From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <ruiyu.ni@intel.com>
Received-SPF: Pass (sender SPF authorized) identity=mailfrom;
 client-ip=192.55.52.43; helo=mga05.intel.com; envelope-from=ruiyu.ni@intel.com;
 receiver=edk2-devel@lists.01.org 
Received: from mga05.intel.com (mga05.intel.com [192.55.52.43])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (No client certificate requested)
 by ml01.01.org (Postfix) with ESMTPS id DD594223FCF5B
 for <edk2-devel@lists.01.org>; Thu, 15 Mar 2018 23:38:33 -0700 (PDT)
X-Amp-Result: SKIPPED(no attachment in message)
X-Amp-File-Uploaded: False
Received: from fmsmga008.fm.intel.com ([10.253.24.58])
 by fmsmga105.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384;
 15 Mar 2018 23:44:58 -0700
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.48,313,1517904000"; d="scan'208";a="24992038"
Received: from ray-dev.ccr.corp.intel.com (HELO [10.239.9.4]) ([10.239.9.4])
 by fmsmga008.fm.intel.com with ESMTP; 15 Mar 2018 23:44:57 -0700
To: "Wang, Jian J" <jian.j.wang@intel.com>,
 "edk2-devel@lists.01.org" <edk2-devel@lists.01.org>
Cc: "Yao, Jiewen" <jiewen.yao@intel.com>, "Dong, Eric" <eric.dong@intel.com>, 
 "Zeng, Star" <star.zeng@intel.com>
References: <20180315062202.7456-1-jian.j.wang@intel.com>
 <aa1550cd-44f2-5836-19b3-9fe2536e347a@Intel.com>
 <D827630B58408649ACB04F44C510003624D15C0E@SHSMSX103.ccr.corp.intel.com>
From: "Ni, Ruiyu" <ruiyu.ni@Intel.com>
Message-ID: <ac6c484e-ee95-d9c3-2a71-b46131102e48@Intel.com>
Date: Fri, 16 Mar 2018 14:44:57 +0800
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101
 Thunderbird/52.6.0
MIME-Version: 1.0
In-Reply-To: <D827630B58408649ACB04F44C510003624D15C0E@SHSMSX103.ccr.corp.intel.com>
Subject: Re: [PATCH] MdeModulePkg/PiSmmCore: fix #PF caused by freeing read-only memory
X-BeenThere: edk2-devel@lists.01.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: EDK II Development  <edk2-devel.lists.01.org>
List-Unsubscribe: <https://lists.01.org/mailman/options/edk2-devel>,
 <mailto:edk2-devel-request@lists.01.org?subject=unsubscribe>
List-Archive: <http://lists.01.org/pipermail/edk2-devel/>
List-Post: <mailto:edk2-devel@lists.01.org>
List-Help: <mailto:edk2-devel-request@lists.01.org?subject=help>
List-Subscribe: <https://lists.01.org/mailman/listinfo/edk2-devel>,
 <mailto:edk2-devel-request@lists.01.org?subject=subscribe>
X-List-Received-Date: Fri, 16 Mar 2018 06:38:34 -0000
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 7bit

On 3/15/2018 3:07 PM, Wang, Jian J wrote:
> DxeCore will only apply EFI_MEMORY_RO to image CODE memory (controlled by
> PcdImageProtectionPolicy). Normally allocated rt_code/bs_code memory won't be
> marked as read-only. So my answer is NO.
> 
> Regards,
> Jian
> 
> 
>> -----Original Message-----
>> From: Ni, Ruiyu
>> Sent: Thursday, March 15, 2018 2:56 PM
>> To: Wang, Jian J <jian.j.wang@intel.com>; edk2-devel@lists.01.org
>> Cc: Yao, Jiewen <jiewen.yao@intel.com>; Dong, Eric <eric.dong@intel.com>;
>> Zeng, Star <star.zeng@intel.com>
>> Subject: Re: [edk2] [PATCH] MdeModulePkg/PiSmmCore: fix #PF caused by
>> freeing read-only memory
>>
>> On 3/15/2018 2:22 PM, Jian J Wang wrote:
>>> SMM core will add a HEADER before each allocated pool memory and clean
>>> up this header once it's freed. If a block of allocated pool is marked
>>> as read-only after allocation (EfiRuntimeServicesCode type of pool in
>>> SMM will always be marked as read-only), #PF exception will be triggered
>>> during memory pool freeing.
>>>
>>> Normally EfiRuntimeServicesCode type of pool should not be freed in the
>>> real world. But some test suites will actually do memory free for all
>>> types of memory for the purpose of functionality and conformance test.
>>> So this issue should be fixed anyway.
>>
>> Does DxeCore have such problem?
>>
>>>
>>> Cc: Star Zeng <star.zeng@intel.com>
>>> Cc: Eric Dong <eric.dong@intel.com>
>>> Cc: Jiewen Yao <jiewen.yao@intel.com>
>>> Cc: Ruiyu Ni <ruiyu.ni@intel.com>
>>> Contributed-under: TianoCore Contribution Agreement 1.1
>>> Signed-off-by: Jian J Wang <jian.j.wang@intel.com>
>>> ---
>>>    MdeModulePkg/Core/PiSmmCore/HeapGuard.c | 22
>> ++++++++++++++++++++++
>>>    1 file changed, 22 insertions(+)
>>>
>>> diff --git a/MdeModulePkg/Core/PiSmmCore/HeapGuard.c
>> b/MdeModulePkg/Core/PiSmmCore/HeapGuard.c
>>> index f9657f9baa..d5556eb79c 100644
>>> --- a/MdeModulePkg/Core/PiSmmCore/HeapGuard.c
>>> +++ b/MdeModulePkg/Core/PiSmmCore/HeapGuard.c
>>> @@ -941,6 +941,7 @@ AdjustMemoryF (
>>>      EFI_PHYSICAL_ADDRESS  MemoryToTest;
>>>      UINTN                 PagesToFree;
>>>      UINT64                GuardBitmap;
>>> +  UINT64                Attributes;
>>>
>>>      if (Memory == NULL || NumberOfPages == NULL || *NumberOfPages == 0)
>> {
>>>        return;
>>> @@ -949,6 +950,27 @@ AdjustMemoryF (
>>>      Start = *Memory;
>>>      PagesToFree = *NumberOfPages;
>>>
>>> +  //
>>> +  // In case the memory to free is marked as read-only (e.g.
>> EfiRuntimeServicesCode).
>>> +  //
>>> +  if (mSmmMemoryAttribute != NULL) {
>>> +    Attributes = 0;
>>> +    mSmmMemoryAttribute->GetMemoryAttributes (
>>> +                           mSmmMemoryAttribute,
>>> +                           Start,
>>> +                           EFI_PAGES_TO_SIZE (PagesToFree),
>>> +                           &Attributes
>>> +                           );
>>> +    if ((Attributes & EFI_MEMORY_RO) != 0) {
>>> +      mSmmMemoryAttribute->ClearMemoryAttributes (
>>> +                             mSmmMemoryAttribute,
>>> +                             Start,
>>> +                             EFI_PAGES_TO_SIZE (PagesToFree),
>>> +                             EFI_MEMORY_RO
>>> +                             );
>>> +    }
>>> +  }
>>> +
>>>      //
>>>      // Head Guard must be one page before, if any.
>>>      //
>>>
>>
>>
>> --
>> Thanks,
>> Ray
Reviewed-by: Ruiyu Ni <ruiyu.ni@intel.com>

-- 
Thanks,
Ray