MdeModulePkg: DxeCore: Fix Use-After-Free guard causing page fault

REF:https://bugzilla.tianocore.org/show_bug.cgi?id=2411

With Use-After-Free heap guard feature enabled, the DxeCore would blindly
attempt to "level-up" when the `GuardAllFreedPages` inspects a non-max
level table entry from the last loop. This could cause the next round of
inspection to dereference a potentially null pointer and as such cause
a page fault.

This change adds a null pointer check to prevent such a case from happening.

Cc: Liming Gao <gaoliming@byosoft.com.cn>

Signed-off-by: Kun Qin <kun.qin@microsoft.com>
Kun Qin 2024-07-16 15:50:01 -07:00 committed by mergify[bot]
parent 0adc868b36
commit cee9d1b16b
1 changed file with 28 additions and 23 deletions


@ -1406,34 +1406,39 @@ GuardAllFreedPages (
TableEntry = ((UINT64 *)(UINTN)(Tables[Level]))[Indices[Level]];
Address = Addresses[Level];
if (Level < GUARDED_HEAP_MAP_TABLE_DEPTH - 1) {
Level += 1;
Tables[Level] = TableEntry;
Addresses[Level] = Address;
Indices[Level] = 0;
continue;
if (TableEntry == 0) {
GuardPageNumber = 0;
GuardPage = (UINT64)-1;
} else {
BitIndex = 1;
while (BitIndex != 0) {
if ((TableEntry & BitIndex) != 0) {
if (GuardPage == (UINT64)-1) {
GuardPage = Address;
if (Level < GUARDED_HEAP_MAP_TABLE_DEPTH - 1) {
Level += 1;
Tables[Level] = TableEntry;
Addresses[Level] = Address;
Indices[Level] = 0;
continue;
} else {
BitIndex = 1;
while (BitIndex != 0) {
if ((TableEntry & BitIndex) != 0) {
if (GuardPage == (UINT64)-1) {
GuardPage = Address;
}
++GuardPageNumber;
} else if (GuardPageNumber > 0) {
GuardFreedPages (GuardPage, GuardPageNumber);
GuardPageNumber = 0;
GuardPage = (UINT64)-1;
}
++GuardPageNumber;
} else if (GuardPageNumber > 0) {
GuardFreedPages (GuardPage, GuardPageNumber);
GuardPageNumber = 0;
GuardPage = (UINT64)-1;
}
if (TableEntry == 0) {
break;
}
if (TableEntry == 0) {
break;
Address += EFI_PAGES_TO_SIZE (1);
BitIndex = LShiftU64 (BitIndex, 1);
}
Address += EFI_PAGES_TO_SIZE (1);
BitIndex = LShiftU64 (BitIndex, 1);
}
}
}
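Review bot: the new `if (TableEntry == 0)` branch resets the pending run without flushing it, which changes behaviour at the leaf level: previously a zero entry reached the `while` loop, where `(TableEntry & BitIndex) == 0` with `GuardPageNumber > 0` called `GuardFreedPages (GuardPage, GuardPageNumber)` before `break`, so a run of freed pages ending exactly at the previous entry's last bit was guarded; with this change that run is dropped when the next entry is zero (at the non-leaf level the old code would have crashed, so the same flush is wanted there too). Suggest flushing before the reset, e.g. `if (GuardPageNumber > 0) { GuardFreedPages (GuardPage, GuardPageNumber); }` followed by `GuardPageNumber = 0;` and `GuardPage = (UINT64)-1;`. Separately, the inner `if (TableEntry == 0) { break; }` inside the `while` loop is now unreachable, since zero entries never enter the `else` branch; either drop it or leave a comment saying it is defensive. Finally, a one-line comment above the new branch stating why a zero entry must not be descended into (the null-table dereference from BZ 2411) would help the next reader.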