BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=1136
CVE: CVE-2018-12182
Customer met system hang-up during serial port loopback test in OS.
It is a corner case happened with one CPU core doing "out dx,al" and
another CPU core(s) doing "rep outs dx,byte ptr [rsi]".
Detailed code flow is as below.
1. Serial port loopback test in OS.
One CPU core: "out dx,al" -> Writing B2h, SMI will happen.
Another CPU core(s): "rep outs dx,byte ptr [rsi]".
2. SMI happens to enter SMM.
"out dx" (SMM_IO_TYPE_OUT_DX) is saved as I/O instruction type in
SMRAM save state for CPU doing "out dx,al".
"rep outs dx" (SMM_IO_TYPE_REP_OUTS) is saved as I/O instruction
type and rsi is save as I/O Memory Address in SMRAM save state for
CPU doing "rep outs dx, byte ptr [rsi]".
NOTE: I/O Memory Address (rsi) is a virtual address mapped by
OS/Virtual Machine.
3. Some SMM code calls EFI_SMM_CPU_PROTOCOL.ReadSaveState() with
EFI_SMM_SAVE_STATE_REGISTER_IO and parse data returned.
For example:
https://github.com/tianocore/edk2/blob/master/QuarkSocPkg/
QuarkNorthCluster/Smm/DxeSmm/QncSmmDispatcher/QNC/QNCSmmSw.c#L76
4. SmmReadSaveState() is executed to read save state for
EFI_SMM_SAVE_STATE_REGISTER_IO.
- The SmmReadSaveState() function in
"UefiCpuPkg/PiSmmCpuDxeSmm/PiSmmCpuDxeSmm.c" calls the
SmmCpuFeaturesReadSaveStateRegister() function, from the platform's
SmmCpuFeaturesLib instance.
- If that platform-specific function returns EFI_UNSUPPORTED, then
PiSmmCpuDxeSmm falls back to the common function
ReadSaveStateRegister(), defined in file
"UefiCpuPkg/PiSmmCpuDxeSmm/SmramSaveState.c".
Current ReadSaveStateRegister() in
UefiCpuPkg/PiSmmCpuDxeSmm/SmramSaveState.c is trying to copy data
from I/O Memory Address for EFI_SMM_SAVE_STATE_IO_TYPE_REP_PREFIX,
PF will happen as SMM page table does not know and cover this
OS/Virtual Machine virtual address.
Same case is for SmmCpuFeaturesReadSaveStateRegister() in platform-
specific SmmCpuFeaturesLib instance if it has similar implementation
to read save state for EFI_SMM_SAVE_STATE_REGISTER_IO with
EFI_SMM_SAVE_STATE_IO_TYPE_REP_PREFIX.
Same case is for "ins", 'outs' and 'rep ins'.
So to fix the problem, this patch updates the code to only support
IN/OUT, but not INS/OUTS/REP INS/REP OUTS for SmmReadSaveState().
Cc: Eric Dong <eric.dong@intel.com>
Cc: Ray Ni <ray.ni@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Signed-off-by: Star Zeng <star.zeng@intel.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
None of the .c/.h in Arm/ are used any more => remove them.
Also merge the CC flags for MSFT ARM and ARM64, since these are the
only archs we support for this package.
Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Leif Lindholm <leif.lindholm@linaro.org>
Signed-off-by: Pete Batard <pete@akeo.ie>
Reviewed-by: Leif Lindholm <leif.lindholm@linaro.org>
These files have \r\n line endings, but a few lines use \r\r\n which
is not a valid line ending. These lines were causing problems for git
and other tools.
Signed-off-by: Joe Richey <joerichey@google.com>
Review-by: Eric Dong <eric.dong@intel.com>
Reviewed-by: Ray Ni <ray.ni@intel.com>
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=1752
This patch is to fix the code bug in StructurePcd overall
value assignment logic. If a Pcd Array size is fixed but the
size of actual value in Dsc or Dec is bigger than the Pcd
array size, the tool will report error about such setting and
stop build.
The patch is tested minplatform, Ovmf, structure pcd regression test
These tests are build pass. The patch also tested the following cases.
Our cases focused on PcdArraySize. 1.flexiable PcdArraySize.
2.Fixed PcdArraySize, Pcd overall value exceeds the size of PcdArray.
3.Fixed PcdArraySize, Pcd overall value Not exceeds the size of PcdArray.
