* [PATCH] MdeModulePkg PiSmmCore: Enhance SMM FreePool to catch buffer overflow @ 2017-04-19 6:06 Star Zeng 2017-04-19 7:26 ` Yao, Jiewen 0 siblings, 1 reply; 3+ messages in thread From: Star Zeng @ 2017-04-19 6:06 UTC (permalink / raw) To: edk2-devel; +Cc: Star Zeng, Jiewen Yao, Hao Wu This solution is equivalent to DXE core. AllocatePool() allocates POOL_TAIL after the buffer. This POOL_TAIL is checked at FreePool(). If the there is buffer overflow, the issue can be caught at FreePool(). This patch could also handle the eight-byte aligned allocation requirement. The discussion related to the eight-byte aligned allocation requirement is at https://lists.01.org/pipermail/edk2-devel/2017-April/009995.html. According to the PI spec (Vol 4, Section 3.2 SmmAllocatePool()): The SmmAllocatePool() function ... All allocations are eight-byte aligned. Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Hao Wu <hao.wu@intel.com> Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Star Zeng <star.zeng@intel.com> --- MdeModulePkg/Core/PiSmmCore/PiSmmCore.h | 22 ++++++++++++++--- MdeModulePkg/Core/PiSmmCore/Pool.c | 44 +++++++++++++++++++++++++++++++-- 2 files changed, 61 insertions(+), 5 deletions(-) diff --git a/MdeModulePkg/Core/PiSmmCore/PiSmmCore.h b/MdeModulePkg/Core/PiSmmCore/PiSmmCore.h index c12805a2dd96..b6f815c68da0 100644 --- a/MdeModulePkg/Core/PiSmmCore/PiSmmCore.h +++ b/MdeModulePkg/Core/PiSmmCore/PiSmmCore.h @@ -1196,12 +1196,28 @@ extern LIST_ENTRY mSmmMemoryMap; // #define MAX_POOL_INDEX (MAX_POOL_SHIFT - MIN_POOL_SHIFT + 1) +#define POOL_HEAD_SIGNATURE SIGNATURE_32('p','h','d','0') + typedef struct { - UINTN Size; - BOOLEAN Available; - EFI_MEMORY_TYPE Type; + UINT32 Signature; + BOOLEAN Available; + EFI_MEMORY_TYPE Type; + UINTN Size; } POOL_HEADER; +#define POOL_TAIL_SIGNATURE SIGNATURE_32('p','t','a','l') + +typedef struct { + UINT32 Signature; + UINT32 Reserved; + UINTN Size; +} POOL_TAIL; + +#define POOL_OVERHEAD (sizeof(POOL_HEADER) + sizeof(POOL_TAIL)) + +#define HEAD_TO_TAIL(a) \ + ((POOL_TAIL *) (((CHAR8 *) (a)) + (a)->Size - sizeof(POOL_TAIL))); + typedef struct { POOL_HEADER Header; LIST_ENTRY Link; diff --git a/MdeModulePkg/Core/PiSmmCore/Pool.c b/MdeModulePkg/Core/PiSmmCore/Pool.c index 43ce869d1e1a..ebb9f8c49ee9 100644 --- a/MdeModulePkg/Core/PiSmmCore/Pool.c +++ b/MdeModulePkg/Core/PiSmmCore/Pool.c @@ -133,6 +133,7 @@ InternalAllocPoolByIndex ( { EFI_STATUS Status; FREE_POOL_HEADER *Hdr; + POOL_TAIL *Tail; EFI_PHYSICAL_ADDRESS Address; SMM_POOL_TYPE SmmPoolType; @@ -154,18 +155,26 @@ InternalAllocPoolByIndex ( } else { Status = InternalAllocPoolByIndex (PoolType, PoolIndex + 1, &Hdr); if (!EFI_ERROR (Status)) { + Hdr->Header.Signature = 0; Hdr->Header.Size >>= 1; Hdr->Header.Available = TRUE; - Hdr->Header.Type = PoolType; + Hdr->Header.Type = 0; + Tail = HEAD_TO_TAIL(&Hdr->Header); + Tail->Signature = 0; + Tail->Size = 0; InsertHeadList (&mSmmPoolLists[SmmPoolType][PoolIndex], &Hdr->Link); Hdr = (FREE_POOL_HEADER*)((UINT8*)Hdr + Hdr->Header.Size); } } if (!EFI_ERROR (Status)) { + Hdr->Header.Signature = POOL_HEAD_SIGNATURE; Hdr->Header.Size = MIN_POOL_SIZE << PoolIndex; Hdr->Header.Available = FALSE; Hdr->Header.Type = PoolType; + Tail = HEAD_TO_TAIL(&Hdr->Header); + Tail->Signature = POOL_TAIL_SIGNATURE; + Tail->Size = Hdr->Header.Size; } *FreePoolHdr = Hdr; @@ -187,6 +196,7 @@ InternalFreePoolByIndex ( { UINTN PoolIndex; SMM_POOL_TYPE SmmPoolType; + POOL_TAIL *PoolTail; ASSERT ((FreePoolHdr->Header.Size & (FreePoolHdr->Header.Size - 1)) == 0); ASSERT (((UINTN)FreePoolHdr & (FreePoolHdr->Header.Size - 1)) == 0); @@ -195,7 +205,12 @@ InternalFreePoolByIndex ( SmmPoolType = UefiMemoryTypeToSmmPoolType(FreePoolHdr->Header.Type); PoolIndex = (UINTN) (HighBitSet32 ((UINT32)FreePoolHdr->Header.Size) - MIN_POOL_SHIFT); + FreePoolHdr->Header.Signature = 0; FreePoolHdr->Header.Available = TRUE; + FreePoolHdr->Header.Type = 0; + PoolTail = HEAD_TO_TAIL(&FreePoolHdr->Header); + PoolTail->Signature = 0; + PoolTail->Size = 0; ASSERT (PoolIndex < MAX_POOL_INDEX); InsertHeadList (&mSmmPoolLists[SmmPoolType][PoolIndex], &FreePoolHdr->Link); return EFI_SUCCESS; @@ -223,6 +238,7 @@ SmmInternalAllocatePool ( ) { POOL_HEADER *PoolHdr; + POOL_TAIL *PoolTail; FREE_POOL_HEADER *FreePoolHdr; EFI_STATUS Status; EFI_PHYSICAL_ADDRESS Address; @@ -235,7 +251,10 @@ SmmInternalAllocatePool ( return EFI_INVALID_PARAMETER; } - Size += sizeof (*PoolHdr); + // + // Adjust the size by the pool header & tail overhead + // + Size += POOL_OVERHEAD; if (Size > MAX_POOL_SIZE) { Size = EFI_SIZE_TO_PAGES (Size); Status = SmmInternalAllocatePages (AllocateAnyPages, PoolType, Size, &Address); @@ -244,9 +263,13 @@ SmmInternalAllocatePool ( } PoolHdr = (POOL_HEADER*)(UINTN)Address; + PoolHdr->Signature = POOL_HEAD_SIGNATURE; PoolHdr->Size = EFI_PAGES_TO_SIZE (Size); PoolHdr->Available = FALSE; PoolHdr->Type = PoolType; + PoolTail = HEAD_TO_TAIL(PoolHdr); + PoolTail->Signature = POOL_TAIL_SIGNATURE; + PoolTail->Size = PoolHdr->Size; *Buffer = PoolHdr + 1; return Status; } @@ -317,13 +340,30 @@ SmmInternalFreePool ( ) { FREE_POOL_HEADER *FreePoolHdr; + POOL_TAIL *PoolTail; if (Buffer == NULL) { return EFI_INVALID_PARAMETER; } FreePoolHdr = (FREE_POOL_HEADER*)((POOL_HEADER*)Buffer - 1); + ASSERT (FreePoolHdr->Header.Signature == POOL_HEAD_SIGNATURE); ASSERT (!FreePoolHdr->Header.Available); + PoolTail = HEAD_TO_TAIL(&FreePoolHdr->Header); + ASSERT (PoolTail->Signature == POOL_TAIL_SIGNATURE); + ASSERT (FreePoolHdr->Header.Size == PoolTail->Size); + + if (FreePoolHdr->Header.Signature != POOL_HEAD_SIGNATURE) { + return EFI_INVALID_PARAMETER; + } + + if (PoolTail->Signature != POOL_TAIL_SIGNATURE) { + return EFI_INVALID_PARAMETER; + } + + if (FreePoolHdr->Header.Size != PoolTail->Size) { + return EFI_INVALID_PARAMETER; + } if (FreePoolHdr->Header.Size > MAX_POOL_SIZE) { ASSERT (((UINTN)FreePoolHdr & EFI_PAGE_MASK) == 0); -- 2.7.0.windows.1 ^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH] MdeModulePkg PiSmmCore: Enhance SMM FreePool to catch buffer overflow 2017-04-19 6:06 [PATCH] MdeModulePkg PiSmmCore: Enhance SMM FreePool to catch buffer overflow Star Zeng @ 2017-04-19 7:26 ` Yao, Jiewen 2017-04-19 11:23 ` Wu, Hao A 0 siblings, 1 reply; 3+ messages in thread From: Yao, Jiewen @ 2017-04-19 7:26 UTC (permalink / raw) To: Zeng, Star, edk2-devel@lists.01.org; +Cc: Wu, Hao Reviewed-by: jiewen.yao@intel.com > -----Original Message----- > From: Zeng, Star > Sent: Wednesday, April 19, 2017 2:07 PM > To: edk2-devel@lists.01.org > Cc: Zeng, Star <star.zeng@intel.com>; Yao, Jiewen <jiewen.yao@intel.com>; Wu, > Hao <hao.wu@intel.com> > Subject: [PATCH] MdeModulePkg PiSmmCore: Enhance SMM FreePool to catch > buffer overflow > > This solution is equivalent to DXE core. > > AllocatePool() allocates POOL_TAIL after the buffer. > This POOL_TAIL is checked at FreePool(). > If the there is buffer overflow, the issue can be caught at FreePool(). > > This patch could also handle the eight-byte aligned allocation > requirement. The discussion related to the eight-byte aligned > allocation requirement is at > https://lists.01.org/pipermail/edk2-devel/2017-April/009995.html. > > According to the PI spec (Vol 4, Section 3.2 SmmAllocatePool()): > The SmmAllocatePool() function ... All allocations are eight-byte aligned. > > Cc: Jiewen Yao <jiewen.yao@intel.com> > Cc: Hao Wu <hao.wu@intel.com> > Contributed-under: TianoCore Contribution Agreement 1.0 > Signed-off-by: Star Zeng <star.zeng@intel.com> > --- > MdeModulePkg/Core/PiSmmCore/PiSmmCore.h | 22 ++++++++++++++--- > MdeModulePkg/Core/PiSmmCore/Pool.c | 44 > +++++++++++++++++++++++++++++++-- > 2 files changed, 61 insertions(+), 5 deletions(-) > > diff --git a/MdeModulePkg/Core/PiSmmCore/PiSmmCore.h > b/MdeModulePkg/Core/PiSmmCore/PiSmmCore.h > index c12805a2dd96..b6f815c68da0 100644 > --- a/MdeModulePkg/Core/PiSmmCore/PiSmmCore.h > +++ b/MdeModulePkg/Core/PiSmmCore/PiSmmCore.h > @@ -1196,12 +1196,28 @@ extern LIST_ENTRY mSmmMemoryMap; > // > #define MAX_POOL_INDEX (MAX_POOL_SHIFT - MIN_POOL_SHIFT + 1) > > +#define POOL_HEAD_SIGNATURE SIGNATURE_32('p','h','d','0') > + > typedef struct { > - UINTN Size; > - BOOLEAN Available; > - EFI_MEMORY_TYPE Type; > + UINT32 Signature; > + BOOLEAN Available; > + EFI_MEMORY_TYPE Type; > + UINTN Size; > } POOL_HEADER; > > +#define POOL_TAIL_SIGNATURE SIGNATURE_32('p','t','a','l') > + > +typedef struct { > + UINT32 Signature; > + UINT32 Reserved; > + UINTN Size; > +} POOL_TAIL; > + > +#define POOL_OVERHEAD (sizeof(POOL_HEADER) + sizeof(POOL_TAIL)) > + > +#define HEAD_TO_TAIL(a) \ > + ((POOL_TAIL *) (((CHAR8 *) (a)) + (a)->Size - sizeof(POOL_TAIL))); > + > typedef struct { > POOL_HEADER Header; > LIST_ENTRY Link; > diff --git a/MdeModulePkg/Core/PiSmmCore/Pool.c > b/MdeModulePkg/Core/PiSmmCore/Pool.c > index 43ce869d1e1a..ebb9f8c49ee9 100644 > --- a/MdeModulePkg/Core/PiSmmCore/Pool.c > +++ b/MdeModulePkg/Core/PiSmmCore/Pool.c > @@ -133,6 +133,7 @@ InternalAllocPoolByIndex ( > { > EFI_STATUS Status; > FREE_POOL_HEADER *Hdr; > + POOL_TAIL *Tail; > EFI_PHYSICAL_ADDRESS Address; > SMM_POOL_TYPE SmmPoolType; > > @@ -154,18 +155,26 @@ InternalAllocPoolByIndex ( > } else { > Status = InternalAllocPoolByIndex (PoolType, PoolIndex + 1, &Hdr); > if (!EFI_ERROR (Status)) { > + Hdr->Header.Signature = 0; > Hdr->Header.Size >>= 1; > Hdr->Header.Available = TRUE; > - Hdr->Header.Type = PoolType; > + Hdr->Header.Type = 0; > + Tail = HEAD_TO_TAIL(&Hdr->Header); > + Tail->Signature = 0; > + Tail->Size = 0; > InsertHeadList (&mSmmPoolLists[SmmPoolType][PoolIndex], > &Hdr->Link); > Hdr = (FREE_POOL_HEADER*)((UINT8*)Hdr + Hdr->Header.Size); > } > } > > if (!EFI_ERROR (Status)) { > + Hdr->Header.Signature = POOL_HEAD_SIGNATURE; > Hdr->Header.Size = MIN_POOL_SIZE << PoolIndex; > Hdr->Header.Available = FALSE; > Hdr->Header.Type = PoolType; > + Tail = HEAD_TO_TAIL(&Hdr->Header); > + Tail->Signature = POOL_TAIL_SIGNATURE; > + Tail->Size = Hdr->Header.Size; > } > > *FreePoolHdr = Hdr; > @@ -187,6 +196,7 @@ InternalFreePoolByIndex ( > { > UINTN PoolIndex; > SMM_POOL_TYPE SmmPoolType; > + POOL_TAIL *PoolTail; > > ASSERT ((FreePoolHdr->Header.Size & (FreePoolHdr->Header.Size - 1)) == 0); > ASSERT (((UINTN)FreePoolHdr & (FreePoolHdr->Header.Size - 1)) == 0); > @@ -195,7 +205,12 @@ InternalFreePoolByIndex ( > SmmPoolType = > UefiMemoryTypeToSmmPoolType(FreePoolHdr->Header.Type); > > PoolIndex = (UINTN) (HighBitSet32 ((UINT32)FreePoolHdr->Header.Size) - > MIN_POOL_SHIFT); > + FreePoolHdr->Header.Signature = 0; > FreePoolHdr->Header.Available = TRUE; > + FreePoolHdr->Header.Type = 0; > + PoolTail = HEAD_TO_TAIL(&FreePoolHdr->Header); > + PoolTail->Signature = 0; > + PoolTail->Size = 0; > ASSERT (PoolIndex < MAX_POOL_INDEX); > InsertHeadList (&mSmmPoolLists[SmmPoolType][PoolIndex], > &FreePoolHdr->Link); > return EFI_SUCCESS; > @@ -223,6 +238,7 @@ SmmInternalAllocatePool ( > ) > { > POOL_HEADER *PoolHdr; > + POOL_TAIL *PoolTail; > FREE_POOL_HEADER *FreePoolHdr; > EFI_STATUS Status; > EFI_PHYSICAL_ADDRESS Address; > @@ -235,7 +251,10 @@ SmmInternalAllocatePool ( > return EFI_INVALID_PARAMETER; > } > > - Size += sizeof (*PoolHdr); > + // > + // Adjust the size by the pool header & tail overhead > + // > + Size += POOL_OVERHEAD; > if (Size > MAX_POOL_SIZE) { > Size = EFI_SIZE_TO_PAGES (Size); > Status = SmmInternalAllocatePages (AllocateAnyPages, PoolType, Size, > &Address); > @@ -244,9 +263,13 @@ SmmInternalAllocatePool ( > } > > PoolHdr = (POOL_HEADER*)(UINTN)Address; > + PoolHdr->Signature = POOL_HEAD_SIGNATURE; > PoolHdr->Size = EFI_PAGES_TO_SIZE (Size); > PoolHdr->Available = FALSE; > PoolHdr->Type = PoolType; > + PoolTail = HEAD_TO_TAIL(PoolHdr); > + PoolTail->Signature = POOL_TAIL_SIGNATURE; > + PoolTail->Size = PoolHdr->Size; > *Buffer = PoolHdr + 1; > return Status; > } > @@ -317,13 +340,30 @@ SmmInternalFreePool ( > ) > { > FREE_POOL_HEADER *FreePoolHdr; > + POOL_TAIL *PoolTail; > > if (Buffer == NULL) { > return EFI_INVALID_PARAMETER; > } > > FreePoolHdr = (FREE_POOL_HEADER*)((POOL_HEADER*)Buffer - 1); > + ASSERT (FreePoolHdr->Header.Signature == POOL_HEAD_SIGNATURE); > ASSERT (!FreePoolHdr->Header.Available); > + PoolTail = HEAD_TO_TAIL(&FreePoolHdr->Header); > + ASSERT (PoolTail->Signature == POOL_TAIL_SIGNATURE); > + ASSERT (FreePoolHdr->Header.Size == PoolTail->Size); > + > + if (FreePoolHdr->Header.Signature != POOL_HEAD_SIGNATURE) { > + return EFI_INVALID_PARAMETER; > + } > + > + if (PoolTail->Signature != POOL_TAIL_SIGNATURE) { > + return EFI_INVALID_PARAMETER; > + } > + > + if (FreePoolHdr->Header.Size != PoolTail->Size) { > + return EFI_INVALID_PARAMETER; > + } > > if (FreePoolHdr->Header.Size > MAX_POOL_SIZE) { > ASSERT (((UINTN)FreePoolHdr & EFI_PAGE_MASK) == 0); > -- > 2.7.0.windows.1 ^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH] MdeModulePkg PiSmmCore: Enhance SMM FreePool to catch buffer overflow 2017-04-19 7:26 ` Yao, Jiewen @ 2017-04-19 11:23 ` Wu, Hao A 0 siblings, 0 replies; 3+ messages in thread From: Wu, Hao A @ 2017-04-19 11:23 UTC (permalink / raw) To: Yao, Jiewen, Zeng, Star, edk2-devel@lists.01.org Reviewed-by: Hao Wu <hao.a.wu@intel.com> Best Regards, Hao Wu > -----Original Message----- > From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of Yao, > Jiewen > Sent: Wednesday, April 19, 2017 3:27 PM > To: Zeng, Star; edk2-devel@lists.01.org > Cc: Wu, Hao > Subject: Re: [edk2] [PATCH] MdeModulePkg PiSmmCore: Enhance SMM > FreePool to catch buffer overflow > > Reviewed-by: jiewen.yao@intel.com > > > -----Original Message----- > > From: Zeng, Star > > Sent: Wednesday, April 19, 2017 2:07 PM > > To: edk2-devel@lists.01.org > > Cc: Zeng, Star <star.zeng@intel.com>; Yao, Jiewen <jiewen.yao@intel.com>; > Wu, > > Hao <hao.wu@intel.com> > > Subject: [PATCH] MdeModulePkg PiSmmCore: Enhance SMM FreePool to catch > > buffer overflow > > > > This solution is equivalent to DXE core. > > > > AllocatePool() allocates POOL_TAIL after the buffer. > > This POOL_TAIL is checked at FreePool(). > > If the there is buffer overflow, the issue can be caught at FreePool(). > > > > This patch could also handle the eight-byte aligned allocation > > requirement. The discussion related to the eight-byte aligned > > allocation requirement is at > > https://lists.01.org/pipermail/edk2-devel/2017-April/009995.html. > > > > According to the PI spec (Vol 4, Section 3.2 SmmAllocatePool()): > > The SmmAllocatePool() function ... All allocations are eight-byte aligned. > > > > Cc: Jiewen Yao <jiewen.yao@intel.com> > > Cc: Hao Wu <hao.wu@intel.com> > > Contributed-under: TianoCore Contribution Agreement 1.0 > > Signed-off-by: Star Zeng <star.zeng@intel.com> > > --- > > MdeModulePkg/Core/PiSmmCore/PiSmmCore.h | 22 ++++++++++++++--- > > MdeModulePkg/Core/PiSmmCore/Pool.c | 44 > > +++++++++++++++++++++++++++++++-- > > 2 files changed, 61 insertions(+), 5 