From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from nat-hk.nvidia.com (nat-hk.nvidia.com [203.18.50.4]) by mx.groups.io with SMTP id smtpd.web10.14707.1585151265697935106 for ; Wed, 25 Mar 2020 08:47:46 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@nvidia.com header.s=n1 header.b=PMkNR19i; spf=pass (domain: nvidia.com, ip: 203.18.50.4, mailfrom: ashishsingha@nvidia.com) Received: from hkpgpgate101.nvidia.com (Not Verified[10.18.92.9]) by nat-hk.nvidia.com (using TLS: TLSv1.2, DES-CBC3-SHA) id ; Wed, 25 Mar 2020 23:47:43 +0800 Received: from HKMAIL101.nvidia.com ([10.18.16.10]) by hkpgpgate101.nvidia.com (PGP Universal service); Wed, 25 Mar 2020 08:47:43 -0700 X-PGP-Universal: processed; by hkpgpgate101.nvidia.com on Wed, 25 Mar 2020 08:47:43 -0700 Received: from HKMAIL102.nvidia.com (10.18.16.11) by HKMAIL101.nvidia.com (10.18.16.10) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Wed, 25 Mar 2020 15:47:42 +0000 Received: from NAM11-BN8-obe.outbound.protection.outlook.com (104.47.58.172) by HKMAIL102.nvidia.com (10.18.16.11) with Microsoft SMTP Server (TLS) id 15.0.1473.3 via Frontend Transport; Wed, 25 Mar 2020 15:47:42 +0000 ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=WrxWeVWezppqnPE/dwqWSD5yilI2O64pWbuiqLyOEmLWhvBWgyskcWAFDaIpiv5ABtwGnyf+C6q1SLhjoVB2mhkL0d++Col3O336bp+oIPaZGdu9xWI1BEH4JQyR4tQjKp4spJy+doKWO8xOx7+8XvmxibMOlmoRKipE5HLZTHv0tE/wgXt7ny4OgeWitKJLEc8kBxF2qBtbJmajplY1EwmDEIk0VnenEwot9ivURVRlKrD3bfI0vKg1sFtymp4KzGueAHQNSYa5eMHd1RREWeCAoYDsWLjh6LJrZEyq9WLXwOLNx6mj3b/R8sLEvyA5cDQZU1NcTVXyMZsQKqmHMQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=9UCv8c8RlLeqSIeo4UEt9VIv/V9AVdNGlD1KEThKmdg=; b=ObbTE9egCTZ2Onr4FWUrJvYyZPLYrNnYGXLDpCmtEFHFlSKZ4uj2bWtYP38sYIk0eO3tkU/dV231QZHQ1A+x4uws+Gx4hlKGHbP9Be1bIO722nO0czYaX4jNxId6Hpw0wbVpLfpHxz2iMPfjLP4hjAe59PbG2hWFpHXvuzzm2J3PuRz0AAUN/afBlaoCTpH0bH2DzWm85qzhcveQ6v2572JB/I2xeOB/RZIeaSGxfCOk52IR+fU0mo3mBQRwsWg5WJpKjYaBh2zf0F8DDCGhgbSlPuMHudChazDxB5yIAQWytNg08WXSrjD+/e/BUJ0bgZA51JE9h60Nhhsn9YC9zg== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=nvidia.com; dmarc=pass action=none header.from=nvidia.com; dkim=pass header.d=nvidia.com; arc=none Received: from MW3PR12MB4457.namprd12.prod.outlook.com (2603:10b6:303:2e::20) by MW3PR12MB4474.namprd12.prod.outlook.com (2603:10b6:303:2e::7) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2835.20; Wed, 25 Mar 2020 15:47:39 +0000 Received: from MW3PR12MB4457.namprd12.prod.outlook.com ([fe80::d477:5c8e:2e4e:5481]) by MW3PR12MB4457.namprd12.prod.outlook.com ([fe80::d477:5c8e:2e4e:5481%4]) with mapi id 15.20.2835.023; Wed, 25 Mar 2020 15:47:39 +0000 From: "Ashish Singhal" To: Ard Biesheuvel , "devel@edk2.groups.io" CC: Laszlo Ersek , Leif Lindholm Subject: Re: [PATCH v3 1/3] ArmPkg/ArmMmuLib AARCH64: limit recursion when freeing page tables Thread-Topic: [PATCH v3 1/3] ArmPkg/ArmMmuLib AARCH64: limit recursion when freeing page tables Thread-Index: AQHWArq+5To/saWfwE6o9awmDuunpahZc7Oc Date: Wed, 25 Mar 2020 15:47:39 +0000 Message-ID: References: <20200325152940.1492-1-ard.biesheuvel@linaro.org>,<20200325152940.1492-2-ard.biesheuvel@linaro.org> In-Reply-To: <20200325152940.1492-2-ard.biesheuvel@linaro.org> Accept-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: authentication-results: spf=none (sender IP is ) smtp.mailfrom=ashishsingha@nvidia.com; x-originating-ip: [216.228.112.22] x-ms-publictraffictype: Email x-ms-office365-filtering-correlation-id: 9b38c350-8148-44f5-12f3-08d7d0d3d907 x-ms-traffictypediagnostic: MW3PR12MB4474: x-microsoft-antispam-prvs: x-ms-oob-tlc-oobclassifiers: OLM:361; x-forefront-prvs: 0353563E2B x-forefront-antispam-report: SFV:NSPM;SFS:(10009020)(376002)(366004)(39860400002)(396003)(136003)(346002)(5660300002)(110136005)(19627405001)(52536014)(54906003)(33656002)(76116006)(7696005)(66476007)(66556008)(316002)(19627235002)(8676002)(66946007)(81166006)(71200400001)(86362001)(81156014)(478600001)(4326008)(186003)(9686003)(55016002)(26005)(6506007)(53546011)(64756008)(2906002)(8936002)(66446008);DIR:OUT;SFP:1101;SCL:1;SRVR:MW3PR12MB4474;H:MW3PR12MB4457.namprd12.prod.outlook.com;FPR:;SPF:None;LANG:en;PTR:InfoNoRecords; received-spf: None (protection.outlook.com: nvidia.com does not designate permitted sender hosts) x-ms-exchange-senderadcheck: 1 x-microsoft-antispam: BCL:0; x-microsoft-antispam-message-info: zGd8CAW8D11O+d4u3Pzn9h3inbfZARx9um7dAyOuRo6qtg/MrAbfmrFB7hLMG/YEF4QZ1R1oIflWin3JAVNTQgySJGqC1q7fuvybHjP5Gvwnl8c3htbzrQ37ncq4cyOS7aQXHVJJoKRo8cdb8AyElC5Ea153A2VmSn+nBd75gXwmWAqqX7EOapWnNeOAO2+aw5ys8YmdqNUy4InjsPGsQXa9Lf4FTVUxOU9NnrxbbSxSTFrSPTg8IlQCddm6MmNhaNm8L73pVc0i1r+JlWj82uzlN714AurGAo47+ZScQ5XoUsfGU36pVmhc3fBkQY6mwvmb0INwHp//WZLCMEJkF47Fu1Jfql1ZPdAfE9jqv6RHXA59IbIG6X2YwkXJhKa1Mp7BOhDOTrZjJK+siFwzEr1/QRqk+FWfO1GxIOGhLhjSYFU6Ggk0mrr0157Xp1+J x-ms-exchange-antispam-messagedata: Ex/WAZe6Y1SwK/UVaCa7SHSs8E/wal6gqCfGkBO504hqXUUXYZVIxl1AZarmfnq2q2q5FAnoBmhBz4BcfwMuGlBnRkbx6cAr+dLPlupn4fnOw6+dfThW5PRfq+Oo1EdKmyk6wrr7kkytOabvnGFTEQ== x-ms-exchange-transport-forked: True MIME-Version: 1.0 X-MS-Exchange-CrossTenant-Network-Message-Id: 9b38c350-8148-44f5-12f3-08d7d0d3d907 X-MS-Exchange-CrossTenant-originalarrivaltime: 25 Mar 2020 15:47:39.2656 (UTC) X-MS-Exchange-CrossTenant-fromentityheader: Hosted X-MS-Exchange-CrossTenant-id: 43083d15-7273-40c1-b7db-39efd9ccc17a X-MS-Exchange-CrossTenant-mailboxtype: HOSTED X-MS-Exchange-CrossTenant-userprincipalname: qVBTNH1mx5PrBQdKh5e+aPJYmzJfwED+a3CXA3sX/IiZJFQL8SqEk8EN61zyZoRPWVwt5zAzre9b5Vjic61XZg== X-MS-Exchange-Transport-CrossTenantHeadersStamped: MW3PR12MB4474 Return-Path: ashishsingha@nvidia.com X-OriginatorOrg: