From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=134.134.136.20; helo=mga02.intel.com; envelope-from=star.zeng@intel.com; receiver=edk2-devel@lists.01.org Received: from mga02.intel.com (mga02.intel.com [134.134.136.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id 157DA2115C31D for ; Fri, 28 Sep 2018 23:26:15 -0700 (PDT) X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from fmsmga004.fm.intel.com ([10.253.24.48]) by orsmga101.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 28 Sep 2018 23:26:15 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.54,318,1534834800"; d="scan'208";a="93122643" Received: from fmsmsx105.amr.corp.intel.com ([10.18.124.203]) by fmsmga004.fm.intel.com with ESMTP; 28 Sep 2018 23:25:09 -0700 Received: from fmsmsx152.amr.corp.intel.com (10.18.125.5) by FMSMSX105.amr.corp.intel.com (10.18.124.203) with Microsoft SMTP Server (TLS) id 14.3.319.2; Fri, 28 Sep 2018 23:25:09 -0700 Received: from shsmsx151.ccr.corp.intel.com (10.239.6.50) by FMSMSX152.amr.corp.intel.com (10.18.125.5) with Microsoft SMTP Server (TLS) id 14.3.319.2; Fri, 28 Sep 2018 23:25:09 -0700 Received: from shsmsx102.ccr.corp.intel.com ([169.254.2.140]) by SHSMSX151.ccr.corp.intel.com ([169.254.3.27]) with mapi id 14.03.0319.002; Sat, 29 Sep 2018 14:25:07 +0800 From: "Zeng, Star" To: "Wu, Hao A" , "edk2-devel@lists.01.org" CC: "Yao, Jiewen" , "Zeng, Star" Thread-Topic: [PATCH v2 2/5] MdeModulePkg/FaultTolerantWrite:[CVE-2017-5753]Fix bounds check bypass Thread-Index: AQHUVJbXhTNuuCJOcUuh/zTrTRjGcKUGzSKA//98wgCAAIb8EA== Date: Sat, 29 Sep 2018 06:25:06 +0000 Message-ID: <0C09AFA07DD0434D9E2A0C6AEB0483103BBF5F0D@shsmsx102.ccr.corp.intel.com> References: <20180925061259.31680-1-hao.a.wu@intel.com> <20180925061259.31680-3-hao.a.wu@intel.com> <0C09AFA07DD0434D9E2A0C6AEB0483103BBF5E78@shsmsx102.ccr.corp.intel.com> In-Reply-To: Accept-Language: zh-CN, en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [10.239.127.40] MIME-Version: 1.0 Subject: Re: [PATCH v2 2/5] MdeModulePkg/FaultTolerantWrite:[CVE-2017-5753]Fix bounds check bypass X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 29 Sep 2018 06:26:16 -0000 Content-Language: en-US Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Got it, thanks. Reviewed-by: Star Zeng Star -----Original Message----- From: Wu, Hao A=20 Sent: Saturday, September 29, 2018 2:21 PM To: Zeng, Star ; edk2-devel@lists.01.org Cc: Yao, Jiewen Subject: RE: [PATCH v2 2/5] MdeModulePkg/FaultTolerantWrite:[CVE-2017-5753]= Fix bounds check bypass > -----Original Message----- > From: Zeng, Star > Sent: Saturday, September 29, 2018 2:11 PM > To: Wu, Hao A; edk2-devel@lists.01.org > Cc: Yao, Jiewen; Zeng, Star > Subject: RE: [PATCH v2 2/5] MdeModulePkg/FaultTolerantWrite:[CVE-2017- > 5753]Fix bounds check bypass >=20 > Please double check whether the AsmLfence calling should be before the=20 > line below. >=20 > PrivateData =3D (VOID *)&SmmFtwWriteHeader->Data[Length]; Hi, The above code is getting the address of a possible cross bounday access du= ring the speculative execution. I also checked that the subsequent usage of 'PrivateData' does not have a c= ode pattern of the 'Bounds check bypass' issue. So I think the AsmLfence() is not needed here. Best Regards, Hao Wu >=20 >=20 > Thanks, > Star > -----Original Message----- > From: Wu, Hao A > Sent: Tuesday, September 25, 2018 2:13 PM > To: edk2-devel@lists.01.org > Cc: Wu, Hao A ; Yao, Jiewen=20 > ; Zeng, Star > Subject: [PATCH v2 2/5] MdeModulePkg/FaultTolerantWrite:[CVE-2017- > 5753]Fix bounds check bypass >=20 > REF:https://bugzilla.tianocore.org/show_bug.cgi?id=3D1194 >=20 > Speculative execution is used by processor to avoid having to wait