microsoft/mu_feature_mm_supv

Unvalidated CpuIndex (Arg2) in SMM_START_AP_PROC can cause out of bound writes

kuqin12 opened this issue · 0 comments

The supervisor handles the SMM_START_AP_PROC call index. It calls the gMmCoreMmst.MmStartupThisAp() function pointer with 3 arguments provided by userspace. The exact function pointer points to SmmStartupThisAp().

The second argument (Arg2) is seen as a CpuIndex and is used as an index into an array that is being written to. There are no bounds checks to ensure the index is <= the number of CPUs present. In this case, user-space gets to provide an unvalidated index and write user-controlled values almost anywhere in memory.

Fix Recommendation:
Add CpuIndex validation, either to SmmStartupThisAp() or inside the dispatcher when handling SMM_START_AP_PROC.
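A minimal model of the recommended fix, added here as an illustration and not code from mu_feature_mm_supv: the call index value, CPU count, table layout, status codes and helper names are all hypothetical stand-ins. It shows the dispatcher-side placement from the recommendation, where Arg2 is compared against the CPU count before the call goes through the function pointer; the same comparison could equally sit at the top of the SmmStartupThisAp() stand-in instead. The unchecked variant is kept beside the hardened one for contrast and is never invoked with an out-of-range index.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>

/* Hypothetical constants for this example only. */
typedef uint64_t STATUS;
#define STATUS_SUCCESS            0ULL
#define STATUS_INVALID_PARAMETER  2ULL      /* stands in for EFI_INVALID_PARAMETER */
#define SMM_START_AP_PROC         0x10ULL   /* hypothetical call index value */
#define NUMBER_OF_CPUS            4         /* hypothetical platform CPU count */

typedef void (*AP_PROCEDURE)(void *Buffer);

typedef struct {
  AP_PROCEDURE Procedure;
  void        *Buffer;
} AP_SLOT;

/* One slot per logical processor. The canary after it makes any write past
   the array observable in this example; the real target would be whatever
   the supervisor happens to keep after its per-CPU table. */
static AP_SLOT  gApTable[NUMBER_OF_CPUS];
static uint32_t gCanary = 0xC0FFEE;

/* Stand-in for the callee reached through the MmStartupThisAp pointer.
   As in the issue, it trusts CpuIndex and uses it directly as an index. */
static STATUS StartupThisApStub(AP_PROCEDURE Procedure, size_t CpuIndex, void *Buffer)
{
  gApTable[CpuIndex].Procedure = Procedure;
  gApTable[CpuIndex].Buffer    = Buffer;
  return STATUS_SUCCESS;
}

/* Function-pointer table mirroring the gMmCoreMmst.MmStartupThisAp call style. */
static struct {
  STATUS (*MmStartupThisAp)(AP_PROCEDURE, size_t, void *);
} gMmst = { StartupThisApStub };

/* BEFORE: the pattern the issue describes. Arg2 flows straight into the
   array index, so a value >= NUMBER_OF_CPUS writes past gApTable. */
STATUS DispatchUnchecked(uint64_t CallIndex, uint64_t Arg1, uint64_t Arg2, uint64_t Arg3)
{
  if (CallIndex != SMM_START_AP_PROC) {
    return STATUS_INVALID_PARAMETER;
  }
  return gMmst.MmStartupThisAp((AP_PROCEDURE)(uintptr_t)Arg1, (size_t)Arg2, (void *)(uintptr_t)Arg3);
}

/* AFTER: Arg2 is rejected before it can be used as an index. The comparison
   is >=, so an index equal to the CPU count (one past the last slot) is
   refused as well; a "<=" style check would still let that write through. */
STATUS DispatchChecked(uint64_t CallIndex, uint64_t Arg1, uint64_t Arg2, uint64_t Arg3)
{
  if (CallIndex != SMM_START_AP_PROC) {
    return STATUS_INVALID_PARAMETER;
  }
  if (Arg2 >= NUMBER_OF_CPUS) {
    return STATUS_INVALID_PARAMETER;
  }
  return gMmst.MmStartupThisAp((AP_PROCEDURE)(uintptr_t)Arg1, (size_t)Arg2, (void *)(uintptr_t)Arg3);
}

/* Inspection helpers so the effect of a call can be verified. */
bool ApSlotHasBuffer(size_t CpuIndex, uint64_t ExpectedBuffer)
{
  return CpuIndex < NUMBER_OF_CPUS &&
         (uintptr_t)gApTable[CpuIndex].Buffer == (uintptr_t)ExpectedBuffer;
}

uint32_t CanaryValue(void)
{
  return gCanary;
}
```

Only the index check matters for this issue; Arg1 and Arg3 are passed through unchanged because the report does not concern them. Whichever of the two placements is chosen, the check must happen before any dereference that uses the index, and it must be an unsigned comparison so a negative value reinterpreted as a large index is caught too.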

Acknowledgement:
Thanks to @iljavs for reporting this issue.