The efipart_realstrategy function (which performs I/O in the UEFI boot loader) has an integer underflow when the I/O operation starts after the end of the disk. This normally causes a crash.
Created attachment 182226 [details] Patch to fix the problem Review for fix: https://reviews.freebsd.org/D10559
A commit references this bug: Author: allanjude Date: Sat Jul 1 20:25:22 UTC 2017 New revision: 320553 URL: https://svnweb.freebsd.org/changeset/base/320553 Log: Integer underflow in efipart_realstrategy when I/O starts after end of disk This fixes an integer underflow in efipart_realstrategy, which causes crashes when an I/O operation's start point is after the end of the disk. This can happen when trying to detect filesystems on very small disks. This can occur if a BIOS freebsd-boot partition exists on a system when the EFI loader is being used. PR: 219000 Submitted by: Eric McCorkle <eric@metricspace.net> Reviewed by: cem (previous version), tsoome (previous version) MFC after: 1 week Differential Revision: https://reviews.freebsd.org/D10559 Changes: head/sys/boot/efi/libefi/efipart.c
A commit references this bug: Author: kevans Date: Sun Feb 11 02:27:52 UTC 2018 New revision: 329114 URL: https://svnweb.freebsd.org/changeset/base/329114 Log: MFC Loader Fixes 2017q3: r320547,r320553,r321621,r321844,r321969,r321991, r322037,r322038,r322039,r322040,r322056,r322074,r322542,r322592,r322593, r322896,r322923,r323671,r322930,r322931,r322932,r322933,r322934,r322935, r322936,r322937,r322938,r322939,r322941,r323062,r323063,r323064,r323065, r323100,r323131,r323174,r323258,r323261,r323272,r323367,r323379,r323389, r323407,r323428,r323436,r323494,r323496,r323497,r323541,r323554,r323589, r323707,r323867,r323885,r323886,r323895,r323896,r323897,r323905,r323906, r323907,r323908,r323909,r323952,r323991,r324099,r324558,r326445,r326609, r326610 This batch includes a special kludge to fix powerpc loader build; <stdlib.h> was included after <stand.h> there, causing problems with DEBUG_MALLOC bits. Include <stdlib.h> a little bit earlier to fix the build with the intention of removing this when eventually libsa silently replaces stdlib.h with stand.h. r320547: Link EFI/uboot loaders with -znotext r320553: Integer underflow in efipart_realstrategy when I/O starts after end of disk r321621: Always set the receive mask in loader.efi. r321844: Clean up style in print_state(..) and pager_printf(..) r321969: Fix the return types for printf and putchar to match their libc r321991: Revert r321969 r322037: Add stpcpy and stpncpy to libstand r322038: Add definitions and utilities for EFI drivers r322039: Move EFI ZFS functions to libefi r322040: Add EFI utility functions to libefi r322056: Move EFI fmtdev functionality to libefi r322074: libefi/time.c cstyle cleanup r322542: loader.efi: repace XXX with real comments in trap.c r322592: Remove unused defines. r322593: Define proposed GUID for FreeBSD boot loader variables. r322896: Make spinconsole platform independent and hook it up into EFI loader r322923: Hide length of geli passphrase during boot. r323671: Fix language used in the r322923. r322930: Move efi_main into efi/loader r322931: Cleanup efi_main return type r322932: Use the loader.efi conventions for the various EFI tables. r322933: No need for MK_ZFS around these: they are by their nature only active when MK_ZFS is true. r322934: _STAND is sometimes defined on the command line. Make the define here match. r322935: Fix warnings due to type mismatch. r322936: Remove useless 'static' for an enum definition. r322937: Forward declare struct dsk to avoid warnings when building libi386. r322938: Link in libefi for boot1 r322939: Use efi_devpath_str for debug path info. r322941: Eliminate redunant device path matching. r323062: Make efichar.c routines available to libefi. r323063: boot1.efi: print more info about where boot1.efi is loaded from r323064: Exit rather than panic for most errors. r323065: Save where we're booted from r323100: libstand: nfs_readlink() should return proper return code r323131: Revert r322941: Eliminate redundant device matching functions r323174: Fix loader bug causing too many pages allocation when bootloader is U-Boot r323258: ucs2len r323261: Fix armv6 build r323272: Be consistent and do return (1); r323367: Mark init_chroot and init_script variables as deprecated. r323379: It's been pointed out that init_script at least is useful w/o r323389: loader.efi: chain loader should provide proper device handle r323407: boot1 generate-fat: generate all templates at once r323428: r323389 breaks the kernel build when WITHOUT_ZFS is defined in src.conf r323436: boot1: remove BOOT1_MAXSIZE default value r323494: loader should support large_dnode r323496: libstand: tftp_open() can leak pkt on error r323497: libefi: efipart_open should check the status from disk_open r323541: libefi: efipart_realstrategy