From 9ace660bae651b1e07ddfbd1e37d6ae2a11165a7 Mon Sep 17 00:00:00 2001
From: Steve McIntyre
Date: Mon, 21 Jun 2021 12:43:33 +0100
Subject: [PATCH] Add arm64 patch to tweak section layout and stop crashing problems Upstream issue #371. Closes: #990082, #990190
---
 debian/changelog | 7 +
 debian/patches/fix_arm64_rela_sections.patch | 132 +++++++++++++++++++
 debian/patches/series | 1 +
 3 files changed, 140 insertions(+)
 create mode 100644 debian/patches/fix_arm64_rela_sections.patch
diff --git a/debian/changelog b/debian/changelog
index 3e344ad..d727cc7 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+shim (15.4-6) UNRELEASED; urgency=high
+
+ * Add arm64 patch to tweak section layout and stop crashing
+ problems. Upstream issue #371. Closes: #990082, #990190
+
+ -- Steve McIntyre <93sam@debian.org> Tue, 22 Jun 2021 22:16:54 +0100
+
 shim (15.4-5) unstable; urgency=medium
 * Add defensive code around calls to db_get. Don't fail if they
diff --git a/debian/patches/fix_arm64_rela_sections.patch b/debian/patches/fix_arm64_rela_sections.patch
new file mode 100644
index 0000000..523bd33
--- /dev/null
+++ b/debian/patches/fix_arm64_rela_sections.patch
@@ -0,0 +1,132 @@
+From 9828f65f3e9de29da7bc70cb71069cc1d7ca1b4a Mon Sep 17 00:00:00 2001
+From: Gary Lin
+Date: Wed, 16 Jun 2021 16:13:32 +0800
+Subject: [PATCH] arm/aa64: fix the size of .rela* sections
+
+The previous commit(*) merged .rel* and .dyn* into .rodata, and this
+made ld to generate the wrong size for .rela* sections that covered
+other unrelated sections. When the EFI image was loaded, _relocate()
+went through the unexpected data and may cause unexpected crash.
+This commit moves .rel* and .dyn* out of .rodata in the ld script but
+also moves the related variables, such as _evrodata, _rodata_size,
+and _rodata_vsize, to the end of the new .dyn section, so that the
+crafted pe-coff section header for .rodata still covers our new
+.rela and .dyn sections.
+
+(*) 212ba30544f ("arm/aa64 targets: put .rel* and .dyn* in .rodata")
+
+Fix issue: https://github.com/rhboot/shim/issues/371
+
+Signed-off-by: Gary Lin
+---
+ Makefile | 4 ++--
+ elf_aarch64_efi.lds | 24 ++++++++++++++++--------
+ elf_arm_efi.lds | 24 ++++++++++++++++--------
+ 3 files changed, 34 insertions(+), 18 deletions(-)
+
+Index: shim.git/Makefile
+===================================================================
+--- shim.git.orig/Makefile
++++ shim.git/Makefile
+@@ -244,7 +244,7 @@ endif
+ $(OBJCOPY) -D -j .text -j .sdata -j .data -j .data.ident \
+ -j .dynamic -j .rodata -j .rel* \
+ -j .rela* -j .reloc -j .eh_frame \
+- -j .vendor_cert -j .sbat \
++ -j .vendor_cert -j .dyn -j .sbat \
+ $(FORMAT) $< $@
+ # I am tired of wasting my time fighting binutils timestamp code.
+ dd conv=notrunc bs=1 count=4 seek=$(TIMESTAMP_LOCATION) if=/dev/zero of=$@
+@@ -260,7 +260,7 @@ ifneq ($(OBJCOPY_GTE224),1)
+ endif
+ $(OBJCOPY) -D -j .text -j .sdata -j .data \
+ -j .dynamic -j .rodata -j .rel* \
+- -j .rela* -j .reloc -j .eh_frame -j .sbat \
++ -j .rela* -j .dyn -j .reloc -j .eh_frame -j .sbat \
+ -j .debug_info -j .debug_abbrev -j .debug_aranges \
+ -j .debug_line -j .debug_str -j .debug_ranges \
+ -j .note.gnu.build-id \
+Index: shim.git/elf_aarch64_efi.lds
+===================================================================
+--- shim.git.orig/elf_aarch64_efi.lds
++++ shim.git/elf_aarch64_efi.lds
+@@ -70,21 +70,29 @@ SECTIONS
+ .rodata :
+ {
+ _rodata = .;
+- *(.rela.dyn)
+- *(.rela.plt)
+- *(.rela.got)
+- *(.rela.data)
+- *(.rela.data*)
+-
+ *(.rodata*)
+ *(.srodata)
+- *(.dynsym)
+- *(.dynstr)
+ . = ALIGN(16);
+ *(.note.gnu.build-id)
+ . = ALIGN(4096);
+ *(.vendor_cert)
+ *(.data.ident)
++ . = ALIGN(4096);
++ }
++ . = ALIGN(4096);
++ .rela :
++ {
++ *(.rela.dyn)
++ *(.rela.plt)
++ *(.rela.got)
++ *(.rela.data)
++ *(.rela.data*)
++ }
++ . = ALIGN(4096);
++ .dyn :
++ {
++ *(.dynsym)
++ *(.dynstr)
+ _evrodata = .;
+ . = ALIGN(4096);
+ }
+Index: shim.git/elf_arm_efi.lds
+===================================================================
+--- shim.git.orig/elf_arm_efi.lds
++++ shim.git/elf_arm_efi.lds
+@@ -70,21 +70,29 @@ SECTIONS
+ .rodata :
+ {
+ _rodata = .;
+- *(.rel.dyn)
+- *(.rel.plt)
+- *(.rel.got)
+- *(.rel.data)
+- *(.rel.data*)
+-
+ *(.rodata*)
+ *(.srodata)
+- *(.dynsym)
+- *(.dynstr)
+ . = ALIGN(16);
+ *(.note.gnu.build-id)
+ . = ALIGN(4096);
+ *(.vendor_cert)
+ *(.data.ident)
++ . = ALIGN(4096);
++ }
++ . = ALIGN(4096);
++ .rela :
++ {
++ *(.rela.dyn)
++ *(.rela.plt)
++ *(.rela.got)
++ *(.rela.data)
++ *(.rela.data*)
++ }
++ . = ALIGN(4096);
++ .dyn :
++ {
++ *(.dynsym)
++ *(.dynstr)
+ _evrodata = .;
+ . = ALIGN(4096);
+ }
diff --git a/debian/patches/series b/debian/patches/series
index 20e12aa..eecb8c2 100644
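Review bot: In the elf_arm_efi.lds part of the added patch, the new `.rela` output section collects `*(.rela.dyn)` through `*(.rela.data*)`, but the lines removed from `.rodata` in that same file were the `.rel.*` inputs (`*(.rel.dyn)` … `*(.rel.data*)`). As written, the 32-bit ARM script no longer names any `.rel.*` input section, so their placement and size would presumably fall to the linker's orphan-section handling, which is the kind of layout drift the patch description blames for `_relocate()` walking unrelated data. If the copy from the aarch64 script was unintended, the five patterns in the arm block should be the `.rel.*` names the hunk removes, e.g. `*(.rel.dyn)` in place of `*(.rela.dyn)`. Both scripts would also benefit from a comment above `_evrodata = .;` such as `/* kept at the end of .dyn so the hand-built PE .rodata header also spans .rela and .dyn */`, since that coupling is only explained in the commit message.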
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -2,3 +2,4 @@ fix-import_one_mok_state.patch
 fix-broken-ia32-reloc.patch
 MOK-BootServicesData.patch
 Don-t-call-QueryVariableInfo-on-EFI-1.10-machines.patch
+fix_arm64_rela_sections.patch