MdeModulePkg/Core: add freed-memory guard feature
Freed-memory guard is used to detect UAF (Use-After-Free) memory issue which is illegal access to memory which has been freed. The principle behind is similar to pool guard feature, that is we'll turn all pool memory allocation to page allocation and mark them to be not-present once they are freed. This also implies that, once a page is allocated and freed, it cannot be re-allocated. This will bring another issue, which is that there's risk that memory space will be used out. To address it, the memory service add logic to put part (at most 64 pages a time) of freed pages back into page pool, so that the memory service can still have memory to allocate, when all memory space have been allocated once. This is called memory promotion. The promoted pages are always from the eldest pages which haven been freed. This feature brings another problem is that memory map descriptors will be increased enormously (200+ -> 2000+). One of change in this patch is to update MergeMemoryMap() in file PropertiesTable.c to allow merge freed pages back into the memory map. Now the number can stay at around 510. Cc: Star Zeng <star.zeng@intel.com> Cc: Michael D Kinney <michael.d.kinney@intel.com> Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Ruiyu Ni <ruiyu.ni@intel.com> Cc: Laszlo Ersek <lersek@redhat.com> Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Jian J Wang <jian.j.wang@intel.com> Reviewed-by: Star Zeng <star.zeng@intel.com>
This commit is contained in:
@@ -1,7 +1,7 @@
|
||||
/** @file
|
||||
Data type, macros and function prototypes of heap guard feature.
|
||||
|
||||
Copyright (c) 2017, Intel Corporation. All rights reserved.<BR>
|
||||
Copyright (c) 2017-2018, Intel Corporation. All rights reserved.<BR>
|
||||
This program and the accompanying materials
|
||||
are licensed and made available under the terms and conditions of the BSD License
|
||||
which accompanies this distribution. The full text of the license may be found at
|
||||
@@ -160,6 +160,9 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
|
||||
//
|
||||
#define GUARD_HEAP_TYPE_PAGE BIT0
|
||||
#define GUARD_HEAP_TYPE_POOL BIT1
|
||||
#define GUARD_HEAP_TYPE_FREED BIT4
|
||||
#define GUARD_HEAP_TYPE_ALL \
|
||||
(GUARD_HEAP_TYPE_PAGE|GUARD_HEAP_TYPE_POOL|GUARD_HEAP_TYPE_FREED)
|
||||
|
||||
//
|
||||
// Debug message level
|
||||
@@ -392,11 +395,13 @@ AdjustPoolHeadF (
|
||||
/**
|
||||
Check to see if the heap guard is enabled for page and/or pool allocation.
|
||||
|
||||
@param[in] GuardType Specify the sub-type(s) of Heap Guard.
|
||||
|
||||
@return TRUE/FALSE.
|
||||
**/
|
||||
BOOLEAN
|
||||
IsHeapGuardEnabled (
|
||||
VOID
|
||||
UINT8 GuardType
|
||||
);
|
||||
|
||||
/**
|
||||
@@ -407,6 +412,62 @@ HeapGuardCpuArchProtocolNotify (
|
||||
VOID
|
||||
);
|
||||
|
||||
/**
|
||||
This function checks to see if the given memory map descriptor in a memory map
|
||||
can be merged with any guarded free pages.
|
||||
|
||||
@param MemoryMapEntry A pointer to a descriptor in MemoryMap.
|
||||
@param MaxAddress Maximum address to stop the merge.
|
||||
|
||||
@return VOID
|
||||
|
||||
**/
|
||||
VOID
|
||||
MergeGuardPages (
|
||||
IN EFI_MEMORY_DESCRIPTOR *MemoryMapEntry,
|
||||
IN EFI_PHYSICAL_ADDRESS MaxAddress
|
||||
);
|
||||
|
||||
/**
|
||||
Record freed pages as well as mark them as not-present, if enabled.
|
||||
|
||||
@param[in] BaseAddress Base address of just freed pages.
|
||||
@param[in] Pages Number of freed pages.
|
||||
|
||||
@return VOID.
|
||||
**/
|
||||
VOID
|
||||
EFIAPI
|
||||
GuardFreedPagesChecked (
|
||||
IN EFI_PHYSICAL_ADDRESS BaseAddress,
|
||||
IN UINTN Pages
|
||||
);
|
||||
|
||||
/**
|
||||
Put part (at most 64 pages a time) guarded free pages back to free page pool.
|
||||
|
||||
Freed memory guard is used to detect Use-After-Free (UAF) memory issue, which
|
||||
makes use of 'Used then throw away' way to detect any illegal access to freed
|
||||
memory. The thrown-away memory will be marked as not-present so that any access
|
||||
to those memory (after free) will be caught by page-fault exception.
|
||||
|
||||
The problem is that this will consume lots of memory space. Once no memory
|
||||
left in pool to allocate, we have to restore part of the freed pages to their
|
||||
normal function. Otherwise the whole system will stop functioning.
|
||||
|
||||
@param StartAddress Start address of promoted memory.
|
||||
@param EndAddress End address of promoted memory.
|
||||
|
||||
@return TRUE Succeeded to promote memory.
|
||||
@return FALSE No free memory found.
|
||||
|
||||
**/
|
||||
BOOLEAN
|
||||
PromoteGuardedFreePages (
|
||||
OUT EFI_PHYSICAL_ADDRESS *StartAddress,
|
||||
OUT EFI_PHYSICAL_ADDRESS *EndAddress
|
||||
);
|
||||
|
||||
extern BOOLEAN mOnGuarding;
|
||||
|
||||
#endif
|
||||
|
Reference in New Issue
Block a user