public inbox for devel@edk2.groups.io
 help / color / mirror / Atom feed
From: "Laszlo Ersek" <lersek@redhat.com>
To: devel@edk2.groups.io, guomin.jiang@intel.com
Cc: Eric Dong <eric.dong@intel.com>, Ray Ni <ray.ni@intel.com>,
	Rahul Kumar <rahul1.kumar@intel.com>
Subject: Re: [edk2-devel] [PATCH v2 9/9] UefiCpuPkg/CpuMpPei: Enable paging and set NP flag to avoid TOCTOU (CVE-2019-11098)
Date: Fri, 3 Jul 2020 15:11:43 +0200	[thread overview]
Message-ID: <375f9f9d-4474-2c70-81e8-aecbce1e625a@redhat.com> (raw)
In-Reply-To: <20200702051525.1102-10-guomin.jiang@intel.com>

On 07/02/20 07:15, Guomin Jiang wrote:
> REF:https://bugzilla.tianocore.org/show_bug.cgi?id=1614
> 
> To avoid the TOCTOU, enable paging and set Not Present flag so when
> access any code in the flash range, it will trigger #NP exception.
> 
> Cc: Eric Dong <eric.dong@intel.com>
> Cc: Ray Ni <ray.ni@intel.com>
> Cc: Laszlo Ersek <lersek@redhat.com>
> Cc: Rahul Kumar <rahul1.kumar@intel.com>
> Signed-off-by: Guomin Jiang <guomin.jiang@intel.com>
> ---
>  UefiCpuPkg/CpuMpPei/CpuMpPei.inf |  3 +++
>  UefiCpuPkg/CpuMpPei/CpuPaging.c  | 17 +++++++++++++++--
>  2 files changed, 18 insertions(+), 2 deletions(-)
> 
> diff --git a/UefiCpuPkg/CpuMpPei/CpuMpPei.inf b/UefiCpuPkg/CpuMpPei/CpuMpPei.inf
> index caead3ce34d4..fd50b55f06cb 100644
> --- a/UefiCpuPkg/CpuMpPei/CpuMpPei.inf
> +++ b/UefiCpuPkg/CpuMpPei/CpuMpPei.inf
> @@ -46,6 +46,9 @@ [LibraryClasses]
>    BaseMemoryLib
>    CpuLib
>  
> +[Guids]
> +  gEdkiiMigratedFvInfoGuid                                             ## SOMETIMES_CONSUMES     ## HOB
> +
>  [Ppis]
>    gEfiPeiMpServicesPpiGuid                      ## PRODUCES
>    gEfiSecPlatformInformationPpiGuid             ## SOMETIMES_CONSUMES
> diff --git a/UefiCpuPkg/CpuMpPei/CpuPaging.c b/UefiCpuPkg/CpuMpPei/CpuPaging.c
> index d0cbebf70bbf..af4069b42cdb 100644
> --- a/UefiCpuPkg/CpuMpPei/CpuPaging.c
> +++ b/UefiCpuPkg/CpuMpPei/CpuPaging.c
> @@ -12,6 +12,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
>  #include <Library/MemoryAllocationLib.h>
>  #include <Library/CpuLib.h>
>  #include <Library/BaseLib.h>
> +#include <Guid/MigratedFvInfo.h>
>  
>  #include "CpuMpPei.h"
>  
> @@ -605,6 +606,8 @@ MemoryDiscoveredPpiNotifyCallback (
>    EFI_STATUS  Status;
>    BOOLEAN     InitStackGuard;
>    BOOLEAN     InterruptState;
> +  EDKII_MIGRATED_FV_INFO *MigratedFvInfo;
> +  EFI_PEI_HOB_POINTERS   Hob;
>  
>    InterruptState = SaveAndDisableInterrupts ();
>    Status = MigrateGdt ();
> @@ -617,9 +620,9 @@ MemoryDiscoveredPpiNotifyCallback (
>    // the task switch (for the sake of stack switch).
>    //
>    InitStackGuard = FALSE;
> -  if (IsIa32PaeSupported () && PcdGetBool (PcdCpuStackGuard)) {
> +  if (IsIa32PaeSupported ()) {
>      EnablePaging ();
> -    InitStackGuard = TRUE;
> +    InitStackGuard = PcdGetBool (PcdCpuStackGuard);
>    }
>  
>    Status = InitializeCpuMpWorker ((CONST EFI_PEI_SERVICES **)PeiServices);
> @@ -629,6 +632,16 @@ MemoryDiscoveredPpiNotifyCallback (
>      SetupStackGuardPage ();
>    }
>  
> +  Hob.Raw  = GetFirstGuidHob (&gEdkiiMigratedFvInfoGuid);
> +  while (Hob.Raw != NULL) {
> +    MigratedFvInfo = GET_GUID_HOB_DATA (Hob);
> +    ConvertMemoryPageAttributes (MigratedFvInfo->FvOrgBase, MigratedFvInfo->FvLength, 0);
> +
> +    Hob.Raw = GET_NEXT_HOB (Hob);
> +    Hob.Raw = GetNextGuidHob (&gEdkiiMigratedFvInfoGuid, Hob.Raw);
> +  }
> +  CpuFlushTlb ();
> +
>    return Status;
>  }
>  
> 

(1) This patch calls EnablePaging() even if no
"gEdkiiMigratedFvInfoGuid" HOB exists.

