From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=192.55.52.115; helo=mga14.intel.com; envelope-from=hao.a.wu@intel.com; receiver=edk2-devel@lists.01.org Received: from mga14.intel.com (mga14.intel.com [192.55.52.115]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id D1E1F211935B9 for ; Tue, 20 Nov 2018 22:17:34 -0800 (PST) X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from orsmga002.jf.intel.com ([10.7.209.21]) by fmsmga103.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 20 Nov 2018 22:17:34 -0800 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.56,260,1539673200"; d="scan'208";a="110287691" Received: from fmsmsx106.amr.corp.intel.com ([10.18.124.204]) by orsmga002.jf.intel.com with ESMTP; 20 Nov 2018 22:17:34 -0800 Received: from fmsmsx111.amr.corp.intel.com (10.18.116.5) by FMSMSX106.amr.corp.intel.com (10.18.124.204) with Microsoft SMTP Server (TLS) id 14.3.408.0; Tue, 20 Nov 2018 22:17:33 -0800 Received: from shsmsx103.ccr.corp.intel.com (10.239.4.69) by fmsmsx111.amr.corp.intel.com (10.18.116.5) with Microsoft SMTP Server (TLS) id 14.3.408.0; Tue, 20 Nov 2018 22:17:33 -0800 Received: from shsmsx104.ccr.corp.intel.com ([169.254.5.117]) by SHSMSX103.ccr.corp.intel.com ([169.254.4.161]) with mapi id 14.03.0415.000; Wed, 21 Nov 2018 14:17:31 +0800 From: "Wu, Hao A" To: "Gao, Liming" , "edk2-devel@lists.01.org" CC: Laszlo Ersek , "Yao, Jiewen" , "Zeng, Star" Thread-Topic: [edk2] [PATCH v2 1/2] MdeModulePkg/SmmCorePerfLib: [CVE-2017-5753] Fix bounds check bypass Thread-Index: AQHUfWKpXLg0h37Ntk2xP7dJizIKGKVZQn0AgACGRvA= Date: Wed, 21 Nov 2018 06:17:31 +0000 Message-ID: References: <20181116041242.37604-1-hao.a.wu@intel.com> <20181116041242.37604-2-hao.a.wu@intel.com> <4A89E2EF3DFEDB4C8BFDE51014F606A14E36F861@SHSMSX104.ccr.corp.intel.com> In-Reply-To: <4A89E2EF3DFEDB4C8BFDE51014F606A14E36F861@SHSMSX104.ccr.corp.intel.com> Accept-Language: zh-CN, en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [10.239.127.40] MIME-Version: 1.0 Subject: Re: [PATCH v2 1/2] MdeModulePkg/SmmCorePerfLib: [CVE-2017-5753] Fix bounds check bypass X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 21 Nov 2018 06:17:35 -0000 Content-Language: en-US Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Got it. Since the patches have already been checked in. I will follow this style ne= xt time. Best Regards, Hao Wu > -----Original Message----- > From: Gao, Liming > Sent: Wednesday, November 21, 2018 2:16 PM > To: Wu, Hao A; edk2-devel@lists.01.org > Cc: Wu, Hao A; Laszlo Ersek; Yao, Jiewen; Zeng, Star > Subject: RE: [edk2] [PATCH v2 1/2] MdeModulePkg/SmmCorePerfLib: [CVE- > 2017-5753] Fix bounds check bypass >=20 > Hao: > In previous discussion, the suggested subject style is > MdeModulePkg/SmmCorePerfLib: Fix bounds check bypass(CVE-2017-5753). >=20 > Thanks > Liming > > -----Original Message----- > > From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of > Hao Wu > > Sent: Friday, November 16, 2018 12:13 PM > > To: edk2-devel@lists.01.org > > Cc: Wu, Hao A ; Laszlo Ersek ; > Yao, Jiewen ; Zeng, Star > > > > Subject: [edk2] [PATCH v2 1/2] MdeModulePkg/SmmCorePerfLib: [CVE- > 2017-5753] Fix bounds check bypass > > > > REF:https://bugzilla.tianocore.org/show_bug.cgi?id=3D1194 > > > > Speculative execution is used by processor to avoid having to wait for > > data to arrive from memory, or for previous operations to finish, the > > processor may speculate as to what will be executed. > > > > If the speculation is incorrect, the speculatively executed instruction= s > > might leave hints such as which memory locations have been brought into > > cache. Malicious actors can use the bounds check bypass method (code > > gadgets with controlled external inputs) to infer data values that have > > been used in speculative operations to reveal secrets which