From: "Wang, Jian J" <jian.j.wang@intel.com>
To: "devel@edk2.groups.io", "Jiang, Guomin"
CC: "Dong, Eric", "Ni, Ray", "Laszlo Ersek", "Kumar, Rahul1"
Subject: Re: [edk2-devel] [PATCH v5 7/9] UefiCpuPkg/CpuMpPei: Enable paging and set NP flag to avoid TOCTOU (CVE-2019-11098)
Date: Mon, 13 Jul 2020 07:47:07 +0000
References: <20200709015645.336-1-guomin.jiang@intel.com> <20200709015645.336-8-guomin.jiang@intel.com>
In-Reply-To: <20200709015645.336-8-guomin.jiang@intel.com>

Guomin,

> -----Original Message-----
> From: devel@edk2.groups.io On Behalf Of Guomin > Jiang > Sent: Thursday, July 09, 2020 9:57 AM > To: devel@edk2.groups.io > Cc: Dong, Eric ; Ni, Ray ; Laszlo= Ersek > ; Kumar, Rahul1 > Subject: [edk2-devel] [PATCH v5 7/9] UefiCpuPkg/CpuMpPei: Enable paging = and > set NP flag to avoid TOCTOU (CVE-2019-11098) >=20 > REF:https://bugzilla.tianocore.org/show_bug.cgi?id=3D1614 >=20 > To avoid the TOCTOU, enable paging and set Not Present flag so when > access any code in the flash range, it will trigger #NP exception. It's #PF, not #NP. >=20 > Cc: Eric Dong > Cc: Ray Ni > Cc: Laszlo Ersek > Cc: Rahul Kumar > Signed-off-by: Guomin Jiang > Acked-by: Laszlo Ersek > --- > UefiCpuPkg/CpuMpPei/CpuMpPei.inf | 3 +++ > UefiCpuPkg/CpuMpPei/CpuPaging.c | 26 ++++++++++++++++++++++++-- > 2 files changed, 27 insertions(+), 2 deletions(-) >=20 > diff --git a/UefiCpuPkg/CpuMpPei/CpuMpPei.inf > b/UefiCpuPkg/CpuMpPei/CpuMpPei.inf > index f4d11b861f77..7e511325d8b8 100644 > --- a/UefiCpuPkg/CpuMpPei/CpuMpPei.inf > +++ b/UefiCpuPkg/CpuMpPei/CpuMpPei.inf > @@ -46,6 +46,9 @@ [LibraryClasses] > BaseMemoryLib > CpuLib >=20 > +[Guids] > + gEdkiiMigratedFvInfoGuid = ## > SOMETIMES_CONSUMES ## HOB > + > [Ppis] > gEfiPeiMpServicesPpiGuid ## PRODUCES > gEfiSecPlatformInformationPpiGuid ## SOMETIMES_CONSUMES > diff --git a/UefiCpuPkg/CpuMpPei/CpuPaging.c > b/UefiCpuPkg/CpuMpPei/CpuPaging.c > index 3bf0574b34c6..04a16fb2b620 100644 > --- a/UefiCpuPkg/CpuMpPei/CpuPaging.c > +++ b/UefiCpuPkg/CpuMpPei/CpuPaging.c > @@ -12,6 +12,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent > #include > #include > #include > +#include >=20 > #include "CpuMpPei.h" >=20 > @@ -605,6 +606,8 @@ MemoryDiscoveredPpiNotifyCallback ( > EFI_STATUS Status; > BOOLEAN InitStackGuard; > BOOLEAN InterruptState; > + EDKII_MIGRATED_FV_INFO *MigratedFvInfo; > + EFI_PEI_HOB_POINTERS Hob; >=20 Please align the variable names. > if (PcdGetBool (PcdMigrateTemporaryRamFirmwareVolumes)) { > InterruptState =3D SaveAndDisableInterrupts (); 
> @@ -619,9 +622,14 @@ MemoryDiscoveredPpiNotifyCallback ( > // the task switch (for the sake of stack switch). > // > InitStackGuard =3D FALSE; > - if (IsIa32PaeSupported () && PcdGetBool (PcdCpuStackGuard)) { > + Hob.Raw =3D NULL; > + if (IsIa32PaeSupported ()) { > + Hob.Raw =3D GetFirstGuidHob (&gEdkiiMigratedFvInfoGuid); > + InitStackGuard =3D PcdGetBool (PcdCpuStackGuard); > + } > + PcdMigrateTemporaryRamFirmwareVolumes is only effective along with PcdShadowPeimOnBoot or PcdShadowPeimOnS3Boot in PeiCore. Using it here without other two doesn't make sense. Need further discussion to clarify the usage of all of them. > + if (InitStackGuard || Hob.Raw !=3D NULL) { > EnablePaging (); > - InitStackGuard =3D TRUE; > } >=20 > Status =3D InitializeCpuMpWorker ((CONST EFI_PEI_SERVICES **)PeiServi= ces); > @@ -631,6 +639,20 @@ MemoryDiscoveredPpiNotifyCallback ( > SetupStackGuardPage (); > } >=20 > + while (Hob.Raw !=3D NULL) { > + MigratedFvInfo =3D GET_GUID_HOB_DATA (Hob); > + > + // > + // Enable #NP exception, so if the code access after disable NEM, i= t will > generate It's #PF, not #NP. > + // to avoid potential vulnerability. > + // > + ConvertMemoryPageAttributes (MigratedFvInfo->FvOrgBase, > MigratedFvInfo->FvLength, 0); > + > + Hob.Raw =3D GET_NEXT_HOB (Hob); > + Hob.Raw =3D GetNextGuidHob (&gEdkiiMigratedFvInfoGuid, Hob.Raw); > + } > + CpuFlushTlb (); > + > return Status; > } >=20 > -- > 2.25.1.windows.1 >=20 >=20 >=20
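Review bot: In the @@ -619,9 +622,14 @@ hunk the Not-Present protection for the migrated FVs silently depends on IsIa32PaeSupported (): when PAE is not supported, Hob.Raw stays NULL, EnablePaging () is skipped and the TOCTOU mitigation is simply not applied, with no diagnostic. Suggest adding a DEBUG ((DEBUG_WARN, ...)) message (or an ASSERT) in that path and stating the PAE dependency in the PcdMigrateTemporaryRamFirmwareVolumes description, so a platform that enables the PCD on a CPU without PAE does not assume the original flash range is unmapped.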
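Review bot: In the @@ -631,6 +639,20 @@ hunk the result of ConvertMemoryPageAttributes (MigratedFvInfo->FvOrgBase, MigratedFvInfo->FvLength, 0) is discarded; if the attribute change fails for any FV range, the pre-migration pages remain mapped present, the #PF this patch relies on never fires, and the callback still returns the Status from InitializeCpuMpWorker () as if the protection were in place. Suggest capturing the return status and at least ASSERT_EFI_ERROR-ing or DEBUG-logging it for each FV. The comment above the call is also cut mid-sentence ("it will generate ... to avoid potential vulnerability") and names #NP; something like "// Mark the original (pre-migration) FV range Not Present so that any access to it after NEM is disabled faults with #PF." would read correctly. Minor: CpuFlushTlb () runs unconditionally, even when no gEdkiiMigratedFvInfoGuid HOB was found and the loop body never executed.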