public inbox for devel@edk2.groups.io
 help / color / mirror / Atom feed
From: "Wu, Hao A" <hao.a.wu@intel.com>
To: Laszlo Ersek <lersek@redhat.com>,
	"edk2-devel@lists.01.org" <edk2-devel@lists.01.org>
Cc: "Kinney, Michael D" <michael.d.kinney@intel.com>,
	"Yao, Jiewen" <jiewen.yao@intel.com>,
	"Dong, Eric" <eric.dong@intel.com>
Subject: Re: [PATCH v2 5/5] UefiCpuPkg/PiSmmCpuDxeSmm: [CVE-2017-5753] Fix bounds check bypass
Date: Wed, 26 Sep 2018 01:00:46 +0000	[thread overview]
Message-ID: <B80AF82E9BFB8E4FBD8C89DA810C6A0931E5AB20@SHSMSX104.ccr.corp.intel.com> (raw)
In-Reply-To: <61e81dd1-31e9-2026-4766-d6b43b6db3e3@redhat.com>

> -----Original Message-----
> From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of Laszlo
> Ersek
> Sent: Tuesday, September 25, 2018 8:09 PM
> To: Wu, Hao A; edk2-devel@lists.01.org
> Cc: Kinney, Michael D; Yao, Jiewen; Dong, Eric
> Subject: Re: [edk2] [PATCH v2 5/5] UefiCpuPkg/PiSmmCpuDxeSmm: [CVE-2017-
> 5753] Fix bounds check bypass
> 
> On 09/25/18 08:12, Hao Wu wrote:
> > REF:https://bugzilla.tianocore.org/show_bug.cgi?id=1194
> >
> > Speculative execution is used by processor to avoid having to wait for
> > data to arrive from memory, or for previous operations to finish, the
> > processor may speculate as to what will be executed.
> >
> > If the speculation is incorrect, the speculatively executed instructions
> > might leave hints such as which memory locations have been brought into
> > cache. Malicious actors can use the bounds check bypass method (code
> > gadgets with controlled external inputs) to infer data values that have
> > been used in speculative operations to reveal secrets which should not
> > otherwise be accessed.
> >
> > It is possible for SMI handler(s) to call EFI_SMM_CPU_PROTOCOL service
> > ReadSaveState() and use the content in the 'CommBuffer' (controlled
> > external inputs) as the 'CpuIndex'. So this commit will insert AsmLfence
> > API to mitigate the bounds check bypass issue within SmmReadSaveState().
> >
> > For SmmReadSaveState():
> >
> > The 'CpuIndex' will be passed into function ReadSaveStateRegister(). And
> > then in to ReadSaveStateRegisterByIndex().
> >
> > With the call:
> > ReadSaveStateRegisterByIndex (
> >   CpuIndex,
> >   SMM_SAVE_STATE_REGISTER_IOMISC_INDEX,
> >   sizeof(IoMisc.Uint32),
> >   &IoMisc.Uint32
> >   );
> >
> > The 'IoMisc' can be a cross boundary access during speculative execution.
> > Later, 'IoMisc' is used as the index to access buffers 'mSmmCpuIoWidth'
> > and 'mSmmCpuIoType'. One can observe which part of the content within
> > those buffers was brought into cache to possibly reveal the value of
> > 'IoMisc'.
> >
> > Hence, this commit adds a AsmLfence() after the check of 'CpuIndex'
> > within function SmmReadSaveState() to prevent the speculative execution.
> >
> > A more detailed explanation of the purpose of commit is under the
> > 'Bounds check bypass mitigation' section of the below link:
> > https://software.intel.com/security-software-guidance/insights/host-
> firmware-speculative-execution-side-channel-mitigation
> >
> > And the document at:
> > https://software.intel.com/security-software-guidance/api-
> app/sites/default/files/337879-analyzing-potential-bounds-Check-bypass-
> vulnerabilities.pdf
> >
> > Cc: Laszlo Ersek <lersek@redhat.com>
> > Cc: Jiewen Yao <jiewen.yao@intel.com>
> > Cc: Michael D Kinney <michael.d.kinney@intel.com>
> > Cc: Eric Dong <eric.dong@intel.com>
> > Contributed-under: TianoCore Contribution Agreement 1.1
> > Signed-off-by: Hao Wu <hao.a.wu@intel.com>
> >
> > cb pismm
> 
> Before you push this version (or when preparing a v3, if necessary),
> please remove the above stray text, from the end of the commit message.
> 

Thanks for the spot, I will remove this dummy line from the log message.

