From: "Kun Qin via groups.io" <Kun.Qin@microsoft.com>
To: "Ni, Ray" <ray.ni@intel.com>
Cc: "Kinney, Michael D" <michael.d.kinney@intel.com>, devel@edk2.groups.io
Date: Fri, 18 Apr 2025 07:30:06 +0000
Subject: Re: [edk2-devel] A bug in the SmmCommunication V3 logic

Hi Ray,

I will verify the code first thing tomorrow morning. But I just looked at the code flow before the change, and it seems that SmmCommunicationMmCommunicate2 is also using the physical address, and the common routine will dereference the pointer to read the message length as well. I just checked: the variable runtime driver did not convert the input physical pointer. Would that cause the same issue? Did I miss something, or have we lucked out all along?

Regards,
Kun

From: Ni, Ray <ray.ni@intel.com>
Sent: Thursday, April 17, 2025 11:45 PM
To: Kun Qin <Kun.Qin@microsoft.com>
Cc: Kinney, Michael D <michael.d.kinney@intel.com>; devel@edk2.groups.io; Ni, Ray <ray.ni@intel.com>
Subject: [EXTERNAL] A bug in the SmmCommunication V3 logic

Hi Qin,

I think there is a bug in the SmmCommunication protocol implementation.

All 3 communication protocol calls go to the same communicate() function that tests the HeaderGuid against the V3 GUID.

But when the call is from runtime, reading the HeaderGuid using the physical address of the communication buffer would cause a page fault. The virtual address should be used.

The bug was not there without your patch because the communicate routines happened not to read any bytes from the communication buffer but simply passed the address to SMM. SMM expects the physical address because the virtual-to-physical mapping in SMM is identical.

The bug exists in both SmmIpl.c in MdeModulePkg and MmCommunicationDxe.c in StandaloneMmPkg.

The bug would cause OS boot failure if there is any communication protocol invocation after ExitBootService.

I guess the bug might not be there in your first version of the patch, but was introduced when I asked you to consolidate the logic together.

Can you kindly reproduce it locally and send out a fix after confirming?

Thanks,
Ray

View/Reply Online (#121266): https://edk2.groups.io/g/devel/message/121266
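The address rule Ray describes (the DXE side must read the header through an address valid in its own context, while SMM is always handed the physical address because SMM's mapping stays identity), as an added example that is not part of this thread and is not EDK2 code. It is a constructed C simulation: the GUID value standing in for the V3 header GUID, the RAM size, the virtual window `VIRT_BASE`, the status codes and every function name are placeholders chosen for illustration. `translate()` plays the role of the page tables: before SetVirtualAddressMap (and in SMM) it is identity, after it runtime DXE can only reach the OS-assigned alias and a physical address "faults" (returns NULL). The four cases cover boot time, the runtime bug (reading via physical), the fix (reading via virtual), and the opposite mistake of handing the virtual address to SMM.

```c
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed simulation, NOT EDK2 code: GUID value, address layout,
 * status codes and function names are placeholders for illustration. */

typedef struct { uint32_t d1; uint16_t d2, d3; uint8_t d4[8]; } guid_t;

/* Placeholder GUID standing in for the V3 communicate-header GUID. */
static const guid_t V3_HEADER_GUID = { 0x11111111u, 0x2222u, 0x3333u,
                                       { 0, 1, 2, 3, 4, 5, 6, 7 } };

/* Wire layout of the communicate header: GUID followed by a 64-bit length. */
#define HDR_GUID_OFF 0u
#define HDR_LEN_OFF  ((uint64_t)sizeof(guid_t))
#define HDR_SIZE     (HDR_LEN_OFF + 8u)

#define RAM_SIZE   4096u
#define VIRT_BASE  0x100000000ULL  /* OS-assigned window after SetVirtualAddressMap */
#define BUF_PHYS   0x100ULL        /* physical address of the constructed sample buffer */
#define BUF_VIRT   (VIRT_BASE + BUF_PHYS)
#define SAMPLE_LEN 12u

static uint8_t g_ram[RAM_SIZE];    /* simulated physical RAM */

typedef enum { CTX_DXE_BOOT, CTX_DXE_RUNTIME, CTX_SMM } context_t;
typedef enum { ST_OK = 0, ST_PAGE_FAULT = 1 } status_t;
typedef struct { status_t status; int is_v3; uint64_t msg_len; } result_t;

/* Translate an address for the executing context; NULL means "page fault".
 * Boot-time DXE and SMM map RAM 1:1; runtime DXE only has the virtual alias. */
static uint8_t *translate(uint64_t addr, context_t ctx) {
  if (ctx == CTX_DXE_RUNTIME) {
    if (addr >= VIRT_BASE && addr - VIRT_BASE + HDR_SIZE <= RAM_SIZE)
      return &g_ram[addr - VIRT_BASE];
    return NULL;
  }
  return (addr + HDR_SIZE <= RAM_SIZE) ? &g_ram[addr] : NULL;
}

/* SMM side: dereferences the address it was handed, under SMM's own mapping. */
static status_t smm_handler(uint64_t addr, uint64_t *msg_len) {
  uint8_t *p = translate(addr, CTX_SMM);
  if (p == NULL) return ST_PAGE_FAULT;
  memcpy(msg_len, p + HDR_LEN_OFF, sizeof *msg_len);
  return ST_OK;
}

/* DXE-side common communicate() routine: reads HeaderGuid locally through
 * either the physical or the virtual address, then always passes the
 * physical address to SMM. */
static result_t communicate(uint64_t phys, uint64_t virt, context_t ctx,
                            int read_via_virtual) {
  result_t r = { ST_OK, 0, 0 };
  uint8_t *p = translate(read_via_virtual ? virt : phys, ctx);
  if (p == NULL) { r.status = ST_PAGE_FAULT; return r; }  /* DXE faults here */
  r.is_v3 = memcmp(p + HDR_GUID_OFF, &V3_HEADER_GUID, sizeof(guid_t)) == 0;
  r.status = smm_handler(phys, &r.msg_len);               /* SMM gets physical */
  return r;
}

/* Constructed sample buffer: a V3 header with MessageLength = SAMPLE_LEN. */
static void init_sample_buffer(void) {
  uint64_t len = SAMPLE_LEN;
  memset(g_ram, 0, sizeof g_ram);
  memcpy(&g_ram[BUF_PHYS + HDR_GUID_OFF], &V3_HEADER_GUID, sizeof(guid_t));
  memcpy(&g_ram[BUF_PHYS + HDR_LEN_OFF], &len, sizeof len);
}

/* Boot time: virtual == physical, reading through the physical address is fine. */
static result_t case_boot_time(void)       { init_sample_buffer(); return communicate(BUF_PHYS, BUF_PHYS, CTX_DXE_BOOT, 0); }
/* Runtime bug: header read through the physical address -> page fault in DXE. */
static result_t case_runtime_buggy(void)   { init_sample_buffer(); return communicate(BUF_PHYS, BUF_VIRT, CTX_DXE_RUNTIME, 0); }
/* Runtime fix: header read through the virtual address, physical handed to SMM. */
static result_t case_runtime_fixed(void)   { init_sample_buffer(); return communicate(BUF_PHYS, BUF_VIRT, CTX_DXE_RUNTIME, 1); }
/* Opposite mistake: virtual address handed to SMM -> fault on the SMM side. */
static result_t case_virtual_into_smm(void){ init_sample_buffer(); return communicate(BUF_VIRT, BUF_VIRT, CTX_DXE_RUNTIME, 1); }

int main(void) {
  result_t cases[4] = { case_boot_time(), case_runtime_buggy(),
                        case_runtime_fixed(), case_virtual_into_smm() };
  const char *names[4] = { "boot time", "runtime, read via physical",
                           "runtime, read via virtual", "runtime, virtual into SMM" };
  for (int i = 0; i < 4; i++)
    printf("%-28s status=%s is_v3=%d len=%" PRIu64 "\n", names[i],
           cases[i].status == ST_OK ? "OK" : "PAGE_FAULT", cases[i].is_v3, cases[i].msg_len);
  return 0;
}
```

The point the simulation makes is that the two sides need different addresses for the same buffer: the DXE routine dereferences the virtual one after the OS has switched to virtual mode, and hands the physical one to SMM, whose mapping is identity. A consolidated communicate() that uses one address for both is correct at boot time and breaks at runtime, which is why the bug only shows up after ExitBootServices.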