Initial IRQ stack pointer needs to be in ROM

[andrewboie]

Memory corruption can affect exception handling since for all arches, the stack pointer for handling exceptions is fetched from _kernel. If _kernel is corrupted the stack pointer could get set to some insane value and cause a double fault. However this value doesn't need to be in RAM, it's computed once as K_THREAD_STACK_BUFFER(_interrupt_stack) + CONFIG_ISR_STACK_SIZE and is never touched again. It's essentially a read-only value. It doesn't need to be in RAM.

Remove the irq_stack members from _kernel (for both UP and SMP) and use ROM for it. Initialize a const read-only array at buiild time which contains this information for each CPU, stored in ROM/text region, and have the exception handler read that instead. Do this for all arches.

[mike-scott]

@andrewboie is this true even when using https://github.com/runtimeco/mcuboot ?

[andrewboie]

@mike-scott I don't follow you, please elaborate.
Once set nobody changes the initial IRQ stack pointer in Zephyr. It's just used to set sp when entering a non-nested interrupt or exception.

[mike-scott]

Yeah actually I misread this. I was thinking of the vector table which is reloaded into RAM for the jump from mcuboot to whatever it loads next.

[zephyrbot]

Hi @peter-mitsis, @andyross,

This issue, marked as an Enhancement, was opened a while ago and did not get any traction. It was just assigned to you based on the labels. If you don't consider yourself the right person to address this issue, please re-assing it to the right person.

Please take a moment to review if the issue is still relevant to the project. If it is, please provide feedback and direction on how to move forward. If it is not, has already been addressed, is a duplicate, or is no longer relevant, please close it with a short comment explaining the reason.

@andrewboie you are also encouraged to help moving this issue forward by providing additional information and confirming this request/issue is still relevant to you.

Thanks!

[andyross]

Close this one. On all modern (arch_switch) architectures the ISR entry code is handled at the arch layer, and doesn't/shouldn't depend on the data in _kernel. They will end up as ROMed constants where practical, though there's no way to enforce that globally (and it's impossible anyway on most of the newer architectures as requirements like interrupts out of MMU contexts and nested ISRs mean that entry is always going to involve a bunch of logic based on RAM contents).