UefiCpuPkg/PiSmmCpuDxeSmm: Fix buffer overflow issue.

The size for the array of mSmmMpSyncData->CpuData[] is 0 ~
mMaxNumberOfCpus -1. But current code may use
mSmmMpSyncData->CpuData[mMaxNumberOfCpus].

This patch fixed this issue.

Reviewed-by: Ray Ni <ray.ni@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Signed-off-by: Eric Dong <eric.dong@intel.com>

diff --git a/UefiCpuPkg/PiSmmCpuDxeSmm/MpService.c b/UefiCpuPkg/PiSmmCpuDxeSmm/MpService.c
index 35951cc43e149815d96b5827d506b6bbe55ad39a..4808045f71adf39ce8612e5753291687e27a306b 100644 (file)
--- a/UefiCpuPkg/PiSmmCpuDxeSmm/MpService.c
+++ b/UefiCpuPkg/PiSmmCpuDxeSmm/MpService.c
@@ -137,7 +137,7 @@ ReleaseAllAPs (
 {\r
   UINTN                             Index;\r
 \r
-  for (Index = mMaxNumberOfCpus; Index-- > 0;) {\r
+  for (Index = 0; Index < mMaxNumberOfCpus; Index++) {\r
     if (IsPresentAp (Index)) {\r
       ReleaseSemaphore (mSmmMpSyncData->CpuData[Index].Run);\r
     }\r
@@ -170,7 +170,7 @@ AllCpusInSmmWithExceptions (
 \r
   CpuData = mSmmMpSyncData->CpuData;\r
   ProcessorInfo = gSmmCpuPrivate->ProcessorInfo;\r
-  for (Index = mMaxNumberOfCpus; Index-- > 0;) {\r
+  for (Index = 0; Index < mMaxNumberOfCpus; Index++) {\r
     if (!(*(CpuData[Index].Present)) && ProcessorInfo[Index].ProcessorId != INVALID_APIC_ID) {\r
       if (((Exceptions & ARRIVAL_EXCEPTION_DELAYED) != 0) && SmmCpuFeaturesGetSmmRegister (Index, SmmRegSmmDelayed) != 0) {\r
         continue;\r
@@ -305,7 +305,7 @@ SmmWaitForApArrival (
     //\r
     // Send SMI IPIs to bring outside processors in\r
     //\r
-    for (Index = mMaxNumberOfCpus; Index-- > 0;) {\r
+    for (Index = 0; Index < mMaxNumberOfCpus; Index++) {\r
       if (!(*(mSmmMpSyncData->CpuData[Index].Present)) && gSmmCpuPrivate->ProcessorInfo[Index].ProcessorId != INVALID_APIC_ID) {\r
         SendSmiIpi ((UINT32)gSmmCpuPrivate->ProcessorInfo[Index].ProcessorId);\r
       }\r
@@ -361,7 +361,7 @@ WaitForAllAPsNotBusy (
 {\r
   UINTN                             Index;\r
 \r
-  for (Index = mMaxNumberOfCpus; Index-- > 0;) {\r
+  for (Index = 0; Index < mMaxNumberOfCpus; Index++) {\r
     //\r
     // Ignore BSP and APs which not call in SMM.\r
     //\r
@@ -617,7 +617,7 @@ BSPHandler (
     //\r
     while (TRUE) {\r
       PresentCount = 0;\r
-      for (Index = mMaxNumberOfCpus; Index-- > 0;) {\r
+      for (Index = 0; Index < mMaxNumberOfCpus; Index++) {\r
         if (*(mSmmMpSyncData->CpuData[Index].Present)) {\r
           PresentCount ++;\r
         }\r
@@ -1301,7 +1301,7 @@ InternalSmmStartupAllAPs (
   }\r
 \r
   CpuCount = 0;\r
-  for (Index = mMaxNumberOfCpus; Index-- > 0;) {\r
+  for (Index = 0; Index < mMaxNumberOfCpus; Index++) {\r
     if (IsPresentAp (Index)) {\r
       CpuCount ++;\r
 \r
@@ -1333,13 +1333,13 @@ InternalSmmStartupAllAPs (
   // Here code always use AcquireSpinLock instead of AcquireSpinLockOrFail for not\r
   // block mode.\r
   //\r
-  for (Index = mMaxNumberOfCpus; Index-- > 0;) {\r
+  for (Index = 0; Index < mMaxNumberOfCpus; Index++) {\r
     if (IsPresentAp (Index)) {\r
       AcquireSpinLock (mSmmMpSyncData->CpuData[Index].Busy);\r
     }\r
   }\r
 \r
-  for (Index = mMaxNumberOfCpus; Index-- > 0;) {\r
+  for (Index = 0; Index < mMaxNumberOfCpus; Index++) {\r
     if (IsPresentAp (Index)) {\r
       mSmmMpSyncData->CpuData[Index].Procedure = (EFI_AP_PROCEDURE2) Procedure;\r
       mSmmMpSyncData->CpuData[Index].Parameter = ProcedureArguments;\r