Paulo, + if (!IsLogicalAddressValid (SystemContext, + SystemContext.SystemContextIa32->Ss, + (UINTN)Ebp) || + !IsLogicalAddressValid (SystemContext, + SystemContext.SystemContextIa32->Ss, + (UINTN)Ebp + 4)) {
I don’t understand why you check both ebp and ebp+4, I think it’s enough to only check EBP (saved stack pointer address) Jeff 发件人: Paulo Alcantara<mailto:pa...@paulo.ac> 发送时间: 2017年12月29日 12:41 收件人: edk2-devel@lists.01.org<mailto:edk2-devel@lists.01.org> 抄送: Laszlo Ersek<mailto:ler...@redhat.com>; Eric Dong<mailto:eric.d...@intel.com> 主题: [edk2] [RFC v4 5/6] UefiCpuPkg/CpuExceptionHandlerLib: Ensure valid frame/stack pointers Validate all possible memory dereferences during stack traces in IA32 and X64 CPU exceptions. Contributed-under: TianoCore Contribution Agreement 1.1 Cc: Eric Dong <eric.d...@intel.com> Cc: Laszlo Ersek <ler...@redhat.com> Requested-by: Brian Johnson <brian.john...@hpe.com> Requested-by: Jiewen Yao <jiewen....@intel.com> Signed-off-by: Paulo Alcantara <pa...@paulo.ac> --- UefiCpuPkg/Library/CpuExceptionHandlerLib/Ia32/ArchExceptionHandler.c | 143 +++++++++++++++++++- UefiCpuPkg/Library/CpuExceptionHandlerLib/X64/ArchExceptionHandler.c | 75 +++++++++- 2 files changed, 210 insertions(+), 8 deletions(-) diff --git a/UefiCpuPkg/Library/CpuExceptionHandlerLib/Ia32/ArchExceptionHandler.c b/UefiCpuPkg/Library/CpuExceptionHandlerLib/Ia32/ArchExceptionHandler.c index 25e02fbbc1..9b52d4f6d2 100644 --- a/UefiCpuPkg/Library/CpuExceptionHandlerLib/Ia32/ArchExceptionHandler.c +++ b/UefiCpuPkg/Library/CpuExceptionHandlerLib/Ia32/ArchExceptionHandler.c 
@@ -398,6 +398,96 @@ DumpCpuContext ( ); } +/** + Check if a logical address is valid. + + @param[in] SystemContext Pointer to EFI_SYSTEM_CONTEXT. + @param[in] SegmentSelector Segment selector. + @param[in] Offset Offset or logical address. +**/ +STATIC +BOOLEAN +IsLogicalAddressValid ( + IN EFI_SYSTEM_CONTEXT SystemContext, + IN UINT16 SegmentSelector, + IN UINTN Offset + ) +{ + IA32_SEGMENT_DESCRIPTOR *SegmentDescriptor; + UINT32 SegDescBase; + UINT32 SegDescLimit; + UINTN SegDescLimitInBytes; + + // + // Check for valid input parameters + // + if (SegmentSelector == 0 || Offset == 0) { + return FALSE; + } + + // + // Check whether to look for a segment descriptor in GDT or LDT table + // + if ((SegmentSelector & BIT2) == 0) { + // + // Get segment descriptor from GDT table + // + SegmentDescriptor = + (IA32_SEGMENT_DESCRIPTOR *)( + (UINTN)SystemContext.SystemContextIa32->Gdtr[0] + + ((SegmentSelector >> 3) * 8) + ); + } else { + // + // Get segment descriptor from LDT table + // + SegmentDescriptor = + (IA32_SEGMENT_DESCRIPTOR *)( + (UINTN)SystemContext.SystemContextIa32->Ldtr + + ((SegmentSelector >> 3) * 8) + ); + } + + // + // Get segment descriptor's base address + // + SegDescBase = SegmentDescriptor->Bits.BaseLow | + (SegmentDescriptor->Bits.BaseMid << 16) | + (SegmentDescriptor->Bits.BaseHigh << 24); + + // + // Get segment descriptor's limit + // + SegDescLimit = SegmentDescriptor->Bits.LimitLow | + (SegmentDescriptor->Bits.LimitHigh << 16); + + // + // Calculate segment descriptor's limit in bytes + // + if (SegmentDescriptor->Bits.G == 1) { + SegDescLimitInBytes = (UINTN)SegDescLimit * SIZE_4KB; + } else { + SegDescLimitInBytes = SegDescLimit; + } + + // + // Make sure to not access beyond a segment limit boundary + // + if (Offset + SegDescBase > SegDescLimitInBytes) { + return FALSE; + } + + // + // Check if the translated logical address (or linear address) is valid + // + return IsLinearAddressValid ( + SystemContext.SystemContextIa32->Cr0, + 
SystemContext.SystemContextIa32->Cr3, + SystemContext.SystemContextIa32->Cr4, + Offset + SegDescBase + ); +} + /** Dump stack trace. @@ -459,6 +549,20 @@ DumpStackTrace ( InternalPrintMessage ("\nCall trace:\n"); for (;;) { + // + // Check for valid frame pointer + // + if (!IsLogicalAddressValid (SystemContext, + SystemContext.SystemContextIa32->Ss, + (UINTN)Ebp + 4) || + !IsLogicalAddressValid (SystemContext, + SystemContext.SystemContextIa32->Ss, + (UINTN)Ebp)) { + InternalPrintMessage ("%a: attempted to dereference an invalid frame " + "pointer at 0x%08x\n", __FUNCTION__, Ebp); + break; + } + // // Print stack frame in the following format: // @@ -588,6 +692,16 @@ DumpImageModuleNames ( // Walk through call stack and find next module names // for (;;) { + if (!IsLogicalAddressValid (SystemContext, + SystemContext.SystemContextIa32->Ss, + (UINTN)Ebp) || + !IsLogicalAddressValid (SystemContext, + SystemContext.SystemContextIa32->Ss, + (UINTN)Ebp + 4)) { + InternalPrintMessage ("%a: attempted to dereference an invalid frame " + "pointer at 0x%08x\n", __FUNCTION__, Ebp); + } + // // Set EIP with return address from current stack frame // @@ -651,16 +765,23 @@ DumpImageModuleNames ( /** Dump stack contents. - @param[in] CurrentEsp Current stack pointer address. + @param[in] SystemContext Pointer to EFI_SYSTEM_CONTEXT. @param[in] UnwoundStacksCount Count of unwound stack frames. **/ STATIC VOID DumpStackContents ( - IN UINT32 CurrentEsp, - IN INTN UnwoundStacksCount + IN EFI_SYSTEM_CONTEXT SystemContext, + IN INTN UnwoundStacksCount ) { + UINT32 CurrentEsp; + + // + // Get current stack pointer + // + CurrentEsp = SystemContext.SystemContextIa32->Esp; + // // Check for proper stack alignment // 
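Review bot: The segment-limit test in IsLogicalAddressValid, `if (Offset + SegDescBase > SegDescLimitInBytes)`, compares a linear address against a limit that is relative to the segment base, so it can reject valid offsets whenever the base is non-zero, and with G set `SegDescLimit * SIZE_4KB` is the start of the last page rather than its end; the intended check is `SegDescLimitInBytes = ((UINTN)SegDescLimit << 12) | 0xFFF;` in the G branch and `if (Offset > SegDescLimitInBytes) { return FALSE; }`, with the Present bit (`SegmentDescriptor->Bits.P`) tested before the base and limit fields are trusted. The descriptor fetch itself is the kind of unchecked dereference this series is trying to eliminate: the selector index is never compared against the GDT limit, and the LDT branch adds the index to `Ldtr`, which in EFI_SYSTEM_CONTEXT_IA32 appears to hold the LDT selector captured by `sldt` rather than the LDT's linear base, so reaching the LDT would require looking that selector up in the GDT first. `Gdtr[0]` is the first dword of the raw `sgdt` image; confirm it is the 32-bit base and not the 16-bit limit packed with the low base bits before using it as a pointer. `Offset + SegDescBase` is a 32-bit add on IA32 and can wrap, so the callers should bound their reads rather than rely on this sum alone. The doc block also has no return documentation; adding `@retval TRUE   Offset lies inside the segment and maps to a valid linear address.` and `@retval FALSE  The selector, descriptor or translated address is not usable.` would complete it.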
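Review bot: The frame-pointer guard in DumpStackTrace validates only the first byte of each dword it is about to read: the saved EBP at `Ebp` and the return address at `Ebp + 4` together span `Ebp .. Ebp + 7`, and nothing here requires Ebp to be 4-byte aligned, so a frame pointer sitting in the last bytes of a valid page still lets the read at `Ebp + 4` cross into an unmapped one. Either reject misaligned values as part of the same condition, `((UINTN)Ebp & 3) != 0 ||` ahead of the two IsLogicalAddressValid calls, or validate the last byte as well with `(UINTN)Ebp + 7`. The same gap exists in the IA32 DumpImageModuleNames hunk and, with 8-byte reads at `Rbp` and `Rbp + 8`, in both X64 frame walkers. The enclosing for loop continues beyond the end of the hunk.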
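Review bot: In the IA32 DumpImageModuleNames hunk the invalid-frame-pointer branch prints the message and then falls straight into the code that reads the return address from `Ebp + 4`, because there is no `break;` after the InternalPrintMessage call, unlike the matching hunks in DumpStackTrace and DumpStackContents. Add `break;` after the message so the walk stops at the first unreadable frame; as written the check changes the log output but not the fault it is meant to prevent. The order of the two checks (`Ebp` first here, `Ebp + 4` first in DumpStackTrace) is also inconsistent; either order works, but matching them makes the pattern easier to audit. The for loop body continues past the end of the hunk.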
@@ -674,6 +795,20 @@ DumpStackContents ( // InternalPrintMessage ("\nStack dump:\n"); while (UnwoundStacksCount-- > 0) { + // + // Check for a valid stack pointer address + // + if (!IsLogicalAddressValid (SystemContext, + SystemContext.SystemContextIa32->Ss, + (UINTN)CurrentEsp) || + !IsLogicalAddressValid (SystemContext, + SystemContext.SystemContextIa32->Ss, + (UINTN)CurrentEsp + 4)) { + InternalPrintMessage ("%a: attempted to dereference an invalid stack " + "pointer at 0x%08x\n", __FUNCTION__, CurrentEsp); + break; + } + InternalPrintMessage ( "0x%08x: %08x %08x\n", CurrentEsp, @@ -720,5 +855,5 @@ DumpImageAndCpuContent ( // // Dump stack contents // - DumpStackContents (SystemContext.SystemContextIa32->Esp, UnwoundStacksCount); + DumpStackContents (SystemContext, UnwoundStacksCount); } diff --git a/UefiCpuPkg/Library/CpuExceptionHandlerLib/X64/ArchExceptionHandler.c b/UefiCpuPkg/Library/CpuExceptionHandlerLib/X64/ArchExceptionHandler.c index d3a3878b3d..8067c34122 100644 --- a/UefiCpuPkg/Library/CpuExceptionHandlerLib/X64/ArchExceptionHandler.c +++ b/UefiCpuPkg/Library/CpuExceptionHandlerLib/X64/ArchExceptionHandler.c @@ -401,16 +401,26 @@ DumpCpuContext ( /** Dump stack contents. - @param[in] CurrentRsp Current stack pointer address. + @param[in] SystemContext Pointer to EFI_SYSTEM_CONTEXT. @param[in] UnwoundStacksCount Count of unwound stack frames. **/ STATIC VOID DumpStackContents ( - IN UINT64 CurrentRsp, - IN INTN UnwoundStacksCount + IN EFI_SYSTEM_CONTEXT SystemContext, + IN INTN UnwoundStacksCount ) { + UINT64 CurrentRsp; + UINTN Cr0; + UINTN Cr3; + UINTN Cr4; + + // + // Get current stack pointer + // + CurrentRsp = SystemContext.SystemContextX64->Rsp; + // // Check for proper stack pointer alignment // 
@@ -419,11 +429,28 @@ DumpStackContents ( return; } + // + // Get system control registers + // + Cr0 = SystemContext.SystemContextX64->Cr0; + Cr3 = SystemContext.SystemContextX64->Cr3; + Cr4 = SystemContext.SystemContextX64->Cr4; + // // Dump out stack contents // InternalPrintMessage ("\nStack dump:\n"); while (UnwoundStacksCount-- > 0) { + // + // Check for a valid stack pointer address + // + if (!IsLinearAddressValid (Cr0, Cr3, Cr4, (UINTN)CurrentRsp) || + !IsLinearAddressValid (Cr0, Cr3, Cr4, (UINTN)CurrentRsp + 8)) { + InternalPrintMessage ("%a: attempted to dereference an invalid stack " + "pointer at 0x%016lx\n", __FUNCTION__, CurrentRsp); + break; + } + InternalPrintMessage ( "0x%016lx: %016lx %016lx\n", CurrentRsp, @@ -457,6 +484,9 @@ DumpImageModuleNames ( CHAR8 *PdbFileName; UINT64 Rbp; UINTN LastImageBase; + UINTN Cr0; + UINTN Cr3; + UINTN Cr4; // // Set current RIP address @@ -516,10 +546,27 @@ DumpImageModuleNames ( InternalPrintMessage ("%a\n", PdbAbsoluteFilePath); } + // + // Get system control registers + // + Cr0 = SystemContext.SystemContextX64->Cr0; + Cr3 = SystemContext.SystemContextX64->Cr3; + Cr4 = SystemContext.SystemContextX64->Cr4; + // // Walk through call stack and find next module names // for (;;) { + // + // Check for a valid frame pointer + // + if (!IsLinearAddressValid (Cr0, Cr3, Cr4, (UINTN)Rbp + 8) || + !IsLinearAddressValid (Cr0, Cr3, Cr4, (UINTN)Rbp)) { + InternalPrintMessage ("%a: attempted to dereference an invalid frame " + "pointer at 0x%016lx\n", __FUNCTION__, Rbp); + break; + } + // // Set RIP with return address from current stack frame // @@ -604,6 +651,9 @@ DumpStackTrace ( UINT64 Rbp; UINTN ImageBase; CHAR8 *PdbFileName; + UINTN Cr0; + UINTN Cr3; + UINTN Cr4; // // Set current RIP address 
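Review bot: The three-line block that copies `Cr0`, `Cr3` and `Cr4` out of SystemContext, and the paired IsLinearAddressValid calls on an address and `address + 8`, are repeated verbatim in DumpStackContents here and again in the X64 DumpImageModuleNames and DumpStackTrace hunks. A small static helper, say `IsStackAddressValid (IN EFI_SYSTEM_CONTEXT SystemContext, IN UINTN Address)`, that reads the control registers itself and checks both `Address` and `Address + 8` would drop the local Cr* copies from all three functions and keep the definition of a readable stack slot in one place, which matters if that definition later has to change (for example to cover the last byte of each read rather than the first). This is a readability point only; the checks as written are equivalent to what such a helper would do.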
@@ -634,12 +684,29 @@ DumpStackTrace ( // *UnwoundStacksCount = 1; + // + // Get system control registers + // + Cr0 = SystemContext.SystemContextX64->Cr0; + Cr3 = SystemContext.SystemContextX64->Cr3; + Cr4 = SystemContext.SystemContextX64->Cr4; + // // Print out back trace // InternalPrintMessage ("\nCall trace:\n"); for (;;) { + // + // Check for valid frame pointer + // + if (!IsLinearAddressValid (Cr0, Cr3, Cr4, (UINTN)Rbp + 8) || + !IsLinearAddressValid (Cr0, Cr3, Cr4, (UINTN)Rbp)) { + InternalPrintMessage ("%a: attempted to dereference an invalid frame " + "pointer at 0x%016lx\n", __FUNCTION__, Rbp); + break; + } + // // Print stack frame in the following format: // @@ -727,5 +794,5 @@ DumpImageAndCpuContent ( // // Dump stack contents // - DumpStackContents (SystemContext.SystemContextX64->Rsp, UnwoundStacksCount); + DumpStackContents (SystemContext, UnwoundStacksCount); } -- 2.14.3 _______________________________________________ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel _______________________________________________ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel