CVE-2022-33982 DMA attacks on the Int15ServiceSmm parameter buffer could lead to a TOCTOU attack on the SMI handler and lead to SMRAM corruption.
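The TOCTOU pattern named in the title, as an added C illustration that is not Insyde's code: a simulated SMI handler that bounds-checks `data_len` in a caller buffer outside SMRAM and then re-reads it (vulnerable), beside one that copies the whole block into SMRAM once and validates only the copy. The parameter-block layout, the `smram` region, the scenario helpers and the `dma_write_hook` that stands in for a device write are all constructed for the simulation; the outside-SMRAM check serves the same purpose as EDK2's `SmmIsBufferOutsideSmmValid` but is not that function.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_PARAM_DATA 64u

/* Hypothetical parameter block for an INT15-style SMI service (constructed;
 * the real Int15ServiceSmm layout is not given on the page). */
typedef struct {
    uint32_t function;
    uint32_t data_len;              /* caller-supplied and DMA-writable */
    uint8_t  data[MAX_PARAM_DATA];
} int15_params_t;

/* Simulated SMRAM: only memory in here is out of reach of DMA writes. */
static struct {
    int15_params_t param_copy;      /* the handler's private copy */
    uint8_t        work[MAX_PARAM_DATA];
} smram;

/* Simulated caller buffer in normal RAM, reachable by a bus-mastering device. */
static int15_params_t shared_buf;

/* Models one DMA write landing at the worst moment; the simulation calls
 * it at a fixed point instead of racing a real device. */
static void (*dma_write_hook)(void);
static void oversize_len_hook(void) { shared_buf.data_len = 200; }

/* Same purpose as EDK2's SmmIsBufferOutsideSmmValid(): a comm buffer that
 * overlaps SMRAM would let the caller point the handler at its own memory. */
static int buffer_outside_smram(const void *buf, size_t len)
{
    uintptr_t b = (uintptr_t)buf, e = b + len;
    uintptr_t s = (uintptr_t)&smram, se = s + sizeof smram;
    if (len == 0 || e < b) return 0;        /* empty or wrapped range */
    return e <= s || b >= se;
}

/* Vulnerable: the check reads data_len from the shared buffer and the use
 * reads it again, so a DMA write in between bypasses the bound. */
static int32_t vulnerable_handler(const volatile int15_params_t *p)
{
    if (p->data_len > MAX_PARAM_DATA) return -1;      /* fetch #1: check */
    if (dma_write_hook) dma_write_hook();
    uint32_t n = p->data_len;                          /* fetch #2: use */
    /* Firmware would memcpy n bytes and overflow smram.work. The demo clamps
     * the copy to stay memory-safe and returns the unclamped n it accepted. */
    memcpy(smram.work, (const void *)p->data, n > MAX_PARAM_DATA ? MAX_PARAM_DATA : n);
    return (int32_t)n;
}

/* Hardened: reject buffers inside SMRAM, copy the block into SMRAM once,
 * then validate and use only the copy. */
static int32_t hardened_handler(const volatile int15_params_t *p)
{
    if (!buffer_outside_smram((const void *)p, sizeof *p)) return -3;
    memcpy(&smram.param_copy, (const void *)p, sizeof smram.param_copy);
    if (dma_write_hook) dma_write_hook();              /* only hits the stale shared copy */
    if (smram.param_copy.data_len > MAX_PARAM_DATA) return -1;
    memcpy(smram.work, smram.param_copy.data, smram.param_copy.data_len);
    return (int32_t)smram.param_copy.data_len;
}

static void reset_shared_buf(void)
{
    memset(&shared_buf, 0, sizeof shared_buf);
    shared_buf.function = 1;
    shared_buf.data_len = 16;                          /* a legitimate request */
    memset(shared_buf.data, 0x41, 16);
}

/* Scenario helpers returning what each handler accepted. */
int32_t demo_vulnerable(void)
{
    reset_shared_buf();
    dma_write_hook = oversize_len_hook;
    return vulnerable_handler(&shared_buf);            /* 200: bound bypassed */
}

int32_t demo_hardened(void)
{
    reset_shared_buf();
    dma_write_hook = oversize_len_hook;
    return hardened_handler(&shared_buf);              /* 16: copy was taken first */
}

int32_t demo_inside_smram(void)
{
    reset_shared_buf();
    dma_write_hook = NULL;
    return hardened_handler(&smram.param_copy);        /* -3: buffer overlaps SMRAM */
}

int main(void)
{
    printf("vulnerable accepted %d bytes\n", demo_vulnerable());
    printf("hardened accepted %d bytes\n", demo_hardened());
    printf("hardened on SMRAM buffer: %d\n", demo_inside_smram());
    return 0;
}
```

The two handlers differ only in where the length is read from: the hardened one takes exactly one snapshot of the caller's block into memory a device cannot write, so anything the device changes afterwards is never seen by the check or the copy.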
As of Kernel 4.4, the CONFIG_DMESG_DUMP_EXPLICIT flag is enabled by default. This flag makes it possible for a user to dump the contents of the DMA map when dma_map_page() is called. Dumping DMA maps is dangerous because DMA maps can be used to allocate virtual memory pages that do not exist in physical memory. An attacker could use this information to launch a denial of service attack against the driver she is debugging. This issue was discovered by Insyde engineering during a security review.
This issue is fixed in Kernel 5.2: 05.27.23, Kernel 5.3: 05.36.23, Kernel 5.4: 05.44.23 and Kernel 5.5: 05.52.23
CWE-119
Software Description: CVE-2022-33982
The address of the interface for the software SMI handler is hardcoded in the driver, which makes it easy for an attacker to control where in memory the SMI handler will be called from. An attacker could control the address of the SMI handler such that it will cause a buffer overflow and thus a denial of service condition. This issue was discovered by Insyde engineering during a security review.
This issue is fixed in Kernel 5.2: 05.27.23, Kernel 5.3: 05.36.23, Kernel 5.4: 05.44.23 and Kernel 5.5: 05.52.23
CWE-367
Software Design Flaws
One of the most basic software design flaws is a poorly written interface. There is no way to avoid this problem entirely, but it can be mitigated by placing a check on how many times an application calls a function. For example, if one function in an application called another function 100 times, that would be indicative of poor software design.
Another flaw is the lack of input validation before returning user input to the calling code. In this case, an attacker could provide input to the program which will cause a crash or other problems for the user. This issue was discovered by Insyde engineering during a security review.
References:
- CVE-2022-33982
- CVE-2022-33989
- CVE-2022-33990
Timeline
Published on: 11/14/2022 23:15:00 UTC
Last modified on: 11/18/2022 16:01:00 UTC