From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <eric.dong@intel.com>
Received-SPF: Pass (sender SPF authorized) identity=mailfrom;
 client-ip=192.55.52.93; helo=mga11.intel.com;
 envelope-from=eric.dong@intel.com; receiver=edk2-devel@lists.01.org 
Received: from mga11.intel.com (mga11.intel.com [192.55.52.93])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (No client certificate requested)
 by ml01.01.org (Postfix) with ESMTPS id 44F9C21A07A80
 for <edk2-devel@lists.01.org>; Sun, 18 Nov 2018 17:20:39 -0800 (PST)
X-Amp-Result: SKIPPED(no attachment in message)
X-Amp-File-Uploaded: False
Received: from orsmga005.jf.intel.com ([10.7.209.41])
 by fmsmga102.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384;
 18 Nov 2018 17:20:38 -0800
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.56,250,1539673200"; d="scan'208";a="275028151"
Received: from fmsmsx107.amr.corp.intel.com ([10.18.124.205])
 by orsmga005.jf.intel.com with ESMTP; 18 Nov 2018 17:20:38 -0800
Received: from shsmsx103.ccr.corp.intel.com (10.239.4.69) by
 fmsmsx107.amr.corp.intel.com (10.18.124.205) with Microsoft SMTP Server (TLS)
 id 14.3.408.0; Sun, 18 Nov 2018 17:20:38 -0800
Received: from shsmsx102.ccr.corp.intel.com ([169.254.2.84]) by
 SHSMSX103.ccr.corp.intel.com ([169.254.4.161]) with mapi id 14.03.0415.000;
 Mon, 19 Nov 2018 09:20:36 +0800
From: "Dong, Eric" <eric.dong@intel.com>
To: "Wu, Hao A" <hao.a.wu@intel.com>, "edk2-devel@lists.01.org"
 <edk2-devel@lists.01.org>
CC: "Wu, Hao A" <hao.a.wu@intel.com>, Laszlo Ersek <lersek@redhat.com>, "Yao, 
 Jiewen" <jiewen.yao@intel.com>, "Zhang, Chao B" <chao.b.zhang@intel.com>, 
 "Zeng, Star" <star.zeng@intel.com>
Thread-Topic: [edk2] [PATCH v2 2/2] SecurityPkg/OpalPWSupportLib:
 [CVE-2017-5753] Fix bounds check bypass
Thread-Index: AQHUfWKpT7sr6l1k7UifB4rsNIzWg6VWUU8g
Date: Mon, 19 Nov 2018 01:20:35 +0000
Message-ID: <ED077930C258884BBCB450DB737E662259D3E747@shsmsx102.ccr.corp.intel.com>
References: <20181116041242.37604-1-hao.a.wu@intel.com>
 <20181116041242.37604-3-hao.a.wu@intel.com>
In-Reply-To: <20181116041242.37604-3-hao.a.wu@intel.com>
Accept-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [10.239.127.40]
MIME-Version: 1.0
Subject: Re: [PATCH v2 2/2] SecurityPkg/OpalPWSupportLib: [CVE-2017-5753] Fix bounds check bypass
X-BeenThere: edk2-devel@lists.01.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: EDK II Development  <edk2-devel.lists.01.org>
List-Unsubscribe: <https://lists.01.org/mailman/options/edk2-devel>,
 <mailto:edk2-devel-request@lists.01.org?subject=unsubscribe>
List-Archive: <http://lists.01.org/pipermail/edk2-devel/>
List-Post: <mailto:edk2-devel@lists.01.org>
List-Help: <mailto:edk2-devel-request@lists.01.org?subject=help>
List-Subscribe: <https://lists.01.org/mailman/listinfo/edk2-devel>,
 <mailto:edk2-devel-request@lists.01.org?subject=subscribe>
X-List-Received-Date: Mon, 19 Nov 2018 01:20:39 -0000
Content-Language: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

Reviewed-by: Eric Dong <eric.dong@intel.com>

> -----Original Message-----
> From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of
> Hao Wu
> Sent: Friday, November 16, 2018 12:13 PM
> To: edk2-devel@lists.01.org
> Cc: Wu, Hao A <hao.a.wu@intel.com>; Laszlo Ersek <lersek@redhat.com>;
> Yao, Jiewen <jiewen.yao@intel.com>; Zhang, Chao B
> <chao.b.zhang@intel.com>; Zeng, Star <star.zeng@intel.com>
> Subject: [edk2] [PATCH v2 2/2] SecurityPkg/OpalPWSupportLib: [CVE-2017-
> 5753] Fix bounds check bypass
>=20
> REF:https://bugzilla.tianocore.org/show_bug.cgi?id=3D1194
>=20
> Speculative execution is used by processor to avoid having to wait for
> data to arrive from memory, or for previous operations to finish, the
> processor may speculate as to what will be executed.
