On 06/28/16 14:43, Michael Brown wrote: > On 28/06/16 13:34, Michael Brown wrote: >> On 28/06/16 13:30, Laszlo Ersek wrote: >>> On 06/24/16 06:39, Gary Lin wrote: >>>> It seems that iPXE didn't initialize Scope, so the value was assigned >>>> randomly (sort of). >>>> >>>> diff --git a/src/interface/efi/efi_hii.c b/src/interface/efi/efi_hii.c >>>> index 0ea970e..4b5aa9a 100644 >>>> --- a/src/interface/efi/efi_hii.c >>>> +++ b/src/interface/efi/efi_hii.c >>>> @@ -119,6 +119,7 @@ static void * efi_ifr_op ( struct efi_ifr_builder >>>> *ifr, unsigned int opcode, >>>> /* Fill in opcode header */ >>>> op->OpCode = opcode; >>>> op->Length = len; >>>> + op->Scope = 0; >>>> >>>> return op; >>>> } >>>> >>>> After applying this patch, the crash never happened again. >>> >>> Awesome! Can you please send this patch to ipxe-devel? (Although I can >>> see Michael is on the address list anyway -- good!) >> >> Got it; thank you! >> >> Will check the related code; it may make sense to have efi_ifr_op() >> always zero the whole of the newly allocated space first. > > I think the following patch should fix the problem (and also avoid any > potential uninitialised-data problems in callers of efi_ifr_op()): > > diff --git a/src/interface/efi/efi_hii.c b/src/interface/efi/efi_hii.c > index 0ea970e..506fc88 100644 > --- a/src/interface/efi/efi_hii.c > +++ b/src/interface/efi/efi_hii.c > @@ -117,6 +117,7 @@ static void * efi_ifr_op ( struct efi_ifr_builder > *ifr, unsigned int opcode, > ifr->ops_len = new_ops_len; > > /* Fill in opcode header */ > + memset ( op, 0, len ); > op->OpCode = opcode; > op->Length = len; > > > Please let me know if this works.
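Review bot: the `+ op->Scope = 0;` hunk in Gary's patch fixes only the one field that was observed to be uninitialised; `op` is carved out of newly grown builder space, and nothing else in that space (the remaining header bits and the opcode-specific body that follows the header) is cleared, so any caller of efi_ifr_op() that leaves a field unset still reads whatever was in the buffer. A zeroing of the whole `len` bytes inside efi_ifr_op() covers this field and every other one in the same way.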
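Review bot: in Michael's hunk, `+ memset ( op, 0, len );` clears exactly the `len` bytes that `op->Length = len` describes, so the opcode header and its opcode-specific body are both zeroed before the header fields are written, which also covers the Scope field from Gary's narrower fix. The commit message should record the observable symptom being fixed (the EFI HII crash Gary reproduced, caused by Scope holding leftover data) so that a later reader knows why the memset is there, and it is worth double-checking that `op` always points at freshly extended space only, since the memset touches the full `len` bytes from `op` onward.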
Gary, can you please check this? You seem to have a mostly working reproducer environment for the issue.

Thanks!
Laszlo

_______________________________________________
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel