From: Ruiyu Ni
To: edk2-devel@lists.01.org
Date: Thu, 1 Feb 2018 18:15:39 +0800
Message-Id: <20180201101539.320452-1-ruiyu.ni@intel.com>
Subject: [edk2] [PATCH] MdeModulePkg/SmmCore: Fix hang due to already-freed memory dereference
Cc: Jiewen Yao , Star Zeng

SmiHandlerUnRegister() validates the DispatchHandle by checking whether the first 32 bits match a certain signature (SMI_HANDLER_SIGNATURE). But if a caller calls *UnRegister() twice and the memory freed by the first call still contains the signature, the second call may hang.

The patch fixes this issue by locating the DispatchHandle in all SMI handlers, instead of checking the signature.

Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Ruiyu Ni
Cc: Jiewen Yao
Cc: Star Zeng
Reviewed-by: Star Zeng
--- MdeModulePkg/Core/PiSmmCore/Smi.c | 37 ++++++++++++++++++++++++++++++++---= -- 1 file changed, 32 insertions(+), 5 deletions(-) diff --git a/MdeModulePkg/Core/PiSmmCore/Smi.c b/MdeModulePkg/Core/PiSmmCor= e/Smi.c index ad483a1877..0c09e7fa10 100644 --- a/MdeModulePkg/Core/PiSmmCore/Smi.c +++ b/MdeModulePkg/Core/PiSmmCore/Smi.c @@ -1,7 +1,7 @@ /** @file SMI management. =20 - Copyright (c) 2009 - 2017, Intel Corporation. All rights reserved.
+ Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.
This program and the accompanying materials are licensed and made availa= ble=20 under the terms and conditions of the BSD License which accompanies this=20 distribution. The full text of the license may be found at =20 @@ -276,14 +276,41 @@ SmiHandlerUnRegister ( { SMI_HANDLER *SmiHandler; SMI_ENTRY *SmiEntry; + LIST_ENTRY *EntryLink; + LIST_ENTRY *HandlerLink; =20 - SmiHandler =3D (SMI_HANDLER *) DispatchHandle; - - if (SmiHandler =3D=3D NULL) { + if (DispatchHandle =3D=3D NULL) { return EFI_INVALID_PARAMETER; } =20 - if (SmiHandler->Signature !=3D SMI_HANDLER_SIGNATURE) { + // + // Look for it in root SMI handlers + // + SmiHandler =3D NULL; + for ( HandlerLink =3D GetFirstNode (&mRootSmiEntry.SmiHandlers) + ; !IsNull (&mRootSmiEntry.SmiHandlers, HandlerLink) && (SmiHandler != =3D DispatchHandle) + ; HandlerLink =3D GetNextNode (&mRootSmiEntry.SmiHandlers, HandlerLi= nk) + ) { + SmiHandler =3D CR (HandlerLink, SMI_HANDLER, Link, SMI_HANDLER_SIGNATU= RE); + } + + // + // Look for it in non-root SMI handlers + // + for ( EntryLink =3D GetFirstNode (&mSmiEntryList) + ; !IsNull (&mSmiEntryList, EntryLink) && (SmiHandler !=3D DispatchHa= ndle) + ; EntryLink =3D GetNextNode (&mSmiEntryList, EntryLink) + ) { + SmiEntry =3D CR (EntryLink, SMI_ENTRY, AllEntries, SMI_ENTRY_SIGNATURE= ); + for ( HandlerLink =3D GetFirstNode (&SmiEntry->SmiHandlers) + ; !IsNull (&SmiEntry->SmiHandlers, HandlerLink) && (SmiHandler != =3D DispatchHandle) + ; HandlerLink =3D GetNextNode (&SmiEntry->SmiHandlers, HandlerLink) + ) { + SmiHandler =3D CR (HandlerLink, SMI_HANDLER, Link, SMI_HANDLER_SIGNA= TURE); + } + } + + if (SmiHandler !=3D DispatchHandle) { return EFI_INVALID_PARAMETER; } =20 --=20 2.15.1.windows.2
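Review bot: in the SmiHandlerUnRegister hunk, the early `if (DispatchHandle == NULL)` return must stay even though the list walk now decides validity: `SmiHandler` is initialised to NULL and remains NULL when both handler lists are empty, so without that check a NULL DispatchHandle would satisfy the final `if (SmiHandler != DispatchHandle)` comparison and reach the code that follows. The lookup itself has the right property for an SMM entry point with caller-supplied input: the handle is only compared against node addresses the core already owns and is never read through, so a stale pointer into freed pool memory is rejected even when the old signature bytes survive there. One readability point: both loops fold the "found" state into `SmiHandler` by testing `SmiHandler != DispatchHandle` in the loop condition, which is easy to misread as an off-by-one; a one-line comment above the first loop stating that the loops stop as soon as `SmiHandler` equals `DispatchHandle` and that a non-match is detected by the final comparison would help later readers.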
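As an added illustration of the stale-signature double-unregister described in the commit message (model code written for this page, not EDK II's Smi.c): a static arena stands in for the SMM pool so a freed handler keeps its signature bytes without undefined behaviour, and the two validators mirror the pre-patch and post-patch checks. The signature constant, pool size and all function names are constructed for the model.

```c
#include <stdint.h>
#include <string.h>
/* Constructed signature value; EDK II defines its own SMI_HANDLER_SIGNATURE. */
#define SMI_HANDLER_SIGNATURE 0x48494D53u
#define MAX_HANDLERS 4
enum { MODEL_SUCCESS = 0, MODEL_INVALID_PARAMETER = -1 };
typedef struct {
    uint32_t Signature;   /* stamped on register, NOT scrubbed on free */
    int      Registered;  /* 1 while linked on the core's list, 0 once freed */
} SMI_HANDLER;
static SMI_HANDLER Pool[MAX_HANDLERS];   /* stands in for the SMM pool */

/* Register: take a free slot, stamp the signature, link it. */
void *SmiHandlerRegisterModel(void) {
    for (int i = 0; i < MAX_HANDLERS; i++) {
        if (Pool[i].Registered) continue;
        Pool[i].Signature = SMI_HANDLER_SIGNATURE;
        Pool[i].Registered = 1;
        return &Pool[i];
    }
    return NULL;
}

/* Pre-patch check: trust the caller's pointer and read its first 32 bits.
   A freed block still carries the signature, so a stale handle is accepted. */
int UnRegisterBySignature(void *DispatchHandle) {
    SMI_HANDLER *h = (SMI_HANDLER *)DispatchHandle;
    if (h == NULL || h->Signature != SMI_HANDLER_SIGNATURE) return MODEL_INVALID_PARAMETER;
    h->Registered = 0;   /* FreePool stand-in: unlink, leave the bytes behind */
    return MODEL_SUCCESS;
}

/* Post-patch check, same loop shape as the patch: never dereference the handle,
   accept it only if it is the address of a handler currently on the core's list. */
int UnRegisterByLookup(void *DispatchHandle) {
    SMI_HANDLER *found = NULL;
    if (DispatchHandle == NULL) return MODEL_INVALID_PARAMETER; /* found stays NULL on an empty list */
    for (int i = 0; i < MAX_HANDLERS && found != DispatchHandle; i++)
        if (Pool[i].Registered) found = &Pool[i];
    if (found != DispatchHandle) return MODEL_INVALID_PARAMETER;
    found->Registered = 0;
    return MODEL_SUCCESS;
}

/* Register once, unregister twice with the given validator; return the second result. */
int RunDoubleUnregister(int (*unreg)(void *)) {
    memset(Pool, 0, sizeof Pool);
    void *h = SmiHandlerRegisterModel();
    unreg(h);
    return unreg(h);
}
```

The signature validator reports success on the second, stale call (the hang path in the real core); the lookup validator returns the invalid-parameter code instead.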