From: "Andrei Warkentin"
To: "devel@edk2.groups.io", "ard.biesheuvel@arm.com"
CC: "leif@nuviainc.com", "pete@akeo.ie", "jeremy.linton@arm.com", "Samer.El-Haj-Mahmoud@arm.com"
Subject: Re: [edk2-devel] [PATCH] EmbeddedPkg/NonCoherentDmaLib: avoid dereferencing bogus buffer address
Date: Wed, 17 Jun 2020 16:19:41 +0000
In-Reply-To: <20200617153824.1175136-1-ard.biesheuvel@arm.com>

Reviewed-by: Andrei Warkentin <awarkentin@vmware.com>

From: devel@edk2.groups.io <devel@edk2.groups.io> on behalf of Ard Biesheuvel via groups.io <ard.biesheuvel=arm.com@groups.io>
Sent: Wednesday, June 17, 2020 10:38 AM
To: devel@edk2.groups.io <devel@edk2.groups.io>
Cc: leif@nuviainc.com <leif@nuviainc.com>; pete@akeo.ie <pete@akeo.ie>; Andrei Warkentin <awarkentin@vmware.com>; jeremy.linton@arm.com <jeremy.linton@arm.com>; Samer.El-Haj-Mahmoud@arm.com <Samer.El-Haj-Mahmoud@arm.com>; Ard Biesheuvel <ard.biesheuvel@arm.com>
Subject: [edk2-devel] [PATCH] EmbeddedPkg/NonCoherentDmaLib: avoid dereferencing bogus buffer address
 
The bounce buffering code in NonCoherentDmaLib copies data into the
bounce buffer using CopyMem(), but passes Map->HostAddress as the
source of the copy before it has been assigned its correct value.

Signed-off-by: Ard Biesheuvel <ard.biesheuvel@arm.com>
---
 EmbeddedPkg/Library/NonCoherentDmaLib/NonCoherentDmaLib.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/EmbeddedPkg/Library/NonCoherentDmaLib/NonCoherentDmaLib.c b/Em= beddedPkg/Library/NonCoherentDmaLib/NonCoherentDmaLib.c
index 115345765435..9c8ef5bfb533 100644
--- a/EmbeddedPkg/Library/NonCoherentDmaLib/NonCoherentDmaLib.c
+++ b/EmbeddedPkg/Library/NonCoherentDmaLib/NonCoherentDmaLib.c=
@@ -225,8 +225,7 @@ DmaMap (
     }

 

     if (Map->Operation =3D=3D MapOperationBusMaster= Read) {

-      CopyMem (Map->BufferAddress, (VOID *)(UI= NTN)Map->HostAddress,

-        *NumberOfBytes);

+      CopyMem (Map->BufferAddress, (VOID *= )(UINTN)HostAddress, *NumberOfBytes);

     }

     mCpu->FlushDataCache (mCpu, (UINTN)Map->Buff= erAddress, AllocSize,

             Ef= iCpuFlushTypeWriteBack);
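
Review bot: in the MapOperationBusMasterRead branch, Map->HostAddress is still unassigned at the point of this CopyMem per the commit message, so the fix depends on nothing else reading that field before its later assignment. Consider moving the Map->HostAddress assignment ahead of this block, so that the field and the HostAddress argument agree for the whole bounce-buffer path. Also check whether the `(VOID *)(UINTN)` cast carried over from the old line is still needed on HostAddress; if HostAddress is already a pointer, the cast can be dropped.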

--
2.27.0

