CVE-2025-7028
An attacker could exploit this vulnerability to elevate privileges from ring 0 to ring -2 and execute arbitrary code in System Management Mode, an environment more privileged than and completely isolated from the operating system (OS). Running arbitrary code in SMM also bypasses SMM-based SPI flash protections against modification, which can help an attacker to install a firmware backdoor/implant. Such malicious code in the firmware could persist through operating system reinstallations. In addition, this vulnerability could potentially be used by malicious actors to bypass security mechanisms provided by UEFI firmware, such as Secure Boot and some types of memory isolation for hypervisors.
This vulnerability was detected by the Deep Vulnerability Analysis (DVA) component from Binarly Platform
Let's consider the module 290fde7f0f7f3c1a39a4345a99cea4165b74e7c63e3f46590610664fcf49f359.
The pseudocode of the vulnerable function at 0x1A50 is shown below (SwSmiInputValue: 0x20):
EFI_STATUS SwSmiHandler(
EFI_HANDLE DispatchHandle,
const void *Context,
EFI_SMM_SW_CONTEXT *CommBuffer,
UINTN *CommBufferSize)
{
UINTN SwSmiCpuIndex;
UINT8 CommandPort;
EFI_STATUS Status;
UINT64 Data;
void (*SMIFlashPreHandlerFunc)(UINT64, FUNC_BLOCK *);
FUNC_BLOCK *FuncBlock;
UINTN PreHandlerFuncIndex;
UINT64 Rem0;
UINT64 Rem1;
void (*SMIFlashEndHandlerFunc)();
UINTN Index;
void (*SMIFlashPreUpdateFunc)();
UINTN FlashPreUpdateFuncIndex;
void (*SMIFlashPreHandlerFunc0)(UINT64, FUNC_BLOCK *);
UINTN PostHandlerFuncIndex;
UINT32 RbxRegister;
UINT32 RcxRegister;
RcxRegister = 0;
RbxRegister = 0;
if ( !CommBuffer )
return 0;
if ( !CommBufferSize )
return 0;
SwSmiCpuIndex = CommBuffer->SwSmiCpuIndex;
CommandPort = CommBuffer->CommandPort;
if ( CommBuffer->SwSmiCpuIndex == -1 )
return 0;
gEfiSmmCpuProtocol->ReadSaveState(
gEfiSmmCpuProtocol,
4,
EFI_SMM_SAVE_STATE_REGISTER_RBX,
CommBuffer->SwSmiCpuIndex,
&RbxRegister);
Status = gEfiSmmCpuProtocol->ReadSaveState(
gEfiSmmCpuProtocol,
4,
EFI_SMM_SAVE_STATE_REGISTER_RCX,
SwSmiCpuIndex,
&RcxRegister);
Data = RbxRegister;
SMIFlashHandlerFunc0 = gSMIFlashHandlerFuncs[0];
// FuncBlock is attacker controlled and unchecked pointer
FuncBlock = (RbxRegister + (RcxRegister << 32));
PreHandlerFuncIndex = 0;
// SMIFlashPreHandlerFuncs is empty
while...
Rem0 = CommandPort - 32;
switch ( CommandPort )
{
case SMIFLASH_ENABLE_FLASH:
SMIFlashPreUpdateFunc = gSMIFlashPreUpdateFuncs[0];
FlashPreUpdateFuncIndex = 0;
while ( SMIFlashPreUpdateFunc )
{
SMIFlashPreUpdateFunc();
SMIFlashPreUpdateFunc = *(&gSMIFlashPreUpdateFuncs[1] + FlashPreUpdateFuncIndex++);
}
(gAmiSmmFlashProtocol->DeviceWriteEnable)(Rem0);
break;
case SMIFLASH_READ_FLASH:
// vulnerable function
ReadFlash(FuncBlock);
break;
case SMIFLASH_ERASE_FLASH:
// vulnerable function
EraseFlash(FuncBlock);
break;
case SMIFLASH_WRITE_FLASH:
// vulnerable function
WriteFlash(FuncBlock);
break;
default:
Rem1 = CommandPort - SMIFLASH_DISABLE_FLASH;
if ( CommandPort == SMIFLASH_DISABLE_FLASH )
{
SMIFlashEndHandlerFunc = gSMIFlashEndHandlerFuncs[0];
Index = 0;
while ( SMIFlashEndHandlerFunc )
{
SMIFlashEndHandlerFunc();
SMIFlashEndHandlerFunc = *(&gSMIFlashEndHandlerFuncs[1] + Index++);
}
gAmiSmmFlashProtocol->DeviceWriteDisable();
}
else if ( CommandPort == SMIFLASH_GET_FLASH_INFO )
{
// vulnerable function
GetFlashInfo((INFO_BLOCK *)FuncBlock);
}
break;
}
// gSMIFlashHandlerFuncs is empty
SMIFlashHandlerFunc1 = gSMIFlashHandlerFuncs[1];
PostHandlerFuncIndex = 0;
while...
return Status;
}As we can see from the pseudocode, FuncBlock is controlled by the attacker. Depending on the CommandPort (which is also controlled by the attacker), the following functions can be called with the FuncBlock parameter:
All of the above functions contain write operations to a FuncBlock buffer (which may point to SMRAM since it is not checked).
