From: "gaoliming via groups.io"
To: "'Gerd Hoffmann'"
Cc: "'Ard Biesheuvel'"
Subject: Re: [edk2-devel] [PATCH v3 00/20] NetworkPkg: CVE-2023-45236 and CVE-2023-45237
Date: Thu, 30 May 2024 13:07:45 +0800
Message-ID: <00e401dab24f$4eccdc20$ec669460$@byosoft.com.cn>
References: <20240524054512.523329-1-douglas.flick@microsoft.com>
Sender: devel@edk2.groups.io
Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io

If ASSERT triggers the exception, could the call stack show each caller?

Thanks
Liming

> -----Original Message-----
> From: Gerd Hoffmann
> Sent: May 29, 2024 21:09
> To: devel@edk2.groups.io; dougflick@microsoft.com
> Cc: Liming Gao; Ard Biesheuvel
> Subject: Re: [edk2-devel] [PATCH v3 00/20] NetworkPkg: CVE-2023-45236 and CVE-2023-45237
>
> On Thu, May 23, 2024 at 10:44:52PM GMT, Doug Flick via groups.io wrote:
> > REF:https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html
> >
> > This patch series patches the following CVEs:
> > - CVE-2023-45236: Predictable TCP Initial Sequence Numbers
> > - CVE-2023-45237: Use of a Weak PseudoRandom Number Generator
>
> Ok, looks like there is some more fallout from this patch series which I
> haven't seen in my initial testing. It does not always happen, didn't
> figure yet what exactly triggers the behavior. But in some cases there
> is quite some network stack activity, apparently done by
> EVT_SIGNAL_EXIT_BOOT_SERVICES event handlers ...
>
> With the debug patch below applied the tail of the ovmf log looks like
> this:
>
> VirtioRngExitBoot: Context=0x7D73D798
> Hash2ServiceBindingDestroyChild - Invalid handle
> MnpServiceBindingDestroyChild: Failed to uninstall the ManagedNetwork protocol, Invalid Parameter.
> Support(): UNDI3.1 found on handle 7D461118
> Support(): supported on 7D461118
> Start(): UNDI3.1 found
>
> snp->undi.start() 1h:8000h
> InstallProtocolInterface: 7AB33A91-ACE5-4326-B572-E7EE33D39F16 7CE872C0
> InstallProtocolInterface: F44C00EE-1F2C-4A00-AA09-1C9F3E0800A3 7CE7D020
> Failed to generate random data using secure algorithm 0: Unsupported
> Failed to generate random data using secure algorithm 1: Unsupported
> Failed to generate random data using secure algorithm 2: Unsupported
> Failed to generate random data using secure algorithm 3: Unsupported
> VirtioRngGetRNG: not ready
> Failed to generate random data using secure algorithm 4: Device Error
>
> ASSERT_EFI_ERROR (Status = Device Error)
> ASSERT /home/kraxel/projects/edk2/NetworkPkg/Library/DxeNetLib/DxeNetLib.c(965): !(((INTN)(RETURN_STATUS)(Status)) < 0)
>
> The VirtioRngDxe EVT_SIGNAL_EXIT_BOOT_SERVICES handler resets the
> device, to make sure it will stop any DMA.
>
> Once the reset is done the device can't deliver random numbers any more,
> but the network code wants some. So with the debug patch an assert is
> triggered, without the debug patch the system simply hangs because the
> virtio-rng device wouldn't answer requests sent by the driver.
>
> I'm wondering what the network code is actually doing here in the first
> place? It apparently /installs/ protocols in the
> EVT_SIGNAL_EXIT_BOOT_SERVICES handler? I don't think this is how things
> are supposed to work ...
>
> take care,
> Gerd
>
> ------------------------- cut here ------------------------- > diff --git a/OvmfPkg/VirtioRngDxe/VirtioRng.h > b/OvmfPkg/VirtioRngDxe/VirtioRng.h > index 2da99540a208..3519521d6ab5 100644 > --- a/OvmfPkg/VirtioRngDxe/VirtioRng.h > +++ b/OvmfPkg/VirtioRngDxe/VirtioRng.h 
> @@ -33,6 +33,7 @@ typedef struct { > VRING Ring; // VirtioRingInit 2 > EFI_RNG_PROTOCOL Rng; // VirtioRngInit 1 > VOID *RingMap; // VirtioRingMap > 2 > + BOOLEAN Ready; > } VIRTIO_RNG_DEV; >=20 > #define VIRTIO_ENTROPY_SOURCE_FROM_RNG(RngPointer) \ > diff --git a/OvmfPkg/VirtioNetDxe/Events.c b/OvmfPkg/VirtioNetDxe/Events.= c > index 75a9644f749c..36e3eed4617c 100644 > --- a/OvmfPkg/VirtioNetDxe/Events.c > +++ b/OvmfPkg/VirtioNetDxe/Events.c > @@ -77,7 +77,7 @@ VirtioNetExitBoot ( > // > VNET_DEV *Dev; >=20 > - DEBUG ((DEBUG_VERBOSE, "%a: Context=3D0x%p\n", __func__, Context)); > + DEBUG ((DEBUG_INFO, "%a: Context=3D0x%p\n", __func__, Context)); > Dev =3D Context; > if (Dev->Snm.State =3D=3D EfiSimpleNetworkInitialized) { > Dev->VirtIo->SetDeviceStatus (Dev->VirtIo, 0); > diff --git a/OvmfPkg/VirtioRngDxe/VirtioRng.c > b/OvmfPkg/VirtioRngDxe/VirtioRng.c > index 069aed148af1..370c9ac8f1de 100644 > --- a/OvmfPkg/VirtioRngDxe/VirtioRng.c > +++ b/OvmfPkg/VirtioRngDxe/VirtioRng.c > @@ -156,6 +156,10 @@ VirtioRngGetRNG ( > } >=20 > Dev =3D VIRTIO_ENTROPY_SOURCE_FROM_RNG (This); > + if (!Dev->Ready) { > + DEBUG ((DEBUG_INFO, "%a: not ready\n", __func__)); > + return EFI_DEVICE_ERROR; > + } > // > // Map Buffer's system physical address to device address > // > @@ -382,6 +386,7 @@ VirtioRngInit ( > // > Dev->Rng.GetInfo =3D VirtioRngGetInfo; > Dev->Rng.GetRNG =3D VirtioRngGetRNG; > + Dev->Ready =3D TRUE; >=20 > return EFI_SUCCESS; >=20 > @@ -414,8 +419,8 @@ VirtioRngUninit ( > // VIRTIO_CFG_WRITE() returns, the host will have learned to stay away from > // the old comms area. > // > + Dev->Ready =3D FALSE; > Dev->VirtIo->SetDeviceStatus (Dev->VirtIo, 0); > - > Dev->VirtIo->UnmapSharedBuffer (Dev->VirtIo, Dev->RingMap); >=20 > VirtioRingUninit (Dev->VirtIo, &Dev->Ring); 
> @@ -435,7 +440,7 @@ VirtioRngExitBoot ( > { > VIRTIO_RNG_DEV *Dev; >=20 > - DEBUG ((DEBUG_VERBOSE, "%a: Context=3D0x%p\n", __func__, Context)); > + DEBUG ((DEBUG_INFO, "%a: Context=3D0x%p\n", __func__, Context)); > // > // Reset the device. This causes the hypervisor to forget about the virtio > // ring. > @@ -444,6 +449,7 @@ VirtioRngExitBoot ( > // executing after ExitBootServices() is permitted to overwrite it. > // > Dev =3D Context; > + Dev->Ready =3D FALSE; > Dev->VirtIo->SetDeviceStatus (Dev->VirtIo, 0); > } >=20
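
Review bot: In the VirtioRng.h hunk, the new "BOOLEAN Ready;" member has no trailing comment, unlike the Ring, Rng and RingMap members above it, which each name the function that manages them. Add a comment saying the flag is set in VirtioRngInit and cleared in VirtioRngUninit and VirtioRngExitBoot, so a reader of the struct knows when GetRNG is allowed to touch the ring.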
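
Review bot: In the VirtioRngGetRNG hunk, the "if (!Dev->Ready)" guard carries no comment explaining why the device can be not ready, and it runs straight into the following "// Map Buffer's system physical address" comment block without a blank line after the closing brace. Add a short comment that the device has been reset and will not answer requests, plus the blank line. The EFI_DEVICE_ERROR returned here is the status the log above shows reaching the ASSERT_EFI_ERROR at DxeNetLib.c(965), so the guard replaces the hang with an error that the caller still has to handle.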
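
Review bot: In the VirtioRngUninit hunk, the blank line between "Dev->VirtIo->SetDeviceStatus (Dev->VirtIo, 0);" and "Dev->VirtIo->UnmapSharedBuffer (...)" is deleted, which is an unrelated whitespace change. Keep the blank line so the hunk only adds "Dev->Ready = FALSE;" ahead of the device reset.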
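
Review bot: The DEBUG_VERBOSE to DEBUG_INFO changes in VirtioNetExitBoot (VirtioNetDxe/Events.c) and in VirtioRngExitBoot are tracing aids that have nothing to do with the Ready flag, and the Events.c one touches a different driver. If the Ready guard is turned into a real fix, leave both messages at DEBUG_VERBOSE or move the log-level change into its own patch.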