deletions(-) > > > > diff --git a/MdeModulePkg/Core/PiSmmCore/PiSmmCore.h > > b/MdeModulePkg/Core/PiSmmCore/PiSmmCore.h > > index c12805a2dd96..b6f815c68da0 100644 > > --- a/MdeModulePkg/Core/PiSmmCore/PiSmmCore.h > > +++ b/MdeModulePkg/Core/PiSmmCore/PiSmmCore.h > > @@ -1196,12 +1196,28 @@ extern LIST_ENTRY mSmmMemoryMap; > > // > > #define MAX_POOL_INDEX (MAX_POOL_SHIFT - MIN_POOL_SHIFT + 1) > > > > +#define POOL_HEAD_SIGNATURE SIGNATURE_32('p','h','d','0') > > + > > typedef struct { > > - UINTN Size; > > - BOOLEAN Available; > > - EFI_MEMORY_TYPE Type; > > + UINT32 Signature; > > + BOOLEAN Available; > > + EFI_MEMORY_TYPE Type; > > + UINTN Size; > > } POOL_HEADER; > > > > +#define POOL_TAIL_SIGNATURE SIGNATURE_32('p','t','a','l') > > + > > +typedef struct { > > + UINT32 Signature; > > + UINT32 Reserved; > > + UINTN Size; > > +} POOL_TAIL; > > + > > +#define POOL_OVERHEAD (sizeof(POOL_HEADER) + sizeof(POOL_TAIL)) > > + > > +#define HEAD_TO_TAIL(a) \ > > + ((POOL_TAIL *) (((CHAR8 *) (a)) + (a)->Size - sizeof(POOL_TAIL))); > > + > > typedef struct { > > POOL_HEADER Header; > > LIST_ENTRY Link; > > diff --git a/MdeModulePkg/Core/PiSmmCore/Pool.c > > b/MdeModulePkg/Core/PiSmmCore/Pool.c > > index 43ce869d1e1a..ebb9f8c49ee9 100644 > > --- a/MdeModulePkg/Core/PiSmmCore/Pool.c > > +++ b/MdeModulePkg/Core/PiSmmCore/Pool.c > > @@ -133,6 +133,7 @@ InternalAllocPoolByIndex ( > > { > > EFI_STATUS Status; > > FREE_POOL_HEADER *Hdr; > > + POOL_TAIL *Tail; > > EFI_PHYSICAL_ADDRESS Address; > > SMM_POOL_TYPE SmmPoolType; > > > > @@ -154,18 +155,26 @@ InternalAllocPoolByIndex ( > > } else { > > Status = InternalAllocPoolByIndex (PoolType, PoolIndex + 1, &Hdr); > > if (!EFI_ERROR (Status)) { > > + Hdr->Header.Signature = 0; > > Hdr->Header.Size >>= 1; > > Hdr->Header.Available = TRUE; > > - Hdr->Header.Type = PoolType; > > + Hdr->Header.Type = 0; > > + Tail = HEAD_TO_TAIL(&Hdr->Header); > > + Tail->Signature = 0; > > + Tail->Size = 0; > > InsertHeadList (&mSmmPoolLists[SmmPoolType][PoolIndex], > > &Hdr->Link); > > Hdr = (FREE_POOL_HEADER*)((UINT8*)Hdr + Hdr->Header.Size); > > } > > } > > > > if (!EFI_ERROR (Status)) { > > + Hdr->Header.Signature = POOL_HEAD_SIGNATURE; > > Hdr->Header.Size = MIN_POOL_SIZE << PoolIndex; > > Hdr->Header.Available = FALSE; > > Hdr->Header.Type = PoolType; > > + Tail = HEAD_TO_TAIL(&Hdr->Header); > > + Tail->Signature = POOL_TAIL_SIGNATURE; > > + Tail->Size = Hdr->Header.Size; > > } > > > > *FreePoolHdr = Hdr; > > @@ -187,6 +196,7 @@ InternalFreePoolByIndex ( > > { > > UINTN PoolIndex; > > SMM_POOL_TYPE SmmPoolType; > > + POOL_TAIL *PoolTail; > > > > ASSERT ((FreePoolHdr->Header.Size & (FreePoolHdr->Header.Size - 1)) == 0); > > ASSERT (((UINTN)FreePoolHdr & (FreePoolHdr->Header.Size - 1)) == 0); > > @@ -195,7 +205,12 @@ InternalFreePoolByIndex ( > > SmmPoolType = > > UefiMemoryTypeToSmmPoolType(FreePoolHdr->Header.Type); > > > > PoolIndex = (UINTN) (HighBitSet32 ((UINT32)FreePoolHdr->Header.Size) - > > MIN_POOL_SHIFT); > > + FreePoolHdr->Header.Signature = 0; > > FreePoolHdr->Header.Available = TRUE; > > + FreePoolHdr->Header.Type = 0; > > + PoolTail = HEAD_TO_TAIL(&FreePoolHdr->Header); > > + PoolTail->Signature = 0; > > + PoolTail->Size = 0; > > ASSERT (PoolIndex < MAX_POOL_INDEX); > > InsertHeadList (&mSmmPoolLists[SmmPoolType][PoolIndex], > > &FreePoolHdr->Link); > > return EFI_SUCCESS; > > @@ -223,6 +238,7 @@ SmmInternalAllocatePool ( > > ) > > { > > POOL_HEADER *PoolHdr; > > + POOL_TAIL *PoolTail; > > FREE_POOL_HEADER *FreePoolHdr; > > EFI_STATUS Status; > > EFI_PHYSICAL_ADDRESS Address; > > @@ -235,7 +251,10 @@ SmmInternalAllocatePool ( > > return EFI_INVALID_PARAMETER; > > } > > > > - Size += sizeof (*PoolHdr); > > + // > > + // Adjust the size by the pool header & tail overhead > > + // > > + Size += POOL_OVERHEAD; > > if (Size > MAX_POOL_SIZE) { > > Size = EFI_SIZE_TO_PAGES (Size); > > Status = SmmInternalAllocatePages (AllocateAnyPages, PoolType, Size, > > &Address); > > @@ -244,9 +263,13 @@ SmmInternalAllocatePool ( > > } > > > > PoolHdr = (POOL_HEADER*)(UINTN)Address; > > + PoolHdr->Signature = POOL_HEAD_SIGNATURE; > > PoolHdr->Size = EFI_PAGES_TO_SIZE (Size); > > PoolHdr->Available = FALSE; > > PoolHdr->Type = PoolType; > > + PoolTail = HEAD_TO_TAIL(PoolHdr); > > + PoolTail->Signature = POOL_TAIL_SIGNATURE; > > + PoolTail->Size = PoolHdr->Size; > > *Buffer = PoolHdr + 1; > > return Status; > > } > > @@ -317,13 +340,30 @@ SmmInternalFreePool ( > > ) > > { > > FREE_POOL_HEADER *FreePoolHdr; > > + POOL_TAIL *PoolTail; > > > > if (Buffer == NULL) { > > return EFI_INVALID_PARAMETER; > > } > > > > FreePoolHdr = (FREE_POOL_HEADER*)((POOL_HEADER*)Buffer - 1); > > + ASSERT (FreePoolHdr->Header.Signature == POOL_HEAD_SIGNATURE); > > ASSERT (!FreePoolHdr->Header.Available); > > + PoolTail = HEAD_TO_TAIL(&FreePoolHdr->Header); > > + ASSERT (PoolTail->Signature == POOL_TAIL_SIGNATURE); > > + ASSERT (FreePoolHdr->Header.Size == PoolTail->Size); > > + > > + if (FreePoolHdr->Header.Signature != POOL_HEAD_SIGNATURE) { > > + return EFI_INVALID_PARAMETER; > > + } > > + > > + if (PoolTail->Signature != POOL_TAIL_SIGNATURE) { > > + return EFI_INVALID_PARAMETER; > > + } > > + > > + if (FreePoolHdr->Header.Size != PoolTail->Size) { > > + return EFI_INVALID_PARAMETER; > > + } > > > > if (FreePoolHdr->Header.Size > MAX_POOL_SIZE) { > > ASSERT (((UINTN)FreePoolHdr & EFI_PAGE_MASK) == 0); > > -- > > 2.7.0.windows.1 > > _______________________________________________ > edk2-devel mailing list > edk2-devel@lists.01.org > https://lists.01.org/mailman/listinfo/edk2-devel ^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2017-04-19 11:23 UTC | newest] Thread overview: 3+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2017-04-19 6:06 [PATCH] MdeModulePkg PiSmmCore: Enhance SMM FreePool to catch buffer overflow Star Zeng 2017-04-19 7:26 ` Yao, Jiewen 2017-04-19 11:23 ` Wu, Hao A
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox