ok github.com/google/syzkaller/dashboard/app (cached) ? github.com/google/syzkaller/dashboard/dashapi [no test files] ok github.com/google/syzkaller/executor 0.775s ok github.com/google/syzkaller/pkg/ast 1.473s ok github.com/google/syzkaller/pkg/bisect 74.857s ok github.com/google/syzkaller/pkg/build 1.567s ? github.com/google/syzkaller/pkg/cmdprof [no test files] ok github.com/google/syzkaller/pkg/compiler 11.083s ok github.com/google/syzkaller/pkg/config (cached) ? github.com/google/syzkaller/pkg/cover [no test files] --- FAIL: TestGenerate (6.69s) --- FAIL: TestGenerate/freebsd/386 (1.25s) csource_test.go:67: seed=1604050752125219836 --- FAIL: TestGenerate/freebsd/386/0 (0.70s) csource_test.go:123: opts: {Threaded:false Collide:false Repeat:true RepeatTimes:0 Procs:0 Sandbox:none Fault:false FaultCall:0 FaultNth:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false USB:false VhciInjection:false Wifi:false Sysctl:false UseTmpDir:true HandleSegv:false Repro:false Trace:false} program: freebsd12_shm_open(&(0x7f0000000000)='./file0\x00', 0x800, 0xc9) shmdt(0x0) ioctl$DIOCRDELTABLES(0xffffffffffffffff, 0xc450443e, 
&(0x7f0000000140)={{"1ae745ecdf4ddb7e44747b1eb3a361855ef7a8748b3a32b47fdf400933e06930ef3fe6b088373f299afa26d7c3a6a72bd7c42bdff8bd0dbe00a3c743da0bf8bf75598d3832b0892bfe1675071b14997e47cbca02036ccd95a2ab188a9c7e791e60aca10d9082d55b00dc9fbb38db32062f30126fa7c192016eaa6296d00732dc6491b669ed05aa3424a96412adb9fe4f554b492ed2ea1afcfa66eb4c2e3c1c329780ddb31b8f54a73ac065256945d5457b3e7033c8ed44f9030211c71ccd6daafe7e7bb5916c63661179d2fdbadfedb85abfa676044d9887f4d41ebbbca1838587f0b348c164decc4ccaafa573372d8be62a69adcbf9d360fffbdf29530a077c7e9d84123b0956d1afa397b6c54097aa48d73d3e2681b65e3e69d0cb288a5253e7422c88606a543e32038f260e19e03db60da6ea002c9f205871d6033231202d4a215ffe8022f49fbb17c6cdfdbc13da4599159c4e0472c54ca26e14d6990d733e45540acca63c7b3a21d39e6efa913387297da5f468354d4c99878d745b6c92b748fb674307f4b22f7df31f254c0b43b26169c2e1f7f08085f9ff22e70f00f9705790dd80ca430d5ac62aa0a79d1e8497988b6068db2fa515de9eb071655975811b6ab8b8e053a6363429f94348991eaa80d7dc423be49ebab2d74faf7b9fff03f2d06c286fb201be54c6ca10d6629fbd0d0e1432e638be82bd3be039d7e97654973e2c7c2ba65b3c6e7776fa16dee09113d8a47416ee7b67f27ec08989304235ab6f3ddbbbc6fe84a58f7aaf50853af672dad53e000b594271c3c73509cfb292c1f7aee7aa2ea7721e15e57a3b54a5b0e5efe8d9db1852f1bb94f8b6fdd92dc18b86f4ea2982b63ac8c121b7371e6c6ae6bae044ff5abb5a7a2b077ed82a81736dd905dc3491d04873714b331c874356e328f32451c6f456f6c0cd2b1e0c819c3f9a9c736b22ee97fa001b37818d48c43b5a94494d5fe6b97251c71e20bc7e3138a61ce23d373081b599d68ba36b88a5938b117a4ae1c15099cbf9017625fdb060eac5e1ed7009481fc58409aecbf44b4d21a257426cac67a9a0f5062d09f9209ac02aa3878e737fe8e3a4260f1c64b5c5cb071ac125aa5e4e35944368c1dc5e0cc96a11d77cfff539ef38a077428a01dc21748b7342bad2a2614c1b32d50d2aa9ba9b391dcc5824f21637ff6294b5dcfb6fc2a8bb0b2ea2514868f082b7d24335f72bf130acc7f6897259394ea82205fec9ad75a088c1200a94eaac0a8b05af976f1a4a983e8dbee9a03a215e15e18e1958da327c54ea411f76a37c5449d164b6e2a91519f0820c1cc4bd8a3ef9521ab1dce8a1e5306f91050ed6b444f5cc8d1945263b86c999088d10bfc1b05343a7aedd9a84188b84ca09430e32f
73623d1a0fbcf186efc113e44b9f0460cb9d85f1923cbbcd16df5024741ad930aa83b", "a16d9b50c673924a489324b1a091acfa2806d32ca4521d9854097f849d801f7d", 0xf55, 0xff}, &(0x7f0000000040)="0ba5f67637b2cc899fb43f77467cd2484ae43d75010e986c71227dd2931a38beed8272dc4e165fd2500ee8d9e94d1b28ebee4e17489c1ac7437fce6248e61bd96b41dfab13b97449fbe36990decd753ca4683b9f0c66b085443b32448178896cae1b56f280ff82b1d643f010a7a285c83f856123c6095704f1ded1faf9b6549ebb842e6be23da0157aba646cbbdda1a5c712239c6a385327c60ed3b15fb348fa8a269542231434948f98ec31c7b181b4bace16e8d4f73b54772ab93a8c06fa941f20df625308fe12e40f528d5518f9b69637dfc004f00363782f21526d76a67074efcc810939c459", 0x10001, 0xd6a4, 0x6781, 0x5, 0x0, 0x3, 0x1, 0x100}) ioctl$DIOCOSFPADD(0xffffffffffffffff, 0xc088444f, &(0x7f00000005c0)="939d74a08d50eaddabaf8e739e2b76f32dda63627410e55b37f904f85f2a4d8eae182342ad13f87597d2ae0bab40aac155af85eb43bedfa04da9ace97325f492baefeac818abf571afc7fca076103f6f2b3325a6cbe7ae167316b9b039d7a6eda3114870fb908fc51752c0f47396a33d2ead7f90eb30f5626baffa4ec8628672baa74e1a679ae4bd75cc3dd3d099d860f7226344236423010db46eb6edadcdbfe1095be63623012af36edfd0cb748a9f42e8a3aa3910616f6fccbb9c2309a5a807f4e1") getsockopt$inet6_int(0xffffffffffffffff, 0x29, 0x13, &(0x7f00000006c0), &(0x7f0000000700)=0x4) r0 = socket$inet(0x2, 0x10000000, 0x5) getsockopt$inet_sctp_SCTP_AUTOCLOSE(r0, 0x84, 0x5, &(0x7f0000000740), &(0x7f0000000780)=0x4) setsockopt$inet_sctp_SCTP_AUTH_ACTIVE_KEY(r0, 0x84, 0x15, &(0x7f00000007c0)={0x0, 0xfff}, 0x8) setsockopt$sock_timeval(r0, 0xffff, 0x1005, &(0x7f0000000800)={0x40, 0x2}, 0x8) setsockopt$inet_sctp_SCTP_SET_PEER_PRIMARY_ADDR(r0, 0x84, 0x6, &(0x7f0000000840)={@in6={{0x1c, 0x1c, 0x1, 0xffff02b3, @mcast2, 0x3}}}, 0x80) syz_emit_ethernet(0x3d, &(0x7f0000000000)={@local, @random="1470d7fce04b", [{[], {0x8100, 0x6, 0x1, 0x8}}], {@arp={0x806, @generic={0x18, 0x8100, 0x6, 0x7, 0x8, @broadcast, "764566c79812c1", @broadcast, "bf12d92cdfdf963fc3d5df8a580819c1"}}}}) 
syz_execute_func(&(0x7f0000000040)="c0f6aaf083084cc4c27d1a051b000000c4e12f599e00800000c4e1b9f253007c03dbe0c4c1316d80000000803e660f3807a900008010c4e16fd016") syz_extract_tcp_res(&(0x7f0000000080), 0x9, 0x2) csource_test.go:124: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include static void kill_and_wait(int pid, int* status) { kill(pid, SIGKILL); while (waitpid(-1, status, 0) != pid) { } } static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void use_temporary_dir(void) { char tmpdir_template[] = "./syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) exit(1); if (chmod(tmpdir, 0777)) exit(1); if (chdir(tmpdir)) exit(1); } static void __attribute__((noinline)) remove_dir(const char* dir) { DIR* dp = opendir(dir); if (dp == NULL) { if (errno == EACCES) { if (rmdir(dir)) exit(1); return; } exit(1); } struct dirent* ep = 0; while ((ep = readdir(dp))) { if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0) continue; char filename[FILENAME_MAX]; snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name); struct stat st; if (lstat(filename, &st)) exit(1); if (S_ISDIR(st.st_mode)) { remove_dir(filename); continue; } if (unlink(filename)) exit(1); } closedir(dp); if (rmdir(dir)) exit(1); } #define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off)) #define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len)))) static void sandbox_common() { if (setsid() == -1) exit(1); struct rlimit 
rlim; // completes the `struct rlimit rlim;` declaration begun on the previous line, inside sandbox_common()
  // Resource ceilings applied to the harness and everything it forks.
  // Soft and hard limits are set to the same value each time.
  // None of the setrlimit() return values is checked, so a limit that fails
  // to apply goes unnoticed.
  rlim.rlim_cur = rlim.rlim_max = 128 << 20; // 128 MiB of address space
  setrlimit(RLIMIT_AS, &rlim);
  rlim.rlim_cur = rlim.rlim_max = 8 << 20; // 8 MiB of locked memory
  setrlimit(RLIMIT_MEMLOCK, &rlim);
  rlim.rlim_cur = rlim.rlim_max = 1 << 20; // 1 MiB maximum file size
  setrlimit(RLIMIT_FSIZE, &rlim);
  rlim.rlim_cur = rlim.rlim_max = 1 << 20; // 1 MiB stack
  setrlimit(RLIMIT_STACK, &rlim);
  rlim.rlim_cur = rlim.rlim_max = 0; // no core dumps
  setrlimit(RLIMIT_CORE, &rlim);
  rlim.rlim_cur = rlim.rlim_max = 256; // at most 256 open descriptors
  setrlimit(RLIMIT_NOFILE, &rlim);
}

static void loop();

// "Sandbox:none" entry point (see the opts line of this test case): applies
// the rlimits from sandbox_common() and then runs the repeat loop. No
// privilege drop, chroot or namespace setup is performed on this path.
// loop() has no exit in this variant, so the `return 0` is never reached.
static int do_sandbox_none(void)
{
  sandbox_common();
  loop();
  return 0;
}

// Treats the integer `text` as the address of a void(void) function and calls
// it. Further down, execute_one() copies 59 program-supplied bytes to
// 0x10000040 and passes that address here, and main() maps the region with
// protection value 7 (read/write/execute). The harness therefore executes
// fuzzer-chosen machine code on purpose; the only containment visible in this
// listing is the rlimits above and the per-iteration fork in loop().
static long syz_execute_func(volatile long text)
{
  ((void (*)(void))(text))();
  return 0;
}

static void execute_one(void);

#define WAIT_FLAGS 0

// Repeat driver (opts: Repeat:true RepeatTimes:0, hence no upper bound on
// iter). Each iteration creates a fresh working directory "./<iter>", forks,
// runs the program once in the child, and removes the directory afterwards.
static void loop(void)
{
  int iter = 0;
  for (;; iter++) {
    // "./" plus a decimal int plus the terminator fits in 32 bytes for any
    // 32-bit int, so the unbounded sprintf cannot overrun cwdbuf.
    char cwdbuf[32];
    sprintf(cwdbuf, "./%d", iter);
    if (mkdir(cwdbuf, 0777))
      exit(1);
    int pid = fork();
    if (pid < 0)
      exit(1);
    if (pid == 0) {
      // Child: run the program inside its own directory, then exit.
      if (chdir(cwdbuf))
        exit(1);
      execute_one();
      exit(0);
    }
    int status = 0;
    uint64_t start = current_time_ms();
    // Parent: poll for the child once per millisecond; after 5 seconds the
    // child is killed with SIGKILL and reaped by kill_and_wait().
    for (;;) {
      if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
        break;
      sleep_ms(1);
      if (current_time_ms() - start < 5 * 1000)
        continue;
      kill_and_wait(pid, &status);
      break;
    }
    // Recursively delete whatever the program left in its directory.
    remove_dir(cwdbuf);
  }
}

// Resource table: r[0] holds the socket returned by the socket() call below.
// It starts as all-ones, i.e. -1 when cast to intptr_t.
uint64_t r[1] = {0xffffffffffffffff};

// Straight-line translation of the syz program printed above. Arguments are
// materialised at fixed addresses inside the 0x10000000 mapping created by
// main() before each syscall is issued.
void execute_one(void)
{
  intptr_t res = 0;
  memcpy((void*)0x10000000, "./file0\000", 8);
  // The compiler diagnostic at the end of this listing ("use of undeclared
  // identifier 'SYS_freebsd12_shm_open'") points at this call. Presumably the
  // headers used for the freebsd/386 build do not define that constant.
  // TODO confirm against the target's sys/syscall.h.
  syscall(SYS_freebsd12_shm_open, 0x10000000, 0x800, 0xc9);
  syscall(SYS_shmdt, 0);
  memcpy((void*)0x10000140,
"\x1a\xe7\x45\xec\xdf\x4d\xdb\x7e\x44\x74\x7b\x1e\xb3\xa3\x61\x85\x5e\xf7\xa8\x74\x8b\x3a\x32\xb4\x7f\xdf\x40\x09\x33\xe0\x69\x30\xef\x3f\xe6\xb0\x88\x37\x3f\x29\x9a\xfa\x26\xd7\xc3\xa6\xa7\x2b\xd7\xc4\x2b\xdf\xf8\xbd\x0d\xbe\x00\xa3\xc7\x43\xda\x0b\xf8\xbf\x75\x59\x8d\x38\x32\xb0\x89\x2b\xfe\x16\x75\x07\x1b\x14\x99\x7e\x47\xcb\xca\x02\x03\x6c\xcd\x95\xa2\xab\x18\x8a\x9c\x7e\x79\x1e\x60\xac\xa1\x0d\x90\x82\xd5\x5b\x00\xdc\x9f\xbb\x38\xdb\x32\x06\x2f\x30\x12\x6f\xa7\xc1\x92\x01\x6e\xaa\x62\x96\xd0\x07\x32\xdc\x64\x91\xb6\x69\xed\x05\xaa\x34\x24\xa9\x64\x12\xad\xb9\xfe\x4f\x55\x4b\x49\x2e\xd2\xea\x1a\xfc\xfa\x66\xeb\x4c\x2e\x3c\x1c\x32\x97\x80\xdd\xb3\x1b\x8f\x54\xa7\x3a\xc0\x65\x25\x69\x45\xd5\x45\x7b\x3e\x70\x33\xc8\xed\x44\xf9\x03\x02\x11\xc7\x1c\xcd\x6d\xaa\xfe\x7e\x7b\xb5\x91\x6c\x63\x66\x11\x79\xd2\xfd\xba\xdf\xed\xb8\x5a\xbf\xa6\x76\x04\x4d\x98\x87\xf4\xd4\x1e\xbb\xbc\xa1\x83\x85\x87\xf0\xb3\x48\xc1\x64\xde\xcc\x4c\xca\xaf\xa5\x73\x37\x2d\x8b\xe6\x2a\x69\xad\xcb\xf9\xd3\x60\xff\xfb\xdf\x29\x53\x0a\x07\x7c\x7e\x9d\x84\x12\x3b\x09\x56\xd1\xaf\xa3\x97\xb6\xc5\x40\x97\xaa\x48\xd7\x3d\x3e\x26\x81\xb6\x5e\x3e\x69\xd0\xcb\x28\x8a\x52\x53\xe7\x42\x2c\x88\x60\x6a\x54\x3e\x32\x03\x8f\x26\x0e\x19\xe0\x3d\xb6\x0d\xa6\xea\x00\x2c\x9f\x20\x58\x71\xd6\x03\x32\x31\x20\x2d\x4a\x21\x5f\xfe\x80\x22\xf4\x9f\xbb\x17\xc6\xcd\xfd\xbc\x13\xda\x45\x99\x15\x9c\x4e\x04\x72\xc5\x4c\xa2\x6e\x14\xd6\x99\x0d\x73\x3e\x45\x54\x0a\xcc\xa6\x3c\x7b\x3a\x21\xd3\x9e\x6e\xfa\x91\x33\x87\x29\x7d\xa5\xf4\x68\x35\x4d\x4c\x99\x87\x8d\x74\x5b\x6c\x92\xb7\x48\xfb\x67\x43\x07\xf4\xb2\x2f\x7d\xf3\x1f\x25\x4c\x0b\x43\xb2\x61\x69\xc2\xe1\xf7\xf0\x80\x85\xf9\xff\x22\xe7\x0f\x00\xf9\x70\x57\x90\xdd\x80\xca\x43\x0d\x5a\xc6\x2a\xa0\xa7\x9d\x1e\x84\x97\x98\x8b\x60\x68\xdb\x2f\xa5\x15\xde\x9e\xb0\x71\x65\x59\x75\x81\x1b\x6a\xb8\xb8\xe0\x53\xa6\x36\x34\x29\xf9\x43\x48\x99\x1e\xaa\x80\xd7\xdc\x42\x3b\xe4\x9e\xba\xb2\xd7\x4f\xaf\x7b\x9f\xff\x03\xf2\xd0\x6c\x28\x6f\xb2\x01\xbe\x54\xc6\xca\x10\xd6\x62\x9f\xbd\x0d\x0e\x1
4\x32\xe6\x38\xbe\x82\xbd\x3b\xe0\x39\xd7\xe9\x76\x54\x97\x3e\x2c\x7c\x2b\xa6\x5b\x3c\x6e\x77\x76\xfa\x16\xde\xe0\x91\x13\xd8\xa4\x74\x16\xee\x7b\x67\xf2\x7e\xc0\x89\x89\x30\x42\x35\xab\x6f\x3d\xdb\xbb\xc6\xfe\x84\xa5\x8f\x7a\xaf\x50\x85\x3a\xf6\x72\xda\xd5\x3e\x00\x0b\x59\x42\x71\xc3\xc7\x35\x09\xcf\xb2\x92\xc1\xf7\xae\xe7\xaa\x2e\xa7\x72\x1e\x15\xe5\x7a\x3b\x54\xa5\xb0\xe5\xef\xe8\xd9\xdb\x18\x52\xf1\xbb\x94\xf8\xb6\xfd\xd9\x2d\xc1\x8b\x86\xf4\xea\x29\x82\xb6\x3a\xc8\xc1\x21\xb7\x37\x1e\x6c\x6a\xe6\xba\xe0\x44\xff\x5a\xbb\x5a\x7a\x2b\x07\x7e\xd8\x2a\x81\x73\x6d\xd9\x05\xdc\x34\x91\xd0\x48\x73\x71\x4b\x33\x1c\x87\x43\x56\xe3\x28\xf3\x24\x51\xc6\xf4\x56\xf6\xc0\xcd\x2b\x1e\x0c\x81\x9c\x3f\x9a\x9c\x73\x6b\x22\xee\x97\xfa\x00\x1b\x37\x81\x8d\x48\xc4\x3b\x5a\x94\x49\x4d\x5f\xe6\xb9\x72\x51\xc7\x1e\x20\xbc\x7e\x31\x38\xa6\x1c\xe2\x3d\x37\x30\x81\xb5\x99\xd6\x8b\xa3\x6b\x88\xa5\x93\x8b\x11\x7a\x4a\xe1\xc1\x50\x99\xcb\xf9\x01\x76\x25\xfd\xb0\x60\xea\xc5\xe1\xed\x70\x09\x48\x1f\xc5\x84\x09\xae\xcb\xf4\x4b\x4d\x21\xa2\x57\x42\x6c\xac\x67\xa9\xa0\xf5\x06\x2d\x09\xf9\x20\x9a\xc0\x2a\xa3\x87\x8e\x73\x7f\xe8\xe3\xa4\x26\x0f\x1c\x64\xb5\xc5\xcb\x07\x1a\xc1\x25\xaa\x5e\x4e\x35\x94\x43\x68\xc1\xdc\x5e\x0c\xc9\x6a\x11\xd7\x7c\xff\xf5\x39\xef\x38\xa0\x77\x42\x8a\x01\xdc\x21\x74\x8b\x73\x42\xba\xd2\xa2\x61\x4c\x1b\x32\xd5\x0d\x2a\xa9\xba\x9b\x39\x1d\xcc\x58\x24\xf2\x16\x37\xff\x62\x94\xb5\xdc\xfb\x6f\xc2\xa8\xbb\x0b\x2e\xa2\x51\x48\x68\xf0\x82\xb7\xd2\x43\x35\xf7\x2b\xf1\x30\xac\xc7\xf6\x89\x72\x59\x39\x4e\xa8\x22\x05\xfe\xc9\xad\x75\xa0\x88\xc1\x20\x0a\x94\xea\xac\x0a\x8b\x05\xaf\x97\x6f\x1a\x4a\x98\x3e\x8d\xbe\xe9\xa0\x3a\x21\x5e\x15\xe1\x8e\x19\x58\xda\x32\x7c\x54\xea\x41\x1f\x76\xa3\x7c\x54\x49\xd1\x64\xb6\xe2\xa9\x15\x19\xf0\x82\x0c\x1c\xc4\xbd\x8a\x3e\xf9\x52\x1a\xb1\xdc\xe8\xa1\xe5\x30\x6f\x91\x05\x0e\xd6\xb4\x44\xf5\xcc\x8d\x19\x45\x26\x3b\x86\xc9\x99\x08\x8d\x10\xbf\xc1\xb0\x53\x43\xa7\xae\xdd\x9a\x84\x18\x8b\x84\xca\x09\x43\x0e\x32\xf7\x36\x23\xd1\xa0\xfb\xcf\x18\x6e\xfc\x1
1\x3e\x44\xb9\xf0\x46\x0c\xb9\xd8\x5f\x19\x23\xcb\xbc\xd1\x6d\xf5\x02\x47\x41\xad\x93\x0a\xa8\x3b", 1024); memcpy((void*)0x10000540, "\xa1\x6d\x9b\x50\xc6\x73\x92\x4a\x48\x93\x24\xb1\xa0\x91\xac\xfa\x28\x06\xd3\x2c\xa4\x52\x1d\x98\x54\x09\x7f\x84\x9d\x80\x1f\x7d", 32); *(uint32_t*)0x10000560 = 0xf55; *(uint8_t*)0x10000564 = -1; *(uint32_t*)0x10000568 = 0x10000040; memcpy((void*)0x10000040, "\x0b\xa5\xf6\x76\x37\xb2\xcc\x89\x9f\xb4\x3f\x77\x46\x7c\xd2\x48\x4a\xe4\x3d\x75\x01\x0e\x98\x6c\x71\x22\x7d\xd2\x93\x1a\x38\xbe\xed\x82\x72\xdc\x4e\x16\x5f\xd2\x50\x0e\xe8\xd9\xe9\x4d\x1b\x28\xeb\xee\x4e\x17\x48\x9c\x1a\xc7\x43\x7f\xce\x62\x48\xe6\x1b\xd9\x6b\x41\xdf\xab\x13\xb9\x74\x49\xfb\xe3\x69\x90\xde\xcd\x75\x3c\xa4\x68\x3b\x9f\x0c\x66\xb0\x85\x44\x3b\x32\x44\x81\x78\x89\x6c\xae\x1b\x56\xf2\x80\xff\x82\xb1\xd6\x43\xf0\x10\xa7\xa2\x85\xc8\x3f\x85\x61\x23\xc6\x09\x57\x04\xf1\xde\xd1\xfa\xf9\xb6\x54\x9e\xbb\x84\x2e\x6b\xe2\x3d\xa0\x15\x7a\xba\x64\x6c\xbb\xdd\xa1\xa5\xc7\x12\x23\x9c\x6a\x38\x53\x27\xc6\x0e\xd3\xb1\x5f\xb3\x48\xfa\x8a\x26\x95\x42\x23\x14\x34\x94\x8f\x98\xec\x31\xc7\xb1\x81\xb4\xba\xce\x16\xe8\xd4\xf7\x3b\x54\x77\x2a\xb9\x3a\x8c\x06\xfa\x94\x1f\x20\xdf\x62\x53\x08\xfe\x12\xe4\x0f\x52\x8d\x55\x18\xf9\xb6\x96\x37\xdf\xc0\x04\xf0\x03\x63\x78\x2f\x21\x52\x6d\x76\xa6\x70\x74\xef\xcc\x81\x09\x39\xc4\x59", 232); *(uint64_t*)0x1000056c = 0x10001; *(uint64_t*)0x10000574 = 0xd6a4; *(uint64_t*)0x1000057c = 0x6781; *(uint64_t*)0x10000584 = 5; *(uint64_t*)0x1000058c = 0; *(uint64_t*)0x10000594 = 3; *(uint64_t*)0x1000059c = 1; *(uint32_t*)0x100005a4 = 0x100; syscall(SYS_ioctl, -1, 0xc450443e, 0x10000140); memcpy((void*)0x100005c0, 
"\x93\x9d\x74\xa0\x8d\x50\xea\xdd\xab\xaf\x8e\x73\x9e\x2b\x76\xf3\x2d\xda\x63\x62\x74\x10\xe5\x5b\x37\xf9\x04\xf8\x5f\x2a\x4d\x8e\xae\x18\x23\x42\xad\x13\xf8\x75\x97\xd2\xae\x0b\xab\x40\xaa\xc1\x55\xaf\x85\xeb\x43\xbe\xdf\xa0\x4d\xa9\xac\xe9\x73\x25\xf4\x92\xba\xef\xea\xc8\x18\xab\xf5\x71\xaf\xc7\xfc\xa0\x76\x10\x3f\x6f\x2b\x33\x25\xa6\xcb\xe7\xae\x16\x73\x16\xb9\xb0\x39\xd7\xa6\xed\xa3\x11\x48\x70\xfb\x90\x8f\xc5\x17\x52\xc0\xf4\x73\x96\xa3\x3d\x2e\xad\x7f\x90\xeb\x30\xf5\x62\x6b\xaf\xfa\x4e\xc8\x62\x86\x72\xba\xa7\x4e\x1a\x67\x9a\xe4\xbd\x75\xcc\x3d\xd3\xd0\x99\xd8\x60\xf7\x22\x63\x44\x23\x64\x23\x01\x0d\xb4\x6e\xb6\xed\xad\xcd\xbf\xe1\x09\x5b\xe6\x36\x23\x01\x2a\xf3\x6e\xdf\xd0\xcb\x74\x8a\x9f\x42\xe8\xa3\xaa\x39\x10\x61\x6f\x6f\xcc\xbb\x9c\x23\x09\xa5\xa8\x07\xf4\xe1", 195); syscall(SYS_ioctl, -1, 0xc088444f, 0x100005c0); *(uint32_t*)0x10000700 = 4; syscall(SYS_getsockopt, -1, 0x29, 0x13, 0x100006c0, 0x10000700); res = syscall(SYS_socket, 2, 0x10000000, 5); if (res != -1) r[0] = res; *(uint32_t*)0x10000780 = 4; syscall(SYS_getsockopt, (intptr_t)r[0], 0x84, 5, 0x10000740, 0x10000780); *(uint32_t*)0x100007c0 = 0; *(uint16_t*)0x100007c4 = 0xfff; syscall(SYS_setsockopt, (intptr_t)r[0], 0x84, 0x15, 0x100007c0, 8); *(uint32_t*)0x10000800 = 0x40; *(uint32_t*)0x10000804 = 2; syscall(SYS_setsockopt, (intptr_t)r[0], 0xffff, 0x1005, 0x10000800, 8); *(uint8_t*)0x10000840 = 0x1c; *(uint8_t*)0x10000841 = 0x1c; *(uint16_t*)0x10000842 = htobe16(0x4e21); *(uint32_t*)0x10000844 = 0xffff02b3; *(uint8_t*)0x10000848 = -1; *(uint8_t*)0x10000849 = 2; *(uint8_t*)0x1000084a = 0; *(uint8_t*)0x1000084b = 0; *(uint8_t*)0x1000084c = 0; *(uint8_t*)0x1000084d = 0; *(uint8_t*)0x1000084e = 0; *(uint8_t*)0x1000084f = 0; *(uint8_t*)0x10000850 = 0; *(uint8_t*)0x10000851 = 0; *(uint8_t*)0x10000852 = 0; *(uint8_t*)0x10000853 = 0; *(uint8_t*)0x10000854 = 0; *(uint8_t*)0x10000855 = 0; *(uint8_t*)0x10000856 = 0; *(uint8_t*)0x10000857 = 1; *(uint32_t*)0x10000858 = 3; *(uint64_t*)0x1000085c = 0; 
*(uint64_t*)0x10000864 = 0; *(uint64_t*)0x1000086c = 0; *(uint64_t*)0x10000874 = 0; *(uint64_t*)0x1000087c = 0; *(uint64_t*)0x10000884 = 0; *(uint64_t*)0x1000088c = 0; *(uint64_t*)0x10000894 = 0; *(uint64_t*)0x1000089c = 0; *(uint64_t*)0x100008a4 = 0; *(uint64_t*)0x100008ac = 0; *(uint64_t*)0x100008b4 = 0; *(uint32_t*)0x100008bc = 0; syscall(SYS_setsockopt, (intptr_t)r[0], 0x84, 6, 0x10000840, 0x80); *(uint8_t*)0x10000000 = 0xaa; *(uint8_t*)0x10000001 = 0xaa; *(uint8_t*)0x10000002 = 0xaa; *(uint8_t*)0x10000003 = 0xaa; *(uint8_t*)0x10000004 = 0xaa; *(uint8_t*)0x10000005 = 0xaa; memcpy((void*)0x10000006, "\x14\x70\xd7\xfc\xe0\x4b", 6); *(uint16_t*)0x1000000c = htobe16(0x8100); STORE_BY_BITMASK(uint16_t, , 0x1000000e, 6, 0, 3); STORE_BY_BITMASK(uint16_t, , 0x1000000e, 1, 3, 1); STORE_BY_BITMASK(uint16_t, , 0x1000000e, 8, 4, 12); *(uint16_t*)0x10000010 = htobe16(0x806); *(uint16_t*)0x10000012 = htobe16(0x18); *(uint16_t*)0x10000014 = htobe16(0x8100); *(uint8_t*)0x10000016 = 6; *(uint8_t*)0x10000017 = 7; *(uint16_t*)0x10000018 = htobe16(8); *(uint8_t*)0x1000001a = -1; *(uint8_t*)0x1000001b = -1; *(uint8_t*)0x1000001c = -1; *(uint8_t*)0x1000001d = -1; *(uint8_t*)0x1000001e = -1; *(uint8_t*)0x1000001f = -1; memcpy((void*)0x10000020, "\x76\x45\x66\xc7\x98\x12\xc1", 7); *(uint8_t*)0x10000027 = -1; *(uint8_t*)0x10000028 = -1; *(uint8_t*)0x10000029 = -1; *(uint8_t*)0x1000002a = -1; *(uint8_t*)0x1000002b = -1; *(uint8_t*)0x1000002c = -1; memcpy((void*)0x1000002d, "\xbf\x12\xd9\x2c\xdf\xdf\x96\x3f\xc3\xd5\xdf\x8a\x58\x08\x19\xc1", 16); memcpy((void*)0x10000040, "\xc0\xf6\xaa\xf0\x83\x08\x4c\xc4\xc2\x7d\x1a\x05\x1b\x00\x00\x00\xc4\xe1\x2f\x59\x9e\x00\x80\x00\x00\xc4\xe1\xb9\xf2\x53\x00\x7c\x03\xdb\xe0\xc4\xc1\x31\x6d\x80\x00\x00\x00\x80\x3e\x66\x0f\x38\x07\xa9\x00\x00\x80\x10\xc4\xe1\x6f\xd0\x16", 59); syz_execute_func(0x10000040); } int main(void) { syscall(SYS_mmap, 0x10000000, 0x1000000, 7, 0x1012, -1, 0); use_temporary_dir(); do_sandbox_none(); return 0; } :168:10: error: 
use of undeclared identifier 'SYS_freebsd12_shm_open' syscall(SYS_freebsd12_shm_open, 0x10000000, 0x800, 0xc9); ^ 1 error generated. compiler invocation: clang [-o /tmp/syz-executor454118828 -DGOOS_freebsd=1 -DGOARCH_386=1 -DHOSTGOOS_freebsd=1 -x c - -m32 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -static -lc++ -Wno-overflow] --- FAIL: TestGenerate/freebsd/386/4 (1.68s) csource_test.go:123: opts: {Threaded:true Collide:false Repeat:true RepeatTimes:10 Procs:0 Sandbox:none Fault:false FaultCall:0 FaultNth:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false USB:false VhciInjection:false Wifi:false Sysctl:false UseTmpDir:true HandleSegv:false Repro:false Trace:false} program: freebsd12_shm_open(&(0x7f0000000000)='./file0\x00', 0x800, 0xc9) shmdt(0x0) ioctl$DIOCRDELTABLES(0xffffffffffffffff, 0xc450443e, &(0x7f0000000140)={{"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", "a16d9b50c673924a489324b1a091acfa2806d32ca4521d9854097f849d801f7d", 0xf55, 0xff}, &(0x7f0000000040)="0ba5f67637b2cc899fb43f77467cd2484ae43d75010e986c71227dd2931a38beed8272dc4e165fd2500ee8d9e94d1b28ebee4e17489c1ac7437fce6248e61bd96b41dfab13b97449fbe36990decd753ca4683b9f0c66b085443b32448178896cae1b56f280ff82b1d643f010a7a285c83f856123c6095704f1ded1faf9b6549ebb842e6be23da0157aba646cbbdda1a5c712239c6a385327c60ed3b15fb348fa8a269542231434948f98ec31c7b181b4bace16e8d4f73b54772ab93a8c06fa941f20df625308fe12e40f528d5518f9b69637dfc004f00363782f21526d76a67074efcc810939c459", 0x10001, 0xd6a4, 0x6781, 0x5, 0x0, 0x3, 0x1, 0x100}) ioctl$DIOCOSFPADD(0xffffffffffffffff, 0xc088444f, 
&(0x7f00000005c0)="939d74a08d50eaddabaf8e739e2b76f32dda63627410e55b37f904f85f2a4d8eae182342ad13f87597d2ae0bab40aac155af85eb43bedfa04da9ace97325f492baefeac818abf571afc7fca076103f6f2b3325a6cbe7ae167316b9b039d7a6eda3114870fb908fc51752c0f47396a33d2ead7f90eb30f5626baffa4ec8628672baa74e1a679ae4bd75cc3dd3d099d860f7226344236423010db46eb6edadcdbfe1095be63623012af36edfd0cb748a9f42e8a3aa3910616f6fccbb9c2309a5a807f4e1") getsockopt$inet6_int(0xffffffffffffffff, 0x29, 0x13, &(0x7f00000006c0), &(0x7f0000000700)=0x4) r0 = socket$inet(0x2, 0x10000000, 0x5) getsockopt$inet_sctp_SCTP_AUTOCLOSE(r0, 0x84, 0x5, &(0x7f0000000740), &(0x7f0000000780)=0x4) setsockopt$inet_sctp_SCTP_AUTH_ACTIVE_KEY(r0, 0x84, 0x15, &(0x7f00000007c0)={0x0, 0xfff}, 0x8) setsockopt$sock_timeval(r0, 0xffff, 0x1005, &(0x7f0000000800)={0x40, 0x2}, 0x8) setsockopt$inet_sctp_SCTP_SET_PEER_PRIMARY_ADDR(r0, 0x84, 0x6, &(0x7f0000000840)={@in6={{0x1c, 0x1c, 0x1, 0xffff02b3, @mcast2, 0x3}}}, 0x80) syz_emit_ethernet(0x3d, &(0x7f0000000000)={@local, @random="1470d7fce04b", [{[], {0x8100, 0x6, 0x1, 0x8}}], {@arp={0x806, @generic={0x18, 0x8100, 0x6, 0x7, 0x8, @broadcast, "764566c79812c1", @broadcast, "bf12d92cdfdf963fc3d5df8a580819c1"}}}}) syz_execute_func(&(0x7f0000000040)="c0f6aaf083084cc4c27d1a051b000000c4e12f599e00800000c4e1b9f253007c03dbe0c4c1316d80000000803e660f3807a900008010c4e16fd016") syz_extract_tcp_res(&(0x7f0000000080), 0x9, 0x2) csource_test.go:124: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include static void kill_and_wait(int pid, int* status) { kill(pid, SIGKILL); while (waitpid(-1, status, 0) != pid) { } } static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return 
(uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; // tail of current_time_ms(): monotonic clock folded into milliseconds
}

// Creates a private scratch directory under the current directory and makes
// it the working directory. mkdtemp() fills in the XXXXXX suffix; the
// directory is then chmod'ed to 0777 (world-writable). Any failure terminates
// the process.
// NOTE(review): the 0777 mode is presumably there so that sandboxed or
// re-credentialed children can still write into it. Confirm upstream.
static void use_temporary_dir(void)
{
  char tmpdir_template[] = "./syzkaller.XXXXXX";
  char* tmpdir = mkdtemp(tmpdir_template);
  if (!tmpdir)
    exit(1);
  if (chmod(tmpdir, 0777))
    exit(1);
  if (chdir(tmpdir))
    exit(1);
}

// Recursively deletes `dir` and everything below it, exiting on the first
// failure. The tree was written to by the fuzzed program, so its contents are
// not under the harness's control.
static void __attribute__((noinline)) remove_dir(const char* dir)
{
  DIR* dp = opendir(dir);
  if (dp == NULL) {
    // An unreadable directory is removed directly with rmdir(), without
    // listing its contents first.
    if (errno == EACCES) {
      if (rmdir(dir))
        exit(1);
      return;
    }
    exit(1);
  }
  struct dirent* ep = 0;
  while ((ep = readdir(dp))) {
    if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0)
      continue;
    // The snprintf result is not checked, so a path longer than FILENAME_MAX
    // is truncated silently before the lstat() below.
    char filename[FILENAME_MAX];
    snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name);
    struct stat st;
    // lstat() rather than stat(): a symlink is not reported as a directory,
    // so it is unlinked below instead of being followed.
    if (lstat(filename, &st))
      exit(1);
    if (S_ISDIR(st.st_mode)) {
      remove_dir(filename);
      continue;
    }
    if (unlink(filename))
      exit(1);
  }
  closedir(dp);
  if (rmdir(dir))
    exit(1);
}

// Starts a thread running fn(arg) with a 128 KiB stack, retrying up to 100
// times with a 50 microsecond pause; exits the process if no attempt succeeds.
// The thread handle is discarded and the thread is never joined here.
// NOTE(review): pthread_create() reports failure through its return value,
// not errno, so the `errno == EAGAIN` test may be reading a stale value.
// Confirm on the target libc.
static void thread_start(void* (*fn)(void*), void* arg)
{
  pthread_t th;
  pthread_attr_t attr;
  pthread_attr_init(&attr);
  pthread_attr_setstacksize(&attr, 128 << 10);
  int i = 0;
  for (; i < 100; i++) {
    if (pthread_create(&th, &attr, fn, arg) == 0) {
      pthread_attr_destroy(&attr);
      return;
    }
    if (errno == EAGAIN) {
      usleep(50);
      continue;
    }
    break;
  }
  exit(1);
}

// One-shot event: `state` is 0 (clear) or 1 (set), guarded by `mu`, with
// waiters parked on `cv`.
typedef struct {
  pthread_mutex_t mu;
  pthread_cond_t cv;
  int state;
} event_t;

// Initialises the mutex and condition variable with default attributes and
// clears the event; exits on initialisation failure.
static void event_init(event_t* ev)
{
  if (pthread_mutex_init(&ev->mu, 0))
    exit(1);
  if (pthread_cond_init(&ev->cv, 0))
    exit(1);
  ev->state = 0;
}

// Clears the event. Unlike the other accessors, this writes `state` without
// taking `mu`.
static void event_reset(event_t* ev)
{
  ev->state = 0;
}

// Sets the event and wakes all waiters. Setting an event that is already set
// is treated as fatal (exit(1)). The broadcast is issued after the mutex has
// been released.
static void event_set(event_t* ev)
{
  pthread_mutex_lock(&ev->mu);
  if (ev->state)
    exit(1);
  ev->state = 1;
  pthread_mutex_unlock(&ev->mu);
  pthread_cond_broadcast(&ev->cv);
}

// Blocks until the event is set; the while loop re-checks `state` after every
// wake-up.
static void event_wait(event_t* ev)
{
  pthread_mutex_lock(&ev->mu);
  while (!ev->state)
    pthread_cond_wait(&ev->cv, &ev->mu);
  pthread_mutex_unlock(&ev->mu);
}

// Returns the current state (0 or 1), read under the mutex.
static int event_isset(event_t* ev)
{
  pthread_mutex_lock(&ev->mu);
  int res = ev->state;
  pthread_mutex_unlock(&ev->mu);
  return res;
}

// Waits for the event for at most `timeout` milliseconds and returns the
// state observed at the end (1 if set, 0 if the wait timed out).
// NOTE(review): POSIX pthread_cond_timedwait() takes an absolute deadline,
// but `ts` is built from the remaining milliseconds, i.e. a relative
// interval. The call presumably returns ETIMEDOUT at once, so this loop
// polls until `timeout` ms have elapsed. Its return value is not inspected.
// Confirm against the upstream template.
static int event_timedwait(event_t* ev, uint64_t timeout)
{
  uint64_t start = current_time_ms();
  uint64_t now = start;
  pthread_mutex_lock(&ev->mu);
  for (;;) {
    if (ev->state)
      break;
    // Cannot underflow: the loop exits below as soon as now - start exceeds
    // timeout.
    uint64_t remain = timeout - (now - start);
    struct timespec ts;
    ts.tv_sec = remain / 1000;
    ts.tv_nsec = (remain % 1000) * 1000 * 1000;
    pthread_cond_timedwait(&ev->cv, &ev->mu, &ts);
    now = current_time_ms();
    if (now - start > timeout)
      break;
  }
  int res = ev->state;
  pthread_mutex_unlock(&ev->mu);
  return res;
}

// Mask of bf_len one-bits starting at bit bf_off.
#define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off))
// Read-modify-write of a bit-field inside the `type`-sized word at `addr`.
// `htobe` names a byte-order conversion applied on load and on store, and may
// be left empty.
#define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len))))

// Detaches into a new session and applies resource ceilings to the harness
// and everything it forks. Soft and hard limits are set to the same value
// each time. Only setsid() is checked; the setrlimit() return values are
// ignored, so a limit that fails to apply goes unnoticed.
static void sandbox_common()
{
  if (setsid() == -1)
    exit(1);
  struct rlimit rlim;
  rlim.rlim_cur = rlim.rlim_max = 128 << 20; // 128 MiB of address space
  setrlimit(RLIMIT_AS, &rlim);
  rlim.rlim_cur = rlim.rlim_max = 8 << 20; // 8 MiB of locked memory
  setrlimit(RLIMIT_MEMLOCK, &rlim);
  rlim.rlim_cur = rlim.rlim_max = 1 << 20; // 1 MiB maximum file size
  setrlimit(RLIMIT_FSIZE, &rlim);
  rlim.rlim_cur = rlim.rlim_max = 1 << 20; // 1 MiB stack
  setrlimit(RLIMIT_STACK, &rlim);
  rlim.rlim_cur = rlim.rlim_max = 0; // no core dumps
  setrlimit(RLIMIT_CORE, &rlim);
  rlim.rlim_cur = rlim.rlim_max = 256; // at most 256 open descriptors
  setrlimit(RLIMIT_NOFILE, &rlim);
}

static void loop();

// "Sandbox:none" entry point (see the opts line of this test case): applies
// the rlimits from sandbox_common() and then runs the repeat loop. No
// privilege drop, chroot or namespace setup is performed on this path.
static int do_sandbox_none(void)
{
  sandbox_common();
  loop();
  return 0;
}

// Treats the integer `text` as the address of a void(void) function and calls
// it. The syz program printed above passes a buffer of raw bytes to
// syz_execute_func, so the harness executes fuzzer-chosen machine code on
// purpose. The only containment visible in this listing is the rlimits in
// sandbox_common() and the per-iteration fork in loop().
static long syz_execute_func(volatile long text)
{
  ((void (*)(void))(text))();
  return 0;
}

// Per-worker bookkeeping: `created` marks lazy initialisation, `call` is the
// index handed to execute_call(), and `ready`/`done` form the handshake with
// the dispatcher in execute_one().
struct thread_t {
  int created, call;
  event_t ready, done;
};

static struct thread_t threads[16];
static void execute_call(int call);
// Number of calls currently in flight; updated with relaxed atomics.
static int running;

// Worker body: wait for `ready`, run the assigned call, decrement `running`,
// signal `done`, and repeat. The loop has no exit, so `return 0` is never
// reached.
static void* thr(void* arg)
{
  struct thread_t* th = (struct thread_t*)arg;
  for (;;) {
    event_wait(&th->ready);
    event_reset(&th->ready);
    execute_call(th->call);
    __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED);
    event_set(&th->done);
  }
  return 0;
}

// Threaded dispatcher (opts: Threaded:true). For each of the 13 calls of the
// program it picks the first worker whose `done` event is set, creating
// workers lazily. It hands the call over and waits up to 45 ms for it to
// finish. A worker still busy from an earlier call is skipped. If all 16 are
// busy the call is not dispatched at all.
static void execute_one(void)
{
  int i, call, thread;
  for (call = 0; call < 13; call++) {
    for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) {
      struct thread_t* th = &threads[thread];
      if (!th->created) {
        th->created = 1;
        event_init(&th->ready);
        event_init(&th->done);
        // A new worker starts out idle: `done` is pre-set so the check below
        // passes.
        event_set(&th->done);
        thread_start(thr, th);
      }
      if (!event_isset(&th->done))
        continue;
      event_reset(&th->done);
      th->call = call;
      __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED);
      event_set(&th->ready);
      event_timedwait(&th->done, 45);
      break;
    }
  }
  // Give outstanding calls up to about 100 ms to drain before returning.
  for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++)
    sleep_ms(1);
}

static void execute_one(void);

#define WAIT_FLAGS 0

// Repeat driver, bounded to 10 iterations (opts: RepeatTimes:10). Each
// iteration creates a fresh working directory "./<iter>", forks, runs the
// program once in the child, and removes the directory afterwards.
static void loop(void)
{
  int iter = 0;
  for (; iter < 10; iter++) {
    // "./" plus a decimal int plus the terminator fits in 32 bytes for any
    // 32-bit int, so the unbounded sprintf cannot overrun cwdbuf.
    char cwdbuf[32];
    sprintf(cwdbuf, "./%d", iter);
    if (mkdir(cwdbuf, 0777))
      exit(1);
    int pid = fork();
    if (pid < 0)
      exit(1);
    if (pid == 0) {
      // Child: run the program inside its own directory, then exit.
      if (chdir(cwdbuf))
        exit(1);
      execute_one();
      exit(0);
    }
    int status = 0;
    uint64_t start = current_time_ms();
    // Parent: poll for the child once per millisecond; after 5 seconds the
    // child is killed with SIGKILL and reaped by kill_and_wait().
    for (;;) {
      if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
        break;
      sleep_ms(1);
      if (current_time_ms() - start < 5 * 1000)
        continue;
      kill_and_wait(pid, &status);
      break;
    }
    // Recursively delete whatever the program left in its directory.
    remove_dir(cwdbuf);
  }
}

// Resource table: r[0] holds the socket returned by the socket() call
// (case 5). It starts as all-ones, i.e. -1 when cast to intptr_t.
uint64_t r[1] = {0xffffffffffffffff};

// Runs call number `call` of the syz program printed above. Arguments are
// materialised at fixed addresses starting at 0x10000000 before each syscall
// is issued.
void execute_call(int call)
{
  intptr_t res = 0;
  switch (call) {
  case 0:
    memcpy((void*)0x10000000, "./file0\000", 8);
    // Same identifier that the build error reported earlier in this log (for
    // the non-threaded variant) calls undeclared. This variant's own
    // diagnostic lies beyond the visible part of the listing.
    syscall(SYS_freebsd12_shm_open, 0x10000000, 0x800, 0xc9);
    break;
  case 1:
    syscall(SYS_shmdt, 0);
    break;
  case 2:
    memcpy((void*)0x10000140,
"\x1a\xe7\x45\xec\xdf\x4d\xdb\x7e\x44\x74\x7b\x1e\xb3\xa3\x61\x85\x5e\xf7\xa8\x74\x8b\x3a\x32\xb4\x7f\xdf\x40\x09\x33\xe0\x69\x30\xef\x3f\xe6\xb0\x88\x37\x3f\x29\x9a\xfa\x26\xd7\xc3\xa6\xa7\x2b\xd7\xc4\x2b\xdf\xf8\xbd\x0d\xbe\x00\xa3\xc7\x43\xda\x0b\xf8\xbf\x75\x59\x8d\x38\x32\xb0\x89\x2b\xfe\x16\x75\x07\x1b\x14\x99\x7e\x47\xcb\xca\x02\x03\x6c\xcd\x95\xa2\xab\x18\x8a\x9c\x7e\x79\x1e\x60\xac\xa1\x0d\x90\x82\xd5\x5b\x00\xdc\x9f\xbb\x38\xdb\x32\x06\x2f\x30\x12\x6f\xa7\xc1\x92\x01\x6e\xaa\x62\x96\xd0\x07\x32\xdc\x64\x91\xb6\x69\xed\x05\xaa\x34\x24\xa9\x64\x12\xad\xb9\xfe\x4f\x55\x4b\x49\x2e\xd2\xea\x1a\xfc\xfa\x66\xeb\x4c\x2e\x3c\x1c\x32\x97\x80\xdd\xb3\x1b\x8f\x54\xa7\x3a\xc0\x65\x25\x69\x45\xd5\x45\x7b\x3e\x70\x33\xc8\xed\x44\xf9\x03\x02\x11\xc7\x1c\xcd\x6d\xaa\xfe\x7e\x7b\xb5\x91\x6c\x63\x66\x11\x79\xd2\xfd\xba\xdf\xed\xb8\x5a\xbf\xa6\x76\x04\x4d\x98\x87\xf4\xd4\x1e\xbb\xbc\xa1\x83\x85\x87\xf0\xb3\x48\xc1\x64\xde\xcc\x4c\xca\xaf\xa5\x73\x37\x2d\x8b\xe6\x2a\x69\xad\xcb\xf9\xd3\x60\xff\xfb\xdf\x29\x53\x0a\x07\x7c\x7e\x9d\x84\x12\x3b\x09\x56\xd1\xaf\xa3\x97\xb6\xc5\x40\x97\xaa\x48\xd7\x3d\x3e\x26\x81\xb6\x5e\x3e\x69\xd0\xcb\x28\x8a\x52\x53\xe7\x42\x2c\x88\x60\x6a\x54\x3e\x32\x03\x8f\x26\x0e\x19\xe0\x3d\xb6\x0d\xa6\xea\x00\x2c\x9f\x20\x58\x71\xd6\x03\x32\x31\x20\x2d\x4a\x21\x5f\xfe\x80\x22\xf4\x9f\xbb\x17\xc6\xcd\xfd\xbc\x13\xda\x45\x99\x15\x9c\x4e\x04\x72\xc5\x4c\xa2\x6e\x14\xd6\x99\x0d\x73\x3e\x45\x54\x0a\xcc\xa6\x3c\x7b\x3a\x21\xd3\x9e\x6e\xfa\x91\x33\x87\x29\x7d\xa5\xf4\x68\x35\x4d\x4c\x99\x87\x8d\x74\x5b\x6c\x92\xb7\x48\xfb\x67\x43\x07\xf4\xb2\x2f\x7d\xf3\x1f\x25\x4c\x0b\x43\xb2\x61\x69\xc2\xe1\xf7\xf0\x80\x85\xf9\xff\x22\xe7\x0f\x00\xf9\x70\x57\x90\xdd\x80\xca\x43\x0d\x5a\xc6\x2a\xa0\xa7\x9d\x1e\x84\x97\x98\x8b\x60\x68\xdb\x2f\xa5\x15\xde\x9e\xb0\x71\x65\x59\x75\x81\x1b\x6a\xb8\xb8\xe0\x53\xa6\x36\x34\x29\xf9\x43\x48\x99\x1e\xaa\x80\xd7\xdc\x42\x3b\xe4\x9e\xba\xb2\xd7\x4f\xaf\x7b\x9f\xff\x03\xf2\xd0\x6c\x28\x6f\xb2\x01\xbe\x54\xc6\xca\x10\xd6\x62\x9f\xbd\x0d\x0e\x1
4\x32\xe6\x38\xbe\x82\xbd\x3b\xe0\x39\xd7\xe9\x76\x54\x97\x3e\x2c\x7c\x2b\xa6\x5b\x3c\x6e\x77\x76\xfa\x16\xde\xe0\x91\x13\xd8\xa4\x74\x16\xee\x7b\x67\xf2\x7e\xc0\x89\x89\x30\x42\x35\xab\x6f\x3d\xdb\xbb\xc6\xfe\x84\xa5\x8f\x7a\xaf\x50\x85\x3a\xf6\x72\xda\xd5\x3e\x00\x0b\x59\x42\x71\xc3\xc7\x35\x09\xcf\xb2\x92\xc1\xf7\xae\xe7\xaa\x2e\xa7\x72\x1e\x15\xe5\x7a\x3b\x54\xa5\xb0\xe5\xef\xe8\xd9\xdb\x18\x52\xf1\xbb\x94\xf8\xb6\xfd\xd9\x2d\xc1\x8b\x86\xf4\xea\x29\x82\xb6\x3a\xc8\xc1\x21\xb7\x37\x1e\x6c\x6a\xe6\xba\xe0\x44\xff\x5a\xbb\x5a\x7a\x2b\x07\x7e\xd8\x2a\x81\x73\x6d\xd9\x05\xdc\x34\x91\xd0\x48\x73\x71\x4b\x33\x1c\x87\x43\x56\xe3\x28\xf3\x24\x51\xc6\xf4\x56\xf6\xc0\xcd\x2b\x1e\x0c\x81\x9c\x3f\x9a\x9c\x73\x6b\x22\xee\x97\xfa\x00\x1b\x37\x81\x8d\x48\xc4\x3b\x5a\x94\x49\x4d\x5f\xe6\xb9\x72\x51\xc7\x1e\x20\xbc\x7e\x31\x38\xa6\x1c\xe2\x3d\x37\x30\x81\xb5\x99\xd6\x8b\xa3\x6b\x88\xa5\x93\x8b\x11\x7a\x4a\xe1\xc1\x50\x99\xcb\xf9\x01\x76\x25\xfd\xb0\x60\xea\xc5\xe1\xed\x70\x09\x48\x1f\xc5\x84\x09\xae\xcb\xf4\x4b\x4d\x21\xa2\x57\x42\x6c\xac\x67\xa9\xa0\xf5\x06\x2d\x09\xf9\x20\x9a\xc0\x2a\xa3\x87\x8e\x73\x7f\xe8\xe3\xa4\x26\x0f\x1c\x64\xb5\xc5\xcb\x07\x1a\xc1\x25\xaa\x5e\x4e\x35\x94\x43\x68\xc1\xdc\x5e\x0c\xc9\x6a\x11\xd7\x7c\xff\xf5\x39\xef\x38\xa0\x77\x42\x8a\x01\xdc\x21\x74\x8b\x73\x42\xba\xd2\xa2\x61\x4c\x1b\x32\xd5\x0d\x2a\xa9\xba\x9b\x39\x1d\xcc\x58\x24\xf2\x16\x37\xff\x62\x94\xb5\xdc\xfb\x6f\xc2\xa8\xbb\x0b\x2e\xa2\x51\x48\x68\xf0\x82\xb7\xd2\x43\x35\xf7\x2b\xf1\x30\xac\xc7\xf6\x89\x72\x59\x39\x4e\xa8\x22\x05\xfe\xc9\xad\x75\xa0\x88\xc1\x20\x0a\x94\xea\xac\x0a\x8b\x05\xaf\x97\x6f\x1a\x4a\x98\x3e\x8d\xbe\xe9\xa0\x3a\x21\x5e\x15\xe1\x8e\x19\x58\xda\x32\x7c\x54\xea\x41\x1f\x76\xa3\x7c\x54\x49\xd1\x64\xb6\xe2\xa9\x15\x19\xf0\x82\x0c\x1c\xc4\xbd\x8a\x3e\xf9\x52\x1a\xb1\xdc\xe8\xa1\xe5\x30\x6f\x91\x05\x0e\xd6\xb4\x44\xf5\xcc\x8d\x19\x45\x26\x3b\x86\xc9\x99\x08\x8d\x10\xbf\xc1\xb0\x53\x43\xa7\xae\xdd\x9a\x84\x18\x8b\x84\xca\x09\x43\x0e\x32\xf7\x36\x23\xd1\xa0\xfb\xcf\x18\x6e\xfc\x1
1\x3e\x44\xb9\xf0\x46\x0c\xb9\xd8\x5f\x19\x23\xcb\xbc\xd1\x6d\xf5\x02\x47\x41\xad\x93\x0a\xa8\x3b", 1024); memcpy((void*)0x10000540, "\xa1\x6d\x9b\x50\xc6\x73\x92\x4a\x48\x93\x24\xb1\xa0\x91\xac\xfa\x28\x06\xd3\x2c\xa4\x52\x1d\x98\x54\x09\x7f\x84\x9d\x80\x1f\x7d", 32); *(uint32_t*)0x10000560 = 0xf55; *(uint8_t*)0x10000564 = -1; *(uint32_t*)0x10000568 = 0x10000040; memcpy((void*)0x10000040, "\x0b\xa5\xf6\x76\x37\xb2\xcc\x89\x9f\xb4\x3f\x77\x46\x7c\xd2\x48\x4a\xe4\x3d\x75\x01\x0e\x98\x6c\x71\x22\x7d\xd2\x93\x1a\x38\xbe\xed\x82\x72\xdc\x4e\x16\x5f\xd2\x50\x0e\xe8\xd9\xe9\x4d\x1b\x28\xeb\xee\x4e\x17\x48\x9c\x1a\xc7\x43\x7f\xce\x62\x48\xe6\x1b\xd9\x6b\x41\xdf\xab\x13\xb9\x74\x49\xfb\xe3\x69\x90\xde\xcd\x75\x3c\xa4\x68\x3b\x9f\x0c\x66\xb0\x85\x44\x3b\x32\x44\x81\x78\x89\x6c\xae\x1b\x56\xf2\x80\xff\x82\xb1\xd6\x43\xf0\x10\xa7\xa2\x85\xc8\x3f\x85\x61\x23\xc6\x09\x57\x04\xf1\xde\xd1\xfa\xf9\xb6\x54\x9e\xbb\x84\x2e\x6b\xe2\x3d\xa0\x15\x7a\xba\x64\x6c\xbb\xdd\xa1\xa5\xc7\x12\x23\x9c\x6a\x38\x53\x27\xc6\x0e\xd3\xb1\x5f\xb3\x48\xfa\x8a\x26\x95\x42\x23\x14\x34\x94\x8f\x98\xec\x31\xc7\xb1\x81\xb4\xba\xce\x16\xe8\xd4\xf7\x3b\x54\x77\x2a\xb9\x3a\x8c\x06\xfa\x94\x1f\x20\xdf\x62\x53\x08\xfe\x12\xe4\x0f\x52\x8d\x55\x18\xf9\xb6\x96\x37\xdf\xc0\x04\xf0\x03\x63\x78\x2f\x21\x52\x6d\x76\xa6\x70\x74\xef\xcc\x81\x09\x39\xc4\x59", 232); *(uint64_t*)0x1000056c = 0x10001; *(uint64_t*)0x10000574 = 0xd6a4; *(uint64_t*)0x1000057c = 0x6781; *(uint64_t*)0x10000584 = 5; *(uint64_t*)0x1000058c = 0; *(uint64_t*)0x10000594 = 3; *(uint64_t*)0x1000059c = 1; *(uint32_t*)0x100005a4 = 0x100; syscall(SYS_ioctl, -1, 0xc450443e, 0x10000140); break; case 3: memcpy((void*)0x100005c0, 
"\x93\x9d\x74\xa0\x8d\x50\xea\xdd\xab\xaf\x8e\x73\x9e\x2b\x76\xf3\x2d\xda\x63\x62\x74\x10\xe5\x5b\x37\xf9\x04\xf8\x5f\x2a\x4d\x8e\xae\x18\x23\x42\xad\x13\xf8\x75\x97\xd2\xae\x0b\xab\x40\xaa\xc1\x55\xaf\x85\xeb\x43\xbe\xdf\xa0\x4d\xa9\xac\xe9\x73\x25\xf4\x92\xba\xef\xea\xc8\x18\xab\xf5\x71\xaf\xc7\xfc\xa0\x76\x10\x3f\x6f\x2b\x33\x25\xa6\xcb\xe7\xae\x16\x73\x16\xb9\xb0\x39\xd7\xa6\xed\xa3\x11\x48\x70\xfb\x90\x8f\xc5\x17\x52\xc0\xf4\x73\x96\xa3\x3d\x2e\xad\x7f\x90\xeb\x30\xf5\x62\x6b\xaf\xfa\x4e\xc8\x62\x86\x72\xba\xa7\x4e\x1a\x67\x9a\xe4\xbd\x75\xcc\x3d\xd3\xd0\x99\xd8\x60\xf7\x22\x63\x44\x23\x64\x23\x01\x0d\xb4\x6e\xb6\xed\xad\xcd\xbf\xe1\x09\x5b\xe6\x36\x23\x01\x2a\xf3\x6e\xdf\xd0\xcb\x74\x8a\x9f\x42\xe8\xa3\xaa\x39\x10\x61\x6f\x6f\xcc\xbb\x9c\x23\x09\xa5\xa8\x07\xf4\xe1", 195); syscall(SYS_ioctl, -1, 0xc088444f, 0x100005c0); break; case 4: *(uint32_t*)0x10000700 = 4; syscall(SYS_getsockopt, -1, 0x29, 0x13, 0x100006c0, 0x10000700); break; case 5: res = syscall(SYS_socket, 2, 0x10000000, 5); if (res != -1) r[0] = res; break; case 6: *(uint32_t*)0x10000780 = 4; syscall(SYS_getsockopt, (intptr_t)r[0], 0x84, 5, 0x10000740, 0x10000780); break; case 7: *(uint32_t*)0x100007c0 = 0; *(uint16_t*)0x100007c4 = 0xfff; syscall(SYS_setsockopt, (intptr_t)r[0], 0x84, 0x15, 0x100007c0, 8); break; case 8: *(uint32_t*)0x10000800 = 0x40; *(uint32_t*)0x10000804 = 2; syscall(SYS_setsockopt, (intptr_t)r[0], 0xffff, 0x1005, 0x10000800, 8); break; case 9: *(uint8_t*)0x10000840 = 0x1c; *(uint8_t*)0x10000841 = 0x1c; *(uint16_t*)0x10000842 = htobe16(0x4e21); *(uint32_t*)0x10000844 = 0xffff02b3; *(uint8_t*)0x10000848 = -1; *(uint8_t*)0x10000849 = 2; *(uint8_t*)0x1000084a = 0; *(uint8_t*)0x1000084b = 0; *(uint8_t*)0x1000084c = 0; *(uint8_t*)0x1000084d = 0; *(uint8_t*)0x1000084e = 0; *(uint8_t*)0x1000084f = 0; *(uint8_t*)0x10000850 = 0; *(uint8_t*)0x10000851 = 0; *(uint8_t*)0x10000852 = 0; *(uint8_t*)0x10000853 = 0; *(uint8_t*)0x10000854 = 0; *(uint8_t*)0x10000855 = 0; *(uint8_t*)0x10000856 = 0; 
*(uint8_t*)0x10000857 = 1; *(uint32_t*)0x10000858 = 3; *(uint64_t*)0x1000085c = 0; *(uint64_t*)0x10000864 = 0; *(uint64_t*)0x1000086c = 0; *(uint64_t*)0x10000874 = 0; *(uint64_t*)0x1000087c = 0; *(uint64_t*)0x10000884 = 0; *(uint64_t*)0x1000088c = 0; *(uint64_t*)0x10000894 = 0; *(uint64_t*)0x1000089c = 0; *(uint64_t*)0x100008a4 = 0; *(uint64_t*)0x100008ac = 0; *(uint64_t*)0x100008b4 = 0; *(uint32_t*)0x100008bc = 0; syscall(SYS_setsockopt, (intptr_t)r[0], 0x84, 6, 0x10000840, 0x80); break; case 10: *(uint8_t*)0x10000000 = 0xaa; *(uint8_t*)0x10000001 = 0xaa; *(uint8_t*)0x10000002 = 0xaa; *(uint8_t*)0x10000003 = 0xaa; *(uint8_t*)0x10000004 = 0xaa; *(uint8_t*)0x10000005 = 0xaa; memcpy((void*)0x10000006, "\x14\x70\xd7\xfc\xe0\x4b", 6); *(uint16_t*)0x1000000c = htobe16(0x8100); STORE_BY_BITMASK(uint16_t, , 0x1000000e, 6, 0, 3); STORE_BY_BITMASK(uint16_t, , 0x1000000e, 1, 3, 1); STORE_BY_BITMASK(uint16_t, , 0x1000000e, 8, 4, 12); *(uint16_t*)0x10000010 = htobe16(0x806); *(uint16_t*)0x10000012 = htobe16(0x18); *(uint16_t*)0x10000014 = htobe16(0x8100); *(uint8_t*)0x10000016 = 6; *(uint8_t*)0x10000017 = 7; *(uint16_t*)0x10000018 = htobe16(8); *(uint8_t*)0x1000001a = -1; *(uint8_t*)0x1000001b = -1; *(uint8_t*)0x1000001c = -1; *(uint8_t*)0x1000001d = -1; *(uint8_t*)0x1000001e = -1; *(uint8_t*)0x1000001f = -1; memcpy((void*)0x10000020, "\x76\x45\x66\xc7\x98\x12\xc1", 7); *(uint8_t*)0x10000027 = -1; *(uint8_t*)0x10000028 = -1; *(uint8_t*)0x10000029 = -1; *(uint8_t*)0x1000002a = -1; *(uint8_t*)0x1000002b = -1; *(uint8_t*)0x1000002c = -1; memcpy((void*)0x1000002d, "\xbf\x12\xd9\x2c\xdf\xdf\x96\x3f\xc3\xd5\xdf\x8a\x58\x08\x19\xc1", 16); break; case 11: memcpy((void*)0x10000040, "\xc0\xf6\xaa\xf0\x83\x08\x4c\xc4\xc2\x7d\x1a\x05\x1b\x00\x00\x00\xc4\xe1\x2f\x59\x9e\x00\x80\x00\x00\xc4\xe1\xb9\xf2\x53\x00\x7c\x03\xdb\xe0\xc4\xc1\x31\x6d\x80\x00\x00\x00\x80\x3e\x66\x0f\x38\x07\xa9\x00\x00\x80\x10\xc4\xe1\x6f\xd0\x16", 59); syz_execute_func(0x10000040); break; case 12: break; } } int 
main(void) { syscall(SYS_mmap, 0x10000000, 0x1000000, 7, 0x1012, -1, 0); use_temporary_dir(); do_sandbox_none(); return 0; } :309:11: error: use of undeclared identifier 'SYS_freebsd12_shm_open' syscall(SYS_freebsd12_shm_open, 0x10000000, 0x800, 0xc9); ^ 1 error generated. compiler invocation: clang [-o /tmp/syz-executor193510405 -DGOOS_freebsd=1 -DGOARCH_386=1 -DHOSTGOOS_freebsd=1 -x c - -m32 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -static -lc++ -Wno-overflow] --- FAIL: TestGenerate/freebsd/386/7 (1.94s) csource_test.go:123: opts: {Threaded:true Collide:false Repeat:true RepeatTimes:0 Procs:0 Sandbox: Fault:false FaultCall:0 FaultNth:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false USB:false VhciInjection:false Wifi:false Sysctl:false UseTmpDir:true HandleSegv:false Repro:false Trace:false} program: freebsd12_shm_open(&(0x7f0000000000)='./file0\x00', 0x800, 0xc9) shmdt(0x0) ioctl$DIOCRDELTABLES(0xffffffffffffffff, 0xc450443e, 
&(0x7f0000000140)={{"1ae745ecdf4ddb7e44747b1eb3a361855ef7a8748b3a32b47fdf400933e06930ef3fe6b088373f299afa26d7c3a6a72bd7c42bdff8bd0dbe00a3c743da0bf8bf75598d3832b0892bfe1675071b14997e47cbca02036ccd95a2ab188a9c7e791e60aca10d9082d55b00dc9fbb38db32062f30126fa7c192016eaa6296d00732dc6491b669ed05aa3424a96412adb9fe4f554b492ed2ea1afcfa66eb4c2e3c1c329780ddb31b8f54a73ac065256945d5457b3e7033c8ed44f9030211c71ccd6daafe7e7bb5916c63661179d2fdbadfedb85abfa676044d9887f4d41ebbbca1838587f0b348c164decc4ccaafa573372d8be62a69adcbf9d360fffbdf29530a077c7e9d84123b0956d1afa397b6c54097aa48d73d3e2681b65e3e69d0cb288a5253e7422c88606a543e32038f260e19e03db60da6ea002c9f205871d6033231202d4a215ffe8022f49fbb17c6cdfdbc13da4599159c4e0472c54ca26e14d6990d733e45540acca63c7b3a21d39e6efa913387297da5f468354d4c99878d745b6c92b748fb674307f4b22f7df31f254c0b43b26169c2e1f7f08085f9ff22e70f00f9705790dd80ca430d5ac62aa0a79d1e8497988b6068db2fa515de9eb071655975811b6ab8b8e053a6363429f94348991eaa80d7dc423be49ebab2d74faf7b9fff03f2d06c286fb201be54c6ca10d6629fbd0d0e1432e638be82bd3be039d7e97654973e2c7c2ba65b3c6e7776fa16dee09113d8a47416ee7b67f27ec08989304235ab6f3ddbbbc6fe84a58f7aaf50853af672dad53e000b594271c3c73509cfb292c1f7aee7aa2ea7721e15e57a3b54a5b0e5efe8d9db1852f1bb94f8b6fdd92dc18b86f4ea2982b63ac8c121b7371e6c6ae6bae044ff5abb5a7a2b077ed82a81736dd905dc3491d04873714b331c874356e328f32451c6f456f6c0cd2b1e0c819c3f9a9c736b22ee97fa001b37818d48c43b5a94494d5fe6b97251c71e20bc7e3138a61ce23d373081b599d68ba36b88a5938b117a4ae1c15099cbf9017625fdb060eac5e1ed7009481fc58409aecbf44b4d21a257426cac67a9a0f5062d09f9209ac02aa3878e737fe8e3a4260f1c64b5c5cb071ac125aa5e4e35944368c1dc5e0cc96a11d77cfff539ef38a077428a01dc21748b7342bad2a2614c1b32d50d2aa9ba9b391dcc5824f21637ff6294b5dcfb6fc2a8bb0b2ea2514868f082b7d24335f72bf130acc7f6897259394ea82205fec9ad75a088c1200a94eaac0a8b05af976f1a4a983e8dbee9a03a215e15e18e1958da327c54ea411f76a37c5449d164b6e2a91519f0820c1cc4bd8a3ef9521ab1dce8a1e5306f91050ed6b444f5cc8d1945263b86c999088d10bfc1b05343a7aedd9a84188b84ca09430e32f
73623d1a0fbcf186efc113e44b9f0460cb9d85f1923cbbcd16df5024741ad930aa83b", "a16d9b50c673924a489324b1a091acfa2806d32ca4521d9854097f849d801f7d", 0xf55, 0xff}, &(0x7f0000000040)="0ba5f67637b2cc899fb43f77467cd2484ae43d75010e986c71227dd2931a38beed8272dc4e165fd2500ee8d9e94d1b28ebee4e17489c1ac7437fce6248e61bd96b41dfab13b97449fbe36990decd753ca4683b9f0c66b085443b32448178896cae1b56f280ff82b1d643f010a7a285c83f856123c6095704f1ded1faf9b6549ebb842e6be23da0157aba646cbbdda1a5c712239c6a385327c60ed3b15fb348fa8a269542231434948f98ec31c7b181b4bace16e8d4f73b54772ab93a8c06fa941f20df625308fe12e40f528d5518f9b69637dfc004f00363782f21526d76a67074efcc810939c459", 0x10001, 0xd6a4, 0x6781, 0x5, 0x0, 0x3, 0x1, 0x100}) ioctl$DIOCOSFPADD(0xffffffffffffffff, 0xc088444f, &(0x7f00000005c0)="939d74a08d50eaddabaf8e739e2b76f32dda63627410e55b37f904f85f2a4d8eae182342ad13f87597d2ae0bab40aac155af85eb43bedfa04da9ace97325f492baefeac818abf571afc7fca076103f6f2b3325a6cbe7ae167316b9b039d7a6eda3114870fb908fc51752c0f47396a33d2ead7f90eb30f5626baffa4ec8628672baa74e1a679ae4bd75cc3dd3d099d860f7226344236423010db46eb6edadcdbfe1095be63623012af36edfd0cb748a9f42e8a3aa3910616f6fccbb9c2309a5a807f4e1") getsockopt$inet6_int(0xffffffffffffffff, 0x29, 0x13, &(0x7f00000006c0), &(0x7f0000000700)=0x4) r0 = socket$inet(0x2, 0x10000000, 0x5) getsockopt$inet_sctp_SCTP_AUTOCLOSE(r0, 0x84, 0x5, &(0x7f0000000740), &(0x7f0000000780)=0x4) setsockopt$inet_sctp_SCTP_AUTH_ACTIVE_KEY(r0, 0x84, 0x15, &(0x7f00000007c0)={0x0, 0xfff}, 0x8) setsockopt$sock_timeval(r0, 0xffff, 0x1005, &(0x7f0000000800)={0x40, 0x2}, 0x8) setsockopt$inet_sctp_SCTP_SET_PEER_PRIMARY_ADDR(r0, 0x84, 0x6, &(0x7f0000000840)={@in6={{0x1c, 0x1c, 0x1, 0xffff02b3, @mcast2, 0x3}}}, 0x80) syz_emit_ethernet(0x3d, &(0x7f0000000000)={@local, @random="1470d7fce04b", [{[], {0x8100, 0x6, 0x1, 0x8}}], {@arp={0x806, @generic={0x18, 0x8100, 0x6, 0x7, 0x8, @broadcast, "764566c79812c1", @broadcast, "bf12d92cdfdf963fc3d5df8a580819c1"}}}}) 
syz_execute_func(&(0x7f0000000040)="c0f6aaf083084cc4c27d1a051b000000c4e12f599e00800000c4e1b9f253007c03dbe0c4c1316d80000000803e660f3807a900008010c4e16fd016") syz_extract_tcp_res(&(0x7f0000000080), 0x9, 0x2) csource_test.go:124: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include static void kill_and_wait(int pid, int* status) { kill(pid, SIGKILL); while (waitpid(-1, status, 0) != pid) { } } static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void use_temporary_dir(void) { char tmpdir_template[] = "./syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) exit(1); if (chmod(tmpdir, 0777)) exit(1); if (chdir(tmpdir)) exit(1); } static void __attribute__((noinline)) remove_dir(const char* dir) { DIR* dp = opendir(dir); if (dp == NULL) { if (errno == EACCES) { if (rmdir(dir)) exit(1); return; } exit(1); } struct dirent* ep = 0; while ((ep = readdir(dp))) { if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0) continue; char filename[FILENAME_MAX]; snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name); struct stat st; if (lstat(filename, &st)) exit(1); if (S_ISDIR(st.st_mode)) { remove_dir(filename); continue; } if (unlink(filename)) exit(1); } closedir(dp); if (rmdir(dir)) exit(1); } static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); pthread_attr_setstacksize(&attr, 128 << 10); int i = 0; for (; i < 100; i++) { if (pthread_create(&th, &attr, fn, arg) == 0) { pthread_attr_destroy(&attr); return; } if (errno == EAGAIN) { usleep(50); continue; } break; } 
exit(1); } typedef struct { pthread_mutex_t mu; pthread_cond_t cv; int state; } event_t; static void event_init(event_t* ev) { if (pthread_mutex_init(&ev->mu, 0)) exit(1); if (pthread_cond_init(&ev->cv, 0)) exit(1); ev->state = 0; } static void event_reset(event_t* ev) { ev->state = 0; } static void event_set(event_t* ev) { pthread_mutex_lock(&ev->mu); if (ev->state) exit(1); ev->state = 1; pthread_mutex_unlock(&ev->mu); pthread_cond_broadcast(&ev->cv); } static void event_wait(event_t* ev) { pthread_mutex_lock(&ev->mu); while (!ev->state) pthread_cond_wait(&ev->cv, &ev->mu); pthread_mutex_unlock(&ev->mu); } static int event_isset(event_t* ev) { pthread_mutex_lock(&ev->mu); int res = ev->state; pthread_mutex_unlock(&ev->mu); return res; } static int event_timedwait(event_t* ev, uint64_t timeout) { uint64_t start = current_time_ms(); uint64_t now = start; pthread_mutex_lock(&ev->mu); for (;;) { if (ev->state) break; uint64_t remain = timeout - (now - start); struct timespec ts; ts.tv_sec = remain / 1000; ts.tv_nsec = (remain % 1000) * 1000 * 1000; pthread_cond_timedwait(&ev->cv, &ev->mu, &ts); now = current_time_ms(); if (now - start > timeout) break; } int res = ev->state; pthread_mutex_unlock(&ev->mu); return res; } #define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off)) #define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len)))) static long syz_execute_func(volatile long text) { ((void (*)(void))(text))(); return 0; } struct thread_t { int created, call; event_t ready, done; }; static struct thread_t threads[16]; static void execute_call(int call); static int running; static void* thr(void* arg) { struct thread_t* th = (struct thread_t*)arg; for (;;) { event_wait(&th->ready); event_reset(&th->ready); execute_call(th->call); __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED); event_set(&th->done); } return 0; } 
static void execute_one(void) { int i, call, thread; for (call = 0; call < 13; call++) { for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) { struct thread_t* th = &threads[thread]; if (!th->created) { th->created = 1; event_init(&th->ready); event_init(&th->done); event_set(&th->done); thread_start(thr, th); } if (!event_isset(&th->done)) continue; event_reset(&th->done); th->call = call; __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED); event_set(&th->ready); event_timedwait(&th->done, 45); break; } } for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++) sleep_ms(1); } static void execute_one(void); #define WAIT_FLAGS 0 static void loop(void) { int iter = 0; for (;; iter++) { char cwdbuf[32]; sprintf(cwdbuf, "./%d", iter); if (mkdir(cwdbuf, 0777)) exit(1); int pid = fork(); if (pid < 0) exit(1); if (pid == 0) { if (chdir(cwdbuf)) exit(1); execute_one(); exit(0); } int status = 0; uint64_t start = current_time_ms(); for (;;) { if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) break; sleep_ms(1); if (current_time_ms() - start < 5 * 1000) continue; kill_and_wait(pid, &status); break; } remove_dir(cwdbuf); } } uint64_t r[1] = {0xffffffffffffffff}; void execute_call(int call) { intptr_t res = 0; switch (call) { case 0: memcpy((void*)0x10000000, "./file0\000", 8); syscall(SYS_freebsd12_shm_open, 0x10000000, 0x800, 0xc9); break; case 1: syscall(SYS_shmdt, 0); break; case 2: memcpy((void*)0x10000140, 
"\x1a\xe7\x45\xec\xdf\x4d\xdb\x7e\x44\x74\x7b\x1e\xb3\xa3\x61\x85\x5e\xf7\xa8\x74\x8b\x3a\x32\xb4\x7f\xdf\x40\x09\x33\xe0\x69\x30\xef\x3f\xe6\xb0\x88\x37\x3f\x29\x9a\xfa\x26\xd7\xc3\xa6\xa7\x2b\xd7\xc4\x2b\xdf\xf8\xbd\x0d\xbe\x00\xa3\xc7\x43\xda\x0b\xf8\xbf\x75\x59\x8d\x38\x32\xb0\x89\x2b\xfe\x16\x75\x07\x1b\x14\x99\x7e\x47\xcb\xca\x02\x03\x6c\xcd\x95\xa2\xab\x18\x8a\x9c\x7e\x79\x1e\x60\xac\xa1\x0d\x90\x82\xd5\x5b\x00\xdc\x9f\xbb\x38\xdb\x32\x06\x2f\x30\x12\x6f\xa7\xc1\x92\x01\x6e\xaa\x62\x96\xd0\x07\x32\xdc\x64\x91\xb6\x69\xed\x05\xaa\x34\x24\xa9\x64\x12\xad\xb9\xfe\x4f\x55\x4b\x49\x2e\xd2\xea\x1a\xfc\xfa\x66\xeb\x4c\x2e\x3c\x1c\x32\x97\x80\xdd\xb3\x1b\x8f\x54\xa7\x3a\xc0\x65\x25\x69\x45\xd5\x45\x7b\x3e\x70\x33\xc8\xed\x44\xf9\x03\x02\x11\xc7\x1c\xcd\x6d\xaa\xfe\x7e\x7b\xb5\x91\x6c\x63\x66\x11\x79\xd2\xfd\xba\xdf\xed\xb8\x5a\xbf\xa6\x76\x04\x4d\x98\x87\xf4\xd4\x1e\xbb\xbc\xa1\x83\x85\x87\xf0\xb3\x48\xc1\x64\xde\xcc\x4c\xca\xaf\xa5\x73\x37\x2d\x8b\xe6\x2a\x69\xad\xcb\xf9\xd3\x60\xff\xfb\xdf\x29\x53\x0a\x07\x7c\x7e\x9d\x84\x12\x3b\x09\x56\xd1\xaf\xa3\x97\xb6\xc5\x40\x97\xaa\x48\xd7\x3d\x3e\x26\x81\xb6\x5e\x3e\x69\xd0\xcb\x28\x8a\x52\x53\xe7\x42\x2c\x88\x60\x6a\x54\x3e\x32\x03\x8f\x26\x0e\x19\xe0\x3d\xb6\x0d\xa6\xea\x00\x2c\x9f\x20\x58\x71\xd6\x03\x32\x31\x20\x2d\x4a\x21\x5f\xfe\x80\x22\xf4\x9f\xbb\x17\xc6\xcd\xfd\xbc\x13\xda\x45\x99\x15\x9c\x4e\x04\x72\xc5\x4c\xa2\x6e\x14\xd6\x99\x0d\x73\x3e\x45\x54\x0a\xcc\xa6\x3c\x7b\x3a\x21\xd3\x9e\x6e\xfa\x91\x33\x87\x29\x7d\xa5\xf4\x68\x35\x4d\x4c\x99\x87\x8d\x74\x5b\x6c\x92\xb7\x48\xfb\x67\x43\x07\xf4\xb2\x2f\x7d\xf3\x1f\x25\x4c\x0b\x43\xb2\x61\x69\xc2\xe1\xf7\xf0\x80\x85\xf9\xff\x22\xe7\x0f\x00\xf9\x70\x57\x90\xdd\x80\xca\x43\x0d\x5a\xc6\x2a\xa0\xa7\x9d\x1e\x84\x97\x98\x8b\x60\x68\xdb\x2f\xa5\x15\xde\x9e\xb0\x71\x65\x59\x75\x81\x1b\x6a\xb8\xb8\xe0\x53\xa6\x36\x34\x29\xf9\x43\x48\x99\x1e\xaa\x80\xd7\xdc\x42\x3b\xe4\x9e\xba\xb2\xd7\x4f\xaf\x7b\x9f\xff\x03\xf2\xd0\x6c\x28\x6f\xb2\x01\xbe\x54\xc6\xca\x10\xd6\x62\x9f\xbd\x0d\x0e\x1
4\x32\xe6\x38\xbe\x82\xbd\x3b\xe0\x39\xd7\xe9\x76\x54\x97\x3e\x2c\x7c\x2b\xa6\x5b\x3c\x6e\x77\x76\xfa\x16\xde\xe0\x91\x13\xd8\xa4\x74\x16\xee\x7b\x67\xf2\x7e\xc0\x89\x89\x30\x42\x35\xab\x6f\x3d\xdb\xbb\xc6\xfe\x84\xa5\x8f\x7a\xaf\x50\x85\x3a\xf6\x72\xda\xd5\x3e\x00\x0b\x59\x42\x71\xc3\xc7\x35\x09\xcf\xb2\x92\xc1\xf7\xae\xe7\xaa\x2e\xa7\x72\x1e\x15\xe5\x7a\x3b\x54\xa5\xb0\xe5\xef\xe8\xd9\xdb\x18\x52\xf1\xbb\x94\xf8\xb6\xfd\xd9\x2d\xc1\x8b\x86\xf4\xea\x29\x82\xb6\x3a\xc8\xc1\x21\xb7\x37\x1e\x6c\x6a\xe6\xba\xe0\x44\xff\x5a\xbb\x5a\x7a\x2b\x07\x7e\xd8\x2a\x81\x73\x6d\xd9\x05\xdc\x34\x91\xd0\x48\x73\x71\x4b\x33\x1c\x87\x43\x56\xe3\x28\xf3\x24\x51\xc6\xf4\x56\xf6\xc0\xcd\x2b\x1e\x0c\x81\x9c\x3f\x9a\x9c\x73\x6b\x22\xee\x97\xfa\x00\x1b\x37\x81\x8d\x48\xc4\x3b\x5a\x94\x49\x4d\x5f\xe6\xb9\x72\x51\xc7\x1e\x20\xbc\x7e\x31\x38\xa6\x1c\xe2\x3d\x37\x30\x81\xb5\x99\xd6\x8b\xa3\x6b\x88\xa5\x93\x8b\x11\x7a\x4a\xe1\xc1\x50\x99\xcb\xf9\x01\x76\x25\xfd\xb0\x60\xea\xc5\xe1\xed\x70\x09\x48\x1f\xc5\x84\x09\xae\xcb\xf4\x4b\x4d\x21\xa2\x57\x42\x6c\xac\x67\xa9\xa0\xf5\x06\x2d\x09\xf9\x20\x9a\xc0\x2a\xa3\x87\x8e\x73\x7f\xe8\xe3\xa4\x26\x0f\x1c\x64\xb5\xc5\xcb\x07\x1a\xc1\x25\xaa\x5e\x4e\x35\x94\x43\x68\xc1\xdc\x5e\x0c\xc9\x6a\x11\xd7\x7c\xff\xf5\x39\xef\x38\xa0\x77\x42\x8a\x01\xdc\x21\x74\x8b\x73\x42\xba\xd2\xa2\x61\x4c\x1b\x32\xd5\x0d\x2a\xa9\xba\x9b\x39\x1d\xcc\x58\x24\xf2\x16\x37\xff\x62\x94\xb5\xdc\xfb\x6f\xc2\xa8\xbb\x0b\x2e\xa2\x51\x48\x68\xf0\x82\xb7\xd2\x43\x35\xf7\x2b\xf1\x30\xac\xc7\xf6\x89\x72\x59\x39\x4e\xa8\x22\x05\xfe\xc9\xad\x75\xa0\x88\xc1\x20\x0a\x94\xea\xac\x0a\x8b\x05\xaf\x97\x6f\x1a\x4a\x98\x3e\x8d\xbe\xe9\xa0\x3a\x21\x5e\x15\xe1\x8e\x19\x58\xda\x32\x7c\x54\xea\x41\x1f\x76\xa3\x7c\x54\x49\xd1\x64\xb6\xe2\xa9\x15\x19\xf0\x82\x0c\x1c\xc4\xbd\x8a\x3e\xf9\x52\x1a\xb1\xdc\xe8\xa1\xe5\x30\x6f\x91\x05\x0e\xd6\xb4\x44\xf5\xcc\x8d\x19\x45\x26\x3b\x86\xc9\x99\x08\x8d\x10\xbf\xc1\xb0\x53\x43\xa7\xae\xdd\x9a\x84\x18\x8b\x84\xca\x09\x43\x0e\x32\xf7\x36\x23\xd1\xa0\xfb\xcf\x18\x6e\xfc\x1
1\x3e\x44\xb9\xf0\x46\x0c\xb9\xd8\x5f\x19\x23\xcb\xbc\xd1\x6d\xf5\x02\x47\x41\xad\x93\x0a\xa8\x3b", 1024); memcpy((void*)0x10000540, "\xa1\x6d\x9b\x50\xc6\x73\x92\x4a\x48\x93\x24\xb1\xa0\x91\xac\xfa\x28\x06\xd3\x2c\xa4\x52\x1d\x98\x54\x09\x7f\x84\x9d\x80\x1f\x7d", 32); *(uint32_t*)0x10000560 = 0xf55; *(uint8_t*)0x10000564 = -1; *(uint32_t*)0x10000568 = 0x10000040; memcpy((void*)0x10000040, "\x0b\xa5\xf6\x76\x37\xb2\xcc\x89\x9f\xb4\x3f\x77\x46\x7c\xd2\x48\x4a\xe4\x3d\x75\x01\x0e\x98\x6c\x71\x22\x7d\xd2\x93\x1a\x38\xbe\xed\x82\x72\xdc\x4e\x16\x5f\xd2\x50\x0e\xe8\xd9\xe9\x4d\x1b\x28\xeb\xee\x4e\x17\x48\x9c\x1a\xc7\x43\x7f\xce\x62\x48\xe6\x1b\xd9\x6b\x41\xdf\xab\x13\xb9\x74\x49\xfb\xe3\x69\x90\xde\xcd\x75\x3c\xa4\x68\x3b\x9f\x0c\x66\xb0\x85\x44\x3b\x32\x44\x81\x78\x89\x6c\xae\x1b\x56\xf2\x80\xff\x82\xb1\xd6\x43\xf0\x10\xa7\xa2\x85\xc8\x3f\x85\x61\x23\xc6\x09\x57\x04\xf1\xde\xd1\xfa\xf9\xb6\x54\x9e\xbb\x84\x2e\x6b\xe2\x3d\xa0\x15\x7a\xba\x64\x6c\xbb\xdd\xa1\xa5\xc7\x12\x23\x9c\x6a\x38\x53\x27\xc6\x0e\xd3\xb1\x5f\xb3\x48\xfa\x8a\x26\x95\x42\x23\x14\x34\x94\x8f\x98\xec\x31\xc7\xb1\x81\xb4\xba\xce\x16\xe8\xd4\xf7\x3b\x54\x77\x2a\xb9\x3a\x8c\x06\xfa\x94\x1f\x20\xdf\x62\x53\x08\xfe\x12\xe4\x0f\x52\x8d\x55\x18\xf9\xb6\x96\x37\xdf\xc0\x04\xf0\x03\x63\x78\x2f\x21\x52\x6d\x76\xa6\x70\x74\xef\xcc\x81\x09\x39\xc4\x59", 232); *(uint64_t*)0x1000056c = 0x10001; *(uint64_t*)0x10000574 = 0xd6a4; *(uint64_t*)0x1000057c = 0x6781; *(uint64_t*)0x10000584 = 5; *(uint64_t*)0x1000058c = 0; *(uint64_t*)0x10000594 = 3; *(uint64_t*)0x1000059c = 1; *(uint32_t*)0x100005a4 = 0x100; syscall(SYS_ioctl, -1, 0xc450443e, 0x10000140); break; case 3: memcpy((void*)0x100005c0, 
"\x93\x9d\x74\xa0\x8d\x50\xea\xdd\xab\xaf\x8e\x73\x9e\x2b\x76\xf3\x2d\xda\x63\x62\x74\x10\xe5\x5b\x37\xf9\x04\xf8\x5f\x2a\x4d\x8e\xae\x18\x23\x42\xad\x13\xf8\x75\x97\xd2\xae\x0b\xab\x40\xaa\xc1\x55\xaf\x85\xeb\x43\xbe\xdf\xa0\x4d\xa9\xac\xe9\x73\x25\xf4\x92\xba\xef\xea\xc8\x18\xab\xf5\x71\xaf\xc7\xfc\xa0\x76\x10\x3f\x6f\x2b\x33\x25\xa6\xcb\xe7\xae\x16\x73\x16\xb9\xb0\x39\xd7\xa6\xed\xa3\x11\x48\x70\xfb\x90\x8f\xc5\x17\x52\xc0\xf4\x73\x96\xa3\x3d\x2e\xad\x7f\x90\xeb\x30\xf5\x62\x6b\xaf\xfa\x4e\xc8\x62\x86\x72\xba\xa7\x4e\x1a\x67\x9a\xe4\xbd\x75\xcc\x3d\xd3\xd0\x99\xd8\x60\xf7\x22\x63\x44\x23\x64\x23\x01\x0d\xb4\x6e\xb6\xed\xad\xcd\xbf\xe1\x09\x5b\xe6\x36\x23\x01\x2a\xf3\x6e\xdf\xd0\xcb\x74\x8a\x9f\x42\xe8\xa3\xaa\x39\x10\x61\x6f\x6f\xcc\xbb\x9c\x23\x09\xa5\xa8\x07\xf4\xe1", 195); syscall(SYS_ioctl, -1, 0xc088444f, 0x100005c0); break; case 4: *(uint32_t*)0x10000700 = 4; syscall(SYS_getsockopt, -1, 0x29, 0x13, 0x100006c0, 0x10000700); break; case 5: res = syscall(SYS_socket, 2, 0x10000000, 5); if (res != -1) r[0] = res; break; case 6: *(uint32_t*)0x10000780 = 4; syscall(SYS_getsockopt, (intptr_t)r[0], 0x84, 5, 0x10000740, 0x10000780); break; case 7: *(uint32_t*)0x100007c0 = 0; *(uint16_t*)0x100007c4 = 0xfff; syscall(SYS_setsockopt, (intptr_t)r[0], 0x84, 0x15, 0x100007c0, 8); break; case 8: *(uint32_t*)0x10000800 = 0x40; *(uint32_t*)0x10000804 = 2; syscall(SYS_setsockopt, (intptr_t)r[0], 0xffff, 0x1005, 0x10000800, 8); break; case 9: *(uint8_t*)0x10000840 = 0x1c; *(uint8_t*)0x10000841 = 0x1c; *(uint16_t*)0x10000842 = htobe16(0x4e21); *(uint32_t*)0x10000844 = 0xffff02b3; *(uint8_t*)0x10000848 = -1; *(uint8_t*)0x10000849 = 2; *(uint8_t*)0x1000084a = 0; *(uint8_t*)0x1000084b = 0; *(uint8_t*)0x1000084c = 0; *(uint8_t*)0x1000084d = 0; *(uint8_t*)0x1000084e = 0; *(uint8_t*)0x1000084f = 0; *(uint8_t*)0x10000850 = 0; *(uint8_t*)0x10000851 = 0; *(uint8_t*)0x10000852 = 0; *(uint8_t*)0x10000853 = 0; *(uint8_t*)0x10000854 = 0; *(uint8_t*)0x10000855 = 0; *(uint8_t*)0x10000856 = 0; 
*(uint8_t*)0x10000857 = 1; *(uint32_t*)0x10000858 = 3; *(uint64_t*)0x1000085c = 0; *(uint64_t*)0x10000864 = 0; *(uint64_t*)0x1000086c = 0; *(uint64_t*)0x10000874 = 0; *(uint64_t*)0x1000087c = 0; *(uint64_t*)0x10000884 = 0; *(uint64_t*)0x1000088c = 0; *(uint64_t*)0x10000894 = 0; *(uint64_t*)0x1000089c = 0; *(uint64_t*)0x100008a4 = 0; *(uint64_t*)0x100008ac = 0; *(uint64_t*)0x100008b4 = 0; *(uint32_t*)0x100008bc = 0; syscall(SYS_setsockopt, (intptr_t)r[0], 0x84, 6, 0x10000840, 0x80); break; case 10: *(uint8_t*)0x10000000 = 0xaa; *(uint8_t*)0x10000001 = 0xaa; *(uint8_t*)0x10000002 = 0xaa; *(uint8_t*)0x10000003 = 0xaa; *(uint8_t*)0x10000004 = 0xaa; *(uint8_t*)0x10000005 = 0xaa; memcpy((void*)0x10000006, "\x14\x70\xd7\xfc\xe0\x4b", 6); *(uint16_t*)0x1000000c = htobe16(0x8100); STORE_BY_BITMASK(uint16_t, , 0x1000000e, 6, 0, 3); STORE_BY_BITMASK(uint16_t, , 0x1000000e, 1, 3, 1); STORE_BY_BITMASK(uint16_t, , 0x1000000e, 8, 4, 12); *(uint16_t*)0x10000010 = htobe16(0x806); *(uint16_t*)0x10000012 = htobe16(0x18); *(uint16_t*)0x10000014 = htobe16(0x8100); *(uint8_t*)0x10000016 = 6; *(uint8_t*)0x10000017 = 7; *(uint16_t*)0x10000018 = htobe16(8); *(uint8_t*)0x1000001a = -1; *(uint8_t*)0x1000001b = -1; *(uint8_t*)0x1000001c = -1; *(uint8_t*)0x1000001d = -1; *(uint8_t*)0x1000001e = -1; *(uint8_t*)0x1000001f = -1; memcpy((void*)0x10000020, "\x76\x45\x66\xc7\x98\x12\xc1", 7); *(uint8_t*)0x10000027 = -1; *(uint8_t*)0x10000028 = -1; *(uint8_t*)0x10000029 = -1; *(uint8_t*)0x1000002a = -1; *(uint8_t*)0x1000002b = -1; *(uint8_t*)0x1000002c = -1; memcpy((void*)0x1000002d, "\xbf\x12\xd9\x2c\xdf\xdf\x96\x3f\xc3\xd5\xdf\x8a\x58\x08\x19\xc1", 16); break; case 11: memcpy((void*)0x10000040, "\xc0\xf6\xaa\xf0\x83\x08\x4c\xc4\xc2\x7d\x1a\x05\x1b\x00\x00\x00\xc4\xe1\x2f\x59\x9e\x00\x80\x00\x00\xc4\xe1\xb9\xf2\x53\x00\x7c\x03\xdb\xe0\xc4\xc1\x31\x6d\x80\x00\x00\x00\x80\x3e\x66\x0f\x38\x07\xa9\x00\x00\x80\x10\xc4\xe1\x6f\xd0\x16", 59); syz_execute_func(0x10000040); break; case 12: break; } } int 
main(void) { syscall(SYS_mmap, 0x10000000, 0x1000000, 7, 0x1012, -1, 0); use_temporary_dir(); loop(); return 0; } :280:11: error: use of undeclared identifier 'SYS_freebsd12_shm_open' syscall(SYS_freebsd12_shm_open, 0x10000000, 0x800, 0xc9); ^ 1 error generated. compiler invocation: clang [-o /tmp/syz-executor130069119 -DGOOS_freebsd=1 -DGOARCH_386=1 -DHOSTGOOS_freebsd=1 -x c - -m32 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -static -lc++ -Wno-overflow] --- FAIL: TestGenerate/freebsd/386/6 (2.07s) csource_test.go:123: opts: {Threaded:true Collide:false Repeat:true RepeatTimes:0 Procs:4 Sandbox:none Fault:false FaultCall:0 FaultNth:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false USB:false VhciInjection:false Wifi:false Sysctl:false UseTmpDir:true HandleSegv:false Repro:false Trace:false} program: freebsd12_shm_open(&(0x7f0000000000)='./file0\x00', 0x800, 0xc9) shmdt(0x0) ioctl$DIOCRDELTABLES(0xffffffffffffffff, 0xc450443e, &(0x7f0000000140)={{"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", "a16d9b50c673924a489324b1a091acfa2806d32ca4521d9854097f849d801f7d", 0xf55, 0xff}, &(0x7f0000000040)="0ba5f67637b2cc899fb43f77467cd2484ae43d75010e986c71227dd2931a38beed8272dc4e165fd2500ee8d9e94d1b28ebee4e17489c1ac7437fce6248e61bd96b41dfab13b97449fbe36990decd753ca4683b9f0c66b085443b32448178896cae1b56f280ff82b1d643f010a7a285c83f856123c6095704f1ded1faf9b6549ebb842e6be23da0157aba646cbbdda1a5c712239c6a385327c60ed3b15fb348fa8a269542231434948f98ec31c7b181b4bace16e8d4f73b54772ab93a8c06fa941f20df625308fe12e40f528d5518f9b69637dfc004f00363782f21526d76a67074efcc810939c459", 0x10001, 0xd6a4, 0x6781, 0x5, 0x0, 0x3, 0x1, 0x100}) ioctl$DIOCOSFPADD(0xffffffffffffffff, 0xc088444f, 
&(0x7f00000005c0)="939d74a08d50eaddabaf8e739e2b76f32dda63627410e55b37f904f85f2a4d8eae182342ad13f87597d2ae0bab40aac155af85eb43bedfa04da9ace97325f492baefeac818abf571afc7fca076103f6f2b3325a6cbe7ae167316b9b039d7a6eda3114870fb908fc51752c0f47396a33d2ead7f90eb30f5626baffa4ec8628672baa74e1a679ae4bd75cc3dd3d099d860f7226344236423010db46eb6edadcdbfe1095be63623012af36edfd0cb748a9f42e8a3aa3910616f6fccbb9c2309a5a807f4e1") getsockopt$inet6_int(0xffffffffffffffff, 0x29, 0x13, &(0x7f00000006c0), &(0x7f0000000700)=0x4) r0 = socket$inet(0x2, 0x10000000, 0x5) getsockopt$inet_sctp_SCTP_AUTOCLOSE(r0, 0x84, 0x5, &(0x7f0000000740), &(0x7f0000000780)=0x4) setsockopt$inet_sctp_SCTP_AUTH_ACTIVE_KEY(r0, 0x84, 0x15, &(0x7f00000007c0)={0x0, 0xfff}, 0x8) setsockopt$sock_timeval(r0, 0xffff, 0x1005, &(0x7f0000000800)={0x40, 0x2}, 0x8) setsockopt$inet_sctp_SCTP_SET_PEER_PRIMARY_ADDR(r0, 0x84, 0x6, &(0x7f0000000840)={@in6={{0x1c, 0x1c, 0x1, 0xffff02b3, @mcast2, 0x3}}}, 0x80) syz_emit_ethernet(0x3d, &(0x7f0000000000)={@local, @random="1470d7fce04b", [{[], {0x8100, 0x6, 0x1, 0x8}}], {@arp={0x806, @generic={0x18, 0x8100, 0x6, 0x7, 0x8, @broadcast, "764566c79812c1", @broadcast, "bf12d92cdfdf963fc3d5df8a580819c1"}}}}) syz_execute_func(&(0x7f0000000040)="c0f6aaf083084cc4c27d1a051b000000c4e12f599e00800000c4e1b9f253007c03dbe0c4c1316d80000000803e660f3807a900008010c4e16fd016") syz_extract_tcp_res(&(0x7f0000000080), 0x9, 0x2) csource_test.go:124: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include static unsigned long long procid; static void kill_and_wait(int pid, int* status) { kill(pid, SIGKILL); while (waitpid(-1, status, 0) != pid) { } } static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if 
(clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void use_temporary_dir(void) { char tmpdir_template[] = "./syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) exit(1); if (chmod(tmpdir, 0777)) exit(1); if (chdir(tmpdir)) exit(1); } static void __attribute__((noinline)) remove_dir(const char* dir) { DIR* dp = opendir(dir); if (dp == NULL) { if (errno == EACCES) { if (rmdir(dir)) exit(1); return; } exit(1); } struct dirent* ep = 0; while ((ep = readdir(dp))) { if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0) continue; char filename[FILENAME_MAX]; snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name); struct stat st; if (lstat(filename, &st)) exit(1); if (S_ISDIR(st.st_mode)) { remove_dir(filename); continue; } if (unlink(filename)) exit(1); } closedir(dp); if (rmdir(dir)) exit(1); } static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); pthread_attr_setstacksize(&attr, 128 << 10); int i = 0; for (; i < 100; i++) { if (pthread_create(&th, &attr, fn, arg) == 0) { pthread_attr_destroy(&attr); return; } if (errno == EAGAIN) { usleep(50); continue; } break; } exit(1); } typedef struct { pthread_mutex_t mu; pthread_cond_t cv; int state; } event_t; static void event_init(event_t* ev) { if (pthread_mutex_init(&ev->mu, 0)) exit(1); if (pthread_cond_init(&ev->cv, 0)) exit(1); ev->state = 0; } static void event_reset(event_t* ev) { ev->state = 0; } static void event_set(event_t* ev) { pthread_mutex_lock(&ev->mu); if (ev->state) exit(1); ev->state = 1; pthread_mutex_unlock(&ev->mu); pthread_cond_broadcast(&ev->cv); } static void event_wait(event_t* ev) { pthread_mutex_lock(&ev->mu); while (!ev->state) pthread_cond_wait(&ev->cv, &ev->mu); pthread_mutex_unlock(&ev->mu); } static int event_isset(event_t* ev) { pthread_mutex_lock(&ev->mu); int res = ev->state; pthread_mutex_unlock(&ev->mu); return 
res; } static int event_timedwait(event_t* ev, uint64_t timeout) { uint64_t start = current_time_ms(); uint64_t now = start; pthread_mutex_lock(&ev->mu); for (;;) { if (ev->state) break; uint64_t remain = timeout - (now - start); struct timespec ts; ts.tv_sec = remain / 1000; ts.tv_nsec = (remain % 1000) * 1000 * 1000; pthread_cond_timedwait(&ev->cv, &ev->mu, &ts); now = current_time_ms(); if (now - start > timeout) break; } int res = ev->state; pthread_mutex_unlock(&ev->mu); return res; } #define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off)) #define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len)))) static void sandbox_common() { if (setsid() == -1) exit(1); struct rlimit rlim; rlim.rlim_cur = rlim.rlim_max = 128 << 20; setrlimit(RLIMIT_AS, &rlim); rlim.rlim_cur = rlim.rlim_max = 8 << 20; setrlimit(RLIMIT_MEMLOCK, &rlim); rlim.rlim_cur = rlim.rlim_max = 1 << 20; setrlimit(RLIMIT_FSIZE, &rlim); rlim.rlim_cur = rlim.rlim_max = 1 << 20; setrlimit(RLIMIT_STACK, &rlim); rlim.rlim_cur = rlim.rlim_max = 0; setrlimit(RLIMIT_CORE, &rlim); rlim.rlim_cur = rlim.rlim_max = 256; setrlimit(RLIMIT_NOFILE, &rlim); } static void loop(); static int do_sandbox_none(void) { sandbox_common(); loop(); return 0; } static long syz_execute_func(volatile long text) { ((void (*)(void))(text))(); return 0; } struct thread_t { int created, call; event_t ready, done; }; static struct thread_t threads[16]; static void execute_call(int call); static int running; static void* thr(void* arg) { struct thread_t* th = (struct thread_t*)arg; for (;;) { event_wait(&th->ready); event_reset(&th->ready); execute_call(th->call); __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED); event_set(&th->done); } return 0; } static void execute_one(void) { int i, call, thread; for (call = 0; call < 13; call++) { for (thread = 0; thread < (int)(sizeof(threads) / 
sizeof(threads[0])); thread++) { struct thread_t* th = &threads[thread]; if (!th->created) { th->created = 1; event_init(&th->ready); event_init(&th->done); event_set(&th->done); thread_start(thr, th); } if (!event_isset(&th->done)) continue; event_reset(&th->done); th->call = call; __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED); event_set(&th->ready); event_timedwait(&th->done, 45); break; } } for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++) sleep_ms(1); } static void execute_one(void); #define WAIT_FLAGS 0 static void loop(void) { int iter = 0; for (;; iter++) { char cwdbuf[32]; sprintf(cwdbuf, "./%d", iter); if (mkdir(cwdbuf, 0777)) exit(1); int pid = fork(); if (pid < 0) exit(1); if (pid == 0) { if (chdir(cwdbuf)) exit(1); execute_one(); exit(0); } int status = 0; uint64_t start = current_time_ms(); for (;;) { if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) break; sleep_ms(1); if (current_time_ms() - start < 5 * 1000) continue; kill_and_wait(pid, &status); break; } remove_dir(cwdbuf); } } uint64_t r[1] = {0xffffffffffffffff}; void execute_call(int call) { intptr_t res = 0; switch (call) { case 0: memcpy((void*)0x10000000, "./file0\000", 8); syscall(SYS_freebsd12_shm_open, 0x10000000, 0x800, 0xc9); break; case 1: syscall(SYS_shmdt, 0); break; case 2: memcpy((void*)0x10000140, 
"\x1a\xe7\x45\xec\xdf\x4d\xdb\x7e\x44\x74\x7b\x1e\xb3\xa3\x61\x85\x5e\xf7\xa8\x74\x8b\x3a\x32\xb4\x7f\xdf\x40\x09\x33\xe0\x69\x30\xef\x3f\xe6\xb0\x88\x37\x3f\x29\x9a\xfa\x26\xd7\xc3\xa6\xa7\x2b\xd7\xc4\x2b\xdf\xf8\xbd\x0d\xbe\x00\xa3\xc7\x43\xda\x0b\xf8\xbf\x75\x59\x8d\x38\x32\xb0\x89\x2b\xfe\x16\x75\x07\x1b\x14\x99\x7e\x47\xcb\xca\x02\x03\x6c\xcd\x95\xa2\xab\x18\x8a\x9c\x7e\x79\x1e\x60\xac\xa1\x0d\x90\x82\xd5\x5b\x00\xdc\x9f\xbb\x38\xdb\x32\x06\x2f\x30\x12\x6f\xa7\xc1\x92\x01\x6e\xaa\x62\x96\xd0\x07\x32\xdc\x64\x91\xb6\x69\xed\x05\xaa\x34\x24\xa9\x64\x12\xad\xb9\xfe\x4f\x55\x4b\x49\x2e\xd2\xea\x1a\xfc\xfa\x66\xeb\x4c\x2e\x3c\x1c\x32\x97\x80\xdd\xb3\x1b\x8f\x54\xa7\x3a\xc0\x65\x25\x69\x45\xd5\x45\x7b\x3e\x70\x33\xc8\xed\x44\xf9\x03\x02\x11\xc7\x1c\xcd\x6d\xaa\xfe\x7e\x7b\xb5\x91\x6c\x63\x66\x11\x79\xd2\xfd\xba\xdf\xed\xb8\x5a\xbf\xa6\x76\x04\x4d\x98\x87\xf4\xd4\x1e\xbb\xbc\xa1\x83\x85\x87\xf0\xb3\x48\xc1\x64\xde\xcc\x4c\xca\xaf\xa5\x73\x37\x2d\x8b\xe6\x2a\x69\xad\xcb\xf9\xd3\x60\xff\xfb\xdf\x29\x53\x0a\x07\x7c\x7e\x9d\x84\x12\x3b\x09\x56\xd1\xaf\xa3\x97\xb6\xc5\x40\x97\xaa\x48\xd7\x3d\x3e\x26\x81\xb6\x5e\x3e\x69\xd0\xcb\x28\x8a\x52\x53\xe7\x42\x2c\x88\x60\x6a\x54\x3e\x32\x03\x8f\x26\x0e\x19\xe0\x3d\xb6\x0d\xa6\xea\x00\x2c\x9f\x20\x58\x71\xd6\x03\x32\x31\x20\x2d\x4a\x21\x5f\xfe\x80\x22\xf4\x9f\xbb\x17\xc6\xcd\xfd\xbc\x13\xda\x45\x99\x15\x9c\x4e\x04\x72\xc5\x4c\xa2\x6e\x14\xd6\x99\x0d\x73\x3e\x45\x54\x0a\xcc\xa6\x3c\x7b\x3a\x21\xd3\x9e\x6e\xfa\x91\x33\x87\x29\x7d\xa5\xf4\x68\x35\x4d\x4c\x99\x87\x8d\x74\x5b\x6c\x92\xb7\x48\xfb\x67\x43\x07\xf4\xb2\x2f\x7d\xf3\x1f\x25\x4c\x0b\x43\xb2\x61\x69\xc2\xe1\xf7\xf0\x80\x85\xf9\xff\x22\xe7\x0f\x00\xf9\x70\x57\x90\xdd\x80\xca\x43\x0d\x5a\xc6\x2a\xa0\xa7\x9d\x1e\x84\x97\x98\x8b\x60\x68\xdb\x2f\xa5\x15\xde\x9e\xb0\x71\x65\x59\x75\x81\x1b\x6a\xb8\xb8\xe0\x53\xa6\x36\x34\x29\xf9\x43\x48\x99\x1e\xaa\x80\xd7\xdc\x42\x3b\xe4\x9e\xba\xb2\xd7\x4f\xaf\x7b\x9f\xff\x03\xf2\xd0\x6c\x28\x6f\xb2\x01\xbe\x54\xc6\xca\x10\xd6\x62\x9f\xbd\x0d\x0e\x1
4\x32\xe6\x38\xbe\x82\xbd\x3b\xe0\x39\xd7\xe9\x76\x54\x97\x3e\x2c\x7c\x2b\xa6\x5b\x3c\x6e\x77\x76\xfa\x16\xde\xe0\x91\x13\xd8\xa4\x74\x16\xee\x7b\x67\xf2\x7e\xc0\x89\x89\x30\x42\x35\xab\x6f\x3d\xdb\xbb\xc6\xfe\x84\xa5\x8f\x7a\xaf\x50\x85\x3a\xf6\x72\xda\xd5\x3e\x00\x0b\x59\x42\x71\xc3\xc7\x35\x09\xcf\xb2\x92\xc1\xf7\xae\xe7\xaa\x2e\xa7\x72\x1e\x15\xe5\x7a\x3b\x54\xa5\xb0\xe5\xef\xe8\xd9\xdb\x18\x52\xf1\xbb\x94\xf8\xb6\xfd\xd9\x2d\xc1\x8b\x86\xf4\xea\x29\x82\xb6\x3a\xc8\xc1\x21\xb7\x37\x1e\x6c\x6a\xe6\xba\xe0\x44\xff\x5a\xbb\x5a\x7a\x2b\x07\x7e\xd8\x2a\x81\x73\x6d\xd9\x05\xdc\x34\x91\xd0\x48\x73\x71\x4b\x33\x1c\x87\x43\x56\xe3\x28\xf3\x24\x51\xc6\xf4\x56\xf6\xc0\xcd\x2b\x1e\x0c\x81\x9c\x3f\x9a\x9c\x73\x6b\x22\xee\x97\xfa\x00\x1b\x37\x81\x8d\x48\xc4\x3b\x5a\x94\x49\x4d\x5f\xe6\xb9\x72\x51\xc7\x1e\x20\xbc\x7e\x31\x38\xa6\x1c\xe2\x3d\x37\x30\x81\xb5\x99\xd6\x8b\xa3\x6b\x88\xa5\x93\x8b\x11\x7a\x4a\xe1\xc1\x50\x99\xcb\xf9\x01\x76\x25\xfd\xb0\x60\xea\xc5\xe1\xed\x70\x09\x48\x1f\xc5\x84\x09\xae\xcb\xf4\x4b\x4d\x21\xa2\x57\x42\x6c\xac\x67\xa9\xa0\xf5\x06\x2d\x09\xf9\x20\x9a\xc0\x2a\xa3\x87\x8e\x73\x7f\xe8\xe3\xa4\x26\x0f\x1c\x64\xb5\xc5\xcb\x07\x1a\xc1\x25\xaa\x5e\x4e\x35\x94\x43\x68\xc1\xdc\x5e\x0c\xc9\x6a\x11\xd7\x7c\xff\xf5\x39\xef\x38\xa0\x77\x42\x8a\x01\xdc\x21\x74\x8b\x73\x42\xba\xd2\xa2\x61\x4c\x1b\x32\xd5\x0d\x2a\xa9\xba\x9b\x39\x1d\xcc\x58\x24\xf2\x16\x37\xff\x62\x94\xb5\xdc\xfb\x6f\xc2\xa8\xbb\x0b\x2e\xa2\x51\x48\x68\xf0\x82\xb7\xd2\x43\x35\xf7\x2b\xf1\x30\xac\xc7\xf6\x89\x72\x59\x39\x4e\xa8\x22\x05\xfe\xc9\xad\x75\xa0\x88\xc1\x20\x0a\x94\xea\xac\x0a\x8b\x05\xaf\x97\x6f\x1a\x4a\x98\x3e\x8d\xbe\xe9\xa0\x3a\x21\x5e\x15\xe1\x8e\x19\x58\xda\x32\x7c\x54\xea\x41\x1f\x76\xa3\x7c\x54\x49\xd1\x64\xb6\xe2\xa9\x15\x19\xf0\x82\x0c\x1c\xc4\xbd\x8a\x3e\xf9\x52\x1a\xb1\xdc\xe8\xa1\xe5\x30\x6f\x91\x05\x0e\xd6\xb4\x44\xf5\xcc\x8d\x19\x45\x26\x3b\x86\xc9\x99\x08\x8d\x10\xbf\xc1\xb0\x53\x43\xa7\xae\xdd\x9a\x84\x18\x8b\x84\xca\x09\x43\x0e\x32\xf7\x36\x23\xd1\xa0\xfb\xcf\x18\x6e\xfc\x1
1\x3e\x44\xb9\xf0\x46\x0c\xb9\xd8\x5f\x19\x23\xcb\xbc\xd1\x6d\xf5\x02\x47\x41\xad\x93\x0a\xa8\x3b", 1024); memcpy((void*)0x10000540, "\xa1\x6d\x9b\x50\xc6\x73\x92\x4a\x48\x93\x24\xb1\xa0\x91\xac\xfa\x28\x06\xd3\x2c\xa4\x52\x1d\x98\x54\x09\x7f\x84\x9d\x80\x1f\x7d", 32); *(uint32_t*)0x10000560 = 0xf55; *(uint8_t*)0x10000564 = -1; *(uint32_t*)0x10000568 = 0x10000040; memcpy((void*)0x10000040, "\x0b\xa5\xf6\x76\x37\xb2\xcc\x89\x9f\xb4\x3f\x77\x46\x7c\xd2\x48\x4a\xe4\x3d\x75\x01\x0e\x98\x6c\x71\x22\x7d\xd2\x93\x1a\x38\xbe\xed\x82\x72\xdc\x4e\x16\x5f\xd2\x50\x0e\xe8\xd9\xe9\x4d\x1b\x28\xeb\xee\x4e\x17\x48\x9c\x1a\xc7\x43\x7f\xce\x62\x48\xe6\x1b\xd9\x6b\x41\xdf\xab\x13\xb9\x74\x49\xfb\xe3\x69\x90\xde\xcd\x75\x3c\xa4\x68\x3b\x9f\x0c\x66\xb0\x85\x44\x3b\x32\x44\x81\x78\x89\x6c\xae\x1b\x56\xf2\x80\xff\x82\xb1\xd6\x43\xf0\x10\xa7\xa2\x85\xc8\x3f\x85\x61\x23\xc6\x09\x57\x04\xf1\xde\xd1\xfa\xf9\xb6\x54\x9e\xbb\x84\x2e\x6b\xe2\x3d\xa0\x15\x7a\xba\x64\x6c\xbb\xdd\xa1\xa5\xc7\x12\x23\x9c\x6a\x38\x53\x27\xc6\x0e\xd3\xb1\x5f\xb3\x48\xfa\x8a\x26\x95\x42\x23\x14\x34\x94\x8f\x98\xec\x31\xc7\xb1\x81\xb4\xba\xce\x16\xe8\xd4\xf7\x3b\x54\x77\x2a\xb9\x3a\x8c\x06\xfa\x94\x1f\x20\xdf\x62\x53\x08\xfe\x12\xe4\x0f\x52\x8d\x55\x18\xf9\xb6\x96\x37\xdf\xc0\x04\xf0\x03\x63\x78\x2f\x21\x52\x6d\x76\xa6\x70\x74\xef\xcc\x81\x09\x39\xc4\x59", 232); *(uint64_t*)0x1000056c = 0x10001; *(uint64_t*)0x10000574 = 0xd6a4; *(uint64_t*)0x1000057c = 0x6781; *(uint64_t*)0x10000584 = 5; *(uint64_t*)0x1000058c = 0; *(uint64_t*)0x10000594 = 3; *(uint64_t*)0x1000059c = 1; *(uint32_t*)0x100005a4 = 0x100; syscall(SYS_ioctl, -1, 0xc450443e, 0x10000140); break; case 3: memcpy((void*)0x100005c0, 
"\x93\x9d\x74\xa0\x8d\x50\xea\xdd\xab\xaf\x8e\x73\x9e\x2b\x76\xf3\x2d\xda\x63\x62\x74\x10\xe5\x5b\x37\xf9\x04\xf8\x5f\x2a\x4d\x8e\xae\x18\x23\x42\xad\x13\xf8\x75\x97\xd2\xae\x0b\xab\x40\xaa\xc1\x55\xaf\x85\xeb\x43\xbe\xdf\xa0\x4d\xa9\xac\xe9\x73\x25\xf4\x92\xba\xef\xea\xc8\x18\xab\xf5\x71\xaf\xc7\xfc\xa0\x76\x10\x3f\x6f\x2b\x33\x25\xa6\xcb\xe7\xae\x16\x73\x16\xb9\xb0\x39\xd7\xa6\xed\xa3\x11\x48\x70\xfb\x90\x8f\xc5\x17\x52\xc0\xf4\x73\x96\xa3\x3d\x2e\xad\x7f\x90\xeb\x30\xf5\x62\x6b\xaf\xfa\x4e\xc8\x62\x86\x72\xba\xa7\x4e\x1a\x67\x9a\xe4\xbd\x75\xcc\x3d\xd3\xd0\x99\xd8\x60\xf7\x22\x63\x44\x23\x64\x23\x01\x0d\xb4\x6e\xb6\xed\xad\xcd\xbf\xe1\x09\x5b\xe6\x36\x23\x01\x2a\xf3\x6e\xdf\xd0\xcb\x74\x8a\x9f\x42\xe8\xa3\xaa\x39\x10\x61\x6f\x6f\xcc\xbb\x9c\x23\x09\xa5\xa8\x07\xf4\xe1", 195); syscall(SYS_ioctl, -1, 0xc088444f, 0x100005c0); break; case 4: *(uint32_t*)0x10000700 = 4; syscall(SYS_getsockopt, -1, 0x29, 0x13, 0x100006c0, 0x10000700); break; case 5: res = syscall(SYS_socket, 2, 0x10000000, 5); if (res != -1) r[0] = res; break; case 6: *(uint32_t*)0x10000780 = 4; syscall(SYS_getsockopt, (intptr_t)r[0], 0x84, 5, 0x10000740, 0x10000780); break; case 7: *(uint32_t*)0x100007c0 = 0; *(uint16_t*)0x100007c4 = 0xfff; syscall(SYS_setsockopt, (intptr_t)r[0], 0x84, 0x15, 0x100007c0, 8); break; case 8: *(uint32_t*)0x10000800 = 0x40; *(uint32_t*)0x10000804 = 2; syscall(SYS_setsockopt, (intptr_t)r[0], 0xffff, 0x1005, 0x10000800, 8); break; case 9: *(uint8_t*)0x10000840 = 0x1c; *(uint8_t*)0x10000841 = 0x1c; *(uint16_t*)0x10000842 = htobe16(0x4e21 + procid*4); *(uint32_t*)0x10000844 = 0xffff02b3; *(uint8_t*)0x10000848 = -1; *(uint8_t*)0x10000849 = 2; *(uint8_t*)0x1000084a = 0; *(uint8_t*)0x1000084b = 0; *(uint8_t*)0x1000084c = 0; *(uint8_t*)0x1000084d = 0; *(uint8_t*)0x1000084e = 0; *(uint8_t*)0x1000084f = 0; *(uint8_t*)0x10000850 = 0; *(uint8_t*)0x10000851 = 0; *(uint8_t*)0x10000852 = 0; *(uint8_t*)0x10000853 = 0; *(uint8_t*)0x10000854 = 0; *(uint8_t*)0x10000855 = 0; 
*(uint8_t*)0x10000856 = 0; *(uint8_t*)0x10000857 = 1; *(uint32_t*)0x10000858 = 3; *(uint64_t*)0x1000085c = 0; *(uint64_t*)0x10000864 = 0; *(uint64_t*)0x1000086c = 0; *(uint64_t*)0x10000874 = 0; *(uint64_t*)0x1000087c = 0; *(uint64_t*)0x10000884 = 0; *(uint64_t*)0x1000088c = 0; *(uint64_t*)0x10000894 = 0; *(uint64_t*)0x1000089c = 0; *(uint64_t*)0x100008a4 = 0; *(uint64_t*)0x100008ac = 0; *(uint64_t*)0x100008b4 = 0; *(uint32_t*)0x100008bc = 0; syscall(SYS_setsockopt, (intptr_t)r[0], 0x84, 6, 0x10000840, 0x80); break; case 10: *(uint8_t*)0x10000000 = 0xaa; *(uint8_t*)0x10000001 = 0xaa; *(uint8_t*)0x10000002 = 0xaa; *(uint8_t*)0x10000003 = 0xaa; *(uint8_t*)0x10000004 = 0xaa; *(uint8_t*)0x10000005 = 0xaa; memcpy((void*)0x10000006, "\x14\x70\xd7\xfc\xe0\x4b", 6); *(uint16_t*)0x1000000c = htobe16(0x8100); STORE_BY_BITMASK(uint16_t, , 0x1000000e, 6, 0, 3); STORE_BY_BITMASK(uint16_t, , 0x1000000e, 1, 3, 1); STORE_BY_BITMASK(uint16_t, , 0x1000000e, 8, 4, 12); *(uint16_t*)0x10000010 = htobe16(0x806); *(uint16_t*)0x10000012 = htobe16(0x18); *(uint16_t*)0x10000014 = htobe16(0x8100); *(uint8_t*)0x10000016 = 6; *(uint8_t*)0x10000017 = 7; *(uint16_t*)0x10000018 = htobe16(8); *(uint8_t*)0x1000001a = -1; *(uint8_t*)0x1000001b = -1; *(uint8_t*)0x1000001c = -1; *(uint8_t*)0x1000001d = -1; *(uint8_t*)0x1000001e = -1; *(uint8_t*)0x1000001f = -1; memcpy((void*)0x10000020, "\x76\x45\x66\xc7\x98\x12\xc1", 7); *(uint8_t*)0x10000027 = -1; *(uint8_t*)0x10000028 = -1; *(uint8_t*)0x10000029 = -1; *(uint8_t*)0x1000002a = -1; *(uint8_t*)0x1000002b = -1; *(uint8_t*)0x1000002c = -1; memcpy((void*)0x1000002d, "\xbf\x12\xd9\x2c\xdf\xdf\x96\x3f\xc3\xd5\xdf\x8a\x58\x08\x19\xc1", 16); break; case 11: memcpy((void*)0x10000040, "\xc0\xf6\xaa\xf0\x83\x08\x4c\xc4\xc2\x7d\x1a\x05\x1b\x00\x00\x00\xc4\xe1\x2f\x59\x9e\x00\x80\x00\x00\xc4\xe1\xb9\xf2\x53\x00\x7c\x03\xdb\xe0\xc4\xc1\x31\x6d\x80\x00\x00\x00\x80\x3e\x66\x0f\x38\x07\xa9\x00\x00\x80\x10\xc4\xe1\x6f\xd0\x16", 59); syz_execute_func(0x10000040); break; 
case 12: break; } } int main(void) { syscall(SYS_mmap, 0x10000000, 0x1000000, 7, 0x1012, -1, 0); for (procid = 0; procid < 4; procid++) { if (fork() == 0) { use_temporary_dir(); do_sandbox_none(); } } sleep(1000000); return 0; } :311:11: error: use of undeclared identifier 'SYS_freebsd12_shm_open' syscall(SYS_freebsd12_shm_open, 0x10000000, 0x800, 0xc9); ^ 1 error generated. compiler invocation: clang [-o /tmp/syz-executor596491168 -DGOOS_freebsd=1 -DGOARCH_386=1 -DHOSTGOOS_freebsd=1 -x c - -m32 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -static -lc++ -Wno-overflow] --- FAIL: TestGenerate/freebsd/386/3 (1.96s) csource_test.go:123: opts: {Threaded:true Collide:false Repeat:false RepeatTimes:0 Procs:0 Sandbox:none Fault:false FaultCall:0 FaultNth:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false USB:false VhciInjection:false Wifi:false Sysctl:false UseTmpDir:true HandleSegv:false Repro:false Trace:false} program: freebsd12_shm_open(&(0x7f0000000000)='./file0\x00', 0x800, 0xc9) shmdt(0x0) ioctl$DIOCRDELTABLES(0xffffffffffffffff, 0xc450443e, 
&(0x7f0000000140)={{"1ae745ecdf4ddb7e44747b1eb3a361855ef7a8748b3a32b47fdf400933e06930ef3fe6b088373f299afa26d7c3a6a72bd7c42bdff8bd0dbe00a3c743da0bf8bf75598d3832b0892bfe1675071b14997e47cbca02036ccd95a2ab188a9c7e791e60aca10d9082d55b00dc9fbb38db32062f30126fa7c192016eaa6296d00732dc6491b669ed05aa3424a96412adb9fe4f554b492ed2ea1afcfa66eb4c2e3c1c329780ddb31b8f54a73ac065256945d5457b3e7033c8ed44f9030211c71ccd6daafe7e7bb5916c63661179d2fdbadfedb85abfa676044d9887f4d41ebbbca1838587f0b348c164decc4ccaafa573372d8be62a69adcbf9d360fffbdf29530a077c7e9d84123b0956d1afa397b6c54097aa48d73d3e2681b65e3e69d0cb288a5253e7422c88606a543e32038f260e19e03db60da6ea002c9f205871d6033231202d4a215ffe8022f49fbb17c6cdfdbc13da4599159c4e0472c54ca26e14d6990d733e45540acca63c7b3a21d39e6efa913387297da5f468354d4c99878d745b6c92b748fb674307f4b22f7df31f254c0b43b26169c2e1f7f08085f9ff22e70f00f9705790dd80ca430d5ac62aa0a79d1e8497988b6068db2fa515de9eb071655975811b6ab8b8e053a6363429f94348991eaa80d7dc423be49ebab2d74faf7b9fff03f2d06c286fb201be54c6ca10d6629fbd0d0e1432e638be82bd3be039d7e97654973e2c7c2ba65b3c6e7776fa16dee09113d8a47416ee7b67f27ec08989304235ab6f3ddbbbc6fe84a58f7aaf50853af672dad53e000b594271c3c73509cfb292c1f7aee7aa2ea7721e15e57a3b54a5b0e5efe8d9db1852f1bb94f8b6fdd92dc18b86f4ea2982b63ac8c121b7371e6c6ae6bae044ff5abb5a7a2b077ed82a81736dd905dc3491d04873714b331c874356e328f32451c6f456f6c0cd2b1e0c819c3f9a9c736b22ee97fa001b37818d48c43b5a94494d5fe6b97251c71e20bc7e3138a61ce23d373081b599d68ba36b88a5938b117a4ae1c15099cbf9017625fdb060eac5e1ed7009481fc58409aecbf44b4d21a257426cac67a9a0f5062d09f9209ac02aa3878e737fe8e3a4260f1c64b5c5cb071ac125aa5e4e35944368c1dc5e0cc96a11d77cfff539ef38a077428a01dc21748b7342bad2a2614c1b32d50d2aa9ba9b391dcc5824f21637ff6294b5dcfb6fc2a8bb0b2ea2514868f082b7d24335f72bf130acc7f6897259394ea82205fec9ad75a088c1200a94eaac0a8b05af976f1a4a983e8dbee9a03a215e15e18e1958da327c54ea411f76a37c5449d164b6e2a91519f0820c1cc4bd8a3ef9521ab1dce8a1e5306f91050ed6b444f5cc8d1945263b86c999088d10bfc1b05343a7aedd9a84188b84ca09430e32f
73623d1a0fbcf186efc113e44b9f0460cb9d85f1923cbbcd16df5024741ad930aa83b", "a16d9b50c673924a489324b1a091acfa2806d32ca4521d9854097f849d801f7d", 0xf55, 0xff}, &(0x7f0000000040)="0ba5f67637b2cc899fb43f77467cd2484ae43d75010e986c71227dd2931a38beed8272dc4e165fd2500ee8d9e94d1b28ebee4e17489c1ac7437fce6248e61bd96b41dfab13b97449fbe36990decd753ca4683b9f0c66b085443b32448178896cae1b56f280ff82b1d643f010a7a285c83f856123c6095704f1ded1faf9b6549ebb842e6be23da0157aba646cbbdda1a5c712239c6a385327c60ed3b15fb348fa8a269542231434948f98ec31c7b181b4bace16e8d4f73b54772ab93a8c06fa941f20df625308fe12e40f528d5518f9b69637dfc004f00363782f21526d76a67074efcc810939c459", 0x10001, 0xd6a4, 0x6781, 0x5, 0x0, 0x3, 0x1, 0x100}) ioctl$DIOCOSFPADD(0xffffffffffffffff, 0xc088444f, &(0x7f00000005c0)="939d74a08d50eaddabaf8e739e2b76f32dda63627410e55b37f904f85f2a4d8eae182342ad13f87597d2ae0bab40aac155af85eb43bedfa04da9ace97325f492baefeac818abf571afc7fca076103f6f2b3325a6cbe7ae167316b9b039d7a6eda3114870fb908fc51752c0f47396a33d2ead7f90eb30f5626baffa4ec8628672baa74e1a679ae4bd75cc3dd3d099d860f7226344236423010db46eb6edadcdbfe1095be63623012af36edfd0cb748a9f42e8a3aa3910616f6fccbb9c2309a5a807f4e1") getsockopt$inet6_int(0xffffffffffffffff, 0x29, 0x13, &(0x7f00000006c0), &(0x7f0000000700)=0x4) r0 = socket$inet(0x2, 0x10000000, 0x5) getsockopt$inet_sctp_SCTP_AUTOCLOSE(r0, 0x84, 0x5, &(0x7f0000000740), &(0x7f0000000780)=0x4) setsockopt$inet_sctp_SCTP_AUTH_ACTIVE_KEY(r0, 0x84, 0x15, &(0x7f00000007c0)={0x0, 0xfff}, 0x8) setsockopt$sock_timeval(r0, 0xffff, 0x1005, &(0x7f0000000800)={0x40, 0x2}, 0x8) setsockopt$inet_sctp_SCTP_SET_PEER_PRIMARY_ADDR(r0, 0x84, 0x6, &(0x7f0000000840)={@in6={{0x1c, 0x1c, 0x1, 0xffff02b3, @mcast2, 0x3}}}, 0x80) syz_emit_ethernet(0x3d, &(0x7f0000000000)={@local, @random="1470d7fce04b", [{[], {0x8100, 0x6, 0x1, 0x8}}], {@arp={0x806, @generic={0x18, 0x8100, 0x6, 0x7, 0x8, @broadcast, "764566c79812c1", @broadcast, "bf12d92cdfdf963fc3d5df8a580819c1"}}}}) 
syz_execute_func(&(0x7f0000000040)="c0f6aaf083084cc4c27d1a051b000000c4e12f599e00800000c4e1b9f253007c03dbe0c4c1316d80000000803e660f3807a900008010c4e16fd016") syz_extract_tcp_res(&(0x7f0000000080), 0x9, 0x2) csource_test.go:124: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void use_temporary_dir(void) { char tmpdir_template[] = "./syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) exit(1); if (chmod(tmpdir, 0777)) exit(1); if (chdir(tmpdir)) exit(1); } static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); pthread_attr_setstacksize(&attr, 128 << 10); int i = 0; for (; i < 100; i++) { if (pthread_create(&th, &attr, fn, arg) == 0) { pthread_attr_destroy(&attr); return; } if (errno == EAGAIN) { usleep(50); continue; } break; } exit(1); } typedef struct { pthread_mutex_t mu; pthread_cond_t cv; int state; } event_t; static void event_init(event_t* ev) { if (pthread_mutex_init(&ev->mu, 0)) exit(1); if (pthread_cond_init(&ev->cv, 0)) exit(1); ev->state = 0; } static void event_reset(event_t* ev) { ev->state = 0; } static void event_set(event_t* ev) { pthread_mutex_lock(&ev->mu); if (ev->state) exit(1); ev->state = 1; pthread_mutex_unlock(&ev->mu); pthread_cond_broadcast(&ev->cv); } static void event_wait(event_t* ev) { pthread_mutex_lock(&ev->mu); while (!ev->state) pthread_cond_wait(&ev->cv, &ev->mu); pthread_mutex_unlock(&ev->mu); } static int event_isset(event_t* ev) { pthread_mutex_lock(&ev->mu); int res = ev->state; pthread_mutex_unlock(&ev->mu); 
return res; } static int event_timedwait(event_t* ev, uint64_t timeout) { uint64_t start = current_time_ms(); uint64_t now = start; pthread_mutex_lock(&ev->mu); for (;;) { if (ev->state) break; uint64_t remain = timeout - (now - start); struct timespec ts; ts.tv_sec = remain / 1000; ts.tv_nsec = (remain % 1000) * 1000 * 1000; pthread_cond_timedwait(&ev->cv, &ev->mu, &ts); now = current_time_ms(); if (now - start > timeout) break; } int res = ev->state; pthread_mutex_unlock(&ev->mu); return res; } #define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off)) #define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len)))) static void sandbox_common() { if (setsid() == -1) exit(1); struct rlimit rlim; rlim.rlim_cur = rlim.rlim_max = 128 << 20; setrlimit(RLIMIT_AS, &rlim); rlim.rlim_cur = rlim.rlim_max = 8 << 20; setrlimit(RLIMIT_MEMLOCK, &rlim); rlim.rlim_cur = rlim.rlim_max = 1 << 20; setrlimit(RLIMIT_FSIZE, &rlim); rlim.rlim_cur = rlim.rlim_max = 1 << 20; setrlimit(RLIMIT_STACK, &rlim); rlim.rlim_cur = rlim.rlim_max = 0; setrlimit(RLIMIT_CORE, &rlim); rlim.rlim_cur = rlim.rlim_max = 256; setrlimit(RLIMIT_NOFILE, &rlim); } static void loop(); static int do_sandbox_none(void) { sandbox_common(); loop(); return 0; } static long syz_execute_func(volatile long text) { ((void (*)(void))(text))(); return 0; } struct thread_t { int created, call; event_t ready, done; }; static struct thread_t threads[16]; static void execute_call(int call); static int running; static void* thr(void* arg) { struct thread_t* th = (struct thread_t*)arg; for (;;) { event_wait(&th->ready); event_reset(&th->ready); execute_call(th->call); __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED); event_set(&th->done); } return 0; } static void loop(void) { int i, call, thread; for (call = 0; call < 13; call++) { for (thread = 0; thread < (int)(sizeof(threads) / 
sizeof(threads[0])); thread++) { struct thread_t* th = &threads[thread]; if (!th->created) { th->created = 1; event_init(&th->ready); event_init(&th->done); event_set(&th->done); thread_start(thr, th); } if (!event_isset(&th->done)) continue; event_reset(&th->done); th->call = call; __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED); event_set(&th->ready); event_timedwait(&th->done, 45); break; } } for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++) sleep_ms(1); } uint64_t r[1] = {0xffffffffffffffff}; void execute_call(int call) { intptr_t res = 0; switch (call) { case 0: memcpy((void*)0x10000000, "./file0\000", 8); syscall(SYS_freebsd12_shm_open, 0x10000000, 0x800, 0xc9); break; case 1: syscall(SYS_shmdt, 0); break; case 2: memcpy((void*)0x10000140, "\x1a\xe7\x45\xec\xdf\x4d\xdb\x7e\x44\x74\x7b\x1e\xb3\xa3\x61\x85\x5e\xf7\xa8\x74\x8b\x3a\x32\xb4\x7f\xdf\x40\x09\x33\xe0\x69\x30\xef\x3f\xe6\xb0\x88\x37\x3f\x29\x9a\xfa\x26\xd7\xc3\xa6\xa7\x2b\xd7\xc4\x2b\xdf\xf8\xbd\x0d\xbe\x00\xa3\xc7\x43\xda\x0b\xf8\xbf\x75\x59\x8d\x38\x32\xb0\x89\x2b\xfe\x16\x75\x07\x1b\x14\x99\x7e\x47\xcb\xca\x02\x03\x6c\xcd\x95\xa2\xab\x18\x8a\x9c\x7e\x79\x1e\x60\xac\xa1\x0d\x90\x82\xd5\x5b\x00\xdc\x9f\xbb\x38\xdb\x32\x06\x2f\x30\x12\x6f\xa7\xc1\x92\x01\x6e\xaa\x62\x96\xd0\x07\x32\xdc\x64\x91\xb6\x69\xed\x05\xaa\x34\x24\xa9\x64\x12\xad\xb9\xfe\x4f\x55\x4b\x49\x2e\xd2\xea\x1a\xfc\xfa\x66\xeb\x4c\x2e\x3c\x1c\x32\x97\x80\xdd\xb3\x1b\x8f\x54\xa7\x3a\xc0\x65\x25\x69\x45\xd5\x45\x7b\x3e\x70\x33\xc8\xed\x44\xf9\x03\x02\x11\xc7\x1c\xcd\x6d\xaa\xfe\x7e\x7b\xb5\x91\x6c\x63\x66\x11\x79\xd2\xfd\xba\xdf\xed\xb8\x5a\xbf\xa6\x76\x04\x4d\x98\x87\xf4\xd4\x1e\xbb\xbc\xa1\x83\x85\x87\xf0\xb3\x48\xc1\x64\xde\xcc\x4c\xca\xaf\xa5\x73\x37\x2d\x8b\xe6\x2a\x69\xad\xcb\xf9\xd3\x60\xff\xfb\xdf\x29\x53\x0a\x07\x7c\x7e\x9d\x84\x12\x3b\x09\x56\xd1\xaf\xa3\x97\xb6\xc5\x40\x97\xaa\x48\xd7\x3d\x3e\x26\x81\xb6\x5e\x3e\x69\xd0\xcb\x28\x8a\x52\x53\xe7\x42\x2c\x88\x60\x6a\x54\x3e\x32\x03\x8f\x26\x0e\x19\xe0\x3d\x
b6\x0d\xa6\xea\x00\x2c\x9f\x20\x58\x71\xd6\x03\x32\x31\x20\x2d\x4a\x21\x5f\xfe\x80\x22\xf4\x9f\xbb\x17\xc6\xcd\xfd\xbc\x13\xda\x45\x99\x15\x9c\x4e\x04\x72\xc5\x4c\xa2\x6e\x14\xd6\x99\x0d\x73\x3e\x45\x54\x0a\xcc\xa6\x3c\x7b\x3a\x21\xd3\x9e\x6e\xfa\x91\x33\x87\x29\x7d\xa5\xf4\x68\x35\x4d\x4c\x99\x87\x8d\x74\x5b\x6c\x92\xb7\x48\xfb\x67\x43\x07\xf4\xb2\x2f\x7d\xf3\x1f\x25\x4c\x0b\x43\xb2\x61\x69\xc2\xe1\xf7\xf0\x80\x85\xf9\xff\x22\xe7\x0f\x00\xf9\x70\x57\x90\xdd\x80\xca\x43\x0d\x5a\xc6\x2a\xa0\xa7\x9d\x1e\x84\x97\x98\x8b\x60\x68\xdb\x2f\xa5\x15\xde\x9e\xb0\x71\x65\x59\x75\x81\x1b\x6a\xb8\xb8\xe0\x53\xa6\x36\x34\x29\xf9\x43\x48\x99\x1e\xaa\x80\xd7\xdc\x42\x3b\xe4\x9e\xba\xb2\xd7\x4f\xaf\x7b\x9f\xff\x03\xf2\xd0\x6c\x28\x6f\xb2\x01\xbe\x54\xc6\xca\x10\xd6\x62\x9f\xbd\x0d\x0e\x14\x32\xe6\x38\xbe\x82\xbd\x3b\xe0\x39\xd7\xe9\x76\x54\x97\x3e\x2c\x7c\x2b\xa6\x5b\x3c\x6e\x77\x76\xfa\x16\xde\xe0\x91\x13\xd8\xa4\x74\x16\xee\x7b\x67\xf2\x7e\xc0\x89\x89\x30\x42\x35\xab\x6f\x3d\xdb\xbb\xc6\xfe\x84\xa5\x8f\x7a\xaf\x50\x85\x3a\xf6\x72\xda\xd5\x3e\x00\x0b\x59\x42\x71\xc3\xc7\x35\x09\xcf\xb2\x92\xc1\xf7\xae\xe7\xaa\x2e\xa7\x72\x1e\x15\xe5\x7a\x3b\x54\xa5\xb0\xe5\xef\xe8\xd9\xdb\x18\x52\xf1\xbb\x94\xf8\xb6\xfd\xd9\x2d\xc1\x8b\x86\xf4\xea\x29\x82\xb6\x3a\xc8\xc1\x21\xb7\x37\x1e\x6c\x6a\xe6\xba\xe0\x44\xff\x5a\xbb\x5a\x7a\x2b\x07\x7e\xd8\x2a\x81\x73\x6d\xd9\x05\xdc\x34\x91\xd0\x48\x73\x71\x4b\x33\x1c\x87\x43\x56\xe3\x28\xf3\x24\x51\xc6\xf4\x56\xf6\xc0\xcd\x2b\x1e\x0c\x81\x9c\x3f\x9a\x9c\x73\x6b\x22\xee\x97\xfa\x00\x1b\x37\x81\x8d\x48\xc4\x3b\x5a\x94\x49\x4d\x5f\xe6\xb9\x72\x51\xc7\x1e\x20\xbc\x7e\x31\x38\xa6\x1c\xe2\x3d\x37\x30\x81\xb5\x99\xd6\x8b\xa3\x6b\x88\xa5\x93\x8b\x11\x7a\x4a\xe1\xc1\x50\x99\xcb\xf9\x01\x76\x25\xfd\xb0\x60\xea\xc5\xe1\xed\x70\x09\x48\x1f\xc5\x84\x09\xae\xcb\xf4\x4b\x4d\x21\xa2\x57\x42\x6c\xac\x67\xa9\xa0\xf5\x06\x2d\x09\xf9\x20\x9a\xc0\x2a\xa3\x87\x8e\x73\x7f\xe8\xe3\xa4\x26\x0f\x1c\x64\xb5\xc5\xcb\x07\x1a\xc1\x25\xaa\x5e\x4e\x35\x94\x43\x68\xc1\xdc\x5e\x0c\xc9\x6a\x
11\xd7\x7c\xff\xf5\x39\xef\x38\xa0\x77\x42\x8a\x01\xdc\x21\x74\x8b\x73\x42\xba\xd2\xa2\x61\x4c\x1b\x32\xd5\x0d\x2a\xa9\xba\x9b\x39\x1d\xcc\x58\x24\xf2\x16\x37\xff\x62\x94\xb5\xdc\xfb\x6f\xc2\xa8\xbb\x0b\x2e\xa2\x51\x48\x68\xf0\x82\xb7\xd2\x43\x35\xf7\x2b\xf1\x30\xac\xc7\xf6\x89\x72\x59\x39\x4e\xa8\x22\x05\xfe\xc9\xad\x75\xa0\x88\xc1\x20\x0a\x94\xea\xac\x0a\x8b\x05\xaf\x97\x6f\x1a\x4a\x98\x3e\x8d\xbe\xe9\xa0\x3a\x21\x5e\x15\xe1\x8e\x19\x58\xda\x32\x7c\x54\xea\x41\x1f\x76\xa3\x7c\x54\x49\xd1\x64\xb6\xe2\xa9\x15\x19\xf0\x82\x0c\x1c\xc4\xbd\x8a\x3e\xf9\x52\x1a\xb1\xdc\xe8\xa1\xe5\x30\x6f\x91\x05\x0e\xd6\xb4\x44\xf5\xcc\x8d\x19\x45\x26\x3b\x86\xc9\x99\x08\x8d\x10\xbf\xc1\xb0\x53\x43\xa7\xae\xdd\x9a\x84\x18\x8b\x84\xca\x09\x43\x0e\x32\xf7\x36\x23\xd1\xa0\xfb\xcf\x18\x6e\xfc\x11\x3e\x44\xb9\xf0\x46\x0c\xb9\xd8\x5f\x19\x23\xcb\xbc\xd1\x6d\xf5\x02\x47\x41\xad\x93\x0a\xa8\x3b", 1024); memcpy((void*)0x10000540, "\xa1\x6d\x9b\x50\xc6\x73\x92\x4a\x48\x93\x24\xb1\xa0\x91\xac\xfa\x28\x06\xd3\x2c\xa4\x52\x1d\x98\x54\x09\x7f\x84\x9d\x80\x1f\x7d", 32); *(uint32_t*)0x10000560 = 0xf55; *(uint8_t*)0x10000564 = -1; *(uint32_t*)0x10000568 = 0x10000040; memcpy((void*)0x10000040, 
"\x0b\xa5\xf6\x76\x37\xb2\xcc\x89\x9f\xb4\x3f\x77\x46\x7c\xd2\x48\x4a\xe4\x3d\x75\x01\x0e\x98\x6c\x71\x22\x7d\xd2\x93\x1a\x38\xbe\xed\x82\x72\xdc\x4e\x16\x5f\xd2\x50\x0e\xe8\xd9\xe9\x4d\x1b\x28\xeb\xee\x4e\x17\x48\x9c\x1a\xc7\x43\x7f\xce\x62\x48\xe6\x1b\xd9\x6b\x41\xdf\xab\x13\xb9\x74\x49\xfb\xe3\x69\x90\xde\xcd\x75\x3c\xa4\x68\x3b\x9f\x0c\x66\xb0\x85\x44\x3b\x32\x44\x81\x78\x89\x6c\xae\x1b\x56\xf2\x80\xff\x82\xb1\xd6\x43\xf0\x10\xa7\xa2\x85\xc8\x3f\x85\x61\x23\xc6\x09\x57\x04\xf1\xde\xd1\xfa\xf9\xb6\x54\x9e\xbb\x84\x2e\x6b\xe2\x3d\xa0\x15\x7a\xba\x64\x6c\xbb\xdd\xa1\xa5\xc7\x12\x23\x9c\x6a\x38\x53\x27\xc6\x0e\xd3\xb1\x5f\xb3\x48\xfa\x8a\x26\x95\x42\x23\x14\x34\x94\x8f\x98\xec\x31\xc7\xb1\x81\xb4\xba\xce\x16\xe8\xd4\xf7\x3b\x54\x77\x2a\xb9\x3a\x8c\x06\xfa\x94\x1f\x20\xdf\x62\x53\x08\xfe\x12\xe4\x0f\x52\x8d\x55\x18\xf9\xb6\x96\x37\xdf\xc0\x04\xf0\x03\x63\x78\x2f\x21\x52\x6d\x76\xa6\x70\x74\xef\xcc\x81\x09\x39\xc4\x59", 232); *(uint64_t*)0x1000056c = 0x10001; *(uint64_t*)0x10000574 = 0xd6a4; *(uint64_t*)0x1000057c = 0x6781; *(uint64_t*)0x10000584 = 5; *(uint64_t*)0x1000058c = 0; *(uint64_t*)0x10000594 = 3; *(uint64_t*)0x1000059c = 1; *(uint32_t*)0x100005a4 = 0x100; syscall(SYS_ioctl, -1, 0xc450443e, 0x10000140); break; case 3: memcpy((void*)0x100005c0, 
"\x93\x9d\x74\xa0\x8d\x50\xea\xdd\xab\xaf\x8e\x73\x9e\x2b\x76\xf3\x2d\xda\x63\x62\x74\x10\xe5\x5b\x37\xf9\x04\xf8\x5f\x2a\x4d\x8e\xae\x18\x23\x42\xad\x13\xf8\x75\x97\xd2\xae\x0b\xab\x40\xaa\xc1\x55\xaf\x85\xeb\x43\xbe\xdf\xa0\x4d\xa9\xac\xe9\x73\x25\xf4\x92\xba\xef\xea\xc8\x18\xab\xf5\x71\xaf\xc7\xfc\xa0\x76\x10\x3f\x6f\x2b\x33\x25\xa6\xcb\xe7\xae\x16\x73\x16\xb9\xb0\x39\xd7\xa6\xed\xa3\x11\x48\x70\xfb\x90\x8f\xc5\x17\x52\xc0\xf4\x73\x96\xa3\x3d\x2e\xad\x7f\x90\xeb\x30\xf5\x62\x6b\xaf\xfa\x4e\xc8\x62\x86\x72\xba\xa7\x4e\x1a\x67\x9a\xe4\xbd\x75\xcc\x3d\xd3\xd0\x99\xd8\x60\xf7\x22\x63\x44\x23\x64\x23\x01\x0d\xb4\x6e\xb6\xed\xad\xcd\xbf\xe1\x09\x5b\xe6\x36\x23\x01\x2a\xf3\x6e\xdf\xd0\xcb\x74\x8a\x9f\x42\xe8\xa3\xaa\x39\x10\x61\x6f\x6f\xcc\xbb\x9c\x23\x09\xa5\xa8\x07\xf4\xe1", 195); syscall(SYS_ioctl, -1, 0xc088444f, 0x100005c0); break; case 4: *(uint32_t*)0x10000700 = 4; syscall(SYS_getsockopt, -1, 0x29, 0x13, 0x100006c0, 0x10000700); break; case 5: res = syscall(SYS_socket, 2, 0x10000000, 5); if (res != -1) r[0] = res; break; case 6: *(uint32_t*)0x10000780 = 4; syscall(SYS_getsockopt, (intptr_t)r[0], 0x84, 5, 0x10000740, 0x10000780); break; case 7: *(uint32_t*)0x100007c0 = 0; *(uint16_t*)0x100007c4 = 0xfff; syscall(SYS_setsockopt, (intptr_t)r[0], 0x84, 0x15, 0x100007c0, 8); break; case 8: *(uint32_t*)0x10000800 = 0x40; *(uint32_t*)0x10000804 = 2; syscall(SYS_setsockopt, (intptr_t)r[0], 0xffff, 0x1005, 0x10000800, 8); break; case 9: *(uint8_t*)0x10000840 = 0x1c; *(uint8_t*)0x10000841 = 0x1c; *(uint16_t*)0x10000842 = htobe16(0x4e21); *(uint32_t*)0x10000844 = 0xffff02b3; *(uint8_t*)0x10000848 = -1; *(uint8_t*)0x10000849 = 2; *(uint8_t*)0x1000084a = 0; *(uint8_t*)0x1000084b = 0; *(uint8_t*)0x1000084c = 0; *(uint8_t*)0x1000084d = 0; *(uint8_t*)0x1000084e = 0; *(uint8_t*)0x1000084f = 0; *(uint8_t*)0x10000850 = 0; *(uint8_t*)0x10000851 = 0; *(uint8_t*)0x10000852 = 0; *(uint8_t*)0x10000853 = 0; *(uint8_t*)0x10000854 = 0; *(uint8_t*)0x10000855 = 0; *(uint8_t*)0x10000856 = 0; 
*(uint8_t*)0x10000857 = 1; *(uint32_t*)0x10000858 = 3; *(uint64_t*)0x1000085c = 0; *(uint64_t*)0x10000864 = 0; *(uint64_t*)0x1000086c = 0; *(uint64_t*)0x10000874 = 0; *(uint64_t*)0x1000087c = 0; *(uint64_t*)0x10000884 = 0; *(uint64_t*)0x1000088c = 0; *(uint64_t*)0x10000894 = 0; *(uint64_t*)0x1000089c = 0; *(uint64_t*)0x100008a4 = 0; *(uint64_t*)0x100008ac = 0; *(uint64_t*)0x100008b4 = 0; *(uint32_t*)0x100008bc = 0; syscall(SYS_setsockopt, (intptr_t)r[0], 0x84, 6, 0x10000840, 0x80); break; case 10: *(uint8_t*)0x10000000 = 0xaa; *(uint8_t*)0x10000001 = 0xaa; *(uint8_t*)0x10000002 = 0xaa; *(uint8_t*)0x10000003 = 0xaa; *(uint8_t*)0x10000004 = 0xaa; *(uint8_t*)0x10000005 = 0xaa; memcpy((void*)0x10000006, "\x14\x70\xd7\xfc\xe0\x4b", 6); *(uint16_t*)0x1000000c = htobe16(0x8100); STORE_BY_BITMASK(uint16_t, , 0x1000000e, 6, 0, 3); STORE_BY_BITMASK(uint16_t, , 0x1000000e, 1, 3, 1); STORE_BY_BITMASK(uint16_t, , 0x1000000e, 8, 4, 12); *(uint16_t*)0x10000010 = htobe16(0x806); *(uint16_t*)0x10000012 = htobe16(0x18); *(uint16_t*)0x10000014 = htobe16(0x8100); *(uint8_t*)0x10000016 = 6; *(uint8_t*)0x10000017 = 7; *(uint16_t*)0x10000018 = htobe16(8); *(uint8_t*)0x1000001a = -1; *(uint8_t*)0x1000001b = -1; *(uint8_t*)0x1000001c = -1; *(uint8_t*)0x1000001d = -1; *(uint8_t*)0x1000001e = -1; *(uint8_t*)0x1000001f = -1; memcpy((void*)0x10000020, "\x76\x45\x66\xc7\x98\x12\xc1", 7); *(uint8_t*)0x10000027 = -1; *(uint8_t*)0x10000028 = -1; *(uint8_t*)0x10000029 = -1; *(uint8_t*)0x1000002a = -1; *(uint8_t*)0x1000002b = -1; *(uint8_t*)0x1000002c = -1; memcpy((void*)0x1000002d, "\xbf\x12\xd9\x2c\xdf\xdf\x96\x3f\xc3\xd5\xdf\x8a\x58\x08\x19\xc1", 16); break; case 11: memcpy((void*)0x10000040, "\xc0\xf6\xaa\xf0\x83\x08\x4c\xc4\xc2\x7d\x1a\x05\x1b\x00\x00\x00\xc4\xe1\x2f\x59\x9e\x00\x80\x00\x00\xc4\xe1\xb9\xf2\x53\x00\x7c\x03\xdb\xe0\xc4\xc1\x31\x6d\x80\x00\x00\x00\x80\x3e\x66\x0f\x38\x07\xa9\x00\x00\x80\x10\xc4\xe1\x6f\xd0\x16", 59); syz_execute_func(0x10000040); break; case 12: break; } } int 
main(void) { syscall(SYS_mmap, 0x10000000, 0x1000000, 7, 0x1012, -1, 0); use_temporary_dir(); do_sandbox_none(); return 0; } :229:11: error: use of undeclared identifier 'SYS_freebsd12_shm_open' syscall(SYS_freebsd12_shm_open, 0x10000000, 0x800, 0xc9); ^ 1 error generated. compiler invocation: clang [-o /tmp/syz-executor927990996 -DGOOS_freebsd=1 -DGOARCH_386=1 -DHOSTGOOS_freebsd=1 -x c - -m32 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -static -lc++ -Wno-overflow] --- FAIL: TestGenerate/freebsd/386/10 (1.97s) csource_test.go:123: opts: {Threaded:true Collide:false Repeat:true RepeatTimes:0 Procs:0 Sandbox:none Fault:false FaultCall:0 FaultNth:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false USB:false VhciInjection:false Wifi:false Sysctl:false UseTmpDir:false HandleSegv:false Repro:false Trace:false} program: freebsd12_shm_open(&(0x7f0000000000)='./file0\x00', 0x800, 0xc9) shmdt(0x0) ioctl$DIOCRDELTABLES(0xffffffffffffffff, 0xc450443e, &(0x7f0000000140)={{"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", "a16d9b50c673924a489324b1a091acfa2806d32ca4521d9854097f849d801f7d", 0xf55, 0xff}, &(0x7f0000000040)="0ba5f67637b2cc899fb43f77467cd2484ae43d75010e986c71227dd2931a38beed8272dc4e165fd2500ee8d9e94d1b28ebee4e17489c1ac7437fce6248e61bd96b41dfab13b97449fbe36990decd753ca4683b9f0c66b085443b32448178896cae1b56f280ff82b1d643f010a7a285c83f856123c6095704f1ded1faf9b6549ebb842e6be23da0157aba646cbbdda1a5c712239c6a385327c60ed3b15fb348fa8a269542231434948f98ec31c7b181b4bace16e8d4f73b54772ab93a8c06fa941f20df625308fe12e40f528d5518f9b69637dfc004f00363782f21526d76a67074efcc810939c459", 0x10001, 0xd6a4, 0x6781, 0x5, 0x0, 0x3, 0x1, 0x100}) ioctl$DIOCOSFPADD(0xffffffffffffffff, 0xc088444f, 
&(0x7f00000005c0)="939d74a08d50eaddabaf8e739e2b76f32dda63627410e55b37f904f85f2a4d8eae182342ad13f87597d2ae0bab40aac155af85eb43bedfa04da9ace97325f492baefeac818abf571afc7fca076103f6f2b3325a6cbe7ae167316b9b039d7a6eda3114870fb908fc51752c0f47396a33d2ead7f90eb30f5626baffa4ec8628672baa74e1a679ae4bd75cc3dd3d099d860f7226344236423010db46eb6edadcdbfe1095be63623012af36edfd0cb748a9f42e8a3aa3910616f6fccbb9c2309a5a807f4e1") getsockopt$inet6_int(0xffffffffffffffff, 0x29, 0x13, &(0x7f00000006c0), &(0x7f0000000700)=0x4) r0 = socket$inet(0x2, 0x10000000, 0x5) getsockopt$inet_sctp_SCTP_AUTOCLOSE(r0, 0x84, 0x5, &(0x7f0000000740), &(0x7f0000000780)=0x4) setsockopt$inet_sctp_SCTP_AUTH_ACTIVE_KEY(r0, 0x84, 0x15, &(0x7f00000007c0)={0x0, 0xfff}, 0x8) setsockopt$sock_timeval(r0, 0xffff, 0x1005, &(0x7f0000000800)={0x40, 0x2}, 0x8) setsockopt$inet_sctp_SCTP_SET_PEER_PRIMARY_ADDR(r0, 0x84, 0x6, &(0x7f0000000840)={@in6={{0x1c, 0x1c, 0x1, 0xffff02b3, @mcast2, 0x3}}}, 0x80) syz_emit_ethernet(0x3d, &(0x7f0000000000)={@local, @random="1470d7fce04b", [{[], {0x8100, 0x6, 0x1, 0x8}}], {@arp={0x806, @generic={0x18, 0x8100, 0x6, 0x7, 0x8, @broadcast, "764566c79812c1", @broadcast, "bf12d92cdfdf963fc3d5df8a580819c1"}}}}) syz_execute_func(&(0x7f0000000040)="c0f6aaf083084cc4c27d1a051b000000c4e12f599e00800000c4e1b9f253007c03dbe0c4c1316d80000000803e660f3807a900008010c4e16fd016") syz_extract_tcp_res(&(0x7f0000000080), 0x9, 0x2) csource_test.go:124: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include static void kill_and_wait(int pid, int* status) { kill(pid, SIGKILL); while (waitpid(-1, status, 0) != pid) { } } static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec 
* 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); pthread_attr_setstacksize(&attr, 128 << 10); int i = 0; for (; i < 100; i++) { if (pthread_create(&th, &attr, fn, arg) == 0) { pthread_attr_destroy(&attr); return; } if (errno == EAGAIN) { usleep(50); continue; } break; } exit(1); } typedef struct { pthread_mutex_t mu; pthread_cond_t cv; int state; } event_t; static void event_init(event_t* ev) { if (pthread_mutex_init(&ev->mu, 0)) exit(1); if (pthread_cond_init(&ev->cv, 0)) exit(1); ev->state = 0; } static void event_reset(event_t* ev) { ev->state = 0; } static void event_set(event_t* ev) { pthread_mutex_lock(&ev->mu); if (ev->state) exit(1); ev->state = 1; pthread_mutex_unlock(&ev->mu); pthread_cond_broadcast(&ev->cv); } static void event_wait(event_t* ev) { pthread_mutex_lock(&ev->mu); while (!ev->state) pthread_cond_wait(&ev->cv, &ev->mu); pthread_mutex_unlock(&ev->mu); } static int event_isset(event_t* ev) { pthread_mutex_lock(&ev->mu); int res = ev->state; pthread_mutex_unlock(&ev->mu); return res; } static int event_timedwait(event_t* ev, uint64_t timeout) { uint64_t start = current_time_ms(); uint64_t now = start; pthread_mutex_lock(&ev->mu); for (;;) { if (ev->state) break; uint64_t remain = timeout - (now - start); struct timespec ts; ts.tv_sec = remain / 1000; ts.tv_nsec = (remain % 1000) * 1000 * 1000; pthread_cond_timedwait(&ev->cv, &ev->mu, &ts); now = current_time_ms(); if (now - start > timeout) break; } int res = ev->state; pthread_mutex_unlock(&ev->mu); return res; } #define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off)) #define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len)))) static void sandbox_common() { if (setsid() == -1) exit(1); struct rlimit rlim; rlim.rlim_cur = rlim.rlim_max 
= 128 << 20; setrlimit(RLIMIT_AS, &rlim); rlim.rlim_cur = rlim.rlim_max = 8 << 20; setrlimit(RLIMIT_MEMLOCK, &rlim); rlim.rlim_cur = rlim.rlim_max = 1 << 20; setrlimit(RLIMIT_FSIZE, &rlim); rlim.rlim_cur = rlim.rlim_max = 1 << 20; setrlimit(RLIMIT_STACK, &rlim); rlim.rlim_cur = rlim.rlim_max = 0; setrlimit(RLIMIT_CORE, &rlim); rlim.rlim_cur = rlim.rlim_max = 256; setrlimit(RLIMIT_NOFILE, &rlim); } static void loop(); static int do_sandbox_none(void) { sandbox_common(); loop(); return 0; } static long syz_execute_func(volatile long text) { ((void (*)(void))(text))(); return 0; } struct thread_t { int created, call; event_t ready, done; }; static struct thread_t threads[16]; static void execute_call(int call); static int running; static void* thr(void* arg) { struct thread_t* th = (struct thread_t*)arg; for (;;) { event_wait(&th->ready); event_reset(&th->ready); execute_call(th->call); __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED); event_set(&th->done); } return 0; } static void execute_one(void) { int i, call, thread; for (call = 0; call < 13; call++) { for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) { struct thread_t* th = &threads[thread]; if (!th->created) { th->created = 1; event_init(&th->ready); event_init(&th->done); event_set(&th->done); thread_start(thr, th); } if (!event_isset(&th->done)) continue; event_reset(&th->done); th->call = call; __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED); event_set(&th->ready); event_timedwait(&th->done, 45); break; } } for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++) sleep_ms(1); } static void execute_one(void); #define WAIT_FLAGS 0 static void loop(void) { int iter = 0; for (;; iter++) { int pid = fork(); if (pid < 0) exit(1); if (pid == 0) { execute_one(); exit(0); } int status = 0; uint64_t start = current_time_ms(); for (;;) { if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) break; sleep_ms(1); if (current_time_ms() - start < 5 * 1000) continue; 
kill_and_wait(pid, &status); break; } } } uint64_t r[1] = {0xffffffffffffffff}; void execute_call(int call) { intptr_t res = 0; switch (call) { case 0: memcpy((void*)0x10000000, "./file0\000", 8); syscall(SYS_freebsd12_shm_open, 0x10000000, 0x800, 0xc9); break; case 1: syscall(SYS_shmdt, 0); break; case 2: memcpy((void*)0x10000140, "\x1a\xe7\x45\xec\xdf\x4d\xdb\x7e\x44\x74\x7b\x1e\xb3\xa3\x61\x85\x5e\xf7\xa8\x74\x8b\x3a\x32\xb4\x7f\xdf\x40\x09\x33\xe0\x69\x30\xef\x3f\xe6\xb0\x88\x37\x3f\x29\x9a\xfa\x26\xd7\xc3\xa6\xa7\x2b\xd7\xc4\x2b\xdf\xf8\xbd\x0d\xbe\x00\xa3\xc7\x43\xda\x0b\xf8\xbf\x75\x59\x8d\x38\x32\xb0\x89\x2b\xfe\x16\x75\x07\x1b\x14\x99\x7e\x47\xcb\xca\x02\x03\x6c\xcd\x95\xa2\xab\x18\x8a\x9c\x7e\x79\x1e\x60\xac\xa1\x0d\x90\x82\xd5\x5b\x00\xdc\x9f\xbb\x38\xdb\x32\x06\x2f\x30\x12\x6f\xa7\xc1\x92\x01\x6e\xaa\x62\x96\xd0\x07\x32\xdc\x64\x91\xb6\x69\xed\x05\xaa\x34\x24\xa9\x64\x12\xad\xb9\xfe\x4f\x55\x4b\x49\x2e\xd2\xea\x1a\xfc\xfa\x66\xeb\x4c\x2e\x3c\x1c\x32\x97\x80\xdd\xb3\x1b\x8f\x54\xa7\x3a\xc0\x65\x25\x69\x45\xd5\x45\x7b\x3e\x70\x33\xc8\xed\x44\xf9\x03\x02\x11\xc7\x1c\xcd\x6d\xaa\xfe\x7e\x7b\xb5\x91\x6c\x63\x66\x11\x79\xd2\xfd\xba\xdf\xed\xb8\x5a\xbf\xa6\x76\x04\x4d\x98\x87\xf4\xd4\x1e\xbb\xbc\xa1\x83\x85\x87\xf0\xb3\x48\xc1\x64\xde\xcc\x4c\xca\xaf\xa5\x73\x37\x2d\x8b\xe6\x2a\x69\xad\xcb\xf9\xd3\x60\xff\xfb\xdf\x29\x53\x0a\x07\x7c\x7e\x9d\x84\x12\x3b\x09\x56\xd1\xaf\xa3\x97\xb6\xc5\x40\x97\xaa\x48\xd7\x3d\x3e\x26\x81\xb6\x5e\x3e\x69\xd0\xcb\x28\x8a\x52\x53\xe7\x42\x2c\x88\x60\x6a\x54\x3e\x32\x03\x8f\x26\x0e\x19\xe0\x3d\xb6\x0d\xa6\xea\x00\x2c\x9f\x20\x58\x71\xd6\x03\x32\x31\x20\x2d\x4a\x21\x5f\xfe\x80\x22\xf4\x9f\xbb\x17\xc6\xcd\xfd\xbc\x13\xda\x45\x99\x15\x9c\x4e\x04\x72\xc5\x4c\xa2\x6e\x14\xd6\x99\x0d\x73\x3e\x45\x54\x0a\xcc\xa6\x3c\x7b\x3a\x21\xd3\x9e\x6e\xfa\x91\x33\x87\x29\x7d\xa5\xf4\x68\x35\x4d\x4c\x99\x87\x8d\x74\x5b\x6c\x92\xb7\x48\xfb\x67\x43\x07\xf4\xb2\x2f\x7d\xf3\x1f\x25\x4c\x0b\x43\xb2\x61\x69\xc2\xe1\xf7\xf0\x80\x85\xf9\xff\x22\xe7\x0f\x00\xf9\
x70\x57\x90\xdd\x80\xca\x43\x0d\x5a\xc6\x2a\xa0\xa7\x9d\x1e\x84\x97\x98\x8b\x60\x68\xdb\x2f\xa5\x15\xde\x9e\xb0\x71\x65\x59\x75\x81\x1b\x6a\xb8\xb8\xe0\x53\xa6\x36\x34\x29\xf9\x43\x48\x99\x1e\xaa\x80\xd7\xdc\x42\x3b\xe4\x9e\xba\xb2\xd7\x4f\xaf\x7b\x9f\xff\x03\xf2\xd0\x6c\x28\x6f\xb2\x01\xbe\x54\xc6\xca\x10\xd6\x62\x9f\xbd\x0d\x0e\x14\x32\xe6\x38\xbe\x82\xbd\x3b\xe0\x39\xd7\xe9\x76\x54\x97\x3e\x2c\x7c\x2b\xa6\x5b\x3c\x6e\x77\x76\xfa\x16\xde\xe0\x91\x13\xd8\xa4\x74\x16\xee\x7b\x67\xf2\x7e\xc0\x89\x89\x30\x42\x35\xab\x6f\x3d\xdb\xbb\xc6\xfe\x84\xa5\x8f\x7a\xaf\x50\x85\x3a\xf6\x72\xda\xd5\x3e\x00\x0b\x59\x42\x71\xc3\xc7\x35\x09\xcf\xb2\x92\xc1\xf7\xae\xe7\xaa\x2e\xa7\x72\x1e\x15\xe5\x7a\x3b\x54\xa5\xb0\xe5\xef\xe8\xd9\xdb\x18\x52\xf1\xbb\x94\xf8\xb6\xfd\xd9\x2d\xc1\x8b\x86\xf4\xea\x29\x82\xb6\x3a\xc8\xc1\x21\xb7\x37\x1e\x6c\x6a\xe6\xba\xe0\x44\xff\x5a\xbb\x5a\x7a\x2b\x07\x7e\xd8\x2a\x81\x73\x6d\xd9\x05\xdc\x34\x91\xd0\x48\x73\x71\x4b\x33\x1c\x87\x43\x56\xe3\x28\xf3\x24\x51\xc6\xf4\x56\xf6\xc0\xcd\x2b\x1e\x0c\x81\x9c\x3f\x9a\x9c\x73\x6b\x22\xee\x97\xfa\x00\x1b\x37\x81\x8d\x48\xc4\x3b\x5a\x94\x49\x4d\x5f\xe6\xb9\x72\x51\xc7\x1e\x20\xbc\x7e\x31\x38\xa6\x1c\xe2\x3d\x37\x30\x81\xb5\x99\xd6\x8b\xa3\x6b\x88\xa5\x93\x8b\x11\x7a\x4a\xe1\xc1\x50\x99\xcb\xf9\x01\x76\x25\xfd\xb0\x60\xea\xc5\xe1\xed\x70\x09\x48\x1f\xc5\x84\x09\xae\xcb\xf4\x4b\x4d\x21\xa2\x57\x42\x6c\xac\x67\xa9\xa0\xf5\x06\x2d\x09\xf9\x20\x9a\xc0\x2a\xa3\x87\x8e\x73\x7f\xe8\xe3\xa4\x26\x0f\x1c\x64\xb5\xc5\xcb\x07\x1a\xc1\x25\xaa\x5e\x4e\x35\x94\x43\x68\xc1\xdc\x5e\x0c\xc9\x6a\x11\xd7\x7c\xff\xf5\x39\xef\x38\xa0\x77\x42\x8a\x01\xdc\x21\x74\x8b\x73\x42\xba\xd2\xa2\x61\x4c\x1b\x32\xd5\x0d\x2a\xa9\xba\x9b\x39\x1d\xcc\x58\x24\xf2\x16\x37\xff\x62\x94\xb5\xdc\xfb\x6f\xc2\xa8\xbb\x0b\x2e\xa2\x51\x48\x68\xf0\x82\xb7\xd2\x43\x35\xf7\x2b\xf1\x30\xac\xc7\xf6\x89\x72\x59\x39\x4e\xa8\x22\x05\xfe\xc9\xad\x75\xa0\x88\xc1\x20\x0a\x94\xea\xac\x0a\x8b\x05\xaf\x97\x6f\x1a\x4a\x98\x3e\x8d\xbe\xe9\xa0\x3a\x21\x5e\x15\xe1\x8e\x19\x58\xda\
x32\x7c\x54\xea\x41\x1f\x76\xa3\x7c\x54\x49\xd1\x64\xb6\xe2\xa9\x15\x19\xf0\x82\x0c\x1c\xc4\xbd\x8a\x3e\xf9\x52\x1a\xb1\xdc\xe8\xa1\xe5\x30\x6f\x91\x05\x0e\xd6\xb4\x44\xf5\xcc\x8d\x19\x45\x26\x3b\x86\xc9\x99\x08\x8d\x10\xbf\xc1\xb0\x53\x43\xa7\xae\xdd\x9a\x84\x18\x8b\x84\xca\x09\x43\x0e\x32\xf7\x36\x23\xd1\xa0\xfb\xcf\x18\x6e\xfc\x11\x3e\x44\xb9\xf0\x46\x0c\xb9\xd8\x5f\x19\x23\xcb\xbc\xd1\x6d\xf5\x02\x47\x41\xad\x93\x0a\xa8\x3b", 1024); memcpy((void*)0x10000540, "\xa1\x6d\x9b\x50\xc6\x73\x92\x4a\x48\x93\x24\xb1\xa0\x91\xac\xfa\x28\x06\xd3\x2c\xa4\x52\x1d\x98\x54\x09\x7f\x84\x9d\x80\x1f\x7d", 32); *(uint32_t*)0x10000560 = 0xf55; *(uint8_t*)0x10000564 = -1; *(uint32_t*)0x10000568 = 0x10000040; memcpy((void*)0x10000040, "\x0b\xa5\xf6\x76\x37\xb2\xcc\x89\x9f\xb4\x3f\x77\x46\x7c\xd2\x48\x4a\xe4\x3d\x75\x01\x0e\x98\x6c\x71\x22\x7d\xd2\x93\x1a\x38\xbe\xed\x82\x72\xdc\x4e\x16\x5f\xd2\x50\x0e\xe8\xd9\xe9\x4d\x1b\x28\xeb\xee\x4e\x17\x48\x9c\x1a\xc7\x43\x7f\xce\x62\x48\xe6\x1b\xd9\x6b\x41\xdf\xab\x13\xb9\x74\x49\xfb\xe3\x69\x90\xde\xcd\x75\x3c\xa4\x68\x3b\x9f\x0c\x66\xb0\x85\x44\x3b\x32\x44\x81\x78\x89\x6c\xae\x1b\x56\xf2\x80\xff\x82\xb1\xd6\x43\xf0\x10\xa7\xa2\x85\xc8\x3f\x85\x61\x23\xc6\x09\x57\x04\xf1\xde\xd1\xfa\xf9\xb6\x54\x9e\xbb\x84\x2e\x6b\xe2\x3d\xa0\x15\x7a\xba\x64\x6c\xbb\xdd\xa1\xa5\xc7\x12\x23\x9c\x6a\x38\x53\x27\xc6\x0e\xd3\xb1\x5f\xb3\x48\xfa\x8a\x26\x95\x42\x23\x14\x34\x94\x8f\x98\xec\x31\xc7\xb1\x81\xb4\xba\xce\x16\xe8\xd4\xf7\x3b\x54\x77\x2a\xb9\x3a\x8c\x06\xfa\x94\x1f\x20\xdf\x62\x53\x08\xfe\x12\xe4\x0f\x52\x8d\x55\x18\xf9\xb6\x96\x37\xdf\xc0\x04\xf0\x03\x63\x78\x2f\x21\x52\x6d\x76\xa6\x70\x74\xef\xcc\x81\x09\x39\xc4\x59", 232); *(uint64_t*)0x1000056c = 0x10001; *(uint64_t*)0x10000574 = 0xd6a4; *(uint64_t*)0x1000057c = 0x6781; *(uint64_t*)0x10000584 = 5; *(uint64_t*)0x1000058c = 0; *(uint64_t*)0x10000594 = 3; *(uint64_t*)0x1000059c = 1; *(uint32_t*)0x100005a4 = 0x100; syscall(SYS_ioctl, -1, 0xc450443e, 0x10000140); break; case 3: memcpy((void*)0x100005c0, 
"\x93\x9d\x74\xa0\x8d\x50\xea\xdd\xab\xaf\x8e\x73\x9e\x2b\x76\xf3\x2d\xda\x63\x62\x74\x10\xe5\x5b\x37\xf9\x04\xf8\x5f\x2a\x4d\x8e\xae\x18\x23\x42\xad\x13\xf8\x75\x97\xd2\xae\x0b\xab\x40\xaa\xc1\x55\xaf\x85\xeb\x43\xbe\xdf\xa0\x4d\xa9\xac\xe9\x73\x25\xf4\x92\xba\xef\xea\xc8\x18\xab\xf5\x71\xaf\xc7\xfc\xa0\x76\x10\x3f\x6f\x2b\x33\x25\xa6\xcb\xe7\xae\x16\x73\x16\xb9\xb0\x39\xd7\xa6\xed\xa3\x11\x48\x70\xfb\x90\x8f\xc5\x17\x52\xc0\xf4\x73\x96\xa3\x3d\x2e\xad\x7f\x90\xeb\x30\xf5\x62\x6b\xaf\xfa\x4e\xc8\x62\x86\x72\xba\xa7\x4e\x1a\x67\x9a\xe4\xbd\x75\xcc\x3d\xd3\xd0\x99\xd8\x60\xf7\x22\x63\x44\x23\x64\x23\x01\x0d\xb4\x6e\xb6\xed\xad\xcd\xbf\xe1\x09\x5b\xe6\x36\x23\x01\x2a\xf3\x6e\xdf\xd0\xcb\x74\x8a\x9f\x42\xe8\xa3\xaa\x39\x10\x61\x6f\x6f\xcc\xbb\x9c\x23\x09\xa5\xa8\x07\xf4\xe1", 195); syscall(SYS_ioctl, -1, 0xc088444f, 0x100005c0); break; case 4: *(uint32_t*)0x10000700 = 4; syscall(SYS_getsockopt, -1, 0x29, 0x13, 0x100006c0, 0x10000700); break; case 5: res = syscall(SYS_socket, 2, 0x10000000, 5); if (res != -1) r[0] = res; break; case 6: *(uint32_t*)0x10000780 = 4; syscall(SYS_getsockopt, (intptr_t)r[0], 0x84, 5, 0x10000740, 0x10000780); break; case 7: *(uint32_t*)0x100007c0 = 0; *(uint16_t*)0x100007c4 = 0xfff; syscall(SYS_setsockopt, (intptr_t)r[0], 0x84, 0x15, 0x100007c0, 8); break; case 8: *(uint32_t*)0x10000800 = 0x40; *(uint32_t*)0x10000804 = 2; syscall(SYS_setsockopt, (intptr_t)r[0], 0xffff, 0x1005, 0x10000800, 8); break; case 9: *(uint8_t*)0x10000840 = 0x1c; *(uint8_t*)0x10000841 = 0x1c; *(uint16_t*)0x10000842 = htobe16(0x4e21); *(uint32_t*)0x10000844 = 0xffff02b3; *(uint8_t*)0x10000848 = -1; *(uint8_t*)0x10000849 = 2; *(uint8_t*)0x1000084a = 0; *(uint8_t*)0x1000084b = 0; *(uint8_t*)0x1000084c = 0; *(uint8_t*)0x1000084d = 0; *(uint8_t*)0x1000084e = 0; *(uint8_t*)0x1000084f = 0; *(uint8_t*)0x10000850 = 0; *(uint8_t*)0x10000851 = 0; *(uint8_t*)0x10000852 = 0; *(uint8_t*)0x10000853 = 0; *(uint8_t*)0x10000854 = 0; *(uint8_t*)0x10000855 = 0; *(uint8_t*)0x10000856 = 0; 
*(uint8_t*)0x10000857 = 1; *(uint32_t*)0x10000858 = 3; *(uint64_t*)0x1000085c = 0; *(uint64_t*)0x10000864 = 0; *(uint64_t*)0x1000086c = 0; *(uint64_t*)0x10000874 = 0; *(uint64_t*)0x1000087c = 0; *(uint64_t*)0x10000884 = 0; *(uint64_t*)0x1000088c = 0; *(uint64_t*)0x10000894 = 0; *(uint64_t*)0x1000089c = 0; *(uint64_t*)0x100008a4 = 0; *(uint64_t*)0x100008ac = 0; *(uint64_t*)0x100008b4 = 0; *(uint32_t*)0x100008bc = 0; syscall(SYS_setsockopt, (intptr_t)r[0], 0x84, 6, 0x10000840, 0x80); break; case 10: *(uint8_t*)0x10000000 = 0xaa; *(uint8_t*)0x10000001 = 0xaa; *(uint8_t*)0x10000002 = 0xaa; *(uint8_t*)0x10000003 = 0xaa; *(uint8_t*)0x10000004 = 0xaa; *(uint8_t*)0x10000005 = 0xaa; memcpy((void*)0x10000006, "\x14\x70\xd7\xfc\xe0\x4b", 6); *(uint16_t*)0x1000000c = htobe16(0x8100); STORE_BY_BITMASK(uint16_t, , 0x1000000e, 6, 0, 3); STORE_BY_BITMASK(uint16_t, , 0x1000000e, 1, 3, 1); STORE_BY_BITMASK(uint16_t, , 0x1000000e, 8, 4, 12); *(uint16_t*)0x10000010 = htobe16(0x806); *(uint16_t*)0x10000012 = htobe16(0x18); *(uint16_t*)0x10000014 = htobe16(0x8100); *(uint8_t*)0x10000016 = 6; *(uint8_t*)0x10000017 = 7; *(uint16_t*)0x10000018 = htobe16(8); *(uint8_t*)0x1000001a = -1; *(uint8_t*)0x1000001b = -1; *(uint8_t*)0x1000001c = -1; *(uint8_t*)0x1000001d = -1; *(uint8_t*)0x1000001e = -1; *(uint8_t*)0x1000001f = -1; memcpy((void*)0x10000020, "\x76\x45\x66\xc7\x98\x12\xc1", 7); *(uint8_t*)0x10000027 = -1; *(uint8_t*)0x10000028 = -1; *(uint8_t*)0x10000029 = -1; *(uint8_t*)0x1000002a = -1; *(uint8_t*)0x1000002b = -1; *(uint8_t*)0x1000002c = -1; memcpy((void*)0x1000002d, "\xbf\x12\xd9\x2c\xdf\xdf\x96\x3f\xc3\xd5\xdf\x8a\x58\x08\x19\xc1", 16); break; case 11: memcpy((void*)0x10000040, "\xc0\xf6\xaa\xf0\x83\x08\x4c\xc4\xc2\x7d\x1a\x05\x1b\x00\x00\x00\xc4\xe1\x2f\x59\x9e\x00\x80\x00\x00\xc4\xe1\xb9\xf2\x53\x00\x7c\x03\xdb\xe0\xc4\xc1\x31\x6d\x80\x00\x00\x00\x80\x3e\x66\x0f\x38\x07\xa9\x00\x00\x80\x10\xc4\xe1\x6f\xd0\x16", 59); syz_execute_func(0x10000040); break; case 12: break; } } int 
main(void) { syscall(SYS_mmap, 0x10000000, 0x1000000, 7, 0x1012, -1, 0); do_sandbox_none(); return 0; } :256:11: error: use of undeclared identifier 'SYS_freebsd12_shm_open' syscall(SYS_freebsd12_shm_open, 0x10000000, 0x800, 0xc9); ^ 1 error generated. compiler invocation: clang [-o /tmp/syz-executor144716553 -DGOOS_freebsd=1 -DGOARCH_386=1 -DHOSTGOOS_freebsd=1 -x c - -m32 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -static -lc++ -Wno-overflow] --- FAIL: TestGenerate/freebsd/386/5 (2.09s) csource_test.go:123: opts: {Threaded:true Collide:false Repeat:true RepeatTimes:0 Procs:1 Sandbox:none Fault:false FaultCall:0 FaultNth:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false USB:false VhciInjection:false Wifi:false Sysctl:false UseTmpDir:true HandleSegv:false Repro:false Trace:false} program: freebsd12_shm_open(&(0x7f0000000000)='./file0\x00', 0x800, 0xc9) shmdt(0x0) ioctl$DIOCRDELTABLES(0xffffffffffffffff, 0xc450443e, 
&(0x7f0000000140)={{"1ae745ecdf4ddb7e44747b1eb3a361855ef7a8748b3a32b47fdf400933e06930ef3fe6b088373f299afa26d7c3a6a72bd7c42bdff8bd0dbe00a3c743da0bf8bf75598d3832b0892bfe1675071b14997e47cbca02036ccd95a2ab188a9c7e791e60aca10d9082d55b00dc9fbb38db32062f30126fa7c192016eaa6296d00732dc6491b669ed05aa3424a96412adb9fe4f554b492ed2ea1afcfa66eb4c2e3c1c329780ddb31b8f54a73ac065256945d5457b3e7033c8ed44f9030211c71ccd6daafe7e7bb5916c63661179d2fdbadfedb85abfa676044d9887f4d41ebbbca1838587f0b348c164decc4ccaafa573372d8be62a69adcbf9d360fffbdf29530a077c7e9d84123b0956d1afa397b6c54097aa48d73d3e2681b65e3e69d0cb288a5253e7422c88606a543e32038f260e19e03db60da6ea002c9f205871d6033231202d4a215ffe8022f49fbb17c6cdfdbc13da4599159c4e0472c54ca26e14d6990d733e45540acca63c7b3a21d39e6efa913387297da5f468354d4c99878d745b6c92b748fb674307f4b22f7df31f254c0b43b26169c2e1f7f08085f9ff22e70f00f9705790dd80ca430d5ac62aa0a79d1e8497988b6068db2fa515de9eb071655975811b6ab8b8e053a6363429f94348991eaa80d7dc423be49ebab2d74faf7b9fff03f2d06c286fb201be54c6ca10d6629fbd0d0e1432e638be82bd3be039d7e97654973e2c7c2ba65b3c6e7776fa16dee09113d8a47416ee7b67f27ec08989304235ab6f3ddbbbc6fe84a58f7aaf50853af672dad53e000b594271c3c73509cfb292c1f7aee7aa2ea7721e15e57a3b54a5b0e5efe8d9db1852f1bb94f8b6fdd92dc18b86f4ea2982b63ac8c121b7371e6c6ae6bae044ff5abb5a7a2b077ed82a81736dd905dc3491d04873714b331c874356e328f32451c6f456f6c0cd2b1e0c819c3f9a9c736b22ee97fa001b37818d48c43b5a94494d5fe6b97251c71e20bc7e3138a61ce23d373081b599d68ba36b88a5938b117a4ae1c15099cbf9017625fdb060eac5e1ed7009481fc58409aecbf44b4d21a257426cac67a9a0f5062d09f9209ac02aa3878e737fe8e3a4260f1c64b5c5cb071ac125aa5e4e35944368c1dc5e0cc96a11d77cfff539ef38a077428a01dc21748b7342bad2a2614c1b32d50d2aa9ba9b391dcc5824f21637ff6294b5dcfb6fc2a8bb0b2ea2514868f082b7d24335f72bf130acc7f6897259394ea82205fec9ad75a088c1200a94eaac0a8b05af976f1a4a983e8dbee9a03a215e15e18e1958da327c54ea411f76a37c5449d164b6e2a91519f0820c1cc4bd8a3ef9521ab1dce8a1e5306f91050ed6b444f5cc8d1945263b86c999088d10bfc1b05343a7aedd9a84188b84ca09430e32f
73623d1a0fbcf186efc113e44b9f0460cb9d85f1923cbbcd16df5024741ad930aa83b", "a16d9b50c673924a489324b1a091acfa2806d32ca4521d9854097f849d801f7d", 0xf55, 0xff}, &(0x7f0000000040)="0ba5f67637b2cc899fb43f77467cd2484ae43d75010e986c71227dd2931a38beed8272dc4e165fd2500ee8d9e94d1b28ebee4e17489c1ac7437fce6248e61bd96b41dfab13b97449fbe36990decd753ca4683b9f0c66b085443b32448178896cae1b56f280ff82b1d643f010a7a285c83f856123c6095704f1ded1faf9b6549ebb842e6be23da0157aba646cbbdda1a5c712239c6a385327c60ed3b15fb348fa8a269542231434948f98ec31c7b181b4bace16e8d4f73b54772ab93a8c06fa941f20df625308fe12e40f528d5518f9b69637dfc004f00363782f21526d76a67074efcc810939c459", 0x10001, 0xd6a4, 0x6781, 0x5, 0x0, 0x3, 0x1, 0x100}) ioctl$DIOCOSFPADD(0xffffffffffffffff, 0xc088444f, &(0x7f00000005c0)="939d74a08d50eaddabaf8e739e2b76f32dda63627410e55b37f904f85f2a4d8eae182342ad13f87597d2ae0bab40aac155af85eb43bedfa04da9ace97325f492baefeac818abf571afc7fca076103f6f2b3325a6cbe7ae167316b9b039d7a6eda3114870fb908fc51752c0f47396a33d2ead7f90eb30f5626baffa4ec8628672baa74e1a679ae4bd75cc3dd3d099d860f7226344236423010db46eb6edadcdbfe1095be63623012af36edfd0cb748a9f42e8a3aa3910616f6fccbb9c2309a5a807f4e1") getsockopt$inet6_int(0xffffffffffffffff, 0x29, 0x13, &(0x7f00000006c0), &(0x7f0000000700)=0x4) r0 = socket$inet(0x2, 0x10000000, 0x5) getsockopt$inet_sctp_SCTP_AUTOCLOSE(r0, 0x84, 0x5, &(0x7f0000000740), &(0x7f0000000780)=0x4) setsockopt$inet_sctp_SCTP_AUTH_ACTIVE_KEY(r0, 0x84, 0x15, &(0x7f00000007c0)={0x0, 0xfff}, 0x8) setsockopt$sock_timeval(r0, 0xffff, 0x1005, &(0x7f0000000800)={0x40, 0x2}, 0x8) setsockopt$inet_sctp_SCTP_SET_PEER_PRIMARY_ADDR(r0, 0x84, 0x6, &(0x7f0000000840)={@in6={{0x1c, 0x1c, 0x1, 0xffff02b3, @mcast2, 0x3}}}, 0x80) syz_emit_ethernet(0x3d, &(0x7f0000000000)={@local, @random="1470d7fce04b", [{[], {0x8100, 0x6, 0x1, 0x8}}], {@arp={0x806, @generic={0x18, 0x8100, 0x6, 0x7, 0x8, @broadcast, "764566c79812c1", @broadcast, "bf12d92cdfdf963fc3d5df8a580819c1"}}}}) 
syz_execute_func(&(0x7f0000000040)="c0f6aaf083084cc4c27d1a051b000000c4e12f599e00800000c4e1b9f253007c03dbe0c4c1316d80000000803e660f3807a900008010c4e16fd016") syz_extract_tcp_res(&(0x7f0000000080), 0x9, 0x2) csource_test.go:124: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include static void kill_and_wait(int pid, int* status) { kill(pid, SIGKILL); while (waitpid(-1, status, 0) != pid) { } } static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void use_temporary_dir(void) { char tmpdir_template[] = "./syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) exit(1); if (chmod(tmpdir, 0777)) exit(1); if (chdir(tmpdir)) exit(1); } static void __attribute__((noinline)) remove_dir(const char* dir) { DIR* dp = opendir(dir); if (dp == NULL) { if (errno == EACCES) { if (rmdir(dir)) exit(1); return; } exit(1); } struct dirent* ep = 0; while ((ep = readdir(dp))) { if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0) continue; char filename[FILENAME_MAX]; snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name); struct stat st; if (lstat(filename, &st)) exit(1); if (S_ISDIR(st.st_mode)) { remove_dir(filename); continue; } if (unlink(filename)) exit(1); } closedir(dp); if (rmdir(dir)) exit(1); } static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); pthread_attr_setstacksize(&attr, 128 << 10); int i = 0; for (; i < 100; i++) { if (pthread_create(&th, &attr, fn, arg) == 0) { pthread_attr_destroy(&attr); return; } if (errno == EAGAIN) { usleep(50); continue; } break; 
} exit(1); } typedef struct { pthread_mutex_t mu; pthread_cond_t cv; int state; } event_t; static void event_init(event_t* ev) { if (pthread_mutex_init(&ev->mu, 0)) exit(1); if (pthread_cond_init(&ev->cv, 0)) exit(1); ev->state = 0; } static void event_reset(event_t* ev) { ev->state = 0; } static void event_set(event_t* ev) { pthread_mutex_lock(&ev->mu); if (ev->state) exit(1); ev->state = 1; pthread_mutex_unlock(&ev->mu); pthread_cond_broadcast(&ev->cv); } static void event_wait(event_t* ev) { pthread_mutex_lock(&ev->mu); while (!ev->state) pthread_cond_wait(&ev->cv, &ev->mu); pthread_mutex_unlock(&ev->mu); } static int event_isset(event_t* ev) { pthread_mutex_lock(&ev->mu); int res = ev->state; pthread_mutex_unlock(&ev->mu); return res; } static int event_timedwait(event_t* ev, uint64_t timeout) { uint64_t start = current_time_ms(); uint64_t now = start; pthread_mutex_lock(&ev->mu); for (;;) { if (ev->state) break; uint64_t remain = timeout - (now - start); struct timespec ts; ts.tv_sec = remain / 1000; ts.tv_nsec = (remain % 1000) * 1000 * 1000; pthread_cond_timedwait(&ev->cv, &ev->mu, &ts); now = current_time_ms(); if (now - start > timeout) break; } int res = ev->state; pthread_mutex_unlock(&ev->mu); return res; } #define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off)) #define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len)))) static void sandbox_common() { if (setsid() == -1) exit(1); struct rlimit rlim; rlim.rlim_cur = rlim.rlim_max = 128 << 20; setrlimit(RLIMIT_AS, &rlim); rlim.rlim_cur = rlim.rlim_max = 8 << 20; setrlimit(RLIMIT_MEMLOCK, &rlim); rlim.rlim_cur = rlim.rlim_max = 1 << 20; setrlimit(RLIMIT_FSIZE, &rlim); rlim.rlim_cur = rlim.rlim_max = 1 << 20; setrlimit(RLIMIT_STACK, &rlim); rlim.rlim_cur = rlim.rlim_max = 0; setrlimit(RLIMIT_CORE, &rlim); rlim.rlim_cur = rlim.rlim_max = 256; 
setrlimit(RLIMIT_NOFILE, &rlim); } static void loop(); static int do_sandbox_none(void) { sandbox_common(); loop(); return 0; } static long syz_execute_func(volatile long text) { ((void (*)(void))(text))(); return 0; } struct thread_t { int created, call; event_t ready, done; }; static struct thread_t threads[16]; static void execute_call(int call); static int running; static void* thr(void* arg) { struct thread_t* th = (struct thread_t*)arg; for (;;) { event_wait(&th->ready); event_reset(&th->ready); execute_call(th->call); __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED); event_set(&th->done); } return 0; } static void execute_one(void) { int i, call, thread; for (call = 0; call < 13; call++) { for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) { struct thread_t* th = &threads[thread]; if (!th->created) { th->created = 1; event_init(&th->ready); event_init(&th->done); event_set(&th->done); thread_start(thr, th); } if (!event_isset(&th->done)) continue; event_reset(&th->done); th->call = call; __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED); event_set(&th->ready); event_timedwait(&th->done, 45); break; } } for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++) sleep_ms(1); } static void execute_one(void); #define WAIT_FLAGS 0 static void loop(void) { int iter = 0; for (;; iter++) { char cwdbuf[32]; sprintf(cwdbuf, "./%d", iter); if (mkdir(cwdbuf, 0777)) exit(1); int pid = fork(); if (pid < 0) exit(1); if (pid == 0) { if (chdir(cwdbuf)) exit(1); execute_one(); exit(0); } int status = 0; uint64_t start = current_time_ms(); for (;;) { if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) break; sleep_ms(1); if (current_time_ms() - start < 5 * 1000) continue; kill_and_wait(pid, &status); break; } remove_dir(cwdbuf); } } uint64_t r[1] = {0xffffffffffffffff}; void execute_call(int call) { intptr_t res = 0; switch (call) { case 0: memcpy((void*)0x10000000, "./file0\000", 8); syscall(SYS_freebsd12_shm_open, 0x10000000, 
0x800, 0xc9); break; case 1: syscall(SYS_shmdt, 0); break; case 2: memcpy((void*)0x10000140, "\x1a\xe7\x45\xec\xdf\x4d\xdb\x7e\x44\x74\x7b\x1e\xb3\xa3\x61\x85\x5e\xf7\xa8\x74\x8b\x3a\x32\xb4\x7f\xdf\x40\x09\x33\xe0\x69\x30\xef\x3f\xe6\xb0\x88\x37\x3f\x29\x9a\xfa\x26\xd7\xc3\xa6\xa7\x2b\xd7\xc4\x2b\xdf\xf8\xbd\x0d\xbe\x00\xa3\xc7\x43\xda\x0b\xf8\xbf\x75\x59\x8d\x38\x32\xb0\x89\x2b\xfe\x16\x75\x07\x1b\x14\x99\x7e\x47\xcb\xca\x02\x03\x6c\xcd\x95\xa2\xab\x18\x8a\x9c\x7e\x79\x1e\x60\xac\xa1\x0d\x90\x82\xd5\x5b\x00\xdc\x9f\xbb\x38\xdb\x32\x06\x2f\x30\x12\x6f\xa7\xc1\x92\x01\x6e\xaa\x62\x96\xd0\x07\x32\xdc\x64\x91\xb6\x69\xed\x05\xaa\x34\x24\xa9\x64\x12\xad\xb9\xfe\x4f\x55\x4b\x49\x2e\xd2\xea\x1a\xfc\xfa\x66\xeb\x4c\x2e\x3c\x1c\x32\x97\x80\xdd\xb3\x1b\x8f\x54\xa7\x3a\xc0\x65\x25\x69\x45\xd5\x45\x7b\x3e\x70\x33\xc8\xed\x44\xf9\x03\x02\x11\xc7\x1c\xcd\x6d\xaa\xfe\x7e\x7b\xb5\x91\x6c\x63\x66\x11\x79\xd2\xfd\xba\xdf\xed\xb8\x5a\xbf\xa6\x76\x04\x4d\x98\x87\xf4\xd4\x1e\xbb\xbc\xa1\x83\x85\x87\xf0\xb3\x48\xc1\x64\xde\xcc\x4c\xca\xaf\xa5\x73\x37\x2d\x8b\xe6\x2a\x69\xad\xcb\xf9\xd3\x60\xff\xfb\xdf\x29\x53\x0a\x07\x7c\x7e\x9d\x84\x12\x3b\x09\x56\xd1\xaf\xa3\x97\xb6\xc5\x40\x97\xaa\x48\xd7\x3d\x3e\x26\x81\xb6\x5e\x3e\x69\xd0\xcb\x28\x8a\x52\x53\xe7\x42\x2c\x88\x60\x6a\x54\x3e\x32\x03\x8f\x26\x0e\x19\xe0\x3d\xb6\x0d\xa6\xea\x00\x2c\x9f\x20\x58\x71\xd6\x03\x32\x31\x20\x2d\x4a\x21\x5f\xfe\x80\x22\xf4\x9f\xbb\x17\xc6\xcd\xfd\xbc\x13\xda\x45\x99\x15\x9c\x4e\x04\x72\xc5\x4c\xa2\x6e\x14\xd6\x99\x0d\x73\x3e\x45\x54\x0a\xcc\xa6\x3c\x7b\x3a\x21\xd3\x9e\x6e\xfa\x91\x33\x87\x29\x7d\xa5\xf4\x68\x35\x4d\x4c\x99\x87\x8d\x74\x5b\x6c\x92\xb7\x48\xfb\x67\x43\x07\xf4\xb2\x2f\x7d\xf3\x1f\x25\x4c\x0b\x43\xb2\x61\x69\xc2\xe1\xf7\xf0\x80\x85\xf9\xff\x22\xe7\x0f\x00\xf9\x70\x57\x90\xdd\x80\xca\x43\x0d\x5a\xc6\x2a\xa0\xa7\x9d\x1e\x84\x97\x98\x8b\x60\x68\xdb\x2f\xa5\x15\xde\x9e\xb0\x71\x65\x59\x75\x81\x1b\x6a\xb8\xb8\xe0\x53\xa6\x36\x34\x29\xf9\x43\x48\x99\x1e\xaa\x80\xd7\xdc\x42\x3b\xe4\x9e\xba\xb2\xd7\x4f\x
af\x7b\x9f\xff\x03\xf2\xd0\x6c\x28\x6f\xb2\x01\xbe\x54\xc6\xca\x10\xd6\x62\x9f\xbd\x0d\x0e\x14\x32\xe6\x38\xbe\x82\xbd\x3b\xe0\x39\xd7\xe9\x76\x54\x97\x3e\x2c\x7c\x2b\xa6\x5b\x3c\x6e\x77\x76\xfa\x16\xde\xe0\x91\x13\xd8\xa4\x74\x16\xee\x7b\x67\xf2\x7e\xc0\x89\x89\x30\x42\x35\xab\x6f\x3d\xdb\xbb\xc6\xfe\x84\xa5\x8f\x7a\xaf\x50\x85\x3a\xf6\x72\xda\xd5\x3e\x00\x0b\x59\x42\x71\xc3\xc7\x35\x09\xcf\xb2\x92\xc1\xf7\xae\xe7\xaa\x2e\xa7\x72\x1e\x15\xe5\x7a\x3b\x54\xa5\xb0\xe5\xef\xe8\xd9\xdb\x18\x52\xf1\xbb\x94\xf8\xb6\xfd\xd9\x2d\xc1\x8b\x86\xf4\xea\x29\x82\xb6\x3a\xc8\xc1\x21\xb7\x37\x1e\x6c\x6a\xe6\xba\xe0\x44\xff\x5a\xbb\x5a\x7a\x2b\x07\x7e\xd8\x2a\x81\x73\x6d\xd9\x05\xdc\x34\x91\xd0\x48\x73\x71\x4b\x33\x1c\x87\x43\x56\xe3\x28\xf3\x24\x51\xc6\xf4\x56\xf6\xc0\xcd\x2b\x1e\x0c\x81\x9c\x3f\x9a\x9c\x73\x6b\x22\xee\x97\xfa\x00\x1b\x37\x81\x8d\x48\xc4\x3b\x5a\x94\x49\x4d\x5f\xe6\xb9\x72\x51\xc7\x1e\x20\xbc\x7e\x31\x38\xa6\x1c\xe2\x3d\x37\x30\x81\xb5\x99\xd6\x8b\xa3\x6b\x88\xa5\x93\x8b\x11\x7a\x4a\xe1\xc1\x50\x99\xcb\xf9\x01\x76\x25\xfd\xb0\x60\xea\xc5\xe1\xed\x70\x09\x48\x1f\xc5\x84\x09\xae\xcb\xf4\x4b\x4d\x21\xa2\x57\x42\x6c\xac\x67\xa9\xa0\xf5\x06\x2d\x09\xf9\x20\x9a\xc0\x2a\xa3\x87\x8e\x73\x7f\xe8\xe3\xa4\x26\x0f\x1c\x64\xb5\xc5\xcb\x07\x1a\xc1\x25\xaa\x5e\x4e\x35\x94\x43\x68\xc1\xdc\x5e\x0c\xc9\x6a\x11\xd7\x7c\xff\xf5\x39\xef\x38\xa0\x77\x42\x8a\x01\xdc\x21\x74\x8b\x73\x42\xba\xd2\xa2\x61\x4c\x1b\x32\xd5\x0d\x2a\xa9\xba\x9b\x39\x1d\xcc\x58\x24\xf2\x16\x37\xff\x62\x94\xb5\xdc\xfb\x6f\xc2\xa8\xbb\x0b\x2e\xa2\x51\x48\x68\xf0\x82\xb7\xd2\x43\x35\xf7\x2b\xf1\x30\xac\xc7\xf6\x89\x72\x59\x39\x4e\xa8\x22\x05\xfe\xc9\xad\x75\xa0\x88\xc1\x20\x0a\x94\xea\xac\x0a\x8b\x05\xaf\x97\x6f\x1a\x4a\x98\x3e\x8d\xbe\xe9\xa0\x3a\x21\x5e\x15\xe1\x8e\x19\x58\xda\x32\x7c\x54\xea\x41\x1f\x76\xa3\x7c\x54\x49\xd1\x64\xb6\xe2\xa9\x15\x19\xf0\x82\x0c\x1c\xc4\xbd\x8a\x3e\xf9\x52\x1a\xb1\xdc\xe8\xa1\xe5\x30\x6f\x91\x05\x0e\xd6\xb4\x44\xf5\xcc\x8d\x19\x45\x26\x3b\x86\xc9\x99\x08\x8d\x10\xbf\xc1\xb0\x53\x43\x
a7\xae\xdd\x9a\x84\x18\x8b\x84\xca\x09\x43\x0e\x32\xf7\x36\x23\xd1\xa0\xfb\xcf\x18\x6e\xfc\x11\x3e\x44\xb9\xf0\x46\x0c\xb9\xd8\x5f\x19\x23\xcb\xbc\xd1\x6d\xf5\x02\x47\x41\xad\x93\x0a\xa8\x3b", 1024); memcpy((void*)0x10000540, "\xa1\x6d\x9b\x50\xc6\x73\x92\x4a\x48\x93\x24\xb1\xa0\x91\xac\xfa\x28\x06\xd3\x2c\xa4\x52\x1d\x98\x54\x09\x7f\x84\x9d\x80\x1f\x7d", 32); *(uint32_t*)0x10000560 = 0xf55; *(uint8_t*)0x10000564 = -1; *(uint32_t*)0x10000568 = 0x10000040; memcpy((void*)0x10000040, "\x0b\xa5\xf6\x76\x37\xb2\xcc\x89\x9f\xb4\x3f\x77\x46\x7c\xd2\x48\x4a\xe4\x3d\x75\x01\x0e\x98\x6c\x71\x22\x7d\xd2\x93\x1a\x38\xbe\xed\x82\x72\xdc\x4e\x16\x5f\xd2\x50\x0e\xe8\xd9\xe9\x4d\x1b\x28\xeb\xee\x4e\x17\x48\x9c\x1a\xc7\x43\x7f\xce\x62\x48\xe6\x1b\xd9\x6b\x41\xdf\xab\x13\xb9\x74\x49\xfb\xe3\x69\x90\xde\xcd\x75\x3c\xa4\x68\x3b\x9f\x0c\x66\xb0\x85\x44\x3b\x32\x44\x81\x78\x89\x6c\xae\x1b\x56\xf2\x80\xff\x82\xb1\xd6\x43\xf0\x10\xa7\xa2\x85\xc8\x3f\x85\x61\x23\xc6\x09\x57\x04\xf1\xde\xd1\xfa\xf9\xb6\x54\x9e\xbb\x84\x2e\x6b\xe2\x3d\xa0\x15\x7a\xba\x64\x6c\xbb\xdd\xa1\xa5\xc7\x12\x23\x9c\x6a\x38\x53\x27\xc6\x0e\xd3\xb1\x5f\xb3\x48\xfa\x8a\x26\x95\x42\x23\x14\x34\x94\x8f\x98\xec\x31\xc7\xb1\x81\xb4\xba\xce\x16\xe8\xd4\xf7\x3b\x54\x77\x2a\xb9\x3a\x8c\x06\xfa\x94\x1f\x20\xdf\x62\x53\x08\xfe\x12\xe4\x0f\x52\x8d\x55\x18\xf9\xb6\x96\x37\xdf\xc0\x04\xf0\x03\x63\x78\x2f\x21\x52\x6d\x76\xa6\x70\x74\xef\xcc\x81\x09\x39\xc4\x59", 232); *(uint64_t*)0x1000056c = 0x10001; *(uint64_t*)0x10000574 = 0xd6a4; *(uint64_t*)0x1000057c = 0x6781; *(uint64_t*)0x10000584 = 5; *(uint64_t*)0x1000058c = 0; *(uint64_t*)0x10000594 = 3; *(uint64_t*)0x1000059c = 1; *(uint32_t*)0x100005a4 = 0x100; syscall(SYS_ioctl, -1, 0xc450443e, 0x10000140); break; case 3: memcpy((void*)0x100005c0, 
"\x93\x9d\x74\xa0\x8d\x50\xea\xdd\xab\xaf\x8e\x73\x9e\x2b\x76\xf3\x2d\xda\x63\x62\x74\x10\xe5\x5b\x37\xf9\x04\xf8\x5f\x2a\x4d\x8e\xae\x18\x23\x42\xad\x13\xf8\x75\x97\xd2\xae\x0b\xab\x40\xaa\xc1\x55\xaf\x85\xeb\x43\xbe\xdf\xa0\x4d\xa9\xac\xe9\x73\x25\xf4\x92\xba\xef\xea\xc8\x18\xab\xf5\x71\xaf\xc7\xfc\xa0\x76\x10\x3f\x6f\x2b\x33\x25\xa6\xcb\xe7\xae\x16\x73\x16\xb9\xb0\x39\xd7\xa6\xed\xa3\x11\x48\x70\xfb\x90\x8f\xc5\x17\x52\xc0\xf4\x73\x96\xa3\x3d\x2e\xad\x7f\x90\xeb\x30\xf5\x62\x6b\xaf\xfa\x4e\xc8\x62\x86\x72\xba\xa7\x4e\x1a\x67\x9a\xe4\xbd\x75\xcc\x3d\xd3\xd0\x99\xd8\x60\xf7\x22\x63\x44\x23\x64\x23\x01\x0d\xb4\x6e\xb6\xed\xad\xcd\xbf\xe1\x09\x5b\xe6\x36\x23\x01\x2a\xf3\x6e\xdf\xd0\xcb\x74\x8a\x9f\x42\xe8\xa3\xaa\x39\x10\x61\x6f\x6f\xcc\xbb\x9c\x23\x09\xa5\xa8\x07\xf4\xe1", 195); syscall(SYS_ioctl, -1, 0xc088444f, 0x100005c0); break; case 4: *(uint32_t*)0x10000700 = 4; syscall(SYS_getsockopt, -1, 0x29, 0x13, 0x100006c0, 0x10000700); break; case 5: res = syscall(SYS_socket, 2, 0x10000000, 5); if (res != -1) r[0] = res; break; case 6: *(uint32_t*)0x10000780 = 4; syscall(SYS_getsockopt, (intptr_t)r[0], 0x84, 5, 0x10000740, 0x10000780); break; case 7: *(uint32_t*)0x100007c0 = 0; *(uint16_t*)0x100007c4 = 0xfff; syscall(SYS_setsockopt, (intptr_t)r[0], 0x84, 0x15, 0x100007c0, 8); break; case 8: *(uint32_t*)0x10000800 = 0x40; *(uint32_t*)0x10000804 = 2; syscall(SYS_setsockopt, (intptr_t)r[0], 0xffff, 0x1005, 0x10000800, 8); break; case 9: *(uint8_t*)0x10000840 = 0x1c; *(uint8_t*)0x10000841 = 0x1c; *(uint16_t*)0x10000842 = htobe16(0x4e21); *(uint32_t*)0x10000844 = 0xffff02b3; *(uint8_t*)0x10000848 = -1; *(uint8_t*)0x10000849 = 2; *(uint8_t*)0x1000084a = 0; *(uint8_t*)0x1000084b = 0; *(uint8_t*)0x1000084c = 0; *(uint8_t*)0x1000084d = 0; *(uint8_t*)0x1000084e = 0; *(uint8_t*)0x1000084f = 0; *(uint8_t*)0x10000850 = 0; *(uint8_t*)0x10000851 = 0; *(uint8_t*)0x10000852 = 0; *(uint8_t*)0x10000853 = 0; *(uint8_t*)0x10000854 = 0; *(uint8_t*)0x10000855 = 0; *(uint8_t*)0x10000856 = 0; 
*(uint8_t*)0x10000857 = 1; *(uint32_t*)0x10000858 = 3; *(uint64_t*)0x1000085c = 0; *(uint64_t*)0x10000864 = 0; *(uint64_t*)0x1000086c = 0; *(uint64_t*)0x10000874 = 0; *(uint64_t*)0x1000087c = 0; *(uint64_t*)0x10000884 = 0; *(uint64_t*)0x1000088c = 0; *(uint64_t*)0x10000894 = 0; *(uint64_t*)0x1000089c = 0; *(uint64_t*)0x100008a4 = 0; *(uint64_t*)0x100008ac = 0; *(uint64_t*)0x100008b4 = 0; *(uint32_t*)0x100008bc = 0; syscall(SYS_setsockopt, (intptr_t)r[0], 0x84, 6, 0x10000840, 0x80); break; case 10: *(uint8_t*)0x10000000 = 0xaa; *(uint8_t*)0x10000001 = 0xaa; *(uint8_t*)0x10000002 = 0xaa; *(uint8_t*)0x10000003 = 0xaa; *(uint8_t*)0x10000004 = 0xaa; *(uint8_t*)0x10000005 = 0xaa; memcpy((void*)0x10000006, "\x14\x70\xd7\xfc\xe0\x4b", 6); *(uint16_t*)0x1000000c = htobe16(0x8100); STORE_BY_BITMASK(uint16_t, , 0x1000000e, 6, 0, 3); STORE_BY_BITMASK(uint16_t, , 0x1000000e, 1, 3, 1); STORE_BY_BITMASK(uint16_t, , 0x1000000e, 8, 4, 12); *(uint16_t*)0x10000010 = htobe16(0x806); *(uint16_t*)0x10000012 = htobe16(0x18); *(uint16_t*)0x10000014 = htobe16(0x8100); *(uint8_t*)0x10000016 = 6; *(uint8_t*)0x10000017 = 7; *(uint16_t*)0x10000018 = htobe16(8); *(uint8_t*)0x1000001a = -1; *(uint8_t*)0x1000001b = -1; *(uint8_t*)0x1000001c = -1; *(uint8_t*)0x1000001d = -1; *(uint8_t*)0x1000001e = -1; *(uint8_t*)0x1000001f = -1; memcpy((void*)0x10000020, "\x76\x45\x66\xc7\x98\x12\xc1", 7); *(uint8_t*)0x10000027 = -1; *(uint8_t*)0x10000028 = -1; *(uint8_t*)0x10000029 = -1; *(uint8_t*)0x1000002a = -1; *(uint8_t*)0x1000002b = -1; *(uint8_t*)0x1000002c = -1; memcpy((void*)0x1000002d, "\xbf\x12\xd9\x2c\xdf\xdf\x96\x3f\xc3\xd5\xdf\x8a\x58\x08\x19\xc1", 16); break; case 11: memcpy((void*)0x10000040, "\xc0\xf6\xaa\xf0\x83\x08\x4c\xc4\xc2\x7d\x1a\x05\x1b\x00\x00\x00\xc4\xe1\x2f\x59\x9e\x00\x80\x00\x00\xc4\xe1\xb9\xf2\x53\x00\x7c\x03\xdb\xe0\xc4\xc1\x31\x6d\x80\x00\x00\x00\x80\x3e\x66\x0f\x38\x07\xa9\x00\x00\x80\x10\xc4\xe1\x6f\xd0\x16", 59); syz_execute_func(0x10000040); break; case 12: break; } } int 
main(void) { syscall(SYS_mmap, 0x10000000, 0x1000000, 7, 0x1012, -1, 0); use_temporary_dir(); do_sandbox_none(); return 0; } :309:11: error: use of undeclared identifier 'SYS_freebsd12_shm_open' syscall(SYS_freebsd12_shm_open, 0x10000000, 0x800, 0xc9); ^ 1 error generated. compiler invocation: clang [-o /tmp/syz-executor142284242 -DGOOS_freebsd=1 -DGOARCH_386=1 -DHOSTGOOS_freebsd=1 -x c - -m32 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -static -lc++ -Wno-overflow] --- FAIL: TestGenerate/freebsd/386/8 (2.28s) csource_test.go:123: opts: {Threaded:true Collide:false Repeat:true RepeatTimes:0 Procs:0 Sandbox:setuid Fault:false FaultCall:0 FaultNth:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false USB:false VhciInjection:false Wifi:false Sysctl:false UseTmpDir:true HandleSegv:false Repro:false Trace:false} program: freebsd12_shm_open(&(0x7f0000000000)='./file0\x00', 0x800, 0xc9) shmdt(0x0) ioctl$DIOCRDELTABLES(0xffffffffffffffff, 0xc450443e, &(0x7f0000000140)={{"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", "a16d9b50c673924a489324b1a091acfa2806d32ca4521d9854097f849d801f7d", 0xf55, 0xff}, &(0x7f0000000040)="0ba5f67637b2cc899fb43f77467cd2484ae43d75010e986c71227dd2931a38beed8272dc4e165fd2500ee8d9e94d1b28ebee4e17489c1ac7437fce6248e61bd96b41dfab13b97449fbe36990decd753ca4683b9f0c66b085443b32448178896cae1b56f280ff82b1d643f010a7a285c83f856123c6095704f1ded1faf9b6549ebb842e6be23da0157aba646cbbdda1a5c712239c6a385327c60ed3b15fb348fa8a269542231434948f98ec31c7b181b4bace16e8d4f73b54772ab93a8c06fa941f20df625308fe12e40f528d5518f9b69637dfc004f00363782f21526d76a67074efcc810939c459", 0x10001, 0xd6a4, 0x6781, 0x5, 0x0, 0x3, 0x1, 0x100}) ioctl$DIOCOSFPADD(0xffffffffffffffff, 0xc088444f, 
&(0x7f00000005c0)="939d74a08d50eaddabaf8e739e2b76f32dda63627410e55b37f904f85f2a4d8eae182342ad13f87597d2ae0bab40aac155af85eb43bedfa04da9ace97325f492baefeac818abf571afc7fca076103f6f2b3325a6cbe7ae167316b9b039d7a6eda3114870fb908fc51752c0f47396a33d2ead7f90eb30f5626baffa4ec8628672baa74e1a679ae4bd75cc3dd3d099d860f7226344236423010db46eb6edadcdbfe1095be63623012af36edfd0cb748a9f42e8a3aa3910616f6fccbb9c2309a5a807f4e1") getsockopt$inet6_int(0xffffffffffffffff, 0x29, 0x13, &(0x7f00000006c0), &(0x7f0000000700)=0x4) r0 = socket$inet(0x2, 0x10000000, 0x5) getsockopt$inet_sctp_SCTP_AUTOCLOSE(r0, 0x84, 0x5, &(0x7f0000000740), &(0x7f0000000780)=0x4) setsockopt$inet_sctp_SCTP_AUTH_ACTIVE_KEY(r0, 0x84, 0x15, &(0x7f00000007c0)={0x0, 0xfff}, 0x8) setsockopt$sock_timeval(r0, 0xffff, 0x1005, &(0x7f0000000800)={0x40, 0x2}, 0x8) setsockopt$inet_sctp_SCTP_SET_PEER_PRIMARY_ADDR(r0, 0x84, 0x6, &(0x7f0000000840)={@in6={{0x1c, 0x1c, 0x1, 0xffff02b3, @mcast2, 0x3}}}, 0x80) syz_emit_ethernet(0x3d, &(0x7f0000000000)={@local, @random="1470d7fce04b", [{[], {0x8100, 0x6, 0x1, 0x8}}], {@arp={0x806, @generic={0x18, 0x8100, 0x6, 0x7, 0x8, @broadcast, "764566c79812c1", @broadcast, "bf12d92cdfdf963fc3d5df8a580819c1"}}}}) syz_execute_func(&(0x7f0000000040)="c0f6aaf083084cc4c27d1a051b000000c4e12f599e00800000c4e1b9f253007c03dbe0c4c1316d80000000803e660f3807a900008010c4e16fd016") syz_extract_tcp_res(&(0x7f0000000080), 0x9, 0x2) csource_test.go:124: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include static void kill_and_wait(int pid, int* status) { kill(pid, SIGKILL); while (waitpid(-1, status, 0) != pid) { } } static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return 
(uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}

