From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=192.55.52.88; helo=mga01.intel.com; envelope-from=star.zeng@intel.com; receiver=edk2-devel@lists.01.org Received: from mga01.intel.com (mga01.intel.com [192.55.52.88]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id 8339A2115C318 for ; Fri, 28 Sep 2018 23:11:48 -0700 (PDT) X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from fmsmga001.fm.intel.com ([10.253.24.23]) by fmsmga101.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 28 Sep 2018 23:11:48 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.54,318,1534834800"; d="scan'208";a="94513076" Received: from fmsmsx106.amr.corp.intel.com ([10.18.124.204]) by fmsmga001.fm.intel.com with ESMTP; 28 Sep 2018 23:11:45 -0700 Received: from fmsmsx157.amr.corp.intel.com (10.18.116.73) by FMSMSX106.amr.corp.intel.com (10.18.124.204) with Microsoft SMTP Server (TLS) id 14.3.319.2; Fri, 28 Sep 2018 23:11:44 -0700 Received: from shsmsx104.ccr.corp.intel.com (10.239.4.70) by FMSMSX157.amr.corp.intel.com (10.18.116.73) with Microsoft SMTP Server (TLS) id 14.3.319.2; Fri, 28 Sep 2018 23:11:44 -0700 Received: from shsmsx102.ccr.corp.intel.com ([169.254.2.140]) by SHSMSX104.ccr.corp.intel.com ([169.254.5.183]) with mapi id 14.03.0319.002; Sat, 29 Sep 2018 14:11:42 +0800 From: "Zeng, Star" To: "Wu, Hao A" , "edk2-devel@lists.01.org" CC: "Yao, Jiewen" , "Zeng, Star" Thread-Topic: [PATCH v2 3/5] MdeModulePkg/SmmLockBox: [CVE-2017-5753] Fix bounds check bypass Thread-Index: AQHUVJbY8RSKZ85R7kq3yobKVAQ2IqUGzVKQ Date: Sat, 29 Sep 2018 06:11:41 +0000 Message-ID: <0C09AFA07DD0434D9E2A0C6AEB0483103BBF5E8E@shsmsx102.ccr.corp.intel.com> References: <20180925061259.31680-1-hao.a.wu@intel.com> <20180925061259.31680-4-hao.a.wu@intel.com> In-Reply-To: <20180925061259.31680-4-hao.a.wu@intel.com> Accept-Language: zh-CN, en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [10.239.127.40] MIME-Version: 1.0 Subject: Re: [PATCH v2 3/5] MdeModulePkg/SmmLockBox: [CVE-2017-5753] Fix bounds check bypass X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 29 Sep 2018 06:11:48 -0000 Content-Language: en-US Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Reviewed-by: Star Zeng -----Original Message----- From: Wu, Hao A=20 Sent: Tuesday, September 25, 2018 2:13 PM To: edk2-devel@lists.01.org Cc: Wu, Hao A ; Yao, Jiewen ; Zen= g, Star Subject: [PATCH v2 3/5] MdeModulePkg/SmmLockBox: [CVE-2017-5753] Fix bounds= check bypass REF:https://bugzilla.tianocore.org/show_bug.cgi?id=3D1194 Speculative execution is used by processor to avoid having to wait for data= to arrive from memory, or for previous operations to finish, the processor= may speculate as to what will be executed. If the speculation is incorrect, the speculatively executed instructions mi= ght leave hints such as which memory locations have been brought into cache= . Malicious actors can use the bounds check bypass method (code gadgets wit= h controlled external inputs) to infer data values that have been used in s= peculative operations to reveal secrets which should not otherwise be acces= sed. This commit will focus on the SMI handler(s) registered within the SmmLockB= ox driver and insert AsmLfence API to mitigate the bounds check bypass issu= e. For SMI handler SmmLockBoxHandler(): Under "case EFI_SMM_LOCK_BOX_COMMAND_SAVE:", the 'CommBuffer' (controlled e= xternal inputs) is passed to function SmmLockBoxSave(). 'TempLockBoxParameterSave.Length' can be a potential cross boundary access = of the 'CommBuffer' during speculative execution. This cross boundary acces= s is later passed as parameter 'Length' into function SaveLockBox(). Within function SaveLockBox(), the value of 'Length' can be inferred by code: "CopyMem ((VOID *)(UINTN)SmramBuffer, (VOID *)(UINTN)Buffer, Length);". One can observe which part of the content within 'Buffer' was brought into = cache to possibly reveal the value of 'Length'. Hence, this commit adds a AsmLfence() after the boundary/range checks of 'C= ommBuffer' to prevent the speculative execution. And there is a similar case under "case EFI_SMM_LOCK_BOX_COMMAND_UPDATE:" function SmmLockBoxUpdate() as well. This commits also handles it. A more detailed explanation of the purpose of commit is under the 'Bounds c= heck bypass mitigation' section of the below link: https://software.intel.com/security-software-guidance/insights/host-firmwar= e-speculative-execution-side-channel-mitigation And the document at: https://software.intel.com/security-software-guidance/api-app/sites/default= /files/337879-analyzing-potential-bounds-Check-bypass-vulnerabilities.pdf Cc: Jiewen Yao Cc: Star Zeng Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Hao Wu --- MdeModulePkg/Universal/LockBox/SmmLockBox/SmmLockBox.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/MdeModulePkg/Universal/LockBox/SmmLockBox/SmmLockBox.c b/MdeMo= dulePkg/Universal/LockBox/SmmLockBox/SmmLockBox.c index 5a11743cb9..c1c9aa5663 100644 --- a/MdeModulePkg/Universal/LockBox/SmmLockBox/SmmLockBox.c +++ b/MdeModulePkg/Universal/LockBox/SmmLockBox/SmmLockBox.c @@ -76,6 +76,11 @@ SmmLockBoxSave ( LockBoxParameterSave->Header.ReturnStatus =3D (UINT64)EFI_ACCESS_DENIE= D; return ; } + // + // The AsmLfence() call here is to ensure the above range check for=20 + the // CommBuffer have been completed before calling into SaveLockBox(). + // + AsmLfence (); =20 // // Save data @@ -160,6 +165,11 @@ SmmLockBoxUpdate ( LockBoxParameterUpdate->Header.ReturnStatus =3D (UINT64)EFI_ACCESS_DEN= IED; return ; } + // + // The AsmLfence() call here is to ensure the above range check for=20 + the // CommBuffer have been completed before calling into UpdateLockBox(= ). + // + AsmLfence (); =20 // // Update data -- 2.12.0.windows.1