From mboxrd@z Thu Jan 1 00:00:00 1970
From: "Brian J. Johnson"
To: Paulo Alcantara
CC: Laszlo Ersek, Eric Dong
Subject: Re: [RFC v4 4/6] UefiCpuPkg/CpuExceptionHandlerLib: Add helper to valid memory addresses
Date: Wed, 3 Jan 2018 10:59:24 -0600
Message-ID: <27dd187f-3b1b-a325-6fd0-84d78f1ff28f@hpe.com>
In-Reply-To: <32f06077006939f71560970f6abcbbb2062ea5c3.1514517573.git.paulo@paulo.ac>
References: <32f06077006939f71560970f6abcbbb2062ea5c3.1514517573.git.paulo@paulo.ac>
List-Id: EDK II Development

On 12/28/2017 10:39 PM, Paulo Alcantara wrote:
> + // > + // Check if paging is disabled > + // > + if ((Cr0 & BIT31) == 0) { > + // > + // If CR4.PAE bit is set, then the linear (or physical) address supports > + // only up to 36 bits. > + // > + if (((Cr4 & BIT5) != 0 && (UINT64)LinearAddress > 0xFFFFFFFFFULL) || > + LinearAddress > 0xFFFFFFFF) { > + return FALSE; > + } > + > + return TRUE; > + }

Paulo,

The logic there doesn't look quite right: if LinearAddress is between
2^32 and 2^36-1, this code will always return FALSE, even if CR4.PAE is
set. Shouldn't it be:

    if ((UINT64)LinearAddress > 0xFFFFFFFFFULL ||
        ((Cr4 & BIT5) == 0 && LinearAddress > 0xFFFFFFFF)) {
      return FALSE;
    }

(I haven't examined all the code in detail, I just happened to notice
this issue.)

This bug should get fixed before pushing this series.

I also have some more general design questions, which shouldn't hold up
pushing the series, but I think merit some discussion:

This is great code for validating addresses in general, especially when
guard pages are in use for NULL pointers, stack overflow, etc. Thanks
for adding it!

But for [er]sp and [er]bp validation, don't you really just want to know
if the address is in the expected stack range? Maybe the code which sets
up the stack could communicate the valid range to CpuExceptionHandlerLib
somehow. It could use special debug register values like
SourceLevelDebugPkg/Library/PeCoffExtraActionLibDebug/PeCoffExtraActionLib.c
does. Or perhaps it could use dynamic PCDs (although I don't know that
it's a good idea to go looking up PCDs in an exception handler.) Or
maybe there's a more straightforward way.... It would have to take AP
stacks into account, and probably SetJump/LongJump as well. That may or
may not be simpler than the current code....

More generally, I'd like to see some sort of platform-specific callout
to further validate addresses.
Not all mapped addresses, or addresses up to the architectural limit,
are safe to access. For instance, reads to SMRAM outside of SMM will
cause exceptions. Also, we wouldn't want to go backtracing through MMIO
or MMCFG space: reads there could potentially have side effects on the
hardware.

The rules can also vary at different points in boot. For example, before
memory is initialized, Intel Xeon processors generally execute 32-bit
code in cache-as-RAM mode, where the caches are jury-rigged to operate
as temporary storage while the memory setup code is running. In CAR
mode, only a few address ranges can be accessed without causing machine
checks: the cache-as-RAM range containing the stack, heap, and HOB list,
the architectural firmware range below 4G, and a few specific MMCFG and
MMIO ranges.

So I'd like to suggest that you define an AddressValidationLib library
class, which provides a routine which takes an address (or an address
range?) and an indication of the intended use (memory read, memory
write, execute/disassemble code, stack dump, IO, ...), and returns a
value specifying if the access is:

- safe (IsLinearAddressValid() should return TRUE)
- unsafe (IsLinearAddressValid() should return FALSE)
- unknown (IsLinearAddressValid() should perform its other tests)

You can supply a NULL instance which always returns "unknown" for
platforms which don't want to perform their own validation.

Thanks,
--
Brian J. Johnson
Enterprise X86 Lab

Hewlett Packard Enterprise

brian.johnson@hpe.com
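
Review bot: The second operand of the || in the paging-disabled branch, LinearAddress > 0xFFFFFFFF, is not conditioned on CR4.PAE, so any address above 4 GiB returns FALSE and the 36-bit PAE comparison to its left never affects the result. Apply the 32-bit limit only when (Cr4 & BIT5) == 0, as the reply above proposes, and give that comparison the same (UINT64) cast as the 36-bit one so both sides of the condition are evaluated at the same width.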
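
The tri-state callout proposed in the message above, combined with the paging-disabled limit check from the same message, as an added sketch in plain C (not code from the thread or from edk2). All type and function names, the use-flag encoding and the address ranges in the table are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>

/* Hypothetical API: the thread proposes the library class but defines no names. */
typedef enum { AddrSafe, AddrUnsafe, AddrUnknown } ADDR_VERDICT;
enum { USE_READ = 1, USE_WRITE = 2, USE_EXEC = 4 };

typedef struct { uint64_t Base, Limit; unsigned Allowed; } ADDR_RULE;

/* Constructed platform map; the ranges are illustrative, not real hardware. */
static const ADDR_RULE mRules[] = {
  { 0x000A0000ULL, 0x000BFFFFULL, 0 },                    /* SMRAM-like: never touch */
  { 0xE0000000ULL, 0xEFFFFFFFULL, 0 },                    /* MMCFG-like: side effects */
  { 0xFEF00000ULL, 0xFEF3FFFFULL, USE_READ | USE_WRITE }, /* CAR-like stack and heap */
  { 0xFF000000ULL, 0xFFFFFFFFULL, USE_READ | USE_EXEC },  /* firmware below 4G */
};

/* Platform callout: verdict for [Addr, Addr + Len - 1] and the intended use. */
ADDR_VERDICT PlatformValidateAddress(uint64_t Addr, uint64_t Len, unsigned Use) {
  uint64_t End = Addr + Len - 1;
  if (Len == 0 || End < Addr) return AddrUnsafe;          /* empty or wrapping range */
  for (size_t i = 0; i < sizeof mRules / sizeof mRules[0]; i++) {
    const ADDR_RULE *r = &mRules[i];
    if (End < r->Base || Addr > r->Limit) continue;       /* no overlap with this rule */
    if (Addr >= r->Base && End <= r->Limit && (r->Allowed & Use) == Use)
      return AddrSafe;                                    /* fully inside, use permitted */
    return AddrUnsafe;                                    /* straddles or use forbidden */
  }
  return AddrUnknown;                                     /* platform has no opinion */
}

/* Paging-disabled limit check, using the condition suggested in the reply. */
int ArchAddressValidNoPaging(uint64_t Addr, int Pae) {
  if (Addr > 0xFFFFFFFFFULL || (!Pae && Addr > 0xFFFFFFFFULL)) return 0;
  return 1;
}

/* Tri-state combination: safe -> TRUE, unsafe -> FALSE, unknown -> other tests. */
int IsLinearAddressValidEx(uint64_t Addr, uint64_t Len, unsigned Use, int Pae) {
  switch (PlatformValidateAddress(Addr, Len, Use)) {
    case AddrSafe:   return 1;
    case AddrUnsafe: return 0;
    default:         return ArchAddressValidNoPaging(Addr + Len - 1, Pae);
  }
}
```

A NULL instance in this sketch would be a PlatformValidateAddress() that returns AddrUnknown unconditionally, leaving only the architectural check.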