From: Paulo Alcantara <paulo@paulo.ac>
To: edk2-devel@lists.01.org
Cc: Paulo Alcantara <paulo@paulo.ac>, Eric Dong <eric.dong@intel.com>,
	Laszlo Ersek <lersek@redhat.com>
Subject: [RFC v5 5/8] UefiCpuPkg/CpuExceptionHandlerLib: Ensure valid frame/stack pointers
Date: Sun, 14 Jan 2018 22:23:33 -0200	[thread overview]
Message-ID: <5cc6968f2c67232ca29b99cd81f8ac5d754ba8dc.1515974582.git.paulo@paulo.ac> (raw)
In-Reply-To: <cover.1515974582.git.paulo@paulo.ac>
In-Reply-To: <cover.1515974582.git.paulo@paulo.ac>

Validate all possible memory dereferences during stack traces in IA32
and X64 CPU exceptions.

Contributed-under: TianoCore Contribution Agreement 1.1
Cc: Eric Dong <eric.dong@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Requested-by: Brian Johnson <brian.johnson@hpe.com>
Requested-by: Jiewen Yao <jiewen.yao@intel.com>
Signed-off-by: Paulo Alcantara <paulo@paulo.ac>
---
 UefiCpuPkg/Library/CpuExceptionHandlerLib/Ia32/ArchExceptionHandler.c | 149 +++++++++++++++++++-
 UefiCpuPkg/Library/CpuExceptionHandlerLib/X64/ArchExceptionHandler.c  |  75 +++++++++-
 2 files changed, 216 insertions(+), 8 deletions(-)

diff --git a/UefiCpuPkg/Library/CpuExceptionHandlerLib/Ia32/ArchExceptionHandler.c b/UefiCpuPkg/Library/CpuExceptionHandlerLib/Ia32/ArchExceptionHandler.c
index c5d6ea0939..3b92512b92 100644
--- a/UefiCpuPkg/Library/CpuExceptionHandlerLib/Ia32/ArchExceptionHandler.c
+++ b/UefiCpuPkg/Library/CpuExceptionHandlerLib/Ia32/ArchExceptionHandler.c
@@ -14,6 +14,11 @@
 
 #include "CpuExceptionCommon.h"
 
+//
+// IA32 Segment Selector bit definitions
+//
+#define IA32_SEGSEL_TI BIT2
+
 /**
   Return address map of exception handler template so that C code can generate
   exception tables.
@@ -398,6 +403,97 @@ DumpCpuContext (
     );
 }
 
+/**
+  Check if a logical address is valid.
+
+  @param[in]  SystemContext      Pointer to EFI_SYSTEM_CONTEXT.
+  @param[in]  SegmentSelector    Segment selector.
+  @param[in]  Offset             Offset or logical address.
+**/
+STATIC
+BOOLEAN
+IsLogicalAddressValid (
+  IN  EFI_SYSTEM_CONTEXT   SystemContext,
+  IN  UINT16               SegmentSelector,
+  IN  UINTN                Offset
+  )
+{
+  IA32_SEGMENT_DESCRIPTOR  *SegmentDescriptor;
+  UINT32                   SegDescBase;
+  UINT32                   SegDescLimit;
+  UINT64                   SegDescLimitInBytes;
+
+  //
+  // Check for valid input parameters
+  //
+  if (SegmentSelector == 0 || Offset == 0) {
+    return FALSE;
+  }
+
+  //
+  // Look for a segment descriptor in a GDT or LDT table depending on TI
+  // (Table Indicator) bit in segment selector.
+  //
+  if ((SegmentSelector & IA32_SEGSEL_TI) == 0) {
+    //
+    // Get segment descriptor from GDT table
+    //
+    SegmentDescriptor =
+      (IA32_SEGMENT_DESCRIPTOR *)(
+        (UINTN)SystemContext.SystemContextIa32->Gdtr[0] +
+        (SegmentSelector & ~7)
+        );
+  } else {
+    //
+    // Get segment descriptor from LDT table
+    //
+    SegmentDescriptor =
+      (IA32_SEGMENT_DESCRIPTOR *)(
+        (UINTN)SystemContext.SystemContextIa32->Ldtr +
+        (SegmentSelector & ~7)
+        );
+  }
+
+  //
+  // Get segment descriptor's base address
+  //
+  SegDescBase = SegmentDescriptor->Bits.BaseLow |
+    (SegmentDescriptor->Bits.BaseMid << 16) |
+    (SegmentDescriptor->Bits.BaseHigh << 24);
+
+  //
+  // Get segment descriptor's limit
+  //
+  SegDescLimit = SegmentDescriptor->Bits.LimitLow |
+    (SegmentDescriptor->Bits.LimitHigh << 16);
+
+  //
+  // Calculate segment descriptor's limit in bytes
+  //
+  if (SegmentDescriptor->Bits.G == 1) {
+    SegDescLimitInBytes = (UINT64)SegDescLimit * SIZE_4KB + (SIZE_4KB - 1);
+  } else {
+    SegDescLimitInBytes = SegDescLimit;
+  }
+
+  //
+  // Make sure to not access beyond a segment limit boundary
+  //
+  if ((UINT64)Offset + SegDescBase > SegDescLimitInBytes) {
+    return FALSE;
+  }
+
+  //
+  // Check if the translated logical address (or linear address) is valid
+  //
+  return IsLinearAddressValid (
+    SystemContext.SystemContextIa32->Cr0,
+    SystemContext.SystemContextIa32->Cr3,
+    SystemContext.SystemContextIa32->Cr4,
+    Offset + SegDescBase
+    );
+}
+
 /**
   Dump stack trace.
 
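Review bot: The segment-limit check `if ((UINT64)Offset + SegDescBase > SegDescLimitInBytes)` compares the linear address (base plus offset) against the limit, but a segment limit bounds the offset within the segment, so any descriptor with a non-zero base rejects valid offsets near the end of the segment; the comparison should be `if ((UINT64)Offset > SegDescLimitInBytes) {`. The descriptor is also read at `Gdtr[0] + (SegmentSelector & ~7)` without first checking the selector index against the table limit, and if `Gdtr[]` holds the raw SGDT image (16-bit limit followed by the base) rather than a separate base word, `Gdtr[0]` is not the table base — worth confirming against the assembly that fills the context. Likewise `Ldtr` in the context is presumably the LDT selector rather than the LDT base, in which case the LDT branch would need to resolve that selector through the GDT before indexing. The descriptor's present bit and type are not consulted either (expand-down data segments invert the limit meaning), so a comment such as `// Assumes a present, expand-up segment; expand-down and non-present descriptors are not handled` would at least make the simplification explicit.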
@@ -470,6 +566,20 @@ DumpStacktrace (
   InternalPrintMessage ("\nCall trace:\n");
 
   for (;;) {
+    //
+    // Check for valid frame pointer
+    //
+    if (!IsLogicalAddressValid (SystemContext,
+                                SystemContext.SystemContextIa32->Ss,
+                                (UINTN)Ebp + 4) ||
+        !IsLogicalAddressValid (SystemContext,
+                                SystemContext.SystemContextIa32->Ss,
+                                (UINTN)Ebp)) {
+      InternalPrintMessage ("%a: attempted to dereference an invalid frame "
+                            "pointer at 0x%08x\n", __FUNCTION__, Ebp);
+      break;
+    }
+
     //
     // Print stack frame in the following format:
     //
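Review bot: The two checks cover only the first byte of each 4-byte word at `Ebp` and `Ebp + 4`; since `Ebp` is not alignment-checked here (unlike `CurrentEsp` in DumpStackContents), a misaligned frame pointer whose word straddles a page boundary still passes and the following read can fault — the same applies to the X64 checks on `Rbp` in DumpImageModuleNames and DumpStacktrace, unless a later patch in the series extends the check to a byte range. Also, because IsLogicalAddressValid returns FALSE for `Offset == 0`, a terminating NULL frame pointer is reported as an attempted dereference of an invalid frame pointer rather than as the normal end of the chain; if the loop previously stopped on `Ebp == 0`, consider testing that before the validity check so the message is only printed for a genuinely bad pointer. DumpStacktrace's body starts and ends outside the hunk.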
@@ -610,6 +720,16 @@ DumpImageModuleNames (
   // Walk through call stack and find next module names
   //
   for (;;) {
+    if (!IsLogicalAddressValid (SystemContext,
+                                SystemContext.SystemContextIa32->Ss,
+                                (UINTN)Ebp) ||
+        !IsLogicalAddressValid (SystemContext,
+                                SystemContext.SystemContextIa32->Ss,
+                                (UINTN)Ebp + 4)) {
+      InternalPrintMessage ("%a: attempted to dereference an invalid frame "
+                            "pointer at 0x%08x\n", __FUNCTION__, Ebp);
+    }
+
     //
     // Set EIP with return address from current stack frame
     //
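Review bot: The validity check added before `// Set EIP with return address from current stack frame` prints the message but does not leave the loop, so the following lines go on to dereference the very frame pointer just reported as invalid; the counterparts in DumpStacktrace (IA32) and in the X64 DumpImageModuleNames and DumpStacktrace all `break;` after the message. Add `break;` directly after the `InternalPrintMessage` call so this function matches them. The enclosing loop in DumpImageModuleNames starts and ends outside the hunk.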
@@ -673,16 +793,23 @@ DumpImageModuleNames (
 /**
   Dump stack contents.
 
-  @param[in]  CurrentEsp         Current stack pointer address.
+  @param[in]  SystemContext       Pointer to EFI_SYSTEM_CONTEXT.
   @param[in]  UnwoundStacksCount  Count of unwound stack frames.
 **/
 STATIC
 VOID
 DumpStackContents (
-  IN UINT32  CurrentEsp,
-  IN INTN    UnwoundStacksCount
+  IN  EFI_SYSTEM_CONTEXT  SystemContext,
+  IN  INTN                UnwoundStacksCount
   )
 {
+  UINT32 CurrentEsp;
+
+  //
+  // Get current stack pointer
+  //
+  CurrentEsp = SystemContext.SystemContextIa32->Esp;
+
   //
   // Check for proper stack alignment
   //
@@ -696,6 +823,20 @@ DumpStackContents (
   //
   InternalPrintMessage ("\nStack dump:\n");
   while (UnwoundStacksCount-- > 0) {
+    //
+    // Check for a valid stack pointer address
+    //
+    if (!IsLogicalAddressValid (SystemContext,
+                                SystemContext.SystemContextIa32->Ss,
+                                (UINTN)CurrentEsp) ||
+        !IsLogicalAddressValid (SystemContext,
+                                SystemContext.SystemContextIa32->Ss,
+                                (UINTN)CurrentEsp + 4)) {
+      InternalPrintMessage ("%a: attempted to dereference an invalid stack "
+                            "pointer at 0x%08x\n", __FUNCTION__, CurrentEsp);
+      break;
+    }
+
     InternalPrintMessage (
       "0x%08x: %08x %08x\n",
       CurrentEsp,
@@ -742,5 +883,5 @@ DumpImageAndCpuContent (
   //
   // Dump stack contents
   //
-  DumpStackContents (SystemContext.SystemContextIa32->Esp, UnwoundStacksCount);
+  DumpStackContents (SystemContext, UnwoundStacksCount);
 }
diff --git a/UefiCpuPkg/Library/CpuExceptionHandlerLib/X64/ArchExceptionHandler.c b/UefiCpuPkg/Library/CpuExceptionHandlerLib/X64/ArchExceptionHandler.c
index 523dce95c9..c81f4c00eb 100644
--- a/UefiCpuPkg/Library/CpuExceptionHandlerLib/X64/ArchExceptionHandler.c
+++ b/UefiCpuPkg/Library/CpuExceptionHandlerLib/X64/ArchExceptionHandler.c
@@ -401,16 +401,26 @@ DumpCpuContext (
 /**
   Dump stack contents.
 
-  @param[in]  CurrentRsp         Current stack pointer address.
+  @param[in]  SystemContext       Pointer to EFI_SYSTEM_CONTEXT.
   @param[in]  UnwoundStacksCount  Count of unwound stack frames.
 **/
 STATIC
 VOID
 DumpStackContents (
-  IN UINT64  CurrentRsp,
-  IN INTN    UnwoundStacksCount
+  IN  EFI_SYSTEM_CONTEXT  SystemContext,
+  IN  INTN                UnwoundStacksCount
   )
 {
+  UINT64  CurrentRsp;
+  UINTN   Cr0;
+  UINTN   Cr3;
+  UINTN   Cr4;
+
+  //
+  // Get current stack pointer
+  //
+  CurrentRsp = SystemContext.SystemContextX64->Rsp;
+
   //
   // Check for proper stack pointer alignment
   //
@@ -419,11 +429,28 @@ DumpStackContents (
     return;
   }
 
+  //
+  // Get system control registers
+  //
+  Cr0 = SystemContext.SystemContextX64->Cr0;
+  Cr3 = SystemContext.SystemContextX64->Cr3;
+  Cr4 = SystemContext.SystemContextX64->Cr4;
+
   //
   // Dump out stack contents
   //
   InternalPrintMessage ("\nStack dump:\n");
   while (UnwoundStacksCount-- > 0) {
+    //
+    // Check for a valid stack pointer address
+    //
+    if (!IsLinearAddressValid (Cr0, Cr3, Cr4, (UINTN)CurrentRsp) ||
+        !IsLinearAddressValid (Cr0, Cr3, Cr4, (UINTN)CurrentRsp + 8)) {
+      InternalPrintMessage ("%a: attempted to dereference an invalid stack "
+                            "pointer at 0x%016lx\n", __FUNCTION__, CurrentRsp);
+      break;
+    }
+
     InternalPrintMessage (
       "0x%016lx: %016lx %016lx\n",
       CurrentRsp,
@@ -459,6 +486,9 @@ DumpImageModuleNames (
   CHAR8       *PdbFileName;
   UINT64      Rbp;
   UINTN       LastImageBase;
+  UINTN       Cr0;
+  UINTN       Cr3;
+  UINTN       Cr4;
 
   //
   // Set current RIP address
@@ -527,10 +557,27 @@ DumpImageModuleNames (
     InternalPrintMessage ("%a\n", PdbAbsoluteFilePath);
   }
 
+  //
+  // Get system control registers
+  //
+  Cr0 = SystemContext.SystemContextX64->Cr0;
+  Cr3 = SystemContext.SystemContextX64->Cr3;
+  Cr4 = SystemContext.SystemContextX64->Cr4;
+
   //
   // Walk through call stack and find next module names
   //
   for (;;) {
+    //
+    // Check for a valid frame pointer
+    //
+    if (!IsLinearAddressValid (Cr0, Cr3, Cr4, (UINTN)Rbp + 8) ||
+        !IsLinearAddressValid (Cr0, Cr3, Cr4, (UINTN)Rbp)) {
+      InternalPrintMessage ("%a: attempted to dereference an invalid frame "
+                            "pointer at 0x%016lx\n", __FUNCTION__, Rbp);
+      break;
+    }
+
     //
     // Set RIP with return address from current stack frame
     //
@@ -617,6 +664,9 @@ DumpStacktrace (
   UINT64  Rbp;
   UINTN   ImageBase;
   CHAR8   *PdbFileName;
+  UINTN   Cr0;
+  UINTN   Cr3;
+  UINTN   Cr4;
 
   //
   // Set current RIP address
@@ -656,12 +706,29 @@ DumpStacktrace (
   //
   *UnwoundStacksCount = 1;
 
+  //
+  // Get system control registers
+  //
+  Cr0 = SystemContext.SystemContextX64->Cr0;
+  Cr3 = SystemContext.SystemContextX64->Cr3;
+  Cr4 = SystemContext.SystemContextX64->Cr4;
+
   //
   // Print out back trace
   //
   InternalPrintMessage ("\nCall trace:\n");
 
   for (;;) {
+    //
+    // Check for valid frame pointer
+    //
+    if (!IsLinearAddressValid (Cr0, Cr3, Cr4, (UINTN)Rbp + 8) ||
+        !IsLinearAddressValid (Cr0, Cr3, Cr4, (UINTN)Rbp)) {
+      InternalPrintMessage ("%a: attempted to dereference an invalid frame "
+                            "pointer at 0x%016lx\n", __FUNCTION__, Rbp);
+      break;
+    }
+
     //
     // Print stack frame in the following format:
     //
@@ -749,5 +816,5 @@ DumpImageAndCpuContent (
   //
   // Dump stack contents
   //
-  DumpStackContents (SystemContext.SystemContextX64->Rsp, UnwoundStacksCount);
+  DumpStackContents (SystemContext, UnwoundStacksCount);
 }
-- 
2.14.3


