Occasionally crashes in _relocate() on arm64

Bug #1928010 reported by dann frazier on 2021-05-10
Affects          Status  Importance  Assigned to  Milestone
shim             New     Unknown
shim (Ubuntu)            Undecided   Unassigned

Bug Description

If I put a hirsute guest in a reboot loop, I find it will eventually crash:

[Bds]Booting ubuntu
FSOpen: Open '\EFI\ubuntu\shimaa64.efi' Success
[Bds] Expand HD(15,GPT,F3395D88-1F07-48B3-AF35-4BF4BC88021F,0x800,0x31801)/\EFI\ubuntu\shimaa64.efi -> PciRoot(0x0)/Pci(0x1,0x2)/Pci(0x0,0x0)/Scsi(0x0,0x0)/HD(15,GPT,F3395D88-1F07-48B3-AF35-4BF4BC88021F,0x800,0x31801)/\EFI\ubuntu\shimaa64.efi
BdsDxe: loading Boot0004 "ubuntu" from HD(15,GPT,F3395D88-1F07-48B3-AF35-4BF4BC88021F,0x800,0x31801)/\EFI\ubuntu\shimaa64.efi
[Security] 3rd party image[0] can be loaded after EndOfDxe: PciRoot(0x0)/Pci(0x1,0x2)/Pci(0x0,0x0)/Scsi(0x0,0x0)/HD(15,GPT,F3395D88-1F07-48B3-AF35-4BF4BC88021F,0x800,0x31801)/\EFI\ubuntu\shimaa64.efi.
InstallProtocolInterface: 5B1B31A1-9562-11D2-8E3F-00A0C969723B BE014040
Loading driver at 0x000BB92E000 EntryPoint=0x000BB92F000
Loading driver at 0x000BB92E000 EntryPoint=0x000BB92F000
InstallProtocolInterface: BC62157E-3E33-4FEC-9920-2D3B36D750DF BE00D918
ProtectUefiImageCommon - 0xBE014040
  - 0x00000000BB92E000 - 0x00000000000CB000
SetUefiImageMemoryAttributes - 0x00000000BB92E000 - 0x0000000000001000 (0x0000000000004008)
SetUefiImageMemoryAttributes - 0x00000000BB92F000 - 0x0000000000065000 (0x0000000000020008)
SetUefiImageMemoryAttributes - 0x00000000BB994000 - 0x0000000000065000 (0x0000000000004008)
BdsDxe: starting Boot0004 "ubuntu" from HD(15,GPT,F3395D88-1F07-48B3-AF35-4BF4BC88021F,0x800,0x31801)/\EFI\ubuntu\shimaa64.efi

Synchronous Exception at 0x00000000BB9934A8

Synchronous Exception at 0x00000000BB9934A8
PC 0x0000BB9934A8
PC 0x0000BB92F024
PC 0x0000BF56D8A4 (0x0000BF566000+0x000078A4) [ 1] DxeCore.dll
PC 0x0000BF12DC98 (0x0000BF11C000+0x00011C98) [ 2] BdsDxe.dll
PC 0x0000BF11E184 (0x0000BF11C000+0x00002184) [ 2] BdsDxe.dll
PC 0x0000BF11F89C (0x0000BF11C000+0x0000389C) [ 2] BdsDxe.dll
PC 0x0000BF568A38 (0x0000BF566000+0x00002A38) [ 3] DxeCore.dll
PC 0x0000BF567A08 (0x0000BF566000+0x00001A08) [ 3] DxeCore.dll
PC 0x0000BF567024 (0x0000BF566000+0x00001024) [ 3] DxeCore.dll
[ 1] /home/dannf/edk2/Build/ArmVirtQemu-AARCH64/DEBUG_GCC49/AARCH64/MdeModulePkg/Core/Dxe/DxeMain/DEBUG/DxeCore.dll
[ 2] /home/dannf/edk2/Build/ArmVirtQemu-AARCH64/DEBUG_GCC49/AARCH64/MdeModulePkg/Universal/BdsDxe/BdsDxe/DEBUG/BdsDxe.dll
[ 3] /home/dannf/edk2/Build/ArmVirtQemu-AARCH64/DEBUG_GCC49/AARCH64/MdeModulePkg/Core/Dxe/DxeMain/DEBUG/DxeCore.dll

  X0 0x00000000BB92E000 X1 0x00000000BB9DC580 X2 0x00000000BB9F88B8 X3 0x0000000000000018
  X4 0x0000000000000748 X5 0x0000000000294B30 X6 0x00000000BF595D50 X7 0x00000000BF143350
  X8 0x0074006E00750062 X9 0x00680073005C0075 X10 0x0073005C00750074 X11 0x0061006D00690068
 X12 0x002E003400360061 X13 0x0000006900660065 X14 0x040402021F0288BC X15 0x00460045005C0036
 X16 0x00000000BF565BA0 X17 0x0000000000000000 X18 0x0000000000000000 X19 0x0000000000000013
 X20 0x0000000000000000 X21 0x0000000000000000 X22 0x0000000000000000 X23 0x0000000000000000
 X24 0x0000000000000000 X25 0x0000000000000000 X26 0x0000000000000000 X27 0x0000000000000000
 X28 0x0000000000000000 FP 0x00000000BF565B80 LR 0x00000000BB92F024

  V0 0xAFAFAFAFAFAFAFAF AFAFAFAFAFAFAFAF V1 0x63702F6666666666 6666666666666666
  V2 0x7363732F322C3140 6567646972622D69 V3 0x0000000000000000 0000000000000000
  V4 0x0000000000100000 0000000000000000 V5 0x4010040140100401 4010040140100401
  V6 0x0010000000000000 0010000000000000 V7 0x0000000000000000 0000000000000000
  V8 0x0000000000000000 0000000000000000 V9 0x0000000000000000 0000000000000000
 V10 0x0000000000000000 0000000000000000 V11 0x0000000000000000 0000000000000000
 V12 0x0000000000000000 0000000000000000 V13 0x0000000000000000 0000000000000000
 V14 0x0000000000000000 0000000000000000 V15 0x0000000000000000 0000000000000000
 V16 0x0000000000000000 0000000000000000 V17 0x0000000000000000 0000000000000000
 V18 0x0000000000000000 0000000000000000 V19 0x0000000000000000 0000000000000000
 V20 0x0000000000000000 0000000000000000 V21 0x0000000000000000 0000000000000000
 V22 0x0000000000000000 0000000000000000 V23 0x0000000000000000 0000000000000000
 V24 0x0000000000000000 0000000000000000 V25 0x0000000000000000 0000000000000000
 V26 0x0000000000000000 0000000000000000 V27 0x0000000000000000 0000000000000000
 V28 0x0000000000000000 0000000000000000 V29 0x0000000000000000 0000000000000000
 V30 0x0000000000000000 0000000000000000 V31 0x0000000000000000 0000000000000000

  SP 0x00000000BF565B80 ELR 0x00000000BB9934A8 SPSR 0x60000205 FPSR 0x00000000
 ESR 0x9600004F FAR 0x00000000BBBC2B30

 ESR : EC 0x25 IL 0x1 ISS 0x0000004F

Data abort: Permission fault, third level

Stack dump:
  00000BF565A80: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
  00000BF565AA0: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
  00000BF565AC0: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
  00000BF565AE0: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
  00000BF565B00: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
  00000BF565B20: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
  00000BF565B40: 0000000000000000 0000000000000000 00000000BF1E9BFC 0000000020000304
  00000BF565B60: 0000000000000000 000000009600004F 00000000BBBC2B30 00000000BF56D87C
> 00000BF565B80: 00000000BF565BA0 00000000BF56D8A4 00000000BE00D298 00000000BF520018
  00000BF565BA0: 00000000BF565C10 00000000BF12DC98 00000000B2D05E00 00000000BDF85060
  00000BF565BC0: 00000000BDF85068 00000000BE00D298 0000000000000000 00000000BF14A258
  00000BF565BE0: 00000000BE014018 00000000BF5B33C0 0000000000000111 00000000BE00D298
  00000BF565C00: 00000000BF14A508 0000000000000000 00000000BF565C90 00000000BF11E184
  00000BF565C20: 00000000BDF82018 00000000BDF85018 0004000201565CB8 00000000BE00D298
  00000BF565C40: 00000000BE014040 00000000BE48D718 00000000000CD148 00000000BF14A258
  00000BF565C60: 0000000000000000 0000000000000004 0000000000000000 00000000BF11E0D4
ASSERT [ArmCpuDxe] /home/dannf/edk2/ArmPkg/Library/DefaultExceptionHandlerLib/AArch64/DefaultExceptionHandler.c(273): ((BOOLEAN)(0==1))

dann frazier (dannf) wrote :

By attaching gdb to the guest, I believe I've identified where it's crashing. The executing frame appears to be in the _relocate() function:

reloc_aarch64.c:_relocate()
   case R_AARCH64_RELATIVE:
    addr = (unsigned long *)
     (ldbase + rel->r_offset);
    *addr = ldbase + rel->r_addend;
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    break;

   default:

The previous address points to the following code, which suggests my addresses are sane:
crt0-efi-aarch64.S:
 adrp x1, _DYNAMIC
 add x1, x1, #:lo12:_DYNAMIC
 bl _relocate
                 ^^^^^^^^^
 cbnz x0, 0f
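To make the fault fields in the quoted log easier to check, here is an added Python helper (not from the report, edk2 or shim) that parses the SetUefiImageMemoryAttributes and ESR/FAR lines, decodes the data-abort syndrome, and locates an address against the logged image sections. The log excerpt is constructed from the lines quoted above; EFI_MEMORY_RO and EFI_MEMORY_XP are the UEFI specification attribute values, and the ESR field layout follows the Arm architecture reference.

```python
import re

# Constructed excerpt of the ArmVirtQemu debug log quoted in this report
# (only the lines the checker needs).
LOG = """\
ProtectUefiImageCommon - 0xBE014040
  - 0x00000000BB92E000 - 0x00000000000CB000
SetUefiImageMemoryAttributes - 0x00000000BB92E000 - 0x0000000000001000 (0x0000000000004008)
SetUefiImageMemoryAttributes - 0x00000000BB92F000 - 0x0000000000065000 (0x0000000000020008)
SetUefiImageMemoryAttributes - 0x00000000BB994000 - 0x0000000000065000 (0x0000000000004008)
 ESR 0x9600004F FAR 0x00000000BBBC2B30
"""

EFI_MEMORY_XP = 0x4000    # UEFI spec attribute: execute-protect (no execute)
EFI_MEMORY_RO = 0x20000   # UEFI spec attribute: read-only (no write)

def parse_log(text):
    """Pull the image range, per-section attributes and fault registers from the log."""
    hexes = lambda s: [int(h, 16) for h in re.findall(r"0x([0-9A-Fa-f]+)", s)]
    info = {"image": None, "sections": [], "esr": None, "far": None}
    for line in text.splitlines():
        if line.startswith("  - 0x"):                      # image base and size
            base, size = hexes(line)
            info["image"] = (base, base + size)
        elif line.startswith("SetUefiImageMemoryAttributes"):
            base, size, attrs = hexes(line)
            info["sections"].append((base, base + size, attrs))
        elif "ESR" in line and "FAR" in line:
            info["esr"], info["far"] = hexes(line)
    return info

def decode_esr(esr):
    """Decode the exception-class, write flag and data fault status code of an ESR."""
    ec, iss = (esr >> 26) & 0x3F, esr & 0x1FFFFFF
    dfsc = iss & 0x3F
    kind = {0x0: "address size", 0x4: "translation",
            0x8: "access flag", 0xC: "permission"}.get(dfsc & 0x3C)
    return {"ec": ec,
            "data_abort": ec in (0x24, 0x25),    # 0x24 lower EL, 0x25 same EL
            "write": bool(iss & (1 << 6)),       # WnR bit
            "fault": f"{kind} fault, level {dfsc & 0x3}" if kind else f"DFSC {dfsc:#x}"}

def locate(addr, info):
    """Report which protected section holds addr, or whether it is inside the image at all."""
    for base, end, attrs in info["sections"]:
        if base <= addr < end:
            return {"section": (base, end), "writable": not attrs & EFI_MEMORY_RO,
                    "executable": not attrs & EFI_MEMORY_XP}
    lo, hi = info["image"]
    return {"section": None, "inside_image": lo <= addr < hi}

def explain_fault(text):
    """Combine the decoded ESR with the location of the faulting address (FAR)."""
    info = parse_log(text)
    return {**decode_esr(info["esr"]), "far": info["far"], **locate(info["far"], info)}
```

Running it on the quoted values reports a write permission fault at level 3 whose FAR lies outside the 0xBB92E000..0xBB9F9000 image range, while the faulting PC sits in the read-only, executable section at 0xBB92F000.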

Changed in shim:
status: Unknown → New
dann frazier (dannf) wrote :

FYI, there's a patch posted upstream that looks promising:
  https://github.com/rhboot/shim/issues/371#issuecomment-862170542