Signed-off-by: Bob Feng <bob.c.feng@intel.com>
Cc: Liming Gao <liming.gao@intel.com>
Reviewed-by: Liming Gao <liming.gao@intel.com>
Update the QemuVideoDxe driver to not depend on the
OptionRomPkg to support moving OptionRomPkg to the
edk2-platforms repository.
The only dependency on the OptionRomPkg is the use of
PcdDriverSupportedEfiVersion to set the version value in the
EFI Driver Supported EFI Version Protocol.
Quoting the UEFI-2.8 spec, "This protocol is required for EFI
drivers that are *on* PCI and other plug in cards" (emphasis ours).
However, QemuVideoDxe is always part of the OVMF platform firmware,
and is never read by PciBusDxe from the PCI ROM BAR of QEMU's
emulated graphics cards.
Since this protocol does not apply to QEMU environment, remove
both the PCD and the installation of the EFI Driver Supported EFI
Version Protocol.
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Michael D Kinney <michael.d.kinney@intel.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Add batch scripts to generate the LVFS compatible capsule
update driver.
Add DSC/FDF files to build capsules and invoke post build
shell scripts for Linux build environments.
Make versions consistent.
Cc: Zailiang Sun <zailiang.sun@intel.com>
Cc: Yi Qian <yi.qian@intel.com>
Signed-off-by: Michael D Kinney <michael.d.kinney@intel.com>
Reviewed-by: Zailiang Sun <zailiang.sun@intel.com>
Reviewed-by: Yi Qian <yi.qian@intel.com>
In preparation for moving Vlv2TbltDevicePkg to the
edk2-platforms repository, the batch scripts used to build
this platform are updated to not make any assumptions about
the directory location of Vlv2TbltDevicePkg.
Cc: Zailiang Sun <zailiang.sun@intel.com>
Cc: Yi Qian <yi.qian@intel.com>
Signed-off-by: Michael D Kinney <michael.d.kinney@intel.com>
Reviewed-by: Zailiang Sun <zailiang.sun@intel.com>
Reviewed-by: Yi Qian <yi.qian@intel.com>
Update the binary file that contains the default configuration
settings. This file is generated using FCE.exe during a
Windows build and this binary file needs to be updated when
there are changes to the configuration setting layout or
configuration setting default values.
Cc: Zailiang Sun <zailiang.sun@intel.com>
Cc: Yi Qian <yi.qian@intel.com>
Signed-off-by: Michael D Kinney <michael.d.kinney@intel.com>
Reviewed-by: Zailiang Sun <zailiang.sun@intel.com>
Reviewed-by: Yi Qian <yi.qian@intel.com>
Add the PcdInitSmm module that should not have been
removed. This module performs actions at Exit Boot
Services to place devices in an OS compatible state.
Without this module, some versions of Linux can not
boot.
Cc: Zailiang Sun <zailiang.sun@intel.com>
Cc: Yi Qian <yi.qian@intel.com>
Signed-off-by: Michael D Kinney <michael.d.kinney@intel.com>
Reviewed-by: Zailiang Sun <zailiang.sun@intel.com>
Reviewed-by: Yi Qian <yi.qian@intel.com>
The NumberOfEnabledProcessors parameter to the MP Services
Protocol service GetNumberOfProcessors() is not optional and is
not allowed to be NULL. Add the CpuEnabledCount local variable
and pass it into GetNumberOfProcessors().
Cc: Zailiang Sun <zailiang.sun@intel.com>
Cc: Yi Qian <yi.qian@intel.com>
Signed-off-by: Michael D Kinney <michael.d.kinney@intel.com>
Reviewed-by: Zailiang Sun <zailiang.sun@intel.com>
Reviewed-by: Yi Qian <yi.qian@intel.com>
Add the arch protocols gEfiVariableArchProtocolGuid and
gEfiVariableWriteArchProtocolGuid to the dependency expression
for the AcpiPlatform module to guarantee that the variables
that AcpiPlatform depends upon are set before they are used by
this module.
Cc: Zailiang Sun <zailiang.sun@intel.com>
Cc: Yi Qian <yi.qian@intel.com>
Signed-off-by: Michael D Kinney <michael.d.kinney@intel.com>
Reviewed-by: Zailiang Sun <zailiang.sun@intel.com>
Reviewed-by: Yi Qian <yi.qian@intel.com>
Change the type of the local variable Size in the function
AcpiPlatformEntryPoint() from UINT32 to UINTN. This local
variable is passed into the function ReadSection() that returns
a value of type UINTN. Using type UINT32 can potentially
corrupt an adjacent local on the stack.
Cc: Zailiang Sun <zailiang.sun@intel.com>
Cc: Yi Qian <yi.qian@intel.com>
Signed-off-by: Michael D Kinney <michael.d.kinney@intel.com>
Reviewed-by: Zailiang Sun <zailiang.sun@intel.com>
Reviewed-by: Yi Qian <yi.qian@intel.com>
If the FLASH device cannot be erased or written, then the
flag FlashError is set to TRUE.
Add the missing logic to return an error if FlashError
is TRUE. The missing logic was found from a GCC build that
noticed a local variable was declared and assigned, but was
not being used.
Cc: Zailiang Sun <zailiang.sun@intel.com>
Cc: Yi Qian <yi.qian@intel.com>
Signed-off-by: Michael D Kinney <michael.d.kinney@intel.com>
Reviewed-by: Zailiang Sun <zailiang.sun@intel.com>
Reviewed-by: Yi Qian <yi.qian@intel.com>
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=1721
Remove two inf files form EmulatorPkg.
About IntelFrameworkModulePkg/Universal/StatusCode/Pei/StatusCodePei.inf,
this inf file is not included in the EmulaotrPkg.fdf,
which means the StatusCodePei.inf does't work at all,
so it is ok to remove it from EmulatorPkg.
About IntelFrameworkModulePkg/Bus/Pci/IdeBusDxe/IdeBusDxe.inf,
in the inf file, we can see it consumes gEfiIdeControllerInitProtocolGuid.
there are only two inf files in the edk project that produce this Protocol,
as belows:
PcAtChipsetPkg\Bus\Pci\IdeControllerDxe\IdeControllerDxe.inf
MdeModulePkg\Bus\Pci\SataControllerDxe\SataControllerDxe.inf
However, neither of them is included in the EmulatorPkg.dsc.
It means the IdeBusDxe.inf can't work at all,
so it is ok to remove it from EmulatorPkg.
Signed-off-by: Zhiguang Liu <zhiguang.liu@intel.com>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Andrew Fish <afish@apple.com>
Cc: Ray Ni <ray.ni@intel.com>
Reviewed-by: Ray Ni <ray.ni@intel.com>
DEPEX from PEI storage stack.
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1777
BootInRecoveryMode Ppi dependency should be removed from PEI storage stack
drivers. Besides recovery, more features are using the storage stack.
Platform can apply Ppi dependency in Recovery FV which contains full
storage driver stack. Platform storage stack modules, such as host
controller init PEI module, should also remove this dependency.
Cc: Ray Ni <ray.ni@intel.com>
Cc: Hao A Wu <hao.a.wu@intel.com>
Signed-off-by: Wei6 Xu <wei6.xu@intel.com>
Reviewed-by: Hao A Wu <hao.a.wu@intel.com>
Reviewed-by: Chao B Zhang <chao.b.zhang@intel.com>
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1777
BootInRecoveryMode Ppi dependency should be removed from PEI storage stack
drivers. Besides recovery, more features are using the storage stack.
Platform can apply Ppi dependency in Recovery FV which contains full
storage driver stack. Platform storage stack modules, such as host
controller init PEI module, should also remove this dependency.
Cc: Ray Ni <ray.ni@intel.com>
Cc: Hao A Wu <hao.a.wu@intel.com>
Signed-off-by: Wei6 Xu <wei6.xu@intel.com>
Reviewed-by: Hao A Wu <hao.a.wu@intel.com>
Reviewed-by: Chao B Zhang <chao.b.zhang@intel.com>
This reverts commit df7c81b5b2.
In commint df7c81b5b219c9,used a function to test python module
But the Boolean value of the return value of this function is the
opposite of the Correct result, resulting in an unexpected result
Cc: Bob Feng <bob.c.feng@intel.com>
Cc: Liming Gao <liming.gao@intel.com>
Signed-off-by: Zhiju.Fan <zhijux.fan@intel.com>
Reviewed-by: Bob Feng <bob.c.feng@intel.com>
https://bugzilla.tianocore.org/show_bug.cgi?id=1782
After change behavior to send BlockSid command at EndOfDxe point,
check device ownership command will return un-authority error, it
finally caused opal driver can't show "Enable Feature" menu.
Update the code logic to send detect device ownership command
before send BlockSID command.
Signed-off-by: Eric Dong <eric.dong@intel.com>
Reviewed-by: Hao A Wu <hao.a.wu@intel.com>
