mirror of
https://git.proxmox.com/git/mirror_edk2
synced 2025-12-26 06:13:27 +00:00
322d827c0f
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=601 When installing configuration table and the original gDxeCoreST->ConfigurationTable[] buffer happen to be not big enough to add a new table, the CoreInstallConfigurationTable() enter the branch of line 113 in InstallConfigurationTable.c to free the old gDxeCoreST->ConfigurationTable[] buffer and allocate a new bigger one. The problem happens at line 139 CoreFreePool(), which is to free the old gDxeCoreST->ConfigurationTable[] buffer. The CoreFreePool()'s behavior is to free the buffer firstly, then call the InstallMemoryAttributesTableOnMemoryAllocation (PoolType) to update the EfiRuntimeServices type memory info, the CoreInstallConfigurationTable() will be re-entered by CoreFreePool() in its calling stack, then use-after-free read error will happen at line 59 of InstallConfigurationTable.c and use-after-free write error will happen at line 151 and 152 of InstallConfigurationTable.c. The patch is to update System table to the new table pointer before calling CoreFreePool() to free the old table. The case above is in DxeCore, but not in PiSmmCore. The change in PiSmmCore is to be consistent with DxeCore. Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Liming Gao <liming.gao@intel.com> Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Steven Shi <steven.shi@intel.com> Signed-off-by: Star Zeng <star.zeng@intel.com> Reviewed-by: Jiewen Yao <jiewen.yao@intel.com> Reviewed-by: Liming Gao <liming.gao@intel.com> Reviewed-by: Steven Shi <steven.shi@intel.com> |
||
|---|---|---|
| .. | ||
| Dispatcher | ||
| DxeMain | ||
| Event | ||
| FwVol | ||
| FwVolBlock | ||
| Gcd | ||
| Hand | ||
| Image | ||
| Library | ||
| Mem | ||
| Misc | ||
| SectionExtraction | ||
| DxeCore.uni | ||
| DxeCoreExtra.uni | ||
| DxeMain.h | ||
| DxeMain.inf | ||