107 lines
3.5 KiB
Diff
107 lines
3.5 KiB
Diff
From d7c9de51d249ee101b4d90357a4272b36c831047 Mon Sep 17 00:00:00 2001
|
|
From: Guomin Jiang <guomin.jiang@intel.com>
|
|
Date: Thu, 2 Jul 2020 13:03:34 +0800
|
|
Subject: [PATCH] UefiCpuPkg/CpuMpPei: Enable paging and set NP flag to avoid
|
|
TOCTOU (CVE-2019-11098)
|
|
|
|
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=1614
|
|
|
|
To avoid the TOCTOU, enable paging and set Not Present flag so when
|
|
access any code in the flash range, it will trigger #PF exception.
|
|
|
|
Cc: Eric Dong <eric.dong@intel.com>
|
|
Cc: Ray Ni <ray.ni@intel.com>
|
|
Cc: Laszlo Ersek <lersek@redhat.com>
|
|
Cc: Rahul Kumar <rahul1.kumar@intel.com>
|
|
Signed-off-by: Guomin Jiang <guomin.jiang@intel.com>
|
|
Acked-by: Laszlo Ersek <lersek@redhat.com>
|
|
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
|
|
Reviewed-by: Liming Gao <liming.gao@intel.com>
|
|
---
|
|
UefiCpuPkg/CpuMpPei/CpuMpPei.inf | 3 +++
|
|
UefiCpuPkg/CpuMpPei/CpuPaging.c | 32 +++++++++++++++++++++++++++-----
|
|
2 files changed, 30 insertions(+), 5 deletions(-)
|
|
|
|
diff --git a/UefiCpuPkg/CpuMpPei/CpuMpPei.inf b/UefiCpuPkg/CpuMpPei/CpuMpPei.inf
|
|
index f4d11b861f..7e511325d8 100644
|
|
--- a/UefiCpuPkg/CpuMpPei/CpuMpPei.inf
|
|
+++ b/UefiCpuPkg/CpuMpPei/CpuMpPei.inf
|
|
@@ -46,6 +46,9 @@
|
|
BaseMemoryLib
|
|
CpuLib
|
|
|
|
+[Guids]
|
|
+ gEdkiiMigratedFvInfoGuid ## SOMETIMES_CONSUMES ## HOB
|
|
+
|
|
[Ppis]
|
|
gEfiPeiMpServicesPpiGuid ## PRODUCES
|
|
gEfiSecPlatformInformationPpiGuid ## SOMETIMES_CONSUMES
|
|
diff --git a/UefiCpuPkg/CpuMpPei/CpuPaging.c b/UefiCpuPkg/CpuMpPei/CpuPaging.c
|
|
index 3bf0574b34..8ab7dfcce3 100644
|
|
--- a/UefiCpuPkg/CpuMpPei/CpuPaging.c
|
|
+++ b/UefiCpuPkg/CpuMpPei/CpuPaging.c
|
|
@@ -12,6 +12,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
|
|
#include <Library/MemoryAllocationLib.h>
|
|
#include <Library/CpuLib.h>
|
|
#include <Library/BaseLib.h>
|
|
+#include <Guid/MigratedFvInfo.h>
|
|
|
|
#include "CpuMpPei.h"
|
|
|
|
@@ -602,9 +603,11 @@ MemoryDiscoveredPpiNotifyCallback (
|
|
IN VOID *Ppi
|
|
)
|
|
{
|
|
- EFI_STATUS Status;
|
|
- BOOLEAN InitStackGuard;
|
|
- BOOLEAN InterruptState;
|
|
+ EFI_STATUS Status;
|
|
+ BOOLEAN InitStackGuard;
|
|
+ BOOLEAN InterruptState;
|
|
+ EDKII_MIGRATED_FV_INFO *MigratedFvInfo;
|
|
+ EFI_PEI_HOB_POINTERS Hob;
|
|
|
|
if (PcdGetBool (PcdMigrateTemporaryRamFirmwareVolumes)) {
|
|
InterruptState = SaveAndDisableInterrupts ();
|
|
@@ -619,9 +622,14 @@ MemoryDiscoveredPpiNotifyCallback (
|
|
// the task switch (for the sake of stack switch).
|
|
//
|
|
InitStackGuard = FALSE;
|
|
- if (IsIa32PaeSupported () && PcdGetBool (PcdCpuStackGuard)) {
|
|
+ Hob.Raw = NULL;
|
|
+ if (IsIa32PaeSupported ()) {
|
|
+ Hob.Raw = GetFirstGuidHob (&gEdkiiMigratedFvInfoGuid);
|
|
+ InitStackGuard = PcdGetBool (PcdCpuStackGuard);
|
|
+ }
|
|
+
|
|
+ if (InitStackGuard || Hob.Raw != NULL) {
|
|
EnablePaging ();
|
|
- InitStackGuard = TRUE;
|
|
}
|
|
|
|
Status = InitializeCpuMpWorker ((CONST EFI_PEI_SERVICES **)PeiServices);
|
|
@@ -631,6 +639,20 @@ MemoryDiscoveredPpiNotifyCallback (
|
|
SetupStackGuardPage ();
|
|
}
|
|
|
|
+ while (Hob.Raw != NULL) {
|
|
+ MigratedFvInfo = GET_GUID_HOB_DATA (Hob);
|
|
+
|
|
+ //
|
|
+ // Enable #PF exception, so if the code access SPI after disable NEM, it will generate
|
|
+ // the exception to avoid potential vulnerability.
|
|
+ //
|
|
+ ConvertMemoryPageAttributes (MigratedFvInfo->FvOrgBase, MigratedFvInfo->FvLength, 0);
|
|
+
|
|
+ Hob.Raw = GET_NEXT_HOB (Hob);
|
|
+ Hob.Raw = GetNextGuidHob (&gEdkiiMigratedFvInfoGuid, Hob.Raw);
|
|
+ }
|
|
+ CpuFlushTlb ();
|
|
+
|
|
return Status;
|
|
}
|
|
|
|
--
|
|
2.27.0
|
|
|