From mboxrd@z Thu Jan 1 00:00:00 1970
From: "Kun Qin via groups.io" <Kun.Qin@microsoft.com>
To: "Kinney, Michael D" <michael.d.kinney@intel.com>, "Ni, Ray" <ray.ni@intel.com>
CC: devel@edk2.groups.io, "Ni, Ray" <ray.ni@intel.com>
Subject: Re: [edk2-devel] A bug in the SmmCommunication V3 logic
Date: Fri, 18 Apr 2025 18:25:33 +0000
List-Id: devel@edk2.groups.io
Message: https://edk2.groups.io/g/devel/message/121270
Hi Mike,

Thanks for the explanation. That makes sense. I confirmed the issue on PiSmmIpl side. A patch should be available some time today after I test both traditional MM and Standalone MM paths.

Regards,
Kun

From: Kinney, Michael D <michael.d.kinney@intel.com>
Sent: Friday, April 18, 2025 8:59 AM
To: Kun Qin <Kun.Qin@microsoft.com>; Ni, Ray <ray.ni@intel.com>
Cc: devel@edk2.groups.io; Ni, Ray <ray.ni@intel.com>; Kinney, Michael D <michael.d.kinney@intel.com>
Subject: [EXTERNAL] RE: A bug in the SmmCommunication V3 logic

Hi Kun,

I think the reason it may have always worked is for the case where SmmCommunicationCommunicate() at runtime after SetVirtualAddressMap() and CommSize is not NULL. In that case, CommunicateHeader that points to CommBuffer is never dereferenced and a call to mSmmControl2->Trigger() is made.

If CommSize is NULL, then MessageLength field of CommunicateHeader would be dereferenced as a physical address at OS runtime after SetVirtualAddressMap() and a page fault would occur. My guess is that CommSize is never NULL, and that is why we have been lucky.

With the addition of the check for the V3 GUID, the HeaderGuid field of CommunicateHeader is always dereferenced. So if CommunicateHeader is a physical address at OS Runtime after SetVirtualAddressMap(), then a page fault will always occur. No more luck.

Mike

From: Kun Qin <Kun.Qin@microsoft.com>
Sent: Friday, April 18, 2025 12:30 AM
To: Ni, Ray <ray.ni@intel.com>
Cc: Kinney, Michael D <michael.d.kinney@intel.com>; devel@edk2.groups.io; Ni, Ray <ray.ni@intel.com>
Subject: RE: A bug in the SmmCommunication V3 logic

Hi Ray,

I will verify the code first thing tomorrow morning. But I just looked at the code flow before the change, it seems that SmmCommunicationMmCommunicate2 is also using physical address, and the common routine will dereference the pointer to read message length as well. I just checked variable runtime driver did not convert the input physical pointer. Would that cause the same issue? Did I miss something or have we lucked out all along?

Regards,
Kun

From: Ni, Ray <ray.ni@intel.com>
Sent: Thursday, April 17, 2025 11:45 PM
To: Kun Qin <Kun.Qin@microsoft.com>
Cc: Kinney, Michael D <michael.d.kinney@intel.com>; devel@edk2.groups.io; Ni, Ray <ray.ni@intel.com>
Subject: [EXTERNAL] A bug in the SmmCommunication V3 logic

Hi Qin,

I think there is a bug in the SmmCommunication protocol implementation.

All 3 communication protocol calls go to the same communicate() function that tests the HeaderGuid against the V3 GUID.

But when the call is from runtime, reading the HeaderGuid using the physical address of communication buffer would cause page fault. The virtual address should be used.

The bug was not there without your patch because the communicate routines happened not to read any bytes from the communication buffer but simply pass the address to SMM. SMM expects the physical address because the virtual-to-physical mapping in SMM is identical.

The bug exists in both the SmmIpl.c in MdeModulePkg and the MmCommunicationDxe.c in StandaloneMmPkg.

The bug would cause OS boot failure if there is any communication protocol invocation after ExitBootService.

I guess the bug might not be there in your first version of patch, but was introduced when I asked you to consolidate the logic together.

Can you kindly reproduce it locally and send out a fix after confirming?

Thanks,
Ray

Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#121270): https://edk2.groups.io/g/devel/message/121270
Mute This Topic: https://groups.io/mt/112327494/7686176
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub
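As an added illustration, not code from edk2 or from anyone in this thread: a small C model of the failure mode Ray and Mike describe, where the consolidated communicate() path reads HeaderGuid through a pointer that is only a physical address once the OS has run SetVirtualAddressMap(). The header layout, the address-space model and the GUID value are constructed for this example; it assumes only that at OS runtime the virtual alias is mapped and the physical address is not, while SMM still consumes the physical address.

```c
#include <stdint.h>
#include <string.h>

/* Hypothetical stand-in for the communicate header: a GUID, then a length. */
typedef struct { uint8_t HeaderGuid[16]; uint64_t MessageLength; } CommHeader;

/* Toy memory model: one page of "physical" memory. After the simulated
 * SetVirtualAddressMap() the OS maps only an alias VIRT_OFFSET above it. */
#define VIRT_OFFSET ((uintptr_t)0x40000000u)
static uint8_t g_phys[4096];
static int g_at_runtime;                  /* 1 once SetVirtualAddressMap() has run */

static uintptr_t phys_addr(void) { return (uintptr_t)g_phys; }
static uintptr_t virt_addr(void) { return phys_addr() + VIRT_OFFSET; }

/* Resolve an address to backing storage; NULL means a simulated page fault. */
static const uint8_t *translate(uintptr_t a) {
  uintptr_t base = g_at_runtime ? virt_addr() : phys_addr();  /* only one mapping is live */
  if (a >= base && a + sizeof(CommHeader) <= base + sizeof g_phys)
    return g_phys + (a - base);
  return NULL;
}

/* The consolidated communicate() path: it reads HeaderGuid to test for the V3
 * GUID before handing the buffer to SMM. Returns 1 if V3, 0 if not, -1 on fault. */
static int communicate(uintptr_t header_ptr, uintptr_t smm_ptr, const uint8_t v3_guid[16]) {
  const uint8_t *p = translate(header_ptr);
  if (p == NULL) return -1;               /* dereferenced an unmapped address */
  CommHeader h;
  memcpy(&h, p, sizeof h);
  (void)smm_ptr;                          /* SMM is handed the physical address, never the alias */
  return memcmp(h.HeaderGuid, v3_guid, sizeof h.HeaderGuid) == 0;
}

/* Constructed V3 GUID used only by this example. */
static const uint8_t kV3Guid[16] = {0xA1,0xB2,0xC3,0xD4,0xE5,0xF6,0x07,0x18,
                                    0x29,0x3A,0x4B,0x5C,0x6D,0x7E,0x8F,0x90};

/* One scenario: boot time or OS runtime, header read through the physical
 * address (the reported bug) or through the virtual alias (the intended path). */
static int scenario(int at_runtime, int header_via_virtual) {
  CommHeader h = {{0}, 8};
  memcpy(h.HeaderGuid, kV3Guid, sizeof kV3Guid);
  memcpy(g_phys, &h, sizeof h);           /* caller placed a V3 header in the buffer */
  g_at_runtime = at_runtime;
  uintptr_t hdr = header_via_virtual ? virt_addr() : phys_addr();
  return communicate(hdr, phys_addr(), kV3Guid);
}
```

Before the V3 check was added, communicate() never touched the header, so scenario(1, 0) would not have faulted; with the check it does, which is the "no more luck" case in Mike's reply.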
