sravan/system76-coreboot
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

SMM: Validate more user-provided pointers

Browse Source 
Mitigate issues presented in "Digging Into The Core of Boot" found by
"Yuriy Bulygin" and "Oleksandr Bazhaniuk" at RECON-MTL-2017.

Validate user-provided pointers using the newly-added functions.
This protects SMM from ring0 attacks.

Change-Id: I8a347ccdd20816924bf1bceb3b24bf7b22309312
Signed-off-by: Patrick Rudolph <patrick.rudolph@9elements.com>
Signed-off-by: Christian Walter <christian.walter@9elements.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/41086
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Tim Wawrzynczak <twawrzynczak@chromium.org>
This commit is contained in:
Patrick Rudolph
2020-05-06 11:58:45 +02:00
committed by Patrick Georgi
parent 37ac368c78
commit 9f8f11513a
8 changed files with 58 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
src/southbridge/intel/bd82x6x/smihandler.c
View File

@@ -4,6 +4,7 @@
#include <arch/io.h>
#include <device/pci_ops.h>
#include <console/console.h>
#include <commonlib/region.h>
#include <device/pci_def.h>
#include <cpu/x86/smm.h>
#include <cpu/intel/em64t101_save_state.h>
@@ -103,6 +104,7 @@ static void xhci_sleep(u8 slp_typ)
xhci_bar = pci_read_config32(PCH_XHCI_DEV, PCI_BASE_ADDRESS_0) & ~0xFUL;
/* FIXME: This looks broken (conditions are always false) */
if ((xhci_bar + 0x4C0) & 1)
pch_iobp_update(0xEC000082, ~0UL, (3 << 2));
if ((xhci_bar + 0x4D0) & 1)
@@ -191,6 +193,11 @@ void southbridge_update_gnvs(u8 apm_cnt, int *smm_done)
if (state) {
/* EBX in the state save contains the GNVS pointer */
gnvs = (struct global_nvs *)((u32)state->rbx);
struct region r = {(uintptr_t)gnvs, sizeof(struct global_nvs)};
if (smm_region_overlaps_handler(&r)) {
printk(BIOS_ERR, "SMI#: ERROR: GNVS overlaps SMM\n");
return;
}
*smm_done = 1;
printk(BIOS_DEBUG, "SMI#: Setting GNVS to %p\n", gnvs);
}

4
src/southbridge/intel/ibexpeak/smihandler.c
View File

@@ -152,6 +152,10 @@ void southbridge_update_gnvs(u8 apm_cnt, int *smm_done)
if (state) {
/* EBX in the state save contains the GNVS pointer */
gnvs = (struct global_nvs *)((u32)state->rbx);
if (smm_points_to_smram(gnvs, sizeof(*gnvs))) {
printk(BIOS_ERR, "SMI#: ERROR: GNVS overlaps SMM\n");
return;
}
*smm_done = 1;
printk(BIOS_DEBUG, "SMI#: Setting GNVS to %p\n", gnvs);
}

4
src/southbridge/intel/lynxpoint/smihandler.c
View File

@@ -314,6 +314,10 @@ static void southbridge_smi_apmc(void)
if (state) {
/* EBX in the state save contains the GNVS pointer */
gnvs = (struct global_nvs *)((u32)state->rbx);
if (smm_points_to_smram(gnvs, sizeof(*gnvs))) {
printk(BIOS_ERR, "SMI#: ERROR: GNVS overlaps SMM\n");
return;
}
smm_initialized = 1;
printk(BIOS_DEBUG, "SMI#: Setting GNVS to %p\n", gnvs);
}