From: bugzilla-noreply@freebsd.org
To: freebsd-bugs@FreeBSD.org
Subject: [Bug 197641] UEFI loader creates invalid device path
Date: Sat, 14 Feb 2015 15:20:38 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=197641

            Bug ID: 197641
           Summary: UEFI loader creates invalid device path
           Product: Base System
           Version: 10.1-RELEASE
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs@FreeBSD.org
          Reporter: cmruffin@gmail.com

Created attachment 152971
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=152971&action=edit
original device path

The UEFI loader on the 10.1 release install disk (disc1) modifies an existing
EFI_DEVICE_PATH_PROTOCOL instance in an apparent attempt to truncate the device
path. In doing so it creates an invalid device path.

The original UEFI device path is represented textually as follows:

    PciRoot(0x0)/Pci(0x18,0x0)/Sata(0x0,0x0,0x0)/CDROM(0x0,0x14,0x4)

The last node in the path has a length of 0x18.

The loader (for unknown reasons) truncates the device path to:

    PciRoot(0x0)/Pci(0x18,0x0)/Sata(0x0,0x0,0x0)

It seems to attempt to transform the last node to an END_DEVICE_PATH node by
overwriting the last node of the device path to have an
EFI_DEVICE_PATH_PROTOCOL->Type and SubType as follows:

    #define END_DEVICE_PATH_TYPE 0x7f
    #define END_ENTIRE_DEVICE_PATH_SUBTYPE 0xFF

However, it leaves the length of the node unmodified, so that it does not have
a length of 4 as required for an END_DEVICE_PATH structure, per UEFI 2.4.0
$9.3.1, Table 40 "Device Path End Structure".

A later call to the boot service LocateDevicePath() sees this device path as an
invalid device path and throws an assert.

It isn't clear the purpose behind truncating the device path. In general I
would not recommend modifying data structures allocated by the firmware. But,
it isn't clear what the intent of the code is. At a minimum the loader should
not be creating the invalid device path.

The loader is loaded into memory at 75349000, and the device path modification
happens at address 7536bf59.
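The malformed end node described in this report, as an added C example that is not part of the original report or of the FreeBSD loader source. The byte encoding of the sample path is constructed for illustration, and the names `devpath_size`, `truncate_and_check`, `END_DEVICE_PATH_LENGTH` and `CDROM_NODE_OFFSET` are hypothetical; the walker rejects an end node whose length is not 4, which is the case the report attributes to the loader.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define END_DEVICE_PATH_TYPE           0x7f
#define END_ENTIRE_DEVICE_PATH_SUBTYPE 0xFF
#define END_DEVICE_PATH_LENGTH         4   /* required length of an end node */
#define CDROM_NODE_OFFSET              28  /* 12 + 6 + 10 bytes of earlier nodes */

/* Constructed sample: PciRoot(0x0)/Pci(0x18,0x0)/Sata(0x0,0x0,0x0)/CDROM(0x0,0x14,0x4).
 * Each node is Type, SubType, 16-bit little-endian Length, then its payload. */
static const uint8_t SAMPLE_PATH[] = {
    0x02,0x01,0x0c,0x00, 0xd0,0x41,0x03,0x0a, 0,0,0,0,                    /* PciRoot */
    0x01,0x01,0x06,0x00, 0x00,0x18,                                        /* Pci     */
    0x03,0x12,0x0a,0x00, 0,0,0,0,0,0,                                      /* Sata    */
    0x04,0x02,0x18,0x00, 0,0,0,0, 0x14,0,0,0,0,0,0,0, 4,0,0,0,0,0,0,0,     /* CDROM, length 0x18 */
    0x7f,0xff,0x04,0x00                                                    /* End     */
};

/* Walk the path; return its size in bytes including the end node, or 0 if malformed. */
size_t devpath_size(const uint8_t *p, size_t max)
{
    size_t off = 0;
    while (off + 4 <= max) {
        size_t len = (size_t)p[off + 2] | ((size_t)p[off + 3] << 8);
        if (len < 4 || len > max - off) return 0;       /* shorter than a header, or overruns */
        if (p[off] == END_DEVICE_PATH_TYPE) {
            if (len != END_DEVICE_PATH_LENGTH) return 0; /* end node with a stale length */
            if (p[off + 1] == END_ENTIRE_DEVICE_PATH_SUBTYPE) return off + len;
        }
        off += len;
    }
    return 0;                                            /* no end node inside the buffer */
}

/* Truncate a private copy of the sample at the CDROM node and validate the result.
 * fix_length == 0 reproduces the reported behaviour (Length left at 0x18). */
size_t truncate_and_check(int fix_length)
{
    uint8_t path[sizeof SAMPLE_PATH];
    memcpy(path, SAMPLE_PATH, sizeof path);
    uint8_t *node = path + CDROM_NODE_OFFSET;
    node[0] = END_DEVICE_PATH_TYPE;
    node[1] = END_ENTIRE_DEVICE_PATH_SUBTYPE;
    if (fix_length) { node[2] = END_DEVICE_PATH_LENGTH; node[3] = 0; }
    return devpath_size(path, sizeof path);
}

int main(void) { return truncate_and_check(1) == 32 ? 0 : 1; }
```

The example works on a copy of the path, in line with the reporter's point about not modifying firmware-allocated structures in place.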