I just hit the CR ASSERT [1] in CoreValidateHandle(). It looks like the IHANDLE was a use after free, as it was a Pool buffer that was too small to be an IHANDLE and it did not have a valid handle.

I’m trying to understand why it is safe to walk the gHandleList without a lock. Seems like a local could cache a pointer, and an event could remove a handle, and Link would point to a stale handle?

Kind of feels like I’m missing something?

[1] https://github.com/tianocore/edk2/blob/master/MdeModulePkg/Core/Dxe/Hand/Handle.c#L64
EFI_STATUS
CoreValidateHandle (
  IN EFI_HANDLE  UserHandle
  )
{
  IHANDLE     *Handle;
  LIST_ENTRY  *Link;

  if (UserHandle == NULL) {
    return EFI_INVALID_PARAMETER;
  }

  for (Link = gHandleList.BackLink; Link != &gHandleList; Link = Link->BackLink) {
    Handle = CR (Link, IHANDLE, AllHandles, EFI_HANDLE_SIGNATURE);
    if (Handle == (IHANDLE *) UserHandle) {
      return EFI_SUCCESS;
    }
  }

  return EFI_INVALID_PARAMETER;
}

Thanks,

Andrew Fish
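An added C model of the walk quoted above, not edk2 code: it shows what the signature check in CR() sees when an entry on gHandleList is a handle whose pool buffer has already been freed. The struct layouts, the signature value and the non-asserting HandleFromLink() are assumptions made for the model.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Simplified stand-ins for the MdeModulePkg types (assumptions, not the real definitions). */
typedef struct ListEntry { struct ListEntry *ForwardLink, *BackLink; } LIST_ENTRY;
typedef struct { uint32_t Signature; LIST_ENTRY AllHandles; int Id; } IHANDLE;

#define HANDLE_SIG 0x646E6168u  /* constructed stand-in for EFI_HANDLE_SIGNATURE */
static LIST_ENTRY gHandleList = { &gHandleList, &gHandleList };

static void ListReset(void) { gHandleList.ForwardLink = gHandleList.BackLink = &gHandleList; }

/* Like CR(): recover the IHANDLE from its embedded LIST_ENTRY. edk2 ASSERTs on a bad
   signature; this model returns NULL instead so the stale-entry case can be observed. */
static IHANDLE *HandleFromLink(LIST_ENTRY *Link) {
  IHANDLE *h = (IHANDLE *)((char *)Link - offsetof(IHANDLE, AllHandles));
  return h->Signature == HANDLE_SIG ? h : NULL;
}

static void HandleInsert(IHANDLE *h, int Id) {  /* append at the tail of gHandleList */
  h->Signature = HANDLE_SIG; h->Id = Id;
  h->AllHandles.ForwardLink = &gHandleList;
  h->AllHandles.BackLink = gHandleList.BackLink;
  gHandleList.BackLink->ForwardLink = &h->AllHandles;
  gHandleList.BackLink = &h->AllHandles;
}

/* Models the pool buffer being freed and reused: the memory is no longer an IHANDLE. */
static void HandleFree(IHANDLE *h) { memset(h, 0xAF, sizeof *h); }

/* 0 = handle found, -1 = not in the list, -2 = walk reached an entry with a bad signature */
int ValidateHandle(const void *UserHandle) {
  for (LIST_ENTRY *Link = gHandleList.BackLink; Link != &gHandleList; Link = Link->BackLink) {
    IHANDLE *h = HandleFromLink(Link);
    if (h == NULL) return -2;        /* this is where the real CR() would ASSERT */
    if (h == UserHandle) return 0;
  }
  return -1;
}

int ScenarioValid(void) {            /* both handles live: lookup of a succeeds */
  static IHANDLE a, b; ListReset(); HandleInsert(&a, 1); HandleInsert(&b, 2);
  return ValidateHandle(&a);
}
int ScenarioUnknown(void) {          /* pointer never registered: rejected cleanly */
  static IHANDLE a, c; ListReset(); HandleInsert(&a, 1);
  return ValidateHandle(&c);
}
int ScenarioFreedStillLinked(void) { /* b freed but still linked: the walk lands on garbage */
  static IHANDLE a, b; ListReset(); HandleInsert(&a, 1); HandleInsert(&b, 2); HandleFree(&b);
  return ValidateHandle(&a);
}
```

The third scenario is the shape of the failure described in the mail: the lookup for a perfectly valid handle never reaches it, because the walk starts at the tail and trips over the stale entry first.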