From: "Zeng, Star" <star.zeng@intel.com>
To: "Wu, Hao A" <hao.a.wu@intel.com>,
"edk2-devel@lists.01.org" <edk2-devel@lists.01.org>
Cc: "Yao, Jiewen" <jiewen.yao@intel.com>, "Zeng, Star" <star.zeng@intel.com>
Subject: Re: [PATCH v2 2/5] MdeModulePkg/FaultTolerantWrite:[CVE-2017-5753]Fix bounds check bypass
Date: Sat, 29 Sep 2018 06:25:06 +0000 [thread overview]
Message-ID: <0C09AFA07DD0434D9E2A0C6AEB0483103BBF5F0D@shsmsx102.ccr.corp.intel.com> (raw)
In-Reply-To: <B80AF82E9BFB8E4FBD8C89DA810C6A0931E5DE26@SHSMSX104.ccr.corp.intel.com>
Got it, thanks.
Reviewed-by: Star Zeng <star.zeng@intel.com>
Star
-----Original Message-----
From: Wu, Hao A
Sent: Saturday, September 29, 2018 2:21 PM
To: Zeng, Star <star.zeng@intel.com>; edk2-devel@lists.01.org
Cc: Yao, Jiewen <jiewen.yao@intel.com>
Subject: RE: [PATCH v2 2/5] MdeModulePkg/FaultTolerantWrite:[CVE-2017-5753]Fix bounds check bypass
> -----Original Message-----
> From: Zeng, Star
> Sent: Saturday, September 29, 2018 2:11 PM
> To: Wu, Hao A; edk2-devel@lists.01.org
> Cc: Yao, Jiewen; Zeng, Star
> Subject: RE: [PATCH v2 2/5] MdeModulePkg/FaultTolerantWrite:[CVE-2017-
> 5753]Fix bounds check bypass
>
> Please double check whether the AsmLfence calling should be before the
> line below.
>
> PrivateData = (VOID *)&SmmFtwWriteHeader->Data[Length];
Hi,
The above code is getting the address of a possible cross bounday access during the speculative execution.
I also checked that the subsequent usage of 'PrivateData' does not have a code pattern of the 'Bounds check bypass' issue. So I think the
AsmLfence() is not needed here.
Best Regards,
Hao Wu
>
>
> Thanks,
> Star
> -----Original Message-----
> From: Wu, Hao A
> Sent: Tuesday, September 25, 2018 2:13 PM
> To: edk2-devel@lists.01.org
> Cc: Wu, Hao A <hao.a.wu@intel.com>; Yao, Jiewen
> <jiewen.yao@intel.com>; Zeng, Star <star.zeng@intel.com>
> Subject: [PATCH v2 2/5] MdeModulePkg/FaultTolerantWrite:[CVE-2017-
> 5753]Fix bounds check bypass
>
> REF:https://bugzilla.tianocore.org/show_bug.cgi?id=1194
>
> Speculative execution is used by processor to avoid having to wait for
> data to arrive from memory, or for previous operations to finish, the
> processor may speculate as to what will be executed.
>
> If the speculation is incorrect, the speculatively executed
> instructions might leave hints such as which memory locations have been brought into cache.
> Malicious actors can use the bounds check bypass method (code gadgets
> with controlled external inputs) to infer data values that have been
> used in speculative operations to reveal secrets which should not
> otherwise be accessed.
>
> This commit will focus on the SMI handler(s) registered within the
> FaultTolerantWriteDxe driver and insert AsmLfence API to mitigate the
> bounds check bypass issue.
>
> For SMI handler SmmFaultTolerantWriteHandler():
>
> Under "case FTW_FUNCTION_WRITE:", 'SmmFtwWriteHeader->Length' can be a
> potential cross boundary access of the 'CommBuffer' (controlled
> external
> inputs) during speculative execution. This cross boundary access is
> later passed as parameter 'Length' into function FtwWrite().
>
> Within function FtwWrite(), the value of 'Length' can be inferred by code:
> "CopyMem (MyBuffer + Offset, Buffer, Length);". One can observe which
> part of the content within 'Buffer' was brought into cache to possibly
> reveal the value of 'Length'.
>
> Hence, this commit adds a AsmLfence() after the boundary/range checks
> of 'CommBuffer' to prevent the speculative execution.
