Project

General

Profile

Actions

Bug #522

closed

`region_overlap()` function might not work as expected due to an integer overflow in `region_end()` function.

Added by Vadim Zaliva 10 months ago. Updated about 2 months ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Category:
coreboot common code
Target version:
Start date:
12/27/2023
Due date:
% Done:

0%

Estimated time:
Affected versions:
Needs backport to:
Affected hardware:
Affected OS:

Description

region_overlap() function checks whether or not two memory regions overlap. Memory regions are represented as a region struct that contains the region's offset and size. This function then relies on region_end() function to compute the end of the region. region_end() function is susceptible to an integer overflow, which might result in the incorrect behaviour of region_overlap() function.

An example of inputs that lead to wrong behaviour:

struct region r1 = {SIZE_MAX - 10, 20};
struct region r2 = {SIZE_MAX - 20, 15};

It returns 0, but since the regions actually overlap, it should return 1.

region_overlap() function is used in smm_region_overlaps_handler() function, which is itself used in SMI handlers to validate address values that come from an untrusted environment. This is necessary to prevent security vulnerabilities such as described in BARing the System by Yuriy Bulygin, Oleksandr Bazhaniuk et al.

We do not have an example of an exploit based on this incorrect behaviour and are aware of the existence of one. However, theoretically, this could lead to security vulnerabilities.

This bug was found during an ongoing Coreboot Formal Verification Project, which aims to prove some important security properties of the coreboot’s SMI handler for the Gemini Lake/Octopus platform using Coq proof assistant and Verified Software Toolchain framework.


Files

diff.txt (930 Bytes) diff.txt Valerii Huhnin, 12/27/2023 07:01 PM
Actions

Also available in: Atom PDF