hw/arm_gic.c: Ignore attempts to complete nonexistent IRQs

Ignore attempts to complete non-existent IRQs; this fixes a buffer
overrun if the guest writes a bad value to the GICC_EOIR register.
(This case is UNPREDICTABLE so ignoring it is a valid choice.)
Note that doing nothing if the guest writes 1023 to this register
is not in fact a change in behaviour: the old code would also
always do nothing in this case but in a non-obvious way.
(The buffer overrun was noted by Coverity, see bug 887883.)

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Andrzej Zaborowski <andrew.zaborowski@intel.com>
This commit is contained in:
Peter Maydell 2011-12-01 19:37:17 +01:00 committed by Andrzej Zaborowski
parent 21d89f841a
commit 217bfb445b

View File

@ -215,9 +215,19 @@ static void gic_complete_irq(gic_state * s, int cpu, int irq)
int update = 0; int update = 0;
int cm = 1 << cpu; int cm = 1 << cpu;
DPRINTF("EOI %d\n", irq); DPRINTF("EOI %d\n", irq);
if (irq >= GIC_NIRQ) {
/* This handles two cases:
* 1. If software writes the ID of a spurious interrupt [ie 1023]
* to the GICC_EOIR, the GIC ignores that write.
* 2. If software writes the number of a non-existent interrupt
* this must be a subcase of "value written does not match the last
* valid interrupt value read from the Interrupt Acknowledge
* register" and so this is UNPREDICTABLE. We choose to ignore it.
*/
return;
}
if (s->running_irq[cpu] == 1023) if (s->running_irq[cpu] == 1023)
return; /* No active IRQ. */ return; /* No active IRQ. */
if (irq != 1023) {
/* Mark level triggered interrupts as pending if they are still /* Mark level triggered interrupts as pending if they are still
raised. */ raised. */
if (!GIC_TEST_TRIGGER(irq) && GIC_TEST_ENABLED(irq, cm) if (!GIC_TEST_TRIGGER(irq) && GIC_TEST_ENABLED(irq, cm)
@ -226,7 +236,6 @@ static void gic_complete_irq(gic_state * s, int cpu, int irq)
GIC_SET_PENDING(irq, cm); GIC_SET_PENDING(irq, cm);
update = 1; update = 1;
} }
}
if (irq != s->running_irq[cpu]) { if (irq != s->running_irq[cpu]) {
/* Complete an IRQ that is not currently running. */ /* Complete an IRQ that is not currently running. */
int tmp = s->running_irq[cpu]; int tmp = s->running_irq[cpu];