MdeModulePkg PiSmmCore: Enhance SMM FreePool to catch buffer overflow
This solution is equivalent to DXE core. AllocatePool() allocates POOL_TAIL after the buffer. This POOL_TAIL is checked at FreePool(). If the there is buffer overflow, the issue can be caught at FreePool(). This patch could also handle the eight-byte aligned allocation requirement. The discussion related to the eight-byte aligned allocation requirement is at https://lists.01.org/pipermail/edk2-devel/2017-April/009995.html. According to the PI spec (Vol 4, Section 3.2 SmmAllocatePool()): The SmmAllocatePool() function ... All allocations are eight-byte aligned. Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Hao Wu <hao.a.wu@intel.com> Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Star Zeng <star.zeng@intel.com> Reviewed-by: Jiewen Yao <jiewen.yao@intel.com> Reviewed-by: Hao Wu <hao.a.wu@intel.com>
This commit is contained in:
@@ -1196,12 +1196,28 @@ extern LIST_ENTRY mSmmMemoryMap;
|
||||
//
|
||||
#define MAX_POOL_INDEX (MAX_POOL_SHIFT - MIN_POOL_SHIFT + 1)
|
||||
|
||||
#define POOL_HEAD_SIGNATURE SIGNATURE_32('p','h','d','0')
|
||||
|
||||
typedef struct {
|
||||
UINTN Size;
|
||||
BOOLEAN Available;
|
||||
EFI_MEMORY_TYPE Type;
|
||||
UINT32 Signature;
|
||||
BOOLEAN Available;
|
||||
EFI_MEMORY_TYPE Type;
|
||||
UINTN Size;
|
||||
} POOL_HEADER;
|
||||
|
||||
#define POOL_TAIL_SIGNATURE SIGNATURE_32('p','t','a','l')
|
||||
|
||||
typedef struct {
|
||||
UINT32 Signature;
|
||||
UINT32 Reserved;
|
||||
UINTN Size;
|
||||
} POOL_TAIL;
|
||||
|
||||
#define POOL_OVERHEAD (sizeof(POOL_HEADER) + sizeof(POOL_TAIL))
|
||||
|
||||
#define HEAD_TO_TAIL(a) \
|
||||
((POOL_TAIL *) (((CHAR8 *) (a)) + (a)->Size - sizeof(POOL_TAIL)));
|
||||
|
||||
typedef struct {
|
||||
POOL_HEADER Header;
|
||||
LIST_ENTRY Link;
|
||||
|
Reference in New Issue
Block a user