From 906451276ae1b579a75dff751fd2687b3293563d Mon Sep 17 00:00:00 2001
From: Ed Maste <emaste@FreeBSD.org>
Date: Tue, 7 Jul 2015 18:44:27 +0000
Subject: Avoid creating invalid UEFI device path

The UEFI loader on the 10.1 release install disk (disc1) modifies an
existing EFI_DEVICE_PATH_PROTOCOL instance in an apparent attempt to
truncate the device path.  In doing so it creates an invalid device
path.

Perform the equivalent action without modification of structures
allocated by firmware.

PR:		197641
MFC After:	1 week
Submitted by:	Chris Ruffin <chris.ruffin@intel.com>
---
 sys/boot/efi/libefi/efipart.c | 23 ++++++++++++++++++-----
 1 file changed, 18 insertions(+), 5 deletions(-)

(limited to 'sys')

diff --git a/sys/boot/efi/libefi/efipart.c b/sys/boot/efi/libefi/efipart.c
index 13dc0ac17edb..0831a98d69a0 100644
--- a/sys/boot/efi/libefi/efipart.c
+++ b/sys/boot/efi/libefi/efipart.c
@@ -63,13 +63,14 @@ static int
 efipart_init(void) 
 {
 	EFI_BLOCK_IO *blkio;
-	EFI_DEVICE_PATH *devpath, *node;
+	EFI_DEVICE_PATH *devpath, *devpathcpy, *tmpdevpath, *node;
 	EFI_HANDLE *hin, *hout, *aliases, handle;
 	EFI_STATUS status;
 	UINTN sz;
 	CHAR16 *path;
 	u_int n, nin, nout;
 	int err;
+	size_t devpathlen;
 
 	sz = 0;
 	hin = NULL;
@@ -98,9 +99,15 @@ efipart_init(void)
 		if (EFI_ERROR(status)) {
 			continue;
 		}
+
 		node = devpath;
-		while (!IsDevicePathEnd(NextDevicePathNode(node)))
+		devpathlen = DevicePathNodeLength(node);
+		while (!IsDevicePathEnd(NextDevicePathNode(node))) {
 			node = NextDevicePathNode(node);
+			devpathlen += DevicePathNodeLength(node);
+		}
+		devpathlen += DevicePathNodeLength(NextDevicePathNode(node));
+
 		status = BS->HandleProtocol(hin[n], &blkio_guid,
 		    (void**)&blkio);
 		if (EFI_ERROR(status))
@@ -117,10 +124,16 @@ efipart_init(void)
 		 */
 		if (DevicePathType(node) == MEDIA_DEVICE_PATH &&
 		    DevicePathSubType(node) == MEDIA_CDROM_DP) {
-			node->Type = END_DEVICE_PATH_TYPE;
-			node->SubType = END_ENTIRE_DEVICE_PATH_SUBTYPE;
-			status = BS->LocateDevicePath(&blkio_guid, &devpath,
+			devpathcpy = malloc(devpathlen);
+			memcpy(devpathcpy, devpath, devpathlen);
+			node = devpathcpy;
+			while (!IsDevicePathEnd(NextDevicePathNode(node)))
+				node = NextDevicePathNode(node);
+			SetDevicePathEndNode(node);
+			tmpdevpath = devpathcpy;
+			status = BS->LocateDevicePath(&blkio_guid, &tmpdevpath,
 			    &handle);
+			free(devpathcpy);
 			if (EFI_ERROR(status))
 				continue;
 			hout[nout] = handle;
-- 
cgit v1.3