MdePkg: DebugLib: Check Signature in CR in Release Builds #6242
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
github-actions
bot
added
the
impact:breaking-change
tianocore-assign-reviewers
bot
requested review from
lgao4,
LiuZhiguang001 and
mdkinney
lgao4
approved these changes
Sep 30, 2024
When updating MdePkg's CR macro to enforce signature checking in all usages, it was discovered that EmulatorPkg was initializing a structure without setting the signature for it, causing an error to be returned when CR now checked the signature. This commit updates the graphics stack in EmulatorPkg to set the signature of the data structure and check the return value of the wrapper for the CR macro. Signed-off-by: Oliver Smith-Denny <[email protected]>
The CR macro is used to access an enclosing structure from a pointer within the structure. In DEBUG builds (i.e. when MDEPKG_NDEBUG is not set and debug asserts are enabled), this macro does signature validation checking to ensure that the structure that has been found is the correct structure, based on a signature passed in by the caller. However, if MDEPKG_NDEBUG is set or debug asserts are disabled, no signature validation is performed, meaning that CR may return an invalid structure that the caller believes is valid and has had signature validation on, causing undefined behavior (memory corruption). We should where at all possible have defined behavior, particularly in RELEASE builds, which are what typical platforms will ship to consumers. This patch updates CR to do the signature validation in all scenarios to provide defined behavior from the macro. In the event of a signature failure, CR will either 1) assert if !MDEPKG_NDEBUG and debug asserts are enabled (existing behavior) or 2) return NULL to indicate to the caller that signature validation failed. There exist consumers today who already, erroneously, rely on this behavior. Another macro, BASE_CR, exists for callers who do not wish to perform signature validation. Any code that wishes to avoid the signature validation should move to this macro. Signed-off-by: Oliver Smith-Denny <[email protected]>
|
@lgao4 I have updated this PR with one additional commit that fixes the CI break. There was a bug in EmulatorPkg where it wasn't setting the signature in a structure it was trying to use the CR macro on. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
The CR macro is used to access an enclosing structure from a pointer within the structure. In DEBUG builds (i.e. when MDEPKG_NDEBUG is not set and debug asserts are enabled), this macro does signature validation checking to ensure that the structure that has been found is the correct structure, based on a signature passed in by the caller.
However, if MDEPKG_NDEBUG is set or debug asserts are disabled, no signature validation is performed, meaning that CR may return an invalid structure that the caller believes is valid and has had signature validation on, causing undefined behavior (memory corruption). We should where at all possible have defined behavior, particularly in RELEASE builds, which are what typical platforms will ship to consumers.
This patch updates CR to do the signature validation in all scenarios to provide defined behavior from the macro. In the event of a signature failure, CR will either 1) assert if !MDEPKG_NDEBUG and debug asserts are enabled (existing behavior) or 2) return NULL to indicate to the caller that signature validation failed.
There exist consumers today who already, erroneously, rely on this behavior, e.g.
edk2/NetworkPkg/SnpDxe/Transmit.c
Lines 288 to 294 in 2936b7d
Another macro, BASE_CR, exists for callers who do not wish to perform signature validation. Any code that wishes to avoid the signature validation should move to this macro.
This PR also updates EmulatorPkg's graphics stack to add the signature to a structure it is using, a failure that was caught by introducing defined behavior to the CR macro.
How This Was Tested
Tested booting OVMF.
Integration Instructions
This is marked as a breaking change as CR now is expected to return NULL when either MDEPKG_NDEBUG is set or debug asserts are disabled. Consumers should check if CR has returned NULL and handle it appropriately.
In practice, this is not likely to be a breaking change because consumers that are breaking in RELEASE builds here would almost certainly be breaking in DEBUG builds and hitting an assert, although it is possible. This risk is worthwhile, however, because it closes an undefined behavior condition in RELEASE builds. Today's RELEASE build code that breaks here would silently corrupt memory.