/*
 * Creates a fresh working directory from the "./syzkaller.XXXXXX" template
 * and makes it the current directory. Any failure terminates the process.
 */
static void use_temporary_dir(void)
{
    char tmpdir_template[] = "./syzkaller.XXXXXX";
    char* tmpdir = mkdtemp(tmpdir_template);
    if (!tmpdir)
        exit(1);
    /* Mode 0777 makes the directory accessible to every local user. */
    if (chmod(tmpdir, 0777))
        exit(1);
    if (chdir(tmpdir))
        exit(1);
}

/*
 * Recursively deletes the directory `dir` and everything below it.
 * Every failing filesystem call ends the process with exit(1).
 */
static void __attribute__((noinline)) remove_dir(const char* dir)
{
    DIR* dp = opendir(dir);
    if (dp == NULL) {
        /* An unreadable directory is removed directly, without listing it. */
        if (errno == EACCES) {
            if (rmdir(dir))
                exit(1);
            return;
        }
        exit(1);
    }
    struct dirent* ep = 0;
    while ((ep = readdir(dp))) {
        if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0)
            continue;
        char filename[FILENAME_MAX];
        /* NOTE(review): the snprintf result is not checked, so a truncated
         * path is passed on to lstat() as-is. */
        snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name);
        struct stat st;
        /* lstat() does not follow symbolic links, so a link that points at a
         * directory is unlinked below instead of being descended into. */
        if (lstat(filename, &st))
            exit(1);
        if (S_ISDIR(st.st_mode)) {
            remove_dir(filename);
            continue;
        }
        if (unlink(filename))
            exit(1);
    }
    closedir(dp);
    if (rmdir(dir))
        exit(1);
}

/*
 * Starts a thread running fn(arg) with a 128 KiB stack (128 << 10).
 * Makes up to 100 attempts and exits the process if none succeeds.
 */
static void thread_start(void* (*fn)(void*), void* arg)
{
    pthread_t th;
    pthread_attr_t attr;
    pthread_attr_init(&attr);
    pthread_attr_setstacksize(&attr, 128 << 10);
    int i = 0;
    for (; i < 100; i++) {
        if (pthread_create(&th, &attr, fn, arg) == 0) {
            pthread_attr_destroy(&attr);
            return;
        }
        /* NOTE(review): POSIX has pthread_create() report failure through its
         * return value; this retry decision reads errno instead - confirm. */
        if (errno == EAGAIN) {
            usleep(50);
            continue;
        }
        break;
    }
    exit(1);
}

/* A one-shot flag (`state`) guarded by a mutex and signalled via a condition variable. */
typedef struct {
    pthread_mutex_t mu;
    pthread_cond_t cv;
    int state;
} event_t;

/* Initialises the mutex and condition variable and clears the flag; exits on failure. */
static void event_init(event_t* ev)
{
    if (pthread_mutex_init(&ev->mu, 0))
        exit(1);
    if (pthread_cond_init(&ev->cv, 0))
        exit(1);
    ev->state = 0;
}

/* Clears the flag. The write is done without taking ev->mu. */
static void event_reset(event_t* ev)
{
    ev->state = 0;
}

/* Sets the flag and wakes all waiters; setting an already-set event exits the process. */
static void event_set(event_t* ev)
{
    pthread_mutex_lock(&ev->mu);
    if (ev->state)
        exit(1);
    ev->state = 1;
    pthread_mutex_unlock(&ev->mu);
    pthread_cond_broadcast(&ev->cv);
}

/* Blocks until the flag is set; the while loop re-checks it after every wakeup. */
static void event_wait(event_t* ev)
{
    pthread_mutex_lock(&ev->mu);
    while (!ev->state)
        pthread_cond_wait(&ev->cv, &ev->mu);
    pthread_mutex_unlock(&ev->mu);
}

/* Returns the current value of the flag, read under the mutex. */
static int event_isset(event_t* ev)
{
    pthread_mutex_lock(&ev->mu);
    int res = ev->state;
    pthread_mutex_unlock(&ev->mu);
    return res;
}

/* The definition below continues on the following line of the log. */
static int event_timedwait(event_t* ev,
uint64_t timeout)
{
    /*
     * Body of event_timedwait (its signature starts on the previous line of
     * the log): waits until the event is set or roughly `timeout`
     * milliseconds have elapsed, and returns the flag value seen last.
     */
    uint64_t start = current_time_ms();
    uint64_t now = start;
    pthread_mutex_lock(&ev->mu);
    for (;;) {
        if (ev->state)
            break;
        uint64_t remain = timeout - (now - start);
        struct timespec ts;
        ts.tv_sec = remain / 1000;
        ts.tv_nsec = (remain % 1000) * 1000 * 1000;
        /* NOTE(review): ts holds the remaining duration, while POSIX defines
         * the third argument of pthread_cond_timedwait() as an absolute
         * time; as written this probably times out at once and the loop
         * polls until the deadline check below fires - confirm. */
        pthread_cond_timedwait(&ev->cv, &ev->mu, &ts);
        now = current_time_ms();
        if (now - start > timeout)
            break;
    }
    int res = ev->state;
    pthread_mutex_unlock(&ev->mu);
    return res;
}

/* Mask with bf_len one-bits starting at bit bf_off. */
#define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off))
/* Read-modify-write of a bit-field inside *(type*)addr; `htobe` is applied
 * both when loading and when storing, and may be passed empty. */
#define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len))))

/*
 * Containment shared by the sandbox modes: starts a new session and lowers
 * the resource limits of the process.
 * NOTE(review): only setsid() is checked; a failing setrlimit() call is
 * ignored and the program continues without that limit.
 */
static void sandbox_common()
{
    if (setsid() == -1)
        exit(1);
    struct rlimit rlim;
    /* Address space: 128 MiB. */
    rlim.rlim_cur = rlim.rlim_max = 128 << 20;
    setrlimit(RLIMIT_AS, &rlim);
    /* Locked memory: 8 MiB. */
    rlim.rlim_cur = rlim.rlim_max = 8 << 20;
    setrlimit(RLIMIT_MEMLOCK, &rlim);
    /* File size: 1 MiB. */
    rlim.rlim_cur = rlim.rlim_max = 1 << 20;
    setrlimit(RLIMIT_FSIZE, &rlim);
    /* Stack: 1 MiB. */
    rlim.rlim_cur = rlim.rlim_max = 1 << 20;
    setrlimit(RLIMIT_STACK, &rlim);
    /* Core dumps disabled. */
    rlim.rlim_cur = rlim.rlim_max = 0;
    setrlimit(RLIMIT_CORE, &rlim);
    /* Open file descriptors: 256. */
    rlim.rlim_cur = rlim.rlim_max = 256;
    setrlimit(RLIMIT_NOFILE, &rlim);
}

static void loop();

/*
 * Waits until the child `pid` is reported by waitpid() and returns its exit
 * status. A negative pid (failed fork) exits the process.
 * NOTE(review): WEXITSTATUS is applied without a WIFEXITED check, although
 * WUNTRACED also reports stopped children.
 */
static int wait_for_loop(int pid)
{
    if (pid < 0)
        exit(1);
    int status = 0;
    while (waitpid(-1, &status, WUNTRACED) != pid) {
    }
    return WEXITSTATUS(status);
}

/*
 * Runs loop() in a forked child after dropping privileges to the "nobody"
 * account; the parent only waits for that child.
 */
static int do_sandbox_setuid(void)
{
    int pid = fork();
    if (pid != 0)
        return wait_for_loop(pid);
    sandbox_common();
    char pwbuf[1024];
    struct passwd *pw, pwres;
    if (getpwnam_r("nobody", &pwres, pwbuf, sizeof(pwbuf), &pw) != 0 || !pw)
        exit(1);
    /* Supplementary groups and the gid are dropped before the uid, while the
     * process still has the privilege to change them; each step is checked. */
    if (setgroups(0, NULL))
        exit(1);
    if (setgid(pw->pw_gid))
        exit(1);
    if (setuid(pw->pw_uid))
        exit(1);
    loop();
    exit(1);
}

/*
 * Treats `text` as the address of a function taking no arguments and calls
 * it, so whatever bytes are stored at that address run as code inside this
 * process. Always returns 0.
 */
static long syz_execute_func(volatile long text)
{
    ((void (*)(void))(text))();
    return 0;
}

/* Per-worker state: creation flag, the call index to run, and two events. */
struct thread_t {
    int created, call;
    event_t ready, done;
};

/* Fixed pool of 16 worker slots. */
static struct thread_t threads[16];
static void execute_call(int call);
/* The declaration below continues on the following line of the log. */
static int
running;

/*
 * Worker thread body: waits for `ready`, runs the call stored in th->call,
 * decrements the global `running` counter and signals `done`. Never leaves
 * the loop.
 */
static void* thr(void* arg)
{
    struct thread_t* th = (struct thread_t*)arg;
    for (;;) {
        event_wait(&th->ready);
        event_reset(&th->ready);
        execute_call(th->call);
        __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED);
        event_set(&th->done);
    }
    return 0;
}

/*
 * Dispatches calls 0..12 to the worker pool, one call per idle worker,
 * creating workers on first use.
 */
static void execute_one(void)
{
    int i, call, thread;
    for (call = 0; call < 13; call++) {
        for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) {
            struct thread_t* th = &threads[thread];
            if (!th->created) {
                th->created = 1;
                event_init(&th->ready);
                event_init(&th->done);
                /* A new worker starts out idle: `done` is pre-set. */
                event_set(&th->done);
                thread_start(thr, th);
            }
            /* A worker whose previous call has not finished is skipped; if
             * all 16 are busy, this call is not dispatched at all. */
            if (!event_isset(&th->done))
                continue;
            event_reset(&th->done);
            th->call = call;
            __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED);
            event_set(&th->ready);
            /* Wait up to 45 ms for the call before moving to the next one. */
            event_timedwait(&th->done, 45);
            break;
        }
    }
    /* Grace period: up to 100 polls of 1 ms for outstanding calls. */
    for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++)
        sleep_ms(1);
}

static void execute_one(void);

#define WAIT_FLAGS 0

/*
 * Endless driver loop: each iteration creates a directory "./<iter>", runs
 * execute_one() in a forked child inside it, waits for the child for up to
 * 5 seconds, then removes the directory.
 */
static void loop(void)
{
    int iter = 0;
    for (;; iter++) {
        char cwdbuf[32];
        /* NOTE(review): unbounded sprintf; "./" plus a decimal int fits in
         * 32 bytes assuming a 32-bit int. */
        sprintf(cwdbuf, "./%d", iter);
        if (mkdir(cwdbuf, 0777))
            exit(1);
        int pid = fork();
        if (pid < 0)
            exit(1);
        if (pid == 0) {
            if (chdir(cwdbuf))
                exit(1);
            execute_one();
            exit(0);
        }
        int status = 0;
        uint64_t start = current_time_ms();
        for (;;) {
            /* Non-blocking wait on any child, polled once per millisecond. */
            if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
                break;
            sleep_ms(1);
            if (current_time_ms() - start < 5 * 1000)
                continue;
            /* The child exceeded the 5 second budget. */
            kill_and_wait(pid, &status);
            break;
        }
        remove_dir(cwdbuf);
    }
}

/* Single result slot, initialised to all-ones; presumably filled by a later
 * case of execute_call and reused as a descriptor - confirm. */
uint64_t r[1] = {0xffffffffffffffff};

/*
 * Executes call number `call` of the generated program. Arguments are
 * written to fixed addresses from 0x10000000 upward, the region main() maps
 * with SYS_mmap. The switch continues on the following lines of the log.
 */
void execute_call(int call)
{
    intptr_t res = 0;
    switch (call) {
    case 0:
        memcpy((void*)0x10000000, "./file0\000", 8);
        /* This is the line the compiler rejects in the log:
         * SYS_freebsd12_shm_open is an undeclared identifier. */
        syscall(SYS_freebsd12_shm_open, 0x10000000, 0x800, 0xc9);
        break;
    case 1:
        syscall(SYS_shmdt, 0);
        break;
    case 2:
        memcpy((void*)0x10000140,
"\x1a\xe7\x45\xec\xdf\x4d\xdb\x7e\x44\x74\x7b\x1e\xb3\xa3\x61\x85\x5e\xf7\xa8\x74\x8b\x3a\x32\xb4\x7f\xdf\x40\x09\x33\xe0\x69\x30\xef\x3f\xe6\xb0\x88\x37\x3f\x29\x9a\xfa\x26\xd7\xc3\xa6\xa7\x2b\xd7\xc4\x2b\xdf\xf8\xbd\x0d\xbe\x00\xa3\xc7\x43\xda\x0b\xf8\xbf\x75\x59\x8d\x38\x32\xb0\x89\x2b\xfe\x16\x75\x07\x1b\x14\x99\x7e\x47\xcb\xca\x02\x03\x6c\xcd\x95\xa2\xab\x18\x8a\x9c\x7e\x79\x1e\x60\xac\xa1\x0d\x90\x82\xd5\x5b\x00\xdc\x9f\xbb\x38\xdb\x32\x06\x2f\x30\x12\x6f\xa7\xc1\x92\x01\x6e\xaa\x62\x96\xd0\x07\x32\xdc\x64\x91\xb6\x69\xed\x05\xaa\x34\x24\xa9\x64\x12\xad\xb9\xfe\x4f\x55\x4b\x49\x2e\xd2\xea\x1a\xfc\xfa\x66\xeb\x4c\x2e\x3c\x1c\x32\x97\x80\xdd\xb3\x1b\x8f\x54\xa7\x3a\xc0\x65\x25\x69\x45\xd5\x45\x7b\x3e\x70\x33\xc8\xed\x44\xf9\x03\x02\x11\xc7\x1c\xcd\x6d\xaa\xfe\x7e\x7b\xb5\x91\x6c\x63\x66\x11\x79\xd2\xfd\xba\xdf\xed\xb8\x5a\xbf\xa6\x76\x04\x4d\x98\x87\xf4\xd4\x1e\xbb\xbc\xa1\x83\x85\x87\xf0\xb3\x48\xc1\x64\xde\xcc\x4c\xca\xaf\xa5\x73\x37\x2d\x8b\xe6\x2a\x69\xad\xcb\xf9\xd3\x60\xff\xfb\xdf\x29\x53\x0a\x07\x7c\x7e\x9d\x84\x12\x3b\x09\x56\xd1\xaf\xa3\x97\xb6\xc5\x40\x97\xaa\x48\xd7\x3d\x3e\x26\x81\xb6\x5e\x3e\x69\xd0\xcb\x28\x8a\x52\x53\xe7\x42\x2c\x88\x60\x6a\x54\x3e\x32\x03\x8f\x26\x0e\x19\xe0\x3d\xb6\x0d\xa6\xea\x00\x2c\x9f\x20\x58\x71\xd6\x03\x32\x31\x20\x2d\x4a\x21\x5f\xfe\x80\x22\xf4\x9f\xbb\x17\xc6\xcd\xfd\xbc\x13\xda\x45\x99\x15\x9c\x4e\x04\x72\xc5\x4c\xa2\x6e\x14\xd6\x99\x0d\x73\x3e\x45\x54\x0a\xcc\xa6\x3c\x7b\x3a\x21\xd3\x9e\x6e\xfa\x91\x33\x87\x29\x7d\xa5\xf4\x68\x35\x4d\x4c\x99\x87\x8d\x74\x5b\x6c\x92\xb7\x48\xfb\x67\x43\x07\xf4\xb2\x2f\x7d\xf3\x1f\x25\x4c\x0b\x43\xb2\x61\x69\xc2\xe1\xf7\xf0\x80\x85\xf9\xff\x22\xe7\x0f\x00\xf9\x70\x57\x90\xdd\x80\xca\x43\x0d\x5a\xc6\x2a\xa0\xa7\x9d\x1e\x84\x97\x98\x8b\x60\x68\xdb\x2f\xa5\x15\xde\x9e\xb0\x71\x65\x59\x75\x81\x1b\x6a\xb8\xb8\xe0\x53\xa6\x36\x34\x29\xf9\x43\x48\x99\x1e\xaa\x80\xd7\xdc\x42\x3b\xe4\x9e\xba\xb2\xd7\x4f\xaf\x7b\x9f\xff\x03\xf2\xd0\x6c\x28\x6f\xb2\x01\xbe\x54\xc6\xca\x10\xd6\x62\x9f\xbd\x0d\x0e\x1
4\x32\xe6\x38\xbe\x82\xbd\x3b\xe0\x39\xd7\xe9\x76\x54\x97\x3e\x2c\x7c\x2b\xa6\x5b\x3c\x6e\x77\x76\xfa\x16\xde\xe0\x91\x13\xd8\xa4\x74\x16\xee\x7b\x67\xf2\x7e\xc0\x89\x89\x30\x42\x35\xab\x6f\x3d\xdb\xbb\xc6\xfe\x84\xa5\x8f\x7a\xaf\x50\x85\x3a\xf6\x72\xda\xd5\x3e\x00\x0b\x59\x42\x71\xc3\xc7\x35\x09\xcf\xb2\x92\xc1\xf7\xae\xe7\xaa\x2e\xa7\x72\x1e\x15\xe5\x7a\x3b\x54\xa5\xb0\xe5\xef\xe8\xd9\xdb\x18\x52\xf1\xbb\x94\xf8\xb6\xfd\xd9\x2d\xc1\x8b\x86\xf4\xea\x29\x82\xb6\x3a\xc8\xc1\x21\xb7\x37\x1e\x6c\x6a\xe6\xba\xe0\x44\xff\x5a\xbb\x5a\x7a\x2b\x07\x7e\xd8\x2a\x81\x73\x6d\xd9\x05\xdc\x34\x91\xd0\x48\x73\x71\x4b\x33\x1c\x87\x43\x56\xe3\x28\xf3\x24\x51\xc6\xf4\x56\xf6\xc0\xcd\x2b\x1e\x0c\x81\x9c\x3f\x9a\x9c\x73\x6b\x22\xee\x97\xfa\x00\x1b\x37\x81\x8d\x48\xc4\x3b\x5a\x94\x49\x4d\x5f\xe6\xb9\x72\x51\xc7\x1e\x20\xbc\x7e\x31\x38\xa6\x1c\xe2\x3d\x37\x30\x81\xb5\x99\xd6\x8b\xa3\x6b\x88\xa5\x93\x8b\x11\x7a\x4a\xe1\xc1\x50\x99\xcb\xf9\x01\x76\x25\xfd\xb0\x60\xea\xc5\xe1\xed\x70\x09\x48\x1f\xc5\x84\x09\xae\xcb\xf4\x4b\x4d\x21\xa2\x57\x42\x6c\xac\x67\xa9\xa0\xf5\x06\x2d\x09\xf9\x20\x9a\xc0\x2a\xa3\x87\x8e\x73\x7f\xe8\xe3\xa4\x26\x0f\x1c\x64\xb5\xc5\xcb\x07\x1a\xc1\x25\xaa\x5e\x4e\x35\x94\x43\x68\xc1\xdc\x5e\x0c\xc9\x6a\x11\xd7\x7c\xff\xf5\x39\xef\x38\xa0\x77\x42\x8a\x01\xdc\x21\x74\x8b\x73\x42\xba\xd2\xa2\x61\x4c\x1b\x32\xd5\x0d\x2a\xa9\xba\x9b\x39\x1d\xcc\x58\x24\xf2\x16\x37\xff\x62\x94\xb5\xdc\xfb\x6f\xc2\xa8\xbb\x0b\x2e\xa2\x51\x48\x68\xf0\x82\xb7\xd2\x43\x35\xf7\x2b\xf1\x30\xac\xc7\xf6\x89\x72\x59\x39\x4e\xa8\x22\x05\xfe\xc9\xad\x75\xa0\x88\xc1\x20\x0a\x94\xea\xac\x0a\x8b\x05\xaf\x97\x6f\x1a\x4a\x98\x3e\x8d\xbe\xe9\xa0\x3a\x21\x5e\x15\xe1\x8e\x19\x58\xda\x32\x7c\x54\xea\x41\x1f\x76\xa3\x7c\x54\x49\xd1\x64\xb6\xe2\xa9\x15\x19\xf0\x82\x0c\x1c\xc4\xbd\x8a\x3e\xf9\x52\x1a\xb1\xdc\xe8\xa1\xe5\x30\x6f\x91\x05\x0e\xd6\xb4\x44\xf5\xcc\x8d\x19\x45\x26\x3b\x86\xc9\x99\x08\x8d\x10\xbf\xc1\xb0\x53\x43\xa7\xae\xdd\x9a\x84\x18\x8b\x84\xca\x09\x43\x0e\x32\xf7\x36\x23\xd1\xa0\xfb\xcf\x18\x6e\xfc\x1
1\x3e\x44\xb9\xf0\x46\x0c\xb9\xd8\x5f\x19\x23\xcb\xbc\xd1\x6d\xf5\x02\x47\x41\xad\x93\x0a\xa8\x3b", 1024); memcpy((void*)0x10000540, "\xa1\x6d\x9b\x50\xc6\x73\x92\x4a\x48\x93\x24\xb1\xa0\x91\xac\xfa\x28\x06\xd3\x2c\xa4\x52\x1d\x98\x54\x09\x7f\x84\x9d\x80\x1f\x7d", 32); *(uint32_t*)0x10000560 = 0xf55; *(uint8_t*)0x10000564 = -1; *(uint32_t*)0x10000568 = 0x10000040; memcpy((void*)0x10000040, "\x0b\xa5\xf6\x76\x37\xb2\xcc\x89\x9f\xb4\x3f\x77\x46\x7c\xd2\x48\x4a\xe4\x3d\x75\x01\x0e\x98\x6c\x71\x22\x7d\xd2\x93\x1a\x38\xbe\xed\x82\x72\xdc\x4e\x16\x5f\xd2\x50\x0e\xe8\xd9\xe9\x4d\x1b\x28\xeb\xee\x4e\x17\x48\x9c\x1a\xc7\x43\x7f\xce\x62\x48\xe6\x1b\xd9\x6b\x41\xdf\xab\x13\xb9\x74\x49\xfb\xe3\x69\x90\xde\xcd\x75\x3c\xa4\x68\x3b\x9f\x0c\x66\xb0\x85\x44\x3b\x32\x44\x81\x78\x89\x6c\xae\x1b\x56\xf2\x80\xff\x82\xb1\xd6\x43\xf0\x10\xa7\xa2\x85\xc8\x3f\x85\x61\x23\xc6\x09\x57\x04\xf1\xde\xd1\xfa\xf9\xb6\x54\x9e\xbb\x84\x2e\x6b\xe2\x3d\xa0\x15\x7a\xba\x64\x6c\xbb\xdd\xa1\xa5\xc7\x12\x23\x9c\x6a\x38\x53\x27\xc6\x0e\xd3\xb1\x5f\xb3\x48\xfa\x8a\x26\x95\x42\x23\x14\x34\x94\x8f\x98\xec\x31\xc7\xb1\x81\xb4\xba\xce\x16\xe8\xd4\xf7\x3b\x54\x77\x2a\xb9\x3a\x8c\x06\xfa\x94\x1f\x20\xdf\x62\x53\x08\xfe\x12\xe4\x0f\x52\x8d\x55\x18\xf9\xb6\x96\x37\xdf\xc0\x04\xf0\x03\x63\x78\x2f\x21\x52\x6d\x76\xa6\x70\x74\xef\xcc\x81\x09\x39\xc4\x59", 232); *(uint64_t*)0x1000056c = 0x10001; *(uint64_t*)0x10000574 = 0xd6a4; *(uint64_t*)0x1000057c = 0x6781; *(uint64_t*)0x10000584 = 5; *(uint64_t*)0x1000058c = 0; *(uint64_t*)0x10000594 = 3; *(uint64_t*)0x1000059c = 1; *(uint32_t*)0x100005a4 = 0x100; syscall(SYS_ioctl, -1, 0xc450443e, 0x10000140); break; case 3: memcpy((void*)0x100005c0, 
"\x93\x9d\x74\xa0\x8d\x50\xea\xdd\xab\xaf\x8e\x73\x9e\x2b\x76\xf3\x2d\xda\x63\x62\x74\x10\xe5\x5b\x37\xf9\x04\xf8\x5f\x2a\x4d\x8e\xae\x18\x23\x42\xad\x13\xf8\x75\x97\xd2\xae\x0b\xab\x40\xaa\xc1\x55\xaf\x85\xeb\x43\xbe\xdf\xa0\x4d\xa9\xac\xe9\x73\x25\xf4\x92\xba\xef\xea\xc8\x18\xab\xf5\x71\xaf\xc7\xfc\xa0\x76\x10\x3f\x6f\x2b\x33\x25\xa6\xcb\xe7\xae\x16\x73\x16\xb9\xb0\x39\xd7\xa6\xed\xa3\x11\x48\x70\xfb\x90\x8f\xc5\x17\x52\xc0\xf4\x73\x96\xa3\x3d\x2e\xad\x7f\x90\xeb\x30\xf5\x62\x6b\xaf\xfa\x4e\xc8\x62\x86\x72\xba\xa7\x4e\x1a\x67\x9a\xe4\xbd\x75\xcc\x3d\xd3\xd0\x99\xd8\x60\xf7\x22\x63\x44\x23\x64\x23\x01\x0d\xb4\x6e\xb6\xed\xad\xcd\xbf\xe1\x09\x5b\xe6\x36\x23\x01\x2a\xf3\x6e\xdf\xd0\xcb\x74\x8a\x9f\x42\xe8\xa3\xaa\x39\x10\x61\x6f\x6f\xcc\xbb\x9c\x23\x09\xa5\xa8\x07\xf4\xe1", 195); syscall(SYS_ioctl, -1, 0xc088444f, 0x100005c0); break; case 4: *(uint32_t*)0x10000700 = 4; syscall(SYS_getsockopt, -1, 0x29, 0x13, 0x100006c0, 0x10000700); break; case 5: res = syscall(SYS_socket, 2, 0x10000000, 5); if (res != -1) r[0] = res; break; case 6: *(uint32_t*)0x10000780 = 4; syscall(SYS_getsockopt, (intptr_t)r[0], 0x84, 5, 0x10000740, 0x10000780); break; case 7: *(uint32_t*)0x100007c0 = 0; *(uint16_t*)0x100007c4 = 0xfff; syscall(SYS_setsockopt, (intptr_t)r[0], 0x84, 0x15, 0x100007c0, 8); break; case 8: *(uint32_t*)0x10000800 = 0x40; *(uint32_t*)0x10000804 = 2; syscall(SYS_setsockopt, (intptr_t)r[0], 0xffff, 0x1005, 0x10000800, 8); break; case 9: *(uint8_t*)0x10000840 = 0x1c; *(uint8_t*)0x10000841 = 0x1c; *(uint16_t*)0x10000842 = htobe16(0x4e21); *(uint32_t*)0x10000844 = 0xffff02b3; *(uint8_t*)0x10000848 = -1; *(uint8_t*)0x10000849 = 2; *(uint8_t*)0x1000084a = 0; *(uint8_t*)0x1000084b = 0; *(uint8_t*)0x1000084c = 0; *(uint8_t*)0x1000084d = 0; *(uint8_t*)0x1000084e = 0; *(uint8_t*)0x1000084f = 0; *(uint8_t*)0x10000850 = 0; *(uint8_t*)0x10000851 = 0; *(uint8_t*)0x10000852 = 0; *(uint8_t*)0x10000853 = 0; *(uint8_t*)0x10000854 = 0; *(uint8_t*)0x10000855 = 0; *(uint8_t*)0x10000856 = 0; 
*(uint8_t*)0x10000857 = 1; *(uint32_t*)0x10000858 = 3; *(uint64_t*)0x1000085c = 0; *(uint64_t*)0x10000864 = 0; *(uint64_t*)0x1000086c = 0; *(uint64_t*)0x10000874 = 0; *(uint64_t*)0x1000087c = 0; *(uint64_t*)0x10000884 = 0; *(uint64_t*)0x1000088c = 0; *(uint64_t*)0x10000894 = 0; *(uint64_t*)0x1000089c = 0; *(uint64_t*)0x100008a4 = 0; *(uint64_t*)0x100008ac = 0; *(uint64_t*)0x100008b4 = 0; *(uint32_t*)0x100008bc = 0; syscall(SYS_setsockopt, (intptr_t)r[0], 0x84, 6, 0x10000840, 0x80); break; case 10: *(uint8_t*)0x10000000 = 0xaa; *(uint8_t*)0x10000001 = 0xaa; *(uint8_t*)0x10000002 = 0xaa; *(uint8_t*)0x10000003 = 0xaa; *(uint8_t*)0x10000004 = 0xaa; *(uint8_t*)0x10000005 = 0xaa; memcpy((void*)0x10000006, "\x14\x70\xd7\xfc\xe0\x4b", 6); *(uint16_t*)0x1000000c = htobe16(0x8100); STORE_BY_BITMASK(uint16_t, , 0x1000000e, 6, 0, 3); STORE_BY_BITMASK(uint16_t, , 0x1000000e, 1, 3, 1); STORE_BY_BITMASK(uint16_t, , 0x1000000e, 8, 4, 12); *(uint16_t*)0x10000010 = htobe16(0x806); *(uint16_t*)0x10000012 = htobe16(0x18); *(uint16_t*)0x10000014 = htobe16(0x8100); *(uint8_t*)0x10000016 = 6; *(uint8_t*)0x10000017 = 7; *(uint16_t*)0x10000018 = htobe16(8); *(uint8_t*)0x1000001a = -1; *(uint8_t*)0x1000001b = -1; *(uint8_t*)0x1000001c = -1; *(uint8_t*)0x1000001d = -1; *(uint8_t*)0x1000001e = -1; *(uint8_t*)0x1000001f = -1; memcpy((void*)0x10000020, "\x76\x45\x66\xc7\x98\x12\xc1", 7); *(uint8_t*)0x10000027 = -1; *(uint8_t*)0x10000028 = -1; *(uint8_t*)0x10000029 = -1; *(uint8_t*)0x1000002a = -1; *(uint8_t*)0x1000002b = -1; *(uint8_t*)0x1000002c = -1; memcpy((void*)0x1000002d, "\xbf\x12\xd9\x2c\xdf\xdf\x96\x3f\xc3\xd5\xdf\x8a\x58\x08\x19\xc1", 16); break; case 11: memcpy((void*)0x10000040, "\xc0\xf6\xaa\xf0\x83\x08\x4c\xc4\xc2\x7d\x1a\x05\x1b\x00\x00\x00\xc4\xe1\x2f\x59\x9e\x00\x80\x00\x00\xc4\xe1\xb9\xf2\x53\x00\x7c\x03\xdb\xe0\xc4\xc1\x31\x6d\x80\x00\x00\x00\x80\x3e\x66\x0f\x38\x07\xa9\x00\x00\x80\x10\xc4\xe1\x6f\xd0\x16", 59); syz_execute_func(0x10000040); break; case 12: break; } } int 
main(void) { syscall(SYS_mmap, 0x10000000, 0x1000000, 7, 0x1012, -1, 0); use_temporary_dir(); do_sandbox_setuid(); return 0; } :332:11: error: use of undeclared identifier 'SYS_freebsd12_shm_open' syscall(SYS_freebsd12_shm_open, 0x10000000, 0x800, 0xc9); ^ 1 error generated. compiler invocation: clang [-o /tmp/syz-executor921885731 -DGOOS_freebsd=1 -DGOARCH_386=1 -DHOSTGOOS_freebsd=1 -x c - -m32 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -static -lc++ -Wno-overflow] --- FAIL: TestGenerate/freebsd/386/2 (2.36s) csource_test.go:123: opts: {Threaded:true Collide:true Repeat:true RepeatTimes:0 Procs:0 Sandbox:none Fault:false FaultCall:0 FaultNth:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false USB:false VhciInjection:false Wifi:false Sysctl:false UseTmpDir:true HandleSegv:false Repro:false Trace:false} program: freebsd12_shm_open(&(0x7f0000000000)='./file0\x00', 0x800, 0xc9) shmdt(0x0) ioctl$DIOCRDELTABLES(0xffffffffffffffff, 0xc450443e, &(0x7f0000000140)={{"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", "a16d9b50c673924a489324b1a091acfa2806d32ca4521d9854097f849d801f7d", 0xf55, 0xff}, &(0x7f0000000040)="0ba5f67637b2cc899fb43f77467cd2484ae43d75010e986c71227dd2931a38beed8272dc4e165fd2500ee8d9e94d1b28ebee4e17489c1ac7437fce6248e61bd96b41dfab13b97449fbe36990decd753ca4683b9f0c66b085443b32448178896cae1b56f280ff82b1d643f010a7a285c83f856123c6095704f1ded1faf9b6549ebb842e6be23da0157aba646cbbdda1a5c712239c6a385327c60ed3b15fb348fa8a269542231434948f98ec31c7b181b4bace16e8d4f73b54772ab93a8c06fa941f20df625308fe12e40f528d5518f9b69637dfc004f00363782f21526d76a67074efcc810939c459", 0x10001, 0xd6a4, 0x6781, 0x5, 0x0, 0x3, 0x1, 0x100}) ioctl$DIOCOSFPADD(0xffffffffffffffff, 0xc088444f, 
&(0x7f00000005c0)="939d74a08d50eaddabaf8e739e2b76f32dda63627410e55b37f904f85f2a4d8eae182342ad13f87597d2ae0bab40aac155af85eb43bedfa04da9ace97325f492baefeac818abf571afc7fca076103f6f2b3325a6cbe7ae167316b9b039d7a6eda3114870fb908fc51752c0f47396a33d2ead7f90eb30f5626baffa4ec8628672baa74e1a679ae4bd75cc3dd3d099d860f7226344236423010db46eb6edadcdbfe1095be63623012af36edfd0cb748a9f42e8a3aa3910616f6fccbb9c2309a5a807f4e1") getsockopt$inet6_int(0xffffffffffffffff, 0x29, 0x13, &(0x7f00000006c0), &(0x7f0000000700)=0x4) r0 = socket$inet(0x2, 0x10000000, 0x5) getsockopt$inet_sctp_SCTP_AUTOCLOSE(r0, 0x84, 0x5, &(0x7f0000000740), &(0x7f0000000780)=0x4) setsockopt$inet_sctp_SCTP_AUTH_ACTIVE_KEY(r0, 0x84, 0x15, &(0x7f00000007c0)={0x0, 0xfff}, 0x8) setsockopt$sock_timeval(r0, 0xffff, 0x1005, &(0x7f0000000800)={0x40, 0x2}, 0x8) setsockopt$inet_sctp_SCTP_SET_PEER_PRIMARY_ADDR(r0, 0x84, 0x6, &(0x7f0000000840)={@in6={{0x1c, 0x1c, 0x1, 0xffff02b3, @mcast2, 0x3}}}, 0x80) syz_emit_ethernet(0x3d, &(0x7f0000000000)={@local, @random="1470d7fce04b", [{[], {0x8100, 0x6, 0x1, 0x8}}], {@arp={0x806, @generic={0x18, 0x8100, 0x6, 0x7, 0x8, @broadcast, "764566c79812c1", @broadcast, "bf12d92cdfdf963fc3d5df8a580819c1"}}}}) syz_execute_func(&(0x7f0000000040)="c0f6aaf083084cc4c27d1a051b000000c4e12f599e00800000c4e1b9f253007c03dbe0c4c1316d80000000803e660f3807a900008010c4e16fd016") syz_extract_tcp_res(&(0x7f0000000080), 0x9, 0x2) csource_test.go:124: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include static void kill_and_wait(int pid, int* status) { kill(pid, SIGKILL); while (waitpid(-1, status, 0) != pid) { } } static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return 
(uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}

/*
 * Creates a fresh working directory from the "./syzkaller.XXXXXX" template
 * and makes it the current directory. Any failure terminates the process.
 */
static void use_temporary_dir(void)
{
    char tmpdir_template[] = "./syzkaller.XXXXXX";
    char* tmpdir = mkdtemp(tmpdir_template);
    if (!tmpdir)
        exit(1);
    /* Mode 0777 makes the directory accessible to every local user. */
    if (chmod(tmpdir, 0777))
        exit(1);
    if (chdir(tmpdir))
        exit(1);
}

/*
 * Recursively deletes the directory `dir` and everything below it.
 * Every failing filesystem call ends the process with exit(1).
 */
static void __attribute__((noinline)) remove_dir(const char* dir)
{
    DIR* dp = opendir(dir);
    if (dp == NULL) {
        /* An unreadable directory is removed directly, without listing it. */
        if (errno == EACCES) {
            if (rmdir(dir))
                exit(1);
            return;
        }
        exit(1);
    }
    struct dirent* ep = 0;
    while ((ep = readdir(dp))) {
        if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0)
            continue;
        char filename[FILENAME_MAX];
        /* NOTE(review): the snprintf result is not checked, so a truncated
         * path is passed on to lstat() as-is. */
        snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name);
        struct stat st;
        /* lstat() does not follow symbolic links, so a link that points at a
         * directory is unlinked below instead of being descended into. */
        if (lstat(filename, &st))
            exit(1);
        if (S_ISDIR(st.st_mode)) {
            remove_dir(filename);
            continue;
        }
        if (unlink(filename))
            exit(1);
    }
    closedir(dp);
    if (rmdir(dir))
        exit(1);
}

/*
 * Starts a thread running fn(arg) with a 128 KiB stack (128 << 10).
 * Makes up to 100 attempts and exits the process if none succeeds.
 */
static void thread_start(void* (*fn)(void*), void* arg)
{
    pthread_t th;
    pthread_attr_t attr;
    pthread_attr_init(&attr);
    pthread_attr_setstacksize(&attr, 128 << 10);
    int i = 0;
    for (; i < 100; i++) {
        if (pthread_create(&th, &attr, fn, arg) == 0) {
            pthread_attr_destroy(&attr);
            return;
        }
        /* NOTE(review): POSIX has pthread_create() report failure through its
         * return value; this retry decision reads errno instead - confirm. */
        if (errno == EAGAIN) {
            usleep(50);
            continue;
        }
        break;
    }
    exit(1);
}

/* A one-shot flag (`state`) guarded by a mutex and signalled via a condition variable. */
typedef struct {
    pthread_mutex_t mu;
    pthread_cond_t cv;
    int state;
} event_t;

/* Initialises the mutex and condition variable and clears the flag; exits on failure. */
static void event_init(event_t* ev)
{
    if (pthread_mutex_init(&ev->mu, 0))
        exit(1);
    if (pthread_cond_init(&ev->cv, 0))
        exit(1);
    ev->state = 0;
}

/* Clears the flag. The write is done without taking ev->mu. */
static void event_reset(event_t* ev)
{
    ev->state = 0;
}

/* Sets the flag and wakes all waiters; setting an already-set event exits the process. */
static void event_set(event_t* ev)
{
    pthread_mutex_lock(&ev->mu);
    if (ev->state)
        exit(1);
    ev->state = 1;
    pthread_mutex_unlock(&ev->mu);
    pthread_cond_broadcast(&ev->cv);
}

/* Blocks until the flag is set; the while loop re-checks it after every wakeup. */
static void event_wait(event_t* ev)
{
    pthread_mutex_lock(&ev->mu);
    while (!ev->state)
        pthread_cond_wait(&ev->cv, &ev->mu);
    pthread_mutex_unlock(&ev->mu);
}

/* Returns the current value of the flag, read under the mutex. */
static int event_isset(event_t* ev)
{
    pthread_mutex_lock(&ev->mu);
    int res = ev->state;
    pthread_mutex_unlock(&ev->mu);
    return res;
}

/* The definition below continues on the following line of the log. */
static int event_timedwait(event_t* ev,
uint64_t timeout)
{
    /*
     * Body of event_timedwait (its signature starts on the previous line of
     * the log): waits until the event is set or roughly `timeout`
     * milliseconds have elapsed, and returns the flag value seen last.
     */
    uint64_t start = current_time_ms();
    uint64_t now = start;
    pthread_mutex_lock(&ev->mu);
    for (;;) {
        if (ev->state)
            break;
        uint64_t remain = timeout - (now - start);
        struct timespec ts;
        ts.tv_sec = remain / 1000;
        ts.tv_nsec = (remain % 1000) * 1000 * 1000;
        /* NOTE(review): ts holds the remaining duration, while POSIX defines
         * the third argument of pthread_cond_timedwait() as an absolute
         * time; as written this probably times out at once and the loop
         * polls until the deadline check below fires - confirm. */
        pthread_cond_timedwait(&ev->cv, &ev->mu, &ts);
        now = current_time_ms();
        if (now - start > timeout)
            break;
    }
    int res = ev->state;
    pthread_mutex_unlock(&ev->mu);
    return res;
}

/* Mask with bf_len one-bits starting at bit bf_off. */
#define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off))
/* Read-modify-write of a bit-field inside *(type*)addr; `htobe` is applied
 * both when loading and when storing, and may be passed empty. */
#define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len))))

/*
 * Containment shared by the sandbox modes: starts a new session and lowers
 * the resource limits of the process.
 * NOTE(review): only setsid() is checked; a failing setrlimit() call is
 * ignored and the program continues without that limit.
 */
static void sandbox_common()
{
    if (setsid() == -1)
        exit(1);
    struct rlimit rlim;
    /* Address space: 128 MiB. */
    rlim.rlim_cur = rlim.rlim_max = 128 << 20;
    setrlimit(RLIMIT_AS, &rlim);
    /* Locked memory: 8 MiB. */
    rlim.rlim_cur = rlim.rlim_max = 8 << 20;
    setrlimit(RLIMIT_MEMLOCK, &rlim);
    /* File size: 1 MiB. */
    rlim.rlim_cur = rlim.rlim_max = 1 << 20;
    setrlimit(RLIMIT_FSIZE, &rlim);
    /* Stack: 1 MiB. */
    rlim.rlim_cur = rlim.rlim_max = 1 << 20;
    setrlimit(RLIMIT_STACK, &rlim);
    /* Core dumps disabled. */
    rlim.rlim_cur = rlim.rlim_max = 0;
    setrlimit(RLIMIT_CORE, &rlim);
    /* Open file descriptors: 256. */
    rlim.rlim_cur = rlim.rlim_max = 256;
    setrlimit(RLIMIT_NOFILE, &rlim);
}

static void loop();

/*
 * "none" sandbox: applies only the session and resource limits of
 * sandbox_common() and then runs loop() in the current process, with no
 * change of user or group.
 */
static int do_sandbox_none(void)
{
    sandbox_common();
    loop();
    return 0;
}

/*
 * Treats `text` as the address of a function taking no arguments and calls
 * it, so whatever bytes are stored at that address run as code inside this
 * process. Always returns 0.
 */
static long syz_execute_func(volatile long text)
{
    ((void (*)(void))(text))();
    return 0;
}

/* Per-worker state: creation flag, the call index to run, and two events. */
struct thread_t {
    int created, call;
    event_t ready, done;
};

/* Fixed pool of 16 worker slots. */
static struct thread_t threads[16];
static void execute_call(int call);
/* Number of dispatched calls that have not finished; updated atomically. */
static int running;

/*
 * Worker thread body: waits for `ready`, runs the call stored in th->call,
 * decrements the global `running` counter and signals `done`. Never leaves
 * the loop.
 */
static void* thr(void* arg)
{
    struct thread_t* th = (struct thread_t*)arg;
    for (;;) {
        event_wait(&th->ready);
        event_reset(&th->ready);
        execute_call(th->call);
        __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED);
        event_set(&th->done);
    }
    return 0;
}

/*
 * Dispatches calls 0..12 to the worker pool. `collide` starts at 0; the
 * rest of the function, including the second pass, is on the following
 * line of the log.
 */
static void execute_one(void)
{
    int i, call, thread;
    int collide = 0;
again:
    for (call = 0; call < 13; call++) {
        for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0]));
thread++) {
            /* Remainder of execute_one(); the function starts on the
             * previous line of the log. */
            struct thread_t* th = &threads[thread];
            if (!th->created) {
                th->created = 1;
                event_init(&th->ready);
                event_init(&th->done);
                /* A new worker starts out idle: `done` is pre-set. */
                event_set(&th->done);
                thread_start(thr, th);
            }
            /* A worker whose previous call has not finished is skipped; if
             * all 16 are busy, this call is not dispatched at all. */
            if (!event_isset(&th->done))
                continue;
            event_reset(&th->done);
            th->call = call;
            __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED);
            event_set(&th->ready);
            /* In the second (collide) pass, even-numbered calls are not
             * waited for, so the next call starts while they still run. */
            if (collide && (call % 2) == 0)
                break;
            /* Wait up to 45 ms for the call before moving to the next one. */
            event_timedwait(&th->done, 45);
            break;
        }
    }
    /* Grace period: up to 100 polls of 1 ms for outstanding calls. */
    for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++)
        sleep_ms(1);
    /* Run the whole call sequence once more with collide set. */
    if (!collide) {
        collide = 1;
        goto again;
    }
}

static void execute_one(void);

#define WAIT_FLAGS 0

/*
 * Endless driver loop: each iteration creates a directory "./<iter>", runs
 * execute_one() in a forked child inside it, waits for the child for up to
 * 5 seconds, then removes the directory.
 */
static void loop(void)
{
    int iter = 0;
    for (;; iter++) {
        char cwdbuf[32];
        /* NOTE(review): unbounded sprintf; "./" plus a decimal int fits in
         * 32 bytes assuming a 32-bit int. */
        sprintf(cwdbuf, "./%d", iter);
        if (mkdir(cwdbuf, 0777))
            exit(1);
        int pid = fork();
        if (pid < 0)
            exit(1);
        if (pid == 0) {
            if (chdir(cwdbuf))
                exit(1);
            execute_one();
            exit(0);
        }
        int status = 0;
        uint64_t start = current_time_ms();
        for (;;) {
            /* Non-blocking wait on any child, polled once per millisecond. */
            if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
                break;
            sleep_ms(1);
            if (current_time_ms() - start < 5 * 1000)
                continue;
            /* The child exceeded the 5 second budget. */
            kill_and_wait(pid, &status);
            break;
        }
        remove_dir(cwdbuf);
    }
}

/* Single result slot, initialised to all-ones; presumably filled by a later
 * case of execute_call and reused as a descriptor - confirm. */
uint64_t r[1] = {0xffffffffffffffff};

/*
 * Executes call number `call` of the generated program. Arguments are
 * written to fixed addresses from 0x10000000 upward. The switch continues
 * on the following lines of the log.
 */
void execute_call(int call)
{
    intptr_t res = 0;
    switch (call) {
    case 0:
        memcpy((void*)0x10000000, "./file0\000", 8);
        /* Same call that the compiler rejects in the earlier failures in
         * this log: SYS_freebsd12_shm_open is an undeclared identifier. */
        syscall(SYS_freebsd12_shm_open, 0x10000000, 0x800, 0xc9);
        break;
    case 1:
        syscall(SYS_shmdt, 0);
        break;
    case 2:
        memcpy((void*)0x10000140,
"\x1a\xe7\x45\xec\xdf\x4d\xdb\x7e\x44\x74\x7b\x1e\xb3\xa3\x61\x85\x5e\xf7\xa8\x74\x8b\x3a\x32\xb4\x7f\xdf\x40\x09\x33\xe0\x69\x30\xef\x3f\xe6\xb0\x88\x37\x3f\x29\x9a\xfa\x26\xd7\xc3\xa6\xa7\x2b\xd7\xc4\x2b\xdf\xf8\xbd\x0d\xbe\x00\xa3\xc7\x43\xda\x0b\xf8\xbf\x75\x59\x8d\x38\x32\xb0\x89\x2b\xfe\x16\x75\x07\x1b\x14\x99\x7e\x47\xcb\xca\x02\x03\x6c\xcd\x95\xa2\xab\x18\x8a\x9c\x7e\x79\x1e\x60\xac\xa1\x0d\x90\x82\xd5\x5b\x00\xdc\x9f\xbb\x38\xdb\x32\x06\x2f\x30\x12\x6f\xa7\xc1\x92\x01\x6e\xaa\x62\x96\xd0\x07\x32\xdc\x64\x91\xb6\x69\xed\x05\xaa\x34\x24\xa9\x64\x12\xad\xb9\xfe\x4f\x55\x4b\x49\x2e\xd2\xea\x1a\xfc\xfa\x66\xeb\x4c\x2e\x3c\x1c\x32\x97\x80\xdd\xb3\x1b\x8f\x54\xa7\x3a\xc0\x65\x25\x69\x45\xd5\x45\x7b\x3e\x70\x33\xc8\xed\x44\xf9\x03\x02\x11\xc7\x1c\xcd\x6d\xaa\xfe\x7e\x7b\xb5\x91\x6c\x63\x66\x11\x79\xd2\xfd\xba\xdf\xed\xb8\x5a\xbf\xa6\x76\x04\x4d\x98\x87\xf4\xd4\x1e\xbb\xbc\xa1\x83\x85\x87\xf0\xb3\x48\xc1\x64\xde\xcc\x4c\xca\xaf\xa5\x73\x37\x2d\x8b\xe6\x2a\x69\xad\xcb\xf9\xd3\x60\xff\xfb\xdf\x29\x53\x0a\x07\x7c\x7e\x9d\x84\x12\x3b\x09\x56\xd1\xaf\xa3\x97\xb6\xc5\x40\x97\xaa\x48\xd7\x3d\x3e\x26\x81\xb6\x5e\x3e\x69\xd0\xcb\x28\x8a\x52\x53\xe7\x42\x2c\x88\x60\x6a\x54\x3e\x32\x03\x8f\x26\x0e\x19\xe0\x3d\xb6\x0d\xa6\xea\x00\x2c\x9f\x20\x58\x71\xd6\x03\x32\x31\x20\x2d\x4a\x21\x5f\xfe\x80\x22\xf4\x9f\xbb\x17\xc6\xcd\xfd\xbc\x13\xda\x45\x99\x15\x9c\x4e\x04\x72\xc5\x4c\xa2\x6e\x14\xd6\x99\x0d\x73\x3e\x45\x54\x0a\xcc\xa6\x3c\x7b\x3a\x21\xd3\x9e\x6e\xfa\x91\x33\x87\x29\x7d\xa5\xf4\x68\x35\x4d\x4c\x99\x87\x8d\x74\x5b\x6c\x92\xb7\x48\xfb\x67\x43\x07\xf4\xb2\x2f\x7d\xf3\x1f\x25\x4c\x0b\x43\xb2\x61\x69\xc2\xe1\xf7\xf0\x80\x85\xf9\xff\x22\xe7\x0f\x00\xf9\x70\x57\x90\xdd\x80\xca\x43\x0d\x5a\xc6\x2a\xa0\xa7\x9d\x1e\x84\x97\x98\x8b\x60\x68\xdb\x2f\xa5\x15\xde\x9e\xb0\x71\x65\x59\x75\x81\x1b\x6a\xb8\xb8\xe0\x53\xa6\x36\x34\x29\xf9\x43\x48\x99\x1e\xaa\x80\xd7\xdc\x42\x3b\xe4\x9e\xba\xb2\xd7\x4f\xaf\x7b\x9f\xff\x03\xf2\xd0\x6c\x28\x6f\xb2\x01\xbe\x54\xc6\xca\x10\xd6\x62\x9f\xbd\x0d\x0e\x1
4\x32\xe6\x38\xbe\x82\xbd\x3b\xe0\x39\xd7\xe9\x76\x54\x97\x3e\x2c\x7c\x2b\xa6\x5b\x3c\x6e\x77\x76\xfa\x16\xde\xe0\x91\x13\xd8\xa4\x74\x16\xee\x7b\x67\xf2\x7e\xc0\x89\x89\x30\x42\x35\xab\x6f\x3d\xdb\xbb\xc6\xfe\x84\xa5\x8f\x7a\xaf\x50\x85\x3a\xf6\x72\xda\xd5\x3e\x00\x0b\x59\x42\x71\xc3\xc7\x35\x09\xcf\xb2\x92\xc1\xf7\xae\xe7\xaa\x2e\xa7\x72\x1e\x15\xe5\x7a\x3b\x54\xa5\xb0\xe5\xef\xe8\xd9\xdb\x18\x52\xf1\xbb\x94\xf8\xb6\xfd\xd9\x2d\xc1\x8b\x86\xf4\xea\x29\x82\xb6\x3a\xc8\xc1\x21\xb7\x37\x1e\x6c\x6a\xe6\xba\xe0\x44\xff\x5a\xbb\x5a\x7a\x2b\x07\x7e\xd8\x2a\x81\x73\x6d\xd9\x05\xdc\x34\x91\xd0\x48\x73\x71\x4b\x33\x1c\x87\x43\x56\xe3\x28\xf3\x24\x51\xc6\xf4\x56\xf6\xc0\xcd\x2b\x1e\x0c\x81\x9c\x3f\x9a\x9c\x73\x6b\x22\xee\x97\xfa\x00\x1b\x37\x81\x8d\x48\xc4\x3b\x5a\x94\x49\x4d\x5f\xe6\xb9\x72\x51\xc7\x1e\x20\xbc\x7e\x31\x38\xa6\x1c\xe2\x3d\x37\x30\x81\xb5\x99\xd6\x8b\xa3\x6b\x88\xa5\x93\x8b\x11\x7a\x4a\xe1\xc1\x50\x99\xcb\xf9\x01\x76\x25\xfd\xb0\x60\xea\xc5\xe1\xed\x70\x09\x48\x1f\xc5\x84\x09\xae\xcb\xf4\x4b\x4d\x21\xa2\x57\x42\x6c\xac\x67\xa9\xa0\xf5\x06\x2d\x09\xf9\x20\x9a\xc0\x2a\xa3\x87\x8e\x73\x7f\xe8\xe3\xa4\x26\x0f\x1c\x64\xb5\xc5\xcb\x07\x1a\xc1\x25\xaa\x5e\x4e\x35\x94\x43\x68\xc1\xdc\x5e\x0c\xc9\x6a\x11\xd7\x7c\xff\xf5\x39\xef\x38\xa0\x77\x42\x8a\x01\xdc\x21\x74\x8b\x73\x42\xba\xd2\xa2\x61\x4c\x1b\x32\xd5\x0d\x2a\xa9\xba\x9b\x39\x1d\xcc\x58\x24\xf2\x16\x37\xff\x62\x94\xb5\xdc\xfb\x6f\xc2\xa8\xbb\x0b\x2e\xa2\x51\x48\x68\xf0\x82\xb7\xd2\x43\x35\xf7\x2b\xf1\x30\xac\xc7\xf6\x89\x72\x59\x39\x4e\xa8\x22\x05\xfe\xc9\xad\x75\xa0\x88\xc1\x20\x0a\x94\xea\xac\x0a\x8b\x05\xaf\x97\x6f\x1a\x4a\x98\x3e\x8d\xbe\xe9\xa0\x3a\x21\x5e\x15\xe1\x8e\x19\x58\xda\x32\x7c\x54\xea\x41\x1f\x76\xa3\x7c\x54\x49\xd1\x64\xb6\xe2\xa9\x15\x19\xf0\x82\x0c\x1c\xc4\xbd\x8a\x3e\xf9\x52\x1a\xb1\xdc\xe8\xa1\xe5\x30\x6f\x91\x05\x0e\xd6\xb4\x44\xf5\xcc\x8d\x19\x45\x26\x3b\x86\xc9\x99\x08\x8d\x10\xbf\xc1\xb0\x53\x43\xa7\xae\xdd\x9a\x84\x18\x8b\x84\xca\x09\x43\x0e\x32\xf7\x36\x23\xd1\xa0\xfb\xcf\x18\x6e\xfc\x1
1\x3e\x44\xb9\xf0\x46\x0c\xb9\xd8\x5f\x19\x23\xcb\xbc\xd1\x6d\xf5\x02\x47\x41\xad\x93\x0a\xa8\x3b", 1024); memcpy((void*)0x10000540, "\xa1\x6d\x9b\x50\xc6\x73\x92\x4a\x48\x93\x24\xb1\xa0\x91\xac\xfa\x28\x06\xd3\x2c\xa4\x52\x1d\x98\x54\x09\x7f\x84\x9d\x80\x1f\x7d", 32); *(uint32_t*)0x10000560 = 0xf55; *(uint8_t*)0x10000564 = -1; *(uint32_t*)0x10000568 = 0x10000040; memcpy((void*)0x10000040, "\x0b\xa5\xf6\x76\x37\xb2\xcc\x89\x9f\xb4\x3f\x77\x46\x7c\xd2\x48\x4a\xe4\x3d\x75\x01\x0e\x98\x6c\x71\x22\x7d\xd2\x93\x1a\x38\xbe\xed\x82\x72\xdc\x4e\x16\x5f\xd2\x50\x0e\xe8\xd9\xe9\x4d\x1b\x28\xeb\xee\x4e\x17\x48\x9c\x1a\xc7\x43\x7f\xce\x62\x48\xe6\x1b\xd9\x6b\x41\xdf\xab\x13\xb9\x74\x49\xfb\xe3\x69\x90\xde\xcd\x75\x3c\xa4\x68\x3b\x9f\x0c\x66\xb0\x85\x44\x3b\x32\x44\x81\x78\x89\x6c\xae\x1b\x56\xf2\x80\xff\x82\xb1\xd6\x43\xf0\x10\xa7\xa2\x85\xc8\x3f\x85\x61\x23\xc6\x09\x57\x04\xf1\xde\xd1\xfa\xf9\xb6\x54\x9e\xbb\x84\x2e\x6b\xe2\x3d\xa0\x15\x7a\xba\x64\x6c\xbb\xdd\xa1\xa5\xc7\x12\x23\x9c\x6a\x38\x53\x27\xc6\x0e\xd3\xb1\x5f\xb3\x48\xfa\x8a\x26\x95\x42\x23\x14\x34\x94\x8f\x98\xec\x31\xc7\xb1\x81\xb4\xba\xce\x16\xe8\xd4\xf7\x3b\x54\x77\x2a\xb9\x3a\x8c\x06\xfa\x94\x1f\x20\xdf\x62\x53\x08\xfe\x12\xe4\x0f\x52\x8d\x55\x18\xf9\xb6\x96\x37\xdf\xc0\x04\xf0\x03\x63\x78\x2f\x21\x52\x6d\x76\xa6\x70\x74\xef\xcc\x81\x09\x39\xc4\x59", 232); *(uint64_t*)0x1000056c = 0x10001; *(uint64_t*)0x10000574 = 0xd6a4; *(uint64_t*)0x1000057c = 0x6781; *(uint64_t*)0x10000584 = 5; *(uint64_t*)0x1000058c = 0; *(uint64_t*)0x10000594 = 3; *(uint64_t*)0x1000059c = 1; *(uint32_t*)0x100005a4 = 0x100; syscall(SYS_ioctl, -1, 0xc450443e, 0x10000140); break; case 3: memcpy((void*)0x100005c0, 
"\x93\x9d\x74\xa0\x8d\x50\xea\xdd\xab\xaf\x8e\x73\x9e\x2b\x76\xf3\x2d\xda\x63\x62\x74\x10\xe5\x5b\x37\xf9\x04\xf8\x5f\x2a\x4d\x8e\xae\x18\x23\x42\xad\x13\xf8\x75\x97\xd2\xae\x0b\xab\x40\xaa\xc1\x55\xaf\x85\xeb\x43\xbe\xdf\xa0\x4d\xa9\xac\xe9\x73\x25\xf4\x92\xba\xef\xea\xc8\x18\xab\xf5\x71\xaf\xc7\xfc\xa0\x76\x10\x3f\x6f\x2b\x33\x25\xa6\xcb\xe7\xae\x16\x73\x16\xb9\xb0\x39\xd7\xa6\xed\xa3\x11\x48\x70\xfb\x90\x8f\xc5\x17\x52\xc0\xf4\x73\x96\xa3\x3d\x2e\xad\x7f\x90\xeb\x30\xf5\x62\x6b\xaf\xfa\x4e\xc8\x62\x86\x72\xba\xa7\x4e\x1a\x67\x9a\xe4\xbd\x75\xcc\x3d\xd3\xd0\x99\xd8\x60\xf7\x22\x63\x44\x23\x64\x23\x01\x0d\xb4\x6e\xb6\xed\xad\xcd\xbf\xe1\x09\x5b\xe6\x36\x23\x01\x2a\xf3\x6e\xdf\xd0\xcb\x74\x8a\x9f\x42\xe8\xa3\xaa\x39\x10\x61\x6f\x6f\xcc\xbb\x9c\x23\x09\xa5\xa8\x07\xf4\xe1", 195); syscall(SYS_ioctl, -1, 0xc088444f, 0x100005c0); break; case 4: *(uint32_t*)0x10000700 = 4; syscall(SYS_getsockopt, -1, 0x29, 0x13, 0x100006c0, 0x10000700); break; case 5: res = syscall(SYS_socket, 2, 0x10000000, 5); if (res != -1) r[0] = res; break; case 6: *(uint32_t*)0x10000780 = 4; syscall(SYS_getsockopt, (intptr_t)r[0], 0x84, 5, 0x10000740, 0x10000780); break; case 7: *(uint32_t*)0x100007c0 = 0; *(uint16_t*)0x100007c4 = 0xfff; syscall(SYS_setsockopt, (intptr_t)r[0], 0x84, 0x15, 0x100007c0, 8); break; case 8: *(uint32_t*)0x10000800 = 0x40; *(uint32_t*)0x10000804 = 2; syscall(SYS_setsockopt, (intptr_t)r[0], 0xffff, 0x1005, 0x10000800, 8); break; case 9: *(uint8_t*)0x10000840 = 0x1c; *(uint8_t*)0x10000841 = 0x1c; *(uint16_t*)0x10000842 = htobe16(0x4e21); *(uint32_t*)0x10000844 = 0xffff02b3; *(uint8_t*)0x10000848 = -1; *(uint8_t*)0x10000849 = 2; *(uint8_t*)0x1000084a = 0; *(uint8_t*)0x1000084b = 0; *(uint8_t*)0x1000084c = 0; *(uint8_t*)0x1000084d = 0; *(uint8_t*)0x1000084e = 0; *(uint8_t*)0x1000084f = 0; *(uint8_t*)0x10000850 = 0; *(uint8_t*)0x10000851 = 0; *(uint8_t*)0x10000852 = 0; *(uint8_t*)0x10000853 = 0; *(uint8_t*)0x10000854 = 0; *(uint8_t*)0x10000855 = 0; *(uint8_t*)0x10000856 = 0; 
*(uint8_t*)0x10000857 = 1; *(uint32_t*)0x10000858 = 3; *(uint64_t*)0x1000085c = 0; *(uint64_t*)0x10000864 = 0; *(uint64_t*)0x1000086c = 0; *(uint64_t*)0x10000874 = 0; *(uint64_t*)0x1000087c = 0; *(uint64_t*)0x10000884 = 0; *(uint64_t*)0x1000088c = 0; *(uint64_t*)0x10000894 = 0; *(uint64_t*)0x1000089c = 0; *(uint64_t*)0x100008a4 = 0; *(uint64_t*)0x100008ac = 0; *(uint64_t*)0x100008b4 = 0; *(uint32_t*)0x100008bc = 0; syscall(SYS_setsockopt, (intptr_t)r[0], 0x84, 6, 0x10000840, 0x80); break; case 10: *(uint8_t*)0x10000000 = 0xaa; *(uint8_t*)0x10000001 = 0xaa; *(uint8_t*)0x10000002 = 0xaa; *(uint8_t*)0x10000003 = 0xaa; *(uint8_t*)0x10000004 = 0xaa; *(uint8_t*)0x10000005 = 0xaa; memcpy((void*)0x10000006, "\x14\x70\xd7\xfc\xe0\x4b", 6); *(uint16_t*)0x1000000c = htobe16(0x8100); STORE_BY_BITMASK(uint16_t, , 0x1000000e, 6, 0, 3); STORE_BY_BITMASK(uint16_t, , 0x1000000e, 1, 3, 1); STORE_BY_BITMASK(uint16_t, , 0x1000000e, 8, 4, 12); *(uint16_t*)0x10000010 = htobe16(0x806); *(uint16_t*)0x10000012 = htobe16(0x18); *(uint16_t*)0x10000014 = htobe16(0x8100); *(uint8_t*)0x10000016 = 6; *(uint8_t*)0x10000017 = 7; *(uint16_t*)0x10000018 = htobe16(8); *(uint8_t*)0x1000001a = -1; *(uint8_t*)0x1000001b = -1; *(uint8_t*)0x1000001c = -1; *(uint8_t*)0x1000001d = -1; *(uint8_t*)0x1000001e = -1; *(uint8_t*)0x1000001f = -1; memcpy((void*)0x10000020, "\x76\x45\x66\xc7\x98\x12\xc1", 7); *(uint8_t*)0x10000027 = -1; *(uint8_t*)0x10000028 = -1; *(uint8_t*)0x10000029 = -1; *(uint8_t*)0x1000002a = -1; *(uint8_t*)0x1000002b = -1; *(uint8_t*)0x1000002c = -1; memcpy((void*)0x1000002d, "\xbf\x12\xd9\x2c\xdf\xdf\x96\x3f\xc3\xd5\xdf\x8a\x58\x08\x19\xc1", 16); break; case 11: memcpy((void*)0x10000040, "\xc0\xf6\xaa\xf0\x83\x08\x4c\xc4\xc2\x7d\x1a\x05\x1b\x00\x00\x00\xc4\xe1\x2f\x59\x9e\x00\x80\x00\x00\xc4\xe1\xb9\xf2\x53\x00\x7c\x03\xdb\xe0\xc4\xc1\x31\x6d\x80\x00\x00\x00\x80\x3e\x66\x0f\x38\x07\xa9\x00\x00\x80\x10\xc4\xe1\x6f\xd0\x16", 59); syz_execute_func(0x10000040); break; case 12: break; } } int 
main(void) { syscall(SYS_mmap, 0x10000000, 0x1000000, 7, 0x1012, -1, 0); use_temporary_dir(); do_sandbox_none(); return 0; } :317:11: error: use of undeclared identifier 'SYS_freebsd12_shm_open' syscall(SYS_freebsd12_shm_open, 0x10000000, 0x800, 0xc9); ^ 1 error generated. compiler invocation: clang [-o /tmp/syz-executor613783334 -DGOOS_freebsd=1 -DGOARCH_386=1 -DHOSTGOOS_freebsd=1 -x c - -m32 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -static -lc++ -Wno-overflow] --- FAIL: TestGenerate/freebsd/386/1 (2.32s) csource_test.go:123: opts: {Threaded:true Collide:false Repeat:true RepeatTimes:0 Procs:0 Sandbox:none Fault:false FaultCall:0 FaultNth:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false USB:false VhciInjection:false Wifi:false Sysctl:false UseTmpDir:true HandleSegv:false Repro:false Trace:false} program: freebsd12_shm_open(&(0x7f0000000000)='./file0\x00', 0x800, 0xc9) shmdt(0x0) ioctl$DIOCRDELTABLES(0xffffffffffffffff, 0xc450443e, &(0x7f0000000140)={{"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", "a16d9b50c673924a489324b1a091acfa2806d32ca4521d9854097f849d801f7d", 0xf55, 0xff}, &(0x7f0000000040)="0ba5f67637b2cc899fb43f77467cd2484ae43d75010e986c71227dd2931a38beed8272dc4e165fd2500ee8d9e94d1b28ebee4e17489c1ac7437fce6248e61bd96b41dfab13b97449fbe36990decd753ca4683b9f0c66b085443b32448178896cae1b56f280ff82b1d643f010a7a285c83f856123c6095704f1ded1faf9b6549ebb842e6be23da0157aba646cbbdda1a5c712239c6a385327c60ed3b15fb348fa8a269542231434948f98ec31c7b181b4bace16e8d4f73b54772ab93a8c06fa941f20df625308fe12e40f528d5518f9b69637dfc004f00363782f21526d76a67074efcc810939c459", 0x10001, 0xd6a4, 0x6781, 0x5, 0x0, 0x3, 0x1, 0x100}) ioctl$DIOCOSFPADD(0xffffffffffffffff, 0xc088444f, 
&(0x7f00000005c0)="939d74a08d50eaddabaf8e739e2b76f32dda63627410e55b37f904f85f2a4d8eae182342ad13f87597d2ae0bab40aac155af85eb43bedfa04da9ace97325f492baefeac818abf571afc7fca076103f6f2b3325a6cbe7ae167316b9b039d7a6eda3114870fb908fc51752c0f47396a33d2ead7f90eb30f5626baffa4ec8628672baa74e1a679ae4bd75cc3dd3d099d860f7226344236423010db46eb6edadcdbfe1095be63623012af36edfd0cb748a9f42e8a3aa3910616f6fccbb9c2309a5a807f4e1") getsockopt$inet6_int(0xffffffffffffffff, 0x29, 0x13, &(0x7f00000006c0), &(0x7f0000000700)=0x4) r0 = socket$inet(0x2, 0x10000000, 0x5) getsockopt$inet_sctp_SCTP_AUTOCLOSE(r0, 0x84, 0x5, &(0x7f0000000740), &(0x7f0000000780)=0x4) setsockopt$inet_sctp_SCTP_AUTH_ACTIVE_KEY(r0, 0x84, 0x15, &(0x7f00000007c0)={0x0, 0xfff}, 0x8) setsockopt$sock_timeval(r0, 0xffff, 0x1005, &(0x7f0000000800)={0x40, 0x2}, 0x8) setsockopt$inet_sctp_SCTP_SET_PEER_PRIMARY_ADDR(r0, 0x84, 0x6, &(0x7f0000000840)={@in6={{0x1c, 0x1c, 0x1, 0xffff02b3, @mcast2, 0x3}}}, 0x80) syz_emit_ethernet(0x3d, &(0x7f0000000000)={@local, @random="1470d7fce04b", [{[], {0x8100, 0x6, 0x1, 0x8}}], {@arp={0x806, @generic={0x18, 0x8100, 0x6, 0x7, 0x8, @broadcast, "764566c79812c1", @broadcast, "bf12d92cdfdf963fc3d5df8a580819c1"}}}}) syz_execute_func(&(0x7f0000000040)="c0f6aaf083084cc4c27d1a051b000000c4e12f599e00800000c4e1b9f253007c03dbe0c4c1316d80000000803e660f3807a900008010c4e16fd016") syz_extract_tcp_res(&(0x7f0000000080), 0x9, 0x2) csource_test.go:124: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include static void kill_and_wait(int pid, int* status) { kill(pid, SIGKILL); while (waitpid(-1, status, 0) != pid) { } } static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return 
(uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}

// Creates a fresh "./syzkaller.XXXXXX" directory with mkdtemp(), changes its
// mode to 0777 and makes it the working directory. Any failure exits with 1.
// NOTE(review): mkdtemp() creates the directory owner-only and the chmod()
// then opens it to every local user - presumably so lower-privileged sandbox
// modes can still write there; TODO confirm.
static void use_temporary_dir(void)
{
	char tmpdir_template[] = "./syzkaller.XXXXXX";
	char* tmpdir = mkdtemp(tmpdir_template);
	if (!tmpdir) exit(1);
	if (chmod(tmpdir, 0777)) exit(1);
	if (chdir(tmpdir)) exit(1);
}

// Recursively deletes `dir` and everything below it; exits with 1 on the
// first error. Entries are classified with lstat(), so a symbolic link is
// unlinked rather than followed into its target.
static void __attribute__((noinline)) remove_dir(const char* dir)
{
	DIR* dp = opendir(dir);
	if (dp == NULL) {
		// An unreadable directory is still given one rmdir() attempt.
		if (errno == EACCES) {
			if (rmdir(dir)) exit(1);
			return;
		}
		exit(1);
	}
	struct dirent* ep = 0;
	while ((ep = readdir(dp))) {
		if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0) continue;
		char filename[FILENAME_MAX];
		// NOTE(review): the snprintf() result is not checked, so an over-long
		// path would be truncated silently before lstat()/unlink() see it.
		snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name);
		struct stat st;
		if (lstat(filename, &st)) exit(1);
		if (S_ISDIR(st.st_mode)) {
			remove_dir(filename);
			continue;
		}
		if (unlink(filename)) exit(1);
	}
	closedir(dp);
	if (rmdir(dir)) exit(1);
}

// Starts `fn(arg)` on a new thread with a 128 KiB stack (128 << 10). Makes up
// to 100 attempts, sleeping 50 us between them when errno is EAGAIN, and
// exits with 1 if no thread could be created. The thread handle is discarded.
// NOTE(review): pthread_create() reports failure through its return value;
// whether errno is set as well depends on the libc - verify that the EAGAIN
// retry is reachable on the target.
static void thread_start(void* (*fn)(void*), void* arg)
{
	pthread_t th;
	pthread_attr_t attr;
	pthread_attr_init(&attr);
	pthread_attr_setstacksize(&attr, 128 << 10);
	int i = 0;
	for (; i < 100; i++) {
		if (pthread_create(&th, &attr, fn, arg) == 0) {
			pthread_attr_destroy(&attr);
			return;
		}
		if (errno == EAGAIN) {
			usleep(50);
			continue;
		}
		break;
	}
	exit(1);
}

// One-shot event: `state` is the flag, `mu` and `cv` guard and signal it.
typedef struct {
	pthread_mutex_t mu;
	pthread_cond_t cv;
	int state;
} event_t;

// Initialises the mutex and condition variable and clears the flag; exits
// with 1 if either pthread init call fails.
static void event_init(event_t* ev)
{
	if (pthread_mutex_init(&ev->mu, 0)) exit(1);
	if (pthread_cond_init(&ev->cv, 0)) exit(1);
	ev->state = 0;
}

// Clears the flag. Note that this write is done without taking ev->mu.
static void event_reset(event_t* ev)
{
	ev->state = 0;
}

// Sets the flag under the mutex and wakes all waiters. Setting an event that
// is already set is treated as a fatal error (exit 1).
static void event_set(event_t* ev)
{
	pthread_mutex_lock(&ev->mu);
	if (ev->state) exit(1);
	ev->state = 1;
	pthread_mutex_unlock(&ev->mu);
	pthread_cond_broadcast(&ev->cv);
}

// Blocks until the flag is set.
static void event_wait(event_t* ev)
{
	pthread_mutex_lock(&ev->mu);
	while (!ev->state) pthread_cond_wait(&ev->cv, &ev->mu);
	pthread_mutex_unlock(&ev->mu);
}

// Returns the current flag value, read under the mutex.
static int event_isset(event_t* ev)
{
	pthread_mutex_lock(&ev->mu);
	int res = ev->state;
	pthread_mutex_unlock(&ev->mu);
	return res;
}

// Waits for the flag for at most `timeout` milliseconds (measured with
// current_time_ms()) and returns the flag value seen at the end.
// NOTE(review): POSIX defines the third argument of pthread_cond_timedwait()
// as an absolute deadline, while `ts` here holds the remaining interval. The
// call therefore probably times out at once and the loop behaves as a poll
// bounded by the `now - start > timeout` check - confirm on the target libc.
static int event_timedwait(event_t* ev,
uint64_t timeout)
{
	uint64_t start = current_time_ms();
	uint64_t now = start;
	pthread_mutex_lock(&ev->mu);
	for (;;) {
		if (ev->state) break;
		uint64_t remain = timeout - (now - start);
		struct timespec ts;
		ts.tv_sec = remain / 1000;
		ts.tv_nsec = (remain % 1000) * 1000 * 1000;
		pthread_cond_timedwait(&ev->cv, &ev->mu, &ts);
		now = current_time_ms();
		if (now - start > timeout) break;
	}
	int res = ev->state;
	pthread_mutex_unlock(&ev->mu);
	return res;
}

// BITMASK(off, len): `len` one-bits shifted left by `off`.
#define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off))
// STORE_BY_BITMASK: read-modify-write of a bitfield inside the `type` object
// at `addr`. `htobe` is applied on load and on store; the call sites in this
// listing pass it empty, which makes it a plain parenthesised expression.
#define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len))))

// Starts a new session and caps the process resources: address space 128 MiB,
// locked memory 8 MiB, file size 1 MiB, stack 1 MiB, no core dumps, 256 open
// files. The setrlimit() results are not checked, so a limit that could not
// be applied goes unnoticed.
static void sandbox_common()
{
	if (setsid() == -1) exit(1);
	struct rlimit rlim;
	rlim.rlim_cur = rlim.rlim_max = 128 << 20;
	setrlimit(RLIMIT_AS, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 8 << 20;
	setrlimit(RLIMIT_MEMLOCK, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 1 << 20;
	setrlimit(RLIMIT_FSIZE, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 1 << 20;
	setrlimit(RLIMIT_STACK, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 0;
	setrlimit(RLIMIT_CORE, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 256;
	setrlimit(RLIMIT_NOFILE, &rlim);
}

static void loop();

// "Sandbox:none" entry point: applies the limits from sandbox_common() and
// enters loop(). No change of user, root directory or other isolation step
// is visible here, so the program runs with the privileges of its invoker.
static int do_sandbox_none(void)
{
	sandbox_common();
	loop();
	return 0;
}

// Treats `text` as the address of a function taking no arguments and calls
// it. In this listing the only caller is case 11 of execute_call(), which
// first copies a byte string to the address it passes.
static long syz_execute_func(volatile long text)
{
	((void (*)(void))(text))();
	return 0;
}

// Per-worker state: `created` marks a started thread, `call` is the call
// index to run next, `ready`/`done` hand work over and signal completion.
struct thread_t {
	int created, call;
	event_t ready, done;
};

static struct thread_t threads[16];
static void execute_call(int call);
// Number of calls currently handed to workers and not yet finished.
static int running;

// Worker thread body: waits for `ready`, runs the assigned call, decrements
// `running` and signals `done`. The loop has no exit, so the trailing
// return is never reached.
static void* thr(void* arg)
{
	struct thread_t* th = (struct thread_t*)arg;
	for (;;) {
		event_wait(&th->ready);
		event_reset(&th->ready);
		execute_call(th->call);
		__atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED);
		event_set(&th->done);
	}
	return 0;
}

// Runs calls 0..12 of the program once. Each call goes to the first worker
// whose `done` event is set (workers are created lazily, 16 slots) and is
// given 45 ms to complete before the next call is issued; a call that is
// still blocked keeps its worker busy. Afterwards waits up to 100 ms for the
// `running` counter to drop to zero.
static void execute_one(void)
{
	int i, call, thread;
	for (call = 0; call < 13; call++) {
		for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) {
			struct thread_t*
th = &threads[thread];
			if (!th->created) {
				th->created = 1;
				event_init(&th->ready);
				event_init(&th->done);
				// A new worker starts out idle, i.e. with `done` set.
				event_set(&th->done);
				thread_start(thr, th);
			}
			if (!event_isset(&th->done)) continue;
			event_reset(&th->done);
			th->call = call;
			__atomic_fetch_add(&running, 1, __ATOMIC_RELAXED);
			event_set(&th->ready);
			event_timedwait(&th->done, 45);
			break;
		}
	}
	for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++) sleep_ms(1);
}

static void execute_one(void);

#define WAIT_FLAGS 0

// Repeats the program forever, one child process per iteration. The child
// runs execute_one() inside its own "./<iter>" directory; the parent polls
// waitpid() every millisecond, kills the child once 5 seconds have passed,
// and then removes the directory. Any setup failure exits with 1.
static void loop(void)
{
	int iter = 0;
	for (;; iter++) {
		// "./" plus a decimal int always fits in 32 bytes.
		char cwdbuf[32];
		sprintf(cwdbuf, "./%d", iter);
		if (mkdir(cwdbuf, 0777)) exit(1);
		int pid = fork();
		if (pid < 0) exit(1);
		if (pid == 0) {
			if (chdir(cwdbuf)) exit(1);
			execute_one();
			exit(0);
		}
		int status = 0;
		uint64_t start = current_time_ms();
		for (;;) {
			if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) break;
			sleep_ms(1);
			if (current_time_ms() - start < 5 * 1000) continue;
			kill_and_wait(pid, &status);
			break;
		}
		remove_dir(cwdbuf);
	}
}

// Result slots shared between calls; r[0] keeps its all-ones initial value
// until the socket() call in case 5 succeeds.
uint64_t r[1] = {0xffffffffffffffff};

// Executes step `call` (0..12) of the generated program. Arguments are built
// at fixed addresses inside the region that main() maps at 0x10000000.
void execute_call(int call)
{
	intptr_t res = 0;
	switch (call) {
	case 0:
		memcpy((void*)0x10000000, "./file0\000", 8);
		// SYS_freebsd12_shm_open is the identifier clang rejects as undeclared
		// in the error that follows this listing; presumably the <sys/syscall.h>
		// on the build host does not define it - TODO confirm.
		syscall(SYS_freebsd12_shm_open, 0x10000000, 0x800, 0xc9);
		break;
	case 1:
		syscall(SYS_shmdt, 0);
		break;
	case 2:
		memcpy((void*)0x10000140,
"\x1a\xe7\x45\xec\xdf\x4d\xdb\x7e\x44\x74\x7b\x1e\xb3\xa3\x61\x85\x5e\xf7\xa8\x74\x8b\x3a\x32\xb4\x7f\xdf\x40\x09\x33\xe0\x69\x30\xef\x3f\xe6\xb0\x88\x37\x3f\x29\x9a\xfa\x26\xd7\xc3\xa6\xa7\x2b\xd7\xc4\x2b\xdf\xf8\xbd\x0d\xbe\x00\xa3\xc7\x43\xda\x0b\xf8\xbf\x75\x59\x8d\x38\x32\xb0\x89\x2b\xfe\x16\x75\x07\x1b\x14\x99\x7e\x47\xcb\xca\x02\x03\x6c\xcd\x95\xa2\xab\x18\x8a\x9c\x7e\x79\x1e\x60\xac\xa1\x0d\x90\x82\xd5\x5b\x00\xdc\x9f\xbb\x38\xdb\x32\x06\x2f\x30\x12\x6f\xa7\xc1\x92\x01\x6e\xaa\x62\x96\xd0\x07\x32\xdc\x64\x91\xb6\x69\xed\x05\xaa\x34\x24\xa9\x64\x12\xad\xb9\xfe\x4f\x55\x4b\x49\x2e\xd2\xea\x1a\xfc\xfa\x66\xeb\x4c\x2e\x3c\x1c\x32\x97\x80\xdd\xb3\x1b\x8f\x54\xa7\x3a\xc0\x65\x25\x69\x45\xd5\x45\x7b\x3e\x70\x33\xc8\xed\x44\xf9\x03\x02\x11\xc7\x1c\xcd\x6d\xaa\xfe\x7e\x7b\xb5\x91\x6c\x63\x66\x11\x79\xd2\xfd\xba\xdf\xed\xb8\x5a\xbf\xa6\x76\x04\x4d\x98\x87\xf4\xd4\x1e\xbb\xbc\xa1\x83\x85\x87\xf0\xb3\x48\xc1\x64\xde\xcc\x4c\xca\xaf\xa5\x73\x37\x2d\x8b\xe6\x2a\x69\xad\xcb\xf9\xd3\x60\xff\xfb\xdf\x29\x53\x0a\x07\x7c\x7e\x9d\x84\x12\x3b\x09\x56\xd1\xaf\xa3\x97\xb6\xc5\x40\x97\xaa\x48\xd7\x3d\x3e\x26\x81\xb6\x5e\x3e\x69\xd0\xcb\x28\x8a\x52\x53\xe7\x42\x2c\x88\x60\x6a\x54\x3e\x32\x03\x8f\x26\x0e\x19\xe0\x3d\xb6\x0d\xa6\xea\x00\x2c\x9f\x20\x58\x71\xd6\x03\x32\x31\x20\x2d\x4a\x21\x5f\xfe\x80\x22\xf4\x9f\xbb\x17\xc6\xcd\xfd\xbc\x13\xda\x45\x99\x15\x9c\x4e\x04\x72\xc5\x4c\xa2\x6e\x14\xd6\x99\x0d\x73\x3e\x45\x54\x0a\xcc\xa6\x3c\x7b\x3a\x21\xd3\x9e\x6e\xfa\x91\x33\x87\x29\x7d\xa5\xf4\x68\x35\x4d\x4c\x99\x87\x8d\x74\x5b\x6c\x92\xb7\x48\xfb\x67\x43\x07\xf4\xb2\x2f\x7d\xf3\x1f\x25\x4c\x0b\x43\xb2\x61\x69\xc2\xe1\xf7\xf0\x80\x85\xf9\xff\x22\xe7\x0f\x00\xf9\x70\x57\x90\xdd\x80\xca\x43\x0d\x5a\xc6\x2a\xa0\xa7\x9d\x1e\x84\x97\x98\x8b\x60\x68\xdb\x2f\xa5\x15\xde\x9e\xb0\x71\x65\x59\x75\x81\x1b\x6a\xb8\xb8\xe0\x53\xa6\x36\x34\x29\xf9\x43\x48\x99\x1e\xaa\x80\xd7\xdc\x42\x3b\xe4\x9e\xba\xb2\xd7\x4f\xaf\x7b\x9f\xff\x03\xf2\xd0\x6c\x28\x6f\xb2\x01\xbe\x54\xc6\xca\x10\xd6\x62\x9f\xbd\x0d\x0e\x1
4\x32\xe6\x38\xbe\x82\xbd\x3b\xe0\x39\xd7\xe9\x76\x54\x97\x3e\x2c\x7c\x2b\xa6\x5b\x3c\x6e\x77\x76\xfa\x16\xde\xe0\x91\x13\xd8\xa4\x74\x16\xee\x7b\x67\xf2\x7e\xc0\x89\x89\x30\x42\x35\xab\x6f\x3d\xdb\xbb\xc6\xfe\x84\xa5\x8f\x7a\xaf\x50\x85\x3a\xf6\x72\xda\xd5\x3e\x00\x0b\x59\x42\x71\xc3\xc7\x35\x09\xcf\xb2\x92\xc1\xf7\xae\xe7\xaa\x2e\xa7\x72\x1e\x15\xe5\x7a\x3b\x54\xa5\xb0\xe5\xef\xe8\xd9\xdb\x18\x52\xf1\xbb\x94\xf8\xb6\xfd\xd9\x2d\xc1\x8b\x86\xf4\xea\x29\x82\xb6\x3a\xc8\xc1\x21\xb7\x37\x1e\x6c\x6a\xe6\xba\xe0\x44\xff\x5a\xbb\x5a\x7a\x2b\x07\x7e\xd8\x2a\x81\x73\x6d\xd9\x05\xdc\x34\x91\xd0\x48\x73\x71\x4b\x33\x1c\x87\x43\x56\xe3\x28\xf3\x24\x51\xc6\xf4\x56\xf6\xc0\xcd\x2b\x1e\x0c\x81\x9c\x3f\x9a\x9c\x73\x6b\x22\xee\x97\xfa\x00\x1b\x37\x81\x8d\x48\xc4\x3b\x5a\x94\x49\x4d\x5f\xe6\xb9\x72\x51\xc7\x1e\x20\xbc\x7e\x31\x38\xa6\x1c\xe2\x3d\x37\x30\x81\xb5\x99\xd6\x8b\xa3\x6b\x88\xa5\x93\x8b\x11\x7a\x4a\xe1\xc1\x50\x99\xcb\xf9\x01\x76\x25\xfd\xb0\x60\xea\xc5\xe1\xed\x70\x09\x48\x1f\xc5\x84\x09\xae\xcb\xf4\x4b\x4d\x21\xa2\x57\x42\x6c\xac\x67\xa9\xa0\xf5\x06\x2d\x09\xf9\x20\x9a\xc0\x2a\xa3\x87\x8e\x73\x7f\xe8\xe3\xa4\x26\x0f\x1c\x64\xb5\xc5\xcb\x07\x1a\xc1\x25\xaa\x5e\x4e\x35\x94\x43\x68\xc1\xdc\x5e\x0c\xc9\x6a\x11\xd7\x7c\xff\xf5\x39\xef\x38\xa0\x77\x42\x8a\x01\xdc\x21\x74\x8b\x73\x42\xba\xd2\xa2\x61\x4c\x1b\x32\xd5\x0d\x2a\xa9\xba\x9b\x39\x1d\xcc\x58\x24\xf2\x16\x37\xff\x62\x94\xb5\xdc\xfb\x6f\xc2\xa8\xbb\x0b\x2e\xa2\x51\x48\x68\xf0\x82\xb7\xd2\x43\x35\xf7\x2b\xf1\x30\xac\xc7\xf6\x89\x72\x59\x39\x4e\xa8\x22\x05\xfe\xc9\xad\x75\xa0\x88\xc1\x20\x0a\x94\xea\xac\x0a\x8b\x05\xaf\x97\x6f\x1a\x4a\x98\x3e\x8d\xbe\xe9\xa0\x3a\x21\x5e\x15\xe1\x8e\x19\x58\xda\x32\x7c\x54\xea\x41\x1f\x76\xa3\x7c\x54\x49\xd1\x64\xb6\xe2\xa9\x15\x19\xf0\x82\x0c\x1c\xc4\xbd\x8a\x3e\xf9\x52\x1a\xb1\xdc\xe8\xa1\xe5\x30\x6f\x91\x05\x0e\xd6\xb4\x44\xf5\xcc\x8d\x19\x45\x26\x3b\x86\xc9\x99\x08\x8d\x10\xbf\xc1\xb0\x53\x43\xa7\xae\xdd\x9a\x84\x18\x8b\x84\xca\x09\x43\x0e\x32\xf7\x36\x23\xd1\xa0\xfb\xcf\x18\x6e\xfc\x1
1\x3e\x44\xb9\xf0\x46\x0c\xb9\xd8\x5f\x19\x23\xcb\xbc\xd1\x6d\xf5\x02\x47\x41\xad\x93\x0a\xa8\x3b", 1024); memcpy((void*)0x10000540, "\xa1\x6d\x9b\x50\xc6\x73\x92\x4a\x48\x93\x24\xb1\xa0\x91\xac\xfa\x28\x06\xd3\x2c\xa4\x52\x1d\x98\x54\x09\x7f\x84\x9d\x80\x1f\x7d", 32); *(uint32_t*)0x10000560 = 0xf55; *(uint8_t*)0x10000564 = -1; *(uint32_t*)0x10000568 = 0x10000040; memcpy((void*)0x10000040, "\x0b\xa5\xf6\x76\x37\xb2\xcc\x89\x9f\xb4\x3f\x77\x46\x7c\xd2\x48\x4a\xe4\x3d\x75\x01\x0e\x98\x6c\x71\x22\x7d\xd2\x93\x1a\x38\xbe\xed\x82\x72\xdc\x4e\x16\x5f\xd2\x50\x0e\xe8\xd9\xe9\x4d\x1b\x28\xeb\xee\x4e\x17\x48\x9c\x1a\xc7\x43\x7f\xce\x62\x48\xe6\x1b\xd9\x6b\x41\xdf\xab\x13\xb9\x74\x49\xfb\xe3\x69\x90\xde\xcd\x75\x3c\xa4\x68\x3b\x9f\x0c\x66\xb0\x85\x44\x3b\x32\x44\x81\x78\x89\x6c\xae\x1b\x56\xf2\x80\xff\x82\xb1\xd6\x43\xf0\x10\xa7\xa2\x85\xc8\x3f\x85\x61\x23\xc6\x09\x57\x04\xf1\xde\xd1\xfa\xf9\xb6\x54\x9e\xbb\x84\x2e\x6b\xe2\x3d\xa0\x15\x7a\xba\x64\x6c\xbb\xdd\xa1\xa5\xc7\x12\x23\x9c\x6a\x38\x53\x27\xc6\x0e\xd3\xb1\x5f\xb3\x48\xfa\x8a\x26\x95\x42\x23\x14\x34\x94\x8f\x98\xec\x31\xc7\xb1\x81\xb4\xba\xce\x16\xe8\xd4\xf7\x3b\x54\x77\x2a\xb9\x3a\x8c\x06\xfa\x94\x1f\x20\xdf\x62\x53\x08\xfe\x12\xe4\x0f\x52\x8d\x55\x18\xf9\xb6\x96\x37\xdf\xc0\x04\xf0\x03\x63\x78\x2f\x21\x52\x6d\x76\xa6\x70\x74\xef\xcc\x81\x09\x39\xc4\x59", 232); *(uint64_t*)0x1000056c = 0x10001; *(uint64_t*)0x10000574 = 0xd6a4; *(uint64_t*)0x1000057c = 0x6781; *(uint64_t*)0x10000584 = 5; *(uint64_t*)0x1000058c = 0; *(uint64_t*)0x10000594 = 3; *(uint64_t*)0x1000059c = 1; *(uint32_t*)0x100005a4 = 0x100; syscall(SYS_ioctl, -1, 0xc450443e, 0x10000140); break; case 3: memcpy((void*)0x100005c0, 
"\x93\x9d\x74\xa0\x8d\x50\xea\xdd\xab\xaf\x8e\x73\x9e\x2b\x76\xf3\x2d\xda\x63\x62\x74\x10\xe5\x5b\x37\xf9\x04\xf8\x5f\x2a\x4d\x8e\xae\x18\x23\x42\xad\x13\xf8\x75\x97\xd2\xae\x0b\xab\x40\xaa\xc1\x55\xaf\x85\xeb\x43\xbe\xdf\xa0\x4d\xa9\xac\xe9\x73\x25\xf4\x92\xba\xef\xea\xc8\x18\xab\xf5\x71\xaf\xc7\xfc\xa0\x76\x10\x3f\x6f\x2b\x33\x25\xa6\xcb\xe7\xae\x16\x73\x16\xb9\xb0\x39\xd7\xa6\xed\xa3\x11\x48\x70\xfb\x90\x8f\xc5\x17\x52\xc0\xf4\x73\x96\xa3\x3d\x2e\xad\x7f\x90\xeb\x30\xf5\x62\x6b\xaf\xfa\x4e\xc8\x62\x86\x72\xba\xa7\x4e\x1a\x67\x9a\xe4\xbd\x75\xcc\x3d\xd3\xd0\x99\xd8\x60\xf7\x22\x63\x44\x23\x64\x23\x01\x0d\xb4\x6e\xb6\xed\xad\xcd\xbf\xe1\x09\x5b\xe6\x36\x23\x01\x2a\xf3\x6e\xdf\xd0\xcb\x74\x8a\x9f\x42\xe8\xa3\xaa\x39\x10\x61\x6f\x6f\xcc\xbb\x9c\x23\x09\xa5\xa8\x07\xf4\xe1", 195); syscall(SYS_ioctl, -1, 0xc088444f, 0x100005c0); break; case 4: *(uint32_t*)0x10000700 = 4; syscall(SYS_getsockopt, -1, 0x29, 0x13, 0x100006c0, 0x10000700); break; case 5: res = syscall(SYS_socket, 2, 0x10000000, 5); if (res != -1) r[0] = res; break; case 6: *(uint32_t*)0x10000780 = 4; syscall(SYS_getsockopt, (intptr_t)r[0], 0x84, 5, 0x10000740, 0x10000780); break; case 7: *(uint32_t*)0x100007c0 = 0; *(uint16_t*)0x100007c4 = 0xfff; syscall(SYS_setsockopt, (intptr_t)r[0], 0x84, 0x15, 0x100007c0, 8); break; case 8: *(uint32_t*)0x10000800 = 0x40; *(uint32_t*)0x10000804 = 2; syscall(SYS_setsockopt, (intptr_t)r[0], 0xffff, 0x1005, 0x10000800, 8); break; case 9: *(uint8_t*)0x10000840 = 0x1c; *(uint8_t*)0x10000841 = 0x1c; *(uint16_t*)0x10000842 = htobe16(0x4e21); *(uint32_t*)0x10000844 = 0xffff02b3; *(uint8_t*)0x10000848 = -1; *(uint8_t*)0x10000849 = 2; *(uint8_t*)0x1000084a = 0; *(uint8_t*)0x1000084b = 0; *(uint8_t*)0x1000084c = 0; *(uint8_t*)0x1000084d = 0; *(uint8_t*)0x1000084e = 0; *(uint8_t*)0x1000084f = 0; *(uint8_t*)0x10000850 = 0; *(uint8_t*)0x10000851 = 0; *(uint8_t*)0x10000852 = 0; *(uint8_t*)0x10000853 = 0; *(uint8_t*)0x10000854 = 0; *(uint8_t*)0x10000855 = 0; *(uint8_t*)0x10000856 = 0; 
*(uint8_t*)0x10000857 = 1; *(uint32_t*)0x10000858 = 3; *(uint64_t*)0x1000085c = 0; *(uint64_t*)0x10000864 = 0; *(uint64_t*)0x1000086c = 0; *(uint64_t*)0x10000874 = 0; *(uint64_t*)0x1000087c = 0; *(uint64_t*)0x10000884 = 0; *(uint64_t*)0x1000088c = 0; *(uint64_t*)0x10000894 = 0; *(uint64_t*)0x1000089c = 0; *(uint64_t*)0x100008a4 = 0; *(uint64_t*)0x100008ac = 0; *(uint64_t*)0x100008b4 = 0; *(uint32_t*)0x100008bc = 0; syscall(SYS_setsockopt, (intptr_t)r[0], 0x84, 6, 0x10000840, 0x80); break; case 10: *(uint8_t*)0x10000000 = 0xaa; *(uint8_t*)0x10000001 = 0xaa; *(uint8_t*)0x10000002 = 0xaa; *(uint8_t*)0x10000003 = 0xaa; *(uint8_t*)0x10000004 = 0xaa; *(uint8_t*)0x10000005 = 0xaa; memcpy((void*)0x10000006, "\x14\x70\xd7\xfc\xe0\x4b", 6); *(uint16_t*)0x1000000c = htobe16(0x8100); STORE_BY_BITMASK(uint16_t, , 0x1000000e, 6, 0, 3); STORE_BY_BITMASK(uint16_t, , 0x1000000e, 1, 3, 1); STORE_BY_BITMASK(uint16_t, , 0x1000000e, 8, 4, 12); *(uint16_t*)0x10000010 = htobe16(0x806); *(uint16_t*)0x10000012 = htobe16(0x18); *(uint16_t*)0x10000014 = htobe16(0x8100); *(uint8_t*)0x10000016 = 6; *(uint8_t*)0x10000017 = 7; *(uint16_t*)0x10000018 = htobe16(8); *(uint8_t*)0x1000001a = -1; *(uint8_t*)0x1000001b = -1; *(uint8_t*)0x1000001c = -1; *(uint8_t*)0x1000001d = -1; *(uint8_t*)0x1000001e = -1; *(uint8_t*)0x1000001f = -1; memcpy((void*)0x10000020, "\x76\x45\x66\xc7\x98\x12\xc1", 7); *(uint8_t*)0x10000027 = -1; *(uint8_t*)0x10000028 = -1; *(uint8_t*)0x10000029 = -1; *(uint8_t*)0x1000002a = -1; *(uint8_t*)0x1000002b = -1; *(uint8_t*)0x1000002c = -1; memcpy((void*)0x1000002d, "\xbf\x12\xd9\x2c\xdf\xdf\x96\x3f\xc3\xd5\xdf\x8a\x58\x08\x19\xc1", 16); break; case 11: memcpy((void*)0x10000040, "\xc0\xf6\xaa\xf0\x83\x08\x4c\xc4\xc2\x7d\x1a\x05\x1b\x00\x00\x00\xc4\xe1\x2f\x59\x9e\x00\x80\x00\x00\xc4\xe1\xb9\xf2\x53\x00\x7c\x03\xdb\xe0\xc4\xc1\x31\x6d\x80\x00\x00\x00\x80\x3e\x66\x0f\x38\x07\xa9\x00\x00\x80\x10\xc4\xe1\x6f\xd0\x16", 59); syz_execute_func(0x10000040); break; case 12: break; } } int 
main(void) { syscall(SYS_mmap, 0x10000000, 0x1000000, 7, 0x1012, -1, 0); use_temporary_dir(); do_sandbox_none(); return 0; } :309:11: error: use of undeclared identifier 'SYS_freebsd12_shm_open' syscall(SYS_freebsd12_shm_open, 0x10000000, 0x800, 0xc9); ^ 1 error generated. compiler invocation: clang [-o /tmp/syz-executor962329165 -DGOOS_freebsd=1 -DGOARCH_386=1 -DHOSTGOOS_freebsd=1 -x c - -m32 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -static -lc++ -Wno-overflow] --- FAIL: TestGenerate/freebsd/386/11 (2.26s) csource_test.go:121: --- FAIL: TestGenerate/freebsd/386/13 (1.34s) csource_test.go:121: --- FAIL: TestGenerate/freebsd/386/14 (1.68s) csource_test.go:121: --- FAIL: TestGenerate/freebsd/386/9 (1.47s) csource_test.go:121: --- FAIL: TestGenerate/freebsd/386/12 (1.19s) csource_test.go:121: FAIL FAIL github.com/google/syzkaller/pkg/csource 15.972s ok github.com/google/syzkaller/pkg/db (cached) ok github.com/google/syzkaller/pkg/email (cached) ? github.com/google/syzkaller/pkg/gce [no test files] ? github.com/google/syzkaller/pkg/gcs [no test files] ? github.com/google/syzkaller/pkg/hash [no test files] ok github.com/google/syzkaller/pkg/host 1.290s ? github.com/google/syzkaller/pkg/html [no test files] ok github.com/google/syzkaller/pkg/ifuzz (cached) ? github.com/google/syzkaller/pkg/ifuzz/gen [no test files] ? github.com/google/syzkaller/pkg/ifuzz/generated [no test files] ok github.com/google/syzkaller/pkg/instance 3.178s ok github.com/google/syzkaller/pkg/ipc 6.174s ? github.com/google/syzkaller/pkg/ipc/ipcconfig [no test files] ? 
github.com/google/syzkaller/pkg/kcidb [no test files] ok github.com/google/syzkaller/pkg/kconfig (cached) ok github.com/google/syzkaller/pkg/kd (cached) ok github.com/google/syzkaller/pkg/log (cached) ok github.com/google/syzkaller/pkg/mgrconfig (cached) ok github.com/google/syzkaller/pkg/osutil (cached) ok github.com/google/syzkaller/pkg/report (cached) ok github.com/google/syzkaller/pkg/repro 1.505s ? github.com/google/syzkaller/pkg/rpctype [no test files] ok github.com/google/syzkaller/pkg/runtest 66.549s ok github.com/google/syzkaller/pkg/serializer (cached) ? github.com/google/syzkaller/pkg/signal [no test files] ok github.com/google/syzkaller/pkg/symbolizer 0.402s ok github.com/google/syzkaller/pkg/vcs 9.122s ok github.com/google/syzkaller/prog (cached) ok github.com/google/syzkaller/prog/test (cached) ? github.com/google/syzkaller/sys [no test files] ? github.com/google/syzkaller/sys/akaros [no test files] ? github.com/google/syzkaller/sys/akaros/gen [no test files] ? github.com/google/syzkaller/sys/freebsd [no test files] ? github.com/google/syzkaller/sys/freebsd/gen [no test files] ? github.com/google/syzkaller/sys/fuchsia [no test files] ? github.com/google/syzkaller/sys/fuchsia/fidlgen [no test files] ? github.com/google/syzkaller/sys/fuchsia/gen [no test files] ? github.com/google/syzkaller/sys/fuchsia/layout [no test files] ok github.com/google/syzkaller/sys/linux (cached) ? github.com/google/syzkaller/sys/linux/gen [no test files] ? github.com/google/syzkaller/sys/netbsd [no test files] ? github.com/google/syzkaller/sys/netbsd/gen [no test files] ok github.com/google/syzkaller/sys/openbsd (cached) ? github.com/google/syzkaller/sys/openbsd/gen [no test files] ? github.com/google/syzkaller/sys/syz-extract [no test files] ? github.com/google/syzkaller/sys/syz-sysgen [no test files] ? github.com/google/syzkaller/sys/targets [no test files] ? github.com/google/syzkaller/sys/test [no test files] ? github.com/google/syzkaller/sys/test/gen [no test files] ? 
github.com/google/syzkaller/sys/trusty [no test files] ? github.com/google/syzkaller/sys/trusty/gen [no test files] ? github.com/google/syzkaller/sys/windows [no test files] ? github.com/google/syzkaller/sys/windows/gen [no test files] ok github.com/google/syzkaller/syz-ci 1.422s ok github.com/google/syzkaller/syz-fuzzer (cached) ok github.com/google/syzkaller/syz-hub (cached) ok github.com/google/syzkaller/syz-hub/state (cached) ? github.com/google/syzkaller/syz-manager [no test files] ? github.com/google/syzkaller/tools/syz-benchcmp [no test files] ? github.com/google/syzkaller/tools/syz-bisect [no test files] ? github.com/google/syzkaller/tools/syz-check [no test files] ? github.com/google/syzkaller/tools/syz-cover [no test files] ? github.com/google/syzkaller/tools/syz-crush [no test files] ? github.com/google/syzkaller/tools/syz-db [no test files] ? github.com/google/syzkaller/tools/syz-execprog [no test files] ? github.com/google/syzkaller/tools/syz-expand [no test files] ? github.com/google/syzkaller/tools/syz-fmt [no test files] ? github.com/google/syzkaller/tools/syz-hubtool [no test files] ? github.com/google/syzkaller/tools/syz-kcidb [no test files] ? github.com/google/syzkaller/tools/syz-kconf [no test files] ok github.com/google/syzkaller/tools/syz-linter 8.233s ? github.com/google/syzkaller/tools/syz-make [no test files] ? github.com/google/syzkaller/tools/syz-minconfig [no test files] ? github.com/google/syzkaller/tools/syz-mutate [no test files] ? github.com/google/syzkaller/tools/syz-prog2c [no test files] ? github.com/google/syzkaller/tools/syz-reporter [no test files] ? github.com/google/syzkaller/tools/syz-repro [no test files] ? github.com/google/syzkaller/tools/syz-reprolist [no test files] ? github.com/google/syzkaller/tools/syz-runtest [no test files] ? github.com/google/syzkaller/tools/syz-showprio [no test files] ? github.com/google/syzkaller/tools/syz-stress [no test files] ? 
github.com/google/syzkaller/tools/syz-symbolize [no test files] ? github.com/google/syzkaller/tools/syz-testbuild [no test files] ? github.com/google/syzkaller/tools/syz-trace2syz [no test files] ok github.com/google/syzkaller/tools/syz-trace2syz/parser (cached) ok github.com/google/syzkaller/tools/syz-trace2syz/proggen (cached) ? github.com/google/syzkaller/tools/syz-tty [no test files] ? github.com/google/syzkaller/tools/syz-upgrade [no test files] ? github.com/google/syzkaller/tools/syz-usbgen [no test files] ok github.com/google/syzkaller/vm 9.560s ? github.com/google/syzkaller/vm/adb [no test files] ? github.com/google/syzkaller/vm/bhyve [no test files] ? github.com/google/syzkaller/vm/gce [no test files] ? github.com/google/syzkaller/vm/gvisor [no test files] ok github.com/google/syzkaller/vm/isolated (cached) ? github.com/google/syzkaller/vm/kvm [no test files] ? github.com/google/syzkaller/vm/odroid [no test files] ? github.com/google/syzkaller/vm/qemu [no test files] ok github.com/google/syzkaller/vm/vmimpl (cached) ? github.com/google/syzkaller/vm/vmm [no test files] ? github.com/google/syzkaller/vm/vmware [no test files] FAIL