UefiCpuPkg/CpuExceptionHandlerLib: Fix wrong use of relative addressing

HookAfterStubHeader is copied before execution. Thus, relative
addressing cannot safely be used for anything outside the copy range.
Fix the reference of HookAfterStubHeaderEnd to be absolute.

This change alone violates an undocumented requirement that
HookAfterStubHeader and AsmIdtVector are structurally equivalent (their
respective sizes in particular). Resolve this by treating them (and in
particular their sizes) independently.

UefiCpuPkg/Library/CpuExceptionHandlerLib/CpuExceptionCommon.h

@@ -58,6 +58,7 @@ typedef struct {
   UINTN    ExceptionStart;
   UINTN    ExceptionStubHeaderSize;
   UINTN    HookAfterStubHeaderStart;
+  UINTN    HookAfterStubHeaderSize;
 } EXCEPTION_HANDLER_TEMPLATE_MAP;
 
 typedef struct {

UefiCpuPkg/Library/CpuExceptionHandlerLib/Ia32/ExceptionHandlerAsm.nasm

@@ -446,6 +446,7 @@ ASM_PFX(AsmGetTemplateAddressMap):
     mov dword [ebx],      AsmIdtVectorBegin
     mov dword [ebx + 0x4], (AsmIdtVectorEnd - AsmIdtVectorBegin) / NUM_VECTORS
     mov dword [ebx + 0x8], HookAfterStubBegin
+    mov dword [ebx + 0xC], HookAfterStubHeaderEnd - HookAfterStubBegin
 
     popad
     pop     ebp

UefiCpuPkg/Library/CpuExceptionHandlerLib/Ia32/ExceptionTssEntryAsm.nasm

@@ -382,6 +382,7 @@ ASM_PFX(AsmGetTssTemplateMap):
     mov dword [ebx],       ASM_PFX(ExceptionTaskSwtichEntry0)
     mov dword [ebx + 0x4], (AsmExceptionEntryEnd - AsmExceptionEntryBegin) / 32
     mov dword [ebx + 0x8], 0
+    mov dword [ebx + 0xC], 0
 
     popad
     pop     ebp

UefiCpuPkg/Library/CpuExceptionHandlerLib/PeiDxeSmmCpuException.c

@@ -206,7 +206,7 @@ UpdateIdtTable (
         CopyMem (
           (VOID *)ReservedVectors[Index].HookAfterStubHeaderCode,
           (VOID *)TemplateMap->HookAfterStubHeaderStart,
-          TemplateMap->ExceptionStubHeaderSize
+          TemplateMap->HookAfterStubHeaderSize
           );
         AsmVectorNumFixup (
           (VOID *)ReservedVectors[Index].HookAfterStubHeaderCode,
@@ -279,7 +279,7 @@ InitializeCpuExceptionHandlersWorker (
 
   IdtTable = (IA32_IDT_GATE_DESCRIPTOR *)IdtDescriptor.Base;
   AsmGetTemplateAddressMap (&TemplateMap);
-  ASSERT (TemplateMap.ExceptionStubHeaderSize <= HOOKAFTER_STUB_SIZE);
+  ASSERT (TemplateMap.HookAfterStubHeaderSize <= HOOKAFTER_STUB_SIZE);
 
   UpdateIdtTable (IdtTable, &TemplateMap, ExceptionHandlerData);
 

UefiCpuPkg/Library/CpuExceptionHandlerLib/X64/ExceptionHandlerAsm.nasm

@@ -65,6 +65,7 @@ AsmIdtVectorBegin:
 %rep  NUM_VECTORS
     push    strict dword %[Vector] ; This instruction pushes sign-extended 8-byte value on stack
     push    rax
+    ; This code is not copied, thus relative addressing is safe.
     lea     rax, [ASM_PFX(CommonInterruptEntry)]
     jmp     rax
 %assign Vector Vector+1
@@ -75,7 +76,9 @@ HookAfterStubHeaderBegin:
     push    strict dword 0      ; 0 will be fixed
 VectorNum:
     push    rax
-    lea     rax, [HookAfterStubHeaderEnd]
+    ; This code is copied, thus relative addressing would not be safe and we
+    ; need to utilize the absolute address.
+    mov     rax, HookAfterStubHeaderEnd
     jmp     rax
 HookAfterStubHeaderEnd:
     mov     rax, rsp
@@ -463,6 +466,8 @@ ASM_PFX(AsmGetTemplateAddressMap):
     mov     qword [rcx + 0x8],  (AsmIdtVectorEnd - AsmIdtVectorBegin) / NUM_VECTORS
     lea     rax, [HookAfterStubHeaderBegin]
     mov     qword [rcx + 0x10], rax
+    mov     qword [rcx + 0x18], HookAfterStubHeaderEnd - HookAfterStubHeaderBegin
+
     ret
 
 ;-------------------------------------------------------------------------------------