Nvidia.com DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nvidia.com; s=n1; t=1585151263; bh=Oti1MCb4a8NF39pA2PSJ4pwgfI9SkWnJ5E3Z7+8s7Bw=; h=X-PGP-Universal:ARC-Seal:ARC-Message-Signature: ARC-Authentication-Results:From:To:CC:Subject:Thread-Topic: Thread-Index:Date:Message-ID:References:In-Reply-To: Accept-Language:X-MS-Has-Attach:X-MS-TNEF-Correlator: authentication-results:x-originating-ip:x-ms-publictraffictype: x-ms-office365-filtering-correlation-id:x-ms-traffictypediagnostic: x-microsoft-antispam-prvs:x-ms-oob-tlc-oobclassifiers: x-forefront-prvs:x-forefront-antispam-report:received-spf: x-ms-exchange-senderadcheck:x-microsoft-antispam: x-microsoft-antispam-message-info: x-ms-exchange-antispam-messagedata:x-ms-exchange-transport-forked: MIME-Version:X-MS-Exchange-CrossTenant-Network-Message-Id: X-MS-Exchange-CrossTenant-originalarrivaltime: X-MS-Exchange-CrossTenant-fromentityheader: X-MS-Exchange-CrossTenant-id:X-MS-Exchange-CrossTenant-mailboxtype: X-MS-Exchange-CrossTenant-userprincipalname: X-MS-Exchange-Transport-CrossTenantHeadersStamped:X-OriginatorOrg: Content-Language:Content-Type; b=PMkNR19iOIs2GTEGHx1Qmbc1GuBgoudnNrCEl2Fhhd96JPfG6K0AXW0KiLMy9b6OM +H8XM525u7SVl05ylHY4nWI+9u/nTMvBouDKRTOeSZYiN/m9EVpK6sejm7y1qDTwEu SMwnlGkw3c8mH/4vcIqkGMBFWxeqjikYJ8R+mHJuUbcpqX4+U4ytQHZb+5WwmGInRd nkunmTVzTfqzcEFL9QnR/B6oeh5r89wSEek2Yhh84cz0TyzoWCBTN8X+3ZL9thwXEE E5mAPbvouctJhdvczBVPl3l0vEO9QAJxujF8rJKUIzo7p8C4e2U6WoDDmHbobXpelG c0W4UAYzG/iuw== Content-Language: en-US Content-Type: multipart/alternative; boundary="_000_MW3PR12MB4457778D45F0D166EF873391BACE0MW3PR12MB4457namp_" --_000_MW3PR12MB4457778D45F0D166EF873391BACE0MW3PR12MB4457namp_ Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Reviewed-by: Ashish Singhal Tested-by: Ashish Singhal ________________________________ From: Ard Biesheuvel Sent: Wednesday, March 25, 2020 9:29 AM To: devel@edk2.groups.io Cc: Ard Biesheuvel ; Laszlo Ersek ; Leif Lindholm ; Ashish Singhal Subject: [PATCH v3 1/3] ArmPkg/ArmMmuLib AARCH64: limit recursion when fr= eeing page tables External email: Use caution opening links or attachments FreePageTablesRecursive () traverses the page table tree depth first to free all pages that it finds, without taking into account the level at which it is operating. Since TT_TYPE_TABLE_ENTRY aliases TT_TYPE_BLOCK_ENTRY_LEVEL3, we cannot distinguish table entries from block entries unless we take the level into account, and so we may be dereferencing garbage if we happen to try and free a hierarchy of page tables that has level 3 pages in it. Let's fix this by passing the level into FreePageTablesRecursive (), and limit the recursion to levels < 3. Signed-off-by: Ard Biesheuvel --- =20ArmPkg/Library/ArmMmuLib/AArch64/ArmMmuLibCore.c | 18 ++++++++++++----= -- =201 file changed, 12 insertions(+), 6 deletions(-) diff --git a/ArmPkg/Library/ArmMmuLib/AArch64/ArmMmuLibCore.c b/ArmPkg/Li= brary/ArmMmuLib/AArch64/ArmMmuLibCore.c index a43d468b73ca..d78918cf7ba8 100644 --- a/ArmPkg/Library/ArmMmuLib/AArch64/ArmMmuLibCore.c +++ b/ArmPkg/Library/ArmMmuLib/AArch64/ArmMmuLibCore.c @@ -142,15 +142,21 @@ ReplaceTableEntry ( =20STATIC =20VOID =20FreePageTablesRecursive ( - IN UINT64 *TranslationTable + IN UINT64 *TranslationTable, + IN UINTN Level =20 ) =20{ =20 UINTN Index; - for (Index =3D 0; Index < TT_ENTRY_COUNT; Index++) { - if ((TranslationTable[Index] & TT_TYPE_MASK) =3D=3D TT_TYPE_TABLE_EN= TRY) { - FreePageTablesRecursive ((VOID *)(UINTN)(TranslationTable[Index] &= - TT_ADDRESS_MASK_BLOCK_ENT= RY)); + ASSERT (Level <=3D 3); + + if (Level < 3) { + for (Index =3D 0; Index < TT_ENTRY_COUNT; Index++) { + if ((TranslationTable[Index] & TT_TYPE_MASK) =3D=3D TT_TYPE_TABLE_= ENTRY) { + FreePageTablesRecursive ((VOID *)(UINTN)(TranslationTable[Index]= =20& + TT_ADDRESS_MASK_BLOCK_E= NTRY), + Level + 1); + } =20 } =20 } =20 FreePages (TranslationTable, 1); @@ -254,7 +260,7 @@ UpdateRegionMappingRecursive ( =20 // possible for existing table entries, since we cannot reve= rt the =20 // modifications we made to the subhierarchy it represents.)= =20 // - FreePageTablesRecursive (TranslationTable); + FreePageTablesRecursive (TranslationTable, Level + 1); =20 } =20 return Status; =20 } -- 2.17.1 -------------------------------------------------------------------------= ---------- This email message is for the sole use of the intended recipient(s) and m= ay contain confidential information. Any unauthorized review, use, disclosure or di= stribution is prohibited. If you are not the intended recipient, please contact the= =20sender by reply email and destroy all copies of the original message. -------------------------------------------------------------------------= ---------- --_000_MW3PR12MB4457778D45F0D166EF873391BACE0MW3PR12MB4457namp_ Content-Type: text/html; charset="us-ascii" Content-Transfer-Encoding: quoted-printable
Reviewed-by: =20Ashish Singhal <ashishsingha@nvidia.com>
Tested-by:= =20Ashish Singhal <ashishsingha@nvidia.com>
From: Ard Biesheuvel &l= t;ard.biesheuvel@linaro.org>
Sent: Wednesday, March 25, 2020 9:29 AM
To: devel@edk2.groups.io <devel@edk2.groups.io>
Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>; Laszlo Ersek= =20<lersek@redhat.com>; Leif Lindholm <leif@nuviainc.com>; As= hish Singhal <ashishsingha@nvidia.com>
Subject: [PATCH v3 1/3] ArmPkg/ArmMmuLib AARCH64: limit recursion = when freeing page tables
 
External email: Use caution opening links or att= achments


FreePageTablesRecursive () traverses the page table tree depth first
to free all pages that it finds, without taking into account the
level at which it is operating.

Since TT_TYPE_TABLE_ENTRY aliases TT_TYPE_BLOCK_ENTRY_LEVEL3, we cannot distinguish table entries from block entries unless we take the level
= into account, and so we may be dereferencing garbage if we happen to
try and free a hierarchy of page tables that has level 3 pages in it.
=
Let's fix this by passing the level into FreePageTablesRecursive (),
and limit the recursion to levels < 3.

Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
---
 ArmPkg/Library/ArmMmuLib/AArch64/ArmMmuLibCore.c | 18 ++= 3;+++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

diff --git a/ArmPkg/Library/ArmMmuLib/AArch64/ArmMmuLibCore.c b/ArmPkg/Li= brary/ArmMmuLib/AArch64/ArmMmuLibCore.c
index a43d468b73ca..d78918cf7ba8 100644
--- a/ArmPkg/Library/ArmMmuLib/AArch64/ArmMmuLibCore.c
+++ b/ArmPkg/Library/ArmMmuLib/AArch64/ArmMmuLibCore.c
@@ -142,15 +142,21 @@ ReplaceTableEntry (
 STATIC
 VOID
 FreePageTablesRecursive (
-  IN  UINT64  *TranslationTable
+  IN  UINT64  *TranslationTable,
+  IN  UINTN   Level
   )
 {
   UINTN   Index;

-  for (Index =3D 0; Index < TT_ENTRY_COUNT; Index++) { -    if ((TranslationTable[Index] & TT_TYPE_MASK) =3D=3D= =20TT_TYPE_TABLE_ENTRY) {
-      FreePageTablesRecursive ((VOID *)(UINTN)(= TranslationTable[Index] &
-            =             &= nbsp;           &n= bsp;          TT_ADDRESS_MAS= K_BLOCK_ENTRY));
+  ASSERT (Level <=3D 3);
+
+  if (Level < 3) {
+    for (Index =3D 0; Index < TT_ENTRY_COUNT; Inde= x++) {
+      if ((TranslationTable[Index] & TT= _TYPE_MASK) =3D=3D TT_TYPE_TABLE_ENTRY) {
+        FreePageTablesRecursive (= (VOID *)(UINTN)(TranslationTable[Index] &
+           &n= bsp;           &nb= sp;           &nbs= p;            = ; TT_ADDRESS_MASK_BLOCK_ENTRY),
+           &n= bsp;           &nb= sp;         Level + 1);
+      }
     }
   }
   FreePages (TranslationTable, 1);
@@ -254,7 +260,7 @@ UpdateRegionMappingRecursive (
           // possible = for existing table entries, since we cannot revert the
           // modificat= ions we made to the subhierarchy it represents.)
           //
-          FreePageTablesRec= ursive (TranslationTable);
+          FreePageTable= sRecursive (TranslationTable, Level + 1);
         }
         return Status;
       }
--
2.17.1

This email message is for the sole use of the intended recipient(s) = and may=20 contain confidential information.  Any unauthorized review, use, dis= closure=20 or distribution is prohibited.  If you are not the intended recipien= t,=20 please contact the sender by reply email and destroy all copies of the or= iginal=20 message.
--_000_MW3PR12MB4457778D45F0D166EF873391BACE0MW3PR12MB4457namp_--