The SMM module fails to verify that its output pointer is outside SMRAM. Use this to gain an arbitrary write on the SMRAM stack and ROP to write the flag somewhere outside of SMRAM. Replicate how UEFI modules communicate with and trigger SMM in the kernel by mapping in gSmmCorePrivate to interact with the vulnerable module.

Original writeup (https://www.willsroot.io/2023/08/smm-diary-writeup.html).
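
The check the handler is missing, as an added example that is not code from the challenge or from the original writeup: before storing a result through a caller-supplied pointer, an SMI handler has to confirm the whole buffer lies outside SMRAM, which is what EDK II's `SmmIsBufferOutsideSmmValid` is for. The `smram_range` type, the function name and the SMRAM layout below are assumptions made for the illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One SMRAM region as physical base and size (hypothetical type). */
struct smram_range { uint64_t base, size; };

/* Constructed sample layout: 16 MiB of SMRAM at 0x7F000000. */
static const struct smram_range sample_smram[] = {
    { 0x7F000000ULL, 0x01000000ULL },
};
#define SAMPLE_COUNT (sizeof sample_smram / sizeof sample_smram[0])

/* True only if [addr, addr+len) lies entirely outside every SMRAM range. */
bool buffer_outside_smram(const struct smram_range *r, size_t n,
                          uint64_t addr, uint64_t len)
{
    if (len == 0)
        return true;                       /* nothing would be touched */
    if (addr > UINT64_MAX - (len - 1))
        return false;                      /* addr + len wraps around */
    uint64_t last = addr + (len - 1);      /* last byte of the buffer */
    for (size_t i = 0; i < n; i++) {
        if (r[i].size == 0)
            continue;
        uint64_t r_last = r[i].base + (r[i].size - 1);
        if (addr <= r_last && last >= r[i].base)
            return false;                  /* any overlap is rejected */
    }
    return true;
}

int main(void)
{
    /* Constructed caller-supplied output pointers, 8 bytes each. */
    const uint64_t ptrs[] = { 0x1000, 0x7EFFFFFC, 0x7F400000, 0x80000000 };
    for (size_t i = 0; i < sizeof ptrs / sizeof ptrs[0]; i++)
        printf("%#llx -> %s\n", (unsigned long long)ptrs[i],
               buffer_outside_smram(sample_smram, SAMPLE_COUNT, ptrs[i], 8)
                   ? "accept" : "reject");
    return 0;
}
```

A handler would run this check on the pointer and length taken from the communication buffer and return an error instead of writing when it fails.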