opened on Apr 24, 2024
When using aarch64-unknown-uefi to build the release version of the EFI file, some BTI instructions are removed, but there are still indirect jumps (such as `BLR X8`) to the locations where the removed BTI instructions were.
I tried this code:
#![no_main]
#![no_std]
use log::error;
use uefi::prelude::*;
/// UEFI image entry point for the reproduction.
///
/// Initialises `uefi-services` through `system_table`, emits a single log
/// record with `log::error!`, and returns `Status::SUCCESS`. A failed `init`
/// is unwrapped on purpose: the reproduction does not try to recover from it.
#[entry]
fn main(_image_handle: Handle, mut system_table: SystemTable<Boot>) -> Status {
    let init_result = uefi_services::init(&mut system_table);
    init_result.unwrap();
    // Per the disassembly in this report, the BTI FAULT is raised while this
    // record is formatted (the indirect call into `<Arguments as Display>::fmt`).
    error!("Hello world!");
    Status::SUCCESS
}
.cargo/config.toml
[build]
# NOTE(review): `-C target-feature=+bti` only marks the BTI instruction as
# available in the target feature set; whether rustc/LLVM emit a landing pad at
# every function entry is governed by `-Z branch-protection`, and `pac-ret`
# alone does not request one (the documented spelling for both is
# `-Z branch-protection=bti,pac-ret`). The disassembly in this report is
# consistent with that reading: the function that sets up a frame starts with
# `HINT #0x19` (PACIASP, which itself acts as a landing pad), while the
# frameless tail-call-only function has no landing pad at all. Confirm against
# the rustc unstable-book entry for `branch-protection`.
rustflags = ["-C", "target-feature=+bti", "-Z", "branch-protection=pac-ret"]
Cargo.toml
[package]
name = "helloworld"
version = "0.1.0"
edition = "2021"
# Crate versions used for the reproduction: `uefi` provides the prelude
# (`entry`, `Handle`, `SystemTable`, `Status`), `uefi-services` the `init`
# call, and `log` the `error!` macro used in the snippet above.
[dependencies]
log = "0.4.21"
uefi = "0.27.0"
uefi-services = "0.24.0"
and i build it :
# `-Z build-std=core` rebuilds `core` from source with the rustflags from
# .cargo/config.toml, so the branch-protection settings also apply to
# `core::fmt`, where the fault is reported below.
cargo +nightly build -Z build-std=core --target aarch64-unknown-uefi -v --release
Output of `rustc --version --verbose`:
rustc 1.79.0-nightly (becebb315 2024-04-17)
binary: rustc
commit-hash: becebb3158149a115cad8a402612e25436a7e37b
commit-date: 2024-04-17
host: x86_64-unknown-linux-gnu
release: 1.79.0-nightly
LLVM version: 18.1.3
When I run the EFI file on the board, a BTI FAULT occurs:
Synchronous Exception at 0x00000000484F6620
[ 6824.086000s][cpu10]PC 0x0000484F6620
[ 6824.090000s][cpu10]PC 0x0000484F67DC
......
SP 0x000000004FFFF920 ELR 0x00000000484F6620 SPSR 0x20000A05 FPSR 0x00000000
ESR 0x36000002 FAR 0x0000000000000000
[ 6824.353000s][cpu10]
ESR : EC 0x0D IL 0x1 ISS 0x00000002
[ 6824.359000s][cpu10]
BTI FAULT
When I disassembled the EFI file, I found that there was no BTI instruction at the entry of the faulting function (it begins directly with `LDP`, and, being a frameless tail call, it also has no `HINT #0x19` PACIASP prologue that could serve as a landing pad).
.text:0000000000010D28 ; =============== S U B R O U T I N E =======================================
.text:0000000000010D28
.text:0000000000010D28
.text:0000000000010D28 ; enum2$<core::result::Result<tuple$<>,core::fmt::Error> > __fastcall _$LT$core..fmt..Arguments$u20$as$u20$core..fmt..Display$GT$::fmt::h76fbca317d479d82(core::fmt::Arguments *, core::fmt::Formatter *)
.text:0000000000010D28 _ZN59_$LT$core..fmt..Arguments$u20$as$u20$core..fmt..Display$GT$3fmt17h76fbca317d479d82E
.text:0000000000010D28 ; DATA XREF: _$LT$uefi..logger..Logger$u20$as$u20$log..Log$GT$::log::h16683d6aedc884e0+6C↓o
.text:0000000000010D28 ; _$LT$uefi..logger..Logger$u20$as$u20$log..Log$GT$::log::h16683d6aedc884e0+70↓o ...
