Multiple SMM memory corruption vulnerabilities in SMM module on Gigabyte device (SMRAM write).
BINARLY REsearch team has discovered multiple memory corruption vulnerabilities in Gigabyte device firmware that could allow a potential attacker to write fixed or predictable data to an attacker-controlled address.
Potential Impact
An attacker could exploit this vulnerability to elevate privileges from ring 0 to ring -2 and execute arbitrary code in System Management Mode, an environment more privileged than and completely isolated from the operating system (OS). Running arbitrary code in SMM also bypasses SMM-based SPI flash protections against modification, which can help an attacker to install a firmware backdoor/implant. Such malicious code in the firmware could persist through operating system reinstallations. In addition, this vulnerability could potentially be used by malicious actors to bypass security mechanisms provided by UEFI firmware, such as Secure Boot and some types of memory isolation for hypervisors.
Vulnerability Information
- BINARLY internal vulnerability identifier: BRLY-DVA-2025-011
- CERT/CC assigned CVE identifier: CVE-2025-7029
- CERT/CC assigned case number: VU#746790
- CVSS v3.1: 8.2 High AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Affected firmware
| Device name | Unpacked firmware SHA256 | Firmware version | OEM | IBV | Module name | Module GUID | Module SHA256 | Module kind |
|---|---|---|---|---|---|---|---|---|
GA-H110M-S2HP | 994b7948e7f2dae555b7583d62f53e50f536007174912916601edb095e426323 | F22f (2024-07-31) | Gigabyte | AMI | OverClockSmiHandler | 4698c2bd-a903-410e-ad1f-5eef3a1ae422 | f942126be3313d89e6448d151806db64b163651b890822fc66f074e85a3176d5 | SmmModule |
GA-H110M-S2V | 70a8b83f5d994d7212abd63a76152b453a4f7abb81fddafb818e76b7d5cee36b | F26a (2024-07-31) | Gigabyte | AMI | OverClockSmiHandler | 4698c2bd-a903-410e-ad1f-5eef3a1ae422 | f942126be3313d89e6448d151806db64b163651b890822fc66f074e85a3176d5 | SmmModule |
GA-H110M-S2V DDR3 | c97f85235f5a847f2ca724de6a81e21116e233cea8d1a155c92f1e3c5b3f8d06 | F21e (2024-07-31) | Gigabyte | AMI | OverClockSmiHandler | 4698c2bd-a903-410e-ad1f-5eef3a1ae422 | f942126be3313d89e6448d151806db64b163651b890822fc66f074e85a3176d5 | SmmModule |
GA-H110M-DS2V DDR3 | be48b3217fa95d5eda53176c447ee272ddab8f4d830532a459cc3f83c5262d03 | F22a (2024-07-31) | Gigabyte | AMI | OverClockSmiHandler | 4698c2bd-a903-410e-ad1f-5eef3a1ae422 | f942126be3313d89e6448d151806db64b163651b890822fc66f074e85a3176d5 | SmmModule |
GA-H110M-DS2 | bd2f57c225546f722da8092788300a7e8ba2cb7c11957e5babff27636a07df3b | FCa (2024-07-31) | Gigabyte | AMI | OverClockSmiHandler | 4698c2bd-a903-410e-ad1f-5eef3a1ae422 | f942126be3313d89e6448d151806db64b163651b890822fc66f074e85a3176d5 | SmmModule |
GA-B150M-D2V | 82b07d2619db0a3b87cce846fdb2cba66b83dd34fa363b9aeb8dc879dbf87c95 | F22f (2024-07-31) | Gigabyte | AMI | OverClockSmiHandler | 4698c2bd-a903-410e-ad1f-5eef3a1ae422 | f942126be3313d89e6448d151806db64b163651b890822fc66f074e85a3176d5 | SmmModule |
GA-H110M-S2H DDR3 | a73ceb7d1ec1d00176eba6d4c80190fccf47bc0d3fb91505224330056d049e8c | F21a (2024-07-31) | Gigabyte | AMI | OverClockSmiHandler | 4698c2bd-a903-410e-ad1f-5eef3a1ae422 | f942126be3313d89e6448d151806db64b163651b890822fc66f074e85a3176d5 | SmmModule |
GA-H110M-A | 751f5cc128f9ad5b0bec137a4916d81f40920abeb1964fbae7c490de787211af | F25a (2024-07-31) | Gigabyte | AMI | OverClockSmiHandler | 4698c2bd-a903-410e-ad1f-5eef3a1ae422 | f942126be3313d89e6448d151806db64b163651b890822fc66f074e85a3176d5 | SmmModule |
GA-H110M-Gaming 3 | 699b8e12fa06ef7e3d81ab2fc708ed8dd3b38d09dcafa3aa348108dead071b97 | F26a (2024-07-31) | Gigabyte | AMI | OverClockSmiHandler | 4698c2bd-a903-410e-ad1f-5eef3a1ae422 | f942126be3313d89e6448d151806db64b163651b890822fc66f074e85a3176d5 | SmmModule |
GA-H110M-S2 | 02a1d3acd57937d8e36aeaf2bf7b3faf6ae75dfa21e67d10d36c1fd5f0e5a428 | F27b (2024-07-31) | Gigabyte | AMI | OverClockSmiHandler | 4698c2bd-a903-410e-ad1f-5eef3a1ae422 | f942126be3313d89e6448d151806db64b163651b890822fc66f074e85a3176d5 | SmmModule |
GA-H110N | c21b941fae4d8f38264a9914f2109d954577e83ad8ec503780d75f1920d393f3 | F25a (2024-07-31) | Gigabyte | AMI | OverClockSmiHandler | 4698c2bd-a903-410e-ad1f-5eef3a1ae422 | f942126be3313d89e6448d151806db64b163651b890822fc66f074e85a3176d5 | SmmModule |
GA-H110M-S2 DDR3 | d1c32a7614fa1aac2604d9e406148f1ef5f987da4d3f602cf183273b418757f0 | F20g (2024-07-31) | Gigabyte | AMI | OverClockSmiHandler | 4698c2bd-a903-410e-ad1f-5eef3a1ae422 | f942126be3313d89e6448d151806db64b163651b890822fc66f074e85a3176d5 | SmmModule |
GA-H110M-WW | f6d15aa2b1b32e41989cc3843f02f5c35bb9771582b3c6010781dd3c506bbd46 | F25a (2024-07-31) | Gigabyte | AMI | OverClockSmiHandler | 4698c2bd-a903-410e-ad1f-5eef3a1ae422 | f942126be3313d89e6448d151806db64b163651b890822fc66f074e85a3176d5 | SmmModule |
GA-H110M-H DDR3 | 4ff101b31cb9bfc50a3d68a08d97d00e45ea6cb3c705826c890a1a0ded3e0675 | F25a (2024-07-31) | Gigabyte | AMI | OverClockSmiHandler | 4698c2bd-a903-410e-ad1f-5eef3a1ae422 | f942126be3313d89e6448d151806db64b163651b890822fc66f074e85a3176d5 | SmmModule |
GA-H110M-DS2V | 987c13aa767ae4f90fe575b68d5205f9cffe542c6a2a31b5469f6337c995d4dc | F25b (2024-07-31) | Gigabyte | AMI | OverClockSmiHandler | 4698c2bd-a903-410e-ad1f-5eef3a1ae422 | f942126be3313d89e6448d151806db64b163651b890822fc66f074e85a3176d5 | SmmModule |
GA-H110M-S2H | c3fe1addbed5e3277ef6e8f800f26413e268b351b0a7c3428691a60840437bd9 | F26g (2024-07-31) | Gigabyte | AMI | OverClockSmiHandler | 4698c2bd-a903-410e-ad1f-5eef3a1ae422 | f942126be3313d89e6448d151806db64b163651b890822fc66f074e85a3176d5 | SmmModule |
GA-H110M-H (rev. 1.0/1.1/1.2) | f6998f13871a34e66036e3955495304bc4bf9e2107c4e692b01023ae6a306adc | F28a (2024-07-31) | Gigabyte | AMI | OverClockSmiHandler | 4698c2bd-a903-410e-ad1f-5eef3a1ae422 | f942126be3313d89e6448d151806db64b163651b890822fc66f074e85a3176d5 | SmmModule |
GA-B150M-DS3H DDR3 | f3c9fbfa50f33797edb1aeb6ee842a80754a27cd3588ad1a21ac7f5c568a8e5c | F21f (2024-07-31) | Gigabyte | AMI | OverClockSmiHandler | 4698c2bd-a903-410e-ad1f-5eef3a1ae422 | 5e6229c90667e50f2d17fa3bc603ad20870cfffe82ad6c91e8f2db8628dcb7d2 | SmmModule |
GA-B150M-HD3 DDR3 | b12cc46337079db35d966e3a9cb2a6e9d917855b608c0697241d4fcb7f8c5a36 | F20i (2024-07-31) | Gigabyte | AMI | OverClockSmiHandler | 4698c2bd-a903-410e-ad1f-5eef3a1ae422 | 5e6229c90667e50f2d17fa3bc603ad20870cfffe82ad6c91e8f2db8628dcb7d2 | SmmModule |
G1.Sniper M7 | 12b7daa9d5c31aa6ebc7c8d4f9c9eddca48744b710536a6d5a3f48e6149ef9a8 | F20h (2024-07-31) | Gigabyte | AMI | OverClockSmiHandler | 4698c2bd-a903-410e-ad1f-5eef3a1ae422 | 6b0c585c530aab8211ac120fb16405b3c6e77b4b9e24c24d9f485b0723e4a7b1 | SmmModule |
GA-B150-HD3P | e53549965fcd59bcfd01b9625bbd75db3e7071c960d0c1cde29ef7c5c1234af1 | F24h (2024-07-31) | Gigabyte | AMI | OverClockSmiHandler | 4698c2bd-a903-410e-ad1f-5eef3a1ae422 | 6b0c585c530aab8211ac120fb16405b3c6e77b4b9e24c24d9f485b0723e4a7b1 | SmmModule |
GA-B150M-Gaming | c745d85d446733dce37dbfcf5676f277dc1309d3e013d6d2b2a0d993c79cb1c5 | F20h (2024-07-31) | Gigabyte | AMI | OverClockSmiHandler | 4698c2bd-a903-410e-ad1f-5eef3a1ae422 | 6b0c585c530aab8211ac120fb16405b3c6e77b4b9e24c24d9f485b0723e4a7b1 | SmmModule |
GA-B150M-D3H | 60bc81eb304d9a41b31d75b5eccfc7123e65fe6918378be4f5cb50de922040f6 | F25d (2024-07-31) | Gigabyte | AMI | OverClockSmiHandler | 4698c2bd-a903-410e-ad1f-5eef3a1ae422 | 6b0c585c530aab8211ac120fb16405b3c6e77b4b9e24c24d9f485b0723e4a7b1 | SmmModule |
GA-B150-HD3 | 736cf8d99d2f18f77f888eec96e2e40f9f73e71054dbe00ddf3a11139b5d0249 | F23f (2024-07-31) | Gigabyte | AMI | OverClockSmiHandler | 4698c2bd-a903-410e-ad1f-5eef3a1ae422 | 6b0c585c530aab8211ac120fb16405b3c6e77b4b9e24c24d9f485b0723e4a7b1 | SmmModule |
G1.Sniper B7 | 1e246537b19ab61d5c8cd38b89060492c00e43f7bc1264c1b553b9e69fd3bd14 | F22g (2024-07-31) | Gigabyte | AMI | OverClockSmiHandler | 4698c2bd-a903-410e-ad1f-5eef3a1ae422 | 6b0c585c530aab8211ac120fb16405b3c6e77b4b9e24c24d9f485b0723e4a7b1 | SmmModule |
GA-B150M-DS3P | 269eaa94485bdc504e70d4111f04ebcb8d37cfef7dec7c74f0d264df191455a3 | F22f (2024-07-31) | Gigabyte | AMI | OverClockSmiHandler | 4698c2bd-a903-410e-ad1f-5eef3a1ae422 | 6b0c585c530aab8211ac120fb16405b3c6e77b4b9e24c24d9f485b0723e4a7b1 | SmmModule |
GA-H110M-DS2 DDR3 | 71f531dc70b947482f0f0ffb7c8fbc010b9977c669c34f1786324ad45d02fbea | F20g (2024-07-31) | Gigabyte | AMI | OverClockSmiHandler | 4698c2bd-a903-410e-ad1f-5eef3a1ae422 | 2fd2dd41865feeaf2eda062bbcac350cda92241d30a4db628631658387354adf | SmmModule |
GA-H110M-D3H | eebe1cb67f3b462fe1b3b9a0d007e7f2a5cba50c6033a7afb06ad71a4f84feb8 | F22f (2024-07-31) | Gigabyte | AMI | OverClockSmiHandler | 4698c2bd-a903-410e-ad1f-5eef3a1ae422 | 2fd2dd41865feeaf2eda062bbcac350cda92241d30a4db628631658387354adf | SmmModule |
GA-H110M-DS2 (rev. 1.0/1.1/1.2) | ad979a1dd0b2c53da6865a2b558253f976bbcb2cb55a432d3756d1f142f7d27f | F28b (2024-07-31) | Gigabyte | AMI | OverClockSmiHandler | 4698c2bd-a903-410e-ad1f-5eef3a1ae422 | 2fd2dd41865feeaf2eda062bbcac350cda92241d30a4db628631658387354adf | SmmModule |
GA-B150M-D3V DDR3 | 9a4b972b117ef2044deeab6a7ad338686ea32c911d977d31118d99f0df5ed4f3 | F20h (2024-07-31) | Gigabyte | AMI | OverClockSmiHandler | 4698c2bd-a903-410e-ad1f-5eef3a1ae422 | 2fd2dd41865feeaf2eda062bbcac350cda92241d30a4db628631658387354adf | SmmModule |
GA-H110M-S2PV | aa8e9f38c971f023896114a8923e1d19e7492710b5c5085a0f3a5a871e58de7f | F26a (2024-07-31) | Gigabyte | AMI | OverClockSmiHandler | 4698c2bd-a903-410e-ad1f-5eef3a1ae422 | 2fd2dd41865feeaf2eda062bbcac350cda92241d30a4db628631658387354adf | SmmModule |
GA-H110M-S2PT | 25ac49a8146a2e15b8a43d7f9cacd9d7c0001045dccd86b4b4a6e37c36ca6ca7 | F25a (2024-07-31) | Gigabyte | AMI | OverClockSmiHandler | 4698c2bd-a903-410e-ad1f-5eef3a1ae422 | 2fd2dd41865feeaf2eda062bbcac350cda92241d30a4db628631658387354adf | SmmModule |
GA-B150M-D3V | 9720c45237f72da087d78ea7993296a489c5652d3329a3eafe3c284cedbf6f34 | F22f (2024-07-31) | Gigabyte | AMI | OverClockSmiHandler | 4698c2bd-a903-410e-ad1f-5eef3a1ae422 | 2fd2dd41865feeaf2eda062bbcac350cda92241d30a4db628631658387354adf | SmmModule |
GA-H110M-D3H R2 TPM | e46c4d7c94376280dc2ada886e41614ccc182ad1bdaec61289ea20eaa9ce5320 | F22e (2024-07-31) | Gigabyte | AMI | OverClockSmiHandler | 4698c2bd-a903-410e-ad1f-5eef3a1ae422 | 2fd2dd41865feeaf2eda062bbcac350cda92241d30a4db628631658387354adf | SmmModule |
GA-H110M-D3H R2 | 6262d1e55925221f51fc2340018b844e50a97bebd720e3570f77a2329c70d33e | F24a (2024-07-31) | Gigabyte | AMI | OverClockSmiHandler | 4698c2bd-a903-410e-ad1f-5eef3a1ae422 | 2fd2dd41865feeaf2eda062bbcac350cda92241d30a4db628631658387354adf | SmmModule |
GA-H110-D3 | 2378fe003520c3e5859d3df2632b31c5600235b59221de769b9674a108eed44a | F25a (2024-07-31) | Gigabyte | AMI | OverClockSmiHandler | 4698c2bd-a903-410e-ad1f-5eef3a1ae422 | 2fd2dd41865feeaf2eda062bbcac350cda92241d30a4db628631658387354adf | SmmModule |
GA-H110M-S2PV DDR3 | b8e8ed30d504b2c53c01a6f071e688aa5368f820f020a7128364cc8110d5b85e | F20g (2024-07-31) | Gigabyte | AMI | OverClockSmiHandler | 4698c2bd-a903-410e-ad1f-5eef3a1ae422 | 2fd2dd41865feeaf2eda062bbcac350cda92241d30a4db628631658387354adf | SmmModule |
GA-H110M-S2PH DDR3 | f58364b880ad729699e11e2cfb2bb391698a05414b15353893e5e3a8b632f489 | F20g (2024-07-31) | Gigabyte | AMI | OverClockSmiHandler | 4698c2bd-a903-410e-ad1f-5eef3a1ae422 | 2fd2dd41865feeaf2eda062bbcac350cda92241d30a4db628631658387354adf | SmmModule |
GA-B150-HD3 DDR3 | e07ad45d2fa75695aa4153bdfb6a97a024aa936f42b993ca7580e79b27af3081 | F20h (2024-07-31) | Gigabyte | AMI | OverClockSmiHandler | 4698c2bd-a903-410e-ad1f-5eef3a1ae422 | df39e626e170adf5c32ac4b89d728792aaca866b0e991e8f096735fddfaab54f | SmmModule |
GA-B150M-D3H DDR3 | 70b02a9a0b6799da4974595bc0827285e99d45945a23b56262b5b25cad19112b | F21a (2024-07-31) | Gigabyte | AMI | OverClockSmiHandler | 4698c2bd-a903-410e-ad1f-5eef3a1ae422 | df39e626e170adf5c32ac4b89d728792aaca866b0e991e8f096735fddfaab54f | SmmModule |
GA-B150M-D2V DDR3 | df683a33ede644ce98c450fed6ca62df8c15bcad6dffc220217d1ba39e6ae736 | F20g (2024-07-31) | Gigabyte | AMI | OverClockSmiHandler | 4698c2bd-a903-410e-ad1f-5eef3a1ae422 | df39e626e170adf5c32ac4b89d728792aaca866b0e991e8f096735fddfaab54f | SmmModule |
GA-H110-D3A | 341f6856b671bff0db401269775bc1b87bf275b21265e31a036a6f7f308f6019 | F26a (2024-07-31) | Gigabyte | AMI | OverClockSmiHandler | 4698c2bd-a903-410e-ad1f-5eef3a1ae422 | 48838ce51666fe7d3a754c4470fc7defce346ae6abafafcb2c8ff9aee9757511 | SmmModule |
GA-H110M-S2PH | d526c64c20ac74eb50fa9bdebd221d4495fc6cc2c18a593830f0a221dd0b6d4b | F28b (2024-07-31) | Gigabyte | AMI | OverClockSmiHandler | 4698c2bd-a903-410e-ad1f-5eef3a1ae422 | 48838ce51666fe7d3a754c4470fc7defce346ae6abafafcb2c8ff9aee9757511 | SmmModule |
GA-B150M-DS3H | c0e187e45d49c2d4034dfd306033a9188c1dda5f39a4fd051f67f87c7a54b832 | F22h (2024-07-31) | Gigabyte | AMI | OverClockSmiHandler | 4698c2bd-a903-410e-ad1f-5eef3a1ae422 | 4aadd4d47062b264576f6b831372a322632819e72ec8fecf1d02546e1236419d | SmmModule |
GA-B150M-HD3 | 01e177c19ae3dcbdd22baf5fc8d4cc6fa0d1fc65a1bcd0deb44c856c122219ca | F22g (2024-07-31) | Gigabyte | AMI | OverClockSmiHandler | 4698c2bd-a903-410e-ad1f-5eef3a1ae422 | 4aadd4d47062b264576f6b831372a322632819e72ec8fecf1d02546e1236419d | SmmModule |
GA-H110TN-E | 3d5dc407901ef60f47c45fc07c5e03f5b21aeea5a06f5d66a81c3bc50cab00bd | F23f (2024-07-31) | Gigabyte | AMI | OverClockSmiHandler | 4698c2bd-a903-410e-ad1f-5eef3a1ae422 | bd3f15252d4bb08afef1691f232600598c4aa06a5ef0547b9c901c5ed44f9a07 | SmmModule |
GA-B150N-GSM | 13b758b79966854d2e14ce41e4a1f7e5b0efb009147344a6bf26fcc2393a53c8 | F24b (2024-07-31) | Gigabyte | AMI | OverClockSmiHandler | 4698c2bd-a903-410e-ad1f-5eef3a1ae422 | f97e40033efcb4833034d197d28bc8af16ec1be3b10b6962afe7594cc957d698 | SmmModule |
GA-B150N Phoenix-WIFI | 133afbddbc0e454e690005903d447f5e993546dee8a73a2acc7e2a6500a70614 | F22f (2024-07-31) | Gigabyte | AMI | OverClockSmiHandler | 4698c2bd-a903-410e-ad1f-5eef3a1ae422 | f97e40033efcb4833034d197d28bc8af16ec1be3b10b6962afe7594cc957d698 | SmmModule |
GA-B150N Phoenix | 6101d4e6403e11fed667e10cfd590b2a408a5c4a29c0e35ba689b2ea0fdc14d8 | F20h (2024-07-31) | Gigabyte | AMI | OverClockSmiHandler | 4698c2bd-a903-410e-ad1f-5eef3a1ae422 | f97e40033efcb4833034d197d28bc8af16ec1be3b10b6962afe7594cc957d698 | SmmModule |
GA-H110MSTX-HD3-ZK | a3a46a53f53f77cb27d5a2a56b89acc3136ed594133a03bc8739c0d3d79a1013 | F26a (2024-07-31) | Gigabyte | AMI | OverClockSmiHandler | 4698c2bd-a903-410e-ad1f-5eef3a1ae422 | 7832fa4a89860ba3310c4524526e12c3d61287099b029abc6b72ac2eca70f826 | SmmModule |
GA-H110TN-M | 33b6b0feadbe1f19ec7c2a1400b86413d1398ef8379587109cb6879839d49066 | F23f (2024-07-31) | Gigabyte | AMI | OverClockSmiHandler | 4698c2bd-a903-410e-ad1f-5eef3a1ae422 | 6c091776669dfbde8f1343d42685b3483c8d773a60debf4eb98d2569d817639d | SmmModule |
GA-H110TN-CM | f41a57abad1e09a0ebcfde190980fe281b9629e3f47065387ae0f5707ded11b3 | F26a (2024-07-31) | Gigabyte | AMI | OverClockSmiHandler | 4698c2bd-a903-410e-ad1f-5eef3a1ae422 | 6c091776669dfbde8f1343d42685b3483c8d773a60debf4eb98d2569d817639d | SmmModule |
GA-H110M-M.2 | 6b4ca97176e120f27f3a6f0a5cfc37366f6ceb25008d7946d3001448efd272a8 | F25a (2024-07-31) | Gigabyte | AMI | OverClockSmiHandler | 4698c2bd-a903-410e-ad1f-5eef3a1ae422 | 399a08ddd638be322c9e3adc06b37b6cb89e4f122e0b58c6759949491737b5a7 | SmmModule |
GA-X150M-PRO ECC | fa5d2a56788c1dddd6ceea60fca9a85915600c0869f74fd68f981c9f3ec1032a | F22i (2024-08-14) | Gigabyte | AMI | OverClockSmiHandler | 4698c2bd-a903-410e-ad1f-5eef3a1ae422 | e07a5de6ced42c97783bf81375729c78d4233eaa294820eb2624b83c9dcd644b | SmmModule |
GA-X170-EXTREME ECC | cb1ae9c9063bc8cc4df451ff98f5686f896d2d420f1f6b1c3e220bb6e44319ac | F21h (2024-08-01) | Gigabyte | AMI | OverClockSmiHandler | 4698c2bd-a903-410e-ad1f-5eef3a1ae422 | a4d65270f5ed5ab6bc1c9b050b65aefebac20a1a05ebe828103dcf2798105620 | SmmModule |
Vulnerability description
Let's consider the module e07a5de6ced42c97783bf81375729c78d4233eaa294820eb2624b83c9dcd644b.
The pseudocode of the vulnerable function at 0xB10 is shown below (SwSmiInputValue: 0xB2):
```c
EFI_STATUS SwSmiHandler(
    EFI_HANDLE DispatchHandle,
    const void *Context,
    EFI_SMM_SW_CONTEXT *CommBuffer,
    UINTN *CommBufferSize)
{
    // [COLLAPSED LOCAL DECLARATIONS. PRESS NUMPAD "+" TO EXPAND]
    ...
    Value = 0;
    DataSize = 0x5F;
    Length = 0;
    Count = 0;
    Status = gEfiSmmVariableProtocol->SmmGetVariable(
        L"OcSetup",
        &OC_SETUP_VARIABLE_GUID,
        &Attributes,
        &DataSize,
        &OcSetupData);
    if ( Status < 0 || !OcSetupData.OverclockingSupport )
        return Status;
    if ( CommBuffer && CommBufferSize )
        CpuIndex = CommBuffer->SwSmiCpuIndex;
    if ( CpuIndex == -1 )
        return EFI_UNSUPPORTED;
    Status = gEfiSmmCpuProtocol->ReadSaveState(
        gEfiSmmCpuProtocol,
        4,
        EFI_SMM_SAVE_STATE_REGISTER_RBX,
        CpuIndex,
        &RbxRegister);
    Status = gEfiSmmCpuProtocol->ReadSaveState(gEfiSmmCpuProtocol, 4, EFI_SMM_SAVE_STATE_REGISTER_RCX, CpuIndex, &Buffer);
    BiosSettingHeader = RbxRegister;
    BiosSettingEntries = (RbxRegister + 16);
    TurboBoostEnabled = IsTurboBoostEnabled();
    ProgrammableTdpLimit = IsProgrammableTdpLimit();
    ProgrammableTjOffset = IsProgrammableTjOffset();
    if ( Buffer > 2 )
    {
        Value = 0x8004;
        Status0 = gEfiSmmCpuProtocol->WriteSaveState(
            gEfiSmmCpuProtocol,
            4,
            EFI_SMM_SAVE_STATE_REGISTER_RBX,
            CpuIndex,
            &Value);
        Status = Status0;
        return Status0;
    }
    if ( !Buffer )
    {
        Length = 0x110;
        Count = 0x20;
        if ( TurboBoostEnabled )
        {
            Length += 8;
            ++Count;
            if ( ProgrammableTdpLimit )
            {
                Length += 32;
                Count += 4;
            }
            if ( ProgrammableTjOffset )
            {
                Length += 16;
                Count += 2;
                if ( gCoreThreadCount > 2 )
                {
                    Length += 16;
                    Count += 2;
                }
            }
        }
        if ( BiosSettingHeader->Signature != '2DB$' )
        {
            if ( BiosSettingHeader->Signature == '$DB$' )
            {
                // SMRAM write
                BiosSettingHeader->Signature = '2DB$';
                BiosSettingHeader->Length = Length;
                BiosSettingHeader->MajorRev = 2;
                BiosSettingHeader->MinorRev = 0;
                Value = 1;
            }
            else
            {
                Value = 0x8001;
            }
            Status0 = gEfiSmmCpuProtocol->WriteSaveState(
                gEfiSmmCpuProtocol,
                4,
                EFI_SMM_SAVE_STATE_REGISTER_RBX,
                CpuIndex,
                &Value);
            Status = Status0;
            return Status0;
        }
        if ( BiosSettingHeader->Length > 0xC00 )
        {
            Value = 0x8008;
            Status0 = gEfiSmmCpuProtocol->WriteSaveState(
                gEfiSmmCpuProtocol,
                4,
                EFI_SMM_SAVE_STATE_REGISTER_RBX,
                CpuIndex,
                &Value);
            Status = Status0;
            return Status0;
        }
        if ( BiosSettingHeader->Length <= Length )
        {
            if ( BiosSettingHeader->Length < 0xC )
            {
                Value = 32771;
                Status0 = gEfiSmmCpuProtocol->WriteSaveState(
                    gEfiSmmCpuProtocol,
                    4,
                    EFI_SMM_SAVE_STATE_REGISTER_RBX,
                    CpuIndex,
                    &Value);
                Status = Status0;
                return Status0;
            }
            if ( BiosSettingHeader->Length < Length )
            {
                // SMRAM write
                BiosSettingHeader->Length = Length;
                BiosSettingHeader->MajorRev = 2;
                BiosSettingHeader->MinorRev = 0;
                Value = 32770;
                Status0 = gEfiSmmCpuProtocol->WriteSaveState(
                    gEfiSmmCpuProtocol,
                    4,
                    EFI_SMM_SAVE_STATE_REGISTER_RBX,
                    CpuIndex,
                    &Value);
                Status = Status0;
                return Status0;
            }
            Value = 0;
            Status = gEfiSmmCpuProtocol->WriteSaveState(
                gEfiSmmCpuProtocol,
                4u,
                EFI_SMM_SAVE_STATE_REGISTER_RBX,
                CpuIndex,
                &Value);
            // SMRAM write
            BiosSettingHeader->MajorRev = 2;
            BiosSettingHeader->MinorRev = 0;
        }
        else
        {
            // SMRAM write
            BiosSettingHeader->Length = Length;
            BiosSettingHeader->MajorRev = 2;
            BiosSettingHeader->MinorRev = 0;
            Value = 2;
            Status = gEfiSmmCpuProtocol->WriteSaveState(
                gEfiSmmCpuProtocol,
                4,
                EFI_SMM_SAVE_STATE_REGISTER_RBX,
                CpuIndex,
                &Value);
        }
        // SMRAM write
        BiosSettingHeader->Count = Count;
        // SMRAM write
        BiosSettingEntries->BiosImplementationType = 0x29;
        BiosSettingEntries->SettingValue = OcSetupData.EnableGv;
        BiosSettingEntries[1].BiosImplementationType = 0;
        BiosSettingEntries[1].SettingValue = OcSetupData.CpuRatio;
        BiosSettingEntries[2].BiosImplementationType = 7;
        BiosSettingEntries[2].SettingValue = OcSetupData.tCL;
        BiosSettingEntries[3].BiosImplementationType = 8;
        BiosSettingEntries[3].SettingValue = OcSetupData.tRCDtRP;
        BiosSettingEntries[4].BiosImplementationType = 0xA;
        BiosSettingEntries[4].SettingValue = OcSetupData.tRAS;
        BiosSettingEntries[5].BiosImplementationType = 0xB;
        if ( OcSetupData.tWR )
            BiosSettingEntries[5].SettingValue = OcSetupData.tWR;
        else
            BiosSettingEntries[5].SettingValue = 0xFFFFFFFE;
        BiosSettingEntries[6].BiosImplementationType = 0x15;
        BiosSettingEntries[6].SettingValue = OcSetupData.tRFC;
        BiosSettingEntries[7].BiosImplementationType = 0x16;
        BiosSettingEntries[7].SettingValue = OcSetupData.tRRD;
        BiosSettingEntries[8].BiosImplementationType = 0x17;
        BiosSettingEntries[8].SettingValue = OcSetupData.tWTR;
        BiosSettingEntries[9].BiosImplementationType = 0x19;
        BiosSettingEntries[9].SettingValue = OcSetupData.tRTP;
        BiosSettingEntries[10].BiosImplementationType = 0x28;
        BiosSettingEntries[10].SettingValue = OcSetupData.tFAW;
        BiosSettingEntries[11].BiosImplementationType = 0x18;
        if ( OcSetupData.NModeSupport )
            BiosSettingEntries[11].SettingValue = OcSetupData.NModeSupport;
        else
            BiosSettingEntries[11].SettingValue = 0xFFFFFFFE;
        ...
    }
    if...
    if...
    return Status;
}
```
As the pseudocode shows, the pointers to the BiosSettingHeader and BiosSettingEntries buffers (where BiosSettingEntries is BiosSettingHeader + 16) are attacker-controlled, because they are derived directly from the RBX value read with gEfiSmmCpuProtocol->ReadSaveState. Neither buffer is validated to ensure it does not overlap SMRAM.
The function includes multiple write operations to the controlled buffer:
```c
// SMRAM write
BiosSettingHeader->Signature = '2DB$';
BiosSettingHeader->Length = Length;
BiosSettingHeader->MajorRev = 2;
BiosSettingHeader->MinorRev = 0;
...
// SMRAM write
BiosSettingHeader->Count = Count;
// SMRAM write
BiosSettingEntries->BiosImplementationType = 0x29;
BiosSettingEntries->SettingValue = OcSetupData.EnableGv;
BiosSettingEntries[1].BiosImplementationType = 0;
BiosSettingEntries[1].SettingValue = OcSetupData.CpuRatio;
BiosSettingEntries[2].BiosImplementationType = 7;
BiosSettingEntries[2].SettingValue = OcSetupData.tCL;
BiosSettingEntries[3].BiosImplementationType = 8;
BiosSettingEntries[3].SettingValue = OcSetupData.tRCDtRP;
BiosSettingEntries[4].BiosImplementationType = 0xA;
BiosSettingEntries[4].SettingValue = OcSetupData.tRAS;
BiosSettingEntries[5].BiosImplementationType = 0xB;
...
```
This allows an attacker to corrupt SMRAM if BiosSettingHeader (RBX) points into SMRAM, or just below it so that the written span extends into SMRAM.
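The validation the handler lacks, as an added example that is not part of the advisory or of the vendor's firmware: a stand-alone C model of the range check an SMI handler should apply to an RBX-derived pointer before writing through it, following the contract of EDK2's SmmIsBufferOutsideSmmValid(). The SMRAM range and the header/entry struct layout are constructed assumptions; the 16-byte header followed by 8-byte entries is inferred from the pseudocode's Length/Count arithmetic (0x110 with Count 0x20, +8 bytes per extra entry).

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed SMRAM layout for this example (not the real platform's):
 * one TSEG region of 8 MiB at 0x7E000000. Real firmware obtains these
 * ranges from EFI_SMM_ACCESS2_PROTOCOL.GetCapabilities(). */
typedef struct { uint64_t Base; uint64_t Size; } SmramRange;
static const SmramRange kSmram[] = { { 0x7E000000ULL, 0x00800000ULL } };

/* Assumed layout of what the handler writes through RBX: the pseudocode's
 * base Length 0x110 with Count 0x20, and +8 per extra entry, imply a
 * 16-byte header followed by 8-byte entries. Field order is a guess. */
typedef struct {
    uint32_t Signature;
    uint32_t Length;
    uint16_t MajorRev;
    uint16_t MinorRev;
    uint32_t Count;
} BiosSettingHeader;
typedef struct { uint32_t BiosImplementationType; uint32_t SettingValue; } BiosSettingEntry;
typedef struct { uint32_t Length; uint32_t Count; } ExpectedSize;

#define EFI_SUCCESS           0ULL
#define EFI_INVALID_PARAMETER 0x8000000000000002ULL  /* MAX_BIT | 2 on x64 */

/* Reproduces the handler's Length/Count arithmetic for the Buffer == 0 path. */
ExpectedSize ComputeExpectedSize(bool turbo, bool tdpLimit, bool tjOffset, unsigned coreThreads) {
    ExpectedSize s = { 0x110, 0x20 };
    if (turbo) {
        s.Length += 8;  s.Count += 1;
        if (tdpLimit) { s.Length += 32; s.Count += 4; }
        if (tjOffset) {
            s.Length += 16; s.Count += 2;
            if (coreThreads > 2) { s.Length += 16; s.Count += 2; }
        }
    }
    return s;
}

/* Same contract as EDK2's SmmIsBufferOutsideSmmValid(): true only when
 * [addr, addr + len) is non-empty, does not wrap, and overlaps no SMRAM
 * range. A buffer that starts just below SMRAM but extends into it (the
 * advisory's "just before SMRAM" case) is rejected. */
bool IsBufferOutsideSmram(uint64_t addr, uint64_t len) {
    if (len == 0 || addr + len < addr)
        return false;
    for (size_t i = 0; i < sizeof kSmram / sizeof kSmram[0]; i++) {
        uint64_t start = kSmram[i].Base;
        uint64_t end = start + kSmram[i].Size;
        if (addr < end && addr + len > start)
            return false;
    }
    return true;
}

/* The gate missing from the handler: validate the whole span it will write
 * (header plus every entry it is about to fill) before the first dereference
 * of the RBX-derived pointer. */
uint64_t ValidateRbxPointer(uint64_t rbx, ExpectedSize expected) {
    uint64_t span = sizeof(BiosSettingHeader) + (uint64_t)expected.Count * sizeof(BiosSettingEntry);
    if (span != expected.Length)                 /* layout assumption sanity check */
        return EFI_INVALID_PARAMETER;
    return IsBufferOutsideSmram(rbx, span) ? EFI_SUCCESS : EFI_INVALID_PARAMETER;
}
```

The check must cover the full span the handler writes, not just the header address, which is why the entry count feeds into the validated length.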
Disclosure timeline
This vulnerability is subject to a 90 day disclosure period. After 90 days or when a patch has been made generally available (whichever comes first) the advisory will be publicly disclosed.
| Disclosure Activity | Date |
|---|---|
| CERT/CC is notified | 2025-04-15 |
| Gigabyte confirmed issue | 2025-06-12 |
| CERT/CC assigned CVE number | 2025-07-02 |
| BINARLY public disclosure date | 2025-07-10 |
Acknowledgements
References