Commit 17702186 authored by Kun Qin's avatar Kun Qin Committed by mergify[bot]
Browse files

MdeModulePkg: PiSmmCore: Inspect memory guarded with pool headers

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3488



Current free pool routine from PiSmmCore will inspect memory guard status
for target buffer without considering pool headers. This could lead to
`IsMemoryGuarded` function to return incorrect results.

In that sense, allocating a 0 sized pool could cause an allocated buffer
directly points into a guard page, which is legal. However, trying to
free this pool will cause the routine changed in this commit to read XP
pages, which leads to page fault.

This change will inspect memory guarded with pool headers. This can avoid
errors when a pool content happens to be on a page boundary.

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Eric Dong <eric.dong@intel.com>
Cc: Ray Ni <ray.ni@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Liming Gao <gaoliming@byosoft.com.cn>
Signed-off-by: default avatarKun Qin <kuqin12@gmail.com>
Reviewed-by: default avatarJian J Wang <jian.j.wang@intel.com>
Reviewed-by: default avatarLiming Gao <gaoliming@byosoft.com.cn>
parent deee7a10
......@@ -382,11 +382,6 @@ SmmInternalFreePool (
return EFI_INVALID_PARAMETER;
}
MemoryGuarded = IsHeapGuardEnabled () &&
IsMemoryGuarded ((EFI_PHYSICAL_ADDRESS)(UINTN)Buffer);
HasPoolTail = !(MemoryGuarded &&
((PcdGet8 (PcdHeapGuardPropertyMask) & BIT7) == 0));
FreePoolHdr = (FREE_POOL_HEADER *)((POOL_HEADER *)Buffer - 1);
ASSERT (FreePoolHdr->Header.Signature == POOL_HEAD_SIGNATURE);
ASSERT (!FreePoolHdr->Header.Available);
......@@ -394,6 +389,11 @@ SmmInternalFreePool (
return EFI_INVALID_PARAMETER;
}
MemoryGuarded = IsHeapGuardEnabled () &&
IsMemoryGuarded ((EFI_PHYSICAL_ADDRESS)(UINTN)FreePoolHdr);
HasPoolTail = !(MemoryGuarded &&
((PcdGet8 (PcdHeapGuardPropertyMask) & BIT7) == 0));
if (HasPoolTail) {
PoolTail = HEAD_TO_TAIL (&FreePoolHdr->Header);
ASSERT (PoolTail->Signature == POOL_TAIL_SIGNATURE);
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment