[Bug 197641] UEFI loader creates invalid device path

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Sat Feb 14 15:20:38 UTC 2015


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=197641

            Bug ID: 197641
           Summary: UEFI loader creates invalid device path
           Product: Base System
           Version: 10.1-RELEASE
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs at FreeBSD.org
          Reporter: cmruffin at gmail.com

Created attachment 152971
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=152971&action=edit
original device path

The UEFI loader on the 10.1 release install disk (disc1) modifies an
existing EFI_DEVICE_PATH_PROTOCOL instance in an apparent attempt to
truncate the device path.  In doing so it creates an invalid device
path.

The original UEFI device path is represented textually as follows:
PciRoot(0x0)/Pci(0x18,0x0)/Sata(0x0,0x0,0x0)/CDROM(0x0,0x14,0x4)

The last node in the path has a length of 0x18.

The loader (for unknown reasons) truncates the device path to:
PciRoot(0x0)/Pci(0x18,0x0)/Sata(0x0,0x0,0x0)

It seems to attempt to transform the last node to an END_DEVICE_PATH
node by overwriting the last node of the device path to have a
EFI_DEVICE_PATH_PROTOCOL->Type and SubType as follows:

#define END_DEVICE_PATH_TYPE                 0x7f
#define END_ENTIRE_DEVICE_PATH_SUBTYPE       0xFF

However, it leaves the length of the node unmodified, so that it does
not have a length of 4 as required for an END_DEVICE_PATH structure,
per UEFI 2.4.0 §9.3.1, Table 40 "Device Path End Structure".

A later call to the boot service LocateDevicePath() sees this device
path as invalid device path and throws an assert.

The purpose behind truncating the device path isn't clear.  In
general I would not recommend modifying data structures allocated by
the firmware.  But, it isn't clear what the intent of the code is.

At a minimum the loader should not be creating the invalid device path.

The loader is loaded into memory at 75349000, and the device path
modification happens at address 7536bf59.

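As an added illustration (not code from the report or from the FreeBSD loader), the following C model of the EFI_DEVICE_PATH_PROTOCOL node header walks a constructed device path, validates the end node the way the report says LocateDevicePath() expects it, and contrasts the truncation the report describes (Type/SubType overwritten, Length left at 0x18) with one that also sets Length to 4. The placeholder node types, the sample layout and all function names are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#define END_DEVICE_PATH_TYPE           0x7f
#define END_ENTIRE_DEVICE_PATH_SUBTYPE 0xFF
#define END_NODE_LENGTH                4      /* UEFI 2.4 Table 40 */
typedef struct { uint8_t Type, SubType, Length[2]; } DevPathNode; /* Length: little-endian, includes header */
#define NODE(buf, off) ((DevPathNode *)((buf) + (off)))
static size_t node_len(const DevPathNode *n) { return n->Length[0] | ((size_t)n->Length[1] << 8); }
static void set_len(DevPathNode *n, size_t l) { n->Length[0] = l & 0xff; n->Length[1] = (l >> 8) & 0xff; }
static void mark_end(DevPathNode *n) { n->Type = END_DEVICE_PATH_TYPE; n->SubType = END_ENTIRE_DEVICE_PATH_SUBTYPE; }
static int is_end(const DevPathNode *n) { return n->Type == END_DEVICE_PATH_TYPE && n->SubType == END_ENTIRE_DEVICE_PATH_SUBTYPE; }

/* 1 only if every node fits in cap bytes, none is shorter than its 4-byte header, and the end node has Length 4. */
int devpath_is_valid(const uint8_t *buf, size_t cap) {
    for (size_t off = 0; off + 4 <= cap; ) {
        size_t len = node_len(NODE(buf, off));
        if (len < 4 || off + len > cap) return 0;
        if (is_end(NODE(buf, off))) return len == END_NODE_LENGTH;
        off += len;
    }
    return 0;   /* ran out of buffer without seeing an end node */
}

/* Constructed sample (zeroed buffer of >= 44 bytes): two 8-byte placeholder nodes, a 0x18-byte last node
 * (the size of the CDROM node in the report), then a proper 4-byte end node. Returns total size (44). */
size_t build_sample(uint8_t *buf) {
    static const uint8_t lens[3] = { 8, 8, 0x18 }; size_t off = 0;
    for (int i = 0; i < 3; off += lens[i++]) {
        NODE(buf, off)->Type = 0x01; NODE(buf, off)->SubType = 0x01;   /* placeholder ids, assumed */
        set_len(NODE(buf, off), lens[i]);
    }
    mark_end(NODE(buf, off)); set_len(NODE(buf, off), END_NODE_LENGTH);
    return off + END_NODE_LENGTH;
}

/* Rewrite the last real node as the end node. fix_length == 0 reproduces what the report describes
 * (Length is left at 0x18); fix_length == 1 also sets Length to 4 as the spec requires. */
int truncate_last_node(uint8_t *buf, size_t cap, int fix_length) {
    size_t off = 0, last = (size_t)-1;
    while (off + 4 <= cap && !is_end(NODE(buf, off))) {
        if (node_len(NODE(buf, off)) < 4) return 0;   /* malformed input: refuse to touch it */
        last = off, off += node_len(NODE(buf, last));
    }
    if (last == (size_t)-1) return 0;
    mark_end(NODE(buf, last)); if (fix_length) set_len(NODE(buf, last), END_NODE_LENGTH);
    return 1;
}

/* Build the sample, optionally truncate it (buggy or fixed), and report whether it is still valid. */
int scenario(int do_truncate, int fix_length) {
    uint8_t buf[64] = { 0 }; size_t size = build_sample(buf);
    if (do_truncate && !truncate_last_node(buf, size, fix_length)) return -1;
    return devpath_is_valid(buf, size);
}
```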