{
  "commit": "f7defccaecd625f77225abbbce7658ed02af21c4",
  "tree": "cce89e66eb5f88583424f54a66ceddfccd8a0345",
  "parents": [
    "72d299c376f7f9df2e65c9015020218614ba145b"
  ],
  "author": {
    "name": "Hao Wu",
    "email": "hao.a.wu@intel.com",
    "time": "Fri Nov 09 10:10:43 2018 +0800"
  },
  "committer": {
    "name": "Hao Wu",
    "email": "hao.a.wu@intel.com",
    "time": "Wed Nov 21 09:33:45 2018 +0800"
  },
  "message": "SecurityPkg/OpalPWSupportLib: [CVE-2017-5753] Fix bounds check bypass\n\nREF:https://bugzilla.tianocore.org/show_bug.cgi?id\u003d1194\n\nSpeculative execution is used by the processor to avoid having to wait for\ndata to arrive from memory, or for previous operations to finish; the\nprocessor may speculate as to what will be executed.\n\nIf the speculation is incorrect, the speculatively executed instructions\nmight leave hints such as which memory locations have been brought into\ncache. Malicious actors can use the bounds check bypass method (code\ngadgets with controlled external inputs) to infer data values that have\nbeen used in speculative operations to reveal secrets which should not\notherwise be accessed.\n\nThis commit will focus on the SMI handler(s) registered within the\nOpalPasswordSupportLib and insert AsmLfence API to mitigate the bounds\ncheck bypass issue.\n\nFor SMI handler SmmOpalPasswordHandler():\n\nUnder \"case SMM_FUNCTION_SET_OPAL_PASSWORD:\",\n\u0027\u0026DeviceBuffer-\u003eOpalDevicePath\u0027 can point to a potential cross boundary\naccess of the \u0027CommBuffer\u0027 (controlled external inputs) during speculative\nexecution. This cross boundary access pointer is later passed as parameter\n\u0027DevicePath\u0027 into function OpalSavePasswordToSmm().\n\nWithin function OpalSavePasswordToSmm(), \u0027DevicePathLen\u0027 is an access to\nthe content in \u0027DevicePath\u0027 and can be inferred by code:\n\"CompareMem (\u0026List-\u003eOpalDevicePath, DevicePath, DevicePathLen)\". One can\nobserve which part of the content within either \u0027\u0026List-\u003eOpalDevicePath\u0027 or\n\u0027DevicePath\u0027 was brought into cache to possibly reveal the value of\n\u0027DevicePathLen\u0027.\n\nHence, this commit adds an AsmLfence() after the boundary/range checks of\n\u0027CommBuffer\u0027 to prevent the speculative execution.\n\nA more detailed explanation of the purpose of this commit is under the\n\u0027Bounds check bypass mitigation\u0027 section of the below link:\nhttps://software.intel.com/security-software-guidance/insights/host-firmware-speculative-execution-side-channel-mitigation\n\nAnd the document at:\nhttps://software.intel.com/security-software-guidance/api-app/sites/default/files/337879-analyzing-potential-bounds-Check-bypass-vulnerabilities.pdf\n\nCc: Star Zeng \u003cstar.zeng@intel.com\u003e\nCc: Chao Zhang \u003cchao.b.zhang@intel.com\u003e\nCc: Jiewen Yao \u003cjiewen.yao@intel.com\u003e\nContributed-under: TianoCore Contribution Agreement 1.1\nSigned-off-by: Hao Wu \u003chao.a.wu@intel.com\u003e\nReviewed-by: Eric Dong \u003ceric.dong@intel.com\u003e\n",
  "tree_diff": [
    {
      "type": "modify",
      "old_id": "e377e9ca797643d6d1b9f31338e17076b1400556",
      "old_mode": 33188,
      "old_path": "SecurityPkg/Library/OpalPasswordSupportLib/OpalPasswordSupportLib.c",
      "new_id": "1c3bfffb8689f368b2256d56efda706ea0a88a24",
      "new_mode": 33188,
      "new_path": "SecurityPkg/Library/OpalPasswordSupportLib/OpalPasswordSupportLib.c"
    }
  ]
}
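
The commit message above describes the mitigation pattern but the page carries no diff, so the following is an added example (not EDK2 code, not the commit's own change) showing where a Spectre v1 fence belongs in an SMI handler that consumes an attacker-influenced communication buffer. The struct layouts (OPAL_SMM_COMM, OPAL_SMM_DEVICE), the function code SMM_FUNCTION_SET_OPAL_PASSWORD, the SpeculationBarrier() stand-in for AsmLfence(), the status values and the sample device path are all assumptions constructed for illustration; only the shape of the argument (bounds check on CommBuffer, then a fence, then the CompareMem-style gadget) follows the commit message.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SMM_FUNCTION_SET_OPAL_PASSWORD 1u   /* assumed function code */
#define MAX_DEVICE_PATH_LEN            64u
#define MAX_PASSWORD_LEN               32u

enum { STATUS_SUCCESS = 0, STATUS_INVALID_PARAMETER = 1, STATUS_NOT_FOUND = 2 };

/* Assumed layout of the externally controlled CommBuffer. */
typedef struct {
  uint32_t Function;
  uint32_t ReturnStatus;
  uint32_t DevicePathLen;                        /* bytes of OpalDevicePath in use */
  uint8_t  OpalDevicePath[MAX_DEVICE_PATH_LEN];
  uint8_t  Password[MAX_PASSWORD_LEN];
} OPAL_SMM_COMM;

/* Assumed shape of one entry in the SMRAM-resident device list. */
typedef struct {
  uint32_t DevicePathLen;
  uint8_t  OpalDevicePath[MAX_DEVICE_PATH_LEN];
  uint8_t  Password[MAX_PASSWORD_LEN];
} OPAL_SMM_DEVICE;

/* Stand-in for EDK2's AsmLfence(): LFENCE does not execute until all earlier loads
 * have completed, so loads placed after it cannot run ahead of an unresolved check. */
static inline void SpeculationBarrier(void) {
#if defined(__x86_64__) || defined(__i386__)
  __asm__ volatile ("lfence" ::: "memory");
#else
  __asm__ volatile ("" ::: "memory");   /* compiler barrier only (assumption for non-x86 builds) */
#endif
}

static OPAL_SMM_DEVICE gDevices[4];   /* SMRAM-resident list (constructed sample) */
static size_t          gDeviceCount;

/* Trusted registration path; not reachable through CommBuffer. */
int OpalAddDevice(const uint8_t *Path, uint32_t PathLen) {
  if (PathLen > MAX_DEVICE_PATH_LEN || gDeviceCount >= sizeof gDevices / sizeof gDevices[0])
    return STATUS_INVALID_PARAMETER;
  OPAL_SMM_DEVICE *Dev = &gDevices[gDeviceCount++];
  memset(Dev, 0, sizeof *Dev);
  Dev->DevicePathLen = PathLen;
  memcpy(Dev->OpalDevicePath, Path, PathLen);
  return STATUS_SUCCESS;
}

/* Counterpart of OpalSavePasswordToSmm(). The memcmp() is the gadget from the commit
 * message: which cache lines of List->OpalDevicePath it touches depends on DevicePath
 * and DevicePathLen, so those must only ever be reached architecturally. */
static int OpalSavePasswordToSmm(const uint8_t *DevicePath, uint32_t DevicePathLen,
                                 const uint8_t *Password) {
  for (size_t i = 0; i < gDeviceCount; i++) {
    OPAL_SMM_DEVICE *List = &gDevices[i];
    if (List->DevicePathLen == DevicePathLen &&
        memcmp(List->OpalDevicePath, DevicePath, DevicePathLen) == 0) {
      memcpy(List->Password, Password, MAX_PASSWORD_LEN);
      return STATUS_SUCCESS;
    }
  }
  return STATUS_NOT_FOUND;
}

/* Hardened SMI handler: every value derived from CommBuffer is consumed only after a
 * bounds check followed by a fence. Without the fence the core may speculatively run
 * past a failed size check, read DevicePathLen/OpalDevicePath beyond the buffer and
 * feed them into memcmp(), leaving a cache footprint an attacker can measure. */
int SmmOpalPasswordHandler(const void *CommBuffer, size_t CommBufferSize) {
  if (CommBuffer == NULL || CommBufferSize < sizeof (OPAL_SMM_COMM))
    return STATUS_INVALID_PARAMETER;
  SpeculationBarrier();                         /* fence immediately after the size check */

  const OPAL_SMM_COMM *Comm = CommBuffer;
  switch (Comm->Function) {
  case SMM_FUNCTION_SET_OPAL_PASSWORD:
    if (Comm->DevicePathLen > MAX_DEVICE_PATH_LEN)
      return STATUS_INVALID_PARAMETER;
    SpeculationBarrier();                       /* DevicePathLen is attacker data: fence after its check too */
    return OpalSavePasswordToSmm(Comm->OpalDevicePath, Comm->DevicePathLen, Comm->Password);
  default:
    return STATUS_INVALID_PARAMETER;
  }
}

/* Drives the handler with a constructed request; returns how many of 6 checks passed. */
int ExampleRun(void) {
  static const uint8_t kPath[12] = { 0x02, 0x01, 0x0c, 0x00, 0xd0, 0x41, 0x03, 0x0a, 0, 0, 0, 0 }; /* constructed */
  OPAL_SMM_COMM Comm;
  int Passed = 0;
  memset(&Comm, 0, sizeof Comm);
  Comm.Function      = SMM_FUNCTION_SET_OPAL_PASSWORD;
  Comm.DevicePathLen = sizeof kPath;
  memcpy(Comm.OpalDevicePath, kPath, sizeof kPath);
  memcpy(Comm.Password, "example-pw", 11);

  Passed += OpalAddDevice(kPath, sizeof kPath) == STATUS_SUCCESS;
  Passed += SmmOpalPasswordHandler(NULL, sizeof Comm) == STATUS_INVALID_PARAMETER;
  Passed += SmmOpalPasswordHandler(&Comm, sizeof Comm - 1) == STATUS_INVALID_PARAMETER; /* undersized buffer */
  Comm.DevicePathLen = MAX_DEVICE_PATH_LEN + 1;
  Passed += SmmOpalPasswordHandler(&Comm, sizeof Comm) == STATUS_INVALID_PARAMETER;     /* oversized length */
  Comm.DevicePathLen = sizeof kPath;
  Passed += SmmOpalPasswordHandler(&Comm, sizeof Comm) == STATUS_SUCCESS &&
            memcmp(gDevices[0].Password, "example-pw", 11) == 0;
  Comm.OpalDevicePath[0] ^= 1;
  Passed += SmmOpalPasswordHandler(&Comm, sizeof Comm) == STATUS_NOT_FOUND;             /* unknown device */
  return Passed;
}

int main(void) {
  printf("%d/6 checks passed\n", ExampleRun());
  return 0;
}
```

The placement is the whole point: the fence has to sit between the comparison that rejects a bad CommBuffer and the first load whose address or length depends on that buffer, so that no dependent load is issued while the branch is still unresolved. A fence anywhere else (at function entry, or after the dereference) does nothing for this gadget. The example deliberately leaves out the other checks a real SMI handler performs on a communication buffer, such as verifying that it lies entirely outside SMRAM and copying it before use, because those address different bugs than the one this commit fixes.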
