From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <hao.a.wu@intel.com>
Received-SPF: Pass (sender SPF authorized) identity=mailfrom;
 client-ip=192.55.52.115; helo=mga14.intel.com;
 envelope-from=hao.a.wu@intel.com; receiver=edk2-devel@lists.01.org 
Received: from mga14.intel.com (mga14.intel.com [192.55.52.115])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (No client certificate requested)
 by ml01.01.org (Postfix) with ESMTPS id 03B9D21160A17
 for <edk2-devel@lists.01.org>; Sat, 29 Sep 2018 22:30:06 -0700 (PDT)
X-Amp-Result: SKIPPED(no attachment in message)
X-Amp-File-Uploaded: False
Received: from orsmga005.jf.intel.com ([10.7.209.41])
 by fmsmga103.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384;
 29 Sep 2018 22:30:06 -0700
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.54,322,1534834800"; d="scan'208";a="261591785"
Received: from shwdeopenpsi014.ccr.corp.intel.com ([10.239.9.19])
 by orsmga005.jf.intel.com with ESMTP; 29 Sep 2018 22:28:46 -0700
From: Hao Wu <hao.a.wu@intel.com>
To: edk2-devel@lists.01.org
Cc: Hao Wu <hao.a.wu@intel.com>,
	Jiewen Yao <jiewen.yao@intel.com>
Date: Sun, 30 Sep 2018 13:28:43 +0800
Message-Id: <20180930052843.13840-1-hao.a.wu@intel.com>
X-Mailer: git-send-email 2.12.0.windows.1
Subject: [PATCH v1][edk2-platforms/devel-MinPlatform] MinPlatformPkg/Test: [CVE-2017-5753] Fix bounds check bypass
X-BeenThere: edk2-devel@lists.01.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: EDK II Development  <edk2-devel.lists.01.org>
List-Unsubscribe: <https://lists.01.org/mailman/options/edk2-devel>,
 <mailto:edk2-devel-request@lists.01.org?subject=unsubscribe>
List-Archive: <http://lists.01.org/pipermail/edk2-devel/>
List-Post: <mailto:edk2-devel@lists.01.org>
List-Help: <mailto:edk2-devel-request@lists.01.org?subject=help>
List-Subscribe: <https://lists.01.org/mailman/listinfo/edk2-devel>,
 <mailto:edk2-devel-request@lists.01.org?subject=subscribe>
X-List-Received-Date: Sun, 30 Sep 2018 05:30:07 -0000

Speculative execution is used by processor to avoid having to wait for
data to arrive from memory, or for previous operations to finish, the
processor may speculate as to what will be executed.

If the speculation is incorrect, the speculatively executed instructions
might leave hints such as which memory locations have been brought into
cache. Malicious actors can use the bounds check bypass method (code
gadgets with controlled external inputs) to infer data values that have
been used in speculative operations to reveal secrets which should not
otherwise be accessed.

This commit will focus on the SMI handler(s) registered within
TestPointCheckLib & TestPointLib and insert AsmLfence API to mitigate the
bounds check bypass issue.

A. For SMI handler TestPointSmmHandler() within TestPointCheckLib:

Under "case TEST_POINT_SMM_COMMUNICATION_FUNC_ID_UEFI_GCD_MAP_INFO:",
'CommBuffer' (controlled external inputs) is passed into function
TestPointSmmReadyToBootSmmPageProtectionHandler().

Within function TestPointSmmReadyToBootSmmPageProtectionHandler(), the
contents in 'CommBuffer' will be copied into 'CommData'. But if the size
and sanity checks for the communication buffer is speculatively bypassed,
'(UINTN)CommData + CommData->UefiMemoryMapOffset)' can potentially point
to cross boundary area of 'CommData'. This pointer is then passed into
function TestPointCheckSmmCommunicationBuffer() as 'UefiMemoryMap'.

Within function TestPointCheckSmmCommunicationBuffer(),
'MemoryMap->PhysicalStart' can be a potential cross boundary access. And
its value can be inferred by function calls sequence:

TestPointCheckPageTable() via 'BaseAddress'
GetPageTableEntry() via 'BaseAddress'. Then one can observe which part of
the content within arrays 'L4PageTable', 'L3PageTable', 'L2PageTable' or
'L1PageTable', was brought into cache to possibly reveal the value.