should not > > otherwise be accessed. > > > > This commit will focus on the SMI handler(s) registered within the > > SmmCorePerformanceLib and insert AsmLfence API to mitigate the > bounds > > check bypass issue. > > > > For SMI handler SmmPerformanceHandlerEx(): > > > > Under "case SMM_PERF_FUNCTION_GET_GAUGE_DATA :", > > 'SmmPerfCommData->LogEntryKey' can be a potential cross boundary > access of > > the 'CommBuffer' (controlled external inputs) during speculative > > execution. This cross boundary access is then assign to parameter > > 'LogEntryKey'. And the value of 'LogEntryKey' can be inferred by code: > > > > CopyMem ( > > (UINT8 *) &GaugeDataEx[Index], > > (UINT8 *) &GaugeEntryExArray[LogEntryKey++], > > sizeof (GAUGE_DATA_ENTRY_EX) > > ); > > > > One can observe which part of the content within 'GaugeEntryExArray' wa= s > > brought into cache to possibly reveal the value of 'LogEntryKey'. > > > > Hence, this commit adds a AsmLfence() after the boundary/range checks > of > > 'CommBuffer' to prevent the speculative execution. > > > > And there is 1 similar case for SMI handler SmmPerformanceHandler() as > > well. This commit also handles it. > > > > A more detailed explanation of the purpose of commit is under the > > 'Bounds check bypass mitigation' section of the below link: > > https://software.intel.com/security-software-guidance/insights/host- > firmware-speculative-execution-side-channel-mitigation > > > > And the document at: > > https://software.intel.com/security-software-guidance/api- > app/sites/default/files/337879-analyzing-potential-bounds-Check-bypass- > vuln > > erabilities.pdf > > > > Cc: Star Zeng > > Cc: Jiewen Yao > > Cc: Laszlo Ersek > > Contributed-under: TianoCore Contribution Agreement 1.1 > > Signed-off-by: Hao Wu > > --- > > > MdeModulePkg/Library/SmmCorePerformanceLib/SmmCorePerformanceLi > b.c | 16 +++++++++++++++- > > 1 file changed, 15 insertions(+), 1 deletion(-) > > > > diff --git > a/MdeModulePkg/Library/SmmCorePerformanceLib/SmmCorePerformance > Lib.c > > > b/MdeModulePkg/Library/SmmCorePerformanceLib/SmmCorePerformance > Lib.c > > index cd1f1a5d5f..63c1eea3a2 100644 > > --- > a/MdeModulePkg/Library/SmmCorePerformanceLib/SmmCorePerformance > Lib.c > > +++ > b/MdeModulePkg/Library/SmmCorePerformanceLib/SmmCorePerformance > Lib.c > > @@ -16,7 +16,7 @@ > > > > SmmPerformanceHandlerEx(), SmmPerformanceHandler() will receive > untrusted input and do basic validation. > > > > -Copyright (c) 2011 - 2017, Intel Corporation. All rights reserved.
> > +Copyright (c) 2011 - 2018, Intel Corporation. All rights reserved.
> > This program and the accompanying materials > > are licensed and made available under the terms and conditions of the > BSD License > > which accompanies this distribution. The full text of the license may= be > found at > > @@ -538,6 +538,13 @@ SmmPerformanceHandlerEx ( > > break; > > } > > > > + // > > + // The AsmLfence() call here is to ensure the previous range/co= ntent > > + // checks for the CommBuffer have been completed before calling > > + // CopyMem(). > > + // > > + AsmLfence (); > > + > > GaugeEntryExArray =3D (GAUGE_DATA_ENTRY_EX *) (mGaugeData + 1); > > > > for (Index =3D 0; Index < NumberOfEntries; Index++) { > > @@ -650,6 +657,13 @@ SmmPerformanceHandler ( > > break; > > } > > > > + // > > + // The AsmLfence() call here is to ensure the previous range/co= ntent > > + // checks for the CommBuffer have been completed before calling > > + // CopyMem(). > > + // > > + AsmLfence (); > > + > > GaugeEntryExArray =3D (GAUGE_DATA_ENTRY_EX *) (mGaugeData + 1); > > > > for (Index =3D 0; Index < NumberOfEntries; Index++) { > > -- > > 2.12.0.windows.1 > > > > _______________________________________________ > > edk2-devel mailing list > > edk2-devel@lists.01.org > > https://lists.01.org/mailman/listinfo/edk2-devel