ok github.com/google/syzkaller/dashboard/app (cached) ? github.com/google/syzkaller/dashboard/dashapi [no test files] ok github.com/google/syzkaller/executor 0.894s ok github.com/google/syzkaller/pkg/ast 1.438s ok github.com/google/syzkaller/pkg/bisect 84.829s ok github.com/google/syzkaller/pkg/build 1.041s ? github.com/google/syzkaller/pkg/cmdprof [no test files] ok github.com/google/syzkaller/pkg/compiler 7.346s ok github.com/google/syzkaller/pkg/config (cached) ? github.com/google/syzkaller/pkg/cover [no test files] --- FAIL: TestGenerate (5.36s) --- FAIL: TestGenerate/freebsd/386 (1.66s) csource_test.go:67: seed=1602231936037585192 --- FAIL: TestGenerate/freebsd/386/6 (1.17s) csource_test.go:123: opts: {Threaded:true Collide:false Repeat:true RepeatTimes:0 Procs:4 Sandbox:none Fault:false FaultCall:0 FaultNth:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false USB:false VhciInjection:false Wifi:false UseTmpDir:true HandleSegv:false Repro:false Trace:false} program: ioctl$DIOCRTSTADDRS(0xffffffffffffffff, 0xc4504449, &(0x7f0000000080)={{"c33ae1d7ace1241b1c03eaefebf74db163915a0bf1b388f6c36d59c77891254f65b0c984fc2be1b080c3b8c3d5d42292e58ea3e02d3b74272f3656e00e4d131b3b07713fd9cb86b40808514f58bbf7d626ad55439d194e4acade743a7354457424539c29442e24022a9f68154fa633c3e609a5e371789177d16a8405b3a4703f49372a512ba8ee4a3851f79b01ab4a3f3cf65f410399a271347b2c68cd28c5f5904ef5d4612399dc9e8a0829ae73c99c50f0f576bf16d38efcbf66476b785431a5e93171168e0fbcdbd6d3cf1ba657ecf14ba60f6e8f18e0da4d7a13db337b7508b7b7de2ff1de6a7bb94e8b8143d4ad6188501d04302cde08629001bfca810e5533adeb14a0ee4c8d244694e091a5d177608a3850188eb6f839a7c626d3dc390bc9a0e9faa35c7d10229d14382e2031e8aa3f7cd066bb6bc0e8f6259d365502a85d13d71bd1ab5ef28a701925e23beb531ca1a93101a0db35a6e8d797d46f053d4562b0c3896cfb91669869f82259c073c4eb7b65afa62b0a37ff5ead5be57187a37ce3c5af9b37d50a89c28f8fed5953173f8df188ba31f5dfd3973e12edf11ae5917eb0657b3796f76784c03c1aa13a7b1a15ddf54ed277387f7ea4057b81b1126391d5d37ac2c878f68444613d8c942510e03ffe6b6813268f4b067c8793642023b5ca52a7fcbb7f96f675f87b82ddec5507168d1fd3b4c166cd5cd12d68a266f1b2eaee4159b990b9d62e88844752ee03ff4adc97a993618c0c856c0c2bfe4760389cef292861251120a1c36147f33f5a217ed56da6858721fc11aacc711cfa74e7d60cb1e27263995fc9c49dd3a37b34872acd3b31ef031cd39ea4e0ff2635f44e8b561cbcdf2095d3cee586d296985153644b802f69ea2e11fa1e71be713c49e8a7475f26eec3fad432cfeecaff2a84a91e3ad7cb6e2cea970fa3aa2861c5571958783dc339462f2b5235e8139e6f292f98ffaf46150b32dbd906b13ff5d6a45f4401f77971df4ecf24d7c9618b57f5d40a674b4b2d4c7da929b5a187c3bf773c882d48a3b90ac191f651bcc38ac462264e6dc4db77e8e8631e3aed0bd0d2c0b62baf69bd5ebdea1440256d7d5998dcb0c9bd7c3d191fd8254e82b92a3183601a8d5a98737f6631a7b3dd58fe77a557cfc7b5d00376db39ec531d396affab1d89135c3fe860d313a240e6582ef96d18781702eaba44036558294bd3f20650674928191ac8553697fd654475575fb16d4466190c14f686e6bca7ab1e919c37814bf6c1c9905106ff673f1a4f5969b0b8194f62b21f0fe4e8980b87d1962813029f7bc998c955de450f7a4b8efe45036e881bf9547269211ec700c23b26590120ecb904fa41acae742afe32c72404e1520a0eea2d02b0703efb2b0a495005083abb84a59f2055b70e0c39160ef59e034c68c4435f3e838ca2ffa3e343d6", "138ccaa45ad3df6da8a039dc2887ebe89dab7a81e1f6de3b8e1abca71f8fbc2a", 0x8, 0x40}, &(0x7f0000000000)="504164a018f8c2ab990fb138243a70bd1f9a5a21226eb18c830cd2aee4cfa0165754b334163230f4aac7a16f736d4efa94ea1f0266595ca44bfed993e0ae9226e10a4fb125bfc2ae29e2431c6972", 0x9, 0x2, 0x2, 0x6, 0x80000000, 0x81, 0x40, 0x5}) ioctl$DIOCRCLRTSTATS(0xffffffffffffffff, 0xc4504441, &(0x7f0000000540)={{"5a74125d9b2c6db6fa88cd72b2e4b45a4bb5343951f9de38b63392fff5edac8795d2beab5485383a33632bdbbf6f496ff138614dc9f9516e111cc5aa4570ca19d4497b89b258f65b710d4d3f4e1dafe43f70baf51da5e101069884b3b8f5358cf7e246d24cdc123b10ba6605ba46ae5178d1fe2c4b2c9fa3f3f3c145ae6066e31d33768591341acf8fad9033b9ced22813d20dc77eedce619c7bb65ba0a889e0fefb8281c0a88ee64a29746b6ff0e9d2db70e8180bdee380f08fb194dce295e1eaa893709be9bfe39775c4232328159ad9c3aa4224dd0cbe3341145b89f6f9c170e619f590b0bf0493b74973f4fba6b974f2bdee806b5c604cc8222b1543f6693a85d96b56b09110bb8928e8016dfd309b61c579a6c345887f50be646f182829b1ab66a27db812eb4cacba79bc9d98cb18310940f74a4602cb85692b42fe8a99c95ae91a67195c048d2000ae4350f89baffd5c7d292e228f25c7eb924fc8693ee38573287e389e35746fbaa37ab9b770b351e367bf05e00d7dbd68db30b87975757cb251365916cda5a363ff40d96aaf33233bb14115dab9efe4649e40f2e5e01db2d65a3043302d9f1f08595a448cccb7a717c6954c7233411d08e1140f2ac5fb625cd1b6b6586561e66ded23f69e3d017a64bd221f2d3f274d846940aab424e829050ee33dd6ce69cc50c693ad316a7f90817317b21f719016c31c22d9ca46cfcb467122979e8c55f690c49b89b04564ce70f96ebd09edb40687017be21c8f567d6b152bcc830736a9320181d88a979e506b50acb148545987b361023ca78bdde928624018aeae51e3f86c3b540b16051d3881a98d1aa02910c94460a0f95310c25bf7a996e41c17f2399e760323b4f417bfc5225d705468066faf9027404c4271fc37ecf73f1470a998274a79286baed6ca7c4a88c827e96b4ea96f0bf23ff9afaded0937704cc63d24b3bcf0d62551d7a8f300114437c624d2c14e90d084aefe7963a2a88882eda723c328c360a296f98ea7fd565a4b58222c1b4e89dabc7078fff6f23ceebcedb8813d3712d3c7f7f6f083fbb19e724a2027f16f1c8e2f660112421ba698699a0481330c0baca6b7b8e4515006178e1b078b6ca6306b9aedf73f0ce22da0a0637929ab2a917cf65300bf90f2378ab6494a04bcf87b9afb7eb746fb016cb6db0ba3faa85ca8f51b7e9bd8a9cd9c79fb77730f0eaf32be459cde898e323a9ed52951f8cbb25ed095b4d53c02bbef1e646dd556a9b69e2dd55f5bba3c7e3548bd01227f2b4d28f2597e4cb2f48232fa0a9adad4db26d412f2c698f03195a68d5548ea1991fa68a7a23d552cd61b2bc69513b1cf737c252fb9aac500262c9e47b9a680c74c7a060083d59165386982b5053f5683537ba139d61f494ac501142300efbc216cf4b9390de0ab29400bcdf5dea05156c1301df3f0", "21c62cdf3e9152798235fbe946d77dc7a78f8ed9d987a3e5964236d1a7081389", 0x7, 0x85}, &(0x7f0000000500)="52b4622b0f6dc8eee7e26956deb6651f580fa2cd", 0x9, 0x3f, 0x401, 0x7fffffff, 0x10000000000, 0xfff, 0x100000000000000, 0x1}) syz_emit_ethernet(0x9d, &(0x7f00000009c0)={@random="5374adcfed27", @empty, [], {@ipv6={0x86dd, {0x9, 0x6, "d88240", 0x67, 0x8b, 0x0, @empty, @loopback, {[], @generic="f4b4cf43a7aef20c31e14bee9247103031ea180ffe1999bfb047b666122e7a31f3bbb765984dd66d0048dd884c5046769fda23d1698a23839cf3afbf15305873bb5343f5d2c95230a99726afd87dcdcda40de7adeac5954ec93c0c6c3d669177e7f932bd8d9833"}}}}}) setsockopt$inet_sctp_SCTP_FRAGMENT_INTERLEAVE(0xffffffffffffff9c, 0x84, 0x10, &(0x7f0000000a80), 0x4) r0 = fcntl$dupfd(0xffffffffffffff9c, 0x11, 0xffffffffffffff9c) ioctl$DIOCADDADDR(r0, 0xc4704434, &(0x7f0000000ac0)="50e16a4f1711c681ab660d59a3d967a097bb87f063f4c49ba1a443373d02dee51448a79f1acb5a806f25197c29a6ad5c10db0a546c3a5014ab8c80b4f8594c1b9d424603") __realpathat(r0, &(0x7f0000000b40)='./file0\x00', &(0x7f0000000b80)=""/5, 0x5, 0x0) accept(r0, &(0x7f0000000bc0)=@in6={0x1c, 0x1c, 0xffffffffffffffff, 0x0, @loopback}, &(0x7f0000000c00)=0x1c) ioctl$DIOCGETLIMIT(r0, 0xc0084427, &(0x7f0000000c40)={0x5, 0x2}) lchmod(&(0x7f0000000c80)='./file0\x00', 0x2) syz_emit_ethernet(0xfd, &(0x7f0000000000)={@local, @local, [{[{0x88a8, 0x1}], {0x8100, 0x2, 0x0, 0x1}}], {@ipv4={0x800, {{0x11, 0x4, 0x2, 0x3, 0xe7, 0x66, 0xffff, 0x0, 0x5d, 0x0, @broadcast, @multicast1, {[@generic={0x44, 0x6, "0183b4a4"}, @noop, @generic={0x1, 0x11, "db1f84f685ce60f91e893688e964b3"}, @ra={0x94, 0x6, 0x552b3dec}, @end, @generic={0x86, 0xf, "c40a262ab08ecf148a552aaa89"}]}}, @icmp=@echo={0x8, 0x0, 0x0, 0x1f, 0xae36, "1463e381bd0e99fd714be2890e54547495f86cacd73055376f19207bad31a13734aacba28e2ec27c9e3e30cae344d1d5dc20121b300a4503f9d4d6ba08661f056ed270cecb2bd72449700fb8cfb544ca92b4ca73ae6fb35cbc90e49937757ea5a54d78dbb0aac5f93a36c7b5adc975cdb1eb9463065cde071923f7f8771792e8b7541e60f7a93958bb128b93ce90d887fcb062235bd38ab0c6299b"}}}}}) syz_execute_func(&(0x7f0000000100)="c4e18d71f28b660f380b95f20000002e0f6b8800000000660f71f3063e7a0dc4e22146ae000000000f01dec4e2a193648e00f2a768a75c70c8") syz_extract_tcp_res(&(0x7f0000000140), 0x62, 0x8001) csource_test.go:124: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include static unsigned long long procid; static void kill_and_wait(int pid, int* status) { kill(pid, SIGKILL); while (waitpid(-1, status, 0) != pid) { } } static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void use_temporary_dir(void) { char tmpdir_template[] = "./syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) exit(1); if (chmod(tmpdir, 0777)) exit(1); if (chdir(tmpdir)) exit(1); } static void __attribute__((noinline)) remove_dir(const char* dir) { DIR* dp = opendir(dir); if (dp == NULL) { if (errno == EACCES) { if (rmdir(dir)) exit(1); return; } exit(1); } struct dirent* ep = 0; while ((ep = readdir(dp))) { if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0) continue; char filename[FILENAME_MAX]; snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name); struct stat st; if (lstat(filename, &st)) exit(1); if (S_ISDIR(st.st_mode)) { remove_dir(filename); continue; } if (unlink(filename)) exit(1); } closedir(dp); if (rmdir(dir)) exit(1); } static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); pthread_attr_setstacksize(&attr, 128 << 10); int i = 0; for (; i < 100; i++) { if (pthread_create(&th, &attr, fn, arg) == 0) { pthread_attr_destroy(&attr); return; } if (errno == EAGAIN) { usleep(50); continue; } break; } exit(1); } typedef struct { pthread_mutex_t mu; pthread_cond_t cv; int state; } event_t; static void event_init(event_t* ev) { if (pthread_mutex_init(&ev->mu, 0)) exit(1); if (pthread_cond_init(&ev->cv, 0)) exit(1); ev->state = 0; } static void event_reset(event_t* ev) { ev->state = 0; } static void event_set(event_t* ev) { pthread_mutex_lock(&ev->mu); if (ev->state) exit(1); ev->state = 1; pthread_mutex_unlock(&ev->mu); pthread_cond_broadcast(&ev->cv); } static void event_wait(event_t* ev) { pthread_mutex_lock(&ev->mu); while (!ev->state) pthread_cond_wait(&ev->cv, &ev->mu); pthread_mutex_unlock(&ev->mu); } static int event_isset(event_t* ev) { pthread_mutex_lock(&ev->mu); int res = ev->state; pthread_mutex_unlock(&ev->mu); return res; } static int event_timedwait(event_t* ev, uint64_t timeout) { uint64_t start = current_time_ms(); uint64_t now = start; pthread_mutex_lock(&ev->mu); for (;;) { if (ev->state) break; uint64_t remain = timeout - (now - start); struct timespec ts; ts.tv_sec = remain / 1000; ts.tv_nsec = (remain % 1000) * 1000 * 1000; pthread_cond_timedwait(&ev->cv, &ev->mu, &ts); now = current_time_ms(); if (now - start > timeout) break; } int res = ev->state; pthread_mutex_unlock(&ev->mu); return res; } #define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off)) #define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len)))) struct csum_inet { uint32_t acc; }; static void csum_inet_init(struct csum_inet* csum) { csum->acc = 0; } static void csum_inet_update(struct csum_inet* csum, const uint8_t* data, size_t length) { if (length == 0) return; size_t i = 0; for (; i < length - 1; i += 2) csum->acc += *(uint16_t*)&data[i]; if (length & 1) csum->acc += le16toh((uint16_t)data[length - 1]); while (csum->acc > 0xffff) csum->acc = (csum->acc & 0xffff) + (csum->acc >> 16); } static uint16_t csum_inet_digest(struct csum_inet* csum) { return ~csum->acc; } static void sandbox_common() { if (setsid() == -1) exit(1); struct rlimit rlim; rlim.rlim_cur = rlim.rlim_max = 128 << 20; setrlimit(RLIMIT_AS, &rlim); rlim.rlim_cur = rlim.rlim_max = 8 << 20; setrlimit(RLIMIT_MEMLOCK, &rlim); rlim.rlim_cur = rlim.rlim_max = 1 << 20; setrlimit(RLIMIT_FSIZE, &rlim); rlim.rlim_cur = rlim.rlim_max = 1 << 20; setrlimit(RLIMIT_STACK, &rlim); rlim.rlim_cur = rlim.rlim_max = 0; setrlimit(RLIMIT_CORE, &rlim); rlim.rlim_cur = rlim.rlim_max = 256; setrlimit(RLIMIT_NOFILE, &rlim); } static void loop(); static int do_sandbox_none(void) { sandbox_common(); loop(); return 0; } static long syz_execute_func(volatile long text) { ((void (*)(void))(text))(); return 0; } struct thread_t { int created, call; event_t ready, done; }; static struct thread_t threads[16]; static void execute_call(int call); static int running; static void* thr(void* arg) { struct thread_t* th = (struct thread_t*)arg; for (;;) { event_wait(&th->ready); event_reset(&th->ready); execute_call(th->call); __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED); event_set(&th->done); } return 0; } static void execute_one(void) { int i, call, thread; for (call = 0; call < 13; call++) { for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) { struct thread_t* th = &threads[thread]; if (!th->created) { th->created = 1; event_init(&th->ready); event_init(&th->done); event_set(&th->done); thread_start(thr, th); } if (!event_isset(&th->done)) continue; event_reset(&th->done); th->call = call; __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED); event_set(&th->ready); event_timedwait(&th->done, 45); break; } } for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++) sleep_ms(1); } static void execute_one(void); #define WAIT_FLAGS 0 static void loop(void) { int iter = 0; for (;; iter++) { char cwdbuf[32]; sprintf(cwdbuf, "./%d", iter); if (mkdir(cwdbuf, 0777)) exit(1); int pid = fork(); if (pid < 0) exit(1); if (pid == 0) { if (chdir(cwdbuf)) exit(1); execute_one(); exit(0); } int status = 0; uint64_t start = current_time_ms(); for (;;) { if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) break; sleep_ms(1); if (current_time_ms() - start < 5 * 1000) continue; kill_and_wait(pid, &status); break; } remove_dir(cwdbuf); } } uint64_t r[1] = {0xffffffffffffffff}; void execute_call(int call) { intptr_t res = 0; switch (call) { case 0: memcpy((void*)0x10000080, "\xc3\x3a\xe1\xd7\xac\xe1\x24\x1b\x1c\x03\xea\xef\xeb\xf7\x4d\xb1\x63\x91\x5a\x0b\xf1\xb3\x88\xf6\xc3\x6d\x59\xc7\x78\x91\x25\x4f\x65\xb0\xc9\x84\xfc\x2b\xe1\xb0\x80\xc3\xb8\xc3\xd5\xd4\x22\x92\xe5\x8e\xa3\xe0\x2d\x3b\x74\x27\x2f\x36\x56\xe0\x0e\x4d\x13\x1b\x3b\x07\x71\x3f\xd9\xcb\x86\xb4\x08\x08\x51\x4f\x58\xbb\xf7\xd6\x26\xad\x55\x43\x9d\x19\x4e\x4a\xca\xde\x74\x3a\x73\x54\x45\x74\x24\x53\x9c\x29\x44\x2e\x24\x02\x2a\x9f\x68\x15\x4f\xa6\x33\xc3\xe6\x09\xa5\xe3\x71\x78\x91\x77\xd1\x6a\x84\x05\xb3\xa4\x70\x3f\x49\x37\x2a\x51\x2b\xa8\xee\x4a\x38\x51\xf7\x9b\x01\xab\x4a\x3f\x3c\xf6\x5f\x41\x03\x99\xa2\x71\x34\x7b\x2c\x68\xcd\x28\xc5\xf5\x90\x4e\xf5\xd4\x61\x23\x99\xdc\x9e\x8a\x08\x29\xae\x73\xc9\x9c\x50\xf0\xf5\x76\xbf\x16\xd3\x8e\xfc\xbf\x66\x47\x6b\x78\x54\x31\xa5\xe9\x31\x71\x16\x8e\x0f\xbc\xdb\xd6\xd3\xcf\x1b\xa6\x57\xec\xf1\x4b\xa6\x0f\x6e\x8f\x18\xe0\xda\x4d\x7a\x13\xdb\x33\x7b\x75\x08\xb7\xb7\xde\x2f\xf1\xde\x6a\x7b\xb9\x4e\x8b\x81\x43\xd4\xad\x61\x88\x50\x1d\x04\x30\x2c\xde\x08\x62\x90\x01\xbf\xca\x81\x0e\x55\x33\xad\xeb\x14\xa0\xee\x4c\x8d\x24\x46\x94\xe0\x91\xa5\xd1\x77\x60\x8a\x38\x50\x18\x8e\xb6\xf8\x39\xa7\xc6\x26\xd3\xdc\x39\x0b\xc9\xa0\xe9\xfa\xa3\x5c\x7d\x10\x22\x9d\x14\x38\x2e\x20\x31\xe8\xaa\x3f\x7c\xd0\x66\xbb\x6b\xc0\xe8\xf6\x25\x9d\x36\x55\x02\xa8\x5d\x13\xd7\x1b\xd1\xab\x5e\xf2\x8a\x70\x19\x25\xe2\x3b\xeb\x53\x1c\xa1\xa9\x31\x01\xa0\xdb\x35\xa6\xe8\xd7\x97\xd4\x6f\x05\x3d\x45\x62\xb0\xc3\x89\x6c\xfb\x91\x66\x98\x69\xf8\x22\x59\xc0\x73\xc4\xeb\x7b\x65\xaf\xa6\x2b\x0a\x37\xff\x5e\xad\x5b\xe5\x71\x87\xa3\x7c\xe3\xc5\xaf\x9b\x37\xd5\x0a\x89\xc2\x8f\x8f\xed\x59\x53\x17\x3f\x8d\xf1\x88\xba\x31\xf5\xdf\xd3\x97\x3e\x12\xed\xf1\x1a\xe5\x91\x7e\xb0\x65\x7b\x37\x96\xf7\x67\x84\xc0\x3c\x1a\xa1\x3a\x7b\x1a\x15\xdd\xf5\x4e\xd2\x77\x38\x7f\x7e\xa4\x05\x7b\x81\xb1\x12\x63\x91\xd5\xd3\x7a\xc2\xc8\x78\xf6\x84\x44\x61\x3d\x8c\x94\x25\x10\xe0\x3f\xfe\x6b\x68\x13\x26\x8f\x4b\x06\x7c\x87\x93\x64\x20\x23\xb5\xca\x52\xa7\xfc\xbb\x7f\x96\xf6\x75\xf8\x7b\x82\xdd\xec\x55\x07\x16\x8d\x1f\xd3\xb4\xc1\x66\xcd\x5c\xd1\x2d\x68\xa2\x66\xf1\xb2\xea\xee\x41\x59\xb9\x90\xb9\xd6\x2e\x88\x84\x47\x52\xee\x03\xff\x4a\xdc\x97\xa9\x93\x61\x8c\x0c\x85\x6c\x0c\x2b\xfe\x47\x60\x38\x9c\xef\x29\x28\x61\x25\x11\x20\xa1\xc3\x61\x47\xf3\x3f\x5a\x21\x7e\xd5\x6d\xa6\x85\x87\x21\xfc\x11\xaa\xcc\x71\x1c\xfa\x74\xe7\xd6\x0c\xb1\xe2\x72\x63\x99\x5f\xc9\xc4\x9d\xd3\xa3\x7b\x34\x87\x2a\xcd\x3b\x31\xef\x03\x1c\xd3\x9e\xa4\xe0\xff\x26\x35\xf4\x4e\x8b\x56\x1c\xbc\xdf\x20\x95\xd3\xce\xe5\x86\xd2\x96\x98\x51\x53\x64\x4b\x80\x2f\x69\xea\x2e\x11\xfa\x1e\x71\xbe\x71\x3c\x49\xe8\xa7\x47\x5f\x26\xee\xc3\xfa\xd4\x32\xcf\xee\xca\xff\x2a\x84\xa9\x1e\x3a\xd7\xcb\x6e\x2c\xea\x97\x0f\xa3\xaa\x28\x61\xc5\x57\x19\x58\x78\x3d\xc3\x39\x46\x2f\x2b\x52\x35\xe8\x13\x9e\x6f\x29\x2f\x98\xff\xaf\x46\x15\x0b\x32\xdb\xd9\x06\xb1\x3f\xf5\xd6\xa4\x5f\x44\x01\xf7\x79\x71\xdf\x4e\xcf\x24\xd7\xc9\x61\x8b\x57\xf5\xd4\x0a\x67\x4b\x4b\x2d\x4c\x7d\xa9\x29\xb5\xa1\x87\xc3\xbf\x77\x3c\x88\x2d\x48\xa3\xb9\x0a\xc1\x91\xf6\x51\xbc\xc3\x8a\xc4\x62\x26\x4e\x6d\xc4\xdb\x77\xe8\xe8\x63\x1e\x3a\xed\x0b\xd0\xd2\xc0\xb6\x2b\xaf\x69\xbd\x5e\xbd\xea\x14\x40\x25\x6d\x7d\x59\x98\xdc\xb0\xc9\xbd\x7c\x3d\x19\x1f\xd8\x25\x4e\x82\xb9\x2a\x31\x83\x60\x1a\x8d\x5a\x98\x73\x7f\x66\x31\xa7\xb3\xdd\x58\xfe\x77\xa5\x57\xcf\xc7\xb5\xd0\x03\x76\xdb\x39\xec\x53\x1d\x39\x6a\xff\xab\x1d\x89\x13\x5c\x3f\xe8\x60\xd3\x13\xa2\x40\xe6\x58\x2e\xf9\x6d\x18\x78\x17\x02\xea\xba\x44\x03\x65\x58\x29\x4b\xd3\xf2\x06\x50\x67\x49\x28\x19\x1a\xc8\x55\x36\x97\xfd\x65\x44\x75\x57\x5f\xb1\x6d\x44\x66\x19\x0c\x14\xf6\x86\xe6\xbc\xa7\xab\x1e\x91\x9c\x37\x81\x4b\xf6\xc1\xc9\x90\x51\x06\xff\x67\x3f\x1a\x4f\x59\x69\xb0\xb8\x19\x4f\x62\xb2\x1f\x0f\xe4\xe8\x98\x0b\x87\xd1\x96\x28\x13\x02\x9f\x7b\xc9\x98\xc9\x55\xde\x45\x0f\x7a\x4b\x8e\xfe\x45\x03\x6e\x88\x1b\xf9\x54\x72\x69\x21\x1e\xc7\x00\xc2\x3b\x26\x59\x01\x20\xec\xb9\x04\xfa\x41\xac\xae\x74\x2a\xfe\x32\xc7\x24\x04\xe1\x52\x0a\x0e\xea\x2d\x02\xb0\x70\x3e\xfb\x2b\x0a\x49\x50\x05\x08\x3a\xbb\x84\xa5\x9f\x20\x55\xb7\x0e\x0c\x39\x16\x0e\xf5\x9e\x03\x4c\x68\xc4\x43\x5f\x3e\x83\x8c\xa2\xff\xa3\xe3\x43\xd6", 1024); memcpy((void*)0x10000480, "\x13\x8c\xca\xa4\x5a\xd3\xdf\x6d\xa8\xa0\x39\xdc\x28\x87\xeb\xe8\x9d\xab\x7a\x81\xe1\xf6\xde\x3b\x8e\x1a\xbc\xa7\x1f\x8f\xbc\x2a", 32); *(uint32_t*)0x100004a0 = 8; *(uint8_t*)0x100004a4 = 0x40; *(uint32_t*)0x100004a8 = 0x10000000; memcpy((void*)0x10000000, "\x50\x41\x64\xa0\x18\xf8\xc2\xab\x99\x0f\xb1\x38\x24\x3a\x70\xbd\x1f\x9a\x5a\x21\x22\x6e\xb1\x8c\x83\x0c\xd2\xae\xe4\xcf\xa0\x16\x57\x54\xb3\x34\x16\x32\x30\xf4\xaa\xc7\xa1\x6f\x73\x6d\x4e\xfa\x94\xea\x1f\x02\x66\x59\x5c\xa4\x4b\xfe\xd9\x93\xe0\xae\x92\x26\xe1\x0a\x4f\xb1\x25\xbf\xc2\xae\x29\xe2\x43\x1c\x69\x72", 78); *(uint64_t*)0x100004ac = 9; *(uint64_t*)0x100004b4 = 2; *(uint64_t*)0x100004bc = 2; *(uint64_t*)0x100004c4 = 6; *(uint64_t*)0x100004cc = 0x80000000; *(uint64_t*)0x100004d4 = 0x81; *(uint64_t*)0x100004dc = 0x40; *(uint32_t*)0x100004e4 = 5; syscall(SYS_ioctl, -1, 0xc4504449, 0x10000080); break; case 1: memcpy((void*)0x10000540, "\x5a\x74\x12\x5d\x9b\x2c\x6d\xb6\xfa\x88\xcd\x72\xb2\xe4\xb4\x5a\x4b\xb5\x34\x39\x51\xf9\xde\x38\xb6\x33\x92\xff\xf5\xed\xac\x87\x95\xd2\xbe\xab\x54\x85\x38\x3a\x33\x63\x2b\xdb\xbf\x6f\x49\x6f\xf1\x38\x61\x4d\xc9\xf9\x51\x6e\x11\x1c\xc5\xaa\x45\x70\xca\x19\xd4\x49\x7b\x89\xb2\x58\xf6\x5b\x71\x0d\x4d\x3f\x4e\x1d\xaf\xe4\x3f\x70\xba\xf5\x1d\xa5\xe1\x01\x06\x98\x84\xb3\xb8\xf5\x35\x8c\xf7\xe2\x46\xd2\x4c\xdc\x12\x3b\x10\xba\x66\x05\xba\x46\xae\x51\x78\xd1\xfe\x2c\x4b\x2c\x9f\xa3\xf3\xf3\xc1\x45\xae\x60\x66\xe3\x1d\x33\x76\x85\x91\x34\x1a\xcf\x8f\xad\x90\x33\xb9\xce\xd2\x28\x13\xd2\x0d\xc7\x7e\xed\xce\x61\x9c\x7b\xb6\x5b\xa0\xa8\x89\xe0\xfe\xfb\x82\x81\xc0\xa8\x8e\xe6\x4a\x29\x74\x6b\x6f\xf0\xe9\xd2\xdb\x70\xe8\x18\x0b\xde\xe3\x80\xf0\x8f\xb1\x94\xdc\xe2\x95\xe1\xea\xa8\x93\x70\x9b\xe9\xbf\xe3\x97\x75\xc4\x23\x23\x28\x15\x9a\xd9\xc3\xaa\x42\x24\xdd\x0c\xbe\x33\x41\x14\x5b\x89\xf6\xf9\xc1\x70\xe6\x19\xf5\x90\xb0\xbf\x04\x93\xb7\x49\x73\xf4\xfb\xa6\xb9\x74\xf2\xbd\xee\x80\x6b\x5c\x60\x4c\xc8\x22\x2b\x15\x43\xf6\x69\x3a\x85\xd9\x6b\x56\xb0\x91\x10\xbb\x89\x28\xe8\x01\x6d\xfd\x30\x9b\x61\xc5\x79\xa6\xc3\x45\x88\x7f\x50\xbe\x64\x6f\x18\x28\x29\xb1\xab\x66\xa2\x7d\xb8\x12\xeb\x4c\xac\xba\x79\xbc\x9d\x98\xcb\x18\x31\x09\x40\xf7\x4a\x46\x02\xcb\x85\x69\x2b\x42\xfe\x8a\x99\xc9\x5a\xe9\x1a\x67\x19\x5c\x04\x8d\x20\x00\xae\x43\x50\xf8\x9b\xaf\xfd\x5c\x7d\x29\x2e\x22\x8f\x25\xc7\xeb\x92\x4f\xc8\x69\x3e\xe3\x85\x73\x28\x7e\x38\x9e\x35\x74\x6f\xba\xa3\x7a\xb9\xb7\x70\xb3\x51\xe3\x67\xbf\x05\xe0\x0d\x7d\xbd\x68\xdb\x30\xb8\x79\x75\x75\x7c\xb2\x51\x36\x59\x16\xcd\xa5\xa3\x63\xff\x40\xd9\x6a\xaf\x33\x23\x3b\xb1\x41\x15\xda\xb9\xef\xe4\x64\x9e\x40\xf2\xe5\xe0\x1d\xb2\xd6\x5a\x30\x43\x30\x2d\x9f\x1f\x08\x59\x5a\x44\x8c\xcc\xb7\xa7\x17\xc6\x95\x4c\x72\x33\x41\x1d\x08\xe1\x14\x0f\x2a\xc5\xfb\x62\x5c\xd1\xb6\xb6\x58\x65\x61\xe6\x6d\xed\x23\xf6\x9e\x3d\x01\x7a\x64\xbd\x22\x1f\x2d\x3f\x27\x4d\x84\x69\x40\xaa\xb4\x24\xe8\x29\x05\x0e\xe3\x3d\xd6\xce\x69\xcc\x50\xc6\x93\xad\x31\x6a\x7f\x90\x81\x73\x17\xb2\x1f\x71\x90\x16\xc3\x1c\x22\xd9\xca\x46\xcf\xcb\x46\x71\x22\x97\x9e\x8c\x55\xf6\x90\xc4\x9b\x89\xb0\x45\x64\xce\x70\xf9\x6e\xbd\x09\xed\xb4\x06\x87\x01\x7b\xe2\x1c\x8f\x56\x7d\x6b\x15\x2b\xcc\x83\x07\x36\xa9\x32\x01\x81\xd8\x8a\x97\x9e\x50\x6b\x50\xac\xb1\x48\x54\x59\x87\xb3\x61\x02\x3c\xa7\x8b\xdd\xe9\x28\x62\x40\x18\xae\xae\x51\xe3\xf8\x6c\x3b\x54\x0b\x16\x05\x1d\x38\x81\xa9\x8d\x1a\xa0\x29\x10\xc9\x44\x60\xa0\xf9\x53\x10\xc2\x5b\xf7\xa9\x96\xe4\x1c\x17\xf2\x39\x9e\x76\x03\x23\xb4\xf4\x17\xbf\xc5\x22\x5d\x70\x54\x68\x06\x6f\xaf\x90\x27\x40\x4c\x42\x71\xfc\x37\xec\xf7\x3f\x14\x70\xa9\x98\x27\x4a\x79\x28\x6b\xae\xd6\xca\x7c\x4a\x88\xc8\x27\xe9\x6b\x4e\xa9\x6f\x0b\xf2\x3f\xf9\xaf\xad\xed\x09\x37\x70\x4c\xc6\x3d\x24\xb3\xbc\xf0\xd6\x25\x51\xd7\xa8\xf3\x00\x11\x44\x37\xc6\x24\xd2\xc1\x4e\x90\xd0\x84\xae\xfe\x79\x63\xa2\xa8\x88\x82\xed\xa7\x23\xc3\x28\xc3\x60\xa2\x96\xf9\x8e\xa7\xfd\x56\x5a\x4b\x58\x22\x2c\x1b\x4e\x89\xda\xbc\x70\x78\xff\xf6\xf2\x3c\xee\xbc\xed\xb8\x81\x3d\x37\x12\xd3\xc7\xf7\xf6\xf0\x83\xfb\xb1\x9e\x72\x4a\x20\x27\xf1\x6f\x1c\x8e\x2f\x66\x01\x12\x42\x1b\xa6\x98\x69\x9a\x04\x81\x33\x0c\x0b\xac\xa6\xb7\xb8\xe4\x51\x50\x06\x17\x8e\x1b\x07\x8b\x6c\xa6\x30\x6b\x9a\xed\xf7\x3f\x0c\xe2\x2d\xa0\xa0\x63\x79\x29\xab\x2a\x91\x7c\xf6\x53\x00\xbf\x90\xf2\x37\x8a\xb6\x49\x4a\x04\xbc\xf8\x7b\x9a\xfb\x7e\xb7\x46\xfb\x01\x6c\xb6\xdb\x0b\xa3\xfa\xa8\x5c\xa8\xf5\x1b\x7e\x9b\xd8\xa9\xcd\x9c\x79\xfb\x77\x73\x0f\x0e\xaf\x32\xbe\x45\x9c\xde\x89\x8e\x32\x3a\x9e\xd5\x29\x51\xf8\xcb\xb2\x5e\xd0\x95\xb4\xd5\x3c\x02\xbb\xef\x1e\x64\x6d\xd5\x56\xa9\xb6\x9e\x2d\xd5\x5f\x5b\xba\x3c\x7e\x35\x48\xbd\x01\x22\x7f\x2b\x4d\x28\xf2\x59\x7e\x4c\xb2\xf4\x82\x32\xfa\x0a\x9a\xda\xd4\xdb\x26\xd4\x12\xf2\xc6\x98\xf0\x31\x95\xa6\x8d\x55\x48\xea\x19\x91\xfa\x68\xa7\xa2\x3d\x55\x2c\xd6\x1b\x2b\xc6\x95\x13\xb1\xcf\x73\x7c\x25\x2f\xb9\xaa\xc5\x00\x26\x2c\x9e\x47\xb9\xa6\x80\xc7\x4c\x7a\x06\x00\x83\xd5\x91\x65\x38\x69\x82\xb5\x05\x3f\x56\x83\x53\x7b\xa1\x39\xd6\x1f\x49\x4a\xc5\x01\x14\x23\x00\xef\xbc\x21\x6c\xf4\xb9\x39\x0d\xe0\xab\x29\x40\x0b\xcd\xf5\xde\xa0\x51\x56\xc1\x30\x1d\xf3\xf0", 1024); memcpy((void*)0x10000940, "\x21\xc6\x2c\xdf\x3e\x91\x52\x79\x82\x35\xfb\xe9\x46\xd7\x7d\xc7\xa7\x8f\x8e\xd9\xd9\x87\xa3\xe5\x96\x42\x36\xd1\xa7\x08\x13\x89", 32); *(uint32_t*)0x10000960 = 7; *(uint8_t*)0x10000964 = 0x85; *(uint32_t*)0x10000968 = 0x10000500; memcpy((void*)0x10000500, "\x52\xb4\x62\x2b\x0f\x6d\xc8\xee\xe7\xe2\x69\x56\xde\xb6\x65\x1f\x58\x0f\xa2\xcd", 20); *(uint64_t*)0x1000096c = 9; *(uint64_t*)0x10000974 = 0x3f; *(uint64_t*)0x1000097c = 0x401; *(uint64_t*)0x10000984 = 0x7fffffff; *(uint64_t*)0x1000098c = 0x10000000000; *(uint64_t*)0x10000994 = 0xfff; *(uint64_t*)0x1000099c = 0x100000000000000; *(uint32_t*)0x100009a4 = 1; syscall(SYS_ioctl, -1, 0xc4504441, 0x10000540); break; case 2: memcpy((void*)0x100009c0, "\x53\x74\xad\xcf\xed\x27", 6); *(uint8_t*)0x100009c6 = 0; *(uint8_t*)0x100009c7 = 0; *(uint8_t*)0x100009c8 = 0; *(uint8_t*)0x100009c9 = 0; *(uint8_t*)0x100009ca = 0; *(uint8_t*)0x100009cb = 0; *(uint16_t*)0x100009cc = htobe16(0x86dd); STORE_BY_BITMASK(uint8_t, , 0x100009ce, 9, 0, 4); STORE_BY_BITMASK(uint8_t, , 0x100009ce, 6, 4, 4); memcpy((void*)0x100009cf, "\xd8\x82\x40", 3); *(uint16_t*)0x100009d2 = htobe16(0x67); *(uint8_t*)0x100009d4 = 0x8b; *(uint8_t*)0x100009d5 = 0; *(uint8_t*)0x100009d6 = 0; *(uint8_t*)0x100009d7 = 0; *(uint8_t*)0x100009d8 = 0; *(uint8_t*)0x100009d9 = 0; *(uint8_t*)0x100009da = 0; *(uint8_t*)0x100009db = 0; *(uint8_t*)0x100009dc = 0; *(uint8_t*)0x100009dd = 0; *(uint8_t*)0x100009de = 0; *(uint8_t*)0x100009df = 0; *(uint8_t*)0x100009e0 = 0; *(uint8_t*)0x100009e1 = 0; *(uint8_t*)0x100009e2 = 0; *(uint8_t*)0x100009e3 = 0; *(uint8_t*)0x100009e4 = 0; *(uint8_t*)0x100009e5 = 0; *(uint64_t*)0x100009e6 = htobe64(0); *(uint64_t*)0x100009ee = htobe64(1); memcpy((void*)0x100009f6, "\xf4\xb4\xcf\x43\xa7\xae\xf2\x0c\x31\xe1\x4b\xee\x92\x47\x10\x30\x31\xea\x18\x0f\xfe\x19\x99\xbf\xb0\x47\xb6\x66\x12\x2e\x7a\x31\xf3\xbb\xb7\x65\x98\x4d\xd6\x6d\x00\x48\xdd\x88\x4c\x50\x46\x76\x9f\xda\x23\xd1\x69\x8a\x23\x83\x9c\xf3\xaf\xbf\x15\x30\x58\x73\xbb\x53\x43\xf5\xd2\xc9\x52\x30\xa9\x97\x26\xaf\xd8\x7d\xcd\xcd\xa4\x0d\xe7\xad\xea\xc5\x95\x4e\xc9\x3c\x0c\x6c\x3d\x66\x91\x77\xe7\xf9\x32\xbd\x8d\x98\x33", 103); break; case 3: *(uint32_t*)0x10000a80 = 0; syscall(SYS_setsockopt, 0xffffff9c, 0x84, 0x10, 0x10000a80, 4); break; case 4: res = syscall(SYS_fcntl, 0xffffff9c, 0x11, 0xffffff9c); if (res != -1) r[0] = res; break; case 5: memcpy((void*)0x10000ac0, "\x50\xe1\x6a\x4f\x17\x11\xc6\x81\xab\x66\x0d\x59\xa3\xd9\x67\xa0\x97\xbb\x87\xf0\x63\xf4\xc4\x9b\xa1\xa4\x43\x37\x3d\x02\xde\xe5\x14\x48\xa7\x9f\x1a\xcb\x5a\x80\x6f\x25\x19\x7c\x29\xa6\xad\x5c\x10\xdb\x0a\x54\x6c\x3a\x50\x14\xab\x8c\x80\xb4\xf8\x59\x4c\x1b\x9d\x42\x46\x03", 68); syscall(SYS_ioctl, (intptr_t)r[0], 0xc4704434, 0x10000ac0); break; case 6: memcpy((void*)0x10000b40, "./file0\000", 8); syscall(SYS___realpathat, (intptr_t)r[0], 0x10000b40, 0x10000b80, 5, 0); break; case 7: *(uint32_t*)0x10000c00 = 0x1c; syscall(SYS_accept, (intptr_t)r[0], 0x10000bc0, 0x10000c00); break; case 8: *(uint32_t*)0x10000c40 = 5; *(uint32_t*)0x10000c44 = 2; syscall(SYS_ioctl, (intptr_t)r[0], 0xc0084427, 0x10000c40); break; case 9: memcpy((void*)0x10000c80, "./file0\000", 8); syscall(SYS_lchmod, 0x10000c80, 2); break; case 10: *(uint8_t*)0x10000000 = 0xaa; *(uint8_t*)0x10000001 = 0xaa; *(uint8_t*)0x10000002 = 0xaa; *(uint8_t*)0x10000003 = 0xaa; *(uint8_t*)0x10000004 = 0xaa; *(uint8_t*)0x10000005 = 0xaa; *(uint8_t*)0x10000006 = 0xaa; *(uint8_t*)0x10000007 = 0xaa; *(uint8_t*)0x10000008 = 0xaa; *(uint8_t*)0x10000009 = 0xaa; *(uint8_t*)0x1000000a = 0xaa; *(uint8_t*)0x1000000b = 0xaa; *(uint16_t*)0x1000000c = htobe16(0x88a8); STORE_BY_BITMASK(uint16_t, , 0x1000000e, 1, 0, 3); STORE_BY_BITMASK(uint16_t, , 0x1000000e, 0, 3, 1); STORE_BY_BITMASK(uint16_t, , 0x1000000e, 0, 4, 12); *(uint16_t*)0x10000010 = htobe16(0x8100); STORE_BY_BITMASK(uint16_t, , 0x10000012, 2, 0, 3); STORE_BY_BITMASK(uint16_t, , 0x10000012, 0, 3, 1); STORE_BY_BITMASK(uint16_t, , 0x10000012, 1, 4, 12); *(uint16_t*)0x10000014 = htobe16(0x800); STORE_BY_BITMASK(uint8_t, , 0x10000016, 0x11, 0, 4); STORE_BY_BITMASK(uint8_t, , 0x10000016, 4, 4, 4); STORE_BY_BITMASK(uint8_t, , 0x10000017, 2, 0, 2); STORE_BY_BITMASK(uint8_t, , 0x10000017, 3, 2, 6); *(uint16_t*)0x10000018 = htobe16(0xe7); *(uint16_t*)0x1000001a = htobe16(0x66); *(uint16_t*)0x1000001c = htobe16(-1); *(uint8_t*)0x1000001e = 0; *(uint8_t*)0x1000001f = 0x5d; *(uint16_t*)0x10000020 = htobe16(0); *(uint32_t*)0x10000022 = htobe32(-1); *(uint32_t*)0x10000026 = htobe32(0xe0000001); *(uint8_t*)0x1000002a = 0x44; *(uint8_t*)0x1000002b = 6; memcpy((void*)0x1000002c, "\x01\x83\xb4\xa4", 4); *(uint8_t*)0x10000030 = 1; *(uint8_t*)0x10000031 = 1; *(uint8_t*)0x10000032 = 0x11; memcpy((void*)0x10000033, "\xdb\x1f\x84\xf6\x85\xce\x60\xf9\x1e\x89\x36\x88\xe9\x64\xb3", 15); *(uint8_t*)0x10000042 = 0x94; *(uint8_t*)0x10000043 = 6; *(uint32_t*)0x10000044 = htobe32(0x552b3dec); *(uint8_t*)0x10000048 = 0; *(uint8_t*)0x10000049 = 0x86; *(uint8_t*)0x1000004a = 0xf; memcpy((void*)0x1000004b, "\xc4\x0a\x26\x2a\xb0\x8e\xcf\x14\x8a\x55\x2a\xaa\x89", 13); *(uint8_t*)0x1000005a = 8; *(uint8_t*)0x1000005b = 0; *(uint16_t*)0x1000005c = htobe16(0); *(uint16_t*)0x1000005e = htobe16(0x1f); *(uint16_t*)0x10000060 = htobe16(0xae36); memcpy((void*)0x10000062, "\x14\x63\xe3\x81\xbd\x0e\x99\xfd\x71\x4b\xe2\x89\x0e\x54\x54\x74\x95\xf8\x6c\xac\xd7\x30\x55\x37\x6f\x19\x20\x7b\xad\x31\xa1\x37\x34\xaa\xcb\xa2\x8e\x2e\xc2\x7c\x9e\x3e\x30\xca\xe3\x44\xd1\xd5\xdc\x20\x12\x1b\x30\x0a\x45\x03\xf9\xd4\xd6\xba\x08\x66\x1f\x05\x6e\xd2\x70\xce\xcb\x2b\xd7\x24\x49\x70\x0f\xb8\xcf\xb5\x44\xca\x92\xb4\xca\x73\xae\x6f\xb3\x5c\xbc\x90\xe4\x99\x37\x75\x7e\xa5\xa5\x4d\x78\xdb\xb0\xaa\xc5\xf9\x3a\x36\xc7\xb5\xad\xc9\x75\xcd\xb1\xeb\x94\x63\x06\x5c\xde\x07\x19\x23\xf7\xf8\x77\x17\x92\xe8\xb7\x54\x1e\x60\xf7\xa9\x39\x58\xbb\x12\x8b\x93\xce\x90\xd8\x87\xfc\xb0\x62\x23\x5b\xd3\x8a\xb0\xc6\x29\x9b", 155); struct csum_inet csum_1; csum_inet_init(&csum_1); csum_inet_update(&csum_1, (const uint8_t*)0x1000005a, 163); *(uint16_t*)0x1000005c = csum_inet_digest(&csum_1); struct csum_inet csum_2; csum_inet_init(&csum_2); csum_inet_update(&csum_2, (const uint8_t*)0x10000016, 68); *(uint16_t*)0x10000020 = csum_inet_digest(&csum_2); break; case 11: memcpy((void*)0x10000100, "\xc4\xe1\x8d\x71\xf2\x8b\x66\x0f\x38\x0b\x95\xf2\x00\x00\x00\x2e\x0f\x6b\x88\x00\x00\x00\x00\x66\x0f\x71\xf3\x06\x3e\x7a\x0d\xc4\xe2\x21\x46\xae\x00\x00\x00\x00\x0f\x01\xde\xc4\xe2\xa1\x93\x64\x8e\x00\xf2\xa7\x68\xa7\x5c\x70\xc8", 57); syz_execute_func(0x10000100); break; case 12: break; } } int main(void) { syscall(SYS_mmap, 0x10000000, 0x1000000, 7, 0x1012, -1, 0); for (procid = 0; procid < 4; procid++) { if (fork() == 0) { use_temporary_dir(); do_sandbox_none(); } } sleep(1000000); return 0; } :420:11: error: use of undeclared identifier 'SYS___realpathat' syscall(SYS___realpathat, (intptr_t)r[0], 0x10000b40, 0x10000b80, 5, 0); ^ 1 error generated. compiler invocation: clang [-o /tmp/syz-executor730336996 -DGOOS_freebsd=1 -DGOARCH_386=1 -DHOSTGOOS_freebsd=1 -x c - -m32 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -static -lc++ -Wno-overflow] --- FAIL: TestGenerate/freebsd/386/4 (1.52s) csource_test.go:123: opts: {Threaded:true Collide:false Repeat:true RepeatTimes:10 Procs:0 Sandbox:none Fault:false FaultCall:0 FaultNth:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false USB:false VhciInjection:false Wifi:false UseTmpDir:true HandleSegv:false Repro:false Trace:false} program: ioctl$DIOCRTSTADDRS(0xffffffffffffffff, 0xc4504449, &(0x7f0000000080)={{"c33ae1d7ace1241b1c03eaefebf74db163915a0bf1b388f6c36d59c77891254f65b0c984fc2be1b080c3b8c3d5d42292e58ea3e02d3b74272f3656e00e4d131b3b07713fd9cb86b40808514f58bbf7d626ad55439d194e4acade743a7354457424539c29442e24022a9f68154fa633c3e609a5e371789177d16a8405b3a4703f49372a512ba8ee4a3851f79b01ab4a3f3cf65f410399a271347b2c68cd28c5f5904ef5d4612399dc9e8a0829ae73c99c50f0f576bf16d38efcbf66476b785431a5e93171168e0fbcdbd6d3cf1ba657ecf14ba60f6e8f18e0da4d7a13db337b7508b7b7de2ff1de6a7bb94e8b8143d4ad6188501d04302cde08629001bfca810e5533adeb14a0ee4c8d244694e091a5d177608a3850188eb6f839a7c626d3dc390bc9a0e9faa35c7d10229d14382e2031e8aa3f7cd066bb6bc0e8f6259d365502a85d13d71bd1ab5ef28a701925e23beb531ca1a93101a0db35a6e8d797d46f053d4562b0c3896cfb91669869f82259c073c4eb7b65afa62b0a37ff5ead5be57187a37ce3c5af9b37d50a89c28f8fed5953173f8df188ba31f5dfd3973e12edf11ae5917eb0657b3796f76784c03c1aa13a7b1a15ddf54ed277387f7ea4057b81b1126391d5d37ac2c878f68444613d8c942510e03ffe6b6813268f4b067c8793642023b5ca52a7fcbb7f96f675f87b82ddec5507168d1fd3b4c166cd5cd12d68a266f1b2eaee4159b990b9d62e88844752ee03ff4adc97a993618c0c856c0c2bfe4760389cef292861251120a1c36147f33f5a217ed56da6858721fc11aacc711cfa74e7d60cb1e27263995fc9c49dd3a37b34872acd3b31ef031cd39ea4e0ff2635f44e8b561cbcdf2095d3cee586d296985153644b802f69ea2e11fa1e71be713c49e8a7475f26eec3fad432cfeecaff2a84a91e3ad7cb6e2cea970fa3aa2861c5571958783dc339462f2b5235e8139e6f292f98ffaf46150b32dbd906b13ff5d6a45f4401f77971df4ecf24d7c9618b57f5d40a674b4b2d4c7da929b5a187c3bf773c882d48a3b90ac191f651bcc38ac462264e6dc4db77e8e8631e3aed0bd0d2c0b62baf69bd5ebdea1440256d7d5998dcb0c9bd7c3d191fd8254e82b92a3183601a8d5a98737f6631a7b3dd58fe77a557cfc7b5d00376db39ec531d396affab1d89135c3fe860d313a240e6582ef96d18781702eaba44036558294bd3f20650674928191ac8553697fd654475575fb16d4466190c14f686e6bca7ab1e919c37814bf6c1c9905106ff673f1a4f5969b0b8194f62b21f0fe4e8980b87d1962813029f7bc998c955de450f7a4b8efe45036e881bf9547269211ec700c23b26590120ecb904fa41acae742afe32c72404e1520a0eea2d02b0703efb2b0a495005083abb84a59f2055b70e0c39160ef59e034c68c4435f3e838ca2ffa3e343d6", "138ccaa45ad3df6da8a039dc2887ebe89dab7a81e1f6de3b8e1abca71f8fbc2a", 0x8, 0x40}, &(0x7f0000000000)="504164a018f8c2ab990fb138243a70bd1f9a5a21226eb18c830cd2aee4cfa0165754b334163230f4aac7a16f736d4efa94ea1f0266595ca44bfed993e0ae9226e10a4fb125bfc2ae29e2431c6972", 0x9, 0x2, 0x2, 0x6, 0x80000000, 0x81, 0x40, 0x5}) ioctl$DIOCRCLRTSTATS(0xffffffffffffffff, 0xc4504441, &(0x7f0000000540)={{"5a74125d9b2c6db6fa88cd72b2e4b45a4bb5343951f9de38b63392fff5edac8795d2beab5485383a33632bdbbf6f496ff138614dc9f9516e111cc5aa4570ca19d4497b89b258f65b710d4d3f4e1dafe43f70baf51da5e101069884b3b8f5358cf7e246d24cdc123b10ba6605ba46ae5178d1fe2c4b2c9fa3f3f3c145ae6066e31d33768591341acf8fad9033b9ced22813d20dc77eedce619c7bb65ba0a889e0fefb8281c0a88ee64a29746b6ff0e9d2db70e8180bdee380f08fb194dce295e1eaa893709be9bfe39775c4232328159ad9c3aa4224dd0cbe3341145b89f6f9c170e619f590b0bf0493b74973f4fba6b974f2bdee806b5c604cc8222b1543f6693a85d96b56b09110bb8928e8016dfd309b61c579a6c345887f50be646f182829b1ab66a27db812eb4cacba79bc9d98cb18310940f74a4602cb85692b42fe8a99c95ae91a67195c048d2000ae4350f89baffd5c7d292e228f25c7eb924fc8693ee38573287e389e35746fbaa37ab9b770b351e367bf05e00d7dbd68db30b87975757cb251365916cda5a363ff40d96aaf33233bb14115dab9efe4649e40f2e5e01db2d65a3043302d9f1f08595a448cccb7a717c6954c7233411d08e1140f2ac5fb625cd1b6b6586561e66ded23f69e3d017a64bd221f2d3f274d846940aab424e829050ee33dd6ce69cc50c693ad316a7f90817317b21f719016c31c22d9ca46cfcb467122979e8c55f690c49b89b04564ce70f96ebd09edb40687017be21c8f567d6b152bcc830736a9320181d88a979e506b50acb148545987b361023ca78bdde928624018aeae51e3f86c3b540b16051d3881a98d1aa02910c94460a0f95310c25bf7a996e41c17f2399e760323b4f417bfc5225d705468066faf9027404c4271fc37ecf73f1470a998274a79286baed6ca7c4a88c827e96b4ea96f0bf23ff9afaded0937704cc63d24b3bcf0d62551d7a8f300114437c624d2c14e90d084aefe7963a2a88882eda723c328c360a296f98ea7fd565a4b58222c1b4e89dabc7078fff6f23ceebcedb8813d3712d3c7f7f6f083fbb19e724a2027f16f1c8e2f660112421ba698699a0481330c0baca6b7b8e4515006178e1b078b6ca6306b9aedf73f0ce22da0a0637929ab2a917cf65300bf90f2378ab6494a04bcf87b9afb7eb746fb016cb6db0ba3faa85ca8f51b7e9bd8a9cd9c79fb77730f0eaf32be459cde898e323a9ed52951f8cbb25ed095b4d53c02bbef1e646dd556a9b69e2dd55f5bba3c7e3548bd01227f2b4d28f2597e4cb2f48232fa0a9adad4db26d412f2c698f03195a68d5548ea1991fa68a7a23d552cd61b2bc69513b1cf737c252fb9aac500262c9e47b9a680c74c7a060083d59165386982b5053f5683537ba139d61f494ac501142300efbc216cf4b9390de0ab29400bcdf5dea05156c1301df3f0", "21c62cdf3e9152798235fbe946d77dc7a78f8ed9d987a3e5964236d1a7081389", 0x7, 0x85}, &(0x7f0000000500)="52b4622b0f6dc8eee7e26956deb6651f580fa2cd", 0x9, 0x3f, 0x401, 0x7fffffff, 0x10000000000, 0xfff, 0x100000000000000, 0x1}) syz_emit_ethernet(0x9d, &(0x7f00000009c0)={@random="5374adcfed27", @empty, [], {@ipv6={0x86dd, {0x9, 0x6, "d88240", 0x67, 0x8b, 0x0, @empty, @loopback, {[], @generic="f4b4cf43a7aef20c31e14bee9247103031ea180ffe1999bfb047b666122e7a31f3bbb765984dd66d0048dd884c5046769fda23d1698a23839cf3afbf15305873bb5343f5d2c95230a99726afd87dcdcda40de7adeac5954ec93c0c6c3d669177e7f932bd8d9833"}}}}}) setsockopt$inet_sctp_SCTP_FRAGMENT_INTERLEAVE(0xffffffffffffff9c, 0x84, 0x10, &(0x7f0000000a80), 0x4) r0 = fcntl$dupfd(0xffffffffffffff9c, 0x11, 0xffffffffffffff9c) ioctl$DIOCADDADDR(r0, 0xc4704434, &(0x7f0000000ac0)="50e16a4f1711c681ab660d59a3d967a097bb87f063f4c49ba1a443373d02dee51448a79f1acb5a806f25197c29a6ad5c10db0a546c3a5014ab8c80b4f8594c1b9d424603") __realpathat(r0, &(0x7f0000000b40)='./file0\x00', &(0x7f0000000b80)=""/5, 0x5, 0x0) accept(r0, &(0x7f0000000bc0)=@in6={0x1c, 0x1c, 0xffffffffffffffff, 0x0, @loopback}, &(0x7f0000000c00)=0x1c) ioctl$DIOCGETLIMIT(r0, 0xc0084427, &(0x7f0000000c40)={0x5, 0x2}) lchmod(&(0x7f0000000c80)='./file0\x00', 0x2) syz_emit_ethernet(0xfd, &(0x7f0000000000)={@local, @local, [{[{0x88a8, 0x1}], {0x8100, 0x2, 0x0, 0x1}}], {@ipv4={0x800, {{0x11, 0x4, 0x2, 0x3, 0xe7, 0x66, 0xffff, 0x0, 0x5d, 0x0, @broadcast, @multicast1, {[@generic={0x44, 0x6, "0183b4a4"}, @noop, @generic={0x1, 0x11, "db1f84f685ce60f91e893688e964b3"}, @ra={0x94, 0x6, 0x552b3dec}, @end, @generic={0x86, 0xf, "c40a262ab08ecf148a552aaa89"}]}}, @icmp=@echo={0x8, 0x0, 0x0, 0x1f, 0xae36, "1463e381bd0e99fd714be2890e54547495f86cacd73055376f19207bad31a13734aacba28e2ec27c9e3e30cae344d1d5dc20121b300a4503f9d4d6ba08661f056ed270cecb2bd72449700fb8cfb544ca92b4ca73ae6fb35cbc90e49937757ea5a54d78dbb0aac5f93a36c7b5adc975cdb1eb9463065cde071923f7f8771792e8b7541e60f7a93958bb128b93ce90d887fcb062235bd38ab0c6299b"}}}}}) syz_execute_func(&(0x7f0000000100)="c4e18d71f28b660f380b95f20000002e0f6b8800000000660f71f3063e7a0dc4e22146ae000000000f01dec4e2a193648e00f2a768a75c70c8") syz_extract_tcp_res(&(0x7f0000000140), 0x62, 0x8001) csource_test.go:124: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include static void kill_and_wait(int pid, int* status) { kill(pid, SIGKILL); while (waitpid(-1, status, 0) != pid) { } } static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void use_temporary_dir(void) { char tmpdir_template[] = "./syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) exit(1); if (chmod(tmpdir, 0777)) exit(1); if (chdir(tmpdir)) exit(1); } static void __attribute__((noinline)) remove_dir(const char* dir) { DIR* dp = opendir(dir); if (dp == NULL) { if (errno == EACCES) { if (rmdir(dir)) exit(1); return; } exit(1); } struct dirent* ep = 0; while ((ep = readdir(dp))) { if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0) continue; char filename[FILENAME_MAX]; snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name); struct stat st; if (lstat(filename, &st)) exit(1); if (S_ISDIR(st.st_mode)) { remove_dir(filename); continue; } if (unlink(filename)) exit(1); } closedir(dp); if (rmdir(dir)) exit(1); } static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); pthread_attr_setstacksize(&attr, 128 << 10); int i = 0; for (; i < 100; i++) { if (pthread_create(&th, &attr, fn, arg) == 0) { pthread_attr_destroy(&attr); return; } if (errno == EAGAIN) { usleep(50); continue; } break; } exit(1); } typedef struct { pthread_mutex_t mu; pthread_cond_t cv; int state; } event_t; static void event_init(event_t* ev) { if (pthread_mutex_init(&ev->mu, 0)) exit(1); if (pthread_cond_init(&ev->cv, 0)) exit(1); ev->state = 0; } static void event_reset(event_t* ev) { ev->state = 0; } static void event_set(event_t* ev) { pthread_mutex_lock(&ev->mu); if (ev->state) exit(1); ev->state = 1; pthread_mutex_unlock(&ev->mu); pthread_cond_broadcast(&ev->cv); } static void event_wait(event_t* ev) { pthread_mutex_lock(&ev->mu); while (!ev->state) pthread_cond_wait(&ev->cv, &ev->mu); pthread_mutex_unlock(&ev->mu); } static int event_isset(event_t* ev) { pthread_mutex_lock(&ev->mu); int res = ev->state; pthread_mutex_unlock(&ev->mu); return res; } static int event_timedwait(event_t* ev, uint64_t timeout) { uint64_t start = current_time_ms(); uint64_t now = start; pthread_mutex_lock(&ev->mu); for (;;) { if (ev->state) break; uint64_t remain = timeout - (now - start); struct timespec ts; ts.tv_sec = remain / 1000; ts.tv_nsec = (remain % 1000) * 1000 * 1000; pthread_cond_timedwait(&ev->cv, &ev->mu, &ts); now = current_time_ms(); if (now - start > timeout) break; } int res = ev->state; pthread_mutex_unlock(&ev->mu); return res; } #define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off)) #define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len)))) struct csum_inet { uint32_t acc; }; static void csum_inet_init(struct csum_inet* csum) { csum->acc = 0; } static void csum_inet_update(struct csum_inet* csum, const uint8_t* data, size_t length) { if (length == 0) return; size_t i = 0; for (; i < length - 1; i += 2) csum->acc += *(uint16_t*)&data[i]; if (length & 1) csum->acc += le16toh((uint16_t)data[length - 1]); while (csum->acc > 0xffff) csum->acc = (csum->acc & 0xffff) + (csum->acc >> 16); } static uint16_t csum_inet_digest(struct csum_inet* csum) { return ~csum->acc; } static void sandbox_common() { if (setsid() == -1) exit(1); struct rlimit rlim; rlim.rlim_cur = rlim.rlim_max = 128 << 20; setrlimit(RLIMIT_AS, &rlim); rlim.rlim_cur = rlim.rlim_max = 8 << 20; setrlimit(RLIMIT_MEMLOCK, &rlim); rlim.rlim_cur = rlim.rlim_max = 1 << 20; setrlimit(RLIMIT_FSIZE, &rlim); rlim.rlim_cur = rlim.rlim_max = 1 << 20; setrlimit(RLIMIT_STACK, &rlim); rlim.rlim_cur = rlim.rlim_max = 0; setrlimit(RLIMIT_CORE, &rlim); rlim.rlim_cur = rlim.rlim_max = 256; setrlimit(RLIMIT_NOFILE, &rlim); } static void loop(); static int do_sandbox_none(void) { sandbox_common(); loop(); return 0; } static long syz_execute_func(volatile long text) { ((void (*)(void))(text))(); return 0; } struct thread_t { int created, call; event_t ready, done; }; static struct thread_t threads[16]; static void execute_call(int call); static int running; static void* thr(void* arg) { struct thread_t* th = (struct thread_t*)arg; for (;;) { event_wait(&th->ready); event_reset(&th->ready); execute_call(th->call); __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED); event_set(&th->done); } return 0; } static void execute_one(void) { int i, call, thread; for (call = 0; call < 13; call++) { for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) { struct thread_t* th = &threads[thread]; if (!th->created) { th->created = 1; event_init(&th->ready); event_init(&th->done); event_set(&th->done); thread_start(thr, th); } if (!event_isset(&th->done)) continue; event_reset(&th->done); th->call = call; __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED); event_set(&th->ready); event_timedwait(&th->done, 45); break; } } for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++) sleep_ms(1); } static void execute_one(void); #define WAIT_FLAGS 0 static void loop(void) { int iter = 0; for (; iter < 10; iter++) { char cwdbuf[32]; sprintf(cwdbuf, "./%d", iter); if (mkdir(cwdbuf, 0777)) exit(1); int pid = fork(); if (pid < 0) exit(1); if (pid == 0) { if (chdir(cwdbuf)) exit(1); execute_one(); exit(0); } int status = 0; uint64_t start = current_time_ms(); for (;;) { if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) break; sleep_ms(1); if (current_time_ms() - start < 5 * 1000) continue; kill_and_wait(pid, &status); break; } remove_dir(cwdbuf); } } uint64_t r[1] = {0xffffffffffffffff}; void execute_call(int call) { intptr_t res = 0; switch (call) { case 0: memcpy((void*)0x10000080, "\xc3\x3a\xe1\xd7\xac\xe1\x24\x1b\x1c\x03\xea\xef\xeb\xf7\x4d\xb1\x63\x91\x5a\x0b\xf1\xb3\x88\xf6\xc3\x6d\x59\xc7\x78\x91\x25\x4f\x65\xb0\xc9\x84\xfc\x2b\xe1\xb0\x80\xc3\xb8\xc3\xd5\xd4\x22\x92\xe5\x8e\xa3\xe0\x2d\x3b\x74\x27\x2f\x36\x56\xe0\x0e\x4d\x13\x1b\x3b\x07\x71\x3f\xd9\xcb\x86\xb4\x08\x08\x51\x4f\x58\xbb\xf7\xd6\x26\xad\x55\x43\x9d\x19\x4e\x4a\xca\xde\x74\x3a\x73\x54\x45\x74\x24\x53\x9c\x29\x44\x2e\x24\x02\x2a\x9f\x68\x15\x4f\xa6\x33\xc3\xe6\x09\xa5\xe3\x71\x78\x91\x77\xd1\x6a\x84\x05\xb3\xa4\x70\x3f\x49\x37\x2a\x51\x2b\xa8\xee\x4a\x38\x51\xf7\x9b\x01\xab\x4a\x3f\x3c\xf6\x5f\x41\x03\x99\xa2\x71\x34\x7b\x2c\x68\xcd\x28\xc5\xf5\x90\x4e\xf5\xd4\x61\x23\x99\xdc\x9e\x8a\x08\x29\xae\x73\xc9\x9c\x50\xf0\xf5\x76\xbf\x16\xd3\x8e\xfc\xbf\x66\x47\x6b\x78\x54\x31\xa5\xe9\x31\x71\x16\x8e\x0f\xbc\xdb\xd6\xd3\xcf\x1b\xa6\x57\xec\xf1\x4b\xa6\x0f\x6e\x8f\x18\xe0\xda\x4d\x7a\x13\xdb\x33\x7b\x75\x08\xb7\xb7\xde\x2f\xf1\xde\x6a\x7b\xb9\x4e\x8b\x81\x43\xd4\xad\x61\x88\x50\x1d\x04\x30\x2c\xde\x08\x62\x90\x01\xbf\xca\x81\x0e\x55\x33\xad\xeb\x14\xa0\xee\x4c\x8d\x24\x46\x94\xe0\x91\xa5\xd1\x77\x60\x8a\x38\x50\x18\x8e\xb6\xf8\x39\xa7\xc6\x26\xd3\xdc\x39\x0b\xc9\xa0\xe9\xfa\xa3\x5c\x7d\x10\x22\x9d\x14\x38\x2e\x20\x31\xe8\xaa\x3f\x7c\xd0\x66\xbb\x6b\xc0\xe8\xf6\x25\x9d\x36\x55\x02\xa8\x5d\x13\xd7\x1b\xd1\xab\x5e\xf2\x8a\x70\x19\x25\xe2\x3b\xeb\x53\x1c\xa1\xa9\x31\x01\xa0\xdb\x35\xa6\xe8\xd7\x97\xd4\x6f\x05\x3d\x45\x62\xb0\xc3\x89\x6c\xfb\x91\x66\x98\x69\xf8\x22\x59\xc0\x73\xc4\xeb\x7b\x65\xaf\xa6\x2b\x0a\x37\xff\x5e\xad\x5b\xe5\x71\x87\xa3\x7c\xe3\xc5\xaf\x9b\x37\xd5\x0a\x89\xc2\x8f\x8f\xed\x59\x53\x17\x3f\x8d\xf1\x88\xba\x31\xf5\xdf\xd3\x97\x3e\x12\xed\xf1\x1a\xe5\x91\x7e\xb0\x65\x7b\x37\x96\xf7\x67\x84\xc0\x3c\x1a\xa1\x3a\x7b\x1a\x15\xdd\xf5\x4e\xd2\x77\x38\x7f\x7e\xa4\x05\x7b\x81\xb1\x12\x63\x91\xd5\xd3\x7a\xc2\xc8\x78\xf6\x84\x44\x61\x3d\x8c\x94\x25\x10\xe0\x3f\xfe\x6b\x68\x13\x26\x8f\x4b\x06\x7c\x87\x93\x64\x20\x23\xb5\xca\x52\xa7\xfc\xbb\x7f\x96\xf6\x75\xf8\x7b\x82\xdd\xec\x55\x07\x16\x8d\x1f\xd3\xb4\xc1\x66\xcd\x5c\xd1\x2d\x68\xa2\x66\xf1\xb2\xea\xee\x41\x59\xb9\x90\xb9\xd6\x2e\x88\x84\x47\x52\xee\x03\xff\x4a\xdc\x97\xa9\x93\x61\x8c\x0c\x85\x6c\x0c\x2b\xfe\x47\x60\x38\x9c\xef\x29\x28\x61\x25\x11\x20\xa1\xc3\x61\x47\xf3\x3f\x5a\x21\x7e\xd5\x6d\xa6\x85\x87\x21\xfc\x11\xaa\xcc\x71\x1c\xfa\x74\xe7\xd6\x0c\xb1\xe2\x72\x63\x99\x5f\xc9\xc4\x9d\xd3\xa3\x7b\x34\x87\x2a\xcd\x3b\x31\xef\x03\x1c\xd3\x9e\xa4\xe0\xff\x26\x35\xf4\x4e\x8b\x56\x1c\xbc\xdf\x20\x95\xd3\xce\xe5\x86\xd2\x96\x98\x51\x53\x64\x4b\x80\x2f\x69\xea\x2e\x11\xfa\x1e\x71\xbe\x71\x3c\x49\xe8\xa7\x47\x5f\x26\xee\xc3\xfa\xd4\x32\xcf\xee\xca\xff\x2a\x84\xa9\x1e\x3a\xd7\xcb\x6e\x2c\xea\x97\x0f\xa3\xaa\x28\x61\xc5\x57\x19\x58\x78\x3d\xc3\x39\x46\x2f\x2b\x52\x35\xe8\x13\x9e\x6f\x29\x2f\x98\xff\xaf\x46\x15\x0b\x32\xdb\xd9\x06\xb1\x3f\xf5\xd6\xa4\x5f\x44\x01\xf7\x79\x71\xdf\x4e\xcf\x24\xd7\xc9\x61\x8b\x57\xf5\xd4\x0a\x67\x4b\x4b\x2d\x4c\x7d\xa9\x29\xb5\xa1\x87\xc3\xbf\x77\x3c\x88\x2d\x48\xa3\xb9\x0a\xc1\x91\xf6\x51\xbc\xc3\x8a\xc4\x62\x26\x4e\x6d\xc4\xdb\x77\xe8\xe8\x63\x1e\x3a\xed\x0b\xd0\xd2\xc0\xb6\x2b\xaf\x69\xbd\x5e\xbd\xea\x14\x40\x25\x6d\x7d\x59\x98\xdc\xb0\xc9\xbd\x7c\x3d\x19\x1f\xd8\x25\x4e\x82\xb9\x2a\x31\x83\x60\x1a\x8d\x5a\x98\x73\x7f\x66\x31\xa7\xb3\xdd\x58\xfe\x77\xa5\x57\xcf\xc7\xb5\xd0\x03\x76\xdb\x39\xec\x53\x1d\x39\x6a\xff\xab\x1d\x89\x13\x5c\x3f\xe8\x60\xd3\x13\xa2\x40\xe6\x58\x2e\xf9\x6d\x18\x78\x17\x02\xea\xba\x44\x03\x65\x58\x29\x4b\xd3\xf2\x06\x50\x67\x49\x28\x19\x1a\xc8\x55\x36\x97\xfd\x65\x44\x75\x57\x5f\xb1\x6d\x44\x66\x19\x0c\x14\xf6\x86\xe6\xbc\xa7\xab\x1e\x91\x9c\x37\x81\x4b\xf6\xc1\xc9\x90\x51\x06\xff\x67\x3f\x1a\x4f\x59\x69\xb0\xb8\x19\x4f\x62\xb2\x1f\x0f\xe4\xe8\x98\x0b\x87\xd1\x96\x28\x13\x02\x9f\x7b\xc9\x98\xc9\x55\xde\x45\x0f\x7a\x4b\x8e\xfe\x45\x03\x6e\x88\x1b\xf9\x54\x72\x69\x21\x1e\xc7\x00\xc2\x3b\x26\x59\x01\x20\xec\xb9\x04\xfa\x41\xac\xae\x74\x2a\xfe\x32\xc7\x24\x04\xe1\x52\x0a\x0e\xea\x2d\x02\xb0\x70\x3e\xfb\x2b\x0a\x49\x50\x05\x08\x3a\xbb\x84\xa5\x9f\x20\x55\xb7\x0e\x0c\x39\x16\x0e\xf5\x9e\x03\x4c\x68\xc4\x43\x5f\x3e\x83\x8c\xa2\xff\xa3\xe3\x43\xd6", 1024); memcpy((void*)0x10000480, "\x13\x8c\xca\xa4\x5a\xd3\xdf\x6d\xa8\xa0\x39\xdc\x28\x87\xeb\xe8\x9d\xab\x7a\x81\xe1\xf6\xde\x3b\x8e\x1a\xbc\xa7\x1f\x8f\xbc\x2a", 32); *(uint32_t*)0x100004a0 = 8; *(uint8_t*)0x100004a4 = 0x40; *(uint32_t*)0x100004a8 = 0x10000000; memcpy((void*)0x10000000, "\x50\x41\x64\xa0\x18\xf8\xc2\xab\x99\x0f\xb1\x38\x24\x3a\x70\xbd\x1f\x9a\x5a\x21\x22\x6e\xb1\x8c\x83\x0c\xd2\xae\xe4\xcf\xa0\x16\x57\x54\xb3\x34\x16\x32\x30\xf4\xaa\xc7\xa1\x6f\x73\x6d\x4e\xfa\x94\xea\x1f\x02\x66\x59\x5c\xa4\x4b\xfe\xd9\x93\xe0\xae\x92\x26\xe1\x0a\x4f\xb1\x25\xbf\xc2\xae\x29\xe2\x43\x1c\x69\x72", 78); *(uint64_t*)0x100004ac = 9; *(uint64_t*)0x100004b4 = 2; *(uint64_t*)0x100004bc = 2; *(uint64_t*)0x100004c4 = 6; *(uint64_t*)0x100004cc = 0x80000000; *(uint64_t*)0x100004d4 = 0x81; *(uint64_t*)0x100004dc = 0x40; *(uint32_t*)0x100004e4 = 5; syscall(SYS_ioctl, -1, 0xc4504449, 0x10000080); break; case 1: memcpy((void*)0x10000540, "\x5a\x74\x12\x5d\x9b\x2c\x6d\xb6\xfa\x88\xcd\x72\xb2\xe4\xb4\x5a\x4b\xb5\x34\x39\x51\xf9\xde\x38\xb6\x33\x92\xff\xf5\xed\xac\x87\x95\xd2\xbe\xab\x54\x85\x38\x3a\x33\x63\x2b\xdb\xbf\x6f\x49\x6f\xf1\x38\x61\x4d\xc9\xf9\x51\x6e\x11\x1c\xc5\xaa\x45\x70\xca\x19\xd4\x49\x7b\x89\xb2\x58\xf6\x5b\x71\x0d\x4d\x3f\x4e\x1d\xaf\xe4\x3f\x70\xba\xf5\x1d\xa5\xe1\x01\x06\x98\x84\xb3\xb8\xf5\x35\x8c\xf7\xe2\x46\xd2\x4c\xdc\x12\x3b\x10\xba\x66\x05\xba\x46\xae\x51\x78\xd1\xfe\x2c\x4b\x2c\x9f\xa3\xf3\xf3\xc1\x45\xae\x60\x66\xe3\x1d\x33\x76\x85\x91\x34\x1a\xcf\x8f\xad\x90\x33\xb9\xce\xd2\x28\x13\xd2\x0d\xc7\x7e\xed\xce\x61\x9c\x7b\xb6\x5b\xa0\xa8\x89\xe0\xfe\xfb\x82\x81\xc0\xa8\x8e\xe6\x4a\x29\x74\x6b\x6f\xf0\xe9\xd2\xdb\x70\xe8\x18\x0b\xde\xe3\x80\xf0\x8f\xb1\x94\xdc\xe2\x95\xe1\xea\xa8\x93\x70\x9b\xe9\xbf\xe3\x97\x75\xc4\x23\x23\x28\x15\x9a\xd9\xc3\xaa\x42\x24\xdd\x0c\xbe\x33\x41\x14\x5b\x89\xf6\xf9\xc1\x70\xe6\x19\xf5\x90\xb0\xbf\x04\x93\xb7\x49\x73\xf4\xfb\xa6\xb9\x74\xf2\xbd\xee\x80\x6b\x5c\x60\x4c\xc8\x22\x2b\x15\x43\xf6\x69\x3a\x85\xd9\x6b\x56\xb0\x91\x10\xbb\x89\x28\xe8\x01\x6d\xfd\x30\x9b\x61\xc5\x79\xa6\xc3\x45\x88\x7f\x50\xbe\x64\x6f\x18\x28\x29\xb1\xab\x66\xa2\x7d\xb8\x12\xeb\x4c\xac\xba\x79\xbc\x9d\x98\xcb\x18\x31\x09\x40\xf7\x4a\x46\x02\xcb\x85\x69\x2b\x42\xfe\x8a\x99\xc9\x5a\xe9\x1a\x67\x19\x5c\x04\x8d\x20\x00\xae\x43\x50\xf8\x9b\xaf\xfd\x5c\x7d\x29\x2e\x22\x8f\x25\xc7\xeb\x92\x4f\xc8\x69\x3e\xe3\x85\x73\x28\x7e\x38\x9e\x35\x74\x6f\xba\xa3\x7a\xb9\xb7\x70\xb3\x51\xe3\x67\xbf\x05\xe0\x0d\x7d\xbd\x68\xdb\x30\xb8\x79\x75\x75\x7c\xb2\x51\x36\x59\x16\xcd\xa5\xa3\x63\xff\x40\xd9\x6a\xaf\x33\x23\x3b\xb1\x41\x15\xda\xb9\xef\xe4\x64\x9e\x40\xf2\xe5\xe0\x1d\xb2\xd6\x5a\x30\x43\x30\x2d\x9f\x1f\x08\x59\x5a\x44\x8c\xcc\xb7\xa7\x17\xc6\x95\x4c\x72\x33\x41\x1d\x08\xe1\x14\x0f\x2a\xc5\xfb\x62\x5c\xd1\xb6\xb6\x58\x65\x61\xe6\x6d\xed\x23\xf6\x9e\x3d\x01\x7a\x64\xbd\x22\x1f\x2d\x3f\x27\x4d\x84\x69\x40\xaa\xb4\x24\xe8\x29\x05\x0e\xe3\x3d\xd6\xce\x69\xcc\x50\xc6\x93\xad\x31\x6a\x7f\x90\x81\x73\x17\xb2\x1f\x71\x90\x16\xc3\x1c\x22\xd9\xca\x46\xcf\xcb\x46\x71\x22\x97\x9e\x8c\x55\xf6\x90\xc4\x9b\x89\xb0\x45\x64\xce\x70\xf9\x6e\xbd\x09\xed\xb4\x06\x87\x01\x7b\xe2\x1c\x8f\x56\x7d\x6b\x15\x2b\xcc\x83\x07\x36\xa9\x32\x01\x81\xd8\x8a\x97\x9e\x50\x6b\x50\xac\xb1\x48\x54\x59\x87\xb3\x61\x02\x3c\xa7\x8b\xdd\xe9\x28\x62\x40\x18\xae\xae\x51\xe3\xf8\x6c\x3b\x54\x0b\x16\x05\x1d\x38\x81\xa9\x8d\x1a\xa0\x29\x10\xc9\x44\x60\xa0\xf9\x53\x10\xc2\x5b\xf7\xa9\x96\xe4\x1c\x17\xf2\x39\x9e\x76\x03\x23\xb4\xf4\x17\xbf\xc5\x22\x5d\x70\x54\x68\x06\x6f\xaf\x90\x27\x40\x4c\x42\x71\xfc\x37\xec\xf7\x3f\x14\x70\xa9\x98\x27\x4a\x79\x28\x6b\xae\xd6\xca\x7c\x4a\x88\xc8\x27\xe9\x6b\x4e\xa9\x6f\x0b\xf2\x3f\xf9\xaf\xad\xed\x09\x37\x70\x4c\xc6\x3d\x24\xb3\xbc\xf0\xd6\x25\x51\xd7\xa8\xf3\x00\x11\x44\x37\xc6\x24\xd2\xc1\x4e\x90\xd0\x84\xae\xfe\x79\x63\xa2\xa8\x88\x82\xed\xa7\x23\xc3\x28\xc3\x60\xa2\x96\xf9\x8e\xa7\xfd\x56\x5a\x4b\x58\x22\x2c\x1b\x4e\x89\xda\xbc\x70\x78\xff\xf6\xf2\x3c\xee\xbc\xed\xb8\x81\x3d\x37\x12\xd3\xc7\xf7\xf6\xf0\x83\xfb\xb1\x9e\x72\x4a\x20\x27\xf1\x6f\x1c\x8e\x2f\x66\x01\x12\x42\x1b\xa6\x98\x69\x9a\x04\x81\x33\x0c\x0b\xac\xa6\xb7\xb8\xe4\x51\x50\x06\x17\x8e\x1b\x07\x8b\x6c\xa6\x30\x6b\x9a\xed\xf7\x3f\x0c\xe2\x2d\xa0\xa0\x63\x79\x29\xab\x2a\x91\x7c\xf6\x53\x00\xbf\x90\xf2\x37\x8a\xb6\x49\x4a\x04\xbc\xf8\x7b\x9a\xfb\x7e\xb7\x46\xfb\x01\x6c\xb6\xdb\x0b\xa3\xfa\xa8\x5c\xa8\xf5\x1b\x7e\x9b\xd8\xa9\xcd\x9c\x79\xfb\x77\x73\x0f\x0e\xaf\x32\xbe\x45\x9c\xde\x89\x8e\x32\x3a\x9e\xd5\x29\x51\xf8\xcb\xb2\x5e\xd0\x95\xb4\xd5\x3c\x02\xbb\xef\x1e\x64\x6d\xd5\x56\xa9\xb6\x9e\x2d\xd5\x5f\x5b\xba\x3c\x7e\x35\x48\xbd\x01\x22\x7f\x2b\x4d\x28\xf2\x59\x7e\x4c\xb2\xf4\x82\x32\xfa\x0a\x9a\xda\xd4\xdb\x26\xd4\x12\xf2\xc6\x98\xf0\x31\x95\xa6\x8d\x55\x48\xea\x19\x91\xfa\x68\xa7\xa2\x3d\x55\x2c\xd6\x1b\x2b\xc6\x95\x13\xb1\xcf\x73\x7c\x25\x2f\xb9\xaa\xc5\x00\x26\x2c\x9e\x47\xb9\xa6\x80\xc7\x4c\x7a\x06\x00\x83\xd5\x91\x65\x38\x69\x82\xb5\x05\x3f\x56\x83\x53\x7b\xa1\x39\xd6\x1f\x49\x4a\xc5\x01\x14\x23\x00\xef\xbc\x21\x6c\xf4\xb9\x39\x0d\xe0\xab\x29\x40\x0b\xcd\xf5\xde\xa0\x51\x56\xc1\x30\x1d\xf3\xf0", 1024); memcpy((void*)0x10000940, "\x21\xc6\x2c\xdf\x3e\x91\x52\x79\x82\x35\xfb\xe9\x46\xd7\x7d\xc7\xa7\x8f\x8e\xd9\xd9\x87\xa3\xe5\x96\x42\x36\xd1\xa7\x08\x13\x89", 32); *(uint32_t*)0x10000960 = 7; *(uint8_t*)0x10000964 = 0x85; *(uint32_t*)0x10000968 = 0x10000500; memcpy((void*)0x10000500, "\x52\xb4\x62\x2b\x0f\x6d\xc8\xee\xe7\xe2\x69\x56\xde\xb6\x65\x1f\x58\x0f\xa2\xcd", 20); *(uint64_t*)0x1000096c = 9; *(uint64_t*)0x10000974 = 0x3f; *(uint64_t*)0x1000097c = 0x401; *(uint64_t*)0x10000984 = 0x7fffffff; *(uint64_t*)0x1000098c = 0x10000000000; *(uint64_t*)0x10000994 = 0xfff; *(uint64_t*)0x1000099c = 0x100000000000000; *(uint32_t*)0x100009a4 = 1; syscall(SYS_ioctl, -1, 0xc4504441, 0x10000540); break; case 2: memcpy((void*)0x100009c0, "\x53\x74\xad\xcf\xed\x27", 6); *(uint8_t*)0x100009c6 = 0; *(uint8_t*)0x100009c7 = 0; *(uint8_t*)0x100009c8 = 0; *(uint8_t*)0x100009c9 = 0; *(uint8_t*)0x100009ca = 0; *(uint8_t*)0x100009cb = 0; *(uint16_t*)0x100009cc = htobe16(0x86dd); STORE_BY_BITMASK(uint8_t, , 0x100009ce, 9, 0, 4); STORE_BY_BITMASK(uint8_t, , 0x100009ce, 6, 4, 4); memcpy((void*)0x100009cf, "\xd8\x82\x40", 3); *(uint16_t*)0x100009d2 = htobe16(0x67); *(uint8_t*)0x100009d4 = 0x8b; *(uint8_t*)0x100009d5 = 0; *(uint8_t*)0x100009d6 = 0; *(uint8_t*)0x100009d7 = 0; *(uint8_t*)0x100009d8 = 0; *(uint8_t*)0x100009d9 = 0; *(uint8_t*)0x100009da = 0; *(uint8_t*)0x100009db = 0; *(uint8_t*)0x100009dc = 0; *(uint8_t*)0x100009dd = 0; *(uint8_t*)0x100009de = 0; *(uint8_t*)0x100009df = 0; *(uint8_t*)0x100009e0 = 0; *(uint8_t*)0x100009e1 = 0; *(uint8_t*)0x100009e2 = 0; *(uint8_t*)0x100009e3 = 0; *(uint8_t*)0x100009e4 = 0; *(uint8_t*)0x100009e5 = 0; *(uint64_t*)0x100009e6 = htobe64(0); *(uint64_t*)0x100009ee = htobe64(1); memcpy((void*)0x100009f6, "\xf4\xb4\xcf\x43\xa7\xae\xf2\x0c\x31\xe1\x4b\xee\x92\x47\x10\x30\x31\xea\x18\x0f\xfe\x19\x99\xbf\xb0\x47\xb6\x66\x12\x2e\x7a\x31\xf3\xbb\xb7\x65\x98\x4d\xd6\x6d\x00\x48\xdd\x88\x4c\x50\x46\x76\x9f\xda\x23\xd1\x69\x8a\x23\x83\x9c\xf3\xaf\xbf\x15\x30\x58\x73\xbb\x53\x43\xf5\xd2\xc9\x52\x30\xa9\x97\x26\xaf\xd8\x7d\xcd\xcd\xa4\x0d\xe7\xad\xea\xc5\x95\x4e\xc9\x3c\x0c\x6c\x3d\x66\x91\x77\xe7\xf9\x32\xbd\x8d\x98\x33", 103); break; case 3: *(uint32_t*)0x10000a80 = 0; syscall(SYS_setsockopt, 0xffffff9c, 0x84, 0x10, 0x10000a80, 4); break; case 4: res = syscall(SYS_fcntl, 0xffffff9c, 0x11, 0xffffff9c); if (res != -1) r[0] = res; break; case 5: memcpy((void*)0x10000ac0, "\x50\xe1\x6a\x4f\x17\x11\xc6\x81\xab\x66\x0d\x59\xa3\xd9\x67\xa0\x97\xbb\x87\xf0\x63\xf4\xc4\x9b\xa1\xa4\x43\x37\x3d\x02\xde\xe5\x14\x48\xa7\x9f\x1a\xcb\x5a\x80\x6f\x25\x19\x7c\x29\xa6\xad\x5c\x10\xdb\x0a\x54\x6c\x3a\x50\x14\xab\x8c\x80\xb4\xf8\x59\x4c\x1b\x9d\x42\x46\x03", 68); syscall(SYS_ioctl, (intptr_t)r[0], 0xc4704434, 0x10000ac0); break; case 6: memcpy((void*)0x10000b40, "./file0\000", 8); syscall(SYS___realpathat, (intptr_t)r[0], 0x10000b40, 0x10000b80, 5, 0); break; case 7: *(uint32_t*)0x10000c00 = 0x1c; syscall(SYS_accept, (intptr_t)r[0], 0x10000bc0, 0x10000c00); break; case 8: *(uint32_t*)0x10000c40 = 5; *(uint32_t*)0x10000c44 = 2; syscall(SYS_ioctl, (intptr_t)r[0], 0xc0084427, 0x10000c40); break; case 9: memcpy((void*)0x10000c80, "./file0\000", 8); syscall(SYS_lchmod, 0x10000c80, 2); break; case 10: *(uint8_t*)0x10000000 = 0xaa; *(uint8_t*)0x10000001 = 0xaa; *(uint8_t*)0x10000002 = 0xaa; *(uint8_t*)0x10000003 = 0xaa; *(uint8_t*)0x10000004 = 0xaa; *(uint8_t*)0x10000005 = 0xaa; *(uint8_t*)0x10000006 = 0xaa; *(uint8_t*)0x10000007 = 0xaa; *(uint8_t*)0x10000008 = 0xaa; *(uint8_t*)0x10000009 = 0xaa; *(uint8_t*)0x1000000a = 0xaa; *(uint8_t*)0x1000000b = 0xaa; *(uint16_t*)0x1000000c = htobe16(0x88a8); STORE_BY_BITMASK(uint16_t, , 0x1000000e, 1, 0, 3); STORE_BY_BITMASK(uint16_t, , 0x1000000e, 0, 3, 1); STORE_BY_BITMASK(uint16_t, , 0x1000000e, 0, 4, 12); *(uint16_t*)0x10000010 = htobe16(0x8100); STORE_BY_BITMASK(uint16_t, , 0x10000012, 2, 0, 3); STORE_BY_BITMASK(uint16_t, , 0x10000012, 0, 3, 1); STORE_BY_BITMASK(uint16_t, , 0x10000012, 1, 4, 12); *(uint16_t*)0x10000014 = htobe16(0x800); STORE_BY_BITMASK(uint8_t, , 0x10000016, 0x11, 0, 4); STORE_BY_BITMASK(uint8_t, , 0x10000016, 4, 4, 4); STORE_BY_BITMASK(uint8_t, , 0x10000017, 2, 0, 2); STORE_BY_BITMASK(uint8_t, , 0x10000017, 3, 2, 6); *(uint16_t*)0x10000018 = htobe16(0xe7); *(uint16_t*)0x1000001a = htobe16(0x66); *(uint16_t*)0x1000001c = htobe16(-1); *(uint8_t*)0x1000001e = 0; *(uint8_t*)0x1000001f = 0x5d; *(uint16_t*)0x10000020 = htobe16(0); *(uint32_t*)0x10000022 = htobe32(-1); *(uint32_t*)0x10000026 = htobe32(0xe0000001); *(uint8_t*)0x1000002a = 0x44; *(uint8_t*)0x1000002b = 6; memcpy((void*)0x1000002c, "\x01\x83\xb4\xa4", 4); *(uint8_t*)0x10000030 = 1; *(uint8_t*)0x10000031 = 1; *(uint8_t*)0x10000032 = 0x11; memcpy((void*)0x10000033, "\xdb\x1f\x84\xf6\x85\xce\x60\xf9\x1e\x89\x36\x88\xe9\x64\xb3", 15); *(uint8_t*)0x10000042 = 0x94; *(uint8_t*)0x10000043 = 6; *(uint32_t*)0x10000044 = htobe32(0x552b3dec); *(uint8_t*)0x10000048 = 0; *(uint8_t*)0x10000049 = 0x86; *(uint8_t*)0x1000004a = 0xf; memcpy((void*)0x1000004b, "\xc4\x0a\x26\x2a\xb0\x8e\xcf\x14\x8a\x55\x2a\xaa\x89", 13); *(uint8_t*)0x1000005a = 8; *(uint8_t*)0x1000005b = 0; *(uint16_t*)0x1000005c = htobe16(0); *(uint16_t*)0x1000005e = htobe16(0x1f); *(uint16_t*)0x10000060 = htobe16(0xae36); memcpy((void*)0x10000062, "\x14\x63\xe3\x81\xbd\x0e\x99\xfd\x71\x4b\xe2\x89\x0e\x54\x54\x74\x95\xf8\x6c\xac\xd7\x30\x55\x37\x6f\x19\x20\x7b\xad\x31\xa1\x37\x34\xaa\xcb\xa2\x8e\x2e\xc2\x7c\x9e\x3e\x30\xca\xe3\x44\xd1\xd5\xdc\x20\x12\x1b\x30\x0a\x45\x03\xf9\xd4\xd6\xba\x08\x66\x1f\x05\x6e\xd2\x70\xce\xcb\x2b\xd7\x24\x49\x70\x0f\xb8\xcf\xb5\x44\xca\x92\xb4\xca\x73\xae\x6f\xb3\x5c\xbc\x90\xe4\x99\x37\x75\x7e\xa5\xa5\x4d\x78\xdb\xb0\xaa\xc5\xf9\x3a\x36\xc7\xb5\xad\xc9\x75\xcd\xb1\xeb\x94\x63\x06\x5c\xde\x07\x19\x23\xf7\xf8\x77\x17\x92\xe8\xb7\x54\x1e\x60\xf7\xa9\x39\x58\xbb\x12\x8b\x93\xce\x90\xd8\x87\xfc\xb0\x62\x23\x5b\xd3\x8a\xb0\xc6\x29\x9b", 155); struct csum_inet csum_1; csum_inet_init(&csum_1); csum_inet_update(&csum_1, (const uint8_t*)0x1000005a, 163); *(uint16_t*)0x1000005c = csum_inet_digest(&csum_1); struct csum_inet csum_2; csum_inet_init(&csum_2); csum_inet_update(&csum_2, (const uint8_t*)0x10000016, 68); *(uint16_t*)0x10000020 = csum_inet_digest(&csum_2); break; case 11: memcpy((void*)0x10000100, "\xc4\xe1\x8d\x71\xf2\x8b\x66\x0f\x38\x0b\x95\xf2\x00\x00\x00\x2e\x0f\x6b\x88\x00\x00\x00\x00\x66\x0f\x71\xf3\x06\x3e\x7a\x0d\xc4\xe2\x21\x46\xae\x00\x00\x00\x00\x0f\x01\xde\xc4\xe2\xa1\x93\x64\x8e\x00\xf2\xa7\x68\xa7\x5c\x70\xc8", 57); syz_execute_func(0x10000100); break; case 12: break; } } int main(void) { syscall(SYS_mmap, 0x10000000, 0x1000000, 7, 0x1012, -1, 0); use_temporary_dir(); do_sandbox_none(); return 0; } :418:11: error: use of undeclared identifier 'SYS___realpathat' syscall(SYS___realpathat, (intptr_t)r[0], 0x10000b40, 0x10000b80, 5, 0); ^ 1 error generated. compiler invocation: clang [-o /tmp/syz-executor807819702 -DGOOS_freebsd=1 -DGOARCH_386=1 -DHOSTGOOS_freebsd=1 -x c - -m32 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -static -lc++ -Wno-overflow] --- FAIL: TestGenerate/freebsd/386/8 (1.46s) csource_test.go:123: opts: {Threaded:true Collide:false Repeat:true RepeatTimes:0 Procs:0 Sandbox:setuid Fault:false FaultCall:0 FaultNth:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false USB:false VhciInjection:false Wifi:false UseTmpDir:true HandleSegv:false Repro:false Trace:false} program: ioctl$DIOCRTSTADDRS(0xffffffffffffffff, 0xc4504449, &(0x7f0000000080)={{"c33ae1d7ace1241b1c03eaefebf74db163915a0bf1b388f6c36d59c77891254f65b0c984fc2be1b080c3b8c3d5d42292e58ea3e02d3b74272f3656e00e4d131b3b07713fd9cb86b40808514f58bbf7d626ad55439d194e4acade743a7354457424539c29442e24022a9f68154fa633c3e609a5e371789177d16a8405b3a4703f49372a512ba8ee4a3851f79b01ab4a3f3cf65f410399a271347b2c68cd28c5f5904ef5d4612399dc9e8a0829ae73c99c50f0f576bf16d38efcbf66476b785431a5e93171168e0fbcdbd6d3cf1ba657ecf14ba60f6e8f18e0da4d7a13db337b7508b7b7de2ff1de6a7bb94e8b8143d4ad6188501d04302cde08629001bfca810e5533adeb14a0ee4c8d244694e091a5d177608a3850188eb6f839a7c626d3dc390bc9a0e9faa35c7d10229d14382e2031e8aa3f7cd066bb6bc0e8f6259d365502a85d13d71bd1ab5ef28a701925e23beb531ca1a93101a0db35a6e8d797d46f053d4562b0c3896cfb91669869f82259c073c4eb7b65afa62b0a37ff5ead5be57187a37ce3c5af9b37d50a89c28f8fed5953173f8df188ba31f5dfd3973e12edf11ae5917eb0657b3796f76784c03c1aa13a7b1a15ddf54ed277387f7ea4057b81b1126391d5d37ac2c878f68444613d8c942510e03ffe6b6813268f4b067c8793642023b5ca52a7fcbb7f96f675f87b82ddec5507168d1fd3b4c166cd5cd12d68a266f1b2eaee4159b990b9d62e88844752ee03ff4adc97a993618c0c856c0c2bfe4760389cef292861251120a1c36147f33f5a217ed56da6858721fc11aacc711cfa74e7d60cb1e27263995fc9c49dd3a37b34872acd3b31ef031cd39ea4e0ff2635f44e8b561cbcdf2095d3cee586d296985153644b802f69ea2e11fa1e71be713c49e8a7475f26eec3fad432cfeecaff2a84a91e3ad7cb6e2cea970fa3aa2861c5571958783dc339462f2b5235e8139e6f292f98ffaf46150b32dbd906b13ff5d6a45f4401f77971df4ecf24d7c9618b57f5d40a674b4b2d4c7da929b5a187c3bf773c882d48a3b90ac191f651bcc38ac462264e6dc4db77e8e8631e3aed0bd0d2c0b62baf69bd5ebdea1440256d7d5998dcb0c9bd7c3d191fd8254e82b92a3183601a8d5a98737f6631a7b3dd58fe77a557cfc7b5d00376db39ec531d396affab1d89135c3fe860d313a240e6582ef96d18781702eaba44036558294bd3f20650674928191ac8553697fd654475575fb16d4466190c14f686e6bca7ab1e919c37814bf6c1c9905106ff673f1a4f5969b0b8194f62b21f0fe4e8980b87d1962813029f7bc998c955de450f7a4b8efe45036e881bf9547269211ec700c23b26590120ecb904fa41acae742afe32c72404e1520a0eea2d02b0703efb2b0a495005083abb84a59f2055b70e0c39160ef59e034c68c4435f3e838ca2ffa3e343d6", "138ccaa45ad3df6da8a039dc2887ebe89dab7a81e1f6de3b8e1abca71f8fbc2a", 0x8, 0x40}, &(0x7f0000000000)="504164a018f8c2ab990fb138243a70bd1f9a5a21226eb18c830cd2aee4cfa0165754b334163230f4aac7a16f736d4efa94ea1f0266595ca44bfed993e0ae9226e10a4fb125bfc2ae29e2431c6972", 0x9, 0x2, 0x2, 0x6, 0x80000000, 0x81, 0x40, 0x5}) ioctl$DIOCRCLRTSTATS(0xffffffffffffffff, 0xc4504441, &(0x7f0000000540)={{"5a74125d9b2c6db6fa88cd72b2e4b45a4bb5343951f9de38b63392fff5edac8795d2beab5485383a33632bdbbf6f496ff138614dc9f9516e111cc5aa4570ca19d4497b89b258f65b710d4d3f4e1dafe43f70baf51da5e101069884b3b8f5358cf7e246d24cdc123b10ba6605ba46ae5178d1fe2c4b2c9fa3f3f3c145ae6066e31d33768591341acf8fad9033b9ced22813d20dc77eedce619c7bb65ba0a889e0fefb8281c0a88ee64a29746b6ff0e9d2db70e8180bdee380f08fb194dce295e1eaa893709be9bfe39775c4232328159ad9c3aa4224dd0cbe3341145b89f6f9c170e619f590b0bf0493b74973f4fba6b974f2bdee806b5c604cc8222b1543f6693a85d96b56b09110bb8928e8016dfd309b61c579a6c345887f50be646f182829b1ab66a27db812eb4cacba79bc9d98cb18310940f74a4602cb85692b42fe8a99c95ae91a67195c048d2000ae4350f89baffd5c7d292e228f25c7eb924fc8693ee38573287e389e35746fbaa37ab9b770b351e367bf05e00d7dbd68db30b87975757cb251365916cda5a363ff40d96aaf33233bb14115dab9efe4649e40f2e5e01db2d65a3043302d9f1f08595a448cccb7a717c6954c7233411d08e1140f2ac5fb625cd1b6b6586561e66ded23f69e3d017a64bd221f2d3f274d846940aab424e829050ee33dd6ce69cc50c693ad316a7f90817317b21f719016c31c22d9ca46cfcb467122979e8c55f690c49b89b04564ce70f96ebd09edb40687017be21c8f567d6b152bcc830736a9320181d88a979e506b50acb148545987b361023ca78bdde928624018aeae51e3f86c3b540b16051d3881a98d1aa02910c94460a0f95310c25bf7a996e41c17f2399e760323b4f417bfc5225d705468066faf9027404c4271fc37ecf73f1470a998274a79286baed6ca7c4a88c827e96b4ea96f0bf23ff9afaded0937704cc63d24b3bcf0d62551d7a8f300114437c624d2c14e90d084aefe7963a2a88882eda723c328c360a296f98ea7fd565a4b58222c1b4e89dabc7078fff6f23ceebcedb8813d3712d3c7f7f6f083fbb19e724a2027f16f1c8e2f660112421ba698699a0481330c0baca6b7b8e4515006178e1b078b6ca6306b9aedf73f0ce22da0a0637929ab2a917cf65300bf90f2378ab6494a04bcf87b9afb7eb746fb016cb6db0ba3faa85ca8f51b7e9bd8a9cd9c79fb77730f0eaf32be459cde898e323a9ed52951f8cbb25ed095b4d53c02bbef1e646dd556a9b69e2dd55f5bba3c7e3548bd01227f2b4d28f2597e4cb2f48232fa0a9adad4db26d412f2c698f03195a68d5548ea1991fa68a7a23d552cd61b2bc69513b1cf737c252fb9aac500262c9e47b9a680c74c7a060083d59165386982b5053f5683537ba139d61f494ac501142300efbc216cf4b9390de0ab29400bcdf5dea05156c1301df3f0", "21c62cdf3e9152798235fbe946d77dc7a78f8ed9d987a3e5964236d1a7081389", 0x7, 0x85}, &(0x7f0000000500)="52b4622b0f6dc8eee7e26956deb6651f580fa2cd", 0x9, 0x3f, 0x401, 0x7fffffff, 0x10000000000, 0xfff, 0x100000000000000, 0x1}) syz_emit_ethernet(0x9d, &(0x7f00000009c0)={@random="5374adcfed27", @empty, [], {@ipv6={0x86dd, {0x9, 0x6, "d88240", 0x67, 0x8b, 0x0, @empty, @loopback, {[], @generic="f4b4cf43a7aef20c31e14bee9247103031ea180ffe1999bfb047b666122e7a31f3bbb765984dd66d0048dd884c5046769fda23d1698a23839cf3afbf15305873bb5343f5d2c95230a99726afd87dcdcda40de7adeac5954ec93c0c6c3d669177e7f932bd8d9833"}}}}}) setsockopt$inet_sctp_SCTP_FRAGMENT_INTERLEAVE(0xffffffffffffff9c, 0x84, 0x10, &(0x7f0000000a80), 0x4) r0 = fcntl$dupfd(0xffffffffffffff9c, 0x11, 0xffffffffffffff9c) ioctl$DIOCADDADDR(r0, 0xc4704434, &(0x7f0000000ac0)="50e16a4f1711c681ab660d59a3d967a097bb87f063f4c49ba1a443373d02dee51448a79f1acb5a806f25197c29a6ad5c10db0a546c3a5014ab8c80b4f8594c1b9d424603") __realpathat(r0, &(0x7f0000000b40)='./file0\x00', &(0x7f0000000b80)=""/5, 0x5, 0x0) accept(r0, &(0x7f0000000bc0)=@in6={0x1c, 0x1c, 0xffffffffffffffff, 0x0, @loopback}, &(0x7f0000000c00)=0x1c) ioctl$DIOCGETLIMIT(r0, 0xc0084427, &(0x7f0000000c40)={0x5, 0x2}) lchmod(&(0x7f0000000c80)='./file0\x00', 0x2) syz_emit_ethernet(0xfd, &(0x7f0000000000)={@local, @local, [{[{0x88a8, 0x1}], {0x8100, 0x2, 0x0, 0x1}}], {@ipv4={0x800, {{0x11, 0x4, 0x2, 0x3, 0xe7, 0x66, 0xffff, 0x0, 0x5d, 0x0, @broadcast, @multicast1, {[@generic={0x44, 0x6, "0183b4a4"}, @noop, @generic={0x1, 0x11, "db1f84f685ce60f91e893688e964b3"}, @ra={0x94, 0x6, 0x552b3dec}, @end, @generic={0x86, 0xf, "c40a262ab08ecf148a552aaa89"}]}}, @icmp=@echo={0x8, 0x0, 0x0, 0x1f, 0xae36, "1463e381bd0e99fd714be2890e54547495f86cacd73055376f19207bad31a13734aacba28e2ec27c9e3e30cae344d1d5dc20121b300a4503f9d4d6ba08661f056ed270cecb2bd72449700fb8cfb544ca92b4ca73ae6fb35cbc90e49937757ea5a54d78dbb0aac5f93a36c7b5adc975cdb1eb9463065cde071923f7f8771792e8b7541e60f7a93958bb128b93ce90d887fcb062235bd38ab0c6299b"}}}}}) syz_execute_func(&(0x7f0000000100)="c4e18d71f28b660f380b95f20000002e0f6b8800000000660f71f3063e7a0dc4e22146ae000000000f01dec4e2a193648e00f2a768a75c70c8") syz_extract_tcp_res(&(0x7f0000000140), 0x62, 0x8001) csource_test.go:124: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include static void kill_and_wait(int pid, int* status) { kill(pid, SIGKILL); while (waitpid(-1, status, 0) != pid) { } } static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void use_temporary_dir(void) { char tmpdir_template[] = "./syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) exit(1); if (chmod(tmpdir, 0777)) exit(1); if (chdir(tmpdir)) exit(1); } static void __attribute__((noinline)) remove_dir(const char* dir) { DIR* dp = opendir(dir); if (dp == NULL) { if (errno == EACCES) { if (rmdir(dir)) exit(1); return; } exit(1); } struct dirent* ep = 0; while ((ep = readdir(dp))) { if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0) continue; char filename[FILENAME_MAX]; snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name); struct stat st; if (lstat(filename, &st)) exit(1); if (S_ISDIR(st.st_mode)) { remove_dir(filename); continue; } if (unlink(filename)) exit(1); } closedir(dp); if (rmdir(dir)) exit(1); } static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); pthread_attr_setstacksize(&attr, 128 << 10); int i = 0; for (; i < 100; i++) { if (pthread_create(&th, &attr, fn, arg) == 0) { pthread_attr_destroy(&attr); return; } if (errno == EAGAIN) { usleep(50); continue; } break; } exit(1); } typedef struct { pthread_mutex_t mu; pthread_cond_t cv; int state; } event_t; static void event_init(event_t* ev) { if (pthread_mutex_init(&ev->mu, 0)) exit(1); if (pthread_cond_init(&ev->cv, 0)) exit(1); ev->state = 0; } static void event_reset(event_t* ev) { ev->state = 0; } static void event_set(event_t* ev) { pthread_mutex_lock(&ev->mu); if (ev->state) exit(1); ev->state = 1; pthread_mutex_unlock(&ev->mu); pthread_cond_broadcast(&ev->cv); } static void event_wait(event_t* ev) { pthread_mutex_lock(&ev->mu); while (!ev->state) pthread_cond_wait(&ev->cv, &ev->mu); pthread_mutex_unlock(&ev->mu); } static int event_isset(event_t* ev) { pthread_mutex_lock(&ev->mu); int res = ev->state; pthread_mutex_unlock(&ev->mu); return res; } static int event_timedwait(event_t* ev, uint64_t timeout) { uint64_t start = current_time_ms(); uint64_t now = start; pthread_mutex_lock(&ev->mu); for (;;) { if (ev->state) break; uint64_t remain = timeout - (now - start); struct timespec ts; ts.tv_sec = remain / 1000; ts.tv_nsec = (remain % 1000) * 1000 * 1000; pthread_cond_timedwait(&ev->cv, &ev->mu, &ts); now = current_time_ms(); if (now - start > timeout) break; } int res = ev->state; pthread_mutex_unlock(&ev->mu); return res; } #define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off)) #define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len)))) struct csum_inet { uint32_t acc; }; static void csum_inet_init(struct csum_inet* csum) { csum->acc = 0; } static void csum_inet_update(struct csum_inet* csum, const uint8_t* data, size_t length) { if (length == 0) return; size_t i = 0; for (; i < length - 1; i += 2) csum->acc += *(uint16_t*)&data[i]; if (length & 1) csum->acc += le16toh((uint16_t)data[length - 1]); while (csum->acc > 0xffff) csum->acc = (csum->acc & 0xffff) + (csum->acc >> 16); } static uint16_t csum_inet_digest(struct csum_inet* csum) { return ~csum->acc; } static void sandbox_common() { if (setsid() == -1) exit(1); struct rlimit rlim; rlim.rlim_cur = rlim.rlim_max = 128 << 20; setrlimit(RLIMIT_AS, &rlim); rlim.rlim_cur = rlim.rlim_max = 8 << 20; setrlimit(RLIMIT_MEMLOCK, &rlim); rlim.rlim_cur = rlim.rlim_max = 1 << 20; setrlimit(RLIMIT_FSIZE, &rlim); rlim.rlim_cur = rlim.rlim_max = 1 << 20; setrlimit(RLIMIT_STACK, &rlim); rlim.rlim_cur = rlim.rlim_max = 0; setrlimit(RLIMIT_CORE, &rlim); rlim.rlim_cur = rlim.rlim_max = 256; setrlimit(RLIMIT_NOFILE, &rlim); } static void loop(); static int wait_for_loop(int pid) { if (pid < 0) exit(1); int status = 0; while (waitpid(-1, &status, WUNTRACED) != pid) { } return WEXITSTATUS(status); } static int do_sandbox_setuid(void) { int pid = fork(); if (pid != 0) return wait_for_loop(pid); sandbox_common(); char pwbuf[1024]; struct passwd *pw, pwres; if (getpwnam_r("nobody", &pwres, pwbuf, sizeof(pwbuf), &pw) != 0 || !pw) exit(1); if (setgroups(0, NULL)) exit(1); if (setgid(pw->pw_gid)) exit(1); if (setuid(pw->pw_uid)) exit(1); loop(); exit(1); } static long syz_execute_func(volatile long text) { ((void (*)(void))(text))(); return 0; } struct thread_t { int created, call; event_t ready, done; }; static struct thread_t threads[16]; static void execute_call(int call); static int running; static void* thr(void* arg) { struct thread_t* th = (struct thread_t*)arg; for (;;) { event_wait(&th->ready); event_reset(&th->ready); execute_call(th->call); __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED); event_set(&th->done); } return 0; } static void execute_one(void) { int i, call, thread; for (call = 0; call < 13; call++) { for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) { struct thread_t* th = &threads[thread]; if (!th->created) { th->created = 1; event_init(&th->ready); event_init(&th->done); event_set(&th->done); thread_start(thr, th); } if (!event_isset(&th->done)) continue; event_reset(&th->done); th->call = call; __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED); event_set(&th->ready); event_timedwait(&th->done, 45); break; } } for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++) sleep_ms(1); } static void execute_one(void); #define WAIT_FLAGS 0 static void loop(void) { int iter = 0; for (;; iter++) { char cwdbuf[32]; sprintf(cwdbuf, "./%d", iter); if (mkdir(cwdbuf, 0777)) exit(1); int pid = fork(); if (pid < 0) exit(1); if (pid == 0) { if (chdir(cwdbuf)) exit(1); execute_one(); exit(0); } int status = 0; uint64_t start = current_time_ms(); for (;;) { if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) break; sleep_ms(1); if (current_time_ms() - start < 5 * 1000) continue; kill_and_wait(pid, &status); break; } remove_dir(cwdbuf); } } uint64_t r[1] = {0xffffffffffffffff}; void execute_call(int call) { intptr_t res = 0; switch (call) { case 0: memcpy((void*)0x10000080, "\xc3\x3a\xe1\xd7\xac\xe1\x24\x1b\x1c\x03\xea\xef\xeb\xf7\x4d\xb1\x63\x91\x5a\x0b\xf1\xb3\x88\xf6\xc3\x6d\x59\xc7\x78\x91\x25\x4f\x65\xb0\xc9\x84\xfc\x2b\xe1\xb0\x80\xc3\xb8\xc3\xd5\xd4\x22\x92\xe5\x8e\xa3\xe0\x2d\x3b\x74\x27\x2f\x36\x56\xe0\x0e\x4d\x13\x1b\x3b\x07\x71\x3f\xd9\xcb\x86\xb4\x08\x08\x51\x4f\x58\xbb\xf7\xd6\x26\xad\x55\x43\x9d\x19\x4e\x4a\xca\xde\x74\x3a\x73\x54\x45\x74\x24\x53\x9c\x29\x44\x2e\x24\x02\x2a\x9f\x68\x15\x4f\xa6\x33\xc3\xe6\x09\xa5\xe3\x71\x78\x91\x77\xd1\x6a\x84\x05\xb3\xa4\x70\x3f\x49\x37\x2a\x51\x2b\xa8\xee\x4a\x38\x51\xf7\x9b\x01\xab\x4a\x3f\x3c\xf6\x5f\x41\x03\x99\xa2\x71\x34\x7b\x2c\x68\xcd\x28\xc5\xf5\x90\x4e\xf5\xd4\x61\x23\x99\xdc\x9e\x8a\x08\x29\xae\x73\xc9\x9c\x50\xf0\xf5\x76\xbf\x16\xd3\x8e\xfc\xbf\x66\x47\x6b\x78\x54\x31\xa5\xe9\x31\x71\x16\x8e\x0f\xbc\xdb\xd6\xd3\xcf\x1b\xa6\x57\xec\xf1\x4b\xa6\x0f\x6e\x8f\x18\xe0\xda\x4d\x7a\x13\xdb\x33\x7b\x75\x08\xb7\xb7\xde\x2f\xf1\xde\x6a\x7b\xb9\x4e\x8b\x81\x43\xd4\xad\x61\x88\x50\x1d\x04\x30\x2c\xde\x08\x62\x90\x01\xbf\xca\x81\x0e\x55\x33\xad\xeb\x14\xa0\xee\x4c\x8d\x24\x46\x94\xe0\x91\xa5\xd1\x77\x60\x8a\x38\x50\x18\x8e\xb6\xf8\x39\xa7\xc6\x26\xd3\xdc\x39\x0b\xc9\xa0\xe9\xfa\xa3\x5c\x7d\x10\x22\x9d\x14\x38\x2e\x20\x31\xe8\xaa\x3f\x7c\xd0\x66\xbb\x6b\xc0\xe8\xf6\x25\x9d\x36\x55\x02\xa8\x5d\x13\xd7\x1b\xd1\xab\x5e\xf2\x8a\x70\x19\x25\xe2\x3b\xeb\x53\x1c\xa1\xa9\x31\x01\xa0\xdb\x35\xa6\xe8\xd7\x97\xd4\x6f\x05\x3d\x45\x62\xb0\xc3\x89\x6c\xfb\x91\x66\x98\x69\xf8\x22\x59\xc0\x73\xc4\xeb\x7b\x65\xaf\xa6\x2b\x0a\x37\xff\x5e\xad\x5b\xe5\x71\x87\xa3\x7c\xe3\xc5\xaf\x9b\x37\xd5\x0a\x89\xc2\x8f\x8f\xed\x59\x53\x17\x3f\x8d\xf1\x88\xba\x31\xf5\xdf\xd3\x97\x3e\x12\xed\xf1\x1a\xe5\x91\x7e\xb0\x65\x7b\x37\x96\xf7\x67\x84\xc0\x3c\x1a\xa1\x3a\x7b\x1a\x15\xdd\xf5\x4e\xd2\x77\x38\x7f\x7e\xa4\x05\x7b\x81\xb1\x12\x63\x91\xd5\xd3\x7a\xc2\xc8\x78\xf6\x84\x44\x61\x3d\x8c\x94\x25\x10\xe0\x3f\xfe\x6b\x68\x13\x26\x8f\x4b\x06\x7c\x87\x93\x64\x20\x23\xb5\xca\x52\xa7\xfc\xbb\x7f\x96\xf6\x75\xf8\x7b\x82\xdd\xec\x55\x07\x16\x8d\x1f\xd3\xb4\xc1\x66\xcd\x5c\xd1\x2d\x68\xa2\x66\xf1\xb2\xea\xee\x41\x59\xb9\x90\xb9\xd6\x2e\x88\x84\x47\x52\xee\x03\xff\x4a\xdc\x97\xa9\x93\x61\x8c\x0c\x85\x6c\x0c\x2b\xfe\x47\x60\x38\x9c\xef\x29\x28\x61\x25\x11\x20\xa1\xc3\x61\x47\xf3\x3f\x5a\x21\x7e\xd5\x6d\xa6\x85\x87\x21\xfc\x11\xaa\xcc\x71\x1c\xfa\x74\xe7\xd6\x0c\xb1\xe2\x72\x63\x99\x5f\xc9\xc4\x9d\xd3\xa3\x7b\x34\x87\x2a\xcd\x3b\x31\xef\x03\x1c\xd3\x9e\xa4\xe0\xff\x26\x35\xf4\x4e\x8b\x56\x1c\xbc\xdf\x20\x95\xd3\xce\xe5\x86\xd2\x96\x98\x51\x53\x64\x4b\x80\x2f\x69\xea\x2e\x11\xfa\x1e\x71\xbe\x71\x3c\x49\xe8\xa7\x47\x5f\x26\xee\xc3\xfa\xd4\x32\xcf\xee\xca\xff\x2a\x84\xa9\x1e\x3a\xd7\xcb\x6e\x2c\xea\x97\x0f\xa3\xaa\x28\x61\xc5\x57\x19\x58\x78\x3d\xc3\x39\x46\x2f\x2b\x52\x35\xe8\x13\x9e\x6f\x29\x2f\x98\xff\xaf\x46\x15\x0b\x32\xdb\xd9\x06\xb1\x3f\xf5\xd6\xa4\x5f\x44\x01\xf7\x79\x71\xdf\x4e\xcf\x24\xd7\xc9\x61\x8b\x57\xf5\xd4\x0a\x67\x4b\x4b\x2d\x4c\x7d\xa9\x29\xb5\xa1\x87\xc3\xbf\x77\x3c\x88\x2d\x48\xa3\xb9\x0a\xc1\x91\xf6\x51\xbc\xc3\x8a\xc4\x62\x26\x4e\x6d\xc4\xdb\x77\xe8\xe8\x63\x1e\x3a\xed\x0b\xd0\xd2\xc0\xb6\x2b\xaf\x69\xbd\x5e\xbd\xea\x14\x40\x25\x6d\x7d\x59\x98\xdc\xb0\xc9\xbd\x7c\x3d\x19\x1f\xd8\x25\x4e\x82\xb9\x2a\x31\x83\x60\x1a\x8d\x5a\x98\x73\x7f\x66\x31\xa7\xb3\xdd\x58\xfe\x77\xa5\x57\xcf\xc7\xb5\xd0\x03\x76\xdb\x39\xec\x53\x1d\x39\x6a\xff\xab\x1d\x89\x13\x5c\x3f\xe8\x60\xd3\x13\xa2\x40\xe6\x58\x2e\xf9\x6d\x18\x78\x17\x02\xea\xba\x44\x03\x65\x58\x29\x4b\xd3\xf2\x06\x50\x67\x49\x28\x19\x1a\xc8\x55\x36\x97\xfd\x65\x44\x75\x57\x5f\xb1\x6d\x44\x66\x19\x0c\x14\xf6\x86\xe6\xbc\xa7\xab\x1e\x91\x9c\x37\x81\x4b\xf6\xc1\xc9\x90\x51\x06\xff\x67\x3f\x1a\x4f\x59\x69\xb0\xb8\x19\x4f\x62\xb2\x1f\x0f\xe4\xe8\x98\x0b\x87\xd1\x96\x28\x13\x02\x9f\x7b\xc9\x98\xc9\x55\xde\x45\x0f\x7a\x4b\x8e\xfe\x45\x03\x6e\x88\x1b\xf9\x54\x72\x69\x21\x1e\xc7\x00\xc2\x3b\x26\x59\x01\x20\xec\xb9\x04\xfa\x41\xac\xae\x74\x2a\xfe\x32\xc7\x24\x04\xe1\x52\x0a\x0e\xea\x2d\x02\xb0\x70\x3e\xfb\x2b\x0a\x49\x50\x05\x08\x3a\xbb\x84\xa5\x9f\x20\x55\xb7\x0e\x0c\x39\x16\x0e\xf5\x9e\x03\x4c\x68\xc4\x43\x5f\x3e\x83\x8c\xa2\xff\xa3\xe3\x43\xd6", 1024); memcpy((void*)0x10000480, "\x13\x8c\xca\xa4\x5a\xd3\xdf\x6d\xa8\xa0\x39\xdc\x28\x87\xeb\xe8\x9d\xab\x7a\x81\xe1\xf6\xde\x3b\x8e\x1a\xbc\xa7\x1f\x8f\xbc\x2a", 32); *(uint32_t*)0x100004a0 = 8; *(uint8_t*)0x100004a4 = 0x40; *(uint32_t*)0x100004a8 = 0x10000000; memcpy((void*)0x10000000, "\x50\x41\x64\xa0\x18\xf8\xc2\xab\x99\x0f\xb1\x38\x24\x3a\x70\xbd\x1f\x9a\x5a\x21\x22\x6e\xb1\x8c\x83\x0c\xd2\xae\xe4\xcf\xa0\x16\x57\x54\xb3\x34\x16\x32\x30\xf4\xaa\xc7\xa1\x6f\x73\x6d\x4e\xfa\x94\xea\x1f\x02\x66\x59\x5c\xa4\x4b\xfe\xd9\x93\xe0\xae\x92\x26\xe1\x0a\x4f\xb1\x25\xbf\xc2\xae\x29\xe2\x43\x1c\x69\x72", 78); *(uint64_t*)0x100004ac = 9; *(uint64_t*)0x100004b4 = 2; *(uint64_t*)0x100004bc = 2; *(uint64_t*)0x100004c4 = 6; *(uint64_t*)0x100004cc = 0x80000000; *(uint64_t*)0x100004d4 = 0x81; *(uint64_t*)0x100004dc = 0x40; *(uint32_t*)0x100004e4 = 5; syscall(SYS_ioctl, -1, 0xc4504449, 0x10000080); break; case 1: memcpy((void*)0x10000540, "\x5a\x74\x12\x5d\x9b\x2c\x6d\xb6\xfa\x88\xcd\x72\xb2\xe4\xb4\x5a\x4b\xb5\x34\x39\x51\xf9\xde\x38\xb6\x33\x92\xff\xf5\xed\xac\x87\x95\xd2\xbe\xab\x54\x85\x38\x3a\x33\x63\x2b\xdb\xbf\x6f\x49\x6f\xf1\x38\x61\x4d\xc9\xf9\x51\x6e\x11\x1c\xc5\xaa\x45\x70\xca\x19\xd4\x49\x7b\x89\xb2\x58\xf6\x5b\x71\x0d\x4d\x3f\x4e\x1d\xaf\xe4\x3f\x70\xba\xf5\x1d\xa5\xe1\x01\x06\x98\x84\xb3\xb8\xf5\x35\x8c\xf7\xe2\x46\xd2\x4c\xdc\x12\x3b\x10\xba\x66\x05\xba\x46\xae\x51\x78\xd1\xfe\x2c\x4b\x2c\x9f\xa3\xf3\xf3\xc1\x45\xae\x60\x66\xe3\x1d\x33\x76\x85\x91\x34\x1a\xcf\x8f\xad\x90\x33\xb9\xce\xd2\x28\x13\xd2\x0d\xc7\x7e\xed\xce\x61\x9c\x7b\xb6\x5b\xa0\xa8\x89\xe0\xfe\xfb\x82\x81\xc0\xa8\x8e\xe6\x4a\x29\x74\x6b\x6f\xf0\xe9\xd2\xdb\x70\xe8\x18\x0b\xde\xe3\x80\xf0\x8f\xb1\x94\xdc\xe2\x95\xe1\xea\xa8\x93\x70\x9b\xe9\xbf\xe3\x97\x75\xc4\x23\x23\x28\x15\x9a\xd9\xc3\xaa\x42\x24\xdd\x0c\xbe\x33\x41\x14\x5b\x89\xf6\xf9\xc1\x70\xe6\x19\xf5\x90\xb0\xbf\x04\x93\xb7\x49\x73\xf4\xfb\xa6\xb9\x74\xf2\xbd\xee\x80\x6b\x5c\x60\x4c\xc8\x22\x2b\x15\x43\xf6\x69\x3a\x85\xd9\x6b\x56\xb0\x91\x10\xbb\x89\x28\xe8\x01\x6d\xfd\x30\x9b\x61\xc5\x79\xa6\xc3\x45\x88\x7f\x50\xbe\x64\x6f\x18\x28\x29\xb1\xab\x66\xa2\x7d\xb8\x12\xeb\x4c\xac\xba\x79\xbc\x9d\x98\xcb\x18\x31\x09\x40\xf7\x4a\x46\x02\xcb\x85\x69\x2b\x42\xfe\x8a\x99\xc9\x5a\xe9\x1a\x67\x19\x5c\x04\x8d\x20\x00\xae\x43\x50\xf8\x9b\xaf\xfd\x5c\x7d\x29\x2e\x22\x8f\x25\xc7\xeb\x92\x4f\xc8\x69\x3e\xe3\x85\x73\x28\x7e\x38\x9e\x35\x74\x6f\xba\xa3\x7a\xb9\xb7\x70\xb3\x51\xe3\x67\xbf\x05\xe0\x0d\x7d\xbd\x68\xdb\x30\xb8\x79\x75\x75\x7c\xb2\x51\x36\x59\x16\xcd\xa5\xa3\x63\xff\x40\xd9\x6a\xaf\x33\x23\x3b\xb1\x41\x15\xda\xb9\xef\xe4\x64\x9e\x40\xf2\xe5\xe0\x1d\xb2\xd6\x5a\x30\x43\x30\x2d\x9f\x1f\x08\x59\x5a\x44\x8c\xcc\xb7\xa7\x17\xc6\x95\x4c\x72\x33\x41\x1d\x08\xe1\x14\x0f\x2a\xc5\xfb\x62\x5c\xd1\xb6\xb6\x58\x65\x61\xe6\x6d\xed\x23\xf6\x9e\x3d\x01\x7a\x64\xbd\x22\x1f\x2d\x3f\x27\x4d\x84\x69\x40\xaa\xb4\x24\xe8\x29\x05\x0e\xe3\x3d\xd6\xce\x69\xcc\x50\xc6\x93\xad\x31\x6a\x7f\x90\x81\x73\x17\xb2\x1f\x71\x90\x16\xc3\x1c\x22\xd9\xca\x46\xcf\xcb\x46\x71\x22\x97\x9e\x8c\x55\xf6\x90\xc4\x9b\x89\xb0\x45\x64\xce\x70\xf9\x6e\xbd\x09\xed\xb4\x06\x87\x01\x7b\xe2\x1c\x8f\x56\x7d\x6b\x15\x2b\xcc\x83\x07\x36\xa9\x32\x01\x81\xd8\x8a\x97\x9e\x50\x6b\x50\xac\xb1\x48\x54\x59\x87\xb3\x61\x02\x3c\xa7\x8b\xdd\xe9\x28\x62\x40\x18\xae\xae\x51\xe3\xf8\x6c\x3b\x54\x0b\x16\x05\x1d\x38\x81\xa9\x8d\x1a\xa0\x29\x10\xc9\x44\x60\xa0\xf9\x53\x10\xc2\x5b\xf7\xa9\x96\xe4\x1c\x17\xf2\x39\x9e\x76\x03\x23\xb4\xf4\x17\xbf\xc5\x22\x5d\x70\x54\x68\x06\x6f\xaf\x90\x27\x40\x4c\x42\x71\xfc\x37\xec\xf7\x3f\x14\x70\xa9\x98\x27\x4a\x79\x28\x6b\xae\xd6\xca\x7c\x4a\x88\xc8\x27\xe9\x6b\x4e\xa9\x6f\x0b\xf2\x3f\xf9\xaf\xad\xed\x09\x37\x70\x4c\xc6\x3d\x24\xb3\xbc\xf0\xd6\x25\x51\xd7\xa8\xf3\x00\x11\x44\x37\xc6\x24\xd2\xc1\x4e\x90\xd0\x84\xae\xfe\x79\x63\xa2\xa8\x88\x82\xed\xa7\x23\xc3\x28\xc3\x60\xa2\x96\xf9\x8e\xa7\xfd\x56\x5a\x4b\x58\x22\x2c\x1b\x4e\x89\xda\xbc\x70\x78\xff\xf6\xf2\x3c\xee\xbc\xed\xb8\x81\x3d\x37\x12\xd3\xc7\xf7\xf6\xf0\x83\xfb\xb1\x9e\x72\x4a\x20\x27\xf1\x6f\x1c\x8e\x2f\x66\x01\x12\x42\x1b\xa6\x98\x69\x9a\x04\x81\x33\x0c\x0b\xac\xa6\xb7\xb8\xe4\x51\x50\x06\x17\x8e\x1b\x07\x8b\x6c\xa6\x30\x6b\x9a\xed\xf7\x3f\x0c\xe2\x2d\xa0\xa0\x63\x79\x29\xab\x2a\x91\x7c\xf6\x53\x00\xbf\x90\xf2\x37\x8a\xb6\x49\x4a\x04\xbc\xf8\x7b\x9a\xfb\x7e\xb7\x46\xfb\x01\x6c\xb6\xdb\x0b\xa3\xfa\xa8\x5c\xa8\xf5\x1b\x7e\x9b\xd8\xa9\xcd\x9c\x79\xfb\x77\x73\x0f\x0e\xaf\x32\xbe\x45\x9c\xde\x89\x8e\x32\x3a\x9e\xd5\x29\x51\xf8\xcb\xb2\x5e\xd0\x95\xb4\xd5\x3c\x02\xbb\xef\x1e\x64\x6d\xd5\x56\xa9\xb6\x9e\x2d\xd5\x5f\x5b\xba\x3c\x7e\x35\x48\xbd\x01\x22\x7f\x2b\x4d\x28\xf2\x59\x7e\x4c\xb2\xf4\x82\x32\xfa\x0a\x9a\xda\xd4\xdb\x26\xd4\x12\xf2\xc6\x98\xf0\x31\x95\xa6\x8d\x55\x48\xea\x19\x91\xfa\x68\xa7\xa2\x3d\x55\x2c\xd6\x1b\x2b\xc6\x95\x13\xb1\xcf\x73\x7c\x25\x2f\xb9\xaa\xc5\x00\x26\x2c\x9e\x47\xb9\xa6\x80\xc7\x4c\x7a\x06\x00\x83\xd5\x91\x65\x38\x69\x82\xb5\x05\x3f\x56\x83\x53\x7b\xa1\x39\xd6\x1f\x49\x4a\xc5\x01\x14\x23\x00\xef\xbc\x21\x6c\xf4\xb9\x39\x0d\xe0\xab\x29\x40\x0b\xcd\xf5\xde\xa0\x51\x56\xc1\x30\x1d\xf3\xf0", 1024); memcpy((void*)0x10000940, "\x21\xc6\x2c\xdf\x3e\x91\x52\x79\x82\x35\xfb\xe9\x46\xd7\x7d\xc7\xa7\x8f\x8e\xd9\xd9\x87\xa3\xe5\x96\x42\x36\xd1\xa7\x08\x13\x89", 32); *(uint32_t*)0x10000960 = 7; *(uint8_t*)0x10000964 = 0x85; *(uint32_t*)0x10000968 = 0x10000500; memcpy((void*)0x10000500, "\x52\xb4\x62\x2b\x0f\x6d\xc8\xee\xe7\xe2\x69\x56\xde\xb6\x65\x1f\x58\x0f\xa2\xcd", 20); *(uint64_t*)0x1000096c = 9; *(uint64_t*)0x10000974 = 0x3f; *(uint64_t*)0x1000097c = 0x401; *(uint64_t*)0x10000984 = 0x7fffffff; *(uint64_t*)0x1000098c = 0x10000000000; *(uint64_t*)0x10000994 = 0xfff; *(uint64_t*)0x1000099c = 0x100000000000000; *(uint32_t*)0x100009a4 = 1; syscall(SYS_ioctl, -1, 0xc4504441, 0x10000540); break; case 2: memcpy((void*)0x100009c0, "\x53\x74\xad\xcf\xed\x27", 6); *(uint8_t*)0x100009c6 = 0; *(uint8_t*)0x100009c7 = 0; *(uint8_t*)0x100009c8 = 0; *(uint8_t*)0x100009c9 = 0; *(uint8_t*)0x100009ca = 0; *(uint8_t*)0x100009cb = 0; *(uint16_t*)0x100009cc = htobe16(0x86dd); STORE_BY_BITMASK(uint8_t, , 0x100009ce, 9, 0, 4); STORE_BY_BITMASK(uint8_t, , 0x100009ce, 6, 4, 4); memcpy((void*)0x100009cf, "\xd8\x82\x40", 3); *(uint16_t*)0x100009d2 = htobe16(0x67); *(uint8_t*)0x100009d4 = 0x8b; *(uint8_t*)0x100009d5 = 0; *(uint8_t*)0x100009d6 = 0; *(uint8_t*)0x100009d7 = 0; *(uint8_t*)0x100009d8 = 0; *(uint8_t*)0x100009d9 = 0; *(uint8_t*)0x100009da = 0; *(uint8_t*)0x100009db = 0; *(uint8_t*)0x100009dc = 0; *(uint8_t*)0x100009dd = 0; *(uint8_t*)0x100009de = 0; *(uint8_t*)0x100009df = 0; *(uint8_t*)0x100009e0 = 0; *(uint8_t*)0x100009e1 = 0; *(uint8_t*)0x100009e2 = 0; *(uint8_t*)0x100009e3 = 0; *(uint8_t*)0x100009e4 = 0; *(uint8_t*)0x100009e5 = 0; *(uint64_t*)0x100009e6 = htobe64(0); *(uint64_t*)0x100009ee = htobe64(1); memcpy((void*)0x100009f6, "\xf4\xb4\xcf\x43\xa7\xae\xf2\x0c\x31\xe1\x4b\xee\x92\x47\x10\x30\x31\xea\x18\x0f\xfe\x19\x99\xbf\xb0\x47\xb6\x66\x12\x2e\x7a\x31\xf3\xbb\xb7\x65\x98\x4d\xd6\x6d\x00\x48\xdd\x88\x4c\x50\x46\x76\x9f\xda\x23\xd1\x69\x8a\x23\x83\x9c\xf3\xaf\xbf\x15\x30\x58\x73\xbb\x53\x43\xf5\xd2\xc9\x52\x30\xa9\x97\x26\xaf\xd8\x7d\xcd\xcd\xa4\x0d\xe7\xad\xea\xc5\x95\x4e\xc9\x3c\x0c\x6c\x3d\x66\x91\x77\xe7\xf9\x32\xbd\x8d\x98\x33", 103); break; case 3: *(uint32_t*)0x10000a80 = 0; syscall(SYS_setsockopt, 0xffffff9c, 0x84, 0x10, 0x10000a80, 4); break; case 4: res = syscall(SYS_fcntl, 0xffffff9c, 0x11, 0xffffff9c); if (res != -1) r[0] = res; break; case 5: memcpy((void*)0x10000ac0, "\x50\xe1\x6a\x4f\x17\x11\xc6\x81\xab\x66\x0d\x59\xa3\xd9\x67\xa0\x97\xbb\x87\xf0\x63\xf4\xc4\x9b\xa1\xa4\x43\x37\x3d\x02\xde\xe5\x14\x48\xa7\x9f\x1a\xcb\x5a\x80\x6f\x25\x19\x7c\x29\xa6\xad\x5c\x10\xdb\x0a\x54\x6c\x3a\x50\x14\xab\x8c\x80\xb4\xf8\x59\x4c\x1b\x9d\x42\x46\x03", 68); syscall(SYS_ioctl, (intptr_t)r[0], 0xc4704434, 0x10000ac0); break; case 6: memcpy((void*)0x10000b40, "./file0\000", 8); syscall(SYS___realpathat, (intptr_t)r[0], 0x10000b40, 0x10000b80, 5, 0); break; case 7: *(uint32_t*)0x10000c00 = 0x1c; syscall(SYS_accept, (intptr_t)r[0], 0x10000bc0, 0x10000c00); break; case 8: *(uint32_t*)0x10000c40 = 5; *(uint32_t*)0x10000c44 = 2; syscall(SYS_ioctl, (intptr_t)r[0], 0xc0084427, 0x10000c40); break; case 9: memcpy((void*)0x10000c80, "./file0\000", 8); syscall(SYS_lchmod, 0x10000c80, 2); break; case 10: *(uint8_t*)0x10000000 = 0xaa; *(uint8_t*)0x10000001 = 0xaa; *(uint8_t*)0x10000002 = 0xaa; *(uint8_t*)0x10000003 = 0xaa; *(uint8_t*)0x10000004 = 0xaa; *(uint8_t*)0x10000005 = 0xaa; *(uint8_t*)0x10000006 = 0xaa; *(uint8_t*)0x10000007 = 0xaa; *(uint8_t*)0x10000008 = 0xaa; *(uint8_t*)0x10000009 = 0xaa; *(uint8_t*)0x1000000a = 0xaa; *(uint8_t*)0x1000000b = 0xaa; *(uint16_t*)0x1000000c = htobe16(0x88a8); STORE_BY_BITMASK(uint16_t, , 0x1000000e, 1, 0, 3); STORE_BY_BITMASK(uint16_t, , 0x1000000e, 0, 3, 1); STORE_BY_BITMASK(uint16_t, , 0x1000000e, 0, 4, 12); *(uint16_t*)0x10000010 = htobe16(0x8100); STORE_BY_BITMASK(uint16_t, , 0x10000012, 2, 0, 3); STORE_BY_BITMASK(uint16_t, , 0x10000012, 0, 3, 1); STORE_BY_BITMASK(uint16_t, , 0x10000012, 1, 4, 12); *(uint16_t*)0x10000014 = htobe16(0x800); STORE_BY_BITMASK(uint8_t, , 0x10000016, 0x11, 0, 4); STORE_BY_BITMASK(uint8_t, , 0x10000016, 4, 4, 4); STORE_BY_BITMASK(uint8_t, , 0x10000017, 2, 0, 2); STORE_BY_BITMASK(uint8_t, , 0x10000017, 3, 2, 6); *(uint16_t*)0x10000018 = htobe16(0xe7); *(uint16_t*)0x1000001a = htobe16(0x66); *(uint16_t*)0x1000001c = htobe16(-1); *(uint8_t*)0x1000001e = 0; *(uint8_t*)0x1000001f = 0x5d; *(uint16_t*)0x10000020 = htobe16(0); *(uint32_t*)0x10000022 = htobe32(-1); *(uint32_t*)0x10000026 = htobe32(0xe0000001); *(uint8_t*)0x1000002a = 0x44; *(uint8_t*)0x1000002b = 6; memcpy((void*)0x1000002c, "\x01\x83\xb4\xa4", 4); *(uint8_t*)0x10000030 = 1; *(uint8_t*)0x10000031 = 1; *(uint8_t*)0x10000032 = 0x11; memcpy((void*)0x10000033, "\xdb\x1f\x84\xf6\x85\xce\x60\xf9\x1e\x89\x36\x88\xe9\x64\xb3", 15); *(uint8_t*)0x10000042 = 0x94; *(uint8_t*)0x10000043 = 6; *(uint32_t*)0x10000044 = htobe32(0x552b3dec); *(uint8_t*)0x10000048 = 0; *(uint8_t*)0x10000049 = 0x86; *(uint8_t*)0x1000004a = 0xf; memcpy((void*)0x1000004b, "\xc4\x0a\x26\x2a\xb0\x8e\xcf\x14\x8a\x55\x2a\xaa\x89", 13); *(uint8_t*)0x1000005a = 8; *(uint8_t*)0x1000005b = 0; *(uint16_t*)0x1000005c = htobe16(0); *(uint16_t*)0x1000005e = htobe16(0x1f); *(uint16_t*)0x10000060 = htobe16(0xae36); memcpy((void*)0x10000062, "\x14\x63\xe3\x81\xbd\x0e\x99\xfd\x71\x4b\xe2\x89\x0e\x54\x54\x74\x95\xf8\x6c\xac\xd7\x30\x55\x37\x6f\x19\x20\x7b\xad\x31\xa1\x37\x34\xaa\xcb\xa2\x8e\x2e\xc2\x7c\x9e\x3e\x30\xca\xe3\x44\xd1\xd5\xdc\x20\x12\x1b\x30\x0a\x45\x03\xf9\xd4\xd6\xba\x08\x66\x1f\x05\x6e\xd2\x70\xce\xcb\x2b\xd7\x24\x49\x70\x0f\xb8\xcf\xb5\x44\xca\x92\xb4\xca\x73\xae\x6f\xb3\x5c\xbc\x90\xe4\x99\x37\x75\x7e\xa5\xa5\x4d\x78\xdb\xb0\xaa\xc5\xf9\x3a\x36\xc7\xb5\xad\xc9\x75\xcd\xb1\xeb\x94\x63\x06\x5c\xde\x07\x19\x23\xf7\xf8\x77\x17\x92\xe8\xb7\x54\x1e\x60\xf7\xa9\x39\x58\xbb\x12\x8b\x93\xce\x90\xd8\x87\xfc\xb0\x62\x23\x5b\xd3\x8a\xb0\xc6\x29\x9b", 155); struct csum_inet csum_1; csum_inet_init(&csum_1); csum_inet_update(&csum_1, (const uint8_t*)0x1000005a, 163); *(uint16_t*)0x1000005c = csum_inet_digest(&csum_1); struct csum_inet csum_2; csum_inet_init(&csum_2); csum_inet_update(&csum_2, (const uint8_t*)0x10000016, 68); *(uint16_t*)0x10000020 = csum_inet_digest(&csum_2); break; case 11: memcpy((void*)0x10000100, "\xc4\xe1\x8d\x71\xf2\x8b\x66\x0f\x38\x0b\x95\xf2\x00\x00\x00\x2e\x0f\x6b\x88\x00\x00\x00\x00\x66\x0f\x71\xf3\x06\x3e\x7a\x0d\xc4\xe2\x21\x46\xae\x00\x00\x00\x00\x0f\x01\xde\xc4\xe2\xa1\x93\x64\x8e\x00\xf2\xa7\x68\xa7\x5c\x70\xc8", 57); syz_execute_func(0x10000100); break; case 12: break; } } int main(void) { syscall(SYS_mmap, 0x10000000, 0x1000000, 7, 0x1012, -1, 0); use_temporary_dir(); do_sandbox_setuid(); return 0; } :441:11: error: use of undeclared identifier 'SYS___realpathat' syscall(SYS___realpathat, (intptr_t)r[0], 0x10000b40, 0x10000b80, 5, 0); ^ 1 error generated. compiler invocation: clang [-o /tmp/syz-executor478842099 -DGOOS_freebsd=1 -DGOARCH_386=1 -DHOSTGOOS_freebsd=1 -x c - -m32 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -static -lc++ -Wno-overflow] --- FAIL: TestGenerate/freebsd/386/13 (1.39s) csource_test.go:123: opts: {Threaded:true Collide:false Repeat:true RepeatTimes:0 Procs:0 Sandbox:none Fault:false FaultCall:0 FaultNth:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false USB:false VhciInjection:false Wifi:false UseTmpDir:true HandleSegv:false Repro:false Trace:true} program: ioctl$DIOCRTSTADDRS(0xffffffffffffffff, 0xc4504449, &(0x7f0000000080)={{"c33ae1d7ace1241b1c03eaefebf74db163915a0bf1b388f6c36d59c77891254f65b0c984fc2be1b080c3b8c3d5d42292e58ea3e02d3b74272f3656e00e4d131b3b07713fd9cb86b40808514f58bbf7d626ad55439d194e4acade743a7354457424539c29442e24022a9f68154fa633c3e609a5e371789177d16a8405b3a4703f49372a512ba8ee4a3851f79b01ab4a3f3cf65f410399a271347b2c68cd28c5f5904ef5d4612399dc9e8a0829ae73c99c50f0f576bf16d38efcbf66476b785431a5e93171168e0fbcdbd6d3cf1ba657ecf14ba60f6e8f18e0da4d7a13db337b7508b7b7de2ff1de6a7bb94e8b8143d4ad6188501d04302cde08629001bfca810e5533adeb14a0ee4c8d244694e091a5d177608a3850188eb6f839a7c626d3dc390bc9a0e9faa35c7d10229d14382e2031e8aa3f7cd066bb6bc0e8f6259d365502a85d13d71bd1ab5ef28a701925e23beb531ca1a93101a0db35a6e8d797d46f053d4562b0c3896cfb91669869f82259c073c4eb7b65afa62b0a37ff5ead5be57187a37ce3c5af9b37d50a89c28f8fed5953173f8df188ba31f5dfd3973e12edf11ae5917eb0657b3796f76784c03c1aa13a7b1a15ddf54ed277387f7ea4057b81b1126391d5d37ac2c878f68444613d8c942510e03ffe6b6813268f4b067c8793642023b5ca52a7fcbb7f96f675f87b82ddec5507168d1fd3b4c166cd5cd12d68a266f1b2eaee4159b990b9d62e88844752ee03ff4adc97a993618c0c856c0c2bfe4760389cef292861251120a1c36147f33f5a217ed56da6858721fc11aacc711cfa74e7d60cb1e27263995fc9c49dd3a37b34872acd3b31ef031cd39ea4e0ff2635f44e8b561cbcdf2095d3cee586d296985153644b802f69ea2e11fa1e71be713c49e8a7475f26eec3fad432cfeecaff2a84a91e3ad7cb6e2cea970fa3aa2861c5571958783dc339462f2b5235e8139e6f292f98ffaf46150b32dbd906b13ff5d6a45f4401f77971df4ecf24d7c9618b57f5d40a674b4b2d4c7da929b5a187c3bf773c882d48a3b90ac191f651bcc38ac462264e6dc4db77e8e8631e3aed0bd0d2c0b62baf69bd5ebdea1440256d7d5998dcb0c9bd7c3d191fd8254e82b92a3183601a8d5a98737f6631a7b3dd58fe77a557cfc7b5d00376db39ec531d396affab1d89135c3fe860d313a240e6582ef96d18781702eaba44036558294bd3f20650674928191ac8553697fd654475575fb16d4466190c14f686e6bca7ab1e919c37814bf6c1c9905106ff673f1a4f5969b0b8194f62b21f0fe4e8980b87d1962813029f7bc998c955de450f7a4b8efe45036e881bf9547269211ec700c23b26590120ecb904fa41acae742afe32c72404e1520a0eea2d02b0703efb2b0a495005083abb84a59f2055b70e0c39160ef59e034c68c4435f3e838ca2ffa3e343d6", "138ccaa45ad3df6da8a039dc2887ebe89dab7a81e1f6de3b8e1abca71f8fbc2a", 0x8, 0x40}, &(0x7f0000000000)="504164a018f8c2ab990fb138243a70bd1f9a5a21226eb18c830cd2aee4cfa0165754b334163230f4aac7a16f736d4efa94ea1f0266595ca44bfed993e0ae9226e10a4fb125bfc2ae29e2431c6972", 0x9, 0x2, 0x2, 0x6, 0x80000000, 0x81, 0x40, 0x5}) ioctl$DIOCRCLRTSTATS(0xffffffffffffffff, 0xc4504441, &(0x7f0000000540)={{"5a74125d9b2c6db6fa88cd72b2e4b45a4bb5343951f9de38b63392fff5edac8795d2beab5485383a33632bdbbf6f496ff138614dc9f9516e111cc5aa4570ca19d4497b89b258f65b710d4d3f4e1dafe43f70baf51da5e101069884b3b8f5358cf7e246d24cdc123b10ba6605ba46ae5178d1fe2c4b2c9fa3f3f3c145ae6066e31d33768591341acf8fad9033b9ced22813d20dc77eedce619c7bb65ba0a889e0fefb8281c0a88ee64a29746b6ff0e9d2db70e8180bdee380f08fb194dce295e1eaa893709be9bfe39775c4232328159ad9c3aa4224dd0cbe3341145b89f6f9c170e619f590b0bf0493b74973f4fba6b974f2bdee806b5c604cc8222b1543f6693a85d96b56b09110bb8928e8016dfd309b61c579a6c345887f50be646f182829b1ab66a27db812eb4cacba79bc9d98cb18310940f74a4602cb85692b42fe8a99c95ae91a67195c048d2000ae4350f89baffd5c7d292e228f25c7eb924fc8693ee38573287e389e35746fbaa37ab9b770b351e367bf05e00d7dbd68db30b87975757cb251365916cda5a363ff40d96aaf33233bb14115dab9efe4649e40f2e5e01db2d65a3043302d9f1f08595a448cccb7a717c6954c7233411d08e1140f2ac5fb625cd1b6b6586561e66ded23f69e3d017a64bd221f2d3f274d846940aab424e829050ee33dd6ce69cc50c693ad316a7f90817317b21f719016c31c22d9ca46cfcb467122979e8c55f690c49b89b04564ce70f96ebd09edb40687017be21c8f567d6b152bcc830736a9320181d88a979e506b50acb148545987b361023ca78bdde928624018aeae51e3f86c3b540b16051d3881a98d1aa02910c94460a0f95310c25bf7a996e41c17f2399e760323b4f417bfc5225d705468066faf9027404c4271fc37ecf73f1470a998274a79286baed6ca7c4a88c827e96b4ea96f0bf23ff9afaded0937704cc63d24b3bcf0d62551d7a8f300114437c624d2c14e90d084aefe7963a2a88882eda723c328c360a296f98ea7fd565a4b58222c1b4e89dabc7078fff6f23ceebcedb8813d3712d3c7f7f6f083fbb19e724a2027f16f1c8e2f660112421ba698699a0481330c0baca6b7b8e4515006178e1b078b6ca6306b9aedf73f0ce22da0a0637929ab2a917cf65300bf90f2378ab6494a04bcf87b9afb7eb746fb016cb6db0ba3faa85ca8f51b7e9bd8a9cd9c79fb77730f0eaf32be459cde898e323a9ed52951f8cbb25ed095b4d53c02bbef1e646dd556a9b69e2dd55f5bba3c7e3548bd01227f2b4d28f2597e4cb2f48232fa0a9adad4db26d412f2c698f03195a68d5548ea1991fa68a7a23d552cd61b2bc69513b1cf737c252fb9aac500262c9e47b9a680c74c7a060083d59165386982b5053f5683537ba139d61f494ac501142300efbc216cf4b9390de0ab29400bcdf5dea05156c1301df3f0", "21c62cdf3e9152798235fbe946d77dc7a78f8ed9d987a3e5964236d1a7081389", 0x7, 0x85}, &(0x7f0000000500)="52b4622b0f6dc8eee7e26956deb6651f580fa2cd", 0x9, 0x3f, 0x401, 0x7fffffff, 0x10000000000, 0xfff, 0x100000000000000, 0x1}) syz_emit_ethernet(0x9d, &(0x7f00000009c0)={@random="5374adcfed27", @empty, [], {@ipv6={0x86dd, {0x9, 0x6, "d88240", 0x67, 0x8b, 0x0, @empty, @loopback, {[], @generic="f4b4cf43a7aef20c31e14bee9247103031ea180ffe1999bfb047b666122e7a31f3bbb765984dd66d0048dd884c5046769fda23d1698a23839cf3afbf15305873bb5343f5d2c95230a99726afd87dcdcda40de7adeac5954ec93c0c6c3d669177e7f932bd8d9833"}}}}}) setsockopt$inet_sctp_SCTP_FRAGMENT_INTERLEAVE(0xffffffffffffff9c, 0x84, 0x10, &(0x7f0000000a80), 0x4) r0 = fcntl$dupfd(0xffffffffffffff9c, 0x11, 0xffffffffffffff9c) ioctl$DIOCADDADDR(r0, 0xc4704434, &(0x7f0000000ac0)="50e16a4f1711c681ab660d59a3d967a097bb87f063f4c49ba1a443373d02dee51448a79f1acb5a806f25197c29a6ad5c10db0a546c3a5014ab8c80b4f8594c1b9d424603") __realpathat(r0, &(0x7f0000000b40)='./file0\x00', &(0x7f0000000b80)=""/5, 0x5, 0x0) accept(r0, &(0x7f0000000bc0)=@in6={0x1c, 0x1c, 0xffffffffffffffff, 0x0, @loopback}, &(0x7f0000000c00)=0x1c) ioctl$DIOCGETLIMIT(r0, 0xc0084427, &(0x7f0000000c40)={0x5, 0x2}) lchmod(&(0x7f0000000c80)='./file0\x00', 0x2) syz_emit_ethernet(0xfd, &(0x7f0000000000)={@local, @local, [{[{0x88a8, 0x1}], {0x8100, 0x2, 0x0, 0x1}}], {@ipv4={0x800, {{0x11, 0x4, 0x2, 0x3, 0xe7, 0x66, 0xffff, 0x0, 0x5d, 0x0, @broadcast, @multicast1, {[@generic={0x44, 0x6, "0183b4a4"}, @noop, @generic={0x1, 0x11, "db1f84f685ce60f91e893688e964b3"}, @ra={0x94, 0x6, 0x552b3dec}, @end, @generic={0x86, 0xf, "c40a262ab08ecf148a552aaa89"}]}}, @icmp=@echo={0x8, 0x0, 0x0, 0x1f, 0xae36, "1463e381bd0e99fd714be2890e54547495f86cacd73055376f19207bad31a13734aacba28e2ec27c9e3e30cae344d1d5dc20121b300a4503f9d4d6ba08661f056ed270cecb2bd72449700fb8cfb544ca92b4ca73ae6fb35cbc90e49937757ea5a54d78dbb0aac5f93a36c7b5adc975cdb1eb9463065cde071923f7f8771792e8b7541e60f7a93958bb128b93ce90d887fcb062235bd38ab0c6299b"}}}}}) syz_execute_func(&(0x7f0000000100)="c4e18d71f28b660f380b95f20000002e0f6b8800000000660f71f3063e7a0dc4e22146ae000000000f01dec4e2a193648e00f2a768a75c70c8") syz_extract_tcp_res(&(0x7f0000000140), 0x62, 0x8001) csource_test.go:124: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include static void kill_and_wait(int pid, int* status) { kill(pid, SIGKILL); while (waitpid(-1, status, 0) != pid) { } } static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void use_temporary_dir(void) { char tmpdir_template[] = "./syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) exit(1); if (chmod(tmpdir, 0777)) exit(1); if (chdir(tmpdir)) exit(1); } static void __attribute__((noinline)) remove_dir(const char* dir) { DIR* dp = opendir(dir); if (dp == NULL) { if (errno == EACCES) { if (rmdir(dir)) exit(1); return; } exit(1); } struct dirent* ep = 0; while ((ep = readdir(dp))) { if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0) continue; char filename[FILENAME_MAX]; snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name); struct stat st; if (lstat(filename, &st)) exit(1); if (S_ISDIR(st.st_mode)) { remove_dir(filename); continue; } if (unlink(filename)) exit(1); } closedir(dp); if (rmdir(dir)) exit(1); } static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); pthread_attr_setstacksize(&attr, 128 << 10); int i = 0; for (; i < 100; i++) { if (pthread_create(&th, &attr, fn, arg) == 0) { pthread_attr_destroy(&attr); return; } if (errno == EAGAIN) { usleep(50); continue; } break; } exit(1); } typedef struct { pthread_mutex_t mu; pthread_cond_t cv; int state; } event_t; static void event_init(event_t* ev) { if (pthread_mutex_init(&ev->mu, 0)) exit(1); if (pthread_cond_init(&ev->cv, 0)) exit(1); ev->state = 0; } static void event_reset(event_t* ev) { ev->state = 0; } static void event_set(event_t* ev) { pthread_mutex_lock(&ev->mu); if (ev->state) exit(1); ev->state = 1; pthread_mutex_unlock(&ev->mu); pthread_cond_broadcast(&ev->cv); } static void event_wait(event_t* ev) { pthread_mutex_lock(&ev->mu); while (!ev->state) pthread_cond_wait(&ev->cv, &ev->mu); pthread_mutex_unlock(&ev->mu); } static int event_isset(event_t* ev) { pthread_mutex_lock(&ev->mu); int res = ev->state; pthread_mutex_unlock(&ev->mu); return res; } static int event_timedwait(event_t* ev, uint64_t timeout) { uint64_t start = current_time_ms(); uint64_t now = start; pthread_mutex_lock(&ev->mu); for (;;) { if (ev->state) break; uint64_t remain = timeout - (now - start); struct timespec ts; ts.tv_sec = remain / 1000; ts.tv_nsec = (remain % 1000) * 1000 * 1000; pthread_cond_timedwait(&ev->cv, &ev->mu, &ts); now = current_time_ms(); if (now - start > timeout) break; } int res = ev->state; pthread_mutex_unlock(&ev->mu); return res; } #define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off)) #define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len)))) struct csum_inet { uint32_t acc; }; static void csum_inet_init(struct csum_inet* csum) { csum->acc = 0; } static void csum_inet_update(struct csum_inet* csum, const uint8_t* data, size_t length) { if (length == 0) return; size_t i = 0; for (; i < length - 1; i += 2) csum->acc += *(uint16_t*)&data[i]; if (length & 1) csum->acc += le16toh((uint16_t)data[length - 1]); while (csum->acc > 0xffff) csum->acc = (csum->acc & 0xffff) + (csum->acc >> 16); } static uint16_t csum_inet_digest(struct csum_inet* csum) { return ~csum->acc; } static void sandbox_common() { if (setsid() == -1) exit(1); struct rlimit rlim; rlim.rlim_cur = rlim.rlim_max = 128 << 20; setrlimit(RLIMIT_AS, &rlim); rlim.rlim_cur = rlim.rlim_max = 8 << 20; setrlimit(RLIMIT_MEMLOCK, &rlim); rlim.rlim_cur = rlim.rlim_max = 1 << 20; setrlimit(RLIMIT_FSIZE, &rlim); rlim.rlim_cur = rlim.rlim_max = 1 << 20; setrlimit(RLIMIT_STACK, &rlim); rlim.rlim_cur = rlim.rlim_max = 0; setrlimit(RLIMIT_CORE, &rlim); rlim.rlim_cur = rlim.rlim_max = 256; setrlimit(RLIMIT_NOFILE, &rlim); } static void loop(); static int do_sandbox_none(void) { sandbox_common(); loop(); return 0; } static long syz_execute_func(volatile long text) { ((void (*)(void))(text))(); return 0; } struct thread_t { int created, call; event_t ready, done; }; static struct thread_t threads[16]; static void execute_call(int call); static int running; static void* thr(void* arg) { struct thread_t* th = (struct thread_t*)arg; for (;;) { event_wait(&th->ready); event_reset(&th->ready); execute_call(th->call); __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED); event_set(&th->done); } return 0; } static void execute_one(void) { fprintf(stderr, "### start\n"); int i, call, thread; for (call = 0; call < 13; call++) { for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) { struct thread_t* th = &threads[thread]; if (!th->created) { th->created = 1; event_init(&th->ready); event_init(&th->done); event_set(&th->done); thread_start(thr, th); } if (!event_isset(&th->done)) continue; event_reset(&th->done); th->call = call; __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED); event_set(&th->ready); event_timedwait(&th->done, 45); break; } } for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++) sleep_ms(1); } static void execute_one(void); #define WAIT_FLAGS 0 static void loop(void) { int iter = 0; for (;; iter++) { char cwdbuf[32]; sprintf(cwdbuf, "./%d", iter); if (mkdir(cwdbuf, 0777)) exit(1); int pid = fork(); if (pid < 0) exit(1); if (pid == 0) { if (chdir(cwdbuf)) exit(1); execute_one(); exit(0); } int status = 0; uint64_t start = current_time_ms(); for (;;) { if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) break; sleep_ms(1); if (current_time_ms() - start < 5 * 1000) continue; kill_and_wait(pid, &status); break; } remove_dir(cwdbuf); } } uint64_t r[1] = {0xffffffffffffffff}; void execute_call(int call) { intptr_t res = 0; switch (call) { case 0: memcpy((void*)0x10000080, "\xc3\x3a\xe1\xd7\xac\xe1\x24\x1b\x1c\x03\xea\xef\xeb\xf7\x4d\xb1\x63\x91\x5a\x0b\xf1\xb3\x88\xf6\xc3\x6d\x59\xc7\x78\x91\x25\x4f\x65\xb0\xc9\x84\xfc\x2b\xe1\xb0\x80\xc3\xb8\xc3\xd5\xd4\x22\x92\xe5\x8e\xa3\xe0\x2d\x3b\x74\x27\x2f\x36\x56\xe0\x0e\x4d\x13\x1b\x3b\x07\x71\x3f\xd9\xcb\x86\xb4\x08\x08\x51\x4f\x58\xbb\xf7\xd6\x26\xad\x55\x43\x9d\x19\x4e\x4a\xca\xde\x74\x3a\x73\x54\x45\x74\x24\x53\x9c\x29\x44\x2e\x24\x02\x2a\x9f\x68\x15\x4f\xa6\x33\xc3\xe6\x09\xa5\xe3\x71\x78\x91\x77\xd1\x6a\x84\x05\xb3\xa4\x70\x3f\x49\x37\x2a\x51\x2b\xa8\xee\x4a\x38\x51\xf7\x9b\x01\xab\x4a\x3f\x3c\xf6\x5f\x41\x03\x99\xa2\x71\x34\x7b\x2c\x68\xcd\x28\xc5\xf5\x90\x4e\xf5\xd4\x61\x23\x99\xdc\x9e\x8a\x08\x29\xae\x73\xc9\x9c\x50\xf0\xf5\x76\xbf\x16\xd3\x8e\xfc\xbf\x66\x47\x6b\x78\x54\x31\xa5\xe9\x31\x71\x16\x8e\x0f\xbc\xdb\xd6\xd3\xcf\x1b\xa6\x57\xec\xf1\x4b\xa6\x0f\x6e\x8f\x18\xe0\xda\x4d\x7a\x13\xdb\x33\x7b\x75\x08\xb7\xb7\xde\x2f\xf1\xde\x6a\x7b\xb9\x4e\x8b\x81\x43\xd4\xad\x61\x88\x50\x1d\x04\x30\x2c\xde\x08\x62\x90\x01\xbf\xca\x81\x0e\x55\x33\xad\xeb\x14\xa0\xee\x4c\x8d\x24\x46\x94\xe0\x91\xa5\xd1\x77\x60\x8a\x38\x50\x18\x8e\xb6\xf8\x39\xa7\xc6\x26\xd3\xdc\x39\x0b\xc9\xa0\xe9\xfa\xa3\x5c\x7d\x10\x22\x9d\x14\x38\x2e\x20\x31\xe8\xaa\x3f\x7c\xd0\x66\xbb\x6b\xc0\xe8\xf6\x25\x9d\x36\x55\x02\xa8\x5d\x13\xd7\x1b\xd1\xab\x5e\xf2\x8a\x70\x19\x25\xe2\x3b\xeb\x53\x1c\xa1\xa9\x31\x01\xa0\xdb\x35\xa6\xe8\xd7\x97\xd4\x6f\x05\x3d\x45\x62\xb0\xc3\x89\x6c\xfb\x91\x66\x98\x69\xf8\x22\x59\xc0\x73\xc4\xeb\x7b\x65\xaf\xa6\x2b\x0a\x37\xff\x5e\xad\x5b\xe5\x71\x87\xa3\x7c\xe3\xc5\xaf\x9b\x37\xd5\x0a\x89\xc2\x8f\x8f\xed\x59\x53\x17\x3f\x8d\xf1\x88\xba\x31\xf5\xdf\xd3\x97\x3e\x12\xed\xf1\x1a\xe5\x91\x7e\xb0\x65\x7b\x37\x96\xf7\x67\x84\xc0\x3c\x1a\xa1\x3a\x7b\x1a\x15\xdd\xf5\x4e\xd2\x77\x38\x7f\x7e\xa4\x05\x7b\x81\xb1\x12\x63\x91\xd5\xd3\x7a\xc2\xc8\x78\xf6\x84\x44\x61\x3d\x8c\x94\x25\x10\xe0\x3f\xfe\x6b\x68\x13\x26\x8f\x4b\x06\x7c\x87\x93\x64\x20\x23\xb5\xca\x52\xa7\xfc\xbb\x7f\x96\xf6\x75\xf8\x7b\x82\xdd\xec\x55\x07\x16\x8d\x1f\xd3\xb4\xc1\x66\xcd\x5c\xd1\x2d\x68\xa2\x66\xf1\xb2\xea\xee\x41\x59\xb9\x90\xb9\xd6\x2e\x88\x84\x47\x52\xee\x03\xff\x4a\xdc\x97\xa9\x93\x61\x8c\x0c\x85\x6c\x0c\x2b\xfe\x47\x60\x38\x9c\xef\x29\x28\x61\x25\x11\x20\xa1\xc3\x61\x47\xf3\x3f\x5a\x21\x7e\xd5\x6d\xa6\x85\x87\x21\xfc\x11\xaa\xcc\x71\x1c\xfa\x74\xe7\xd6\x0c\xb1\xe2\x72\x63\x99\x5f\xc9\xc4\x9d\xd3\xa3\x7b\x34\x87\x2a\xcd\x3b\x31\xef\x03\x1c\xd3\x9e\xa4\xe0\xff\x26\x35\xf4\x4e\x8b\x56\x1c\xbc\xdf\x20\x95\xd3\xce\xe5\x86\xd2\x96\x98\x51\x53\x64\x4b\x80\x2f\x69\xea\x2e\x11\xfa\x1e\x71\xbe\x71\x3c\x49\xe8\xa7\x47\x5f\x26\xee\xc3\xfa\xd4\x32\xcf\xee\xca\xff\x2a\x84\xa9\x1e\x3a\xd7\xcb\x6e\x2c\xea\x97\x0f\xa3\xaa\x28\x61\xc5\x57\x19\x58\x78\x3d\xc3\x39\x46\x2f\x2b\x52\x35\xe8\x13\x9e\x6f\x29\x2f\x98\xff\xaf\x46\x15\x0b\x32\xdb\xd9\x06\xb1\x3f\xf5\xd6\xa4\x5f\x44\x01\xf7\x79\x71\xdf\x4e\xcf\x24\xd7\xc9\x61\x8b\x57\xf5\xd4\x0a\x67\x4b\x4b\x2d\x4c\x7d\xa9\x29\xb5\xa1\x87\xc3\xbf\x77\x3c\x88\x2d\x48\xa3\xb9\x0a\xc1\x91\xf6\x51\xbc\xc3\x8a\xc4\x62\x26\x4e\x6d\xc4\xdb\x77\xe8\xe8\x63\x1e\x3a\xed\x0b\xd0\xd2\xc0\xb6\x2b\xaf\x69\xbd\x5e\xbd\xea\x14\x40\x25\x6d\x7d\x59\x98\xdc\xb0\xc9\xbd\x7c\x3d\x19\x1f\xd8\x25\x4e\x82\xb9\x2a\x31\x83\x60\x1a\x8d\x5a\x98\x73\x7f\x66\x31\xa7\xb3\xdd\x58\xfe\x77\xa5\x57\xcf\xc7\xb5\xd0\x03\x76\xdb\x39\xec\x53\x1d\x39\x6a\xff\xab\x1d\x89\x13\x5c\x3f\xe8\x60\xd3\x13\xa2\x40\xe6\x58\x2e\xf9\x6d\x18\x78\x17\x02\xea\xba\x44\x03\x65\x58\x29\x4b\xd3\xf2\x06\x50\x67\x49\x28\x19\x1a\xc8\x55\x36\x97\xfd\x65\x44\x75\x57\x5f\xb1\x6d\x44\x66\x19\x0c\x14\xf6\x86\xe6\xbc\xa7\xab\x1e\x91\x9c\x37\x81\x4b\xf6\xc1\xc9\x90\x51\x06\xff\x67\x3f\x1a\x4f\x59\x69\xb0\xb8\x19\x4f\x62\xb2\x1f\x0f\xe4\xe8\x98\x0b\x87\xd1\x96\x28\x13\x02\x9f\x7b\xc9\x98\xc9\x55\xde\x45\x0f\x7a\x4b\x8e\xfe\x45\x03\x6e\x88\x1b\xf9\x54\x72\x69\x21\x1e\xc7\x00\xc2\x3b\x26\x59\x01\x20\xec\xb9\x04\xfa\x41\xac\xae\x74\x2a\xfe\x32\xc7\x24\x04\xe1\x52\x0a\x0e\xea\x2d\x02\xb0\x70\x3e\xfb\x2b\x0a\x49\x50\x05\x08\x3a\xbb\x84\xa5\x9f\x20\x55\xb7\x0e\x0c\x39\x16\x0e\xf5\x9e\x03\x4c\x68\xc4\x43\x5f\x3e\x83\x8c\xa2\xff\xa3\xe3\x43\xd6", 1024); memcpy((void*)0x10000480, "\x13\x8c\xca\xa4\x5a\xd3\xdf\x6d\xa8\xa0\x39\xdc\x28\x87\xeb\xe8\x9d\xab\x7a\x81\xe1\xf6\xde\x3b\x8e\x1a\xbc\xa7\x1f\x8f\xbc\x2a", 32); *(uint32_t*)0x100004a0 = 8; *(uint8_t*)0x100004a4 = 0x40; *(uint32_t*)0x100004a8 = 0x10000000; memcpy((void*)0x10000000, "\x50\x41\x64\xa0\x18\xf8\xc2\xab\x99\x0f\xb1\x38\x24\x3a\x70\xbd\x1f\x9a\x5a\x21\x22\x6e\xb1\x8c\x83\x0c\xd2\xae\xe4\xcf\xa0\x16\x57\x54\xb3\x34\x16\x32\x30\xf4\xaa\xc7\xa1\x6f\x73\x6d\x4e\xfa\x94\xea\x1f\x02\x66\x59\x5c\xa4\x4b\xfe\xd9\x93\xe0\xae\x92\x26\xe1\x0a\x4f\xb1\x25\xbf\xc2\xae\x29\xe2\x43\x1c\x69\x72", 78); *(uint64_t*)0x100004ac = 9; *(uint64_t*)0x100004b4 = 2; *(uint64_t*)0x100004bc = 2; *(uint64_t*)0x100004c4 = 6; *(uint64_t*)0x100004cc = 0x80000000; *(uint64_t*)0x100004d4 = 0x81; *(uint64_t*)0x100004dc = 0x40; *(uint32_t*)0x100004e4 = 5; res = syscall(SYS_ioctl, -1, 0xc4504449, 0x10000080); fprintf(stderr, "### call=0 errno=%u\n", res == -1 ? errno : 0); break; case 1: memcpy((void*)0x10000540, "\x5a\x74\x12\x5d\x9b\x2c\x6d\xb6\xfa\x88\xcd\x72\xb2\xe4\xb4\x5a\x4b\xb5\x34\x39\x51\xf9\xde\x38\xb6\x33\x92\xff\xf5\xed\xac\x87\x95\xd2\xbe\xab\x54\x85\x38\x3a\x33\x63\x2b\xdb\xbf\x6f\x49\x6f\xf1\x38\x61\x4d\xc9\xf9\x51\x6e\x11\x1c\xc5\xaa\x45\x70\xca\x19\xd4\x49\x7b\x89\xb2\x58\xf6\x5b\x71\x0d\x4d\x3f\x4e\x1d\xaf\xe4\x3f\x70\xba\xf5\x1d\xa5\xe1\x01\x06\x98\x84\xb3\xb8\xf5\x35\x8c\xf7\xe2\x46\xd2\x4c\xdc\x12\x3b\x10\xba\x66\x05\xba\x46\xae\x51\x78\xd1\xfe\x2c\x4b\x2c\x9f\xa3\xf3\xf3\xc1\x45\xae\x60\x66\xe3\x1d\x33\x76\x85\x91\x34\x1a\xcf\x8f\xad\x90\x33\xb9\xce\xd2\x28\x13\xd2\x0d\xc7\x7e\xed\xce\x61\x9c\x7b\xb6\x5b\xa0\xa8\x89\xe0\xfe\xfb\x82\x81\xc0\xa8\x8e\xe6\x4a\x29\x74\x6b\x6f\xf0\xe9\xd2\xdb\x70\xe8\x18\x0b\xde\xe3\x80\xf0\x8f\xb1\x94\xdc\xe2\x95\xe1\xea\xa8\x93\x70\x9b\xe9\xbf\xe3\x97\x75\xc4\x23\x23\x28\x15\x9a\xd9\xc3\xaa\x42\x24\xdd\x0c\xbe\x33\x41\x14\x5b\x89\xf6\xf9\xc1\x70\xe6\x19\xf5\x90\xb0\xbf\x04\x93\xb7\x49\x73\xf4\xfb\xa6\xb9\x74\xf2\xbd\xee\x80\x6b\x5c\x60\x4c\xc8\x22\x2b\x15\x43\xf6\x69\x3a\x85\xd9\x6b\x56\xb0\x91\x10\xbb\x89\x28\xe8\x01\x6d\xfd\x30\x9b\x61\xc5\x79\xa6\xc3\x45\x88\x7f\x50\xbe\x64\x6f\x18\x28\x29\xb1\xab\x66\xa2\x7d\xb8\x12\xeb\x4c\xac\xba\x79\xbc\x9d\x98\xcb\x18\x31\x09\x40\xf7\x4a\x46\x02\xcb\x85\x69\x2b\x42\xfe\x8a\x99\xc9\x5a\xe9\x1a\x67\x19\x5c\x04\x8d\x20\x00\xae\x43\x50\xf8\x9b\xaf\xfd\x5c\x7d\x29\x2e\x22\x8f\x25\xc7\xeb\x92\x4f\xc8\x69\x3e\xe3\x85\x73\x28\x7e\x38\x9e\x35\x74\x6f\xba\xa3\x7a\xb9\xb7\x70\xb3\x51\xe3\x67\xbf\x05\xe0\x0d\x7d\xbd\x68\xdb\x30\xb8\x79\x75\x75\x7c\xb2\x51\x36\x59\x16\xcd\xa5\xa3\x63\xff\x40\xd9\x6a\xaf\x33\x23\x3b\xb1\x41\x15\xda\xb9\xef\xe4\x64\x9e\x40\xf2\xe5\xe0\x1d\xb2\xd6\x5a\x30\x43\x30\x2d\x9f\x1f\x08\x59\x5a\x44\x8c\xcc\xb7\xa7\x17\xc6\x95\x4c\x72\x33\x41\x1d\x08\xe1\x14\x0f\x2a\xc5\xfb\x62\x5c\xd1\xb6\xb6\x58\x65\x61\xe6\x6d\xed\x23\xf6\x9e\x3d\x01\x7a\x64\xbd\x22\x1f\x2d\x3f\x27\x4d\x84\x69\x40\xaa\xb4\x24\xe8\x29\x05\x0e\xe3\x3d\xd6\xce\x69\xcc\x50\xc6\x93\xad\x31\x6a\x7f\x90\x81\x73\x17\xb2\x1f\x71\x90\x16\xc3\x1c\x22\xd9\xca\x46\xcf\xcb\x46\x71\x22\x97\x9e\x8c\x55\xf6\x90\xc4\x9b\x89\xb0\x45\x64\xce\x70\xf9\x6e\xbd\x09\xed\xb4\x06\x87\x01\x7b\xe2\x1c\x8f\x56\x7d\x6b\x15\x2b\xcc\x83\x07\x36\xa9\x32\x01\x81\xd8\x8a\x97\x9e\x50\x6b\x50\xac\xb1\x48\x54\x59\x87\xb3\x61\x02\x3c\xa7\x8b\xdd\xe9\x28\x62\x40\x18\xae\xae\x51\xe3\xf8\x6c\x3b\x54\x0b\x16\x05\x1d\x38\x81\xa9\x8d\x1a\xa0\x29\x10\xc9\x44\x60\xa0\xf9\x53\x10\xc2\x5b\xf7\xa9\x96\xe4\x1c\x17\xf2\x39\x9e\x76\x03\x23\xb4\xf4\x17\xbf\xc5\x22\x5d\x70\x54\x68\x06\x6f\xaf\x90\x27\x40\x4c\x42\x71\xfc\x37\xec\xf7\x3f\x14\x70\xa9\x98\x27\x4a\x79\x28\x6b\xae\xd6\xca\x7c\x4a\x88\xc8\x27\xe9\x6b\x4e\xa9\x6f\x0b\xf2\x3f\xf9\xaf\xad\xed\x09\x37\x70\x4c\xc6\x3d\x24\xb3\xbc\xf0\xd6\x25\x51\xd7\xa8\xf3\x00\x11\x44\x37\xc6\x24\xd2\xc1\x4e\x90\xd0\x84\xae\xfe\x79\x63\xa2\xa8\x88\x82\xed\xa7\x23\xc3\x28\xc3\x60\xa2\x96\xf9\x8e\xa7\xfd\x56\x5a\x4b\x58\x22\x2c\x1b\x4e\x89\xda\xbc\x70\x78\xff\xf6\xf2\x3c\xee\xbc\xed\xb8\x81\x3d\x37\x12\xd3\xc7\xf7\xf6\xf0\x83\xfb\xb1\x9e\x72\x4a\x20\x27\xf1\x6f\x1c\x8e\x2f\x66\x01\x12\x42\x1b\xa6\x98\x69\x9a\x04\x81\x33\x0c\x0b\xac\xa6\xb7\xb8\xe4\x51\x50\x06\x17\x8e\x1b\x07\x8b\x6c\xa6\x30\x6b\x9a\xed\xf7\x3f\x0c\xe2\x2d\xa0\xa0\x63\x79\x29\xab\x2a\x91\x7c\xf6\x53\x00\xbf\x90\xf2\x37\x8a\xb6\x49\x4a\x04\xbc\xf8\x7b\x9a\xfb\x7e\xb7\x46\xfb\x01\x6c\xb6\xdb\x0b\xa3\xfa\xa8\x5c\xa8\xf5\x1b\x7e\x9b\xd8\xa9\xcd\x9c\x79\xfb\x77\x73\x0f\x0e\xaf\x32\xbe\x45\x9c\xde\x89\x8e\x32\x3a\x9e\xd5\x29\x51\xf8\xcb\xb2\x5e\xd0\x95\xb4\xd5\x3c\x02\xbb\xef\x1e\x64\x6d\xd5\x56\xa9\xb6\x9e\x2d\xd5\x5f\x5b\xba\x3c\x7e\x35\x48\xbd\x01\x22\x7f\x2b\x4d\x28\xf2\x59\x7e\x4c\xb2\xf4\x82\x32\xfa\x0a\x9a\xda\xd4\xdb\x26\xd4\x12\xf2\xc6\x98\xf0\x31\x95\xa6\x8d\x55\x48\xea\x19\x91\xfa\x68\xa7\xa2\x3d\x55\x2c\xd6\x1b\x2b\xc6\x95\x13\xb1\xcf\x73\x7c\x25\x2f\xb9\xaa\xc5\x00\x26\x2c\x9e\x47\xb9\xa6\x80\xc7\x4c\x7a\x06\x00\x83\xd5\x91\x65\x38\x69\x82\xb5\x05\x3f\x56\x83\x53\x7b\xa1\x39\xd6\x1f\x49\x4a\xc5\x01\x14\x23\x00\xef\xbc\x21\x6c\xf4\xb9\x39\x0d\xe0\xab\x29\x40\x0b\xcd\xf5\xde\xa0\x51\x56\xc1\x30\x1d\xf3\xf0", 1024); memcpy((void*)0x10000940, "\x21\xc6\x2c\xdf\x3e\x91\x52\x79\x82\x35\xfb\xe9\x46\xd7\x7d\xc7\xa7\x8f\x8e\xd9\xd9\x87\xa3\xe5\x96\x42\x36\xd1\xa7\x08\x13\x89", 32); *(uint32_t*)0x10000960 = 7; *(uint8_t*)0x10000964 = 0x85; *(uint32_t*)0x10000968 = 0x10000500; memcpy((void*)0x10000500, "\x52\xb4\x62\x2b\x0f\x6d\xc8\xee\xe7\xe2\x69\x56\xde\xb6\x65\x1f\x58\x0f\xa2\xcd", 20); *(uint64_t*)0x1000096c = 9; *(uint64_t*)0x10000974 = 0x3f; *(uint64_t*)0x1000097c = 0x401; *(uint64_t*)0x10000984 = 0x7fffffff; *(uint64_t*)0x1000098c = 0x10000000000; *(uint64_t*)0x10000994 = 0xfff; *(uint64_t*)0x1000099c = 0x100000000000000; *(uint32_t*)0x100009a4 = 1; res = syscall(SYS_ioctl, -1, 0xc4504441, 0x10000540); fprintf(stderr, "### call=1 errno=%u\n", res == -1 ? errno : 0); break; case 2: memcpy((void*)0x100009c0, "\x53\x74\xad\xcf\xed\x27", 6); *(uint8_t*)0x100009c6 = 0; *(uint8_t*)0x100009c7 = 0; *(uint8_t*)0x100009c8 = 0; *(uint8_t*)0x100009c9 = 0; *(uint8_t*)0x100009ca = 0; *(uint8_t*)0x100009cb = 0; *(uint16_t*)0x100009cc = htobe16(0x86dd); STORE_BY_BITMASK(uint8_t, , 0x100009ce, 9, 0, 4); STORE_BY_BITMASK(uint8_t, , 0x100009ce, 6, 4, 4); memcpy((void*)0x100009cf, "\xd8\x82\x40", 3); *(uint16_t*)0x100009d2 = htobe16(0x67); *(uint8_t*)0x100009d4 = 0x8b; *(uint8_t*)0x100009d5 = 0; *(uint8_t*)0x100009d6 = 0; *(uint8_t*)0x100009d7 = 0; *(uint8_t*)0x100009d8 = 0; *(uint8_t*)0x100009d9 = 0; *(uint8_t*)0x100009da = 0; *(uint8_t*)0x100009db = 0; *(uint8_t*)0x100009dc = 0; *(uint8_t*)0x100009dd = 0; *(uint8_t*)0x100009de = 0; *(uint8_t*)0x100009df = 0; *(uint8_t*)0x100009e0 = 0; *(uint8_t*)0x100009e1 = 0; *(uint8_t*)0x100009e2 = 0; *(uint8_t*)0x100009e3 = 0; *(uint8_t*)0x100009e4 = 0; *(uint8_t*)0x100009e5 = 0; *(uint64_t*)0x100009e6 = htobe64(0); *(uint64_t*)0x100009ee = htobe64(1); memcpy((void*)0x100009f6, "\xf4\xb4\xcf\x43\xa7\xae\xf2\x0c\x31\xe1\x4b\xee\x92\x47\x10\x30\x31\xea\x18\x0f\xfe\x19\x99\xbf\xb0\x47\xb6\x66\x12\x2e\x7a\x31\xf3\xbb\xb7\x65\x98\x4d\xd6\x6d\x00\x48\xdd\x88\x4c\x50\x46\x76\x9f\xda\x23\xd1\x69\x8a\x23\x83\x9c\xf3\xaf\xbf\x15\x30\x58\x73\xbb\x53\x43\xf5\xd2\xc9\x52\x30\xa9\x97\x26\xaf\xd8\x7d\xcd\xcd\xa4\x0d\xe7\xad\xea\xc5\x95\x4e\xc9\x3c\x0c\x6c\x3d\x66\x91\x77\xe7\xf9\x32\xbd\x8d\x98\x33", 103); (void)res; break; case 3: *(uint32_t*)0x10000a80 = 0; res = syscall(SYS_setsockopt, 0xffffff9c, 0x84, 0x10, 0x10000a80, 4); fprintf(stderr, "### call=3 errno=%u\n", res == -1 ? errno : 0); break; case 4: res = syscall(SYS_fcntl, 0xffffff9c, 0x11, 0xffffff9c); fprintf(stderr, "### call=4 errno=%u\n", res == -1 ? errno : 0); if (res != -1) r[0] = res; break; case 5: memcpy((void*)0x10000ac0, "\x50\xe1\x6a\x4f\x17\x11\xc6\x81\xab\x66\x0d\x59\xa3\xd9\x67\xa0\x97\xbb\x87\xf0\x63\xf4\xc4\x9b\xa1\xa4\x43\x37\x3d\x02\xde\xe5\x14\x48\xa7\x9f\x1a\xcb\x5a\x80\x6f\x25\x19\x7c\x29\xa6\xad\x5c\x10\xdb\x0a\x54\x6c\x3a\x50\x14\xab\x8c\x80\xb4\xf8\x59\x4c\x1b\x9d\x42\x46\x03", 68); res = syscall(SYS_ioctl, (intptr_t)r[0], 0xc4704434, 0x10000ac0); fprintf(stderr, "### call=5 errno=%u\n", res == -1 ? errno : 0); break; case 6: memcpy((void*)0x10000b40, "./file0\000", 8); res = syscall(SYS___realpathat, (intptr_t)r[0], 0x10000b40, 0x10000b80, 5, 0); fprintf(stderr, "### call=6 errno=%u\n", res == -1 ? errno : 0); break; case 7: *(uint32_t*)0x10000c00 = 0x1c; res = syscall(SYS_accept, (intptr_t)r[0], 0x10000bc0, 0x10000c00); fprintf(stderr, "### call=7 errno=%u\n", res == -1 ? errno : 0); break; case 8: *(uint32_t*)0x10000c40 = 5; *(uint32_t*)0x10000c44 = 2; res = syscall(SYS_ioctl, (intptr_t)r[0], 0xc0084427, 0x10000c40); fprintf(stderr, "### call=8 errno=%u\n", res == -1 ? errno : 0); break; case 9: memcpy((void*)0x10000c80, "./file0\000", 8); res = syscall(SYS_lchmod, 0x10000c80, 2); fprintf(stderr, "### call=9 errno=%u\n", res == -1 ? errno : 0); break; case 10: *(uint8_t*)0x10000000 = 0xaa; *(uint8_t*)0x10000001 = 0xaa; *(uint8_t*)0x10000002 = 0xaa; *(uint8_t*)0x10000003 = 0xaa; *(uint8_t*)0x10000004 = 0xaa; *(uint8_t*)0x10000005 = 0xaa; *(uint8_t*)0x10000006 = 0xaa; *(uint8_t*)0x10000007 = 0xaa; *(uint8_t*)0x10000008 = 0xaa; *(uint8_t*)0x10000009 = 0xaa; *(uint8_t*)0x1000000a = 0xaa; *(uint8_t*)0x1000000b = 0xaa; *(uint16_t*)0x1000000c = htobe16(0x88a8); STORE_BY_BITMASK(uint16_t, , 0x1000000e, 1, 0, 3); STORE_BY_BITMASK(uint16_t, , 0x1000000e, 0, 3, 1); STORE_BY_BITMASK(uint16_t, , 0x1000000e, 0, 4, 12); *(uint16_t*)0x10000010 = htobe16(0x8100); STORE_BY_BITMASK(uint16_t, , 0x10000012, 2, 0, 3); STORE_BY_BITMASK(uint16_t, , 0x10000012, 0, 3, 1); STORE_BY_BITMASK(uint16_t, , 0x10000012, 1, 4, 12); *(uint16_t*)0x10000014 = htobe16(0x800); STORE_BY_BITMASK(uint8_t, , 0x10000016, 0x11, 0, 4); STORE_BY_BITMASK(uint8_t, , 0x10000016, 4, 4, 4); STORE_BY_BITMASK(uint8_t, , 0x10000017, 2, 0, 2); STORE_BY_BITMASK(uint8_t, , 0x10000017, 3, 2, 6); *(uint16_t*)0x10000018 = htobe16(0xe7); *(uint16_t*)0x1000001a = htobe16(0x66); *(uint16_t*)0x1000001c = htobe16(-1); *(uint8_t*)0x1000001e = 0; *(uint8_t*)0x1000001f = 0x5d; *(uint16_t*)0x10000020 = htobe16(0); *(uint32_t*)0x10000022 = htobe32(-1); *(uint32_t*)0x10000026 = htobe32(0xe0000001); *(uint8_t*)0x1000002a = 0x44; *(uint8_t*)0x1000002b = 6; memcpy((void*)0x1000002c, "\x01\x83\xb4\xa4", 4); *(uint8_t*)0x10000030 = 1; *(uint8_t*)0x10000031 = 1; *(uint8_t*)0x10000032 = 0x11; memcpy((void*)0x10000033, "\xdb\x1f\x84\xf6\x85\xce\x60\xf9\x1e\x89\x36\x88\xe9\x64\xb3", 15); *(uint8_t*)0x10000042 = 0x94; *(uint8_t*)0x10000043 = 6; *(uint32_t*)0x10000044 = htobe32(0x552b3dec); *(uint8_t*)0x10000048 = 0; *(uint8_t*)0x10000049 = 0x86; *(uint8_t*)0x1000004a = 0xf; memcpy((void*)0x1000004b, "\xc4\x0a\x26\x2a\xb0\x8e\xcf\x14\x8a\x55\x2a\xaa\x89", 13); *(uint8_t*)0x1000005a = 8; *(uint8_t*)0x1000005b = 0; *(uint16_t*)0x1000005c = htobe16(0); *(uint16_t*)0x1000005e = htobe16(0x1f); *(uint16_t*)0x10000060 = htobe16(0xae36); memcpy((void*)0x10000062, "\x14\x63\xe3\x81\xbd\x0e\x99\xfd\x71\x4b\xe2\x89\x0e\x54\x54\x74\x95\xf8\x6c\xac\xd7\x30\x55\x37\x6f\x19\x20\x7b\xad\x31\xa1\x37\x34\xaa\xcb\xa2\x8e\x2e\xc2\x7c\x9e\x3e\x30\xca\xe3\x44\xd1\xd5\xdc\x20\x12\x1b\x30\x0a\x45\x03\xf9\xd4\xd6\xba\x08\x66\x1f\x05\x6e\xd2\x70\xce\xcb\x2b\xd7\x24\x49\x70\x0f\xb8\xcf\xb5\x44\xca\x92\xb4\xca\x73\xae\x6f\xb3\x5c\xbc\x90\xe4\x99\x37\x75\x7e\xa5\xa5\x4d\x78\xdb\xb0\xaa\xc5\xf9\x3a\x36\xc7\xb5\xad\xc9\x75\xcd\xb1\xeb\x94\x63\x06\x5c\xde\x07\x19\x23\xf7\xf8\x77\x17\x92\xe8\xb7\x54\x1e\x60\xf7\xa9\x39\x58\xbb\x12\x8b\x93\xce\x90\xd8\x87\xfc\xb0\x62\x23\x5b\xd3\x8a\xb0\xc6\x29\x9b", 155); struct csum_inet csum_1; csum_inet_init(&csum_1); csum_inet_update(&csum_1, (const uint8_t*)0x1000005a, 163); *(uint16_t*)0x1000005c = csum_inet_digest(&csum_1); struct csum_inet csum_2; csum_inet_init(&csum_2); csum_inet_update(&csum_2, (const uint8_t*)0x10000016, 68); *(uint16_t*)0x10000020 = csum_inet_digest(&csum_2); (void)res; break; case 11: memcpy((void*)0x10000100, "\xc4\xe1\x8d\x71\xf2\x8b\x66\x0f\x38\x0b\x95\xf2\x00\x00\x00\x2e\x0f\x6b\x88\x00\x00\x00\x00\x66\x0f\x71\xf3\x06\x3e\x7a\x0d\xc4\xe2\x21\x46\xae\x00\x00\x00\x00\x0f\x01\xde\xc4\xe2\xa1\x93\x64\x8e\x00\xf2\xa7\x68\xa7\x5c\x70\xc8", 57); res = -1; errno = EFAULT; res = syz_execute_func(0x10000100); fprintf(stderr, "### call=11 errno=%u\n", res == -1 ? errno : 0); break; case 12: (void)res; break; } } int main(void) { syscall(SYS_mmap, 0x10000000, 0x1000000, 7, 0x1012, -1, 0); use_temporary_dir(); do_sandbox_none(); return 0; } :425:17: error: use of undeclared identifier 'SYS___realpathat' res = syscall(SYS___realpathat, (intptr_t)r[0], 0x10000b40, 0x10000b80, 5, 0); ^ 1 error generated. compiler invocation: clang [-o /tmp/syz-executor476116381 -DGOOS_freebsd=1 -DGOARCH_386=1 -DHOSTGOOS_freebsd=1 -x c - -m32 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -static -lc++ -Wno-overflow] --- FAIL: TestGenerate/freebsd/386/11 (1.56s) csource_test.go:123: opts: {Threaded:true Collide:false Repeat:true RepeatTimes:0 Procs:0 Sandbox:none Fault:false FaultCall:0 FaultNth:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false USB:false VhciInjection:false Wifi:false UseTmpDir:true HandleSegv:true Repro:false Trace:false} program: ioctl$DIOCRTSTADDRS(0xffffffffffffffff, 0xc4504449, &(0x7f0000000080)={{"c33ae1d7ace1241b1c03eaefebf74db163915a0bf1b388f6c36d59c77891254f65b0c984fc2be1b080c3b8c3d5d42292e58ea3e02d3b74272f3656e00e4d131b3b07713fd9cb86b40808514f58bbf7d626ad55439d194e4acade743a7354457424539c29442e24022a9f68154fa633c3e609a5e371789177d16a8405b3a4703f49372a512ba8ee4a3851f79b01ab4a3f3cf65f410399a271347b2c68cd28c5f5904ef5d4612399dc9e8a0829ae73c99c50f0f576bf16d38efcbf66476b785431a5e93171168e0fbcdbd6d3cf1ba657ecf14ba60f6e8f18e0da4d7a13db337b7508b7b7de2ff1de6a7bb94e8b8143d4ad6188501d04302cde08629001bfca810e5533adeb14a0ee4c8d244694e091a5d177608a3850188eb6f839a7c626d3dc390bc9a0e9faa35c7d10229d14382e2031e8aa3f7cd066bb6bc0e8f6259d365502a85d13d71bd1ab5ef28a701925e23beb531ca1a93101a0db35a6e8d797d46f053d4562b0c3896cfb91669869f82259c073c4eb7b65afa62b0a37ff5ead5be57187a37ce3c5af9b37d50a89c28f8fed5953173f8df188ba31f5dfd3973e12edf11ae5917eb0657b3796f76784c03c1aa13a7b1a15ddf54ed277387f7ea4057b81b1126391d5d37ac2c878f68444613d8c942510e03ffe6b6813268f4b067c8793642023b5ca52a7fcbb7f96f675f87b82ddec5507168d1fd3b4c166cd5cd12d68a266f1b2eaee4159b990b9d62e88844752ee03ff4adc97a993618c0c856c0c2bfe4760389cef292861251120a1c36147f33f5a217ed56da6858721fc11aacc711cfa74e7d60cb1e27263995fc9c49dd3a37b34872acd3b31ef031cd39ea4e0ff2635f44e8b561cbcdf2095d3cee586d296985153644b802f69ea2e11fa1e71be713c49e8a7475f26eec3fad432cfeecaff2a84a91e3ad7cb6e2cea970fa3aa2861c5571958783dc339462f2b5235e8139e6f292f98ffaf46150b32dbd906b13ff5d6a45f4401f77971df4ecf24d7c9618b57f5d40a674b4b2d4c7da929b5a187c3bf773c882d48a3b90ac191f651bcc38ac462264e6dc4db77e8e8631e3aed0bd0d2c0b62baf69bd5ebdea1440256d7d5998dcb0c9bd7c3d191fd8254e82b92a3183601a8d5a98737f6631a7b3dd58fe77a557cfc7b5d00376db39ec531d396affab1d89135c3fe860d313a240e6582ef96d18781702eaba44036558294bd3f20650674928191ac8553697fd654475575fb16d4466190c14f686e6bca7ab1e919c37814bf6c1c9905106ff673f1a4f5969b0b8194f62b21f0fe4e8980b87d1962813029f7bc998c955de450f7a4b8efe45036e881bf9547269211ec700c23b26590120ecb904fa41acae742afe32c72404e1520a0eea2d02b0703efb2b0a495005083abb84a59f2055b70e0c39160ef59e034c68c4435f3e838ca2ffa3e343d6", "138ccaa45ad3df6da8a039dc2887ebe89dab7a81e1f6de3b8e1abca71f8fbc2a", 0x8, 0x40}, &(0x7f0000000000)="504164a018f8c2ab990fb138243a70bd1f9a5a21226eb18c830cd2aee4cfa0165754b334163230f4aac7a16f736d4efa94ea1f0266595ca44bfed993e0ae9226e10a4fb125bfc2ae29e2431c6972", 0x9, 0x2, 0x2, 0x6, 0x80000000, 0x81, 0x40, 0x5}) ioctl$DIOCRCLRTSTATS(0xffffffffffffffff, 0xc4504441, &(0x7f0000000540)={{"5a74125d9b2c6db6fa88cd72b2e4b45a4bb5343951f9de38b63392fff5edac8795d2beab5485383a33632bdbbf6f496ff138614dc9f9516e111cc5aa4570ca19d4497b89b258f65b710d4d3f4e1dafe43f70baf51da5e101069884b3b8f5358cf7e246d24cdc123b10ba6605ba46ae5178d1fe2c4b2c9fa3f3f3c145ae6066e31d33768591341acf8fad9033b9ced22813d20dc77eedce619c7bb65ba0a889e0fefb8281c0a88ee64a29746b6ff0e9d2db70e8180bdee380f08fb194dce295e1eaa893709be9bfe39775c4232328159ad9c3aa4224dd0cbe3341145b89f6f9c170e619f590b0bf0493b74973f4fba6b974f2bdee806b5c604cc8222b1543f6693a85d96b56b09110bb8928e8016dfd309b61c579a6c345887f50be646f182829b1ab66a27db812eb4cacba79bc9d98cb18310940f74a4602cb85692b42fe8a99c95ae91a67195c048d2000ae4350f89baffd5c7d292e228f25c7eb924fc8693ee38573287e389e35746fbaa37ab9b770b351e367bf05e00d7dbd68db30b87975757cb251365916cda5a363ff40d96aaf33233bb14115dab9efe4649e40f2e5e01db2d65a3043302d9f1f08595a448cccb7a717c6954c7233411d08e1140f2ac5fb625cd1b6b6586561e66ded23f69e3d017a64bd221f2d3f274d846940aab424e829050ee33dd6ce69cc50c693ad316a7f90817317b21f719016c31c22d9ca46cfcb467122979e8c55f690c49b89b04564ce70f96ebd09edb40687017be21c8f567d6b152bcc830736a9320181d88a979e506b50acb148545987b361023ca78bdde928624018aeae51e3f86c3b540b16051d3881a98d1aa02910c94460a0f95310c25bf7a996e41c17f2399e760323b4f417bfc5225d705468066faf9027404c4271fc37ecf73f1470a998274a79286baed6ca7c4a88c827e96b4ea96f0bf23ff9afaded0937704cc63d24b3bcf0d62551d7a8f300114437c624d2c14e90d084aefe7963a2a88882eda723c328c360a296f98ea7fd565a4b58222c1b4e89dabc7078fff6f23ceebcedb8813d3712d3c7f7f6f083fbb19e724a2027f16f1c8e2f660112421ba698699a0481330c0baca6b7b8e4515006178e1b078b6ca6306b9aedf73f0ce22da0a0637929ab2a917cf65300bf90f2378ab6494a04bcf87b9afb7eb746fb016cb6db0ba3faa85ca8f51b7e9bd8a9cd9c79fb77730f0eaf32be459cde898e323a9ed52951f8cbb25ed095b4d53c02bbef1e646dd556a9b69e2dd55f5bba3c7e3548bd01227f2b4d28f2597e4cb2f48232fa0a9adad4db26d412f2c698f03195a68d5548ea1991fa68a7a23d552cd61b2bc69513b1cf737c252fb9aac500262c9e47b9a680c74c7a060083d59165386982b5053f5683537ba139d61f494ac501142300efbc216cf4b9390de0ab29400bcdf5dea05156c1301df3f0", "21c62cdf3e9152798235fbe946d77dc7a78f8ed9d987a3e5964236d1a7081389", 0x7, 0x85}, &(0x7f0000000500)="52b4622b0f6dc8eee7e26956deb6651f580fa2cd", 0x9, 0x3f, 0x401, 0x7fffffff, 0x10000000000, 0xfff, 0x100000000000000, 0x1}) syz_emit_ethernet(0x9d, &(0x7f00000009c0)={@random="5374adcfed27", @empty, [], {@ipv6={0x86dd, {0x9, 0x6, "d88240", 0x67, 0x8b, 0x0, @empty, @loopback, {[], @generic="f4b4cf43a7aef20c31e14bee9247103031ea180ffe1999bfb047b666122e7a31f3bbb765984dd66d0048dd884c5046769fda23d1698a23839cf3afbf15305873bb5343f5d2c95230a99726afd87dcdcda40de7adeac5954ec93c0c6c3d669177e7f932bd8d9833"}}}}}) setsockopt$inet_sctp_SCTP_FRAGMENT_INTERLEAVE(0xffffffffffffff9c, 0x84, 0x10, &(0x7f0000000a80), 0x4) r0 = fcntl$dupfd(0xffffffffffffff9c, 0x11, 0xffffffffffffff9c) ioctl$DIOCADDADDR(r0, 0xc4704434, &(0x7f0000000ac0)="50e16a4f1711c681ab660d59a3d967a097bb87f063f4c49ba1a443373d02dee51448a79f1acb5a806f25197c29a6ad5c10db0a546c3a5014ab8c80b4f8594c1b9d424603") __realpathat(r0, &(0x7f0000000b40)='./file0\x00', &(0x7f0000000b80)=""/5, 0x5, 0x0) accept(r0, &(0x7f0000000bc0)=@in6={0x1c, 0x1c, 0xffffffffffffffff, 0x0, @loopback}, &(0x7f0000000c00)=0x1c) ioctl$DIOCGETLIMIT(r0, 0xc0084427, &(0x7f0000000c40)={0x5, 0x2}) lchmod(&(0x7f0000000c80)='./file0\x00', 0x2) syz_emit_ethernet(0xfd, &(0x7f0000000000)={@local, @local, [{[{0x88a8, 0x1}], {0x8100, 0x2, 0x0, 0x1}}], {@ipv4={0x800, {{0x11, 0x4, 0x2, 0x3, 0xe7, 0x66, 0xffff, 0x0, 0x5d, 0x0, @broadcast, @multicast1, {[@generic={0x44, 0x6, "0183b4a4"}, @noop, @generic={0x1, 0x11, "db1f84f685ce60f91e893688e964b3"}, @ra={0x94, 0x6, 0x552b3dec}, @end, @generic={0x86, 0xf, "c40a262ab08ecf148a552aaa89"}]}}, @icmp=@echo={0x8, 0x0, 0x0, 0x1f, 0xae36, "1463e381bd0e99fd714be2890e54547495f86cacd73055376f19207bad31a13734aacba28e2ec27c9e3e30cae344d1d5dc20121b300a4503f9d4d6ba08661f056ed270cecb2bd72449700fb8cfb544ca92b4ca73ae6fb35cbc90e49937757ea5a54d78dbb0aac5f93a36c7b5adc975cdb1eb9463065cde071923f7f8771792e8b7541e60f7a93958bb128b93ce90d887fcb062235bd38ab0c6299b"}}}}}) syz_execute_func(&(0x7f0000000100)="c4e18d71f28b660f380b95f20000002e0f6b8800000000660f71f3063e7a0dc4e22146ae000000000f01dec4e2a193648e00f2a768a75c70c8") syz_extract_tcp_res(&(0x7f0000000140), 0x62, 0x8001) csource_test.go:124: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include static __thread int skip_segv; static __thread jmp_buf segv_env; static void segv_handler(int sig, siginfo_t* info, void* ctx) { uintptr_t addr = (uintptr_t)info->si_addr; const uintptr_t prog_start = 1 << 20; const uintptr_t prog_end = 100 << 20; int skip = __atomic_load_n(&skip_segv, __ATOMIC_RELAXED) != 0; int valid = addr < prog_start || addr > prog_end; if (sig == SIGBUS) { valid = 1; } if (skip && valid) { _longjmp(segv_env, 1); } exit(sig); } static void install_segv_handler(void) { struct sigaction sa; memset(&sa, 0, sizeof(sa)); sa.sa_sigaction = segv_handler; sa.sa_flags = SA_NODEFER | SA_SIGINFO; sigaction(SIGSEGV, &sa, NULL); sigaction(SIGBUS, &sa, NULL); } #define NONFAILING(...) ({ int ok = 1; __atomic_fetch_add(&skip_segv, 1, __ATOMIC_SEQ_CST); if (_setjmp(segv_env) == 0) { __VA_ARGS__; } else ok = 0; __atomic_fetch_sub(&skip_segv, 1, __ATOMIC_SEQ_CST); ok; }) static void kill_and_wait(int pid, int* status) { kill(pid, SIGKILL); while (waitpid(-1, status, 0) != pid) { } } static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void use_temporary_dir(void) { char tmpdir_template[] = "./syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) exit(1); if (chmod(tmpdir, 0777)) exit(1); if (chdir(tmpdir)) exit(1); } static void __attribute__((noinline)) remove_dir(const char* dir) { DIR* dp = opendir(dir); if (dp == NULL) { if (errno == EACCES) { if (rmdir(dir)) exit(1); return; } exit(1); } struct dirent* ep = 0; while ((ep = readdir(dp))) { if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0) continue; char filename[FILENAME_MAX]; snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name); struct stat st; if (lstat(filename, &st)) exit(1); if (S_ISDIR(st.st_mode)) { remove_dir(filename); continue; } if (unlink(filename)) exit(1); } closedir(dp); if (rmdir(dir)) exit(1); } static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); pthread_attr_setstacksize(&attr, 128 << 10); int i = 0; for (; i < 100; i++) { if (pthread_create(&th, &attr, fn, arg) == 0) { pthread_attr_destroy(&attr); return; } if (errno == EAGAIN) { usleep(50); continue; } break; } exit(1); } typedef struct { pthread_mutex_t mu; pthread_cond_t cv; int state; } event_t; static void event_init(event_t* ev) { if (pthread_mutex_init(&ev->mu, 0)) exit(1); if (pthread_cond_init(&ev->cv, 0)) exit(1); ev->state = 0; } static void event_reset(event_t* ev) { ev->state = 0; } static void event_set(event_t* ev) { pthread_mutex_lock(&ev->mu); if (ev->state) exit(1); ev->state = 1; pthread_mutex_unlock(&ev->mu); pthread_cond_broadcast(&ev->cv); } static void event_wait(event_t* ev) { pthread_mutex_lock(&ev->mu); while (!ev->state) pthread_cond_wait(&ev->cv, &ev->mu); pthread_mutex_unlock(&ev->mu); } static int event_isset(event_t* ev) { pthread_mutex_lock(&ev->mu); int res = ev->state; pthread_mutex_unlock(&ev->mu); return res; } static int event_timedwait(event_t* ev, uint64_t timeout) { uint64_t start = current_time_ms(); uint64_t now = start; pthread_mutex_lock(&ev->mu); for (;;) { if (ev->state) break; uint64_t remain = timeout - (now - start); struct timespec ts; ts.tv_sec = remain / 1000; ts.tv_nsec = (remain % 1000) * 1000 * 1000; pthread_cond_timedwait(&ev->cv, &ev->mu, &ts); now = current_time_ms(); if (now - start > timeout) break; } int res = ev->state; pthread_mutex_unlock(&ev->mu); return res; } #define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off)) #define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len)))) struct csum_inet { uint32_t acc; }; static void csum_inet_init(struct csum_inet* csum) { csum->acc = 0; } static void csum_inet_update(struct csum_inet* csum, const uint8_t* data, size_t length) { if (length == 0) return; size_t i = 0; for (; i < length - 1; i += 2) csum->acc += *(uint16_t*)&data[i]; if (length & 1) csum->acc += le16toh((uint16_t)data[length - 1]); while (csum->acc > 0xffff) csum->acc = (csum->acc & 0xffff) + (csum->acc >> 16); } static uint16_t csum_inet_digest(struct csum_inet* csum) { return ~csum->acc; } static void sandbox_common() { if (setsid() == -1) exit(1); struct rlimit rlim; rlim.rlim_cur = rlim.rlim_max = 128 << 20; setrlimit(RLIMIT_AS, &rlim); rlim.rlim_cur = rlim.rlim_max = 8 << 20; setrlimit(RLIMIT_MEMLOCK, &rlim); rlim.rlim_cur = rlim.rlim_max = 1 << 20; setrlimit(RLIMIT_FSIZE, &rlim); rlim.rlim_cur = rlim.rlim_max = 1 << 20; setrlimit(RLIMIT_STACK, &rlim); rlim.rlim_cur = rlim.rlim_max = 0; setrlimit(RLIMIT_CORE, &rlim); rlim.rlim_cur = rlim.rlim_max = 256; setrlimit(RLIMIT_NOFILE, &rlim); } static void loop(); static int do_sandbox_none(void) { sandbox_common(); loop(); return 0; } static long syz_execute_func(volatile long text) { ((void (*)(void))(text))(); return 0; } struct thread_t { int created, call; event_t ready, done; }; static struct thread_t threads[16]; static void execute_call(int call); static int running; static void* thr(void* arg) { struct thread_t* th = (struct thread_t*)arg; for (;;) { event_wait(&th->ready); event_reset(&th->ready); execute_call(th->call); __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED); event_set(&th->done); } return 0; } static void execute_one(void) { int i, call, thread; for (call = 0; call < 13; call++) { for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) { struct thread_t* th = &threads[thread]; if (!th->created) { th->created = 1; event_init(&th->ready); event_init(&th->done); event_set(&th->done); thread_start(thr, th); } if (!event_isset(&th->done)) continue; event_reset(&th->done); th->call = call; __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED); event_set(&th->ready); event_timedwait(&th->done, 45); break; } } for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++) sleep_ms(1); } static void execute_one(void); #define WAIT_FLAGS 0 static void loop(void) { int iter = 0; for (;; iter++) { char cwdbuf[32]; sprintf(cwdbuf, "./%d", iter); if (mkdir(cwdbuf, 0777)) exit(1); int pid = fork(); if (pid < 0) exit(1); if (pid == 0) { if (chdir(cwdbuf)) exit(1); execute_one(); exit(0); } int status = 0; uint64_t start = current_time_ms(); for (;;) { if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) break; sleep_ms(1); if (current_time_ms() - start < 5 * 1000) continue; kill_and_wait(pid, &status); break; } remove_dir(cwdbuf); } } uint64_t r[1] = {0xffffffffffffffff}; void execute_call(int call) { intptr_t res = 0; switch (call) { case 0: NONFAILING(memcpy((void*)0x10000080, "\xc3\x3a\xe1\xd7\xac\xe1\x24\x1b\x1c\x03\xea\xef\xeb\xf7\x4d\xb1\x63\x91\x5a\x0b\xf1\xb3\x88\xf6\xc3\x6d\x59\xc7\x78\x91\x25\x4f\x65\xb0\xc9\x84\xfc\x2b\xe1\xb0\x80\xc3\xb8\xc3\xd5\xd4\x22\x92\xe5\x8e\xa3\xe0\x2d\x3b\x74\x27\x2f\x36\x56\xe0\x0e\x4d\x13\x1b\x3b\x07\x71\x3f\xd9\xcb\x86\xb4\x08\x08\x51\x4f\x58\xbb\xf7\xd6\x26\xad\x55\x43\x9d\x19\x4e\x4a\xca\xde\x74\x3a\x73\x54\x45\x74\x24\x53\x9c\x29\x44\x2e\x24\x02\x2a\x9f\x68\x15\x4f\xa6\x33\xc3\xe6\x09\xa5\xe3\x71\x78\x91\x77\xd1\x6a\x84\x05\xb3\xa4\x70\x3f\x49\x37\x2a\x51\x2b\xa8\xee\x4a\x38\x51\xf7\x9b\x01\xab\x4a\x3f\x3c\xf6\x5f\x41\x03\x99\xa2\x71\x34\x7b\x2c\x68\xcd\x28\xc5\xf5\x90\x4e\xf5\xd4\x61\x23\x99\xdc\x9e\x8a\x08\x29\xae\x73\xc9\x9c\x50\xf0\xf5\x76\xbf\x16\xd3\x8e\xfc\xbf\x66\x47\x6b\x78\x54\x31\xa5\xe9\x31\x71\x16\x8e\x0f\xbc\xdb\xd6\xd3\xcf\x1b\xa6\x57\xec\xf1\x4b\xa6\x0f\x6e\x8f\x18\xe0\xda\x4d\x7a\x13\xdb\x33\x7b\x75\x08\xb7\xb7\xde\x2f\xf1\xde\x6a\x7b\xb9\x4e\x8b\x81\x43\xd4\xad\x61\x88\x50\x1d\x04\x30\x2c\xde\x08\x62\x90\x01\xbf\xca\x81\x0e\x55\x33\xad\xeb\x14\xa0\xee\x4c\x8d\x24\x46\x94\xe0\x91\xa5\xd1\x77\x60\x8a\x38\x50\x18\x8e\xb6\xf8\x39\xa7\xc6\x26\xd3\xdc\x39\x0b\xc9\xa0\xe9\xfa\xa3\x5c\x7d\x10\x22\x9d\x14\x38\x2e\x20\x31\xe8\xaa\x3f\x7c\xd0\x66\xbb\x6b\xc0\xe8\xf6\x25\x9d\x36\x55\x02\xa8\x5d\x13\xd7\x1b\xd1\xab\x5e\xf2\x8a\x70\x19\x25\xe2\x3b\xeb\x53\x1c\xa1\xa9\x31\x01\xa0\xdb\x35\xa6\xe8\xd7\x97\xd4\x6f\x05\x3d\x45\x62\xb0\xc3\x89\x6c\xfb\x91\x66\x98\x69\xf8\x22\x59\xc0\x73\xc4\xeb\x7b\x65\xaf\xa6\x2b\x0a\x37\xff\x5e\xad\x5b\xe5\x71\x87\xa3\x7c\xe3\xc5\xaf\x9b\x37\xd5\x0a\x89\xc2\x8f\x8f\xed\x59\x53\x17\x3f\x8d\xf1\x88\xba\x31\xf5\xdf\xd3\x97\x3e\x12\xed\xf1\x1a\xe5\x91\x7e\xb0\x65\x7b\x37\x96\xf7\x67\x84\xc0\x3c\x1a\xa1\x3a\x7b\x1a\x15\xdd\xf5\x4e\xd2\x77\x38\x7f\x7e\xa4\x05\x7b\x81\xb1\x12\x63\x91\xd5\xd3\x7a\xc2\xc8\x78\xf6\x84\x44\x61\x3d\x8c\x94\x25\x10\xe0\x3f\xfe\x6b\x68\x13\x26\x8f\x4b\x06\x7c\x87\x93\x64\x20\x23\xb5\xca\x52\xa7\xfc\xbb\x7f\x96\xf6\x75\xf8\x7b\x82\xdd\xec\x55\x07\x16\x8d\x1f\xd3\xb4\xc1\x66\xcd\x5c\xd1\x2d\x68\xa2\x66\xf1\xb2\xea\xee\x41\x59\xb9\x90\xb9\xd6\x2e\x88\x84\x47\x52\xee\x03\xff\x4a\xdc\x97\xa9\x93\x61\x8c\x0c\x85\x6c\x0c\x2b\xfe\x47\x60\x38\x9c\xef\x29\x28\x61\x25\x11\x20\xa1\xc3\x61\x47\xf3\x3f\x5a\x21\x7e\xd5\x6d\xa6\x85\x87\x21\xfc\x11\xaa\xcc\x71\x1c\xfa\x74\xe7\xd6\x0c\xb1\xe2\x72\x63\x99\x5f\xc9\xc4\x9d\xd3\xa3\x7b\x34\x87\x2a\xcd\x3b\x31\xef\x03\x1c\xd3\x9e\xa4\xe0\xff\x26\x35\xf4\x4e\x8b\x56\x1c\xbc\xdf\x20\x95\xd3\xce\xe5\x86\xd2\x96\x98\x51\x53\x64\x4b\x80\x2f\x69\xea\x2e\x11\xfa\x1e\x71\xbe\x71\x3c\x49\xe8\xa7\x47\x5f\x26\xee\xc3\xfa\xd4\x32\xcf\xee\xca\xff\x2a\x84\xa9\x1e\x3a\xd7\xcb\x6e\x2c\xea\x97\x0f\xa3\xaa\x28\x61\xc5\x57\x19\x58\x78\x3d\xc3\x39\x46\x2f\x2b\x52\x35\xe8\x13\x9e\x6f\x29\x2f\x98\xff\xaf\x46\x15\x0b\x32\xdb\xd9\x06\xb1\x3f\xf5\xd6\xa4\x5f\x44\x01\xf7\x79\x71\xdf\x4e\xcf\x24\xd7\xc9\x61\x8b\x57\xf5\xd4\x0a\x67\x4b\x4b\x2d\x4c\x7d\xa9\x29\xb5\xa1\x87\xc3\xbf\x77\x3c\x88\x2d\x48\xa3\xb9\x0a\xc1\x91\xf6\x51\xbc\xc3\x8a\xc4\x62\x26\x4e\x6d\xc4\xdb\x77\xe8\xe8\x63\x1e\x3a\xed\x0b\xd0\xd2\xc0\xb6\x2b\xaf\x69\xbd\x5e\xbd\xea\x14\x40\x25\x6d\x7d\x59\x98\xdc\xb0\xc9\xbd\x7c\x3d\x19\x1f\xd8\x25\x4e\x82\xb9\x2a\x31\x83\x60\x1a\x8d\x5a\x98\x73\x7f\x66\x31\xa7\xb3\xdd\x58\xfe\x77\xa5\x57\xcf\xc7\xb5\xd0\x03\x76\xdb\x39\xec\x53\x1d\x39\x6a\xff\xab\x1d\x89\x13\x5c\x3f\xe8\x60\xd3\x13\xa2\x40\xe6\x58\x2e\xf9\x6d\x18\x78\x17\x02\xea\xba\x44\x03\x65\x58\x29\x4b\xd3\xf2\x06\x50\x67\x49\x28\x19\x1a\xc8\x55\x36\x97\xfd\x65\x44\x75\x57\x5f\xb1\x6d\x44\x66\x19\x0c\x14\xf6\x86\xe6\xbc\xa7\xab\x1e\x91\x9c\x37\x81\x4b\xf6\xc1\xc9\x90\x51\x06\xff\x67\x3f\x1a\x4f\x59\x69\xb0\xb8\x19\x4f\x62\xb2\x1f\x0f\xe4\xe8\x98\x0b\x87\xd1\x96\x28\x13\x02\x9f\x7b\xc9\x98\xc9\x55\xde\x45\x0f\x7a\x4b\x8e\xfe\x45\x03\x6e\x88\x1b\xf9\x54\x72\x69\x21\x1e\xc7\x00\xc2\x3b\x26\x59\x01\x20\xec\xb9\x04\xfa\x41\xac\xae\x74\x2a\xfe\x32\xc7\x24\x04\xe1\x52\x0a\x0e\xea\x2d\x02\xb0\x70\x3e\xfb\x2b\x0a\x49\x50\x05\x08\x3a\xbb\x84\xa5\x9f\x20\x55\xb7\x0e\x0c\x39\x16\x0e\xf5\x9e\x03\x4c\x68\xc4\x43\x5f\x3e\x83\x8c\xa2\xff\xa3\xe3\x43\xd6", 1024)); NONFAILING(memcpy((void*)0x10000480, "\x13\x8c\xca\xa4\x5a\xd3\xdf\x6d\xa8\xa0\x39\xdc\x28\x87\xeb\xe8\x9d\xab\x7a\x81\xe1\xf6\xde\x3b\x8e\x1a\xbc\xa7\x1f\x8f\xbc\x2a", 32)); NONFAILING(*(uint32_t*)0x100004a0 = 8); NONFAILING(*(uint8_t*)0x100004a4 = 0x40); NONFAILING(*(uint32_t*)0x100004a8 = 0x10000000); NONFAILING(memcpy((void*)0x10000000, "\x50\x41\x64\xa0\x18\xf8\xc2\xab\x99\x0f\xb1\x38\x24\x3a\x70\xbd\x1f\x9a\x5a\x21\x22\x6e\xb1\x8c\x83\x0c\xd2\xae\xe4\xcf\xa0\x16\x57\x54\xb3\x34\x16\x32\x30\xf4\xaa\xc7\xa1\x6f\x73\x6d\x4e\xfa\x94\xea\x1f\x02\x66\x59\x5c\xa4\x4b\xfe\xd9\x93\xe0\xae\x92\x26\xe1\x0a\x4f\xb1\x25\xbf\xc2\xae\x29\xe2\x43\x1c\x69\x72", 78)); NONFAILING(*(uint64_t*)0x100004ac = 9); NONFAILING(*(uint64_t*)0x100004b4 = 2); NONFAILING(*(uint64_t*)0x100004bc = 2); NONFAILING(*(uint64_t*)0x100004c4 = 6); NONFAILING(*(uint64_t*)0x100004cc = 0x80000000); NONFAILING(*(uint64_t*)0x100004d4 = 0x81); NONFAILING(*(uint64_t*)0x100004dc = 0x40); NONFAILING(*(uint32_t*)0x100004e4 = 5); syscall(SYS_ioctl, -1, 0xc4504449, 0x10000080); break; case 1: NONFAILING(memcpy((void*)0x10000540, "\x5a\x74\x12\x5d\x9b\x2c\x6d\xb6\xfa\x88\xcd\x72\xb2\xe4\xb4\x5a\x4b\xb5\x34\x39\x51\xf9\xde\x38\xb6\x33\x92\xff\xf5\xed\xac\x87\x95\xd2\xbe\xab\x54\x85\x38\x3a\x33\x63\x2b\xdb\xbf\x6f\x49\x6f\xf1\x38\x61\x4d\xc9\xf9\x51\x6e\x11\x1c\xc5\xaa\x45\x70\xca\x19\xd4\x49\x7b\x89\xb2\x58\xf6\x5b\x71\x0d\x4d\x3f\x4e\x1d\xaf\xe4\x3f\x70\xba\xf5\x1d\xa5\xe1\x01\x06\x98\x84\xb3\xb8\xf5\x35\x8c\xf7\xe2\x46\xd2\x4c\xdc\x12\x3b\x10\xba\x66\x05\xba\x46\xae\x51\x78\xd1\xfe\x2c\x4b\x2c\x9f\xa3\xf3\xf3\xc1\x45\xae\x60\x66\xe3\x1d\x33\x76\x85\x91\x34\x1a\xcf\x8f\xad\x90\x33\xb9\xce\xd2\x28\x13\xd2\x0d\xc7\x7e\xed\xce\x61\x9c\x7b\xb6\x5b\xa0\xa8\x89\xe0\xfe\xfb\x82\x81\xc0\xa8\x8e\xe6\x4a\x29\x74\x6b\x6f\xf0\xe9\xd2\xdb\x70\xe8\x18\x0b\xde\xe3\x80\xf0\x8f\xb1\x94\xdc\xe2\x95\xe1\xea\xa8\x93\x70\x9b\xe9\xbf\xe3\x97\x75\xc4\x23\x23\x28\x15\x9a\xd9\xc3\xaa\x42\x24\xdd\x0c\xbe\x33\x41\x14\x5b\x89\xf6\xf9\xc1\x70\xe6\x19\xf5\x90\xb0\xbf\x04\x93\xb7\x49\x73\xf4\xfb\xa6\xb9\x74\xf2\xbd\xee\x80\x6b\x5c\x60\x4c\xc8\x22\x2b\x15\x43\xf6\x69\x3a\x85\xd9\x6b\x56\xb0\x91\x10\xbb\x89\x28\xe8\x01\x6d\xfd\x30\x9b\x61\xc5\x79\xa6\xc3\x45\x88\x7f\x50\xbe\x64\x6f\x18\x28\x29\xb1\xab\x66\xa2\x7d\xb8\x12\xeb\x4c\xac\xba\x79\xbc\x9d\x98\xcb\x18\x31\x09\x40\xf7\x4a\x46\x02\xcb\x85\x69\x2b\x42\xfe\x8a\x99\xc9\x5a\xe9\x1a\x67\x19\x5c\x04\x8d\x20\x00\xae\x43\x50\xf8\x9b\xaf\xfd\x5c\x7d\x29\x2e\x22\x8f\x25\xc7\xeb\x92\x4f\xc8\x69\x3e\xe3\x85\x73\x28\x7e\x38\x9e\x35\x74\x6f\xba\xa3\x7a\xb9\xb7\x70\xb3\x51\xe3\x67\xbf\x05\xe0\x0d\x7d\xbd\x68\xdb\x30\xb8\x79\x75\x75\x7c\xb2\x51\x36\x59\x16\xcd\xa5\xa3\x63\xff\x40\xd9\x6a\xaf\x33\x23\x3b\xb1\x41\x15\xda\xb9\xef\xe4\x64\x9e\x40\xf2\xe5\xe0\x1d\xb2\xd6\x5a\x30\x43\x30\x2d\x9f\x1f\x08\x59\x5a\x44\x8c\xcc\xb7\xa7\x17\xc6\x95\x4c\x72\x33\x41\x1d\x08\xe1\x14\x0f\x2a\xc5\xfb\x62\x5c\xd1\xb6\xb6\x58\x65\x61\xe6\x6d\xed\x23\xf6\x9e\x3d\x01\x7a\x64\xbd\x22\x1f\x2d\x3f\x27\x4d\x84\x69\x40\xaa\xb4\x24\xe8\x29\x05\x0e\xe3\x3d\xd6\xce\x69\xcc\x50\xc6\x93\xad\x31\x6a\x7f\x90\x81\x73\x17\xb2\x1f\x71\x90\x16\xc3\x1c\x22\xd9\xca\x46\xcf\xcb\x46\x71\x22\x97\x9e\x8c\x55\xf6\x90\xc4\x9b\x89\xb0\x45\x64\xce\x70\xf9\x6e\xbd\x09\xed\xb4\x06\x87\x01\x7b\xe2\x1c\x8f\x56\x7d\x6b\x15\x2b\xcc\x83\x07\x36\xa9\x32\x01\x81\xd8\x8a\x97\x9e\x50\x6b\x50\xac\xb1\x48\x54\x59\x87\xb3\x61\x02\x3c\xa7\x8b\xdd\xe9\x28\x62\x40\x18\xae\xae\x51\xe3\xf8\x6c\x3b\x54\x0b\x16\x05\x1d\x38\x81\xa9\x8d\x1a\xa0\x29\x10\xc9\x44\x60\xa0\xf9\x53\x10\xc2\x5b\xf7\xa9\x96\xe4\x1c\x17\xf2\x39\x9e\x76\x03\x23\xb4\xf4\x17\xbf\xc5\x22\x5d\x70\x54\x68\x06\x6f\xaf\x90\x27\x40\x4c\x42\x71\xfc\x37\xec\xf7\x3f\x14\x70\xa9\x98\x27\x4a\x79\x28\x6b\xae\xd6\xca\x7c\x4a\x88\xc8\x27\xe9\x6b\x4e\xa9\x6f\x0b\xf2\x3f\xf9\xaf\xad\xed\x09\x37\x70\x4c\xc6\x3d\x24\xb3\xbc\xf0\xd6\x25\x51\xd7\xa8\xf3\x00\x11\x44\x37\xc6\x24\xd2\xc1\x4e\x90\xd0\x84\xae\xfe\x79\x63\xa2\xa8\x88\x82\xed\xa7\x23\xc3\x28\xc3\x60\xa2\x96\xf9\x8e\xa7\xfd\x56\x5a\x4b\x58\x22\x2c\x1b\x4e\x89\xda\xbc\x70\x78\xff\xf6\xf2\x3c\xee\xbc\xed\xb8\x81\x3d\x37\x12\xd3\xc7\xf7\xf6\xf0\x83\xfb\xb1\x9e\x72\x4a\x20\x27\xf1\x6f\x1c\x8e\x2f\x66\x01\x12\x42\x1b\xa6\x98\x69\x9a\x04\x81\x33\x0c\x0b\xac\xa6\xb7\xb8\xe4\x51\x50\x06\x17\x8e\x1b\x07\x8b\x6c\xa6\x30\x6b\x9a\xed\xf7\x3f\x0c\xe2\x2d\xa0\xa0\x63\x79\x29\xab\x2a\x91\x7c\xf6\x53\x00\xbf\x90\xf2\x37\x8a\xb6\x49\x4a\x04\xbc\xf8\x7b\x9a\xfb\x7e\xb7\x46\xfb\x01\x6c\xb6\xdb\x0b\xa3\xfa\xa8\x5c\xa8\xf5\x1b\x7e\x9b\xd8\xa9\xcd\x9c\x79\xfb\x77\x73\x0f\x0e\xaf\x32\xbe\x45\x9c\xde\x89\x8e\x32\x3a\x9e\xd5\x29\x51\xf8\xcb\xb2\x5e\xd0\x95\xb4\xd5\x3c\x02\xbb\xef\x1e\x64\x6d\xd5\x56\xa9\xb6\x9e\x2d\xd5\x5f\x5b\xba\x3c\x7e\x35\x48\xbd\x01\x22\x7f\x2b\x4d\x28\xf2\x59\x7e\x4c\xb2\xf4\x82\x32\xfa\x0a\x9a\xda\xd4\xdb\x26\xd4\x12\xf2\xc6\x98\xf0\x31\x95\xa6\x8d\x55\x48\xea\x19\x91\xfa\x68\xa7\xa2\x3d\x55\x2c\xd6\x1b\x2b\xc6\x95\x13\xb1\xcf\x73\x7c\x25\x2f\xb9\xaa\xc5\x00\x26\x2c\x9e\x47\xb9\xa6\x80\xc7\x4c\x7a\x06\x00\x83\xd5\x91\x65\x38\x69\x82\xb5\x05\x3f\x56\x83\x53\x7b\xa1\x39\xd6\x1f\x49\x4a\xc5\x01\x14\x23\x00\xef\xbc\x21\x6c\xf4\xb9\x39\x0d\xe0\xab\x29\x40\x0b\xcd\xf5\xde\xa0\x51\x56\xc1\x30\x1d\xf3\xf0", 1024)); NONFAILING(memcpy((void*)0x10000940, "\x21\xc6\x2c\xdf\x3e\x91\x52\x79\x82\x35\xfb\xe9\x46\xd7\x7d\xc7\xa7\x8f\x8e\xd9\xd9\x87\xa3\xe5\x96\x42\x36\xd1\xa7\x08\x13\x89", 32)); NONFAILING(*(uint32_t*)0x10000960 = 7); NONFAILING(*(uint8_t*)0x10000964 = 0x85); NONFAILING(*(uint32_t*)0x10000968 = 0x10000500); NONFAILING(memcpy((void*)0x10000500, "\x52\xb4\x62\x2b\x0f\x6d\xc8\xee\xe7\xe2\x69\x56\xde\xb6\x65\x1f\x58\x0f\xa2\xcd", 20)); NONFAILING(*(uint64_t*)0x1000096c = 9); NONFAILING(*(uint64_t*)0x10000974 = 0x3f); NONFAILING(*(uint64_t*)0x1000097c = 0x401); NONFAILING(*(uint64_t*)0x10000984 = 0x7fffffff); NONFAILING(*(uint64_t*)0x1000098c = 0x10000000000); NONFAILING(*(uint64_t*)0x10000994 = 0xfff); NONFAILING(*(uint64_t*)0x1000099c = 0x100000000000000); NONFAILING(*(uint32_t*)0x100009a4 = 1); syscall(SYS_ioctl, -1, 0xc4504441, 0x10000540); break; case 2: NONFAILING(memcpy((void*)0x100009c0, "\x53\x74\xad\xcf\xed\x27", 6)); NONFAILING(*(uint8_t*)0x100009c6 = 0); NONFAILING(*(uint8_t*)0x100009c7 = 0); NONFAILING(*(uint8_t*)0x100009c8 = 0); NONFAILING(*(uint8_t*)0x100009c9 = 0); NONFAILING(*(uint8_t*)0x100009ca = 0); NONFAILING(*(uint8_t*)0x100009cb = 0); NONFAILING(*(uint16_t*)0x100009cc = htobe16(0x86dd)); NONFAILING(STORE_BY_BITMASK(uint8_t, , 0x100009ce, 9, 0, 4)); NONFAILING(STORE_BY_BITMASK(uint8_t, , 0x100009ce, 6, 4, 4)); NONFAILING(memcpy((void*)0x100009cf, "\xd8\x82\x40", 3)); NONFAILING(*(uint16_t*)0x100009d2 = htobe16(0x67)); NONFAILING(*(uint8_t*)0x100009d4 = 0x8b); NONFAILING(*(uint8_t*)0x100009d5 = 0); NONFAILING(*(uint8_t*)0x100009d6 = 0); NONFAILING(*(uint8_t*)0x100009d7 = 0); NONFAILING(*(uint8_t*)0x100009d8 = 0); NONFAILING(*(uint8_t*)0x100009d9 = 0); NONFAILING(*(uint8_t*)0x100009da = 0); NONFAILING(*(uint8_t*)0x100009db = 0); NONFAILING(*(uint8_t*)0x100009dc = 0); NONFAILING(*(uint8_t*)0x100009dd = 0); NONFAILING(*(uint8_t*)0x100009de = 0); NONFAILING(*(uint8_t*)0x100009df = 0); NONFAILING(*(uint8_t*)0x100009e0 = 0); NONFAILING(*(uint8_t*)0x100009e1 = 0); NONFAILING(*(uint8_t*)0x100009e2 = 0); NONFAILING(*(uint8_t*)0x100009e3 = 0); NONFAILING(*(uint8_t*)0x100009e4 = 0); NONFAILING(*(uint8_t*)0x100009e5 = 0); NONFAILING(*(uint64_t*)0x100009e6 = htobe64(0)); NONFAILING(*(uint64_t*)0x100009ee = htobe64(1)); NONFAILING(memcpy((void*)0x100009f6, "\xf4\xb4\xcf\x43\xa7\xae\xf2\x0c\x31\xe1\x4b\xee\x92\x47\x10\x30\x31\xea\x18\x0f\xfe\x19\x99\xbf\xb0\x47\xb6\x66\x12\x2e\x7a\x31\xf3\xbb\xb7\x65\x98\x4d\xd6\x6d\x00\x48\xdd\x88\x4c\x50\x46\x76\x9f\xda\x23\xd1\x69\x8a\x23\x83\x9c\xf3\xaf\xbf\x15\x30\x58\x73\xbb\x53\x43\xf5\xd2\xc9\x52\x30\xa9\x97\x26\xaf\xd8\x7d\xcd\xcd\xa4\x0d\xe7\xad\xea\xc5\x95\x4e\xc9\x3c\x0c\x6c\x3d\x66\x91\x77\xe7\xf9\x32\xbd\x8d\x98\x33", 103)); break; case 3: NONFAILING(*(uint32_t*)0x10000a80 = 0); syscall(SYS_setsockopt, 0xffffff9c, 0x84, 0x10, 0x10000a80, 4); break; case 4: res = syscall(SYS_fcntl, 0xffffff9c, 0x11, 0xffffff9c); if (res != -1) r[0] = res; break; case 5: NONFAILING(memcpy((void*)0x10000ac0, "\x50\xe1\x6a\x4f\x17\x11\xc6\x81\xab\x66\x0d\x59\xa3\xd9\x67\xa0\x97\xbb\x87\xf0\x63\xf4\xc4\x9b\xa1\xa4\x43\x37\x3d\x02\xde\xe5\x14\x48\xa7\x9f\x1a\xcb\x5a\x80\x6f\x25\x19\x7c\x29\xa6\xad\x5c\x10\xdb\x0a\x54\x6c\x3a\x50\x14\xab\x8c\x80\xb4\xf8\x59\x4c\x1b\x9d\x42\x46\x03", 68)); syscall(SYS_ioctl, (intptr_t)r[0], 0xc4704434, 0x10000ac0); break; case 6: NONFAILING(memcpy((void*)0x10000b40, "./file0\000", 8)); syscall(SYS___realpathat, (intptr_t)r[0], 0x10000b40, 0x10000b80, 5, 0); break; case 7: NONFAILING(*(uint32_t*)0x10000c00 = 0x1c); syscall(SYS_accept, (intptr_t)r[0], 0x10000bc0, 0x10000c00); break; case 8: NONFAILING(*(uint32_t*)0x10000c40 = 5); NONFAILING(*(uint32_t*)0x10000c44 = 2); syscall(SYS_ioctl, (intptr_t)r[0], 0xc0084427, 0x10000c40); break; case 9: NONFAILING(memcpy((void*)0x10000c80, "./file0\000", 8)); syscall(SYS_lchmod, 0x10000c80, 2); break; case 10: NONFAILING(*(uint8_t*)0x10000000 = 0xaa); NONFAILING(*(uint8_t*)0x10000001 = 0xaa); NONFAILING(*(uint8_t*)0x10000002 = 0xaa); NONFAILING(*(uint8_t*)0x10000003 = 0xaa); NONFAILING(*(uint8_t*)0x10000004 = 0xaa); NONFAILING(*(uint8_t*)0x10000005 = 0xaa); NONFAILING(*(uint8_t*)0x10000006 = 0xaa); NONFAILING(*(uint8_t*)0x10000007 = 0xaa); NONFAILING(*(uint8_t*)0x10000008 = 0xaa); NONFAILING(*(uint8_t*)0x10000009 = 0xaa); NONFAILING(*(uint8_t*)0x1000000a = 0xaa); NONFAILING(*(uint8_t*)0x1000000b = 0xaa); NONFAILING(*(uint16_t*)0x1000000c = htobe16(0x88a8)); NONFAILING(STORE_BY_BITMASK(uint16_t, , 0x1000000e, 1, 0, 3)); NONFAILING(STORE_BY_BITMASK(uint16_t, , 0x1000000e, 0, 3, 1)); NONFAILING(STORE_BY_BITMASK(uint16_t, , 0x1000000e, 0, 4, 12)); NONFAILING(*(uint16_t*)0x10000010 = htobe16(0x8100)); NONFAILING(STORE_BY_BITMASK(uint16_t, , 0x10000012, 2, 0, 3)); NONFAILING(STORE_BY_BITMASK(uint16_t, , 0x10000012, 0, 3, 1)); NONFAILING(STORE_BY_BITMASK(uint16_t, , 0x10000012, 1, 4, 12)); NONFAILING(*(uint16_t*)0x10000014 = htobe16(0x800)); NONFAILING(STORE_BY_BITMASK(uint8_t, , 0x10000016, 0x11, 0, 4)); NONFAILING(STORE_BY_BITMASK(uint8_t, , 0x10000016, 4, 4, 4)); NONFAILING(STORE_BY_BITMASK(uint8_t, , 0x10000017, 2, 0, 2)); NONFAILING(STORE_BY_BITMASK(uint8_t, , 0x10000017, 3, 2, 6)); NONFAILING(*(uint16_t*)0x10000018 = htobe16(0xe7)); NONFAILING(*(uint16_t*)0x1000001a = htobe16(0x66)); NONFAILING(*(uint16_t*)0x1000001c = htobe16(-1)); NONFAILING(*(uint8_t*)0x1000001e = 0); NONFAILING(*(uint8_t*)0x1000001f = 0x5d); NONFAILING(*(uint16_t*)0x10000020 = htobe16(0)); NONFAILING(*(uint32_t*)0x10000022 = htobe32(-1)); NONFAILING(*(uint32_t*)0x10000026 = htobe32(0xe0000001)); NONFAILING(*(uint8_t*)0x1000002a = 0x44); NONFAILING(*(uint8_t*)0x1000002b = 6); NONFAILING(memcpy((void*)0x1000002c, "\x01\x83\xb4\xa4", 4)); NONFAILING(*(uint8_t*)0x10000030 = 1); NONFAILING(*(uint8_t*)0x10000031 = 1); NONFAILING(*(uint8_t*)0x10000032 = 0x11); NONFAILING(memcpy((void*)0x10000033, "\xdb\x1f\x84\xf6\x85\xce\x60\xf9\x1e\x89\x36\x88\xe9\x64\xb3", 15)); NONFAILING(*(uint8_t*)0x10000042 = 0x94); NONFAILING(*(uint8_t*)0x10000043 = 6); NONFAILING(*(uint32_t*)0x10000044 = htobe32(0x552b3dec)); NONFAILING(*(uint8_t*)0x10000048 = 0); NONFAILING(*(uint8_t*)0x10000049 = 0x86); NONFAILING(*(uint8_t*)0x1000004a = 0xf); NONFAILING(memcpy((void*)0x1000004b, "\xc4\x0a\x26\x2a\xb0\x8e\xcf\x14\x8a\x55\x2a\xaa\x89", 13)); NONFAILING(*(uint8_t*)0x1000005a = 8); NONFAILING(*(uint8_t*)0x1000005b = 0); NONFAILING(*(uint16_t*)0x1000005c = htobe16(0)); NONFAILING(*(uint16_t*)0x1000005e = htobe16(0x1f)); NONFAILING(*(uint16_t*)0x10000060 = htobe16(0xae36)); NONFAILING(memcpy((void*)0x10000062, "\x14\x63\xe3\x81\xbd\x0e\x99\xfd\x71\x4b\xe2\x89\x0e\x54\x54\x74\x95\xf8\x6c\xac\xd7\x30\x55\x37\x6f\x19\x20\x7b\xad\x31\xa1\x37\x34\xaa\xcb\xa2\x8e\x2e\xc2\x7c\x9e\x3e\x30\xca\xe3\x44\xd1\xd5\xdc\x20\x12\x1b\x30\x0a\x45\x03\xf9\xd4\xd6\xba\x08\x66\x1f\x05\x6e\xd2\x70\xce\xcb\x2b\xd7\x24\x49\x70\x0f\xb8\xcf\xb5\x44\xca\x92\xb4\xca\x73\xae\x6f\xb3\x5c\xbc\x90\xe4\x99\x37\x75\x7e\xa5\xa5\x4d\x78\xdb\xb0\xaa\xc5\xf9\x3a\x36\xc7\xb5\xad\xc9\x75\xcd\xb1\xeb\x94\x63\x06\x5c\xde\x07\x19\x23\xf7\xf8\x77\x17\x92\xe8\xb7\x54\x1e\x60\xf7\xa9\x39\x58\xbb\x12\x8b\x93\xce\x90\xd8\x87\xfc\xb0\x62\x23\x5b\xd3\x8a\xb0\xc6\x29\x9b", 155)); struct csum_inet csum_1; csum_inet_init(&csum_1); NONFAILING(csum_inet_update(&csum_1, (const uint8_t*)0x1000005a, 163)); NONFAILING(*(uint16_t*)0x1000005c = csum_inet_digest(&csum_1)); struct csum_inet csum_2; csum_inet_init(&csum_2); NONFAILING(csum_inet_update(&csum_2, (const uint8_t*)0x10000016, 68)); NONFAILING(*(uint16_t*)0x10000020 = csum_inet_digest(&csum_2)); break; case 11: NONFAILING(memcpy((void*)0x10000100, "\xc4\xe1\x8d\x71\xf2\x8b\x66\x0f\x38\x0b\x95\xf2\x00\x00\x00\x2e\x0f\x6b\x88\x00\x00\x00\x00\x66\x0f\x71\xf3\x06\x3e\x7a\x0d\xc4\xe2\x21\x46\xae\x00\x00\x00\x00\x0f\x01\xde\xc4\xe2\xa1\x93\x64\x8e\x00\xf2\xa7\x68\xa7\x5c\x70\xc8", 57)); NONFAILING(syz_execute_func(0x10000100)); break; case 12: break; } } int main(void) { syscall(SYS_mmap, 0x10000000, 0x1000000, 7, 0x1012, -1, 0); install_segv_handler(); use_temporary_dir(); do_sandbox_none(); return 0; } :450:11: error: use of undeclared identifier 'SYS___realpathat' syscall(SYS___realpathat, (intptr_t)r[0], 0x10000b40, 0x10000b80, 5, 0); ^ 1 error generated. compiler invocation: clang [-o /tmp/syz-executor845765665 -DGOOS_freebsd=1 -DGOARCH_386=1 -DHOSTGOOS_freebsd=1 -x c - -m32 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -static -lc++ -Wno-overflow] --- FAIL: TestGenerate/freebsd/386/0 (1.97s) csource_test.go:123: opts: {Threaded:false Collide:false Repeat:true RepeatTimes:0 Procs:0 Sandbox:none Fault:false FaultCall:0 FaultNth:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false USB:false VhciInjection:false Wifi:false UseTmpDir:true HandleSegv:false Repro:false Trace:false} program: ioctl$DIOCRTSTADDRS(0xffffffffffffffff, 0xc4504449, &(0x7f0000000080)={{"c33ae1d7ace1241b1c03eaefebf74db163915a0bf1b388f6c36d59c77891254f65b0c984fc2be1b080c3b8c3d5d42292e58ea3e02d3b74272f3656e00e4d131b3b07713fd9cb86b40808514f58bbf7d626ad55439d194e4acade743a7354457424539c29442e24022a9f68154fa633c3e609a5e371789177d16a8405b3a4703f49372a512ba8ee4a3851f79b01ab4a3f3cf65f410399a271347b2c68cd28c5f5904ef5d4612399dc9e8a0829ae73c99c50f0f576bf16d38efcbf66476b785431a5e93171168e0fbcdbd6d3cf1ba657ecf14ba60f6e8f18e0da4d7a13db337b7508b7b7de2ff1de6a7bb94e8b8143d4ad6188501d04302cde08629001bfca810e5533adeb14a0ee4c8d244694e091a5d177608a3850188eb6f839a7c626d3dc390bc9a0e9faa35c7d10229d14382e2031e8aa3f7cd066bb6bc0e8f6259d365502a85d13d71bd1ab5ef28a701925e23beb531ca1a93101a0db35a6e8d797d46f053d4562b0c3896cfb91669869f82259c073c4eb7b65afa62b0a37ff5ead5be57187a37ce3c5af9b37d50a89c28f8fed5953173f8df188ba31f5dfd3973e12edf11ae5917eb0657b3796f76784c03c1aa13a7b1a15ddf54ed277387f7ea4057b81b1126391d5d37ac2c878f68444613d8c942510e03ffe6b6813268f4b067c8793642023b5ca52a7fcbb7f96f675f87b82ddec5507168d1fd3b4c166cd5cd12d68a266f1b2eaee4159b990b9d62e88844752ee03ff4adc97a993618c0c856c0c2bfe4760389cef292861251120a1c36147f33f5a217ed56da6858721fc11aacc711cfa74e7d60cb1e27263995fc9c49dd3a37b34872acd3b31ef031cd39ea4e0ff2635f44e8b561cbcdf2095d3cee586d296985153644b802f69ea2e11fa1e71be713c49e8a7475f26eec3fad432cfeecaff2a84a91e3ad7cb6e2cea970fa3aa2861c5571958783dc339462f2b5235e8139e6f292f98ffaf46150b32dbd906b13ff5d6a45f4401f77971df4ecf24d7c9618b57f5d40a674b4b2d4c7da929b5a187c3bf773c882d48a3b90ac191f651bcc38ac462264e6dc4db77e8e8631e3aed0bd0d2c0b62baf69bd5ebdea1440256d7d5998dcb0c9bd7c3d191fd8254e82b92a3183601a8d5a98737f6631a7b3dd58fe77a557cfc7b5d00376db39ec531d396affab1d89135c3fe860d313a240e6582ef96d18781702eaba44036558294bd3f20650674928191ac8553697fd654475575fb16d4466190c14f686e6bca7ab1e919c37814bf6c1c9905106ff673f1a4f5969b0b8194f62b21f0fe4e8980b87d1962813029f7bc998c955de450f7a4b8efe45036e881bf9547269211ec700c23b26590120ecb904fa41acae742afe32c72404e1520a0eea2d02b0703efb2b0a495005083abb84a59f2055b70e0c39160ef59e034c68c4435f3e838ca2ffa3e343d6", "138ccaa45ad3df6da8a039dc2887ebe89dab7a81e1f6de3b8e1abca71f8fbc2a", 0x8, 0x40}, &(0x7f0000000000)="504164a018f8c2ab990fb138243a70bd1f9a5a21226eb18c830cd2aee4cfa0165754b334163230f4aac7a16f736d4efa94ea1f0266595ca44bfed993e0ae9226e10a4fb125bfc2ae29e2431c6972", 0x9, 0x2, 0x2, 0x6, 0x80000000, 0x81, 0x40, 0x5}) ioctl$DIOCRCLRTSTATS(0xffffffffffffffff, 0xc4504441, &(0x7f0000000540)={{"5a74125d9b2c6db6fa88cd72b2e4b45a4bb5343951f9de38b63392fff5edac8795d2beab5485383a33632bdbbf6f496ff138614dc9f9516e111cc5aa4570ca19d4497b89b258f65b710d4d3f4e1dafe43f70baf51da5e101069884b3b8f5358cf7e246d24cdc123b10ba6605ba46ae5178d1fe2c4b2c9fa3f3f3c145ae6066e31d33768591341acf8fad9033b9ced22813d20dc77eedce619c7bb65ba0a889e0fefb8281c0a88ee64a29746b6ff0e9d2db70e8180bdee380f08fb194dce295e1eaa893709be9bfe39775c4232328159ad9c3aa4224dd0cbe3341145b89f6f9c170e619f590b0bf0493b74973f4fba6b974f2bdee806b5c604cc8222b1543f6693a85d96b56b09110bb8928e8016dfd309b61c579a6c345887f50be646f182829b1ab66a27db812eb4cacba79bc9d98cb18310940f74a4602cb85692b42fe8a99c95ae91a67195c048d2000ae4350f89baffd5c7d292e228f25c7eb924fc8693ee38573287e389e35746fbaa37ab9b770b351e367bf05e00d7dbd68db30b87975757cb251365916cda5a363ff40d96aaf33233bb14115dab9efe4649e40f2e5e01db2d65a3043302d9f1f08595a448cccb7a717c6954c7233411d08e1140f2ac5fb625cd1b6b6586561e66ded23f69e3d017a64bd221f2d3f274d846940aab424e829050ee33dd6ce69cc50c693ad316a7f90817317b21f719016c31c22d9ca46cfcb467122979e8c55f690c49b89b04564ce70f96ebd09edb40687017be21c8f567d6b152bcc830736a9320181d88a979e506b50acb148545987b361023ca78bdde928624018aeae51e3f86c3b540b16051d3881a98d1aa02910c94460a0f95310c25bf7a996e41c17f2399e760323b4f417bfc5225d705468066faf9027404c4271fc37ecf73f1470a998274a79286baed6ca7c4a88c827e96b4ea96f0bf23ff9afaded0937704cc63d24b3bcf0d62551d7a8f300114437c624d2c14e90d084aefe7963a2a88882eda723c328c360a296f98ea7fd565a4b58222c1b4e89dabc7078fff6f23ceebcedb8813d3712d3c7f7f6f083fbb19e724a2027f16f1c8e2f660112421ba698699a0481330c0baca6b7b8e4515006178e1b078b6ca6306b9aedf73f0ce22da0a0637929ab2a917cf65300bf90f2378ab6494a04bcf87b9afb7eb746fb016cb6db0ba3faa85ca8f51b7e9bd8a9cd9c79fb77730f0eaf32be459cde898e323a9ed52951f8cbb25ed095b4d53c02bbef1e646dd556a9b69e2dd55f5bba3c7e3548bd01227f2b4d28f2597e4cb2f48232fa0a9adad4db26d412f2c698f03195a68d5548ea1991fa68a7a23d552cd61b2bc69513b1cf737c252fb9aac500262c9e47b9a680c74c7a060083d59165386982b5053f5683537ba139d61f494ac501142300efbc216cf4b9390de0ab29400bcdf5dea05156c1301df3f0", "21c62cdf3e9152798235fbe946d77dc7a78f8ed9d987a3e5964236d1a7081389", 0x7, 0x85}, &(0x7f0000000500)="52b4622b0f6dc8eee7e26956deb6651f580fa2cd", 0x9, 0x3f, 0x401, 0x7fffffff, 0x10000000000, 0xfff, 0x100000000000000, 0x1}) syz_emit_ethernet(0x9d, &(0x7f00000009c0)={@random="5374adcfed27", @empty, [], {@ipv6={0x86dd, {0x9, 0x6, "d88240", 0x67, 0x8b, 0x0, @empty, @loopback, {[], @generic="f4b4cf43a7aef20c31e14bee9247103031ea180ffe1999bfb047b666122e7a31f3bbb765984dd66d0048dd884c5046769fda23d1698a23839cf3afbf15305873bb5343f5d2c95230a99726afd87dcdcda40de7adeac5954ec93c0c6c3d669177e7f932bd8d9833"}}}}}) setsockopt$inet_sctp_SCTP_FRAGMENT_INTERLEAVE(0xffffffffffffff9c, 0x84, 0x10, &(0x7f0000000a80), 0x4) r0 = fcntl$dupfd(0xffffffffffffff9c, 0x11, 0xffffffffffffff9c) ioctl$DIOCADDADDR(r0, 0xc4704434, &(0x7f0000000ac0)="50e16a4f1711c681ab660d59a3d967a097bb87f063f4c49ba1a443373d02dee51448a79f1acb5a806f25197c29a6ad5c10db0a546c3a5014ab8c80b4f8594c1b9d424603") __realpathat(r0, &(0x7f0000000b40)='./file0\x00', &(0x7f0000000b80)=""/5, 0x5, 0x0) accept(r0, &(0x7f0000000bc0)=@in6={0x1c, 0x1c, 0xffffffffffffffff, 0x0, @loopback}, &(0x7f0000000c00)=0x1c) ioctl$DIOCGETLIMIT(r0, 0xc0084427, &(0x7f0000000c40)={0x5, 0x2}) lchmod(&(0x7f0000000c80)='./file0\x00', 0x2) syz_emit_ethernet(0xfd, &(0x7f0000000000)={@local, @local, [{[{0x88a8, 0x1}], {0x8100, 0x2, 0x0, 0x1}}], {@ipv4={0x800, {{0x11, 0x4, 0x2, 0x3, 0xe7, 0x66, 0xffff, 0x0, 0x5d, 0x0, @broadcast, @multicast1, {[@generic={0x44, 0x6, "0183b4a4"}, @noop, @generic={0x1, 0x11, "db1f84f685ce60f91e893688e964b3"}, @ra={0x94, 0x6, 0x552b3dec}, @end, @generic={0x86, 0xf, "c40a262ab08ecf148a552aaa89"}]}}, @icmp=@echo={0x8, 0x0, 0x0, 0x1f, 0xae36, "1463e381bd0e99fd714be2890e54547495f86cacd73055376f19207bad31a13734aacba28e2ec27c9e3e30cae344d1d5dc20121b300a4503f9d4d6ba08661f056ed270cecb2bd72449700fb8cfb544ca92b4ca73ae6fb35cbc90e49937757ea5a54d78dbb0aac5f93a36c7b5adc975cdb1eb9463065cde071923f7f8771792e8b7541e60f7a93958bb128b93ce90d887fcb062235bd38ab0c6299b"}}}}}) syz_execute_func(&(0x7f0000000100)="c4e18d71f28b660f380b95f20000002e0f6b8800000000660f71f3063e7a0dc4e22146ae000000000f01dec4e2a193648e00f2a768a75c70c8") syz_extract_tcp_res(&(0x7f0000000140), 0x62, 0x8001) csource_test.go:124: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include static void kill_and_wait(int pid, int* status) { kill(pid, SIGKILL); while (waitpid(-1, status, 0) != pid) { } } static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void use_temporary_dir(void) { char tmpdir_template[] = "./syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) exit(1); if (chmod(tmpdir, 0777)) exit(1); if (chdir(tmpdir)) exit(1); } static void __attribute__((noinline)) remove_dir(const char* dir) { DIR* dp = opendir(dir); if (dp == NULL) { if (errno == EACCES) { if (rmdir(dir)) exit(1); return; } exit(1); } struct dirent* ep = 0; while ((ep = readdir(dp))) { if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0) continue; char filename[FILENAME_MAX]; snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name); struct stat st; if (lstat(filename, &st)) exit(1); if (S_ISDIR(st.st_mode)) { remove_dir(filename); continue; } if (unlink(filename)) exit(1); } closedir(dp); if (rmdir(dir)) exit(1); } #define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off)) #define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len)))) struct csum_inet { uint32_t acc; }; static void csum_inet_init(struct csum_inet* csum) { csum->acc = 0; } static void csum_inet_update(struct csum_inet* csum, const uint8_t* data, size_t length) { if (length == 0) return; size_t i = 0; for (; i < length - 1; i += 2) csum->acc += *(uint16_t*)&data[i]; if (length & 1) csum->acc += le16toh((uint16_t)data[length - 1]); while (csum->acc > 0xffff) csum->acc = (csum->acc & 0xffff) + (csum->acc >> 16); } static uint16_t csum_inet_digest(struct csum_inet* csum) { return ~csum->acc; } static void sandbox_common() { if (setsid() == -1) exit(1); struct rlimit rlim; rlim.rlim_cur = rlim.rlim_max = 128 << 20; setrlimit(RLIMIT_AS, &rlim); rlim.rlim_cur = rlim.rlim_max = 8 << 20; setrlimit(RLIMIT_MEMLOCK, &rlim); rlim.rlim_cur = rlim.rlim_max = 1 << 20; setrlimit(RLIMIT_FSIZE, &rlim); rlim.rlim_cur = rlim.rlim_max = 1 << 20; setrlimit(RLIMIT_STACK, &rlim); rlim.rlim_cur = rlim.rlim_max = 0; setrlimit(RLIMIT_CORE, &rlim); rlim.rlim_cur = rlim.rlim_max = 256; setrlimit(RLIMIT_NOFILE, &rlim); } static void loop(); static int do_sandbox_none(void) { sandbox_common(); loop(); return 0; } static long syz_execute_func(volatile long text) { ((void (*)(void))(text))(); return 0; } static void execute_one(void); #define WAIT_FLAGS 0 static void loop(void) { int iter = 0; for (;; iter++) { char cwdbuf[32]; sprintf(cwdbuf, "./%d", iter); if (mkdir(cwdbuf, 0777)) exit(1); int pid = fork(); if (pid < 0) exit(1); if (pid == 0) { if (chdir(cwdbuf)) exit(1); execute_one(); exit(0); } int status = 0; uint64_t start = current_time_ms(); for (;;) { if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) break; sleep_ms(1); if (current_time_ms() - start < 5 * 1000) continue; kill_and_wait(pid, &status); break; } remove_dir(cwdbuf); } } uint64_t r[1] = {0xffffffffffffffff}; void execute_one(void) { intptr_t res = 0; memcpy((void*)0x10000080, "\xc3\x3a\xe1\xd7\xac\xe1\x24\x1b\x1c\x03\xea\xef\xeb\xf7\x4d\xb1\x63\x91\x5a\x0b\xf1\xb3\x88\xf6\xc3\x6d\x59\xc7\x78\x91\x25\x4f\x65\xb0\xc9\x84\xfc\x2b\xe1\xb0\x80\xc3\xb8\xc3\xd5\xd4\x22\x92\xe5\x8e\xa3\xe0\x2d\x3b\x74\x27\x2f\x36\x56\xe0\x0e\x4d\x13\x1b\x3b\x07\x71\x3f\xd9\xcb\x86\xb4\x08\x08\x51\x4f\x58\xbb\xf7\xd6\x26\xad\x55\x43\x9d\x19\x4e\x4a\xca\xde\x74\x3a\x73\x54\x45\x74\x24\x53\x9c\x29\x44\x2e\x24\x02\x2a\x9f\x68\x15\x4f\xa6\x33\xc3\xe6\x09\xa5\xe3\x71\x78\x91\x77\xd1\x6a\x84\x05\xb3\xa4\x70\x3f\x49\x37\x2a\x51\x2b\xa8\xee\x4a\x38\x51\xf7\x9b\x01\xab\x4a\x3f\x3c\xf6\x5f\x41\x03\x99\xa2\x71\x34\x7b\x2c\x68\xcd\x28\xc5\xf5\x90\x4e\xf5\xd4\x61\x23\x99\xdc\x9e\x8a\x08\x29\xae\x73\xc9\x9c\x50\xf0\xf5\x76\xbf\x16\xd3\x8e\xfc\xbf\x66\x47\x6b\x78\x54\x31\xa5\xe9\x31\x71\x16\x8e\x0f\xbc\xdb\xd6\xd3\xcf\x1b\xa6\x57\xec\xf1\x4b\xa6\x0f\x6e\x8f\x18\xe0\xda\x4d\x7a\x13\xdb\x33\x7b\x75\x08\xb7\xb7\xde\x2f\xf1\xde\x6a\x7b\xb9\x4e\x8b\x81\x43\xd4\xad\x61\x88\x50\x1d\x04\x30\x2c\xde\x08\x62\x90\x01\xbf\xca\x81\x0e\x55\x33\xad\xeb\x14\xa0\xee\x4c\x8d\x24\x46\x94\xe0\x91\xa5\xd1\x77\x60\x8a\x38\x50\x18\x8e\xb6\xf8\x39\xa7\xc6\x26\xd3\xdc\x39\x0b\xc9\xa0\xe9\xfa\xa3\x5c\x7d\x10\x22\x9d\x14\x38\x2e\x20\x31\xe8\xaa\x3f\x7c\xd0\x66\xbb\x6b\xc0\xe8\xf6\x25\x9d\x36\x55\x02\xa8\x5d\x13\xd7\x1b\xd1\xab\x5e\xf2\x8a\x70\x19\x25\xe2\x3b\xeb\x53\x1c\xa1\xa9\x31\x01\xa0\xdb\x35\xa6\xe8\xd7\x97\xd4\x6f\x05\x3d\x45\x62\xb0\xc3\x89\x6c\xfb\x91\x66\x98\x69\xf8\x22\x59\xc0\x73\xc4\xeb\x7b\x65\xaf\xa6\x2b\x0a\x37\xff\x5e\xad\x5b\xe5\x71\x87\xa3\x7c\xe3\xc5\xaf\x9b\x37\xd5\x0a\x89\xc2\x8f\x8f\xed\x59\x53\x17\x3f\x8d\xf1\x88\xba\x31\xf5\xdf\xd3\x97\x3e\x12\xed\xf1\x1a\xe5\x91\x7e\xb0\x65\x7b\x37\x96\xf7\x67\x84\xc0\x3c\x1a\xa1\x3a\x7b\x1a\x15\xdd\xf5\x4e\xd2\x77\x38\x7f\x7e\xa4\x05\x7b\x81\xb1\x12\x63\x91\xd5\xd3\x7a\xc2\xc8\x78\xf6\x84\x44\x61\x3d\x8c\x94\x25\x10\xe0\x3f\xfe\x6b\x68\x13\x26\x8f\x4b\x06\x7c\x87\x93\x64\x20\x23\xb5\xca\x52\xa7\xfc\xbb\x7f\x96\xf6\x75\xf8\x7b\x82\xdd\xec\x55\x07\x16\x8d\x1f\xd3\xb4\xc1\x66\xcd\x5c\xd1\x2d\x68\xa2\x66\xf1\xb2\xea\xee\x41\x59\xb9\x90\xb9\xd6\x2e\x88\x84\x47\x52\xee\x03\xff\x4a\xdc\x97\xa9\x93\x61\x8c\x0c\x85\x6c\x0c\x2b\xfe\x47\x60\x38\x9c\xef\x29\x28\x61\x25\x11\x20\xa1\xc3\x61\x47\xf3\x3f\x5a\x21\x7e\xd5\x6d\xa6\x85\x87\x21\xfc\x11\xaa\xcc\x71\x1c\xfa\x74\xe7\xd6\x0c\xb1\xe2\x72\x63\x99\x5f\xc9\xc4\x9d\xd3\xa3\x7b\x34\x87\x2a\xcd\x3b\x31\xef\x03\x1c\xd3\x9e\xa4\xe0\xff\x26\x35\xf4\x4e\x8b\x56\x1c\xbc\xdf\x20\x95\xd3\xce\xe5\x86\xd2\x96\x98\x51\x53\x64\x4b\x80\x2f\x69\xea\x2e\x11\xfa\x1e\x71\xbe\x71\x3c\x49\xe8\xa7\x47\x5f\x26\xee\xc3\xfa\xd4\x32\xcf\xee\xca\xff\x2a\x84\xa9\x1e\x3a\xd7\xcb\x6e\x2c\xea\x97\x0f\xa3\xaa\x28\x61\xc5\x57\x19\x58\x78\x3d\xc3\x39\x46\x2f\x2b\x52\x35\xe8\x13\x9e\x6f\x29\x2f\x98\xff\xaf\x46\x15\x0b\x32\xdb\xd9\x06\xb1\x3f\xf5\xd6\xa4\x5f\x44\x01\xf7\x79\x71\xdf\x4e\xcf\x24\xd7\xc9\x61\x8b\x57\xf5\xd4\x0a\x67\x4b\x4b\x2d\x4c\x7d\xa9\x29\xb5\xa1\x87\xc3\xbf\x77\x3c\x88\x2d\x48\xa3\xb9\x0a\xc1\x91\xf6\x51\xbc\xc3\x8a\xc4\x62\x26\x4e\x6d\xc4\xdb\x77\xe8\xe8\x63\x1e\x3a\xed\x0b\xd0\xd2\xc0\xb6\x2b\xaf\x69\xbd\x5e\xbd\xea\x14\x40\x25\x6d\x7d\x59\x98\xdc\xb0\xc9\xbd\x7c\x3d\x19\x1f\xd8\x25\x4e\x82\xb9\x2a\x31\x83\x60\x1a\x8d\x5a\x98\x73\x7f\x66\x31\xa7\xb3\xdd\x58\xfe\x77\xa5\x57\xcf\xc7\xb5\xd0\x03\x76\xdb\x39\xec\x53\x1d\x39\x6a\xff\xab\x1d\x89\x13\x5c\x3f\xe8\x60\xd3\x13\xa2\x40\xe6\x58\x2e\xf9\x6d\x18\x78\x17\x02\xea\xba\x44\x03\x65\x58\x29\x4b\xd3\xf2\x06\x50\x67\x49\x28\x19\x1a\xc8\x55\x36\x97\xfd\x65\x44\x75\x57\x5f\xb1\x6d\x44\x66\x19\x0c\x14\xf6\x86\xe6\xbc\xa7\xab\x1e\x91\x9c\x37\x81\x4b\xf6\xc1\xc9\x90\x51\x06\xff\x67\x3f\x1a\x4f\x59\x69\xb0\xb8\x19\x4f\x62\xb2\x1f\x0f\xe4\xe8\x98\x0b\x87\xd1\x96\x28\x13\x02\x9f\x7b\xc9\x98\xc9\x55\xde\x45\x0f\x7a\x4b\x8e\xfe\x45\x03\x6e\x88\x1b\xf9\x54\x72\x69\x21\x1e\xc7\x00\xc2\x3b\x26\x59\x01\x20\xec\xb9\x04\xfa\x41\xac\xae\x74\x2a\xfe\x32\xc7\x24\x04\xe1\x52\x0a\x0e\xea\x2d\x02\xb0\x70\x3e\xfb\x2b\x0a\x49\x50\x05\x08\x3a\xbb\x84\xa5\x9f\x20\x55\xb7\x0e\x0c\x39\x16\x0e\xf5\x9e\x03\x4c\x68\xc4\x43\x5f\x3e\x83\x8c\xa2\xff\xa3\xe3\x43\xd6", 1024); memcpy((void*)0x10000480, "\x13\x8c\xca\xa4\x5a\xd3\xdf\x6d\xa8\xa0\x39\xdc\x28\x87\xeb\xe8\x9d\xab\x7a\x81\xe1\xf6\xde\x3b\x8e\x1a\xbc\xa7\x1f\x8f\xbc\x2a", 32); *(uint32_t*)0x100004a0 = 8; *(uint8_t*)0x100004a4 = 0x40; *(uint32_t*)0x100004a8 = 0x10000000; memcpy((void*)0x10000000, "\x50\x41\x64\xa0\x18\xf8\xc2\xab\x99\x0f\xb1\x38\x24\x3a\x70\xbd\x1f\x9a\x5a\x21\x22\x6e\xb1\x8c\x83\x0c\xd2\xae\xe4\xcf\xa0\x16\x57\x54\xb3\x34\x16\x32\x30\xf4\xaa\xc7\xa1\x6f\x73\x6d\x4e\xfa\x94\xea\x1f\x02\x66\x59\x5c\xa4\x4b\xfe\xd9\x93\xe0\xae\x92\x26\xe1\x0a\x4f\xb1\x25\xbf\xc2\xae\x29\xe2\x43\x1c\x69\x72", 78); *(uint64_t*)0x100004ac = 9; *(uint64_t*)0x100004b4 = 2; *(uint64_t*)0x100004bc = 2; *(uint64_t*)0x100004c4 = 6; *(uint64_t*)0x100004cc = 0x80000000; *(uint64_t*)0x100004d4 = 0x81; *(uint64_t*)0x100004dc = 0x40; *(uint32_t*)0x100004e4 = 5; syscall(SYS_ioctl, -1, 0xc4504449, 0x10000080); memcpy((void*)0x10000540, "\x5a\x74\x12\x5d\x9b\x2c\x6d\xb6\xfa\x88\xcd\x72\xb2\xe4\xb4\x5a\x4b\xb5\x34\x39\x51\xf9\xde\x38\xb6\x33\x92\xff\xf5\xed\xac\x87\x95\xd2\xbe\xab\x54\x85\x38\x3a\x33\x63\x2b\xdb\xbf\x6f\x49\x6f\xf1\x38\x61\x4d\xc9\xf9\x51\x6e\x11\x1c\xc5\xaa\x45\x70\xca\x19\xd4\x49\x7b\x89\xb2\x58\xf6\x5b\x71\x0d\x4d\x3f\x4e\x1d\xaf\xe4\x3f\x70\xba\xf5\x1d\xa5\xe1\x01\x06\x98\x84\xb3\xb8\xf5\x35\x8c\xf7\xe2\x46\xd2\x4c\xdc\x12\x3b\x10\xba\x66\x05\xba\x46\xae\x51\x78\xd1\xfe\x2c\x4b\x2c\x9f\xa3\xf3\xf3\xc1\x45\xae\x60\x66\xe3\x1d\x33\x76\x85\x91\x34\x1a\xcf\x8f\xad\x90\x33\xb9\xce\xd2\x28\x13\xd2\x0d\xc7\x7e\xed\xce\x61\x9c\x7b\xb6\x5b\xa0\xa8\x89\xe0\xfe\xfb\x82\x81\xc0\xa8\x8e\xe6\x4a\x29\x74\x6b\x6f\xf0\xe9\xd2\xdb\x70\xe8\x18\x0b\xde\xe3\x80\xf0\x8f\xb1\x94\xdc\xe2\x95\xe1\xea\xa8\x93\x70\x9b\xe9\xbf\xe3\x97\x75\xc4\x23\x23\x28\x15\x9a\xd9\xc3\xaa\x42\x24\xdd\x0c\xbe\x33\x41\x14\x5b\x89\xf6\xf9\xc1\x70\xe6\x19\xf5\x90\xb0\xbf\x04\x93\xb7\x49\x73\xf4\xfb\xa6\xb9\x74\xf2\xbd\xee\x80\x6b\x5c\x60\x4c\xc8\x22\x2b\x15\x43\xf6\x69\x3a\x85\xd9\x6b\x56\xb0\x91\x10\xbb\x89\x28\xe8\x01\x6d\xfd\x30\x9b\x61\xc5\x79\xa6\xc3\x45\x88\x7f\x50\xbe\x64\x6f\x18\x28\x29\xb1\xab\x66\xa2\x7d\xb8\x12\xeb\x4c\xac\xba\x79\xbc\x9d\x98\xcb\x18\x31\x09\x40\xf7\x4a\x46\x02\xcb\x85\x69\x2b\x42\xfe\x8a\x99\xc9\x5a\xe9\x1a\x67\x19\x5c\x04\x8d\x20\x00\xae\x43\x50\xf8\x9b\xaf\xfd\x5c\x7d\x29\x2e\x22\x8f\x25\xc7\xeb\x92\x4f\xc8\x69\x3e\xe3\x85\x73\x28\x7e\x38\x9e\x35\x74\x6f\xba\xa3\x7a\xb9\xb7\x70\xb3\x51\xe3\x67\xbf\x05\xe0\x0d\x7d\xbd\x68\xdb\x30\xb8\x79\x75\x75\x7c\xb2\x51\x36\x59\x16\xcd\xa5\xa3\x63\xff\x40\xd9\x6a\xaf\x33\x23\x3b\xb1\x41\x15\xda\xb9\xef\xe4\x64\x9e\x40\xf2\xe5\xe0\x1d\xb2\xd6\x5a\x30\x43\x30\x2d\x9f\x1f\x08\x59\x5a\x44\x8c\xcc\xb7\xa7\x17\xc6\x95\x4c\x72\x33\x41\x1d\x08\xe1\x14\x0f\x2a\xc5\xfb\x62\x5c\xd1\xb6\xb6\x58\x65\x61\xe6\x6d\xed\x23\xf6\x9e\x3d\x01\x7a\x64\xbd\x22\x1f\x2d\x3f\x27\x4d\x84\x69\x40\xaa\xb4\x24\xe8\x29\x05\x0e\xe3\x3d\xd6\xce\x69\xcc\x50\xc6\x93\xad\x31\x6a\x7f\x90\x81\x73\x17\xb2\x1f\x71\x90\x16\xc3\x1c\x22\xd9\xca\x46\xcf\xcb\x46\x71\x22\x97\x9e\x8c\x55\xf6\x90\xc4\x9b\x89\xb0\x45\x64\xce\x70\xf9\x6e\xbd\x09\xed\xb4\x06\x87\x01\x7b\xe2\x1c\x8f\x56\x7d\x6b\x15\x2b\xcc\x83\x07\x36\xa9\x32\x01\x81\xd8\x8a\x97\x9e\x50\x6b\x50\xac\xb1\x48\x54\x59\x87\xb3\x61\x02\x3c\xa7\x8b\xdd\xe9\x28\x62\x40\x18\xae\xae\x51\xe3\xf8\x6c\x3b\x54\x0b\x16\x05\x1d\x38\x81\xa9\x8d\x1a\xa0\x29\x10\xc9\x44\x60\xa0\xf9\x53\x10\xc2\x5b\xf7\xa9\x96\xe4\x1c\x17\xf2\x39\x9e\x76\x03\x23\xb4\xf4\x17\xbf\xc5\x22\x5d\x70\x54\x68\x06\x6f\xaf\x90\x27\x40\x4c\x42\x71\xfc\x37\xec\xf7\x3f\x14\x70\xa9\x98\x27\x4a\x79\x28\x6b\xae\xd6\xca\x7c\x4a\x88\xc8\x27\xe9\x6b\x4e\xa9\x6f\x0b\xf2\x3f\xf9\xaf\xad\xed\x09\x37\x70\x4c\xc6\x3d\x24\xb3\xbc\xf0\xd6\x25\x51\xd7\xa8\xf3\x00\x11\x44\x37\xc6\x24\xd2\xc1\x4e\x90\xd0\x84\xae\xfe\x79\x63\xa2\xa8\x88\x82\xed\xa7\x23\xc3\x28\xc3\x60\xa2\x96\xf9\x8e\xa7\xfd\x56\x5a\x4b\x58\x22\x2c\x1b\x4e\x89\xda\xbc\x70\x78\xff\xf6\xf2\x3c\xee\xbc\xed\xb8\x81\x3d\x37\x12\xd3\xc7\xf7\xf6\xf0\x83\xfb\xb1\x9e\x72\x4a\x20\x27\xf1\x6f\x1c\x8e\x2f\x66\x01\x12\x42\x1b\xa6\x98\x69\x9a\x04\x81\x33\x0c\x0b\xac\xa6\xb7\xb8\xe4\x51\x50\x06\x17\x8e\x1b\x07\x8b\x6c\xa6\x30\x6b\x9a\xed\xf7\x3f\x0c\xe2\x2d\xa0\xa0\x63\x79\x29\xab\x2a\x91\x7c\xf6\x53\x00\xbf\x90\xf2\x37\x8a\xb6\x49\x4a\x04\xbc\xf8\x7b\x9a\xfb\x7e\xb7\x46\xfb\x01\x6c\xb6\xdb\x0b\xa3\xfa\xa8\x5c\xa8\xf5\x1b\x7e\x9b\xd8\xa9\xcd\x9c\x79\xfb\x77\x73\x0f\x0e\xaf\x32\xbe\x45\x9c\xde\x89\x8e\x32\x3a\x9e\xd5\x29\x51\xf8\xcb\xb2\x5e\xd0\x95\xb4\xd5\x3c\x02\xbb\xef\x1e\x64\x6d\xd5\x56\xa9\xb6\x9e\x2d\xd5\x5f\x5b\xba\x3c\x7e\x35\x48\xbd\x01\x22\x7f\x2b\x4d\x28\xf2\x59\x7e\x4c\xb2\xf4\x82\x32\xfa\x0a\x9a\xda\xd4\xdb\x26\xd4\x12\xf2\xc6\x98\xf0\x31\x95\xa6\x8d\x55\x48\xea\x19\x91\xfa\x68\xa7\xa2\x3d\x55\x2c\xd6\x1b\x2b\xc6\x95\x13\xb1\xcf\x73\x7c\x25\x2f\xb9\xaa\xc5\x00\x26\x2c\x9e\x47\xb9\xa6\x80\xc7\x4c\x7a\x06\x00\x83\xd5\x91\x65\x38\x69\x82\xb5\x05\x3f\x56\x83\x53\x7b\xa1\x39\xd6\x1f\x49\x4a\xc5\x01\x14\x23\x00\xef\xbc\x21\x6c\xf4\xb9\x39\x0d\xe0\xab\x29\x40\x0b\xcd\xf5\xde\xa0\x51\x56\xc1\x30\x1d\xf3\xf0", 1024); memcpy((void*)0x10000940, "\x21\xc6\x2c\xdf\x3e\x91\x52\x79\x82\x35\xfb\xe9\x46\xd7\x7d\xc7\xa7\x8f\x8e\xd9\xd9\x87\xa3\xe5\x96\x42\x36\xd1\xa7\x08\x13\x89", 32); *(uint32_t*)0x10000960 = 7; *(uint8_t*)0x10000964 = 0x85; *(uint32_t*)0x10000968 = 0x10000500; memcpy((void*)0x10000500, "\x52\xb4\x62\x2b\x0f\x6d\xc8\xee\xe7\xe2\x69\x56\xde\xb6\x65\x1f\x58\x0f\xa2\xcd", 20); *(uint64_t*)0x1000096c = 9; *(uint64_t*)0x10000974 = 0x3f; *(uint64_t*)0x1000097c = 0x401; *(uint64_t*)0x10000984 = 0x7fffffff; *(uint64_t*)0x1000098c = 0x10000000000; *(uint64_t*)0x10000994 = 0xfff; *(uint64_t*)0x1000099c = 0x100000000000000; *(uint32_t*)0x100009a4 = 1; syscall(SYS_ioctl, -1, 0xc4504441, 0x10000540); memcpy((void*)0x100009c0, "\x53\x74\xad\xcf\xed\x27", 6); *(uint8_t*)0x100009c6 = 0; *(uint8_t*)0x100009c7 = 0; *(uint8_t*)0x100009c8 = 0; *(uint8_t*)0x100009c9 = 0; *(uint8_t*)0x100009ca = 0; *(uint8_t*)0x100009cb = 0; *(uint16_t*)0x100009cc = htobe16(0x86dd); STORE_BY_BITMASK(uint8_t, , 0x100009ce, 9, 0, 4); STORE_BY_BITMASK(uint8_t, , 0x100009ce, 6, 4, 4); memcpy((void*)0x100009cf, "\xd8\x82\x40", 3); *(uint16_t*)0x100009d2 = htobe16(0x67); *(uint8_t*)0x100009d4 = 0x8b; *(uint8_t*)0x100009d5 = 0; *(uint8_t*)0x100009d6 = 0; *(uint8_t*)0x100009d7 = 0; *(uint8_t*)0x100009d8 = 0; *(uint8_t*)0x100009d9 = 0; *(uint8_t*)0x100009da = 0; *(uint8_t*)0x100009db = 0; *(uint8_t*)0x100009dc = 0; *(uint8_t*)0x100009dd = 0; *(uint8_t*)0x100009de = 0; *(uint8_t*)0x100009df = 0; *(uint8_t*)0x100009e0 = 0; *(uint8_t*)0x100009e1 = 0; *(uint8_t*)0x100009e2 = 0; *(uint8_t*)0x100009e3 = 0; *(uint8_t*)0x100009e4 = 0; *(uint8_t*)0x100009e5 = 0; *(uint64_t*)0x100009e6 = htobe64(0); *(uint64_t*)0x100009ee = htobe64(1); memcpy((void*)0x100009f6, "\xf4\xb4\xcf\x43\xa7\xae\xf2\x0c\x31\xe1\x4b\xee\x92\x47\x10\x30\x31\xea\x18\x0f\xfe\x19\x99\xbf\xb0\x47\xb6\x66\x12\x2e\x7a\x31\xf3\xbb\xb7\x65\x98\x4d\xd6\x6d\x00\x48\xdd\x88\x4c\x50\x46\x76\x9f\xda\x23\xd1\x69\x8a\x23\x83\x9c\xf3\xaf\xbf\x15\x30\x58\x73\xbb\x53\x43\xf5\xd2\xc9\x52\x30\xa9\x97\x26\xaf\xd8\x7d\xcd\xcd\xa4\x0d\xe7\xad\xea\xc5\x95\x4e\xc9\x3c\x0c\x6c\x3d\x66\x91\x77\xe7\xf9\x32\xbd\x8d\x98\x33", 103); *(uint32_t*)0x10000a80 = 0; syscall(SYS_setsockopt, 0xffffff9c, 0x84, 0x10, 0x10000a80, 4); res = syscall(SYS_fcntl, 0xffffff9c, 0x11, 0xffffff9c); if (res != -1) r[0] = res; memcpy((void*)0x10000ac0, "\x50\xe1\x6a\x4f\x17\x11\xc6\x81\xab\x66\x0d\x59\xa3\xd9\x67\xa0\x97\xbb\x87\xf0\x63\xf4\xc4\x9b\xa1\xa4\x43\x37\x3d\x02\xde\xe5\x14\x48\xa7\x9f\x1a\xcb\x5a\x80\x6f\x25\x19\x7c\x29\xa6\xad\x5c\x10\xdb\x0a\x54\x6c\x3a\x50\x14\xab\x8c\x80\xb4\xf8\x59\x4c\x1b\x9d\x42\x46\x03", 68); syscall(SYS_ioctl, (intptr_t)r[0], 0xc4704434, 0x10000ac0); memcpy((void*)0x10000b40, "./file0\000", 8); syscall(SYS___realpathat, (intptr_t)r[0], 0x10000b40, 0x10000b80, 5, 0); *(uint32_t*)0x10000c00 = 0x1c; syscall(SYS_accept, (intptr_t)r[0], 0x10000bc0, 0x10000c00); *(uint32_t*)0x10000c40 = 5; *(uint32_t*)0x10000c44 = 2; syscall(SYS_ioctl, (intptr_t)r[0], 0xc0084427, 0x10000c40); memcpy((void*)0x10000c80, "./file0\000", 8); syscall(SYS_lchmod, 0x10000c80, 2); *(uint8_t*)0x10000000 = 0xaa; *(uint8_t*)0x10000001 = 0xaa; *(uint8_t*)0x10000002 = 0xaa; *(uint8_t*)0x10000003 = 0xaa; *(uint8_t*)0x10000004 = 0xaa; *(uint8_t*)0x10000005 = 0xaa; *(uint8_t*)0x10000006 = 0xaa; *(uint8_t*)0x10000007 = 0xaa; *(uint8_t*)0x10000008 = 0xaa; *(uint8_t*)0x10000009 = 0xaa; *(uint8_t*)0x1000000a = 0xaa; *(uint8_t*)0x1000000b = 0xaa; *(uint16_t*)0x1000000c = htobe16(0x88a8); STORE_BY_BITMASK(uint16_t, , 0x1000000e, 1, 0, 3); STORE_BY_BITMASK(uint16_t, , 0x1000000e, 0, 3, 1); STORE_BY_BITMASK(uint16_t, , 0x1000000e, 0, 4, 12); *(uint16_t*)0x10000010 = htobe16(0x8100); STORE_BY_BITMASK(uint16_t, , 0x10000012, 2, 0, 3); STORE_BY_BITMASK(uint16_t, , 0x10000012, 0, 3, 1); STORE_BY_BITMASK(uint16_t, , 0x10000012, 1, 4, 12); *(uint16_t*)0x10000014 = htobe16(0x800); STORE_BY_BITMASK(uint8_t, , 0x10000016, 0x11, 0, 4); STORE_BY_BITMASK(uint8_t, , 0x10000016, 4, 4, 4); STORE_BY_BITMASK(uint8_t, , 0x10000017, 2, 0, 2); STORE_BY_BITMASK(uint8_t, , 0x10000017, 3, 2, 6); *(uint16_t*)0x10000018 = htobe16(0xe7); *(uint16_t*)0x1000001a = htobe16(0x66); *(uint16_t*)0x1000001c = htobe16(-1); *(uint8_t*)0x1000001e = 0; *(uint8_t*)0x1000001f = 0x5d; *(uint16_t*)0x10000020 = htobe16(0); *(uint32_t*)0x10000022 = htobe32(-1); *(uint32_t*)0x10000026 = htobe32(0xe0000001); *(uint8_t*)0x1000002a = 0x44; *(uint8_t*)0x1000002b = 6; memcpy((void*)0x1000002c, "\x01\x83\xb4\xa4", 4); *(uint8_t*)0x10000030 = 1; *(uint8_t*)0x10000031 = 1; *(uint8_t*)0x10000032 = 0x11; memcpy((void*)0x10000033, "\xdb\x1f\x84\xf6\x85\xce\x60\xf9\x1e\x89\x36\x88\xe9\x64\xb3", 15); *(uint8_t*)0x10000042 = 0x94; *(uint8_t*)0x10000043 = 6; *(uint32_t*)0x10000044 = htobe32(0x552b3dec); *(uint8_t*)0x10000048 = 0; *(uint8_t*)0x10000049 = 0x86; *(uint8_t*)0x1000004a = 0xf; memcpy((void*)0x1000004b, "\xc4\x0a\x26\x2a\xb0\x8e\xcf\x14\x8a\x55\x2a\xaa\x89", 13); *(uint8_t*)0x1000005a = 8; *(uint8_t*)0x1000005b = 0; *(uint16_t*)0x1000005c = htobe16(0); *(uint16_t*)0x1000005e = htobe16(0x1f); *(uint16_t*)0x10000060 = htobe16(0xae36); memcpy((void*)0x10000062, "\x14\x63\xe3\x81\xbd\x0e\x99\xfd\x71\x4b\xe2\x89\x0e\x54\x54\x74\x95\xf8\x6c\xac\xd7\x30\x55\x37\x6f\x19\x20\x7b\xad\x31\xa1\x37\x34\xaa\xcb\xa2\x8e\x2e\xc2\x7c\x9e\x3e\x30\xca\xe3\x44\xd1\xd5\xdc\x20\x12\x1b\x30\x0a\x45\x03\xf9\xd4\xd6\xba\x08\x66\x1f\x05\x6e\xd2\x70\xce\xcb\x2b\xd7\x24\x49\x70\x0f\xb8\xcf\xb5\x44\xca\x92\xb4\xca\x73\xae\x6f\xb3\x5c\xbc\x90\xe4\x99\x37\x75\x7e\xa5\xa5\x4d\x78\xdb\xb0\xaa\xc5\xf9\x3a\x36\xc7\xb5\xad\xc9\x75\xcd\xb1\xeb\x94\x63\x06\x5c\xde\x07\x19\x23\xf7\xf8\x77\x17\x92\xe8\xb7\x54\x1e\x60\xf7\xa9\x39\x58\xbb\x12\x8b\x93\xce\x90\xd8\x87\xfc\xb0\x62\x23\x5b\xd3\x8a\xb0\xc6\x29\x9b", 155); struct csum_inet csum_1; csum_inet_init(&csum_1); csum_inet_update(&csum_1, (const uint8_t*)0x1000005a, 163); *(uint16_t*)0x1000005c = csum_inet_digest(&csum_1); struct csum_inet csum_2; csum_inet_init(&csum_2); csum_inet_update(&csum_2, (const uint8_t*)0x10000016, 68); *(uint16_t*)0x10000020 = csum_inet_digest(&csum_2); memcpy((void*)0x10000100, "\xc4\xe1\x8d\x71\xf2\x8b\x66\x0f\x38\x0b\x95\xf2\x00\x00\x00\x2e\x0f\x6b\x88\x00\x00\x00\x00\x66\x0f\x71\xf3\x06\x3e\x7a\x0d\xc4\xe2\x21\x46\xae\x00\x00\x00\x00\x0f\x01\xde\xc4\xe2\xa1\x93\x64\x8e\x00\xf2\xa7\x68\xa7\x5c\x70\xc8", 57); syz_execute_func(0x10000100); } int main(void) { syscall(SYS_mmap, 0x10000000, 0x1000000, 7, 0x1012, -1, 0); use_temporary_dir(); do_sandbox_none(); return 0; } :265:10: error: use of undeclared identifier 'SYS___realpathat' syscall(SYS___realpathat, (intptr_t)r[0], 0x10000b40, 0x10000b80, 5, 0); ^ 1 error generated. compiler invocation: clang [-o /tmp/syz-executor075328983 -DGOOS_freebsd=1 -DGOARCH_386=1 -DHOSTGOOS_freebsd=1 -x c - -m32 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -static -lc++ -Wno-overflow] --- FAIL: TestGenerate/freebsd/386/14 (1.81s) csource_test.go:123: opts: {Threaded:true Collide:true Repeat:true RepeatTimes:0 Procs:2 Sandbox:none Fault:false FaultCall:0 FaultNth:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false USB:false VhciInjection:false Wifi:false UseTmpDir:true HandleSegv:false Repro:true Trace:false} program: ioctl$DIOCRTSTADDRS(0xffffffffffffffff, 0xc4504449, &(0x7f0000000080)={{"c33ae1d7ace1241b1c03eaefebf74db163915a0bf1b388f6c36d59c77891254f65b0c984fc2be1b080c3b8c3d5d42292e58ea3e02d3b74272f3656e00e4d131b3b07713fd9cb86b40808514f58bbf7d626ad55439d194e4acade743a7354457424539c29442e24022a9f68154fa633c3e609a5e371789177d16a8405b3a4703f49372a512ba8ee4a3851f79b01ab4a3f3cf65f410399a271347b2c68cd28c5f5904ef5d4612399dc9e8a0829ae73c99c50f0f576bf16d38efcbf66476b785431a5e93171168e0fbcdbd6d3cf1ba657ecf14ba60f6e8f18e0da4d7a13db337b7508b7b7de2ff1de6a7bb94e8b8143d4ad6188501d04302cde08629001bfca810e5533adeb14a0ee4c8d244694e091a5d177608a3850188eb6f839a7c626d3dc390bc9a0e9faa35c7d10229d14382e2031e8aa3f7cd066bb6bc0e8f6259d365502a85d13d71bd1ab5ef28a701925e23beb531ca1a93101a0db35a6e8d797d46f053d4562b0c3896cfb91669869f82259c073c4eb7b65afa62b0a37ff5ead5be57187a37ce3c5af9b37d50a89c28f8fed5953173f8df188ba31f5dfd3973e12edf11ae5917eb0657b3796f76784c03c1aa13a7b1a15ddf54ed277387f7ea4057b81b1126391d5d37ac2c878f68444613d8c942510e03ffe6b6813268f4b067c8793642023b5ca52a7fcbb7f96f675f87b82ddec5507168d1fd3b4c166cd5cd12d68a266f1b2eaee4159b990b9d62e88844752ee03ff4adc97a993618c0c856c0c2bfe4760389cef292861251120a1c36147f33f5a217ed56da6858721fc11aacc711cfa74e7d60cb1e27263995fc9c49dd3a37b34872acd3b31ef031cd39ea4e0ff2635f44e8b561cbcdf2095d3cee586d296985153644b802f69ea2e11fa1e71be713c49e8a7475f26eec3fad432cfeecaff2a84a91e3ad7cb6e2cea970fa3aa2861c5571958783dc339462f2b5235e8139e6f292f98ffaf46150b32dbd906b13ff5d6a45f4401f77971df4ecf24d7c9618b57f5d40a674b4b2d4c7da929b5a187c3bf773c882d48a3b90ac191f651bcc38ac462264e6dc4db77e8e8631e3aed0bd0d2c0b62baf69bd5ebdea1440256d7d5998dcb0c9bd7c3d191fd8254e82b92a3183601a8d5a98737f6631a7b3dd58fe77a557cfc7b5d00376db39ec531d396affab1d89135c3fe860d313a240e6582ef96d18781702eaba44036558294bd3f20650674928191ac8553697fd654475575fb16d4466190c14f686e6bca7ab1e919c37814bf6c1c9905106ff673f1a4f5969b0b8194f62b21f0fe4e8980b87d1962813029f7bc998c955de450f7a4b8efe45036e881bf9547269211ec700c23b26590120ecb904fa41acae742afe32c72404e1520a0eea2d02b0703efb2b0a495005083abb84a59f2055b70e0c39160ef59e034c68c4435f3e838ca2ffa3e343d6", "138ccaa45ad3df6da8a039dc2887ebe89dab7a81e1f6de3b8e1abca71f8fbc2a", 0x8, 0x40}, &(0x7f0000000000)="504164a018f8c2ab990fb138243a70bd1f9a5a21226eb18c830cd2aee4cfa0165754b334163230f4aac7a16f736d4efa94ea1f0266595ca44bfed993e0ae9226e10a4fb125bfc2ae29e2431c6972", 0x9, 0x2, 0x2, 0x6, 0x80000000, 0x81, 0x40, 0x5}) ioctl$DIOCRCLRTSTATS(0xffffffffffffffff, 0xc4504441, &(0x7f0000000540)={{"5a74125d9b2c6db6fa88cd72b2e4b45a4bb5343951f9de38b63392fff5edac8795d2beab5485383a33632bdbbf6f496ff138614dc9f9516e111cc5aa4570ca19d4497b89b258f65b710d4d3f4e1dafe43f70baf51da5e101069884b3b8f5358cf7e246d24cdc123b10ba6605ba46ae5178d1fe2c4b2c9fa3f3f3c145ae6066e31d33768591341acf8fad9033b9ced22813d20dc77eedce619c7bb65ba0a889e0fefb8281c0a88ee64a29746b6ff0e9d2db70e8180bdee380f08fb194dce295e1eaa893709be9bfe39775c4232328159ad9c3aa4224dd0cbe3341145b89f6f9c170e619f590b0bf0493b74973f4fba6b974f2bdee806b5c604cc8222b1543f6693a85d96b56b09110bb8928e8016dfd309b61c579a6c345887f50be646f182829b1ab66a27db812eb4cacba79bc9d98cb18310940f74a4602cb85692b42fe8a99c95ae91a67195c048d2000ae4350f89baffd5c7d292e228f25c7eb924fc8693ee38573287e389e35746fbaa37ab9b770b351e367bf05e00d7dbd68db30b87975757cb251365916cda5a363ff40d96aaf33233bb14115dab9efe4649e40f2e5e01db2d65a3043302d9f1f08595a448cccb7a717c6954c7233411d08e1140f2ac5fb625cd1b6b6586561e66ded23f69e3d017a64bd221f2d3f274d846940aab424e829050ee33dd6ce69cc50c693ad316a7f90817317b21f719016c31c22d9ca46cfcb467122979e8c55f690c49b89b04564ce70f96ebd09edb40687017be21c8f567d6b152bcc830736a9320181d88a979e506b50acb148545987b361023ca78bdde928624018aeae51e3f86c3b540b16051d3881a98d1aa02910c94460a0f95310c25bf7a996e41c17f2399e760323b4f417bfc5225d705468066faf9027404c4271fc37ecf73f1470a998274a79286baed6ca7c4a88c827e96b4ea96f0bf23ff9afaded0937704cc63d24b3bcf0d62551d7a8f300114437c624d2c14e90d084aefe7963a2a88882eda723c328c360a296f98ea7fd565a4b58222c1b4e89dabc7078fff6f23ceebcedb8813d3712d3c7f7f6f083fbb19e724a2027f16f1c8e2f660112421ba698699a0481330c0baca6b7b8e4515006178e1b078b6ca6306b9aedf73f0ce22da0a0637929ab2a917cf65300bf90f2378ab6494a04bcf87b9afb7eb746fb016cb6db0ba3faa85ca8f51b7e9bd8a9cd9c79fb77730f0eaf32be459cde898e323a9ed52951f8cbb25ed095b4d53c02bbef1e646dd556a9b69e2dd55f5bba3c7e3548bd01227f2b4d28f2597e4cb2f48232fa0a9adad4db26d412f2c698f03195a68d5548ea1991fa68a7a23d552cd61b2bc69513b1cf737c252fb9aac500262c9e47b9a680c74c7a060083d59165386982b5053f5683537ba139d61f494ac501142300efbc216cf4b9390de0ab29400bcdf5dea05156c1301df3f0", "21c62cdf3e9152798235fbe946d77dc7a78f8ed9d987a3e5964236d1a7081389", 0x7, 0x85}, &(0x7f0000000500)="52b4622b0f6dc8eee7e26956deb6651f580fa2cd", 0x9, 0x3f, 0x401, 0x7fffffff, 0x10000000000, 0xfff, 0x100000000000000, 0x1}) syz_emit_ethernet(0x9d, &(0x7f00000009c0)={@random="5374adcfed27", @empty, [], {@ipv6={0x86dd, {0x9, 0x6, "d88240", 0x67, 0x8b, 0x0, @empty, @loopback, {[], @generic="f4b4cf43a7aef20c31e14bee9247103031ea180ffe1999bfb047b666122e7a31f3bbb765984dd66d0048dd884c5046769fda23d1698a23839cf3afbf15305873bb5343f5d2c95230a99726afd87dcdcda40de7adeac5954ec93c0c6c3d669177e7f932bd8d9833"}}}}}) setsockopt$inet_sctp_SCTP_FRAGMENT_INTERLEAVE(0xffffffffffffff9c, 0x84, 0x10, &(0x7f0000000a80), 0x4) r0 = fcntl$dupfd(0xffffffffffffff9c, 0x11, 0xffffffffffffff9c) ioctl$DIOCADDADDR(r0, 0xc4704434, &(0x7f0000000ac0)="50e16a4f1711c681ab660d59a3d967a097bb87f063f4c49ba1a443373d02dee51448a79f1acb5a806f25197c29a6ad5c10db0a546c3a5014ab8c80b4f8594c1b9d424603") __realpathat(r0, &(0x7f0000000b40)='./file0\x00', &(0x7f0000000b80)=""/5, 0x5, 0x0) accept(r0, &(0x7f0000000bc0)=@in6={0x1c, 0x1c, 0xffffffffffffffff, 0x0, @loopback}, &(0x7f0000000c00)=0x1c) ioctl$DIOCGETLIMIT(r0, 0xc0084427, &(0x7f0000000c40)={0x5, 0x2}) lchmod(&(0x7f0000000c80)='./file0\x00', 0x2) syz_emit_ethernet(0xfd, &(0x7f0000000000)={@local, @local, [{[{0x88a8, 0x1}], {0x8100, 0x2, 0x0, 0x1}}], {@ipv4={0x800, {{0x11, 0x4, 0x2, 0x3, 0xe7, 0x66, 0xffff, 0x0, 0x5d, 0x0, @broadcast, @multicast1, {[@generic={0x44, 0x6, "0183b4a4"}, @noop, @generic={0x1, 0x11, "db1f84f685ce60f91e893688e964b3"}, @ra={0x94, 0x6, 0x552b3dec}, @end, @generic={0x86, 0xf, "c40a262ab08ecf148a552aaa89"}]}}, @icmp=@echo={0x8, 0x0, 0x0, 0x1f, 0xae36, "1463e381bd0e99fd714be2890e54547495f86cacd73055376f19207bad31a13734aacba28e2ec27c9e3e30cae344d1d5dc20121b300a4503f9d4d6ba08661f056ed270cecb2bd72449700fb8cfb544ca92b4ca73ae6fb35cbc90e49937757ea5a54d78dbb0aac5f93a36c7b5adc975cdb1eb9463065cde071923f7f8771792e8b7541e60f7a93958bb128b93ce90d887fcb062235bd38ab0c6299b"}}}}}) syz_execute_func(&(0x7f0000000100)="c4e18d71f28b660f380b95f20000002e0f6b8800000000660f71f3063e7a0dc4e22146ae000000000f01dec4e2a193648e00f2a768a75c70c8") syz_extract_tcp_res(&(0x7f0000000140), 0x62, 0x8001) csource_test.go:124: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include static unsigned long long procid; static void kill_and_wait(int pid, int* status) { kill(pid, SIGKILL); while (waitpid(-1, status, 0) != pid) { } } static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void use_temporary_dir(void) { char tmpdir_template[] = "./syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) exit(1); if (chmod(tmpdir, 0777)) exit(1); if (chdir(tmpdir)) exit(1); } static void __attribute__((noinline)) remove_dir(const char* dir) { DIR* dp = opendir(dir); if (dp == NULL) { if (errno == EACCES) { if (rmdir(dir)) exit(1); return; } exit(1); } struct dirent* ep = 0; while ((ep = readdir(dp))) { if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0) continue; char filename[FILENAME_MAX]; snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name); struct stat st; if (lstat(filename, &st)) exit(1); if (S_ISDIR(st.st_mode)) { remove_dir(filename); continue; } if (unlink(filename)) exit(1); } closedir(dp); if (rmdir(dir)) exit(1); } static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); pthread_attr_setstacksize(&attr, 128 << 10); int i = 0; for (; i < 100; i++) { if (pthread_create(&th, &attr, fn, arg) == 0) { pthread_attr_destroy(&attr); return; } if (errno == EAGAIN) { usleep(50); continue; } break; } exit(1); } typedef struct { pthread_mutex_t mu; pthread_cond_t cv; int state; } event_t; static void event_init(event_t* ev) { if (pthread_mutex_init(&ev->mu, 0)) exit(1); if (pthread_cond_init(&ev->cv, 0)) exit(1); ev->state = 0; } static void event_reset(event_t* ev) { ev->state = 0; } static void event_set(event_t* ev) { pthread_mutex_lock(&ev->mu); if (ev->state) exit(1); ev->state = 1; pthread_mutex_unlock(&ev->mu); pthread_cond_broadcast(&ev->cv); } static void event_wait(event_t* ev) { pthread_mutex_lock(&ev->mu); while (!ev->state) pthread_cond_wait(&ev->cv, &ev->mu); pthread_mutex_unlock(&ev->mu); } static int event_isset(event_t* ev) { pthread_mutex_lock(&ev->mu); int res = ev->state; pthread_mutex_unlock(&ev->mu); return res; } static int event_timedwait(event_t* ev, uint64_t timeout) { uint64_t start = current_time_ms(); uint64_t now = start; pthread_mutex_lock(&ev->mu); for (;;) { if (ev->state) break; uint64_t remain = timeout - (now - start); struct timespec ts; ts.tv_sec = remain / 1000; ts.tv_nsec = (remain % 1000) * 1000 * 1000; pthread_cond_timedwait(&ev->cv, &ev->mu, &ts); now = current_time_ms(); if (now - start > timeout) break; } int res = ev->state; pthread_mutex_unlock(&ev->mu); return res; } #define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off)) #define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len)))) struct csum_inet { uint32_t acc; }; static void csum_inet_init(struct csum_inet* csum) { csum->acc = 0; } static void csum_inet_update(struct csum_inet* csum, const uint8_t* data, size_t length) { if (length == 0) return; size_t i = 0; for (; i < length - 1; i += 2) csum->acc += *(uint16_t*)&data[i]; if (length & 1) csum->acc += le16toh((uint16_t)data[length - 1]); while (csum->acc > 0xffff) csum->acc = (csum->acc & 0xffff) + (csum->acc >> 16); } static uint16_t csum_inet_digest(struct csum_inet* csum) { return ~csum->acc; } static void sandbox_common() { if (setsid() == -1) exit(1); struct rlimit rlim; rlim.rlim_cur = rlim.rlim_max = 128 << 20; setrlimit(RLIMIT_AS, &rlim); rlim.rlim_cur = rlim.rlim_max = 8 << 20; setrlimit(RLIMIT_MEMLOCK, &rlim); rlim.rlim_cur = rlim.rlim_max = 1 << 20; setrlimit(RLIMIT_FSIZE, &rlim); rlim.rlim_cur = rlim.rlim_max = 1 << 20; setrlimit(RLIMIT_STACK, &rlim); rlim.rlim_cur = rlim.rlim_max = 0; setrlimit(RLIMIT_CORE, &rlim); rlim.rlim_cur = rlim.rlim_max = 256; setrlimit(RLIMIT_NOFILE, &rlim); } static void loop(); static int do_sandbox_none(void) { sandbox_common(); loop(); return 0; } static long syz_execute_func(volatile long text) { ((void (*)(void))(text))(); return 0; } struct thread_t { int created, call; event_t ready, done; }; static struct thread_t threads[16]; static void execute_call(int call); static int running; static void* thr(void* arg) { struct thread_t* th = (struct thread_t*)arg; for (;;) { event_wait(&th->ready); event_reset(&th->ready); execute_call(th->call); __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED); event_set(&th->done); } return 0; } static void execute_one(void) { if (write(1, "executing program\n", sizeof("executing program\n") - 1)) { } int i, call, thread; int collide = 0; again: for (call = 0; call < 13; call++) { for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) { struct thread_t* th = &threads[thread]; if (!th->created) { th->created = 1; event_init(&th->ready); event_init(&th->done); event_set(&th->done); thread_start(thr, th); } if (!event_isset(&th->done)) continue; event_reset(&th->done); th->call = call; __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED); event_set(&th->ready); if (collide && (call % 2) == 0) break; event_timedwait(&th->done, 45); break; } } for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++) sleep_ms(1); if (!collide) { collide = 1; goto again; } } static void execute_one(void); #define WAIT_FLAGS 0 static void loop(void) { int iter = 0; for (;; iter++) { char cwdbuf[32]; sprintf(cwdbuf, "./%d", iter); if (mkdir(cwdbuf, 0777)) exit(1); int pid = fork(); if (pid < 0) exit(1); if (pid == 0) { if (chdir(cwdbuf)) exit(1); execute_one(); exit(0); } int status = 0; uint64_t start = current_time_ms(); for (;;) { if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) break; sleep_ms(1); if (current_time_ms() - start < 5 * 1000) continue; kill_and_wait(pid, &status); break; } remove_dir(cwdbuf); } } uint64_t r[1] = {0xffffffffffffffff}; void execute_call(int call) { intptr_t res = 0; switch (call) { case 0: memcpy((void*)0x10000080, "\xc3\x3a\xe1\xd7\xac\xe1\x24\x1b\x1c\x03\xea\xef\xeb\xf7\x4d\xb1\x63\x91\x5a\x0b\xf1\xb3\x88\xf6\xc3\x6d\x59\xc7\x78\x91\x25\x4f\x65\xb0\xc9\x84\xfc\x2b\xe1\xb0\x80\xc3\xb8\xc3\xd5\xd4\x22\x92\xe5\x8e\xa3\xe0\x2d\x3b\x74\x27\x2f\x36\x56\xe0\x0e\x4d\x13\x1b\x3b\x07\x71\x3f\xd9\xcb\x86\xb4\x08\x08\x51\x4f\x58\xbb\xf7\xd6\x26\xad\x55\x43\x9d\x19\x4e\x4a\xca\xde\x74\x3a\x73\x54\x45\x74\x24\x53\x9c\x29\x44\x2e\x24\x02\x2a\x9f\x68\x15\x4f\xa6\x33\xc3\xe6\x09\xa5\xe3\x71\x78\x91\x77\xd1\x6a\x84\x05\xb3\xa4\x70\x3f\x49\x37\x2a\x51\x2b\xa8\xee\x4a\x38\x51\xf7\x9b\x01\xab\x4a\x3f\x3c\xf6\x5f\x41\x03\x99\xa2\x71\x34\x7b\x2c\x68\xcd\x28\xc5\xf5\x90\x4e\xf5\xd4\x61\x23\x99\xdc\x9e\x8a\x08\x29\xae\x73\xc9\x9c\x50\xf0\xf5\x76\xbf\x16\xd3\x8e\xfc\xbf\x66\x47\x6b\x78\x54\x31\xa5\xe9\x31\x71\x16\x8e\x0f\xbc\xdb\xd6\xd3\xcf\x1b\xa6\x57\xec\xf1\x4b\xa6\x0f\x6e\x8f\x18\xe0\xda\x4d\x7a\x13\xdb\x33\x7b\x75\x08\xb7\xb7\xde\x2f\xf1\xde\x6a\x7b\xb9\x4e\x8b\x81\x43\xd4\xad\x61\x88\x50\x1d\x04\x30\x2c\xde\x08\x62\x90\x01\xbf\xca\x81\x0e\x55\x33\xad\xeb\x14\xa0\xee\x4c\x8d\x24\x46\x94\xe0\x91\xa5\xd1\x77\x60\x8a\x38\x50\x18\x8e\xb6\xf8\x39\xa7\xc6\x26\xd3\xdc\x39\x0b\xc9\xa0\xe9\xfa\xa3\x5c\x7d\x10\x22\x9d\x14\x38\x2e\x20\x31\xe8\xaa\x3f\x7c\xd0\x66\xbb\x6b\xc0\xe8\xf6\x25\x9d\x36\x55\x02\xa8\x5d\x13\xd7\x1b\xd1\xab\x5e\xf2\x8a\x70\x19\x25\xe2\x3b\xeb\x53\x1c\xa1\xa9\x31\x01\xa0\xdb\x35\xa6\xe8\xd7\x97\xd4\x6f\x05\x3d\x45\x62\xb0\xc3\x89\x6c\xfb\x91\x66\x98\x69\xf8\x22\x59\xc0\x73\xc4\xeb\x7b\x65\xaf\xa6\x2b\x0a\x37\xff\x5e\xad\x5b\xe5\x71\x87\xa3\x7c\xe3\xc5\xaf\x9b\x37\xd5\x0a\x89\xc2\x8f\x8f\xed\x59\x53\x17\x3f\x8d\xf1\x88\xba\x31\xf5\xdf\xd3\x97\x3e\x12\xed\xf1\x1a\xe5\x91\x7e\xb0\x65\x7b\x37\x96\xf7\x67\x84\xc0\x3c\x1a\xa1\x3a\x7b\x1a\x15\xdd\xf5\x4e\xd2\x77\x38\x7f\x7e\xa4\x05\x7b\x81\xb1\x12\x63\x91\xd5\xd3\x7a\xc2\xc8\x78\xf6\x84\x44\x61\x3d\x8c\x94\x25\x10\xe0\x3f\xfe\x6b\x68\x13\x26\x8f\x4b\x06\x7c\x87\x93\x64\x20\x23\xb5\xca\x52\xa7\xfc\xbb\x7f\x96\xf6\x75\xf8\x7b\x82\xdd\xec\x55\x07\x16\x8d\x1f\xd3\xb4\xc1\x66\xcd\x5c\xd1\x2d\x68\xa2\x66\xf1\xb2\xea\xee\x41\x59\xb9\x90\xb9\xd6\x2e\x88\x84\x47\x52\xee\x03\xff\x4a\xdc\x97\xa9\x93\x61\x8c\x0c\x85\x6c\x0c\x2b\xfe\x47\x60\x38\x9c\xef\x29\x28\x61\x25\x11\x20\xa1\xc3\x61\x47\xf3\x3f\x5a\x21\x7e\xd5\x6d\xa6\x85\x87\x21\xfc\x11\xaa\xcc\x71\x1c\xfa\x74\xe7\xd6\x0c\xb1\xe2\x72\x63\x99\x5f\xc9\xc4\x9d\xd3\xa3\x7b\x34\x87\x2a\xcd\x3b\x31\xef\x03\x1c\xd3\x9e\xa4\xe0\xff\x26\x35\xf4\x4e\x8b\x56\x1c\xbc\xdf\x20\x95\xd3\xce\xe5\x86\xd2\x96\x98\x51\x53\x64\x4b\x80\x2f\x69\xea\x2e\x11\xfa\x1e\x71\xbe\x71\x3c\x49\xe8\xa7\x47\x5f\x26\xee\xc3\xfa\xd4\x32\xcf\xee\xca\xff\x2a\x84\xa9\x1e\x3a\xd7\xcb\x6e\x2c\xea\x97\x0f\xa3\xaa\x28\x61\xc5\x57\x19\x58\x78\x3d\xc3\x39\x46\x2f\x2b\x52\x35\xe8\x13\x9e\x6f\x29\x2f\x98\xff\xaf\x46\x15\x0b\x32\xdb\xd9\x06\xb1\x3f\xf5\xd6\xa4\x5f\x44\x01\xf7\x79\x71\xdf\x4e\xcf\x24\xd7\xc9\x61\x8b\x57\xf5\xd4\x0a\x67\x4b\x4b\x2d\x4c\x7d\xa9\x29\xb5\xa1\x87\xc3\xbf\x77\x3c\x88\x2d\x48\xa3\xb9\x0a\xc1\x91\xf6\x51\xbc\xc3\x8a\xc4\x62\x26\x4e\x6d\xc4\xdb\x77\xe8\xe8\x63\x1e\x3a\xed\x0b\xd0\xd2\xc0\xb6\x2b\xaf\x69\xbd\x5e\xbd\xea\x14\x40\x25\x6d\x7d\x59\x98\xdc\xb0\xc9\xbd\x7c\x3d\x19\x1f\xd8\x25\x4e\x82\xb9\x2a\x31\x83\x60\x1a\x8d\x5a\x98\x73\x7f\x66\x31\xa7\xb3\xdd\x58\xfe\x77\xa5\x57\xcf\xc7\xb5\xd0\x03\x76\xdb\x39\xec\x53\x1d\x39\x6a\xff\xab\x1d\x89\x13\x5c\x3f\xe8\x60\xd3\x13\xa2\x40\xe6\x58\x2e\xf9\x6d\x18\x78\x17\x02\xea\xba\x44\x03\x65\x58\x29\x4b\xd3\xf2\x06\x50\x67\x49\x28\x19\x1a\xc8\x55\x36\x97\xfd\x65\x44\x75\x57\x5f\xb1\x6d\x44\x66\x19\x0c\x14\xf6\x86\xe6\xbc\xa7\xab\x1e\x91\x9c\x37\x81\x4b\xf6\xc1\xc9\x90\x51\x06\xff\x67\x3f\x1a\x4f\x59\x69\xb0\xb8\x19\x4f\x62\xb2\x1f\x0f\xe4\xe8\x98\x0b\x87\xd1\x96\x28\x13\x02\x9f\x7b\xc9\x98\xc9\x55\xde\x45\x0f\x7a\x4b\x8e\xfe\x45\x03\x6e\x88\x1b\xf9\x54\x72\x69\x21\x1e\xc7\x00\xc2\x3b\x26\x59\x01\x20\xec\xb9\x04\xfa\x41\xac\xae\x74\x2a\xfe\x32\xc7\x24\x04\xe1\x52\x0a\x0e\xea\x2d\x02\xb0\x70\x3e\xfb\x2b\x0a\x49\x50\x05\x08\x3a\xbb\x84\xa5\x9f\x20\x55\xb7\x0e\x0c\x39\x16\x0e\xf5\x9e\x03\x4c\x68\xc4\x43\x5f\x3e\x83\x8c\xa2\xff\xa3\xe3\x43\xd6", 1024); memcpy((void*)0x10000480, "\x13\x8c\xca\xa4\x5a\xd3\xdf\x6d\xa8\xa0\x39\xdc\x28\x87\xeb\xe8\x9d\xab\x7a\x81\xe1\xf6\xde\x3b\x8e\x1a\xbc\xa7\x1f\x8f\xbc\x2a", 32); *(uint32_t*)0x100004a0 = 8; *(uint8_t*)0x100004a4 = 0x40; *(uint32_t*)0x100004a8 = 0x10000000; memcpy((void*)0x10000000, "\x50\x41\x64\xa0\x18\xf8\xc2\xab\x99\x0f\xb1\x38\x24\x3a\x70\xbd\x1f\x9a\x5a\x21\x22\x6e\xb1\x8c\x83\x0c\xd2\xae\xe4\xcf\xa0\x16\x57\x54\xb3\x34\x16\x32\x30\xf4\xaa\xc7\xa1\x6f\x73\x6d\x4e\xfa\x94\xea\x1f\x02\x66\x59\x5c\xa4\x4b\xfe\xd9\x93\xe0\xae\x92\x26\xe1\x0a\x4f\xb1\x25\xbf\xc2\xae\x29\xe2\x43\x1c\x69\x72", 78); *(uint64_t*)0x100004ac = 9; *(uint64_t*)0x100004b4 = 2; *(uint64_t*)0x100004bc = 2; *(uint64_t*)0x100004c4 = 6; *(uint64_t*)0x100004cc = 0x80000000; *(uint64_t*)0x100004d4 = 0x81; *(uint64_t*)0x100004dc = 0x40; *(uint32_t*)0x100004e4 = 5; syscall(SYS_ioctl, -1, 0xc4504449, 0x10000080); break; case 1: memcpy((void*)0x10000540, "\x5a\x74\x12\x5d\x9b\x2c\x6d\xb6\xfa\x88\xcd\x72\xb2\xe4\xb4\x5a\x4b\xb5\x34\x39\x51\xf9\xde\x38\xb6\x33\x92\xff\xf5\xed\xac\x87\x95\xd2\xbe\xab\x54\x85\x38\x3a\x33\x63\x2b\xdb\xbf\x6f\x49\x6f\xf1\x38\x61\x4d\xc9\xf9\x51\x6e\x11\x1c\xc5\xaa\x45\x70\xca\x19\xd4\x49\x7b\x89\xb2\x58\xf6\x5b\x71\x0d\x4d\x3f\x4e\x1d\xaf\xe4\x3f\x70\xba\xf5\x1d\xa5\xe1\x01\x06\x98\x84\xb3\xb8\xf5\x35\x8c\xf7\xe2\x46\xd2\x4c\xdc\x12\x3b\x10\xba\x66\x05\xba\x46\xae\x51\x78\xd1\xfe\x2c\x4b\x2c\x9f\xa3\xf3\xf3\xc1\x45\xae\x60\x66\xe3\x1d\x33\x76\x85\x91\x34\x1a\xcf\x8f\xad\x90\x33\xb9\xce\xd2\x28\x13\xd2\x0d\xc7\x7e\xed\xce\x61\x9c\x7b\xb6\x5b\xa0\xa8\x89\xe0\xfe\xfb\x82\x81\xc0\xa8\x8e\xe6\x4a\x29\x74\x6b\x6f\xf0\xe9\xd2\xdb\x70\xe8\x18\x0b\xde\xe3\x80\xf0\x8f\xb1\x94\xdc\xe2\x95\xe1\xea\xa8\x93\x70\x9b\xe9\xbf\xe3\x97\x75\xc4\x23\x23\x28\x15\x9a\xd9\xc3\xaa\x42\x24\xdd\x0c\xbe\x33\x41\x14\x5b\x89\xf6\xf9\xc1\x70\xe6\x19\xf5\x90\xb0\xbf\x04\x93\xb7\x49\x73\xf4\xfb\xa6\xb9\x74\xf2\xbd\xee\x80\x6b\x5c\x60\x4c\xc8\x22\x2b\x15\x43\xf6\x69\x3a\x85\xd9\x6b\x56\xb0\x91\x10\xbb\x89\x28\xe8\x01\x6d\xfd\x30\x9b\x61\xc5\x79\xa6\xc3\x45\x88\x7f\x50\xbe\x64\x6f\x18\x28\x29\xb1\xab\x66\xa2\x7d\xb8\x12\xeb\x4c\xac\xba\x79\xbc\x9d\x98\xcb\x18\x31\x09\x40\xf7\x4a\x46\x02\xcb\x85\x69\x2b\x42\xfe\x8a\x99\xc9\x5a\xe9\x1a\x67\x19\x5c\x04\x8d\x20\x00\xae\x43\x50\xf8\x9b\xaf\xfd\x5c\x7d\x29\x2e\x22\x8f\x25\xc7\xeb\x92\x4f\xc8\x69\x3e\xe3\x85\x73\x28\x7e\x38\x9e\x35\x74\x6f\xba\xa3\x7a\xb9\xb7\x70\xb3\x51\xe3\x67\xbf\x05\xe0\x0d\x7d\xbd\x68\xdb\x30\xb8\x79\x75\x75\x7c\xb2\x51\x36\x59\x16\xcd\xa5\xa3\x63\xff\x40\xd9\x6a\xaf\x33\x23\x3b\xb1\x41\x15\xda\xb9\xef\xe4\x64\x9e\x40\xf2\xe5\xe0\x1d\xb2\xd6\x5a\x30\x43\x30\x2d\x9f\x1f\x08\x59\x5a\x44\x8c\xcc\xb7\xa7\x17\xc6\x95\x4c\x72\x33\x41\x1d\x08\xe1\x14\x0f\x2a\xc5\xfb\x62\x5c\xd1\xb6\xb6\x58\x65\x61\xe6\x6d\xed\x23\xf6\x9e\x3d\x01\x7a\x64\xbd\x22\x1f\x2d\x3f\x27\x4d\x84\x69\x40\xaa\xb4\x24\xe8\x29\x05\x0e\xe3\x3d\xd6\xce\x69\xcc\x50\xc6\x93\xad\x31\x6a\x7f\x90\x81\x73\x17\xb2\x1f\x71\x90\x16\xc3\x1c\x22\xd9\xca\x46\xcf\xcb\x46\x71\x22\x97\x9e\x8c\x55\xf6\x90\xc4\x9b\x89\xb0\x45\x64\xce\x70\xf9\x6e\xbd\x09\xed\xb4\x06\x87\x01\x7b\xe2\x1c\x8f\x56\x7d\x6b\x15\x2b\xcc\x83\x07\x36\xa9\x32\x01\x81\xd8\x8a\x97\x9e\x50\x6b\x50\xac\xb1\x48\x54\x59\x87\xb3\x61\x02\x3c\xa7\x8b\xdd\xe9\x28\x62\x40\x18\xae\xae\x51\xe3\xf8\x6c\x3b\x54\x0b\x16\x05\x1d\x38\x81\xa9\x8d\x1a\xa0\x29\x10\xc9\x44\x60\xa0\xf9\x53\x10\xc2\x5b\xf7\xa9\x96\xe4\x1c\x17\xf2\x39\x9e\x76\x03\x23\xb4\xf4\x17\xbf\xc5\x22\x5d\x70\x54\x68\x06\x6f\xaf\x90\x27\x40\x4c\x42\x71\xfc\x37\xec\xf7\x3f\x14\x70\xa9\x98\x27\x4a\x79\x28\x6b\xae\xd6\xca\x7c\x4a\x88\xc8\x27\xe9\x6b\x4e\xa9\x6f\x0b\xf2\x3f\xf9\xaf\xad\xed\x09\x37\x70\x4c\xc6\x3d\x24\xb3\xbc\xf0\xd6\x25\x51\xd7\xa8\xf3\x00\x11\x44\x37\xc6\x24\xd2\xc1\x4e\x90\xd0\x84\xae\xfe\x79\x63\xa2\xa8\x88\x82\xed\xa7\x23\xc3\x28\xc3\x60\xa2\x96\xf9\x8e\xa7\xfd\x56\x5a\x4b\x58\x22\x2c\x1b\x4e\x89\xda\xbc\x70\x78\xff\xf6\xf2\x3c\xee\xbc\xed\xb8\x81\x3d\x37\x12\xd3\xc7\xf7\xf6\xf0\x83\xfb\xb1\x9e\x72\x4a\x20\x27\xf1\x6f\x1c\x8e\x2f\x66\x01\x12\x42\x1b\xa6\x98\x69\x9a\x04\x81\x33\x0c\x0b\xac\xa6\xb7\xb8\xe4\x51\x50\x06\x17\x8e\x1b\x07\x8b\x6c\xa6\x30\x6b\x9a\xed\xf7\x3f\x0c\xe2\x2d\xa0\xa0\x63\x79\x29\xab\x2a\x91\x7c\xf6\x53\x00\xbf\x90\xf2\x37\x8a\xb6\x49\x4a\x04\xbc\xf8\x7b\x9a\xfb\x7e\xb7\x46\xfb\x01\x6c\xb6\xdb\x0b\xa3\xfa\xa8\x5c\xa8\xf5\x1b\x7e\x9b\xd8\xa9\xcd\x9c\x79\xfb\x77\x73\x0f\x0e\xaf\x32\xbe\x45\x9c\xde\x89\x8e\x32\x3a\x9e\xd5\x29\x51\xf8\xcb\xb2\x5e\xd0\x95\xb4\xd5\x3c\x02\xbb\xef\x1e\x64\x6d\xd5\x56\xa9\xb6\x9e\x2d\xd5\x5f\x5b\xba\x3c\x7e\x35\x48\xbd\x01\x22\x7f\x2b\x4d\x28\xf2\x59\x7e\x4c\xb2\xf4\x82\x32\xfa\x0a\x9a\xda\xd4\xdb\x26\xd4\x12\xf2\xc6\x98\xf0\x31\x95\xa6\x8d\x55\x48\xea\x19\x91\xfa\x68\xa7\xa2\x3d\x55\x2c\xd6\x1b\x2b\xc6\x95\x13\xb1\xcf\x73\x7c\x25\x2f\xb9\xaa\xc5\x00\x26\x2c\x9e\x47\xb9\xa6\x80\xc7\x4c\x7a\x06\x00\x83\xd5\x91\x65\x38\x69\x82\xb5\x05\x3f\x56\x83\x53\x7b\xa1\x39\xd6\x1f\x49\x4a\xc5\x01\x14\x23\x00\xef\xbc\x21\x6c\xf4\xb9\x39\x0d\xe0\xab\x29\x40\x0b\xcd\xf5\xde\xa0\x51\x56\xc1\x30\x1d\xf3\xf0", 1024); memcpy((void*)0x10000940, "\x21\xc6\x2c\xdf\x3e\x91\x52\x79\x82\x35\xfb\xe9\x46\xd7\x7d\xc7\xa7\x8f\x8e\xd9\xd9\x87\xa3\xe5\x96\x42\x36\xd1\xa7\x08\x13\x89", 32); *(uint32_t*)0x10000960 = 7; *(uint8_t*)0x10000964 = 0x85; *(uint32_t*)0x10000968 = 0x10000500; memcpy((void*)0x10000500, "\x52\xb4\x62\x2b\x0f\x6d\xc8\xee\xe7\xe2\x69\x56\xde\xb6\x65\x1f\x58\x0f\xa2\xcd", 20); *(uint64_t*)0x1000096c = 9; *(uint64_t*)0x10000974 = 0x3f; *(uint64_t*)0x1000097c = 0x401; *(uint64_t*)0x10000984 = 0x7fffffff; *(uint64_t*)0x1000098c = 0x10000000000; *(uint64_t*)0x10000994 = 0xfff; *(uint64_t*)0x1000099c = 0x100000000000000; *(uint32_t*)0x100009a4 = 1; syscall(SYS_ioctl, -1, 0xc4504441, 0x10000540); break; case 2: memcpy((void*)0x100009c0, "\x53\x74\xad\xcf\xed\x27", 6); *(uint8_t*)0x100009c6 = 0; *(uint8_t*)0x100009c7 = 0; *(uint8_t*)0x100009c8 = 0; *(uint8_t*)0x100009c9 = 0; *(uint8_t*)0x100009ca = 0; *(uint8_t*)0x100009cb = 0; *(uint16_t*)0x100009cc = htobe16(0x86dd); STORE_BY_BITMASK(uint8_t, , 0x100009ce, 9, 0, 4); STORE_BY_BITMASK(uint8_t, , 0x100009ce, 6, 4, 4); memcpy((void*)0x100009cf, "\xd8\x82\x40", 3); *(uint16_t*)0x100009d2 = htobe16(0x67); *(uint8_t*)0x100009d4 = 0x8b; *(uint8_t*)0x100009d5 = 0; *(uint8_t*)0x100009d6 = 0; *(uint8_t*)0x100009d7 = 0; *(uint8_t*)0x100009d8 = 0; *(uint8_t*)0x100009d9 = 0; *(uint8_t*)0x100009da = 0; *(uint8_t*)0x100009db = 0; *(uint8_t*)0x100009dc = 0; *(uint8_t*)0x100009dd = 0; *(uint8_t*)0x100009de = 0; *(uint8_t*)0x100009df = 0; *(uint8_t*)0x100009e0 = 0; *(uint8_t*)0x100009e1 = 0; *(uint8_t*)0x100009e2 = 0; *(uint8_t*)0x100009e3 = 0; *(uint8_t*)0x100009e4 = 0; *(uint8_t*)0x100009e5 = 0; *(uint64_t*)0x100009e6 = htobe64(0); *(uint64_t*)0x100009ee = htobe64(1); memcpy((void*)0x100009f6, "\xf4\xb4\xcf\x43\xa7\xae\xf2\x0c\x31\xe1\x4b\xee\x92\x47\x10\x30\x31\xea\x18\x0f\xfe\x19\x99\xbf\xb0\x47\xb6\x66\x12\x2e\x7a\x31\xf3\xbb\xb7\x65\x98\x4d\xd6\x6d\x00\x48\xdd\x88\x4c\x50\x46\x76\x9f\xda\x23\xd1\x69\x8a\x23\x83\x9c\xf3\xaf\xbf\x15\x30\x58\x73\xbb\x53\x43\xf5\xd2\xc9\x52\x30\xa9\x97\x26\xaf\xd8\x7d\xcd\xcd\xa4\x0d\xe7\xad\xea\xc5\x95\x4e\xc9\x3c\x0c\x6c\x3d\x66\x91\x77\xe7\xf9\x32\xbd\x8d\x98\x33", 103); break; case 3: *(uint32_t*)0x10000a80 = 0; syscall(SYS_setsockopt, 0xffffff9c, 0x84, 0x10, 0x10000a80, 4); break; case 4: res = syscall(SYS_fcntl, 0xffffff9c, 0x11, 0xffffff9c); if (res != -1) r[0] = res; break; case 5: memcpy((void*)0x10000ac0, "\x50\xe1\x6a\x4f\x17\x11\xc6\x81\xab\x66\x0d\x59\xa3\xd9\x67\xa0\x97\xbb\x87\xf0\x63\xf4\xc4\x9b\xa1\xa4\x43\x37\x3d\x02\xde\xe5\x14\x48\xa7\x9f\x1a\xcb\x5a\x80\x6f\x25\x19\x7c\x29\xa6\xad\x5c\x10\xdb\x0a\x54\x6c\x3a\x50\x14\xab\x8c\x80\xb4\xf8\x59\x4c\x1b\x9d\x42\x46\x03", 68); syscall(SYS_ioctl, (intptr_t)r[0], 0xc4704434, 0x10000ac0); break; case 6: memcpy((void*)0x10000b40, "./file0\000", 8); syscall(SYS___realpathat, (intptr_t)r[0], 0x10000b40, 0x10000b80, 5, 0); break; case 7: *(uint32_t*)0x10000c00 = 0x1c; syscall(SYS_accept, (intptr_t)r[0], 0x10000bc0, 0x10000c00); break; case 8: *(uint32_t*)0x10000c40 = 5; *(uint32_t*)0x10000c44 = 2; syscall(SYS_ioctl, (intptr_t)r[0], 0xc0084427, 0x10000c40); break; case 9: memcpy((void*)0x10000c80, "./file0\000", 8); syscall(SYS_lchmod, 0x10000c80, 2); break; case 10: *(uint8_t*)0x10000000 = 0xaa; *(uint8_t*)0x10000001 = 0xaa; *(uint8_t*)0x10000002 = 0xaa; *(uint8_t*)0x10000003 = 0xaa; *(uint8_t*)0x10000004 = 0xaa; *(uint8_t*)0x10000005 = 0xaa; *(uint8_t*)0x10000006 = 0xaa; *(uint8_t*)0x10000007 = 0xaa; *(uint8_t*)0x10000008 = 0xaa; *(uint8_t*)0x10000009 = 0xaa; *(uint8_t*)0x1000000a = 0xaa; *(uint8_t*)0x1000000b = 0xaa; *(uint16_t*)0x1000000c = htobe16(0x88a8); STORE_BY_BITMASK(uint16_t, , 0x1000000e, 1, 0, 3); STORE_BY_BITMASK(uint16_t, , 0x1000000e, 0, 3, 1); STORE_BY_BITMASK(uint16_t, , 0x1000000e, 0, 4, 12); *(uint16_t*)0x10000010 = htobe16(0x8100); STORE_BY_BITMASK(uint16_t, , 0x10000012, 2, 0, 3); STORE_BY_BITMASK(uint16_t, , 0x10000012, 0, 3, 1); STORE_BY_BITMASK(uint16_t, , 0x10000012, 1, 4, 12); *(uint16_t*)0x10000014 = htobe16(0x800); STORE_BY_BITMASK(uint8_t, , 0x10000016, 0x11, 0, 4); STORE_BY_BITMASK(uint8_t, , 0x10000016, 4, 4, 4); STORE_BY_BITMASK(uint8_t, , 0x10000017, 2, 0, 2); STORE_BY_BITMASK(uint8_t, , 0x10000017, 3, 2, 6); *(uint16_t*)0x10000018 = htobe16(0xe7); *(uint16_t*)0x1000001a = htobe16(0x66); *(uint16_t*)0x1000001c = htobe16(-1); *(uint8_t*)0x1000001e = 0; *(uint8_t*)0x1000001f = 0x5d; *(uint16_t*)0x10000020 = htobe16(0); *(uint32_t*)0x10000022 = htobe32(-1); *(uint32_t*)0x10000026 = htobe32(0xe0000001); *(uint8_t*)0x1000002a = 0x44; *(uint8_t*)0x1000002b = 6; memcpy((void*)0x1000002c, "\x01\x83\xb4\xa4", 4); *(uint8_t*)0x10000030 = 1; *(uint8_t*)0x10000031 = 1; *(uint8_t*)0x10000032 = 0x11; memcpy((void*)0x10000033, "\xdb\x1f\x84\xf6\x85\xce\x60\xf9\x1e\x89\x36\x88\xe9\x64\xb3", 15); *(uint8_t*)0x10000042 = 0x94; *(uint8_t*)0x10000043 = 6; *(uint32_t*)0x10000044 = htobe32(0x552b3dec); *(uint8_t*)0x10000048 = 0; *(uint8_t*)0x10000049 = 0x86; *(uint8_t*)0x1000004a = 0xf; memcpy((void*)0x1000004b, "\xc4\x0a\x26\x2a\xb0\x8e\xcf\x14\x8a\x55\x2a\xaa\x89", 13); *(uint8_t*)0x1000005a = 8; *(uint8_t*)0x1000005b = 0; *(uint16_t*)0x1000005c = htobe16(0); *(uint16_t*)0x1000005e = htobe16(0x1f); *(uint16_t*)0x10000060 = htobe16(0xae36); memcpy((void*)0x10000062, "\x14\x63\xe3\x81\xbd\x0e\x99\xfd\x71\x4b\xe2\x89\x0e\x54\x54\x74\x95\xf8\x6c\xac\xd7\x30\x55\x37\x6f\x19\x20\x7b\xad\x31\xa1\x37\x34\xaa\xcb\xa2\x8e\x2e\xc2\x7c\x9e\x3e\x30\xca\xe3\x44\xd1\xd5\xdc\x20\x12\x1b\x30\x0a\x45\x03\xf9\xd4\xd6\xba\x08\x66\x1f\x05\x6e\xd2\x70\xce\xcb\x2b\xd7\x24\x49\x70\x0f\xb8\xcf\xb5\x44\xca\x92\xb4\xca\x73\xae\x6f\xb3\x5c\xbc\x90\xe4\x99\x37\x75\x7e\xa5\xa5\x4d\x78\xdb\xb0\xaa\xc5\xf9\x3a\x36\xc7\xb5\xad\xc9\x75\xcd\xb1\xeb\x94\x63\x06\x5c\xde\x07\x19\x23\xf7\xf8\x77\x17\x92\xe8\xb7\x54\x1e\x60\xf7\xa9\x39\x58\xbb\x12\x8b\x93\xce\x90\xd8\x87\xfc\xb0\x62\x23\x5b\xd3\x8a\xb0\xc6\x29\x9b", 155); struct csum_inet csum_1; csum_inet_init(&csum_1); csum_inet_update(&csum_1, (const uint8_t*)0x1000005a, 163); *(uint16_t*)0x1000005c = csum_inet_digest(&csum_1); struct csum_inet csum_2; csum_inet_init(&csum_2); csum_inet_update(&csum_2, (const uint8_t*)0x10000016, 68); *(uint16_t*)0x10000020 = csum_inet_digest(&csum_2); break; case 11: memcpy((void*)0x10000100, "\xc4\xe1\x8d\x71\xf2\x8b\x66\x0f\x38\x0b\x95\xf2\x00\x00\x00\x2e\x0f\x6b\x88\x00\x00\x00\x00\x66\x0f\x71\xf3\x06\x3e\x7a\x0d\xc4\xe2\x21\x46\xae\x00\x00\x00\x00\x0f\x01\xde\xc4\xe2\xa1\x93\x64\x8e\x00\xf2\xa7\x68\xa7\x5c\x70\xc8", 57); syz_execute_func(0x10000100); break; case 12: break; } } int main(void) { syscall(SYS_mmap, 0x10000000, 0x1000000, 7, 0x1012, -1, 0); for (procid = 0; procid < 2; procid++) { if (fork() == 0) { use_temporary_dir(); do_sandbox_none(); } } sleep(1000000); return 0; } :430:11: error: use of undeclared identifier 'SYS___realpathat' syscall(SYS___realpathat, (intptr_t)r[0], 0x10000b40, 0x10000b80, 5, 0); ^ 1 error generated. compiler invocation: clang [-o /tmp/syz-executor714092874 -DGOOS_freebsd=1 -DGOARCH_386=1 -DHOSTGOOS_freebsd=1 -x c - -m32 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -static -lc++ -Wno-overflow] --- FAIL: TestGenerate/freebsd/386/7 (2.03s) csource_test.go:123: opts: {Threaded:true Collide:false Repeat:true RepeatTimes:0 Procs:0 Sandbox: Fault:false FaultCall:0 FaultNth:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false USB:false VhciInjection:false Wifi:false UseTmpDir:true HandleSegv:false Repro:false Trace:false} program: ioctl$DIOCRTSTADDRS(0xffffffffffffffff, 0xc4504449, &(0x7f0000000080)={{"c33ae1d7ace1241b1c03eaefebf74db163915a0bf1b388f6c36d59c77891254f65b0c984fc2be1b080c3b8c3d5d42292e58ea3e02d3b74272f3656e00e4d131b3b07713fd9cb86b40808514f58bbf7d626ad55439d194e4acade743a7354457424539c29442e24022a9f68154fa633c3e609a5e371789177d16a8405b3a4703f49372a512ba8ee4a3851f79b01ab4a3f3cf65f410399a271347b2c68cd28c5f5904ef5d4612399dc9e8a0829ae73c99c50f0f576bf16d38efcbf66476b785431a5e93171168e0fbcdbd6d3cf1ba657ecf14ba60f6e8f18e0da4d7a13db337b7508b7b7de2ff1de6a7bb94e8b8143d4ad6188501d04302cde08629001bfca810e5533adeb14a0ee4c8d244694e091a5d177608a3850188eb6f839a7c626d3dc390bc9a0e9faa35c7d10229d14382e2031e8aa3f7cd066bb6bc0e8f6259d365502a85d13d71bd1ab5ef28a701925e23beb531ca1a93101a0db35a6e8d797d46f053d4562b0c3896cfb91669869f82259c073c4eb7b65afa62b0a37ff5ead5be57187a37ce3c5af9b37d50a89c28f8fed5953173f8df188ba31f5dfd3973e12edf11ae5917eb0657b3796f76784c03c1aa13a7b1a15ddf54ed277387f7ea4057b81b1126391d5d37ac2c878f68444613d8c942510e03ffe6b6813268f4b067c8793642023b5ca52a7fcbb7f96f675f87b82ddec5507168d1fd3b4c166cd5cd12d68a266f1b2eaee4159b990b9d62e88844752ee03ff4adc97a993618c0c856c0c2bfe4760389cef292861251120a1c36147f33f5a217ed56da6858721fc11aacc711cfa74e7d60cb1e27263995fc9c49dd3a37b34872acd3b31ef031cd39ea4e0ff2635f44e8b561cbcdf2095d3cee586d296985153644b802f69ea2e11fa1e71be713c49e8a7475f26eec3fad432cfeecaff2a84a91e3ad7cb6e2cea970fa3aa2861c5571958783dc339462f2b5235e8139e6f292f98ffaf46150b32dbd906b13ff5d6a45f4401f77971df4ecf24d7c9618b57f5d40a674b4b2d4c7da929b5a187c3bf773c882d48a3b90ac191f651bcc38ac462264e6dc4db77e8e8631e3aed0bd0d2c0b62baf69bd5ebdea1440256d7d5998dcb0c9bd7c3d191fd8254e82b92a3183601a8d5a98737f6631a7b3dd58fe77a557cfc7b5d00376db39ec531d396affab1d89135c3fe860d313a240e6582ef96d18781702eaba44036558294bd3f20650674928191ac8553697fd654475575fb16d4466190c14f686e6bca7ab1e919c37814bf6c1c9905106ff673f1a4f5969b0b8194f62b21f0fe4e8980b87d1962813029f7bc998c955de450f7a4b8efe45036e881bf9547269211ec700c23b26590120ecb904fa41acae742afe32c72404e1520a0eea2d02b0703efb2b0a495005083abb84a59f2055b70e0c39160ef59e034c68c4435f3e838ca2ffa3e343d6", "138ccaa45ad3df6da8a039dc2887ebe89dab7a81e1f6de3b8e1abca71f8fbc2a", 0x8, 0x40}, &(0x7f0000000000)="504164a018f8c2ab990fb138243a70bd1f9a5a21226eb18c830cd2aee4cfa0165754b334163230f4aac7a16f736d4efa94ea1f0266595ca44bfed993e0ae9226e10a4fb125bfc2ae29e2431c6972", 0x9, 0x2, 0x2, 0x6, 0x80000000, 0x81, 0x40, 0x5}) ioctl$DIOCRCLRTSTATS(0xffffffffffffffff, 0xc4504441, &(0x7f0000000540)={{"5a74125d9b2c6db6fa88cd72b2e4b45a4bb5343951f9de38b63392fff5edac8795d2beab5485383a33632bdbbf6f496ff138614dc9f9516e111cc5aa4570ca19d4497b89b258f65b710d4d3f4e1dafe43f70baf51da5e101069884b3b8f5358cf7e246d24cdc123b10ba6605ba46ae5178d1fe2c4b2c9fa3f3f3c145ae6066e31d33768591341acf8fad9033b9ced22813d20dc77eedce619c7bb65ba0a889e0fefb8281c0a88ee64a29746b6ff0e9d2db70e8180bdee380f08fb194dce295e1eaa893709be9bfe39775c4232328159ad9c3aa4224dd0cbe3341145b89f6f9c170e619f590b0bf0493b74973f4fba6b974f2bdee806b5c604cc8222b1543f6693a85d96b56b09110bb8928e8016dfd309b61c579a6c345887f50be646f182829b1ab66a27db812eb4cacba79bc9d98cb18310940f74a4602cb85692b42fe8a99c95ae91a67195c048d2000ae4350f89baffd5c7d292e228f25c7eb924fc8693ee38573287e389e35746fbaa37ab9b770b351e367bf05e00d7dbd68db30b87975757cb251365916cda5a363ff40d96aaf33233bb14115dab9efe4649e40f2e5e01db2d65a3043302d9f1f08595a448cccb7a717c6954c7233411d08e1140f2ac5fb625cd1b6b6586561e66ded23f69e3d017a64bd221f2d3f274d846940aab424e829050ee33dd6ce69cc50c693ad316a7f90817317b21f719016c31c22d9ca46cfcb467122979e8c55f690c49b89b04564ce70f96ebd09edb40687017be21c8f567d6b152bcc830736a9320181d88a979e506b50acb148545987b361023ca78bdde928624018aeae51e3f86c3b540b16051d3881a98d1aa02910c94460a0f95310c25bf7a996e41c17f2399e760323b4f417bfc5225d705468066faf9027404c4271fc37ecf73f1470a998274a79286baed6ca7c4a88c827e96b4ea96f0bf23ff9afaded0937704cc63d24b3bcf0d62551d7a8f300114437c624d2c14e90d084aefe7963a2a88882eda723c328c360a296f98ea7fd565a4b58222c1b4e89dabc7078fff6f23ceebcedb8813d3712d3c7f7f6f083fbb19e724a2027f16f1c8e2f660112421ba698699a0481330c0baca6b7b8e4515006178e1b078b6ca6306b9aedf73f0ce22da0a0637929ab2a917cf65300bf90f2378ab6494a04bcf87b9afb7eb746fb016cb6db0ba3faa85ca8f51b7e9bd8a9cd9c79fb77730f0eaf32be459cde898e323a9ed52951f8cbb25ed095b4d53c02bbef1e646dd556a9b69e2dd55f5bba3c7e3548bd01227f2b4d28f2597e4cb2f48232fa0a9adad4db26d412f2c698f03195a68d5548ea1991fa68a7a23d552cd61b2bc69513b1cf737c252fb9aac500262c9e47b9a680c74c7a060083d59165386982b5053f5683537ba139d61f494ac501142300efbc216cf4b9390de0ab29400bcdf5dea05156c1301df3f0", "21c62cdf3e9152798235fbe946d77dc7a78f8ed9d987a3e5964236d1a7081389", 0x7, 0x85}, &(0x7f0000000500)="52b4622b0f6dc8eee7e26956deb6651f580fa2cd", 0x9, 0x3f, 0x401, 0x7fffffff, 0x10000000000, 0xfff, 0x100000000000000, 0x1}) syz_emit_ethernet(0x9d, &(0x7f00000009c0)={@random="5374adcfed27", @empty, [], {@ipv6={0x86dd, {0x9, 0x6, "d88240", 0x67, 0x8b, 0x0, @empty, @loopback, {[], @generic="f4b4cf43a7aef20c31e14bee9247103031ea180ffe1999bfb047b666122e7a31f3bbb765984dd66d0048dd884c5046769fda23d1698a23839cf3afbf15305873bb5343f5d2c95230a99726afd87dcdcda40de7adeac5954ec93c0c6c3d669177e7f932bd8d9833"}}}}}) setsockopt$inet_sctp_SCTP_FRAGMENT_INTERLEAVE(0xffffffffffffff9c, 0x84, 0x10, &(0x7f0000000a80), 0x4) r0 = fcntl$dupfd(0xffffffffffffff9c, 0x11, 0xffffffffffffff9c) ioctl$DIOCADDADDR(r0, 0xc4704434, &(0x7f0000000ac0)="50e16a4f1711c681ab660d59a3d967a097bb87f063f4c49ba1a443373d02dee51448a79f1acb5a806f25197c29a6ad5c10db0a546c3a5014ab8c80b4f8594c1b9d424603") __realpathat(r0, &(0x7f0000000b40)='./file0\x00', &(0x7f0000000b80)=""/5, 0x5, 0x0) accept(r0, &(0x7f0000000bc0)=@in6={0x1c, 0x1c, 0xffffffffffffffff, 0x0, @loopback}, &(0x7f0000000c00)=0x1c) ioctl$DIOCGETLIMIT(r0, 0xc0084427, &(0x7f0000000c40)={0x5, 0x2}) lchmod(&(0x7f0000000c80)='./file0\x00', 0x2) syz_emit_ethernet(0xfd, &(0x7f0000000000)={@local, @local, [{[{0x88a8, 0x1}], {0x8100, 0x2, 0x0, 0x1}}], {@ipv4={0x800, {{0x11, 0x4, 0x2, 0x3, 0xe7, 0x66, 0xffff, 0x0, 0x5d, 0x0, @broadcast, @multicast1, {[@generic={0x44, 0x6, "0183b4a4"}, @noop, @generic={0x1, 0x11, "db1f84f685ce60f91e893688e964b3"}, @ra={0x94, 0x6, 0x552b3dec}, @end, @generic={0x86, 0xf, "c40a262ab08ecf148a552aaa89"}]}}, @icmp=@echo={0x8, 0x0, 0x0, 0x1f, 0xae36, "1463e381bd0e99fd714be2890e54547495f86cacd73055376f19207bad31a13734aacba28e2ec27c9e3e30cae344d1d5dc20121b300a4503f9d4d6ba08661f056ed270cecb2bd72449700fb8cfb544ca92b4ca73ae6fb35cbc90e49937757ea5a54d78dbb0aac5f93a36c7b5adc975cdb1eb9463065cde071923f7f8771792e8b7541e60f7a93958bb128b93ce90d887fcb062235bd38ab0c6299b"}}}}}) syz_execute_func(&(0x7f0000000100)="c4e18d71f28b660f380b95f20000002e0f6b8800000000660f71f3063e7a0dc4e22146ae000000000f01dec4e2a193648e00f2a768a75c70c8") syz_extract_tcp_res(&(0x7f0000000140), 0x62, 0x8001) csource_test.go:124: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include static void kill_and_wait(int pid, int* status) { kill(pid, SIGKILL); while (waitpid(-1, status, 0) != pid) { } } static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void use_temporary_dir(void) { char tmpdir_template[] = "./syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) exit(1); if (chmod(tmpdir, 0777)) exit(1); if (chdir(tmpdir)) exit(1); } static void __attribute__((noinline)) remove_dir(const char* dir) { DIR* dp = opendir(dir); if (dp == NULL) { if (errno == EACCES) { if (rmdir(dir)) exit(1); return; } exit(1); } struct dirent* ep = 0; while ((ep = readdir(dp))) { if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0) continue; char filename[FILENAME_MAX]; snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name); struct stat st; if (lstat(filename, &st)) exit(1); if (S_ISDIR(st.st_mode)) { remove_dir(filename); continue; } if (unlink(filename)) exit(1); } closedir(dp); if (rmdir(dir)) exit(1); } static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); pthread_attr_setstacksize(&attr, 128 << 10); int i = 0; for (; i < 100; i++) { if (pthread_create(&th, &attr, fn, arg) == 0) { pthread_attr_destroy(&attr); return; } if (errno == EAGAIN) { usleep(50); continue; } break; } exit(1); } typedef struct { pthread_mutex_t mu; pthread_cond_t cv; int state; } event_t; static void event_init(event_t* ev) { if (pthread_mutex_init(&ev->mu, 0)) exit(1); if (pthread_cond_init(&ev->cv, 0)) exit(1); ev->state = 0; } static void event_reset(event_t* ev) { ev->state = 0; } static void event_set(event_t* ev) { pthread_mutex_lock(&ev->mu); if (ev->state) exit(1); ev->state = 1; pthread_mutex_unlock(&ev->mu); pthread_cond_broadcast(&ev->cv); } static void event_wait(event_t* ev) { pthread_mutex_lock(&ev->mu); while (!ev->state) pthread_cond_wait(&ev->cv, &ev->mu); pthread_mutex_unlock(&ev->mu); } static int event_isset(event_t* ev) { pthread_mutex_lock(&ev->mu); int res = ev->state; pthread_mutex_unlock(&ev->mu); return res; } static int event_timedwait(event_t* ev, uint64_t timeout) { uint64_t start = current_time_ms(); uint64_t now = start; pthread_mutex_lock(&ev->mu); for (;;) { if (ev->state) break; uint64_t remain = timeout - (now - start); struct timespec ts; ts.tv_sec = remain / 1000; ts.tv_nsec = (remain % 1000) * 1000 * 1000; pthread_cond_timedwait(&ev->cv, &ev->mu, &ts); now = current_time_ms(); if (now - start > timeout) break; } int res = ev->state; pthread_mutex_unlock(&ev->mu); return res; } #define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off)) #define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len)))) struct csum_inet { uint32_t acc; }; static void csum_inet_init(struct csum_inet* csum) { csum->acc = 0; } static void csum_inet_update(struct csum_inet* csum, const uint8_t* data, size_t length) { if (length == 0) return; size_t i = 0; for (; i < length - 1; i += 2) csum->acc += *(uint16_t*)&data[i]; if (length & 1) csum->acc += le16toh((uint16_t)data[length - 1]); while (csum->acc > 0xffff) csum->acc = (csum->acc & 0xffff) + (csum->acc >> 16); } static uint16_t csum_inet_digest(struct csum_inet* csum) { return ~csum->acc; } static long syz_execute_func(volatile long text) { ((void (*)(void))(text))(); return 0; } struct thread_t { int created, call; event_t ready, done; }; static struct thread_t threads[16]; static void execute_call(int call); static int running; static void* thr(void* arg) { struct thread_t* th = (struct thread_t*)arg; for (;;) { event_wait(&th->ready); event_reset(&th->ready); execute_call(th->call); __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED); event_set(&th->done); } return 0; } static void execute_one(void) { int i, call, thread; for (call = 0; call < 13; call++) { for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) { struct thread_t* th = &threads[thread]; if (!th->created) { th->created = 1; event_init(&th->ready); event_init(&th->done); event_set(&th->done); thread_start(thr, th); } if (!event_isset(&th->done)) continue; event_reset(&th->done); th->call = call; __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED); event_set(&th->ready); event_timedwait(&th->done, 45); break; } } for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++) sleep_ms(1); } static void execute_one(void); #define WAIT_FLAGS 0 static void loop(void) { int iter = 0; for (;; iter++) { char cwdbuf[32]; sprintf(cwdbuf, "./%d", iter); if (mkdir(cwdbuf, 0777)) exit(1); int pid = fork(); if (pid < 0) exit(1); if (pid == 0) { if (chdir(cwdbuf)) exit(1); execute_one(); exit(0); } int status = 0; uint64_t start = current_time_ms(); for (;;) { if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) break; sleep_ms(1); if (current_time_ms() - start < 5 * 1000) continue; kill_and_wait(pid, &status); break; } remove_dir(cwdbuf); } } uint64_t r[1] = {0xffffffffffffffff}; void execute_call(int call) { intptr_t res = 0; switch (call) { case 0: memcpy((void*)0x10000080, "\xc3\x3a\xe1\xd7\xac\xe1\x24\x1b\x1c\x03\xea\xef\xeb\xf7\x4d\xb1\x63\x91\x5a\x0b\xf1\xb3\x88\xf6\xc3\x6d\x59\xc7\x78\x91\x25\x4f\x65\xb0\xc9\x84\xfc\x2b\xe1\xb0\x80\xc3\xb8\xc3\xd5\xd4\x22\x92\xe5\x8e\xa3\xe0\x2d\x3b\x74\x27\x2f\x36\x56\xe0\x0e\x4d\x13\x1b\x3b\x07\x71\x3f\xd9\xcb\x86\xb4\x08\x08\x51\x4f\x58\xbb\xf7\xd6\x26\xad\x55\x43\x9d\x19\x4e\x4a\xca\xde\x74\x3a\x73\x54\x45\x74\x24\x53\x9c\x29\x44\x2e\x24\x02\x2a\x9f\x68\x15\x4f\xa6\x33\xc3\xe6\x09\xa5\xe3\x71\x78\x91\x77\xd1\x6a\x84\x05\xb3\xa4\x70\x3f\x49\x37\x2a\x51\x2b\xa8\xee\x4a\x38\x51\xf7\x9b\x01\xab\x4a\x3f\x3c\xf6\x5f\x41\x03\x99\xa2\x71\x34\x7b\x2c\x68\xcd\x28\xc5\xf5\x90\x4e\xf5\xd4\x61\x23\x99\xdc\x9e\x8a\x08\x29\xae\x73\xc9\x9c\x50\xf0\xf5\x76\xbf\x16\xd3\x8e\xfc\xbf\x66\x47\x6b\x78\x54\x31\xa5\xe9\x31\x71\x16\x8e\x0f\xbc\xdb\xd6\xd3\xcf\x1b\xa6\x57\xec\xf1\x4b\xa6\x0f\x6e\x8f\x18\xe0\xda\x4d\x7a\x13\xdb\x33\x7b\x75\x08\xb7\xb7\xde\x2f\xf1\xde\x6a\x7b\xb9\x4e\x8b\x81\x43\xd4\xad\x61\x88\x50\x1d\x04\x30\x2c\xde\x08\x62\x90\x01\xbf\xca\x81\x0e\x55\x33\xad\xeb\x14\xa0\xee\x4c\x8d\x24\x46\x94\xe0\x91\xa5\xd1\x77\x60\x8a\x38\x50\x18\x8e\xb6\xf8\x39\xa7\xc6\x26\xd3\xdc\x39\x0b\xc9\xa0\xe9\xfa\xa3\x5c\x7d\x10\x22\x9d\x14\x38\x2e\x20\x31\xe8\xaa\x3f\x7c\xd0\x66\xbb\x6b\xc0\xe8\xf6\x25\x9d\x36\x55\x02\xa8\x5d\x13\xd7\x1b\xd1\xab\x5e\xf2\x8a\x70\x19\x25\xe2\x3b\xeb\x53\x1c\xa1\xa9\x31\x01\xa0\xdb\x35\xa6\xe8\xd7\x97\xd4\x6f\x05\x3d\x45\x62\xb0\xc3\x89\x6c\xfb\x91\x66\x98\x69\xf8\x22\x59\xc0\x73\xc4\xeb\x7b\x65\xaf\xa6\x2b\x0a\x37\xff\x5e\xad\x5b\xe5\x71\x87\xa3\x7c\xe3\xc5\xaf\x9b\x37\xd5\x0a\x89\xc2\x8f\x8f\xed\x59\x53\x17\x3f\x8d\xf1\x88\xba\x31\xf5\xdf\xd3\x97\x3e\x12\xed\xf1\x1a\xe5\x91\x7e\xb0\x65\x7b\x37\x96\xf7\x67\x84\xc0\x3c\x1a\xa1\x3a\x7b\x1a\x15\xdd\xf5\x4e\xd2\x77\x38\x7f\x7e\xa4\x05\x7b\x81\xb1\x12\x63\x91\xd5\xd3\x7a\xc2\xc8\x78\xf6\x84\x44\x61\x3d\x8c\x94\x25\x10\xe0\x3f\xfe\x6b\x68\x13\x26\x8f\x4b\x06\x7c\x87\x93\x64\x20\x23\xb5\xca\x52\xa7\xfc\xbb\x7f\x96\xf6\x75\xf8\x7b\x82\xdd\xec\x55\x07\x16\x8d\x1f\xd3\xb4\xc1\x66\xcd\x5c\xd1\x2d\x68\xa2\x66\xf1\xb2\xea\xee\x41\x59\xb9\x90\xb9\xd6\x2e\x88\x84\x47\x52\xee\x03\xff\x4a\xdc\x97\xa9\x93\x61\x8c\x0c\x85\x6c\x0c\x2b\xfe\x47\x60\x38\x9c\xef\x29\x28\x61\x25\x11\x20\xa1\xc3\x61\x47\xf3\x3f\x5a\x21\x7e\xd5\x6d\xa6\x85\x87\x21\xfc\x11\xaa\xcc\x71\x1c\xfa\x74\xe7\xd6\x0c\xb1\xe2\x72\x63\x99\x5f\xc9\xc4\x9d\xd3\xa3\x7b\x34\x87\x2a\xcd\x3b\x31\xef\x03\x1c\xd3\x9e\xa4\xe0\xff\x26\x35\xf4\x4e\x8b\x56\x1c\xbc\xdf\x20\x95\xd3\xce\xe5\x86\xd2\x96\x98\x51\x53\x64\x4b\x80\x2f\x69\xea\x2e\x11\xfa\x1e\x71\xbe\x71\x3c\x49\xe8\xa7\x47\x5f\x26\xee\xc3\xfa\xd4\x32\xcf\xee\xca\xff\x2a\x84\xa9\x1e\x3a\xd7\xcb\x6e\x2c\xea\x97\x0f\xa3\xaa\x28\x61\xc5\x57\x19\x58\x78\x3d\xc3\x39\x46\x2f\x2b\x52\x35\xe8\x13\x9e\x6f\x29\x2f\x98\xff\xaf\x46\x15\x0b\x32\xdb\xd9\x06\xb1\x3f\xf5\xd6\xa4\x5f\x44\x01\xf7\x79\x71\xdf\x4e\xcf\x24\xd7\xc9\x61\x8b\x57\xf5\xd4\x0a\x67\x4b\x4b\x2d\x4c\x7d\xa9\x29\xb5\xa1\x87\xc3\xbf\x77\x3c\x88\x2d\x48\xa3\xb9\x0a\xc1\x91\xf6\x51\xbc\xc3\x8a\xc4\x62\x26\x4e\x6d\xc4\xdb\x77\xe8\xe8\x63\x1e\x3a\xed\x0b\xd0\xd2\xc0\xb6\x2b\xaf\x69\xbd\x5e\xbd\xea\x14\x40\x25\x6d\x7d\x59\x98\xdc\xb0\xc9\xbd\x7c\x3d\x19\x1f\xd8\x25\x4e\x82\xb9\x2a\x31\x83\x60\x1a\x8d\x5a\x98\x73\x7f\x66\x31\xa7\xb3\xdd\x58\xfe\x77\xa5\x57\xcf\xc7\xb5\xd0\x03\x76\xdb\x39\xec\x53\x1d\x39\x6a\xff\xab\x1d\x89\x13\x5c\x3f\xe8\x60\xd3\x13\xa2\x40\xe6\x58\x2e\xf9\x6d\x18\x78\x17\x02\xea\xba\x44\x03\x65\x58\x29\x4b\xd3\xf2\x06\x50\x67\x49\x28\x19\x1a\xc8\x55\x36\x97\xfd\x65\x44\x75\x57\x5f\xb1\x6d\x44\x66\x19\x0c\x14\xf6\x86\xe6\xbc\xa7\xab\x1e\x91\x9c\x37\x81\x4b\xf6\xc1\xc9\x90\x51\x06\xff\x67\x3f\x1a\x4f\x59\x69\xb0\xb8\x19\x4f\x62\xb2\x1f\x0f\xe4\xe8\x98\x0b\x87\xd1\x96\x28\x13\x02\x9f\x7b\xc9\x98\xc9\x55\xde\x45\x0f\x7a\x4b\x8e\xfe\x45\x03\x6e\x88\x1b\xf9\x54\x72\x69\x21\x1e\xc7\x00\xc2\x3b\x26\x59\x01\x20\xec\xb9\x04\xfa\x41\xac\xae\x74\x2a\xfe\x32\xc7\x24\x04\xe1\x52\x0a\x0e\xea\x2d\x02\xb0\x70\x3e\xfb\x2b\x0a\x49\x50\x05\x08\x3a\xbb\x84\xa5\x9f\x20\x55\xb7\x0e\x0c\x39\x16\x0e\xf5\x9e\x03\x4c\x68\xc4\x43\x5f\x3e\x83\x8c\xa2\xff\xa3\xe3\x43\xd6", 1024); memcpy((void*)0x10000480, "\x13\x8c\xca\xa4\x5a\xd3\xdf\x6d\xa8\xa0\x39\xdc\x28\x87\xeb\xe8\x9d\xab\x7a\x81\xe1\xf6\xde\x3b\x8e\x1a\xbc\xa7\x1f\x8f\xbc\x2a", 32); *(uint32_t*)0x100004a0 = 8; *(uint8_t*)0x100004a4 = 0x40; *(uint32_t*)0x100004a8 = 0x10000000; memcpy((void*)0x10000000, "\x50\x41\x64\xa0\x18\xf8\xc2\xab\x99\x0f\xb1\x38\x24\x3a\x70\xbd\x1f\x9a\x5a\x21\x22\x6e\xb1\x8c\x83\x0c\xd2\xae\xe4\xcf\xa0\x16\x57\x54\xb3\x34\x16\x32\x30\xf4\xaa\xc7\xa1\x6f\x73\x6d\x4e\xfa\x94\xea\x1f\x02\x66\x59\x5c\xa4\x4b\xfe\xd9\x93\xe0\xae\x92\x26\xe1\x0a\x4f\xb1\x25\xbf\xc2\xae\x29\xe2\x43\x1c\x69\x72", 78); *(uint64_t*)0x100004ac = 9; *(uint64_t*)0x100004b4 = 2; *(uint64_t*)0x100004bc = 2; *(uint64_t*)0x100004c4 = 6; *(uint64_t*)0x100004cc = 0x80000000; *(uint64_t*)0x100004d4 = 0x81; *(uint64_t*)0x100004dc = 0x40; *(uint32_t*)0x100004e4 = 5; syscall(SYS_ioctl, -1, 0xc4504449, 0x10000080); break; case 1: memcpy((void*)0x10000540, "\x5a\x74\x12\x5d\x9b\x2c\x6d\xb6\xfa\x88\xcd\x72\xb2\xe4\xb4\x5a\x4b\xb5\x34\x39\x51\xf9\xde\x38\xb6\x33\x92\xff\xf5\xed\xac\x87\x95\xd2\xbe\xab\x54\x85\x38\x3a\x33\x63\x2b\xdb\xbf\x6f\x49\x6f\xf1\x38\x61\x4d\xc9\xf9\x51\x6e\x11\x1c\xc5\xaa\x45\x70\xca\x19\xd4\x49\x7b\x89\xb2\x58\xf6\x5b\x71\x0d\x4d\x3f\x4e\x1d\xaf\xe4\x3f\x70\xba\xf5\x1d\xa5\xe1\x01\x06\x98\x84\xb3\xb8\xf5\x35\x8c\xf7\xe2\x46\xd2\x4c\xdc\x12\x3b\x10\xba\x66\x05\xba\x46\xae\x51\x78\xd1\xfe\x2c\x4b\x2c\x9f\xa3\xf3\xf3\xc1\x45\xae\x60\x66\xe3\x1d\x33\x76\x85\x91\x34\x1a\xcf\x8f\xad\x90\x33\xb9\xce\xd2\x28\x13\xd2\x0d\xc7\x7e\xed\xce\x61\x9c\x7b\xb6\x5b\xa0\xa8\x89\xe0\xfe\xfb\x82\x81\xc0\xa8\x8e\xe6\x4a\x29\x74\x6b\x6f\xf0\xe9\xd2\xdb\x70\xe8\x18\x0b\xde\xe3\x80\xf0\x8f\xb1\x94\xdc\xe2\x95\xe1\xea\xa8\x93\x70\x9b\xe9\xbf\xe3\x97\x75\xc4\x23\x23\x28\x15\x9a\xd9\xc3\xaa\x42\x24\xdd\x0c\xbe\x33\x41\x14\x5b\x89\xf6\xf9\xc1\x70\xe6\x19\xf5\x90\xb0\xbf\x04\x93\xb7\x49\x73\xf4\xfb\xa6\xb9\x74\xf2\xbd\xee\x80\x6b\x5c\x60\x4c\xc8\x22\x2b\x15\x43\xf6\x69\x3a\x85\xd9\x6b\x56\xb0\x91\x10\xbb\x89\x28\xe8\x01\x6d\xfd\x30\x9b\x61\xc5\x79\xa6\xc3\x45\x88\x7f\x50\xbe\x64\x6f\x18\x28\x29\xb1\xab\x66\xa2\x7d\xb8\x12\xeb\x4c\xac\xba\x79\xbc\x9d\x98\xcb\x18\x31\x09\x40\xf7\x4a\x46\x02\xcb\x85\x69\x2b\x42\xfe\x8a\x99\xc9\x5a\xe9\x1a\x67\x19\x5c\x04\x8d\x20\x00\xae\x43\x50\xf8\x9b\xaf\xfd\x5c\x7d\x29\x2e\x22\x8f\x25\xc7\xeb\x92\x4f\xc8\x69\x3e\xe3\x85\x73\x28\x7e\x38\x9e\x35\x74\x6f\xba\xa3\x7a\xb9\xb7\x70\xb3\x51\xe3\x67\xbf\x05\xe0\x0d\x7d\xbd\x68\xdb\x30\xb8\x79\x75\x75\x7c\xb2\x51\x36\x59\x16\xcd\xa5\xa3\x63\xff\x40\xd9\x6a\xaf\x33\x23\x3b\xb1\x41\x15\xda\xb9\xef\xe4\x64\x9e\x40\xf2\xe5\xe0\x1d\xb2\xd6\x5a\x30\x43\x30\x2d\x9f\x1f\x08\x59\x5a\x44\x8c\xcc\xb7\xa7\x17\xc6\x95\x4c\x72\x33\x41\x1d\x08\xe1\x14\x0f\x2a\xc5\xfb\x62\x5c\xd1\xb6\xb6\x58\x65\x61\xe6\x6d\xed\x23\xf6\x9e\x3d\x01\x7a\x64\xbd\x22\x1f\x2d\x3f\x27\x4d\x84\x69\x40\xaa\xb4\x24\xe8\x29\x05\x0e\xe3\x3d\xd6\xce\x69\xcc\x50\xc6\x93\xad\x31\x6a\x7f\x90\x81\x73\x17\xb2\x1f\x71\x90\x16\xc3\x1c\x22\xd9\xca\x46\xcf\xcb\x46\x71\x22\x97\x9e\x8c\x55\xf6\x90\xc4\x9b\x89\xb0\x45\x64\xce\x70\xf9\x6e\xbd\x09\xed\xb4\x06\x87\x01\x7b\xe2\x1c\x8f\x56\x7d\x6b\x15\x2b\xcc\x83\x07\x36\xa9\x32\x01\x81\xd8\x8a\x97\x9e\x50\x6b\x50\xac\xb1\x48\x54\x59\x87\xb3\x61\x02\x3c\xa7\x8b\xdd\xe9\x28\x62\x40\x18\xae\xae\x51\xe3\xf8\x6c\x3b\x54\x0b\x16\x05\x1d\x38\x81\xa9\x8d\x1a\xa0\x29\x10\xc9\x44\x60\xa0\xf9\x53\x10\xc2\x5b\xf7\xa9\x96\xe4\x1c\x17\xf2\x39\x9e\x76\x03\x23\xb4\xf4\x17\xbf\xc5\x22\x5d\x70\x54\x68\x06\x6f\xaf\x90\x27\x40\x4c\x42\x71\xfc\x37\xec\xf7\x3f\x14\x70\xa9\x98\x27\x4a\x79\x28\x6b\xae\xd6\xca\x7c\x4a\x88\xc8\x27\xe9\x6b\x4e\xa9\x6f\x0b\xf2\x3f\xf9\xaf\xad\xed\x09\x37\x70\x4c\xc6\x3d\x24\xb3\xbc\xf0\xd6\x25\x51\xd7\xa8\xf3\x00\x11\x44\x37\xc6\x24\xd2\xc1\x4e\x90\xd0\x84\xae\xfe\x79\x63\xa2\xa8\x88\x82\xed\xa7\x23\xc3\x28\xc3\x60\xa2\x96\xf9\x8e\xa7\xfd\x56\x5a\x4b\x58\x22\x2c\x1b\x4e\x89\xda\xbc\x70\x78\xff\xf6\xf2\x3c\xee\xbc\xed\xb8\x81\x3d\x37\x12\xd3\xc7\xf7\xf6\xf0\x83\xfb\xb1\x9e\x72\x4a\x20\x27\xf1\x6f\x1c\x8e\x2f\x66\x01\x12\x42\x1b\xa6\x98\x69\x9a\x04\x81\x33\x0c\x0b\xac\xa6\xb7\xb8\xe4\x51\x50\x06\x17\x8e\x1b\x07\x8b\x6c\xa6\x30\x6b\x9a\xed\xf7\x3f\x0c\xe2\x2d\xa0\xa0\x63\x79\x29\xab\x2a\x91\x7c\xf6\x53\x00\xbf\x90\xf2\x37\x8a\xb6\x49\x4a\x04\xbc\xf8\x7b\x9a\xfb\x7e\xb7\x46\xfb\x01\x6c\xb6\xdb\x0b\xa3\xfa\xa8\x5c\xa8\xf5\x1b\x7e\x9b\xd8\xa9\xcd\x9c\x79\xfb\x77\x73\x0f\x0e\xaf\x32\xbe\x45\x9c\xde\x89\x8e\x32\x3a\x9e\xd5\x29\x51\xf8\xcb\xb2\x5e\xd0\x95\xb4\xd5\x3c\x02\xbb\xef\x1e\x64\x6d\xd5\x56\xa9\xb6\x9e\x2d\xd5\x5f\x5b\xba\x3c\x7e\x35\x48\xbd\x01\x22\x7f\x2b\x4d\x28\xf2\x59\x7e\x4c\xb2\xf4\x82\x32\xfa\x0a\x9a\xda\xd4\xdb\x26\xd4\x12\xf2\xc6\x98\xf0\x31\x95\xa6\x8d\x55\x48\xea\x19\x91\xfa\x68\xa7\xa2\x3d\x55\x2c\xd6\x1b\x2b\xc6\x95\x13\xb1\xcf\x73\x7c\x25\x2f\xb9\xaa\xc5\x00\x26\x2c\x9e\x47\xb9\xa6\x80\xc7\x4c\x7a\x06\x00\x83\xd5\x91\x65\x38\x69\x82\xb5\x05\x3f\x56\x83\x53\x7b\xa1\x39\xd6\x1f\x49\x4a\xc5\x01\x14\x23\x00\xef\xbc\x21\x6c\xf4\xb9\x39\x0d\xe0\xab\x29\x40\x0b\xcd\xf5\xde\xa0\x51\x56\xc1\x30\x1d\xf3\xf0", 1024); memcpy((void*)0x10000940, "\x21\xc6\x2c\xdf\x3e\x91\x52\x79\x82\x35\xfb\xe9\x46\xd7\x7d\xc7\xa7\x8f\x8e\xd9\xd9\x87\xa3\xe5\x96\x42\x36\xd1\xa7\x08\x13\x89", 32); *(uint32_t*)0x10000960 = 7; *(uint8_t*)0x10000964 = 0x85; *(uint32_t*)0x10000968 = 0x10000500; memcpy((void*)0x10000500, "\x52\xb4\x62\x2b\x0f\x6d\xc8\xee\xe7\xe2\x69\x56\xde\xb6\x65\x1f\x58\x0f\xa2\xcd", 20); *(uint64_t*)0x1000096c = 9; *(uint64_t*)0x10000974 = 0x3f; *(uint64_t*)0x1000097c = 0x401; *(uint64_t*)0x10000984 = 0x7fffffff; *(uint64_t*)0x1000098c = 0x10000000000; *(uint64_t*)0x10000994 = 0xfff; *(uint64_t*)0x1000099c = 0x100000000000000; *(uint32_t*)0x100009a4 = 1; syscall(SYS_ioctl, -1, 0xc4504441, 0x10000540); break; case 2: memcpy((void*)0x100009c0, "\x53\x74\xad\xcf\xed\x27", 6); *(uint8_t*)0x100009c6 = 0; *(uint8_t*)0x100009c7 = 0; *(uint8_t*)0x100009c8 = 0; *(uint8_t*)0x100009c9 = 0; *(uint8_t*)0x100009ca = 0; *(uint8_t*)0x100009cb = 0; *(uint16_t*)0x100009cc = htobe16(0x86dd); STORE_BY_BITMASK(uint8_t, , 0x100009ce, 9, 0, 4); STORE_BY_BITMASK(uint8_t, , 0x100009ce, 6, 4, 4); memcpy((void*)0x100009cf, "\xd8\x82\x40", 3); *(uint16_t*)0x100009d2 = htobe16(0x67); *(uint8_t*)0x100009d4 = 0x8b; *(uint8_t*)0x100009d5 = 0; *(uint8_t*)0x100009d6 = 0; *(uint8_t*)0x100009d7 = 0; *(uint8_t*)0x100009d8 = 0; *(uint8_t*)0x100009d9 = 0; *(uint8_t*)0x100009da = 0; *(uint8_t*)0x100009db = 0; *(uint8_t*)0x100009dc = 0; *(uint8_t*)0x100009dd = 0; *(uint8_t*)0x100009de = 0; *(uint8_t*)0x100009df = 0; *(uint8_t*)0x100009e0 = 0; *(uint8_t*)0x100009e1 = 0; *(uint8_t*)0x100009e2 = 0; *(uint8_t*)0x100009e3 = 0; *(uint8_t*)0x100009e4 = 0; *(uint8_t*)0x100009e5 = 0; *(uint64_t*)0x100009e6 = htobe64(0); *(uint64_t*)0x100009ee = htobe64(1); memcpy((void*)0x100009f6, "\xf4\xb4\xcf\x43\xa7\xae\xf2\x0c\x31\xe1\x4b\xee\x92\x47\x10\x30\x31\xea\x18\x0f\xfe\x19\x99\xbf\xb0\x47\xb6\x66\x12\x2e\x7a\x31\xf3\xbb\xb7\x65\x98\x4d\xd6\x6d\x00\x48\xdd\x88\x4c\x50\x46\x76\x9f\xda\x23\xd1\x69\x8a\x23\x83\x9c\xf3\xaf\xbf\x15\x30\x58\x73\xbb\x53\x43\xf5\xd2\xc9\x52\x30\xa9\x97\x26\xaf\xd8\x7d\xcd\xcd\xa4\x0d\xe7\xad\xea\xc5\x95\x4e\xc9\x3c\x0c\x6c\x3d\x66\x91\x77\xe7\xf9\x32\xbd\x8d\x98\x33", 103); break; case 3: *(uint32_t*)0x10000a80 = 0; syscall(SYS_setsockopt, 0xffffff9c, 0x84, 0x10, 0x10000a80, 4); break; case 4: res = syscall(SYS_fcntl, 0xffffff9c, 0x11, 0xffffff9c); if (res != -1) r[0] = res; break; case 5: memcpy((void*)0x10000ac0, "\x50\xe1\x6a\x4f\x17\x11\xc6\x81\xab\x66\x0d\x59\xa3\xd9\x67\xa0\x97\xbb\x87\xf0\x63\xf4\xc4\x9b\xa1\xa4\x43\x37\x3d\x02\xde\xe5\x14\x48\xa7\x9f\x1a\xcb\x5a\x80\x6f\x25\x19\x7c\x29\xa6\xad\x5c\x10\xdb\x0a\x54\x6c\x3a\x50\x14\xab\x8c\x80\xb4\xf8\x59\x4c\x1b\x9d\x42\x46\x03", 68); syscall(SYS_ioctl, (intptr_t)r[0], 0xc4704434, 0x10000ac0); break; case 6: memcpy((void*)0x10000b40, "./file0\000", 8); syscall(SYS___realpathat, (intptr_t)r[0], 0x10000b40, 0x10000b80, 5, 0); break; case 7: *(uint32_t*)0x10000c00 = 0x1c; syscall(SYS_accept, (intptr_t)r[0], 0x10000bc0, 0x10000c00); break; case 8: *(uint32_t*)0x10000c40 = 5; *(uint32_t*)0x10000c44 = 2; syscall(SYS_ioctl, (intptr_t)r[0], 0xc0084427, 0x10000c40); break; case 9: memcpy((void*)0x10000c80, "./file0\000", 8); syscall(SYS_lchmod, 0x10000c80, 2); break; case 10: *(uint8_t*)0x10000000 = 0xaa; *(uint8_t*)0x10000001 = 0xaa; *(uint8_t*)0x10000002 = 0xaa; *(uint8_t*)0x10000003 = 0xaa; *(uint8_t*)0x10000004 = 0xaa; *(uint8_t*)0x10000005 = 0xaa; *(uint8_t*)0x10000006 = 0xaa; *(uint8_t*)0x10000007 = 0xaa; *(uint8_t*)0x10000008 = 0xaa; *(uint8_t*)0x10000009 = 0xaa; *(uint8_t*)0x1000000a = 0xaa; *(uint8_t*)0x1000000b = 0xaa; *(uint16_t*)0x1000000c = htobe16(0x88a8); STORE_BY_BITMASK(uint16_t, , 0x1000000e, 1, 0, 3); STORE_BY_BITMASK(uint16_t, , 0x1000000e, 0, 3, 1); STORE_BY_BITMASK(uint16_t, , 0x1000000e, 0, 4, 12); *(uint16_t*)0x10000010 = htobe16(0x8100); STORE_BY_BITMASK(uint16_t, , 0x10000012, 2, 0, 3); STORE_BY_BITMASK(uint16_t, , 0x10000012, 0, 3, 1); STORE_BY_BITMASK(uint16_t, , 0x10000012, 1, 4, 12); *(uint16_t*)0x10000014 = htobe16(0x800); STORE_BY_BITMASK(uint8_t, , 0x10000016, 0x11, 0, 4); STORE_BY_BITMASK(uint8_t, , 0x10000016, 4, 4, 4); STORE_BY_BITMASK(uint8_t, , 0x10000017, 2, 0, 2); STORE_BY_BITMASK(uint8_t, , 0x10000017, 3, 2, 6); *(uint16_t*)0x10000018 = htobe16(0xe7); *(uint16_t*)0x1000001a = htobe16(0x66); *(uint16_t*)0x1000001c = htobe16(-1); *(uint8_t*)0x1000001e = 0; *(uint8_t*)0x1000001f = 0x5d; *(uint16_t*)0x10000020 = htobe16(0); *(uint32_t*)0x10000022 = htobe32(-1); *(uint32_t*)0x10000026 = htobe32(0xe0000001); *(uint8_t*)0x1000002a = 0x44; *(uint8_t*)0x1000002b = 6; memcpy((void*)0x1000002c, "\x01\x83\xb4\xa4", 4); *(uint8_t*)0x10000030 = 1; *(uint8_t*)0x10000031 = 1; *(uint8_t*)0x10000032 = 0x11; memcpy((void*)0x10000033, "\xdb\x1f\x84\xf6\x85\xce\x60\xf9\x1e\x89\x36\x88\xe9\x64\xb3", 15); *(uint8_t*)0x10000042 = 0x94; *(uint8_t*)0x10000043 = 6; *(uint32_t*)0x10000044 = htobe32(0x552b3dec); *(uint8_t*)0x10000048 = 0; *(uint8_t*)0x10000049 = 0x86; *(uint8_t*)0x1000004a = 0xf; memcpy((void*)0x1000004b, "\xc4\x0a\x26\x2a\xb0\x8e\xcf\x14\x8a\x55\x2a\xaa\x89", 13); *(uint8_t*)0x1000005a = 8; *(uint8_t*)0x1000005b = 0; *(uint16_t*)0x1000005c = htobe16(0); *(uint16_t*)0x1000005e = htobe16(0x1f); *(uint16_t*)0x10000060 = htobe16(0xae36); memcpy((void*)0x10000062, "\x14\x63\xe3\x81\xbd\x0e\x99\xfd\x71\x4b\xe2\x89\x0e\x54\x54\x74\x95\xf8\x6c\xac\xd7\x30\x55\x37\x6f\x19\x20\x7b\xad\x31\xa1\x37\x34\xaa\xcb\xa2\x8e\x2e\xc2\x7c\x9e\x3e\x30\xca\xe3\x44\xd1\xd5\xdc\x20\x12\x1b\x30\x0a\x45\x03\xf9\xd4\xd6\xba\x08\x66\x1f\x05\x6e\xd2\x70\xce\xcb\x2b\xd7\x24\x49\x70\x0f\xb8\xcf\xb5\x44\xca\x92\xb4\xca\x73\xae\x6f\xb3\x5c\xbc\x90\xe4\x99\x37\x75\x7e\xa5\xa5\x4d\x78\xdb\xb0\xaa\xc5\xf9\x3a\x36\xc7\xb5\xad\xc9\x75\xcd\xb1\xeb\x94\x63\x06\x5c\xde\x07\x19\x23\xf7\xf8\x77\x17\x92\xe8\xb7\x54\x1e\x60\xf7\xa9\x39\x58\xbb\x12\x8b\x93\xce\x90\xd8\x87\xfc\xb0\x62\x23\x5b\xd3\x8a\xb0\xc6\x29\x9b", 155); struct csum_inet csum_1; csum_inet_init(&csum_1); csum_inet_update(&csum_1, (const uint8_t*)0x1000005a, 163); *(uint16_t*)0x1000005c = csum_inet_digest(&csum_1); struct csum_inet csum_2; csum_inet_init(&csum_2); csum_inet_update(&csum_2, (const uint8_t*)0x10000016, 68); *(uint16_t*)0x10000020 = csum_inet_digest(&csum_2); break; case 11: memcpy((void*)0x10000100, "\xc4\xe1\x8d\x71\xf2\x8b\x66\x0f\x38\x0b\x95\xf2\x00\x00\x00\x2e\x0f\x6b\x88\x00\x00\x00\x00\x66\x0f\x71\xf3\x06\x3e\x7a\x0d\xc4\xe2\x21\x46\xae\x00\x00\x00\x00\x0f\x01\xde\xc4\xe2\xa1\x93\x64\x8e\x00\xf2\xa7\x68\xa7\x5c\x70\xc8", 57); syz_execute_func(0x10000100); break; case 12: break; } } int main(void) { syscall(SYS_mmap, 0x10000000, 0x1000000, 7, 0x1012, -1, 0); use_temporary_dir(); loop(); return 0; } :389:11: error: use of undeclared identifier 'SYS___realpathat' syscall(SYS___realpathat, (intptr_t)r[0], 0x10000b40, 0x10000b80, 5, 0); ^ 1 error generated. compiler invocation: clang [-o /tmp/syz-executor641564248 -DGOOS_freebsd=1 -DGOARCH_386=1 -DHOSTGOOS_freebsd=1 -x c - -m32 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -static -lc++ -Wno-overflow] --- FAIL: TestGenerate/freebsd/386/12 (1.90s) csource_test.go:123: opts: {Threaded:true Collide:false Repeat:true RepeatTimes:0 Procs:0 Sandbox:none Fault:false FaultCall:0 FaultNth:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false USB:false VhciInjection:false Wifi:false UseTmpDir:true HandleSegv:false Repro:true Trace:false} program: ioctl$DIOCRTSTADDRS(0xffffffffffffffff, 0xc4504449, &(0x7f0000000080)={{"c33ae1d7ace1241b1c03eaefebf74db163915a0bf1b388f6c36d59c77891254f65b0c984fc2be1b080c3b8c3d5d42292e58ea3e02d3b74272f3656e00e4d131b3b07713fd9cb86b40808514f58bbf7d626ad55439d194e4acade743a7354457424539c29442e24022a9f68154fa633c3e609a5e371789177d16a8405b3a4703f49372a512ba8ee4a3851f79b01ab4a3f3cf65f410399a271347b2c68cd28c5f5904ef5d4612399dc9e8a0829ae73c99c50f0f576bf16d38efcbf66476b785431a5e93171168e0fbcdbd6d3cf1ba657ecf14ba60f6e8f18e0da4d7a13db337b7508b7b7de2ff1de6a7bb94e8b8143d4ad6188501d04302cde08629001bfca810e5533adeb14a0ee4c8d244694e091a5d177608a3850188eb6f839a7c626d3dc390bc9a0e9faa35c7d10229d14382e2031e8aa3f7cd066bb6bc0e8f6259d365502a85d13d71bd1ab5ef28a701925e23beb531ca1a93101a0db35a6e8d797d46f053d4562b0c3896cfb91669869f82259c073c4eb7b65afa62b0a37ff5ead5be57187a37ce3c5af9b37d50a89c28f8fed5953173f8df188ba31f5dfd3973e12edf11ae5917eb0657b3796f76784c03c1aa13a7b1a15ddf54ed277387f7ea4057b81b1126391d5d37ac2c878f68444613d8c942510e03ffe6b6813268f4b067c8793642023b5ca52a7fcbb7f96f675f87b82ddec5507168d1fd3b4c166cd5cd12d68a266f1b2eaee4159b990b9d62e88844752ee03ff4adc97a993618c0c856c0c2bfe4760389cef292861251120a1c36147f33f5a217ed56da6858721fc11aacc711cfa74e7d60cb1e27263995fc9c49dd3a37b34872acd3b31ef031cd39ea4e0ff2635f44e8b561cbcdf2095d3cee586d296985153644b802f69ea2e11fa1e71be713c49e8a7475f26eec3fad432cfeecaff2a84a91e3ad7cb6e2cea970fa3aa2861c5571958783dc339462f2b5235e8139e6f292f98ffaf46150b32dbd906b13ff5d6a45f4401f77971df4ecf24d7c9618b57f5d40a674b4b2d4c7da929b5a187c3bf773c882d48a3b90ac191f651bcc38ac462264e6dc4db77e8e8631e3aed0bd0d2c0b62baf69bd5ebdea1440256d7d5998dcb0c9bd7c3d191fd8254e82b92a3183601a8d5a98737f6631a7b3dd58fe77a557cfc7b5d00376db39ec531d396affab1d89135c3fe860d313a240e6582ef96d18781702eaba44036558294bd3f20650674928191ac8553697fd654475575fb16d4466190c14f686e6bca7ab1e919c37814bf6c1c9905106ff673f1a4f5969b0b8194f62b21f0fe4e8980b87d1962813029f7bc998c955de450f7a4b8efe45036e881bf9547269211ec700c23b26590120ecb904fa41acae742afe32c72404e1520a0eea2d02b0703efb2b0a495005083abb84a59f2055b70e0c39160ef59e034c68c4435f3e838ca2ffa3e343d6", "138ccaa45ad3df6da8a039dc2887ebe89dab7a81e1f6de3b8e1abca71f8fbc2a", 0x8, 0x40}, &(0x7f0000000000)="504164a018f8c2ab990fb138243a70bd1f9a5a21226eb18c830cd2aee4cfa0165754b334163230f4aac7a16f736d4efa94ea1f0266595ca44bfed993e0ae9226e10a4fb125bfc2ae29e2431c6972", 0x9, 0x2, 0x2, 0x6, 0x80000000, 0x81, 0x40, 0x5}) ioctl$DIOCRCLRTSTATS(0xffffffffffffffff, 0xc4504441, &(0x7f0000000540)={{"5a74125d9b2c6db6fa88cd72b2e4b45a4bb5343951f9de38b63392fff5edac8795d2beab5485383a33632bdbbf6f496ff138614dc9f9516e111cc5aa4570ca19d4497b89b258f65b710d4d3f4e1dafe43f70baf51da5e101069884b3b8f5358cf7e246d24cdc123b10ba6605ba46ae5178d1fe2c4b2c9fa3f3f3c145ae6066e31d33768591341acf8fad9033b9ced22813d20dc77eedce619c7bb65ba0a889e0fefb8281c0a88ee64a29746b6ff0e9d2db70e8180bdee380f08fb194dce295e1eaa893709be9bfe39775c4232328159ad9c3aa4224dd0cbe3341145b89f6f9c170e619f590b0bf0493b74973f4fba6b974f2bdee806b5c604cc8222b1543f6693a85d96b56b09110bb8928e8016dfd309b61c579a6c345887f50be646f182829b1ab66a27db812eb4cacba79bc9d98cb18310940f74a4602cb85692b42fe8a99c95ae91a67195c048d2000ae4350f89baffd5c7d292e228f25c7eb924fc8693ee38573287e389e35746fbaa37ab9b770b351e367bf05e00d7dbd68db30b87975757cb251365916cda5a363ff40d96aaf33233bb14115dab9efe4649e40f2e5e01db2d65a3043302d9f1f08595a448cccb7a717c6954c7233411d08e1140f2ac5fb625cd1b6b6586561e66ded23f69e3d017a64bd221f2d3f274d846940aab424e829050ee33dd6ce69cc50c693ad316a7f90817317b21f719016c31c22d9ca46cfcb467122979e8c55f690c49b89b04564ce70f96ebd09edb40687017be21c8f567d6b152bcc830736a9320181d88a979e506b50acb148545987b361023ca78bdde928624018aeae51e3f86c3b540b16051d3881a98d1aa02910c94460a0f95310c25bf7a996e41c17f2399e760323b4f417bfc5225d705468066faf9027404c4271fc37ecf73f1470a998274a79286baed6ca7c4a88c827e96b4ea96f0bf23ff9afaded0937704cc63d24b3bcf0d62551d7a8f300114437c624d2c14e90d084aefe7963a2a88882eda723c328c360a296f98ea7fd565a4b58222c1b4e89dabc7078fff6f23ceebcedb8813d3712d3c7f7f6f083fbb19e724a2027f16f1c8e2f660112421ba698699a0481330c0baca6b7b8e4515006178e1b078b6ca6306b9aedf73f0ce22da0a0637929ab2a917cf65300bf90f2378ab6494a04bcf87b9afb7eb746fb016cb6db0ba3faa85ca8f51b7e9bd8a9cd9c79fb77730f0eaf32be459cde898e323a9ed52951f8cbb25ed095b4d53c02bbef1e646dd556a9b69e2dd55f5bba3c7e3548bd01227f2b4d28f2597e4cb2f48232fa0a9adad4db26d412f2c698f03195a68d5548ea1991fa68a7a23d552cd61b2bc69513b1cf737c252fb9aac500262c9e47b9a680c74c7a060083d59165386982b5053f5683537ba139d61f494ac501142300efbc216cf4b9390de0ab29400bcdf5dea05156c1301df3f0", "21c62cdf3e9152798235fbe946d77dc7a78f8ed9d987a3e5964236d1a7081389", 0x7, 0x85}, &(0x7f0000000500)="52b4622b0f6dc8eee7e26956deb6651f580fa2cd", 0x9, 0x3f, 0x401, 0x7fffffff, 0x10000000000, 0xfff, 0x100000000000000, 0x1}) syz_emit_ethernet(0x9d, &(0x7f00000009c0)={@random="5374adcfed27", @empty, [], {@ipv6={0x86dd, {0x9, 0x6, "d88240", 0x67, 0x8b, 0x0, @empty, @loopback, {[], @generic="f4b4cf43a7aef20c31e14bee9247103031ea180ffe1999bfb047b666122e7a31f3bbb765984dd66d0048dd884c5046769fda23d1698a23839cf3afbf15305873bb5343f5d2c95230a99726afd87dcdcda40de7adeac5954ec93c0c6c3d669177e7f932bd8d9833"}}}}}) setsockopt$inet_sctp_SCTP_FRAGMENT_INTERLEAVE(0xffffffffffffff9c, 0x84, 0x10, &(0x7f0000000a80), 0x4) r0 = fcntl$dupfd(0xffffffffffffff9c, 0x11, 0xffffffffffffff9c) ioctl$DIOCADDADDR(r0, 0xc4704434, &(0x7f0000000ac0)="50e16a4f1711c681ab660d59a3d967a097bb87f063f4c49ba1a443373d02dee51448a79f1acb5a806f25197c29a6ad5c10db0a546c3a5014ab8c80b4f8594c1b9d424603") __realpathat(r0, &(0x7f0000000b40)='./file0\x00', &(0x7f0000000b80)=""/5, 0x5, 0x0) accept(r0, &(0x7f0000000bc0)=@in6={0x1c, 0x1c, 0xffffffffffffffff, 0x0, @loopback}, &(0x7f0000000c00)=0x1c) ioctl$DIOCGETLIMIT(r0, 0xc0084427, &(0x7f0000000c40)={0x5, 0x2}) lchmod(&(0x7f0000000c80)='./file0\x00', 0x2) syz_emit_ethernet(0xfd, &(0x7f0000000000)={@local, @local, [{[{0x88a8, 0x1}], {0x8100, 0x2, 0x0, 0x1}}], {@ipv4={0x800, {{0x11, 0x4, 0x2, 0x3, 0xe7, 0x66, 0xffff, 0x0, 0x5d, 0x0, @broadcast, @multicast1, {[@generic={0x44, 0x6, "0183b4a4"}, @noop, @generic={0x1, 0x11, "db1f84f685ce60f91e893688e964b3"}, @ra={0x94, 0x6, 0x552b3dec}, @end, @generic={0x86, 0xf, "c40a262ab08ecf148a552aaa89"}]}}, @icmp=@echo={0x8, 0x0, 0x0, 0x1f, 0xae36, "1463e381bd0e99fd714be2890e54547495f86cacd73055376f19207bad31a13734aacba28e2ec27c9e3e30cae344d1d5dc20121b300a4503f9d4d6ba08661f056ed270cecb2bd72449700fb8cfb544ca92b4ca73ae6fb35cbc90e49937757ea5a54d78dbb0aac5f93a36c7b5adc975cdb1eb9463065cde071923f7f8771792e8b7541e60f7a93958bb128b93ce90d887fcb062235bd38ab0c6299b"}}}}}) syz_execute_func(&(0x7f0000000100)="c4e18d71f28b660f380b95f20000002e0f6b8800000000660f71f3063e7a0dc4e22146ae000000000f01dec4e2a193648e00f2a768a75c70c8") syz_extract_tcp_res(&(0x7f0000000140), 0x62, 0x8001) csource_test.go:124: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include static void kill_and_wait(int pid, int* status) { kill(pid, SIGKILL); while (waitpid(-1, status, 0) != pid) { } } static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void use_temporary_dir(void) { char tmpdir_template[] = "./syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) exit(1); if (chmod(tmpdir, 0777)) exit(1); if (chdir(tmpdir)) exit(1); } static void __attribute__((noinline)) remove_dir(const char* dir) { DIR* dp = opendir(dir); if (dp == NULL) { if (errno == EACCES) { if (rmdir(dir)) exit(1); return; } exit(1); } struct dirent* ep = 0; while ((ep = readdir(dp))) { if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0) continue; char filename[FILENAME_MAX]; snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name); struct stat st; if (lstat(filename, &st)) exit(1); if (S_ISDIR(st.st_mode)) { remove_dir(filename); continue; } if (unlink(filename)) exit(1); } closedir(dp); if (rmdir(dir)) exit(1); } static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); pthread_attr_setstacksize(&attr, 128 << 10); int i = 0; for (; i < 100; i++) { if (pthread_create(&th, &attr, fn, arg) == 0) { pthread_attr_destroy(&attr); return; } if (errno == EAGAIN) { usleep(50); continue; } break; } exit(1); } typedef struct { pthread_mutex_t mu; pthread_cond_t cv; int state; } event_t; static void event_init(event_t* ev) { if (pthread_mutex_init(&ev->mu, 0)) exit(1); if (pthread_cond_init(&ev->cv, 0)) exit(1); ev->state = 0; } static void event_reset(event_t* ev) { ev->state = 0; } static void event_set(event_t* ev) { pthread_mutex_lock(&ev->mu); if (ev->state) exit(1); ev->state = 1; pthread_mutex_unlock(&ev->mu); pthread_cond_broadcast(&ev->cv); } static void event_wait(event_t* ev) { pthread_mutex_lock(&ev->mu); while (!ev->state) pthread_cond_wait(&ev->cv, &ev->mu); pthread_mutex_unlock(&ev->mu); } static int event_isset(event_t* ev) { pthread_mutex_lock(&ev->mu); int res = ev->state; pthread_mutex_unlock(&ev->mu); return res; } static int event_timedwait(event_t* ev, uint64_t timeout) { uint64_t start = current_time_ms(); uint64_t now = start; pthread_mutex_lock(&ev->mu); for (;;) { if (ev->state) break; uint64_t remain = timeout - (now - start); struct timespec ts; ts.tv_sec = remain / 1000; ts.tv_nsec = (remain % 1000) * 1000 * 1000; pthread_cond_timedwait(&ev->cv, &ev->mu, &ts); now = current_time_ms(); if (now - start > timeout) break; } int res = ev->state; pthread_mutex_unlock(&ev->mu); return res; } #define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off)) #define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len)))) struct csum_inet { uint32_t acc; }; static void csum_inet_init(struct csum_inet* csum) { csum->acc = 0; } static void csum_inet_update(struct csum_inet* csum, const uint8_t* data, size_t length) { if (length == 0) return; size_t i = 0; for (; i < length - 1; i += 2) csum->acc += *(uint16_t*)&data[i]; if (length & 1) csum->acc += le16toh((uint16_t)data[length - 1]); while (csum->acc > 0xffff) csum->acc = (csum->acc & 0xffff) + (csum->acc >> 16); } static uint16_t csum_inet_digest(struct csum_inet* csum) { return ~csum->acc; } static void sandbox_common() { if (setsid() == -1) exit(1); struct rlimit rlim; rlim.rlim_cur = rlim.rlim_max = 128 << 20; setrlimit(RLIMIT_AS, &rlim); rlim.rlim_cur = rlim.rlim_max = 8 << 20; setrlimit(RLIMIT_MEMLOCK, &rlim); rlim.rlim_cur = rlim.rlim_max = 1 << 20; setrlimit(RLIMIT_FSIZE, &rlim); rlim.rlim_cur = rlim.rlim_max = 1 << 20; setrlimit(RLIMIT_STACK, &rlim); rlim.rlim_cur = rlim.rlim_max = 0; setrlimit(RLIMIT_CORE, &rlim); rlim.rlim_cur = rlim.rlim_max = 256; setrlimit(RLIMIT_NOFILE, &rlim); } static void loop(); static int do_sandbox_none(void) { sandbox_common(); loop(); return 0; } static long syz_execute_func(volatile long text) { ((void (*)(void))(text))(); return 0; } struct thread_t { int created, call; event_t ready, done; }; static struct thread_t threads[16]; static void execute_call(int call); static int running; static void* thr(void* arg) { struct thread_t* th = (struct thread_t*)arg; for (;;) { event_wait(&th->ready); event_reset(&th->ready); execute_call(th->call); __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED); event_set(&th->done); } return 0; } static void execute_one(void) { if (write(1, "executing program\n", sizeof("executing program\n") - 1)) { } int i, call, thread; for (call = 0; call < 13; call++) { for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) { struct thread_t* th = &threads[thread]; if (!th->created) { th->created = 1; event_init(&th->ready); event_init(&th->done); event_set(&th->done); thread_start(thr, th); } if (!event_isset(&th->done)) continue; event_reset(&th->done); th->call = call; __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED); event_set(&th->ready); event_timedwait(&th->done, 45); break; } } for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++) sleep_ms(1); } static void execute_one(void); #define WAIT_FLAGS 0 static void loop(void) { int iter = 0; for (;; iter++) { char cwdbuf[32]; sprintf(cwdbuf, "./%d", iter); if (mkdir(cwdbuf, 0777)) exit(1); int pid = fork(); if (pid < 0) exit(1); if (pid == 0) { if (chdir(cwdbuf)) exit(1); execute_one(); exit(0); } int status = 0; uint64_t start = current_time_ms(); for (;;) { if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) break; sleep_ms(1); if (current_time_ms() - start < 5 * 1000) continue; kill_and_wait(pid, &status); break; } remove_dir(cwdbuf); } } uint64_t r[1] = {0xffffffffffffffff}; void execute_call(int call) { intptr_t res = 0; switch (call) { case 0: memcpy((void*)0x10000080, "\xc3\x3a\xe1\xd7\xac\xe1\x24\x1b\x1c\x03\xea\xef\xeb\xf7\x4d\xb1\x63\x91\x5a\x0b\xf1\xb3\x88\xf6\xc3\x6d\x59\xc7\x78\x91\x25\x4f\x65\xb0\xc9\x84\xfc\x2b\xe1\xb0\x80\xc3\xb8\xc3\xd5\xd4\x22\x92\xe5\x8e\xa3\xe0\x2d\x3b\x74\x27\x2f\x36\x56\xe0\x0e\x4d\x13\x1b\x3b\x07\x71\x3f\xd9\xcb\x86\xb4\x08\x08\x51\x4f\x58\xbb\xf7\xd6\x26\xad\x55\x43\x9d\x19\x4e\x4a\xca\xde\x74\x3a\x73\x54\x45\x74\x24\x53\x9c\x29\x44\x2e\x24\x02\x2a\x9f\x68\x15\x4f\xa6\x33\xc3\xe6\x09\xa5\xe3\x71\x78\x91\x77\xd1\x6a\x84\x05\xb3\xa4\x70\x3f\x49\x37\x2a\x51\x2b\xa8\xee\x4a\x38\x51\xf7\x9b\x01\xab\x4a\x3f\x3c\xf6\x5f\x41\x03\x99\xa2\x71\x34\x7b\x2c\x68\xcd\x28\xc5\xf5\x90\x4e\xf5\xd4\x61\x23\x99\xdc\x9e\x8a\x08\x29\xae\x73\xc9\x9c\x50\xf0\xf5\x76\xbf\x16\xd3\x8e\xfc\xbf\x66\x47\x6b\x78\x54\x31\xa5\xe9\x31\x71\x16\x8e\x0f\xbc\xdb\xd6\xd3\xcf\x1b\xa6\x57\xec\xf1\x4b\xa6\x0f\x6e\x8f\x18\xe0\xda\x4d\x7a\x13\xdb\x33\x7b\x75\x08\xb7\xb7\xde\x2f\xf1\xde\x6a\x7b\xb9\x4e\x8b\x81\x43\xd4\xad\x61\x88\x50\x1d\x04\x30\x2c\xde\x08\x62\x90\x01\xbf\xca\x81\x0e\x55\x33\xad\xeb\x14\xa0\xee\x4c\x8d\x24\x46\x94\xe0\x91\xa5\xd1\x77\x60\x8a\x38\x50\x18\x8e\xb6\xf8\x39\xa7\xc6\x26\xd3\xdc\x39\x0b\xc9\xa0\xe9\xfa\xa3\x5c\x7d\x10\x22\x9d\x14\x38\x2e\x20\x31\xe8\xaa\x3f\x7c\xd0\x66\xbb\x6b\xc0\xe8\xf6\x25\x9d\x36\x55\x02\xa8\x5d\x13\xd7\x1b\xd1\xab\x5e\xf2\x8a\x70\x19\x25\xe2\x3b\xeb\x53\x1c\xa1\xa9\x31\x01\xa0\xdb\x35\xa6\xe8\xd7\x97\xd4\x6f\x05\x3d\x45\x62\xb0\xc3\x89\x6c\xfb\x91\x66\x98\x69\xf8\x22\x59\xc0\x73\xc4\xeb\x7b\x65\xaf\xa6\x2b\x0a\x37\xff\x5e\xad\x5b\xe5\x71\x87\xa3\x7c\xe3\xc5\xaf\x9b\x37\xd5\x0a\x89\xc2\x8f\x8f\xed\x59\x53\x17\x3f\x8d\xf1\x88\xba\x31\xf5\xdf\xd3\x97\x3e\x12\xed\xf1\x1a\xe5\x91\x7e\xb0\x65\x7b\x37\x96\xf7\x67\x84\xc0\x3c\x1a\xa1\x3a\x7b\x1a\x15\xdd\xf5\x4e\xd2\x77\x38\x7f\x7e\xa4\x05\x7b\x81\xb1\x12\x63\x91\xd5\xd3\x7a\xc2\xc8\x78\xf6\x84\x44\x61\x3d\x8c\x94\x25\x10\xe0\x3f\xfe\x6b\x68\x13\x26\x8f\x4b\x06\x7c\x87\x93\x64\x20\x23\xb5\xca\x52\xa7\xfc\xbb\x7f\x96\xf6\x75\xf8\x7b\x82\xdd\xec\x55\x07\x16\x8d\x1f\xd3\xb4\xc1\x66\xcd\x5c\xd1\x2d\x68\xa2\x66\xf1\xb2\xea\xee\x41\x59\xb9\x90\xb9\xd6\x2e\x88\x84\x47\x52\xee\x03\xff\x4a\xdc\x97\xa9\x93\x61\x8c\x0c\x85\x6c\x0c\x2b\xfe\x47\x60\x38\x9c\xef\x29\x28\x61\x25\x11\x20\xa1\xc3\x61\x47\xf3\x3f\x5a\x21\x7e\xd5\x6d\xa6\x85\x87\x21\xfc\x11\xaa\xcc\x71\x1c\xfa\x74\xe7\xd6\x0c\xb1\xe2\x72\x63\x99\x5f\xc9\xc4\x9d\xd3\xa3\x7b\x34\x87\x2a\xcd\x3b\x31\xef\x03\x1c\xd3\x9e\xa4\xe0\xff\x26\x35\xf4\x4e\x8b\x56\x1c\xbc\xdf\x20\x95\xd3\xce\xe5\x86\xd2\x96\x98\x51\x53\x64\x4b\x80\x2f\x69\xea\x2e\x11\xfa\x1e\x71\xbe\x71\x3c\x49\xe8\xa7\x47\x5f\x26\xee\xc3\xfa\xd4\x32\xcf\xee\xca\xff\x2a\x84\xa9\x1e\x3a\xd7\xcb\x6e\x2c\xea\x97\x0f\xa3\xaa\x28\x61\xc5\x57\x19\x58\x78\x3d\xc3\x39\x46\x2f\x2b\x52\x35\xe8\x13\x9e\x6f\x29\x2f\x98\xff\xaf\x46\x15\x0b\x32\xdb\xd9\x06\xb1\x3f\xf5\xd6\xa4\x5f\x44\x01\xf7\x79\x71\xdf\x4e\xcf\x24\xd7\xc9\x61\x8b\x57\xf5\xd4\x0a\x67\x4b\x4b\x2d\x4c\x7d\xa9\x29\xb5\xa1\x87\xc3\xbf\x77\x3c\x88\x2d\x48\xa3\xb9\x0a\xc1\x91\xf6\x51\xbc\xc3\x8a\xc4\x62\x26\x4e\x6d\xc4\xdb\x77\xe8\xe8\x63\x1e\x3a\xed\x0b\xd0\xd2\xc0\xb6\x2b\xaf\x69\xbd\x5e\xbd\xea\x14\x40\x25\x6d\x7d\x59\x98\xdc\xb0\xc9\xbd\x7c\x3d\x19\x1f\xd8\x25\x4e\x82\xb9\x2a\x31\x83\x60\x1a\x8d\x5a\x98\x73\x7f\x66\x31\xa7\xb3\xdd\x58\xfe\x77\xa5\x57\xcf\xc7\xb5\xd0\x03\x76\xdb\x39\xec\x53\x1d\x39\x6a\xff\xab\x1d\x89\x13\x5c\x3f\xe8\x60\xd3\x13\xa2\x40\xe6\x58\x2e\xf9\x6d\x18\x78\x17\x02\xea\xba\x44\x03\x65\x58\x29\x4b\xd3\xf2\x06\x50\x67\x49\x28\x19\x1a\xc8\x55\x36\x97\xfd\x65\x44\x75\x57\x5f\xb1\x6d\x44\x66\x19\x0c\x14\xf6\x86\xe6\xbc\xa7\xab\x1e\x91\x9c\x37\x81\x4b\xf6\xc1\xc9\x90\x51\x06\xff\x67\x3f\x1a\x4f\x59\x69\xb0\xb8\x19\x4f\x62\xb2\x1f\x0f\xe4\xe8\x98\x0b\x87\xd1\x96\x28\x13\x02\x9f\x7b\xc9\x98\xc9\x55\xde\x45\x0f\x7a\x4b\x8e\xfe\x45\x03\x6e\x88\x1b\xf9\x54\x72\x69\x21\x1e\xc7\x00\xc2\x3b\x26\x59\x01\x20\xec\xb9\x04\xfa\x41\xac\xae\x74\x2a\xfe\x32\xc7\x24\x04\xe1\x52\x0a\x0e\xea\x2d\x02\xb0\x70\x3e\xfb\x2b\x0a\x49\x50\x05\x08\x3a\xbb\x84\xa5\x9f\x20\x55\xb7\x0e\x0c\x39\x16\x0e\xf5\x9e\x03\x4c\x68\xc4\x43\x5f\x3e\x83\x8c\xa2\xff\xa3\xe3\x43\xd6", 1024); memcpy((void*)0x10000480, "\x13\x8c\xca\xa4\x5a\xd3\xdf\x6d\xa8\xa0\x39\xdc\x28\x87\xeb\xe8\x9d\xab\x7a\x81\xe1\xf6\xde\x3b\x8e\x1a\xbc\xa7\x1f\x8f\xbc\x2a", 32); *(uint32_t*)0x100004a0 = 8; *(uint8_t*)0x100004a4 = 0x40; *(uint32_t*)0x100004a8 = 0x10000000; memcpy((void*)0x10000000, "\x50\x41\x64\xa0\x18\xf8\xc2\xab\x99\x0f\xb1\x38\x24\x3a\x70\xbd\x1f\x9a\x5a\x21\x22\x6e\xb1\x8c\x83\x0c\xd2\xae\xe4\xcf\xa0\x16\x57\x54\xb3\x34\x16\x32\x30\xf4\xaa\xc7\xa1\x6f\x73\x6d\x4e\xfa\x94\xea\x1f\x02\x66\x59\x5c\xa4\x4b\xfe\xd9\x93\xe0\xae\x92\x26\xe1\x0a\x4f\xb1\x25\xbf\xc2\xae\x29\xe2\x43\x1c\x69\x72", 78); *(uint64_t*)0x100004ac = 9; *(uint64_t*)0x100004b4 = 2; *(uint64_t*)0x100004bc = 2; *(uint64_t*)0x100004c4 = 6; *(uint64_t*)0x100004cc = 0x80000000; *(uint64_t*)0x100004d4 = 0x81; *(uint64_t*)0x100004dc = 0x40; *(uint32_t*)0x100004e4 = 5; syscall(SYS_ioctl, -1, 0xc4504449, 0x10000080); break; case 1: memcpy((void*)0x10000540, "\x5a\x74\x12\x5d\x9b\x2c\x6d\xb6\xfa\x88\xcd\x72\xb2\xe4\xb4\x5a\x4b\xb5\x34\x39\x51\xf9\xde\x38\xb6\x33\x92\xff\xf5\xed\xac\x87\x95\xd2\xbe\xab\x54\x85\x38\x3a\x33\x63\x2b\xdb\xbf\x6f\x49\x6f\xf1\x38\x61\x4d\xc9\xf9\x51\x6e\x11\x1c\xc5\xaa\x45\x70\xca\x19\xd4\x49\x7b\x89\xb2\x58\xf6\x5b\x71\x0d\x4d\x3f\x4e\x1d\xaf\xe4\x3f\x70\xba\xf5\x1d\xa5\xe1\x01\x06\x98\x84\xb3\xb8\xf5\x35\x8c\xf7\xe2\x46\xd2\x4c\xdc\x12\x3b\x10\xba\x66\x05\xba\x46\xae\x51\x78\xd1\xfe\x2c\x4b\x2c\x9f\xa3\xf3\xf3\xc1\x45\xae\x60\x66\xe3\x1d\x33\x76\x85\x91\x34\x1a\xcf\x8f\xad\x90\x33\xb9\xce\xd2\x28\x13\xd2\x0d\xc7\x7e\xed\xce\x61\x9c\x7b\xb6\x5b\xa0\xa8\x89\xe0\xfe\xfb\x82\x81\xc0\xa8\x8e\xe6\x4a\x29\x74\x6b\x6f\xf0\xe9\xd2\xdb\x70\xe8\x18\x0b\xde\xe3\x80\xf0\x8f\xb1\x94\xdc\xe2\x95\xe1\xea\xa8\x93\x70\x9b\xe9\xbf\xe3\x97\x75\xc4\x23\x23\x28\x15\x9a\xd9\xc3\xaa\x42\x24\xdd\x0c\xbe\x33\x41\x14\x5b\x89\xf6\xf9\xc1\x70\xe6\x19\xf5\x90\xb0\xbf\x04\x93\xb7\x49\x73\xf4\xfb\xa6\xb9\x74\xf2\xbd\xee\x80\x6b\x5c\x60\x4c\xc8\x22\x2b\x15\x43\xf6\x69\x3a\x85\xd9\x6b\x56\xb0\x91\x10\xbb\x89\x28\xe8\x01\x6d\xfd\x30\x9b\x61\xc5\x79\xa6\xc3\x45\x88\x7f\x50\xbe\x64\x6f\x18\x28\x29\xb1\xab\x66\xa2\x7d\xb8\x12\xeb\x4c\xac\xba\x79\xbc\x9d\x98\xcb\x18\x31\x09\x40\xf7\x4a\x46\x02\xcb\x85\x69\x2b\x42\xfe\x8a\x99\xc9\x5a\xe9\x1a\x67\x19\x5c\x04\x8d\x20\x00\xae\x43\x50\xf8\x9b\xaf\xfd\x5c\x7d\x29\x2e\x22\x8f\x25\xc7\xeb\x92\x4f\xc8\x69\x3e\xe3\x85\x73\x28\x7e\x38\x9e\x35\x74\x6f\xba\xa3\x7a\xb9\xb7\x70\xb3\x51\xe3\x67\xbf\x05\xe0\x0d\x7d\xbd\x68\xdb\x30\xb8\x79\x75\x75\x7c\xb2\x51\x36\x59\x16\xcd\xa5\xa3\x63\xff\x40\xd9\x6a\xaf\x33\x23\x3b\xb1\x41\x15\xda\xb9\xef\xe4\x64\x9e\x40\xf2\xe5\xe0\x1d\xb2\xd6\x5a\x30\x43\x30\x2d\x9f\x1f\x08\x59\x5a\x44\x8c\xcc\xb7\xa7\x17\xc6\x95\x4c\x72\x33\x41\x1d\x08\xe1\x14\x0f\x2a\xc5\xfb\x62\x5c\xd1\xb6\xb6\x58\x65\x61\xe6\x6d\xed\x23\xf6\x9e\x3d\x01\x7a\x64\xbd\x22\x1f\x2d\x3f\x27\x4d\x84\x69\x40\xaa\xb4\x24\xe8\x29\x05\x0e\xe3\x3d\xd6\xce\x69\xcc\x50\xc6\x93\xad\x31\x6a\x7f\x90\x81\x73\x17\xb2\x1f\x71\x90\x16\xc3\x1c\x22\xd9\xca\x46\xcf\xcb\x46\x71\x22\x97\x9e\x8c\x55\xf6\x90\xc4\x9b\x89\xb0\x45\x64\xce\x70\xf9\x6e\xbd\x09\xed\xb4\x06\x87\x01\x7b\xe2\x1c\x8f\x56\x7d\x6b\x15\x2b\xcc\x83\x07\x36\xa9\x32\x01\x81\xd8\x8a\x97\x9e\x50\x6b\x50\xac\xb1\x48\x54\x59\x87\xb3\x61\x02\x3c\xa7\x8b\xdd\xe9\x28\x62\x40\x18\xae\xae\x51\xe3\xf8\x6c\x3b\x54\x0b\x16\x05\x1d\x38\x81\xa9\x8d\x1a\xa0\x29\x10\xc9\x44\x60\xa0\xf9\x53\x10\xc2\x5b\xf7\xa9\x96\xe4\x1c\x17\xf2\x39\x9e\x76\x03\x23\xb4\xf4\x17\xbf\xc5\x22\x5d\x70\x54\x68\x06\x6f\xaf\x90\x27\x40\x4c\x42\x71\xfc\x37\xec\xf7\x3f\x14\x70\xa9\x98\x27\x4a\x79\x28\x6b\xae\xd6\xca\x7c\x4a\x88\xc8\x27\xe9\x6b\x4e\xa9\x6f\x0b\xf2\x3f\xf9\xaf\xad\xed\x09\x37\x70\x4c\xc6\x3d\x24\xb3\xbc\xf0\xd6\x25\x51\xd7\xa8\xf3\x00\x11\x44\x37\xc6\x24\xd2\xc1\x4e\x90\xd0\x84\xae\xfe\x79\x63\xa2\xa8\x88\x82\xed\xa7\x23\xc3\x28\xc3\x60\xa2\x96\xf9\x8e\xa7\xfd\x56\x5a\x4b\x58\x22\x2c\x1b\x4e\x89\xda\xbc\x70\x78\xff\xf6\xf2\x3c\xee\xbc\xed\xb8\x81\x3d\x37\x12\xd3\xc7\xf7\xf6\xf0\x83\xfb\xb1\x9e\x72\x4a\x20\x27\xf1\x6f\x1c\x8e\x2f\x66\x01\x12\x42\x1b\xa6\x98\x69\x9a\x04\x81\x33\x0c\x0b\xac\xa6\xb7\xb8\xe4\x51\x50\x06\x17\x8e\x1b\x07\x8b\x6c\xa6\x30\x6b\x9a\xed\xf7\x3f\x0c\xe2\x2d\xa0\xa0\x63\x79\x29\xab\x2a\x91\x7c\xf6\x53\x00\xbf\x90\xf2\x37\x8a\xb6\x49\x4a\x04\xbc\xf8\x7b\x9a\xfb\x7e\xb7\x46\xfb\x01\x6c\xb6\xdb\x0b\xa3\xfa\xa8\x5c\xa8\xf5\x1b\x7e\x9b\xd8\xa9\xcd\x9c\x79\xfb\x77\x73\x0f\x0e\xaf\x32\xbe\x45\x9c\xde\x89\x8e\x32\x3a\x9e\xd5\x29\x51\xf8\xcb\xb2\x5e\xd0\x95\xb4\xd5\x3c\x02\xbb\xef\x1e\x64\x6d\xd5\x56\xa9\xb6\x9e\x2d\xd5\x5f\x5b\xba\x3c\x7e\x35\x48\xbd\x01\x22\x7f\x2b\x4d\x28\xf2\x59\x7e\x4c\xb2\xf4\x82\x32\xfa\x0a\x9a\xda\xd4\xdb\x26\xd4\x12\xf2\xc6\x98\xf0\x31\x95\xa6\x8d\x55\x48\xea\x19\x91\xfa\x68\xa7\xa2\x3d\x55\x2c\xd6\x1b\x2b\xc6\x95\x13\xb1\xcf\x73\x7c\x25\x2f\xb9\xaa\xc5\x00\x26\x2c\x9e\x47\xb9\xa6\x80\xc7\x4c\x7a\x06\x00\x83\xd5\x91\x65\x38\x69\x82\xb5\x05\x3f\x56\x83\x53\x7b\xa1\x39\xd6\x1f\x49\x4a\xc5\x01\x14\x23\x00\xef\xbc\x21\x6c\xf4\xb9\x39\x0d\xe0\xab\x29\x40\x0b\xcd\xf5\xde\xa0\x51\x56\xc1\x30\x1d\xf3\xf0", 1024); memcpy((void*)0x10000940, "\x21\xc6\x2c\xdf\x3e\x91\x52\x79\x82\x35\xfb\xe9\x46\xd7\x7d\xc7\xa7\x8f\x8e\xd9\xd9\x87\xa3\xe5\x96\x42\x36\xd1\xa7\x08\x13\x89", 32); *(uint32_t*)0x10000960 = 7; *(uint8_t*)0x10000964 = 0x85; *(uint32_t*)0x10000968 = 0x10000500; memcpy((void*)0x10000500, "\x52\xb4\x62\x2b\x0f\x6d\xc8\xee\xe7\xe2\x69\x56\xde\xb6\x65\x1f\x58\x0f\xa2\xcd", 20); *(uint64_t*)0x1000096c = 9; *(uint64_t*)0x10000974 = 0x3f; *(uint64_t*)0x1000097c = 0x401; *(uint64_t*)0x10000984 = 0x7fffffff; *(uint64_t*)0x1000098c = 0x10000000000; *(uint64_t*)0x10000994 = 0xfff; *(uint64_t*)0x1000099c = 0x100000000000000; *(uint32_t*)0x100009a4 = 1; syscall(SYS_ioctl, -1, 0xc4504441, 0x10000540); break; case 2: memcpy((void*)0x100009c0, "\x53\x74\xad\xcf\xed\x27", 6); *(uint8_t*)0x100009c6 = 0; *(uint8_t*)0x100009c7 = 0; *(uint8_t*)0x100009c8 = 0; *(uint8_t*)0x100009c9 = 0; *(uint8_t*)0x100009ca = 0; *(uint8_t*)0x100009cb = 0; *(uint16_t*)0x100009cc = htobe16(0x86dd); STORE_BY_BITMASK(uint8_t, , 0x100009ce, 9, 0, 4); STORE_BY_BITMASK(uint8_t, , 0x100009ce, 6, 4, 4); memcpy((void*)0x100009cf, "\xd8\x82\x40", 3); *(uint16_t*)0x100009d2 = htobe16(0x67); *(uint8_t*)0x100009d4 = 0x8b; *(uint8_t*)0x100009d5 = 0; *(uint8_t*)0x100009d6 = 0; *(uint8_t*)0x100009d7 = 0; *(uint8_t*)0x100009d8 = 0; *(uint8_t*)0x100009d9 = 0; *(uint8_t*)0x100009da = 0; *(uint8_t*)0x100009db = 0; *(uint8_t*)0x100009dc = 0; *(uint8_t*)0x100009dd = 0; *(uint8_t*)0x100009de = 0; *(uint8_t*)0x100009df = 0; *(uint8_t*)0x100009e0 = 0; *(uint8_t*)0x100009e1 = 0; *(uint8_t*)0x100009e2 = 0; *(uint8_t*)0x100009e3 = 0; *(uint8_t*)0x100009e4 = 0; *(uint8_t*)0x100009e5 = 0; *(uint64_t*)0x100009e6 = htobe64(0); *(uint64_t*)0x100009ee = htobe64(1); memcpy((void*)0x100009f6, "\xf4\xb4\xcf\x43\xa7\xae\xf2\x0c\x31\xe1\x4b\xee\x92\x47\x10\x30\x31\xea\x18\x0f\xfe\x19\x99\xbf\xb0\x47\xb6\x66\x12\x2e\x7a\x31\xf3\xbb\xb7\x65\x98\x4d\xd6\x6d\x00\x48\xdd\x88\x4c\x50\x46\x76\x9f\xda\x23\xd1\x69\x8a\x23\x83\x9c\xf3\xaf\xbf\x15\x30\x58\x73\xbb\x53\x43\xf5\xd2\xc9\x52\x30\xa9\x97\x26\xaf\xd8\x7d\xcd\xcd\xa4\x0d\xe7\xad\xea\xc5\x95\x4e\xc9\x3c\x0c\x6c\x3d\x66\x91\x77\xe7\xf9\x32\xbd\x8d\x98\x33", 103); break; case 3: *(uint32_t*)0x10000a80 = 0; syscall(SYS_setsockopt, 0xffffff9c, 0x84, 0x10, 0x10000a80, 4); break; case 4: res = syscall(SYS_fcntl, 0xffffff9c, 0x11, 0xffffff9c); if (res != -1) r[0] = res; break; case 5: memcpy((void*)0x10000ac0, "\x50\xe1\x6a\x4f\x17\x11\xc6\x81\xab\x66\x0d\x59\xa3\xd9\x67\xa0\x97\xbb\x87\xf0\x63\xf4\xc4\x9b\xa1\xa4\x43\x37\x3d\x02\xde\xe5\x14\x48\xa7\x9f\x1a\xcb\x5a\x80\x6f\x25\x19\x7c\x29\xa6\xad\x5c\x10\xdb\x0a\x54\x6c\x3a\x50\x14\xab\x8c\x80\xb4\xf8\x59\x4c\x1b\x9d\x42\x46\x03", 68); syscall(SYS_ioctl, (intptr_t)r[0], 0xc4704434, 0x10000ac0); break; case 6: memcpy((void*)0x10000b40, "./file0\000", 8); syscall(SYS___realpathat, (intptr_t)r[0], 0x10000b40, 0x10000b80, 5, 0); break; case 7: *(uint32_t*)0x10000c00 = 0x1c; syscall(SYS_accept, (intptr_t)r[0], 0x10000bc0, 0x10000c00); break; case 8: *(uint32_t*)0x10000c40 = 5; *(uint32_t*)0x10000c44 = 2; syscall(SYS_ioctl, (intptr_t)r[0], 0xc0084427, 0x10000c40); break; case 9: memcpy((void*)0x10000c80, "./file0\000", 8); syscall(SYS_lchmod, 0x10000c80, 2); break; case 10: *(uint8_t*)0x10000000 = 0xaa; *(uint8_t*)0x10000001 = 0xaa; *(uint8_t*)0x10000002 = 0xaa; *(uint8_t*)0x10000003 = 0xaa; *(uint8_t*)0x10000004 = 0xaa; *(uint8_t*)0x10000005 = 0xaa; *(uint8_t*)0x10000006 = 0xaa; *(uint8_t*)0x10000007 = 0xaa; *(uint8_t*)0x10000008 = 0xaa; *(uint8_t*)0x10000009 = 0xaa; *(uint8_t*)0x1000000a = 0xaa; *(uint8_t*)0x1000000b = 0xaa; *(uint16_t*)0x1000000c = htobe16(0x88a8); STORE_BY_BITMASK(uint16_t, , 0x1000000e, 1, 0, 3); STORE_BY_BITMASK(uint16_t, , 0x1000000e, 0, 3, 1); STORE_BY_BITMASK(uint16_t, , 0x1000000e, 0, 4, 12); *(uint16_t*)0x10000010 = htobe16(0x8100); STORE_BY_BITMASK(uint16_t, , 0x10000012, 2, 0, 3); STORE_BY_BITMASK(uint16_t, , 0x10000012, 0, 3, 1); STORE_BY_BITMASK(uint16_t, , 0x10000012, 1, 4, 12); *(uint16_t*)0x10000014 = htobe16(0x800); STORE_BY_BITMASK(uint8_t, , 0x10000016, 0x11, 0, 4); STORE_BY_BITMASK(uint8_t, , 0x10000016, 4, 4, 4); STORE_BY_BITMASK(uint8_t, , 0x10000017, 2, 0, 2); STORE_BY_BITMASK(uint8_t, , 0x10000017, 3, 2, 6); *(uint16_t*)0x10000018 = htobe16(0xe7); *(uint16_t*)0x1000001a = htobe16(0x66); *(uint16_t*)0x1000001c = htobe16(-1); *(uint8_t*)0x1000001e = 0; *(uint8_t*)0x1000001f = 0x5d; *(uint16_t*)0x10000020 = htobe16(0); *(uint32_t*)0x10000022 = htobe32(-1); *(uint32_t*)0x10000026 = htobe32(0xe0000001); *(uint8_t*)0x1000002a = 0x44; *(uint8_t*)0x1000002b = 6; memcpy((void*)0x1000002c, "\x01\x83\xb4\xa4", 4); *(uint8_t*)0x10000030 = 1; *(uint8_t*)0x10000031 = 1; *(uint8_t*)0x10000032 = 0x11; memcpy((void*)0x10000033, "\xdb\x1f\x84\xf6\x85\xce\x60\xf9\x1e\x89\x36\x88\xe9\x64\xb3", 15); *(uint8_t*)0x10000042 = 0x94; *(uint8_t*)0x10000043 = 6; *(uint32_t*)0x10000044 = htobe32(0x552b3dec); *(uint8_t*)0x10000048 = 0; *(uint8_t*)0x10000049 = 0x86; *(uint8_t*)0x1000004a = 0xf; memcpy((void*)0x1000004b, "\xc4\x0a\x26\x2a\xb0\x8e\xcf\x14\x8a\x55\x2a\xaa\x89", 13); *(uint8_t*)0x1000005a = 8; *(uint8_t*)0x1000005b = 0; *(uint16_t*)0x1000005c = htobe16(0); *(uint16_t*)0x1000005e = htobe16(0x1f); *(uint16_t*)0x10000060 = htobe16(0xae36); memcpy((void*)0x10000062, "\x14\x63\xe3\x81\xbd\x0e\x99\xfd\x71\x4b\xe2\x89\x0e\x54\x54\x74\x95\xf8\x6c\xac\xd7\x30\x55\x37\x6f\x19\x20\x7b\xad\x31\xa1\x37\x34\xaa\xcb\xa2\x8e\x2e\xc2\x7c\x9e\x3e\x30\xca\xe3\x44\xd1\xd5\xdc\x20\x12\x1b\x30\x0a\x45\x03\xf9\xd4\xd6\xba\x08\x66\x1f\x05\x6e\xd2\x70\xce\xcb\x2b\xd7\x24\x49\x70\x0f\xb8\xcf\xb5\x44\xca\x92\xb4\xca\x73\xae\x6f\xb3\x5c\xbc\x90\xe4\x99\x37\x75\x7e\xa5\xa5\x4d\x78\xdb\xb0\xaa\xc5\xf9\x3a\x36\xc7\xb5\xad\xc9\x75\xcd\xb1\xeb\x94\x63\x06\x5c\xde\x07\x19\x23\xf7\xf8\x77\x17\x92\xe8\xb7\x54\x1e\x60\xf7\xa9\x39\x58\xbb\x12\x8b\x93\xce\x90\xd8\x87\xfc\xb0\x62\x23\x5b\xd3\x8a\xb0\xc6\x29\x9b", 155); struct csum_inet csum_1; csum_inet_init(&csum_1); csum_inet_update(&csum_1, (const uint8_t*)0x1000005a, 163); *(uint16_t*)0x1000005c = csum_inet_digest(&csum_1); struct csum_inet csum_2; csum_inet_init(&csum_2); csum_inet_update(&csum_2, (const uint8_t*)0x10000016, 68); *(uint16_t*)0x10000020 = csum_inet_digest(&csum_2); break; case 11: memcpy((void*)0x10000100, "\xc4\xe1\x8d\x71\xf2\x8b\x66\x0f\x38\x0b\x95\xf2\x00\x00\x00\x2e\x0f\x6b\x88\x00\x00\x00\x00\x66\x0f\x71\xf3\x06\x3e\x7a\x0d\xc4\xe2\x21\x46\xae\x00\x00\x00\x00\x0f\x01\xde\xc4\xe2\xa1\x93\x64\x8e\x00\xf2\xa7\x68\xa7\x5c\x70\xc8", 57); syz_execute_func(0x10000100); break; case 12: break; } } int main(void) { syscall(SYS_mmap, 0x10000000, 0x1000000, 7, 0x1012, -1, 0); use_temporary_dir(); do_sandbox_none(); return 0; } :420:11: error: use of undeclared identifier 'SYS___realpathat' syscall(SYS___realpathat, (intptr_t)r[0], 0x10000b40, 0x10000b80, 5, 0); ^ 1 error generated. compiler invocation: clang [-o /tmp/syz-executor691123980 -DGOOS_freebsd=1 -DGOARCH_386=1 -DHOSTGOOS_freebsd=1 -x c - -m32 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -static -lc++ -Wno-overflow] --- FAIL: TestGenerate/freebsd/386/5 (2.07s) csource_test.go:123: opts: {Threaded:true Collide:false Repeat:true RepeatTimes:0 Procs:1 Sandbox:none Fault:false FaultCall:0 FaultNth:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false USB:false VhciInjection:false Wifi:false UseTmpDir:true HandleSegv:false Repro:false Trace:false} program: ioctl$DIOCRTSTADDRS(0xffffffffffffffff, 0xc4504449, &(0x7f0000000080)={{"c33ae1d7ace1241b1c03eaefebf74db163915a0bf1b388f6c36d59c77891254f65b0c984fc2be1b080c3b8c3d5d42292e58ea3e02d3b74272f3656e00e4d131b3b07713fd9cb86b40808514f58bbf7d626ad55439d194e4acade743a7354457424539c29442e24022a9f68154fa633c3e609a5e371789177d16a8405b3a4703f49372a512ba8ee4a3851f79b01ab4a3f3cf65f410399a271347b2c68cd28c5f5904ef5d4612399dc9e8a0829ae73c99c50f0f576bf16d38efcbf66476b785431a5e93171168e0fbcdbd6d3cf1ba657ecf14ba60f6e8f18e0da4d7a13db337b7508b7b7de2ff1de6a7bb94e8b8143d4ad6188501d04302cde08629001bfca810e5533adeb14a0ee4c8d244694e091a5d177608a3850188eb6f839a7c626d3dc390bc9a0e9faa35c7d10229d14382e2031e8aa3f7cd066bb6bc0e8f6259d365502a85d13d71bd1ab5ef28a701925e23beb531ca1a93101a0db35a6e8d797d46f053d4562b0c3896cfb91669869f82259c073c4eb7b65afa62b0a37ff5ead5be57187a37ce3c5af9b37d50a89c28f8fed5953173f8df188ba31f5dfd3973e12edf11ae5917eb0657b3796f76784c03c1aa13a7b1a15ddf54ed277387f7ea4057b81b1126391d5d37ac2c878f68444613d8c942510e03ffe6b6813268f4b067c8793642023b5ca52a7fcbb7f96f675f87b82ddec5507168d1fd3b4c166cd5cd12d68a266f1b2eaee4159b990b9d62e88844752ee03ff4adc97a993618c0c856c0c2bfe4760389cef292861251120a1c36147f33f5a217ed56da6858721fc11aacc711cfa74e7d60cb1e27263995fc9c49dd3a37b34872acd3b31ef031cd39ea4e0ff2635f44e8b561cbcdf2095d3cee586d296985153644b802f69ea2e11fa1e71be713c49e8a7475f26eec3fad432cfeecaff2a84a91e3ad7cb6e2cea970fa3aa2861c5571958783dc339462f2b5235e8139e6f292f98ffaf46150b32dbd906b13ff5d6a45f4401f77971df4ecf24d7c9618b57f5d40a674b4b2d4c7da929b5a187c3bf773c882d48a3b90ac191f651bcc38ac462264e6dc4db77e8e8631e3aed0bd0d2c0b62baf69bd5ebdea1440256d7d5998dcb0c9bd7c3d191fd8254e82b92a3183601a8d5a98737f6631a7b3dd58fe77a557cfc7b5d00376db39ec531d396affab1d89135c3fe860d313a240e6582ef96d18781702eaba44036558294bd3f20650674928191ac8553697fd654475575fb16d4466190c14f686e6bca7ab1e919c37814bf6c1c9905106ff673f1a4f5969b0b8194f62b21f0fe4e8980b87d1962813029f7bc998c955de450f7a4b8efe45036e881bf9547269211ec700c23b26590120ecb904fa41acae742afe32c72404e1520a0eea2d02b0703efb2b0a495005083abb84a59f2055b70e0c39160ef59e034c68c4435f3e838ca2ffa3e343d6", "138ccaa45ad3df6da8a039dc2887ebe89dab7a81e1f6de3b8e1abca71f8fbc2a", 0x8, 0x40}, &(0x7f0000000000)="504164a018f8c2ab990fb138243a70bd1f9a5a21226eb18c830cd2aee4cfa0165754b334163230f4aac7a16f736d4efa94ea1f0266595ca44bfed993e0ae9226e10a4fb125bfc2ae29e2431c6972", 0x9, 0x2, 0x2, 0x6, 0x80000000, 0x81, 0x40, 0x5}) ioctl$DIOCRCLRTSTATS(0xffffffffffffffff, 0xc4504441, &(0x7f0000000540)={{"5a74125d9b2c6db6fa88cd72b2e4b45a4bb5343951f9de38b63392fff5edac8795d2beab5485383a33632bdbbf6f496ff138614dc9f9516e111cc5aa4570ca19d4497b89b258f65b710d4d3f4e1dafe43f70baf51da5e101069884b3b8f5358cf7e246d24cdc123b10ba6605ba46ae5178d1fe2c4b2c9fa3f3f3c145ae6066e31d33768591341acf8fad9033b9ced22813d20dc77eedce619c7bb65ba0a889e0fefb8281c0a88ee64a29746b6ff0e9d2db70e8180bdee380f08fb194dce295e1eaa893709be9bfe39775c4232328159ad9c3aa4224dd0cbe3341145b89f6f9c170e619f590b0bf0493b74973f4fba6b974f2bdee806b5c604cc8222b1543f6693a85d96b56b09110bb8928e8016dfd309b61c579a6c345887f50be646f182829b1ab66a27db812eb4cacba79bc9d98cb18310940f74a4602cb85692b42fe8a99c95ae91a67195c048d2000ae4350f89baffd5c7d292e228f25c7eb924fc8693ee38573287e389e35746fbaa37ab9b770b351e367bf05e00d7dbd68db30b87975757cb251365916cda5a363ff40d96aaf33233bb14115dab9efe4649e40f2e5e01db2d65a3043302d9f1f08595a448cccb7a717c6954c7233411d08e1140f2ac5fb625cd1b6b6586561e66ded23f69e3d017a64bd221f2d3f274d846940aab424e829050ee33dd6ce69cc50c693ad316a7f90817317b21f719016c31c22d9ca46cfcb467122979e8c55f690c49b89b04564ce70f96ebd09edb40687017be21c8f567d6b152bcc830736a9320181d88a979e506b50acb148545987b361023ca78bdde928624018aeae51e3f86c3b540b16051d3881a98d1aa02910c94460a0f95310c25bf7a996e41c17f2399e760323b4f417bfc5225d705468066faf9027404c4271fc37ecf73f1470a998274a79286baed6ca7c4a88c827e96b4ea96f0bf23ff9afaded0937704cc63d24b3bcf0d62551d7a8f300114437c624d2c14e90d084aefe7963a2a88882eda723c328c360a296f98ea7fd565a4b58222c1b4e89dabc7078fff6f23ceebcedb8813d3712d3c7f7f6f083fbb19e724a2027f16f1c8e2f660112421ba698699a0481330c0baca6b7b8e4515006178e1b078b6ca6306b9aedf73f0ce22da0a0637929ab2a917cf65300bf90f2378ab6494a04bcf87b9afb7eb746fb016cb6db0ba3faa85ca8f51b7e9bd8a9cd9c79fb77730f0eaf32be459cde898e323a9ed52951f8cbb25ed095b4d53c02bbef1e646dd556a9b69e2dd55f5bba3c7e3548bd01227f2b4d28f2597e4cb2f48232fa0a9adad4db26d412f2c698f03195a68d5548ea1991fa68a7a23d552cd61b2bc69513b1cf737c252fb9aac500262c9e47b9a680c74c7a060083d59165386982b5053f5683537ba139d61f494ac501142300efbc216cf4b9390de0ab29400bcdf5dea05156c1301df3f0", "21c62cdf3e9152798235fbe946d77dc7a78f8ed9d987a3e5964236d1a7081389", 0x7, 0x85}, &(0x7f0000000500)="52b4622b0f6dc8eee7e26956deb6651f580fa2cd", 0x9, 0x3f, 0x401, 0x7fffffff, 0x10000000000, 0xfff, 0x100000000000000, 0x1}) syz_emit_ethernet(0x9d, &(0x7f00000009c0)={@random="5374adcfed27", @empty, [], {@ipv6={0x86dd, {0x9, 0x6, "d88240", 0x67, 0x8b, 0x0, @empty, @loopback, {[], @generic="f4b4cf43a7aef20c31e14bee9247103031ea180ffe1999bfb047b666122e7a31f3bbb765984dd66d0048dd884c5046769fda23d1698a23839cf3afbf15305873bb5343f5d2c95230a99726afd87dcdcda40de7adeac5954ec93c0c6c3d669177e7f932bd8d9833"}}}}}) setsockopt$inet_sctp_SCTP_FRAGMENT_INTERLEAVE(0xffffffffffffff9c, 0x84, 0x10, &(0x7f0000000a80), 0x4) r0 = fcntl$dupfd(0xffffffffffffff9c, 0x11, 0xffffffffffffff9c) ioctl$DIOCADDADDR(r0, 0xc4704434, &(0x7f0000000ac0)="50e16a4f1711c681ab660d59a3d967a097bb87f063f4c49ba1a443373d02dee51448a79f1acb5a806f25197c29a6ad5c10db0a546c3a5014ab8c80b4f8594c1b9d424603") __realpathat(r0, &(0x7f0000000b40)='./file0\x00', &(0x7f0000000b80)=""/5, 0x5, 0x0) accept(r0, &(0x7f0000000bc0)=@in6={0x1c, 0x1c, 0xffffffffffffffff, 0x0, @loopback}, &(0x7f0000000c00)=0x1c) ioctl$DIOCGETLIMIT(r0, 0xc0084427, &(0x7f0000000c40)={0x5, 0x2}) lchmod(&(0x7f0000000c80)='./file0\x00', 0x2) syz_emit_ethernet(0xfd, &(0x7f0000000000)={@local, @local, [{[{0x88a8, 0x1}], {0x8100, 0x2, 0x0, 0x1}}], {@ipv4={0x800, {{0x11, 0x4, 0x2, 0x3, 0xe7, 0x66, 0xffff, 0x0, 0x5d, 0x0, @broadcast, @multicast1, {[@generic={0x44, 0x6, "0183b4a4"}, @noop, @generic={0x1, 0x11, "db1f84f685ce60f91e893688e964b3"}, @ra={0x94, 0x6, 0x552b3dec}, @end, @generic={0x86, 0xf, "c40a262ab08ecf148a552aaa89"}]}}, @icmp=@echo={0x8, 0x0, 0x0, 0x1f, 0xae36, "1463e381bd0e99fd714be2890e54547495f86cacd73055376f19207bad31a13734aacba28e2ec27c9e3e30cae344d1d5dc20121b300a4503f9d4d6ba08661f056ed270cecb2bd72449700fb8cfb544ca92b4ca73ae6fb35cbc90e49937757ea5a54d78dbb0aac5f93a36c7b5adc975cdb1eb9463065cde071923f7f8771792e8b7541e60f7a93958bb128b93ce90d887fcb062235bd38ab0c6299b"}}}}}) syz_execute_func(&(0x7f0000000100)="c4e18d71f28b660f380b95f20000002e0f6b8800000000660f71f3063e7a0dc4e22146ae000000000f01dec4e2a193648e00f2a768a75c70c8") syz_extract_tcp_res(&(0x7f0000000140), 0x62, 0x8001) csource_test.go:124: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include static void kill_and_wait(int pid, int* status) { kill(pid, SIGKILL); while (waitpid(-1, status, 0) != pid) { } } static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void use_temporary_dir(void) { char tmpdir_template[] = "./syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) exit(1); if (chmod(tmpdir, 0777)) exit(1); if (chdir(tmpdir)) exit(1); } static void __attribute__((noinline)) remove_dir(const char* dir) { DIR* dp = opendir(dir); if (dp == NULL) { if (errno == EACCES) { if (rmdir(dir)) exit(1); return; } exit(1); } struct dirent* ep = 0; while ((ep = readdir(dp))) { if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0) continue; char filename[FILENAME_MAX]; snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name); struct stat st; if (lstat(filename, &st)) exit(1); if (S_ISDIR(st.st_mode)) { remove_dir(filename); continue; } if (unlink(filename)) exit(1); } closedir(dp); if (rmdir(dir)) exit(1); } static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); pthread_attr_setstacksize(&attr, 128 << 10); int i = 0; for (; i < 100; i++) { if (pthread_create(&th, &attr, fn, arg) == 0) { pthread_attr_destroy(&attr); return; } if (errno == EAGAIN) { usleep(50); continue; } break; } exit(1); } typedef struct { pthread_mutex_t mu; pthread_cond_t cv; int state; } event_t; static void event_init(event_t* ev) { if (pthread_mutex_init(&ev->mu, 0)) exit(1); if (pthread_cond_init(&ev->cv, 0)) exit(1); ev->state = 0; } static void event_reset(event_t* ev) { ev->state = 0; } static void event_set(event_t* ev) { pthread_mutex_lock(&ev->mu); if (ev->state) exit(1); ev->state = 1; pthread_mutex_unlock(&ev->mu); pthread_cond_broadcast(&ev->cv); } static void event_wait(event_t* ev) { pthread_mutex_lock(&ev->mu); while (!ev->state) pthread_cond_wait(&ev->cv, &ev->mu); pthread_mutex_unlock(&ev->mu); } static int event_isset(event_t* ev) { pthread_mutex_lock(&ev->mu); int res = ev->state; pthread_mutex_unlock(&ev->mu); return res; } static int event_timedwait(event_t* ev, uint64_t timeout) { uint64_t start = current_time_ms(); uint64_t now = start; pthread_mutex_lock(&ev->mu); for (;;) { if (ev->state) break; uint64_t remain = timeout - (now - start); struct timespec ts; ts.tv_sec = remain / 1000; ts.tv_nsec = (remain % 1000) * 1000 * 1000; pthread_cond_timedwait(&ev->cv, &ev->mu, &ts); now = current_time_ms(); if (now - start > timeout) break; } int res = ev->state; pthread_mutex_unlock(&ev->mu); return res; } #define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off)) #define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len)))) struct csum_inet { uint32_t acc; }; static void csum_inet_init(struct csum_inet* csum) { csum->acc = 0; } static void csum_inet_update(struct csum_inet* csum, const uint8_t* data, size_t length) { if (length == 0) return; size_t i = 0; for (; i < length - 1; i += 2) csum->acc += *(uint16_t*)&data[i]; if (length & 1) csum->acc += le16toh((uint16_t)data[length - 1]); while (csum->acc > 0xffff) csum->acc = (csum->acc & 0xffff) + (csum->acc >> 16); } static uint16_t csum_inet_digest(struct csum_inet* csum) { return ~csum->acc; } static void sandbox_common() { if (setsid() == -1) exit(1); struct rlimit rlim; rlim.rlim_cur = rlim.rlim_max = 128 << 20; setrlimit(RLIMIT_AS, &rlim); rlim.rlim_cur = rlim.rlim_max = 8 << 20; setrlimit(RLIMIT_MEMLOCK, &rlim); rlim.rlim_cur = rlim.rlim_max = 1 << 20; setrlimit(RLIMIT_FSIZE, &rlim); rlim.rlim_cur = rlim.rlim_max = 1 << 20; setrlimit(RLIMIT_STACK, &rlim); rlim.rlim_cur = rlim.rlim_max = 0; setrlimit(RLIMIT_CORE, &rlim); rlim.rlim_cur = rlim.rlim_max = 256; setrlimit(RLIMIT_NOFILE, &rlim); } static void loop(); static int do_sandbox_none(void) { sandbox_common(); loop(); return 0; } static long syz_execute_func(volatile long text) { ((void (*)(void))(text))(); return 0; } struct thread_t { int created, call; event_t ready, done; }; static struct thread_t threads[16]; static void execute_call(int call); static int running; static void* thr(void* arg) { struct thread_t* th = (struct thread_t*)arg; for (;;) { event_wait(&th->ready); event_reset(&th->ready); execute_call(th->call); __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED); event_set(&th->done); } return 0; } static void execute_one(void) { int i, call, thread; for (call = 0; call < 13; call++) { for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) { struct thread_t* th = &threads[thread]; if (!th->created) { th->created = 1; event_init(&th->ready); event_init(&th->done); event_set(&th->done); thread_start(thr, th); } if (!event_isset(&th->done)) continue; event_reset(&th->done); th->call = call; __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED); event_set(&th->ready); event_timedwait(&th->done, 45); break; } } for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++) sleep_ms(1); } static void execute_one(void); #define WAIT_FLAGS 0 static void loop(void) { int iter = 0; for (;; iter++) { char cwdbuf[32]; sprintf(cwdbuf, "./%d", iter); if (mkdir(cwdbuf, 0777)) exit(1); int pid = fork(); if (pid < 0) exit(1); if (pid == 0) { if (chdir(cwdbuf)) exit(1); execute_one(); exit(0); } int status = 0; uint64_t start = current_time_ms(); for (;;) { if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) break; sleep_ms(1); if (current_time_ms() - start < 5 * 1000) continue; kill_and_wait(pid, &status); break; } remove_dir(cwdbuf); } } uint64_t r[1] = {0xffffffffffffffff}; void execute_call(int call) { intptr_t res = 0; switch (call) { case 0: memcpy((void*)0x10000080, "\xc3\x3a\xe1\xd7\xac\xe1\x24\x1b\x1c\x03\xea\xef\xeb\xf7\x4d\xb1\x63\x91\x5a\x0b\xf1\xb3\x88\xf6\xc3\x6d\x59\xc7\x78\x91\x25\x4f\x65\xb0\xc9\x84\xfc\x2b\xe1\xb0\x80\xc3\xb8\xc3\xd5\xd4\x22\x92\xe5\x8e\xa3\xe0\x2d\x3b\x74\x27\x2f\x36\x56\xe0\x0e\x4d\x13\x1b\x3b\x07\x71\x3f\xd9\xcb\x86\xb4\x08\x08\x51\x4f\x58\xbb\xf7\xd6\x26\xad\x55\x43\x9d\x19\x4e\x4a\xca\xde\x74\x3a\x73\x54\x45\x74\x24\x53\x9c\x29\x44\x2e\x24\x02\x2a\x9f\x68\x15\x4f\xa6\x33\xc3\xe6\x09\xa5\xe3\x71\x78\x91\x77\xd1\x6a\x84\x05\xb3\xa4\x70\x3f\x49\x37\x2a\x51\x2b\xa8\xee\x4a\x38\x51\xf7\x9b\x01\xab\x4a\x3f\x3c\xf6\x5f\x41\x03\x99\xa2\x71\x34\x7b\x2c\x68\xcd\x28\xc5\xf5\x90\x4e\xf5\xd4\x61\x23\x99\xdc\x9e\x8a\x08\x29\xae\x73\xc9\x9c\x50\xf0\xf5\x76\xbf\x16\xd3\x8e\xfc\xbf\x66\x47\x6b\x78\x54\x31\xa5\xe9\x31\x71\x16\x8e\x0f\xbc\xdb\xd6\xd3\xcf\x1b\xa6\x57\xec\xf1\x4b\xa6\x0f\x6e\x8f\x18\xe0\xda\x4d\x7a\x13\xdb\x33\x7b\x75\x08\xb7\xb7\xde\x2f\xf1\xde\x6a\x7b\xb9\x4e\x8b\x81\x43\xd4\xad\x61\x88\x50\x1d\x04\x30\x2c\xde\x08\x62\x90\x01\xbf\xca\x81\x0e\x55\x33\xad\xeb\x14\xa0\xee\x4c\x8d\x24\x46\x94\xe0\x91\xa5\xd1\x77\x60\x8a\x38\x50\x18\x8e\xb6\xf8\x39\xa7\xc6\x26\xd3\xdc\x39\x0b\xc9\xa0\xe9\xfa\xa3\x5c\x7d\x10\x22\x9d\x14\x38\x2e\x20\x31\xe8\xaa\x3f\x7c\xd0\x66\xbb\x6b\xc0\xe8\xf6\x25\x9d\x36\x55\x02\xa8\x5d\x13\xd7\x1b\xd1\xab\x5e\xf2\x8a\x70\x19\x25\xe2\x3b\xeb\x53\x1c\xa1\xa9\x31\x01\xa0\xdb\x35\xa6\xe8\xd7\x97\xd4\x6f\x05\x3d\x45\x62\xb0\xc3\x89\x6c\xfb\x91\x66\x98\x69\xf8\x22\x59\xc0\x73\xc4\xeb\x7b\x65\xaf\xa6\x2b\x0a\x37\xff\x5e\xad\x5b\xe5\x71\x87\xa3\x7c\xe3\xc5\xaf\x9b\x37\xd5\x0a\x89\xc2\x8f\x8f\xed\x59\x53\x17\x3f\x8d\xf1\x88\xba\x31\xf5\xdf\xd3\x97\x3e\x12\xed\xf1\x1a\xe5\x91\x7e\xb0\x65\x7b\x37\x96\xf7\x67\x84\xc0\x3c\x1a\xa1\x3a\x7b\x1a\x15\xdd\xf5\x4e\xd2\x77\x38\x7f\x7e\xa4\x05\x7b\x81\xb1\x12\x63\x91\xd5\xd3\x7a\xc2\xc8\x78\xf6\x84\x44\x61\x3d\x8c\x94\x25\x10\xe0\x3f\xfe\x6b\x68\x13\x26\x8f\x4b\x06\x7c\x87\x93\x64\x20\x23\xb5\xca\x52\xa7\xfc\xbb\x7f\x96\xf6\x75\xf8\x7b\x82\xdd\xec\x55\x07\x16\x8d\x1f\xd3\xb4\xc1\x66\xcd\x5c\xd1\x2d\x68\xa2\x66\xf1\xb2\xea\xee\x41\x59\xb9\x90\xb9\xd6\x2e\x88\x84\x47\x52\xee\x03\xff\x4a\xdc\x97\xa9\x93\x61\x8c\x0c\x85\x6c\x0c\x2b\xfe\x47\x60\x38\x9c\xef\x29\x28\x61\x25\x11\x20\xa1\xc3\x61\x47\xf3\x3f\x5a\x21\x7e\xd5\x6d\xa6\x85\x87\x21\xfc\x11\xaa\xcc\x71\x1c\xfa\x74\xe7\xd6\x0c\xb1\xe2\x72\x63\x99\x5f\xc9\xc4\x9d\xd3\xa3\x7b\x34\x87\x2a\xcd\x3b\x31\xef\x03\x1c\xd3\x9e\xa4\xe0\xff\x26\x35\xf4\x4e\x8b\x56\x1c\xbc\xdf\x20\x95\xd3\xce\xe5\x86\xd2\x96\x98\x51\x53\x64\x4b\x80\x2f\x69\xea\x2e\x11\xfa\x1e\x71\xbe\x71\x3c\x49\xe8\xa7\x47\x5f\x26\xee\xc3\xfa\xd4\x32\xcf\xee\xca\xff\x2a\x84\xa9\x1e\x3a\xd7\xcb\x6e\x2c\xea\x97\x0f\xa3\xaa\x28\x61\xc5\x57\x19\x58\x78\x3d\xc3\x39\x46\x2f\x2b\x52\x35\xe8\x13\x9e\x6f\x29\x2f\x98\xff\xaf\x46\x15\x0b\x32\xdb\xd9\x06\xb1\x3f\xf5\xd6\xa4\x5f\x44\x01\xf7\x79\x71\xdf\x4e\xcf\x24\xd7\xc9\x61\x8b\x57\xf5\xd4\x0a\x67\x4b\x4b\x2d\x4c\x7d\xa9\x29\xb5\xa1\x87\xc3\xbf\x77\x3c\x88\x2d\x48\xa3\xb9\x0a\xc1\x91\xf6\x51\xbc\xc3\x8a\xc4\x62\x26\x4e\x6d\xc4\xdb\x77\xe8\xe8\x63\x1e\x3a\xed\x0b\xd0\xd2\xc0\xb6\x2b\xaf\x69\xbd\x5e\xbd\xea\x14\x40\x25\x6d\x7d\x59\x98\xdc\xb0\xc9\xbd\x7c\x3d\x19\x1f\xd8\x25\x4e\x82\xb9\x2a\x31\x83\x60\x1a\x8d\x5a\x98\x73\x7f\x66\x31\xa7\xb3\xdd\x58\xfe\x77\xa5\x57\xcf\xc7\xb5\xd0\x03\x76\xdb\x39\xec\x53\x1d\x39\x6a\xff\xab\x1d\x89\x13\x5c\x3f\xe8\x60\xd3\x13\xa2\x40\xe6\x58\x2e\xf9\x6d\x18\x78\x17\x02\xea\xba\x44\x03\x65\x58\x29\x4b\xd3\xf2\x06\x50\x67\x49\x28\x19\x1a\xc8\x55\x36\x97\xfd\x65\x44\x75\x57\x5f\xb1\x6d\x44\x66\x19\x0c\x14\xf6\x86\xe6\xbc\xa7\xab\x1e\x91\x9c\x37\x81\x4b\xf6\xc1\xc9\x90\x51\x06\xff\x67\x3f\x1a\x4f\x59\x69\xb0\xb8\x19\x4f\x62\xb2\x1f\x0f\xe4\xe8\x98\x0b\x87\xd1\x96\x28\x13\x02\x9f\x7b\xc9\x98\xc9\x55\xde\x45\x0f\x7a\x4b\x8e\xfe\x45\x03\x6e\x88\x1b\xf9\x54\x72\x69\x21\x1e\xc7\x00\xc2\x3b\x26\x59\x01\x20\xec\xb9\x04\xfa\x41\xac\xae\x74\x2a\xfe\x32\xc7\x24\x04\xe1\x52\x0a\x0e\xea\x2d\x02\xb0\x70\x3e\xfb\x2b\x0a\x49\x50\x05\x08\x3a\xbb\x84\xa5\x9f\x20\x55\xb7\x0e\x0c\x39\x16\x0e\xf5\x9e\x03\x4c\x68\xc4\x43\x5f\x3e\x83\x8c\xa2\xff\xa3\xe3\x43\xd6", 1024); memcpy((void*)0x10000480, "\x13\x8c\xca\xa4\x5a\xd3\xdf\x6d\xa8\xa0\x39\xdc\x28\x87\xeb\xe8\x9d\xab\x7a\x81\xe1\xf6\xde\x3b\x8e\x1a\xbc\xa7\x1f\x8f\xbc\x2a", 32); *(uint32_t*)0x100004a0 = 8; *(uint8_t*)0x100004a4 = 0x40; *(uint32_t*)0x100004a8 = 0x10000000; memcpy((void*)0x10000000, "\x50\x41\x64\xa0\x18\xf8\xc2\xab\x99\x0f\xb1\x38\x24\x3a\x70\xbd\x1f\x9a\x5a\x21\x22\x6e\xb1\x8c\x83\x0c\xd2\xae\xe4\xcf\xa0\x16\x57\x54\xb3\x34\x16\x32\x30\xf4\xaa\xc7\xa1\x6f\x73\x6d\x4e\xfa\x94\xea\x1f\x02\x66\x59\x5c\xa4\x4b\xfe\xd9\x93\xe0\xae\x92\x26\xe1\x0a\x4f\xb1\x25\xbf\xc2\xae\x29\xe2\x43\x1c\x69\x72", 78); *(uint64_t*)0x100004ac = 9; *(uint64_t*)0x100004b4 = 2; *(uint64_t*)0x100004bc = 2; *(uint64_t*)0x100004c4 = 6; *(uint64_t*)0x100004cc = 0x80000000; *(uint64_t*)0x100004d4 = 0x81; *(uint64_t*)0x100004dc = 0x40; *(uint32_t*)0x100004e4 = 5; syscall(SYS_ioctl, -1, 0xc4504449, 0x10000080); break; case 1: memcpy((void*)0x10000540, "\x5a\x74\x12\x5d\x9b\x2c\x6d\xb6\xfa\x88\xcd\x72\xb2\xe4\xb4\x5a\x4b\xb5\x34\x39\x51\xf9\xde\x38\xb6\x33\x92\xff\xf5\xed\xac\x87\x95\xd2\xbe\xab\x54\x85\x38\x3a\x33\x63\x2b\xdb\xbf\x6f\x49\x6f\xf1\x38\x61\x4d\xc9\xf9\x51\x6e\x11\x1c\xc5\xaa\x45\x70\xca\x19\xd4\x49\x7b\x89\xb2\x58\xf6\x5b\x71\x0d\x4d\x3f\x4e\x1d\xaf\xe4\x3f\x70\xba\xf5\x1d\xa5\xe1\x01\x06\x98\x84\xb3\xb8\xf5\x35\x8c\xf7\xe2\x46\xd2\x4c\xdc\x12\x3b\x10\xba\x66\x05\xba\x46\xae\x51\x78\xd1\xfe\x2c\x4b\x2c\x9f\xa3\xf3\xf3\xc1\x45\xae\x60\x66\xe3\x1d\x33\x76\x85\x91\x34\x1a\xcf\x8f\xad\x90\x33\xb9\xce\xd2\x28\x13\xd2\x0d\xc7\x7e\xed\xce\x61\x9c\x7b\xb6\x5b\xa0\xa8\x89\xe0\xfe\xfb\x82\x81\xc0\xa8\x8e\xe6\x4a\x29\x74\x6b\x6f\xf0\xe9\xd2\xdb\x70\xe8\x18\x0b\xde\xe3\x80\xf0\x8f\xb1\x94\xdc\xe2\x95\xe1\xea\xa8\x93\x70\x9b\xe9\xbf\xe3\x97\x75\xc4\x23\x23\x28\x15\x9a\xd9\xc3\xaa\x42\x24\xdd\x0c\xbe\x33\x41\x14\x5b\x89\xf6\xf9\xc1\x70\xe6\x19\xf5\x90\xb0\xbf\x04\x93\xb7\x49\x73\xf4\xfb\xa6\xb9\x74\xf2\xbd\xee\x80\x6b\x5c\x60\x4c\xc8\x22\x2b\x15\x43\xf6\x69\x3a\x85\xd9\x6b\x56\xb0\x91\x10\xbb\x89\x28\xe8\x01\x6d\xfd\x30\x9b\x61\xc5\x79\xa6\xc3\x45\x88\x7f\x50\xbe\x64\x6f\x18\x28\x29\xb1\xab\x66\xa2\x7d\xb8\x12\xeb\x4c\xac\xba\x79\xbc\x9d\x98\xcb\x18\x31\x09\x40\xf7\x4a\x46\x02\xcb\x85\x69\x2b\x42\xfe\x8a\x99\xc9\x5a\xe9\x1a\x67\x19\x5c\x04\x8d\x20\x00\xae\x43\x50\xf8\x9b\xaf\xfd\x5c\x7d\x29\x2e\x22\x8f\x25\xc7\xeb\x92\x4f\xc8\x69\x3e\xe3\x85\x73\x28\x7e\x38\x9e\x35\x74\x6f\xba\xa3\x7a\xb9\xb7\x70\xb3\x51\xe3\x67\xbf\x05\xe0\x0d\x7d\xbd\x68\xdb\x30\xb8\x79\x75\x75\x7c\xb2\x51\x36\x59\x16\xcd\xa5\xa3\x63\xff\x40\xd9\x6a\xaf\x33\x23\x3b\xb1\x41\x15\xda\xb9\xef\xe4\x64\x9e\x40\xf2\xe5\xe0\x1d\xb2\xd6\x5a\x30\x43\x30\x2d\x9f\x1f\x08\x59\x5a\x44\x8c\xcc\xb7\xa7\x17\xc6\x95\x4c\x72\x33\x41\x1d\x08\xe1\x14\x0f\x2a\xc5\xfb\x62\x5c\xd1\xb6\xb6\x58\x65\x61\xe6\x6d\xed\x23\xf6\x9e\x3d\x01\x7a\x64\xbd\x22\x1f\x2d\x3f\x27\x4d\x84\x69\x40\xaa\xb4\x24\xe8\x29\x05\x0e\xe3\x3d\xd6\xce\x69\xcc\x50\xc6\x93\xad\x31\x6a\x7f\x90\x81\x73\x17\xb2\x1f\x71\x90\x16\xc3\x1c\x22\xd9\xca\x46\xcf\xcb\x46\x71\x22\x97\x9e\x8c\x55\xf6\x90\xc4\x9b\x89\xb0\x45\x64\xce\x70\xf9\x6e\xbd\x09\xed\xb4\x06\x87\x01\x7b\xe2\x1c\x8f\x56\x7d\x6b\x15\x2b\xcc\x83\x07\x36\xa9\x32\x01\x81\xd8\x8a\x97\x9e\x50\x6b\x50\xac\xb1\x48\x54\x59\x87\xb3\x61\x02\x3c\xa7\x8b\xdd\xe9\x28\x62\x40\x18\xae\xae\x51\xe3\xf8\x6c\x3b\x54\x0b\x16\x05\x1d\x38\x81\xa9\x8d\x1a\xa0\x29\x10\xc9\x44\x60\xa0\xf9\x53\x10\xc2\x5b\xf7\xa9\x96\xe4\x1c\x17\xf2\x39\x9e\x76\x03\x23\xb4\xf4\x17\xbf\xc5\x22\x5d\x70\x54\x68\x06\x6f\xaf\x90\x27\x40\x4c\x42\x71\xfc\x37\xec\xf7\x3f\x14\x70\xa9\x98\x27\x4a\x79\x28\x6b\xae\xd6\xca\x7c\x4a\x88\xc8\x27\xe9\x6b\x4e\xa9\x6f\x0b\xf2\x3f\xf9\xaf\xad\xed\x09\x37\x70\x4c\xc6\x3d\x24\xb3\xbc\xf0\xd6\x25\x51\xd7\xa8\xf3\x00\x11\x44\x37\xc6\x24\xd2\xc1\x4e\x90\xd0\x84\xae\xfe\x79\x63\xa2\xa8\x88\x82\xed\xa7\x23\xc3\x28\xc3\x60\xa2\x96\xf9\x8e\xa7\xfd\x56\x5a\x4b\x58\x22\x2c\x1b\x4e\x89\xda\xbc\x70\x78\xff\xf6\xf2\x3c\xee\xbc\xed\xb8\x81\x3d\x37\x12\xd3\xc7\xf7\xf6\xf0\x83\xfb\xb1\x9e\x72\x4a\x20\x27\xf1\x6f\x1c\x8e\x2f\x66\x01\x12\x42\x1b\xa6\x98\x69\x9a\x04\x81\x33\x0c\x0b\xac\xa6\xb7\xb8\xe4\x51\x50\x06\x17\x8e\x1b\x07\x8b\x6c\xa6\x30\x6b\x9a\xed\xf7\x3f\x0c\xe2\x2d\xa0\xa0\x63\x79\x29\xab\x2a\x91\x7c\xf6\x53\x00\xbf\x90\xf2\x37\x8a\xb6\x49\x4a\x04\xbc\xf8\x7b\x9a\xfb\x7e\xb7\x46\xfb\x01\x6c\xb6\xdb\x0b\xa3\xfa\xa8\x5c\xa8\xf5\x1b\x7e\x9b\xd8\xa9\xcd\x9c\x79\xfb\x77\x73\x0f\x0e\xaf\x32\xbe\x45\x9c\xde\x89\x8e\x32\x3a\x9e\xd5\x29\x51\xf8\xcb\xb2\x5e\xd0\x95\xb4\xd5\x3c\x02\xbb\xef\x1e\x64\x6d\xd5\x56\xa9\xb6\x9e\x2d\xd5\x5f\x5b\xba\x3c\x7e\x35\x48\xbd\x01\x22\x7f\x2b\x4d\x28\xf2\x59\x7e\x4c\xb2\xf4\x82\x32\xfa\x0a\x9a\xda\xd4\xdb\x26\xd4\x12\xf2\xc6\x98\xf0\x31\x95\xa6\x8d\x55\x48\xea\x19\x91\xfa\x68\xa7\xa2\x3d\x55\x2c\xd6\x1b\x2b\xc6\x95\x13\xb1\xcf\x73\x7c\x25\x2f\xb9\xaa\xc5\x00\x26\x2c\x9e\x47\xb9\xa6\x80\xc7\x4c\x7a\x06\x00\x83\xd5\x91\x65\x38\x69\x82\xb5\x05\x3f\x56\x83\x53\x7b\xa1\x39\xd6\x1f\x49\x4a\xc5\x01\x14\x23\x00\xef\xbc\x21\x6c\xf4\xb9\x39\x0d\xe0\xab\x29\x40\x0b\xcd\xf5\xde\xa0\x51\x56\xc1\x30\x1d\xf3\xf0", 1024); memcpy((void*)0x10000940, "\x21\xc6\x2c\xdf\x3e\x91\x52\x79\x82\x35\xfb\xe9\x46\xd7\x7d\xc7\xa7\x8f\x8e\xd9\xd9\x87\xa3\xe5\x96\x42\x36\xd1\xa7\x08\x13\x89", 32); *(uint32_t*)0x10000960 = 7; *(uint8_t*)0x10000964 = 0x85; *(uint32_t*)0x10000968 = 0x10000500; memcpy((void*)0x10000500, "\x52\xb4\x62\x2b\x0f\x6d\xc8\xee\xe7\xe2\x69\x56\xde\xb6\x65\x1f\x58\x0f\xa2\xcd", 20); *(uint64_t*)0x1000096c = 9; *(uint64_t*)0x10000974 = 0x3f; *(uint64_t*)0x1000097c = 0x401; *(uint64_t*)0x10000984 = 0x7fffffff; *(uint64_t*)0x1000098c = 0x10000000000; *(uint64_t*)0x10000994 = 0xfff; *(uint64_t*)0x1000099c = 0x100000000000000; *(uint32_t*)0x100009a4 = 1; syscall(SYS_ioctl, -1, 0xc4504441, 0x10000540); break; case 2: memcpy((void*)0x100009c0, "\x53\x74\xad\xcf\xed\x27", 6); *(uint8_t*)0x100009c6 = 0; *(uint8_t*)0x100009c7 = 0; *(uint8_t*)0x100009c8 = 0; *(uint8_t*)0x100009c9 = 0; *(uint8_t*)0x100009ca = 0; *(uint8_t*)0x100009cb = 0; *(uint16_t*)0x100009cc = htobe16(0x86dd); STORE_BY_BITMASK(uint8_t, , 0x100009ce, 9, 0, 4); STORE_BY_BITMASK(uint8_t, , 0x100009ce, 6, 4, 4); memcpy((void*)0x100009cf, "\xd8\x82\x40", 3); *(uint16_t*)0x100009d2 = htobe16(0x67); *(uint8_t*)0x100009d4 = 0x8b; *(uint8_t*)0x100009d5 = 0; *(uint8_t*)0x100009d6 = 0; *(uint8_t*)0x100009d7 = 0; *(uint8_t*)0x100009d8 = 0; *(uint8_t*)0x100009d9 = 0; *(uint8_t*)0x100009da = 0; *(uint8_t*)0x100009db = 0; *(uint8_t*)0x100009dc = 0; *(uint8_t*)0x100009dd = 0; *(uint8_t*)0x100009de = 0; *(uint8_t*)0x100009df = 0; *(uint8_t*)0x100009e0 = 0; *(uint8_t*)0x100009e1 = 0; *(uint8_t*)0x100009e2 = 0; *(uint8_t*)0x100009e3 = 0; *(uint8_t*)0x100009e4 = 0; *(uint8_t*)0x100009e5 = 0; *(uint64_t*)0x100009e6 = htobe64(0); *(uint64_t*)0x100009ee = htobe64(1); memcpy((void*)0x100009f6, "\xf4\xb4\xcf\x43\xa7\xae\xf2\x0c\x31\xe1\x4b\xee\x92\x47\x10\x30\x31\xea\x18\x0f\xfe\x19\x99\xbf\xb0\x47\xb6\x66\x12\x2e\x7a\x31\xf3\xbb\xb7\x65\x98\x4d\xd6\x6d\x00\x48\xdd\x88\x4c\x50\x46\x76\x9f\xda\x23\xd1\x69\x8a\x23\x83\x9c\xf3\xaf\xbf\x15\x30\x58\x73\xbb\x53\x43\xf5\xd2\xc9\x52\x30\xa9\x97\x26\xaf\xd8\x7d\xcd\xcd\xa4\x0d\xe7\xad\xea\xc5\x95\x4e\xc9\x3c\x0c\x6c\x3d\x66\x91\x77\xe7\xf9\x32\xbd\x8d\x98\x33", 103); break; case 3: *(uint32_t*)0x10000a80 = 0; syscall(SYS_setsockopt, 0xffffff9c, 0x84, 0x10, 0x10000a80, 4); break; case 4: res = syscall(SYS_fcntl, 0xffffff9c, 0x11, 0xffffff9c); if (res != -1) r[0] = res; break; case 5: memcpy((void*)0x10000ac0, "\x50\xe1\x6a\x4f\x17\x11\xc6\x81\xab\x66\x0d\x59\xa3\xd9\x67\xa0\x97\xbb\x87\xf0\x63\xf4\xc4\x9b\xa1\xa4\x43\x37\x3d\x02\xde\xe5\x14\x48\xa7\x9f\x1a\xcb\x5a\x80\x6f\x25\x19\x7c\x29\xa6\xad\x5c\x10\xdb\x0a\x54\x6c\x3a\x50\x14\xab\x8c\x80\xb4\xf8\x59\x4c\x1b\x9d\x42\x46\x03", 68); syscall(SYS_ioctl, (intptr_t)r[0], 0xc4704434, 0x10000ac0); break; case 6: memcpy((void*)0x10000b40, "./file0\000", 8); syscall(SYS___realpathat, (intptr_t)r[0], 0x10000b40, 0x10000b80, 5, 0); break; case 7: *(uint32_t*)0x10000c00 = 0x1c; syscall(SYS_accept, (intptr_t)r[0], 0x10000bc0, 0x10000c00); break; case 8: *(uint32_t*)0x10000c40 = 5; *(uint32_t*)0x10000c44 = 2; syscall(SYS_ioctl, (intptr_t)r[0], 0xc0084427, 0x10000c40); break; case 9: memcpy((void*)0x10000c80, "./file0\000", 8); syscall(SYS_lchmod, 0x10000c80, 2); break; case 10: *(uint8_t*)0x10000000 = 0xaa; *(uint8_t*)0x10000001 = 0xaa; *(uint8_t*)0x10000002 = 0xaa; *(uint8_t*)0x10000003 = 0xaa; *(uint8_t*)0x10000004 = 0xaa; *(uint8_t*)0x10000005 = 0xaa; *(uint8_t*)0x10000006 = 0xaa; *(uint8_t*)0x10000007 = 0xaa; *(uint8_t*)0x10000008 = 0xaa; *(uint8_t*)0x10000009 = 0xaa; *(uint8_t*)0x1000000a = 0xaa; *(uint8_t*)0x1000000b = 0xaa; *(uint16_t*)0x1000000c = htobe16(0x88a8); STORE_BY_BITMASK(uint16_t, , 0x1000000e, 1, 0, 3); STORE_BY_BITMASK(uint16_t, , 0x1000000e, 0, 3, 1); STORE_BY_BITMASK(uint16_t, , 0x1000000e, 0, 4, 12); *(uint16_t*)0x10000010 = htobe16(0x8100); STORE_BY_BITMASK(uint16_t, , 0x10000012, 2, 0, 3); STORE_BY_BITMASK(uint16_t, , 0x10000012, 0, 3, 1); STORE_BY_BITMASK(uint16_t, , 0x10000012, 1, 4, 12); *(uint16_t*)0x10000014 = htobe16(0x800); STORE_BY_BITMASK(uint8_t, , 0x10000016, 0x11, 0, 4); STORE_BY_BITMASK(uint8_t, , 0x10000016, 4, 4, 4); STORE_BY_BITMASK(uint8_t, , 0x10000017, 2, 0, 2); STORE_BY_BITMASK(uint8_t, , 0x10000017, 3, 2, 6); *(uint16_t*)0x10000018 = htobe16(0xe7); *(uint16_t*)0x1000001a = htobe16(0x66); *(uint16_t*)0x1000001c = htobe16(-1); *(uint8_t*)0x1000001e = 0; *(uint8_t*)0x1000001f = 0x5d; *(uint16_t*)0x10000020 = htobe16(0); *(uint32_t*)0x10000022 = htobe32(-1); *(uint32_t*)0x10000026 = htobe32(0xe0000001); *(uint8_t*)0x1000002a = 0x44; *(uint8_t*)0x1000002b = 6; memcpy((void*)0x1000002c, "\x01\x83\xb4\xa4", 4); *(uint8_t*)0x10000030 = 1; *(uint8_t*)0x10000031 = 1; *(uint8_t*)0x10000032 = 0x11; memcpy((void*)0x10000033, "\xdb\x1f\x84\xf6\x85\xce\x60\xf9\x1e\x89\x36\x88\xe9\x64\xb3", 15); *(uint8_t*)0x10000042 = 0x94; *(uint8_t*)0x10000043 = 6; *(uint32_t*)0x10000044 = htobe32(0x552b3dec); *(uint8_t*)0x10000048 = 0; *(uint8_t*)0x10000049 = 0x86; *(uint8_t*)0x1000004a = 0xf; memcpy((void*)0x1000004b, "\xc4\x0a\x26\x2a\xb0\x8e\xcf\x14\x8a\x55\x2a\xaa\x89", 13); *(uint8_t*)0x1000005a = 8; *(uint8_t*)0x1000005b = 0; *(uint16_t*)0x1000005c = htobe16(0); *(uint16_t*)0x1000005e = htobe16(0x1f); *(uint16_t*)0x10000060 = htobe16(0xae36); memcpy((void*)0x10000062, "\x14\x63\xe3\x81\xbd\x0e\x99\xfd\x71\x4b\xe2\x89\x0e\x54\x54\x74\x95\xf8\x6c\xac\xd7\x30\x55\x37\x6f\x19\x20\x7b\xad\x31\xa1\x37\x34\xaa\xcb\xa2\x8e\x2e\xc2\x7c\x9e\x3e\x30\xca\xe3\x44\xd1\xd5\xdc\x20\x12\x1b\x30\x0a\x45\x03\xf9\xd4\xd6\xba\x08\x66\x1f\x05\x6e\xd2\x70\xce\xcb\x2b\xd7\x24\x49\x70\x0f\xb8\xcf\xb5\x44\xca\x92\xb4\xca\x73\xae\x6f\xb3\x5c\xbc\x90\xe4\x99\x37\x75\x7e\xa5\xa5\x4d\x78\xdb\xb0\xaa\xc5\xf9\x3a\x36\xc7\xb5\xad\xc9\x75\xcd\xb1\xeb\x94\x63\x06\x5c\xde\x07\x19\x23\xf7\xf8\x77\x17\x92\xe8\xb7\x54\x1e\x60\xf7\xa9\x39\x58\xbb\x12\x8b\x93\xce\x90\xd8\x87\xfc\xb0\x62\x23\x5b\xd3\x8a\xb0\xc6\x29\x9b", 155); struct csum_inet csum_1; csum_inet_init(&csum_1); csum_inet_update(&csum_1, (const uint8_t*)0x1000005a, 163); *(uint16_t*)0x1000005c = csum_inet_digest(&csum_1); struct csum_inet csum_2; csum_inet_init(&csum_2); csum_inet_update(&csum_2, (const uint8_t*)0x10000016, 68); *(uint16_t*)0x10000020 = csum_inet_digest(&csum_2); break; case 11: memcpy((void*)0x10000100, "\xc4\xe1\x8d\x71\xf2\x8b\x66\x0f\x38\x0b\x95\xf2\x00\x00\x00\x2e\x0f\x6b\x88\x00\x00\x00\x00\x66\x0f\x71\xf3\x06\x3e\x7a\x0d\xc4\xe2\x21\x46\xae\x00\x00\x00\x00\x0f\x01\xde\xc4\xe2\xa1\x93\x64\x8e\x00\xf2\xa7\x68\xa7\x5c\x70\xc8", 57); syz_execute_func(0x10000100); break; case 12: break; } } int main(void) { syscall(SYS_mmap, 0x10000000, 0x1000000, 7, 0x1012, -1, 0); use_temporary_dir(); do_sandbox_none(); return 0; } :418:11: error: use of undeclared identifier 'SYS___realpathat' syscall(SYS___realpathat, (intptr_t)r[0], 0x10000b40, 0x10000b80, 5, 0); ^ 1 error generated. compiler invocation: clang [-o /tmp/syz-executor720383227 -DGOOS_freebsd=1 -DGOARCH_386=1 -DHOSTGOOS_freebsd=1 -x c - -m32 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -static -lc++ -Wno-overflow] --- FAIL: TestGenerate/freebsd/386/10 (1.85s) csource_test.go:121: --- FAIL: TestGenerate/freebsd/386/1 (0.92s) csource_test.go:121: --- FAIL: TestGenerate/freebsd/386/2 (0.97s) csource_test.go:121: --- FAIL: TestGenerate/freebsd/386/9 (1.25s) csource_test.go:121: --- FAIL: TestGenerate/freebsd/386/3 (1.32s) csource_test.go:121: FAIL FAIL github.com/google/syzkaller/pkg/csource 13.570s ok github.com/google/syzkaller/pkg/db (cached) ok github.com/google/syzkaller/pkg/email (cached) ? github.com/google/syzkaller/pkg/gce [no test files] ? github.com/google/syzkaller/pkg/gcs [no test files] ? github.com/google/syzkaller/pkg/hash [no test files] ok github.com/google/syzkaller/pkg/host 1.174s ? github.com/google/syzkaller/pkg/html [no test files] ok github.com/google/syzkaller/pkg/ifuzz (cached) ? github.com/google/syzkaller/pkg/ifuzz/gen [no test files] ? github.com/google/syzkaller/pkg/ifuzz/generated [no test files] ok github.com/google/syzkaller/pkg/instance 1.912s ok github.com/google/syzkaller/pkg/ipc 3.671s ? github.com/google/syzkaller/pkg/ipc/ipcconfig [no test files] ? github.com/google/syzkaller/pkg/kcidb [no test files] ok github.com/google/syzkaller/pkg/kd (cached) ok github.com/google/syzkaller/pkg/log (cached) ok github.com/google/syzkaller/pkg/mgrconfig (cached) ok github.com/google/syzkaller/pkg/osutil (cached) ok github.com/google/syzkaller/pkg/report (cached) ok github.com/google/syzkaller/pkg/repro (cached) ? github.com/google/syzkaller/pkg/rpctype [no test files] ok github.com/google/syzkaller/pkg/runtest 61.355s ok github.com/google/syzkaller/pkg/serializer (cached) ? github.com/google/syzkaller/pkg/signal [no test files] ok github.com/google/syzkaller/pkg/symbolizer 0.185s ok github.com/google/syzkaller/pkg/vcs 6.471s ok github.com/google/syzkaller/prog (cached) ok github.com/google/syzkaller/prog/test (cached) ? github.com/google/syzkaller/sys [no test files] ? github.com/google/syzkaller/sys/akaros [no test files] ? github.com/google/syzkaller/sys/akaros/gen [no test files] ? github.com/google/syzkaller/sys/freebsd [no test files] ? github.com/google/syzkaller/sys/freebsd/gen [no test files] ? github.com/google/syzkaller/sys/fuchsia [no test files] ? github.com/google/syzkaller/sys/fuchsia/fidlgen [no test files] ? github.com/google/syzkaller/sys/fuchsia/gen [no test files] ? github.com/google/syzkaller/sys/fuchsia/layout [no test files] ok github.com/google/syzkaller/sys/linux (cached) ? github.com/google/syzkaller/sys/linux/gen [no test files] ? github.com/google/syzkaller/sys/netbsd [no test files] ? github.com/google/syzkaller/sys/netbsd/gen [no test files] ok github.com/google/syzkaller/sys/openbsd (cached) ? github.com/google/syzkaller/sys/openbsd/gen [no test files] ? github.com/google/syzkaller/sys/syz-extract [no test files] ? github.com/google/syzkaller/sys/syz-sysgen [no test files] ? github.com/google/syzkaller/sys/targets [no test files] ? github.com/google/syzkaller/sys/test [no test files] ? github.com/google/syzkaller/sys/test/gen [no test files] ? github.com/google/syzkaller/sys/trusty [no test files] ? github.com/google/syzkaller/sys/trusty/gen [no test files] ? github.com/google/syzkaller/sys/windows [no test files] ? github.com/google/syzkaller/sys/windows/gen [no test files] ok github.com/google/syzkaller/syz-ci (cached) ok github.com/google/syzkaller/syz-fuzzer (cached) ok github.com/google/syzkaller/syz-hub (cached) ok github.com/google/syzkaller/syz-hub/state (cached) ? github.com/google/syzkaller/syz-manager [no test files] ? github.com/google/syzkaller/tools/syz-benchcmp [no test files] ? github.com/google/syzkaller/tools/syz-bisect [no test files] ? github.com/google/syzkaller/tools/syz-check [no test files] ? github.com/google/syzkaller/tools/syz-cover [no test files] ? github.com/google/syzkaller/tools/syz-crush [no test files] ? github.com/google/syzkaller/tools/syz-db [no test files] ? github.com/google/syzkaller/tools/syz-execprog [no test files] ? github.com/google/syzkaller/tools/syz-expand [no test files] ? github.com/google/syzkaller/tools/syz-fmt [no test files] ? github.com/google/syzkaller/tools/syz-hubtool [no test files] ? github.com/google/syzkaller/tools/syz-kcidb [no test files] ok github.com/google/syzkaller/tools/syz-linter 3.367s ? github.com/google/syzkaller/tools/syz-make [no test files] ? github.com/google/syzkaller/tools/syz-mutate [no test files] ? github.com/google/syzkaller/tools/syz-prog2c [no test files] ? github.com/google/syzkaller/tools/syz-reporter [no test files] ? github.com/google/syzkaller/tools/syz-repro [no test files] ? github.com/google/syzkaller/tools/syz-reprolist [no test files] ? github.com/google/syzkaller/tools/syz-runtest [no test files] ? github.com/google/syzkaller/tools/syz-showprio [no test files] ? github.com/google/syzkaller/tools/syz-stress [no test files] ? github.com/google/syzkaller/tools/syz-symbolize [no test files] ? github.com/google/syzkaller/tools/syz-testbuild [no test files] ? github.com/google/syzkaller/tools/syz-trace2syz [no test files] ok github.com/google/syzkaller/tools/syz-trace2syz/parser (cached) ok github.com/google/syzkaller/tools/syz-trace2syz/proggen (cached) ? github.com/google/syzkaller/tools/syz-tty [no test files] ? github.com/google/syzkaller/tools/syz-upgrade [no test files] ? github.com/google/syzkaller/tools/syz-usbgen [no test files] ok github.com/google/syzkaller/vm (cached) ? github.com/google/syzkaller/vm/adb [no test files] ? github.com/google/syzkaller/vm/bhyve [no test files] ? github.com/google/syzkaller/vm/gce [no test files] ? github.com/google/syzkaller/vm/gvisor [no test files] ok github.com/google/syzkaller/vm/isolated (cached) ? github.com/google/syzkaller/vm/kvm [no test files] ? github.com/google/syzkaller/vm/odroid [no test files] ? github.com/google/syzkaller/vm/qemu [no test files] ok github.com/google/syzkaller/vm/vmimpl (cached) ? github.com/google/syzkaller/vm/vmm [no test files] FAIL