From patchwork Fri Jun 7 14:17:03 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Cornelia Huck X-Patchwork-Id: 1111949 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (mailfrom) smtp.mailfrom=nongnu.org (client-ip=209.51.188.17; helo=lists.gnu.org; envelope-from=qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org; receiver=) Authentication-Results: ozlabs.org; dmarc=fail (p=none dis=none) header.from=redhat.com Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 45L56F0Xgsz9sNd for ; Sat, 8 Jun 2019 00:49:56 +1000 (AEST) Received: from localhost ([::1]:48414 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.86_2) (envelope-from ) id 1hZGBh-0000vj-5W for incoming@patchwork.ozlabs.org; Fri, 07 Jun 2019 10:49:49 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:52927) by lists.gnu.org with esmtp (Exim 4.86_2) (envelope-from ) id 1hZFh8-0003Wi-SR for qemu-devel@nongnu.org; Fri, 07 Jun 2019 10:18:16 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1hZFh6-0003Dl-Ju for qemu-devel@nongnu.org; Fri, 07 Jun 2019 10:18:14 -0400 Received: from mx1.redhat.com ([209.132.183.28]:53440) by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1hZFh6-0003Ah-Cm; Fri, 07 Jun 2019 10:18:12 -0400 Received: from smtp.corp.redhat.com (int-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.12]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id A3500309B146; Fri, 7 Jun 2019 14:18:10 +0000 (UTC) Received: from localhost (dhcp-192-191.str.redhat.com [10.33.192.191]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 4E1036840F; Fri, 7 Jun 2019 14:18:10 +0000 (UTC) From: Cornelia Huck To: Peter Maydell Date: Fri, 7 Jun 2019 16:17:03 +0200 Message-Id: <20190607141727.29018-11-cohuck@redhat.com> In-Reply-To: <20190607141727.29018-1-cohuck@redhat.com> References: <20190607141727.29018-1-cohuck@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.79 on 10.5.11.12 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.49]); Fri, 07 Jun 2019 14:18:10 +0000 (UTC) X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] X-Received-From: 209.132.183.28 Subject: [Qemu-devel] [PULL v2 10/34] s390x/tcg: Store only the necessary amount of doublewords for STFLE X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Stefan Liebler , David Hildenbrand , Andreas Krebbel , Richard Henderson , qemu-devel@nongnu.org, qemu-s390x@nongnu.org Errors-To: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org Sender: "Qemu-devel" From: David Hildenbrand The PoP (z14, 7-382) says: Doublewords to the right of the doubleword in which the highest-numbered facility bit is assigned for a model may or may not be stored. However, stack protection in certain binaries can't deal with that. "gzip" example code: f1b4: a7 08 00 03 lhi %r0,3 f1b8: b2 b0 f0 a0 stfle 160(%r15) f1bc: e3 20 f0 b2 00 90 llgc %r2,178(%r15) f1c2: c0 2b 00 00 00 01 nilf %r2,1 f1c8: b2 4f 00 10 ear %r1,%a0 f1cc: b9 14 00 22 lgfr %r2,%r2 f1d0: eb 11 00 20 00 0d sllg %r1,%r1,32 f1d6: b2 4f 00 11 ear %r1,%a1 f1da: d5 07 f0 b8 10 28 clc 184(8,%r15),40(%r1) f1e0: a7 74 00 06 jne f1ec f1e4: eb ef f1 30 00 04 lmg %r14,%r15,304(%r15) f1ea: 07 fe br %r14 f1ec: c0 e5 ff ff 9d 6e brasl %r14,2cc8 <__stack_chk_fail@plt> In QEMU, we currently have: max_bytes = 24 the code asks for (3 + 1) doublewords == 32 bytes. If we write 32 bytes instead of only 24, and return "2 + 1" doublewords ("one less than the number of doulewords needed to contain all of the facility bits"), the example code detects a stack corruption. In my opinion, the code is wrong. However, it seems to work fine on real machines. So let's limit storing to the minimum of the requested and the maximum doublewords. Cc: Stefan Liebler Cc: Andreas Krebbel Reviewed-by: Richard Henderson Signed-off-by: David Hildenbrand --- target/s390x/misc_helper.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/target/s390x/misc_helper.c b/target/s390x/misc_helper.c index 34476134a407..10aa617cf9c5 100644 --- a/target/s390x/misc_helper.c +++ b/target/s390x/misc_helper.c @@ -678,7 +678,13 @@ uint32_t HELPER(stfle)(CPUS390XState *env, uint64_t addr) prepare_stfl(); max_bytes = ROUND_UP(used_stfl_bytes, 8); - for (i = 0; i < count_bytes; ++i) { + + /* + * The PoP says that doublewords beyond the highest-numbered facility + * bit may or may not be stored. However, existing hardware appears to + * not store the words, and existing software depend on that. + */ + for (i = 0; i < MIN(count_bytes, max_bytes); ++i) { cpu_stb_data_ra(env, addr + i, stfl_bytes[i], ra); }