From: Jeff Fan <jeff.fan@intel.com>
To: edk2-devel@lists.01.org
Cc: Jiewen Yao <jiewen.yao@intel.com>,
Feng Tian <feng.tian@intel.com>,
Michael D Kinney <michael.d.kinney@intel.com>
Subject: [PATCH] MdeModulePkg/PiSmmCore: Cache CommunicationBuffer info before using it
Date: Fri, 18 Nov 2016 15:01:52 +0800
Message-ID: <20161118070152.16716-1-jeff.fan@intel.com>
gSmmCorePrivate->CommunicationBuffer and gSmmCorePrivate->BufferSize are located in the
runtime memory region. That means they could be modified by non-SMM code during
runtime.
We should cache them into SMM local variables before we verify them. After
verification, we should use the cached ones directly instead of the ones in
gSmmCorePrivate.
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Feng Tian <feng.tian@intel.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Jeff Fan <jeff.fan@intel.com>
---
MdeModulePkg/Core/PiSmmCore/PiSmmCore.c | 20 ++++++++++++--------
1 file changed, 12 insertions(+), 8 deletions(-)
diff --git a/MdeModulePkg/Core/PiSmmCore/PiSmmCore.c b/MdeModulePkg/Core/PiSmmCore/PiSmmCore.c
index b877a33..de8db65 100644
--- a/MdeModulePkg/Core/PiSmmCore/PiSmmCore.c
+++ b/MdeModulePkg/Core/PiSmmCore/PiSmmCore.c
@@ -432,6 +432,8 @@ SmmEntryPoint (
EFI_SMM_COMMUNICATE_HEADER *CommunicateHeader;
BOOLEAN InLegacyBoot;
BOOLEAN IsOverlapped;
+ VOID *CommunicationBuffer;
+ UINTN BufferSize;
PERF_START (NULL, "SMM", NULL, 0) ;
@@ -463,17 +465,19 @@ SmmEntryPoint (
// Check to see if this is a Synchronous SMI sent through the SMM Communication
// Protocol or an Asynchronous SMI
//
- if (gSmmCorePrivate->CommunicationBuffer != NULL) {
+ CommunicationBuffer = gSmmCorePrivate->CommunicationBuffer;
+ BufferSize = gSmmCorePrivate->BufferSize;
+ if (CommunicationBuffer != NULL) {
//
// Synchronous SMI for SMM Core or request from Communicate protocol
//
IsOverlapped = InternalIsBufferOverlapped (
- (UINT8 *) gSmmCorePrivate->CommunicationBuffer,
- gSmmCorePrivate->BufferSize,
+ (UINT8 *) CommunicationBuffer,
+ BufferSize,
(UINT8 *) gSmmCorePrivate,
sizeof (*gSmmCorePrivate)
);
- if (!SmmIsBufferOutsideSmmValid ((UINTN)gSmmCorePrivate->CommunicationBuffer, gSmmCorePrivate->BufferSize) || IsOverlapped) {
+ if (!SmmIsBufferOutsideSmmValid ((UINTN)CommunicationBuffer, BufferSize) || IsOverlapped) {
//
// If CommunicationBuffer is not in valid address scope,
// or there is overlap between gSmmCorePrivate and CommunicationBuffer,
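Review bot: The two snapshot assignments (`CommunicationBuffer = gSmmCorePrivate->CommunicationBuffer;` and `BufferSize = gSmmCorePrivate->BufferSize;`) carry the whole point of the patch but have no comment; add one saying that both fields live in runtime memory and are copied into SMRAM locals so that the values checked by InternalIsBufferOverlapped and SmmIsBufferOutsideSmmValid are the same values used afterwards. It is also worth confirming that no read of either field remains elsewhere in SmmEntryPoint (the context between this hunk and the next is not shown), since a single leftover read would reintroduce the double fetch the patch removes.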
@@ -482,19 +486,19 @@ SmmEntryPoint (
gSmmCorePrivate->CommunicationBuffer = NULL;
gSmmCorePrivate->ReturnStatus = EFI_INVALID_PARAMETER;
} else {
- CommunicateHeader = (EFI_SMM_COMMUNICATE_HEADER *)gSmmCorePrivate->CommunicationBuffer;
- gSmmCorePrivate->BufferSize -= OFFSET_OF (EFI_SMM_COMMUNICATE_HEADER, Data);
+ CommunicateHeader = (EFI_SMM_COMMUNICATE_HEADER *)CommunicationBuffer;
+ BufferSize -= OFFSET_OF (EFI_SMM_COMMUNICATE_HEADER, Data);
Status = SmiManage (
&CommunicateHeader->HeaderGuid,
NULL,
CommunicateHeader->Data,
- &gSmmCorePrivate->BufferSize
+ &BufferSize
);
//
// Update CommunicationBuffer, BufferSize and ReturnStatus
// Communicate service finished, reset the pointer to CommBuffer to NULL
//
- gSmmCorePrivate->BufferSize += OFFSET_OF (EFI_SMM_COMMUNICATE_HEADER, Data);
+ gSmmCorePrivate->BufferSize = BufferSize + OFFSET_OF (EFI_SMM_COMMUNICATE_HEADER, Data);
gSmmCorePrivate->CommunicationBuffer = NULL;
gSmmCorePrivate->ReturnStatus = (Status == EFI_SUCCESS) ? EFI_SUCCESS : EFI_NOT_FOUND;
}
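Review bot: `BufferSize -= OFFSET_OF (EFI_SMM_COMMUNICATE_HEADER, Data);` assumes the cached BufferSize is at least the header size, and no minimum-length check is visible in the validation branch of the previous hunk; if a smaller value is supplied the UINTN wraps and an oversized length is passed to SmiManage through `&BufferSize`. Suggest adding `BufferSize < OFFSET_OF (EFI_SMM_COMMUNICATE_HEADER, Data)` to the condition that sets EFI_INVALID_PARAMETER, or pointing at where that check already happens. The write-back `gSmmCorePrivate->BufferSize = BufferSize + OFFSET_OF (EFI_SMM_COMMUNICATE_HEADER, Data);` is the right shape now that the shared field is no longer used as an accumulator across the SmiManage call.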
--
2.9.3.windows.2
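The double-fetch problem the commit message describes, shown as an added example that is not part of the patch or of the EDK2 code base: a shared structure (a stand-in for gSmmCorePrivate) is validated and then re-read, versus snapshotted into locals once. The struct, the `buffer_is_valid` check, the `Interleave` callback that models the other core's write, and the constants `COMM_HEADER_SIZE` and `MAX_VALID_SIZE` are all constructed for this example; `COMM_HEADER_SIZE` stands in for `OFFSET_OF (EFI_SMM_COMMUNICATE_HEADER, Data)`.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for gSmmCorePrivate. In the real firmware these two
 * fields live in runtime memory, so code outside SMM can overwrite them while
 * the SMI handler is running. */
typedef struct {
    uint8_t *CommunicationBuffer;
    size_t   BufferSize;
} SharedState;

/* Constructed constants: stand-ins for OFFSET_OF (EFI_SMM_COMMUNICATE_HEADER, Data)
 * and for the largest size the validity check accepts. */
#define COMM_HEADER_SIZE 24u
#define MAX_VALID_SIZE   64u

/* Stand-in for the real SmmIsBufferOutsideSmmValid: accepts a non-NULL buffer
 * whose size covers the header and fits the constructed limit. */
static bool buffer_is_valid(const uint8_t *buf, size_t size) {
    return buf != NULL && size >= COMM_HEADER_SIZE && size <= MAX_VALID_SIZE;
}

/* Models another core writing the shared fields between check and use. */
typedef void (*Interleave)(SharedState *state);

/* Pre-patch shape: validates the shared fields, then re-reads them. Returns the
 * payload length that would be handed to the dispatcher, or 0 when rejected. */
size_t handle_unsafe(SharedState *state, Interleave race) {
    if (!buffer_is_valid(state->CommunicationBuffer, state->BufferSize)) {
        return 0;
    }
    if (race != NULL) {
        race(state);                     /* shared field changes after the check */
    }
    return state->BufferSize - COMM_HEADER_SIZE;   /* second fetch: unvalidated value */
}

/* Post-patch shape: snapshot once into locals (SMRAM in the real handler),
 * validate the snapshot and use only the snapshot afterwards. */
size_t handle_safe(SharedState *state, Interleave race) {
    uint8_t *buf  = state->CommunicationBuffer;
    size_t   size = state->BufferSize;
    if (!buffer_is_valid(buf, size)) {
        return 0;
    }
    if (race != NULL) {
        race(state);                     /* modifies the shared copy, not our locals */
    }
    return size - COMM_HEADER_SIZE;
}

/* Constructed race: the non-SMM side grows BufferSize after validation. */
static void grow_size(SharedState *state) {
    state->BufferSize = 4096;
}

/* Runs one scenario against a 64-byte constructed buffer and returns the
 * payload length the chosen handler would act on. */
size_t run_scenario(bool use_snapshot) {
    static uint8_t comm_buffer[MAX_VALID_SIZE];
    SharedState state = { comm_buffer, sizeof comm_buffer };
    return use_snapshot ? handle_safe(&state, grow_size)
                        : handle_unsafe(&state, grow_size);
}

int main(void) {
    printf("unsafe handler payload length: %zu\n", run_scenario(false));  /* 4072 */
    printf("safe handler payload length:   %zu\n", run_scenario(true));   /* 40 */
    return 0;
}
```

The unsafe variant passes a length far beyond anything the check accepted, because the value it acts on is the second fetch; the snapshot variant never sees the modified field, which is exactly the property the patch restores in SmmEntryPoint.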
Thread overview: 2+ messages
2016-11-18 7:01 Jeff Fan [this message]
2016-11-22 6:25 ` [PATCH] MdeModulePkg/PiSmmCore: Cache CommunicationBuffer info before using it Yao, Jiewen