From: "Kun Qin"
To: devel@edk2.groups.io
Cc: Jiewen Yao, Eric Dong, Ray Ni, Jian J Wang, Liming Gao
Subject: [PATCH v1 1/1] MdeModulePkg: PiSmmCore: Inspect memory guarded with pool headers
Date: Tue, 15 Mar 2022 20:59:54 -0700
Message-Id: <20220316035954.1146-2-kuqin12@gmail.com>
In-Reply-To: <20220316035954.1146-1-kuqin12@gmail.com>
References: <20220316035954.1146-1-kuqin12@gmail.com>
X-Mailer: git-send-email 2.35.1.windows.2

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3488

The current free pool routine from PiSmmCore will inspect memory guard status for the target buffer without considering pool headers. This could lead the `IsMemoryGuarded` function to return incorrect results. In that sense, allocating a 0 sized pool could cause an allocated buffer to point directly into a guard page, which is legal. However, trying to free this pool will cause the routine changed in this commit to read XP pages, which leads to a page fault.

This change will inspect memory guarded with pool headers. This can avoid errors when pool content happens to be on a page boundary.

Cc: Jiewen Yao
Cc: Eric Dong
Cc: Ray Ni
Cc: Jian J Wang
Cc: Liming Gao
Signed-off-by: Kun Qin
---
 MdeModulePkg/Core/PiSmmCore/Pool.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/MdeModulePkg/Core/PiSmmCore/Pool.c b/MdeModulePkg/Core/PiSmmCore/Pool.c
index 96ebe811c669..e1ff40a8ea55 100644
--- a/MdeModulePkg/Core/PiSmmCore/Pool.c
+++ b/MdeModulePkg/Core/PiSmmCore/Pool.c
@@ -382,11 +382,6 @@ SmmInternalFreePool ( return EFI_INVALID_PARAMETER; } - MemoryGuarded = IsHeapGuardEnabled () && - IsMemoryGuarded ((EFI_PHYSICAL_ADDRESS)(UINTN)Buffer); - HasPoolTail = !(MemoryGuarded && - ((PcdGet8 (PcdHeapGuardPropertyMask) & BIT7) == 0)); - FreePoolHdr = (FREE_POOL_HEADER *)((POOL_HEADER *)Buffer - 1); ASSERT (FreePoolHdr->Header.Signature == POOL_HEAD_SIGNATURE); ASSERT (!FreePoolHdr->Header.Available); @@ -394,6 +389,11 @@ SmmInternalFreePool ( return EFI_INVALID_PARAMETER; } + MemoryGuarded = IsHeapGuardEnabled () && + IsMemoryGuarded ((EFI_PHYSICAL_ADDRESS)(UINTN)FreePoolHdr); + HasPoolTail = !(MemoryGuarded && + ((PcdGet8 (PcdHeapGuardPropertyMask) & BIT7) == 0)); + if (HasPoolTail) { PoolTail = HEAD_TO_TAIL (&FreePoolHdr->Header); ASSERT (PoolTail->Signature == POOL_TAIL_SIGNATURE); -- 2.35.1.windows.2
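Review bot: Deleting the `MemoryGuarded` / `HasPoolTail` assignments in the first hunk (old lines 385-388) is only safe if no statement between that site and the new assignment site after the second `return EFI_INVALID_PARAMETER;` reads either variable; the hunk context elides several lines of SmmInternalFreePool between `ASSERT (!FreePoolHdr->Header.Available);` and that return, so please confirm nothing there uses them, since such a use would now read an uninitialized local (worth a clean build with warnings enabled to be sure).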
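Review bot: The relocated `IsMemoryGuarded ((EFI_PHYSICAL_ADDRESS)(UINTN)FreePoolHdr)` in the second hunk deserves a one-line comment stating why the header address is probed instead of `Buffer`: for a 0-sized pool `Buffer` points directly into the guard page, so probing it touches an XP page and faults, as the commit message explains. Without that comment a later cleanup is likely to "simplify" it back to `Buffer`. It would also help to confirm that the allocation path derives `HasPoolTail` from the same address, so allocate and free agree on whether the tail checked at `HEAD_TO_TAIL (&FreePoolHdr->Header)` exists, and to add a regression test that allocates a 0-byte pool and frees it with heap guard enabled.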