MdeModulePkg: DxeCore: Fix Use-After-Free guard causing page fault

REF:https://bugzilla.tianocore.org/show_bug.cgi?id=2411 With Use-After-Free heap guard feature enabled, the DxeCore would blindly attempt to "level-up" when the `GuardAllFreedPages` inspect a non-max level table entry from the last loop. This could cause the next round of inspection to dereference a potentially null pointer and as such causing a page fault. This change adds a null pointer check to prevent such case from happening. Cc: Liming Gao <gaoliming@byosoft.com.cn> Signed-off-by: Kun Qin <kun.qin@microsoft.com>
2024-07-16 15:50:01 -07:00 · 2024-07-16 15:50:01 -07:00 · cee9d1b16b
parent 0adc868b36
commit cee9d1b16b
1 changed files with 28 additions and 23 deletions
--- a/MdeModulePkg/Core/Dxe/Mem/HeapGuard.c
+++ b/MdeModulePkg/Core/Dxe/Mem/HeapGuard.c
@ -1406,34 +1406,39 @@ GuardAllFreedPages (
      TableEntry = ((UINT64 *)(UINTN)(Tables[Level]))[Indices[Level]];
      Address    = Addresses[Level];
-      if (Level < GUARDED_HEAP_MAP_TABLE_DEPTH - 1) {
+      if (TableEntry == 0) {
-        Level           += 1;
+        GuardPageNumber = 0;
-        Tables[Level]    = TableEntry;
+        GuardPage       = (UINT64)-1;
        Addresses[Level] = Address;
        Indices[Level]   = 0;
        continue;
      } else {
-        BitIndex = 1;
+        if (Level < GUARDED_HEAP_MAP_TABLE_DEPTH - 1) {
-        while (BitIndex != 0) {
+          Level           += 1;
-          if ((TableEntry & BitIndex) != 0) {
+          Tables[Level]    = TableEntry;
-            if (GuardPage == (UINT64)-1) {
+          Addresses[Level] = Address;
-              GuardPage = Address;
+          Indices[Level]   = 0;
          continue;
        } else {
          BitIndex = 1;
          while (BitIndex != 0) {
            if ((TableEntry & BitIndex) != 0) {
              if (GuardPage == (UINT64)-1) {
                GuardPage = Address;
              }
              ++GuardPageNumber;
            } else if (GuardPageNumber > 0) {
              GuardFreedPages (GuardPage, GuardPageNumber);
              GuardPageNumber = 0;
              GuardPage       = (UINT64)-1;
            }
-            ++GuardPageNumber;
+            if (TableEntry == 0) {
-          } else if (GuardPageNumber > 0) {
+              break;
-            GuardFreedPages (GuardPage, GuardPageNumber);
+            }
            GuardPageNumber = 0;
            GuardPage       = (UINT64)-1;
          }
-          if (TableEntry == 0) {
+            Address += EFI_PAGES_TO_SIZE (1);
-            break;
+            BitIndex = LShiftU64 (BitIndex, 1);
          }
          Address += EFI_PAGES_TO_SIZE (1);
          BitIndex = LShiftU64 (BitIndex, 1);
        }
      }
    }