ok github.com/google/syzkaller/dashboard/app 0.358s ? github.com/google/syzkaller/dashboard/dashapi [no test files] ok github.com/google/syzkaller/executor 1.624s ok github.com/google/syzkaller/pkg/ast 1.720s ok github.com/google/syzkaller/pkg/bisect 77.280s ok github.com/google/syzkaller/pkg/build 2.011s ? github.com/google/syzkaller/pkg/cmdprof [no test files] ok github.com/google/syzkaller/pkg/compiler 10.910s ok github.com/google/syzkaller/pkg/config 0.142s ? github.com/google/syzkaller/pkg/cover [no test files] --- FAIL: TestGenerate (9.18s) --- FAIL: TestGenerate/freebsd/386 (0.58s) csource_test.go:67: seed=1601677436307321929 --- FAIL: TestGenerate/freebsd/386/14 (1.32s) csource_test.go:123: opts: {Threaded:true Collide:true Repeat:true RepeatTimes:0 Procs:2 Sandbox:none Fault:false FaultCall:0 FaultNth:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false USB:false VhciInjection:false Wifi:false UseTmpDir:true HandleSegv:false Repro:true Trace:false} program: __realpathat(0xffffffffffffffff, &(0x7f0000000000)='./file0\x00', &(0x7f0000000040)=""/8, 0x8, 0x0) getsockopt$inet6_sctp_SCTP_PEER_AUTH_CHUNKS(0xffffffffffffff9c, 0x84, 0x102, &(0x7f0000000080)={0x0, 0x2c, "62b731e5fc22a3896ac6142a20732d2e97c59348119c3364ac33637589f0a0bf0d2453a689736a74ea769dd5"}, &(0x7f00000000c0)=0x34) r1 = openat(0xffffffffffffff9c, &(0x7f0000000100)='./file0\x00', 0x0, 0x44) mknodat(r1, &(0x7f0000000140)='.\x00', 0x1, 0x1) r2 = getgid() setregid(r2, 0xffffffffffffffff) getresuid(&(0x7f0000000180), &(0x7f00000001c0), &(0x7f0000000200)) ioctl$DIOCGETALTQV1(r1, 0xc1304430, &(0x7f0000000240)="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") ioctl$DIOCRSETTFLAGS(r1, 0xc450444a, 
&(0x7f00000003c0)={{"d6fa813738994e7fbcd0822ab85e0dd441a9524fcd7c8a27918782950297b87f7005d8d07afac53f2c3b08a3646d6c7d183c035fb9ecd47e0a514c31d1a710639be6bb3ed9fe948392aab56f61b2298734a9798a23656575cb590eec37bbd88f3ad7fdc4e6aeeb45260e079626fb7650e7a30e365cd1617ffc7894f4810e592a109f98a430513f916f5870f2cd6fc809f2c1530866610da68fced1f612c48691dabc727ba8fbb5eb0683f219767a3f4f322c1a81304b2ab418a92669f9d81bcc638bbd259e0ce0c254c12a6efab27f799b0e6167904e659e359ec31a83cf8245d717ede039a40a2ec03b5a6869e269015579c6799495fecbdbdd09f2e25751bd49d62080c6a3adeb533926007b93ae74682755a6c676a25653abf013a6e5008b1ca4410d58ff4cacff233f2dcb00d579e62cc9228ddf84c99cfa6294292518c3189c2c69dc3de8bbd21d101eee91334cd0bcefb94774ea2696ca9800508dd84d66eed81c3482432db97754aff0ded5b4d6a4bd646c55e9071af6bc0ea9677e094f5f3ed72b69a5c6c701e2dae894656e521ff37ca12e99bb4c5e73cebe83cfc0cae6ce0b75b112406af1bf2116626c0595f7ee626bec0dda5c1c2c0af503d2f6bb74795c938c61fcad9f51c0dcd883403e68952d347f1b828690be2fe1820fd1052d10252b91e780d35a17706a6b71437d7817d0589eb2eb987cb43d8b0947ba9bfe7c513cab3ce7d2a9261365edcb70fadd303a4c03025a9f82bd82da37f8c5cff988548bfdbddb9741cd086405c0f4d572731f045b9f14da39f45d038544b20bfb152abde3327132cfd095923fe47a7a24795979f1ab89a50dbf40acf354094652f4285395f3a6f618f4505e5e6119f7b83da698bea9d4b53b0c5646a85e45b9ae74375e329516432299217c15e4974653bff7c300e8b0181433b381f9f701540e5ecd7a36b12c6601ced580e70b03694370f170db27de9978def7dceef2a7dc93bbd410573233e863b253066c54b999c9abd52ef50b5e754193d2cf360294dfd60dc67f73118adaf6828c9fa98b0193593577873937774ea4512935f0fd4b00eff3c0cb0e8ab96f8b952ab7ca5879e6b580ac9d67605491f8121fec81b92ffbb703cf462dc5571ccaf1b7345ab193d4306118a3f19bf2795b5c50d7e64a980cc252acc40e8a605035a15d406d869a2bd275a9bfbbaf0e4e3cc1b3ece4fd2d519aa540fc27ddfec3cc0e3bd35b68bc309cf9ba9ef5ec4752e72b9b365fea7dbd38c695a6e46ba9f8f569d8571c21447282d10117e2fc3111a5b7c24694d9fc3373bc9b34acbbbace29322244b545c8bd44c7a541655c47f6ff021f62583571f24260a474b409e055ee28ced6b1a2c84b9af8282afa5e4c29a5725bba8
576a319d8a1d63ed3bbd360571c7c6634a455b3d352aff5192e5de94dc440106f6956", "ab289979a2680ec5678ca2f69243ee515fadd8e8e6d59c968b2d89c013ed6012", 0x5, 0x7}, &(0x7f0000000340)="c1f79791e5374e62af4be8dbfad23a442bb6c0e5568ca98b716e4d91ccc6bc482ac8112393ab4b77fa22dd04722d6687272199a823b155fba282b7744f27a0b754f70b81d4f243ff827c81804ee873cc2037b6b9f185b75bd183891fef90a0f753bfef3058cbf145f945e2ed526c5d", 0x84, 0x4, 0x8, 0x7, 0x400, 0x8, 0x8, 0x81}) setsockopt$inet6_sctp_SCTP_RECONFIG_SUPPORTED(0xffffffffffffffff, 0x84, 0x29, &(0x7f0000000840)={r0, 0x8}, 0x8) syz_emit_ethernet(0x44, &(0x7f0000000000)={@broadcast, @random="34f75c76c0d1", [{[{0x88a8, 0x6}], {0x8100, 0x5, 0x1, 0x2}}], {@arp={0x806, @generic={0x18, 0x812b, 0x6, 0xa, 0x2, @empty, "49d325ffc361b7df0cd1", @remote, "81435add99354009445dd94f88b48924"}}}}) syz_execute_func(&(0x7f0000000080)="df7565c4e2c9ae3500000000660f3803575265660f5fe4260ff66b00c4e1c5db83c9000000c4c1fa70830080000008f30f1efa0f0d697636f30f5bfb") syz_extract_tcp_res(&(0x7f00000000c0), 0x5, 0x1) csource_test.go:124: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include static unsigned long long procid; static void kill_and_wait(int pid, int* status) { kill(pid, SIGKILL); while (waitpid(-1, status, 0) != pid) { } } static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void use_temporary_dir(void) { char tmpdir_template[] = "./syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) exit(1); if (chmod(tmpdir, 0777)) exit(1); if (chdir(tmpdir)) exit(1); } static void __attribute__((noinline)) remove_dir(const char* dir) { DIR* dp = 
opendir(dir); if (dp == NULL) { if (errno == EACCES) { if (rmdir(dir)) exit(1); return; } exit(1); } struct dirent* ep = 0; while ((ep = readdir(dp))) { if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0) continue; char filename[FILENAME_MAX]; snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name); struct stat st; if (lstat(filename, &st)) exit(1); if (S_ISDIR(st.st_mode)) { remove_dir(filename); continue; } if (unlink(filename)) exit(1); } closedir(dp); if (rmdir(dir)) exit(1); } static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); pthread_attr_setstacksize(&attr, 128 << 10); int i = 0; for (; i < 100; i++) { if (pthread_create(&th, &attr, fn, arg) == 0) { pthread_attr_destroy(&attr); return; } if (errno == EAGAIN) { usleep(50); continue; } break; } exit(1); } typedef struct { pthread_mutex_t mu; pthread_cond_t cv; int state; } event_t; static void event_init(event_t* ev) { if (pthread_mutex_init(&ev->mu, 0)) exit(1); if (pthread_cond_init(&ev->cv, 0)) exit(1); ev->state = 0; } static void event_reset(event_t* ev) { ev->state = 0; } static void event_set(event_t* ev) { pthread_mutex_lock(&ev->mu); if (ev->state) exit(1); ev->state = 1; pthread_mutex_unlock(&ev->mu); pthread_cond_broadcast(&ev->cv); } static void event_wait(event_t* ev) { pthread_mutex_lock(&ev->mu); while (!ev->state) pthread_cond_wait(&ev->cv, &ev->mu); pthread_mutex_unlock(&ev->mu); } static int event_isset(event_t* ev) { pthread_mutex_lock(&ev->mu); int res = ev->state; pthread_mutex_unlock(&ev->mu); return res; } static int event_timedwait(event_t* ev, uint64_t timeout) { uint64_t start = current_time_ms(); uint64_t now = start; pthread_mutex_lock(&ev->mu); for (;;) { if (ev->state) break; uint64_t remain = timeout - (now - start); struct timespec ts; ts.tv_sec = remain / 1000; ts.tv_nsec = (remain % 1000) * 1000 * 1000; pthread_cond_timedwait(&ev->cv, &ev->mu, &ts); now = current_time_ms(); if (now - 
start > timeout) break; } int res = ev->state; pthread_mutex_unlock(&ev->mu); return res; } #define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off)) #define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len)))) static void sandbox_common() { if (setsid() == -1) exit(1); struct rlimit rlim; rlim.rlim_cur = rlim.rlim_max = 128 << 20; setrlimit(RLIMIT_AS, &rlim); rlim.rlim_cur = rlim.rlim_max = 8 << 20; setrlimit(RLIMIT_MEMLOCK, &rlim); rlim.rlim_cur = rlim.rlim_max = 1 << 20; setrlimit(RLIMIT_FSIZE, &rlim); rlim.rlim_cur = rlim.rlim_max = 1 << 20; setrlimit(RLIMIT_STACK, &rlim); rlim.rlim_cur = rlim.rlim_max = 0; setrlimit(RLIMIT_CORE, &rlim); rlim.rlim_cur = rlim.rlim_max = 256; setrlimit(RLIMIT_NOFILE, &rlim); } static void loop(); static int do_sandbox_none(void) { sandbox_common(); loop(); return 0; } static long syz_execute_func(volatile long text) { volatile long p[8] = {0}; (void)p; ((void (*)(void))(text))(); return 0; } struct thread_t { int created, call; event_t ready, done; }; static struct thread_t threads[16]; static void execute_call(int call); static int running; static void* thr(void* arg) { struct thread_t* th = (struct thread_t*)arg; for (;;) { event_wait(&th->ready); event_reset(&th->ready); execute_call(th->call); __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED); event_set(&th->done); } return 0; } static void execute_one(void) { if (write(1, "executing program\n", sizeof("executing program\n") - 1)) { } int i, call, thread; int collide = 0; again: for (call = 0; call < 13; call++) { for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) { struct thread_t* th = &threads[thread]; if (!th->created) { th->created = 1; event_init(&th->ready); event_init(&th->done); event_set(&th->done); thread_start(thr, th); } if (!event_isset(&th->done)) continue; event_reset(&th->done); 
th->call = call; __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED); event_set(&th->ready); if (collide && (call % 2) == 0) break; event_timedwait(&th->done, 45); break; } } for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++) sleep_ms(1); if (!collide) { collide = 1; goto again; } } static void execute_one(void); #define WAIT_FLAGS 0 static void loop(void) { int iter = 0; for (;; iter++) { char cwdbuf[32]; sprintf(cwdbuf, "./%d", iter); if (mkdir(cwdbuf, 0777)) exit(1); int pid = fork(); if (pid < 0) exit(1); if (pid == 0) { if (chdir(cwdbuf)) exit(1); execute_one(); exit(0); } int status = 0; uint64_t start = current_time_ms(); for (;;) { if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) break; sleep_ms(1); if (current_time_ms() - start < 5 * 1000) continue; kill_and_wait(pid, &status); break; } remove_dir(cwdbuf); } } uint64_t r[3] = {0x0, 0xffffffffffffffff, 0x0}; void execute_call(int call) { intptr_t res = 0; switch (call) { case 0: memcpy((void*)0x10000000, "./file0\000", 8); syscall(SYS___realpathat, -1, 0x10000000, 0x10000040, 8, 0); break; case 1: *(uint32_t*)0x10000080 = 0; *(uint32_t*)0x10000084 = 0x2c; memcpy((void*)0x10000088, "\x62\xb7\x31\xe5\xfc\x22\xa3\x89\x6a\xc6\x14\x2a\x20\x73\x2d\x2e\x97\xc5\x93\x48\x11\x9c\x33\x64\xac\x33\x63\x75\x89\xf0\xa0\xbf\x0d\x24\x53\xa6\x89\x73\x6a\x74\xea\x76\x9d\xd5", 44); *(uint32_t*)0x100000c0 = 0x34; res = syscall(SYS_getsockopt, 0xffffff9c, 0x84, 0x102, 0x10000080, 0x100000c0); if (res != -1) r[0] = *(uint32_t*)0x10000080; break; case 2: memcpy((void*)0x10000100, "./file0\000", 8); res = syscall(SYS_openat, 0xffffff9c, 0x10000100, 0, 0x44); if (res != -1) r[1] = res; break; case 3: memcpy((void*)0x10000140, ".\000", 2); syscall(SYS_mknodat, (intptr_t)r[1], 0x10000140, 1, 1ull); break; case 4: res = syscall(SYS_getgid); if (res != -1) r[2] = res; break; case 5: syscall(SYS_setregid, (intptr_t)r[2], -1); break; case 6: syscall(SYS_getresuid, 0x10000180, 0x100001c0, 0x10000200); break; case 
7: memcpy((void*)0x10000240, "\x08\x9a\xeb\x92\x13\x37\xee\x4b\xe0\x2b\x25\x24\xde\xba\x2f\xa2\xaa\x5f\xde\xc7\x43\xab\xfb\xa1\x03\xa7\x1a\xdb\x46\x6a\xe5\x66\xa8\x6e\x3b\x1b\xd5\xcf\xad\x07\x13\x41\x82\x93\xfe\x77\x9a\xc8\xf4\x0d\xd4\x64\x47\x05\x6a\x46\xf4\x13\x56\x14\x28\x0e\x54\xe4\xfc\xfe\x48\x7c\xba\xef\x1b\x5e\xcc\xb6\x5f\xf7\xc1\xf3\x0c\xb7\x6c\x4b\xb0\x32\xc3\x62\xf1\x50\x1f\x50\xa8\x7f\x03\x1c\x31\xf0\xf0\x44\x12\x24\x70\x15\xa8\x17\xdc\x8d\x57\xb6\x6b\x42\x4c\x42\x11\x5b\x16\xd2\xf8\x87\xa7\x9a\x73\xde\xab\x24\x72\x04\x0a\x70\x0e\xe0\x0e\xa1\xc3\x3b\xfd\x05\x72\x88\x5d\x52\x8c\x91\x01\xc3\xc3\x00\x98\x1a\x34\x25\x79\xad\x50\xe7\xa1\xc1\x38\xa0\x00\xe3\x78\x65\x0d\xe1\x6a\xbb\x78\xe2\x22\x9f\x64\x50\x99\xa9\x03\x8b\xc3\x17\xa7\xe9\x06\xcd\x48\x09\x73\x0a\x74\x1e\x3c\x94\x5a\x19\xcc\x3c\x5f\xad\xb4\x2f\x84\x5b\xda\xbc\x65\x17\x5a\x90\x61\xff\xe5\x37\x47\x39\x41\xee\x21\x18\x50\x5f\xda\xf4\x49\x56\xce\xde\xf6\x03\xa0\xc8\x2d\x39\xd1\x1d\xd6\xb9\x44\xdc\x92\x15\xe8\x61\x9a\x56\x52\xed\x68\x32\xd5\x32\xfe\x16\xbf\x62\xb6\x0c", 254); syscall(SYS_ioctl, (intptr_t)r[1], 0xc1304430, 0x10000240); break; case 8: memcpy((void*)0x100003c0, 
"\xd6\xfa\x81\x37\x38\x99\x4e\x7f\xbc\xd0\x82\x2a\xb8\x5e\x0d\xd4\x41\xa9\x52\x4f\xcd\x7c\x8a\x27\x91\x87\x82\x95\x02\x97\xb8\x7f\x70\x05\xd8\xd0\x7a\xfa\xc5\x3f\x2c\x3b\x08\xa3\x64\x6d\x6c\x7d\x18\x3c\x03\x5f\xb9\xec\xd4\x7e\x0a\x51\x4c\x31\xd1\xa7\x10\x63\x9b\xe6\xbb\x3e\xd9\xfe\x94\x83\x92\xaa\xb5\x6f\x61\xb2\x29\x87\x34\xa9\x79\x8a\x23\x65\x65\x75\xcb\x59\x0e\xec\x37\xbb\xd8\x8f\x3a\xd7\xfd\xc4\xe6\xae\xeb\x45\x26\x0e\x07\x96\x26\xfb\x76\x50\xe7\xa3\x0e\x36\x5c\xd1\x61\x7f\xfc\x78\x94\xf4\x81\x0e\x59\x2a\x10\x9f\x98\xa4\x30\x51\x3f\x91\x6f\x58\x70\xf2\xcd\x6f\xc8\x09\xf2\xc1\x53\x08\x66\x61\x0d\xa6\x8f\xce\xd1\xf6\x12\xc4\x86\x91\xda\xbc\x72\x7b\xa8\xfb\xb5\xeb\x06\x83\xf2\x19\x76\x7a\x3f\x4f\x32\x2c\x1a\x81\x30\x4b\x2a\xb4\x18\xa9\x26\x69\xf9\xd8\x1b\xcc\x63\x8b\xbd\x25\x9e\x0c\xe0\xc2\x54\xc1\x2a\x6e\xfa\xb2\x7f\x79\x9b\x0e\x61\x67\x90\x4e\x65\x9e\x35\x9e\xc3\x1a\x83\xcf\x82\x45\xd7\x17\xed\xe0\x39\xa4\x0a\x2e\xc0\x3b\x5a\x68\x69\xe2\x69\x01\x55\x79\xc6\x79\x94\x95\xfe\xcb\xdb\xdd\x09\xf2\xe2\x57\x51\xbd\x49\xd6\x20\x80\xc6\xa3\xad\xeb\x53\x39\x26\x00\x7b\x93\xae\x74\x68\x27\x55\xa6\xc6\x76\xa2\x56\x53\xab\xf0\x13\xa6\xe5\x00\x8b\x1c\xa4\x41\x0d\x58\xff\x4c\xac\xff\x23\x3f\x2d\xcb\x00\xd5\x79\xe6\x2c\xc9\x22\x8d\xdf\x84\xc9\x9c\xfa\x62\x94\x29\x25\x18\xc3\x18\x9c\x2c\x69\xdc\x3d\xe8\xbb\xd2\x1d\x10\x1e\xee\x91\x33\x4c\xd0\xbc\xef\xb9\x47\x74\xea\x26\x96\xca\x98\x00\x50\x8d\xd8\x4d\x66\xee\xd8\x1c\x34\x82\x43\x2d\xb9\x77\x54\xaf\xf0\xde\xd5\xb4\xd6\xa4\xbd\x64\x6c\x55\xe9\x07\x1a\xf6\xbc\x0e\xa9\x67\x7e\x09\x4f\x5f\x3e\xd7\x2b\x69\xa5\xc6\xc7\x01\xe2\xda\xe8\x94\x65\x6e\x52\x1f\xf3\x7c\xa1\x2e\x99\xbb\x4c\x5e\x73\xce\xbe\x83\xcf\xc0\xca\xe6\xce\x0b\x75\xb1\x12\x40\x6a\xf1\xbf\x21\x16\x62\x6c\x05\x95\xf7\xee\x62\x6b\xec\x0d\xda\x5c\x1c\x2c\x0a\xf5\x03\xd2\xf6\xbb\x74\x79\x5c\x93\x8c\x61\xfc\xad\x9f\x51\xc0\xdc\xd8\x83\x40\x3e\x68\x95\x2d\x34\x7f\x1b\x82\x86\x90\xbe\x2f\xe1\x82\x0f\xd1\x05\x2d\x10\x25\x2b\x91\xe7\x80\xd3\x5a\x17\x70\x6a\x6b\x71\x43\x7d\x78\x17\xd
0\x58\x9e\xb2\xeb\x98\x7c\xb4\x3d\x8b\x09\x47\xba\x9b\xfe\x7c\x51\x3c\xab\x3c\xe7\xd2\xa9\x26\x13\x65\xed\xcb\x70\xfa\xdd\x30\x3a\x4c\x03\x02\x5a\x9f\x82\xbd\x82\xda\x37\xf8\xc5\xcf\xf9\x88\x54\x8b\xfd\xbd\xdb\x97\x41\xcd\x08\x64\x05\xc0\xf4\xd5\x72\x73\x1f\x04\x5b\x9f\x14\xda\x39\xf4\x5d\x03\x85\x44\xb2\x0b\xfb\x15\x2a\xbd\xe3\x32\x71\x32\xcf\xd0\x95\x92\x3f\xe4\x7a\x7a\x24\x79\x59\x79\xf1\xab\x89\xa5\x0d\xbf\x40\xac\xf3\x54\x09\x46\x52\xf4\x28\x53\x95\xf3\xa6\xf6\x18\xf4\x50\x5e\x5e\x61\x19\xf7\xb8\x3d\xa6\x98\xbe\xa9\xd4\xb5\x3b\x0c\x56\x46\xa8\x5e\x45\xb9\xae\x74\x37\x5e\x32\x95\x16\x43\x22\x99\x21\x7c\x15\xe4\x97\x46\x53\xbf\xf7\xc3\x00\xe8\xb0\x18\x14\x33\xb3\x81\xf9\xf7\x01\x54\x0e\x5e\xcd\x7a\x36\xb1\x2c\x66\x01\xce\xd5\x80\xe7\x0b\x03\x69\x43\x70\xf1\x70\xdb\x27\xde\x99\x78\xde\xf7\xdc\xee\xf2\xa7\xdc\x93\xbb\xd4\x10\x57\x32\x33\xe8\x63\xb2\x53\x06\x6c\x54\xb9\x99\xc9\xab\xd5\x2e\xf5\x0b\x5e\x75\x41\x93\xd2\xcf\x36\x02\x94\xdf\xd6\x0d\xc6\x7f\x73\x11\x8a\xda\xf6\x82\x8c\x9f\xa9\x8b\x01\x93\x59\x35\x77\x87\x39\x37\x77\x4e\xa4\x51\x29\x35\xf0\xfd\x4b\x00\xef\xf3\xc0\xcb\x0e\x8a\xb9\x6f\x8b\x95\x2a\xb7\xca\x58\x79\xe6\xb5\x80\xac\x9d\x67\x60\x54\x91\xf8\x12\x1f\xec\x81\xb9\x2f\xfb\xb7\x03\xcf\x46\x2d\xc5\x57\x1c\xca\xf1\xb7\x34\x5a\xb1\x93\xd4\x30\x61\x18\xa3\xf1\x9b\xf2\x79\x5b\x5c\x50\xd7\xe6\x4a\x98\x0c\xc2\x52\xac\xc4\x0e\x8a\x60\x50\x35\xa1\x5d\x40\x6d\x86\x9a\x2b\xd2\x75\xa9\xbf\xbb\xaf\x0e\x4e\x3c\xc1\xb3\xec\xe4\xfd\x2d\x51\x9a\xa5\x40\xfc\x27\xdd\xfe\xc3\xcc\x0e\x3b\xd3\x5b\x68\xbc\x30\x9c\xf9\xba\x9e\xf5\xec\x47\x52\xe7\x2b\x9b\x36\x5f\xea\x7d\xbd\x38\xc6\x95\xa6\xe4\x6b\xa9\xf8\xf5\x69\xd8\x57\x1c\x21\x44\x72\x82\xd1\x01\x17\xe2\xfc\x31\x11\xa5\xb7\xc2\x46\x94\xd9\xfc\x33\x73\xbc\x9b\x34\xac\xbb\xba\xce\x29\x32\x22\x44\xb5\x45\xc8\xbd\x44\xc7\xa5\x41\x65\x5c\x47\xf6\xff\x02\x1f\x62\x58\x35\x71\xf2\x42\x60\xa4\x74\xb4\x09\xe0\x55\xee\x28\xce\xd6\xb1\xa2\xc8\x4b\x9a\xf8\x28\x2a\xfa\x5e\x4c\x29\xa5\x72\x5b\xba\x85\x76\xa3\x19\xd8\xa1\xd6\x3e\xd3\xbb\xd
3\x60\x57\x1c\x7c\x66\x34\xa4\x55\xb3\xd3\x52\xaf\xf5\x19\x2e\x5d\xe9\x4d\xc4\x40\x10\x6f\x69\x56", 1024); memcpy((void*)0x100007c0, "\xab\x28\x99\x79\xa2\x68\x0e\xc5\x67\x8c\xa2\xf6\x92\x43\xee\x51\x5f\xad\xd8\xe8\xe6\xd5\x9c\x96\x8b\x2d\x89\xc0\x13\xed\x60\x12", 32); *(uint32_t*)0x100007e0 = 5; *(uint8_t*)0x100007e4 = 7; *(uint32_t*)0x100007e8 = 0x10000340; memcpy((void*)0x10000340, "\xc1\xf7\x97\x91\xe5\x37\x4e\x62\xaf\x4b\xe8\xdb\xfa\xd2\x3a\x44\x2b\xb6\xc0\xe5\x56\x8c\xa9\x8b\x71\x6e\x4d\x91\xcc\xc6\xbc\x48\x2a\xc8\x11\x23\x93\xab\x4b\x77\xfa\x22\xdd\x04\x72\x2d\x66\x87\x27\x21\x99\xa8\x23\xb1\x55\xfb\xa2\x82\xb7\x74\x4f\x27\xa0\xb7\x54\xf7\x0b\x81\xd4\xf2\x43\xff\x82\x7c\x81\x80\x4e\xe8\x73\xcc\x20\x37\xb6\xb9\xf1\x85\xb7\x5b\xd1\x83\x89\x1f\xef\x90\xa0\xf7\x53\xbf\xef\x30\x58\xcb\xf1\x45\xf9\x45\xe2\xed\x52\x6c\x5d", 111); *(uint64_t*)0x100007ec = 0x84; *(uint64_t*)0x100007f4 = 4; *(uint64_t*)0x100007fc = 8; *(uint64_t*)0x10000804 = 7; *(uint64_t*)0x1000080c = 0x400; *(uint64_t*)0x10000814 = 8; *(uint64_t*)0x1000081c = 8; *(uint32_t*)0x10000824 = 0x81; syscall(SYS_ioctl, (intptr_t)r[1], 0xc450444a, 0x100003c0); break; case 9: *(uint32_t*)0x10000840 = r[0]; *(uint32_t*)0x10000844 = 8; syscall(SYS_setsockopt, -1, 0x84, 0x29, 0x10000840, 8); break; case 10: *(uint8_t*)0x10000000 = -1; *(uint8_t*)0x10000001 = -1; *(uint8_t*)0x10000002 = -1; *(uint8_t*)0x10000003 = -1; *(uint8_t*)0x10000004 = -1; *(uint8_t*)0x10000005 = -1; memcpy((void*)0x10000006, "\x34\xf7\x5c\x76\xc0\xd1", 6); *(uint16_t*)0x1000000c = htobe16(0x88a8); STORE_BY_BITMASK(uint16_t, , 0x1000000e, 6, 0, 3); STORE_BY_BITMASK(uint16_t, , 0x1000000e, 0, 3, 1); STORE_BY_BITMASK(uint16_t, , 0x1000000e, 0, 4, 12); *(uint16_t*)0x10000010 = htobe16(0x8100); STORE_BY_BITMASK(uint16_t, , 0x10000012, 5, 0, 3); STORE_BY_BITMASK(uint16_t, , 0x10000012, 1, 3, 1); STORE_BY_BITMASK(uint16_t, , 0x10000012, 2, 4, 12); *(uint16_t*)0x10000014 = htobe16(0x806); *(uint16_t*)0x10000016 = htobe16(0x18); 
*(uint16_t*)0x10000018 = htobe16(0x812b); *(uint8_t*)0x1000001a = 6; *(uint8_t*)0x1000001b = 0xa; *(uint16_t*)0x1000001c = htobe16(2); *(uint8_t*)0x1000001e = 0; *(uint8_t*)0x1000001f = 0; *(uint8_t*)0x10000020 = 0; *(uint8_t*)0x10000021 = 0; *(uint8_t*)0x10000022 = 0; *(uint8_t*)0x10000023 = 0; memcpy((void*)0x10000024, "\x49\xd3\x25\xff\xc3\x61\xb7\xdf\x0c\xd1", 10); *(uint8_t*)0x1000002e = 0xaa; *(uint8_t*)0x1000002f = 0xaa; *(uint8_t*)0x10000030 = 0xaa; *(uint8_t*)0x10000031 = 0xaa; *(uint8_t*)0x10000032 = 0xaa; *(uint8_t*)0x10000033 = 0xbb; memcpy((void*)0x10000034, "\x81\x43\x5a\xdd\x99\x35\x40\x09\x44\x5d\xd9\x4f\x88\xb4\x89\x24", 16); break; case 11: memcpy((void*)0x10000080, "\xdf\x75\x65\xc4\xe2\xc9\xae\x35\x00\x00\x00\x00\x66\x0f\x38\x03\x57\x52\x65\x66\x0f\x5f\xe4\x26\x0f\xf6\x6b\x00\xc4\xe1\xc5\xdb\x83\xc9\x00\x00\x00\xc4\xc1\xfa\x70\x83\x00\x80\x00\x00\x08\xf3\x0f\x1e\xfa\x0f\x0d\x69\x76\x36\xf3\x0f\x5b\xfb", 60); syz_execute_func(0x10000080); break; case 12: break; } } int main(void) { syscall(SYS_mmap, 0x10000000, 0x1000000, 7, 0x1012, -1, 0); for (procid = 0; procid < 2; procid++) { if (fork() == 0) { use_temporary_dir(); do_sandbox_none(); } } sleep(1000000); return 0; } :323:11: error: use of undeclared identifier 'SYS___realpathat' syscall(SYS___realpathat, -1, 0x10000000, 0x10000040, 8, 0); ^ 1 error generated. 
compiler invocation: clang [-o /tmp/syz-executor497881013 -DGOOS_freebsd=1 -DGOARCH_386=1 -DHOSTGOOS_freebsd=1 -x c - -m32 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -static -lc++ -Wno-overflow] --- FAIL: TestGenerate/freebsd/386/0 (1.52s) csource_test.go:123: opts: {Threaded:false Collide:false Repeat:true RepeatTimes:0 Procs:0 Sandbox:none Fault:false FaultCall:0 FaultNth:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false USB:false VhciInjection:false Wifi:false UseTmpDir:true HandleSegv:false Repro:false Trace:false} program: __realpathat(0xffffffffffffffff, &(0x7f0000000000)='./file0\x00', &(0x7f0000000040)=""/8, 0x8, 0x0) getsockopt$inet6_sctp_SCTP_PEER_AUTH_CHUNKS(0xffffffffffffff9c, 0x84, 0x102, &(0x7f0000000080)={0x0, 0x2c, "62b731e5fc22a3896ac6142a20732d2e97c59348119c3364ac33637589f0a0bf0d2453a689736a74ea769dd5"}, &(0x7f00000000c0)=0x34) r1 = openat(0xffffffffffffff9c, &(0x7f0000000100)='./file0\x00', 0x0, 0x44) mknodat(r1, &(0x7f0000000140)='.\x00', 0x1, 0x1) r2 = getgid() setregid(r2, 0xffffffffffffffff) getresuid(&(0x7f0000000180), &(0x7f00000001c0), &(0x7f0000000200)) ioctl$DIOCGETALTQV1(r1, 0xc1304430, &(0x7f0000000240)="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") ioctl$DIOCRSETTFLAGS(r1, 0xc450444a, &(0x7f00000003c0)={{"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", "ab289979a2680ec5678ca2f69243ee515fadd8e8e6d59c968b2d89c013ed6012", 0x5, 0x7}, &(0x7f0000000340)="c1f79791e5374e62af4be8dbfad23a442bb6c0e5568ca98b716e4d91ccc6bc482ac8112393ab4b77fa22dd04722d6687272199a823b155fba282b7744f27a0b754f70b81d4f243ff827c81804ee873cc2037b6b9f185b75bd183891fef90a0f753bfef3058cbf145f945e2ed526c5d", 0x84, 0x4, 0x8, 0x7, 0x400, 0x8, 0x8, 0x81}) setsockopt$inet6_sctp_SCTP_RECONFIG_SUPPORTED(0xffffffffffffffff, 0x84, 0x29, &(0x7f0000000840)={r0, 0x8}, 0x8) syz_emit_ethernet(0x44, &(0x7f0000000000)={@broadcast, 
@random="34f75c76c0d1", [{[{0x88a8, 0x6}], {0x8100, 0x5, 0x1, 0x2}}], {@arp={0x806, @generic={0x18, 0x812b, 0x6, 0xa, 0x2, @empty, "49d325ffc361b7df0cd1", @remote, "81435add99354009445dd94f88b48924"}}}}) syz_execute_func(&(0x7f0000000080)="df7565c4e2c9ae3500000000660f3803575265660f5fe4260ff66b00c4e1c5db83c9000000c4c1fa70830080000008f30f1efa0f0d697636f30f5bfb") syz_extract_tcp_res(&(0x7f00000000c0), 0x5, 0x1) csource_test.go:124: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include static void kill_and_wait(int pid, int* status) { kill(pid, SIGKILL); while (waitpid(-1, status, 0) != pid) { } } static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void use_temporary_dir(void) { char tmpdir_template[] = "./syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) exit(1); if (chmod(tmpdir, 0777)) exit(1); if (chdir(tmpdir)) exit(1); } static void __attribute__((noinline)) remove_dir(const char* dir) { DIR* dp = opendir(dir); if (dp == NULL) { if (errno == EACCES) { if (rmdir(dir)) exit(1); return; } exit(1); } struct dirent* ep = 0; while ((ep = readdir(dp))) { if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0) continue; char filename[FILENAME_MAX]; snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name); struct stat st; if (lstat(filename, &st)) exit(1); if (S_ISDIR(st.st_mode)) { remove_dir(filename); continue; } if (unlink(filename)) exit(1); } closedir(dp); if (rmdir(dir)) exit(1); } #define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off)) #define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) 
