Re: [PATCH v1 1/2] MdeModulePkg/SmmCorePerfLib: [CVE-2017-5753] Fix bounds check bypass

["Zeng, Star" <star.zeng@intel.com>]

On 2018/11/16 9:37, Hao Wu wrote:
> REF:https://bugzilla.tianocore.org/show_bug.cgi?id=1194
> 
> Speculative execution is used by processor to avoid having to wait for
> data to arrive from memory, or for previous operations to finish, the
> processor may speculate as to what will be executed.
> 
> If the speculation is incorrect, the speculatively executed instructions
> might leave hints such as which memory locations have been brought into
> cache. Malicious actors can use the bounds check bypass method (code
> gadgets with controlled external inputs) to infer data values that have
> been used in speculative operations to reveal secrets which should not
> otherwise be accessed.
> 
> This commit will focus on the SMI handler(s) registered within the
> TBD.

What does the 'TBD' mean here?

Thanks,
Star

> 
> Hence, this commit adds a AsmLfence() after the boundary/range checks of
> 'CommBuffer' to prevent the speculative execution.
> 
> A more detailed explanation of the purpose of commit is under the
> 'Bounds check bypass mitigation' section of the below link:
> https://software.intel.com/security-software-guidance/insights/host-firmware-speculative-execution-side-channel-mitigation
> 
> And the document at:
> https://software.intel.com/security-software-guidance/api-app/sites/default/files/337879-analyzing-potential-bounds-Check-bypass-vulnerabilities.pdf
> 
> Cc: Star Zeng <star.zeng@intel.com>
> Cc: Jiewen Yao <jiewen.yao@intel.com>
> Cc: Laszlo Ersek <lersek@redhat.com>
> Contributed-under: TianoCore Contribution Agreement 1.1
> Signed-off-by: Hao Wu <hao.a.wu@intel.com>
> ---
>   MdeModulePkg/Library/SmmCorePerformanceLib/SmmCorePerformanceLib.c | 16 +++++++++++++++-
>   1 file changed, 15 insertions(+), 1 deletion(-)
> 
> diff --git a/MdeModulePkg/Library/SmmCorePerformanceLib/SmmCorePerformanceLib.c b/MdeModulePkg/Library/SmmCorePerformanceLib/SmmCorePerformanceLib.c
> index cd1f1a5d5f..63c1eea3a2 100644
> --- a/MdeModulePkg/Library/SmmCorePerformanceLib/SmmCorePerformanceLib.c
> +++ b/MdeModulePkg/Library/SmmCorePerformanceLib/SmmCorePerformanceLib.c
> @@ -16,7 +16,7 @@
>   
>    SmmPerformanceHandlerEx(), SmmPerformanceHandler() will receive untrusted input and do basic validation.
>   
> -Copyright (c) 2011 - 2017, Intel Corporation. All rights reserved.<BR>
> +Copyright (c) 2011 - 2018, Intel Corporation. All rights reserved.<BR>
>   This program and the accompanying materials
>   are licensed and made available under the terms and conditions of the BSD License
>   which accompanies this distribution.  The full text of the license may be found at
> @@ -538,6 +538,13 @@ SmmPerformanceHandlerEx (
>            break;
>          }
>   
> +       //
> +       // The AsmLfence() call here is to ensure the previous range/content
> +       // checks for the CommBuffer have been completed before calling
> +       // CopyMem().
> +       //
> +       AsmLfence ();
> +
>          GaugeEntryExArray = (GAUGE_DATA_ENTRY_EX *) (mGaugeData + 1);
>   
>          for (Index = 0; Index < NumberOfEntries; Index++) {
> @@ -650,6 +657,13 @@ SmmPerformanceHandler (
>            break;
>          }
>   
> +       //
> +       // The AsmLfence() call here is to ensure the previous range/content
> +       // checks for the CommBuffer have been completed before calling
> +       // CopyMem().
> +       //
> +       AsmLfence ();
> +
>          GaugeEntryExArray = (GAUGE_DATA_ENTRY_EX *) (mGaugeData + 1);
>   
>          for (Index = 0; Index < NumberOfEntries; Index++) {
>