audk/UefiCpuPkg
Star Zeng cf574f0a18 UefiCpuPkg PiSmmCpuDxeSmm: Only support IN/OUT IO save state read (CVE-2018-12182)
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=1136
CVE: CVE-2018-12182

Customer met system hang-up during serial port loopback test in OS.
It is a corner case happened with one CPU core doing "out dx,al" and
another CPU core(s) doing "rep outs dx,byte ptr [rsi]".

Detailed code flow is as below.

1. Serial port loopback test in OS.
One CPU core: "out dx,al" -> Writing B2h, SMI will happen.
Another CPU core(s): "rep outs dx,byte ptr [rsi]".

2. SMI happens to enter SMM.
"out dx" (SMM_IO_TYPE_OUT_DX) is saved as I/O instruction type in
SMRAM save state for CPU doing "out dx,al".
"rep outs dx" (SMM_IO_TYPE_REP_OUTS) is saved as I/O instruction
type and rsi is save as I/O Memory Address in SMRAM save state for
CPU doing "rep outs dx, byte ptr [rsi]".

NOTE: I/O Memory Address (rsi) is a virtual address mapped by
OS/Virtual Machine.

3. Some SMM code calls EFI_SMM_CPU_PROTOCOL.ReadSaveState() with
EFI_SMM_SAVE_STATE_REGISTER_IO and parse data returned.

For example:
https://github.com/tianocore/edk2/blob/master/QuarkSocPkg/
QuarkNorthCluster/Smm/DxeSmm/QncSmmDispatcher/QNC/QNCSmmSw.c#L76

4. SmmReadSaveState() is executed to read save state for
EFI_SMM_SAVE_STATE_REGISTER_IO.

- The SmmReadSaveState() function in
  "UefiCpuPkg/PiSmmCpuDxeSmm/PiSmmCpuDxeSmm.c" calls the
  SmmCpuFeaturesReadSaveStateRegister() function, from the platform's
  SmmCpuFeaturesLib instance.

- If that platform-specific function returns EFI_UNSUPPORTED, then
  PiSmmCpuDxeSmm falls back to the common function
  ReadSaveStateRegister(), defined in file
  "UefiCpuPkg/PiSmmCpuDxeSmm/SmramSaveState.c".

Current ReadSaveStateRegister() in
UefiCpuPkg/PiSmmCpuDxeSmm/SmramSaveState.c is trying to copy data
from I/O Memory Address for EFI_SMM_SAVE_STATE_IO_TYPE_REP_PREFIX,
PF will happen as SMM page table does not know and cover this
OS/Virtual Machine virtual address.

Same case is for SmmCpuFeaturesReadSaveStateRegister() in platform-
specific SmmCpuFeaturesLib instance if it has similar implementation
to read save state for EFI_SMM_SAVE_STATE_REGISTER_IO with
EFI_SMM_SAVE_STATE_IO_TYPE_REP_PREFIX.

Same case is for "ins", 'outs' and 'rep ins'.

So to fix the problem, this patch updates the code to only support
IN/OUT, but not INS/OUTS/REP INS/REP OUTS for SmmReadSaveState().

Cc: Eric Dong <eric.dong@intel.com>
Cc: Ray Ni <ray.ni@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Signed-off-by: Star Zeng <star.zeng@intel.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
2019-05-14 15:54:57 +08:00
..
Application/Cpuid UefiCpuPkg: Replace BSD License with BSD+Patent License 2019-04-09 10:58:28 -07:00
CpuDxe UefiCpuPkg: Replace BSD License with BSD+Patent License 2019-04-09 10:58:28 -07:00
CpuFeatures UefiCpuPkg: Replace BSD License with BSD+Patent License 2019-04-09 10:58:28 -07:00
CpuIo2Dxe UefiCpuPkg: Replace BSD License with BSD+Patent License 2019-04-09 10:58:28 -07:00
CpuIo2Smm UefiCpuPkg: Replace BSD License with BSD+Patent License 2019-04-09 10:58:28 -07:00
CpuIoPei UefiCpuPkg: Replace BSD License with BSD+Patent License 2019-04-09 10:58:28 -07:00
CpuMpPei UefiCpuPkg/CpuMpPei: Add missing CpuLib class 2019-04-30 16:39:34 -07:00
CpuS3DataDxe UefiCpuPkg: Replace BSD License with BSD+Patent License 2019-04-09 10:58:28 -07:00
Include UefiCpuPkg: Replace BSD License with BSD+Patent License 2019-04-09 10:58:28 -07:00
Library UefiCpuPkg: Remove double \r 2019-05-13 08:45:22 +08:00
PiSmmCommunication UefiCpuPkg: Replace BSD License with BSD+Patent License 2019-04-09 10:58:28 -07:00
PiSmmCpuDxeSmm UefiCpuPkg PiSmmCpuDxeSmm: Only support IN/OUT IO save state read (CVE-2018-12182) 2019-05-14 15:54:57 +08:00
ResetVector UefiCpuPkg: Replace BSD License with BSD+Patent License 2019-04-09 10:58:28 -07:00
SecCore UefiCpuPkg: Replace BSD License with BSD+Patent License 2019-04-09 10:58:28 -07:00
Universal/Acpi/S3Resume2Pei UefiCpuPkg: Remove PcdFrameworkCompatibilitySupport usage 2019-05-09 09:42:55 +08:00
UefiCpuPkg.dec UefiCpuPkg: Replace BSD License with BSD+Patent License 2019-04-09 10:58:28 -07:00
UefiCpuPkg.dsc UefiCpuPkg/MpInitLibUp: Add uniprocessor MpInitLib 2019-04-30 16:39:34 -07:00
UefiCpuPkg.uni UefiCpuPkg: Replace BSD License with BSD+Patent License 2019-04-09 10:58:28 -07:00
UefiCpuPkgExtra.uni UefiCpuPkg: Replace BSD License with BSD+Patent License 2019-04-09 10:58:28 -07:00