>
> A more detailed explanation of the purpose of commit is under the
> 'Bounds check bypass mitigation' section of the below link:
> https://software.intel.com/security-software-guidance/insights/host-fi
> rmware- speculative-execution-side-channel-mitigation
>
> And the document at:
> https://software.intel.com/security-software-guidance/api-
> app/sites/default/files/337879-analyzing-potential-bounds-Check-bypass
> -
> vulnerabilities.pdf
>
> Cc: Jiewen Yao <jiewen.yao@intel.com>
> Cc: Star Zeng <star.zeng@intel.com>
> Contributed-under: TianoCore Contribution Agreement 1.1
> Signed-off-by: Hao Wu <hao.a.wu@intel.com>
> ---
> MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteSmm.c
> | 7 +++++++
>
> MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteSmm.inf
> | 1 +
> 2 files changed, 8 insertions(+)
>
> diff --git
> a/MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteSmm.c
> b/MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteSmm.c
> index 632313f076..27fcab19b6 100644
> ---
> a/MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteSmm.c
> +++
> b/MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteSmm
> +++ .c
> @@ -57,6 +57,7 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND,
> EITHER EXPRESS OR IMPLIED.
> #include <PiSmm.h>
> #include <Library/SmmServicesTableLib.h> #include
> <Library/SmmMemLib.h>
> +#include <Library/BaseLib.h>
> #include <Protocol/SmmSwapAddressRange.h> #include
> "FaultTolerantWrite.h"
> #include "FaultTolerantWriteSmmCommon.h"
> @@ -417,6 +418,12 @@ SmmFaultTolerantWriteHandler (
> &SmmFvbHandle
> );
> if (!EFI_ERROR (Status)) {
> + //
> + // The AsmLfence() call here is to ensure the previous range/content
> + // checks for the CommBuffer have been completed before calling into
> + // FtwWrite().
> + //
> + AsmLfence ();
> Status = FtwWrite(
> &mFtwDevice->FtwInstance,
> SmmFtwWriteHeader->Lba, diff --git
> a/MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteSmm.i
> n
> f
> b/MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteSmm.i
> n
> f
> index 85d109e8d9..606cc2266b 100644
> ---
> a/MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteSmm.i
> n
> f
> +++
> b/MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteSmm
> +++ .inf
> @@ -55,6 +55,7 @@
> PcdLib
> ReportStatusCodeLib
> SmmMemLib
> + BaseLib
>
> [Guids]
> #
> --
> 2.12.0.windows.1
next prev parent reply other threads:[~2018-09-29 6:26 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-09-25 6:12 [PATCH v2 0/5] [CVE-2017-5753] Bounds Check Bypass issue in SMI handlers Hao Wu
2018-09-25 6:12 ` [PATCH v2 1/5] MdePkg/BaseLib: Add new AsmLfence API Hao Wu
2018-09-25 13:00 ` Laszlo Ersek
2018-09-26 1:13 ` Wu, Hao A
2018-09-29 2:33 ` Gao, Liming
2018-09-25 6:12 ` [PATCH v2 2/5] MdeModulePkg/FaultTolerantWrite:[CVE-2017-5753]Fix bounds check bypass Hao Wu
2018-09-29 6:11 ` Zeng, Star
2018-09-29 6:21 ` Wu, Hao A
2018-09-29 6:25 ` Zeng, Star [this message]
2018-09-25 6:12 ` [PATCH v2 3/5] MdeModulePkg/SmmLockBox: [CVE-2017-5753] Fix " Hao Wu
2018-09-29 6:11 ` Zeng, Star
2018-09-25 6:12 ` [PATCH v2 4/5] MdeModulePkg/Variable: " Hao Wu
2018-09-29 6:13 ` Zeng, Star
2018-09-25 6:12 ` [PATCH v2 5/5] UefiCpuPkg/PiSmmCpuDxeSmm: " Hao Wu
2018-09-25 12:08 ` Laszlo Ersek
2018-09-26 1:00 ` Wu, Hao A
2018-09-26 0:46 ` Dong, Eric
2018-09-25 20:51 ` [PATCH v2 0/5] [CVE-2017-5753] Bounds Check Bypass issue in SMI handlers Laszlo Ersek
2018-09-25 20:57 ` Laszlo Ersek
2018-09-26 1:17 ` Wu, Hao A
2018-09-28 13:13 ` Yao, Jiewen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=0C09AFA07DD0434D9E2A0C6AEB0483103BBF5F0D@shsmsx102.ccr.corp.intel.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox