rudolph <patrick.rudolph@9elements.com>
Signed-off-by: Christian Walter <christian.walter@9elements.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/41085
Reviewed-by: Angel Pons <th3fanbus@gmail.com>
Reviewed-by: Patrick Georgi <pgeorgi@google.com>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Diffstat (limited to 'src')
-rw-r--r-- | src/drivers/smmstore/smi.c | 12 |
1 files changed, 10 insertions, 2 deletions
diff --git a/src/drivers/smmstore/smi.c b/src/drivers/smmstore/smi.c index 083535c877..b21423e90e 100644 --- a/src/drivers/smmstore/smi.c +++ b/src/drivers/smmstore/smi.c @@ -1,6 +1,8 @@ /* SPDX-License-Identifier: GPL-2.0-only */ #include <console/console.h> +#include <commonlib/region.h> +#include <cpu/x86/smm.h> #include <smmstore.h> #include <stddef.h> #include <stdint.h> @@ -10,13 +12,14 @@ * * Legal means: * - not pointing into SMRAM - * - ...? * * returns 0 on success, -1 on failure */ static int range_check(void *start, size_t size) { - // TODO: fill in + if (smm_points_to_smram(start, size)) + return -1; + return 0; } @@ -30,6 +33,9 @@ uint32_t smmstore_exec(uint8_t command, void *param) printk(BIOS_DEBUG, "Reading from SMM store\n"); struct smmstore_params_read *params = param; + if (range_check(params, sizeof(*params)) != 0) + break; + if (range_check(params->buf, params->bufsize) != 0) break; @@ -42,6 +48,8 @@ uint32_t smmstore_exec(uint8_t command, void *param) printk(BIOS_DEBUG, "Appending into SMM store\n"); struct smmstore_params_append *params = param; + if (range_check(params, sizeof(*params)) != 0) + break; if (range_check(params->key, params->keysize) != 0) break; if (range_check(params->val, params->valsize) != 0) |