From: Hao Wu
To: edk2-devel@lists.01.org, feng.tian@intel.com
Cc: Hao Wu
Date: Mon, 29 Aug 2016 10:42:21 +0800
Message-Id: <1472438547-9368-2-git-send-email-hao.a.wu@intel.com>
In-Reply-To: <1472438547-9368-1-git-send-email-hao.a.wu@intel.com>
References: <1472438547-9368-1-git-send-email-hao.a.wu@intel.com>
Subject: [PATCH 1/7] MdeModulePkg NvmExpressDxe: Avoid crashing 'Mode' during OpenProtocol
List-Id: EDK II Development

The gBS->OpenProtocol() calls to open EFI_NVM_EXPRESS_PASS_THRU_PROTOCOL in
NvmExpress.c will crash the data in the 'Mode' field of 'Private->Passthru'.

The third parameter of gBS->OpenProtocol() is an output parameter that
stores the address where a pointer to the corresponding Protocol Interface
is returned. The current code mistakenly passes '&Private->Passthru' (a
pointer of the EFI_NVM_EXPRESS_PASS_THRU_PROTOCOL) as the third parameter.
This will crash the data in the 'Mode' field.

Cc: Feng Tian
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Hao Wu --- MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpress.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpress.c b/MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpress.c index cb25b3e..255fa2b 100644 --- a/MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpress.c +++ b/MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpress.c @@ -76,6 +76,7 @@ EnumerateNvmeDevNamespace ( UINT32 LbaFmtIdx; UINT8 Sn[21]; UINT8 Mn[41]; + VOID *DummyInterface; NewDevicePathNode = NULL; DevicePath = NULL; @@ -264,7 +265,7 @@ EnumerateNvmeDevNamespace ( gBS->OpenProtocol ( Private->ControllerHandle, &gEfiNvmExpressPassThruProtocolGuid, - (VOID **) &Private->Passthru, + (VOID **) &DummyInterface, Private->DriverBindingHandle, Device->DeviceHandle, EFI_OPEN_PROTOCOL_BY_CHILD_CONTROLLER @@ -392,10 +393,10 @@ UnregisterNvmeNamespace ( EFI_STATUS Status; EFI_BLOCK_IO_PROTOCOL *BlockIo; NVME_DEVICE_PRIVATE_DATA *Device; - NVME_CONTROLLER_PRIVATE_DATA *Private; EFI_STORAGE_SECURITY_COMMAND_PROTOCOL *StorageSecurity; BOOLEAN IsEmpty; EFI_TPL OldTpl; + VOID *DummyInterface; BlockIo = NULL; @@ -412,7 +413,6 @@ UnregisterNvmeNamespace ( } Device = NVME_DEVICE_PRIVATE_DATA_FROM_BLOCK_IO (BlockIo); - Private = Device->Controller; // // Wait for the device's asynchronous I/O queue to become empty. @@ -460,7 +460,7 @@ UnregisterNvmeNamespace ( gBS->OpenProtocol ( Controller, &gEfiNvmExpressPassThruProtocolGuid, - (VOID **) &Private->Passthru, + (VOID **) &DummyInterface, This->DriverBindingHandle, Handle, EFI_OPEN_PROTOCOL_BY_CHILD_CONTROLLER @@ -490,7 +490,7 @@ UnregisterNvmeNamespace ( gBS->OpenProtocol ( Controller, &gEfiNvmExpressPassThruProtocolGuid, - (VOID **) &Private->Passthru, + (VOID **) &DummyInterface, This->DriverBindingHandle, Handle, EFI_OPEN_PROTOCOL_BY_CHILD_CONTROLLER -- 1.9.5.msysgit.0
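Review bot: the commit message and the declaration hunk at @@ -76,6 +76,7 @@ EnumerateNvmeDevNamespace disagree about what 'Private->Passthru' is, and the commit message should be reworded. Replacing '&Private->Passthru' with the address of a new 'VOID *DummyInterface' only makes sense if 'Passthru' is the EFI_NVM_EXPRESS_PASS_THRU_PROTOCOL structure itself, embedded in the private data; if it were "a pointer of the EFI_NVM_EXPRESS_PASS_THRU_PROTOCOL" as the message says, '&Private->Passthru' would already be the VOID ** that gBS->OpenProtocol() expects and nothing would be overwritten. Suggest stating plainly that OpenProtocol wrote the interface pointer over the first member of the embedded structure, which is 'Mode', so the next reader does not have to infer the layout from the fix.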
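Review bot: in the hunk at @@ -264,7 +265,7 @@ EnumerateNvmeDevNamespace, 'DummyInterface' is written by gBS->OpenProtocol() and never read, so the call now has a write-only local that a later cleanup could easily route back into 'Private->Passthru', reintroducing the bug; add a one-line comment above the call saying the EFI_OPEN_PROTOCOL_BY_CHILD_CONTROLLER open exists only to record Device->DeviceHandle as a consumer of the pass-thru protocol and that the returned interface is intentionally discarded. The '(VOID **) &DummyInterface' cast is also redundant now that 'DummyInterface' is already a VOID *; dropping it means a future '&Private->Passthru' fails to compile instead of being silently accepted, which is exactly how the original cast hid this bug.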
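Review bot: the hunks at @@ -392,10 +393,10 @@ and @@ -412,7 +413,6 @@ UnregisterNvmeNamespace drop the 'Private' local and its 'Private = Device->Controller;' assignment, which is correct only if the two OpenProtocol arguments replaced later in this patch were its only remaining uses; the build will catch a leftover use, but the commit message should mention that 'Private' becomes unused in UnregisterNvmeNamespace, since removing a variable is a separate change from fixing the OpenProtocol argument and is otherwise unexplained.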
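Review bot: the two OpenProtocol calls changed at @@ -460,7 +460,7 @@ and @@ -490,7 +490,7 @@ UnregisterNvmeNamespace share one 'DummyInterface' whose value is never examined, so the same "returned interface intentionally discarded" comment requested for EnumerateNvmeDevNamespace belongs on at least the first of these calls, with the second referring to it; without it the identical three-hunk pattern reads as an unchecked result rather than a deliberate bookkeeping open.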
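The corruption the commit message describes is easy to reproduce in isolation. The following C program is an added illustration, not code from this patch or from EDK II: it uses constructed stand-in types whose layout assumes, as the fix implies, that 'Passthru' is the pass-thru protocol structure embedded in the controller private data with 'Mode' as its first member, and a hypothetical MockOpenProtocol that models only the one behaviour that matters here, namely that gBS->OpenProtocol() writes a pointer-sized value through its third parameter. All type and function names in it are invented for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed stand-ins for the EDK II types.  Only the field order matters:
 * Mode is the first member of the protocol structure, and the protocol
 * structure is embedded (not pointed to) in the private data.
 */
typedef struct {
  uint32_t Attributes;
  uint32_t IoAlign;
  uint32_t NvmeVersion;
} NVME_PASS_THRU_MODE;

typedef struct {
  NVME_PASS_THRU_MODE *Mode;             /* first member: what the bug overwrites */
  void                *PassThru;         /* function pointers in the real protocol */
  void                *GetNextNamespace;
} NVME_PASS_THRU_PROTOCOL;

typedef struct {
  uint32_t                Signature;
  NVME_PASS_THRU_PROTOCOL Passthru;      /* embedded structure, as the fix implies */
  NVME_PASS_THRU_MODE     PassThruMode;
} NVME_CONTROLLER_PRIVATE_DATA;

/* Hypothetical one-entry handle database: the interface installed on the controller. */
static void *gInstalledInterface;

/*
 * Model of gBS->OpenProtocol(): the third parameter is the address of a
 * pointer variable, and the installed interface pointer is stored there.
 * memcpy keeps the store aliasing-safe while still writing pointer-sized bytes.
 */
static int
MockOpenProtocol (void *Handle, const char *Guid, void **Interface)
{
  (void) Handle;
  (void) Guid;
  if (Interface == NULL) {
    return -1;                                  /* EFI_INVALID_PARAMETER */
  }
  memcpy (Interface, &gInstalledInterface, sizeof (void *));
  return 0;                                     /* EFI_SUCCESS */
}

/* Sets up a controller whose installed protocol instance is &Private->Passthru. */
static void
InitController (NVME_CONTROLLER_PRIVATE_DATA *Private)
{
  memset (Private, 0, sizeof (*Private));
  Private->Signature            = 0x45564D4E;   /* arbitrary */
  Private->PassThruMode.IoAlign = 4;
  Private->Passthru.Mode        = &Private->PassThruMode;
  gInstalledInterface           = &Private->Passthru;
}

/* Before the fix: the address of the embedded structure is passed as if it were
   the address of a pointer variable.  Returns 1 if Mode survived, 0 if clobbered. */
int
OpenBuggyKeepsMode (void)
{
  NVME_CONTROLLER_PRIVATE_DATA  Private;
  NVME_PASS_THRU_MODE          *Before;

  InitController (&Private);
  Before = Private.Passthru.Mode;
  MockOpenProtocol (NULL, "PassThru", (void **) &Private.Passthru);
  return Private.Passthru.Mode == Before;
}

/* After the fix: a throwaway VOID * receives the interface pointer and Mode is untouched.
   Returns 1 if Mode survived and the dummy received the protocol instance. */
int
OpenFixedKeepsMode (void)
{
  NVME_CONTROLLER_PRIVATE_DATA  Private;
  NVME_PASS_THRU_MODE          *Before;
  void                         *DummyInterface = NULL;

  InitController (&Private);
  Before = Private.Passthru.Mode;
  MockOpenProtocol (NULL, "PassThru", &DummyInterface);
  return (Private.Passthru.Mode == Before) && (DummyInterface == &Private.Passthru);
}

/* Shows what the clobbered Mode points at in the buggy case: the protocol structure
   itself, so any Mode->IoAlign read would return bytes of a function pointer. */
int
BuggyModeAliasesProtocol (void)
{
  NVME_CONTROLLER_PRIVATE_DATA Private;

  InitController (&Private);
  MockOpenProtocol (NULL, "PassThru", (void **) &Private.Passthru);
  return (void *) Private.Passthru.Mode == (void *) &Private.Passthru;
}

int
main (void)
{
  printf ("buggy call keeps Mode intact: %d\n", OpenBuggyKeepsMode ());
  printf ("fixed call keeps Mode intact: %d\n", OpenFixedKeepsMode ());
  printf ("buggy Mode aliases protocol:  %d\n", BuggyModeAliasesProtocol ());
  return 0;
}
```

The interesting consequence is the last function: because the protocol installed on the handle is the embedded structure itself, the overwritten 'Mode' ends up pointing at the protocol, so later dereferences of Mode read function-pointer bytes as alignment and version fields rather than faulting immediately, which is why this kind of bug can survive for a while without an obvious crash.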