From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=192.55.52.93; helo=mga11.intel.com; envelope-from=eric.dong@intel.com; receiver=edk2-devel@lists.01.org Received: from mga11.intel.com (mga11.intel.com [192.55.52.93]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id 44F9C21A07A80 for ; Sun, 18 Nov 2018 17:20:39 -0800 (PST) X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from orsmga005.jf.intel.com ([10.7.209.41]) by fmsmga102.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 18 Nov 2018 17:20:38 -0800 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.56,250,1539673200"; d="scan'208";a="275028151" Received: from fmsmsx107.amr.corp.intel.com ([10.18.124.205]) by orsmga005.jf.intel.com with ESMTP; 18 Nov 2018 17:20:38 -0800 Received: from shsmsx103.ccr.corp.intel.com (10.239.4.69) by fmsmsx107.amr.corp.intel.com (10.18.124.205) with Microsoft SMTP Server (TLS) id 14.3.408.0; Sun, 18 Nov 2018 17:20:38 -0800 Received: from shsmsx102.ccr.corp.intel.com ([169.254.2.84]) by SHSMSX103.ccr.corp.intel.com ([169.254.4.161]) with mapi id 14.03.0415.000; Mon, 19 Nov 2018 09:20:36 +0800 From: "Dong, Eric" To: "Wu, Hao A" , "edk2-devel@lists.01.org" CC: "Wu, Hao A" , Laszlo Ersek , "Yao, Jiewen" , "Zhang, Chao B" , "Zeng, Star" Thread-Topic: [edk2] [PATCH v2 2/2] SecurityPkg/OpalPWSupportLib: [CVE-2017-5753] Fix bounds check bypass Thread-Index: AQHUfWKpT7sr6l1k7UifB4rsNIzWg6VWUU8g Date: Mon, 19 Nov 2018 01:20:35 +0000 Message-ID: References: <20181116041242.37604-1-hao.a.wu@intel.com> <20181116041242.37604-3-hao.a.wu@intel.com> In-Reply-To: <20181116041242.37604-3-hao.a.wu@intel.com> Accept-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [10.239.127.40] MIME-Version: 1.0 Subject: Re: [PATCH v2 2/2] SecurityPkg/OpalPWSupportLib: [CVE-2017-5753] Fix bounds check bypass X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 19 Nov 2018 01:20:39 -0000 Content-Language: en-US Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Reviewed-by: Eric Dong > -----Original Message----- > From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of > Hao Wu > Sent: Friday, November 16, 2018 12:13 PM > To: edk2-devel@lists.01.org > Cc: Wu, Hao A ; Laszlo Ersek ; > Yao, Jiewen ; Zhang, Chao B > ; Zeng, Star > Subject: [edk2] [PATCH v2 2/2] SecurityPkg/OpalPWSupportLib: [CVE-2017- > 5753] Fix bounds check bypass >=20 > REF:https://bugzilla.tianocore.org/show_bug.cgi?id=3D1194 >=20 > Speculative execution is used by processor to avoid having to wait for > data to arrive from memory, or for previous operations to finish, the > processor may speculate as to what will be executed. >=20 > If the speculation is incorrect, the speculatively executed instructions > might leave hints such as which memory locations have been brought into > cache. Malicious actors can use the bounds check bypass method (code > gadgets with controlled external inputs) to infer data values that have > been used in speculative operations to reveal secrets which should not > otherwise be accessed. >=20 > This commit will focus on the SMI handler(s) registered within the > OpalPasswordSupportLib and insert AsmLfence API to mitigate the bounds > check bypass issue. >=20 > For SMI handler SmmOpalPasswordHandler(): >=20 > Under "case SMM_FUNCTION_SET_OPAL_PASSWORD:", > '&DeviceBuffer->OpalDevicePath' can points to a potential cross boundary > access of the 'CommBuffer' (controlled external inputs) during speculativ= e > execution. This cross boundary access pointer is later passed as paramete= r > 'DevicePath' into function OpalSavePasswordToSmm(). >=20 > Within function OpalSavePasswordToSmm(), 'DevicePathLen' is an access to > the content in 'DevicePath' and can be inferred by code: > "CompareMem (&List->OpalDevicePath, DevicePath, DevicePathLen)". One > can > observe which part of the content within either '&List->OpalDevicePath' o= r > 'DevicePath' was brought into cache to possibly reveal the value of > 'DevicePathLen'. >=20 > Hence, this commit adds a AsmLfence() after the boundary/range checks of > 'CommBuffer' to prevent the speculative execution. >=20 > A more detailed explanation of the purpose of commit is under the > 'Bounds check bypass mitigation' section of the below link: > https://software.intel.com/security-software-guidance/insights/host- > firmware-speculative-execution-side-channel-mitigation >=20 > And the document at: > https://software.intel.com/security-software-guidance/api- > app/sites/default/files/337879-analyzing-potential-bounds-Check-bypass- > vulnerabilities.pdf >=20 > Cc: Star Zeng > Cc: Chao Zhang > Cc: Jiewen Yao > Cc: Laszlo Ersek > Contributed-under: TianoCore Contribution Agreement 1.1 > Signed-off-by: Hao Wu > --- > SecurityPkg/Library/OpalPasswordSupportLib/OpalPasswordSupportLib.c | 7 > ++++++- > 1 file changed, 6 insertions(+), 1 deletion(-) >=20 > diff --git > a/SecurityPkg/Library/OpalPasswordSupportLib/OpalPasswordSupportLib.c > b/SecurityPkg/Library/OpalPasswordSupportLib/OpalPasswordSupportLib.c > index e377e9ca79..1c3bfffb86 100644 > --- > a/SecurityPkg/Library/OpalPasswordSupportLib/OpalPasswordSupportLib.c > +++ > b/SecurityPkg/Library/OpalPasswordSupportLib/OpalPasswordSupportLib.c > @@ -1,7 +1,7 @@ > /** @file > Implementation of Opal password support library. >=20 > -Copyright (c) 2016, Intel Corporation. All rights reserved.
> +Copyright (c) 2016 - 2018, Intel Corporation. All rights reserved.
> This program and the accompanying materials > are licensed and made available under the terms and conditions of the BS= D > License > which accompanies this distribution. The full text of the license may b= e > found at > @@ -706,6 +706,11 @@ SmmOpalPasswordHandler ( > Status =3D EFI_INVALID_PARAMETER; > goto EXIT; > } > + // > + // The AsmLfence() call here is to ensure the above range checks f= or the > + // CommBuffer have been completed before calling into > OpalSavePasswordToSmm(). > + // > + AsmLfence (); >=20 > Status =3D OpalSavePasswordToSmm (&DeviceBuffer->OpalDevicePath, > DeviceBuffer->Password, DeviceBuffer->PasswordLength); > break; > -- > 2.12.0.windows.1 >=20 > _______________________________________________ > edk2-devel mailing list > edk2-devel@lists.01.org > https://lists.01.org/mailman/listinfo/edk2-devel