rsize pointer may be NULL r323554: Increase EFI boot file size frok 128k to 384k r323589: loader: biosmem.c cstyle cleanup r323707: loader: biosmem allocate heap just below 4GB r323867: libefi: devicename.c cleanups r323885: libefi: efi_devpath_match() should return bool r323886: libefi: efipart.c should use calloc() r323895: libefi: efi_devpath_match local len should be unsigned r323896: r323885 did miss efilib.h update r323897: efilib.h: typo in structure member description r323905: libefi: pdinfo_t pd_unit and pd_open should be unsigned r323906: libefi: efipart_strategy() should return ENXIO when there is no media r323907: libefi: efipart.c cstyle fix for efipart_print_common() r323908: libefi: efipart_hdinfo_add_filepath should check strtol result r323909: libefi: define EISA PNP constants r323952: After the r317886 support for TFTP and NFS can be enable simultaneously. r323991: libefi: efipart_floppy() will should not pass acpi pointer if the HID test fails r324099: Compile loader as Little-Endian on PPC64/POWER8 r324558: Define prototype for exit and ensure references r326445: Fix random() and srandom() prototypes to match the standard. r326609: Make putenv and getenv match the userland definition r326610: Fix random() prototype to match the system. PR: 219000 221001 222215 Relnotes: yes ("The length of the geli passphrase is hidden during boot") Changes: _U stable/11/ stable/11/UPDATING stable/11/lib/libstand/Makefile stable/11/lib/libstand/environment.c stable/11/lib/libstand/libstand.3 stable/11/lib/libstand/nfs.c stable/11/lib/libstand/random.c stable/11/lib/libstand/stand.h stable/11/lib/libstand/tftp.c stable/11/sbin/geom/class/eli/geli.8 stable/11/sbin/geom/class/eli/geom_eli.c stable/11/share/mk/src.opts.mk stable/11/sys/boot/Makefile.inc stable/11/sys/boot/arm/uboot/Makefile stable/11/sys/boot/arm/uboot/conf.c stable/11/sys/boot/common/loader.8 stable/11/sys/boot/efi/boot1/Makefile stable/11/sys/boot/efi/boot1/Makefile.fat stable/11/sys/boot/efi/boot1/boot1.c stable/11/sys/boot/efi/boot1/boot_module.h stable/11/sys/boot/efi/boot1/fat-amd64.tmpl.bz2.uu stable/11/sys/boot/efi/boot1/fat-amd64.tmpl.xz stable/11/sys/boot/efi/boot1/fat-arm.tmpl.bz2.uu stable/11/sys/boot/efi/boot1/fat-arm.tmpl.xz stable/11/sys/boot/efi/boot1/fat-arm64.tmpl.bz2.uu stable/11/sys/boot/efi/boot1/fat-arm64.tmpl.xz stable/11/sys/boot/efi/boot1/fat-i386.tmpl.bz2.uu stable/11/sys/boot/efi/boot1/fat-i386.tmpl.xz stable/11/sys/boot/efi/boot1/generate-fat.sh stable/11/sys/boot/efi/boot1/ufs_module.c stable/11/sys/boot/efi/boot1/zfs_module.c stable/11/sys/boot/efi/include/efi.h stable/11/sys/boot/efi/include/efi_driver_utils.h stable/11/sys/boot/efi/include/efi_drivers.h stable/11/sys/boot/efi/include/efiapi.h stable/11/sys/boot/efi/include/efichar.h stable/11/sys/boot/efi/include/efidevp.h stable/11/sys/boot/efi/include/efilib.h stable/11/sys/boot/efi/include/efiprot.h stable/11/sys/boot/efi/include/efizfs.h stable/11/sys/boot/efi/libefi/Makefile stable/11/sys/boot/efi/libefi/devicename.c stable/11/sys/boot/efi/libefi/devpath.c stable/11/sys/boot/efi/libefi/efi_driver_utils.c stable/11/sys/boot/efi/libefi/efichar.c stable/11/sys/boot/efi/libefi/efinet.c stable/11/sys/boot/efi/libefi/efipart.c stable/11/sys/boot/efi/libefi/efizfs.c stable/11/sys/boot/efi/libefi/errno.c stable/11/sys/boot/efi/libefi/libefi.c stable/11/sys/boot/efi/libefi/time.c stable/11/sys/boot/efi/loader/Makefile stable/11/sys/boot/efi/loader/arch/amd64/Makefile.inc stable/11/sys/boot/efi/loader/arch/amd64/trap.c stable/11/sys/boot/efi/loader/arch/i386/Makefile.inc stable/11/sys/boot/efi/loader/bootinfo.c stable/11/sys/boot/efi/loader/conf.c stable/11/sys/boot/efi/loader/devicename.c stable/11/sys/boot/efi/loader/efi_main.c stable/11/sys/boot/efi/loader/loader_efi.h stable/11/sys/boot/efi/loader/main.c stable/11/sys/boot/geli/geliboot.c stable/11/sys/boot/geli/geliboot.h stable/11/sys/boot/geli/geliboot_crypto.c stable/11/sys/boot/geli/geliboot_internal.h stable/11/sys/boot/geli/pwgets.c stable/11/sys/boot/i386/libi386/Makefile stable/11/sys/boot/i386/libi386/biosdisk.c stable/11/sys/boot/i386/libi386/biosmem.c stable/11/sys/boot/i386/libi386/spinconsole.c stable/11/sys/boot/mips/uboot/conf.c stable/11/sys/boot/powerpc/ofw/conf.c stable/11/sys/boot/powerpc/ofw/ofwfdt.c stable/11/sys/boot/powerpc/uboot/conf.c stable/11/sys/boot/userboot/test/test.c stable/11/sys/boot/userboot/userboot/main.c stable/11/sys/boot/userboot/userboot.h stable/11/sys/boot/zfs/zfsimpl.c stable/11/sys/cddl/boot/zfs/zfsimpl.h stable/11/sys/geom/eli/g_eli.c stable/11/sys/geom/eli/g_eli.h stable/11/sys/geom/eli/g_eli_ctl.c stable/11/usr.sbin/bhyveload/bhyveload.c
There is a commit referencing this PR, but it's still not closed and has been inactive for some time. Closing the PR as fixed but feel free to re-open it if the issue hasn't been completely resolved. Thanks