for=20 > data to arrive from memory, or for previous operations to finish, the=20 > processor may speculate as to what will be executed. >=20 > If the speculation is incorrect, the speculatively executed=20 > instructions might leave hints such as which memory locations have been b= rought into cache. > Malicious actors can use the bounds check bypass method (code gadgets=20 > with controlled external inputs) to infer data values that have been=20 > used in speculative operations to reveal secrets which should not=20 > otherwise be accessed. >=20 > This commit will focus on the SMI handler(s) registered within the=20 > FaultTolerantWriteDxe driver and insert AsmLfence API to mitigate the=20 > bounds check bypass issue. >=20 > For SMI handler SmmFaultTolerantWriteHandler(): >=20 > Under "case FTW_FUNCTION_WRITE:", 'SmmFtwWriteHeader->Length' can be a=20 > potential cross boundary access of the 'CommBuffer' (controlled=20 > external > inputs) during speculative execution. This cross boundary access is=20 > later passed as parameter 'Length' into function FtwWrite(). >=20 > Within function FtwWrite(), the value of 'Length' can be inferred by code= : > "CopyMem (MyBuffer + Offset, Buffer, Length);". One can observe which=20 > part of the content within 'Buffer' was brought into cache to possibly=20 > reveal the value of 'Length'. >=20 > Hence, this commit adds a AsmLfence() after the boundary/range checks=20 > of 'CommBuffer' to prevent the speculative execution. >=20 > A more detailed explanation of the purpose of commit is under the=20 > 'Bounds check bypass mitigation' section of the below link: > https://software.intel.com/security-software-guidance/insights/host-fi > rmware- speculative-execution-side-channel-mitigation >=20 > And the document at: > https://software.intel.com/security-software-guidance/api- > app/sites/default/files/337879-analyzing-potential-bounds-Check-bypass > - > vulnerabilities.pdf >=20 > Cc: Jiewen Yao > Cc: Star Zeng > Contributed-under: TianoCore Contribution Agreement 1.1 > Signed-off-by: Hao Wu > --- > MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteSmm.c > | 7 +++++++ > =20 > MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteSmm.inf > | 1 + > 2 files changed, 8 insertions(+) >=20 > diff --git > a/MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteSmm.c > b/MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteSmm.c > index 632313f076..27fcab19b6 100644 > --- > a/MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteSmm.c > +++ > b/MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteSmm > +++ .c > @@ -57,6 +57,7 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND,=20 > EITHER EXPRESS OR IMPLIED. > #include > #include #include=20 > > +#include > #include #include=20 > "FaultTolerantWrite.h" > #include "FaultTolerantWriteSmmCommon.h" > @@ -417,6 +418,12 @@ SmmFaultTolerantWriteHandler ( > &SmmFvbHandle > ); > if (!EFI_ERROR (Status)) { > + // > + // The AsmLfence() call here is to ensure the previous range/con= tent > + // checks for the CommBuffer have been completed before calling = into > + // FtwWrite(). > + // > + AsmLfence (); > Status =3D FtwWrite( > &mFtwDevice->FtwInstance, > SmmFtwWriteHeader->Lba, diff --git=20 > a/MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteSmm.i > n > f > b/MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteSmm.i > n > f > index 85d109e8d9..606cc2266b 100644 > --- > a/MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteSmm.i > n > f > +++ > b/MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteSmm > +++ .inf > @@ -55,6 +55,7 @@ > PcdLib > ReportStatusCodeLib > SmmMemLib > + BaseLib >=20 > [Guids] > # > -- > 2.12.0.windows.1