1 /*
2 * Copyright (c) 2016 Linux Test Project.
3 *
4 * This program is free software: you can redistribute it and/or modify
5 * it under the terms of the GNU General Public License as published by
6 * the Free Software Foundation, either version 3 of the License, or
7 * (at your option) any later version.
8 *
9 * This program is distributed in the hope that it will be useful,
10 * but WITHOUT ANY WARRANTY; without even the implied warranty of
11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 * GNU General Public License for more details.
13 *
14 * You should have received a copy of the GNU General Public License
15 * along with this program. If not, see <http://www.gnu.org/licenses/>.
16 */
17
18 /*
19 * DESCRIPTION
20 *
21 * Total s390 2^31 addr space is 0x80000000.
22 *
23 * 0x80000000 - 0x10000000 = 0x70000000
24 *
25 * 0x70000000 is a valid positive intptr_t and adding it to the current offset
26 * produces a valid uintptr_t without overflow (since the MSB being set is OK),
27 * but that is irrelevant for s390 since it has 31-bit pointers and not 32-bit
28 * pointers. Consequently, the brk syscall behaves incorrectly with the invalid
29 * address and changes the program break to the overflowed address. The glibc
30 * part of the implementation detects this overflow and returns a failure with
31 * ENOMEM, but does not reset the program break.
32 *
33 * So the bug is in sbrk as well as the brk syscall. brk() should validate the
34 * address being passed and return an error. sbrk() should not result in a brk
35 * call at all for an invalid address. One could argue in favour of fixing brk
36 * in glibc, but it should be the kernel since one could call the syscall
37 * directly without using the glibc entry points.
38 *
39 * The kernel part was fixed on v3.15 by commits:
40 * 473a06572fcd (s390/compat: convert system call wrappers to C part 02)
41 *
42 * Note:
43 * The reproducer should be built(gcc -m31) in 32bit on s390 platform
44 *
45 */
46
47 #include <stdio.h>
48 #include <unistd.h>
49 #include "tst_test.h"
50
sbrk_test(void)51 static void sbrk_test(void)
52 {
53 #if defined(__s390__) && __WORDSIZE == 32
54 void *ret1, *ret2;
55
56 /* set bkr to 0x10000000 */
57 tst_res(TINFO, "initial brk: %d", brk((void *)0x10000000));
58
59 /* add 0x10000000, up to total of 0x20000000 */
60 tst_res(TINFO, "sbrk increm: %p", sbrk(0x10000000));
61 ret1 = sbrk(0);
62
63 /* sbrk() returns -1 on s390, but still does overflowed brk() */
64 tst_res(TINFO, "sbrk increm: %p", sbrk(0x70000000));
65 ret2 = sbrk(0);
66
67 if (ret1 != ret2) {
68 tst_res(TFAIL, "Bug! sbrk: %p", ret2);
69 return;
70 }
71
72 tst_res(TPASS, "sbrk verify: %p", ret2);
73 #else
74 tst_res(TCONF, "Only works in 32bit on s390 series system");
75 #endif
76 }
77
78 static struct tst_test test = {
79 .tid = "sbrk03",
80 .test_all = sbrk_test,
81 };
82