Ruiyu Ni [Thu, 13 Sep 2018 08:09:10 +0000 (16:09 +0800)]
MdeModulePkg/UsbMouse: Don't access key codes when length is wrong
Per USB HID spec, the buffer holding key codes should at least 3-byte
long.
Today's code assumes that the key codes buffer length is longer than
3-byte and unconditionally accesses the key codes buffer.
It's incorrect.
The patch fixes the issue by returning Device Error when the
length is less than 3-byte.
Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Ruiyu Ni <ruiyu.ni@intel.com> Cc: Star Zeng <star.zeng@intel.com> Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Steven Shi <steven.shi@intel.com> Reviewed-by: Star Zeng <star.zeng@intel.com>
Ruiyu Ni [Thu, 13 Sep 2018 08:06:52 +0000 (16:06 +0800)]
MdeModulePkg/AbsPointer: Don't access key codes when length is wrong
Per USB HID spec, the buffer holding key codes should at least 3-byte
long.
Today's code assumes that the key codes buffer length is longer than
3-byte and unconditionally accesses the key codes buffer.
It's incorrect.
The patch fixes the issue by returning Device Error when the
length is less than 3-byte.
Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Ruiyu Ni <ruiyu.ni@intel.com> Cc: Star Zeng <star.zeng@intel.com> Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Steven Shi <steven.shi@intel.com> Reviewed-by: Star Zeng <star.zeng@intel.com>
Ruiyu Ni [Thu, 13 Sep 2018 07:49:23 +0000 (15:49 +0800)]
MdeModulePkg/UsbKb: Don't access key codes when length is wrong
Per USB HID spec, the buffer holding key codes should be 8-byte
long.
Today's code assumes that the key codes buffer length is 8-byte
long and unconditionally accesses the key codes buffer.
It's incorrect.
The patch fixes the issue by returning Device Error when the
length is less than 8-byte.
Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Ruiyu Ni <ruiyu.ni@intel.com> Cc: Star Zeng <star.zeng@intel.com> Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Steven Shi <steven.shi@intel.com> Reviewed-by: Star Zeng <star.zeng@intel.com>
Ruiyu Ni [Thu, 27 Sep 2018 08:34:36 +0000 (16:34 +0800)]
MdeModulePkg/UsbBus: Fix out-of-bound read access to descriptors
Today's implementation reads the Type/Length field in the USB
descriptors data without checking whether the offset to read is
beyond the data boundary.
The patch fixes this issue.
Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Ruiyu Ni <ruiyu.ni@intel.com> Cc: Star Zeng <star.zeng@intel.com> Cc: Jiewen Yao <jiewen.yao@intel.com> Reviewed-by: Star Zeng <star.zeng@intel.com>
Ruiyu Ni [Tue, 11 Sep 2018 10:13:05 +0000 (18:13 +0800)]
MdeModulePkg/UsbMass: Fix integer overflow when BlockSize is 1
UsbBootReadWriteBlocks() and UsbBootReadWriteBlocks16() use a UINT16
local variable to hold the value of
USB_BOOT_MAX_CARRY_SIZE (=0x10000) / BlockSize.
When BlockSize is 1, the UINT16 local variable is set to 0x10000
but the high-16 bits are truncated resulting the final value be 0.
It causes the while-loop in the two functions accesses 0 block in
each loop, resulting the loop never ends.
The patch fixes the two functions to make sure no integer overflow
happens.
Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Ruiyu Ni <ruiyu.ni@intel.com> Cc: Star Zeng <star.zeng@intel.com> Cc: Steven Shi <steven.shi@intel.com> Reviewed-by: Star Zeng <star.zeng@intel.com>
Wonkyu Kim [Mon, 15 Oct 2018 22:44:45 +0000 (06:44 +0800)]
CorebootPayloadPkg: don't use serial output for Release build
Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Wonkyu Kim <wonkyu.kim@intel.com> Reviewed-by: Maurice Ma <maurice.ma@intel.com> Reviewed-by: Benjamin You <benjamin.you@intel.com>
zhijufan [Mon, 15 Oct 2018 01:02:31 +0000 (09:02 +0800)]
BaseTools: Add check for the string type whether is same
Relational and equality operators require both operands to be of
the same type.
