From: "Gao, Liming" <liming.gao@intel.com>
To: "Wu, Hao A" <hao.a.wu@intel.com>,
"edk2-devel@lists.01.org" <edk2-devel@lists.01.org>
Cc: "Wu, Hao A" <hao.a.wu@intel.com>,
Laszlo Ersek <lersek@redhat.com>,
"Yao, Jiewen" <jiewen.yao@intel.com>,
"Zeng, Star" <star.zeng@intel.com>
Subject: Re: [PATCH v2 1/2] MdeModulePkg/SmmCorePerfLib: [CVE-2017-5753] Fix bounds check bypass
Date: Wed, 21 Nov 2018 06:16:06 +0000 [thread overview]
Message-ID: <4A89E2EF3DFEDB4C8BFDE51014F606A14E36F861@SHSMSX104.ccr.corp.intel.com> (raw)
In-Reply-To: <20181116041242.37604-2-hao.a.wu@intel.com>
Hao:
In previous discussion, the suggested subject style is MdeModulePkg/SmmCorePerfLib: Fix bounds check bypass(CVE-2017-5753).
Thanks
Liming
> -----Original Message-----
> From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of Hao Wu
> Sent: Friday, November 16, 2018 12:13 PM
> To: edk2-devel@lists.01.org
> Cc: Wu, Hao A <hao.a.wu@intel.com>; Laszlo Ersek <lersek@redhat.com>; Yao, Jiewen <jiewen.yao@intel.com>; Zeng, Star
> <star.zeng@intel.com>
> Subject: [edk2] [PATCH v2 1/2] MdeModulePkg/SmmCorePerfLib: [CVE-2017-5753] Fix bounds check bypass
>
> REF:https://bugzilla.tianocore.org/show_bug.cgi?id=1194
>
> Speculative execution is used by processor to avoid having to wait for
> data to arrive from memory, or for previous operations to finish, the
> processor may speculate as to what will be executed.
>
> If the speculation is incorrect, the speculatively executed instructions
> might leave hints such as which memory locations have been brought into
> cache. Malicious actors can use the bounds check bypass method (code
> gadgets with controlled external inputs) to infer data values that have
> been used in speculative operations to reveal secrets which should not
> otherwise be accessed.
>
> This commit will focus on the SMI handler(s) registered within the
> SmmCorePerformanceLib and insert AsmLfence API to mitigate the bounds
> check bypass issue.
>
> For SMI handler SmmPerformanceHandlerEx():
>
> Under "case SMM_PERF_FUNCTION_GET_GAUGE_DATA :",
> 'SmmPerfCommData->LogEntryKey' can be a potential cross boundary access of
> the 'CommBuffer' (controlled external inputs) during speculative
> execution. This cross boundary access is then assign to parameter
> 'LogEntryKey'. And the value of 'LogEntryKey' can be inferred by code:
>
> CopyMem (
> (UINT8 *) &GaugeDataEx[Index],
> (UINT8 *) &GaugeEntryExArray[LogEntryKey++],
> sizeof (GAUGE_DATA_ENTRY_EX)
> );
>
> One can observe which part of the content within 'GaugeEntryExArray' was
> brought into cache to possibly reveal the value of 'LogEntryKey'.
>
> Hence, this commit adds a AsmLfence() after the boundary/range checks of
> 'CommBuffer' to prevent the speculative execution.
>
> And there is 1 similar case for SMI handler SmmPerformanceHandler() as
> well. This commit also handles it.
>
> A more detailed explanation of the purpose of commit is under the
> 'Bounds check bypass mitigation' section of the below link:
> https://software.intel.com/security-software-guidance/insights/host-firmware-speculative-execution-side-channel-mitigation
>
> And the document at:
> https://software.intel.com/security-software-guidance/api-app/sites/default/files/337879-analyzing-potential-bounds-Check-bypass-vuln
> erabilities.pdf
>
> Cc: Star Zeng <star.zeng@intel.com>
> Cc: Jiewen Yao <jiewen.yao@intel.com>
> Cc: Laszlo Ersek <lersek@redhat.com>
> Contributed-under: TianoCore Contribution Agreement 1.1
> Signed-off-by: Hao Wu <hao.a.wu@intel.com>
> ---
> MdeModulePkg/Library/SmmCorePerformanceLib/SmmCorePerformanceLib.c | 16 +++++++++++++++-
> 1 file changed, 15 insertions(+), 1 deletion(-)
>
> diff --git a/MdeModulePkg/Library/SmmCorePerformanceLib/SmmCorePerformanceLib.c
> b/MdeModulePkg/Library/SmmCorePerformanceLib/SmmCorePerformanceLib.c
> index cd1f1a5d5f..63c1eea3a2 100644
> --- a/MdeModulePkg/Library/SmmCorePerformanceLib/SmmCorePerformanceLib.c
> +++ b/MdeModulePkg/Library/SmmCorePerformanceLib/SmmCorePerformanceLib.c
> @@ -16,7 +16,7 @@
>
> SmmPerformanceHandlerEx(), SmmPerformanceHandler() will receive untrusted input and do basic validation.
>
> -Copyright (c) 2011 - 2017, Intel Corporation. All rights reserved.<BR>
> +Copyright (c) 2011 - 2018, Intel Corporation. All rights reserved.<BR>
> This program and the accompanying materials
> are licensed and made available under the terms and conditions of the BSD License
> which accompanies this distribution. The full text of the license may be found at
> @@ -538,6 +538,13 @@ SmmPerformanceHandlerEx (
> break;
> }
>
> + //
> + // The AsmLfence() call here is to ensure the previous range/content
> + // checks for the CommBuffer have been completed before calling
> + // CopyMem().
> + //
> + AsmLfence ();
> +
> GaugeEntryExArray = (GAUGE_DATA_ENTRY_EX *) (mGaugeData + 1);
>
> for (Index = 0; Index < NumberOfEntries; Index++) {
> @@ -650,6 +657,13 @@ SmmPerformanceHandler (
> break;
> }
>
> + //
> + // The AsmLfence() call here is to ensure the previous range/content
> + // checks for the CommBuffer have been completed before calling
> + // CopyMem().
> + //
> + AsmLfence ();
> +
> GaugeEntryExArray = (GAUGE_DATA_ENTRY_EX *) (mGaugeData + 1);
>
> for (Index = 0; Index < NumberOfEntries; Index++) {
> --
> 2.12.0.windows.1
>
> _______________________________________________
> edk2-devel mailing list
> edk2-devel@lists.01.org
> https://lists.01.org/mailman/listinfo/edk2-devel
next prev parent reply other threads:[~2018-11-21 6:16 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-11-16 4:12 [PATCH v2 0/2][UDK branches][CVE-2017-5753] Additional Bounds Check Bypass issue in SMI handlers Hao Wu
2018-11-16 4:12 ` [PATCH v2 1/2] MdeModulePkg/SmmCorePerfLib: [CVE-2017-5753] Fix bounds check bypass Hao Wu
2018-11-16 4:40 ` Zeng, Star
2018-11-21 6:16 ` Gao, Liming [this message]
2018-11-21 6:17 ` Wu, Hao A
2018-11-16 4:12 ` [PATCH v2 2/2] SecurityPkg/OpalPWSupportLib: " Hao Wu
2018-11-19 1:20 ` Dong, Eric
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4A89E2EF3DFEDB4C8BFDE51014F606A14E36F861@SHSMSX104.ccr.corp.intel.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox