hw/arm_gic.c: Ignore attempts to complete nonexistent IRQs

Ignore attempts to complete non-existent IRQs; this fixes a buffer overrun if the guest writes a bad value to the GICC_EOIR register. (This case is UNPREDICTABLE so ignoring it is a valid choice.) Note that doing nothing if the guest writes 1023 to this register is not in fact a change in behaviour: the old code would also always do nothing in this case but in a non-obvious way. (The buffer overrun was noted by Coverity, see bug 887883.) Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Andrzej Zaborowski <andrew.zaborowski@intel.com>
2011-12-01 19:37:17 +01:00 · 2011-12-01 19:37:17 +01:00 · 217bfb445b
parent 21d89f841a
commit 217bfb445b
1 changed files with 18 additions and 9 deletions
--- a/hw/arm_gic.c
+++ b/hw/arm_gic.c
@ -215,17 +215,26 @@ static void gic_complete_irq(gic_state * s, int cpu, int irq)
    int update = 0;
    int cm = 1 << cpu;
    DPRINTF("EOI %d\n", irq);
+    if (irq >= GIC_NIRQ) {
+        /* This handles two cases:
+         * 1. If software writes the ID of a spurious interrupt [ie 1023]
+         * to the GICC_EOIR, the GIC ignores that write.
+         * 2. If software writes the number of a non-existent interrupt
+         * this must be a subcase of "value written does not match the last
+         * valid interrupt value read from the Interrupt Acknowledge
+         * register" and so this is UNPREDICTABLE. We choose to ignore it.
+         */
+        return;
+    }
    if (s->running_irq[cpu] == 1023)
        return; /* No active IRQ.  */
-    if (irq != 1023) {
-        /* Mark level triggered interrupts as pending if they are still
-           raised.  */
-        if (!GIC_TEST_TRIGGER(irq) && GIC_TEST_ENABLED(irq, cm)
-                && GIC_TEST_LEVEL(irq, cm) && (GIC_TARGET(irq) & cm) != 0) {
-            DPRINTF("Set %d pending mask %x\n", irq, cm);
-            GIC_SET_PENDING(irq, cm);
-            update = 1;
-        }
+    /* Mark level triggered interrupts as pending if they are still
+       raised.  */
+    if (!GIC_TEST_TRIGGER(irq) && GIC_TEST_ENABLED(irq, cm)
+        && GIC_TEST_LEVEL(irq, cm) && (GIC_TARGET(irq) & cm) != 0) {
+        DPRINTF("Set %d pending mask %x\n", irq, cm);
+        GIC_SET_PENDING(irq, cm);
+        update = 1;
    }
    if (irq != s->running_irq[cpu]) {
        /* Complete an IRQ that is not currently running.  */