* [edk2-test] [PATCH v2 1/1] uefi-sct/SctPkg: buffer overflow in NotifyFunctionTplEx()
From: Heinrich Schuchardt @ 2019-09-11 19:41 UTC
To: EDK II Development
Cc: Eric Jin, Supreeth Venkatesh, Stephano Cetola,
Heinrich Schuchardt
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1976

CreateEventEx() may lead to a change in the memory map causing an
EFI_EVENT_GROUP_MEMORY_MAP_CHANGE. So in BBTestCreateEventEx_Func_Sub3() we
should only check for events triggered after the events have been set up.

Among other changes commit c093702f98ad ("uefi-sct/SctPkg:Fix flaw in
BBTestCreateEventEx_Func_Sub3") tried to adjust the event recording logic in
NotifyFunctionTplEx() to account for this.

The commit did not consider that CloseEvent() will release memory and
equally lead to EFI_EVENT_GROUP_MEMORY_MAP_CHANGE. NotifyFunctionTplEx()
does not check the limits of the buffer. So a buffer overrun occurs in this
case.

The easiest way to account for memory map changes by CreateEventEx() is to
initialize the event invocation records after setting up the events.

Moving the check of the event sequence to before CloseEvent() ensures that
we only measure the events we are interested in.

In function NotifyFunctionTplEx() check the index against the buffer
limits. Stop recording after MAX_TEST_EVENT_NUM events.

Fixes: c093702f98ad ("uefi-sct/SctPkg:Fix flaw in BBTestCreateEventEx_Func_Sub3")
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
---
v2:
Move closing and freeing of events after the assertion. This ensures
that memory changes resulting from CloseEvent() do not change the
test results.
---
...rTaskPriorityServicesBBTestCreateEventEx.c | 35 +++++++-----
.../BlackBoxTest/Support.c | 55 +++++--------------
2 files changed, 35 insertions(+), 55 deletions(-)
diff --git a/uefi-sct/SctPkg/TestCase/UEFI/EFI/BootServices/EventTimerTaskPriorityServices/BlackBoxTest/EventTimerTaskPriorityServicesBBTestCreateEventEx.c b/uefi-sct/SctPkg/TestCase/UEFI/EFI/BootServices/EventTimerTaskPriorityServices/BlackBoxTest/EventTimerTaskPriorityServicesBBTestCreateEventEx.c
index 4a8e44e2..2b119ff0 100644
--- a/uefi-sct/SctPkg/TestCase/UEFI/EFI/BootServices/EventTimerTaskPriorityServices/BlackBoxTest/EventTimerTaskPriorityServicesBBTestCreateEventEx.c
+++ b/uefi-sct/SctPkg/TestCase/UEFI/EFI/BootServices/EventTimerTaskPriorityServices/BlackBoxTest/EventTimerTaskPriorityServicesBBTestCreateEventEx.c
@@ -918,12 +918,11 @@ BBTestCreateEventEx_Func_Sub3 (
UINTN Buffer[MAX_TEST_EVENT_NUM + MAX_TEST_EVENT_NUM*2];
//
- // Initialize Buffer as SIGNAL_CONTEXT
+ // Initialize the event index. The event invocation records will be
+ // initialized later.
//
for (Index = 0; Index < MAX_TEST_EVENT_NUM; Index ++) {
Buffer[Index] = Index;
- Buffer[Index + MAX_TEST_EVENT_NUM + Index] = (UINTN)(SIGNAL_CONTEXT);
- Buffer[Index + MAX_TEST_EVENT_NUM + 1 + Index] = (UINTN)(SIGNAL_CONTEXT);
}
//
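Review bot: with the two SIGNAL_CONTEXT assignments removed from this loop, Buffer[MAX_TEST_EVENT_NUM] and the slots above it stay uninitialized stack memory until the later initialization loop runs. The reworked NotifyFunctionTplEx() compares exactly those slots against SIGNAL_CONTEXT, so a notification that fires while the events are being created reads indeterminate values and could match by chance. Consider filling the record slots here with a value that can never match, or zero-initializing the array, so that early notifications are ignored deterministically.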
@@ -976,7 +975,17 @@ BBTestCreateEventEx_Func_Sub3 (
gtBS->CloseEvent (Event[1]);
return Status;
}
-
+
+ //
+ // CreateEventEx() may lead to a change in the memory map and trigger
+ // EFI_EVENT_GROUP_MEMORY_MAP_CHANGE itself. So initialize the event
+ // invocation records after creating the events.
+ //
+ for (Index = 0; Index < MAX_TEST_EVENT_NUM; Index ++) {
+ Buffer[Index + MAX_TEST_EVENT_NUM + Index] = (UINTN)(SIGNAL_CONTEXT);
+ Buffer[Index + MAX_TEST_EVENT_NUM + 1 + Index] = (UINTN)(SIGNAL_CONTEXT);
+ }
+
//
// Call AllocatePage to change the memorymap
//
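Review bot: the slot indices in the added loop, `Index + MAX_TEST_EVENT_NUM + Index` and `Index + MAX_TEST_EVENT_NUM + 1 + Index`, are hard to read as the index/TPL pair of record number Index. Writing them as `MAX_TEST_EVENT_NUM + 2*Index` and `MAX_TEST_EVENT_NUM + 2*Index + 1` would make the pairing with the `Index += 2` scan in NotifyFunctionTplEx() obvious. The removed and re-added blank line above the new comment is a whitespace-only change and is better kept out of a functional fix unless it is intentional cleanup.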
@@ -998,14 +1007,6 @@ BBTestCreateEventEx_Func_Sub3 (
gtBS->RestoreTPL (OldTpl);
- //
- // Close all the events created and Free the pages
- //
- gtBS->CloseEvent (Event[0]);
- gtBS->CloseEvent (Event[1]);
- gtBS->CloseEvent (Event[2]);
- gtBS->FreePages (Memory, 2);
-
//
// Compare the notify order
//
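Review bot: removing the CloseEvent()/FreePages() calls at this point means the three events and the two pages stay allocated through the comparison code that follows. Please confirm there is no return between here and the relocated cleanup at the end of the function, otherwise that path leaks them.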
@@ -1030,9 +1031,17 @@ BBTestCreateEventEx_Func_Sub3 (
Buffer[MAX_TEST_EVENT_NUM + 5]
);
+ //
+ // Close all the events created and Free the pages
+ //
+ gtBS->CloseEvent (Event[0]);
+ gtBS->CloseEvent (Event[1]);
+ gtBS->CloseEvent (Event[2]);
+ gtBS->FreePages (Memory, 2);
+
//
// Done
//
return EFI_SUCCESS;
}
-#endif
\ No newline at end of file
+#endif
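Review bot: the relocated cleanup block keeps the old comment, which does not say why it has to come after the comparison. A line stating that CloseEvent() releases memory and may itself signal EFI_EVENT_GROUP_MEMORY_MAP_CHANGE, so the events are closed only after the records have been checked, would stop a later cleanup from moving the block back. The `#endif` change only adds the missing trailing newline and is fine.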
diff --git a/uefi-sct/SctPkg/TestCase/UEFI/EFI/BootServices/EventTimerTaskPriorityServices/BlackBoxTest/Support.c b/uefi-sct/SctPkg/TestCase/UEFI/EFI/BootServices/EventTimerTaskPriorityServices/BlackBoxTest/Support.c
index c702f84d..0c900a3e 100644
--- a/uefi-sct/SctPkg/TestCase/UEFI/EFI/BootServices/EventTimerTaskPriorityServices/BlackBoxTest/Support.c
+++ b/uefi-sct/SctPkg/TestCase/UEFI/EFI/BootServices/EventTimerTaskPriorityServices/BlackBoxTest/Support.c
@@ -58,58 +58,29 @@ NotifyFunctionTplEx(
EFI_TPL OldTpl;
UINTN EventIndex;
UINTN Index;
-
+
if (Context != NULL) {
Buffer = Context;
EventIndex = Buffer[0];
//
- // The special code check for the BBTestCreateEventEx_Func_Sub3
- // Besides AllocatePages(), CreateEventEx() may trigger the memorymap
- // change when it is out of resource in memory pool
- // Use SIGNAL_CONTEXT to block possible enter triggered by CreateEventEx
- //
- if (EventIndex != 2 && Buffer[4] == (UINTN)(SIGNAL_CONTEXT))
- return;
-
- //
- // It is the code execution path as expect
- // The overall layout buffer as below
- // Buffer[0] [1] [2] store 1st/2nd/3rd event index (start from 0)
- // Buffer[3] [5] [7] store the index of event notified
- // Buffer[4] [6] [8] store the tpl of notification function of 1st/2nd/3rd event notified
+ // The event's context is offset by EventIndex from the true buffer start.
+ // Skip over the MAX_TEST_EVENT_NUM leading index entries.
+ // A maximum of MAX_TEST_EVENT_NUM events can be recorded.
//
- // since 3rd event is created at notify tpl, 1nd/2rd event at callback
- // EventIndex should be 2 here for the first enter
- // Because Context points to Buffer[2] and value(EventIndex) is 2
- // To initial the Buffer to 0xFF
- //
-
- if (EventIndex == 2 && Buffer[1] == (UINTN)(SIGNAL_CONTEXT)) {
- for (Index=1; Index<MAX_TEST_EVENT_NUM*2+1; Index++) {
- Buffer[Index] = (UINTN)(0xFF);
+ for (Index = MAX_TEST_EVENT_NUM-EventIndex;
+ Index < 3*MAX_TEST_EVENT_NUM-EventIndex; Index += 2) {
+ if (Buffer[Index] == (UINTN)(SIGNAL_CONTEXT)) {
+ OldTpl = gtBS->RaiseTPL (TPL_HIGH_LEVEL);
+ gtBS->RestoreTPL (OldTpl);
+
+ Buffer[Index] = EventIndex;
+ Buffer[Index+1] = OldTpl;
+ return;
}
}
-
- Index = 3-EventIndex;
-
- while (1) {
- if (Buffer[Index] == (UINTN)(0xFF)) {
- break;
- } else {
- Index += 2;
- }
- }
-
- OldTpl = gtBS->RaiseTPL (TPL_HIGH_LEVEL);
- gtBS->RestoreTPL (OldTpl);
-
- Buffer[Index] = EventIndex;
- Buffer[Index+1] = OldTpl;
}
-
- return;
}
#endif
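Review bot: EventIndex is read from Buffer[0] and used unchecked in `MAX_TEST_EVENT_NUM-EventIndex`, so the new loop bounds hold only when the context really is entry EventIndex of the 3*MAX_TEST_EVENT_NUM array set up by the caller; a value above MAX_TEST_EVENT_NUM wraps the UINTN subtraction. An explicit `if (EventIndex >= MAX_TEST_EVENT_NUM) return;` before the loop would make the bound self-contained. The removed comment also documented the buffer layout (event indices first, then index/TPL pairs); keeping that description next to the loop would help, together with a remark that a notification arriving when no SIGNAL_CONTEXT slot is left is dropped on purpose.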
--
2.20.1
* Re: [edk2-devel] [edk2-test] [PATCH v2 1/1] uefi-sct/SctPkg: buffer overflow in NotifyFunctionTplEx()
From: Eric Jin @ 2019-09-12 2:32 UTC
To: devel@edk2.groups.io, xypron.glpk@gmx.de
Cc: Supreeth Venkatesh, Stephano Cetola
Heinrich,
Could you please provide your company/organization info in copyright part?
I could help to add it when I push the patch.
With that - Reviewed by: Eric Jin <eric.jin@intel.com>
Best Regards
Eric
* Re: [edk2-devel] [edk2-test] [PATCH v2 1/1] uefi-sct/SctPkg: buffer overflow in NotifyFunctionTplEx()
From: Eric Jin @ 2019-09-16 1:49 UTC
To: devel@edk2.groups.io, xypron.glpk@gmx.de
Cc: Supreeth Venkatesh, Stephano Cetola
Pushed at 7c812553bfe69906b773d08c1e869044683c69a6