Message-ID: <4931e585-58ff-d4f8-0976-2522b097b848@gmail.com>
Date: Thu, 21 Apr 2022 13:50:40 -0700
Subject: Re: Reply: [edk2-devel] [PATCH v1 1/1] MdeModulePkg: PiSmmCore: Inspect memory guarded with pool headers
From: "Kun Qin"
To: devel@edk2.groups.io, 'Eric Dong', 'Jiewen Yao', 'Ray Ni', 'Jian J Wang'
Cc: gaoliming
References: <20220316035954.1146-1-kuqin12@gmail.com> <20220316035954.1146-2-kuqin12@gmail.com> <018301d83a66$6b769b80$4263d280$@byosoft.com.cn> <64a33401-2a1d-2f75-79e7-a287e337bb5f@gmail.com>
In-Reply-To: <64a33401-2a1d-2f75-79e7-a287e337bb5f@gmail.com>

Hi SMM maintainers,

A gentle ping on this. Could you please provide some feedback on the fix
below for allocating a 0-sized pool when heap guard is on?

Thanks in advance,
Kun

On 3/28/2022 2:57 PM, Kun Qin wrote:
> Thanks, Liming.
>
> SMM owners/authors,
>
> Could you please also review the original issue and this patch to
> provide feedback?
>
> Thanks,
> Kun
>
> On 3/17/2022 6:20 PM, gaoliming wrote:
>> Reviewed-by: Liming Gao
>>
>>> -----Original Message-----
>>> From: devel@edk2.groups.io on behalf of Kun Qin
>>> Sent: March 16, 2022 12:00
>>> To: devel@edk2.groups.io
>>> Cc: Jiewen Yao; Eric Dong; Ray Ni; Jian J Wang; Liming Gao
>>>
>>> Subject: [edk2-devel] [PATCH v1 1/1] MdeModulePkg: PiSmmCore: Inspect
>>> memory guarded with pool headers
>>>
>>> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3488
>>>
>>> The current free pool routine from PiSmmCore will inspect memory guard
>>> status for the target buffer without considering pool headers. This
>>> could lead the `IsMemoryGuarded` function to return incorrect results.
>>>
>>> In that sense, allocating a 0-sized pool could cause an allocated
>>> buffer to point directly into a guard page, which is legal. However,
>>> trying to free this pool will cause the routine changed in this commit
>>> to read XP pages, which leads to a page fault.
>>>
>>> This change will inspect memory guarded with pool headers. This can
>>> avoid errors when pool content happens to be on a page boundary.
>>> >>> Cc: Jiewen Yao >>> Cc: Eric Dong >>> Cc: Ray Ni >>> Cc: Jian J Wang >>> Cc: Liming Gao >>> >>> Signed-off-by: Kun Qin >>> --- >>>   MdeModulePkg/Core/PiSmmCore/Pool.c | 10 +++++----- >>>   1 file changed, 5 insertions(+), 5 deletions(-) >>> >>> diff --git a/MdeModulePkg/Core/PiSmmCore/Pool.c >>> b/MdeModulePkg/Core/PiSmmCore/Pool.c >>> index 96ebe811c669..e1ff40a8ea55 100644 >>> --- a/MdeModulePkg/Core/PiSmmCore/Pool.c >>> +++ b/MdeModulePkg/Core/PiSmmCore/Pool.c >>> @@ -382,11 +382,6 @@ SmmInternalFreePool ( >>>       return EFI_INVALID_PARAMETER; >>>     } >>> >>> -  MemoryGuarded = IsHeapGuardEnabled () && >>> -                  IsMemoryGuarded >>> ((EFI_PHYSICAL_ADDRESS)(UINTN)Buffer); >>> -  HasPoolTail = !(MemoryGuarded && >>> -                  ((PcdGet8 (PcdHeapGuardPropertyMask) & BIT7) == >>> 0)); >>> - >>>     FreePoolHdr = (FREE_POOL_HEADER *)((POOL_HEADER *)Buffer - 1); >>>     ASSERT (FreePoolHdr->Header.Signature == POOL_HEAD_SIGNATURE); >>>     ASSERT (!FreePoolHdr->Header.Available); >>> @@ -394,6 +389,11 @@ SmmInternalFreePool ( >>>       return EFI_INVALID_PARAMETER; >>>     } >>> >>> +  MemoryGuarded = IsHeapGuardEnabled () && >>> +                  IsMemoryGuarded >>> ((EFI_PHYSICAL_ADDRESS)(UINTN)FreePoolHdr); >>> +  HasPoolTail = !(MemoryGuarded && >>> +                  ((PcdGet8 (PcdHeapGuardPropertyMask) & BIT7) == >>> 0)); >>> + >>>     if (HasPoolTail) { >>>       PoolTail = HEAD_TO_TAIL (&FreePoolHdr->Header); >>>       ASSERT (PoolTail->Signature == POOL_TAIL_SIGNATURE); >>> -- >>> 2.35.1.windows.2 >>> >>> >>> >>> >>> >> >>
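Review bot: With the `MemoryGuarded`/`HasPoolTail` derivation removed from the top of this hunk, the `FreePoolHdr = (FREE_POOL_HEADER *)((POOL_HEADER *)Buffer - 1)` computation and the two `ASSERT`s on `Header.Signature` and `Header.Available` are now the first accesses in `SmmInternalFreePool` after the parameter check, before any guard status is known. That ordering is correct, because the header must be readable for any valid pool whichever guard direction is configured, but the commit message only explains the `Buffer` versus header distinction and not why the guard check can safely move below the header validation. One sentence in the message (or at the new site) stating that the header read at `(POOL_HEADER *)Buffer - 1` always lies inside the guarded allocation, and so never touches the guard page itself, would make the move self-explanatory.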
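Review bot: The address probed by `IsMemoryGuarded` in this hunk is now `FreePoolHdr` rather than `Buffer`, but nothing at the site records why; a short comment above `MemoryGuarded = IsHeapGuardEnabled () &&` saying that for a zero-length pool with BIT7 of `PcdHeapGuardPropertyMask` clear, `Buffer` lands on the guard page itself while the header is the last bytes of the guarded range, would stop a later cleanup from reverting the probe to `Buffer`. Also, since both hunks are in `SmmInternalFreePool` and the diffstat touches only `Pool.c` with five insertions and five deletions, please confirm in the message that the allocation path derives the presence of a `POOL_TAIL` from the same `MemoryGuarded && (BIT7 == 0)` condition; otherwise the `HEAD_TO_TAIL (&FreePoolHdr->Header)` read under `if (HasPoolTail)` would disagree with the layout that was actually allocated.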
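The failure mode the commit message describes, modelled as an added stand-alone example that is not edk2 code and not part of this patch: a one-bit-per-page guard map in the style of the heap guard bitmap, a pool laid out against its guard page in the BIT7-clear (tail-guard) direction, and the `HasPoolTail` decision computed two ways, probing `Buffer` as the pre-patch code did and probing the pool header as the patch does. The page size, header size, the `Model*` helper names and the three test cases are assumptions for illustration; the example also covers the head-guard direction, which the commit message does not discuss, to show where the difference does not appear.

```c
/*
 * Model of the pool-guard layout the commit message describes. This is an
 * added illustration, not edk2 code: the page size, guard bitmap, header
 * size and all Model* names are simplifying assumptions.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE   4096u
#define NUM_PAGES   8u      /* modelled address space: pages 0..7 */
#define HDR_SIZE    16u     /* stand-in for sizeof (POOL_HEADER) */
#define GUARD_BIT7  0x80u   /* BIT7 of PcdHeapGuardPropertyMask: guard direction */

/* One bit per page, set for pages inside a guarded allocation. The guard
   pages on either side stay clear, as in the edk2 heap guard bitmap. */
static uint8_t GuardMap[NUM_PAGES];

/* Stand-in for IsMemoryGuarded(): is this address inside a guarded allocation? */
static bool ModelIsMemoryGuarded(uintptr_t addr) {
  uintptr_t page = addr / PAGE_SIZE;
  return page < NUM_PAGES && GuardMap[page] == 1;
}

/* A guard page is an unmarked page adjacent to a marked one; touching it faults. */
static bool ModelIsGuardPage(uintptr_t addr) {
  uintptr_t page = addr / PAGE_SIZE;
  if (page >= NUM_PAGES || GuardMap[page] != 0) return false;
  return (page > 0 && GuardMap[page - 1] == 1) ||
         (page + 1 < NUM_PAGES && GuardMap[page + 1] == 1);
}

/* Same expression as HasPoolTail in SmmInternalFreePool, parameterised on the
   address that is probed: a guarded pool in the tail-guard direction (BIT7
   clear) is laid out without a POOL_TAIL so its data ends at the guard page. */
static bool ModelHasPoolTail(uint8_t mask, uintptr_t probe) {
  bool memoryGuarded = ModelIsMemoryGuarded(probe);   /* heap guard assumed on */
  return !(memoryGuarded && (mask & GUARD_BIT7) == 0);
}

/* Lay out one guarded pool of `size` data bytes in page 2; pages 1 and 3 are
   its guard pages. Returns the data pointer AllocatePool would hand back. */
static uintptr_t ModelAllocate(size_t size, uint8_t mask) {
  memset(GuardMap, 0, sizeof GuardMap);
  GuardMap[2] = 1;
  if ((mask & GUARD_BIT7) == 0) {
    /* tail-guard direction: [header|data] packed against the tail guard page */
    return 3 * PAGE_SIZE - size;
  }
  /* head-guard direction: header at the page start, POOL_TAIL after the data */
  return 2 * PAGE_SIZE + HDR_SIZE;
}

typedef struct {
  bool hasPoolTail;     /* what the free path concludes */
  bool tailReadFaults;  /* would HEAD_TO_TAIL(...) land on a guard page? */
} FreeOutcome;

/* Free-path decision for a pool of `size` bytes. probeHeader == false is the
   pre-patch behaviour (probe Buffer); true is the patched behaviour (probe
   the POOL_HEADER immediately below Buffer). */
static FreeOutcome ModelFree(size_t size, uint8_t mask, bool probeHeader) {
  uintptr_t buffer = ModelAllocate(size, mask);
  uintptr_t header = buffer - HDR_SIZE;
  FreeOutcome out;
  out.hasPoolTail = ModelHasPoolTail(mask, probeHeader ? header : buffer);
  out.tailReadFaults = out.hasPoolTail && ModelIsGuardPage(buffer + size);
  return out;
}

int main(void) {
  /* constructed cases; the first is the one the bug report describes */
  static const struct { size_t size; uint8_t mask; const char *label; } cases[] = {
    { 0,  0x00, "0-byte pool, tail guard (reported case)" },
    { 64, 0x00, "64-byte pool, tail guard" },
    { 0,  0x80, "0-byte pool, head guard" },
  };
  for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
    FreeOutcome before = ModelFree(cases[i].size, cases[i].mask, false);
    FreeOutcome after  = ModelFree(cases[i].size, cases[i].mask, true);
    printf("%-40s probe Buffer: tail=%d fault=%d | probe header: tail=%d fault=%d\n",
           cases[i].label, before.hasPoolTail, before.tailReadFaults,
           after.hasPoolTail, after.tailReadFaults);
  }
  return 0;
}
```

Compiled and run, the first row is the reported case: probing `Buffer` for a 0-byte tail-guarded pool reports the memory as unguarded, so the free path expects a `POOL_TAIL` and its `HEAD_TO_TAIL` read lands on the guard page, while probing the header yields `HasPoolTail == FALSE` and no tail read. The other rows show that a non-empty pool or the head-guard direction never exposes the difference, which is why the fault only surfaced with zero-length allocations.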