From 217bfb445b54db618a30f3a39170bebd9fd9dbf2 Mon Sep 17 00:00:00 2001 From: Peter Maydell Date: Thu, 1 Dec 2011 19:37:17 +0100 Subject: [PATCH] hw/arm_gic.c: Ignore attempts to complete nonexistent IRQs Ignore attempts to complete non-existent IRQs; this fixes a buffer overrun if the guest writes a bad value to the GICC_EOIR register. (This case is UNPREDICTABLE so ignoring it is a valid choice.) Note that doing nothing if the guest writes 1023 to this register is not in fact a change in behaviour: the old code would also always do nothing in this case but in a non-obvious way. (The buffer overrun was noted by Coverity, see bug 887883.) Signed-off-by: Peter Maydell Signed-off-by: Andrzej Zaborowski --- hw/arm_gic.c | 27 ++++++++++++++++++--------- 1 file changed, 18 insertions(+), 9 deletions(-) diff --git a/hw/arm_gic.c b/hw/arm_gic.c index f3f35164d0..527c9cec39 100644 --- a/hw/arm_gic.c +++ b/hw/arm_gic.c @@ -215,17 +215,26 @@ static void gic_complete_irq(gic_state * s, int cpu, int irq) int update = 0; int cm = 1 << cpu; DPRINTF("EOI %d\n", irq); + if (irq >= GIC_NIRQ) { + /* This handles two cases: + * 1. If software writes the ID of a spurious interrupt [ie 1023] + * to the GICC_EOIR, the GIC ignores that write. + * 2. If software writes the number of a non-existent interrupt + * this must be a subcase of "value written does not match the last + * valid interrupt value read from the Interrupt Acknowledge + * register" and so this is UNPREDICTABLE. We choose to ignore it. + */ + return; + } if (s->running_irq[cpu] == 1023) return; /* No active IRQ. */ - if (irq != 1023) { - /* Mark level triggered interrupts as pending if they are still - raised. */ - if (!GIC_TEST_TRIGGER(irq) && GIC_TEST_ENABLED(irq, cm) - && GIC_TEST_LEVEL(irq, cm) && (GIC_TARGET(irq) & cm) != 0) { - DPRINTF("Set %d pending mask %x\n", irq, cm); - GIC_SET_PENDING(irq, cm); - update = 1; - } + /* Mark level triggered interrupts as pending if they are still + raised. */ + if (!GIC_TEST_TRIGGER(irq) && GIC_TEST_ENABLED(irq, cm) + && GIC_TEST_LEVEL(irq, cm) && (GIC_TARGET(irq) & cm) != 0) { + DPRINTF("Set %d pending mask %x\n", irq, cm); + GIC_SET_PENDING(irq, cm); + update = 1; } if (irq != s->running_irq[cpu]) { /* Complete an IRQ that is not currently running. */