Best Regards,
Hao Wu

> I've now looked over this series. I didn't try to verify whether the
> lfence instructions had been added at right places, or whether they had
> been added at *all* the right places. However, structurally the series
> looks OK to me.
> 
> series
> Acked-by: Laszlo Ersek <lersek@redhat.com>
> 
> I will follow up with regression test results.
> 
> Thanks
> Laszlo
> 
> > ---
> >  UefiCpuPkg/PiSmmCpuDxeSmm/PiSmmCpuDxeSmm.c | 5 +++++
> >  1 file changed, 5 insertions(+)
> >
> > diff --git a/UefiCpuPkg/PiSmmCpuDxeSmm/PiSmmCpuDxeSmm.c
> b/UefiCpuPkg/PiSmmCpuDxeSmm/PiSmmCpuDxeSmm.c
> > index fbf74e8d90..19979d5418 100644
> > --- a/UefiCpuPkg/PiSmmCpuDxeSmm/PiSmmCpuDxeSmm.c
> > +++ b/UefiCpuPkg/PiSmmCpuDxeSmm/PiSmmCpuDxeSmm.c
> > @@ -237,6 +237,11 @@ SmmReadSaveState (
> >    if ((CpuIndex >= gSmst->NumberOfCpus) || (Buffer == NULL)) {
> >      return EFI_INVALID_PARAMETER;
> >    }
> > +  //
> > +  // The AsmLfence() call here is to ensure the above check for the CpuIndex
> > +  // has been completed before the execution of subsequent codes.
> > +  //
> > +  AsmLfence ();
> >
> >    //
> >    // Check for special EFI_SMM_SAVE_STATE_REGISTER_PROCESSOR_ID
> >
> 
> _______________________________________________
> edk2-devel mailing list
> edk2-devel@lists.01.org
> https://lists.01.org/mailman/listinfo/edk2-devel


  reply	other threads:[~2018-09-26  1:03 UTC|newest]

Thread overview: 21+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-09-25  6:12 [PATCH v2 0/5] [CVE-2017-5753] Bounds Check Bypass issue in SMI handlers Hao Wu
2018-09-25  6:12 ` [PATCH v2 1/5] MdePkg/BaseLib: Add new AsmLfence API Hao Wu
2018-09-25 13:00   ` Laszlo Ersek
2018-09-26  1:13     ` Wu, Hao A
2018-09-29  2:33   ` Gao, Liming
2018-09-25  6:12 ` [PATCH v2 2/5] MdeModulePkg/FaultTolerantWrite:[CVE-2017-5753]Fix bounds check bypass Hao Wu
2018-09-29  6:11   ` Zeng, Star
2018-09-29  6:21     ` Wu, Hao A
2018-09-29  6:25       ` Zeng, Star
2018-09-25  6:12 ` [PATCH v2 3/5] MdeModulePkg/SmmLockBox: [CVE-2017-5753] Fix " Hao Wu
2018-09-29  6:11   ` Zeng, Star
2018-09-25  6:12 ` [PATCH v2 4/5] MdeModulePkg/Variable: " Hao Wu
2018-09-29  6:13   ` Zeng, Star
2018-09-25  6:12 ` [PATCH v2 5/5] UefiCpuPkg/PiSmmCpuDxeSmm: " Hao Wu
2018-09-25 12:08   ` Laszlo Ersek
2018-09-26  1:00     ` Wu, Hao A [this message]
2018-09-26  0:46   ` Dong, Eric
2018-09-25 20:51 ` [PATCH v2 0/5] [CVE-2017-5753] Bounds Check Bypass issue in SMI handlers Laszlo Ersek
2018-09-25 20:57   ` Laszlo Ersek
2018-09-26  1:17     ` Wu, Hao A
2018-09-28 13:13 ` Yao, Jiewen

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-list from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=B80AF82E9BFB8E4FBD8C89DA810C6A0931E5AB20@SHSMSX104.ccr.corp.intel.com \
    --to=devel@edk2.groups.io \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox