Hao: In previous discussion, the suggested subject style is MdeModulePkg/SmmCorePerfLib: Fix bounds check bypass(CVE-2017-5753).
Thanks Liming > -----Original Message----- > From: edk2-devel [mailto:[email protected]] On Behalf Of Hao Wu > Sent: Friday, November 16, 2018 12:13 PM > To: [email protected] > Cc: Wu, Hao A <[email protected]>; Laszlo Ersek <[email protected]>; Yao, > Jiewen <[email protected]>; Zeng, Star > <[email protected]> > Subject: [edk2] [PATCH v2 1/2] MdeModulePkg/SmmCorePerfLib: [CVE-2017-5753] > Fix bounds check bypass > > REF:https://bugzilla.tianocore.org/show_bug.cgi?id=1194 > > Speculative execution is used by processor to avoid having to wait for > data to arrive from memory, or for previous operations to finish, the > processor may speculate as to what will be executed. > > If the speculation is incorrect, the speculatively executed instructions > might leave hints such as which memory locations have been brought into > cache. Malicious actors can use the bounds check bypass method (code > gadgets with controlled external inputs) to infer data values that have > been used in speculative operations to reveal secrets which should not > otherwise be accessed. > > This commit will focus on the SMI handler(s) registered within the > SmmCorePerformanceLib and insert AsmLfence API to mitigate the bounds > check bypass issue. > > For SMI handler SmmPerformanceHandlerEx(): > > Under "case SMM_PERF_FUNCTION_GET_GAUGE_DATA :", > 'SmmPerfCommData->LogEntryKey' can be a potential cross boundary access of > the 'CommBuffer' (controlled external inputs) during speculative > execution. This cross boundary access is then assign to parameter > 'LogEntryKey'. And the value of 'LogEntryKey' can be inferred by code: > > CopyMem ( > (UINT8 *) &GaugeDataEx[Index], > (UINT8 *) &GaugeEntryExArray[LogEntryKey++], > sizeof (GAUGE_DATA_ENTRY_EX) > ); > > One can observe which part of the content within 'GaugeEntryExArray' was > brought into cache to possibly reveal the value of 'LogEntryKey'. > > Hence, this commit adds a AsmLfence() after the boundary/range checks of > 'CommBuffer' to prevent the speculative execution. > > And there is 1 similar case for SMI handler SmmPerformanceHandler() as > well. This commit also handles it. > > A more detailed explanation of the purpose of commit is under the > 'Bounds check bypass mitigation' section of the below link: > https://software.intel.com/security-software-guidance/insights/host-firmware-speculative-execution-side-channel-mitigation > > And the document at: > https://software.intel.com/security-software-guidance/api-app/sites/default/files/337879-analyzing-potential-bounds-Check-bypass-vuln > erabilities.pdf > > Cc: Star Zeng <[email protected]> > Cc: Jiewen Yao <[email protected]> > Cc: Laszlo Ersek <[email protected]> > Contributed-under: TianoCore Contribution Agreement 1.1 > Signed-off-by: Hao Wu <[email protected]> > --- > MdeModulePkg/Library/SmmCorePerformanceLib/SmmCorePerformanceLib.c | 16 > +++++++++++++++- > 1 file changed, 15 insertions(+), 1 deletion(-) > > diff --git > a/MdeModulePkg/Library/SmmCorePerformanceLib/SmmCorePerformanceLib.c > b/MdeModulePkg/Library/SmmCorePerformanceLib/SmmCorePerformanceLib.c > index cd1f1a5d5f..63c1eea3a2 100644 > --- a/MdeModulePkg/Library/SmmCorePerformanceLib/SmmCorePerformanceLib.c > +++ b/MdeModulePkg/Library/SmmCorePerformanceLib/SmmCorePerformanceLib.c > @@ -16,7 +16,7 @@ > > SmmPerformanceHandlerEx(), SmmPerformanceHandler() will receive untrusted > input and do basic validation. > > -Copyright (c) 2011 - 2017, Intel Corporation. All rights reserved.<BR> > +Copyright (c) 2011 - 2018, Intel Corporation. All rights reserved.<BR> > This program and the accompanying materials > are licensed and made available under the terms and conditions of the BSD > License > which accompanies this distribution. The full text of the license may be > found at > @@ -538,6 +538,13 @@ SmmPerformanceHandlerEx ( > break; > } > > + // > + // The AsmLfence() call here is to ensure the previous range/content > + // checks for the CommBuffer have been completed before calling > + // CopyMem(). > + // > + AsmLfence (); > + > GaugeEntryExArray = (GAUGE_DATA_ENTRY_EX *) (mGaugeData + 1); > > for (Index = 0; Index < NumberOfEntries; Index++) { > @@ -650,6 +657,13 @@ SmmPerformanceHandler ( > break; > } > > + // > + // The AsmLfence() call here is to ensure the previous range/content > + // checks for the CommBuffer have been completed before calling > + // CopyMem(). > + // > + AsmLfence (); > + > GaugeEntryExArray = (GAUGE_DATA_ENTRY_EX *) (mGaugeData + 1); > > for (Index = 0; Index < NumberOfEntries; Index++) { > -- > 2.12.0.windows.1 > > _______________________________________________ > edk2-devel mailing list > [email protected] > https://lists.01.org/mailman/listinfo/edk2-devel _______________________________________________ edk2-devel mailing list [email protected] https://lists.01.org/mailman/listinfo/edk2-devel