*(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len)))) static void sandbox_common() { if (setsid() == -1) exit(1); struct rlimit rlim; rlim.rlim_cur = rlim.rlim_max = 128 << 20; setrlimit(RLIMIT_AS, &rlim); rlim.rlim_cur = rlim.rlim_max = 8 << 20; setrlimit(RLIMIT_MEMLOCK, &rlim); rlim.rlim_cur = rlim.rlim_max = 1 << 20; setrlimit(RLIMIT_FSIZE, &rlim); rlim.rlim_cur = rlim.rlim_max = 1 << 20; setrlimit(RLIMIT_STACK, &rlim); rlim.rlim_cur = rlim.rlim_max = 0; setrlimit(RLIMIT_CORE, &rlim); rlim.rlim_cur = rlim.rlim_max = 256; setrlimit(RLIMIT_NOFILE, &rlim); } static void loop(); static int do_sandbox_none(void) { sandbox_common(); loop(); return 0; } static long syz_execute_func(volatile long text) { volatile long p[8] = {0}; (void)p; ((void (*)(void))(text))(); return 0; } static void execute_one(void); #define WAIT_FLAGS 0 static void loop(void) { int iter = 0; for (;; iter++) { char cwdbuf[32]; sprintf(cwdbuf, "./%d", iter); if (mkdir(cwdbuf, 0777)) exit(1); int pid = fork(); if (pid < 0) exit(1); if (pid == 0) { if (chdir(cwdbuf)) exit(1); execute_one(); exit(0); } int status = 0; uint64_t start = current_time_ms(); for (;;) { if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) break; sleep_ms(1); if (current_time_ms() - start < 5 * 1000) continue; kill_and_wait(pid, &status); break; } remove_dir(cwdbuf); } } uint64_t r[3] = {0x0, 0xffffffffffffffff, 0x0}; void execute_one(void) { intptr_t res = 0; memcpy((void*)0x10000000, "./file0\000", 8); syscall(SYS___realpathat, -1, 0x10000000, 0x10000040, 8, 0); *(uint32_t*)0x10000080 = 0; *(uint32_t*)0x10000084 = 0x2c; memcpy((void*)0x10000088, "\x62\xb7\x31\xe5\xfc\x22\xa3\x89\x6a\xc6\x14\x2a\x20\x73\x2d\x2e\x97\xc5\x93\x48\x11\x9c\x33\x64\xac\x33\x63\x75\x89\xf0\xa0\xbf\x0d\x24\x53\xa6\x89\x73\x6a\x74\xea\x76\x9d\xd5", 44); *(uint32_t*)0x100000c0 = 0x34; res = syscall(SYS_getsockopt, 0xffffff9c, 0x84, 0x102, 0x10000080, 0x100000c0); 
if (res != -1) r[0] = *(uint32_t*)0x10000080; memcpy((void*)0x10000100, "./file0\000", 8); res = syscall(SYS_openat, 0xffffff9c, 0x10000100, 0, 0x44); if (res != -1) r[1] = res; memcpy((void*)0x10000140, ".\000", 2); syscall(SYS_mknodat, (intptr_t)r[1], 0x10000140, 1, 1ull); res = syscall(SYS_getgid); if (res != -1) r[2] = res; syscall(SYS_setregid, (intptr_t)r[2], -1); syscall(SYS_getresuid, 0x10000180, 0x100001c0, 0x10000200); memcpy((void*)0x10000240, "\x08\x9a\xeb\x92\x13\x37\xee\x4b\xe0\x2b\x25\x24\xde\xba\x2f\xa2\xaa\x5f\xde\xc7\x43\xab\xfb\xa1\x03\xa7\x1a\xdb\x46\x6a\xe5\x66\xa8\x6e\x3b\x1b\xd5\xcf\xad\x07\x13\x41\x82\x93\xfe\x77\x9a\xc8\xf4\x0d\xd4\x64\x47\x05\x6a\x46\xf4\x13\x56\x14\x28\x0e\x54\xe4\xfc\xfe\x48\x7c\xba\xef\x1b\x5e\xcc\xb6\x5f\xf7\xc1\xf3\x0c\xb7\x6c\x4b\xb0\x32\xc3\x62\xf1\x50\x1f\x50\xa8\x7f\x03\x1c\x31\xf0\xf0\x44\x12\x24\x70\x15\xa8\x17\xdc\x8d\x57\xb6\x6b\x42\x4c\x42\x11\x5b\x16\xd2\xf8\x87\xa7\x9a\x73\xde\xab\x24\x72\x04\x0a\x70\x0e\xe0\x0e\xa1\xc3\x3b\xfd\x05\x72\x88\x5d\x52\x8c\x91\x01\xc3\xc3\x00\x98\x1a\x34\x25\x79\xad\x50\xe7\xa1\xc1\x38\xa0\x00\xe3\x78\x65\x0d\xe1\x6a\xbb\x78\xe2\x22\x9f\x64\x50\x99\xa9\x03\x8b\xc3\x17\xa7\xe9\x06\xcd\x48\x09\x73\x0a\x74\x1e\x3c\x94\x5a\x19\xcc\x3c\x5f\xad\xb4\x2f\x84\x5b\xda\xbc\x65\x17\x5a\x90\x61\xff\xe5\x37\x47\x39\x41\xee\x21\x18\x50\x5f\xda\xf4\x49\x56\xce\xde\xf6\x03\xa0\xc8\x2d\x39\xd1\x1d\xd6\xb9\x44\xdc\x92\x15\xe8\x61\x9a\x56\x52\xed\x68\x32\xd5\x32\xfe\x16\xbf\x62\xb6\x0c", 254); syscall(SYS_ioctl, (intptr_t)r[1], 0xc1304430, 0x10000240); memcpy((void*)0x100003c0, 
"\xd6\xfa\x81\x37\x38\x99\x4e\x7f\xbc\xd0\x82\x2a\xb8\x5e\x0d\xd4\x41\xa9\x52\x4f\xcd\x7c\x8a\x27\x91\x87\x82\x95\x02\x97\xb8\x7f\x70\x05\xd8\xd0\x7a\xfa\xc5\x3f\x2c\x3b\x08\xa3\x64\x6d\x6c\x7d\x18\x3c\x03\x5f\xb9\xec\xd4\x7e\x0a\x51\x4c\x31\xd1\xa7\x10\x63\x9b\xe6\xbb\x3e\xd9\xfe\x94\x83\x92\xaa\xb5\x6f\x61\xb2\x29\x87\x34\xa9\x79\x8a\x23\x65\x65\x75\xcb\x59\x0e\xec\x37\xbb\xd8\x8f\x3a\xd7\xfd\xc4\xe6\xae\xeb\x45\x26\x0e\x07\x96\x26\xfb\x76\x50\xe7\xa3\x0e\x36\x5c\xd1\x61\x7f\xfc\x78\x94\xf4\x81\x0e\x59\x2a\x10\x9f\x98\xa4\x30\x51\x3f\x91\x6f\x58\x70\xf2\xcd\x6f\xc8\x09\xf2\xc1\x53\x08\x66\x61\x0d\xa6\x8f\xce\xd1\xf6\x12\xc4\x86\x91\xda\xbc\x72\x7b\xa8\xfb\xb5\xeb\x06\x83\xf2\x19\x76\x7a\x3f\x4f\x32\x2c\x1a\x81\x30\x4b\x2a\xb4\x18\xa9\x26\x69\xf9\xd8\x1b\xcc\x63\x8b\xbd\x25\x9e\x0c\xe0\xc2\x54\xc1\x2a\x6e\xfa\xb2\x7f\x79\x9b\x0e\x61\x67\x90\x4e\x65\x9e\x35\x9e\xc3\x1a\x83\xcf\x82\x45\xd7\x17\xed\xe0\x39\xa4\x0a\x2e\xc0\x3b\x5a\x68\x69\xe2\x69\x01\x55\x79\xc6\x79\x94\x95\xfe\xcb\xdb\xdd\x09\xf2\xe2\x57\x51\xbd\x49\xd6\x20\x80\xc6\xa3\xad\xeb\x53\x39\x26\x00\x7b\x93\xae\x74\x68\x27\x55\xa6\xc6\x76\xa2\x56\x53\xab\xf0\x13\xa6\xe5\x00\x8b\x1c\xa4\x41\x0d\x58\xff\x4c\xac\xff\x23\x3f\x2d\xcb\x00\xd5\x79\xe6\x2c\xc9\x22\x8d\xdf\x84\xc9\x9c\xfa\x62\x94\x29\x25\x18\xc3\x18\x9c\x2c\x69\xdc\x3d\xe8\xbb\xd2\x1d\x10\x1e\xee\x91\x33\x4c\xd0\xbc\xef\xb9\x47\x74\xea\x26\x96\xca\x98\x00\x50\x8d\xd8\x4d\x66\xee\xd8\x1c\x34\x82\x43\x2d\xb9\x77\x54\xaf\xf0\xde\xd5\xb4\xd6\xa4\xbd\x64\x6c\x55\xe9\x07\x1a\xf6\xbc\x0e\xa9\x67\x7e\x09\x4f\x5f\x3e\xd7\x2b\x69\xa5\xc6\xc7\x01\xe2\xda\xe8\x94\x65\x6e\x52\x1f\xf3\x7c\xa1\x2e\x99\xbb\x4c\x5e\x73\xce\xbe\x83\xcf\xc0\xca\xe6\xce\x0b\x75\xb1\x12\x40\x6a\xf1\xbf\x21\x16\x62\x6c\x05\x95\xf7\xee\x62\x6b\xec\x0d\xda\x5c\x1c\x2c\x0a\xf5\x03\xd2\xf6\xbb\x74\x79\x5c\x93\x8c\x61\xfc\xad\x9f\x51\xc0\xdc\xd8\x83\x40\x3e\x68\x95\x2d\x34\x7f\x1b\x82\x86\x90\xbe\x2f\xe1\x82\x0f\xd1\x05\x2d\x10\x25\x2b\x91\xe7\x80\xd3\x5a\x17\x70\x6a\x6b\x71\x43\x7d\x78\x17\xd
0\x58\x9e\xb2\xeb\x98\x7c\xb4\x3d\x8b\x09\x47\xba\x9b\xfe\x7c\x51\x3c\xab\x3c\xe7\xd2\xa9\x26\x13\x65\xed\xcb\x70\xfa\xdd\x30\x3a\x4c\x03\x02\x5a\x9f\x82\xbd\x82\xda\x37\xf8\xc5\xcf\xf9\x88\x54\x8b\xfd\xbd\xdb\x97\x41\xcd\x08\x64\x05\xc0\xf4\xd5\x72\x73\x1f\x04\x5b\x9f\x14\xda\x39\xf4\x5d\x03\x85\x44\xb2\x0b\xfb\x15\x2a\xbd\xe3\x32\x71\x32\xcf\xd0\x95\x92\x3f\xe4\x7a\x7a\x24\x79\x59\x79\xf1\xab\x89\xa5\x0d\xbf\x40\xac\xf3\x54\x09\x46\x52\xf4\x28\x53\x95\xf3\xa6\xf6\x18\xf4\x50\x5e\x5e\x61\x19\xf7\xb8\x3d\xa6\x98\xbe\xa9\xd4\xb5\x3b\x0c\x56\x46\xa8\x5e\x45\xb9\xae\x74\x37\x5e\x32\x95\x16\x43\x22\x99\x21\x7c\x15\xe4\x97\x46\x53\xbf\xf7\xc3\x00\xe8\xb0\x18\x14\x33\xb3\x81\xf9\xf7\x01\x54\x0e\x5e\xcd\x7a\x36\xb1\x2c\x66\x01\xce\xd5\x80\xe7\x0b\x03\x69\x43\x70\xf1\x70\xdb\x27\xde\x99\x78\xde\xf7\xdc\xee\xf2\xa7\xdc\x93\xbb\xd4\x10\x57\x32\x33\xe8\x63\xb2\x53\x06\x6c\x54\xb9\x99\xc9\xab\xd5\x2e\xf5\x0b\x5e\x75\x41\x93\xd2\xcf\x36\x02\x94\xdf\xd6\x0d\xc6\x7f\x73\x11\x8a\xda\xf6\x82\x8c\x9f\xa9\x8b\x01\x93\x59\x35\x77\x87\x39\x37\x77\x4e\xa4\x51\x29\x35\xf0\xfd\x4b\x00\xef\xf3\xc0\xcb\x0e\x8a\xb9\x6f\x8b\x95\x2a\xb7\xca\x58\x79\xe6\xb5\x80\xac\x9d\x67\x60\x54\x91\xf8\x12\x1f\xec\x81\xb9\x2f\xfb\xb7\x03\xcf\x46\x2d\xc5\x57\x1c\xca\xf1\xb7\x34\x5a\xb1\x93\xd4\x30\x61\x18\xa3\xf1\x9b\xf2\x79\x5b\x5c\x50\xd7\xe6\x4a\x98\x0c\xc2\x52\xac\xc4\x0e\x8a\x60\x50\x35\xa1\x5d\x40\x6d\x86\x9a\x2b\xd2\x75\xa9\xbf\xbb\xaf\x0e\x4e\x3c\xc1\xb3\xec\xe4\xfd\x2d\x51\x9a\xa5\x40\xfc\x27\xdd\xfe\xc3\xcc\x0e\x3b\xd3\x5b\x68\xbc\x30\x9c\xf9\xba\x9e\xf5\xec\x47\x52\xe7\x2b\x9b\x36\x5f\xea\x7d\xbd\x38\xc6\x95\xa6\xe4\x6b\xa9\xf8\xf5\x69\xd8\x57\x1c\x21\x44\x72\x82\xd1\x01\x17\xe2\xfc\x31\x11\xa5\xb7\xc2\x46\x94\xd9\xfc\x33\x73\xbc\x9b\x34\xac\xbb\xba\xce\x29\x32\x22\x44\xb5\x45\xc8\xbd\x44\xc7\xa5\x41\x65\x5c\x47\xf6\xff\x02\x1f\x62\x58\x35\x71\xf2\x42\x60\xa4\x74\xb4\x09\xe0\x55\xee\x28\xce\xd6\xb1\xa2\xc8\x4b\x9a\xf8\x28\x2a\xfa\x5e\x4c\x29\xa5\x72\x5b\xba\x85\x76\xa3\x19\xd8\xa1\xd6\x3e\xd3\xbb\xd
3\x60\x57\x1c\x7c\x66\x34\xa4\x55\xb3\xd3\x52\xaf\xf5\x19\x2e\x5d\xe9\x4d\xc4\x40\x10\x6f\x69\x56", 1024); memcpy((void*)0x100007c0, "\xab\x28\x99\x79\xa2\x68\x0e\xc5\x67\x8c\xa2\xf6\x92\x43\xee\x51\x5f\xad\xd8\xe8\xe6\xd5\x9c\x96\x8b\x2d\x89\xc0\x13\xed\x60\x12", 32); *(uint32_t*)0x100007e0 = 5; *(uint8_t*)0x100007e4 = 7; *(uint32_t*)0x100007e8 = 0x10000340; memcpy((void*)0x10000340, "\xc1\xf7\x97\x91\xe5\x37\x4e\x62\xaf\x4b\xe8\xdb\xfa\xd2\x3a\x44\x2b\xb6\xc0\xe5\x56\x8c\xa9\x8b\x71\x6e\x4d\x91\xcc\xc6\xbc\x48\x2a\xc8\x11\x23\x93\xab\x4b\x77\xfa\x22\xdd\x04\x72\x2d\x66\x87\x27\x21\x99\xa8\x23\xb1\x55\xfb\xa2\x82\xb7\x74\x4f\x27\xa0\xb7\x54\xf7\x0b\x81\xd4\xf2\x43\xff\x82\x7c\x81\x80\x4e\xe8\x73\xcc\x20\x37\xb6\xb9\xf1\x85\xb7\x5b\xd1\x83\x89\x1f\xef\x90\xa0\xf7\x53\xbf\xef\x30\x58\xcb\xf1\x45\xf9\x45\xe2\xed\x52\x6c\x5d", 111); *(uint64_t*)0x100007ec = 0x84; *(uint64_t*)0x100007f4 = 4; *(uint64_t*)0x100007fc = 8; *(uint64_t*)0x10000804 = 7; *(uint64_t*)0x1000080c = 0x400; *(uint64_t*)0x10000814 = 8; *(uint64_t*)0x1000081c = 8; *(uint32_t*)0x10000824 = 0x81; syscall(SYS_ioctl, (intptr_t)r[1], 0xc450444a, 0x100003c0); *(uint32_t*)0x10000840 = r[0]; *(uint32_t*)0x10000844 = 8; syscall(SYS_setsockopt, -1, 0x84, 0x29, 0x10000840, 8); *(uint8_t*)0x10000000 = -1; *(uint8_t*)0x10000001 = -1; *(uint8_t*)0x10000002 = -1; *(uint8_t*)0x10000003 = -1; *(uint8_t*)0x10000004 = -1; *(uint8_t*)0x10000005 = -1; memcpy((void*)0x10000006, "\x34\xf7\x5c\x76\xc0\xd1", 6); *(uint16_t*)0x1000000c = htobe16(0x88a8); STORE_BY_BITMASK(uint16_t, , 0x1000000e, 6, 0, 3); STORE_BY_BITMASK(uint16_t, , 0x1000000e, 0, 3, 1); STORE_BY_BITMASK(uint16_t, , 0x1000000e, 0, 4, 12); *(uint16_t*)0x10000010 = htobe16(0x8100); STORE_BY_BITMASK(uint16_t, , 0x10000012, 5, 0, 3); STORE_BY_BITMASK(uint16_t, , 0x10000012, 1, 3, 1); STORE_BY_BITMASK(uint16_t, , 0x10000012, 2, 4, 12); *(uint16_t*)0x10000014 = htobe16(0x806); *(uint16_t*)0x10000016 = htobe16(0x18); *(uint16_t*)0x10000018 = htobe16(0x812b); 
*(uint8_t*)0x1000001a = 6; *(uint8_t*)0x1000001b = 0xa; *(uint16_t*)0x1000001c = htobe16(2); *(uint8_t*)0x1000001e = 0; *(uint8_t*)0x1000001f = 0; *(uint8_t*)0x10000020 = 0; *(uint8_t*)0x10000021 = 0; *(uint8_t*)0x10000022 = 0; *(uint8_t*)0x10000023 = 0; memcpy((void*)0x10000024, "\x49\xd3\x25\xff\xc3\x61\xb7\xdf\x0c\xd1", 10); *(uint8_t*)0x1000002e = 0xaa; *(uint8_t*)0x1000002f = 0xaa; *(uint8_t*)0x10000030 = 0xaa; *(uint8_t*)0x10000031 = 0xaa; *(uint8_t*)0x10000032 = 0xaa; *(uint8_t*)0x10000033 = 0xbb; memcpy((void*)0x10000034, "\x81\x43\x5a\xdd\x99\x35\x40\x09\x44\x5d\xd9\x4f\x88\xb4\x89\x24", 16); memcpy((void*)0x10000080, "\xdf\x75\x65\xc4\xe2\xc9\xae\x35\x00\x00\x00\x00\x66\x0f\x38\x03\x57\x52\x65\x66\x0f\x5f\xe4\x26\x0f\xf6\x6b\x00\xc4\xe1\xc5\xdb\x83\xc9\x00\x00\x00\xc4\xc1\xfa\x70\x83\x00\x80\x00\x00\x08\xf3\x0f\x1e\xfa\x0f\x0d\x69\x76\x36\xf3\x0f\x5b\xfb", 60); syz_execute_func(0x10000080); } int main(void) { syscall(SYS_mmap, 0x10000000, 0x1000000, 7, 0x1012, -1, 0); use_temporary_dir(); do_sandbox_none(); return 0; } :170:10: error: use of undeclared identifier 'SYS___realpathat' syscall(SYS___realpathat, -1, 0x10000000, 0x10000040, 8, 0); ^ 1 error generated. 
compiler invocation: clang [-o /tmp/syz-executor961116206 -DGOOS_freebsd=1 -DGOARCH_386=1 -DHOSTGOOS_freebsd=1 -x c - -m32 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -static -lc++ -Wno-overflow] --- FAIL: TestGenerate/freebsd/386/12 (1.31s) csource_test.go:123: opts: {Threaded:true Collide:false Repeat:true RepeatTimes:0 Procs:0 Sandbox:none Fault:false FaultCall:0 FaultNth:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false USB:false VhciInjection:false Wifi:false UseTmpDir:true HandleSegv:false Repro:true Trace:false} program: __realpathat(0xffffffffffffffff, &(0x7f0000000000)='./file0\x00', &(0x7f0000000040)=""/8, 0x8, 0x0) getsockopt$inet6_sctp_SCTP_PEER_AUTH_CHUNKS(0xffffffffffffff9c, 0x84, 0x102, &(0x7f0000000080)={0x0, 0x2c, "62b731e5fc22a3896ac6142a20732d2e97c59348119c3364ac33637589f0a0bf0d2453a689736a74ea769dd5"}, &(0x7f00000000c0)=0x34) r1 = openat(0xffffffffffffff9c, &(0x7f0000000100)='./file0\x00', 0x0, 0x44) mknodat(r1, &(0x7f0000000140)='.\x00', 0x1, 0x1) r2 = getgid() setregid(r2, 0xffffffffffffffff) getresuid(&(0x7f0000000180), &(0x7f00000001c0), &(0x7f0000000200)) ioctl$DIOCGETALTQV1(r1, 0xc1304430, &(0x7f0000000240)="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") ioctl$DIOCRSETTFLAGS(r1, 0xc450444a, 
&(0x7f00000003c0)={{"d6fa813738994e7fbcd0822ab85e0dd441a9524fcd7c8a27918782950297b87f7005d8d07afac53f2c3b08a3646d6c7d183c035fb9ecd47e0a514c31d1a710639be6bb3ed9fe948392aab56f61b2298734a9798a23656575cb590eec37bbd88f3ad7fdc4e6aeeb45260e079626fb7650e7a30e365cd1617ffc7894f4810e592a109f98a430513f916f5870f2cd6fc809f2c1530866610da68fced1f612c48691dabc727ba8fbb5eb0683f219767a3f4f322c1a81304b2ab418a92669f9d81bcc638bbd259e0ce0c254c12a6efab27f799b0e6167904e659e359ec31a83cf8245d717ede039a40a2ec03b5a6869e269015579c6799495fecbdbdd09f2e25751bd49d62080c6a3adeb533926007b93ae74682755a6c676a25653abf013a6e5008b1ca4410d58ff4cacff233f2dcb00d579e62cc9228ddf84c99cfa6294292518c3189c2c69dc3de8bbd21d101eee91334cd0bcefb94774ea2696ca9800508dd84d66eed81c3482432db97754aff0ded5b4d6a4bd646c55e9071af6bc0ea9677e094f5f3ed72b69a5c6c701e2dae894656e521ff37ca12e99bb4c5e73cebe83cfc0cae6ce0b75b112406af1bf2116626c0595f7ee626bec0dda5c1c2c0af503d2f6bb74795c938c61fcad9f51c0dcd883403e68952d347f1b828690be2fe1820fd1052d10252b91e780d35a17706a6b71437d7817d0589eb2eb987cb43d8b0947ba9bfe7c513cab3ce7d2a9261365edcb70fadd303a4c03025a9f82bd82da37f8c5cff988548bfdbddb9741cd086405c0f4d572731f045b9f14da39f45d038544b20bfb152abde3327132cfd095923fe47a7a24795979f1ab89a50dbf40acf354094652f4285395f3a6f618f4505e5e6119f7b83da698bea9d4b53b0c5646a85e45b9ae74375e329516432299217c15e4974653bff7c300e8b0181433b381f9f701540e5ecd7a36b12c6601ced580e70b03694370f170db27de9978def7dceef2a7dc93bbd410573233e863b253066c54b999c9abd52ef50b5e754193d2cf360294dfd60dc67f73118adaf6828c9fa98b0193593577873937774ea4512935f0fd4b00eff3c0cb0e8ab96f8b952ab7ca5879e6b580ac9d67605491f8121fec81b92ffbb703cf462dc5571ccaf1b7345ab193d4306118a3f19bf2795b5c50d7e64a980cc252acc40e8a605035a15d406d869a2bd275a9bfbbaf0e4e3cc1b3ece4fd2d519aa540fc27ddfec3cc0e3bd35b68bc309cf9ba9ef5ec4752e72b9b365fea7dbd38c695a6e46ba9f8f569d8571c21447282d10117e2fc3111a5b7c24694d9fc3373bc9b34acbbbace29322244b545c8bd44c7a541655c47f6ff021f62583571f24260a474b409e055ee28ced6b1a2c84b9af8282afa5e4c29a5725bba8
576a319d8a1d63ed3bbd360571c7c6634a455b3d352aff5192e5de94dc440106f6956", "ab289979a2680ec5678ca2f69243ee515fadd8e8e6d59c968b2d89c013ed6012", 0x5, 0x7}, &(0x7f0000000340)="c1f79791e5374e62af4be8dbfad23a442bb6c0e5568ca98b716e4d91ccc6bc482ac8112393ab4b77fa22dd04722d6687272199a823b155fba282b7744f27a0b754f70b81d4f243ff827c81804ee873cc2037b6b9f185b75bd183891fef90a0f753bfef3058cbf145f945e2ed526c5d", 0x84, 0x4, 0x8, 0x7, 0x400, 0x8, 0x8, 0x81}) setsockopt$inet6_sctp_SCTP_RECONFIG_SUPPORTED(0xffffffffffffffff, 0x84, 0x29, &(0x7f0000000840)={r0, 0x8}, 0x8) syz_emit_ethernet(0x44, &(0x7f0000000000)={@broadcast, @random="34f75c76c0d1", [{[{0x88a8, 0x6}], {0x8100, 0x5, 0x1, 0x2}}], {@arp={0x806, @generic={0x18, 0x812b, 0x6, 0xa, 0x2, @empty, "49d325ffc361b7df0cd1", @remote, "81435add99354009445dd94f88b48924"}}}}) syz_execute_func(&(0x7f0000000080)="df7565c4e2c9ae3500000000660f3803575265660f5fe4260ff66b00c4e1c5db83c9000000c4c1fa70830080000008f30f1efa0f0d697636f30f5bfb") syz_extract_tcp_res(&(0x7f00000000c0), 0x5, 0x1) csource_test.go:124: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include static void kill_and_wait(int pid, int* status) { kill(pid, SIGKILL); while (waitpid(-1, status, 0) != pid) { } } static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void use_temporary_dir(void) { char tmpdir_template[] = "./syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) exit(1); if (chmod(tmpdir, 0777)) exit(1); if (chdir(tmpdir)) exit(1); } static void __attribute__((noinline)) remove_dir(const char* dir) { DIR* dp = opendir(dir); if (dp == NULL) { if 
(errno == EACCES) { if (rmdir(dir)) exit(1); return; } exit(1); } struct dirent* ep = 0; while ((ep = readdir(dp))) { if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0) continue; char filename[FILENAME_MAX]; snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name); struct stat st; if (lstat(filename, &st)) exit(1); if (S_ISDIR(st.st_mode)) { remove_dir(filename); continue; } if (unlink(filename)) exit(1); } closedir(dp); if (rmdir(dir)) exit(1); } static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); pthread_attr_setstacksize(&attr, 128 << 10); int i = 0; for (; i < 100; i++) { if (pthread_create(&th, &attr, fn, arg) == 0) { pthread_attr_destroy(&attr); return; } if (errno == EAGAIN) { usleep(50); continue; } break; } exit(1); } typedef struct { pthread_mutex_t mu; pthread_cond_t cv; int state; } event_t; static void event_init(event_t* ev) { if (pthread_mutex_init(&ev->mu, 0)) exit(1); if (pthread_cond_init(&ev->cv, 0)) exit(1); ev->state = 0; } static void event_reset(event_t* ev) { ev->state = 0; } static void event_set(event_t* ev) { pthread_mutex_lock(&ev->mu); if (ev->state) exit(1); ev->state = 1; pthread_mutex_unlock(&ev->mu); pthread_cond_broadcast(&ev->cv); } static void event_wait(event_t* ev) { pthread_mutex_lock(&ev->mu); while (!ev->state) pthread_cond_wait(&ev->cv, &ev->mu); pthread_mutex_unlock(&ev->mu); } static int event_isset(event_t* ev) { pthread_mutex_lock(&ev->mu); int res = ev->state; pthread_mutex_unlock(&ev->mu); return res; } static int event_timedwait(event_t* ev, uint64_t timeout) { uint64_t start = current_time_ms(); uint64_t now = start; pthread_mutex_lock(&ev->mu); for (;;) { if (ev->state) break; uint64_t remain = timeout - (now - start); struct timespec ts; ts.tv_sec = remain / 1000; ts.tv_nsec = (remain % 1000) * 1000 * 1000; pthread_cond_timedwait(&ev->cv, &ev->mu, &ts); now = current_time_ms(); if (now - start > timeout) break; } int res = 
ev->state; pthread_mutex_unlock(&ev->mu); return res; } #define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off)) #define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len)))) static void sandbox_common() { if (setsid() == -1) exit(1); struct rlimit rlim; rlim.rlim_cur = rlim.rlim_max = 128 << 20; setrlimit(RLIMIT_AS, &rlim); rlim.rlim_cur = rlim.rlim_max = 8 << 20; setrlimit(RLIMIT_MEMLOCK, &rlim); rlim.rlim_cur = rlim.rlim_max = 1 << 20; setrlimit(RLIMIT_FSIZE, &rlim); rlim.rlim_cur = rlim.rlim_max = 1 << 20; setrlimit(RLIMIT_STACK, &rlim); rlim.rlim_cur = rlim.rlim_max = 0; setrlimit(RLIMIT_CORE, &rlim); rlim.rlim_cur = rlim.rlim_max = 256; setrlimit(RLIMIT_NOFILE, &rlim); } static void loop(); static int do_sandbox_none(void) { sandbox_common(); loop(); return 0; } static long syz_execute_func(volatile long text) { volatile long p[8] = {0}; (void)p; ((void (*)(void))(text))(); return 0; } struct thread_t { int created, call; event_t ready, done; }; static struct thread_t threads[16]; static void execute_call(int call); static int running; static void* thr(void* arg) { struct thread_t* th = (struct thread_t*)arg; for (;;) { event_wait(&th->ready); event_reset(&th->ready); execute_call(th->call); __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED); event_set(&th->done); } return 0; } static void execute_one(void) { if (write(1, "executing program\n", sizeof("executing program\n") - 1)) { } int i, call, thread; for (call = 0; call < 13; call++) { for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) { struct thread_t* th = &threads[thread]; if (!th->created) { th->created = 1; event_init(&th->ready); event_init(&th->done); event_set(&th->done); thread_start(thr, th); } if (!event_isset(&th->done)) continue; event_reset(&th->done); th->call = call; __atomic_fetch_add(&running, 1, 
__ATOMIC_RELAXED); event_set(&th->ready); event_timedwait(&th->done, 45); break; } } for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++) sleep_ms(1); } static void execute_one(void); #define WAIT_FLAGS 0 static void loop(void) { int iter = 0; for (;; iter++) { char cwdbuf[32]; sprintf(cwdbuf, "./%d", iter); if (mkdir(cwdbuf, 0777)) exit(1); int pid = fork(); if (pid < 0) exit(1); if (pid == 0) { if (chdir(cwdbuf)) exit(1); execute_one(); exit(0); } int status = 0; uint64_t start = current_time_ms(); for (;;) { if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) break; sleep_ms(1); if (current_time_ms() - start < 5 * 1000) continue; kill_and_wait(pid, &status); break; } remove_dir(cwdbuf); } } uint64_t r[3] = {0x0, 0xffffffffffffffff, 0x0}; void execute_call(int call) { intptr_t res = 0; switch (call) { case 0: memcpy((void*)0x10000000, "./file0\000", 8); syscall(SYS___realpathat, -1, 0x10000000, 0x10000040, 8, 0); break; case 1: *(uint32_t*)0x10000080 = 0; *(uint32_t*)0x10000084 = 0x2c; memcpy((void*)0x10000088, "\x62\xb7\x31\xe5\xfc\x22\xa3\x89\x6a\xc6\x14\x2a\x20\x73\x2d\x2e\x97\xc5\x93\x48\x11\x9c\x33\x64\xac\x33\x63\x75\x89\xf0\xa0\xbf\x0d\x24\x53\xa6\x89\x73\x6a\x74\xea\x76\x9d\xd5", 44); *(uint32_t*)0x100000c0 = 0x34; res = syscall(SYS_getsockopt, 0xffffff9c, 0x84, 0x102, 0x10000080, 0x100000c0); if (res != -1) r[0] = *(uint32_t*)0x10000080; break; case 2: memcpy((void*)0x10000100, "./file0\000", 8); res = syscall(SYS_openat, 0xffffff9c, 0x10000100, 0, 0x44); if (res != -1) r[1] = res; break; case 3: memcpy((void*)0x10000140, ".\000", 2); syscall(SYS_mknodat, (intptr_t)r[1], 0x10000140, 1, 1ull); break; case 4: res = syscall(SYS_getgid); if (res != -1) r[2] = res; break; case 5: syscall(SYS_setregid, (intptr_t)r[2], -1); break; case 6: syscall(SYS_getresuid, 0x10000180, 0x100001c0, 0x10000200); break; case 7: memcpy((void*)0x10000240, 
"\x08\x9a\xeb\x92\x13\x37\xee\x4b\xe0\x2b\x25\x24\xde\xba\x2f\xa2\xaa\x5f\xde\xc7\x43\xab\xfb\xa1\x03\xa7\x1a\xdb\x46\x6a\xe5\x66\xa8\x6e\x3b\x1b\xd5\xcf\xad\x07\x13\x41\x82\x93\xfe\x77\x9a\xc8\xf4\x0d\xd4\x64\x47\x05\x6a\x46\xf4\x13\x56\x14\x28\x0e\x54\xe4\xfc\xfe\x48\x7c\xba\xef\x1b\x5e\xcc\xb6\x5f\xf7\xc1\xf3\x0c\xb7\x6c\x4b\xb0\x32\xc3\x62\xf1\x50\x1f\x50\xa8\x7f\x03\x1c\x31\xf0\xf0\x44\x12\x24\x70\x15\xa8\x17\xdc\x8d\x57\xb6\x6b\x42\x4c\x42\x11\x5b\x16\xd2\xf8\x87\xa7\x9a\x73\xde\xab\x24\x72\x04\x0a\x70\x0e\xe0\x0e\xa1\xc3\x3b\xfd\x05\x72\x88\x5d\x52\x8c\x91\x01\xc3\xc3\x00\x98\x1a\x34\x25\x79\xad\x50\xe7\xa1\xc1\x38\xa0\x00\xe3\x78\x65\x0d\xe1\x6a\xbb\x78\xe2\x22\x9f\x64\x50\x99\xa9\x03\x8b\xc3\x17\xa7\xe9\x06\xcd\x48\x09\x73\x0a\x74\x1e\x3c\x94\x5a\x19\xcc\x3c\x5f\xad\xb4\x2f\x84\x5b\xda\xbc\x65\x17\x5a\x90\x61\xff\xe5\x37\x47\x39\x41\xee\x21\x18\x50\x5f\xda\xf4\x49\x56\xce\xde\xf6\x03\xa0\xc8\x2d\x39\xd1\x1d\xd6\xb9\x44\xdc\x92\x15\xe8\x61\x9a\x56\x52\xed\x68\x32\xd5\x32\xfe\x16\xbf\x62\xb6\x0c", 254); syscall(SYS_ioctl, (intptr_t)r[1], 0xc1304430, 0x10000240); break; case 8: memcpy((void*)0x100003c0, 
"\xd6\xfa\x81\x37\x38\x99\x4e\x7f\xbc\xd0\x82\x2a\xb8\x5e\x0d\xd4\x41\xa9\x52\x4f\xcd\x7c\x8a\x27\x91\x87\x82\x95\x02\x97\xb8\x7f\x70\x05\xd8\xd0\x7a\xfa\xc5\x3f\x2c\x3b\x08\xa3\x64\x6d\x6c\x7d\x18\x3c\x03\x5f\xb9\xec\xd4\x7e\x0a\x51\x4c\x31\xd1\xa7\x10\x63\x9b\xe6\xbb\x3e\xd9\xfe\x94\x83\x92\xaa\xb5\x6f\x61\xb2\x29\x87\x34\xa9\x79\x8a\x23\x65\x65\x75\xcb\x59\x0e\xec\x37\xbb\xd8\x8f\x3a\xd7\xfd\xc4\xe6\xae\xeb\x45\x26\x0e\x07\x96\x26\xfb\x76\x50\xe7\xa3\x0e\x36\x5c\xd1\x61\x7f\xfc\x78\x94\xf4\x81\x0e\x59\x2a\x10\x9f\x98\xa4\x30\x51\x3f\x91\x6f\x58\x70\xf2\xcd\x6f\xc8\x09\xf2\xc1\x53\x08\x66\x61\x0d\xa6\x8f\xce\xd1\xf6\x12\xc4\x86\x91\xda\xbc\x72\x7b\xa8\xfb\xb5\xeb\x06\x83\xf2\x19\x76\x7a\x3f\x4f\x32\x2c\x1a\x81\x30\x4b\x2a\xb4\x18\xa9\x26\x69\xf9\xd8\x1b\xcc\x63\x8b\xbd\x25\x9e\x0c\xe0\xc2\x54\xc1\x2a\x6e\xfa\xb2\x7f\x79\x9b\x0e\x61\x67\x90\x4e\x65\x9e\x35\x9e\xc3\x1a\x83\xcf\x82\x45\xd7\x17\xed\xe0\x39\xa4\x0a\x2e\xc0\x3b\x5a\x68\x69\xe2\x69\x01\x55\x79\xc6\x79\x94\x95\xfe\xcb\xdb\xdd\x09\xf2\xe2\x57\x51\xbd\x49\xd6\x20\x80\xc6\xa3\xad\xeb\x53\x39\x26\x00\x7b\x93\xae\x74\x68\x27\x55\xa6\xc6\x76\xa2\x56\x53\xab\xf0\x13\xa6\xe5\x00\x8b\x1c\xa4\x41\x0d\x58\xff\x4c\xac\xff\x23\x3f\x2d\xcb\x00\xd5\x79\xe6\x2c\xc9\x22\x8d\xdf\x84\xc9\x9c\xfa\x62\x94\x29\x25\x18\xc3\x18\x9c\x2c\x69\xdc\x3d\xe8\xbb\xd2\x1d\x10\x1e\xee\x91\x33\x4c\xd0\xbc\xef\xb9\x47\x74\xea\x26\x96\xca\x98\x00\x50\x8d\xd8\x4d\x66\xee\xd8\x1c\x34\x82\x43\x2d\xb9\x77\x54\xaf\xf0\xde\xd5\xb4\xd6\xa4\xbd\x64\x6c\x55\xe9\x07\x1a\xf6\xbc\x0e\xa9\x67\x7e\x09\x4f\x5f\x3e\xd7\x2b\x69\xa5\xc6\xc7\x01\xe2\xda\xe8\x94\x65\x6e\x52\x1f\xf3\x7c\xa1\x2e\x99\xbb\x4c\x5e\x73\xce\xbe\x83\xcf\xc0\xca\xe6\xce\x0b\x75\xb1\x12\x40\x6a\xf1\xbf\x21\x16\x62\x6c\x05\x95\xf7\xee\x62\x6b\xec\x0d\xda\x5c\x1c\x2c\x0a\xf5\x03\xd2\xf6\xbb\x74\x79\x5c\x93\x8c\x61\xfc\xad\x9f\x51\xc0\xdc\xd8\x83\x40\x3e\x68\x95\x2d\x34\x7f\x1b\x82\x86\x90\xbe\x2f\xe1\x82\x0f\xd1\x05\x2d\x10\x25\x2b\x91\xe7\x80\xd3\x5a\x17\x70\x6a\x6b\x71\x43\x7d\x78\x17\xd
0\x58\x9e\xb2\xeb\x98\x7c\xb4\x3d\x8b\x09\x47\xba\x9b\xfe\x7c\x51\x3c\xab\x3c\xe7\xd2\xa9\x26\x13\x65\xed\xcb\x70\xfa\xdd\x30\x3a\x4c\x03\x02\x5a\x9f\x82\xbd\x82\xda\x37\xf8\xc5\xcf\xf9\x88\x54\x8b\xfd\xbd\xdb\x97\x41\xcd\x08\x64\x05\xc0\xf4\xd5\x72\x73\x1f\x04\x5b\x9f\x14\xda\x39\xf4\x5d\x03\x85\x44\xb2\x0b\xfb\x15\x2a\xbd\xe3\x32\x71\x32\xcf\xd0\x95\x92\x3f\xe4\x7a\x7a\x24\x79\x59\x79\xf1\xab\x89\xa5\x0d\xbf\x40\xac\xf3\x54\x09\x46\x52\xf4\x28\x53\x95\xf3\xa6\xf6\x18\xf4\x50\x5e\x5e\x61\x19\xf7\xb8\x3d\xa6\x98\xbe\xa9\xd4\xb5\x3b\x0c\x56\x46\xa8\x5e\x45\xb9\xae\x74\x37\x5e\x32\x95\x16\x43\x22\x99\x21\x7c\x15\xe4\x97\x46\x53\xbf\xf7\xc3\x00\xe8\xb0\x18\x14\x33\xb3\x81\xf9\xf7\x01\x54\x0e\x5e\xcd\x7a\x36\xb1\x2c\x66\x01\xce\xd5\x80\xe7\x0b\x03\x69\x43\x70\xf1\x70\xdb\x27\xde\x99\x78\xde\xf7\xdc\xee\xf2\xa7\xdc\x93\xbb\xd4\x10\x57\x32\x33\xe8\x63\xb2\x53\x06\x6c\x54\xb9\x99\xc9\xab\xd5\x2e\xf5\x0b\x5e\x75\x41\x93\xd2\xcf\x36\x02\x94\xdf\xd6\x0d\xc6\x7f\x73\x11\x8a\xda\xf6\x82\x8c\x9f\xa9\x8b\x01\x93\x59\x35\x77\x87\x39\x37\x77\x4e\xa4\x51\x29\x35\xf0\xfd\x4b\x00\xef\xf3\xc0\xcb\x0e\x8a\xb9\x6f\x8b\x95\x2a\xb7\xca\x58\x79\xe6\xb5\x80\xac\x9d\x67\x60\x54\x91\xf8\x12\x1f\xec\x81\xb9\x2f\xfb\xb7\x03\xcf\x46\x2d\xc5\x57\x1c\xca\xf1\xb7\x34\x5a\xb1\x93\xd4\x30\x61\x18\xa3\xf1\x9b\xf2\x79\x5b\x5c\x50\xd7\xe6\x4a\x98\x0c\xc2\x52\xac\xc4\x0e\x8a\x60\x50\x35\xa1\x5d\x40\x6d\x86\x9a\x2b\xd2\x75\xa9\xbf\xbb\xaf\x0e\x4e\x3c\xc1\xb3\xec\xe4\xfd\x2d\x51\x9a\xa5\x40\xfc\x27\xdd\xfe\xc3\xcc\x0e\x3b\xd3\x5b\x68\xbc\x30\x9c\xf9\xba\x9e\xf5\xec\x47\x52\xe7\x2b\x9b\x36\x5f\xea\x7d\xbd\x38\xc6\x95\xa6\xe4\x6b\xa9\xf8\xf5\x69\xd8\x57\x1c\x21\x44\x72\x82\xd1\x01\x17\xe2\xfc\x31\x11\xa5\xb7\xc2\x46\x94\xd9\xfc\x33\x73\xbc\x9b\x34\xac\xbb\xba\xce\x29\x32\x22\x44\xb5\x45\xc8\xbd\x44\xc7\xa5\x41\x65\x5c\x47\xf6\xff\x02\x1f\x62\x58\x35\x71\xf2\x42\x60\xa4\x74\xb4\x09\xe0\x55\xee\x28\xce\xd6\xb1\xa2\xc8\x4b\x9a\xf8\x28\x2a\xfa\x5e\x4c\x29\xa5\x72\x5b\xba\x85\x76\xa3\x19\xd8\xa1\xd6\x3e\xd3\xbb\xd
3\x60\x57\x1c\x7c\x66\x34\xa4\x55\xb3\xd3\x52\xaf\xf5\x19\x2e\x5d\xe9\x4d\xc4\x40\x10\x6f\x69\x56", 1024); memcpy((void*)0x100007c0, "\xab\x28\x99\x79\xa2\x68\x0e\xc5\x67\x8c\xa2\xf6\x92\x43\xee\x51\x5f\xad\xd8\xe8\xe6\xd5\x9c\x96\x8b\x2d\x89\xc0\x13\xed\x60\x12", 32); *(uint32_t*)0x100007e0 = 5; *(uint8_t*)0x100007e4 = 7; *(uint32_t*)0x100007e8 = 0x10000340; memcpy((void*)0x10000340, "\xc1\xf7\x97\x91\xe5\x37\x4e\x62\xaf\x4b\xe8\xdb\xfa\xd2\x3a\x44\x2b\xb6\xc0\xe5\x56\x8c\xa9\x8b\x71\x6e\x4d\x91\xcc\xc6\xbc\x48\x2a\xc8\x11\x23\x93\xab\x4b\x77\xfa\x22\xdd\x04\x72\x2d\x66\x87\x27\x21\x99\xa8\x23\xb1\x55\xfb\xa2\x82\xb7\x74\x4f\x27\xa0\xb7\x54\xf7\x0b\x81\xd4\xf2\x43\xff\x82\x7c\x81\x80\x4e\xe8\x73\xcc\x20\x37\xb6\xb9\xf1\x85\xb7\x5b\xd1\x83\x89\x1f\xef\x90\xa0\xf7\x53\xbf\xef\x30\x58\xcb\xf1\x45\xf9\x45\xe2\xed\x52\x6c\x5d", 111); *(uint64_t*)0x100007ec = 0x84; *(uint64_t*)0x100007f4 = 4; *(uint64_t*)0x100007fc = 8; *(uint64_t*)0x10000804 = 7; *(uint64_t*)0x1000080c = 0x400; *(uint64_t*)0x10000814 = 8; *(uint64_t*)0x1000081c = 8; *(uint32_t*)0x10000824 = 0x81; syscall(SYS_ioctl, (intptr_t)r[1], 0xc450444a, 0x100003c0); break; case 9: *(uint32_t*)0x10000840 = r[0]; *(uint32_t*)0x10000844 = 8; syscall(SYS_setsockopt, -1, 0x84, 0x29, 0x10000840, 8); break; case 10: *(uint8_t*)0x10000000 = -1; *(uint8_t*)0x10000001 = -1; *(uint8_t*)0x10000002 = -1; *(uint8_t*)0x10000003 = -1; *(uint8_t*)0x10000004 = -1; *(uint8_t*)0x10000005 = -1; memcpy((void*)0x10000006, "\x34\xf7\x5c\x76\xc0\xd1", 6); *(uint16_t*)0x1000000c = htobe16(0x88a8); STORE_BY_BITMASK(uint16_t, , 0x1000000e, 6, 0, 3); STORE_BY_BITMASK(uint16_t, , 0x1000000e, 0, 3, 1); STORE_BY_BITMASK(uint16_t, , 0x1000000e, 0, 4, 12); *(uint16_t*)0x10000010 = htobe16(0x8100); STORE_BY_BITMASK(uint16_t, , 0x10000012, 5, 0, 3); STORE_BY_BITMASK(uint16_t, , 0x10000012, 1, 3, 1); STORE_BY_BITMASK(uint16_t, , 0x10000012, 2, 4, 12); *(uint16_t*)0x10000014 = htobe16(0x806); *(uint16_t*)0x10000016 = htobe16(0x18); 
*(uint16_t*)0x10000018 = htobe16(0x812b); *(uint8_t*)0x1000001a = 6; *(uint8_t*)0x1000001b = 0xa; *(uint16_t*)0x1000001c = htobe16(2); *(uint8_t*)0x1000001e = 0; *(uint8_t*)0x1000001f = 0; *(uint8_t*)0x10000020 = 0; *(uint8_t*)0x10000021 = 0; *(uint8_t*)0x10000022 = 0; *(uint8_t*)0x10000023 = 0; memcpy((void*)0x10000024, "\x49\xd3\x25\xff\xc3\x61\xb7\xdf\x0c\xd1", 10); *(uint8_t*)0x1000002e = 0xaa; *(uint8_t*)0x1000002f = 0xaa; *(uint8_t*)0x10000030 = 0xaa; *(uint8_t*)0x10000031 = 0xaa; *(uint8_t*)0x10000032 = 0xaa; *(uint8_t*)0x10000033 = 0xbb; memcpy((void*)0x10000034, "\x81\x43\x5a\xdd\x99\x35\x40\x09\x44\x5d\xd9\x4f\x88\xb4\x89\x24", 16); break; case 11: memcpy((void*)0x10000080, "\xdf\x75\x65\xc4\xe2\xc9\xae\x35\x00\x00\x00\x00\x66\x0f\x38\x03\x57\x52\x65\x66\x0f\x5f\xe4\x26\x0f\xf6\x6b\x00\xc4\xe1\xc5\xdb\x83\xc9\x00\x00\x00\xc4\xc1\xfa\x70\x83\x00\x80\x00\x00\x08\xf3\x0f\x1e\xfa\x0f\x0d\x69\x76\x36\xf3\x0f\x5b\xfb", 60); syz_execute_func(0x10000080); break; case 12: break; } } int main(void) { syscall(SYS_mmap, 0x10000000, 0x1000000, 7, 0x1012, -1, 0); use_temporary_dir(); do_sandbox_none(); return 0; } :313:11: error: use of undeclared identifier 'SYS___realpathat' syscall(SYS___realpathat, -1, 0x10000000, 0x10000040, 8, 0); ^ 1 error generated. 
compiler invocation: clang [-o /tmp/syz-executor366502288 -DGOOS_freebsd=1 -DGOARCH_386=1 -DHOSTGOOS_freebsd=1 -x c - -m32 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -static -lc++ -Wno-overflow] --- FAIL: TestGenerate/freebsd/386/11 (1.55s) csource_test.go:123: opts: {Threaded:true Collide:false Repeat:true RepeatTimes:0 Procs:0 Sandbox:none Fault:false FaultCall:0 FaultNth:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false USB:false VhciInjection:false Wifi:false UseTmpDir:true HandleSegv:true Repro:false Trace:false} program: __realpathat(0xffffffffffffffff, &(0x7f0000000000)='./file0\x00', &(0x7f0000000040)=""/8, 0x8, 0x0) getsockopt$inet6_sctp_SCTP_PEER_AUTH_CHUNKS(0xffffffffffffff9c, 0x84, 0x102, &(0x7f0000000080)={0x0, 0x2c, "62b731e5fc22a3896ac6142a20732d2e97c59348119c3364ac33637589f0a0bf0d2453a689736a74ea769dd5"}, &(0x7f00000000c0)=0x34) r1 = openat(0xffffffffffffff9c, &(0x7f0000000100)='./file0\x00', 0x0, 0x44) mknodat(r1, &(0x7f0000000140)='.\x00', 0x1, 0x1) r2 = getgid() setregid(r2, 0xffffffffffffffff) getresuid(&(0x7f0000000180), &(0x7f00000001c0), &(0x7f0000000200)) ioctl$DIOCGETALTQV1(r1, 0xc1304430, &(0x7f0000000240)="089aeb921337ee4be02b2524deba2fa2aa5fdec743abfba103a71adb466ae566a86e3b1bd5cfad0713418293fe779ac8f40dd46447056a46f4135614280e54e4fcfe487cbaef1b5eccb65ff7c1f30cb76c4bb032c362f1501f50a87f031c31f0f04412247015a817dc8d57b66b424c42115b16d2f887a79a73deab2472040a700ee00ea1c33bfd0572885d528c9101c3c300981a342579ad50e7a1c138a000e378650de16abb78e2229f645099a9038bc317a7e906cd4809730a741e3c945a19cc3c5fadb42f845bdabc65175a9061ffe537473941ee2118505fdaf44956cedef603a0c82d39d11dd6b944dc9215e8619a5652ed6832d532fe16bf62b60c") ioctl$DIOCRSETTFLAGS(r1, 0xc450444a, &(0x7f00000003c0)={{"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", "ab289979a2680ec5678ca2f69243ee515fadd8e8e6d59c968b2d89c013ed6012", 0x5, 0x7}, 
&(0x7f0000000340)="c1f79791e5374e62af4be8dbfad23a442bb6c0e5568ca98b716e4d91ccc6bc482ac8112393ab4b77fa22dd04722d6687272199a823b155fba282b7744f27a0b754f70b81d4f243ff827c81804ee873cc2037b6b9f185b75bd183891fef90a0f753bfef3058cbf145f945e2ed526c5d", 0x84, 0x4, 0x8, 0x7, 0x400, 0x8, 0x8, 0x81}) setsockopt$inet6_sctp_SCTP_RECONFIG_SUPPORTED(0xffffffffffffffff, 0x84, 0x29, &(0x7f0000000840)={r0, 0x8}, 0x8) syz_emit_ethernet(0x44, &(0x7f0000000000)={@broadcast, @random="34f75c76c0d1", [{[{0x88a8, 0x6}], {0x8100, 0x5, 0x1, 0x2}}], {@arp={0x806, @generic={0x18, 0x812b, 0x6, 0xa, 0x2, @empty, "49d325ffc361b7df0cd1", @remote, "81435add99354009445dd94f88b48924"}}}}) syz_execute_func(&(0x7f0000000080)="df7565c4e2c9ae3500000000660f3803575265660f5fe4260ff66b00c4e1c5db83c9000000c4c1fa70830080000008f30f1efa0f0d697636f30f5bfb") syz_extract_tcp_res(&(0x7f00000000c0), 0x5, 0x1) csource_test.go:124: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include static __thread int skip_segv; static __thread jmp_buf segv_env; static void segv_handler(int sig, siginfo_t* info, void* ctx) { uintptr_t addr = (uintptr_t)info->si_addr; const uintptr_t prog_start = 1 << 20; const uintptr_t prog_end = 100 << 20; int skip = __atomic_load_n(&skip_segv, __ATOMIC_RELAXED) != 0; int valid = addr < prog_start || addr > prog_end; if (sig == SIGBUS) { valid = 1; } if (skip && valid) { _longjmp(segv_env, 1); } exit(sig); } static void install_segv_handler(void) { struct sigaction sa; memset(&sa, 0, sizeof(sa)); sa.sa_sigaction = segv_handler; sa.sa_flags = SA_NODEFER | SA_SIGINFO; sigaction(SIGSEGV, &sa, NULL); sigaction(SIGBUS, &sa, NULL); } #define NONFAILING(...) 
{ __atomic_fetch_add(&skip_segv, 1, __ATOMIC_SEQ_CST); if (_setjmp(segv_env) == 0) { __VA_ARGS__; } __atomic_fetch_sub(&skip_segv, 1, __ATOMIC_SEQ_CST); } static void kill_and_wait(int pid, int* status) { kill(pid, SIGKILL); while (waitpid(-1, status, 0) != pid) { } } static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void use_temporary_dir(void) { char tmpdir_template[] = "./syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) exit(1); if (chmod(tmpdir, 0777)) exit(1); if (chdir(tmpdir)) exit(1); } static void __attribute__((noinline)) remove_dir(const char* dir) { DIR* dp = opendir(dir); if (dp == NULL) { if (errno == EACCES) { if (rmdir(dir)) exit(1); return; } exit(1); } struct dirent* ep = 0; while ((ep = readdir(dp))) { if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0) continue; char filename[FILENAME_MAX]; snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name); struct stat st; if (lstat(filename, &st)) exit(1); if (S_ISDIR(st.st_mode)) { remove_dir(filename); continue; } if (unlink(filename)) exit(1); } closedir(dp); if (rmdir(dir)) exit(1); } static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); pthread_attr_setstacksize(&attr, 128 << 10); int i = 0; for (; i < 100; i++) { if (pthread_create(&th, &attr, fn, arg) == 0) { pthread_attr_destroy(&attr); return; } if (errno == EAGAIN) { usleep(50); continue; } break; } exit(1); } typedef struct { pthread_mutex_t mu; pthread_cond_t cv; int state; } event_t; static void event_init(event_t* ev) { if (pthread_mutex_init(&ev->mu, 0)) exit(1); if (pthread_cond_init(&ev->cv, 0)) exit(1); ev->state = 0; } static void event_reset(event_t* ev) { ev->state = 0; } static void event_set(event_t* ev) { 
pthread_mutex_lock(&ev->mu); if (ev->state) exit(1); ev->state = 1; pthread_mutex_unlock(&ev->mu); pthread_cond_broadcast(&ev->cv); } static void event_wait(event_t* ev) { pthread_mutex_lock(&ev->mu); while (!ev->state) pthread_cond_wait(&ev->cv, &ev->mu); pthread_mutex_unlock(&ev->mu); } static int event_isset(event_t* ev) { pthread_mutex_lock(&ev->mu); int res = ev->state; pthread_mutex_unlock(&ev->mu); return res; } static int event_timedwait(event_t* ev, uint64_t timeout) { uint64_t start = current_time_ms(); uint64_t now = start; pthread_mutex_lock(&ev->mu); for (;;) { if (ev->state) break; uint64_t remain = timeout - (now - start); struct timespec ts; ts.tv_sec = remain / 1000; ts.tv_nsec = (remain % 1000) * 1000 * 1000; pthread_cond_timedwait(&ev->cv, &ev->mu, &ts); now = current_time_ms(); if (now - start > timeout) break; } int res = ev->state; pthread_mutex_unlock(&ev->mu); return res; } #define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off)) #define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len)))) static void sandbox_common() { if (setsid() == -1) exit(1); struct rlimit rlim; rlim.rlim_cur = rlim.rlim_max = 128 << 20; setrlimit(RLIMIT_AS, &rlim); rlim.rlim_cur = rlim.rlim_max = 8 << 20; setrlimit(RLIMIT_MEMLOCK, &rlim); rlim.rlim_cur = rlim.rlim_max = 1 << 20; setrlimit(RLIMIT_FSIZE, &rlim); rlim.rlim_cur = rlim.rlim_max = 1 << 20; setrlimit(RLIMIT_STACK, &rlim); rlim.rlim_cur = rlim.rlim_max = 0; setrlimit(RLIMIT_CORE, &rlim); rlim.rlim_cur = rlim.rlim_max = 256; setrlimit(RLIMIT_NOFILE, &rlim); } static void loop(); static int do_sandbox_none(void) { sandbox_common(); loop(); return 0; } static long syz_execute_func(volatile long text) { volatile long p[8] = {0}; (void)p; ((void (*)(void))(text))(); return 0; } struct thread_t { int created, call; event_t ready, done; }; static struct thread_t 
threads[16]; static void execute_call(int call); static int running; static void* thr(void* arg) { struct thread_t* th = (struct thread_t*)arg; for (;;) { event_wait(&th->ready); event_reset(&th->ready); execute_call(th->call); __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED); event_set(&th->done); } return 0; } static void execute_one(void) { int i, call, thread; for (call = 0; call < 13; call++) { for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) { struct thread_t* th = &threads[thread]; if (!th->created) { th->created = 1; event_init(&th->ready); event_init(&th->done); event_set(&th->done); thread_start(thr, th); } if (!event_isset(&th->done)) continue; event_reset(&th->done); th->call = call; __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED); event_set(&th->ready); event_timedwait(&th->done, 45); break; } } for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++) sleep_ms(1); } static void execute_one(void); #define WAIT_FLAGS 0 static void loop(void) { int iter = 0; for (;; iter++) { char cwdbuf[32]; sprintf(cwdbuf, "./%d", iter); if (mkdir(cwdbuf, 0777)) exit(1); int pid = fork(); if (pid < 0) exit(1); if (pid == 0) { if (chdir(cwdbuf)) exit(1); execute_one(); exit(0); } int status = 0; uint64_t start = current_time_ms(); for (;;) { if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) break; sleep_ms(1); if (current_time_ms() - start < 5 * 1000) continue; kill_and_wait(pid, &status); break; } remove_dir(cwdbuf); } } uint64_t r[3] = {0x0, 0xffffffffffffffff, 0x0}; void execute_call(int call) { intptr_t res = 0; switch (call) { case 0: NONFAILING(memcpy((void*)0x10000000, "./file0\000", 8)); syscall(SYS___realpathat, -1, 0x10000000, 0x10000040, 8, 0); break; case 1: NONFAILING(*(uint32_t*)0x10000080 = 0); NONFAILING(*(uint32_t*)0x10000084 = 0x2c); NONFAILING(memcpy((void*)0x10000088, 
"\x62\xb7\x31\xe5\xfc\x22\xa3\x89\x6a\xc6\x14\x2a\x20\x73\x2d\x2e\x97\xc5\x93\x48\x11\x9c\x33\x64\xac\x33\x63\x75\x89\xf0\xa0\xbf\x0d\x24\x53\xa6\x89\x73\x6a\x74\xea\x76\x9d\xd5", 44)); NONFAILING(*(uint32_t*)0x100000c0 = 0x34); res = syscall(SYS_getsockopt, 0xffffff9c, 0x84, 0x102, 0x10000080, 0x100000c0); if (res != -1) NONFAILING(r[0] = *(uint32_t*)0x10000080); break; case 2: NONFAILING(memcpy((void*)0x10000100, "./file0\000", 8)); res = syscall(SYS_openat, 0xffffff9c, 0x10000100, 0, 0x44); if (res != -1) r[1] = res; break; case 3: NONFAILING(memcpy((void*)0x10000140, ".\000", 2)); syscall(SYS_mknodat, (intptr_t)r[1], 0x10000140, 1, 1ull); break; case 4: res = syscall(SYS_getgid); if (res != -1) r[2] = res; break; case 5: syscall(SYS_setregid, (intptr_t)r[2], -1); break; case 6: syscall(SYS_getresuid, 0x10000180, 0x100001c0, 0x10000200); break; case 7: NONFAILING(memcpy((void*)0x10000240, "\x08\x9a\xeb\x92\x13\x37\xee\x4b\xe0\x2b\x25\x24\xde\xba\x2f\xa2\xaa\x5f\xde\xc7\x43\xab\xfb\xa1\x03\xa7\x1a\xdb\x46\x6a\xe5\x66\xa8\x6e\x3b\x1b\xd5\xcf\xad\x07\x13\x41\x82\x93\xfe\x77\x9a\xc8\xf4\x0d\xd4\x64\x47\x05\x6a\x46\xf4\x13\x56\x14\x28\x0e\x54\xe4\xfc\xfe\x48\x7c\xba\xef\x1b\x5e\xcc\xb6\x5f\xf7\xc1\xf3\x0c\xb7\x6c\x4b\xb0\x32\xc3\x62\xf1\x50\x1f\x50\xa8\x7f\x03\x1c\x31\xf0\xf0\x44\x12\x24\x70\x15\xa8\x17\xdc\x8d\x57\xb6\x6b\x42\x4c\x42\x11\x5b\x16\xd2\xf8\x87\xa7\x9a\x73\xde\xab\x24\x72\x04\x0a\x70\x0e\xe0\x0e\xa1\xc3\x3b\xfd\x05\x72\x88\x5d\x52\x8c\x91\x01\xc3\xc3\x00\x98\x1a\x34\x25\x79\xad\x50\xe7\xa1\xc1\x38\xa0\x00\xe3\x78\x65\x0d\xe1\x6a\xbb\x78\xe2\x22\x9f\x64\x50\x99\xa9\x03\x8b\xc3\x17\xa7\xe9\x06\xcd\x48\x09\x73\x0a\x74\x1e\x3c\x94\x5a\x19\xcc\x3c\x5f\xad\xb4\x2f\x84\x5b\xda\xbc\x65\x17\x5a\x90\x61\xff\xe5\x37\x47\x39\x41\xee\x21\x18\x50\x5f\xda\xf4\x49\x56\xce\xde\xf6\x03\xa0\xc8\x2d\x39\xd1\x1d\xd6\xb9\x44\xdc\x92\x15\xe8\x61\x9a\x56\x52\xed\x68\x32\xd5\x32\xfe\x16\xbf\x62\xb6\x0c", 254)); syscall(SYS_ioctl, (intptr_t)r[1], 0xc1304430, 0x10000240); break; 
case 8: NONFAILING(memcpy((void*)0x100003c0, "\xd6\xfa\x81\x37\x38\x99\x4e\x7f\xbc\xd0\x82\x2a\xb8\x5e\x0d\xd4\x41\xa9\x52\x4f\xcd\x7c\x8a\x27\x91\x87\x82\x95\x02\x97\xb8\x7f\x70\x05\xd8\xd0\x7a\xfa\xc5\x3f\x2c\x3b\x08\xa3\x64\x6d\x6c\x7d\x18\x3c\x03\x5f\xb9\xec\xd4\x7e\x0a\x51\x4c\x31\xd1\xa7\x10\x63\x9b\xe6\xbb\x3e\xd9\xfe\x94\x83\x92\xaa\xb5\x6f\x61\xb2\x29\x87\x34\xa9\x79\x8a\x23\x65\x65\x75\xcb\x59\x0e\xec\x37\xbb\xd8\x8f\x3a\xd7\xfd\xc4\xe6\xae\xeb\x45\x26\x0e\x07\x96\x26\xfb\x76\x50\xe7\xa3\x0e\x36\x5c\xd1\x61\x7f\xfc\x78\x94\xf4\x81\x0e\x59\x2a\x10\x9f\x98\xa4\x30\x51\x3f\x91\x6f\x58\x70\xf2\xcd\x6f\xc8\x09\xf2\xc1\x53\x08\x66\x61\x0d\xa6\x8f\xce\xd1\xf6\x12\xc4\x86\x91\xda\xbc\x72\x7b\xa8\xfb\xb5\xeb\x06\x83\xf2\x19\x76\x7a\x3f\x4f\x32\x2c\x1a\x81\x30\x4b\x2a\xb4\x18\xa9\x26\x69\xf9\xd8\x1b\xcc\x63\x8b\xbd\x25\x9e\x0c\xe0\xc2\x54\xc1\x2a\x6e\xfa\xb2\x7f\x79\x9b\x0e\x61\x67\x90\x4e\x65\x9e\x35\x9e\xc3\x1a\x83\xcf\x82\x45\xd7\x17\xed\xe0\x39\xa4\x0a\x2e\xc0\x3b\x5a\x68\x69\xe2\x69\x01\x55\x79\xc6\x79\x94\x95\xfe\xcb\xdb\xdd\x09\xf2\xe2\x57\x51\xbd\x49\xd6\x20\x80\xc6\xa3\xad\xeb\x53\x39\x26\x00\x7b\x93\xae\x74\x68\x27\x55\xa6\xc6\x76\xa2\x56\x53\xab\xf0\x13\xa6\xe5\x00\x8b\x1c\xa4\x41\x0d\x58\xff\x4c\xac\xff\x23\x3f\x2d\xcb\x00\xd5\x79\xe6\x2c\xc9\x22\x8d\xdf\x84\xc9\x9c\xfa\x62\x94\x29\x25\x18\xc3\x18\x9c\x2c\x69\xdc\x3d\xe8\xbb\xd2\x1d\x10\x1e\xee\x91\x33\x4c\xd0\xbc\xef\xb9\x47\x74\xea\x26\x96\xca\x98\x00\x50\x8d\xd8\x4d\x66\xee\xd8\x1c\x34\x82\x43\x2d\xb9\x77\x54\xaf\xf0\xde\xd5\xb4\xd6\xa4\xbd\x64\x6c\x55\xe9\x07\x1a\xf6\xbc\x0e\xa9\x67\x7e\x09\x4f\x5f\x3e\xd7\x2b\x69\xa5\xc6\xc7\x01\xe2\xda\xe8\x94\x65\x6e\x52\x1f\xf3\x7c\xa1\x2e\x99\xbb\x4c\x5e\x73\xce\xbe\x83\xcf\xc0\xca\xe6\xce\x0b\x75\xb1\x12\x40\x6a\xf1\xbf\x21\x16\x62\x6c\x05\x95\xf7\xee\x62\x6b\xec\x0d\xda\x5c\x1c\x2c\x0a\xf5\x03\xd2\xf6\xbb\x74\x79\x5c\x93\x8c\x61\xfc\xad\x9f\x51\xc0\xdc\xd8\x83\x40\x3e\x68\x95\x2d\x34\x7f\x1b\x82\x86\x90\xbe\x2f\xe1\x82\x0f\xd1\x05\x2d\x10\x25\x2b\x91\xe7\x80\x
d3\x5a\x17\x70\x6a\x6b\x71\x43\x7d\x78\x17\xd0\x58\x9e\xb2\xeb\x98\x7c\xb4\x3d\x8b\x09\x47\xba\x9b\xfe\x7c\x51\x3c\xab\x3c\xe7\xd2\xa9\x26\x13\x65\xed\xcb\x70\xfa\xdd\x30\x3a\x4c\x03\x02\x5a\x9f\x82\xbd\x82\xda\x37\xf8\xc5\xcf\xf9\x88\x54\x8b\xfd\xbd\xdb\x97\x41\xcd\x08\x64\x05\xc0\xf4\xd5\x72\x73\x1f\x04\x5b\x9f\x14\xda\x39\xf4\x5d\x03\x85\x44\xb2\x0b\xfb\x15\x2a\xbd\xe3\x32\x71\x32\xcf\xd0\x95\x92\x3f\xe4\x7a\x7a\x24\x79\x59\x79\xf1\xab\x89\xa5\x0d\xbf\x40\xac\xf3\x54\x09\x46\x52\xf4\x28\x53\x95\xf3\xa6\xf6\x18\xf4\x50\x5e\x5e\x61\x19\xf7\xb8\x3d\xa6\x98\xbe\xa9\xd4\xb5\x3b\x0c\x56\x46\xa8\x5e\x45\xb9\xae\x74\x37\x5e\x32\x95\x16\x43\x22\x99\x21\x7c\x15\xe4\x97\x46\x53\xbf\xf7\xc3\x00\xe8\xb0\x18\x14\x33\xb3\x81\xf9\xf7\x01\x54\x0e\x5e\xcd\x7a\x36\xb1\x2c\x66\x01\xce\xd5\x80\xe7\x0b\x03\x69\x43\x70\xf1\x70\xdb\x27\xde\x99\x78\xde\xf7\xdc\xee\xf2\xa7\xdc\x93\xbb\xd4\x10\x57\x32\x33\xe8\x63\xb2\x53\x06\x6c\x54\xb9\x99\xc9\xab\xd5\x2e\xf5\x0b\x5e\x75\x41\x93\xd2\xcf\x36\x02\x94\xdf\xd6\x0d\xc6\x7f\x73\x11\x8a\xda\xf6\x82\x8c\x9f\xa9\x8b\x01\x93\x59\x35\x77\x87\x39\x37\x77\x4e\xa4\x51\x29\x35\xf0\xfd\x4b\x00\xef\xf3\xc0\xcb\x0e\x8a\xb9\x6f\x8b\x95\x2a\xb7\xca\x58\x79\xe6\xb5\x80\xac\x9d\x67\x60\x54\x91\xf8\x12\x1f\xec\x81\xb9\x2f\xfb\xb7\x03\xcf\x46\x2d\xc5\x57\x1c\xca\xf1\xb7\x34\x5a\xb1\x93\xd4\x30\x61\x18\xa3\xf1\x9b\xf2\x79\x5b\x5c\x50\xd7\xe6\x4a\x98\x0c\xc2\x52\xac\xc4\x0e\x8a\x60\x50\x35\xa1\x5d\x40\x6d\x86\x9a\x2b\xd2\x75\xa9\xbf\xbb\xaf\x0e\x4e\x3c\xc1\xb3\xec\xe4\xfd\x2d\x51\x9a\xa5\x40\xfc\x27\xdd\xfe\xc3\xcc\x0e\x3b\xd3\x5b\x68\xbc\x30\x9c\xf9\xba\x9e\xf5\xec\x47\x52\xe7\x2b\x9b\x36\x5f\xea\x7d\xbd\x38\xc6\x95\xa6\xe4\x6b\xa9\xf8\xf5\x69\xd8\x57\x1c\x21\x44\x72\x82\xd1\x01\x17\xe2\xfc\x31\x11\xa5\xb7\xc2\x46\x94\xd9\xfc\x33\x73\xbc\x9b\x34\xac\xbb\xba\xce\x29\x32\x22\x44\xb5\x45\xc8\xbd\x44\xc7\xa5\x41\x65\x5c\x47\xf6\xff\x02\x1f\x62\x58\x35\x71\xf2\x42\x60\xa4\x74\xb4\x09\xe0\x55\xee\x28\xce\xd6\xb1\xa2\xc8\x4b\x9a\xf8\x28\x2a\xfa\x5e\x4c\x29\xa5\x72\x5b\x
ba\x85\x76\xa3\x19\xd8\xa1\xd6\x3e\xd3\xbb\xd3\x60\x57\x1c\x7c\x66\x34\xa4\x55\xb3\xd3\x52\xaf\xf5\x19\x2e\x5d\xe9\x4d\xc4\x40\x10\x6f\x69\x56", 1024)); NONFAILING(memcpy((void*)0x100007c0, "\xab\x28\x99\x79\xa2\x68\x0e\xc5\x67\x8c\xa2\xf6\x92\x43\xee\x51\x5f\xad\xd8\xe8\xe6\xd5\x9c\x96\x8b\x2d\x89\xc0\x13\xed\x60\x12", 32)); NONFAILING(*(uint32_t*)0x100007e0 = 5); NONFAILING(*(uint8_t*)0x100007e4 = 7); NONFAILING(*(uint32_t*)0x100007e8 = 0x10000340); NONFAILING(memcpy((void*)0x10000340, "\xc1\xf7\x97\x91\xe5\x37\x4e\x62\xaf\x4b\xe8\xdb\xfa\xd2\x3a\x44\x2b\xb6\xc0\xe5\x56\x8c\xa9\x8b\x71\x6e\x4d\x91\xcc\xc6\xbc\x48\x2a\xc8\x11\x23\x93\xab\x4b\x77\xfa\x22\xdd\x04\x72\x2d\x66\x87\x27\x21\x99\xa8\x23\xb1\x55\xfb\xa2\x82\xb7\x74\x4f\x27\xa0\xb7\x54\xf7\x0b\x81\xd4\xf2\x43\xff\x82\x7c\x81\x80\x4e\xe8\x73\xcc\x20\x37\xb6\xb9\xf1\x85\xb7\x5b\xd1\x83\x89\x1f\xef\x90\xa0\xf7\x53\xbf\xef\x30\x58\xcb\xf1\x45\xf9\x45\xe2\xed\x52\x6c\x5d", 111)); NONFAILING(*(uint64_t*)0x100007ec = 0x84); NONFAILING(*(uint64_t*)0x100007f4 = 4); NONFAILING(*(uint64_t*)0x100007fc = 8); NONFAILING(*(uint64_t*)0x10000804 = 7); NONFAILING(*(uint64_t*)0x1000080c = 0x400); NONFAILING(*(uint64_t*)0x10000814 = 8); NONFAILING(*(uint64_t*)0x1000081c = 8); NONFAILING(*(uint32_t*)0x10000824 = 0x81); syscall(SYS_ioctl, (intptr_t)r[1], 0xc450444a, 0x100003c0); break; case 9: NONFAILING(*(uint32_t*)0x10000840 = r[0]); NONFAILING(*(uint32_t*)0x10000844 = 8); syscall(SYS_setsockopt, -1, 0x84, 0x29, 0x10000840, 8); break; case 10: NONFAILING(*(uint8_t*)0x10000000 = -1); NONFAILING(*(uint8_t*)0x10000001 = -1); NONFAILING(*(uint8_t*)0x10000002 = -1); NONFAILING(*(uint8_t*)0x10000003 = -1); NONFAILING(*(uint8_t*)0x10000004 = -1); NONFAILING(*(uint8_t*)0x10000005 = -1); NONFAILING(memcpy((void*)0x10000006, "\x34\xf7\x5c\x76\xc0\xd1", 6)); NONFAILING(*(uint16_t*)0x1000000c = htobe16(0x88a8)); NONFAILING(STORE_BY_BITMASK(uint16_t, , 0x1000000e, 6, 0, 3)); NONFAILING(STORE_BY_BITMASK(uint16_t, , 0x1000000e, 0, 3, 1)); 
NONFAILING(STORE_BY_BITMASK(uint16_t, , 0x1000000e, 0, 4, 12)); NONFAILING(*(uint16_t*)0x10000010 = htobe16(0x8100)); NONFAILING(STORE_BY_BITMASK(uint16_t, , 0x10000012, 5, 0, 3)); NONFAILING(STORE_BY_BITMASK(uint16_t, , 0x10000012, 1, 3, 1)); NONFAILING(STORE_BY_BITMASK(uint16_t, , 0x10000012, 2, 4, 12)); NONFAILING(*(uint16_t*)0x10000014 = htobe16(0x806)); NONFAILING(*(uint16_t*)0x10000016 = htobe16(0x18)); NONFAILING(*(uint16_t*)0x10000018 = htobe16(0x812b)); NONFAILING(*(uint8_t*)0x1000001a = 6); NONFAILING(*(uint8_t*)0x1000001b = 0xa); NONFAILING(*(uint16_t*)0x1000001c = htobe16(2)); NONFAILING(*(uint8_t*)0x1000001e = 0); NONFAILING(*(uint8_t*)0x1000001f = 0); NONFAILING(*(uint8_t*)0x10000020 = 0); NONFAILING(*(uint8_t*)0x10000021 = 0); NONFAILING(*(uint8_t*)0x10000022 = 0); NONFAILING(*(uint8_t*)0x10000023 = 0); NONFAILING(memcpy((void*)0x10000024, "\x49\xd3\x25\xff\xc3\x61\xb7\xdf\x0c\xd1", 10)); NONFAILING(*(uint8_t*)0x1000002e = 0xaa); NONFAILING(*(uint8_t*)0x1000002f = 0xaa); NONFAILING(*(uint8_t*)0x10000030 = 0xaa); NONFAILING(*(uint8_t*)0x10000031 = 0xaa); NONFAILING(*(uint8_t*)0x10000032 = 0xaa); NONFAILING(*(uint8_t*)0x10000033 = 0xbb); NONFAILING(memcpy((void*)0x10000034, "\x81\x43\x5a\xdd\x99\x35\x40\x09\x44\x5d\xd9\x4f\x88\xb4\x89\x24", 16)); break; case 11: NONFAILING(memcpy((void*)0x10000080, "\xdf\x75\x65\xc4\xe2\xc9\xae\x35\x00\x00\x00\x00\x66\x0f\x38\x03\x57\x52\x65\x66\x0f\x5f\xe4\x26\x0f\xf6\x6b\x00\xc4\xe1\xc5\xdb\x83\xc9\x00\x00\x00\xc4\xc1\xfa\x70\x83\x00\x80\x00\x00\x08\xf3\x0f\x1e\xfa\x0f\x0d\x69\x76\x36\xf3\x0f\x5b\xfb", 60)); NONFAILING(syz_execute_func(0x10000080)); break; case 12: break; } } int main(void) { syscall(SYS_mmap, 0x10000000, 0x1000000, 7, 0x1012, -1, 0); install_segv_handler(); use_temporary_dir(); do_sandbox_none(); return 0; } :343:11: error: use of undeclared identifier 'SYS___realpathat' syscall(SYS___realpathat, -1, 0x10000000, 0x10000040, 8, 0); ^ 1 error generated. 
compiler invocation: clang [-o /tmp/syz-executor375080879 -DGOOS_freebsd=1 -DGOARCH_386=1 -DHOSTGOOS_freebsd=1 -x c - -m32 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -static -lc++ -Wno-overflow] --- FAIL: TestGenerate/freebsd/386/8 (1.94s) csource_test.go:123: opts: {Threaded:true Collide:false Repeat:true RepeatTimes:0 Procs:0 Sandbox:setuid Fault:false FaultCall:0 FaultNth:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false USB:false VhciInjection:false Wifi:false UseTmpDir:true HandleSegv:false Repro:false Trace:false} program: __realpathat(0xffffffffffffffff, &(0x7f0000000000)='./file0\x00', &(0x7f0000000040)=""/8, 0x8, 0x0) getsockopt$inet6_sctp_SCTP_PEER_AUTH_CHUNKS(0xffffffffffffff9c, 0x84, 0x102, &(0x7f0000000080)={0x0, 0x2c, "62b731e5fc22a3896ac6142a20732d2e97c59348119c3364ac33637589f0a0bf0d2453a689736a74ea769dd5"}, &(0x7f00000000c0)=0x34) r1 = openat(0xffffffffffffff9c, &(0x7f0000000100)='./file0\x00', 0x0, 0x44) mknodat(r1, &(0x7f0000000140)='.\x00', 0x1, 0x1) r2 = getgid() setregid(r2, 0xffffffffffffffff) getresuid(&(0x7f0000000180), &(0x7f00000001c0), &(0x7f0000000200)) ioctl$DIOCGETALTQV1(r1, 0xc1304430, &(0x7f0000000240)="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") ioctl$DIOCRSETTFLAGS(r1, 0xc450444a, &(0x7f00000003c0)={{"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", "ab289979a2680ec5678ca2f69243ee515fadd8e8e6d59c968b2d89c013ed6012", 0x5, 0x7}, &(0x7f0000000340)="c1f79791e5374e62af4be8dbfad23a442bb6c0e5568ca98b716e4d91ccc6bc482ac8112393ab4b77fa22dd04722d6687272199a823b155fba282b7744f27a0b754f70b81d4f243ff827c81804ee873cc2037b6b9f185b75bd183891fef90a0f753bfef3058cbf145f945e2ed526c5d", 0x84, 0x4, 0x8, 0x7, 0x400, 0x8, 0x8, 0x81}) setsockopt$inet6_sctp_SCTP_RECONFIG_SUPPORTED(0xffffffffffffffff, 0x84, 0x29, &(0x7f0000000840)={r0, 0x8}, 0x8) syz_emit_ethernet(0x44, &(0x7f0000000000)={@broadcast, 
@random="34f75c76c0d1", [{[{0x88a8, 0x6}], {0x8100, 0x5, 0x1, 0x2}}], {@arp={0x806, @generic={0x18, 0x812b, 0x6, 0xa, 0x2, @empty, "49d325ffc361b7df0cd1", @remote, "81435add99354009445dd94f88b48924"}}}}) syz_execute_func(&(0x7f0000000080)="df7565c4e2c9ae3500000000660f3803575265660f5fe4260ff66b00c4e1c5db83c9000000c4c1fa70830080000008f30f1efa0f0d697636f30f5bfb") syz_extract_tcp_res(&(0x7f00000000c0), 0x5, 0x1) csource_test.go:124: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include static void kill_and_wait(int pid, int* status) { kill(pid, SIGKILL); while (waitpid(-1, status, 0) != pid) { } } static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void use_temporary_dir(void) { char tmpdir_template[] = "./syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) exit(1); if (chmod(tmpdir, 0777)) exit(1); if (chdir(tmpdir)) exit(1); } static void __attribute__((noinline)) remove_dir(const char* dir) { DIR* dp = opendir(dir); if (dp == NULL) { if (errno == EACCES) { if (rmdir(dir)) exit(1); return; } exit(1); } struct dirent* ep = 0; while ((ep = readdir(dp))) { if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0) continue; char filename[FILENAME_MAX]; snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name); struct stat st; if (lstat(filename, &st)) exit(1); if (S_ISDIR(st.st_mode)) { remove_dir(filename); continue; } if (unlink(filename)) exit(1); } closedir(dp); if (rmdir(dir)) exit(1); } static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); 
pthread_attr_setstacksize(&attr, 128 << 10); int i = 0; for (; i < 100; i++) { if (pthread_create(&th, &attr, fn, arg) == 0) { pthread_attr_destroy(&attr); return; } if (errno == EAGAIN) { usleep(50); continue; } break; } exit(1); } typedef struct { pthread_mutex_t mu; pthread_cond_t cv; int state; } event_t; static void event_init(event_t* ev) { if (pthread_mutex_init(&ev->mu, 0)) exit(1); if (pthread_cond_init(&ev->cv, 0)) exit(1); ev->state = 0; } static void event_reset(event_t* ev) { ev->state = 0; } static void event_set(event_t* ev) { pthread_mutex_lock(&ev->mu); if (ev->state) exit(1); ev->state = 1; pthread_mutex_unlock(&ev->mu); pthread_cond_broadcast(&ev->cv); } static void event_wait(event_t* ev) { pthread_mutex_lock(&ev->mu); while (!ev->state) pthread_cond_wait(&ev->cv, &ev->mu); pthread_mutex_unlock(&ev->mu); } static int event_isset(event_t* ev) { pthread_mutex_lock(&ev->mu); int res = ev->state; pthread_mutex_unlock(&ev->mu); return res; } static int event_timedwait(event_t* ev, uint64_t timeout) { uint64_t start = current_time_ms(); uint64_t now = start; pthread_mutex_lock(&ev->mu); for (;;) { if (ev->state) break; uint64_t remain = timeout - (now - start); struct timespec ts; ts.tv_sec = remain / 1000; ts.tv_nsec = (remain % 1000) * 1000 * 1000; pthread_cond_timedwait(&ev->cv, &ev->mu, &ts); now = current_time_ms(); if (now - start > timeout) break; } int res = ev->state; pthread_mutex_unlock(&ev->mu); return res; } #define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off)) #define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len)))) static void sandbox_common() { if (setsid() == -1) exit(1); struct rlimit rlim; rlim.rlim_cur = rlim.rlim_max = 128 << 20; setrlimit(RLIMIT_AS, &rlim); rlim.rlim_cur = rlim.rlim_max = 8 << 20; setrlimit(RLIMIT_MEMLOCK, &rlim); rlim.rlim_cur = rlim.rlim_max = 1 << 20; 
setrlimit(RLIMIT_FSIZE, &rlim); rlim.rlim_cur = rlim.rlim_max = 1 << 20; setrlimit(RLIMIT_STACK, &rlim); rlim.rlim_cur = rlim.rlim_max = 0; setrlimit(RLIMIT_CORE, &rlim); rlim.rlim_cur = rlim.rlim_max = 256; setrlimit(RLIMIT_NOFILE, &rlim); } static void loop(); static int wait_for_loop(int pid) { if (pid < 0) exit(1); int status = 0; while (waitpid(-1, &status, WUNTRACED) != pid) { } return WEXITSTATUS(status); } static int do_sandbox_setuid(void) { int pid = fork(); if (pid != 0) return wait_for_loop(pid); sandbox_common(); char pwbuf[1024]; struct passwd *pw, pwres; if (getpwnam_r("nobody", &pwres, pwbuf, sizeof(pwbuf), &pw) != 0 || !pw) exit(1); if (setgroups(0, NULL)) exit(1); if (setgid(pw->pw_gid)) exit(1); if (setuid(pw->pw_uid)) exit(1); loop(); exit(1); } static long syz_execute_func(volatile long text) { volatile long p[8] = {0}; (void)p; ((void (*)(void))(text))(); return 0; } struct thread_t { int created, call; event_t ready, done; }; static struct thread_t threads[16]; static void execute_call(int call); static int running; static void* thr(void* arg) { struct thread_t* th = (struct thread_t*)arg; for (;;) { event_wait(&th->ready); event_reset(&th->ready); execute_call(th->call); __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED); event_set(&th->done); } return 0; } static void execute_one(void) { int i, call, thread; for (call = 0; call < 13; call++) { for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) { struct thread_t* th = &threads[thread]; if (!th->created) { th->created = 1; event_init(&th->ready); event_init(&th->done); event_set(&th->done); thread_start(thr, th); } if (!event_isset(&th->done)) continue; event_reset(&th->done); th->call = call; __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED); event_set(&th->ready); event_timedwait(&th->done, 45); break; } } for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++) sleep_ms(1); } static void execute_one(void); #define WAIT_FLAGS 0 static void 
loop(void) { int iter = 0; for (;; iter++) { char cwdbuf[32]; sprintf(cwdbuf, "./%d", iter); if (mkdir(cwdbuf, 0777)) exit(1); int pid = fork(); if (pid < 0) exit(1); if (pid == 0) { if (chdir(cwdbuf)) exit(1); execute_one(); exit(0); } int status = 0; uint64_t start = current_time_ms(); for (;;) { if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) break; sleep_ms(1); if (current_time_ms() - start < 5 * 1000) continue; kill_and_wait(pid, &status); break; } remove_dir(cwdbuf); } } uint64_t r[3] = {0x0, 0xffffffffffffffff, 0x0}; void execute_call(int call) { intptr_t res = 0; switch (call) { case 0: memcpy((void*)0x10000000, "./file0\000", 8); syscall(SYS___realpathat, -1, 0x10000000, 0x10000040, 8, 0); break; case 1: *(uint32_t*)0x10000080 = 0; *(uint32_t*)0x10000084 = 0x2c; memcpy((void*)0x10000088, "\x62\xb7\x31\xe5\xfc\x22\xa3\x89\x6a\xc6\x14\x2a\x20\x73\x2d\x2e\x97\xc5\x93\x48\x11\x9c\x33\x64\xac\x33\x63\x75\x89\xf0\xa0\xbf\x0d\x24\x53\xa6\x89\x73\x6a\x74\xea\x76\x9d\xd5", 44); *(uint32_t*)0x100000c0 = 0x34; res = syscall(SYS_getsockopt, 0xffffff9c, 0x84, 0x102, 0x10000080, 0x100000c0); if (res != -1) r[0] = *(uint32_t*)0x10000080; break; case 2: memcpy((void*)0x10000100, "./file0\000", 8); res = syscall(SYS_openat, 0xffffff9c, 0x10000100, 0, 0x44); if (res != -1) r[1] = res; break; case 3: memcpy((void*)0x10000140, ".\000", 2); syscall(SYS_mknodat, (intptr_t)r[1], 0x10000140, 1, 1ull); break; case 4: res = syscall(SYS_getgid); if (res != -1) r[2] = res; break; case 5: syscall(SYS_setregid, (intptr_t)r[2], -1); break; case 6: syscall(SYS_getresuid, 0x10000180, 0x100001c0, 0x10000200); break; case 7: memcpy((void*)0x10000240, 
"\x08\x9a\xeb\x92\x13\x37\xee\x4b\xe0\x2b\x25\x24\xde\xba\x2f\xa2\xaa\x5f\xde\xc7\x43\xab\xfb\xa1\x03\xa7\x1a\xdb\x46\x6a\xe5\x66\xa8\x6e\x3b\x1b\xd5\xcf\xad\x07\x13\x41\x82\x93\xfe\x77\x9a\xc8\xf4\x0d\xd4\x64\x47\x05\x6a\x46\xf4\x13\x56\x14\x28\x0e\x54\xe4\xfc\xfe\x48\x7c\xba\xef\x1b\x5e\xcc\xb6\x5f\xf7\xc1\xf3\x0c\xb7\x6c\x4b\xb0\x32\xc3\x62\xf1\x50\x1f\x50\xa8\x7f\x03\x1c\x31\xf0\xf0\x44\x12\x24\x70\x15\xa8\x17\xdc\x8d\x57\xb6\x6b\x42\x4c\x42\x11\x5b\x16\xd2\xf8\x87\xa7\x9a\x73\xde\xab\x24\x72\x04\x0a\x70\x0e\xe0\x0e\xa1\xc3\x3b\xfd\x05\x72\x88\x5d\x52\x8c\x91\x01\xc3\xc3\x00\x98\x1a\x34\x25\x79\xad\x50\xe7\xa1\xc1\x38\xa0\x00\xe3\x78\x65\x0d\xe1\x6a\xbb\x78\xe2\x22\x9f\x64\x50\x99\xa9\x03\x8b\xc3\x17\xa7\xe9\x06\xcd\x48\x09\x73\x0a\x74\x1e\x3c\x94\x5a\x19\xcc\x3c\x5f\xad\xb4\x2f\x84\x5b\xda\xbc\x65\x17\x5a\x90\x61\xff\xe5\x37\x47\x39\x41\xee\x21\x18\x50\x5f\xda\xf4\x49\x56\xce\xde\xf6\x03\xa0\xc8\x2d\x39\xd1\x1d\xd6\xb9\x44\xdc\x92\x15\xe8\x61\x9a\x56\x52\xed\x68\x32\xd5\x32\xfe\x16\xbf\x62\xb6\x0c", 254); syscall(SYS_ioctl, (intptr_t)r[1], 0xc1304430, 0x10000240); break; case 8: memcpy((void*)0x100003c0, 
"\xd6\xfa\x81\x37\x38\x99\x4e\x7f\xbc\xd0\x82\x2a\xb8\x5e\x0d\xd4\x41\xa9\x52\x4f\xcd\x7c\x8a\x27\x91\x87\x82\x95\x02\x97\xb8\x7f\x70\x05\xd8\xd0\x7a\xfa\xc5\x3f\x2c\x3b\x08\xa3\x64\x6d\x6c\x7d\x18\x3c\x03\x5f\xb9\xec\xd4\x7e\x0a\x51\x4c\x31\xd1\xa7\x10\x63\x9b\xe6\xbb\x3e\xd9\xfe\x94\x83\x92\xaa\xb5\x6f\x61\xb2\x29\x87\x34\xa9\x79\x8a\x23\x65\x65\x75\xcb\x59\x0e\xec\x37\xbb\xd8\x8f\x3a\xd7\xfd\xc4\xe6\xae\xeb\x45\x26\x0e\x07\x96\x26\xfb\x76\x50\xe7\xa3\x0e\x36\x5c\xd1\x61\x7f\xfc\x78\x94\xf4\x81\x0e\x59\x2a\x10\x9f\x98\xa4\x30\x51\x3f\x91\x6f\x58\x70\xf2\xcd\x6f\xc8\x09\xf2\xc1\x53\x08\x66\x61\x0d\xa6\x8f\xce\xd1\xf6\x12\xc4\x86\x91\xda\xbc\x72\x7b\xa8\xfb\xb5\xeb\x06\x83\xf2\x19\x76\x7a\x3f\x4f\x32\x2c\x1a\x81\x30\x4b\x2a\xb4\x18\xa9\x26\x69\xf9\xd8\x1b\xcc\x63\x8b\xbd\x25\x9e\x0c\xe0\xc2\x54\xc1\x2a\x6e\xfa\xb2\x7f\x79\x9b\x0e\x61\x67\x90\x4e\x65\x9e\x35\x9e\xc3\x1a\x83\xcf\x82\x45\xd7\x17\xed\xe0\x39\xa4\x0a\x2e\xc0\x3b\x5a\x68\x69\xe2\x69\x01\x55\x79\xc6\x79\x94\x95\xfe\xcb\xdb\xdd\x09\xf2\xe2\x57\x51\xbd\x49\xd6\x20\x80\xc6\xa3\xad\xeb\x53\x39\x26\x00\x7b\x93\xae\x74\x68\x27\x55\xa6\xc6\x76\xa2\x56\x53\xab\xf0\x13\xa6\xe5\x00\x8b\x1c\xa4\x41\x0d\x58\xff\x4c\xac\xff\x23\x3f\x2d\xcb\x00\xd5\x79\xe6\x2c\xc9\x22\x8d\xdf\x84\xc9\x9c\xfa\x62\x94\x29\x25\x18\xc3\x18\x9c\x2c\x69\xdc\x3d\xe8\xbb\xd2\x1d\x10\x1e\xee\x91\x33\x4c\xd0\xbc\xef\xb9\x47\x74\xea\x26\x96\xca\x98\x00\x50\x8d\xd8\x4d\x66\xee\xd8\x1c\x34\x82\x43\x2d\xb9\x77\x54\xaf\xf0\xde\xd5\xb4\xd6\xa4\xbd\x64\x6c\x55\xe9\x07\x1a\xf6\xbc\x0e\xa9\x67\x7e\x09\x4f\x5f\x3e\xd7\x2b\x69\xa5\xc6\xc7\x01\xe2\xda\xe8\x94\x65\x6e\x52\x1f\xf3\x7c\xa1\x2e\x99\xbb\x4c\x5e\x73\xce\xbe\x83\xcf\xc0\xca\xe6\xce\x0b\x75\xb1\x12\x40\x6a\xf1\xbf\x21\x16\x62\x6c\x05\x95\xf7\xee\x62\x6b\xec\x0d\xda\x5c\x1c\x2c\x0a\xf5\x03\xd2\xf6\xbb\x74\x79\x5c\x93\x8c\x61\xfc\xad\x9f\x51\xc0\xdc\xd8\x83\x40\x3e\x68\x95\x2d\x34\x7f\x1b\x82\x86\x90\xbe\x2f\xe1\x82\x0f\xd1\x05\x2d\x10\x25\x2b\x91\xe7\x80\xd3\x5a\x17\x70\x6a\x6b\x71\x43\x7d\x78\x17\xd
0\x58\x9e\xb2\xeb\x98\x7c\xb4\x3d\x8b\x09\x47\xba\x9b\xfe\x7c\x51\x3c\xab\x3c\xe7\xd2\xa9\x26\x13\x65\xed\xcb\x70\xfa\xdd\x30\x3a\x4c\x03\x02\x5a\x9f\x82\xbd\x82\xda\x37\xf8\xc5\xcf\xf9\x88\x54\x8b\xfd\xbd\xdb\x97\x41\xcd\x08\x64\x05\xc0\xf4\xd5\x72\x73\x1f\x04\x5b\x9f\x14\xda\x39\xf4\x5d\x03\x85\x44\xb2\x0b\xfb\x15\x2a\xbd\xe3\x32\x71\x32\xcf\xd0\x95\x92\x3f\xe4\x7a\x7a\x24\x79\x59\x79\xf1\xab\x89\xa5\x0d\xbf\x40\xac\xf3\x54\x09\x46\x52\xf4\x28\x53\x95\xf3\xa6\xf6\x18\xf4\x50\x5e\x5e\x61\x19\xf7\xb8\x3d\xa6\x98\xbe\xa9\xd4\xb5\x3b\x0c\x56\x46\xa8\x5e\x45\xb9\xae\x74\x37\x5e\x32\x95\x16\x43\x22\x99\x21\x7c\x15\xe4\x97\x46\x53\xbf\xf7\xc3\x00\xe8\xb0\x18\x14\x33\xb3\x81\xf9\xf7\x01\x54\x0e\x5e\xcd\x7a\x36\xb1\x2c\x66\x01\xce\xd5\x80\xe7\x0b\x03\x69\x43\x70\xf1\x70\xdb\x27\xde\x99\x78\xde\xf7\xdc\xee\xf2\xa7\xdc\x93\xbb\xd4\x10\x57\x32\x33\xe8\x63\xb2\x53\x06\x6c\x54\xb9\x99\xc9\xab\xd5\x2e\xf5\x0b\x5e\x75\x41\x93\xd2\xcf\x36\x02\x94\xdf\xd6\x0d\xc6\x7f\x73\x11\x8a\xda\xf6\x82\x8c\x9f\xa9\x8b\x01\x93\x59\x35\x77\x87\x39\x37\x77\x4e\xa4\x51\x29\x35\xf0\xfd\x4b\x00\xef\xf3\xc0\xcb\x0e\x8a\xb9\x6f\x8b\x95\x2a\xb7\xca\x58\x79\xe6\xb5\x80\xac\x9d\x67\x60\x54\x91\xf8\x12\x1f\xec\x81\xb9\x2f\xfb\xb7\x03\xcf\x46\x2d\xc5\x57\x1c\xca\xf1\xb7\x34\x5a\xb1\x93\xd4\x30\x61\x18\xa3\xf1\x9b\xf2\x79\x5b\x5c\x50\xd7\xe6\x4a\x98\x0c\xc2\x52\xac\xc4\x0e\x8a\x60\x50\x35\xa1\x5d\x40\x6d\x86\x9a\x2b\xd2\x75\xa9\xbf\xbb\xaf\x0e\x4e\x3c\xc1\xb3\xec\xe4\xfd\x2d\x51\x9a\xa5\x40\xfc\x27\xdd\xfe\xc3\xcc\x0e\x3b\xd3\x5b\x68\xbc\x30\x9c\xf9\xba\x9e\xf5\xec\x47\x52\xe7\x2b\x9b\x36\x5f\xea\x7d\xbd\x38\xc6\x95\xa6\xe4\x6b\xa9\xf8\xf5\x69\xd8\x57\x1c\x21\x44\x72\x82\xd1\x01\x17\xe2\xfc\x31\x11\xa5\xb7\xc2\x46\x94\xd9\xfc\x33\x73\xbc\x9b\x34\xac\xbb\xba\xce\x29\x32\x22\x44\xb5\x45\xc8\xbd\x44\xc7\xa5\x41\x65\x5c\x47\xf6\xff\x02\x1f\x62\x58\x35\x71\xf2\x42\x60\xa4\x74\xb4\x09\xe0\x55\xee\x28\xce\xd6\xb1\xa2\xc8\x4b\x9a\xf8\x28\x2a\xfa\x5e\x4c\x29\xa5\x72\x5b\xba\x85\x76\xa3\x19\xd8\xa1\xd6\x3e\xd3\xbb\xd
3\x60\x57\x1c\x7c\x66\x34\xa4\x55\xb3\xd3\x52\xaf\xf5\x19\x2e\x5d\xe9\x4d\xc4\x40\x10\x6f\x69\x56", 1024); memcpy((void*)0x100007c0, "\xab\x28\x99\x79\xa2\x68\x0e\xc5\x67\x8c\xa2\xf6\x92\x43\xee\x51\x5f\xad\xd8\xe8\xe6\xd5\x9c\x96\x8b\x2d\x89\xc0\x13\xed\x60\x12", 32); *(uint32_t*)0x100007e0 = 5; *(uint8_t*)0x100007e4 = 7; *(uint32_t*)0x100007e8 = 0x10000340; memcpy((void*)0x10000340, "\xc1\xf7\x97\x91\xe5\x37\x4e\x62\xaf\x4b\xe8\xdb\xfa\xd2\x3a\x44\x2b\xb6\xc0\xe5\x56\x8c\xa9\x8b\x71\x6e\x4d\x91\xcc\xc6\xbc\x48\x2a\xc8\x11\x23\x93\xab\x4b\x77\xfa\x22\xdd\x04\x72\x2d\x66\x87\x27\x21\x99\xa8\x23\xb1\x55\xfb\xa2\x82\xb7\x74\x4f\x27\xa0\xb7\x54\xf7\x0b\x81\xd4\xf2\x43\xff\x82\x7c\x81\x80\x4e\xe8\x73\xcc\x20\x37\xb6\xb9\xf1\x85\xb7\x5b\xd1\x83\x89\x1f\xef\x90\xa0\xf7\x53\xbf\xef\x30\x58\xcb\xf1\x45\xf9\x45\xe2\xed\x52\x6c\x5d", 111); *(uint64_t*)0x100007ec = 0x84; *(uint64_t*)0x100007f4 = 4; *(uint64_t*)0x100007fc = 8; *(uint64_t*)0x10000804 = 7; *(uint64_t*)0x1000080c = 0x400; *(uint64_t*)0x10000814 = 8; *(uint64_t*)0x1000081c = 8; *(uint32_t*)0x10000824 = 0x81; syscall(SYS_ioctl, (intptr_t)r[1], 0xc450444a, 0x100003c0); break; case 9: *(uint32_t*)0x10000840 = r[0]; *(uint32_t*)0x10000844 = 8; syscall(SYS_setsockopt, -1, 0x84, 0x29, 0x10000840, 8); break; case 10: *(uint8_t*)0x10000000 = -1; *(uint8_t*)0x10000001 = -1; *(uint8_t*)0x10000002 = -1; *(uint8_t*)0x10000003 = -1; *(uint8_t*)0x10000004 = -1; *(uint8_t*)0x10000005 = -1; memcpy((void*)0x10000006, "\x34\xf7\x5c\x76\xc0\xd1", 6); *(uint16_t*)0x1000000c = htobe16(0x88a8); STORE_BY_BITMASK(uint16_t, , 0x1000000e, 6, 0, 3); STORE_BY_BITMASK(uint16_t, , 0x1000000e, 0, 3, 1); STORE_BY_BITMASK(uint16_t, , 0x1000000e, 0, 4, 12); *(uint16_t*)0x10000010 = htobe16(0x8100); STORE_BY_BITMASK(uint16_t, , 0x10000012, 5, 0, 3); STORE_BY_BITMASK(uint16_t, , 0x10000012, 1, 3, 1); STORE_BY_BITMASK(uint16_t, , 0x10000012, 2, 4, 12); *(uint16_t*)0x10000014 = htobe16(0x806); *(uint16_t*)0x10000016 = htobe16(0x18); 
*(uint16_t*)0x10000018 = htobe16(0x812b); *(uint8_t*)0x1000001a = 6; *(uint8_t*)0x1000001b = 0xa; *(uint16_t*)0x1000001c = htobe16(2); *(uint8_t*)0x1000001e = 0; *(uint8_t*)0x1000001f = 0; *(uint8_t*)0x10000020 = 0; *(uint8_t*)0x10000021 = 0; *(uint8_t*)0x10000022 = 0; *(uint8_t*)0x10000023 = 0; memcpy((void*)0x10000024, "\x49\xd3\x25\xff\xc3\x61\xb7\xdf\x0c\xd1", 10); *(uint8_t*)0x1000002e = 0xaa; *(uint8_t*)0x1000002f = 0xaa; *(uint8_t*)0x10000030 = 0xaa; *(uint8_t*)0x10000031 = 0xaa; *(uint8_t*)0x10000032 = 0xaa; *(uint8_t*)0x10000033 = 0xbb; memcpy((void*)0x10000034, "\x81\x43\x5a\xdd\x99\x35\x40\x09\x44\x5d\xd9\x4f\x88\xb4\x89\x24", 16); break; case 11: memcpy((void*)0x10000080, "\xdf\x75\x65\xc4\xe2\xc9\xae\x35\x00\x00\x00\x00\x66\x0f\x38\x03\x57\x52\x65\x66\x0f\x5f\xe4\x26\x0f\xf6\x6b\x00\xc4\xe1\xc5\xdb\x83\xc9\x00\x00\x00\xc4\xc1\xfa\x70\x83\x00\x80\x00\x00\x08\xf3\x0f\x1e\xfa\x0f\x0d\x69\x76\x36\xf3\x0f\x5b\xfb", 60); syz_execute_func(0x10000080); break; case 12: break; } } int main(void) { syscall(SYS_mmap, 0x10000000, 0x1000000, 7, 0x1012, -1, 0); use_temporary_dir(); do_sandbox_setuid(); return 0; } :334:11: error: use of undeclared identifier 'SYS___realpathat' syscall(SYS___realpathat, -1, 0x10000000, 0x10000040, 8, 0); ^ 1 error generated. 
compiler invocation: clang [-o /tmp/syz-executor138573907 -DGOOS_freebsd=1 -DGOARCH_386=1 -DHOSTGOOS_freebsd=1 -x c - -m32 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -static -lc++ -Wno-overflow] --- FAIL: TestGenerate/freebsd/386/10 (1.75s) csource_test.go:123: opts: {Threaded:true Collide:false Repeat:true RepeatTimes:0 Procs:0 Sandbox:none Fault:false FaultCall:0 FaultNth:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false USB:false VhciInjection:false Wifi:false UseTmpDir:false HandleSegv:false Repro:false Trace:false} program: __realpathat(0xffffffffffffffff, &(0x7f0000000000)='./file0\x00', &(0x7f0000000040)=""/8, 0x8, 0x0) getsockopt$inet6_sctp_SCTP_PEER_AUTH_CHUNKS(0xffffffffffffff9c, 0x84, 0x102, &(0x7f0000000080)={0x0, 0x2c, "62b731e5fc22a3896ac6142a20732d2e97c59348119c3364ac33637589f0a0bf0d2453a689736a74ea769dd5"}, &(0x7f00000000c0)=0x34) r1 = openat(0xffffffffffffff9c, &(0x7f0000000100)='./file0\x00', 0x0, 0x44) mknodat(r1, &(0x7f0000000140)='.\x00', 0x1, 0x1) r2 = getgid() setregid(r2, 0xffffffffffffffff) getresuid(&(0x7f0000000180), &(0x7f00000001c0), &(0x7f0000000200)) ioctl$DIOCGETALTQV1(r1, 0xc1304430, &(0x7f0000000240)="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") ioctl$DIOCRSETTFLAGS(r1, 0xc450444a, &(0x7f00000003c0)={{"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", "ab289979a2680ec5678ca2f69243ee515fadd8e8e6d59c968b2d89c013ed6012", 0x5, 0x7}, &(0x7f0000000340)="c1f79791e5374e62af4be8dbfad23a442bb6c0e5568ca98b716e4d91ccc6bc482ac8112393ab4b77fa22dd04722d6687272199a823b155fba282b7744f27a0b754f70b81d4f243ff827c81804ee873cc2037b6b9f185b75bd183891fef90a0f753bfef3058cbf145f945e2ed526c5d", 0x84, 0x4, 0x8, 0x7, 0x400, 0x8, 0x8, 0x81}) setsockopt$inet6_sctp_SCTP_RECONFIG_SUPPORTED(0xffffffffffffffff, 0x84, 0x29, &(0x7f0000000840)={r0, 0x8}, 0x8) syz_emit_ethernet(0x44, &(0x7f0000000000)={@broadcast, 
@random="34f75c76c0d1", [{[{0x88a8, 0x6}], {0x8100, 0x5, 0x1, 0x2}}], {@arp={0x806, @generic={0x18, 0x812b, 0x6, 0xa, 0x2, @empty, "49d325ffc361b7df0cd1", @remote, "81435add99354009445dd94f88b48924"}}}}) syz_execute_func(&(0x7f0000000080)="df7565c4e2c9ae3500000000660f3803575265660f5fe4260ff66b00c4e1c5db83c9000000c4c1fa70830080000008f30f1efa0f0d697636f30f5bfb") syz_extract_tcp_res(&(0x7f00000000c0), 0x5, 0x1) csource_test.go:124: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include static void kill_and_wait(int pid, int* status) { kill(pid, SIGKILL); while (waitpid(-1, status, 0) != pid) { } } static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); pthread_attr_setstacksize(&attr, 128 << 10); int i = 0; for (; i < 100; i++) { if (pthread_create(&th, &attr, fn, arg) == 0) { pthread_attr_destroy(&attr); return; } if (errno == EAGAIN) { usleep(50); continue; } break; } exit(1); } typedef struct { pthread_mutex_t mu; pthread_cond_t cv; int state; } event_t; static void event_init(event_t* ev) { if (pthread_mutex_init(&ev->mu, 0)) exit(1); if (pthread_cond_init(&ev->cv, 0)) exit(1); ev->state = 0; } static void event_reset(event_t* ev) { ev->state = 0; } static void event_set(event_t* ev) { pthread_mutex_lock(&ev->mu); if (ev->state) exit(1); ev->state = 1; pthread_mutex_unlock(&ev->mu); pthread_cond_broadcast(&ev->cv); } static void event_wait(event_t* ev) { pthread_mutex_lock(&ev->mu); while (!ev->state) pthread_cond_wait(&ev->cv, &ev->mu); 
pthread_mutex_unlock(&ev->mu);
}

