Re: [edk2] FreePool error: MdeModulePkg\Core\Dxe\Mem\Pool.c(425): CR has Bad Signature

Subject: Re: [edk2] FreePool error: MdeModulePkg\Core\Dxe\Mem\Pool.c(425): CR has Bad Signature

From: Sergey Isakov <isakov-sl@bk.ru>

To: edk2-devel@lists.sourceforge.net

Date: 2014-07-09 06:13:52

But the sequence
UINT8 *buff = (UINT8 *)AllocateZeroPool(len);
FreePool(buff);
assumes that buff is an array of 0x00 and doesn't contain any signature or data structure.
Isn't it?

On 08 Jul 2014, at 20:38, Andrew Fish <afish@apple.com> wrote:


On Jul 8, 2014, at 9:15 AM, Sergey Isakov <isakov-sl@bk.ru> wrote:

No Andrew,
I got a message from this check
 (TYPE *) (_ASSERT (CR has Bad Signature), Record) :
and not from a NULL pointer.


Yes, this function has an ASSERT(Buffer != NULL); before the CR() macro, so a NULL pointer would yield a different ASSERT in this case.

So I listed out the common cases for generic CR macro failures. It is also possible that some other code has a data corruption issue, but you should always blame your own code 1st.

So for:
Head = CR (Buffer, POOL_HEAD, Data, POOL_HEAD_SIGNATURE);
Buffer is passed in to the function.
POOL_HEAD is the data structure.
Data is the member in POOL_HEAD that Buffer points to.
POOL_HEAD_SIGNATURE is the value that should be at Head->Signature.

The POOL_TAIL structure is used to help catch buffer overflows. 

Thanks,

Andrew Fish


#define POOL_HEAD_SIGNATURE   SIGNATURE_32('p','h','d','0')
typedef struct {
  UINT32          Signature;
  UINT32          Reserved;
  EFI_MEMORY_TYPE Type;
  UINTN           Size;
  CHAR8           Data[1];
} POOL_HEAD;

#define SIZE_OF_POOL_HEAD OFFSET_OF(POOL_HEAD,Data)

#define POOL_TAIL_SIGNATURE   SIGNATURE_32('p','t','a','l')
typedef struct {
  UINT32      Signature;
  UINT32      Reserved;
  UINTN       Size;
} POOL_TAIL;


Sergey

On 08 Jul 2014, at 17:55, Andrew Fish <afish@apple.com> wrote:


On Jul 8, 2014, at 5:53 AM, Sergey Isakov <isakov-sl@bk.ru> wrote:

Hi all,
This really looks like a bug. See the logic:
FreePool(buff) maps to CoreFreePool(buff), which calls CoreFreePoolI(buff); and we see here
--------------
EFI_STATUS
CoreFreePoolI (
  IN VOID       *Buffer
  )
{
  POOL        *Pool;
  POOL_HEAD   *Head;
  POOL_TAIL   *Tail;
  POOL_FREE   *Free;
  UINTN       Index;
  UINTN       NoPages;
  UINTN       Size;
  CHAR8       *NewPage;
  UINTN       FSize;
  UINTN       Offset;
  BOOLEAN     AllFree;

  ASSERT(Buffer != NULL);
  //
  // Get the head & tail of the pool entry
  //
  Head = CR (Buffer, POOL_HEAD, Data, POOL_HEAD_SIGNATURE);

--------------
BUT!!!  The CR macro assumes Buffer to be a record of type POOL_HEAD, while we have just empty space
------
  #define CR(Record, TYPE, Field, TestSignature)                                              \
    (DebugAssertEnabled () && (BASE_CR (Record, TYPE, Field)->Signature != TestSignature)) ?  \
    (TYPE *) (_ASSERT (CR has Bad Signature), Record) :                                       \
    BASE_CR (Record, TYPE, Field)

------
Yes, the empty space is not equal to TestSignature.

I just don't know how deep this mistake goes.


Usually that ASSERT means you passed in NULL, a pointer not allocated by AllocatePool(), or the caller underflowed the buffer. 


Sergey


On 08.07.2014, at 14:26, WANG Siyuan wrote:

Dear All,
I use AllocateZeroPool to allocate memory and use FreePool to free:

UINT8 *buff = (UINT8 *)AllocateZeroPool(len);
FreePool(buff);

But I got this error:
ASSERT MdeModulePkg\Core\Dxe\Mem\Pool.c(425): CR has Bad Signature

What is the problem?
Can I use another method to do this? I use the VC tool chain, which doesn't support variable-length arrays (UINT8 buff[len]).


Yes, AllocateZeroPool() + FreePool() should work. You need to error-check that buff is not NULL, as FreePool() will ASSERT if you pass that value in.

Thanks,

Andrew Fish
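As an added example (not code from this thread or from edk2), a small C model of the head/tail framing Andrew describes, showing why the zeroed contents of the buffer play no part in the check: only the POOL_HEAD in front of Data and the POOL_TAIL behind it are examined. The layout, field types and the Model*/Demo* function names are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Constructed model of the DXE pool framing from the thread (assumption: simplified
   layout and field types, not the edk2 source). SIGNATURE_32 packs four ASCII bytes. */
#define SIGNATURE_32(A, B, C, D) \
  ((uint32_t)(A) | ((uint32_t)(B) << 8) | ((uint32_t)(C) << 16) | ((uint32_t)(D) << 24))
#define POOL_HEAD_SIGNATURE SIGNATURE_32('p', 'h', 'd', '0')
#define POOL_TAIL_SIGNATURE SIGNATURE_32('p', 't', 'a', 'l')
typedef struct { uint32_t Signature; uint32_t Reserved; size_t Size; char Data[1]; } POOL_HEAD;
typedef struct { uint32_t Signature; uint32_t Reserved; size_t Size; } POOL_TAIL;
#define SIZE_OF_POOL_HEAD offsetof(POOL_HEAD, Data)
/* BASE_CR: step back from a pointer to a field to the record that contains it. */
#define BASE_CR(Record, TYPE, Field) ((TYPE *)((char *)(Record) - offsetof(TYPE, Field)))
typedef enum { POOL_OK, POOL_NULL, POOL_BAD_HEAD, POOL_BAD_TAIL } POOL_CHECK;

/* Model of AllocatePool: zeroed user data framed by a signed head and a signed tail. */
void *ModelAllocatePool(size_t Size) {
  size_t Aligned = (Size + sizeof(size_t) - 1) & ~(sizeof(size_t) - 1); /* keeps the tail aligned */
  POOL_HEAD *Head = calloc(1, SIZE_OF_POOL_HEAD + Aligned + sizeof(POOL_TAIL));
  if (Head == NULL) return NULL;
  Head->Signature = POOL_HEAD_SIGNATURE;
  Head->Size = Aligned;
  *(POOL_TAIL *)(Head->Data + Aligned) = (POOL_TAIL){ POOL_TAIL_SIGNATURE, 0, Aligned };
  return Head->Data;
}
void ModelFreePool(void *Buffer) { free(BASE_CR(Buffer, POOL_HEAD, Data)); }

/* The test CR() applies to the head (and CoreFreePoolI to the tail), returned as a status
   instead of an ASSERT. Only the bookkeeping around Data is read, never the user bytes. */
POOL_CHECK CheckPoolEntry(const void *Buffer) {
  if (Buffer == NULL) return POOL_NULL;
  const POOL_HEAD *Head = BASE_CR(Buffer, POOL_HEAD, Data);
  if (Head->Signature != POOL_HEAD_SIGNATURE) return POOL_BAD_HEAD;
  const POOL_TAIL *Tail = (const POOL_TAIL *)(Head->Data + Head->Size);
  if (Tail->Signature != POOL_TAIL_SIGNATURE || Tail->Size != Head->Size) return POOL_BAD_TAIL;
  return POOL_OK;
}

/* Zeroed memory that never came from the pool ("empty space"): no head lies in front of it. */
POOL_CHECK DemoForeignBuffer(void) {
  static char Region[64];             /* constructed: all zero, not a pool allocation */
  return CheckPoolEntry(Region + 32); /* POOL_BAD_HEAD, the thread's "CR has Bad Signature" */
}
/* Writing one byte past the requested size lands on the tail signature. */
POOL_CHECK DemoOverflow(void) {
  char *Buff = ModelAllocatePool(16);
  memset(Buff, 0xAA, 17);             /* 17 bytes into a 16-byte buffer, still inside the model's block */
  POOL_CHECK Result = CheckPoolEntry(Buff);
  ModelFreePool(Buff);
  return Result;                      /* POOL_BAD_TAIL */
}
```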


------------------------------------------------------------------------------
Open source business process management suite built on Java and Eclipse
Turn processes into business applications with Bonita BPM Community Edition
Quickly connect people, data, and systems into organized workflows
Winner of BOSSIE, CODIE, OW2 and Gartner awards
http://p.sf.net/sfu/Bonitasoft
_______________________________________________
edk2-devel mailing list
edk2-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/edk2-devel