[edk2-devel] [edk2-test] [PATCH 1/1] uefi-sct/SctPkg: buffer overflow in NotifyFunctionTplEx()

2019-09-03 Thread Heinrich Schuchardt
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1976

CreateEventEx() may lead to a change in the memory map causing an
EFI_EVENT_GROUP_MEMORY_MAP_CHANGE. So in BBTestCreateEventEx_Func_Sub3() we
should only check for events triggered after the events have been set up.

Among other changes commit c093702f98ad ("uefi-sct/SctPkg:Fix flaw in
BBTestCreateEventEx_Func_Sub3") tried to adjust the event recording logic in
NotifyFunctionTplEx() to account for this.

The commit did not consider that CloseEvent() will release memory and
equally lead to EFI_EVENT_GROUP_MEMORY_MAP_CHANGE. NotifyFunctionTplEx()
does not check the limits of the buffer. So a buffer overrun occurs in this
case.

The easiest way to account for memory map changes by CreateEventEx() is to
initialize the event invocation records after setting up the events.

In function NotifyFunctionTplEx() check the index against the buffer
limits. Stop recording after MAX_TEST_EVENT_NUM events.

Fixes: c093702f98ad ("uefi-sct/SctPkg:Fix flaw in BBTestCreateEventEx_Func_Sub3")
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Heinrich Schuchardt 
---
 ...rTaskPriorityServicesBBTestCreateEventEx.c | 19 +--
 .../BlackBoxTest/Support.c| 55 +--
 2 files changed, 27 insertions(+), 47 deletions(-)

diff --git 
a/uefi-sct/SctPkg/TestCase/UEFI/EFI/BootServices/EventTimerTaskPriorityServices/BlackBoxTest/EventTimerTaskPriorityServicesBBTestCreateEventEx.c
 
b/uefi-sct/SctPkg/TestCase/UEFI/EFI/BootServices/EventTimerTaskPriorityServices/BlackBoxTest/EventTimerTaskPriorityServicesBBTestCreateEventEx.c
index 4a8e44e2..40af6c07 100644
--- 
a/uefi-sct/SctPkg/TestCase/UEFI/EFI/BootServices/EventTimerTaskPriorityServices/BlackBoxTest/EventTimerTaskPriorityServicesBBTestCreateEventEx.c
+++ 
b/uefi-sct/SctPkg/TestCase/UEFI/EFI/BootServices/EventTimerTaskPriorityServices/BlackBoxTest/EventTimerTaskPriorityServicesBBTestCreateEventEx.c
@@ -918,12 +918,11 @@ BBTestCreateEventEx_Func_Sub3 (
   UINTN   Buffer[MAX_TEST_EVENT_NUM + MAX_TEST_EVENT_NUM*2];
 
   //
-  // Initialize Buffer as SIGNAL_CONTEXT
+  // Initialize the event index. The event invocation records will be
+  // initialized later.
   //
   for (Index = 0; Index < MAX_TEST_EVENT_NUM; Index ++) {
 Buffer[Index] = Index;
-Buffer[Index + MAX_TEST_EVENT_NUM + Index] = (UINTN)(SIGNAL_CONTEXT);
-Buffer[Index + MAX_TEST_EVENT_NUM + 1 + Index] = (UINTN)(SIGNAL_CONTEXT);
   }
 
   //
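Review bot: the replacement comment at the top of this loop says the event invocation records "will be initialized later" without saying where, and after this change the loop only fills `Buffer[0 .. MAX_TEST_EVENT_NUM-1]`, so the record slots remain uninitialized stack memory until the second loop runs. Suggest naming the point explicitly, e.g. `// The event invocation records are initialized after the CreateEventEx() calls below.`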
@@ -976,7 +975,17 @@ BBTestCreateEventEx_Func_Sub3 (
 gtBS->CloseEvent (Event[1]);
 return Status;
   }
-  
+
+  //
+  // CreateEventEx() may lead to a change in the memory map and trigger
+  // EFI_EVENT_GROUP_MEMORY_MAP_CHANGE itself. So initialize the event
+  // invocation records after creating the events.
+  //
+  for (Index = 0; Index < MAX_TEST_EVENT_NUM; Index ++) {
+Buffer[Index + MAX_TEST_EVENT_NUM + Index] = (UINTN)(SIGNAL_CONTEXT);
+Buffer[Index + MAX_TEST_EVENT_NUM + 1 + Index] = (UINTN)(SIGNAL_CONTEXT);
+  }
+
   //
   // Call AllocatePage to change the memorymap
   //
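Review bot: the index arithmetic in the moved loop body, `Buffer[Index + MAX_TEST_EVENT_NUM + Index]` and `Buffer[Index + MAX_TEST_EVENT_NUM + 1 + Index]`, is correct (the last write lands at `3*MAX_TEST_EVENT_NUM - 1`, the final element of `Buffer`) but hides the stride; `MAX_TEST_EVENT_NUM + 2*Index` and `MAX_TEST_EVENT_NUM + 2*Index + 1` would read as the record layout. The new comment should also say that any records written by notifications fired during the preceding CreateEventEx() calls are deliberately discarded by this re-initialization, since that is the reason for the ordering.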
@@ -1035,4 +1044,4 @@ BBTestCreateEventEx_Func_Sub3 (
   //
   return EFI_SUCCESS;
 }
-#endif
\ No newline at end of file
+#endif
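Review bot: the only change in this hunk is the missing newline after `#endif`; it is unrelated to the overflow fix and is not mentioned in the commit message. Either note it there or split it into a separate whitespace commit.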
diff --git 
a/uefi-sct/SctPkg/TestCase/UEFI/EFI/BootServices/EventTimerTaskPriorityServices/BlackBoxTest/Support.c
 
b/uefi-sct/SctPkg/TestCase/UEFI/EFI/BootServices/EventTimerTaskPriorityServices/BlackBoxTest/Support.c
index c702f84d..0c900a3e 100644
--- 
a/uefi-sct/SctPkg/TestCase/UEFI/EFI/BootServices/EventTimerTaskPriorityServices/BlackBoxTest/Support.c
+++ 
b/uefi-sct/SctPkg/TestCase/UEFI/EFI/BootServices/EventTimerTaskPriorityServices/BlackBoxTest/Support.c
@@ -58,58 +58,29 @@ NotifyFunctionTplEx(
   EFI_TPL   OldTpl;
   UINTN EventIndex;
   UINTN Index;
-  
+
   if (Context != NULL) {
 Buffer = Context;
 
 EventIndex = Buffer[0];
 
 //
-// The special code check for the BBTestCreateEventEx_Func_Sub3
-// Besides AllocatePages(), CreateEventEx() may trigger the memorymap
-// change when it is out of resource in memory pool
-// Use SIGNAL_CONTEXT to block possible enter triggered by CreateEventEx
-//
-if (EventIndex != 2 && Buffer[4] == (UINTN)(SIGNAL_CONTEXT))
-  return;
-
-//
-// It is the code execution path as expect
-// The overall layout buffer as below
-// Buffer[0] [1] [2] store 1st/2nd/3rd event index (start from 0)
-// Buffer[3] [5] [7] store the index of event notified
-// Buffer[4] [6] [8] store the tpl of notification function of 1st/2nd/3rd 
event notified
+// The event's context is offset by EventIndex from the true buffer start.
+// Skip over the MAX_TEST_EVENT_NUM leading index entries.
+// A maximum of MAX_TEST_EVENT_NUM events can be recorded.
 //
-// since 3rd event is created at notify tpl, 1nd/2rd event at callback
-// EventIndex should be 2 here for the first enter
-// Because Context points to Buffer[2] and va
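Review bot: the removed early return `if (EventIndex != 2 && Buffer[4] == (UINTN)(SIGNAL_CONTEXT)) return;` was the only guard against recording notifications fired by CreateEventEx(); with it gone the function relies entirely on the limit check the commit message describes, which lies outside the visible part of this hunk. The replacement comment states the bound ("A maximum of MAX_TEST_EVENT_NUM events can be recorded") but not what happens once it is reached; suggest stating that further notifications are silently dropped rather than reported, so a reader of Sub3 knows the record buffer cannot distinguish "exactly MAX_TEST_EVENT_NUM" from "more than MAX_TEST_EVENT_NUM" notifications.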

Re: [edk2-devel] [edk2-test] [PATCH 1/1] uefi-sct/SctPkg: buffer overflow in NotifyFunctionTplEx()

2019-09-09 Thread Eric Jin
Heinrich,

Good catch.
How about checking the notify order before the operation to close all the
events created and free the pages?
It doesn't impact the result because the patch already enhances the index check
against the buffer limits. But it will ensure the correct execution sequence in
Sub3 even if the notification changes later.

With that:  Reviewed-by: Eric Jin 

Best Regards
Eric

-Original Message-
From: Heinrich Schuchardt  
Sent: Tuesday, September 3, 2019 9:24 PM
To: EDK II Development 
Cc: Jin, Eric ; Supreeth Venkatesh 
; Stephano Cetola 
; Heinrich Schuchardt 
Subject: [edk2-test] [PATCH 1/1] uefi-sct/SctPkg: buffer overflow in 
NotifyFunctionTplEx()
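To make the two points in this thread concrete, here is an added example in plain C that is not part of the SCT and not Heinrich's patch. It models the Sub3 record buffer with the layout the patch describes (event indices in `Buffer[0 .. MAX_TEST_EVENT_NUM-1]`, one two-word record per notification after them), a notification recorder that stops after `MAX_TEST_EVENT_NUM` records beside the same search run past that bound, and the order check Eric suggests, performed before the spurious notifications that CloseEvent() can trigger. The value of `MAX_TEST_EVENT_NUM`, the `SIGNAL_CONTEXT` sentinel, the TPL value, the guard region and every function name are assumptions for this model, not the SCT's definitions; the unbounded pre-patch search is modelled by passing a larger record limit, because the real pre-patch code is cut off in the archive.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed constants for the model (not the SCT's definitions). */
#define MAX_TEST_EVENT_NUM 3                        /* assumed value */
#define BUFFER_SIZE        (MAX_TEST_EVENT_NUM + MAX_TEST_EVENT_NUM * 2)
#define GUARD_WORDS        4                        /* words after Buffer standing in for adjacent stack */
#define SIGNAL_CONTEXT     ((uintptr_t)0xFFFFFFFFu) /* hypothetical "record free" sentinel */
#define TPL_CALLBACK_VAL   8                        /* TPL_CALLBACK in the UEFI spec; a label only here */

/* Layout from the patch: Buffer[0..MAX-1] hold the event index handed out as
 * Context; record i is Buffer[MAX + 2*i] (event index), Buffer[MAX + 2*i + 1] (TPL).
 * Memory[0..BUFFER_SIZE-1] is Buffer; the words after it are a guard region. */
typedef struct {
  uintptr_t Memory[BUFFER_SIZE + GUARD_WORDS];
} TestState;

static void InitState(TestState *S) {
  for (size_t i = 0; i < MAX_TEST_EVENT_NUM; i++) S->Memory[i] = i;
  /* Records (and, in this model, the stale words beyond Buffer) look "free". */
  for (size_t i = MAX_TEST_EVENT_NUM; i < BUFFER_SIZE + GUARD_WORDS; i++)
    S->Memory[i] = SIGNAL_CONTEXT;
}

/* Notification callback model. Context is &Buffer[EventIndex], so Context[0] is
 * the event index and Context - EventIndex is the true buffer start, as the
 * patch's new comment describes. Returns the record slot written, or -1 once all
 * RecordLimit records are in use. The patched logic passes MAX_TEST_EVENT_NUM;
 * a larger limit models the unchecked search. */
static int RecordNotification(uintptr_t *Context, uintptr_t Tpl, size_t RecordLimit) {
  uintptr_t  EventIndex = Context[0];
  uintptr_t *Buffer     = Context - EventIndex;
  for (size_t i = 0; i < RecordLimit; i++) {
    size_t Slot = MAX_TEST_EVENT_NUM + 2 * i;
    if (Buffer[Slot] == SIGNAL_CONTEXT) {
      Buffer[Slot]     = EventIndex;
      Buffer[Slot + 1] = Tpl;
      return (int)Slot;
    }
  }
  return -1;  /* record buffer full: stop recording, as the patch does */
}

/* 1 if no notification wrote past the end of Buffer. */
static int GuardIntact(const TestState *S) {
  for (size_t i = BUFFER_SIZE; i < BUFFER_SIZE + GUARD_WORDS; i++)
    if (S->Memory[i] != SIGNAL_CONTEXT) return 0;
  return 1;
}

/* Eric's check: the recorded event indices match the expected notify order. */
static int NotifyOrderMatches(const TestState *S, const uintptr_t *Expected) {
  for (size_t i = 0; i < MAX_TEST_EVENT_NUM; i++)
    if (S->Memory[MAX_TEST_EVENT_NUM + 2 * i] != Expected[i]) return 0;
  return 1;
}

typedef struct { int Overrun; int Dropped; int OrderOk; } ScenarioResult;

/* Constructed scenario: three real notifications (assumed order 2, 1, 0), the
 * order check, then two spurious notifications standing in for the
 * EFI_EVENT_GROUP_MEMORY_MAP_CHANGE that CloseEvent() can trigger. */
static ScenarioResult RunScenario(size_t RecordLimit) {
  static const uintptr_t Real[]     = {2, 1, 0};
  static const uintptr_t Spurious[] = {2, 1};
  ScenarioResult R = {0, 0, 0};
  TestState S;
  InitState(&S);
  for (size_t n = 0; n < 3; n++)
    if (RecordNotification(&S.Memory[Real[n]], TPL_CALLBACK_VAL, RecordLimit) < 0) R.Dropped++;
  R.OrderOk = NotifyOrderMatches(&S, Real);   /* checked before "closing" the events */
  for (size_t n = 0; n < 2; n++)
    if (RecordNotification(&S.Memory[Spurious[n]], TPL_CALLBACK_VAL, RecordLimit) < 0) R.Dropped++;
  R.Overrun = !GuardIntact(&S);
  return R;
}

int main(void) {
  ScenarioResult Bounded   = RunScenario(MAX_TEST_EVENT_NUM);      /* patched behaviour */
  ScenarioResult Unbounded = RunScenario(MAX_TEST_EVENT_NUM + 2);  /* search allowed past the records */
  printf("bounded:   overrun=%d dropped=%d order_ok=%d\n", Bounded.Overrun, Bounded.Dropped, Bounded.OrderOk);
  printf("unbounded: overrun=%d dropped=%d order_ok=%d\n", Unbounded.Overrun, Unbounded.Dropped, Unbounded.OrderOk);
  return 0;
}
```

With the bound in place the two spurious notifications are dropped and the guard region is untouched; without it they are written into the words past `Buffer`, which is the overrun the commit message describes. In both runs the order check passes because it is made before the spurious notifications arrive, which is the reason for the ordering Eric proposes.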