From: "Zeng, Star"
To: "Ni, Ruiyu", "edk2-devel@lists.01.org"
CC: "Yao, Jiewen", "Zeng, Star"
Subject: Re: [PATCH] MdeModulePkg/SmmCore: Fix hang due to already-freed memory deference
Date: Fri, 2 Feb 2018 09:55:05 +0000
Message-ID: <0C09AFA07DD0434D9E2A0C6AEB0483103BA201C4@SHSMSX104.ccr.corp.intel.com>
In-Reply-To: <20180201101539.320452-1-ruiyu.ni@intel.com>

Reviewed-by: Star Zeng

BTW, do you want to say "the second call may hang" instead of "the second hang may hang" in the commit log?

Thanks,
Star

-----Original Message-----
From: Ni, Ruiyu
Sent: Thursday, February 1, 2018 6:16 PM
To: edk2-devel@lists.01.org
Cc: Yao, Jiewen; Zeng, Star
Subject: [PATCH] MdeModulePkg/SmmCore: Fix hang due to already-freed memory deference

SmiHandlerUnRegister() validates the DispatchHandle by checking whether the first 32bit matches to a certain signature (SMI_HANDLER_SIGNATURE).
But if a caller calls *UnRegister() twice and the memory freed by first call still contains the signature, the second hang may hang.

The patch fixes this issue by locating the DispatchHandle in all SMI handlers, instead of checking the signature.

Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Ruiyu Ni Cc: Jiewen Yao Cc: Star Zeng --- MdeModulePkg/Core/PiSmmCore/Smi.c | 37 ++++++++++++++++++++++++++++++++---= -- 1 file changed, 32 insertions(+), 5 deletions(-) diff --git a/MdeModulePkg/Core/PiSmmCore/Smi.c b/MdeModulePkg/Core/PiSmmCor= e/Smi.c index ad483a1877..0c09e7fa10 100644 --- a/MdeModulePkg/Core/PiSmmCore/Smi.c +++ b/MdeModulePkg/Core/PiSmmCore/Smi.c @@ -1,7 +1,7 @@ /** @file SMI management. =20 - Copyright (c) 2009 - 2017, Intel Corporation. All rights reserved.
+ Copyright (c) 2009 - 2018, Intel Corporation. All rights=20 + reserved.
This program and the accompanying materials are licensed and made availa= ble=20 under the terms and conditions of the BSD License which accompanies this= =20 distribution. The full text of the license may be found at =20 @@ -276,14 +276,41 @@ SmiHandlerUnRegister ( { SMI_HANDLER *SmiHandler; SMI_ENTRY *SmiEntry; + LIST_ENTRY *EntryLink; + LIST_ENTRY *HandlerLink; =20 - SmiHandler =3D (SMI_HANDLER *) DispatchHandle; - - if (SmiHandler =3D=3D NULL) { + if (DispatchHandle =3D=3D NULL) { return EFI_INVALID_PARAMETER; } =20 - if (SmiHandler->Signature !=3D SMI_HANDLER_SIGNATURE) { + // + // Look for it in root SMI handlers + // + SmiHandler =3D NULL; + for ( HandlerLink =3D GetFirstNode (&mRootSmiEntry.SmiHandlers) + ; !IsNull (&mRootSmiEntry.SmiHandlers, HandlerLink) && (SmiHandler != =3D DispatchHandle) + ; HandlerLink =3D GetNextNode (&mRootSmiEntry.SmiHandlers, HandlerLi= nk) + ) { + SmiHandler =3D CR (HandlerLink, SMI_HANDLER, Link,=20 + SMI_HANDLER_SIGNATURE); } + + // + // Look for it in non-root SMI handlers // for ( EntryLink =3D=20 + GetFirstNode (&mSmiEntryList) + ; !IsNull (&mSmiEntryList, EntryLink) && (SmiHandler !=3D DispatchHa= ndle) + ; EntryLink =3D GetNextNode (&mSmiEntryList, EntryLink) + ) { + SmiEntry =3D CR (EntryLink, SMI_ENTRY, AllEntries, SMI_ENTRY_SIGNATURE= ); + for ( HandlerLink =3D GetFirstNode (&SmiEntry->SmiHandlers) + ; !IsNull (&SmiEntry->SmiHandlers, HandlerLink) && (SmiHandler != =3D DispatchHandle) + ; HandlerLink =3D GetNextNode (&SmiEntry->SmiHandlers, HandlerLink= ) + ) { + SmiHandler =3D CR (HandlerLink, SMI_HANDLER, Link, SMI_HANDLER_SIGNA= TURE); + } + } + + if (SmiHandler !=3D DispatchHandle) { return EFI_INVALID_PARAMETER; } =20 -- 2.15.1.windows.2
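Review bot: in the @@ -276,14 +276,41 @@ hunk the inner `for ( HandlerLink = GetFirstNode (...) ; !IsNull (...) && (SmiHandler != DispatchHandle) ; ... )` loop is written out twice, once for `mRootSmiEntry.SmiHandlers` and once per `SMI_ENTRY` in `mSmiEntryList`; a small static helper (for instance one that takes a `LIST_ENTRY *SmiHandlers` and the `DispatchHandle` and returns the matching `SMI_HANDLER` or NULL, a suggested name, not an existing function) would remove the duplication, keep the two walks from drifting apart, and let the trailing `if (SmiHandler != DispatchHandle)` become a plain NULL check. Two properties of the new lookup are worth a sentence in the commit message: it is linear in the number of registered SMI handlers where the old signature test was constant time (acceptable on an unregister path), and because it compares the handle by pointer value it can only reject a stale handle while the freed SMI_HANDLER memory has not been handed out again as a new SMI_HANDLER at the same address, so callers still must not unregister twice. The Signature field is still validated on every visited node through `CR ()` when asserts are enabled, so no checking is lost by dropping the explicit comparison.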