.text:0000000000010D28 ; NOTE(review): the DATA XREFs above mean the address of this function is taken
.text:0000000000010D28 ; (by Logger::log), so it is presumably reached through an indirect call - the
.text:0000000000010D28 ; `BLR X8` described in the report. A BTI-enabled callee must then begin with a
.text:0000000000010D28 ; landing pad (`BTI c`, or a PACIASP prologue). This function is a frameless
.text:0000000000010D28 ; tail call, so it has neither: the LDP below is its first instruction, which is
.text:0000000000010D28 ; what the BTI FAULT reports.
.text:0000000000010D28 LDP X8, X1, [X1,#0x20]
.text:0000000000010D2C MOV X2, X0
.text:0000000000010D30 MOV X0, X8
.text:0000000000010D34 B _ZN4core3fmt5write17hb9190e43e7d87d8fE ; core::fmt::write::hb9190e43e7d87d8f
.text:0000000000010D34 ; End of function _$LT$core..fmt..Arguments$u20$as$u20$core..fmt..Display$GT$::fmt::h76fbca317d479d82
.text:0000000000010D34
.text:0000000000010D38
.text:0000000000010D38 ; =============== S U B R O U T I N E =======================================
The function containing the indirect jumps is as follows; I don't remember which of its `BLR X8` instructions jumps to the function above.
.text:0000000000010D38 ; =============== S U B R O U T I N E =======================================
.text:0000000000010D38
.text:0000000000010D38
.text:0000000000010D38 ; enum2$<core::result::Result<tuple$<>,core::fmt::Error> > __fastcall core::fmt::write::hb9190e43e7d87d8f(ref_mut$<dyn$<core::fmt::Write> >, core::fmt::Arguments)
.text:0000000000010D38 _ZN4core3fmt5write17hb9190e43e7d87d8fE ; CODE XREF: core::fmt::Formatter::write_fmt+C↑j
.text:0000000000010D38 ; _$LT$core..fmt..Arguments$u20$as$u20$core..fmt..Display$GT$::fmt::h76fbca317d479d82+C↑j ...
.text:0000000000010D38
.text:0000000000010D38 var_90 = -0x90
.text:0000000000010D38 var_80 = -0x80
.text:0000000000010D38 var_78 = -0x78
.text:0000000000010D38 var_70 = -0x70
.text:0000000000010D38 var_68 = -0x68
.text:0000000000010D38 var_60 = -0x60
.text:0000000000010D38 var_58 = -0x58
.text:0000000000010D38 var_50 = -0x50
.text:0000000000010D38 var_40 = -0x40
.text:0000000000010D38 var_30 = -0x30
.text:0000000000010D38 var_20 = -0x20
.text:0000000000010D38 var_10 = -0x10
.text:0000000000010D38
.text:0000000000010D38 ; NOTE(review): HINT #0x19 is PACIASP, the pac-ret prologue. It is also a valid
.text:0000000000010D38 ; BTI landing pad for BLR, which is why this function, unlike the frameless one
.text:0000000000010D38 ; above, can be entered indirectly without a fault even though no explicit BTI
.text:0000000000010D38 ; instruction was emitted.
.text:0000000000010D38 HINT #0x19
.text:0000000000010D3C SUB SP, SP, #0x90
.text:0000000000010D40 STP X20, X19, [SP,#0x90+var_10]
.text:0000000000010D44 LDR X20, [X2,#0x20]
.text:0000000000010D48 MOV W8, #0x20
.text:0000000000010D4C MOV W9, #3
.text:0000000000010D50 STP X30, X27, [SP,#0x90+var_50]
.text:0000000000010D54 STP X26, X25, [SP,#0x90+var_40]
.text:0000000000010D58 STP X24, X23, [SP,#0x90+var_30]
.text:0000000000010D5C STP X22, X21, [SP,#0x90+var_20]
.text:0000000000010D60 STP X1, X8, [SP,#0x90+var_68]
.text:0000000000010D64 STRB W9, [SP,#0x90+var_58]
.text:0000000000010D68 STR XZR, [SP,#0x90+var_90]
.text:0000000000010D6C STR XZR, [SP,#0x90+var_80]
.text:0000000000010D70 STR X0, [SP,#0x90+var_70]
.text:0000000000010D74 CBZ X20, loc_10E1C
.text:0000000000010D78 LDR X8, [X2,#0x28]
.text:0000000000010D7C LDP X22, X23, [X2]
.text:0000000000010D80 LDP X19, X21, [X2,#0x10]
.text:0000000000010D84 LSL X9, X8, #6
.text:0000000000010D88 AND X24, X8, #0x1FFFFFFFFFFFFFFF
.text:0000000000010D8C ADD X26, X22, #8
.text:0000000000010D90 SUB X25, X9, X8,LSL#3
.text:0000000000010D94
.text:0000000000010D94 loc_10D94 ; CODE XREF: core::fmt::write::hb9190e43e7d87d8f+DC↓j
.text:0000000000010D94 CBZ X25, loc_10E70
.text:0000000000010D98 LDR X2, [X26]
.text:0000000000010D9C CBZ X2, loc_10DB4
.text:0000000000010DA0 LDP X0, X8, [SP,#0x90+var_70]
.text:0000000000010DA4 LDUR X1, [X26,#-8]
.text:0000000000010DA8 LDR X8, [X8,#0x18]
.text:0000000000010DAC ; NOTE(review): every BLR in this function (here and at 10E04, 10E50, 10E60,
.text:0000000000010DAC ; 10E88) is an indirect call through a pointer loaded from memory - likely the
.text:0000000000010DAC ; `dyn Write` vtable or an `Argument` formatter fn pointer. Each target needs a
.text:0000000000010DAC ; landing pad once BTI is enforced.
.text:0000000000010DAC BLR X8
.text:0000000000010DB0 TBNZ W0, #0, loc_10E90
.text:0000000000010DB4
.text:0000000000010DB4 loc_10DB4 ; CODE XREF: core::fmt::write::hb9190e43e7d87d8f+64↑j
.text:0000000000010DB4 LDP W9, W10, [X20,#0x28]
.text:0000000000010DB8 LDRB W8, [X20,#0x30]
.text:0000000000010DBC ADD X2, X20, #0x10
.text:0000000000010DC0 MOV X0, X19 ; result
.text:0000000000010DC4 MOV X1, X21 ; ref$<slice2$<core::fmt::rt::Argument> >
.text:0000000000010DC8 ADD X27, X20, #0x38
.text:0000000000010DCC STRB W8, [SP,#0x90+var_58]
.text:0000000000010DD0 STP W9, W10, [SP,#0x90+var_60]
.text:0000000000010DD4 BL core::fmt::getcount
.text:0000000000010DD8 STP X0, X1, [SP,#0x90+var_90]
.text:0000000000010DDC MOV X0, X19 ; result
.text:0000000000010DE0 MOV X1, X21 ; ref$<slice2$<core::fmt::rt::Argument> >
.text:0000000000010DE4 MOV X2, X20
.text:0000000000010DE8 BL core::fmt::getcount
.text:0000000000010DEC LDR X8, [X20,#0x20]
.text:0000000000010DF0 STR X0, [SP,#0x90+var_80]
.text:0000000000010DF4 STR X1, [SP,#0x90+var_78]
.text:0000000000010DF8 MOV X1, SP
.text:0000000000010DFC ADD X8, X19, X8,LSL#4
.text:0000000000010E00 LDP X0, X9, [X8]
.text:0000000000010E04 BLR X9
.text:0000000000010E08 SUB X25, X25, #0x38
.text:0000000000010E0C ADD X26, X26, #0x10
.text:0000000000010E10 MOV X20, X27
.text:0000000000010E14 TBZ W0, #0, loc_10D94
.text:0000000000010E18 B loc_10E90
