From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <bounce+27952+110922+7686176+12367111@groups.io>
Received: from mail02.groups.io (mail02.groups.io [66.175.222.108])
	by spool.mail.gandi.net (Postfix) with ESMTPS id 80F31941ED7
	for <rebecca@openfw.io>; Wed,  8 Nov 2023 20:00:16 +0000 (UTC)
DKIM-Signature: a=rsa-sha256; bh=o0TWhEDXJNdbvonTmpljrqhLXM0sGBVpi1pcdnoch1g=;
 c=relaxed/simple; d=groups.io;
 h=Message-ID:Date:MIME-Version:Subject:To:Cc:References:From:In-Reply-To:Precedence:List-Subscribe:List-Help:Sender:List-Id:Mailing-List:Delivered-To:Reply-To:List-Unsubscribe-Post:List-Unsubscribe:Content-Language:Content-Type:Content-Transfer-Encoding;
 s=20140610; t=1699473615; v=1;
 b=mBKggXE4EiunqiRiWYv9znzmSEr6C9YYp6k2zTHO17hTDyTD8g4P7UDgB1mA3YHaxZTDeOLp
 wldrTuRIul3yf+3wQ/ZrvNU37lDU51iHs0ZJyqtQ2ArhMmIxsxjpiZ5hUD5OzioA+KyAViNE3nW
 9700TwuO1hLxdi8vZFxHOCxk=
X-Received: by 127.0.0.2 with SMTP id q4ehYY7687511xZbLce8Klzz; Wed, 08 Nov 2023 12:00:15 -0800
X-Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124])
 by mx.groups.io with SMTP id smtpd.web11.24849.1699473614289272342
 for <devel@edk2.groups.io>;
 Wed, 08 Nov 2023 12:00:14 -0800
X-Received: from mimecast-mx02.redhat.com (mx-ext.redhat.com [66.187.233.73])
 by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3,
 cipher=TLS_AES_256_GCM_SHA384) id us-mta-288-OtxUJ3KzPaiBybxPJJ2abg-1; Wed,
 08 Nov 2023 15:00:09 -0500
X-MC-Unique: OtxUJ3KzPaiBybxPJJ2abg-1
X-Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.rdu2.redhat.com [10.11.54.6])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256)
	(No client certificate requested)
	by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 951DB3826D28;
	Wed,  8 Nov 2023 20:00:08 +0000 (UTC)
X-Received: from [10.39.192.41] (unknown [10.39.192.41])
	by smtp.corp.redhat.com (Postfix) with ESMTPS id 580FA2166B26;
	Wed,  8 Nov 2023 20:00:07 +0000 (UTC)
Message-ID: <abb096c1-1acf-4d16-9065-092e4d28b4fc@redhat.com>
Date: Wed, 8 Nov 2023 21:00:05 +0100
MIME-Version: 1.0
Subject: Re: [edk2-devel] [PATCH v4 2/4] StandaloneMmPkg/Core: Fix potential memory leak issue
To: devel@edk2.groups.io, wei6.xu@intel.com
Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>,
 Sami Mujawar <sami.mujawar@arm.com>, Ray Ni <ray.ni@intel.com>
References: <cover.1699253390.git.wei6.xu@intel.com>
 <0fc3e43cd76b1893282f7152faf1d330be9de02c.1699253390.git.wei6.xu@intel.com>
From: "Laszlo Ersek" <lersek@redhat.com>
In-Reply-To: <0fc3e43cd76b1893282f7152faf1d330be9de02c.1699253390.git.wei6.xu@intel.com>
X-Scanned-By: MIMEDefang 3.4.1 on 10.11.54.6
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: redhat.com
Precedence: Bulk
List-Subscribe: <mailto:devel+subscribe@edk2.groups.io>
List-Help: <mailto:devel+help@edk2.groups.io>
Sender: devel@edk2.groups.io
List-Id: <devel.edk2.groups.io>
Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io
Reply-To: devel@edk2.groups.io,lersek@redhat.com
List-Unsubscribe-Post: List-Unsubscribe=One-Click
List-Unsubscribe: <https://edk2.groups.io/g/devel/leave/12367111/7686176/1913456212/plugh>
X-Gm-Message-State: UeYuP46Zy8wURTKoU48azFGNx7686176AA=
Content-Language: en-US
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
X-GND-Status: LEGIT
Authentication-Results: spool.mail.gandi.net;
	dkim=pass header.d=groups.io header.s=20140610 header.b=mBKggXE4;
	dmarc=fail reason="SPF not aligned (relaxed), DKIM not aligned (relaxed)" header.from=redhat.com (policy=none);
	spf=pass (spool.mail.gandi.net: domain of bounce@groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce@groups.io

