A Race to Report a TOCTOU: Analysis of a Bug Collision in Intel SMM

We discussed this vulnerability during Episode 198 on 21 March 2023

Effectively, this is a double-fetch vulnerability in Intel SMM's SMI handler that could allow a local attacker to escalate into System Management Mode. The handler receives a CommBuffer that contains a Data pointer and a size value. This data is attacker controlled, so the first thing it does is some bounds checking to ensure that the buffer stays entirely within user memory and doesn't point into SMRAM (the SMM's memory).

Once this check has passed, it creates a local copy of the data and proceeds to find the correct handler for the command. The SPI_FUNCTION_FLASH_READ handler ends up using the Data pointer from the external user-controlled buffer rather than the local copy, meaning an attacker could modify the pointer between the bounds check being performed and its actual usage in the command handler, allowing them to point the buffer or expand the buffer size into SMM memory and corrupt it.
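To make the double-fetch concrete, here is an added illustration (not code from the episode, the handler, or Intel's firmware) of the check-then-use pattern described above beside a hardened version. The SMRAM window, the CommBuffer layout, the function names and the "racing write" callbacks are all constructed for the illustration; the point is only that the vulnerable path re-reads the shared buffer after validating it, while the hardened path copies once, validates the copy, and never looks at the shared buffer again.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed SMRAM window for the illustration (not real platform addresses). */
#define SMRAM_BASE 0x7F000000ULL
#define SMRAM_SIZE 0x01000000ULL

/* Shape of the communication buffer as the write-up describes it: a Data pointer and a size. */
typedef struct {
    uint64_t data;   /* caller-supplied pointer, lives in memory the caller can still write */
    uint64_t size;   /* number of bytes the handler should operate on */
} comm_buffer_t;

/* True when [addr, addr+len) is non-empty, does not wrap, and lies entirely outside SMRAM. */
static bool range_outside_smram(uint64_t addr, uint64_t len) {
    if (len == 0 || addr > UINT64_MAX - len)
        return false;
    uint64_t end = addr + len;
    return end <= SMRAM_BASE || addr >= SMRAM_BASE + SMRAM_SIZE;
}

/* Stand-in for the attacker's concurrent write: invoked between the check and the use. */
typedef void (*race_fn)(comm_buffer_t *shared);

/* Vulnerable pattern: validates the shared buffer and makes a local copy, but the
 * FLASH_READ path then dereferences the shared (external) buffer a second time.
 * Returns true if the final access would land inside SMRAM. */
bool flash_read_vulnerable(comm_buffer_t *shared, race_fn race) {
    if (!range_outside_smram(shared->data, shared->size))
        return false;                 /* rejected at the check, nothing touched */
    comm_buffer_t local = *shared;    /* copy exists but is not what gets used */
    (void)local;
    if (race)
        race(shared);                 /* the TOCTOU window */
    uint64_t dst = shared->data;      /* second fetch from attacker-writable memory */
    uint64_t len = shared->size;
    return !range_outside_smram(dst, len);
}

/* Hardened pattern: single fetch into SMRAM-resident storage, validate the copy,
 * and only ever use the copy. Later changes to the shared buffer are irrelevant. */
bool flash_read_hardened(comm_buffer_t *shared, race_fn race) {
    comm_buffer_t local;
    memcpy(&local, shared, sizeof local);
    if (!range_outside_smram(local.data, local.size))
        return false;
    if (race)
        race(shared);                 /* same window, but nothing below reads *shared */
    return !range_outside_smram(local.data, local.size);
}

/* Constructed racing write: redirect the pointer into SMRAM after the check. */
void swap_pointer_into_smram(comm_buffer_t *shared) {
    shared->data = SMRAM_BASE + 0x1000;
}

/* Constructed racing write: keep the pointer but grow the size so the range spills into SMRAM. */
void grow_size_into_smram(comm_buffer_t *shared) {
    shared->size = (SMRAM_BASE - shared->data) + 0x100;
}

int main(void) {
    comm_buffer_t a = { .data = 0x10000000ULL, .size = 0x100 };
    comm_buffer_t b = { .data = 0x10000000ULL, .size = 0x100 };
    comm_buffer_t c = { .data = 0x10000000ULL, .size = 0x100 };
    printf("vulnerable, pointer swapped : SMRAM hit = %d\n", flash_read_vulnerable(&a, swap_pointer_into_smram));
    printf("vulnerable, size grown      : SMRAM hit = %d\n", flash_read_vulnerable(&b, grow_size_into_smram));
    printf("hardened,   pointer swapped : SMRAM hit = %d\n", flash_read_hardened(&c, swap_pointer_into_smram));
    return 0;
}
```

The fix is the discipline that the check and the use must operate on the same, SMM-owned copy; a bounds check on memory the caller can still write is only a check on what the buffer said at one instant. When reviewing SMI handlers, a useful grep is for any `CommBuffer->` dereference after the initial copy.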