From nobody Mon Apr 29 06:21:25 2024
Delivered-To: importer@patchew.org
Received-SPF: pass (zohomail.com: domain of groups.io designates
 66.175.222.108 as permitted sender) client-ip=66.175.222.108;
 envelope-from=bounce+27952+95573+1787277+3901457@groups.io;
 helo=mail02.groups.io;
Authentication-Results: mx.zohomail.com;
	dkim=pass;
	spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as
 permitted sender)
  smtp.mailfrom=bounce+27952+95573+1787277+3901457@groups.io;
	dmarc=fail(p=none dis=none)  header.from=intel.com
ARC-Seal: i=1; a=rsa-sha256; t=1666737013; cv=none;
	d=zohomail.com; s=zohoarc;
	b=eEN/HZy8PB6T0x1jLZ/OIR9mKlpjI63z4tqMMxr05sZJrdmf4MDbe1Yy6uVtjX/cuaPZvi3QO45V3wXlmFZLXpiDT+KmfaTD/rUwAYoXxBHZNn35StHp+xAA/xAhhmg71QVNvGjrFMdZtcxP0dSKjp5iFVC9Uj0vWcDSVTWIzo8=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com;
 s=zohoarc;
	t=1666737013;
 h=Content-Transfer-Encoding:Cc:Date:From:List-Subscribe:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:Sender:Subject:To;
	bh=H18UCXo9RHu3TH+RfRvmDE+TGPHVlI7nYNMC07/ZMfQ=;
	b=JoruCpqgn11liEcbOhLuvQjeA7QF7VsrLPTjVmhvYwXjgun/yqFI0sIJZDWDSmafdQ0jP/TmS6pHBt30f8o0ZlSr7AsssGj7mJfO9XVVZV6Xo1vuOI5MiTWcmzEcsyyCd2RQt8JLZEaCF2fAjTezveotGiuYFetqTAw22SjfBB8=
ARC-Authentication-Results: i=1; mx.zohomail.com;
	dkim=pass;
	spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as
 permitted sender)
  smtp.mailfrom=bounce+27952+95573+1787277+3901457@groups.io;
	dmarc=fail header.from=<nathaniel.l.desimone@intel.com> (p=none dis=none)
Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by
 mx.zohomail.com
	with SMTPS id 16667370130554.351724461135632;
 Tue, 25 Oct 2022 15:30:13 -0700 (PDT)
Return-Path: <bounce+27952+95573+1787277+3901457@groups.io>
X-Received: by 127.0.0.2 with SMTP id wgwGYY1788612xM6CnB8hE3a;
 Tue, 25 Oct 2022 15:30:12 -0700
X-Received: from mga12.intel.com (mga12.intel.com [192.55.52.136])
 by mx.groups.io with SMTP id smtpd.web09.740.1666737011939980863
 for <devel@edk2.groups.io>;
 Tue, 25 Oct 2022 15:30:12 -0700
X-IronPort-AV: E=McAfee;i="6500,9779,10511"; a="287523771"
X-IronPort-AV: E=Sophos;i="5.95,213,1661842800";
   d="scan'208";a="287523771"
X-Received: from orsmga007.jf.intel.com ([10.7.209.58])
  by fmsmga106.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384;
 25 Oct 2022 15:30:11 -0700
X-IronPort-AV: E=McAfee;i="6500,9779,10511"; a="626584051"
X-IronPort-AV: E=Sophos;i="5.95,213,1661842800";
   d="scan'208";a="626584051"
X-Received: from nldesimo-desk1.amr.corp.intel.com ([10.24.80.62])
  by orsmga007-auth.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384;
 25 Oct 2022 15:30:11 -0700
From: "Nate DeSimone" <nathaniel.l.desimone@intel.com>
To: devel@edk2.groups.io
Cc: Liming Gao <gaoliming@byosoft.com.cn>,
	Guomin Jiang <guomin.jiang@intel.com>,
	Jian J Wang <jian.j.wang@intel.com>,
	Michael D Kinney <michael.d.kinney@intel.com>
Subject: [edk2-devel] [PATCH V4] MdeModulePkg: Memory Corruption Error in
 CapsuleRuntimeDxe
Date: Tue, 25 Oct 2022 15:30:07 -0700
Message-Id: <20221025223007.3853-1-nathaniel.l.desimone@intel.com>
MIME-Version: 1.0
Precedence: Bulk
List-Unsubscribe: <mailto:devel+unsubscribe@edk2.groups.io>
List-Subscribe: <mailto:devel+subscribe@edk2.groups.io>
List-Help: <mailto:devel+help@edk2.groups.io>
Sender: devel@edk2.groups.io
List-Id: <devel.edk2.groups.io>
Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io
Reply-To: devel@edk2.groups.io,nathaniel.l.desimone@intel.com
X-Gm-Message-State: FQ59sMb7mnEhyjCKHwV8Urswx1787277AA=
Content-Transfer-Encoding: quoted-printable
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io;
 q=dns/txt; s=20140610; t=1666737012;
 bh=88jjdXcNMz661ItlNAIFdIDp9Uv6cTJbaaMwjH46PQ0=;
 h=Cc:Date:From:Reply-To:Subject:To;
 b=ODqhB0m1BOgjelIZnI3xAnd3EbKWyWA2UZ7JHFSd+3at2yLBBJZwmYtxDpUQnjnQ3g4
 GjoqUZge7w5uog5hJTCbRIh662VWwRdC4TcUNuY6kTtIjy8IFd5v3vd5gFJSelc3GUR5F
 VGK6Oh43LzKkWwNMqP8sbUKnS7SbcWxgpkY=
X-ZohoMail-DKIM: pass (identity @groups.io)
X-ZM-MESSAGEID: 1666737014237100001
Content-Type: text/plain; charset="utf-8"

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3D4112

In AllocateReservedMemoryBelow4G(), if gBS->AllocatePages()
returns an error, and ASSERTs are disabled, then the
function will overwrite memory from 0xFFFFFFFF -> (0xFFFFFFFF + Size).

