Message-ID: <64a33401-2a1d-2f75-79e7-a287e337bb5f@gmail.com>
Date: Mon, 28 Mar 2022 14:57:06 -0700
Subject: Re: Reply: [edk2-devel] [PATCH v1 1/1] MdeModulePkg: PiSmmCore: Inspect memory guarded with pool headers
To: gaoliming, devel@edk2.groups.io
Cc: 'Jiewen Yao', 'Eric Dong', 'Ray Ni', 'Jian J Wang'
References: <20220316035954.1146-1-kuqin12@gmail.com> <20220316035954.1146-2-kuqin12@gmail.com> <018301d83a66$6b769b80$4263d280$@byosoft.com.cn>
From: "Kun Qin"
In-Reply-To: <018301d83a66$6b769b80$4263d280$@byosoft.com.cn>

Thanks, Liming.

SMM owners/authors,

Could you please also review the original issue and this patch to provide feedback?

Thanks,
Kun

On 3/17/2022 6:20 PM, gaoliming wrote:
> Reviewed-by: Liming Gao
>
>> -----Original Message-----
>> From: devel@edk2.groups.io on behalf of Kun Qin
>> Sent: March 16, 2022 12:00
>> To: devel@edk2.groups.io
>> Cc: Jiewen Yao; Eric Dong; Ray Ni; Jian J Wang; Liming Gao
>>
>> Subject: [edk2-devel] [PATCH v1 1/1] MdeModulePkg: PiSmmCore: Inspect memory guarded with pool headers
>>
>> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3488
>>
>> The current free pool routine from PiSmmCore will inspect memory guard status
>> for the target buffer without considering pool headers. This could lead the
>> `IsMemoryGuarded` function to return incorrect results.
>>
>> In that sense, allocating a 0-sized pool could cause an allocated buffer to
>> point directly into a guard page, which is legal. However, trying to free
>> this pool will cause the routine changed in this commit to read XP pages,
>> which leads to a page fault.
>>
>> This change will inspect memory guarded with pool headers. This can avoid
>> errors when pool content happens to be on a page boundary.
>>
>> Cc: Jiewen Yao
>> Cc: Eric Dong
>> Cc: Ray Ni
>> Cc: Jian J Wang
>> Cc: Liming Gao
>>
>> Signed-off-by: Kun Qin
>> ---
>> MdeModulePkg/Core/PiSmmCore/Pool.c | 10 +++++-----
>> 1 file changed, 5 insertions(+), 5 deletions(-)
>>
>> diff --git a/MdeModulePkg/Core/PiSmmCore/Pool.c b/MdeModulePkg/Core/PiSmmCore/Pool.c
>> index 96ebe811c669..e1ff40a8ea55 100644
>> --- a/MdeModulePkg/Core/PiSmmCore/Pool.c
>> +++ b/MdeModulePkg/Core/PiSmmCore/Pool.c
>> @@ -382,11 +382,6 @@ SmmInternalFreePool ( >> return EFI_INVALID_PARAMETER; >> } >> >> - MemoryGuarded = IsHeapGuardEnabled () && >> - IsMemoryGuarded >> ((EFI_PHYSICAL_ADDRESS)(UINTN)Buffer); >> - HasPoolTail = !(MemoryGuarded && >> - ((PcdGet8 (PcdHeapGuardPropertyMask) & BIT7) == >> 0)); >> - >> FreePoolHdr = (FREE_POOL_HEADER *)((POOL_HEADER *)Buffer - 1); >> ASSERT (FreePoolHdr->Header.Signature == POOL_HEAD_SIGNATURE); >> ASSERT (!FreePoolHdr->Header.Available); >> @@ -394,6 +389,11 @@ SmmInternalFreePool ( >> return EFI_INVALID_PARAMETER; >> } >> >> + MemoryGuarded = IsHeapGuardEnabled () && >> + IsMemoryGuarded >> ((EFI_PHYSICAL_ADDRESS)(UINTN)FreePoolHdr); >> + HasPoolTail = !(MemoryGuarded && >> + ((PcdGet8 (PcdHeapGuardPropertyMask) & BIT7) == >> 0)); >> + >> if (HasPoolTail) { >> PoolTail = HEAD_TO_TAIL (&FreePoolHdr->Header); >> ASSERT (PoolTail->Signature == POOL_TAIL_SIGNATURE); >> -- >> 2.35.1.windows.2 >> >> >> >> >> > >
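Review bot: in the first hunk (@@ -382,11 +382,6), removing the `MemoryGuarded` / `HasPoolTail` computation from before the `FreePoolHdr` derivation is only safe if nothing between that point and the re-added computation reads either variable; the visible context (the `FreePoolHdr` derivation, the two ASSERTs on `Header.Signature` and `Header.Available`, and the `return EFI_INVALID_PARAMETER;` block at the top of the second hunk) does not, but the lines elided between the hunks are not shown, so please confirm against the full function that no early-return path in that gap depends on `HasPoolTail`.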
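Review bot: in the second hunk (@@ -394,6 +389,11), the re-added `IsMemoryGuarded ((EFI_PHYSICAL_ADDRESS)(UINTN)FreePoolHdr)` probe is the substance of the fix, but nothing in the code says why the header address is used instead of `Buffer`; a one-line comment above it (for example: "Probe at the pool header: a 0-sized pool's Buffer may legally start on the guard page, per the commit message") would keep a later cleanup from switching it back. The ordering is also worth noting: `FreePoolHdr->Header.Signature` and `Header.Available` are dereferenced before the guard status is known, which is fine because the header always lies inside the allocation, whereas the pool tail read guarded by `HasPoolTail` is exactly the access this change keeps away from the guard page.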
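The commit message above describes the failure in words: for a 0-sized guarded pool the caller's buffer starts exactly on the guard page, so probing the guard status at `Buffer` looks at the wrong page, while probing at the pool header looks at the page that actually holds the allocation. The following C model, added here as an illustration and not code from edk2 or from this thread, lays that situation out in a four-page arena and evaluates the patch's `HasPoolTail` expression with both probe addresses. Everything about the model is an assumption: the page geometry, the guard map and its semantics (pages of a guarded allocation are marked, the guard page itself is not), the `POOL_HEADER` layout, the marker value, and the simplified tail address; it represents the configuration with no pool tail (`BIT7` of the mask clear).

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed model of the layout behind the patch: a POOL_HEADER sits
 * immediately before the caller's buffer and a heap-guard page follows the
 * allocation.  Page geometry, the guard map, its semantics and the struct
 * layout are assumptions made for this illustration; none of this is edk2 code.
 */
#define PAGE_SIZE  4096u
#define NUM_PAGES  4u
#define GUARD_PAGE 2u        /* page index of the guard page in this model */
#define BIT7       0x80u     /* edk2's BIT7 value */

typedef struct {
  uint32_t Signature;
  uint32_t Available;
  uint32_t Size;             /* header + data bytes (no tail in this configuration) */
} POOL_HEADER;               /* hypothetical layout */

/* Simulated arena: page 1 holds the pool, page 2 is the guard page (it would be
 * mapped non-present / XP in real SMM, so any read of it faults). */
static _Alignas(PAGE_SIZE) uint8_t gArena[NUM_PAGES * PAGE_SIZE];

/* Assumed guard-map semantics: an entry is set for pages that belong to a
 * guarded allocation; the guard page itself is not part of any allocation
 * and therefore stays clear. */
static bool gGuardMap[NUM_PAGES];

static size_t PageIndexOf(const void *Address) {
  return (size_t)((const uint8_t *)Address - gArena) / PAGE_SIZE;
}

/* Stand-in for IsMemoryGuarded(): does the page containing Address belong to
 * a guarded allocation? */
static bool IsMemoryGuarded(const void *Address) {
  size_t Page = PageIndexOf(Address);
  return Page < NUM_PAGES && gGuardMap[Page];
}

static bool IsGuardPage(const void *Address) {
  return PageIndexOf(Address) == GUARD_PAGE;
}

/* Lay out a 0-sized guarded pool so that the buffer ends exactly at the guard
 * page: the header occupies the last bytes of page 1 and the (empty) buffer
 * begins at page 2.  Returns the caller-visible Buffer, as the allocator would. */
static void *AllocateZeroSizedGuardedPool(void) {
  POOL_HEADER *Hdr =
      (POOL_HEADER *)(gArena + GUARD_PAGE * PAGE_SIZE - sizeof(POOL_HEADER));
  Hdr->Signature = 0x64686C70u;                     /* constructed marker */
  Hdr->Available = 0;
  Hdr->Size      = (uint32_t)sizeof(POOL_HEADER);   /* zero data bytes */
  gGuardMap[GUARD_PAGE - 1] = true;                 /* page 1 is a guarded allocation */
  return Hdr + 1;                                   /* == start of the guard page */
}

/* Guard probe as in the removed hunk: at Buffer. */
static bool OldMemoryGuarded(void *Buffer) {
  return IsMemoryGuarded(Buffer);
}

/* Guard probe as in the added hunk: at the pool header, (POOL_HEADER *)Buffer - 1. */
static bool NewMemoryGuarded(void *Buffer) {
  POOL_HEADER *FreePoolHdr = (POOL_HEADER *)Buffer - 1;
  return IsMemoryGuarded(FreePoolHdr);
}

/* HasPoolTail exactly as the patch computes it from MemoryGuarded and the PCD mask. */
static bool HasPoolTail(bool MemoryGuarded, uint8_t HeapGuardPropertyMask) {
  return !(MemoryGuarded && ((HeapGuardPropertyMask & BIT7) == 0));
}

/* Where a pool tail would be read: right after the Size bytes that start at the
 * header (for a 0-sized pool that is Buffer itself).  Modelled after the idea
 * of HEAD_TO_TAIL; the real macro is not reproduced here. */
static const void *TailAddress(void *Buffer) {
  POOL_HEADER *Hdr = (POOL_HEADER *)Buffer - 1;
  return (const uint8_t *)Hdr + Hdr->Size;
}

/* True if freeing Buffer would read the guard page (a page fault in real SMM)
 * when the guard status is probed at the header (ProbeAtHeader) or at Buffer. */
static bool FreeReadsGuardPage(void *Buffer, bool ProbeAtHeader, uint8_t Mask) {
  bool MemoryGuarded = ProbeAtHeader ? NewMemoryGuarded(Buffer) : OldMemoryGuarded(Buffer);
  if (!HasPoolTail(MemoryGuarded, Mask)) {
    return false;                                   /* no tail is touched at all */
  }
  return IsGuardPage(TailAddress(Buffer));
}

int main(void) {
  void *Buffer = AllocateZeroSizedGuardedPool();
  /* Mask 0 models PcdHeapGuardPropertyMask with BIT7 clear: no pool tail. */
  printf("probe at Buffer : MemoryGuarded=%d  free reads guard page=%d\n",
         OldMemoryGuarded(Buffer), FreeReadsGuardPage(Buffer, false, 0));
  printf("probe at header : MemoryGuarded=%d  free reads guard page=%d\n",
         NewMemoryGuarded(Buffer), FreeReadsGuardPage(Buffer, true, 0));
  return 0;
}
```

With the probe at `Buffer`, the model reports the allocation as not guarded, so `HasPoolTail` stays true and the tail read lands on the guard page; with the probe at the header, the allocation is correctly seen as guarded, `HasPoolTail` becomes false, and nothing on the guard page is touched. The same reasoning applies to any pool whose data ends on a page boundary, which is what the commit message means by "pool content happens to be on a page boundary".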