EFI_STATUS ReadFlash(FUNC_BLOCK *FuncBlock)
{
EFI_STATUS Status;
// SMRAM write via Read API function as FuncBlock->BufAddr nested pointer is not checked
Status = (gAmiSmmFlashProtocol->Read)(FuncBlock->BlockAddr - 0x500000, FuncBlock->BlockSize, FuncBlock->BufAddr);
// SMRAM write
FuncBlock->ErrorCode = EFI_ERROR(Status) != 0;
return Status;
}The ReadFlash allows an attacker to corrupt SMRAM in 2 ways:
gAmiSmmFlashProtocol->Read when FuncBlock->BufAddr points to SMRAMFuncBlock->ErrorCode when FuncBlock points to SMRAMEFI_STATUS EraseFlash(FUNC_BLOCK *FuncBlock)
{
EFI_STATUS Status;
UINT64 FlashAddress;
FlashAddress = FuncBlock->BlockAddr - g500000h;
LODWORD(FlashAddress) = FlashAddress & 0xFFFFF000;
Status = (gAmiSmmFlashProtocol->Erase)(FlashAddress, 0x1000);
// SMRAM write
FuncBlock->ErrorCode = EFI_ERROR(Status) != 0;
return Status;
}The EraseFlash allows an attacker to corrupt SMRAM using write to FuncBlock->ErrorCode when FuncBlock points to SMRAM.
EFI_STATUS WriteFlash(FUNC_BLOCK *FuncBlock)
{
EFI_STATUS Status; // rax
// SMRAM read via Write API function as FuncBlock->BufAddr nested pointer is not checked,
// allowing an attacker to write SMRAM content to flash and then read it from there
Status = (gAmiSmmFlashProtocol->Write)(FuncBlock->BlockAddr - g500000h, FuncBlock->BlockSize, FuncBlock->BufAddr);
// SMRAM write
FuncBlock->ErrorCode = EFI_ERROR(Status) != 0;
return Status;
}The WriteFlash allows an attacker to corrupt SMRAM using write to FuncBlock->ErrorCode when FuncBlock points to SMRAM.
This function also allows the content of the SMRAM to be dumped using gAmiSmmFlashProtocol->Write if FuncBlock->BufAddr points to SMRAM (allowing an attacker to write SMRAM content to flash and then read it from there).
EFI_STATUS GetFlashInfo(INFO_BLOCK *InfoBlock)
{
// [COLLAPSED LOCAL DECLARATIONS. PRESS NUMPAD "+" TO EXPAND]
__outbyte(0x80, 0x25);
Size = InfoBlock->Length - 0x10;
InfoBlock->Version = 0xB; // SMRAM write
Block = &InfoBlock->Blocks;
InfoBlock->Implemented = 0; // SMRAM write
InfoBlock->BiosRomSize = 0; // SMRAM write
*&InfoBlock->BaseBlockSize = 0; // SMRAM write
InfoBlock->TotalBlocks = 0x500; // SMRAM write
if ( Size < 0x2D00 )
{
InfoBlock->Implemented = 1; // SMRAM write
return 0;
}
Status = gSmst->SmmAllocatePool(EfiRuntimeServicesData, 2 * gNumberOfRomLayout, &StartBlock);
if ( !EFI_ERROR(Status) )
{
Status = gSmst->SmmAllocatePool(EfiRuntimeServicesData, 2 * gNumberOfRomLayout, &EndBlock);
if ( !EFI_ERROR(Status) )
{
NumberOfRomLayout = gNumberOfRomLayout;
Index = 0;
if ( gNumberOfRomLayout )
{
BlockIndex = 0;
do
{
++Index;
Res = RomLayout[BlockIndex].Offset >> 12;
StartBlock[BlockIndex] = Res;
EndBlock[BlockIndex] = Res + (RomLayout[BlockIndex].Size >> 12) - 1;
NumberOfRomLayout = gNumberOfRomLayout;
BlockIndex = Index;
}
while ( Index < gNumberOfRomLayout );
}
Start = StartBlock;
End = EndBlock;
NcbType = gNumberOfNcb + 0x7F;
for ( i = 0; i < 0x500; ++i )
{
Block->BlockSize = 4096; // SMRAM write
Element = 0;
Block->StartAddress = i << 12; // SMRAM write
if ( NumberOfRomLayout )
{
ElementIndex = 0;
while ( i < Start[ElementIndex] || i > End[ElementIndex] )
{
ElementIndex = ++Element;
if ( Element >= NumberOfRomLayout )
goto _Next;
}
Block->Type = RomLayout[Element].Type;// SMRAM write
}
...
}
}
return Status;
}The GetFlashInfo allows an attacker to corrupt SMRAM using writes to InfoBlock it points to SMRAM.
This vulnerability is subject to a 90 day disclosure period. After 90 days or when a patch has been made generally available (whichever comes first) the advisory will be publicly disclosed.
BINARLY REsearch team