In other words, assume "PcdMigrateTemporaryRamFirmwareVolumes" is FALSE.

- In that case, PeiCore() will not call EvacuateTempRam().

- Consequently, zero "gEdkiiMigratedFvInfoGuid" HOBs are going to be built.

- Consequently, this patch will never call ConvertMemoryPageAttributes()

Why do we call EnablePaging() then (assuming IsIa32PaeSupported()
returns TRUE)?


(2) Consider the opposite case. Assume IsIa32PaeSupported() returns
FALSE. Further assume that at least one "gEdkiiMigratedFvInfoGuid" HOB
exists.

Then ConvertMemoryPageAttributes() will be called, without us ever
calling EnablePaging(). That doesn't seem right.

I suggest:


  BOOLEAN              InitStackGuard;
  EFI_PEI_HOB_POINTERS Hob;

  InitStackGuard = FALSE;
  Hob.Raw = NULL;

  //
  // Both the "stack guard" feature and the "temp RAM evacuation"
  // feature depend on IA32 PAE support.
  //
  if (IsIa32PaeSupported ()) {
    InitStackGuard = PcdGetBool (PcdCpuStackGuard);
    Hob.Raw = GetFirstGuidHob (&gEdkiiMigratedFvInfoGuid);
  }

  //
  // If either feature is active, then paging is required; enable it.
  //
  if (InitStackGuard || Hob.Raw != NULL) {
    EnablePaging ();
  }

  /* ... */

  if (InitStackGuard) {
    SetupStackGuardPage ();
  }

  /* note: no need to call GetFirstGuidHob() again! */
  while (Hob.Raw != NULL) {
    /* ... */
  }
  CpuFlushTlb ();


Thanks
Laszlo


  reply	other threads:[~2020-07-03 13:11 UTC|newest]

Thread overview: 25+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-07-02  5:15 [PATCH v2 0/9] Migrate Pointer from flash to permanent memory (CVE-2019-11098) Guomin Jiang
2020-07-02  5:15 ` [PATCH v2 1/9] MdeModulePkg/PeiCore: Enable T-RAM evacuation in PeiCore (CVE-2019-11098) Guomin Jiang
2020-07-03 12:22   ` [edk2-devel] " Laszlo Ersek
2020-07-03 13:52   ` Laszlo Ersek
2020-07-02  5:15 ` [PATCH v2 2/9] UefiCpuPkg/CpuMpPei: Add GDT and IDT migration support (CVE-2019-11098) Guomin Jiang
2020-07-02  7:36   ` [edk2-devel] " Ni, Ray
2020-07-03 11:36   ` Laszlo Ersek
2020-07-03 11:52     ` Laszlo Ersek
2020-07-03 13:57   ` Laszlo Ersek
2020-07-03 14:33     ` Laszlo Ersek
2020-07-02  5:15 ` [PATCH v2 3/9] UefiCpuPkg/SecMigrationPei: Add initial PEIM (CVE-2019-11098) Guomin Jiang
2020-07-03 11:38   ` [edk2-devel] " Laszlo Ersek
2020-07-02  5:15 ` [PATCH v2 4/9] MdeModulePkg/DxeIplPeim: Register for shadow on S3 shadowed boot (CVE-2019-11098) Guomin Jiang
2020-07-03 14:00   ` [edk2-devel] " Laszlo Ersek
2020-07-03 14:23     ` Laszlo Ersek
2020-07-02  5:15 ` [PATCH v2 5/9] MdeModulePkg/Core: Create Migrated FV Info Hob for calculating hash (CVE-2019-11098) Guomin Jiang
2020-07-03 14:03   ` [edk2-devel] " Laszlo Ersek
2020-07-02  5:15 ` [PATCH v2 6/9] SecurityPkg/Tcg2Pei: Use " Guomin Jiang
2020-07-02  5:15 ` [PATCH v2 7/9] MdeModulePkg/Core: Add switch to enable or disable TOCTOU feature (CVE-2019-11098) Guomin Jiang
2020-07-03 12:48   ` [edk2-devel] " Laszlo Ersek
2020-07-02  5:15 ` [PATCH v2 8/9] UefiCpuPkg/SecMigrationPei: Add switch to control if produce PPI (CVE-2019-11098) Guomin Jiang
2020-07-03 14:05   ` [edk2-devel] " Laszlo Ersek
2020-07-02  5:15 ` [PATCH v2 9/9] UefiCpuPkg/CpuMpPei: Enable paging and set NP flag to avoid TOCTOU (CVE-2019-11098) Guomin Jiang
2020-07-03 13:11   ` Laszlo Ersek [this message]
2020-07-03 14:06 ` [edk2-devel] [PATCH v2 0/9] Migrate Pointer from flash to permanent memory (CVE-2019-11098) Laszlo Ersek

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-list from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=375f9f9d-4474-2c70-81e8-aecbce1e625a@redhat.com \
    --to=devel@edk2.groups.io \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox