From: "Wang, Jian J"
To: devel@edk2.groups.io
Cc: Star Zeng, Eric Dong, Ray Ni, Laszlo Ersek
Subject: [edk2-devel] [PATCH] UefiCpuPkg PiSmmCpuDxeSmm: Only support IN/OUT IO save state read (CVE-2018-12182)
Date: Fri, 10 May 2019 13:16:15 +0800
Message-Id: <20190510051615.318124-1-jian.j.wang@intel.com>
From: Star Zeng

BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=1136
CVE: CVE-2018-12182

A customer met a system hang-up during a serial port loopback test in the OS.
It is a corner case that happened with one CPU core doing "out dx,al" and
another CPU core(s) doing "rep outs dx,byte ptr [rsi]".

Detailed code flow is as below.

1. Serial port loopback test in OS.
   One CPU core: "out dx,al" -> Writing B2h, SMI will happen.
   Another CPU core(s): "rep outs dx,byte ptr [rsi]".

2. SMI happens to enter SMM.
   "out dx" (SMM_IO_TYPE_OUT_DX) is saved as I/O instruction type in SMRAM
   save state for the CPU doing "out dx,al".
   "rep outs dx" (SMM_IO_TYPE_REP_OUTS) is saved as I/O instruction type and
   rsi is saved as I/O Memory Address in SMRAM save state for the CPU doing
   "rep outs dx, byte ptr [rsi]".
   NOTE: I/O Memory Address (rsi) is a virtual address mapped by the
   OS/Virtual Machine.

3. Some SMM code calls EFI_SMM_CPU_PROTOCOL.ReadSaveState() with
   EFI_SMM_SAVE_STATE_REGISTER_IO and parses the data returned. For example:
   https://github.com/tianocore/edk2/blob/master/QuarkSocPkg/QuarkNorthCluster/Smm/DxeSmm/QncSmmDispatcher/QNC/QNCSmmSw.c#L76

4. SmmReadSaveState() is executed to read save state for
   EFI_SMM_SAVE_STATE_REGISTER_IO.
   - The SmmReadSaveState() function in
     "UefiCpuPkg/PiSmmCpuDxeSmm/PiSmmCpuDxeSmm.c" calls the
     SmmCpuFeaturesReadSaveStateRegister() function, from the platform's
     SmmCpuFeaturesLib instance.
   - If that platform-specific function returns EFI_UNSUPPORTED, then
     PiSmmCpuDxeSmm falls back to the common function
     ReadSaveStateRegister(), defined in file
     "UefiCpuPkg/PiSmmCpuDxeSmm/SmramSaveState.c".
   The current ReadSaveStateRegister() in
   UefiCpuPkg/PiSmmCpuDxeSmm/SmramSaveState.c tries to copy data from the
   I/O Memory Address for EFI_SMM_SAVE_STATE_IO_TYPE_REP_PREFIX; a PF will
   happen as the SMM page table does not know of or cover this OS/Virtual
   Machine virtual address.
The same case applies to SmmCpuFeaturesReadSaveStateRegister() in a
platform-specific SmmCpuFeaturesLib instance if it has a similar
implementation to read save state for EFI_SMM_SAVE_STATE_REGISTER_IO with
EFI_SMM_SAVE_STATE_IO_TYPE_REP_PREFIX.

The same case applies to "ins", "outs" and "rep ins".

So to fix the problem, this patch updates the code to only support IN/OUT,
but not INS/OUTS/REP INS/REP OUTS, for SmmReadSaveState().

Cc: Eric Dong
Cc: Ray Ni
Cc: Laszlo Ersek
Signed-off-by: Star Zeng
Reviewed-by: Laszlo Ersek
---
 UefiCpuPkg/PiSmmCpuDxeSmm/SmramSaveState.c | 17 +++++++++--------
 1 file changed, 9 insertions(+), 8 deletions(-)

diff --git a/UefiCpuPkg/PiSmmCpuDxeSmm/SmramSaveState.c b/UefiCpuPkg/PiSmmC= puDxeSmm/SmramSaveState.c index 26e365eabc..08cb9c05cf 100644 --- a/UefiCpuPkg/PiSmmCpuDxeSmm/SmramSaveState.c +++ b/UefiCpuPkg/PiSmmCpuDxeSmm/SmramSaveState.c @@ -360,7 +360,6 @@ ReadSaveStateRegister ( UINT32 SmmRevId; SMRAM_SAVE_STATE_IOMISC IoMisc; EFI_SMM_SAVE_STATE_IO_INFO *IoInfo; - VOID *IoMemAddr; =20 // // Check for special EFI_SMM_SAVE_STATE_REGISTER_LMA @@ -406,6 +405,14 @@ ReadSaveStateRegister ( return EFI_NOT_FOUND; } =20 + // // Only support IN/OUT, but not INS/OUTS/REP INS/REP OUTS. // + if ((mSmmCpuIoType[IoMisc.Bits.Type] !=3D EFI_SMM_SAVE_STATE_IO_TYPE_I= NPUT) && + (mSmmCpuIoType[IoMisc.Bits.Type] !=3D EFI_SMM_SAVE_STATE_IO_TYPE_O= UTPUT)) { + return EFI_UNSUPPORTED; + } + // // Compute index for the I/O Length and I/O Type lookup tables //
@@ -425,13 +432,7 @@ ReadSaveStateRegister ( IoInfo->IoPort =3D (UINT16)IoMisc.Bits.Port; IoInfo->IoWidth =3D mSmmCpuIoWidth[IoMisc.Bits.Length].IoWidth; IoInfo->IoType =3D mSmmCpuIoType[IoMisc.Bits.Type]; - if (IoInfo->IoType =3D=3D EFI_SMM_SAVE_STATE_IO_TYPE_INPUT || IoInfo->= IoType =3D=3D EFI_SMM_SAVE_STATE_IO_TYPE_OUTPUT) { - ReadSaveStateRegister (CpuIndex, EFI_SMM_SAVE_STATE_REGISTER_RAX, mS= mmCpuIoWidth[IoMisc.Bits.Length].Width, &IoInfo->IoData); - } - else { - ReadSaveStateRegisterByIndex(CpuIndex, SMM_SAVE_STATE_REGISTER_IOMEM= ADDR_INDEX, sizeof(IoMemAddr), &IoMemAddr); - CopyMem(&IoInfo->IoData, IoMemAddr, mSmmCpuIoWidth[IoMisc.Bits.Lengt= h].Width); - } + ReadSaveStateRegister (CpuIndex, EFI_SMM_SAVE_STATE_REGISTER_RAX, mSmm= CpuIoWidth[IoMisc.Bits.Length].Width, &IoInfo->IoData); return EFI_SUCCESS; } =20
-- 
2.17.1.windows.2

View/Reply Online (#40408): https://edk2.groups.io/g/devel/message/40408
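Review bot: the IN/OUT-only check added in the @@ -406 hunk states the restriction but not its reason, and it sits before the lookup-table index computation that follows it, so every non-IN/OUT encoding now returns EFI_UNSUPPORTED before that later table validation is reached. Say why in the comment, e.g. `// INS/OUTS/REP INS/REP OUTS save an OS virtual address in IOMEMADDR that the SMM page table does not map`, and update the function's doc comment (and the EFI_SMM_CPU_PROTOCOL.ReadSaveState() description for EFI_SMM_SAVE_STATE_REGISTER_IO) to list EFI_UNSUPPORTED for string I/O, so callers such as the QNCSmmSw.c dispatcher treat it as "not an IN/OUT on this CPU" rather than as a failure. Platform SmmCpuFeaturesReadSaveStateRegister() instances with their own REP_PREFIX path, which the commit message says are equally affected, are not touched by this patch and need the same check.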
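Review bot: in the @@ -425 hunk the remaining ReadSaveStateRegister (CpuIndex, EFI_SMM_SAVE_STATE_REGISTER_RAX, ...) call still drops its return status and the function then returns EFI_SUCCESS unconditionally; now that this is the only data path, propagate that status instead of masking it. An `ASSERT (IoInfo->IoType == EFI_SMM_SAVE_STATE_IO_TYPE_INPUT || IoInfo->IoType == EFI_SMM_SAVE_STATE_IO_TYPE_OUTPUT);` before the call would also record the invariant this code now relies on, since the previous if/else that made it explicit is gone.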
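The save-state path the commit message walks through, as an added C model that is not edk2 code and not part of this patch: a save-state image per CPU, the IOMISC decode through lookup tables, the pre-fix reader that dereferences the saved I/O memory address (which would take a page fault in SMM) beside the post-fix reader that refuses INS/OUTS/REP before touching memory, and a SW SMI dispatcher of the kind the message cites (QNCSmmSw.c) scanning all CPUs for the OUT to port B2h. The IOMISC bit layout, the table contents, the status values, the names (ReadIoSaveStateVulnerable, ReadIoSaveStateFixed, FindSwSmiCpu, DecodeIoMisc) and the sample addresses are all constructed for the demonstration; the page-fault is modelled by a mapping check rather than a real crash so the code runs in user space.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Status values loosely modelled on EFI_STATUS; the numbers are this model's own. */
typedef enum { ST_SUCCESS = 0, ST_UNSUPPORTED = 3, ST_NOT_FOUND = 14,
               ST_PAGE_FAULT = 100 /* stands in for the #PF that would hang SMM */ } Status;

/* EFI-style I/O type flags and raw IOMISC.Type encodings (assumed values). */
enum { IO_INPUT = 1, IO_OUTPUT = 2, IO_STRING = 4, IO_REP = 8 };
enum { TYPE_OUT = 0, TYPE_IN = 1, TYPE_OUTS = 2, TYPE_INS = 3, TYPE_REP_OUTS = 4, TYPE_REP_INS = 5 };

/* Tables in the role of mSmmCpuIoType[] / mSmmCpuIoWidth[]; 0 marks an invalid encoding. */
static const uint8_t kIoType[16] = {
  IO_OUTPUT, IO_INPUT, IO_STRING | IO_OUTPUT, IO_STRING | IO_INPUT,
  IO_REP | IO_STRING | IO_OUTPUT, IO_REP | IO_STRING | IO_INPUT };
static const uint8_t kIoWidth[16] = { 0, 1, 2, 0, 4 };

/* Minimal SMRAM save-state image for one CPU (constructed; the real layout differs). */
typedef struct {
  uint64_t Rax;        /* data of an IN/OUT */
  uint64_t IoMemAddr;  /* RSI/RDI of an INS/OUTS: an OS virtual address */
  uint32_t IoMisc;     /* bit 0: I/O SMI; bits 1-3: length; bits 4-7: type; bits 16-31: port */
} SaveState;

typedef struct { uint16_t Port; uint8_t Width; uint8_t Type; uint32_t Data; } IoInfo;

/* SMM page-table model: only this SMRAM buffer is mapped while in SMM. */
static uint8_t gSmram[64];
static bool SmmMapped(uintptr_t addr, size_t len) {
  uintptr_t lo = (uintptr_t)gSmram, hi = lo + sizeof gSmram;
  return addr >= lo && addr < hi && len <= hi - addr;
}

/* Shared IOMISC decode into port/width/type, like the lookup-table step in ReadSaveStateRegister(). */
static Status DecodeIoMisc(const SaveState *ss, IoInfo *out) {
  if ((ss->IoMisc & 1) == 0) return ST_NOT_FOUND;          /* this SMI was not an I/O trap */
  unsigned length = (ss->IoMisc >> 1) & 7, type = (ss->IoMisc >> 4) & 0xF;
  if (kIoWidth[length] == 0 || kIoType[type] == 0) return ST_NOT_FOUND;
  out->Port = (uint16_t)(ss->IoMisc >> 16);
  out->Width = kIoWidth[length];
  out->Type = kIoType[type];
  out->Data = 0;
  return ST_SUCCESS;
}

static uint32_t LowBytes(uint64_t v, unsigned width) {
  return (uint32_t)(v & ((1ull << (8 * width)) - 1));
}

/* Pre-fix behaviour: string I/O reads the data through the saved memory address. */
Status ReadIoSaveStateVulnerable(const SaveState *ss, IoInfo *out) {
  Status s = DecodeIoMisc(ss, out);
  if (s != ST_SUCCESS) return s;
  if (out->Type == IO_INPUT || out->Type == IO_OUTPUT) {
    out->Data = LowBytes(ss->Rax, out->Width);
    return ST_SUCCESS;
  }
  /* The real CopyMem() would fault here; the model checks the SMM mapping instead of crashing. */
  if (!SmmMapped((uintptr_t)ss->IoMemAddr, out->Width)) return ST_PAGE_FAULT;
  const uint8_t *p = (const uint8_t *)(uintptr_t)ss->IoMemAddr;
  uint64_t v = 0;
  for (unsigned i = 0; i < out->Width; i++) v |= (uint64_t)p[i] << (8 * i);
  out->Data = (uint32_t)v;
  return ST_SUCCESS;
}

/* Post-fix behaviour: reject INS/OUTS/REP INS/REP OUTS before any memory is dereferenced. */
Status ReadIoSaveStateFixed(const SaveState *ss, IoInfo *out) {
  Status s = DecodeIoMisc(ss, out);
  if (s != ST_SUCCESS) return s;
  if (out->Type != IO_INPUT && out->Type != IO_OUTPUT) return ST_UNSUPPORTED;
  out->Data = LowBytes(ss->Rax, out->Width);
  return ST_SUCCESS;
}

typedef Status (*IoReader)(const SaveState *, IoInfo *);

/* SW SMI dispatcher: scan every CPU's save state for an OUT to `port`.
 * Returns the CPU index, -1 if no CPU did, -2 if the reader faulted (an SMM hang in reality). */
int FindSwSmiCpu(IoReader read, const SaveState *states, int n, uint16_t port) {
  for (int cpu = 0; cpu < n; cpu++) {
    IoInfo info;
    Status s = read(&states[cpu], &info);
    if (s == ST_PAGE_FAULT) return -2;
    if (s != ST_SUCCESS) continue;   /* NOT_FOUND or UNSUPPORTED: not an IN/OUT on this CPU */
    if (info.Type == IO_OUTPUT && info.Port == port) return cpu;
  }
  return -1;
}

/* Constructed save states for the loopback scenario: one core did OUT B2h,AL (the SW SMI
 * trigger), another was mid "REP OUTS DX,[RSI]" to the UART with RSI an OS virtual address. */
SaveState MakeOutB2(void) {
  SaveState s = { 0x5A, 0, 1u | (1u << 1) | (TYPE_OUT << 4) | (0xB2u << 16) };
  return s;
}
SaveState MakeRepOuts(void) {
  SaveState s = { 0, 0x00007F3A12345000ull, 1u | (1u << 1) | (TYPE_REP_OUTS << 4) | (0x3F8u << 16) };
  return s;
}
```

With the REP OUTS core listed first, the pre-fix reader faults on it before the dispatcher ever reaches the core that actually wrote B2h, which is the hang the commit message describes; the post-fix reader returns ST_UNSUPPORTED for that core, the dispatcher skips it, and the OUT is found on the other CPU. That is why a dispatcher must treat EFI_UNSUPPORTED from the I/O save-state read as "no IN/OUT here" rather than as an error.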