Got it, thanks. Reviewed-by: Star Zeng <star.z...@intel.com>
Star -----Original Message----- From: Wu, Hao A Sent: Saturday, September 29, 2018 2:21 PM To: Zeng, Star <star.z...@intel.com>; edk2-devel@lists.01.org Cc: Yao, Jiewen <jiewen....@intel.com> Subject: RE: [PATCH v2 2/5] MdeModulePkg/FaultTolerantWrite:[CVE-2017-5753]Fix bounds check bypass > -----Original Message----- > From: Zeng, Star > Sent: Saturday, September 29, 2018 2:11 PM > To: Wu, Hao A; edk2-devel@lists.01.org > Cc: Yao, Jiewen; Zeng, Star > Subject: RE: [PATCH v2 2/5] MdeModulePkg/FaultTolerantWrite:[CVE-2017- > 5753]Fix bounds check bypass > > Please double check whether the AsmLfence calling should be before the > line below. > > PrivateData = (VOID *)&SmmFtwWriteHeader->Data[Length]; Hi, The above code is getting the address of a possible cross bounday access during the speculative execution. I also checked that the subsequent usage of 'PrivateData' does not have a code pattern of the 'Bounds check bypass' issue. So I think the AsmLfence() is not needed here. Best Regards, Hao Wu > > > Thanks, > Star > -----Original Message----- > From: Wu, Hao A > Sent: Tuesday, September 25, 2018 2:13 PM > To: edk2-devel@lists.01.org > Cc: Wu, Hao A <hao.a...@intel.com>; Yao, Jiewen > <jiewen....@intel.com>; Zeng, Star <star.z...@intel.com> > Subject: [PATCH v2 2/5] MdeModulePkg/FaultTolerantWrite:[CVE-2017- > 5753]Fix bounds check bypass > > REF:https://bugzilla.tianocore.org/show_bug.cgi?id=1194 > > Speculative execution is used by processor to avoid having to wait for > data to arrive from memory, or for previous operations to finish, the > processor may speculate as to what will be executed. > > If the speculation is incorrect, the speculatively executed > instructions might leave hints such as which memory locations have been > brought into cache. > Malicious actors can use the bounds check bypass method (code gadgets > with controlled external inputs) to infer data values that have been > used in speculative operations to reveal secrets which should not > otherwise be accessed. > > This commit will focus on the SMI handler(s) registered within the > FaultTolerantWriteDxe driver and insert AsmLfence API to mitigate the > bounds check bypass issue. > > For SMI handler SmmFaultTolerantWriteHandler(): > > Under "case FTW_FUNCTION_WRITE:", 'SmmFtwWriteHeader->Length' can be a > potential cross boundary access of the 'CommBuffer' (controlled > external > inputs) during speculative execution. This cross boundary access is > later passed as parameter 'Length' into function FtwWrite(). > > Within function FtwWrite(), the value of 'Length' can be inferred by code: > "CopyMem (MyBuffer + Offset, Buffer, Length);". One can observe which > part of the content within 'Buffer' was brought into cache to possibly > reveal the value of 'Length'. > > Hence, this commit adds a AsmLfence() after the boundary/range checks > of 'CommBuffer' to prevent the speculative execution. > > A more detailed explanation of the purpose of commit is under the > 'Bounds check bypass mitigation' section of the below link: > https://software.intel.com/security-software-guidance/insights/host-fi > rmware- speculative-execution-side-channel-mitigation > > And the document at: > https://software.intel.com/security-software-guidance/api- > app/sites/default/files/337879-analyzing-potential-bounds-Check-bypass > - > vulnerabilities.pdf > > Cc: Jiewen Yao <jiewen....@intel.com> > Cc: Star Zeng <star.z...@intel.com> > Contributed-under: TianoCore Contribution Agreement 1.1 > Signed-off-by: Hao Wu <hao.a...@intel.com> > --- > MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteSmm.c > | 7 +++++++ > > MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteSmm.inf > | 1 + > 2 files changed, 8 insertions(+) > > diff --git > a/MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteSmm.c > b/MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteSmm.c > index 632313f076..27fcab19b6 100644 > --- > a/MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteSmm.c > +++ > b/MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteSmm > +++ .c > @@ -57,6 +57,7 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, > EITHER EXPRESS OR IMPLIED. > #include <PiSmm.h> > #include <Library/SmmServicesTableLib.h> #include > <Library/SmmMemLib.h> > +#include <Library/BaseLib.h> > #include <Protocol/SmmSwapAddressRange.h> #include > "FaultTolerantWrite.h" > #include "FaultTolerantWriteSmmCommon.h" > @@ -417,6 +418,12 @@ SmmFaultTolerantWriteHandler ( > &SmmFvbHandle > ); > if (!EFI_ERROR (Status)) { > + // > + // The AsmLfence() call here is to ensure the previous range/content > + // checks for the CommBuffer have been completed before calling into > + // FtwWrite(). > + // > + AsmLfence (); > Status = FtwWrite( > &mFtwDevice->FtwInstance, > SmmFtwWriteHeader->Lba, diff --git > a/MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteSmm.i > n > f > b/MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteSmm.i > n > f > index 85d109e8d9..606cc2266b 100644 > --- > a/MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteSmm.i > n > f > +++ > b/MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteSmm > +++ .inf > @@ -55,6 +55,7 @@ > PcdLib > ReportStatusCodeLib > SmmMemLib > + BaseLib > > [Guids] > # > -- > 2.12.0.windows.1 _______________________________________________ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel