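// SPDX-License-Identifier: GPL-2.0+
/*
 * Copyright 2018, Michael Ellerman, IBM Corp.
 *
 * Test that an out-of-bounds branch to counter behaves as expected.
 */

#include <setjmp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <ucontext.h>
#include <unistd.h>

#include "utils.h"


/* Address the test branches to; the SIGSEGV frame is expected to report it as NIP. */
#define BAD_NIP		0x788c545a18000000ull

/* Register block copied out of the ucontext by the most recent handler run. */
static struct pt_regs signal_regs;
/* Recovery point that segv_handler() unwinds to. */
static jmp_buf setjmp_env;

/*
 * Copy the register block of the interrupted context into signal_regs.
 *
 * @ctxt: ucontext passed to an SA_SIGINFO handler; uc_mcontext.regs must
 *        point at a valid struct pt_regs.
 */
static void save_regs(ucontext_t *ctxt)
{
	const struct pt_regs *regs = ctxt->uc_mcontext.regs;

	memcpy(&signal_regs, regs, sizeof(signal_regs));
}

/*
 * SIGSEGV handler: record the register state of the faulting context, then
 * unwind to the setjmp() point instead of returning into that context.
 *
 * NOTE(review): the handler is left through longjmp(), not siglongjmp(), so
 * whether the signal mask is restored is up to the C library. SIGSEGV may
 * stay blocked after the jump; that is tolerable while the test takes exactly
 * one fault, but needs revisiting if a second fault is ever expected.
 */
static void segv_handler(int signum, siginfo_t *info, void *ctxt_v)
{
	save_regs(ctxt_v);
	longjmp(setjmp_env, 1);
}

/* SIGUSR2 handler: record the register state and return normally. */
static void usr2_handler(int signum, siginfo_t *info, void *ctxt_v)
{
	save_regs(ctxt_v);
}

/* Valid branch target used for the sanity call; prints a message, returns 0. */
static int ok(void)
{
	printf("Everything is OK in here.\n");
	return 0;
}

/*
 * REG_POISON is pasted into the assembly text below via __stringify(), so it
 * is kept free of a C integer suffix: the token must be a plain immediate for
 * the assembler. The casts in POISONED_REG() supply the unsigned long width
 * the suffix used to provide.
 */
#define REG_POISON	0x5a5a
/* Expected value of GPR n after poison_regs(): 0x5a5a, n, 0x5a5a, n in 16-bit fields. */
#define POISONED_REG(n)	((((unsigned long)REG_POISON) << 48) | ((n) << 32) | \
			 (((unsigned long)REG_POISON) << 16) | (n))

/*
 * Load r15..r29 with the per-register pattern described by POISONED_REG(), so
 * that check_regs() can tell whether the values captured in the signal frame
 * are the ones that were live at the faulting branch.
 */
static inline void poison_regs(void)
{
	/*
	 * Per register n: lis loads REG_POISON into the upper half of the low
	 * word, addi adds the immediate n, sldi moves the result to the high
	 * word, then oris/addi repeat the pattern in the low word. In the
	 * addi lines the first two operands are register n, the third is the
	 * immediate value n.
	 */
	#define POISON_REG(n)	\
	  "lis  " __stringify(n) "," __stringify(REG_POISON) ";" \
	  "addi " __stringify(n) "," __stringify(n) "," __stringify(n) ";" \
	  "sldi " __stringify(n) "," __stringify(n) ", 32 ;" \
	  "oris " __stringify(n) "," __stringify(n) "," __stringify(REG_POISON) ";" \
	  "addi " __stringify(n) "," __stringify(n) "," __stringify(n) ";"

	/*
	 * No output operands, so the compiler treats the statement as having
	 * side effects; the clobber list declares every register written.
	 */
	asm (POISON_REG(15)
	     POISON_REG(16)
	     POISON_REG(17)
	     POISON_REG(18)
	     POISON_REG(19)
	     POISON_REG(20)
	     POISON_REG(21)
	     POISON_REG(22)
	     POISON_REG(23)
	     POISON_REG(24)
	     POISON_REG(25)
	     POISON_REG(26)
	     POISON_REG(27)
	     POISON_REG(28)
	     POISON_REG(29)
	     : // outputs (none)
	     : // inputs (none)
	     : "15", "16", "17", "18", "19", "20", "21", "22", "23", "24", "25",
	       "26", "27", "28", "29"
	);
	#undef POISON_REG
}
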
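/*
 * Verify that r15..r29 in the captured signal frame still hold the pattern
 * written by poison_regs().
 *
 * Returns 0 when every register matches. FAIL_IF() comes from utils.h and is
 * presumably what reports the failure and returns non-zero on a mismatch -
 * confirm against utils.h.
 */
static int check_regs(void)
{
	unsigned long i;

	for (i = 15; i <= 29; i++) {
		FAIL_IF(signal_regs.gpr[i] != POISONED_REG(i));
	}

	printf("Regs OK\n");
	return 0;
}

/* Print the 32 captured GPRs, four per line. */
static void dump_regs(void)
{
	for (int i = 0; i < 32; i += 4) {
		printf("r%02d 0x%016lx  r%02d 0x%016lx  "
		       "r%02d 0x%016lx  r%02d 0x%016lx\n",
		       i, signal_regs.gpr[i],
		       i + 1, signal_regs.gpr[i + 1],
		       i + 2, signal_regs.gpr[i + 2],
		       i + 3, signal_regs.gpr[i + 3]);
	}
}

/*
 * Branch to BAD_NIP through a function pointer and check what the resulting
 * SIGSEGV frame reports.
 *
 * The test passes (returns 0) only if the fault is delivered as SIGSEGV, the
 * frame's NIP equals BAD_NIP, and r15..r29 in the frame still carry the values
 * set by poison_regs() - i.e. the register state handed to the handler is the
 * state that was live at the wild branch.
 */
int test_wild_bctr(void)
{
	int (*func_ptr)(void);
	struct sigaction segv = {
		.sa_sigaction = segv_handler,
		.sa_flags = SA_SIGINFO
	};
	struct sigaction usr2 = {
		.sa_sigaction = usr2_handler,
		.sa_flags = SA_SIGINFO
	};

	FAIL_IF(sigaction(SIGSEGV, &segv, NULL));
	FAIL_IF(sigaction(SIGUSR2, &usr2, NULL));

	/* memset() is declared by the already-included <string.h>; bzero() is not. */
	memset(&signal_regs, 0, sizeof(signal_regs));

	if (setjmp(setjmp_env) == 0) {
		/* Sanity check: an indirect call to a valid target works. */
		func_ptr = ok;
		func_ptr();

		/*
		 * Capture a reference register dump through the SIGUSR2
		 * handler. If the signal cannot be sent the dump below would
		 * only show the zeroed buffer, so treat that as a failure.
		 */
		FAIL_IF(kill(getpid(), SIGUSR2));
		printf("Regs before:\n");
		dump_regs();
		memset(&signal_regs, 0, sizeof(signal_regs));

		poison_regs();

		/*
		 * NOTE(review): nothing at the C level stops the compiler from
		 * using r15..r29 between poison_regs() and the call below; the
		 * register check relies on it not doing so. Keep these
		 * statements adjacent and free of additional work.
		 */
		func_ptr = (int (*)(void))BAD_NIP;
		func_ptr();

		FAIL_IF(1); /* we didn't segv? */
	}

	/* Reached via longjmp() from segv_handler(): signal_regs holds the fault frame. */
	FAIL_IF(signal_regs.nip != BAD_NIP);

	printf("All good - took SEGV as expected branching to 0x%llx\n", BAD_NIP);

	dump_regs();
	FAIL_IF(check_regs());

	return 0;
}

/* Run the test under the selftest harness provided by utils.h. */
int main(void)
{
	return test_harness(test_wild_bctr, "wild_bctr");
}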