From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <star.zeng@intel.com>
Received-SPF: Pass (sender SPF authorized) identity=mailfrom;
 client-ip=192.55.52.115; helo=mga14.intel.com;
 envelope-from=star.zeng@intel.com; receiver=edk2-devel@lists.01.org 
Received: from mga14.intel.com (mga14.intel.com [192.55.52.115])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (No client certificate requested)
 by ml01.01.org (Postfix) with ESMTPS id 3032921C8EFB5
 for <edk2-devel@lists.01.org>; Wed, 24 Oct 2018 20:02:52 -0700 (PDT)
X-Amp-Result: SKIPPED(no attachment in message)
X-Amp-File-Uploaded: False
Received: from orsmga006.jf.intel.com ([10.7.209.51])
 by fmsmga103.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384;
 24 Oct 2018 20:02:51 -0700
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.54,422,1534834800"; d="scan'208";a="85396197"
Received: from shzintpr03.sh.intel.com (HELO [10.7.209.51]) ([10.239.4.100])
 by orsmga006.jf.intel.com with ESMTP; 24 Oct 2018 20:02:49 -0700
To: Jian J Wang <jian.j.wang@intel.com>, edk2-devel@lists.01.org
Cc: Michael D Kinney <michael.d.kinney@intel.com>,
 Ruiyu Ni <ruiyu.ni@intel.com>, Jiewen Yao <jiewen.yao@intel.com>,
 Laszlo Ersek <lersek@redhat.com>, star.zeng@intel.com
References: <20181024052620.4088-1-jian.j.wang@intel.com>
 <20181024052620.4088-3-jian.j.wang@intel.com>
From: "Zeng, Star" <star.zeng@intel.com>
Message-ID: <860d3863-7a4b-3a46-a01d-ffeac374c583@intel.com>
Date: Thu, 25 Oct 2018 11:02:19 +0800
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:52.0) Gecko/20100101
 Thunderbird/52.9.1
MIME-Version: 1.0
In-Reply-To: <20181024052620.4088-3-jian.j.wang@intel.com>
Subject: Re: [PATCH v3 2/6] MdeModulePkg: introduce UEFI freed-memory guard bit in HeapGuard PCD
X-BeenThere: edk2-devel@lists.01.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: EDK II Development  <edk2-devel.lists.01.org>
List-Unsubscribe: <https://lists.01.org/mailman/options/edk2-devel>,
 <mailto:edk2-devel-request@lists.01.org?subject=unsubscribe>
List-Archive: <http://lists.01.org/pipermail/edk2-devel/>
List-Post: <mailto:edk2-devel@lists.01.org>
List-Help: <mailto:edk2-devel-request@lists.01.org?subject=help>
List-Subscribe: <https://lists.01.org/mailman/listinfo/edk2-devel>,
 <mailto:edk2-devel-request@lists.01.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Oct 2018 03:02:52 -0000
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 7bit

On 2018/10/24 13:26, Jian J Wang wrote:
>> v3 changes:
>> a. split from v2 #1 patch file.
>> b. refine the commit message and title.
> 
> UAF (Use-After-Free) memory issue is kind of illegal access to memory
> which has been freed. It can be detected by a new freed-memory guard
> enforced onto freed memory.
> 
> BIT4 of following PCD is used to enable the freed-memory guard feature.
> 
>    gEfiMdeModulePkgTokenSpaceGuid.PcdHeapGuardPropertyMask
> 
> Please note this feature is for debug purpose and should not be enabled

Suggest also adding this information into the PCD description.
Pool/page heap guard also has same condition, right?
If yes, we can have a generic sentence for whole PCD.

With this addressed, Reviewed-by: Star Zeng <star.zeng@intel.com>.


Thanks,
Star

> in product BIOS, and cannot be enabled with pool/page heap guard at the
> same time. It's disabled by default.
> 
> Cc: Star Zeng <star.zeng@intel.com>
> Cc: Michael D Kinney <michael.d.kinney@intel.com>
> Cc: Jiewen Yao <jiewen.yao@intel.com>
> Cc: Ruiyu Ni <ruiyu.ni@intel.com>
> Cc: Laszlo Ersek <lersek@redhat.com>
> Contributed-under: TianoCore Contribution Agreement 1.1
> Signed-off-by: Jian J Wang <jian.j.wang@intel.com>
> ---
>   MdeModulePkg/MdeModulePkg.dec | 6 ++++++
>   MdeModulePkg/MdeModulePkg.uni | 4 +++-
>   2 files changed, 9 insertions(+), 1 deletion(-)
> 
> diff --git a/MdeModulePkg/MdeModulePkg.dec b/MdeModulePkg/MdeModulePkg.dec
> index 2009dbc5fd..255b92ea67 100644
> --- a/MdeModulePkg/MdeModulePkg.dec
> +++ b/MdeModulePkg/MdeModulePkg.dec
> @@ -1011,14 +1011,20 @@
>     gEfiMdeModulePkgTokenSpaceGuid.PcdHeapGuardPoolType|0x0|UINT64|0x30001053
>   
>     ## This mask is to control Heap Guard behavior.
> +  #
>     # Note that due to the limit of pool memory implementation and the alignment
>     # requirement of UEFI spec, BIT7 is a try-best setting which cannot guarantee
>     # that the returned pool is exactly adjacent to head guard page or tail guard
>     # page.
> +  #
> +  # Note that UEFI freed-memory guard and pool/page guard cannot be enabled
> +  # at the same time.
> +  #
>     #   BIT0 - Enable UEFI page guard.<BR>
>     #   BIT1 - Enable UEFI pool guard.<BR>
>     #   BIT2 - Enable SMM page guard.<BR>
>     #   BIT3 - Enable SMM pool guard.<BR>
> +  #   BIT4 - Enable UEFI freed-memory guard (Use-After-Free memory detection).<BR>
>     #   BIT6 - Enable non-stop mode.<BR>
>     #   BIT7 - The direction of Guard Page for Pool Guard.
>     #          0 - The returned pool is near the tail guard page.<BR>
> diff --git a/MdeModulePkg/MdeModulePkg.uni b/MdeModulePkg/MdeModulePkg.uni
> index 9d2e473fa9..e72b893509 100644
> --- a/MdeModulePkg/MdeModulePkg.uni
> +++ b/MdeModulePkg/MdeModulePkg.uni
> @@ -1227,11 +1227,13 @@
>                                                                                               "Note that due to the limit of pool memory implementation and the alignment\n"
>                                                                                               "requirement of UEFI spec, BIT7 is a try-best setting which cannot guarantee\n"
>                                                                                               "that the returned pool is exactly adjacent to head guard page or tail guard\n"
> -                                                                                            "page.\n"
> +                                                                                            "page.\n\n"
> +                                                                                            "Note that UEFI freed-memory guard and pool/page guard cannot be enabled at the same time.\n\n"
>                                                                                               "   BIT0 - Enable UEFI page guard.<BR>\n"
>                                                                                               "   BIT1 - Enable UEFI pool guard.<BR>\n"
>                                                                                               "   BIT2 - Enable SMM page guard.<BR>\n"
>                                                                                               "   BIT3 - Enable SMM pool guard.<BR>\n"
> +                                                                                            "   BIT4 - Enable UEFI freed-memory guard (Use-After-Free memory detection).<BR>\n"
>                                                                                               "   BIT7 - The direction of Guard Page for Pool Guard.\n"
>                                                                                               "          0 - The returned pool is near the tail guard page.<BR>\n"
>                                                                                               "          1 - The returned pool is near the head guard page.<BR>"
>