From: Hao Wu <hao.a.wu@intel.com>
To: edk2-devel@lists.01.org, feng.tian@intel.com
Cc: Hao Wu <hao.a.wu@intel.com>
Subject: [PATCH v2 01/10] MdeModulePkg NvmExpressDxe: Avoid crashing 'Mode' during OpenProtocol
Date: Thu,  1 Sep 2016 10:32:58 +0800
Message-ID: <1472697187-16092-2-git-send-email-hao.a.wu@intel.com>
In-Reply-To: <1472697187-16092-1-git-send-email-hao.a.wu@intel.com>

The gBS->OpenProtocol() calls to open EFI_NVM_EXPRESS_PASS_THRU_PROTOCOL
in NvmExpress.c will crash the data in the 'Mode' field of
'Private->Passthru'.

The third parameter of gBS->OpenProtocol() is an output parameter that
stores the address where a pointer to the corresponding Protocol
Interface is returned. The current code mistakenly passes
'&Private->Passthru' (a pointer to the EFI_NVM_EXPRESS_PASS_THRU_PROTOCOL)
as the third parameter. This will crash the data in the 'Mode' field.

Cc: Feng Tian <feng.tian@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Hao Wu <hao.a.wu@intel.com>
---
 MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpress.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpress.c b/MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpress.c
index cb25b3e..255fa2b 100644
--- a/MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpress.c
+++ b/MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpress.c
@@ -76,6 +76,7 @@ EnumerateNvmeDevNamespace (
   UINT32                                LbaFmtIdx;
   UINT8                                 Sn[21];
   UINT8                                 Mn[41];
+  VOID                                  *DummyInterface;
 
   NewDevicePathNode = NULL;
   DevicePath        = NULL;
@@ -264,7 +265,7 @@ EnumerateNvmeDevNamespace (
     gBS->OpenProtocol (
            Private->ControllerHandle,
            &gEfiNvmExpressPassThruProtocolGuid,
-           (VOID **) &Private->Passthru,
+           (VOID **) &DummyInterface,
            Private->DriverBindingHandle,
            Device->DeviceHandle,
            EFI_OPEN_PROTOCOL_BY_CHILD_CONTROLLER
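
Review bot: the new `(VOID **) &DummyInterface` argument in this EnumerateNvmeDevNamespace call has no comment saying the returned interface is deliberately discarded, so a later cleanup could change it back to `&Private->Passthru`. Add a short comment above the call stating that the open is made with `EFI_OPEN_PROTOCOL_BY_CHILD_CONTROLLER` only to record the child relationship on `Device->DeviceHandle`, and that the interface pointer written to `DummyInterface` is not used.
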
@@ -392,10 +393,10 @@ UnregisterNvmeNamespace (
   EFI_STATUS                               Status;
   EFI_BLOCK_IO_PROTOCOL                    *BlockIo;
   NVME_DEVICE_PRIVATE_DATA                 *Device;
-  NVME_CONTROLLER_PRIVATE_DATA             *Private;
   EFI_STORAGE_SECURITY_COMMAND_PROTOCOL    *StorageSecurity;
   BOOLEAN                                  IsEmpty;
   EFI_TPL                                  OldTpl;
+  VOID                                     *DummyInterface;
 
   BlockIo = NULL;
 
@@ -412,7 +413,6 @@ UnregisterNvmeNamespace (
   }
 
   Device  = NVME_DEVICE_PRIVATE_DATA_FROM_BLOCK_IO (BlockIo);
-  Private = Device->Controller;
 
   //
   // Wait for the device's asynchronous I/O queue to become empty.
@@ -460,7 +460,7 @@ UnregisterNvmeNamespace (
     gBS->OpenProtocol (
            Controller,
            &gEfiNvmExpressPassThruProtocolGuid,
-           (VOID **) &Private->Passthru,
+           (VOID **) &DummyInterface,
            This->DriverBindingHandle,
            Handle,
            EFI_OPEN_PROTOCOL_BY_CHILD_CONTROLLER
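
Review bot: the return value of this `gBS->OpenProtocol (` call in UnregisterNvmeNamespace is still discarded, since the call is written as a bare statement. With the output now going to a throwaway `DummyInterface`, the status is the only result the call produces, so assign it to the `Status` variable already declared in this function and handle or at least assert on failure, so a failed open with `EFI_OPEN_PROTOCOL_BY_CHILD_CONTROLLER` does not pass unnoticed.
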
@@ -490,7 +490,7 @@ UnregisterNvmeNamespace (
       gBS->OpenProtocol (
         Controller,
         &gEfiNvmExpressPassThruProtocolGuid,
-        (VOID **) &Private->Passthru,
+        (VOID **) &DummyInterface,
         This->DriverBindingHandle,
         Handle,
         EFI_OPEN_PROTOCOL_BY_CHILD_CONTROLLER
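
Review bot: the `(VOID **)` cast on `&DummyInterface` is redundant here, because `DummyInterface` is declared as `VOID *` and its address already has type `VOID **`. The same cast on `&Private->Passthru` is what let the original mistake compile without a diagnostic, so consider dropping it at all three call sites and passing plain `&DummyInterface`, which lets the compiler reject a wrongly typed argument if this code is edited again.
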
-- 
1.9.5.msysgit.0