>=20
> If the speculation is incorrect, the speculatively executed instructions
> might leave hints such as which memory locations have been brought into
> cache. Malicious actors can use the bounds check bypass method (code
> gadgets with controlled external inputs) to infer data values that have
> been used in speculative operations to reveal secrets which should not
> otherwise be accessed.
>=20
> This commit will focus on the SMI handler(s) registered within the
> OpalPasswordSupportLib and insert AsmLfence API to mitigate the bounds
> check bypass issue.
>=20
> For SMI handler SmmOpalPasswordHandler():
>=20
> Under "case SMM_FUNCTION_SET_OPAL_PASSWORD:",
> '&DeviceBuffer->OpalDevicePath' can points to a potential cross boundary
> access of the 'CommBuffer' (controlled external inputs) during speculativ=
e
> execution. This cross boundary access pointer is later passed as paramete=
r
> 'DevicePath' into function OpalSavePasswordToSmm().
>=20
> Within function OpalSavePasswordToSmm(), 'DevicePathLen' is an access to
> the content in 'DevicePath' and can be inferred by code:
> "CompareMem (&List->OpalDevicePath, DevicePath, DevicePathLen)". One
> can
> observe which part of the content within either '&List->OpalDevicePath' o=
r
> 'DevicePath' was brought into cache to possibly reveal the value of
> 'DevicePathLen'.
>=20
> Hence, this commit adds a AsmLfence() after the boundary/range checks of
> 'CommBuffer' to prevent the speculative execution.
>=20
> A more detailed explanation of the purpose of commit is under the
> 'Bounds check bypass mitigation' section of the below link:
> https://software.intel.com/security-software-guidance/insights/host-
> firmware-speculative-execution-side-channel-mitigation
>=20
> And the document at:
> https://software.intel.com/security-software-guidance/api-
> app/sites/default/files/337879-analyzing-potential-bounds-Check-bypass-
> vulnerabilities.pdf
>=20
> Cc: Star Zeng <star.zeng@intel.com>
> Cc: Chao Zhang <chao.b.zhang@intel.com>
> Cc: Jiewen Yao <jiewen.yao@intel.com>
> Cc: Laszlo Ersek <lersek@redhat.com>
> Contributed-under: TianoCore Contribution Agreement 1.1
> Signed-off-by: Hao Wu <hao.a.wu@intel.com>
> ---
>  SecurityPkg/Library/OpalPasswordSupportLib/OpalPasswordSupportLib.c | 7
> ++++++-
>  1 file changed, 6 insertions(+), 1 deletion(-)
>=20
> diff --git
> a/SecurityPkg/Library/OpalPasswordSupportLib/OpalPasswordSupportLib.c
> b/SecurityPkg/Library/OpalPasswordSupportLib/OpalPasswordSupportLib.c
> index e377e9ca79..1c3bfffb86 100644
> ---
> a/SecurityPkg/Library/OpalPasswordSupportLib/OpalPasswordSupportLib.c
> +++
> b/SecurityPkg/Library/OpalPasswordSupportLib/OpalPasswordSupportLib.c
> @@ -1,7 +1,7 @@
>  /** @file
>    Implementation of Opal password support library.
>=20
> -Copyright (c) 2016, Intel Corporation. All rights reserved.<BR>
> +Copyright (c) 2016 - 2018, Intel Corporation. All rights reserved.<BR>
>  This program and the accompanying materials
>  are licensed and made available under the terms and conditions of the BS=
D
> License
>  which accompanies this distribution.  The full text of the license may b=
e
> found at
> @@ -706,6 +706,11 @@ SmmOpalPasswordHandler (
>          Status =3D EFI_INVALID_PARAMETER;
>          goto EXIT;
>        }
> +      //
> +      // The AsmLfence() call here is to ensure the above range checks f=
or the
> +      // CommBuffer have been completed before calling into
> OpalSavePasswordToSmm().
> +      //
> +      AsmLfence ();
>=20
>        Status =3D OpalSavePasswordToSmm (&DeviceBuffer->OpalDevicePath,
> DeviceBuffer->Password, DeviceBuffer->PasswordLength);
>        break;
> --
> 2.12.0.windows.1
>=20
> _______________________________________________
> edk2-devel mailing list
> edk2-devel@lists.01.org
> https://lists.01.org/mailman/listinfo/edk2-devel