From: "Dong, Eric"
To: devel@edk2.groups.io
Cc: Ray Ni, Laszlo Ersek
Subject: [edk2-devel] [PATCH v3 2/2] UefiCpuPkg/PiSmmCpuDxeSmm: Fix buffer overflow issue.
Date: Mon, 23 Dec 2019 16:10:37 +0800
Message-Id: <20191223081037.1565-3-eric.dong@intel.com>
In-Reply-To: <20191223081037.1565-1-eric.dong@intel.com>
References: <20191223081037.1565-1-eric.dong@intel.com>

The size for the array of mSmmMpSyncData->CpuData[] is 0 ~
mMaxNumberOfCpus -1. But current code may use
mSmmMpSyncData->CpuData[mMaxNumberOfCpus].

This patch fixed this issue.

Reviewed-by: Ray Ni
Cc: Laszlo Ersek
Signed-off-by: Eric Dong
---
 UefiCpuPkg/PiSmmCpuDxeSmm/MpService.c | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/UefiCpuPkg/PiSmmCpuDxeSmm/MpService.c b/UefiCpuPkg/PiSmmCpuDxe= Smm/MpService.c index 35951cc43e..4808045f71 100644 --- a/UefiCpuPkg/PiSmmCpuDxeSmm/MpService.c +++ b/UefiCpuPkg/PiSmmCpuDxeSmm/MpService.c @@ -137,7 +137,7 @@ ReleaseAllAPs ( { UINTN Index; =20 - for (Index =3D mMaxNumberOfCpus; Index-- > 0;) { + for (Index =3D 0; Index < mMaxNumberOfCpus; Index++) { if (IsPresentAp (Index)) { ReleaseSemaphore (mSmmMpSyncData->CpuData[Index].Run); } @@ -170,7 +170,7 @@ AllCpusInSmmWithExceptions ( =20 CpuData =3D mSmmMpSyncData->CpuData; ProcessorInfo =3D gSmmCpuPrivate->ProcessorInfo; - for (Index =3D mMaxNumberOfCpus; Index-- > 0;) { + for (Index =3D 0; Index < mMaxNumberOfCpus; Index++) { if (!(*(CpuData[Index].Present)) && ProcessorInfo[Index].ProcessorId != =3D INVALID_APIC_ID) { if (((Exceptions & ARRIVAL_EXCEPTION_DELAYED) !=3D 0) && SmmCpuFeatu= resGetSmmRegister (Index, SmmRegSmmDelayed) !=3D 0) { continue; @@ -305,7 +305,7 @@ SmmWaitForApArrival ( // // Send SMI IPIs to bring outside processors in // - for (Index =3D mMaxNumberOfCpus; Index-- > 0;) { + for (Index =3D 0; Index < mMaxNumberOfCpus; Index++) { if (!(*(mSmmMpSyncData->CpuData[Index].Present)) && gSmmCpuPrivate->= ProcessorInfo[Index].ProcessorId !=3D INVALID_APIC_ID) { SendSmiIpi ((UINT32)gSmmCpuPrivate->ProcessorInfo[Index].Processor= Id); } @@ -361,7 +361,7 @@ WaitForAllAPsNotBusy ( { UINTN Index; =20 - for (Index =3D mMaxNumberOfCpus; Index-- > 0;) { + for (Index =3D 0; Index < mMaxNumberOfCpus; Index++) { // // Ignore BSP and APs which not call in SMM. // @@ -617,7 +617,7 @@ BSPHandler ( // while (TRUE) { PresentCount =3D 0; - for (Index =3D mMaxNumberOfCpus; Index-- > 0;) { + for (Index =3D 0; Index < mMaxNumberOfCpus; Index++) { if (*(mSmmMpSyncData->CpuData[Index].Present)) { PresentCount ++; } 
@@ -1301,7 +1301,7 @@ InternalSmmStartupAllAPs ( } =20 CpuCount =3D 0; - for (Index =3D mMaxNumberOfCpus; Index-- > 0;) { + for (Index =3D 0; Index < mMaxNumberOfCpus; Index++) { if (IsPresentAp (Index)) { CpuCount ++; =20 @@ -1333,13 +1333,13 @@ InternalSmmStartupAllAPs ( // Here code always use AcquireSpinLock instead of AcquireSpinLockOrFail= for not // block mode. // - for (Index =3D mMaxNumberOfCpus; Index-- > 0;) { + for (Index =3D 0; Index < mMaxNumberOfCpus; Index++) { if (IsPresentAp (Index)) { AcquireSpinLock (mSmmMpSyncData->CpuData[Index].Busy); } } =20 - for (Index =3D mMaxNumberOfCpus; Index-- > 0;) { + for (Index =3D 0; Index < mMaxNumberOfCpus; Index++) { if (IsPresentAp (Index)) { mSmmMpSyncData->CpuData[Index].Procedure =3D (EFI_AP_PROCEDURE2) Pro= cedure; mSmmMpSyncData->CpuData[Index].Parameter =3D ProcedureArguments; --=20 2.23.0.windows.1
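
Review bot: In the ReleaseAllAPs hunk (@@ -137) the removed loop `for (Index = mMaxNumberOfCpus; Index-- > 0;)` tests and decrements Index before the body runs, so the body only sees Index from mMaxNumberOfCpus - 1 down to 0 and the visible access `mSmmMpSyncData->CpuData[Index].Run` stays inside the array. The same is true of every other loop rewritten in this patch. Please name in the commit message the statement that actually reaches CpuData[mMaxNumberOfCpus]; if none of the changed loops does, describe the change as a readability cleanup so it is not tracked or backported as a buffer overflow fix.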
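
Review bot: The SmmWaitForApArrival hunk (@@ -305) reverses the order in which `SendSmiIpi` is issued, from highest index first to lowest index first, and the commit message does not mention this behavioural change. Please state in the message that the order in which absent processors receive the SMI IPI is not significant, so a later reader does not have to re-derive that from the arrival and timeout logic around this loop.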
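
Review bot: In the second InternalSmmStartupAllAPs hunk (@@ -1333) the loop calling `AcquireSpinLock (mSmmMpSyncData->CpuData[Index].Busy)` now takes the per-CPU Busy locks in ascending rather than descending index order. Please confirm that no other path acquires more than one Busy lock in the old descending order, since two paths taking the same locks in opposite orders can deadlock, and record the result in the commit message or in the comment above the loop.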