CVE-2022-33984 - DMA Transactions Resulting in SMRAM Corruption via TOCTOU Attack in SdMmcDevice Software SMI Handler

In this long-read post, we will discuss the details of a recently discovered vulnerability, CVE-2022-33984, related to Direct Memory Access (DMA) transactions in SdMmcDevice Software SMI handler, which could lead to SMRAM corruption through a Time of Check Time of Use (TOCTOU) attack. This vulnerability was identified by Insyde engineering and is based on a general description provided by Intel's iSTARE group. We will also investigate the exploit details and provide information about the patches released to address this issue.

First, let's have a brief background on the key components involved in this vulnerability - DMA, SMRAM, and TOCTOU Attacks.

- Direct Memory Access (DMA) transactions allow certain hardware components to access system memory directly, bypassing the CPU, which results in faster data transfer and more efficient system performance.

- System Management RAM (SMRAM) is a protected memory region used by the System Management Mode (SMM) to store sensitive code and data, which is essential for system security.

- Time of Check Time of Use (TOCTOU) Attacks refer to a class of vulnerabilities where the attacker exploits the time window between the checking of a condition and the use of the corresponding data, leading to potential unauthorized actions.

With this context in mind, let's dive into the details of the vulnerability, CVE-2022-33984.

CVE-2022-33984 Vulnerability Details

The vulnerability is related to DMA transactions targeting input buffers used for the SdMmcDevice software SMI handler. These transactions, if exploited, could cause SMRAM corruption through a TOCTOU attack. The SdMmcDevice driver is responsible for handling Secure Digital (SD) and MultiMediaCard (MMC) storage devices, and the software SMI handler is used for handling System Management Interrupts (SMIs) within the system.

This vulnerability has the potential of giving an attacker unauthorized access to sensitive information and system control.

Assuming a simplified version of the vulnerable SdMmcDevice SMI handler code

void SdMmcDevice_SmiHandler(void) {
    // Check permissions or other conditions
    if (!ConditionMet()) {
        return;
    }

    // Time window between check and use
    // TOCTOU Attack could exploit this window to manipulate data

    // Use input buffers for DMA transactions
    PerformDmaTransaction();
}

An attacker could exploit the time window between the check and use of the input buffers to manipulate data, ultimately corrupting SMRAM.

Kernel 5.5: 05.52.25

It is highly recommended to update your system to an appropriate patched version to mitigate this vulnerability. Details regarding the patches can be found at Insyde Security Pledge link.

In conclusion, the discovery of this vulnerability highlights the importance of securing input buffers for DMA transactions and the continued vigilance of the cybersecurity community in identifying and addressing potential threats. Users are strongly advised to keep their systems up-to-date to protect against such vulnerabilities.

Timeline

Published on: 11/15/2022 00:15:00 UTC
Last modified on: 02/14/2023 12:15:00 UTC