authorKun Qin <kuqin12@gmail.com>2022-04-26 08:47:46 +0800
committermergify[bot] <37929162+mergify[bot]@users.noreply.github.com>2022-05-13 00:51:41 +0000
commit17702186b56209842e002235c29ffec5ed69745a (patch)
tree2e1867193a892f1ac6f861e86fde93294085d330 /MdeModulePkg
parentdeee7a100b2539d8a302c6d37344b507f8312faa (diff)
MdeModulePkg: PiSmmCore: Inspect memory guarded with pool headers
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3488 The current free pool routine in PiSmmCore inspects the memory guard status of the target buffer without considering pool headers. This could lead the `IsMemoryGuarded` function to return incorrect results. In that sense, allocating a 0 sized pool could cause an allocated buffer to point directly into a guard page, which is legal. However, trying to free this pool will cause the routine changed in this commit to read XP pages, which leads to a page fault. This change inspects the memory guard status using the pool header. This can avoid errors when pool content happens to be on a page boundary. Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Eric Dong <eric.dong@intel.com> Cc: Ray Ni <ray.ni@intel.com> Cc: Jian J Wang <jian.j.wang@intel.com> Cc: Liming Gao <gaoliming@byosoft.com.cn> Signed-off-by: Kun Qin <kuqin12@gmail.com> Reviewed-by: Jian J Wang <jian.j.wang@intel.com> Reviewed-by: Liming Gao <gaoliming@byosoft.com.cn>
Diffstat (limited to 'MdeModulePkg')
-rw-r--r--MdeModulePkg/Core/PiSmmCore/Pool.c10
1 files changed, 5 insertions, 5 deletions
diff --git a/MdeModulePkg/Core/PiSmmCore/Pool.c b/MdeModulePkg/Core/PiSmmCore/Pool.c
index 96ebe81..e1ff40a 100644
--- a/MdeModulePkg/Core/PiSmmCore/Pool.c
+++ b/MdeModulePkg/Core/PiSmmCore/Pool.c
@@ -382,11 +382,6 @@ SmmInternalFreePool (
return EFI_INVALID_PARAMETER;
}
- MemoryGuarded = IsHeapGuardEnabled () &&
- IsMemoryGuarded ((EFI_PHYSICAL_ADDRESS)(UINTN)Buffer);
- HasPoolTail = !(MemoryGuarded &&
- ((PcdGet8 (PcdHeapGuardPropertyMask) & BIT7) == 0));
-
FreePoolHdr = (FREE_POOL_HEADER *)((POOL_HEADER *)Buffer - 1);
ASSERT (FreePoolHdr->Header.Signature == POOL_HEAD_SIGNATURE);
ASSERT (!FreePoolHdr->Header.Available);
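Review bot: The MemoryGuarded / HasPoolTail computation removed here is re-added after the header validation in the next hunk (which runs past the end of this excerpt), but neither site carries a comment saying why the guard check now keys on FreePoolHdr rather than Buffer, so a later reader may treat the two addresses as interchangeable and "fix" it back. Suggest a comment above the re-added computation such as `// Inspect guard status at the pool header, not Buffer: for a zero-sized pool, Buffer itself can point into the guard page (BZ 3488).` SmmInternalFreePool's body begins before and continues after this hunk. The Signature and Available reads on FreePoolHdr at the end of this hunk still happen before the guard status is known; that ordering predates the commit and is presumably fine because the header lies inside the allocated region, but it is worth confirming in the same comment.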
@@ -394,6 +389,11 @@ SmmInternalFreePool (
return EFI_INVALID_PARAMETER;
}
+ MemoryGuarded = IsHeapGuardEnabled () &&
+ IsMemoryGuarded ((EFI_PHYSICAL_ADDRESS)(UINTN)FreePoolHdr);
+ HasPoolTail = !(MemoryGuarded &&
+ ((PcdGet8 (PcdHeapGuardPropertyMask) & BIT7) == 0));
+
if (HasPoolTail) {
PoolTail = HEAD_TO_TAIL (&FreePoolHdr->Header);
ASSERT (PoolTail->Signature == POOL_TAIL_SIGNATURE);