From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mga12.intel.com (mga12.intel.com [192.55.52.136]) by mx.groups.io with SMTP id smtpd.web09.740.1666737011939980863 for ; Tue, 25 Oct 2022 15:30:12 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="unable to parse pub key" header.i=@intel.com header.s=intel header.b=B+y8vBMA; spf=pass (domain: intel.com, ip: 192.55.52.136, mailfrom: nathaniel.l.desimone@intel.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1666737011; x=1698273011; h=from:to:cc:subject:date:message-id:mime-version: content-transfer-encoding; bh=23jMY1qVNAdvHVv+NeUnMUttLr/AtHizAHt100nJw9U=; b=B+y8vBMAybAk4bSUnVLMKy+3j0tXMF8jy1+y/3MeXJUJqBO0NAtQTyf4 p5L5i/U2EL8XhCKnXjUOnhWyqAOgapH4frGFwPLUaDyWJWGRLVfqmT6mW Pr1vrGtIU5ks2TsMP2qcV8Lj/2AQ5NQ5QCraCoBV0AyUzayhxQmN90oln BDBE4a2RuBzt2C74gxZLqUE4vxZcLLHrYU0pF0NVjqOkEQJck6JkJiSUS 3L7Qxlm/LljVCAuKYyIAtGpcurrfSJHEI5OC86cVAc48cbwulJqN4eTwC QGfqUkezLyW1zogkuBTkStddBYNkooARARLUvJ7ISUjUdJ3Ao3vXE1fYn Q==; X-IronPort-AV: E=McAfee;i="6500,9779,10511"; a="287523771" X-IronPort-AV: E=Sophos;i="5.95,213,1661842800"; d="scan'208";a="287523771" Received: from orsmga007.jf.intel.com ([10.7.209.58]) by fmsmga106.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 25 Oct 2022 15:30:11 -0700 X-IronPort-AV: E=McAfee;i="6500,9779,10511"; a="626584051" X-IronPort-AV: E=Sophos;i="5.95,213,1661842800"; d="scan'208";a="626584051" Received: from nldesimo-desk1.amr.corp.intel.com ([10.24.80.62]) by orsmga007-auth.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 25 Oct 2022 15:30:11 -0700 
From: "Nate DeSimone"
To: devel@edk2.groups.io
Cc: Liming Gao , Guomin Jiang , Jian J Wang , Michael D Kinney
Subject: [PATCH V4] MdeModulePkg: Memory Corruption Error in CapsuleRuntimeDxe
Date: Tue, 25 Oct 2022 15:30:07 -0700
Message-Id: <20221025223007.3853-1-nathaniel.l.desimone@intel.com>
X-Mailer: git-send-email 2.27.0.windows.1
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4112
In AllocateReservedMemoryBelow4G(), if gBS->AllocatePages() returns an error, and ASSERTs are disabled, then the function will overwrite memory from 0xFFFFFFFF -> (0xFFFFFFFF + Size).
Cc: Liming Gao
Cc: Guomin Jiang
Cc: Jian J Wang
Cc: Michael D Kinney
Signed-off-by: Nate DeSimone
---
 .../X64/SaveLongModeContext.c | 25 ++++++++++++++++---
 1 file changed, 22 insertions(+), 3 deletions(-)
diff --git a/MdeModulePkg/Universal/CapsuleRuntimeDxe/X64/SaveLongModeContext.c b/MdeModulePkg/Universal/CapsuleRuntimeDxe/X64/SaveLongModeContext.c
index dab297dd0a..a8c5de8764 100644
--- a/MdeModulePkg/Universal/CapsuleRuntimeDxe/X64/SaveLongModeContext.c
+++ b/MdeModulePkg/Universal/CapsuleRuntimeDxe/X64/SaveLongModeContext.c
@@ -38,6 +38,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
 @param Size Size of memory to allocate.
 @return Allocated Address for output.
+ @return NULL - Memory allocation failed.
 **/
 VOID *
@@ -59,7 +60,15 @@ AllocateReservedMemoryBelow4G (
 Pages,
 &Address
 );
- ASSERT_EFI_ERROR (Status);
+ if (EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_ERROR, "ERROR AllocateReservedMemoryBelow4G(): %r\n", Status));
+ return NULL;
+ }
+
+ if (Address == 0) {
+ DEBUG ((DEBUG_ERROR, "ERROR AllocateReservedMemoryBelow4G(): AllocatePages() returned NULL"));
+ return NULL;
+ }
 Buffer = (VOID *)(UINTN)Address;
 ZeroMem (Buffer, Size);
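Review bot: In the new `Address == 0` branch gBS->AllocatePages() has already returned success, so the pages it handed out are owned by this function and returning NULL without releasing them leaks that allocation; if the branch is kept, add `gBS->FreePages (Address, Pages);` before the `return NULL;`. The DEBUG message in that branch also lacks the trailing newline the EFI_ERROR branch prints, so the next log line runs onto it: `"ERROR AllocateReservedMemoryBelow4G(): AllocatePages() returned NULL\n"`. Whether Address can actually be 0 after a successful call depends on the allocation type and the initial Address value set above the hunk; AllocateReservedMemoryBelow4G starts outside this hunk, so that cannot be confirmed from here.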
@@ -159,14 +168,23 @@ PrepareContextForCapsulePei (
 DEBUG ((DEBUG_INFO, "CapsuleRuntimeDxe X64 TotalPagesNum - 0x%x pages\n", TotalPagesNum));
 LongModeBuffer.PageTableAddress = (EFI_PHYSICAL_ADDRESS)(UINTN)AllocateReservedMemoryBelow4G (EFI_PAGES_TO_SIZE (TotalPagesNum));
- ASSERT (LongModeBuffer.PageTableAddress != 0);
+ if (LongModeBuffer.PageTableAddress == 0) {
+ DEBUG ((DEBUG_ERROR, "FATAL ERROR: CapsuleLongModeBuffer cannot be saved, "));
+ DEBUG ((DEBUG_ERROR, "PageTableAddress allocation failed. Capsule in PEI may fail!\n"));
+ return;
+ }
 //
 // Allocate stack
 //
 LongModeBuffer.StackSize = PcdGet32 (PcdCapsulePeiLongModeStackSize);
 LongModeBuffer.StackBaseAddress = (EFI_PHYSICAL_ADDRESS)(UINTN)AllocateReservedMemoryBelow4G (PcdGet32 (PcdCapsulePeiLongModeStackSize));
- ASSERT (LongModeBuffer.StackBaseAddress != 0);
+ if (LongModeBuffer.StackBaseAddress == 0) {
+ DEBUG ((DEBUG_ERROR, "FATAL ERROR: CapsuleLongModeBuffer cannot be saved, "));
+ DEBUG ((DEBUG_ERROR, "StackBaseAddress allocation failed. Capsule in PEI may fail!\n"));
+ gBS->FreePages (LongModeBuffer.PageTableAddress, TotalPagesNum);
+ return;
+ }
 Status = gRT->SetVariable (
 EFI_CAPSULE_LONG_MODE_BUFFER_NAME,
@@ -189,6 +207,7 @@ PrepareContextForCapsulePei (
 );
 } else {
 DEBUG ((DEBUG_ERROR, "FATAL ERROR: CapsuleLongModeBuffer cannot be saved: %r. Capsule in PEI may fail!\n", Status));
+ gBS->FreePages (LongModeBuffer.PageTableAddress, TotalPagesNum);
 gBS->FreePages (LongModeBuffer.StackBaseAddress, EFI_SIZE_TO_PAGES (LongModeBuffer.StackSize));
 }
 }
--
2.27.0.windows.1
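Review bot: Each new failure message in PrepareContextForCapsulePei is emitted as two separate DEBUG calls, the first without a newline, so the two halves can be split by anything else that writes to the debug port in between; printing each message with one call, e.g. `DEBUG ((DEBUG_ERROR, "FATAL ERROR: CapsuleLongModeBuffer cannot be saved, PageTableAddress allocation failed. Capsule in PEI may fail!\n"));`, keeps the log line atomic and greppable. The stack-failure path frees the page table with `TotalPagesNum`, matching the SetVariable-failure path in the following hunk, but this is only right if AllocateReservedMemoryBelow4G turns its Size argument back into the same page count, which is outside the hunk and should be confirmed. Both early `return`s also skip everything after the SetVariable call, and PrepareContextForCapsulePei begins and ends outside this hunk, so any resource acquired before new-file line 168 would not be released on these paths and is worth a check.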