From 9f8f11513a5db45b224f764525eae9c64fcfe360 Mon Sep 17 00:00:00 2001 From: Patrick Rudolph Date: Wed, 6 May 2020 11:58:45 +0200 Subject: SMM: Validate more user-provided pointers Mitigate issues presented in "Digging Into The Core of Boot" found by "Yuriy Bulygin" and "Oleksandr Bazhaniuk" at RECON-MTL-2017. Validate user-provided pointers using the newly-added functions. This protects SMM from ring0 attacks. Change-Id: I8a347ccdd20816924bf1bceb3b24bf7b22309312 Signed-off-by: Patrick Rudolph Signed-off-by: Christian Walter Reviewed-on: https://review.coreboot.org/c/coreboot/+/41086 Tested-by: build bot (Jenkins) Reviewed-by: Tim Wawrzynczak --- src/mainboard/lenovo/t60/smihandler.c | 37 ++++++++++++++++++++++------------- 1 file changed, 23 insertions(+), 14 deletions(-) (limited to 'src/mainboard/lenovo') diff --git a/src/mainboard/lenovo/t60/smihandler.c b/src/mainboard/lenovo/t60/smihandler.c index fe732a32b5..69ffe33209 100644 --- a/src/mainboard/lenovo/t60/smihandler.c +++ b/src/mainboard/lenovo/t60/smihandler.c @@ -2,6 +2,7 @@ #include #include +#include #include #include #include @@ -16,24 +17,32 @@ static void mainboard_smi_brightness_down(void) { - u8 *bar; - if ((bar = (u8 *)pci_read_config32(PCI_DEV(1, 0, 0), 0x18))) { - printk(BIOS_DEBUG, "bar: %08X, level %02X\n", (unsigned int)bar, *(bar+LVTMA_BL_MOD_LEVEL)); - *(bar+LVTMA_BL_MOD_LEVEL) &= 0xf0; - if (*(bar+LVTMA_BL_MOD_LEVEL) > 0x10) - *(bar+LVTMA_BL_MOD_LEVEL) -= 0x10; - } + uint32_t reg32 = pci_read_config32(PCI_DEV(1, 0, 0), PCI_BASE_ADDRESS_2) & ~0xf; + u8 *bar = (void *)(uintptr_t)reg32; + + /* Validate pointer before using it */ + if (!bar || smm_points_to_smram(bar, LVTMA_BL_MOD_LEVEL + sizeof(uint8_t))) + return; + + printk(BIOS_DEBUG, "bar: %p, level %02X\n", bar, *(bar+LVTMA_BL_MOD_LEVEL)); + *(bar+LVTMA_BL_MOD_LEVEL) &= 0xf0; + if (*(bar+LVTMA_BL_MOD_LEVEL) > 0x10) + *(bar+LVTMA_BL_MOD_LEVEL) -= 0x10; } static void mainboard_smi_brightness_up(void) { - u8 *bar; - if ((bar = (u8 *)pci_read_config32(PCI_DEV(1, 0, 0), 0x18))) { - printk(BIOS_DEBUG, "bar: %08X, level %02X\n", (unsigned int)bar, *(bar+LVTMA_BL_MOD_LEVEL)); - *(bar+LVTMA_BL_MOD_LEVEL) |= 0x0f; - if (*(bar+LVTMA_BL_MOD_LEVEL) < 0xf0) - *(bar+LVTMA_BL_MOD_LEVEL) += 0x10; - } + uint32_t reg32 = pci_read_config32(PCI_DEV(1, 0, 0), PCI_BASE_ADDRESS_2) & ~0xf; + u8 *bar = (void *)(uintptr_t)reg32; + + /* Validate pointer before using it */ + if (!bar || smm_points_to_smram(bar, LVTMA_BL_MOD_LEVEL + sizeof(uint8_t))) + return; + + printk(BIOS_DEBUG, "bar: %p, level %02X\n", bar, *(bar+LVTMA_BL_MOD_LEVEL)); + *(bar+LVTMA_BL_MOD_LEVEL) |= 0x0f; + if (*(bar+LVTMA_BL_MOD_LEVEL) < 0xf0) + *(bar+LVTMA_BL_MOD_LEVEL) += 0x10; } int mainboard_io_trap_handler(int smif) -- cgit v1.2.3