MdeModulePkg/Core: add freed-memory guard feature

Freed-memory guard is used to detect UAF (Use-After-Free) memory issues,
which are illegal accesses to memory that has been freed. The principle
behind it is similar to the pool guard feature; that is, we'll turn all pool
memory allocations into page allocations and mark them not-present
once they are freed.

This also implies that, once a page is allocated and freed, it cannot
be re-allocated. This brings another issue, which is that there's a
risk that memory space will run out. To address it, the memory
service adds logic to put part (at most 64 pages at a time) of the freed pages
back into the page pool, so that the memory service can still have memory
to allocate when all memory space has been allocated once. This is
called memory promotion. The promoted pages are always the oldest
pages which have been freed.

This feature brings another problem, which is that the number of memory map
descriptors will increase enormously (200+ -> 2000+). One of the changes in this
patch is to update MergeMemoryMap() in file PropertiesTable.c to allow merging
freed pages back into the memory map. Now the number can stay at around
510.

Cc: Star Zeng <star.zeng@intel.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Ruiyu Ni <ruiyu.ni@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Jian J Wang <jian.j.wang@intel.com>
Reviewed-by: Star Zeng <star.zeng@intel.com>
Jian J Wang
2018-10-24 12:47:45 +08:00
parent bb685071c2
commit 63ebde8ef6
6 changed files with 525 additions and 34 deletions
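The quarantine-and-promotion scheme the commit message describes, as an added model written for this page (it is not edk2's own implementation): a pool of 256 pages, a PAGE_GUARDED state standing in for the not-present page-table entry the real code sets, a FIFO ring so that promotion takes the oldest freed pages first, and a 64-page promotion batch. All four are assumptions chosen to mirror the message, and every function name below is made up for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Model parameters: assumptions of this example, not edk2 values. */
#define TOTAL_PAGES   256
#define PROMOTE_BATCH 64   /* "at most 64 pages at a time", as in the commit message */

/* PAGE_GUARDED stands in for a not-present page-table entry: any access to
 * such a page would raise a page fault on real hardware. */
enum page_state { PAGE_FREE = 0, PAGE_ALLOCATED, PAGE_GUARDED };

static enum page_state g_state[TOTAL_PAGES];
static size_t g_quarantine[TOTAL_PAGES];   /* ring of guarded pages, oldest first */
static size_t g_q_head, g_q_count, g_promotions;

void guard_init(void)
{
    memset(g_state, 0, sizeof g_state);     /* every page starts PAGE_FREE */
    g_q_head = g_q_count = g_promotions = 0;
}
size_t guard_promotion_count(void)   { return g_promotions; }
size_t guard_quarantined_pages(void) { return g_q_count; }

/* First run of `pages` consecutive free pages, or SIZE_MAX if there is none. */
static size_t find_free_run(size_t pages)
{
    size_t run = 0;
    for (size_t i = 0; i < TOTAL_PAGES; i++) {
        run = (g_state[i] == PAGE_FREE) ? run + 1 : 0;
        if (run == pages) return i + 1 - pages;
    }
    return SIZE_MAX;
}

/* Memory promotion: hand the oldest PROMOTE_BATCH guarded pages back to the
 * free pool. Returns the number promoted (0 when nothing is guarded). */
static size_t promote_guarded_pages(void)
{
    size_t n = g_q_count < PROMOTE_BATCH ? g_q_count : PROMOTE_BATCH;
    for (size_t i = 0; i < n; i++)
        g_state[g_quarantine[(g_q_head + i) % TOTAL_PAGES]] = PAGE_FREE;
    g_q_head = (g_q_head + n) % TOTAL_PAGES;
    g_q_count -= n;
    if (n > 0) g_promotions++;
    return n;
}

/* Allocate `pages` contiguous pages; guarded pages are promoted only when the
 * free pool is exhausted. Returns the first page index or SIZE_MAX. */
size_t guard_alloc_pages(size_t pages)
{
    if (pages == 0 || pages > TOTAL_PAGES) return SIZE_MAX;
    size_t idx = find_free_run(pages);
    while (idx == SIZE_MAX) {
        if (promote_guarded_pages() == 0) return SIZE_MAX;  /* truly out of memory */
        idx = find_free_run(pages);
    }
    for (size_t i = 0; i < pages; i++) g_state[idx + i] = PAGE_ALLOCATED;
    return idx;
}

/* Free: pages never go straight back to the free pool; they are marked guarded
 * and queued FIFO so that promotion always takes the oldest ones. */
bool guard_free_pages(size_t idx, size_t pages)
{
    if (pages == 0 || idx >= TOTAL_PAGES || pages > TOTAL_PAGES - idx) return false;
    for (size_t i = 0; i < pages; i++)
        if (g_state[idx + i] != PAGE_ALLOCATED) return false;  /* double free / bad range */
    for (size_t i = 0; i < pages; i++) {
        g_state[idx + i] = PAGE_GUARDED;
        g_quarantine[(g_q_head + g_q_count) % TOTAL_PAGES] = idx + i;
        g_q_count++;
    }
    return true;
}

/* The check a real CPU does in hardware: only present pages may be touched. */
bool guard_access_ok(size_t idx)
{
    return idx < TOTAL_PAGES && g_state[idx] == PAGE_ALLOCATED;
}

/* Use-after-free scenario: 0 on success, else the number of the failing check. */
int run_uaf_scenario(void)
{
    guard_init();
    size_t p = guard_alloc_pages(2);
    if (p != 0 || !guard_access_ok(p + 1))            return 1;
    if (!guard_free_pages(p, 2))                      return 2;
    if (guard_access_ok(p) || guard_access_ok(p + 1)) return 3;  /* UAF would fault */
    if (guard_free_pages(p, 2))                       return 4;  /* double free rejected */
    if (guard_alloc_pages(2) != 2)                    return 5;  /* freed pages not reissued */
    return 0;
}

/* Exhaustion scenario: allocate and free every page once, then allocate again.
 * Returns the page index of the final allocation (SIZE_MAX on any failure). */
size_t run_exhaustion_scenario(void)
{
    guard_init();
    for (size_t i = 0; i < TOTAL_PAGES; i++) {
        size_t p = guard_alloc_pages(1);
        if (p != i || !guard_free_pages(p, 1)) return SIZE_MAX;
    }
    return guard_alloc_pages(1);   /* forces one promotion; lands on page 0 */
}
```

The two scenario functions show both halves of the trade-off: touching a freed page is refused (a page fault on real hardware), a second free of the same range is rejected, and once every page has been allocated and freed once the allocator recovers by promoting exactly one 64-page batch, starting with page 0, the oldest entry in the ring; the next shortfall promotes the next-oldest batch (pages 64 to 127), not pages that were freed more recently.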


@@ -1,7 +1,7 @@
/** @file
Data type, macros and function prototypes of heap guard feature.
Copyright (c) 2017, Intel Corporation. All rights reserved.<BR>
Copyright (c) 2017-2018, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at
@@ -160,6 +160,9 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
//
#define GUARD_HEAP_TYPE_PAGE BIT0
#define GUARD_HEAP_TYPE_POOL BIT1
#define GUARD_HEAP_TYPE_FREED BIT4
#define GUARD_HEAP_TYPE_ALL \
(GUARD_HEAP_TYPE_PAGE|GUARD_HEAP_TYPE_POOL|GUARD_HEAP_TYPE_FREED)
//
// Debug message level
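Review bot: GUARD_HEAP_TYPE_FREED jumps from BIT1 to BIT4 with nothing in the hunk saying why BIT2 and BIT3 are skipped; with PAGE and POOL at BIT0 and BIT1 a reader will assume the gap is a typo and "fix" it later. Add a one-line comment above the define stating what the value is aligned to (if BIT2/BIT3 are reserved for another guard type, say so). GUARD_HEAP_TYPE_ALL is updated consistently with the new bit.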
@@ -392,11 +395,13 @@ AdjustPoolHeadF (
/**
Check to see if the heap guard is enabled for page and/or pool allocation.
@param[in] GuardType Specify the sub-type(s) of Heap Guard.
@return TRUE/FALSE.
**/
BOOLEAN
IsHeapGuardEnabled (
VOID
UINT8 GuardType
);
/**
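Review bot: the description of IsHeapGuardEnabled() still reads "for page and/or pool allocation" although the new GuardType parameter can now carry GUARD_HEAP_TYPE_FREED as well, and "@return TRUE/FALSE." does not say whether passing several bits returns TRUE when any of them is enabled or only when all are. Suggest "Check to see if the heap guard is enabled for the given sub-type(s)" plus an explicit any-vs-all sentence. Changing the parameter from VOID to UINT8 also breaks every existing caller, so the .c hunks of this patch must update all of them.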
@@ -407,6 +412,62 @@ HeapGuardCpuArchProtocolNotify (
VOID
);
/**
This function checks to see if the given memory map descriptor in a memory map
can be merged with any guarded free pages.
@param MemoryMapEntry A pointer to a descriptor in MemoryMap.
@param MaxAddress Maximum address to stop the merge.
@return VOID
**/
VOID
MergeGuardPages (
IN EFI_MEMORY_DESCRIPTOR *MemoryMapEntry,
IN EFI_PHYSICAL_ADDRESS MaxAddress
);
/**
Record freed pages as well as mark them as not-present, if enabled.
@param[in] BaseAddress Base address of just freed pages.
@param[in] Pages Number of freed pages.
@return VOID.
**/
VOID
EFIAPI
GuardFreedPagesChecked (
IN EFI_PHYSICAL_ADDRESS BaseAddress,
IN UINTN Pages
);
/**
Put part (at most 64 pages a time) guarded free pages back to free page pool.
Freed memory guard is used to detect Use-After-Free (UAF) memory issue, which
makes use of 'Used then throw away' way to detect any illegal access to freed
memory. The thrown-away memory will be marked as not-present so that any access
to those memory (after free) will be caught by page-fault exception.
The problem is that this will consume lots of memory space. Once no memory
left in pool to allocate, we have to restore part of the freed pages to their
normal function. Otherwise the whole system will stop functioning.
@param StartAddress Start address of promoted memory.
@param EndAddress End address of promoted memory.
@return TRUE Succeeded to promote memory.
@return FALSE No free memory found.
**/
BOOLEAN
PromoteGuardedFreePages (
OUT EFI_PHYSICAL_ADDRESS *StartAddress,
OUT EFI_PHYSICAL_ADDRESS *EndAddress
);
extern BOOLEAN mOnGuarding;
#endif
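Review bot: the "at most 64 pages a time" limit in the PromoteGuardedFreePages() comment is a bare number with no matching macro in this header; define one next to the GUARD_HEAP_TYPE_* macros and refer to it from the comment so the documentation and the implementation cannot drift, and state that the returned [StartAddress, EndAddress) range may be smaller than the batch when fewer guarded pages are available. Minor points in the same hunk: MergeGuardPages() documents its parameters without the [in] tags the neighbouring prototypes use; GuardFreedPagesChecked() is the only one of the three new functions declared EFIAPI, which deserves a note if it is called through a callback and should be dropped otherwise; and the new extern mOnGuarding is exported with no comment saying what the flag means or which file owns it.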