From nobody Sat May 4 07:45:23 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) client-ip=66.175.222.108; envelope-from=bounce+27952+66661+1787277+3901457@groups.io; helo=mail02.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+66661+1787277+3901457@groups.io; dmarc=fail(p=none dis=none) header.from=nvidia.com ARC-Seal: i=1; a=rsa-sha256; t=1603813984; cv=none; d=zohomail.com; s=zohoarc; b=Fd7uXeCl3SJ4tiSemsBAqYDsb+/cIndEjro3IuWZ+u5psd1IxHkyiA6Q8dRPv/zQEsu4niJ0SX+TS6DTbWQgsPf2zbnL1yk3r9CgXoRYL1SDliU6pjDAb5Cr6dgUtrkEADoHaTCkBfwkRNpMokcCyWhqD7dG021+EIDS4gTYNkk= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1603813984; h=Content-Type:Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Id:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:References:Sender:Subject:To; bh=lGHygqJIsUUmZB5ZqgYFjiZi2ahvEmawTAqBC4cDAeY=; b=LswZn93UMxXIWggKS4/MwBMXDq+oAMSdPrdcYBGBLSsJQleq+m8MebP2d4PHl8kQvHCFUnO9Dw6b4Lv//nYYKOelVmf9FrU0Ua2smQl/06ZFxIrA6M8enSwgL4HlIt4hr4SsFC0o5F5ulBXGOG2Y9peHT3NkFSGfY1rX5ekZhl4= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+66661+1787277+3901457@groups.io; dmarc=fail header.from= (p=none dis=none) header.from= Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by mx.zohomail.com with SMTPS id 1603813984364220.02842926975268; Tue, 27 Oct 2020 08:53:04 -0700 (PDT) Return-Path: X-Received: by 127.0.0.2 with SMTP id JU4dYY1788612xBtHalJc226; Tue, 27 Oct 2020 08:53:03 -0700 X-Received: from hqnvemgate25.nvidia.com (hqnvemgate25.nvidia.com [216.228.121.64]) by mx.groups.io with SMTP id smtpd.web08.816.1603813977469756662 for ; Tue, 27 Oct 2020 08:52:57 
-0700 X-Received: from hqmail.nvidia.com (Not Verified[216.228.121.13]) by hqnvemgate25.nvidia.com (using TLS: TLSv1.2, AES256-SHA) id ; Tue, 27 Oct 2020 08:53:00 -0700 X-Received: from HQMAIL105.nvidia.com (172.20.187.12) by HQMAIL111.nvidia.com (172.20.187.18) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Tue, 27 Oct 2020 15:52:51 +0000 X-Received: from jbrasen-ux.nvidia.com (10.124.1.5) by mail.nvidia.com (172.20.187.12) with Microsoft SMTP Server id 15.0.1473.3 via Frontend Transport; Tue, 27 Oct 2020 15:52:51 +0000 From: "Jeff Brasen" To: CC: , , , Jeff Brasen Subject: [edk2-devel] [PATCH v2] MdeModulePkg/Gcd: Check memory allocation when initializing memory Date: Tue, 27 Oct 2020 09:52:47 -0600 Message-ID: <828951b3a28adfb8ae0296a356c10ee5d37616ce.1603813842.git.jbrasen@nvidia.com> In-Reply-To: References: MIME-Version: 1.0 X-NVConfidentiality: public Precedence: Bulk List-Unsubscribe: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,jbrasen@nvidia.com X-Gm-Message-State: uY8AVjLg0LzUYjVfIN06JpNxx1787277AA= Content-Transfer-Encoding: quoted-printable DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io; q=dns/txt; s=20140610; t=1603813983; bh=8/hhMrxLMBxDuScd4bQmAQCEij9fnRT6NPr588aLZx8=; h=CC:Content-Type:Date:From:Reply-To:Subject:To; b=EDF1qRWpiEx2xFUtWXQJF21YSpPsAvjz5LTxmvUM7ixm2Km0ZOblMD2IBGuZn9Zofit JuPOhS74feFNIUh42oogls4rvu66IRZDbXhUOJ1jGwUeWsMq6v3kwZNln4aQCB/jB80iA lhRTcKHFTZZz4RlvKNqkXolyE7ac+8ZPiV8= X-ZohoMail-DKIM: pass (identity @groups.io) Content-Type: text/plain; charset="utf-8" CoreInitializeMemoryServices was not checking for any existing memory allocation created in the HOB producer phase. If there are memory allocations outside of the region covered by the HOB List then Gcd could select that region for memory which can result in the memory allocation to not be handled and memory overwrites. 
Signed-off-by: Jeff Brasen
---
 MdeModulePkg/Core/Dxe/Gcd/Gcd.c | 60 +++++++++++++++++++++++++++++++++
 1 file changed, 60 insertions(+)
diff --git a/MdeModulePkg/Core/Dxe/Gcd/Gcd.c b/MdeModulePkg/Core/Dxe/Gcd/Gc= d.c
index 2d8c076f7113..4a22ee96b758 100644
--- a/MdeModulePkg/Core/Dxe/Gcd/Gcd.c
+++ b/MdeModulePkg/Core/Dxe/Gcd/Gcd.c
@@ -2097,6 +2097,62 @@ CalculateTotalMemoryBinSizeNeeded (
 return TotalSize;
 }
=20
+/**
+ Find the largest region in the specified region that is not covered by = an existing memory allocation
+
+ @param BaseAddress On input start of the region to check.
+ On output start of the largest free region.
+ @param Length On input size of region to check.
+ On output size of the largest free region.
+ @param MemoryHob Hob pointer for the first memory allocation pointe= r to check
+**/
+VOID
+FindLargestFreeRegion (
+ IN OUT EFI_PHYSICAL_ADDRESS *BaseAddress,
+ IN OUT UINT64 *Length,
+ IN EFI_HOB_MEMORY_ALLOCATION *MemoryHob
+ )
+{
+ EFI_PHYSICAL_ADDRESS TopAddress;
+
+ TopAddress =3D *BaseAddress + *Length;
+ while (MemoryHob !=3D NULL) {
+ EFI_PHYSICAL_ADDRESS AllocatedTop;
+
+ AllocatedTop =3D MemoryHob->AllocDescriptor.MemoryBaseAddress + Memory= Hob->AllocDescriptor.MemoryLength;
+
+ if ((MemoryHob->AllocDescriptor.MemoryBaseAddress >=3D *BaseAddress) &&
+ (AllocatedTop <=3D TopAddress)) {
+ EFI_PHYSICAL_ADDRESS LowerBase;
+ UINT64 LowerSize;
+ EFI_PHYSICAL_ADDRESS UpperBase;
+ UINT64 UpperSize;
+
+ LowerBase =3D *BaseAddress;
+ LowerSize =3D MemoryHob->AllocDescriptor.MemoryBaseAddress - *BaseAd= dress;
+ UpperBase =3D AllocatedTop;
+ UpperSize =3D TopAddress - AllocatedTop;
+
+ if (LowerSize !=3D 0) {
+ FindLargestFreeRegion (&LowerBase, &LowerSize, (EFI_HOB_MEMORY_ALL= OCATION *) GetNextHob (EFI_HOB_TYPE_MEMORY_ALLOCATION, GET_NEXT_HOB (Memory= Hob)));
+ }
+ if (UpperSize !=3D 0) {
+ FindLargestFreeRegion (&UpperBase, &UpperSize, (EFI_HOB_MEMORY_ALL= OCATION *) GetNextHob (EFI_HOB_TYPE_MEMORY_ALLOCATION, GET_NEXT_HOB (Memory= Hob)));
+ }
+
+ if (UpperSize >=3D LowerSize) {
+ *Length =3D UpperSize;
+ *BaseAddress =3D UpperBase;
+ } else {
+ *Length =3D LowerSize;
+ *BaseAddress =3D LowerBase;
+ }
+ return;
+ }
+ MemoryHob =3D GetNextHob (EFI_HOB_TYPE_MEMORY_ALLOCATION, GET_NEXT_HOB= (MemoryHob));
+ }
+}
+
 /**
 External function.
Initializes memory services based on the memory descriptor HOBs. This function is responsible for priming the memory
@@ -2235,6 +2291,7 @@ CoreInitializeMemoryServices (
 Attributes =3D PhitResourceHob->ResourceAttribute;
 BaseAddress =3D PageAlignAddress (PhitHob->EfiMemoryTop);
 Length =3D PageAlignLength (ResourceHob->PhysicalStart + Resourc= eHob->ResourceLength - BaseAddress);
+ FindLargestFreeRegion (&BaseAddress, &Length, (EFI_HOB_MEMORY_ALLOCATI= ON *)GetFirstHob (EFI_HOB_TYPE_MEMORY_ALLOCATION));
 if (Length < MinimalMemorySizeNeeded) {
 //
 // If that range is not large enough to intialize the DXE Core, then
@@ -2242,6 +2299,7 @@ CoreInitializeMemoryServices (
 //
 BaseAddress =3D PageAlignAddress (PhitHob->EfiFreeMemoryBottom);
 Length =3D PageAlignLength (PhitHob->EfiFreeMemoryTop - BaseAd= dress);
+ //This region is required to have no memory allocation inside it, sk= ip check for entries in HOB List
 if (Length < MinimalMemorySizeNeeded) {
 //
 // If that range is not large enough to intialize the DXE Core, th= en
@@ -2249,6 +2307,7 @@ CoreInitializeMemoryServices (
 //
 BaseAddress =3D PageAlignAddress (ResourceHob->PhysicalStart);
 Length =3D PageAlignLength ((UINT64)((UINTN)*HobStart - Base= Address));
+ FindLargestFreeRegion (&BaseAddress, &Length, (EFI_HOB_MEMORY_ALLO= CATION *)GetFirstHob (EFI_HOB_TYPE_MEMORY_ALLOCATION));
 }
 }
 break;
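Review bot: The containment test in `FindLargestFreeRegion` (`MemoryBaseAddress >= *BaseAddress && AllocatedTop <= TopAddress`) only carves out allocations that lie entirely inside the candidate region, so a memory-allocation HOB that straddles either edge, or covers the whole region, is skipped and the returned range still overlaps it, which is the overwrite the commit message sets out to prevent. Testing for any intersection and clamping the allocation to the region before computing the lower and upper remainders closes that gap; a fully covered region then comes back with length 0 and fails the callers' `MinimalMemorySizeNeeded` check. `AllocatedTop` and `TopAddress` are also summed without a wraparound check, which deserves an explicit guard if the HOB producer is not fully trusted. The function recurses once per matching HOB on each side, so its header comment should state that stack depth grows with the number of allocation HOBs.

```c
  while (MemoryHob != NULL) {
    EFI_PHYSICAL_ADDRESS  AllocatedBase;
    EFI_PHYSICAL_ADDRESS  AllocatedTop;

    AllocatedBase = MemoryHob->AllocDescriptor.MemoryBaseAddress;
    AllocatedTop  = AllocatedBase + MemoryHob->AllocDescriptor.MemoryLength;

    //
    // Any intersection with [*BaseAddress, TopAddress) splits the region,
    // not only an allocation that is fully contained in it.
    //
    if ((AllocatedBase < TopAddress) && (AllocatedTop > *BaseAddress)) {
      // … unchanged: LowerBase/LowerSize/UpperBase/UpperSize declarations …

      LowerBase = *BaseAddress;
      LowerSize = (AllocatedBase > *BaseAddress) ? (AllocatedBase - *BaseAddress) : 0;
      UpperBase = (AllocatedTop < TopAddress) ? AllocatedTop : TopAddress;
      UpperSize = TopAddress - UpperBase;

      // … unchanged: recurse into both remainders, keep the larger one, return …
```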
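Review bot: The range handed back by `FindLargestFreeRegion` at the `@@ -2235` call site is used as-is, although the two context lines above it ran `BaseAddress` and `Length` through `PageAlignAddress`/`PageAlignLength`; after the call the base can be the top of an allocation HOB and the length the distance to the next one. Allocation HOBs are presumably page-granular, but nothing in the hunk checks that, so either re-align the result or record the assumption, e.g. `ASSERT (((BaseAddress | Length) & EFI_PAGE_MASK) == 0);` right after the call. The same applies to the calls added at `@@ -2249` and `@@ -2312`. The body of `CoreInitializeMemoryServices` continues outside these hunks, so how the values are consumed later is not visible here.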
@@ -2312,6 +2371,7 @@ CoreInitializeMemoryServices (
 //
 TestedMemoryBaseAddress =3D PageAlignAddress (ResourceHob->PhysicalS= tart);
 TestedMemoryLength =3D PageAlignLength (ResourceHob->PhysicalS= tart + ResourceHob->ResourceLength - TestedMemoryBaseAddress);
+ FindLargestFreeRegion (&TestedMemoryBaseAddress, &TestedMemoryLength= , (EFI_HOB_MEMORY_ALLOCATION *)GetFirstHob (EFI_HOB_TYPE_MEMORY_ALLOCATION)= );
 if (TestedMemoryLength < MinimalMemorySizeNeeded) {
 continue;
 }
--=20
2.25.1
-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#66661): https://edk2.groups.io/g/devel/message/66661 Mute This Topic: https://groups.io/mt/77841478/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-