SELFOUR-420: Avoid indexing intStateIRQTable with an invalid IRQ

06bd6e00 · Adrian Danis · Sophie Taylor · 603484f9 · 06bd6e00 · 06bd6e00
Commit 06bd6e00 authored 9 years ago by Adrian Danis Committed by Sophie Taylor 9 years ago
--- a/haskell/src/SEL4/Object/Interrupt.lhs
+++ b/haskell/src/SEL4/Object/Interrupt.lhs
@@ -165,22 +165,30 @@ This function is called when the kernel receives an interrupt event.

 > handleInterrupt :: IRQ -> Kernel ()
 > handleInterrupt irq = do
->     st <- getIRQState irq
->     case st of
->         IRQSignal -> do
->             slot <- getIRQSlot irq
->             cap <- getSlotCap slot
->             case cap of
->                 NotificationCap { capNtfnCanSend = True } ->
->                     sendSignal (capNtfnPtr cap) (capNtfnBadge cap)
->                 _ -> doMachineOp $ debugPrint $
->                     "Undelivered interrupt: " ++ show irq
->             doMachineOp $ maskInterrupt True irq
->         IRQTimer -> do
->             timerTick
->             doMachineOp resetTimer
->         IRQInactive -> fail $ "Received disabled IRQ " ++ show irq
->     doMachineOp $ ackInterrupt irq
+>     if (irq > maxIRQ) then doMachineOp $ (do
+        mask, ack and pretend it didn't happen. We assume that because
+        the interrupt controller for the platform returned this IRQ that
+        it is safe to use in mask and ack operations, even though it is
+        above the claimed maxIRQ. i.e. we're assuming maxIRQ is wrong
+>          maskInterrupt True irq
+>          ackInterrupt irq)
+>      else do
+>       st <- getIRQState irq
+>       case st of
+>           IRQSignal -> do
+>               slot <- getIRQSlot irq
+>               cap <- getSlotCap slot
+>               case cap of
+>                   NotificationCap { capNtfnCanSend = True } ->
+>                       sendSignal (capNtfnPtr cap) (capNtfnBadge cap)
+>                   _ -> doMachineOp $ debugPrint $
+>                       "Undelivered interrupt: " ++ show irq
+>               doMachineOp $ maskInterrupt True irq
+>           IRQTimer -> do
+>               timerTick
+>               doMachineOp resetTimer
+>           IRQInactive -> fail $ "Received disabled IRQ " ++ show irq
+>       doMachineOp $ ackInterrupt irq

 \subsection{Accessing the Global State}


--- a/src/object/interrupt.c
+++ b/src/object/interrupt.c
@@ -179,6 +179,16 @@ deletedIRQHandler(irq_t irq)
 void
 handleInterrupt(irq_t irq)
 {
+    if (irq > maxIRQ) {
+        /* mask, ack and pretend it didn't happen. We assume that because
+         * the interrupt controller for the platform returned this IRQ that
+         * it is safe to use in mask and ack operations, even though it is
+         * above the claimed maxIRQ. i.e. we're assuming maxIRQ is wrong */
+        printf("Received IRQ %d, which is above the platforms maxIRQ of %d\n", irq, maxIRQ);
+        maskInterrupt(true, irq);
+        ackInterrupt(irq);
+        return;
+    }
    switch (intStateIRQTable[irq]) {
    case IRQSignal: {
        cap_t cap;