// Returns the current value of ev->state, read while holding the mutex.
static int event_isset(event_t* ev)
{
  pthread_mutex_lock(&ev->mu);
  int res = ev->state;
  pthread_mutex_unlock(&ev->mu);
  return res;
}

// Waits until ev->state is set or roughly `timeout` milliseconds (measured
// with current_time_ms()) have passed; returns the final state.
// NOTE(review): ts is filled with the remaining interval, while POSIX
// pthread_cond_timedwait() takes an absolute deadline -- confirm against the
// target libc. The loop is still bounded by the `now - start > timeout` test.
static int event_timedwait(event_t* ev, uint64_t timeout)
{
  uint64_t start = current_time_ms();
  uint64_t now = start;
  pthread_mutex_lock(&ev->mu);
  for (;;) {
    if (ev->state)
      break;
    uint64_t remain = timeout - (now - start);
    struct timespec ts;
    ts.tv_sec = remain / 1000;
    ts.tv_nsec = (remain % 1000) * 1000 * 1000;
    pthread_cond_timedwait(&ev->cv, &ev->mu, &ts);
    now = current_time_ms();
    if (now - start > timeout)
      break;
  }
  int res = ev->state;
  pthread_mutex_unlock(&ev->mu);
  return res;
}

// Mask of bf_len bits starting at bit bf_off.
#define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off))
// Read-modify-write of one bitfield inside the `type`-sized word at addr.
// `htobe` is applied on load and store; execute_call passes it empty.
#define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len))))

