From: "Kun Qin"
To: devel@edk2.groups.io
Cc: Jiewen Yao, Eric Dong, Ray Ni, Jian J Wang, Liming Gao
Subject: [edk2-devel] [PATCH v2 1/1] MdeModulePkg: PiSmmCore: Inspect memory guarded with pool headers
Date: Mon, 25 Apr 2022 17:47:46 -0700
Message-Id: <20220426004746.190-2-kuqin12@gmail.com>
In-Reply-To: <20220426004746.190-1-kuqin12@gmail.com>
References: <20220426004746.190-1-kuqin12@gmail.com>

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3488

The current free pool routine in PiSmmCore inspects the memory guard status of the target buffer without considering pool headers. This could lead the `IsMemoryGuarded` function to return incorrect results.

In that sense, allocating a 0-sized pool could cause an allocated buffer to point directly into a guard page, which is legal. However, trying to free this pool will cause the routine changed in this commit to read XP pages, which leads to a page fault.

This change will inspect memory guarded with pool headers. This can avoid errors when pool content happens to be on a page boundary.

Cc: Jiewen Yao
Cc: Eric Dong
Cc: Ray Ni
Cc: Jian J Wang
Cc: Liming Gao
Signed-off-by: Kun Qin
Reviewed-by: Jian J Wang
Reviewed-by: Liming Gao
---

Notes:
    v2:
    - Added reviewed-by tag [Jian]
    - Added reviewed-by tag [Liming]

 MdeModulePkg/Core/PiSmmCore/Pool.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/MdeModulePkg/Core/PiSmmCore/Pool.c b/MdeModulePkg/Core/PiSmmCo= re/Pool.c index 96ebe811c669..e1ff40a8ea55 100644 --- a/MdeModulePkg/Core/PiSmmCore/Pool.c +++ b/MdeModulePkg/Core/PiSmmCore/Pool.c @@ -382,11 +382,6 @@ SmmInternalFreePool ( return EFI_INVALID_PARAMETER; } =20 - MemoryGuarded =3D IsHeapGuardEnabled () && - IsMemoryGuarded ((EFI_PHYSICAL_ADDRESS)(UINTN)Buffer); - HasPoolTail =3D !(MemoryGuarded && - ((PcdGet8 (PcdHeapGuardPropertyMask) & BIT7) =3D=3D 0)); - FreePoolHdr =3D (FREE_POOL_HEADER *)((POOL_HEADER *)Buffer - 1); ASSERT (FreePoolHdr->Header.Signature =3D=3D POOL_HEAD_SIGNATURE); ASSERT (!FreePoolHdr->Header.Available); @@ -394,6 +389,11 @@ SmmInternalFreePool ( return EFI_INVALID_PARAMETER; } =20 + MemoryGuarded =3D IsHeapGuardEnabled () && + IsMemoryGuarded ((EFI_PHYSICAL_ADDRESS)(UINTN)FreePoolHd= r); + HasPoolTail =3D !(MemoryGuarded && + ((PcdGet8 (PcdHeapGuardPropertyMask) & BIT7) =3D=3D 0)); + if (HasPoolTail) { PoolTail =3D HEAD_TO_TAIL (&FreePoolHdr->Header); ASSERT (PoolTail->Signature =3D=3D POOL_TAIL_SIGNATURE); --=20 2.35.1.windows.2
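Review bot: the relocated guard check in the second hunk, `IsMemoryGuarded ((EFI_PHYSICAL_ADDRESS)(UINTN)FreePoolHdr)`, now keys off the pool header address instead of `Buffer`, which is the substance of the fix, but nothing in the code records why. A short comment above the `MemoryGuarded =` assignment, stating that `Buffer` itself can sit on the first byte of a guard page for a zero-sized pool and that only the header address is guaranteed to lie inside the readable allocation, would keep a later cleanup from hoisting the block back above `FreePoolHdr` and reintroducing the page fault described in the commit message. The same comment should mention that `HasPoolTail` now depends on the header-based result, so the tail check below stays consistent with whatever `IsMemoryGuarded` reports for the header page.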