From: Laszlo Ersek
To: "Yao, Jiewen"
Cc: edk2-devel-01
Subject: Re: memory protection crash in PiSmmCpuDxeSmm, Ia32 build with RAM above 4GB
Date: Sat, 8 Jul 2017 21:50:25 +0200
Message-ID: <39c19948-4440-a098-e941-960d04362e5a@redhat.com>
In-Reply-To: <74D8A39837DF1E4DA445A8C0B3885C503A97870B@shsmsx102.ccr.corp.intel.com>

On 07/08/17 15:38, Yao, Jiewen wrote:
> Thanks Laszlo. I think this is a special case we did not test before. And it is a bug we need to fix.
>
> Unfortunately, I am out of office these days with limited email access. I just saw the email today.
>
>
> I had a quick look at the code.

Thank you for your help, and I'm sorry about disturbing you while you
are out of office.

> I believe we need to add the below check in UefiCpuPkg\PiSmmCpuDxeSmm\SmmCpuMemoryManagement.c, ConvertMemoryPageAttributes()
>
> ==========================
>   if (BaseAddress > MAX_ADDRESS) {
>     return RETURN_UNSUPPORTED;
>   }

Mathematically speaking (not in C expressions), I think
BaseAddress:=(MAX_ADDRESS+1) with Length:=0 is valid as well. (In theory
anyway.) So I would replace this check as follows:

  if ((BaseAddress > 0) && ((BaseAddress - 1) > MAX_ADDRESS)) {
    return RETURN_UNSUPPORTED;
  }

>   if (Length > MAX_ADDRESS) {
>     return RETURN_UNSUPPORTED;
>   }

Mathematically speaking (not in C expressions), I think BaseAddress:=0
with Length:=(MAX_ADDRESS+1) is valid too. (In theory anyway.) So, I
would replace this check as follows:

  if ((Length > 0) && ((Length - 1) > MAX_ADDRESS)) {
    return RETURN_UNSUPPORTED;
  }

>   if ((Length != 0) && (BaseAddress > MAX_ADDRESS - (Length - 1))) {
>     return RETURN_UNSUPPORTED;
>   }

Yes, this looks good. And, it would work correctly with the above two
modifications as well; it will accept both of the mentioned "corner
cases".

(Anyway I haven't looked at the source, and the difference is purely
theoretical.)

> ==========================
> to filter invalid address in IA32.
>
>
> (Well, it is valid for OS, because OS may use PAE to match to lower. But it is invalid for UEFI, because UEFI uses identical address)
>
>
> Would you please file an HSD for that?

What does HSD stand for? :)

Either way, I've filed:

https://bugzilla.tianocore.org/show_bug.cgi?id=624

Thank you!
Laszlo

>> -----Original Message-----
>> From: Laszlo Ersek [mailto:lersek@redhat.com]
>> Sent: Saturday, July 8, 2017 10:12 AM
>> To: Yao, Jiewen
>> Cc: edk2-devel-01
>> Subject: memory protection crash in PiSmmCpuDxeSmm, Ia32 build with RAM
>> above 4GB
>>
>> Hi Jiewen,
>>
>> I just noticed that building OvmfIa32.dsc with -D SMM_REQUIRE, and then
>> running the 32-bit guest with 4G RAM (of which 2GB are placed in 64-bit
>> address space), the guest crashes when PiSmmCpuDxeSmm tries to protect
>> the memory range at 4GB. Please find the log attached (it ends with the
>> crash).
>>
>> Is this expected to work?
>>
>> Thanks
>> Laszlo
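
The two sets of range checks discussed in this message, side by side, as an added example that is not part of the original mail and is not edk2 code. The function names range_ok_strict and range_ok_relaxed are hypothetical, the sample ranges are constructed, and it assumes an Ia32 build where MAX_ADDRESS is 0xFFFFFFFF while BaseAddress and Length are 64-bit values.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: Ia32 build, so MAX_ADDRESS is the last 32-bit address,
   while BaseAddress and Length are 64-bit values. */
#define MAX_ADDRESS 0xFFFFFFFFULL

/* The three checks as first proposed in the thread. */
static bool range_ok_strict(uint64_t base, uint64_t len)
{
  if (base > MAX_ADDRESS) return false;
  if (len > MAX_ADDRESS) return false;
  /* len - 1 <= MAX_ADDRESS here, so the subtraction cannot wrap. */
  if (len != 0 && base > MAX_ADDRESS - (len - 1)) return false;
  return true;
}

/* The variant from the reply: the first two checks are relaxed by one. */
static bool range_ok_relaxed(uint64_t base, uint64_t len)
{
  if (base > 0 && (base - 1) > MAX_ADDRESS) return false;
  if (len > 0 && (len - 1) > MAX_ADDRESS) return false;
  /* len - 1 <= MAX_ADDRESS still holds, so this stays wrap-free. */
  if (len != 0 && base > MAX_ADDRESS - (len - 1)) return false;
  return true;
}

int main(void)
{
  /* Constructed sample ranges, not taken from the attached log. */
  static const struct { uint64_t base, len; const char *what; } t[] = {
    { 0x100000000ULL, 0x1000,         "one page starting at 4GB" },
    { 0x100000000ULL, 0,              "empty range at MAX_ADDRESS+1" },
    { 0,              0x100000000ULL, "whole 4GB space from 0" },
    { 0xFFFFF000ULL,  0x1000,         "last page below 4GB" },
    { 0xFFFFF000ULL,  0x1001,         "last page plus one byte" },
    { UINT64_MAX,     2,              "base near 2^64" },
  };
  for (size_t i = 0; i < sizeof t / sizeof t[0]; i++)
    printf("%-30s strict=%d relaxed=%d\n", t[i].what,
           range_ok_strict(t[i].base, t[i].len),
           range_ok_relaxed(t[i].base, t[i].len));
  return 0;
}
```

Both variants reject the non-empty range at 4GB from the original report; they differ only on the two boundary cases named in the reply.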