.text:0000000000010E1C ; ---------------------------------------------------------------------------
.text:0000000000010E1C
.text:0000000000010E1C loc_10E1C ; CODE XREF: core::fmt::write::hb9190e43e7d87d8f+3C↑j
.text:0000000000010E1C LDP X21, X8, [X2,#0x10]
.text:0000000000010E20 MOV X19, XZR
.text:0000000000010E24 LDP X22, X23, [X2]
.text:0000000000010E28 LSL X20, X8, #4
.text:0000000000010E2C AND X24, X8, #0xFFFFFFFFFFFFFFF
.text:0000000000010E30
.text:0000000000010E30 loc_10E30 ; CODE XREF: core::fmt::write::hb9190e43e7d87d8f+130↓j
.text:0000000000010E30 CMP X20, X19
.text:0000000000010E34 B.EQ loc_10E70
.text:0000000000010E38 ADD X8, X22, X19
.text:0000000000010E3C LDR X2, [X8,#8]
.text:0000000000010E40 CBZ X2, loc_10E58
.text:0000000000010E44 LDP X0, X9, [SP,#0x90+var_70]
.text:0000000000010E48 LDR X1, [X8]
.text:0000000000010E4C LDR X8, [X9,#0x18]
.text:0000000000010E50 BLR X8
.text:0000000000010E54 TBNZ W0, #0, loc_10E90
.text:0000000000010E58
.text:0000000000010E58 loc_10E58 ; CODE XREF: core::fmt::write::hb9190e43e7d87d8f+108↑j
.text:0000000000010E58 LDP X0, X8, [X21],#0x10
.text:0000000000010E5C MOV X1, SP
.text:0000000000010E60 BLR X8
.text:0000000000010E64 ADD X19, X19, #0x10
.text:0000000000010E68 CBZ W0, loc_10E30
.text:0000000000010E6C B loc_10E90
.text:0000000000010E70 ; ---------------------------------------------------------------------------
.text:0000000000010E70
.text:0000000000010E70 loc_10E70 ; CODE XREF: core::fmt::write::hb9190e43e7d87d8f:loc_10D94↑j
.text:0000000000010E70 ; core::fmt::write::hb9190e43e7d87d8f+FC↑j
.text:0000000000010E70 CMP X24, X23
.text:0000000000010E74 B.CS loc_10E98
.text:0000000000010E78 ADD X8, X22, X24,LSL#4
.text:0000000000010E7C LDP X0, X9, [SP,#0x90+var_70]
.text:0000000000010E80 LDP X1, X2, [X8]
.text:0000000000010E84 LDR X8, [X9,#0x18]
.text:0000000000010E88 BLR X8
.text:0000000000010E8C TBZ W0, #0, loc_10E98
.text:0000000000010E90
.text:0000000000010E90 loc_10E90 ; CODE XREF: core::fmt::write::hb9190e43e7d87d8f+78↑j
.text:0000000000010E90 ; core::fmt::write::hb9190e43e7d87d8f+E0↑j ...
.text:0000000000010E90 MOV W0, #1
.text:0000000000010E94 B loc_10E9C
.text:0000000000010E98 ; ---------------------------------------------------------------------------
.text:0000000000010E98
.text:0000000000010E98 loc_10E98 ; CODE XREF: core::fmt::write::hb9190e43e7d87d8f+13C↑j
.text:0000000000010E98 ; core::fmt::write::hb9190e43e7d87d8f+154↑j
.text:0000000000010E98 MOV W0, WZR
.text:0000000000010E9C
.text:0000000000010E9C loc_10E9C ; CODE XREF: core::fmt::write::hb9190e43e7d87d8f+15C↑j
.text:0000000000010E9C LDP X20, X19, [SP,#0x90+var_10]
.text:0000000000010EA0 LDP X22, X21, [SP,#0x90+var_20]
.text:0000000000010EA4 LDP X24, X23, [SP,#0x90+var_30]
.text:0000000000010EA8 LDP X26, X25, [SP,#0x90+var_40]
.text:0000000000010EAC LDP X30, X27, [SP,#0x90+var_50]
.text:0000000000010EB0 ADD SP, SP, #0x90
.text:0000000000010EB4 ; HINT #0x1D is AUTIASP, the pac-ret epilogue matching the PACIASP at entry.
.text:0000000000010EB4 HINT #0x1D
.text:0000000000010EB8 RET
.text:0000000000010EB8 ; End of function core::fmt::write::hb9190e43e7d87d8f
.text:0000000000010EB8
.text:0000000000010EBC
.text:0000000000010EBC ; =============== S U B R O U T I N E =======================================