From nobody Mon Dec 23 14:07:31 2024 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; spf=none (zoho.com: 198.145.21.10 is neither permitted nor denied by domain of lists.01.org) smtp.mailfrom=edk2-devel-bounces@lists.01.org Return-Path: Received: from ml01.01.org (ml01.01.org [198.145.21.10]) by mx.zohomail.com with SMTPS id 1515466574768665.1615768313568; Mon, 8 Jan 2018 18:56:14 -0800 (PST) Received: from [127.0.0.1] (localhost [IPv6:::1]) by ml01.01.org (Postfix) with ESMTP id 21D3521F833A9; Mon, 8 Jan 2018 18:51:03 -0800 (PST) Received: from mga06.intel.com (mga06.intel.com [134.134.136.31]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id 7D14A2035D32C for ; Mon, 8 Jan 2018 18:51:00 -0800 (PST) Received: from orsmga003.jf.intel.com ([10.7.209.27]) by orsmga104.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 08 Jan 2018 18:56:11 -0800 Received: from jiaxinwu-mobl2.ccr.corp.intel.com ([10.239.196.147]) by orsmga003.jf.intel.com with ESMTP; 08 Jan 2018 18:56:09 -0800 X-Original-To: edk2-devel@lists.01.org Received-SPF: none (zoho.com: 198.145.21.10 is neither permitted nor denied by domain of lists.01.org) client-ip=198.145.21.10; envelope-from=edk2-devel-bounces@lists.01.org; helo=ml01.01.org; Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=134.134.136.31; helo=mga06.intel.com; envelope-from=jiaxin.wu@intel.com; receiver=edk2-devel@lists.01.org X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.46,334,1511856000"; d="scan'208";a="18548749" From: Jiaxin Wu To: edk2-devel@lists.01.org Date: Tue, 9 Jan 2018 10:56:05 +0800 Message-Id: <1515466566-13136-2-git-send-email-jiaxin.wu@intel.com> X-Mailer: git-send-email 1.9.5.msysgit.1 In-Reply-To: <1515466566-13136-1-git-send-email-jiaxin.wu@intel.com> References: <1515466566-13136-1-git-send-email-jiaxin.wu@intel.com> Subject: [edk2] [Patch 1/2] MdeModulePkg/IScsiDxe: Set ExitBootServiceEvent to NULL after close it. X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Ye Ting , Fu Siyuan , Wu Jiaxin MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Errors-To: edk2-devel-bounces@lists.01.org Sender: "edk2-devel" X-ZohoMail: RSF_4 Z_629925259 SPT_0 Content-Type: text/plain; charset="utf-8" There are two place to close the ISCSI ExitBootServiceEvent: One is IScsiOnExitBootService callback function. Another is ISCSI driver stop() function. When OS loader triggers ExitBootServiceEvent, firstly, the exit boot service callback function will close and free the ExitBootServiceEvent, then second= ly the system will call ISCSI driver stop() function, the ExitBootServiceEvent will be closed and freed again, the use-after-free memory access happens. This issue is recorded at https://bugzilla.tianocore.org/show_bug.cgi?id=3D= 742. This patch is to resolve the issue. Cc: Ye Ting Cc: Fu Siyuan Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Wu Jiaxin Reviewed-by: Fu Siyuan --- MdeModulePkg/Universal/Network/IScsiDxe/IScsiMisc.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/MdeModulePkg/Universal/Network/IScsiDxe/IScsiMisc.c b/MdeModul= ePkg/Universal/Network/IScsiDxe/IScsiMisc.c index ae202c3..29dfe94 100644 --- a/MdeModulePkg/Universal/Network/IScsiDxe/IScsiMisc.c +++ b/MdeModulePkg/Universal/Network/IScsiDxe/IScsiMisc.c @@ -1,9 +1,9 @@ /** @file Miscellaneous routines for iSCSI driver. =20 -Copyright (c) 2004 - 2016, Intel Corporation. All rights reserved.
+Copyright (c) 2004 - 2018, Intel Corporation. All rights reserved.
This program and the accompanying materials are licensed and made available under the terms and conditions of the BSD = License which accompanies this distribution. The full text of the license may be = found at http://opensource.org/licenses/bsd-license.php =20 @@ -622,13 +622,14 @@ IScsiCleanDriverData ( &Private->IScsiExtScsiPassThru ); } =20 EXIT: - - gBS->CloseEvent (Private->ExitBootServiceEvent); - + if (Private->ExitBootServiceEvent !=3D NULL) { + gBS->CloseEvent (Private->ExitBootServiceEvent); + } + =20 FreePool (Private); return Status; } =20 /** @@ -870,12 +871,15 @@ IScsiOnExitBootService ( ) { ISCSI_DRIVER_DATA *Private; =20 Private =3D (ISCSI_DRIVER_DATA *) Context; + =20 gBS->CloseEvent (Private->ExitBootServiceEvent); =20 + Private->ExitBootServiceEvent =3D NULL; + IScsiSessionAbort (&Private->Session); } =20 /** Tests whether a controller handle is being managed by IScsi driver. --=20 1.9.5.msysgit.1 _______________________________________________ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel From nobody Mon Dec 23 14:07:31 2024 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; spf=none (zoho.com: 198.145.21.10 is neither permitted nor denied by domain of lists.01.org) smtp.mailfrom=edk2-devel-bounces@lists.01.org Return-Path: Received: from ml01.01.org (ml01.01.org [198.145.21.10]) by mx.zohomail.com with SMTPS id 1515466577062812.1068865004727; Mon, 8 Jan 2018 18:56:17 -0800 (PST) Received: from [127.0.0.1] (localhost [IPv6:::1]) by ml01.01.org (Postfix) with ESMTP id 8679921F833C1; Mon, 8 Jan 2018 18:51:04 -0800 (PST) Received: from mga06.intel.com (mga06.intel.com [134.134.136.31]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id 932572035D321 for ; Mon, 8 Jan 2018 18:51:02 -0800 (PST) Received: from orsmga003.jf.intel.com ([10.7.209.27]) by orsmga104.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 08 Jan 2018 18:56:13 -0800 Received: from jiaxinwu-mobl2.ccr.corp.intel.com ([10.239.196.147]) by orsmga003.jf.intel.com with ESMTP; 08 Jan 2018 18:56:11 -0800 X-Original-To: edk2-devel@lists.01.org Received-SPF: none (zoho.com: 198.145.21.10 is neither permitted nor denied by domain of lists.01.org) client-ip=198.145.21.10; envelope-from=edk2-devel-bounces@lists.01.org; helo=ml01.01.org; Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=134.134.136.31; helo=mga06.intel.com; envelope-from=jiaxin.wu@intel.com; receiver=edk2-devel@lists.01.org X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.46,334,1511856000"; d="scan'208";a="18548754" From: Jiaxin Wu To: edk2-devel@lists.01.org Date: Tue, 9 Jan 2018 10:56:06 +0800 Message-Id: <1515466566-13136-3-git-send-email-jiaxin.wu@intel.com> X-Mailer: git-send-email 1.9.5.msysgit.1 In-Reply-To: <1515466566-13136-1-git-send-email-jiaxin.wu@intel.com> References: <1515466566-13136-1-git-send-email-jiaxin.wu@intel.com> Subject: [edk2] [Patch 2/2] NetworkPkg/IScsiDxe: Set ExitBootServiceEvent to NULL after close it. X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Ye Ting , Fu Siyuan , Wu Jiaxin MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Errors-To: edk2-devel-bounces@lists.01.org Sender: "edk2-devel" X-ZohoMail: RSF_4 Z_629925259 SPT_0 Content-Type: text/plain; charset="utf-8" There are two place to close the ISCSI ExitBootServiceEvent: One is IScsiOnExitBootService callback function. Another is ISCSI driver stop() function. When OS loader triggers ExitBootServiceEvent, firstly, the exit boot service callback function will close and free the ExitBootServiceEvent, then second= ly the system will call ISCSI driver stop() function, the ExitBootServiceEvent will be closed and freed again, the use-after-free memory access happens. This issue is recorded at https://bugzilla.tianocore.org/show_bug.cgi?id=3D= 742. This patch is to resolve the issue. Cc: Ye Ting Cc: Fu Siyuan Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Wu Jiaxin Reviewed-by: Fu Siyuan --- NetworkPkg/IScsiDxe/IScsiMisc.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/NetworkPkg/IScsiDxe/IScsiMisc.c b/NetworkPkg/IScsiDxe/IScsiMis= c.c index 9e4164c..9b26147 100644 --- a/NetworkPkg/IScsiDxe/IScsiMisc.c +++ b/NetworkPkg/IScsiDxe/IScsiMisc.c @@ -1,9 +1,9 @@ /** @file Miscellaneous routines for iSCSI driver. =20 -Copyright (c) 2004 - 2017, Intel Corporation. All rights reserved.
+Copyright (c) 2004 - 2018, Intel Corporation. All rights reserved.
This program and the accompanying materials are licensed and made available under the terms and conditions of the BSD = License which accompanies this distribution. The full text of the license may be = found at http://opensource.org/licenses/bsd-license.php =20 @@ -1796,12 +1796,13 @@ IScsiCleanDriverData ( mPrivate->OneSessionEstablished =3D FALSE; } } =20 EXIT: - - gBS->CloseEvent (Private->ExitBootServiceEvent); + if (Private->ExitBootServiceEvent !=3D NULL) { + gBS->CloseEvent (Private->ExitBootServiceEvent);=20 + } =20 mCallbackInfo->Current =3D NULL; =20 FreePool (Private); return Status; @@ -2483,12 +2484,15 @@ IScsiOnExitBootService ( ) { ISCSI_DRIVER_DATA *Private; =20 Private =3D (ISCSI_DRIVER_DATA *) Context; + =20 gBS->CloseEvent (Private->ExitBootServiceEvent); - + =20 + Private->ExitBootServiceEvent =3D NULL; + =20 if (Private->Session !=3D NULL) { IScsiSessionAbort (Private->Session); } } =20 --=20 1.9.5.msysgit.1 _______________________________________________ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel