NetBSD-Bugs archive
port-vax/60064: vax: typo in compat_13_machdep.c: sp =- 8 should be sp -= 8
>Number: 60064
>Category: port-vax
>Synopsis: vax: typo in compat_13_machdep.c: sp =- 8 should be sp -= 8
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: port-vax-maintainer
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Sat Mar 07 19:10:01 +0000 2026
>Originator: FireTurtle
>Release: NetBSD 10 (also present in -current trunk)
>Organization:
>Environment:
System: NetBSD/vax
>Description:
In sys/arch/vax/vax/compat_13_machdep.c, function setupstack_oldsigcontext(), line 194:
sp =- 8;
This is parsed by the C compiler as sp = (-8) -- i.e., assignment of the constant -8 to sp. The intended expression is sp -= 8 (subtract 8 from the stack pointer to make room for the trampoline PC).
The bug has been present since the file was created in 2009 (rev 1.1, committed by mjf). It corrupts the stack pointer during signal delivery on VAX when using the NetBSD 1.3 compat sigcontext path, setting sp to an absolute address of -8 (0xFFFFFFF8) rather than adjusting it relative to the current frame. Found by static analysis tooling. The COMPAT_13 signal delivery path is rarely exercised, which likely explains why the bug went undetected.
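The two readings of the line, shown as an added example that is not from the PR or from the NetBSD source tree: the archaic spelling assigns the constant, the intended spelling adjusts the pointer. The 32-bit unsigned type for sp and the stack addresses are assumptions of the example; the range check relies only on the fact that VAX user space (P0 and P1) is the low half of the 32-bit address space, so 0xFFFFFFF8 can never be a user stack address.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed stand-in for the user stack on which the signal frame is
 * built (hypothetical addresses near the top of VAX P1 space). */
#define USER_STACK_TOP   0x7FFFF000u
#define USER_STACK_LIMIT 0x7FFE0000u   /* lowest mapped stack address (assumed) */

/* The line as committed. "=-" is not a compound operator in C as it is
 * compiled today, so this is an assignment of (-8): valid C, no error. */
static uint32_t adjust_as_written(uint32_t sp)
{
    sp =- 8;        /* parsed as sp = (-8), i.e. sp becomes 0xFFFFFFF8 */
    return sp;
}

/* The line as intended: make room for the trampoline pc below sp. */
static uint32_t adjust_as_intended(uint32_t sp)
{
    sp -= 8;
    return sp;
}

/* Sanity check a practitioner would apply to the result: the adjusted
 * sp must still lie inside the user stack the frame is being built on. */
static bool sp_within_user_stack(uint32_t sp)
{
    return sp >= USER_STACK_LIMIT && sp < USER_STACK_TOP;
}

int main(void)
{
    uint32_t sp = USER_STACK_TOP - 64;     /* assumed sp at signal delivery */
    uint32_t bad = adjust_as_written(sp);
    uint32_t good = adjust_as_intended(sp);

    printf("as written : 0x%08x (%s)\n", bad,
        sp_within_user_stack(bad) ? "ok" : "NOT in user stack");
    printf("as intended: 0x%08x (%s)\n", good,
        sp_within_user_stack(good) ? "ok" : "NOT in user stack");
    return 0;
}
```

Because the as-written form produces an address with bit 31 set, any later use of sp as a user address on VAX selects system space, which is why the description calls the result an absolute address rather than a relative adjustment.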
>How-To-Repeat:
Audit the source -- the intent from the surrounding comment ("Point stack pointer at pc in trampoline") makes it clear that subtraction is meant. The archaic =op syntax (pre-K&R C) is accepted silently by some compilers, masking the bug.
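One way to do the audit mechanically, as an added example (not a tool from the PR or from NetBSD): flag every `=` that is not part of a two-character operator and is immediately followed by a character that is both a binary and a unary operator (`-`, `+`, `*`, `&`), since only those spellings of the archaic `=op` parse silently as `= op...` instead of failing to compile. The sample source is constructed here and is not the real compat_13_machdep.c; the scanner reports candidates for review, so a deliberate `x=-1` is flagged too.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Constructed sample input standing in for a C source file. Line 3 is
 * the pattern from the PR; line 7 is a legitimate but flagged spelling. */
static const char sample_src[] =
    "\tmutex_exit(p->p_lock);\n"                     /* 1 */
    "\t/* Point stack pointer at pc in trampoline. */\n" /* 2 */
    "\tsp =- 8;\n"                                  /* 3 */
    "\tsp -= 8;\n"                                  /* 4 */
    "\tif (a == b || c != d)\n"                     /* 5 */
    "\t\tx = -y;\n"                                 /* 6 */
    "\tx=-1;\n"                                     /* 7 */
    "\tn *= 2;\n";                                  /* 8 */

/* True when line[i] is an '=' that is not the tail of ==, !=, <=, >=,
 * +=, -=, ... and is directly followed by an operator that is also a
 * valid unary prefix, so "=op" compiles as "= op...". */
static bool suspicious_assign(const char *line, size_t i)
{
    char next = line[i + 1];

    if (line[i] != '=' || next == '\0')
        return false;
    if (i > 0 && strchr("=!<>+-*/%&|^", line[i - 1]) != NULL)
        return false;
    return strchr("-+*&", next) != NULL;
}

/* Scan src line by line. Returns the number of flagged lines; if
 * flagged is non-NULL, stores up to max 1-based line numbers in it. */
static int scan_archaic_assign(const char *src, int *flagged, int max)
{
    int lineno = 1, count = 0;
    const char *line = src;

    while (*line != '\0') {
        const char *end = strchr(line, '\n');
        size_t len = end != NULL ? (size_t)(end - line) : strlen(line);

        for (size_t i = 0; i + 1 < len; i++) {
            if (suspicious_assign(line, i)) {
                if (flagged != NULL && count < max)
                    flagged[count] = lineno;
                count++;
                break;          /* one report per line is enough */
            }
        }
        if (end == NULL)
            break;
        line = end + 1;
        lineno++;
    }
    return count;
}

/* Convenience accessor: line number of the nth flagged line, or -1. */
static int flagged_line(const char *src, int nth)
{
    int lines[64];
    int n = scan_archaic_assign(src, lines, 64);

    return (nth >= 0 && nth < n && nth < 64) ? lines[nth] : -1;
}

int main(void)
{
    int lines[64];
    int n = scan_archaic_assign(sample_src, lines, 64);

    for (int i = 0; i < n; i++)
        printf("line %d: possible archaic \"=op\" assignment\n", lines[i]);
    return 0;
}
```

Run against the sample it reports lines 3 and 7; the `-=`, `==`, `!=` and `*=` forms are not reported because the character before the `=` excludes them. In a real tree the same predicate can be expressed as a grep over the kernel sources, with the hits then read by hand as the PR suggests.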
>Fix:
--- a/sys/arch/vax/vax/compat_13_machdep.c
+++ b/sys/arch/vax/vax/compat_13_machdep.c
@@ -191,7 +191,7 @@
mutex_exit(p->p_lock);
/* Point stack pointer at pc in trampoline. */
-sp =- 8;
+sp -= 8;
error = copyout(&tramp, (char *)tramp.scp - sizeof(tramp), sizeof(tramp)) != 0 ||
copyout(&sigctx, (void *)tramp.scp, sizeof(sigctx)) != 0;
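Review bot: nothing in the visible context consumes the corrected sp, so the hunk does not show that the fixed value reaches the frame. Both copyout() calls that follow compute their destinations from tramp.scp, not from sp, and the comment "Point stack pointer at pc in trampoline" implies sp is later written into the process's saved registers. Suggest widening the context (or stating in the commit message) to include the line where sp is stored, so a reviewer can confirm that the 8-byte adjustment lands sp on the trampoline's pc as the comment promises rather than on the sigcontext.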