CVE-2022-32266: DMA Attacks on Parameter Buffer Used by Software SMI Handler (PcdSmmDxe Driver)

A vulnerability tracked as CVE-2022-32266 has been found in Insyde InsydeH2O with kernel versions 5.0 through 5.5; it can potentially lead to corruption of other ACPI fields and adjacent memory fields. The issue was discovered during a security review by Insyde engineering and has been fixed in subsequent kernel versions. In this post we walk through the vulnerability details, the code, and the original references.

Exploit Details

The vulnerability concerns DMA (Direct Memory Access) attacks on the parameter buffer used by a software SMI (System Management Interrupt) handler, specifically the one used by the PcdSmmDxe driver. Because the handler reads from a buffer that a DMA-capable device can rewrite between the handler's check and its use of the data, it could lead to a TOCTOU (Time-Of-Check to Time-Of-Use) race-condition attack on the SMI handler. The attacker would require detailed knowledge of the PCD (Platform Configuration Database) contents on the current platform to carry out this attack successfully.

The following pseudocode (the function names are placeholders from the original post, not real PcdSmmDxe symbols) sketches where the DMA attack can potentially corrupt the ACPI fields:

// Vulnerable kernel (5.5) -- illustrative pseudocode, not the driver's actual source
void PcdSmmDxe_Handler (Parameter pBuffer)
{
    // ...
    // pBuffer lives outside SMRAM, so a DMA-capable device can rewrite it
    // after the handler has checked it but before the handler uses it
    if (DMA_Attack(pBuffer))
    {
        // TOCTOU race-condition attack on the SMI handler
        Corrupt_ACPI_Fields_And_Adjacent_Memory_Fields(pBuffer);
    }
    // ...
}

As the snippet shows, the vulnerability can be exploited if the DMA attack on the parameter buffer (pBuffer) succeeds. That in turn enables a TOCTOU attack on the SMI handler and corruption of other ACPI fields and adjacent memory fields.
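To make the check-then-use window concrete, here is an added C simulation (my own example, not Insyde or PcdSmmDxe code) of the vulnerable pattern beside the standard SMM mitigation: copy the caller's buffer into SMRAM-owned storage before validating it, and only ever use the private copy. The parameter layout, the PCD store and the dma_hook_t callback that stands in for a DMA engine rewriting the buffer are all constructed for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
/* Constructed parameter-buffer layout (not the real PcdSmmDxe structure). */
typedef struct {
    uint32_t pcd_index;            /* which PCD entry the caller wants written */
    uint32_t size;                 /* number of bytes in data[] to write */
    uint8_t  data[64];
} PcdSmiParams;
#define PCD_ENTRIES    4
#define PCD_ENTRY_SIZE 16
#define PCD_DB_BYTES   (PCD_ENTRIES * PCD_ENTRY_SIZE)
/* Stand-in for SMRAM: the PCD database followed by "adjacent memory" that must never change. */
static uint8_t g_smram[PCD_DB_BYTES + 64];
static void reset_smram(void) { memset(g_smram, 0, sizeof g_smram); }
static bool adjacent_memory_clobbered(void) {
    for (size_t i = PCD_DB_BYTES; i < sizeof g_smram; i++) if (g_smram[i]) return true;
    return false;
}
static PcdSmiParams make_params(uint32_t idx, uint32_t size, uint8_t fill) {
    PcdSmiParams p = { .pcd_index = idx, .size = size };
    memset(p.data, fill, sizeof p.data);
    return p;
}
static bool params_valid(const PcdSmiParams *p) {
    return p->pcd_index < PCD_ENTRIES && p->size <= PCD_ENTRY_SIZE;
}
/* Hook standing in for a DMA engine rewriting the shared buffer after the check. */
typedef void (*dma_hook_t)(PcdSmiParams *shared);
static void dma_grow_after_check(PcdSmiParams *shared) {
    shared->pcd_index = PCD_ENTRIES - 1;          /* last entry... */
    shared->size = sizeof shared->data;           /* ...with a size that runs past it */
    memset(shared->data, 0xAA, sizeof shared->data);
}
/* Vulnerable pattern: check fields in the caller-owned buffer, then use them from that same buffer. */
static int handler_toctou(PcdSmiParams *shared, dma_hook_t dma) {
    if (!params_valid(shared)) return -1;                          /* time of check */
    if (dma) dma(shared);                                          /* buffer changes underneath us */
    memcpy(&g_smram[shared->pcd_index * PCD_ENTRY_SIZE], shared->data, shared->size); /* time of use */
    return 0;
}
/* Hardened pattern: copy into SMRAM-owned storage first; validate and use only the private copy. */
static int handler_copy_first(PcdSmiParams *shared, dma_hook_t dma) {
    PcdSmiParams local;
    memcpy(&local, shared, sizeof local);                          /* snapshot before any check */
    if (!params_valid(&local)) return -1;
    if (dma) dma(shared);                                          /* cannot affect the snapshot */
    memcpy(&g_smram[local.pcd_index * PCD_ENTRY_SIZE], local.data, local.size);
    return 0;
}
```

With the hook installed, handler_toctou passes validation and then writes 64 bytes at the last entry, spilling into the adjacent region, while handler_copy_first writes only the 4 validated bytes it snapshotted.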

Original References

1. CVE-2022-32266 - Insyde InsydeH2O kernel 5.0 through 5.5
2. CWE-787: Out-of-bounds Write

Kernel 5.5: 05.52.23

It is important to note that Kernel 5.2 is unaffected by this vulnerability.

Conclusion

CVE-2022-32266 is a critical vulnerability that affects the Insyde InsydeH2O platform with kernel versions 5.0 through 5.5. It highlights the importance of secure coding practices and regular security reviews. Upgrading to the fixed kernel versions should protect against this exploit. Keep your firmware up to date and follow established security practices to safeguard against potential attacks and vulnerabilities.

Timeline

Published on: 11/14/2022 22:15:00 UTC
Last modified on: 11/18/2022 16:02:00 UTC