Treat the string 'A' and "A" as same type, but for "A" and L"A"
are not same type since one is general string, another is unicode
string.
The commit 84a52d4d030185a44f2d8736142c6f0b19c6e9b1 will introduce
the new issue "Invalid offset value for Dynamic Vpd PCD". This patch
will fix the new issue, add 'DEFAULT' sku in to the AvailableSkuIdSet
variable.
BaseTools: Convert string value of void* pcd in command line to array.
For void* type pcd in command line, if its value is string, then
convert the string value to array format. For example,
build --pcd gUefiOvmfPkgTokenSpaceGuid.PcdTest="c",
convert the pcd value from "c" to "{0x63,0x00}".
BaseTools: add ASSERT checker for array buffer value assignment.
V3:
Update the error message for array checker.
V2:
1. Add comments for each ASSERT.
2. ASSERT need to skip the case of array size of array as zero. For
example, TestArray[] in struct in header file.
V1:
For structure PCD,
1. use compiler time assert to check the array index, report error
if array index exceeds the array number.
2. use compiler time assert to check the array size, report error
if the user declared size in header file is smaller than the user
defined in DEC/DSC file.
There are five check not necessary in logic ,just for pass static
analysis. More detail please refer to comment in code.
And the rest changes are all accepted by owner, they are reasonable.
BaseTools: Add --uefi option to enable UefiCompress method
Add one new option --uefi to enable UefiCompress.
(re-add this patch since it be reverted in Python3 migration patches,
but this patch is not related with Python3)
Yonghong Zhu [Mon, 15 Oct 2018 06:51:55 +0000 (14:51 +0800)]
BaseTools: Enhance the *P Flag display for Structure Pcd
Cover the case:
1.only define the structure Pcd in DEC file, it should not have any
Flag.
2.In the DEC file and DSC file only have the PCD's default value, and
without the field value, it should have *P Flag.
(re-add this patch since it be reverted in Python3 migration patches,
but this patch is not related with Python3)
Yunhua Feng [Wed, 10 Oct 2018 06:54:49 +0000 (14:54 +0800)]
BaseTools: increment build generate inf file lost .depex file
increment build generate inf file in output directory lost .depex file info.
(re-add this patch since it be reverted in Python3 migration patches,
but this check is not related with Python3)
the PyUtility is not used, so we remove it.
(re-add this patch since it be reverted in Python3 migration patches,
but this check is not related with Python3)
Eric Dong [Mon, 15 Oct 2018 00:30:37 +0000 (08:30 +0800)]
UefiCpuPkg/S3Resume2Pei: disable paging before creating new page table.
V5:
1. Add ASSERT to indicate this assumption that environment is 32 bit mode.
2. Add description in INF about this driver's expected result
in different environment.
V4:
Only disable paging when it is enabled.
V3 changes:
No need to change inf file.
V2 changes:
Only disable paging in 32 bit mode, no matter it is enable or not.
V1 changes:
PEI Stack Guard needs to enable paging. This might cause #GP if code
trying to write CR3 register with PML4 page table while the processor
is enabled with PAE paging.
Simply disabling paging before updating CR3 can solve this conflict.
Python3 migration is the fundamental change. It requires every developer
to install Python3. Before this migration, the well communication and wide
verification must be done. But now, most people is not aware of this change,
and not try it. So, Python3 migration is reverted and be moved to edk2-staging
Python3 branch for the edk2 user evaluation.
Yonghong Zhu [Tue, 9 Oct 2018 08:12:35 +0000 (16:12 +0800)]
BaseTools: Not compare the VOID* difference in the DSC and DEC file
For structure Pcd, the type defined in the DEC file is the struct name
while if this Pcd used in the DSC file, it should add VOID* keywords
when it have max size info. so this patch filter the type compare for
this case.
