From: "Gerd Hoffmann" <kraxel@redhat.com>
To: devel@edk2.groups.io, dougflick@microsoft.com
Cc: Liming Gao <gaoliming@byosoft.com.cn>, Ard Biesheuvel <ardb@kernel.org>
Subject: Re: [edk2-devel] [PATCH v3 00/20] NetworkPkg: CVE-2023-45236 and CVE-2023-45237
Date: Wed, 29 May 2024 15:09:28 +0200 [thread overview]
Message-ID: <b4irqzx42t2zsnatq46wixrnubqavojjz3qqwpdut24uoqrxyz@am6jsk25ckrd> (raw)
In-Reply-To: <20240524054512.523329-1-douglas.flick@microsoft.com>
On Thu, May 23, 2024 at 10:44:52PM GMT, Doug Flick via groups.io wrote:
>
> REF:https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html
>
> This patch series patches the following CVEs:
> - CVE-2023-45236: Predictable TCP Initial Sequence Numbers
> - CVE-2023-45237: Use of a Weak PseudoRandom Number Generator
Ok, looks like there is some more fallout from this patch series which I
havn't seen in my initial testing. It does not always happen, didn't
figure yet what exactly triggers the behavior. But in some cases there
is quite some network stack activity, apparently done by
EVT_SIGNAL_EXIT_BOOT_SERVICES event handlers ...
With the debug patch below applied the tail of the ovmf log looks like
this:
VirtioRngExitBoot: Context=0x7D73D798
Hash2ServiceBindingDestroyChild - Invalid handle
MnpServiceBindingDestroyChild: Failed to uninstall the ManagedNetwork protocol, Invalid Parameter.
Support(): UNDI3.1 found on handle 7D461118
Support(): supported on 7D461118
Start(): UNDI3.1 found
snp->undi.start() 1h:8000h
InstallProtocolInterface: 7AB33A91-ACE5-4326-B572-E7EE33D39F16 7CE872C0
InstallProtocolInterface: F44C00EE-1F2C-4A00-AA09-1C9F3E0800A3 7CE7D020
Failed to generate random data using secure algorithm 0: Unsupported
Failed to generate random data using secure algorithm 1: Unsupported
Failed to generate random data using secure algorithm 2: Unsupported
Failed to generate random data using secure algorithm 3: Unsupported
VirtioRngGetRNG: not ready
Failed to generate random data using secure algorithm 4: Device Error
ASSERT_EFI_ERROR (Status = Device Error)
ASSERT /home/kraxel/projects/edk2/NetworkPkg/Library/DxeNetLib/DxeNetLib.c(965): !(((INTN)(RETURN_STATUS)(Status)) < 0)
The VirtioRngDxe EVT_SIGNAL_EXIT_BOOT_SERVICES handler resets the
device, to make sure it will stop any DMA.
Once the reset is done the device can't deliver random numbers any more,
but the network code wants some. So with the debug patch an assert is
triggered, without the debug patch the system simply hangs because the
virtio-rng device wouldn't answer request sent by the driver.
I'm wondering what the network code is actually doing here in the first
place? It apparently /installs/ protocols in the
EVT_SIGNAL_EXIT_BOOT_SERVICES handler? I don't think this is how things
are supposed to work ...
