Google Git
Sign in
fuchsia / third_party / edk2 / refs/heads/upstream/UDK2015
commitf7defccaecd625f77225abbbce7658ed02af21c4[log] [tgz]
authorHao Wu <hao.a.wu@intel.com>Fri Nov 09 10:10:43 2018 +0800
committerHao Wu <hao.a.wu@intel.com>Wed Nov 21 09:33:45 2018 +0800
treecce89e66eb5f88583424f54a66ceddfccd8a0345
parent72d299c376f7f9df2e65c9015020218614ba145b [diff]
SecurityPkg/OpalPWSupportLib: [CVE-2017-5753] Fix bounds check bypass

REF:https://bugzilla.tianocore.org/show_bug.cgi?id=1194

Speculative execution is used by processor to avoid having to wait for
data to arrive from memory, or for previous operations to finish, the
processor may speculate as to what will be executed.

If the speculation is incorrect, the speculatively executed instructions
might leave hints such as which memory locations have been brought into
cache. Malicious actors can use the bounds check bypass method (code
gadgets with controlled external inputs) to infer data values that have
been used in speculative operations to reveal secrets which should not
otherwise be accessed.

This commit will focus on the SMI handler(s) registered within the
OpalPasswordSupportLib and insert AsmLfence API to mitigate the bounds
check bypass issue.

For SMI handler SmmOpalPasswordHandler():

Under "case SMM_FUNCTION_SET_OPAL_PASSWORD:",
'&DeviceBuffer->OpalDevicePath' can points to a potential cross boundary
access of the 'CommBuffer' (controlled external inputs) during speculative
execution. This cross boundary access pointer is later passed as parameter
'DevicePath' into function OpalSavePasswordToSmm().

Within function OpalSavePasswordToSmm(), 'DevicePathLen' is an access to
the content in 'DevicePath' and can be inferred by code:
"CompareMem (&List->OpalDevicePath, DevicePath, DevicePathLen)". One can
observe which part of the content within either '&List->OpalDevicePath' or
'DevicePath' was brought into cache to possibly reveal the value of
'DevicePathLen'.

Hence, this commit adds a AsmLfence() after the boundary/range checks of
'CommBuffer' to prevent the speculative execution.

A more detailed explanation of the purpose of commit is under the
'Bounds check bypass mitigation' section of the below link:
https://software.intel.com/security-software-guidance/insights/host-firmware-speculative-execution-side-channel-mitigation

And the document at:
https://software.intel.com/security-software-guidance/api-app/sites/default/files/337879-analyzing-potential-bounds-Check-bypass-vulnerabilities.pdf

Cc: Star Zeng <star.zeng@intel.com>
Cc: Chao Zhang <chao.b.zhang@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Hao Wu <hao.a.wu@intel.com>
Reviewed-by: Eric Dong <eric.dong@intel.com>
1 file changed
tree: cce89e66eb5f88583424f54a66ceddfccd8a0345
  1. AppPkg/
  2. ArmPkg/
  3. ArmPlatformPkg/
  4. ArmVirtPkg/
  5. BaseTools/
  6. BeagleBoardPkg/
  7. Conf/
  8. CorebootModulePkg/
  9. CorebootPayloadPkg/
  10. CryptoPkg/
  11. DuetPkg/
  12. EdkCompatibilityPkg/
  13. EdkShellBinPkg/
  14. EdkShellPkg/
  15. EmbeddedPkg/
  16. EmulatorPkg/
  17. FatBinPkg/
  18. IntelFrameworkModulePkg/
  19. IntelFrameworkPkg/
  20. IntelFsp2Pkg/
  21. IntelFsp2WrapperPkg/
  22. IntelFspPkg/
  23. IntelFspWrapperPkg/
  24. IntelSiliconPkg/
  25. MdeModulePkg/
  26. MdePkg/
  27. NetworkPkg/
  28. Nt32Pkg/
  29. Omap35xxPkg/
  30. OptionRomPkg/
  31. OvmfPkg/
  32. PcAtChipsetPkg/
  33. PerformancePkg/
  34. SecurityPkg/
  35. ShellBinPkg/
  36. ShellPkg/
  37. SourceLevelDebugPkg/
  38. StdLib/
  39. StdLibPrivateInternalFiles/
  40. UefiCpuPkg/
  41. UnixPkg/
  42. Vlv2DeviceRefCodePkg/
  43. Vlv2TbltDevicePkg/
  44. .gitignore
  45. BuildNotes2.txt
  46. Edk2Setup.bat
  47. edksetup.bat
  48. edksetup.sh
  49. Maintainers.txt