corCTF 2023 smm-diary: Ropping in Ring -2
ID: 34cac68d-64e0-5e89-ac15-83c4e54127d1
STIX ID: report--34cac68d-64e0-5e89-ac15-83c4e54127d1
Feed Name: Will's Root
This write-up documents a high-privilege System Management Mode (SMM) vulnerability in an OVMF module used in corCTF 2023, where an unchecked communication buffer pointer allows an arbitrary write from ring 0 into SMRAM. The author analyzes the bug, shows the source of the patched, vulnerable module, explains how to trigger the SMI from kernel space (mapping the buffer with ioremap and writing to ports 0xB2/0xB3), and provides a kernel-driver exploit that uses a ROP chain in ring -2 to dump a flag from SMRAM.