Yonghong Zhu [Thu, 11 Oct 2018 07:04:41 +0000 (15:04 +0800)]
BaseTools: Enhance the *P Flag display for Structure Pcd
Cover the case:
1.only define the structure Pcd in DEC file, it should not have any
Flag.
2.In the DEC file and DSC file only have the PCD's default value, and
without the field value, it should have *P Flag.
Yunhua Feng [Fri, 24 Aug 2018 08:39:14 +0000 (16:39 +0800)]
BaseTools: Fix some build and report file issue
1. increment build not skip make file when not change any file
2. report file generate abundant blank line
3. Build encounter Database is locked on some platform, using database
auto commit
4. Fv BaseAddress must have if set
Yunhua Feng [Tue, 14 Aug 2018 07:57:47 +0000 (15:57 +0800)]
BaseTools: change the Division Operator in the expression
PEP 238 -- Changing the Division Operator
x/y to return a reasonable approximation of the mathematical result
of the division ("true division")
x//y to return the floor ("floor division")
Sami Mujawar [Tue, 9 Oct 2018 15:35:22 +0000 (16:35 +0100)]
ArmPkg: Add support for GICv4
Updated Redistributor base calculation to allow for the fact that
GICv4 has 2 additional 64KB frames (for VLPI and a reserved frame).
The code now tests the VLPIS bit in the GIC Redistributor Type
Register (GICR_TYPER) and calculates the Redistributor granularity
accordingly.
The code changes are:
GICR_TYPER register fields, etc, added to the header.
Loop updated to pay attention to GICR_TYPER.Last.
Derive frame "stride" size from GICR_TYPER.VLPIS.
Note: The assumption is that the redistributors are adjacent for
all CPUs. However this may not be the case for NUMA systems.
Jeff Brasen [Tue, 9 Oct 2018 17:50:36 +0000 (01:50 +0800)]
MdeModulePkg/SdMmcPciHcDxe: Add controller version defines
Add SDHCI controller defines, this is useful as the version in the
register does not explictly map to a specification version. For example
vesion 4.10 of the specification is version 0x04.
When converting DebugPort device path from text,
current code use VENDOR_DEFINED_MESSAGING_DEVICE_PATH structure
for Debug port device node.
typedef struct {
EFI_DEVICE_PATH_PROTOCOL Header;
EFI_GUID Guid;
UINT8 VendorDefinedData[1];
} VENDOR_DEFINED_MESSAGING_DEVICE_PATH;
And Debugport Device Path is a vendor-defined messaging
device path with no data, only a GUID. So it's better to
use VENDOR_DEVICE_PATH to create the Debug port device node.
typedef struct {
EFI_DEVICE_PATH_PROTOCOL Header;
EFI_GUID Guid;
} VENDOR_DEVICE_PATH;
Cc: Ruiyu Ni <ruiyu.ni@intel.com> Cc: Michael D Kinney <michael.d.kinney@intel.com> Cc: Liming Gao <liming.gao@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Dandan Bi <dandan.bi@intel.com> Reviewed-by: Ruiyu Ni <ruiyu.ni@intel.com>
The loop that removes "xxxx\..\" errs when multiple "\.." sequences are
in the path. Before this change the code would modify a path like
"FS0:\efi\tools\..\.." to "FS0:\efi\\.." and then to "FS0:\efi\", but
the correct path is "FS0:\".
You can test the effect of this change in the shell by setting the
current directory to something like FS0:\efi\boot and then executing
the command "ls ..\..". Before the change you will see the files in
the FS0:\efi directory; after the change, you will see the files in
the root directory of FS0:.
Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Jim Dailey <jim_dailey@dell.com> Reviewed-by: Ruiyu Ni <ruiyu.ni@intel.com>
Guo, Dongao [Wed, 10 Oct 2018 07:39:03 +0000 (15:39 +0800)]
MdeModulePkg/RegularExpressionDxe:disable wraning to pass gcc4.8 build
There are three warnings reported by GCC 4.8 and the later GCC release
are workaround with them.
And all the three warnings are invalid,so I just disable warnings rather
than fix them at now.
Following is the analysis from Laszlo Ersek.
(1)
> MdeModulePkg/Universal/RegularExpressionDxe/Oniguruma/regcomp.c: In
> function 'compile_length_tree':
> MdeModulePkg/Universal/RegularExpressionDxe/Oniguruma/regcomp.c:1516:7:
> warning: 'len' may be used uninitialized in this function
> [-Wmaybe-uninitialized]
> int len;
> ^
I think this is an invalid warning; the type of the controlling expression
(node->type) is enum GimmickType, and the case labels cover all values of
the enum. An assert(0) could be added, I guess, but again, upstream
Oniguruma would be justified to reject the idea.
(2)
> MdeModulePkg/Universal/RegularExpressionDxe/Oniguruma/regparse.c: In
> function 'parse_callout_args.isra.10.constprop.30':
> MdeModulePkg/Universal/RegularExpressionDxe/Oniguruma/regparse.c:6753:25:
> warning: 'rl' may be used uninitialized in this function
> [-Wmaybe-uninitialized]
> vals[n].l = rl;
> ^
This warning is invalid, given:
6749 if (cn > 0) {
6750 long rl;
6751 r = parse_long(enc, buf, bufend, 1, LONG_MAX, &rl);
6752 if (r == ONIG_NORMAL) {
6753 vals[n].l = rl;
Because parse_long() only returns ONIG_NORMAL after it sets (*rl).
(3)
> MdeModulePkg/Universal/RegularExpressionDxe/Oniguruma/regparse.c: In
> function 'parse_callout_of_name.constprop.29':
> MdeModulePkg/Universal/RegularExpressionDxe/Oniguruma/regparse.c:6861:38:
> warning: 'tag_end' may be used uninitialized in this function
> [-Wmaybe-uninitialized]
> if (! is_allowed_callout_tag_name(enc, tag_start, tag_end))
This warning is also invalid, given:
6852 if (c == '[') {
6853 if (PEND) return ONIGERR_END_PATTERN_IN_GROUP;
6854 tag_start = p;
6855 while (! PEND) {
6856 if (PEND) return ONIGERR_END_PATTERN_IN_GROUP;
6857 tag_end = p;
6858 PFETCH_S(c);
6859 if (c == ']') break;
6860 }
6861 if (! is_allowed_callout_tag_name(enc, tag_start, tag_end))
6862 return ONIGERR_INVALID_CALLOUT_TAG_NAME;
6863
To see that, first we should note:
#define PEND (p < end ? 0 : 1)
therefore PEND doesn't change if neither "p" nor "end" change.
Second, when we reach line 6855 (the "while") for the very first time,
(!PEND) is certainly true (i.e., PEND is false), because otherwise we
would have bailed at line 6853. Therefore we reach line 6857, and assign
"tag_end". Regardless of whether we iterate zero or more *additional*
times around the loop, "tag_end" will have been set, whenever we reach
line 6861.
Currently, the implementation of EFI_PCI_IO_PROTOCOL::GetLocation()
in NonDiscoverablePciDeviceDxe returns the same set of dummy values
for each instance of the NON_DISCOVERABLE_DEVICE protocol that it
attaches itself to. However, this turns out to be causing problems
in cases where software (such as the ARM Compliance Test Suite [ACS])
attempts to use these values to uniquely identify controllers, since
the collisions create ambiguity in this regard.
So let's modify GetLocation() to return an arbitrary bus/device tuple
on segment 0xff instead. This is guaranteed not to clash with other
non-discoverable PCI devices, and highly unlikely to clash with real
PCIe devices.
Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org> Tested-by: Marcin Wojtas <mw@semihalf.com> Reviewed-by: Star Zeng <star.zeng@intel.com>
According to UEFI spec,for ACPI Expanded Device Path
when HID=PNP0A03 or CID=PNP0A03 and HID != PNP0A08,
the device path node can be displayed as: PciRoot(UID|UIDSTR)
When HID=PNP0A08 or CID=PNP0A08, the device path node can be
displayed as: PcieRoot(UID|UIDSTR). But current code miss the
code logic.
This commit is to do the enhancement.
Cc: Ruiyu Ni <ruiyu.ni@intel.com> Cc: Michael D Kinney <michael.d.kinney@intel.com> Cc: Liming Gao <liming.gao@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Dandan Bi <dandan.bi@intel.com> Reviewed-by: Ruiyu Ni <ruiyu.ni@intel.com>
According to UEFI Spec, for ACPI Expanded Device Path,
when HIDSTR=empty, CIDSTR=empty, UID STR!=empty,
the ACPI Expanded Device Path node can be displayed as
AcpiExp(HID,CID,UIDSTR) format.
And if UID is 0 and UIDSTR is empty, then use AcpiEx format.
This patch is to correct the condition check to follow UEFI
Spec when convert the device path node to the AcpiExp text
format.
Cc: Ruiyu Ni <ruiyu.ni@intel.com> Cc: Michael D Kinney <michael.d.kinney@intel.com> Cc: Liming Gao <liming.gao@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Dandan Bi <dandan.bi@intel.com> Reviewed-by: Ruiyu Ni <ruiyu.ni@intel.com>
According to UEFI Spec, ACPI Expanded Device Path can be display
AcpiEx(HID|HIDSTR,(CID|CIDSTR,UID|UIDSTR)), but current code display
UID|UIDSTR before CID|CIDSTR.
This patch is to fix this issue.
Cc: Ruiyu Ni <ruiyu.ni@intel.com> Cc: Michael D Kinney <michael.d.kinney@intel.com> Cc: Liming Gao <liming.gao@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Dandan Bi <dandan.bi@intel.com> Reviewed-by: Ruiyu Ni <ruiyu.ni@intel.com>
According to UEFI spec, the string expression of UTF8 vendor
device node should be displayed as: VenUtf8(). Current code
display it as: VenUft8() by mistake when convert device
path node to text.
This commit is to fix this bug.
Cc: Ruiyu Ni <ruiyu.ni@intel.com> Cc: Michael D Kinney <michael.d.kinney@intel.com> Cc: Liming Gao <liming.gao@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Dandan Bi <dandan.bi@intel.com> Reviewed-by: Ruiyu Ni <ruiyu.ni@intel.com>
When covert IFR binary to EFI_IFR_CHECKBOX structure,
Current code has following incorrect code logic:
IfrCheckBox = (EFI_IFR_CHECKBOX *) (IfrOpHdr + 1);
The correct one should be:
IfrCheckBox = (EFI_IFR_CHECKBOX *) IfrOpHdr;
1. The bug is in function "UpdateDefaultSettingInFormPackage()"
which is to update the default setting of some HII Questions
in the IFR binary data. So it only has impact when platform
overrides default setting in HII VarStore through DynamicHii
PCD setting in Platform DSC file. If platform doesn't
override default setting, it has no impact.
2. The implementation updates the "Flags" filed in the
EFI_IFR_CHECKBOX structure to update the default
setting of checkbox.
If using "IfrCheckBox = (EFI_IFR_CHECKBOX *) (IfrOpHdr + 1);"
when wants to update the " Flags" filed in checkbox,
but in fact it will update the opcode binary
data(opcode binary length) behind checkbox binary.
And then it will cause Browser can't parse the IFR
binary data correctly. And then the possible symptom
is that some HII Question and forms may be not parsed
and then cannot be shown.
This is for conformance with the TCG "Platform Reset Attack Mitigation
Specification". Because clearing the CPU caches at boot doesn't impact
performance significantly, do it unconditionally, for simplicity's
sake.
Flush the cache on all logical processors, thanks to
EFI_PEI_MP_SERVICES_PPI and CacheMaintenanceLib.
Cc: Jordan Justen <jordan.l.justen@intel.com> Cc: Laszlo Ersek <lersek@redhat.com> Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org> Cc: Anthony Perard <anthony.perard@citrix.com> Cc: Julien Grall <julien.grall@linaro.org>
Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com> Tested-by: Anthony PERARD <anthony.perard@citrix.com> Reviewed-by: Laszlo Ersek <lersek@redhat.com> Regression-tested-by: Laszlo Ersek <lersek@redhat.com> Reviewed-by: Michael D Kinney <michael.d.kinney@intel.com>
[lersek@redhat.com: remove bogus Message-Id line from commit msg]
ShellPkg: Create a homefilesystem environment variable
Create a homefilesystem environment variable whose value is the file
system on which the executing shell is located. For example: "FS14:".
This eliminates the need for people to have to try and find the "boot"
file system in their startup script. After this change they can simply
execute %homefilesystem% to set the cwd to the root of the file system
where the shell is located.
A future enhancement could be to add "homefilesystem" to the list of
predefined, read-only variables listed in the EfiShellSetEnv function of
file ShellProtocol.c
Speculative execution is used by processor to avoid having to wait for
data to arrive from memory, or for previous operations to finish, the
processor may speculate as to what will be executed.
If the speculation is incorrect, the speculatively executed instructions
might leave hints such as which memory locations have been brought into
cache. Malicious actors can use the bounds check bypass method (code
gadgets with controlled external inputs) to infer data values that have
been used in speculative operations to reveal secrets which should not
otherwise be accessed.
It is possible for SMI handler(s) to call EFI_SMM_CPU_PROTOCOL service
ReadSaveState() and use the content in the 'CommBuffer' (controlled
external inputs) as the 'CpuIndex'. So this commit will insert AsmLfence
API to mitigate the bounds check bypass issue within SmmReadSaveState().
For SmmReadSaveState():
The 'CpuIndex' will be passed into function ReadSaveStateRegister(). And
then in to ReadSaveStateRegisterByIndex().
With the call:
ReadSaveStateRegisterByIndex (
CpuIndex,
SMM_SAVE_STATE_REGISTER_IOMISC_INDEX,
sizeof(IoMisc.Uint32),
&IoMisc.Uint32
);
The 'IoMisc' can be a cross boundary access during speculative execution.
Later, 'IoMisc' is used as the index to access buffers 'mSmmCpuIoWidth'
and 'mSmmCpuIoType'. One can observe which part of the content within
those buffers was brought into cache to possibly reveal the value of
'IoMisc'.
Hence, this commit adds a AsmLfence() after the check of 'CpuIndex'
within function SmmReadSaveState() to prevent the speculative execution.
A more detailed explanation of the purpose of commit is under the
'Bounds check bypass mitigation' section of the below link:
https://software.intel.com/security-software-guidance/insights/host-firmware-speculative-execution-side-channel-mitigation
And the document at:
https://software.intel.com/security-software-guidance/api-app/sites/default/files/337879-analyzing-potential-bounds-Check-bypass-vulnerabilities.pdf
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Hao Wu <hao.a.wu@intel.com> Reviewed-by: Jiewen Yao <jiewen.yao@intel.com> Reviewed-by: Eric Dong <eric.dong@intel.com> Acked-by: Laszlo Ersek <lersek@redhat.com> Regression-tested-by: Laszlo Ersek <lersek@redhat.com>
Speculative execution is used by processor to avoid having to wait for
data to arrive from memory, or for previous operations to finish, the
processor may speculate as to what will be executed.
If the speculation is incorrect, the speculatively executed instructions
might leave hints such as which memory locations have been brought into
cache. Malicious actors can use the bounds check bypass method (code
gadgets with controlled external inputs) to infer data values that have
been used in speculative operations to reveal secrets which should not
otherwise be accessed.
This commit will focus on the SMI handler(s) registered within the
Variable\RuntimeDxe driver and insert AsmLfence API to mitigate the
bounds check bypass issue.
For SMI handler SmmVariableHandler():
Under "case SMM_VARIABLE_FUNCTION_GET_VARIABLE:",
'SmmVariableHeader->NameSize' can be a potential cross boundary access of
the 'CommBuffer' (controlled external input) during speculative execution.
This cross boundary access is later used as the index to access array
'SmmVariableHeader->Name' by code:
"SmmVariableHeader->Name[SmmVariableHeader->NameSize/sizeof (CHAR16) - 1]"
One can observe which part of the content within array was brought into
cache to possibly reveal the value of 'SmmVariableHeader->NameSize'.
Hence, this commit adds a AsmLfence() after the boundary/range checks of
'CommBuffer' to prevent the speculative execution.
And there are 2 similar cases under
"case SMM_VARIABLE_FUNCTION_SET_VARIABLE:" and
"case SMM_VARIABLE_FUNCTION_VAR_CHECK_VARIABLE_PROPERTY_GET:" as well.
This commits also handles them.
Also, under "case SMM_VARIABLE_FUNCTION_SET_VARIABLE:",
'(UINT8 *)SmmVariableHeader->Name + SmmVariableHeader->NameSize' points to
the 'CommBuffer' (with some offset) and then passed as parameter 'Data' to
function VariableServiceSetVariable().
Within function VariableServiceSetVariable(), there is a sanity check for
EFI_VARIABLE_AUTHENTICATION_2 descriptor for the data pointed by 'Data'.
If this check is speculatively bypassed, potential cross-boundary data
access for 'Data' is possible to be revealed via the below function calls
sequence during speculative execution:
AuthVariableLibProcessVariable()
ProcessVarWithPk() or ProcessVarWithKek()
Within function ProcessVarWithPk() or ProcessVarWithKek(), for the code
"PayloadSize = DataSize - AUTHINFO2_SIZE (Data);", 'AUTHINFO2_SIZE (Data)'
can be a cross boundary access during speculative execution.
Then, 'PayloadSize' is possible to be revealed by the function call
sequence:
Hence, this commit adds a AsmLfence() after the sanity check for
EFI_VARIABLE_AUTHENTICATION_2 descriptor upon 'Data' within function
VariableServiceSetVariable() to prevent the speculative execution.
Also, please note that the change made within function
VariableServiceSetVariable() will affect DXE as well. However, since we
only focuses on the SMM codes, the commit will introduce a new module
internal function called VariableLoadFence() to handle this. This internal
function will have 2 implementations (1 for SMM, 1 for DXE). For the SMM
implementation, it is a wrapper to call the AsmLfence() API; for the DXE
implementation, it is empty.
A more detailed explanation of the purpose of commit is under the
'Bounds check bypass mitigation' section of the below link:
https://software.intel.com/security-software-guidance/insights/host-firmware-speculative-execution-side-channel-mitigation
And the document at:
https://software.intel.com/security-software-guidance/api-app/sites/default/files/337879-analyzing-potential-bounds-Check-bypass-vulnerabilities.pdf
Speculative execution is used by processor to avoid having to wait for
data to arrive from memory, or for previous operations to finish, the
processor may speculate as to what will be executed.
If the speculation is incorrect, the speculatively executed instructions
might leave hints such as which memory locations have been brought into
cache. Malicious actors can use the bounds check bypass method (code
gadgets with controlled external inputs) to infer data values that have
been used in speculative operations to reveal secrets which should not
otherwise be accessed.
This commit will focus on the SMI handler(s) registered within the
SmmLockBox driver and insert AsmLfence API to mitigate the
bounds check bypass issue.
For SMI handler SmmLockBoxHandler():
Under "case EFI_SMM_LOCK_BOX_COMMAND_SAVE:", the 'CommBuffer' (controlled
external inputs) is passed to function SmmLockBoxSave().
'TempLockBoxParameterSave.Length' can be a potential cross boundary access
of the 'CommBuffer' during speculative execution. This cross boundary
access is later passed as parameter 'Length' into function SaveLockBox().
Within function SaveLockBox(), the value of 'Length' can be inferred by
code:
"CopyMem ((VOID *)(UINTN)SmramBuffer, (VOID *)(UINTN)Buffer, Length);".
One can observe which part of the content within 'Buffer' was brought into
cache to possibly reveal the value of 'Length'.
Hence, this commit adds a AsmLfence() after the boundary/range checks of
'CommBuffer' to prevent the speculative execution.
And there is a similar case under "case EFI_SMM_LOCK_BOX_COMMAND_UPDATE:"
function SmmLockBoxUpdate() as well. This commits also handles it.
A more detailed explanation of the purpose of commit is under the
'Bounds check bypass mitigation' section of the below link:
https://software.intel.com/security-software-guidance/insights/host-firmware-speculative-execution-side-channel-mitigation
And the document at:
https://software.intel.com/security-software-guidance/api-app/sites/default/files/337879-analyzing-potential-bounds-Check-bypass-vulnerabilities.pdf
Speculative execution is used by processor to avoid having to wait for
data to arrive from memory, or for previous operations to finish, the
processor may speculate as to what will be executed.
If the speculation is incorrect, the speculatively executed instructions
might leave hints such as which memory locations have been brought into
cache. Malicious actors can use the bounds check bypass method (code
gadgets with controlled external inputs) to infer data values that have
been used in speculative operations to reveal secrets which should not
otherwise be accessed.
This commit will focus on the SMI handler(s) registered within the
FaultTolerantWriteDxe driver and insert AsmLfence API to mitigate the
bounds check bypass issue.
For SMI handler SmmFaultTolerantWriteHandler():
Under "case FTW_FUNCTION_WRITE:", 'SmmFtwWriteHeader->Length' can be a
potential cross boundary access of the 'CommBuffer' (controlled external
inputs) during speculative execution. This cross boundary access is later
passed as parameter 'Length' into function FtwWrite().
Within function FtwWrite(), the value of 'Length' can be inferred by code:
"CopyMem (MyBuffer + Offset, Buffer, Length);". One can observe which part
of the content within 'Buffer' was brought into cache to possibly reveal
the value of 'Length'.
Hence, this commit adds a AsmLfence() after the boundary/range checks of
'CommBuffer' to prevent the speculative execution.
A more detailed explanation of the purpose of commit is under the
'Bounds check bypass mitigation' section of the below link:
https://software.intel.com/security-software-guidance/insights/host-firmware-speculative-execution-side-channel-mitigation
And the document at:
https://software.intel.com/security-software-guidance/api-app/sites/default/files/337879-analyzing-potential-bounds-Check-bypass-vulnerabilities.pdf
This commit will add a new BaseLib API AsmLfence(). This API will perform
a serializing operation on all load-from-memory instructions that were
issued prior to the call of this function. Please note that this API is
only available on IA-32 and x64.
The purpose of adding this API is to mitigate of the [CVE-2017-5753]
Bounds Check Bypass issue when untrusted data are being processed within
SMM. More details can be referred at the 'Bounds check bypass mitigation'
section at the below link:
The PCDs below are unused, so they have been removed from inf.
gEfiShellPkgTokenSpaceGuid.PcdShellFileOperationSize
gEfiMdePkgTokenSpaceGuid.PcdMaximumUnicodeStringLength
shenglei [Tue, 28 Aug 2018 02:57:55 +0000 (10:57 +0800)]
ShellPkg/DpDynamicCommand: Remove unused PCDs
The PCDs below are unused, so they have been removed from inf.
gEfiMdePkgTokenSpaceGuid.PcdUefiLibMaxPrintBufferSize in DpApp.inf
gEfiMdePkgTokenSpaceGuid.PcdUefiLibMaxPrintBufferSize in
DpDynamicCommand.inf