Subject: port-i386/10389: Illegal usage of the stack by exp() etc.
To: None <gnats-bugs@gnats.netbsd.org>
From: Takahiro Kambe <taca@sky.yamashina.kyoto.jp>
List: netbsd-bugs
Date: 06/18/2000 16:27:13
>Number: 10389
>Category: port-i386
>Synopsis: Illegal usage of the stack by exp() etc.
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: port-i386-maintainer
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Sun Jun 18 16:28:00 PDT 2000
>Closed-Date:
>Last-Modified:
>Originator: Takahiro Kambe
>Release: NetBSD-current 2000/6/14
>Organization:
>Environment:
System: NetBSD edge.sky.yamashina.kyoto.jp 1.4ZD NetBSD 1.4ZD (CF-M33) #32: Thu Jun 15 08:58:49 JST 2000 taca@edge.sky.yamashina.kyoto.jp:/usr/src/sys/arch/i386/compile/CF-M33 i386
>Description:
This was reported as OpenBSD PR 1258, which has already been closed there:
On i387, exp(), ceil(), ceilf(), floor(), and floorf() store their saved and
modified FPU control words at -12(%ebp) and -16(%ebp), but each function only
reserves 8 bytes of frame, so those stores land below the stack pointer (%esp),
outside the function's own frame. That region is not preserved: if a signal is
delivered while the function is running, the signal handler's frame is built
there and overwrites the saved control word that is later reloaded with fldcw.
>How-To-Repeat:
See the source code: in each function `subl $8,%esp` reserves only -8(%ebp)..-1(%ebp), yet the control word is stored at -12(%ebp) and -16(%ebp). Any asynchronous signal delivered between the store and the reload can overwrite those slots.
>Fix:
Here is a patch.
--- lib/libm/arch/i387/e_exp.S.orig Sat Jul 27 19:43:55 1996
+++ lib/libm/arch/i387/e_exp.S Fri Jun 2 18:33:09 2000
@@ -13,11 +13,11 @@
movl %esp,%ebp
subl $8,%esp
- fstcw -12(%ebp) /* store fpu control word */
- movw -12(%ebp),%dx
+ fstcw -4(%ebp) /* store fpu control word */
+ movw -4(%ebp),%dx
orw $0x0180,%dx
- movw %dx,-16(%ebp)
- fldcw -16(%ebp) /* load modfied control word */
+ movw %dx,-8(%ebp)
+ fldcw -8(%ebp) /* load modfied control word */
fldl 8(%ebp)
fldl2e
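Review bot: The new offsets -4(%ebp) and -8(%ebp) are inside the frame only because of `subl $8,%esp` just above the first changed line, and nothing in the hunk records that coupling, so a later change to the frame size could reintroduce a store below %esp unnoticed. I would state the layout on the allocation line: `subl $8,%esp /* two 16-bit slots: -4(%ebp) saved cw, -8(%ebp) modified cw; never store below %esp, signal delivery clobbers it */`. The new `fldcw -8(%ebp)` line also keeps the old typo; `/* load modified control word */`. Note that `fstcw` is `fwait` plus `fnstcw`, so an unmasked FP exception left pending by the caller would fault here rather than at the caller's next FP instruction; `fnstcw` avoids that, though this is pre-existing and not what the patch is for. The function's entry lies before this hunk and its body continues after it.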
@@ -32,7 +32,7 @@
fscale /* e^x */
fstpl %st(1)
- fldcw -12(%ebp) /* restore original control word */
+ fldcw -4(%ebp) /* restore original control word */
leave
ret
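Review bot: The restore on the changed `fldcw -4(%ebp)` line is where the old offset did lasting damage: a signal handler frame written over -12(%ebp) during the call meant this instruction reloaded clobbered bytes into the FPU control word, which could unmask exceptions or change rounding for the rest of the process after exp() returned. The new slot is inside the frame, so that is fixed, but the comment should say why the slot matters; `/* restore original control word (saved in our own frame; a slot below %esp would be clobbered by signal delivery) */`. The function body begins before this hunk.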
--- lib/libm/arch/i387/s_ceil.S.orig Wed Oct 18 17:42:46 1995
+++ lib/libm/arch/i387/s_ceil.S Fri Jun 2 18:37:51 2000
@@ -12,17 +12,17 @@
movl %esp,%ebp
subl $8,%esp
- fstcw -12(%ebp) /* store fpu control word */
- movw -12(%ebp),%dx
+ fstcw -4(%ebp) /* store fpu control word */
+ movw -4(%ebp),%dx
orw $0x0800,%dx /* round towards +oo */
andw $0xfbff,%dx
- movw %dx,-16(%ebp)
- fldcw -16(%ebp) /* load modfied control word */
+ movw %dx,-8(%ebp)
+ fldcw -8(%ebp) /* load modfied control word */
fldl 8(%ebp); /* round */
frndint
- fldcw -12(%ebp) /* restore original control word */
+ fldcw -4(%ebp) /* restore original control word */
leave
ret
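Review bot: The rounding-mode constants in the unchanged lines between the two changed pairs, `orw $0x0800` and `andw $0xfbff`, encode the i387 RC field (bits 11:10 = 10, round toward +oo) as bare magic numbers, and with the save/restore slots now correct this is the remaining readability gap in the hunk. I would name them, e.g. `#define CW_RC_MASK 0x0c00` and `#define CW_RC_UP 0x0800` in a shared header (these .S files are preprocessed), or at least annotate `andw $0xfbff,%dx /* clear RC bit 10 so RC becomes 10 (round up) */`. The new `fldcw -8(%ebp)` comment still says "modfied"; `/* load modified control word */`. The function's entry precedes this hunk.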
--- lib/libm/arch/i387/s_ceilf.S.orig Wed Oct 18 17:42:46 1995
+++ lib/libm/arch/i387/s_ceilf.S Fri Jun 2 18:38:25 2000
@@ -12,17 +12,17 @@
movl %esp,%ebp
subl $8,%esp
- fstcw -12(%ebp) /* store fpu control word */
- movw -12(%ebp),%dx
+ fstcw -4(%ebp) /* store fpu control word */
+ movw -4(%ebp),%dx
orw $0x0800,%dx /* round towards +oo */
andw $0xfbff,%dx
- movw %dx,-16(%ebp)
- fldcw -16(%ebp) /* load modfied control word */
+ movw %dx,-8(%ebp)
+ fldcw -8(%ebp) /* load modfied control word */
flds 8(%ebp); /* round */
frndint
- fldcw -12(%ebp) /* restore original control word */
+ fldcw -4(%ebp) /* restore original control word */
leave
ret
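Review bot: This hunk is the s_ceil.S hunk repeated with `flds` in place of `fldl` on the load line, and the same fix is applied again in s_floor.S and s_floorf.S; the bug existed in four places because the control-word save/modify/restore sequence is copy-pasted rather than shared. A preprocessor macro pair such as `FPU_SAVE_CW`/`FPU_RESTORE_CW` that takes the frame slot would have fixed it once and keeps the frame-size coupling in one place. At minimum, the new `fldcw -8(%ebp)` line should correct the carried-over typo: `/* load modified control word */`. The function's entry precedes this hunk.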
--- lib/libm/arch/i387/s_floor.S.orig Wed Oct 18 17:42:46 1995
+++ lib/libm/arch/i387/s_floor.S Fri Jun 2 18:38:51 2000
@@ -12,17 +12,17 @@
movl %esp,%ebp
subl $8,%esp
- fstcw -12(%ebp) /* store fpu control word */
- movw -12(%ebp),%dx
+ fstcw -4(%ebp) /* store fpu control word */
+ movw -4(%ebp),%dx
orw $0x0400,%dx /* round towards -oo */
andw $0xf7ff,%dx
- movw %dx,-16(%ebp)
- fldcw -16(%ebp) /* load modfied control word */
+ movw %dx,-8(%ebp)
+ fldcw -8(%ebp) /* load modfied control word */
fldl 8(%ebp); /* round */
frndint
- fldcw -12(%ebp) /* restore original control word */
+ fldcw -4(%ebp) /* restore original control word */
leave
ret
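Review bot: The modified word at -8(%ebp) is only read by the immediately following `fldcw`, while the saved word at -4(%ebp) must survive across `frndint` until the restore, and the hunk does not state that invariant even though it is exactly what the old -12(%ebp) offset broke. A comment at the store would carry it: `fstcw -4(%ebp) /* saved cw; must stay in-frame until the fldcw restore below */`. Also, `orw $0x0400` / `andw $0xf7ff` set RC (bits 11:10) to 01, round toward -oo, mirroring the +oo case in s_ceil.S; a named constant shared between the two files would make the symmetry checkable. The comment on the new `fldcw -8(%ebp)` line still reads "modfied".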
--- lib/libm/arch/i387/s_floorf.S.orig Wed Oct 18 17:42:46 1995
+++ lib/libm/arch/i387/s_floorf.S Fri Jun 2 18:39:17 2000
@@ -12,17 +12,17 @@
movl %esp,%ebp
subl $8,%esp
- fstcw -12(%ebp) /* store fpu control word */
- movw -12(%ebp),%dx
+ fstcw -4(%ebp) /* store fpu control word */
+ movw -4(%ebp),%dx
orw $0x0400,%dx /* round towards -oo */
andw $0xf7ff,%dx
- movw %dx,-16(%ebp)
- fldcw -16(%ebp) /* load modfied control word */
+ movw %dx,-8(%ebp)
+ fldcw -8(%ebp) /* load modfied control word */
flds 8(%ebp); /* round */
frndint
- fldcw -12(%ebp) /* restore original control word */
+ fldcw -4(%ebp) /* restore original control word */
leave
ret
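Review bot: Nothing in the patch exercises the fix, and the PR's How-To-Repeat says only "see the source code", so a regression would go unnoticed. A cheap test would install a SIGALRM handler via setitimer(2) with a short interval, loop calling floorf() and the other four functions on known inputs, and compare both the results and the control word read back with `fnstcw` afterwards against the values obtained with signals blocked; with the old below-%esp slots that comparison would likely fail. The new `fldcw -8(%ebp)` line also keeps the "modfied" typo; `/* load modified control word */`. The function's entry precedes this hunk.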
>Release-Note:
>Audit-Trail:
>Unformatted: