From: "Kun Qin"
To: devel@edk2.groups.io
Cc: Jiewen Yao, Eric Dong, Ray Ni, Jian J Wang, Liming Gao
Subject: [edk2-devel] [PATCH v1 1/1] MdeModulePkg: PiSmmCore: Inspect memory guarded with pool headers
Date: Tue, 15 Mar 2022 20:59:54 -0700
Message-Id: <20220316035954.1146-2-kuqin12@gmail.com>
In-Reply-To: <20220316035954.1146-1-kuqin12@gmail.com>

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3488

The current free pool routine from PiSmmCore inspects the memory guard status for the target buffer without considering pool headers. This could lead the `IsMemoryGuarded` function to return incorrect results. In that sense, allocating a 0-sized pool could cause the allocated buffer to point directly into a guard page, which is legal. However, trying to free this pool will cause the routine changed in this commit to read XP pages, which leads to a page fault.

This change inspects the memory guard status together with the pool headers. This avoids errors when pool content happens to be on a page boundary.

Cc: Jiewen Yao
Cc: Eric Dong
Cc: Ray Ni
Cc: Jian J Wang
Cc: Liming Gao
Signed-off-by: Kun Qin
Reviewed-by: Jian J Wang
Reviewed-by: Liming Gao
---
 MdeModulePkg/Core/PiSmmCore/Pool.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/MdeModulePkg/Core/PiSmmCore/Pool.c b/MdeModulePkg/Core/PiSmmCore/Pool.c
index 96ebe811c669..e1ff40a8ea55 100644
--- a/MdeModulePkg/Core/PiSmmCore/Pool.c
+++ b/MdeModulePkg/Core/PiSmmCore/Pool.c
@@ -382,11 +382,6 @@ SmmInternalFreePool ( return EFI_INVALID_PARAMETER; } =20 - MemoryGuarded =3D IsHeapGuardEnabled () && - IsMemoryGuarded ((EFI_PHYSICAL_ADDRESS)(UINTN)Buffer); - HasPoolTail =3D !(MemoryGuarded && - ((PcdGet8 (PcdHeapGuardPropertyMask) & BIT7) =3D=3D 0)); - FreePoolHdr =3D (FREE_POOL_HEADER *)((POOL_HEADER *)Buffer - 1); ASSERT (FreePoolHdr->Header.Signature =3D=3D POOL_HEAD_SIGNATURE); ASSERT (!FreePoolHdr->Header.Available);
@@ -394,6 +389,11 @@ SmmInternalFreePool ( return EFI_INVALID_PARAMETER; } =20 + MemoryGuarded =3D IsHeapGuardEnabled () && + IsMemoryGuarded ((EFI_PHYSICAL_ADDRESS)(UINTN)FreePoolHd= r); + HasPoolTail =3D !(MemoryGuarded && + ((PcdGet8 (PcdHeapGuardPropertyMask) & BIT7) =3D=3D 0)); + if (HasPoolTail) { PoolTail =3D HEAD_TO_TAIL (&FreePoolHdr->Header); ASSERT (PoolTail->Signature =3D=3D POOL_TAIL_SIGNATURE);
--
2.35.1.windows.2
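Review bot: removing the MemoryGuarded and HasPoolTail assignments from the first hunk (@@ -382,11 +382,6 @@) leaves both variables unset across the FreePoolHdr computation, the Signature and Available asserts and the `return EFI_INVALID_PARAMETER` check that follow; please confirm that nothing in the lines between this hunk and the next (not all of them appear in the context shown) reads HasPoolTail or MemoryGuarded, since the removed block used to define them before FreePoolHdr was derived from Buffer.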
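Review bot: the new `IsMemoryGuarded ((EFI_PHYSICAL_ADDRESS)(UINTN)FreePoolHdr)` call in the second hunk (@@ -394,6 +389,11 @@) deserves a one-line comment saying why the header address is inspected instead of Buffer: for the 0-byte pool described in the commit message, Buffer is the first byte of the guard page, so the lookup answers for the wrong page, HasPoolTail comes out TRUE, and the `HEAD_TO_TAIL (&FreePoolHdr->Header)` read that follows touches the guard page. The header always lies inside the allocation, so it gives the right answer, but without a comment the next reader may revert to the shorter Buffer form. The `ASSERT (FreePoolHdr->Header.Signature == POOL_HEAD_SIGNATURE)` now runs before the guard status is known, which is fine because the header is readable in either configuration.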
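As an added example (not edk2 code and not part of this patch), the C model below replays the tail decision of SmmInternalFreePool for a tail-guarded pool as the commit message describes it. The page size, the header size and the addresses are constructed for the model; it shows that for a 0-byte pool the old probe on Buffer lands on the guard page and leads to a tail read there, while probing the pool header does not.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed model of the layout in the commit message; not edk2 code.
 * With heap guard on and BIT7 of PcdHeapGuardPropertyMask clear, the pool
 * is placed so its body ends on a page boundary and the following page is a
 * guard page. The POOL_HEADER sits just below the body, inside the guarded
 * allocation. HEADER_SIZE is an assumed value for this model. */
#define PAGE_SIZE   4096u
#define HEADER_SIZE 16u

typedef struct {
  uintptr_t data_page;   /* page holding header and body, marked guarded */
  uintptr_t guard_page;  /* not-present page right after the body */
  uintptr_t header;      /* POOL_HEADER address (FreePoolHdr in the patch) */
  uintptr_t buffer;      /* address handed to the caller (Buffer) */
  size_t    size;        /* body size requested by the caller */
} PoolLayout;

/* Lay out a tail-guarded pool of `size` body bytes ending at guard_page. */
PoolLayout layout_tail_guarded(uintptr_t guard_page, size_t size) {
  PoolLayout l;
  l.guard_page = guard_page;
  l.data_page  = guard_page - PAGE_SIZE;
  l.buffer     = guard_page - size;
  l.header     = l.buffer - HEADER_SIZE;
  l.size       = size;
  return l;
}

/* Model of IsMemoryGuarded: true iff the page containing addr belongs to a
 * guarded allocation. The guard page itself is not such a page. */
bool is_memory_guarded(const PoolLayout *l, uintptr_t addr) {
  return addr >= l->data_page && addr < l->data_page + PAGE_SIZE;
}

/* Replay the free path's tail decision. Returns true when the routine would
 * dereference a pool tail located in the guard page (a page fault).
 * inspect_header=false is the pre-patch probe on Buffer, true the patched
 * probe on FreePoolHdr. BIT7 is taken as clear: no tail when guarded. */
bool free_would_fault(const PoolLayout *l, bool inspect_header) {
  uintptr_t probe = inspect_header ? l->header : l->buffer;
  bool memory_guarded = is_memory_guarded(l, probe);
  bool has_pool_tail = !memory_guarded;        /* (mask & BIT7) == 0 */
  uintptr_t tail = l->buffer + l->size;        /* HEAD_TO_TAIL */
  return has_pool_tail && tail >= l->guard_page;
}
```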