From: "Ard Biesheuvel" <ardb@kernel.org>
To: Tom Lendacky <thomas.lendacky@amd.com>
Cc: "devel@edk2.groups.io" <devel@edk2.groups.io>,
Gerd Hoffmann <kraxel@redhat.com>
Subject: Re: Strange behavior between GCC 11 and GCC 12
Date: Fri, 14 Apr 2023 23:39:35 +0200 [thread overview]
Message-ID: <CAMj1kXGxCLSJWVPHxYyKnJLkxLh+PeberSY2jcaGFYRqg2nXdA@mail.gmail.com> (raw)
In-Reply-To: <7f0f5f8e-09c7-4ae4-ffca-1a7c322949a8@amd.com>
On Fri, 14 Apr 2023 at 22:23, Tom Lendacky <thomas.lendacky@amd.com> wrote:
>
> I've been trying to debug a problem I'm seeing when I moved to the GCC 12
> compiler. Under SEV it results in the guest crashing.
>
> I narrowed the issue down to the call to TemporaryRamMigration() in
> PeiCheckAndSwitchStack() of MdeModulePkg/Core/Pei/Dispatcher/Dispatcher.c.
>
> I get this output on GCC11:
> Old Stack size 32768, New stack size 131072
> Stack Hob: BaseAddress=0x3BF76000 Length=0x20000
> Heap Offset = 0x3B786000 Stack Offset = 0x3B776000
> *** DEBUG: PeiCheckAndSwitchStack:851 - SecCoreData=3BF95D20
> TemporaryRamMigration(0x810000, 0x3BF8E000, 0x10000)
> *** DEBUG: PeiCheckAndSwitchStack:871 - SecCoreData=3BF95D20
>
> and everything is good.
>
> However, I get this output on GCC12:
> Old Stack size 32768, New stack size 131072
> Stack Hob: BaseAddress=0x3BF76000 Length=0x20000
> Heap Offset = 0x3B786000 Stack Offset = 0x3B776000
> *** DEBUG: PeiCheckAndSwitchStack:851 - SecCoreData=3BF95D20
> TemporaryRamMigration(0x810000, 0x3BF8E000, 0x10000)
> *** DEBUG: PeiCheckAndSwitchStack:871 - SecCoreData=7770BD20
> MMIO using encrypted memory: 7770BD48
> !!!! X64 Exception Type - 0D(#GP - General Protection) CPU Apic ID - 00000000 !!!!
>
> and terminate because SecCoreData has been corrupted and points to an
> address in an MMIO range (this is an SEV-ES/SEV-SNP example).
>
> As near as I can tell from looking at the object code, on GCC12 it looks
> like the SecCoreData value is stored in the RBP register, which appears to
> be getting corrupted when calling TemporaryRamMigration().
>
> Does anyone have any thoughts on this?
>
The stack switching logic in OvmfPkg/Sec/SecMain.c looks highly dubious to me.
LongJump() can be used to do a long return, i.e., it allows to return
from several levels deep in the call stack to back up to where
SetJump() was called. However, using LongJump() to return to the
caller with a different stack is, quite frankly, insane, and I'm
surprised it didn't break a lot sooner.
In this particular case, RBX gets updated along with RSP, presumably
because the code assumes it is being used as a frame pointer? Are you
building with -fomit-frame-pointer perhaps?
next prev parent reply other threads:[~2023-04-14 21:39 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-04-14 20:23 Strange behavior between GCC 11 and GCC 12 Lendacky, Thomas
2023-04-14 21:39 ` Lendacky, Thomas
2023-04-17 9:24 ` Gerd Hoffmann
2023-04-14 21:39 ` Ard Biesheuvel [this message]
2023-04-14 21:50 ` Lendacky, Thomas
2023-04-15 0:49 ` [edk2-devel] " Ni, Ray
[not found] ` <1755F557A60CA0E1.29871@groups.io>
2023-04-15 5:04 ` Ni, Ray
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAMj1kXGxCLSJWVPHxYyKnJLkxLh+PeberSY2jcaGFYRqg2nXdA@mail.gmail.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox