blob: 1b0e9e9a2ddce5a3377ded7dad656202586339dc [file] [log] [blame]
// SPDX-License-Identifier: GPL-2.0+
/*
* Copyright 2018, Michael Ellerman, IBM Corp.
*
* Test that an out-of-bounds branch to counter behaves as expected.
*/
#include <setjmp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <ucontext.h>
#include <unistd.h>
#include "utils.h"
#define BAD_NIP 0x788c545a18000000ull
static struct pt_regs signal_regs;
static jmp_buf setjmp_env;
static void save_regs(ucontext_t *ctxt)
{
struct pt_regs *regs = ctxt->uc_mcontext.regs;
memcpy(&signal_regs, regs, sizeof(signal_regs));
}
static void segv_handler(int signum, siginfo_t *info, void *ctxt_v)
{
save_regs(ctxt_v);
longjmp(setjmp_env, 1);
}
static void usr2_handler(int signum, siginfo_t *info, void *ctxt_v)
{
save_regs(ctxt_v);
}
static int ok(void)
{
printf("Everything is OK in here.\n");
return 0;
}
#define REG_POISON 0x5a5aUL
#define POISONED_REG(n) ((REG_POISON << 48) | ((n) << 32) | (REG_POISON << 16) | (n))
static inline void poison_regs(void)
{
#define POISON_REG(n) \
"lis " __stringify(n) "," __stringify(REG_POISON) ";" \
"addi " __stringify(n) "," __stringify(n) "," __stringify(n) ";" \
"sldi " __stringify(n) "," __stringify(n) ", 32 ;" \
"oris " __stringify(n) "," __stringify(n) "," __stringify(REG_POISON) ";" \
"addi " __stringify(n) "," __stringify(n) "," __stringify(n) ";"
asm (POISON_REG(15)
POISON_REG(16)
POISON_REG(17)
POISON_REG(18)
POISON_REG(19)
POISON_REG(20)
POISON_REG(21)
POISON_REG(22)
POISON_REG(23)
POISON_REG(24)
POISON_REG(25)
POISON_REG(26)
POISON_REG(27)
POISON_REG(28)
POISON_REG(29)
: // inputs
: // outputs
: "15", "16", "17", "18", "19", "20", "21", "22", "23", "24", "25",
"26", "27", "28", "29"
);
#undef POISON_REG
}
static int check_regs(void)
{
unsigned long i;
for (i = 15; i <= 29; i++)
FAIL_IF(signal_regs.gpr[i] != POISONED_REG(i));
printf("Regs OK\n");
return 0;
}
static void dump_regs(void)
{
for (int i = 0; i < 32; i += 4) {
printf("r%02d 0x%016lx r%02d 0x%016lx " \
"r%02d 0x%016lx r%02d 0x%016lx\n",
i, signal_regs.gpr[i],
i+1, signal_regs.gpr[i+1],
i+2, signal_regs.gpr[i+2],
i+3, signal_regs.gpr[i+3]);
}
}
int test_wild_bctr(void)
{
int (*func_ptr)(void);
struct sigaction segv = {
.sa_sigaction = segv_handler,
.sa_flags = SA_SIGINFO
};
struct sigaction usr2 = {
.sa_sigaction = usr2_handler,
.sa_flags = SA_SIGINFO
};
FAIL_IF(sigaction(SIGSEGV, &segv, NULL));
FAIL_IF(sigaction(SIGUSR2, &usr2, NULL));
bzero(&signal_regs, sizeof(signal_regs));
if (setjmp(setjmp_env) == 0) {
func_ptr = ok;
func_ptr();
kill(getpid(), SIGUSR2);
printf("Regs before:\n");
dump_regs();
bzero(&signal_regs, sizeof(signal_regs));
poison_regs();
func_ptr = (int (*)(void))BAD_NIP;
func_ptr();
FAIL_IF(1); /* we didn't segv? */
}
FAIL_IF(signal_regs.nip != BAD_NIP);
printf("All good - took SEGV as expected branching to 0x%llx\n", BAD_NIP);
dump_regs();
FAIL_IF(check_regs());
return 0;
}
int main(void)
{
return test_harness(test_wild_bctr, "wild_bctr");
}