SysCall: Fixed memory corruption in IA32.
Mikhail Krichanov committed Mar 18, 2024
1 parent 4e3ca3c commit 1b8b868
Showing 3 changed files with 64 additions and 56 deletions.
36 changes: 18 additions & 18 deletions MdeModulePkg/Core/Dxe/SysCall/BootServices.c
Expand Up @@ -251,21 +251,21 @@ CallBootService (
IN RING3_STACK *UserRsp
)
{
EFI_STATUS Status;
EFI_STATUS StatusBS;
UINT64 Attributes;
VOID *Interface;
EFI_GUID *CoreProtocol;
UINT32 MemoryCoreSize;
UINTN Argument4;
UINTN Argument5;
UINTN Argument6;
UINT32 Index;
VOID **UserArgList;
VOID *CoreArgList[MAX_LIST];
EFI_HANDLE CoreHandle;
VOID *Ring3Pages;
UINT32 PagesNumber;
EFI_STATUS Status;
EFI_STATUS StatusBS;
UINT64 Attributes;
VOID *Interface;
EFI_GUID *CoreProtocol;
UINT32 MemoryCoreSize;
UINTN Argument4;
UINTN Argument5;
UINTN Argument6;
UINT32 Index;
VOID **UserArgList;
VOID *CoreArgList[MAX_LIST];
EFI_HANDLE CoreHandle;
UINT32 PagesNumber;
EFI_PHYSICAL_ADDRESS Ring3Pages;

EFI_DRIVER_BINDING_PROTOCOL *CoreDriverBinding;
EFI_SIMPLE_FILE_SYSTEM_PROTOCOL *CoreSimpleFileSystem;
Expand Down Expand Up @@ -649,17 +649,17 @@ CallBootService (
AllocateAnyPages,
EfiRing3MemoryType,
PagesNumber,
(EFI_PHYSICAL_ADDRESS *)&Ring3Pages
&Ring3Pages
);
if (EFI_ERROR (Status)) {
return Status;
}

CopyMem (Ring3Pages, (VOID *)Argument5, Argument4 * sizeof (EFI_HANDLE *));
CopyMem ((VOID *)(UINTN)Ring3Pages, (VOID *)Argument5, Argument4 * sizeof (EFI_HANDLE *));

FreePool ((VOID *)Argument5);

*(EFI_HANDLE **)UserRsp->Arguments[5] = (EFI_HANDLE *)Ring3Pages;
*(EFI_HANDLE **)UserRsp->Arguments[5] = (EFI_HANDLE *)(UINTN)Ring3Pages;
}
EnableSMAP ();

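Review bot: The new `(VOID *)(UINTN)Ring3Pages` casts at the CopyMem and at the `UserRsp->Arguments[5]` store narrow a 64-bit EFI_PHYSICAL_ADDRESS to a 32-bit pointer on IA32, and nothing in the hunk says why that is lossless; it holds only because AllocateAnyPages in CoreAllocatePages caps the result at MAX_ALLOC_ADDRESS, which is the 32-bit limit on IA32. A one-line comment next to the CopyMem, `// AllocateAnyPages never returns above MAX_ALLOC_ADDRESS, so narrowing to UINTN is lossless on IA32.`, would make that dependency explicit for whoever next changes the allocation type. The same narrowing appears in Initialization.c and throughout SupportedProtocols.c and the comment is worth having at each allocation site that feeds a pointer. Re-aligning the whole declaration block to fit the longer type name also turns a one-declaration fix into an 18-line hunk; keeping the existing column width would have limited the diff to the changed line. CallBootService starts and ends outside the hunks.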
9 changes: 7 additions & 2 deletions MdeModulePkg/Core/Dxe/SysCall/Initialization.c
Expand Up @@ -31,6 +31,7 @@ InitializeRing3 (
EFI_STATUS Status;
VOID *TopOfStack;
UINTN SizeOfStack;
EFI_PHYSICAL_ADDRESS Physical;

//
// Set Ring3 EntryPoint and BootServices.
Expand All @@ -39,13 +40,15 @@ InitializeRing3 (
AllocateAnyPages,
EfiRing3MemoryType,
EFI_SIZE_TO_PAGES (sizeof (RING3_DATA)),
(EFI_PHYSICAL_ADDRESS *)&gRing3Data
&Physical
);
if (EFI_ERROR (Status)) {
DEBUG ((DEBUG_ERROR, "Core: Failed to allocate memory for Ring3Data.\n"));
return Status;
}

gRing3Data = (RING3_DATA *)(UINTN)Physical;

CopyMem ((VOID *)gRing3Data, (VOID *)Image->Info.SystemTable, sizeof (EFI_SYSTEM_TABLE));

Status = Image->EntryPoint (ImageHandle, (EFI_SYSTEM_TABLE *)gRing3Data);
Expand All @@ -59,7 +62,7 @@ InitializeRing3 (
AllocateAnyPages,
EfiRing3MemoryType,
RING3_INTERFACES_PAGES,
(EFI_PHYSICAL_ADDRESS *)&gRing3Interfaces
&Physical
);
if (EFI_ERROR (Status)) {
DEBUG ((DEBUG_ERROR, "Core: Failed to allocate memory for Ring3Interfaces.\n"));
Expand All @@ -70,6 +73,8 @@ InitializeRing3 (
return Status;
}

gRing3Interfaces = (VOID *)(UINTN)Physical;

SizeOfStack = EFI_SIZE_TO_PAGES (USER_STACK_SIZE) * EFI_PAGE_SIZE;

//
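Review bot: `EFI_PHYSICAL_ADDRESS Physical;` is added without a comment explaining why gRing3Data and gRing3Interfaces can no longer be passed to CoreAllocatePages directly, which is exactly the knowledge needed to avoid reintroducing the IA32 corruption this commit fixes. Suggest on the declaration: `// CoreAllocatePages writes a 64-bit address; use a temporary so a 32-bit pointer global is never cast to EFI_PHYSICAL_ADDRESS * as the output on IA32.`. `Physical` is also reused for both allocations, so after the second CoreAllocatePages it no longer refers to the Ring3Data pages; a short `// Reused for the Ring3Interfaces allocation below.` would prevent a later reader from freeing the wrong region with it. InitializeRing3 starts and ends outside the hunks, so whether a failed second allocation releases the first is not visible here.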
75 changes: 39 additions & 36 deletions MdeModulePkg/Core/Dxe/SysCall/SupportedProtocols.c
Expand Up @@ -85,24 +85,24 @@ Ring3Copy (
IN UINT32 Size
)
{
EFI_STATUS Status;
VOID *Ring3;
EFI_STATUS Status;
EFI_PHYSICAL_ADDRESS Ring3;

Status = CoreAllocatePages (
AllocateAnyPages,
EfiRing3MemoryType,
1,
(EFI_PHYSICAL_ADDRESS *)&Ring3
&Ring3
);
if (EFI_ERROR (Status)) {
return NULL;
}

DisableSMAP ();
CopyMem (Ring3, Core, Size);
CopyMem ((VOID *)(UINTN)Ring3, Core, Size);
EnableSMAP ();

return Ring3;
return (VOID *)(UINTN)Ring3;
}

EFI_STATUS
Expand Down Expand Up @@ -237,7 +237,7 @@ CoreFileRead (
RING3_EFI_FILE_PROTOCOL *File;
UINTN *Ring3BufferSize;
VOID *Ring3Buffer;
VOID *Ring3Pages;
EFI_PHYSICAL_ADDRESS Ring3Pages;
UINT32 PagesNumber;

if ((This == NULL) || (BufferSize == NULL)) {
Expand All @@ -246,28 +246,28 @@ CoreFileRead (

File = (RING3_EFI_FILE_PROTOCOL *)This;
Ring3Buffer = NULL;
Ring3Pages = NULL;
Ring3Pages = 0;

PagesNumber = (UINT32)EFI_SIZE_TO_PAGES (sizeof (UINTN *) + *BufferSize);

Status = CoreAllocatePages (
AllocateAnyPages,
EfiRing3MemoryType,
PagesNumber,
(EFI_PHYSICAL_ADDRESS *)&Ring3Pages
&Ring3Pages
);
if (EFI_ERROR (Status)) {
return Status;
}

Ring3BufferSize = (UINTN *)Ring3Pages;
Ring3BufferSize = (UINTN *)(UINTN)Ring3Pages;

DisableSMAP ();
*Ring3BufferSize = *BufferSize;
EnableSMAP ();

if (Buffer != NULL) {
Ring3Buffer = (VOID *)((UINTN *)Ring3Pages + 1);
Ring3Buffer = (VOID *)((UINTN *)(UINTN)Ring3Pages + 1);
}

Status = GoToRing3 (
Expand All @@ -286,7 +286,7 @@ CoreFileRead (
*BufferSize = *Ring3BufferSize;
EnableSMAP ();

CoreFreePages ((EFI_PHYSICAL_ADDRESS)(UINTN)Ring3Pages, PagesNumber);
CoreFreePages (Ring3Pages, PagesNumber);

return Status;
}
Expand Down Expand Up @@ -333,27 +333,27 @@ CoreFileGetPosition (
{
EFI_STATUS Status;
RING3_EFI_FILE_PROTOCOL *File;
UINT64 *Ring3Position;
EFI_PHYSICAL_ADDRESS Ring3Position;

if ((This == NULL) || (Position == NULL)) {
return EFI_INVALID_PARAMETER;
}

File = (RING3_EFI_FILE_PROTOCOL *)This;
Ring3Position = NULL;
Ring3Position = 0;

Status = CoreAllocatePages (
AllocateAnyPages,
EfiRing3MemoryType,
1,
(EFI_PHYSICAL_ADDRESS *)&Ring3Position
&Ring3Position
);
if (EFI_ERROR (Status)) {
return Status;
}

DisableSMAP ();
*Ring3Position = *Position;
*(UINT64 *)(UINTN)Ring3Position = *Position;
EnableSMAP ();

Status = GoToRing3 (
Expand All @@ -364,10 +364,10 @@ CoreFileGetPosition (
);

DisableSMAP ();
*Position = *Ring3Position;
*Position = *(UINT64 *)(UINTN)Ring3Position;
EnableSMAP ();

CoreFreePages ((EFI_PHYSICAL_ADDRESS)(UINTN)Ring3Position, 1);
CoreFreePages (Ring3Position, 1);

return Status;
}
Expand All @@ -387,7 +387,7 @@ CoreFileGetInfo (
EFI_GUID *Ring3InformationType;
UINTN *Ring3BufferSize;
VOID *Ring3Buffer;
VOID *Ring3Pages;
EFI_PHYSICAL_ADDRESS Ring3Pages;
UINT32 PagesNumber;

if ((This == NULL) || (BufferSize == NULL)) {
Expand All @@ -397,28 +397,28 @@ CoreFileGetInfo (
File = (RING3_EFI_FILE_PROTOCOL *)This;
Ring3Buffer = NULL;
Ring3InformationType = NULL;
Ring3Pages = NULL;
Ring3Pages = 0;

PagesNumber = (UINT32)EFI_SIZE_TO_PAGES (sizeof (UINTN *) + *BufferSize + sizeof (EFI_GUID));

Status = CoreAllocatePages (
AllocateAnyPages,
EfiRing3MemoryType,
PagesNumber,
(EFI_PHYSICAL_ADDRESS *)&Ring3Pages
&Ring3Pages
);
if (EFI_ERROR (Status)) {
return Status;
}

Ring3BufferSize = (UINTN *)Ring3Pages;
Ring3BufferSize = (UINTN *)(UINTN)Ring3Pages;

DisableSMAP ();
*Ring3BufferSize = *BufferSize;
EnableSMAP ();

if (Buffer != NULL) {
Ring3Buffer = (VOID *)((UINTN *)Ring3Pages + 1);
Ring3Buffer = (VOID *)((UINTN *)(UINTN)Ring3Pages + 1);
}

if (InformationType != NULL) {
Expand Down Expand Up @@ -446,7 +446,7 @@ CoreFileGetInfo (
*BufferSize = *Ring3BufferSize;
EnableSMAP ();

CoreFreePages ((EFI_PHYSICAL_ADDRESS)(UINTN)Ring3Pages, PagesNumber);
CoreFreePages (Ring3Pages, PagesNumber);

return Status;
}
Expand Down Expand Up @@ -538,7 +538,7 @@ CoreFileOpen (
RING3_EFI_FILE_PROTOCOL *NewFile;
EFI_FILE_PROTOCOL **Ring3NewHandle;
CHAR16 *Ring3FileName;
VOID *Ring3Pages;
EFI_PHYSICAL_ADDRESS Ring3Pages;
UINT32 PagesNumber;

if ((This == NULL) || (NewHandle == NULL) || (FileName == NULL)) {
Expand All @@ -548,30 +548,30 @@ CoreFileOpen (
File = (RING3_EFI_FILE_PROTOCOL *)This;
Ring3NewHandle = NULL;
Ring3FileName = NULL;
Ring3Pages = NULL;
Ring3Pages = 0;

PagesNumber = (UINT32)EFI_SIZE_TO_PAGES (sizeof (EFI_FILE_PROTOCOL *) + StrSize (FileName));

Status = CoreAllocatePages (
AllocateAnyPages,
EfiRing3MemoryType,
PagesNumber,
(EFI_PHYSICAL_ADDRESS *)&Ring3Pages
&Ring3Pages
);
if (EFI_ERROR (Status)) {
*NewHandle = NULL;
return Status;
}

Ring3NewHandle = (EFI_FILE_PROTOCOL **)Ring3Pages;
Ring3FileName = (CHAR16 *)((EFI_FILE_PROTOCOL **)Ring3Pages + 1);
Ring3NewHandle = (EFI_FILE_PROTOCOL **)(UINTN)Ring3Pages;
Ring3FileName = (CHAR16 *)((EFI_FILE_PROTOCOL **)(UINTN)Ring3Pages + 1);

DisableSMAP ();
Status = StrCpyS (Ring3FileName, StrLen (FileName) + 1, FileName);
EnableSMAP ();
if (EFI_ERROR (Status)) {
*NewHandle = NULL;
CoreFreePages ((EFI_PHYSICAL_ADDRESS)(UINTN)Ring3Pages, PagesNumber);
CoreFreePages (Ring3Pages, PagesNumber);
return Status;
}

Expand All @@ -586,14 +586,14 @@ CoreFileOpen (
);
if (EFI_ERROR (Status)) {
*NewHandle = NULL;
CoreFreePages ((EFI_PHYSICAL_ADDRESS)(UINTN)Ring3Pages, PagesNumber);
CoreFreePages (Ring3Pages, PagesNumber);
return Status;
}

NewFile = AllocatePool (sizeof (RING3_EFI_FILE_PROTOCOL));
if (NewFile == NULL) {
*NewHandle = NULL;
CoreFreePages ((EFI_PHYSICAL_ADDRESS)(UINTN)Ring3Pages, PagesNumber);
CoreFreePages (Ring3Pages, PagesNumber);
return EFI_OUT_OF_RESOURCES;
}

Expand All @@ -619,7 +619,7 @@ CoreFileOpen (

*NewHandle = (EFI_FILE_PROTOCOL *)NewFile;

CoreFreePages ((EFI_PHYSICAL_ADDRESS)(UINTN)Ring3Pages, PagesNumber);
CoreFreePages (Ring3Pages, PagesNumber);

return Status;
}
Expand All @@ -634,6 +634,7 @@ CoreOpenVolume (
EFI_STATUS Status;
EFI_FILE_PROTOCOL **Ring3Root;
RING3_EFI_FILE_PROTOCOL *File;
EFI_PHYSICAL_ADDRESS Physical;

if (Root == NULL) {
return EFI_INVALID_PARAMETER;
Expand All @@ -643,13 +644,15 @@ CoreOpenVolume (
AllocateAnyPages,
EfiRing3MemoryType,
1,
(EFI_PHYSICAL_ADDRESS *)&Ring3Root
&Physical
);
if (EFI_ERROR (Status)) {
*Root = NULL;
return Status;
}

Ring3Root = (EFI_FILE_PROTOCOL **)(UINTN)Physical;

Status = GoToRing3 (
2,
(VOID *)mRing3SimpleFileSystemProtocol.OpenVolume,
Expand All @@ -658,14 +661,14 @@ CoreOpenVolume (
);
if (EFI_ERROR (Status)) {
*Root = NULL;
CoreFreePages ((EFI_PHYSICAL_ADDRESS)(UINTN)Ring3Root, 1);
CoreFreePages (Physical, 1);
return Status;
}

File = AllocatePool (sizeof (RING3_EFI_FILE_PROTOCOL));
if (File == NULL) {
*Root = NULL;
CoreFreePages ((EFI_PHYSICAL_ADDRESS)(UINTN)Ring3Root, 1);
CoreFreePages (Physical, 1);
return EFI_OUT_OF_RESOURCES;
}

Expand Down Expand Up @@ -707,7 +710,7 @@ CoreOpenVolume (

*Root = (EFI_FILE_PROTOCOL *)File;

CoreFreePages ((EFI_PHYSICAL_ADDRESS)(UINTN)Ring3Root, 1);
CoreFreePages (Physical, 1);

return Status;
}
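Review bot: Ring3Copy still allocates exactly one page (the `1,` argument to CoreAllocatePages) and then copies `Size` bytes into it at `CopyMem ((VOID *)(UINTN)Ring3, Core, Size);` with no check that Size fits, so a caller passing more than EFI_PAGE_SIZE overruns the ring3 page; the commit rewrites that line but does not address it. The function already uses NULL as its failure value, so `if (Size > EFI_PAGE_SIZE) { return NULL; }` before the allocation is enough, or allocate `EFI_SIZE_TO_PAGES (Size)` pages if callers can be given the page count to free. The other hunks in this file (CoreFileRead, CoreFileGetPosition, CoreFileGetInfo, CoreFileOpen, CoreOpenVolume) are the same mechanical EFI_PHYSICAL_ADDRESS conversion and look consistent; the narrowing-cast comment suggested on BootServices.c applies to each of them as well. Ring3Copy's signature begins outside the hunk.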
