ok github.com/google/syzkaller/dashboard/app (cached) ? github.com/google/syzkaller/dashboard/dashapi [no test files] ok github.com/google/syzkaller/executor 1.127s ok github.com/google/syzkaller/pkg/ast 2.279s ok github.com/google/syzkaller/pkg/bisect 66.656s ok github.com/google/syzkaller/pkg/build 2.141s ? github.com/google/syzkaller/pkg/cmdprof [no test files] ok github.com/google/syzkaller/pkg/compiler 10.355s ok github.com/google/syzkaller/pkg/config (cached) ? github.com/google/syzkaller/pkg/cover [no test files] --- FAIL: TestGenerate (6.48s) --- FAIL: TestGenerate/freebsd/386 (1.22s) csource_test.go:67: seed=1603795687300660541 --- FAIL: TestGenerate/freebsd/386/0 (0.83s) csource_test.go:123: opts: {Threaded:false Collide:false Repeat:true RepeatTimes:0 Procs:0 Sandbox:none Fault:false FaultCall:0 FaultNth:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false USB:false VhciInjection:false Wifi:false UseTmpDir:true HandleSegv:false Repro:false Trace:false} program: mkdirat(0xffffffffffffffff, &(0x7f0000000000)='./file0\x00', 0x4) shmctl$IPC_RMID(0x0, 0x0) ioctl$DIOCGETRULES(0xffffffffffffffff, 0xcbe04406, &(0x7f0000000040)="5d74bda1c6faf7ed1da348f3fe51da8b4b57df85e10099805473e4430717df6942b6222f5c5501c59e396880184224c2384624d02bf0c19e0f3da46c8b4edb29b95361a80b94d015b991bed47983eb5f935fcacad2045bcbca6b7c17f2adeae5bda3d635a4c3f37e11d4f3d9e65e4cb3254d550ae7a27464d281ddb797fed8962e1dd551b6d12b40f92d97f3cc57905a7280f273e734af4378e07ab0ac1ce702db1083fb2b30d6c61d52e8b839cc8a31cc2b95e0bf3e855bb7f049c5f80395b2cdde790ff09c24c687") r0 = freebsd12_shm_open(&(0x7f0000000140)='./file0\x00', 0x800, 0x84) fchdir(r0) ioctl$DIOCGETRULES(0xffffffffffffffff, 0xcbe04406, &(0x7f0000000180)="3ba960cd2002ee912ab89d70b3198f9bdf0632c41dc9b26fc868415f72c419e3a545de1df756b07a982133e5944e0d3b490c4d5cf8e609d12f0e206a7c12a6a65fb02732450180353266c2159858b7d98fa6db7d05834f23") 
rename(&(0x7f0000000200)='./file0\x00', &(0x7f0000000240)='./file0\x00') getsockopt$inet_sctp_SCTP_LOCAL_AUTH_CHUNKS(0xffffffffffffffff, 0x84, 0x103, &(0x7f0000000280)={0x0, 0x7e, "0f7d7a5804403eec8164e919dfd4e351b49a4af825559cf724bc44ba4dc13666ea2a7b385134f4157271a4099ba96c43c8414ab9312e82befd945c8d504880c78b6390db1269092647d137c232d93aa216037f485c12a21b332db7e2ae3fd4e555d7a355bb606463160033fcc503ff22ee4f221b78503c59c0bb3720a6f2"}, &(0x7f0000000340)=0x86) mprotect(&(0x7f0000fff000/0x1000)=nil, 0x1000, 0xcbc8aa5da4d12c96) getsockopt$inet6_udplite(0xffffffffffffffff, 0x88, 0x2, &(0x7f0000000380), &(0x7f00000003c0)=0x4) syz_emit_ethernet(0x12d, &(0x7f0000000000)={@empty, @empty, [{[], {0x8100, 0x7, 0x0, 0x4}}], {@ipv4={0x800, {{0xc, 0x4, 0x1, 0x5, 0x11b, 0x65, 0x1, 0x0, 0x5a, 0x0, @multicast1, @empty, {[@end, @end, @timestamp={0x44, 0x10, 0x32, 0x3, 0x9, [{[], 0x2}, {[@empty], 0x3}]}, @ra={0x94, 0x6, 0x8}, @noop]}}, @generic="5c1cf073cfe909c6afe4c61fec1be43e8cc318ea6993048dae4784f94d2582e3f4b6424ea90eedb47f76041f063310b3463f16f891a46a040c93d68d53cdaa151f0e1cf94a76c2243bdd34dc2ba29c022daef02c4f01e83deb324746de26abc9b6a218bb44a18bc9a2106b4b068a65057da3bb9721c6e650384ea1f32aecfb304e3de65bedf8a68b6d672444db3745d673bda9d797752df9948795b8b4d3ad2119abedfb4b99d6aee1ed72561d35c6f7c35d2abb15dc221354e03abfec53102a5db508dc9105d5499730ce3c11fe85ce52c1866732c98b131631490d501b160817ff9dd85cede22b37f00a"}}}}) syz_execute_func(&(0x7f0000000140)="660f38257687c4c319026e65708fe840853906673e65660f3a0dff0066660f2913360f0fae2ab90000bbd392d55f00000f38cd4ca103670fb993f7b5c4c129f16c3800") syz_extract_tcp_res(&(0x7f00000001c0), 0x4, 0x83dd) csource_test.go:124: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include static void kill_and_wait(int pid, int* status) { kill(pid, 
SIGKILL); while (waitpid(-1, status, 0) != pid) { } } static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void use_temporary_dir(void) { char tmpdir_template[] = "./syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) exit(1); if (chmod(tmpdir, 0777)) exit(1); if (chdir(tmpdir)) exit(1); } static void __attribute__((noinline)) remove_dir(const char* dir) { DIR* dp = opendir(dir); if (dp == NULL) { if (errno == EACCES) { if (rmdir(dir)) exit(1); return; } exit(1); } struct dirent* ep = 0; while ((ep = readdir(dp))) { if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0) continue; char filename[FILENAME_MAX]; snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name); struct stat st; if (lstat(filename, &st)) exit(1); if (S_ISDIR(st.st_mode)) { remove_dir(filename); continue; } if (unlink(filename)) exit(1); } closedir(dp); if (rmdir(dir)) exit(1); } #define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off)) #define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len)))) struct csum_inet { uint32_t acc; }; static void csum_inet_init(struct csum_inet* csum) { csum->acc = 0; } static void csum_inet_update(struct csum_inet* csum, const uint8_t* data, size_t length) { if (length == 0) return; size_t i = 0; for (; i < length - 1; i += 2) csum->acc += *(uint16_t*)&data[i]; if (length & 1) csum->acc += le16toh((uint16_t)data[length - 1]); while (csum->acc > 0xffff) csum->acc = (csum->acc & 0xffff) + (csum->acc >> 16); } static uint16_t csum_inet_digest(struct csum_inet* csum) { return ~csum->acc; } static void sandbox_common() { if (setsid() == -1) exit(1); struct rlimit rlim; rlim.rlim_cur = rlim.rlim_max 
= 128 << 20; setrlimit(RLIMIT_AS, &rlim); rlim.rlim_cur = rlim.rlim_max = 8 << 20; setrlimit(RLIMIT_MEMLOCK, &rlim); rlim.rlim_cur = rlim.rlim_max = 1 << 20; setrlimit(RLIMIT_FSIZE, &rlim); rlim.rlim_cur = rlim.rlim_max = 1 << 20; setrlimit(RLIMIT_STACK, &rlim); rlim.rlim_cur = rlim.rlim_max = 0; setrlimit(RLIMIT_CORE, &rlim); rlim.rlim_cur = rlim.rlim_max = 256; setrlimit(RLIMIT_NOFILE, &rlim); } static void loop(); static int do_sandbox_none(void) { sandbox_common(); loop(); return 0; } static long syz_execute_func(volatile long text) { ((void (*)(void))(text))(); return 0; } static void execute_one(void); #define WAIT_FLAGS 0 static void loop(void) { int iter = 0; for (;; iter++) { char cwdbuf[32]; sprintf(cwdbuf, "./%d", iter); if (mkdir(cwdbuf, 0777)) exit(1); int pid = fork(); if (pid < 0) exit(1); if (pid == 0) { if (chdir(cwdbuf)) exit(1); execute_one(); exit(0); } int status = 0; uint64_t start = current_time_ms(); for (;;) { if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) break; sleep_ms(1); if (current_time_ms() - start < 5 * 1000) continue; kill_and_wait(pid, &status); break; } remove_dir(cwdbuf); } } uint64_t r[1] = {0xffffffffffffffff}; void execute_one(void) { intptr_t res = 0; memcpy((void*)0x10000000, "./file0\000", 8); syscall(SYS_mkdirat, -1, 0x10000000, 4); syscall(SYS_shmctl, 0, 0, 0); memcpy((void*)0x10000040, 
"\x5d\x74\xbd\xa1\xc6\xfa\xf7\xed\x1d\xa3\x48\xf3\xfe\x51\xda\x8b\x4b\x57\xdf\x85\xe1\x00\x99\x80\x54\x73\xe4\x43\x07\x17\xdf\x69\x42\xb6\x22\x2f\x5c\x55\x01\xc5\x9e\x39\x68\x80\x18\x42\x24\xc2\x38\x46\x24\xd0\x2b\xf0\xc1\x9e\x0f\x3d\xa4\x6c\x8b\x4e\xdb\x29\xb9\x53\x61\xa8\x0b\x94\xd0\x15\xb9\x91\xbe\xd4\x79\x83\xeb\x5f\x93\x5f\xca\xca\xd2\x04\x5b\xcb\xca\x6b\x7c\x17\xf2\xad\xea\xe5\xbd\xa3\xd6\x35\xa4\xc3\xf3\x7e\x11\xd4\xf3\xd9\xe6\x5e\x4c\xb3\x25\x4d\x55\x0a\xe7\xa2\x74\x64\xd2\x81\xdd\xb7\x97\xfe\xd8\x96\x2e\x1d\xd5\x51\xb6\xd1\x2b\x40\xf9\x2d\x97\xf3\xcc\x57\x90\x5a\x72\x80\xf2\x73\xe7\x34\xaf\x43\x78\xe0\x7a\xb0\xac\x1c\xe7\x02\xdb\x10\x83\xfb\x2b\x30\xd6\xc6\x1d\x52\xe8\xb8\x39\xcc\x8a\x31\xcc\x2b\x95\xe0\xbf\x3e\x85\x5b\xb7\xf0\x49\xc5\xf8\x03\x95\xb2\xcd\xde\x79\x0f\xf0\x9c\x24\xc6\x87", 201); syscall(SYS_ioctl, -1, 0xcbe04406, 0x10000040); memcpy((void*)0x10000140, "./file0\000", 8); res = syscall(SYS_freebsd12_shm_open, 0x10000140, 0x800, 0x84); if (res != -1) r[0] = res; syscall(SYS_fchdir, (intptr_t)r[0]); memcpy((void*)0x10000180, "\x3b\xa9\x60\xcd\x20\x02\xee\x91\x2a\xb8\x9d\x70\xb3\x19\x8f\x9b\xdf\x06\x32\xc4\x1d\xc9\xb2\x6f\xc8\x68\x41\x5f\x72\xc4\x19\xe3\xa5\x45\xde\x1d\xf7\x56\xb0\x7a\x98\x21\x33\xe5\x94\x4e\x0d\x3b\x49\x0c\x4d\x5c\xf8\xe6\x09\xd1\x2f\x0e\x20\x6a\x7c\x12\xa6\xa6\x5f\xb0\x27\x32\x45\x01\x80\x35\x32\x66\xc2\x15\x98\x58\xb7\xd9\x8f\xa6\xdb\x7d\x05\x83\x4f\x23", 88); syscall(SYS_ioctl, -1, 0xcbe04406, 0x10000180); memcpy((void*)0x10000200, "./file0\000", 8); memcpy((void*)0x10000240, "./file0\000", 8); syscall(SYS_rename, 0x10000200, 0x10000240); *(uint32_t*)0x10000280 = 0; *(uint32_t*)0x10000284 = 0x7e; memcpy((void*)0x10000288, 
"\x0f\x7d\x7a\x58\x04\x40\x3e\xec\x81\x64\xe9\x19\xdf\xd4\xe3\x51\xb4\x9a\x4a\xf8\x25\x55\x9c\xf7\x24\xbc\x44\xba\x4d\xc1\x36\x66\xea\x2a\x7b\x38\x51\x34\xf4\x15\x72\x71\xa4\x09\x9b\xa9\x6c\x43\xc8\x41\x4a\xb9\x31\x2e\x82\xbe\xfd\x94\x5c\x8d\x50\x48\x80\xc7\x8b\x63\x90\xdb\x12\x69\x09\x26\x47\xd1\x37\xc2\x32\xd9\x3a\xa2\x16\x03\x7f\x48\x5c\x12\xa2\x1b\x33\x2d\xb7\xe2\xae\x3f\xd4\xe5\x55\xd7\xa3\x55\xbb\x60\x64\x63\x16\x00\x33\xfc\xc5\x03\xff\x22\xee\x4f\x22\x1b\x78\x50\x3c\x59\xc0\xbb\x37\x20\xa6\xf2", 126); *(uint32_t*)0x10000340 = 0x86; syscall(SYS_getsockopt, -1, 0x84, 0x103, 0x10000280, 0x10000340); syscall(SYS_mprotect, 0x10fff000, 0x1000, 0xa4d12c96); *(uint32_t*)0x100003c0 = 4; syscall(SYS_getsockopt, -1, 0x88, 2, 0x10000380, 0x100003c0); *(uint8_t*)0x10000000 = 0; *(uint8_t*)0x10000001 = 0; *(uint8_t*)0x10000002 = 0; *(uint8_t*)0x10000003 = 0; *(uint8_t*)0x10000004 = 0; *(uint8_t*)0x10000005 = 0; *(uint8_t*)0x10000006 = 0; *(uint8_t*)0x10000007 = 0; *(uint8_t*)0x10000008 = 0; *(uint8_t*)0x10000009 = 0; *(uint8_t*)0x1000000a = 0; *(uint8_t*)0x1000000b = 0; *(uint16_t*)0x1000000c = htobe16(0x8100); STORE_BY_BITMASK(uint16_t, , 0x1000000e, 7, 0, 3); STORE_BY_BITMASK(uint16_t, , 0x1000000e, 0, 3, 1); STORE_BY_BITMASK(uint16_t, , 0x1000000e, 4, 4, 12); *(uint16_t*)0x10000010 = htobe16(0x800); STORE_BY_BITMASK(uint8_t, , 0x10000012, 0xc, 0, 4); STORE_BY_BITMASK(uint8_t, , 0x10000012, 4, 4, 4); STORE_BY_BITMASK(uint8_t, , 0x10000013, 1, 0, 2); STORE_BY_BITMASK(uint8_t, , 0x10000013, 5, 2, 6); *(uint16_t*)0x10000014 = htobe16(0x11b); *(uint16_t*)0x10000016 = htobe16(0x65); *(uint16_t*)0x10000018 = htobe16(1); *(uint8_t*)0x1000001a = 0; *(uint8_t*)0x1000001b = 0x5a; *(uint16_t*)0x1000001c = htobe16(0); *(uint32_t*)0x1000001e = htobe32(0xe0000001); *(uint32_t*)0x10000022 = htobe32(0); *(uint8_t*)0x10000026 = 0; *(uint8_t*)0x10000027 = 0; *(uint8_t*)0x10000028 = 0x44; *(uint8_t*)0x10000029 = 0x10; *(uint8_t*)0x1000002a = 0x32; STORE_BY_BITMASK(uint8_t, , 0x1000002b, 
3, 0, 4); STORE_BY_BITMASK(uint8_t, , 0x1000002b, 9, 4, 4); *(uint32_t*)0x1000002c = htobe32(2); *(uint32_t*)0x10000030 = htobe32(0); *(uint32_t*)0x10000034 = htobe32(3); *(uint8_t*)0x10000038 = 0x94; *(uint8_t*)0x10000039 = 6; *(uint32_t*)0x1000003a = htobe32(8); *(uint8_t*)0x1000003e = 1; memcpy((void*)0x10000042, "\x5c\x1c\xf0\x73\xcf\xe9\x09\xc6\xaf\xe4\xc6\x1f\xec\x1b\xe4\x3e\x8c\xc3\x18\xea\x69\x93\x04\x8d\xae\x47\x84\xf9\x4d\x25\x82\xe3\xf4\xb6\x42\x4e\xa9\x0e\xed\xb4\x7f\x76\x04\x1f\x06\x33\x10\xb3\x46\x3f\x16\xf8\x91\xa4\x6a\x04\x0c\x93\xd6\x8d\x53\xcd\xaa\x15\x1f\x0e\x1c\xf9\x4a\x76\xc2\x24\x3b\xdd\x34\xdc\x2b\xa2\x9c\x02\x2d\xae\xf0\x2c\x4f\x01\xe8\x3d\xeb\x32\x47\x46\xde\x26\xab\xc9\xb6\xa2\x18\xbb\x44\xa1\x8b\xc9\xa2\x10\x6b\x4b\x06\x8a\x65\x05\x7d\xa3\xbb\x97\x21\xc6\xe6\x50\x38\x4e\xa1\xf3\x2a\xec\xfb\x30\x4e\x3d\xe6\x5b\xed\xf8\xa6\x8b\x6d\x67\x24\x44\xdb\x37\x45\xd6\x73\xbd\xa9\xd7\x97\x75\x2d\xf9\x94\x87\x95\xb8\xb4\xd3\xad\x21\x19\xab\xed\xfb\x4b\x99\xd6\xae\xe1\xed\x72\x56\x1d\x35\xc6\xf7\xc3\x5d\x2a\xbb\x15\xdc\x22\x13\x54\xe0\x3a\xbf\xec\x53\x10\x2a\x5d\xb5\x08\xdc\x91\x05\xd5\x49\x97\x30\xce\x3c\x11\xfe\x85\xce\x52\xc1\x86\x67\x32\xc9\x8b\x13\x16\x31\x49\x0d\x50\x1b\x16\x08\x17\xff\x9d\xd8\x5c\xed\xe2\x2b\x37\xf0\x0a", 235); struct csum_inet csum_1; csum_inet_init(&csum_1); csum_inet_update(&csum_1, (const uint8_t*)0x10000012, 48); *(uint16_t*)0x1000001c = csum_inet_digest(&csum_1); memcpy((void*)0x10000140, "\x66\x0f\x38\x25\x76\x87\xc4\xc3\x19\x02\x6e\x65\x70\x8f\xe8\x40\x85\x39\x06\x67\x3e\x65\x66\x0f\x3a\x0d\xff\x00\x66\x66\x0f\x29\x13\x36\x0f\x0f\xae\x2a\xb9\x00\x00\xbb\xd3\x92\xd5\x5f\x00\x00\x0f\x38\xcd\x4c\xa1\x03\x67\x0f\xb9\x93\xf7\xb5\xc4\xc1\x29\xf1\x6c\x38\x00", 67); syz_execute_func(0x10000140); } int main(void) { syscall(SYS_mmap, 0x10000000, 0x1000000, 7, 0x1012, -1, 0); use_temporary_dir(); do_sandbox_none(); return 0; } :200:16: error: use of undeclared identifier 'SYS_freebsd12_shm_open' res = 
syscall(SYS_freebsd12_shm_open, 0x10000140, 0x800, 0x84); ^ 1 error generated. compiler invocation: clang [-o /tmp/syz-executor566683688 -DGOOS_freebsd=1 -DGOARCH_386=1 -DHOSTGOOS_freebsd=1 -x c - -m32 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -static -lc++ -Wno-overflow] --- FAIL: TestGenerate/freebsd/386/12 (1.51s) csource_test.go:123: opts: {Threaded:true Collide:false Repeat:true RepeatTimes:0 Procs:0 Sandbox:none Fault:false FaultCall:0 FaultNth:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false USB:false VhciInjection:false Wifi:false UseTmpDir:true HandleSegv:false Repro:true Trace:false} program: mkdirat(0xffffffffffffffff, &(0x7f0000000000)='./file0\x00', 0x4) shmctl$IPC_RMID(0x0, 0x0) ioctl$DIOCGETRULES(0xffffffffffffffff, 0xcbe04406, &(0x7f0000000040)="5d74bda1c6faf7ed1da348f3fe51da8b4b57df85e10099805473e4430717df6942b6222f5c5501c59e396880184224c2384624d02bf0c19e0f3da46c8b4edb29b95361a80b94d015b991bed47983eb5f935fcacad2045bcbca6b7c17f2adeae5bda3d635a4c3f37e11d4f3d9e65e4cb3254d550ae7a27464d281ddb797fed8962e1dd551b6d12b40f92d97f3cc57905a7280f273e734af4378e07ab0ac1ce702db1083fb2b30d6c61d52e8b839cc8a31cc2b95e0bf3e855bb7f049c5f80395b2cdde790ff09c24c687") r0 = freebsd12_shm_open(&(0x7f0000000140)='./file0\x00', 0x800, 0x84) fchdir(r0) ioctl$DIOCGETRULES(0xffffffffffffffff, 0xcbe04406, &(0x7f0000000180)="3ba960cd2002ee912ab89d70b3198f9bdf0632c41dc9b26fc868415f72c419e3a545de1df756b07a982133e5944e0d3b490c4d5cf8e609d12f0e206a7c12a6a65fb02732450180353266c2159858b7d98fa6db7d05834f23") rename(&(0x7f0000000200)='./file0\x00', &(0x7f0000000240)='./file0\x00') getsockopt$inet_sctp_SCTP_LOCAL_AUTH_CHUNKS(0xffffffffffffffff, 0x84, 0x103, &(0x7f0000000280)={0x0, 0x7e, 
"0f7d7a5804403eec8164e919dfd4e351b49a4af825559cf724bc44ba4dc13666ea2a7b385134f4157271a4099ba96c43c8414ab9312e82befd945c8d504880c78b6390db1269092647d137c232d93aa216037f485c12a21b332db7e2ae3fd4e555d7a355bb606463160033fcc503ff22ee4f221b78503c59c0bb3720a6f2"}, &(0x7f0000000340)=0x86) mprotect(&(0x7f0000fff000/0x1000)=nil, 0x1000, 0xcbc8aa5da4d12c96) getsockopt$inet6_udplite(0xffffffffffffffff, 0x88, 0x2, &(0x7f0000000380), &(0x7f00000003c0)=0x4) syz_emit_ethernet(0x12d, &(0x7f0000000000)={@empty, @empty, [{[], {0x8100, 0x7, 0x0, 0x4}}], {@ipv4={0x800, {{0xc, 0x4, 0x1, 0x5, 0x11b, 0x65, 0x1, 0x0, 0x5a, 0x0, @multicast1, @empty, {[@end, @end, @timestamp={0x44, 0x10, 0x32, 0x3, 0x9, [{[], 0x2}, {[@empty], 0x3}]}, @ra={0x94, 0x6, 0x8}, @noop]}}, @generic="5c1cf073cfe909c6afe4c61fec1be43e8cc318ea6993048dae4784f94d2582e3f4b6424ea90eedb47f76041f063310b3463f16f891a46a040c93d68d53cdaa151f0e1cf94a76c2243bdd34dc2ba29c022daef02c4f01e83deb324746de26abc9b6a218bb44a18bc9a2106b4b068a65057da3bb9721c6e650384ea1f32aecfb304e3de65bedf8a68b6d672444db3745d673bda9d797752df9948795b8b4d3ad2119abedfb4b99d6aee1ed72561d35c6f7c35d2abb15dc221354e03abfec53102a5db508dc9105d5499730ce3c11fe85ce52c1866732c98b131631490d501b160817ff9dd85cede22b37f00a"}}}}) syz_execute_func(&(0x7f0000000140)="660f38257687c4c319026e65708fe840853906673e65660f3a0dff0066660f2913360f0fae2ab90000bbd392d55f00000f38cd4ca103670fb993f7b5c4c129f16c3800") syz_extract_tcp_res(&(0x7f00000001c0), 0x4, 0x83dd) csource_test.go:124: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include static void kill_and_wait(int pid, int* status) { kill(pid, SIGKILL); while (waitpid(-1, status, 0) != pid) { } } static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if 
(clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void use_temporary_dir(void) { char tmpdir_template[] = "./syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) exit(1); if (chmod(tmpdir, 0777)) exit(1); if (chdir(tmpdir)) exit(1); } static void __attribute__((noinline)) remove_dir(const char* dir) { DIR* dp = opendir(dir); if (dp == NULL) { if (errno == EACCES) { if (rmdir(dir)) exit(1); return; } exit(1); } struct dirent* ep = 0; while ((ep = readdir(dp))) { if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0) continue; char filename[FILENAME_MAX]; snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name); struct stat st; if (lstat(filename, &st)) exit(1); if (S_ISDIR(st.st_mode)) { remove_dir(filename); continue; } if (unlink(filename)) exit(1); } closedir(dp); if (rmdir(dir)) exit(1); } static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); pthread_attr_setstacksize(&attr, 128 << 10); int i = 0; for (; i < 100; i++) { if (pthread_create(&th, &attr, fn, arg) == 0) { pthread_attr_destroy(&attr); return; } if (errno == EAGAIN) { usleep(50); continue; } break; } exit(1); } typedef struct { pthread_mutex_t mu; pthread_cond_t cv; int state; } event_t; static void event_init(event_t* ev) { if (pthread_mutex_init(&ev->mu, 0)) exit(1); if (pthread_cond_init(&ev->cv, 0)) exit(1); ev->state = 0; } static void event_reset(event_t* ev) { ev->state = 0; } static void event_set(event_t* ev) { pthread_mutex_lock(&ev->mu); if (ev->state) exit(1); ev->state = 1; pthread_mutex_unlock(&ev->mu); pthread_cond_broadcast(&ev->cv); } static void event_wait(event_t* ev) { pthread_mutex_lock(&ev->mu); while (!ev->state) pthread_cond_wait(&ev->cv, &ev->mu); pthread_mutex_unlock(&ev->mu); } static int event_isset(event_t* ev) { pthread_mutex_lock(&ev->mu); int res = ev->state; pthread_mutex_unlock(&ev->mu); return 
res; } static int event_timedwait(event_t* ev, uint64_t timeout) { uint64_t start = current_time_ms(); uint64_t now = start; pthread_mutex_lock(&ev->mu); for (;;) { if (ev->state) break; uint64_t remain = timeout - (now - start); struct timespec ts; ts.tv_sec = remain / 1000; ts.tv_nsec = (remain % 1000) * 1000 * 1000; pthread_cond_timedwait(&ev->cv, &ev->mu, &ts); now = current_time_ms(); if (now - start > timeout) break; } int res = ev->state; pthread_mutex_unlock(&ev->mu); return res; } #define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off)) #define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len)))) struct csum_inet { uint32_t acc; }; static void csum_inet_init(struct csum_inet* csum) { csum->acc = 0; } static void csum_inet_update(struct csum_inet* csum, const uint8_t* data, size_t length) { if (length == 0) return; size_t i = 0; for (; i < length - 1; i += 2) csum->acc += *(uint16_t*)&data[i]; if (length & 1) csum->acc += le16toh((uint16_t)data[length - 1]); while (csum->acc > 0xffff) csum->acc = (csum->acc & 0xffff) + (csum->acc >> 16); } static uint16_t csum_inet_digest(struct csum_inet* csum) { return ~csum->acc; } static void sandbox_common() { if (setsid() == -1) exit(1); struct rlimit rlim; rlim.rlim_cur = rlim.rlim_max = 128 << 20; setrlimit(RLIMIT_AS, &rlim); rlim.rlim_cur = rlim.rlim_max = 8 << 20; setrlimit(RLIMIT_MEMLOCK, &rlim); rlim.rlim_cur = rlim.rlim_max = 1 << 20; setrlimit(RLIMIT_FSIZE, &rlim); rlim.rlim_cur = rlim.rlim_max = 1 << 20; setrlimit(RLIMIT_STACK, &rlim); rlim.rlim_cur = rlim.rlim_max = 0; setrlimit(RLIMIT_CORE, &rlim); rlim.rlim_cur = rlim.rlim_max = 256; setrlimit(RLIMIT_NOFILE, &rlim); } static void loop(); static int do_sandbox_none(void) { sandbox_common(); loop(); return 0; } static long syz_execute_func(volatile long text) { ((void (*)(void))(text))(); return 0; } struct 
thread_t { int created, call; event_t ready, done; }; static struct thread_t threads[16]; static void execute_call(int call); static int running; static void* thr(void* arg) { struct thread_t* th = (struct thread_t*)arg; for (;;) { event_wait(&th->ready); event_reset(&th->ready); execute_call(th->call); __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED); event_set(&th->done); } return 0; } static void execute_one(void) { if (write(1, "executing program\n", sizeof("executing program\n") - 1)) { } int i, call, thread; for (call = 0; call < 13; call++) { for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) { struct thread_t* th = &threads[thread]; if (!th->created) { th->created = 1; event_init(&th->ready); event_init(&th->done); event_set(&th->done); thread_start(thr, th); } if (!event_isset(&th->done)) continue; event_reset(&th->done); th->call = call; __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED); event_set(&th->ready); event_timedwait(&th->done, 45); break; } } for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++) sleep_ms(1); } static void execute_one(void); #define WAIT_FLAGS 0 static void loop(void) { int iter = 0; for (;; iter++) { char cwdbuf[32]; sprintf(cwdbuf, "./%d", iter); if (mkdir(cwdbuf, 0777)) exit(1); int pid = fork(); if (pid < 0) exit(1); if (pid == 0) { if (chdir(cwdbuf)) exit(1); execute_one(); exit(0); } int status = 0; uint64_t start = current_time_ms(); for (;;) { if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) break; sleep_ms(1); if (current_time_ms() - start < 5 * 1000) continue; kill_and_wait(pid, &status); break; } remove_dir(cwdbuf); } } uint64_t r[1] = {0xffffffffffffffff}; void execute_call(int call) { intptr_t res = 0; switch (call) { case 0: memcpy((void*)0x10000000, "./file0\000", 8); syscall(SYS_mkdirat, -1, 0x10000000, 4); break; case 1: syscall(SYS_shmctl, 0, 0, 0); break; case 2: memcpy((void*)0x10000040, 
"\x5d\x74\xbd\xa1\xc6\xfa\xf7\xed\x1d\xa3\x48\xf3\xfe\x51\xda\x8b\x4b\x57\xdf\x85\xe1\x00\x99\x80\x54\x73\xe4\x43\x07\x17\xdf\x69\x42\xb6\x22\x2f\x5c\x55\x01\xc5\x9e\x39\x68\x80\x18\x42\x24\xc2\x38\x46\x24\xd0\x2b\xf0\xc1\x9e\x0f\x3d\xa4\x6c\x8b\x4e\xdb\x29\xb9\x53\x61\xa8\x0b\x94\xd0\x15\xb9\x91\xbe\xd4\x79\x83\xeb\x5f\x93\x5f\xca\xca\xd2\x04\x5b\xcb\xca\x6b\x7c\x17\xf2\xad\xea\xe5\xbd\xa3\xd6\x35\xa4\xc3\xf3\x7e\x11\xd4\xf3\xd9\xe6\x5e\x4c\xb3\x25\x4d\x55\x0a\xe7\xa2\x74\x64\xd2\x81\xdd\xb7\x97\xfe\xd8\x96\x2e\x1d\xd5\x51\xb6\xd1\x2b\x40\xf9\x2d\x97\xf3\xcc\x57\x90\x5a\x72\x80\xf2\x73\xe7\x34\xaf\x43\x78\xe0\x7a\xb0\xac\x1c\xe7\x02\xdb\x10\x83\xfb\x2b\x30\xd6\xc6\x1d\x52\xe8\xb8\x39\xcc\x8a\x31\xcc\x2b\x95\xe0\xbf\x3e\x85\x5b\xb7\xf0\x49\xc5\xf8\x03\x95\xb2\xcd\xde\x79\x0f\xf0\x9c\x24\xc6\x87", 201); syscall(SYS_ioctl, -1, 0xcbe04406, 0x10000040); break; case 3: memcpy((void*)0x10000140, "./file0\000", 8); res = syscall(SYS_freebsd12_shm_open, 0x10000140, 0x800, 0x84); if (res != -1) r[0] = res; break; case 4: syscall(SYS_fchdir, (intptr_t)r[0]); break; case 5: memcpy((void*)0x10000180, "\x3b\xa9\x60\xcd\x20\x02\xee\x91\x2a\xb8\x9d\x70\xb3\x19\x8f\x9b\xdf\x06\x32\xc4\x1d\xc9\xb2\x6f\xc8\x68\x41\x5f\x72\xc4\x19\xe3\xa5\x45\xde\x1d\xf7\x56\xb0\x7a\x98\x21\x33\xe5\x94\x4e\x0d\x3b\x49\x0c\x4d\x5c\xf8\xe6\x09\xd1\x2f\x0e\x20\x6a\x7c\x12\xa6\xa6\x5f\xb0\x27\x32\x45\x01\x80\x35\x32\x66\xc2\x15\x98\x58\xb7\xd9\x8f\xa6\xdb\x7d\x05\x83\x4f\x23", 88); syscall(SYS_ioctl, -1, 0xcbe04406, 0x10000180); break; case 6: memcpy((void*)0x10000200, "./file0\000", 8); memcpy((void*)0x10000240, "./file0\000", 8); syscall(SYS_rename, 0x10000200, 0x10000240); break; case 7: *(uint32_t*)0x10000280 = 0; *(uint32_t*)0x10000284 = 0x7e; memcpy((void*)0x10000288, 
"\x0f\x7d\x7a\x58\x04\x40\x3e\xec\x81\x64\xe9\x19\xdf\xd4\xe3\x51\xb4\x9a\x4a\xf8\x25\x55\x9c\xf7\x24\xbc\x44\xba\x4d\xc1\x36\x66\xea\x2a\x7b\x38\x51\x34\xf4\x15\x72\x71\xa4\x09\x9b\xa9\x6c\x43\xc8\x41\x4a\xb9\x31\x2e\x82\xbe\xfd\x94\x5c\x8d\x50\x48\x80\xc7\x8b\x63\x90\xdb\x12\x69\x09\x26\x47\xd1\x37\xc2\x32\xd9\x3a\xa2\x16\x03\x7f\x48\x5c\x12\xa2\x1b\x33\x2d\xb7\xe2\xae\x3f\xd4\xe5\x55\xd7\xa3\x55\xbb\x60\x64\x63\x16\x00\x33\xfc\xc5\x03\xff\x22\xee\x4f\x22\x1b\x78\x50\x3c\x59\xc0\xbb\x37\x20\xa6\xf2", 126); *(uint32_t*)0x10000340 = 0x86; syscall(SYS_getsockopt, -1, 0x84, 0x103, 0x10000280, 0x10000340); break; case 8: syscall(SYS_mprotect, 0x10fff000, 0x1000, 0xa4d12c96); break; case 9: *(uint32_t*)0x100003c0 = 4; syscall(SYS_getsockopt, -1, 0x88, 2, 0x10000380, 0x100003c0); break; case 10: *(uint8_t*)0x10000000 = 0; *(uint8_t*)0x10000001 = 0; *(uint8_t*)0x10000002 = 0; *(uint8_t*)0x10000003 = 0; *(uint8_t*)0x10000004 = 0; *(uint8_t*)0x10000005 = 0; *(uint8_t*)0x10000006 = 0; *(uint8_t*)0x10000007 = 0; *(uint8_t*)0x10000008 = 0; *(uint8_t*)0x10000009 = 0; *(uint8_t*)0x1000000a = 0; *(uint8_t*)0x1000000b = 0; *(uint16_t*)0x1000000c = htobe16(0x8100); STORE_BY_BITMASK(uint16_t, , 0x1000000e, 7, 0, 3); STORE_BY_BITMASK(uint16_t, , 0x1000000e, 0, 3, 1); STORE_BY_BITMASK(uint16_t, , 0x1000000e, 4, 4, 12); *(uint16_t*)0x10000010 = htobe16(0x800); STORE_BY_BITMASK(uint8_t, , 0x10000012, 0xc, 0, 4); STORE_BY_BITMASK(uint8_t, , 0x10000012, 4, 4, 4); STORE_BY_BITMASK(uint8_t, , 0x10000013, 1, 0, 2); STORE_BY_BITMASK(uint8_t, , 0x10000013, 5, 2, 6); *(uint16_t*)0x10000014 = htobe16(0x11b); *(uint16_t*)0x10000016 = htobe16(0x65); *(uint16_t*)0x10000018 = htobe16(1); *(uint8_t*)0x1000001a = 0; *(uint8_t*)0x1000001b = 0x5a; *(uint16_t*)0x1000001c = htobe16(0); *(uint32_t*)0x1000001e = htobe32(0xe0000001); *(uint32_t*)0x10000022 = htobe32(0); *(uint8_t*)0x10000026 = 0; *(uint8_t*)0x10000027 = 0; *(uint8_t*)0x10000028 = 0x44; *(uint8_t*)0x10000029 = 0x10; *(uint8_t*)0x1000002a = 
0x32; STORE_BY_BITMASK(uint8_t, , 0x1000002b, 3, 0, 4); STORE_BY_BITMASK(uint8_t, , 0x1000002b, 9, 4, 4); *(uint32_t*)0x1000002c = htobe32(2); *(uint32_t*)0x10000030 = htobe32(0); *(uint32_t*)0x10000034 = htobe32(3); *(uint8_t*)0x10000038 = 0x94; *(uint8_t*)0x10000039 = 6; *(uint32_t*)0x1000003a = htobe32(8); *(uint8_t*)0x1000003e = 1; memcpy((void*)0x10000042, "\x5c\x1c\xf0\x73\xcf\xe9\x09\xc6\xaf\xe4\xc6\x1f\xec\x1b\xe4\x3e\x8c\xc3\x18\xea\x69\x93\x04\x8d\xae\x47\x84\xf9\x4d\x25\x82\xe3\xf4\xb6\x42\x4e\xa9\x0e\xed\xb4\x7f\x76\x04\x1f\x06\x33\x10\xb3\x46\x3f\x16\xf8\x91\xa4\x6a\x04\x0c\x93\xd6\x8d\x53\xcd\xaa\x15\x1f\x0e\x1c\xf9\x4a\x76\xc2\x24\x3b\xdd\x34\xdc\x2b\xa2\x9c\x02\x2d\xae\xf0\x2c\x4f\x01\xe8\x3d\xeb\x32\x47\x46\xde\x26\xab\xc9\xb6\xa2\x18\xbb\x44\xa1\x8b\xc9\xa2\x10\x6b\x4b\x06\x8a\x65\x05\x7d\xa3\xbb\x97\x21\xc6\xe6\x50\x38\x4e\xa1\xf3\x2a\xec\xfb\x30\x4e\x3d\xe6\x5b\xed\xf8\xa6\x8b\x6d\x67\x24\x44\xdb\x37\x45\xd6\x73\xbd\xa9\xd7\x97\x75\x2d\xf9\x94\x87\x95\xb8\xb4\xd3\xad\x21\x19\xab\xed\xfb\x4b\x99\xd6\xae\xe1\xed\x72\x56\x1d\x35\xc6\xf7\xc3\x5d\x2a\xbb\x15\xdc\x22\x13\x54\xe0\x3a\xbf\xec\x53\x10\x2a\x5d\xb5\x08\xdc\x91\x05\xd5\x49\x97\x30\xce\x3c\x11\xfe\x85\xce\x52\xc1\x86\x67\x32\xc9\x8b\x13\x16\x31\x49\x0d\x50\x1b\x16\x08\x17\xff\x9d\xd8\x5c\xed\xe2\x2b\x37\xf0\x0a", 235); struct csum_inet csum_1; csum_inet_init(&csum_1); csum_inet_update(&csum_1, (const uint8_t*)0x10000012, 48); *(uint16_t*)0x1000001c = csum_inet_digest(&csum_1); break; case 11: memcpy((void*)0x10000140, "\x66\x0f\x38\x25\x76\x87\xc4\xc3\x19\x02\x6e\x65\x70\x8f\xe8\x40\x85\x39\x06\x67\x3e\x65\x66\x0f\x3a\x0d\xff\x00\x66\x66\x0f\x29\x13\x36\x0f\x0f\xae\x2a\xb9\x00\x00\xbb\xd3\x92\xd5\x5f\x00\x00\x0f\x38\xcd\x4c\xa1\x03\x67\x0f\xb9\x93\xf7\xb5\xc4\xc1\x29\xf1\x6c\x38\x00", 67); syz_execute_func(0x10000140); break; case 12: break; } } int main(void) { syscall(SYS_mmap, 0x10000000, 0x1000000, 7, 0x1012, -1, 0); use_temporary_dir(); do_sandbox_none(); return 0; } :349:17: error: use 
of undeclared identifier 'SYS_freebsd12_shm_open' res = syscall(SYS_freebsd12_shm_open, 0x10000140, 0x800, 0x84); ^ 1 error generated. compiler invocation: clang [-o /tmp/syz-executor795615196 -DGOOS_freebsd=1 -DGOARCH_386=1 -DHOSTGOOS_freebsd=1 -x c - -m32 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -static -lc++ -Wno-overflow] --- FAIL: TestGenerate/freebsd/386/6 (1.02s) csource_test.go:123: opts: {Threaded:true Collide:false Repeat:true RepeatTimes:0 Procs:4 Sandbox:none Fault:false FaultCall:0 FaultNth:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false USB:false VhciInjection:false Wifi:false UseTmpDir:true HandleSegv:false Repro:false Trace:false} program: mkdirat(0xffffffffffffffff, &(0x7f0000000000)='./file0\x00', 0x4) shmctl$IPC_RMID(0x0, 0x0) ioctl$DIOCGETRULES(0xffffffffffffffff, 0xcbe04406, &(0x7f0000000040)="5d74bda1c6faf7ed1da348f3fe51da8b4b57df85e10099805473e4430717df6942b6222f5c5501c59e396880184224c2384624d02bf0c19e0f3da46c8b4edb29b95361a80b94d015b991bed47983eb5f935fcacad2045bcbca6b7c17f2adeae5bda3d635a4c3f37e11d4f3d9e65e4cb3254d550ae7a27464d281ddb797fed8962e1dd551b6d12b40f92d97f3cc57905a7280f273e734af4378e07ab0ac1ce702db1083fb2b30d6c61d52e8b839cc8a31cc2b95e0bf3e855bb7f049c5f80395b2cdde790ff09c24c687") r0 = freebsd12_shm_open(&(0x7f0000000140)='./file0\x00', 0x800, 0x84) fchdir(r0) ioctl$DIOCGETRULES(0xffffffffffffffff, 0xcbe04406, &(0x7f0000000180)="3ba960cd2002ee912ab89d70b3198f9bdf0632c41dc9b26fc868415f72c419e3a545de1df756b07a982133e5944e0d3b490c4d5cf8e609d12f0e206a7c12a6a65fb02732450180353266c2159858b7d98fa6db7d05834f23") rename(&(0x7f0000000200)='./file0\x00', &(0x7f0000000240)='./file0\x00') getsockopt$inet_sctp_SCTP_LOCAL_AUTH_CHUNKS(0xffffffffffffffff, 0x84, 0x103, &(0x7f0000000280)={0x0, 0x7e, 
"0f7d7a5804403eec8164e919dfd4e351b49a4af825559cf724bc44ba4dc13666ea2a7b385134f4157271a4099ba96c43c8414ab9312e82befd945c8d504880c78b6390db1269092647d137c232d93aa216037f485c12a21b332db7e2ae3fd4e555d7a355bb606463160033fcc503ff22ee4f221b78503c59c0bb3720a6f2"}, &(0x7f0000000340)=0x86) mprotect(&(0x7f0000fff000/0x1000)=nil, 0x1000, 0xcbc8aa5da4d12c96) getsockopt$inet6_udplite(0xffffffffffffffff, 0x88, 0x2, &(0x7f0000000380), &(0x7f00000003c0)=0x4) syz_emit_ethernet(0x12d, &(0x7f0000000000)={@empty, @empty, [{[], {0x8100, 0x7, 0x0, 0x4}}], {@ipv4={0x800, {{0xc, 0x4, 0x1, 0x5, 0x11b, 0x65, 0x1, 0x0, 0x5a, 0x0, @multicast1, @empty, {[@end, @end, @timestamp={0x44, 0x10, 0x32, 0x3, 0x9, [{[], 0x2}, {[@empty], 0x3}]}, @ra={0x94, 0x6, 0x8}, @noop]}}, @generic="5c1cf073cfe909c6afe4c61fec1be43e8cc318ea6993048dae4784f94d2582e3f4b6424ea90eedb47f76041f063310b3463f16f891a46a040c93d68d53cdaa151f0e1cf94a76c2243bdd34dc2ba29c022daef02c4f01e83deb324746de26abc9b6a218bb44a18bc9a2106b4b068a65057da3bb9721c6e650384ea1f32aecfb304e3de65bedf8a68b6d672444db3745d673bda9d797752df9948795b8b4d3ad2119abedfb4b99d6aee1ed72561d35c6f7c35d2abb15dc221354e03abfec53102a5db508dc9105d5499730ce3c11fe85ce52c1866732c98b131631490d501b160817ff9dd85cede22b37f00a"}}}}) syz_execute_func(&(0x7f0000000140)="660f38257687c4c319026e65708fe840853906673e65660f3a0dff0066660f2913360f0fae2ab90000bbd392d55f00000f38cd4ca103670fb993f7b5c4c129f16c3800") syz_extract_tcp_res(&(0x7f00000001c0), 0x4, 0x83dd) csource_test.go:124: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include static unsigned long long procid; static void kill_and_wait(int pid, int* status) { kill(pid, SIGKILL); while (waitpid(-1, status, 0) != pid) { } } static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t 
current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void use_temporary_dir(void) { char tmpdir_template[] = "./syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) exit(1); if (chmod(tmpdir, 0777)) exit(1); if (chdir(tmpdir)) exit(1); } static void __attribute__((noinline)) remove_dir(const char* dir) { DIR* dp = opendir(dir); if (dp == NULL) { if (errno == EACCES) { if (rmdir(dir)) exit(1); return; } exit(1); } struct dirent* ep = 0; while ((ep = readdir(dp))) { if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0) continue; char filename[FILENAME_MAX]; snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name); struct stat st; if (lstat(filename, &st)) exit(1); if (S_ISDIR(st.st_mode)) { remove_dir(filename); continue; } if (unlink(filename)) exit(1); } closedir(dp); if (rmdir(dir)) exit(1); } static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); pthread_attr_setstacksize(&attr, 128 << 10); int i = 0; for (; i < 100; i++) { if (pthread_create(&th, &attr, fn, arg) == 0) { pthread_attr_destroy(&attr); return; } if (errno == EAGAIN) { usleep(50); continue; } break; } exit(1); } typedef struct { pthread_mutex_t mu; pthread_cond_t cv; int state; } event_t; static void event_init(event_t* ev) { if (pthread_mutex_init(&ev->mu, 0)) exit(1); if (pthread_cond_init(&ev->cv, 0)) exit(1); ev->state = 0; } static void event_reset(event_t* ev) { ev->state = 0; } static void event_set(event_t* ev) { pthread_mutex_lock(&ev->mu); if (ev->state) exit(1); ev->state = 1; pthread_mutex_unlock(&ev->mu); pthread_cond_broadcast(&ev->cv); } static void event_wait(event_t* ev) { pthread_mutex_lock(&ev->mu); while (!ev->state) pthread_cond_wait(&ev->cv, &ev->mu); pthread_mutex_unlock(&ev->mu); } static int event_isset(event_t* ev) { pthread_mutex_lock(&ev->mu); int res = 
ev->state; pthread_mutex_unlock(&ev->mu); return res; } static int event_timedwait(event_t* ev, uint64_t timeout) { uint64_t start = current_time_ms(); uint64_t now = start; pthread_mutex_lock(&ev->mu); for (;;) { if (ev->state) break; uint64_t remain = timeout - (now - start); struct timespec ts; ts.tv_sec = remain / 1000; ts.tv_nsec = (remain % 1000) * 1000 * 1000; pthread_cond_timedwait(&ev->cv, &ev->mu, &ts); now = current_time_ms(); if (now - start > timeout) break; } int res = ev->state; pthread_mutex_unlock(&ev->mu); return res; } #define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off)) #define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len)))) struct csum_inet { uint32_t acc; }; static void csum_inet_init(struct csum_inet* csum) { csum->acc = 0; } static void csum_inet_update(struct csum_inet* csum, const uint8_t* data, size_t length) { if (length == 0) return; size_t i = 0; for (; i < length - 1; i += 2) csum->acc += *(uint16_t*)&data[i]; if (length & 1) csum->acc += le16toh((uint16_t)data[length - 1]); while (csum->acc > 0xffff) csum->acc = (csum->acc & 0xffff) + (csum->acc >> 16); } static uint16_t csum_inet_digest(struct csum_inet* csum) { return ~csum->acc; } static void sandbox_common() { if (setsid() == -1) exit(1); struct rlimit rlim; rlim.rlim_cur = rlim.rlim_max = 128 << 20; setrlimit(RLIMIT_AS, &rlim); rlim.rlim_cur = rlim.rlim_max = 8 << 20; setrlimit(RLIMIT_MEMLOCK, &rlim); rlim.rlim_cur = rlim.rlim_max = 1 << 20; setrlimit(RLIMIT_FSIZE, &rlim); rlim.rlim_cur = rlim.rlim_max = 1 << 20; setrlimit(RLIMIT_STACK, &rlim); rlim.rlim_cur = rlim.rlim_max = 0; setrlimit(RLIMIT_CORE, &rlim); rlim.rlim_cur = rlim.rlim_max = 256; setrlimit(RLIMIT_NOFILE, &rlim); } static void loop(); static int do_sandbox_none(void) { sandbox_common(); loop(); return 0; } static long syz_execute_func(volatile long text) { 
((void (*)(void))(text))(); return 0; } struct thread_t { int created, call; event_t ready, done; }; static struct thread_t threads[16]; static void execute_call(int call); static int running; static void* thr(void* arg) { struct thread_t* th = (struct thread_t*)arg; for (;;) { event_wait(&th->ready); event_reset(&th->ready); execute_call(th->call); __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED); event_set(&th->done); } return 0; } static void execute_one(void) { int i, call, thread; for (call = 0; call < 13; call++) { for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) { struct thread_t* th = &threads[thread]; if (!th->created) { th->created = 1; event_init(&th->ready); event_init(&th->done); event_set(&th->done); thread_start(thr, th); } if (!event_isset(&th->done)) continue; event_reset(&th->done); th->call = call; __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED); event_set(&th->ready); event_timedwait(&th->done, 45); break; } } for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++) sleep_ms(1); } static void execute_one(void); #define WAIT_FLAGS 0 static void loop(void) { int iter = 0; for (;; iter++) { char cwdbuf[32]; sprintf(cwdbuf, "./%d", iter); if (mkdir(cwdbuf, 0777)) exit(1); int pid = fork(); if (pid < 0) exit(1); if (pid == 0) { if (chdir(cwdbuf)) exit(1); execute_one(); exit(0); } int status = 0; uint64_t start = current_time_ms(); for (;;) { if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) break; sleep_ms(1); if (current_time_ms() - start < 5 * 1000) continue; kill_and_wait(pid, &status); break; } remove_dir(cwdbuf); } } uint64_t r[1] = {0xffffffffffffffff}; void execute_call(int call) { intptr_t res = 0; switch (call) { case 0: memcpy((void*)0x10000000, "./file0\000", 8); syscall(SYS_mkdirat, -1, 0x10000000, 4); break; case 1: syscall(SYS_shmctl, 0, 0, 0); break; case 2: memcpy((void*)0x10000040, 
"\x5d\x74\xbd\xa1\xc6\xfa\xf7\xed\x1d\xa3\x48\xf3\xfe\x51\xda\x8b\x4b\x57\xdf\x85\xe1\x00\x99\x80\x54\x73\xe4\x43\x07\x17\xdf\x69\x42\xb6\x22\x2f\x5c\x55\x01\xc5\x9e\x39\x68\x80\x18\x42\x24\xc2\x38\x46\x24\xd0\x2b\xf0\xc1\x9e\x0f\x3d\xa4\x6c\x8b\x4e\xdb\x29\xb9\x53\x61\xa8\x0b\x94\xd0\x15\xb9\x91\xbe\xd4\x79\x83\xeb\x5f\x93\x5f\xca\xca\xd2\x04\x5b\xcb\xca\x6b\x7c\x17\xf2\xad\xea\xe5\xbd\xa3\xd6\x35\xa4\xc3\xf3\x7e\x11\xd4\xf3\xd9\xe6\x5e\x4c\xb3\x25\x4d\x55\x0a\xe7\xa2\x74\x64\xd2\x81\xdd\xb7\x97\xfe\xd8\x96\x2e\x1d\xd5\x51\xb6\xd1\x2b\x40\xf9\x2d\x97\xf3\xcc\x57\x90\x5a\x72\x80\xf2\x73\xe7\x34\xaf\x43\x78\xe0\x7a\xb0\xac\x1c\xe7\x02\xdb\x10\x83\xfb\x2b\x30\xd6\xc6\x1d\x52\xe8\xb8\x39\xcc\x8a\x31\xcc\x2b\x95\xe0\xbf\x3e\x85\x5b\xb7\xf0\x49\xc5\xf8\x03\x95\xb2\xcd\xde\x79\x0f\xf0\x9c\x24\xc6\x87", 201); syscall(SYS_ioctl, -1, 0xcbe04406, 0x10000040); break; case 3: memcpy((void*)0x10000140, "./file0\000", 8); res = syscall(SYS_freebsd12_shm_open, 0x10000140, 0x800, 0x84); if (res != -1) r[0] = res; break; case 4: syscall(SYS_fchdir, (intptr_t)r[0]); break; case 5: memcpy((void*)0x10000180, "\x3b\xa9\x60\xcd\x20\x02\xee\x91\x2a\xb8\x9d\x70\xb3\x19\x8f\x9b\xdf\x06\x32\xc4\x1d\xc9\xb2\x6f\xc8\x68\x41\x5f\x72\xc4\x19\xe3\xa5\x45\xde\x1d\xf7\x56\xb0\x7a\x98\x21\x33\xe5\x94\x4e\x0d\x3b\x49\x0c\x4d\x5c\xf8\xe6\x09\xd1\x2f\x0e\x20\x6a\x7c\x12\xa6\xa6\x5f\xb0\x27\x32\x45\x01\x80\x35\x32\x66\xc2\x15\x98\x58\xb7\xd9\x8f\xa6\xdb\x7d\x05\x83\x4f\x23", 88); syscall(SYS_ioctl, -1, 0xcbe04406, 0x10000180); break; case 6: memcpy((void*)0x10000200, "./file0\000", 8); memcpy((void*)0x10000240, "./file0\000", 8); syscall(SYS_rename, 0x10000200, 0x10000240); break; case 7: *(uint32_t*)0x10000280 = 0; *(uint32_t*)0x10000284 = 0x7e; memcpy((void*)0x10000288, 
"\x0f\x7d\x7a\x58\x04\x40\x3e\xec\x81\x64\xe9\x19\xdf\xd4\xe3\x51\xb4\x9a\x4a\xf8\x25\x55\x9c\xf7\x24\xbc\x44\xba\x4d\xc1\x36\x66\xea\x2a\x7b\x38\x51\x34\xf4\x15\x72\x71\xa4\x09\x9b\xa9\x6c\x43\xc8\x41\x4a\xb9\x31\x2e\x82\xbe\xfd\x94\x5c\x8d\x50\x48\x80\xc7\x8b\x63\x90\xdb\x12\x69\x09\x26\x47\xd1\x37\xc2\x32\xd9\x3a\xa2\x16\x03\x7f\x48\x5c\x12\xa2\x1b\x33\x2d\xb7\xe2\xae\x3f\xd4\xe5\x55\xd7\xa3\x55\xbb\x60\x64\x63\x16\x00\x33\xfc\xc5\x03\xff\x22\xee\x4f\x22\x1b\x78\x50\x3c\x59\xc0\xbb\x37\x20\xa6\xf2", 126); *(uint32_t*)0x10000340 = 0x86; syscall(SYS_getsockopt, -1, 0x84, 0x103, 0x10000280, 0x10000340); break; case 8: syscall(SYS_mprotect, 0x10fff000, 0x1000, 0xa4d12c96); break; case 9: *(uint32_t*)0x100003c0 = 4; syscall(SYS_getsockopt, -1, 0x88, 2, 0x10000380, 0x100003c0); break; case 10: *(uint8_t*)0x10000000 = 0; *(uint8_t*)0x10000001 = 0; *(uint8_t*)0x10000002 = 0; *(uint8_t*)0x10000003 = 0; *(uint8_t*)0x10000004 = 0; *(uint8_t*)0x10000005 = 0; *(uint8_t*)0x10000006 = 0; *(uint8_t*)0x10000007 = 0; *(uint8_t*)0x10000008 = 0; *(uint8_t*)0x10000009 = 0; *(uint8_t*)0x1000000a = 0; *(uint8_t*)0x1000000b = 0; *(uint16_t*)0x1000000c = htobe16(0x8100); STORE_BY_BITMASK(uint16_t, , 0x1000000e, 7, 0, 3); STORE_BY_BITMASK(uint16_t, , 0x1000000e, 0, 3, 1); STORE_BY_BITMASK(uint16_t, , 0x1000000e, 4, 4, 12); *(uint16_t*)0x10000010 = htobe16(0x800); STORE_BY_BITMASK(uint8_t, , 0x10000012, 0xc, 0, 4); STORE_BY_BITMASK(uint8_t, , 0x10000012, 4, 4, 4); STORE_BY_BITMASK(uint8_t, , 0x10000013, 1, 0, 2); STORE_BY_BITMASK(uint8_t, , 0x10000013, 5, 2, 6); *(uint16_t*)0x10000014 = htobe16(0x11b); *(uint16_t*)0x10000016 = htobe16(0x65); *(uint16_t*)0x10000018 = htobe16(1); *(uint8_t*)0x1000001a = 0; *(uint8_t*)0x1000001b = 0x5a; *(uint16_t*)0x1000001c = htobe16(0); *(uint32_t*)0x1000001e = htobe32(0xe0000001); *(uint32_t*)0x10000022 = htobe32(0); *(uint8_t*)0x10000026 = 0; *(uint8_t*)0x10000027 = 0; *(uint8_t*)0x10000028 = 0x44; *(uint8_t*)0x10000029 = 0x10; *(uint8_t*)0x1000002a = 
0x32; STORE_BY_BITMASK(uint8_t, , 0x1000002b, 3, 0, 4); STORE_BY_BITMASK(uint8_t, , 0x1000002b, 9, 4, 4); *(uint32_t*)0x1000002c = htobe32(2); *(uint32_t*)0x10000030 = htobe32(0); *(uint32_t*)0x10000034 = htobe32(3); *(uint8_t*)0x10000038 = 0x94; *(uint8_t*)0x10000039 = 6; *(uint32_t*)0x1000003a = htobe32(8); *(uint8_t*)0x1000003e = 1; memcpy((void*)0x10000042, "\x5c\x1c\xf0\x73\xcf\xe9\x09\xc6\xaf\xe4\xc6\x1f\xec\x1b\xe4\x3e\x8c\xc3\x18\xea\x69\x93\x04\x8d\xae\x47\x84\xf9\x4d\x25\x82\xe3\xf4\xb6\x42\x4e\xa9\x0e\xed\xb4\x7f\x76\x04\x1f\x06\x33\x10\xb3\x46\x3f\x16\xf8\x91\xa4\x6a\x04\x0c\x93\xd6\x8d\x53\xcd\xaa\x15\x1f\x0e\x1c\xf9\x4a\x76\xc2\x24\x3b\xdd\x34\xdc\x2b\xa2\x9c\x02\x2d\xae\xf0\x2c\x4f\x01\xe8\x3d\xeb\x32\x47\x46\xde\x26\xab\xc9\xb6\xa2\x18\xbb\x44\xa1\x8b\xc9\xa2\x10\x6b\x4b\x06\x8a\x65\x05\x7d\xa3\xbb\x97\x21\xc6\xe6\x50\x38\x4e\xa1\xf3\x2a\xec\xfb\x30\x4e\x3d\xe6\x5b\xed\xf8\xa6\x8b\x6d\x67\x24\x44\xdb\x37\x45\xd6\x73\xbd\xa9\xd7\x97\x75\x2d\xf9\x94\x87\x95\xb8\xb4\xd3\xad\x21\x19\xab\xed\xfb\x4b\x99\xd6\xae\xe1\xed\x72\x56\x1d\x35\xc6\xf7\xc3\x5d\x2a\xbb\x15\xdc\x22\x13\x54\xe0\x3a\xbf\xec\x53\x10\x2a\x5d\xb5\x08\xdc\x91\x05\xd5\x49\x97\x30\xce\x3c\x11\xfe\x85\xce\x52\xc1\x86\x67\x32\xc9\x8b\x13\x16\x31\x49\x0d\x50\x1b\x16\x08\x17\xff\x9d\xd8\x5c\xed\xe2\x2b\x37\xf0\x0a", 235); struct csum_inet csum_1; csum_inet_init(&csum_1); csum_inet_update(&csum_1, (const uint8_t*)0x10000012, 48); *(uint16_t*)0x1000001c = csum_inet_digest(&csum_1); break; case 11: memcpy((void*)0x10000140, "\x66\x0f\x38\x25\x76\x87\xc4\xc3\x19\x02\x6e\x65\x70\x8f\xe8\x40\x85\x39\x06\x67\x3e\x65\x66\x0f\x3a\x0d\xff\x00\x66\x66\x0f\x29\x13\x36\x0f\x0f\xae\x2a\xb9\x00\x00\xbb\xd3\x92\xd5\x5f\x00\x00\x0f\x38\xcd\x4c\xa1\x03\x67\x0f\xb9\x93\xf7\xb5\xc4\xc1\x29\xf1\x6c\x38\x00", 67); syz_execute_func(0x10000140); break; case 12: break; } } int main(void) { syscall(SYS_mmap, 0x10000000, 0x1000000, 7, 0x1012, -1, 0); for (procid = 0; procid < 4; procid++) { if (fork() == 0) { 
use_temporary_dir(); do_sandbox_none(); } } sleep(1000000); return 0; } :349:17: error: use of undeclared identifier 'SYS_freebsd12_shm_open' res = syscall(SYS_freebsd12_shm_open, 0x10000140, 0x800, 0x84); ^ 1 error generated. compiler invocation: clang [-o /tmp/syz-executor406538289 -DGOOS_freebsd=1 -DGOARCH_386=1 -DHOSTGOOS_freebsd=1 -x c - -m32 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -static -lc++ -Wno-overflow] --- FAIL: TestGenerate/freebsd/386/8 (1.37s) csource_test.go:123: opts: {Threaded:true Collide:false Repeat:true RepeatTimes:0 Procs:0 Sandbox:setuid Fault:false FaultCall:0 FaultNth:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false USB:false VhciInjection:false Wifi:false UseTmpDir:true HandleSegv:false Repro:false Trace:false} program: mkdirat(0xffffffffffffffff, &(0x7f0000000000)='./file0\x00', 0x4) shmctl$IPC_RMID(0x0, 0x0) ioctl$DIOCGETRULES(0xffffffffffffffff, 0xcbe04406, &(0x7f0000000040)="5d74bda1c6faf7ed1da348f3fe51da8b4b57df85e10099805473e4430717df6942b6222f5c5501c59e396880184224c2384624d02bf0c19e0f3da46c8b4edb29b95361a80b94d015b991bed47983eb5f935fcacad2045bcbca6b7c17f2adeae5bda3d635a4c3f37e11d4f3d9e65e4cb3254d550ae7a27464d281ddb797fed8962e1dd551b6d12b40f92d97f3cc57905a7280f273e734af4378e07ab0ac1ce702db1083fb2b30d6c61d52e8b839cc8a31cc2b95e0bf3e855bb7f049c5f80395b2cdde790ff09c24c687") r0 = freebsd12_shm_open(&(0x7f0000000140)='./file0\x00', 0x800, 0x84) fchdir(r0) ioctl$DIOCGETRULES(0xffffffffffffffff, 0xcbe04406, &(0x7f0000000180)="3ba960cd2002ee912ab89d70b3198f9bdf0632c41dc9b26fc868415f72c419e3a545de1df756b07a982133e5944e0d3b490c4d5cf8e609d12f0e206a7c12a6a65fb02732450180353266c2159858b7d98fa6db7d05834f23") rename(&(0x7f0000000200)='./file0\x00', &(0x7f0000000240)='./file0\x00') getsockopt$inet_sctp_SCTP_LOCAL_AUTH_CHUNKS(0xffffffffffffffff, 0x84, 0x103, &(0x7f0000000280)={0x0, 0x7e, 
"0f7d7a5804403eec8164e919dfd4e351b49a4af825559cf724bc44ba4dc13666ea2a7b385134f4157271a4099ba96c43c8414ab9312e82befd945c8d504880c78b6390db1269092647d137c232d93aa216037f485c12a21b332db7e2ae3fd4e555d7a355bb606463160033fcc503ff22ee4f221b78503c59c0bb3720a6f2"}, &(0x7f0000000340)=0x86) mprotect(&(0x7f0000fff000/0x1000)=nil, 0x1000, 0xcbc8aa5da4d12c96) getsockopt$inet6_udplite(0xffffffffffffffff, 0x88, 0x2, &(0x7f0000000380), &(0x7f00000003c0)=0x4) syz_emit_ethernet(0x12d, &(0x7f0000000000)={@empty, @empty, [{[], {0x8100, 0x7, 0x0, 0x4}}], {@ipv4={0x800, {{0xc, 0x4, 0x1, 0x5, 0x11b, 0x65, 0x1, 0x0, 0x5a, 0x0, @multicast1, @empty, {[@end, @end, @timestamp={0x44, 0x10, 0x32, 0x3, 0x9, [{[], 0x2}, {[@empty], 0x3}]}, @ra={0x94, 0x6, 0x8}, @noop]}}, @generic="5c1cf073cfe909c6afe4c61fec1be43e8cc318ea6993048dae4784f94d2582e3f4b6424ea90eedb47f76041f063310b3463f16f891a46a040c93d68d53cdaa151f0e1cf94a76c2243bdd34dc2ba29c022daef02c4f01e83deb324746de26abc9b6a218bb44a18bc9a2106b4b068a65057da3bb9721c6e650384ea1f32aecfb304e3de65bedf8a68b6d672444db3745d673bda9d797752df9948795b8b4d3ad2119abedfb4b99d6aee1ed72561d35c6f7c35d2abb15dc221354e03abfec53102a5db508dc9105d5499730ce3c11fe85ce52c1866732c98b131631490d501b160817ff9dd85cede22b37f00a"}}}}) syz_execute_func(&(0x7f0000000140)="660f38257687c4c319026e65708fe840853906673e65660f3a0dff0066660f2913360f0fae2ab90000bbd392d55f00000f38cd4ca103670fb993f7b5c4c129f16c3800") syz_extract_tcp_res(&(0x7f00000001c0), 0x4, 0x83dd) csource_test.go:124: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include static void kill_and_wait(int pid, int* status) { kill(pid, SIGKILL); while (waitpid(-1, status, 0) != pid) { } } static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if 
(clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void use_temporary_dir(void) { char tmpdir_template[] = "./syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) exit(1); if (chmod(tmpdir, 0777)) exit(1); if (chdir(tmpdir)) exit(1); } static void __attribute__((noinline)) remove_dir(const char* dir) { DIR* dp = opendir(dir); if (dp == NULL) { if (errno == EACCES) { if (rmdir(dir)) exit(1); return; } exit(1); } struct dirent* ep = 0; while ((ep = readdir(dp))) { if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0) continue; char filename[FILENAME_MAX]; snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name); struct stat st; if (lstat(filename, &st)) exit(1); if (S_ISDIR(st.st_mode)) { remove_dir(filename); continue; } if (unlink(filename)) exit(1); } closedir(dp); if (rmdir(dir)) exit(1); } static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); pthread_attr_setstacksize(&attr, 128 << 10); int i = 0; for (; i < 100; i++) { if (pthread_create(&th, &attr, fn, arg) == 0) { pthread_attr_destroy(&attr); return; } if (errno == EAGAIN) { usleep(50); continue; } break; } exit(1); } typedef struct { pthread_mutex_t mu; pthread_cond_t cv; int state; } event_t; static void event_init(event_t* ev) { if (pthread_mutex_init(&ev->mu, 0)) exit(1); if (pthread_cond_init(&ev->cv, 0)) exit(1); ev->state = 0; } static void event_reset(event_t* ev) { ev->state = 0; } static void event_set(event_t* ev) { pthread_mutex_lock(&ev->mu); if (ev->state) exit(1); ev->state = 1; pthread_mutex_unlock(&ev->mu); pthread_cond_broadcast(&ev->cv); } static void event_wait(event_t* ev) { pthread_mutex_lock(&ev->mu); while (!ev->state) pthread_cond_wait(&ev->cv, &ev->mu); pthread_mutex_unlock(&ev->mu); } static int event_isset(event_t* ev) { pthread_mutex_lock(&ev->mu); int res = ev->state; pthread_mutex_unlock(&ev->mu); return 
res; } static int event_timedwait(event_t* ev, uint64_t timeout) { uint64_t start = current_time_ms(); uint64_t now = start; pthread_mutex_lock(&ev->mu); for (;;) { if (ev->state) break; uint64_t remain = timeout - (now - start); struct timespec ts; ts.tv_sec = remain / 1000; ts.tv_nsec = (remain % 1000) * 1000 * 1000; pthread_cond_timedwait(&ev->cv, &ev->mu, &ts); now = current_time_ms(); if (now - start > timeout) break; } int res = ev->state; pthread_mutex_unlock(&ev->mu); return res; } #define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off)) #define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len)))) struct csum_inet { uint32_t acc; }; static void csum_inet_init(struct csum_inet* csum) { csum->acc = 0; } static void csum_inet_update(struct csum_inet* csum, const uint8_t* data, size_t length) { if (length == 0) return; size_t i = 0; for (; i < length - 1; i += 2) csum->acc += *(uint16_t*)&data[i]; if (length & 1) csum->acc += le16toh((uint16_t)data[length - 1]); while (csum->acc > 0xffff) csum->acc = (csum->acc & 0xffff) + (csum->acc >> 16); } static uint16_t csum_inet_digest(struct csum_inet* csum) { return ~csum->acc; } static void sandbox_common() { if (setsid() == -1) exit(1); struct rlimit rlim; rlim.rlim_cur = rlim.rlim_max = 128 << 20; setrlimit(RLIMIT_AS, &rlim); rlim.rlim_cur = rlim.rlim_max = 8 << 20; setrlimit(RLIMIT_MEMLOCK, &rlim); rlim.rlim_cur = rlim.rlim_max = 1 << 20; setrlimit(RLIMIT_FSIZE, &rlim); rlim.rlim_cur = rlim.rlim_max = 1 << 20; setrlimit(RLIMIT_STACK, &rlim); rlim.rlim_cur = rlim.rlim_max = 0; setrlimit(RLIMIT_CORE, &rlim); rlim.rlim_cur = rlim.rlim_max = 256; setrlimit(RLIMIT_NOFILE, &rlim); } static void loop(); static int wait_for_loop(int pid) { if (pid < 0) exit(1); int status = 0; while (waitpid(-1, &status, WUNTRACED) != pid) { } return WEXITSTATUS(status); } static int 
do_sandbox_setuid(void) { int pid = fork(); if (pid != 0) return wait_for_loop(pid); sandbox_common(); char pwbuf[1024]; struct passwd *pw, pwres; if (getpwnam_r("nobody", &pwres, pwbuf, sizeof(pwbuf), &pw) != 0 || !pw) exit(1); if (setgroups(0, NULL)) exit(1); if (setgid(pw->pw_gid)) exit(1); if (setuid(pw->pw_uid)) exit(1); loop(); exit(1); } static long syz_execute_func(volatile long text) { ((void (*)(void))(text))(); return 0; } struct thread_t { int created, call; event_t ready, done; }; static struct thread_t threads[16]; static void execute_call(int call); static int running; static void* thr(void* arg) { struct thread_t* th = (struct thread_t*)arg; for (;;) { event_wait(&th->ready); event_reset(&th->ready); execute_call(th->call); __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED); event_set(&th->done); } return 0; } static void execute_one(void) { int i, call, thread; for (call = 0; call < 13; call++) { for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) { struct thread_t* th = &threads[thread]; if (!th->created) { th->created = 1; event_init(&th->ready); event_init(&th->done); event_set(&th->done); thread_start(thr, th); } if (!event_isset(&th->done)) continue; event_reset(&th->done); th->call = call; __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED); event_set(&th->ready); event_timedwait(&th->done, 45); break; } } for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++) sleep_ms(1); } static void execute_one(void); #define WAIT_FLAGS 0 static void loop(void) { int iter = 0; for (;; iter++) { char cwdbuf[32]; sprintf(cwdbuf, "./%d", iter); if (mkdir(cwdbuf, 0777)) exit(1); int pid = fork(); if (pid < 0) exit(1); if (pid == 0) { if (chdir(cwdbuf)) exit(1); execute_one(); exit(0); } int status = 0; uint64_t start = current_time_ms(); for (;;) { if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) break; sleep_ms(1); if (current_time_ms() - start < 5 * 1000) continue; kill_and_wait(pid, &status); break; } 
remove_dir(cwdbuf); } } uint64_t r[1] = {0xffffffffffffffff}; void execute_call(int call) { intptr_t res = 0; switch (call) { case 0: memcpy((void*)0x10000000, "./file0\000", 8); syscall(SYS_mkdirat, -1, 0x10000000, 4); break; case 1: syscall(SYS_shmctl, 0, 0, 0); break; case 2: memcpy((void*)0x10000040, "\x5d\x74\xbd\xa1\xc6\xfa\xf7\xed\x1d\xa3\x48\xf3\xfe\x51\xda\x8b\x4b\x57\xdf\x85\xe1\x00\x99\x80\x54\x73\xe4\x43\x07\x17\xdf\x69\x42\xb6\x22\x2f\x5c\x55\x01\xc5\x9e\x39\x68\x80\x18\x42\x24\xc2\x38\x46\x24\xd0\x2b\xf0\xc1\x9e\x0f\x3d\xa4\x6c\x8b\x4e\xdb\x29\xb9\x53\x61\xa8\x0b\x94\xd0\x15\xb9\x91\xbe\xd4\x79\x83\xeb\x5f\x93\x5f\xca\xca\xd2\x04\x5b\xcb\xca\x6b\x7c\x17\xf2\xad\xea\xe5\xbd\xa3\xd6\x35\xa4\xc3\xf3\x7e\x11\xd4\xf3\xd9\xe6\x5e\x4c\xb3\x25\x4d\x55\x0a\xe7\xa2\x74\x64\xd2\x81\xdd\xb7\x97\xfe\xd8\x96\x2e\x1d\xd5\x51\xb6\xd1\x2b\x40\xf9\x2d\x97\xf3\xcc\x57\x90\x5a\x72\x80\xf2\x73\xe7\x34\xaf\x43\x78\xe0\x7a\xb0\xac\x1c\xe7\x02\xdb\x10\x83\xfb\x2b\x30\xd6\xc6\x1d\x52\xe8\xb8\x39\xcc\x8a\x31\xcc\x2b\x95\xe0\xbf\x3e\x85\x5b\xb7\xf0\x49\xc5\xf8\x03\x95\xb2\xcd\xde\x79\x0f\xf0\x9c\x24\xc6\x87", 201); syscall(SYS_ioctl, -1, 0xcbe04406, 0x10000040); break; case 3: memcpy((void*)0x10000140, "./file0\000", 8); res = syscall(SYS_freebsd12_shm_open, 0x10000140, 0x800, 0x84); if (res != -1) r[0] = res; break; case 4: syscall(SYS_fchdir, (intptr_t)r[0]); break; case 5: memcpy((void*)0x10000180, "\x3b\xa9\x60\xcd\x20\x02\xee\x91\x2a\xb8\x9d\x70\xb3\x19\x8f\x9b\xdf\x06\x32\xc4\x1d\xc9\xb2\x6f\xc8\x68\x41\x5f\x72\xc4\x19\xe3\xa5\x45\xde\x1d\xf7\x56\xb0\x7a\x98\x21\x33\xe5\x94\x4e\x0d\x3b\x49\x0c\x4d\x5c\xf8\xe6\x09\xd1\x2f\x0e\x20\x6a\x7c\x12\xa6\xa6\x5f\xb0\x27\x32\x45\x01\x80\x35\x32\x66\xc2\x15\x98\x58\xb7\xd9\x8f\xa6\xdb\x7d\x05\x83\x4f\x23", 88); syscall(SYS_ioctl, -1, 0xcbe04406, 0x10000180); break; case 6: memcpy((void*)0x10000200, "./file0\000", 8); memcpy((void*)0x10000240, "./file0\000", 8); syscall(SYS_rename, 0x10000200, 0x10000240); break; case 7: 
*(uint32_t*)0x10000280 = 0; *(uint32_t*)0x10000284 = 0x7e; memcpy((void*)0x10000288, "\x0f\x7d\x7a\x58\x04\x40\x3e\xec\x81\x64\xe9\x19\xdf\xd4\xe3\x51\xb4\x9a\x4a\xf8\x25\x55\x9c\xf7\x24\xbc\x44\xba\x4d\xc1\x36\x66\xea\x2a\x7b\x38\x51\x34\xf4\x15\x72\x71\xa4\x09\x9b\xa9\x6c\x43\xc8\x41\x4a\xb9\x31\x2e\x82\xbe\xfd\x94\x5c\x8d\x50\x48\x80\xc7\x8b\x63\x90\xdb\x12\x69\x09\x26\x47\xd1\x37\xc2\x32\xd9\x3a\xa2\x16\x03\x7f\x48\x5c\x12\xa2\x1b\x33\x2d\xb7\xe2\xae\x3f\xd4\xe5\x55\xd7\xa3\x55\xbb\x60\x64\x63\x16\x00\x33\xfc\xc5\x03\xff\x22\xee\x4f\x22\x1b\x78\x50\x3c\x59\xc0\xbb\x37\x20\xa6\xf2", 126); *(uint32_t*)0x10000340 = 0x86; syscall(SYS_getsockopt, -1, 0x84, 0x103, 0x10000280, 0x10000340); break; case 8: syscall(SYS_mprotect, 0x10fff000, 0x1000, 0xa4d12c96); break; case 9: *(uint32_t*)0x100003c0 = 4; syscall(SYS_getsockopt, -1, 0x88, 2, 0x10000380, 0x100003c0); break; case 10: *(uint8_t*)0x10000000 = 0; *(uint8_t*)0x10000001 = 0; *(uint8_t*)0x10000002 = 0; *(uint8_t*)0x10000003 = 0; *(uint8_t*)0x10000004 = 0; *(uint8_t*)0x10000005 = 0; *(uint8_t*)0x10000006 = 0; *(uint8_t*)0x10000007 = 0; *(uint8_t*)0x10000008 = 0; *(uint8_t*)0x10000009 = 0; *(uint8_t*)0x1000000a = 0; *(uint8_t*)0x1000000b = 0; *(uint16_t*)0x1000000c = htobe16(0x8100); STORE_BY_BITMASK(uint16_t, , 0x1000000e, 7, 0, 3); STORE_BY_BITMASK(uint16_t, , 0x1000000e, 0, 3, 1); STORE_BY_BITMASK(uint16_t, , 0x1000000e, 4, 4, 12); *(uint16_t*)0x10000010 = htobe16(0x800); STORE_BY_BITMASK(uint8_t, , 0x10000012, 0xc, 0, 4); STORE_BY_BITMASK(uint8_t, , 0x10000012, 4, 4, 4); STORE_BY_BITMASK(uint8_t, , 0x10000013, 1, 0, 2); STORE_BY_BITMASK(uint8_t, , 0x10000013, 5, 2, 6); *(uint16_t*)0x10000014 = htobe16(0x11b); *(uint16_t*)0x10000016 = htobe16(0x65); *(uint16_t*)0x10000018 = htobe16(1); *(uint8_t*)0x1000001a = 0; *(uint8_t*)0x1000001b = 0x5a; *(uint16_t*)0x1000001c = htobe16(0); *(uint32_t*)0x1000001e = htobe32(0xe0000001); *(uint32_t*)0x10000022 = htobe32(0); *(uint8_t*)0x10000026 = 0; *(uint8_t*)0x10000027 = 0; 
*(uint8_t*)0x10000028 = 0x44; *(uint8_t*)0x10000029 = 0x10; *(uint8_t*)0x1000002a = 0x32; STORE_BY_BITMASK(uint8_t, , 0x1000002b, 3, 0, 4); STORE_BY_BITMASK(uint8_t, , 0x1000002b, 9, 4, 4); *(uint32_t*)0x1000002c = htobe32(2); *(uint32_t*)0x10000030 = htobe32(0); *(uint32_t*)0x10000034 = htobe32(3); *(uint8_t*)0x10000038 = 0x94; *(uint8_t*)0x10000039 = 6; *(uint32_t*)0x1000003a = htobe32(8); *(uint8_t*)0x1000003e = 1; memcpy((void*)0x10000042, "\x5c\x1c\xf0\x73\xcf\xe9\x09\xc6\xaf\xe4\xc6\x1f\xec\x1b\xe4\x3e\x8c\xc3\x18\xea\x69\x93\x04\x8d\xae\x47\x84\xf9\x4d\x25\x82\xe3\xf4\xb6\x42\x4e\xa9\x0e\xed\xb4\x7f\x76\x04\x1f\x06\x33\x10\xb3\x46\x3f\x16\xf8\x91\xa4\x6a\x04\x0c\x93\xd6\x8d\x53\xcd\xaa\x15\x1f\x0e\x1c\xf9\x4a\x76\xc2\x24\x3b\xdd\x34\xdc\x2b\xa2\x9c\x02\x2d\xae\xf0\x2c\x4f\x01\xe8\x3d\xeb\x32\x47\x46\xde\x26\xab\xc9\xb6\xa2\x18\xbb\x44\xa1\x8b\xc9\xa2\x10\x6b\x4b\x06\x8a\x65\x05\x7d\xa3\xbb\x97\x21\xc6\xe6\x50\x38\x4e\xa1\xf3\x2a\xec\xfb\x30\x4e\x3d\xe6\x5b\xed\xf8\xa6\x8b\x6d\x67\x24\x44\xdb\x37\x45\xd6\x73\xbd\xa9\xd7\x97\x75\x2d\xf9\x94\x87\x95\xb8\xb4\xd3\xad\x21\x19\xab\xed\xfb\x4b\x99\xd6\xae\xe1\xed\x72\x56\x1d\x35\xc6\xf7\xc3\x5d\x2a\xbb\x15\xdc\x22\x13\x54\xe0\x3a\xbf\xec\x53\x10\x2a\x5d\xb5\x08\xdc\x91\x05\xd5\x49\x97\x30\xce\x3c\x11\xfe\x85\xce\x52\xc1\x86\x67\x32\xc9\x8b\x13\x16\x31\x49\x0d\x50\x1b\x16\x08\x17\xff\x9d\xd8\x5c\xed\xe2\x2b\x37\xf0\x0a", 235); struct csum_inet csum_1; csum_inet_init(&csum_1); csum_inet_update(&csum_1, (const uint8_t*)0x10000012, 48); *(uint16_t*)0x1000001c = csum_inet_digest(&csum_1); break; case 11: memcpy((void*)0x10000140, "\x66\x0f\x38\x25\x76\x87\xc4\xc3\x19\x02\x6e\x65\x70\x8f\xe8\x40\x85\x39\x06\x67\x3e\x65\x66\x0f\x3a\x0d\xff\x00\x66\x66\x0f\x29\x13\x36\x0f\x0f\xae\x2a\xb9\x00\x00\xbb\xd3\x92\xd5\x5f\x00\x00\x0f\x38\xcd\x4c\xa1\x03\x67\x0f\xb9\x93\xf7\xb5\xc4\xc1\x29\xf1\x6c\x38\x00", 67); syz_execute_func(0x10000140); break; case 12: break; } } int main(void) { syscall(SYS_mmap, 0x10000000, 0x1000000, 7, 
0x1012, -1, 0); use_temporary_dir(); do_sandbox_setuid(); return 0; } :370:17: error: use of undeclared identifier 'SYS_freebsd12_shm_open' res = syscall(SYS_freebsd12_shm_open, 0x10000140, 0x800, 0x84); ^ 1 error generated. compiler invocation: clang [-o /tmp/syz-executor131576203 -DGOOS_freebsd=1 -DGOARCH_386=1 -DHOSTGOOS_freebsd=1 -x c - -m32 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -static -lc++ -Wno-overflow] --- FAIL: TestGenerate/freebsd/386/7 (1.82s) csource_test.go:123: opts: {Threaded:true Collide:false Repeat:true RepeatTimes:0 Procs:0 Sandbox: Fault:false FaultCall:0 FaultNth:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false USB:false VhciInjection:false Wifi:false UseTmpDir:true HandleSegv:false Repro:false Trace:false} program: mkdirat(0xffffffffffffffff, &(0x7f0000000000)='./file0\x00', 0x4) shmctl$IPC_RMID(0x0, 0x0) ioctl$DIOCGETRULES(0xffffffffffffffff, 0xcbe04406, &(0x7f0000000040)="5d74bda1c6faf7ed1da348f3fe51da8b4b57df85e10099805473e4430717df6942b6222f5c5501c59e396880184224c2384624d02bf0c19e0f3da46c8b4edb29b95361a80b94d015b991bed47983eb5f935fcacad2045bcbca6b7c17f2adeae5bda3d635a4c3f37e11d4f3d9e65e4cb3254d550ae7a27464d281ddb797fed8962e1dd551b6d12b40f92d97f3cc57905a7280f273e734af4378e07ab0ac1ce702db1083fb2b30d6c61d52e8b839cc8a31cc2b95e0bf3e855bb7f049c5f80395b2cdde790ff09c24c687") r0 = freebsd12_shm_open(&(0x7f0000000140)='./file0\x00', 0x800, 0x84) fchdir(r0) ioctl$DIOCGETRULES(0xffffffffffffffff, 0xcbe04406, &(0x7f0000000180)="3ba960cd2002ee912ab89d70b3198f9bdf0632c41dc9b26fc868415f72c419e3a545de1df756b07a982133e5944e0d3b490c4d5cf8e609d12f0e206a7c12a6a65fb02732450180353266c2159858b7d98fa6db7d05834f23") rename(&(0x7f0000000200)='./file0\x00', &(0x7f0000000240)='./file0\x00') getsockopt$inet_sctp_SCTP_LOCAL_AUTH_CHUNKS(0xffffffffffffffff, 0x84, 0x103, &(0x7f0000000280)={0x0, 0x7e, 
"0f7d7a5804403eec8164e919dfd4e351b49a4af825559cf724bc44ba4dc13666ea2a7b385134f4157271a4099ba96c43c8414ab9312e82befd945c8d504880c78b6390db1269092647d137c232d93aa216037f485c12a21b332db7e2ae3fd4e555d7a355bb606463160033fcc503ff22ee4f221b78503c59c0bb3720a6f2"}, &(0x7f0000000340)=0x86) mprotect(&(0x7f0000fff000/0x1000)=nil, 0x1000, 0xcbc8aa5da4d12c96) getsockopt$inet6_udplite(0xffffffffffffffff, 0x88, 0x2, &(0x7f0000000380), &(0x7f00000003c0)=0x4) syz_emit_ethernet(0x12d, &(0x7f0000000000)={@empty, @empty, [{[], {0x8100, 0x7, 0x0, 0x4}}], {@ipv4={0x800, {{0xc, 0x4, 0x1, 0x5, 0x11b, 0x65, 0x1, 0x0, 0x5a, 0x0, @multicast1, @empty, {[@end, @end, @timestamp={0x44, 0x10, 0x32, 0x3, 0x9, [{[], 0x2}, {[@empty], 0x3}]}, @ra={0x94, 0x6, 0x8}, @noop]}}, @generic="5c1cf073cfe909c6afe4c61fec1be43e8cc318ea6993048dae4784f94d2582e3f4b6424ea90eedb47f76041f063310b3463f16f891a46a040c93d68d53cdaa151f0e1cf94a76c2243bdd34dc2ba29c022daef02c4f01e83deb324746de26abc9b6a218bb44a18bc9a2106b4b068a65057da3bb9721c6e650384ea1f32aecfb304e3de65bedf8a68b6d672444db3745d673bda9d797752df9948795b8b4d3ad2119abedfb4b99d6aee1ed72561d35c6f7c35d2abb15dc221354e03abfec53102a5db508dc9105d5499730ce3c11fe85ce52c1866732c98b131631490d501b160817ff9dd85cede22b37f00a"}}}}) syz_execute_func(&(0x7f0000000140)="660f38257687c4c319026e65708fe840853906673e65660f3a0dff0066660f2913360f0fae2ab90000bbd392d55f00000f38cd4ca103670fb993f7b5c4c129f16c3800") syz_extract_tcp_res(&(0x7f00000001c0), 0x4, 0x83dd) csource_test.go:124: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include static void kill_and_wait(int pid, int* status) { kill(pid, SIGKILL); while (waitpid(-1, status, 0) != pid) { } } static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if 
(clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void use_temporary_dir(void) { char tmpdir_template[] = "./syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) exit(1); if (chmod(tmpdir, 0777)) exit(1); if (chdir(tmpdir)) exit(1); } static void __attribute__((noinline)) remove_dir(const char* dir) { DIR* dp = opendir(dir); if (dp == NULL) { if (errno == EACCES) { if (rmdir(dir)) exit(1); return; } exit(1); } struct dirent* ep = 0; while ((ep = readdir(dp))) { if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0) continue; char filename[FILENAME_MAX]; snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name); struct stat st; if (lstat(filename, &st)) exit(1); if (S_ISDIR(st.st_mode)) { remove_dir(filename); continue; } if (unlink(filename)) exit(1); } closedir(dp); if (rmdir(dir)) exit(1); } static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); pthread_attr_setstacksize(&attr, 128 << 10); int i = 0; for (; i < 100; i++) { if (pthread_create(&th, &attr, fn, arg) == 0) { pthread_attr_destroy(&attr); return; } if (errno == EAGAIN) { usleep(50); continue; } break; } exit(1); } typedef struct { pthread_mutex_t mu; pthread_cond_t cv; int state; } event_t; static void event_init(event_t* ev) { if (pthread_mutex_init(&ev->mu, 0)) exit(1); if (pthread_cond_init(&ev->cv, 0)) exit(1); ev->state = 0; } static void event_reset(event_t* ev) { ev->state = 0; } static void event_set(event_t* ev) { pthread_mutex_lock(&ev->mu); if (ev->state) exit(1); ev->state = 1; pthread_mutex_unlock(&ev->mu); pthread_cond_broadcast(&ev->cv); } static void event_wait(event_t* ev) { pthread_mutex_lock(&ev->mu); while (!ev->state) pthread_cond_wait(&ev->cv, &ev->mu); pthread_mutex_unlock(&ev->mu); } static int event_isset(event_t* ev) { pthread_mutex_lock(&ev->mu); int res = ev->state; pthread_mutex_unlock(&ev->mu); return 
res; }

// Waits up to timeout ms for the flag and returns its value on exit (1 if
// set, 0 on timeout). NOTE(review): ts is built from the *remaining* relative
// time, while pthread_cond_timedwait takes an absolute time, so the wait
// presumably returns at once and the loop degrades to polling
// current_time_ms() until timeout has elapsed.
static int event_timedwait(event_t* ev, uint64_t timeout)
{
	uint64_t start = current_time_ms();
	uint64_t now = start;
	pthread_mutex_lock(&ev->mu);
	for (;;) {
		if (ev->state)
			break;
		uint64_t remain = timeout - (now - start);
		struct timespec ts;
		ts.tv_sec = remain / 1000;
		ts.tv_nsec = (remain % 1000) * 1000 * 1000;
		pthread_cond_timedwait(&ev->cv, &ev->mu, &ts);
		now = current_time_ms();
		if (now - start > timeout)
			break;
	}
	int res = ev->state;
	pthread_mutex_unlock(&ev->mu);
	return res;
}

// Mask of bf_len bits starting at bit bf_off (bf_len must stay below 64,
// a wider shift is undefined).
#define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off))
// Read-modify-write of one bit-field inside the `type` stored at addr: the
// old value is brought to host order with htobe, the field replaced, and the
// result converted back. htobe may be empty (identity) for host-order fields,
// as execute_call uses it.
#define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len))))

// Running one's-complement (Internet) checksum accumulator.
struct csum_inet {
	uint32_t acc;
};

static void csum_inet_init(struct csum_inet* csum)
{
	csum->acc = 0;
}

// Adds length bytes of data to the sum as 16-bit words, read straight
// through a uint16_t* (generated code: relies on the target tolerating
// misaligned, aliasing loads). An odd trailing byte is added as a
// little-endian word. Carries are folded so acc fits in 16 bits on return.
static void csum_inet_update(struct csum_inet* csum, const uint8_t* data, size_t length)
{
	if (length == 0)
		return;
	size_t i = 0;
	for (; i < length - 1; i += 2)
		csum->acc += *(uint16_t*)&data[i];
	if (length & 1)
		csum->acc += le16toh((uint16_t)data[length - 1]);
	while (csum->acc > 0xffff)
		csum->acc = (csum->acc & 0xffff) + (csum->acc >> 16);
}

// Final checksum: the one's complement of the folded sum, truncated to 16 bits.
static uint16_t csum_inet_digest(struct csum_inet* csum)
{
	return ~csum->acc;
}

// Treats text as a code address and calls it, i.e. runs whatever bytes the
// program copied there (execute_call places them in the RWX mapping that
// main() sets up). Returns 0 if control comes back.
static long syz_execute_func(volatile long text)
{
	((void (*)(void))(text))();
	return 0;
}

// Per-worker state: created = thread started; call = index to execute;
// ready = work handed over; done = call finished (set while idle).
struct thread_t {
	int created, call;
	event_t ready, done;
};

static struct thread_t threads[16];
static void execute_call(int call);
// Number of calls currently executing on worker threads.
static int running;

// Worker body: waits for ready, clears it, runs the requested call, drops
// the running count and signals done; repeats forever (the return is
// unreachable).
static void* thr(void* arg)
{
	struct thread_t* th = (struct thread_t*)arg;
	for (;;) {
		event_wait(&th->ready);
		event_reset(&th->ready);
		execute_call(th->call);
		__atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED);
		event_set(&th->done);
	}
	return 0;
}

// Issues the program's 13 calls in order. Each call goes to the first idle
// worker (done set), workers being created lazily up to the 16 in threads[];
// the caller then waits at most 45 ms for it, so a call that hangs keeps
// its worker busy and later calls move to other workers.
static void execute_one(void)
{
	int i, call, thread;
	for (call = 0; call < 13; call++) {
		for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) {
			struct thread_t* th = &threads[thread];
			if
(!th->created) {
				th->created = 1;
				event_init(&th->ready);
				event_init(&th->done);
				// done is pre-set so a fresh worker counts as idle right away.
				event_set(&th->done);
				thread_start(thr, th);
			}
			if (!event_isset(&th->done))
				continue;
			event_reset(&th->done);
			th->call = call;
			__atomic_fetch_add(&running, 1, __ATOMIC_RELAXED);
			event_set(&th->ready);
			event_timedwait(&th->done, 45);
			break;
		}
	}
	// Give outstanding calls up to ~100 ms to drain before the process exits.
	for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++)
		sleep_ms(1);
}

// Redundant re-declaration after the definition; harmless.
static void execute_one(void);

// Extra waitpid flags for this target (none).
#define WAIT_FLAGS 0

// Runs execute_one() forever, each iteration in a fresh child process and a
// fresh directory ./<iter>. The parent polls waitpid every 1 ms and, after
// 5 s, kills the child and reaps it; the directory is then removed.
static void loop(void)
{
	int iter = 0;
	for (;; iter++) {
		char cwdbuf[32]; // "./" plus any int fits comfortably
		sprintf(cwdbuf, "./%d", iter);
		if (mkdir(cwdbuf, 0777))
			exit(1);
		int pid = fork();
		if (pid < 0)
			exit(1);
		if (pid == 0) {
			if (chdir(cwdbuf))
				exit(1);
			execute_one();
			exit(0);
		}
		int status = 0;
		uint64_t start = current_time_ms();
		for (;;) {
			if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
				break;
			sleep_ms(1);
			if (current_time_ms() - start < 5 * 1000)
				continue;
			kill_and_wait(pid, &status);
			break;
		}
		remove_dir(cwdbuf);
	}
}

// Result slots shared between calls (r[0] = the fd returned by shm_open in
// case 3). Pre-set to -1 so a consumer such as fchdir runs with an invalid
// fd when the producer failed.
uint64_t r[1] = {0xffffffffffffffff};

// Executes call number `call` of the program. Operands live in the fixed
// mapping at 0x10000000 that main() creates; each case first writes them
// there and then issues the raw syscall. Linkage is internal: the earlier
// `static` prototype applies.
void execute_call(int call)
{
	intptr_t res = 0;
	switch (call) {
	case 0:
		memcpy((void*)0x10000000, "./file0\000", 8);
		syscall(SYS_mkdirat, -1, 0x10000000, 4);
		break;
	case 1:
		syscall(SYS_shmctl, 0, 0, 0);
		break;
	case 2:
		memcpy((void*)0x10000040,
"\x5d\x74\xbd\xa1\xc6\xfa\xf7\xed\x1d\xa3\x48\xf3\xfe\x51\xda\x8b\x4b\x57\xdf\x85\xe1\x00\x99\x80\x54\x73\xe4\x43\x07\x17\xdf\x69\x42\xb6\x22\x2f\x5c\x55\x01\xc5\x9e\x39\x68\x80\x18\x42\x24\xc2\x38\x46\x24\xd0\x2b\xf0\xc1\x9e\x0f\x3d\xa4\x6c\x8b\x4e\xdb\x29\xb9\x53\x61\xa8\x0b\x94\xd0\x15\xb9\x91\xbe\xd4\x79\x83\xeb\x5f\x93\x5f\xca\xca\xd2\x04\x5b\xcb\xca\x6b\x7c\x17\xf2\xad\xea\xe5\xbd\xa3\xd6\x35\xa4\xc3\xf3\x7e\x11\xd4\xf3\xd9\xe6\x5e\x4c\xb3\x25\x4d\x55\x0a\xe7\xa2\x74\x64\xd2\x81\xdd\xb7\x97\xfe\xd8\x96\x2e\x1d\xd5\x51\xb6\xd1\x2b\x40\xf9\x2d\x97\xf3\xcc\x57\x90\x5a\x72\x80\xf2\x73\xe7\x34\xaf\x43\x78\xe0\x7a\xb0\xac\x1c\xe7\x02\xdb\x10\x83\xfb\x2b\x30\xd6\xc6\x1d\x52\xe8\xb8\x39\xcc\x8a\x31\xcc\x2b\x95\xe0\xbf\x3e\x85\x5b\xb7\xf0\x49\xc5\xf8\x03\x95\xb2\xcd\xde\x79\x0f\xf0\x9c\x24\xc6\x87", 201); syscall(SYS_ioctl, -1, 0xcbe04406, 0x10000040); break; case 3: memcpy((void*)0x10000140, "./file0\000", 8); res = syscall(SYS_freebsd12_shm_open, 0x10000140, 0x800, 0x84); if (res != -1) r[0] = res; break; case 4: syscall(SYS_fchdir, (intptr_t)r[0]); break; case 5: memcpy((void*)0x10000180, "\x3b\xa9\x60\xcd\x20\x02\xee\x91\x2a\xb8\x9d\x70\xb3\x19\x8f\x9b\xdf\x06\x32\xc4\x1d\xc9\xb2\x6f\xc8\x68\x41\x5f\x72\xc4\x19\xe3\xa5\x45\xde\x1d\xf7\x56\xb0\x7a\x98\x21\x33\xe5\x94\x4e\x0d\x3b\x49\x0c\x4d\x5c\xf8\xe6\x09\xd1\x2f\x0e\x20\x6a\x7c\x12\xa6\xa6\x5f\xb0\x27\x32\x45\x01\x80\x35\x32\x66\xc2\x15\x98\x58\xb7\xd9\x8f\xa6\xdb\x7d\x05\x83\x4f\x23", 88); syscall(SYS_ioctl, -1, 0xcbe04406, 0x10000180); break; case 6: memcpy((void*)0x10000200, "./file0\000", 8); memcpy((void*)0x10000240, "./file0\000", 8); syscall(SYS_rename, 0x10000200, 0x10000240); break; case 7: *(uint32_t*)0x10000280 = 0; *(uint32_t*)0x10000284 = 0x7e; memcpy((void*)0x10000288, 
"\x0f\x7d\x7a\x58\x04\x40\x3e\xec\x81\x64\xe9\x19\xdf\xd4\xe3\x51\xb4\x9a\x4a\xf8\x25\x55\x9c\xf7\x24\xbc\x44\xba\x4d\xc1\x36\x66\xea\x2a\x7b\x38\x51\x34\xf4\x15\x72\x71\xa4\x09\x9b\xa9\x6c\x43\xc8\x41\x4a\xb9\x31\x2e\x82\xbe\xfd\x94\x5c\x8d\x50\x48\x80\xc7\x8b\x63\x90\xdb\x12\x69\x09\x26\x47\xd1\x37\xc2\x32\xd9\x3a\xa2\x16\x03\x7f\x48\x5c\x12\xa2\x1b\x33\x2d\xb7\xe2\xae\x3f\xd4\xe5\x55\xd7\xa3\x55\xbb\x60\x64\x63\x16\x00\x33\xfc\xc5\x03\xff\x22\xee\x4f\x22\x1b\x78\x50\x3c\x59\xc0\xbb\x37\x20\xa6\xf2", 126); *(uint32_t*)0x10000340 = 0x86; syscall(SYS_getsockopt, -1, 0x84, 0x103, 0x10000280, 0x10000340); break; case 8: syscall(SYS_mprotect, 0x10fff000, 0x1000, 0xa4d12c96); break; case 9: *(uint32_t*)0x100003c0 = 4; syscall(SYS_getsockopt, -1, 0x88, 2, 0x10000380, 0x100003c0); break; case 10: *(uint8_t*)0x10000000 = 0; *(uint8_t*)0x10000001 = 0; *(uint8_t*)0x10000002 = 0; *(uint8_t*)0x10000003 = 0; *(uint8_t*)0x10000004 = 0; *(uint8_t*)0x10000005 = 0; *(uint8_t*)0x10000006 = 0; *(uint8_t*)0x10000007 = 0; *(uint8_t*)0x10000008 = 0; *(uint8_t*)0x10000009 = 0; *(uint8_t*)0x1000000a = 0; *(uint8_t*)0x1000000b = 0; *(uint16_t*)0x1000000c = htobe16(0x8100); STORE_BY_BITMASK(uint16_t, , 0x1000000e, 7, 0, 3); STORE_BY_BITMASK(uint16_t, , 0x1000000e, 0, 3, 1); STORE_BY_BITMASK(uint16_t, , 0x1000000e, 4, 4, 12); *(uint16_t*)0x10000010 = htobe16(0x800); STORE_BY_BITMASK(uint8_t, , 0x10000012, 0xc, 0, 4); STORE_BY_BITMASK(uint8_t, , 0x10000012, 4, 4, 4); STORE_BY_BITMASK(uint8_t, , 0x10000013, 1, 0, 2); STORE_BY_BITMASK(uint8_t, , 0x10000013, 5, 2, 6); *(uint16_t*)0x10000014 = htobe16(0x11b); *(uint16_t*)0x10000016 = htobe16(0x65); *(uint16_t*)0x10000018 = htobe16(1); *(uint8_t*)0x1000001a = 0; *(uint8_t*)0x1000001b = 0x5a; *(uint16_t*)0x1000001c = htobe16(0); *(uint32_t*)0x1000001e = htobe32(0xe0000001); *(uint32_t*)0x10000022 = htobe32(0); *(uint8_t*)0x10000026 = 0; *(uint8_t*)0x10000027 = 0; *(uint8_t*)0x10000028 = 0x44; *(uint8_t*)0x10000029 = 0x10; *(uint8_t*)0x1000002a = 
0x32; STORE_BY_BITMASK(uint8_t, , 0x1000002b, 3, 0, 4); STORE_BY_BITMASK(uint8_t, , 0x1000002b, 9, 4, 4); *(uint32_t*)0x1000002c = htobe32(2); *(uint32_t*)0x10000030 = htobe32(0); *(uint32_t*)0x10000034 = htobe32(3); *(uint8_t*)0x10000038 = 0x94; *(uint8_t*)0x10000039 = 6; *(uint32_t*)0x1000003a = htobe32(8); *(uint8_t*)0x1000003e = 1; memcpy((void*)0x10000042, "\x5c\x1c\xf0\x73\xcf\xe9\x09\xc6\xaf\xe4\xc6\x1f\xec\x1b\xe4\x3e\x8c\xc3\x18\xea\x69\x93\x04\x8d\xae\x47\x84\xf9\x4d\x25\x82\xe3\xf4\xb6\x42\x4e\xa9\x0e\xed\xb4\x7f\x76\x04\x1f\x06\x33\x10\xb3\x46\x3f\x16\xf8\x91\xa4\x6a\x04\x0c\x93\xd6\x8d\x53\xcd\xaa\x15\x1f\x0e\x1c\xf9\x4a\x76\xc2\x24\x3b\xdd\x34\xdc\x2b\xa2\x9c\x02\x2d\xae\xf0\x2c\x4f\x01\xe8\x3d\xeb\x32\x47\x46\xde\x26\xab\xc9\xb6\xa2\x18\xbb\x44\xa1\x8b\xc9\xa2\x10\x6b\x4b\x06\x8a\x65\x05\x7d\xa3\xbb\x97\x21\xc6\xe6\x50\x38\x4e\xa1\xf3\x2a\xec\xfb\x30\x4e\x3d\xe6\x5b\xed\xf8\xa6\x8b\x6d\x67\x24\x44\xdb\x37\x45\xd6\x73\xbd\xa9\xd7\x97\x75\x2d\xf9\x94\x87\x95\xb8\xb4\xd3\xad\x21\x19\xab\xed\xfb\x4b\x99\xd6\xae\xe1\xed\x72\x56\x1d\x35\xc6\xf7\xc3\x5d\x2a\xbb\x15\xdc\x22\x13\x54\xe0\x3a\xbf\xec\x53\x10\x2a\x5d\xb5\x08\xdc\x91\x05\xd5\x49\x97\x30\xce\x3c\x11\xfe\x85\xce\x52\xc1\x86\x67\x32\xc9\x8b\x13\x16\x31\x49\x0d\x50\x1b\x16\x08\x17\xff\x9d\xd8\x5c\xed\xe2\x2b\x37\xf0\x0a", 235); struct csum_inet csum_1; csum_inet_init(&csum_1); csum_inet_update(&csum_1, (const uint8_t*)0x10000012, 48); *(uint16_t*)0x1000001c = csum_inet_digest(&csum_1); break; case 11: memcpy((void*)0x10000140, "\x66\x0f\x38\x25\x76\x87\xc4\xc3\x19\x02\x6e\x65\x70\x8f\xe8\x40\x85\x39\x06\x67\x3e\x65\x66\x0f\x3a\x0d\xff\x00\x66\x66\x0f\x29\x13\x36\x0f\x0f\xae\x2a\xb9\x00\x00\xbb\xd3\x92\xd5\x5f\x00\x00\x0f\x38\xcd\x4c\xa1\x03\x67\x0f\xb9\x93\xf7\xb5\xc4\xc1\x29\xf1\x6c\x38\x00", 67); syz_execute_func(0x10000140); break; case 12: break; } } int main(void) { syscall(SYS_mmap, 0x10000000, 0x1000000, 7, 0x1012, -1, 0); use_temporary_dir(); loop(); return 0; } :318:17: error: use of 
undeclared identifier 'SYS_freebsd12_shm_open' res = syscall(SYS_freebsd12_shm_open, 0x10000140, 0x800, 0x84); ^ 1 error generated. compiler invocation: clang [-o /tmp/syz-executor460378478 -DGOOS_freebsd=1 -DGOARCH_386=1 -DHOSTGOOS_freebsd=1 -x c - -m32 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -static -lc++ -Wno-overflow] --- FAIL: TestGenerate/freebsd/386/10 (1.58s) csource_test.go:123: opts: {Threaded:true Collide:false Repeat:true RepeatTimes:0 Procs:0 Sandbox:none Fault:false FaultCall:0 FaultNth:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false USB:false VhciInjection:false Wifi:false UseTmpDir:false HandleSegv:false Repro:false Trace:false} program: mkdirat(0xffffffffffffffff, &(0x7f0000000000)='./file0\x00', 0x4) shmctl$IPC_RMID(0x0, 0x0) ioctl$DIOCGETRULES(0xffffffffffffffff, 0xcbe04406, &(0x7f0000000040)="5d74bda1c6faf7ed1da348f3fe51da8b4b57df85e10099805473e4430717df6942b6222f5c5501c59e396880184224c2384624d02bf0c19e0f3da46c8b4edb29b95361a80b94d015b991bed47983eb5f935fcacad2045bcbca6b7c17f2adeae5bda3d635a4c3f37e11d4f3d9e65e4cb3254d550ae7a27464d281ddb797fed8962e1dd551b6d12b40f92d97f3cc57905a7280f273e734af4378e07ab0ac1ce702db1083fb2b30d6c61d52e8b839cc8a31cc2b95e0bf3e855bb7f049c5f80395b2cdde790ff09c24c687") r0 = freebsd12_shm_open(&(0x7f0000000140)='./file0\x00', 0x800, 0x84) fchdir(r0) ioctl$DIOCGETRULES(0xffffffffffffffff, 0xcbe04406, &(0x7f0000000180)="3ba960cd2002ee912ab89d70b3198f9bdf0632c41dc9b26fc868415f72c419e3a545de1df756b07a982133e5944e0d3b490c4d5cf8e609d12f0e206a7c12a6a65fb02732450180353266c2159858b7d98fa6db7d05834f23") rename(&(0x7f0000000200)='./file0\x00', &(0x7f0000000240)='./file0\x00') getsockopt$inet_sctp_SCTP_LOCAL_AUTH_CHUNKS(0xffffffffffffffff, 0x84, 0x103, &(0x7f0000000280)={0x0, 0x7e, 
"0f7d7a5804403eec8164e919dfd4e351b49a4af825559cf724bc44ba4dc13666ea2a7b385134f4157271a4099ba96c43c8414ab9312e82befd945c8d504880c78b6390db1269092647d137c232d93aa216037f485c12a21b332db7e2ae3fd4e555d7a355bb606463160033fcc503ff22ee4f221b78503c59c0bb3720a6f2"}, &(0x7f0000000340)=0x86) mprotect(&(0x7f0000fff000/0x1000)=nil, 0x1000, 0xcbc8aa5da4d12c96) getsockopt$inet6_udplite(0xffffffffffffffff, 0x88, 0x2, &(0x7f0000000380), &(0x7f00000003c0)=0x4) syz_emit_ethernet(0x12d, &(0x7f0000000000)={@empty, @empty, [{[], {0x8100, 0x7, 0x0, 0x4}}], {@ipv4={0x800, {{0xc, 0x4, 0x1, 0x5, 0x11b, 0x65, 0x1, 0x0, 0x5a, 0x0, @multicast1, @empty, {[@end, @end, @timestamp={0x44, 0x10, 0x32, 0x3, 0x9, [{[], 0x2}, {[@empty], 0x3}]}, @ra={0x94, 0x6, 0x8}, @noop]}}, @generic="5c1cf073cfe909c6afe4c61fec1be43e8cc318ea6993048dae4784f94d2582e3f4b6424ea90eedb47f76041f063310b3463f16f891a46a040c93d68d53cdaa151f0e1cf94a76c2243bdd34dc2ba29c022daef02c4f01e83deb324746de26abc9b6a218bb44a18bc9a2106b4b068a65057da3bb9721c6e650384ea1f32aecfb304e3de65bedf8a68b6d672444db3745d673bda9d797752df9948795b8b4d3ad2119abedfb4b99d6aee1ed72561d35c6f7c35d2abb15dc221354e03abfec53102a5db508dc9105d5499730ce3c11fe85ce52c1866732c98b131631490d501b160817ff9dd85cede22b37f00a"}}}}) syz_execute_func(&(0x7f0000000140)="660f38257687c4c319026e65708fe840853906673e65660f3a0dff0066660f2913360f0fae2ab90000bbd392d55f00000f38cd4ca103670fb993f7b5c4c129f16c3800") syz_extract_tcp_res(&(0x7f00000001c0), 0x4, 0x83dd) csource_test.go:124: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include static void kill_and_wait(int pid, int* status) { kill(pid, SIGKILL); while (waitpid(-1, status, 0) != pid) { } } static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if 
(clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1);
	return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}

// Starts fn(arg) on a new thread with a 128 KiB stack. The pthread_t is
// dropped, so the thread is never joined. EAGAIN is retried up to 100 times
// with a 50 us pause; any other error, or running out of retries, exits.
// NOTE(review): pthread_create reports failure through its return value,
// not errno; the EAGAIN test relies on the libc also setting errno.
static void thread_start(void* (*fn)(void*), void* arg)
{
	pthread_t th;
	pthread_attr_t attr;
	pthread_attr_init(&attr);
	pthread_attr_setstacksize(&attr, 128 << 10);
	int i = 0;
	for (; i < 100; i++) {
		if (pthread_create(&th, &attr, fn, arg) == 0) {
			pthread_attr_destroy(&attr);
			return;
		}
		if (errno == EAGAIN) {
			usleep(50);
			continue;
		}
		break;
	}
	exit(1);
}

// One-shot event: a flag (state) guarded by mu, with cv for sleepers.
typedef struct {
	pthread_mutex_t mu;
	pthread_cond_t cv;
	int state;
} event_t;

// Initialises mutex and condvar (exiting on failure) with the flag clear.
static void event_init(event_t* ev)
{
	if (pthread_mutex_init(&ev->mu, 0))
		exit(1);
	if (pthread_cond_init(&ev->cv, 0))
		exit(1);
	ev->state = 0;
}

// Clears the flag without taking mu. Only the side that has just consumed
// the event calls it (thr resets ready, execute_one resets done).
static void event_reset(event_t* ev)
{
	ev->state = 0;
}

// Raises the flag and wakes every waiter. Setting an event that is already
// set exits the process (double set).
static void event_set(event_t* ev)
{
	pthread_mutex_lock(&ev->mu);
	if (ev->state)
		exit(1);
	ev->state = 1;
	pthread_mutex_unlock(&ev->mu);
	pthread_cond_broadcast(&ev->cv);
}

// Blocks until the flag is set.
static void event_wait(event_t* ev)
{
	pthread_mutex_lock(&ev->mu);
	while (!ev->state)
		pthread_cond_wait(&ev->cv, &ev->mu);
	pthread_mutex_unlock(&ev->mu);
}

// Returns the flag's current value, read under mu.
static int event_isset(event_t* ev)
{
	pthread_mutex_lock(&ev->mu);
	int res = ev->state;
	pthread_mutex_unlock(&ev->mu);
	return res;
}

// Waits up to timeout ms for the flag and returns its value on exit (1 if
// set, 0 on timeout). NOTE(review): ts is built from the *remaining* relative
// time, while pthread_cond_timedwait takes an absolute time, so the wait
// presumably returns at once and the loop degrades to polling
// current_time_ms() until timeout has elapsed.
static int event_timedwait(event_t* ev, uint64_t timeout)
{
	uint64_t start = current_time_ms();
	uint64_t now = start;
	pthread_mutex_lock(&ev->mu);
	for (;;) {
		if (ev->state)
			break;
		uint64_t remain = timeout - (now - start);
		struct timespec ts;
		ts.tv_sec = remain / 1000;
		ts.tv_nsec = (remain % 1000) * 1000 * 1000;
		pthread_cond_timedwait(&ev->cv, &ev->mu, &ts);
		now = current_time_ms();
		if (now - start > timeout)
			break;
	}
	int res = ev->state;
	pthread_mutex_unlock(&ev->mu);
	return res;
}

// Mask of bf_len bits starting at bit bf_off (bf_len must stay below 64,
// a wider shift is undefined).
#define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off))
// Read-modify-write of one bit-field inside the `type` stored at addr: the
// old value is brought to host order with htobe, the field replaced, and the
// result converted back. htobe may be empty (identity) for host-order fields,
// as execute_call uses it.
#define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len))))

// Running one's-complement (Internet) checksum accumulator.
struct csum_inet {
	uint32_t acc;
};
static void csum_inet_init(struct csum_inet* csum)
{
	csum->acc = 0;
}

// Adds length bytes of data to the sum as 16-bit words, read straight
// through a uint16_t* (generated code: relies on the target tolerating
// misaligned, aliasing loads). An odd trailing byte is added as a
// little-endian word. Carries are folded so acc fits in 16 bits on return.
static void csum_inet_update(struct csum_inet* csum, const uint8_t* data, size_t length)
{
	if (length == 0)
		return;
	size_t i = 0;
	for (; i < length - 1; i += 2)
		csum->acc += *(uint16_t*)&data[i];
	if (length & 1)
		csum->acc += le16toh((uint16_t)data[length - 1]);
	while (csum->acc > 0xffff)
		csum->acc = (csum->acc & 0xffff) + (csum->acc >> 16);
}

// Final checksum: the one's complement of the folded sum, truncated to 16 bits.
static uint16_t csum_inet_digest(struct csum_inet* csum)
{
	return ~csum->acc;
}

// Limits shared by every sandbox mode: a new session, then hard caps on
// address space (128 MiB), locked memory (8 MiB), file size (1 MiB), stack
// (1 MiB), core dumps (none) and open files (256). setrlimit results are
// ignored, so the caps are best effort.
static void sandbox_common()
{
	if (setsid() == -1)
		exit(1);
	struct rlimit rlim;
	rlim.rlim_cur = rlim.rlim_max = 128 << 20;
	setrlimit(RLIMIT_AS, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 8 << 20;
	setrlimit(RLIMIT_MEMLOCK, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 1 << 20;
	setrlimit(RLIMIT_FSIZE, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 1 << 20;
	setrlimit(RLIMIT_STACK, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 0;
	setrlimit(RLIMIT_CORE, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 256;
	setrlimit(RLIMIT_NOFILE, &rlim);
}

static void loop();

// Sandbox "none": only sandbox_common(), no privilege drop or namespace
// isolation, then loop(). Returns 0 once loop() returns.
static int do_sandbox_none(void)
{
	sandbox_common();
	loop();
	return 0;
}

// Treats text as a code address and calls it, i.e. runs whatever bytes the
// program copied there (execute_call places them in the RWX mapping that
// main() sets up). Returns 0 if control comes back.
static long syz_execute_func(volatile long text)
{
	((void (*)(void))(text))();
	return 0;
}

// Per-worker state: created = thread started; call = index to execute;
// ready = work handed over; done = call finished (set while idle).
struct thread_t {
	int created, call;
	event_t ready, done;
};

static struct thread_t threads[16];
static void execute_call(int call);
// Number of calls currently executing on worker threads.
static int running;

// Worker body: waits for ready, clears it, runs the requested call, drops
// the running count and signals done; repeats forever (the return is
// unreachable).
static void* thr(void* arg)
{
	struct thread_t* th = (struct thread_t*)arg;
	for (;;) {
		event_wait(&th->ready);
		event_reset(&th->ready);
		execute_call(th->call);
		__atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED);
		event_set(&th->done);
	}
	return 0;
}

// Issues the program's 13 calls in order. Each call goes to the first idle
// worker (done set), workers being created lazily up to the 16 in threads[];
// the caller then waits at most 45 ms for it, so a call that hangs keeps
// its worker busy and later calls move to other workers. The body continues
// past the end of this line.
static void execute_one(void)
{
	int i, call, thread;
	for (call = 0; call < 13; call++) {
		for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) {
			struct thread_t* th = &threads[thread];
			if (!th->created) {
				th->created = 1;
				event_init(&th->ready);
				event_init(&th->done);
				// done is pre-set so a fresh worker counts as idle right away.
				event_set(&th->done);
				thread_start(thr, th);
			}
			if (!event_isset(&th->done))
				continue;
			event_reset(&th->done);
th->call = call; __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED); event_set(&th->ready); event_timedwait(&th->done, 45); break; } } for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++) sleep_ms(1); } static void execute_one(void); #define WAIT_FLAGS 0 static void loop(void) { int iter = 0; for (;; iter++) { int pid = fork(); if (pid < 0) exit(1); if (pid == 0) { execute_one(); exit(0); } int status = 0; uint64_t start = current_time_ms(); for (;;) { if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) break; sleep_ms(1); if (current_time_ms() - start < 5 * 1000) continue; kill_and_wait(pid, &status); break; } } } uint64_t r[1] = {0xffffffffffffffff}; void execute_call(int call) { intptr_t res = 0; switch (call) { case 0: memcpy((void*)0x10000000, "./file0\000", 8); syscall(SYS_mkdirat, -1, 0x10000000, 4); break; case 1: syscall(SYS_shmctl, 0, 0, 0); break; case 2: memcpy((void*)0x10000040, "\x5d\x74\xbd\xa1\xc6\xfa\xf7\xed\x1d\xa3\x48\xf3\xfe\x51\xda\x8b\x4b\x57\xdf\x85\xe1\x00\x99\x80\x54\x73\xe4\x43\x07\x17\xdf\x69\x42\xb6\x22\x2f\x5c\x55\x01\xc5\x9e\x39\x68\x80\x18\x42\x24\xc2\x38\x46\x24\xd0\x2b\xf0\xc1\x9e\x0f\x3d\xa4\x6c\x8b\x4e\xdb\x29\xb9\x53\x61\xa8\x0b\x94\xd0\x15\xb9\x91\xbe\xd4\x79\x83\xeb\x5f\x93\x5f\xca\xca\xd2\x04\x5b\xcb\xca\x6b\x7c\x17\xf2\xad\xea\xe5\xbd\xa3\xd6\x35\xa4\xc3\xf3\x7e\x11\xd4\xf3\xd9\xe6\x5e\x4c\xb3\x25\x4d\x55\x0a\xe7\xa2\x74\x64\xd2\x81\xdd\xb7\x97\xfe\xd8\x96\x2e\x1d\xd5\x51\xb6\xd1\x2b\x40\xf9\x2d\x97\xf3\xcc\x57\x90\x5a\x72\x80\xf2\x73\xe7\x34\xaf\x43\x78\xe0\x7a\xb0\xac\x1c\xe7\x02\xdb\x10\x83\xfb\x2b\x30\xd6\xc6\x1d\x52\xe8\xb8\x39\xcc\x8a\x31\xcc\x2b\x95\xe0\xbf\x3e\x85\x5b\xb7\xf0\x49\xc5\xf8\x03\x95\xb2\xcd\xde\x79\x0f\xf0\x9c\x24\xc6\x87", 201); syscall(SYS_ioctl, -1, 0xcbe04406, 0x10000040); break; case 3: memcpy((void*)0x10000140, "./file0\000", 8); res = syscall(SYS_freebsd12_shm_open, 0x10000140, 0x800, 0x84); if (res != -1) r[0] = res; break; case 4: syscall(SYS_fchdir, (intptr_t)r[0]); break; 
case 5: memcpy((void*)0x10000180, "\x3b\xa9\x60\xcd\x20\x02\xee\x91\x2a\xb8\x9d\x70\xb3\x19\x8f\x9b\xdf\x06\x32\xc4\x1d\xc9\xb2\x6f\xc8\x68\x41\x5f\x72\xc4\x19\xe3\xa5\x45\xde\x1d\xf7\x56\xb0\x7a\x98\x21\x33\xe5\x94\x4e\x0d\x3b\x49\x0c\x4d\x5c\xf8\xe6\x09\xd1\x2f\x0e\x20\x6a\x7c\x12\xa6\xa6\x5f\xb0\x27\x32\x45\x01\x80\x35\x32\x66\xc2\x15\x98\x58\xb7\xd9\x8f\xa6\xdb\x7d\x05\x83\x4f\x23", 88); syscall(SYS_ioctl, -1, 0xcbe04406, 0x10000180); break; case 6: memcpy((void*)0x10000200, "./file0\000", 8); memcpy((void*)0x10000240, "./file0\000", 8); syscall(SYS_rename, 0x10000200, 0x10000240); break; case 7: *(uint32_t*)0x10000280 = 0; *(uint32_t*)0x10000284 = 0x7e; memcpy((void*)0x10000288, "\x0f\x7d\x7a\x58\x04\x40\x3e\xec\x81\x64\xe9\x19\xdf\xd4\xe3\x51\xb4\x9a\x4a\xf8\x25\x55\x9c\xf7\x24\xbc\x44\xba\x4d\xc1\x36\x66\xea\x2a\x7b\x38\x51\x34\xf4\x15\x72\x71\xa4\x09\x9b\xa9\x6c\x43\xc8\x41\x4a\xb9\x31\x2e\x82\xbe\xfd\x94\x5c\x8d\x50\x48\x80\xc7\x8b\x63\x90\xdb\x12\x69\x09\x26\x47\xd1\x37\xc2\x32\xd9\x3a\xa2\x16\x03\x7f\x48\x5c\x12\xa2\x1b\x33\x2d\xb7\xe2\xae\x3f\xd4\xe5\x55\xd7\xa3\x55\xbb\x60\x64\x63\x16\x00\x33\xfc\xc5\x03\xff\x22\xee\x4f\x22\x1b\x78\x50\x3c\x59\xc0\xbb\x37\x20\xa6\xf2", 126); *(uint32_t*)0x10000340 = 0x86; syscall(SYS_getsockopt, -1, 0x84, 0x103, 0x10000280, 0x10000340); break; case 8: syscall(SYS_mprotect, 0x10fff000, 0x1000, 0xa4d12c96); break; case 9: *(uint32_t*)0x100003c0 = 4; syscall(SYS_getsockopt, -1, 0x88, 2, 0x10000380, 0x100003c0); break; case 10: *(uint8_t*)0x10000000 = 0; *(uint8_t*)0x10000001 = 0; *(uint8_t*)0x10000002 = 0; *(uint8_t*)0x10000003 = 0; *(uint8_t*)0x10000004 = 0; *(uint8_t*)0x10000005 = 0; *(uint8_t*)0x10000006 = 0; *(uint8_t*)0x10000007 = 0; *(uint8_t*)0x10000008 = 0; *(uint8_t*)0x10000009 = 0; *(uint8_t*)0x1000000a = 0; *(uint8_t*)0x1000000b = 0; *(uint16_t*)0x1000000c = htobe16(0x8100); STORE_BY_BITMASK(uint16_t, , 0x1000000e, 7, 0, 3); STORE_BY_BITMASK(uint16_t, , 0x1000000e, 0, 3, 1); STORE_BY_BITMASK(uint16_t, , 
0x1000000e, 4, 4, 12); *(uint16_t*)0x10000010 = htobe16(0x800); STORE_BY_BITMASK(uint8_t, , 0x10000012, 0xc, 0, 4); STORE_BY_BITMASK(uint8_t, , 0x10000012, 4, 4, 4); STORE_BY_BITMASK(uint8_t, , 0x10000013, 1, 0, 2); STORE_BY_BITMASK(uint8_t, , 0x10000013, 5, 2, 6); *(uint16_t*)0x10000014 = htobe16(0x11b); *(uint16_t*)0x10000016 = htobe16(0x65); *(uint16_t*)0x10000018 = htobe16(1); *(uint8_t*)0x1000001a = 0; *(uint8_t*)0x1000001b = 0x5a; *(uint16_t*)0x1000001c = htobe16(0); *(uint32_t*)0x1000001e = htobe32(0xe0000001); *(uint32_t*)0x10000022 = htobe32(0); *(uint8_t*)0x10000026 = 0; *(uint8_t*)0x10000027 = 0; *(uint8_t*)0x10000028 = 0x44; *(uint8_t*)0x10000029 = 0x10; *(uint8_t*)0x1000002a = 0x32; STORE_BY_BITMASK(uint8_t, , 0x1000002b, 3, 0, 4); STORE_BY_BITMASK(uint8_t, , 0x1000002b, 9, 4, 4); *(uint32_t*)0x1000002c = htobe32(2); *(uint32_t*)0x10000030 = htobe32(0); *(uint32_t*)0x10000034 = htobe32(3); *(uint8_t*)0x10000038 = 0x94; *(uint8_t*)0x10000039 = 6; *(uint32_t*)0x1000003a = htobe32(8); *(uint8_t*)0x1000003e = 1; memcpy((void*)0x10000042, 
"\x5c\x1c\xf0\x73\xcf\xe9\x09\xc6\xaf\xe4\xc6\x1f\xec\x1b\xe4\x3e\x8c\xc3\x18\xea\x69\x93\x04\x8d\xae\x47\x84\xf9\x4d\x25\x82\xe3\xf4\xb6\x42\x4e\xa9\x0e\xed\xb4\x7f\x76\x04\x1f\x06\x33\x10\xb3\x46\x3f\x16\xf8\x91\xa4\x6a\x04\x0c\x93\xd6\x8d\x53\xcd\xaa\x15\x1f\x0e\x1c\xf9\x4a\x76\xc2\x24\x3b\xdd\x34\xdc\x2b\xa2\x9c\x02\x2d\xae\xf0\x2c\x4f\x01\xe8\x3d\xeb\x32\x47\x46\xde\x26\xab\xc9\xb6\xa2\x18\xbb\x44\xa1\x8b\xc9\xa2\x10\x6b\x4b\x06\x8a\x65\x05\x7d\xa3\xbb\x97\x21\xc6\xe6\x50\x38\x4e\xa1\xf3\x2a\xec\xfb\x30\x4e\x3d\xe6\x5b\xed\xf8\xa6\x8b\x6d\x67\x24\x44\xdb\x37\x45\xd6\x73\xbd\xa9\xd7\x97\x75\x2d\xf9\x94\x87\x95\xb8\xb4\xd3\xad\x21\x19\xab\xed\xfb\x4b\x99\xd6\xae\xe1\xed\x72\x56\x1d\x35\xc6\xf7\xc3\x5d\x2a\xbb\x15\xdc\x22\x13\x54\xe0\x3a\xbf\xec\x53\x10\x2a\x5d\xb5\x08\xdc\x91\x05\xd5\x49\x97\x30\xce\x3c\x11\xfe\x85\xce\x52\xc1\x86\x67\x32\xc9\x8b\x13\x16\x31\x49\x0d\x50\x1b\x16\x08\x17\xff\x9d\xd8\x5c\xed\xe2\x2b\x37\xf0\x0a", 235); struct csum_inet csum_1; csum_inet_init(&csum_1); csum_inet_update(&csum_1, (const uint8_t*)0x10000012, 48); *(uint16_t*)0x1000001c = csum_inet_digest(&csum_1); break; case 11: memcpy((void*)0x10000140, "\x66\x0f\x38\x25\x76\x87\xc4\xc3\x19\x02\x6e\x65\x70\x8f\xe8\x40\x85\x39\x06\x67\x3e\x65\x66\x0f\x3a\x0d\xff\x00\x66\x66\x0f\x29\x13\x36\x0f\x0f\xae\x2a\xb9\x00\x00\xbb\xd3\x92\xd5\x5f\x00\x00\x0f\x38\xcd\x4c\xa1\x03\x67\x0f\xb9\x93\xf7\xb5\xc4\xc1\x29\xf1\x6c\x38\x00", 67); syz_execute_func(0x10000140); break; case 12: break; } } int main(void) { syscall(SYS_mmap, 0x10000000, 0x1000000, 7, 0x1012, -1, 0); do_sandbox_none(); return 0; } :294:17: error: use of undeclared identifier 'SYS_freebsd12_shm_open' res = syscall(SYS_freebsd12_shm_open, 0x10000140, 0x800, 0x84); ^ 1 error generated. 
compiler invocation: clang [-o /tmp/syz-executor974578165 -DGOOS_freebsd=1 -DGOARCH_386=1 -DHOSTGOOS_freebsd=1 -x c - -m32 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -static -lc++ -Wno-overflow] --- FAIL: TestGenerate/freebsd/386/4 (2.10s) csource_test.go:123: opts: {Threaded:true Collide:false Repeat:true RepeatTimes:10 Procs:0 Sandbox:none Fault:false FaultCall:0 FaultNth:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false USB:false VhciInjection:false Wifi:false UseTmpDir:true HandleSegv:false Repro:false Trace:false} program: mkdirat(0xffffffffffffffff, &(0x7f0000000000)='./file0\x00', 0x4) shmctl$IPC_RMID(0x0, 0x0) ioctl$DIOCGETRULES(0xffffffffffffffff, 0xcbe04406, &(0x7f0000000040)="5d74bda1c6faf7ed1da348f3fe51da8b4b57df85e10099805473e4430717df6942b6222f5c5501c59e396880184224c2384624d02bf0c19e0f3da46c8b4edb29b95361a80b94d015b991bed47983eb5f935fcacad2045bcbca6b7c17f2adeae5bda3d635a4c3f37e11d4f3d9e65e4cb3254d550ae7a27464d281ddb797fed8962e1dd551b6d12b40f92d97f3cc57905a7280f273e734af4378e07ab0ac1ce702db1083fb2b30d6c61d52e8b839cc8a31cc2b95e0bf3e855bb7f049c5f80395b2cdde790ff09c24c687") r0 = freebsd12_shm_open(&(0x7f0000000140)='./file0\x00', 0x800, 0x84) fchdir(r0) ioctl$DIOCGETRULES(0xffffffffffffffff, 0xcbe04406, &(0x7f0000000180)="3ba960cd2002ee912ab89d70b3198f9bdf0632c41dc9b26fc868415f72c419e3a545de1df756b07a982133e5944e0d3b490c4d5cf8e609d12f0e206a7c12a6a65fb02732450180353266c2159858b7d98fa6db7d05834f23") rename(&(0x7f0000000200)='./file0\x00', &(0x7f0000000240)='./file0\x00') getsockopt$inet_sctp_SCTP_LOCAL_AUTH_CHUNKS(0xffffffffffffffff, 0x84, 0x103, &(0x7f0000000280)={0x0, 0x7e, 
"0f7d7a5804403eec8164e919dfd4e351b49a4af825559cf724bc44ba4dc13666ea2a7b385134f4157271a4099ba96c43c8414ab9312e82befd945c8d504880c78b6390db1269092647d137c232d93aa216037f485c12a21b332db7e2ae3fd4e555d7a355bb606463160033fcc503ff22ee4f221b78503c59c0bb3720a6f2"}, &(0x7f0000000340)=0x86) mprotect(&(0x7f0000fff000/0x1000)=nil, 0x1000, 0xcbc8aa5da4d12c96) getsockopt$inet6_udplite(0xffffffffffffffff, 0x88, 0x2, &(0x7f0000000380), &(0x7f00000003c0)=0x4) syz_emit_ethernet(0x12d, &(0x7f0000000000)={@empty, @empty, [{[], {0x8100, 0x7, 0x0, 0x4}}], {@ipv4={0x800, {{0xc, 0x4, 0x1, 0x5, 0x11b, 0x65, 0x1, 0x0, 0x5a, 0x0, @multicast1, @empty, {[@end, @end, @timestamp={0x44, 0x10, 0x32, 0x3, 0x9, [{[], 0x2}, {[@empty], 0x3}]}, @ra={0x94, 0x6, 0x8}, @noop]}}, @generic="5c1cf073cfe909c6afe4c61fec1be43e8cc318ea6993048dae4784f94d2582e3f4b6424ea90eedb47f76041f063310b3463f16f891a46a040c93d68d53cdaa151f0e1cf94a76c2243bdd34dc2ba29c022daef02c4f01e83deb324746de26abc9b6a218bb44a18bc9a2106b4b068a65057da3bb9721c6e650384ea1f32aecfb304e3de65bedf8a68b6d672444db3745d673bda9d797752df9948795b8b4d3ad2119abedfb4b99d6aee1ed72561d35c6f7c35d2abb15dc221354e03abfec53102a5db508dc9105d5499730ce3c11fe85ce52c1866732c98b131631490d501b160817ff9dd85cede22b37f00a"}}}}) syz_execute_func(&(0x7f0000000140)="660f38257687c4c319026e65708fe840853906673e65660f3a0dff0066660f2913360f0fae2ab90000bbd392d55f00000f38cd4ca103670fb993f7b5c4c129f16c3800") syz_extract_tcp_res(&(0x7f00000001c0), 0x4, 0x83dd) csource_test.go:124: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include static void kill_and_wait(int pid, int* status) { kill(pid, SIGKILL); while (waitpid(-1, status, 0) != pid) { } } static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if 
(clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1);
	return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}

// Creates a scratch directory "./syzkaller.XXXXXX" with mkdtemp, makes it
// world-writable (0777) and chdirs into it. Any failure exits the process.
static void use_temporary_dir(void)
{
	char tmpdir_template[] = "./syzkaller.XXXXXX";
	char* tmpdir = mkdtemp(tmpdir_template);
	if (!tmpdir)
		exit(1);
	if (chmod(tmpdir, 0777))
		exit(1);
	if (chdir(tmpdir))
		exit(1);
}

// Recursively deletes dir and everything below it. A directory that cannot
// be opened because of EACCES is handed to rmdir as-is; any other failure
// exits the process. noinline presumably keeps the inliner from stacking
// several FILENAME_MAX buffers into one frame (the build passes
// -Wframe-larger-than) — TODO confirm.
static void __attribute__((noinline)) remove_dir(const char* dir)
{
	DIR* dp = opendir(dir);
	if (dp == NULL) {
		if (errno == EACCES) {
			if (rmdir(dir))
				exit(1);
			return;
		}
		exit(1);
	}
	struct dirent* ep = 0;
	while ((ep = readdir(dp))) {
		if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0)
			continue;
		char filename[FILENAME_MAX];
		// snprintf truncation is not checked; a truncated path would most
		// likely fail the lstat below and exit rather than touch a wrong entry.
		snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name);
		struct stat st;
		// lstat, not stat: a symlink is unlinked, never descended into.
		if (lstat(filename, &st))
			exit(1);
		if (S_ISDIR(st.st_mode)) {
			remove_dir(filename);
			continue;
		}
		if (unlink(filename))
			exit(1);
	}
	closedir(dp);
	if (rmdir(dir))
		exit(1);
}

// Starts fn(arg) on a new thread with a 128 KiB stack. The pthread_t is
// dropped, so the thread is never joined. EAGAIN is retried up to 100 times
// with a 50 us pause; any other error, or running out of retries, exits.
// NOTE(review): pthread_create reports failure through its return value,
// not errno; the EAGAIN test relies on the libc also setting errno.
static void thread_start(void* (*fn)(void*), void* arg)
{
	pthread_t th;
	pthread_attr_t attr;
	pthread_attr_init(&attr);
	pthread_attr_setstacksize(&attr, 128 << 10);
	int i = 0;
	for (; i < 100; i++) {
		if (pthread_create(&th, &attr, fn, arg) == 0) {
			pthread_attr_destroy(&attr);
			return;
		}
		if (errno == EAGAIN) {
			usleep(50);
			continue;
		}
		break;
	}
	exit(1);
}

// One-shot event: a flag (state) guarded by mu, with cv for sleepers.
typedef struct {
	pthread_mutex_t mu;
	pthread_cond_t cv;
	int state;
} event_t;

// Initialises mutex and condvar (exiting on failure) with the flag clear.
static void event_init(event_t* ev)
{
	if (pthread_mutex_init(&ev->mu, 0))
		exit(1);
	if (pthread_cond_init(&ev->cv, 0))
		exit(1);
	ev->state = 0;
}

// Clears the flag without taking mu. Only the side that has just consumed
// the event calls it (thr resets ready, execute_one resets done).
static void event_reset(event_t* ev)
{
	ev->state = 0;
}

// Raises the flag and wakes every waiter. Setting an event that is already
// set exits the process (double set).
static void event_set(event_t* ev)
{
	pthread_mutex_lock(&ev->mu);
	if (ev->state)
		exit(1);
	ev->state = 1;
	pthread_mutex_unlock(&ev->mu);
	pthread_cond_broadcast(&ev->cv);
}

// Blocks until the flag is set.
static void event_wait(event_t* ev)
{
	pthread_mutex_lock(&ev->mu);
	while (!ev->state)
		pthread_cond_wait(&ev->cv, &ev->mu);
	pthread_mutex_unlock(&ev->mu);
}

// Returns the flag's current value, read under mu.
static int event_isset(event_t* ev)
{
	pthread_mutex_lock(&ev->mu);
	int res = ev->state;
	pthread_mutex_unlock(&ev->mu);
	return
res; }

// Waits up to timeout ms for the flag and returns its value on exit (1 if
// set, 0 on timeout). NOTE(review): ts is built from the *remaining* relative
// time, while pthread_cond_timedwait takes an absolute time, so the wait
// presumably returns at once and the loop degrades to polling
// current_time_ms() until timeout has elapsed.
static int event_timedwait(event_t* ev, uint64_t timeout)
{
	uint64_t start = current_time_ms();
	uint64_t now = start;
	pthread_mutex_lock(&ev->mu);
	for (;;) {
		if (ev->state)
			break;
		uint64_t remain = timeout - (now - start);
		struct timespec ts;
		ts.tv_sec = remain / 1000;
		ts.tv_nsec = (remain % 1000) * 1000 * 1000;
		pthread_cond_timedwait(&ev->cv, &ev->mu, &ts);
		now = current_time_ms();
		if (now - start > timeout)
			break;
	}
	int res = ev->state;
	pthread_mutex_unlock(&ev->mu);
	return res;
}

// Mask of bf_len bits starting at bit bf_off (bf_len must stay below 64,
// a wider shift is undefined).
#define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off))
// Read-modify-write of one bit-field inside the `type` stored at addr: the
// old value is brought to host order with htobe, the field replaced, and the
// result converted back. htobe may be empty (identity) for host-order fields,
// as execute_call uses it.
#define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len))))

// Running one's-complement (Internet) checksum accumulator.
struct csum_inet {
	uint32_t acc;
};

static void csum_inet_init(struct csum_inet* csum)
{
	csum->acc = 0;
}

// Adds length bytes of data to the sum as 16-bit words, read straight
// through a uint16_t* (generated code: relies on the target tolerating
// misaligned, aliasing loads). An odd trailing byte is added as a
// little-endian word. Carries are folded so acc fits in 16 bits on return.
static void csum_inet_update(struct csum_inet* csum, const uint8_t* data, size_t length)
{
	if (length == 0)
		return;
	size_t i = 0;
	for (; i < length - 1; i += 2)
		csum->acc += *(uint16_t*)&data[i];
	if (length & 1)
		csum->acc += le16toh((uint16_t)data[length - 1]);
	while (csum->acc > 0xffff)
		csum->acc = (csum->acc & 0xffff) + (csum->acc >> 16);
}

// Final checksum: the one's complement of the folded sum, truncated to 16 bits.
static uint16_t csum_inet_digest(struct csum_inet* csum)
{
	return ~csum->acc;
}

// Limits shared by every sandbox mode: a new session, then hard caps on
// address space (128 MiB), locked memory (8 MiB), file size (1 MiB), stack
// (1 MiB), core dumps (none) and open files (256). setrlimit results are
// ignored, so the caps are best effort.
static void sandbox_common()
{
	if (setsid() == -1)
		exit(1);
	struct rlimit rlim;
	rlim.rlim_cur = rlim.rlim_max = 128 << 20;
	setrlimit(RLIMIT_AS, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 8 << 20;
	setrlimit(RLIMIT_MEMLOCK, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 1 << 20;
	setrlimit(RLIMIT_FSIZE, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 1 << 20;
	setrlimit(RLIMIT_STACK, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 0;
	setrlimit(RLIMIT_CORE, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 256;
	setrlimit(RLIMIT_NOFILE, &rlim);
}

static void loop();

// Sandbox "none": only sandbox_common(), no privilege drop or namespace
// isolation, then loop(). Returns 0 once loop() returns.
static int do_sandbox_none(void)
{
	sandbox_common();
	loop();
	return 0;
}

// Treats text as a code address and calls it, i.e. runs whatever bytes the
// program copied there (execute_call places them in the RWX mapping that
// main() sets up). Returns 0 if control comes back.
static long syz_execute_func(volatile long text)
{
	((void (*)(void))(text))();
	return 0;
}

struct
thread_t {
	int created, call; // created: thread started; call: index to execute
	event_t ready, done; // ready: work handed over; done: call finished (set while idle)
};

static struct thread_t threads[16];
static void execute_call(int call);
// Number of calls currently executing on worker threads.
static int running;

// Worker body: waits for ready, clears it, runs the requested call, drops
// the running count and signals done; repeats forever (the return is
// unreachable).
static void* thr(void* arg)
{
	struct thread_t* th = (struct thread_t*)arg;
	for (;;) {
		event_wait(&th->ready);
		event_reset(&th->ready);
		execute_call(th->call);
		__atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED);
		event_set(&th->done);
	}
	return 0;
}

// Issues the program's 13 calls in order. Each call goes to the first idle
// worker (done set), workers being created lazily up to the 16 in threads[];
// the caller then waits at most 45 ms for it, so a call that hangs keeps
// its worker busy and later calls move to other workers. Afterwards waits
// up to ~100 ms for outstanding calls to drain.
static void execute_one(void)
{
	int i, call, thread;
	for (call = 0; call < 13; call++) {
		for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) {
			struct thread_t* th = &threads[thread];
			if (!th->created) {
				th->created = 1;
				event_init(&th->ready);
				event_init(&th->done);
				// done is pre-set so a fresh worker counts as idle right away.
				event_set(&th->done);
				thread_start(thr, th);
			}
			if (!event_isset(&th->done))
				continue;
			event_reset(&th->done);
			th->call = call;
			__atomic_fetch_add(&running, 1, __ATOMIC_RELAXED);
			event_set(&th->ready);
			event_timedwait(&th->done, 45);
			break;
		}
	}
	for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++)
		sleep_ms(1);
}

// Redundant re-declaration after the definition; harmless.
static void execute_one(void);

// Extra waitpid flags for this target (none).
#define WAIT_FLAGS 0

// Runs execute_one() 10 times (RepeatTimes), each iteration in a fresh child
// process and a fresh directory ./<iter>. The parent polls waitpid every
// 1 ms and, after 5 s, kills the child and reaps it; the directory is then
// removed.
static void loop(void)
{
	int iter = 0;
	for (; iter < 10; iter++) {
		char cwdbuf[32]; // "./" plus any int fits comfortably
		sprintf(cwdbuf, "./%d", iter);
		if (mkdir(cwdbuf, 0777))
			exit(1);
		int pid = fork();
		if (pid < 0)
			exit(1);
		if (pid == 0) {
			if (chdir(cwdbuf))
				exit(1);
			execute_one();
			exit(0);
		}
		int status = 0;
		uint64_t start = current_time_ms();
		for (;;) {
			if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
				break;
			sleep_ms(1);
			if (current_time_ms() - start < 5 * 1000)
				continue;
			kill_and_wait(pid, &status);
			break;
		}
		remove_dir(cwdbuf);
	}
}

// Result slots shared between calls (r[0] = the fd returned by shm_open in
// case 3). Pre-set to -1 so a consumer such as fchdir runs with an invalid
// fd when the producer failed.
uint64_t r[1] = {0xffffffffffffffff};

// Executes call number `call` of the program. Operands live in the fixed
// mapping at 0x10000000 that main() creates; each case first writes them
// there and then issues the raw syscall. Linkage is internal: the earlier
// `static` prototype applies.
void execute_call(int call)
{
	intptr_t res = 0;
	switch (call) {
	case 0:
		memcpy((void*)0x10000000, "./file0\000", 8);
		syscall(SYS_mkdirat, -1, 0x10000000, 4);
		break;
	case 1:
		syscall(SYS_shmctl, 0, 0, 0);
		break;
	case 2:
		memcpy((void*)0x10000040,
"\x5d\x74\xbd\xa1\xc6\xfa\xf7\xed\x1d\xa3\x48\xf3\xfe\x51\xda\x8b\x4b\x57\xdf\x85\xe1\x00\x99\x80\x54\x73\xe4\x43\x07\x17\xdf\x69\x42\xb6\x22\x2f\x5c\x55\x01\xc5\x9e\x39\x68\x80\x18\x42\x24\xc2\x38\x46\x24\xd0\x2b\xf0\xc1\x9e\x0f\x3d\xa4\x6c\x8b\x4e\xdb\x29\xb9\x53\x61\xa8\x0b\x94\xd0\x15\xb9\x91\xbe\xd4\x79\x83\xeb\x5f\x93\x5f\xca\xca\xd2\x04\x5b\xcb\xca\x6b\x7c\x17\xf2\xad\xea\xe5\xbd\xa3\xd6\x35\xa4\xc3\xf3\x7e\x11\xd4\xf3\xd9\xe6\x5e\x4c\xb3\x25\x4d\x55\x0a\xe7\xa2\x74\x64\xd2\x81\xdd\xb7\x97\xfe\xd8\x96\x2e\x1d\xd5\x51\xb6\xd1\x2b\x40\xf9\x2d\x97\xf3\xcc\x57\x90\x5a\x72\x80\xf2\x73\xe7\x34\xaf\x43\x78\xe0\x7a\xb0\xac\x1c\xe7\x02\xdb\x10\x83\xfb\x2b\x30\xd6\xc6\x1d\x52\xe8\xb8\x39\xcc\x8a\x31\xcc\x2b\x95\xe0\xbf\x3e\x85\x5b\xb7\xf0\x49\xc5\xf8\x03\x95\xb2\xcd\xde\x79\x0f\xf0\x9c\x24\xc6\x87", 201); syscall(SYS_ioctl, -1, 0xcbe04406, 0x10000040); break; case 3: memcpy((void*)0x10000140, "./file0\000", 8); res = syscall(SYS_freebsd12_shm_open, 0x10000140, 0x800, 0x84); if (res != -1) r[0] = res; break; case 4: syscall(SYS_fchdir, (intptr_t)r[0]); break; case 5: memcpy((void*)0x10000180, "\x3b\xa9\x60\xcd\x20\x02\xee\x91\x2a\xb8\x9d\x70\xb3\x19\x8f\x9b\xdf\x06\x32\xc4\x1d\xc9\xb2\x6f\xc8\x68\x41\x5f\x72\xc4\x19\xe3\xa5\x45\xde\x1d\xf7\x56\xb0\x7a\x98\x21\x33\xe5\x94\x4e\x0d\x3b\x49\x0c\x4d\x5c\xf8\xe6\x09\xd1\x2f\x0e\x20\x6a\x7c\x12\xa6\xa6\x5f\xb0\x27\x32\x45\x01\x80\x35\x32\x66\xc2\x15\x98\x58\xb7\xd9\x8f\xa6\xdb\x7d\x05\x83\x4f\x23", 88); syscall(SYS_ioctl, -1, 0xcbe04406, 0x10000180); break; case 6: memcpy((void*)0x10000200, "./file0\000", 8); memcpy((void*)0x10000240, "./file0\000", 8); syscall(SYS_rename, 0x10000200, 0x10000240); break; case 7: *(uint32_t*)0x10000280 = 0; *(uint32_t*)0x10000284 = 0x7e; memcpy((void*)0x10000288, 
"\x0f\x7d\x7a\x58\x04\x40\x3e\xec\x81\x64\xe9\x19\xdf\xd4\xe3\x51\xb4\x9a\x4a\xf8\x25\x55\x9c\xf7\x24\xbc\x44\xba\x4d\xc1\x36\x66\xea\x2a\x7b\x38\x51\x34\xf4\x15\x72\x71\xa4\x09\x9b\xa9\x6c\x43\xc8\x41\x4a\xb9\x31\x2e\x82\xbe\xfd\x94\x5c\x8d\x50\x48\x80\xc7\x8b\x63\x90\xdb\x12\x69\x09\x26\x47\xd1\x37\xc2\x32\xd9\x3a\xa2\x16\x03\x7f\x48\x5c\x12\xa2\x1b\x33\x2d\xb7\xe2\xae\x3f\xd4\xe5\x55\xd7\xa3\x55\xbb\x60\x64\x63\x16\x00\x33\xfc\xc5\x03\xff\x22\xee\x4f\x22\x1b\x78\x50\x3c\x59\xc0\xbb\x37\x20\xa6\xf2", 126); *(uint32_t*)0x10000340 = 0x86; syscall(SYS_getsockopt, -1, 0x84, 0x103, 0x10000280, 0x10000340); break; case 8: syscall(SYS_mprotect, 0x10fff000, 0x1000, 0xa4d12c96); break; case 9: *(uint32_t*)0x100003c0 = 4; syscall(SYS_getsockopt, -1, 0x88, 2, 0x10000380, 0x100003c0); break; case 10: *(uint8_t*)0x10000000 = 0; *(uint8_t*)0x10000001 = 0; *(uint8_t*)0x10000002 = 0; *(uint8_t*)0x10000003 = 0; *(uint8_t*)0x10000004 = 0; *(uint8_t*)0x10000005 = 0; *(uint8_t*)0x10000006 = 0; *(uint8_t*)0x10000007 = 0; *(uint8_t*)0x10000008 = 0; *(uint8_t*)0x10000009 = 0; *(uint8_t*)0x1000000a = 0; *(uint8_t*)0x1000000b = 0; *(uint16_t*)0x1000000c = htobe16(0x8100); STORE_BY_BITMASK(uint16_t, , 0x1000000e, 7, 0, 3); STORE_BY_BITMASK(uint16_t, , 0x1000000e, 0, 3, 1); STORE_BY_BITMASK(uint16_t, , 0x1000000e, 4, 4, 12); *(uint16_t*)0x10000010 = htobe16(0x800); STORE_BY_BITMASK(uint8_t, , 0x10000012, 0xc, 0, 4); STORE_BY_BITMASK(uint8_t, , 0x10000012, 4, 4, 4); STORE_BY_BITMASK(uint8_t, , 0x10000013, 1, 0, 2); STORE_BY_BITMASK(uint8_t, , 0x10000013, 5, 2, 6); *(uint16_t*)0x10000014 = htobe16(0x11b); *(uint16_t*)0x10000016 = htobe16(0x65); *(uint16_t*)0x10000018 = htobe16(1); *(uint8_t*)0x1000001a = 0; *(uint8_t*)0x1000001b = 0x5a; *(uint16_t*)0x1000001c = htobe16(0); *(uint32_t*)0x1000001e = htobe32(0xe0000001); *(uint32_t*)0x10000022 = htobe32(0); *(uint8_t*)0x10000026 = 0; *(uint8_t*)0x10000027 = 0; *(uint8_t*)0x10000028 = 0x44; *(uint8_t*)0x10000029 = 0x10; *(uint8_t*)0x1000002a = 
0x32; STORE_BY_BITMASK(uint8_t, , 0x1000002b, 3, 0, 4); STORE_BY_BITMASK(uint8_t, , 0x1000002b, 9, 4, 4); *(uint32_t*)0x1000002c = htobe32(2); *(uint32_t*)0x10000030 = htobe32(0); *(uint32_t*)0x10000034 = htobe32(3); *(uint8_t*)0x10000038 = 0x94; *(uint8_t*)0x10000039 = 6; *(uint32_t*)0x1000003a = htobe32(8); *(uint8_t*)0x1000003e = 1; memcpy((void*)0x10000042, "\x5c\x1c\xf0\x73\xcf\xe9\x09\xc6\xaf\xe4\xc6\x1f\xec\x1b\xe4\x3e\x8c\xc3\x18\xea\x69\x93\x04\x8d\xae\x47\x84\xf9\x4d\x25\x82\xe3\xf4\xb6\x42\x4e\xa9\x0e\xed\xb4\x7f\x76\x04\x1f\x06\x33\x10\xb3\x46\x3f\x16\xf8\x91\xa4\x6a\x04\x0c\x93\xd6\x8d\x53\xcd\xaa\x15\x1f\x0e\x1c\xf9\x4a\x76\xc2\x24\x3b\xdd\x34\xdc\x2b\xa2\x9c\x02\x2d\xae\xf0\x2c\x4f\x01\xe8\x3d\xeb\x32\x47\x46\xde\x26\xab\xc9\xb6\xa2\x18\xbb\x44\xa1\x8b\xc9\xa2\x10\x6b\x4b\x06\x8a\x65\x05\x7d\xa3\xbb\x97\x21\xc6\xe6\x50\x38\x4e\xa1\xf3\x2a\xec\xfb\x30\x4e\x3d\xe6\x5b\xed\xf8\xa6\x8b\x6d\x67\x24\x44\xdb\x37\x45\xd6\x73\xbd\xa9\xd7\x97\x75\x2d\xf9\x94\x87\x95\xb8\xb4\xd3\xad\x21\x19\xab\xed\xfb\x4b\x99\xd6\xae\xe1\xed\x72\x56\x1d\x35\xc6\xf7\xc3\x5d\x2a\xbb\x15\xdc\x22\x13\x54\xe0\x3a\xbf\xec\x53\x10\x2a\x5d\xb5\x08\xdc\x91\x05\xd5\x49\x97\x30\xce\x3c\x11\xfe\x85\xce\x52\xc1\x86\x67\x32\xc9\x8b\x13\x16\x31\x49\x0d\x50\x1b\x16\x08\x17\xff\x9d\xd8\x5c\xed\xe2\x2b\x37\xf0\x0a", 235); struct csum_inet csum_1; csum_inet_init(&csum_1); csum_inet_update(&csum_1, (const uint8_t*)0x10000012, 48); *(uint16_t*)0x1000001c = csum_inet_digest(&csum_1); break; case 11: memcpy((void*)0x10000140, "\x66\x0f\x38\x25\x76\x87\xc4\xc3\x19\x02\x6e\x65\x70\x8f\xe8\x40\x85\x39\x06\x67\x3e\x65\x66\x0f\x3a\x0d\xff\x00\x66\x66\x0f\x29\x13\x36\x0f\x0f\xae\x2a\xb9\x00\x00\xbb\xd3\x92\xd5\x5f\x00\x00\x0f\x38\xcd\x4c\xa1\x03\x67\x0f\xb9\x93\xf7\xb5\xc4\xc1\x29\xf1\x6c\x38\x00", 67); syz_execute_func(0x10000140); break; case 12: break; } } int main(void) { syscall(SYS_mmap, 0x10000000, 0x1000000, 7, 0x1012, -1, 0); use_temporary_dir(); do_sandbox_none(); return 0; } :347:17: error: use 
of undeclared identifier 'SYS_freebsd12_shm_open' res = syscall(SYS_freebsd12_shm_open, 0x10000140, 0x800, 0x84); ^ 1 error generated. compiler invocation: clang [-o /tmp/syz-executor420802256 -DGOOS_freebsd=1 -DGOARCH_386=1 -DHOSTGOOS_freebsd=1 -x c - -m32 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -static -lc++ -Wno-overflow] --- FAIL: TestGenerate/freebsd/386/13 (0.84s) csource_test.go:123: opts: {Threaded:true Collide:false Repeat:true RepeatTimes:0 Procs:0 Sandbox:none Fault:false FaultCall:0 FaultNth:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false USB:false VhciInjection:false Wifi:false UseTmpDir:true HandleSegv:false Repro:false Trace:true} program: mkdirat(0xffffffffffffffff, &(0x7f0000000000)='./file0\x00', 0x4) shmctl$IPC_RMID(0x0, 0x0) ioctl$DIOCGETRULES(0xffffffffffffffff, 0xcbe04406, &(0x7f0000000040)="5d74bda1c6faf7ed1da348f3fe51da8b4b57df85e10099805473e4430717df6942b6222f5c5501c59e396880184224c2384624d02bf0c19e0f3da46c8b4edb29b95361a80b94d015b991bed47983eb5f935fcacad2045bcbca6b7c17f2adeae5bda3d635a4c3f37e11d4f3d9e65e4cb3254d550ae7a27464d281ddb797fed8962e1dd551b6d12b40f92d97f3cc57905a7280f273e734af4378e07ab0ac1ce702db1083fb2b30d6c61d52e8b839cc8a31cc2b95e0bf3e855bb7f049c5f80395b2cdde790ff09c24c687") r0 = freebsd12_shm_open(&(0x7f0000000140)='./file0\x00', 0x800, 0x84) fchdir(r0) ioctl$DIOCGETRULES(0xffffffffffffffff, 0xcbe04406, &(0x7f0000000180)="3ba960cd2002ee912ab89d70b3198f9bdf0632c41dc9b26fc868415f72c419e3a545de1df756b07a982133e5944e0d3b490c4d5cf8e609d12f0e206a7c12a6a65fb02732450180353266c2159858b7d98fa6db7d05834f23") rename(&(0x7f0000000200)='./file0\x00', &(0x7f0000000240)='./file0\x00') getsockopt$inet_sctp_SCTP_LOCAL_AUTH_CHUNKS(0xffffffffffffffff, 0x84, 0x103, &(0x7f0000000280)={0x0, 0x7e, 
"0f7d7a5804403eec8164e919dfd4e351b49a4af825559cf724bc44ba4dc13666ea2a7b385134f4157271a4099ba96c43c8414ab9312e82befd945c8d504880c78b6390db1269092647d137c232d93aa216037f485c12a21b332db7e2ae3fd4e555d7a355bb606463160033fcc503ff22ee4f221b78503c59c0bb3720a6f2"}, &(0x7f0000000340)=0x86) mprotect(&(0x7f0000fff000/0x1000)=nil, 0x1000, 0xcbc8aa5da4d12c96) getsockopt$inet6_udplite(0xffffffffffffffff, 0x88, 0x2, &(0x7f0000000380), &(0x7f00000003c0)=0x4) syz_emit_ethernet(0x12d, &(0x7f0000000000)={@empty, @empty, [{[], {0x8100, 0x7, 0x0, 0x4}}], {@ipv4={0x800, {{0xc, 0x4, 0x1, 0x5, 0x11b, 0x65, 0x1, 0x0, 0x5a, 0x0, @multicast1, @empty, {[@end, @end, @timestamp={0x44, 0x10, 0x32, 0x3, 0x9, [{[], 0x2}, {[@empty], 0x3}]}, @ra={0x94, 0x6, 0x8}, @noop]}}, @generic="5c1cf073cfe909c6afe4c61fec1be43e8cc318ea6993048dae4784f94d2582e3f4b6424ea90eedb47f76041f063310b3463f16f891a46a040c93d68d53cdaa151f0e1cf94a76c2243bdd34dc2ba29c022daef02c4f01e83deb324746de26abc9b6a218bb44a18bc9a2106b4b068a65057da3bb9721c6e650384ea1f32aecfb304e3de65bedf8a68b6d672444db3745d673bda9d797752df9948795b8b4d3ad2119abedfb4b99d6aee1ed72561d35c6f7c35d2abb15dc221354e03abfec53102a5db508dc9105d5499730ce3c11fe85ce52c1866732c98b131631490d501b160817ff9dd85cede22b37f00a"}}}}) syz_execute_func(&(0x7f0000000140)="660f38257687c4c319026e65708fe840853906673e65660f3a0dff0066660f2913360f0fae2ab90000bbd392d55f00000f38cd4ca103670fb993f7b5c4c129f16c3800") syz_extract_tcp_res(&(0x7f00000001c0), 0x4, 0x83dd) csource_test.go:124: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include static void kill_and_wait(int pid, int* status) { kill(pid, SIGKILL); while (waitpid(-1, status, 0) != pid) { } } static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if 
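(clock_gettime(CLOCK_MONOTONIC, &ts))
		exit(1);
	return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}
/* Create a scratch directory under the cwd and chdir into it.
 * NOTE(review): the directory is made world-writable (0777) on purpose so
 * that de-privileged children can use it, which also lets any local user
 * plant files in the reproducer's working tree. */
static void use_temporary_dir(void)
{
	char tmpdir_template[] = "./syzkaller.XXXXXX";
	char* tmpdir = mkdtemp(tmpdir_template);
	if (!tmpdir)
		exit(1);
	if (chmod(tmpdir, 0777))
		exit(1);
	if (chdir(tmpdir))
		exit(1);
}
/* Recursively delete dir. Entries are inspected with lstat(), so a symlink
 * to a directory is unlinked rather than descended into. An unreadable
 * directory is just rmdir()ed. Any failure terminates the process. */
static void __attribute__((noinline)) remove_dir(const char* dir)
{
	DIR* dp = opendir(dir);
	if (dp == NULL) {
		if (errno == EACCES) {
			if (rmdir(dir))
				exit(1);
			return;
		}
		exit(1);
	}
	struct dirent* ep = 0;
	while ((ep = readdir(dp))) {
		if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0)
			continue;
		char filename[FILENAME_MAX];
		/* A truncated path would name some other file; refuse to
		 * lstat/unlink it instead of operating on the wrong entry. */
		int n = snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name);
		if (n < 0 || (size_t)n >= sizeof(filename))
			exit(1);
		struct stat st;
		if (lstat(filename, &st))
			exit(1);
		if (S_ISDIR(st.st_mode)) {
			remove_dir(filename);
			continue;
		}
		if (unlink(filename))
			exit(1);
	}
	closedir(dp);
	if (rmdir(dir))
		exit(1);
}
/* Start a worker thread with a 128 KiB stack; it is never joined. Retries up
 * to 100 times on EAGAIN (thread or memory limits). pthread_create() reports
 * failure through its return value rather than errno, so that is what is
 * inspected; any other failure exits the process. */
static void thread_start(void* (*fn)(void*), void* arg)
{
	pthread_t th;
	pthread_attr_t attr;
	pthread_attr_init(&attr);
	pthread_attr_setstacksize(&attr, 128 << 10);
	int i = 0;
	for (; i < 100; i++) {
		int err = pthread_create(&th, &attr, fn, arg);
		if (err == 0) {
			pthread_attr_destroy(&attr);
			return;
		}
		if (err == EAGAIN) {
			usleep(50);
			continue;
		}
		break;
	}
	exit(1);
}
/* Binary event: a mutex-guarded flag plus a condvar to wait on it. */
typedef struct {
	pthread_mutex_t mu;
	pthread_cond_t cv;
	int state;
} event_t;
static void event_init(event_t* ev)
{
	if (pthread_mutex_init(&ev->mu, 0))
		exit(1);
	if (pthread_cond_init(&ev->cv, 0))
		exit(1);
	ev->state = 0;
}
/* Clears the flag without taking the mutex; correctness relies on the
 * callers' ordering (reset only by the side that last observed the event),
 * not on the lock. */
static void event_reset(event_t* ev)
{
	ev->state = 0;
}
/* Sets the flag and wakes every waiter. Setting an already-set event is a
 * logic error and aborts the process. */
static void event_set(event_t* ev)
{
	pthread_mutex_lock(&ev->mu);
	if (ev->state)
		exit(1);
	ev->state = 1;
	pthread_mutex_unlock(&ev->mu);
	pthread_cond_broadcast(&ev->cv);
}
/* Block until the flag is set. */
static void event_wait(event_t* ev)
{
	pthread_mutex_lock(&ev->mu);
	while (!ev->state)
		pthread_cond_wait(&ev->cv, &ev->mu);
	pthread_mutex_unlock(&ev->mu);
}
/* Non-blocking read of the flag under the mutex. */
static int event_isset(event_t* ev)
{
	pthread_mutex_lock(&ev->mu);
	int res = ev->state;
	pthread_mutex_unlock(&ev->mu);
	return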
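res;
}
/* Wait for ev to become set, giving up after timeout milliseconds (measured
 * on the monotonic clock used by current_time_ms()). Returns the final flag
 * value. The condvar was created with default attributes (see event_init), so
 * pthread_cond_timedwait() expects an absolute CLOCK_REALTIME deadline; the
 * remaining budget is converted into one each round. Handing it the relative
 * value directly makes every wait return immediately and turns the loop into
 * a busy spin for the whole timeout. A realtime clock jump can only shorten
 * or lengthen one round; the monotonic check still bounds the total. */
static int event_timedwait(event_t* ev, uint64_t timeout)
{
	uint64_t start = current_time_ms();
	uint64_t now = start;
	pthread_mutex_lock(&ev->mu);
	for (;;) {
		if (ev->state)
			break;
		uint64_t remain = timeout - (now - start);
		struct timespec ts;
		if (clock_gettime(CLOCK_REALTIME, &ts))
			exit(1);
		ts.tv_sec += (time_t)(remain / 1000);
		ts.tv_nsec += (long)((remain % 1000) * 1000 * 1000);
		if (ts.tv_nsec >= 1000000000L) {
			ts.tv_sec += 1;
			ts.tv_nsec -= 1000000000L;
		}
		pthread_cond_timedwait(&ev->cv, &ev->mu, &ts);
		now = current_time_ms();
		if (now - start > timeout)
			break;
	}
	int res = ev->state;
	pthread_mutex_unlock(&ev->mu);
	return res;
}
/* Mask of bf_len bits starting at bit bf_off. */
#define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off))
/* Store val into the bit-field [bf_off, bf_off+bf_len) of the `type` object
 * at addr; htobe is the byte-order conversion to apply (may be empty).
 * addr is evaluated more than once, so pass only side-effect-free expressions. */
#define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len))))
/* Running one's-complement (Internet) checksum accumulator. */
struct csum_inet {
	uint32_t acc;
};
static void csum_inet_init(struct csum_inet* csum)
{
	csum->acc = 0;
}
/* Add length bytes at data to the sum as native-order 16-bit words and fold
 * the carries back into 16 bits. A trailing odd byte is widened with
 * le16toh() so it lands in the same half of the word an even-offset byte
 * occupies in a native load. The word loads go through memcpy: data is a
 * byte buffer that may be unaligned, so dereferencing it as uint16_t is not
 * a valid access. */
static void csum_inet_update(struct csum_inet* csum, const uint8_t* data, size_t length)
{
	if (length == 0)
		return;
	size_t i = 0;
	for (; i < length - 1; i += 2) {
		uint16_t word;
		memcpy(&word, &data[i], sizeof(word));
		csum->acc += word;
	}
	if (length & 1)
		csum->acc += le16toh((uint16_t)data[length - 1]);
	while (csum->acc > 0xffff)
		csum->acc = (csum->acc & 0xffff) + (csum->acc >> 16);
}
/* Final checksum: the inverted folded sum, truncated to 16 bits. */
static uint16_t csum_inet_digest(struct csum_inet* csum)
{
	return (uint16_t)~csum->acc;
}
/* Confinement shared by all sandboxes: a new session plus resource caps
 * (128 MiB address space, 8 MiB locked memory, 1 MiB file size, 1 MiB stack,
 * no core dumps, 256 descriptors).
 * NOTE(review): setrlimit() return values are ignored, so a cap the kernel
 * rejects is silently skipped; only a failed setsid() is fatal. */
static void sandbox_common()
{
	if (setsid() == -1)
		exit(1);
	struct rlimit rlim;
	rlim.rlim_cur = rlim.rlim_max = 128 << 20;
	setrlimit(RLIMIT_AS, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 8 << 20;
	setrlimit(RLIMIT_MEMLOCK, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 1 << 20;
	setrlimit(RLIMIT_FSIZE, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 1 << 20;
	setrlimit(RLIMIT_STACK, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 0;
	setrlimit(RLIMIT_CORE, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 256;
	setrlimit(RLIMIT_NOFILE, &rlim);
}
static void loop();
/* Sandbox "none": apply the common caps in this process and run loop(). */
static int do_sandbox_none(void)
{
	sandbox_common();
	loop();
	return 0;
}
/* Jump to the bytes at address text as a no-argument function. main() maps
 * the 0x10000000 region with prot 7 (PROT_READ|PROT_WRITE|PROT_EXEC), so the
 * fuzzer-generated machine code copied there runs directly; arbitrary code
 * execution is the point of this call, not an accident. */
static long syz_execute_func(volatile long text)
{
	((void (*)(void))(text))();
	return 0;
}
struct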
thread_t {
	int created, call;   /* worker started; index of the call it was last given */
	event_t ready, done; /* ready: a call was handed over; done: the call finished */
};
static struct thread_t threads[16];
static void execute_call(int call);
/* Calls currently executing on workers; touched only with relaxed atomics. */
static int running;
/* Worker body: block until a call is handed over, run it, report completion,
 * repeat forever. The thread is never joined. */
static void* thr(void* arg)
{
	struct thread_t* th = (struct thread_t*)arg;
	for (;;) {
		event_wait(&th->ready);
		event_reset(&th->ready);
		execute_call(th->call);
		__atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED);
		event_set(&th->done);
	}
	return 0;
}
/* Run calls 0..12 once, printing a "### start" trace line first. Each call
 * goes to the first idle worker (created on first use, initially marked
 * done) and is waited for up to 45 ms; a call that blocks longer keeps its
 * worker and the next call goes to another one. If all 16 workers are busy
 * the call is skipped. Finally wait up to ~100 ms for in-flight calls. */
static void execute_one(void)
{
	fprintf(stderr, "### start\n");
	int i, call, thread;
	for (call = 0; call < 13; call++) {
		for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) {
			struct thread_t* th = &threads[thread];
			if (!th->created) {
				th->created = 1;
				event_init(&th->ready);
				event_init(&th->done);
				event_set(&th->done);
				thread_start(thr, th);
			}
			if (!event_isset(&th->done))
				continue;
			event_reset(&th->done);
			th->call = call;
			__atomic_fetch_add(&running, 1, __ATOMIC_RELAXED);
			event_set(&th->ready);
			event_timedwait(&th->done, 45);
			break;
		}
	}
	for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++)
		sleep_ms(1);
}
static void execute_one(void);
#define WAIT_FLAGS 0
/* Repeat the program until killed, each run in a forked child inside a
 * fresh "./<iter>" directory. The parent polls for the child for 5 s, then
 * kills it, and removes the directory afterwards. */
static void loop(void)
{
	int iter = 0;
	for (;; iter++) {
		char cwdbuf[32]; /* "./" plus any int fits with room to spare */
		sprintf(cwdbuf, "./%d", iter);
		if (mkdir(cwdbuf, 0777))
			exit(1);
		int pid = fork();
		if (pid < 0)
			exit(1);
		if (pid == 0) {
			if (chdir(cwdbuf))
				exit(1);
			execute_one();
			exit(0);
		}
		int status = 0;
		uint64_t start = current_time_ms();
		for (;;) {
			/* waitpid(-1) reaps any child; only this pid ends the wait. */
			if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
				break;
			sleep_ms(1);
			if (current_time_ms() - start < 5 * 1000)
				continue;
			kill_and_wait(pid, &status);
			break;
		}
		remove_dir(cwdbuf);
	}
}
/* Resource table: r[0] receives the fd from call 3 (shm_open); -1 until then. */
uint64_t r[1] = {0xffffffffffffffff};
/* Each case issues one syscall and prints "### call=N errno=E" (E is 0 on
 * success) for the trace reader. */
void execute_call(int call)
{
	intptr_t res = 0;
	switch (call) {
	case 0:
		memcpy((void*)0x10000000, "./file0\000", 8);
		res = syscall(SYS_mkdirat, -1, 0x10000000, 4);
		fprintf(stderr, "### call=0 errno=%u\n", res == -1 ? errno : 0);
		break;
	case 1:
		res = syscall(SYS_shmctl, 0, 0, 0);
		fprintf(stderr, "### call=1 errno=%u\n", res == -1 ?
errno : 0); break; case 2: memcpy((void*)0x10000040, "\x5d\x74\xbd\xa1\xc6\xfa\xf7\xed\x1d\xa3\x48\xf3\xfe\x51\xda\x8b\x4b\x57\xdf\x85\xe1\x00\x99\x80\x54\x73\xe4\x43\x07\x17\xdf\x69\x42\xb6\x22\x2f\x5c\x55\x01\xc5\x9e\x39\x68\x80\x18\x42\x24\xc2\x38\x46\x24\xd0\x2b\xf0\xc1\x9e\x0f\x3d\xa4\x6c\x8b\x4e\xdb\x29\xb9\x53\x61\xa8\x0b\x94\xd0\x15\xb9\x91\xbe\xd4\x79\x83\xeb\x5f\x93\x5f\xca\xca\xd2\x04\x5b\xcb\xca\x6b\x7c\x17\xf2\xad\xea\xe5\xbd\xa3\xd6\x35\xa4\xc3\xf3\x7e\x11\xd4\xf3\xd9\xe6\x5e\x4c\xb3\x25\x4d\x55\x0a\xe7\xa2\x74\x64\xd2\x81\xdd\xb7\x97\xfe\xd8\x96\x2e\x1d\xd5\x51\xb6\xd1\x2b\x40\xf9\x2d\x97\xf3\xcc\x57\x90\x5a\x72\x80\xf2\x73\xe7\x34\xaf\x43\x78\xe0\x7a\xb0\xac\x1c\xe7\x02\xdb\x10\x83\xfb\x2b\x30\xd6\xc6\x1d\x52\xe8\xb8\x39\xcc\x8a\x31\xcc\x2b\x95\xe0\xbf\x3e\x85\x5b\xb7\xf0\x49\xc5\xf8\x03\x95\xb2\xcd\xde\x79\x0f\xf0\x9c\x24\xc6\x87", 201); res = syscall(SYS_ioctl, -1, 0xcbe04406, 0x10000040); fprintf(stderr, "### call=2 errno=%u\n", res == -1 ? errno : 0); break; case 3: memcpy((void*)0x10000140, "./file0\000", 8); res = syscall(SYS_freebsd12_shm_open, 0x10000140, 0x800, 0x84); fprintf(stderr, "### call=3 errno=%u\n", res == -1 ? errno : 0); if (res != -1) r[0] = res; break; case 4: res = syscall(SYS_fchdir, (intptr_t)r[0]); fprintf(stderr, "### call=4 errno=%u\n", res == -1 ? errno : 0); break; case 5: memcpy((void*)0x10000180, "\x3b\xa9\x60\xcd\x20\x02\xee\x91\x2a\xb8\x9d\x70\xb3\x19\x8f\x9b\xdf\x06\x32\xc4\x1d\xc9\xb2\x6f\xc8\x68\x41\x5f\x72\xc4\x19\xe3\xa5\x45\xde\x1d\xf7\x56\xb0\x7a\x98\x21\x33\xe5\x94\x4e\x0d\x3b\x49\x0c\x4d\x5c\xf8\xe6\x09\xd1\x2f\x0e\x20\x6a\x7c\x12\xa6\xa6\x5f\xb0\x27\x32\x45\x01\x80\x35\x32\x66\xc2\x15\x98\x58\xb7\xd9\x8f\xa6\xdb\x7d\x05\x83\x4f\x23", 88); res = syscall(SYS_ioctl, -1, 0xcbe04406, 0x10000180); fprintf(stderr, "### call=5 errno=%u\n", res == -1 ? 
errno : 0); break; case 6: memcpy((void*)0x10000200, "./file0\000", 8); memcpy((void*)0x10000240, "./file0\000", 8); res = syscall(SYS_rename, 0x10000200, 0x10000240); fprintf(stderr, "### call=6 errno=%u\n", res == -1 ? errno : 0); break; case 7: *(uint32_t*)0x10000280 = 0; *(uint32_t*)0x10000284 = 0x7e; memcpy((void*)0x10000288, "\x0f\x7d\x7a\x58\x04\x40\x3e\xec\x81\x64\xe9\x19\xdf\xd4\xe3\x51\xb4\x9a\x4a\xf8\x25\x55\x9c\xf7\x24\xbc\x44\xba\x4d\xc1\x36\x66\xea\x2a\x7b\x38\x51\x34\xf4\x15\x72\x71\xa4\x09\x9b\xa9\x6c\x43\xc8\x41\x4a\xb9\x31\x2e\x82\xbe\xfd\x94\x5c\x8d\x50\x48\x80\xc7\x8b\x63\x90\xdb\x12\x69\x09\x26\x47\xd1\x37\xc2\x32\xd9\x3a\xa2\x16\x03\x7f\x48\x5c\x12\xa2\x1b\x33\x2d\xb7\xe2\xae\x3f\xd4\xe5\x55\xd7\xa3\x55\xbb\x60\x64\x63\x16\x00\x33\xfc\xc5\x03\xff\x22\xee\x4f\x22\x1b\x78\x50\x3c\x59\xc0\xbb\x37\x20\xa6\xf2", 126); *(uint32_t*)0x10000340 = 0x86; res = syscall(SYS_getsockopt, -1, 0x84, 0x103, 0x10000280, 0x10000340); fprintf(stderr, "### call=7 errno=%u\n", res == -1 ? errno : 0); break; case 8: res = syscall(SYS_mprotect, 0x10fff000, 0x1000, 0xa4d12c96); fprintf(stderr, "### call=8 errno=%u\n", res == -1 ? errno : 0); break; case 9: *(uint32_t*)0x100003c0 = 4; res = syscall(SYS_getsockopt, -1, 0x88, 2, 0x10000380, 0x100003c0); fprintf(stderr, "### call=9 errno=%u\n", res == -1 ? 
errno : 0); break; case 10: *(uint8_t*)0x10000000 = 0; *(uint8_t*)0x10000001 = 0; *(uint8_t*)0x10000002 = 0; *(uint8_t*)0x10000003 = 0; *(uint8_t*)0x10000004 = 0; *(uint8_t*)0x10000005 = 0; *(uint8_t*)0x10000006 = 0; *(uint8_t*)0x10000007 = 0; *(uint8_t*)0x10000008 = 0; *(uint8_t*)0x10000009 = 0; *(uint8_t*)0x1000000a = 0; *(uint8_t*)0x1000000b = 0; *(uint16_t*)0x1000000c = htobe16(0x8100); STORE_BY_BITMASK(uint16_t, , 0x1000000e, 7, 0, 3); STORE_BY_BITMASK(uint16_t, , 0x1000000e, 0, 3, 1); STORE_BY_BITMASK(uint16_t, , 0x1000000e, 4, 4, 12); *(uint16_t*)0x10000010 = htobe16(0x800); STORE_BY_BITMASK(uint8_t, , 0x10000012, 0xc, 0, 4); STORE_BY_BITMASK(uint8_t, , 0x10000012, 4, 4, 4); STORE_BY_BITMASK(uint8_t, , 0x10000013, 1, 0, 2); STORE_BY_BITMASK(uint8_t, , 0x10000013, 5, 2, 6); *(uint16_t*)0x10000014 = htobe16(0x11b); *(uint16_t*)0x10000016 = htobe16(0x65); *(uint16_t*)0x10000018 = htobe16(1); *(uint8_t*)0x1000001a = 0; *(uint8_t*)0x1000001b = 0x5a; *(uint16_t*)0x1000001c = htobe16(0); *(uint32_t*)0x1000001e = htobe32(0xe0000001); *(uint32_t*)0x10000022 = htobe32(0); *(uint8_t*)0x10000026 = 0; *(uint8_t*)0x10000027 = 0; *(uint8_t*)0x10000028 = 0x44; *(uint8_t*)0x10000029 = 0x10; *(uint8_t*)0x1000002a = 0x32; STORE_BY_BITMASK(uint8_t, , 0x1000002b, 3, 0, 4); STORE_BY_BITMASK(uint8_t, , 0x1000002b, 9, 4, 4); *(uint32_t*)0x1000002c = htobe32(2); *(uint32_t*)0x10000030 = htobe32(0); *(uint32_t*)0x10000034 = htobe32(3); *(uint8_t*)0x10000038 = 0x94; *(uint8_t*)0x10000039 = 6; *(uint32_t*)0x1000003a = htobe32(8); *(uint8_t*)0x1000003e = 1; memcpy((void*)0x10000042, 
"\x5c\x1c\xf0\x73\xcf\xe9\x09\xc6\xaf\xe4\xc6\x1f\xec\x1b\xe4\x3e\x8c\xc3\x18\xea\x69\x93\x04\x8d\xae\x47\x84\xf9\x4d\x25\x82\xe3\xf4\xb6\x42\x4e\xa9\x0e\xed\xb4\x7f\x76\x04\x1f\x06\x33\x10\xb3\x46\x3f\x16\xf8\x91\xa4\x6a\x04\x0c\x93\xd6\x8d\x53\xcd\xaa\x15\x1f\x0e\x1c\xf9\x4a\x76\xc2\x24\x3b\xdd\x34\xdc\x2b\xa2\x9c\x02\x2d\xae\xf0\x2c\x4f\x01\xe8\x3d\xeb\x32\x47\x46\xde\x26\xab\xc9\xb6\xa2\x18\xbb\x44\xa1\x8b\xc9\xa2\x10\x6b\x4b\x06\x8a\x65\x05\x7d\xa3\xbb\x97\x21\xc6\xe6\x50\x38\x4e\xa1\xf3\x2a\xec\xfb\x30\x4e\x3d\xe6\x5b\xed\xf8\xa6\x8b\x6d\x67\x24\x44\xdb\x37\x45\xd6\x73\xbd\xa9\xd7\x97\x75\x2d\xf9\x94\x87\x95\xb8\xb4\xd3\xad\x21\x19\xab\xed\xfb\x4b\x99\xd6\xae\xe1\xed\x72\x56\x1d\x35\xc6\xf7\xc3\x5d\x2a\xbb\x15\xdc\x22\x13\x54\xe0\x3a\xbf\xec\x53\x10\x2a\x5d\xb5\x08\xdc\x91\x05\xd5\x49\x97\x30\xce\x3c\x11\xfe\x85\xce\x52\xc1\x86\x67\x32\xc9\x8b\x13\x16\x31\x49\x0d\x50\x1b\x16\x08\x17\xff\x9d\xd8\x5c\xed\xe2\x2b\x37\xf0\x0a", 235); struct csum_inet csum_1; csum_inet_init(&csum_1); csum_inet_update(&csum_1, (const uint8_t*)0x10000012, 48); *(uint16_t*)0x1000001c = csum_inet_digest(&csum_1); (void)res; break; case 11: memcpy((void*)0x10000140, "\x66\x0f\x38\x25\x76\x87\xc4\xc3\x19\x02\x6e\x65\x70\x8f\xe8\x40\x85\x39\x06\x67\x3e\x65\x66\x0f\x3a\x0d\xff\x00\x66\x66\x0f\x29\x13\x36\x0f\x0f\xae\x2a\xb9\x00\x00\xbb\xd3\x92\xd5\x5f\x00\x00\x0f\x38\xcd\x4c\xa1\x03\x67\x0f\xb9\x93\xf7\xb5\xc4\xc1\x29\xf1\x6c\x38\x00", 67); res = -1; errno = EFAULT; res = syz_execute_func(0x10000140); fprintf(stderr, "### call=11 errno=%u\n", res == -1 ? errno : 0); break; case 12: (void)res; break; } } int main(void) { syscall(SYS_mmap, 0x10000000, 0x1000000, 7, 0x1012, -1, 0); use_temporary_dir(); do_sandbox_none(); return 0; } :351:17: error: use of undeclared identifier 'SYS_freebsd12_shm_open' res = syscall(SYS_freebsd12_shm_open, 0x10000140, 0x800, 0x84); ^ 1 error generated. 
compiler invocation: clang [-o /tmp/syz-executor946073583 -DGOOS_freebsd=1 -DGOARCH_386=1 -DHOSTGOOS_freebsd=1 -x c - -m32 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -static -lc++ -Wno-overflow] --- FAIL: TestGenerate/freebsd/386/2 (1.61s) csource_test.go:123: opts: {Threaded:true Collide:true Repeat:true RepeatTimes:0 Procs:0 Sandbox:none Fault:false FaultCall:0 FaultNth:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false USB:false VhciInjection:false Wifi:false UseTmpDir:true HandleSegv:false Repro:false Trace:false} program: mkdirat(0xffffffffffffffff, &(0x7f0000000000)='./file0\x00', 0x4) shmctl$IPC_RMID(0x0, 0x0) ioctl$DIOCGETRULES(0xffffffffffffffff, 0xcbe04406, &(0x7f0000000040)="5d74bda1c6faf7ed1da348f3fe51da8b4b57df85e10099805473e4430717df6942b6222f5c5501c59e396880184224c2384624d02bf0c19e0f3da46c8b4edb29b95361a80b94d015b991bed47983eb5f935fcacad2045bcbca6b7c17f2adeae5bda3d635a4c3f37e11d4f3d9e65e4cb3254d550ae7a27464d281ddb797fed8962e1dd551b6d12b40f92d97f3cc57905a7280f273e734af4378e07ab0ac1ce702db1083fb2b30d6c61d52e8b839cc8a31cc2b95e0bf3e855bb7f049c5f80395b2cdde790ff09c24c687") r0 = freebsd12_shm_open(&(0x7f0000000140)='./file0\x00', 0x800, 0x84) fchdir(r0) ioctl$DIOCGETRULES(0xffffffffffffffff, 0xcbe04406, &(0x7f0000000180)="3ba960cd2002ee912ab89d70b3198f9bdf0632c41dc9b26fc868415f72c419e3a545de1df756b07a982133e5944e0d3b490c4d5cf8e609d12f0e206a7c12a6a65fb02732450180353266c2159858b7d98fa6db7d05834f23") rename(&(0x7f0000000200)='./file0\x00', &(0x7f0000000240)='./file0\x00') getsockopt$inet_sctp_SCTP_LOCAL_AUTH_CHUNKS(0xffffffffffffffff, 0x84, 0x103, &(0x7f0000000280)={0x0, 0x7e, 
"0f7d7a5804403eec8164e919dfd4e351b49a4af825559cf724bc44ba4dc13666ea2a7b385134f4157271a4099ba96c43c8414ab9312e82befd945c8d504880c78b6390db1269092647d137c232d93aa216037f485c12a21b332db7e2ae3fd4e555d7a355bb606463160033fcc503ff22ee4f221b78503c59c0bb3720a6f2"}, &(0x7f0000000340)=0x86) mprotect(&(0x7f0000fff000/0x1000)=nil, 0x1000, 0xcbc8aa5da4d12c96) getsockopt$inet6_udplite(0xffffffffffffffff, 0x88, 0x2, &(0x7f0000000380), &(0x7f00000003c0)=0x4) syz_emit_ethernet(0x12d, &(0x7f0000000000)={@empty, @empty, [{[], {0x8100, 0x7, 0x0, 0x4}}], {@ipv4={0x800, {{0xc, 0x4, 0x1, 0x5, 0x11b, 0x65, 0x1, 0x0, 0x5a, 0x0, @multicast1, @empty, {[@end, @end, @timestamp={0x44, 0x10, 0x32, 0x3, 0x9, [{[], 0x2}, {[@empty], 0x3}]}, @ra={0x94, 0x6, 0x8}, @noop]}}, @generic="5c1cf073cfe909c6afe4c61fec1be43e8cc318ea6993048dae4784f94d2582e3f4b6424ea90eedb47f76041f063310b3463f16f891a46a040c93d68d53cdaa151f0e1cf94a76c2243bdd34dc2ba29c022daef02c4f01e83deb324746de26abc9b6a218bb44a18bc9a2106b4b068a65057da3bb9721c6e650384ea1f32aecfb304e3de65bedf8a68b6d672444db3745d673bda9d797752df9948795b8b4d3ad2119abedfb4b99d6aee1ed72561d35c6f7c35d2abb15dc221354e03abfec53102a5db508dc9105d5499730ce3c11fe85ce52c1866732c98b131631490d501b160817ff9dd85cede22b37f00a"}}}}) syz_execute_func(&(0x7f0000000140)="660f38257687c4c319026e65708fe840853906673e65660f3a0dff0066660f2913360f0fae2ab90000bbd392d55f00000f38cd4ca103670fb993f7b5c4c129f16c3800") syz_extract_tcp_res(&(0x7f00000001c0), 0x4, 0x83dd) csource_test.go:124: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include static void kill_and_wait(int pid, int* status) { kill(pid, SIGKILL); while (waitpid(-1, status, 0) != pid) { } } static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if 
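(clock_gettime(CLOCK_MONOTONIC, &ts))
		exit(1);
	return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}
/* Create a scratch directory under the cwd and chdir into it.
 * NOTE(review): the directory is made world-writable (0777) on purpose so
 * that de-privileged children can use it, which also lets any local user
 * plant files in the reproducer's working tree. */
static void use_temporary_dir(void)
{
	char tmpdir_template[] = "./syzkaller.XXXXXX";
	char* tmpdir = mkdtemp(tmpdir_template);
	if (!tmpdir)
		exit(1);
	if (chmod(tmpdir, 0777))
		exit(1);
	if (chdir(tmpdir))
		exit(1);
}
/* Recursively delete dir. Entries are inspected with lstat(), so a symlink
 * to a directory is unlinked rather than descended into. An unreadable
 * directory is just rmdir()ed. Any failure terminates the process. */
static void __attribute__((noinline)) remove_dir(const char* dir)
{
	DIR* dp = opendir(dir);
	if (dp == NULL) {
		if (errno == EACCES) {
			if (rmdir(dir))
				exit(1);
			return;
		}
		exit(1);
	}
	struct dirent* ep = 0;
	while ((ep = readdir(dp))) {
		if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0)
			continue;
		char filename[FILENAME_MAX];
		/* A truncated path would name some other file; refuse to
		 * lstat/unlink it instead of operating on the wrong entry. */
		int n = snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name);
		if (n < 0 || (size_t)n >= sizeof(filename))
			exit(1);
		struct stat st;
		if (lstat(filename, &st))
			exit(1);
		if (S_ISDIR(st.st_mode)) {
			remove_dir(filename);
			continue;
		}
		if (unlink(filename))
			exit(1);
	}
	closedir(dp);
	if (rmdir(dir))
		exit(1);
}
/* Start a worker thread with a 128 KiB stack; it is never joined. Retries up
 * to 100 times on EAGAIN (thread or memory limits). pthread_create() reports
 * failure through its return value rather than errno, so that is what is
 * inspected; any other failure exits the process. */
static void thread_start(void* (*fn)(void*), void* arg)
{
	pthread_t th;
	pthread_attr_t attr;
	pthread_attr_init(&attr);
	pthread_attr_setstacksize(&attr, 128 << 10);
	int i = 0;
	for (; i < 100; i++) {
		int err = pthread_create(&th, &attr, fn, arg);
		if (err == 0) {
			pthread_attr_destroy(&attr);
			return;
		}
		if (err == EAGAIN) {
			usleep(50);
			continue;
		}
		break;
	}
	exit(1);
}
/* Binary event: a mutex-guarded flag plus a condvar to wait on it. */
typedef struct {
	pthread_mutex_t mu;
	pthread_cond_t cv;
	int state;
} event_t;
static void event_init(event_t* ev)
{
	if (pthread_mutex_init(&ev->mu, 0))
		exit(1);
	if (pthread_cond_init(&ev->cv, 0))
		exit(1);
	ev->state = 0;
}
/* Clears the flag without taking the mutex; correctness relies on the
 * callers' ordering (reset only by the side that last observed the event),
 * not on the lock. */
static void event_reset(event_t* ev)
{
	ev->state = 0;
}
/* Sets the flag and wakes every waiter. Setting an already-set event is a
 * logic error and aborts the process. */
static void event_set(event_t* ev)
{
	pthread_mutex_lock(&ev->mu);
	if (ev->state)
		exit(1);
	ev->state = 1;
	pthread_mutex_unlock(&ev->mu);
	pthread_cond_broadcast(&ev->cv);
}
/* Block until the flag is set. */
static void event_wait(event_t* ev)
{
	pthread_mutex_lock(&ev->mu);
	while (!ev->state)
		pthread_cond_wait(&ev->cv, &ev->mu);
	pthread_mutex_unlock(&ev->mu);
}
/* Non-blocking read of the flag under the mutex. */
static int event_isset(event_t* ev)
{
	pthread_mutex_lock(&ev->mu);
	int res = ev->state;
	pthread_mutex_unlock(&ev->mu);
	return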
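res;
}
/* Wait for ev to become set, giving up after timeout milliseconds (measured
 * on the monotonic clock used by current_time_ms()). Returns the final flag
 * value. The condvar was created with default attributes (see event_init), so
 * pthread_cond_timedwait() expects an absolute CLOCK_REALTIME deadline; the
 * remaining budget is converted into one each round. Handing it the relative
 * value directly makes every wait return immediately and turns the loop into
 * a busy spin for the whole timeout. A realtime clock jump can only shorten
 * or lengthen one round; the monotonic check still bounds the total. */
static int event_timedwait(event_t* ev, uint64_t timeout)
{
	uint64_t start = current_time_ms();
	uint64_t now = start;
	pthread_mutex_lock(&ev->mu);
	for (;;) {
		if (ev->state)
			break;
		uint64_t remain = timeout - (now - start);
		struct timespec ts;
		if (clock_gettime(CLOCK_REALTIME, &ts))
			exit(1);
		ts.tv_sec += (time_t)(remain / 1000);
		ts.tv_nsec += (long)((remain % 1000) * 1000 * 1000);
		if (ts.tv_nsec >= 1000000000L) {
			ts.tv_sec += 1;
			ts.tv_nsec -= 1000000000L;
		}
		pthread_cond_timedwait(&ev->cv, &ev->mu, &ts);
		now = current_time_ms();
		if (now - start > timeout)
			break;
	}
	int res = ev->state;
	pthread_mutex_unlock(&ev->mu);
	return res;
}
/* Mask of bf_len bits starting at bit bf_off. */
#define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off))
/* Store val into the bit-field [bf_off, bf_off+bf_len) of the `type` object
 * at addr; htobe is the byte-order conversion to apply (may be empty).
 * addr is evaluated more than once, so pass only side-effect-free expressions. */
#define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len))))
/* Running one's-complement (Internet) checksum accumulator. */
struct csum_inet {
	uint32_t acc;
};
static void csum_inet_init(struct csum_inet* csum)
{
	csum->acc = 0;
}
/* Add length bytes at data to the sum as native-order 16-bit words and fold
 * the carries back into 16 bits. A trailing odd byte is widened with
 * le16toh() so it lands in the same half of the word an even-offset byte
 * occupies in a native load. The word loads go through memcpy: data is a
 * byte buffer that may be unaligned, so dereferencing it as uint16_t is not
 * a valid access. */
static void csum_inet_update(struct csum_inet* csum, const uint8_t* data, size_t length)
{
	if (length == 0)
		return;
	size_t i = 0;
	for (; i < length - 1; i += 2) {
		uint16_t word;
		memcpy(&word, &data[i], sizeof(word));
		csum->acc += word;
	}
	if (length & 1)
		csum->acc += le16toh((uint16_t)data[length - 1]);
	while (csum->acc > 0xffff)
		csum->acc = (csum->acc & 0xffff) + (csum->acc >> 16);
}
/* Final checksum: the inverted folded sum, truncated to 16 bits. */
static uint16_t csum_inet_digest(struct csum_inet* csum)
{
	return (uint16_t)~csum->acc;
}
/* Confinement shared by all sandboxes: a new session plus resource caps
 * (128 MiB address space, 8 MiB locked memory, 1 MiB file size, 1 MiB stack,
 * no core dumps, 256 descriptors).
 * NOTE(review): setrlimit() return values are ignored, so a cap the kernel
 * rejects is silently skipped; only a failed setsid() is fatal. */
static void sandbox_common()
{
	if (setsid() == -1)
		exit(1);
	struct rlimit rlim;
	rlim.rlim_cur = rlim.rlim_max = 128 << 20;
	setrlimit(RLIMIT_AS, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 8 << 20;
	setrlimit(RLIMIT_MEMLOCK, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 1 << 20;
	setrlimit(RLIMIT_FSIZE, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 1 << 20;
	setrlimit(RLIMIT_STACK, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 0;
	setrlimit(RLIMIT_CORE, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 256;
	setrlimit(RLIMIT_NOFILE, &rlim);
}
static void loop();
/* Sandbox "none": apply the common caps in this process and run loop(). */
static int do_sandbox_none(void)
{
	sandbox_common();
	loop();
	return 0;
}
/* Jump to the bytes at address text as a no-argument function. main() maps
 * the 0x10000000 region with prot 7 (PROT_READ|PROT_WRITE|PROT_EXEC), so the
 * fuzzer-generated machine code copied there runs directly; arbitrary code
 * execution is the point of this call, not an accident. */
static long syz_execute_func(volatile long text)
{
	((void (*)(void))(text))();
	return 0;
}
struct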
thread_t {
	int created, call;   /* worker started; index of the call it was last given */
	event_t ready, done; /* ready: a call was handed over; done: the call finished */
};
static struct thread_t threads[16];
static void execute_call(int call);
/* Calls currently executing on workers; touched only with relaxed atomics. */
static int running;
/* Worker body: block until a call is handed over, run it, report completion,
 * repeat forever. The thread is never joined. */
static void* thr(void* arg)
{
	struct thread_t* th = (struct thread_t*)arg;
	for (;;) {
		event_wait(&th->ready);
		event_reset(&th->ready);
		execute_call(th->call);
		__atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED);
		event_set(&th->done);
	}
	return 0;
}
/* Run calls 0..12 twice. First pass: each call goes to the first idle worker
 * (created on first use, initially marked done) and is waited for up to
 * 45 ms. Second ("collide") pass: even-numbered calls are handed over
 * without waiting, so they overlap with the call that follows. A call whose
 * worker is still busy goes to the next worker; with all 16 busy it is
 * skipped. Each pass ends by waiting up to ~100 ms for in-flight calls. */
static void execute_one(void)
{
	int i, call, thread;
	int collide = 0;
again:
	for (call = 0; call < 13; call++) {
		for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) {
			struct thread_t* th = &threads[thread];
			if (!th->created) {
				th->created = 1;
				event_init(&th->ready);
				event_init(&th->done);
				event_set(&th->done);
				thread_start(thr, th);
			}
			if (!event_isset(&th->done))
				continue;
			event_reset(&th->done);
			th->call = call;
			__atomic_fetch_add(&running, 1, __ATOMIC_RELAXED);
			event_set(&th->ready);
			if (collide && (call % 2) == 0)
				break;
			event_timedwait(&th->done, 45);
			break;
		}
	}
	for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++)
		sleep_ms(1);
	if (!collide) {
		collide = 1;
		goto again;
	}
}
static void execute_one(void);
#define WAIT_FLAGS 0
/* Repeat the program until killed, each run in a forked child inside a
 * fresh "./<iter>" directory. The parent polls for the child for 5 s, then
 * kills it, and removes the directory afterwards. */
static void loop(void)
{
	int iter = 0;
	for (;; iter++) {
		char cwdbuf[32]; /* "./" plus any int fits with room to spare */
		sprintf(cwdbuf, "./%d", iter);
		if (mkdir(cwdbuf, 0777))
			exit(1);
		int pid = fork();
		if (pid < 0)
			exit(1);
		if (pid == 0) {
			if (chdir(cwdbuf))
				exit(1);
			execute_one();
			exit(0);
		}
		int status = 0;
		uint64_t start = current_time_ms();
		for (;;) {
			/* waitpid(-1) reaps any child; only this pid ends the wait. */
			if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
				break;
			sleep_ms(1);
			if (current_time_ms() - start < 5 * 1000)
				continue;
			kill_and_wait(pid, &status);
			break;
		}
		remove_dir(cwdbuf);
	}
}
/* Resource table: r[0] receives the fd from call 3 (shm_open); -1 until then. */
uint64_t r[1] = {0xffffffffffffffff};
void execute_call(int call)
{
	intptr_t res = 0;
	switch (call) {
	case 0:
		memcpy((void*)0x10000000, "./file0\000", 8);
		syscall(SYS_mkdirat, -1, 0x10000000, 4);
		break;
	case 1:
		syscall(SYS_shmctl, 0, 0, 0);
		break;
	case 2:
		memcpy((void*)0x10000040,
"\x5d\x74\xbd\xa1\xc6\xfa\xf7\xed\x1d\xa3\x48\xf3\xfe\x51\xda\x8b\x4b\x57\xdf\x85\xe1\x00\x99\x80\x54\x73\xe4\x43\x07\x17\xdf\x69\x42\xb6\x22\x2f\x5c\x55\x01\xc5\x9e\x39\x68\x80\x18\x42\x24\xc2\x38\x46\x24\xd0\x2b\xf0\xc1\x9e\x0f\x3d\xa4\x6c\x8b\x4e\xdb\x29\xb9\x53\x61\xa8\x0b\x94\xd0\x15\xb9\x91\xbe\xd4\x79\x83\xeb\x5f\x93\x5f\xca\xca\xd2\x04\x5b\xcb\xca\x6b\x7c\x17\xf2\xad\xea\xe5\xbd\xa3\xd6\x35\xa4\xc3\xf3\x7e\x11\xd4\xf3\xd9\xe6\x5e\x4c\xb3\x25\x4d\x55\x0a\xe7\xa2\x74\x64\xd2\x81\xdd\xb7\x97\xfe\xd8\x96\x2e\x1d\xd5\x51\xb6\xd1\x2b\x40\xf9\x2d\x97\xf3\xcc\x57\x90\x5a\x72\x80\xf2\x73\xe7\x34\xaf\x43\x78\xe0\x7a\xb0\xac\x1c\xe7\x02\xdb\x10\x83\xfb\x2b\x30\xd6\xc6\x1d\x52\xe8\xb8\x39\xcc\x8a\x31\xcc\x2b\x95\xe0\xbf\x3e\x85\x5b\xb7\xf0\x49\xc5\xf8\x03\x95\xb2\xcd\xde\x79\x0f\xf0\x9c\x24\xc6\x87", 201); syscall(SYS_ioctl, -1, 0xcbe04406, 0x10000040); break; case 3: memcpy((void*)0x10000140, "./file0\000", 8); res = syscall(SYS_freebsd12_shm_open, 0x10000140, 0x800, 0x84); if (res != -1) r[0] = res; break; case 4: syscall(SYS_fchdir, (intptr_t)r[0]); break; case 5: memcpy((void*)0x10000180, "\x3b\xa9\x60\xcd\x20\x02\xee\x91\x2a\xb8\x9d\x70\xb3\x19\x8f\x9b\xdf\x06\x32\xc4\x1d\xc9\xb2\x6f\xc8\x68\x41\x5f\x72\xc4\x19\xe3\xa5\x45\xde\x1d\xf7\x56\xb0\x7a\x98\x21\x33\xe5\x94\x4e\x0d\x3b\x49\x0c\x4d\x5c\xf8\xe6\x09\xd1\x2f\x0e\x20\x6a\x7c\x12\xa6\xa6\x5f\xb0\x27\x32\x45\x01\x80\x35\x32\x66\xc2\x15\x98\x58\xb7\xd9\x8f\xa6\xdb\x7d\x05\x83\x4f\x23", 88); syscall(SYS_ioctl, -1, 0xcbe04406, 0x10000180); break; case 6: memcpy((void*)0x10000200, "./file0\000", 8); memcpy((void*)0x10000240, "./file0\000", 8); syscall(SYS_rename, 0x10000200, 0x10000240); break; case 7: *(uint32_t*)0x10000280 = 0; *(uint32_t*)0x10000284 = 0x7e; memcpy((void*)0x10000288, 
"\x0f\x7d\x7a\x58\x04\x40\x3e\xec\x81\x64\xe9\x19\xdf\xd4\xe3\x51\xb4\x9a\x4a\xf8\x25\x55\x9c\xf7\x24\xbc\x44\xba\x4d\xc1\x36\x66\xea\x2a\x7b\x38\x51\x34\xf4\x15\x72\x71\xa4\x09\x9b\xa9\x6c\x43\xc8\x41\x4a\xb9\x31\x2e\x82\xbe\xfd\x94\x5c\x8d\x50\x48\x80\xc7\x8b\x63\x90\xdb\x12\x69\x09\x26\x47\xd1\x37\xc2\x32\xd9\x3a\xa2\x16\x03\x7f\x48\x5c\x12\xa2\x1b\x33\x2d\xb7\xe2\xae\x3f\xd4\xe5\x55\xd7\xa3\x55\xbb\x60\x64\x63\x16\x00\x33\xfc\xc5\x03\xff\x22\xee\x4f\x22\x1b\x78\x50\x3c\x59\xc0\xbb\x37\x20\xa6\xf2", 126); *(uint32_t*)0x10000340 = 0x86; syscall(SYS_getsockopt, -1, 0x84, 0x103, 0x10000280, 0x10000340); break; case 8: syscall(SYS_mprotect, 0x10fff000, 0x1000, 0xa4d12c96); break; case 9: *(uint32_t*)0x100003c0 = 4; syscall(SYS_getsockopt, -1, 0x88, 2, 0x10000380, 0x100003c0); break; case 10: *(uint8_t*)0x10000000 = 0; *(uint8_t*)0x10000001 = 0; *(uint8_t*)0x10000002 = 0; *(uint8_t*)0x10000003 = 0; *(uint8_t*)0x10000004 = 0; *(uint8_t*)0x10000005 = 0; *(uint8_t*)0x10000006 = 0; *(uint8_t*)0x10000007 = 0; *(uint8_t*)0x10000008 = 0; *(uint8_t*)0x10000009 = 0; *(uint8_t*)0x1000000a = 0; *(uint8_t*)0x1000000b = 0; *(uint16_t*)0x1000000c = htobe16(0x8100); STORE_BY_BITMASK(uint16_t, , 0x1000000e, 7, 0, 3); STORE_BY_BITMASK(uint16_t, , 0x1000000e, 0, 3, 1); STORE_BY_BITMASK(uint16_t, , 0x1000000e, 4, 4, 12); *(uint16_t*)0x10000010 = htobe16(0x800); STORE_BY_BITMASK(uint8_t, , 0x10000012, 0xc, 0, 4); STORE_BY_BITMASK(uint8_t, , 0x10000012, 4, 4, 4); STORE_BY_BITMASK(uint8_t, , 0x10000013, 1, 0, 2); STORE_BY_BITMASK(uint8_t, , 0x10000013, 5, 2, 6); *(uint16_t*)0x10000014 = htobe16(0x11b); *(uint16_t*)0x10000016 = htobe16(0x65); *(uint16_t*)0x10000018 = htobe16(1); *(uint8_t*)0x1000001a = 0; *(uint8_t*)0x1000001b = 0x5a; *(uint16_t*)0x1000001c = htobe16(0); *(uint32_t*)0x1000001e = htobe32(0xe0000001); *(uint32_t*)0x10000022 = htobe32(0); *(uint8_t*)0x10000026 = 0; *(uint8_t*)0x10000027 = 0; *(uint8_t*)0x10000028 = 0x44; *(uint8_t*)0x10000029 = 0x10; *(uint8_t*)0x1000002a = 
0x32; STORE_BY_BITMASK(uint8_t, , 0x1000002b, 3, 0, 4); STORE_BY_BITMASK(uint8_t, , 0x1000002b, 9, 4, 4); *(uint32_t*)0x1000002c = htobe32(2); *(uint32_t*)0x10000030 = htobe32(0); *(uint32_t*)0x10000034 = htobe32(3); *(uint8_t*)0x10000038 = 0x94; *(uint8_t*)0x10000039 = 6; *(uint32_t*)0x1000003a = htobe32(8); *(uint8_t*)0x1000003e = 1; memcpy((void*)0x10000042, "\x5c\x1c\xf0\x73\xcf\xe9\x09\xc6\xaf\xe4\xc6\x1f\xec\x1b\xe4\x3e\x8c\xc3\x18\xea\x69\x93\x04\x8d\xae\x47\x84\xf9\x4d\x25\x82\xe3\xf4\xb6\x42\x4e\xa9\x0e\xed\xb4\x7f\x76\x04\x1f\x06\x33\x10\xb3\x46\x3f\x16\xf8\x91\xa4\x6a\x04\x0c\x93\xd6\x8d\x53\xcd\xaa\x15\x1f\x0e\x1c\xf9\x4a\x76\xc2\x24\x3b\xdd\x34\xdc\x2b\xa2\x9c\x02\x2d\xae\xf0\x2c\x4f\x01\xe8\x3d\xeb\x32\x47\x46\xde\x26\xab\xc9\xb6\xa2\x18\xbb\x44\xa1\x8b\xc9\xa2\x10\x6b\x4b\x06\x8a\x65\x05\x7d\xa3\xbb\x97\x21\xc6\xe6\x50\x38\x4e\xa1\xf3\x2a\xec\xfb\x30\x4e\x3d\xe6\x5b\xed\xf8\xa6\x8b\x6d\x67\x24\x44\xdb\x37\x45\xd6\x73\xbd\xa9\xd7\x97\x75\x2d\xf9\x94\x87\x95\xb8\xb4\xd3\xad\x21\x19\xab\xed\xfb\x4b\x99\xd6\xae\xe1\xed\x72\x56\x1d\x35\xc6\xf7\xc3\x5d\x2a\xbb\x15\xdc\x22\x13\x54\xe0\x3a\xbf\xec\x53\x10\x2a\x5d\xb5\x08\xdc\x91\x05\xd5\x49\x97\x30\xce\x3c\x11\xfe\x85\xce\x52\xc1\x86\x67\x32\xc9\x8b\x13\x16\x31\x49\x0d\x50\x1b\x16\x08\x17\xff\x9d\xd8\x5c\xed\xe2\x2b\x37\xf0\x0a", 235); struct csum_inet csum_1; csum_inet_init(&csum_1); csum_inet_update(&csum_1, (const uint8_t*)0x10000012, 48); *(uint16_t*)0x1000001c = csum_inet_digest(&csum_1); break; case 11: memcpy((void*)0x10000140, "\x66\x0f\x38\x25\x76\x87\xc4\xc3\x19\x02\x6e\x65\x70\x8f\xe8\x40\x85\x39\x06\x67\x3e\x65\x66\x0f\x3a\x0d\xff\x00\x66\x66\x0f\x29\x13\x36\x0f\x0f\xae\x2a\xb9\x00\x00\xbb\xd3\x92\xd5\x5f\x00\x00\x0f\x38\xcd\x4c\xa1\x03\x67\x0f\xb9\x93\xf7\xb5\xc4\xc1\x29\xf1\x6c\x38\x00", 67); syz_execute_func(0x10000140); break; case 12: break; } } int main(void) { syscall(SYS_mmap, 0x10000000, 0x1000000, 7, 0x1012, -1, 0); use_temporary_dir(); do_sandbox_none(); return 0; } :355:17: error: use 
of undeclared identifier 'SYS_freebsd12_shm_open' res = syscall(SYS_freebsd12_shm_open, 0x10000140, 0x800, 0x84); ^ 1 error generated. compiler invocation: clang [-o /tmp/syz-executor335167618 -DGOOS_freebsd=1 -DGOARCH_386=1 -DHOSTGOOS_freebsd=1 -x c - -m32 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -static -lc++ -Wno-overflow] --- FAIL: TestGenerate/freebsd/386/3 (1.35s) csource_test.go:123: opts: {Threaded:true Collide:false Repeat:false RepeatTimes:0 Procs:0 Sandbox:none Fault:false FaultCall:0 FaultNth:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false USB:false VhciInjection:false Wifi:false UseTmpDir:true HandleSegv:false Repro:false Trace:false} program: mkdirat(0xffffffffffffffff, &(0x7f0000000000)='./file0\x00', 0x4) shmctl$IPC_RMID(0x0, 0x0) ioctl$DIOCGETRULES(0xffffffffffffffff, 0xcbe04406, &(0x7f0000000040)="5d74bda1c6faf7ed1da348f3fe51da8b4b57df85e10099805473e4430717df6942b6222f5c5501c59e396880184224c2384624d02bf0c19e0f3da46c8b4edb29b95361a80b94d015b991bed47983eb5f935fcacad2045bcbca6b7c17f2adeae5bda3d635a4c3f37e11d4f3d9e65e4cb3254d550ae7a27464d281ddb797fed8962e1dd551b6d12b40f92d97f3cc57905a7280f273e734af4378e07ab0ac1ce702db1083fb2b30d6c61d52e8b839cc8a31cc2b95e0bf3e855bb7f049c5f80395b2cdde790ff09c24c687") r0 = freebsd12_shm_open(&(0x7f0000000140)='./file0\x00', 0x800, 0x84) fchdir(r0) ioctl$DIOCGETRULES(0xffffffffffffffff, 0xcbe04406, &(0x7f0000000180)="3ba960cd2002ee912ab89d70b3198f9bdf0632c41dc9b26fc868415f72c419e3a545de1df756b07a982133e5944e0d3b490c4d5cf8e609d12f0e206a7c12a6a65fb02732450180353266c2159858b7d98fa6db7d05834f23") rename(&(0x7f0000000200)='./file0\x00', &(0x7f0000000240)='./file0\x00') getsockopt$inet_sctp_SCTP_LOCAL_AUTH_CHUNKS(0xffffffffffffffff, 0x84, 0x103, &(0x7f0000000280)={0x0, 0x7e, 
"0f7d7a5804403eec8164e919dfd4e351b49a4af825559cf724bc44ba4dc13666ea2a7b385134f4157271a4099ba96c43c8414ab9312e82befd945c8d504880c78b6390db1269092647d137c232d93aa216037f485c12a21b332db7e2ae3fd4e555d7a355bb606463160033fcc503ff22ee4f221b78503c59c0bb3720a6f2"}, &(0x7f0000000340)=0x86) mprotect(&(0x7f0000fff000/0x1000)=nil, 0x1000, 0xcbc8aa5da4d12c96) getsockopt$inet6_udplite(0xffffffffffffffff, 0x88, 0x2, &(0x7f0000000380), &(0x7f00000003c0)=0x4) syz_emit_ethernet(0x12d, &(0x7f0000000000)={@empty, @empty, [{[], {0x8100, 0x7, 0x0, 0x4}}], {@ipv4={0x800, {{0xc, 0x4, 0x1, 0x5, 0x11b, 0x65, 0x1, 0x0, 0x5a, 0x0, @multicast1, @empty, {[@end, @end, @timestamp={0x44, 0x10, 0x32, 0x3, 0x9, [{[], 0x2}, {[@empty], 0x3}]}, @ra={0x94, 0x6, 0x8}, @noop]}}, @generic="5c1cf073cfe909c6afe4c61fec1be43e8cc318ea6993048dae4784f94d2582e3f4b6424ea90eedb47f76041f063310b3463f16f891a46a040c93d68d53cdaa151f0e1cf94a76c2243bdd34dc2ba29c022daef02c4f01e83deb324746de26abc9b6a218bb44a18bc9a2106b4b068a65057da3bb9721c6e650384ea1f32aecfb304e3de65bedf8a68b6d672444db3745d673bda9d797752df9948795b8b4d3ad2119abedfb4b99d6aee1ed72561d35c6f7c35d2abb15dc221354e03abfec53102a5db508dc9105d5499730ce3c11fe85ce52c1866732c98b131631490d501b160817ff9dd85cede22b37f00a"}}}}) syz_execute_func(&(0x7f0000000140)="660f38257687c4c319026e65708fe840853906673e65660f3a0dff0066660f2913360f0fae2ab90000bbd392d55f00000f38cd4ca103670fb993f7b5c4c129f16c3800") syz_extract_tcp_res(&(0x7f00000001c0), 0x4, 0x83dd) csource_test.go:124: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void 
use_temporary_dir(void) { char tmpdir_template[] = "./syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) exit(1); if (chmod(tmpdir, 0777)) exit(1); if (chdir(tmpdir)) exit(1); } static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); pthread_attr_setstacksize(&attr, 128 << 10); int i = 0; for (; i < 100; i++) { if (pthread_create(&th, &attr, fn, arg) == 0) { pthread_attr_destroy(&attr); return; } if (errno == EAGAIN) { usleep(50); continue; } break; } exit(1); } typedef struct { pthread_mutex_t mu; pthread_cond_t cv; int state; } event_t; static void event_init(event_t* ev) { if (pthread_mutex_init(&ev->mu, 0)) exit(1); if (pthread_cond_init(&ev->cv, 0)) exit(1); ev->state = 0; } static void event_reset(event_t* ev) { ev->state = 0; } static void event_set(event_t* ev) { pthread_mutex_lock(&ev->mu); if (ev->state) exit(1); ev->state = 1; pthread_mutex_unlock(&ev->mu); pthread_cond_broadcast(&ev->cv); } static void event_wait(event_t* ev) { pthread_mutex_lock(&ev->mu); while (!ev->state) pthread_cond_wait(&ev->cv, &ev->mu); pthread_mutex_unlock(&ev->mu); } static int event_isset(event_t* ev) { pthread_mutex_lock(&ev->mu); int res = ev->state; pthread_mutex_unlock(&ev->mu); return res; } static int event_timedwait(event_t* ev, uint64_t timeout) { uint64_t start = current_time_ms(); uint64_t now = start; pthread_mutex_lock(&ev->mu); for (;;) { if (ev->state) break; uint64_t remain = timeout - (now - start); struct timespec ts; ts.tv_sec = remain / 1000; ts.tv_nsec = (remain % 1000) * 1000 * 1000; pthread_cond_timedwait(&ev->cv, &ev->mu, &ts); now = current_time_ms(); if (now - start > timeout) break; } int res = ev->state; pthread_mutex_unlock(&ev->mu); return res; } #define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off)) #define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | 
(((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len)))) struct csum_inet { uint32_t acc; }; static void csum_inet_init(struct csum_inet* csum) { csum->acc = 0; } static void csum_inet_update(struct csum_inet* csum, const uint8_t* data, size_t length) { if (length == 0) return; size_t i = 0; for (; i < length - 1; i += 2) csum->acc += *(uint16_t*)&data[i]; if (length & 1) csum->acc += le16toh((uint16_t)data[length - 1]); while (csum->acc > 0xffff) csum->acc = (csum->acc & 0xffff) + (csum->acc >> 16); } static uint16_t csum_inet_digest(struct csum_inet* csum) { return ~csum->acc; } static void sandbox_common() { if (setsid() == -1) exit(1); struct rlimit rlim; rlim.rlim_cur = rlim.rlim_max = 128 << 20; setrlimit(RLIMIT_AS, &rlim); rlim.rlim_cur = rlim.rlim_max = 8 << 20; setrlimit(RLIMIT_MEMLOCK, &rlim); rlim.rlim_cur = rlim.rlim_max = 1 << 20; setrlimit(RLIMIT_FSIZE, &rlim); rlim.rlim_cur = rlim.rlim_max = 1 << 20; setrlimit(RLIMIT_STACK, &rlim); rlim.rlim_cur = rlim.rlim_max = 0; setrlimit(RLIMIT_CORE, &rlim); rlim.rlim_cur = rlim.rlim_max = 256; setrlimit(RLIMIT_NOFILE, &rlim); } static void loop(); static int do_sandbox_none(void) { sandbox_common(); loop(); return 0; } static long syz_execute_func(volatile long text) { ((void (*)(void))(text))(); return 0; } struct thread_t { int created, call; event_t ready, done; }; static struct thread_t threads[16]; static void execute_call(int call); static int running; static void* thr(void* arg) { struct thread_t* th = (struct thread_t*)arg; for (;;) { event_wait(&th->ready); event_reset(&th->ready); execute_call(th->call); __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED); event_set(&th->done); } return 0; } static void loop(void) { int i, call, thread; for (call = 0; call < 13; call++) { for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) { struct thread_t* th = &threads[thread]; if (!th->created) { th->created = 1; event_init(&th->ready); event_init(&th->done); event_set(&th->done); 
thread_start(thr, th); } if (!event_isset(&th->done)) continue; event_reset(&th->done); th->call = call; __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED); event_set(&th->ready); event_timedwait(&th->done, 45); break; } } for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++) sleep_ms(1); } uint64_t r[1] = {0xffffffffffffffff}; void execute_call(int call) { intptr_t res = 0; switch (call) { case 0: memcpy((void*)0x10000000, "./file0\000", 8); syscall(SYS_mkdirat, -1, 0x10000000, 4); break; case 1: syscall(SYS_shmctl, 0, 0, 0); break; case 2: memcpy((void*)0x10000040, "\x5d\x74\xbd\xa1\xc6\xfa\xf7\xed\x1d\xa3\x48\xf3\xfe\x51\xda\x8b\x4b\x57\xdf\x85\xe1\x00\x99\x80\x54\x73\xe4\x43\x07\x17\xdf\x69\x42\xb6\x22\x2f\x5c\x55\x01\xc5\x9e\x39\x68\x80\x18\x42\x24\xc2\x38\x46\x24\xd0\x2b\xf0\xc1\x9e\x0f\x3d\xa4\x6c\x8b\x4e\xdb\x29\xb9\x53\x61\xa8\x0b\x94\xd0\x15\xb9\x91\xbe\xd4\x79\x83\xeb\x5f\x93\x5f\xca\xca\xd2\x04\x5b\xcb\xca\x6b\x7c\x17\xf2\xad\xea\xe5\xbd\xa3\xd6\x35\xa4\xc3\xf3\x7e\x11\xd4\xf3\xd9\xe6\x5e\x4c\xb3\x25\x4d\x55\x0a\xe7\xa2\x74\x64\xd2\x81\xdd\xb7\x97\xfe\xd8\x96\x2e\x1d\xd5\x51\xb6\xd1\x2b\x40\xf9\x2d\x97\xf3\xcc\x57\x90\x5a\x72\x80\xf2\x73\xe7\x34\xaf\x43\x78\xe0\x7a\xb0\xac\x1c\xe7\x02\xdb\x10\x83\xfb\x2b\x30\xd6\xc6\x1d\x52\xe8\xb8\x39\xcc\x8a\x31\xcc\x2b\x95\xe0\xbf\x3e\x85\x5b\xb7\xf0\x49\xc5\xf8\x03\x95\xb2\xcd\xde\x79\x0f\xf0\x9c\x24\xc6\x87", 201); syscall(SYS_ioctl, -1, 0xcbe04406, 0x10000040); break; case 3: memcpy((void*)0x10000140, "./file0\000", 8); res = syscall(SYS_freebsd12_shm_open, 0x10000140, 0x800, 0x84); if (res != -1) r[0] = res; break; case 4: syscall(SYS_fchdir, (intptr_t)r[0]); break; case 5: memcpy((void*)0x10000180, 
"\x3b\xa9\x60\xcd\x20\x02\xee\x91\x2a\xb8\x9d\x70\xb3\x19\x8f\x9b\xdf\x06\x32\xc4\x1d\xc9\xb2\x6f\xc8\x68\x41\x5f\x72\xc4\x19\xe3\xa5\x45\xde\x1d\xf7\x56\xb0\x7a\x98\x21\x33\xe5\x94\x4e\x0d\x3b\x49\x0c\x4d\x5c\xf8\xe6\x09\xd1\x2f\x0e\x20\x6a\x7c\x12\xa6\xa6\x5f\xb0\x27\x32\x45\x01\x80\x35\x32\x66\xc2\x15\x98\x58\xb7\xd9\x8f\xa6\xdb\x7d\x05\x83\x4f\x23", 88); syscall(SYS_ioctl, -1, 0xcbe04406, 0x10000180); break; case 6: memcpy((void*)0x10000200, "./file0\000", 8); memcpy((void*)0x10000240, "./file0\000", 8); syscall(SYS_rename, 0x10000200, 0x10000240); break; case 7: *(uint32_t*)0x10000280 = 0; *(uint32_t*)0x10000284 = 0x7e; memcpy((void*)0x10000288, "\x0f\x7d\x7a\x58\x04\x40\x3e\xec\x81\x64\xe9\x19\xdf\xd4\xe3\x51\xb4\x9a\x4a\xf8\x25\x55\x9c\xf7\x24\xbc\x44\xba\x4d\xc1\x36\x66\xea\x2a\x7b\x38\x51\x34\xf4\x15\x72\x71\xa4\x09\x9b\xa9\x6c\x43\xc8\x41\x4a\xb9\x31\x2e\x82\xbe\xfd\x94\x5c\x8d\x50\x48\x80\xc7\x8b\x63\x90\xdb\x12\x69\x09\x26\x47\xd1\x37\xc2\x32\xd9\x3a\xa2\x16\x03\x7f\x48\x5c\x12\xa2\x1b\x33\x2d\xb7\xe2\xae\x3f\xd4\xe5\x55\xd7\xa3\x55\xbb\x60\x64\x63\x16\x00\x33\xfc\xc5\x03\xff\x22\xee\x4f\x22\x1b\x78\x50\x3c\x59\xc0\xbb\x37\x20\xa6\xf2", 126); *(uint32_t*)0x10000340 = 0x86; syscall(SYS_getsockopt, -1, 0x84, 0x103, 0x10000280, 0x10000340); break; case 8: syscall(SYS_mprotect, 0x10fff000, 0x1000, 0xa4d12c96); break; case 9: *(uint32_t*)0x100003c0 = 4; syscall(SYS_getsockopt, -1, 0x88, 2, 0x10000380, 0x100003c0); break; case 10: *(uint8_t*)0x10000000 = 0; *(uint8_t*)0x10000001 = 0; *(uint8_t*)0x10000002 = 0; *(uint8_t*)0x10000003 = 0; *(uint8_t*)0x10000004 = 0; *(uint8_t*)0x10000005 = 0; *(uint8_t*)0x10000006 = 0; *(uint8_t*)0x10000007 = 0; *(uint8_t*)0x10000008 = 0; *(uint8_t*)0x10000009 = 0; *(uint8_t*)0x1000000a = 0; *(uint8_t*)0x1000000b = 0; *(uint16_t*)0x1000000c = htobe16(0x8100); STORE_BY_BITMASK(uint16_t, , 0x1000000e, 7, 0, 3); STORE_BY_BITMASK(uint16_t, , 0x1000000e, 0, 3, 1); STORE_BY_BITMASK(uint16_t, , 0x1000000e, 4, 4, 12); 
*(uint16_t*)0x10000010 = htobe16(0x800); STORE_BY_BITMASK(uint8_t, , 0x10000012, 0xc, 0, 4); STORE_BY_BITMASK(uint8_t, , 0x10000012, 4, 4, 4); STORE_BY_BITMASK(uint8_t, , 0x10000013, 1, 0, 2); STORE_BY_BITMASK(uint8_t, , 0x10000013, 5, 2, 6); *(uint16_t*)0x10000014 = htobe16(0x11b); *(uint16_t*)0x10000016 = htobe16(0x65); *(uint16_t*)0x10000018 = htobe16(1); *(uint8_t*)0x1000001a = 0; *(uint8_t*)0x1000001b = 0x5a; *(uint16_t*)0x1000001c = htobe16(0); *(uint32_t*)0x1000001e = htobe32(0xe0000001); *(uint32_t*)0x10000022 = htobe32(0); *(uint8_t*)0x10000026 = 0; *(uint8_t*)0x10000027 = 0; *(uint8_t*)0x10000028 = 0x44; *(uint8_t*)0x10000029 = 0x10; *(uint8_t*)0x1000002a = 0x32; STORE_BY_BITMASK(uint8_t, , 0x1000002b, 3, 0, 4); STORE_BY_BITMASK(uint8_t, , 0x1000002b, 9, 4, 4); *(uint32_t*)0x1000002c = htobe32(2); *(uint32_t*)0x10000030 = htobe32(0); *(uint32_t*)0x10000034 = htobe32(3); *(uint8_t*)0x10000038 = 0x94; *(uint8_t*)0x10000039 = 6; *(uint32_t*)0x1000003a = htobe32(8); *(uint8_t*)0x1000003e = 1; memcpy((void*)0x10000042, "\x5c\x1c\xf0\x73\xcf\xe9\x09\xc6\xaf\xe4\xc6\x1f\xec\x1b\xe4\x3e\x8c\xc3\x18\xea\x69\x93\x04\x8d\xae\x47\x84\xf9\x4d\x25\x82\xe3\xf4\xb6\x42\x4e\xa9\x0e\xed\xb4\x7f\x76\x04\x1f\x06\x33\x10\xb3\x46\x3f\x16\xf8\x91\xa4\x6a\x04\x0c\x93\xd6\x8d\x53\xcd\xaa\x15\x1f\x0e\x1c\xf9\x4a\x76\xc2\x24\x3b\xdd\x34\xdc\x2b\xa2\x9c\x02\x2d\xae\xf0\x2c\x4f\x01\xe8\x3d\xeb\x32\x47\x46\xde\x26\xab\xc9\xb6\xa2\x18\xbb\x44\xa1\x8b\xc9\xa2\x10\x6b\x4b\x06\x8a\x65\x05\x7d\xa3\xbb\x97\x21\xc6\xe6\x50\x38\x4e\xa1\xf3\x2a\xec\xfb\x30\x4e\x3d\xe6\x5b\xed\xf8\xa6\x8b\x6d\x67\x24\x44\xdb\x37\x45\xd6\x73\xbd\xa9\xd7\x97\x75\x2d\xf9\x94\x87\x95\xb8\xb4\xd3\xad\x21\x19\xab\xed\xfb\x4b\x99\xd6\xae\xe1\xed\x72\x56\x1d\x35\xc6\xf7\xc3\x5d\x2a\xbb\x15\xdc\x22\x13\x54\xe0\x3a\xbf\xec\x53\x10\x2a\x5d\xb5\x08\xdc\x91\x05\xd5\x49\x97\x30\xce\x3c\x11\xfe\x85\xce\x52\xc1\x86\x67\x32\xc9\x8b\x13\x16\x31\x49\x0d\x50\x1b\x16\x08\x17\xff\x9d\xd8\x5c\xed\xe2\x2b\x37\xf0\x0a", 235); struct 
csum_inet csum_1; csum_inet_init(&csum_1); csum_inet_update(&csum_1, (const uint8_t*)0x10000012, 48); *(uint16_t*)0x1000001c = csum_inet_digest(&csum_1); break; case 11: memcpy((void*)0x10000140, "\x66\x0f\x38\x25\x76\x87\xc4\xc3\x19\x02\x6e\x65\x70\x8f\xe8\x40\x85\x39\x06\x67\x3e\x65\x66\x0f\x3a\x0d\xff\x00\x66\x66\x0f\x29\x13\x36\x0f\x0f\xae\x2a\xb9\x00\x00\xbb\xd3\x92\xd5\x5f\x00\x00\x0f\x38\xcd\x4c\xa1\x03\x67\x0f\xb9\x93\xf7\xb5\xc4\xc1\x29\xf1\x6c\x38\x00", 67); syz_execute_func(0x10000140); break; case 12: break; } } int main(void) { syscall(SYS_mmap, 0x10000000, 0x1000000, 7, 0x1012, -1, 0); use_temporary_dir(); do_sandbox_none(); return 0; } :267:17: error: use of undeclared identifier 'SYS_freebsd12_shm_open' res = syscall(SYS_freebsd12_shm_open, 0x10000140, 0x800, 0x84); ^ 1 error generated. compiler invocation: clang [-o /tmp/syz-executor927199492 -DGOOS_freebsd=1 -DGOARCH_386=1 -DHOSTGOOS_freebsd=1 -x c - -m32 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -static -lc++ -Wno-overflow] --- FAIL: TestGenerate/freebsd/386/5 (1.80s) csource_test.go:121: --- FAIL: TestGenerate/freebsd/386/11 (1.84s) csource_test.go:121: --- FAIL: TestGenerate/freebsd/386/9 (1.10s) csource_test.go:121: --- FAIL: TestGenerate/freebsd/386/14 (2.57s) csource_test.go:121: --- FAIL: TestGenerate/freebsd/386/1 (1.25s) csource_test.go:121: FAIL FAIL github.com/google/syzkaller/pkg/csource 15.688s ok github.com/google/syzkaller/pkg/db (cached) ok github.com/google/syzkaller/pkg/email (cached) ? github.com/google/syzkaller/pkg/gce [no test files] ? github.com/google/syzkaller/pkg/gcs [no test files] ? github.com/google/syzkaller/pkg/hash [no test files] ok github.com/google/syzkaller/pkg/host 1.688s ? github.com/google/syzkaller/pkg/html [no test files] ok github.com/google/syzkaller/pkg/ifuzz (cached) ? github.com/google/syzkaller/pkg/ifuzz/gen [no test files] ? 
github.com/google/syzkaller/pkg/ifuzz/generated [no test files] ok github.com/google/syzkaller/pkg/instance 4.676s ok github.com/google/syzkaller/pkg/ipc 6.152s ? github.com/google/syzkaller/pkg/ipc/ipcconfig [no test files] ? github.com/google/syzkaller/pkg/kcidb [no test files] ok github.com/google/syzkaller/pkg/kconfig (cached) ok github.com/google/syzkaller/pkg/kd (cached) ok github.com/google/syzkaller/pkg/log (cached) ok github.com/google/syzkaller/pkg/mgrconfig (cached) ok github.com/google/syzkaller/pkg/osutil (cached) ok github.com/google/syzkaller/pkg/report (cached) ok github.com/google/syzkaller/pkg/repro 1.684s ? github.com/google/syzkaller/pkg/rpctype [no test files] ok github.com/google/syzkaller/pkg/runtest 66.983s ok github.com/google/syzkaller/pkg/serializer (cached) ? github.com/google/syzkaller/pkg/signal [no test files] ok github.com/google/syzkaller/pkg/symbolizer 0.243s ok github.com/google/syzkaller/pkg/vcs 7.616s ok github.com/google/syzkaller/prog (cached) ok github.com/google/syzkaller/prog/test (cached) ? github.com/google/syzkaller/sys [no test files] ? github.com/google/syzkaller/sys/akaros [no test files] ? github.com/google/syzkaller/sys/akaros/gen [no test files] ? github.com/google/syzkaller/sys/freebsd [no test files] ? github.com/google/syzkaller/sys/freebsd/gen [no test files] ? github.com/google/syzkaller/sys/fuchsia [no test files] ? github.com/google/syzkaller/sys/fuchsia/fidlgen [no test files] ? github.com/google/syzkaller/sys/fuchsia/gen [no test files] ? github.com/google/syzkaller/sys/fuchsia/layout [no test files] ok github.com/google/syzkaller/sys/linux (cached) ? github.com/google/syzkaller/sys/linux/gen [no test files] ? github.com/google/syzkaller/sys/netbsd [no test files] ? github.com/google/syzkaller/sys/netbsd/gen [no test files] ok github.com/google/syzkaller/sys/openbsd (cached) ? github.com/google/syzkaller/sys/openbsd/gen [no test files] ? github.com/google/syzkaller/sys/syz-extract [no test files] ? 
github.com/google/syzkaller/sys/syz-sysgen [no test files] ? github.com/google/syzkaller/sys/targets [no test files] ? github.com/google/syzkaller/sys/test [no test files] ? github.com/google/syzkaller/sys/test/gen [no test files] ? github.com/google/syzkaller/sys/trusty [no test files] ? github.com/google/syzkaller/sys/trusty/gen [no test files] ? github.com/google/syzkaller/sys/windows [no test files] ? github.com/google/syzkaller/sys/windows/gen [no test files] ok github.com/google/syzkaller/syz-ci 1.438s ok github.com/google/syzkaller/syz-fuzzer (cached) ok github.com/google/syzkaller/syz-hub (cached) ok github.com/google/syzkaller/syz-hub/state (cached) ? github.com/google/syzkaller/syz-manager [no test files] ? github.com/google/syzkaller/tools/syz-benchcmp [no test files] ? github.com/google/syzkaller/tools/syz-bisect [no test files] ? github.com/google/syzkaller/tools/syz-check [no test files] ? github.com/google/syzkaller/tools/syz-cover [no test files] ? github.com/google/syzkaller/tools/syz-crush [no test files] ? github.com/google/syzkaller/tools/syz-db [no test files] ? github.com/google/syzkaller/tools/syz-execprog [no test files] ? github.com/google/syzkaller/tools/syz-expand [no test files] ? github.com/google/syzkaller/tools/syz-fmt [no test files] ? github.com/google/syzkaller/tools/syz-hubtool [no test files] ? github.com/google/syzkaller/tools/syz-kcidb [no test files] ? github.com/google/syzkaller/tools/syz-kconf [no test files] ok github.com/google/syzkaller/tools/syz-linter 3.754s ? github.com/google/syzkaller/tools/syz-make [no test files] ? github.com/google/syzkaller/tools/syz-minconfig [no test files] ? github.com/google/syzkaller/tools/syz-mutate [no test files] ? github.com/google/syzkaller/tools/syz-prog2c [no test files] ? github.com/google/syzkaller/tools/syz-reporter [no test files] ? github.com/google/syzkaller/tools/syz-repro [no test files] ? github.com/google/syzkaller/tools/syz-reprolist [no test files] ? 
github.com/google/syzkaller/tools/syz-runtest [no test files] ? github.com/google/syzkaller/tools/syz-showprio [no test files] ? github.com/google/syzkaller/tools/syz-stress [no test files] ? github.com/google/syzkaller/tools/syz-symbolize [no test files] ? github.com/google/syzkaller/tools/syz-testbuild [no test files] ? github.com/google/syzkaller/tools/syz-trace2syz [no test files] ok github.com/google/syzkaller/tools/syz-trace2syz/parser (cached) ok github.com/google/syzkaller/tools/syz-trace2syz/proggen (cached) ? github.com/google/syzkaller/tools/syz-tty [no test files] ? github.com/google/syzkaller/tools/syz-upgrade [no test files] ? github.com/google/syzkaller/tools/syz-usbgen [no test files] ok github.com/google/syzkaller/vm 11.229s ? github.com/google/syzkaller/vm/adb [no test files] ? github.com/google/syzkaller/vm/bhyve [no test files] ? github.com/google/syzkaller/vm/gce [no test files] ? github.com/google/syzkaller/vm/gvisor [no test files] ok github.com/google/syzkaller/vm/isolated (cached) ? github.com/google/syzkaller/vm/kvm [no test files] ? github.com/google/syzkaller/vm/odroid [no test files] ? github.com/google/syzkaller/vm/qemu [no test files] ok github.com/google/syzkaller/vm/vmimpl (cached) ? github.com/google/syzkaller/vm/vmm [no test files] ? github.com/google/syzkaller/vm/vmware [no test files] FAIL