From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail05.groups.io (mail05.groups.io [45.79.224.7]) by spool.mail.gandi.net (Postfix) with ESMTPS id D7D85740034 for ; Wed, 29 May 2024 13:09:37 +0000 (UTC) DKIM-Signature: a=rsa-sha256; bh=Gbg5ezqmcpc/mFbBblMwf4sXRMKsbsDkJQK3Bgafizs=; c=relaxed/simple; d=groups.io; h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version:In-Reply-To:Precedence:List-Subscribe:List-Help:Sender:List-Id:Mailing-List:Delivered-To:Resent-Date:Resent-From:Reply-To:List-Unsubscribe-Post:List-Unsubscribe:Content-Type:Content-Disposition; s=20240206; t=1716988177; v=1; b=2gc7gnpvf1KXMyXooWteCCpBKEJT4K5xhR7fowYprZuM0l0bPC0Q2t5GjfFuCr9YdLwhbDAB rlTRyHd9Thb/bFkKzA4ce9x3OzX7nuYSQzACC/fG/KPdOXRpcExP6DMMQnJ4ug8CzWbME7VVaky eVM0dqgaEpeBraw59ZVLTPa7DgiwmYybZYWnqtl/csMRa/OhvQrVJkvMDpcQ+Du+4IdWk0inQmc M8/VhNwbN35k53cQEjP4FoiautQSq+e1xV0dw7+qRFDtf5DUhIMLvNx0vdKqz3scC49eY+C42Zn NBmuXqjKCtn19jr72+zL5ZRiN3Imvl6rEgqVkaiGjr+9w== X-Received: by 127.0.0.2 with SMTP id ZFPNYY7687511xlvOH23tsSb; Wed, 29 May 2024 06:09:36 -0700 X-Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) by mx.groups.io with SMTP id smtpd.web10.13550.1716988175730941494 for ; Wed, 29 May 2024 06:09:35 -0700 X-Received: from mimecast-mx02.redhat.com (mimecast-mx02.redhat.com [66.187.233.88]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-313-IDp-ms27OqKI2e7z9KKsoA-1; Wed, 29 May 2024 09:09:30 -0400 X-MC-Unique: IDp-ms27OqKI2e7z9KKsoA-1 X-Received: from smtp.corp.redhat.com (int-mx07.intmail.prod.int.rdu2.redhat.com [10.11.54.7]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 846C5185A780; Wed, 29 May 2024 13:09:30 +0000 (UTC) X-Received: from sirius.home.kraxel.org (unknown [10.39.192.101]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 37F911C0D100; Wed, 29 May 2024 13:09:29 +0000 (UTC) X-Received: by sirius.home.kraxel.org (Postfix, from userid 1000) id DCCDE1800DE3; Wed, 29 May 2024 15:09:28 +0200 (CEST) Date: Wed, 29 May 2024 15:09:28 +0200 From: "Gerd Hoffmann" To: devel@edk2.groups.io, dougflick@microsoft.com Cc: Liming Gao , Ard Biesheuvel Subject: Re: [edk2-devel] [PATCH v3 00/20] NetworkPkg: CVE-2023-45236 and CVE-2023-45237 Message-ID: References: <20240524054512.523329-1-douglas.flick@microsoft.com> MIME-Version: 1.0 In-Reply-To: <20240524054512.523329-1-douglas.flick@microsoft.com> X-Scanned-By: MIMEDefang 3.4.1 on 10.11.54.7 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Precedence: Bulk List-Subscribe: List-Help: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Resent-Date: Wed, 29 May 2024 06:09:35 -0700 Resent-From: kraxel@redhat.com Reply-To: devel@edk2.groups.io,kraxel@redhat.com List-Unsubscribe-Post: List-Unsubscribe=One-Click List-Unsubscribe: X-Gm-Message-State: 35QT0kREsuaDPmviRswiFgN1x7686176AA= Content-Type: text/plain; charset=us-ascii Content-Disposition: inline X-GND-Status: LEGIT Authentication-Results: spool.mail.gandi.net; dkim=pass header.d=groups.io header.s=20240206 header.b=2gc7gnpv; dmarc=fail reason="SPF not aligned (relaxed), DKIM not aligned (relaxed)" header.from=redhat.com (policy=none); spf=pass (spool.mail.gandi.net: domain of bounce@groups.io designates 45.79.224.7 as permitted sender) smtp.mailfrom=bounce@groups.io On Thu, May 23, 2024 at 10:44:52PM GMT, Doug Flick via groups.io wrote: > > REF:https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html > > This patch series patches the following CVEs: > - CVE-2023-45236: Predictable TCP Initial Sequence Numbers > - CVE-2023-45237: Use of a Weak PseudoRandom Number Generator Ok, looks like there is some more fallout from this patch series which I havn't seen in my initial testing. It does not always happen, didn't figure yet what exactly triggers the behavior. But in some cases there is quite some network stack activity, apparently done by EVT_SIGNAL_EXIT_BOOT_SERVICES event handlers ... With the debug patch below applied the tail of the ovmf log looks like this: VirtioRngExitBoot: Context=0x7D73D798 Hash2ServiceBindingDestroyChild - Invalid handle MnpServiceBindingDestroyChild: Failed to uninstall the ManagedNetwork protocol, Invalid Parameter. Support(): UNDI3.1 found on handle 7D461118 Support(): supported on 7D461118 Start(): UNDI3.1 found snp->undi.start() 1h:8000h InstallProtocolInterface: 7AB33A91-ACE5-4326-B572-E7EE33D39F16 7CE872C0 InstallProtocolInterface: F44C00EE-1F2C-4A00-AA09-1C9F3E0800A3 7CE7D020 Failed to generate random data using secure algorithm 0: Unsupported Failed to generate random data using secure algorithm 1: Unsupported Failed to generate random data using secure algorithm 2: Unsupported Failed to generate random data using secure algorithm 3: Unsupported VirtioRngGetRNG: not ready Failed to generate random data using secure algorithm 4: Device Error ASSERT_EFI_ERROR (Status = Device Error) ASSERT /home/kraxel/projects/edk2/NetworkPkg/Library/DxeNetLib/DxeNetLib.c(965): !(((INTN)(RETURN_STATUS)(Status)) < 0) The VirtioRngDxe EVT_SIGNAL_EXIT_BOOT_SERVICES handler resets the device, to make sure it will stop any DMA. Once the reset is done the device can't deliver random numbers any more, but the network code wants some. So with the debug patch an assert is triggered, without the debug patch the system simply hangs because the virtio-rng device wouldn't answer request sent by the driver. I'm wondering what the network code is actually doing here in the first place? It apparently /installs/ protocols in the EVT_SIGNAL_EXIT_BOOT_SERVICES handler? I don't think this is how things are supposed to work ... take care, Gerd ------------------------- cut here ------------------------- diff --git a/OvmfPkg/VirtioRngDxe/VirtioRng.h b/OvmfPkg/VirtioRngDxe/VirtioRng.h index 2da99540a208..3519521d6ab5 100644 --- a/OvmfPkg/VirtioRngDxe/VirtioRng.h +++ b/OvmfPkg/VirtioRngDxe/VirtioRng.h @@ -33,6 +33,7 @@ typedef struct { VRING Ring; // VirtioRingInit 2 EFI_RNG_PROTOCOL Rng; // VirtioRngInit 1 VOID *RingMap; // VirtioRingMap 2 + BOOLEAN Ready; } VIRTIO_RNG_DEV; #define VIRTIO_ENTROPY_SOURCE_FROM_RNG(RngPointer) \ diff --git a/OvmfPkg/VirtioNetDxe/Events.c b/OvmfPkg/VirtioNetDxe/Events.c index 75a9644f749c..36e3eed4617c 100644 --- a/OvmfPkg/VirtioNetDxe/Events.c +++ b/OvmfPkg/VirtioNetDxe/Events.c @@ -77,7 +77,7 @@ VirtioNetExitBoot ( // VNET_DEV *Dev; - DEBUG ((DEBUG_VERBOSE, "%a: Context=0x%p\n", __func__, Context)); + DEBUG ((DEBUG_INFO, "%a: Context=0x%p\n", __func__, Context)); Dev = Context; if (Dev->Snm.State == EfiSimpleNetworkInitialized) { Dev->VirtIo->SetDeviceStatus (Dev->VirtIo, 0); diff --git a/OvmfPkg/VirtioRngDxe/VirtioRng.c b/OvmfPkg/VirtioRngDxe/VirtioRng.c index 069aed148af1..370c9ac8f1de 100644 --- a/OvmfPkg/VirtioRngDxe/VirtioRng.c +++ b/OvmfPkg/VirtioRngDxe/VirtioRng.c @@ -156,6 +156,10 @@ VirtioRngGetRNG ( } Dev = VIRTIO_ENTROPY_SOURCE_FROM_RNG (This); + if (!Dev->Ready) { + DEBUG ((DEBUG_INFO, "%a: not ready\n", __func__)); + return EFI_DEVICE_ERROR; + } // // Map Buffer's system physical address to device address // @@ -382,6 +386,7 @@ VirtioRngInit ( // Dev->Rng.GetInfo = VirtioRngGetInfo; Dev->Rng.GetRNG = VirtioRngGetRNG; + Dev->Ready = TRUE; return EFI_SUCCESS; @@ -414,8 +419,8 @@ VirtioRngUninit ( // VIRTIO_CFG_WRITE() returns, the host will have learned to stay away from // the old comms area. // + Dev->Ready = FALSE; Dev->VirtIo->SetDeviceStatus (Dev->VirtIo, 0); - Dev->VirtIo->UnmapSharedBuffer (Dev->VirtIo, Dev->RingMap); VirtioRingUninit (Dev->VirtIo, &Dev->Ring); @@ -435,7 +440,7 @@ VirtioRngExitBoot ( { VIRTIO_RNG_DEV *Dev; - DEBUG ((DEBUG_VERBOSE, "%a: Context=0x%p\n", __func__, Context)); + DEBUG ((DEBUG_INFO, "%a: Context=0x%p\n", __func__, Context)); // // Reset the device. This causes the hypervisor to forget about the virtio // ring. @@ -444,6 +449,7 @@ VirtioRngExitBoot ( // executing after ExitBootServices() is permitted to overwrite it. // Dev = Context; + Dev->Ready = FALSE; Dev->VirtIo->SetDeviceStatus (Dev->VirtIo, 0); } -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#119343): https://edk2.groups.io/g/devel/message/119343 Mute This Topic: https://groups.io/mt/106276830/7686176 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io] -=-=-=-=-=-=-=-=-=-=-=-