A tool to test SMI handlers for pointer validation vulnerabilities


Usage: chipsec_main -m tools.smm.smm_ptr -l log.txt \ [-a <mode>,<config_file>|<smic_start:smic_end>,<size>,<address>]

  • mode: SMI fuzzing mode

    • config = use SMI configuration file <config_file>

    • fuzz = fuzz all SMI handlers with code in the range <smic_start:smic_end>

    • fuzzmore = fuzz mode + pass 2nd-order pointers within buffer to SMI handlers

    • scan = fuzz mode + time measurement to identify SMIs that trigger long-running code paths

  • size: size of the memory buffer (in Hex)

  • address: physical address of memory buffer to pass in GP regs to SMI handlers (in Hex)

    • smram = option passes address of SMRAM base (system may hang in this mode!)

In config mode, SMI configuration file should have the following format

SMI_code=<SMI code> or *
SMI_data=<SMI data> or *
RAX=<value of RAX> or * or PTR or VAL
RBX=<value of RBX> or * or PTR or VAL
RCX=<value of RCX> or * or PTR or VAL
RDX=<value of RDX> or * or PTR or VAL
RSI=<value of RSI> or * or PTR or VAL
RDI=<value of RDI> or * or PTR or VAL
[PTR_OFFSET=<offset to pointer in the buffer>]
[SIG_OFFSET=<offset to signature in the buffer>]
[Name=<SMI name>]
[Desc=<SMI description>]


  • []: optional line

  • *: Don’t Care (the module will replace * with 0x0)

  • PTR: Physical address SMI handler will write to (the module will replace PTR with physical address provided as a command-line argument)

  • VAL: Value SMI handler will write to PTR address (the module will replace VAL with hardcoded _FILL_VALUE_xx)


>>> -m tools.smm.smm_ptr
>>> -m tools.smm.smm_ptr -a fuzzmore,0x0:0xFF -l smm.log
>>> -m tools.smm.smm_ptr -a scan,0x0:0xff


  • This is a potentially destructive test