Google Git
Sign in
fuchsia / third_party / edk2 / b00c4c12944418a7587acf9ff0edb8d1cfc43be4
commitb00c4c12944418a7587acf9ff0edb8d1cfc43be4[log] [tgz]
authorHao Wu <hao.a.wu@intel.com>Thu Nov 15 13:45:29 2018 +0800
committerHao Wu <hao.a.wu@intel.com>Thu Nov 15 15:40:31 2018 +0800
tree0565719de8974c69dd20d5f0e0fb6c2e669c8510
parent169f560a0f9dd485fda70fabd69baf7bd389ddcb [diff]
MdeModulePkg/Variable: [CVE-2017-5753] Fix bounds check bypass

REF:https://bugzilla.tianocore.org/show_bug.cgi?id=1194

Speculative execution is used by processor to avoid having to wait for
data to arrive from memory, or for previous operations to finish, the
processor may speculate as to what will be executed.

If the speculation is incorrect, the speculatively executed instructions
might leave hints such as which memory locations have been brought into
cache. Malicious actors can use the bounds check bypass method (code
gadgets with controlled external inputs) to infer data values that have
been used in speculative operations to reveal secrets which should not
otherwise be accessed.

This commit will focus on the SMI handler(s) registered within the
Variable\RuntimeDxe driver and insert AsmLfence API to mitigate the
bounds check bypass issue.

For SMI handler SmmVariableHandler():

Under "case SMM_VARIABLE_FUNCTION_GET_VARIABLE:",
'SmmVariableHeader->NameSize' can be a potential cross boundary access of
the 'CommBuffer' (controlled external input) during speculative execution.

This cross boundary access is later used as the index to access array
'SmmVariableHeader->Name' by code:
"SmmVariableHeader->Name[SmmVariableHeader->NameSize/sizeof (CHAR16) - 1]"
One can observe which part of the content within array was brought into
cache to possibly reveal the value of 'SmmVariableHeader->NameSize'.

Hence, this commit adds a AsmLfence() after the boundary/range checks of
'CommBuffer' to prevent the speculative execution.

And there are 1 similar case under
"case SMM_VARIABLE_FUNCTION_SET_VARIABLE:" as well. This commits also
handles it.

A more detailed explanation of the purpose of commit is under the
'Bounds check bypass mitigation' section of the below link:
https://software.intel.com/security-software-guidance/insights/host-firmware-speculative-execution-side-channel-mitigation

And the document at:
https://software.intel.com/security-software-guidance/api-app/sites/default/files/337879-analyzing-potential-bounds-Check-bypass-vulnerabilities.pdf

Cc: Jiewen Yao <jiewen.yao@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Hao Wu <hao.a.wu@intel.com>
Reviewed-by: Star Zeng <star.zeng@intel.com>
Acked-by: Laszlo Ersek <lersek@redhat.com>
Regression-tested-by: Laszlo Ersek <lersek@redhat.com>
(cherry picked from commit e83d841fdc2878959185c4c6cc38a7a1e88377a4)
1 file changed
tree: 0565719de8974c69dd20d5f0e0fb6c2e669c8510
  1. AppPkg/
  2. ArmPkg/
  3. ArmPlatformPkg/
  4. BaseTools/
  5. BeagleBoardPkg/
  6. Conf/
  7. CryptoPkg/
  8. DuetPkg/
  9. EdkCompatibilityPkg/
  10. EdkShellBinPkg/
  11. EdkShellPkg/
  12. EmbeddedPkg/
  13. EmulatorPkg/
  14. FatBinPkg/
  15. IntelFrameworkModulePkg/
  16. IntelFrameworkPkg/
  17. IntelFspPkg/
  18. IntelFspWrapperPkg/
  19. MdeModulePkg/
  20. MdePkg/
  21. NetworkPkg/
  22. Nt32Pkg/
  23. Omap35xxPkg/
  24. OptionRomPkg/
  25. OvmfPkg/
  26. PcAtChipsetPkg/
  27. PerformancePkg/
  28. SecurityPkg/
  29. ShellBinPkg/
  30. ShellPkg/
  31. SourceLevelDebugPkg/
  32. StdLib/
  33. StdLibPrivateInternalFiles/
  34. UefiCpuPkg/
  35. UnixPkg/
  36. Vlv2DeviceRefCodePkg/
  37. Vlv2TbltDevicePkg/
  38. BuildNotes2.txt
  39. Edk2Setup.bat
  40. edksetup.bat
  41. edksetup.sh