From: "Wang, Jian J"
To: "Wang, Jian J", "edk2-devel@lists.01.org"
CC: "Yao, Jiewen", "Dong, Eric", "Zeng, Star"
Date: Thu, 15 Mar 2018 01:09:42 +0000
References: <20180314083127.17964-1-jian.j.wang@intel.com>
In-Reply-To: <20180314083127.17964-1-jian.j.wang@intel.com>
Subject: Re: [PATCH] MdeModulePkg/Core: allow HeapGuard even before CpuArchProtocol installed

There's a bit operation error found on 32-bit platforms. I'll send a v2 patch later.

Regards,
Jian

> -----Original Message-----
> From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of Jian J Wang
> Sent: Wednesday, March 14, 2018 4:31 PM
> To: edk2-devel@lists.01.org
> Cc: Yao, Jiewen ; Dong, Eric ; Zeng, Star
> Subject: [edk2] [PATCH] MdeModulePkg/Core: allow HeapGuard even before CpuArchProtocol installed
>
> Due to the fact that HeapGuard needs CpuArchProtocol to update page
> attributes, the feature is normally enabled after CpuArchProtocol is
> installed. Since some drivers are loaded before CpuArchProtocol, they
> cannot make use of the HeapGuard feature to detect potential issues.
>
> This patch fixes the above situation by updating the DXE core to skip the
> NULL check against global gCpu in IsMemoryTypeToGuard(), and adding a
> NULL check against gCpu in SetGuardPage() and UnsetGuardPage() to make
> sure that they can be called but do nothing. This will allow HeapGuard to
> record all guarded memory without setting the related Guard pages to
> not-present.
>
> Once the CpuArchProtocol is installed, a protocol notify will be called
> to complete the work of setting Guard pages to not-present.
>
> Please note that the above changes will cause a #PF in GCD code during cleanup
> of map entries, which is initiated by the CpuDxe driver to update real MTRR
> and paging attributes back to GCD. During that time, CpuDxe doesn't allow
> GCD to update memory attributes and then any Guard page cannot be unset.
> As a result, this will prevent Guarded memory from being freed during memory
> map cleanup.
>
> The solution is to avoid allocating guarded memory as memory map entries
> in GCD code. It's done by setting global mOnGuarding to TRUE before memory
> allocation and setting it back to FALSE afterwards in GCD function
> CoreAllocateGcdMapEntry().
>
> Cc: Star Zeng
> Cc: Eric Dong
> Cc: Jiewen Yao
> Contributed-under: TianoCore Contribution Agreement 1.1
> Signed-off-by: Jian J Wang > --- > MdeModulePkg/Core/Dxe/Gcd/Gcd.c | 10 ++ > MdeModulePkg/Core/Dxe/Mem/HeapGuard.c | 132 > +++++++++++++++++++++++++- > MdeModulePkg/Core/Dxe/Mem/HeapGuard.h | 8 ++ > MdeModulePkg/Core/Dxe/Misc/MemoryProtection.c | 5 + > 4 files changed, 154 insertions(+), 1 deletion(-) >=20 > diff --git a/MdeModulePkg/Core/Dxe/Gcd/Gcd.c > b/MdeModulePkg/Core/Dxe/Gcd/Gcd.c > index 8fbc3d282c..77f4adb4bc 100644 > --- a/MdeModulePkg/Core/Dxe/Gcd/Gcd.c > +++ b/MdeModulePkg/Core/Dxe/Gcd/Gcd.c > @@ -16,6 +16,7 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY > KIND, EITHER EXPRESS OR IMPLIED. >=20 > #include "DxeMain.h" > #include "Gcd.h" > +#include "Mem/HeapGuard.h" >=20 > #define MINIMUM_INITIAL_MEMORY_SIZE 0x10000 >=20 > @@ -391,12 +392,21 @@ CoreAllocateGcdMapEntry ( > IN OUT EFI_GCD_MAP_ENTRY **BottomEntry > ) > { > + // > + // Set to mOnGuarding to TRUE before memory allocation. This will make= sure > + // that the entry memory is not "guarded" by HeapGuard. Otherwise it m= ight > + // cause problem when it's freed (if HeapGuard is enabled). > + // > + mOnGuarding =3D TRUE; > *TopEntry =3D AllocateZeroPool (sizeof (EFI_GCD_MAP_ENTRY)); > + mOnGuarding =3D FALSE; > if (*TopEntry =3D=3D NULL) { > return EFI_OUT_OF_RESOURCES; > } >=20 > + mOnGuarding =3D TRUE; > *BottomEntry =3D AllocateZeroPool (sizeof (EFI_GCD_MAP_ENTRY)); > + mOnGuarding =3D FALSE; > if (*BottomEntry =3D=3D NULL) { > CoreFreePool (*TopEntry); > return EFI_OUT_OF_RESOURCES; > diff --git a/MdeModulePkg/Core/Dxe/Mem/HeapGuard.c > b/MdeModulePkg/Core/Dxe/Mem/HeapGuard.c > index 19245049c2..de2c468b83 100644 > --- a/MdeModulePkg/Core/Dxe/Mem/HeapGuard.c > +++ b/MdeModulePkg/Core/Dxe/Mem/HeapGuard.c > @@ -576,6 +576,10 @@ SetGuardPage ( > IN EFI_PHYSICAL_ADDRESS BaseAddress > ) > { > + if (gCpu =3D=3D NULL) { > + return; > + } > + > // > // Set flag to make sure allocating memory without GUARD for page tabl= e > // operation; otherwise infinite loops could be caused. 
> @@ -606,6 +610,10 @@ UnsetGuardPage ( > { > UINT64 Attributes; >=20 > + if (gCpu =3D=3D NULL) { > + return; > + } > + > // > // Once the Guard page is unset, it will be freed back to memory pool.= NX > // memory protection must be restored for this page if NX is enabled f= or free > @@ -652,7 +660,7 @@ IsMemoryTypeToGuard ( > UINT64 ConfigBit; > BOOLEAN InSmm; >=20 > - if (gCpu =3D=3D NULL || AllocateType =3D=3D AllocateAddress) { > + if (AllocateType =3D=3D AllocateAddress) { > return FALSE; > } >=20 
> @@ -1160,6 +1168,128 @@ CoreConvertPagesWithGuard ( > return CoreConvertPages (Start, NumberOfPages, NewType); > } >=20 > +/** > + Set all Guard pages which cannot be set before CPU Arch Protocol insta= lled. > +**/ > +VOID > +SetAllGuardPages ( > + VOID > + ) > +{ > + UINTN Entries[GUARDED_HEAP_MAP_TABLE_DEPTH]; > + UINTN Shifts[GUARDED_HEAP_MAP_TABLE_DEPTH]; > + UINTN Indices[GUARDED_HEAP_MAP_TABLE_DEPTH]; > + UINT64 Tables[GUARDED_HEAP_MAP_TABLE_DEPTH]; > + UINT64 Addresses[GUARDED_HEAP_MAP_TABLE_DEPTH]; > + UINT64 TableEntry; > + UINT64 Address; > + UINT64 GuardPage; > + INTN Level; > + UINTN Index; > + BOOLEAN OnGuarding; > + > + if (mGuardedMemoryMap =3D=3D 0 || > + mMapLevel =3D=3D 0 || > + mMapLevel > GUARDED_HEAP_MAP_TABLE_DEPTH) { > + return; > + } > + > + CopyMem (Entries, mLevelMask, sizeof (Entries)); > + CopyMem (Shifts, mLevelShift, sizeof (Shifts)); > + > + SetMem (Tables, sizeof(Tables), 0); > + SetMem (Addresses, sizeof(Addresses), 0); > + SetMem (Indices, sizeof(Indices), 0); > + > + Level =3D GUARDED_HEAP_MAP_TABLE_DEPTH - mMapLevel; > + Tables[Level] =3D mGuardedMemoryMap; > + Address =3D 0; > + OnGuarding =3D FALSE; > + > + DEBUG_CODE ( > + DumpGuardedMemoryBitmap (); > + ); > + > + while (TRUE) { > + if (Indices[Level] > Entries[Level]) { > + Tables[Level] =3D 0; > + Level -=3D 1; > + } else { > + > + TableEntry =3D ((UINT64 *)(UINTN)(Tables[Level]))[Indices[Level]]= ; > + Address =3D Addresses[Level]; > + > + if (TableEntry =3D=3D 0) { > + > + OnGuarding =3D FALSE; > + > + } else if (Level < GUARDED_HEAP_MAP_TABLE_DEPTH - 1) { > + > + Level +=3D 1; > + Tables[Level] =3D TableEntry; > + Addresses[Level] =3D Address; > + Indices[Level] =3D 0; > + > + continue; > + > + } else { > + > + Index =3D 0; > + while (Index < GUARDED_HEAP_MAP_ENTRY_BITS) { > + if ((TableEntry & 1) =3D=3D 1) { > + if (OnGuarding) { > + GuardPage =3D 0; > + } else { > + GuardPage =3D Address - EFI_PAGE_SIZE; > + } > + OnGuarding =3D TRUE; > + } else { > + if 
(OnGuarding) { > + GuardPage =3D Address; > + } else { > + GuardPage =3D 0; > + } > + OnGuarding =3D FALSE; > + } > + > + if (GuardPage !=3D 0) { > + SetGuardPage (GuardPage); > + } > + > + if (TableEntry =3D=3D 0) { > + break; > + } > + > + TableEntry =3D RShiftU64 (TableEntry, 1); > + Address +=3D EFI_PAGE_SIZE; > + Index +=3D 1; > + } > + } > + } > + > + if (Level < (GUARDED_HEAP_MAP_TABLE_DEPTH - (INTN)mMapLevel)) { > + break; > + } > + > + Indices[Level] +=3D 1; > + Address =3D (Level =3D=3D 0) ? 0 : Addresses[Level - 1]; > + Addresses[Level] =3D Address | LShiftU64(Indices[Level], Shifts[Leve= l]); > + > + } > +} > + > +/** > + Notify function used to set all Guard pages before CPU Arch Protocol i= nstalled. > +**/ > +VOID > +HeapGuardCpuArchProtocolNotify ( > + VOID > + ) > +{ > + ASSERT (gCpu !=3D NULL); > + SetAllGuardPages (); > +} > + > /** > Helper function to convert a UINT64 value in binary to a string. >=20 > diff --git a/MdeModulePkg/Core/Dxe/Mem/HeapGuard.h > b/MdeModulePkg/Core/Dxe/Mem/HeapGuard.h > index 7208ab1437..8c34692439 100644 > --- a/MdeModulePkg/Core/Dxe/Mem/HeapGuard.h > +++ b/MdeModulePkg/Core/Dxe/Mem/HeapGuard.h > @@ -399,6 +399,14 @@ IsHeapGuardEnabled ( > VOID > ); >=20 > +/** > + Notify function used to set all Guard pages after CPU Arch Protocol in= stalled. > +**/ > +VOID > +HeapGuardCpuArchProtocolNotify ( > + VOID > + ); > + > extern BOOLEAN mOnGuarding; >=20 > #endif > diff --git a/MdeModulePkg/Core/Dxe/Misc/MemoryProtection.c > b/MdeModulePkg/Core/Dxe/Misc/MemoryProtection.c > index 407aece807..2f7e490af1 100644 > --- a/MdeModulePkg/Core/Dxe/Misc/MemoryProtection.c > +++ b/MdeModulePkg/Core/Dxe/Misc/MemoryProtection.c 
> @@ -1001,6 +1001,11 @@ MemoryProtectionCpuArchProtocolNotify ( > InitializeDxeNxMemoryProtectionPolicy (); > } >=20 > + // > + // Call notify function meant for Heap Guard. > + // > + HeapGuardCpuArchProtocolNotify (); > + > if (mImageProtectionPolicy =3D=3D 0) { > return; > } > -- > 2.16.2.windows.1 >=20 > _______________________________________________ > edk2-devel mailing list > edk2-devel@lists.01.org > https://lists.01.org/mailman/listinfo/edk2-devel
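Review bot: in the Gcd.c hunk for CoreAllocateGcdMapEntry, the unconditional `mOnGuarding = FALSE;` after each AllocateZeroPool clears the flag even when a caller further up already had it set, and the context visible in SetGuardPage ("Set flag to make sure allocating memory without GUARD for page table operation; otherwise infinite loops could be caused.") shows the same global is driven from there. Save and restore the previous value instead, once around both allocations: `OldOnGuarding = mOnGuarding; mOnGuarding = TRUE; ... mOnGuarding = OldOnGuarding;`. The new comment also reads "Set to mOnGuarding to TRUE"; drop the first "to".

Review bot: in the SetGuardPage and UnsetGuardPage hunks the early `if (gCpu == NULL) { return; }` is not reflected in either function's doc comment; state there that the call is a no-op until CpuArchProtocol is installed and that the deferred pages are applied by HeapGuardCpuArchProtocolNotify, otherwise a reader of UnsetGuardPage will wonder why the NX restore described in the comment right below can be skipped (it can, because nothing was changed before gCpu existed).

Review bot: in the SetAllGuardPages hunk, the `if (TableEntry == 0) { OnGuarding = FALSE; }` branch drops an open run without emitting its tail guard page. The bit loop breaks as soon as the shifted TableEntry reaches 0, so a guarded run whose last marked page is bit 63 of an entry leaves OnGuarding TRUE; when the next entry (at any level) is all zero, the page at Address is never passed to SetGuardPage and that allocation keeps a present tail guard. Before clearing the flag do `if (OnGuarding) { SetGuardPage (Address); }`, mirroring the `GuardPage = Address;` case of the bit loop.

Review bot: the doc comment of HeapGuardCpuArchProtocolNotify in HeapGuard.c says "set all Guard pages before CPU Arch Protocol installed" while the declaration in HeapGuard.h says "after CPU Arch Protocol installed"; the header wording is the right one (the function asserts gCpu != NULL), so fix the .c comment. SetAllGuardPages is only called from HeapGuardCpuArchProtocolNotify in this patch and is not declared in the header, so it should be STATIC.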
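The commit message above describes HeapGuard recording guarded pages in a bitmap first and, once CpuArchProtocol is available, deriving the guard pages from that bitmap to mark them not-present. The following is an added example, not edk2 code: a flat, single-level model of that bitmap (edk2 uses a multi-level table; the level walk only changes how the next entry is located) with a walk that yields the head and tail guard page of every run of marked pages. It carries the "inside a run" state across word boundaries, all-zero words included, which is the case that needs care when a run ends on the last bit of a word. All names (PAGE_SIZE, BITS_PER_WORD, mark_pages, collect_guard_pages, demo_*) and the sample allocations are this example's own assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Added example, not edk2 code. One bit per 4 KiB page; a set bit means the
 * page belongs to a guarded allocation. Guard pages are never marked in the
 * bitmap: they are the page just before and just after each run of set bits.
 * PAGE_SIZE, BITS_PER_WORD and every function below are assumed names.
 */
#define PAGE_SIZE      0x1000ULL
#define BITS_PER_WORD  64

/* Mark npages pages starting at the page-aligned address addr. */
void mark_pages(uint64_t *map, uint64_t addr, size_t npages)
{
  uint64_t page = addr / PAGE_SIZE;
  for (size_t i = 0; i < npages; i++, page++) {
    map[page / BITS_PER_WORD] |= 1ULL << (page % BITS_PER_WORD);
  }
}

/*
 * Walk the bitmap and store each guard page address in out[] (at most max
 * entries; the return value is the total found). The run state survives
 * word boundaries, so a run ending on bit 63 followed by an all-zero word
 * still gets its tail guard, which a per-word reset of the state would miss.
 */
size_t collect_guard_pages(const uint64_t *map, size_t words,
                           uint64_t *out, size_t max)
{
  size_t   count = 0;
  int      on_guarding = 0;
  uint64_t address = 0;            /* address of the page for the current bit */

  for (size_t w = 0; w < words; w++) {
    uint64_t entry = map[w];
    for (int bit = 0; bit < BITS_PER_WORD; bit++) {
      int      set   = (int)((entry >> bit) & 1);
      uint64_t guard = 0;          /* 0 means "no guard page at this bit" */

      if (set && !on_guarding && address != 0) {
        guard = address - PAGE_SIZE;   /* head guard: the page before the run */
      } else if (!set && on_guarding) {
        guard = address;               /* tail guard: the page after the run */
      }
      on_guarding = set;

      if (guard != 0) {
        if (count < max) {
          out[count] = guard;
        }
        count++;
      }
      address += PAGE_SIZE;
    }
  }
  return count;
}

/*
 * Constructed sample: a 512-page (2 MiB) bitmap with two guarded allocations.
 * The first occupies pages 62 and 63 (the top two bits of word 0) and is
 * followed by an all-zero word 1; the second occupies three pages in word 4.
 */
size_t demo_guard_pages(uint64_t *out, size_t max)
{
  uint64_t map[8] = {0};
  mark_pages(map, 0x3E000, 2);     /* pages 62-63: run ends on bit 63 of word 0 */
  mark_pages(map, 0x101000, 3);    /* pages 257-259: run inside word 4 */
  return collect_guard_pages(map, 8, out, max);
}

size_t demo_guard_page_count(void)
{
  uint64_t guards[16];
  return demo_guard_pages(guards, 16);
}

uint64_t demo_guard_page_at(size_t index)
{
  uint64_t guards[16];
  size_t n = demo_guard_pages(guards, 16);
  return index < n ? guards[index] : 0;
}

int main(void)
{
  uint64_t guards[16];
  size_t n = demo_guard_pages(guards, 16);
  for (size_t i = 0; i < n; i++) {
    printf("guard page at 0x%llx\n", (unsigned long long)guards[i]);
  }
  return 0;
}
```

Builds with any C99 compiler and prints four guard pages: 0x3D000 and 0x40000 around the first run, 0x100000 and 0x104000 around the second. The 0x40000 entry is the one that only appears because the run state is not reset when an all-zero word is encountered; in a multi-level table the same rule applies to an absent subtree.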