1f08c3bdfSopenharmony_ci// SPDX-License-Identifier: GPL-2.0-or-later
2f08c3bdfSopenharmony_ci/*
3f08c3bdfSopenharmony_ci * Copyright (c) 2016 Linux Test Project.
4f08c3bdfSopenharmony_ci */
5f08c3bdfSopenharmony_ci
6f08c3bdfSopenharmony_ci/*
7f08c3bdfSopenharmony_ci * DESCRIPTION
8f08c3bdfSopenharmony_ci *
9f08c3bdfSopenharmony_ci * Total s390 2^31 addr space is 0x80000000.
10f08c3bdfSopenharmony_ci *
11f08c3bdfSopenharmony_ci *     0x80000000 - 0x10000000 = 0x70000000
12f08c3bdfSopenharmony_ci *
13f08c3bdfSopenharmony_ci * 0x70000000 is a valid positive intptr_t and adding it to the current offset
14f08c3bdfSopenharmony_ci * produces a valid uintptr_t without overflow (since the MSB being set is OK),
15f08c3bdfSopenharmony_ci * but that is irrelevant for s390 since it has 31-bit pointers and not 32-bit
16f08c3bdfSopenharmony_ci * pointers. Consequently, the brk syscall behaves incorrectly with the invalid
17f08c3bdfSopenharmony_ci * address and changes the program break to the overflowed address. The glibc
18f08c3bdfSopenharmony_ci * part of the implementation detects this overflow and returns a failure with
19f08c3bdfSopenharmony_ci * ENOMEM, but does not reset the program break.
20f08c3bdfSopenharmony_ci *
21f08c3bdfSopenharmony_ci * So the bug is in sbrk as well as the brk syscall. brk() should validate the
22f08c3bdfSopenharmony_ci * address being passed and return an error. sbrk() should not result in a brk
23f08c3bdfSopenharmony_ci * call at all for an invalid address. One could argue in favour of fixing brk
24f08c3bdfSopenharmony_ci * in glibc, but it should be the kernel since one could call the syscall
25f08c3bdfSopenharmony_ci * directly without using the glibc entry points.
26f08c3bdfSopenharmony_ci *
27f08c3bdfSopenharmony_ci * The kernel part was fixed on v3.15 by commits:
28f08c3bdfSopenharmony_ci *     473a06572fcd (s390/compat: convert system call wrappers to C part 02)
29f08c3bdfSopenharmony_ci *
30f08c3bdfSopenharmony_ci * Note:
 *     The reproducer should be built (gcc -m31) as a 32-bit binary on the s390 platform
32f08c3bdfSopenharmony_ci *
33f08c3bdfSopenharmony_ci */
34f08c3bdfSopenharmony_ci
35f08c3bdfSopenharmony_ci#include <stdio.h>
36f08c3bdfSopenharmony_ci#include <unistd.h>
37f08c3bdfSopenharmony_ci#include "lapi/abisize.h"
38f08c3bdfSopenharmony_ci#include "tst_test.h"
39f08c3bdfSopenharmony_ci
/*
 * Regression check for the s390 31-bit brk overflow.
 *
 * Moves the program break to 0x10000000, grows it by 0x10000000 (so the
 * break sits at 0x20000000), then requests a further 0x70000000. On a
 * 31-bit address space that sum wraps; the kernel must reject it and the
 * break reported by sbrk(0) must be the same before and after the request.
 * A changed break is reported as TFAIL, an unchanged one as TPASS.
 *
 * On anything other than a 32-bit (-m31) s390 build the test only reports
 * TCONF, since the overflow condition cannot be reproduced there.
 */
static void sbrk_test(void)
{
#if defined(__s390__) && defined(TST_ABI32)
	void *break_before, *break_after;
	void *grow_rc;
	int brk_rc;

	/* Place the program break at 0x10000000 (result is logged only). */
	brk_rc = brk((void *)0x10000000);
	tst_res(TINFO, "initial brk: %d", brk_rc);

	/* Grow by 0x10000000 so the break ends up at 0x20000000. */
	grow_rc = sbrk(0x10000000);
	tst_res(TINFO, "sbrk increm: %p", grow_rc);
	break_before = sbrk(0);

	/*
	 * 0x20000000 + 0x70000000 exceeds the 31-bit address space. glibc's
	 * sbrk() reports -1 here, but an unfixed kernel still applies the
	 * wrapped address to the break.
	 */
	grow_rc = sbrk(0x70000000);
	tst_res(TINFO, "sbrk increm: %p", grow_rc);
	break_after = sbrk(0);

	/* The break must not have moved for the rejected request. */
	if (break_before == break_after)
		tst_res(TPASS, "sbrk verify: %p", break_after);
	else
		tst_res(TFAIL, "Bug! sbrk: %p", break_after);
#else
	tst_res(TCONF, "Only works in 32bit on s390 series system");
#endif
}
66f08c3bdfSopenharmony_ci
/*
 * Test registration: one test function, tagged with the kernel commit
 * (473a06572fcd) that fixed the s390 compat syscall wrappers.
 */
static struct tst_test test = {
	.tags = (const struct tst_tag[]) {
		{"linux-git", "473a06572fcd"},
		{}
	},
	.test_all = sbrk_test,
};
74