MdeModulePkg: Fix use-after-free error in InstallConfigurationTable()

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=601 When installing configuration table and the original gDxeCoreST->ConfigurationTable[] buffer happen to be not big enough to add a new table, the CoreInstallConfigurationTable() enter the branch of line 113 in InstallConfigurationTable.c to free the old gDxeCoreST->ConfigurationTable[] buffer and allocate a new bigger one. The problem happens at line 139 CoreFreePool(), which is to free the old gDxeCoreST->ConfigurationTable[] buffer. The CoreFreePool()'s behavior is to free the buffer firstly, then call the InstallMemoryAttributesTableOnMemoryAllocation (PoolType) to update the EfiRuntimeServices type memory info, the CoreInstallConfigurationTable() will be re-entered by CoreFreePool() in its calling stack, then use-after-free read error will happen at line 59 of InstallConfigurationTable.c and use-after-free write error will happen at line 151 and 152 of InstallConfigurationTable.c. The patch is to update System table to the new table pointer before calling CoreFreePool() to free the old table. The case above is in DxeCore, but not in PiSmmCore. The change in PiSmmCore is to be consistent with DxeCore. Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Liming Gao <liming.gao@intel.com> Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Steven Shi <steven.shi@intel.com> Signed-off-by: Star Zeng <star.zeng@intel.com> Reviewed-by: Jiewen Yao <jiewen.yao@intel.com> Reviewed-by: Liming Gao <liming.gao@intel.com> Reviewed-by: Steven Shi <steven.shi@intel.com>
author: Shi, Steven <steven.shi@intel.com> 2017-05-20 17:05:17 +0800
committer: Star Zeng <star.zeng@intel.com> 2017-06-20 16:55:10 +0800
commit: 322d827c0f41efe14387ee67834ddced09f95c9c (patch)
tree: e795e26752da8f90dad74d288b2fb6476e009a87 /MdeModulePkg/Core/PiSmmCore
parent: 6fbaed1f00fa75de5effd084ea008998fc3cca8b (diff)
download: edk2-322d827c0f41efe14387ee67834ddced09f95c9c.tar.gz
edk2-322d827c0f41efe14387ee67834ddced09f95c9c.tar.bz2
edk2-322d827c0f41efe14387ee67834ddced09f95c9c.zip
1 files changed, 25 insertions, 9 deletions
diff --git a/MdeModulePkg/Core/PiSmmCore/InstallConfigurationTable.c b/MdeModulePkg/Core/PiSmmCore/InstallConfigurationTable.c
index b2f6769c10..867d1ac4b1 100644
--- a/MdeModulePkg/Core/PiSmmCore/InstallConfigurationTable.c
+++ b/MdeModulePkg/Core/PiSmmCore/InstallConfigurationTable.c
@@ -1,7 +1,7 @@
 /** @file
   System Management System Table Services SmmInstallConfigurationTable service
 
-  Copyright (c) 2009 - 2010, Intel Corporation. All rights reserved.<BR>
+  Copyright (c) 2009 - 2017, Intel Corporation. All rights reserved.<BR>
   This program and the accompanying materials are licensed and made available 
   under the terms and conditions of the BSD License which accompanies this 
   distribution.  The full text of the license may be found at        
@@ -46,6 +46,7 @@ SmmInstallConfigurationTable (
 {
   UINTN                    Index;
   EFI_CONFIGURATION_TABLE  *ConfigurationTable;
+  EFI_CONFIGURATION_TABLE  *OldTable;
 
   //
   // If Guid is NULL, then this operation cannot be performed
@@ -72,7 +73,7 @@ SmmInstallConfigurationTable (
     if (Table != NULL) {
       //
       // If Table is not NULL, then this is a modify operation.
-      // Modify the table enty and return.
+      // Modify the table entry and return.
       //
       ConfigurationTable[Index].VendorTable = Table;
       return EFI_SUCCESS;
@@ -130,15 +131,30 @@ SmmInstallConfigurationTable (
           );
 
         //
-        // Free Old Table
+        // Record the old table pointer.
         //
-        FreePool (gSmmCoreSmst.SmmConfigurationTable);
-      }
+        OldTable = gSmmCoreSmst.SmmConfigurationTable;
 
-      //
-      // Update System Table
-      //
-      gSmmCoreSmst.SmmConfigurationTable = ConfigurationTable;
+        //
+        // As the SmmInstallConfigurationTable() may be re-entered by FreePool() in
+        // its calling stack, updating System table to the new table pointer must
+        // be done before calling FreePool() to free the old table.
+        // It can make sure the gSmmCoreSmst.SmmConfigurationTable point to the new
+        // table and avoid the errors of use-after-free to the old table by the
+        // reenter of SmmInstallConfigurationTable() in FreePool()'s calling stack.
+        //
+        gSmmCoreSmst.SmmConfigurationTable = ConfigurationTable;
+
+        //
+        // Free the old table after updating System Table to the new table pointer.
+        //
+        FreePool (OldTable);
+      } else {
+        //
+        // Update System Table
+        //
+        gSmmCoreSmst.SmmConfigurationTable = ConfigurationTable;
+      }
     }
 
     //
author	Shi, Steven <steven.shi@intel.com>	2017-05-20 17:05:17 +0800
committer	Star Zeng <star.zeng@intel.com>	2017-06-20 16:55:10 +0800
commit	322d827c0f41efe14387ee67834ddced09f95c9c (patch)
tree	e795e26752da8f90dad74d288b2fb6476e009a87 /MdeModulePkg/Core/PiSmmCore
parent	6fbaed1f00fa75de5effd084ea008998fc3cca8b (diff)
download	edk2-322d827c0f41efe14387ee67834ddced09f95c9c.tar.gz edk2-322d827c0f41efe14387ee67834ddced09f95c9c.tar.bz2 edk2-322d827c0f41efe14387ee67834ddced09f95c9c.zip