[RTEMS Project] #4955: sparc: Potential stack corruption in uniprocessor configurations during start multitasking

RTEMS trac trac at rtems.org
Wed Sep 20 06:54:57 UTC 2023 

#4955: sparc: Potential stack corruption in uniprocessor configurations during
start multitasking
------------------------------+-----------------------------
  Reporter:  Sebastian Huber  |      Owner:  Sebastian Huber
      Type:  defect           |     Status:  assigned
  Priority:  normal           |  Milestone:  6.1
 Component:  arch/sparc       |    Version:  6
  Severity:  critical         |   Keywords:  qualification
Blocked By:                   |   Blocking:
------------------------------+-----------------------------
 The system initialization uses the interrupt stack. A first level
 interrupt shall never interrupt a context which uses the interrupt stack.
 Such a use would lead to stack corruption and undefined system behaviour.
 Unfortunately, in uniprocessor configurations this is the case right now.
 Multiprocessing is started using _CPU_Context_restore(). The caller of
 this function (_Thread_Start_multitasking()) uses the interrupt stack.
 Later we have in cpukit/score/cpu/sparc/cpu_asm.S:
 {{{
         mov     %g1, %psr                     ! restore status register
 and
                                               ! **** ENABLE TRAPS ****

         ld      [%o1 + G5_OFFSET], %g5        ! restore the global
 registers
         ld      [%o1 + G7_OFFSET], %g7

         ! Load thread specific ISR dispatch prevention flag
         ld      [%o1 + ISR_DISPATCH_DISABLE_STACK_OFFSET], %o2
         ! Store it to memory later to use the cycles

         ldd     [%o1 + L0_OFFSET], %l0        ! restore the local
 registers
         ldd     [%o1 + L2_OFFSET], %l2
         ldd     [%o1 + L4_OFFSET], %l4
         ldd     [%o1 + L6_OFFSET], %l6

         ! Now restore thread specific ISR dispatch prevention flag
         st      %o2, [%g6 + PER_CPU_ISR_DISPATCH_DISABLE]

         ldd     [%o1 + I0_OFFSET], %i0        ! restore the input
 registers
         ldd     [%o1 + I2_OFFSET], %i2
         ldd     [%o1 + I4_OFFSET], %i4
         ldd     [%o1 + I6_FP_OFFSET], %i6

         ldd     [%o1 + O6_SP_OFFSET], %o6     ! restore the output
 registers
 }}}
 Between the ENABLE TRAPS and the restore of the output registers, we still
 use the stack of the caller and interrupts may be enabled. If an interrupt
 happens in this code block, the interrupt stack is concurrently used which
 may lead to a crash.

--
Ticket URL: <http://devel.rtems.org/ticket/4955>
RTEMS Project <http://www.rtems.org/>
RTEMS Project

More information about the bugs mailing list