From 123b720eeb371e0a31eb727bcf59255b584e355f Mon Sep 17 00:00:00 2001 From: Eric Dong Date: Mon, 23 Dec 2019 14:37:28 +0800 Subject: [PATCH] UefiCpuPkg/PiSmmCpuDxeSmm: Fix buffer overflow issue. The size for the array of mSmmMpSyncData->CpuData[] is 0 ~ mMaxNumberOfCpus -1. But current code may use mSmmMpSyncData->CpuData[mMaxNumberOfCpus]. This patch fixed this issue. Reviewed-by: Ray Ni Cc: Laszlo Ersek Signed-off-by: Eric Dong --- UefiCpuPkg/PiSmmCpuDxeSmm/MpService.c | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/UefiCpuPkg/PiSmmCpuDxeSmm/MpService.c b/UefiCpuPkg/PiSmmCpuDxeSmm/MpService.c index 35951cc43e..4808045f71 100644 --- a/UefiCpuPkg/PiSmmCpuDxeSmm/MpService.c +++ b/UefiCpuPkg/PiSmmCpuDxeSmm/MpService.c @@ -137,7 +137,7 @@ ReleaseAllAPs ( { UINTN Index; - for (Index = mMaxNumberOfCpus; Index-- > 0;) { + for (Index = 0; Index < mMaxNumberOfCpus; Index++) { if (IsPresentAp (Index)) { ReleaseSemaphore (mSmmMpSyncData->CpuData[Index].Run); } @@ -170,7 +170,7 @@ AllCpusInSmmWithExceptions ( CpuData = mSmmMpSyncData->CpuData; ProcessorInfo = gSmmCpuPrivate->ProcessorInfo; - for (Index = mMaxNumberOfCpus; Index-- > 0;) { + for (Index = 0; Index < mMaxNumberOfCpus; Index++) { if (!(*(CpuData[Index].Present)) && ProcessorInfo[Index].ProcessorId != INVALID_APIC_ID) { if (((Exceptions & ARRIVAL_EXCEPTION_DELAYED) != 0) && SmmCpuFeaturesGetSmmRegister (Index, SmmRegSmmDelayed) != 0) { continue; @@ -305,7 +305,7 @@ SmmWaitForApArrival ( // // Send SMI IPIs to bring outside processors in // - for (Index = mMaxNumberOfCpus; Index-- > 0;) { + for (Index = 0; Index < mMaxNumberOfCpus; Index++) { if (!(*(mSmmMpSyncData->CpuData[Index].Present)) && gSmmCpuPrivate->ProcessorInfo[Index].ProcessorId != INVALID_APIC_ID) { SendSmiIpi ((UINT32)gSmmCpuPrivate->ProcessorInfo[Index].ProcessorId); } 
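Review bot: The new ascending loop in ReleaseAllAPs changes the order in which CpuData[] is walked, not the set of indices, and neither the code nor the commit message records that. With `UINTN Index`, the removed `Index-- > 0` test compares and then decrements before the body runs, so the body saw mMaxNumberOfCpus - 1 down to 0; as far as these lines show, it never reached CpuData[mMaxNumberOfCpus]. The same applies to the loops changed in AllCpusInSmmWithExceptions, SmmWaitForApArrival, WaitForAllAPsNotBusy, BSPHandler and InternalSmmStartupAllAPs, so anyone triaging or backporting this as an out-of-bounds fix should confirm the overflow against the pre-patch tree. If order really is irrelevant, a comment above each loop such as `// Walk all mMaxNumberOfCpus entries of CpuData[]; order is not significant.` would say so. The enclosing functions start and end outside the hunks.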
@@ -361,7 +361,7 @@ WaitForAllAPsNotBusy ( { UINTN Index; - for (Index = mMaxNumberOfCpus; Index-- > 0;) { + for (Index = 0; Index < mMaxNumberOfCpus; Index++) { // // Ignore BSP and APs which not call in SMM. // @@ -617,7 +617,7 @@ BSPHandler ( // while (TRUE) { PresentCount = 0; - for (Index = mMaxNumberOfCpus; Index-- > 0;) { + for (Index = 0; Index < mMaxNumberOfCpus; Index++) { if (*(mSmmMpSyncData->CpuData[Index].Present)) { PresentCount ++; } @@ -1301,7 +1301,7 @@ InternalSmmStartupAllAPs ( } CpuCount = 0; - for (Index = mMaxNumberOfCpus; Index-- > 0;) { + for (Index = 0; Index < mMaxNumberOfCpus; Index++) { if (IsPresentAp (Index)) { CpuCount ++; @@ -1333,13 +1333,13 @@ InternalSmmStartupAllAPs ( // Here code always use AcquireSpinLock instead of AcquireSpinLockOrFail for not // block mode. // - for (Index = mMaxNumberOfCpus; Index-- > 0;) { + for (Index = 0; Index < mMaxNumberOfCpus; Index++) { if (IsPresentAp (Index)) { AcquireSpinLock (mSmmMpSyncData->CpuData[Index].Busy); } } - for (Index = mMaxNumberOfCpus; Index-- > 0;) { + for (Index = 0; Index < mMaxNumberOfCpus; Index++) { if (IsPresentAp (Index)) { mSmmMpSyncData->CpuData[Index].Procedure = (EFI_AP_PROCEDURE2) Procedure; mSmmMpSyncData->CpuData[Index].Parameter = ProcedureArguments; -- 2.39.2
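Review bot: The first loop of the `-1333,13` hunk in InternalSmmStartupAllAPs now takes every present AP's `CpuData[Index].Busy` lock in ascending index order, and that order is not documented. The context comment says the code always uses the blocking AcquireSpinLock, so if another path ever held more than one Busy lock in a different order, the result would be a hang inside SMM rather than an error return. No such path is visible in this diff, so this is a precaution. I would add `// Busy locks are acquired in ascending CPU index order; any other multi-lock path must match.` above the loop. The function begins and ends outside the hunk.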