From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mga06.intel.com (mga06.intel.com []) by mx.groups.io with SMTP id smtpd.web10.360.1593666932487247443 for ; Wed, 01 Jul 2020 22:15:52 -0700 Authentication-Results: mx.groups.io; dkim=missing; spf=fail (domain: intel.com, ip: , mailfrom: guomin.jiang@intel.com) IronPort-SDR: 7h/YKPXjT/+Uc5B00DvbFtUYZhYwSZN+azVgjFJu/LuNrDbz39dwqrzYq7hcpQQ3XW7RJn0MIa 3ZBapKkrPjVA== X-IronPort-AV: E=McAfee;i="6000,8403,9669"; a="208319104" X-IronPort-AV: E=Sophos;i="5.75,302,1589266800"; d="scan'208";a="208319104" X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from orsmga005.jf.intel.com ([10.7.209.41]) by orsmga104.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 01 Jul 2020 22:15:52 -0700 IronPort-SDR: KSnH+3FrmL4V9Pq2xfUd6u81Zagm/TcMb8eAtFOvGXrZ3JO2XRubux6E6wFrV5D+mcRgX/YA8j pJiu3DCcaMoA== X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.75,302,1589266800"; d="scan'208";a="455385080" Received: from guominji-mobl.ccr.corp.intel.com ([10.238.4.95]) by orsmga005.jf.intel.com with ESMTP; 01 Jul 2020 22:15:50 -0700 From: "Guomin Jiang" To: devel@edk2.groups.io Cc: Eric Dong , Ray Ni , Laszlo Ersek , Rahul Kumar Subject: [PATCH v2 9/9] UefiCpuPkg/CpuMpPei: Enable paging and set NP flag to avoid TOCTOU (CVE-2019-11098) Date: Thu, 2 Jul 2020 13:15:25 +0800 Message-Id: <20200702051525.1102-10-guomin.jiang@intel.com> X-Mailer: git-send-email 2.25.1.windows.1 In-Reply-To: <20200702051525.1102-1-guomin.jiang@intel.com> References: <20200702051525.1102-1-guomin.jiang@intel.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit REF:https://bugzilla.tianocore.org/show_bug.cgi?id=1614 To avoid the TOCTOU, enable paging and set Not Present flag so when access any code in the flash range, it will trigger #NP exception. Cc: Eric Dong Cc: Ray Ni Cc: Laszlo Ersek Cc: Rahul Kumar Signed-off-by: Guomin Jiang --- UefiCpuPkg/CpuMpPei/CpuMpPei.inf | 3 +++ UefiCpuPkg/CpuMpPei/CpuPaging.c | 17 +++++++++++++++-- 2 files changed, 18 insertions(+), 2 deletions(-) diff --git a/UefiCpuPkg/CpuMpPei/CpuMpPei.inf b/UefiCpuPkg/CpuMpPei/CpuMpPei.inf index caead3ce34d4..fd50b55f06cb 100644 --- a/UefiCpuPkg/CpuMpPei/CpuMpPei.inf +++ b/UefiCpuPkg/CpuMpPei/CpuMpPei.inf @@ -46,6 +46,9 @@ [LibraryClasses] BaseMemoryLib CpuLib +[Guids] + gEdkiiMigratedFvInfoGuid ## SOMETIMES_CONSUMES ## HOB + [Ppis] gEfiPeiMpServicesPpiGuid ## PRODUCES gEfiSecPlatformInformationPpiGuid ## SOMETIMES_CONSUMES diff --git a/UefiCpuPkg/CpuMpPei/CpuPaging.c b/UefiCpuPkg/CpuMpPei/CpuPaging.c index d0cbebf70bbf..af4069b42cdb 100644 --- a/UefiCpuPkg/CpuMpPei/CpuPaging.c +++ b/UefiCpuPkg/CpuMpPei/CpuPaging.c @@ -12,6 +12,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent #include #include #include +#include #include "CpuMpPei.h" @@ -605,6 +606,8 @@ MemoryDiscoveredPpiNotifyCallback ( EFI_STATUS Status; BOOLEAN InitStackGuard; BOOLEAN InterruptState; + EDKII_MIGRATED_FV_INFO *MigratedFvInfo; + EFI_PEI_HOB_POINTERS Hob; InterruptState = SaveAndDisableInterrupts (); Status = MigrateGdt (); @@ -617,9 +620,9 @@ MemoryDiscoveredPpiNotifyCallback ( // the task switch (for the sake of stack switch). // InitStackGuard = FALSE; - if (IsIa32PaeSupported () && PcdGetBool (PcdCpuStackGuard)) { + if (IsIa32PaeSupported ()) { EnablePaging (); - InitStackGuard = TRUE; + InitStackGuard = PcdGetBool (PcdCpuStackGuard); } Status = InitializeCpuMpWorker ((CONST EFI_PEI_SERVICES **)PeiServices); @@ -629,6 +632,16 @@ MemoryDiscoveredPpiNotifyCallback ( SetupStackGuardPage (); } + Hob.Raw = GetFirstGuidHob (&gEdkiiMigratedFvInfoGuid); + while (Hob.Raw != NULL) { + MigratedFvInfo = GET_GUID_HOB_DATA (Hob); + ConvertMemoryPageAttributes (MigratedFvInfo->FvOrgBase, MigratedFvInfo->FvLength, 0); + + Hob.Raw = GET_NEXT_HOB (Hob); + Hob.Raw = GetNextGuidHob (&gEdkiiMigratedFvInfoGuid, Hob.Raw); + } + CpuFlushTlb (); + return Status; } -- 2.25.1.windows.1