// Starts a new session and caps resource limits for the process:
// address space 128 MiB, locked memory 8 MiB, file size 1 MiB, stack 1 MiB,
// no core dumps, 256 open files. Only setsid() failure is fatal; the
// setrlimit() results are not checked.
static void sandbox_common()
{
  if (setsid() == -1)
    exit(1);
  struct rlimit rlim;
  rlim.rlim_cur = rlim.rlim_max = 128 << 20;
  setrlimit(RLIMIT_AS, &rlim);
  rlim.rlim_cur = rlim.rlim_max = 8 << 20;
  setrlimit(RLIMIT_MEMLOCK, &rlim);
  rlim.rlim_cur = rlim.rlim_max = 1 << 20;
  setrlimit(RLIMIT_FSIZE, &rlim);
  rlim.rlim_cur = rlim.rlim_max = 1 << 20;
  setrlimit(RLIMIT_STACK, &rlim);
  rlim.rlim_cur = rlim.rlim_max = 0;
  setrlimit(RLIMIT_CORE, &rlim);
  rlim.rlim_cur = rlim.rlim_max = 256;
  setrlimit(RLIMIT_NOFILE, &rlim);
}

static void loop();

// "none" sandbox: apply the common limits, then run the fork loop. No
// privilege drop happens in this function.
static int do_sandbox_none(void)
{
  sandbox_common();
  loop();
  return 0;
}

// Calls the address in `text` as a void(void) function, i.e. executes
// whatever bytes are stored there. execute_call() invokes it on a buffer it
// has just filled with memcpy(); main() maps that region with protection
// argument 7.
static long syz_execute_func(volatile long text)
{
  volatile long p[8] = {0};
  (void)p;
  ((void (*)(void))(text))();
  return 0;
}

// Per-worker state: `created` marks a started thread, `call` is the index
// passed to execute_call(), ready/done are the hand-off events.
struct thread_t {
  int created, call;
  event_t ready, done;
};

static struct thread_t threads[16];
static void execute_call(int call);
// Number of calls handed to workers that have not finished yet.
static int running;

// Worker thread body: wait for `ready`, run the assigned call, decrement
// `running`, signal `done`, repeat forever.
static void* thr(void* arg)
{
  struct thread_t* th = (struct thread_t*)arg;
  for (;;) {
    event_wait(&th->ready);
    event_reset(&th->ready);
    execute_call(th->call);
    __atomic_fetch_sub(&running, 1,
                       __ATOMIC_RELAXED);
    event_set(&th->done);
  }
  return 0;
}

// Runs calls 0..12 once. Each call goes to the first worker whose `done`
// event is set (workers are created lazily) and is given up to 45 ms before
// the next call is scheduled; a worker that is still busy is skipped.
// Afterwards waits up to 100 x 1 ms for outstanding calls to finish.
static void execute_one(void)
{
  int i, call, thread;
  for (call = 0; call < 13; call++) {
    for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) {
      struct thread_t* th = &threads[thread];
      if (!th->created) {
        th->created = 1;
        event_init(&th->ready);
        event_init(&th->done);
        event_set(&th->done);
        thread_start(thr, th);
      }
      if (!event_isset(&th->done))
        continue;
      event_reset(&th->done);
      th->call = call;
      __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED);
      event_set(&th->ready);
      event_timedwait(&th->done, 45);
      break;
    }
  }
  for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++)
    sleep_ms(1);
}

static void execute_one(void);

#define WAIT_FLAGS 0

// Repeat loop: fork a child that runs execute_one() once, poll for its exit
// every millisecond, and SIGKILL it (via kill_and_wait) once 5 seconds have
// passed. Never returns.
static void loop(void)
{
  int iter = 0;
  for (;; iter++) {
    int pid = fork();
    if (pid < 0)
      exit(1);
    if (pid == 0) {
      execute_one();
      exit(0);
    }
    int status = 0;
    uint64_t start = current_time_ms();
    for (;;) {
      if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
        break;
      sleep_ms(1);
      if (current_time_ms() - start < 5 * 1000)
        continue;
      kill_and_wait(pid, &status);
      break;
    }
  }
}

// Result slots shared between calls (r[0], r[1], r[2] are filled by cases
// 1, 2 and 4 below when the syscall does not return -1).
uint64_t r[3] = {0x0, 0xffffffffffffffff, 0x0};

// Executes one call of the generated program, selected by index. Arguments
// are written to fixed addresses inside the region mapped by main().
void execute_call(int call)
{
  intptr_t res = 0;
  switch (call) {
  case 0:
    memcpy((void*)0x10000000, "./file0\000", 8);
    // This is the line the compiler rejects in the error that follows the
    // listing: SYS___realpathat is not declared by the headers used for this
    // freebsd/386 build, so the program never links.
    syscall(SYS___realpathat, -1, 0x10000000, 0x10000040, 8, 0);
    break;
  case 1:
    *(uint32_t*)0x10000080 = 0;
    *(uint32_t*)0x10000084 = 0x2c;
    memcpy((void*)0x10000088, "\x62\xb7\x31\xe5\xfc\x22\xa3\x89\x6a\xc6\x14\x2a\x20\x73\x2d\x2e\x97\xc5\x93\x48\x11\x9c\x33\x64\xac\x33\x63\x75\x89\xf0\xa0\xbf\x0d\x24\x53\xa6\x89\x73\x6a\x74\xea\x76\x9d\xd5", 44);
    *(uint32_t*)0x100000c0 = 0x34;
    res = syscall(SYS_getsockopt, 0xffffff9c, 0x84, 0x102, 0x10000080, 0x100000c0);
    if (res != -1)
      r[0] = *(uint32_t*)0x10000080;
    break;
  case 2:
    memcpy((void*)0x10000100, "./file0\000", 8);
    res = syscall(SYS_openat, 0xffffff9c, 0x10000100, 0, 0x44);
    if (res != -1)
      r[1] = res;
    break;
  case 3:
    memcpy((void*)0x10000140, ".\000", 2);
    syscall(SYS_mknodat,
(intptr_t)r[1], 0x10000140, 1, 1ull); break; case 4: res = syscall(SYS_getgid); if (res != -1) r[2] = res; break; case 5: syscall(SYS_setregid, (intptr_t)r[2], -1); break; case 6: syscall(SYS_getresuid, 0x10000180, 0x100001c0, 0x10000200); break; case 7: memcpy((void*)0x10000240, "\x08\x9a\xeb\x92\x13\x37\xee\x4b\xe0\x2b\x25\x24\xde\xba\x2f\xa2\xaa\x5f\xde\xc7\x43\xab\xfb\xa1\x03\xa7\x1a\xdb\x46\x6a\xe5\x66\xa8\x6e\x3b\x1b\xd5\xcf\xad\x07\x13\x41\x82\x93\xfe\x77\x9a\xc8\xf4\x0d\xd4\x64\x47\x05\x6a\x46\xf4\x13\x56\x14\x28\x0e\x54\xe4\xfc\xfe\x48\x7c\xba\xef\x1b\x5e\xcc\xb6\x5f\xf7\xc1\xf3\x0c\xb7\x6c\x4b\xb0\x32\xc3\x62\xf1\x50\x1f\x50\xa8\x7f\x03\x1c\x31\xf0\xf0\x44\x12\x24\x70\x15\xa8\x17\xdc\x8d\x57\xb6\x6b\x42\x4c\x42\x11\x5b\x16\xd2\xf8\x87\xa7\x9a\x73\xde\xab\x24\x72\x04\x0a\x70\x0e\xe0\x0e\xa1\xc3\x3b\xfd\x05\x72\x88\x5d\x52\x8c\x91\x01\xc3\xc3\x00\x98\x1a\x34\x25\x79\xad\x50\xe7\xa1\xc1\x38\xa0\x00\xe3\x78\x65\x0d\xe1\x6a\xbb\x78\xe2\x22\x9f\x64\x50\x99\xa9\x03\x8b\xc3\x17\xa7\xe9\x06\xcd\x48\x09\x73\x0a\x74\x1e\x3c\x94\x5a\x19\xcc\x3c\x5f\xad\xb4\x2f\x84\x5b\xda\xbc\x65\x17\x5a\x90\x61\xff\xe5\x37\x47\x39\x41\xee\x21\x18\x50\x5f\xda\xf4\x49\x56\xce\xde\xf6\x03\xa0\xc8\x2d\x39\xd1\x1d\xd6\xb9\x44\xdc\x92\x15\xe8\x61\x9a\x56\x52\xed\x68\x32\xd5\x32\xfe\x16\xbf\x62\xb6\x0c", 254); syscall(SYS_ioctl, (intptr_t)r[1], 0xc1304430, 0x10000240); break; case 8: memcpy((void*)0x100003c0, 
"\xd6\xfa\x81\x37\x38\x99\x4e\x7f\xbc\xd0\x82\x2a\xb8\x5e\x0d\xd4\x41\xa9\x52\x4f\xcd\x7c\x8a\x27\x91\x87\x82\x95\x02\x97\xb8\x7f\x70\x05\xd8\xd0\x7a\xfa\xc5\x3f\x2c\x3b\x08\xa3\x64\x6d\x6c\x7d\x18\x3c\x03\x5f\xb9\xec\xd4\x7e\x0a\x51\x4c\x31\xd1\xa7\x10\x63\x9b\xe6\xbb\x3e\xd9\xfe\x94\x83\x92\xaa\xb5\x6f\x61\xb2\x29\x87\x34\xa9\x79\x8a\x23\x65\x65\x75\xcb\x59\x0e\xec\x37\xbb\xd8\x8f\x3a\xd7\xfd\xc4\xe6\xae\xeb\x45\x26\x0e\x07\x96\x26\xfb\x76\x50\xe7\xa3\x0e\x36\x5c\xd1\x61\x7f\xfc\x78\x94\xf4\x81\x0e\x59\x2a\x10\x9f\x98\xa4\x30\x51\x3f\x91\x6f\x58\x70\xf2\xcd\x6f\xc8\x09\xf2\xc1\x53\x08\x66\x61\x0d\xa6\x8f\xce\xd1\xf6\x12\xc4\x86\x91\xda\xbc\x72\x7b\xa8\xfb\xb5\xeb\x06\x83\xf2\x19\x76\x7a\x3f\x4f\x32\x2c\x1a\x81\x30\x4b\x2a\xb4\x18\xa9\x26\x69\xf9\xd8\x1b\xcc\x63\x8b\xbd\x25\x9e\x0c\xe0\xc2\x54\xc1\x2a\x6e\xfa\xb2\x7f\x79\x9b\x0e\x61\x67\x90\x4e\x65\x9e\x35\x9e\xc3\x1a\x83\xcf\x82\x45\xd7\x17\xed\xe0\x39\xa4\x0a\x2e\xc0\x3b\x5a\x68\x69\xe2\x69\x01\x55\x79\xc6\x79\x94\x95\xfe\xcb\xdb\xdd\x09\xf2\xe2\x57\x51\xbd\x49\xd6\x20\x80\xc6\xa3\xad\xeb\x53\x39\x26\x00\x7b\x93\xae\x74\x68\x27\x55\xa6\xc6\x76\xa2\x56\x53\xab\xf0\x13\xa6\xe5\x00\x8b\x1c\xa4\x41\x0d\x58\xff\x4c\xac\xff\x23\x3f\x2d\xcb\x00\xd5\x79\xe6\x2c\xc9\x22\x8d\xdf\x84\xc9\x9c\xfa\x62\x94\x29\x25\x18\xc3\x18\x9c\x2c\x69\xdc\x3d\xe8\xbb\xd2\x1d\x10\x1e\xee\x91\x33\x4c\xd0\xbc\xef\xb9\x47\x74\xea\x26\x96\xca\x98\x00\x50\x8d\xd8\x4d\x66\xee\xd8\x1c\x34\x82\x43\x2d\xb9\x77\x54\xaf\xf0\xde\xd5\xb4\xd6\xa4\xbd\x64\x6c\x55\xe9\x07\x1a\xf6\xbc\x0e\xa9\x67\x7e\x09\x4f\x5f\x3e\xd7\x2b\x69\xa5\xc6\xc7\x01\xe2\xda\xe8\x94\x65\x6e\x52\x1f\xf3\x7c\xa1\x2e\x99\xbb\x4c\x5e\x73\xce\xbe\x83\xcf\xc0\xca\xe6\xce\x0b\x75\xb1\x12\x40\x6a\xf1\xbf\x21\x16\x62\x6c\x05\x95\xf7\xee\x62\x6b\xec\x0d\xda\x5c\x1c\x2c\x0a\xf5\x03\xd2\xf6\xbb\x74\x79\x5c\x93\x8c\x61\xfc\xad\x9f\x51\xc0\xdc\xd8\x83\x40\x3e\x68\x95\x2d\x34\x7f\x1b\x82\x86\x90\xbe\x2f\xe1\x82\x0f\xd1\x05\x2d\x10\x25\x2b\x91\xe7\x80\xd3\x5a\x17\x70\x6a\x6b\x71\x43\x7d\x78\x17\xd
0\x58\x9e\xb2\xeb\x98\x7c\xb4\x3d\x8b\x09\x47\xba\x9b\xfe\x7c\x51\x3c\xab\x3c\xe7\xd2\xa9\x26\x13\x65\xed\xcb\x70\xfa\xdd\x30\x3a\x4c\x03\x02\x5a\x9f\x82\xbd\x82\xda\x37\xf8\xc5\xcf\xf9\x88\x54\x8b\xfd\xbd\xdb\x97\x41\xcd\x08\x64\x05\xc0\xf4\xd5\x72\x73\x1f\x04\x5b\x9f\x14\xda\x39\xf4\x5d\x03\x85\x44\xb2\x0b\xfb\x15\x2a\xbd\xe3\x32\x71\x32\xcf\xd0\x95\x92\x3f\xe4\x7a\x7a\x24\x79\x59\x79\xf1\xab\x89\xa5\x0d\xbf\x40\xac\xf3\x54\x09\x46\x52\xf4\x28\x53\x95\xf3\xa6\xf6\x18\xf4\x50\x5e\x5e\x61\x19\xf7\xb8\x3d\xa6\x98\xbe\xa9\xd4\xb5\x3b\x0c\x56\x46\xa8\x5e\x45\xb9\xae\x74\x37\x5e\x32\x95\x16\x43\x22\x99\x21\x7c\x15\xe4\x97\x46\x53\xbf\xf7\xc3\x00\xe8\xb0\x18\x14\x33\xb3\x81\xf9\xf7\x01\x54\x0e\x5e\xcd\x7a\x36\xb1\x2c\x66\x01\xce\xd5\x80\xe7\x0b\x03\x69\x43\x70\xf1\x70\xdb\x27\xde\x99\x78\xde\xf7\xdc\xee\xf2\xa7\xdc\x93\xbb\xd4\x10\x57\x32\x33\xe8\x63\xb2\x53\x06\x6c\x54\xb9\x99\xc9\xab\xd5\x2e\xf5\x0b\x5e\x75\x41\x93\xd2\xcf\x36\x02\x94\xdf\xd6\x0d\xc6\x7f\x73\x11\x8a\xda\xf6\x82\x8c\x9f\xa9\x8b\x01\x93\x59\x35\x77\x87\x39\x37\x77\x4e\xa4\x51\x29\x35\xf0\xfd\x4b\x00\xef\xf3\xc0\xcb\x0e\x8a\xb9\x6f\x8b\x95\x2a\xb7\xca\x58\x79\xe6\xb5\x80\xac\x9d\x67\x60\x54\x91\xf8\x12\x1f\xec\x81\xb9\x2f\xfb\xb7\x03\xcf\x46\x2d\xc5\x57\x1c\xca\xf1\xb7\x34\x5a\xb1\x93\xd4\x30\x61\x18\xa3\xf1\x9b\xf2\x79\x5b\x5c\x50\xd7\xe6\x4a\x98\x0c\xc2\x52\xac\xc4\x0e\x8a\x60\x50\x35\xa1\x5d\x40\x6d\x86\x9a\x2b\xd2\x75\xa9\xbf\xbb\xaf\x0e\x4e\x3c\xc1\xb3\xec\xe4\xfd\x2d\x51\x9a\xa5\x40\xfc\x27\xdd\xfe\xc3\xcc\x0e\x3b\xd3\x5b\x68\xbc\x30\x9c\xf9\xba\x9e\xf5\xec\x47\x52\xe7\x2b\x9b\x36\x5f\xea\x7d\xbd\x38\xc6\x95\xa6\xe4\x6b\xa9\xf8\xf5\x69\xd8\x57\x1c\x21\x44\x72\x82\xd1\x01\x17\xe2\xfc\x31\x11\xa5\xb7\xc2\x46\x94\xd9\xfc\x33\x73\xbc\x9b\x34\xac\xbb\xba\xce\x29\x32\x22\x44\xb5\x45\xc8\xbd\x44\xc7\xa5\x41\x65\x5c\x47\xf6\xff\x02\x1f\x62\x58\x35\x71\xf2\x42\x60\xa4\x74\xb4\x09\xe0\x55\xee\x28\xce\xd6\xb1\xa2\xc8\x4b\x9a\xf8\x28\x2a\xfa\x5e\x4c\x29\xa5\x72\x5b\xba\x85\x76\xa3\x19\xd8\xa1\xd6\x3e\xd3\xbb\xd
3\x60\x57\x1c\x7c\x66\x34\xa4\x55\xb3\xd3\x52\xaf\xf5\x19\x2e\x5d\xe9\x4d\xc4\x40\x10\x6f\x69\x56", 1024); memcpy((void*)0x100007c0, "\xab\x28\x99\x79\xa2\x68\x0e\xc5\x67\x8c\xa2\xf6\x92\x43\xee\x51\x5f\xad\xd8\xe8\xe6\xd5\x9c\x96\x8b\x2d\x89\xc0\x13\xed\x60\x12", 32); *(uint32_t*)0x100007e0 = 5; *(uint8_t*)0x100007e4 = 7; *(uint32_t*)0x100007e8 = 0x10000340; memcpy((void*)0x10000340, "\xc1\xf7\x97\x91\xe5\x37\x4e\x62\xaf\x4b\xe8\xdb\xfa\xd2\x3a\x44\x2b\xb6\xc0\xe5\x56\x8c\xa9\x8b\x71\x6e\x4d\x91\xcc\xc6\xbc\x48\x2a\xc8\x11\x23\x93\xab\x4b\x77\xfa\x22\xdd\x04\x72\x2d\x66\x87\x27\x21\x99\xa8\x23\xb1\x55\xfb\xa2\x82\xb7\x74\x4f\x27\xa0\xb7\x54\xf7\x0b\x81\xd4\xf2\x43\xff\x82\x7c\x81\x80\x4e\xe8\x73\xcc\x20\x37\xb6\xb9\xf1\x85\xb7\x5b\xd1\x83\x89\x1f\xef\x90\xa0\xf7\x53\xbf\xef\x30\x58\xcb\xf1\x45\xf9\x45\xe2\xed\x52\x6c\x5d", 111); *(uint64_t*)0x100007ec = 0x84; *(uint64_t*)0x100007f4 = 4; *(uint64_t*)0x100007fc = 8; *(uint64_t*)0x10000804 = 7; *(uint64_t*)0x1000080c = 0x400; *(uint64_t*)0x10000814 = 8; *(uint64_t*)0x1000081c = 8; *(uint32_t*)0x10000824 = 0x81; syscall(SYS_ioctl, (intptr_t)r[1], 0xc450444a, 0x100003c0); break; case 9: *(uint32_t*)0x10000840 = r[0]; *(uint32_t*)0x10000844 = 8; syscall(SYS_setsockopt, -1, 0x84, 0x29, 0x10000840, 8); break; case 10: *(uint8_t*)0x10000000 = -1; *(uint8_t*)0x10000001 = -1; *(uint8_t*)0x10000002 = -1; *(uint8_t*)0x10000003 = -1; *(uint8_t*)0x10000004 = -1; *(uint8_t*)0x10000005 = -1; memcpy((void*)0x10000006, "\x34\xf7\x5c\x76\xc0\xd1", 6); *(uint16_t*)0x1000000c = htobe16(0x88a8); STORE_BY_BITMASK(uint16_t, , 0x1000000e, 6, 0, 3); STORE_BY_BITMASK(uint16_t, , 0x1000000e, 0, 3, 1); STORE_BY_BITMASK(uint16_t, , 0x1000000e, 0, 4, 12); *(uint16_t*)0x10000010 = htobe16(0x8100); STORE_BY_BITMASK(uint16_t, , 0x10000012, 5, 0, 3); STORE_BY_BITMASK(uint16_t, , 0x10000012, 1, 3, 1); STORE_BY_BITMASK(uint16_t, , 0x10000012, 2, 4, 12); *(uint16_t*)0x10000014 = htobe16(0x806); *(uint16_t*)0x10000016 = htobe16(0x18); 
*(uint16_t*)0x10000018 = htobe16(0x812b); *(uint8_t*)0x1000001a = 6; *(uint8_t*)0x1000001b = 0xa; *(uint16_t*)0x1000001c = htobe16(2); *(uint8_t*)0x1000001e = 0; *(uint8_t*)0x1000001f = 0; *(uint8_t*)0x10000020 = 0; *(uint8_t*)0x10000021 = 0; *(uint8_t*)0x10000022 = 0; *(uint8_t*)0x10000023 = 0; memcpy((void*)0x10000024, "\x49\xd3\x25\xff\xc3\x61\xb7\xdf\x0c\xd1", 10); *(uint8_t*)0x1000002e = 0xaa; *(uint8_t*)0x1000002f = 0xaa; *(uint8_t*)0x10000030 = 0xaa; *(uint8_t*)0x10000031 = 0xaa; *(uint8_t*)0x10000032 = 0xaa; *(uint8_t*)0x10000033 = 0xbb; memcpy((void*)0x10000034, "\x81\x43\x5a\xdd\x99\x35\x40\x09\x44\x5d\xd9\x4f\x88\xb4\x89\x24", 16); break; case 11: memcpy((void*)0x10000080, "\xdf\x75\x65\xc4\xe2\xc9\xae\x35\x00\x00\x00\x00\x66\x0f\x38\x03\x57\x52\x65\x66\x0f\x5f\xe4\x26\x0f\xf6\x6b\x00\xc4\xe1\xc5\xdb\x83\xc9\x00\x00\x00\xc4\xc1\xfa\x70\x83\x00\x80\x00\x00\x08\xf3\x0f\x1e\xfa\x0f\x0d\x69\x76\x36\xf3\x0f\x5b\xfb", 60); syz_execute_func(0x10000080); break; case 12: break; } } int main(void) { syscall(SYS_mmap, 0x10000000, 0x1000000, 7, 0x1012, -1, 0); do_sandbox_none(); return 0; } :258:11: error: use of undeclared identifier 'SYS___realpathat' syscall(SYS___realpathat, -1, 0x10000000, 0x10000040, 8, 0); ^ 1 error generated. 
compiler invocation: clang [-o /tmp/syz-executor182973250 -DGOOS_freebsd=1 -DGOARCH_386=1 -DHOSTGOOS_freebsd=1 -x c - -m32 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -static -lc++ -Wno-overflow] --- FAIL: TestGenerate/freebsd/386/9 (1.58s) csource_test.go:123: opts: {Threaded:true Collide:false Repeat:true RepeatTimes:0 Procs:0 Sandbox:none Fault:false FaultCall:0 FaultNth:0 Leak:false NetInjection:true NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false USB:false VhciInjection:false Wifi:false UseTmpDir:true HandleSegv:false Repro:false Trace:false} program: __realpathat(0xffffffffffffffff, &(0x7f0000000000)='./file0\x00', &(0x7f0000000040)=""/8, 0x8, 0x0) getsockopt$inet6_sctp_SCTP_PEER_AUTH_CHUNKS(0xffffffffffffff9c, 0x84, 0x102, &(0x7f0000000080)={0x0, 0x2c, "62b731e5fc22a3896ac6142a20732d2e97c59348119c3364ac33637589f0a0bf0d2453a689736a74ea769dd5"}, &(0x7f00000000c0)=0x34) r1 = openat(0xffffffffffffff9c, &(0x7f0000000100)='./file0\x00', 0x0, 0x44) mknodat(r1, &(0x7f0000000140)='.\x00', 0x1, 0x1) r2 = getgid() setregid(r2, 0xffffffffffffffff) getresuid(&(0x7f0000000180), &(0x7f00000001c0), &(0x7f0000000200)) ioctl$DIOCGETALTQV1(r1, 0xc1304430, &(0x7f0000000240)="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") ioctl$DIOCRSETTFLAGS(r1, 0xc450444a, &(0x7f00000003c0)={{"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", "ab289979a2680ec5678ca2f69243ee515fadd8e8e6d59c968b2d89c013ed6012", 0x5, 0x7}, &(0x7f0000000340)="c1f79791e5374e62af4be8dbfad23a442bb6c0e5568ca98b716e4d91ccc6bc482ac8112393ab4b77fa22dd04722d6687272199a823b155fba282b7744f27a0b754f70b81d4f243ff827c81804ee873cc2037b6b9f185b75bd183891fef90a0f753bfef3058cbf145f945e2ed526c5d", 0x84, 0x4, 0x8, 0x7, 0x400, 0x8, 0x8, 0x81}) setsockopt$inet6_sctp_SCTP_RECONFIG_SUPPORTED(0xffffffffffffffff, 0x84, 0x29, &(0x7f0000000840)={r0, 0x8}, 0x8) syz_emit_ethernet(0x44, &(0x7f0000000000)={@broadcast, 
@random="34f75c76c0d1", [{[{0x88a8, 0x6}], {0x8100, 0x5, 0x1, 0x2}}], {@arp={0x806, @generic={0x18, 0x812b, 0x6, 0xa, 0x2, @empty, "49d325ffc361b7df0cd1", @remote, "81435add99354009445dd94f88b48924"}}}}) syz_execute_func(&(0x7f0000000080)="df7565c4e2c9ae3500000000660f3803575265660f5fe4260ff66b00c4e1c5db83c9000000c4c1fa70830080000008f30f1efa0f0d697636f30f5bfb") syz_extract_tcp_res(&(0x7f00000000c0), 0x5, 0x1) csource_test.go:124: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include static unsigned long long procid; static void kill_and_wait(int pid, int* status) { kill(pid, SIGKILL); while (waitpid(-1, status, 0) != pid) { } } static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void use_temporary_dir(void) { char tmpdir_template[] = "./syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) exit(1); if (chmod(tmpdir, 0777)) exit(1); if (chdir(tmpdir)) exit(1); } static void __attribute__((noinline)) remove_dir(const char* dir) { DIR* dp = opendir(dir); if (dp == NULL) { if (errno == EACCES) { if (rmdir(dir)) exit(1); return; } exit(1); } struct dirent* ep = 0; while ((ep = readdir(dp))) { if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0) continue; char filename[FILENAME_MAX]; snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name); struct stat st; if (lstat(filename, &st)) exit(1); if (S_ISDIR(st.st_mode)) { remove_dir(filename); continue; } if (unlink(filename)) exit(1); } closedir(dp); if (rmdir(dir)) exit(1); } 
// Starts a detached-from-caller worker thread running fn(arg) with a 128 KiB
// stack. Retries up to 100 times, sleeping 50 us, while errno is EAGAIN;
// any other failure, or running out of retries, terminates the process.
// NOTE(review): pthread_create() reports failure through its return value;
// the retry path depends on errno also being set -- confirm for the target
// libc.
static void thread_start(void* (*fn)(void*), void* arg)
{
  pthread_t th;
  pthread_attr_t attr;
  pthread_attr_init(&attr);
  pthread_attr_setstacksize(&attr, 128 << 10);
  int i = 0;
  for (; i < 100; i++) {
    if (pthread_create(&th, &attr, fn, arg) == 0) {
      pthread_attr_destroy(&attr);
      return;
    }
    if (errno == EAGAIN) {
      usleep(50);
      continue;
    }
    break;
  }
  exit(1);
}

