Bug 1592148 - pxeboot shim crash using newer edk2 firmware
Summary: pxeboot shim crash using newer edk2 firmware
Keywords:
Status: NEW
Alias: None
Product: Fedora
Classification: Fedora
Component: shim-unsigned-aarch64
Version: 29
Hardware: aarch64
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: ---
Assignee: Peter Jones
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: ARMTracker 1603594
 
Reported: 2018-06-17 21:23 UTC by Mark Salter
Modified: 2019-08-21 15:56 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Clones: 1603594
Environment:
Last Closed:


Attachments (Terms of Use)
Patch to move DEFAULT_LOADER_CHAR into writable data section (2.56 KB, patch)
2018-06-17 21:27 UTC, Mark Salter

Description Mark Salter 2018-06-17 21:23:16 UTC
Description of problem:

I have an AMD Seattle board (aarch64) running with fairly new upstream edk2 firmware. Under the right circumstances (alignment, section flags, etc.), this firmware will mark text sections of EFI objects read-only. Trying to install rawhide via pxeboot, I hit the following:

>>Start PXE over IPv4..
  Station IP address is 192.168.0.12

  Server IP address is 192.168.0.1
  NBP filename is pxelinux/bootaa64.efi
  NBP filesize is 858216 Bytes
 Downloading NBP file...

  NBP file downloaded successfully.
Loading driver at 0x083F823B000 EntryPoint=0x083F823C000
Loading driver at 0x083F823B000 EntryPoint=0x083F823C000 


Synchronous Exception at 0x00000083F8243B64
PC 0x0083F8243B64
PC 0x0083F8244468
PC 0x0083F82446FC
PC 0x0083F8241754
PC 0x0083F8241B24
PC 0x0083F8242B4C
PC 0x0083F823C030
PC 0x0083FF624B98 (0x0083FF61E000+0x00006B98) [ 1] DxeCore.dll
PC 0x0083F8315388 (0x0083F82FE000+0x00017388) [ 2] UiApp.dll
PC 0x0083F83218FC (0x0083F82FE000+0x000238FC) [ 2] UiApp.dll
PC 0x0083FB7183B0 (0x0083FB6FC000+0x0001C3B0) [ 3] SetupBrowser.dll
PC 0x0083FB719178 (0x0083FB6FC000+0x0001D178) [ 3] SetupBrowser.dll
PC 0x0083FB6FE064 (0x0083FB6FC000+0x00002064) [ 3] SetupBrowser.dll
PC 0x0083F82FFCE8 (0x0083F82FE000+0x00001CE8) [ 4] UiApp.dll
PC 0x0083F8301538 (0x0083F82FE000+0x00003538) [ 4] UiApp.dll
PC 0x0083F830145C (0x0083F82FE000+0x0000345C) [ 4] UiApp.dll
PC 0x0083F82FF880 (0x0083F82FE000+0x00001880) [ 4] UiApp.dll
PC 0x0083F82FF064 (0x0083F82FE000+0x00001064) [ 4] UiApp.dll
PC 0x0083FF624B98 (0x0083FF61E000+0x00006B98) [ 5] DxeCore.dll
PC 0x0083F86D215C (0x0083F86BC000+0x0001615C) [ 6] BdsDxe.dll
PC 0x0083F86D7E54 (0x0083F86BC000+0x0001BE54) [ 6] BdsDxe.dll
PC 0x0083F86BF360 (0x0083F86BC000+0x00003360) [ 6] BdsDxe.dll
PC 0x0083FF620494 (0x0083FF61E000+0x00002494) [ 7] DxeCore.dll
PC 0x0083FF61F414 (0x0083FF61E000+0x00001414) [ 7] DxeCore.dll
PC 0x0083FF61F024 (0x0083FF61E000+0x00001024) [ 7] DxeCore.dll
[ 1] /home/msalter/work/amd/edk2/Build/Overdrive/DEBUG_GCC49/AARCH64/MdeModulePkg/Core/Dxe/DxeMain/DEBUG/DxeCore.dll
[ 2] /home/msalter/work/amd/edk2/Build/Overdrive/DEBUG_GCC49/AARCH64/MdeModulePkg/Application/UiApp/UiApp/DEBUG/UiApp.dll
[ 3] /home/msalter/work/amd/edk2/Build/Overdrive/DEBUG_GCC49/AARCH64/MdeModulePkg/Universal/SetupBrowserDxe/SetupBrowserDxe/DEBUG/SetupBrowser.dll
[ 4] /home/msalter/work/amd/edk2/Build/Overdrive/DEBUG_GCC49/AARCH64/MdeModulePkg/Application/UiApp/UiApp/DEBUG/UiApp.dll
[ 5] /home/msalter/work/amd/edk2/Build/Overdrive/DEBUG_GCC49/AARCH64/MdeModulePkg/Core/Dxe/DxeMain/DEBUG/DxeCore.dll
[ 6] /home/msalter/work/amd/edk2/Build/Overdrive/DEBUG_GCC49/AARCH64/MdeModulePkg/Universal/BdsDxe/BdsDxe/DEBUG/BdsDxe.dll
[ 7] /home/msalter/work/amd/edk2/Build/Overdrive/DEBUG_GCC49/AARCH64/MdeModulePkg/Core/Dxe/DxeMain/DEBUG/DxeCore.dll

  X0 0x00000083F82B2718   X1 0x000000000000002F   X2 0x0000000000000000   X3 0x00000083F82DE700
  X4 0x0000000000000030   X5 0x0000000000000000   X6 0x00000083FF6479B0   X7 0x0000000000000000
  X8 0x00000083FC01F588   X9 0x0000000200000000  X10 0x00000083F8410000  X11 0x00000083F8410FFF
 X12 0x0000000000000000  X13 0x000000000000000E  X14 0x0000000000000403  X15 0x000000000009FE90
 X16 0x00000083FF61D800  X17 0x0000000000000000  X18 0x0000000000000000  X19 0x0000000000000013
 X20 0x0000000000000000  X21 0x0000000000000000  X22 0x0000000000000000  X23 0x0000000000000000
 X24 0x0000000000000000  X25 0x0000000000000000  X26 0x0000000000000000  X27 0x0000000000000000
 X28 0x0000000000000000   FP 0x00000083FF61D5E0   LR 0x00000083F8244468  

  V0 0xAFAFAFAFAFAFAFAF AFAFAFAFAFAFAFAF   V1 0x6D6D732F626D732F 0000000000003030
  V2 0x0000000000003030 3030306330654075   V3 0x0000000100000001 0000000000000000
  V4 0x0000000000000000 0000000000000000   V5 0x4010040140100401 4010040140100401
  V6 0x0000000001010000 0000000001010000   V7 0x0000040C00020000 0000000000000000
  V8 0x0000000000000000 00400000A0000000   V9 0x0000000000000000 0000000000000090
 V10 0x0000000000000000 0000000000000000  V11 0x0000000000000000 0000000000000000
 V12 0x0000000000000000 0000000000002080  V13 0x0000000000000000 0040000008000000
 V14 0x0000000000000000 0001000010010000  V15 0x0000000000000000 0000000010000000
 V16 0x0000010000022800 8000000000001034  V17 0x0102000008000000 0000010808000000
 V18 0x2141800101600000 0002000000000000  V19 0x8802044600000200 0000800000000000
 V20 0x4A18000000400800 0000000000002000  V21 0x0001800801200004 0000000800000000
 V22 0x8000C84202020000 0000000000400000  V23 0x0422000110804200 0000030080000000
 V24 0x0000000000004000 0000000000000000  V25 0x0000043008000100 0000000000000000
 V26 0x84000C2A00000010 0000000000800000  V27 0x1073012400006000 0000000080800000
 V28 0x0010000000000100 0000020000000000  V29 0x4108000000404220 0000000400200808
 V30 0x2023040300000000 0800000000840000  V31 0x2251660200000000 0000000000000000

  SP 0x00000083FF61D5C0  ELR 0x00000083F8243B64  SPSR 0x60000209  FPSR 0x00000000
 ESR 0x9600004F          FAR 0x00000083F82B2718

 ESR : EC 0x25  IL 0x1  ISS 0x0000004F

Data abort: Permission fault, third level

So the firmware loads the shim and jumps to its entry point, and it eventually hits the permission fault. The backtrace for the shim looks like:

  Synchronous Exception at 0x00000083F8243B64
  PC 0x0083F8243B64 in translate_slashes
  PC 0x0083F8244468 in parseDhcp4
  PC 0x0083F82446FC in parseNetbootinfo
  PC 0x0083F8241754 in start_image
  PC 0x0083F8241B24 in init_grub
  PC 0x0083F8242B4C in efi_main
  PC 0x0083F823C030 in _start

translate_slashes is passed DEFAULT_LOADER_CHAR, which is a string literal that translate_slashes then tries to write into, causing the permission fault.


Version-Release number of selected component (if applicable):


How reproducible:
100%

Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

The code which writes to a string literal has been around in shim for a while now. The other piece of the puzzle was a change to gnu-efi which split text and data into separate sections and set text read-only flags. This went into gnu-efi 3.0.6, so only those shims built with gnu-efi-3.0.6 or later have their text section read-only.
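
The gnu-efi change described above is visible in the PE/COFF section table of the shim binary: a pre-3.0.6 build carries code and data in one section with the write bit set, a 3.0.6 or later build has a .text section without it. The following is an added example, not code from shim, gnu-efi or edk2: a small C walker over the section table that reports whether any code section is writable, exercised on a constructed header-only sample image in both layouts (the sample bytes, section names and the function names are constructed for illustration; the characteristic bit values are from the PE/COFF specification).

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not code from shim, gnu-efi or edk2: walks the PE/COFF
 * section table of an EFI image and reports whether any code section is
 * flagged writable.  gnu-efi < 3.0.6 emits one RWX section; 3.0.6 and later
 * split .text from .data and leave the write bit off .text, which is the
 * layout the firmware in the report enforces with page permissions. */

#define IMAGE_SCN_CNT_CODE             0x00000020u
#define IMAGE_SCN_CNT_INITIALIZED_DATA 0x00000040u
#define IMAGE_SCN_MEM_EXECUTE          0x20000000u
#define IMAGE_SCN_MEM_READ             0x40000000u
#define IMAGE_SCN_MEM_WRITE            0x80000000u

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(uint8_t *p, uint32_t v)
{
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}

/* Returns 1 if a section with CODE/EXECUTE set also has MEM_WRITE set,
 * 0 if every code section is read-only, -1 if the image does not parse. */
int pe_has_writable_code(const uint8_t *img, size_t len)
{
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z')
        return -1;
    uint32_t pe_off = rd32(img + 0x3c);                      /* e_lfanew */
    if (pe_off > len - 24 || memcmp(img + pe_off, "PE\0\0", 4) != 0)
        return -1;
    const uint8_t *coff = img + pe_off + 4;                  /* 20-byte COFF header */
    uint16_t nsec = rd16(coff + 2);                          /* NumberOfSections */
    uint16_t opt_size = rd16(coff + 16);                     /* SizeOfOptionalHeader */
    size_t sec_off = (size_t)pe_off + 4 + 20 + opt_size;     /* section table */
    if (sec_off + (size_t)nsec * 40 > len)
        return -1;
    int writable_code = 0;
    for (uint16_t i = 0; i < nsec; i++) {
        const uint8_t *s = img + sec_off + (size_t)i * 40;  /* 40-byte entry */
        char name[9];
        memcpy(name, s, 8);
        name[8] = '\0';
        uint32_t c = rd32(s + 36);                           /* Characteristics */
        int code = (c & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE)) != 0;
        printf("%-8s %s%s%s\n", name, code ? "X" : "-",
               (c & IMAGE_SCN_MEM_READ) ? "R" : "-", (c & IMAGE_SCN_MEM_WRITE) ? "W" : "-");
        if (code && (c & IMAGE_SCN_MEM_WRITE))
            writable_code = 1;
    }
    return writable_code;
}

/* Constructed sample, not a real shim: headers only (no optional header, no
 * section contents), just enough for the walk above.  split_text_data == 0
 * builds the old single RWX section, 1 builds the split .text/.data layout. */
size_t build_sample(uint8_t *buf, int split_text_data)
{
    memset(buf, 0, 168);
    buf[0] = 'M'; buf[1] = 'Z';
    buf[0x3c] = 0x40;                                        /* e_lfanew = 0x40 */
    memcpy(buf + 0x40, "PE\0\0", 4);
    uint8_t *coff = buf + 0x44;
    coff[0] = 0x64; coff[1] = 0xaa;                          /* IMAGE_FILE_MACHINE_ARM64 */
    coff[2] = 2;                                             /* two sections */
    uint8_t *sec = buf + 0x44 + 20;
    if (split_text_data) {
        memcpy(sec, ".text", 5);
        wr32(sec + 36, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ);
        memcpy(sec + 40, ".data", 5);
        wr32(sec + 76, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE);
    } else {
        memcpy(sec, ".text", 5);                             /* code and data together */
        wr32(sec + 36, IMAGE_SCN_CNT_CODE | IMAGE_SCN_CNT_INITIALIZED_DATA |
                       IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE);
        memcpy(sec + 40, ".reloc", 6);
        wr32(sec + 76, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ);
    }
    return 168;
}

/* 1 means code is writable (old layout), 0 means .text is read-only. */
int sample_has_writable_code(int split_text_data)
{
    uint8_t img[168];
    size_t len = build_sample(img, split_text_data);
    return pe_has_writable_code(img, len);
}

int main(void)
{
    printf("old layout writable code: %d\n", sample_has_writable_code(0));
    printf("new layout writable code: %d\n", sample_has_writable_code(1));
    return 0;
}
```

To check a real bootaa64.efi, read the file into a buffer and call pe_has_writable_code on it; `objdump -h` shows the same flags (CODE, DATA, READONLY) where the installed binutils knows the pei-aarch64 target. Note the caveat from the description: the section flags are only one input, and whether the firmware actually applies them as page permissions also depends on the image's section alignment.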

Comment 1 Mark Salter 2018-06-17 21:27:17 UTC
Created attachment 1452455
Patch to move DEFAULT_LOADER_CHAR into writable data section

Here's a patch which fixes the problem for me.
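
The fix the attachment describes, moving DEFAULT_LOADER_CHAR into the writable data section, comes down to how the string is declared. The following is an added example in C, not shim's code and not the attached patch: translate_slashes and the loader path are modelled on what the report describes (the path value and the function and variable names are placeholders), showing the pointer-to-literal pattern that faults next to the array form that lands in .data, plus a variant that never writes to the caller's storage at all.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Added example, not shim's code.  The reported fault is a write into a
 * string literal: translate_slashes rewrites the path it is handed in place,
 * and DEFAULT_LOADER_CHAR is a literal whose bytes live in read-only storage
 * (.rodata, folded into the read-only .text of a gnu-efi >= 3.0.6 image).
 * The path value is a placeholder, not shim's actual default loader. */

/* In-place '/' -> '\\' rewrite, a model of what the report says
 * translate_slashes does (not the shim function itself). */
static void translate_slashes(char *path)
{
    for (char *p = path; *p; p++)
        if (*p == '/')
            *p = '\\';
}

/* Broken: a pointer to a literal.  Passing this to translate_slashes is
 * undefined behaviour in C and, under firmware that honours the section
 * flags, a data-abort permission fault like the one in the report.
 * Deliberately only ever read here, never written. */
static char *default_loader_literal = "/EFI/example/loader.efi";

/* Fixed: an array initialiser copies the bytes into writable .data, which
 * is what moving DEFAULT_LOADER_CHAR into the data section achieves. */
static char default_loader_data[] = "/EFI/example/loader.efi";

/* Alternative fix: leave the caller's storage alone and translate into a
 * buffer the caller owns.  Returns 0, or -1 if the result would not fit. */
int translate_slashes_copy(char *dst, size_t dstlen, const char *src)
{
    size_t n = strlen(src);
    if (n + 1 > dstlen)
        return -1;
    for (size_t i = 0; i <= n; i++)              /* <= copies the terminator */
        dst[i] = (src[i] == '/') ? '\\' : src[i];
    return 0;
}

/* Writes into .data, so no fault; returns the translated path. */
const char *fixed_by_data_section(void)
{
    translate_slashes(default_loader_data);
    return default_loader_data;
}

int main(void)
{
    char buf[64];
    printf("literal (left untouched): %s\n", default_loader_literal);
    printf("array in .data, translated: %s\n", fixed_by_data_section());
    if (translate_slashes_copy(buf, sizeof buf, "/EFI/example/other.efi") == 0)
        printf("copied and translated:      %s\n", buf);
    return 0;
}
```

Building with `-Wwrite-strings` gives string literals the type `const char[]`, so the `char *default_loader_literal = "..."` initialiser is diagnosed at compile time rather than discovered as a synchronous exception on the first firmware that maps .text read-only.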

Comment 2 Jan Kurik 2018-08-14 10:29:35 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 29 development cycle.
Changing version to '29'.

Comment 3 Adam Williamson 2019-08-20 23:11:39 UTC
This still happening for you, Mark? Because I'm just setting up PXE install testing in openQA and it seems to be happening to me there - x86_64 BIOS and UEFI tests and ppc64 test work OK, aarch64 test blows up with 'Synchronous Exception'...

Comment 4 Mark Salter 2019-08-21 15:56:25 UTC
Yes, still happening.

