From mboxrd@z Thu Jan 1 00:00:00 1970 Authentication-Results: mx.groups.io; dkim=missing; spf=pass (domain: suse.com, ip: 195.135.221.5, mailfrom: glin@suse.com) Received: from smtp.nue.novell.com (smtp.nue.novell.com [195.135.221.5]) by groups.io with SMTP; Tue, 16 Apr 2019 19:10:30 -0700 Received: from emea4-mta.ukb.novell.com ([10.120.13.87]) by smtp.nue.novell.com with ESMTP (TLS encrypted); Wed, 17 Apr 2019 04:10:27 +0200 Received: from GaryWorkstation (nwb-a10-snat.microfocus.com [10.120.13.202]) by emea4-mta.ukb.novell.com with ESMTP (TLS encrypted); Wed, 17 Apr 2019 03:10:13 +0100 Date: Wed, 17 Apr 2019 10:10:05 +0800 From: "Gary Lin" To: devel@edk2.groups.io, ard.biesheuvel@linaro.org Cc: jian.j.wang@intel.com, hao.a.wu@intel.com, ray.ni@intel.com Subject: Re: [edk2-devel] [PATCH] MdeModulePkg/UefiBootManagerLib: fix crash on uninitialized ExitData Message-ID: <20190417021005.GI21677@GaryWorkstation> References: <20190416202935.32297-1-ard.biesheuvel@linaro.org> MIME-Version: 1.0 In-Reply-To: <20190416202935.32297-1-ard.biesheuvel@linaro.org> User-Agent: Mutt/1.11.3 (2019-02-01) Content-Type: text/plain; charset=us-ascii Content-Disposition: inline On Tue, Apr 16, 2019 at 01:29:35PM -0700, Ard Biesheuvel wrote: > As reported by Gary, the recent LoadImage/StartImage changes to > accommodate dispatching PE/COFF images built for foreign architectures > may result in a crash when loading an IA32 option ROM into a X64 VM > running OVMF: > > Loading driver at 0x0007E537000 EntryPoint=0x0007E53C06D 8086100e.efi > InstallProtocolInterface: BC62157E-3E33-4FEC-9920-2D3B36D750DF 7F003B98 > ProtectUefiImageCommon - 0x7F002BC0 > - 0x000000007E537000 - 0x000000000009F900 > Image type IA32 can't be started on X64 UEFI system. > ASSERT MdeModulePkg/Core/Dxe/Mem/Pool.c(698): Head->Signature == ((('p') | > ('h' << 8)) | ((('d') | ('0' << 8)) << 16)) || Head->Signature > == ((('p') | ('h' << 8)) | ((('d') | ('1' << 8)) << 16)) > > This turns out to be caused by the deferred image loading code in BDS, > which doesn't check the result code of gBS->StartImage(), and ends up > trying to free an uninitialized pointer. So ensure ExitData is initialized > before the call. > The fix works for me. Tested-by: Gary Lin > Signed-off-by: Ard Biesheuvel > --- > MdeModulePkg/Library/UefiBootManagerLib/BmMisc.c | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/MdeModulePkg/Library/UefiBootManagerLib/BmMisc.c b/MdeModulePkg/Library/UefiBootManagerLib/BmMisc.c > index fc8775dfa419..cf99de5b924a 100644 > --- a/MdeModulePkg/Library/UefiBootManagerLib/BmMisc.c > +++ b/MdeModulePkg/Library/UefiBootManagerLib/BmMisc.c > @@ -502,6 +502,7 @@ EfiBootManagerDispatchDeferredImages ( > // a 5 Minute period > // > gBS->SetWatchdogTimer (5 * 60, 0x0000, 0x00, NULL); > + ExitData = NULL; > Status = gBS->StartImage (ImageHandle, &ExitDataSize, &ExitData); > if (ExitData != NULL) { > FreePool (ExitData); > -- > 2.17.1 > > > > >