Re: [edk2] [PATCH v1][edk2-platforms/devel-MinPlatform] MinPlatformPkg/Test: [CVE-2017-5753] Fix bounds check bypass

[Yao, Jiewen]

Reviewed-by: jiewen@intel.com

> -Original Message-
> From: Wu, Hao A
> Sent: Sunday, September 30, 2018 1:29 PM
> To: edk2-devel@lists.01.org
> Cc: Wu, Hao A ; Yao, Jiewen 
> Subject: [PATCH v1][edk2-platforms/devel-MinPlatform]
> MinPlatformPkg/Test: [CVE-2017-5753] Fix bounds check bypass
> 
> Speculative execution is used by processor to avoid having to wait for
> data to arrive from memory, or for previous operations to finish, the
> processor may speculate as to what will be executed.
> 
> If the speculation is incorrect, the speculatively executed instructions
> might leave hints such as which memory locations have been brought into
> cache. Malicious actors can use the bounds check bypass method (code
> gadgets with controlled external inputs) to infer data values that have
> been used in speculative operations to reveal secrets which should not
> otherwise be accessed.
> 
> This commit will focus on the SMI handler(s) registered within
> TestPointCheckLib & TestPointLib and insert AsmLfence API to mitigate the
> bounds check bypass issue.
> 
> A. For SMI handler TestPointSmmHandler() within TestPointCheckLib:
> 
> Under "case
> TEST_POINT_SMM_COMMUNICATION_FUNC_ID_UEFI_GCD_MAP_INFO:",
> 'CommBuffer' (controlled external inputs) is passed into function
> TestPointSmmReadyToBootSmmPageProtectionHandler().
> 
> Within function TestPointSmmReadyToBootSmmPageProtectionHandler(),
> the
> contents in 'CommBuffer' will be copied into 'CommData'. But if the size
> and sanity checks for the communication buffer is speculatively bypassed,
> '(UINTN)CommData + CommData->UefiMemoryMapOffset)' can potentially
> point
> to cross boundary area of 'CommData'. This pointer is then passed into
> function TestPointCheckSmmCommunicationBuffer() as 'UefiMemoryMap'.
> 
> Within function TestPointCheckSmmCommunicationBuffer(),
> 'MemoryMap->PhysicalStart' can be a potential cross boundary access. And
> its value can be inferred by function calls sequence:
> 
> TestPointCheckPageTable() via 'BaseAddress'
> GetPageTableEntry() via 'BaseAddress'. Then one can observe which part of
> the content within arrays 'L4PageTable', 'L3PageTable', 'L2PageTable' or
> 'L1PageTable', was brought into cache to possibly reveal the value.
> 
> B. For SMI handler SmmTestPointSmiHandler() within TestPointLib:
> 
> Under "case
> SMI_HANDLER_TEST_POINT_COMMAND_GET_DATA_BY_OFFSET:",
> 'CommBuffer' (controlled external inputs) is passed into function
> SmmTestPointSmiHandlerGetDataByOffset().
> 
> Within function SmmTestPointSmiHandlerGetDataByOffset(), the contents in
> 'CommBuffer' will be copied into 'SmiHandlerTestPointGetDataByOffset'. But
> if the size and sanity checks for the communication buffer is
> speculatively bypassed, 'SmiHandlerTestPointGetDataByOffset.DataSize' can
> be a potential cross boundary access.
> 
> Then in function SmiHandlerTestPointCopyData(), this value can be inferred
> by code:
>   CopyMem(
> DataBuffer,
> (UINT8 *)InputData + *DataOffset,
> (UINTN)*DataSize
> );
> One can observe which part of the content within 'DataBuffer' was brought
> into cache to possibly reveal the cross bounary access value.
> 
> Hence, this commit adds AsmLfence() calls after the boundary/range checks
> of the communication buffer to prevent the speculative execution.
> 
> A more detailed explanation of the purpose of commit is under the
> 'Bounds check bypass mitigation' section of the below link:
> https://software.intel.com/security-software-guidance/insights/host-firmw
> are-speculative-execution-side-channel-mitigation
> 
> And the document at:
> https://software.intel.com/security-software-guidance/api-app/sites/defaul
> t/files/337879-analyzing-potential-bounds-Check-bypass-vulnerabilities.pdf
> 
> Cc: Jiewen Yao 
> Contributed-under: TianoCore Contribution Agreement 1.1
> Signed-off-by: Hao Wu 
> ---
> 
> Platform/Intel/MinPlatformPkg/Test/Library/TestPointCheckLib/SmmTestPoi
> ntCheckLib.c | 7 +++
> 
> Platform/Intel/MinPlatformPkg/Test/Library/TestPointLib/SmmTestPointCo
> mmunication.c | 8 +++-
>  2 files changed, 14 insertions(+), 1 deletion(-)
> 
> diff --git
> a/Platform/Intel/MinPlatformPkg/Test/Library/TestPointCheckLib/SmmTestP
> ointCheckLib.c
> b/Platform/Intel/MinPlatformPkg/Test/Library/TestPointCheckLib/SmmTestP
> ointCheckLib.c
> index b40469b278..dc40dae6d5 100644
> ---
> a/Platform/Intel/MinPlatformPkg/Test/Library/TestPointCheckLib/SmmTestP
> ointCheckLib.c
> +++
> b/Platform/Intel/MinPlatformPkg/Test/Library/TestPointCheckLib/SmmTestP
> ointCheckLib.c
> @@ -14,6 +14,7 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF
> ANY KIND, EITHER EXPRESS OR IMPLIED.
>  #include 
>  #include 
>  #include 
> +#include 
>  #include 
>  #include 
>  #include 
> @@ -374,6 +375,12 @@
> TestPointSmmReadyToBootSmmPageProtectionHandler (
>}
> 
>if (CommData->UefiMemoryMapSize != 0) {
> +//
> +// The AsmLfence() call here is to ensure the previous range/content
> checks
> +// for 

[edk2] [PATCH v1][edk2-platforms/devel-MinPlatform] MinPlatformPkg/Test: [CVE-2017-5753] Fix bounds check bypass

[Hao Wu]

Speculative execution is used by processor to avoid having to wait for
data to arrive from memory, or for previous operations to finish, the
processor may speculate as to what will be executed.