Cc: Liming Gao <gaoliming@byosoft.com.cn>
Cc: Guomin Jiang <guomin.jiang@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Signed-off-by: Nate DeSimone <nathaniel.l.desimone@intel.com>
---
 .../X64/SaveLongModeContext.c                 | 25 ++++++++++++++++---
 1 file changed, 22 insertions(+), 3 deletions(-)

diff --git a/MdeModulePkg/Universal/CapsuleRuntimeDxe/X64/SaveLongModeConte=
xt.c b/MdeModulePkg/Universal/CapsuleRuntimeDxe/X64/SaveLongModeContext.c
index dab297dd0a..a8c5de8764 100644
--- a/MdeModulePkg/Universal/CapsuleRuntimeDxe/X64/SaveLongModeContext.c
+++ b/MdeModulePkg/Universal/CapsuleRuntimeDxe/X64/SaveLongModeContext.c
@@ -38,6 +38,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
   @param  Size      Size of memory to allocate.
=20
   @return Allocated Address for output.
+  @return NULL - Memory allocation failed.
=20
 **/
 VOID *
@@ -59,7 +60,15 @@ AllocateReservedMemoryBelow4G (
                   Pages,
                   &Address
                   );
-  ASSERT_EFI_ERROR (Status);
+  if (EFI_ERROR (Status)) {
+    DEBUG ((DEBUG_ERROR, "ERROR AllocateReservedMemoryBelow4G(): %r\n", St=
atus));
+    return NULL;
+  }
+
+  if (Address =3D=3D 0) {
+    DEBUG ((DEBUG_ERROR, "ERROR AllocateReservedMemoryBelow4G(): AllocateP=
ages() returned NULL"));
+    return NULL;
+  }
=20
   Buffer =3D (VOID *)(UINTN)Address;
   ZeroMem (Buffer, Size);
@@ -159,14 +168,23 @@ PrepareContextForCapsulePei (
   DEBUG ((DEBUG_INFO, "CapsuleRuntimeDxe X64 TotalPagesNum - 0x%x pages\n"=
, TotalPagesNum));
=20
   LongModeBuffer.PageTableAddress =3D (EFI_PHYSICAL_ADDRESS)(UINTN)Allocat=
eReservedMemoryBelow4G (EFI_PAGES_TO_SIZE (TotalPagesNum));
-  ASSERT (LongModeBuffer.PageTableAddress !=3D 0);
+  if (LongModeBuffer.PageTableAddress =3D=3D 0) {
+    DEBUG ((DEBUG_ERROR, "FATAL ERROR: CapsuleLongModeBuffer cannot be sav=
ed, "));
+    DEBUG ((DEBUG_ERROR, "PageTableAddress allocation failed. Capsule in P=
EI may fail!\n"));
+    return;
+  }
=20
   //
   // Allocate stack
   //
   LongModeBuffer.StackSize        =3D PcdGet32 (PcdCapsulePeiLongModeStack=
Size);
   LongModeBuffer.StackBaseAddress =3D (EFI_PHYSICAL_ADDRESS)(UINTN)Allocat=
eReservedMemoryBelow4G (PcdGet32 (PcdCapsulePeiLongModeStackSize));
-  ASSERT (LongModeBuffer.StackBaseAddress !=3D 0);
+  if (LongModeBuffer.StackBaseAddress =3D=3D 0) {
+    DEBUG ((DEBUG_ERROR, "FATAL ERROR: CapsuleLongModeBuffer cannot be sav=
ed, "));
+    DEBUG ((DEBUG_ERROR, "StackBaseAddress allocation failed. Capsule in P=
EI may fail!\n"));
+    gBS->FreePages (LongModeBuffer.PageTableAddress, TotalPagesNum);
+    return;
+  }
=20
   Status =3D gRT->SetVariable (
                   EFI_CAPSULE_LONG_MODE_BUFFER_NAME,
@@ -189,6 +207,7 @@ PrepareContextForCapsulePei (
       );
   } else {
     DEBUG ((DEBUG_ERROR, "FATAL ERROR: CapsuleLongModeBuffer cannot be sav=
ed: %r. Capsule in PEI may fail!\n", Status));
+    gBS->FreePages (LongModeBuffer.PageTableAddress, TotalPagesNum);
     gBS->FreePages (LongModeBuffer.StackBaseAddress, EFI_SIZE_TO_PAGES (Lo=
ngModeBuffer.StackSize));
   }
 }
--=20
2.27.0.windows.1



-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#95573): https://edk2.groups.io/g/devel/message/95573
Mute This Topic: https://groups.io/mt/94569829/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org]
-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-