B. For SMI handler SmmTestPointSmiHandler() within TestPointLib:

Under "case SMI_HANDLER_TEST_POINT_COMMAND_GET_DATA_BY_OFFSET:",
'CommBuffer' (controlled external inputs) is passed into function
SmmTestPointSmiHandlerGetDataByOffset().

Within function SmmTestPointSmiHandlerGetDataByOffset(), the contents in
'CommBuffer' will be copied into 'SmiHandlerTestPointGetDataByOffset'. But
if the size and sanity checks for the communication buffer is
speculatively bypassed, 'SmiHandlerTestPointGetDataByOffset.DataSize' can
be a potential cross boundary access.

Then in function SmiHandlerTestPointCopyData(), this value can be inferred
by code:
  CopyMem(
    DataBuffer,
    (UINT8 *)InputData + *DataOffset,
    (UINTN)*DataSize
    );
One can observe which part of the content within 'DataBuffer' was brought
into cache to possibly reveal the cross bounary access value.

Hence, this commit adds AsmLfence() calls after the boundary/range checks
of the communication buffer to prevent the speculative execution.

A more detailed explanation of the purpose of commit is under the
'Bounds check bypass mitigation' section of the below link:
https://software.intel.com/security-software-guidance/insights/host-firmware-speculative-execution-side-channel-mitigation

And the document at:
https://software.intel.com/security-software-guidance/api-app/sites/default/files/337879-analyzing-potential-bounds-Check-bypass-vulnerabilities.pdf

Cc: Jiewen Yao <jiewen.yao@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Hao Wu <hao.a.wu@intel.com>
---
 Platform/Intel/MinPlatformPkg/Test/Library/TestPointCheckLib/SmmTestPointCheckLib.c | 7 +++++++
 Platform/Intel/MinPlatformPkg/Test/Library/TestPointLib/SmmTestPointCommunication.c | 8 +++++++-
 2 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/Platform/Intel/MinPlatformPkg/Test/Library/TestPointCheckLib/SmmTestPointCheckLib.c b/Platform/Intel/MinPlatformPkg/Test/Library/TestPointCheckLib/SmmTestPointCheckLib.c
index b40469b278..dc40dae6d5 100644
--- a/Platform/Intel/MinPlatformPkg/Test/Library/TestPointCheckLib/SmmTestPointCheckLib.c
+++ b/Platform/Intel/MinPlatformPkg/Test/Library/TestPointCheckLib/SmmTestPointCheckLib.c
@@ -14,6 +14,7 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
 #include <PiSmm.h>
 #include <Library/TestPointCheckLib.h>
 #include <Library/TestPointLib.h>
+#include <Library/BaseLib.h>
 #include <Library/DebugLib.h>
 #include <Library/BaseMemoryLib.h>
 #include <Library/MemoryAllocationLib.h>
@@ -374,6 +375,12 @@ TestPointSmmReadyToBootSmmPageProtectionHandler (
   }
 
   if (CommData->UefiMemoryMapSize != 0) {
+    //
+    // The AsmLfence() call here is to ensure the previous range/content checks
+    // for the CommBuffer (copied in to CommData) have been completed before
+    // calling into TestPointCheckSmmCommunicationBuffer().
+    //
+    AsmLfence ();
     Result = TRUE;
 
     Status = TestPointCheckSmmCommunicationBuffer (
diff --git a/Platform/Intel/MinPlatformPkg/Test/Library/TestPointLib/SmmTestPointCommunication.c b/Platform/Intel/MinPlatformPkg/Test/Library/TestPointLib/SmmTestPointCommunication.c
index cce0538832..b4757da046 100644
--- a/Platform/Intel/MinPlatformPkg/Test/Library/TestPointLib/SmmTestPointCommunication.c
+++ b/Platform/Intel/MinPlatformPkg/Test/Library/TestPointLib/SmmTestPointCommunication.c
@@ -251,7 +251,13 @@ SmmTestPointSmiHandlerGetDataByOffset (
     SmiHandlerTestPointParameterGetDataByOffset->Header.ReturnStatus = (UINT64)(INT64)(INTN)Status;
     goto Done;
   }
-  
+
+  //
+  // The AsmLfence() call here is to ensure the previous range/content checks
+  // for the CommBuffer have been completed before calling into
+  // SmiHandlerTestPointCopyData().
+  //
+  AsmLfence ();
   SmiHandlerTestPointCopyData (
     Data,
     DataSize,
-- 
2.12.0.windows.1