public inbox for devel@edk2.groups.io
 help / color / mirror / Atom feed
From: "Wu, Hao A" <hao.a.wu@intel.com>
To: "Zeng, Star" <star.zeng@intel.com>,
	"edk2-devel@lists.01.org" <edk2-devel@lists.01.org>
Cc: "Yao, Jiewen" <jiewen.yao@intel.com>
Subject: Re: [PATCH v2 2/5] MdeModulePkg/FaultTolerantWrite:[CVE-2017-5753]Fix bounds check bypass
Date: Sat, 29 Sep 2018 06:21:00 +0000	[thread overview]
Message-ID: <B80AF82E9BFB8E4FBD8C89DA810C6A0931E5DE26@SHSMSX104.ccr.corp.intel.com> (raw)
In-Reply-To: <0C09AFA07DD0434D9E2A0C6AEB0483103BBF5E78@shsmsx102.ccr.corp.intel.com>

> -----Original Message-----
> From: Zeng, Star
> Sent: Saturday, September 29, 2018 2:11 PM
> To: Wu, Hao A; edk2-devel@lists.01.org
> Cc: Yao, Jiewen; Zeng, Star
> Subject: RE: [PATCH v2 2/5] MdeModulePkg/FaultTolerantWrite:[CVE-2017-
> 5753]Fix bounds check bypass
> 
> Please double check whether the AsmLfence calling should be before the line
> below.
> 
>         PrivateData = (VOID *)&SmmFtwWriteHeader->Data[Length];

Hi,

The above code is getting the address of a possible cross bounday access
during the speculative execution.

I also checked that the subsequent usage of 'PrivateData' does not have a
code pattern of the 'Bounds check bypass' issue. So I think the
AsmLfence() is not needed here.

Best Regards,
Hao Wu

> 
> 
> Thanks,
> Star
> -----Original Message-----
> From: Wu, Hao A
> Sent: Tuesday, September 25, 2018 2:13 PM
> To: edk2-devel@lists.01.org
> Cc: Wu, Hao A <hao.a.wu@intel.com>; Yao, Jiewen <jiewen.yao@intel.com>;
> Zeng, Star <star.zeng@intel.com>
> Subject: [PATCH v2 2/5] MdeModulePkg/FaultTolerantWrite:[CVE-2017-
> 5753]Fix bounds check bypass
> 
> REF:https://bugzilla.tianocore.org/show_bug.cgi?id=1194
> 
> Speculative execution is used by processor to avoid having to wait for data to
> arrive from memory, or for previous operations to finish, the processor may
> speculate as to what will be executed.
> 
> If the speculation is incorrect, the speculatively executed instructions might
> leave hints such as which memory locations have been brought into cache.
> Malicious actors can use the bounds check bypass method (code gadgets with
> controlled external inputs) to infer data values that have been used in
> speculative operations to reveal secrets which should not otherwise be
> accessed.
> 
> This commit will focus on the SMI handler(s) registered within the
> FaultTolerantWriteDxe driver and insert AsmLfence API to mitigate the bounds
> check bypass issue.
> 
> For SMI handler SmmFaultTolerantWriteHandler():
> 
> Under "case FTW_FUNCTION_WRITE:", 'SmmFtwWriteHeader->Length' can be
> a potential cross boundary access of the 'CommBuffer' (controlled external
> inputs) during speculative execution. This cross boundary access is later passed
> as parameter 'Length' into function FtwWrite().
> 
> Within function FtwWrite(), the value of 'Length' can be inferred by code:
> "CopyMem (MyBuffer + Offset, Buffer, Length);". One can observe which part
> of the content within 'Buffer' was brought into cache to possibly reveal the
> value of 'Length'.
> 
> Hence, this commit adds a AsmLfence() after the boundary/range checks of
> 'CommBuffer' to prevent the speculative execution.
> 
> A more detailed explanation of the purpose of commit is under the 'Bounds
> check bypass mitigation' section of the below link:
> https://software.intel.com/security-software-guidance/insights/host-firmware-
> speculative-execution-side-channel-mitigation
> 
> And the document at:
> https://software.intel.com/security-software-guidance/api-
> app/sites/default/files/337879-analyzing-potential-bounds-Check-bypass-
> vulnerabilities.pdf
> 
> Cc: Jiewen Yao <jiewen.yao@intel.com>
> Cc: Star Zeng <star.zeng@intel.com>
> Contributed-under: TianoCore Contribution Agreement 1.1
> Signed-off-by: Hao Wu <hao.a.wu@intel.com>
> ---
>  MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteSmm.c
> | 7 +++++++
>  MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteSmm.inf
> | 1 +
>  2 files changed, 8 insertions(+)
> 
> diff --git
> a/MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteSmm.c
> b/MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteSmm.c
> index 632313f076..27fcab19b6 100644
> ---
> a/MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteSmm.c
> +++
> b/MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteSmm
> +++ .c
> @@ -57,6 +57,7 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY
> KIND, EITHER EXPRESS OR IMPLIED.
>  #include <PiSmm.h>
>  #include <Library/SmmServicesTableLib.h>  #include <Library/SmmMemLib.h>
> +#include <Library/BaseLib.h>
>  #include <Protocol/SmmSwapAddressRange.h>  #include
> "FaultTolerantWrite.h"
>  #include "FaultTolerantWriteSmmCommon.h"
> @@ -417,6 +418,12 @@ SmmFaultTolerantWriteHandler (
>                   &SmmFvbHandle
>                   );
>        if (!EFI_ERROR (Status)) {
> +        //
> +        // The AsmLfence() call here is to ensure the previous range/content
> +        // checks for the CommBuffer have been completed before calling into
> +        // FtwWrite().
> +        //
> +        AsmLfence ();
>          Status = FtwWrite(
>                     &mFtwDevice->FtwInstance,
>                     SmmFtwWriteHeader->Lba, diff --git
> a/MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteSmm.in
> f
> b/MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteSmm.in
> f
> index 85d109e8d9..606cc2266b 100644
> ---
> a/MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteSmm.in
> f
> +++
> b/MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteSmm
> +++ .inf
> @@ -55,6 +55,7 @@
>    PcdLib
>    ReportStatusCodeLib
>    SmmMemLib
> +  BaseLib
> 
>  [Guids]
>    #
> --
> 2.12.0.windows.1



