Advisory TFV-8 (CVE-2018-19440)
===============================

+----------------+-------------------------------------------------------------+
| Title          | Not saving x0 to x3 registers can leak information from one |
|                | Normal World SMC client to another                          |
+================+=============================================================+
| CVE ID         | `CVE-2018-19440`_                                           |
+----------------+-------------------------------------------------------------+
| Date           | 27 Nov 2018                                                 |
+----------------+-------------------------------------------------------------+
| Versions       | All                                                         |
| Affected       |                                                             |
+----------------+-------------------------------------------------------------+
| Configurations | Multiple normal world SMC clients calling into AArch64 BL31 |
| Affected       |                                                             |
+----------------+-------------------------------------------------------------+
| Impact         | Leakage of SMC return values from one normal world SMC      |
|                | client to another                                           |
+----------------+-------------------------------------------------------------+
| Fix Version    | `Pull Request #1710`_                                       |
+----------------+-------------------------------------------------------------+
| Credit         | Secmation                                                   |
+----------------+-------------------------------------------------------------+

When taking an exception to EL3, BL31 saves the CPU context. The aim is to
restore it before returning into the lower exception level software that called
into the firmware. However, for an SMC exception, the general purpose registers
``x0`` to ``x3`` are not part of the CPU context saved on the stack.

As per the `SMC Calling Convention`_, up to 4 values may be returned to the
caller in registers ``x0`` to ``x3``. In TF-A, these return values are written
into the CPU context, typically using one of the ``SMC_RETx()`` macros provided
in the ``include/lib/aarch64/smccc_helpers.h`` header file.

Before returning to the caller, the ``restore_gp_registers()`` function is
called. It restores the values of all general purpose registers taken from the
CPU context stored on the stack. This includes registers ``x0`` to ``x3``, as
can be seen in the ``lib/el3_runtime/aarch64/context.S`` file at line 339
(referring to the version of the code as of `commit c385955`_):

::

    /*
     * This function restores all general purpose registers except x30 from the
     * CPU context. x30 register must be explicitly restored by the caller.
     */
    func restore_gp_registers
        ldp x0, x1, [sp, #CTX_GPREGS_OFFSET + CTX_GPREG_X0]
        ldp x2, x3, [sp, #CTX_GPREGS_OFFSET + CTX_GPREG_X2]

In the case of an SMC handler that does not use all 4 return values, the
remaining ones are left unchanged in the CPU context. As a result,
``restore_gp_registers()`` restores the stale values saved by a previous SMC
request (or asynchronous exception to EL3) that used these return values.

In the presence of multiple normal world SMC clients, this behaviour might leak
some of the return values from one client to another. For example, if a victim
client first sends an SMC that returns 4 values, a malicious client may then
send a second SMC expecting no return values (for example, a
``SDEI_EVENT_COMPLETE`` SMC) to get the 4 return values of the victim client.

In general, the responsibility for mitigating threats due to the presence of
multiple normal world SMC clients lies with EL2 software. When present, EL2
software must trap SMC calls from EL1 software to ensure secure behaviour.

For this reason, TF-A does not save ``x0`` to ``x3`` in the CPU context on an
SMC synchronous exception. It has behaved this way since the first version.

We can confirm that at least upstream KVM-based systems mitigate this threat,
and are therefore unaffected by this issue. Other EL2 software should be audited
to assess the impact of this threat.

EL2 software might find mitigating this threat somewhat onerous, because for all
SMCs it would need to be aware of which return registers contain valid data, so
it can sanitise any unused return registers. On the other hand, mitigating this
in EL3 is relatively easy and cheap. Therefore, TF-A will now ensure that no
information is leaked through registers ``x0`` to ``x3``, by preserving the
register state over the call.

Note that AArch32 TF-A is not affected by this issue. The SMC handling code in
``SP_MIN`` already saves all general purpose registers - including ``r0`` to
``r3``, as can be seen in the ``include/lib/aarch32/smccc_macros.S`` file at
line 19 (referring to the version of the code as of `commit c385955`_):

.. code:: c

    /*
     * Macro to save the General purpose registers (r0 - r12), the banked
     * spsr, lr, sp registers and the `scr` register to the SMC context on entry
     * due a SMC call. The `lr` of the current mode (monitor) is expected to be
     * already saved. The `sp` must point to the `smc_ctx_t` to save to.
     * Additionally, also save the 'pmcr' register as this is updated whilst
     * executing in the secure world.
     */
    .macro smccc_save_gp_mode_regs
        /* Save r0 - r12 in the SMC context */
        stm sp, {r0-r12}

.. _CVE-2018-19440: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19440
.. _commit c385955: https://github.com/ARM-software/arm-trusted-firmware/commit/c385955
.. _SMC Calling Convention: https://developer.arm.com/docs/den0028/latest
.. _Pull Request #1710: https://github.com/ARM-software/arm-trusted-firmware/pull/1710