? github.com/google/syzkaller/dashboard/dashapi [no test files] ok github.com/google/syzkaller/dashboard/app 0.078s ? github.com/google/syzkaller/pkg/debugtracer [no test files] ? github.com/google/syzkaller/pkg/gce [no test files] ? github.com/google/syzkaller/pkg/gcs [no test files] ? github.com/google/syzkaller/pkg/hash [no test files] ? github.com/google/syzkaller/pkg/html/pages [no test files] ? github.com/google/syzkaller/pkg/ifuzz/iset [no test files] ? github.com/google/syzkaller/pkg/ifuzz/powerpc [no test files] ? github.com/google/syzkaller/pkg/ifuzz/powerpc/generated [no test files] ? github.com/google/syzkaller/pkg/ifuzz/x86 [no test files] ? github.com/google/syzkaller/pkg/ifuzz/x86/gen [no test files] ? github.com/google/syzkaller/pkg/ifuzz/x86/generated [no test files] ? github.com/google/syzkaller/pkg/ipc/ipcconfig [no test files] ? github.com/google/syzkaller/pkg/kcidb [no test files] ? github.com/google/syzkaller/pkg/rpctype [no test files] ? github.com/google/syzkaller/pkg/signal [no test files] ? github.com/google/syzkaller/pkg/testutil [no test files] ? github.com/google/syzkaller/pkg/tools [no test files] ? github.com/google/syzkaller/sys [no test files] ? github.com/google/syzkaller/sys/akaros [no test files] ? github.com/google/syzkaller/sys/akaros/gen [no test files] ? github.com/google/syzkaller/sys/darwin [no test files] ? github.com/google/syzkaller/sys/darwin/gen [no test files] ? github.com/google/syzkaller/sys/freebsd [no test files] ? github.com/google/syzkaller/sys/freebsd/gen [no test files] ? github.com/google/syzkaller/sys/fuchsia [no test files] ? github.com/google/syzkaller/sys/fuchsia/fidlgen [no test files] ? github.com/google/syzkaller/sys/fuchsia/gen [no test files] ? github.com/google/syzkaller/sys/fuchsia/layout [no test files] ? github.com/google/syzkaller/sys/linux/gen [no test files] ? github.com/google/syzkaller/sys/netbsd/gen [no test files] ? github.com/google/syzkaller/sys/openbsd/gen [no test files] ? github.com/google/syzkaller/sys/syz-extract [no test files] ? github.com/google/syzkaller/sys/syz-sysgen [no test files] ? github.com/google/syzkaller/sys/targets [no test files] ? github.com/google/syzkaller/sys/test [no test files] ? github.com/google/syzkaller/sys/test/gen [no test files] ? github.com/google/syzkaller/sys/trusty [no test files] ? github.com/google/syzkaller/sys/trusty/gen [no test files] ? github.com/google/syzkaller/sys/windows [no test files] ? github.com/google/syzkaller/sys/windows/gen [no test files] ? github.com/google/syzkaller/syz-runner [no test files] ? github.com/google/syzkaller/tools/syz-benchcmp [no test files] ? github.com/google/syzkaller/tools/syz-bisect [no test files] ? github.com/google/syzkaller/tools/syz-build [no test files] ? github.com/google/syzkaller/tools/syz-check [no test files] ? github.com/google/syzkaller/tools/syz-cover [no test files] ? github.com/google/syzkaller/tools/syz-crush [no test files] ? github.com/google/syzkaller/tools/syz-db [no test files] ? github.com/google/syzkaller/tools/syz-execprog [no test files] ? github.com/google/syzkaller/tools/syz-expand [no test files] ? github.com/google/syzkaller/tools/syz-fillreports [no test files] ? github.com/google/syzkaller/tools/syz-fmt [no test files] ? github.com/google/syzkaller/tools/syz-hubtool [no test files] ? github.com/google/syzkaller/tools/syz-imagegen [no test files] ? github.com/google/syzkaller/tools/syz-kcidb [no test files] ? github.com/google/syzkaller/tools/syz-lore [no test files] ? github.com/google/syzkaller/tools/syz-make [no test files] ? github.com/google/syzkaller/tools/syz-minconfig [no test files] ? github.com/google/syzkaller/tools/syz-mutate [no test files] ? github.com/google/syzkaller/tools/syz-prog2c [no test files] ? github.com/google/syzkaller/tools/syz-query-subsystems [no test files] ? github.com/google/syzkaller/tools/syz-reporter [no test files] ? github.com/google/syzkaller/tools/syz-repro [no test files] ? github.com/google/syzkaller/tools/syz-reprolist [no test files] ? github.com/google/syzkaller/tools/syz-runtest [no test files] ? github.com/google/syzkaller/tools/syz-showprio [no test files] ? github.com/google/syzkaller/tools/syz-stress [no test files] ? github.com/google/syzkaller/tools/syz-symbolize [no test files] ? github.com/google/syzkaller/tools/syz-testbed [no test files] ? github.com/google/syzkaller/tools/syz-testbuild [no test files] ? github.com/google/syzkaller/tools/syz-trace2syz [no test files] ? github.com/google/syzkaller/tools/syz-tty [no test files] ? github.com/google/syzkaller/tools/syz-upgrade [no test files] ? github.com/google/syzkaller/tools/syz-usbgen [no test files] ok github.com/google/syzkaller/executor 6.936s ok github.com/google/syzkaller/pkg/asset 0.063s ok github.com/google/syzkaller/pkg/ast 0.531s ok github.com/google/syzkaller/pkg/auth (cached) ? github.com/google/syzkaller/vm/adb [no test files] ? github.com/google/syzkaller/vm/bhyve [no test files] ? github.com/google/syzkaller/vm/cuttlefish [no test files] ? github.com/google/syzkaller/vm/gce [no test files] ? github.com/google/syzkaller/vm/gvisor [no test files] ? github.com/google/syzkaller/vm/kvm [no test files] ? github.com/google/syzkaller/vm/odroid [no test files] ok github.com/google/syzkaller/pkg/bisect 8.178s ok github.com/google/syzkaller/pkg/build 5.714s ok github.com/google/syzkaller/pkg/compiler 3.634s ok github.com/google/syzkaller/pkg/config (cached) --- FAIL: TestReportGenerator (3.40s) --- FAIL: TestReportGenerator/netbsd-amd64 (0.00s) --- FAIL: TestReportGenerator/netbsd-amd64/no-coverage (0.02s) report_test.go:205: failed to start /syzkaller/shared/netbsd/tools/bin/x86_64--netbsd-g++ [/syzkaller/shared/netbsd/tools/bin/x86_64--netbsd-g++ -c -fpie -w -x c -o /tmp/TestReportGeneratornetbsd-amd64no-coverage4261006176/001/kcov.o /tmp/TestReportGeneratornetbsd-amd64no-coverage4261006176/001/kcov.c -DASLR_BASE -m64 --sysroot /syzkaller/shared/netbsd/dest/ -O2 -pthread -Wall -Werror -Wparentheses -Wframe-larger-than=16384]: fork/exec /syzkaller/shared/netbsd/tools/bin/x86_64--netbsd-g++: exec format error --- FAIL: TestReportGenerator/netbsd-amd64/bad-pcs (0.03s) report_test.go:205: failed to start /syzkaller/shared/netbsd/tools/bin/x86_64--netbsd-g++ [/syzkaller/shared/netbsd/tools/bin/x86_64--netbsd-g++ -c -fpie -w -x c -o /tmp/TestReportGeneratornetbsd-amd64bad-pcs2552259245/001/kcov.o /tmp/TestReportGeneratornetbsd-amd64bad-pcs2552259245/001/kcov.c -DASLR_BASE -m64 --sysroot /syzkaller/shared/netbsd/dest/ -O2 -pthread -Wall -Werror -Wparentheses -Wframe-larger-than=16384]: fork/exec /syzkaller/shared/netbsd/tools/bin/x86_64--netbsd-g++: exec format error --- FAIL: TestReportGenerator/netbsd-amd64/good (0.04s) report_test.go:205: failed to start /syzkaller/shared/netbsd/tools/bin/x86_64--netbsd-g++ [/syzkaller/shared/netbsd/tools/bin/x86_64--netbsd-g++ -c -fpie -w -x c -o /tmp/TestReportGeneratornetbsd-amd64good957978256/001/kcov.o /tmp/TestReportGeneratornetbsd-amd64good957978256/001/kcov.c -DASLR_BASE -m64 --sysroot /syzkaller/shared/netbsd/dest/ -O2 -pthread -Wall -Werror -Wparentheses -Wframe-larger-than=16384]: fork/exec /syzkaller/shared/netbsd/tools/bin/x86_64--netbsd-g++: exec format error --- FAIL: TestReportGenerator/netbsd-amd64/no-pcs (0.04s) report_test.go:205: failed to start /syzkaller/shared/netbsd/tools/bin/x86_64--netbsd-g++ [/syzkaller/shared/netbsd/tools/bin/x86_64--netbsd-g++ -c -fpie -w -x c -o /tmp/TestReportGeneratornetbsd-amd64no-pcs675090437/001/kcov.o /tmp/TestReportGeneratornetbsd-amd64no-pcs675090437/001/kcov.c -DASLR_BASE -m64 --sysroot /syzkaller/shared/netbsd/dest/ -O2 -pthread -Wall -Werror -Wparentheses -Wframe-larger-than=16384]: fork/exec /syzkaller/shared/netbsd/tools/bin/x86_64--netbsd-g++: exec format error --- FAIL: TestReportGenerator/netbsd-amd64/no-debug-info (0.07s) report_test.go:205: failed to start /syzkaller/shared/netbsd/tools/bin/x86_64--netbsd-g++ [/syzkaller/shared/netbsd/tools/bin/x86_64--netbsd-g++ -c -fpie -w -x c -o /tmp/TestReportGeneratornetbsd-amd64no-debug-info3015873859/001/kcov.o /tmp/TestReportGeneratornetbsd-amd64no-debug-info3015873859/001/kcov.c -DASLR_BASE -m64 --sysroot /syzkaller/shared/netbsd/dest/ -O2 -pthread -Wall -Werror -Wparentheses -Wframe-larger-than=16384]: fork/exec /syzkaller/shared/netbsd/tools/bin/x86_64--netbsd-g++: exec format error FAIL FAIL github.com/google/syzkaller/pkg/cover 3.970s ok github.com/google/syzkaller/pkg/cover/backend 0.401s --- FAIL: TestGenerate (2.93s) --- FAIL: TestGenerate/netbsd/amd64 (0.03s) testutil.go:33: seed=1684164629702283453 testutil.go:33: seed=1684164629727069370 --- FAIL: TestGenerate/netbsd/amd64/single_syz_execute_func (0.11s) csource_test.go:150: opts: {Threaded:false Repeat:false RepeatTimes:0 Procs:0 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false UseTmpDir:false HandleSegv:false Repro:false Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}} program: syz_execute_func(&(0x7f0000000000)="460f15a8f9ea0000f3ac263e3e3e0f188700100000daccc4a2f1ad7a99c461cd6316660fda1a6742f7ec4372050f0d41da") csource_test.go:151: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #ifndef SYS_mmap #define SYS_mmap 197 #endif static long syz_execute_func(volatile long text) { ((void (*)(void))(text))(); return 0; } int main(void) { syscall(SYS_mmap, 0x20000000ul, 0x1000000ul, 3ul, 0x1012ul, -1, 0ul, 0ul); memcpy((void*)0x20000000, "\x46\x0f\x15\xa8\xf9\xea\x00\x00\xf3\xac\x26\x3e\x3e\x3e\x0f\x18\x87\x00\x10\x00\x00\xda\xcc\xc4\xa2\xf1\xad\x7a\x99\xc4\x61\xcd\x63\x16\x66\x0f\xda\x1a\x67\x42\xf7\xec\x43\x72\x05\x0f\x0d\x41\xda", 49); syz_execute_func(0x20000000); return 0; } compiler invocation: /syzkaller/shared/netbsd/tools/bin/x86_64--netbsd-g++ [-o /tmp/syz-executor1330325846 -DGOOS_netbsd=1 -DGOARCH_amd64=1 -DHOSTGOOS_linux=1 -x c - -m64 --sysroot /syzkaller/shared/netbsd/dest/ -O2 -pthread -Wall -Werror -Wparentheses -Wframe-larger-than=16384] --- FAIL: TestGenerate/netbsd/amd64/single_syz_emit_ethernet (0.19s) csource_test.go:150: opts: {Threaded:false Repeat:false RepeatTimes:0 Procs:0 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false UseTmpDir:false HandleSegv:false Repro:false Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}} program: syz_emit_ethernet(0xb9, &(0x7f0000000000)="88c811c8d28f64837505707ae195b477eb4a443c6f2feaf8fe20e49c169b1c2b168cc83d8a4e61726fe51bfcce8c731100b6cd63e1a28aa85c544701a33f0620443827b32a7b61d3fb6c6563756fe173d20ce5af71284ebd222130eb222a59cfd0f429b0e76a98039c319081f804bda5a637d38eef6015d0f401ae8181a72679a86fcb83406611cb1b0bf93eae00362dcfea696c01f039c3e3e5cfb01179e4a58306259f653723ccbf80db743f611ce4aa6f148eb34ce0710d") csource_test.go:151: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #ifndef SYS_mmap #define SYS_mmap 197 #endif int main(void) { syscall(SYS_mmap, 0x20000000ul, 0x1000000ul, 3ul, 0x1012ul, -1, 0ul, 0ul); return 0; } compiler invocation: /syzkaller/shared/netbsd/tools/bin/x86_64--netbsd-g++ [-o /tmp/syz-executor2954368364 -DGOOS_netbsd=1 -DGOARCH_amd64=1 -DHOSTGOOS_linux=1 -x c - -m64 --sysroot /syzkaller/shared/netbsd/dest/ -O2 -pthread -Wall -Werror -Wparentheses -Wframe-larger-than=16384] --- FAIL: TestGenerate/netbsd/amd64/single_syz_usb_disconnect (0.22s) csource_test.go:150: opts: {Threaded:false Repeat:false RepeatTimes:0 Procs:0 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false UseTmpDir:false HandleSegv:false Repro:false Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}} program: syz_usb_disconnect(0xffffffffffffffff) csource_test.go:151: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #ifndef SYS_mmap #define SYS_mmap 197 #endif static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } struct usb_endpoint_descriptor { uint8_t bLength; uint8_t bDescriptorType; uint8_t bEndpointAddress; uint8_t bmAttributes; uint16_t wMaxPacketSize; uint8_t bInterval; uint8_t bRefresh; uint8_t bSynchAddress; } __attribute__((packed)); struct usb_device_descriptor { uint8_t bLength; uint8_t bDescriptorType; uint16_t bcdUSB; uint8_t bDeviceClass; uint8_t bDeviceSubClass; uint8_t bDeviceProtocol; uint8_t bMaxPacketSize0; uint16_t idVendor; uint16_t idProduct; uint16_t bcdDevice; uint8_t iManufacturer; uint8_t iProduct; uint8_t iSerialNumber; uint8_t bNumConfigurations; } __attribute__((packed)); struct usb_config_descriptor { uint8_t bLength; uint8_t bDescriptorType; uint16_t wTotalLength; uint8_t bNumInterfaces; uint8_t bConfigurationValue; uint8_t iConfiguration; uint8_t bmAttributes; uint8_t bMaxPower; } __attribute__((packed)); struct usb_interface_descriptor { uint8_t bLength; uint8_t bDescriptorType; uint8_t bInterfaceNumber; uint8_t bAlternateSetting; uint8_t bNumEndpoints; uint8_t bInterfaceClass; uint8_t bInterfaceSubClass; uint8_t bInterfaceProtocol; uint8_t iInterface; } __attribute__((packed)); struct usb_ctrlrequest { uint8_t bRequestType; uint8_t bRequest; uint16_t wValue; uint16_t wIndex; uint16_t wLength; } __attribute__((packed)); struct usb_qualifier_descriptor { uint8_t bLength; uint8_t bDescriptorType; uint16_t bcdUSB; uint8_t bDeviceClass; uint8_t bDeviceSubClass; uint8_t bDeviceProtocol; uint8_t bMaxPacketSize0; uint8_t bNumConfigurations; uint8_t bRESERVED; } __attribute__((packed)); #define USB_TYPE_MASK (0x03 << 5) #define USB_TYPE_STANDARD (0x00 << 5) #define USB_TYPE_CLASS (0x01 << 5) #define USB_TYPE_VENDOR (0x02 << 5) #define USB_TYPE_RESERVED (0x03 << 5) #define USB_DT_DEVICE 0x01 #define USB_DT_CONFIG 0x02 #define USB_DT_STRING 0x03 #define USB_DT_INTERFACE 0x04 #define USB_DT_ENDPOINT 0x05 #define USB_DT_DEVICE_QUALIFIER 0x06 #define USB_DT_OTHER_SPEED_CONFIG 0x07 #define USB_DT_INTERFACE_POWER 0x08 #define USB_DT_OTG 0x09 #define USB_DT_DEBUG 0x0a #define USB_DT_INTERFACE_ASSOCIATION 0x0b #define USB_DT_SECURITY 0x0c #define USB_DT_KEY 0x0d #define USB_DT_ENCRYPTION_TYPE 0x0e #define USB_DT_BOS 0x0f #define USB_DT_DEVICE_CAPABILITY 0x10 #define USB_DT_WIRELESS_ENDPOINT_COMP 0x11 #define USB_DT_WIRE_ADAPTER 0x21 #define USB_DT_RPIPE 0x22 #define USB_DT_CS_RADIO_CONTROL 0x23 #define USB_DT_PIPE_USAGE 0x24 #define USB_DT_SS_ENDPOINT_COMP 0x30 #define USB_DT_SSP_ISOC_ENDPOINT_COMP 0x31 #define USB_REQ_GET_STATUS 0x00 #define USB_REQ_CLEAR_FEATURE 0x01 #define USB_REQ_SET_FEATURE 0x03 #define USB_REQ_SET_ADDRESS 0x05 #define USB_REQ_GET_DESCRIPTOR 0x06 #define USB_REQ_SET_DESCRIPTOR 0x07 #define USB_REQ_GET_CONFIGURATION 0x08 #define USB_REQ_SET_CONFIGURATION 0x09 #define USB_REQ_GET_INTERFACE 0x0A #define USB_REQ_SET_INTERFACE 0x0B #define USB_REQ_SYNCH_FRAME 0x0C #define USB_REQ_SET_SEL 0x30 #define USB_REQ_SET_ISOCH_DELAY 0x31 #define USB_REQ_SET_ENCRYPTION 0x0D #define USB_REQ_GET_ENCRYPTION 0x0E #define USB_REQ_RPIPE_ABORT 0x0E #define USB_REQ_SET_HANDSHAKE 0x0F #define USB_REQ_RPIPE_RESET 0x0F #define USB_REQ_GET_HANDSHAKE 0x10 #define USB_REQ_SET_CONNECTION 0x11 #define USB_REQ_SET_SECURITY_DATA 0x12 #define USB_REQ_GET_SECURITY_DATA 0x13 #define USB_REQ_SET_WUSB_DATA 0x14 #define USB_REQ_LOOPBACK_DATA_WRITE 0x15 #define USB_REQ_LOOPBACK_DATA_READ 0x16 #define USB_REQ_SET_INTERFACE_DS 0x17 #define USB_REQ_GET_PARTNER_PDO 20 #define USB_REQ_GET_BATTERY_STATUS 21 #define USB_REQ_SET_PDO 22 #define USB_REQ_GET_VDM 23 #define USB_REQ_SEND_VDM 24 static volatile long syz_usb_disconnect(volatile long a0) { int fd = a0; int rv = close(fd); sleep_ms(200); return rv; } int main(void) { syscall(SYS_mmap, 0x20000000ul, 0x1000000ul, 3ul, 0x1012ul, -1, 0ul, 0ul); syz_usb_disconnect(-1); return 0; } compiler invocation: /syzkaller/shared/netbsd/tools/bin/x86_64--netbsd-g++ [-o /tmp/syz-executor3485856560 -DGOOS_netbsd=1 -DGOARCH_amd64=1 -DHOSTGOOS_linux=1 -x c - -m64 --sysroot /syzkaller/shared/netbsd/dest/ -O2 -pthread -Wall -Werror -Wparentheses -Wframe-larger-than=16384] --- FAIL: TestGenerate/netbsd/amd64/single_syz_extract_tcp_res (0.23s) csource_test.go:150: opts: {Threaded:false Repeat:false RepeatTimes:0 Procs:0 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false UseTmpDir:false HandleSegv:false Repro:false Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}} program: syz_extract_tcp_res(&(0x7f0000000000), 0xffff, 0x6) csource_test.go:151: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #ifndef SYS_mmap #define SYS_mmap 197 #endif int main(void) { syscall(SYS_mmap, 0x20000000ul, 0x1000000ul, 3ul, 0x1012ul, -1, 0ul, 0ul); return 0; } compiler invocation: /syzkaller/shared/netbsd/tools/bin/x86_64--netbsd-g++ [-o /tmp/syz-executor154751720 -DGOOS_netbsd=1 -DGOARCH_amd64=1 -DHOSTGOOS_linux=1 -x c - -m64 --sysroot /syzkaller/shared/netbsd/dest/ -O2 -pthread -Wall -Werror -Wparentheses -Wframe-larger-than=16384] --- FAIL: TestGenerate/netbsd/amd64/16 (0.24s) csource_test.go:150: opts: {Threaded:true Repeat:true RepeatTimes:0 Procs:2 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false UseTmpDir:true HandleSegv:false Repro:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}} program: __utimes50(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)={0x5, 0x6}) (fail_nth: 1) __getfh30(&(0x7f0000000080)='./file0\x00', &(0x7f00000000c0)=""/164, &(0x7f0000000180)=0x5) (async) r0 = open(&(0x7f00000001c0)='./file0\x00', 0x80, 0x100) (rerun: 4) preadv(r0, &(0x7f0000000400)=[{&(0x7f0000000200)}, {&(0x7f0000000240)=""/44, 0x2c}, {&(0x7f0000000280)=""/178, 0xb2}, {&(0x7f0000000340)=""/177, 0xb1}], 0x4, 0x6) r1 = open(&(0x7f0000000440)='./file0\x00', 0x1000000, 0x0) ioctl$WSDISPLAYIO_LINEBYTES(r1, 0x4004575f, &(0x7f0000000480)) compat_14_shmctl$IPC_STAT(0x0, 0x2, &(0x7f00000005c0)={{}, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f00000004c0)="3956ea187715b364f078d22529010e881c15c4ac905a9b741377a29b3f3fd079dcb31dd9078105605ab6c33582b04ecd1c5a5abda9a069cffc19b623cc7e6ca30ea644af2f9ff3f041485f48d1b5f6ed0235468e741f3634e6eda358c8f7352473f5ce3b37d5d91ed29d5a2a2e99c624ae17d13e54a403f2b179e43ac281c4246974151fbcb79220047b0174dd3236784c581a21e229a71f2283fd0bb1810cc554da71c721a7df2f74dc3b6baae1635c72ad1a07dfe655cdf7e52774ef46b5372d0fa1cad8a288a74d34964db96760e2cf8586f2ea7dad"}) fchmodat(r0, &(0x7f0000000600)='./file0\x00', 0x800, 0x500) __getfh30(&(0x7f0000000640)='./file0\x00', &(0x7f0000000680)=""/173, &(0x7f0000000740)=0x48000) recvfrom$unix(r0, &(0x7f0000000780)=""/127, 0x7f, 0x9080, 0x0, 0x0) syz_emit_ethernet(0xa8, &(0x7f0000000000)="7cdc7f3d7523bc457cc7061f4218d205a9121313b3382a24390756c28e681e8ae64f9faefb9773a6088d8507b9f588abff90ed553d01e60af1ce4d9db1ae174c74afd76b975ec8e14ed2ecf1ea152061fe82fe634d1d1d20bfd25ca07d9ce4531e9c745c512bd468865e81abeaffeae134bea52451f13a61092e1d81780479ec9ce32bde5b1f03166d656fa34cd18fc1fbd00b1632fbd99d303f0c69398bc4dae4c54a53cb9abee5") syz_execute_func(&(0x7f00000000c0)="c4217d2800673642d9f6c4a1d45e7bf2c44171d30ec462a104d5660f6e5600420f01eec4214d67560ed8b0df1cc1f1c4e17ee64c5b06") syz_extract_tcp_res(&(0x7f0000000100), 0x0, 0x8) syz_usb_connect(0x0, 0x5bc, &(0x7f0000000140)={{0x12, 0x1, 0x201, 0x0, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x5aa, 0x1, 0x0, 0x4d, 0x0, 0x5, [{{0x9, 0x4, 0x7f, 0x2, 0x10, 0x0, 0x0, 0x0, 0x1f, [@cdc_ncm={{0xa, 0x24, 0x6, 0x0, 0x1, "c31ca1665e"}, {0x5, 0x24, 0x0, 0x6}, {0xd, 0x24, 0xf, 0x1, 0xfffffe01, 0x7fff, 0xfe01, 0x1}, {0x6, 0x24, 0x1a, 0x101}, [@country_functional={0x6, 0x24, 0x7, 0xfd, 0x1000}, @acm={0x4, 0x24, 0x2, 0xf}, @call_mgmt={0x5, 0x24, 0x1, 0x3, 0xd0}, @dmm={0x7, 0x24, 0x14, 0x5, 0x9}]}, @generic={0xba, 0xb, "fe82f412bde13cfe9a7c58428cb9c3a085528b59210545973bdc2aa0c21153e71c9f065bbef110ef76911ae14a69050c92640446799fa1dc7aa0c243c215b0afa1309900f0be311c8259db4122e479aa5291ed38ba4b00ce42693f27395216818197276335cc1c977550da0a1f62519c184c228c94bcc63e4bda51b0deedcd99e26844ea31953103142c05bb4f68263771ca791acfb8e6f1b7e1c8c6b47a7290ee50a6d9d6c64f7e2018c62bd45d9d9326861a01e0593026"}], [{{0x9, 0x5, 0x9, 0x10, 0xbf7, 0x80, 0x3, 0x80, [@uac_iso={0x7, 0x25, 0x1, 0x1, 0x81, 0xb6}]}}, {{0x9, 0x5, 0x5, 0x3, 0x20, 0x5, 0x8, 0xf5, [@uac_iso={0x7, 0x25, 0x1, 0x3, 0x81, 0x5}]}}, {{0x9, 0x5, 0x3, 0x1, 0x40, 0x1f, 0x2, 0x0, [@uac_iso={0x7, 0x25, 0x1, 0x0, 0x3, 0x8001}, @uac_iso={0x7, 0x25, 0x1, 0x3, 0x74, 0x4}]}}, {{0x9, 0x5, 0x6, 0x4, 0x20, 0xc3, 0x4, 0x30, [@uac_iso={0x7, 0x25, 0x1, 0x80, 0x0, 0x1}, @generic={0x9e, 0x21, "1a0380c07acd2903333b9ee1a73421f88915a3939a28a2a21a53be2ea907f73f40513cd60a484a95155348fd7cd7928796335066c54fa273655eed763577efa806a489ed9ee1473ce85f420c0c527764aefdd88e116ca338e920cea4645fa6005fecea1ab9cfc4aa74fee4f55192f612d98fd96cb5404152c5d352118853a9f7026a95e6ddd19c24df1a2f9ab247ef37a063b2ed773755b9766a0a47"}]}}, {{0x9, 0x5, 0x0, 0xc, 0x400, 0x2, 0x7b, 0x27, [@uac_iso={0x7, 0x25, 0x1, 0x80, 0x8, 0x8}, @uac_iso={0x7, 0x25, 0x1, 0x81, 0x40, 0x1f}]}}, {{0x9, 0x5, 0x80, 0x8, 0x8, 0x0, 0x6}}, {{0x9, 0x5, 0xc, 0x0, 0x200, 0x7f, 0x8, 0x8, [@uac_iso={0x7, 0x25, 0x1, 0x42, 0x0, 0x3}]}}, {{0x9, 0x5, 0x6, 0x1, 0x10, 0x7f, 0x6, 0x20, [@generic={0x3e, 0x24, "3279e68b3107ce57e93f9b3d336fefa9de179b08505c0edd9edf7339466085554d34e4571b470f40aacb1c79140c88fce17873e9a606d0d0ae191306"}, @generic={0x19, 0x23, "a5c0a892c2b95a227dc6623c0b74310c155d862f239e16"}]}}, {{0x9, 0x5, 0x1, 0x0, 0x20, 0x2, 0x81, 0x40, [@generic={0xe6, 0x30, "5dc526386b6e274ce9c060656dd756e8d6bae3de5b6d899add115e5c8359a147fc3b4630114b017fe4e9d7c9f92e32d1988c0ccb1ed7621114fa2c225280ef03024e75e1fae3e646ffe71a417afedcdc061eba0b1dfa91ec7ae5aa5f96e15c4c72ff5fb57f5033f1fc1c99b8ee5502c3217a1123b5c0df2dd8574ea1a54fe11e8e3aa570a93cb20ceef3f3b3b5343b0af5cae6d05f2bf9044d71b2c3abf277629bcc887b3086a1d691243f2ca2b15d6388a748f30b9ba3bc4d473dc28c196c2ebd244e8af69d1a6d4def0eca62e1a807d4cfc5ac9ae27560149a869eaf4e46a7fdc70375"}]}}, {{0x9, 0x5, 0x0, 0x8, 0x400, 0x1f, 0xe5, 0x1, [@generic={0xd8, 0x2, "3be1779519825a94f8786d27a30f8bffd73797ba274dc1f21db7c91692bff3a9456978712d40e5e6936159b174f76212043d5f7dac45574235de4773cf1c00aaa9d04d86331fe261d5a57af86ed97ca305af1e3346ea1bbb851e813632d2e69ec04110cefc29ae7dbc2a5799f9cf8ce398b53c1f7257832c7fc4cd89f052561fb26835f90970e97fcf52aea2dda0d72fd1050a982b5afbd94f73cb505b7533f8ded2e5cfb6d87ce6ef2d369754cb9d76362181e6b7c08e868a8bb6837feb00a4192093ff8033aa6371eb0222ff0b4ce7337b40d23039"}, @generic={0xb0, 0x4, "5377b0a3d6fabe2be486710049d6514c7aadcd0d30db7f39c5e143b8216b9bbe9eb3ed55ce71026b96ff08eb3b057e8d6283e65686383eab4513ee1bf6348adf1bff30e34df44157705f0843ad96a2905b4d6ef0b81f89708ba1b3af113d5c16f6d53cf38682914f1816e141b0a51d38710450a2c5f0c5987ca7870d11e920bbc23d036a1df5892fc0d59f6379eebfccaff8fc1cc5696f4325e9c3ec3ca29b78b476ba61af6b5143f00f394ae2a5"}]}}, {{0x9, 0x5, 0x1, 0x10, 0x3ff, 0x9, 0x6, 0x9}}, {{0x9, 0x5, 0x6, 0x0, 0x3ff, 0x1f, 0x6, 0x7}}, {{0x9, 0x5, 0x80, 0xc, 0x400, 0x2, 0x8, 0x6}}, {{0x9, 0x5, 0x4, 0x2, 0x8, 0x3f, 0x0, 0x9, [@generic={0x7b, 0x7, "faafe139e2c26d2a37c4bd0f570be6f1afe1e7dd3129bb4e93e1d91fecda5292b1b868e1467f14d99bb5d8a9eaf4b585ce939b3be95537637d10a5c31b791161025fb03a9f97cbaf12c2d3fa969062fda625226a7844fc5dd3f779063035ace5c837de731f2d7420f534b5f8abba9a749a2544434a21de8c68"}]}}, {{0x9, 0x5, 0xe, 0x10, 0x8, 0x1, 0x1, 0x95}}, {{0x9, 0x5, 0x8, 0x8, 0x40, 0x4, 0x5}}]}}]}}]}}, &(0x7f0000000900)={0xa, &(0x7f0000000700)={0xa, 0x6, 0x50, 0x14, 0x28, 0x6, 0x28, 0x9}, 0x51, &(0x7f0000000740)={0x5, 0xf, 0x51, 0x6, [@ptm_cap={0x3}, @ptm_cap={0x3}, @wireless={0xb, 0x10, 0x1, 0x8, 0x10, 0xff, 0x6, 0x1000, 0x40}, @ss_container_id={0x14, 0x10, 0x4, 0x0, "c16ee167a2c7694cf8e1bb43a90ffc24"}, @ssp_cap={0x24, 0x10, 0xa, 0xff, 0x6, 0x400, 0xf88f, 0xfffa, [0x0, 0xc0c0, 0x60, 0xff3f00, 0xfff0, 0xff0000]}, @ptm_cap={0x3}]}, 0x2, [{0xd8, &(0x7f00000007c0)=@string={0xd8, 0x3, "e4e51994186235f6dd685b5af9c790d2c6ac3b9c71acc8be67689e27dbea32effdb2e68b21875172f656ee58ca782e43ca108c5ed0f6b3666249b103518f49bfe2cd201b7ba816c344f3e240d81e0ccee4c11fb860c61f7be1abaf0b22343009174c7cdf9ddec7031242854a0e957f6b85e0c4eef6643022a8d960c0720f8a6328f7ffd76f08ec6a4c5a8bcd4eca63cdaf03d245cae284cf01fa3a581def6e67efdfce679100dc6d9e7e3b8f8aeddfabaef5fe479123d0d0bb2f8ef7cecd3fc18b19a7243b718dd27fb2687ccb8acfdeb741cd7317c0"}}, {0x4, &(0x7f00000008c0)=@lang_id={0x4, 0x3, 0x414}}]}) syz_usb_disconnect(0xffffffffffffffff) csource_test.go:151: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #ifndef SYS___getfh30 #define SYS___getfh30 395 #endif #ifndef SYS___utimes50 #define SYS___utimes50 420 #endif #ifndef SYS_compat_14_shmctl #define SYS_compat_14_shmctl 229 #endif #ifndef SYS_fchmodat #define SYS_fchmodat 463 #endif #ifndef SYS_ioctl #define SYS_ioctl 54 #endif #ifndef SYS_mmap #define SYS_mmap 197 #endif #ifndef SYS_open #define SYS_open 5 #endif #ifndef SYS_preadv #define SYS_preadv 289 #endif #ifndef SYS_recvfrom #define SYS_recvfrom 29 #endif static unsigned long long procid; static void kill_and_wait(int pid, int* status) { kill(pid, SIGKILL); while (waitpid(-1, status, 0) != pid) { } } static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void use_temporary_dir(void) { char tmpdir_template[] = "./syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) exit(1); if (chmod(tmpdir, 0777)) exit(1); if (chdir(tmpdir)) exit(1); } static void __attribute__((noinline)) remove_dir(const char* dir) { DIR* dp = opendir(dir); if (dp == NULL) { if (errno == EACCES) { if (rmdir(dir)) exit(1); return; } exit(1); } struct dirent* ep = 0; while ((ep = readdir(dp))) { if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0) continue; char filename[FILENAME_MAX]; snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name); struct stat st; if (lstat(filename, &st)) exit(1); if (S_ISDIR(st.st_mode)) { remove_dir(filename); continue; } if (unlink(filename)) { exit(1); } } closedir(dp); while (rmdir(dir)) { exit(1); } } static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); pthread_attr_setstacksize(&attr, 128 << 10); int i = 0; for (; i < 100; i++) { if (pthread_create(&th, &attr, fn, arg) == 0) { pthread_attr_destroy(&attr); return; } if (errno == EAGAIN) { usleep(50); continue; } break; } exit(1); } typedef struct { pthread_mutex_t mu; pthread_cond_t cv; int state; } event_t; static void event_init(event_t* ev) { if (pthread_mutex_init(&ev->mu, 0)) exit(1); if (pthread_cond_init(&ev->cv, 0)) exit(1); ev->state = 0; } static void event_reset(event_t* ev) { ev->state = 0; } static void event_set(event_t* ev) { pthread_mutex_lock(&ev->mu); if (ev->state) exit(1); ev->state = 1; pthread_mutex_unlock(&ev->mu); pthread_cond_broadcast(&ev->cv); } static void event_wait(event_t* ev) { pthread_mutex_lock(&ev->mu); while (!ev->state) pthread_cond_wait(&ev->cv, &ev->mu); pthread_mutex_unlock(&ev->mu); } static int event_isset(event_t* ev) { pthread_mutex_lock(&ev->mu); int res = ev->state; pthread_mutex_unlock(&ev->mu); return res; } static int event_timedwait(event_t* ev, uint64_t timeout) { uint64_t start = current_time_ms(); uint64_t now = start; pthread_mutex_lock(&ev->mu); for (;;) { if (ev->state) break; uint64_t remain = timeout - (now - start); struct timespec ts; ts.tv_sec = remain / 1000; ts.tv_nsec = (remain % 1000) * 1000 * 1000; pthread_cond_timedwait(&ev->cv, &ev->mu, &ts); now = current_time_ms(); if (now - start > timeout) break; } int res = ev->state; pthread_mutex_unlock(&ev->mu); return res; } #define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off)) #define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len)))) struct usb_endpoint_descriptor { uint8_t bLength; uint8_t bDescriptorType; uint8_t bEndpointAddress; uint8_t bmAttributes; uint16_t wMaxPacketSize; uint8_t bInterval; uint8_t bRefresh; uint8_t bSynchAddress; } __attribute__((packed)); struct usb_device_descriptor { uint8_t bLength; uint8_t bDescriptorType; uint16_t bcdUSB; uint8_t bDeviceClass; uint8_t bDeviceSubClass; uint8_t bDeviceProtocol; uint8_t bMaxPacketSize0; uint16_t idVendor; uint16_t idProduct; uint16_t bcdDevice; uint8_t iManufacturer; uint8_t iProduct; uint8_t iSerialNumber; uint8_t bNumConfigurations; } __attribute__((packed)); struct usb_config_descriptor { uint8_t bLength; uint8_t bDescriptorType; uint16_t wTotalLength; uint8_t bNumInterfaces; uint8_t bConfigurationValue; uint8_t iConfiguration; uint8_t bmAttributes; uint8_t bMaxPower; } __attribute__((packed)); struct usb_interface_descriptor { uint8_t bLength; uint8_t bDescriptorType; uint8_t bInterfaceNumber; uint8_t bAlternateSetting; uint8_t bNumEndpoints; uint8_t bInterfaceClass; uint8_t bInterfaceSubClass; uint8_t bInterfaceProtocol; uint8_t iInterface; } __attribute__((packed)); struct usb_ctrlrequest { uint8_t bRequestType; uint8_t bRequest; uint16_t wValue; uint16_t wIndex; uint16_t wLength; } __attribute__((packed)); struct usb_qualifier_descriptor { uint8_t bLength; uint8_t bDescriptorType; uint16_t bcdUSB; uint8_t bDeviceClass; uint8_t bDeviceSubClass; uint8_t bDeviceProtocol; uint8_t bMaxPacketSize0; uint8_t bNumConfigurations; uint8_t bRESERVED; } __attribute__((packed)); #define USB_TYPE_MASK (0x03 << 5) #define USB_TYPE_STANDARD (0x00 << 5) #define USB_TYPE_CLASS (0x01 << 5) #define USB_TYPE_VENDOR (0x02 << 5) #define USB_TYPE_RESERVED (0x03 << 5) #define USB_DT_DEVICE 0x01 #define USB_DT_CONFIG 0x02 #define USB_DT_STRING 0x03 #define USB_DT_INTERFACE 0x04 #define USB_DT_ENDPOINT 0x05 #define USB_DT_DEVICE_QUALIFIER 0x06 #define USB_DT_OTHER_SPEED_CONFIG 0x07 #define USB_DT_INTERFACE_POWER 0x08 #define USB_DT_OTG 0x09 #define USB_DT_DEBUG 0x0a #define USB_DT_INTERFACE_ASSOCIATION 0x0b #define USB_DT_SECURITY 0x0c #define USB_DT_KEY 0x0d #define USB_DT_ENCRYPTION_TYPE 0x0e #define USB_DT_BOS 0x0f #define USB_DT_DEVICE_CAPABILITY 0x10 #define USB_DT_WIRELESS_ENDPOINT_COMP 0x11 #define USB_DT_WIRE_ADAPTER 0x21 #define USB_DT_RPIPE 0x22 #define USB_DT_CS_RADIO_CONTROL 0x23 #define USB_DT_PIPE_USAGE 0x24 #define USB_DT_SS_ENDPOINT_COMP 0x30 #define USB_DT_SSP_ISOC_ENDPOINT_COMP 0x31 #define USB_REQ_GET_STATUS 0x00 #define USB_REQ_CLEAR_FEATURE 0x01 #define USB_REQ_SET_FEATURE 0x03 #define USB_REQ_SET_ADDRESS 0x05 #define USB_REQ_GET_DESCRIPTOR 0x06 #define USB_REQ_SET_DESCRIPTOR 0x07 #define USB_REQ_GET_CONFIGURATION 0x08 #define USB_REQ_SET_CONFIGURATION 0x09 #define USB_REQ_GET_INTERFACE 0x0A #define USB_REQ_SET_INTERFACE 0x0B #define USB_REQ_SYNCH_FRAME 0x0C #define USB_REQ_SET_SEL 0x30 #define USB_REQ_SET_ISOCH_DELAY 0x31 #define USB_REQ_SET_ENCRYPTION 0x0D #define USB_REQ_GET_ENCRYPTION 0x0E #define USB_REQ_RPIPE_ABORT 0x0E #define USB_REQ_SET_HANDSHAKE 0x0F #define USB_REQ_RPIPE_RESET 0x0F #define USB_REQ_GET_HANDSHAKE 0x10 #define USB_REQ_SET_CONNECTION 0x11 #define USB_REQ_SET_SECURITY_DATA 0x12 #define USB_REQ_GET_SECURITY_DATA 0x13 #define USB_REQ_SET_WUSB_DATA 0x14 #define USB_REQ_LOOPBACK_DATA_WRITE 0x15 #define USB_REQ_LOOPBACK_DATA_READ 0x16 #define USB_REQ_SET_INTERFACE_DS 0x17 #define USB_REQ_GET_PARTNER_PDO 20 #define USB_REQ_GET_BATTERY_STATUS 21 #define USB_REQ_SET_PDO 22 #define USB_REQ_GET_VDM 23 #define USB_REQ_SEND_VDM 24 #define USB_MAX_IFACE_NUM 4 #define USB_MAX_EP_NUM 32 #define USB_MAX_FDS 6 struct usb_endpoint_index { struct usb_endpoint_descriptor desc; int handle; }; struct usb_iface_index { struct usb_interface_descriptor* iface; uint8_t bInterfaceNumber; uint8_t bAlternateSetting; uint8_t bInterfaceClass; struct usb_endpoint_index eps[USB_MAX_EP_NUM]; int eps_num; }; struct usb_device_index { struct usb_device_descriptor* dev; struct usb_config_descriptor* config; uint8_t bDeviceClass; uint8_t bMaxPower; int config_length; struct usb_iface_index ifaces[USB_MAX_IFACE_NUM]; int ifaces_num; int iface_cur; }; struct usb_info { int fd; struct usb_device_index index; }; static struct usb_info usb_devices[USB_MAX_FDS]; static struct usb_device_index* lookup_usb_index(int fd) { for (int i = 0; i < USB_MAX_FDS; i++) { if (__atomic_load_n(&usb_devices[i].fd, __ATOMIC_ACQUIRE) == fd) return &usb_devices[i].index; } return NULL; } static int usb_devices_num; static bool parse_usb_descriptor(const char* buffer, size_t length, struct usb_device_index* index) { if (length < sizeof(*index->dev) + sizeof(*index->config)) return false; memset(index, 0, sizeof(*index)); index->dev = (struct usb_device_descriptor*)buffer; index->config = (struct usb_config_descriptor*)(buffer + sizeof(*index->dev)); index->bDeviceClass = index->dev->bDeviceClass; index->bMaxPower = index->config->bMaxPower; index->config_length = length - sizeof(*index->dev); index->iface_cur = -1; size_t offset = 0; while (true) { if (offset + 1 >= length) break; uint8_t desc_length = buffer[offset]; uint8_t desc_type = buffer[offset + 1]; if (desc_length <= 2) break; if (offset + desc_length > length) break; if (desc_type == USB_DT_INTERFACE && index->ifaces_num < USB_MAX_IFACE_NUM) { struct usb_interface_descriptor* iface = (struct usb_interface_descriptor*)(buffer + offset); index->ifaces[index->ifaces_num].iface = iface; index->ifaces[index->ifaces_num].bInterfaceNumber = iface->bInterfaceNumber; index->ifaces[index->ifaces_num].bAlternateSetting = iface->bAlternateSetting; index->ifaces[index->ifaces_num].bInterfaceClass = iface->bInterfaceClass; index->ifaces_num++; } if (desc_type == USB_DT_ENDPOINT && index->ifaces_num > 0) { struct usb_iface_index* iface = &index->ifaces[index->ifaces_num - 1]; if (iface->eps_num < USB_MAX_EP_NUM) { memcpy(&iface->eps[iface->eps_num].desc, buffer + offset, sizeof(iface->eps[iface->eps_num].desc)); iface->eps_num++; } } offset += desc_length; } return true; } static struct usb_device_index* add_usb_index(int fd, const char* dev, size_t dev_len) { int i = __atomic_fetch_add(&usb_devices_num, 1, __ATOMIC_RELAXED); if (i >= USB_MAX_FDS) return NULL; if (!parse_usb_descriptor(dev, dev_len, &usb_devices[i].index)) return NULL; __atomic_store_n(&usb_devices[i].fd, fd, __ATOMIC_RELEASE); return &usb_devices[i].index; } struct vusb_connect_string_descriptor { uint32_t len; char* str; } __attribute__((packed)); struct