  reply	other threads:[~2018-09-29  6:21 UTC|newest]

Thread overview: 21+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-09-25  6:12 [PATCH v2 0/5] [CVE-2017-5753] Bounds Check Bypass issue in SMI handlers Hao Wu
2018-09-25  6:12 ` [PATCH v2 1/5] MdePkg/BaseLib: Add new AsmLfence API Hao Wu
2018-09-25 13:00   ` Laszlo Ersek
2018-09-26  1:13     ` Wu, Hao A
2018-09-29  2:33   ` Gao, Liming
2018-09-25  6:12 ` [PATCH v2 2/5] MdeModulePkg/FaultTolerantWrite:[CVE-2017-5753]Fix bounds check bypass Hao Wu
2018-09-29  6:11   ` Zeng, Star
2018-09-29  6:21     ` Wu, Hao A [this message]
2018-09-29  6:25       ` Zeng, Star
2018-09-25  6:12 ` [PATCH v2 3/5] MdeModulePkg/SmmLockBox: [CVE-2017-5753] Fix " Hao Wu
2018-09-29  6:11   ` Zeng, Star
2018-09-25  6:12 ` [PATCH v2 4/5] MdeModulePkg/Variable: " Hao Wu
2018-09-29  6:13   ` Zeng, Star
2018-09-25  6:12 ` [PATCH v2 5/5] UefiCpuPkg/PiSmmCpuDxeSmm: " Hao Wu
2018-09-25 12:08   ` Laszlo Ersek
2018-09-26  1:00     ` Wu, Hao A
2018-09-26  0:46   ` Dong, Eric
2018-09-25 20:51 ` [PATCH v2 0/5] [CVE-2017-5753] Bounds Check Bypass issue in SMI handlers Laszlo Ersek
2018-09-25 20:57   ` Laszlo Ersek
2018-09-26  1:17     ` Wu, Hao A
2018-09-28 13:13 ` Yao, Jiewen

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-list from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=B80AF82E9BFB8E4FBD8C89DA810C6A0931E5DE26@SHSMSX104.ccr.corp.intel.com \
    --to=devel@edk2.groups.io \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox