[MdeModulePkg] SetVirtualAddressMap() crashed due to DxeReportStatusCodeLib assuming the state of the BootService Memory at runtime.


Andrew Fish

I was messing about with an ExitBootServices test that fills boot services memory with 0xAFAFAFAFAFAFAFAF (it was Vincent's idea to use my initials, but it has the handy property of being a non-canonical address and causes a GP fault on X64), and SetVirtualAddressMap() started crashing.

It looks like this code is assuming the 1st call to ReportStatusCode will not happen at runtime. This is not the case for the RuntimeDxe driver.
https://github.com/tianocore/edk2/blob/master/MdeModulePkg/Library/DxeReportStatusCodeLib/ReportStatusCodeLib.c#L43
VOID
InternalGetReportStatusCode (
  VOID
  )
{
  EFI_STATUS  Status;

  if (mReportStatusCodeLibStatusCodeProtocol != NULL) {
    return;
  }

  //
  // Check gBS just in case ReportStatusCode is called before gBS is initialized.
  //
  if (gBS != NULL && gBS->LocateProtocol != NULL) {
    Status = gBS->LocateProtocol (&gEfiStatusCodeRuntimeProtocolGuid, NULL, (VOID **) &mReportStatusCodeLibStatusCodeProtocol);
    if (EFI_ERROR (Status)) {
      mReportStatusCodeLibStatusCodeProtocol = NULL;
    }
  }
}

I'm guessing this seems to work due to: https://github.com/tianocore/edk2/blob/master/MdeModulePkg/Core/Dxe/DxeMain/DxeMain.c#L803

  //
  // Zero out the Boot Service Table
  //
  ZeroMem (gBS, sizeof (EFI_BOOT_SERVICES));

Thus, if I'm looking at this code correctly, it only looks like it works at runtime since it is depending on the value of a boot services memory buffer not changing. This is not a valid assumption, as that memory is owned by the caller of ExitBootServices, so it should be legal for my test to change the value.

I wanted to get a few more eyes on this prior to filing a bug?

Thanks,

Andrew Fish
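As an added illustration (not edk2 code and not part of the message above), a small host-side C model of the check in question. It shows why the library only works by accident after DxeMain zeroes the table, and how the 0xAF fill turns the same check into a call through a non-canonical pointer; the hardened variant consults a runtime flag set from an ExitBootServices event notification instead of trusting boot-services memory. The flag, the stand-in table and all names here are assumptions for the model.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the one EFI_BOOT_SERVICES field the library touches (constructed). */
typedef int (*LOCATE_PROTOCOL)(const void *Guid, void *Registration, void **Interface);
typedef struct { LOCATE_PROTOCOL LocateProtocol; } FAKE_BOOT_SERVICES;

static FAKE_BOOT_SERVICES  mBootServicesTable;          /* models boot-services memory */
static FAKE_BOOT_SERVICES *gBS = &mBootServicesTable;
static void *mReportStatusCodeLibStatusCodeProtocol = NULL;
static bool  mAtRuntime = false;  /* hypothetical flag, set by an ExitBootServices event */

static int FakeLocateProtocol(const void *Guid, void *Registration, void **Interface) {
  (void)Guid; (void)Registration; (void)Interface;
  return 0;
}

/* Mirrors the library's check: true means it would call through gBS->LocateProtocol. */
bool OriginalWouldCallLocateProtocol(void) {
  if (mReportStatusCodeLibStatusCodeProtocol != NULL) return false;
  return gBS != NULL && gBS->LocateProtocol != NULL;
}

/* Hardened variant: once at runtime, never dereference the boot-services table. */
bool HardenedWouldCallLocateProtocol(void) {
  if (mReportStatusCodeLibStatusCodeProtocol != NULL) return false;
  if (mAtRuntime) return false;
  return gBS != NULL && gBS->LocateProtocol != NULL;
}

void ResetToBootTime(void) {
  mBootServicesTable.LocateProtocol = FakeLocateProtocol;
  mReportStatusCodeLibStatusCodeProtocol = NULL;
  mAtRuntime = false;
}
void ExitBootServicesNotify(void) { mAtRuntime = true; }
/* What DxeMain does: ZeroMem (gBS, sizeof (EFI_BOOT_SERVICES)). */
void ZeroBootServicesTable(void) { memset(&mBootServicesTable, 0, sizeof mBootServicesTable); }
/* What the test in the message does afterwards: fill boot-services memory with 0xAF bytes. */
void FillBootServicesMemory(void) { memset(&mBootServicesTable, 0xAF, sizeof mBootServicesTable); }

int main(void) {
  ResetToBootTime();
  ExitBootServicesNotify();
  ZeroBootServicesTable();
  printf("zeroed: original=%d hardened=%d\n", OriginalWouldCallLocateProtocol(), HardenedWouldCallLocateProtocol());
  FillBootServicesMemory();   /* LocateProtocol is now 0xAFAFAFAFAFAFAFAF, not NULL */
  printf("0xAF:   original=%d hardened=%d\n", OriginalWouldCallLocateProtocol(), HardenedWouldCallLocateProtocol());
  return 0;
}
```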
