
bti instruction is removed in release version #124314

Open
ggj-1213 opened this issue Apr 24, 2024 · 5 comments
Labels
A-target-feature Area: Enabling/disabling target features like AVX, Neon, etc. C-bug Category: This is a bug. O-AArch64 Armv8-A or later processors in AArch64 mode PG-exploit-mitigations Project group: Exploit mitigations T-compiler Relevant to the compiler team, which will review and decide on the PR/issue.

Comments

@ggj-1213

ggj-1213 commented Apr 24, 2024

When using aarch64-unknown-uefi to build the release version of the efi file, some bti instructions are removed, but there are still indirect jumps to the location of the removed bti instructions, such as 'BLR X8'.

I tried this code:

#![no_main]
#![no_std]

use log::error;
use uefi::prelude::*;

#[entry]
fn main(_image_handle: Handle, mut system_table: SystemTable<Boot>) -> Status {
    uefi_services::init(&mut system_table).unwrap();
    error!("Hello world!"); // A BTI fault occurs here
    Status::SUCCESS
}

.cargo/config.toml

[build]
rustflags = ["-C", "target-feature=+bti", "-Z", "branch-protection=pac-ret"]

Cargo.toml

[package]
name = "helloworld"
version = "0.1.0"
edition = "2021"

[dependencies]
log = "0.4.21"
uefi = "0.27.0"
uefi-services = "0.24.0"

and I build it:

cargo +nightly build -Z build-std=core --target aarch64-unknown-uefi -v --release

rustc --version --verbose:

rustc 1.79.0-nightly (becebb315 2024-04-17)
binary: rustc
commit-hash: becebb3158149a115cad8a402612e25436a7e37b
commit-date: 2024-04-17
host: x86_64-unknown-linux-gnu
release: 1.79.0-nightly
LLVM version: 18.1.3

When I run the UEFI image on the board, a BTI FAULT occurs:

Synchronous Exception at 0x00000000484F6620
[ 6824.086000s][cpu10]PC 0x0000484F6620
[ 6824.090000s][cpu10]PC 0x0000484F67DC
......
  SP 0x000000004FFFF920  ELR 0x00000000484F6620  SPSR 0x20000A05  FPSR 0x00000000
 ESR 0x36000002          FAR 0x0000000000000000
[ 6824.353000s][cpu10]
 ESR : EC 0x0D  IL 0x1  ISS 0x00000002
[ 6824.359000s][cpu10]
 BTI FAULT 

When I disassembled the efi file, I found that there was no BTI instruction in the malfunctioning function.

.text:0000000000010D28 ; =============== S U B R O U T I N E =======================================
.text:0000000000010D28
.text:0000000000010D28
.text:0000000000010D28 ; enum2$<core::result::Result<tuple$<>,core::fmt::Error> > __fastcall _$LT$core..fmt..Arguments$u20$as$u20$core..fmt..Display$GT$::fmt::h76fbca317d479d82(core::fmt::Arguments *, core::fmt::Formatter *)
.text:0000000000010D28 _ZN59_$LT$core..fmt..Arguments$u20$as$u20$core..fmt..Display$GT$3fmt17h76fbca317d479d82E
.text:0000000000010D28                                         ; DATA XREF: _$LT$uefi..logger..Logger$u20$as$u20$log..Log$GT$::log::h16683d6aedc884e0+6C↓o
.text:0000000000010D28                                         ; _$LT$uefi..logger..Logger$u20$as$u20$log..Log$GT$::log::h16683d6aedc884e0+70↓o ...
.text:0000000000010D28                 LDP             X8, X1, [X1,#0x20]
.text:0000000000010D2C                 MOV             X2, X0
.text:0000000000010D30                 MOV             X0, X8
.text:0000000000010D34                 B               _ZN4core3fmt5write17hb9190e43e7d87d8fE ; core::fmt::write::hb9190e43e7d87d8f
.text:0000000000010D34 ; End of function _$LT$core..fmt..Arguments$u20$as$u20$core..fmt..Display$GT$::fmt::h76fbca317d479d82
.text:0000000000010D34
.text:0000000000010D38
.text:0000000000010D38 ; =============== S U B R O U T I N E =======================================

The indirect jump function is as follows. I don't remember which BLR X8 instruction jumps to the function above.

.text:0000000000010D38 ; =============== S U B R O U T I N E =======================================
.text:0000000000010D38
.text:0000000000010D38
.text:0000000000010D38 ; enum2$<core::result::Result<tuple$<>,core::fmt::Error> > __fastcall core::fmt::write::hb9190e43e7d87d8f(ref_mut$<dyn$<core::fmt::Write> >, core::fmt::Arguments)
.text:0000000000010D38 _ZN4core3fmt5write17hb9190e43e7d87d8fE  ; CODE XREF: core::fmt::Formatter::write_fmt+C↑j
.text:0000000000010D38                                         ; _$LT$core..fmt..Arguments$u20$as$u20$core..fmt..Display$GT$::fmt::h76fbca317d479d82+C↑j ...
.text:0000000000010D38
.text:0000000000010D38 var_90          = -0x90
.text:0000000000010D38 var_80          = -0x80
.text:0000000000010D38 var_78          = -0x78
.text:0000000000010D38 var_70          = -0x70
.text:0000000000010D38 var_68          = -0x68
.text:0000000000010D38 var_60          = -0x60
.text:0000000000010D38 var_58          = -0x58
.text:0000000000010D38 var_50          = -0x50
.text:0000000000010D38 var_40          = -0x40
.text:0000000000010D38 var_30          = -0x30
.text:0000000000010D38 var_20          = -0x20
.text:0000000000010D38 var_10          = -0x10
.text:0000000000010D38
.text:0000000000010D38                 HINT            #0x19
.text:0000000000010D3C                 SUB             SP, SP, #0x90
.text:0000000000010D40                 STP             X20, X19, [SP,#0x90+var_10]
.text:0000000000010D44                 LDR             X20, [X2,#0x20]
.text:0000000000010D48                 MOV             W8, #0x20
.text:0000000000010D4C                 MOV             W9, #3
.text:0000000000010D50                 STP             X30, X27, [SP,#0x90+var_50]
.text:0000000000010D54                 STP             X26, X25, [SP,#0x90+var_40]
.text:0000000000010D58                 STP             X24, X23, [SP,#0x90+var_30]
.text:0000000000010D5C                 STP             X22, X21, [SP,#0x90+var_20]
.text:0000000000010D60                 STP             X1, X8, [SP,#0x90+var_68]
.text:0000000000010D64                 STRB            W9, [SP,#0x90+var_58]
.text:0000000000010D68                 STR             XZR, [SP,#0x90+var_90]
.text:0000000000010D6C                 STR             XZR, [SP,#0x90+var_80]
.text:0000000000010D70                 STR             X0, [SP,#0x90+var_70]
.text:0000000000010D74                 CBZ             X20, loc_10E1C
.text:0000000000010D78                 LDR             X8, [X2,#0x28]
.text:0000000000010D7C                 LDP             X22, X23, [X2]
.text:0000000000010D80                 LDP             X19, X21, [X2,#0x10]
.text:0000000000010D84                 LSL             X9, X8, #6
.text:0000000000010D88                 AND             X24, X8, #0x1FFFFFFFFFFFFFFF
.text:0000000000010D8C                 ADD             X26, X22, #8
.text:0000000000010D90                 SUB             X25, X9, X8,LSL#3
.text:0000000000010D94
.text:0000000000010D94 loc_10D94                               ; CODE XREF: core::fmt::write::hb9190e43e7d87d8f+DC↓j
.text:0000000000010D94                 CBZ             X25, loc_10E70
.text:0000000000010D98                 LDR             X2, [X26]
.text:0000000000010D9C                 CBZ             X2, loc_10DB4
.text:0000000000010DA0                 LDP             X0, X8, [SP,#0x90+var_70]
.text:0000000000010DA4                 LDUR            X1, [X26,#-8]
.text:0000000000010DA8                 LDR             X8, [X8,#0x18]
.text:0000000000010DAC                 BLR             X8
.text:0000000000010DB0                 TBNZ            W0, #0, loc_10E90
.text:0000000000010DB4
.text:0000000000010DB4 loc_10DB4                               ; CODE XREF: core::fmt::write::hb9190e43e7d87d8f+64↑j
.text:0000000000010DB4                 LDP             W9, W10, [X20,#0x28]
.text:0000000000010DB8                 LDRB            W8, [X20,#0x30]
.text:0000000000010DBC                 ADD             X2, X20, #0x10
.text:0000000000010DC0                 MOV             X0, X19 ; result
.text:0000000000010DC4                 MOV             X1, X21 ; ref$<slice2$<core::fmt::rt::Argument> >
.text:0000000000010DC8                 ADD             X27, X20, #0x38
.text:0000000000010DCC                 STRB            W8, [SP,#0x90+var_58]
.text:0000000000010DD0                 STP             W9, W10, [SP,#0x90+var_60]
.text:0000000000010DD4                 BL              core::fmt::getcount
.text:0000000000010DD8                 STP             X0, X1, [SP,#0x90+var_90]
.text:0000000000010DDC                 MOV             X0, X19 ; result
.text:0000000000010DE0                 MOV             X1, X21 ; ref$<slice2$<core::fmt::rt::Argument> >
.text:0000000000010DE4                 MOV             X2, X20
.text:0000000000010DE8                 BL              core::fmt::getcount
.text:0000000000010DEC                 LDR             X8, [X20,#0x20]
.text:0000000000010DF0                 STR             X0, [SP,#0x90+var_80]
.text:0000000000010DF4                 STR             X1, [SP,#0x90+var_78]
.text:0000000000010DF8                 MOV             X1, SP
.text:0000000000010DFC                 ADD             X8, X19, X8,LSL#4
.text:0000000000010E00                 LDP             X0, X9, [X8]
.text:0000000000010E04                 BLR             X9
.text:0000000000010E08                 SUB             X25, X25, #0x38
.text:0000000000010E0C                 ADD             X26, X26, #0x10
.text:0000000000010E10                 MOV             X20, X27
.text:0000000000010E14                 TBZ             W0, #0, loc_10D94
.text:0000000000010E18                 B               loc_10E90
.text:0000000000010E1C ; ---------------------------------------------------------------------------
.text:0000000000010E1C
.text:0000000000010E1C loc_10E1C                               ; CODE XREF: core::fmt::write::hb9190e43e7d87d8f+3C↑j
.text:0000000000010E1C                 LDP             X21, X8, [X2,#0x10]
.text:0000000000010E20                 MOV             X19, XZR
.text:0000000000010E24                 LDP             X22, X23, [X2]
.text:0000000000010E28                 LSL             X20, X8, #4
.text:0000000000010E2C                 AND             X24, X8, #0xFFFFFFFFFFFFFFF
.text:0000000000010E30
.text:0000000000010E30 loc_10E30                               ; CODE XREF: core::fmt::write::hb9190e43e7d87d8f+130↓j
.text:0000000000010E30                 CMP             X20, X19
.text:0000000000010E34                 B.EQ            loc_10E70
.text:0000000000010E38                 ADD             X8, X22, X19
.text:0000000000010E3C                 LDR             X2, [X8,#8]
.text:0000000000010E40                 CBZ             X2, loc_10E58
.text:0000000000010E44                 LDP             X0, X9, [SP,#0x90+var_70]
.text:0000000000010E48                 LDR             X1, [X8]
.text:0000000000010E4C                 LDR             X8, [X9,#0x18]
.text:0000000000010E50                 BLR             X8
.text:0000000000010E54                 TBNZ            W0, #0, loc_10E90
.text:0000000000010E58
.text:0000000000010E58 loc_10E58                               ; CODE XREF: core::fmt::write::hb9190e43e7d87d8f+108↑j
.text:0000000000010E58                 LDP             X0, X8, [X21],#0x10
.text:0000000000010E5C                 MOV             X1, SP
.text:0000000000010E60                 BLR             X8
.text:0000000000010E64                 ADD             X19, X19, #0x10
.text:0000000000010E68                 CBZ             W0, loc_10E30
.text:0000000000010E6C                 B               loc_10E90
.text:0000000000010E70 ; ---------------------------------------------------------------------------
.text:0000000000010E70
.text:0000000000010E70 loc_10E70                               ; CODE XREF: core::fmt::write::hb9190e43e7d87d8f:loc_10D94↑j
.text:0000000000010E70                                         ; core::fmt::write::hb9190e43e7d87d8f+FC↑j
.text:0000000000010E70                 CMP             X24, X23
.text:0000000000010E74                 B.CS            loc_10E98
.text:0000000000010E78                 ADD             X8, X22, X24,LSL#4
.text:0000000000010E7C                 LDP             X0, X9, [SP,#0x90+var_70]
.text:0000000000010E80                 LDP             X1, X2, [X8]
.text:0000000000010E84                 LDR             X8, [X9,#0x18]
.text:0000000000010E88                 BLR             X8
.text:0000000000010E8C                 TBZ             W0, #0, loc_10E98
.text:0000000000010E90
.text:0000000000010E90 loc_10E90                               ; CODE XREF: core::fmt::write::hb9190e43e7d87d8f+78↑j
.text:0000000000010E90                                         ; core::fmt::write::hb9190e43e7d87d8f+E0↑j ...
.text:0000000000010E90                 MOV             W0, #1
.text:0000000000010E94                 B               loc_10E9C
.text:0000000000010E98 ; ---------------------------------------------------------------------------
.text:0000000000010E98
.text:0000000000010E98 loc_10E98                               ; CODE XREF: core::fmt::write::hb9190e43e7d87d8f+13C↑j
.text:0000000000010E98                                         ; core::fmt::write::hb9190e43e7d87d8f+154↑j
.text:0000000000010E98                 MOV             W0, WZR
.text:0000000000010E9C
.text:0000000000010E9C loc_10E9C                               ; CODE XREF: core::fmt::write::hb9190e43e7d87d8f+15C↑j
.text:0000000000010E9C                 LDP             X20, X19, [SP,#0x90+var_10]
.text:0000000000010EA0                 LDP             X22, X21, [SP,#0x90+var_20]
.text:0000000000010EA4                 LDP             X24, X23, [SP,#0x90+var_30]
.text:0000000000010EA8                 LDP             X26, X25, [SP,#0x90+var_40]
.text:0000000000010EAC                 LDP             X30, X27, [SP,#0x90+var_50]
.text:0000000000010EB0                 ADD             SP, SP, #0x90
.text:0000000000010EB4                 HINT            #0x1D
.text:0000000000010EB8                 RET
.text:0000000000010EB8 ; End of function core::fmt::write::hb9190e43e7d87d8f
.text:0000000000010EB8
.text:0000000000010EBC
.text:0000000000010EBC ; =============== S U B R O U T I N E =======================================
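The listing above shows the pattern directly: `core::fmt::write` opens with `HINT #0x19` (PACIASP, which doubles as a `BTI c` landing pad), while the `Display::fmt` tail-call stub opens with a plain `LDP`, so a `BLR X8` through the vtable faults on it. The following script is an added example, not code from the report or from rustc/LLVM; it parses an IDA-style listing (a constructed excerpt of the one above is embedded) and flags every function entry that an indirect call cannot legally land on.

```python
import re

# Constructed excerpt of the IDA listing quoted in this report: the same two function
# entries and instructions, with the unrelated body lines left out.
LISTING = """\
.text:0000000000010D28 ; =============== S U B R O U T I N E =======================================
.text:0000000000010D28 _ZN59_$LT$core..fmt..Arguments$u20$as$u20$core..fmt..Display$GT$3fmt17h76fbca317d479d82E
.text:0000000000010D28                                         ; DATA XREF: ...
.text:0000000000010D28                 LDP             X8, X1, [X1,#0x20]
.text:0000000000010D34                 B               _ZN4core3fmt5write17hb9190e43e7d87d8fE ; core::fmt::write
.text:0000000000010D38 ; =============== S U B R O U T I N E =======================================
.text:0000000000010D38 _ZN4core3fmt5write17hb9190e43e7d87d8fE  ; CODE XREF: core::fmt::Formatter::write_fmt+C
.text:0000000000010D38                 HINT            #0x19
.text:0000000000010DAC                 BLR             X8
.text:0000000000010EB8                 RET
"""

SUB_MARK = "S U B R O U T I N E"
SYM_RE = re.compile(r"^\.text:[0-9A-Fa-f]+ ([^;\s]\S*)(?:\s+;.*)?$")
INSN_RE = re.compile(r"^\.text:([0-9A-Fa-f]+)\s{2,}([A-Z][A-Z0-9.]*)\s*(.*?)\s*(?:;.*)?$")

# Instructions a BLR may legally land on under BTI: BTI c / BTI jc (IDA prints them as
# HINT immediates) and PACIASP / PACIBSP, which the architecture treats as BTI c pads.
CALL_PADS = {("HINT", "#0x22"), ("HINT", "#0x26"), ("HINT", "#0x19"), ("HINT", "#0x1b"),
             ("BTI", "c"), ("BTI", "jc"), ("PACIASP", ""), ("PACIBSP", "")}

def audit_landing_pads(listing):
    """Map each function symbol to (first instruction, True if a BLR may target it)."""
    result, pending = {}, None
    for line in listing.splitlines():
        if SUB_MARK in line:
            pending = SUB_MARK          # the next symbol line names the function
            continue
        sym = SYM_RE.match(line)
        if sym and pending == SUB_MARK:
            pending = sym.group(1)
            continue
        insn = INSN_RE.match(line)
        if insn and pending and pending != SUB_MARK:
            mnem, ops = insn.group(2), insn.group(3).lower()
            result[pending] = (f"{mnem} {insn.group(3)}".strip(), (mnem, ops) in CALL_PADS)
            pending = None
    return result

def missing_landing_pads(listing):
    """Function symbols whose entry is not a valid BTI call target; any BLR to them faults."""
    return [name for name, (_, ok) in audit_landing_pads(listing).items() if not ok]
```

Run against a full listing, the output is the set of functions to compare against the `BLR`/`BR` targets before booting on BTI-enabled hardware.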
@ggj-1213 ggj-1213 added the C-bug Category: This is a bug. label Apr 24, 2024
@rustbot rustbot added the needs-triage This issue may need triage. Remove it if it has been sufficiently triaged. label Apr 24, 2024
@ggj-1213
Author

ggj-1213 commented Apr 24, 2024

Maybe it's a problem with LLVM. I also created an issue in the LLVM project.

@workingjubilee workingjubilee added O-AArch64 Armv8-A or later processors in AArch64 mode PG-exploit-mitigations Project group: Exploit mitigations A-target-feature Area: Enabling/disabling target features like AVX, Neon, etc. T-compiler Relevant to the compiler team, which will review and decide on the PR/issue. labels Apr 24, 2024
@workingjubilee
Contributor

@ggj-1213 Does the problem remain if you use -Zbuild-std to rebuild the stdlib?

@ggj-1213
Author

@ggj-1213 Does the problem remain if you use -Zbuild-std to rebuild the stdlib?

I built it using the following command; I have used the -Z build-std=core option.
cargo +nightly build -Z build-std=core --target aarch64-unknown-uefi -v --release
You mean build it with:
cargo +nightly build -Z build-std --target aarch64-unknown-uefi -v --release
I used this command to build it. The result is the same.

@workingjubilee
Contributor

Ah, thank you for the information.

@ggj-1213 Was this fixed?

@jieyouxu jieyouxu removed the needs-triage This issue may need triage. Remove it if it has been sufficiently triaged. label Apr 28, 2024
@jieyouxu
Contributor

I'm going to reopen this issue because AFAICT there's no indication it was fixed. If it was actually fixed, please do share how you resolved it and then we can close it knowing that it was fixed. Even if this is an upstream LLVM bug, we'd still want to track it.

@jieyouxu jieyouxu reopened this Apr 28, 2024