Date: Wed, 12 Jul 2023 15:26:14 +0200
From: "Gerd Hoffmann" <kraxel@redhat.com>
To: Ard Biesheuvel
Cc: devel@edk2.groups.io
Subject: Re: heap/page guard broken on aarch64
Message-ID:
References:
MIME-Version: 1.0
In-Reply-To:
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

On Wed, Jul 12, 2023 at 02:03:37PM +0200, Ard Biesheuvel wrote:
> On Wed, 12 Jul 2023 at 10:41, Gerd Hoffmann wrote:
> >
> > PcdHeapGuardPageType=0x7e
> > PcdHeapGuardPoolType=0x7e
>
> This looks like the debug 'poison' value is applied to the freed guard
> page before the EFI_MEMORY_RP permission is removed.
>
> I wonder if the 'IsGuarded' logic in CoreFreePoolI is wrong here: this
> is runtime memory, which is rounded up to 64k granularity on AArch64,
> and I would not be surprised if that code is buggy.

Looks plausible to me. Tried fixing AdjustPoolHeadF() to use the
granularity instead of the EFI page size; that alone didn't make the
firmware boot though. Clearing the two runtime memory type bits
(0x7e -> 0x1e) makes the firmware boot.

take care,
  Gerd
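An added illustration of the two points raised in this thread, not code from edk2 or from either poster: it decodes the PcdHeapGuardPageType/PcdHeapGuardPoolType bitmask (bit N selects EFI_MEMORY_TYPE N, so 0x7e -> 0x1e drops bits 5 and 6, the two runtime-services types), and models why a guard check that rounds with EFI_PAGE_SIZE (4K) lands on a different page than one that rounds with the 64K runtime allocation granularity AArch64 uses. The "tail guard is the page right after the rounded block" layout, the function names and the sample addresses are assumptions made for the illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef enum {               /* EFI_MEMORY_TYPE values from the UEFI spec */
  EfiReservedMemoryType, EfiLoaderCode, EfiLoaderData,
  EfiBootServicesCode, EfiBootServicesData,
  EfiRuntimeServicesCode, EfiRuntimeServicesData, EfiConventionalMemory
} EFI_MEMORY_TYPE;

#define EFI_PAGE_SIZE   0x1000ULL   /* 4K, the UEFI page size on every arch */
#define RT_GRANULARITY  0x10000ULL  /* AArch64 runtime allocation granularity, 64K */
#define ALIGN_UP(x, a)  (((x) + (a) - 1) & ~((a) - 1))

/* Is memory type T guarded under a PcdHeapGuard*Type bitmask? (bit N = type N) */
static bool IsGuardedType(uint32_t Mask, EFI_MEMORY_TYPE T) {
  return ((Mask >> T) & 1U) != 0;
}

/* Does the mask enable guarding for either runtime-services type?
 * 0x7e does (bits 5 and 6 set); 0x1e does not. */
static bool MaskCoversRuntime(uint32_t Mask) {
  return IsGuardedType(Mask, EfiRuntimeServicesCode) ||
         IsGuardedType(Mask, EfiRuntimeServicesData);
}

/* Granularity a pool allocation of type T is rounded to on AArch64. */
static uint64_t AllocGranularity(EFI_MEMORY_TYPE T) {
  return (T == EfiRuntimeServicesCode || T == EfiRuntimeServicesData)
         ? RT_GRANULARITY : EFI_PAGE_SIZE;
}

/* Modelled tail guard page: the page right after [Base, Base+Size) once the
 * block is rounded up to Unit. (Illustrative layout, not edk2's exact one.) */
static uint64_t TailGuard(uint64_t Base, uint64_t Size, uint64_t Unit) {
  return Base + ALIGN_UP(Size, Unit);
}

/* True when rounding with EFI_PAGE_SIZE and with the type's real granularity
 * put the tail guard on different pages, i.e. a 4K-based guard check would
 * inspect (or poison past) the wrong page for this allocation. */
static bool TailGuardMismatch(EFI_MEMORY_TYPE T, uint64_t Base, uint64_t Size) {
  return TailGuard(Base, Size, EFI_PAGE_SIZE) !=
         TailGuard(Base, Size, AllocGranularity(T));
}

int main(void) {   /* constructed sample: 256-byte pool at a 64K-aligned base */
  printf("0x7e guards runtime types: %d, 0x1e: %d\n",
         MaskCoversRuntime(0x7e), MaskCoversRuntime(0x1e));
  printf("RT data mismatch: %d, BS data mismatch: %d\n",
         TailGuardMismatch(EfiRuntimeServicesData, 0x40000000ULL, 0x100),
         TailGuardMismatch(EfiBootServicesData, 0x40000000ULL, 0x100));
  return 0;
}
```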