From: Fan Jeff <vanjeff_919@hotmail.com>
To: Paulo Alcantara, edk2-devel@lists.01.org
Cc: Laszlo Ersek, Eric Dong
Date: Wed, 3 Jan 2018 08:45:44 +0000
Subject: Re: [edk2] [RFC v4 5/6] UefiCpuPkg/CpuExceptionHandlerLib: Ensure valid frame/stack pointers
In-Reply-To: <836f7f2205e91c16d7c427c5b6e127f4a4dfa62e.1514517573.git.paulo@paulo.ac>

Paulo,

+    if (!IsLogicalAddressValid (SystemContext,
+                                SystemContext.SystemContextIa32->Ss,
+                                (UINTN)Ebp) ||
+        !IsLogicalAddressValid (SystemContext,
+                                SystemContext.SystemContextIa32->Ss,
+                                (UINTN)Ebp + 4)) {

I don't understand why you check both ebp and ebp+4; I think it's enough to only check EBP (saved stack pointer address).

Jeff

From: Paulo Alcantara
Sent: 29 December 2017 12:41
To: edk2-devel@lists.01.org
Cc: Laszlo Ersek; Eric Dong
Subject: [edk2] [RFC v4 5/6] UefiCpuPkg/CpuExceptionHandlerLib: Ensure valid frame/stack pointers

Validate all possible memory dereferences during stack traces in IA32 and
X64 CPU exceptions.

Contributed-under: TianoCore Contribution Agreement 1.1
Cc: Eric Dong
Cc: Laszlo Ersek
Requested-by: Brian Johnson
Requested-by: Jiewen Yao
Signed-off-by: Paulo Alcantara
---
 UefiCpuPkg/Library/CpuExceptionHandlerLib/Ia32/ArchExceptionHandler.c | 143 +++++++++++++++++++-
 UefiCpuPkg/Library/CpuExceptionHandlerLib/X64/ArchExceptionHandler.c  |  75 +++++++++-
 2 files changed, 210 insertions(+), 8 deletions(-)

diff --git a/UefiCpuPkg/Library/CpuExceptionHandlerLib/Ia32/ArchExceptionHandler.c b/UefiCpuPkg/Library/CpuExceptionHandlerLib/Ia32/ArchExceptionHandler.c
index 25e02fbbc1..9b52d4f6d2 100644
--- a/UefiCpuPkg/Library/CpuExceptionHandlerLib/Ia32/ArchExceptionHandler.c
+++ b/UefiCpuPkg/Library/CpuExceptionHandlerLib/Ia32/ArchExceptionHandler.c
@@ -398,6 +398,96 @@ DumpCpuContext ( ); } +/** + Check if a logical address is valid. + + @param[in] SystemContext Pointer to EFI_SYSTEM_CONTEXT. + @param[in] SegmentSelector Segment selector. + @param[in] Offset Offset or logical address. +**/ +STATIC +BOOLEAN +IsLogicalAddressValid ( + IN EFI_SYSTEM_CONTEXT SystemContext, + IN UINT16 SegmentSelector, + IN UINTN Offset + ) +{ + IA32_SEGMENT_DESCRIPTOR *SegmentDescriptor; + UINT32 SegDescBase; + UINT32 SegDescLimit; + UINTN SegDescLimitInBytes; + + // + // Check for valid input parameters + // + if (SegmentSelector =3D=3D 0 || Offset =3D=3D 0) { + return FALSE; + } + + // + // Check whether to look for a segment descriptor in GDT or LDT table + // + if ((SegmentSelector & BIT2) =3D=3D 0) { + // + // Get segment descriptor from GDT table + // + SegmentDescriptor =3D + (IA32_SEGMENT_DESCRIPTOR *)( + (UINTN)SystemContext.SystemContextIa32->Gdtr[0] + + ((SegmentSelector >> 3) * 8) + ); + } else { + // + // Get segment descriptor from LDT table + // + SegmentDescriptor =3D + (IA32_SEGMENT_DESCRIPTOR *)( + (UINTN)SystemContext.SystemContextIa32->Ldtr + + ((SegmentSelector >> 3) * 8) + ); + } + + // + // Get segment descriptor's base address + // + SegDescBase =3D SegmentDescriptor->Bits.BaseLow | + (SegmentDescriptor->Bits.BaseMid << 16) | + (SegmentDescriptor->Bits.BaseHigh << 24); + + // + // Get segment descriptor's limit + // + SegDescLimit =3D SegmentDescriptor->Bits.LimitLow | + (SegmentDescriptor->Bits.LimitHigh << 16); + + // + // Calculate segment descriptor's limit in bytes + // + if (SegmentDescriptor->Bits.G =3D=3D 1) { + SegDescLimitInBytes =3D (UINTN)SegDescLimit * SIZE_4KB; + } else { + SegDescLimitInBytes =3D SegDescLimit; + } + + // + // Make sure to not access beyond a segment limit boundary + // + if (Offset + SegDescBase > SegDescLimitInBytes) { + return FALSE; + } + + // + // Check if the translated logical address (or linear address) is valid + // + return IsLinearAddressValid ( + 
SystemContext.SystemContextIa32->Cr0, + SystemContext.SystemContextIa32->Cr3, + SystemContext.SystemContextIa32->Cr4, + Offset + SegDescBase + ); +} + /** Dump stack trace. @@ -459,6 +549,20 @@ DumpStackTrace ( InternalPrintMessage ("\nCall trace:\n"); for (;;) { + // + // Check for valid frame pointer + // + if (!IsLogicalAddressValid (SystemContext, + SystemContext.SystemContextIa32->Ss, + (UINTN)Ebp + 4) || + !IsLogicalAddressValid (SystemContext, + SystemContext.SystemContextIa32->Ss, + (UINTN)Ebp)) { + InternalPrintMessage ("%a: attempted to dereference an invalid frame= " + "pointer at 0x%08x\n", __FUNCTION__, Ebp); + break; + } + // // Print stack frame in the following format: // @@ -588,6 +692,16 @@ DumpImageModuleNames ( // Walk through call stack and find next module names // for (;;) { + if (!IsLogicalAddressValid (SystemContext, + SystemContext.SystemContextIa32->Ss, + (UINTN)Ebp) || + !IsLogicalAddressValid (SystemContext, + SystemContext.SystemContextIa32->Ss, + (UINTN)Ebp + 4)) { + InternalPrintMessage ("%a: attempted to dereference an invalid frame= " + "pointer at 0x%08x\n", __FUNCTION__, Ebp); + } + // // Set EIP with return address from current stack frame // @@ -651,16 +765,23 @@ DumpImageModuleNames ( /** Dump stack contents. - @param[in] CurrentEsp Current stack pointer address. + @param[in] SystemContext Pointer to EFI_SYSTEM_CONTEXT. @param[in] UnwoundStacksCount Count of unwound stack frames. **/ STATIC VOID DumpStackContents ( - IN UINT32 CurrentEsp, - IN INTN UnwoundStacksCount + IN EFI_SYSTEM_CONTEXT SystemContext, + IN INTN UnwoundStacksCount ) { + UINT32 CurrentEsp; + + // + // Get current stack pointer + // + CurrentEsp =3D SystemContext.SystemContextIa32->Esp; + // // Check for proper stack alignment // 
@@ -674,6 +795,20 @@ DumpStackContents ( // InternalPrintMessage ("\nStack dump:\n"); while (UnwoundStacksCount-- > 0) { + // + // Check for a valid stack pointer address + // + if (!IsLogicalAddressValid (SystemContext, + SystemContext.SystemContextIa32->Ss, + (UINTN)CurrentEsp) || + !IsLogicalAddressValid (SystemContext, + SystemContext.SystemContextIa32->Ss, + (UINTN)CurrentEsp + 4)) { + InternalPrintMessage ("%a: attempted to dereference an invalid stack= " + "pointer at 0x%08x\n", __FUNCTION__, CurrentEs= p); + break; + } + InternalPrintMessage ( "0x%08x: %08x %08x\n", CurrentEsp, @@ -720,5 +855,5 @@ DumpImageAndCpuContent ( // // Dump stack contents // - DumpStackContents (SystemContext.SystemContextIa32->Esp, UnwoundStacksCo= unt); + DumpStackContents (SystemContext, UnwoundStacksCount); } diff --git a/UefiCpuPkg/Library/CpuExceptionHandlerLib/X64/ArchExceptionHan= dler.c b/UefiCpuPkg/Library/CpuExceptionHandlerLib/X64/ArchExceptionHandler= .c index d3a3878b3d..8067c34122 100644 --- a/UefiCpuPkg/Library/CpuExceptionHandlerLib/X64/ArchExceptionHandler.c +++ b/UefiCpuPkg/Library/CpuExceptionHandlerLib/X64/ArchExceptionHandler.c @@ -401,16 +401,26 @@ DumpCpuContext ( /** Dump stack contents. - @param[in] CurrentRsp Current stack pointer address. + @param[in] SystemContext Pointer to EFI_SYSTEM_CONTEXT. @param[in] UnwoundStacksCount Count of unwound stack frames. **/ STATIC VOID DumpStackContents ( - IN UINT64 CurrentRsp, - IN INTN UnwoundStacksCount + IN EFI_SYSTEM_CONTEXT SystemContext, + IN INTN UnwoundStacksCount ) { + UINT64 CurrentRsp; + UINTN Cr0; + UINTN Cr3; + UINTN Cr4; + + // + // Get current stack pointer + // + CurrentRsp =3D SystemContext.SystemContextX64->Rsp; + // // Check for proper stack pointer alignment // 
@@ -419,11 +429,28 @@ DumpStackContents ( return; } + // + // Get system control registers + // + Cr0 =3D SystemContext.SystemContextX64->Cr0; + Cr3 =3D SystemContext.SystemContextX64->Cr3; + Cr4 =3D SystemContext.SystemContextX64->Cr4; + // // Dump out stack contents // InternalPrintMessage ("\nStack dump:\n"); while (UnwoundStacksCount-- > 0) { + // + // Check for a valid stack pointer address + // + if (!IsLinearAddressValid (Cr0, Cr3, Cr4, (UINTN)CurrentRsp) || + !IsLinearAddressValid (Cr0, Cr3, Cr4, (UINTN)CurrentRsp + 8)) { + InternalPrintMessage ("%a: attempted to dereference an invalid stack= " + "pointer at 0x%016lx\n", __FUNCTION__, Current= Rsp); + break; + } + InternalPrintMessage ( "0x%016lx: %016lx %016lx\n", CurrentRsp, @@ -457,6 +484,9 @@ DumpImageModuleNames ( CHAR8 *PdbFileName; UINT64 Rbp; UINTN LastImageBase; + UINTN Cr0; + UINTN Cr3; + UINTN Cr4; // // Set current RIP address @@ -516,10 +546,27 @@ DumpImageModuleNames ( InternalPrintMessage ("%a\n", PdbAbsoluteFilePath); } + // + // Get system control registers + // + Cr0 =3D SystemContext.SystemContextX64->Cr0; + Cr3 =3D SystemContext.SystemContextX64->Cr3; + Cr4 =3D SystemContext.SystemContextX64->Cr4; + // // Walk through call stack and find next module names // for (;;) { + // + // Check for a valid frame pointer + // + if (!IsLinearAddressValid (Cr0, Cr3, Cr4, (UINTN)Rbp + 8) || + !IsLinearAddressValid (Cr0, Cr3, Cr4, (UINTN)Rbp)) { + InternalPrintMessage ("%a: attempted to dereference an invalid frame= " + "pointer at 0x%016lx\n", __FUNCTION__, Rbp); + break; + } + // // Set RIP with return address from current stack frame // @@ -604,6 +651,9 @@ DumpStackTrace ( UINT64 Rbp; UINTN ImageBase; CHAR8 *PdbFileName; + UINTN Cr0; + UINTN Cr3; + UINTN Cr4; // // Set current RIP address 
@@ -634,12 +684,29 @@ DumpStackTrace ( // *UnwoundStacksCount =3D 1; + // + // Get system control registers + // + Cr0 =3D SystemContext.SystemContextX64->Cr0; + Cr3 =3D SystemContext.SystemContextX64->Cr3; + Cr4 =3D SystemContext.SystemContextX64->Cr4; + // // Print out back trace // InternalPrintMessage ("\nCall trace:\n"); for (;;) { + // + // Check for valid frame pointer + // + if (!IsLinearAddressValid (Cr0, Cr3, Cr4, (UINTN)Rbp + 8) || + !IsLinearAddressValid (Cr0, Cr3, Cr4, (UINTN)Rbp)) { + InternalPrintMessage ("%a: attempted to dereference an invalid frame= " + "pointer at 0x%016lx\n", __FUNCTION__, Rbp); + break; + } + // // Print stack frame in the following format: // @@ -727,5 +794,5 @@ DumpImageAndCpuContent ( // // Dump stack contents // - DumpStackContents (SystemContext.SystemContextX64->Rsp, UnwoundStacksCou= nt); + DumpStackContents (SystemContext, UnwoundStacksCount); } -- 2.14.3 _______________________________________________ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel _______________________________________________ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel
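Review bot: In the Ia32 IsLogicalAddressValid hunk (@@ -398,6 +398,96 @@), the limit check "if (Offset + SegDescBase > SegDescLimitInBytes)" compares a linear address against a limit that the descriptor expresses relative to the segment base; it should be "Offset > SegDescLimitInBytes", with the base added only when forming the linear address handed to IsLinearAddressValid. As written, any non-zero base rejects valid offsets, and the 32-bit sum Offset + SegDescBase can wrap. Three smaller points in the same function: with G == 1 the effective byte limit is (Limit << 12) | 0xFFF rather than Limit * SIZE_4KB, so the top 4 KB of a flat segment is refused; the selector index is dereferenced in the GDT or LDT before it is compared with the table limit and before the descriptor's present bit is looked at, so the validator can itself read outside the table; and the LDT branch adds the index to SystemContextIa32->Ldtr, which is only right if that field is the LDT base rather than the LDT selector, in which case the base has to be taken from the LDT's own descriptor in the GDT first.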
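Review bot: In the Ia32 DumpStackTrace hunk (@@ -459,6 +549,20 @@) the comment "Check for valid frame pointer" does not say why two addresses are tested, which is exactly the question this patch has already drawn on the list: [Ebp] holds the saved EBP and [Ebp + 4] the return address, and when Ebp falls in the last four bytes of a page those two words lie on different pages, so validating Ebp alone says nothing about the return-address read. A one-line comment stating that would also explain the Rbp / Rbp + 8 pair in the X64 hunks. Minor: this hunk tests Ebp + 4 before Ebp, while the DumpImageModuleNames and DumpStackContents hunks test Ebp/Esp first; harmless, but worth making consistent.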
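Review bot: The Ia32 DumpImageModuleNames hunk (@@ -588,6 +692,16 @@) reports an invalid frame pointer but does not leave the loop: unlike the DumpStackTrace and DumpStackContents hunks there is no "break;" after the InternalPrintMessage call, so control falls through to "Set EIP with return address from current stack frame" and dereferences the very Ebp it just flagged, which is the fault this series exists to prevent. Add "break;" after the message, as the X64 DumpImageModuleNames hunk (@@ -516,10 +546,27 @@) already does.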
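Review bot: Across the X64 hunks (@@ -419,11 +429,28 @@, @@ -516,10 +546,27 @@ and @@ -634,12 +684,29 @@) the same block that copies Cr0, Cr3 and Cr4 out of SystemContextX64, under the same "Get system control registers" comment, and the same two-call IsLinearAddressValid test are repeated three times. A small STATIC helper taking SystemContext and the address (so the "+ 8" second-word check lives in one place) would remove the duplication and give the X64 side the same single entry point that IsLogicalAddressValid provides for Ia32, which also makes it harder for a later edit to drop the break in one copy but not the others.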