From: "Guomin Jiang"
To: devel@edk2.groups.io
Cc: Jian J Wang, Liming Gao, Dandan Bi, Debkumar De, Harry Han, Catharine West
Subject: [PATCH 1/1] MdeModulePkg/Core: Move Private calculation after TemporaryRamMigration
Date: Sat, 23 Jul 2022 19:09:21 +0800
Message-Id: <20220723110921.668-1-guomin.jiang@intel.com>
X-Mailer: git-send-email 2.37.1.windows.1
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2639

Move Private calculation after TemporaryRamMigration to avoid calculating Private twice.

Root cause:
1. ebp is used as the Private pointer
2. It is calculated in TemporaryRamMigration again
3. So Private points to an invalid address after the second calculation
4. When MigrateMemoryPages consumes Private, a segmentation fault happens

Detailed analysis can be found at https://bugzilla.tianocore.org/show_bug.cgi?id=2639#c18

Signed-off-by: Guomin Jiang
Cc: Jian J Wang
Cc: Liming Gao
Cc: Dandan Bi
Cc: Debkumar De
Cc: Harry Han
Cc: Catharine West
---
 MdeModulePkg/Core/Pei/Dispatcher/Dispatcher.c | 22 +++++++++----------
 1 file changed, 11 insertions(+), 11 deletions(-)

diff --git a/MdeModulePkg/Core/Pei/Dispatcher/Dispatcher.c b/MdeModulePkg/Core/Pei/Dispatcher/Dispatcher.c
index 3552feda8f1b..4b6ec00f71bd 100644
--- a/MdeModulePkg/Core/Pei/Dispatcher/Dispatcher.c
+++ b/MdeModulePkg/Core/Pei/Dispatcher/Dispatcher.c
@@ -837,17 +837,6 @@ PeiCheckAndSwitchStack ( DEBUG ((DEBUG_INFO, "Heap Offset = 0x%lX Stack Offset = 0x%lX\n", (UINT64)Private->HeapOffset, (UINT64)Private->StackOffset)); - // - // Calculate new HandOffTable and PrivateData address in permanent memory's stack - // - if (StackOffsetPositive) { - SecCoreData = (CONST EFI_SEC_PEI_HAND_OFF *)((UINTN)(VOID *)SecCoreData + StackOffset); - Private = (PEI_CORE_INSTANCE *)((UINTN)(VOID *)Private + StackOffset); - } else { - SecCoreData = (CONST EFI_SEC_PEI_HAND_OFF *)((UINTN)(VOID *)SecCoreData - StackOffset); - Private = (PEI_CORE_INSTANCE *)((UINTN)(VOID *)Private - StackOffset); - } - // // Temporary Ram Support PPI is provided by platform, it will copy // temporary memory to permanent memory and do stack switching. @@ -861,6 +850,17 @@ PeiCheckAndSwitchStack ( TemporaryRamSize ); + // + // Calculate new HandOffTable and PrivateData address in permanent memory's stack + // + if (StackOffsetPositive) { + SecCoreData = (CONST EFI_SEC_PEI_HAND_OFF *)((UINTN)(VOID *)SecCoreData + StackOffset); + Private = (PEI_CORE_INSTANCE *)((UINTN)(VOID *)Private + StackOffset); + } else { + SecCoreData = (CONST EFI_SEC_PEI_HAND_OFF *)((UINTN)(VOID *)SecCoreData - StackOffset); + Private = (PEI_CORE_INSTANCE *)((UINTN)(VOID *)Private - StackOffset); + } + // // Migrate memory pages allocated in pre-memory phase. // It could not be called before calling TemporaryRamSupportPpi->TemporaryRamMigration() -- 2.26.2.windows.1
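Review bot: the context of the second hunk (@@ -861) does not show the braces enclosing the TemporaryRamMigration() call, so it needs confirming that the relocated block lands in the same scope as the block removed at line 837, i.e. that it still executes on every path that later reaches the "Migrate memory pages" step and has not become nested inside a branch that is only taken when a Temporary RAM Support PPI was located. Between the end of the TemporaryRamMigration() call and the new recalculation, Private and SecCoreData still hold their temporary-RAM values, so nothing in that window may dereference them; the visible context does not, but a short comment next to the moved block stating that Private is stale until this point would keep a later edit from reintroducing the double adjustment. The commit message would also read better with the mechanism stated in one line (ebp holds Private, the stack switch inside TemporaryRamMigration() adjusts ebp, so the pre-migration adjustment applied StackOffset a second time), since at present the linked bugzilla comment is the only place that explains why the old ordering failed.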