1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /*
3 * Copyright (c) 2016 Linux Test Project.
4 */
5
6 /*
7 * DESCRIPTION
8 *
9 * Total s390 2^31 addr space is 0x80000000.
10 *
11 * 0x80000000 - 0x10000000 = 0x70000000
12 *
13 * 0x70000000 is a valid positive intptr_t and adding it to the current offset
14 * produces a valid uintptr_t without overflow (since the MSB being set is OK),
15 * but that is irrelevant for s390 since it has 31-bit pointers and not 32-bit
16 * pointers. Consequently, the brk syscall behaves incorrectly with the invalid
17 * address and changes the program break to the overflowed address. The glibc
18 * part of the implementation detects this overflow and returns a failure with
19 * ENOMEM, but does not reset the program break.
20 *
21 * So the bug is in sbrk as well as the brk syscall. brk() should validate the
22 * address being passed and return an error. sbrk() should not result in a brk
23 * call at all for an invalid address. One could argue in favour of fixing brk
24 * in glibc, but it should be the kernel since one could call the syscall
25 * directly without using the glibc entry points.
26 *
27 * The kernel part was fixed in v3.15 by commit:
28 * 473a06572fcd (s390/compat: convert system call wrappers to C part 02)
29 *
30 * Note:
31 * The reproducer should be built as a 32-bit binary (gcc -m31) on the s390 platform.
32 *
33 */
34
35 #include <stdio.h>
36 #include <unistd.h>
37 #include "lapi/abisize.h"
38 #include "tst_test.h"
39
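/*
 * Regression check for the s390 31-bit brk()/sbrk() overflow described in the
 * file header.
 *
 * The break is first placed at 0x10000000 and grown by 0x10000000. A further
 * sbrk(0x70000000) is then requested, which per the header cannot be
 * satisfied in the 2^31 address space. The break is sampled with sbrk(0)
 * before and after that request:
 *   - unchanged -> TPASS (the out-of-range request was rejected cleanly)
 *   - changed   -> TFAIL (the break moved to the overflowed address, i.e. the
 *                  kernel accepted an address it should have validated)
 *
 * Both setup calls are checked. If either fails, the overflow condition is
 * never reached and an unchanged break would be reported as TPASS without the
 * kernel path having been exercised, so the test stops with TBROK instead.
 *
 * On anything other than 32-bit s390 the test reports TCONF.
 */
static void sbrk_test(void)
{
#if defined(__s390__) && defined(TST_ABI32)
	void *ret1, *ret2, *prev;
	int rc;

	/* set brk to 0x10000000; check before logging so errno is still valid */
	rc = brk((void *)0x10000000);
	if (rc)
		tst_brk(TBROK | TERRNO, "brk(0x10000000) failed");
	tst_res(TINFO, "initial brk: %d", rc);

	/* add 0x10000000, up to total of 0x20000000 */
	prev = sbrk(0x10000000);
	if (prev == (void *)-1)
		tst_brk(TBROK | TERRNO, "sbrk(0x10000000) failed");
	tst_res(TINFO, "sbrk increm: %p", prev);
	ret1 = sbrk(0);

	/*
	 * sbrk() returns -1 on s390, but on an unfixed kernel the overflowed
	 * brk() has already been applied, so the return value alone proves
	 * nothing; the break itself is compared below.
	 */
	tst_res(TINFO, "sbrk increm: %p", sbrk(0x70000000));
	ret2 = sbrk(0);

	if (ret1 != ret2) {
		tst_res(TFAIL, "Bug! sbrk: %p", ret2);
		return;
	}

	tst_res(TPASS, "sbrk verify: %p", ret2);
#else
	tst_res(TCONF, "Only works in 32bit on s390 series system");
#endif
}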
66
/*
 * LTP test descriptor. The whole test is a single sbrk_test() pass; the
 * "linux-git" tag names the kernel commit cited in the file header as the fix,
 * so a failure report can point at the missing patch.
 */
static struct tst_test test = {
	.tags = (const struct tst_tag[]) {
		{"linux-git", "473a06572fcd"},
		{}	/* empty entry closes the tag list */
	},
	.test_all = sbrk_test,
};
74