> -----Original Message----- > From: edk2-devel [mailto:[email protected]] On Behalf Of Laszlo > Ersek > Sent: Tuesday, September 25, 2018 8:09 PM > To: Wu, Hao A; [email protected] > Cc: Kinney, Michael D; Yao, Jiewen; Dong, Eric > Subject: Re: [edk2] [PATCH v2 5/5] UefiCpuPkg/PiSmmCpuDxeSmm: [CVE-2017- > 5753] Fix bounds check bypass > > On 09/25/18 08:12, Hao Wu wrote: > > REF:https://bugzilla.tianocore.org/show_bug.cgi?id=1194 > > > > Speculative execution is used by processor to avoid having to wait for > > data to arrive from memory, or for previous operations to finish, the > > processor may speculate as to what will be executed. > > > > If the speculation is incorrect, the speculatively executed instructions > > might leave hints such as which memory locations have been brought into > > cache. Malicious actors can use the bounds check bypass method (code > > gadgets with controlled external inputs) to infer data values that have > > been used in speculative operations to reveal secrets which should not > > otherwise be accessed. > > > > It is possible for SMI handler(s) to call EFI_SMM_CPU_PROTOCOL service > > ReadSaveState() and use the content in the 'CommBuffer' (controlled > > external inputs) as the 'CpuIndex'. So this commit will insert AsmLfence > > API to mitigate the bounds check bypass issue within SmmReadSaveState(). > > > > For SmmReadSaveState(): > > > > The 'CpuIndex' will be passed into function ReadSaveStateRegister(). And > > then in to ReadSaveStateRegisterByIndex(). > > > > With the call: > > ReadSaveStateRegisterByIndex ( > > CpuIndex, > > SMM_SAVE_STATE_REGISTER_IOMISC_INDEX, > > sizeof(IoMisc.Uint32), > > &IoMisc.Uint32 > > ); > > > > The 'IoMisc' can be a cross boundary access during speculative execution. > > Later, 'IoMisc' is used as the index to access buffers 'mSmmCpuIoWidth' > > and 'mSmmCpuIoType'. One can observe which part of the content within > > those buffers was brought into cache to possibly reveal the value of > > 'IoMisc'. > > > > Hence, this commit adds a AsmLfence() after the check of 'CpuIndex' > > within function SmmReadSaveState() to prevent the speculative execution. > > > > A more detailed explanation of the purpose of commit is under the > > 'Bounds check bypass mitigation' section of the below link: > > https://software.intel.com/security-software-guidance/insights/host- > firmware-speculative-execution-side-channel-mitigation > > > > And the document at: > > https://software.intel.com/security-software-guidance/api- > app/sites/default/files/337879-analyzing-potential-bounds-Check-bypass- > vulnerabilities.pdf > > > > Cc: Laszlo Ersek <[email protected]> > > Cc: Jiewen Yao <[email protected]> > > Cc: Michael D Kinney <[email protected]> > > Cc: Eric Dong <[email protected]> > > Contributed-under: TianoCore Contribution Agreement 1.1 > > Signed-off-by: Hao Wu <[email protected]> > > > > cb pismm > > Before you push this version (or when preparing a v3, if necessary), > please remove the above stray text, from the end of the commit message. >
Thanks for the spot, I will remove this dummy line from the log message. Best Regards, Hao Wu > I've now looked over this series. I didn't try to verify whether the > lfence instructions had been added at right places, or whether they had > been added at *all* the right places. However, structurally the series > looks OK to me. > > series > Acked-by: Laszlo Ersek <[email protected]> > > I will follow up with regression test results. > > Thanks > Laszlo > > > --- > > UefiCpuPkg/PiSmmCpuDxeSmm/PiSmmCpuDxeSmm.c | 5 +++++ > > 1 file changed, 5 insertions(+) > > > > diff --git a/UefiCpuPkg/PiSmmCpuDxeSmm/PiSmmCpuDxeSmm.c > b/UefiCpuPkg/PiSmmCpuDxeSmm/PiSmmCpuDxeSmm.c > > index fbf74e8d90..19979d5418 100644 > > --- a/UefiCpuPkg/PiSmmCpuDxeSmm/PiSmmCpuDxeSmm.c > > +++ b/UefiCpuPkg/PiSmmCpuDxeSmm/PiSmmCpuDxeSmm.c > > @@ -237,6 +237,11 @@ SmmReadSaveState ( > > if ((CpuIndex >= gSmst->NumberOfCpus) || (Buffer == NULL)) { > > return EFI_INVALID_PARAMETER; > > } > > + // > > + // The AsmLfence() call here is to ensure the above check for the > > CpuIndex > > + // has been completed before the execution of subsequent codes. > > + // > > + AsmLfence (); > > > > // > > // Check for special EFI_SMM_SAVE_STATE_REGISTER_PROCESSOR_ID > > > > _______________________________________________ > edk2-devel mailing list > [email protected] > https://lists.01.org/mailman/listinfo/edk2-devel _______________________________________________ edk2-devel mailing list [email protected] https://lists.01.org/mailman/listinfo/edk2-devel
