From: Laszlo Ersek <lersek@redhat.com>
To: Hao Wu <hao.a.wu@intel.com>, edk2-devel@lists.01.org
Cc: Jiewen Yao <jiewen.yao@intel.com>,
Michael D Kinney <michael.d.kinney@intel.com>,
Eric Dong <eric.dong@intel.com>
Subject: Re: [PATCH v2 5/5] UefiCpuPkg/PiSmmCpuDxeSmm: [CVE-2017-5753] Fix bounds check bypass
Date: Tue, 25 Sep 2018 14:08:43 +0200 [thread overview]
Message-ID: <61e81dd1-31e9-2026-4766-d6b43b6db3e3@redhat.com> (raw)
In-Reply-To: <20180925061259.31680-6-hao.a.wu@intel.com>
On 09/25/18 08:12, Hao Wu wrote:
> REF:https://bugzilla.tianocore.org/show_bug.cgi?id=1194
>
> Speculative execution is used by processor to avoid having to wait for
> data to arrive from memory, or for previous operations to finish, the
> processor may speculate as to what will be executed.
>
> If the speculation is incorrect, the speculatively executed instructions
> might leave hints such as which memory locations have been brought into
> cache. Malicious actors can use the bounds check bypass method (code
> gadgets with controlled external inputs) to infer data values that have
> been used in speculative operations to reveal secrets which should not
> otherwise be accessed.
>
> It is possible for SMI handler(s) to call EFI_SMM_CPU_PROTOCOL service
> ReadSaveState() and use the content in the 'CommBuffer' (controlled
> external inputs) as the 'CpuIndex'. So this commit will insert AsmLfence
> API to mitigate the bounds check bypass issue within SmmReadSaveState().
>
> For SmmReadSaveState():
>
> The 'CpuIndex' will be passed into function ReadSaveStateRegister(). And
> then in to ReadSaveStateRegisterByIndex().
>
> With the call:
> ReadSaveStateRegisterByIndex (
> CpuIndex,
> SMM_SAVE_STATE_REGISTER_IOMISC_INDEX,
> sizeof(IoMisc.Uint32),
> &IoMisc.Uint32
> );
>
> The 'IoMisc' can be a cross boundary access during speculative execution.
> Later, 'IoMisc' is used as the index to access buffers 'mSmmCpuIoWidth'
> and 'mSmmCpuIoType'. One can observe which part of the content within
> those buffers was brought into cache to possibly reveal the value of
> 'IoMisc'.
>
> Hence, this commit adds a AsmLfence() after the check of 'CpuIndex'
> within function SmmReadSaveState() to prevent the speculative execution.
>
> A more detailed explanation of the purpose of commit is under the
> 'Bounds check bypass mitigation' section of the below link:
> https://software.intel.com/security-software-guidance/insights/host-firmware-speculative-execution-side-channel-mitigation
>
> And the document at:
> https://software.intel.com/security-software-guidance/api-app/sites/default/files/337879-analyzing-potential-bounds-Check-bypass-vulnerabilities.pdf
>
> Cc: Laszlo Ersek <lersek@redhat.com>
> Cc: Jiewen Yao <jiewen.yao@intel.com>
> Cc: Michael D Kinney <michael.d.kinney@intel.com>
> Cc: Eric Dong <eric.dong@intel.com>
> Contributed-under: TianoCore Contribution Agreement 1.1
> Signed-off-by: Hao Wu <hao.a.wu@intel.com>
>
> cb pismm
Before you push this version (or when preparing a v3, if necessary),
please remove the above stray text, from the end of the commit message.
I've now looked over this series. I didn't try to verify whether the
lfence instructions had been added at right places, or whether they had
been added at *all* the right places. However, structurally the series
looks OK to me.
series
Acked-by: Laszlo Ersek <lersek@redhat.com>
I will follow up with regression test results.
Thanks
Laszlo
> ---
> UefiCpuPkg/PiSmmCpuDxeSmm/PiSmmCpuDxeSmm.c | 5 +++++
> 1 file changed, 5 insertions(+)
>
> diff --git a/UefiCpuPkg/PiSmmCpuDxeSmm/PiSmmCpuDxeSmm.c b/UefiCpuPkg/PiSmmCpuDxeSmm/PiSmmCpuDxeSmm.c
> index fbf74e8d90..19979d5418 100644
> --- a/UefiCpuPkg/PiSmmCpuDxeSmm/PiSmmCpuDxeSmm.c
> +++ b/UefiCpuPkg/PiSmmCpuDxeSmm/PiSmmCpuDxeSmm.c
> @@ -237,6 +237,11 @@ SmmReadSaveState (
> if ((CpuIndex >= gSmst->NumberOfCpus) || (Buffer == NULL)) {
> return EFI_INVALID_PARAMETER;
> }
> + //
> + // The AsmLfence() call here is to ensure the above check for the CpuIndex
> + // has been completed before the execution of subsequent codes.
> + //
> + AsmLfence ();
>
> //
> // Check for special EFI_SMM_SAVE_STATE_REGISTER_PROCESSOR_ID
>
next prev parent reply other threads:[~2018-09-25 12:08 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-09-25 6:12 [PATCH v2 0/5] [CVE-2017-5753] Bounds Check Bypass issue in SMI handlers Hao Wu
2018-09-25 6:12 ` [PATCH v2 1/5] MdePkg/BaseLib: Add new AsmLfence API Hao Wu
2018-09-25 13:00 ` Laszlo Ersek
2018-09-26 1:13 ` Wu, Hao A
2018-09-29 2:33 ` Gao, Liming
2018-09-25 6:12 ` [PATCH v2 2/5] MdeModulePkg/FaultTolerantWrite:[CVE-2017-5753]Fix bounds check bypass Hao Wu
2018-09-29 6:11 ` Zeng, Star
2018-09-29 6:21 ` Wu, Hao A
2018-09-29 6:25 ` Zeng, Star
2018-09-25 6:12 ` [PATCH v2 3/5] MdeModulePkg/SmmLockBox: [CVE-2017-5753] Fix " Hao Wu
2018-09-29 6:11 ` Zeng, Star
2018-09-25 6:12 ` [PATCH v2 4/5] MdeModulePkg/Variable: " Hao Wu
2018-09-29 6:13 ` Zeng, Star
2018-09-25 6:12 ` [PATCH v2 5/5] UefiCpuPkg/PiSmmCpuDxeSmm: " Hao Wu
2018-09-25 12:08 ` Laszlo Ersek [this message]
2018-09-26 1:00 ` Wu, Hao A
2018-09-26 0:46 ` Dong, Eric
2018-09-25 20:51 ` [PATCH v2 0/5] [CVE-2017-5753] Bounds Check Bypass issue in SMI handlers Laszlo Ersek
2018-09-25 20:57 ` Laszlo Ersek
2018-09-26 1:17 ` Wu, Hao A
2018-09-28 13:13 ` Yao, Jiewen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=61e81dd1-31e9-2026-4766-d6b43b6db3e3@redhat.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox