From: "Yao, Jiewen"
To: "Sheng, W", "devel@edk2.groups.io"
CC: "Dong, Eric", "Ni, Ray", "Laszlo Ersek", "Kumar, Rahul1", "Feng, Roger"
Subject: Re: [PATCH] UefiCpuPkg/PiSmmCpuDxeSmm: Support detect SMM shadow stack overflow
Date: Mon, 29 Mar 2021 05:13:50 +0000
Message-ID:
References: <20210326060413.7760-1-w.sheng@intel.com>

Thank you very much!

Reviewed-by: Jiewen Yao

> -----Original Message-----
> From: Sheng, W
> Sent: Friday, March 26, 2021 2:33 PM
> To: Yao, Jiewen; devel@edk2.groups.io
> Cc: Dong, Eric; Ni, Ray; Laszlo Ersek; Kumar, Rahul1; Feng, Roger
> Subject: RE: [PATCH] UefiCpuPkg/PiSmmCpuDxeSmm: Support detect SMM shadow stack overflow
>
> Hi Jiewen,
> In current code, if SMM stack guard is enabled, there is a guard page at the top of SMM shadow stack.
> If SMM shadow stack overflow happens, it will touch the guard page, and trigger the #PF exception.
> In this patch, I will check the PFAddress in SmiPFHandler(); if it belongs to the range of the SMM shadow stack guard page, I will show the error message.
>
> unit test:
> I use a recursive function to do the test. In each function call, it will push the return address to the SMM shadow stack.
> When the loop reaches a certain amount, it will finally touch the guard page, and trigger the #PF exception.
>
> Thank you
> BR
> Sheng Wei
>
> > -----Original Message-----
> > From: Yao, Jiewen
> > Sent: March 26, 2021 14:14
> > To: Sheng, W; devel@edk2.groups.io
> > Cc: Dong, Eric; Ni, Ray; Laszlo Ersek; Kumar, Rahul1; Feng, Roger
> > Subject: RE: [PATCH] UefiCpuPkg/PiSmmCpuDxeSmm: Support detect SMM shadow stack overflow
> >
> > Hi
> > Would you please share the info on how you do the unit test for the newly added code?
> >
> > Thank you
> >
> > > -----Original Message-----
> > > From: Sheng, W
> > > Sent: Friday, March 26, 2021 2:04 PM
> > > To: devel@edk2.groups.io
> > > Cc: Dong, Eric; Ni, Ray; Laszlo Ersek; Kumar, Rahul1; Yao, Jiewen; Feng, Roger
> > > Subject: [PATCH] UefiCpuPkg/PiSmmCpuDxeSmm: Support detect SMM shadow stack overflow
> > >
> > > Use SMM stack guard feature to detect SMM shadow stack overflow.
> > >
> > > REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3280
> > > > > > Signed-off-by: Sheng Wei > > > Cc: Eric Dong > > > Cc: Ray Ni > > > Cc: Laszlo Ersek > > > Cc: Rahul Kumar > > > Cc: Jiewen Yao > > > Cc: Roger Feng > > > --- > > > UefiCpuPkg/PiSmmCpuDxeSmm/X64/PageTbl.c | 9 ++++++++- > > > 1 file changed, 8 insertions(+), 1 deletion(-) > > > > > > diff --git a/UefiCpuPkg/PiSmmCpuDxeSmm/X64/PageTbl.c > > > b/UefiCpuPkg/PiSmmCpuDxeSmm/X64/PageTbl.c > > > index 07e7ea70de..6902584b1f 100644 > > > --- a/UefiCpuPkg/PiSmmCpuDxeSmm/X64/PageTbl.c > > > +++ b/UefiCpuPkg/PiSmmCpuDxeSmm/X64/PageTbl.c 
> > > @@ -1016,6 +1016,7 @@ SmiPFHandler ( > > > { > > > UINTN PFAddress; > > > UINTN GuardPageAddress; > > > + UINTN ShadowStackGuardPageAddress; > > > UINTN CpuIndex; > > > > > > ASSERT (InterruptType =3D=3D EXCEPT_IA32_PAGE_FAULT); @@ -1032,7 > > > +1033,7 @@ SmiPFHandler ( > > > } > > > > > > // > > > - // If a page fault occurs in SMRAM range, it might be in a SMM > > > stack guard page, > > > + // If a page fault occurs in SMRAM range, it might be in a SMM > > > + stack/shadow > > > stack guard page, > > > // or SMM page protection violation. > > > // > > > if ((PFAddress >=3D mCpuHotPlugData.SmrrBase) && @@ -1040,10 +1041= ,16 > > > @@ SmiPFHandler ( > > > DumpCpuContext (InterruptType, SystemContext); > > > CpuIndex =3D GetCpuIndex (); > > > GuardPageAddress =3D (mSmmStackArrayBase + EFI_PAGE_SIZE + > > CpuIndex > > > * (mSmmStackSize + mSmmShadowStackSize)); > > > + ShadowStackGuardPageAddress =3D (mSmmStackArrayBase + > > mSmmStackSize > > > + EFI_PAGE_SIZE + CpuIndex * (mSmmStackSize + > > mSmmShadowStackSize)); > > > if ((FeaturePcdGet (PcdCpuSmmStackGuard)) && > > > (PFAddress >=3D GuardPageAddress) && > > > (PFAddress < (GuardPageAddress + EFI_PAGE_SIZE))) { > > > DEBUG ((DEBUG_ERROR, "SMM stack overflow!\n")); > > > + } else if ((FeaturePcdGet (PcdCpuSmmStackGuard)) && > > > + (mSmmShadowStackSize > 0) && > > > + (PFAddress >=3D ShadowStackGuardPageAddress) && > > > + (PFAddress < (ShadowStackGuardPageAddress + EFI_PAGE_SIZE)))= { > > > + DEBUG ((DEBUG_ERROR, "SMM shadow stack overflow!\n")); > > > } else { > > > if ((SystemContext.SystemContextX64->ExceptionData & > > > IA32_PF_EC_ID) !=3D > > > 0) { > > > DEBUG ((DEBUG_ERROR, "SMM exception at execution (0x%lx)\n", > > > PFAddress)); > > > -- > > > 2.16.2.windows.1
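Review bot: the new `ShadowStackGuardPageAddress` assignment in the second hunk spells out the per-CPU layout a second time (regular stack first, shadow stack at offset `mSmmStackSize`, guard page one page into each) instead of deriving it from the `GuardPageAddress` computed on the line above; `ShadowStackGuardPageAddress = GuardPageAddress + mSmmStackSize;` yields the same value and keeps the two in step if the layout ever changes. The `FeaturePcdGet (PcdCpuSmmStackGuard)` test is also repeated in the new `else if`; hoisting it into an enclosing `if` would make the three-way split (stack guard, shadow stack guard, protection violation) easier to read. Lastly, this branch only reports the condition: it depends on the shadow stack guard page already being mapped not-present when `PcdCpuSmmStackGuard` is enabled, as the reply above states, so a sentence in the commit message naming where that guard page is set up would let reviewers confirm the new check can actually fire.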
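The guard-page classification the patch adds to SmiPFHandler, reworked as a host-testable C function (an added example, not code from the patch or from edk2): it assumes the per-CPU layout implied by the patch's address arithmetic, a regular stack region of mSmmStackSize followed by a shadow stack region of mSmmShadowStackSize with each guard page one EFI_PAGE_SIZE into its region, and the SmmStackLayout struct and the sample base and size values are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#define EFI_PAGE_SIZE 0x1000u

/* Mirrors the globals the patched SmiPFHandler reads; the struct itself is
 * an assumption of this example (edk2 keeps them as separate module globals). */
typedef struct {
  uintptr_t StackArrayBase;   /* mSmmStackArrayBase */
  size_t    StackSize;        /* mSmmStackSize, guard page included */
  size_t    ShadowStackSize;  /* mSmmShadowStackSize, 0 when no shadow stack */
  bool      StackGuard;       /* FeaturePcdGet (PcdCpuSmmStackGuard) */
} SmmStackLayout;

typedef enum {
  PF_NOT_GUARD = 0,         /* other SMRAM fault, e.g. page protection violation */
  PF_STACK_OVERFLOW,        /* fault inside the regular stack guard page */
  PF_SHADOW_STACK_OVERFLOW  /* fault inside the shadow stack guard page */
} SmmPfKind;

/* Constructed sample layouts (not real platform values). */
const SmmStackLayout kCetLayout   = { 0x7F000000u, 0x4000u, 0x3000u, true };
const SmmStackLayout kNoCetLayout = { 0x7F000000u, 0x4000u, 0u,      true };

/* Regular stack guard page of CPU n: one page into its region, the same
 * arithmetic as GuardPageAddress in SmiPFHandler. */
uintptr_t StackGuardPage(const SmmStackLayout *l, size_t cpu) {
  return l->StackArrayBase + EFI_PAGE_SIZE + cpu * (l->StackSize + l->ShadowStackSize);
}

/* The shadow stack follows the regular stack inside the per-CPU region,
 * so its guard page sits StackSize beyond the regular one. */
uintptr_t ShadowStackGuardPage(const SmmStackLayout *l, size_t cpu) {
  return StackGuardPage(l, cpu) + l->StackSize;
}

static bool InPage(uintptr_t addr, uintptr_t page) {
  return addr >= page && addr < page + EFI_PAGE_SIZE;
}

/* Classify a #PF address for the faulting CPU as the patch does: guard pages only
 * matter with the stack guard PCD on, and the shadow guard needs a shadow stack. */
SmmPfKind ClassifySmmPageFault(const SmmStackLayout *l, size_t cpu, uintptr_t pf) {
  if (!l->StackGuard) return PF_NOT_GUARD;
  if (InPage(pf, StackGuardPage(l, cpu))) return PF_STACK_OVERFLOW;
  if (l->ShadowStackSize > 0 && InPage(pf, ShadowStackGuardPage(l, cpu)))
    return PF_SHADOW_STACK_OVERFLOW;
  return PF_NOT_GUARD;
}
```

With the constructed layout, a fault at CPU 0's shadow guard page is reported only when a shadow stack was allocated; the same address on the no-shadow-stack layout falls through to the generic case, which is what the `mSmmShadowStackSize > 0` condition in the patch guards against.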