Reviewed-by: Eric Dong <eric.d...@intel.com>
> -----Original Message----- > From: edk2-devel [mailto:edk2-devel-boun...@lists.01.org] On Behalf Of > Hao Wu > Sent: Friday, November 16, 2018 12:13 PM > To: edk2-devel@lists.01.org > Cc: Wu, Hao A <hao.a...@intel.com>; Laszlo Ersek <ler...@redhat.com>; > Yao, Jiewen <jiewen....@intel.com>; Zhang, Chao B > <chao.b.zh...@intel.com>; Zeng, Star <star.z...@intel.com> > Subject: [edk2] [PATCH v2 2/2] SecurityPkg/OpalPWSupportLib: [CVE-2017- > 5753] Fix bounds check bypass > > REF:https://bugzilla.tianocore.org/show_bug.cgi?id=1194 > > Speculative execution is used by processor to avoid having to wait for > data to arrive from memory, or for previous operations to finish, the > processor may speculate as to what will be executed. > > If the speculation is incorrect, the speculatively executed instructions > might leave hints such as which memory locations have been brought into > cache. Malicious actors can use the bounds check bypass method (code > gadgets with controlled external inputs) to infer data values that have > been used in speculative operations to reveal secrets which should not > otherwise be accessed. > > This commit will focus on the SMI handler(s) registered within the > OpalPasswordSupportLib and insert AsmLfence API to mitigate the bounds > check bypass issue. > > For SMI handler SmmOpalPasswordHandler(): > > Under "case SMM_FUNCTION_SET_OPAL_PASSWORD:", > '&DeviceBuffer->OpalDevicePath' can points to a potential cross boundary > access of the 'CommBuffer' (controlled external inputs) during speculative > execution. This cross boundary access pointer is later passed as parameter > 'DevicePath' into function OpalSavePasswordToSmm(). > > Within function OpalSavePasswordToSmm(), 'DevicePathLen' is an access to > the content in 'DevicePath' and can be inferred by code: > "CompareMem (&List->OpalDevicePath, DevicePath, DevicePathLen)". One > can > observe which part of the content within either '&List->OpalDevicePath' or > 'DevicePath' was brought into cache to possibly reveal the value of > 'DevicePathLen'. > > Hence, this commit adds a AsmLfence() after the boundary/range checks of > 'CommBuffer' to prevent the speculative execution. > > A more detailed explanation of the purpose of commit is under the > 'Bounds check bypass mitigation' section of the below link: > https://software.intel.com/security-software-guidance/insights/host- > firmware-speculative-execution-side-channel-mitigation > > And the document at: > https://software.intel.com/security-software-guidance/api- > app/sites/default/files/337879-analyzing-potential-bounds-Check-bypass- > vulnerabilities.pdf > > Cc: Star Zeng <star.z...@intel.com> > Cc: Chao Zhang <chao.b.zh...@intel.com> > Cc: Jiewen Yao <jiewen....@intel.com> > Cc: Laszlo Ersek <ler...@redhat.com> > Contributed-under: TianoCore Contribution Agreement 1.1 > Signed-off-by: Hao Wu <hao.a...@intel.com> > --- > SecurityPkg/Library/OpalPasswordSupportLib/OpalPasswordSupportLib.c | 7 > ++++++- > 1 file changed, 6 insertions(+), 1 deletion(-) > > diff --git > a/SecurityPkg/Library/OpalPasswordSupportLib/OpalPasswordSupportLib.c > b/SecurityPkg/Library/OpalPasswordSupportLib/OpalPasswordSupportLib.c > index e377e9ca79..1c3bfffb86 100644 > --- > a/SecurityPkg/Library/OpalPasswordSupportLib/OpalPasswordSupportLib.c > +++ > b/SecurityPkg/Library/OpalPasswordSupportLib/OpalPasswordSupportLib.c > @@ -1,7 +1,7 @@ > /** @file > Implementation of Opal password support library. > > -Copyright (c) 2016, Intel Corporation. All rights reserved.<BR> > +Copyright (c) 2016 - 2018, Intel Corporation. All rights reserved.<BR> > This program and the accompanying materials > are licensed and made available under the terms and conditions of the BSD > License > which accompanies this distribution. The full text of the license may be > found at > @@ -706,6 +706,11 @@ SmmOpalPasswordHandler ( > Status = EFI_INVALID_PARAMETER; > goto EXIT; > } > + // > + // The AsmLfence() call here is to ensure the above range checks for > the > + // CommBuffer have been completed before calling into > OpalSavePasswordToSmm(). > + // > + AsmLfence (); > > Status = OpalSavePasswordToSmm (&DeviceBuffer->OpalDevicePath, > DeviceBuffer->Password, DeviceBuffer->PasswordLength); > break; > -- > 2.12.0.windows.1 > > _______________________________________________ > edk2-devel mailing list > edk2-devel@lists.01.org > https://lists.01.org/mailman/listinfo/edk2-devel _______________________________________________ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel
