X-Git-Url: https://git.proxmox.com/?p=mirror_edk2.git;a=blobdiff_plain;f=MdeModulePkg%2FCore%2FDxe%2FMisc%2FMemoryProtection.c;h=2f7e490af18feac5fbe9753f9678e1d0c0c30b45;hp=070228bc7265685b911d7f54f258900d1eef7ece;hb=7fef06af4ec100f3f8856e3fa08ef067a9fd40d2;hpb=d4731a98a3a5ddc2fed73d2998884f2cbee44ba9
diff --git a/MdeModulePkg/Core/Dxe/Misc/MemoryProtection.c b/MdeModulePkg/Core/Dxe/Misc/MemoryProtection.c
index 070228bc72..2f7e490af1 100644
--- a/MdeModulePkg/Core/Dxe/Misc/MemoryProtection.c
+++ b/MdeModulePkg/Core/Dxe/Misc/MemoryProtection.c
@@ -19,7 +19,7 @@
Once the image is unloaded, the protection is removed automatically.
-Copyright (c) 2017, Intel Corporation. All rights reserved.
+Copyright (c) 2017 - 2018, Intel Corporation. All rights reserved.
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at
@@ -48,6 +48,7 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
#include
#include "DxeMain.h"
+#include "Mem/HeapGuard.h"
#define CACHE_ATTRIBUTE_MASK (EFI_MEMORY_UC | EFI_MEMORY_WC | EFI_MEMORY_WT | EFI_MEMORY_WB | EFI_MEMORY_UCE | EFI_MEMORY_WP)
#define MEMORY_ATTRIBUTE_MASK (EFI_MEMORY_RP | EFI_MEMORY_XP | EFI_MEMORY_RO)
@@ -74,6 +75,8 @@ UINT32 mImageProtectionPolicy;
extern LIST_ENTRY mGcdMemorySpaceMap;
+STATIC LIST_ENTRY mProtectedImageRecordList;
+
/**
Sort code section in image record, based upon CodeSegmentBase from low to high.
@@ -238,13 +241,10 @@ SetUefiImageMemoryAttributes (
Set UEFI image protection attributes.
@param[in] ImageRecord A UEFI image record
- @param[in] Protect TRUE: Protect the UEFI image.
- FALSE: Unprotect the UEFI image.
**/
VOID
SetUefiImageProtectionAttributes (
- IN IMAGE_PROPERTIES_RECORD *ImageRecord,
- IN BOOLEAN Protect
+ IN IMAGE_PROPERTIES_RECORD *ImageRecord
)
{
IMAGE_PROPERTIES_RECORD_CODE_SECTION *ImageRecordCodeSection;
@@ -253,7 +253,6 @@ SetUefiImageProtectionAttributes (
LIST_ENTRY *ImageRecordCodeSectionList;
UINT64 CurrentBase;
UINT64 ImageEnd;
- UINT64 Attribute;
ImageRecordCodeSectionList = &ImageRecord->CodeSegmentList;
@@ -276,29 +275,19 @@ SetUefiImageProtectionAttributes (
//
// DATA
//
- if (Protect) {
- Attribute = EFI_MEMORY_XP;
- } else {
- Attribute = 0;
- }
SetUefiImageMemoryAttributes (
CurrentBase,
ImageRecordCodeSection->CodeSegmentBase - CurrentBase,
- Attribute
+ EFI_MEMORY_XP
);
}
//
// CODE
//
- if (Protect) {
- Attribute = EFI_MEMORY_RO;
- } else {
- Attribute = 0;
- }
SetUefiImageMemoryAttributes (
ImageRecordCodeSection->CodeSegmentBase,
ImageRecordCodeSection->CodeSegmentSize,
- Attribute
+ EFI_MEMORY_RO
);
CurrentBase = ImageRecordCodeSection->CodeSegmentBase + ImageRecordCodeSection->CodeSegmentSize;
}
@@ -310,15 +299,10 @@ SetUefiImageProtectionAttributes (
//
// DATA
//
- if (Protect) {
- Attribute = EFI_MEMORY_XP;
- } else {
- Attribute = 0;
- }
SetUefiImageMemoryAttributes (
CurrentBase,
ImageEnd - CurrentBase,
- Attribute
+ EFI_MEMORY_XP
);
}
return ;
@@ -401,18 +385,15 @@ FreeImageRecord (
}
/**
- Protect or unprotect UEFI image common function.
+ Protect UEFI PE/COFF image.
@param[in] LoadedImage The loaded image protocol
@param[in] LoadedImageDevicePath The loaded image device path protocol
- @param[in] Protect TRUE: Protect the UEFI image.
- FALSE: Unprotect the UEFI image.
**/
VOID
-ProtectUefiImageCommon (
+ProtectUefiImage (
IN EFI_LOADED_IMAGE_PROTOCOL *LoadedImage,
- IN EFI_DEVICE_PATH_PROTOCOL *LoadedImageDevicePath,
- IN BOOLEAN Protect
+ IN EFI_DEVICE_PATH_PROTOCOL *LoadedImageDevicePath
)
{
VOID *ImageAddress;
@@ -580,10 +561,18 @@ ProtectUefiImageCommon (
}
if (ImageRecord->CodeSegmentCount == 0) {
- DEBUG ((DEBUG_ERROR, "!!!!!!!! ProtectUefiImageCommon - CodeSegmentCount is 0 !!!!!!!!\n"));
+ //
+ // If a UEFI executable consists of a single read+write+exec PE/COFF
+ // section, that isn't actually an error. The image can be launched
+ // alright, only image protection cannot be applied to it fully.
+ //
+ // One example that elicits this is (some) Linux kernels (with the EFI stub
+ // of course).
+ //
+ DEBUG ((DEBUG_WARN, "!!!!!!!! ProtectUefiImageCommon - CodeSegmentCount is 0 !!!!!!!!\n"));
PdbPointer = PeCoffLoaderGetPdbPointer ((VOID*) (UINTN) ImageAddress);
if (PdbPointer != NULL) {
- DEBUG ((DEBUG_ERROR, "!!!!!!!! Image - %a !!!!!!!!\n", PdbPointer));
+ DEBUG ((DEBUG_WARN, "!!!!!!!! Image - %a !!!!!!!!\n", PdbPointer));
}
goto Finish;
}
@@ -609,34 +598,17 @@ ProtectUefiImageCommon (
//
// CPU ARCH present. Update memory attribute directly.
//
- SetUefiImageProtectionAttributes (ImageRecord, Protect);
+ SetUefiImageProtectionAttributes (ImageRecord);
//
- // Clean up
+ // Record the image record in the list so we can undo the protections later
//
- FreeImageRecord (ImageRecord);
+ InsertTailList (&mProtectedImageRecordList, &ImageRecord->Link);
Finish:
return ;
}
-/**
- Protect UEFI image.
-
- @param[in] LoadedImage The loaded image protocol
- @param[in] LoadedImageDevicePath The loaded image device path protocol
-**/
-VOID
-ProtectUefiImage (
- IN EFI_LOADED_IMAGE_PROTOCOL *LoadedImage,
- IN EFI_DEVICE_PATH_PROTOCOL *LoadedImageDevicePath
- )
-{
- if (PcdGet32(PcdImageProtectionPolicy) != 0) {
- ProtectUefiImageCommon (LoadedImage, LoadedImageDevicePath, TRUE);
- }
-}
-
/**
Unprotect UEFI image.
@@ -649,14 +621,36 @@ UnprotectUefiImage (
IN EFI_DEVICE_PATH_PROTOCOL *LoadedImageDevicePath
)
{
+ IMAGE_PROPERTIES_RECORD *ImageRecord;
+ LIST_ENTRY *ImageRecordLink;
+
if (PcdGet32(PcdImageProtectionPolicy) != 0) {
- ProtectUefiImageCommon (LoadedImage, LoadedImageDevicePath, FALSE);
+ for (ImageRecordLink = mProtectedImageRecordList.ForwardLink;
+ ImageRecordLink != &mProtectedImageRecordList;
+ ImageRecordLink = ImageRecordLink->ForwardLink) {
+ ImageRecord = CR (
+ ImageRecordLink,
+ IMAGE_PROPERTIES_RECORD,
+ Link,
+ IMAGE_PROPERTIES_RECORD_SIGNATURE
+ );
+
+ if (ImageRecord->ImageBase == (EFI_PHYSICAL_ADDRESS)(UINTN)LoadedImage->ImageBase) {
+ SetUefiImageMemoryAttributes (ImageRecord->ImageBase,
+ ImageRecord->ImageSize,
+ 0);
+ FreeImageRecord (ImageRecord);
+ return;
+ }
+ }
}
}
/**
Return the EFI memory permission attribute associated with memory
type 'MemoryType' under the configured DXE memory protection policy.
+
+ @param MemoryType Memory type.
**/
STATIC
UINT64
@@ -788,7 +782,7 @@ MergeMemoryMapForProtectionPolicy (
/**
Remove exec permissions from all regions whose type is identified by
- PcdDxeNxMemoryProtectionPolicy
+ PcdDxeNxMemoryProtectionPolicy.
**/
STATIC
VOID
@@ -807,6 +801,9 @@ InitializeDxeNxMemoryProtectionPolicy (
UINT64 Attributes;
LIST_ENTRY *Link;
EFI_GCD_MAP_ENTRY *Entry;
+ EFI_PEI_HOB_POINTERS Hob;
+ EFI_HOB_MEMORY_ALLOCATION *MemoryHob;
+ EFI_PHYSICAL_ADDRESS StackBase;
//
// Get the EFI memory map.
@@ -838,8 +835,45 @@ InitializeDxeNxMemoryProtectionPolicy (
} while (Status == EFI_BUFFER_TOO_SMALL);
ASSERT_EFI_ERROR (Status);
- DEBUG((DEBUG_ERROR, "%a: applying strict permissions to active memory regions\n",
- __FUNCTION__));
+ StackBase = 0;
+ if (PcdGetBool (PcdCpuStackGuard)) {
+ //
+ // Get the base of stack from Hob.
+ //
+ Hob.Raw = GetHobList ();
+ while ((Hob.Raw = GetNextHob (EFI_HOB_TYPE_MEMORY_ALLOCATION, Hob.Raw)) != NULL) {
+ MemoryHob = Hob.MemoryAllocation;
+ if (CompareGuid(&gEfiHobMemoryAllocStackGuid, &MemoryHob->AllocDescriptor.Name)) {
+ DEBUG ((
+ DEBUG_INFO,
+ "%a: StackBase = 0x%016lx StackSize = 0x%016lx\n",
+ __FUNCTION__,
+ MemoryHob->AllocDescriptor.MemoryBaseAddress,
+ MemoryHob->AllocDescriptor.MemoryLength
+ ));
+
+ StackBase = MemoryHob->AllocDescriptor.MemoryBaseAddress;
+ //
+ // Ensure the base of the stack is page-size aligned.
+ //
+ ASSERT ((StackBase & EFI_PAGE_MASK) == 0);
+ break;
+ }
+ Hob.Raw = GET_NEXT_HOB (Hob);
+ }
+
+ //
+ // Ensure the base of stack can be found from Hob when stack guard is
+ // enabled.
+ //
+ ASSERT (StackBase != 0);
+ }
+
+ DEBUG ((
+ DEBUG_INFO,
+ "%a: applying strict permissions to active memory regions\n",
+ __FUNCTION__
+ ));
MergeMemoryMapForProtectionPolicy (MemoryMap, &MemoryMapSize, DescriptorSize);
@@ -853,6 +887,37 @@ InitializeDxeNxMemoryProtectionPolicy (
MemoryMapEntry->PhysicalStart,
LShiftU64 (MemoryMapEntry->NumberOfPages, EFI_PAGE_SHIFT),
Attributes);
+
+ //
+ // Add EFI_MEMORY_RP attribute for page 0 if NULL pointer detection is
+ // enabled.
+ //
+ if (MemoryMapEntry->PhysicalStart == 0 &&
+ PcdGet8 (PcdNullPointerDetectionPropertyMask) != 0) {
+
+ ASSERT (MemoryMapEntry->NumberOfPages > 0);
+ SetUefiImageMemoryAttributes (
+ 0,
+ EFI_PAGES_TO_SIZE (1),
+ EFI_MEMORY_RP | Attributes);
+ }
+
+ //
+ // Add EFI_MEMORY_RP attribute for the first page of the stack if stack
+ // guard is enabled.
+ //
+ if (StackBase != 0 &&
+ (StackBase >= MemoryMapEntry->PhysicalStart &&
+ StackBase < MemoryMapEntry->PhysicalStart +
+ LShiftU64 (MemoryMapEntry->NumberOfPages, EFI_PAGE_SHIFT)) &&
+ PcdGetBool (PcdCpuStackGuard)) {
+
+ SetUefiImageMemoryAttributes (
+ StackBase,
+ EFI_PAGES_TO_SIZE (1),
+ EFI_MEMORY_RP | Attributes);
+ }
+
}
MemoryMapEntry = NEXT_MEMORY_DESCRIPTOR (MemoryMapEntry, DescriptorSize);
}
@@ -863,9 +928,11 @@ InitializeDxeNxMemoryProtectionPolicy (
// accessible, but have not been added to the UEFI memory map (yet).
//
if (GetPermissionAttributeForMemoryType (EfiConventionalMemory) != 0) {
- DEBUG((DEBUG_ERROR,
+ DEBUG ((
+ DEBUG_INFO,
"%a: applying strict permissions to inactive memory regions\n",
- __FUNCTION__));
+ __FUNCTION__
+ ));
CoreAcquireGcdMemoryLock ();
@@ -934,6 +1001,11 @@ MemoryProtectionCpuArchProtocolNotify (
InitializeDxeNxMemoryProtectionPolicy ();
}
+ //
+ // Call notify function meant for Heap Guard.
+ //
+ HeapGuardCpuArchProtocolNotify ();
+
if (mImageProtectionPolicy == 0) {
return;
}
@@ -1002,6 +1074,53 @@ MemoryProtectionExitBootServicesCallback (
}
}
+/**
+ Disable NULL pointer detection after EndOfDxe. This is a workaround resort in
+ order to skip unfixable NULL pointer access issues detected in OptionROM or
+ boot loaders.
+
+ @param[in] Event The Event this notify function registered to.
+ @param[in] Context Pointer to the context data registered to the Event.
+**/
+VOID
+EFIAPI
+DisableNullDetectionAtTheEndOfDxe (
+ EFI_EVENT Event,
+ VOID *Context
+ )
+{
+ EFI_STATUS Status;
+ EFI_GCD_MEMORY_SPACE_DESCRIPTOR Desc;
+
+ DEBUG ((DEBUG_INFO, "DisableNullDetectionAtTheEndOfDxe(): start\r\n"));
+ //
+ // Disable NULL pointer detection by enabling first 4K page
+ //
+ Status = CoreGetMemorySpaceDescriptor (0, &Desc);
+ ASSERT_EFI_ERROR (Status);
+
+ if ((Desc.Capabilities & EFI_MEMORY_RP) == 0) {
+ Status = CoreSetMemorySpaceCapabilities (
+ 0,
+ EFI_PAGE_SIZE,
+ Desc.Capabilities | EFI_MEMORY_RP
+ );
+ ASSERT_EFI_ERROR (Status);
+ }
+
+ Status = CoreSetMemorySpaceAttributes (
+ 0,
+ EFI_PAGE_SIZE,
+ Desc.Attributes & ~EFI_MEMORY_RP
+ );
+ ASSERT_EFI_ERROR (Status);
+
+ CoreCloseEvent (Event);
+ DEBUG ((DEBUG_INFO, "DisableNullDetectionAtTheEndOfDxe(): end\r\n"));
+
+ return;
+}
+
/**
Initialize Memory Protection support.
**/
@@ -1013,10 +1132,13 @@ CoreInitializeMemoryProtection (
{
EFI_STATUS Status;
EFI_EVENT Event;
+ EFI_EVENT EndOfDxeEvent;
VOID *Registration;
mImageProtectionPolicy = PcdGet32(PcdImageProtectionPolicy);
+ InitializeListHead (&mProtectedImageRecordList);
+
//
// Sanity check the PcdDxeNxMemoryProtectionPolicy setting:
// - code regions should have no EFI_MEMORY_XP attribute
@@ -1049,11 +1171,28 @@ CoreInitializeMemoryProtection (
);
ASSERT_EFI_ERROR(Status);
}
+
+ //
+ // Register a callback to disable NULL pointer detection at EndOfDxe
+ //
+ if ((PcdGet8 (PcdNullPointerDetectionPropertyMask) & (BIT0|BIT7))
+ == (BIT0|BIT7)) {
+ Status = CoreCreateEventEx (
+ EVT_NOTIFY_SIGNAL,
+ TPL_NOTIFY,
+ DisableNullDetectionAtTheEndOfDxe,
+ NULL,
+ &gEfiEndOfDxeEventGroupGuid,
+ &EndOfDxeEvent
+ );
+ ASSERT_EFI_ERROR (Status);
+ }
+
return ;
}
/**
- Returns whether we are currently executing in SMM mode
+ Returns whether we are currently executing in SMM mode.
**/
STATIC
BOOLEAN
@@ -1123,6 +1262,27 @@ ApplyMemoryProtectionPolicy (
return EFI_SUCCESS;
}
+ //
+ // Don't overwrite Guard pages, which should be the first and/or last page,
+ // if any.
+ //
+ if (IsHeapGuardEnabled ()) {
+ if (IsGuardPage (Memory)) {
+ Memory += EFI_PAGE_SIZE;
+ Length -= EFI_PAGE_SIZE;
+ if (Length == 0) {
+ return EFI_SUCCESS;
+ }
+ }
+
+ if (IsGuardPage (Memory + Length - EFI_PAGE_SIZE)) {
+ Length -= EFI_PAGE_SIZE;
+ if (Length == 0) {
+ return EFI_SUCCESS;
+ }
+ }
+ }
+
//
// Update the executable permissions according to the DXE memory
// protection policy, but only if