vusb_connect_descriptors { uint32_t qual_len; char* qual; uint32_t bos_len; char* bos; uint32_t strs_len; struct vusb_connect_string_descriptor strs[0]; } __attribute__((packed)); static const char default_string[] = { 8, USB_DT_STRING, 's', 0, 'y', 0, 'z', 0 }; static const char default_lang_id[] = { 4, USB_DT_STRING, 0x09, 0x04 }; static bool lookup_connect_response_in(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, struct usb_qualifier_descriptor* qual, char** response_data, uint32_t* response_length) { struct usb_device_index* index = lookup_usb_index(fd); uint8_t str_idx; if (!index) return false; switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_GET_DESCRIPTOR: switch (ctrl->wValue >> 8) { case USB_DT_DEVICE: *response_data = (char*)index->dev; *response_length = sizeof(*index->dev); return true; case USB_DT_CONFIG: *response_data = (char*)index->config; *response_length = index->config_length; return true; case USB_DT_STRING: str_idx = (uint8_t)ctrl->wValue; if (descs && str_idx < descs->strs_len) { *response_data = descs->strs[str_idx].str; *response_length = descs->strs[str_idx].len; return true; } if (str_idx == 0) { *response_data = (char*)&default_lang_id[0]; *response_length = default_lang_id[0]; return true; } *response_data = (char*)&default_string[0]; *response_length = default_string[0]; return true; case USB_DT_BOS: *response_data = descs->bos; *response_length = descs->bos_len; return true; case USB_DT_DEVICE_QUALIFIER: if (!descs->qual) { qual->bLength = sizeof(*qual); qual->bDescriptorType = USB_DT_DEVICE_QUALIFIER; qual->bcdUSB = index->dev->bcdUSB; qual->bDeviceClass = index->dev->bDeviceClass; qual->bDeviceSubClass = index->dev->bDeviceSubClass; qual->bDeviceProtocol = index->dev->bDeviceProtocol; qual->bMaxPacketSize0 = index->dev->bMaxPacketSize0; qual->bNumConfigurations = index->dev->bNumConfigurations; qual->bRESERVED = 0; *response_data = (char*)qual; *response_length = sizeof(*qual); return true; } *response_data = descs->qual; *response_length = descs->qual_len; return true; default: break; } break; default: break; } break; default: break; } return false; } typedef bool (*lookup_connect_out_response_t)(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done); static bool lookup_connect_response_out_generic(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done) { switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_SET_CONFIGURATION: *done = true; return true; default: break; } break; } return false; } static int vhci_open(void) { char path[1024]; snprintf(path, sizeof(path), "/dev/vhci%llu", procid); return open(path, O_RDWR); } static int vhci_setport(int fd, u_int port) { struct vhci_ioc_set_port args; args.port = port; return ioctl(fd, VHCI_IOC_SET_PORT, &args); } static int vhci_usb_attach(int fd) { return ioctl(fd, VHCI_IOC_USB_ATTACH, NULL); } static int vhci_usb_recv(int fd, void* buf, size_t size) { uint8_t* ptr = (uint8_t*)buf; while (1) { ssize_t done = read(fd, ptr, size); if (done < 0) return -1; if ((size_t)done == size) return 0; size -= done; ptr += done; } } static int vhci_usb_send(int fd, void* buf, size_t size) { uint8_t* ptr = (uint8_t*)buf; while (1) { ssize_t done = write(fd, ptr, size); if (done <= 0) return -1; if ((size_t)done == size) return 0; size -= done; ptr += done; } } static volatile long syz_usb_connect_impl(int fd, uint64_t speed, uint64_t dev_len, const char* dev, const struct vusb_connect_descriptors* descs, lookup_connect_out_response_t lookup_connect_response_out) { struct usb_device_index* index = add_usb_index(fd, dev, dev_len); if (!index) { return -1; } if (vhci_setport(fd, 1)) exit(1); if (vhci_usb_attach(fd)) { return -1; } bool done = false; while (!done) { vhci_request_t req; if (vhci_usb_recv(fd, &req, sizeof(req))) { return -1; } if (req.type != VHCI_REQ_CTRL) { return -1; } char* response_data = NULL; uint32_t response_length = 0; struct usb_qualifier_descriptor qual; char data[4096]; if (req.u.ctrl.bmRequestType & UE_DIR_IN) { if (!lookup_connect_response_in(fd, descs, (const struct usb_ctrlrequest*)&req.u.ctrl, &qual, &response_data, &response_length)) { return -1; } } else { if (!lookup_connect_response_out(fd, descs, (const struct usb_ctrlrequest*)&req.u.ctrl, &done)) { return -1; } response_data = NULL; response_length = UGETW(req.u.ctrl.wLength); } if ((req.u.ctrl.bmRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD && req.u.ctrl.bRequest == USB_REQ_SET_CONFIGURATION) { } if (response_length > sizeof(data)) response_length = 0; if ((uint32_t)UGETW(req.u.ctrl.wLength) < response_length) response_length = UGETW(req.u.ctrl.wLength); if (response_data) memcpy(data, response_data, response_length); else memset(data, 0, response_length); int rv = 0; if (req.u.ctrl.bmRequestType & UE_DIR_IN) { if (response_length > 0) { vhci_response_t res; res.size = response_length; rv = vhci_usb_send(fd, &res, sizeof(res)); if (rv == 0) rv = vhci_usb_send(fd, data, response_length); } } else { rv = vhci_usb_recv(fd, data, response_length); } if (rv < 0) { return -1; } } sleep_ms(200); return fd; } static volatile long syz_usb_connect(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { uint64_t speed = a0; uint64_t dev_len = a1; const char* dev = (const char*)a2; const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3; if (!dev) { return -1; } int fd = vhci_open(); if (fd < 0) exit(1); long res = syz_usb_connect_impl(fd, speed, dev_len, dev, descs, &lookup_connect_response_out_generic); close(fd); return res; } static volatile long syz_usb_disconnect(volatile long a0) { int fd = a0; int rv = close(fd); sleep_ms(200); return rv; } static void setup_fault(void) { if (chmod("/dev/fault", 0666)) exit(1); } static int inject_fault(int nth) { struct fault_ioc_enable en; int fd; fd = open("/dev/fault", O_RDWR); if (fd == -1) exit(1); en.scope = FAULT_SCOPE_LWP; en.mode = 0; en.nth = nth + 1; if (ioctl(fd, FAULT_IOC_ENABLE, &en) != 0) exit(1); return fd; } static void sandbox_common() { struct rlimit rlim; rlim.rlim_cur = rlim.rlim_max = 8 << 20; setrlimit(RLIMIT_MEMLOCK, &rlim); rlim.rlim_cur = rlim.rlim_max = 1 << 20; setrlimit(RLIMIT_FSIZE, &rlim); rlim.rlim_cur = rlim.rlim_max = 1 << 20; setrlimit(RLIMIT_STACK, &rlim); rlim.rlim_cur = rlim.rlim_max = 0; setrlimit(RLIMIT_CORE, &rlim); rlim.rlim_cur = rlim.rlim_max = 256; setrlimit(RLIMIT_NOFILE, &rlim); } static void loop(); static int do_sandbox_none(void) { sandbox_common(); loop(); return 0; } static long syz_execute_func(volatile long text) { ((void (*)(void))(text))(); return 0; } struct thread_t { int created, call; event_t ready, done; }; static struct thread_t threads[16]; static void execute_call(int call); static int running; static void* thr(void* arg) { struct thread_t* th = (struct thread_t*)arg; for (;;) { event_wait(&th->ready); event_reset(&th->ready); execute_call(th->call); __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED); event_set(&th->done); } return 0; } static void execute_one(void) { if (write(1, "executing program\n", sizeof("executing program\n") - 1)) { } int i, call, thread; for (call = 0; call < 13; call++) { for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) { struct thread_t* th = &threads[thread]; if (!th->created) { th->created = 1; event_init(&th->ready); event_init(&th->done); event_set(&th->done); thread_start(thr, th); } if (!event_isset(&th->done)) continue; event_reset(&th->done); th->call = call; __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED); event_set(&th->ready); if (call == 1) break; event_timedwait(&th->done, 50 + (call == 11 ? 3000 : 0) + (call == 12 ? 300 : 0)); break; } } for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++) sleep_ms(1); } static void execute_one(void); #define WAIT_FLAGS 0 static void loop(void) { int iter = 0; for (;; iter++) { char cwdbuf[32]; sprintf(cwdbuf, "./%d", iter); if (mkdir(cwdbuf, 0777)) exit(1); int pid = fork(); if (pid < 0) exit(1); if (pid == 0) { if (chdir(cwdbuf)) exit(1); execute_one(); exit(0); } int status = 0; uint64_t start = current_time_ms(); for (;;) { if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) break; sleep_ms(1); if (current_time_ms() - start < 5000) continue; kill_and_wait(pid, &status); break; } remove_dir(cwdbuf); } } uint64_t r[2] = {0xffffffffffffffff, 0xffffffffffffffff}; void execute_call(int call) { intptr_t res = 0; switch (call) { case 0: memcpy((void*)0x20000000, "./file0\000", 8); *(uint64_t*)0x20000040 = 5; *(uint64_t*)0x20000048 = 6; inject_fault(1); syscall(SYS___utimes50, 0x20000000ul, 0x20000040ul); break; case 1: memcpy((void*)0x20000080, "./file0\000", 8); *(uint64_t*)0x20000180 = 5; syscall(SYS___getfh30, 0x20000080ul, 0x200000c0ul, 0x20000180ul); break; case 2: memcpy((void*)0x200001c0, "./file0\000", 8); res = syscall(SYS_open, 0x200001c0ul, 0x80ul, 0x100ul); { int i; for(i = 0; i < 4; i++) { syscall(SYS_open, 0x200001c0ul, 0x80ul, 0x100ul); } } if (res != -1) r[0] = res; break; case 3: *(uint64_t*)0x20000400 = 0x20000200; *(uint64_t*)0x20000408 = 0; *(uint64_t*)0x20000410 = 0x20000240; *(uint64_t*)0x20000418 = 0x2c; *(uint64_t*)0x20000420 = 0x20000280; *(uint64_t*)0x20000428 = 0xb2; *(uint64_t*)0x20000430 = 0x20000340; *(uint64_t*)0x20000438 = 0xb1; syscall(SYS_preadv, r[0], 0x20000400ul, 4ul, 6ul); break; case 4: memcpy((void*)0x20000440, "./file0\000", 8); res = syscall(SYS_open, 0x20000440ul, 0x1000000ul, 0ul); if (res != -1) r[1] = res; break; case 5: syscall(SYS_ioctl, r[1], 0x4004575ful, 0x20000480ul); break; case 6: *(uint64_t*)0x200005f8 = 0x200004c0; memcpy((void*)0x200004c0, "\x39\x56\xea\x18\x77\x15\xb3\x64\xf0\x78\xd2\x25\x29\x01\x0e\x88\x1c\x15\xc4\xac\x90\x5a\x9b\x74\x13\x77\xa2\x9b\x3f\x3f\xd0\x79\xdc\xb3\x1d\xd9\x07\x81\x05\x60\x5a\xb6\xc3\x35\x82\xb0\x4e\xcd\x1c\x5a\x5a\xbd\xa9\xa0\x69\xcf\xfc\x19\xb6\x23\xcc\x7e\x6c\xa3\x0e\xa6\x44\xaf\x2f\x9f\xf3\xf0\x41\x48\x5f\x48\xd1\xb5\xf6\xed\x02\x35\x46\x8e\x74\x1f\x36\x34\xe6\xed\xa3\x58\xc8\xf7\x35\x24\x73\xf5\xce\x3b\x37\xd5\xd9\x1e\xd2\x9d\x5a\x2a\x2e\x99\xc6\x24\xae\x17\xd1\x3e\x54\xa4\x03\xf2\xb1\x79\xe4\x3a\xc2\x81\xc4\x24\x69\x74\x15\x1f\xbc\xb7\x92\x20\x04\x7b\x01\x74\xdd\x32\x36\x78\x4c\x58\x1a\x21\xe2\x29\xa7\x1f\x22\x83\xfd\x0b\xb1\x81\x0c\xc5\x54\xda\x71\xc7\x21\xa7\xdf\x2f\x74\xdc\x3b\x6b\xaa\xe1\x63\x5c\x72\xad\x1a\x07\xdf\xe6\x55\xcd\xf7\xe5\x27\x74\xef\x46\xb5\x37\x2d\x0f\xa1\xca\xd8\xa2\x88\xa7\x4d\x34\x96\x4d\xb9\x67\x60\xe2\xcf\x85\x86\xf2\xea\x7d\xad", 215); syscall(SYS_compat_14_shmctl, 0, 2ul, 0x200005c0ul); break; case 7: memcpy((void*)0x20000600, "./file0\000", 8); syscall(SYS_fchmodat, r[0], 0x20000600ul, 0x800ul, 0x500ul); break; case 8: memcpy((void*)0x20000640, "./file0\000", 8); *(uint64_t*)0x20000740 = 0x48000; syscall(SYS___getfh30, 0x20000640ul, 0x20000680ul, 0x20000740ul); break; case 9: syscall(SYS_recvfrom, r[0], 0x20000780ul, 0x7ful, 0x9080ul, 0ul, 0ul); break; case 10: memcpy((void*)0x200000c0, "\xc4\x21\x7d\x28\x00\x67\x36\x42\xd9\xf6\xc4\xa1\xd4\x5e\x7b\xf2\xc4\x41\x71\xd3\x0e\xc4\x62\xa1\x04\xd5\x66\x0f\x6e\x56\x00\x42\x0f\x01\xee\xc4\x21\x4d\x67\x56\x0e\xd8\xb0\xdf\x1c\xc1\xf1\xc4\xe1\x7e\xe6\x4c\x5b\x06", 54); syz_execute_func(0x200000c0); break; case 11: *(uint8_t*)0x20000140 = 0x12; *(uint8_t*)0x20000141 = 1; *(uint16_t*)0x20000142 = 0x201; *(uint8_t*)0x20000144 = 0; *(uint8_t*)0x20000145 = 0; *(uint8_t*)0x20000146 = 0; *(uint8_t*)0x20000147 = 0x10; *(uint16_t*)0x20000148 = 0; *(uint16_t*)0x2000014a = 0; *(uint16_t*)0x2000014c = 0; *(uint8_t*)0x2000014e = 1; *(uint8_t*)0x2000014f = 2; *(uint8_t*)0x20000150 = 3; *(uint8_t*)0x20000151 = 1; *(uint8_t*)0x20000152 = 9; *(uint8_t*)0x20000153 = 2; *(uint16_t*)0x20000154 = 0x5aa; *(uint8_t*)0x20000156 = 1; *(uint8_t*)0x20000157 = 0; *(uint8_t*)0x20000158 = 0x4d; *(uint8_t*)0x20000159 = 0; *(uint8_t*)0x2000015a = 5; *(uint8_t*)0x2000015b = 9; *(uint8_t*)0x2000015c = 4; *(uint8_t*)0x2000015d = 0x7f; *(uint8_t*)0x2000015e = 2; *(uint8_t*)0x2000015f = 0x10; *(uint8_t*)0x20000160 = 0; *(uint8_t*)0x20000161 = 0; *(uint8_t*)0x20000162 = 0; *(uint8_t*)0x20000163 = 0x1f; *(uint8_t*)0x20000164 = 0xa; *(uint8_t*)0x20000165 = 0x24; *(uint8_t*)0x20000166 = 6; *(uint8_t*)0x20000167 = 0; *(uint8_t*)0x20000168 = 1; memcpy((void*)0x20000169, "\xc3\x1c\xa1\x66\x5e", 5); *(uint8_t*)0x2000016e = 5; *(uint8_t*)0x2000016f = 0x24; *(uint8_t*)0x20000170 = 0; *(uint16_t*)0x20000171 = 6; *(uint8_t*)0x20000173 = 0xd; *(uint8_t*)0x20000174 = 0x24; *(uint8_t*)0x20000175 = 0xf; *(uint8_t*)0x20000176 = 1; *(uint32_t*)0x20000177 = 0xfffffe01; *(uint16_t*)0x2000017b = 0x7fff; *(uint16_t*)0x2000017d = 0xfe01; *(uint8_t*)0x2000017f = 1; *(uint8_t*)0x20000180 = 6; *(uint8_t*)0x20000181 = 0x24; *(uint8_t*)0x20000182 = 0x1a; *(uint16_t*)0x20000183 = 0x101; *(uint8_t*)0x20000185 = 0; *(uint8_t*)0x20000186 = 6; *(uint8_t*)0x20000187 = 0x24; *(uint8_t*)0x20000188 = 7; *(uint8_t*)0x20000189 = 0xfd; *(uint16_t*)0x2000018a = 0x1000; *(uint8_t*)0x2000018c = 4; *(uint8_t*)0x2000018d = 0x24; *(uint8_t*)0x2000018e = 2; *(uint8_t*)0x2000018f = 0xf; *(uint8_t*)0x20000190 = 5; *(uint8_t*)0x20000191 = 0x24; *(uint8_t*)0x20000192 = 1; *(uint8_t*)0x20000193 = 3; *(uint8_t*)0x20000194 = 0xd0; *(uint8_t*)0x20000195 = 7; *(uint8_t*)0x20000196 = 0x24; *(uint8_t*)0x20000197 = 0x14; *(uint16_t*)0x20000198 = 5; *(uint16_t*)0x2000019a = 9; *(uint8_t*)0x2000019c = 0xba; *(uint8_t*)0x2000019d = 0xb; memcpy((void*)0x2000019e, "\xfe\x82\xf4\x12\xbd\xe1\x3c\xfe\x9a\x7c\x58\x42\x8c\xb9\xc3\xa0\x85\x52\x8b\x59\x21\x05\x45\x97\x3b\xdc\x2a\xa0\xc2\x11\x53\xe7\x1c\x9f\x06\x5b\xbe\xf1\x10\xef\x76\x91\x1a\xe1\x4a\x69\x05\x0c\x92\x64\x04\x46\x79\x9f\xa1\xdc\x7a\xa0\xc2\x43\xc2\x15\xb0\xaf\xa1\x30\x99\x00\xf0\xbe\x31\x1c\x82\x59\xdb\x41\x22\xe4\x79\xaa\x52\x91\xed\x38\xba\x4b\x00\xce\x42\x69\x3f\x27\x39\x52\x16\x81\x81\x97\x27\x63\x35\xcc\x1c\x97\x75\x50\xda\x0a\x1f\x62\x51\x9c\x18\x4c\x22\x8c\x94\xbc\xc6\x3e\x4b\xda\x51\xb0\xde\xed\xcd\x99\xe2\x68\x44\xea\x31\x95\x31\x03\x14\x2c\x05\xbb\x4f\x68\x26\x37\x71\xca\x79\x1a\xcf\xb8\xe6\xf1\xb7\xe1\xc8\xc6\xb4\x7a\x72\x90\xee\x50\xa6\xd9\xd6\xc6\x4f\x7e\x20\x18\xc6\x2b\xd4\x5d\x9d\x93\x26\x86\x1a\x01\xe0\x59\x30\x26", 184); *(uint8_t*)0x20000256 = 9; *(uint8_t*)0x20000257 = 5; *(uint8_t*)0x20000258 = 9; *(uint8_t*)0x20000259 = 0x10; *(uint16_t*)0x2000025a = 0xbf7; *(uint8_t*)0x2000025c = 0x80; *(uint8_t*)0x2000025d = 3; *(uint8_t*)0x2000025e = 0x80; *(uint8_t*)0x2000025f = 7; *(uint8_t*)0x20000260 = 0x25; *(uint8_t*)0x20000261 = 1; *(uint8_t*)0x20000262 = 1; *(uint8_t*)0x20000263 = 0x81; *(uint16_t*)0x20000264 = 0xb6; *(uint8_t*)0x20000266 = 9; *(uint8_t*)0x20000267 = 5; *(uint8_t*)0x20000268 = 5; *(uint8_t*)0x20000269 = 3; *(uint16_t*)0x2000026a = 0x20; *(uint8_t*)0x2000026c = 5; *(uint8_t*)0x2000026d = 8; *(uint8_t*)0x2000026e = 0xf5; *(uint8_t*)0x2000026f = 7; *(uint8_t*)0x20000270 = 0x25; *(uint8_t*)0x20000271 = 1; *(uint8_t*)0x20000272 = 3; *(uint8_t*)0x20000273 = 0x81; *(uint16_t*)0x20000274 = 5; *(uint8_t*)0x20000276 = 9; *(uint8_t*)0x20000277 = 5; *(uint8_t*)0x20000278 = 3; *(uint8_t*)0x20000279 = 1; *(uint16_t*)0x2000027a = 0x40; *(uint8_t*)0x2000027c = 0x1f; *(uint8_t*)0x2000027d = 2; *(uint8_t*)0x2000027e = 0; *(uint8_t*)0x2000027f = 7; *(uint8_t*)0x20000280 = 0x25; *(uint8_t*)0x20000281 = 1; *(uint8_t*)0x20000282 = 0; *(uint8_t*)0x20000283 = 3; *(uint16_t*)0x20000284 = 0x8001; *(uint8_t*)0x20000286 = 7; *(uint8_t*)0x20000287 = 0x25; *(uint8_t*)0x20000288 = 1; *(uint8_t*)0x20000289 = 3; *(uint8_t*)0x2000028a = 0x74; *(uint16_t*)0x2000028b = 4; *(uint8_t*)0x2000028d = 9; *(uint8_t*)0x2000028e = 5; *(uint8_t*)0x2000028f = 6; *(uint8_t*)0x20000290 = 4; *(uint16_t*)0x20000291 = 0x20; *(uint8_t*)0x20000293 = 0xc3; *(uint8_t*)0x20000294 = 4; *(uint8_t*)0x20000295 = 0x30; *(uint8_t*)0x20000296 = 7; *(uint8_t*)0x20000297 = 0x25; *(uint8_t*)0x20000298 = 1; *(uint8_t*)0x20000299 = 0x80; *(uint8_t*)0x2000029a = 0; *(uint16_t*)0x2000029b = 1; *(uint8_t*)0x2000029d = 0x9e; *(uint8_t*)0x2000029e = 0x21; memcpy((void*)0x2000029f, "\x1a\x03\x80\xc0\x7a\xcd\x29\x03\x33\x3b\x9e\xe1\xa7\x34\x21\xf8\x89\x15\xa3\x93\x9a\x28\xa2\xa2\x1a\x53\xbe\x2e\xa9\x07\xf7\x3f\x40\x51\x3c\xd6\x0a\x48\x4a\x95\x15\x53\x48\xfd\x7c\xd7\x92\x87\x96\x33\x50\x66\xc5\x4f\xa2\x73\x65\x5e\xed\x76\x35\x77\xef\xa8\x06\xa4\x89\xed\x9e\xe1\x47\x3c\xe8\x5f\x42\x0c\x0c\x52\x77\x64\xae\xfd\xd8\x8e\x11\x6c\xa3\x38\xe9\x20\xce\xa4\x64\x5f\xa6\x00\x5f\xec\xea\x1a\xb9\xcf\xc4\xaa\x74\xfe\xe4\xf5\x51\x92\xf6\x12\xd9\x8f\xd9\x6c\xb5\x40\x41\x52\xc5\xd3\x52\x11\x88\x53\xa9\xf7\x02\x6a\x95\xe6\xdd\xd1\x9c\x24\xdf\x1a\x2f\x9a\xb2\x47\xef\x37\xa0\x63\xb2\xed\x77\x37\x55\xb9\x76\x6a\x0a\x47", 156); *(uint8_t*)0x2000033b = 9; *(uint8_t*)0x2000033c = 5; *(uint8_t*)0x2000033d = 0; *(uint8_t*)0x2000033e = 0xc; *(uint16_t*)0x2000033f = 0x400; *(uint8_t*)0x20000341 = 2; *(uint8_t*)0x20000342 = 0x7b; *(uint8_t*)0x20000343 = 0x27; *(uint8_t*)0x20000344 = 7; *(uint8_t*)0x20000345 = 0x25; *(uint8_t*)0x20000346 = 1; *(uint8_t*)0x20000347 = 0x80; *(uint8_t*)0x20000348 = 8; *(uint16_t*)0x20000349 = 8; *(uint8_t*)0x2000034b = 7; *(uint8_t*)0x2000034c = 0x25; *(uint8_t*)0x2000034d = 1; *(uint8_t*)0x2000034e = 0x81; *(uint8_t*)0x2000034f = 0x40; *(uint16_t*)0x20000350 = 0x1f; *(uint8_t*)0x20000352 = 9; *(uint8_t*)0x20000353 = 5; *(uint8_t*)0x20000354 = 0x80; *(uint8_t*)0x20000355 = 8; *(uint16_t*)0x20000356 = 8; *(uint8_t*)0x20000358 = 0; *(uint8_t*)0x20000359 = 6; *(uint8_t*)0x2000035a = 0; *(uint8_t*)0x2000035b = 9; *(uint8_t*)0x2000035c = 5; *(uint8_t*)0x2000035d = 0xc; *(uint8_t*)0x2000035e = 0; *(uint16_t*)0x2000035f = 0x200; *(uint8_t*)0x20000361 = 0x7f; *(uint8_t*)0x20000362 = 8; *(uint8_t*)0x20000363 = 8; *(uint8_t*)0x20000364 = 7; *(uint8_t*)0x20000365 = 0x25; *(uint8_t*)0x20000366 = 1; *(uint8_t*)0x20000367 = 0x42; *(uint8_t*)0x20000368 = 0; *(uint16_t*)0x20000369 = 3; *(uint8_t*)0x2000036b = 9; *(uint8_t*)0x2000036c = 5; *(uint8_t*)0x2000036d = 6; *(uint8_t*)0x2000036e = 1; *(uint16_t*)0x2000036f = 0x10; *(uint8_t*)0x20000371 = 0x7f; *(uint8_t*)0x20000372 = 6; *(uint8_t*)0x20000373 = 0x20; *(uint8_t*)0x20000374 = 0x3e; *(uint8_t*)0x20000375 = 0x24; memcpy((void*)0x20000376, "\x32\x79\xe6\x8b\x31\x07\xce\x57\xe9\x3f\x9b\x3d\x33\x6f\xef\xa9\xde\x17\x9b\x08\x50\x5c\x0e\xdd\x9e\xdf\x73\x39\x46\x60\x85\x55\x4d\x34\xe4\x57\x1b\x47\x0f\x40\xaa\xcb\x1c\x79\x14\x0c\x88\xfc\xe1\x78\x73\xe9\xa6\x06\xd0\xd0\xae\x19\x13\x06", 60); *(uint8_t*)0x200003b2 = 0x19; *(uint8_t*)0x200003b3 = 0x23; memcpy((void*)0x200003b4, "\xa5\xc0\xa8\x92\xc2\xb9\x5a\x22\x7d\xc6\x62\x3c\x0b\x74\x31\x0c\x15\x5d\x86\x2f\x23\x9e\x16", 23); *(uint8_t*)0x200003cb = 9; *(uint8_t*)0x200003cc = 5; *(uint8_t*)0x200003cd = 1; *(uint8_t*)0x200003ce = 0; *(uint16_t*)0x200003cf = 0x20; *(uint8_t*)0x200003d1 = 2; *(uint8_t*)0x200003d2 = 0x81; *(uint8_t*)0x200003d3 = 0x40; *(uint8_t*)0x200003d4 = 0xe6; *(uint8_t*)0x200003d5 = 0x30; memcpy((void*)0x200003d6, "\x5d\xc5\x26\x38\x6b\x6e\x27\x4c\xe9\xc0\x60\x65\x6d\xd7\x56\xe8\xd6\xba\xe3\xde\x5b\x6d\x89\x9a\xdd\x11\x5e\x5c\x83\x59\xa1\x47\xfc\x3b\x46\x30\x11\x4b\x01\x7f\xe4\xe9\xd7\xc9\xf9\x2e\x32\xd1\x98\x8c\x0c\xcb\x1e\xd7\x62\x11\x14\xfa\x2c\x22\x52\x80\xef\x03\x02\x4e\x75\xe1\xfa\xe3\xe6\x46\xff\xe7\x1a\x41\x7a\xfe\xdc\xdc\x06\x1e\xba\x0b\x1d\xfa\x91\xec\x7a\xe5\xaa\x5f\x96\xe1\x5c\x4c\x72\xff\x5f\xb5\x7f\x50\x33\xf1\xfc\x1c\x99\xb8\xee\x55\x02\xc3\x21\x7a\x11\x23\xb5\xc0\xdf\x2d\xd8\x57\x4e\xa1\xa5\x4f\xe1\x1e\x8e\x3a\xa5\x70\xa9\x3c\xb2\x0c\xee\xf3\xf3\xb3\xb5\x34\x3b\x0a\xf5\xca\xe6\xd0\x5f\x2b\xf9\x04\x4d\x71\xb2\xc3\xab\xf2\x77\x62\x9b\xcc\x88\x7b\x30\x86\xa1\xd6\x91\x24\x3f\x2c\xa2\xb1\x5d\x63\x88\xa7\x48\xf3\x0b\x9b\xa3\xbc\x4d\x47\x3d\xc2\x8c\x19\x6c\x2e\xbd\x24\x4e\x8a\xf6\x9d\x1a\x6d\x4d\xef\x0e\xca\x62\xe1\xa8\x07\xd4\xcf\xc5\xac\x9a\xe2\x75\x60\x14\x9a\x86\x9e\xaf\x4e\x46\xa7\xfd\xc7\x03\x75", 228); *(uint8_t*)0x200004ba = 9; *(uint8_t*)0x200004bb = 5; *(uint8_t*)0x200004bc = 0; *(uint8_t*)0x200004bd = 8; *(uint16_t*)0x200004be = 0x400; *(uint8_t*)0x200004c0 = 0x1f; *(uint8_t*)0x200004c1 = 0xe5; *(uint8_t*)0x200004c2 = 1; *(uint8_t*)0x200004c3 = 0xd8; *(uint8_t*)0x200004c4 = 2; memcpy((void*)0x200004c5, "\x3b\xe1\x77\x95\x19\x82\x5a\x94\xf8\x78\x6d\x27\xa3\x0f\x8b\xff\xd7\x37\x97\xba\x27\x4d\xc1\xf2\x1d\xb7\xc9\x16\x92\xbf\xf3\xa9\x45\x69\x78\x71\x2d\x40\xe5\xe6\x93\x61\x59\xb1\x74\xf7\x62\x12\x04\x3d\x5f\x7d\xac\x45\x57\x42\x35\xde\x47\x73\xcf\x1c\x00\xaa\xa9\xd0\x4d\x86\x33\x1f\xe2\x61\xd5\xa5\x7a\xf8\x6e\xd9\x7c\xa3\x05\xaf\x1e\x33\x46\xea\x1b\xbb\x85\x1e\x81\x36\x32\xd2\xe6\x9e\xc0\x41\x10\xce\xfc\x29\xae\x7d\xbc\x2a\x57\x99\xf9\xcf\x8c\xe3\x98\xb5\x3c\x1f\x72\x57\x83\x2c\x7f\xc4\xcd\x89\xf0\x52\x56\x1f\xb2\x68\x35\xf9\x09\x70\xe9\x7f\xcf\x52\xae\xa2\xdd\xa0\xd7\x2f\xd1\x05\x0a\x98\x2b\x5a\xfb\xd9\x4f\x73\xcb\x50\x5b\x75\x33\xf8\xde\xd2\xe5\xcf\xb6\xd8\x7c\xe6\xef\x2d\x36\x97\x54\xcb\x9d\x76\x36\x21\x81\xe6\xb7\xc0\x8e\x86\x8a\x8b\xb6\x83\x7f\xeb\x00\xa4\x19\x20\x93\xff\x80\x33\xaa\x63\x71\xeb\x02\x22\xff\x0b\x4c\xe7\x33\x7b\x40\xd2\x30\x39", 214); *(uint8_t*)0x2000059b = 0xb0; *(uint8_t*)0x2000059c = 4; memcpy((void*)0x2000059d, "\x53\x77\xb0\xa3\xd6\xfa\xbe\x2b\xe4\x86\x71\x00\x49\xd6\x51\x4c\x7a\xad\xcd\x0d\x30\xdb\x7f\x39\xc5\xe1\x43\xb8\x21\x6b\x9b\xbe\x9e\xb3\xed\x55\xce\x71\x02\x6b\x96\xff\x08\xeb\x3b\x05\x7e\x8d\x62\x83\xe6\x56\x86\x38\x3e\xab\x45\x13\xee\x1b\xf6\x34\x8a\xdf\x1b\xff\x30\xe3\x4d\xf4\x41\x57\x70\x5f\x08\x43\xad\x96\xa2\x90\x5b\x4d\x6e\xf0\xb8\x1f\x89\x70\x8b\xa1\xb3\xaf\x11\x3d\x5c\x16\xf6\xd5\x3c\xf3\x86\x82\x91\x4f\x18\x16\xe1\x41\xb0\xa5\x1d\x38\x71\x04\x50\xa2\xc5\xf0\xc5\x98\x7c\xa7\x87\x0d\x11\xe9\x20\xbb\xc2\x3d\x03\x6a\x1d\xf5\x89\x2f\xc0\xd5\x9f\x63\x79\xee\xbf\xcc\xaf\xf8\xfc\x1c\xc5\x69\x6f\x43\x25\xe9\xc3\xec\x3c\xa2\x9b\x78\xb4\x76\xba\x61\xaf\x6b\x51\x43\xf0\x0f\x39\x4a\xe2\xa5", 174); *(uint8_t*)0x2000064b = 9; *(uint8_t*)0x2000064c = 5; *(uint8_t*)0x2000064d = 1; *(uint8_t*)0x2000064e = 0x10; *(uint16_t*)0x2000064f = 0x3ff; *(uint8_t*)0x20000651 = 9; *(uint8_t*)0x20000652 = 6; *(uint8_t*)0x20000653 = 9; *(uint8_t*)0x20000654 = 9; *(uint8_t*)0x20000655 = 5; *(uint8_t*)0x20000656 = 6; *(uint8_t*)0x20000657 = 0; *(uint16_t*)0x20000658 = 0x3ff; *(uint8_t*)0x2000065a = 0x1f; *(uint8_t*)0x2000065b = 6; *(uint8_t*)0x2000065c = 7; *(uint8_t*)0x2000065d = 9; *(uint8_t*)0x2000065e = 5; *(uint8_t*)0x2000065f = 0x80; *(uint8_t*)0x20000660 = 0xc; *(uint16_t*)0x20000661 = 0x400; *(uint8_t*)0x20000663 = 2; *(uint8_t*)0x20000664 = 8; *(uint8_t*)0x20000665 = 6; *(uint8_t*)0x20000666 = 9; *(uint8_t*)0x20000667 = 5; *(uint8_t*)0x20000668 = 4; *(uint8_t*)0x20000669 = 2; *(uint16_t*)0x2000066a = 8; *(uint8_t*)0x2000066c = 0x3f; *(uint8_t*)0x2000066d = 0; *(uint8_t*)0x2000066e = 9; *(uint8_t*)0x2000066f = 0x7b; *(uint8_t*)0x20000670 = 7; memcpy((void*)0x20000671, "\xfa\xaf\xe1\x39\xe2\xc2\x6d\x2a\x37\xc4\xbd\x0f\x57\x0b\xe6\xf1\xaf\xe1\xe7\xdd\x31\x29\xbb\x4e\x93\xe1\xd9\x1f\xec\xda\x52\x92\xb1\xb8\x68\xe1\x46\x7f\x14\xd9\x9b\xb5\xd8\xa9\xea\xf4\xb5\x85\xce\x93\x9b\x3b\xe9\x55\x37\x63\x7d\x10\xa5\xc3\x1b\x79\x11\x61\x02\x5f\xb0\x3a\x9f\x97\xcb\xaf\x12\xc2\xd3\xfa\x96\x90\x62\xfd\xa6\x25\x22\x6a\x78\x44\xfc\x5d\xd3\xf7\x79\x06\x30\x35\xac\xe5\xc8\x37\xde\x73\x1f\x2d\x74\x20\xf5\x34\xb5\xf8\xab\xba\x9a\x74\x9a\x25\x44\x43\x4a\x21\xde\x8c\x68", 121); *(uint8_t*)0x200006ea = 9; *(uint8_t*)0x200006eb = 5; *(uint8_t*)0x200006ec = 0xe; *(uint8_t*)0x200006ed = 0x10; *(uint16_t*)0x200006ee = 8; *(uint8_t*)0x200006f0 = 1; *(uint8_t*)0x200006f1 = 1; *(uint8_t*)0x200006f2 = 0x95; *(uint8_t*)0x200006f3 = 9; *(uint8_t*)0x200006f4 = 5; *(uint8_t*)0x200006f5 = 8; *(uint8_t*)0x200006f6 = 8; *(uint16_t*)0x200006f7 = 0x40; *(uint8_t*)0x200006f9 = 4; *(uint8_t*)0x200006fa = 5; *(uint8_t*)0x200006fb = 0; *(uint32_t*)0x20000900 = 0xa; *(uint64_t*)0x20000904 = 0x20000700; *(uint8_t*)0x20000700 = 0xa; *(uint8_t*)0x20000701 = 6; *(uint16_t*)0x20000702 = 0x50; *(uint8_t*)0x20000704 = 0x14; *(uint8_t*)0x20000705 = 0x28; *(uint8_t*)0x20000706 = 6; *(uint8_t*)0x20000707 = 0x28; *(uint8_t*)0x20000708 = 9; *(uint8_t*)0x20000709 = 0; *(uint32_t*)0x2000090c = 0x51; *(uint64_t*)0x20000910 = 0x20000740; *(uint8_t*)0x20000740 = 5; *(uint8_t*)0x20000741 = 0xf; *(uint16_t*)0x20000742 = 0x51; *(uint8_t*)0x20000744 = 6; *(uint8_t*)0x20000745 = 3; *(uint8_t*)0x20000746 = 0x10; *(uint8_t*)0x20000747 = 0xb; *(uint8_t*)0x20000748 = 3; *(uint8_t*)0x20000749 = 0x10; *(uint8_t*)0x2000074a = 0xb; *(uint8_t*)0x2000074b = 0xb; *(uint8_t*)0x2000074c = 0x10; *(uint8_t*)0x2000074d = 1; *(uint8_t*)0x2000074e = 8; *(uint16_t*)0x2000074f = 0x10; *(uint8_t*)0x20000751 = -1; *(uint8_t*)0x20000752 = 6; *(uint16_t*)0x20000753 = 0x1000; *(uint8_t*)0x20000755 = 0x40; *(uint8_t*)0x20000756 = 0x14; *(uint8_t*)0x20000757 = 0x10; *(uint8_t*)0x20000758 = 4; *(uint8_t*)0x20000759 = 0; memcpy((void*)0x2000075a, "\xc1\x6e\xe1\x67\xa2\xc7\x69\x4c\xf8\xe1\xbb\x43\xa9\x0f\xfc\x24", 16); *(uint8_t*)0x2000076a = 0x24; *(uint8_t*)0x2000076b = 0x10; *(uint8_t*)0x2000076c = 0xa; *(uint8_t*)0x2000076d = -1; STORE_BY_BITMASK(uint32_t, , 0x2000076e, 6, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x2000076e, 0x400, 5, 27); *(uint16_t*)0x20000772 = 0xf88f; *(uint16_t*)0x20000774 = 0xfffa; *(uint32_t*)0x20000776 = 0; *(uint32_t*)0x2000077a = 0xc0c0; *(uint32_t*)0x2000077e = 0x60; *(uint32_t*)0x20000782 = 0xff3f00; *(uint32_t*)0x20000786 = 0xfff0; *(uint32_t*)0x2000078a = 0xff0000; *(uint8_t*)0x2000078e = 3; *(uint8_t*)0x2000078f = 0x10; *(uint8_t*)0x20000790 = 0xb; *(uint32_t*)0x20000918 = 2; *(uint32_t*)0x2000091c = 0xd8; *(uint64_t*)0x20000920 = 0x200007c0; *(uint8_t*)0x200007c0 = 0xd8; *(uint8_t*)0x200007c1 = 3; memcpy((void*)0x200007c2, "\xe4\xe5\x19\x94\x18\x62\x35\xf6\xdd\x68\x5b\x5a\xf9\xc7\x90\xd2\xc6\xac\x3b\x9c\x71\xac\xc8\xbe\x67\x68\x9e\x27\xdb\xea\x32\xef\xfd\xb2\xe6\x8b\x21\x87\x51\x72\xf6\x56\xee\x58\xca\x78\x2e\x43\xca\x10\x8c\x5e\xd0\xf6\xb3\x66\x62\x49\xb1\x03\x51\x8f\x49\xbf\xe2\xcd\x20\x1b\x7b\xa8\x16\xc3\x44\xf3\xe2\x40\xd8\x1e\x0c\xce\xe4\xc1\x1f\xb8\x60\xc6\x1f\x7b\xe1\xab\xaf\x0b\x22\x34\x30\x09\x17\x4c\x7c\xdf\x9d\xde\xc7\x03\x12\x42\x85\x4a\x0e\x95\x7f\x6b\x85\xe0\xc4\xee\xf6\x64\x30\x22\xa8\xd9\x60\xc0\x72\x0f\x8a\x63\x28\xf7\xff\xd7\x6f\x08\xec\x6a\x4c\x5a\x8b\xcd\x4e\xca\x63\xcd\xaf\x03\xd2\x45\xca\xe2\x84\xcf\x01\xfa\x3a\x58\x1d\xef\x6e\x67\xef\xdf\xce\x67\x91\x00\xdc\x6d\x9e\x7e\x3b\x8f\x8a\xed\xdf\xab\xae\xf5\xfe\x47\x91\x23\xd0\xd0\xbb\x2f\x8e\xf7\xce\xcd\x3f\xc1\x8b\x19\xa7\x24\x3b\x71\x8d\xd2\x7f\xb2\x68\x7c\xcb\x8a\xcf\xde\xb7\x41\xcd\x73\x17\xc0", 214); *(uint32_t*)0x20000928 = 4; *(uint64_t*)0x2000092c = 0x200008c0; *(uint8_t*)0x200008c0 = 4; *(uint8_t*)0x200008c1 = 3; *(uint16_t*)0x200008c2 = 0x414; syz_usb_connect(0, 0x5bc, 0x20000140, 0x20000900); break; case 12: syz_usb_disconnect(-1); break; } } int main(void) { syscall(SYS_mmap, 0x20000000ul, 0x1000000ul, 3ul, 0x1012ul, -1, 0ul, 0ul); setup_fault(); for (procid = 0; procid < 2; procid++) { if (fork() == 0) { use_temporary_dir(); do_sandbox_none(); } } sleep(1000000); return 0; } compiler invocation: /syzkaller/shared/netbsd/tools/bin/x86_64--netbsd-g++ [-o /tmp/syz-executor4060661909 -DGOOS_netbsd=1 -DGOARCH_amd64=1 -DHOSTGOOS_linux=1 -x c - -m64 --sysroot /syzkaller/shared/netbsd/dest/ -O2 -pthread -Wall -Werror -Wparentheses -Wframe-larger-than=16384] --- FAIL: TestGenerate/netbsd/amd64/4 (0.21s) csource_test.go:150: opts: {Threaded:true Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false UseTmpDir:true HandleSegv:false Repro:false Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}} program: __utimes50(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)={0x5, 0x6}) (fail_nth: 1) __getfh30(&(0x7f0000000080)='./file0\x00', &(0x7f00000000c0)=""/164, &(0x7f0000000180)=0x5) (async) r0 = open(&(0x7f00000001c0)='./file0\x00', 0x80, 0x100) (rerun: 4) preadv(r0, &(0x7f0000000400)=[{&(0x7f0000000200)}, {&(0x7f0000000240)=""/44, 0x2c}, {&(0x7f0000000280)=""/178, 0xb2}, {&(0x7f0000000340)=""/177, 0xb1}], 0x4, 0x6) r1 = open(&(0x7f0000000440)='./file0\x00', 0x1000000, 0x0) ioctl$WSDISPLAYIO_LINEBYTES(r1, 0x4004575f, &(0x7f0000000480)) compat_14_shmctl$IPC_STAT(0x0, 0x2, &(0x7f00000005c0)={{}, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f00000004c0)="3956ea187715b364f078d22529010e881c15c4ac905a9b741377a29b3f3fd079dcb31dd9078105605ab6c33582b04ecd1c5a5abda9a069cffc19b623cc7e6ca30ea644af2f9ff3f041485f48d1b5f6ed0235468e741f3634e6eda358c8f7352473f5ce3b37d5d91ed29d5a2a2e99c624ae17d13e54a403f2b179e43ac281c4246974151fbcb79220047b0174dd3236784c581a21e229a71f2283fd0bb1810cc554da71c721a7df2f74dc3b6baae1635c72ad1a07dfe655cdf7e52774ef46b5372d0fa1cad8a288a74d34964db96760e2cf8586f2ea7dad"}) fchmodat(r0, &(0x7f0000000600)='./file0\x00', 0x800, 0x500) __getfh30(&(0x7f0000000640)='./file0\x00', &(0x7f0000000680)=""/173, &(0x7f0000000740)=0x48000) recvfrom$unix(r0, &(0x7f0000000780)=""/127, 0x7f, 0x9080, 0x0, 0x0) syz_emit_ethernet(0xa8, &(0x7f0000000000)="7cdc7f3d7523bc457cc7061f4218d205a9121313b3382a24390756c28e681e8ae64f9faefb9773a6088d8507b9f588abff90ed553d01e60af1ce4d9db1ae174c74afd76b975ec8e14ed2ecf1ea152061fe82fe634d1d1d20bfd25ca07d9ce4531e9c745c512bd468865e81abeaffeae134bea52451f13a61092e1d81780479ec9ce32bde5b1f03166d656fa34cd18fc1fbd00b1632fbd99d303f0c69398bc4dae4c54a53cb9abee5") syz_execute_func(&(0x7f00000000c0)="c4217d2800673642d9f6c4a1d45e7bf2c44171d30ec462a104d5660f6e5600420f01eec4214d67560ed8b0df1cc1f1c4e17ee64c5b06") syz_extract_tcp_res(&(0x7f0000000100), 0x0, 0x8) syz_usb_connect(0x0, 0x5bc, &(0x7f0000000140)={{0x12, 0x1, 0x201, 0x0, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x5aa, 0x1, 0x0, 0x4d, 0x0, 0x5, [{{0x9, 0x4, 0x7f, 0x2, 0x10, 0x0, 0x0, 0x0, 0x1f, [@cdc_ncm={{0xa, 0x24, 0x6, 0x0, 0x1, "c31ca1665e"}, {0x5, 0x24, 0x0, 0x6}, {0xd, 0x24, 0xf, 0x1, 0xfffffe01, 0x7fff, 0xfe01, 0x1}, {0x6, 0x24, 0x1a, 0x101}, [@country_functional={0x6, 0x24, 0x7, 0xfd, 0x1000}, @acm={0x4, 0x24, 0x2, 0xf}, @call_mgmt={0x5, 0x24, 0x1, 0x3, 0xd0}, @dmm={0x7, 0x24, 0x14, 0x5, 0x9}]}, @generic={0xba, 0xb, "fe82f412bde13cfe9a7c58428cb9c3a085528b59210545973bdc2aa0c21153e71c9f065bbef110ef76911ae14a69050c92640446799fa1dc7aa0c243c215b0afa1309900f0be311c8259db4122e479aa5291ed38ba4b00ce42693f27395216818197276335cc1c977550da0a1f62519c184c228c94bcc63e4bda51b0deedcd99e26844ea31953103142c05bb4f68263771ca791acfb8e6f1b7e1c8c6b47a7290ee50a6d9d6c64f7e2018c62bd45d9d9326861a01e0593026"}], [{{0x9, 0x5, 0x9, 0x10, 0xbf7, 0x80, 0x3, 0x80, [@uac_iso={0x7, 0x25, 0x1, 0x1, 0x81, 0xb6}]}}, {{0x9, 0x5, 0x5, 0x3, 0x20, 0x5, 0x8, 0xf5, [@uac_iso={0x7, 0x25, 0x1, 0x3, 0x81, 0x5}]}}, {{0x9, 0x5, 0x3, 0x1, 0x40, 0x1f, 0x2, 0x0, [@uac_iso={0x7, 0x25, 0x1, 0x0, 0x3, 0x8001}, @uac_iso={0x7, 0x25, 0x1, 0x3, 0x74, 0x4}]}}, {{0x9, 0x5, 0x6, 0x4, 0x20, 0xc3, 0x4, 0x30, [@uac_iso={0x7, 0x25, 0x1, 0x80, 0x0, 0x1}, @generic={0x9e, 0x21, "1a0380c07acd2903333b9ee1a73421f88915a3939a28a2a21a53be2ea907f73f40513cd60a484a95155348fd7cd7928796335066c54fa273655eed763577efa806a489ed9ee1473ce85f420c0c527764aefdd88e116ca338e920cea4645fa6005fecea1ab9cfc4aa74fee4f55192f612d98fd96cb5404152c5d352118853a9f7026a95e6ddd19c24df1a2f9ab247ef37a063b2ed773755b9766a0a47"}]}}, {{0x9, 0x5, 0x0, 0xc, 0x400, 0x2, 0x7b, 0x27, [@uac_iso={0x7, 0x25, 0x1, 0x80, 0x8, 0x8}, @uac_iso={0x7, 0x25, 0x1, 0x81, 0x40, 0x1f}]}}, {{0x9, 0x5, 0x80, 0x8, 0x8, 0x0, 0x6}}, {{0x9, 0x5, 0xc, 0x0, 0x200, 0x7f, 0x8, 0x8, [@uac_iso={0x7, 0x25, 0x1, 0x42, 0x0, 0x3}]}}, {{0x9, 0x5, 0x6, 0x1, 0x10, 0x7f, 0x6, 0x20, [@generic={0x3e, 0x24, "3279e68b3107ce57e93f9b3d336fefa9de179b08505c0edd9edf7339466085554d34e4571b470f40aacb1c79140c88fce17873e9a606d0d0ae191306"}, @generic={0x19, 0x23, "a5c0a892c2b95a227dc6623c0b74310c155d862f239e16"}]}}, {{0x9, 0x5, 0x1, 0x0, 0x20, 0x2, 0x81, 0x40, [@generic={0xe6, 0x30, "5dc526386b6e274ce9c060656dd756e8d6bae3de5b6d899add115e5c8359a147fc3b4630114b017fe4e9d7c9f92e32d1988c0ccb1ed7621114fa2c225280ef03024e75e1fae3e646ffe71a417afedcdc061eba0b1dfa91ec7ae5aa5f96e15c4c72ff5fb57f5033f1fc1c99b8ee5502c3217a1123b5c0df2dd8574ea1a54fe11e8e3aa570a93cb20ceef3f3b3b5343b0af5cae6d05f2bf9044d71b2c3abf277629bcc887b3086a1d691243f2ca2b15d6388a748f30b9ba3bc4d473dc28c196c2ebd244e8af69d1a6d4def0eca62e1a807d4cfc5ac9ae27560149a869eaf4e46a7fdc70375"}]}}, {{0x9, 0x5, 0x0, 0x8, 0x400, 0x1f, 0xe5, 0x1, [@generic={0xd8, 0x2, "3be1779519825a94f8786d27a30f8bffd73797ba274dc1f21db7c91692bff3a9456978712d40e5e6936159b174f76212043d5f7dac45574235de4773cf1c00aaa9d04d86331fe261d5a57af86ed97ca305af1e3346ea1bbb851e813632d2e69ec04110cefc29ae7dbc2a5799f9cf8ce398b53c1f7257832c7fc4cd89f052561fb26835f90970e97fcf52aea2dda0d72fd1050a982b5afbd94f73cb505b7533f8ded2e5cfb6d87ce6ef2d369754cb9d76362181e6b7c08e868a8bb6837feb00a4192093ff8033aa6371eb0222ff0b4ce7337b40d23039"}, @generic={0xb0, 0x4, "5377b0a3d6fabe2be486710049d6514c7aadcd0d30db7f39c5e143b8216b9bbe9eb3ed55ce71026b96ff08eb3b057e8d6283e65686383eab4513ee1bf6348adf1bff30e34df44157705f0843ad96a2905b4d6ef0b81f89708ba1b3af113d5c16f6d53cf38682914f1816e141b0a51d38710450a2c5f0c5987ca7870d11e920bbc23d036a1df5892fc0d59f6379eebfccaff8fc1cc5696f4325e9c3ec3ca29b78b476ba61af6b5143f00f394ae2a5"}]}}, {{0x9, 0x5, 0x1, 0x10, 0x3ff, 0x9, 0x6, 0x9}}, {{0x9, 0x5, 0x6, 0x0, 0x3ff, 0x1f, 0x6, 0x7}}, {{0x9, 0x5, 0x80, 0xc, 0x400, 0x2, 0x8, 0x6}}, {{0x9, 0x5, 0x4, 0x2, 0x8, 0x3f, 0x0, 0x9, [@generic={0x7b, 0x7, "faafe139e2c26d2a37c4bd0f570be6f1afe1e7dd3129bb4e93e1d91fecda5292b1b868e1467f14d99bb5d8a9eaf4b585ce939b3be95537637d10a5c31b791161025fb03a9f97cbaf12c2d3fa969062fda625226a7844fc5dd3f779063035ace5c837de731f2d7420f534b5f8abba9a749a2544434a21de8c68"}]}}, {{0x9, 0x5, 0xe, 0x10, 0x8, 0x1, 0x1, 0x95}}, {{0x9, 0x5, 0x8, 0x8, 0x40, 0x4, 0x5}}]}}]}}]}}, &(0x7f0000000900)={0xa, &(0x7f0000000700)={0xa, 0x6, 0x50, 0x14, 0x28, 0x6, 0x28, 0x9}, 0x51, &(0x7f0000000740)={0x5, 0xf, 0x51, 0x6, [@ptm_cap={0x3}, @ptm_cap={0x3}, @wireless={0xb, 0x10, 0x1, 0x8, 0x10, 0xff, 0x6, 0x1000, 0x40}, @ss_container_id={0x14, 0x10, 0x4, 0x0, "c16ee167a2c7694cf8e1bb43a90ffc24"}, @ssp_cap={0x24, 0x10, 0xa, 0xff, 0x6, 0x400, 0xf88f, 0xfffa, [0x0, 0xc0c0, 0x60, 0xff3f00, 0xfff0, 0xff0000]}, @ptm_cap={0x3}]}, 0x2, [{0xd8, &(0x7f00000007c0)=@string={0xd8, 0x3, "e4e51994186235f6dd685b5af9c790d2c6ac3b9c71acc8be67689e27dbea32effdb2e68b21875172f656ee58ca782e43ca108c5ed0f6b3666249b103518f49bfe2cd201b7ba816c344f3e240d81e0ccee4c11fb860c61f7be1abaf0b22343009174c7cdf9ddec7031242854a0e957f6b85e0c4eef6643022a8d960c0720f8a6328f7ffd76f08ec6a4c5a8bcd4eca63cdaf03d245cae284cf01fa3a581def6e67efdfce679100dc6d9e7e3b8f8aeddfabaef5fe479123d0d0bb2f8ef7cecd3fc18b19a7243b718dd27fb2687ccb8acfdeb741cd7317c0"}}, {0x4, &(0x7f00000008c0)=@lang_id={0x4, 0x3, 0x414}}]}) syz_usb_disconnect(0xffffffffffffffff) csource_test.go:151: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #ifndef SYS___getfh30 #define SYS___getfh30 395 #endif #ifndef SYS___utimes50 #define SYS___utimes50 420 #endif #ifndef SYS_compat_14_shmctl #define SYS_compat_14_shmctl 229 #endif #ifndef SYS_fchmodat #define SYS_fchmodat 463 #endif #ifndef SYS_ioctl #define SYS_ioctl 54 #endif #ifndef SYS_mmap #define SYS_mmap 197 #endif #ifndef SYS_open #define SYS_open 5 #endif #ifndef SYS_preadv #define SYS_preadv 289 #endif #ifndef SYS_recvfrom #define SYS_recvfrom 29 #endif static unsigned long long procid; static void kill_and_wait(int pid, int* status) { kill(pid, SIGKILL); while (waitpid(-1, status, 0) != pid) { } } static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void use_temporary_dir(void) { char tmpdir_template[] = "./syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) exit(1); if (chmod(tmpdir, 0777)) exit(1); if (chdir(tmpdir)) exit(1); } static void __attribute__((noinline)) remove_dir(const char* dir) { DIR* dp = opendir(dir); if (dp == NULL) { if (errno == EACCES) { if (rmdir(dir)) exit(1); return; } exit(1); } struct dirent* ep = 0; while ((ep = readdir(dp))) { if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0) continue; char filename[FILENAME_MAX]; snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name); struct stat st; if (lstat(filename, &st)) exit(1); if (S_ISDIR(st.st_mode)) { remove_dir(filename); continue; } if (unlink(filename)) { exit(1); } } closedir(dp); while (rmdir(dir)) { exit(1); } } static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); pthread_attr_setstacksize(&attr, 128 << 10); int i = 0; for (; i < 100; i++) { if (pthread_create(&th, &attr, fn, arg) == 0) { pthread_attr_destroy(&attr); return; } if (errno == EAGAIN) { usleep(50); continue; } break; } exit(1); } typedef struct { pthread_mutex_t mu; pthread_cond_t cv; int state; } event_t; static void event_init(event_t* ev) { if (pthread_mutex_init(&ev->mu, 0)) exit(1); if (pthread_cond_init(&ev->cv, 0)) exit(1); ev->state = 0; } static void event_reset(event_t* ev) { ev->state = 0; } static void event_set(event_t* ev) { pthread_mutex_lock(&ev->mu); if (ev->state) exit(1); ev->state = 1; pthread_mutex_unlock(&ev->mu); pthread_cond_broadcast(&ev->cv); } static void event_wait(event_t* ev) { pthread_mutex_lock(&ev->mu); while (!ev->state) pthread_cond_wait(&ev->cv, &ev->mu); pthread_mutex_unlock(&ev->mu); } static int event_isset(event_t* ev) { pthread_mutex_lock(&ev->mu); int res = ev->state; pthread_mutex_unlock(&ev->mu); return res; } static int event_timedwait(event_t* ev, uint64_t timeout) { uint64_t start = current_time_ms(); uint64_t now = start; pthread_mutex_lock(&ev->mu); for (;;) { if (ev->state) break; uint64_t remain = timeout - (now - start); struct timespec ts; ts.tv_sec = remain / 1000; ts.tv_nsec = (remain % 1000) * 1000 * 1000; pthread_cond_timedwait(&ev->cv, &ev->mu, &ts); now = current_time_ms(); if (now - start > timeout) break; } int res = ev->state; pthread_mutex_unlock(&ev->mu); return res; } #define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off)) #define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len)))) struct usb_endpoint_descriptor { uint8_t bLength; uint8_t bDescriptorType; uint8_t bEndpointAddress; uint8_t bmAttributes; uint16_t wMaxPacketSize; uint8_t bInterval; uint8_t bRefresh; uint8_t bSynchAddress; } __attribute__((packed)); struct usb_device_descriptor { uint8_t bLength; uint8_t bDescriptorType; uint16_t bcdUSB; uint8_t bDeviceClass; uint8_t bDeviceSubClass; uint8_t bDeviceProtocol; uint8_t bMaxPacketSize0; uint16_t idVendor; uint16_t idProduct; uint16_t bcdDevice; uint8_t iManufacturer; uint8_t iProduct; uint8_t iSerialNumber; uint8_t bNumConfigurations; } __attribute__((packed)); struct usb_config_descriptor { uint8_t bLength; uint8_t bDescriptorType; uint16_t wTotalLength; uint8_t bNumInterfaces; uint8_t bConfigurationValue; uint8_t iConfiguration; uint8_t bmAttributes; uint8_t bMaxPower; } __attribute__((packed)); struct usb_interface_descriptor { uint8_t bLength; uint8_t bDescriptorType; uint8_t bInterfaceNumber; uint8_t bAlternateSetting; uint8_t bNumEndpoints; uint8_t bInterfaceClass; uint8_t bInterfaceSubClass; uint8_t bInterfaceProtocol; uint8_t iInterface; } __attribute__((packed)); struct usb_ctrlrequest { uint8_t bRequestType; uint8_t bRequest; uint16_t wValue; uint16_t wIndex; uint16_t wLength; } __attribute__((packed)); struct usb_qualifier_descriptor { uint8_t bLength; uint8_t bDescriptorType; uint16_t bcdUSB; uint8_t bDeviceClass; uint8_t bDeviceSubClass; uint8_t bDeviceProtocol; uint8_t bMaxPacketSize0; uint8_t bNumConfigurations; uint8_t bRESERVED; } __attribute__((packed)); #define USB_TYPE_MASK (0x03 << 5) #define USB_TYPE_STANDARD (0x00 << 5) #define USB_TYPE_CLASS (0x01 << 5) #define USB_TYPE_VENDOR (0x02 << 5) #define USB_TYPE_RESERVED (0x03 << 5) #define USB_DT_DEVICE 0x01 #define USB_DT_CONFIG 0x02 #define USB_DT_STRING 0x03 #define USB_DT_INTERFACE 0x04 #define USB_DT_ENDPOINT 0x05 #define USB_DT_DEVICE_QUALIFIER 0x06 #define USB_DT_OTHER_SPEED_CONFIG 0x07 #define USB_DT_INTERFACE_POWER 0x08 #define USB_DT_OTG 0x09 #define USB_DT_DEBUG 0x0a #define USB_DT_INTERFACE_ASSOCIATION 0x0b #define USB_DT_SECURITY 0x0c #define USB_DT_KEY 0x0d #define USB_DT_ENCRYPTION_TYPE 0x0e #define USB_DT_BOS 0x0f #define USB_DT_DEVICE_CAPABILITY 0x10 #define USB_DT_WIRELESS_ENDPOINT_COMP 0x11 #define USB_DT_WIRE_ADAPTER 0x21 #define USB_DT_RPIPE 0x22 #define USB_DT_CS_RADIO_CONTROL 0x23 #define USB_DT_PIPE_USAGE 0x24 #define USB_DT_SS_ENDPOINT_COMP 0x30 #define USB_DT_SSP_ISOC_ENDPOINT_COMP 0x31 #define USB_REQ_GET_STATUS 0x00 #define USB_REQ_CLEAR_FEATURE 0x01 #define USB_REQ_SET_FEATURE 0x03 #define USB_REQ_SET_ADDRESS 0x05 #define USB_REQ_GET_DESCRIPTOR 0x06 #define USB_REQ_SET_DESCRIPTOR 0x07 #define USB_REQ_GET_CONFIGURATION 0x08 #define USB_REQ_SET_CONFIGURATION 0x09 #define USB_REQ_GET_INTERFACE 0x0A #define USB_REQ_SET_INTERFACE 0x0B #define USB_REQ_SYNCH_FRAME 0x0C #define USB_REQ_SET_SEL 0x30 #define USB_REQ_SET_ISOCH_DELAY 0x31 #define USB_REQ_SET_ENCRYPTION 0x0D #define USB_REQ_GET_ENCRYPTION 0x0E #define USB_REQ_RPIPE_ABORT 0x0E #define USB_REQ_SET_HANDSHAKE 0x0F #define USB_REQ_RPIPE_RESET 0x0F #define USB_REQ_GET_HANDSHAKE 0x10 #define USB_REQ_SET_CONNECTION 0x11 #define USB_REQ_SET_SECURITY_DATA 0x12 #define USB_REQ_GET_SECURITY_DATA 0x13 #define USB_REQ_SET_WUSB_DATA 0x14 #define USB_REQ_LOOPBACK_DATA_WRITE 0x15 #define USB_REQ_LOOPBACK_DATA_READ 0x16 #define USB_REQ_SET_INTERFACE_DS 0x17 #define USB_REQ_GET_PARTNER_PDO 20 #define USB_REQ_GET_BATTERY_STATUS 21 #define USB_REQ_SET_PDO 22 #define USB_REQ_GET_VDM 23 #define USB_REQ_SEND_VDM 24 #define USB_MAX_IFACE_NUM 4 #define USB_MAX_EP_NUM 32 #define USB_MAX_FDS 6 struct usb_endpoint_index { struct usb_endpoint_descriptor desc; int handle; }; struct usb_iface_index { struct usb_interface_descriptor* iface; uint8_t bInterfaceNumber; uint8_t bAlternateSetting; uint8_t bInterfaceClass; struct usb_endpoint_index eps[USB_MAX_EP_NUM]; int eps_num; }; struct usb_device_index { struct usb_device_descriptor* dev; struct usb_config_descriptor* config; uint8_t bDeviceClass; uint8_t bMaxPower; int config_length; struct usb_iface_index ifaces[USB_MAX_IFACE_NUM]; int ifaces_num; int iface_cur; }; struct usb_info { int fd; struct usb_device_index index; }; static struct usb_info usb_devices[USB_MAX_FDS]; static struct usb_device_index* lookup_usb_index(int fd) { for (int i = 0; i < USB_MAX_FDS; i++) { if (__atomic_load_n(&usb_devices[i].fd, __ATOMIC_ACQUIRE) == fd) return &usb_devices[i].index; } return NULL; } static int usb_devices_num; static bool parse_usb_descriptor(const char* buffer, size_t length, struct usb_device_index* index) { if (length < sizeof(*index->dev) + sizeof(*index->config)) return false; memset(index, 0, sizeof(*index)); index->dev = (struct usb_device_descriptor*)buffer; index->config = (struct usb_config_descriptor*)(buffer + sizeof(*index->dev)); index->bDeviceClass = index->dev->bDeviceClass; index->bMaxPower = index->config->bMaxPower; index->config_length = length - sizeof(*index->dev); index->iface_cur = -1; size_t offset = 0; while (true) { if (offset + 1 >= length) break; uint8_t desc_length = buffer[offset]; uint8_t desc_type = buffer[offset + 1]; if (desc_length <= 2) break; if (offset + desc_length > length) break; if (desc_type == USB_DT_INTERFACE && index->ifaces_num < USB_MAX_IFACE_NUM) { struct usb_interface_descriptor* iface = (struct usb_interface_descriptor*)(buffer + offset); index->ifaces[index->ifaces_num].iface = iface; index->ifaces[index->ifaces_num].bInterfaceNumber = iface->bInterfaceNumber; index->ifaces[index->ifaces_num].bAlternateSetting = iface->bAlternateSetting; index->ifaces[index->ifaces_num].bInterfaceClass = iface->bInterfaceClass; index->ifaces_num++; } if (desc_type == USB_DT_ENDPOINT && index->ifaces_num > 0) { struct usb_iface_index* iface = &index->ifaces[index->ifaces_num - 1]; if (iface->eps_num < USB_MAX_EP_NUM) { memcpy(&iface->eps[iface->eps_num].desc, buffer + offset, sizeof(iface->eps[iface->eps_num].desc)); iface->eps_num++; } } offset += desc_length; } return true; } static struct usb_device_index* add_usb_index(int fd, const char* dev, size_t dev_len) { int i = __atomic_fetch_add(&usb_devices_num, 1, __ATOMIC_RELAXED); if (i >= USB_MAX_FDS) return NULL; if (!parse_usb_descriptor(dev, dev_len, &usb_devices[i].index)) return NULL; __atomic_store_n(&usb_devices[i].fd, fd, __ATOMIC_RELEASE); return &usb_devices[i].index; } struct vusb_connect_string_descriptor { uint32_t len; char* str; } __attribute__((packed)); struct vusb_connect_descriptors { uint32_t qual_len; char* qual; uint32_t bos_len; char* bos; uint32_t strs_len; struct vusb_connect_string_descriptor strs[0]; } __attribute__((packed)); static const char default_string[] = { 8, USB_DT_STRING, 's', 0, 'y', 0, 'z', 0 }; static const char default_lang_id[] = { 4, USB_DT_STRING, 0x09, 0x04 }; static bool lookup_connect_response_in(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, struct usb_qualifier_descriptor* qual, char** response_data, uint32_t* response_length) { struct usb_device_index* index = lookup_usb_index(fd); uint8_t str_idx; if (!index) return false; switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_GET_DESCRIPTOR: switch (ctrl->wValue >> 8) { case USB_DT_DEVICE: *response_data = (char*)index->dev; *response_length = sizeof(*index->dev); return true; case USB_DT_CONFIG: *response_data = (char*)index->config; *response_length = index->config_length; return true; case USB_DT_STRING: str_idx = (uint8_t)ctrl->wValue; if (descs && str_idx < descs->strs_len) { *response_data = descs->strs[str_idx].str; *response_length = descs->strs[str_idx].len; return true; } if (str_idx == 0) { *response_data = (char*)&default_lang_id[0]; *response_length = default_lang_id[0]; return true; } *response_data = (char*)&default_string[0]; *response_length = default_string[0]; return true; case USB_DT_BOS: *response_data = descs->bos; *response_length = descs->bos_len; return true; case USB_DT_DEVICE_QUALIFIER: if (!descs->qual) { qual->bLength = sizeof(*qual); qual->bDescriptorType = USB_DT_DEVICE_QUALIFIER; qual->bcdUSB = index->dev->bcdUSB; qual->bDeviceClass = index->dev->bDeviceClass; qual->bDeviceSubClass = index->dev->bDeviceSubClass; qual->bDeviceProtocol = index->dev->bDeviceProtocol; qual->bMaxPacketSize0 = index->dev->bMaxPacketSize0; qual->bNumConfigurations = index->dev->bNumConfigurations; qual->bRESERVED = 0; *response_data = (char*)qual; *response_length = sizeof(*qual); return true; } *response_data = descs->qual; *response_length = descs->qual_len; return true; default: break; } break; default: break; } break; default: break; } return false; } typedef bool (*lookup_connect_out_response_t)(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done); static bool lookup_connect_response_out_generic(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done) { switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_SET_CONFIGURATION: *done = true; return true; default: break; } break; } return false; } static int vhci_open(void) { char path[1024]; snprintf(path, sizeof(path), "/dev/vhci%llu", procid); return open(path, O_RDWR); } static int vhci_setport(int fd, u_int port) { struct vhci_ioc_set_port args; args.port = port; return ioctl(fd, VHCI_IOC_SET_PORT, &args); } static int vhci_usb_attach(int fd) { return ioctl(fd, VHCI_IOC_USB_ATTACH, NULL); } static int vhci_usb_recv(int fd, void* buf, size_t size) { uint8_t* ptr = (uint8_t*)buf; while (1) { ssize_t done = read(fd, ptr, size); if (done < 0) return -1; if ((size_t)done == size) return 0; size -= done; ptr += done; } } static int vhci_usb_send(int fd, void* buf, size_t size) { uint8_t* ptr = (uint8_t*)buf; while (1) { ssize_t done = write(fd, ptr, size); if (done <= 0) return -1; if ((size_t)done == size) return 0; size -= done; ptr += done; } } static volatile long syz_usb_connect_impl(int fd, uint64_t speed, uint64_t dev_len, const char* dev, const struct vusb_connect_descriptors* descs, lookup_connect_out_response_t lookup_connect_response_out) { struct usb_device_index* index = add_usb_index(fd, dev, dev_len); if (!index) { return -1; } if (vhci_setport(fd, 1)) exit(1); if (vhci_usb_attach(fd)) { return -1; } bool done = false; while (!done) { vhci_request_t req; if (vhci_usb_recv(fd, &req, sizeof(req))) { return -1; } if (req.type != VHCI_REQ_CTRL) { return -1; } char* response_data = NULL; uint32_t response_length = 0; struct usb_qualifier_descriptor qual; char data[4096]; if (req.u.ctrl.bmRequestType & UE_DIR_IN) { if (!lookup_connect_response_in(fd, descs, (const struct usb_ctrlrequest*)&req.u.ctrl, &qual, &response_data, &response_length)) { return -1; } } else { if (!lookup_connect_response_out(fd, descs, (const struct usb_ctrlrequest*)&req.u.ctrl, &done)) { return -1; } response_data = NULL; response_length = UGETW(req.u.ctrl.wLength); } if ((req.u.ctrl.bmRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD && req.u.ctrl.bRequest == USB_REQ_SET_CONFIGURATION) { } if (response_length > sizeof(data)) response_length = 0; if ((uint32_t)UGETW(req.u.ctrl.wLength) < response_length) response_length = UGETW(req.u.ctrl.wLength); if (response_data) memcpy(data, response_data, response_length); else memset(data, 0, response_length); int rv = 0; if (req.u.ctrl.bmRequestType & UE_DIR_IN) { if (response_length > 0) { vhci_response_t res; res.size = response_length; rv = vhci_usb_send(fd, &res, sizeof(res)); if (rv == 0) rv = vhci_usb_send(fd, data, response_length); } } else { rv = vhci_usb_recv(fd, data, response_length); } if (rv < 0) { return -1; } } sleep_ms(200); return fd; } static volatile long syz_usb_connect(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { uint64_t speed = a0; uint64_t dev_len = a1; const char* dev = (const char*)a2; const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3; if (!dev) { return -1; } int fd = vhci_open(); if (fd < 0) exit(1); long res = syz_usb_connect_impl(fd, speed, dev_len, dev, descs, &lookup_connect_response_out_generic); close(fd); return res; } static volatile long syz_usb_disconnect(volatile long a0) { int fd = a0; int rv = close(fd); sleep_ms(200); return rv; } static void setup_fault(void) { if (chmod("/dev/fault", 0666)) exit(1); } static int inject_fault(int nth) { struct fault_ioc_enable en; int fd; fd = open("/dev/fault", O_RDWR); if (fd == -1) exit(1); en.scope = FAULT_SCOPE_LWP; en.mode = 0; en.nth = nth + 1; if (ioctl(fd, FAULT_IOC_ENABLE, &en) != 0) exit(1); return fd; } static void sandbox_common() { struct rlimit rlim; rlim.rlim_cur = rlim.rlim_max = 8 << 20; setrlimit(RLIMIT_MEMLOCK, &rlim); rlim.rlim_cur = rlim.rlim_max = 1 << 20; setrlimit(RLIMIT_FSIZE, &rlim); rlim.rlim_cur = rlim.rlim_max = 1 << 20; setrlimit(RLIMIT_STACK, &rlim); rlim.rlim_cur = rlim.rlim_max = 0; setrlimit(RLIMIT_CORE, &rlim); rlim.rlim_cur = rlim.rlim_max = 256; setrlimit(RLIMIT_NOFILE, &rlim); } static void loop(); static int do_sandbox_none(void) { sandbox_common(); loop(); return 0; } static long syz_execute_func(volatile long text) { ((void (*)(void))(text))(); return 0; } struct thread_t { int created, call; event_t ready, done; }; static struct thread_t threads[16]; static void execute_call(int call); static int running; static void* thr(void* arg) { struct thread_t* th = (struct thread_t*)arg; for (;;) { event_wait(&th->ready); event_reset(&th->ready); execute_call(th->call); __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED); event_set(&th->done); } return 0; } static void execute_one(void) { int i, call, thread; for (call = 0; call < 13; call++) { for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) { struct thread_t* th = &threads[thread]; if (!th->created) { th->created = 1; event_init(&th->ready); event_init(&th->done); event_set(&th->done); thread_start(thr, th); } if (!event_isset(&th->done)) continue; event_reset(&th->done); th->call = call; __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED); event_set(&th->ready); if (call == 1) break; event_timedwait(&th->done, 50 + (call == 11 ? 3000 : 0) + (call == 12 ? 300 : 0)); break; } } for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++) sleep_ms(1); } static void execute_one(void); #define WAIT_FLAGS 0 static void loop(void) { int iter = 0; for (;; iter++) { char cwdbuf[32]; sprintf(cwdbuf, "./%d", iter); if (mkdir(cwdbuf, 0777)) exit(1); int pid = fork(); if (pid < 0) exit(1); if (pid == 0) { if (chdir(cwdbuf)) exit(1); execute_one(); exit(0); } int status = 0; uint64_t start = current_time_ms(); for (;;) { if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) break; sleep_ms(1); if (current_time_ms() - start < 5000) continue; kill_and_wait(pid, &status); break; } remove_dir(cwdbuf); } } uint64_t r[2] = {0xffffffffffffffff, 0xffffffffffffffff}; void execute_call(int call) { intptr_t res = 0; switch (call) { case 0: memcpy((void*)0x20000000, "./file0\000", 8); *(uint64_t*)0x20000040 = 5; *(uint64_t*)0x20000048 = 6; inject_fault(1); syscall(SYS___utimes50, 0x20000000ul, 0x20000040ul); break; case 1: memcpy((void*)0x20000080, "./file0\000", 8); *(uint64_t*)0x20000180 = 5; syscall(SYS___getfh30, 0x20000080ul, 0x200000c0ul, 0x20000180ul); break; case 2: memcpy((void*)0x200001c0, "./file0\000", 8); res = syscall(SYS_open, 0x200001c0ul, 0x80ul, 0x100ul); { int i; for(i = 0; i < 4; i++) { syscall(SYS_open, 0x200001c0ul, 0x80ul, 0x100ul); } } if (res != -1) r[0] = res; break; case 3: *(uint64_t*)0x20000400 = 0x20000200; *(uint64_t*)0x20000408 = 0; *(uint64_t*)0x20000410 = 0x20000240; *(uint64_t*)0x20000418 = 0x2c; *(uint64_t*)0x20000420 = 0x20000280; *(uint64_t*)0x20000428 = 0xb2; *(uint64_t*)0x20000430 = 0x20000340; *(uint64_t*)0x20000438 = 0xb1; syscall(SYS_preadv, r[0], 0x20000400ul, 4ul, 6ul); break; case 4: memcpy((void*)0x20000440, "./file0\000", 8); res = syscall(SYS_open, 0x20000440ul, 0x1000000ul, 0ul); if (res != -1) r[1] = res; break; case 5: syscall(SYS_ioctl, r[1], 0x4004575ful, 0x20000480ul); break; case 6: *(uint64_t*)0x200005f8 = 0x200004c0; memcpy((void*)0x200004c0, "\x39\x56\xea\x18\x77\x15\xb3\x64\xf0\x78\xd2\x25\x29\x01\x0e\x88\x1c\x15\xc4\xac\x90\x5a\x9b\x74\x13\x77\xa2\x9b\x3f\x3f\xd0\x79\xdc\xb3\x1d\xd9\x07\x81\x05\x60\x5a\xb6\xc3\x35\x82\xb0\x4e\xcd\x1c\x5a\x5a\xbd\xa9\xa0\x69\xcf\xfc\x19\xb6\x23\xcc\x7e\x6c\xa3\x0e\xa6\x44\xaf\x2f\x9f\xf3\xf0\x41\x48\x5f\x48\xd1\xb5\xf6\xed\x02\x35\x46\x8e\x74\x1f\x36\x34\xe6\xed\xa3\x58\xc8\xf7\x35\x24\x73\xf5\xce\x3b\x37\xd5\xd9\x1e\xd2\x9d\x5a\x2a\x2e\x99\xc6\x24\xae\x17\xd1\x3e\x54\xa4\x03\xf2\xb1\x79\xe4\x3a\xc2\x81\xc4\x24\x69\x74\x15\x1f\xbc\xb7\x92\x20\x04\x7b\x01\x74\xdd\x32\x36\x78\x4c\x58\x1a\x21\xe2\x29\xa7\x1f\x22\x83\xfd\x0b\xb1\x81\x0c\xc5\x54\xda\x71\xc7\x21\xa7\xdf\x2f\x74\xdc\x3b\x6b\xaa\xe1\x63\x5c\x72\xad\x1a\x07\xdf\xe6\x55\xcd\xf7\xe5\x27\x74\xef\x46\xb5\x37\x2d\x0f\xa1\xca\xd8\xa2\x88\xa7\x4d\x34\x96\x4d\xb9\x67\x60\xe2\xcf\x85\x86\xf2\xea\x7d\xad", 215); syscall(SYS_compat_14_shmctl, 0, 2ul, 0x200005c0ul); break; case 7: memcpy((void*)0x20000600, "./file0\000", 8); syscall(SYS_fchmodat, r[0], 0x20000600ul, 0x800ul, 0x500ul); break; case 8: memcpy((void*)0x20000640, "./file0\000", 8); *(uint64_t*)0x20000740 = 0x48000; syscall(SYS___getfh30, 0x20000640ul, 0x20000680ul, 0x20000740ul); break; case 9: syscall(SYS_recvfrom, r[0], 0x20000780ul, 0x7ful, 0x9080ul, 0ul, 0ul); break; case 10: memcpy((void*)0x200000c0, "\xc4\x21\x7d\x28\x00\x67\x36\x42\xd9\xf6\xc4\xa1\xd4\x5e\x7b\xf2\xc4\x41\x71\xd3\x0e\xc4\x62\xa1\x04\xd5\x66\x0f\x6e\x56\x00\x42\x0f\x01\xee\xc4\x21\x4d\x67\x56\x0e\xd8\xb0\xdf\x1c\xc1\xf1\xc4\xe1\x7e\xe6\x4c\x5b\x06", 54); syz_execute_func(0x200000c0); break; case 11: *(uint8_t*)0x20000140 = 0x12; *(uint8_t*)0x20000141 = 1; *(uint16_t*)0x20000142 = 0x201; *(uint8_t*)0x20000144 = 0; *(uint8_t*)0x20000145 = 0; *(uint8_t*)0x20000146 = 0; *(uint8_t*)0x20000147 = 0x10; *(uint16_t*)0x20000148 = 0; *(uint16_t*)0x2000014a = 0; *(uint16_t*)0x2000014c = 0; *(uint8_t*)0x2000014e = 1; *(uint8_t*)0x2000014f = 2; *(uint8_t*)0x20000150 = 3; *(uint8_t*)0x20000151 = 1; *(uint8_t*)0x20000152 = 9; *(uint8_t*)0x20000153 = 2; *(uint16_t*)0x20000154 = 0x5aa; *(uint8_t*)0x20000156 = 1; *(uint8_t*)0x20000157 = 0; *(uint8_t*)0x20000158 = 0x4d; *(uint8_t*)0x20000159 = 0; *(uint8_t*)0x2000015a = 5; *(uint8_t*)0x2000015b = 9; *(uint8_t*)0x2000015c = 4; *(uint8_t*)0x2000015d = 0x7f; *(uint8_t*)0x2000015e = 2; *(uint8_t*)0x2000015f = 0x10; *(uint8_t*)0x20000160 = 0; *(uint8_t*)0x20000161 = 0; *(uint8_t*)0x20000162 = 0; *(uint8_t*)0x20000163 = 0x1f; *(uint8_t*)0x20000164 = 0xa; *(uint8_t*)0x20000165 = 0x24; *(uint8_t*)0x20000166 = 6; *(uint8_t*)0x20000167 = 0; *(uint8_t*)0x20000168 = 1; memcpy((void*)0x20000169, "\xc3\x1c\xa1\x66\x5e", 5); *(uint8_t*)0x2000016e = 5; *(uint8_t*)0x2000016f = 0x24; *(uint8_t*)0x20000170 = 0; *(uint16_t*)0x20000171 = 6; *(uint8_t*)0x20000173 = 0xd; *(uint8_t*)0x20000174 = 0x24; *(uint8_t*)0x20000175 = 0xf; *(uint8_t*)0x20000176 = 1; *(uint32_t*)0x20000177 = 0xfffffe01; *(uint16_t*)0x2000017b = 0x7fff; *(uint16_t*)0x2000017d = 0xfe01; *(uint8_t*)0x2000017f = 1; *(uint8_t*)0x20000180 = 6; *(uint8_t*)0x20000181 = 0x24; *(uint8_t*)0x20000182 = 0x1a; *(uint16_t*)0x20000183 = 0x101; *(uint8_t*)0x20000185 = 0; *(uint8_t*)0x20000186 = 6; *(uint8_t*)0x20000187 = 0x24; *(uint8_t*)0x20000188 = 7; *(uint8_t*)0x20000189 = 0xfd; *(uint16_t*)0x2000018a = 0x1000; *(uint8_t*)0x2000018c = 4; *(uint8_t*)0x2000018d = 0x24; *(uint8_t*)0x2000018e = 2; *(uint8_t*)0x2000018f = 0xf; *(uint8_t*)0x20000190 = 5; *(uint8_t*)0x20000191 = 0x24; *(uint8_t*)0x20000192 = 1; *(uint8_t*)0x20000193 = 3; *(uint8_t*)0x20000194 = 0xd0; *(uint8_t*)0x20000195 = 7; *(uint8_t*)0x20000196 = 0x24; *(uint8_t*)0x20000197 = 0x14; *(uint16_t*)0x20000198 = 5; *(uint16_t*)0x2000019a = 9; *(uint8_t*)0x2000019c = 0xba; *(uint8_t*)0x2000019d = 0xb; memcpy((void*)0x2000019e, "\xfe\x82\xf4\x12\xbd\xe1\x3c\xfe\x9a\x7c\x58\x42\x8c\xb9\xc3\xa0\x85\x52\x8b\x59\x21\x05\x45\x97\x3b\xdc\x2a\xa0\xc2\x11\x53\xe7\x1c\x9f\x06\x5b\xbe\xf1\x10\xef\x76\x91\x1a\xe1\x4a\x69\x05\x0c\x92\x64\x04\x46\x79\x9f\xa1\xdc\x7a\xa0\xc2\x43\xc2\x15\xb0\xaf\xa1\x30\x99\x00\xf0\xbe\x31\x1c\x82\x59\xdb\x41\x22\xe4\x79\xaa\x52\x91\xed\x38\xba\x4b\x00\xce\x42\x69\x3f\x27\x39\x52\x16\x81\x81\x97\x27\x63\x35\xcc\x1c\x97\x75\x50\xda\x0a\x1f\x62\x51\x9c\x18\x4c\x22\x8c\x94\xbc\xc6\x3e\x4b\xda\x51\xb0\xde\xed\xcd\x99\xe2\x68\x44\xea\x31\x95\x31\x03\x14\x2c\x05\xbb\x4f\x68\x26\x37\x71\xca\x79\x1a\xcf\xb8\xe6\xf1\xb7\xe1\xc8\xc6\xb4\x7a\x72\x90\xee\x50\xa6\xd9\xd6\xc6\x4f\x7e\x20\x18\xc6\x2b\xd4\x5d\x9d\x93\x26\x86\x1a\x01\xe0\x59\x30\x26", 184); *(uint8_t*)0x20000256 = 9; *(uint8_t*)0x20000257 = 5; *(uint8_t*)0x20000258 = 9; *(uint8_t*)0x20000259 = 0x10; *(uint16_t*)0x2000025a = 0xbf7; *(uint8_t*)0x2000025c = 0x80; *(uint8_t*)0x2000025d = 3; *(uint8_t*)0x2000025e = 0x80; *(uint8_t*)0x2000025f = 7; *(uint8_t*)0x20000260 = 0x25; *(uint8_t*)0x20000261 = 1; *(uint8_t*)0x20000262 = 1; *(uint8_t*)0x20000263 = 0x81; *(uint16_t*)0x20000264 = 0xb6; *(uint8_t*)0x20000266 = 9; *(uint8_t*)0x20000267 = 5; *(uint8_t*)0x20000268 = 5; *(uint8_t*)0x20000269 = 3; *(uint16_t*)0x2000026a = 0x20; *(uint8_t*)0x2000026c = 5; *(uint8_t*)0x2000026d = 8; *(uint8_t*)0x2000026e = 0xf5; *(uint8_t*)0x2000026f = 7; *(uint8_t*)0x20000270 = 0x25; *(uint8_t*)0x20000271 = 1; *(uint8_t*)0x20000272 = 3; *(uint8_t*)0x20000273 = 0x81; *(uint16_t*)0x20000274 = 5; *(uint8_t*)0x20000276 = 9; *(uint8_t*)0x20000277 = 5; *(uint8_t*)0x20000278 = 3; *(uint8_t*)0x20000279 = 1; *(uint16_t*)0x2000027a = 0x40; *(uint8_t*)0x2000027c = 0x1f; *(uint8_t*)0x2000027d = 2; *(uint8_t*)0x2000027e = 0; *(uint8_t*)0x2000027f = 7; *(uint8_t*)0x20000280 = 0x25; *(uint8_t*)0x20000281 = 1; *(uint8_t*)0x20000282 = 0; *(uint8_t*)0x20000283 = 3; *(uint16_t*)0x20000284 = 0x8001; *(uint8_t*)0x20000286 = 7; *(uint8_t*)0x20000287 = 0x25; *(uint8_t*)0x20000288 = 1; *(uint8_t*)0x20000289 = 3; *(uint8_t*)0x2000028a = 0x74; *(uint16_t*)0x2000028b = 4; *(uint8_t*)0x2000028d = 9; *(uint8_t*)0x2000028e = 5; *(uint8_t*)0x2000028f = 6; *(uint8_t*)0x20000290 = 4; *(uint16_t*)0x20000291 = 0x20; *(uint8_t*)0x20000293 = 0xc3; *(uint8_t*)0x20000294 = 4; *(uint8_t*)0x20000295 = 0x30; *(uint8_t*)0x20000296 = 7; *(uint8_t*)0x20000297 = 0x25; *(uint8_t*)0x20000298 = 1; *(uint8_t*)0x20000299 = 0x80; *(uint8_t*)0x2000029a = 0; *(uint16_t*)0x2000029b = 1; *(uint8_t*)0x2000029d = 0x9e; *(uint8_t*)0x2000029e = 0x21; memcpy((void*)0x2000029f, "\x1a\x03\x80\xc0\x7a\xcd\x29\x03\x33\x3b\x9e\xe1\xa7\x34\x21\xf8\x89\x15\xa3\x93\x9a\x28\xa2\xa2\x1a\x53\xbe\x2e\xa9\x07\xf7\x3f\x40\x51\x3c\xd6\x0a\x48\x4a\x95\x15\x53\x48\xfd\x7c\xd7\x92\x87\x96\x33\x50\x66\xc5\x4f\xa2\x73\x65\x5e\xed\x76\x35\x77\xef\xa8\x06\xa4\x89\xed\x9e\xe1\x47\x3c\xe8\x5f\x42\x0c\x0c\x52\x77\x64\xae\xfd\xd8\x8e\x11\x6c\xa3\x38\xe9\x20\xce\xa4\x64\x5f\xa6\x00\x5f\xec\xea\x1a\xb9\xcf\xc4\xaa\x74\xfe\xe4\xf5\x51\x92\xf6\x12\xd9\x8f\xd9\x6c\xb5\x40\x41\x52\xc5\xd3\x52\x11\x88\x53\xa9\xf7\x02\x6a\x95\xe6\xdd\xd1\x9c\x24\xdf\x1a\x2f\x9a\xb2\x47\xef\x37\xa0\x63\xb2\xed\x77\x37\x55\xb9\x76\x6a\x0a\x47", 156); *(uint8_t*)0x2000033b = 9; *(uint8_t*)0x2000033c = 5; *(uint8_t*)0x2000033d = 0; *(uint8_t*)0x2000033e = 0xc; *(uint16_t*)0x2000033f = 0x400; *(uint8_t*)0x20000341 = 2; *(uint8_t*)0x20000342 = 0x7b; *(uint8_t*)0x20000343 = 0x27; *(uint8_t*)0x20000344 = 7; *(uint8_t*)0x20000345 = 0x25; *(uint8_t*)0x20000346 = 1; *(uint8_t*)0x20000347 = 0x80; *(uint8_t*)0x20000348 = 8; *(uint16_t*)0x20000349 = 8; *(uint8_t*)0x2000034b = 7; *(uint8_t*)0x2000034c = 0x25; *(uint8_t*)0x2000034d = 1; *(uint8_t*)0x2000034e = 0x81; *(uint8_t*)0x2000034f = 0x40; *(uint16_t*)0x20000350 = 0x1f; *(uint8_t*)0x20000352 = 9; *(uint8_t*)0x20000353 = 5; *(uint8_t*)0x20000354 = 0x80; *(uint8_t*)0x20000355 = 8; *(uint16_t*)0x20000356 = 8; *(uint8_t*)0x20000358 = 0; *(uint8_t*)0x20000359 = 6; *(uint8_t*)0x2000035a = 0; *(uint8_t*)0x2000035b = 9; *(uint8_t*)0x2000035c = 5; *(uint8_t*)0x2000035d = 0xc; *(uint8_t*)0x2000035e = 0; *(uint16_t*)0x2000035f = 0x200; *(uint8_t*)0x20000361 = 0x7f; *(uint8_t*)0x20000362 = 8; *(uint8_t*)0x20000363 = 8; *(uint8_t*)0x20000364 = 7; *(uint8_t*)0x20000365 = 0x25; *(uint8_t*)0x20000366 = 1; *(uint8_t*)0x20000367 = 0x42; *(uint8_t*)0x20000368 = 0; *(uint16_t*)0x20000369 = 3; *(uint8_t*)0x2000036b = 9; *(uint8_t*)0x2000036c = 5; *(uint8_t*)0x2000036d = 6; *(uint8_t*)0x2000036e = 1; *(uint16_t*)0x2000036f = 0x10; *(uint8_t*)0x20000371 = 0x7f; *(uint8_t*)0x20000372 = 6; *(uint8_t*)0x20000373 = 0x20; *(uint8_t*)0x20000374 = 0x3e; *(uint8_t*)0x20000375 = 0x24; memcpy((void*)0x20000376, "\x32\x79\xe6\x8b\x31\x07\xce\x57\xe9\x3f\x9b\x3d\x33\x6f\xef\xa9\xde\x17\x9b\x08\x50\x5c\x0e\xdd\x9e\xdf\x73\x39\x46\x60\x85\x55\x4d\x34\xe4\x57\x1b\x47\x0f\x40\xaa\xcb\x1c\x79\x14\x0c\x88\xfc\xe1\x78\x73\xe9\xa6\x06\xd0\xd0\xae\x19\x13\x06", 60); *(uint8_t*)0x200003b2 = 0x19; *(uint8_t*)0x200003b3 = 0x23; memcpy((void*)0x200003b4, "\xa5\xc0\xa8\x92\xc2\xb9\x5a\x22\x7d\xc6\x62\x3c\x0b\x74\x31\x0c\x15\x5d\x86\x2f\x23\x9e\x16", 23); *(uint8_t*)0x200003cb = 9; *(uint8_t*)0x200003cc = 5; *(uint8_t*)0x200003cd = 1; *(uint8_t*)0x200003ce = 0; *(uint16_t*)0x200003cf = 0x20; *(uint8_t*)0x200003d1 = 2; *(uint8_t*)0x200003d2 = 0x81; *(uint8_t*)0x200003d3 = 0x40; *(uint8_t*)0x200003d4 = 0xe6; *(uint8_t*)0x200003d5 = 0x30; memcpy((void*)0x200003d6, "\x5d\xc5\x26\x38\x6b\x6e\x27\x4c\xe9\xc0\x60\x65\x6d\xd7\x56\xe8\xd6\xba\xe3\xde\x5b\x6d\x89\x9a\xdd\x11\x5e\x5c\x83\x59\xa1\x47\xfc\x3b\x46\x30\x11\x4b\x01\x7f\xe4\xe9\xd7\xc9\xf9\x2e\x32\xd1\x98\x8c\x0c\xcb\x1e\xd7\x62\x11\x14\xfa\x2c\x22\x52\x80\xef\x03\x02\x4e\x75\xe1\xfa\xe3\xe6\x46\xff\xe7\x1a\x41\x7a\xfe\xdc\xdc\x06\x1e\xba\x0b\x1d\xfa\x91\xec\x7a\xe5\xaa\x5f\x96\xe1\x5c\x4c\x72\xff\x5f\xb5\x7f\x50\x33\xf1\xfc\x1c\x99\xb8\xee\x55\x02\xc3\x21\x7a\x11\x23\xb5\xc0\xdf\x2d\xd8\x57\x4e\xa1\xa5\x4f\xe1\x1e\x8e\x3a\xa5\x70\xa9\x3c\xb2\x0c\xee\xf3\xf3\xb3\xb5\x34\x3b\x0a\xf5\xca\xe6\xd0\x5f\x2b\xf9\x04\x4d\x71\xb2\xc3\xab\xf2\x77\x62\x9b\xcc\x88\x7b\x30\x86\xa1\xd6\x91\x24\x3f\x2c\xa2\xb1\x5d\x63\x88\xa7\x48\xf3\x0b\x9b\xa3\xbc\x4d\x47\x3d\xc2\x8c\x19\x6c\x2e\xbd\x24\x4e\x8a\xf6\x9d\x1a\x6d\x4d\xef\x0e\xca\x62\xe1\xa8\x07\xd4\xcf\xc5\xac\x9a\xe2\x75\x60\x14\x9a\x86\x9e\xaf\x4e\x46\xa7\xfd\xc7\x03\x75", 228); *(uint8_t*)0x200004ba = 9; *(uint8_t*)0x200004bb = 5; *(uint8_t*)0x200004bc = 0; *(uint8_t*)0x200004bd = 8; *(uint16_t*)0x200004be = 0x400; *(uint8_t*)0x200004c0 = 0x1f; *(uint8_t*)0x200004c1 = 0xe5; *(uint8_t*)0x200004c2 = 1; *(uint8_t*)0x200004c3 = 0xd8; *(uint8_t*)0x200004c4 = 2; memcpy((void*)0x200004c5, "\x3b\xe1\x77\x95\x19\x82\x5a\x94\xf8\x78\x6d\x27\xa3\x0f\x8b\xff\xd7\x37\x97\xba\x27\x4d\xc1\xf2\x1d\xb7\xc9\x16\x92\xbf\xf3\xa9\x45\x69\x78\x71\x2d\x40\xe5\xe6\x93\x61\x59\xb1\x74\xf7\x62\x12\x04\x3d\x5f\x7d\xac\x45\x57\x42\x35\xde\x47\x73\xcf\x1c\x00\xaa\xa9\xd0\x4d\x86\x33\x1f\xe2\x61\xd5\xa5\x7a\xf8\x6e\xd9\x7c\xa3\x05\xaf\x1e\x33\x46\xea\x1b\xbb\x85\x1e\x81\x36\x32\xd2\xe6\x9e\xc0\x41\x10\xce\xfc\x29\xae\x7d\xbc\x2a\x57\x99\xf9\xcf\x8c\xe3\x98\xb5\x3c\x1f\x72\x57\x83\x2c\x7f\xc4\xcd\x89\xf0\x52\x56\x1f\xb2\x68\x35\xf9\x09\x70\xe9\x7f\xcf\x52\xae\xa2\xdd\xa0\xd7\x2f\xd1\x05\x0a\x98\x2b\x5a\xfb\xd9\x4f\x73\xcb\x50\x5b\x75\x33\xf8\xde\xd2\xe5\xcf\xb6\xd8\x7c\xe6\xef\x2d\x36\x97\x54\xcb\x9d\x76\x36\x21\x81\xe6\xb7\xc0\x8e\x86\x8a\x8b\xb6\x83\x7f\xeb\x00\xa4\x19\x20\x93\xff\x80\x33\xaa\x63\x71\xeb\x02\x22\xff\x0b\x4c\xe7\x33\x7b\x40\xd2\x30\x39", 214); *(uint8_t*)0x2000059b = 0xb0; *(uint8_t*)0x2000059c = 4; memcpy((void*)0x2000059d, "\x53\x77\xb0\xa3\xd6\xfa\xbe\x2b\xe4\x86\x71\x00\x49\xd6\x51\x4c\x7a\xad\xcd\x0d\x30\xdb\x7f\x39\xc5\xe1\x43\xb8\x21\x6b\x9b\xbe\x9e\xb3\xed\x55\xce\x71\x02\x6b\x96\xff\x08\xeb\x3b\x05\x7e\x8d\x62\x83\xe6\x56\x86\x38\x3e\xab\x45\x13\xee\x1b\xf6\x34\x8a\xdf\x1b\xff\x30\xe3\x4d\xf4\x41\x57\x70\x5f\x08\x43\xad\x96\xa2\x90\x5b\x4d\x6e\xf0\xb8\x1f\x89\x70\x8b\xa1\xb3\xaf\x11\x3d\x5c\x16\xf6\xd5\x3c\xf3\x86\x82\x91\x4f\x18\x16\xe1\x41\xb0\xa5\x1d\x38\x71\x04\x50\xa2\xc5\xf0\xc5\x98\x7c\xa7\x87\x0d\x11\xe9\x20\xbb\xc2\x3d\x03\x6a\x1d\xf5\x89\x2f\xc0\xd5\x9f\x63\x79\xee\xbf\xcc\xaf\xf8\xfc\x1c\xc5\x69\x6f\x43\x25\xe9\xc3\xec\x3c\xa2\x9b\x78\xb4\x76\xba\x61\xaf\x6b\x51\x43\xf0\x0f\x39\x4a\xe2\xa5", 174); *(uint8_t*)0x2000064b = 9; *(uint8_t*)0x2000064c = 5; *(uint8_t*)0x2000064d = 1; *(uint8_t*)0x2000064e = 0x10; *(uint16_t*)0x2000064f = 0x3ff; *(uint8_t*)0x20000651 = 9; *(uint8_t*)0x20000652 = 6; *(uint8_t*)0x20000653 = 9; *(uint8_t*)0x20000654 = 9; *(uint8_t*)0x20000655 = 5; *(uint8_t*)0x20000656 = 6; *(uint8_t*)0x20000657 = 0; *(uint16_t*)0x20000658 = 0x3ff; *(uint8_t*)0x2000065a = 0x1f; *(uint8_t*)0x2000065b = 6; *(uint8_t*)0x2000065c = 7; *(uint8_t*)0x2000065d = 9; *(uint8_t*)0x2000065e = 5; *(uint8_t*)0x2000065f = 0x80; *(uint8_t*)0x20000660 = 0xc; *(uint16_t*)0x20000661 = 0x400; *(uint8_t*)0x20000663 = 2; *(uint8_t*)0x20000664 = 8; *(uint8_t*)0x20000665 = 6; *(uint8_t*)0x20000666 = 9; *(uint8_t*)0x20000667 = 5; *(uint8_t*)0x20000668 = 4; *(uint8_t*)0x20000669 = 2; *(uint16_t*)0x2000066a = 8; *(uint8_t*)0x2000066c = 0x3f; *(uint8_t*)0x2000066d = 0; *(uint8_t*)0x2000066e = 9; *(uint8_t*)0x2000066f = 0x7b; *(uint8_t*)0x20000670 = 7; memcpy((void*)0x20000671, "\xfa\xaf\xe1\x39\xe2\xc2\x6d\x2a\x37\xc4\xbd\x0f\x57\x0b\xe6\xf1\xaf\xe1\xe7\xdd\x31\x29\xbb\x4e\x93\xe1\xd9\x1f\xec\xda\x52\x92\xb1\xb8\x68\xe1\x46\x7f\x14\xd9\x9b\xb5\xd8\xa9\xea\xf4\xb5\x85\xce\x93\x9b\x3b\xe9\x55\x37\x63\x7d\x10\xa5\xc3\x1b\x79\x11\x61\x02\x5f\xb0\x3a\x9f\x97\xcb\xaf\x12\xc2\xd3\xfa\x96\x90\x62\xfd\xa6\x25\x22\x6a\x78\x44\xfc\x5d\xd3\xf7\x79\x06\x30\x35\xac\xe5\xc8\x37\xde\x73\x1f\x2d\x74\x20\xf5\x34\xb5\xf8\xab\xba\x9a\x74\x9a\x25\x44\x43\x4a\x21\xde\x8c\x68", 121); *(uint8_t*)0x200006ea = 9; *(uint8_t*)0x200006eb = 5; *(uint8_t*)0x200006ec = 0xe; *(uint8_t*)0x200006ed = 0x10; *(uint16_t*)0x200006ee = 8; *(uint8_t*)0x200006f0 = 1; *(uint8_t*)0x200006f1 = 1; *(uint8_t*)0x200006f2 = 0x95; *(uint8_t*)0x200006f3 = 9; *(uint8_t*)0x200006f4 = 5; *(uint8_t*)0x200006f5 = 8; *(uint8_t*)0x200006f6 = 8; *(uint16_t*)0x200006f7 = 0x40; *(uint8_t*)0x200006f9 = 4; *(uint8_t*)0x200006fa = 5; *(uint8_t*)0x200006fb = 0; *(uint32_t*)0x20000900 = 0xa; *(uint64_t*)0x20000904 = 0x20000700; *(uint8_t*)0x20000700 = 0xa; *(uint8_t*)0x20000701 = 6; *(uint16_t*)0x20000702 = 0x50; *(uint8_t*)0x20000704 = 0x14; *(uint8_t*)0x20000705 = 0x28; *(uint8_t*)0x20000706 = 6; *(uint8_t*)0x20000707 = 0x28; *(uint8_t*)0x20000708 = 9; *(uint8_t*)0x20000709 = 0; *(uint32_t*)0x2000090c = 0x51; *(uint64_t*)0x20000910 = 0x20000740; *(uint8_t*)0x20000740 = 5; *(uint8_t*)0x20000741 = 0xf; *(uint16_t*)0x20000742 = 0x51; *(uint8_t*)0x20000744 = 6; *(uint8_t*)0x20000745 = 3; *(uint8_t*)0x20000746 = 0x10; *(uint8_t*)0x20000747 = 0xb; *(uint8_t*)0x20000748 = 3; *(uint8_t*)0x20000749 = 0x10; *(uint8_t*)0x2000074a = 0xb; *(uint8_t*)0x2000074b = 0xb; *(uint8_t*)0x2000074c = 0x10; *(uint8_t*)0x2000074d = 1; *(uint8_t*)0x2000074e = 8; *(uint16_t*)0x2000074f = 0x10; *(uint8_t*)0x20000751 = -1; *(uint8_t*)0x20000752 = 6; *(uint16_t*)0x20000753 = 0x1000; *(uint8_t*)0x20000755 = 0x40; *(uint8_t*)0x20000756 = 0x14; *(uint8_t*)0x20000757 = 0x10; *(uint8_t*)0x20000758 = 4; *(uint8_t*)0x20000759 = 0; memcpy((void*)0x2000075a, "\xc1\x6e\xe1\x67\xa2\xc7\x69\x4c\xf8\xe1\xbb\x43\xa9\x0f\xfc\x24", 16); *(uint8_t*)0x2000076a = 0x24; *(uint8_t*)0x2000076b = 0x10; *(uint8_t*)0x2000076c = 0xa; *(uint8_t*)0x2000076d = -1; STORE_BY_BITMASK(uint32_t, , 0x2000076e, 6, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x2000076e, 0x400, 5, 27); *(uint16_t*)0x20000772 = 0xf88f; *(uint16_t*)0x20000774 = 0xfffa; *(uint32_t*)0x20000776 = 0; *(uint32_t*)0x2000077a = 0xc0c0; *(uint32_t*)0x2000077e = 0x60; *(uint32_t*)0x20000782 = 0xff3f00; *(uint32_t*)0x20000786 = 0xfff0; *(uint32_t*)0x2000078a = 0xff0000; *(uint8_t*)0x2000078e = 3; *(uint8_t*)0x2000078f = 0x10; *(uint8_t*)0x20000790 = 0xb; *(uint32_t*)0x20000918 = 2; *(uint32_t*)0x2000091c = 0xd8; *(uint64_t*)0x20000920 = 0x200007c0; *(uint8_t*)0x200007c0 = 0xd8; *(uint8_t*)0x200007c1 = 3; memcpy((void*)0x200007c2, "\xe4\xe5\x19\x94\x18\x62\x35\xf6\xdd\x68\x5b\x5a\xf9\xc7\x90\xd2\xc6\xac\x3b\x9c\x71\xac\xc8\xbe\x67\x68\x9e\x27\xdb\xea\x32\xef\xfd\xb2\xe6\x8b\x21\x87\x51\x72\xf6\x56\xee\x58\xca\x78\x2e\x43\xca\x10\x8c\x5e\xd0\xf6\xb3\x66\x62\x49\xb1\x03\x51\x8f\x49\xbf\xe2\xcd\x20\x1b\x7b\xa8\x16\xc3\x44\xf3\xe2\x40\xd8\x1e\x0c\xce\xe4\xc1\x1f\xb8\x60\xc6\x1f\x7b\xe1\xab\xaf\x0b\x22\x34\x30\x09\x17\x4c\x7c\xdf\x9d\xde\xc7\x03\x12\x42\x85\x4a\x0e\x95\x7f\x6b\x85\xe0\xc4\xee\xf6\x64\x30\x22\xa8\xd9\x60\xc0\x72\x0f\x8a\x63\x28\xf7\xff\xd7\x6f\x08\xec\x6a\x4c\x5a\x8b\xcd\x4e\xca\x63\xcd\xaf\x03\xd2\x45\xca\xe2\x84\xcf\x01\xfa\x3a\x58\x1d\xef\x6e\x67\xef\xdf\xce\x67\x91\x00\xdc\x6d\x9e\x7e\x3b\x8f\x8a\xed\xdf\xab\xae\xf5\xfe\x47\x91\x23\xd0\xd0\xbb\x2f\x8e\xf7\xce\xcd\x3f\xc1\x8b\x19\xa7\x24\x3b\x71\x8d\xd2\x7f\xb2\x68\x7c\xcb\x8a\xcf\xde\xb7\x41\xcd\x73\x17\xc0", 214); *(uint32_t*)0x20000928 = 4; *(uint64_t*)0x2000092c = 0x200008c0; *(uint8_t*)0x200008c0 = 4; *(uint8_t*)0x200008c1 = 3; *(uint16_t*)0x200008c2 = 0x414; syz_usb_connect(0, 0x5bc, 0x20000140, 0x20000900); break; case 12: syz_usb_disconnect(-1); break; } } int main(void) { syscall(SYS_mmap, 0x20000000ul, 0x1000000ul, 3ul, 0x1012ul, -1, 0ul, 0ul); setup_fault(); use_temporary_dir(); do_sandbox_none(); return 0; } compiler invocation: /syzkaller/shared/netbsd/tools/bin/x86_64--netbsd-g++ [-o /tmp/syz-executor3214078431 -DGOOS_netbsd=1 -DGOARCH_amd64=1 -DHOSTGOOS_linux=1 -x c - -m64 --sysroot /syzkaller/shared/netbsd/dest/ -O2 -pthread -Wall -Werror -Wparentheses -Wframe-larger-than=16384] --- FAIL: TestGenerate/netbsd/amd64/12 (0.26s) csource_test.go:150: opts: {Threaded:true Repeat:true RepeatTimes:0 Procs:0 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false UseTmpDir:false HandleSegv:false Repro:false Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}} program: __utimes50(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)={0x5, 0x6}) (fail_nth: 1) __getfh30(&(0x7f0000000080)='./file0\x00', &(0x7f00000000c0)=""/164, &(0x7f0000000180)=0x5) (async) r0 = open(&(0x7f00000001c0)='./file0\x00', 0x80, 0x100) (rerun: 4) preadv(r0, &(0x7f0000000400)=[{&(0x7f0000000200)}, {&(0x7f0000000240)=""/44, 0x2c}, {&(0x7f0000000280)=""/178, 0xb2}, {&(0x7f0000000340)=""/177, 0xb1}], 0x4, 0x6) r1 = open(&(0x7f0000000440)='./file0\x00', 0x1000000, 0x0) ioctl$WSDISPLAYIO_LINEBYTES(r1, 0x4004575f, &(0x7f0000000480)) compat_14_shmctl$IPC_STAT(0x0, 0x2, &(0x7f00000005c0)={{}, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f00000004c0)="3956ea187715b364f078d22529010e881c15c4ac905a9b741377a29b3f3fd079dcb31dd9078105605ab6c33582b04ecd1c5a5abda9a069cffc19b623cc7e6ca30ea644af2f9ff3f041485f48d1b5f6ed0235468e741f3634e6eda358c8f7352473f5ce3b37d5d91ed29d5a2a2e99c624ae17d13e54a403f2b179e43ac281c4246974151fbcb79220047b0174dd3236784c581a21e229a71f2283fd0bb1810cc554da71c721a7df2f74dc3b6baae1635c72ad1a07dfe655cdf7e52774ef46b5372d0fa1cad8a288a74d34964db96760e2cf8586f2ea7dad"}) fchmodat(r0, &(0x7f0000000600)='./file0\x00', 0x800, 0x500) __getfh30(&(0x7f0000000640)='./file0\x00', &(0x7f0000000680)=""/173, &(0x7f0000000740)=0x48000) recvfrom$unix(r0, &(0x7f0000000780)=""/127, 0x7f, 0x9080, 0x0, 0x0) syz_emit_ethernet(0xa8, &(0x7f0000000000)="7cdc7f3d7523bc457cc7061f4218d205a9121313b3382a24390756c28e681e8ae64f9faefb9773a6088d8507b9f588abff90ed553d01e60af1ce4d9db1ae174c74afd76b975ec8e14ed2ecf1ea152061fe82fe634d1d1d20bfd25ca07d9ce4531e9c745c512bd468865e81abeaffeae134bea52451f13a61092e1d81780479ec9ce32bde5b1f03166d656fa34cd18fc1fbd00b1632fbd99d303f0c69398bc4dae4c54a53cb9abee5") syz_execute_func(&(0x7f00000000c0)="c4217d2800673642d9f6c4a1d45e7bf2c44171d30ec462a104d5660f6e5600420f01eec4214d67560ed8b0df1cc1f1c4e17ee64c5b06") syz_extract_tcp_res(&(0x7f0000000100), 0x0, 0x8) syz_usb_connect(0x0, 0x5bc, &(0x7f0000000140)={{0x12, 0x1, 0x201, 0x0, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x5aa, 0x1, 0x0, 0x4d, 0x0, 0x5, [{{0x9, 0x4, 0x7f, 0x2, 0x10, 0x0, 0x0, 0x0, 0x1f, [@cdc_ncm={{0xa, 0x24, 0x6, 0x0, 0x1, "c31ca1665e"}, {0x5, 0x24, 0x0, 0x6}, {0xd, 0x24, 0xf, 0x1, 0xfffffe01, 0x7fff, 0xfe01, 0x1}, {0x6, 0x24, 0x1a, 0x101}, [@country_functional={0x6, 0x24, 0x7, 0xfd, 0x1000}, @acm={0x4, 0x24, 0x2, 0xf}, @call_mgmt={0x5, 0x24, 0x1, 0x3, 0xd0}, @dmm={0x7, 0x24, 0x14, 0x5, 0x9}]}, @generic={0xba, 0xb, "fe82f412bde13cfe9a7c58428cb9c3a085528b59210545973bdc2aa0c21153e71c9f065bbef110ef76911ae14a69050c92640446799fa1dc7aa0c243c215b0afa1309900f0be311c8259db4122e479aa5291ed38ba4b00ce42693f27395216818197276335cc1c977550da0a1f62519c184c228c94bcc63e4bda51b0deedcd99e26844ea31953103142c05bb4f68263771ca791acfb8e6f1b7e1c8c6b47a7290ee50a6d9d6c64f7e2018c62bd45d9d9326861a01e0593026"}], [{{0x9, 0x5, 0x9, 0x10, 0xbf7, 0x80, 0x3, 0x80, [@uac_iso={0x7, 0x25, 0x1, 0x1, 0x81, 0xb6}]}}, {{0x9, 0x5, 0x5, 0x3, 0x20, 0x5, 0x8, 0xf5, [@uac_iso={0x7, 0x25, 0x1, 0x3, 0x81, 0x5}]}}, {{0x9, 0x5, 0x3, 0x1, 0x40, 0x1f, 0x2, 0x0, [@uac_iso={0x7, 0x25, 0x1, 0x0, 0x3, 0x8001}, @uac_iso={0x7, 0x25, 0x1, 0x3, 0x74, 0x4}]}}, {{0x9, 0x5, 0x6, 0x4, 0x20, 0xc3, 0x4, 0x30, [@uac_iso={0x7, 0x25, 0x1, 0x80, 0x0, 0x1}, @generic={0x9e, 0x21, "1a0380c07acd2903333b9ee1a73421f88915a3939a28a2a21a53be2ea907f73f40513cd60a484a95155348fd7cd7928796335066c54fa273655eed763577efa806a489ed9ee1473ce85f420c0c527764aefdd88e116ca338e920cea4645fa6005fecea1ab9cfc4aa74fee4f55192f612d98fd96cb5404152c5d352118853a9f7026a95e6ddd19c24df1a2f9ab247ef37a063b2ed773755b9766a0a47"}]}}, {{0x9, 0x5, 0x0, 0xc, 0x400, 0x2, 0x7b, 0x27, [@uac_iso={0x7, 0x25, 0x1, 0x80, 0x8, 0x8}, @uac_iso={0x7, 0x25, 0x1, 0x81, 0x40, 0x1f}]}}, {{0x9, 0x5, 0x80, 0x8, 0x8, 0x0, 0x6}}, {{0x9, 0x5, 0xc, 0x0, 0x200, 0x7f, 0x8, 0x8, [@uac_iso={0x7, 0x25, 0x1, 0x42, 0x0, 0x3}]}}, {{0x9, 0x5, 0x6, 0x1, 0x10, 0x7f, 0x6, 0x20, [@generic={0x3e, 0x24, "3279e68b3107ce57e93f9b3d336fefa9de179b08505c0edd9edf7339466085554d34e4571b470f40aacb1c79140c88fce17873e9a606d0d0ae191306"}, @generic={0x19, 0x23, "a5c0a892c2b95a227dc6623c0b74310c155d862f239e16"}]}}, {{0x9, 0x5, 0x1, 0x0, 0x20, 0x2, 0x81, 0x40, [@generic={0xe6, 0x30, "5dc526386b6e274ce9c060656dd756e8d6bae3de5b6d899add115e5c8359a147fc3b4630114b017fe4e9d7c9f92e32d1988c0ccb1ed7621114fa2c225280ef03024e75e1fae3e646ffe71a417afedcdc061eba0b1dfa91ec7ae5aa5f96e15c4c72ff5fb57f5033f1fc1c99b8ee5502c3217a1123b5c0df2dd8574ea1a54fe11e8e3aa570a93cb20ceef3f3b3b5343b0af5cae6d05f2bf9044d71b2c3abf277629bcc887b3086a1d691243f2ca2b15d6388a748f30b9ba3bc4d473dc28c196c2ebd244e8af69d1a6d4def0eca62e1a807d4cfc5ac9ae27560149a869eaf4e46a7fdc70375"}]}}, {{0x9, 0x5, 0x0, 0x8, 0x400, 0x1f, 0xe5, 0x1, [@generic={0xd8, 0x2, "3be1779519825a94f8786d27a30f8bffd73797ba274dc1f21db7c91692bff3a9456978712d40e5e6936159b174f76212043d5f7dac45574235de4773cf1c00aaa9d04d86331fe261d5a57af86ed97ca305af1e3346ea1bbb851e813632d2e69ec04110cefc29ae7dbc2a5799f9cf8ce398b53c1f7257832c7fc4cd89f052561fb26835f90970e97fcf52aea2dda0d72fd1050a982b5afbd94f73cb505b7533f8ded2e5cfb6d87ce6ef2d369754cb9d76362181e6b7c08e868a8bb6837feb00a4192093ff8033aa6371eb0222ff0b4ce7337b40d23039"}, @generic={0xb0, 0x4, "5377b0a3d6fabe2be486710049d6514c7aadcd0d30db7f39c5e143b8216b9bbe9eb3ed55ce71026b96ff08eb3b057e8d6283e65686383eab4513ee1bf6348adf1bff30e34df44157705f0843ad96a2905b4d6ef0b81f89708ba1b3af113d5c16f6d53cf38682914f1816e141b0a51d38710450a2c5f0c5987ca7870d11e920bbc23d036a1df5892fc0d59f6379eebfccaff8fc1cc5696f4325e9c3ec3ca29b78b476ba61af6b5143f00f394ae2a5"}]}}, {{0x9, 0x5, 0x1, 0x10, 0x3ff, 0x9, 0x6, 0x9}}, {{0x9, 0x5, 0x6, 0x0, 0x3ff, 0x1f, 0x6, 0x7}}, {{0x9, 0x5, 0x80, 0xc, 0x400, 0x2, 0x8, 0x6}}, {{0x9, 0x5, 0x4, 0x2, 0x8, 0x3f, 0x0, 0x9, [@generic={0x7b, 0x7, "faafe139e2c26d2a37c4bd0f570be6f1afe1e7dd3129bb4e93e1d91fecda5292b1b868e1467f14d99bb5d8a9eaf4b585ce939b3be95537637d10a5c31b791161025fb03a9f97cbaf12c2d3fa969062fda625226a7844fc5dd3f779063035ace5c837de731f2d7420f534b5f8abba9a749a2544434a21de8c68"}]}}, {{0x9, 0x5, 0xe, 0x10, 0x8, 0x1, 0x1, 0x95}}, {{0x9, 0x5, 0x8, 0x8, 0x40, 0x4, 0x5}}]}}]}}]}}, &(0x7f0000000900)={0xa, &(0x7f0000000700)={0xa, 0x6, 0x50, 0x14, 0x28, 0x6, 0x28, 0x9}, 0x51, &(0x7f0000000740)={0x5, 0xf, 0x51, 0x6, [@ptm_cap={0x3}, @ptm_cap={0x3}, @wireless={0xb, 0x10, 0x1, 0x8, 0x10, 0xff, 0x6, 0x1000, 0x40}, @ss_container_id={0x14, 0x10, 0x4, 0x0, "c16ee167a2c7694cf8e1bb43a90ffc24"}, @ssp_cap={0x24, 0x10, 0xa, 0xff, 0x6, 0x400, 0xf88f, 0xfffa, [0x0, 0xc0c0, 0x60, 0xff3f00, 0xfff0, 0xff0000]}, @ptm_cap={0x3}]}, 0x2, [{0xd8, &(0x7f00000007c0)=@string={0xd8, 0x3, "e4e51994186235f6dd685b5af9c790d2c6ac3b9c71acc8be67689e27dbea32effdb2e68b21875172f656ee58ca782e43ca108c5ed0f6b3666249b103518f49bfe2cd201b7ba816c344f3e240d81e0ccee4c11fb860c61f7be1abaf0b22343009174c7cdf9ddec7031242854a0e957f6b85e0c4eef6643022a8d960c0720f8a6328f7ffd76f08ec6a4c5a8bcd4eca63cdaf03d245cae284cf01fa3a581def6e67efdfce679100dc6d9e7e3b8f8aeddfabaef5fe479123d0d0bb2f8ef7cecd3fc18b19a7243b718dd27fb2687ccb8acfdeb741cd7317c0"}}, {0x4, &(0x7f00000008c0)=@lang_id={0x4, 0x3, 0x414}}]}) syz_usb_disconnect(0xffffffffffffffff) csource_test.go:151: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #ifndef SYS___getfh30 #define SYS___getfh30 395 #endif #ifndef SYS___utimes50 #define SYS___utimes50 420 #endif #ifndef SYS_compat_14_shmctl #define SYS_compat_14_shmctl 229 #endif #ifndef SYS_fchmodat #define SYS_fchmodat 463 #endif #ifndef SYS_ioctl #define SYS_ioctl 54 #endif #ifndef SYS_mmap #define SYS_mmap 197 #endif #ifndef SYS_open #define SYS_open 5 #endif #ifndef SYS_preadv #define SYS_preadv 289 #endif #ifndef SYS_recvfrom #define SYS_recvfrom 29 #endif static unsigned long long procid; static void kill_and_wait(int pid, int* status) { kill(pid, SIGKILL); while (waitpid(-1, status, 0) != pid) { } } static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); pthread_attr_setstacksize(&attr, 128 << 10); int i = 0; for (; i < 100; i++) { if (pthread_create(&th, &attr, fn, arg) == 0) { pthread_attr_destroy(&attr); return; } if (errno == EAGAIN) { usleep(50); continue; } break; } exit(1); } typedef struct { pthread_mutex_t mu; pthread_cond_t cv; int state; } event_t; static void event_init(event_t* ev) { if (pthread_mutex_init(&ev->mu, 0)) exit(1); if (pthread_cond_init(&ev->cv, 0)) exit(1); ev->state = 0; } static void event_reset(event_t* ev) { ev->state = 0; } static void event_set(event_t* ev) { pthread_mutex_lock(&ev->mu); if (ev->state) exit(1); ev->state = 1; pthread_mutex_unlock(&ev->mu); pthread_cond_broadcast(&ev->cv); } static void event_wait(event_t* ev) { pthread_mutex_lock(&ev->mu); while (!ev->state) pthread_cond_wait(&ev->cv, &ev->mu); pthread_mutex_unlock(&ev->mu); } static int event_isset(event_t* ev) { pthread_mutex_lock(&ev->mu); int res = ev->state; pthread_mutex_unlock(&ev->mu); return res; } static int event_timedwait(event_t* ev, uint64_t timeout) { uint64_t start = current_time_ms(); uint64_t now = start; pthread_mutex_lock(&ev->mu); for (;;) { if (ev->state) break; uint64_t remain = timeout - (now - start); struct timespec ts; ts.tv_sec = remain / 1000; ts.tv_nsec = (remain % 1000) * 1000 * 1000; pthread_cond_timedwait(&ev->cv, &ev->mu, &ts); now = current_time_ms(); if (now - start > timeout) break; } int res = ev->state; pthread_mutex_unlock(&ev->mu); return res; } #define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off)) #define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len)))) struct usb_endpoint_descriptor { uint8_t bLength; uint8_t bDescriptorType; uint8_t bEndpointAddress; uint8_t bmAttributes; uint16_t wMaxPacketSize; uint8_t bInterval; uint8_t bRefresh; uint8_t bSynchAddress; } __attribute__((packed)); struct usb_device_descriptor { uint8_t bLength; uint8_t bDescriptorType; uint16_t bcdUSB; uint8_t bDeviceClass; uint8_t bDeviceSubClass; uint8_t bDeviceProtocol; uint8_t bMaxPacketSize0; uint16_t idVendor; uint16_t idProduct; uint16_t bcdDevice; uint8_t iManufacturer; uint8_t iProduct; uint8_t iSerialNumber; uint8_t bNumConfigurations; } __attribute__((packed)); struct usb_config_descriptor { uint8_t bLength; uint8_t bDescriptorType; uint16_t wTotalLength; uint8_t bNumInterfaces; uint8_t bConfigurationValue; uint8_t iConfiguration; uint8_t bmAttributes; uint8_t bMaxPower; } __attribute__((packed)); struct usb_interface_descriptor { uint8_t bLength; uint8_t bDescriptorType; uint8_t bInterfaceNumber; uint8_t bAlternateSetting; uint8_t bNumEndpoints; uint8_t bInterfaceClass; uint8_t bInterfaceSubClass; uint8_t bInterfaceProtocol; uint8_t iInterface; } __attribute__((packed)); struct usb_ctrlrequest { uint8_t bRequestType; uint8_t bRequest; uint16_t wValue; uint16_t wIndex; uint16_t wLength; } __attribute__((packed)); struct usb_qualifier_descriptor { uint8_t bLength; uint8_t bDescriptorType; uint16_t bcdUSB; uint8_t bDeviceClass; uint8_t bDeviceSubClass; uint8_t bDeviceProtocol; uint8_t bMaxPacketSize0; uint8_t bNumConfigurations; uint8_t bRESERVED; } __attribute__((packed)); #define USB_TYPE_MASK (0x03 << 5) #define USB_TYPE_STANDARD (0x00 << 5) #define USB_TYPE_CLASS (0x01 << 5) #define USB_TYPE_VENDOR (0x02 << 5) #define USB_TYPE_RESERVED (0x03 << 5) #define USB_DT_DEVICE 0x01 #define USB_DT_CONFIG 0x02 #define USB_DT_STRING 0x03 #define USB_DT_INTERFACE 0x04 #define USB_DT_ENDPOINT 0x05 #define USB_DT_DEVICE_QUALIFIER 0x06 #define USB_DT_OTHER_SPEED_CONFIG 0x07 #define USB_DT_INTERFACE_POWER 0x08 #define USB_DT_OTG 0x09 #define USB_DT_DEBUG 0x0a #define USB_DT_INTERFACE_ASSOCIATION 0x0b #define USB_DT_SECURITY 0x0c #define USB_DT_KEY 0x0d #define USB_DT_ENCRYPTION_TYPE 0x0e #define USB_DT_BOS 0x0f #define USB_DT_DEVICE_CAPABILITY 0x10 #define USB_DT_WIRELESS_ENDPOINT_COMP 0x11 #define USB_DT_WIRE_ADAPTER 0x21 #define USB_DT_RPIPE 0x22 #define USB_DT_CS_RADIO_CONTROL 0x23 #define USB_DT_PIPE_USAGE 0x24 #define USB_DT_SS_ENDPOINT_COMP 0x30 #define USB_DT_SSP_ISOC_ENDPOINT_COMP 0x31 #define USB_REQ_GET_STATUS 0x00 #define USB_REQ_CLEAR_FEATURE 0x01 #define USB_REQ_SET_FEATURE 0x03 #define USB_REQ_SET_ADDRESS 0x05 #define USB_REQ_GET_DESCRIPTOR 0x06 #define USB_REQ_SET_DESCRIPTOR 0x07 #define USB_REQ_GET_CONFIGURATION 0x08 #define USB_REQ_SET_CONFIGURATION 0x09 #define USB_REQ_GET_INTERFACE 0x0A #define USB_REQ_SET_INTERFACE 0x0B #define USB_REQ_SYNCH_FRAME 0x0C #define USB_REQ_SET_SEL 0x30 #define USB_REQ_SET_ISOCH_DELAY 0x31 #define USB_REQ_SET_ENCRYPTION 0x0D #define USB_REQ_GET_ENCRYPTION 0x0E #define USB_REQ_RPIPE_ABORT 0x0E #define USB_REQ_SET_HANDSHAKE 0x0F #define USB_REQ_RPIPE_RESET 0x0F #define USB_REQ_GET_HANDSHAKE 0x10 #define USB_REQ_SET_CONNECTION 0x11 #define USB_REQ_SET_SECURITY_DATA 0x12 #define USB_REQ_GET_SECURITY_DATA 0x13 #define USB_REQ_SET_WUSB_DATA 0x14 #define USB_REQ_LOOPBACK_DATA_WRITE 0x15 #define USB_REQ_LOOPBACK_DATA_READ 0x16 #define USB_REQ_SET_INTERFACE_DS 0x17 #define USB_REQ_GET_PARTNER_PDO 20 #define USB_REQ_GET_BATTERY_STATUS 21 #define USB_REQ_SET_PDO 22 #define USB_REQ_GET_VDM 23 #define USB_REQ_SEND_VDM 24 #define USB_MAX_IFACE_NUM 4 #define USB_MAX_EP_NUM 32 #define USB_MAX_FDS 6 struct usb_endpoint_index { struct usb_endpoint_descriptor desc; int handle; }; struct usb_iface_index { struct usb_interface_descriptor* iface; uint8_t bInterfaceNumber; uint8_t bAlternateSetting; uint8_t bInterfaceClass; struct usb_endpoint_index eps[USB_MAX_EP_NUM]; int eps_num; }; struct usb_device_index { struct usb_device_descriptor* dev; struct usb_config_descriptor* config; uint8_t bDeviceClass; uint8_t bMaxPower; int config_length; struct usb_iface_index ifaces[USB_MAX_IFACE_NUM]; int ifaces_num; int iface_cur; }; struct usb_info { int fd; struct usb_device_index index; }; static struct usb_info usb_devices[USB_MAX_FDS]; static struct usb_device_index* lookup_usb_index(int fd) { for (int i = 0; i < USB_MAX_FDS; i++) { if (__atomic_load_n(&usb_devices[i].fd, __ATOMIC_ACQUIRE) == fd) return &usb_devices[i].index; } return NULL; } static int usb_devices_num; static bool parse_usb_descriptor(const char* buffer, size_t length, struct usb_device_index* index) { if (length < sizeof(*index->dev) + sizeof(*index->config)) return false; memset(index, 0, sizeof(*index)); index->dev = (struct usb_device_descriptor*)buffer; index->config = (struct usb_config_descriptor*)(buffer + sizeof(*index->dev)); index->bDeviceClass = index->dev->bDeviceClass; index->bMaxPower = index->config->bMaxPower; index->config_length = length - sizeof(*index->dev); index->iface_cur = -1; size_t offset = 0; while (true) { if (offset + 1 >= length) break; uint8_t desc_length = buffer[offset]; uint8_t desc_type = buffer[offset + 1]; if (desc_length <= 2) break; if (offset + desc_length > length) break; if (desc_type == USB_DT_INTERFACE && index->ifaces_num < USB_MAX_IFACE_NUM) { struct usb_interface_descriptor* iface = (struct usb_interface_descriptor*)(buffer + offset); index->ifaces[index->ifaces_num].iface = iface; index->ifaces[index->ifaces_num].bInterfaceNumber = iface->bInterfaceNumber; index->ifaces[index->ifaces_num].bAlternateSetting = iface->bAlternateSetting; index->ifaces[index->ifaces_num].bInterfaceClass = iface->bInterfaceClass; index->ifaces_num++; } if (desc_type == USB_DT_ENDPOINT && index->ifaces_num > 0) { struct usb_iface_index* iface = &index->ifaces[index->ifaces_num - 1]; if (iface->eps_num < USB_MAX_EP_NUM) { memcpy(&iface->eps[iface->eps_num].desc, buffer + offset, sizeof(iface->eps[iface->eps_num].desc)); iface->eps_num++; } } offset += desc_length; } return true; } static struct usb_device_index* add_usb_index(int fd, const char* dev, size_t dev_len) { int i = __atomic_fetch_add(&usb_devices_num, 1, __ATOMIC_RELAXED); if (i >= USB_MAX_FDS) return NULL; if (!parse_usb_descriptor(dev, dev_len, &usb_devices[i].index)) return NULL; __atomic_store_n(&usb_devices[i].fd, fd, __ATOMIC_RELEASE); return &usb_devices[i].index; } struct vusb_connect_string_descriptor { uint32_t len; char* str; } __attribute__((packed)); struct vusb_connect_descriptors { uint32_t qual_len; char* qual; uint32_t bos_len; char* bos; uint32_t strs_len; struct vusb_connect_string_descriptor strs[0]; } __attribute__((packed)); static const char default_string[] = { 8, USB_DT_STRING, 's', 0, 'y', 0, 'z', 0 }; static const char default_lang_id[] = { 4, USB_DT_STRING, 0x09, 0x04 }; static bool lookup_connect_response_in(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, struct usb_qualifier_descriptor* qual, char** response_data, uint32_t* response_length) { struct usb_device_index* index = lookup_usb_index(fd); uint8_t str_idx; if (!index) return false; switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_GET_DESCRIPTOR: switch (ctrl->wValue >> 8) { case USB_DT_DEVICE: *response_data = (char*)index->dev; *response_length = sizeof(*index->dev); return true; case USB_DT_CONFIG: *response_data = (char*)index->config; *response_length = index->config_length; return true; case USB_DT_STRING: str_idx = (uint8_t)ctrl->wValue; if (descs && str_idx < descs->strs_len) { *response_data = descs->strs[str_idx].str; *response_length = descs->strs[str_idx].len; return true; } if (str_idx == 0) { *response_data = (char*)&default_lang_id[0]; *response_length = default_lang_id[0]; return true; } *response_data = (char*)&default_string[0]; *response_length = default_string[0]; return true; case USB_DT_BOS: *response_data = descs->bos; *response_length = descs->bos_len; return true; case USB_DT_DEVICE_QUALIFIER: if (!descs->qual) { qual->bLength = sizeof(*qual); qual->bDescriptorType = USB_DT_DEVICE_QUALIFIER; qual->bcdUSB = index->dev->bcdUSB; qual->bDeviceClass = index->dev->bDeviceClass; qual->bDeviceSubClass = index->dev->bDeviceSubClass; qual->bDeviceProtocol = index->dev->bDeviceProtocol; qual->bMaxPacketSize0 = index->dev->bMaxPacketSize0; qual->bNumConfigurations = index->dev->bNumConfigurations; qual->bRESERVED = 0; *response_data = (char*)qual; *response_length = sizeof(*qual); return true; } *response_data = descs->qual; *response_length = descs->qual_len; return true; default: break; } break; default: break; } break; default: break; } return false; } typedef bool (*lookup_connect_out_response_t)(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done); static bool lookup_connect_response_out_generic(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done) { switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_SET_CONFIGURATION: *done = true; return true; default: break; } break; } return false; } static int vhci_open(void) { char path[1024]; snprintf(path, sizeof(path), "/dev/vhci%llu", procid); return open(path, O_RDWR); } static int vhci_setport(int fd, u_int port) { struct vhci_ioc_set_port args; args.port = port; return ioctl(fd, VHCI_IOC_SET_PORT, &args); } static int vhci_usb_attach(int fd) { return ioctl(fd, VHCI_IOC_USB_ATTACH, NULL); } static int vhci_usb_recv(int fd, void* buf, size_t size) { uint8_t* ptr = (uint8_t*)buf; while (1) { ssize_t done = read(fd, ptr, size); if (done < 0) return -1; if ((size_t)done == size) return 0; size -= done; ptr += done; } } static int vhci_usb_send(int fd, void* buf, size_t size) { uint8_t* ptr = (uint8_t*)buf; while (1) { ssize_t done = write(fd, ptr, size); if (done <= 0) return -1; if ((size_t)done == size) return 0; size -= done; ptr += done; } } static volatile long syz_usb_connect_impl(int fd, uint64_t speed, uint64_t dev_len, const char* dev, const struct vusb_connect_descriptors* descs, lookup_connect_out_response_t lookup_connect_response_out) { struct usb_device_index* index = add_usb_index(fd, dev, dev_len); if (!index) { return -1; } if (vhci_setport(fd, 1)) exit(1); if (vhci_usb_attach(fd)) { return -1; } bool done = false; while (!done) { vhci_request_t req; if (vhci_usb_recv(fd, &req, sizeof(req))) { return -1; } if (req.type != VHCI_REQ_CTRL) { return -1; } char* response_data = NULL; uint32_t response_length = 0; struct usb_qualifier_descriptor qual; char data[4096]; if (req.u.ctrl.bmRequestType & UE_DIR_IN) { if (!lookup_connect_response_in(fd, descs, (const struct usb_ctrlrequest*)&req.u.ctrl, &qual, &response_data, &response_length)) { return -1; } } else { if (!lookup_connect_response_out(fd, descs, (const struct usb_ctrlrequest*)&req.u.ctrl, &done)) { return -1; } response_data = NULL; response_length = UGETW(req.u.ctrl.wLength); } if ((req.u.ctrl.bmRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD && req.u.ctrl.bRequest == USB_REQ_SET_CONFIGURATION) { } if (response_length > sizeof(data)) response_length = 0; if ((uint32_t)UGETW(req.u.ctrl.wLength) < response_length) response_length = UGETW(req.u.ctrl.wLength); if (response_data) memcpy(data, response_data, response_length); else memset(data, 0, response_length); int rv = 0; if (req.u.ctrl.bmRequestType & UE_DIR_IN) { if (response_length > 0) { vhci_response_t res; res.size = response_length; rv = vhci_usb_send(fd, &res, sizeof(res)); if (rv == 0) rv = vhci_usb_send(fd, data, response_length); } } else { rv = vhci_usb_recv(fd, data, response_length); } if (rv < 0) { return -1; } } sleep_ms(200); return fd; } static volatile long syz_usb_connect(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { uint64_t speed = a0; uint64_t dev_len = a1; const char* dev = (const char*)a2; const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3; if (!dev) { return -1; } int fd = vhci_open(); if (fd < 0) exit(1); long res = syz_usb_connect_impl(fd, speed, dev_len, dev, descs, &lookup_connect_response_out_generic); close(fd); return res; } static volatile long syz_usb_disconnect(volatile long a0) { int fd = a0; int rv = close(fd); sleep_ms(200); return rv; } static void setup_fault(void) { if (chmod("/dev/fault", 0666)) exit(1); } static int inject_fault(int nth) { struct fault_ioc_enable en; int fd; fd = open("/dev/fault", O_RDWR); if (fd == -1) exit(1); en.scope = FAULT_SCOPE_LWP; en.mode = 0; en.nth = nth + 1; if (ioctl(fd, FAULT_IOC_ENABLE, &en) != 0) exit(1); return fd; } static void sandbox_common() { struct rlimit rlim; rlim.rlim_cur = rlim.rlim_max = 8 << 20; setrlimit(RLIMIT_MEMLOCK, &rlim); rlim.rlim_cur = rlim.rlim_max = 1 << 20; setrlimit(RLIMIT_FSIZE, &rlim); rlim.rlim_cur = rlim.rlim_max = 1 << 20; setrlimit(RLIMIT_STACK, &rlim); rlim.rlim_cur = rlim.rlim_max = 0; setrlimit(RLIMIT_CORE, &rlim); rlim.rlim_cur = rlim.rlim_max = 256; setrlimit(RLIMIT_NOFILE, &rlim); } static void loop(); static int do_sandbox_none(void) { sandbox_common(); loop(); return 0; } static long syz_execute_func(volatile long text) { ((void (*)(void))(text))(); return 0; } struct thread_t { int created, call; event_t ready, done; }; static struct thread_t threads[16]; static void execute_call(int call); static int running; static void* thr(void* arg) { struct thread_t* th = (struct thread_t*)arg; for (;;) { event_wait(&th->ready); event_reset(&th->ready); execute_call(th->call); __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED); event_set(&th->done); } return 0; } static void execute_one(void) { int i, call, thread; for (call = 0; call < 13; call++) { for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) { struct thread_t* th = &threads[thread]; if (!th->created) { th->created = 1; event_init(&th->ready); event_init(&th->done); event_set(&th->done); thread_start(thr, th); } if (!event_isset(&th->done)) continue; event_reset(&th->done); th->call = call; __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED); event_set(&th->ready); if (call == 1) break; event_timedwait(&th->done, 50 + (call == 11 ? 3000 : 0) + (call == 12 ? 300 : 0)); break; } } for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++) sleep_ms(1); } static void execute_one(void); #define WAIT_FLAGS 0 static void loop(void) { int iter = 0; for (;; iter++) { int pid = fork(); if (pid < 0) exit(1); if (pid == 0) { execute_one(); exit(0); } int status = 0; uint64_t start = current_time_ms(); for (;;) { if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) break; sleep_ms(1); if (current_time_ms() - start < 5000) continue; kill_and_wait(pid, &status); break; } } } uint64_t r[2] = {0xffffffffffffffff, 0xffffffffffffffff}; void execute_call(int call) { intptr_t res = 0; switch (call) { case 0: memcpy((void*)0x20000000, "./file0\000", 8); *(uint64_t*)0x20000040 = 5; *(uint64_t*)0x20000048 = 6; inject_fault(1); syscall(SYS___utimes50, 0x20000000ul, 0x20000040ul); break; case 1: memcpy((void*)0x20000080, "./file0\000", 8); *(uint64_t*)0x20000180 = 5; syscall(SYS___getfh30, 0x20000080ul, 0x200000c0ul, 0x20000180ul); break; case 2: memcpy((void*)0x200001c0, "./file0\000", 8); res = syscall(SYS_open, 0x200001c0ul, 0x80ul, 0x100ul); { int i; for(i = 0; i < 4; i++) { syscall(SYS_open, 0x200001c0ul, 0x80ul, 0x100ul); } } if (res != -1) r[0] = res; break; case 3: *(uint64_t*)0x20000400 = 0x20000200; *(uint64_t*)0x20000408 = 0; *(uint64_t*)0x20000410 = 0x20000240; *(uint64_t*)0x20000418 = 0x2c; *(uint64_t*)0x20000420 = 0x20000280; *(uint64_t*)0x20000428 = 0xb2; *(uint64_t*)0x20000430 = 0x20000340; *(uint64_t*)0x20000438 = 0xb1; syscall(SYS_preadv, r[0], 0x20000400ul, 4ul, 6ul); break; case 4: memcpy((void*)0x20000440, "./file0\000", 8); res = syscall(SYS_open, 0x20000440ul, 0x1000000ul, 0ul); if (res != -1) r[1] = res; break; case 5: syscall(SYS_ioctl, r[1], 0x4004575ful, 0x20000480ul); break; case 6: *(uint64_t*)0x200005f8 = 0x200004c0; memcpy((void*)0x200004c0, "\x39\x56\xea\x18\x77\x15\xb3\x64\xf0\x78\xd2\x25\x29\x01\x0e\x88\x1c\x15\xc4\xac\x90\x5a\x9b\x74\x13\x77\xa2\x9b\x3f\x3f\xd0\x79\xdc\xb3\x1d\xd9\x07\x81\x05\x60\x5a\xb6\xc3\x35\x82\xb0\x4e\xcd\x1c\x5a\x5a\xbd\xa9\xa0\x69\xcf\xfc\x19\xb6\x23\xcc\x7e\x6c\xa3\x0e\xa6\x44\xaf\x2f\x9f\xf3\xf0\x41\x48\x5f\x48\xd1\xb5\xf6\xed\x02\x35\x46\x8e\x74\x1f\x36\x34\xe6\xed\xa3\x58\xc8\xf7\x35\x24\x73\xf5\xce\x3b\x37\xd5\xd9\x1e\xd2\x9d\x5a\x2a\x2e\x99\xc6\x24\xae\x17\xd1\x3e\x54\xa4\x03\xf2\xb1\x79\xe4\x3a\xc2\x81\xc4\x24\x69\x74\x15\x1f\xbc\xb7\x92\x20\x04\x7b\x01\x74\xdd\x32\x36\x78\x4c\x58\x1a\x21\xe2\x29\xa7\x1f\x22\x83\xfd\x0b\xb1\x81\x0c\xc5\x54\xda\x71\xc7\x21\xa7\xdf\x2f\x74\xdc\x3b\x6b\xaa\xe1\x63\x5c\x72\xad\x1a\x07\xdf\xe6\x55\xcd\xf7\xe5\x27\x74\xef\x46\xb5\x37\x2d\x0f\xa1\xca\xd8\xa2\x88\xa7\x4d\x34\x96\x4d\xb9\x67\x60\xe2\xcf\x85\x86\xf2\xea\x7d\xad", 215); syscall(SYS_compat_14_shmctl, 0, 2ul, 0x200005c0ul); break; case 7: memcpy((void*)0x20000600, "./file0\000", 8); syscall(SYS_fchmodat, r[0], 0x20000600ul, 0x800ul, 0x500ul); break; case 8: memcpy((void*)0x20000640, "./file0\000", 8); *(uint64_t*)0x20000740 = 0x48000; syscall(SYS___getfh30, 0x20000640ul, 0x20000680ul, 0x20000740ul); break; case 9: syscall(SYS_recvfrom, r[0], 0x20000780ul, 0x7ful, 0x9080ul, 0ul, 0ul); break; case 10: memcpy((void*)0x200000c0, "\xc4\x21\x7d\x28\x00\x67\x36\x42\xd9\xf6\xc4\xa1\xd4\x5e\x7b\xf2\xc4\x41\x71\xd3\x0e\xc4\x62\xa1\x04\xd5\x66\x0f\x6e\x56\x00\x42\x0f\x01\xee\xc4\x21\x4d\x67\x56\x0e\xd8\xb0\xdf\x1c\xc1\xf1\xc4\xe1\x7e\xe6\x4c\x5b\x06", 54); syz_execute_func(0x200000c0); break; case 11: *(uint8_t*)0x20000140 = 0x12; *(uint8_t*)0x20000141 = 1; *(uint16_t*)0x20000142 = 0x201; *(uint8_t*)0x20000144 = 0; *(uint8_t*)0x20000145 = 0; *(uint8_t*)0x20000146 = 0; *(uint8_t*)0x20000147 = 0x10; *(uint16_t*)0x20000148 = 0; *(uint16_t*)0x2000014a = 0; *(uint16_t*)0x2000014c = 0; *(uint8_t*)0x2000014e = 1; *(uint8_t*)0x2000014f = 2; *(uint8_t*)0x20000150 = 3; *(uint8_t*)0x20000151 = 1; *(uint8_t*)0x20000152 = 9; *(uint8_t*)0x20000153 = 2; *(uint16_t*)0x20000154 = 0x5aa; *(uint8_t*)0x20000156 = 1; *(uint8_t*)0x20000157 = 0; *(uint8_t*)0x20000158 = 0x4d; *(uint8_t*)0x20000159 = 0; *(uint8_t*)0x2000015a = 5; *(uint8_t*)0x2000015b = 9; *(uint8_t*)0x2000015c = 4; *(uint8_t*)0x2000015d = 0x7f; *(uint8_t*)0x2000015e = 2; *(uint8_t*)0x2000015f = 0x10; *(uint8_t*)0x20000160 = 0; *(uint8_t*)0x20000161 = 0; *(uint8_t*)0x20000162 = 0; *(uint8_t*)0x20000163 = 0x1f; *(uint8_t*)0x20000164 = 0xa; *(uint8_t*)0x20000165 = 0x24; *(uint8_t*)0x20000166 = 6; *(uint8_t*)0x20000167 = 0; *(uint8_t*)0x20000168 = 1; memcpy((void*)0x20000169, "\xc3\x1c\xa1\x66\x5e", 5); *(uint8_t*)0x2000016e = 5; *(uint8_t*)0x2000016f = 0x24; *(uint8_t*)0x20000170 = 0; *(uint16_t*)0x20000171 = 6; *(uint8_t*)0x20000173 = 0xd; *(uint8_t*)0x20000174 = 0x24; *(uint8_t*)0x20000175 = 0xf; *(uint8_t*)0x20000176 = 1; *(uint32_t*)0x20000177 = 0xfffffe01; *(uint16_t*)0x2000017b = 0x7fff; *(uint16_t*)0x2000017d = 0xfe01; *(uint8_t*)0x2000017f = 1; *(uint8_t*)0x20000180 = 6; *(uint8_t*)0x20000181 = 0x24; *(uint8_t*)0x20000182 = 0x1a; *(uint16_t*)0x20000183 = 0x101; *(uint8_t*)0x20000185 = 0; *(uint8_t*)0x20000186 = 6; *(uint8_t*)0x20000187 = 0x24; *(uint8_t*)0x20000188 = 7; *(uint8_t*)0x20000189 = 0xfd; *(uint16_t*)0x2000018a = 0x1000; *(uint8_t*)0x2000018c = 4; *(uint8_t*)0x2000018d = 0x24; *(uint8_t*)0x2000018e = 2; *(uint8_t*)0x2000018f = 0xf; *(uint8_t*)0x20000190 = 5; *(uint8_t*)0x20000191 = 0x24; *(uint8_t*)0x20000192 = 1; *(uint8_t*)0x20000193 = 3; *(uint8_t*)0x20000194 = 0xd0; *(uint8_t*)0x20000195 = 7; *(uint8_t*)0x20000196 = 0x24; *(uint8_t*)0x20000197 = 0x14; *(uint16_t*)0x20000198 = 5; *(uint16_t*)0x2000019a = 9; *(uint8_t*)0x2000019c = 0xba; *(uint8_t*)0x2000019d = 0xb; memcpy((void*)0x2000019e, "\xfe\x82\xf4\x12\xbd\xe1\x3c\xfe\x9a\x7c\x58\x42\x8c\xb9\xc3\xa0\x85\x52\x8b\x59\x21\x05\x45\x97\x3b\xdc\x2a\xa0\xc2\x11\x53\xe7\x1c\x9f\x06\x5b\xbe\xf1\x10\xef\x76\x91\x1a\xe1\x4a\x69\x05\x0c\x92\x64\x04\x46\x79\x9f\xa1\xdc\x7a\xa0\xc2\x43\xc2\x15\xb0\xaf\xa1\x30\x99\x00\xf0\xbe\x31\x1c\x82\x59\xdb\x41\x22\xe4\x79\xaa\x52\x91\xed\x38\xba\x4b\x00\xce\x42\x69\x3f\x27\x39\x52\x16\x81\x81\x97\x27\x63\x35\xcc\x1c\x97\x75\x50\xda\x0a\x1f\x62\x51\x9c\x18\x4c\x22\x8c\x94\xbc\xc6\x3e\x4b\xda\x51\xb0\xde\xed\xcd\x99\xe2\x68\x44\xea\x31\x95\x31\x03\x14\x2c\x05\xbb\x4f\x68\x26\x37\x71\xca\x79\x1a\xcf\xb8\xe6\xf1\xb7\xe1\xc8\xc6\xb4\x7a\x72\x90\xee\x50\xa6\xd9\xd6\xc6\x4f\x7e\x20\x18\xc6\x2b\xd4\x5d\x9d\x93\x26\x86\x1a\x01\xe0\x59\x30\x26", 184); *(uint8_t*)0x20000256 = 9; *(uint8_t*)0x20000257 = 5; *(uint8_t*)0x20000258 = 9; *(uint8_t*)0x20000259 = 0x10; *(uint16_t*)0x2000025a = 0xbf7; *(uint8_t*)0x2000025c = 0x80; *(uint8_t*)0x2000025d = 3; *(uint8_t*)0x2000025e = 0x80; *(uint8_t*)0x2000025f = 7; *(uint8_t*)0x20000260 = 0x25; *(uint8_t*)0x20000261 = 1; *(uint8_t*)0x20000262 = 1; *(uint8_t*)0x20000263 = 0x81; *(uint16_t*)0x20000264 = 0xb6; *(uint8_t*)0x20000266 = 9; *(uint8_t*)0x20000267 = 5; *(uint8_t*)0x20000268 = 5; *(uint8_t*)0x20000269 = 3; *(uint16_t*)0x2000026a = 0x20; *(uint8_t*)0x2000026c = 5; *(uint8_t*)0x2000026d = 8; *(uint8_t*)0x2000026e = 0xf5; *(uint8_t*)0x2000026f = 7; *(uint8_t*)0x20000270 = 0x25; *(uint8_t*)0x20000271 = 1; *(uint8_t*)0x20000272 = 3; *(uint8_t*)0x20000273 = 0x81; *(uint16_t*)0x20000274 = 5; *(uint8_t*)0x20000276 = 9; *(uint8_t*)0x20000277 = 5; *(uint8_t*)0x20000278 = 3; *(uint8_t*)0x20000279 = 1; *(uint16_t*)0x2000027a = 0x40; *(uint8_t*)0x2000027c = 0x1f; *(uint8_t*)0x2000027d = 2; *(uint8_t*)0x2000027e = 0; *(uint8_t*)0x2000027f = 7; *(uint8_t*)0x20000280 = 0x25; *(uint8_t*)0x20000281 = 1; *(uint8_t*)0x20000282 = 0; *(uint8_t*)0x20000283 = 3; *(uint16_t*)0x20000284 = 0x8001; *(uint8_t*)0x20000286 = 7; *(uint8_t*)0x20000287 = 0x25; *(uint8_t*)0x20000288 = 1; *(uint8_t*)0x20000289 = 3; *(uint8_t*)0x2000028a = 0x74; *(uint16_t*)0x2000028b = 4; *(uint8_t*)0x2000028d = 9; *(uint8_t*)0x2000028e = 5; *(uint8_t*)0x2000028f = 6; *(uint8_t*)0x20000290 = 4; *(uint16_t*)0x20000291 = 0x20; *(uint8_t*)0x20000293 = 0xc3; *(uint8_t*)0x20000294 = 4; *(uint8_t*)0x20000295 = 0x30; *(uint8_t*)0x20000296 = 7; *(uint8_t*)0x20000297 = 0x25; *(uint8_t*)0x20000298 = 1; *(uint8_t*)0x20000299 = 0x80; *(uint8_t*)0x2000029a = 0; *(uint16_t*)0x2000029b = 1; *(uint8_t*)0x2000029d = 0x9e; *(uint8_t*)0x2000029e = 0x21; memcpy((void*)0x2000029f, "\x1a\x03\x80\xc0\x7a\xcd\x29\x03\x33\x3b\x9e\xe1\xa7\x34\x21\xf8\x89\x15\xa3\x93\x9a\x28\xa2\xa2\x1a\x53\xbe\x2e\xa9\x07\xf7\x3f\x40\x51\x3c\xd6\x0a\x48\x4a\x95\x15\x53\x48\xfd\x7c\xd7\x92\x87\x96\x33\x50\x66\xc5\x4f\xa2\x73\x65\x5e\xed\x76\x35\x77\xef\xa8\x06\xa4\x89\xed\x9e\xe1\x47\x3c\xe8\x5f\x42\x0c\x0c\x52\x77\x64\xae\xfd\xd8\x8e\x11\x6c\xa3\x38\xe9\x20\xce\xa4\x64\x5f\xa6\x00\x5f\xec\xea\x1a\xb9\xcf\xc4\xaa\x74\xfe\xe4\xf5\x51\x92\xf6\x12\xd9\x8f\xd9\x6c\xb5\x40\x41\x52\xc5\xd3\x52\x11\x88\x53\xa9\xf7\x02\x6a\x95\xe6\xdd\xd1\x9c\x24\xdf\x1a\x2f\x9a\xb2\x47\xef\x37\xa0\x63\xb2\xed\x77\x37\x55\xb9\x76\x6a\x0a\x47", 156); *(uint8_t*)0x2000033b = 9; *(uint8_t*)0x2000033c = 5; *(uint8_t*)0x2000033d = 0; *(uint8_t*)0x2000033e = 0xc; *(uint16_t*)0x2000033f = 0x400; *(uint8_t*)0x20000341 = 2; *(uint8_t*)0x20000342 = 0x7b; *(uint8_t*)0x20000343 = 0x27; *(uint8_t*)0x20000344 = 7; *(uint8_t*)0x20000345 = 0x25; *(uint8_t*)0x20000346 = 1; *(uint8_t*)0x20000347 = 0x80; *(uint8_t*)0x20000348 = 8; *(uint16_t*)0x20000349 = 8; *(uint8_t*)0x2000034b = 7; *(uint8_t*)0x2000034c = 0x25; *(uint8_t*)0x2000034d = 1; *(uint8_t*)0x2000034e = 0x81; *(uint8_t*)0x2000034f = 0x40; *(uint16_t*)0x20000350 = 0x1f; *(uint8_t*)0x20000352 = 9; *(uint8_t*)0x20000353 = 5; *(uint8_t*)0x20000354 = 0x80; *(uint8_t*)0x20000355 = 8; *(uint16_t*)0x20000356 = 8; *(uint8_t*)0x20000358 = 0; *(uint8_t*)0x20000359 = 6; *(uint8_t*)0x2000035a = 0; *(uint8_t*)0x2000035b = 9; *(uint8_t*)0x2000035c = 5; *(uint8_t*)0x2000035d = 0xc; *(uint8_t*)0x2000035e = 0; *(uint16_t*)0x2000035f = 0x200; *(uint8_t*)0x20000361 = 0x7f; *(uint8_t*)0x20000362 = 8; *(uint8_t*)0x20000363 = 8; *(uint8_t*)0x20000364 = 7; *(uint8_t*)0x20000365 = 0x25; *(uint8_t*)0x20000366 = 1; *(uint8_t*)0x20000367 = 0x42; *(uint8_t*)0x20000368 = 0; *(uint16_t*)0x20000369 = 3; *(uint8_t*)0x2000036b = 9; *(uint8_t*)0x2000036c = 5; *(uint8_t*)0x2000036d = 6; *(uint8_t*)0x2000036e = 1; *(uint16_t*)0x2000036f = 0x10; *(uint8_t*)0x20000371 = 0x7f; *(uint8_t*)0x20000372 = 6; *(uint8_t*)0x20000373 = 0x20; *(uint8_t*)0x20000374 = 0x3e; *(uint8_t*)0x20000375 = 0x24; memcpy((void*)0x20000376, "\x32\x79\xe6\x8b\x31\x07\xce\x57\xe9\x3f\x9b\x3d\x33\x6f\xef\xa9\xde\x17\x9b\x08\x50\x5c\x0e\xdd\x9e\xdf\x73\x39\x46\x60\x85\x55\x4d\x34\xe4\x57\x1b\x47\x0f\x40\xaa\xcb\x1c\x79\x14\x0c\x88\xfc\xe1\x78\x73\xe9\xa6\x06\xd0\xd0\xae\x19\x13\x06", 60); *(uint8_t*)0x200003b2 = 0x19; *(uint8_t*)0x200003b3 = 0x23; memcpy((void*)0x200003b4, "\xa5\xc0\xa8\x92\xc2\xb9\x5a\x22\x7d\xc6\x62\x3c\x0b\x74\x31\x0c\x15\x5d\x86\x2f\x23\x9e\x16", 23); *(uint8_t*)0x200003cb = 9; *(uint8_t*)0x200003cc = 5; *(uint8_t*)0x200003cd = 1; *(uint8_t*)0x200003ce = 0; *(uint16_t*)0x200003cf = 0x20; *(uint8_t*)0x200003d1 = 2; *(uint8_t*)0x200003d2 = 0x81; *(uint8_t*)0x200003d3 = 0x40; *(uint8_t*)0x200003d4 = 0xe6; *(uint8_t*)0x200003d5 = 0x30; memcpy((void*)0x200003d6, "\x5d\xc5\x26\x38\x6b\x6e\x27\x4c\xe9\xc0\x60\x65\x6d\xd7\x56\xe8\xd6\xba\xe3\xde\x5b\x6d\x89\x9a\xdd\x11\x5e\x5c\x83\x59\xa1\x47\xfc\x3b\x46\x30\x11\x4b\x01\x7f\xe4\xe9\xd7\xc9\xf9\x2e\x32\xd1\x98\x8c\x0c\xcb\x1e\xd7\x62\x11\x14\xfa\x2c\x22\x52\x80\xef\x03\x02\x4e\x75\xe1\xfa\xe3\xe6\x46\xff\xe7\x1a\x41\x7a\xfe\xdc\xdc\x06\x1e\xba\x0b\x1d\xfa\x91\xec\x7a\xe5\xaa\x5f\x96\xe1\x5c\x4c\x72\xff\x5f\xb5\x7f\x50\x33\xf1\xfc\x1c\x99\xb8\xee\x55\x02\xc3\x21\x7a\x11\x23\xb5\xc0\xdf\x2d\xd8\x57\x4e\xa1\xa5\x4f\xe1\x1e\x8e\x3a\xa5\x70\xa9\x3c\xb2\x0c\xee\xf3\xf3\xb3\xb5\x34\x3b\x0a\xf5\xca\xe6\xd0\x5f\x2b\xf9\x04\x4d\x71\xb2\xc3\xab\xf2\x77\x62\x9b\xcc\x88\x7b\x30\x86\xa1\xd6\x91\x24\x3f\x2c\xa2\xb1\x5d\x63\x88\xa7\x48\xf3\x0b\x9b\xa3\xbc\x4d\x47\x3d\xc2\x8c\x19\x6c\x2e\xbd\x24\x4e\x8a\xf6\x9d\x1a\x6d\x4d\xef\x0e\xca\x62\xe1\xa8\x07\xd4\xcf\xc5\xac\x9a\xe2\x75\x60\x14\x9a\x86\x9e\xaf\x4e\x46\xa7\xfd\xc7\x03\x75", 228); *(uint8_t*)0x200004ba = 9; *(uint8_t*)0x200004bb = 5; *(uint8_t*)0x200004bc = 0; *(uint8_t*)0x200004bd = 8; *(uint16_t*)0x200004be = 0x400; *(uint8_t*)0x200004c0 = 0x1f; *(uint8_t*)0x200004c1 = 0xe5; *(uint8_t*)0x200004c2 = 1; *(uint8_t*)0x200004c3 = 0xd8; *(uint8_t*)0x200004c4 = 2; memcpy((void*)0x200004c5, "\x3b\xe1\x77\x95\x19\x82\x5a\x94\xf8\x78\x6d\x27\xa3\x0f\x8b\xff\xd7\x37\x97\xba\x27\x4d\xc1\xf2\x1d\xb7\xc9\x16\x92\xbf\xf3\xa9\x45\x69\x78\x71\x2d\x40\xe5\xe6\x93\x61\x59\xb1\x74\xf7\x62\x12\x04\x3d\x5f\x7d\xac\x45\x57\x42\x35\xde\x47\x73\xcf\x1c\x00\xaa\xa9\xd0\x4d\x86\x33\x1f\xe2\x61\xd5\xa5\x7a\xf8\x6e\xd9\x7c\xa3\x05\xaf\x1e\x33\x46\xea\x1b\xbb\x85\x1e\x81\x36\x32\xd2\xe6\x9e\xc0\x41\x10\xce\xfc\x29\xae\x7d\xbc\x2a\x57\x99\xf9\xcf\x8c\xe3\x98\xb5\x3c\x1f\x72\x57\x83\x2c\x7f\xc4\xcd\x89\xf0\x52\x56\x1f\xb2\x68\x35\xf9\x09\x70\xe9\x7f\xcf\x52\xae\xa2\xdd\xa0\xd7\x2f\xd1\x05\x0a\x98\x2b\x5a\xfb\xd9\x4f\x73\xcb\x50\x5b\x75\x33\xf8\xde\xd2\xe5\xcf\xb6\xd8\x7c\xe6\xef\x2d\x36\x97\x54\xcb\x9d\x76\x36\x21\x81\xe6\xb7\xc0\x8e\x86\x8a\x8b\xb6\x83\x7f\xeb\x00\xa4\x19\x20\x93\xff\x80\x33\xaa\x63\x71\xeb\x02\x22\xff\x0b\x4c\xe7\x33\x7b\x40\xd2\x30\x39", 214); *(uint8_t*)0x2000059b = 0xb0; *(uint8_t*)0x2000059c = 4; memcpy((void*)0x2000059d, "\x53\x77\xb0\xa3\xd6\xfa\xbe\x2b\xe4\x86\x71\x00\x49\xd6\x51\x4c\x7a\xad\xcd\x0d\x30\xdb\x7f\x39\xc5\xe1\x43\xb8\x21\x6b\x9b\xbe\x9e\xb3\xed\x55\xce\x71\x02\x6b\x96\xff\x08\xeb\x3b\x05\x7e\x8d\x62\x83\xe6\x56\x86\x38\x3e\xab\x45\x13\xee\x1b\xf6\x34\x8a\xdf\x1b\xff\x30\xe3\x4d\xf4\x41\x57\x70\x5f\x08\x43\xad\x96\xa2\x90\x5b\x4d\x6e\xf0\xb8\x1f\x89\x70\x8b\xa1\xb3\xaf\x11\x3d\x5c\x16\xf6\xd5\x3c\xf3\x86\x82\x91\x4f\x18\x16\xe1\x41\xb0\xa5\x1d\x38\x71\x04\x50\xa2\xc5\xf0\xc5\x98\x7c\xa7\x87\x0d\x11\xe9\x20\xbb\xc2\x3d\x03\x6a\x1d\xf5\x89\x2f\xc0\xd5\x9f\x63\x79\xee\xbf\xcc\xaf\xf8\xfc\x1c\xc5\x69\x6f\x43\x25\xe9\xc3\xec\x3c\xa2\x9b\x78\xb4\x76\xba\x61\xaf\x6b\x51\x43\xf0\x0f\x39\x4a\xe2\xa5", 174); *(uint8_t*)0x2000064b = 9; *(uint8_t*)0x2000064c = 5; *(uint8_t*)0x2000064d = 1; *(uint8_t*)0x2000064e = 0x10; *(uint16_t*)0x2000064f = 0x3ff; *(uint8_t*)0x20000651 = 9; *(uint8_t*)0x20000652 = 6; *(uint8_t*)0x20000653 = 9; *(uint8_t*)0x20000654 = 9; *(uint8_t*)0x20000655 = 5; *(uint8_t*)0x20000656 = 6; *(uint8_t*)0x20000657 = 0; *(uint16_t*)0x20000658 = 0x3ff; *(uint8_t*)0x2000065a = 0x1f; *(uint8_t*)0x2000065b = 6; *(uint8_t*)0x2000065c = 7; *(uint8_t*)0x2000065d = 9; *(uint8_t*)0x2000065e = 5; *(uint8_t*)0x2000065f = 0x80; *(uint8_t*)0x20000660 = 0xc; *(uint16_t*)0x20000661 = 0x400; *(uint8_t*)0x20000663 = 2; *(uint8_t*)0x20000664 = 8; *(uint8_t*)0x20000665 = 6; *(uint8_t*)0x20000666 = 9; *(uint8_t*)0x20000667 = 5; *(uint8_t*)0x20000668 = 4; *(uint8_t*)0x20000669 = 2; *(uint16_t*)0x2000066a = 8; *(uint8_t*)0x2000066c = 0x3f; *(uint8_t*)0x2000066d = 0; *(uint8_t*)0x2000066e = 9; *(uint8_t*)0x2000066f = 0x7b; *(uint8_t*)0x20000670 = 7; memcpy((void*)0x20000671, "\xfa\xaf\xe1\x39\xe2\xc2\x6d\x2a\x37\xc4\xbd\x0f\x57\x0b\xe6\xf1\xaf\xe1\xe7\xdd\x31\x29\xbb\x4e\x93\xe1\xd9\x1f\xec\xda\x52\x92\xb1\xb8\x68\xe1\x46\x7f\x14\xd9\x9b\xb5\xd8\xa9\xea\xf4\xb5\x85\xce\x93\x9b\x3b\xe9\x55\x37\x63\x7d\x10\xa5\xc3\x1b\x79\x11\x61\x02\x5f\xb0\x3a\x9f\x97\xcb\xaf\x12\xc2\xd3\xfa\x96\x90\x62\xfd\xa6\x25\x22\x6a\x78\x44\xfc\x5d\xd3\xf7\x79\x06\x30\x35\xac\xe5\xc8\x37\xde\x73\x1f\x2d\x74\x20\xf5\x34\xb5\xf8\xab\xba\x9a\x74\x9a\x25\x44\x43\x4a\x21\xde\x8c\x68", 121); *(uint8_t*)0x200006ea = 9; *(uint8_t*)0x200006eb = 5; *(uint8_t*)0x200006ec = 0xe; *(uint8_t*)0x200006ed = 0x10; *(uint16_t*)0x200006ee = 8; *(uint8_t*)0x200006f0 = 1; *(uint8_t*)0x200006f1 = 1; *(uint8_t*)0x200006f2 = 0x95; *(uint8_t*)0x200006f3 = 9; *(uint8_t*)0x200006f4 = 5; *(uint8_t*)0x200006f5 = 8; *(uint8_t*)0x200006f6 = 8; *(uint16_t*)0x200006f7 = 0x40; *(uint8_t*)0x200006f9 = 4; *(uint8_t*)0x200006fa = 5; *(uint8_t*)0x200006fb = 0; *(uint32_t*)0x20000900 = 0xa; *(uint64_t*)0x20000904 = 0x20000700; *(uint8_t*)0x20000700 = 0xa; *(uint8_t*)0x20000701 = 6; *(uint16_t*)0x20000702 = 0x50; *(uint8_t*)0x20000704 = 0x14; *(uint8_t*)0x20000705 = 0x28; *(uint8_t*)0x20000706 = 6; *(uint8_t*)0x20000707 = 0x28; *(uint8_t*)0x20000708 = 9; *(uint8_t*)0x20000709 = 0; *(uint32_t*)0x2000090c = 0x51; *(uint64_t*)0x20000910 = 0x20000740; *(uint8_t*)0x20000740 = 5; *(uint8_t*)0x20000741 = 0xf; *(uint16_t*)0x20000742 = 0x51; *(uint8_t*)0x20000744 = 6; *(uint8_t*)0x20000745 = 3; *(uint8_t*)0x20000746 = 0x10; *(uint8_t*)0x20000747 = 0xb; *(uint8_t*)0x20000748 = 3; *(uint8_t*)0x20000749 = 0x10; *(uint8_t*)0x2000074a = 0xb; *(uint8_t*)0x2000074b = 0xb; *(uint8_t*)0x2000074c = 0x10; *(uint8_t*)0x2000074d = 1; *(uint8_t*)0x2000074e = 8; *(uint16_t*)0x2000074f = 0x10; *(uint8_t*)0x20000751 = -1; *(uint8_t*)0x20000752 = 6; *(uint16_t*)0x20000753 = 0x1000; *(uint8_t*)0x20000755 = 0x40; *(uint8_t*)0x20000756 = 0x14; *(uint8_t*)0x20000757 = 0x10; *(uint8_t*)0x20000758 = 4; *(uint8_t*)0x20000759 = 0; memcpy((void*)0x2000075a, "\xc1\x6e\xe1\x67\xa2\xc7\x69\x4c\xf8\xe1\xbb\x43\xa9\x0f\xfc\x24", 16); *(uint8_t*)0x2000076a = 0x24; *(uint8_t*)0x2000076b = 0x10; *(uint8_t*)0x2000076c = 0xa; *(uint8_t*)0x2000076d = -1; STORE_BY_BITMASK(uint32_t, , 0x2000076e, 6, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x2000076e, 0x400, 5, 27); *(uint16_t*)0x20000772 = 0xf88f; *(uint16_t*)0x20000774 = 0xfffa; *(uint32_t*)0x20000776 = 0; *(uint32_t*)0x2000077a = 0xc0c0; *(uint32_t*)0x2000077e = 0x60; *(uint32_t*)0x20000782 = 0xff3f00; *(uint32_t*)0x20000786 = 0xfff0; *(uint32_t*)0x2000078a = 0xff0000; *(uint8_t*)0x2000078e = 3; *(uint8_t*)0x2000078f = 0x10; *(uint8_t*)0x20000790 = 0xb; *(uint32_t*)0x20000918 = 2; *(uint32_t*)0x2000091c = 0xd8; *(uint64_t*)0x20000920 = 0x200007c0; *(uint8_t*)0x200007c0 = 0xd8; *(uint8_t*)0x200007c1 = 3; memcpy((void*)0x200007c2, "\xe4\xe5\x19\x94\x18\x62\x35\xf6\xdd\x68\x5b\x5a\xf9\xc7\x90\xd2\xc6\xac\x3b\x9c\x71\xac\xc8\xbe\x67\x68\x9e\x27\xdb\xea\x32\xef\xfd\xb2\xe6\x8b\x21\x87\x51\x72\xf6\x56\xee\x58\xca\x78\x2e\x43\xca\x10\x8c\x5e\xd0\xf6\xb3\x66\x62\x49\xb1\x03\x51\x8f\x49\xbf\xe2\xcd\x20\x1b\x7b\xa8\x16\xc3\x44\xf3\xe2\x40\xd8\x1e\x0c\xce\xe4\xc1\x1f\xb8\x60\xc6\x1f\x7b\xe1\xab\xaf\x0b\x22\x34\x30\x09\x17\x4c\x7c\xdf\x9d\xde\xc7\x03\x12\x42\x85\x4a\x0e\x95\x7f\x6b\x85\xe0\xc4\xee\xf6\x64\x30\x22\xa8\xd9\x60\xc0\x72\x0f\x8a\x63\x28\xf7\xff\xd7\x6f\x08\xec\x6a\x4c\x5a\x8b\xcd\x4e\xca\x63\xcd\xaf\x03\xd2\x45\xca\xe2\x84\xcf\x01\xfa\x3a\x58\x1d\xef\x6e\x67\xef\xdf\xce\x67\x91\x00\xdc\x6d\x9e\x7e\x3b\x8f\x8a\xed\xdf\xab\xae\xf5\xfe\x47\x91\x23\xd0\xd0\xbb\x2f\x8e\xf7\xce\xcd\x3f\xc1\x8b\x19\xa7\x24\x3b\x71\x8d\xd2\x7f\xb2\x68\x7c\xcb\x8a\xcf\xde\xb7\x41\xcd\x73\x17\xc0", 214); *(uint32_t*)0x20000928 = 4; *(uint64_t*)0x2000092c = 0x200008c0; *(uint8_t*)0x200008c0 = 4; *(uint8_t*)0x200008c1 = 3; *(uint16_t*)0x200008c2 = 0x414; syz_usb_connect(0, 0x5bc, 0x20000140, 0x20000900); break; case 12: syz_usb_disconnect(-1); break; } } int main(void) { syscall(SYS_mmap, 0x20000000ul, 0x1000000ul, 3ul, 0x1012ul, -1, 0ul, 0ul); setup_fault(); do_sandbox_none(); return 0; } compiler invocation: /syzkaller/shared/netbsd/tools/bin/x86_64--netbsd-g++ [-o /tmp/syz-executor2495809646 -DGOOS_netbsd=1 -DGOARCH_amd64=1 -DHOSTGOOS_linux=1 -x c - -m64 --sysroot /syzkaller/shared/netbsd/dest/ -O2 -pthread -Wall -Werror -Wparentheses -Wframe-larger-than=16384] --- FAIL: TestGenerate/netbsd/amd64/15 (0.27s) csource_test.go:150: opts: {Threaded:true Repeat:true RepeatTimes:0 Procs:0 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false UseTmpDir:true HandleSegv:false Repro:false Trace:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}} program: __utimes50(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)={0x5, 0x6}) (fail_nth: 1) __getfh30(&(0x7f0000000080)='./file0\x00', &(0x7f00000000c0)=""/164, &(0x7f0000000180)=0x5) (async) r0 = open(&(0x7f00000001c0)='./file0\x00', 0x80, 0x100) (rerun: 4) preadv(r0, &(0x7f0000000400)=[{&(0x7f0000000200)}, {&(0x7f0000000240)=""/44, 0x2c}, {&(0x7f0000000280)=""/178, 0xb2}, {&(0x7f0000000340)=""/177, 0xb1}], 0x4, 0x6) r1 = open(&(0x7f0000000440)='./file0\x00', 0x1000000, 0x0) ioctl$WSDISPLAYIO_LINEBYTES(r1, 0x4004575f, &(0x7f0000000480)) compat_14_shmctl$IPC_STAT(0x0, 0x2, &(0x7f00000005c0)={{}, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f00000004c0)="3956ea187715b364f078d22529010e881c15c4ac905a9b741377a29b3f3fd079dcb31dd9078105605ab6c33582b04ecd1c5a5abda9a069cffc19b623cc7e6ca30ea644af2f9ff3f041485f48d1b5f6ed0235468e741f3634e6eda358c8f7352473f5ce3b37d5d91ed29d5a2a2e99c624ae17d13e54a403f2b179e43ac281c4246974151fbcb79220047b0174dd3236784c581a21e229a71f2283fd0bb1810cc554da71c721a7df2f74dc3b6baae1635c72ad1a07dfe655cdf7e52774ef46b5372d0fa1cad8a288a74d34964db96760e2cf8586f2ea7dad"}) fchmodat(r0, &(0x7f0000000600)='./file0\x00', 0x800, 0x500) __getfh30(&(0x7f0000000640)='./file0\x00', &(0x7f0000000680)=""/173, &(0x7f0000000740)=0x48000) recvfrom$unix(r0, &(0x7f0000000780)=""/127, 0x7f, 0x9080, 0x0, 0x0) syz_emit_ethernet(0xa8, &(0x7f0000000000)="7cdc7f3d7523bc457cc7061f4218d205a9121313b3382a24390756c28e681e8ae64f9faefb9773a6088d8507b9f588abff90ed553d01e60af1ce4d9db1ae174c74afd76b975ec8e14ed2ecf1ea152061fe82fe634d1d1d20bfd25ca07d9ce4531e9c745c512bd468865e81abeaffeae134bea52451f13a61092e1d81780479ec9ce32bde5b1f03166d656fa34cd18fc1fbd00b1632fbd99d303f0c69398bc4dae4c54a53cb9abee5") syz_execute_func(&(0x7f00000000c0)="c4217d2800673642d9f6c4a1d45e7bf2c44171d30ec462a104d5660f6e5600420f01eec4214d67560ed8b0df1cc1f1c4e17ee64c5b06") syz_extract_tcp_res(&(0x7f0000000100), 0x0, 0x8) syz_usb_connect(0x0, 0x5bc, &(0x7f0000000140)={{0x12, 0x1, 0x201, 0x0, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x5aa, 0x1, 0x0, 0x4d, 0x0, 0x5, [{{0x9, 0x4, 0x7f, 0x2, 0x10, 0x0, 0x0, 0x0, 0x1f, [@cdc_ncm={{0xa, 0x24, 0x6, 0x0, 0x1, "c31ca1665e"}, {0x5, 0x24, 0x0, 0x6}, {0xd, 0x24, 0xf, 0x1, 0xfffffe01, 0x7fff, 0xfe01, 0x1}, {0x6, 0x24, 0x1a, 0x101}, [@country_functional={0x6, 0x24, 0x7, 0xfd, 0x1000}, @acm={0x4, 0x24, 0x2, 0xf}, @call_mgmt={0x5, 0x24, 0x1, 0x3, 0xd0}, @dmm={0x7, 0x24, 0x14, 0x5, 0x9}]}, @generic={0xba, 0xb, "fe82f412bde13cfe9a7c58428cb9c3a085528b59210545973bdc2aa0c21153e71c9f065bbef110ef76911ae14a69050c92640446799fa1dc7aa0c243c215b0afa1309900f0be311c8259db4122e479aa5291ed38ba4b00ce42693f27395216818197276335cc1c977550da0a1f62519c184c228c94bcc63e4bda51b0deedcd99e26844ea31953103142c05bb4f68263771ca791acfb8e6f1b7e1c8c6b47a7290ee50a6d9d6c64f7e2018c62bd45d9d9326861a01e0593026"}], [{{0x9, 0x5, 0x9, 0x10, 0xbf7, 0x80, 0x3, 0x80, [@uac_iso={0x7, 0x25, 0x1, 0x1, 0x81, 0xb6}]}}, {{0x9, 0x5, 0x5, 0x3, 0x20, 0x5, 0x8, 0xf5, [@uac_iso={0x7, 0x25, 0x1, 0x3, 0x81, 0x5}]}}, {{0x9, 0x5, 0x3, 0x1, 0x40, 0x1f, 0x2, 0x0, [@uac_iso={0x7, 0x25, 0x1, 0x0, 0x3, 0x8001}, @uac_iso={0x7, 0x25, 0x1, 0x3, 0x74, 0x4}]}}, {{0x9, 0x5, 0x6, 0x4, 0x20, 0xc3, 0x4, 0x30, [@uac_iso={0x7, 0x25, 0x1, 0x80, 0x0, 0x1}, @generic={0x9e, 0x21, "1a0380c07acd2903333b9ee1a73421f88915a3939a28a2a21a53be2ea907f73f40513cd60a484a95155348fd7cd7928796335066c54fa273655eed763577efa806a489ed9ee1473ce85f420c0c527764aefdd88e116ca338e920cea4645fa6005fecea1ab9cfc4aa74fee4f55192f612d98fd96cb5404152c5d352118853a9f7026a95e6ddd19c24df1a2f9ab247ef37a063b2ed773755b9766a0a47"}]}}, {{0x9, 0x5, 0x0, 0xc, 0x400, 0x2, 0x7b, 0x27, [@uac_iso={0x7, 0x25, 0x1, 0x80, 0x8, 0x8}, @uac_iso={0x7, 0x25, 0x1, 0x81, 0x40, 0x1f}]}}, {{0x9, 0x5, 0x80, 0x8, 0x8, 0x0, 0x6}}, {{0x9, 0x5, 0xc, 0x0, 0x200, 0x7f, 0x8, 0x8, [@uac_iso={0x7, 0x25, 0x1, 0x42, 0x0, 0x3}]}}, {{0x9, 0x5, 0x6, 0x1, 0x10, 0x7f, 0x6, 0x20, [@generic={0x3e, 0x24, "3279e68b3107ce57e93f9b3d336fefa9de179b08505c0edd9edf7339466085554d34e4571b470f40aacb1c79140c88fce17873e9a606d0d0ae191306"}, @generic={0x19, 0x23, "a5c0a892c2b95a227dc6623c0b74310c155d862f239e16"}]}}, {{0x9, 0x5, 0x1, 0x0, 0x20, 0x2, 0x81, 0x40, [@generic={0xe6, 0x30, "5dc526386b6e274ce9c060656dd756e8d6bae3de5b6d899add115e5c8359a147fc3b4630114b017fe4e9d7c9f92e32d1988c0ccb1ed7621114fa2c225280ef03024e75e1fae3e646ffe71a417afedcdc061eba0b1dfa91ec7ae5aa5f96e15c4c72ff5fb57f5033f1fc1c99b8ee5502c3217a1123b5c0df2dd8574ea1a54fe11e8e3aa570a93cb20ceef3f3b3b5343b0af5cae6d05f2bf9044d71b2c3abf277629bcc887b3086a1d691243f2ca2b15d6388a748f30b9ba3bc4d473dc28c196c2ebd244e8af69d1a6d4def0eca62e1a807d4cfc5ac9ae27560149a869eaf4e46a7fdc70375"}]}}, {{0x9, 0x5, 0x0, 0x8, 0x400, 0x1f, 0xe5, 0x1, [@generic={0xd8, 0x2, "3be1779519825a94f8786d27a30f8bffd73797ba274dc1f21db7c91692bff3a9456978712d40e5e6936159b174f76212043d5f7dac45574235de4773cf1c00aaa9d04d86331fe261d5a57af86ed97ca305af1e3346ea1bbb851e813632d2e69ec04110cefc29ae7dbc2a5799f9cf8ce398b53c1f7257832c7fc4cd89f052561fb26835f90970e97fcf52aea2dda0d72fd1050a982b5afbd94f73cb505b7533f8ded2e5cfb6d87ce6ef2d369754cb9d76362181e6b7c08e868a8bb6837feb00a4192093ff8033aa6371eb0222ff0b4ce7337b40d23039"}, @generic={0xb0, 0x4, "5377b0a3d6fabe2be486710049d6514c7aadcd0d30db7f39c5e143b8216b9bbe9eb3ed55ce71026b96ff08eb3b057e8d6283e65686383eab4513ee1bf6348adf1bff30e34df44157705f0843ad96a2905b4d6ef0b81f89708ba1b3af113d5c16f6d53cf38682914f1816e141b0a51d38710450a2c5f0c5987ca7870d11e920bbc23d036a1df5892fc0d59f6379eebfccaff8fc1cc5696f4325e9c3ec3ca29b78b476ba61af6b5143f00f394ae2a5"}]}}, {{0x9, 0x5, 0x1, 0x10, 0x3ff, 0x9, 0x6, 0x9}}, {{0x9, 0x5, 0x6, 0x0, 0x3ff, 0x1f, 0x6, 0x7}}, {{0x9, 0x5, 0x80, 0xc, 0x400, 0x2, 0x8, 0x6}}, {{0x9, 0x5, 0x4, 0x2, 0x8, 0x3f, 0x0, 0x9, [@generic={0x7b, 0x7, "faafe139e2c26d2a37c4bd0f570be6f1afe1e7dd3129bb4e93e1d91fecda5292b1b868e1467f14d99bb5d8a9eaf4b585ce939b3be95537637d10a5c31b791161025fb03a9f97cbaf12c2d3fa969062fda625226a7844fc5dd3f779063035ace5c837de731f2d7420f534b5f8abba9a749a2544434a21de8c68"}]}}, {{0x9, 0x5, 0xe, 0x10, 0x8, 0x1, 0x1, 0x95}}, {{0x9, 0x5, 0x8, 0x8, 0x40, 0x4, 0x5}}]}}]}}]}}, &(0x7f0000000900)={0xa, &(0x7f0000000700)={0xa, 0x6, 0x50, 0x14, 0x28, 0x6, 0x28, 0x9}, 0x51, &(0x7f0000000740)={0x5, 0xf, 0x51, 0x6, [@ptm_cap={0x3}, @ptm_cap={0x3}, @wireless={0xb, 0x10, 0x1, 0x8, 0x10, 0xff, 0x6, 0x1000, 0x40}, @ss_container_id={0x14, 0x10, 0x4, 0x0, "c16ee167a2c7694cf8e1bb43a90ffc24"}, @ssp_cap={0x24, 0x10, 0xa, 0xff, 0x6, 0x400, 0xf88f, 0xfffa, [0x0, 0xc0c0, 0x60, 0xff3f00, 0xfff0, 0xff0000]}, @ptm_cap={0x3}]}, 0x2, [{0xd8, &(0x7f00000007c0)=@string={0xd8, 0x3, "e4e51994186235f6dd685b5af9c790d2c6ac3b9c71acc8be67689e27dbea32effdb2e68b21875172f656ee58ca782e43ca108c5ed0f6b3666249b103518f49bfe2cd201b7ba816c344f3e240d81e0ccee4c11fb860c61f7be1abaf0b22343009174c7cdf9ddec7031242854a0e957f6b85e0c4eef6643022a8d960c0720f8a6328f7ffd76f08ec6a4c5a8bcd4eca63cdaf03d245cae284cf01fa3a581def6e67efdfce679100dc6d9e7e3b8f8aeddfabaef5fe479123d0d0bb2f8ef7cecd3fc18b19a7243b718dd27fb2687ccb8acfdeb741cd7317c0"}}, {0x4, &(0x7f00000008c0)=@lang_id={0x4, 0x3, 0x414}}]}) syz_usb_disconnect(0xffffffffffffffff) csource_test.go:151: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #ifndef SYS___getfh30 #define SYS___getfh30 395 #endif #ifndef SYS___utimes50 #define SYS___utimes50 420 #endif #ifndef SYS_compat_14_shmctl #define SYS_compat_14_shmctl 229 #endif #ifndef SYS_fchmodat #define SYS_fchmodat 463 #endif #ifndef SYS_ioctl #define SYS_ioctl 54 #endif #ifndef SYS_mmap #define SYS_mmap 197 #endif #ifndef SYS_open #define SYS_open 5 #endif #ifndef SYS_preadv #define SYS_preadv 289 #endif #ifndef SYS_recvfrom #define SYS_recvfrom 29 #endif static unsigned long long procid; static void kill_and_wait(int pid, int* status) { kill(pid, SIGKILL); while (waitpid(-1, status, 0) != pid) { } } static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void use_temporary_dir(void) { char tmpdir_template[] = "./syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) exit(1); if (chmod(tmpdir, 0777)) exit(1); if (chdir(tmpdir)) exit(1); } static void __attribute__((noinline)) remove_dir(const char* dir) { DIR* dp = opendir(dir); if (dp == NULL) { if (errno == EACCES) { if (rmdir(dir)) exit(1); return; } exit(1); } struct dirent* ep = 0; while ((ep = readdir(dp))) { if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0) continue; char filename[FILENAME_MAX]; snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name); struct stat st; if (lstat(filename, &st)) exit(1); if (S_ISDIR(st.st_mode)) { remove_dir(filename); continue; } if (unlink(filename)) { exit(1); } } closedir(dp); while (rmdir(dir)) { exit(1); } } static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); pthread_attr_setstacksize(&attr, 128 << 10); int i = 0; for (; i < 100; i++) { if (pthread_create(&th, &attr, fn, arg) == 0) { pthread_attr_destroy(&attr); return; } if (errno == EAGAIN) { usleep(50); continue; } break; } exit(1); } typedef struct { pthread_mutex_t mu; pthread_cond_t cv; int state; } event_t; static void event_init(event_t* ev) { if (pthread_mutex_init(&ev->mu, 0)) exit(1); if (pthread_cond_init(&ev->cv, 0)) exit(1); ev->state = 0; } static void event_reset(event_t* ev) { ev->state = 0; } static void event_set(event_t* ev) { pthread_mutex_lock(&ev->mu); if (ev->state) exit(1); ev->state = 1; pthread_mutex_unlock(&ev->mu); pthread_cond_broadcast(&ev->cv); } static void event_wait(event_t* ev) { pthread_mutex_lock(&ev->mu); while (!ev->state) pthread_cond_wait(&ev->cv, &ev->mu); pthread_mutex_unlock(&ev->mu); } static int event_isset(event_t* ev) { pthread_mutex_lock(&ev->mu); int res = ev->state; pthread_mutex_unlock(&ev->mu); return res; } static int event_timedwait(event_t* ev, uint64_t timeout) { uint64_t start = current_time_ms(); uint64_t now = start; pthread_mutex_lock(&ev->mu); for (;;) { if (ev->state) break; uint64_t remain = timeout - (now - start); struct timespec ts; ts.tv_sec = remain / 1000; ts.tv_nsec = (remain % 1000) * 1000 * 1000; pthread_cond_timedwait(&ev->cv, &ev->mu, &ts); now = current_time_ms(); if (now - start > timeout) break; } int res = ev->state; pthread_mutex_unlock(&ev->mu); return res; } #define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off)) #define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len)))) struct usb_endpoint_descriptor { uint8_t bLength; uint8_t bDescriptorType; uint8_t bEndpointAddress; uint8_t bmAttributes; uint16_t wMaxPacketSize; uint8_t bInterval; uint8_t bRefresh; uint8_t bSynchAddress; } __attribute__((packed)); struct usb_device_descriptor { uint8_t bLength; uint8_t bDescriptorType; uint16_t bcdUSB; uint8_t bDeviceClass; uint8_t bDeviceSubClass; uint8_t bDeviceProtocol; uint8_t bMaxPacketSize0; uint16_t idVendor; uint16_t idProduct; uint16_t bcdDevice; uint8_t iManufacturer; uint8_t iProduct; uint8_t iSerialNumber; uint8_t bNumConfigurations; } __attribute__((packed)); struct usb_config_descriptor { uint8_t bLength; uint8_t bDescriptorType; uint16_t wTotalLength; uint8_t bNumInterfaces; uint8_t bConfigurationValue; uint8_t iConfiguration; uint8_t bmAttributes; uint8_t bMaxPower; } __attribute__((packed)); struct usb_interface_descriptor { uint8_t bLength; uint8_t bDescriptorType; uint8_t bInterfaceNumber; uint8_t bAlternateSetting; uint8_t bNumEndpoints; uint8_t bInterfaceClass; uint8_t bInterfaceSubClass; uint8_t bInterfaceProtocol; uint8_t iInterface; } __attribute__((packed)); struct usb_ctrlrequest { uint8_t bRequestType; uint8_t bRequest; uint16_t wValue; uint16_t wIndex; uint16_t wLength; } __attribute__((packed)); struct usb_qualifier_descriptor { uint8_t bLength; uint8_t bDescriptorType; uint16_t bcdUSB; uint8_t bDeviceClass; uint8_t bDeviceSubClass; uint8_t bDeviceProtocol; uint8_t bMaxPacketSize0; uint8_t bNumConfigurations; uint8_t bRESERVED; } __attribute__((packed)); #define USB_TYPE_MASK (0x03 << 5) #define USB_TYPE_STANDARD (0x00 << 5) #define USB_TYPE_CLASS (0x01 << 5) #define USB_TYPE_VENDOR (0x02 << 5) #define USB_TYPE_RESERVED (0x03 << 5) #define USB_DT_DEVICE 0x01 #define USB_DT_CONFIG 0x02 #define USB_DT_STRING 0x03 #define USB_DT_INTERFACE 0x04 #define USB_DT_ENDPOINT 0x05 #define USB_DT_DEVICE_QUALIFIER 0x06 #define USB_DT_OTHER_SPEED_CONFIG 0x07 #define USB_DT_INTERFACE_POWER 0x08 #define USB_DT_OTG 0x09 #define USB_DT_DEBUG 0x0a #define USB_DT_INTERFACE_ASSOCIATION 0x0b #define USB_DT_SECURITY 0x0c #define USB_DT_KEY 0x0d #define USB_DT_ENCRYPTION_TYPE 0x0e #define USB_DT_BOS 0x0f #define USB_DT_DEVICE_CAPABILITY 0x10 #define USB_DT_WIRELESS_ENDPOINT_COMP 0x11 #define USB_DT_WIRE_ADAPTER 0x21 #define USB_DT_RPIPE 0x22 #define USB_DT_CS_RADIO_CONTROL 0x23 #define USB_DT_PIPE_USAGE 0x24 #define USB_DT_SS_ENDPOINT_COMP 0x30 #define USB_DT_SSP_ISOC_ENDPOINT_COMP 0x31 #define USB_REQ_GET_STATUS 0x00 #define USB_REQ_CLEAR_FEATURE 0x01 #define USB_REQ_SET_FEATURE 0x03 #define USB_REQ_SET_ADDRESS 0x05 #define USB_REQ_GET_DESCRIPTOR 0x06 #define USB_REQ_SET_DESCRIPTOR 0x07 #define USB_REQ_GET_CONFIGURATION 0x08 #define USB_REQ_SET_CONFIGURATION 0x09 #define USB_REQ_GET_INTERFACE 0x0A #define USB_REQ_SET_INTERFACE 0x0B #define USB_REQ_SYNCH_FRAME 0x0C #define USB_REQ_SET_SEL 0x30 #define USB_REQ_SET_ISOCH_DELAY 0x31 #define USB_REQ_SET_ENCRYPTION 0x0D #define USB_REQ_GET_ENCRYPTION 0x0E #define USB_REQ_RPIPE_ABORT 0x0E #define USB_REQ_SET_HANDSHAKE 0x0F #define USB_REQ_RPIPE_RESET 0x0F #define USB_REQ_GET_HANDSHAKE 0x10 #define USB_REQ_SET_CONNECTION 0x11 #define USB_REQ_SET_SECURITY_DATA 0x12 #define USB_REQ_GET_SECURITY_DATA 0x13 #define USB_REQ_SET_WUSB_DATA 0x14 #define USB_REQ_LOOPBACK_DATA_WRITE 0x15 #define USB_REQ_LOOPBACK_DATA_READ 0x16 #define USB_REQ_SET_INTERFACE_DS 0x17 #define USB_REQ_GET_PARTNER_PDO 20 #define USB_REQ_GET_BATTERY_STATUS 21 #define USB_REQ_SET_PDO 22 #define USB_REQ_GET_VDM 23 #define USB_REQ_SEND_VDM 24 #define USB_MAX_IFACE_NUM 4 #define USB_MAX_EP_NUM 32 #define USB_MAX_FDS 6 struct usb_endpoint_index { struct usb_endpoint_descriptor desc; int handle; }; struct usb_iface_index { struct usb_interface_descriptor* iface; uint8_t bInterfaceNumber; uint8_t bAlternateSetting; uint8_t bInterfaceClass; struct usb_endpoint_index eps[USB_MAX_EP_NUM]; int eps_num; }; struct usb_device_index { struct usb_device_descriptor* dev; struct usb_config_descriptor* config; uint8_t bDeviceClass; uint8_t bMaxPower; int config_length; struct usb_iface_index ifaces[USB_MAX_IFACE_NUM]; int ifaces_num; int iface_cur; }; struct usb_info { int fd; struct usb_device_index index; }; static struct usb_info usb_devices[USB_MAX_FDS]; static struct usb_device_index* lookup_usb_index(int fd) { for (int i = 0; i < USB_MAX_FDS; i++) { if (__atomic_load_n(&usb_devices[i].fd, __ATOMIC_ACQUIRE) == fd) return &usb_devices[i].index; } return NULL; } static int usb_devices_num; static bool parse_usb_descriptor(const char* buffer, size_t length, struct usb_device_index* index) { if (length < sizeof(*index->dev) + sizeof(*index->config)) return false; memset(index, 0, sizeof(*index)); index->dev = (struct usb_device_descriptor*)buffer; index->config = (struct usb_config_descriptor*)(buffer + sizeof(*index->dev)); index->bDeviceClass = index->dev->bDeviceClass; index->bMaxPower = index->config->bMaxPower; index->config_length = length - sizeof(*index->dev); index->iface_cur = -1; size_t offset = 0; while (true) { if (offset + 1 >= length) break; uint8_t desc_length = buffer[offset]; uint8_t desc_type = buffer[offset + 1]; if (desc_length <= 2) break; if (offset + desc_length > length) break; if (desc_type == USB_DT_INTERFACE && index->ifaces_num < USB_MAX_IFACE_NUM) { struct usb_interface_descriptor* iface = (struct usb_interface_descriptor*)(buffer + offset); index->ifaces[index->ifaces_num].iface = iface; index->ifaces[index->ifaces_num].bInterfaceNumber = iface->bInterfaceNumber; index->ifaces[index->ifaces_num].bAlternateSetting = iface->bAlternateSetting; index->ifaces[index->ifaces_num].bInterfaceClass = iface->bInterfaceClass; index->ifaces_num++; } if (desc_type == USB_DT_ENDPOINT && index->ifaces_num > 0) { struct usb_iface_index* iface = &index->ifaces[index->ifaces_num - 1]; if (iface->eps_num < USB_MAX_EP_NUM) { memcpy(&iface->eps[iface->eps_num].desc, buffer + offset, sizeof(iface->eps[iface->eps_num].desc)); iface->eps_num++; } } offset += desc_length; } return true; } static struct usb_device_index* add_usb_index(int fd, const char* dev, size_t dev_len) { int i = __atomic_fetch_add(&usb_devices_num, 1, __ATOMIC_RELAXED); if (i >= USB_MAX_FDS) return NULL; if (!parse_usb_descriptor(dev, dev_len, &usb_devices[i].index)) return NULL; __atomic_store_n(&usb_devices[i].fd, fd, __ATOMIC_RELEASE); return &usb_devices[i].index; } struct vusb_connect_string_descriptor { uint32_t len; char* str; } __attribute__((packed)); struct vusb_connect_descriptors { uint32_t qual_len; char* qual; uint32_t bos_len; char* bos; uint32_t strs_len; struct vusb_connect_string_descriptor strs[0]; } __attribute__((packed)); static const char default_string[] = { 8, USB_DT_STRING, 's', 0, 'y', 0, 'z', 0 }; static const char default_lang_id[] = { 4, USB_DT_STRING, 0x09, 0x04 }; static bool lookup_connect_response_in(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, struct usb_qualifier_descriptor* qual, char** response_data, uint32_t* response_length) { struct usb_device_index* index = lookup_usb_index(fd); uint8_t str_idx; if (!index) return false; switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_GET_DESCRIPTOR: switch (ctrl->wValue >> 8) { case USB_DT_DEVICE: *response_data = (char*)index->dev; *response_length = sizeof(*index->dev); return true; case USB_DT_CONFIG: *response_data = (char*)index->config; *response_length = index->config_length; return true; case USB_DT_STRING: str_idx = (uint8_t)ctrl->wValue; if (descs && str_idx < descs->strs_len) { *response_data = descs->strs[str_idx].str; *response_length = descs->strs[str_idx].len; return true; } if (str_idx == 0) { *response_data = (char*)&default_lang_id[0]; *response_length = default_lang_id[0]; return true; } *response_data = (char*)&default_string[0]; *response_length = default_string[0]; return true; case USB_DT_BOS: *response_data = descs->bos; *response_length = descs->bos_len; return true; case USB_DT_DEVICE_QUALIFIER: if (!descs->qual) { qual->bLength = sizeof(*qual); qual->bDescriptorType = USB_DT_DEVICE_QUALIFIER; qual->bcdUSB = index->dev->bcdUSB; qual->bDeviceClass = index->dev->bDeviceClass; qual->bDeviceSubClass = index->dev->bDeviceSubClass; qual->bDeviceProtocol = index->dev->bDeviceProtocol; qual->bMaxPacketSize0 = index->dev->bMaxPacketSize0; qual->bNumConfigurations = index->dev->bNumConfigurations; qual->bRESERVED = 0; *response_data = (char*)qual; *response_length = sizeof(*qual); return true; } *response_data = descs->qual; *response_length = descs->qual_len; return true; default: break; } break; default: break; } break; default: break; } return false; } typedef bool (*lookup_connect_out_response_t)(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done); static bool lookup_connect_response_out_generic(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done) { switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_SET_CONFIGURATION: *done = true; return true; default: break; } break; } return false; } static int vhci_open(void) { char path[1024]; snprintf(path, sizeof(path), "/dev/vhci%llu", procid); return open(path, O_RDWR); } static int vhci_setport(int fd, u_int port) { struct vhci_ioc_set_port args; args.port = port; return ioctl(fd, VHCI_IOC_SET_PORT, &args); } static int vhci_usb_attach(int fd) { return ioctl(fd, VHCI_IOC_USB_ATTACH, NULL); } static int vhci_usb_recv(int fd, void* buf, size_t size) { uint8_t* ptr = (uint8_t*)buf; while (1) { ssize_t done = read(fd, ptr, size); if (done < 0) return -1; if ((size_t)done == size) return 0; size -= done; ptr += done; } } static int vhci_usb_send(int fd, void* buf, size_t size) { uint8_t* ptr = (uint8_t*)buf; while (1) { ssize_t done = write(fd, ptr, size); if (done <= 0) return -1; if ((size_t)done == size) return 0; size -= done; ptr += done; } } static volatile long syz_usb_connect_impl(int fd, uint64_t speed, uint64_t dev_len, const char* dev, const struct vusb_connect_descriptors* descs, lookup_connect_out_response_t lookup_connect_response_out) { struct usb_device_index* index = add_usb_index(fd, dev, dev_len); if (!index) { return -1; } if (vhci_setport(fd, 1)) exit(1); if (vhci_usb_attach(fd)) { return -1; } bool done = false; while (!done) { vhci_request_t req; if (vhci_usb_recv(fd, &req, sizeof(req))) { return -1; } if (req.type != VHCI_REQ_CTRL) { return -1; } char* response_data = NULL; uint32_t response_length = 0; struct usb_qualifier_descriptor qual; char data[4096]; if (req.u.ctrl.bmRequestType & UE_DIR_IN) { if (!lookup_connect_response_in(fd, descs, (const struct usb_ctrlrequest*)&req.u.ctrl, &qual, &response_data, &response_length)) { return -1; } } else { if (!lookup_connect_response_out(fd, descs, (const struct usb_ctrlrequest*)&req.u.ctrl, &done)) { return -1; } response_data = NULL; response_length = UGETW(req.u.ctrl.wLength); } if ((req.u.ctrl.bmRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD && req.u.ctrl.bRequest == USB_REQ_SET_CONFIGURATION) { } if (response_length > sizeof(data)) response_length = 0; if ((uint32_t)UGETW(req.u.ctrl.wLength) < response_length) response_length = UGETW(req.u.ctrl.wLength); if (response_data) memcpy(data, response_data, response_length); else memset(data, 0, response_length); int rv = 0; if (req.u.ctrl.bmRequestType & UE_DIR_IN) { if (response_length > 0) { vhci_response_t res; res.size = response_length; rv = vhci_usb_send(fd, &res, sizeof(res)); if (rv == 0) rv = vhci_usb_send(fd, data, response_length); } } else { rv = vhci_usb_recv(fd, data, response_length); } if (rv < 0) { return -1; } } sleep_ms(200); return fd; } static volatile long syz_usb_connect(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { uint64_t speed = a0; uint64_t dev_len = a1; const char* dev = (const char*)a2; const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3; if (!dev) { return -1; } int fd = vhci_open(); if (fd < 0) exit(1); long res = syz_usb_connect_impl(fd, speed, dev_len, dev, descs, &lookup_connect_response_out_generic); close(fd); return res; } static volatile long syz_usb_disconnect(volatile long a0) { int fd = a0; int rv = close(fd); sleep_ms(200); return rv; } static void setup_fault(void) { if (chmod("/dev/fault", 0666)) exit(1); } static int inject_fault(int nth) { struct fault_ioc_enable en; int fd; fd = open("/dev/fault", O_RDWR); if (fd == -1) exit(1); en.scope = FAULT_SCOPE_LWP; en.mode = 0; en.nth = nth + 1; if (ioctl(fd, FAULT_IOC_ENABLE, &en) != 0) exit(1); return fd; } static void sandbox_common() { struct rlimit rlim; rlim.rlim_cur = rlim.rlim_max = 8 << 20; setrlimit(RLIMIT_MEMLOCK, &rlim); rlim.rlim_cur = rlim.rlim_max = 1 << 20; setrlimit(RLIMIT_FSIZE, &rlim); rlim.rlim_cur = rlim.rlim_max = 1 << 20; setrlimit(RLIMIT_STACK, &rlim); rlim.rlim_cur = rlim.rlim_max = 0; setrlimit(RLIMIT_CORE, &rlim); rlim.rlim_cur = rlim.rlim_max = 256; setrlimit(RLIMIT_NOFILE, &rlim); } static void loop(); static int do_sandbox_none(void) { sandbox_common(); loop(); return 0; } static long syz_execute_func(volatile long text) { ((void (*)(void))(text))(); return 0; } struct thread_t { int created, call; event_t ready, done; }; static struct thread_t threads[16]; static void execute_call(int call); static int running; static void* thr(void* arg) { struct thread_t* th = (struct thread_t*)arg; for (;;) { event_wait(&th->ready); event_reset(&th->ready); execute_call(th->call); __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED); event_set(&th->done); } return 0; } static void execute_one(void) { fprintf(stderr, "### start\n"); int i, call, thread; for (call = 0; call < 13; call++) { for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) { struct thread_t* th = &threads[thread]; if (!th->created) { th->created = 1; event_init(&th->ready); event_init(&th->done); event_set(&th->done); thread_start(thr, th); } if (!event_isset(&th->done)) continue; event_reset(&th->done); th->call = call; __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED); event_set(&th->ready); if (call == 1) break; event_timedwait(&th->done, 50 + (call == 11 ? 3000 : 0) + (call == 12 ? 300 : 0)); break; } } for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++) sleep_ms(1); } static void execute_one(void); #define WAIT_FLAGS 0 static void loop(void) { int iter = 0; for (;; iter++) { char cwdbuf[32]; sprintf(cwdbuf, "./%d", iter); if (mkdir(cwdbuf, 0777)) exit(1); int pid = fork(); if (pid < 0) exit(1); if (pid == 0) { if (chdir(cwdbuf)) exit(1); execute_one(); exit(0); } int status = 0; uint64_t start = current_time_ms(); for (;;) { if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) break; sleep_ms(1); if (current_time_ms() - start < 5000) continue; kill_and_wait(pid, &status); break; } remove_dir(cwdbuf); } } uint64_t r[2] = {0xffffffffffffffff, 0xffffffffffffffff}; void execute_call(int call) { intptr_t res = 0; switch (call) { case 0: memcpy((void*)0x20000000, "./file0\000", 8); *(uint64_t*)0x20000040 = 5; *(uint64_t*)0x20000048 = 6; inject_fault(1); res = syscall(SYS___utimes50, 0x20000000ul, 0x20000040ul); fprintf(stderr, "### call=0 errno=%u\n", res == -1 ? errno : 0); break; case 1: memcpy((void*)0x20000080, "./file0\000", 8); *(uint64_t*)0x20000180 = 5; res = syscall(SYS___getfh30, 0x20000080ul, 0x200000c0ul, 0x20000180ul); fprintf(stderr, "### call=1 errno=%u\n", res == -1 ? errno : 0); break; case 2: memcpy((void*)0x200001c0, "./file0\000", 8); res = syscall(SYS_open, 0x200001c0ul, 0x80ul, 0x100ul); fprintf(stderr, "### call=2 errno=%u\n", res == -1 ? errno : 0); { int i; for(i = 0; i < 4; i++) { syscall(SYS_open, 0x200001c0ul, 0x80ul, 0x100ul); } } if (res != -1) r[0] = res; break; case 3: *(uint64_t*)0x20000400 = 0x20000200; *(uint64_t*)0x20000408 = 0; *(uint64_t*)0x20000410 = 0x20000240; *(uint64_t*)0x20000418 = 0x2c; *(uint64_t*)0x20000420 = 0x20000280; *(uint64_t*)0x20000428 = 0xb2; *(uint64_t*)0x20000430 = 0x20000340; *(uint64_t*)0x20000438 = 0xb1; res = syscall(SYS_preadv, r[0], 0x20000400ul, 4ul, 6ul); fprintf(stderr, "### call=3 errno=%u\n", res == -1 ? errno : 0); break; case 4: memcpy((void*)0x20000440, "./file0\000", 8); res = syscall(SYS_open, 0x20000440ul, 0x1000000ul, 0ul); fprintf(stderr, "### call=4 errno=%u\n", res == -1 ? errno : 0); if (res != -1) r[1] = res; break; case 5: res = syscall(SYS_ioctl, r[1], 0x4004575ful, 0x20000480ul); fprintf(stderr, "### call=5 errno=%u\n", res == -1 ? errno : 0); break; case 6: *(uint64_t*)0x200005f8 = 0x200004c0; memcpy((void*)0x200004c0, "\x39\x56\xea\x18\x77\x15\xb3\x64\xf0\x78\xd2\x25\x29\x01\x0e\x88\x1c\x15\xc4\xac\x90\x5a\x9b\x74\x13\x77\xa2\x9b\x3f\x3f\xd0\x79\xdc\xb3\x1d\xd9\x07\x81\x05\x60\x5a\xb6\xc3\x35\x82\xb0\x4e\xcd\x1c\x5a\x5a\xbd\xa9\xa0\x69\xcf\xfc\x19\xb6\x23\xcc\x7e\x6c\xa3\x0e\xa6\x44\xaf\x2f\x9f\xf3\xf0\x41\x48\x5f\x48\xd1\xb5\xf6\xed\x02\x35\x46\x8e\x74\x1f\x36\x34\xe6\xed\xa3\x58\xc8\xf7\x35\x24\x73\xf5\xce\x3b\x37\xd5\xd9\x1e\xd2\x9d\x5a\x2a\x2e\x99\xc6\x24\xae\x17\xd1\x3e\x54\xa4\x03\xf2\xb1\x79\xe4\x3a\xc2\x81\xc4\x24\x69\x74\x15\x1f\xbc\xb7\x92\x20\x04\x7b\x01\x74\xdd\x32\x36\x78\x4c\x58\x1a\x21\xe2\x29\xa7\x1f\x22\x83\xfd\x0b\xb1\x81\x0c\xc5\x54\xda\x71\xc7\x21\xa7\xdf\x2f\x74\xdc\x3b\x6b\xaa\xe1\x63\x5c\x72\xad\x1a\x07\xdf\xe6\x55\xcd\xf7\xe5\x27\x74\xef\x46\xb5\x37\x2d\x0f\xa1\xca\xd8\xa2\x88\xa7\x4d\x34\x96\x4d\xb9\x67\x60\xe2\xcf\x85\x86\xf2\xea\x7d\xad", 215); res = syscall(SYS_compat_14_shmctl, 0, 2ul, 0x200005c0ul); fprintf(stderr, "### call=6 errno=%u\n", res == -1 ? errno : 0); break; case 7: memcpy((void*)0x20000600, "./file0\000", 8); res = syscall(SYS_fchmodat, r[0], 0x20000600ul, 0x800ul, 0x500ul); fprintf(stderr, "### call=7 errno=%u\n", res == -1 ? errno : 0); break; case 8: memcpy((void*)0x20000640, "./file0\000", 8); *(uint64_t*)0x20000740 = 0x48000; res = syscall(SYS___getfh30, 0x20000640ul, 0x20000680ul, 0x20000740ul); fprintf(stderr, "### call=8 errno=%u\n", res == -1 ? errno : 0); break; case 9: res = syscall(SYS_recvfrom, r[0], 0x20000780ul, 0x7ful, 0x9080ul, 0ul, 0ul); fprintf(stderr, "### call=9 errno=%u\n", res == -1 ? errno : 0); break; case 10: memcpy((void*)0x200000c0, "\xc4\x21\x7d\x28\x00\x67\x36\x42\xd9\xf6\xc4\xa1\xd4\x5e\x7b\xf2\xc4\x41\x71\xd3\x0e\xc4\x62\xa1\x04\xd5\x66\x0f\x6e\x56\x00\x42\x0f\x01\xee\xc4\x21\x4d\x67\x56\x0e\xd8\xb0\xdf\x1c\xc1\xf1\xc4\xe1\x7e\xe6\x4c\x5b\x06", 54); res = -1; errno = EFAULT; res = syz_execute_func(0x200000c0); fprintf(stderr, "### call=10 errno=%u\n", res == -1 ? errno : 0); break; case 11: *(uint8_t*)0x20000140 = 0x12; *(uint8_t*)0x20000141 = 1; *(uint16_t*)0x20000142 = 0x201; *(uint8_t*)0x20000144 = 0; *(uint8_t*)0x20000145 = 0; *(uint8_t*)0x20000146 = 0; *(uint8_t*)0x20000147 = 0x10; *(uint16_t*)0x20000148 = 0; *(uint16_t*)0x2000014a = 0; *(uint16_t*)0x2000014c = 0; *(uint8_t*)0x2000014e = 1; *(uint8_t*)0x2000014f = 2; *(uint8_t*)0x20000150 = 3; *(uint8_t*)0x20000151 = 1; *(uint8_t*)0x20000152 = 9; *(uint8_t*)0x20000153 = 2; *(uint16_t*)0x20000154 = 0x5aa; *(uint8_t*)0x20000156 = 1; *(uint8_t*)0x20000157 = 0; *(uint8_t*)0x20000158 = 0x4d; *(uint8_t*)0x20000159 = 0; *(uint8_t*)0x2000015a = 5; *(uint8_t*)0x2000015b = 9; *(uint8_t*)0x2000015c = 4; *(uint8_t*)0x2000015d = 0x7f; *(uint8_t*)0x2000015e = 2; *(uint8_t*)0x2000015f = 0x10; *(uint8_t*)0x20000160 = 0; *(uint8_t*)0x20000161 = 0; *(uint8_t*)0x20000162 = 0; *(uint8_t*)0x20000163 = 0x1f; *(uint8_t*)0x20000164 = 0xa; *(uint8_t*)0x20000165 = 0x24; *(uint8_t*)0x20000166 = 6; *(uint8_t*)0x20000167 = 0; *(uint8_t*)0x20000168 = 1; memcpy((void*)0x20000169, "\xc3\x1c\xa1\x66\x5e", 5); *(uint8_t*)0x2000016e = 5; *(uint8_t*)0x2000016f = 0x24; *(uint8_t*)0x20000170 = 0; *(uint16_t*)0x20000171 = 6; *(uint8_t*)0x20000173 = 0xd; *(uint8_t*)0x20000174 = 0x24; *(uint8_t*)0x20000175 = 0xf; *(uint8_t*)0x20000176 = 1; *(uint32_t*)0x20000177 = 0xfffffe01; *(uint16_t*)0x2000017b = 0x7fff; *(uint16_t*)0x2000017d = 0xfe01; *(uint8_t*)0x2000017f = 1; *(uint8_t*)0x20000180 = 6; *(uint8_t*)0x20000181 = 0x24; *(uint8_t*)0x20000182 = 0x1a; *(uint16_t*)0x20000183 = 0x101; *(uint8_t*)0x20000185 = 0; *(uint8_t*)0x20000186 = 6; *(uint8_t*)0x20000187 = 0x24; *(uint8_t*)0x20000188 = 7; *(uint8_t*)0x20000189 = 0xfd; *(uint16_t*)0x2000018a = 0x1000; *(uint8_t*)0x2000018c = 4; *(uint8_t*)0x2000018d = 0x24; *(uint8_t*)0x2000018e = 2; *(uint8_t*)0x2000018f = 0xf; *(uint8_t*)0x20000190 = 5; *(uint8_t*)0x20000191 = 0x24; *(uint8_t*)0x20000192 = 1; *(uint8_t*)0x20000193 = 3; *(uint8_t*)0x20000194 = 0xd0; *(uint8_t*)0x20000195 = 7; *(uint8_t*)0x20000196 = 0x24; *(uint8_t*)0x20000197 = 0x14; *(uint16_t*)0x20000198 = 5; *(uint16_t*)0x2000019a = 9; *(uint8_t*)0x2000019c = 0xba; *(uint8_t*)0x2000019d = 0xb; memcpy((void*)0x2000019e, "\xfe\x82\xf4\x12\xbd\xe1\x3c\xfe\x9a\x7c\x58\x42\x8c\xb9\xc3\xa0\x85\x52\x8b\x59\x21\x05\x45\x97\x3b\xdc\x2a\xa0\xc2\x11\x53\xe7\x1c\x9f\x06\x5b\xbe\xf1\x10\xef\x76\x91\x1a\xe1\x4a\x69\x05\x0c\x92\x64\x04\x46\x79\x9f\xa1\xdc\x7a\xa0\xc2\x43\xc2\x15\xb0\xaf\xa1\x30\x99\x00\xf0\xbe\x31\x1c\x82\x59\xdb\x41\x22\xe4\x79\xaa\x52\x91\xed\x38\xba\x4b\x00\xce\x42\x69\x3f\x27\x39\x52\x16\x81\x81\x97\x27\x63\x35\xcc\x1c\x97\x75\x50\xda\x0a\x1f\x62\x51\x9c\x18\x4c\x22\x8c\x94\xbc\xc6\x3e\x4b\xda\x51\xb0\xde\xed\xcd\x99\xe2\x68\x44\xea\x31\x95\x31\x03\x14\x2c\x05\xbb\x4f\x68\x26\x37\x71\xca\x79\x1a\xcf\xb8\xe6\xf1\xb7\xe1\xc8\xc6\xb4\x7a\x72\x90\xee\x50\xa6\xd9\xd6\xc6\x4f\x7e\x20\x18\xc6\x2b\xd4\x5d\x9d\x93\x26\x86\x1a\x01\xe0\x59\x30\x26", 184); *(uint8_t*)0x20000256 = 9; *(uint8_t*)0x20000257 = 5; *(uint8_t*)0x20000258 = 9; *(uint8_t*)0x20000259 = 0x10; *(uint16_t*)0x2000025a = 0xbf7; *(uint8_t*)0x2000025c = 0x80; *(uint8_t*)0x2000025d = 3; *(uint8_t*)0x2000025e = 0x80; *(uint8_t*)0x2000025f = 7; *(uint8_t*)0x20000260 = 0x25; *(uint8_t*)0x20000261 = 1; *(uint8_t*)0x20000262 = 1; *(uint8_t*)0x20000263 = 0x81; *(uint16_t*)0x20000264 = 0xb6; *(uint8_t*)0x20000266 = 9; *(uint8_t*)0x20000267 = 5; *(uint8_t*)0x20000268 = 5; *(uint8_t*)0x20000269 = 3; *(uint16_t*)0x2000026a = 0x20; *(uint8_t*)0x2000026c = 5; *(uint8_t*)0x2000026d = 8; *(uint8_t*)0x2000026e = 0xf5; *(uint8_t*)0x2000026f = 7; *(uint8_t*)0x20000270 = 0x25; *(uint8_t*)0x20000271 = 1; *(uint8_t*)0x20000272 = 3; *(uint8_t*)0x20000273 = 0x81; *(uint16_t*)0x20000274 = 5; *(uint8_t*)0x20000276 = 9; *(uint8_t*)0x20000277 = 5; *(uint8_t*)0x20000278 = 3; *(uint8_t*)0x20000279 = 1; *(uint16_t*)0x2000027a = 0x40; *(uint8_t*)0x2000027c = 0x1f; *(uint8_t*)0x2000027d = 2; *(uint8_t*)0x2000027e = 0; *(uint8_t*)0x2000027f = 7; *(uint8_t*)0x20000280 = 0x25; *(uint8_t*)0x20000281 = 1; *(uint8_t*)0x20000282 = 0; *(uint8_t*)0x20000283 = 3; *(uint16_t*)0x20000284 = 0x8001; *(uint8_t*)0x20000286 = 7; *(uint8_t*)0x20000287 = 0x25; *(uint8_t*)0x20000288 = 1; *(uint8_t*)0x20000289 = 3; *(uint8_t*)0x2000028a = 0x74; *(uint16_t*)0x2000028b = 4; *(uint8_t*)0x2000028d = 9; *(uint8_t*)0x2000028e = 5; *(uint8_t*)0x2000028f = 6; *(uint8_t*)0x20000290 = 4; *(uint16_t*)0x20000291 = 0x20; *(uint8_t*)0x20000293 = 0xc3; *(uint8_t*)0x20000294 = 4; *(uint8_t*)0x20000295 = 0x30; *(uint8_t*)0x20000296 = 7; *(uint8_t*)0x20000297 = 0x25; *(uint8_t*)0x20000298 = 1; *(uint8_t*)0x20000299 = 0x80; *(uint8_t*)0x2000029a = 0; *(uint16_t*)0x2000029b = 1; *(uint8_t*)0x2000029d = 0x9e; *(uint8_t*)0x2000029e = 0x21; memcpy((void*)0x2000029f, "\x1a\x03\x80\xc0\x7a\xcd\x29\x03\x33\x3b\x9e\xe1\xa7\x34\x21\xf8\x89\x15\xa3\x93\x9a\x28\xa2\xa2\x1a\x53\xbe\x2e\xa9\x07\xf7\x3f\x40\x51\x3c\xd6\x0a\x48\x4a\x95\x15\x53\x48\xfd\x7c\xd7\x92\x87\x96\x33\x50\x66\xc5\x4f\xa2\x73\x65\x5e\xed\x76\x35\x77\xef\xa8\x06\xa4\x89\xed\x9e\xe1\x47\x3c\xe8\x5f\x42\x0c\x0c\x52\x77\x64\xae\xfd\xd8\x8e\x11\x6c\xa3\x38\xe9\x20\xce\xa4\x64\x5f\xa6\x00\x5f\xec\xea\x1a\xb9\xcf\xc4\xaa\x74\xfe\xe4\xf5\x51\x92\xf6\x12\xd9\x8f\xd9\x6c\xb5\x40\x41\x52\xc5\xd3\x52\x11\x88\x53\xa9\xf7\x02\x6a\x95\xe6\xdd\xd1\x9c\x24\xdf\x1a\x2f\x9a\xb2\x47\xef\x37\xa0\x63\xb2\xed\x77\x37\x55\xb9\x76\x6a\x0a\x47", 156); *(uint8_t*)0x2000033b = 9; *(uint8_t*)0x2000033c = 5; *(uint8_t*)0x2000033d = 0; *(uint8_t*)0x2000033e = 0xc; *(uint16_t*)0x2000033f = 0x400; *(uint8_t*)0x20000341 = 2; *(uint8_t*)0x20000342 = 0x7b; *(uint8_t*)0x20000343 = 0x27; *(uint8_t*)0x20000344 = 7; *(uint8_t*)0x20000345 = 0x25; *(uint8_t*)0x20000346 = 1; *(uint8_t*)0x20000347 = 0x80; *(uint8_t*)0x20000348 = 8; *(uint16_t*)0x20000349 = 8; *(uint8_t*)0x2000034b = 7; *(uint8_t*)0x2000034c = 0x25; *(uint8_t*)0x2000034d = 1; *(uint8_t*)0x2000034e = 0x81; *(uint8_t*)0x2000034f = 0x40; *(uint16_t*)0x20000350 = 0x1f; *(uint8_t*)0x20000352 = 9; *(uint8_t*)0x20000353 = 5; *(uint8_t*)0x20000354 = 0x80; *(uint8_t*)0x20000355 = 8; *(uint16_t*)0x20000356 = 8; *(uint8_t*)0x20000358 = 0; *(uint8_t*)0x20000359 = 6; *(uint8_t*)0x2000035a = 0; *(uint8_t*)0x2000035b = 9; *(uint8_t*)0x2000035c = 5; *(uint8_t*)0x2000035d = 0xc; *(uint8_t*)0x2000035e = 0; *(uint16_t*)0x2000035f = 0x200; *(uint8_t*)0x20000361 = 0x7f; *(uint8_t*)0x20000362 = 8; *(uint8_t*)0x20000363 = 8; *(uint8_t*)0x20000364 = 7; *(uint8_t*)0x20000365 = 0x25; *(uint8_t*)0x20000366 = 1; *(uint8_t*)0x20000367 = 0x42; *(uint8_t*)0x20000368 = 0; *(uint16_t*)0x20000369 = 3; *(uint8_t*)0x2000036b = 9; *(uint8_t*)0x2000036c = 5; *(uint8_t*)0x2000036d = 6; *(uint8_t*)0x2000036e = 1; *(uint16_t*)0x2000036f = 0x10; *(uint8_t*)0x20000371 = 0x7f; *(uint8_t*)0x20000372 = 6; *(uint8_t*)0x20000373 = 0x20; *(uint8_t*)0x20000374 = 0x3e; *(uint8_t*)0x20000375 = 0x24; memcpy((void*)0x20000376, "\x32\x79\xe6\x8b\x31\x07\xce\x57\xe9\x3f\x9b\x3d\x33\x6f\xef\xa9\xde\x17\x9b\x08\x50\x5c\x0e\xdd\x9e\xdf\x73\x39\x46\x60\x85\x55\x4d\x34\xe4\x57\x1b\x47\x0f\x40\xaa\xcb\x1c\x79\x14\x0c\x88\xfc\xe1\x78\x73\xe9\xa6\x06\xd0\xd0\xae\x19\x13\x06", 60); *(uint8_t*)0x200003b2 = 0x19; *(uint8_t*)0x200003b3 = 0x23; memcpy((void*)0x200003b4, "\xa5\xc0\xa8\x92\xc2\xb9\x5a\x22\x7d\xc6\x62\x3c\x0b\x74\x31\x0c\x15\x5d\x86\x2f\x23\x9e\x16", 23); *(uint8_t*)0x200003cb = 9; *(uint8_t*)0x200003cc = 5; *(uint8_t*)0x200003cd = 1; *(uint8_t*)0x200003ce = 0; *(uint16_t*)0x200003cf = 0x20; *(uint8_t*)0x200003d1 = 2; *(uint8_t*)0x200003d2 = 0x81; *(uint8_t*)0x200003d3 = 0x40; *(uint8_t*)0x200003d4 = 0xe6; *(uint8_t*)0x200003d5 = 0x30; memcpy((void*)0x200003d6, "\x5d\xc5\x26\x38\x6b\x6e\x27\x4c\xe9\xc0\x60\x65\x6d\xd7\x56\xe8\xd6\xba\xe3\xde\x5b\x6d\x89\x9a\xdd\x11\x5e\x5c\x83\x59\xa1\x47\xfc\x3b\x46\x30\x11\x4b\x01\x7f\xe4\xe9\xd7\xc9\xf9\x2e\x32\xd1\x98\x8c\x0c\xcb\x1e\xd7\x62\x11\x14\xfa\x2c\x22\x52\x80\xef\x03\x02\x4e\x75\xe1\xfa\xe3\xe6\x46\xff\xe7\x1a\x41\x7a\xfe\xdc\xdc\x06\x1e\xba\x0b\x1d\xfa\x91\xec\x7a\xe5\xaa\x5f\x96\xe1\x5c\x4c\x72\xff\x5f\xb5\x7f\x50\x33\xf1\xfc\x1c\x99\xb8\xee\x55\x02\xc3\x21\x7a\x11\x23\xb5\xc0\xdf\x2d\xd8\x57\x4e\xa1\xa5\x4f\xe1\x1e\x8e\x3a\xa5\x70\xa9\x3c\xb2\x0c\xee\xf3\xf3\xb3\xb5\x34\x3b\x0a\xf5\xca\xe6\xd0\x5f\x2b\xf9\x04\x4d\x71\xb2\xc3\xab\xf2\x77\x62\x9b\xcc\x88\x7b\x30\x86\xa1\xd6\x91\x24\x3f\x2c\xa2\xb1\x5d\x63\x88\xa7\x48\xf3\x0b\x9b\xa3\xbc\x4d\x47\x3d\xc2\x8c\x19\x6c\x2e\xbd\x24\x4e\x8a\xf6\x9d\x1a\x6d\x4d\xef\x0e\xca\x62\xe1\xa8\x07\xd4\xcf\xc5\xac\x9a\xe2\x75\x60\x14\x9a\x86\x9e\xaf\x4e\x46\xa7\xfd\xc7\x03\x75", 228); *(uint8_t*)0x200004ba = 9; *(uint8_t*)0x200004bb = 5; *(uint8_t*)0x200004bc = 0; *(uint8_t*)0x200004bd = 8; *(uint16_t*)0x200004be = 0x400; *(uint8_t*)0x200004c0 = 0x1f; *(uint8_t*)0x200004c1 = 0xe5; *(uint8_t*)0x200004c2 = 1; *(uint8_t*)0x200004c3 = 0xd8; *(uint8_t*)0x200004c4 = 2; memcpy((void*)0x200004c5, "\x3b\xe1\x77\x95\x19\x82\x5a\x94\xf8\x78\x6d\x27\xa3\x0f\x8b\xff\xd7\x37\x97\xba\x27\x4d\xc1\xf2\x1d\xb7\xc9\x16\x92\xbf\xf3\xa9\x45\x69\x78\x71\x2d\x40\xe5\xe6\x93\x61\x59\xb1\x74\xf7\x62\x12\x04\x3d\x5f\x7d\xac\x45\x57\x42\x35\xde\x47\x73\xcf\x1c\x00\xaa\xa9\xd0\x4d\x86\x33\x1f\xe2\x61\xd5\xa5\x7a\xf8\x6e\xd9\x7c\xa3\x05\xaf\x1e\x33\x46\xea\x1b\xbb\x85\x1e\x81\x36\x32\xd2\xe6\x9e\xc0\x41\x10\xce\xfc\x29\xae\x7d\xbc\x2a\x57\x99\xf9\xcf\x8c\xe3\x98\xb5\x3c\x1f\x72\x57\x83\x2c\x7f\xc4\xcd\x89\xf0\x52\x56\x1f\xb2\x68\x35\xf9\x09\x70\xe9\x7f\xcf\x52\xae\xa2\xdd\xa0\xd7\x2f\xd1\x05\x0a\x98\x2b\x5a\xfb\xd9\x4f\x73\xcb\x50\x5b\x75\x33\xf8\xde\xd2\xe5\xcf\xb6\xd8\x7c\xe6\xef\x2d\x36\x97\x54\xcb\x9d\x76\x36\x21\x81\xe6\xb7\xc0\x8e\x86\x8a\x8b\xb6\x83\x7f\xeb\x00\xa4\x19\x20\x93\xff\x80\x33\xaa\x63\x71\xeb\x02\x22\xff\x0b\x4c\xe7\x33\x7b\x40\xd2\x30\x39", 214); *(uint8_t*)0x2000059b = 0xb0; *(uint8_t*)0x2000059c = 4; memcpy((void*)0x2000059d, "\x53\x77\xb0\xa3\xd6\xfa\xbe\x2b\xe4\x86\x71\x00\x49\xd6\x51\x4c\x7a\xad\xcd\x0d\x30\xdb\x7f\x39\xc5\xe1\x43\xb8\x21\x6b\x9b\xbe\x9e\xb3\xed\x55\xce\x71\x02\x6b\x96\xff\x08\xeb\x3b\x05\x7e\x8d\x62\x83\xe6\x56\x86\x38\x3e\xab\x45\x13\xee\x1b\xf6\x34\x8a\xdf\x1b\xff\x30\xe3\x4d\xf4\x41\x57\x70\x5f\x08\x43\xad\x96\xa2\x90\x5b\x4d\x6e\xf0\xb8\x1f\x89\x70\x8b\xa1\xb3\xaf\x11\x3d\x5c\x16\xf6\xd5\x3c\xf3\x86\x82\x91\x4f\x18\x16\xe1\x41\xb0\xa5\x1d\x38\x71\x04\x50\xa2\xc5\xf0\xc5\x98\x7c\xa7\x87\x0d\x11\xe9\x20\xbb\xc2\x3d\x03\x6a\x1d\xf5\x89\x2f\xc0\xd5\x9f\x63\x79\xee\xbf\xcc\xaf\xf8\xfc\x1c\xc5\x69\x6f\x43\x25\xe9\xc3\xec\x3c\xa2\x9b\x78\xb4\x76\xba\x61\xaf\x6b\x51\x43\xf0\x0f\x39\x4a\xe2\xa5", 174); *(uint8_t*)0x2000064b = 9; *(uint8_t*)0x2000064c = 5; *(uint8_t*)0x2000064d = 1; *(uint8_t*)0x2000064e = 0x10; *(uint16_t*)0x2000064f = 0x3ff; *(uint8_t*)0x20000651 = 9; *(uint8_t*)0x20000652 = 6; *(uint8_t*)0x20000653 = 9; *(uint8_t*)0x20000654 = 9; *(uint8_t*)0x20000655 = 5; *(uint8_t*)0x20000656 = 6; *(uint8_t*)0x20000657 = 0; *(uint16_t*)0x20000658 = 0x3ff; *(uint8_t*)0x2000065a = 0x1f; *(uint8_t*)0x2000065b = 6; *(uint8_t*)0x2000065c = 7; *(uint8_t*)0x2000065d = 9; *(uint8_t*)0x2000065e = 5; *(uint8_t*)0x2000065f = 0x80; *(uint8_t*)0x20000660 = 0xc; *(uint16_t*)0x20000661 = 0x400; *(uint8_t*)0x20000663 = 2; *(uint8_t*)0x20000664 = 8; *(uint8_t*)0x20000665 = 6; *(uint8_t*)0x20000666 = 9; *(uint8_t*)0x20000667 = 5; *(uint8_t*)0x20000668 = 4; *(uint8_t*)0x20000669 = 2; *(uint16_t*)0x2000066a = 8; *(uint8_t*)0x2000066c = 0x3f; *(uint8_t*)0x2000066d = 0; *(uint8_t*)0x2000066e = 9; *(uint8_t*)0x2000066f = 0x7b; *(uint8_t*)0x20000670 = 7; memcpy((void*)0x20000671, "\xfa\xaf\xe1\x39\xe2\xc2\x6d\x2a\x37\xc4\xbd\x0f\x57\x0b\xe6\xf1\xaf\xe1\xe7\xdd\x31\x29\xbb\x4e\x93\xe1\xd9\x1f\xec\xda\x52\x92\xb1\xb8\x68\xe1\x46\x7f\x14\xd9\x9b\xb5\xd8\xa9\xea\xf4\xb5\x85\xce\x93\x9b\x3b\xe9\x55\x37\x63\x7d\x10\xa5\xc3\x1b\x79\x11\x61\x02\x5f\xb0\x3a\x9f\x97\xcb\xaf\x12\xc2\xd3\xfa\x96\x90\x62\xfd\xa6\x25\x22\x6a\x78\x44\xfc\x5d\xd3\xf7\x79\x06\x30\x35\xac\xe5\xc8\x37\xde\x73\x1f\x2d\x74\x20\xf5\x34\xb5\xf8\xab\xba\x9a\x74\x9a\x25\x44\x43\x4a\x21\xde\x8c\x68", 121); *(uint8_t*)0x200006ea = 9; *(uint8_t*)0x200006eb = 5; *(uint8_t*)0x200006ec = 0xe; *(uint8_t*)0x200006ed = 0x10; *(uint16_t*)0x200006ee = 8; *(uint8_t*)0x200006f0 = 1; *(uint8_t*)0x200006f1 = 1; *(uint8_t*)0x200006f2 = 0x95; *(uint8_t*)0x200006f3 = 9; *(uint8_t*)0x200006f4 = 5; *(uint8_t*)0x200006f5 = 8; *(uint8_t*)0x200006f6 = 8; *(uint16_t*)0x200006f7 = 0x40; *(uint8_t*)0x200006f9 = 4; *(uint8_t*)0x200006fa = 5; *(uint8_t*)0x200006fb = 0; *(uint32_t*)0x20000900 = 0xa; *(uint64_t*)0x20000904 = 0x20000700; *(uint8_t*)0x20000700 = 0xa; *(uint8_t*)0x20000701 = 6; *(uint16_t*)0x20000702 = 0x50; *(uint8_t*)0x20000704 = 0x14; *(uint8_t*)0x20000705 = 0x28; *(uint8_t*)0x20000706 = 6; *(uint8_t*)0x20000707 = 0x28; *(uint8_t*)0x20000708 = 9; *(uint8_t*)0x20000709 = 0; *(uint32_t*)0x2000090c = 0x51; *(uint64_t*)0x20000910 = 0x20000740; *(uint8_t*)0x20000740 = 5; *(uint8_t*)0x20000741 = 0xf; *(uint16_t*)0x20000742 = 0x51; *(uint8_t*)0x20000744 = 6; *(uint8_t*)0x20000745 = 3; *(uint8_t*)0x20000746 = 0x10; *(uint8_t*)0x20000747 = 0xb; *(uint8_t*)0x20000748 = 3; *(uint8_t*)0x20000749 = 0x10; *(uint8_t*)0x2000074a = 0xb; *(uint8_t*)0x2000074b = 0xb; *(uint8_t*)0x2000074c = 0x10; *(uint8_t*)0x2000074d = 1; *(uint8_t*)0x2000074e = 8; *(uint16_t*)0x2000074f = 0x10; *(uint8_t*)0x20000751 = -1; *(uint8_t*)0x20000752 = 6; *(uint16_t*)0x20000753 = 0x1000; *(uint8_t*)0x20000755 = 0x40; *(uint8_t*)0x20000756 = 0x14; *(uint8_t*)0x20000757 = 0x10; *(uint8_t*)0x20000758 = 4; *(uint8_t*)0x20000759 = 0; memcpy((void*)0x2000075a, "\xc1\x6e\xe1\x67\xa2\xc7\x69\x4c\xf8\xe1\xbb\x43\xa9\x0f\xfc\x24", 16); *(uint8_t*)0x2000076a = 0x24; *(uint8_t*)0x2000076b = 0x10; *(uint8_t*)0x2000076c = 0xa; *(uint8_t*)0x2000076d = -1; STORE_BY_BITMASK(uint32_t, , 0x2000076e, 6, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x2000076e, 0x400, 5, 27); *(uint16_t*)0x20000772 = 0xf88f; *(uint16_t*)0x20000774 = 0xfffa; *(uint32_t*)0x20000776 = 0; *(uint32_t*)0x2000077a = 0xc0c0; *(uint32_t*)0x2000077e = 0x60; *(uint32_t*)0x20000782 = 0xff3f00; *(uint32_t*)0x20000786 = 0xfff0; *(uint32_t*)0x2000078a = 0xff0000; *(uint8_t*)0x2000078e = 3; *(uint8_t*)0x2000078f = 0x10; *(uint8_t*)0x20000790 = 0xb; *(uint32_t*)0x20000918 = 2; *(uint32_t*)0x2000091c = 0xd8; *(uint64_t*)0x20000920 = 0x200007c0; *(uint8_t*)0x200007c0 = 0xd8; *(uint8_t*)0x200007c1 = 3; memcpy((void*)0x200007c2, "\xe4\xe5\x19\x94\x18\x62\x35\xf6\xdd\x68\x5b\x5a\xf9\xc7\x90\xd2\xc6\xac\x3b\x9c\x71\xac\xc8\xbe\x67\x68\x9e\x27\xdb\xea\x32\xef\xfd\xb2\xe6\x8b\x21\x87\x51\x72\xf6\x56\xee\x58\xca\x78\x2e\x43\xca\x10\x8c\x5e\xd0\xf6\xb3\x66\x62\x49\xb1\x03\x51\x8f\x49\xbf\xe2\xcd\x20\x1b\x7b\xa8\x16\xc3\x44\xf3\xe2\x40\xd8\x1e\x0c\xce\xe4\xc1\x1f\xb8\x60\xc6\x1f\x7b\xe1\xab\xaf\x0b\x22\x34\x30\x09\x17\x4c\x7c\xdf\x9d\xde\xc7\x03\x12\x42\x85\x4a\x0e\x95\x7f\x6b\x85\xe0\xc4\xee\xf6\x64\x30\x22\xa8\xd9\x60\xc0\x72\x0f\x8a\x63\x28\xf7\xff\xd7\x6f\x08\xec\x6a\x4c\x5a\x8b\xcd\x4e\xca\x63\xcd\xaf\x03\xd2\x45\xca\xe2\x84\xcf\x01\xfa\x3a\x58\x1d\xef\x6e\x67\xef\xdf\xce\x67\x91\x00\xdc\x6d\x9e\x7e\x3b\x8f\x8a\xed\xdf\xab\xae\xf5\xfe\x47\x91\x23\xd0\xd0\xbb\x2f\x8e\xf7\xce\xcd\x3f\xc1\x8b\x19\xa7\x24\x3b\x71\x8d\xd2\x7f\xb2\x68\x7c\xcb\x8a\xcf\xde\xb7\x41\xcd\x73\x17\xc0", 214); *(uint32_t*)0x20000928 = 4; *(uint64_t*)0x2000092c = 0x200008c0; *(uint8_t*)0x200008c0 = 4; *(uint8_t*)0x200008c1 = 3; *(uint16_t*)0x200008c2 = 0x414; res = -1; errno = EFAULT; res = syz_usb_connect(0, 0x5bc, 0x20000140, 0x20000900); fprintf(stderr, "### call=11 errno=%u\n", res == -1 ? errno : 0); break; case 12: res = -1; errno = EFAULT; res = syz_usb_disconnect(-1); fprintf(stderr, "### call=12 errno=%u\n", res == -1 ? errno : 0); break; } } int main(void) { syscall(SYS_mmap, 0x20000000ul, 0x1000000ul, 3ul, 0x1012ul, -1, 0ul, 0ul); setup_fault(); use_temporary_dir(); do_sandbox_none(); return 0; } compiler invocation: /syzkaller/shared/netbsd/tools/bin/x86_64--netbsd-g++ [-o /tmp/syz-executor2894161724 -DGOOS_netbsd=1 -DGOARCH_amd64=1 -DHOSTGOOS_linux=1 -x c - -m64 --sysroot /syzkaller/shared/netbsd/dest/ -O2 -pthread -Wall -Werror -Wparentheses -Wframe-larger-than=16384] --- FAIL: TestGenerate/netbsd/amd64/14 (0.27s) csource_test.go:150: opts: {Threaded:true Repeat:true RepeatTimes:0 Procs:0 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false UseTmpDir:true HandleSegv:false Repro:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}} program: __utimes50(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)={0x5, 0x6}) (fail_nth: 1) __getfh30(&(0x7f0000000080)='./file0\x00', &(0x7f00000000c0)=""/164, &(0x7f0000000180)=0x5) (async) r0 = open(&(0x7f00000001c0)='./file0\x00', 0x80, 0x100) (rerun: 4) preadv(r0, &(0x7f0000000400)=[{&(0x7f0000000200)}, {&(0x7f0000000240)=""/44, 0x2c}, {&(0x7f0000000280)=""/178, 0xb2}, {&(0x7f0000000340)=""/177, 0xb1}], 0x4, 0x6) r1 = open(&(0x7f0000000440)='./file0\x00', 0x1000000, 0x0) ioctl$WSDISPLAYIO_LINEBYTES(r1, 0x4004575f, &(0x7f0000000480)) compat_14_shmctl$IPC_STAT(0x0, 0x2, &(0x7f00000005c0)={{}, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f00000004c0)="3956ea187715b364f078d22529010e881c15c4ac905a9b741377a29b3f3fd079dcb31dd9078105605ab6c33582b04ecd1c5a5abda9a069cffc19b623cc7e6ca30ea644af2f9ff3f041485f48d1b5f6ed0235468e741f3634e6eda358c8f7352473f5ce3b37d5d91ed29d5a2a2e99c624ae17d13e54a403f2b179e43ac281c4246974151fbcb79220047b0174dd3236784c581a21e229a71f2283fd0bb1810cc554da71c721a7df2f74dc3b6baae1635c72ad1a07dfe655cdf7e52774ef46b5372d0fa1cad8a288a74d34964db96760e2cf8586f2ea7dad"}) fchmodat(r0, &(0x7f0000000600)='./file0\x00', 0x800, 0x500) __getfh30(&(0x7f0000000640)='./file0\x00', &(0x7f0000000680)=""/173, &(0x7f0000000740)=0x48000) recvfrom$unix(r0, &(0x7f0000000780)=""/127, 0x7f, 0x9080, 0x0, 0x0) syz_emit_ethernet(0xa8, &(0x7f0000000000)="7cdc7f3d7523bc457cc7061f4218d205a9121313b3382a24390756c28e681e8ae64f9faefb9773a6088d8507b9f588abff90ed553d01e60af1ce4d9db1ae174c74afd76b975ec8e14ed2ecf1ea152061fe82fe634d1d1d20bfd25ca07d9ce4531e9c745c512bd468865e81abeaffeae134bea52451f13a61092e1d81780479ec9ce32bde5b1f03166d656fa34cd18fc1fbd00b1632fbd99d303f0c69398bc4dae4c54a53cb9abee5") syz_execute_func(&(0x7f00000000c0)="c4217d2800673642d9f6c4a1d45e7bf2c44171d30ec462a104d5660f6e5600420f01eec4214d67560ed8b0df1cc1f1c4e17ee64c5b06") syz_extract_tcp_res(&(0x7f0000000100), 0x0, 0x8) syz_usb_connect(0x0, 0x5bc, &(0x7f0000000140)={{0x12, 0x1, 0x201, 0x0, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x5aa, 0x1, 0x0, 0x4d, 0x0, 0x5, [{{0x9, 0x4, 0x7f, 0x2, 0x10, 0x0, 0x0, 0x0, 0x1f, [@cdc_ncm={{0xa, 0x24, 0x6, 0x0, 0x1, "c31ca1665e"}, {0x5, 0x24, 0x0, 0x6}, {0xd, 0x24, 0xf, 0x1, 0xfffffe01, 0x7fff, 0xfe01, 0x1}, {0x6, 0x24, 0x1a, 0x101}, [@country_functional={0x6, 0x24, 0x7, 0xfd, 0x1000}, @acm={0x4, 0x24, 0x2, 0xf}, @call_mgmt={0x5, 0x24, 0x1, 0x3, 0xd0}, @dmm={0x7, 0x24, 0x14, 0x5, 0x9}]}, @generic={0xba, 0xb, "fe82f412bde13cfe9a7c58428cb9c3a085528b59210545973bdc2aa0c21153e71c9f065bbef110ef76911ae14a69050c92640446799fa1dc7aa0c243c215b0afa1309900f0be311c8259db4122e479aa5291ed38ba4b00ce42693f27395216818197276335cc1c977550da0a1f62519c184c228c94bcc63e4bda51b0deedcd99e26844ea31953103142c05bb4f68263771ca791acfb8e6f1b7e1c8c6b47a7290ee50a6d9d6c64f7e2018c62bd45d9d9326861a01e0593026"}], [{{0x9, 0x5, 0x9, 0x10, 0xbf7, 0x80, 0x3, 0x80, [@uac_iso={0x7, 0x25, 0x1, 0x1, 0x81, 0xb6}]}}, {{0x9, 0x5, 0x5, 0x3, 0x20, 0x5, 0x8, 0xf5, [@uac_iso={0x7, 0x25, 0x1, 0x3, 0x81, 0x5}]}}, {{0x9, 0x5, 0x3, 0x1, 0x40, 0x1f, 0x2, 0x0, [@uac_iso={0x7, 0x25, 0x1, 0x0, 0x3, 0x8001}, @uac_iso={0x7, 0x25, 0x1, 0x3, 0x74, 0x4}]}}, {{0x9, 0x5, 0x6, 0x4, 0x20, 0xc3, 0x4, 0x30, [@uac_iso={0x7, 0x25, 0x1, 0x80, 0x0, 0x1}, @generic={0x9e, 0x21, "1a0380c07acd2903333b9ee1a73421f88915a3939a28a2a21a53be2ea907f73f40513cd60a484a95155348fd7cd7928796335066c54fa273655eed763577efa806a489ed9ee1473ce85f420c0c527764aefdd88e116ca338e920cea4645fa6005fecea1ab9cfc4aa74fee4f55192f612d98fd96cb5404152c5d352118853a9f7026a95e6ddd19c24df1a2f9ab247ef37a063b2ed773755b9766a0a47"}]}}, {{0x9, 0x5, 0x0, 0xc, 0x400, 0x2, 0x7b, 0x27, [@uac_iso={0x7, 0x25, 0x1, 0x80, 0x8, 0x8}, @uac_iso={0x7, 0x25, 0x1, 0x81, 0x40, 0x1f}]}}, {{0x9, 0x5, 0x80, 0x8, 0x8, 0x0, 0x6}}, {{0x9, 0x5, 0xc, 0x0, 0x200, 0x7f, 0x8, 0x8, [@uac_iso={0x7, 0x25, 0x1, 0x42, 0x0, 0x3}]}}, {{0x9, 0x5, 0x6, 0x1, 0x10, 0x7f, 0x6, 0x20, [@generic={0x3e, 0x24, "3279e68b3107ce57e93f9b3d336fefa9de179b08505c0edd9edf7339466085554d34e4571b470f40aacb1c79140c88fce17873e9a606d0d0ae191306"}, @generic={0x19, 0x23, "a5c0a892c2b95a227dc6623c0b74310c155d862f239e16"}]}}, {{0x9, 0x5, 0x1, 0x0, 0x20, 0x2, 0x81, 0x40, [@generic={0xe6, 0x30, "5dc526386b6e274ce9c060656dd756e8d6bae3de5b6d899add115e5c8359a147fc3b4630114b017fe4e9d7c9f92e32d1988c0ccb1ed7621114fa2c225280ef03024e75e1fae3e646ffe71a417afedcdc061eba0b1dfa91ec7ae5aa5f96e15c4c72ff5fb57f5033f1fc1c99b8ee5502c3217a1123b5c0df2dd8574ea1a54fe11e8e3aa570a93cb20ceef3f3b3b5343b0af5cae6d05f2bf9044d71b2c3abf277629bcc887b3086a1d691243f2ca2b15d6388a748f30b9ba3bc4d473dc28c196c2ebd244e8af69d1a6d4def0eca62e1a807d4cfc5ac9ae27560149a869eaf4e46a7fdc70375"}]}}, {{0x9, 0x5, 0x0, 0x8, 0x400, 0x1f, 0xe5, 0x1, [@generic={0xd8, 0x2, "3be1779519825a94f8786d27a30f8bffd73797ba274dc1f21db7c91692bff3a9456978712d40e5e6936159b174f76212043d5f7dac45574235de4773cf1c00aaa9d04d86331fe261d5a57af86ed97ca305af1e3346ea1bbb851e813632d2e69ec04110cefc29ae7dbc2a5799f9cf8ce398b53c1f7257832c7fc4cd89f052561fb26835f90970e97fcf52aea2dda0d72fd1050a982b5afbd94f73cb505b7533f8ded2e5cfb6d87ce6ef2d369754cb9d76362181e6b7c08e868a8bb6837feb00a4192093ff8033aa6371eb0222ff0b4ce7337b40d23039"}, @generic={0xb0, 0x4, "5377b0a3d6fabe2be486710049d6514c7aadcd0d30db7f39c5e143b8216b9bbe9eb3ed55ce71026b96ff08eb3b057e8d6283e65686383eab4513ee1bf6348adf1bff30e34df44157705f0843ad96a2905b4d6ef0b81f89708ba1b3af113d5c16f6d53cf38682914f1816e141b0a51d38710450a2c5f0c5987ca7870d11e920bbc23d036a1df5892fc0d59f6379eebfccaff8fc1cc5696f4325e9c3ec3ca29b78b476ba61af6b5143f00f394ae2a5"}]}}, {{0x9, 0x5, 0x1, 0x10, 0x3ff, 0x9, 0x6, 0x9}}, {{0x9, 0x5, 0x6, 0x0, 0x3ff, 0x1f, 0x6, 0x7}}, {{0x9, 0x5, 0x80, 0xc, 0x400, 0x2, 0x8, 0x6}}, {{0x9, 0x5, 0x4, 0x2, 0x8, 0x3f, 0x0, 0x9, [@generic={0x7b, 0x7, "faafe139e2c26d2a37c4bd0f570be6f1afe1e7dd3129bb4e93e1d91fecda5292b1b868e1467f14d99bb5d8a9eaf4b585ce939b3be95537637d10a5c31b791161025fb03a9f97cbaf12c2d3fa969062fda625226a7844fc5dd3f779063035ace5c837de731f2d7420f534b5f8abba9a749a2544434a21de8c68"}]}}, {{0x9, 0x5, 0xe, 0x10, 0x8, 0x1, 0x1, 0x95}}, {{0x9, 0x5, 0x8, 0x8, 0x40, 0x4, 0x5}}]}}]}}]}}, &(0x7f0000000900)={0xa, &(0x7f0000000700)={0xa, 0x6, 0x50, 0x14, 0x28, 0x6, 0x28, 0x9}, 0x51, &(0x7f0000000740)={0x5, 0xf, 0x51, 0x6, [@ptm_cap={0x3}, @ptm_cap={0x3}, @wireless={0xb, 0x10, 0x1, 0x8, 0x10, 0xff, 0x6, 0x1000, 0x40}, @ss_container_id={0x14, 0x10, 0x4, 0x0, "c16ee167a2c7694cf8e1bb43a90ffc24"}, @ssp_cap={0x24, 0x10, 0xa, 0xff, 0x6, 0x400, 0xf88f, 0xfffa, [0x0, 0xc0c0, 0x60, 0xff3f00, 0xfff0, 0xff0000]}, @ptm_cap={0x3}]}, 0x2, [{0xd8, &(0x7f00000007c0)=@string={0xd8, 0x3, "e4e51994186235f6dd685b5af9c790d2c6ac3b9c71acc8be67689e27dbea32effdb2e68b21875172f656ee58ca782e43ca108c5ed0f6b3666249b103518f49bfe2cd201b7ba816c344f3e240d81e0ccee4c11fb860c61f7be1abaf0b22343009174c7cdf9ddec7031242854a0e957f6b85e0c4eef6643022a8d960c0720f8a6328f7ffd76f08ec6a4c5a8bcd4eca63cdaf03d245cae284cf01fa3a581def6e67efdfce679100dc6d9e7e3b8f8aeddfabaef5fe479123d0d0bb2f8ef7cecd3fc18b19a7243b718dd27fb2687ccb8acfdeb741cd7317c0"}}, {0x4, &(0x7f00000008c0)=@lang_id={0x4, 0x3, 0x414}}]}) syz_usb_disconnect(0xffffffffffffffff) csource_test.go:151: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #ifndef SYS___getfh30 #define SYS___getfh30 395 #endif #ifndef SYS___utimes50 #define SYS___utimes50 420 #endif #ifndef SYS_compat_14_shmctl #define SYS_compat_14_shmctl 229 #endif #ifndef SYS_fchmodat #define SYS_fchmodat 463 #endif #ifndef SYS_ioctl #define SYS_ioctl 54 #endif #ifndef SYS_mmap #define SYS_mmap 197 #endif #ifndef SYS_open #define SYS_open 5 #endif #ifndef SYS_preadv #define SYS_preadv 289 #endif #ifndef SYS_recvfrom #define SYS_recvfrom 29 #endif static unsigned long long procid; static void kill_and_wait(int pid, int* status) { kill(pid, SIGKILL); while (waitpid(-1, status, 0) != pid) { } } static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void use_temporary_dir(void) { char tmpdir_template[] = "./syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) exit(1); if (chmod(tmpdir, 0777)) exit(1); if (chdir(tmpdir)) exit(1); } static void __attribute__((noinline)) remove_dir(const char* dir) { DIR* dp = opendir(dir); if (dp == NULL) { if (errno == EACCES) { if (rmdir(dir)) exit(1); return; } exit(1); } struct dirent* ep = 0; while ((ep = readdir(dp))) { if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0) continue; char filename[FILENAME_MAX]; snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name); struct stat st; if (lstat(filename, &st)) exit(1); if (S_ISDIR(st.st_mode)) { remove_dir(filename); continue; } if (unlink(filename)) { exit(1); } } closedir(dp); while (rmdir(dir)) { exit(1); } } static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); pthread_attr_setstacksize(&attr, 128 << 10); int i = 0; for (; i < 100; i++) { if (pthread_create(&th, &attr, fn, arg) == 0) { pthread_attr_destroy(&attr); return; } if (errno == EAGAIN) { usleep(50); continue; } break; } exit(1); } typedef struct { pthread_mutex_t mu; pthread_cond_t cv; int state; } event_t; static void event_init(event_t* ev) { if (pthread_mutex_init(&ev->mu, 0)) exit(1); if (pthread_cond_init(&ev->cv, 0)) exit(1); ev->state = 0; } static void event_reset(event_t* ev) { ev->state = 0; } static void event_set(event_t* ev) { pthread_mutex_lock(&ev->mu); if (ev->state) exit(1); ev->state = 1; pthread_mutex_unlock(&ev->mu); pthread_cond_broadcast(&ev->cv); } static void event_wait(event_t* ev) { pthread_mutex_lock(&ev->mu); while (!ev->state) pthread_cond_wait(&ev->cv, &ev->mu); pthread_mutex_unlock(&ev->mu); } static int event_isset(event_t* ev) { pthread_mutex_lock(&ev->mu); int res = ev->state; pthread_mutex_unlock(&ev->mu); return res; } static int event_timedwait(event_t* ev, uint64_t timeout) { uint64_t start = current_time_ms(); uint64_t now = start; pthread_mutex_lock(&ev->mu); for (;;) { if (ev->state) break; uint64_t remain = timeout - (now - start); struct timespec ts; ts.tv_sec = remain / 1000; ts.tv_nsec = (remain % 1000) * 1000 * 1000; pthread_cond_timedwait(&ev->cv, &ev->mu, &ts); now = current_time_ms(); if (now - start > timeout) break; } int res = ev->state; pthread_mutex_unlock(&ev->mu); return res; } #define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off)) #define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len)))) struct usb_endpoint_descriptor { uint8_t bLength; uint8_t bDescriptorType; uint8_t bEndpointAddress; uint8_t bmAttributes; uint16_t wMaxPacketSize; uint8_t bInterval; uint8_t bRefresh; uint8_t bSynchAddress; } __attribute__((packed)); struct usb_device_descriptor { uint8_t bLength; uint8_t bDescriptorType; uint16_t bcdUSB; uint8_t bDeviceClass; uint8_t bDeviceSubClass; uint8_t bDeviceProtocol; uint8_t bMaxPacketSize0; uint16_t idVendor; uint16_t idProduct; uint16_t bcdDevice; uint8_t iManufacturer; uint8_t iProduct; uint8_t iSerialNumber; uint8_t bNumConfigurations; } __attribute__((packed)); struct usb_config_descriptor { uint8_t bLength; uint8_t bDescriptorType; uint16_t wTotalLength; uint8_t bNumInterfaces; uint8_t bConfigurationValue; uint8_t iConfiguration; uint8_t bmAttributes; uint8_t bMaxPower; } __attribute__((packed)); struct usb_interface_descriptor { uint8_t bLength; uint8_t bDescriptorType; uint8_t bInterfaceNumber; uint8_t bAlternateSetting; uint8_t bNumEndpoints; uint8_t bInterfaceClass; uint8_t bInterfaceSubClass; uint8_t bInterfaceProtocol; uint8_t iInterface; } __attribute__((packed)); struct usb_ctrlrequest { uint8_t bRequestType; uint8_t bRequest; uint16_t wValue; uint16_t wIndex; uint16_t wLength; } __attribute__((packed)); struct usb_qualifier_descriptor { uint8_t bLength; uint8_t bDescriptorType; uint16_t bcdUSB; uint8_t bDeviceClass; uint8_t bDeviceSubClass; uint8_t bDeviceProtocol; uint8_t bMaxPacketSize0; uint8_t bNumConfigurations; uint8_t bRESERVED; } __attribute__((packed)); #define USB_TYPE_MASK (0x03 << 5) #define USB_TYPE_STANDARD (0x00 << 5) #define USB_TYPE_CLASS (0x01 << 5) #define USB_TYPE_VENDOR (0x02 << 5) #define USB_TYPE_RESERVED (0x03 << 5) #define USB_DT_DEVICE 0x01 #define USB_DT_CONFIG 0x02 #define USB_DT_STRING 0x03 #define USB_DT_INTERFACE 0x04 #define USB_DT_ENDPOINT 0x05 #define USB_DT_DEVICE_QUALIFIER 0x06 #define USB_DT_OTHER_SPEED_CONFIG 0x07 #define USB_DT_INTERFACE_POWER 0x08 #define USB_DT_OTG 0x09 #define USB_DT_DEBUG 0x0a #define USB_DT_INTERFACE_ASSOCIATION 0x0b #define USB_DT_SECURITY 0x0c #define USB_DT_KEY 0x0d #define USB_DT_ENCRYPTION_TYPE 0x0e #define USB_DT_BOS 0x0f #define USB_DT_DEVICE_CAPABILITY 0x10 #define USB_DT_WIRELESS_ENDPOINT_COMP 0x11 #define USB_DT_WIRE_ADAPTER 0x21 #define USB_DT_RPIPE 0x22 #define USB_DT_CS_RADIO_CONTROL 0x23 #define USB_DT_PIPE_USAGE 0x24 #define USB_DT_SS_ENDPOINT_COMP 0x30 #define USB_DT_SSP_ISOC_ENDPOINT_COMP 0x31 #define USB_REQ_GET_STATUS 0x00 #define USB_REQ_CLEAR_FEATURE 0x01 #define USB_REQ_SET_FEATURE 0x03 #define USB_REQ_SET_ADDRESS 0x05 #define USB_REQ_GET_DESCRIPTOR 0x06 #define USB_REQ_SET_DESCRIPTOR 0x07 #define USB_REQ_GET_CONFIGURATION 0x08 #define USB_REQ_SET_CONFIGURATION 0x09 #define USB_REQ_GET_INTERFACE 0x0A #define USB_REQ_SET_INTERFACE 0x0B #define USB_REQ_SYNCH_FRAME 0x0C #define USB_REQ_SET_SEL 0x30 #define USB_REQ_SET_ISOCH_DELAY 0x31 #define USB_REQ_SET_ENCRYPTION 0x0D #define USB_REQ_GET_ENCRYPTION 0x0E #define USB_REQ_RPIPE_ABORT 0x0E #define USB_REQ_SET_HANDSHAKE 0x0F #define USB_REQ_RPIPE_RESET 0x0F #define USB_REQ_GET_HANDSHAKE 0x10 #define USB_REQ_SET_CONNECTION 0x11 #define USB_REQ_SET_SECURITY_DATA 0x12 #define USB_REQ_GET_SECURITY_DATA 0x13 #define USB_REQ_SET_WUSB_DATA 0x14 #define USB_REQ_LOOPBACK_DATA_WRITE 0x15 #define USB_REQ_LOOPBACK_DATA_READ 0x16 #define USB_REQ_SET_INTERFACE_DS 0x17 #define USB_REQ_GET_PARTNER_PDO 20 #define USB_REQ_GET_BATTERY_STATUS 21 #define USB_REQ_SET_PDO 22 #define USB_REQ_GET_VDM 23 #define USB_REQ_SEND_VDM 24 #define USB_MAX_IFACE_NUM 4 #define USB_MAX_EP_NUM 32 #define USB_MAX_FDS 6 struct usb_endpoint_index { struct usb_endpoint_descriptor desc; int handle; }; struct usb_iface_index { struct usb_interface_descriptor* iface; uint8_t bInterfaceNumber; uint8_t bAlternateSetting; uint8_t bInterfaceClass; struct usb_endpoint_index eps[USB_MAX_EP_NUM]; int eps_num; }; struct usb_device_index { struct usb_device_descriptor* dev; struct usb_config_descriptor* config; uint8_t bDeviceClass; uint8_t bMaxPower; int config_length; struct usb_iface_index ifaces[USB_MAX_IFACE_NUM]; int ifaces_num; int iface_cur; }; struct usb_info { int fd; struct usb_device_index index; }; static struct usb_info usb_devices[USB_MAX_FDS]; static struct usb_device_index* lookup_usb_index(int fd) { for (int i = 0; i < USB_MAX_FDS; i++) { if (__atomic_load_n(&usb_devices[i].fd, __ATOMIC_ACQUIRE) == fd) return &usb_devices[i].index; } return NULL; } static int usb_devices_num; static bool parse_usb_descriptor(const char* buffer, size_t length, struct usb_device_index* index) { if (length < sizeof(*index->dev) + sizeof(*index->config)) return false; memset(index, 0, sizeof(*index)); index->dev = (struct usb_device_descriptor*)buffer; index->config = (struct usb_config_descriptor*)(buffer + sizeof(*index->dev)); index->bDeviceClass = index->dev->bDeviceClass; index->bMaxPower = index->config->bMaxPower; index->config_length = length - sizeof(*index->dev); index->iface_cur = -1; size_t offset = 0; while (true) { if (offset + 1 >= length) break; uint8_t desc_length = buffer[offset]; uint8_t desc_type = buffer[offset + 1]; if (desc_length <= 2) break; if (offset + desc_length > length) break; if (desc_type == USB_DT_INTERFACE && index->ifaces_num < USB_MAX_IFACE_NUM) { struct usb_interface_descriptor* iface = (struct usb_interface_descriptor*)(buffer + offset); index->ifaces[index->ifaces_num].iface = iface; index->ifaces[index->ifaces_num].bInterfaceNumber = iface->bInterfaceNumber; index->ifaces[index->ifaces_num].bAlternateSetting = iface->bAlternateSetting; index->ifaces[index->ifaces_num].bInterfaceClass = iface->bInterfaceClass; index->ifaces_num++; } if (desc_type == USB_DT_ENDPOINT && index->ifaces_num > 0) { struct usb_iface_index* iface = &index->ifaces[index->ifaces_num - 1]; if (iface->eps_num < USB_MAX_EP_NUM) { memcpy(&iface->eps[iface->eps_num].desc, buffer + offset, sizeof(iface->eps[iface->eps_num].desc)); iface->eps_num++; } } offset += desc_length; } return true; } static struct usb_device_index* add_usb_index(int fd, const char* dev, size_t dev_len) { int i = __atomic_fetch_add(&usb_devices_num, 1, __ATOMIC_RELAXED); if (i >= USB_MAX_FDS) return NULL; if (!parse_usb_descriptor(dev, dev_len, &usb_devices[i].index)) return NULL; __atomic_store_n(&usb_devices[i].fd, fd, __ATOMIC_RELEASE); return &usb_devices[i].index; } struct vusb_connect_string_descriptor { uint32_t len; char* str; } __attribute__((packed)); struct vusb_connect_descriptors { uint32_t qual_len; char* qual; uint32_t bos_len; char* bos; uint32_t strs_len; struct vusb_connect_string_descriptor strs[0]; } __attribute__((packed)); static const char default_string[] = { 8, USB_DT_STRING, 's', 0, 'y', 0, 'z', 0 }; static const char default_lang_id[] = { 4, USB_DT_STRING, 0x09, 0x04 }; static bool lookup_connect_response_in(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, struct usb_qualifier_descriptor* qual, char** response_data, uint32_t* response_length) { struct usb_device_index* index = lookup_usb_index(fd); uint8_t str_idx; if (!index) return false; switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_GET_DESCRIPTOR: switch (ctrl->wValue >> 8) { case USB_DT_DEVICE: *response_data = (char*)index->dev; *response_length = sizeof(*index->dev); return true; case USB_DT_CONFIG: *response_data = (char*)index->config; *response_length = index->config_length; return true; case USB_DT_STRING: str_idx = (uint8_t)ctrl->wValue; if (descs && str_idx < descs->strs_len) { *response_data = descs->strs[str_idx].str; *response_length = descs->strs[str_idx].len; return true; } if (str_idx == 0) { *response_data = (char*)&default_lang_id[0]; *response_length = default_lang_id[0]; return true; } *response_data = (char*)&default_string[0]; *response_length = default_string[0]; return true; case USB_DT_BOS: *response_data = descs->bos; *response_length = descs->bos_len; return true; case USB_DT_DEVICE_QUALIFIER: if (!descs->qual) { qual->bLength = sizeof(*qual); qual->bDescriptorType = USB_DT_DEVICE_QUALIFIER; qual->bcdUSB = index->dev->bcdUSB; qual->bDeviceClass = index->dev->bDeviceClass; qual->bDeviceSubClass = index->dev->bDeviceSubClass; qual->bDeviceProtocol = index->dev->bDeviceProtocol; qual->bMaxPacketSize0 = index->dev->bMaxPacketSize0; qual->bNumConfigurations = index->dev->bNumConfigurations; qual->bRESERVED = 0; *response_data = (char*)qual; *response_length = sizeof(*qual); return true; } *response_data = descs->qual; *response_length = descs->qual_len; return true; default: break; } break; default: break; } break; default: break; } return false; } typedef bool (*lookup_connect_out_response_t)(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done); static bool lookup_connect_response_out_generic(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done) { switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_SET_CONFIGURATION: *done = true; return true; default: break; } break; } return false; } static int vhci_open(void) { char path[1024]; snprintf(path, sizeof(path), "/dev/vhci%llu", procid); return open(path, O_RDWR); } static int vhci_setport(int fd, u_int port) { struct vhci_ioc_set_port args; args.port = port; return ioctl(fd, VHCI_IOC_SET_PORT, &args); } static int vhci_usb_attach(int fd) { return ioctl(fd, VHCI_IOC_USB_ATTACH, NULL); } static int vhci_usb_recv(int fd, void* buf, size_t size) { uint8_t* ptr = (uint8_t*)buf; while (1) { ssize_t done = read(fd, ptr, size); if (done < 0) return -1; if ((size_t)done == size) return 0; size -= done; ptr += done; } } static int vhci_usb_send(int fd, void* buf, size_t size) { uint8_t* ptr = (uint8_t*)buf; while (1) { ssize_t done = write(fd, ptr, size); if (done <= 0) return -1; if ((size_t)done == size) return 0; size -= done; ptr += done; } } static volatile long syz_usb_connect_impl(int fd, uint64_t speed, uint64_t dev_len, const char* dev, const struct vusb_connect_descriptors* descs, lookup_connect_out_response_t lookup_connect_response_out) { struct usb_device_index* index = add_usb_index(fd, dev, dev_len); if (!index) { return -1; } if (vhci_setport(fd, 1)) exit(1); if (vhci_usb_attach(fd)) { return -1; } bool done = false; while (!done) { vhci_request_t req; if (vhci_usb_recv(fd, &req, sizeof(req))) { return -1; } if (req.type != VHCI_REQ_CTRL) { return -1; } char* response_data = NULL; uint32_t response_length = 0; struct usb_qualifier_descriptor qual; char data[4096]; if (req.u.ctrl.bmRequestType & UE_DIR_IN) { if (!lookup_connect_response_in(fd, descs, (const struct usb_ctrlrequest*)&req.u.ctrl, &qual, &response_data, &response_length)) { return -1; } } else { if (!lookup_connect_response_out(fd, descs, (const struct usb_ctrlrequest*)&req.u.ctrl, &done)) { return -1; } response_data = NULL; response_length = UGETW(req.u.ctrl.wLength); } if ((req.u.ctrl.bmRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD && req.u.ctrl.bRequest == USB_REQ_SET_CONFIGURATION) { } if (response_length > sizeof(data)) response_length = 0; if ((uint32_t)UGETW(req.u.ctrl.wLength) < response_length) response_length = UGETW(req.u.ctrl.wLength); if (response_data) memcpy(data, response_data, response_length); else memset(data, 0, response_length); int rv = 0; if (req.u.ctrl.bmRequestType & UE_DIR_IN) { if (response_length > 0) { vhci_response_t res; res.size = response_length; rv = vhci_usb_send(fd, &res, sizeof(res)); if (rv == 0) rv = vhci_usb_send(fd, data, response_length); } } else { rv = vhci_usb_recv(fd, data, response_length); } if (rv < 0) { return -1; } } sleep_ms(200); return fd; } static volatile long syz_usb_connect(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { uint64_t speed = a0; uint64_t dev_len = a1; const char* dev = (const char*)a2; const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3; if (!dev) { return -1; } int fd = vhci_open(); if (fd < 0) exit(1); long res = syz_usb_connect_impl(fd, speed, dev_len, dev, descs, &lookup_connect_response_out_generic); close(fd); return res; } static volatile long syz_usb_disconnect(volatile long a0) { int fd = a0; int rv = close(fd); sleep_ms(200); return rv; } static void setup_fault(void) { if (chmod("/dev/fault", 0666)) exit(1); } static int inject_fault(int nth) { struct fault_ioc_enable en; int fd; fd = open("/dev/fault", O_RDWR); if (fd == -1) exit(1); en.scope = FAULT_SCOPE_LWP; en.mode = 0; en.nth = nth + 1; if (ioctl(fd, FAULT_IOC_ENABLE, &en) != 0) exit(1); return fd; } static void sandbox_common() { struct rlimit rlim; rlim.rlim_cur = rlim.rlim_max = 8 << 20; setrlimit(RLIMIT_MEMLOCK, &rlim); rlim.rlim_cur = rlim.rlim_max = 1 << 20; setrlimit(RLIMIT_FSIZE, &rlim); rlim.rlim_cur = rlim.rlim_max = 1 << 20; setrlimit(RLIMIT_STACK, &rlim); rlim.rlim_cur = rlim.rlim_max = 0; setrlimit(RLIMIT_CORE, &rlim); rlim.rlim_cur = rlim.rlim_max = 256; setrlimit(RLIMIT_NOFILE, &rlim); } static void loop(); static int do_sandbox_none(void) { sandbox_common(); loop(); return 0; } static long syz_execute_func(volatile long text) { ((void (*)(void))(text))(); return 0; } struct thread_t { int created, call; event_t ready, done; }; static struct thread_t threads[16]; static void execute_call(int call); static int running; static void* thr(void* arg) { struct thread_t* th = (struct thread_t*)arg; for (;;) { event_wait(&th->ready); event_reset(&th->ready); execute_call(th->call); __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED); event_set(&th->done); } return 0; } static void execute_one(void) { if (write(1, "executing program\n", sizeof("executing program\n") - 1)) { } int i, call, thread; for (call = 0; call < 13; call++) { for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) { struct thread_t* th = &threads[thread]; if (!th->created) { th->created = 1; event_init(&th->ready); event_init(&th->done); event_set(&th->done); thread_start(thr, th); } if (!event_isset(&th->done)) continue; event_reset(&th->done); th->call = call; __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED); event_set(&th->ready); if (call == 1) break; event_timedwait(&th->done, 50 + (call == 11 ? 3000 : 0) + (call == 12 ? 300 : 0)); break; } } for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++) sleep_ms(1); } static void execute_one(void); #define WAIT_FLAGS 0 static void loop(void) { int iter = 0; for (;; iter++) { char cwdbuf[32]; sprintf(cwdbuf, "./%d", iter); if (mkdir(cwdbuf, 0777)) exit(1); int pid = fork(); if (pid < 0) exit(1); if (pid == 0) { if (chdir(cwdbuf)) exit(1); execute_one(); exit(0); } int status = 0; uint64_t start = current_time_ms(); for (;;) { if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) break; sleep_ms(1); if (current_time_ms() - start < 5000) continue; kill_and_wait(pid, &status); break; } remove_dir(cwdbuf); } } uint64_t r[2] = {0xffffffffffffffff, 0xffffffffffffffff}; void execute_call(int call) { intptr_t res = 0; switch (call) { case 0: memcpy((void*)0x20000000, "./file0\000", 8); *(uint64_t*)0x20000040 = 5; *(uint64_t*)0x20000048 = 6; inject_fault(1); syscall(SYS___utimes50, 0x20000000ul, 0x20000040ul); break; case 1: memcpy((void*)0x20000080, "./file0\000", 8); *(uint64_t*)0x20000180 = 5; syscall(SYS___getfh30, 0x20000080ul, 0x200000c0ul, 0x20000180ul); break; case 2: memcpy((void*)0x200001c0, "./file0\000", 8); res = syscall(SYS_open, 0x200001c0ul, 0x80ul, 0x100ul); { int i; for(i = 0; i < 4; i++) { syscall(SYS_open, 0x200001c0ul, 0x80ul, 0x100ul); } } if (res != -1) r[0] = res; break; case 3: *(uint64_t*)0x20000400 = 0x20000200; *(uint64_t*)0x20000408 = 0; *(uint64_t*)0x20000410 = 0x20000240; *(uint64_t*)0x20000418 = 0x2c; *(uint64_t*)0x20000420 = 0x20000280; *(uint64_t*)0x20000428 = 0xb2; *(uint64_t*)0x20000430 = 0x20000340; *(uint64_t*)0x20000438 = 0xb1; syscall(SYS_preadv, r[0], 0x20000400ul, 4ul, 6ul); break; case 4: memcpy((void*)0x20000440, "./file0\000", 8); res = syscall(SYS_open, 0x20000440ul, 0x1000000ul, 0ul); if (res != -1) r[1] = res; break; case 5: syscall(SYS_ioctl, r[1], 0x4004575ful, 0x20000480ul); break; case 6: *(uint64_t*)0x200005f8 = 0x200004c0; memcpy((void*)0x200004c0, "\x39\x56\xea\x18\x77\x15\xb3\x64\xf0\x78\xd2\x25\x29\x01\x0e\x88\x1c\x15\xc4\xac\x90\x5a\x9b\x74\x13\x77\xa2\x9b\x3f\x3f\xd0\x79\xdc\xb3\x1d\xd9\x07\x81\x05\x60\x5a\xb6\xc3\x35\x82\xb0\x4e\xcd\x1c\x5a\x5a\xbd\xa9\xa0\x69\xcf\xfc\x19\xb6\x23\xcc\x7e\x6c\xa3\x0e\xa6\x44\xaf\x2f\x9f\xf3\xf0\x41\x48\x5f\x48\xd1\xb5\xf6\xed\x02\x35\x46\x8e\x74\x1f\x36\x34\xe6\xed\xa3\x58\xc8\xf7\x35\x24\x73\xf5\xce\x3b\x37\xd5\xd9\x1e\xd2\x9d\x5a\x2a\x2e\x99\xc6\x24\xae\x17\xd1\x3e\x54\xa4\x03\xf2\xb1\x79\xe4\x3a\xc2\x81\xc4\x24\x69\x74\x15\x1f\xbc\xb7\x92\x20\x04\x7b\x01\x74\xdd\x32\x36\x78\x4c\x58\x1a\x21\xe2\x29\xa7\x1f\x22\x83\xfd\x0b\xb1\x81\x0c\xc5\x54\xda\x71\xc7\x21\xa7\xdf\x2f\x74\xdc\x3b\x6b\xaa\xe1\x63\x5c\x72\xad\x1a\x07\xdf\xe6\x55\xcd\xf7\xe5\x27\x74\xef\x46\xb5\x37\x2d\x0f\xa1\xca\xd8\xa2\x88\xa7\x4d\x34\x96\x4d\xb9\x67\x60\xe2\xcf\x85\x86\xf2\xea\x7d\xad", 215); syscall(SYS_compat_14_shmctl, 0, 2ul, 0x200005c0ul); break; case 7: memcpy((void*)0x20000600, "./file0\000", 8); syscall(SYS_fchmodat, r[0], 0x20000600ul, 0x800ul, 0x500ul); break; case 8: memcpy((void*)0x20000640, "./file0\000", 8); *(uint64_t*)0x20000740 = 0x48000; syscall(SYS___getfh30, 0x20000640ul, 0x20000680ul, 0x20000740ul); break; case 9: syscall(SYS_recvfrom, r[0], 0x20000780ul, 0x7ful, 0x9080ul, 0ul, 0ul); break; case 10: memcpy((void*)0x200000c0, "\xc4\x21\x7d\x28\x00\x67\x36\x42\xd9\xf6\xc4\xa1\xd4\x5e\x7b\xf2\xc4\x41\x71\xd3\x0e\xc4\x62\xa1\x04\xd5\x66\x0f\x6e\x56\x00\x42\x0f\x01\xee\xc4\x21\x4d\x67\x56\x0e\xd8\xb0\xdf\x1c\xc1\xf1\xc4\xe1\x7e\xe6\x4c\x5b\x06", 54); syz_execute_func(0x200000c0); break; case 11: *(uint8_t*)0x20000140 = 0x12; *(uint8_t*)0x20000141 = 1; *(uint16_t*)0x20000142 = 0x201; *(uint8_t*)0x20000144 = 0; *(uint8_t*)0x20000145 = 0; *(uint8_t*)0x20000146 = 0; *(uint8_t*)0x20000147 = 0x10; *(uint16_t*)0x20000148 = 0; *(uint16_t*)0x2000014a = 0; *(uint16_t*)0x2000014c = 0; *(uint8_t*)0x2000014e = 1; *(uint8_t*)0x2000014f = 2; *(uint8_t*)0x20000150 = 3; *(uint8_t*)0x20000151 = 1; *(uint8_t*)0x20000152 = 9; *(uint8_t*)0x20000153 = 2; *(uint16_t*)0x20000154 = 0x5aa; *(uint8_t*)0x20000156 = 1; *(uint8_t*)0x20000157 = 0; *(uint8_t*)0x20000158 = 0x4d; *(uint8_t*)0x20000159 = 0; *(uint8_t*)0x2000015a = 5; *(uint8_t*)0x2000015b = 9; *(uint8_t*)0x2000015c = 4; *(uint8_t*)0x2000015d = 0x7f; *(uint8_t*)0x2000015e = 2; *(uint8_t*)0x2000015f = 0x10; *(uint8_t*)0x20000160 = 0; *(uint8_t*)0x20000161 = 0; *(uint8_t*)0x20000162 = 0; *(uint8_t*)0x20000163 = 0x1f; *(uint8_t*)0x20000164 = 0xa; *(uint8_t*)0x20000165 = 0x24; *(uint8_t*)0x20000166 = 6; *(uint8_t*)0x20000167 = 0; *(uint8_t*)0x20000168 = 1; memcpy((void*)0x20000169, "\xc3\x1c\xa1\x66\x5e", 5); *(uint8_t*)0x2000016e = 5; *(uint8_t*)0x2000016f = 0x24; *(uint8_t*)0x20000170 = 0; *(uint16_t*)0x20000171 = 6; *(uint8_t*)0x20000173 = 0xd; *(uint8_t*)0x20000174 = 0x24; *(uint8_t*)0x20000175 = 0xf; *(uint8_t*)0x20000176 = 1; *(uint32_t*)0x20000177 = 0xfffffe01; *(uint16_t*)0x2000017b = 0x7fff; *(uint16_t*)0x2000017d = 0xfe01; *(uint8_t*)0x2000017f = 1; *(uint8_t*)0x20000180 = 6; *(uint8_t*)0x20000181 = 0x24; *(uint8_t*)0x20000182 = 0x1a; *(uint16_t*)0x20000183 = 0x101; *(uint8_t*)0x20000185 = 0; *(uint8_t*)0x20000186 = 6; *(uint8_t*)0x20000187 = 0x24; *(uint8_t*)0x20000188 = 7; *(uint8_t*)0x20000189 = 0xfd; *(uint16_t*)0x2000018a = 0x1000; *(uint8_t*)0x2000018c = 4; *(uint8_t*)0x2000018d = 0x24; *(uint8_t*)0x2000018e = 2; *(uint8_t*)0x2000018f = 0xf; *(uint8_t*)0x20000190 = 5; *(uint8_t*)0x20000191 = 0x24; *(uint8_t*)0x20000192 = 1; *(uint8_t*)0x20000193 = 3; *(uint8_t*)0x20000194 = 0xd0; *(uint8_t*)0x20000195 = 7; *(uint8_t*)0x20000196 = 0x24; *(uint8_t*)0x20000197 = 0x14; *(uint16_t*)0x20000198 = 5; *(uint16_t*)0x2000019a = 9; *(uint8_t*)0x2000019c = 0xba; *(uint8_t*)0x2000019d = 0xb; memcpy((void*)0x2000019e, "\xfe\x82\xf4\x12\xbd\xe1\x3c\xfe\x9a\x7c\x58\x42\x8c\xb9\xc3\xa0\x85\x52\x8b\x59\x21\x05\x45\x97\x3b\xdc\x2a\xa0\xc2\x11\x53\xe7\x1c\x9f\x06\x5b\xbe\xf1\x10\xef\x76\x91\x1a\xe1\x4a\x69\x05\x0c\x92\x64\x04\x46\x79\x9f\xa1\xdc\x7a\xa0\xc2\x43\xc2\x15\xb0\xaf\xa1\x30\x99\x00\xf0\xbe\x31\x1c\x82\x59\xdb\x41\x22\xe4\x79\xaa\x52\x91\xed\x38\xba\x4b\x00\xce\x42\x69\x3f\x27\x39\x52\x16\x81\x81\x97\x27\x63\x35\xcc\x1c\x97\x75\x50\xda\x0a\x1f\x62\x51\x9c\x18\x4c\x22\x8c\x94\xbc\xc6\x3e\x4b\xda\x51\xb0\xde\xed\xcd\x99\xe2\x68\x44\xea\x31\x95\x31\x03\x14\x2c\x05\xbb\x4f\x68\x26\x37\x71\xca\x79\x1a\xcf\xb8\xe6\xf1\xb7\xe1\xc8\xc6\xb4\x7a\x72\x90\xee\x50\xa6\xd9\xd6\xc6\x4f\x7e\x20\x18\xc6\x2b\xd4\x5d\x9d\x93\x26\x86\x1a\x01\xe0\x59\x30\x26", 184); *(uint8_t*)0x20000256 = 9; *(uint8_t*)0x20000257 = 5; *(uint8_t*)0x20000258 = 9; *(uint8_t*)0x20000259 = 0x10; *(uint16_t*)0x2000025a = 0xbf7; *(uint8_t*)0x2000025c = 0x80; *(uint8_t*)0x2000025d = 3; *(uint8_t*)0x2000025e = 0x80; *(uint8_t*)0x2000025f = 7; *(uint8_t*)0x20000260 = 0x25; *(uint8_t*)0x20000261 = 1; *(uint8_t*)0x20000262 = 1; *(uint8_t*)0x20000263 = 0x81; *(uint16_t*)0x20000264 = 0xb6; *(uint8_t*)0x20000266 = 9; *(uint8_t*)0x20000267 = 5; *(uint8_t*)0x20000268 = 5; *(uint8_t*)0x20000269 = 3; *(uint16_t*)0x2000026a = 0x20; *(uint8_t*)0x2000026c = 5; *(uint8_t*)0x2000026d = 8; *(uint8_t*)0x2000026e = 0xf5; *(uint8_t*)0x2000026f = 7; *(uint8_t*)0x20000270 = 0x25; *(uint8_t*)0x20000271 = 1; *(uint8_t*)0x20000272 = 3; *(uint8_t*)0x20000273 = 0x81; *(uint16_t*)0x20000274 = 5; *(uint8_t*)0x20000276 = 9; *(uint8_t*)0x20000277 = 5; *(uint8_t*)0x20000278 = 3; *(uint8_t*)0x20000279 = 1; *(uint16_t*)0x2000027a = 0x40; *(uint8_t*)0x2000027c = 0x1f; *(uint8_t*)0x2000027d = 2; *(uint8_t*)0x2000027e = 0; *(uint8_t*)0x2000027f = 7; *(uint8_t*)0x20000280 = 0x25; *(uint8_t*)0x20000281 = 1; *(uint8_t*)0x20000282 = 0; *(uint8_t*)0x20000283 = 3; *(uint16_t*)0x20000284 = 0x8001; *(uint8_t*)0x20000286 = 7; *(uint8_t*)0x20000287 = 0x25; *(uint8_t*)0x20000288 = 1; *(uint8_t*)0x20000289 = 3; *(uint8_t*)0x2000028a = 0x74; *(uint16_t*)0x2000028b = 4; *(uint8_t*)0x2000028d = 9; *(uint8_t*)0x2000028e = 5; *(uint8_t*)0x2000028f = 6; *(uint8_t*)0x20000290 = 4; *(uint16_t*)0x20000291 = 0x20; *(uint8_t*)0x20000293 = 0xc3; *(uint8_t*)0x20000294 = 4; *(uint8_t*)0x20000295 = 0x30; *(uint8_t*)0x20000296 = 7; *(uint8_t*)0x20000297 = 0x25; *(uint8_t*)0x20000298 = 1; *(uint8_t*)0x20000299 = 0x80; *(uint8_t*)0x2000029a = 0; *(uint16_t*)0x2000029b = 1; *(uint8_t*)0x2000029d = 0x9e; *(uint8_t*)0x2000029e = 0x21; memcpy((void*)0x2000029f, "\x1a\x03\x80\xc0\x7a\xcd\x29\x03\x33\x3b\x9e\xe1\xa7\x34\x21\xf8\x89\x15\xa3\x93\x9a\x28\xa2\xa2\x1a\x53\xbe\x2e\xa9\x07\xf7\x3f\x40\x51\x3c\xd6\x0a\x48\x4a\x95\x15\x53\x48\xfd\x7c\xd7\x92\x87\x96\x33\x50\x66\xc5\x4f\xa2\x73\x65\x5e\xed\x76\x35\x77\xef\xa8\x06\xa4\x89\xed\x9e\xe1\x47\x3c\xe8\x5f\x42\x0c\x0c\x52\x77\x64\xae\xfd\xd8\x8e\x11\x6c\xa3\x38\xe9\x20\xce\xa4\x64\x5f\xa6\x00\x5f\xec\xea\x1a\xb9\xcf\xc4\xaa\x74\xfe\xe4\xf5\x51\x92\xf6\x12\xd9\x8f\xd9\x6c\xb5\x40\x41\x52\xc5\xd3\x52\x11\x88\x53\xa9\xf7\x02\x6a\x95\xe6\xdd\xd1\x9c\x24\xdf\x1a\x2f\x9a\xb2\x47\xef\x37\xa0\x63\xb2\xed\x77\x37\x55\xb9\x76\x6a\x0a\x47", 156); *(uint8_t*)0x2000033b = 9; *(uint8_t*)0x2000033c = 5; *(uint8_t*)0x2000033d = 0; *(uint8_t*)0x2000033e = 0xc; *(uint16_t*)0x2000033f = 0x400; *(uint8_t*)0x20000341 = 2; *(uint8_t*)0x20000342 = 0x7b; *(uint8_t*)0x20000343 = 0x27; *(uint8_t*)0x20000344 = 7; *(uint8_t*)0x20000345 = 0x25; *(uint8_t*)0x20000346 = 1; *(uint8_t*)0x20000347 = 0x80; *(uint8_t*)0x20000348 = 8; *(uint16_t*)0x20000349 = 8; *(uint8_t*)0x2000034b = 7; *(uint8_t*)0x2000034c = 0x25; *(uint8_t*)0x2000034d = 1; *(uint8_t*)0x2000034e = 0x81; *(uint8_t*)0x2000034f = 0x40; *(uint16_t*)0x20000350 = 0x1f; *(uint8_t*)0x20000352 = 9; *(uint8_t*)0x20000353 = 5; *(uint8_t*)0x20000354 = 0x80; *(uint8_t*)0x20000355 = 8; *(uint16_t*)0x20000356 = 8; *(uint8_t*)0x20000358 = 0; *(uint8_t*)0x20000359 = 6; *(uint8_t*)0x2000035a = 0; *(uint8_t*)0x2000035b = 9; *(uint8_t*)0x2000035c = 5; *(uint8_t*)0x2000035d = 0xc; *(uint8_t*)0x2000035e = 0; *(uint16_t*)0x2000035f = 0x200; *(uint8_t*)0x20000361 = 0x7f; *(uint8_t*)0x20000362 = 8; *(uint8_t*)0x20000363 = 8; *(uint8_t*)0x20000364 = 7; *(uint8_t*)0x20000365 = 0x25; *(uint8_t*)0x20000366 = 1; *(uint8_t*)0x20000367 = 0x42; *(uint8_t*)0x20000368 = 0; *(uint16_t*)0x20000369 = 3; *(uint8_t*)0x2000036b = 9; *(uint8_t*)0x2000036c = 5; *(uint8_t*)0x2000036d = 6; *(uint8_t*)0x2000036e = 1; *(uint16_t*)0x2000036f = 0x10; *(uint8_t*)0x20000371 = 0x7f; *(uint8_t*)0x20000372 = 6; *(uint8_t*)0x20000373 = 0x20; *(uint8_t*)0x20000374 = 0x3e; *(uint8_t*)0x20000375 = 0x24; memcpy((void*)0x20000376, "\x32\x79\xe6\x8b\x31\x07\xce\x57\xe9\x3f\x9b\x3d\x33\x6f\xef\xa9\xde\x17\x9b\x08\x50\x5c\x0e\xdd\x9e\xdf\x73\x39\x46\x60\x85\x55\x4d\x34\xe4\x57\x1b\x47\x0f\x40\xaa\xcb\x1c\x79\x14\x0c\x88\xfc\xe1\x78\x73\xe9\xa6\x06\xd0\xd0\xae\x19\x13\x06", 60); *(uint8_t*)0x200003b2 = 0x19; *(uint8_t*)0x200003b3 = 0x23; memcpy((void*)0x200003b4, "\xa5\xc0\xa8\x92\xc2\xb9\x5a\x22\x7d\xc6\x62\x3c\x0b\x74\x31\x0c\x15\x5d\x86\x2f\x23\x9e\x16", 23); *(uint8_t*)0x200003cb = 9; *(uint8_t*)0x200003cc = 5; *(uint8_t*)0x200003cd = 1; *(uint8_t*)0x200003ce = 0; *(uint16_t*)0x200003cf = 0x20; *(uint8_t*)0x200003d1 = 2; *(uint8_t*)0x200003d2 = 0x81; *(uint8_t*)0x200003d3 = 0x40; *(uint8_t*)0x200003d4 = 0xe6; *(uint8_t*)0x200003d5 = 0x30; memcpy((void*)0x200003d6, "\x5d\xc5\x26\x38\x6b\x6e\x27\x4c\xe9\xc0\x60\x65\x6d\xd7\x56\xe8\xd6\xba\xe3\xde\x5b\x6d\x89\x9a\xdd\x11\x5e\x5c\x83\x59\xa1\x47\xfc\x3b\x46\x30\x11\x4b\x01\x7f\xe4\xe9\xd7\xc9\xf9\x2e\x32\xd1\x98\x8c\x0c\xcb\x1e\xd7\x62\x11\x14\xfa\x2c\x22\x52\x80\xef\x03\x02\x4e\x75\xe1\xfa\xe3\xe6\x46\xff\xe7\x1a\x41\x7a\xfe\xdc\xdc\x06\x1e\xba\x0b\x1d\xfa\x91\xec\x7a\xe5\xaa\x5f\x96\xe1\x5c\x4c\x72\xff\x5f\xb5\x7f\x50\x33\xf1\xfc\x1c\x99\xb8\xee\x55\x02\xc3\x21\x7a\x11\x23\xb5\xc0\xdf\x2d\xd8\x57\x4e\xa1\xa5\x4f\xe1\x1e\x8e\x3a\xa5\x70\xa9\x3c\xb2\x0c\xee\xf3\xf3\xb3\xb5\x34\x3b\x0a\xf5\xca\xe6\xd0\x5f\x2b\xf9\x04\x4d\x71\xb2\xc3\xab\xf2\x77\x62\x9b\xcc\x88\x7b\x30\x86\xa1\xd6\x91\x24\x3f\x2c\xa2\xb1\x5d\x63\x88\xa7\x48\xf3\x0b\x9b\xa3\xbc\x4d\x47\x3d\xc2\x8c\x19\x6c\x2e\xbd\x24\x4e\x8a\xf6\x9d\x1a\x6d\x4d\xef\x0e\xca\x62\xe1\xa8\x07\xd4\xcf\xc5\xac\x9a\xe2\x75\x60\x14\x9a\x86\x9e\xaf\x4e\x46\xa7\xfd\xc7\x03\x75", 228); *(uint8_t*)0x200004ba = 9; *(uint8_t*)0x200004bb = 5; *(uint8_t*)0x200004bc = 0; *(uint8_t*)0x200004bd = 8; *(uint16_t*)0x200004be = 0x400; *(uint8_t*)0x200004c0 = 0x1f; *(uint8_t*)0x200004c1 = 0xe5; *(uint8_t*)0x200004c2 = 1; *(uint8_t*)0x200004c3 = 0xd8; *(uint8_t*)0x200004c4 = 2; memcpy((void*)0x200004c5, "\x3b\xe1\x77\x95\x19\x82\x5a\x94\xf8\x78\x6d\x27\xa3\x0f\x8b\xff\xd7\x37\x97\xba\x27\x4d\xc1\xf2\x1d\xb7\xc9\x16\x92\xbf\xf3\xa9\x45\x69\x78\x71\x2d\x40\xe5\xe6\x93\x61\x59\xb1\x74\xf7\x62\x12\x04\x3d\x5f\x7d\xac\x45\x57\x42\x35\xde\x47\x73\xcf\x1c\x00\xaa\xa9\xd0\x4d\x86\x33\x1f\xe2\x61\xd5\xa5\x7a\xf8\x6e\xd9\x7c\xa3\x05\xaf\x1e\x33\x46\xea\x1b\xbb\x85\x1e\x81\x36\x32\xd2\xe6\x9e\xc0\x41\x10\xce\xfc\x29\xae\x7d\xbc\x2a\x57\x99\xf9\xcf\x8c\xe3\x98\xb5\x3c\x1f\x72\x57\x83\x2c\x7f\xc4\xcd\x89\xf0\x52\x56\x1f\xb2\x68\x35\xf9\x09\x70\xe9\x7f\xcf\x52\xae\xa2\xdd\xa0\xd7\x2f\xd1\x05\x0a\x98\x2b\x5a\xfb\xd9\x4f\x73\xcb\x50\x5b\x75\x33\xf8\xde\xd2\xe5\xcf\xb6\xd8\x7c\xe6\xef\x2d\x36\x97\x54\xcb\x9d\x76\x36\x21\x81\xe6\xb7\xc0\x8e\x86\x8a\x8b\xb6\x83\x7f\xeb\x00\xa4\x19\x20\x93\xff\x80\x33\xaa\x63\x71\xeb\x02\x22\xff\x0b\x4c\xe7\x33\x7b\x40\xd2\x30\x39", 214); *(uint8_t*)0x2000059b = 0xb0; *(uint8_t*)0x2000059c = 4; memcpy((void*)0x2000059d, "\x53\x77\xb0\xa3\xd6\xfa\xbe\x2b\xe4\x86\x71\x00\x49\xd6\x51\x4c\x7a\xad\xcd\x0d\x30\xdb\x7f\x39\xc5\xe1\x43\xb8\x21\x6b\x9b\xbe\x9e\xb3\xed\x55\xce\x71\x02\x6b\x96\xff\x08\xeb\x3b\x05\x7e\x8d\x62\x83\xe6\x56\x86\x38\x3e\xab\x45\x13\xee\x1b\xf6\x34\x8a\xdf\x1b\xff\x30\xe3\x4d\xf4\x41\x57\x70\x5f\x08\x43\xad\x96\xa2\x90\x5b\x4d\x6e\xf0\xb8\x1f\x89\x70\x8b\xa1\xb3\xaf\x11\x3d\x5c\x16\xf6\xd5\x3c\xf3\x86\x82\x91\x4f\x18\x16\xe1\x41\xb0\xa5\x1d\x38\x71\x04\x50\xa2\xc5\xf0\xc5\x98\x7c\xa7\x87\x0d\x11\xe9\x20\xbb\xc2\x3d\x03\x6a\x1d\xf5\x89\x2f\xc0\xd5\x9f\x63\x79\xee\xbf\xcc\xaf\xf8\xfc\x1c\xc5\x69\x6f\x43\x25\xe9\xc3\xec\x3c\xa2\x9b\x78\xb4\x76\xba\x61\xaf\x6b\x51\x43\xf0\x0f\x39\x4a\xe2\xa5", 174); *(uint8_t*)0x2000064b = 9; *(uint8_t*)0x2000064c = 5; *(uint8_t*)0x2000064d = 1; *(uint8_t*)0x2000064e = 0x10; *(uint16_t*)0x2000064f = 0x3ff; *(uint8_t*)0x20000651 = 9; *(uint8_t*)0x20000652 = 6; *(uint8_t*)0x20000653 = 9; *(uint8_t*)0x20000654 = 9; *(uint8_t*)0x20000655 = 5; *(uint8_t*)0x20000656 = 6; *(uint8_t*)0x20000657 = 0; *(uint16_t*)0x20000658 = 0x3ff; *(uint8_t*)0x2000065a = 0x1f; *(uint8_t*)0x2000065b = 6; *(uint8_t*)0x2000065c = 7; *(uint8_t*)0x2000065d = 9; *(uint8_t*)0x2000065e = 5; *(uint8_t*)0x2000065f = 0x80; *(uint8_t*)0x20000660 = 0xc; *(uint16_t*)0x20000661 = 0x400; *(uint8_t*)0x20000663 = 2; *(uint8_t*)0x20000664 = 8; *(uint8_t*)0x20000665 = 6; *(uint8_t*)0x20000666 = 9; *(uint8_t*)0x20000667 = 5; *(uint8_t*)0x20000668 = 4; *(uint8_t*)0x20000669 = 2; *(uint16_t*)0x2000066a = 8; *(uint8_t*)0x2000066c = 0x3f; *(uint8_t*)0x2000066d = 0; *(uint8_t*)0x2000066e = 9; *(uint8_t*)0x2000066f = 0x7b; *(uint8_t*)0x20000670 = 7; memcpy((void*)0x20000671, "\xfa\xaf\xe1\x39\xe2\xc2\x6d\x2a\x37\xc4\xbd\x0f\x57\x0b\xe6\xf1\xaf\xe1\xe7\xdd\x31\x29\xbb\x4e\x93\xe1\xd9\x1f\xec\xda\x52\x92\xb1\xb8\x68\xe1\x46\x7f\x14\xd9\x9b\xb5\xd8\xa9\xea\xf4\xb5\x85\xce\x93\x9b\x3b\xe9\x55\x37\x63\x7d\x10\xa5\xc3\x1b\x79\x11\x61\x02\x5f\xb0\x3a\x9f\x97\xcb\xaf\x12\xc2\xd3\xfa\x96\x90\x62\xfd\xa6\x25\x22\x6a\x78\x44\xfc\x5d\xd3\xf7\x79\x06\x30\x35\xac\xe5\xc8\x37\xde\x73\x1f\x2d\x74\x20\xf5\x34\xb5\xf8\xab\xba\x9a\x74\x9a\x25\x44\x43\x4a\x21\xde\x8c\x68", 121); *(uint8_t*)0x200006ea = 9; *(uint8_t*)0x200006eb = 5; *(uint8_t*)0x200006ec = 0xe; *(uint8_t*)0x200006ed = 0x10; *(uint16_t*)0x200006ee = 8; *(uint8_t*)0x200006f0 = 1; *(uint8_t*)0x200006f1 = 1; *(uint8_t*)0x200006f2 = 0x95; *(uint8_t*)0x200006f3 = 9; *(uint8_t*)0x200006f4 = 5; *(uint8_t*)0x200006f5 = 8; *(uint8_t*)0x200006f6 = 8; *(uint16_t*)0x200006f7 = 0x40; *(uint8_t*)0x200006f9 = 4; *(uint8_t*)0x200006fa = 5; *(uint8_t*)0x200006fb = 0; *(uint32_t*)0x20000900 = 0xa; *(uint64_t*)0x20000904 = 0x20000700; *(uint8_t*)0x20000700 = 0xa; *(uint8_t*)0x20000701 = 6; *(uint16_t*)0x20000702 = 0x50; *(uint8_t*)0x20000704 = 0x14; *(uint8_t*)0x20000705 = 0x28; *(uint8_t*)0x20000706 = 6; *(uint8_t*)0x20000707 = 0x28; *(uint8_t*)0x20000708 = 9; *(uint8_t*)0x20000709 = 0; *(uint32_t*)0x2000090c = 0x51; *(uint64_t*)0x20000910 = 0x20000740; *(uint8_t*)0x20000740 = 5; *(uint8_t*)0x20000741 = 0xf; *(uint16_t*)0x20000742 = 0x51; *(uint8_t*)0x20000744 = 6; *(uint8_t*)0x20000745 = 3; *(uint8_t*)0x20000746 = 0x10; *(uint8_t*)0x20000747 = 0xb; *(uint8_t*)0x20000748 = 3; *(uint8_t*)0x20000749 = 0x10; *(uint8_t*)0x2000074a = 0xb; *(uint8_t*)0x2000074b = 0xb; *(uint8_t*)0x2000074c = 0x10; *(uint8_t*)0x2000074d = 1; *(uint8_t*)0x2000074e = 8; *(uint16_t*)0x2000074f = 0x10; *(uint8_t*)0x20000751 = -1; *(uint8_t*)0x20000752 = 6; *(uint16_t*)0x20000753 = 0x1000; *(uint8_t*)0x20000755 = 0x40; *(uint8_t*)0x20000756 = 0x14; *(uint8_t*)0x20000757 = 0x10; *(uint8_t*)0x20000758 = 4; *(uint8_t*)0x20000759 = 0; memcpy((void*)0x2000075a, "\xc1\x6e\xe1\x67\xa2\xc7\x69\x4c\xf8\xe1\xbb\x43\xa9\x0f\xfc\x24", 16); *(uint8_t*)0x2000076a = 0x24; *(uint8_t*)0x2000076b = 0x10; *(uint8_t*)0x2000076c = 0xa; *(uint8_t*)0x2000076d = -1; STORE_BY_BITMASK(uint32_t, , 0x2000076e, 6, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x2000076e, 0x400, 5, 27); *(uint16_t*)0x20000772 = 0xf88f; *(uint16_t*)0x20000774 = 0xfffa; *(uint32_t*)0x20000776 = 0; *(uint32_t*)0x2000077a = 0xc0c0; *(uint32_t*)0x2000077e = 0x60; *(uint32_t*)0x20000782 = 0xff3f00; *(uint32_t*)0x20000786 = 0xfff0; *(uint32_t*)0x2000078a = 0xff0000; *(uint8_t*)0x2000078e = 3; *(uint8_t*)0x2000078f = 0x10; *(uint8_t*)0x20000790 = 0xb; *(uint32_t*)0x20000918 = 2; *(uint32_t*)0x2000091c = 0xd8; *(uint64_t*)0x20000920 = 0x200007c0; *(uint8_t*)0x200007c0 = 0xd8; *(uint8_t*)0x200007c1 = 3; memcpy((void*)0x200007c2, "\xe4\xe5\x19\x94\x18\x62\x35\xf6\xdd\x68\x5b\x5a\xf9\xc7\x90\xd2\xc6\xac\x3b\x9c\x71\xac\xc8\xbe\x67\x68\x9e\x27\xdb\xea\x32\xef\xfd\xb2\xe6\x8b\x21\x87\x51\x72\xf6\x56\xee\x58\xca\x78\x2e\x43\xca\x10\x8c\x5e\xd0\xf6\xb3\x66\x62\x49\xb1\x03\x51\x8f\x49\xbf\xe2\xcd\x20\x1b\x7b\xa8\x16\xc3\x44\xf3\xe2\x40\xd8\x1e\x0c\xce\xe4\xc1\x1f\xb8\x60\xc6\x1f\x7b\xe1\xab\xaf\x0b\x22\x34\x30\x09\x17\x4c\x7c\xdf\x9d\xde\xc7\x03\x12\x42\x85\x4a\x0e\x95\x7f\x6b\x85\xe0\xc4\xee\xf6\x64\x30\x22\xa8\xd9\x60\xc0\x72\x0f\x8a\x63\x28\xf7\xff\xd7\x6f\x08\xec\x6a\x4c\x5a\x8b\xcd\x4e\xca\x63\xcd\xaf\x03\xd2\x45\xca\xe2\x84\xcf\x01\xfa\x3a\x58\x1d\xef\x6e\x67\xef\xdf\xce\x67\x91\x00\xdc\x6d\x9e\x7e\x3b\x8f\x8a\xed\xdf\xab\xae\xf5\xfe\x47\x91\x23\xd0\xd0\xbb\x2f\x8e\xf7\xce\xcd\x3f\xc1\x8b\x19\xa7\x24\x3b\x71\x8d\xd2\x7f\xb2\x68\x7c\xcb\x8a\xcf\xde\xb7\x41\xcd\x73\x17\xc0", 214); *(uint32_t*)0x20000928 = 4; *(uint64_t*)0x2000092c = 0x200008c0; *(uint8_t*)0x200008c0 = 4; *(uint8_t*)0x200008c1 = 3; *(uint16_t*)0x200008c2 = 0x414; syz_usb_connect(0, 0x5bc, 0x20000140, 0x20000900); break; case 12: syz_usb_disconnect(-1); break; } } int main(void) { syscall(SYS_mmap, 0x20000000ul, 0x1000000ul, 3ul, 0x1012ul, -1, 0ul, 0ul); setup_fault(); use_temporary_dir(); do_sandbox_none(); return 0; } compiler invocation: /syzkaller/shared/netbsd/tools/bin/x86_64--netbsd-g++ [-o /tmp/syz-executor2937286050 -DGOOS_netbsd=1 -DGOARCH_amd64=1 -DHOSTGOOS_linux=1 -x c - -m64 --sysroot /syzkaller/shared/netbsd/dest/ -O2 -pthread -Wall -Werror -Wparentheses -Wframe-larger-than=16384] --- FAIL: TestGenerate/netbsd/amd64/single_syz_usb_connect (0.27s) csource_test.go:150: opts: {Threaded:false Repeat:false RepeatTimes:0 Procs:0 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false UseTmpDir:false HandleSegv:false Repro:false Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}} program: syz_usb_connect(0x4, 0x38a, &(0x7f0000000000)={{0x12, 0x1, 0x200, 0x0, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x378, 0x2, 0x0, 0x4, 0xf0, 0x8, [{{0x9, 0x4, 0x8, 0x75, 0x1, 0x0, 0x0, 0x0, 0x58, [@hid_hid={0x9, 0x21, 0x81, 0x76, 0x1, {0x22, 0xec1}}], [{{0x9, 0x5, 0xb, 0x8, 0x0, 0x7, 0x88, 0xc2}}]}}, {{0x9, 0x4, 0xff, 0x9, 0x7, 0x0, 0x0, 0x0, 0x8, [@cdc_ncm={{0xa, 0x24, 0x6, 0x0, 0x1, "4dd1cb8966"}, {0x5, 0x24, 0x0, 0x8}, {0xd, 0x24, 0xf, 0x1, 0x7f, 0x2, 0x46, 0x2}, {0x6, 0x24, 0x1a, 0x3, 0x4}, [@mdlm_detail={0xed, 0x24, 0x13, 0x1, "86b7ab6a07e3b151ba13786024c67e90720d284c8b2d3d712da30d98fc586c83b95813f27238ceb35b6a6994fdd50416ddef6ecf09c4192fdd97792b2d16c165884e3786a9ba9feb2b0f78025bc903106ddfcc4884e03bf8f0c34ad70e9cf47e90f796d2968fc000d42dd354744a816d5e983ae791119dfd0657a3f089f5adbc0c0cb8508928b83438b094e0b1b1881187c586791e2d875c5eed2f3406bc575baa4034f704f7b96448d39be55d80ed2b60a32df6ff84952a4f6722b0ef9fbb9f13927568e5365524871a0bd339db0fab427ebace00872cde182b184fe556c034cafcd201b73564e2ba"}, @mdlm={0x15, 0x24, 0x12, 0x6}, @acm={0x4, 0x24, 0x2, 0x6}, @obex={0x5, 0x24, 0x15, 0x8001}, @network_terminal={0x7, 0x24, 0xa, 0x1f, 0x6, 0x2, 0x8}, @mdlm_detail={0xc1, 0x24, 0x13, 0x81, "95a8e08f4f0fb3abae5508293f15c3ce0e7ad40fb35072ffd4e27bf4f835ef17cd2c8fc9a24700b1a88016a2acbf09dd7586d878b9a2e1c4f1e3e47ecfe81a831a87b5d75069aff1eb8d59fc23de6555b27ed064c53b272f9afa43e29d712b50b81776b6221e1124fee36fd26656c612a18f54359c6331632dc789f3222ac5ddb2ac3fefe1ab90deec05557917d178562214d26d5cc75fd96dc08e7808b14fe746e74270ca2c092907354c627fdd7ea77991aff9ccef0a9d694c0b2416"}]}], [{{0x9, 0x5, 0x6, 0x2, 0x10, 0x7, 0x0, 0x2, [@generic={0xc0, 0x11, "a804fc8c4a7e0484e1a3ded5c3927b02a7bf114970949fdc776699eaab92367e7c05476d2751499b7c9f2a2da35bb0568ac9d0332d601a99192527a304833e52f6b2ba3116c2d087253b89a72c620a6be76d16aded4fceab48c37c6b79ebc498a82d34215e30650de9a8a3349e9248483e4a981828e478b53b1e29fe87a0307761ae1e028abdd82d9a6869ad9e4c06052825bd2e54a690ee1be817134c6adf81f42863f5dd83d3e9da1ecdb3b4039b2d21a7b6bcadcfadf414bf27fe453c"}]}}, {{0x9, 0x5, 0x8, 0x0, 0x0, 0x20, 0x4, 0x1}}, {{0x9, 0x5, 0x9, 0x10, 0x200, 0x6, 0x20, 0xb}}, {{0x9, 0x5, 0x7, 0x10, 0x200, 0x6d, 0x7f, 0xbb, [@uac_iso={0x7, 0x25, 0x1, 0x1, 0x1}]}}, {{0x9, 0x5, 0x0, 0x10, 0x400, 0x80, 0x42, 0x3, [@uac_iso={0x7, 0x25, 0x1, 0x81, 0x80, 0xfff}, @generic={0x1f, 0xf, "e15cdee62a2768389824649026523e9c63ff85dc832db6da2fd7027ce3"}]}}, {{0x9, 0x5, 0xc, 0x2, 0x3ff, 0xc3, 0x0, 0x9, [@generic={0x15, 0x21, "a95d8e0c167e9ee0a119232223a1b85a05c37c"}, @uac_iso={0x7, 0x25, 0x1, 0x2, 0x0, 0x1}]}}, {{0x9, 0x5, 0xc, 0x10, 0x10, 0x1, 0x8, 0x1, [@uac_iso={0x7, 0x25, 0x1, 0x2, 0x6, 0x2}, @uac_iso={0x7, 0x25, 0x1, 0x81, 0x97, 0x8000}]}}]}}]}}]}}, &(0x7f0000000700)={0xa, &(0x7f00000003c0)={0xa, 0x6, 0x0, 0x10, 0xf2, 0x60, 0x20, 0x2}, 0x1c, &(0x7f0000000400)={0x5, 0xf, 0x1c, 0x2, [@ptm_cap={0x3}, @ss_container_id={0x14, 0x10, 0x4, 0x6, "42f58645aeff7fe8b4cf4167ae7c8d25"}]}, 0x5, [{0xd9, &(0x7f0000000440)=@string={0xd9, 0x3, "29c27fc50b0f4be64eae03a957316b25af1a588882d1b24a8b332bd67def5ab2400d9af0876255138b2310bfb13f248bea02a2d69e47ef05130878a684a41ce92b9b5f0b148d4f3f7ff2a0decbe55c68e1c1857285ccbabd09a0a0c3539a036778084d3a30cc268a9d9e4a5d64d9f9517b09fc2407ae36122991f8e1792a755cd28dcfdfbd0811063b0e03193f9dbb30263dfe4ea2899c16419f6b5a0b0cde0b5a0ccc6486a921707313df867fceac0945370b6cf82d9212a6ee0556abcfb1f9cbd1b179028ca16e948efeb4800cbf10a1cda43f5c94bc"}}, {0x4, &(0x7f0000000540)=@lang_id={0x4, 0x3, 0x41f}}, {0xd1, &(0x7f0000000580)=@string={0xd1, 0x3, "c4e02db64818342235ea51e69b9f6e7786b45f997436ae4c556ea9b238f6793045b7d949285c384b97b59526c456d71c7224d123aa4fb257f4d21d576d4caeb41882bb9f2201d495912da5f342672e74a704e059c7b192ef2e52c6f1adc3cf25a42c0db43b2a4977ec0827408771419e5ed2da5bb2d09fcd9a7bbf27c342930929bd0baa304ae45cde3d275220dfeaa6bf286908cfa26efa451d9983ad4f0602d998cb4945d211e35104553621ef5dae3c4f4555e4cf088691a0375ee5658db44a15cd416a3e2f65c18efcc466e4ce"}}, {0x4, &(0x7f0000000680)=@lang_id={0x4, 0x3, 0x4ff}}, {0x4, &(0x7f00000006c0)=@lang_id={0x4, 0x3, 0x380a}}]}) csource_test.go:151: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #ifndef SYS_mmap #define SYS_mmap 197 #endif static unsigned long long procid; static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } struct usb_endpoint_descriptor { uint8_t bLength; uint8_t bDescriptorType; uint8_t bEndpointAddress; uint8_t bmAttributes; uint16_t wMaxPacketSize; uint8_t bInterval; uint8_t bRefresh; uint8_t bSynchAddress; } __attribute__((packed)); struct usb_device_descriptor { uint8_t bLength; uint8_t bDescriptorType; uint16_t bcdUSB; uint8_t bDeviceClass; uint8_t bDeviceSubClass; uint8_t bDeviceProtocol; uint8_t bMaxPacketSize0; uint16_t idVendor; uint16_t idProduct; uint16_t bcdDevice; uint8_t iManufacturer; uint8_t iProduct; uint8_t iSerialNumber; uint8_t bNumConfigurations; } __attribute__((packed)); struct usb_config_descriptor { uint8_t bLength; uint8_t bDescriptorType; uint16_t wTotalLength; uint8_t bNumInterfaces; uint8_t bConfigurationValue; uint8_t iConfiguration; uint8_t bmAttributes; uint8_t bMaxPower; } __attribute__((packed)); struct usb_interface_descriptor { uint8_t bLength; uint8_t bDescriptorType; uint8_t bInterfaceNumber; uint8_t bAlternateSetting; uint8_t bNumEndpoints; uint8_t bInterfaceClass; uint8_t bInterfaceSubClass; uint8_t bInterfaceProtocol; uint8_t iInterface; } __attribute__((packed)); struct usb_ctrlrequest { uint8_t bRequestType; uint8_t bRequest; uint16_t wValue; uint16_t wIndex; uint16_t wLength; } __attribute__((packed)); struct usb_qualifier_descriptor { uint8_t bLength; uint8_t bDescriptorType; uint16_t bcdUSB; uint8_t bDeviceClass; uint8_t bDeviceSubClass; uint8_t bDeviceProtocol; uint8_t bMaxPacketSize0; uint8_t bNumConfigurations; uint8_t bRESERVED; } __attribute__((packed)); #define USB_TYPE_MASK (0x03 << 5) #define USB_TYPE_STANDARD (0x00 << 5) #define USB_TYPE_CLASS (0x01 << 5) #define USB_TYPE_VENDOR (0x02 << 5) #define USB_TYPE_RESERVED (0x03 << 5) #define USB_DT_DEVICE 0x01 #define USB_DT_CONFIG 0x02 #define USB_DT_STRING 0x03 #define USB_DT_INTERFACE 0x04 #define USB_DT_ENDPOINT 0x05 #define USB_DT_DEVICE_QUALIFIER 0x06 #define USB_DT_OTHER_SPEED_CONFIG 0x07 #define USB_DT_INTERFACE_POWER 0x08 #define USB_DT_OTG 0x09 #define USB_DT_DEBUG 0x0a #define USB_DT_INTERFACE_ASSOCIATION 0x0b #define USB_DT_SECURITY 0x0c #define USB_DT_KEY 0x0d #define USB_DT_ENCRYPTION_TYPE 0x0e #define USB_DT_BOS 0x0f #define USB_DT_DEVICE_CAPABILITY 0x10 #define USB_DT_WIRELESS_ENDPOINT_COMP 0x11 #define USB_DT_WIRE_ADAPTER 0x21 #define USB_DT_RPIPE 0x22 #define USB_DT_CS_RADIO_CONTROL 0x23 #define USB_DT_PIPE_USAGE 0x24 #define USB_DT_SS_ENDPOINT_COMP 0x30 #define USB_DT_SSP_ISOC_ENDPOINT_COMP 0x31 #define USB_REQ_GET_STATUS 0x00 #define USB_REQ_CLEAR_FEATURE 0x01 #define USB_REQ_SET_FEATURE 0x03 #define USB_REQ_SET_ADDRESS 0x05 #define USB_REQ_GET_DESCRIPTOR 0x06 #define USB_REQ_SET_DESCRIPTOR 0x07 #define USB_REQ_GET_CONFIGURATION 0x08 #define USB_REQ_SET_CONFIGURATION 0x09 #define USB_REQ_GET_INTERFACE 0x0A #define USB_REQ_SET_INTERFACE 0x0B #define USB_REQ_SYNCH_FRAME 0x0C #define USB_REQ_SET_SEL 0x30 #define USB_REQ_SET_ISOCH_DELAY 0x31 #define USB_REQ_SET_ENCRYPTION 0x0D #define USB_REQ_GET_ENCRYPTION 0x0E #define USB_REQ_RPIPE_ABORT 0x0E #define USB_REQ_SET_HANDSHAKE 0x0F #define USB_REQ_RPIPE_RESET 0x0F #define USB_REQ_GET_HANDSHAKE 0x10 #define USB_REQ_SET_CONNECTION 0x11 #define USB_REQ_SET_SECURITY_DATA 0x12 #define USB_REQ_GET_SECURITY_DATA 0x13 #define USB_REQ_SET_WUSB_DATA 0x14 #define USB_REQ_LOOPBACK_DATA_WRITE 0x15 #define USB_REQ_LOOPBACK_DATA_READ 0x16 #define USB_REQ_SET_INTERFACE_DS 0x17 #define USB_REQ_GET_PARTNER_PDO 20 #define USB_REQ_GET_BATTERY_STATUS 21 #define USB_REQ_SET_PDO 22 #define USB_REQ_GET_VDM 23 #define USB_REQ_SEND_VDM 24 #define USB_MAX_IFACE_NUM 4 #define USB_MAX_EP_NUM 32 #define USB_MAX_FDS 6 struct usb_endpoint_index { struct usb_endpoint_descriptor desc; int handle; }; struct usb_iface_index { struct usb_interface_descriptor* iface; uint8_t bInterfaceNumber; uint8_t bAlternateSetting; uint8_t bInterfaceClass; struct usb_endpoint_index eps[USB_MAX_EP_NUM]; int eps_num; }; struct usb_device_index { struct usb_device_descriptor* dev; struct usb_config_descriptor* config; uint8_t bDeviceClass; uint8_t bMaxPower; int config_length; struct usb_iface_index ifaces[USB_MAX_IFACE_NUM]; int ifaces_num; int iface_cur; }; struct usb_info { int fd; struct usb_device_index index; }; static struct usb_info usb_devices[USB_MAX_FDS]; static struct usb_device_index* lookup_usb_index(int fd) { for (int i = 0; i < USB_MAX_FDS; i++) { if (__atomic_load_n(&usb_devices[i].fd, __ATOMIC_ACQUIRE) == fd) return &usb_devices[i].index; } return NULL; } static int usb_devices_num; static bool parse_usb_descriptor(const char* buffer, size_t length, struct usb_device_index* index) { if (length < sizeof(*index->dev) + sizeof(*index->config)) return false; memset(index, 0, sizeof(*index)); index->dev = (struct usb_device_descriptor*)buffer; index->config = (struct usb_config_descriptor*)(buffer + sizeof(*index->dev)); index->bDeviceClass = index->dev->bDeviceClass; index->bMaxPower = index->config->bMaxPower; index->config_length = length - sizeof(*index->dev); index->iface_cur = -1; size_t offset = 0; while (true) { if (offset + 1 >= length) break; uint8_t desc_length = buffer[offset]; uint8_t desc_type = buffer[offset + 1]; if (desc_length <= 2) break; if (offset + desc_length > length) break; if (desc_type == USB_DT_INTERFACE && index->ifaces_num < USB_MAX_IFACE_NUM) { struct usb_interface_descriptor* iface = (struct usb_interface_descriptor*)(buffer + offset); index->ifaces[index->ifaces_num].iface = iface; index->ifaces[index->ifaces_num].bInterfaceNumber = iface->bInterfaceNumber; index->ifaces[index->ifaces_num].bAlternateSetting = iface->bAlternateSetting; index->ifaces[index->ifaces_num].bInterfaceClass = iface->bInterfaceClass; index->ifaces_num++; } if (desc_type == USB_DT_ENDPOINT && index->ifaces_num > 0) { struct usb_iface_index* iface = &index->ifaces[index->ifaces_num - 1]; if (iface->eps_num < USB_MAX_EP_NUM) { memcpy(&iface->eps[iface->eps_num].desc, buffer + offset, sizeof(iface->eps[iface->eps_num].desc)); iface->eps_num++; } } offset += desc_length; } return true; } static struct usb_device_index* add_usb_index(int fd, const char* dev, size_t dev_len) { int i = __atomic_fetch_add(&usb_devices_num, 1, __ATOMIC_RELAXED); if (i >= USB_MAX_FDS) return NULL; if (!parse_usb_descriptor(dev, dev_len, &usb_devices[i].index)) return NULL; __atomic_store_n(&usb_devices[i].fd, fd, __ATOMIC_RELEASE); return &usb_devices[i].index; } struct vusb_connect_string_descriptor { uint32_t len; char* str; } __attribute__((packed)); struct vusb_connect_descriptors { uint32_t qual_len; char* qual; uint32_t bos_len; char* bos; uint32_t strs_len; struct vusb_connect_string_descriptor strs[0]; } __attribute__((packed)); static const char default_string[] = { 8, USB_DT_STRING, 's', 0, 'y', 0, 'z', 0 }; static const char default_lang_id[] = { 4, USB_DT_STRING, 0x09, 0x04 }; static bool lookup_connect_response_in(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, struct usb_qualifier_descriptor* qual, char** response_data, uint32_t* response_length) { struct usb_device_index* index = lookup_usb_index(fd); uint8_t str_idx; if (!index) return false; switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_GET_DESCRIPTOR: switch (ctrl->wValue >> 8) { case USB_DT_DEVICE: *response_data = (char*)index->dev; *response_length = sizeof(*index->dev); return true; case USB_DT_CONFIG: *response_data = (char*)index->config; *response_length = index->config_length; return true; case USB_DT_STRING: str_idx = (uint8_t)ctrl->wValue; if (descs && str_idx < descs->strs_len) { *response_data = descs->strs[str_idx].str; *response_length = descs->strs[str_idx].len; return true; } if (str_idx == 0) { *response_data = (char*)&default_lang_id[0]; *response_length = default_lang_id[0]; return true; } *response_data = (char*)&default_string[0]; *response_length = default_string[0]; return true; case USB_DT_BOS: *response_data = descs->bos; *response_length = descs->bos_len; return true; case USB_DT_DEVICE_QUALIFIER: if (!descs->qual) { qual->bLength = sizeof(*qual); qual->bDescriptorType = USB_DT_DEVICE_QUALIFIER; qual->bcdUSB = index->dev->bcdUSB; qual->bDeviceClass = index->dev->bDeviceClass; qual->bDeviceSubClass = index->dev->bDeviceSubClass; qual->bDeviceProtocol = index->dev->bDeviceProtocol; qual->bMaxPacketSize0 = index->dev->bMaxPacketSize0; qual->bNumConfigurations = index->dev->bNumConfigurations; qual->bRESERVED = 0; *response_data = (char*)qual; *response_length = sizeof(*qual); return true; } *response_data = descs->qual; *response_length = descs->qual_len; return true; default: break; } break; default: break; } break; default: break; } return false; } typedef bool (*lookup_connect_out_response_t)(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done); static bool lookup_connect_response_out_generic(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done) { switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_SET_CONFIGURATION: *done = true; return true; default: break; } break; } return false; } static int vhci_open(void) { char path[1024]; snprintf(path, sizeof(path), "/dev/vhci%llu", procid); return open(path, O_RDWR); } static int vhci_setport(int fd, u_int port) { struct vhci_ioc_set_port args; args.port = port; return ioctl(fd, VHCI_IOC_SET_PORT, &args); } static int vhci_usb_attach(int fd) { return ioctl(fd, VHCI_IOC_USB_ATTACH, NULL); } static int vhci_usb_recv(int fd, void* buf, size_t size) { uint8_t* ptr = (uint8_t*)buf; while (1) { ssize_t done = read(fd, ptr, size); if (done < 0) return -1; if ((size_t)done == size) return 0; size -= done; ptr += done; } } static int vhci_usb_send(int fd, void* buf, size_t size) { uint8_t* ptr = (uint8_t*)buf; while (1) { ssize_t done = write(fd, ptr, size); if (done <= 0) return -1; if ((size_t)done == size) return 0; size -= done; ptr += done; } } static volatile long syz_usb_connect_impl(int fd, uint64_t speed, uint64_t dev_len, const char* dev, const struct vusb_connect_descriptors* descs, lookup_connect_out_response_t lookup_connect_response_out) { struct usb_device_index* index = add_usb_index(fd, dev, dev_len); if (!index) { return -1; } if (vhci_setport(fd, 1)) exit(1); if (vhci_usb_attach(fd)) { return -1; } bool done = false; while (!done) { vhci_request_t req; if (vhci_usb_recv(fd, &req, sizeof(req))) { return -1; } if (req.type != VHCI_REQ_CTRL) { return -1; } char* response_data = NULL; uint32_t response_length = 0; struct usb_qualifier_descriptor qual; char data[4096]; if (req.u.ctrl.bmRequestType & UE_DIR_IN) { if (!lookup_connect_response_in(fd, descs, (const struct usb_ctrlrequest*)&req.u.ctrl, &qual, &response_data, &response_length)) { return -1; } } else { if (!lookup_connect_response_out(fd, descs, (const struct usb_ctrlrequest*)&req.u.ctrl, &done)) { return -1; } response_data = NULL; response_length = UGETW(req.u.ctrl.wLength); } if ((req.u.ctrl.bmRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD && req.u.ctrl.bRequest == USB_REQ_SET_CONFIGURATION) { } if (response_length > sizeof(data)) response_length = 0; if ((uint32_t)UGETW(req.u.ctrl.wLength) < response_length) response_length = UGETW(req.u.ctrl.wLength); if (response_data) memcpy(data, response_data, response_length); else memset(data, 0, response_length); int rv = 0; if (req.u.ctrl.bmRequestType & UE_DIR_IN) { if (response_length > 0) { vhci_response_t res; res.size = response_length; rv = vhci_usb_send(fd, &res, sizeof(res)); if (rv == 0) rv = vhci_usb_send(fd, data, response_length); } } else { rv = vhci_usb_recv(fd, data, response_length); } if (rv < 0) { return -1; } } sleep_ms(200); return fd; } static volatile long syz_usb_connect(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { uint64_t speed = a0; uint64_t dev_len = a1; const char* dev = (const char*)a2; const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3; if (!dev) { return -1; } int fd = vhci_open(); if (fd < 0) exit(1); long res = syz_usb_connect_impl(fd, speed, dev_len, dev, descs, &lookup_connect_response_out_generic); close(fd); return res; } int main(void) { syscall(SYS_mmap, 0x20000000ul, 0x1000000ul, 3ul, 0x1012ul, -1, 0ul, 0ul); *(uint8_t*)0x20000000 = 0x12; *(uint8_t*)0x20000001 = 1; *(uint16_t*)0x20000002 = 0x200; *(uint8_t*)0x20000004 = 0; *(uint8_t*)0x20000005 = 0; *(uint8_t*)0x20000006 = 0; *(uint8_t*)0x20000007 = 0x10; *(uint16_t*)0x20000008 = 0; *(uint16_t*)0x2000000a = 0; *(uint16_t*)0x2000000c = 0; *(uint8_t*)0x2000000e = 1; *(uint8_t*)0x2000000f = 2; *(uint8_t*)0x20000010 = 3; *(uint8_t*)0x20000011 = 1; *(uint8_t*)0x20000012 = 9; *(uint8_t*)0x20000013 = 2; *(uint16_t*)0x20000014 = 0x378; *(uint8_t*)0x20000016 = 2; *(uint8_t*)0x20000017 = 0; *(uint8_t*)0x20000018 = 4; *(uint8_t*)0x20000019 = 0xf0; *(uint8_t*)0x2000001a = 8; *(uint8_t*)0x2000001b = 9; *(uint8_t*)0x2000001c = 4; *(uint8_t*)0x2000001d = 8; *(uint8_t*)0x2000001e = 0x75; *(uint8_t*)0x2000001f = 1; *(uint8_t*)0x20000020 = 0; *(uint8_t*)0x20000021 = 0; *(uint8_t*)0x20000022 = 0; *(uint8_t*)0x20000023 = 0x58; *(uint8_t*)0x20000024 = 9; *(uint8_t*)0x20000025 = 0x21; *(uint16_t*)0x20000026 = 0x81; *(uint8_t*)0x20000028 = 0x76; *(uint8_t*)0x20000029 = 1; *(uint8_t*)0x2000002a = 0x22; *(uint16_t*)0x2000002b = 0xec1; *(uint8_t*)0x2000002d = 9; *(uint8_t*)0x2000002e = 5; *(uint8_t*)0x2000002f = 0xb; *(uint8_t*)0x20000030 = 8; *(uint16_t*)0x20000031 = 0; *(uint8_t*)0x20000033 = 7; *(uint8_t*)0x20000034 = 0x88; *(uint8_t*)0x20000035 = 0xc2; *(uint8_t*)0x20000036 = 9; *(uint8_t*)0x20000037 = 4; *(uint8_t*)0x20000038 = -1; *(uint8_t*)0x20000039 = 9; *(uint8_t*)0x2000003a = 7; *(uint8_t*)0x2000003b = 0; *(uint8_t*)0x2000003c = 0; *(uint8_t*)0x2000003d = 0; *(uint8_t*)0x2000003e = 8; *(uint8_t*)0x2000003f = 0xa; *(uint8_t*)0x20000040 = 0x24; *(uint8_t*)0x20000041 = 6; *(uint8_t*)0x20000042 = 0; *(uint8_t*)0x20000043 = 1; memcpy((void*)0x20000044, "\x4d\xd1\xcb\x89\x66", 5); *(uint8_t*)0x20000049 = 5; *(uint8_t*)0x2000004a = 0x24; *(uint8_t*)0x2000004b = 0; *(uint16_t*)0x2000004c = 8; *(uint8_t*)0x2000004e = 0xd; *(uint8_t*)0x2000004f = 0x24; *(uint8_t*)0x20000050 = 0xf; *(uint8_t*)0x20000051 = 1; *(uint32_t*)0x20000052 = 0x7f; *(uint16_t*)0x20000056 = 2; *(uint16_t*)0x20000058 = 0x46; *(uint8_t*)0x2000005a = 2; *(uint8_t*)0x2000005b = 6; *(uint8_t*)0x2000005c = 0x24; *(uint8_t*)0x2000005d = 0x1a; *(uint16_t*)0x2000005e = 3; *(uint8_t*)0x20000060 = 4; *(uint8_t*)0x20000061 = 0xed; *(uint8_t*)0x20000062 = 0x24; *(uint8_t*)0x20000063 = 0x13; *(uint8_t*)0x20000064 = 1; memcpy((void*)0x20000065, "\x86\xb7\xab\x6a\x07\xe3\xb1\x51\xba\x13\x78\x60\x24\xc6\x7e\x90\x72\x0d\x28\x4c\x8b\x2d\x3d\x71\x2d\xa3\x0d\x98\xfc\x58\x6c\x83\xb9\x58\x13\xf2\x72\x38\xce\xb3\x5b\x6a\x69\x94\xfd\xd5\x04\x16\xdd\xef\x6e\xcf\x09\xc4\x19\x2f\xdd\x97\x79\x2b\x2d\x16\xc1\x65\x88\x4e\x37\x86\xa9\xba\x9f\xeb\x2b\x0f\x78\x02\x5b\xc9\x03\x10\x6d\xdf\xcc\x48\x84\xe0\x3b\xf8\xf0\xc3\x4a\xd7\x0e\x9c\xf4\x7e\x90\xf7\x96\xd2\x96\x8f\xc0\x00\xd4\x2d\xd3\x54\x74\x4a\x81\x6d\x5e\x98\x3a\xe7\x91\x11\x9d\xfd\x06\x57\xa3\xf0\x89\xf5\xad\xbc\x0c\x0c\xb8\x50\x89\x28\xb8\x34\x38\xb0\x94\xe0\xb1\xb1\x88\x11\x87\xc5\x86\x79\x1e\x2d\x87\x5c\x5e\xed\x2f\x34\x06\xbc\x57\x5b\xaa\x40\x34\xf7\x04\xf7\xb9\x64\x48\xd3\x9b\xe5\x5d\x80\xed\x2b\x60\xa3\x2d\xf6\xff\x84\x95\x2a\x4f\x67\x22\xb0\xef\x9f\xbb\x9f\x13\x92\x75\x68\xe5\x36\x55\x24\x87\x1a\x0b\xd3\x39\xdb\x0f\xab\x42\x7e\xba\xce\x00\x87\x2c\xde\x18\x2b\x18\x4f\xe5\x56\xc0\x34\xca\xfc\xd2\x01\xb7\x35\x64\xe2\xba", 233); *(uint8_t*)0x2000014e = 0x15; *(uint8_t*)0x2000014f = 0x24; *(uint8_t*)0x20000150 = 0x12; *(uint16_t*)0x20000151 = 6; *(uint64_t*)0x20000153 = 0x14f5e048ba817a3; *(uint64_t*)0x2000015b = 0x2a397ecbffc007a6; *(uint8_t*)0x20000163 = 4; *(uint8_t*)0x20000164 = 0x24; *(uint8_t*)0x20000165 = 2; *(uint8_t*)0x20000166 = 6; *(uint8_t*)0x20000167 = 5; *(uint8_t*)0x20000168 = 0x24; *(uint8_t*)0x20000169 = 0x15; *(uint16_t*)0x2000016a = 0x8001; *(uint8_t*)0x2000016c = 7; *(uint8_t*)0x2000016d = 0x24; *(uint8_t*)0x2000016e = 0xa; *(uint8_t*)0x2000016f = 0x1f; *(uint8_t*)0x20000170 = 6; *(uint8_t*)0x20000171 = 2; *(uint8_t*)0x20000172 = 8; *(uint8_t*)0x20000173 = 0xc1; *(uint8_t*)0x20000174 = 0x24; *(uint8_t*)0x20000175 = 0x13; *(uint8_t*)0x20000176 = 0x81; memcpy((void*)0x20000177, "\x95\xa8\xe0\x8f\x4f\x0f\xb3\xab\xae\x55\x08\x29\x3f\x15\xc3\xce\x0e\x7a\xd4\x0f\xb3\x50\x72\xff\xd4\xe2\x7b\xf4\xf8\x35\xef\x17\xcd\x2c\x8f\xc9\xa2\x47\x00\xb1\xa8\x80\x16\xa2\xac\xbf\x09\xdd\x75\x86\xd8\x78\xb9\xa2\xe1\xc4\xf1\xe3\xe4\x7e\xcf\xe8\x1a\x83\x1a\x87\xb5\xd7\x50\x69\xaf\xf1\xeb\x8d\x59\xfc\x23\xde\x65\x55\xb2\x7e\xd0\x64\xc5\x3b\x27\x2f\x9a\xfa\x43\xe2\x9d\x71\x2b\x50\xb8\x17\x76\xb6\x22\x1e\x11\x24\xfe\xe3\x6f\xd2\x66\x56\xc6\x12\xa1\x8f\x54\x35\x9c\x63\x31\x63\x2d\xc7\x89\xf3\x22\x2a\xc5\xdd\xb2\xac\x3f\xef\xe1\xab\x90\xde\xec\x05\x55\x79\x17\xd1\x78\x56\x22\x14\xd2\x6d\x5c\xc7\x5f\xd9\x6d\xc0\x8e\x78\x08\xb1\x4f\xe7\x46\xe7\x42\x70\xca\x2c\x09\x29\x07\x35\x4c\x62\x7f\xdd\x7e\xa7\x79\x91\xaf\xf9\xcc\xef\x0a\x9d\x69\x4c\x0b\x24\x16", 189); *(uint8_t*)0x20000234 = 9; *(uint8_t*)0x20000235 = 5; *(uint8_t*)0x20000236 = 6; *(uint8_t*)0x20000237 = 2; *(uint16_t*)0x20000238 = 0x10; *(uint8_t*)0x2000023a = 7; *(uint8_t*)0x2000023b = 0; *(uint8_t*)0x2000023c = 2; *(uint8_t*)0x2000023d = 0xc0; *(uint8_t*)0x2000023e = 0x11; memcpy((void*)0x2000023f, "\xa8\x04\xfc\x8c\x4a\x7e\x04\x84\xe1\xa3\xde\xd5\xc3\x92\x7b\x02\xa7\xbf\x11\x49\x70\x94\x9f\xdc\x77\x66\x99\xea\xab\x92\x36\x7e\x7c\x05\x47\x6d\x27\x51\x49\x9b\x7c\x9f\x2a\x2d\xa3\x5b\xb0\x56\x8a\xc9\xd0\x33\x2d\x60\x1a\x99\x19\x25\x27\xa3\x04\x83\x3e\x52\xf6\xb2\xba\x31\x16\xc2\xd0\x87\x25\x3b\x89\xa7\x2c\x62\x0a\x6b\xe7\x6d\x16\xad\xed\x4f\xce\xab\x48\xc3\x7c\x6b\x79\xeb\xc4\x98\xa8\x2d\x34\x21\x5e\x30\x65\x0d\xe9\xa8\xa3\x34\x9e\x92\x48\x48\x3e\x4a\x98\x18\x28\xe4\x78\xb5\x3b\x1e\x29\xfe\x87\xa0\x30\x77\x61\xae\x1e\x02\x8a\xbd\xd8\x2d\x9a\x68\x69\xad\x9e\x4c\x06\x05\x28\x25\xbd\x2e\x54\xa6\x90\xee\x1b\xe8\x17\x13\x4c\x6a\xdf\x81\xf4\x28\x63\xf5\xdd\x83\xd3\xe9\xda\x1e\xcd\xb3\xb4\x03\x9b\x2d\x21\xa7\xb6\xbc\xad\xcf\xad\xf4\x14\xbf\x27\xfe\x45\x3c", 190); *(uint8_t*)0x200002fd = 9; *(uint8_t*)0x200002fe = 5; *(uint8_t*)0x200002ff = 8; *(uint8_t*)0x20000300 = 0; *(uint16_t*)0x20000301 = 0; *(uint8_t*)0x20000303 = 0x20; *(uint8_t*)0x20000304 = 4; *(uint8_t*)0x20000305 = 1; *(uint8_t*)0x20000306 = 9; *(uint8_t*)0x20000307 = 5; *(uint8_t*)0x20000308 = 9; *(uint8_t*)0x20000309 = 0x10; *(uint16_t*)0x2000030a = 0x200; *(uint8_t*)0x2000030c = 6; *(uint8_t*)0x2000030d = 0x20; *(uint8_t*)0x2000030e = 0xb; *(uint8_t*)0x2000030f = 9; *(uint8_t*)0x20000310 = 5; *(uint8_t*)0x20000311 = 7; *(uint8_t*)0x20000312 = 0x10; *(uint16_t*)0x20000313 = 0x200; *(uint8_t*)0x20000315 = 0x6d; *(uint8_t*)0x20000316 = 0x7f; *(uint8_t*)0x20000317 = 0xbb; *(uint8_t*)0x20000318 = 7; *(uint8_t*)0x20000319 = 0x25; *(uint8_t*)0x2000031a = 1; *(uint8_t*)0x2000031b = 1; *(uint8_t*)0x2000031c = 1; *(uint16_t*)0x2000031d = 0; *(uint8_t*)0x2000031f = 9; *(uint8_t*)0x20000320 = 5; *(uint8_t*)0x20000321 = 0; *(uint8_t*)0x20000322 = 0x10; *(uint16_t*)0x20000323 = 0x400; *(uint8_t*)0x20000325 = 0x80; *(uint8_t*)0x20000326 = 0x42; *(uint8_t*)0x20000327 = 3; *(uint8_t*)0x20000328 = 7; *(uint8_t*)0x20000329 = 0x25; *(uint8_t*)0x2000032a = 1; *(uint8_t*)0x2000032b = 0x81; *(uint8_t*)0x2000032c = 0x80; *(uint16_t*)0x2000032d = 0xfff; *(uint8_t*)0x2000032f = 0x1f; *(uint8_t*)0x20000330 = 0xf; memcpy((void*)0x20000331, "\xe1\x5c\xde\xe6\x2a\x27\x68\x38\x98\x24\x64\x90\x26\x52\x3e\x9c\x63\xff\x85\xdc\x83\x2d\xb6\xda\x2f\xd7\x02\x7c\xe3", 29); *(uint8_t*)0x2000034e = 9; *(uint8_t*)0x2000034f = 5; *(uint8_t*)0x20000350 = 0xc; *(uint8_t*)0x20000351 = 2; *(uint16_t*)0x20000352 = 0x3ff; *(uint8_t*)0x20000354 = 0xc3; *(uint8_t*)0x20000355 = 0; *(uint8_t*)0x20000356 = 9; *(uint8_t*)0x20000357 = 0x15; *(uint8_t*)0x20000358 = 0x21; memcpy((void*)0x20000359, "\xa9\x5d\x8e\x0c\x16\x7e\x9e\xe0\xa1\x19\x23\x22\x23\xa1\xb8\x5a\x05\xc3\x7c", 19); *(uint8_t*)0x2000036c = 7; *(uint8_t*)0x2000036d = 0x25; *(uint8_t*)0x2000036e = 1; *(uint8_t*)0x2000036f = 2; *(uint8_t*)0x20000370 = 0; *(uint16_t*)0x20000371 = 1; *(uint8_t*)0x20000373 = 9; *(uint8_t*)0x20000374 = 5; *(uint8_t*)0x20000375 = 0xc; *(uint8_t*)0x20000376 = 0x10; *(uint16_t*)0x20000377 = 0x10; *(uint8_t*)0x20000379 = 1; *(uint8_t*)0x2000037a = 8; *(uint8_t*)0x2000037b = 1; *(uint8_t*)0x2000037c = 7; *(uint8_t*)0x2000037d = 0x25; *(uint8_t*)0x2000037e = 1; *(uint8_t*)0x2000037f = 2; *(uint8_t*)0x20000380 = 6; *(uint16_t*)0x20000381 = 2; *(uint8_t*)0x20000383 = 7; *(uint8_t*)0x20000384 = 0x25; *(uint8_t*)0x20000385 = 1; *(uint8_t*)0x20000386 = 0x81; *(uint8_t*)0x20000387 = 0x97; *(uint16_t*)0x20000388 = 0x8000; *(uint32_t*)0x20000700 = 0xa; *(uint64_t*)0x20000704 = 0x200003c0; *(uint8_t*)0x200003c0 = 0xa; *(uint8_t*)0x200003c1 = 6; *(uint16_t*)0x200003c2 = 0; *(uint8_t*)0x200003c4 = 0x10; *(uint8_t*)0x200003c5 = 0xf2; *(uint8_t*)0x200003c6 = 0x60; *(uint8_t*)0x200003c7 = 0x20; *(uint8_t*)0x200003c8 = 2; *(uint8_t*)0x200003c9 = 0; *(uint32_t*)0x2000070c = 0x1c; *(uint64_t*)0x20000710 = 0x20000400; *(uint8_t*)0x20000400 = 5; *(uint8_t*)0x20000401 = 0xf; *(uint16_t*)0x20000402 = 0x1c; *(uint8_t*)0x20000404 = 2; *(uint8_t*)0x20000405 = 3; *(uint8_t*)0x20000406 = 0x10; *(uint8_t*)0x20000407 = 0xb; *(uint8_t*)0x20000408 = 0x14; *(uint8_t*)0x20000409 = 0x10; *(uint8_t*)0x2000040a = 4; *(uint8_t*)0x2000040b = 6; memcpy((void*)0x2000040c, "\x42\xf5\x86\x45\xae\xff\x7f\xe8\xb4\xcf\x41\x67\xae\x7c\x8d\x25", 16); *(uint32_t*)0x20000718 = 5; *(uint32_t*)0x2000071c = 0xd9; *(uint64_t*)0x20000720 = 0x20000440; *(uint8_t*)0x20000440 = 0xd9; *(uint8_t*)0x20000441 = 3; memcpy((void*)0x20000442, "\x29\xc2\x7f\xc5\x0b\x0f\x4b\xe6\x4e\xae\x03\xa9\x57\x31\x6b\x25\xaf\x1a\x58\x88\x82\xd1\xb2\x4a\x8b\x33\x2b\xd6\x7d\xef\x5a\xb2\x40\x0d\x9a\xf0\x87\x62\x55\x13\x8b\x23\x10\xbf\xb1\x3f\x24\x8b\xea\x02\xa2\xd6\x9e\x47\xef\x05\x13\x08\x78\xa6\x84\xa4\x1c\xe9\x2b\x9b\x5f\x0b\x14\x8d\x4f\x3f\x7f\xf2\xa0\xde\xcb\xe5\x5c\x68\xe1\xc1\x85\x72\x85\xcc\xba\xbd\x09\xa0\xa0\xc3\x53\x9a\x03\x67\x78\x08\x4d\x3a\x30\xcc\x26\x8a\x9d\x9e\x4a\x5d\x64\xd9\xf9\x51\x7b\x09\xfc\x24\x07\xae\x36\x12\x29\x91\xf8\xe1\x79\x2a\x75\x5c\xd2\x8d\xcf\xdf\xbd\x08\x11\x06\x3b\x0e\x03\x19\x3f\x9d\xbb\x30\x26\x3d\xfe\x4e\xa2\x89\x9c\x16\x41\x9f\x6b\x5a\x0b\x0c\xde\x0b\x5a\x0c\xcc\x64\x86\xa9\x21\x70\x73\x13\xdf\x86\x7f\xce\xac\x09\x45\x37\x0b\x6c\xf8\x2d\x92\x12\xa6\xee\x05\x56\xab\xcf\xb1\xf9\xcb\xd1\xb1\x79\x02\x8c\xa1\x6e\x94\x8e\xfe\xb4\x80\x0c\xbf\x10\xa1\xcd\xa4\x3f\x5c\x94\xbc", 215); *(uint32_t*)0x20000728 = 4; *(uint64_t*)0x2000072c = 0x20000540; *(uint8_t*)0x20000540 = 4; *(uint8_t*)0x20000541 = 3; *(uint16_t*)0x20000542 = 0x41f; *(uint32_t*)0x20000734 = 0xd1; *(uint64_t*)0x20000738 = 0x20000580; *(uint8_t*)0x20000580 = 0xd1; *(uint8_t*)0x20000581 = 3; memcpy((void*)0x20000582, "\xc4\xe0\x2d\xb6\x48\x18\x34\x22\x35\xea\x51\xe6\x9b\x9f\x6e\x77\x86\xb4\x5f\x99\x74\x36\xae\x4c\x55\x6e\xa9\xb2\x38\xf6\x79\x30\x45\xb7\xd9\x49\x28\x5c\x38\x4b\x97\xb5\x95\x26\xc4\x56\xd7\x1c\x72\x24\xd1\x23\xaa\x4f\xb2\x57\xf4\xd2\x1d\x57\x6d\x4c\xae\xb4\x18\x82\xbb\x9f\x22\x01\xd4\x95\x91\x2d\xa5\xf3\x42\x67\x2e\x74\xa7\x04\xe0\x59\xc7\xb1\x92\xef\x2e\x52\xc6\xf1\xad\xc3\xcf\x25\xa4\x2c\x0d\xb4\x3b\x2a\x49\x77\xec\x08\x27\x40\x87\x71\x41\x9e\x5e\xd2\xda\x5b\xb2\xd0\x9f\xcd\x9a\x7b\xbf\x27\xc3\x42\x93\x09\x29\xbd\x0b\xaa\x30\x4a\xe4\x5c\xde\x3d\x27\x52\x20\xdf\xea\xa6\xbf\x28\x69\x08\xcf\xa2\x6e\xfa\x45\x1d\x99\x83\xad\x4f\x06\x02\xd9\x98\xcb\x49\x45\xd2\x11\xe3\x51\x04\x55\x36\x21\xef\x5d\xae\x3c\x4f\x45\x55\xe4\xcf\x08\x86\x91\xa0\x37\x5e\xe5\x65\x8d\xb4\x4a\x15\xcd\x41\x6a\x3e\x2f\x65\xc1\x8e\xfc\xc4\x66\xe4\xce", 207); *(uint32_t*)0x20000740 = 4; *(uint64_t*)0x20000744 = 0x20000680; *(uint8_t*)0x20000680 = 4; *(uint8_t*)0x20000681 = 3; *(uint16_t*)0x20000682 = 0x4ff; *(uint32_t*)0x2000074c = 4; *(uint64_t*)0x20000750 = 0x200006c0; *(uint8_t*)0x200006c0 = 4; *(uint8_t*)0x200006c1 = 3; *(uint16_t*)0x200006c2 = 0x380a; syz_usb_connect(4, 0x38a, 0x20000000, 0x20000700); return 0; } compiler invocation: /syzkaller/shared/netbsd/tools/bin/x86_64--netbsd-g++ [-o /tmp/syz-executor3720794376 -DGOOS_netbsd=1 -DGOARCH_amd64=1 -DHOSTGOOS_linux=1 -x c - -m64 --sysroot /syzkaller/shared/netbsd/dest/ -O2 -pthread -Wall -Werror -Wparentheses -Wframe-larger-than=16384] --- FAIL: TestGenerate/netbsd/amd64/10 (0.28s) csource_test.go:148: --- FAIL: TestGenerate/netbsd/amd64/3 (0.28s) csource_test.go:148: --- FAIL: TestGenerate/netbsd/amd64/1 (0.24s) csource_test.go:148: --- FAIL: TestGenerate/netbsd/amd64/9 (0.29s) csource_test.go:148: --- FAIL: TestGenerate/netbsd/amd64/5 (0.29s) csource_test.go:148: --- FAIL: TestGenerate/netbsd/amd64/0 (0.30s) csource_test.go:148: --- FAIL: TestGenerate/netbsd/amd64/8 (0.30s) csource_test.go:148: --- FAIL: TestGenerate/netbsd/amd64/6 (0.31s) csource_test.go:148: --- FAIL: TestGenerate/netbsd/amd64/11 (0.31s) csource_test.go:148: --- FAIL: TestGenerate/netbsd/amd64/2 (0.32s) csource_test.go:148: --- FAIL: TestGenerate/netbsd/amd64/7 (0.28s) csource_test.go:148: FAIL FAIL github.com/google/syzkaller/pkg/csource 5.735s ok github.com/google/syzkaller/pkg/db (cached) ok github.com/google/syzkaller/pkg/email (cached) ok github.com/google/syzkaller/pkg/email/lore (cached) ok github.com/google/syzkaller/pkg/host 7.131s ok github.com/google/syzkaller/pkg/html (cached) ok github.com/google/syzkaller/pkg/ifuzz (cached) ok github.com/google/syzkaller/pkg/image (cached) ok github.com/google/syzkaller/pkg/instance 1.879s ? github.com/google/syzkaller/vm/proxyapp/mocks [no test files] ? github.com/google/syzkaller/vm/proxyapp/proxyrpc [no test files] ? github.com/google/syzkaller/vm/qemu [no test files] ? github.com/google/syzkaller/vm/starnix [no test files] ? github.com/google/syzkaller/vm/vmm [no test files] ? github.com/google/syzkaller/vm/vmware [no test files] ok github.com/google/syzkaller/pkg/ipc 8.768s ok github.com/google/syzkaller/pkg/kconfig 1.711s ok github.com/google/syzkaller/pkg/kd (cached) ok github.com/google/syzkaller/pkg/log (cached) ok github.com/google/syzkaller/pkg/mgrconfig 1.623s ok github.com/google/syzkaller/pkg/osutil (cached) ok github.com/google/syzkaller/pkg/report 5.200s ok github.com/google/syzkaller/pkg/repro 1.526s ok github.com/google/syzkaller/pkg/runtest 195.984s ok github.com/google/syzkaller/pkg/serializer (cached) ok github.com/google/syzkaller/pkg/stats (cached) ok github.com/google/syzkaller/pkg/subsystem (cached) ok github.com/google/syzkaller/pkg/subsystem/linux (cached) ok github.com/google/syzkaller/pkg/subsystem/lists (cached) ok github.com/google/syzkaller/pkg/symbolizer (cached) ok github.com/google/syzkaller/pkg/tool (cached) ok github.com/google/syzkaller/pkg/vcs (cached) ok github.com/google/syzkaller/prog (cached) ok github.com/google/syzkaller/prog/test (cached) ok github.com/google/syzkaller/sys/linux (cached) ok github.com/google/syzkaller/sys/netbsd (cached) ok github.com/google/syzkaller/sys/openbsd (cached) ok github.com/google/syzkaller/syz-ci 0.585s ok github.com/google/syzkaller/syz-fuzzer 0.236s ok github.com/google/syzkaller/syz-hub 0.046s ok github.com/google/syzkaller/syz-hub/state 0.057s ok github.com/google/syzkaller/syz-manager 0.874s ok github.com/google/syzkaller/syz-verifier 0.536s ok github.com/google/syzkaller/tools/syz-kconf (cached) ok github.com/google/syzkaller/tools/syz-linter (cached) ok github.com/google/syzkaller/tools/syz-trace2syz/parser (cached) ok github.com/google/syzkaller/tools/syz-trace2syz/proggen (cached) ok github.com/google/syzkaller/vm 8.414s ok github.com/google/syzkaller/vm/isolated 0.400s ok github.com/google/syzkaller/vm/proxyapp 2.745s ok github.com/google/syzkaller/vm/vmimpl 0.432s FAIL