From: Paulo Alcantara
To: edk2-devel@lists.01.org
Cc: Laszlo Ersek, Eric Dong
Date: Sun, 14 Jan 2018 22:23:33 -0200
Message-Id: <5cc6968f2c67232ca29b99cd81f8ac5d754ba8dc.1515974582.git.paulo@paulo.ac>
Subject: [edk2] [RFC v5 5/8] UefiCpuPkg/CpuExceptionHandlerLib: Ensure valid frame/stack pointers

Validate all possible memory dereferences during stack traces in IA32 and X64 CPU exceptions.

Contributed-under: TianoCore Contribution Agreement 1.1
Cc: Eric Dong
Cc: Laszlo Ersek
Requested-by: Brian Johnson
Requested-by: Jiewen Yao
Signed-off-by: Paulo Alcantara --- UefiCpuPkg/Library/CpuExceptionHandlerLib/Ia32/ArchExceptionHandler.c | 14= 9 +++++++++++++++++++- UefiCpuPkg/Library/CpuExceptionHandlerLib/X64/ArchExceptionHandler.c | 7= 5 +++++++++- 2 files changed, 216 insertions(+), 8 deletions(-) diff --git a/UefiCpuPkg/Library/CpuExceptionHandlerLib/Ia32/ArchExceptionHa= ndler.c b/UefiCpuPkg/Library/CpuExceptionHandlerLib/Ia32/ArchExceptionHandl= er.c index c5d6ea0939..3b92512b92 100644 --- a/UefiCpuPkg/Library/CpuExceptionHandlerLib/Ia32/ArchExceptionHandler.c +++ b/UefiCpuPkg/Library/CpuExceptionHandlerLib/Ia32/ArchExceptionHandler.c @@ -14,6 +14,11 @@ =20 #include "CpuExceptionCommon.h" =20 +// +// IA32 Segment Selector bit definitions +// +#define IA32_SEGSEL_TI BIT2 + /** Return address map of exception handler template so that C code can gene= rate exception tables. 
@@ -398,6 +403,97 @@ DumpCpuContext ( ); } =20 +/** + Check if a logical address is valid. + + @param[in] SystemContext Pointer to EFI_SYSTEM_CONTEXT. + @param[in] SegmentSelector Segment selector. + @param[in] Offset Offset or logical address. +**/ +STATIC +BOOLEAN +IsLogicalAddressValid ( + IN EFI_SYSTEM_CONTEXT SystemContext, + IN UINT16 SegmentSelector, + IN UINTN Offset + ) +{ + IA32_SEGMENT_DESCRIPTOR *SegmentDescriptor; + UINT32 SegDescBase; + UINT32 SegDescLimit; + UINT64 SegDescLimitInBytes; + + // + // Check for valid input parameters + // + if (SegmentSelector =3D=3D 0 || Offset =3D=3D 0) { + return FALSE; + } + + // + // Look for a segment descriptor in a GDT or LDT table depending on TI + // (Table Indicator) bit in segment selector. + // + if ((SegmentSelector & IA32_SEGSEL_TI) =3D=3D 0) { + // + // Get segment descriptor from GDT table + // + SegmentDescriptor =3D + (IA32_SEGMENT_DESCRIPTOR *)( + (UINTN)SystemContext.SystemContextIa32->Gdtr[0] + + (SegmentSelector & ~7) + ); + } else { + // + // Get segment descriptor from LDT table + // + SegmentDescriptor =3D + (IA32_SEGMENT_DESCRIPTOR *)( + (UINTN)SystemContext.SystemContextIa32->Ldtr + + (SegmentSelector & ~7) + ); + } + + // + // Get segment descriptor's base address + // + SegDescBase =3D SegmentDescriptor->Bits.BaseLow | + (SegmentDescriptor->Bits.BaseMid << 16) | + (SegmentDescriptor->Bits.BaseHigh << 24); + + // + // Get segment descriptor's limit + // + SegDescLimit =3D SegmentDescriptor->Bits.LimitLow | + (SegmentDescriptor->Bits.LimitHigh << 16); + + // + // Calculate segment descriptor's limit in bytes + // + if (SegmentDescriptor->Bits.G =3D=3D 1) { + SegDescLimitInBytes =3D (UINT64)SegDescLimit * SIZE_4KB + (SIZE_4KB - = 1); + } else { + SegDescLimitInBytes =3D SegDescLimit; + } + + // + // Make sure to not access beyond a segment limit boundary + // + if ((UINT64)Offset + SegDescBase > SegDescLimitInBytes) { + return FALSE; + } + + // + // Check if the translated logical address (or 
linear address) is valid + // + return IsLinearAddressValid ( + SystemContext.SystemContextIa32->Cr0, + SystemContext.SystemContextIa32->Cr3, + SystemContext.SystemContextIa32->Cr4, + Offset + SegDescBase + ); +} + /** Dump stack trace. =20 @@ -470,6 +566,20 @@ DumpStacktrace ( InternalPrintMessage ("\nCall trace:\n"); =20 for (;;) { + // + // Check for valid frame pointer + // + if (!IsLogicalAddressValid (SystemContext, + SystemContext.SystemContextIa32->Ss, + (UINTN)Ebp + 4) || + !IsLogicalAddressValid (SystemContext, + SystemContext.SystemContextIa32->Ss, + (UINTN)Ebp)) { + InternalPrintMessage ("%a: attempted to dereference an invalid frame= " + "pointer at 0x%08x\n", __FUNCTION__, Ebp); + break; + } + // // Print stack frame in the following format: // @@ -610,6 +720,16 @@ DumpImageModuleNames ( // Walk through call stack and find next module names // for (;;) { + if (!IsLogicalAddressValid (SystemContext, + SystemContext.SystemContextIa32->Ss, + (UINTN)Ebp) || + !IsLogicalAddressValid (SystemContext, + SystemContext.SystemContextIa32->Ss, + (UINTN)Ebp + 4)) { + InternalPrintMessage ("%a: attempted to dereference an invalid frame= " + "pointer at 0x%08x\n", __FUNCTION__, Ebp); + } + // // Set EIP with return address from current stack frame // @@ -673,16 +793,23 @@ DumpImageModuleNames ( /** Dump stack contents. =20 - @param[in] CurrentEsp Current stack pointer address. + @param[in] SystemContext Pointer to EFI_SYSTEM_CONTEXT. @param[in] UnwoundStacksCount Count of unwound stack frames. **/ STATIC VOID DumpStackContents ( - IN UINT32 CurrentEsp, - IN INTN UnwoundStacksCount + IN EFI_SYSTEM_CONTEXT SystemContext, + IN INTN UnwoundStacksCount ) { + UINT32 CurrentEsp; + + // + // Get current stack pointer + // + CurrentEsp =3D SystemContext.SystemContextIa32->Esp; + // // Check for proper stack alignment // 
@@ -696,6 +823,20 @@ DumpStackContents ( // InternalPrintMessage ("\nStack dump:\n"); while (UnwoundStacksCount-- > 0) { + // + // Check for a valid stack pointer address + // + if (!IsLogicalAddressValid (SystemContext, + SystemContext.SystemContextIa32->Ss, + (UINTN)CurrentEsp) || + !IsLogicalAddressValid (SystemContext, + SystemContext.SystemContextIa32->Ss, + (UINTN)CurrentEsp + 4)) { + InternalPrintMessage ("%a: attempted to dereference an invalid stack= " + "pointer at 0x%08x\n", __FUNCTION__, CurrentEs= p); + break; + } + InternalPrintMessage ( "0x%08x: %08x %08x\n", CurrentEsp, @@ -742,5 +883,5 @@ DumpImageAndCpuContent ( // // Dump stack contents // - DumpStackContents (SystemContext.SystemContextIa32->Esp, UnwoundStacksCo= unt); + DumpStackContents (SystemContext, UnwoundStacksCount); } diff --git a/UefiCpuPkg/Library/CpuExceptionHandlerLib/X64/ArchExceptionHan= dler.c b/UefiCpuPkg/Library/CpuExceptionHandlerLib/X64/ArchExceptionHandler= .c index 523dce95c9..c81f4c00eb 100644 --- a/UefiCpuPkg/Library/CpuExceptionHandlerLib/X64/ArchExceptionHandler.c +++ b/UefiCpuPkg/Library/CpuExceptionHandlerLib/X64/ArchExceptionHandler.c @@ -401,16 +401,26 @@ DumpCpuContext ( /** Dump stack contents. =20 - @param[in] CurrentRsp Current stack pointer address. + @param[in] SystemContext Pointer to EFI_SYSTEM_CONTEXT. @param[in] UnwoundStacksCount Count of unwound stack frames. **/ STATIC VOID DumpStackContents ( - IN UINT64 CurrentRsp, - IN INTN UnwoundStacksCount + IN EFI_SYSTEM_CONTEXT SystemContext, + IN INTN UnwoundStacksCount ) { + UINT64 CurrentRsp; + UINTN Cr0; + UINTN Cr3; + UINTN Cr4; + + // + // Get current stack pointer + // + CurrentRsp =3D SystemContext.SystemContextX64->Rsp; + // // Check for proper stack pointer alignment // 
@@ -419,11 +429,28 @@ DumpStackContents ( return; } =20 + // + // Get system control registers + // + Cr0 =3D SystemContext.SystemContextX64->Cr0; + Cr3 =3D SystemContext.SystemContextX64->Cr3; + Cr4 =3D SystemContext.SystemContextX64->Cr4; + // // Dump out stack contents // InternalPrintMessage ("\nStack dump:\n"); while (UnwoundStacksCount-- > 0) { + // + // Check for a valid stack pointer address + // + if (!IsLinearAddressValid (Cr0, Cr3, Cr4, (UINTN)CurrentRsp) || + !IsLinearAddressValid (Cr0, Cr3, Cr4, (UINTN)CurrentRsp + 8)) { + InternalPrintMessage ("%a: attempted to dereference an invalid stack= " + "pointer at 0x%016lx\n", __FUNCTION__, Current= Rsp); + break; + } + InternalPrintMessage ( "0x%016lx: %016lx %016lx\n", CurrentRsp, @@ -459,6 +486,9 @@ DumpImageModuleNames ( CHAR8 *PdbFileName; UINT64 Rbp; UINTN LastImageBase; + UINTN Cr0; + UINTN Cr3; + UINTN Cr4; =20 // // Set current RIP address @@ -527,10 +557,27 @@ DumpImageModuleNames ( InternalPrintMessage ("%a\n", PdbAbsoluteFilePath); } =20 + // + // Get system control registers + // + Cr0 =3D SystemContext.SystemContextX64->Cr0; + Cr3 =3D SystemContext.SystemContextX64->Cr3; + Cr4 =3D SystemContext.SystemContextX64->Cr4; + // // Walk through call stack and find next module names // for (;;) { + // + // Check for a valid frame pointer + // + if (!IsLinearAddressValid (Cr0, Cr3, Cr4, (UINTN)Rbp + 8) || + !IsLinearAddressValid (Cr0, Cr3, Cr4, (UINTN)Rbp)) { + InternalPrintMessage ("%a: attempted to dereference an invalid frame= " + "pointer at 0x%016lx\n", __FUNCTION__, Rbp); + break; + } + // // Set RIP with return address from current stack frame // @@ -617,6 +664,9 @@ DumpStacktrace ( UINT64 Rbp; UINTN ImageBase; CHAR8 *PdbFileName; + UINTN Cr0; + UINTN Cr3; + UINTN Cr4; =20 // // Set current RIP address 
@@ -656,12 +706,29 @@ DumpStacktrace ( // *UnwoundStacksCount =3D 1; =20 + // + // Get system control registers + // + Cr0 =3D SystemContext.SystemContextX64->Cr0; + Cr3 =3D SystemContext.SystemContextX64->Cr3; + Cr4 =3D SystemContext.SystemContextX64->Cr4; + // // Print out back trace // InternalPrintMessage ("\nCall trace:\n"); =20 for (;;) { + // + // Check for valid frame pointer + // + if (!IsLinearAddressValid (Cr0, Cr3, Cr4, (UINTN)Rbp + 8) || + !IsLinearAddressValid (Cr0, Cr3, Cr4, (UINTN)Rbp)) { + InternalPrintMessage ("%a: attempted to dereference an invalid frame= " + "pointer at 0x%016lx\n", __FUNCTION__, Rbp); + break; + } + // // Print stack frame in the following format: // @@ -749,5 +816,5 @@ DumpImageAndCpuContent ( // // Dump stack contents // - DumpStackContents (SystemContext.SystemContextX64->Rsp, UnwoundStacksCou= nt); + DumpStackContents (SystemContext, UnwoundStacksCount); } --=20 2.14.3 _______________________________________________ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel
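Review bot: in the IA32 hunk that adds IsLogicalAddressValid (@@ -398,6 +403,97 @@), the LDT branch is wrong: SystemContextIa32->Ldtr is the LDT selector the exception stub saves with SLDT, not the LDT's linear base, so `(UINTN)SystemContext.SystemContextIa32->Ldtr + (SegmentSelector & ~7)` does not point at a descriptor. The LDT base and limit have to be read from the LDT descriptor that the Ldtr selector indexes in the GDT before the caller's selector can be resolved. In both branches the descriptor is also dereferenced without bounding the selector index by the table limit, so a corrupted SS in the saved context makes this helper fault on its own, and neither the present bit nor the S bit is examined, so a not-present or system descriptor passes as a valid data segment; compare `(SegmentSelector & ~7) + sizeof (IA32_SEGMENT_DESCRIPTOR) - 1` against the saved GDTR limit (or the LDT limit) before reading the descriptor, and return FALSE when `SegmentDescriptor->Bits.P == 0`. The limit test `if ((UINT64)Offset + SegDescBase > SegDescLimitInBytes)` compares a linear address against a limit that is relative to the segment base; it should be `Offset > SegDescLimitInBytes` (expand-down segments aside), with SegDescBase added only when forming the linear address handed to IsLinearAddressValid. The doc block also lacks @retval lines for the TRUE/FALSE results.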
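Review bot: in the IA32 DumpStacktrace hunk (@@ -470,6 +566,20 @@), validating Ebp and Ebp + 4 only proves that the first byte of each 4-byte read is mapped; if Ebp is not 4-byte aligned, the return-address read at Ebp + 4 can still cross into an unmapped page at Ebp + 7. DumpStackContents rejects a misaligned Esp before dumping, but nothing here checks Ebp's alignment; either reject `(Ebp & 3) != 0` before the loop or validate the last byte of each access (Ebp + 7) as well.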
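Review bot: the IA32 DumpImageModuleNames hunk (@@ -610,6 +720,16 @@) reports the invalid frame pointer but never leaves the loop: there is no `break;` after the InternalPrintMessage call, so execution falls through to "Set EIP with return address from current stack frame" and dereferences the Ebp it has just declared invalid. The IA32 DumpStacktrace hunk and the X64 DumpImageModuleNames hunk both break at this point; this one should too. Minor: the checks here test Ebp then Ebp + 4, while DumpStacktrace tests Ebp + 4 then Ebp; pick one order for both.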
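Review bot: the X64 DumpStacktrace hunk (@@ -656,12 +706,29 @@) repeats the same three assignments `Cr0 = SystemContext.SystemContextX64->Cr0;` / `Cr3 = ...->Cr3;` / `Cr4 = ...->Cr4;` that the DumpStackContents (@@ -419,11 +429,28 @@) and DumpImageModuleNames (@@ -527,10 +557,27 @@) hunks already add, each with its own trio of locals. A small STATIC helper taking EFI_SYSTEM_CONTEXT and the address, mirroring the IA32 IsLogicalAddressValid wrapper, would remove the triplicated code, keep the two architectures symmetrical, and make the "validate Rbp and Rbp + 8" checks a single call at each of the three sites.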