authorPatrick Wildt <patrick@cvs.openbsd.org>2020-09-01 18:03:10 +0000
committerPatrick Wildt <patrick@cvs.openbsd.org>2020-09-01 18:03:10 +0000
commit47b04ba844e4e6e3e64d675f60a4e224fa72675f (patch)
tree70b03ce927aa9ec30524bce2d8b4c6dfb84039d8
parent5596798744d6d902e9ef0c5321d0ce9a1ed38523 (diff)
Fix write un-protecting of kernel memory. p was used uninitialized
at the beginning of the loop. We need to use cr3 at the start of each iteration for the top level page directory. From and ok sf@
-rw-r--r--sys/arch/amd64/stand/efiboot/conf.c4
-rw-r--r--sys/arch/amd64/stand/efiboot/exec_i386.c8
2 files changed, 6 insertions, 6 deletions
diff --git a/sys/arch/amd64/stand/efiboot/conf.c b/sys/arch/amd64/stand/efiboot/conf.c
index 07992878d60..cd6f7b56f74 100644
--- a/sys/arch/amd64/stand/efiboot/conf.c
+++ b/sys/arch/amd64/stand/efiboot/conf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: conf.c,v 1.30 2020/08/27 16:54:23 patrick Exp $ */
+/* $OpenBSD: conf.c,v 1.31 2020/09/01 18:03:09 patrick Exp $ */
/*
* Copyright (c) 1996 Michael Shalayeff
@@ -40,7 +40,7 @@
#include "efidev.h"
#include "efipxe.h"
-const char version[] = "3.53";
+const char version[] = "3.54";
#ifdef EFI_DEBUG
int debug = 0;
diff --git a/sys/arch/amd64/stand/efiboot/exec_i386.c b/sys/arch/amd64/stand/efiboot/exec_i386.c
index 38f6560c5e6..dc83302a17b 100644
--- a/sys/arch/amd64/stand/efiboot/exec_i386.c
+++ b/sys/arch/amd64/stand/efiboot/exec_i386.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: exec_i386.c,v 1.4 2020/08/27 16:54:23 patrick Exp $ */
+/* $OpenBSD: exec_i386.c,v 1.5 2020/09/01 18:03:09 patrick Exp $ */
/*
* Copyright (c) 1997-1998 Michael Shalayeff
@@ -248,9 +248,9 @@ protect_writeable(uint64_t addr, size_t len)
for (addr &= ~(uint64_t)PAGE_MASK; addr < end; addr += PAGE_SIZE) {
idx = (addr & L4_MASK) >> L4_SHIFT;
- if ((p[idx] & PG_RW) == 0)
- p[idx] |= PG_RW;
- if (p[idx] & PG_PS)
+ if ((cr3[idx] & PG_RW) == 0)
+ cr3[idx] |= PG_RW;
+ if (cr3[idx] & PG_PS)
continue;
p = (uint64_t *)(cr3[idx] & PG_FRAME);
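Review bot: Nothing in this hunk tests the present bit before the top-level entry is modified and followed, so for an `addr` whose L4 slot is not mapped, `cr3[idx] |= PG_RW` edits a non-present entry and `p = (uint64_t *)(cr3[idx] & PG_FRAME)` takes its next table address from that entry. A guard such as `if ((cr3[idx] & PG_V) == 0) continue;` ahead of the `PG_RW` test would keep the walk on mapped entries only, assuming `PG_V` is available from the same pte header that supplies `PG_RW`. Because the bug being fixed was `p` being read before this assignment, a comment on the loop such as `/* cr3 is the top-level table; p is valid only after the L4 step below */` would make the ordering explicit. The loop body and the rest of protect_writeable continue outside the hunk, so any presence check or TLB flush further down is not visible from here.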