MdeModulePkg NvmExpressDxe: Avoid crashing 'Mode' during OpenProtocol

The gBS->OpenProtocol() calls to open EFI_NVM_EXPRESS_PASS_THRU_PROTOCOL
in NvmExpress.c will crash the data in 'Mode' field of
'Private->Passthru'.

The third parameter of gBS->OpenProtocol() is an output parameter: the
address at which a pointer to the corresponding Protocol Interface is
stored. The current code mistakenly passes '&Private->Passthru' (a
pointer to the EFI_NVM_EXPRESS_PASS_THRU_PROTOCOL) as the third
parameter. This will crash the data in the 'Mode' field.

Cc: Feng Tian <feng.tian@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Hao Wu <hao.a.wu@intel.com>
Reviewed-by: Feng Tian <feng.tian@intel.com>
diff --git a/MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpress.c b/MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpress.c
index cb25b3e..255fa2b 100644
--- a/MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpress.c
+++ b/MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpress.c
@@ -76,6 +76,7 @@
   UINT32                                LbaFmtIdx;

   UINT8                                 Sn[21];

   UINT8                                 Mn[41];

+  VOID                                  *DummyInterface;

 

   NewDevicePathNode = NULL;

   DevicePath        = NULL;
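Review bot: The new `DummyInterface` local has no comment saying why a throwaway pointer is needed, here and in the second declaration in the hunk at -392. A later cleanup could easily point the call back at a live structure or pass NULL, and OpenProtocol() rejects a NULL Interface for every attribute except TEST_PROTOCOL. I would add a comment above the declaration such as `// Scratch output for OpenProtocol (BY_CHILD_CONTROLLER); the returned interface is not used, but must not alias Private->Passthru.` The enclosing function starts and ends outside this hunk.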

@@ -264,7 +265,7 @@
     gBS->OpenProtocol (

            Private->ControllerHandle,

            &gEfiNvmExpressPassThruProtocolGuid,

-           (VOID **) &Private->Passthru,

+           (VOID **) &DummyInterface,

            Private->DriverBindingHandle,

            Device->DeviceHandle,

            EFI_OPEN_PROTOCOL_BY_CHILD_CONTROLLER
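Review bot: The return status of this `gBS->OpenProtocol (` call is still discarded, so a failed BY_CHILD_CONTROLLER open would go unnoticed and the child handle would be left without its recorded link to the controller. The calls in the hunks at -460 and -490 are written the same way. Consider `Status = gBS->OpenProtocol (` followed by an `if (EFI_ERROR (Status))` check that takes the function's existing failure path; the hunk does not show whether a `Status` local or a cleanup label is available here. The call's closing parenthesis and the rest of the function lie outside the hunk.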

@@ -392,10 +393,10 @@
   EFI_STATUS                               Status;

   EFI_BLOCK_IO_PROTOCOL                    *BlockIo;

   NVME_DEVICE_PRIVATE_DATA                 *Device;

-  NVME_CONTROLLER_PRIVATE_DATA             *Private;

   EFI_STORAGE_SECURITY_COMMAND_PROTOCOL    *StorageSecurity;

   BOOLEAN                                  IsEmpty;

   EFI_TPL                                  OldTpl;

+  VOID                                     *DummyInterface;

 

   BlockIo = NULL;

 

@@ -412,7 +413,6 @@
   }

 

   Device  = NVME_DEVICE_PRIVATE_DATA_FROM_BLOCK_IO (BlockIo);

-  Private = Device->Controller;

 

   //

   // Wait for the device's asynchronous I/O queue to become empty.

@@ -460,7 +460,7 @@
     gBS->OpenProtocol (

            Controller,

            &gEfiNvmExpressPassThruProtocolGuid,

-           (VOID **) &Private->Passthru,

+           (VOID **) &DummyInterface,

            This->DriverBindingHandle,

            Handle,

            EFI_OPEN_PROTOCOL_BY_CHILD_CONTROLLER

@@ -490,7 +490,7 @@
       gBS->OpenProtocol (

         Controller,

         &gEfiNvmExpressPassThruProtocolGuid,

-        (VOID **) &Private->Passthru,

+        (VOID **) &DummyInterface,

         This->DriverBindingHandle,

         Handle,

         EFI_OPEN_PROTOCOL_BY_CHILD_CONTROLLER