From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <jeff.fan@intel.com>
Received: from mga07.intel.com (mga07.intel.com [134.134.136.100])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (No client certificate requested)
 by ml01.01.org (Postfix) with ESMTPS id 9080F81EBA
 for <edk2-devel@lists.01.org>; Thu, 17 Nov 2016 23:01:52 -0800 (PST)
Received: from orsmga004.jf.intel.com ([10.7.209.38])
 by orsmga105.jf.intel.com with ESMTP; 17 Nov 2016 23:01:57 -0800
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.31,655,1473145200"; d="scan'208";a="32143525"
Received: from jfan12-desk.ccr.corp.intel.com ([10.239.9.5])
 by orsmga004.jf.intel.com with ESMTP; 17 Nov 2016 23:01:56 -0800
From: Jeff Fan <jeff.fan@intel.com>
To: edk2-devel@lists.01.org
Cc: Jiewen Yao <jiewen.yao@intel.com>, Feng Tian <feng.tian@intel.com>,
 Michael D Kinney <michael.d.kinney@intel.com>
Date: Fri, 18 Nov 2016 15:01:52 +0800
Message-Id: <20161118070152.16716-1-jeff.fan@intel.com>
X-Mailer: git-send-email 2.9.3.windows.2
Subject: [PATCH] MdeModulePkg/PiSmmCore: Cache CommunicationBuffer info before using it
X-BeenThere: edk2-devel@lists.01.org
X-Mailman-Version: 2.1.21
Precedence: list
List-Id: EDK II Development  <edk2-devel.lists.01.org>
List-Unsubscribe: <https://lists.01.org/mailman/options/edk2-devel>,
 <mailto:edk2-devel-request@lists.01.org?subject=unsubscribe>
List-Archive: <http://lists.01.org/pipermail/edk2-devel/>
List-Post: <mailto:edk2-devel@lists.01.org>
List-Help: <mailto:edk2-devel-request@lists.01.org?subject=help>
List-Subscribe: <https://lists.01.org/mailman/listinfo/edk2-devel>,
 <mailto:edk2-devel-request@lists.01.org?subject=subscribe>
X-List-Received-Date: Fri, 18 Nov 2016 07:01:52 -0000

gSmmCorePrivate->CommunicationBuffer and gSmmCorePrivate->BufferSize locate at
runtime memory region. That means they could be modified by non-SMM code during
runtime.

We should cache them into SMM local variables before we verify them. After
verification, we should use the cached ones directly instead of the ones in
gSmmCorePrivate.

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Feng Tian <feng.tian@intel.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Jeff Fan <jeff.fan@intel.com>
---
 MdeModulePkg/Core/PiSmmCore/PiSmmCore.c | 20 ++++++++++++--------
 1 file changed, 12 insertions(+), 8 deletions(-)

diff --git a/MdeModulePkg/Core/PiSmmCore/PiSmmCore.c b/MdeModulePkg/Core/PiSmmCore/PiSmmCore.c
index b877a33..de8db65 100644
--- a/MdeModulePkg/Core/PiSmmCore/PiSmmCore.c
+++ b/MdeModulePkg/Core/PiSmmCore/PiSmmCore.c
@@ -432,6 +432,8 @@ SmmEntryPoint (
   EFI_SMM_COMMUNICATE_HEADER  *CommunicateHeader;
   BOOLEAN                     InLegacyBoot;
   BOOLEAN                     IsOverlapped;
+  VOID                        *CommunicationBuffer;
+  UINTN                       BufferSize;
 
   PERF_START (NULL, "SMM", NULL, 0) ;
 
@@ -463,17 +465,19 @@ SmmEntryPoint (
     // Check to see if this is a Synchronous SMI sent through the SMM Communication 
     // Protocol or an Asynchronous SMI
     //
-    if (gSmmCorePrivate->CommunicationBuffer != NULL) {
+    CommunicationBuffer = gSmmCorePrivate->CommunicationBuffer;
+    BufferSize          = gSmmCorePrivate->BufferSize;
+    if (CommunicationBuffer != NULL) {
       //
       // Synchronous SMI for SMM Core or request from Communicate protocol
       //
       IsOverlapped = InternalIsBufferOverlapped (
-                       (UINT8 *) gSmmCorePrivate->CommunicationBuffer,
-                       gSmmCorePrivate->BufferSize,
+                       (UINT8 *) CommunicationBuffer,
+                       BufferSize,
                        (UINT8 *) gSmmCorePrivate,
                        sizeof (*gSmmCorePrivate)
                        );
-      if (!SmmIsBufferOutsideSmmValid ((UINTN)gSmmCorePrivate->CommunicationBuffer, gSmmCorePrivate->BufferSize) || IsOverlapped) {
+      if (!SmmIsBufferOutsideSmmValid ((UINTN)CommunicationBuffer, BufferSize) || IsOverlapped) {
         //
         // If CommunicationBuffer is not in valid address scope,
         // or there is overlap between gSmmCorePrivate and CommunicationBuffer,
@@ -482,19 +486,19 @@ SmmEntryPoint (
         gSmmCorePrivate->CommunicationBuffer = NULL;
         gSmmCorePrivate->ReturnStatus = EFI_INVALID_PARAMETER;
       } else {
-        CommunicateHeader = (EFI_SMM_COMMUNICATE_HEADER *)gSmmCorePrivate->CommunicationBuffer;
-        gSmmCorePrivate->BufferSize -= OFFSET_OF (EFI_SMM_COMMUNICATE_HEADER, Data);
+        CommunicateHeader = (EFI_SMM_COMMUNICATE_HEADER *)CommunicationBuffer;
+        BufferSize -= OFFSET_OF (EFI_SMM_COMMUNICATE_HEADER, Data);
         Status = SmiManage (
                    &CommunicateHeader->HeaderGuid, 
                    NULL, 
                    CommunicateHeader->Data, 
-                   &gSmmCorePrivate->BufferSize
+                   &BufferSize
                    );
         //
         // Update CommunicationBuffer, BufferSize and ReturnStatus
         // Communicate service finished, reset the pointer to CommBuffer to NULL
         //
-        gSmmCorePrivate->BufferSize += OFFSET_OF (EFI_SMM_COMMUNICATE_HEADER, Data);
+        gSmmCorePrivate->BufferSize = BufferSize + OFFSET_OF (EFI_SMM_COMMUNICATE_HEADER, Data);
         gSmmCorePrivate->CommunicationBuffer = NULL;
         gSmmCorePrivate->ReturnStatus = (Status == EFI_SUCCESS) ? EFI_SUCCESS : EFI_NOT_FOUND;
       }
-- 
2.9.3.windows.2