If the speculation is incorrect, the speculatively executed instructions
might leave hints such as which memory locations have been brought into
cache. Malicious actors can use the bounds check bypass method (code
gadgets with controlled external inputs) to infer data values that have
been used in speculative operations to reveal secrets which should not
otherwise be accessed.

This commit will focus on the SMI handler(s) registered within
TestPointCheckLib & TestPointLib and insert AsmLfence API to mitigate the
bounds check bypass issue.

A. For SMI handler TestPointSmmHandler() within TestPointCheckLib:

Under "case TEST_POINT_SMM_COMMUNICATION_FUNC_ID_UEFI_GCD_MAP_INFO:",
'CommBuffer' (controlled external inputs) is passed into function
TestPointSmmReadyToBootSmmPageProtectionHandler().

Within function TestPointSmmReadyToBootSmmPageProtectionHandler(), the
contents in 'CommBuffer' will be copied into 'CommData'. But if the size
and sanity checks for the communication buffer is speculatively bypassed,
'(UINTN)CommData + CommData->UefiMemoryMapOffset)' can potentially point
to cross boundary area of 'CommData'. This pointer is then passed into
function TestPointCheckSmmCommunicationBuffer() as 'UefiMemoryMap'.

Within function TestPointCheckSmmCommunicationBuffer(),
'MemoryMap->PhysicalStart' can be a potential cross boundary access. And
its value can be inferred by function calls sequence:

TestPointCheckPageTable() via 'BaseAddress'
GetPageTableEntry() via 'BaseAddress'. Then one can observe which part of
the content within arrays 'L4PageTable', 'L3PageTable', 'L2PageTable' or
'L1PageTable', was brought into cache to possibly reveal the value.

B. For SMI handler SmmTestPointSmiHandler() within TestPointLib:

Under "case SMI_HANDLER_TEST_POINT_COMMAND_GET_DATA_BY_OFFSET:",
'CommBuffer' (controlled external inputs) is passed into function
SmmTestPointSmiHandlerGetDataByOffset().

Within function SmmTestPointSmiHandlerGetDataByOffset(), the contents in
'CommBuffer' will be copied into 'SmiHandlerTestPointGetDataByOffset'. But
if the size and sanity checks for the communication buffer is
speculatively bypassed, 'SmiHandlerTestPointGetDataByOffset.DataSize' can
be a potential cross boundary access.

Then in function SmiHandlerTestPointCopyData(), this value can be inferred
by code:
  CopyMem(
DataBuffer,
(UINT8 *)InputData + *DataOffset,
(UINTN)*DataSize
);
One can observe which part of the content within 'DataBuffer' was brought
into cache to possibly reveal the cross bounary access value.

Hence, this commit adds AsmLfence() calls after the boundary/range checks
of the communication buffer to prevent the speculative execution.

A more detailed explanation of the purpose of commit is under the
'Bounds check bypass mitigation' section of the below link:
https://software.intel.com/security-software-guidance/insights/host-firmware-speculative-execution-side-channel-mitigation

And the document at:
https://software.intel.com/security-software-guidance/api-app/sites/default/files/337879-analyzing-potential-bounds-Check-bypass-vulnerabilities.pdf

Cc: Jiewen Yao 
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Hao Wu 
---
 
Platform/Intel/MinPlatformPkg/Test/Library/TestPointCheckLib/SmmTestPointCheckLib.c
 | 7 +++
 
Platform/Intel/MinPlatformPkg/Test/Library/TestPointLib/SmmTestPointCommunication.c
 | 8 +++-
 2 files changed, 14 insertions(+), 1 deletion(-)

diff --git 
a/Platform/Intel/MinPlatformPkg/Test/Library/TestPointCheckLib/SmmTestPointCheckLib.c
 
b/Platform/Intel/MinPlatformPkg/Test/Library/TestPointCheckLib/SmmTestPointCheckLib.c
index b40469b278..dc40dae6d5 100644
--- 
a/Platform/Intel/MinPlatformPkg/Test/Library/TestPointCheckLib/SmmTestPointCheckLib.c
+++ 
b/Platform/Intel/MinPlatformPkg/Test/Library/TestPointCheckLib/SmmTestPointCheckLib.c
@@ -14,6 +14,7 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER 
EXPRESS OR IMPLIED.
 #include 
 #include 
 #include 
+#include 
 #include 
 #include 
 #include 
@@ -374,6 +375,12 @@ TestPointSmmReadyToBootSmmPageProtectionHandler (
   }
 
   if (CommData->UefiMemoryMapSize != 0) {
+//
+// The AsmLfence() call here is to ensure the previous range/content checks
+// for the CommBuffer (copied in to CommData) have been completed before
+// calling into TestPointCheckSmmCommunicationBuffer().
+//
+AsmLfence ();
 Result = TRUE;
 
 Status = TestPointCheckSmmCommunicationBuffer (
diff --git 
a/Platform/Intel/MinPlatformPkg/Test/Library/TestPointLib/SmmTestPointCommunication.c
 
b/Platform/Intel/MinPlatformPkg/Test/Library/TestPointLib/SmmTestPointCommunication.c
index cce0538832..b4757da046 100644
---