take care,
Gerd
------------------------- cut here -------------------------
diff --git a/OvmfPkg/VirtioRngDxe/VirtioRng.h b/OvmfPkg/VirtioRngDxe/VirtioRng.h
index 2da99540a208..3519521d6ab5 100644
--- a/OvmfPkg/VirtioRngDxe/VirtioRng.h
+++ b/OvmfPkg/VirtioRngDxe/VirtioRng.h
@@ -33,6 +33,7 @@ typedef struct {
VRING Ring; // VirtioRingInit 2
EFI_RNG_PROTOCOL Rng; // VirtioRngInit 1
VOID *RingMap; // VirtioRingMap 2
+ BOOLEAN Ready;
} VIRTIO_RNG_DEV;
#define VIRTIO_ENTROPY_SOURCE_FROM_RNG(RngPointer) \
diff --git a/OvmfPkg/VirtioNetDxe/Events.c b/OvmfPkg/VirtioNetDxe/Events.c
index 75a9644f749c..36e3eed4617c 100644
--- a/OvmfPkg/VirtioNetDxe/Events.c
+++ b/OvmfPkg/VirtioNetDxe/Events.c
@@ -77,7 +77,7 @@ VirtioNetExitBoot (
//
VNET_DEV *Dev;
- DEBUG ((DEBUG_VERBOSE, "%a: Context=0x%p\n", __func__, Context));
+ DEBUG ((DEBUG_INFO, "%a: Context=0x%p\n", __func__, Context));
Dev = Context;
if (Dev->Snm.State == EfiSimpleNetworkInitialized) {
Dev->VirtIo->SetDeviceStatus (Dev->VirtIo, 0);
diff --git a/OvmfPkg/VirtioRngDxe/VirtioRng.c b/OvmfPkg/VirtioRngDxe/VirtioRng.c
index 069aed148af1..370c9ac8f1de 100644
--- a/OvmfPkg/VirtioRngDxe/VirtioRng.c
+++ b/OvmfPkg/VirtioRngDxe/VirtioRng.c
@@ -156,6 +156,10 @@ VirtioRngGetRNG (
}
Dev = VIRTIO_ENTROPY_SOURCE_FROM_RNG (This);
+ if (!Dev->Ready) {
+ DEBUG ((DEBUG_INFO, "%a: not ready\n", __func__));
+ return EFI_DEVICE_ERROR;
+ }
//
// Map Buffer's system physical address to device address
//
@@ -382,6 +386,7 @@ VirtioRngInit (
//
Dev->Rng.GetInfo = VirtioRngGetInfo;
Dev->Rng.GetRNG = VirtioRngGetRNG;
+ Dev->Ready = TRUE;
return EFI_SUCCESS;
@@ -414,8 +419,8 @@ VirtioRngUninit (
// VIRTIO_CFG_WRITE() returns, the host will have learned to stay away from
// the old comms area.
//
+ Dev->Ready = FALSE;
Dev->VirtIo->SetDeviceStatus (Dev->VirtIo, 0);
-
Dev->VirtIo->UnmapSharedBuffer (Dev->VirtIo, Dev->RingMap);
VirtioRingUninit (Dev->VirtIo, &Dev->Ring);
@@ -435,7 +440,7 @@ VirtioRngExitBoot (
{
VIRTIO_RNG_DEV *Dev;
- DEBUG ((DEBUG_VERBOSE, "%a: Context=0x%p\n", __func__, Context));
+ DEBUG ((DEBUG_INFO, "%a: Context=0x%p\n", __func__, Context));
//
// Reset the device. This causes the hypervisor to forget about the virtio
// ring.
@@ -444,6 +449,7 @@ VirtioRngExitBoot (
// executing after ExitBootServices() is permitted to overwrite it.
//
Dev = Context;
+ Dev->Ready = FALSE;
Dev->VirtIo->SetDeviceStatus (Dev->VirtIo, 0);
}
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#119343): https://edk2.groups.io/g/devel/message/119343
Mute This Topic: https://groups.io/mt/106276830/7686176
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io]
-=-=-=-=-=-=-=-=-=-=-=-
next prev parent reply other threads:[~2024-05-29 13:09 UTC|newest]
Thread overview: 38+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-05-24 5:44 [edk2-devel] [PATCH v3 00/20] NetworkPkg: CVE-2023-45236 and CVE-2023-45237 Doug Flick via groups.io
2024-05-24 5:44 ` [edk2-devel] [PATCH v3 01/20] EmulatorPkg: : Add RngDxe to EmulatorPkg Doug Flick via groups.io
2024-05-24 5:44 ` [edk2-devel] [PATCH v3 02/20] EmulatorPkg: : Add Hash2DxeCrypto " Doug Flick via groups.io
2024-05-24 5:44 ` [edk2-devel] [PATCH v3 03/20] OvmfPkg:PlatformCI: Support virtio-rng-pci Doug Flick via groups.io
2024-05-24 5:44 ` [edk2-devel] [PATCH v3 04/20] OvmfPkg: : Add Hash2DxeCrypto to OvmfPkg Doug Flick via groups.io
2024-05-24 5:44 ` [edk2-devel] [PATCH v3 05/20] ArmVirtPkg:PlatformCI: Support virtio-rng-pci Doug Flick via groups.io
2024-05-24 5:44 ` [edk2-devel] [PATCH v3 06/20] ArmVirtPkg: : Add Hash2DxeCrypto to ArmVirtPkg Doug Flick via groups.io
2024-05-24 5:44 ` [edk2-devel] [PATCH v3 07/20] SecurityPkg: RngDxe: Remove incorrect limitation on GetRng Doug Flick via groups.io
2024-05-24 5:53 ` Yao, Jiewen
2024-05-24 5:45 ` [edk2-devel] [PATCH v3 08/20] NetworkPkg:: SECURITY PATCH CVE-2023-45237 Doug Flick via groups.io
2024-05-24 5:45 ` [edk2-devel] [PATCH v3 09/20] NetworkPkg: TcpDxe: SECURITY PATCH CVE-2023-45236 Doug Flick via groups.io
2024-05-24 5:45 ` [edk2-devel] [PATCH v3 10/20] MdePkg: : Add MockUefiBootServicesTableLib Doug Flick via groups.io
2024-05-24 5:45 ` [edk2-devel] [PATCH v3 11/20] MdePkg: : Adds Protocol for MockRng Doug Flick via groups.io
2024-05-24 5:45 ` [edk2-devel] [PATCH v3 12/20] MdePkg: Add MockHash2 Protocol for testing Doug Flick via groups.io
2024-05-24 5:45 ` [edk2-devel] [PATCH v3 13/20] NetworkPkg: Update the PxeBcDhcp6GoogleTest due to underlying changes Doug Flick via groups.io
2024-05-24 5:45 ` [edk2-devel] [PATCH v3 14/20] ArmPkg: Allow SMC/HVC monitor conduit to be specified at runtime Doug Flick via groups.io
2024-05-24 5:45 ` [edk2-devel] [PATCH v3 15/20] ArmVirtPkg: Move PcdMonitorConduitHvc Doug Flick via groups.io
2024-05-24 5:45 ` [edk2-devel] [PATCH v3 16/20] MdePkg/BaseRngLib AARCH64: Remove overzealous ASSERT() Doug Flick via groups.io
2024-05-24 6:47 ` 回复: " gaoliming via groups.io
2024-05-24 5:45 ` [edk2-devel] [PATCH v3 17/20] ArmVirtPkg/ArmVirtQemu: Permit the use of dynamic PCDs in PEI Doug Flick via groups.io
2024-05-24 5:45 ` [edk2-devel] [PATCH v3 18/20] ArmVirtPkg: Use dynamic PCD to set the SMCCC conduit Doug Flick via groups.io
2024-05-24 7:01 ` 回复: [edk2-devel] [PATCH v3 00/20] NetworkPkg: CVE-2023-45236 and CVE-2023-45237 gaoliming via groups.io
2024-05-24 7:07 ` Ard Biesheuvel
2024-05-24 9:12 ` 回复: " gaoliming via groups.io
2024-05-24 9:41 ` Ard Biesheuvel
2024-05-24 11:48 ` Gerd Hoffmann
2024-05-24 14:51 ` 回复: " gaoliming via groups.io
2024-05-24 16:50 ` [edk2-devel] " Doug Flick via groups.io
2024-05-25 4:33 ` 回复: " gaoliming via groups.io
[not found] ` <17D27450B424AC2B.30215@groups.io>
2024-05-24 16:00 ` gaoliming via groups.io
2024-05-29 13:09 ` Gerd Hoffmann [this message]
2024-05-30 5:07 ` gaoliming via groups.io
2024-05-30 9:31 ` Gerd Hoffmann
2024-05-30 10:08 ` Michael Brown
2024-05-30 10:33 ` Gerd Hoffmann
2024-05-30 10:49 ` Michael Brown
2024-05-30 11:48 ` Gerd Hoffmann
-- strict thread matches above, loose matches on Subject: below --
2024-05-24 5:44 Doug Flick via groups.io
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=b4irqzx42t2zsnatq46wixrnubqavojjz3qqwpdut24uoqrxyz@am6jsk25ckrd \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox