ok github.com/google/syzkaller/dashboard/app (cached)
? github.com/google/syzkaller/dashboard/dashapi [no test files]
ok github.com/google/syzkaller/executor 1.033s
ok github.com/google/syzkaller/pkg/ast 1.617s
ok github.com/google/syzkaller/pkg/bisect 46.233s
ok github.com/google/syzkaller/pkg/build 0.125s
ok github.com/google/syzkaller/pkg/compiler 9.141s
ok github.com/google/syzkaller/pkg/config (cached)
ok github.com/google/syzkaller/pkg/cover (cached)
? github.com/google/syzkaller/pkg/cover/backend [no test files]
--- FAIL: TestGenerate (5.10s)
--- FAIL: TestGenerate/freebsd/386 (0.74s)
csource_test.go:52: seed=1613065041497043173
--- FAIL: TestGenerate/freebsd/386/4 (0.42s)
csource_test.go:108: opts: {Threaded:true Collide:false Repeat:true RepeatTimes:10 Procs:0 Slowdown:1 Sandbox:none Fault:false FaultCall:0 FaultNth:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false USB:false VhciInjection:false Wifi:false Sysctl:false UseTmpDir:true HandleSegv:false Repro:false Trace:false}
program:
r0 = kqueue()
r1 = dup2(0xffffffffffffffff, r0)
freebsd11_fstat(r1, &(0x7f0000000000))
r2 = socket$inet_udp(0x2, 0x2, 0x0)
flock(r2, 0x8)
extattr_delete_fd(r2, 0x1, &(0x7f0000000080)='/$\\\xbb}/%\x00')
freebsd12_closefrom(r2)
getsockopt$inet_mreqsrc(r2, 0x0, 0x46, &(0x7f00000000c0)={@empty, @local, @multicast1}, &(0x7f0000000100)=0xc)
ioctl$DIOCRGETASTATS(r1, 0xc4504447, &(0x7f0000000240)={{"a1740ea9d3dde8c7f900973c9f7b4d36d59465aeefb6c31e1a1a93c666ba8b20a55e6aff30d06ef3b2e7d1e2f30d84af84130cd2e27c4f2ee2154517f289b262e070daabfe225447b9f8c4acb69f59336d096ade1d70f6d69098c451493a1fa41090f53baf2d0c5f7a10c83d29398d9dbe527304a42db05b7a3226d432d34ae0a091b58e26261254c970d80dc96f04943b864c8748843567bab2ba79db4f588d203e016149e21e413f3f416901083f9286aaa727a49d72c769829e8024354fc324a99067a7b7da16f7644d96dc3c57c10e1a751a99acfaf14508c6dcc54ef43f74363f4f6f417c33dd2749f6f10d3c704a5876a135f227cca90af85ef182256ed221c38e0c50677a802d6002f50e481167eccb1758b77bdde2a3d2465f147ab979875cb125b067cd37043d0513bcbdc5e79b208f7c2d6383e2284a58a5db5e955c71fe9cb3d122c0c7e7c47353f29b8e49065f973fdb9dae899acd12e59a4fff41fe3978415a5a6d5a55f590111195ba73cfb332f80ecf85c3ff957183cecd2bf069904dc8daf35f54e8847fec3e0f928b06a5355b3c1989283ddea2e77bfc50af6365dc505a6538d4ec5cff65090ff09b12f800ebce602ab635607a88ba3eeb916ce6031fc26c0fa7272200a9980d707796b6c917a79206d2c4c09ea418fca9db36f6ac0daf5902352c7de03af42c3d1ff5079455ace7b7120a004db7138300acf97e39fe51ccb6ce64386500a2f95b617fbc352a25f120b4a7c7cf1d28ea6c4b1b371553e9223051ef978d879df74e5975121fc80060b82392bd626293980cdcc501d542384573a83f3a1a06aee53a60a292aa1ab1147cbab6ef8d6af2173d0258b0327528a396af20d66c8d33d02493a7ad292f04787588ee1b5c4a9c313b18decfe3036601816c95e1887f077d523ffd3b73c91708d67499ff77089ea0f00365b2a358af83d381ecea944241af6a591941834c4630f6d0993da63a85ae2081904ea82ef82eda3a7e7389b31558fc3e05708a30cf1de742cefc54d4f379ae012c24ddef2afb5c77abd18a0da9ac383028bd3e31431613b5f0a5583093824c7b2056517773ed26f653740156f7a50aaa532123d6701835396ce55d9b50661e05f1e664ed043ce985023ea40b74e9f986c136d0c24eda683818cb5ddc7cdd6c8599c4816044343de06d88af6f9e03e365536636c76a05ef7da19d2b9d2b1cb85b23319efa812c95a91ab8e49bb3037f29ce6f08eaf005853a8267368108ec4aacf059d2da96d1af79c5f32f19086118d6396d4b1167eae4aab7ed8764dd9dd9c43d9aee44ecd8d0be380d536aa32de9f662fdf27ff65e0c6d4fffcf2f9140f168939283dda7b48b4cc6294fb7d03f21ef35c346b6fd7ef2dad0f0f65781404966cf523865242e71cfc74de893e38504b4a762801909b3239a554eb9060af95c", "0d99967cebff11ef0b6140841d5e74214120d79da45b56cdfcbc94e237769157", 0xffffffff, 0x4}, &(0x7f0000000140)="b4bcbbfe0b7f0b0eae45a1e2bd081ec52f7c6e44801b510f94b5f8065209b9fc618c2d192d48fc4647e0bb40c2f39eb0dce48c65889321d353b6079ece97867d3718595bc4eca1e13d71e9d50c861f4f9b60e4c2f10d205774d210efd3795646c0be0f22d33a4ff542362855c3b1153eded80eb08456da9224e5d2f3354918fd7c56e7b4a059689286adc6784581e02f42a695721a228c0d2d44bc8d03ffb6d49816bdc187551d3c79672374ebe80b58ffbe18c6adb87fea88bc586ffed5d47f47a2431c506efba20bcf3e558733d3896a674abb2f9ddc351084e990fa", 0xfffffffffffffff9, 0x3, 0x6, 0x4, 0x1679, 0x4, 0x9, 0x6})
setsockopt$inet_sctp_SCTP_AUTO_ASCONF(0xffffffffffffffff, 0x84, 0x18, &(0x7f0000000700)=0x5, 0x4)
syz_emit_ethernet(0x32, &(0x7f0000000000)={@empty, @broadcast, [{[{0x88a8, 0x7, 0x1}], {0x8100, 0x2, 0x0, 0x4}}], {@arp={0x806, @ether_ipv4={0x1, 0x800, 0x6, 0x4, 0x4, @local, @multicast1, @remote, @rand_addr=0x81}}}})
syz_execute_func(&(0x7f0000000040)="c4e135d13128cb6767f3a53ef22e828f0000000000c4c2d59084c81e9100000f0e0fa2c4e16c5dc9646616c4c27d7884ad56c2d556")
syz_extract_tcp_res(&(0x7f0000000080), 0x40, 0x7)
csource_test.go:109: failed to build program:
// autogenerated by syzkaller (https://github.com/google/syzkaller)
#define _GNU_SOURCE
#include <sys/types.h>
#include <dirent.h>
#include <errno.h>
#include <pthread.h>
#include <pwd.h>
#include <signal.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/endian.h>
#include <sys/resource.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>
static void kill_and_wait(int pid, int* status)
{
kill(pid, SIGKILL);
while (waitpid(-1, status, 0) != pid) {
}
}
static void sleep_ms(uint64_t ms)
{
usleep(ms * 1000);
}
static uint64_t current_time_ms(void)
{
struct timespec ts;
if (clock_gettime(CLOCK_MONOTONIC, &ts))
exit(1);
return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}
static void use_temporary_dir(void)
{
char tmpdir_template[] = "./syzkaller.XXXXXX";
char* tmpdir = mkdtemp(tmpdir_template);
if (!tmpdir)
exit(1);
if (chmod(tmpdir, 0777))
exit(1);
if (chdir(tmpdir))
exit(1);
}
static void __attribute__((noinline)) remove_dir(const char* dir)
{
DIR* dp = opendir(dir);
if (dp == NULL) {
if (errno == EACCES) {
if (rmdir(dir))
exit(1);
return;
}
exit(1);
}
struct dirent* ep = 0;
while ((ep = readdir(dp))) {
if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0)
continue;
char filename[FILENAME_MAX];
snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name);
struct stat st;
if (lstat(filename, &st))
exit(1);
if (S_ISDIR(st.st_mode)) {
remove_dir(filename);
continue;
}
if (unlink(filename))
exit(1);
}
closedir(dp);
if (rmdir(dir))
exit(1);
}
static void thread_start(void* (*fn)(void*), void* arg)
{
pthread_t th;
pthread_attr_t attr;
pthread_attr_init(&attr);
pthread_attr_setstacksize(&attr, 128 << 10);
int i = 0;
for (; i < 100; i++) {
if (pthread_create(&th, &attr, fn, arg) == 0) {
pthread_attr_destroy(&attr);
return;
}
if (errno == EAGAIN) {
usleep(50);
continue;
}
break;
}
exit(1);
}
typedef struct {
pthread_mutex_t mu;
pthread_cond_t cv;
int state;
} event_t;
static void event_init(event_t* ev)
{
if (pthread_mutex_init(&ev->mu, 0))
exit(1);
if (pthread_cond_init(&ev->cv, 0))
exit(1);
ev->state = 0;
}
static void event_reset(event_t* ev)
{
ev->state = 0;
}
static void event_set(event_t* ev)
{
pthread_mutex_lock(&ev->mu);
if (ev->state)
exit(1);
ev->state = 1;
pthread_mutex_unlock(&ev->mu);
pthread_cond_broadcast(&ev->cv);
}
static void event_wait(event_t* ev)
{
pthread_mutex_lock(&ev->mu);
while (!ev->state)
pthread_cond_wait(&ev->cv, &ev->mu);
pthread_mutex_unlock(&ev->mu);
}
static int event_isset(event_t* ev)
{
pthread_mutex_lock(&ev->mu);
int res = ev->state;
pthread_mutex_unlock(&ev->mu);
return res;
}
static int event_timedwait(event_t* ev, uint64_t timeout)
{
uint64_t start = current_time_ms();
uint64_t now = start;
pthread_mutex_lock(&ev->mu);
for (;;) {
if (ev->state)
break;
uint64_t remain = timeout - (now - start);
struct timespec ts;
ts.tv_sec = remain / 1000;
ts.tv_nsec = (remain % 1000) * 1000 * 1000;
pthread_cond_timedwait(&ev->cv, &ev->mu, &ts);
now = current_time_ms();
if (now - start > timeout)
break;
}
int res = ev->state;
pthread_mutex_unlock(&ev->mu);
return res;
}
#define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off))
#define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len))))
static void sandbox_common()
{
struct rlimit rlim;
rlim.rlim_cur = rlim.rlim_max = 128 << 20;
setrlimit(RLIMIT_AS, &rlim);
rlim.rlim_cur = rlim.rlim_max = 8 << 20;
setrlimit(RLIMIT_MEMLOCK, &rlim);
rlim.rlim_cur = rlim.rlim_max = 1 << 20;
setrlimit(RLIMIT_FSIZE, &rlim);
rlim.rlim_cur = rlim.rlim_max = 1 << 20;
setrlimit(RLIMIT_STACK, &rlim);
rlim.rlim_cur = rlim.rlim_max = 0;
setrlimit(RLIMIT_CORE, &rlim);
rlim.rlim_cur = rlim.rlim_max = 256;
setrlimit(RLIMIT_NOFILE, &rlim);
}
static void loop();
static int do_sandbox_none(void)
{
sandbox_common();
loop();
return 0;
}
static long syz_execute_func(volatile long text)
{
((void (*)(void))(text))();
return 0;
}
struct thread_t {
int created, call;
event_t ready, done;
};
static struct thread_t threads[16];
static void execute_call(int call);
static int running;
static void* thr(void* arg)
{
struct thread_t* th = (struct thread_t*)arg;
for (;;) {
event_wait(&th->ready);
event_reset(&th->ready);
execute_call(th->call);
__atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED);
event_set(&th->done);
}
return 0;
}
static void execute_one(void)
{
int i, call, thread;
for (call = 0; call < 13; call++) {
for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) {
struct thread_t* th = &threads[thread];
if (!th->created) {
th->created = 1;
event_init(&th->ready);
event_init(&th->done);
event_set(&th->done);
thread_start(thr, th);
}
if (!event_isset(&th->done))
continue;
event_reset(&th->done);
th->call = call;
__atomic_fetch_add(&running, 1, __ATOMIC_RELAXED);
event_set(&th->ready);
event_timedwait(&th->done, 50);
break;
}
}
for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++)
sleep_ms(1);
}
static void execute_one(void);
#define WAIT_FLAGS 0
static void loop(void)
{
int iter = 0;
for (; iter < 10; iter++) {
char cwdbuf[32];
sprintf(cwdbuf, "./%d", iter);
if (mkdir(cwdbuf, 0777))
exit(1);
int pid = fork();
if (pid < 0)
exit(1);
if (pid == 0) {
if (chdir(cwdbuf))
exit(1);
execute_one();
exit(0);
}
int status = 0;
uint64_t start = current_time_ms();
for (;;) {
if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
break;
sleep_ms(1);
if (current_time_ms() - start < 5000) {
continue;
}
kill_and_wait(pid, &status);
break;
}
remove_dir(cwdbuf);
}
}
uint64_t r[3] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff};
void execute_call(int call)
{
intptr_t res = 0;
switch (call) {
case 0:
res = syscall(SYS_kqueue);
if (res != -1)
r[0] = res;
break;
case 1:
res = syscall(SYS_dup2, -1, (intptr_t)r[0]);
if (res != -1)
r[1] = res;
break;
case 2:
syscall(SYS_freebsd11_fstat, (intptr_t)r[1], 0x10000000);
break;
case 3:
res = syscall(SYS_socket, 2, 2, 0);
if (res != -1)
r[2] = res;
break;
case 4:
syscall(SYS_flock, (intptr_t)r[2], 8);
break;
case 5:
memcpy((void*)0x10000080, "/$\\\273}/%\000", 8);
syscall(SYS_extattr_delete_fd, (intptr_t)r[2], 1, 0x10000080);
break;
case 6:
syscall(SYS_freebsd12_closefrom, (intptr_t)r[2]);
break;
case 7:
*(uint32_t*)0x10000100 = 0xc;
syscall(SYS_getsockopt, (intptr_t)r[2], 0, 0x46, 0x100000c0, 0x10000100);
break;
case 8:
memcpy((void*)0x10000240, "\xa1\x74\x0e\xa9\xd3\xdd\xe8\xc7\xf9\x00\x97\x3c\x9f\x7b\x4d\x36\xd5\x94\x65\xae\xef\xb6\xc3\x1e\x1a\x1a\x93\xc6\x66\xba\x8b\x20\xa5\x5e\x6a\xff\x30\xd0\x6e\xf3\xb2\xe7\xd1\xe2\xf3\x0d\x84\xaf\x84\x13\x0c\xd2\xe2\x7c\x4f\x2e\xe2\x15\x45\x17\xf2\x89\xb2\x62\xe0\x70\xda\xab\xfe\x22\x54\x47\xb9\xf8\xc4\xac\xb6\x9f\x59\x33\x6d\x09\x6a\xde\x1d\x70\xf6\xd6\x90\x98\xc4\x51\x49\x3a\x1f\xa4\x10\x90\xf5\x3b\xaf\x2d\x0c\x5f\x7a\x10\xc8\x3d\x29\x39\x8d\x9d\xbe\x52\x73\x04\xa4\x2d\xb0\x5b\x7a\x32\x26\xd4\x32\xd3\x4a\xe0\xa0\x91\xb5\x8e\x26\x26\x12\x54\xc9\x70\xd8\x0d\xc9\x6f\x04\x94\x3b\x86\x4c\x87\x48\x84\x35\x67\xba\xb2\xba\x79\xdb\x4f\x58\x8d\x20\x3e\x01\x61\x49\xe2\x1e\x41\x3f\x3f\x41\x69\x01\x08\x3f\x92\x86\xaa\xa7\x27\xa4\x9d\x72\xc7\x69\x82\x9e\x80\x24\x35\x4f\xc3\x24\xa9\x90\x67\xa7\xb7\xda\x16\xf7\x64\x4d\x96\xdc\x3c\x57\xc1\x0e\x1a\x75\x1a\x99\xac\xfa\xf1\x45\x08\xc6\xdc\xc5\x4e\xf4\x3f\x74\x36\x3f\x4f\x6f\x41\x7c\x33\xdd\x27\x49\xf6\xf1\x0d\x3c\x70\x4a\x58\x76\xa1\x35\xf2\x27\xcc\xa9\x0a\xf8\x5e\xf1\x82\x25\x6e\xd2\x21\xc3\x8e\x0c\x50\x67\x7a\x80\x2d\x60\x02\xf5\x0e\x48\x11\x67\xec\xcb\x17\x58\xb7\x7b\xdd\xe2\xa3\xd2\x46\x5f\x14\x7a\xb9\x79\x87\x5c\xb1\x25\xb0\x67\xcd\x37\x04\x3d\x05\x13\xbc\xbd\xc5\xe7\x9b\x20\x8f\x7c\x2d\x63\x83\xe2\x28\x4a\x58\xa5\xdb\x5e\x95\x5c\x71\xfe\x9c\xb3\xd1\x22\xc0\xc7\xe7\xc4\x73\x53\xf2\x9b\x8e\x49\x06\x5f\x97\x3f\xdb\x9d\xae\x89\x9a\xcd\x12\xe5\x9a\x4f\xff\x41\xfe\x39\x78\x41\x5a\x5a\x6d\x5a\x55\xf5\x90\x11\x11\x95\xba\x73\xcf\xb3\x32\xf8\x0e\xcf\x85\xc3\xff\x95\x71\x83\xce\xcd\x2b\xf0\x69\x90\x4d\xc8\xda\xf3\x5f\x54\xe8\x84\x7f\xec\x3e\x0f\x92\x8b\x06\xa5\x35\x5b\x3c\x19\x89\x28\x3d\xde\xa2\xe7\x7b\xfc\x50\xaf\x63\x65\xdc\x50\x5a\x65\x38\xd4\xec\x5c\xff\x65\x09\x0f\xf0\x9b\x12\xf8\x00\xeb\xce\x60\x2a\xb6\x35\x60\x7a\x88\xba\x3e\xeb\x91\x6c\xe6\x03\x1f\xc2\x6c\x0f\xa7\x27\x22\x00\xa9\x98\x0d\x70\x77\x96\xb6\xc9\x17\xa7\x92\x06\xd2\xc4\xc0\x9e\xa4\x18\xfc\xa9\xdb\x36\xf6\xac\x0d\xaf\x59\x02\x35\x2c\x7d\xe0\x3a\xf4\x2c\x3d\x1f\xf5\x07\x94\x55\xac\xe7\xb7\x12\x0a\x00\x4d\xb7\x13\x83\x00\xac\xf9\x7e\x39\xfe\x51\xcc\xb6\xce\x64\x38\x65\x00\xa2\xf9\x5b\x61\x7f\xbc\x35\x2a\x25\xf1\x20\xb4\xa7\xc7\xcf\x1d\x28\xea\x6c\x4b\x1b\x37\x15\x53\xe9\x22\x30\x51\xef\x97\x8d\x87\x9d\xf7\x4e\x59\x75\x12\x1f\xc8\x00\x60\xb8\x23\x92\xbd\x62\x62\x93\x98\x0c\xdc\xc5\x01\xd5\x42\x38\x45\x73\xa8\x3f\x3a\x1a\x06\xae\xe5\x3a\x60\xa2\x92\xaa\x1a\xb1\x14\x7c\xba\xb6\xef\x8d\x6a\xf2\x17\x3d\x02\x58\xb0\x32\x75\x28\xa3\x96\xaf\x20\xd6\x6c\x8d\x33\xd0\x24\x93\xa7\xad\x29\x2f\x04\x78\x75\x88\xee\x1b\x5c\x4a\x9c\x31\x3b\x18\xde\xcf\xe3\x03\x66\x01\x81\x6c\x95\xe1\x88\x7f\x07\x7d\x52\x3f\xfd\x3b\x73\xc9\x17\x08\xd6\x74\x99\xff\x77\x08\x9e\xa0\xf0\x03\x65\xb2\xa3\x58\xaf\x83\xd3\x81\xec\xea\x94\x42\x41\xaf\x6a\x59\x19\x41\x83\x4c\x46\x30\xf6\xd0\x99\x3d\xa6\x3a\x85\xae\x20\x81\x90\x4e\xa8\x2e\xf8\x2e\xda\x3a\x7e\x73\x89\xb3\x15\x58\xfc\x3e\x05\x70\x8a\x30\xcf\x1d\xe7\x42\xce\xfc\x54\xd4\xf3\x79\xae\x01\x2c\x24\xdd\xef\x2a\xfb\x5c\x77\xab\xd1\x8a\x0d\xa9\xac\x38\x30\x28\xbd\x3e\x31\x43\x16\x13\xb5\xf0\xa5\x58\x30\x93\x82\x4c\x7b\x20\x56\x51\x77\x73\xed\x26\xf6\x53\x74\x01\x56\xf7\xa5\x0a\xaa\x53\x21\x23\xd6\x70\x18\x35\x39\x6c\xe5\x5d\x9b\x50\x66\x1e\x05\xf1\xe6\x64\xed\x04\x3c\xe9\x85\x02\x3e\xa4\x0b\x74\xe9\xf9\x86\xc1\x36\xd0\xc2\x4e\xda\x68\x38\x18\xcb\x5d\xdc\x7c\xdd\x6c\x85\x99\xc4\x81\x60\x44\x34\x3d\xe0\x6d\x88\xaf\x6f\x9e\x03\xe3\x65\x53\x66\x36\xc7\x6a\x05\xef\x7d\xa1\x9d\x2b\x9d\x2b\x1c\xb8\x5b\x23\x31\x9e\xfa\x81\x2c\x95\xa9\x1a\xb8\xe4\x9b\xb3\x03\x7f\x29\xce\x6f\x08\xea\xf0\x05\x85\x3a\x82\x67\x36\x81\x08\xec\x4a\xac\xf0\x59\xd2\xda\x96\xd1\xaf\x79\xc5\xf3\x2f\x19\x08\x61\x18\xd6\x39\x6d\x4b\x11\x67\xea\xe4\xaa\xb7\xed\x87\x64\xdd\x9d\xd9\xc4\x3d\x9a\xee\x44\xec\xd8\xd0\xbe\x38\x0d\x53\x6a\xa3\x2d\xe9\xf6\x62\xfd\xf2\x7f\xf6\x5e\x0c\x6d\x4f\xff\xcf\x2f\x91\x40\xf1\x68\x93\x92\x83\xdd\xa7\xb4\x8b\x4c\xc6\x29\x4f\xb7\xd0\x3f\x21\xef\x35\xc3\x46\xb6\xfd\x7e\xf2\xda\xd0\xf0\xf6\x57\x81\x40\x49\x66\xcf\x52\x38\x65\x24\x2e\x71\xcf\xc7\x4d\xe8\x93\xe3\x85\x04\xb4\xa7\x62\x80\x19\x09\xb3\x23\x9a\x55\x4e\xb9\x06\x0a\xf9\x5c", 1024);
memcpy((void*)0x10000640, "\x0d\x99\x96\x7c\xeb\xff\x11\xef\x0b\x61\x40\x84\x1d\x5e\x74\x21\x41\x20\xd7\x9d\xa4\x5b\x56\xcd\xfc\xbc\x94\xe2\x37\x76\x91\x57", 32);
*(uint32_t*)0x10000660 = -1;
*(uint8_t*)0x10000664 = 4;
*(uint32_t*)0x10000668 = 0x10000140;
memcpy((void*)0x10000140, "\xb4\xbc\xbb\xfe\x0b\x7f\x0b\x0e\xae\x45\xa1\xe2\xbd\x08\x1e\xc5\x2f\x7c\x6e\x44\x80\x1b\x51\x0f\x94\xb5\xf8\x06\x52\x09\xb9\xfc\x61\x8c\x2d\x19\x2d\x48\xfc\x46\x47\xe0\xbb\x40\xc2\xf3\x9e\xb0\xdc\xe4\x8c\x65\x88\x93\x21\xd3\x53\xb6\x07\x9e\xce\x97\x86\x7d\x37\x18\x59\x5b\xc4\xec\xa1\xe1\x3d\x71\xe9\xd5\x0c\x86\x1f\x4f\x9b\x60\xe4\xc2\xf1\x0d\x20\x57\x74\xd2\x10\xef\xd3\x79\x56\x46\xc0\xbe\x0f\x22\xd3\x3a\x4f\xf5\x42\x36\x28\x55\xc3\xb1\x15\x3e\xde\xd8\x0e\xb0\x84\x56\xda\x92\x24\xe5\xd2\xf3\x35\x49\x18\xfd\x7c\x56\xe7\xb4\xa0\x59\x68\x92\x86\xad\xc6\x78\x45\x81\xe0\x2f\x42\xa6\x95\x72\x1a\x22\x8c\x0d\x2d\x44\xbc\x8d\x03\xff\xb6\xd4\x98\x16\xbd\xc1\x87\x55\x1d\x3c\x79\x67\x23\x74\xeb\xe8\x0b\x58\xff\xbe\x18\xc6\xad\xb8\x7f\xea\x88\xbc\x58\x6f\xfe\xd5\xd4\x7f\x47\xa2\x43\x1c\x50\x6e\xfb\xa2\x0b\xcf\x3e\x55\x87\x33\xd3\x89\x6a\x67\x4a\xbb\x2f\x9d\xdc\x35\x10\x84\xe9\x90\xfa", 221);
*(uint64_t*)0x1000066c = 0xfffffffffffffff9;
*(uint64_t*)0x10000674 = 3;
*(uint64_t*)0x1000067c = 6;
*(uint64_t*)0x10000684 = 4;
*(uint64_t*)0x1000068c = 0x1679;
*(uint64_t*)0x10000694 = 4;
*(uint64_t*)0x1000069c = 9;
*(uint32_t*)0x100006a4 = 6;
syscall(SYS_ioctl, (intptr_t)r[1], 0xc4504447, 0x10000240);
break;
case 9:
*(uint32_t*)0x10000700 = 5;
syscall(SYS_setsockopt, -1, 0x84, 0x18, 0x10000700, 4);
break;
case 10:
*(uint8_t*)0x10000000 = 0;
*(uint8_t*)0x10000001 = 0;
*(uint8_t*)0x10000002 = 0;
*(uint8_t*)0x10000003 = 0;
*(uint8_t*)0x10000004 = 0;
*(uint8_t*)0x10000005 = 0;
*(uint8_t*)0x10000006 = -1;
*(uint8_t*)0x10000007 = -1;
*(uint8_t*)0x10000008 = -1;
*(uint8_t*)0x10000009 = -1;
*(uint8_t*)0x1000000a = -1;
*(uint8_t*)0x1000000b = -1;
*(uint16_t*)0x1000000c = htobe16(0x88a8);
STORE_BY_BITMASK(uint16_t, , 0x1000000e, 7, 0, 3);
STORE_BY_BITMASK(uint16_t, , 0x1000000e, 1, 3, 1);
STORE_BY_BITMASK(uint16_t, , 0x1000000e, 0, 4, 12);
*(uint16_t*)0x10000010 = htobe16(0x8100);
STORE_BY_BITMASK(uint16_t, , 0x10000012, 2, 0, 3);
STORE_BY_BITMASK(uint16_t, , 0x10000012, 0, 3, 1);
STORE_BY_BITMASK(uint16_t, , 0x10000012, 4, 4, 12);
*(uint16_t*)0x10000014 = htobe16(0x806);
*(uint16_t*)0x10000016 = htobe16(1);
*(uint16_t*)0x10000018 = htobe16(0x800);
*(uint8_t*)0x1000001a = 6;
*(uint8_t*)0x1000001b = 4;
*(uint16_t*)0x1000001c = htobe16(4);
*(uint8_t*)0x1000001e = 0xaa;
*(uint8_t*)0x1000001f = 0xaa;
*(uint8_t*)0x10000020 = 0xaa;
*(uint8_t*)0x10000021 = 0xaa;
*(uint8_t*)0x10000022 = 0xaa;
*(uint8_t*)0x10000023 = 0xaa;
*(uint32_t*)0x10000024 = htobe32(0xe0000001);
*(uint8_t*)0x10000028 = 0xaa;
*(uint8_t*)0x10000029 = 0xaa;
*(uint8_t*)0x1000002a = 0xaa;
*(uint8_t*)0x1000002b = 0xaa;
*(uint8_t*)0x1000002c = 0xaa;
*(uint8_t*)0x1000002d = 0xbb;
*(uint32_t*)0x1000002e = htobe32(0x81);
break;
case 11:
memcpy((void*)0x10000040, "\xc4\xe1\x35\xd1\x31\x28\xcb\x67\x67\xf3\xa5\x3e\xf2\x2e\x82\x8f\x00\x00\x00\x00\x00\xc4\xc2\xd5\x90\x84\xc8\x1e\x91\x00\x00\x0f\x0e\x0f\xa2\xc4\xe1\x6c\x5d\xc9\x64\x66\x16\xc4\xc2\x7d\x78\x84\xad\x56\xc2\xd5\x56", 53);
syz_execute_func(0x10000040);
break;
case 12:
break;
}
}
int main(void)
{
syscall(SYS_mmap, 0x10000000, 0x1000000, 7, 0x1012, -1, 0);
use_temporary_dir();
do_sandbox_none();
return 0;
}
<stdin>:332:11: error: use of undeclared identifier 'SYS_freebsd12_closefrom'
syscall(SYS_freebsd12_closefrom, (intptr_t)r[2]);
^
1 error generated.
compiler invocation: clang [-o /tmp/syz-executor090928706 -DGOOS_freebsd=1 -DGOARCH_386=1 -DHOSTGOOS_freebsd=1 -x c - -m32 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -static -lc++ -Wno-overflow]
--- FAIL: TestGenerate/freebsd/386/0 (0.48s)
csource_test.go:108: opts: {Threaded:false Collide:false Repeat:true RepeatTimes:0 Procs:0 Slowdown:1 Sandbox:none Fault:false FaultCall:0 FaultNth:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false USB:false VhciInjection:false Wifi:false Sysctl:false UseTmpDir:true HandleSegv:false Repro:false Trace:false}
program:
r0 = kqueue()
r1 = dup2(0xffffffffffffffff, r0)
freebsd11_fstat(r1, &(0x7f0000000000))
r2 = socket$inet_udp(0x2, 0x2, 0x0)
flock(r2, 0x8)
extattr_delete_fd(r2, 0x1, &(0x7f0000000080)='/$\\\xbb}/%\x00')
freebsd12_closefrom(r2)
getsockopt$inet_mreqsrc(r2, 0x0, 0x46, &(0x7f00000000c0)={@empty, @local, @multicast1}, &(0x7f0000000100)=0xc)
ioctl$DIOCRGETASTATS(r1, 0xc4504447, &(0x7f0000000240)={{"a1740ea9d3dde8c7f900973c9f7b4d36d59465aeefb6c31e1a1a93c666ba8b20a55e6aff30d06ef3b2e7d1e2f30d84af84130cd2e27c4f2ee2154517f289b262e070daabfe225447b9f8c4acb69f59336d096ade1d70f6d69098c451493a1fa41090f53baf2d0c5f7a10c83d29398d9dbe527304a42db05b7a3226d432d34ae0a091b58e26261254c970d80dc96f04943b864c8748843567bab2ba79db4f588d203e016149e21e413f3f416901083f9286aaa727a49d72c769829e8024354fc324a99067a7b7da16f7644d96dc3c57c10e1a751a99acfaf14508c6dcc54ef43f74363f4f6f417c33dd2749f6f10d3c704a5876a135f227cca90af85ef182256ed221c38e0c50677a802d6002f50e481167eccb1758b77bdde2a3d2465f147ab979875cb125b067cd37043d0513bcbdc5e79b208f7c2d6383e2284a58a5db5e955c71fe9cb3d122c0c7e7c47353f29b8e49065f973fdb9dae899acd12e59a4fff41fe3978415a5a6d5a55f590111195ba73cfb332f80ecf85c3ff957183cecd2bf069904dc8daf35f54e8847fec3e0f928b06a5355b3c1989283ddea2e77bfc50af6365dc505a6538d4ec5cff65090ff09b12f800ebce602ab635607a88ba3eeb916ce6031fc26c0fa7272200a9980d707796b6c917a79206d2c4c09ea418fca9db36f6ac0daf5902352c7de03af42c3d1ff5079455ace7b7120a004db7138300acf97e39fe51ccb6ce64386500a2f95b617fbc352a25f120b4a7c7cf1d28ea6c4b1b371553e9223051ef978d879df74e5975121fc80060b82392bd626293980cdcc501d542384573a83f3a1a06aee53a60a292aa1ab1147cbab6ef8d6af2173d0258b0327528a396af20d66c8d33d02493a7ad292f04787588ee1b5c4a9c313b18decfe3036601816c95e1887f077d523ffd3b73c91708d67499ff77089ea0f00365b2a358af83d381ecea944241af6a591941834c4630f6d0993da63a85ae2081904ea82ef82eda3a7e7389b31558fc3e05708a30cf1de742cefc54d4f379ae012c24ddef2afb5c77abd18a0da9ac383028bd3e31431613b5f0a5583093824c7b2056517773ed26f653740156f7a50aaa532123d6701835396ce55d9b50661e05f1e664ed043ce985023ea40b74e9f986c136d0c24eda683818cb5ddc7cdd6c8599c4816044343de06d88af6f9e03e365536636c76a05ef7da19d2b9d2b1cb85b23319efa812c95a91ab8e49bb3037f29ce6f08eaf005853a8267368108ec4aacf059d2da96d1af79c5f32f19086118d6396d4b1167eae4aab7ed8764dd9dd9c43d9aee44ecd8d0be380d536aa32de9f662fdf27ff65e0c6d4fffcf2f9140f168939283dda7b48b4cc6294fb7d03f21ef35c346b6fd7ef2dad0f0f65781404966cf523865242e71cfc74de893e38504b4a762801909b3239a554eb9060af95c", "0d99967cebff11ef0b6140841d5e74214120d79da45b56cdfcbc94e237769157", 0xffffffff, 0x4}, &(0x7f0000000140)="b4bcbbfe0b7f0b0eae45a1e2bd081ec52f7c6e44801b510f94b5f8065209b9fc618c2d192d48fc4647e0bb40c2f39eb0dce48c65889321d353b6079ece97867d3718595bc4eca1e13d71e9d50c861f4f9b60e4c2f10d205774d210efd3795646c0be0f22d33a4ff542362855c3b1153eded80eb08456da9224e5d2f3354918fd7c56e7b4a059689286adc6784581e02f42a695721a228c0d2d44bc8d03ffb6d49816bdc187551d3c79672374ebe80b58ffbe18c6adb87fea88bc586ffed5d47f47a2431c506efba20bcf3e558733d3896a674abb2f9ddc351084e990fa", 0xfffffffffffffff9, 0x3, 0x6, 0x4, 0x1679, 0x4, 0x9, 0x6})
setsockopt$inet_sctp_SCTP_AUTO_ASCONF(0xffffffffffffffff, 0x84, 0x18, &(0x7f0000000700)=0x5, 0x4)
syz_emit_ethernet(0x32, &(0x7f0000000000)={@empty, @broadcast, [{[{0x88a8, 0x7, 0x1}], {0x8100, 0x2, 0x0, 0x4}}], {@arp={0x806, @ether_ipv4={0x1, 0x800, 0x6, 0x4, 0x4, @local, @multicast1, @remote, @rand_addr=0x81}}}})
syz_execute_func(&(0x7f0000000040)="c4e135d13128cb6767f3a53ef22e828f0000000000c4c2d59084c81e9100000f0e0fa2c4e16c5dc9646616c4c27d7884ad56c2d556")
syz_extract_tcp_res(&(0x7f0000000080), 0x40, 0x7)
csource_test.go:109: failed to build program:
// autogenerated by syzkaller (https://github.com/google/syzkaller)
#define _GNU_SOURCE
#include <sys/types.h>
#include <dirent.h>
#include <errno.h>
#include <pwd.h>
#include <signal.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/endian.h>
#include <sys/resource.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>
static void kill_and_wait(int pid, int* status)
{
kill(pid, SIGKILL);
while (waitpid(-1, status, 0) != pid) {
}
}
static void sleep_ms(uint64_t ms)
{
usleep(ms * 1000);
}
static uint64_t current_time_ms(void)
{
struct timespec ts;
if (clock_gettime(CLOCK_MONOTONIC, &ts))
exit(1);
return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}
static void use_temporary_dir(void)
{
char tmpdir_template[] = "./syzkaller.XXXXXX";
char* tmpdir = mkdtemp(tmpdir_template);
if (!tmpdir)
exit(1);
if (chmod(tmpdir, 0777))
exit(1);
if (chdir(tmpdir))
exit(1);
}
static void __attribute__((noinline)) remove_dir(const char* dir)
{
DIR* dp = opendir(dir);
if (dp == NULL) {
if (errno == EACCES) {
if (rmdir(dir))
exit(1);
return;
}
exit(1);
}
struct dirent* ep = 0;
while ((ep = readdir(dp))) {
if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0)
continue;
char filename[FILENAME_MAX];
snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name);
struct stat st;
if (lstat(filename, &st))
exit(1);
if (S_ISDIR(st.st_mode)) {
remove_dir(filename);
continue;
}
if (unlink(filename))
exit(1);
}
closedir(dp);
if (rmdir(dir))
exit(1);
}
#define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off))
#define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len))))
static void sandbox_common()
{
if (setsid() == -1)
exit(1);
struct rlimit rlim;
rlim.rlim_cur = rlim.rlim_max = 128 << 20;
setrlimit(RLIMIT_AS, &rlim);
rlim.rlim_cur = rlim.rlim_max = 8 << 20;
setrlimit(RLIMIT_MEMLOCK, &rlim);
rlim.rlim_cur = rlim.rlim_max = 1 << 20;
setrlimit(RLIMIT_FSIZE, &rlim);
rlim.rlim_cur = rlim.rlim_max = 1 << 20;
setrlimit(RLIMIT_STACK, &rlim);
rlim.rlim_cur = rlim.rlim_max = 0;
setrlimit(RLIMIT_CORE, &rlim);
rlim.rlim_cur = rlim.rlim_max = 256;
setrlimit(RLIMIT_NOFILE, &rlim);
}
static void loop();
static int do_sandbox_none(void)
{
sandbox_common();
loop();
return 0;
}
static long syz_execute_func(volatile long text)
{
((void (*)(void))(text))();
return 0;
}
static void execute_one(void);
#define WAIT_FLAGS 0
static void loop(void)
{
int iter = 0;
for (;; iter++) {
char cwdbuf[32];
sprintf(cwdbuf, "./%d", iter);
if (mkdir(cwdbuf, 0777))
exit(1);
int pid = fork();
if (pid < 0)
exit(1);
if (pid == 0) {
if (chdir(cwdbuf))
exit(1);
execute_one();
exit(0);
}
int status = 0;
uint64_t start = current_time_ms();
for (;;) {
if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
break;
sleep_ms(1);
if (current_time_ms() - start < 5000) {
continue;
}
kill_and_wait(pid, &status);
break;
}
remove_dir(cwdbuf);
}
}
uint64_t r[3] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff};
void execute_one(void)
{
intptr_t res = 0;
res = syscall(SYS_kqueue);
if (res != -1)
r[0] = res;
res = syscall(SYS_dup2, -1, (intptr_t)r[0]);
if (res != -1)
r[1] = res;
syscall(SYS_freebsd11_fstat, (intptr_t)r[1], 0x10000000);
res = syscall(SYS_socket, 2, 2, 0);
if (res != -1)
r[2] = res;
syscall(SYS_flock, (intptr_t)r[2], 8);
memcpy((void*)0x10000080, "/$\\\273}/%\000", 8);
syscall(SYS_extattr_delete_fd, (intptr_t)r[2], 1, 0x10000080);
syscall(SYS_freebsd12_closefrom, (intptr_t)r[2]);
*(uint32_t*)0x10000100 = 0xc;
syscall(SYS_getsockopt, (intptr_t)r[2], 0, 0x46, 0x100000c0, 0x10000100);
memcpy((void*)0x10000240, "\xa1\x74\x0e\xa9\xd3\xdd\xe8\xc7\xf9\x00\x97\x3c\x9f\x7b\x4d\x36\xd5\x94\x65\xae\xef\xb6\xc3\x1e\x1a\x1a\x93\xc6\x66\xba\x8b\x20\xa5\x5e\x6a\xff\x30\xd0\x6e\xf3\xb2\xe7\xd1\xe2\xf3\x0d\x84\xaf\x84\x13\x0c\xd2\xe2\x7c\x4f\x2e\xe2\x15\x45\x17\xf2\x89\xb2\x62\xe0\x70\xda\xab\xfe\x22\x54\x47\xb9\xf8\xc4\xac\xb6\x9f\x59\x33\x6d\x09\x6a\xde\x1d\x70\xf6\xd6\x90\x98\xc4\x51\x49\x3a\x1f\xa4\x10\x90\xf5\x3b\xaf\x2d\x0c\x5f\x7a\x10\xc8\x3d\x29\x39\x8d\x9d\xbe\x52\x73\x04\xa4\x2d\xb0\x5b\x7a\x32\x26\xd4\x32\xd3\x4a\xe0\xa0\x91\xb5\x8e\x26\x26\x12\x54\xc9\x70\xd8\x0d\xc9\x6f\x04\x94\x3b\x86\x4c\x87\x48\x84\x35\x67\xba\xb2\xba\x79\xdb\x4f\x58\x8d\x20\x3e\x01\x61\x49\xe2\x1e\x41\x3f\x3f\x41\x69\x01\x08\x3f\x92\x86\xaa\xa7\x27\xa4\x9d\x72\xc7\x69\x82\x9e\x80\x24\x35\x4f\xc3\x24\xa9\x90\x67\xa7\xb7\xda\x16\xf7\x64\x4d\x96\xdc\x3c\x57\xc1\x0e\x1a\x75\x1a\x99\xac\xfa\xf1\x45\x08\xc6\xdc\xc5\x4e\xf4\x3f\x74\x36\x3f\x4f\x6f\x41\x7c\x33\xdd\x27\x49\xf6\xf1\x0d\x3c\x70\x4a\x58\x76\xa1\x35\xf2\x27\xcc\xa9\x0a\xf8\x5e\xf1\x82\x25\x6e\xd2\x21\xc3\x8e\x0c\x50\x67\x7a\x80\x2d\x60\x02\xf5\x0e\x48\x11\x67\xec\xcb\x17\x58\xb7\x7b\xdd\xe2\xa3\xd2\x46\x5f\x14\x7a\xb9\x79\x87\x5c\xb1\x25\xb0\x67\xcd\x37\x04\x3d\x05\x13\xbc\xbd\xc5\xe7\x9b\x20\x8f\x7c\x2d\x63\x83\xe2\x28\x4a\x58\xa5\xdb\x5e\x95\x5c\x71\xfe\x9c\xb3\xd1\x22\xc0\xc7\xe7\xc4\x73\x53\xf2\x9b\x8e\x49\x06\x5f\x97\x3f\xdb\x9d\xae\x89\x9a\xcd\x12\xe5\x9a\x4f\xff\x41\xfe\x39\x78\x41\x5a\x5a\x6d\x5a\x55\xf5\x90\x11\x11\x95\xba\x73\xcf\xb3\x32\xf8\x0e\xcf\x85\xc3\xff\x95\x71\x83\xce\xcd\x2b\xf0\x69\x90\x4d\xc8\xda\xf3\x5f\x54\xe8\x84\x7f\xec\x3e\x0f\x92\x8b\x06\xa5\x35\x5b\x3c\x19\x89\x28\x3d\xde\xa2\xe7\x7b\xfc\x50\xaf\x63\x65\xdc\x50\x5a\x65\x38\xd4\xec\x5c\xff\x65\x09\x0f\xf0\x9b\x12\xf8\x00\xeb\xce\x60\x2a\xb6\x35\x60\x7a\x88\xba\x3e\xeb\x91\x6c\xe6\x03\x1f\xc2\x6c\x0f\xa7\x27\x22\x00\xa9\x98\x0d\x70\x77\x96\xb6\xc9\x17\xa7\x92\x06\xd2\xc4\xc0\x9e\xa4\x18\xfc\xa9\xdb\x36\xf6\xac\x0d\xaf\x59\x02\x35\x2c\x7d\xe0\x3a\xf4\x2c\x3d\x1f\xf5\x07\x94\x55\xac\xe7\xb7\x12\x0a\x00\x4d\xb7\x13\x83\x00\xac\xf9\x7e\x39\xfe\x51\xcc\xb6\xce\x64\x38\x65\x00\xa2\xf9\x5b\x61\x7f\xbc\x35\x2a\x25\xf1\x20\xb4\xa7\xc7\xcf\x1d\x28\xea\x6c\x4b\x1b\x37\x15\x53\xe9\x22\x30\x51\xef\x97\x8d\x87\x9d\xf7\x4e\x59\x75\x12\x1f\xc8\x00\x60\xb8\x23\x92\xbd\x62\x62\x93\x98\x0c\xdc\xc5\x01\xd5\x42\x38\x45\x73\xa8\x3f\x3a\x1a\x06\xae\xe5\x3a\x60\xa2\x92\xaa\x1a\xb1\x14\x7c\xba\xb6\xef\x8d\x6a\xf2\x17\x3d\x02\x58\xb0\x32\x75\x28\xa3\x96\xaf\x20\xd6\x6c\x8d\x33\xd0\x24\x93\xa7\xad\x29\x2f\x04\x78\x75\x88\xee\x1b\x5c\x4a\x9c\x31\x3b\x18\xde\xcf\xe3\x03\x66\x01\x81\x6c\x95\xe1\x88\x7f\x07\x7d\x52\x3f\xfd\x3b\x73\xc9\x17\x08\xd6\x74\x99\xff\x77\x08\x9e\xa0\xf0\x03\x65\xb2\xa3\x58\xaf\x83\xd3\x81\xec\xea\x94\x42\x41\xaf\x6a\x59\x19\x41\x83\x4c\x46\x30\xf6\xd0\x99\x3d\xa6\x3a\x85\xae\x20\x81\x90\x4e\xa8\x2e\xf8\x2e\xda\x3a\x7e\x73\x89\xb3\x15\x58\xfc\x3e\x05\x70\x8a\x30\xcf\x1d\xe7\x42\xce\xfc\x54\xd4\xf3\x79\xae\x01\x2c\x24\xdd\xef\x2a\xfb\x5c\x77\xab\xd1\x8a\x0d\xa9\xac\x38\x30\x28\xbd\x3e\x31\x43\x16\x13\xb5\xf0\xa5\x58\x30\x93\x82\x4c\x7b\x20\x56\x51\x77\x73\xed\x26\xf6\x53\x74\x01\x56\xf7\xa5\x0a\xaa\x53\x21\x23\xd6\x70\x18\x35\x39\x6c\xe5\x5d\x9b\x50\x66\x1e\x05\xf1\xe6\x64\xed\x04\x3c\xe9\x85\x02\x3e\xa4\x0b\x74\xe9\xf9\x86\xc1\x36\xd0\xc2\x4e\xda\x68\x38\x18\xcb\x5d\xdc\x7c\xdd\x6c\x85\x99\xc4\x81\x60\x44\x34\x3d\xe0\x6d\x88\xaf\x6f\x9e\x03\xe3\x65\x53\x66\x36\xc7\x6a\x05\xef\x7d\xa1\x9d\x2b\x9d\x2b\x1c\xb8\x5b\x23\x31\x9e\xfa\x81\x2c\x95\xa9\x1a\xb8\xe4\x9b\xb3\x03\x7f\x29\xce\x6f\x08\xea\xf0\x05\x85\x3a\x82\x67\x36\x81\x08\xec\x4a\xac\xf0\x59\xd2\xda\x96\xd1\xaf\x79\xc5\xf3\x2f\x19\x08\x61\x18\xd6\x39\x6d\x4b\x11\x67\xea\xe4\xaa\xb7\xed\x87\x64\xdd\x9d\xd9\xc4\x3d\x9a\xee\x44\xec\xd8\xd0\xbe\x38\x0d\x53\x6a\xa3\x2d\xe9\xf6\x62\xfd\xf2\x7f\xf6\x5e\x0c\x6d\x4f\xff\xcf\x2f\x91\x40\xf1\x68\x93\x92\x83\xdd\xa7\xb4\x8b\x4c\xc6\x29\x4f\xb7\xd0\x3f\x21\xef\x35\xc3\x46\xb6\xfd\x7e\xf2\xda\xd0\xf0\xf6\x57\x81\x40\x49\x66\xcf\x52\x38\x65\x24\x2e\x71\xcf\xc7\x4d\xe8\x93\xe3\x85\x04\xb4\xa7\x62\x80\x19\x09\xb3\x23\x9a\x55\x4e\xb9\x06\x0a\xf9\x5c", 1024);
memcpy((void*)0x10000640, "\x0d\x99\x96\x7c\xeb\xff\x11\xef\x0b\x61\x40\x84\x1d\x5e\x74\x21\x41\x20\xd7\x9d\xa4\x5b\x56\xcd\xfc\xbc\x94\xe2\x37\x76\x91\x57", 32);
*(uint32_t*)0x10000660 = -1;
*(uint8_t*)0x10000664 = 4;
*(uint32_t*)0x10000668 = 0x10000140;
memcpy((void*)0x10000140, "\xb4\xbc\xbb\xfe\x0b\x7f\x0b\x0e\xae\x45\xa1\xe2\xbd\x08\x1e\xc5\x2f\x7c\x6e\x44\x80\x1b\x51\x0f\x94\xb5\xf8\x06\x52\x09\xb9\xfc\x61\x8c\x2d\x19\x2d\x48\xfc\x46\x47\xe0\xbb\x40\xc2\xf3\x9e\xb0\xdc\xe4\x8c\x65\x88\x93\x21\xd3\x53\xb6\x07\x9e\xce\x97\x86\x7d\x37\x18\x59\x5b\xc4\xec\xa1\xe1\x3d\x71\xe9\xd5\x0c\x86\x1f\x4f\x9b\x60\xe4\xc2\xf1\x0d\x20\x57\x74\xd2\x10\xef\xd3\x79\x56\x46\xc0\xbe\x0f\x22\xd3\x3a\x4f\xf5\x42\x36\x28\x55\xc3\xb1\x15\x3e\xde\xd8\x0e\xb0\x84\x56\xda\x92\x24\xe5\xd2\xf3\x35\x49\x18\xfd\x7c\x56\xe7\xb4\xa0\x59\x68\x92\x86\xad\xc6\x78\x45\x81\xe0\x2f\x42\xa6\x95\x72\x1a\x22\x8c\x0d\x2d\x44\xbc\x8d\x03\xff\xb6\xd4\x98\x16\xbd\xc1\x87\x55\x1d\x3c\x79\x67\x23\x74\xeb\xe8\x0b\x58\xff\xbe\x18\xc6\xad\xb8\x7f\xea\x88\xbc\x58\x6f\xfe\xd5\xd4\x7f\x47\xa2\x43\x1c\x50\x6e\xfb\xa2\x0b\xcf\x3e\x55\x87\x33\xd3\x89\x6a\x67\x4a\xbb\x2f\x9d\xdc\x35\x10\x84\xe9\x90\xfa", 221);
*(uint64_t*)0x1000066c = 0xfffffffffffffff9;
*(uint64_t*)0x10000674 = 3;
*(uint64_t*)0x1000067c = 6;
*(uint64_t*)0x10000684 = 4;
*(uint64_t*)0x1000068c = 0x1679;
*(uint64_t*)0x10000694 = 4;
*(uint64_t*)0x1000069c = 9;
*(uint32_t*)0x100006a4 = 6;
syscall(SYS_ioctl, (intptr_t)r[1], 0xc4504447, 0x10000240);
*(uint32_t*)0x10000700 = 5;
syscall(SYS_setsockopt, -1, 0x84, 0x18, 0x10000700, 4);
*(uint8_t*)0x10000000 = 0;
*(uint8_t*)0x10000001 = 0;
*(uint8_t*)0x10000002 = 0;
*(uint8_t*)0x10000003 = 0;
*(uint8_t*)0x10000004 = 0;
*(uint8_t*)0x10000005 = 0;
*(uint8_t*)0x10000006 = -1;
*(uint8_t*)0x10000007 = -1;
*(uint8_t*)0x10000008 = -1;
*(uint8_t*)0x10000009 = -1;
*(uint8_t*)0x1000000a = -1;
*(uint8_t*)0x1000000b = -1;
*(uint16_t*)0x1000000c = htobe16(0x88a8);
STORE_BY_BITMASK(uint16_t, , 0x1000000e, 7, 0, 3);
STORE_BY_BITMASK(uint16_t, , 0x1000000e, 1, 3, 1);
STORE_BY_BITMASK(uint16_t, , 0x1000000e, 0, 4, 12);
*(uint16_t*)0x10000010 = htobe16(0x8100);
STORE_BY_BITMASK(uint16_t, , 0x10000012, 2, 0, 3);
STORE_BY_BITMASK(uint16_t, , 0x10000012, 0, 3, 1);
STORE_BY_BITMASK(uint16_t, , 0x10000012, 4, 4, 12);
*(uint16_t*)0x10000014 = htobe16(0x806);
*(uint16_t*)0x10000016 = htobe16(1);
*(uint16_t*)0x10000018 = htobe16(0x800);
*(uint8_t*)0x1000001a = 6;
*(uint8_t*)0x1000001b = 4;
*(uint16_t*)0x1000001c = htobe16(4);
*(uint8_t*)0x1000001e = 0xaa;
*(uint8_t*)0x1000001f = 0xaa;
*(uint8_t*)0x10000020 = 0xaa;
*(uint8_t*)0x10000021 = 0xaa;
*(uint8_t*)0x10000022 = 0xaa;
*(uint8_t*)0x10000023 = 0xaa;
*(uint32_t*)0x10000024 = htobe32(0xe0000001);
*(uint8_t*)0x10000028 = 0xaa;
*(uint8_t*)0x10000029 = 0xaa;
*(uint8_t*)0x1000002a = 0xaa;
*(uint8_t*)0x1000002b = 0xaa;
*(uint8_t*)0x1000002c = 0xaa;
*(uint8_t*)0x1000002d = 0xbb;
*(uint32_t*)0x1000002e = htobe32(0x81);
memcpy((void*)0x10000040, "\xc4\xe1\x35\xd1\x31\x28\xcb\x67\x67\xf3\xa5\x3e\xf2\x2e\x82\x8f\x00\x00\x00\x00\x00\xc4\xc2\xd5\x90\x84\xc8\x1e\x91\x00\x00\x0f\x0e\x0f\xa2\xc4\xe1\x6c\x5d\xc9\x64\x66\x16\xc4\xc2\x7d\x78\x84\xad\x56\xc2\xd5\x56", 53);
syz_execute_func(0x10000040);
}
int main(void)
{
syscall(SYS_mmap, 0x10000000, 0x1000000, 7, 0x1012, -1, 0);
use_temporary_dir();
do_sandbox_none();
return 0;
}
<stdin>:181:10: error: use of undeclared identifier 'SYS_freebsd12_closefrom'
syscall(SYS_freebsd12_closefrom, (intptr_t)r[2]);
^
1 error generated.
compiler invocation: clang [-o /tmp/syz-executor981335236 -DGOOS_freebsd=1 -DGOARCH_386=1 -DHOSTGOOS_freebsd=1 -x c - -m32 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -static -lc++ -Wno-overflow]
--- FAIL: TestGenerate/freebsd/386/12 (0.49s)
csource_test.go:108: opts: {Threaded:true Collide:false Repeat:true RepeatTimes:0 Procs:0 Slowdown:1 Sandbox:none Fault:false FaultCall:0 FaultNth:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false USB:false VhciInjection:false Wifi:false Sysctl:false UseTmpDir:true HandleSegv:true Repro:false Trace:false}
program:
r0 = kqueue()
r1 = dup2(0xffffffffffffffff, r0)
freebsd11_fstat(r1, &(0x7f0000000000))
r2 = socket$inet_udp(0x2, 0x2, 0x0)
flock(r2, 0x8)
extattr_delete_fd(r2, 0x1, &(0x7f0000000080)='/$\\\xbb}/%\x00')
freebsd12_closefrom(r2)
getsockopt$inet_mreqsrc(r2, 0x0, 0x46, &(0x7f00000000c0)={@empty, @local, @multicast1}, &(0x7f0000000100)=0xc)
ioctl$DIOCRGETASTATS(r1, 0xc4504447, &(0x7f0000000240)={{"a1740ea9d3dde8c7f900973c9f7b4d36d59465aeefb6c31e1a1a93c666ba8b20a55e6aff30d06ef3b2e7d1e2f30d84af84130cd2e27c4f2ee2154517f289b262e070daabfe225447b9f8c4acb69f59336d096ade1d70f6d69098c451493a1fa41090f53baf2d0c5f7a10c83d29398d9dbe527304a42db05b7a3226d432d34ae0a091b58e26261254c970d80dc96f04943b864c8748843567bab2ba79db4f588d203e016149e21e413f3f416901083f9286aaa727a49d72c769829e8024354fc324a99067a7b7da16f7644d96dc3c57c10e1a751a99acfaf14508c6dcc54ef43f74363f4f6f417c33dd2749f6f10d3c704a5876a135f227cca90af85ef182256ed221c38e0c50677a802d6002f50e481167eccb1758b77bdde2a3d2465f147ab979875cb125b067cd37043d0513bcbdc5e79b208f7c2d6383e2284a58a5db5e955c71fe9cb3d122c0c7e7c47353f29b8e49065f973fdb9dae899acd12e59a4fff41fe3978415a5a6d5a55f590111195ba73cfb332f80ecf85c3ff957183cecd2bf069904dc8daf35f54e8847fec3e0f928b06a5355b3c1989283ddea2e77bfc50af6365dc505a6538d4ec5cff65090ff09b12f800ebce602ab635607a88ba3eeb916ce6031fc26c0fa7272200a9980d707796b6c917a79206d2c4c09ea418fca9db36f6ac0daf5902352c7de03af42c3d1ff5079455ace7b7120a004db7138300acf97e39fe51ccb6ce64386500a2f95b617fbc352a25f120b4a7c7cf1d28ea6c4b1b371553e9223051ef978d879df74e5975121fc80060b82392bd626293980cdcc501d542384573a83f3a1a06aee53a60a292aa1ab1147cbab6ef8d6af2173d0258b0327528a396af20d66c8d33d02493a7ad292f04787588ee1b5c4a9c313b18decfe3036601816c95e1887f077d523ffd3b73c91708d67499ff77089ea0f00365b2a358af83d381ecea944241af6a591941834c4630f6d0993da63a85ae2081904ea82ef82eda3a7e7389b31558fc3e05708a30cf1de742cefc54d4f379ae012c24ddef2afb5c77abd18a0da9ac383028bd3e31431613b5f0a5583093824c7b2056517773ed26f653740156f7a50aaa532123d6701835396ce55d9b50661e05f1e664ed043ce985023ea40b74e9f986c136d0c24eda683818cb5ddc7cdd6c8599c4816044343de06d88af6f9e03e365536636c76a05ef7da19d2b9d2b1cb85b23319efa812c95a91ab8e49bb3037f29ce6f08eaf005853a8267368108ec4aacf059d2da96d1af79c5f32f19086118d6396d4b1167eae4aab7ed8764dd9dd9c43d9aee44ecd8d0be380d536aa32de9f662fdf27ff65e0c6d4fffcf2f9140f168939283dda7b48b4cc6294fb7d03f21ef35c346b6fd7ef2dad0f0f65781404966cf523865242e71cfc74de893e38504b4a762801909b3239a554eb9060af95c", "0d99967cebff11ef0b6140841d5e74214120d79da45b56cdfcbc94e237769157", 0xffffffff, 0x4}, &(0x7f0000000140)="b4bcbbfe0b7f0b0eae45a1e2bd081ec52f7c6e44801b510f94b5f8065209b9fc618c2d192d48fc4647e0bb40c2f39eb0dce48c65889321d353b6079ece97867d3718595bc4eca1e13d71e9d50c861f4f9b60e4c2f10d205774d210efd3795646c0be0f22d33a4ff542362855c3b1153eded80eb08456da9224e5d2f3354918fd7c56e7b4a059689286adc6784581e02f42a695721a228c0d2d44bc8d03ffb6d49816bdc187551d3c79672374ebe80b58ffbe18c6adb87fea88bc586ffed5d47f47a2431c506efba20bcf3e558733d3896a674abb2f9ddc351084e990fa", 0xfffffffffffffff9, 0x3, 0x6, 0x4, 0x1679, 0x4, 0x9, 0x6})
setsockopt$inet_sctp_SCTP_AUTO_ASCONF(0xffffffffffffffff, 0x84, 0x18, &(0x7f0000000700)=0x5, 0x4)
syz_emit_ethernet(0x32, &(0x7f0000000000)={@empty, @broadcast, [{[{0x88a8, 0x7, 0x1}], {0x8100, 0x2, 0x0, 0x4}}], {@arp={0x806, @ether_ipv4={0x1, 0x800, 0x6, 0x4, 0x4, @local, @multicast1, @remote, @rand_addr=0x81}}}})
syz_execute_func(&(0x7f0000000040)="c4e135d13128cb6767f3a53ef22e828f0000000000c4c2d59084c81e9100000f0e0fa2c4e16c5dc9646616c4c27d7884ad56c2d556")
syz_extract_tcp_res(&(0x7f0000000080), 0x40, 0x7)
csource_test.go:109: failed to build program:
// autogenerated by syzkaller (https://github.com/google/syzkaller)
#define _GNU_SOURCE
#include <sys/types.h>
#include <dirent.h>
#include <errno.h>
#include <pthread.h>
#include <pwd.h>
#include <setjmp.h>
#include <signal.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/endian.h>
#include <sys/resource.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>
static __thread int skip_segv;
static __thread jmp_buf segv_env;
static void segv_handler(int sig, siginfo_t* info, void* ctx)
{
uintptr_t addr = (uintptr_t)info->si_addr;
const uintptr_t prog_start = 1 << 20;
const uintptr_t prog_end = 100 << 20;
int skip = __atomic_load_n(&skip_segv, __ATOMIC_RELAXED) != 0;
int valid = addr < prog_start || addr > prog_end;
if (sig == SIGBUS) {
valid = 1;
}
if (skip && valid) {
_longjmp(segv_env, 1);
}
exit(sig);
}
static void install_segv_handler(void)
{
struct sigaction sa;
memset(&sa, 0, sizeof(sa));
sa.sa_sigaction = segv_handler;
sa.sa_flags = SA_NODEFER | SA_SIGINFO;
sigaction(SIGSEGV, &sa, NULL);
sigaction(SIGBUS, &sa, NULL);
}
#define NONFAILING(...) ({ int ok = 1; __atomic_fetch_add(&skip_segv, 1, __ATOMIC_SEQ_CST); if (_setjmp(segv_env) == 0) { __VA_ARGS__; } else ok = 0; __atomic_fetch_sub(&skip_segv, 1, __ATOMIC_SEQ_CST); ok; })
static void kill_and_wait(int pid, int* status)
{
kill(pid, SIGKILL);
while (waitpid(-1, status, 0) != pid) {
}
}
static void sleep_ms(uint64_t ms)
{
usleep(ms * 1000);
}
static uint64_t current_time_ms(void)
{
struct timespec ts;
if (clock_gettime(CLOCK_MONOTONIC, &ts))
exit(1);
return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}
static void use_temporary_dir(void)
{
char tmpdir_template[] = "./syzkaller.XXXXXX";
char* tmpdir = mkdtemp(tmpdir_template);
if (!tmpdir)
exit(1);
if (chmod(tmpdir, 0777))
exit(1);
if (chdir(tmpdir))
exit(1);
}
static void __attribute__((noinline)) remove_dir(const char* dir)
{
DIR* dp = opendir(dir);
if (dp == NULL) {
if (errno == EACCES) {
if (rmdir(dir))
exit(1);
return;
}
exit(1);
}
struct dirent* ep = 0;
while ((ep = readdir(dp))) {
if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0)
continue;
char filename[FILENAME_MAX];
snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name);
struct stat st;
if (lstat(filename, &st))
exit(1);
if (S_ISDIR(st.st_mode)) {
remove_dir(filename);
continue;
}
if (unlink(filename))
exit(1);
}
closedir(dp);
if (rmdir(dir))
exit(1);
}
static void thread_start(void* (*fn)(void*), void* arg)
{
pthread_t th;
pthread_attr_t attr;
pthread_attr_init(&attr);
pthread_attr_setstacksize(&attr, 128 << 10);
int i = 0;
for (; i < 100; i++) {
if (pthread_create(&th, &attr, fn, arg) == 0) {
pthread_attr_destroy(&attr);
return;
}
if (errno == EAGAIN) {
usleep(50);
continue;
}
break;
}
exit(1);
}
typedef struct {
pthread_mutex_t mu;
pthread_cond_t cv;
int state;
} event_t;
static void event_init(event_t* ev)
{
if (pthread_mutex_init(&ev->mu, 0))
exit(1);
if (pthread_cond_init(&ev->cv, 0))
exit(1);
ev->state = 0;
}
static void event_reset(event_t* ev)
{
ev->state = 0;
}
static void event_set(event_t* ev)
{
pthread_mutex_lock(&ev->mu);
if (ev->state)
exit(1);
ev->state = 1;
pthread_mutex_unlock(&ev->mu);
pthread_cond_broadcast(&ev->cv);
}
static void event_wait(event_t* ev)
{
pthread_mutex_lock(&ev->mu);
while (!ev->state)
pthread_cond_wait(&ev->cv, &ev->mu);
pthread_mutex_unlock(&ev->mu);
}
static int event_isset(event_t* ev)
{
pthread_mutex_lock(&ev->mu);
int res = ev->state;
pthread_mutex_unlock(&ev->mu);
return res;
}
static int event_timedwait(event_t* ev, uint64_t timeout)
{
uint64_t start = current_time_ms();
uint64_t now = start;
pthread_mutex_lock(&ev->mu);
for (;;) {
if (ev->state)
break;
uint64_t remain = timeout - (now - start);
struct timespec ts;
ts.tv_sec = remain / 1000;
ts.tv_nsec = (remain % 1000) * 1000 * 1000;
pthread_cond_timedwait(&ev->cv, &ev->mu, &ts);
now = current_time_ms();
if (now - start > timeout)
break;
}
int res = ev->state;
pthread_mutex_unlock(&ev->mu);
return res;
}
#define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off))
#define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len))))
static void sandbox_common()
{
struct rlimit rlim;
rlim.rlim_cur = rlim.rlim_max = 128 << 20;
setrlimit(RLIMIT_AS, &rlim);
rlim.rlim_cur = rlim.rlim_max = 8 << 20;
setrlimit(RLIMIT_MEMLOCK, &rlim);
rlim.rlim_cur = rlim.rlim_max = 1 << 20;
setrlimit(RLIMIT_FSIZE, &rlim);
rlim.rlim_cur = rlim.rlim_max = 1 << 20;
setrlimit(RLIMIT_STACK, &rlim);
rlim.rlim_cur = rlim.rlim_max = 0;
setrlimit(RLIMIT_CORE, &rlim);
rlim.rlim_cur = rlim.rlim_max = 256;
setrlimit(RLIMIT_NOFILE, &rlim);
}
static void loop();
static int do_sandbox_none(void)
{
sandbox_common();
loop();
return 0;
}
static long syz_execute_func(volatile long text)
{
((void (*)(void))(text))();
return 0;
}
struct thread_t {
int created, call;
event_t ready, done;
};
static struct thread_t threads[16];
static void execute_call(int call);
static int running;
static void* thr(void* arg)
{
struct thread_t* th = (struct thread_t*)arg;
for (;;) {
event_wait(&th->ready);
event_reset(&th->ready);
execute_call(th->call);
__atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED);
event_set(&th->done);
}
return 0;
}
static void execute_one(void)
{
int i, call, thread;
for (call = 0; call < 13; call++) {
for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) {
struct thread_t* th = &threads[thread];
if (!th->created) {
th->created = 1;
event_init(&th->ready);
event_init(&th->done);
event_set(&th->done);
thread_start(thr, th);
}
if (!event_isset(&th->done))
continue;
event_reset(&th->done);
th->call = call;
__atomic_fetch_add(&running, 1, __ATOMIC_RELAXED);
event_set(&th->ready);
event_timedwait(&th->done, 50);
break;
}
}
for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++)
sleep_ms(1);
}
static void execute_one(void);
#define WAIT_FLAGS 0
static void loop(void)
{
int iter = 0;
for (;; iter++) {
char cwdbuf[32];
sprintf(cwdbuf, "./%d", iter);
if (mkdir(cwdbuf, 0777))
exit(1);
int pid = fork();
if (pid < 0)
exit(1);
if (pid == 0) {
if (chdir(cwdbuf))
exit(1);
execute_one();
exit(0);
}
int status = 0;
uint64_t start = current_time_ms();
for (;;) {
if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
break;
sleep_ms(1);
if (current_time_ms() - start < 5000) {
continue;
}
kill_and_wait(pid, &status);
break;
}
remove_dir(cwdbuf);
}
}
uint64_t r[3] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff};
void execute_call(int call)
{
intptr_t res = 0;
switch (call) {
case 0:
res = syscall(SYS_kqueue);
if (res != -1)
r[0] = res;
break;
case 1:
res = syscall(SYS_dup2, -1, (intptr_t)r[0]);
if (res != -1)
r[1] = res;
break;
case 2:
syscall(SYS_freebsd11_fstat, (intptr_t)r[1], 0x10000000);
break;
case 3:
res = syscall(SYS_socket, 2, 2, 0);
if (res != -1)
r[2] = res;
break;
case 4:
syscall(SYS_flock, (intptr_t)r[2], 8);
break;
case 5:
NONFAILING(memcpy((void*)0x10000080, "/$\\\273}/%\000", 8));
syscall(SYS_extattr_delete_fd, (intptr_t)r[2], 1, 0x10000080);
break;
case 6:
syscall(SYS_freebsd12_closefrom, (intptr_t)r[2]);
break;
case 7:
NONFAILING(*(uint32_t*)0x10000100 = 0xc);
syscall(SYS_getsockopt, (intptr_t)r[2], 0, 0x46, 0x100000c0, 0x10000100);
break;
case 8:
NONFAILING(memcpy((void*)0x10000240, "\xa1\x74\x0e\xa9\xd3\xdd\xe8\xc7\xf9\x00\x97\x3c\x9f\x7b\x4d\x36\xd5\x94\x65\xae\xef\xb6\xc3\x1e\x1a\x1a\x93\xc6\x66\xba\x8b\x20\xa5\x5e\x6a\xff\x30\xd0\x6e\xf3\xb2\xe7\xd1\xe2\xf3\x0d\x84\xaf\x84\x13\x0c\xd2\xe2\x7c\x4f\x2e\xe2\x15\x45\x17\xf2\x89\xb2\x62\xe0\x70\xda\xab\xfe\x22\x54\x47\xb9\xf8\xc4\xac\xb6\x9f\x59\x33\x6d\x09\x6a\xde\x1d\x70\xf6\xd6\x90\x98\xc4\x51\x49\x3a\x1f\xa4\x10\x90\xf5\x3b\xaf\x2d\x0c\x5f\x7a\x10\xc8\x3d\x29\x39\x8d\x9d\xbe\x52\x73\x04\xa4\x2d\xb0\x5b\x7a\x32\x26\xd4\x32\xd3\x4a\xe0\xa0\x91\xb5\x8e\x26\x26\x12\x54\xc9\x70\xd8\x0d\xc9\x6f\x04\x94\x3b\x86\x4c\x87\x48\x84\x35\x67\xba\xb2\xba\x79\xdb\x4f\x58\x8d\x20\x3e\x01\x61\x49\xe2\x1e\x41\x3f\x3f\x41\x69\x01\x08\x3f\x92\x86\xaa\xa7\x27\xa4\x9d\x72\xc7\x69\x82\x9e\x80\x24\x35\x4f\xc3\x24\xa9\x90\x67\xa7\xb7\xda\x16\xf7\x64\x4d\x96\xdc\x3c\x57\xc1\x0e\x1a\x75\x1a\x99\xac\xfa\xf1\x45\x08\xc6\xdc\xc5\x4e\xf4\x3f\x74\x36\x3f\x4f\x6f\x41\x7c\x33\xdd\x27\x49\xf6\xf1\x0d\x3c\x70\x4a\x58\x76\xa1\x35\xf2\x27\xcc\xa9\x0a\xf8\x5e\xf1\x82\x25\x6e\xd2\x21\xc3\x8e\x0c\x50\x67\x7a\x80\x2d\x60\x02\xf5\x0e\x48\x11\x67\xec\xcb\x17\x58\xb7\x7b\xdd\xe2\xa3\xd2\x46\x5f\x14\x7a\xb9\x79\x87\x5c\xb1\x25\xb0\x67\xcd\x37\x04\x3d\x05\x13\xbc\xbd\xc5\xe7\x9b\x20\x8f\x7c\x2d\x63\x83\xe2\x28\x4a\x58\xa5\xdb\x5e\x95\x5c\x71\xfe\x9c\xb3\xd1\x22\xc0\xc7\xe7\xc4\x73\x53\xf2\x9b\x8e\x49\x06\x5f\x97\x3f\xdb\x9d\xae\x89\x9a\xcd\x12\xe5\x9a\x4f\xff\x41\xfe\x39\x78\x41\x5a\x5a\x6d\x5a\x55\xf5\x90\x11\x11\x95\xba\x73\xcf\xb3\x32\xf8\x0e\xcf\x85\xc3\xff\x95\x71\x83\xce\xcd\x2b\xf0\x69\x90\x4d\xc8\xda\xf3\x5f\x54\xe8\x84\x7f\xec\x3e\x0f\x92\x8b\x06\xa5\x35\x5b\x3c\x19\x89\x28\x3d\xde\xa2\xe7\x7b\xfc\x50\xaf\x63\x65\xdc\x50\x5a\x65\x38\xd4\xec\x5c\xff\x65\x09\x0f\xf0\x9b\x12\xf8\x00\xeb\xce\x60\x2a\xb6\x35\x60\x7a\x88\xba\x3e\xeb\x91\x6c\xe6\x03\x1f\xc2\x6c\x0f\xa7\x27\x22\x00\xa9\x98\x0d\x70\x77\x96\xb6\xc9\x17\xa7\x92\x06\xd2\xc4\xc0\x9e\xa4\x18\xfc\xa9\xdb\x36\xf6\xac\x0d\xaf\x59\x02\x35\x2c\x7d\xe0\x3a\xf4\x2c\x3d\x1f\xf5\x07\x94\x55\xac\xe7\xb7\x12\x0a\x00\x4d\xb7\x13\x83\x00\xac\xf9\x7e\x39\xfe\x51\xcc\xb6\xce\x64\x38\x65\x00\xa2\xf9\x5b\x61\x7f\xbc\x35\x2a\x25\xf1\x20\xb4\xa7\xc7\xcf\x1d\x28\xea\x6c\x4b\x1b\x37\x15\x53\xe9\x22\x30\x51\xef\x97\x8d\x87\x9d\xf7\x4e\x59\x75\x12\x1f\xc8\x00\x60\xb8\x23\x92\xbd\x62\x62\x93\x98\x0c\xdc\xc5\x01\xd5\x42\x38\x45\x73\xa8\x3f\x3a\x1a\x06\xae\xe5\x3a\x60\xa2\x92\xaa\x1a\xb1\x14\x7c\xba\xb6\xef\x8d\x6a\xf2\x17\x3d\x02\x58\xb0\x32\x75\x28\xa3\x96\xaf\x20\xd6\x6c\x8d\x33\xd0\x24\x93\xa7\xad\x29\x2f\x04\x78\x75\x88\xee\x1b\x5c\x4a\x9c\x31\x3b\x18\xde\xcf\xe3\x03\x66\x01\x81\x6c\x95\xe1\x88\x7f\x07\x7d\x52\x3f\xfd\x3b\x73\xc9\x17\x08\xd6\x74\x99\xff\x77\x08\x9e\xa0\xf0\x03\x65\xb2\xa3\x58\xaf\x83\xd3\x81\xec\xea\x94\x42\x41\xaf\x6a\x59\x19\x41\x83\x4c\x46\x30\xf6\xd0\x99\x3d\xa6\x3a\x85\xae\x20\x81\x90\x4e\xa8\x2e\xf8\x2e\xda\x3a\x7e\x73\x89\xb3\x15\x58\xfc\x3e\x05\x70\x8a\x30\xcf\x1d\xe7\x42\xce\xfc\x54\xd4\xf3\x79\xae\x01\x2c\x24\xdd\xef\x2a\xfb\x5c\x77\xab\xd1\x8a\x0d\xa9\xac\x38\x30\x28\xbd\x3e\x31\x43\x16\x13\xb5\xf0\xa5\x58\x30\x93\x82\x4c\x7b\x20\x56\x51\x77\x73\xed\x26\xf6\x53\x74\x01\x56\xf7\xa5\x0a\xaa\x53\x21\x23\xd6\x70\x18\x35\x39\x6c\xe5\x5d\x9b\x50\x66\x1e\x05\xf1\xe6\x64\xed\x04\x3c\xe9\x85\x02\x3e\xa4\x0b\x74\xe9\xf9\x86\xc1\x36\xd0\xc2\x4e\xda\x68\x38\x18\xcb\x5d\xdc\x7c\xdd\x6c\x85\x99\xc4\x81\x60\x44\x34\x3d\xe0\x6d\x88\xaf\x6f\x9e\x03\xe3\x65\x53\x66\x36\xc7\x6a\x05\xef\x7d\xa1\x9d\x2b\x9d\x2b\x1c\xb8\x5b\x23\x31\x9e\xfa\x81\x2c\x95\xa9\x1a\xb8\xe4\x9b\xb3\x03\x7f\x29\xce\x6f\x08\xea\xf0\x05\x85\x3a\x82\x67\x36\x81\x08\xec\x4a\xac\xf0\x59\xd2\xda\x96\xd1\xaf\x79\xc5\xf3\x2f\x19\x08\x61\x18\xd6\x39\x6d\x4b\x11\x67\xea\xe4\xaa\xb7\xed\x87\x64\xdd\x9d\xd9\xc4\x3d\x9a\xee\x44\xec\xd8\xd0\xbe\x38\x0d\x53\x6a\xa3\x2d\xe9\xf6\x62\xfd\xf2\x7f\xf6\x5e\x0c\x6d\x4f\xff\xcf\x2f\x91\x40\xf1\x68\x93\x92\x83\xdd\xa7\xb4\x8b\x4c\xc6\x29\x4f\xb7\xd0\x3f\x21\xef\x35\xc3\x46\xb6\xfd\x7e\xf2\xda\xd0\xf0\xf6\x57\x81\x40\x49\x66\xcf\x52\x38\x65\x24\x2e\x71\xcf\xc7\x4d\xe8\x93\xe3\x85\x04\xb4\xa7\x62\x80\x19\x09\xb3\x23\x9a\x55\x4e\xb9\x06\x0a\xf9\x5c", 1024));
NONFAILING(memcpy((void*)0x10000640, "\x0d\x99\x96\x7c\xeb\xff\x11\xef\x0b\x61\x40\x84\x1d\x5e\x74\x21\x41\x20\xd7\x9d\xa4\x5b\x56\xcd\xfc\xbc\x94\xe2\x37\x76\x91\x57", 32));
NONFAILING(*(uint32_t*)0x10000660 = -1);
NONFAILING(*(uint8_t*)0x10000664 = 4);
NONFAILING(*(uint32_t*)0x10000668 = 0x10000140);
NONFAILING(memcpy((void*)0x10000140, "\xb4\xbc\xbb\xfe\x0b\x7f\x0b\x0e\xae\x45\xa1\xe2\xbd\x08\x1e\xc5\x2f\x7c\x6e\x44\x80\x1b\x51\x0f\x94\xb5\xf8\x06\x52\x09\xb9\xfc\x61\x8c\x2d\x19\x2d\x48\xfc\x46\x47\xe0\xbb\x40\xc2\xf3\x9e\xb0\xdc\xe4\x8c\x65\x88\x93\x21\xd3\x53\xb6\x07\x9e\xce\x97\x86\x7d\x37\x18\x59\x5b\xc4\xec\xa1\xe1\x3d\x71\xe9\xd5\x0c\x86\x1f\x4f\x9b\x60\xe4\xc2\xf1\x0d\x20\x57\x74\xd2\x10\xef\xd3\x79\x56\x46\xc0\xbe\x0f\x22\xd3\x3a\x4f\xf5\x42\x36\x28\x55\xc3\xb1\x15\x3e\xde\xd8\x0e\xb0\x84\x56\xda\x92\x24\xe5\xd2\xf3\x35\x49\x18\xfd\x7c\x56\xe7\xb4\xa0\x59\x68\x92\x86\xad\xc6\x78\x45\x81\xe0\x2f\x42\xa6\x95\x72\x1a\x22\x8c\x0d\x2d\x44\xbc\x8d\x03\xff\xb6\xd4\x98\x16\xbd\xc1\x87\x55\x1d\x3c\x79\x67\x23\x74\xeb\xe8\x0b\x58\xff\xbe\x18\xc6\xad\xb8\x7f\xea\x88\xbc\x58\x6f\xfe\xd5\xd4\x7f\x47\xa2\x43\x1c\x50\x6e\xfb\xa2\x0b\xcf\x3e\x55\x87\x33\xd3\x89\x6a\x67\x4a\xbb\x2f\x9d\xdc\x35\x10\x84\xe9\x90\xfa", 221));
NONFAILING(*(uint64_t*)0x1000066c = 0xfffffffffffffff9);
NONFAILING(*(uint64_t*)0x10000674 = 3);
NONFAILING(*(uint64_t*)0x1000067c = 6);
NONFAILING(*(uint64_t*)0x10000684 = 4);
NONFAILING(*(uint64_t*)0x1000068c = 0x1679);
NONFAILING(*(uint64_t*)0x10000694 = 4);
NONFAILING(*(uint64_t*)0x1000069c = 9);
NONFAILING(*(uint32_t*)0x100006a4 = 6);
syscall(SYS_ioctl, (intptr_t)r[1], 0xc4504447, 0x10000240);
break;
case 9:
NONFAILING(*(uint32_t*)0x10000700 = 5);
syscall(SYS_setsockopt, -1, 0x84, 0x18, 0x10000700, 4);
break;
case 10:
NONFAILING(*(uint8_t*)0x10000000 = 0);
NONFAILING(*(uint8_t*)0x10000001 = 0);
NONFAILING(*(uint8_t*)0x10000002 = 0);
NONFAILING(*(uint8_t*)0x10000003 = 0);
NONFAILING(*(uint8_t*)0x10000004 = 0);
NONFAILING(*(uint8_t*)0x10000005 = 0);
NONFAILING(*(uint8_t*)0x10000006 = -1);
NONFAILING(*(uint8_t*)0x10000007 = -1);
NONFAILING(*(uint8_t*)0x10000008 = -1);
NONFAILING(*(uint8_t*)0x10000009 = -1);
NONFAILING(*(uint8_t*)0x1000000a = -1);
NONFAILING(*(uint8_t*)0x1000000b = -1);
NONFAILING(*(uint16_t*)0x1000000c = htobe16(0x88a8));
NONFAILING(STORE_BY_BITMASK(uint16_t, , 0x1000000e, 7, 0, 3));
NONFAILING(STORE_BY_BITMASK(uint16_t, , 0x1000000e, 1, 3, 1));
NONFAILING(STORE_BY_BITMASK(uint16_t, , 0x1000000e, 0, 4, 12));
NONFAILING(*(uint16_t*)0x10000010 = htobe16(0x8100));
NONFAILING(STORE_BY_BITMASK(uint16_t, , 0x10000012, 2, 0, 3));
NONFAILING(STORE_BY_BITMASK(uint16_t, , 0x10000012, 0, 3, 1));
NONFAILING(STORE_BY_BITMASK(uint16_t, , 0x10000012, 4, 4, 12));
NONFAILING(*(uint16_t*)0x10000014 = htobe16(0x806));
NONFAILING(*(uint16_t*)0x10000016 = htobe16(1));
NONFAILING(*(uint16_t*)0x10000018 = htobe16(0x800));
NONFAILING(*(uint8_t*)0x1000001a = 6);
NONFAILING(*(uint8_t*)0x1000001b = 4);
NONFAILING(*(uint16_t*)0x1000001c = htobe16(4));
NONFAILING(*(uint8_t*)0x1000001e = 0xaa);
NONFAILING(*(uint8_t*)0x1000001f = 0xaa);
NONFAILING(*(uint8_t*)0x10000020 = 0xaa);
NONFAILING(*(uint8_t*)0x10000021 = 0xaa);
NONFAILING(*(uint8_t*)0x10000022 = 0xaa);
NONFAILING(*(uint8_t*)0x10000023 = 0xaa);
NONFAILING(*(uint32_t*)0x10000024 = htobe32(0xe0000001));
NONFAILING(*(uint8_t*)0x10000028 = 0xaa);
NONFAILING(*(uint8_t*)0x10000029 = 0xaa);
NONFAILING(*(uint8_t*)0x1000002a = 0xaa);
NONFAILING(*(uint8_t*)0x1000002b = 0xaa);
NONFAILING(*(uint8_t*)0x1000002c = 0xaa);
NONFAILING(*(uint8_t*)0x1000002d = 0xbb);
NONFAILING(*(uint32_t*)0x1000002e = htobe32(0x81));
break;
case 11:
NONFAILING(memcpy((void*)0x10000040, "\xc4\xe1\x35\xd1\x31\x28\xcb\x67\x67\xf3\xa5\x3e\xf2\x2e\x82\x8f\x00\x00\x00\x00\x00\xc4\xc2\xd5\x90\x84\xc8\x1e\x91\x00\x00\x0f\x0e\x0f\xa2\xc4\xe1\x6c\x5d\xc9\x64\x66\x16\xc4\xc2\x7d\x78\x84\xad\x56\xc2\xd5\x56", 53));
NONFAILING(syz_execute_func(0x10000040));
break;
case 12:
break;
}
}
int main(void)
{
syscall(SYS_mmap, 0x10000000, 0x1000000, 7, 0x1012, -1, 0);
install_segv_handler();
use_temporary_dir();
do_sandbox_none();
return 0;
}
<stdin>:364:11: error: use of undeclared identifier 'SYS_freebsd12_closefrom'
syscall(SYS_freebsd12_closefrom, (intptr_t)r[2]);
^
1 error generated.
compiler invocation: clang [-o /tmp/syz-executor513782969 -DGOOS_freebsd=1 -DGOARCH_386=1 -DHOSTGOOS_freebsd=1 -x c - -m32 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -static -lc++ -Wno-overflow]
--- FAIL: TestGenerate/freebsd/386/7 (0.66s)
csource_test.go:108: opts: {Threaded:true Collide:false Repeat:true RepeatTimes:0 Procs:0 Slowdown:10 Sandbox:none Fault:false FaultCall:0 FaultNth:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false USB:false VhciInjection:false Wifi:false Sysctl:false UseTmpDir:true HandleSegv:false Repro:false Trace:false}
program:
r0 = kqueue()
r1 = dup2(0xffffffffffffffff, r0)
freebsd11_fstat(r1, &(0x7f0000000000))
r2 = socket$inet_udp(0x2, 0x2, 0x0)
flock(r2, 0x8)
extattr_delete_fd(r2, 0x1, &(0x7f0000000080)='/$\\\xbb}/%\x00')
freebsd12_closefrom(r2)
getsockopt$inet_mreqsrc(r2, 0x0, 0x46, &(0x7f00000000c0)={@empty, @local, @multicast1}, &(0x7f0000000100)=0xc)
ioctl$DIOCRGETASTATS(r1, 0xc4504447, &(0x7f0000000240)={{"a1740ea9d3dde8c7f900973c9f7b4d36d59465aeefb6c31e1a1a93c666ba8b20a55e6aff30d06ef3b2e7d1e2f30d84af84130cd2e27c4f2ee2154517f289b262e070daabfe225447b9f8c4acb69f59336d096ade1d70f6d69098c451493a1fa41090f53baf2d0c5f7a10c83d29398d9dbe527304a42db05b7a3226d432d34ae0a091b58e26261254c970d80dc96f04943b864c8748843567bab2ba79db4f588d203e016149e21e413f3f416901083f9286aaa727a49d72c769829e8024354fc324a99067a7b7da16f7644d96dc3c57c10e1a751a99acfaf14508c6dcc54ef43f74363f4f6f417c33dd2749f6f10d3c704a5876a135f227cca90af85ef182256ed221c38e0c50677a802d6002f50e481167eccb1758b77bdde2a3d2465f147ab979875cb125b067cd37043d0513bcbdc5e79b208f7c2d6383e2284a58a5db5e955c71fe9cb3d122c0c7e7c47353f29b8e49065f973fdb9dae899acd12e59a4fff41fe3978415a5a6d5a55f590111195ba73cfb332f80ecf85c3ff957183cecd2bf069904dc8daf35f54e8847fec3e0f928b06a5355b3c1989283ddea2e77bfc50af6365dc505a6538d4ec5cff65090ff09b12f800ebce602ab635607a88ba3eeb916ce6031fc26c0fa7272200a9980d707796b6c917a79206d2c4c09ea418fca9db36f6ac0daf5902352c7de03af42c3d1ff5079455ace7b7120a004db7138300acf97e39fe51ccb6ce64386500a2f95b617fbc352a25f120b4a7c7cf1d28ea6c4b1b371553e9223051ef978d879df74e5975121fc80060b82392bd626293980cdcc501d542384573a83f3a1a06aee53a60a292aa1ab1147cbab6ef8d6af2173d0258b0327528a396af20d66c8d33d02493a7ad292f04787588ee1b5c4a9c313b18decfe3036601816c95e1887f077d523ffd3b73c91708d67499ff77089ea0f00365b2a358af83d381ecea944241af6a591941834c4630f6d0993da63a85ae2081904ea82ef82eda3a7e7389b31558fc3e05708a30cf1de742cefc54d4f379ae012c24ddef2afb5c77abd18a0da9ac383028bd3e31431613b5f0a5583093824c7b2056517773ed26f653740156f7a50aaa532123d6701835396ce55d9b50661e05f1e664ed043ce985023ea40b74e9f986c136d0c24eda683818cb5ddc7cdd6c8599c4816044343de06d88af6f9e03e365536636c76a05ef7da19d2b9d2b1cb85b23319efa812c95a91ab8e49bb3037f29ce6f08eaf005853a8267368108ec4aacf059d2da96d1af79c5f32f19086118d6396d4b1167eae4aab7ed8764dd9dd9c43d9aee44ecd8d0be380d536aa32de9f662fdf27ff65e0c6d4fffcf2f9140f168939283dda7b48b4cc6294fb7d03f21ef35c346b6fd7ef2dad0f0f65781404966cf523865242e71cfc74de893e38504b4a762801909b3239a554eb9060af95c", "0d99967cebff11ef0b6140841d5e74214120d79da45b56cdfcbc94e237769157", 0xffffffff, 0x4}, &(0x7f0000000140)="b4bcbbfe0b7f0b0eae45a1e2bd081ec52f7c6e44801b510f94b5f8065209b9fc618c2d192d48fc4647e0bb40c2f39eb0dce48c65889321d353b6079ece97867d3718595bc4eca1e13d71e9d50c861f4f9b60e4c2f10d205774d210efd3795646c0be0f22d33a4ff542362855c3b1153eded80eb08456da9224e5d2f3354918fd7c56e7b4a059689286adc6784581e02f42a695721a228c0d2d44bc8d03ffb6d49816bdc187551d3c79672374ebe80b58ffbe18c6adb87fea88bc586ffed5d47f47a2431c506efba20bcf3e558733d3896a674abb2f9ddc351084e990fa", 0xfffffffffffffff9, 0x3, 0x6, 0x4, 0x1679, 0x4, 0x9, 0x6})
setsockopt$inet_sctp_SCTP_AUTO_ASCONF(0xffffffffffffffff, 0x84, 0x18, &(0x7f0000000700)=0x5, 0x4)
syz_emit_ethernet(0x32, &(0x7f0000000000)={@empty, @broadcast, [{[{0x88a8, 0x7, 0x1}], {0x8100, 0x2, 0x0, 0x4}}], {@arp={0x806, @ether_ipv4={0x1, 0x800, 0x6, 0x4, 0x4, @local, @multicast1, @remote, @rand_addr=0x81}}}})
syz_execute_func(&(0x7f0000000040)="c4e135d13128cb6767f3a53ef22e828f0000000000c4c2d59084c81e9100000f0e0fa2c4e16c5dc9646616c4c27d7884ad56c2d556")
syz_extract_tcp_res(&(0x7f0000000080), 0x40, 0x7)
csource_test.go:109: failed to build program:
// autogenerated by syzkaller (https://github.com/google/syzkaller)
#define _GNU_SOURCE
#include <sys/types.h>
#include <dirent.h>
#include <errno.h>
#include <pthread.h>
#include <pwd.h>
#include <signal.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/endian.h>
#include <sys/resource.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>
static void kill_and_wait(int pid, int* status)
{
kill(pid, SIGKILL);
while (waitpid(-1, status, 0) != pid) {
}
}
static void sleep_ms(uint64_t ms)
{
usleep(ms * 1000);
}
static uint64_t current_time_ms(void)
{
struct timespec ts;
if (clock_gettime(CLOCK_MONOTONIC, &ts))
exit(1);
return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}
static void use_temporary_dir(void)
{
char tmpdir_template[] = "./syzkaller.XXXXXX";
char* tmpdir = mkdtemp(tmpdir_template);
if (!tmpdir)
exit(1);
if (chmod(tmpdir, 0777))
exit(1);
if (chdir(tmpdir))
exit(1);
}
static void __attribute__((noinline)) remove_dir(const char* dir)
{
DIR* dp = opendir(dir);
if (dp == NULL) {
if (errno == EACCES) {
if (rmdir(dir))
exit(1);
return;
}
exit(1);
}
struct dirent* ep = 0;
while ((ep = readdir(dp))) {
if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0)
continue;
char filename[FILENAME_MAX];
snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name);
struct stat st;
if (lstat(filename, &st))
exit(1);
if (S_ISDIR(st.st_mode)) {
remove_dir(filename);
continue;
}
if (unlink(filename))
exit(1);
}
closedir(dp);
if (rmdir(dir))
exit(1);
}
static void thread_start(void* (*fn)(void*), void* arg)
{
pthread_t th;
pthread_attr_t attr;
pthread_attr_init(&attr);
pthread_attr_setstacksize(&attr, 128 << 10);
int i = 0;
for (; i < 100; i++) {
if (pthread_create(&th, &attr, fn, arg) == 0) {
pthread_attr_destroy(&attr);
return;
}
if (errno == EAGAIN) {
usleep(50);
continue;
}
break;
}
exit(1);
}
typedef struct {
pthread_mutex_t mu;
pthread_cond_t cv;
int state;
} event_t;
static void event_init(event_t* ev)
{
if (pthread_mutex_init(&ev->mu, 0))
exit(1);
if (pthread_cond_init(&ev->cv, 0))
exit(1);
ev->state = 0;
}
static void event_reset(event_t* ev)
{
ev->state = 0;
}
static void event_set(event_t* ev)
{
pthread_mutex_lock(&ev->mu);
if (ev->state)
exit(1);
ev->state = 1;
pthread_mutex_unlock(&ev->mu);
pthread_cond_broadcast(&ev->cv);
}
static void event_wait(event_t* ev)
{
pthread_mutex_lock(&ev->mu);
while (!ev->state)
pthread_cond_wait(&ev->cv, &ev->mu);
pthread_mutex_unlock(&ev->mu);
}
static int event_isset(event_t* ev)
{
pthread_mutex_lock(&ev->mu);
int res = ev->state;
pthread_mutex_unlock(&ev->mu);
return res;
}
static int event_timedwait(event_t* ev, uint64_t timeout)
{
uint64_t start = current_time_ms();
uint64_t now = start;
pthread_mutex_lock(&ev->mu);
for (;;) {
if (ev->state)
break;
uint64_t remain = timeout - (now - start);
struct timespec ts;
ts.tv_sec = remain / 1000;
ts.tv_nsec = (remain % 1000) * 1000 * 1000;
pthread_cond_timedwait(&ev->cv, &ev->mu, &ts);
now = current_time_ms();
if (now - start > timeout)
break;
}
int res = ev->state;
pthread_mutex_unlock(&ev->mu);
return res;
}
#define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off))
#define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len))))
static void sandbox_common()
{
struct rlimit rlim;
rlim.rlim_cur = rlim.rlim_max = 128 << 20;
setrlimit(RLIMIT_AS, &rlim);
rlim.rlim_cur = rlim.rlim_max = 8 << 20;
setrlimit(RLIMIT_MEMLOCK, &rlim);
rlim.rlim_cur = rlim.rlim_max = 1 << 20;
setrlimit(RLIMIT_FSIZE, &rlim);
rlim.rlim_cur = rlim.rlim_max = 1 << 20;
setrlimit(RLIMIT_STACK, &rlim);
rlim.rlim_cur = rlim.rlim_max = 0;
setrlimit(RLIMIT_CORE, &rlim);
rlim.rlim_cur = rlim.rlim_max = 256;
setrlimit(RLIMIT_NOFILE, &rlim);
}
static void loop();
static int do_sandbox_none(void)
{
sandbox_common();
loop();
return 0;
}
static long syz_execute_func(volatile long text)
{
((void (*)(void))(text))();
return 0;
}
struct thread_t {
int created, call;
event_t ready, done;
};
static struct thread_t threads[16];
static void execute_call(int call);
static int running;
static void* thr(void* arg)
{
struct thread_t* th = (struct thread_t*)arg;
for (;;) {
event_wait(&th->ready);
event_reset(&th->ready);
execute_call(th->call);
__atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED);
event_set(&th->done);
}
return 0;
}
static void execute_one(void)
{
int i, call, thread;
for (call = 0; call < 13; call++) {
for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) {
struct thread_t* th = &threads[thread];
if (!th->created) {
th->created = 1;
event_init(&th->ready);
event_init(&th->done);
event_set(&th->done);
thread_start(thr, th);
}
if (!event_isset(&th->done))
continue;
event_reset(&th->done);
th->call = call;
__atomic_fetch_add(&running, 1, __ATOMIC_RELAXED);
event_set(&th->ready);
event_timedwait(&th->done, 500);
break;
}
}
for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++)
sleep_ms(1);
}
static void execute_one(void);
#define WAIT_FLAGS 0
static void loop(void)
{
int iter = 0;
for (;; iter++) {
char cwdbuf[32];
sprintf(cwdbuf, "./%d", iter);
if (mkdir(cwdbuf, 0777))
exit(1);
int pid = fork();
if (pid < 0)
exit(1);
if (pid == 0) {
if (chdir(cwdbuf))
exit(1);
execute_one();
exit(0);
}
int status = 0;
uint64_t start = current_time_ms();
for (;;) {
if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
break;
sleep_ms(1);
if (current_time_ms() - start < 15000) {
continue;
}
kill_and_wait(pid, &status);
break;
}
remove_dir(cwdbuf);
}
}
uint64_t r[3] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff};
void execute_call(int call)
{
intptr_t res = 0;
switch (call) {
case 0:
res = syscall(SYS_kqueue);
if (res != -1)
r[0] = res;
break;
case 1:
res = syscall(SYS_dup2, -1, (intptr_t)r[0]);
if (res != -1)
r[1] = res;
break;
case 2:
syscall(SYS_freebsd11_fstat, (intptr_t)r[1], 0x10000000);
break;
case 3:
res = syscall(SYS_socket, 2, 2, 0);
if (res != -1)
r[2] = res;
break;
case 4:
syscall(SYS_flock, (intptr_t)r[2], 8);
break;
case 5:
memcpy((void*)0x10000080, "/$\\\273}/%\000", 8);
syscall(SYS_extattr_delete_fd, (intptr_t)r[2], 1, 0x10000080);
break;
case 6:
syscall(SYS_freebsd12_closefrom, (intptr_t)r[2]);
break;
case 7:
*(uint32_t*)0x10000100 = 0xc;
syscall(SYS_getsockopt, (intptr_t)r[2], 0, 0x46, 0x100000c0, 0x10000100);
break;
case 8:
memcpy((void*)0x10000240, "\xa1\x74\x0e\xa9\xd3\xdd\xe8\xc7\xf9\x00\x97\x3c\x9f\x7b\x4d\x36\xd5\x94\x65\xae\xef\xb6\xc3\x1e\x1a\x1a\x93\xc6\x66\xba\x8b\x20\xa5\x5e\x6a\xff\x30\xd0\x6e\xf3\xb2\xe7\xd1\xe2\xf3\x0d\x84\xaf\x84\x13\x0c\xd2\xe2\x7c\x4f\x2e\xe2\x15\x45\x17\xf2\x89\xb2\x62\xe0\x70\xda\xab\xfe\x22\x54\x47\xb9\xf8\xc4\xac\xb6\x9f\x59\x33\x6d\x09\x6a\xde\x1d\x70\xf6\xd6\x90\x98\xc4\x51\x49\x3a\x1f\xa4\x10\x90\xf5\x3b\xaf\x2d\x0c\x5f\x7a\x10\xc8\x3d\x29\x39\x8d\x9d\xbe\x52\x73\x04\xa4\x2d\xb0\x5b\x7a\x32\x26\xd4\x32\xd3\x4a\xe0\xa0\x91\xb5\x8e\x26\x26\x12\x54\xc9\x70\xd8\x0d\xc9\x6f\x04\x94\x3b\x86\x4c\x87\x48\x84\x35\x67\xba\xb2\xba\x79\xdb\x4f\x58\x8d\x20\x3e\x01\x61\x49\xe2\x1e\x41\x3f\x3f\x41\x69\x01\x08\x3f\x92\x86\xaa\xa7\x27\xa4\x9d\x72\xc7\x69\x82\x9e\x80\x24\x35\x4f\xc3\x24\xa9\x90\x67\xa7\xb7\xda\x16\xf7\x64\x4d\x96\xdc\x3c\x57\xc1\x0e\x1a\x75\x1a\x99\xac\xfa\xf1\x45\x08\xc6\xdc\xc5\x4e\xf4\x3f\x74\x36\x3f\x4f\x6f\x41\x7c\x33\xdd\x27\x49\xf6\xf1\x0d\x3c\x70\x4a\x58\x76\xa1\x35\xf2\x27\xcc\xa9\x0a\xf8\x5e\xf1\x82\x25\x6e\xd2\x21\xc3\x8e\x0c\x50\x67\x7a\x80\x2d\x60\x02\xf5\x0e\x48\x11\x67\xec\xcb\x17\x58\xb7\x7b\xdd\xe2\xa3\xd2\x46\x5f\x14\x7a\xb9\x79\x87\x5c\xb1\x25\xb0\x67\xcd\x37\x04\x3d\x05\x13\xbc\xbd\xc5\xe7\x9b\x20\x8f\x7c\x2d\x63\x83\xe2\x28\x4a\x58\xa5\xdb\x5e\x95\x5c\x71\xfe\x9c\xb3\xd1\x22\xc0\xc7\xe7\xc4\x73\x53\xf2\x9b\x8e\x49\x06\x5f\x97\x3f\xdb\x9d\xae\x89\x9a\xcd\x12\xe5\x9a\x4f\xff\x41\xfe\x39\x78\x41\x5a\x5a\x6d\x5a\x55\xf5\x90\x11\x11\x95\xba\x73\xcf\xb3\x32\xf8\x0e\xcf\x85\xc3\xff\x95\x71\x83\xce\xcd\x2b\xf0\x69\x90\x4d\xc8\xda\xf3\x5f\x54\xe8\x84\x7f\xec\x3e\x0f\x92\x8b\x06\xa5\x35\x5b\x3c\x19\x89\x28\x3d\xde\xa2\xe7\x7b\xfc\x50\xaf\x63\x65\xdc\x50\x5a\x65\x38\xd4\xec\x5c\xff\x65\x09\x0f\xf0\x9b\x12\xf8\x00\xeb\xce\x60\x2a\xb6\x35\x60\x7a\x88\xba\x3e\xeb\x91\x6c\xe6\x03\x1f\xc2\x6c\x0f\xa7\x27\x22\x00\xa9\x98\x0d\x70\x77\x96\xb6\xc9\x17\xa7\x92\x06\xd2\xc4\xc0\x9e\xa4\x18\xfc\xa9\xdb\x36\xf6\xac\x0d\xaf\x59\x02\x35\x2c\x7d\xe0\x3a\xf4\x2c\x3d\x1f\xf5\x07\x94\x55\xac\xe7\xb7\x12\x0a\x00\x4d\xb7\x13\x83\x00\xac\xf9\x7e\x39\xfe\x51\xcc\xb6\xce\x64\x38\x65\x00\xa2\xf9\x5b\x61\x7f\xbc\x35\x2a\x25\xf1\x20\xb4\xa7\xc7\xcf\x1d\x28\xea\x6c\x4b\x1b\x37\x15\x53\xe9\x22\x30\x51\xef\x97\x8d\x87\x9d\xf7\x4e\x59\x75\x12\x1f\xc8\x00\x60\xb8\x23\x92\xbd\x62\x62\x93\x98\x0c\xdc\xc5\x01\xd5\x42\x38\x45\x73\xa8\x3f\x3a\x1a\x06\xae\xe5\x3a\x60\xa2\x92\xaa\x1a\xb1\x14\x7c\xba\xb6\xef\x8d\x6a\xf2\x17\x3d\x02\x58\xb0\x32\x75\x28\xa3\x96\xaf\x20\xd6\x6c\x8d\x33\xd0\x24\x93\xa7\xad\x29\x2f\x04\x78\x75\x88\xee\x1b\x5c\x4a\x9c\x31\x3b\x18\xde\xcf\xe3\x03\x66\x01\x81\x6c\x95\xe1\x88\x7f\x07\x7d\x52\x3f\xfd\x3b\x73\xc9\x17\x08\xd6\x74\x99\xff\x77\x08\x9e\xa0\xf0\x03\x65\xb2\xa3\x58\xaf\x83\xd3\x81\xec\xea\x94\x42\x41\xaf\x6a\x59\x19\x41\x83\x4c\x46\x30\xf6\xd0\x99\x3d\xa6\x3a\x85\xae\x20\x81\x90\x4e\xa8\x2e\xf8\x2e\xda\x3a\x7e\x73\x89\xb3\x15\x58\xfc\x3e\x05\x70\x8a\x30\xcf\x1d\xe7\x42\xce\xfc\x54\xd4\xf3\x79\xae\x01\x2c\x24\xdd\xef\x2a\xfb\x5c\x77\xab\xd1\x8a\x0d\xa9\xac\x38\x30\x28\xbd\x3e\x31\x43\x16\x13\xb5\xf0\xa5\x58\x30\x93\x82\x4c\x7b\x20\x56\x51\x77\x73\xed\x26\xf6\x53\x74\x01\x56\xf7\xa5\x0a\xaa\x53\x21\x23\xd6\x70\x18\x35\x39\x6c\xe5\x5d\x9b\x50\x66\x1e\x05\xf1\xe6\x64\xed\x04\x3c\xe9\x85\x02\x3e\xa4\x0b\x74\xe9\xf9\x86\xc1\x36\xd0\xc2\x4e\xda\x68\x38\x18\xcb\x5d\xdc\x7c\xdd\x6c\x85\x99\xc4\x81\x60\x44\x34\x3d\xe0\x6d\x88\xaf\x6f\x9e\x03\xe3\x65\x53\x66\x36\xc7\x6a\x05\xef\x7d\xa1\x9d\x2b\x9d\x2b\x1c\xb8\x5b\x23\x31\x9e\xfa\x81\x2c\x95\xa9\x1a\xb8\xe4\x9b\xb3\x03\x7f\x29\xce\x6f\x08\xea\xf0\x05\x85\x3a\x82\x67\x36\x81\x08\xec\x4a\xac\xf0\x59\xd2\xda\x96\xd1\xaf\x79\xc5\xf3\x2f\x19\x08\x61\x18\xd6\x39\x6d\x4b\x11\x67\xea\xe4\xaa\xb7\xed\x87\x64\xdd\x9d\xd9\xc4\x3d\x9a\xee\x44\xec\xd8\xd0\xbe\x38\x0d\x53\x6a\xa3\x2d\xe9\xf6\x62\xfd\xf2\x7f\xf6\x5e\x0c\x6d\x4f\xff\xcf\x2f\x91\x40\xf1\x68\x93\x92\x83\xdd\xa7\xb4\x8b\x4c\xc6\x29\x4f\xb7\xd0\x3f\x21\xef\x35\xc3\x46\xb6\xfd\x7e\xf2\xda\xd0\xf0\xf6\x57\x81\x40\x49\x66\xcf\x52\x38\x65\x24\x2e\x71\xcf\xc7\x4d\xe8\x93\xe3\x85\x04\xb4\xa7\x62\x80\x19\x09\xb3\x23\x9a\x55\x4e\xb9\x06\x0a\xf9\x5c", 1024);
memcpy((void*)0x10000640, "\x0d\x99\x96\x7c\xeb\xff\x11\xef\x0b\x61\x40\x84\x1d\x5e\x74\x21\x41\x20\xd7\x9d\xa4\x5b\x56\xcd\xfc\xbc\x94\xe2\x37\x76\x91\x57", 32);
*(uint32_t*)0x10000660 = -1;
*(uint8_t*)0x10000664 = 4;
*(uint32_t*)0x10000668 = 0x10000140;
memcpy((void*)0x10000140, "\xb4\xbc\xbb\xfe\x0b\x7f\x0b\x0e\xae\x45\xa1\xe2\xbd\x08\x1e\xc5\x2f\x7c\x6e\x44\x80\x1b\x51\x0f\x94\xb5\xf8\x06\x52\x09\xb9\xfc\x61\x8c\x2d\x19\x2d\x48\xfc\x46\x47\xe0\xbb\x40\xc2\xf3\x9e\xb0\xdc\xe4\x8c\x65\x88\x93\x21\xd3\x53\xb6\x07\x9e\xce\x97\x86\x7d\x37\x18\x59\x5b\xc4\xec\xa1\xe1\x3d\x71\xe9\xd5\x0c\x86\x1f\x4f\x9b\x60\xe4\xc2\xf1\x0d\x20\x57\x74\xd2\x10\xef\xd3\x79\x56\x46\xc0\xbe\x0f\x22\xd3\x3a\x4f\xf5\x42\x36\x28\x55\xc3\xb1\x15\x3e\xde\xd8\x0e\xb0\x84\x56\xda\x92\x24\xe5\xd2\xf3\x35\x49\x18\xfd\x7c\x56\xe7\xb4\xa0\x59\x68\x92\x86\xad\xc6\x78\x45\x81\xe0\x2f\x42\xa6\x95\x72\x1a\x22\x8c\x0d\x2d\x44\xbc\x8d\x03\xff\xb6\xd4\x98\x16\xbd\xc1\x87\x55\x1d\x3c\x79\x67\x23\x74\xeb\xe8\x0b\x58\xff\xbe\x18\xc6\xad\xb8\x7f\xea\x88\xbc\x58\x6f\xfe\xd5\xd4\x7f\x47\xa2\x43\x1c\x50\x6e\xfb\xa2\x0b\xcf\x3e\x55\x87\x33\xd3\x89\x6a\x67\x4a\xbb\x2f\x9d\xdc\x35\x10\x84\xe9\x90\xfa", 221);
*(uint64_t*)0x1000066c = 0xfffffffffffffff9;
*(uint64_t*)0x10000674 = 3;
*(uint64_t*)0x1000067c = 6;
*(uint64_t*)0x10000684 = 4;
*(uint64_t*)0x1000068c = 0x1679;
*(uint64_t*)0x10000694 = 4;
*(uint64_t*)0x1000069c = 9;
*(uint32_t*)0x100006a4 = 6;
syscall(SYS_ioctl, (intptr_t)r[1], 0xc4504447, 0x10000240);
break;
case 9:
*(uint32_t*)0x10000700 = 5;
syscall(SYS_setsockopt, -1, 0x84, 0x18, 0x10000700, 4);
break;
case 10:
*(uint8_t*)0x10000000 = 0;
*(uint8_t*)0x10000001 = 0;
*(uint8_t*)0x10000002 = 0;
*(uint8_t*)0x10000003 = 0;
*(uint8_t*)0x10000004 = 0;
*(uint8_t*)0x10000005 = 0;
*(uint8_t*)0x10000006 = -1;
*(uint8_t*)0x10000007 = -1;
*(uint8_t*)0x10000008 = -1;
*(uint8_t*)0x10000009 = -1;
*(uint8_t*)0x1000000a = -1;
*(uint8_t*)0x1000000b = -1;
*(uint16_t*)0x1000000c = htobe16(0x88a8);
STORE_BY_BITMASK(uint16_t, , 0x1000000e, 7, 0, 3);
STORE_BY_BITMASK(uint16_t, , 0x1000000e, 1, 3, 1);
STORE_BY_BITMASK(uint16_t, , 0x1000000e, 0, 4, 12);
*(uint16_t*)0x10000010 = htobe16(0x8100);
STORE_BY_BITMASK(uint16_t, , 0x10000012, 2, 0, 3);
STORE_BY_BITMASK(uint16_t, , 0x10000012, 0, 3, 1);
STORE_BY_BITMASK(uint16_t, , 0x10000012, 4, 4, 12);
*(uint16_t*)0x10000014 = htobe16(0x806);
*(uint16_t*)0x10000016 = htobe16(1);
*(uint16_t*)0x10000018 = htobe16(0x800);
*(uint8_t*)0x1000001a = 6;
*(uint8_t*)0x1000001b = 4;
*(uint16_t*)0x1000001c = htobe16(4);
*(uint8_t*)0x1000001e = 0xaa;
*(uint8_t*)0x1000001f = 0xaa;
*(uint8_t*)0x10000020 = 0xaa;
*(uint8_t*)0x10000021 = 0xaa;
*(uint8_t*)0x10000022 = 0xaa;
*(uint8_t*)0x10000023 = 0xaa;
*(uint32_t*)0x10000024 = htobe32(0xe0000001);
*(uint8_t*)0x10000028 = 0xaa;
*(uint8_t*)0x10000029 = 0xaa;
*(uint8_t*)0x1000002a = 0xaa;
*(uint8_t*)0x1000002b = 0xaa;
*(uint8_t*)0x1000002c = 0xaa;
*(uint8_t*)0x1000002d = 0xbb;
*(uint32_t*)0x1000002e = htobe32(0x81);
break;
case 11:
memcpy((void*)0x10000040, "\xc4\xe1\x35\xd1\x31\x28\xcb\x67\x67\xf3\xa5\x3e\xf2\x2e\x82\x8f\x00\x00\x00\x00\x00\xc4\xc2\xd5\x90\x84\xc8\x1e\x91\x00\x00\x0f\x0e\x0f\xa2\xc4\xe1\x6c\x5d\xc9\x64\x66\x16\xc4\xc2\x7d\x78\x84\xad\x56\xc2\xd5\x56", 53);
syz_execute_func(0x10000040);
break;
case 12:
break;
}
}
int main(void)
{
syscall(SYS_mmap, 0x10000000, 0x1000000, 7, 0x1012, -1, 0);
use_temporary_dir();
do_sandbox_none();
return 0;
}
<stdin>:332:11: error: use of undeclared identifier 'SYS_freebsd12_closefrom'
syscall(SYS_freebsd12_closefrom, (intptr_t)r[2]);
^
1 error generated.
compiler invocation: clang [-o /tmp/syz-executor589094227 -DGOOS_freebsd=1 -DGOARCH_386=1 -DHOSTGOOS_freebsd=1 -x c - -m32 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -static -lc++ -Wno-overflow]
--- FAIL: TestGenerate/freebsd/386/5 (0.80s)
csource_test.go:108: opts: {Threaded:true Collide:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none Fault:false FaultCall:0 FaultNth:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false USB:false VhciInjection:false Wifi:false Sysctl:false UseTmpDir:true HandleSegv:false Repro:false Trace:false}
program:
r0 = kqueue()
r1 = dup2(0xffffffffffffffff, r0)
freebsd11_fstat(r1, &(0x7f0000000000))
r2 = socket$inet_udp(0x2, 0x2, 0x0)
flock(r2, 0x8)
extattr_delete_fd(r2, 0x1, &(0x7f0000000080)='/$\\\xbb}/%\x00')
freebsd12_closefrom(r2)
getsockopt$inet_mreqsrc(r2, 0x0, 0x46, &(0x7f00000000c0)={@empty, @local, @multicast1}, &(0x7f0000000100)=0xc)
ioctl$DIOCRGETASTATS(r1, 0xc4504447, &(0x7f0000000240)={{"a1740ea9d3dde8c7f900973c9f7b4d36d59465aeefb6c31e1a1a93c666ba8b20a55e6aff30d06ef3b2e7d1e2f30d84af84130cd2e27c4f2ee2154517f289b262e070daabfe225447b9f8c4acb69f59336d096ade1d70f6d69098c451493a1fa41090f53baf2d0c5f7a10c83d29398d9dbe527304a42db05b7a3226d432d34ae0a091b58e26261254c970d80dc96f04943b864c8748843567bab2ba79db4f588d203e016149e21e413f3f416901083f9286aaa727a49d72c769829e8024354fc324a99067a7b7da16f7644d96dc3c57c10e1a751a99acfaf14508c6dcc54ef43f74363f4f6f417c33dd2749f6f10d3c704a5876a135f227cca90af85ef182256ed221c38e0c50677a802d6002f50e481167eccb1758b77bdde2a3d2465f147ab979875cb125b067cd37043d0513bcbdc5e79b208f7c2d6383e2284a58a5db5e955c71fe9cb3d122c0c7e7c47353f29b8e49065f973fdb9dae899acd12e59a4fff41fe3978415a5a6d5a55f590111195ba73cfb332f80ecf85c3ff957183cecd2bf069904dc8daf35f54e8847fec3e0f928b06a5355b3c1989283ddea2e77bfc50af6365dc505a6538d4ec5cff65090ff09b12f800ebce602ab635607a88ba3eeb916ce6031fc26c0fa7272200a9980d707796b6c917a79206d2c4c09ea418fca9db36f6ac0daf5902352c7de03af42c3d1ff5079455ace7b7120a004db7138300acf97e39fe51ccb6ce64386500a2f95b617fbc352a25f120b4a7c7cf1d28ea6c4b1b371553e9223051ef978d879df74e5975121fc80060b82392bd626293980cdcc501d542384573a83f3a1a06aee53a60a292aa1ab1147cbab6ef8d6af2173d0258b0327528a396af20d66c8d33d02493a7ad292f04787588ee1b5c4a9c313b18decfe3036601816c95e1887f077d523ffd3b73c91708d67499ff77089ea0f00365b2a358af83d381ecea944241af6a591941834c4630f6d0993da63a85ae2081904ea82ef82eda3a7e7389b31558fc3e05708a30cf1de742cefc54d4f379ae012c24ddef2afb5c77abd18a0da9ac383028bd3e31431613b5f0a5583093824c7b2056517773ed26f653740156f7a50aaa532123d6701835396ce55d9b50661e05f1e664ed043ce985023ea40b74e9f986c136d0c24eda683818cb5ddc7cdd6c8599c4816044343de06d88af6f9e03e365536636c76a05ef7da19d2b9d2b1cb85b23319efa812c95a91ab8e49bb3037f29ce6f08eaf005853a8267368108ec4aacf059d2da96d1af79c5f32f19086118d6396d4b1167eae4aab7ed8764dd9dd9c43d9aee44ecd8d0be380d536aa32de9f662fdf27ff65e0c6d4fffcf2f9140f168939283dda7b48b4cc6294fb7d03f21ef35c346b6fd7ef2dad0f0f65781404966cf523865242e71cfc74de893e38504b4a762801909b3239a554eb9060af95c", "0d99967cebff11ef0b6140841d5e74214120d79da45b56cdfcbc94e237769157", 0xffffffff, 0x4}, &(0x7f0000000140)="b4bcbbfe0b7f0b0eae45a1e2bd081ec52f7c6e44801b510f94b5f8065209b9fc618c2d192d48fc4647e0bb40c2f39eb0dce48c65889321d353b6079ece97867d3718595bc4eca1e13d71e9d50c861f4f9b60e4c2f10d205774d210efd3795646c0be0f22d33a4ff542362855c3b1153eded80eb08456da9224e5d2f3354918fd7c56e7b4a059689286adc6784581e02f42a695721a228c0d2d44bc8d03ffb6d49816bdc187551d3c79672374ebe80b58ffbe18c6adb87fea88bc586ffed5d47f47a2431c506efba20bcf3e558733d3896a674abb2f9ddc351084e990fa", 0xfffffffffffffff9, 0x3, 0x6, 0x4, 0x1679, 0x4, 0x9, 0x6})
setsockopt$inet_sctp_SCTP_AUTO_ASCONF(0xffffffffffffffff, 0x84, 0x18, &(0x7f0000000700)=0x5, 0x4)
syz_emit_ethernet(0x32, &(0x7f0000000000)={@empty, @broadcast, [{[{0x88a8, 0x7, 0x1}], {0x8100, 0x2, 0x0, 0x4}}], {@arp={0x806, @ether_ipv4={0x1, 0x800, 0x6, 0x4, 0x4, @local, @multicast1, @remote, @rand_addr=0x81}}}})
syz_execute_func(&(0x7f0000000040)="c4e135d13128cb6767f3a53ef22e828f0000000000c4c2d59084c81e9100000f0e0fa2c4e16c5dc9646616c4c27d7884ad56c2d556")
syz_extract_tcp_res(&(0x7f0000000080), 0x40, 0x7)
csource_test.go:109: failed to build program:
// autogenerated by syzkaller (https://github.com/google/syzkaller)
#define _GNU_SOURCE
#include <sys/types.h>
#include <dirent.h>
#include <errno.h>
#include <pthread.h>
#include <pwd.h>
#include <signal.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/endian.h>
#include <sys/resource.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>
static void kill_and_wait(int pid, int* status)
{
kill(pid, SIGKILL);
while (waitpid(-1, status, 0) != pid) {
}
}
static void sleep_ms(uint64_t ms)
{
usleep(ms * 1000);
}
static uint64_t current_time_ms(void)
{
struct timespec ts;
if (clock_gettime(CLOCK_MONOTONIC, &ts))
exit(1);
return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}
static void use_temporary_dir(void)
{
char tmpdir_template[] = "./syzkaller.XXXXXX";
char* tmpdir = mkdtemp(tmpdir_template);
if (!tmpdir)
exit(1);
if (chmod(tmpdir, 0777))
exit(1);
if (chdir(tmpdir))
exit(1);
}
static void __attribute__((noinline)) remove_dir(const char* dir)
{
DIR* dp = opendir(dir);
if (dp == NULL) {
if (errno == EACCES) {
if (rmdir(dir))
exit(1);
return;
}
exit(1);
}
struct dirent* ep = 0;
while ((ep = readdir(dp))) {
if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0)
continue;
char filename[FILENAME_MAX];
snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name);
struct stat st;
if (lstat(filename, &st))
exit(1);
if (S_ISDIR(st.st_mode)) {
remove_dir(filename);
continue;
}
if (unlink(filename))
exit(1);
}
closedir(dp);
if (rmdir(dir))
exit(1);
}
static void thread_start(void* (*fn)(void*), void* arg)
{
pthread_t th;
pthread_attr_t attr;
pthread_attr_init(&attr);
pthread_attr_setstacksize(&attr, 128 << 10);
int i = 0;
for (; i < 100; i++) {
if (pthread_create(&th, &attr, fn, arg) == 0) {
pthread_attr_destroy(&attr);
return;
}
if (errno == EAGAIN) {
usleep(50);
continue;
}
break;
}
exit(1);
}
typedef struct {
pthread_mutex_t mu;
pthread_cond_t cv;
int state;
} event_t;
static void event_init(event_t* ev)
{
if (pthread_mutex_init(&ev->mu, 0))
exit(1);
if (pthread_cond_init(&ev->cv, 0))
exit(1);
ev->state = 0;
}
static void event_reset(event_t* ev)
{
ev->state = 0;
}
static void event_set(event_t* ev)
{
pthread_mutex_lock(&ev->mu);
if (ev->state)
exit(1);
ev->state = 1;
pthread_mutex_unlock(&ev->mu);
pthread_cond_broadcast(&ev->cv);
}
static void event_wait(event_t* ev)
{
pthread_mutex_lock(&ev->mu);
while (!ev->state)
pthread_cond_wait(&ev->cv, &ev->mu);
pthread_mutex_unlock(&ev->mu);
}
static int event_isset(event_t* ev)
{
pthread_mutex_lock(&ev->mu);
int res = ev->state;
pthread_mutex_unlock(&ev->mu);
return res;
}
static int event_timedwait(event_t* ev, uint64_t timeout)
{
uint64_t start = current_time_ms();
uint64_t now = start;
pthread_mutex_lock(&ev->mu);
for (;;) {
if (ev->state)
break;
uint64_t remain = timeout - (now - start);
struct timespec ts;
ts.tv_sec = remain / 1000;
ts.tv_nsec = (remain % 1000) * 1000 * 1000;
pthread_cond_timedwait(&ev->cv, &ev->mu, &ts);
now = current_time_ms();
if (now - start > timeout)
break;
}
int res = ev->state;
pthread_mutex_unlock(&ev->mu);
return res;
}
#define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off))
#define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len))))
static void sandbox_common()
{
struct rlimit rlim;
rlim.rlim_cur = rlim.rlim_max = 128 << 20;
setrlimit(RLIMIT_AS, &rlim);
rlim.rlim_cur = rlim.rlim_max = 8 << 20;
setrlimit(RLIMIT_MEMLOCK, &rlim);
rlim.rlim_cur = rlim.rlim_max = 1 << 20;
setrlimit(RLIMIT_FSIZE, &rlim);
rlim.rlim_cur = rlim.rlim_max = 1 << 20;
setrlimit(RLIMIT_STACK, &rlim);
rlim.rlim_cur = rlim.rlim_max = 0;
setrlimit(RLIMIT_CORE, &rlim);
rlim.rlim_cur = rlim.rlim_max = 256;
setrlimit(RLIMIT_NOFILE, &rlim);
}
static void loop();
static int do_sandbox_none(void)
{
sandbox_common();
loop();
return 0;
}
static long syz_execute_func(volatile long text)
{
((void (*)(void))(text))();
return 0;
}
struct thread_t {
int created, call;
event_t ready, done;
};
static struct thread_t threads[16];
static void execute_call(int call);
static int running;
static void* thr(void* arg)
{
struct thread_t* th = (struct thread_t*)arg;
for (;;) {
event_wait(&th->ready);
event_reset(&th->ready);
execute_call(th->call);
__atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED);
event_set(&th->done);
}
return 0;
}
static void execute_one(void)
{
int i, call, thread;
for (call = 0; call < 13; call++) {
for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) {
struct thread_t* th = &threads[thread];
if (!th->created) {
th->created = 1;
event_init(&th->ready);
event_init(&th->done);
event_set(&th->done);
thread_start(thr, th);
}
if (!event_isset(&th->done))
continue;
event_reset(&th->done);
th->call = call;
__atomic_fetch_add(&running, 1, __ATOMIC_RELAXED);
event_set(&th->ready);
event_timedwait(&th->done, 50);
break;
}
}
for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++)
sleep_ms(1);
}
static void execute_one(void);
#define WAIT_FLAGS 0
static void loop(void)
{
int iter = 0;
for (;; iter++) {
char cwdbuf[32];
sprintf(cwdbuf, "./%d", iter);
if (mkdir(cwdbuf, 0777))
exit(1);
int pid = fork();
if (pid < 0)
exit(1);
if (pid == 0) {
if (chdir(cwdbuf))
exit(1);
execute_one();
exit(0);
}
int status = 0;
uint64_t start = current_time_ms();
for (;;) {
if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
break;
sleep_ms(1);
if (current_time_ms() - start < 5000) {
continue;
}
kill_and_wait(pid, &status);
break;
}
remove_dir(cwdbuf);
}
}
uint64_t r[3] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff};
void execute_call(int call)
{
intptr_t res = 0;
switch (call) {
case 0:
res = syscall(SYS_kqueue);
if (res != -1)
r[0] = res;
break;
case 1:
res = syscall(SYS_dup2, -1, (intptr_t)r[0]);
if (res != -1)
r[1] = res;
break;
case 2:
syscall(SYS_freebsd11_fstat, (intptr_t)r[1], 0x10000000);
break;
case 3:
res = syscall(SYS_socket, 2, 2, 0);
if (res != -1)
r[2] = res;
break;
case 4:
syscall(SYS_flock, (intptr_t)r[2], 8);
break;
case 5:
memcpy((void*)0x10000080, "/$\\\273}/%\000", 8);
syscall(SYS_extattr_delete_fd, (intptr_t)r[2], 1, 0x10000080);
break;
case 6:
syscall(SYS_freebsd12_closefrom, (intptr_t)r[2]);
break;
case 7:
*(uint32_t*)0x10000100 = 0xc;
syscall(SYS_getsockopt, (intptr_t)r[2], 0, 0x46, 0x100000c0, 0x10000100);
break;
case 8:
memcpy((void*)0x10000240, "\xa1\x74\x0e\xa9\xd3\xdd\xe8\xc7\xf9\x00\x97\x3c\x9f\x7b\x4d\x36\xd5\x94\x65\xae\xef\xb6\xc3\x1e\x1a\x1a\x93\xc6\x66\xba\x8b\x20\xa5\x5e\x6a\xff\x30\xd0\x6e\xf3\xb2\xe7\xd1\xe2\xf3\x0d\x84\xaf\x84\x13\x0c\xd2\xe2\x7c\x4f\x2e\xe2\x15\x45\x17\xf2\x89\xb2\x62\xe0\x70\xda\xab\xfe\x22\x54\x47\xb9\xf8\xc4\xac\xb6\x9f\x59\x33\x6d\x09\x6a\xde\x1d\x70\xf6\xd6\x90\x98\xc4\x51\x49\x3a\x1f\xa4\x10\x90\xf5\x3b\xaf\x2d\x0c\x5f\x7a\x10\xc8\x3d\x29\x39\x8d\x9d\xbe\x52\x73\x04\xa4\x2d\xb0\x5b\x7a\x32\x26\xd4\x32\xd3\x4a\xe0\xa0\x91\xb5\x8e\x26\x26\x12\x54\xc9\x70\xd8\x0d\xc9\x6f\x04\x94\x3b\x86\x4c\x87\x48\x84\x35\x67\xba\xb2\xba\x79\xdb\x4f\x58\x8d\x20\x3e\x01\x61\x49\xe2\x1e\x41\x3f\x3f\x41\x69\x01\x08\x3f\x92\x86\xaa\xa7\x27\xa4\x9d\x72\xc7\x69\x82\x9e\x80\x24\x35\x4f\xc3\x24\xa9\x90\x67\xa7\xb7\xda\x16\xf7\x64\x4d\x96\xdc\x3c\x57\xc1\x0e\x1a\x75\x1a\x99\xac\xfa\xf1\x45\x08\xc6\xdc\xc5\x4e\xf4\x3f\x74\x36\x3f\x4f\x6f\x41\x7c\x33\xdd\x27\x49\xf6\xf1\x0d\x3c\x70\x4a\x58\x76\xa1\x35\xf2\x27\xcc\xa9\x0a\xf8\x5e\xf1\x82\x25\x6e\xd2\x21\xc3\x8e\x0c\x50\x67\x7a\x80\x2d\x60\x02\xf5\x0e\x48\x11\x67\xec\xcb\x17\x58\xb7\x7b\xdd\xe2\xa3\xd2\x46\x5f\x14\x7a\xb9\x79\x87\x5c\xb1\x25\xb0\x67\xcd\x37\x04\x3d\x05\x13\xbc\xbd\xc5\xe7\x9b\x20\x8f\x7c\x2d\x63\x83\xe2\x28\x4a\x58\xa5\xdb\x5e\x95\x5c\x71\xfe\x9c\xb3\xd1\x22\xc0\xc7\xe7\xc4\x73\x53\xf2\x9b\x8e\x49\x06\x5f\x97\x3f\xdb\x9d\xae\x89\x9a\xcd\x12\xe5\x9a\x4f\xff\x41\xfe\x39\x78\x41\x5a\x5a\x6d\x5a\x55\xf5\x90\x11\x11\x95\xba\x73\xcf\xb3\x32\xf8\x0e\xcf\x85\xc3\xff\x95\x71\x83\xce\xcd\x2b\xf0\x69\x90\x4d\xc8\xda\xf3\x5f\x54\xe8\x84\x7f\xec\x3e\x0f\x92\x8b\x06\xa5\x35\x5b\x3c\x19\x89\x28\x3d\xde\xa2\xe7\x7b\xfc\x50\xaf\x63\x65\xdc\x50\x5a\x65\x38\xd4\xec\x5c\xff\x65\x09\x0f\xf0\x9b\x12\xf8\x00\xeb\xce\x60\x2a\xb6\x35\x60\x7a\x88\xba\x3e\xeb\x91\x6c\xe6\x03\x1f\xc2\x6c\x0f\xa7\x27\x22\x00\xa9\x98\x0d\x70\x77\x96\xb6\xc9\x17\xa7\x92\x06\xd2\xc4\xc0\x9e\xa4\x18\xfc\xa9\xdb\x36\xf6\xac\x0d\xaf\x59\x02\x35\x2c\x7d\xe0\x3a\xf4\x2c\x3d\x1f\xf5\x07\x94\x55\xac\xe7\xb7\x12\x0a\x00\x4d\xb7\x13\x83\x00\xac\xf9\x7e\x39\xfe\x51\xcc\xb6\xce\x64\x38\x65\x00\xa2\xf9\x5b\x61\x7f\xbc\x35\x2a\x25\xf1\x20\xb4\xa7\xc7\xcf\x1d\x28\xea\x6c\x4b\x1b\x37\x15\x53\xe9\x22\x30\x51\xef\x97\x8d\x87\x9d\xf7\x4e\x59\x75\x12\x1f\xc8\x00\x60\xb8\x23\x92\xbd\x62\x62\x93\x98\x0c\xdc\xc5\x01\xd5\x42\x38\x45\x73\xa8\x3f\x3a\x1a\x06\xae\xe5\x3a\x60\xa2\x92\xaa\x1a\xb1\x14\x7c\xba\xb6\xef\x8d\x6a\xf2\x17\x3d\x02\x58\xb0\x32\x75\x28\xa3\x96\xaf\x20\xd6\x6c\x8d\x33\xd0\x24\x93\xa7\xad\x29\x2f\x04\x78\x75\x88\xee\x1b\x5c\x4a\x9c\x31\x3b\x18\xde\xcf\xe3\x03\x66\x01\x81\x6c\x95\xe1\x88\x7f\x07\x7d\x52\x3f\xfd\x3b\x73\xc9\x17\x08\xd6\x74\x99\xff\x77\x08\x9e\xa0\xf0\x03\x65\xb2\xa3\x58\xaf\x83\xd3\x81\xec\xea\x94\x42\x41\xaf\x6a\x59\x19\x41\x83\x4c\x46\x30\xf6\xd0\x99\x3d\xa6\x3a\x85\xae\x20\x81\x90\x4e\xa8\x2e\xf8\x2e\xda\x3a\x7e\x73\x89\xb3\x15\x58\xfc\x3e\x05\x70\x8a\x30\xcf\x1d\xe7\x42\xce\xfc\x54\xd4\xf3\x79\xae\x01\x2c\x24\xdd\xef\x2a\xfb\x5c\x77\xab\xd1\x8a\x0d\xa9\xac\x38\x30\x28\xbd\x3e\x31\x43\x16\x13\xb5\xf0\xa5\x58\x30\x93\x82\x4c\x7b\x20\x56\x51\x77\x73\xed\x26\xf6\x53\x74\x01\x56\xf7\xa5\x0a\xaa\x53\x21\x23\xd6\x70\x18\x35\x39\x6c\xe5\x5d\x9b\x50\x66\x1e\x05\xf1\xe6\x64\xed\x04\x3c\xe9\x85\x02\x3e\xa4\x0b\x74\xe9\xf9\x86\xc1\x36\xd0\xc2\x4e\xda\x68\x38\x18\xcb\x5d\xdc\x7c\xdd\x6c\x85\x99\xc4\x81\x60\x44\x34\x3d\xe0\x6d\x88\xaf\x6f\x9e\x03\xe3\x65\x53\x66\x36\xc7\x6a\x05\xef\x7d\xa1\x9d\x2b\x9d\x2b\x1c\xb8\x5b\x23\x31\x9e\xfa\x81\x2c\x95\xa9\x1a\xb8\xe4\x9b\xb3\x03\x7f\x29\xce\x6f\x08\xea\xf0\x05\x85\x3a\x82\x67\x36\x81\x08\xec\x4a\xac\xf0\x59\xd2\xda\x96\xd1\xaf\x79\xc5\xf3\x2f\x19\x08\x61\x18\xd6\x39\x6d\x4b\x11\x67\xea\xe4\xaa\xb7\xed\x87\x64\xdd\x9d\xd9\xc4\x3d\x9a\xee\x44\xec\xd8\xd0\xbe\x38\x0d\x53\x6a\xa3\x2d\xe9\xf6\x62\xfd\xf2\x7f\xf6\x5e\x0c\x6d\x4f\xff\xcf\x2f\x91\x40\xf1\x68\x93\x92\x83\xdd\xa7\xb4\x8b\x4c\xc6\x29\x4f\xb7\xd0\x3f\x21\xef\x35\xc3\x46\xb6\xfd\x7e\xf2\xda\xd0\xf0\xf6\x57\x81\x40\x49\x66\xcf\x52\x38\x65\x24\x2e\x71\xcf\xc7\x4d\xe8\x93\xe3\x85\x04\xb4\xa7\x62\x80\x19\x09\xb3\x23\x9a\x55\x4e\xb9\x06\x0a\xf9\x5c", 1024);
memcpy((void*)0x10000640, "\x0d\x99\x96\x7c\xeb\xff\x11\xef\x0b\x61\x40\x84\x1d\x5e\x74\x21\x41\x20\xd7\x9d\xa4\x5b\x56\xcd\xfc\xbc\x94\xe2\x37\x76\x91\x57", 32);
*(uint32_t*)0x10000660 = -1;
*(uint8_t*)0x10000664 = 4;
*(uint32_t*)0x10000668 = 0x10000140;
memcpy((void*)0x10000140, "\xb4\xbc\xbb\xfe\x0b\x7f\x0b\x0e\xae\x45\xa1\xe2\xbd\x08\x1e\xc5\x2f\x7c\x6e\x44\x80\x1b\x51\x0f\x94\xb5\xf8\x06\x52\x09\xb9\xfc\x61\x8c\x2d\x19\x2d\x48\xfc\x46\x47\xe0\xbb\x40\xc2\xf3\x9e\xb0\xdc\xe4\x8c\x65\x88\x93\x21\xd3\x53\xb6\x07\x9e\xce\x97\x86\x7d\x37\x18\x59\x5b\xc4\xec\xa1\xe1\x3d\x71\xe9\xd5\x0c\x86\x1f\x4f\x9b\x60\xe4\xc2\xf1\x0d\x20\x57\x74\xd2\x10\xef\xd3\x79\x56\x46\xc0\xbe\x0f\x22\xd3\x3a\x4f\xf5\x42\x36\x28\x55\xc3\xb1\x15\x3e\xde\xd8\x0e\xb0\x84\x56\xda\x92\x24\xe5\xd2\xf3\x35\x49\x18\xfd\x7c\x56\xe7\xb4\xa0\x59\x68\x92\x86\xad\xc6\x78\x45\x81\xe0\x2f\x42\xa6\x95\x72\x1a\x22\x8c\x0d\x2d\x44\xbc\x8d\x03\xff\xb6\xd4\x98\x16\xbd\xc1\x87\x55\x1d\x3c\x79\x67\x23\x74\xeb\xe8\x0b\x58\xff\xbe\x18\xc6\xad\xb8\x7f\xea\x88\xbc\x58\x6f\xfe\xd5\xd4\x7f\x47\xa2\x43\x1c\x50\x6e\xfb\xa2\x0b\xcf\x3e\x55\x87\x33\xd3\x89\x6a\x67\x4a\xbb\x2f\x9d\xdc\x35\x10\x84\xe9\x90\xfa", 221);
*(uint64_t*)0x1000066c = 0xfffffffffffffff9;
*(uint64_t*)0x10000674 = 3;
*(uint64_t*)0x1000067c = 6;
*(uint64_t*)0x10000684 = 4;
*(uint64_t*)0x1000068c = 0x1679;
*(uint64_t*)0x10000694 = 4;
*(uint64_t*)0x1000069c = 9;
*(uint32_t*)0x100006a4 = 6;
syscall(SYS_ioctl, (intptr_t)r[1], 0xc4504447, 0x10000240);
break;
case 9:
*(uint32_t*)0x10000700 = 5;
syscall(SYS_setsockopt, -1, 0x84, 0x18, 0x10000700, 4);
break;
case 10:
*(uint8_t*)0x10000000 = 0;
*(uint8_t*)0x10000001 = 0;
*(uint8_t*)0x10000002 = 0;
*(uint8_t*)0x10000003 = 0;
*(uint8_t*)0x10000004 = 0;
*(uint8_t*)0x10000005 = 0;
*(uint8_t*)0x10000006 = -1;
*(uint8_t*)0x10000007 = -1;
*(uint8_t*)0x10000008 = -1;
*(uint8_t*)0x10000009 = -1;
*(uint8_t*)0x1000000a = -1;
*(uint8_t*)0x1000000b = -1;
*(uint16_t*)0x1000000c = htobe16(0x88a8);
STORE_BY_BITMASK(uint16_t, , 0x1000000e, 7, 0, 3);
STORE_BY_BITMASK(uint16_t, , 0x1000000e, 1, 3, 1);
STORE_BY_BITMASK(uint16_t, , 0x1000000e, 0, 4, 12);
*(uint16_t*)0x10000010 = htobe16(0x8100);
STORE_BY_BITMASK(uint16_t, , 0x10000012, 2, 0, 3);
STORE_BY_BITMASK(uint16_t, , 0x10000012, 0, 3, 1);
STORE_BY_BITMASK(uint16_t, , 0x10000012, 4, 4, 12);
*(uint16_t*)0x10000014 = htobe16(0x806);
*(uint16_t*)0x10000016 = htobe16(1);
*(uint16_t*)0x10000018 = htobe16(0x800);
*(uint8_t*)0x1000001a = 6;
*(uint8_t*)0x1000001b = 4;
*(uint16_t*)0x1000001c = htobe16(4);
*(uint8_t*)0x1000001e = 0xaa;
*(uint8_t*)0x1000001f = 0xaa;
*(uint8_t*)0x10000020 = 0xaa;
*(uint8_t*)0x10000021 = 0xaa;
*(uint8_t*)0x10000022 = 0xaa;
*(uint8_t*)0x10000023 = 0xaa;
*(uint32_t*)0x10000024 = htobe32(0xe0000001);
*(uint8_t*)0x10000028 = 0xaa;
*(uint8_t*)0x10000029 = 0xaa;
*(uint8_t*)0x1000002a = 0xaa;
*(uint8_t*)0x1000002b = 0xaa;
*(uint8_t*)0x1000002c = 0xaa;
*(uint8_t*)0x1000002d = 0xbb;
*(uint32_t*)0x1000002e = htobe32(0x81);
break;
case 11:
memcpy((void*)0x10000040, "\xc4\xe1\x35\xd1\x31\x28\xcb\x67\x67\xf3\xa5\x3e\xf2\x2e\x82\x8f\x00\x00\x00\x00\x00\xc4\xc2\xd5\x90\x84\xc8\x1e\x91\x00\x00\x0f\x0e\x0f\xa2\xc4\xe1\x6c\x5d\xc9\x64\x66\x16\xc4\xc2\x7d\x78\x84\xad\x56\xc2\xd5\x56", 53);
syz_execute_func(0x10000040);
break;
case 12:
break;
}
}
int main(void)
{
syscall(SYS_mmap, 0x10000000, 0x1000000, 7, 0x1012, -1, 0);
use_temporary_dir();
do_sandbox_none();
return 0;
}
<stdin>:332:11: error: use of undeclared identifier 'SYS_freebsd12_closefrom'
syscall(SYS_freebsd12_closefrom, (intptr_t)r[2]);
^
1 error generated.
compiler invocation: clang [-o /tmp/syz-executor464520248 -DGOOS_freebsd=1 -DGOARCH_386=1 -DHOSTGOOS_freebsd=1 -x c - -m32 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -static -lc++ -Wno-overflow]
--- FAIL: TestGenerate/freebsd/386/6 (0.82s)
csource_test.go:108: opts: {Threaded:true Collide:false Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none Fault:false FaultCall:0 FaultNth:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false USB:false VhciInjection:false Wifi:false Sysctl:false UseTmpDir:true HandleSegv:false Repro:false Trace:false}
program:
r0 = kqueue()
r1 = dup2(0xffffffffffffffff, r0)
freebsd11_fstat(r1, &(0x7f0000000000))
r2 = socket$inet_udp(0x2, 0x2, 0x0)
flock(r2, 0x8)
extattr_delete_fd(r2, 0x1, &(0x7f0000000080)='/$\\\xbb}/%\x00')
freebsd12_closefrom(r2)
getsockopt$inet_mreqsrc(r2, 0x0, 0x46, &(0x7f00000000c0)={@empty, @local, @multicast1}, &(0x7f0000000100)=0xc)
ioctl$DIOCRGETASTATS(r1, 0xc4504447, &(0x7f0000000240)={{"a1740ea9d3dde8c7f900973c9f7b4d36d59465aeefb6c31e1a1a93c666ba8b20a55e6aff30d06ef3b2e7d1e2f30d84af84130cd2e27c4f2ee2154517f289b262e070daabfe225447b9f8c4acb69f59336d096ade1d70f6d69098c451493a1fa41090f53baf2d0c5f7a10c83d29398d9dbe527304a42db05b7a3226d432d34ae0a091b58e26261254c970d80dc96f04943b864c8748843567bab2ba79db4f588d203e016149e21e413f3f416901083f9286aaa727a49d72c769829e8024354fc324a99067a7b7da16f7644d96dc3c57c10e1a751a99acfaf14508c6dcc54ef43f74363f4f6f417c33dd2749f6f10d3c704a5876a135f227cca90af85ef182256ed221c38e0c50677a802d6002f50e481167eccb1758b77bdde2a3d2465f147ab979875cb125b067cd37043d0513bcbdc5e79b208f7c2d6383e2284a58a5db5e955c71fe9cb3d122c0c7e7c47353f29b8e49065f973fdb9dae899acd12e59a4fff41fe3978415a5a6d5a55f590111195ba73cfb332f80ecf85c3ff957183cecd2bf069904dc8daf35f54e8847fec3e0f928b06a5355b3c1989283ddea2e77bfc50af6365dc505a6538d4ec5cff65090ff09b12f800ebce602ab635607a88ba3eeb916ce6031fc26c0fa7272200a9980d707796b6c917a79206d2c4c09ea418fca9db36f6ac0daf5902352c7de03af42c3d1ff5079455ace7b7120a004db7138300acf97e39fe51ccb6ce64386500a2f95b617fbc352a25f120b4a7c7cf1d28ea6c4b1b371553e9223051ef978d879df74e5975121fc80060b82392bd626293980cdcc501d542384573a83f3a1a06aee53a60a292aa1ab1147cbab6ef8d6af2173d0258b0327528a396af20d66c8d33d02493a7ad292f04787588ee1b5c4a9c313b18decfe3036601816c95e1887f077d523ffd3b73c91708d67499ff77089ea0f00365b2a358af83d381ecea944241af6a591941834c4630f6d0993da63a85ae2081904ea82ef82eda3a7e7389b31558fc3e05708a30cf1de742cefc54d4f379ae012c24ddef2afb5c77abd18a0da9ac383028bd3e31431613b5f0a5583093824c7b2056517773ed26f653740156f7a50aaa532123d6701835396ce55d9b50661e05f1e664ed043ce985023ea40b74e9f986c136d0c24eda683818cb5ddc7cdd6c8599c4816044343de06d88af6f9e03e365536636c76a05ef7da19d2b9d2b1cb85b23319efa812c95a91ab8e49bb3037f29ce6f08eaf005853a8267368108ec4aacf059d2da96d1af79c5f32f19086118d6396d4b1167eae4aab7ed8764dd9dd9c43d9aee44ecd8d0be380d536aa32de9f662fdf27ff65e0c6d4fffcf2f9140f168939283dda7b48b4cc6294fb7d03f21ef35c346b6fd7ef2dad0f0f65781404966cf523865242e71cfc74de893e38504b4a762801909b3239a554eb9060af95c", "0d99967cebff11ef0b6140841d5e74214120d79da45b56cdfcbc94e237769157", 0xffffffff, 0x4}, &(0x7f0000000140)="b4bcbbfe0b7f0b0eae45a1e2bd081ec52f7c6e44801b510f94b5f8065209b9fc618c2d192d48fc4647e0bb40c2f39eb0dce48c65889321d353b6079ece97867d3718595bc4eca1e13d71e9d50c861f4f9b60e4c2f10d205774d210efd3795646c0be0f22d33a4ff542362855c3b1153eded80eb08456da9224e5d2f3354918fd7c56e7b4a059689286adc6784581e02f42a695721a228c0d2d44bc8d03ffb6d49816bdc187551d3c79672374ebe80b58ffbe18c6adb87fea88bc586ffed5d47f47a2431c506efba20bcf3e558733d3896a674abb2f9ddc351084e990fa", 0xfffffffffffffff9, 0x3, 0x6, 0x4, 0x1679, 0x4, 0x9, 0x6})
setsockopt$inet_sctp_SCTP_AUTO_ASCONF(0xffffffffffffffff, 0x84, 0x18, &(0x7f0000000700)=0x5, 0x4)
syz_emit_ethernet(0x32, &(0x7f0000000000)={@empty, @broadcast, [{[{0x88a8, 0x7, 0x1}], {0x8100, 0x2, 0x0, 0x4}}], {@arp={0x806, @ether_ipv4={0x1, 0x800, 0x6, 0x4, 0x4, @local, @multicast1, @remote, @rand_addr=0x81}}}})
syz_execute_func(&(0x7f0000000040)="c4e135d13128cb6767f3a53ef22e828f0000000000c4c2d59084c81e9100000f0e0fa2c4e16c5dc9646616c4c27d7884ad56c2d556")
syz_extract_tcp_res(&(0x7f0000000080), 0x40, 0x7)
csource_test.go:109: failed to build program:
// autogenerated by syzkaller (https://github.com/google/syzkaller)
#define _GNU_SOURCE
#include <sys/types.h>
#include <dirent.h>
#include <errno.h>
#include <pthread.h>
#include <pwd.h>
#include <signal.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/endian.h>
#include <sys/resource.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>
static unsigned long long procid;
static void kill_and_wait(int pid, int* status)
{
kill(pid, SIGKILL);
while (waitpid(-1, status, 0) != pid) {
}
}
static void sleep_ms(uint64_t ms)
{
usleep(ms * 1000);
}
static uint64_t current_time_ms(void)
{
struct timespec ts;
if (clock_gettime(CLOCK_MONOTONIC, &ts))
exit(1);
return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}
static void use_temporary_dir(void)
{
char tmpdir_template[] = "./syzkaller.XXXXXX";
char* tmpdir = mkdtemp(tmpdir_template);
if (!tmpdir)
exit(1);
if (chmod(tmpdir, 0777))
exit(1);
if (chdir(tmpdir))
exit(1);
}
static void __attribute__((noinline)) remove_dir(const char* dir)
{
DIR* dp = opendir(dir);
if (dp == NULL) {
if (errno == EACCES) {
if (rmdir(dir))
exit(1);
return;
}
exit(1);
}
struct dirent* ep = 0;
while ((ep = readdir(dp))) {
if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0)
continue;
char filename[FILENAME_MAX];
snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name);
struct stat st;
if (lstat(filename, &st))
exit(1);
if (S_ISDIR(st.st_mode)) {
remove_dir(filename);
continue;
}
if (unlink(filename))
exit(1);
}
closedir(dp);
if (rmdir(dir))
exit(1);
}
static void thread_start(void* (*fn)(void*), void* arg)
{
pthread_t th;
pthread_attr_t attr;
pthread_attr_init(&attr);
pthread_attr_setstacksize(&attr, 128 << 10);
int i = 0;
for (; i < 100; i++) {
if (pthread_create(&th, &attr, fn, arg) == 0) {
pthread_attr_destroy(&attr);
return;
}
if (errno == EAGAIN) {
usleep(50);
continue;
}
break;
}
exit(1);
}
typedef struct {
pthread_mutex_t mu;
pthread_cond_t cv;
int state;
} event_t;
static void event_init(event_t* ev)
{
if (pthread_mutex_init(&ev->mu, 0))
exit(1);
if (pthread_cond_init(&ev->cv, 0))
exit(1);
ev->state = 0;
}
static void event_reset(event_t* ev)
{
ev->state = 0;
}
static void event_set(event_t* ev)
{
pthread_mutex_lock(&ev->mu);
if (ev->state)
exit(1);
ev->state = 1;
pthread_mutex_unlock(&ev->mu);
pthread_cond_broadcast(&ev->cv);
}
static void event_wait(event_t* ev)
{
pthread_mutex_lock(&ev->mu);
while (!ev->state)
pthread_cond_wait(&ev->cv, &ev->mu);
pthread_mutex_unlock(&ev->mu);
}
static int event_isset(event_t* ev)
{
pthread_mutex_lock(&ev->mu);
int res = ev->state;
pthread_mutex_unlock(&ev->mu);
return res;
}
static int event_timedwait(event_t* ev, uint64_t timeout)
{
uint64_t start = current_time_ms();
uint64_t now = start;
pthread_mutex_lock(&ev->mu);
for (;;) {
if (ev->state)
break;
uint64_t remain = timeout - (now - start);
struct timespec ts;
ts.tv_sec = remain / 1000;
ts.tv_nsec = (remain % 1000) * 1000 * 1000;
pthread_cond_timedwait(&ev->cv, &ev->mu, &ts);
now = current_time_ms();
if (now - start > timeout)
break;
}
int res = ev->state;
pthread_mutex_unlock(&ev->mu);
return res;
}
#define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off))
#define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len))))
static void sandbox_common()
{
struct rlimit rlim;
rlim.rlim_cur = rlim.rlim_max = 128 << 20;
setrlimit(RLIMIT_AS, &rlim);
rlim.rlim_cur = rlim.rlim_max = 8 << 20;
setrlimit(RLIMIT_MEMLOCK, &rlim);
rlim.rlim_cur = rlim.rlim_max = 1 << 20;
setrlimit(RLIMIT_FSIZE, &rlim);
rlim.rlim_cur = rlim.rlim_max = 1 << 20;
setrlimit(RLIMIT_STACK, &rlim);
rlim.rlim_cur = rlim.rlim_max = 0;
setrlimit(RLIMIT_CORE, &rlim);
rlim.rlim_cur = rlim.rlim_max = 256;
setrlimit(RLIMIT_NOFILE, &rlim);
}
static void loop();
static int do_sandbox_none(void)
{
sandbox_common();
loop();
return 0;
}
static long syz_execute_func(volatile long text)
{
((void (*)(void))(text))();
return 0;
}
struct thread_t {
int created, call;
event_t ready, done;
};
static struct thread_t threads[16];
static void execute_call(int call);
static int running;
static void* thr(void* arg)
{
struct thread_t* th = (struct thread_t*)arg;
for (;;) {
event_wait(&th->ready);
event_reset(&th->ready);
execute_call(th->call);
__atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED);
event_set(&th->done);
}
return 0;
}
static void execute_one(void)
{
int i, call, thread;
for (call = 0; call < 13; call++) {
for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) {
struct thread_t* th = &threads[thread];
if (!th->created) {
th->created = 1;
event_init(&th->ready);
event_init(&th->done);
event_set(&th->done);
thread_start(thr, th);
}
if (!event_isset(&th->done))
continue;
event_reset(&th->done);
th->call = call;
__atomic_fetch_add(&running, 1, __ATOMIC_RELAXED);
event_set(&th->ready);
event_timedwait(&th->done, 50);
break;
}
}
for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++)
sleep_ms(1);
}
static void execute_one(void);
#define WAIT_FLAGS 0
static void loop(void)
{
int iter = 0;
for (;; iter++) {
char cwdbuf[32];
sprintf(cwdbuf, "./%d", iter);
if (mkdir(cwdbuf, 0777))
exit(1);
int pid = fork();
if (pid < 0)
exit(1);
if (pid == 0) {
if (chdir(cwdbuf))
exit(1);
execute_one();
exit(0);
}
int status = 0;
uint64_t start = current_time_ms();
for (;;) {
if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
break;
sleep_ms(1);
if (current_time_ms() - start < 5000) {
continue;
}
kill_and_wait(pid, &status);
break;
}
remove_dir(cwdbuf);
}
}
uint64_t r[3] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff};
void execute_call(int call)
{
intptr_t res = 0;
switch (call) {
case 0:
res = syscall(SYS_kqueue);
if (res != -1)
r[0] = res;
break;
case 1:
res = syscall(SYS_dup2, -1, (intptr_t)r[0]);
if (res != -1)
r[1] = res;
break;
case 2:
syscall(SYS_freebsd11_fstat, (intptr_t)r[1], 0x10000000);
break;
case 3:
res = syscall(SYS_socket, 2, 2, 0);
if (res != -1)
r[2] = res;
break;
case 4:
syscall(SYS_flock, (intptr_t)r[2], 8);
break;
case 5:
memcpy((void*)0x10000080, "/$\\\273}/%\000", 8);
syscall(SYS_extattr_delete_fd, (intptr_t)r[2], 1, 0x10000080);
break;
case 6:
syscall(SYS_freebsd12_closefrom, (intptr_t)r[2]);
break;
case 7:
*(uint32_t*)0x10000100 = 0xc;
syscall(SYS_getsockopt, (intptr_t)r[2], 0, 0x46, 0x100000c0, 0x10000100);
break;
case 8:
memcpy((void*)0x10000240, "\xa1\x74\x0e\xa9\xd3\xdd\xe8\xc7\xf9\x00\x97\x3c\x9f\x7b\x4d\x36\xd5\x94\x65\xae\xef\xb6\xc3\x1e\x1a\x1a\x93\xc6\x66\xba\x8b\x20\xa5\x5e\x6a\xff\x30\xd0\x6e\xf3\xb2\xe7\xd1\xe2\xf3\x0d\x84\xaf\x84\x13\x0c\xd2\xe2\x7c\x4f\x2e\xe2\x15\x45\x17\xf2\x89\xb2\x62\xe0\x70\xda\xab\xfe\x22\x54\x47\xb9\xf8\xc4\xac\xb6\x9f\x59\x33\x6d\x09\x6a\xde\x1d\x70\xf6\xd6\x90\x98\xc4\x51\x49\x3a\x1f\xa4\x10\x90\xf5\x3b\xaf\x2d\x0c\x5f\x7a\x10\xc8\x3d\x29\x39\x8d\x9d\xbe\x52\x73\x04\xa4\x2d\xb0\x5b\x7a\x32\x26\xd4\x32\xd3\x4a\xe0\xa0\x91\xb5\x8e\x26\x26\x12\x54\xc9\x70\xd8\x0d\xc9\x6f\x04\x94\x3b\x86\x4c\x87\x48\x84\x35\x67\xba\xb2\xba\x79\xdb\x4f\x58\x8d\x20\x3e\x01\x61\x49\xe2\x1e\x41\x3f\x3f\x41\x69\x01\x08\x3f\x92\x86\xaa\xa7\x27\xa4\x9d\x72\xc7\x69\x82\x9e\x80\x24\x35\x4f\xc3\x24\xa9\x90\x67\xa7\xb7\xda\x16\xf7\x64\x4d\x96\xdc\x3c\x57\xc1\x0e\x1a\x75\x1a\x99\xac\xfa\xf1\x45\x08\xc6\xdc\xc5\x4e\xf4\x3f\x74\x36\x3f\x4f\x6f\x41\x7c\x33\xdd\x27\x49\xf6\xf1\x0d\x3c\x70\x4a\x58\x76\xa1\x35\xf2\x27\xcc\xa9\x0a\xf8\x5e\xf1\x82\x25\x6e\xd2\x21\xc3\x8e\x0c\x50\x67\x7a\x80\x2d\x60\x02\xf5\x0e\x48\x11\x67\xec\xcb\x17\x58\xb7\x7b\xdd\xe2\xa3\xd2\x46\x5f\x14\x7a\xb9\x79\x87\x5c\xb1\x25\xb0\x67\xcd\x37\x04\x3d\x05\x13\xbc\xbd\xc5\xe7\x9b\x20\x8f\x7c\x2d\x63\x83\xe2\x28\x4a\x58\xa5\xdb\x5e\x95\x5c\x71\xfe\x9c\xb3\xd1\x22\xc0\xc7\xe7\xc4\x73\x53\xf2\x9b\x8e\x49\x06\x5f\x97\x3f\xdb\x9d\xae\x89\x9a\xcd\x12\xe5\x9a\x4f\xff\x41\xfe\x39\x78\x41\x5a\x5a\x6d\x5a\x55\xf5\x90\x11\x11\x95\xba\x73\xcf\xb3\x32\xf8\x0e\xcf\x85\xc3\xff\x95\x71\x83\xce\xcd\x2b\xf0\x69\x90\x4d\xc8\xda\xf3\x5f\x54\xe8\x84\x7f\xec\x3e\x0f\x92\x8b\x06\xa5\x35\x5b\x3c\x19\x89\x28\x3d\xde\xa2\xe7\x7b\xfc\x50\xaf\x63\x65\xdc\x50\x5a\x65\x38\xd4\xec\x5c\xff\x65\x09\x0f\xf0\x9b\x12\xf8\x00\xeb\xce\x60\x2a\xb6\x35\x60\x7a\x88\xba\x3e\xeb\x91\x6c\xe6\x03\x1f\xc2\x6c\x0f\xa7\x27\x22\x00\xa9\x98\x0d\x70\x77\x96\xb6\xc9\x17\xa7\x92\x06\xd2\xc4\xc0\x9e\xa4\x18\xfc\xa9\xdb\x36\xf6\xac\x0d\xaf\x59\x02\x35\x2c\x7d\xe0\x3a\xf4\x2c\x3d\x1f\xf5\x07\x94\x55\xac\xe7\xb7\x12\x0a\x00\x4d\xb7\x13\x83\x00\xac\xf9\x7e\x39\xfe\x51\xcc\xb6\xce\x64\x38\x65\x00\xa2\xf9\x5b\x61\x7f\xbc\x35\x2a\x25\xf1\x20\xb4\xa7\xc7\xcf\x1d\x28\xea\x6c\x4b\x1b\x37\x15\x53\xe9\x22\x30\x51\xef\x97\x8d\x87\x9d\xf7\x4e\x59\x75\x12\x1f\xc8\x00\x60\xb8\x23\x92\xbd\x62\x62\x93\x98\x0c\xdc\xc5\x01\xd5\x42\x38\x45\x73\xa8\x3f\x3a\x1a\x06\xae\xe5\x3a\x60\xa2\x92\xaa\x1a\xb1\x14\x7c\xba\xb6\xef\x8d\x6a\xf2\x17\x3d\x02\x58\xb0\x32\x75\x28\xa3\x96\xaf\x20\xd6\x6c\x8d\x33\xd0\x24\x93\xa7\xad\x29\x2f\x04\x78\x75\x88\xee\x1b\x5c\x4a\x9c\x31\x3b\x18\xde\xcf\xe3\x03\x66\x01\x81\x6c\x95\xe1\x88\x7f\x07\x7d\x52\x3f\xfd\x3b\x73\xc9\x17\x08\xd6\x74\x99\xff\x77\x08\x9e\xa0\xf0\x03\x65\xb2\xa3\x58\xaf\x83\xd3\x81\xec\xea\x94\x42\x41\xaf\x6a\x59\x19\x41\x83\x4c\x46\x30\xf6\xd0\x99\x3d\xa6\x3a\x85\xae\x20\x81\x90\x4e\xa8\x2e\xf8\x2e\xda\x3a\x7e\x73\x89\xb3\x15\x58\xfc\x3e\x05\x70\x8a\x30\xcf\x1d\xe7\x42\xce\xfc\x54\xd4\xf3\x79\xae\x01\x2c\x24\xdd\xef\x2a\xfb\x5c\x77\xab\xd1\x8a\x0d\xa9\xac\x38\x30\x28\xbd\x3e\x31\x43\x16\x13\xb5\xf0\xa5\x58\x30\x93\x82\x4c\x7b\x20\x56\x51\x77\x73\xed\x26\xf6\x53\x74\x01\x56\xf7\xa5\x0a\xaa\x53\x21\x23\xd6\x70\x18\x35\x39\x6c\xe5\x5d\x9b\x50\x66\x1e\x05\xf1\xe6\x64\xed\x04\x3c\xe9\x85\x02\x3e\xa4\x0b\x74\xe9\xf9\x86\xc1\x36\xd0\xc2\x4e\xda\x68\x38\x18\xcb\x5d\xdc\x7c\xdd\x6c\x85\x99\xc4\x81\x60\x44\x34\x3d\xe0\x6d\x88\xaf\x6f\x9e\x03\xe3\x65\x53\x66\x36\xc7\x6a\x05\xef\x7d\xa1\x9d\x2b\x9d\x2b\x1c\xb8\x5b\x23\x31\x9e\xfa\x81\x2c\x95\xa9\x1a\xb8\xe4\x9b\xb3\x03\x7f\x29\xce\x6f\x08\xea\xf0\x05\x85\x3a\x82\x67\x36\x81\x08\xec\x4a\xac\xf0\x59\xd2\xda\x96\xd1\xaf\x79\xc5\xf3\x2f\x19\x08\x61\x18\xd6\x39\x6d\x4b\x11\x67\xea\xe4\xaa\xb7\xed\x87\x64\xdd\x9d\xd9\xc4\x3d\x9a\xee\x44\xec\xd8\xd0\xbe\x38\x0d\x53\x6a\xa3\x2d\xe9\xf6\x62\xfd\xf2\x7f\xf6\x5e\x0c\x6d\x4f\xff\xcf\x2f\x91\x40\xf1\x68\x93\x92\x83\xdd\xa7\xb4\x8b\x4c\xc6\x29\x4f\xb7\xd0\x3f\x21\xef\x35\xc3\x46\xb6\xfd\x7e\xf2\xda\xd0\xf0\xf6\x57\x81\x40\x49\x66\xcf\x52\x38\x65\x24\x2e\x71\xcf\xc7\x4d\xe8\x93\xe3\x85\x04\xb4\xa7\x62\x80\x19\x09\xb3\x23\x9a\x55\x4e\xb9\x06\x0a\xf9\x5c", 1024);
memcpy((void*)0x10000640, "\x0d\x99\x96\x7c\xeb\xff\x11\xef\x0b\x61\x40\x84\x1d\x5e\x74\x21\x41\x20\xd7\x9d\xa4\x5b\x56\xcd\xfc\xbc\x94\xe2\x37\x76\x91\x57", 32);
*(uint32_t*)0x10000660 = -1;
*(uint8_t*)0x10000664 = 4;
*(uint32_t*)0x10000668 = 0x10000140;
memcpy((void*)0x10000140, "\xb4\xbc\xbb\xfe\x0b\x7f\x0b\x0e\xae\x45\xa1\xe2\xbd\x08\x1e\xc5\x2f\x7c\x6e\x44\x80\x1b\x51\x0f\x94\xb5\xf8\x06\x52\x09\xb9\xfc\x61\x8c\x2d\x19\x2d\x48\xfc\x46\x47\xe0\xbb\x40\xc2\xf3\x9e\xb0\xdc\xe4\x8c\x65\x88\x93\x21\xd3\x53\xb6\x07\x9e\xce\x97\x86\x7d\x37\x18\x59\x5b\xc4\xec\xa1\xe1\x3d\x71\xe9\xd5\x0c\x86\x1f\x4f\x9b\x60\xe4\xc2\xf1\x0d\x20\x57\x74\xd2\x10\xef\xd3\x79\x56\x46\xc0\xbe\x0f\x22\xd3\x3a\x4f\xf5\x42\x36\x28\x55\xc3\xb1\x15\x3e\xde\xd8\x0e\xb0\x84\x56\xda\x92\x24\xe5\xd2\xf3\x35\x49\x18\xfd\x7c\x56\xe7\xb4\xa0\x59\x68\x92\x86\xad\xc6\x78\x45\x81\xe0\x2f\x42\xa6\x95\x72\x1a\x22\x8c\x0d\x2d\x44\xbc\x8d\x03\xff\xb6\xd4\x98\x16\xbd\xc1\x87\x55\x1d\x3c\x79\x67\x23\x74\xeb\xe8\x0b\x58\xff\xbe\x18\xc6\xad\xb8\x7f\xea\x88\xbc\x58\x6f\xfe\xd5\xd4\x7f\x47\xa2\x43\x1c\x50\x6e\xfb\xa2\x0b\xcf\x3e\x55\x87\x33\xd3\x89\x6a\x67\x4a\xbb\x2f\x9d\xdc\x35\x10\x84\xe9\x90\xfa", 221);
*(uint64_t*)0x1000066c = 0xfffffffffffffff9;
*(uint64_t*)0x10000674 = 3;
*(uint64_t*)0x1000067c = 6;
*(uint64_t*)0x10000684 = 4;
*(uint64_t*)0x1000068c = 0x1679;
*(uint64_t*)0x10000694 = 4;
*(uint64_t*)0x1000069c = 9;
*(uint32_t*)0x100006a4 = 6;
syscall(SYS_ioctl, (intptr_t)r[1], 0xc4504447, 0x10000240);
break;
case 9:
*(uint32_t*)0x10000700 = 5;
syscall(SYS_setsockopt, -1, 0x84, 0x18, 0x10000700, 4);
break;
case 10:
*(uint8_t*)0x10000000 = 0;
*(uint8_t*)0x10000001 = 0;
*(uint8_t*)0x10000002 = 0;
*(uint8_t*)0x10000003 = 0;
*(uint8_t*)0x10000004 = 0;
*(uint8_t*)0x10000005 = 0;
*(uint8_t*)0x10000006 = -1;
*(uint8_t*)0x10000007 = -1;
*(uint8_t*)0x10000008 = -1;
*(uint8_t*)0x10000009 = -1;
*(uint8_t*)0x1000000a = -1;
*(uint8_t*)0x1000000b = -1;
*(uint16_t*)0x1000000c = htobe16(0x88a8);
STORE_BY_BITMASK(uint16_t, , 0x1000000e, 7, 0, 3);
STORE_BY_BITMASK(uint16_t, , 0x1000000e, 1, 3, 1);
STORE_BY_BITMASK(uint16_t, , 0x1000000e, 0, 4, 12);
*(uint16_t*)0x10000010 = htobe16(0x8100);
STORE_BY_BITMASK(uint16_t, , 0x10000012, 2, 0, 3);
STORE_BY_BITMASK(uint16_t, , 0x10000012, 0, 3, 1);
STORE_BY_BITMASK(uint16_t, , 0x10000012, 4, 4, 12);
*(uint16_t*)0x10000014 = htobe16(0x806);
*(uint16_t*)0x10000016 = htobe16(1);
*(uint16_t*)0x10000018 = htobe16(0x800);
*(uint8_t*)0x1000001a = 6;
*(uint8_t*)0x1000001b = 4;
*(uint16_t*)0x1000001c = htobe16(4);
*(uint8_t*)0x1000001e = 0xaa;
*(uint8_t*)0x1000001f = 0xaa;
*(uint8_t*)0x10000020 = 0xaa;
*(uint8_t*)0x10000021 = 0xaa;
*(uint8_t*)0x10000022 = 0xaa;
*(uint8_t*)0x10000023 = 0xaa;
*(uint32_t*)0x10000024 = htobe32(0xe0000001);
*(uint8_t*)0x10000028 = 0xaa;
*(uint8_t*)0x10000029 = 0xaa;
*(uint8_t*)0x1000002a = 0xaa;
*(uint8_t*)0x1000002b = 0xaa;
*(uint8_t*)0x1000002c = 0xaa;
*(uint8_t*)0x1000002d = 0xbb;
*(uint32_t*)0x1000002e = htobe32(0x81);
break;
case 11:
memcpy((void*)0x10000040, "\xc4\xe1\x35\xd1\x31\x28\xcb\x67\x67\xf3\xa5\x3e\xf2\x2e\x82\x8f\x00\x00\x00\x00\x00\xc4\xc2\xd5\x90\x84\xc8\x1e\x91\x00\x00\x0f\x0e\x0f\xa2\xc4\xe1\x6c\x5d\xc9\x64\x66\x16\xc4\xc2\x7d\x78\x84\xad\x56\xc2\xd5\x56", 53);
syz_execute_func(0x10000040);
break;
case 12:
break;
}
}
int main(void)
{
syscall(SYS_mmap, 0x10000000, 0x1000000, 7, 0x1012, -1, 0);
for (procid = 0; procid < 4; procid++) {
if (fork() == 0) {
use_temporary_dir();
do_sandbox_none();
}
}
sleep(1000000);
return 0;
}
<stdin>:334:11: error: use of undeclared identifier 'SYS_freebsd12_closefrom'
syscall(SYS_freebsd12_closefrom, (intptr_t)r[2]);
^
1 error generated.
compiler invocation: clang [-o /tmp/syz-executor408088726 -DGOOS_freebsd=1 -DGOARCH_386=1 -DHOSTGOOS_freebsd=1 -x c - -m32 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -static -lc++ -Wno-overflow]
--- FAIL: TestGenerate/freebsd/386/15 (0.81s)
csource_test.go:108: opts: {Threaded:true Collide:true Repeat:true RepeatTimes:0 Procs:2 Slowdown:1 Sandbox:none Fault:false FaultCall:0 FaultNth:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false USB:false VhciInjection:false Wifi:false Sysctl:false UseTmpDir:true HandleSegv:false Repro:true Trace:false}
program:
r0 = kqueue()
r1 = dup2(0xffffffffffffffff, r0)
freebsd11_fstat(r1, &(0x7f0000000000))
r2 = socket$inet_udp(0x2, 0x2, 0x0)
flock(r2, 0x8)
extattr_delete_fd(r2, 0x1, &(0x7f0000000080)='/$\\\xbb}/%\x00')
freebsd12_closefrom(r2)
getsockopt$inet_mreqsrc(r2, 0x0, 0x46, &(0x7f00000000c0)={@empty, @local, @multicast1}, &(0x7f0000000100)=0xc)
ioctl$DIOCRGETASTATS(r1, 0xc4504447, &(0x7f0000000240)={{"a1740ea9d3dde8c7f900973c9f7b4d36d59465aeefb6c31e1a1a93c666ba8b20a55e6aff30d06ef3b2e7d1e2f30d84af84130cd2e27c4f2ee2154517f289b262e070daabfe225447b9f8c4acb69f59336d096ade1d70f6d69098c451493a1fa41090f53baf2d0c5f7a10c83d29398d9dbe527304a42db05b7a3226d432d34ae0a091b58e26261254c970d80dc96f04943b864c8748843567bab2ba79db4f588d203e016149e21e413f3f416901083f9286aaa727a49d72c769829e8024354fc324a99067a7b7da16f7644d96dc3c57c10e1a751a99acfaf14508c6dcc54ef43f74363f4f6f417c33dd2749f6f10d3c704a5876a135f227cca90af85ef182256ed221c38e0c50677a802d6002f50e481167eccb1758b77bdde2a3d2465f147ab979875cb125b067cd37043d0513bcbdc5e79b208f7c2d6383e2284a58a5db5e955c71fe9cb3d122c0c7e7c47353f29b8e49065f973fdb9dae899acd12e59a4fff41fe3978415a5a6d5a55f590111195ba73cfb332f80ecf85c3ff957183cecd2bf069904dc8daf35f54e8847fec3e0f928b06a5355b3c1989283ddea2e77bfc50af6365dc505a6538d4ec5cff65090ff09b12f800ebce602ab635607a88ba3eeb916ce6031fc26c0fa7272200a9980d707796b6c917a79206d2c4c09ea418fca9db36f6ac0daf5902352c7de03af42c3d1ff5079455ace7b7120a004db7138300acf97e39fe51ccb6ce64386500a2f95b617fbc352a25f120b4a7c7cf1d28ea6c4b1b371553e9223051ef978d879df74e5975121fc80060b82392bd626293980cdcc501d542384573a83f3a1a06aee53a60a292aa1ab1147cbab6ef8d6af2173d0258b0327528a396af20d66c8d33d02493a7ad292f04787588ee1b5c4a9c313b18decfe3036601816c95e1887f077d523ffd3b73c91708d67499ff77089ea0f00365b2a358af83d381ecea944241af6a591941834c4630f6d0993da63a85ae2081904ea82ef82eda3a7e7389b31558fc3e05708a30cf1de742cefc54d4f379ae012c24ddef2afb5c77abd18a0da9ac383028bd3e31431613b5f0a5583093824c7b2056517773ed26f653740156f7a50aaa532123d6701835396ce55d9b50661e05f1e664ed043ce985023ea40b74e9f986c136d0c24eda683818cb5ddc7cdd6c8599c4816044343de06d88af6f9e03e365536636c76a05ef7da19d2b9d2b1cb85b23319efa812c95a91ab8e49bb3037f29ce6f08eaf005853a8267368108ec4aacf059d2da96d1af79c5f32f19086118d6396d4b1167eae4aab7ed8764dd9dd9c43d9aee44ecd8d0be380d536aa32de9f662fdf27ff65e0c6d4fffcf2f9140f168939283dda7b48b4cc6294fb7d03f21ef35c346b6fd7ef2dad0f0f65781404966cf523865242e71cfc74de893e38504b4a762801909b3239a554eb9060af95c", "0d99967cebff11ef0b6140841d5e74214120d79da45b56cdfcbc94e237769157", 0xffffffff, 0x4}, &(0x7f0000000140)="b4bcbbfe0b7f0b0eae45a1e2bd081ec52f7c6e44801b510f94b5f8065209b9fc618c2d192d48fc4647e0bb40c2f39eb0dce48c65889321d353b6079ece97867d3718595bc4eca1e13d71e9d50c861f4f9b60e4c2f10d205774d210efd3795646c0be0f22d33a4ff542362855c3b1153eded80eb08456da9224e5d2f3354918fd7c56e7b4a059689286adc6784581e02f42a695721a228c0d2d44bc8d03ffb6d49816bdc187551d3c79672374ebe80b58ffbe18c6adb87fea88bc586ffed5d47f47a2431c506efba20bcf3e558733d3896a674abb2f9ddc351084e990fa", 0xfffffffffffffff9, 0x3, 0x6, 0x4, 0x1679, 0x4, 0x9, 0x6})
setsockopt$inet_sctp_SCTP_AUTO_ASCONF(0xffffffffffffffff, 0x84, 0x18, &(0x7f0000000700)=0x5, 0x4)
syz_emit_ethernet(0x32, &(0x7f0000000000)={@empty, @broadcast, [{[{0x88a8, 0x7, 0x1}], {0x8100, 0x2, 0x0, 0x4}}], {@arp={0x806, @ether_ipv4={0x1, 0x800, 0x6, 0x4, 0x4, @local, @multicast1, @remote, @rand_addr=0x81}}}})
syz_execute_func(&(0x7f0000000040)="c4e135d13128cb6767f3a53ef22e828f0000000000c4c2d59084c81e9100000f0e0fa2c4e16c5dc9646616c4c27d7884ad56c2d556")
syz_extract_tcp_res(&(0x7f0000000080), 0x40, 0x7)
csource_test.go:109: failed to build program:
// autogenerated by syzkaller (https://github.com/google/syzkaller)
#define _GNU_SOURCE
#include <sys/types.h>
#include <dirent.h>
#include <errno.h>
#include <pthread.h>
#include <pwd.h>
#include <signal.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/endian.h>
#include <sys/resource.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>
static unsigned long long procid;
static void kill_and_wait(int pid, int* status)
{
kill(pid, SIGKILL);
while (waitpid(-1, status, 0) != pid) {
}
}
static void sleep_ms(uint64_t ms)
{
usleep(ms * 1000);
}
static uint64_t current_time_ms(void)
{
struct timespec ts;
if (clock_gettime(CLOCK_MONOTONIC, &ts))
exit(1);
return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}
static void use_temporary_dir(void)
{
char tmpdir_template[] = "./syzkaller.XXXXXX";
char* tmpdir = mkdtemp(tmpdir_template);
if (!tmpdir)
exit(1);
if (chmod(tmpdir, 0777))
exit(1);
if (chdir(tmpdir))
exit(1);
}
static void __attribute__((noinline)) remove_dir(const char* dir)
{
DIR* dp = opendir(dir);
if (dp == NULL) {
if (errno == EACCES) {
if (rmdir(dir))
exit(1);
return;
}
exit(1);
}
struct dirent* ep = 0;
while ((ep = readdir(dp))) {
if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0)
continue;
char filename[FILENAME_MAX];
snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name);
struct stat st;
if (lstat(filename, &st))
exit(1);
if (S_ISDIR(st.st_mode)) {
remove_dir(filename);
continue;
}
if (unlink(filename))
exit(1);
}
closedir(dp);
if (rmdir(dir))
exit(1);
}
static void thread_start(void* (*fn)(void*), void* arg)
{
pthread_t th;
pthread_attr_t attr;
pthread_attr_init(&attr);
pthread_attr_setstacksize(&attr, 128 << 10);
int i = 0;
for (; i < 100; i++) {
if (pthread_create(&th, &attr, fn, arg) == 0) {
pthread_attr_destroy(&attr);
return;
}
if (errno == EAGAIN) {
usleep(50);
continue;
}
break;
}
exit(1);
}
typedef struct {
pthread_mutex_t mu;
pthread_cond_t cv;
int state;
} event_t;
static void event_init(event_t* ev)
{
if (pthread_mutex_init(&ev->mu, 0))
exit(1);
if (pthread_cond_init(&ev->cv, 0))
exit(1);
ev->state = 0;
}
static void event_reset(event_t* ev)
{
ev->state = 0;
}
static void event_set(event_t* ev)
{
pthread_mutex_lock(&ev->mu);
if (ev->state)
exit(1);
ev->state = 1;
pthread_mutex_unlock(&ev->mu);
pthread_cond_broadcast(&ev->cv);
}
static void event_wait(event_t* ev)
{
pthread_mutex_lock(&ev->mu);
while (!ev->state)
pthread_cond_wait(&ev->cv, &ev->mu);
pthread_mutex_unlock(&ev->mu);
}
static int event_isset(event_t* ev)
{
pthread_mutex_lock(&ev->mu);
int res = ev->state;
pthread_mutex_unlock(&ev->mu);
return res;
}
static int event_timedwait(event_t* ev, uint64_t timeout)
{
uint64_t start = current_time_ms();
uint64_t now = start;
pthread_mutex_lock(&ev->mu);
for (;;) {
if (ev->state)
break;
uint64_t remain = timeout - (now - start);
struct timespec ts;
ts.tv_sec = remain / 1000;
ts.tv_nsec = (remain % 1000) * 1000 * 1000;
pthread_cond_timedwait(&ev->cv, &ev->mu, &ts);
now = current_time_ms();
if (now - start > timeout)
break;
}
int res = ev->state;
pthread_mutex_unlock(&ev->mu);
return res;
}
#define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off))
#define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len))))
static void sandbox_common()
{
struct rlimit rlim;
rlim.rlim_cur = rlim.rlim_max = 128 << 20;
setrlimit(RLIMIT_AS, &rlim);
rlim.rlim_cur = rlim.rlim_max = 8 << 20;
setrlimit(RLIMIT_MEMLOCK, &rlim);
rlim.rlim_cur = rlim.rlim_max = 1 << 20;
setrlimit(RLIMIT_FSIZE, &rlim);
rlim.rlim_cur = rlim.rlim_max = 1 << 20;
setrlimit(RLIMIT_STACK, &rlim);
rlim.rlim_cur = rlim.rlim_max = 0;
setrlimit(RLIMIT_CORE, &rlim);
rlim.rlim_cur = rlim.rlim_max = 256;
setrlimit(RLIMIT_NOFILE, &rlim);
}
static void loop();
static int do_sandbox_none(void)
{
sandbox_common();
loop();
return 0;
}
static long syz_execute_func(volatile long text)
{
((void (*)(void))(text))();
return 0;
}
struct thread_t {
int created, call;
event_t ready, done;
};
static struct thread_t threads[16];
static void execute_call(int call);
static int running;
static void* thr(void* arg)
{
struct thread_t* th = (struct thread_t*)arg;
for (;;) {
event_wait(&th->ready);
event_reset(&th->ready);
execute_call(th->call);
__atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED);
event_set(&th->done);
}
return 0;
}
static void execute_one(void)
{
if (write(1, "executing program\n", sizeof("executing program\n") - 1)) {
}
int i, call, thread;
int collide = 0;
again:
for (call = 0; call < 13; call++) {
for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) {
struct thread_t* th = &threads[thread];
if (!th->created) {
th->created = 1;
event_init(&th->ready);
event_init(&th->done);
event_set(&th->done);
thread_start(thr, th);
}
if (!event_isset(&th->done))
continue;
event_reset(&th->done);
th->call = call;
__atomic_fetch_add(&running, 1, __ATOMIC_RELAXED);
event_set(&th->ready);
if (collide && (call % 2) == 0)
break;
event_timedwait(&th->done, 50);
break;
}
}
for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++)
sleep_ms(1);
if (!collide) {
collide = 1;
goto again;
}
}
static void execute_one(void);
#define WAIT_FLAGS 0
static void loop(void)
{
int iter = 0;
for (;; iter++) {
char cwdbuf[32];
sprintf(cwdbuf, "./%d", iter);
if (mkdir(cwdbuf, 0777))
exit(1);
int pid = fork();
if (pid < 0)
exit(1);
if (pid == 0) {
if (chdir(cwdbuf))
exit(1);
execute_one();
exit(0);
}
int status = 0;
uint64_t start = current_time_ms();
for (;;) {
if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
break;
sleep_ms(1);
if (current_time_ms() - start < 5000) {
continue;
}
kill_and_wait(pid, &status);
break;
}
remove_dir(cwdbuf);
}
}
uint64_t r[3] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff};
void execute_call(int call)
{
intptr_t res = 0;
switch (call) {
case 0:
res = syscall(SYS_kqueue);
if (res != -1)
r[0] = res;
break;
case 1:
res = syscall(SYS_dup2, -1, (intptr_t)r[0]);
if (res != -1)
r[1] = res;
break;
case 2:
syscall(SYS_freebsd11_fstat, (intptr_t)r[1], 0x10000000);
break;
case 3:
res = syscall(SYS_socket, 2, 2, 0);
if (res != -1)
r[2] = res;
break;
case 4:
syscall(SYS_flock, (intptr_t)r[2], 8);
break;
case 5:
memcpy((void*)0x10000080, "/$\\\273}/%\000", 8);
syscall(SYS_extattr_delete_fd, (intptr_t)r[2], 1, 0x10000080);
break;
case 6:
syscall(SYS_freebsd12_closefrom, (intptr_t)r[2]);
break;
case 7:
*(uint32_t*)0x10000100 = 0xc;
syscall(SYS_getsockopt, (intptr_t)r[2], 0, 0x46, 0x100000c0, 0x10000100);
break;
case 8:
memcpy((void*)0x10000240, "\xa1\x74\x0e\xa9\xd3\xdd\xe8\xc7\xf9\x00\x97\x3c\x9f\x7b\x4d\x36\xd5\x94\x65\xae\xef\xb6\xc3\x1e\x1a\x1a\x93\xc6\x66\xba\x8b\x20\xa5\x5e\x6a\xff\x30\xd0\x6e\xf3\xb2\xe7\xd1\xe2\xf3\x0d\x84\xaf\x84\x13\x0c\xd2\xe2\x7c\x4f\x2e\xe2\x15\x45\x17\xf2\x89\xb2\x62\xe0\x70\xda\xab\xfe\x22\x54\x47\xb9\xf8\xc4\xac\xb6\x9f\x59\x33\x6d\x09\x6a\xde\x1d\x70\xf6\xd6\x90\x98\xc4\x51\x49\x3a\x1f\xa4\x10\x90\xf5\x3b\xaf\x2d\x0c\x5f\x7a\x10\xc8\x3d\x29\x39\x8d\x9d\xbe\x52\x73\x04\xa4\x2d\xb0\x5b\x7a\x32\x26\xd4\x32\xd3\x4a\xe0\xa0\x91\xb5\x8e\x26\x26\x12\x54\xc9\x70\xd8\x0d\xc9\x6f\x04\x94\x3b\x86\x4c\x87\x48\x84\x35\x67\xba\xb2\xba\x79\xdb\x4f\x58\x8d\x20\x3e\x01\x61\x49\xe2\x1e\x41\x3f\x3f\x41\x69\x01\x08\x3f\x92\x86\xaa\xa7\x27\xa4\x9d\x72\xc7\x69\x82\x9e\x80\x24\x35\x4f\xc3\x24\xa9\x90\x67\xa7\xb7\xda\x16\xf7\x64\x4d\x96\xdc\x3c\x57\xc1\x0e\x1a\x75\x1a\x99\xac\xfa\xf1\x45\x08\xc6\xdc\xc5\x4e\xf4\x3f\x74\x36\x3f\x4f\x6f\x41\x7c\x33\xdd\x27\x49\xf6\xf1\x0d\x3c\x70\x4a\x58\x76\xa1\x35\xf2\x27\xcc\xa9\x0a\xf8\x5e\xf1\x82\x25\x6e\xd2\x21\xc3\x8e\x0c\x50\x67\x7a\x80\x2d\x60\x02\xf5\x0e\x48\x11\x67\xec\xcb\x17\x58\xb7\x7b\xdd\xe2\xa3\xd2\x46\x5f\x14\x7a\xb9\x79\x87\x5c\xb1\x25\xb0\x67\xcd\x37\x04\x3d\x05\x13\xbc\xbd\xc5\xe7\x9b\x20\x8f\x7c\x2d\x63\x83\xe2\x28\x4a\x58\xa5\xdb\x5e\x95\x5c\x71\xfe\x9c\xb3\xd1\x22\xc0\xc7\xe7\xc4\x73\x53\xf2\x9b\x8e\x49\x06\x5f\x97\x3f\xdb\x9d\xae\x89\x9a\xcd\x12\xe5\x9a\x4f\xff\x41\xfe\x39\x78\x41\x5a\x5a\x6d\x5a\x55\xf5\x90\x11\x11\x95\xba\x73\xcf\xb3\x32\xf8\x0e\xcf\x85\xc3\xff\x95\x71\x83\xce\xcd\x2b\xf0\x69\x90\x4d\xc8\xda\xf3\x5f\x54\xe8\x84\x7f\xec\x3e\x0f\x92\x8b\x06\xa5\x35\x5b\x3c\x19\x89\x28\x3d\xde\xa2\xe7\x7b\xfc\x50\xaf\x63\x65\xdc\x50\x5a\x65\x38\xd4\xec\x5c\xff\x65\x09\x0f\xf0\x9b\x12\xf8\x00\xeb\xce\x60\x2a\xb6\x35\x60\x7a\x88\xba\x3e\xeb\x91\x6c\xe6\x03\x1f\xc2\x6c\x0f\xa7\x27\x22\x00\xa9\x98\x0d\x70\x77\x96\xb6\xc9\x17\xa7\x92\x06\xd2\xc4\xc0\x9e\xa4\x18\xfc\xa9\xdb\x36\xf6\xac\x0d\xaf\x59\x02\x35\x2c\x7d\xe0\x3a\xf4\x2c\x3d\x1f\xf5\x07\x94\x55\xac\xe7\xb7\x12\x0a\x00\x4d\xb7\x13\x83\x00\xac\xf9\x7e\x39\xfe\x51\xcc\xb6\xce\x64\x38\x65\x00\xa2\xf9\x5b\x61\x7f\xbc\x35\x2a\x25\xf1\x20\xb4\xa7\xc7\xcf\x1d\x28\xea\x6c\x4b\x1b\x37\x15\x53\xe9\x22\x30\x51\xef\x97\x8d\x87\x9d\xf7\x4e\x59\x75\x12\x1f\xc8\x00\x60\xb8\x23\x92\xbd\x62\x62\x93\x98\x0c\xdc\xc5\x01\xd5\x42\x38\x45\x73\xa8\x3f\x3a\x1a\x06\xae\xe5\x3a\x60\xa2\x92\xaa\x1a\xb1\x14\x7c\xba\xb6\xef\x8d\x6a\xf2\x17\x3d\x02\x58\xb0\x32\x75\x28\xa3\x96\xaf\x20\xd6\x6c\x8d\x33\xd0\x24\x93\xa7\xad\x29\x2f\x04\x78\x75\x88\xee\x1b\x5c\x4a\x9c\x31\x3b\x18\xde\xcf\xe3\x03\x66\x01\x81\x6c\x95\xe1\x88\x7f\x07\x7d\x52\x3f\xfd\x3b\x73\xc9\x17\x08\xd6\x74\x99\xff\x77\x08\x9e\xa0\xf0\x03\x65\xb2\xa3\x58\xaf\x83\xd3\x81\xec\xea\x94\x42\x41\xaf\x6a\x59\x19\x41\x83\x4c\x46\x30\xf6\xd0\x99\x3d\xa6\x3a\x85\xae\x20\x81\x90\x4e\xa8\x2e\xf8\x2e\xda\x3a\x7e\x73\x89\xb3\x15\x58\xfc\x3e\x05\x70\x8a\x30\xcf\x1d\xe7\x42\xce\xfc\x54\xd4\xf3\x79\xae\x01\x2c\x24\xdd\xef\x2a\xfb\x5c\x77\xab\xd1\x8a\x0d\xa9\xac\x38\x30\x28\xbd\x3e\x31\x43\x16\x13\xb5\xf0\xa5\x58\x30\x93\x82\x4c\x7b\x20\x56\x51\x77\x73\xed\x26\xf6\x53\x74\x01\x56\xf7\xa5\x0a\xaa\x53\x21\x23\xd6\x70\x18\x35\x39\x6c\xe5\x5d\x9b\x50\x66\x1e\x05\xf1\xe6\x64\xed\x04\x3c\xe9\x85\x02\x3e\xa4\x0b\x74\xe9\xf9\x86\xc1\x36\xd0\xc2\x4e\xda\x68\x38\x18\xcb\x5d\xdc\x7c\xdd\x6c\x85\x99\xc4\x81\x60\x44\x34\x3d\xe0\x6d\x88\xaf\x6f\x9e\x03\xe3\x65\x53\x66\x36\xc7\x6a\x05\xef\x7d\xa1\x9d\x2b\x9d\x2b\x1c\xb8\x5b\x23\x31\x9e\xfa\x81\x2c\x95\xa9\x1a\xb8\xe4\x9b\xb3\x03\x7f\x29\xce\x6f\x08\xea\xf0\x05\x85\x3a\x82\x67\x36\x81\x08\xec\x4a\xac\xf0\x59\xd2\xda\x96\xd1\xaf\x79\xc5\xf3\x2f\x19\x08\x61\x18\xd6\x39\x6d\x4b\x11\x67\xea\xe4\xaa\xb7\xed\x87\x64\xdd\x9d\xd9\xc4\x3d\x9a\xee\x44\xec\xd8\xd0\xbe\x38\x0d\x53\x6a\xa3\x2d\xe9\xf6\x62\xfd\xf2\x7f\xf6\x5e\x0c\x6d\x4f\xff\xcf\x2f\x91\x40\xf1\x68\x93\x92\x83\xdd\xa7\xb4\x8b\x4c\xc6\x29\x4f\xb7\xd0\x3f\x21\xef\x35\xc3\x46\xb6\xfd\x7e\xf2\xda\xd0\xf0\xf6\x57\x81\x40\x49\x66\xcf\x52\x38\x65\x24\x2e\x71\xcf\xc7\x4d\xe8\x93\xe3\x85\x04\xb4\xa7\x62\x80\x19\x09\xb3\x23\x9a\x55\x4e\xb9\x06\x0a\xf9\x5c", 1024);
memcpy((void*)0x10000640, "\x0d\x99\x96\x7c\xeb\xff\x11\xef\x0b\x61\x40\x84\x1d\x5e\x74\x21\x41\x20\xd7\x9d\xa4\x5b\x56\xcd\xfc\xbc\x94\xe2\x37\x76\x91\x57", 32);
*(uint32_t*)0x10000660 = -1;
*(uint8_t*)0x10000664 = 4;
*(uint32_t*)0x10000668 = 0x10000140;
memcpy((void*)0x10000140, "\xb4\xbc\xbb\xfe\x0b\x7f\x0b\x0e\xae\x45\xa1\xe2\xbd\x08\x1e\xc5\x2f\x7c\x6e\x44\x80\x1b\x51\x0f\x94\xb5\xf8\x06\x52\x09\xb9\xfc\x61\x8c\x2d\x19\x2d\x48\xfc\x46\x47\xe0\xbb\x40\xc2\xf3\x9e\xb0\xdc\xe4\x8c\x65\x88\x93\x21\xd3\x53\xb6\x07\x9e\xce\x97\x86\x7d\x37\x18\x59\x5b\xc4\xec\xa1\xe1\x3d\x71\xe9\xd5\x0c\x86\x1f\x4f\x9b\x60\xe4\xc2\xf1\x0d\x20\x57\x74\xd2\x10\xef\xd3\x79\x56\x46\xc0\xbe\x0f\x22\xd3\x3a\x4f\xf5\x42\x36\x28\x55\xc3\xb1\x15\x3e\xde\xd8\x0e\xb0\x84\x56\xda\x92\x24\xe5\xd2\xf3\x35\x49\x18\xfd\x7c\x56\xe7\xb4\xa0\x59\x68\x92\x86\xad\xc6\x78\x45\x81\xe0\x2f\x42\xa6\x95\x72\x1a\x22\x8c\x0d\x2d\x44\xbc\x8d\x03\xff\xb6\xd4\x98\x16\xbd\xc1\x87\x55\x1d\x3c\x79\x67\x23\x74\xeb\xe8\x0b\x58\xff\xbe\x18\xc6\xad\xb8\x7f\xea\x88\xbc\x58\x6f\xfe\xd5\xd4\x7f\x47\xa2\x43\x1c\x50\x6e\xfb\xa2\x0b\xcf\x3e\x55\x87\x33\xd3\x89\x6a\x67\x4a\xbb\x2f\x9d\xdc\x35\x10\x84\xe9\x90\xfa", 221);
*(uint64_t*)0x1000066c = 0xfffffffffffffff9;
*(uint64_t*)0x10000674 = 3;
*(uint64_t*)0x1000067c = 6;
*(uint64_t*)0x10000684 = 4;
*(uint64_t*)0x1000068c = 0x1679;
*(uint64_t*)0x10000694 = 4;
*(uint64_t*)0x1000069c = 9;
*(uint32_t*)0x100006a4 = 6;
syscall(SYS_ioctl, (intptr_t)r[1], 0xc4504447, 0x10000240);
break;
case 9:
*(uint32_t*)0x10000700 = 5;
syscall(SYS_setsockopt, -1, 0x84, 0x18, 0x10000700, 4);
break;
case 10:
*(uint8_t*)0x10000000 = 0;
*(uint8_t*)0x10000001 = 0;
*(uint8_t*)0x10000002 = 0;
*(uint8_t*)0x10000003 = 0;
*(uint8_t*)0x10000004 = 0;
*(uint8_t*)0x10000005 = 0;
*(uint8_t*)0x10000006 = -1;
*(uint8_t*)0x10000007 = -1;
*(uint8_t*)0x10000008 = -1;
*(uint8_t*)0x10000009 = -1;
*(uint8_t*)0x1000000a = -1;
*(uint8_t*)0x1000000b = -1;
*(uint16_t*)0x1000000c = htobe16(0x88a8);
STORE_BY_BITMASK(uint16_t, , 0x1000000e, 7, 0, 3);
STORE_BY_BITMASK(uint16_t, , 0x1000000e, 1, 3, 1);
STORE_BY_BITMASK(uint16_t, , 0x1000000e, 0, 4, 12);
*(uint16_t*)0x10000010 = htobe16(0x8100);
STORE_BY_BITMASK(uint16_t, , 0x10000012, 2, 0, 3);
STORE_BY_BITMASK(uint16_t, , 0x10000012, 0, 3, 1);
STORE_BY_BITMASK(uint16_t, , 0x10000012, 4, 4, 12);
*(uint16_t*)0x10000014 = htobe16(0x806);
*(uint16_t*)0x10000016 = htobe16(1);
*(uint16_t*)0x10000018 = htobe16(0x800);
*(uint8_t*)0x1000001a = 6;
*(uint8_t*)0x1000001b = 4;
*(uint16_t*)0x1000001c = htobe16(4);
*(uint8_t*)0x1000001e = 0xaa;
*(uint8_t*)0x1000001f = 0xaa;
*(uint8_t*)0x10000020 = 0xaa;
*(uint8_t*)0x10000021 = 0xaa;
*(uint8_t*)0x10000022 = 0xaa;
*(uint8_t*)0x10000023 = 0xaa;
*(uint32_t*)0x10000024 = htobe32(0xe0000001);
*(uint8_t*)0x10000028 = 0xaa;
*(uint8_t*)0x10000029 = 0xaa;
*(uint8_t*)0x1000002a = 0xaa;
*(uint8_t*)0x1000002b = 0xaa;
*(uint8_t*)0x1000002c = 0xaa;
*(uint8_t*)0x1000002d = 0xbb;
*(uint32_t*)0x1000002e = htobe32(0x81);
break;
case 11:
memcpy((void*)0x10000040, "\xc4\xe1\x35\xd1\x31\x28\xcb\x67\x67\xf3\xa5\x3e\xf2\x2e\x82\x8f\x00\x00\x00\x00\x00\xc4\xc2\xd5\x90\x84\xc8\x1e\x91\x00\x00\x0f\x0e\x0f\xa2\xc4\xe1\x6c\x5d\xc9\x64\x66\x16\xc4\xc2\x7d\x78\x84\xad\x56\xc2\xd5\x56", 53);
syz_execute_func(0x10000040);
break;
case 12:
break;
}
}
int main(void)
{
syscall(SYS_mmap, 0x10000000, 0x1000000, 7, 0x1012, -1, 0);
for (procid = 0; procid < 2; procid++) {
if (fork() == 0) {
use_temporary_dir();
do_sandbox_none();
}
}
sleep(1000000);
return 0;
}
<stdin>:344:11: error: use of undeclared identifier 'SYS_freebsd12_closefrom'
syscall(SYS_freebsd12_closefrom, (intptr_t)r[2]);
^
1 error generated.
compiler invocation: clang [-o /tmp/syz-executor721884413 -DGOOS_freebsd=1 -DGOARCH_386=1 -DHOSTGOOS_freebsd=1 -x c - -m32 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -static -lc++ -Wno-overflow]
--- FAIL: TestGenerate/freebsd/386/14 (0.96s)
csource_test.go:108: opts: {Threaded:true Collide:false Repeat:true RepeatTimes:0 Procs:0 Slowdown:1 Sandbox:none Fault:false FaultCall:0 FaultNth:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false USB:false VhciInjection:false Wifi:false Sysctl:false UseTmpDir:true HandleSegv:false Repro:false Trace:true}
program:
r0 = kqueue()
r1 = dup2(0xffffffffffffffff, r0)
freebsd11_fstat(r1, &(0x7f0000000000))
r2 = socket$inet_udp(0x2, 0x2, 0x0)
flock(r2, 0x8)
extattr_delete_fd(r2, 0x1, &(0x7f0000000080)='/$\\\xbb}/%\x00')
freebsd12_closefrom(r2)
getsockopt$inet_mreqsrc(r2, 0x0, 0x46, &(0x7f00000000c0)={@empty, @local, @multicast1}, &(0x7f0000000100)=0xc)
ioctl$DIOCRGETASTATS(r1, 0xc4504447, &(0x7f0000000240)={{"a1740ea9d3dde8c7f900973c9f7b4d36d59465aeefb6c31e1a1a93c666ba8b20a55e6aff30d06ef3b2e7d1e2f30d84af84130cd2e27c4f2ee2154517f289b262e070daabfe225447b9f8c4acb69f59336d096ade1d70f6d69098c451493a1fa41090f53baf2d0c5f7a10c83d29398d9dbe527304a42db05b7a3226d432d34ae0a091b58e26261254c970d80dc96f04943b864c8748843567bab2ba79db4f588d203e016149e21e413f3f416901083f9286aaa727a49d72c769829e8024354fc324a99067a7b7da16f7644d96dc3c57c10e1a751a99acfaf14508c6dcc54ef43f74363f4f6f417c33dd2749f6f10d3c704a5876a135f227cca90af85ef182256ed221c38e0c50677a802d6002f50e481167eccb1758b77bdde2a3d2465f147ab979875cb125b067cd37043d0513bcbdc5e79b208f7c2d6383e2284a58a5db5e955c71fe9cb3d122c0c7e7c47353f29b8e49065f973fdb9dae899acd12e59a4fff41fe3978415a5a6d5a55f590111195ba73cfb332f80ecf85c3ff957183cecd2bf069904dc8daf35f54e8847fec3e0f928b06a5355b3c1989283ddea2e77bfc50af6365dc505a6538d4ec5cff65090ff09b12f800ebce602ab635607a88ba3eeb916ce6031fc26c0fa7272200a9980d707796b6c917a79206d2c4c09ea418fca9db36f6ac0daf5902352c7de03af42c3d1ff5079455ace7b7120a004db7138300acf97e39fe51ccb6ce64386500a2f95b617fbc352a25f120b4a7c7cf1d28ea6c4b1b371553e9223051ef978d879df74e5975121fc80060b82392bd626293980cdcc501d542384573a83f3a1a06aee53a60a292aa1ab1147cbab6ef8d6af2173d0258b0327528a396af20d66c8d33d02493a7ad292f04787588ee1b5c4a9c313b18decfe3036601816c95e1887f077d523ffd3b73c91708d67499ff77089ea0f00365b2a358af83d381ecea944241af6a591941834c4630f6d0993da63a85ae2081904ea82ef82eda3a7e7389b31558fc3e05708a30cf1de742cefc54d4f379ae012c24ddef2afb5c77abd18a0da9ac383028bd3e31431613b5f0a5583093824c7b2056517773ed26f653740156f7a50aaa532123d6701835396ce55d9b50661e05f1e664ed043ce985023ea40b74e9f986c136d0c24eda683818cb5ddc7cdd6c8599c4816044343de06d88af6f9e03e365536636c76a05ef7da19d2b9d2b1cb85b23319efa812c95a91ab8e49bb3037f29ce6f08eaf005853a8267368108ec4aacf059d2da96d1af79c5f32f19086118d6396d4b1167eae4aab7ed8764dd9dd9c43d9aee44ecd8d0be380d536aa32de9f662fdf27ff65e0c6d4fffcf2f9140f168939283dda7b48b4cc6294fb7d03f21ef35c346b6fd7ef2dad0f0f65781404966cf523865242e71cfc74de893e38504b4a762801909b3239a554eb9060af95c", "0d99967cebff11ef0b6140841d5e74214120d79da45b56cdfcbc94e237769157", 0xffffffff, 0x4}, &(0x7f0000000140)="b4bcbbfe0b7f0b0eae45a1e2bd081ec52f7c6e44801b510f94b5f8065209b9fc618c2d192d48fc4647e0bb40c2f39eb0dce48c65889321d353b6079ece97867d3718595bc4eca1e13d71e9d50c861f4f9b60e4c2f10d205774d210efd3795646c0be0f22d33a4ff542362855c3b1153eded80eb08456da9224e5d2f3354918fd7c56e7b4a059689286adc6784581e02f42a695721a228c0d2d44bc8d03ffb6d49816bdc187551d3c79672374ebe80b58ffbe18c6adb87fea88bc586ffed5d47f47a2431c506efba20bcf3e558733d3896a674abb2f9ddc351084e990fa", 0xfffffffffffffff9, 0x3, 0x6, 0x4, 0x1679, 0x4, 0x9, 0x6})
setsockopt$inet_sctp_SCTP_AUTO_ASCONF(0xffffffffffffffff, 0x84, 0x18, &(0x7f0000000700)=0x5, 0x4)
syz_emit_ethernet(0x32, &(0x7f0000000000)={@empty, @broadcast, [{[{0x88a8, 0x7, 0x1}], {0x8100, 0x2, 0x0, 0x4}}], {@arp={0x806, @ether_ipv4={0x1, 0x800, 0x6, 0x4, 0x4, @local, @multicast1, @remote, @rand_addr=0x81}}}})
syz_execute_func(&(0x7f0000000040)="c4e135d13128cb6767f3a53ef22e828f0000000000c4c2d59084c81e9100000f0e0fa2c4e16c5dc9646616c4c27d7884ad56c2d556")
syz_extract_tcp_res(&(0x7f0000000080), 0x40, 0x7)
csource_test.go:109: failed to build program:
// autogenerated by syzkaller (https://github.com/google/syzkaller)
#define _GNU_SOURCE
#include <sys/types.h>
#include <dirent.h>
#include <errno.h>
#include <pthread.h>
#include <pwd.h>
#include <signal.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/endian.h>
#include <sys/resource.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>
static void kill_and_wait(int pid, int* status)
{
kill(pid, SIGKILL);
while (waitpid(-1, status, 0) != pid) {
}
}
static void sleep_ms(uint64_t ms)
{
usleep(ms * 1000);
}
static uint64_t current_time_ms(void)
{
struct timespec ts;
if (clock_gettime(CLOCK_MONOTONIC, &ts))
exit(1);
return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}
static void use_temporary_dir(void)
{
char tmpdir_template[] = "./syzkaller.XXXXXX";
char* tmpdir = mkdtemp(tmpdir_template);
if (!tmpdir)
exit(1);
if (chmod(tmpdir, 0777))
exit(1);
if (chdir(tmpdir))
exit(1);
}
static void __attribute__((noinline)) remove_dir(const char* dir)
{
DIR* dp = opendir(dir);
if (dp == NULL) {
if (errno == EACCES) {
if (rmdir(dir))
exit(1);
return;
}
exit(1);
}
struct dirent* ep = 0;
while ((ep = readdir(dp))) {
if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0)
continue;
char filename[FILENAME_MAX];
snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name);
struct stat st;
if (lstat(filename, &st))
exit(1);
if (S_ISDIR(st.st_mode)) {
remove_dir(filename);
continue;
}
if (unlink(filename))
exit(1);
}
closedir(dp);
if (rmdir(dir))
exit(1);
}
static void thread_start(void* (*fn)(void*), void* arg)
{
pthread_t th;
pthread_attr_t attr;
pthread_attr_init(&attr);
pthread_attr_setstacksize(&attr, 128 << 10);
int i = 0;
for (; i < 100; i++) {
if (pthread_create(&th, &attr, fn, arg) == 0) {
pthread_attr_destroy(&attr);
return;
}
if (errno == EAGAIN) {
usleep(50);
continue;
}
break;
}
exit(1);
}
typedef struct {
pthread_mutex_t mu;
pthread_cond_t cv;
int state;
} event_t;
static void event_init(event_t* ev)
{
if (pthread_mutex_init(&ev->mu, 0))
exit(1);
if (pthread_cond_init(&ev->cv, 0))
exit(1);
ev->state = 0;
}
static void event_reset(event_t* ev)
{
ev->state = 0;
}
static void event_set(event_t* ev)
{
pthread_mutex_lock(&ev->mu);
if (ev->state)
exit(1);
ev->state = 1;
pthread_mutex_unlock(&ev->mu);
pthread_cond_broadcast(&ev->cv);
}
static void event_wait(event_t* ev)
{
pthread_mutex_lock(&ev->mu);
while (!ev->state)
pthread_cond_wait(&ev->cv, &ev->mu);
pthread_mutex_unlock(&ev->mu);
}
static int event_isset(event_t* ev)
{
pthread_mutex_lock(&ev->mu);
int res = ev->state;
pthread_mutex_unlock(&ev->mu);
return res;
}
static int event_timedwait(event_t* ev, uint64_t timeout)
{
uint64_t start = current_time_ms();
uint64_t now = start;
pthread_mutex_lock(&ev->mu);
for (;;) {
if (ev->state)
break;
uint64_t remain = timeout - (now - start);
struct timespec ts;
ts.tv_sec = remain / 1000;
ts.tv_nsec = (remain % 1000) * 1000 * 1000;
pthread_cond_timedwait(&ev->cv, &ev->mu, &ts);
now = current_time_ms();
if (now - start > timeout)
break;
}
int res = ev->state;
pthread_mutex_unlock(&ev->mu);
return res;
}
#define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off))
#define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len))))
static void sandbox_common()
{
struct rlimit rlim;
rlim.rlim_cur = rlim.rlim_max = 128 << 20;
setrlimit(RLIMIT_AS, &rlim);
rlim.rlim_cur = rlim.rlim_max = 8 << 20;
setrlimit(RLIMIT_MEMLOCK, &rlim);
rlim.rlim_cur = rlim.rlim_max = 1 << 20;
setrlimit(RLIMIT_FSIZE, &rlim);
rlim.rlim_cur = rlim.rlim_max = 1 << 20;
setrlimit(RLIMIT_STACK, &rlim);
rlim.rlim_cur = rlim.rlim_max = 0;
setrlimit(RLIMIT_CORE, &rlim);
rlim.rlim_cur = rlim.rlim_max = 256;
setrlimit(RLIMIT_NOFILE, &rlim);
}
static void loop();
static int do_sandbox_none(void)
{
sandbox_common();
loop();
return 0;
}
static long syz_execute_func(volatile long text)
{
((void (*)(void))(text))();
return 0;
}
struct thread_t {
int created, call;
event_t ready, done;
};
static struct thread_t threads[16];
static void execute_call(int call);
static int running;
static void* thr(void* arg)
{
struct thread_t* th = (struct thread_t*)arg;
for (;;) {
event_wait(&th->ready);
event_reset(&th->ready);
execute_call(th->call);
__atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED);
event_set(&th->done);
}
return 0;
}
static void execute_one(void)
{
fprintf(stderr, "### start\n");
int i, call, thread;
for (call = 0; call < 13; call++) {
for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) {
struct thread_t* th = &threads[thread];
if (!th->created) {
th->created = 1;
event_init(&th->ready);
event_init(&th->done);
event_set(&th->done);
thread_start(thr, th);
}
if (!event_isset(&th->done))
continue;
event_reset(&th->done);
th->call = call;
__atomic_fetch_add(&running, 1, __ATOMIC_RELAXED);
event_set(&th->ready);
event_timedwait(&th->done, 50);
break;
}
}
for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++)
sleep_ms(1);
}
static void execute_one(void);
#define WAIT_FLAGS 0
static void loop(void)
{
int iter = 0;
for (;; iter++) {
char cwdbuf[32];
sprintf(cwdbuf, "./%d", iter);
if (mkdir(cwdbuf, 0777))
exit(1);
int pid = fork();
if (pid < 0)
exit(1);
if (pid == 0) {
if (chdir(cwdbuf))
exit(1);
execute_one();
exit(0);
}
int status = 0;
uint64_t start = current_time_ms();
for (;;) {
if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
break;
sleep_ms(1);
if (current_time_ms() - start < 5000) {
continue;
}
kill_and_wait(pid, &status);
break;
}
remove_dir(cwdbuf);
}
}
uint64_t r[3] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff};
void execute_call(int call)
{
intptr_t res = 0;
switch (call) {
case 0:
res = syscall(SYS_kqueue);
fprintf(stderr, "### call=0 errno=%u\n", res == -1 ? errno : 0);
if (res != -1)
r[0] = res;
break;
case 1:
res = syscall(SYS_dup2, -1, (intptr_t)r[0]);
fprintf(stderr, "### call=1 errno=%u\n", res == -1 ? errno : 0);
if (res != -1)
r[1] = res;
break;
case 2:
res = syscall(SYS_freebsd11_fstat, (intptr_t)r[1], 0x10000000);
fprintf(stderr, "### call=2 errno=%u\n", res == -1 ? errno : 0);
break;
case 3:
res = syscall(SYS_socket, 2, 2, 0);
fprintf(stderr, "### call=3 errno=%u\n", res == -1 ? errno : 0);
if (res != -1)
r[2] = res;
break;
case 4:
res = syscall(SYS_flock, (intptr_t)r[2], 8);
fprintf(stderr, "### call=4 errno=%u\n", res == -1 ? errno : 0);
break;
case 5:
memcpy((void*)0x10000080, "/$\\\273}/%\000", 8);
res = syscall(SYS_extattr_delete_fd, (intptr_t)r[2], 1, 0x10000080);
fprintf(stderr, "### call=5 errno=%u\n", res == -1 ? errno : 0);
break;
case 6:
res = syscall(SYS_freebsd12_closefrom, (intptr_t)r[2]);
fprintf(stderr, "### call=6 errno=%u\n", res == -1 ? errno : 0);
break;
case 7:
*(uint32_t*)0x10000100 = 0xc;
res = syscall(SYS_getsockopt, (intptr_t)r[2], 0, 0x46, 0x100000c0, 0x10000100);
fprintf(stderr, "### call=7 errno=%u\n", res == -1 ? errno : 0);
break;
case 8:
memcpy((void*)0x10000240, "\xa1\x74\x0e\xa9\xd3\xdd\xe8\xc7\xf9\x00\x97\x3c\x9f\x7b\x4d\x36\xd5\x94\x65\xae\xef\xb6\xc3\x1e\x1a\x1a\x93\xc6\x66\xba\x8b\x20\xa5\x5e\x6a\xff\x30\xd0\x6e\xf3\xb2\xe7\xd1\xe2\xf3\x0d\x84\xaf\x84\x13\x0c\xd2\xe2\x7c\x4f\x2e\xe2\x15\x45\x17\xf2\x89\xb2\x62\xe0\x70\xda\xab\xfe\x22\x54\x47\xb9\xf8\xc4\xac\xb6\x9f\x59\x33\x6d\x09\x6a\xde\x1d\x70\xf6\xd6\x90\x98\xc4\x51\x49\x3a\x1f\xa4\x10\x90\xf5\x3b\xaf\x2d\x0c\x5f\x7a\x10\xc8\x3d\x29\x39\x8d\x9d\xbe\x52\x73\x04\xa4\x2d\xb0\x5b\x7a\x32\x26\xd4\x32\xd3\x4a\xe0\xa0\x91\xb5\x8e\x26\x26\x12\x54\xc9\x70\xd8\x0d\xc9\x6f\x04\x94\x3b\x86\x4c\x87\x48\x84\x35\x67\xba\xb2\xba\x79\xdb\x4f\x58\x8d\x20\x3e\x01\x61\x49\xe2\x1e\x41\x3f\x3f\x41\x69\x01\x08\x3f\x92\x86\xaa\xa7\x27\xa4\x9d\x72\xc7\x69\x82\x9e\x80\x24\x35\x4f\xc3\x24\xa9\x90\x67\xa7\xb7\xda\x16\xf7\x64\x4d\x96\xdc\x3c\x57\xc1\x0e\x1a\x75\x1a\x99\xac\xfa\xf1\x45\x08\xc6\xdc\xc5\x4e\xf4\x3f\x74\x36\x3f\x4f\x6f\x41\x7c\x33\xdd\x27\x49\xf6\xf1\x0d\x3c\x70\x4a\x58\x76\xa1\x35\xf2\x27\xcc\xa9\x0a\xf8\x5e\xf1\x82\x25\x6e\xd2\x21\xc3\x8e\x0c\x50\x67\x7a\x80\x2d\x60\x02\xf5\x0e\x48\x11\x67\xec\xcb\x17\x58\xb7\x7b\xdd\xe2\xa3\xd2\x46\x5f\x14\x7a\xb9\x79\x87\x5c\xb1\x25\xb0\x67\xcd\x37\x04\x3d\x05\x13\xbc\xbd\xc5\xe7\x9b\x20\x8f\x7c\x2d\x63\x83\xe2\x28\x4a\x58\xa5\xdb\x5e\x95\x5c\x71\xfe\x9c\xb3\xd1\x22\xc0\xc7\xe7\xc4\x73\x53\xf2\x9b\x8e\x49\x06\x5f\x97\x3f\xdb\x9d\xae\x89\x9a\xcd\x12\xe5\x9a\x4f\xff\x41\xfe\x39\x78\x41\x5a\x5a\x6d\x5a\x55\xf5\x90\x11\x11\x95\xba\x73\xcf\xb3\x32\xf8\x0e\xcf\x85\xc3\xff\x95\x71\x83\xce\xcd\x2b\xf0\x69\x90\x4d\xc8\xda\xf3\x5f\x54\xe8\x84\x7f\xec\x3e\x0f\x92\x8b\x06\xa5\x35\x5b\x3c\x19\x89\x28\x3d\xde\xa2\xe7\x7b\xfc\x50\xaf\x63\x65\xdc\x50\x5a\x65\x38\xd4\xec\x5c\xff\x65\x09\x0f\xf0\x9b\x12\xf8\x00\xeb\xce\x60\x2a\xb6\x35\x60\x7a\x88\xba\x3e\xeb\x91\x6c\xe6\x03\x1f\xc2\x6c\x0f\xa7\x27\x22\x00\xa9\x98\x0d\x70\x77\x96\xb6\xc9\x17\xa7\x92\x06\xd2\xc4\xc0\x9e\xa4\x18\xfc\xa9\xdb\x36\xf6\xac\x0d\xaf\x59\x02\x35\x2c\x7d\xe0\x3a\xf4\x2c\x3d\x1f\xf5\x07\x94\x55\xac\xe7\xb7\x12\x0a\x00\x4d\xb7\x13\x83\x00\xac\xf9\x7e\x39\xfe\x51\xcc\xb6\xce\x64\x38\x65\x00\xa2\xf9\x5b\x61\x7f\xbc\x35\x2a\x25\xf1\x20\xb4\xa7\xc7\xcf\x1d\x28\xea\x6c\x4b\x1b\x37\x15\x53\xe9\x22\x30\x51\xef\x97\x8d\x87\x9d\xf7\x4e\x59\x75\x12\x1f\xc8\x00\x60\xb8\x23\x92\xbd\x62\x62\x93\x98\x0c\xdc\xc5\x01\xd5\x42\x38\x45\x73\xa8\x3f\x3a\x1a\x06\xae\xe5\x3a\x60\xa2\x92\xaa\x1a\xb1\x14\x7c\xba\xb6\xef\x8d\x6a\xf2\x17\x3d\x02\x58\xb0\x32\x75\x28\xa3\x96\xaf\x20\xd6\x6c\x8d\x33\xd0\x24\x93\xa7\xad\x29\x2f\x04\x78\x75\x88\xee\x1b\x5c\x4a\x9c\x31\x3b\x18\xde\xcf\xe3\x03\x66\x01\x81\x6c\x95\xe1\x88\x7f\x07\x7d\x52\x3f\xfd\x3b\x73\xc9\x17\x08\xd6\x74\x99\xff\x77\x08\x9e\xa0\xf0\x03\x65\xb2\xa3\x58\xaf\x83\xd3\x81\xec\xea\x94\x42\x41\xaf\x6a\x59\x19\x41\x83\x4c\x46\x30\xf6\xd0\x99\x3d\xa6\x3a\x85\xae\x20\x81\x90\x4e\xa8\x2e\xf8\x2e\xda\x3a\x7e\x73\x89\xb3\x15\x58\xfc\x3e\x05\x70\x8a\x30\xcf\x1d\xe7\x42\xce\xfc\x54\xd4\xf3\x79\xae\x01\x2c\x24\xdd\xef\x2a\xfb\x5c\x77\xab\xd1\x8a\x0d\xa9\xac\x38\x30\x28\xbd\x3e\x31\x43\x16\x13\xb5\xf0\xa5\x58\x30\x93\x82\x4c\x7b\x20\x56\x51\x77\x73\xed\x26\xf6\x53\x74\x01\x56\xf7\xa5\x0a\xaa\x53\x21\x23\xd6\x70\x18\x35\x39\x6c\xe5\x5d\x9b\x50\x66\x1e\x05\xf1\xe6\x64\xed\x04\x3c\xe9\x85\x02\x3e\xa4\x0b\x74\xe9\xf9\x86\xc1\x36\xd0\xc2\x4e\xda\x68\x38\x18\xcb\x5d\xdc\x7c\xdd\x6c\x85\x99\xc4\x81\x60\x44\x34\x3d\xe0\x6d\x88\xaf\x6f\x9e\x03\xe3\x65\x53\x66\x36\xc7\x6a\x05\xef\x7d\xa1\x9d\x2b\x9d\x2b\x1c\xb8\x5b\x23\x31\x9e\xfa\x81\x2c\x95\xa9\x1a\xb8\xe4\x9b\xb3\x03\x7f\x29\xce\x6f\x08\xea\xf0\x05\x85\x3a\x82\x67\x36\x81\x08\xec\x4a\xac\xf0\x59\xd2\xda\x96\xd1\xaf\x79\xc5\xf3\x2f\x19\x08\x61\x18\xd6\x39\x6d\x4b\x11\x67\xea\xe4\xaa\xb7\xed\x87\x64\xdd\x9d\xd9\xc4\x3d\x9a\xee\x44\xec\xd8\xd0\xbe\x38\x0d\x53\x6a\xa3\x2d\xe9\xf6\x62\xfd\xf2\x7f\xf6\x5e\x0c\x6d\x4f\xff\xcf\x2f\x91\x40\xf1\x68\x93\x92\x83\xdd\xa7\xb4\x8b\x4c\xc6\x29\x4f\xb7\xd0\x3f\x21\xef\x35\xc3\x46\xb6\xfd\x7e\xf2\xda\xd0\xf0\xf6\x57\x81\x40\x49\x66\xcf\x52\x38\x65\x24\x2e\x71\xcf\xc7\x4d\xe8\x93\xe3\x85\x04\xb4\xa7\x62\x80\x19\x09\xb3\x23\x9a\x55\x4e\xb9\x06\x0a\xf9\x5c", 1024);
memcpy((void*)0x10000640, "\x0d\x99\x96\x7c\xeb\xff\x11\xef\x0b\x61\x40\x84\x1d\x5e\x74\x21\x41\x20\xd7\x9d\xa4\x5b\x56\xcd\xfc\xbc\x94\xe2\x37\x76\x91\x57", 32);
*(uint32_t*)0x10000660 = -1;
*(uint8_t*)0x10000664 = 4;
*(uint32_t*)0x10000668 = 0x10000140;
memcpy((void*)0x10000140, "\xb4\xbc\xbb\xfe\x0b\x7f\x0b\x0e\xae\x45\xa1\xe2\xbd\x08\x1e\xc5\x2f\x7c\x6e\x44\x80\x1b\x51\x0f\x94\xb5\xf8\x06\x52\x09\xb9\xfc\x61\x8c\x2d\x19\x2d\x48\xfc\x46\x47\xe0\xbb\x40\xc2\xf3\x9e\xb0\xdc\xe4\x8c\x65\x88\x93\x21\xd3\x53\xb6\x07\x9e\xce\x97\x86\x7d\x37\x18\x59\x5b\xc4\xec\xa1\xe1\x3d\x71\xe9\xd5\x0c\x86\x1f\x4f\x9b\x60\xe4\xc2\xf1\x0d\x20\x57\x74\xd2\x10\xef\xd3\x79\x56\x46\xc0\xbe\x0f\x22\xd3\x3a\x4f\xf5\x42\x36\x28\x55\xc3\xb1\x15\x3e\xde\xd8\x0e\xb0\x84\x56\xda\x92\x24\xe5\xd2\xf3\x35\x49\x18\xfd\x7c\x56\xe7\xb4\xa0\x59\x68\x92\x86\xad\xc6\x78\x45\x81\xe0\x2f\x42\xa6\x95\x72\x1a\x22\x8c\x0d\x2d\x44\xbc\x8d\x03\xff\xb6\xd4\x98\x16\xbd\xc1\x87\x55\x1d\x3c\x79\x67\x23\x74\xeb\xe8\x0b\x58\xff\xbe\x18\xc6\xad\xb8\x7f\xea\x88\xbc\x58\x6f\xfe\xd5\xd4\x7f\x47\xa2\x43\x1c\x50\x6e\xfb\xa2\x0b\xcf\x3e\x55\x87\x33\xd3\x89\x6a\x67\x4a\xbb\x2f\x9d\xdc\x35\x10\x84\xe9\x90\xfa", 221);
*(uint64_t*)0x1000066c = 0xfffffffffffffff9;
*(uint64_t*)0x10000674 = 3;
*(uint64_t*)0x1000067c = 6;
*(uint64_t*)0x10000684 = 4;
*(uint64_t*)0x1000068c = 0x1679;
*(uint64_t*)0x10000694 = 4;
*(uint64_t*)0x1000069c = 9;
*(uint32_t*)0x100006a4 = 6;
res = syscall(SYS_ioctl, (intptr_t)r[1], 0xc4504447, 0x10000240);
fprintf(stderr, "### call=8 errno=%u\n", res == -1 ? errno : 0);
break;
case 9:
*(uint32_t*)0x10000700 = 5;
res = syscall(SYS_setsockopt, -1, 0x84, 0x18, 0x10000700, 4);
fprintf(stderr, "### call=9 errno=%u\n", res == -1 ? errno : 0);
break;
case 10:
*(uint8_t*)0x10000000 = 0;
*(uint8_t*)0x10000001 = 0;
*(uint8_t*)0x10000002 = 0;
*(uint8_t*)0x10000003 = 0;
*(uint8_t*)0x10000004 = 0;
*(uint8_t*)0x10000005 = 0;
*(uint8_t*)0x10000006 = -1;
*(uint8_t*)0x10000007 = -1;
*(uint8_t*)0x10000008 = -1;
*(uint8_t*)0x10000009 = -1;
*(uint8_t*)0x1000000a = -1;
*(uint8_t*)0x1000000b = -1;
*(uint16_t*)0x1000000c = htobe16(0x88a8);
STORE_BY_BITMASK(uint16_t, , 0x1000000e, 7, 0, 3);
STORE_BY_BITMASK(uint16_t, , 0x1000000e, 1, 3, 1);
STORE_BY_BITMASK(uint16_t, , 0x1000000e, 0, 4, 12);
*(uint16_t*)0x10000010 = htobe16(0x8100);
STORE_BY_BITMASK(uint16_t, , 0x10000012, 2, 0, 3);
STORE_BY_BITMASK(uint16_t, , 0x10000012, 0, 3, 1);
STORE_BY_BITMASK(uint16_t, , 0x10000012, 4, 4, 12);
*(uint16_t*)0x10000014 = htobe16(0x806);
*(uint16_t*)0x10000016 = htobe16(1);
*(uint16_t*)0x10000018 = htobe16(0x800);
*(uint8_t*)0x1000001a = 6;
*(uint8_t*)0x1000001b = 4;
*(uint16_t*)0x1000001c = htobe16(4);
*(uint8_t*)0x1000001e = 0xaa;
*(uint8_t*)0x1000001f = 0xaa;
*(uint8_t*)0x10000020 = 0xaa;
*(uint8_t*)0x10000021 = 0xaa;
*(uint8_t*)0x10000022 = 0xaa;
*(uint8_t*)0x10000023 = 0xaa;
*(uint32_t*)0x10000024 = htobe32(0xe0000001);
*(uint8_t*)0x10000028 = 0xaa;
*(uint8_t*)0x10000029 = 0xaa;
*(uint8_t*)0x1000002a = 0xaa;
*(uint8_t*)0x1000002b = 0xaa;
*(uint8_t*)0x1000002c = 0xaa;
*(uint8_t*)0x1000002d = 0xbb;
*(uint32_t*)0x1000002e = htobe32(0x81);
(void)res;
break;
case 11:
memcpy((void*)0x10000040, "\xc4\xe1\x35\xd1\x31\x28\xcb\x67\x67\xf3\xa5\x3e\xf2\x2e\x82\x8f\x00\x00\x00\x00\x00\xc4\xc2\xd5\x90\x84\xc8\x1e\x91\x00\x00\x0f\x0e\x0f\xa2\xc4\xe1\x6c\x5d\xc9\x64\x66\x16\xc4\xc2\x7d\x78\x84\xad\x56\xc2\xd5\x56", 53);
res = -1;
errno = EFAULT;
res = syz_execute_func(0x10000040);
fprintf(stderr, "### call=11 errno=%u\n", res == -1 ? errno : 0);
break;
case 12:
(void)res;
break;
}
}
int main(void)
{
syscall(SYS_mmap, 0x10000000, 0x1000000, 7, 0x1012, -1, 0);
use_temporary_dir();
do_sandbox_none();
return 0;
}
<stdin>:339:17: error: use of undeclared identifier 'SYS_freebsd12_closefrom'
res = syscall(SYS_freebsd12_closefrom, (intptr_t)r[2]);
^
1 error generated.
compiler invocation: clang [-o /tmp/syz-executor171310647 -DGOOS_freebsd=1 -DGOARCH_386=1 -DHOSTGOOS_freebsd=1 -x c - -m32 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -static -lc++ -Wno-overflow]
--- FAIL: TestGenerate/freebsd/386/3 (0.90s)
csource_test.go:108: opts: {Threaded:true Collide:false Repeat:false RepeatTimes:0 Procs:0 Slowdown:1 Sandbox:none Fault:false FaultCall:0 FaultNth:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false USB:false VhciInjection:false Wifi:false Sysctl:false UseTmpDir:true HandleSegv:false Repro:false Trace:false}
program:
r0 = kqueue()
r1 = dup2(0xffffffffffffffff, r0)
freebsd11_fstat(r1, &(0x7f0000000000))
r2 = socket$inet_udp(0x2, 0x2, 0x0)
flock(r2, 0x8)
extattr_delete_fd(r2, 0x1, &(0x7f0000000080)='/$\\\xbb}/%\x00')
freebsd12_closefrom(r2)
getsockopt$inet_mreqsrc(r2, 0x0, 0x46, &(0x7f00000000c0)={@empty, @local, @multicast1}, &(0x7f0000000100)=0xc)
ioctl$DIOCRGETASTATS(r1, 0xc4504447, &(0x7f0000000240)={{"a1740ea9d3dde8c7f900973c9f7b4d36d59465aeefb6c31e1a1a93c666ba8b20a55e6aff30d06ef3b2e7d1e2f30d84af84130cd2e27c4f2ee2154517f289b262e070daabfe225447b9f8c4acb69f59336d096ade1d70f6d69098c451493a1fa41090f53baf2d0c5f7a10c83d29398d9dbe527304a42db05b7a3226d432d34ae0a091b58e26261254c970d80dc96f04943b864c8748843567bab2ba79db4f588d203e016149e21e413f3f416901083f9286aaa727a49d72c769829e8024354fc324a99067a7b7da16f7644d96dc3c57c10e1a751a99acfaf14508c6dcc54ef43f74363f4f6f417c33dd2749f6f10d3c704a5876a135f227cca90af85ef182256ed221c38e0c50677a802d6002f50e481167eccb1758b77bdde2a3d2465f147ab979875cb125b067cd37043d0513bcbdc5e79b208f7c2d6383e2284a58a5db5e955c71fe9cb3d122c0c7e7c47353f29b8e49065f973fdb9dae899acd12e59a4fff41fe3978415a5a6d5a55f590111195ba73cfb332f80ecf85c3ff957183cecd2bf069904dc8daf35f54e8847fec3e0f928b06a5355b3c1989283ddea2e77bfc50af6365dc505a6538d4ec5cff65090ff09b12f800ebce602ab635607a88ba3eeb916ce6031fc26c0fa7272200a9980d707796b6c917a79206d2c4c09ea418fca9db36f6ac0daf5902352c7de03af42c3d1ff5079455ace7b7120a004db7138300acf97e39fe51ccb6ce64386500a2f95b617fbc352a25f120b4a7c7cf1d28ea6c4b1b371553e9223051ef978d879df74e5975121fc80060b82392bd626293980cdcc501d542384573a83f3a1a06aee53a60a292aa1ab1147cbab6ef8d6af2173d0258b0327528a396af20d66c8d33d02493a7ad292f04787588ee1b5c4a9c313b18decfe3036601816c95e1887f077d523ffd3b73c91708d67499ff77089ea0f00365b2a358af83d381ecea944241af6a591941834c4630f6d0993da63a85ae2081904ea82ef82eda3a7e7389b31558fc3e05708a30cf1de742cefc54d4f379ae012c24ddef2afb5c77abd18a0da9ac383028bd3e31431613b5f0a5583093824c7b2056517773ed26f653740156f7a50aaa532123d6701835396ce55d9b50661e05f1e664ed043ce985023ea40b74e9f986c136d0c24eda683818cb5ddc7cdd6c8599c4816044343de06d88af6f9e03e365536636c76a05ef7da19d2b9d2b1cb85b23319efa812c95a91ab8e49bb3037f29ce6f08eaf005853a8267368108ec4aacf059d2da96d1af79c5f32f19086118d6396d4b1167eae4aab7ed8764dd9dd9c43d9aee44ecd8d0be380d536aa32de9f662fdf27ff65e0c6d4fffcf2f9140f168939283dda7b48b4cc6294fb7d03f21ef35c346b6fd7ef2dad0f0f65781404966cf523865242e71cfc74de893e38504b4a762801909b3239a554eb9060af95c", "0d99967cebff11ef0b6140841d5e74214120d79da45b56cdfcbc94e237769157", 0xffffffff, 0x4}, &(0x7f0000000140)="b4bcbbfe0b7f0b0eae45a1e2bd081ec52f7c6e44801b510f94b5f8065209b9fc618c2d192d48fc4647e0bb40c2f39eb0dce48c65889321d353b6079ece97867d3718595bc4eca1e13d71e9d50c861f4f9b60e4c2f10d205774d210efd3795646c0be0f22d33a4ff542362855c3b1153eded80eb08456da9224e5d2f3354918fd7c56e7b4a059689286adc6784581e02f42a695721a228c0d2d44bc8d03ffb6d49816bdc187551d3c79672374ebe80b58ffbe18c6adb87fea88bc586ffed5d47f47a2431c506efba20bcf3e558733d3896a674abb2f9ddc351084e990fa", 0xfffffffffffffff9, 0x3, 0x6, 0x4, 0x1679, 0x4, 0x9, 0x6})
setsockopt$inet_sctp_SCTP_AUTO_ASCONF(0xffffffffffffffff, 0x84, 0x18, &(0x7f0000000700)=0x5, 0x4)
syz_emit_ethernet(0x32, &(0x7f0000000000)={@empty, @broadcast, [{[{0x88a8, 0x7, 0x1}], {0x8100, 0x2, 0x0, 0x4}}], {@arp={0x806, @ether_ipv4={0x1, 0x800, 0x6, 0x4, 0x4, @local, @multicast1, @remote, @rand_addr=0x81}}}})
syz_execute_func(&(0x7f0000000040)="c4e135d13128cb6767f3a53ef22e828f0000000000c4c2d59084c81e9100000f0e0fa2c4e16c5dc9646616c4c27d7884ad56c2d556")
syz_extract_tcp_res(&(0x7f0000000080), 0x40, 0x7)
csource_test.go:109: failed to build program:
// autogenerated by syzkaller (https://github.com/google/syzkaller)
#define _GNU_SOURCE
#include <errno.h>
#include <pthread.h>
#include <pwd.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/endian.h>
#include <sys/resource.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <time.h>
#include <unistd.h>
static void sleep_ms(uint64_t ms)
{
usleep(ms * 1000);
}
static uint64_t current_time_ms(void)
{
struct timespec ts;
if (clock_gettime(CLOCK_MONOTONIC, &ts))
exit(1);
return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}
static void use_temporary_dir(void)
{
char tmpdir_template[] = "./syzkaller.XXXXXX";
char* tmpdir = mkdtemp(tmpdir_template);
if (!tmpdir)
exit(1);
if (chmod(tmpdir, 0777))
exit(1);
if (chdir(tmpdir))
exit(1);
}
static void thread_start(void* (*fn)(void*), void* arg)
{
pthread_t th;
pthread_attr_t attr;
pthread_attr_init(&attr);
pthread_attr_setstacksize(&attr, 128 << 10);
int i = 0;
for (; i < 100; i++) {
if (pthread_create(&th, &attr, fn, arg) == 0) {
pthread_attr_destroy(&attr);
return;
}
if (errno == EAGAIN) {
usleep(50);
continue;
}
break;
}
exit(1);
}
typedef struct {
pthread_mutex_t mu;
pthread_cond_t cv;
int state;
} event_t;
static void event_init(event_t* ev)
{
if (pthread_mutex_init(&ev->mu, 0))
exit(1);
if (pthread_cond_init(&ev->cv, 0))
exit(1);
ev->state = 0;
}
static void event_reset(event_t* ev)
{
ev->state = 0;
}
static void event_set(event_t* ev)
{
pthread_mutex_lock(&ev->mu);
if (ev->state)
exit(1);
ev->state = 1;
pthread_mutex_unlock(&ev->mu);
pthread_cond_broadcast(&ev->cv);
}
static void event_wait(event_t* ev)
{
pthread_mutex_lock(&ev->mu);
while (!ev->state)
pthread_cond_wait(&ev->cv, &ev->mu);
pthread_mutex_unlock(&ev->mu);
}
static int event_isset(event_t* ev)
{
pthread_mutex_lock(&ev->mu);
int res = ev->state;
pthread_mutex_unlock(&ev->mu);
return res;
}
static int event_timedwait(event_t* ev, uint64_t timeout)
{
uint64_t start = current_time_ms();
uint64_t now = start;
pthread_mutex_lock(&ev->mu);
for (;;) {
if (ev->state)
break;
uint64_t remain = timeout - (now - start);
struct timespec ts;
ts.tv_sec = remain / 1000;
ts.tv_nsec = (remain % 1000) * 1000 * 1000;
pthread_cond_timedwait(&ev->cv, &ev->mu, &ts);
now = current_time_ms();
if (now - start > timeout)
break;
}
int res = ev->state;
pthread_mutex_unlock(&ev->mu);
return res;
}
#define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off))
#define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len))))
static void sandbox_common()
{
struct rlimit rlim;
rlim.rlim_cur = rlim.rlim_max = 128 << 20;
setrlimit(RLIMIT_AS, &rlim);
rlim.rlim_cur = rlim.rlim_max = 8 << 20;
setrlimit(RLIMIT_MEMLOCK, &rlim);
rlim.rlim_cur = rlim.rlim_max = 1 << 20;
setrlimit(RLIMIT_FSIZE, &rlim);
rlim.rlim_cur = rlim.rlim_max = 1 << 20;
setrlimit(RLIMIT_STACK, &rlim);
rlim.rlim_cur = rlim.rlim_max = 0;
setrlimit(RLIMIT_CORE, &rlim);
rlim.rlim_cur = rlim.rlim_max = 256;
setrlimit(RLIMIT_NOFILE, &rlim);
}
static void loop();
static int do_sandbox_none(void)
{
sandbox_common();
loop();
return 0;
}
static long syz_execute_func(volatile long text)
{
((void (*)(void))(text))();
return 0;
}
struct thread_t {
int created, call;
event_t ready, done;
};
static struct thread_t threads[16];
static void execute_call(int call);
static int running;
static void* thr(void* arg)
{
struct thread_t* th = (struct thread_t*)arg;
for (;;) {
event_wait(&th->ready);
event_reset(&th->ready);
execute_call(th->call);
__atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED);
event_set(&th->done);
}
return 0;
}
static void loop(void)
{
int i, call, thread;
for (call = 0; call < 13; call++) {
for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) {
struct thread_t* th = &threads[thread];
if (!th->created) {
th->created = 1;
event_init(&th->ready);
event_init(&th->done);
event_set(&th->done);
thread_start(thr, th);
}
if (!event_isset(&th->done))
continue;
event_reset(&th->done);
th->call = call;
__atomic_fetch_add(&running, 1, __ATOMIC_RELAXED);
event_set(&th->ready);
event_timedwait(&th->done, 50);
break;
}
}
for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++)
sleep_ms(1);
}
uint64_t r[3] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff};
void execute_call(int call)
{
intptr_t res = 0;
switch (call) {
case 0:
res = syscall(SYS_kqueue);
if (res != -1)
r[0] = res;
break;
case 1:
res = syscall(SYS_dup2, -1, (intptr_t)r[0]);
if (res != -1)
r[1] = res;
break;
case 2:
syscall(SYS_freebsd11_fstat, (intptr_t)r[1], 0x10000000);
break;
case 3:
res = syscall(SYS_socket, 2, 2, 0);
if (res != -1)
r[2] = res;
break;
case 4:
syscall(SYS_flock, (intptr_t)r[2], 8);
break;
case 5:
memcpy((void*)0x10000080, "/$\\\273}/%\000", 8);
syscall(SYS_extattr_delete_fd, (intptr_t)r[2], 1, 0x10000080);
break;
case 6:
syscall(SYS_freebsd12_closefrom, (intptr_t)r[2]);
break;
case 7:
*(uint32_t*)0x10000100 = 0xc;
syscall(SYS_getsockopt, (intptr_t)r[2], 0, 0x46, 0x100000c0, 0x10000100);
break;
case 8:
memcpy((void*)0x10000240, "\xa1\x74\x0e\xa9\xd3\xdd\xe8\xc7\xf9\x00\x97\x3c\x9f\x7b\x4d\x36\xd5\x94\x65\xae\xef\xb6\xc3\x1e\x1a\x1a\x93\xc6\x66\xba\x8b\x20\xa5\x5e\x6a\xff\x30\xd0\x6e\xf3\xb2\xe7\xd1\xe2\xf3\x0d\x84\xaf\x84\x13\x0c\xd2\xe2\x7c\x4f\x2e\xe2\x15\x45\x17\xf2\x89\xb2\x62\xe0\x70\xda\xab\xfe\x22\x54\x47\xb9\xf8\xc4\xac\xb6\x9f\x59\x33\x6d\x09\x6a\xde\x1d\x70\xf6\xd6\x90\x98\xc4\x51\x49\x3a\x1f\xa4\x10\x90\xf5\x3b\xaf\x2d\x0c\x5f\x7a\x10\xc8\x3d\x29\x39\x8d\x9d\xbe\x52\x73\x04\xa4\x2d\xb0\x5b\x7a\x32\x26\xd4\x32\xd3\x4a\xe0\xa0\x91\xb5\x8e\x26\x26\x12\x54\xc9\x70\xd8\x0d\xc9\x6f\x04\x94\x3b\x86\x4c\x87\x48\x84\x35\x67\xba\xb2\xba\x79\xdb\x4f\x58\x8d\x20\x3e\x01\x61\x49\xe2\x1e\x41\x3f\x3f\x41\x69\x01\x08\x3f\x92\x86\xaa\xa7\x27\xa4\x9d\x72\xc7\x69\x82\x9e\x80\x24\x35\x4f\xc3\x24\xa9\x90\x67\xa7\xb7\xda\x16\xf7\x64\x4d\x96\xdc\x3c\x57\xc1\x0e\x1a\x75\x1a\x99\xac\xfa\xf1\x45\x08\xc6\xdc\xc5\x4e\xf4\x3f\x74\x36\x3f\x4f\x6f\x41\x7c\x33\xdd\x27\x49\xf6\xf1\x0d\x3c\x70\x4a\x58\x76\xa1\x35\xf2\x27\xcc\xa9\x0a\xf8\x5e\xf1\x82\x25\x6e\xd2\x21\xc3\x8e\x0c\x50\x67\x7a\x80\x2d\x60\x02\xf5\x0e\x48\x11\x67\xec\xcb\x17\x58\xb7\x7b\xdd\xe2\xa3\xd2\x46\x5f\x14\x7a\xb9\x79\x87\x5c\xb1\x25\xb0\x67\xcd\x37\x04\x3d\x05\x13\xbc\xbd\xc5\xe7\x9b\x20\x8f\x7c\x2d\x63\x83\xe2\x28\x4a\x58\xa5\xdb\x5e\x95\x5c\x71\xfe\x9c\xb3\xd1\x22\xc0\xc7\xe7\xc4\x73\x53\xf2\x9b\x8e\x49\x06\x5f\x97\x3f\xdb\x9d\xae\x89\x9a\xcd\x12\xe5\x9a\x4f\xff\x41\xfe\x39\x78\x41\x5a\x5a\x6d\x5a\x55\xf5\x90\x11\x11\x95\xba\x73\xcf\xb3\x32\xf8\x0e\xcf\x85\xc3\xff\x95\x71\x83\xce\xcd\x2b\xf0\x69\x90\x4d\xc8\xda\xf3\x5f\x54\xe8\x84\x7f\xec\x3e\x0f\x92\x8b\x06\xa5\x35\x5b\x3c\x19\x89\x28\x3d\xde\xa2\xe7\x7b\xfc\x50\xaf\x63\x65\xdc\x50\x5a\x65\x38\xd4\xec\x5c\xff\x65\x09\x0f\xf0\x9b\x12\xf8\x00\xeb\xce\x60\x2a\xb6\x35\x60\x7a\x88\xba\x3e\xeb\x91\x6c\xe6\x03\x1f\xc2\x6c\x0f\xa7\x27\x22\x00\xa9\x98\x0d\x70\x77\x96\xb6\xc9\x17\xa7\x92\x06\xd2\xc4\xc0\x9e\xa4\x18\xfc\xa9\xdb\x36\xf6\xac\x0d\xaf\x59\x02\x35\x2c\x7d\xe0\x3a\xf4\x2c\x3d\x1f\xf5\x07\x94\x55\xac\xe7\xb7\x12\x0a\x00\x4d\xb7\x13\x83\x00\xac\xf9\x7e\x39\xfe\x51\xcc\xb6\xce\x64\x38\x65\x00\xa2\xf9\x5b\x61\x7f\xbc\x35\x2a\x25\xf1\x20\xb4\xa7\xc7\xcf\x1d\x28\xea\x6c\x4b\x1b\x37\x15\x53\xe9\x22\x30\x51\xef\x97\x8d\x87\x9d\xf7\x4e\x59\x75\x12\x1f\xc8\x00\x60\xb8\x23\x92\xbd\x62\x62\x93\x98\x0c\xdc\xc5\x01\xd5\x42\x38\x45\x73\xa8\x3f\x3a\x1a\x06\xae\xe5\x3a\x60\xa2\x92\xaa\x1a\xb1\x14\x7c\xba\xb6\xef\x8d\x6a\xf2\x17\x3d\x02\x58\xb0\x32\x75\x28\xa3\x96\xaf\x20\xd6\x6c\x8d\x33\xd0\x24\x93\xa7\xad\x29\x2f\x04\x78\x75\x88\xee\x1b\x5c\x4a\x9c\x31\x3b\x18\xde\xcf\xe3\x03\x66\x01\x81\x6c\x95\xe1\x88\x7f\x07\x7d\x52\x3f\xfd\x3b\x73\xc9\x17\x08\xd6\x74\x99\xff\x77\x08\x9e\xa0\xf0\x03\x65\xb2\xa3\x58\xaf\x83\xd3\x81\xec\xea\x94\x42\x41\xaf\x6a\x59\x19\x41\x83\x4c\x46\x30\xf6\xd0\x99\x3d\xa6\x3a\x85\xae\x20\x81\x90\x4e\xa8\x2e\xf8\x2e\xda\x3a\x7e\x73\x89\xb3\x15\x58\xfc\x3e\x05\x70\x8a\x30\xcf\x1d\xe7\x42\xce\xfc\x54\xd4\xf3\x79\xae\x01\x2c\x24\xdd\xef\x2a\xfb\x5c\x77\xab\xd1\x8a\x0d\xa9\xac\x38\x30\x28\xbd\x3e\x31\x43\x16\x13\xb5\xf0\xa5\x58\x30\x93\x82\x4c\x7b\x20\x56\x51\x77\x73\xed\x26\xf6\x53\x74\x01\x56\xf7\xa5\x0a\xaa\x53\x21\x23\xd6\x70\x18\x35\x39\x6c\xe5\x5d\x9b\x50\x66\x1e\x05\xf1\xe6\x64\xed\x04\x3c\xe9\x85\x02\x3e\xa4\x0b\x74\xe9\xf9\x86\xc1\x36\xd0\xc2\x4e\xda\x68\x38\x18\xcb\x5d\xdc\x7c\xdd\x6c\x85\x99\xc4\x81\x60\x44\x34\x3d\xe0\x6d\x88\xaf\x6f\x9e\x03\xe3\x65\x53\x66\x36\xc7\x6a\x05\xef\x7d\xa1\x9d\x2b\x9d\x2b\x1c\xb8\x5b\x23\x31\x9e\xfa\x81\x2c\x95\xa9\x1a\xb8\xe4\x9b\xb3\x03\x7f\x29\xce\x6f\x08\xea\xf0\x05\x85\x3a\x82\x67\x36\x81\x08\xec\x4a\xac\xf0\x59\xd2\xda\x96\xd1\xaf\x79\xc5\xf3\x2f\x19\x08\x61\x18\xd6\x39\x6d\x4b\x11\x67\xea\xe4\xaa\xb7\xed\x87\x64\xdd\x9d\xd9\xc4\x3d\x9a\xee\x44\xec\xd8\xd0\xbe\x38\x0d\x53\x6a\xa3\x2d\xe9\xf6\x62\xfd\xf2\x7f\xf6\x5e\x0c\x6d\x4f\xff\xcf\x2f\x91\x40\xf1\x68\x93\x92\x83\xdd\xa7\xb4\x8b\x4c\xc6\x29\x4f\xb7\xd0\x3f\x21\xef\x35\xc3\x46\xb6\xfd\x7e\xf2\xda\xd0\xf0\xf6\x57\x81\x40\x49\x66\xcf\x52\x38\x65\x24\x2e\x71\xcf\xc7\x4d\xe8\x93\xe3\x85\x04\xb4\xa7\x62\x80\x19\x09\xb3\x23\x9a\x55\x4e\xb9\x06\x0a\xf9\x5c", 1024);
memcpy((void*)0x10000640, "\x0d\x99\x96\x7c\xeb\xff\x11\xef\x0b\x61\x40\x84\x1d\x5e\x74\x21\x41\x20\xd7\x9d\xa4\x5b\x56\xcd\xfc\xbc\x94\xe2\x37\x76\x91\x57", 32);
*(uint32_t*)0x10000660 = -1;
*(uint8_t*)0x10000664 = 4;
*(uint32_t*)0x10000668 = 0x10000140;
memcpy((void*)0x10000140, "\xb4\xbc\xbb\xfe\x0b\x7f\x0b\x0e\xae\x45\xa1\xe2\xbd\x08\x1e\xc5\x2f\x7c\x6e\x44\x80\x1b\x51\x0f\x94\xb5\xf8\x06\x52\x09\xb9\xfc\x61\x8c\x2d\x19\x2d\x48\xfc\x46\x47\xe0\xbb\x40\xc2\xf3\x9e\xb0\xdc\xe4\x8c\x65\x88\x93\x21\xd3\x53\xb6\x07\x9e\xce\x97\x86\x7d\x37\x18\x59\x5b\xc4\xec\xa1\xe1\x3d\x71\xe9\xd5\x0c\x86\x1f\x4f\x9b\x60\xe4\xc2\xf1\x0d\x20\x57\x74\xd2\x10\xef\xd3\x79\x56\x46\xc0\xbe\x0f\x22\xd3\x3a\x4f\xf5\x42\x36\x28\x55\xc3\xb1\x15\x3e\xde\xd8\x0e\xb0\x84\x56\xda\x92\x24\xe5\xd2\xf3\x35\x49\x18\xfd\x7c\x56\xe7\xb4\xa0\x59\x68\x92\x86\xad\xc6\x78\x45\x81\xe0\x2f\x42\xa6\x95\x72\x1a\x22\x8c\x0d\x2d\x44\xbc\x8d\x03\xff\xb6\xd4\x98\x16\xbd\xc1\x87\x55\x1d\x3c\x79\x67\x23\x74\xeb\xe8\x0b\x58\xff\xbe\x18\xc6\xad\xb8\x7f\xea\x88\xbc\x58\x6f\xfe\xd5\xd4\x7f\x47\xa2\x43\x1c\x50\x6e\xfb\xa2\x0b\xcf\x3e\x55\x87\x33\xd3\x89\x6a\x67\x4a\xbb\x2f\x9d\xdc\x35\x10\x84\xe9\x90\xfa", 221);
*(uint64_t*)0x1000066c = 0xfffffffffffffff9;
*(uint64_t*)0x10000674 = 3;
*(uint64_t*)0x1000067c = 6;
*(uint64_t*)0x10000684 = 4;
*(uint64_t*)0x1000068c = 0x1679;
*(uint64_t*)0x10000694 = 4;
*(uint64_t*)0x1000069c = 9;
*(uint32_t*)0x100006a4 = 6;
syscall(SYS_ioctl, (intptr_t)r[1], 0xc4504447, 0x10000240);
break;
case 9:
*(uint32_t*)0x10000700 = 5;
syscall(SYS_setsockopt, -1, 0x84, 0x18, 0x10000700, 4);
break;
case 10:
*(uint8_t*)0x10000000 = 0;
*(uint8_t*)0x10000001 = 0;
*(uint8_t*)0x10000002 = 0;
*(uint8_t*)0x10000003 = 0;
*(uint8_t*)0x10000004 = 0;
*(uint8_t*)0x10000005 = 0;
*(uint8_t*)0x10000006 = -1;
*(uint8_t*)0x10000007 = -1;
*(uint8_t*)0x10000008 = -1;
*(uint8_t*)0x10000009 = -1;
*(uint8_t*)0x1000000a = -1;
*(uint8_t*)0x1000000b = -1;
*(uint16_t*)0x1000000c = htobe16(0x88a8);
STORE_BY_BITMASK(uint16_t, , 0x1000000e, 7, 0, 3);
STORE_BY_BITMASK(uint16_t, , 0x1000000e, 1, 3, 1);
STORE_BY_BITMASK(uint16_t, , 0x1000000e, 0, 4, 12);
*(uint16_t*)0x10000010 = htobe16(0x8100);
STORE_BY_BITMASK(uint16_t, , 0x10000012, 2, 0, 3);
STORE_BY_BITMASK(uint16_t, , 0x10000012, 0, 3, 1);
STORE_BY_BITMASK(uint16_t, , 0x10000012, 4, 4, 12);
*(uint16_t*)0x10000014 = htobe16(0x806);
*(uint16_t*)0x10000016 = htobe16(1);
*(uint16_t*)0x10000018 = htobe16(0x800);
*(uint8_t*)0x1000001a = 6;
*(uint8_t*)0x1000001b = 4;
*(uint16_t*)0x1000001c = htobe16(4);
*(uint8_t*)0x1000001e = 0xaa;
*(uint8_t*)0x1000001f = 0xaa;
*(uint8_t*)0x10000020 = 0xaa;
*(uint8_t*)0x10000021 = 0xaa;
*(uint8_t*)0x10000022 = 0xaa;
*(uint8_t*)0x10000023 = 0xaa;
*(uint32_t*)0x10000024 = htobe32(0xe0000001);
*(uint8_t*)0x10000028 = 0xaa;
*(uint8_t*)0x10000029 = 0xaa;
*(uint8_t*)0x1000002a = 0xaa;
*(uint8_t*)0x1000002b = 0xaa;
*(uint8_t*)0x1000002c = 0xaa;
*(uint8_t*)0x1000002d = 0xbb;
*(uint32_t*)0x1000002e = htobe32(0x81);
break;
case 11:
memcpy((void*)0x10000040, "\xc4\xe1\x35\xd1\x31\x28\xcb\x67\x67\xf3\xa5\x3e\xf2\x2e\x82\x8f\x00\x00\x00\x00\x00\xc4\xc2\xd5\x90\x84\xc8\x1e\x91\x00\x00\x0f\x0e\x0f\xa2\xc4\xe1\x6c\x5d\xc9\x64\x66\x16\xc4\xc2\x7d\x78\x84\xad\x56\xc2\xd5\x56", 53);
syz_execute_func(0x10000040);
break;
case 12:
break;
}
}
int main(void)
{
syscall(SYS_mmap, 0x10000000, 0x1000000, 7, 0x1012, -1, 0);
use_temporary_dir();
do_sandbox_none();
return 0;
}
<stdin>:251:11: error: use of undeclared identifier 'SYS_freebsd12_closefrom'
syscall(SYS_freebsd12_closefrom, (intptr_t)r[2]);
^
1 error generated.
compiler invocation: clang [-o /tmp/syz-executor399885866 -DGOOS_freebsd=1 -DGOARCH_386=1 -DHOSTGOOS_freebsd=1 -x c - -m32 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -static -lc++ -Wno-overflow]
--- FAIL: TestGenerate/freebsd/386/13 (0.94s)
csource_test.go:108: opts: {Threaded:true Collide:false Repeat:true RepeatTimes:0 Procs:0 Slowdown:1 Sandbox:none Fault:false FaultCall:0 FaultNth:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false USB:false VhciInjection:false Wifi:false Sysctl:false UseTmpDir:true HandleSegv:false Repro:true Trace:false}
program:
r0 = kqueue()
r1 = dup2(0xffffffffffffffff, r0)
freebsd11_fstat(r1, &(0x7f0000000000))
r2 = socket$inet_udp(0x2, 0x2, 0x0)
flock(r2, 0x8)
extattr_delete_fd(r2, 0x1, &(0x7f0000000080)='/$\\\xbb}/%\x00')
freebsd12_closefrom(r2)
getsockopt$inet_mreqsrc(r2, 0x0, 0x46, &(0x7f00000000c0)={@empty, @local, @multicast1}, &(0x7f0000000100)=0xc)
ioctl$DIOCRGETASTATS(r1, 0xc4504447, &(0x7f0000000240)={{"a1740ea9d3dde8c7f900973c9f7b4d36d59465aeefb6c31e1a1a93c666ba8b20a55e6aff30d06ef3b2e7d1e2f30d84af84130cd2e27c4f2ee2154517f289b262e070daabfe225447b9f8c4acb69f59336d096ade1d70f6d69098c451493a1fa41090f53baf2d0c5f7a10c83d29398d9dbe527304a42db05b7a3226d432d34ae0a091b58e26261254c970d80dc96f04943b864c8748843567bab2ba79db4f588d203e016149e21e413f3f416901083f9286aaa727a49d72c769829e8024354fc324a99067a7b7da16f7644d96dc3c57c10e1a751a99acfaf14508c6dcc54ef43f74363f4f6f417c33dd2749f6f10d3c704a5876a135f227cca90af85ef182256ed221c38e0c50677a802d6002f50e481167eccb1758b77bdde2a3d2465f147ab979875cb125b067cd37043d0513bcbdc5e79b208f7c2d6383e2284a58a5db5e955c71fe9cb3d122c0c7e7c47353f29b8e49065f973fdb9dae899acd12e59a4fff41fe3978415a5a6d5a55f590111195ba73cfb332f80ecf85c3ff957183cecd2bf069904dc8daf35f54e8847fec3e0f928b06a5355b3c1989283ddea2e77bfc50af6365dc505a6538d4ec5cff65090ff09b12f800ebce602ab635607a88ba3eeb916ce6031fc26c0fa7272200a9980d707796b6c917a79206d2c4c09ea418fca9db36f6ac0daf5902352c7de03af42c3d1ff5079455ace7b7120a004db7138300acf97e39fe51ccb6ce64386500a2f95b617fbc352a25f120b4a7c7cf1d28ea6c4b1b371553e9223051ef978d879df74e5975121fc80060b82392bd626293980cdcc501d542384573a83f3a1a06aee53a60a292aa1ab1147cbab6ef8d6af2173d0258b0327528a396af20d66c8d33d02493a7ad292f04787588ee1b5c4a9c313b18decfe3036601816c95e1887f077d523ffd3b73c91708d67499ff77089ea0f00365b2a358af83d381ecea944241af6a591941834c4630f6d0993da63a85ae2081904ea82ef82eda3a7e7389b31558fc3e05708a30cf1de742cefc54d4f379ae012c24ddef2afb5c77abd18a0da9ac383028bd3e31431613b5f0a5583093824c7b2056517773ed26f653740156f7a50aaa532123d6701835396ce55d9b50661e05f1e664ed043ce985023ea40b74e9f986c136d0c24eda683818cb5ddc7cdd6c8599c4816044343de06d88af6f9e03e365536636c76a05ef7da19d2b9d2b1cb85b23319efa812c95a91ab8e49bb3037f29ce6f08eaf005853a8267368108ec4aacf059d2da96d1af79c5f32f19086118d6396d4b1167eae4aab7ed8764dd9dd9c43d9aee44ecd8d0be380d536aa32de9f662fdf27ff65e0c6d4fffcf2f9140f168939283dda7b48b4cc6294fb7d03f21ef35c346b6fd7ef2dad0f0f65781404966cf523865242e71cfc74de893e38504b4a762801909b3239a554eb9060af95c", "0d99967cebff11ef0b6140841d5e74214120d79da45b56cdfcbc94e237769157", 0xffffffff, 0x4}, &(0x7f0000000140)="b4bcbbfe0b7f0b0eae45a1e2bd081ec52f7c6e44801b510f94b5f8065209b9fc618c2d192d48fc4647e0bb40c2f39eb0dce48c65889321d353b6079ece97867d3718595bc4eca1e13d71e9d50c861f4f9b60e4c2f10d205774d210efd3795646c0be0f22d33a4ff542362855c3b1153eded80eb08456da9224e5d2f3354918fd7c56e7b4a059689286adc6784581e02f42a695721a228c0d2d44bc8d03ffb6d49816bdc187551d3c79672374ebe80b58ffbe18c6adb87fea88bc586ffed5d47f47a2431c506efba20bcf3e558733d3896a674abb2f9ddc351084e990fa", 0xfffffffffffffff9, 0x3, 0x6, 0x4, 0x1679, 0x4, 0x9, 0x6})
setsockopt$inet_sctp_SCTP_AUTO_ASCONF(0xffffffffffffffff, 0x84, 0x18, &(0x7f0000000700)=0x5, 0x4)
syz_emit_ethernet(0x32, &(0x7f0000000000)={@empty, @broadcast, [{[{0x88a8, 0x7, 0x1}], {0x8100, 0x2, 0x0, 0x4}}], {@arp={0x806, @ether_ipv4={0x1, 0x800, 0x6, 0x4, 0x4, @local, @multicast1, @remote, @rand_addr=0x81}}}})
syz_execute_func(&(0x7f0000000040)="c4e135d13128cb6767f3a53ef22e828f0000000000c4c2d59084c81e9100000f0e0fa2c4e16c5dc9646616c4c27d7884ad56c2d556")
syz_extract_tcp_res(&(0x7f0000000080), 0x40, 0x7)
csource_test.go:109: failed to build program:
// autogenerated by syzkaller (https://github.com/google/syzkaller)
#define _GNU_SOURCE
#include <sys/types.h>
#include <dirent.h>
#include <errno.h>
#include <pthread.h>
#include <pwd.h>
#include <signal.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/endian.h>
#include <sys/resource.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>
static void kill_and_wait(int pid, int* status)
{
kill(pid, SIGKILL);
while (waitpid(-1, status, 0) != pid) {
}
}
static void sleep_ms(uint64_t ms)
{
usleep(ms * 1000);
}
static uint64_t current_time_ms(void)
{
struct timespec ts;
if (clock_gettime(CLOCK_MONOTONIC, &ts))
exit(1);
return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}
static void use_temporary_dir(void)
{
char tmpdir_template[] = "./syzkaller.XXXXXX";
char* tmpdir = mkdtemp(tmpdir_template);
if (!tmpdir)
exit(1);
if (chmod(tmpdir, 0777))
exit(1);
if (chdir(tmpdir))
exit(1);
}
static void __attribute__((noinline)) remove_dir(const char* dir)
{
DIR* dp = opendir(dir);
if (dp == NULL) {
if (errno == EACCES) {
if (rmdir(dir))
exit(1);
return;
}
exit(1);
}
struct dirent* ep = 0;
while ((ep = readdir(dp))) {
if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0)
continue;
char filename[FILENAME_MAX];
snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name);
struct stat st;
if (lstat(filename, &st))
exit(1);
if (S_ISDIR(st.st_mode)) {
remove_dir(filename);
continue;
}
if (unlink(filename))
exit(1);
}
closedir(dp);
if (rmdir(dir))
exit(1);
}
static void thread_start(void* (*fn)(void*), void* arg)
{
pthread_t th;
pthread_attr_t attr;
pthread_attr_init(&attr);
pthread_attr_setstacksize(&attr, 128 << 10);
int i = 0;
for (; i < 100; i++) {
if (pthread_create(&th, &attr, fn, arg) == 0) {
pthread_attr_destroy(&attr);
return;
}
if (errno == EAGAIN) {
usleep(50);
continue;
}
break;
}
exit(1);
}
typedef struct {
pthread_mutex_t mu;
pthread_cond_t cv;
int state;
} event_t;
static void event_init(event_t* ev)
{
if (pthread_mutex_init(&ev->mu, 0))
exit(1);
if (pthread_cond_init(&ev->cv, 0))
exit(1);
ev->state = 0;
}
static void event_reset(event_t* ev)
{
ev->state = 0;
}
static void event_set(event_t* ev)
{
pthread_mutex_lock(&ev->mu);
if (ev->state)
exit(1);
ev->state = 1;
pthread_mutex_unlock(&ev->mu);
pthread_cond_broadcast(&ev->cv);
}
static void event_wait(event_t* ev)
{
pthread_mutex_lock(&ev->mu);
while (!ev->state)
pthread_cond_wait(&ev->cv, &ev->mu);
pthread_mutex_unlock(&ev->mu);
}
static int event_isset(event_t* ev)
{
pthread_mutex_lock(&ev->mu);
int res = ev->state;
pthread_mutex_unlock(&ev->mu);
return res;
}
static int event_timedwait(event_t* ev, uint64_t timeout)
{
uint64_t start = current_time_ms();
uint64_t now = start;
pthread_mutex_lock(&ev->mu);
for (;;) {
if (ev->state)
break;
uint64_t remain = timeout - (now - start);
struct timespec ts;
ts.tv_sec = remain / 1000;
ts.tv_nsec = (remain % 1000) * 1000 * 1000;
pthread_cond_timedwait(&ev->cv, &ev->mu, &ts);
now = current_time_ms();
if (now - start > timeout)
break;
}
int res = ev->state;
pthread_mutex_unlock(&ev->mu);
return res;
}
#define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off))
#define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len))))
static void sandbox_common()
{
struct rlimit rlim;
rlim.rlim_cur = rlim.rlim_max = 128 << 20;
setrlimit(RLIMIT_AS, &rlim);
rlim.rlim_cur = rlim.rlim_max = 8 << 20;
setrlimit(RLIMIT_MEMLOCK, &rlim);
rlim.rlim_cur = rlim.rlim_max = 1 << 20;
setrlimit(RLIMIT_FSIZE, &rlim);
rlim.rlim_cur = rlim.rlim_max = 1 << 20;
setrlimit(RLIMIT_STACK, &rlim);
rlim.rlim_cur = rlim.rlim_max = 0;
setrlimit(RLIMIT_CORE, &rlim);
rlim.rlim_cur = rlim.rlim_max = 256;
setrlimit(RLIMIT_NOFILE, &rlim);
}
static void loop();
static int do_sandbox_none(void)
{
sandbox_common();
loop();
return 0;
}
static long syz_execute_func(volatile long text)
{
((void (*)(void))(text))();
return 0;
}
struct thread_t {
int created, call;
event_t ready, done;
};
static struct thread_t threads[16];
static void execute_call(int call);
static int running;
static void* thr(void* arg)
{
struct thread_t* th = (struct thread_t*)arg;
for (;;) {
event_wait(&th->ready);
event_reset(&th->ready);
execute_call(th->call);
__atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED);
event_set(&th->done);
}
return 0;
}
static void execute_one(void)
{
if (write(1, "executing program\n", sizeof("executing program\n") - 1)) {
}
int i, call, thread;
for (call = 0; call < 13; call++) {
for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) {
struct thread_t* th = &threads[thread];
if (!th->created) {
th->created = 1;
event_init(&th->ready);
event_init(&th->done);
event_set(&th->done);
thread_start(thr, th);
}
if (!event_isset(&th->done))
continue;
event_reset(&th->done);
th->call = call;
__atomic_fetch_add(&running, 1, __ATOMIC_RELAXED);
event_set(&th->ready);
event_timedwait(&th->done, 50);
break;
}
}
for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++)
sleep_ms(1);
}
static void execute_one(void);
#define WAIT_FLAGS 0
static void loop(void)
{
int iter = 0;
for (;; iter++) {
char cwdbuf[32];
sprintf(cwdbuf, "./%d", iter);
if (mkdir(cwdbuf, 0777))
exit(1);
int pid = fork();
if (pid < 0)
exit(1);
if (pid == 0) {
if (chdir(cwdbuf))
exit(1);
execute_one();
exit(0);
}
int status = 0;
uint64_t start = current_time_ms();
for (;;) {
if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
break;
sleep_ms(1);
if (current_time_ms() - start < 5000) {
continue;
}
kill_and_wait(pid, &status);
break;
}
remove_dir(cwdbuf);
}
}
uint64_t r[3] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff};
void execute_call(int call)
{
intptr_t res = 0;
switch (call) {
case 0:
res = syscall(SYS_kqueue);
if (res != -1)
r[0] = res;
break;
case 1:
res = syscall(SYS_dup2, -1, (intptr_t)r[0]);
if (res != -1)
r[1] = res;
break;
case 2:
syscall(SYS_freebsd11_fstat, (intptr_t)r[1], 0x10000000);
break;
case 3:
res = syscall(SYS_socket, 2, 2, 0);
if (res != -1)
r[2] = res;
break;
case 4:
syscall(SYS_flock, (intptr_t)r[2], 8);
break;
case 5:
memcpy((void*)0x10000080, "/$\\\273}/%\000", 8);
syscall(SYS_extattr_delete_fd, (intptr_t)r[2], 1, 0x10000080);
break;
case 6:
syscall(SYS_freebsd12_closefrom, (intptr_t)r[2]);
break;
case 7:
*(uint32_t*)0x10000100 = 0xc;
syscall(SYS_getsockopt, (intptr_t)r[2], 0, 0x46, 0x100000c0, 0x10000100);
break;
case 8:
memcpy((void*)0x10000240, "\xa1\x74\x0e\xa9\xd3\xdd\xe8\xc7\xf9\x00\x97\x3c\x9f\x7b\x4d\x36\xd5\x94\x65\xae\xef\xb6\xc3\x1e\x1a\x1a\x93\xc6\x66\xba\x8b\x20\xa5\x5e\x6a\xff\x30\xd0\x6e\xf3\xb2\xe7\xd1\xe2\xf3\x0d\x84\xaf\x84\x13\x0c\xd2\xe2\x7c\x4f\x2e\xe2\x15\x45\x17\xf2\x89\xb2\x62\xe0\x70\xda\xab\xfe\x22\x54\x47\xb9\xf8\xc4\xac\xb6\x9f\x59\x33\x6d\x09\x6a\xde\x1d\x70\xf6\xd6\x90\x98\xc4\x51\x49\x3a\x1f\xa4\x10\x90\xf5\x3b\xaf\x2d\x0c\x5f\x7a\x10\xc8\x3d\x29\x39\x8d\x9d\xbe\x52\x73\x04\xa4\x2d\xb0\x5b\x7a\x32\x26\xd4\x32\xd3\x4a\xe0\xa0\x91\xb5\x8e\x26\x26\x12\x54\xc9\x70\xd8\x0d\xc9\x6f\x04\x94\x3b\x86\x4c\x87\x48\x84\x35\x67\xba\xb2\xba\x79\xdb\x4f\x58\x8d\x20\x3e\x01\x61\x49\xe2\x1e\x41\x3f\x3f\x41\x69\x01\x08\x3f\x92\x86\xaa\xa7\x27\xa4\x9d\x72\xc7\x69\x82\x9e\x80\x24\x35\x4f\xc3\x24\xa9\x90\x67\xa7\xb7\xda\x16\xf7\x64\x4d\x96\xdc\x3c\x57\xc1\x0e\x1a\x75\x1a\x99\xac\xfa\xf1\x45\x08\xc6\xdc\xc5\x4e\xf4\x3f\x74\x36\x3f\x4f\x6f\x41\x7c\x33\xdd\x27\x49\xf6\xf1\x0d\x3c\x70\x4a\x58\x76\xa1\x35\xf2\x27\xcc\xa9\x0a\xf8\x5e\xf1\x82\x25\x6e\xd2\x21\xc3\x8e\x0c\x50\x67\x7a\x80\x2d\x60\x02\xf5\x0e\x48\x11\x67\xec\xcb\x17\x58\xb7\x7b\xdd\xe2\xa3\xd2\x46\x5f\x14\x7a\xb9\x79\x87\x5c\xb1\x25\xb0\x67\xcd\x37\x04\x3d\x05\x13\xbc\xbd\xc5\xe7\x9b\x20\x8f\x7c\x2d\x63\x83\xe2\x28\x4a\x58\xa5\xdb\x5e\x95\x5c\x71\xfe\x9c\xb3\xd1\x22\xc0\xc7\xe7\xc4\x73\x53\xf2\x9b\x8e\x49\x06\x5f\x97\x3f\xdb\x9d\xae\x89\x9a\xcd\x12\xe5\x9a\x4f\xff\x41\xfe\x39\x78\x41\x5a\x5a\x6d\x5a\x55\xf5\x90\x11\x11\x95\xba\x73\xcf\xb3\x32\xf8\x0e\xcf\x85\xc3\xff\x95\x71\x83\xce\xcd\x2b\xf0\x69\x90\x4d\xc8\xda\xf3\x5f\x54\xe8\x84\x7f\xec\x3e\x0f\x92\x8b\x06\xa5\x35\x5b\x3c\x19\x89\x28\x3d\xde\xa2\xe7\x7b\xfc\x50\xaf\x63\x65\xdc\x50\x5a\x65\x38\xd4\xec\x5c\xff\x65\x09\x0f\xf0\x9b\x12\xf8\x00\xeb\xce\x60\x2a\xb6\x35\x60\x7a\x88\xba\x3e\xeb\x91\x6c\xe6\x03\x1f\xc2\x6c\x0f\xa7\x27\x22\x00\xa9\x98\x0d\x70\x77\x96\xb6\xc9\x17\xa7\x92\x06\xd2\xc4\xc0\x9e\xa4\x18\xfc\xa9\xdb\x36\xf6\xac\x0d\xaf\x59\x02\x35\x2c\x7d\xe0\x3a\xf4\x2c\x3d\x1f\xf5\x07\x94\x55\xac\xe7\xb7\x12\x0a\x00\x4d\xb7\x13\x83\x00\xac\xf9\x7e\x39\xfe\x51\xcc\xb6\xce\x64\x38\x65\x00\xa2\xf9\x5b\x61\x7f\xbc\x35\x2a\x25\xf1\x20\xb4\xa7\xc7\xcf\x1d\x28\xea\x6c\x4b\x1b\x37\x15\x53\xe9\x22\x30\x51\xef\x97\x8d\x87\x9d\xf7\x4e\x59\x75\x12\x1f\xc8\x00\x60\xb8\x23\x92\xbd\x62\x62\x93\x98\x0c\xdc\xc5\x01\xd5\x42\x38\x45\x73\xa8\x3f\x3a\x1a\x06\xae\xe5\x3a\x60\xa2\x92\xaa\x1a\xb1\x14\x7c\xba\xb6\xef\x8d\x6a\xf2\x17\x3d\x02\x58\xb0\x32\x75\x28\xa3\x96\xaf\x20\xd6\x6c\x8d\x33\xd0\x24\x93\xa7\xad\x29\x2f\x04\x78\x75\x88\xee\x1b\x5c\x4a\x9c\x31\x3b\x18\xde\xcf\xe3\x03\x66\x01\x81\x6c\x95\xe1\x88\x7f\x07\x7d\x52\x3f\xfd\x3b\x73\xc9\x17\x08\xd6\x74\x99\xff\x77\x08\x9e\xa0\xf0\x03\x65\xb2\xa3\x58\xaf\x83\xd3\x81\xec\xea\x94\x42\x41\xaf\x6a\x59\x19\x41\x83\x4c\x46\x30\xf6\xd0\x99\x3d\xa6\x3a\x85\xae\x20\x81\x90\x4e\xa8\x2e\xf8\x2e\xda\x3a\x7e\x73\x89\xb3\x15\x58\xfc\x3e\x05\x70\x8a\x30\xcf\x1d\xe7\x42\xce\xfc\x54\xd4\xf3\x79\xae\x01\x2c\x24\xdd\xef\x2a\xfb\x5c\x77\xab\xd1\x8a\x0d\xa9\xac\x38\x30\x28\xbd\x3e\x31\x43\x16\x13\xb5\xf0\xa5\x58\x30\x93\x82\x4c\x7b\x20\x56\x51\x77\x73\xed\x26\xf6\x53\x74\x01\x56\xf7\xa5\x0a\xaa\x53\x21\x23\xd6\x70\x18\x35\x39\x6c\xe5\x5d\x9b\x50\x66\x1e\x05\xf1\xe6\x64\xed\x04\x3c\xe9\x85\x02\x3e\xa4\x0b\x74\xe9\xf9\x86\xc1\x36\xd0\xc2\x4e\xda\x68\x38\x18\xcb\x5d\xdc\x7c\xdd\x6c\x85\x99\xc4\x81\x60\x44\x34\x3d\xe0\x6d\x88\xaf\x6f\x9e\x03\xe3\x65\x53\x66\x36\xc7\x6a\x05\xef\x7d\xa1\x9d\x2b\x9d\x2b\x1c\xb8\x5b\x23\x31\x9e\xfa\x81\x2c\x95\xa9\x1a\xb8\xe4\x9b\xb3\x03\x7f\x29\xce\x6f\x08\xea\xf0\x05\x85\x3a\x82\x67\x36\x81\x08\xec\x4a\xac\xf0\x59\xd2\xda\x96\xd1\xaf\x79\xc5\xf3\x2f\x19\x08\x61\x18\xd6\x39\x6d\x4b\x11\x67\xea\xe4\xaa\xb7\xed\x87\x64\xdd\x9d\xd9\xc4\x3d\x9a\xee\x44\xec\xd8\xd0\xbe\x38\x0d\x53\x6a\xa3\x2d\xe9\xf6\x62\xfd\xf2\x7f\xf6\x5e\x0c\x6d\x4f\xff\xcf\x2f\x91\x40\xf1\x68\x93\x92\x83\xdd\xa7\xb4\x8b\x4c\xc6\x29\x4f\xb7\xd0\x3f\x21\xef\x35\xc3\x46\xb6\xfd\x7e\xf2\xda\xd0\xf0\xf6\x57\x81\x40\x49\x66\xcf\x52\x38\x65\x24\x2e\x71\xcf\xc7\x4d\xe8\x93\xe3\x85\x04\xb4\xa7\x62\x80\x19\x09\xb3\x23\x9a\x55\x4e\xb9\x06\x0a\xf9\x5c", 1024);
memcpy((void*)0x10000640, "\x0d\x99\x96\x7c\xeb\xff\x11\xef\x0b\x61\x40\x84\x1d\x5e\x74\x21\x41\x20\xd7\x9d\xa4\x5b\x56\xcd\xfc\xbc\x94\xe2\x37\x76\x91\x57", 32);
*(uint32_t*)0x10000660 = -1;
*(uint8_t*)0x10000664 = 4;
*(uint32_t*)0x10000668 = 0x10000140;
memcpy((void*)0x10000140, "\xb4\xbc\xbb\xfe\x0b\x7f\x0b\x0e\xae\x45\xa1\xe2\xbd\x08\x1e\xc5\x2f\x7c\x6e\x44\x80\x1b\x51\x0f\x94\xb5\xf8\x06\x52\x09\xb9\xfc\x61\x8c\x2d\x19\x2d\x48\xfc\x46\x47\xe0\xbb\x40\xc2\xf3\x9e\xb0\xdc\xe4\x8c\x65\x88\x93\x21\xd3\x53\xb6\x07\x9e\xce\x97\x86\x7d\x37\x18\x59\x5b\xc4\xec\xa1\xe1\x3d\x71\xe9\xd5\x0c\x86\x1f\x4f\x9b\x60\xe4\xc2\xf1\x0d\x20\x57\x74\xd2\x10\xef\xd3\x79\x56\x46\xc0\xbe\x0f\x22\xd3\x3a\x4f\xf5\x42\x36\x28\x55\xc3\xb1\x15\x3e\xde\xd8\x0e\xb0\x84\x56\xda\x92\x24\xe5\xd2\xf3\x35\x49\x18\xfd\x7c\x56\xe7\xb4\xa0\x59\x68\x92\x86\xad\xc6\x78\x45\x81\xe0\x2f\x42\xa6\x95\x72\x1a\x22\x8c\x0d\x2d\x44\xbc\x8d\x03\xff\xb6\xd4\x98\x16\xbd\xc1\x87\x55\x1d\x3c\x79\x67\x23\x74\xeb\xe8\x0b\x58\xff\xbe\x18\xc6\xad\xb8\x7f\xea\x88\xbc\x58\x6f\xfe\xd5\xd4\x7f\x47\xa2\x43\x1c\x50\x6e\xfb\xa2\x0b\xcf\x3e\x55\x87\x33\xd3\x89\x6a\x67\x4a\xbb\x2f\x9d\xdc\x35\x10\x84\xe9\x90\xfa", 221);
*(uint64_t*)0x1000066c = 0xfffffffffffffff9;
*(uint64_t*)0x10000674 = 3;
*(uint64_t*)0x1000067c = 6;
*(uint64_t*)0x10000684 = 4;
*(uint64_t*)0x1000068c = 0x1679;
*(uint64_t*)0x10000694 = 4;
*(uint64_t*)0x1000069c = 9;
*(uint32_t*)0x100006a4 = 6;
syscall(SYS_ioctl, (intptr_t)r[1], 0xc4504447, 0x10000240);
break;
case 9:
*(uint32_t*)0x10000700 = 5;
syscall(SYS_setsockopt, -1, 0x84, 0x18, 0x10000700, 4);
break;
case 10:
*(uint8_t*)0x10000000 = 0;
*(uint8_t*)0x10000001 = 0;
*(uint8_t*)0x10000002 = 0;
*(uint8_t*)0x10000003 = 0;
*(uint8_t*)0x10000004 = 0;
*(uint8_t*)0x10000005 = 0;
*(uint8_t*)0x10000006 = -1;
*(uint8_t*)0x10000007 = -1;
*(uint8_t*)0x10000008 = -1;
*(uint8_t*)0x10000009 = -1;
*(uint8_t*)0x1000000a = -1;
*(uint8_t*)0x1000000b = -1;
*(uint16_t*)0x1000000c = htobe16(0x88a8);
STORE_BY_BITMASK(uint16_t, , 0x1000000e, 7, 0, 3);
STORE_BY_BITMASK(uint16_t, , 0x1000000e, 1, 3, 1);
STORE_BY_BITMASK(uint16_t, , 0x1000000e, 0, 4, 12);
*(uint16_t*)0x10000010 = htobe16(0x8100);
STORE_BY_BITMASK(uint16_t, , 0x10000012, 2, 0, 3);
STORE_BY_BITMASK(uint16_t, , 0x10000012, 0, 3, 1);
STORE_BY_BITMASK(uint16_t, , 0x10000012, 4, 4, 12);
*(uint16_t*)0x10000014 = htobe16(0x806);
*(uint16_t*)0x10000016 = htobe16(1);
*(uint16_t*)0x10000018 = htobe16(0x800);
*(uint8_t*)0x1000001a = 6;
*(uint8_t*)0x1000001b = 4;
*(uint16_t*)0x1000001c = htobe16(4);
*(uint8_t*)0x1000001e = 0xaa;
*(uint8_t*)0x1000001f = 0xaa;
*(uint8_t*)0x10000020 = 0xaa;
*(uint8_t*)0x10000021 = 0xaa;
*(uint8_t*)0x10000022 = 0xaa;
*(uint8_t*)0x10000023 = 0xaa;
*(uint32_t*)0x10000024 = htobe32(0xe0000001);
*(uint8_t*)0x10000028 = 0xaa;
*(uint8_t*)0x10000029 = 0xaa;
*(uint8_t*)0x1000002a = 0xaa;
*(uint8_t*)0x1000002b = 0xaa;
*(uint8_t*)0x1000002c = 0xaa;
*(uint8_t*)0x1000002d = 0xbb;
*(uint32_t*)0x1000002e = htobe32(0x81);
break;
case 11:
memcpy((void*)0x10000040, "\xc4\xe1\x35\xd1\x31\x28\xcb\x67\x67\xf3\xa5\x3e\xf2\x2e\x82\x8f\x00\x00\x00\x00\x00\xc4\xc2\xd5\x90\x84\xc8\x1e\x91\x00\x00\x0f\x0e\x0f\xa2\xc4\xe1\x6c\x5d\xc9\x64\x66\x16\xc4\xc2\x7d\x78\x84\xad\x56\xc2\xd5\x56", 53);
syz_execute_func(0x10000040);
break;
case 12:
break;
}
}
int main(void)
{
syscall(SYS_mmap, 0x10000000, 0x1000000, 7, 0x1012, -1, 0);
use_temporary_dir();
do_sandbox_none();
return 0;
}
<stdin>:334:11: error: use of undeclared identifier 'SYS_freebsd12_closefrom'
syscall(SYS_freebsd12_closefrom, (intptr_t)r[2]);
^
1 error generated.
compiler invocation: clang [-o /tmp/syz-executor183342977 -DGOOS_freebsd=1 -DGOARCH_386=1 -DHOSTGOOS_freebsd=1 -x c - -m32 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -static -lc++ -Wno-overflow]
--- FAIL: TestGenerate/freebsd/386/9 (0.98s)
csource_test.go:106:
--- FAIL: TestGenerate/freebsd/386/10 (1.02s)
csource_test.go:106:
--- FAIL: TestGenerate/freebsd/386/11 (0.98s)
csource_test.go:106:
--- FAIL: TestGenerate/freebsd/386/8 (0.96s)
csource_test.go:106:
--- FAIL: TestGenerate/freebsd/386/2 (1.08s)
csource_test.go:106:
--- FAIL: TestGenerate/freebsd/386/1 (1.13s)
csource_test.go:106:
FAIL
FAIL github.com/google/syzkaller/pkg/csource 8.373s
ok github.com/google/syzkaller/pkg/db (cached)
? github.com/google/syzkaller/pkg/debugtracer [no test files]
ok github.com/google/syzkaller/pkg/email (cached)
? github.com/google/syzkaller/pkg/gce [no test files]
? github.com/google/syzkaller/pkg/gcs [no test files]
? github.com/google/syzkaller/pkg/hash [no test files]
ok github.com/google/syzkaller/pkg/host 0.927s
? github.com/google/syzkaller/pkg/html [no test files]
ok github.com/google/syzkaller/pkg/ifuzz (cached)
? github.com/google/syzkaller/pkg/ifuzz/iset [no test files]
? github.com/google/syzkaller/pkg/ifuzz/powerpc [no test files]
? github.com/google/syzkaller/pkg/ifuzz/powerpc/generated [no test files]
? github.com/google/syzkaller/pkg/ifuzz/x86 [no test files]
? github.com/google/syzkaller/pkg/ifuzz/x86/gen [no test files]
? github.com/google/syzkaller/pkg/ifuzz/x86/generated [no test files]
ok github.com/google/syzkaller/pkg/instance 0.995s
ok github.com/google/syzkaller/pkg/ipc 3.608s
? github.com/google/syzkaller/pkg/ipc/ipcconfig [no test files]
? github.com/google/syzkaller/pkg/kcidb [no test files]
ok github.com/google/syzkaller/pkg/kconfig 0.039s
ok github.com/google/syzkaller/pkg/kd (cached)
ok github.com/google/syzkaller/pkg/log (cached)
ok github.com/google/syzkaller/pkg/mgrconfig (cached)
ok github.com/google/syzkaller/pkg/osutil (cached)
ok github.com/google/syzkaller/pkg/report (cached)
ok github.com/google/syzkaller/pkg/repro (cached)
? github.com/google/syzkaller/pkg/rpctype [no test files]
ok github.com/google/syzkaller/pkg/runtest 44.379s
ok github.com/google/syzkaller/pkg/serializer (cached)
? github.com/google/syzkaller/pkg/signal [no test files]
ok github.com/google/syzkaller/pkg/symbolizer 0.161s
ok github.com/google/syzkaller/pkg/tool (cached)
ok github.com/google/syzkaller/pkg/vcs 6.937s
ok github.com/google/syzkaller/prog (cached)
ok github.com/google/syzkaller/prog/test (cached)
? github.com/google/syzkaller/sys [no test files]
? github.com/google/syzkaller/sys/akaros [no test files]
? github.com/google/syzkaller/sys/akaros/gen [no test files]
? github.com/google/syzkaller/sys/freebsd [no test files]
? github.com/google/syzkaller/sys/freebsd/gen [no test files]
? github.com/google/syzkaller/sys/fuchsia [no test files]
? github.com/google/syzkaller/sys/fuchsia/fidlgen [no test files]
? github.com/google/syzkaller/sys/fuchsia/gen [no test files]
? github.com/google/syzkaller/sys/fuchsia/layout [no test files]
ok github.com/google/syzkaller/sys/linux (cached)
? github.com/google/syzkaller/sys/linux/gen [no test files]
? github.com/google/syzkaller/sys/netbsd [no test files]
? github.com/google/syzkaller/sys/netbsd/gen [no test files]
ok github.com/google/syzkaller/sys/openbsd (cached)
? github.com/google/syzkaller/sys/openbsd/gen [no test files]
? github.com/google/syzkaller/sys/syz-extract [no test files]
? github.com/google/syzkaller/sys/syz-sysgen [no test files]
? github.com/google/syzkaller/sys/targets [no test files]
? github.com/google/syzkaller/sys/test [no test files]
? github.com/google/syzkaller/sys/test/gen [no test files]
? github.com/google/syzkaller/sys/trusty [no test files]
? github.com/google/syzkaller/sys/trusty/gen [no test files]
? github.com/google/syzkaller/sys/windows [no test files]
? github.com/google/syzkaller/sys/windows/gen [no test files]
ok github.com/google/syzkaller/syz-ci (cached)
ok github.com/google/syzkaller/syz-fuzzer (cached)
ok github.com/google/syzkaller/syz-hub (cached)
ok github.com/google/syzkaller/syz-hub/state (cached)
ok github.com/google/syzkaller/syz-manager 1.044s
? github.com/google/syzkaller/tools/syz-benchcmp [no test files]
? github.com/google/syzkaller/tools/syz-bisect [no test files]
? github.com/google/syzkaller/tools/syz-build [no test files]
? github.com/google/syzkaller/tools/syz-check [no test files]
? github.com/google/syzkaller/tools/syz-cover [no test files]
? github.com/google/syzkaller/tools/syz-crush [no test files]
? github.com/google/syzkaller/tools/syz-db [no test files]
? github.com/google/syzkaller/tools/syz-execprog [no test files]
? github.com/google/syzkaller/tools/syz-expand [no test files]
? github.com/google/syzkaller/tools/syz-fmt [no test files]
? github.com/google/syzkaller/tools/syz-hubtool [no test files]
? github.com/google/syzkaller/tools/syz-kcidb [no test files]
? github.com/google/syzkaller/tools/syz-kconf [no test files]
ok github.com/google/syzkaller/tools/syz-linter 2.599s
? github.com/google/syzkaller/tools/syz-make [no test files]
? github.com/google/syzkaller/tools/syz-minconfig [no test files]
? github.com/google/syzkaller/tools/syz-mutate [no test files]
? github.com/google/syzkaller/tools/syz-prog2c [no test files]
? github.com/google/syzkaller/tools/syz-reporter [no test files]
? github.com/google/syzkaller/tools/syz-repro [no test files]
? github.com/google/syzkaller/tools/syz-reprolist [no test files]
? github.com/google/syzkaller/tools/syz-runtest [no test files]
? github.com/google/syzkaller/tools/syz-showprio [no test files]
? github.com/google/syzkaller/tools/syz-stress [no test files]
? github.com/google/syzkaller/tools/syz-symbolize [no test files]
? github.com/google/syzkaller/tools/syz-testbuild [no test files]
? github.com/google/syzkaller/tools/syz-trace2syz [no test files]
ok github.com/google/syzkaller/tools/syz-trace2syz/parser (cached)
ok github.com/google/syzkaller/tools/syz-trace2syz/proggen (cached)
? github.com/google/syzkaller/tools/syz-tty [no test files]
? github.com/google/syzkaller/tools/syz-upgrade [no test files]
? github.com/google/syzkaller/tools/syz-usbgen [no test files]
ok github.com/google/syzkaller/vm (cached)
? github.com/google/syzkaller/vm/adb [no test files]
? github.com/google/syzkaller/vm/bhyve [no test files]
? github.com/google/syzkaller/vm/gce [no test files]
? github.com/google/syzkaller/vm/gvisor [no test files]
ok github.com/google/syzkaller/vm/isolated (cached)
? github.com/google/syzkaller/vm/kvm [no test files]
? github.com/google/syzkaller/vm/odroid [no test files]
? github.com/google/syzkaller/vm/qemu [no test files]
ok github.com/google/syzkaller/vm/vmimpl (cached)
? github.com/google/syzkaller/vm/vmm [no test files]
? github.com/google/syzkaller/vm/vmware [no test files]
FAIL