From: "Zeng, Star"
To: Jian J Wang, edk2-devel@lists.01.org
Cc: Michael D Kinney, Ruiyu Ni, Jiewen Yao, Laszlo Ersek, star.zeng@intel.com
Date: Thu, 25 Oct 2018 11:02:19 +0800
Subject: Re: [PATCH v3 2/6] MdeModulePkg: introduce UEFI freed-memory guard bit in HeapGuard PCD
Message-ID: <860d3863-7a4b-3a46-a01d-ffeac374c583@intel.com>
In-Reply-To: <20181024052620.4088-3-jian.j.wang@intel.com>
References: <20181024052620.4088-1-jian.j.wang@intel.com> <20181024052620.4088-3-jian.j.wang@intel.com>

On 2018/10/24 13:26, Jian J Wang wrote:
>> v3 changes:
>> a. split from v2 #1 patch file.
>> b. refine the commit message and title.
>
> A UAF (Use-After-Free) memory issue is a kind of illegal access to memory
> which has been freed. It can be detected by a new freed-memory guard
> enforced onto freed memory.
>
> BIT4 of the following PCD is used to enable the freed-memory guard feature.
>
>   gEfiMdeModulePkgTokenSpaceGuid.PcdHeapGuardPropertyMask
>
> Please note this feature is for debug purposes and should not be enabled

Suggest also adding this information into the PCD description.
Pool/page heap guard also has the same condition, right? If yes, we can
have a generic sentence for the whole PCD.

With this addressed, Reviewed-by: Star Zeng.

Thanks,
Star

> in product BIOS, and cannot be enabled with pool/page heap guard at the
> same time. It's disabled by default.
>
> Cc: Star Zeng
> Cc: Michael D Kinney
> Cc: Jiewen Yao
> Cc: Ruiyu Ni
> Cc: Laszlo Ersek
> Contributed-under: TianoCore Contribution Agreement 1.1
> Signed-off-by: Jian J Wang
> ---
>  MdeModulePkg/MdeModulePkg.dec | 6 ++++++
>  MdeModulePkg/MdeModulePkg.uni | 4 +++-
>  2 files changed, 9 insertions(+), 1 deletion(-)
> > diff --git a/MdeModulePkg/MdeModulePkg.dec b/MdeModulePkg/MdeModulePkg.dec > index 2009dbc5fd..255b92ea67 100644 > --- a/MdeModulePkg/MdeModulePkg.dec > +++ b/MdeModulePkg/MdeModulePkg.dec > @@ -1011,14 +1011,20 @@ > gEfiMdeModulePkgTokenSpaceGuid.PcdHeapGuardPoolType|0x0|UINT64|0x30001053 > > ## This mask is to control Heap Guard behavior. > + # > # Note that due to the limit of pool memory implementation and the alignment > # requirement of UEFI spec, BIT7 is a try-best setting which cannot guarantee > # that the returned pool is exactly adjacent to head guard page or tail guard > # page. > + # > + # Note that UEFI freed-memory guard and pool/page guard cannot be enabled > + # at the same time. > + # > # BIT0 - Enable UEFI page guard.
> # BIT1 - Enable UEFI pool guard.
> # BIT2 - Enable SMM page guard.
> # BIT3 - Enable SMM pool guard.
> + # BIT4 - Enable UEFI freed-memory guard (Use-After-Free memory detection).
> # BIT6 - Enable non-stop mode.
> # BIT7 - The direction of Guard Page for Pool Guard. > # 0 - The returned pool is near the tail guard page.
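Review bot: The new note in the PcdHeapGuardPropertyMask comment says the freed-memory guard and pool/page guard "cannot be enabled at the same time" but does not say what happens when BIT4 is set together with any of BIT0-BIT3 (whether one setting wins or the combination is rejected); an integrator reading only the .dec needs that one sentence. The commit message also states that BIT4 is for debug purposes and must not be enabled in a product BIOS, and that caveat is not carried into the comment; consider adding it to the same note block, for example `# Note that UEFI freed-memory guard is a debug feature and should not be enabled in production BIOS.`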
> diff --git a/MdeModulePkg/MdeModulePkg.uni b/MdeModulePkg/MdeModulePkg.uni > index 9d2e473fa9..e72b893509 100644 > --- a/MdeModulePkg/MdeModulePkg.uni > +++ b/MdeModulePkg/MdeModulePkg.uni > @@ -1227,11 +1227,13 @@ > "Note that due to the limit of pool memory implementation and the alignment\n" > "requirement of UEFI spec, BIT7 is a try-best setting which cannot guarantee\n" > "that the returned pool is exactly adjacent to head guard page or tail guard\n" > - "page.\n" > + "page.\n\n" > + "Note that UEFI freed-memory guard and pool/page guard cannot be enabled at the same time.\n\n" > " BIT0 - Enable UEFI page guard.
\n" > " BIT1 - Enable UEFI pool guard.
\n" > " BIT2 - Enable SMM page guard.
\n" > " BIT3 - Enable SMM pool guard.
\n" > + " BIT4 - Enable UEFI freed-memory guard (Use-After-Free memory detection).
\n" > " BIT7 - The direction of Guard Page for Pool Guard.\n" > " 0 - The returned pool is near the tail guard page.
\n" > " 1 - The returned pool is near the head guard page.
" >
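Review bot: The help string in this hunk omits BIT6 (non-stop mode), which the matching .dec comment lists between BIT4 and BIT7; since this patch already edits both descriptions, add `"  BIT6 - Enable non-stop mode.\n"` after the new BIT4 line so the .uni stays in sync with the .dec. Also, the added `"Note that UEFI freed-memory guard and pool/page guard cannot be enabled at the same time.\n\n"` runs well past the roughly 80-column wrap the surrounding strings use (and that the .dec version of the same note follows); wrap it across two strings in the same style.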
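As an added example (not edk2 code and not part of this patch or its review), a small C program modelling the two points the commit message makes. `heap_guard_mask_valid` is a hypothetical integrator-side check of the documented rule that BIT4 cannot be combined with the pool/page guard bits, and `uaf_is_detected` models the freed-memory guard in user space by revoking access to a "freed" page with mprotect, which is an assumption about the mechanism rather than the edk2 implementation, so that a use-after-free faults instead of silently returning the old contents.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* PcdHeapGuardPropertyMask bits as named in the patch. */
#define HG_POOL_PAGE_GUARDS 0x0Fu  /* BIT0-BIT3: UEFI/SMM page and pool guards */
#define HG_UEFI_FREED_GUARD 0x10u  /* BIT4: freed-memory guard (UAF detection) */
/* Hypothetical platform-side check of the rule the patch documents: BIT4 may not be
 * combined with any pool/page guard bit. Returns 1 if the mask is consistent. */
int heap_guard_mask_valid(uint32_t mask)
{
    return !((mask & HG_UEFI_FREED_GUARD) && (mask & HG_POOL_PAGE_GUARDS));
}
static sigjmp_buf fault_env;
static volatile sig_atomic_t fault_seen;
static void on_fault(int sig)
{
    (void)sig; fault_seen = 1;
    siglongjmp(fault_env, 1);  /* unwind out of the faulting access */
}
/* User-space model of the freed-memory guard (an assumption, not the edk2 code):
 * "freeing" a page revokes all access instead of recycling it, so any later
 * read or write through a stale pointer faults. Returns 1 if the UAF was trapped. */
int uaf_is_detected(void)
{
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    char *p = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return -1;
    memset(p, 0x41, len);                             /* legitimate use while the page is live */
    if (mprotect(p, len, PROT_NONE) != 0) return -1;  /* "free": the guard makes it inaccessible */
    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);     /* some platforms report the fault as SIGBUS */
    fault_seen = 0;
    if (sigsetjmp(fault_env, 1) == 0) {
        volatile char *stale = p;
        (void)stale[0];                   /* use-after-free: must fault, not read 0x41 */
    }
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    munmap(p, len);
    return fault_seen;
}
```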