Andrew:
Thanks for your catch. I agree this is an issue. Your fix looks good to me.
Reviewed-by: Gao, Liming <[email protected]>
Besides, do you find any other similar case in EDKII packages?
On DxeIpl to init a vector table: first, this is done before
CpuExceptionHandlerLib, and we don't assume that DxeCore always links a real
CpuExceptionHandlerLib; second, we try to close any window even if it is small.
Thanks
Liming
From: Andrew Fish [mailto:[email protected]]
Sent: Saturday, June 21, 2014 6:46 AM
To: [email protected]
Subject: [edk2] MdeModulePkg Maintainer: Buffer overflow bug in DXE IPL.
There is a call to PeiServicesAllocatePages() that passes in the address of a pointer
(IA32 sizeof (VOID *) == 4), but it casts this to a pointer to
EFI_PHYSICAL_ADDRESS, which is always UINT64. This means that 4 bytes of the
stack are overwritten.
https://svn.code.sf.net/p/edk2/code/trunk/edk2/MdeModulePkg/Core/DxeIplPeim/Ia32/DxeLoadFunc.c
  X64_IDT_TABLE  *IdtTableForX64;

  Status = PeiServicesAllocatePages (
             EfiBootServicesData,
             EFI_SIZE_TO_PAGES (sizeof (X64_IDT_TABLE) + SizeOfTemplate * IDT_ENTRY_COUNT),
             (EFI_PHYSICAL_ADDRESS *) &IdtTableForX64
             );
It should be:
  IdtTableForX64 = AllocatePages (EFI_SIZE_TO_PAGES (sizeof (X64_IDT_TABLE) + SizeOfTemplate * IDT_ENTRY_COUNT));
I don't think the bug causes any detectable error, since it is likely that
Index is being overwritten, and it is set later in the function.
Thanks,
Andrew Fish
PS Also, does it make sense for the DXE IPL to init a vector table? It looks
like there is only one library call, GetNextGuidHob(), prior to the DXE Core
calling InitializeCpuExceptionHandlers(). So it seems like the window to catch
a bug is very small. There could always be a version of CpuExceptionHandlerLib
that just does the jmp $ (jmp .).
https://svn.code.sf.net/p/edk2/code/trunk/edk2/MdeModulePkg/Core/Dxe/DxeMain/DxeMain.c
VOID
EFIAPI
DxeMain (
  IN  VOID *HobStart
  )
{
  EFI_STATUS                    Status;
  EFI_PHYSICAL_ADDRESS          MemoryBaseAddress;
  UINT64                        MemoryLength;
  PE_COFF_LOADER_IMAGE_CONTEXT  ImageContext;
  UINTN                         Index;
  EFI_HOB_GUID_TYPE             *GuidHob;
  EFI_VECTOR_HANDOFF_INFO       *VectorInfoList;
  EFI_VECTOR_HANDOFF_INFO       *VectorInfo;

  //
  // Setup the default exception handlers
  //
  VectorInfoList = NULL;
  GuidHob = GetNextGuidHob (&gEfiVectorHandoffInfoPpiGuid, HobStart);
  if (GuidHob != NULL) {
    VectorInfoList = (EFI_VECTOR_HANDOFF_INFO *) (GET_GUID_HOB_DATA (GuidHob));
  }
  Status = InitializeCpuExceptionHandlers (VectorInfoList);
  ASSERT_EFI_ERROR (Status);
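The following is an added example, not code from the thread or from EDK II, that models the defect Andrew describes so it can be observed on any host: a callee that always stores a 64-bit EFI_PHYSICAL_ADDRESS is handed the address of a 4-byte slot, and the neighbouring 4-byte slot (Index, in the real frame) is clobbered. All types and functions here (ModelAllocatePages, IA32_FRAME, BuggyPattern, FixedPattern) are constructed stand-ins for the EDK II ones; the IA32 frame is modelled as a struct of two uint32_t so the layout is deterministic, and the expected values assume a little-endian host.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the EDK II types used in the thread. */
typedef uint64_t EFI_PHYSICAL_ADDRESS;
typedef int      EFI_STATUS;
#define EFI_SUCCESS 0

/*
 * Models the callee side of PeiServicesAllocatePages(): whatever the caller's
 * pointer really points at, the callee stores a full 64-bit address through it.
 * The address is a constructed constant with a non-zero high dword so that a
 * 4-byte spill is visible.
 */
static EFI_STATUS
ModelAllocatePages (uint64_t Pages, EFI_PHYSICAL_ADDRESS *Memory)
{
  EFI_PHYSICAL_ADDRESS Addr = 0xAAAAAAAA00100000ULL + Pages;  /* constructed value */
  memcpy (Memory, &Addr, sizeof (Addr));                      /* always an 8-byte store */
  return EFI_SUCCESS;
}

/*
 * Models the IA32 stack frame in DxeLoadFunc.c: a 4-byte pointer slot
 * (sizeof (VOID *) == 4 on IA32) immediately followed by another 4-byte local.
 */
typedef struct {
  uint32_t IdtTableForX64;   /* the pointer the code passes by address */
  uint32_t Index;            /* the neighbour that absorbs the extra 4 bytes */
} IA32_FRAME;

#define INDEX_SENTINEL 0x11111111u

/* Buggy pattern: cast the 4-byte slot to EFI_PHYSICAL_ADDRESS * and call.
 * Returns the value of Index after the call. */
uint32_t
BuggyPattern (void)
{
  IA32_FRAME Frame = { 0, INDEX_SENTINEL };
  ModelAllocatePages (3, (EFI_PHYSICAL_ADDRESS *) &Frame.IdtTableForX64);
  return Frame.Index;   /* little-endian: now holds the high dword 0xAAAAAAAA */
}

/* Fixed pattern: give the callee a real EFI_PHYSICAL_ADDRESS and convert to the
 * pointer-sized slot afterwards. This is what the AllocatePages() wrapper that
 * Andrew proposes does internally, returning a VOID * of the right size.
 * Returns the value of Index after the call. */
uint32_t
FixedPattern (void)
{
  IA32_FRAME           Frame  = { 0, INDEX_SENTINEL };
  EFI_PHYSICAL_ADDRESS Memory = 0;

  ModelAllocatePages (3, &Memory);
  Frame.IdtTableForX64 = (uint32_t) Memory;   /* IA32: pointer is the low 32 bits */
  return Frame.Index;                         /* untouched: still INDEX_SENTINEL */
}

int
main (void)
{
  printf ("buggy: Index = 0x%08x\n", BuggyPattern ());
  printf ("fixed: Index = 0x%08x\n", FixedPattern ());
  return 0;
}
```

The practical check this suggests for review: whenever an `&Local` is cast to `EFI_PHYSICAL_ADDRESS *`, confirm that `sizeof (Local) == sizeof (EFI_PHYSICAL_ADDRESS)` on every architecture the module builds for; a pointer or UINTN local fails that test on IA32.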
_______________________________________________
edk2-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/edk2-devel