From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) by mx.groups.io with SMTP id smtpd.web10.12704.1617719209761795465 for ; Tue, 06 Apr 2021 07:26:49 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=CEjiPfnG; spf=pass (domain: redhat.com, ip: 170.10.133.124, mailfrom: lersek@redhat.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1617719208; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=v+L0jkZ1KxYM3TckAGcYkJFzHDyMzFzWQns9eeAnIPg=; b=CEjiPfnGXYqn7NpLUUAUU9vIDCOdy+6vF5uqOvnxBwv7CHiKE4WgKWn3ElG5YgGVb5B+Rv 5xg2uj0qMR/KdeVuRHR7qqi0/n/GfKYVQ5CYR2h0beZQofKPqe5W6FpETkAyQH6n8KvgJW 2Q5RQI2eyVyR1zZ3jTq6Hzvx3eSpKh4= Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-468-RN8b1MCwNua80qpG98Q03g-1; Tue, 06 Apr 2021 10:26:43 -0400 X-MC-Unique: RN8b1MCwNua80qpG98Q03g-1 Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.phx2.redhat.com [10.5.11.15]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 16CC0100E325; Tue, 6 Apr 2021 14:26:42 +0000 (UTC) Received: from lacos-laptop-7.usersys.redhat.com (ovpn-115-134.ams2.redhat.com [10.36.115.134]) by smtp.corp.redhat.com (Postfix) with ESMTP id 56A86627DA; Tue, 6 Apr 2021 14:26:40 +0000 (UTC) Subject: Re: [edk2-devel] [PATCH] UefiCpuPkg/PiSmmCpuDxeSmm: Support detect SMM shadow stack overflow To: devel@edk2.groups.io, jiewen.yao@intel.com, "Sheng, W" , "Ni, Ray" Cc: "Dong, Eric" , "Kumar, Rahul1" , "Feng, Roger" References: <20210326060413.7760-1-w.sheng@intel.com> From: "Laszlo Ersek" Message-ID: Date: Tue, 6 Apr 2021 16:26:39 +0200 MIME-Version: 1.0 In-Reply-To: X-Scanned-By: MIMEDefang 2.79 on 10.5.11.15 Authentication-Results: relay.mimecast.com; auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=lersek@redhat.com X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Type: text/plain; charset=iso-2022-jp Content-Language: en-US Content-Transfer-Encoding: 7bit Ray, On 03/29/21 07:13, Yao, Jiewen wrote: > Thank you very much! > > Reviewed-by: Jiewen Yao can you please review and merge this patch? You were the UefiCpuPkg reviewer on the following two commits as well: 3eb69b081c68 ("UefiCpuPkg/PiSmmCpu: Add Shadow Stack Support for X86 SMM.", 2019-02-28) ef91b07388e1 ("UefiCpuPkg/PiSmmCpuDxeSmm: Fix SMM stack offset is not correct", 2021-03-02) Thanks Laszlo > >> -----Original Message----- >> From: Sheng, W >> Sent: Friday, March 26, 2021 2:33 PM >> To: Yao, Jiewen ; devel@edk2.groups.io >> Cc: Dong, Eric ; Ni, Ray ; Laszlo Ersek >> ; Kumar, Rahul1 ; Feng, Roger >> >> Subject: RE: [PATCH] UefiCpuPkg/PiSmmCpuDxeSmm: Support detect SMM >> shadow stack overflow >> >> Hi Jiewen, >> In current code, if SMM stack guard is enabled, there is a guard page at the top >> of SMM shadow stack. >> If SMM shadow stack overflow Happens, it will touch the guard page, and >> trigger the #PF exception. >> In this patch, I will check the PFAddress in SmiPFHandler(), if it belongs to the >> range of SMM shadow stack guard page, I will show the error message. >> >> unit test: >> I use recursive function to do the test. In each function call, it will push the >> return address to the SMM shadow stack. >> When the loop reaches to a certain amount, it will finally touch the guard page, >> and trigger #PF exception. >> >> Thank you >> BR >> Sheng Wei >> >>> -----Original Message----- >>> From: Yao, Jiewen >>> Sent: 2021年3月26日 14:14 >>> To: Sheng, W ; devel@edk2.groups.io >>> Cc: Dong, Eric ; Ni, Ray ; Laszlo >>> Ersek ; Kumar, Rahul1 ; >>> Feng, Roger >>> Subject: RE: [PATCH] UefiCpuPkg/PiSmmCpuDxeSmm: Support detect SMM >>> shadow stack overflow >>> >>> Hi >>> Would you please share the info on how you do unit test for the new added >>> code? >>> >>> Thank you >>> >>>> -----Original Message----- >>>> From: Sheng, W >>>> Sent: Friday, March 26, 2021 2:04 PM >>>> To: devel@edk2.groups.io >>>> Cc: Dong, Eric ; Ni, Ray ; >>>> Laszlo Ersek ; Kumar, Rahul1 >>>> ; Yao, Jiewen ; Feng, >>>> Roger >>>> Subject: [PATCH] UefiCpuPkg/PiSmmCpuDxeSmm: Support detect SMM >>> shadow >>>> stack overflow >>>> >>>> Use SMM stack guard feature to detect SMM shadow stack overflow. >>>> >>>> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3280 >>>> >>>> Signed-off-by: Sheng Wei >>>> Cc: Eric Dong >>>> Cc: Ray Ni >>>> Cc: Laszlo Ersek >>>> Cc: Rahul Kumar >>>> Cc: Jiewen Yao >>>> Cc: Roger Feng >>>> --- >>>> UefiCpuPkg/PiSmmCpuDxeSmm/X64/PageTbl.c | 9 ++++++++- >>>> 1 file changed, 8 insertions(+), 1 deletion(-) >>>> >>>> diff --git a/UefiCpuPkg/PiSmmCpuDxeSmm/X64/PageTbl.c >>>> b/UefiCpuPkg/PiSmmCpuDxeSmm/X64/PageTbl.c >>>> index 07e7ea70de..6902584b1f 100644 >>>> --- a/UefiCpuPkg/PiSmmCpuDxeSmm/X64/PageTbl.c >>>> +++ b/UefiCpuPkg/PiSmmCpuDxeSmm/X64/PageTbl.c >>>> @@ -1016,6 +1016,7 @@ SmiPFHandler ( >>>> { >>>> UINTN PFAddress; >>>> UINTN GuardPageAddress; >>>> + UINTN ShadowStackGuardPageAddress; >>>> UINTN CpuIndex; >>>> >>>> ASSERT (InterruptType == EXCEPT_IA32_PAGE_FAULT); @@ -1032,7 >>>> +1033,7 @@ SmiPFHandler ( >>>> } >>>> >>>> // >>>> - // If a page fault occurs in SMRAM range, it might be in a SMM >>>> stack guard page, >>>> + // If a page fault occurs in SMRAM range, it might be in a SMM >>>> + stack/shadow >>>> stack guard page, >>>> // or SMM page protection violation. >>>> // >>>> if ((PFAddress >= mCpuHotPlugData.SmrrBase) && @@ -1040,10 +1041,16 >>>> @@ SmiPFHandler ( >>>> DumpCpuContext (InterruptType, SystemContext); >>>> CpuIndex = GetCpuIndex (); >>>> GuardPageAddress = (mSmmStackArrayBase + EFI_PAGE_SIZE + >>> CpuIndex >>>> * (mSmmStackSize + mSmmShadowStackSize)); >>>> + ShadowStackGuardPageAddress = (mSmmStackArrayBase + >>> mSmmStackSize >>>> + EFI_PAGE_SIZE + CpuIndex * (mSmmStackSize + >>> mSmmShadowStackSize)); >>>> if ((FeaturePcdGet (PcdCpuSmmStackGuard)) && >>>> (PFAddress >= GuardPageAddress) && >>>> (PFAddress < (GuardPageAddress + EFI_PAGE_SIZE))) { >>>> DEBUG ((DEBUG_ERROR, "SMM stack overflow!\n")); >>>> + } else if ((FeaturePcdGet (PcdCpuSmmStackGuard)) && >>>> + (mSmmShadowStackSize > 0) && >>>> + (PFAddress >= ShadowStackGuardPageAddress) && >>>> + (PFAddress < (ShadowStackGuardPageAddress + EFI_PAGE_SIZE))) { >>>> + DEBUG ((DEBUG_ERROR, "SMM shadow stack overflow!\n")); >>>> } else { >>>> if ((SystemContext.SystemContextX64->ExceptionData & >>>> IA32_PF_EC_ID) != >>>> 0) { >>>> DEBUG ((DEBUG_ERROR, "SMM exception at execution (0x%lx)\n", >>>> PFAddress)); >>>> -- >>>> 2.16.2.windows.1 > > > > > >