[edk2-devel] Is CoreValidateHandle() safe?
Andrew Fish via groups.io
afish=apple.com at groups.io
Tue Jan 12 00:03:51 UTC 2021
I just hit the CR ASSERT [1] in CoreValidateHandle(). It looks like the IHANDLE was a use after free, as it was a Pool buffer that was too small to be an IHANDLE and it did not have a valid handle.
I’m trying to understand why it is safe to walk the gHandleList without a lock? Seems like a local could cache a pointer and an event could remove a handle and Link would point to a stale handle?
Kind of feels like I’m missing something?
[1] https://github.com/tianocore/edk2/blob/master/MdeModulePkg/Core/Dxe/Hand/Handle.c#L64
EFI_STATUS
CoreValidateHandle (
  IN EFI_HANDLE  UserHandle
  )
{
  IHANDLE     *Handle;
  LIST_ENTRY  *Link;

  if (UserHandle == NULL) {
    return EFI_INVALID_PARAMETER;
  }

  //
  // Walk gHandleList backwards; CR() checks EFI_HANDLE_SIGNATURE on each
  // record (and ASSERTs on a mismatch in DEBUG builds) before the compare.
  //
  for (Link = gHandleList.BackLink; Link != &gHandleList; Link = Link->BackLink) {
    Handle = CR (Link, IHANDLE, AllHandles, EFI_HANDLE_SIGNATURE);
    if (Handle == (IHANDLE *) UserHandle) {
      return EFI_SUCCESS;
    }
  }

  return EFI_INVALID_PARAMETER;
}
Thanks,
Andrew Fish
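The following is an added example, not code from the message above or from EDK2, that models the handle database the question is about: IHANDLE records on a doubly linked gHandleList, looked up by a CR()-style walk with a signature check. EDK2 names are reused, but the status values, the fixed-slot "pool" and the CoreCreateHandle/CoreDestroyHandle helpers are simplifications assumed for the example. It shows the ordinary lifecycle, and then the situation the post describes: a Link cached across the destruction of its handle points at reused pool memory whose signature no longer matches, which is the condition the real CR ASSERT reports.

```c
/*
 * Toy model of the DXE core handle database (added example, not EDK2 code).
 * Names follow EDK2; values and the pool are simplified assumptions, e.g.
 * EFI_INVALID_PARAMETER is plain 2 here rather than having the high bit set.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint32_t EFI_STATUS;
#define EFI_SUCCESS           0u
#define EFI_INVALID_PARAMETER 2u

typedef struct _LIST_ENTRY {
  struct _LIST_ENTRY *ForwardLink;
  struct _LIST_ENTRY *BackLink;
} LIST_ENTRY;

#define SIGNATURE_32(A, B, C, D) \
  ((uint32_t)(A) | ((uint32_t)(B) << 8) | ((uint32_t)(C) << 16) | ((uint32_t)(D) << 24))
#define EFI_HANDLE_SIGNATURE SIGNATURE_32('h', 'n', 'd', 'l')

/* Layout mirrors the real IHANDLE: signature first, then the AllHandles link. */
typedef struct {
  uint32_t   Signature;
  LIST_ENTRY AllHandles;
  uint32_t   Key;
} IHANDLE;

/* Recover the containing record from a pointer to one of its fields. */
#define BASE_CR(Record, TYPE, Field) ((TYPE *)((char *)(Record) - offsetof(TYPE, Field)))

static LIST_ENTRY gHandleList = { &gHandleList, &gHandleList };

static void InsertTailList(LIST_ENTRY *Head, LIST_ENTRY *Entry) {
  Entry->ForwardLink = Head;
  Entry->BackLink = Head->BackLink;
  Head->BackLink->ForwardLink = Entry;
  Head->BackLink = Entry;
}

static void RemoveEntryList(LIST_ENTRY *Entry) {
  Entry->ForwardLink->BackLink = Entry->BackLink;
  Entry->BackLink->ForwardLink = Entry->ForwardLink;
  Entry->ForwardLink = Entry->BackLink = NULL;
}

/* Stand-in for the pool: fixed slots handed out in order. Nothing is returned to the
 * C heap, so following a stale link stays observable without undefined behaviour. */
static union { IHANDLE Handle; unsigned char Raw[sizeof(IHANDLE)]; } gPool[4];
static unsigned gNextSlot;

static IHANDLE *CoreCreateHandle(uint32_t Key) {
  IHANDLE *Handle = &gPool[gNextSlot++ % 4].Handle;
  Handle->Signature = EFI_HANDLE_SIGNATURE;
  Handle->Key = Key;
  InsertTailList(&gHandleList, &Handle->AllHandles);
  return Handle;
}

/* Unlink and "free": poison the buffer, then reuse it for a smaller allocation
 * that carries no handle signature (the state described in the post). */
static void CoreDestroyHandle(IHANDLE *Handle) {
  RemoveEntryList(&Handle->AllHandles);
  memset(Handle, 0xAF, sizeof *Handle);
  memcpy(Handle, "tiny", 4);
}

/* Mirrors CR(Link, IHANDLE, AllHandles, EFI_HANDLE_SIGNATURE). Where EDK2 ASSERTs on
 * a signature mismatch in DEBUG builds, this model reports it as a return value. */
static int CrSignatureValid(LIST_ENTRY *Link) {
  return BASE_CR(Link, IHANDLE, AllHandles)->Signature == EFI_HANDLE_SIGNATURE;
}

EFI_STATUS CoreValidateHandle(void *UserHandle) {
  LIST_ENTRY *Link;
  if (UserHandle == NULL) {
    return EFI_INVALID_PARAMETER;
  }
  for (Link = gHandleList.BackLink; Link != &gHandleList; Link = Link->BackLink) {
    if (!CrSignatureValid(Link)) {
      return EFI_INVALID_PARAMETER;   /* the condition that fires the real CR ASSERT */
    }
    if (BASE_CR(Link, IHANDLE, AllHandles) == (IHANDLE *)UserHandle) {
      return EFI_SUCCESS;
    }
  }
  return EFI_INVALID_PARAMETER;
}

/* Ordinary lifecycle: valid while installed, invalid once destroyed. Returns 1 if so. */
int NormalLifecycle(void) {
  IHANDLE *A = CoreCreateHandle(1);
  IHANDLE *B = CoreCreateHandle(2);
  int Ok = CoreValidateHandle(A) == EFI_SUCCESS && CoreValidateHandle(B) == EFI_SUCCESS;
  CoreDestroyHandle(A);
  Ok = Ok && CoreValidateHandle(A) == EFI_INVALID_PARAMETER
          && CoreValidateHandle(B) == EFI_SUCCESS;
  CoreDestroyHandle(B);
  return Ok;
}

/* A caller caches Link mid-walk, the handle is destroyed underneath it (say, by an
 * event notification), and the pool buffer is reused. Returns 1 if the cached Link
 * now fails the signature check, i.e. CR() would reject it. */
int StaleLinkScenario(void) {
  IHANDLE *Victim = CoreCreateHandle(3);
  LIST_ENTRY *CachedLink = &Victim->AllHandles;
  CoreDestroyHandle(Victim);
  return !CrSignatureValid(CachedLink);
}

int main(void) {
  printf("normal lifecycle ok: %d\n", NormalLifecycle());
  printf("stale link rejected by signature check: %d\n", StaleLinkScenario());
  return 0;
}
```

The model only shows why a stale Link trips the signature check; it does not settle the question of the unlocked walk itself, which in the real core depends on the TPL at which gHandleList is modified versus walked.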
View/Reply Online (#70129): https://edk2.groups.io/g/devel/message/70129