UefiCpuPkg/CpuMpPei: Enable paging and set NP flag to avoid TOCTOU (CVE-2019-11098)
authorGuomin Jiang <guomin.jiang@intel.com>
Thu, 2 Jul 2020 05:03:34 +0000 (13:03 +0800)
committermergify[bot] <37929162+mergify[bot]@users.noreply.github.com>
Tue, 28 Jul 2020 01:43:16 +0000 (01:43 +0000)
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=1614

To avoid the TOCTOU, enable paging and set Not Present flag so when
access any code in the flash range, it will trigger #PF exception.

Cc: Eric Dong <eric.dong@intel.com>
Cc: Ray Ni <ray.ni@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Cc: Rahul Kumar <rahul1.kumar@intel.com>
Signed-off-by: Guomin Jiang <guomin.jiang@intel.com>
Acked-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
Reviewed-by: Liming Gao <liming.gao@intel.com>
UefiCpuPkg/CpuMpPei/CpuMpPei.inf
UefiCpuPkg/CpuMpPei/CpuPaging.c

index f4d11b861f77c1ff51fcb0788f710b10696595ad..7e511325d8b8bed18413759dbe5cd4dabe46edcd 100644 (file)
@@ -46,6 +46,9 @@
   BaseMemoryLib\r
   CpuLib\r
 \r
+[Guids]\r
+  gEdkiiMigratedFvInfoGuid                                             ## SOMETIMES_CONSUMES     ## HOB\r
+\r
 [Ppis]\r
   gEfiPeiMpServicesPpiGuid                      ## PRODUCES\r
   gEfiSecPlatformInformationPpiGuid             ## SOMETIMES_CONSUMES\r
index 3bf0574b34c6cbe342573d633977a7d39403f265..8ab7dfcce3a00c025a4580eeff9363559594fe29 100644 (file)
@@ -12,6 +12,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
 #include <Library/MemoryAllocationLib.h>\r
 #include <Library/CpuLib.h>\r
 #include <Library/BaseLib.h>\r
+#include <Guid/MigratedFvInfo.h>\r
 \r
 #include "CpuMpPei.h"\r
 \r
@@ -602,9 +603,11 @@ MemoryDiscoveredPpiNotifyCallback (
   IN VOID                       *Ppi\r
   )\r
 {\r
-  EFI_STATUS  Status;\r
-  BOOLEAN     InitStackGuard;\r
-  BOOLEAN     InterruptState;\r
+  EFI_STATUS              Status;\r
+  BOOLEAN                 InitStackGuard;\r
+  BOOLEAN                 InterruptState;\r
+  EDKII_MIGRATED_FV_INFO  *MigratedFvInfo;\r
+  EFI_PEI_HOB_POINTERS    Hob;\r
 \r
   if (PcdGetBool (PcdMigrateTemporaryRamFirmwareVolumes)) {\r
     InterruptState = SaveAndDisableInterrupts ();\r
@@ -619,9 +622,14 @@ MemoryDiscoveredPpiNotifyCallback (
   // the task switch (for the sake of stack switch).\r
   //\r
   InitStackGuard = FALSE;\r
-  if (IsIa32PaeSupported () && PcdGetBool (PcdCpuStackGuard)) {\r
+  Hob.Raw = NULL;\r
+  if (IsIa32PaeSupported ()) {\r
+    Hob.Raw  = GetFirstGuidHob (&gEdkiiMigratedFvInfoGuid);\r
+    InitStackGuard = PcdGetBool (PcdCpuStackGuard);\r
+  }\r
+\r
+  if (InitStackGuard || Hob.Raw != NULL) {\r
     EnablePaging ();\r
-    InitStackGuard = TRUE;\r
   }\r
 \r
   Status = InitializeCpuMpWorker ((CONST EFI_PEI_SERVICES **)PeiServices);\r
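Review bot: The MigratedFvInfo HOB lookup now sits under `if (IsIa32PaeSupported ())`, so on a CPU without PAE `Hob.Raw` stays NULL, the loop that marks the migrated FV ranges not-present never runs, and the TOCTOU mitigation the commit message describes is silently absent with no trace in the log. Presumably that is deliberate because the paging set up by EnablePaging is PAE-based, but nothing in the code says so; a comment above the `if` such as `// Marking the migrated FV ranges Not Present requires PAE paging; without PAE the flash stays readable.` plus a `DEBUG ((DEBUG_WARN, ...))` in the else path would make the reduced coverage visible. As a style nit, `Hob.Raw  = GetFirstGuidHob (...)` carries a double space before `=` that the other assignments in the hunk do not. MemoryDiscoveredPpiNotifyCallback begins before this hunk and continues after it.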
@@ -631,6 +639,20 @@ MemoryDiscoveredPpiNotifyCallback (
     SetupStackGuardPage ();\r
   }\r
 \r
+  while (Hob.Raw != NULL) {\r
+    MigratedFvInfo = GET_GUID_HOB_DATA (Hob);\r
+\r
+    //\r
+    // Enable #PF exception, so if the code access SPI after disable NEM, it will generate\r
+    // the exception to avoid potential vulnerability.\r
+    //\r
+    ConvertMemoryPageAttributes (MigratedFvInfo->FvOrgBase, MigratedFvInfo->FvLength, 0);\r
+\r
+    Hob.Raw = GET_NEXT_HOB (Hob);\r
+    Hob.Raw = GetNextGuidHob (&gEdkiiMigratedFvInfoGuid, Hob.Raw);\r
+  }\r
+  CpuFlushTlb ();\r
+\r
   return Status;\r
 }\r
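Review bot: The result of `ConvertMemoryPageAttributes (MigratedFvInfo->FvOrgBase, MigratedFvInfo->FvLength, 0)` is dropped; if that function reports failure (for example when it cannot allocate a page-table page while splitting a large page), the flash range stays mapped present and the #PF trap this change relies on never fires, without any diagnostic. Assuming it returns a status as the other page-attribute helpers in this file do, capture it and assert on it: `Status = ConvertMemoryPageAttributes (MigratedFvInfo->FvOrgBase, MigratedFvInfo->FvLength, 0);` followed by `ASSERT_EFI_ERROR (Status);`. The bare `0` third argument also deserves a word in the existing comment block, e.g. `// Attribute 0 clears the Present bit on the whole range.`, so a reader does not have to open the helper to learn that it means Not Present rather than "no special attributes". MemoryDiscoveredPpiNotifyCallback begins before this hunk.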
 \r