On 11/6/23 08:52, Xu, Wei6 wrote:
> In MmCoreFfsFindMmDriver(),
> - ScratchBuffer is not freed in the error return path that DstBuffer page
> allocation fails. Free ScratchBuffer before return with error.
> - If the decoded buffer is identical to the data in InputSection,
> ExtractGuidedSectionDecode() will change the value of DstBuffer rather
> than changing the contents of the buffer that DstBuffer points at, in
> which case freeing DstBuffer is wrong. Introduce a local variable
> AllocatedDstBuffer for buffer free, free AllocatedDstBuffer immediately
> if it is not used.
>=20
> Cc: Laszlo Ersek <lersek@redhat.com>
> Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
> Cc: Sami Mujawar <sami.mujawar@arm.com>
> Cc: Ray Ni <ray.ni@intel.com>
> Signed-off-by: Wei6 Xu <wei6.xu@intel.com>
> ---
>  StandaloneMmPkg/Core/FwVol.c | 31 ++++++++++++++++++++++---------
>  1 file changed, 22 insertions(+), 9 deletions(-)
>=20
> diff --git a/StandaloneMmPkg/Core/FwVol.c b/StandaloneMmPkg/Core/FwVol.c
> index e1e20ffd14ac..c3054ef751ed 100644
> --- a/StandaloneMmPkg/Core/FwVol.c
> +++ b/StandaloneMmPkg/Core/FwVol.c
> @@ -84,6 +84,7 @@ MmCoreFfsFindMmDriver (
>    UINT32                      DstBufferSize;
>    VOID                        *ScratchBuffer;
>    UINT32                      ScratchBufferSize;
> +  VOID                        *AllocatedDstBuffer;
>    VOID                        *DstBuffer;
>    UINT16                      SectionAttribute;
>    UINT32                      AuthenticationStatus;
> @@ -148,25 +149,35 @@ MmCoreFfsFindMmDriver (
>      //
>      // Allocate destination buffer, extra one page for adjustment
>      //
> -    DstBuffer =3D (VOID *)(UINTN)AllocatePages (EFI_SIZE_TO_PAGES (DstBu=
fferSize));
> -    if (DstBuffer =3D=3D NULL) {
> +    AllocatedDstBuffer =3D (VOID *)(UINTN)AllocatePages (EFI_SIZE_TO_PAG=
ES (DstBufferSize));
> +    if (AllocatedDstBuffer =3D=3D NULL) {
> +      FreePages (ScratchBuffer, EFI_SIZE_TO_PAGES (ScratchBufferSize));
>        return EFI_OUT_OF_RESOURCES;
>      }
> =20
>      //
>      // Call decompress function
>      //
> -    Status =3D ExtractGuidedSectionDecode (
> -               Section,
> -               &DstBuffer,
> -               ScratchBuffer,
> -               &AuthenticationStatus
> -               );
> +    DstBuffer =3D AllocatedDstBuffer;
> +    Status    =3D ExtractGuidedSectionDecode (
> +                  Section,
> +                  &DstBuffer,
> +                  ScratchBuffer,
> +                  &AuthenticationStatus
> +                  );
>      FreePages (ScratchBuffer, EFI_SIZE_TO_PAGES (ScratchBufferSize));
>      if (EFI_ERROR (Status)) {
>        goto FreeDstBuffer;
>      }
> =20
> +    //
> +    // Free allocated DstBuffer if it is not used
> +    //
> +    if (DstBuffer !=3D AllocatedDstBuffer) {
> +      FreePages (AllocatedDstBuffer, EFI_SIZE_TO_PAGES (DstBufferSize));
> +      AllocatedDstBuffer =3D NULL;
> +    }
> +
>      DEBUG ((
>        DEBUG_INFO,
>        "Processing compressed firmware volume (AuthenticationStatus =3D=
=3D %x)\n",
> @@ -210,7 +221,9 @@ MmCoreFfsFindMmDriver (
>    return EFI_SUCCESS;
> =20
>  FreeDstBuffer:
> -  FreePages (DstBuffer, EFI_SIZE_TO_PAGES (DstBufferSize));
> +  if (AllocatedDstBuffer !=3D NULL) {
> +    FreePages (AllocatedDstBuffer, EFI_SIZE_TO_PAGES (DstBufferSize));
> +  }
> =20
>    return Status;
>  }

Right, if AllocatedDstBuffer is needed, then we free it only upon error;
otherwise, we free it early on, so that it's released upon both error
and success.

Reviewed-by: Laszlo Ersek <lersek@redhat.com>



-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#110922): https://edk2.groups.io/g/devel/message/110922
Mute This Topic: https://groups.io/mt/102416000/7686176
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/leave/12367111/7686176/19134562=
12/xyzzy [rebecca@openfw.io]
-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-