UefiCpuPkg/CpuMpPei: Enable paging and set NP flag to avoid TOCTOU (CVE-2019-11098)

[mirror_edk2.git] / UefiCpuPkg / CpuMpPei / CpuPaging.c

diff --git a/UefiCpuPkg/CpuMpPei/CpuPaging.c b/UefiCpuPkg/CpuMpPei/CpuPaging.c
index 3bf0574b34c6cbe342573d633977a7d39403f265..8ab7dfcce3a00c025a4580eeff9363559594fe29 100644 (file)
--- a/UefiCpuPkg/CpuMpPei/CpuPaging.c
+++ b/UefiCpuPkg/CpuMpPei/CpuPaging.c
@@ -12,6 +12,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
 #include <Library/MemoryAllocationLib.h>\r
 #include <Library/CpuLib.h>\r
 #include <Library/BaseLib.h>\r
+#include <Guid/MigratedFvInfo.h>\r
 \r
 #include "CpuMpPei.h"\r
 \r
@@ -602,9 +603,11 @@ MemoryDiscoveredPpiNotifyCallback (
   IN VOID                       *Ppi\r
   )\r
 {\r
-  EFI_STATUS  Status;\r
-  BOOLEAN     InitStackGuard;\r
-  BOOLEAN     InterruptState;\r
+  EFI_STATUS              Status;\r
+  BOOLEAN                 InitStackGuard;\r
+  BOOLEAN                 InterruptState;\r
+  EDKII_MIGRATED_FV_INFO  *MigratedFvInfo;\r
+  EFI_PEI_HOB_POINTERS    Hob;\r
 \r
   if (PcdGetBool (PcdMigrateTemporaryRamFirmwareVolumes)) {\r
     InterruptState = SaveAndDisableInterrupts ();\r
@@ -619,9 +622,14 @@ MemoryDiscoveredPpiNotifyCallback (
   // the task switch (for the sake of stack switch).\r
   //\r
   InitStackGuard = FALSE;\r
-  if (IsIa32PaeSupported () && PcdGetBool (PcdCpuStackGuard)) {\r
+  Hob.Raw = NULL;\r
+  if (IsIa32PaeSupported ()) {\r
+    Hob.Raw  = GetFirstGuidHob (&gEdkiiMigratedFvInfoGuid);\r
+    InitStackGuard = PcdGetBool (PcdCpuStackGuard);\r
+  }\r
+\r
+  if (InitStackGuard || Hob.Raw != NULL) {\r
     EnablePaging ();\r
-    InitStackGuard = TRUE;\r
   }\r
 \r
   Status = InitializeCpuMpWorker ((CONST EFI_PEI_SERVICES **)PeiServices);\r
@@ -631,6 +639,20 @@ MemoryDiscoveredPpiNotifyCallback (
     SetupStackGuardPage ();\r
   }\r
 \r
+  while (Hob.Raw != NULL) {\r
+    MigratedFvInfo = GET_GUID_HOB_DATA (Hob);\r
+\r
+    //\r
+    // Enable #PF exception, so if the code access SPI after disable NEM, it will generate\r
+    // the exception to avoid potential vulnerability.\r
+    //\r
+    ConvertMemoryPageAttributes (MigratedFvInfo->FvOrgBase, MigratedFvInfo->FvLength, 0);\r
+\r
+    Hob.Raw = GET_NEXT_HOB (Hob);\r
+    Hob.Raw = GetNextGuidHob (&gEdkiiMigratedFvInfoGuid, Hob.Raw);\r
+  }\r
+  CpuFlushTlb ();\r
+\r
   return Status;\r
 }\r
 \r