This is the mail archive of the ecos-bugs@sources.redhat.com mailing list for the eCos project.



[Bug 1000170] New: SuperH context switch code vulnerable to stack corruption by ISR


http://bugs.ecos.sourceware.org/show_bug.cgi?id=1000170

           Summary: SuperH context switch code vulnerable to stack
                    corruption by ISR
           Product: eCos
           Version: 2.0
          Platform: Other
        OS/Version: SuperH
            Status: UNCONFIRMED
          Severity: critical
          Priority: normal
         Component: HAL
        AssignedTo: jifl@ecoscentric.com
        ReportedBy: michaelb@ieee.org
         QAContact: ecos-bugs@sources.redhat.com


Discovered this in version 2.0, but would seem to be present in the latest CVS
code as well...

The implementation of hal_thread_load_context for the SuperH architecture
restores the stack pointer to its old value (pointing to a location above the
thread context being restored) before it has restored the status register from
that thread context. Thus if an interrupt occurs after the stack pointer is
restored, but before the status register is, then it will corrupt the as yet
unrestored status register value on the stack. The net effect of this is to
have threads being scheduled with extremely strange interrupt mask values,
which causes havoc with interrupt handling.

The fix is to delay the restoration of the stack pointer until *all* other
register values from the thread context have been restored. This ensures that
the stack pointer satisfies the invariant that the space below it on the stack
is always unused, thereby making the thread context routine interrupt safe.

The following patch seems to do the trick...

--- hal/sh/arch/v2_0/src/context.S-old  2005-04-18 18:37:13.814931904 +1000 
+++ hal/sh/arch/v2_0/src/context.S      2005-04-15 18:17:52.000000000 +1000 
@@ -155,11 +155,11 @@ 
         lds.l   @r0+,macl               ! macl 
         lds.l   @r0+,pr                 ! pr 
 
-        mov     r3,r15                  ! update stack pointer 
- 
         mov.l   @r0+,r2                 ! SR 
         hal_cpu_int_merge r2,r0,r1      ! restore interrupt state 
 
+        mov     r3,r15                  ! update stack pointer 
+ 
         rts                             ! and return 
          nop
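Review bot: the reordering only closes the window if r15 on entry points at or below the frame that `@r0+` is consuming, so it is worth confirming in the code above this hunk (not visible here) that nothing leaves r15 above the new thread's frame before this point; between `hal_cpu_int_merge r2,r0,r1` (which may re-enable interrupts) and the moved `mov r3,r15`, an interrupt still pushes at whatever r15 currently holds. Minor: the delay slot after `rts` is still a `nop`; the moved `mov r3,r15` could sit in that slot instead, since a SuperH delay slot executes before the return lands, which saves an instruction and keeps the stack pointer update as the very last thing done with the frame.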



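The ordering problem the report describes, as an added C model written for this archive page (it is not eCos code and does not reproduce the real SuperH context frame). A tiny downward-growing stack holds a saved frame of three words (macl, pr, sr) in the order `hal_thread_load_context` consumes them with `@r0+`; the thread's own stack pointer (the patch's r3) sits just above that frame. A simulated interrupt entry writes one word just below the current r15, as a real interrupt would save state there. The frame layout, slot indices, the saved SR value and the garbage word are constructed assumptions, and r15 is assumed to start at the frame base; the model shows that moving `mov r3,r15` before the SR load lets the interrupt land on the unread SR slot, while moving it after every other register has been loaded keeps the interrupt's write below the frame.

```c
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stack model: words grow downward as on SuperH. */
#define STACK_WORDS 16
#define FRAME_BASE   8                  /* r0 on entry: first word of saved context (assumed) */
#define SLOT_MACL    (FRAME_BASE + 0)
#define SLOT_PR      (FRAME_BASE + 1)
#define SLOT_SR      (FRAME_BASE + 2)   /* last word read, the one the bug clobbers */
#define THREAD_SP    (FRAME_BASE + 3)   /* r3: thread's stack pointer, above the frame */

#define SAVED_SR     0x00000020u        /* constructed saved SR: IMASK field = 2 */
#define ISR_GARBAGE  0xDEADBEEFu        /* constructed word an interrupt entry pushes */

struct cpu {
    uint32_t stack[STACK_WORDS];
    size_t   sp;                        /* r15, as an index into stack[] */
    uint32_t macl, pr, sr;              /* registers being restored */
};

/* SuperH SR keeps the interrupt mask (I3..I0) in bits 4..7. */
unsigned sr_imask(uint32_t sr)
{
    return (sr >> 4) & 0xFu;
}

/*
 * Simulated interrupt: entry saves state just below the current r15 and the
 * handler's return puts r15 back, but the word it wrote stays in memory.
 * Whatever lives directly below r15 at that instant is clobbered.
 */
static void interrupt_fires(struct cpu *c)
{
    c->sp -= 1;
    c->stack[c->sp] = ISR_GARBAGE;
    c->sp += 1;
}

/*
 * Walk the frame the way context.S does.  'patched' selects where the
 * "mov r3,r15" happens: before the SR load (original code) or after every
 * other register has been loaded (the fix).  Returns the SR the thread
 * would actually resume with.
 */
uint32_t simulate_load(int patched, int isr_between_sp_and_sr)
{
    struct cpu c = { .sp = FRAME_BASE };        /* assumed: r15 at the frame base on entry */
    size_t r0 = FRAME_BASE;

    c.stack[SLOT_MACL] = 0x11111111u;           /* constructed saved values */
    c.stack[SLOT_PR]   = 0x22222222u;
    c.stack[SLOT_SR]   = SAVED_SR;

    c.macl = c.stack[r0++];                     /* lds.l @r0+,macl */
    c.pr   = c.stack[r0++];                     /* lds.l @r0+,pr   */

    if (!patched)
        c.sp = THREAD_SP;                       /* mov r3,r15 too early: the frame now looks free */

    if (isr_between_sp_and_sr)
        interrupt_fires(&c);                    /* hits SLOT_SR only if r15 was already raised */

    c.sr = c.stack[r0++];                       /* mov.l @r0+,r2 ; hal_cpu_int_merge r2,r0,r1 */

    if (patched)
        c.sp = THREAD_SP;                       /* mov r3,r15 once the frame is fully consumed */

    return c.sr;
}

int main(void)
{
    uint32_t a = simulate_load(0, 0), b = simulate_load(0, 1), d = simulate_load(1, 1);
    printf("original, no interrupt : SR=%08" PRIx32 " IMASK=%u\n", a, sr_imask(a));
    printf("original, interrupt    : SR=%08" PRIx32 " IMASK=%u\n", b, sr_imask(b));
    printf("patched,  interrupt    : SR=%08" PRIx32 " IMASK=%u\n", d, sr_imask(d));
    return 0;
}
```

The interrupt is fired at the one point the report singles out, between the stack pointer update and the SR load; the "extremely strange interrupt mask values" in the report correspond to `sr_imask()` of the clobbered word rather than of the saved SR. The model does not cover r15 pointing above the frame on entry, which the reordering alone would not protect against.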

