      1 /*
      2  * Copyright (c) 2016 Linux Test Project.
      3  *
      4  * This program is free software: you can redistribute it and/or modify
      5  * it under the terms of the GNU General Public License as published by
      6  * the Free Software Foundation, either version 3 of the License, or
      7  * (at your option) any later version.
      8  *
      9  * This program is distributed in the hope that it will be useful,
     10  * but WITHOUT ANY WARRANTY; without even the implied warranty of
     11  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     12  * GNU General Public License for more details.
     13  *
     14  * You should have received a copy of the GNU General Public License
     15  * along with this program.  If not, see <http://www.gnu.org/licenses/>.
     16  */
     17 
     18 /*
     19  * DESCRIPTION
     20  *
     21  * Total s390 2^31 addr space is 0x80000000.
     22  *
     23  *     0x80000000 - 0x10000000 = 0x70000000
     24  *
     25  * 0x70000000 is a valid positive intptr_t and adding it to the current offset
     26  * produces a valid uintptr_t without overflow (since the MSB being set is OK),
     27  * but that is irrelevant for s390 since it has 31-bit pointers and not 32-bit
     28  * pointers. Consequently, the brk syscall behaves incorrectly with the invalid
     29  * address and changes the program break to the overflowed address. The glibc
     30  * part of the implementation detects this overflow and returns a failure with
     31  * ENOMEM, but does not reset the program break.
     32  *
     33  * So the bug is in sbrk as well as the brk syscall. brk() should validate the
     34  * address being passed and return an error. sbrk() should not result in a brk
     35  * call at all for an invalid address. One could argue in favour of fixing brk
     36  * in glibc, but it should be the kernel since one could call the syscall
     37  * directly without using the glibc entry points.
     38  *
     39  * The kernel part was fixed in v3.15 by commit:
     40  *     473a06572fcd (s390/compat: convert system call wrappers to C part 02)
     41  *
     42  * Note:
     43  *     The reproducer should be built (gcc -m31) as a 32-bit binary on the s390 platform
     44  *
     45  */
     46 
     47 #include <stdio.h>
     48 #include <unistd.h>
     49 #include "tst_test.h"
     50 
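/*
 * Reproduce the s390 31-bit brk() overflow: an sbrk() increment that wraps
 * past the 2^31 address space must fail without moving the program break.
 *
 * Reports TPASS when the break is unchanged after the overflowing sbrk(),
 * TFAIL when it moved, TCONF on any other platform/word size, and TBROK
 * when the initial brk() used to pin the break cannot be performed.
 */
static void sbrk_test(void)
{
#if defined(__s390__) && __WORDSIZE == 32
	void *ret1, *ret2;

	/*
	 * Pin the program break to 0x10000000 so that the increments below
	 * reach a known address; without this the test depends on wherever
	 * the loader happened to place the heap. brk() returns 0 on success
	 * and -1 on failure, so the result must be checked rather than only
	 * printed, otherwise the later verdict is meaningless.
	 */
	if (brk((void *)0x10000000) != 0)
		tst_brk(TBROK | TERRNO, "brk(0x10000000) failed");

	tst_res(TINFO, "initial brk set to 0x10000000");

	/* add 0x10000000, up to total of 0x20000000 */
	tst_res(TINFO, "sbrk increm: %p", sbrk(0x10000000));
	ret1 = sbrk(0);

	/*
	 * 0x20000000 + 0x70000000 = 0x90000000 exceeds the 31-bit address
	 * space. sbrk() returns -1 on s390, but an unfixed kernel still
	 * performs the overflowed brk(), which is what the comparison of
	 * ret1 and ret2 below detects.
	 */
	tst_res(TINFO, "sbrk increm: %p", sbrk(0x70000000));
	ret2 = sbrk(0);

	if (ret1 != ret2) {
		tst_res(TFAIL, "Bug! sbrk: %p", ret2);
		return;
	}

	tst_res(TPASS, "sbrk verify: %p", ret2);
#else
	tst_res(TCONF, "Only works in 32bit on s390 series system");
#endif
}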
     77 
/*
 * Test descriptor handed to the LTP library: sbrk_test is run as the
 * whole test body, reported under the id "sbrk03".
 */
static struct tst_test test = {
	.test_all = sbrk_test,
	.tid = "sbrk03",
};