tyler.durden/audk
1
0
Fork 0
mirror of https://github.com/acidanthera/audk.git synced 2025-07-30 00:54:06 +02:00
Code Issues Packages Projects Releases Wiki Activity

UefiCpuPkg/CpuMpPei: Enable paging and set NP flag to avoid TOCTOU (CVE-2019-11098)

Browse Source 
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=1614

To avoid the TOCTOU, enable paging and set Not Present flag so when
access any code in the flash range, it will trigger #PF exception.

Cc: Eric Dong <eric.dong@intel.com>
Cc: Ray Ni <ray.ni@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Cc: Rahul Kumar <rahul1.kumar@intel.com>
Signed-off-by: Guomin Jiang <guomin.jiang@intel.com>
Acked-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
Reviewed-by: Liming Gao <liming.gao@intel.com>
This commit is contained in:
Guomin Jiang 2020-07-02 13:03:34 +08:00 committed by mergify[bot]
parent 012809cdca
commit d7c9de51d2
2 changed files with 30 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
UefiCpuPkg/CpuMpPei/CpuMpPei.inf
View File

@ -46,6 +46,9 @@
BaseMemoryLib BaseMemoryLib
CpuLib CpuLib
[Guids]
gEdkiiMigratedFvInfoGuid ## SOMETIMES_CONSUMES ## HOB
[Ppis] [Ppis]
gEfiPeiMpServicesPpiGuid ## PRODUCES gEfiPeiMpServicesPpiGuid ## PRODUCES
gEfiSecPlatformInformationPpiGuid ## SOMETIMES_CONSUMES gEfiSecPlatformInformationPpiGuid ## SOMETIMES_CONSUMES

32
UefiCpuPkg/CpuMpPei/CpuPaging.c
View File

@ -12,6 +12,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
#include <Library/MemoryAllocationLib.h> #include <Library/MemoryAllocationLib.h>
#include <Library/CpuLib.h> #include <Library/CpuLib.h>
#include <Library/BaseLib.h> #include <Library/BaseLib.h>
#include <Guid/MigratedFvInfo.h>
#include "CpuMpPei.h" #include "CpuMpPei.h"
@ -602,9 +603,11 @@ MemoryDiscoveredPpiNotifyCallback (
IN VOID *Ppi IN VOID *Ppi
) )
{ {
EFI_STATUS Status; EFI_STATUS Status;
BOOLEAN InitStackGuard; BOOLEAN InitStackGuard;
BOOLEAN InterruptState; BOOLEAN InterruptState;
EDKII_MIGRATED_FV_INFO *MigratedFvInfo;
EFI_PEI_HOB_POINTERS Hob;
if (PcdGetBool (PcdMigrateTemporaryRamFirmwareVolumes)) { if (PcdGetBool (PcdMigrateTemporaryRamFirmwareVolumes)) {
InterruptState = SaveAndDisableInterrupts (); InterruptState = SaveAndDisableInterrupts ();
@ -619,9 +622,14 @@ MemoryDiscoveredPpiNotifyCallback (
// the task switch (for the sake of stack switch). // the task switch (for the sake of stack switch).
// //
InitStackGuard = FALSE; InitStackGuard = FALSE;
if (IsIa32PaeSupported () && PcdGetBool (PcdCpuStackGuard)) { Hob.Raw = NULL;
if (IsIa32PaeSupported ()) {
Hob.Raw = GetFirstGuidHob (&gEdkiiMigratedFvInfoGuid);
InitStackGuard = PcdGetBool (PcdCpuStackGuard);
}
if (InitStackGuard || Hob.Raw != NULL) {
EnablePaging (); EnablePaging ();
InitStackGuard = TRUE;
} }
Status = InitializeCpuMpWorker ((CONST EFI_PEI_SERVICES **)PeiServices); Status = InitializeCpuMpWorker ((CONST EFI_PEI_SERVICES **)PeiServices);
@ -631,6 +639,20 @@ MemoryDiscoveredPpiNotifyCallback (
SetupStackGuardPage (); SetupStackGuardPage ();
} }
while (Hob.Raw != NULL) {
MigratedFvInfo = GET_GUID_HOB_DATA (Hob);
//
// Enable #PF exception, so if the code access SPI after disable NEM, it will generate
// the exception to avoid potential vulnerability.
//
ConvertMemoryPageAttributes (MigratedFvInfo->FvOrgBase, MigratedFvInfo->FvLength, 0);
Hob.Raw = GET_NEXT_HOB (Hob);
Hob.Raw = GetNextGuidHob (&gEdkiiMigratedFvInfoGuid, Hob.Raw);
}
CpuFlushTlb ();
return Status; return Status;
} }