From: "Sheng Wei"
To: devel@edk2.groups.io
Cc: Eric Dong, Ray Ni, Laszlo Ersek, Rahul Kumar, Jiewen Yao, Roger Feng
Subject: [PATCH] UefiCpuPkg/PiSmmCpuDxeSmm: Support detect SMM shadow stack overflow
Date: Fri, 26 Mar 2021 14:04:13 +0800
Message-Id: <20210326060413.7760-1-w.sheng@intel.com>

Use SMM stack guard feature to detect SMM shadow stack overflow.

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3280

Signed-off-by: Sheng Wei
Cc: Eric Dong
Cc: Ray Ni
Cc: Laszlo Ersek
Cc: Rahul Kumar
Cc: Jiewen Yao
Cc: Roger Feng
--- UefiCpuPkg/PiSmmCpuDxeSmm/X64/PageTbl.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/UefiCpuPkg/PiSmmCpuDxeSmm/X64/PageTbl.c b/UefiCpuPkg/PiSmmCpuDxeSmm/X64/PageTbl.c index 07e7ea70de..6902584b1f 100644 --- a/UefiCpuPkg/PiSmmCpuDxeSmm/X64/PageTbl.c +++ b/UefiCpuPkg/PiSmmCpuDxeSmm/X64/PageTbl.c
@@ -1016,6 +1016,7 @@ SmiPFHandler ( { UINTN PFAddress; UINTN GuardPageAddress; + UINTN ShadowStackGuardPageAddress; UINTN CpuIndex; ASSERT (InterruptType == EXCEPT_IA32_PAGE_FAULT); @@ -1032,7 +1033,7 @@ SmiPFHandler ( } // - // If a page fault occurs in SMRAM range, it might be in a SMM stack guard page, + // If a page fault occurs in SMRAM range, it might be in a SMM stack/shadow stack guard page, // or SMM page protection violation. // if ((PFAddress >= mCpuHotPlugData.SmrrBase) && @@ -1040,10 +1041,16 @@ SmiPFHandler ( DumpCpuContext (InterruptType, SystemContext); CpuIndex = GetCpuIndex (); GuardPageAddress = (mSmmStackArrayBase + EFI_PAGE_SIZE + CpuIndex * (mSmmStackSize + mSmmShadowStackSize)); + ShadowStackGuardPageAddress = (mSmmStackArrayBase + mSmmStackSize + EFI_PAGE_SIZE + CpuIndex * (mSmmStackSize + mSmmShadowStackSize)); if ((FeaturePcdGet (PcdCpuSmmStackGuard)) && (PFAddress >= GuardPageAddress) && (PFAddress < (GuardPageAddress + EFI_PAGE_SIZE))) { DEBUG ((DEBUG_ERROR, "SMM stack overflow!\n")); + } else if ((FeaturePcdGet (PcdCpuSmmStackGuard)) && + (mSmmShadowStackSize > 0) && + (PFAddress >= ShadowStackGuardPageAddress) && + (PFAddress < (ShadowStackGuardPageAddress + EFI_PAGE_SIZE))) { + DEBUG ((DEBUG_ERROR, "SMM shadow stack overflow!\n")); } else { if ((SystemContext.SystemContextX64->ExceptionData & IA32_PF_EC_ID) != 0) { DEBUG ((DEBUG_ERROR, "SMM exception at execution (0x%lx)\n", PFAddress)); -- 2.16.2.windows.1
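Review bot: In the SmiPFHandler hunk at -1040, the new `else if` branch only classifies the fault, so it is correct only if the page at offset `mSmmStackSize + EFI_PAGE_SIZE` inside each CPU's stack slot is actually mapped as a guard page whenever `PcdCpuSmmStackGuard` is set and `mSmmShadowStackSize > 0`. Nothing in this patch shows where that page is made not-present, so the commit message should name the code that sets it up, or the patch should include it. Otherwise a fault at that address is some other protection violation and would be reported as "SMM shadow stack overflow!". Two smaller points in the same hunk: `ShadowStackGuardPageAddress` repeats the whole per-CPU expression and could be written as `GuardPageAddress + mSmmStackSize`, which keeps the two addresses from drifting apart if the layout changes. The `FeaturePcdGet (PcdCpuSmmStackGuard)` test is also evaluated in both branches, so nesting the two range checks under a single test would read more clearly. `ShadowStackGuardPageAddress` is also computed when `mSmmShadowStackSize` is 0, where it equals the next CPU's stack guard page. The `mSmmShadowStackSize > 0` check keeps that from being misreported, and a short comment saying so would help the next reader.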