From: "Taylor Beebe"
To: devel@edk2.groups.io
Cc: Jian J Wang, Liming Gao, Dandan Bi
Subject: [edk2-devel] [PATCH v5 11/16] MdeModulePkg: Fix MAT SplitTable() Logic
Date: Mon, 27 Nov 2023 10:18:09 -0800
Message-ID: <20231127181818.411-12-taylor.d.beebe@gmail.com>
In-Reply-To: <20231127181818.411-1-taylor.d.beebe@gmail.com>
References: <20231127181818.411-1-taylor.d.beebe@gmail.com>

SplitTable() does not properly handle the case where there is an odd number of code regions within a loaded image. When there are an odd number of code regions, at least one image region descriptor is overwritten with uninitialized memory which has caused crashes in the right conditions.

This failure case is documented extensively in the following bugzilla:
https://bugzilla.tianocore.org/show_bug.cgi?id=4492

Cc: Jian J Wang
Cc: Liming Gao
Cc: Dandan Bi
Signed-off-by: Taylor Beebe
Reviewed-by: Liming Gao
---
 MdeModulePkg/Library/ImagePropertiesRecordLib/ImagePropertiesRecordLib.c | 40 ++++++++++----------
 1 file changed, 20 insertions(+), 20 deletions(-)

diff --git a/MdeModulePkg/Library/ImagePropertiesRecordLib/ImagePropertiesRecordLib.c b/MdeModulePkg/Library/ImagePropertiesRecordLib/ImagePropertiesRecordLib.c index 9d4082280bf5..379eb0c6cccd 100644
--- a/MdeModulePkg/Library/ImagePropertiesRecordLib/ImagePropertiesRecordLib.c +++ b/MdeModulePkg/Library/ImagePropertiesRecordLib/ImagePropertiesRecordLib.c @@ -463,11 +463,12 @@ SplitTable ( { INTN IndexOld; INTN IndexNew; + INTN IndexNewStarting; UINTN MaxSplitRecordCount; UINTN RealSplitRecordCount; - UINTN TotalSplitRecordCount; + UINTN TotalSkippedRecords; - TotalSplitRecordCount = 0; + TotalSkippedRecords = 0; // // Let old record point to end of valid MemoryMap buffer. // @@ -475,7 +476,8 @@ SplitTable ( // // Let new record point to end of full MemoryMap buffer. // - IndexNew = ((*MemoryMapSize) / DescriptorSize) - 1 + NumberOfAdditionalDescriptors; + IndexNew = ((*MemoryMapSize) / DescriptorSize) - 1 + NumberOfAdditionalDescriptors; + IndexNewStarting = IndexNew; for ( ; IndexOld >= 0; IndexOld--) { MaxSplitRecordCount = GetMaxSplitRecordCount ((EFI_MEMORY_DESCRIPTOR *)((UINT8 *)MemoryMap + IndexOld * DescriptorSize), ImageRecordList); // @@ -489,16 +491,14 @@ SplitTable ( DescriptorSize, ImageRecordList ); - // - // Adjust IndexNew according to real split. - // - CopyMem ( - ((UINT8 *)MemoryMap + (IndexNew + MaxSplitRecordCount - RealSplitRecordCount) * DescriptorSize), - ((UINT8 *)MemoryMap + IndexNew * DescriptorSize), - RealSplitRecordCount * DescriptorSize - ); - IndexNew = IndexNew + MaxSplitRecordCount - RealSplitRecordCount; - TotalSplitRecordCount += RealSplitRecordCount; + + // If we didn't utilize all the extra allocated descriptor slots, set the physical address of the unused slots + // to MAX_ADDRESS so they are moved to the bottom of the list when sorting. + for ( ; RealSplitRecordCount < MaxSplitRecordCount; RealSplitRecordCount++) { + ((EFI_MEMORY_DESCRIPTOR *)((UINT8 *)MemoryMap + ((IndexNew + RealSplitRecordCount + 1) * DescriptorSize)))->PhysicalStart = MAX_ADDRESS; + TotalSkippedRecords++; + } + IndexNew--; } 
@@ -507,16 +507,16 @@ SplitTable ( // CopyMem ( MemoryMap, - (UINT8 *)MemoryMap + (NumberOfAdditionalDescriptors - TotalSplitRecordCount) * DescriptorSize, - (*MemoryMapSize) + TotalSplitRecordCount * DescriptorSize + (UINT8 *)MemoryMap + ((IndexNew + 1) * DescriptorSize), + (IndexNewStarting - IndexNew) * DescriptorSize ); - *MemoryMapSize = (*MemoryMapSize) + DescriptorSize * TotalSplitRecordCount; + // + // Sort from low to high to filter out the MAX_ADDRESS records. + // + SortMemoryMap (MemoryMap, (IndexNewStarting - IndexNew) * DescriptorSize, DescriptorSize); - // - // Sort from low to high (Just in case) - // - SortMemoryMap (MemoryMap, *MemoryMapSize, DescriptorSize); + *MemoryMapSize = (IndexNewStarting - IndexNew - TotalSkippedRecords) * DescriptorSize; return; } -- 2.42.0.windows.2
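
Review bot: in the @@ -489,16 +491,14 @@ hunk, the new padding loop assigns only PhysicalStart = MAX_ADDRESS to each unused slot, and nothing in this hunk sets the slot's other fields, so the result is correct only because the later sort and the reduced *MemoryMapSize cut those slots off. The added comment should say that explicitly (the slots are placeholders dropped after SortMemoryMap(), and no valid descriptor is expected to start at MAX_ADDRESS), or the slot should be zeroed before PhysicalStart is set. The loop also advances RealSplitRecordCount itself, so after it the variable no longer holds the real split count assigned just above; a separate loop index would keep the name accurate. Style: the new comment is a bare two-line // block, while the other comments in this function are framed by empty // lines.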
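
Review bot: in the final @@ -507,16 +507,16 @@ hunk, the record count (IndexNewStarting - IndexNew) is written out three times and mixes the signed INTN indexes with the UINTN DescriptorSize and TotalSkippedRecords, so the new *MemoryMapSize comes from a signed/unsigned subtraction with no check that TotalSkippedRecords is not larger than the count. Suggest computing the count once into a UINTN local, adding an ASSERT that TotalSkippedRecords does not exceed it, and using that local in CopyMem(), SortMemoryMap() and the *MemoryMapSize assignment. The truncation also depends on SortMemoryMap() placing every MAX_ADDRESS placeholder after all valid descriptors; the "filter out the MAX_ADDRESS records" comment would be clearer if it said that the filtering is done by the smaller *MemoryMapSize on the following line.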