VYPR
Unrated severity · NVD Advisory · Published Apr 25, 2022 · Updated Aug 3, 2024

CVE-2022-29264

Description

An issue was discovered in coreboot 4.13 through 4.16. On APs, arbitrary code execution in SMM may occur.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Arbitrary code execution in System Management Mode (SMM) on application processors due to unsafe SMM relocation in coreboot 4.13-4.16.

Vulnerability

In coreboot versions 4.13 through 4.16, the SMM (System Management Mode) relocation handler on application processors (APs) does not properly validate the SMBASE address and allows concurrent relocation of multiple CPUs, leading to potential memory corruption. The issue is addressed by the introduction of the SMM module loader version 2, which adds SMBASE validation and restricts relocation to serial operation [1].

Exploitation

An attacker with local access or the ability to influence system firmware could exploit this by triggering a scenario where multiple APs attempt SMM relocation concurrently. Exploitation requires control over CPU initialization sequences, which may be achieved through malicious firmware updates or physical access.

Impact

Successful exploitation could allow arbitrary code execution in SMM, the highest privileged mode on x86 systems. This could enable an attacker to bypass security protections, install persistent firmware-level malware, or gain full system compromise.

Mitigation

The fix is included in coreboot commit afb7a814783cda12f5b72167163b9109ee1d15a7, which introduces the new SMM loader version 2 [1]. Users should update to coreboot versions incorporating this commit (likely after 4.16). There is no known workaround; mitigation requires patching the firmware.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
