
Bug#992518: bullseye-pu: package edk2/2020.11-2



Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu

[ Reason ]
Fixes a security issue, CVE-2019-11098.

[ Impact ]
The builds we provide shouldn't be impacted by this vulnerability,
at least not as described by the researchers. However, there may be
other implications - this is purely cautionary.

[ Tests ]
The built-in autopkgtests (actually the newer ones from unstable that are
more complete than the ones in bullseye).

$ ./debian/tests/shell.py 
test_aavmf (__main__.BootToShellTest) ... ok
test_aavmf32 (__main__.BootToShellTest) ... ok
test_ovmf32_4m_secboot (__main__.BootToShellTest) ... ok
test_ovmf_4m (__main__.BootToShellTest) ... ok
test_ovmf_4m_ms (__main__.BootToShellTest) ... ok
test_ovmf_4m_secboot (__main__.BootToShellTest) ... ok
test_ovmf_ms (__main__.BootToShellTest) ... ok
test_ovmf_pc (__main__.BootToShellTest) ... ok
test_ovmf_q35 (__main__.BootToShellTest) ... ok
test_ovmf_secboot (__main__.BootToShellTest) ... ok

----------------------------------------------------------------------
Ran 10 tests in 53.821s

OK

[ Risks ]
The most likely issue is that we introduce a regression that causes
some VMs to fail to boot.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
A cherry-pick from upstream that avoids reading the GDT from flash.
diff -Nru edk2-2020.11/debian/changelog edk2-2020.11/debian/changelog
--- edk2-2020.11/debian/changelog	2020-12-15 11:42:37.000000000 -0700
+++ edk2-2020.11/debian/changelog	2021-08-18 16:57:56.000000000 -0600
@@ -1,3 +1,9 @@
+edk2 (2020.11-2+deb11u1) bullseye; urgency=medium
+
+  * Address Boot Guard TOCTOU vulnerability (CVE-2019-11098) (Closes: #991495)
+
+ -- dann frazier <dannf@debian.org>  Wed, 18 Aug 2021 16:57:56 -0600
+
 edk2 (2020.11-2) unstable; urgency=medium
 
   * autopkgtest: Add allow-stderr to Restrictions to fix failure.
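Review bot: the changelog line names the CVE and closes #991495 but does not say which upstream commit is being cherry-picked; since the patch's DEP-3 header already records `Origin: upstream, https://github.com/tianocore/edk2/commit/f6ec1dd34fb6b9757b5ead465ee2ea20c182b0ac`, repeating that hash (or at least the patch file name) in the entry lets the stable update be audited from the changelog alone.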
diff -Nru edk2-2020.11/debian/patches/series edk2-2020.11/debian/patches/series
--- edk2-2020.11/debian/patches/series	2020-12-15 11:42:37.000000000 -0700
+++ edk2-2020.11/debian/patches/series	2021-08-18 16:57:56.000000000 -0600
@@ -3,3 +3,4 @@
 ovmf-vars-generator-Pass-OEM-Strings-to-the-guest.patch
 ovmf-vars-generator-ignore-qemu-warnings.patch
 ovmf-vars-generator-no-defaults.patch
+UefiCpuPkg-Move-MigrateGdt-from-DiscoverMemory-to-Te.patch
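Review bot: the new patch name is cut off mid-word (`...-DiscoverMemory-to-Te.patch`, the git format-patch truncation of `TempRamDone`); consider renaming the file to the full subject, e.g. `UefiCpuPkg-Move-MigrateGdt-from-DiscoverMemory-to-TempRamDone.patch`, and updating this series line to match, so the file name says what the change does.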
diff -Nru edk2-2020.11/debian/patches/UefiCpuPkg-Move-MigrateGdt-from-DiscoverMemory-to-Te.patch edk2-2020.11/debian/patches/UefiCpuPkg-Move-MigrateGdt-from-DiscoverMemory-to-Te.patch
--- edk2-2020.11/debian/patches/UefiCpuPkg-Move-MigrateGdt-from-DiscoverMemory-to-Te.patch	1969-12-31 17:00:00.000000000 -0700
+++ edk2-2020.11/debian/patches/UefiCpuPkg-Move-MigrateGdt-from-DiscoverMemory-to-Te.patch	2021-08-18 16:57:56.000000000 -0600
@@ -0,0 +1,189 @@
+From f6ec1dd34fb6b9757b5ead465ee2ea20c182b0ac Mon Sep 17 00:00:00 2001
+From: Guomin Jiang <guomin.jiang@intel.com>
+Date: Wed, 13 Jan 2021 18:08:09 +0800
+Subject: [PATCH] UefiCpuPkg: Move MigrateGdt from DiscoverMemory to
+ TempRamDone. (CVE-2019-11098)
+
+REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1614
+REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3160
+
+The GDT still in flash with commit 60b12e69fb1c8c7180fdda92f008248b9ec83db1
+after TempRamDone
+
+So move the action to TempRamDone event to avoid reading GDT from flash.
+
+Signed-off-by: Guomin Jiang <guomin.jiang@intel.com>
+Cc: Eric Dong <eric.dong@intel.com>
+Cc: Ray Ni <ray.ni@intel.com>
+Cc: Laszlo Ersek <lersek@redhat.com>
+Cc: Rahul Kumar <rahul1.kumar@intel.com>
+Cc: Debkumar De <debkumar.de@intel.com>
+Cc: Harry Han <harry.han@intel.com>
+Cc: Catharine West <catharine.west@intel.com>
+Reviewed-by: Ray Ni <ray.ni@intel.com>
+
+Bug: https://bugzilla.tianocore.org/show_bug.cgi?id=1614
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=991495
+Origin: upstream, https://github.com/tianocore/edk2/commit/f6ec1dd34fb6b9757b5ead465ee2ea20c182b0ac
+Last-Updated: 2021-07-26
+
+diff --git a/UefiCpuPkg/CpuMpPei/CpuMpPei.c b/UefiCpuPkg/CpuMpPei/CpuMpPei.c
+index 40729a09b9..3c1bad6470 100644
+--- a/UefiCpuPkg/CpuMpPei/CpuMpPei.c
++++ b/UefiCpuPkg/CpuMpPei/CpuMpPei.c
+@@ -429,43 +429,6 @@ GetGdtr (
+   AsmReadGdtr ((IA32_DESCRIPTOR *)Buffer);
+ }
+ 
+-/**
+-  Migrates the Global Descriptor Table (GDT) to permanent memory.
+-
+-  @retval   EFI_SUCCESS           The GDT was migrated successfully.
+-  @retval   EFI_OUT_OF_RESOURCES  The GDT could not be migrated due to lack of available memory.
+-
+-**/
+-EFI_STATUS
+-MigrateGdt (
+-  VOID
+-  )
+-{
+-  EFI_STATUS          Status;
+-  UINTN               GdtBufferSize;
+-  IA32_DESCRIPTOR     Gdtr;
+-  VOID                *GdtBuffer;
+-
+-  AsmReadGdtr ((IA32_DESCRIPTOR *) &Gdtr);
+-  GdtBufferSize = sizeof (IA32_SEGMENT_DESCRIPTOR) -1 + Gdtr.Limit + 1;
+-
+-  Status =  PeiServicesAllocatePool (
+-              GdtBufferSize,
+-              &GdtBuffer
+-              );
+-  ASSERT (GdtBuffer != NULL);
+-  if (EFI_ERROR (Status)) {
+-    return EFI_OUT_OF_RESOURCES;
+-  }
+-
+-  GdtBuffer = ALIGN_POINTER (GdtBuffer, sizeof (IA32_SEGMENT_DESCRIPTOR));
+-  CopyMem (GdtBuffer, (VOID *) Gdtr.Base, Gdtr.Limit + 1);
+-  Gdtr.Base = (UINTN) GdtBuffer;
+-  AsmWriteGdtr (&Gdtr);
+-
+-  return EFI_SUCCESS;
+-}
+-
+ /**
+   Initializes CPU exceptions handlers for the sake of stack switch requirement.
+ 
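Review bot: this hunk removes the definition of MigrateGdt from CpuMpPei.c, but any prototype lives in CpuMpPei.h, which is not part of this diff; confirm that no declaration of MigrateGdt survives there, since the only call in CpuPaging.c is removed in a later hunk and a stale prototype would be the last remaining reference in the module.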
+diff --git a/UefiCpuPkg/CpuMpPei/CpuMpPei.inf b/UefiCpuPkg/CpuMpPei/CpuMpPei.inf
+index ba829d816e..7444bdb968 100644
+--- a/UefiCpuPkg/CpuMpPei/CpuMpPei.inf
++++ b/UefiCpuPkg/CpuMpPei/CpuMpPei.inf
+@@ -67,7 +67,6 @@
+   gUefiCpuPkgTokenSpaceGuid.PcdCpuStackSwitchExceptionList              ## SOMETIMES_CONSUMES
+   gUefiCpuPkgTokenSpaceGuid.PcdCpuKnownGoodStackSize                    ## SOMETIMES_CONSUMES
+   gUefiCpuPkgTokenSpaceGuid.PcdCpuApStackSize                           ## SOMETIMES_CONSUMES
+-  gEfiMdeModulePkgTokenSpaceGuid.PcdMigrateTemporaryRamFirmwareVolumes  ## CONSUMES
+ 
+ [Depex]
+   TRUE
+diff --git a/UefiCpuPkg/CpuMpPei/CpuPaging.c b/UefiCpuPkg/CpuMpPei/CpuPaging.c
+index 50ad4277af..3e261d6657 100644
+--- a/UefiCpuPkg/CpuMpPei/CpuPaging.c
++++ b/UefiCpuPkg/CpuMpPei/CpuPaging.c
+@@ -605,17 +605,9 @@ MemoryDiscoveredPpiNotifyCallback (
+ {
+   EFI_STATUS              Status;
+   BOOLEAN                 InitStackGuard;
+-  BOOLEAN                 InterruptState;
+   EDKII_MIGRATED_FV_INFO  *MigratedFvInfo;
+   EFI_PEI_HOB_POINTERS    Hob;
+ 
+-  if (PcdGetBool (PcdMigrateTemporaryRamFirmwareVolumes)) {
+-    InterruptState = SaveAndDisableInterrupts ();
+-    Status = MigrateGdt ();
+-    ASSERT_EFI_ERROR (Status);
+-    SetInterruptState (InterruptState);
+-  }
+-
+   //
+   // Paging must be setup first. Otherwise the exception TSS setup during MP
+   // initialization later will not contain paging information and then fail
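Review bot: the removed block also drops the SaveAndDisableInterrupts/SetInterruptState pair that bracketed the GDT switch; that protection is only preserved if the new call site sits inside SecTemporaryRamDone's own interrupt-disabled window, which the SecMain.c hunk below does show (`State = SaveAndDisableInterrupts ();` precedes the new call). Also confirm that MigratedFvInfo and Hob, which stay declared, are still used further down in MemoryDiscoveredPpiNotifyCallback so the build remains warning-free.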
+diff --git a/UefiCpuPkg/SecCore/SecCore.inf b/UefiCpuPkg/SecCore/SecCore.inf
+index 545781d6b4..ded83beb52 100644
+--- a/UefiCpuPkg/SecCore/SecCore.inf
++++ b/UefiCpuPkg/SecCore/SecCore.inf
+@@ -77,6 +77,7 @@
+ 
+ [Pcd]
+   gUefiCpuPkgTokenSpaceGuid.PcdPeiTemporaryRamStackSize  ## CONSUMES
++  gEfiMdeModulePkgTokenSpaceGuid.PcdMigrateTemporaryRamFirmwareVolumes  ## CONSUMES
+ 
+ [UserExtensions.TianoCore."ExtraFiles"]
+   SecCoreExtra.uni
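Review bot: the new [Pcd] entry references gEfiMdeModulePkgTokenSpaceGuid, which only resolves if MdeModulePkg/MdeModulePkg.dec is listed under [Packages] in SecCore.inf; that section is outside the hunk, so check it before upload (AutoGen fails otherwise). Aligning the `## CONSUMES` column with the PcdPeiTemporaryRamStackSize line above it would match the file's existing layout.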
+diff --git a/UefiCpuPkg/SecCore/SecMain.c b/UefiCpuPkg/SecCore/SecMain.c
+index 155be49a60..2416c4ce56 100644
+--- a/UefiCpuPkg/SecCore/SecMain.c
++++ b/UefiCpuPkg/SecCore/SecMain.c
+@@ -35,6 +35,43 @@ EFI_PEI_PPI_DESCRIPTOR            mPeiSecPlatformInformationPpi[] = {
+   }
+ };
+ 
++/**
++  Migrates the Global Descriptor Table (GDT) to permanent memory.
++
++  @retval   EFI_SUCCESS           The GDT was migrated successfully.
++  @retval   EFI_OUT_OF_RESOURCES  The GDT could not be migrated due to lack of available memory.
++
++**/
++EFI_STATUS
++MigrateGdt (
++  VOID
++  )
++{
++  EFI_STATUS          Status;
++  UINTN               GdtBufferSize;
++  IA32_DESCRIPTOR     Gdtr;
++  VOID                *GdtBuffer;
++
++  AsmReadGdtr ((IA32_DESCRIPTOR *) &Gdtr);
++  GdtBufferSize = sizeof (IA32_SEGMENT_DESCRIPTOR) -1 + Gdtr.Limit + 1;
++
++  Status =  PeiServicesAllocatePool (
++              GdtBufferSize,
++              &GdtBuffer
++              );
++  ASSERT (GdtBuffer != NULL);
++  if (EFI_ERROR (Status)) {
++    return EFI_OUT_OF_RESOURCES;
++  }
++
++  GdtBuffer = ALIGN_POINTER (GdtBuffer, sizeof (IA32_SEGMENT_DESCRIPTOR));
++  CopyMem (GdtBuffer, (VOID *) Gdtr.Base, Gdtr.Limit + 1);
++  Gdtr.Base = (UINTN) GdtBuffer;
++  AsmWriteGdtr (&Gdtr);
++
++  return EFI_SUCCESS;
++}
++
+ //
+ // These are IDT entries pointing to 10:FFFFFFE4h.
+ //
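Review bot: in the moved MigrateGdt body, `ASSERT (GdtBuffer != NULL);` runs before `if (EFI_ERROR (Status))` and GdtBuffer is never initialised, so on an allocation failure a DEBUG build asserts on an indeterminate pointer while a RELEASE build takes the EFI_OUT_OF_RESOURCES path; testing Status first and then asserting on the pointer (or initialising `GdtBuffer = NULL`) makes both build types behave the same. The buffer is sized as `sizeof (IA32_SEGMENT_DESCRIPTOR) -1 + Gdtr.Limit + 1` so that the ALIGN_POINTER adjustment cannot push the CopyMem past the end of the allocation; a one-line comment saying that is the purpose of the slack would help the next reader.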
+@@ -409,6 +446,14 @@ SecTemporaryRamDone (
+   //
+   State = SaveAndDisableInterrupts ();
+ 
++  //
++  // Migrate GDT before NEM near down
++  //
++  if (PcdGetBool (PcdMigrateTemporaryRamFirmwareVolumes)) {
++    Status = MigrateGdt ();
++    ASSERT_EFI_ERROR (Status);
++  }
++
+   //
+   // Disable Temporary RAM after Stack and Heap have been migrated at this point.
+   //
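Review bot: the new call assigns to `Status`, whose declaration in SecTemporaryRamDone is outside this hunk's context; confirm it exists before upload. ASSERT_EFI_ERROR compiles to nothing in RELEASE builds, so if PeiServicesAllocatePool fails there the boot continues with the GDT still in flash, which is exactly the window this CVE is about; a DEBUG print or an explicit error path would make that failure visible rather than silent. The comment `Migrate GDT before NEM near down` is hard to parse; something like `Migrate GDT to permanent memory before temporary RAM (NEM) is disabled` states what the placement, inside the interrupt-disabled window opened by SaveAndDisableInterrupts above, guarantees.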
+-- 
+2.32.0
+
