CVE-2022-29279 - How Untrusted Pointers Led to SMRAM and OS Memory Tampering in InsydeH2O Kernel

If you're in the UEFI BIOS world, or just want to understand how a simple mistake with pointers can open the door to serious security breaches, then CVE-2022-29279 is worth your attention. This vulnerability, discovered by Insyde during a security review, highlights how handling pointers without proper validation can allow attackers to mess with sensitive memory regions like SMRAM (System Management RAM) and operating system memory. In this long read, we’ll break down what happened, show some code, point to the original fix, and explain how an attacker might abuse it.

Kernel 5.5: version 05.52.17

- Official Advisory: Insyde SA-2022062

Basic Background

Modern systems use UEFI (Unified Extensible Firmware Interface) firmware as the interface between the hardware and the operating system. InsydeH2O is a popular UEFI BIOS implementation found in many laptops and devices.

The SdHostDriver and SdMmcDevice components are responsible for handling SD and MMC storage, like those tiny memory cards you find everywhere. These components interact closely with hardware and need to process data passed in from the OS, drivers, or other firmware code.

What Happened? The Pointer Problem

At its core, the problem is improper handling of pointers received from untrusted sources. If code in the BIOS or firmware is given a pointer (i.e., a memory address) and just uses it without validation, that gives an opportunity for an attacker to pass in a pointer pointing to anywhere — including protected memory like SMRAM or OS memory space.

Normally, only highly privileged code should have access to these areas. But if an attacker can trick the firmware into accessing or modifying them, the integrity and security of the system is compromised.

Example Code Pattern

Here’s a *simplified* example showing the kind of dangerous code that can lead to this vulnerability:

// Untrusted buffer pointer from input
EFI_STATUS HandleRequest(REQUEST *request) {
    void *buf = request->Buffer;
    UINTN len = request->Length;

    // Dangerous: blindly trust the buffer pointer
    CopyMemory((void *)SENSITIVE_DATA, buf, len);

    // Alternatively, writing into an untrusted pointer
    CopyMemory(buf, (void *)SENSITIVE_DATA, len);

    return EFI_SUCCESS;
}

In these patterns, if buf is under control of an attacker, they could make it point

- To SMRAM: Overwrite SMM code/data to hijack system management interrupts

The Exploit: How Attackers Could Abuse This

Attackers typically need some way to provide a crafted pointer to the vulnerable function. In UEFI land, this sometimes means exploiting poorly protected protocols, drivers, or service calls exposed by the firmware (especially in early boot stages, or via DXE/SMM drivers).

Scenario

1. Gain Early Code Execution: The attacker finds a way to run code in pre-boot or hand-off a bad pointer to BIOS code (e.g., through an EFI app or malicious Option ROM).
2. Send Crafted Pointer: The attacker sends a pointer that refers to protected memory (like SMRAM or critical OS structures).
3. Trigger Vulnerable Function: The vulnerable driver or protocol (here, SdHostDriver/SdMmcDevice) executes a memory operation (read/write) using that pointer.
4. Memory Tampering: The system copies data to/from protected areas, breaking security guarantees.

If the attacker can write into SMRAM, they could install persistent SMM “rootkits” — meaning their code would survive OS reinstalls and run below the radar even with Secure Boot enabled!

Good code pattern (pseudo-code)

if(IsInTrustedRange(buf)) {
    CopyMemory(GOOD_BUF, buf, len);
} else {
    return EFI_ACCESS_DENIED;
}

This sort of check is now implemented in patched versions.

Versions Fixed

If your product contains InsydeH2O UEFI/BIOS, you are vulnerable unless your firmware is based on the following or later revisions (according to Insyde/Linux Security Advisory SA-2022062):

Kernel 5.5: version 05.52.17

If your BIOS came before these, ask your vendor for an update.

Original References

- Insyde Security Advisory SA-2022062
- Mitre CVE-2022-29279 *(listing only, no deep details)*

Conclusion

CVE-2022-29279 is a classic example of how pointer safety in low-level firmware is critical for system security. Just as buffer overflows and unchecked input can topple user-mode applications, so can blindly using pointers bring down the security walls protecting a machine before the OS even boots.

If you’re a firmware developer or security researcher, always treat pointers from outside your trust boundary as hostile — and validate everything!

Timeline

Published on: 11/15/2022 22:15:00 UTC
Last modified on: 11/23/2022 17:27:00 UTC