From: "Wang, Jian J"
To: "devel@edk2.groups.io", "Jiang, Guomin"
CC: "Dong, Eric", "Ni, Ray", "Laszlo Ersek", "Kumar, Rahul1"
Subject: Re: [edk2-devel] [PATCH v6 07/10] UefiCpuPkg/CpuMpPei: Enable paging and set NP flag to avoid TOCTOU (CVE-2019-11098)
Date: Wed, 22 Jul 2020 03:31:44 +0000
References: <20200720113022.675-1-guomin.jiang@intel.com> <20200720113022.675-8-guomin.jiang@intel.com>
In-Reply-To: <20200720113022.675-8-guomin.jiang@intel.com>

Reviewed-by: Jian J Wang

Regards,
Jian

> -----Original Message-----
> From: devel@edk2.groups.io On Behalf Of Guomin > Jiang > Sent: Monday, July 20, 2020 7:30 PM > To: devel@edk2.groups.io > Cc: Dong, Eric ; Ni, Ray ; Laszlo= Ersek > ; Kumar, Rahul1 > Subject: [edk2-devel] [PATCH v6 07/10] UefiCpuPkg/CpuMpPei: Enable pagin= g > and set NP flag to avoid TOCTOU (CVE-2019-11098) >=20 > REF:https://bugzilla.tianocore.org/show_bug.cgi?id=3D1614 >=20 > To avoid the TOCTOU, enable paging and set Not Present flag so when > access any code in the flash range, it will trigger #PF exception. >=20 > Cc: Eric Dong > Cc: Ray Ni > Cc: Laszlo Ersek > Cc: Rahul Kumar > Signed-off-by: Guomin Jiang > Acked-by: Laszlo Ersek > --- > UefiCpuPkg/CpuMpPei/CpuMpPei.inf | 3 +++ > UefiCpuPkg/CpuMpPei/CpuPaging.c | 32 +++++++++++++++++++++++++++----- > 2 files changed, 30 insertions(+), 5 deletions(-) >=20 > diff --git a/UefiCpuPkg/CpuMpPei/CpuMpPei.inf > b/UefiCpuPkg/CpuMpPei/CpuMpPei.inf > index f4d11b861f77..7e511325d8b8 100644 > --- a/UefiCpuPkg/CpuMpPei/CpuMpPei.inf > +++ b/UefiCpuPkg/CpuMpPei/CpuMpPei.inf > @@ -46,6 +46,9 @@ [LibraryClasses] > BaseMemoryLib > CpuLib >=20 > +[Guids] > + gEdkiiMigratedFvInfoGuid = ## > SOMETIMES_CONSUMES ## HOB > + > [Ppis] > gEfiPeiMpServicesPpiGuid ## PRODUCES > gEfiSecPlatformInformationPpiGuid ## SOMETIMES_CONSUMES > diff --git a/UefiCpuPkg/CpuMpPei/CpuPaging.c > b/UefiCpuPkg/CpuMpPei/CpuPaging.c > index 3bf0574b34c6..8ab7dfcce3a0 100644 > --- a/UefiCpuPkg/CpuMpPei/CpuPaging.c > +++ b/UefiCpuPkg/CpuMpPei/CpuPaging.c > @@ -12,6 +12,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent > #include > #include > #include > +#include >=20 > #include "CpuMpPei.h" >=20 
> @@ -602,9 +603,11 @@ MemoryDiscoveredPpiNotifyCallback ( > IN VOID *Ppi > ) > { > - EFI_STATUS Status; > - BOOLEAN InitStackGuard; > - BOOLEAN InterruptState; > + EFI_STATUS Status; > + BOOLEAN InitStackGuard; > + BOOLEAN InterruptState; > + EDKII_MIGRATED_FV_INFO *MigratedFvInfo; > + EFI_PEI_HOB_POINTERS Hob; >=20 > if (PcdGetBool (PcdMigrateTemporaryRamFirmwareVolumes)) { > InterruptState =3D SaveAndDisableInterrupts (); > @@ -619,9 +622,14 @@ MemoryDiscoveredPpiNotifyCallback ( > // the task switch (for the sake of stack switch). > // > InitStackGuard =3D FALSE; > - if (IsIa32PaeSupported () && PcdGetBool (PcdCpuStackGuard)) { > + Hob.Raw =3D NULL; > + if (IsIa32PaeSupported ()) { > + Hob.Raw =3D GetFirstGuidHob (&gEdkiiMigratedFvInfoGuid); > + InitStackGuard =3D PcdGetBool (PcdCpuStackGuard); > + } > + > + if (InitStackGuard || Hob.Raw !=3D NULL) { > EnablePaging (); > - InitStackGuard =3D TRUE; > } >=20 > Status =3D InitializeCpuMpWorker ((CONST EFI_PEI_SERVICES **)PeiServi= ces); > @@ -631,6 +639,20 @@ MemoryDiscoveredPpiNotifyCallback ( > SetupStackGuardPage (); > } >=20 > + while (Hob.Raw !=3D NULL) { > + MigratedFvInfo =3D GET_GUID_HOB_DATA (Hob); > + > + // > + // Enable #PF exception, so if the code access SPI after disable NE= M, it will > generate > + // the exception to avoid potential vulnerability. > + // > + ConvertMemoryPageAttributes (MigratedFvInfo->FvOrgBase, > MigratedFvInfo->FvLength, 0); > + > + Hob.Raw =3D GET_NEXT_HOB (Hob); > + Hob.Raw =3D GetNextGuidHob (&gEdkiiMigratedFvInfoGuid, Hob.Raw); > + } > + CpuFlushTlb (); > + > return Status; > } >=20 > -- > 2.25.1.windows.1 >=20 >=20 >=20
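Review bot: the [Guids] hunk in CpuMpPei.inf adds gEdkiiMigratedFvInfoGuid but the [Packages] section is not part of the diff; confirm the package that declares this GUID (the one whose header the new #include in CpuPaging.c pulls in) is already listed there, otherwise the build cannot resolve the symbol even though the source compiles.

Review bot: in the @@ -619 hunk, when IsIa32PaeSupported () returns FALSE, Hob.Raw stays NULL, paging is not enabled, and the migrated-FV loop below never runs, so on such a platform the Not-Present protection this patch adds is silently skipped even though temporary-RAM FVs were migrated. A DEBUG message (or an ASSERT, if platforms that set PcdMigrateTemporaryRamFirmwareVolumes are expected to have PAE) would make the missing mitigation visible. A one-line comment above `if (InitStackGuard || Hob.Raw != NULL)` noting that the second condition exists for the CVE-2019-11098 fix would also help, since EnablePaging () is now entered independently of PcdCpuStackGuard.

Review bot: in the @@ -631 hunk, the return value of `ConvertMemoryPageAttributes (MigratedFvInfo->FvOrgBase, MigratedFvInfo->FvLength, 0)` is discarded; if the attribute change fails (for example because a page-table split could not be allocated), the original FV range stays mapped Present and the TOCTOU protection is lost without any trace. Capture the result in a separate local (not `Status`, which carries the InitializeCpuMpWorker result that the function returns) and at least ASSERT on it, e.g. `PagingStatus = ConvertMemoryPageAttributes (...); ASSERT_RETURN_ERROR (PagingStatus);`. The call also passes FvOrgBase and FvLength straight through; if the helper requires 4 KB alignment, assert that here so a misaligned HOB does not leave part of the range present. Style: the comment "if the code access SPI after disable NEM" reads better as "if code accesses the SPI flash after NEM is disabled".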
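The mechanism the patch relies on, shown as an added example that is not edk2 code and not the patch author's: a flat 4 KB page-table model in which the original firmware-volume range is marked Not Present, so that a stale pointer into the pre-migration copy would fault while the migrated copy stays reachable. It also shows the alignment and range validation a caller should expect from such a helper. All addresses, sizes and names (`mark_not_present`, `fetch_would_fault`, the FV offsets) are constructed for the example and are not from CpuPaging.c.

```c
/* Added example (not edk2 code): flat 4 KB PTE model of "set Not Present
 * on the original FV range". Names and addresses are illustrative. */
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>

#define PAGE_SIZE     4096u
#define PTE_PRESENT   (1ull << 0)
#define PTE_RW        (1ull << 1)

#define NUM_PAGES 16            /* model covers 0 .. 64 KB of address space */
static uint64_t g_pte[NUM_PAGES];

/* Identity-map the whole modeled range, present and writable. */
void setup_identity_map(void) {
    for (size_t i = 0; i < NUM_PAGES; i++)
        g_pte[i] = ((uint64_t)i * PAGE_SIZE) | PTE_PRESENT | PTE_RW;
}

/* Clear the P bit on every 4 KB page in [base, base+len).
 * Returns 0 on success, -1 if the input is misaligned, empty, overflows
 * or lies outside the modeled range (the checks a caller of a real
 * page-attribute helper should not assume silently succeed). */
int mark_not_present(uint64_t base, uint64_t len) {
    if (len == 0 || (base % PAGE_SIZE) != 0 || (len % PAGE_SIZE) != 0)
        return -1;
    if (base > UINT64_MAX - len)
        return -1;
    uint64_t end = base + len;
    if (end > (uint64_t)NUM_PAGES * PAGE_SIZE)
        return -1;
    for (uint64_t a = base; a < end; a += PAGE_SIZE)
        g_pte[a / PAGE_SIZE] &= ~PTE_PRESENT;
    return 0;
}

/* Simulated instruction fetch: true if the CPU would raise #PF for addr
 * (P bit clear or address outside the modeled range), false if it would
 * execute. */
bool fetch_would_fault(uint64_t addr) {
    if (addr >= (uint64_t)NUM_PAGES * PAGE_SIZE)
        return true;
    return (g_pte[addr / PAGE_SIZE] & PTE_PRESENT) == 0;
}

/* Walk-through mirroring the patch's intent with constructed values:
 * an FV originally at 0x8000 (0x4000 bytes) was migrated to 0x2000.
 * After marking, a stale pointer into the original range faults and the
 * migrated copy still runs. Returns 0 when every expectation holds. */
int demo(void) {
    setup_identity_map();
    const uint64_t fv_org_base = 0x8000, fv_len = 0x4000, fv_new_base = 0x2000;

    if (mark_not_present(fv_org_base, fv_len) != 0)
        return -1;
    if (!fetch_would_fault(fv_org_base + 0x10))      /* stale pointer must fault */
        return -2;
    if (fetch_would_fault(fv_new_base + 0x10))       /* migrated copy must work */
        return -3;
    if (mark_not_present(fv_org_base + 1, fv_len) != -1)   /* misaligned input rejected */
        return -4;
    return 0;
}
```

The model deliberately refuses misaligned or out-of-range input instead of rounding, because rounding a flash range down would leave its first or last page executable; a real caller should check the helper's status for exactly that reason.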