From 1b8b8683bf39b7df6492cd5580f6e58d3b62ea76 Mon Sep 17 00:00:00 2001 From: Mikhail Krichanov Date: Mon, 18 Mar 2024 16:43:42 +0300 Subject: [PATCH] SysCall: Fixed memory corruption in IA32. --- MdeModulePkg/Core/Dxe/SysCall/BootServices.c | 36 ++++----- .../Core/Dxe/SysCall/Initialization.c | 9 ++- .../Core/Dxe/SysCall/SupportedProtocols.c | 75 ++++++++++--------- 3 files changed, 64 insertions(+), 56 deletions(-) diff --git a/MdeModulePkg/Core/Dxe/SysCall/BootServices.c b/MdeModulePkg/Core/Dxe/SysCall/BootServices.c index c0b89ae0e6..ea5940f924 100644 --- a/MdeModulePkg/Core/Dxe/SysCall/BootServices.c +++ b/MdeModulePkg/Core/Dxe/SysCall/BootServices.c @@ -251,21 +251,21 @@ CallBootService ( IN RING3_STACK *UserRsp ) { - EFI_STATUS Status; - EFI_STATUS StatusBS; - UINT64 Attributes; - VOID *Interface; - EFI_GUID *CoreProtocol; - UINT32 MemoryCoreSize; - UINTN Argument4; - UINTN Argument5; - UINTN Argument6; - UINT32 Index; - VOID **UserArgList; - VOID *CoreArgList[MAX_LIST]; - EFI_HANDLE CoreHandle; - VOID *Ring3Pages; - UINT32 PagesNumber; + EFI_STATUS Status; + EFI_STATUS StatusBS; + UINT64 Attributes; + VOID *Interface; + EFI_GUID *CoreProtocol; + UINT32 MemoryCoreSize; + UINTN Argument4; + UINTN Argument5; + UINTN Argument6; + UINT32 Index; + VOID **UserArgList; + VOID *CoreArgList[MAX_LIST]; + EFI_HANDLE CoreHandle; + UINT32 PagesNumber; + EFI_PHYSICAL_ADDRESS Ring3Pages; EFI_DRIVER_BINDING_PROTOCOL *CoreDriverBinding; EFI_SIMPLE_FILE_SYSTEM_PROTOCOL *CoreSimpleFileSystem; 
@@ -649,17 +649,17 @@ CallBootService ( AllocateAnyPages, EfiRing3MemoryType, PagesNumber, - (EFI_PHYSICAL_ADDRESS *)&Ring3Pages + &Ring3Pages ); if (EFI_ERROR (Status)) { return Status; } - CopyMem (Ring3Pages, (VOID *)Argument5, Argument4 * sizeof (EFI_HANDLE *)); + CopyMem ((VOID *)(UINTN)Ring3Pages, (VOID *)Argument5, Argument4 * sizeof (EFI_HANDLE *)); FreePool ((VOID *)Argument5); - *(EFI_HANDLE **)UserRsp->Arguments[5] = (EFI_HANDLE *)Ring3Pages; + *(EFI_HANDLE **)UserRsp->Arguments[5] = (EFI_HANDLE *)(UINTN)Ring3Pages; } EnableSMAP (); diff --git a/MdeModulePkg/Core/Dxe/SysCall/Initialization.c b/MdeModulePkg/Core/Dxe/SysCall/Initialization.c index 2d965b8a80..3bf1d4d74c 100644 --- a/MdeModulePkg/Core/Dxe/SysCall/Initialization.c +++ b/MdeModulePkg/Core/Dxe/SysCall/Initialization.c @@ -31,6 +31,7 @@ InitializeRing3 ( EFI_STATUS Status; VOID *TopOfStack; UINTN SizeOfStack; + EFI_PHYSICAL_ADDRESS Physical; // // Set Ring3 EntryPoint and BootServices. @@ -39,13 +40,15 @@ InitializeRing3 ( AllocateAnyPages, EfiRing3MemoryType, EFI_SIZE_TO_PAGES (sizeof (RING3_DATA)), - (EFI_PHYSICAL_ADDRESS *)&gRing3Data + &Physical ); if (EFI_ERROR (Status)) { DEBUG ((DEBUG_ERROR, "Core: Failed to allocate memory for Ring3Data.\n")); return Status; } + gRing3Data = (RING3_DATA *)(UINTN)Physical; + CopyMem ((VOID *)gRing3Data, (VOID *)Image->Info.SystemTable, sizeof (EFI_SYSTEM_TABLE)); Status = Image->EntryPoint (ImageHandle, (EFI_SYSTEM_TABLE *)gRing3Data); @@ -59,7 +62,7 @@ InitializeRing3 ( AllocateAnyPages, EfiRing3MemoryType, RING3_INTERFACES_PAGES, - (EFI_PHYSICAL_ADDRESS *)&gRing3Interfaces + &Physical ); if (EFI_ERROR (Status)) { DEBUG ((DEBUG_ERROR, "Core: Failed to allocate memory for Ring3Interfaces.\n")); @@ -70,6 +73,8 @@ InitializeRing3 ( return Status; } + gRing3Interfaces = (VOID *)(UINTN)Physical; + SizeOfStack = EFI_SIZE_TO_PAGES (USER_STACK_SIZE) * EFI_PAGE_SIZE; // 
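Review bot: The `(VOID *)(UINTN)Ring3Pages` conversions at the CopyMem and at the `UserRsp->Arguments[5]` store narrow a 64-bit EFI_PHYSICAL_ADDRESS to a 32-bit pointer on IA32 with no check, so if CoreAllocatePages ever returned a page above 4 GiB the copy would land at a truncated address; on IA32 DXE the AllocateAnyPages path appears to stay below that limit, but nothing in this function pins the assumption. A one-line guard right after the allocation both documents and enforces it: `ASSERT (Ring3Pages <= MAX_UINTN);`. The same narrowing is repeated in Ring3Copy, CoreFileRead, CoreFileGetPosition, CoreFileGetInfo, CoreFileOpen, CoreOpenVolume and both InitializeRing3 allocations, so a small shared helper that allocates ring-3 pages and returns a `VOID *` would keep the check in one place instead of eight. CallBootService's body starts and ends outside this hunk.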
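Review bot: The new `gRing3Data = (RING3_DATA *)(UINTN)Physical;` assignment (and its `gRing3Interfaces` twin two hunks down) carries the whole point of the fix, yet nothing in the file says why the globals are no longer handed to CoreAllocatePages directly, so a later cleanup could fold the temporary back into `(EFI_PHYSICAL_ADDRESS *)&gRing3Data` and reintroduce the 8-byte write into a 4-byte object. Suggest a comment above the first allocation: `// CoreAllocatePages stores a 64-bit EFI_PHYSICAL_ADDRESS; on IA32 a VOID * is only 32 bits, so receive the address in a local and convert it instead of aliasing the pointer.` `Physical` is not read between the two allocations, so reusing one local is fine, but an `= 0` initializer would match the `Ring3Pages = 0;` convention the SupportedProtocols.c hunks adopt. InitializeRing3's body continues outside these hunks.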
diff --git a/MdeModulePkg/Core/Dxe/SysCall/SupportedProtocols.c b/MdeModulePkg/Core/Dxe/SysCall/SupportedProtocols.c index 4ee53708bb..989ff9d4fa 100644 --- a/MdeModulePkg/Core/Dxe/SysCall/SupportedProtocols.c +++ b/MdeModulePkg/Core/Dxe/SysCall/SupportedProtocols.c @@ -85,24 +85,24 @@ Ring3Copy ( IN UINT32 Size ) { - EFI_STATUS Status; - VOID *Ring3; + EFI_STATUS Status; + EFI_PHYSICAL_ADDRESS Ring3; Status = CoreAllocatePages ( AllocateAnyPages, EfiRing3MemoryType, 1, - (EFI_PHYSICAL_ADDRESS *)&Ring3 + &Ring3 ); if (EFI_ERROR (Status)) { return NULL; } DisableSMAP (); - CopyMem (Ring3, Core, Size); + CopyMem ((VOID *)(UINTN)Ring3, Core, Size); EnableSMAP (); - return Ring3; + return (VOID *)(UINTN)Ring3; } EFI_STATUS @@ -237,7 +237,7 @@ CoreFileRead ( RING3_EFI_FILE_PROTOCOL *File; UINTN *Ring3BufferSize; VOID *Ring3Buffer; - VOID *Ring3Pages; + EFI_PHYSICAL_ADDRESS Ring3Pages; UINT32 PagesNumber; if ((This == NULL) || (BufferSize == NULL)) { @@ -246,7 +246,7 @@ CoreFileRead ( File = (RING3_EFI_FILE_PROTOCOL *)This; Ring3Buffer = NULL; - Ring3Pages = NULL; + Ring3Pages = 0; PagesNumber = (UINT32)EFI_SIZE_TO_PAGES (sizeof (UINTN *) + *BufferSize); @@ -254,20 +254,20 @@ CoreFileRead ( AllocateAnyPages, EfiRing3MemoryType, PagesNumber, - (EFI_PHYSICAL_ADDRESS *)&Ring3Pages + &Ring3Pages ); if (EFI_ERROR (Status)) { return Status; } - Ring3BufferSize = (UINTN *)Ring3Pages; + Ring3BufferSize = (UINTN *)(UINTN)Ring3Pages; DisableSMAP (); *Ring3BufferSize = *BufferSize; EnableSMAP (); if (Buffer != NULL) { - Ring3Buffer = (VOID *)((UINTN *)Ring3Pages + 1); + Ring3Buffer = (VOID *)((UINTN *)(UINTN)Ring3Pages + 1); } Status = GoToRing3 ( @@ -286,7 +286,7 @@ CoreFileRead ( *BufferSize = *Ring3BufferSize; EnableSMAP (); - CoreFreePages ((EFI_PHYSICAL_ADDRESS)(UINTN)Ring3Pages, PagesNumber); + CoreFreePages (Ring3Pages, PagesNumber); return Status; } 
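Review bot: Ring3Copy copies `Size` bytes into a single page but never compares `Size` with EFI_PAGE_SIZE, so a caller passing a larger structure would write past the allocation into whatever ring-3 page follows; the callers are not part of this patch, so whether any exceed a page cannot be confirmed here. Either reject it up front, `if (Size > EFI_PAGE_SIZE) { return NULL; }`, or size the request with `EFI_SIZE_TO_PAGES (Size)` in the CoreAllocatePages call instead of the literal `1`. The page is returned to the caller and never released in this function, which deserves a sentence on the declaration so ownership is explicit.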
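Review bot: `*BufferSize = *Ring3BufferSize;` hands the caller a length that was written by ring-3 code, and the hunk shows no comparison against the size the caller originally passed in; if that same value also sizes the copy from `Ring3Buffer` back into `Buffer` (those lines are not in the hunk), a driver reporting a larger count would overrun the caller's buffer. Keep the original size in a local before the GoToRing3 call and bound the copy with `MIN (OriginalSize, *Ring3BufferSize)`, while still reporting the ring-3 value unchanged, since on EFI_BUFFER_TOO_SMALL the returned size is allowed to exceed the buffer. CoreFileGetInfo reads `*Ring3BufferSize` back the same way in its @@ -446 hunk. CoreFileRead starts outside this hunk.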
@@ -333,27 +333,27 @@ CoreFileGetPosition ( { EFI_STATUS Status; RING3_EFI_FILE_PROTOCOL *File; - UINT64 *Ring3Position; + EFI_PHYSICAL_ADDRESS Ring3Position; if ((This == NULL) || (Position == NULL)) { return EFI_INVALID_PARAMETER; } File = (RING3_EFI_FILE_PROTOCOL *)This; - Ring3Position = NULL; + Ring3Position = 0; Status = CoreAllocatePages ( AllocateAnyPages, EfiRing3MemoryType, 1, - (EFI_PHYSICAL_ADDRESS *)&Ring3Position + &Ring3Position ); if (EFI_ERROR (Status)) { return Status; } DisableSMAP (); - *Ring3Position = *Position; + *(UINT64 *)(UINTN)Ring3Position = *Position; EnableSMAP (); Status = GoToRing3 ( @@ -364,10 +364,10 @@ CoreFileGetPosition ( ); DisableSMAP (); - *Position = *Ring3Position; + *Position = *(UINT64 *)(UINTN)Ring3Position; EnableSMAP (); - CoreFreePages ((EFI_PHYSICAL_ADDRESS)(UINTN)Ring3Position, 1); + CoreFreePages (Ring3Position, 1); return Status; } @@ -387,7 +387,7 @@ CoreFileGetInfo ( EFI_GUID *Ring3InformationType; UINTN *Ring3BufferSize; VOID *Ring3Buffer; - VOID *Ring3Pages; + EFI_PHYSICAL_ADDRESS Ring3Pages; UINT32 PagesNumber; if ((This == NULL) || (BufferSize == NULL)) { @@ -397,7 +397,7 @@ CoreFileGetInfo ( File = (RING3_EFI_FILE_PROTOCOL *)This; Ring3Buffer = NULL; Ring3InformationType = NULL; - Ring3Pages = NULL; + Ring3Pages = 0; PagesNumber = (UINT32)EFI_SIZE_TO_PAGES (sizeof (UINTN *) + *BufferSize + sizeof (EFI_GUID)); @@ -405,20 +405,20 @@ CoreFileGetInfo ( AllocateAnyPages, EfiRing3MemoryType, PagesNumber, - (EFI_PHYSICAL_ADDRESS *)&Ring3Pages + &Ring3Pages ); if (EFI_ERROR (Status)) { return Status; } - Ring3BufferSize = (UINTN *)Ring3Pages; + Ring3BufferSize = (UINTN *)(UINTN)Ring3Pages; DisableSMAP (); *Ring3BufferSize = *BufferSize; EnableSMAP (); if (Buffer != NULL) { - Ring3Buffer = (VOID *)((UINTN *)Ring3Pages + 1); + Ring3Buffer = (VOID *)((UINTN *)(UINTN)Ring3Pages + 1); } if (InformationType != NULL) { 
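Review bot: `(UINT64 *)(UINTN)Ring3Position` is spelled out twice in CoreFileGetPosition, once to seed the value and once to read it back; a typed local set right after the allocation, `UINT64 *Ring3PositionPtr = (UINT64 *)(UINTN)Ring3Position;`, keeps the physical address for CoreFreePages and the pointer for the accesses apart and leaves one place to change if the conversion ever gains a range check. CoreFileRead and CoreFileGetInfo can derive their second pointer from the first rather than re-casting the address, `Ring3Buffer = (VOID *)(Ring3BufferSize + 1);`, and CoreFileOpen likewise `Ring3FileName = (CHAR16 *)(Ring3NewHandle + 1);`. The `Ring3Position = 0;` store is overwritten by CoreAllocatePages before any read, so it is harmless but only serves consistency. Both functions start outside these hunks.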
@@ -446,7 +446,7 @@ CoreFileGetInfo ( *BufferSize = *Ring3BufferSize; EnableSMAP (); - CoreFreePages ((EFI_PHYSICAL_ADDRESS)(UINTN)Ring3Pages, PagesNumber); + CoreFreePages (Ring3Pages, PagesNumber); return Status; } @@ -538,7 +538,7 @@ CoreFileOpen ( RING3_EFI_FILE_PROTOCOL *NewFile; EFI_FILE_PROTOCOL **Ring3NewHandle; CHAR16 *Ring3FileName; - VOID *Ring3Pages; + EFI_PHYSICAL_ADDRESS Ring3Pages; UINT32 PagesNumber; if ((This == NULL) || (NewHandle == NULL) || (FileName == NULL)) { @@ -548,7 +548,7 @@ CoreFileOpen ( File = (RING3_EFI_FILE_PROTOCOL *)This; Ring3NewHandle = NULL; Ring3FileName = NULL; - Ring3Pages = NULL; + Ring3Pages = 0; PagesNumber = (UINT32)EFI_SIZE_TO_PAGES (sizeof (EFI_FILE_PROTOCOL *) + StrSize (FileName)); @@ -556,22 +556,22 @@ CoreFileOpen ( AllocateAnyPages, EfiRing3MemoryType, PagesNumber, - (EFI_PHYSICAL_ADDRESS *)&Ring3Pages + &Ring3Pages ); if (EFI_ERROR (Status)) { *NewHandle = NULL; return Status; } - Ring3NewHandle = (EFI_FILE_PROTOCOL **)Ring3Pages; - Ring3FileName = (CHAR16 *)((EFI_FILE_PROTOCOL **)Ring3Pages + 1); + Ring3NewHandle = (EFI_FILE_PROTOCOL **)(UINTN)Ring3Pages; + Ring3FileName = (CHAR16 *)((EFI_FILE_PROTOCOL **)(UINTN)Ring3Pages + 1); DisableSMAP (); Status = StrCpyS (Ring3FileName, StrLen (FileName) + 1, FileName); EnableSMAP (); if (EFI_ERROR (Status)) { *NewHandle = NULL; - CoreFreePages ((EFI_PHYSICAL_ADDRESS)(UINTN)Ring3Pages, PagesNumber); + CoreFreePages (Ring3Pages, PagesNumber); return Status; } @@ -586,14 +586,14 @@ CoreFileOpen ( ); if (EFI_ERROR (Status)) { *NewHandle = NULL; - CoreFreePages ((EFI_PHYSICAL_ADDRESS)(UINTN)Ring3Pages, PagesNumber); + CoreFreePages (Ring3Pages, PagesNumber); return Status; } NewFile = AllocatePool (sizeof (RING3_EFI_FILE_PROTOCOL)); if (NewFile == NULL) { *NewHandle = NULL; - CoreFreePages ((EFI_PHYSICAL_ADDRESS)(UINTN)Ring3Pages, PagesNumber); + CoreFreePages (Ring3Pages, PagesNumber); return EFI_OUT_OF_RESOURCES; } 
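Review bot: `StrCpyS (Ring3FileName, StrLen (FileName) + 1, FileName)` passes the source length as DestMax, so the bounds check StrCpyS exists for can never fail; DestMax should express the destination's capacity, which here is the page allocation minus the leading handle slot, `(PagesNumber * EFI_PAGE_SIZE - sizeof (EFI_FILE_PROTOCOL *)) / sizeof (CHAR16)`. The allocation is sized from `StrSize (FileName)` a few lines up, so the copy fits today, but the two expressions are maintained separately and the DestMax argument is the one meant to catch drift between them. CoreFileOpen's body continues outside the hunk.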
@@ -619,7 +619,7 @@ CoreFileOpen ( *NewHandle = (EFI_FILE_PROTOCOL *)NewFile; - CoreFreePages ((EFI_PHYSICAL_ADDRESS)(UINTN)Ring3Pages, PagesNumber); + CoreFreePages (Ring3Pages, PagesNumber); return Status; } @@ -634,6 +634,7 @@ CoreOpenVolume ( EFI_STATUS Status; EFI_FILE_PROTOCOL **Ring3Root; RING3_EFI_FILE_PROTOCOL *File; + EFI_PHYSICAL_ADDRESS Physical; if (Root == NULL) { return EFI_INVALID_PARAMETER; @@ -643,13 +644,15 @@ CoreOpenVolume ( AllocateAnyPages, EfiRing3MemoryType, 1, - (EFI_PHYSICAL_ADDRESS *)&Ring3Root + &Physical ); if (EFI_ERROR (Status)) { *Root = NULL; return Status; } + Ring3Root = (EFI_FILE_PROTOCOL **)(UINTN)Physical; + Status = GoToRing3 ( 2, (VOID *)mRing3SimpleFileSystemProtocol.OpenVolume, @@ -658,14 +661,14 @@ CoreOpenVolume ( ); if (EFI_ERROR (Status)) { *Root = NULL; - CoreFreePages ((EFI_PHYSICAL_ADDRESS)(UINTN)Ring3Root, 1); + CoreFreePages (Physical, 1); return Status; } File = AllocatePool (sizeof (RING3_EFI_FILE_PROTOCOL)); if (File == NULL) { *Root = NULL; - CoreFreePages ((EFI_PHYSICAL_ADDRESS)(UINTN)Ring3Root, 1); + CoreFreePages (Physical, 1); return EFI_OUT_OF_RESOURCES; } @@ -707,7 +710,7 @@ CoreOpenVolume ( *Root = (EFI_FILE_PROTOCOL *)File; - CoreFreePages ((EFI_PHYSICAL_ADDRESS)(UINTN)Ring3Root, 1); + CoreFreePages (Physical, 1); return Status; }
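Review bot: In CoreOpenVolume the page behind `Physical` is freed on every exit after GoToRing3 while `File`, allocated with AllocatePool, is what `*Root` keeps, and nothing states that `Ring3Root` is only a scratch slot for the duration of the call; a comment at the allocation, `// One ring-3 page used only to receive the root handle from the user-mode driver; released before return.`, would make that ownership split explicit. The three identical `*Root = NULL; CoreFreePages (Physical, 1);` exits could also collapse into a single cleanup label, though the middle of the function between the @@ -658 and @@ -707 hunks is not visible here. `Physical` is declared without an initializer while the sibling functions now start their address at 0; assignment precedes every visible use, so this is consistency only.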