Subject: Re: [edk2-devel] [PATCH v4 7/9] UefiCpuPkg/CpuMpPei: Enable paging and set NP flag to avoid TOCTOU (CVE-2019-11098)
From: "Laszlo Ersek" <lersek@redhat.com>
Date: Wed, 8 Jul 2020 19:54:06 +0200
To: devel@edk2.groups.io, guomin.jiang@intel.com
Cc: Eric Dong, Ray Ni, Rahul Kumar
In-Reply-To: <20200708081059.691-8-guomin.jiang@intel.com>
References: <20200708081059.691-1-guomin.jiang@intel.com>
 <20200708081059.691-8-guomin.jiang@intel.com>

On 07/08/20 10:10, Guomin Jiang wrote:
> REF:https://bugzilla.tianocore.org/show_bug.cgi?id=1614
>
> To avoid the TOCTOU, enable paging and set Not Present flag so when
> access any code in the flash range, it will trigger #NP exception.
>
> Cc: Eric Dong
> Cc: Ray Ni
> Cc: Laszlo Ersek
> Cc: Rahul Kumar
> Signed-off-by: Guomin Jiang
> --- > UefiCpuPkg/CpuMpPei/CpuMpPei.inf | 3 +++ > UefiCpuPkg/CpuMpPei/CpuPaging.c | 26 ++++++++++++++++++++++++-- > 2 files changed, 27 insertions(+), 2 deletions(-) > > diff --git a/UefiCpuPkg/CpuMpPei/CpuMpPei.inf b/UefiCpuPkg/CpuMpPei/CpuMpPei.inf > index f4d11b861f77..7e511325d8b8 100644 > --- a/UefiCpuPkg/CpuMpPei/CpuMpPei.inf > +++ b/UefiCpuPkg/CpuMpPei/CpuMpPei.inf > @@ -46,6 +46,9 @@ [LibraryClasses] > BaseMemoryLib > CpuLib > > +[Guids] > + gEdkiiMigratedFvInfoGuid ## SOMETIMES_CONSUMES ## HOB > + > [Ppis] > gEfiPeiMpServicesPpiGuid ## PRODUCES > gEfiSecPlatformInformationPpiGuid ## SOMETIMES_CONSUMES > diff --git a/UefiCpuPkg/CpuMpPei/CpuPaging.c b/UefiCpuPkg/CpuMpPei/CpuPaging.c > index 3bf0574b34c6..04a16fb2b620 100644 > --- a/UefiCpuPkg/CpuMpPei/CpuPaging.c > +++ b/UefiCpuPkg/CpuMpPei/CpuPaging.c > @@ -12,6 +12,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent > #include > #include > #include > +#include > > #include "CpuMpPei.h" 
> > @@ -605,6 +606,8 @@ MemoryDiscoveredPpiNotifyCallback ( > EFI_STATUS Status; > BOOLEAN InitStackGuard; > BOOLEAN InterruptState; > + EDKII_MIGRATED_FV_INFO *MigratedFvInfo; > + EFI_PEI_HOB_POINTERS Hob; > > if (PcdGetBool (PcdMigrateTemporaryRamFirmwareVolumes)) { > InterruptState = SaveAndDisableInterrupts (); > @@ -619,9 +622,14 @@ MemoryDiscoveredPpiNotifyCallback ( > // the task switch (for the sake of stack switch). > // > InitStackGuard = FALSE; > - if (IsIa32PaeSupported () && PcdGetBool (PcdCpuStackGuard)) { > + Hob.Raw = NULL; > + if (IsIa32PaeSupported ()) { > + Hob.Raw = GetFirstGuidHob (&gEdkiiMigratedFvInfoGuid); > + InitStackGuard = PcdGetBool (PcdCpuStackGuard); > + } > + > + if (InitStackGuard || Hob.Raw != NULL) { > EnablePaging (); > - InitStackGuard = TRUE; > } > > Status = InitializeCpuMpWorker ((CONST EFI_PEI_SERVICES **)PeiServices); > @@ -631,6 +639,20 @@ MemoryDiscoveredPpiNotifyCallback ( > SetupStackGuardPage (); > } > > + while (Hob.Raw != NULL) { > + MigratedFvInfo = GET_GUID_HOB_DATA (Hob); > + > + // > + // Enable #NP exception, so if the code access after disable NEM, it will generate > + // to avoid potential vulnerability. > + // > + ConvertMemoryPageAttributes (MigratedFvInfo->FvOrgBase, MigratedFvInfo->FvLength, 0); > + > + Hob.Raw = GET_NEXT_HOB (Hob); > + Hob.Raw = GetNextGuidHob (&gEdkiiMigratedFvInfoGuid, Hob.Raw); > + } > + CpuFlushTlb (); > + > return Status; > } >

Acked-by: Laszlo Ersek
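Review bot: In the @@ -619,9 +622,14 @@ hunk, the whole mitigation is silently gated on IsIa32PaeSupported (): Hob.Raw is initialised to NULL and only assigned from GetFirstGuidHob () inside that check, so on a CPU without PAE the migrated-FV HOB is never consumed, the later while loop never runs, and the pre-migration flash range stays accessible with no diagnostic. If that fallback is intended, please say so in a comment next to `Hob.Raw = NULL;` (for example `// NP marking of the migrated FV range needs paging, hence PAE`) and consider a DEBUG message on that path, so a platform that expects the TOCTOU fix cannot lose it unnoticed on a non-PAE configuration.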
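Review bot: In the @@ -631,6 +639,20 @@ hunk, the status returned by ConvertMemoryPageAttributes (MigratedFvInfo->FvOrgBase, MigratedFvInfo->FvLength, 0) is discarded. If marking that range non-present fails, the window this patch is meant to close stays open without any trace; capture the result and at least ASSERT_EFI_ERROR () it, or DEBUG the FvOrgBase/FvLength pair on failure, before moving to the next HOB. The comment above the call is also missing its object: "it will generate" should read "it will generate a #NP exception", and "if the code access after disable NEM" would be clearer as "if the code is accessed after NEM is disabled".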