// One-shot event: a state flag guarded by a mutex and signalled through a
// condition variable.
typedef struct {
  pthread_mutex_t mu;
  pthread_cond_t cv;
  int state;
} event_t;

// Initialises the mutex and condition variable with default attributes and
// clears the flag; exits the process if either init call fails.
static void event_init(event_t* ev)
{
  if (pthread_mutex_init(&ev->mu, 0))
    exit(1);
  if (pthread_cond_init(&ev->cv, 0))
    exit(1);
  ev->state = 0;
}

// Clears the flag. Note that this write is done without taking ev->mu.
static void event_reset(event_t* ev)
{
  ev->state = 0;
}

// Sets the flag under the mutex and wakes all waiters. Setting an event that
// is already set is treated as a fatal error.
static void event_set(event_t* ev)
{
  pthread_mutex_lock(&ev->mu);
  if (ev->state)
    exit(1);
  ev->state = 1;
  pthread_mutex_unlock(&ev->mu);
  pthread_cond_broadcast(&ev->cv);
}

// Blocks until the flag is set.
static void event_wait(event_t* ev)
{
  pthread_mutex_lock(&ev->mu);
  while (!ev->state)
    pthread_cond_wait(&ev->cv, &ev->mu);
  pthread_mutex_unlock(&ev->mu);
}

// Returns the current value of the flag, read while holding the mutex.
static int event_isset(event_t* ev)
{
  pthread_mutex_lock(&ev->mu);
  int res = ev->state;
  pthread_mutex_unlock(&ev->mu);
  return res;
}

// Waits until the flag is set or roughly `timeout` milliseconds (measured
// with current_time_ms()) have passed; returns the final state.
// NOTE(review): ts is filled with the remaining interval, while POSIX
// pthread_cond_timedwait() takes an absolute deadline -- confirm against the
// target libc. The loop is still bounded by the `now - start > timeout` test.
static int event_timedwait(event_t* ev, uint64_t timeout)
{
  uint64_t start = current_time_ms();
  uint64_t now = start;
  pthread_mutex_lock(&ev->mu);
  for (;;) {
    if (ev->state)
      break;
    uint64_t remain = timeout - (now - start);
    struct timespec ts;
    ts.tv_sec = remain / 1000;
    ts.tv_nsec = (remain % 1000) * 1000 * 1000;
    pthread_cond_timedwait(&ev->cv, &ev->mu, &ts);
    now = current_time_ms();
    if (now - start > timeout)
      break;
  }
  int res = ev->state;
  pthread_mutex_unlock(&ev->mu);
  return res;
}

// Mask of bf_len bits starting at bit bf_off.
#define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off))
// Read-modify-write of one bitfield inside the `type`-sized word at addr.
// `htobe` is applied on load and store; execute_call passes it empty.
#define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len))))

// Descriptor of the tap device used for packet injection; -1 while closed.
static int tunfd = -1;

// Naming and addressing scheme for the per-process tap interface. The %d /
// %02hx slots are filled with the tun id (0 .. MAX_TUN-1).
#define MAX_TUN 4
#define TUN_IFACE "tap%d"
#define TUN_DEVICE "/dev/tap%d"
#define LOCAL_MAC "aa:aa:aa:aa:aa:aa"
#define REMOTE_MAC "aa:aa:aa:aa:aa:bb"
#define LOCAL_IPV4 "172.20.%d.170"
#define REMOTE_IPV4 "172.20.%d.187"
#define LOCAL_IPV6 "fe80::%02hxaa"
#define REMOTE_IPV6 "fe80::%02hxbb"

// vsnprintf() that terminates the process on an encoding error or when the
// output would not fit in `size` bytes, so callers never see truncation.
static void vsnprintf_check(char* str, size_t size, const char* format, va_list args)
{
  int rv = vsnprintf(str, size, format, args);
  if (rv < 0)
    exit(1);
  if ((size_t)rv >= size)
    exit(1);
}

// Variadic front end for vsnprintf_check().
static void snprintf_check(char* str, size_t size, const char* format, ...)
{
  va_list args;
  va_start(args, format);
  vsnprintf_check(str, size, format, args);
  va_end(args);
}

#define COMMAND_MAX_LEN 128
#define PATH_PREFIX "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin "
#define PATH_PREFIX_LEN (sizeof(PATH_PREFIX) - 1)

// Formats a command (at most COMMAND_MAX_LEN bytes including the NUL),
// prefixes it with a fixed PATH assignment and runs it through system().
// A non-zero result is fatal only when `panic` is true.
// The string is interpreted by the shell, so every format argument ends up
// as shell input; the callers in this listing pass only strings built from
// the constants above and the range-checked tun id.
static void execute_command(bool panic, const char* format, ...)
{
  va_list args;
  va_start(args, format);
  char command[PATH_PREFIX_LEN + COMMAND_MAX_LEN];
  memcpy(command, PATH_PREFIX, PATH_PREFIX_LEN);
  vsnprintf_check(command + PATH_PREFIX_LEN, COMMAND_MAX_LEN, format, args);
  va_end(args);
  int rv = system(command);
  if (rv) {
    if (panic)
      exit(1);
  }
}

// Opens and configures the tap interface for `tun_id`: device open (loading
// if_tap on ENOENT), descriptor moved to fd 240, then MAC, IPv4 and IPv6
// addresses plus static ARP/NDP entries for the remote peer. If the device
// cannot be opened the function prints a message and returns with tunfd
// still negative, which makes the syz_* network helpers no-ops.
static void initialize_tun(int tun_id)
{
  // The id is formatted into fixed-size buffers and shell commands below.
  if (tun_id < 0 || tun_id >= MAX_TUN) {
    exit(1);
  }
  // Buffers are sized from the format strings; snprintf_check() exits on
  // truncation rather than leaving a shortened name.
  char tun_device[sizeof(TUN_DEVICE)];
  snprintf_check(tun_device, sizeof(tun_device), TUN_DEVICE, tun_id);
  char tun_iface[sizeof(TUN_IFACE)];
  snprintf_check(tun_iface, sizeof(tun_iface), TUN_IFACE, tun_id);
  // NOTE(review): this passes the /dev path, while the later ifconfig calls
  // pass tun_iface -- confirm which is intended. Failure is ignored.
  execute_command(0, "ifconfig %s destroy", tun_device);
  tunfd = open(tun_device, O_RDWR | O_NONBLOCK);
  if ((tunfd < 0) && (errno == ENOENT)) {
    execute_command(0, "kldload -q if_tap");
    tunfd = open(tun_device, O_RDWR | O_NONBLOCK);
  }
  if (tunfd == -1) {
    printf("tun: can't open %s: errno=%d\n", tun_device, errno);
    return;
  }
  // Move the descriptor to a fixed high number and close the original.
  const int kTunFd = 240;
  if (dup2(tunfd, kTunFd) < 0)
    exit(1);
  close(tunfd);
  tunfd = kTunFd;
  char local_mac[sizeof(LOCAL_MAC)];
  snprintf_check(local_mac, sizeof(local_mac), LOCAL_MAC);
  execute_command(1, "ifconfig %s ether %s", tun_iface, local_mac);
  char local_ipv4[sizeof(LOCAL_IPV4)];
  snprintf_check(local_ipv4,
                 sizeof(local_ipv4), LOCAL_IPV4, tun_id);
  execute_command(1, "ifconfig %s inet %s netmask 255.255.255.0", tun_iface, local_ipv4);
  char remote_mac[sizeof(REMOTE_MAC)];
  char remote_ipv4[sizeof(REMOTE_IPV4)];
  snprintf_check(remote_mac, sizeof(remote_mac), REMOTE_MAC);
  snprintf_check(remote_ipv4, sizeof(remote_ipv4), REMOTE_IPV4, tun_id);
  // Neighbour entries are best effort (panic == 0).
  execute_command(0, "arp -s %s %s", remote_ipv4, remote_mac);
  char local_ipv6[sizeof(LOCAL_IPV6)];
  snprintf_check(local_ipv6, sizeof(local_ipv6), LOCAL_IPV6, tun_id);
  execute_command(1, "ifconfig %s inet6 %s", tun_iface, local_ipv6);
  char remote_ipv6[sizeof(REMOTE_IPV6)];
  snprintf_check(remote_ipv6, sizeof(remote_ipv6), REMOTE_IPV6, tun_id);
  execute_command(0, "ndp -s %s%%%s %s", remote_ipv6, tun_iface, remote_mac);
}

// Writes a0 bytes starting at address a1 to the tap device as one frame.
// Returns the write() result, or -1 when the device is not open. Length and
// pointer come straight from the generated program and are not validated.
static long syz_emit_ethernet(volatile long a0, volatile long a1)
{
  if (tunfd < 0)
    return (uintptr_t)-1;
  size_t length = a0;
  const char* data = (char*)a1;
  return write(tunfd, data, length);
}

// Reads one frame from the tap device. Returns the byte count, or -1 when
// the device is not open or nothing is queued (EAGAIN); any other read error
// terminates the process.
static int read_tun(char* data, int size)
{
  if (tunfd < 0)
    return -1;
  int rv = read(tunfd, data, size);
  if (rv < 0) {
    if (errno == EAGAIN)
      return -1;
    exit(1);
  }
  return rv;
}

// Output of syz_extract_tcp_res(): sequence and acknowledgement numbers,
// stored after htonl().
struct tcp_resources {
  uint32_t seq;
  uint32_t ack;
};

// Reads one frame (up to 1000 bytes) from the tap device, locates its TCP
// header and stores th_seq + a1 and th_ack + a2 into the tcp_resources
// struct at address a0. Returns 0 on success and -1 when no device, no
// frame, a short frame or a non-TCP payload is seen.
// Each header is length-checked against the received byte count before it is
// dereferenced.
static long syz_extract_tcp_res(volatile long a0, volatile long a1, volatile long a2)
{
  if (tunfd < 0)
    return (uintptr_t)-1;
  char data[1000];
  int rv = read_tun(&data[0], sizeof(data));
  if (rv == -1)
    return (uintptr_t)-1;
  size_t length = rv;
  if (length < sizeof(struct ether_header))
    return (uintptr_t)-1;
  struct ether_header* ethhdr = (struct ether_header*)&data[0];
  struct tcphdr* tcphdr = 0;
  if (ethhdr->ether_type == htons(ETHERTYPE_IP)) {
    if (length < sizeof(struct ether_header) + sizeof(struct ip))
      return (uintptr_t)-1;
    struct ip* iphdr = (struct ip*)&data[sizeof(struct ether_header)];
    if (iphdr->ip_p != IPPROTO_TCP)
      return (uintptr_t)-1;
    // ip_hl comes from the packet. The check bounds the far end of the TCP
    // header; a value below 5 is not rejected, so the TCP header may then
    // overlap the IP header while staying inside `data`.
    if (length < sizeof(struct ether_header) + iphdr->ip_hl * 4 + sizeof(struct tcphdr))
      return (uintptr_t)-1;
    tcphdr = (struct tcphdr*)&data[sizeof(struct ether_header) +
                                   iphdr->ip_hl * 4];
  } else {
    // Every other ethertype is parsed as IPv6, and only a TCP header that
    // directly follows the fixed IPv6 header is accepted (no extension
    // header walk).
    if (length < sizeof(struct ether_header) + sizeof(struct ip6_hdr))
      return (uintptr_t)-1;
    struct ip6_hdr* ipv6hdr = (struct ip6_hdr*)&data[sizeof(struct ether_header)];
    if (ipv6hdr->ip6_nxt != IPPROTO_TCP)
      return (uintptr_t)-1;
    if (length < sizeof(struct ether_header) + sizeof(struct ip6_hdr) + sizeof(struct tcphdr))
      return (uintptr_t)-1;
    tcphdr = (struct tcphdr*)&data[sizeof(struct ether_header) + sizeof(struct ip6_hdr)];
  }
  // a0 is used as a raw destination address supplied by the program.
  struct tcp_resources* res = (struct tcp_resources*)a0;
  res->seq = htonl(ntohl(tcphdr->th_seq) + (uint32_t)a1);
  res->ack = htonl(ntohl(tcphdr->th_ack) + (uint32_t)a2);
  return 0;
}

// Starts a new session and caps resource limits for the process:
// address space 128 MiB, locked memory 8 MiB, file size 1 MiB, stack 1 MiB,
// no core dumps, 256 open files. Only setsid() failure is fatal; the
// setrlimit() results are not checked.
static void sandbox_common()
{
  if (setsid() == -1)
    exit(1);
  struct rlimit rlim;
  rlim.rlim_cur = rlim.rlim_max = 128 << 20;
  setrlimit(RLIMIT_AS, &rlim);
  rlim.rlim_cur = rlim.rlim_max = 8 << 20;
  setrlimit(RLIMIT_MEMLOCK, &rlim);
  rlim.rlim_cur = rlim.rlim_max = 1 << 20;
  setrlimit(RLIMIT_FSIZE, &rlim);
  rlim.rlim_cur = rlim.rlim_max = 1 << 20;
  setrlimit(RLIMIT_STACK, &rlim);
  rlim.rlim_cur = rlim.rlim_max = 0;
  setrlimit(RLIMIT_CORE, &rlim);
  rlim.rlim_cur = rlim.rlim_max = 256;
  setrlimit(RLIMIT_NOFILE, &rlim);
}

static void loop();

// "none" sandbox: apply the common limits, set up the tap interface for this
// process id, then run the fork loop. No privilege drop happens in this
// function.
static int do_sandbox_none(void)
{
  sandbox_common();
  initialize_tun(procid);
  loop();
  return 0;
}

// Calls the address in `text` as a void(void) function, i.e. executes
// whatever bytes are stored there. execute_call() invokes it on a buffer it
// has just filled with memcpy(); main() maps that region with protection
// argument 7.
static long syz_execute_func(volatile long text)
{
  volatile long p[8] = {0};
  (void)p;
  ((void (*)(void))(text))();
  return 0;
}

// Per-worker state: `created` marks a started thread, `call` is the index
// passed to execute_call(), ready/done are the hand-off events.
struct thread_t {
  int created, call;
  event_t ready, done;
};

static struct thread_t threads[16];
static void execute_call(int call);
// Number of calls handed to workers that have not finished yet.
static int running;

// Worker thread body: wait for `ready`, run the assigned call, decrement
// `running`, signal `done`, repeat forever.
static void* thr(void* arg)
{
  struct thread_t* th = (struct thread_t*)arg;
  for (;;) {
    event_wait(&th->ready);
    event_reset(&th->ready);
    execute_call(th->call);
    __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED);
    event_set(&th->done);
  }
  return 0;
}

// Runs calls 0..12 once. Each call goes to the first worker whose `done`
// event is set (workers are created lazily) and is given up to 45 ms before
// the next call is scheduled; a worker that is still busy is skipped.
// Afterwards waits up to 100 x 1 ms for outstanding calls to finish.
static void execute_one(void)
{
  int i, call, thread;
  for (call = 0; call < 13; call++) {
    for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) {
      struct thread_t* th = &threads[thread];
      if (!th->created) {
        th->created = 1;
        event_init(&th->ready);
        event_init(&th->done);
        event_set(&th->done);
        thread_start(thr, th);
      }
      if (!event_isset(&th->done))
        continue;
      event_reset(&th->done);
      th->call = call;
      __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED);
      event_set(&th->ready);
      event_timedwait(&th->done, 45);
      break;
    }
  }
  for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++)
    sleep_ms(1);
}

static void execute_one(void);

#define WAIT_FLAGS 0

// Repeat loop: for each iteration create a fresh working directory
// "./<iter>", fork a child that enters it and runs execute_one() once, poll
// for the child's exit every millisecond, SIGKILL it (via kill_and_wait)
// once 5 seconds have passed, and finally remove the directory tree.
// Never returns.
static void loop(void)
{
  int iter = 0;
  for (;; iter++) {
    // "./" plus a decimal int fits the 32-byte buffer for a 32-bit int.
    char cwdbuf[32];
    sprintf(cwdbuf, "./%d", iter);
    if (mkdir(cwdbuf, 0777))
      exit(1);
    int pid = fork();
    if (pid < 0)
      exit(1);
    if (pid == 0) {
      if (chdir(cwdbuf))
        exit(1);
      execute_one();
      exit(0);
    }
    int status = 0;
    uint64_t start = current_time_ms();
    for (;;) {
      if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
        break;
      sleep_ms(1);
      if (current_time_ms() - start < 5 * 1000)
        continue;
      kill_and_wait(pid, &status);
      break;
    }
    remove_dir(cwdbuf);
  }
}

// Result slots shared between calls (r[0], r[1], r[2] are filled by cases
// 1, 2 and 4 below when the syscall does not return -1).
uint64_t r[3] = {0x0, 0xffffffffffffffff, 0x0};

// Executes one call of the generated program, selected by index. Arguments
// are written to fixed addresses inside the region mapped by main().
void execute_call(int call)
{
  intptr_t res = 0;
  switch (call) {
  case 0:
    memcpy((void*)0x10000000, "./file0\000", 8);
    // This is the line the compiler rejects in the error that follows the
    // listing: SYS___realpathat is not declared by the headers used for this
    // freebsd/386 build, so the program never links.
    syscall(SYS___realpathat, -1, 0x10000000, 0x10000040, 8, 0);
    break;
  case 1:
    *(uint32_t*)0x10000080 = 0;
    *(uint32_t*)0x10000084 = 0x2c;
    memcpy((void*)0x10000088, "\x62\xb7\x31\xe5\xfc\x22\xa3\x89\x6a\xc6\x14\x2a\x20\x73\x2d\x2e\x97\xc5\x93\x48\x11\x9c\x33\x64\xac\x33\x63\x75\x89\xf0\xa0\xbf\x0d\x24\x53\xa6\x89\x73\x6a\x74\xea\x76\x9d\xd5", 44);
    *(uint32_t*)0x100000c0 = 0x34;
    res = syscall(SYS_getsockopt, 0xffffff9c, 0x84, 0x102, 0x10000080, 0x100000c0);
    if (res != -1)
      r[0] = *(uint32_t*)0x10000080;
    break;
  case 2:
    memcpy((void*)0x10000100, "./file0\000", 8);
    res = syscall(SYS_openat, 0xffffff9c, 0x10000100, 0, 0x44);
    if (res != -1)
      r[1] = res;
    break;
  case 3:
    memcpy((void*)0x10000140, ".\000", 2);
    syscall(SYS_mknodat, (intptr_t)r[1], 0x10000140, 1, 1ull);
    break;
  case 4:
    res = syscall(SYS_getgid);
    if (res != -1)
      r[2] = res;
    break;
  case 5:
syscall(SYS_setregid, (intptr_t)r[2], -1); break; case 6: syscall(SYS_getresuid, 0x10000180, 0x100001c0, 0x10000200); break; case 7: memcpy((void*)0x10000240, "\x08\x9a\xeb\x92\x13\x37\xee\x4b\xe0\x2b\x25\x24\xde\xba\x2f\xa2\xaa\x5f\xde\xc7\x43\xab\xfb\xa1\x03\xa7\x1a\xdb\x46\x6a\xe5\x66\xa8\x6e\x3b\x1b\xd5\xcf\xad\x07\x13\x41\x82\x93\xfe\x77\x9a\xc8\xf4\x0d\xd4\x64\x47\x05\x6a\x46\xf4\x13\x56\x14\x28\x0e\x54\xe4\xfc\xfe\x48\x7c\xba\xef\x1b\x5e\xcc\xb6\x5f\xf7\xc1\xf3\x0c\xb7\x6c\x4b\xb0\x32\xc3\x62\xf1\x50\x1f\x50\xa8\x7f\x03\x1c\x31\xf0\xf0\x44\x12\x24\x70\x15\xa8\x17\xdc\x8d\x57\xb6\x6b\x42\x4c\x42\x11\x5b\x16\xd2\xf8\x87\xa7\x9a\x73\xde\xab\x24\x72\x04\x0a\x70\x0e\xe0\x0e\xa1\xc3\x3b\xfd\x05\x72\x88\x5d\x52\x8c\x91\x01\xc3\xc3\x00\x98\x1a\x34\x25\x79\xad\x50\xe7\xa1\xc1\x38\xa0\x00\xe3\x78\x65\x0d\xe1\x6a\xbb\x78\xe2\x22\x9f\x64\x50\x99\xa9\x03\x8b\xc3\x17\xa7\xe9\x06\xcd\x48\x09\x73\x0a\x74\x1e\x3c\x94\x5a\x19\xcc\x3c\x5f\xad\xb4\x2f\x84\x5b\xda\xbc\x65\x17\x5a\x90\x61\xff\xe5\x37\x47\x39\x41\xee\x21\x18\x50\x5f\xda\xf4\x49\x56\xce\xde\xf6\x03\xa0\xc8\x2d\x39\xd1\x1d\xd6\xb9\x44\xdc\x92\x15\xe8\x61\x9a\x56\x52\xed\x68\x32\xd5\x32\xfe\x16\xbf\x62\xb6\x0c", 254); syscall(SYS_ioctl, (intptr_t)r[1], 0xc1304430, 0x10000240); break; case 8: memcpy((void*)0x100003c0, 
"\xd6\xfa\x81\x37\x38\x99\x4e\x7f\xbc\xd0\x82\x2a\xb8\x5e\x0d\xd4\x41\xa9\x52\x4f\xcd\x7c\x8a\x27\x91\x87\x82\x95\x02\x97\xb8\x7f\x70\x05\xd8\xd0\x7a\xfa\xc5\x3f\x2c\x3b\x08\xa3\x64\x6d\x6c\x7d\x18\x3c\x03\x5f\xb9\xec\xd4\x7e\x0a\x51\x4c\x31\xd1\xa7\x10\x63\x9b\xe6\xbb\x3e\xd9\xfe\x94\x83\x92\xaa\xb5\x6f\x61\xb2\x29\x87\x34\xa9\x79\x8a\x23\x65\x65\x75\xcb\x59\x0e\xec\x37\xbb\xd8\x8f\x3a\xd7\xfd\xc4\xe6\xae\xeb\x45\x26\x0e\x07\x96\x26\xfb\x76\x50\xe7\xa3\x0e\x36\x5c\xd1\x61\x7f\xfc\x78\x94\xf4\x81\x0e\x59\x2a\x10\x9f\x98\xa4\x30\x51\x3f\x91\x6f\x58\x70\xf2\xcd\x6f\xc8\x09\xf2\xc1\x53\x08\x66\x61\x0d\xa6\x8f\xce\xd1\xf6\x12\xc4\x86\x91\xda\xbc\x72\x7b\xa8\xfb\xb5\xeb\x06\x83\xf2\x19\x76\x7a\x3f\x4f\x32\x2c\x1a\x81\x30\x4b\x2a\xb4\x18\xa9\x26\x69\xf9\xd8\x1b\xcc\x63\x8b\xbd\x25\x9e\x0c\xe0\xc2\x54\xc1\x2a\x6e\xfa\xb2\x7f\x79\x9b\x0e\x61\x67\x90\x4e\x65\x9e\x35\x9e\xc3\x1a\x83\xcf\x82\x45\xd7\x17\xed\xe0\x39\xa4\x0a\x2e\xc0\x3b\x5a\x68\x69\xe2\x69\x01\x55\x79\xc6\x79\x94\x95\xfe\xcb\xdb\xdd\x09\xf2\xe2\x57\x51\xbd\x49\xd6\x20\x80\xc6\xa3\xad\xeb\x53\x39\x26\x00\x7b\x93\xae\x74\x68\x27\x55\xa6\xc6\x76\xa2\x56\x53\xab\xf0\x13\xa6\xe5\x00\x8b\x1c\xa4\x41\x0d\x58\xff\x4c\xac\xff\x23\x3f\x2d\xcb\x00\xd5\x79\xe6\x2c\xc9\x22\x8d\xdf\x84\xc9\x9c\xfa\x62\x94\x29\x25\x18\xc3\x18\x9c\x2c\x69\xdc\x3d\xe8\xbb\xd2\x1d\x10\x1e\xee\x91\x33\x4c\xd0\xbc\xef\xb9\x47\x74\xea\x26\x96\xca\x98\x00\x50\x8d\xd8\x4d\x66\xee\xd8\x1c\x34\x82\x43\x2d\xb9\x77\x54\xaf\xf0\xde\xd5\xb4\xd6\xa4\xbd\x64\x6c\x55\xe9\x07\x1a\xf6\xbc\x0e\xa9\x67\x7e\x09\x4f\x5f\x3e\xd7\x2b\x69\xa5\xc6\xc7\x01\xe2\xda\xe8\x94\x65\x6e\x52\x1f\xf3\x7c\xa1\x2e\x99\xbb\x4c\x5e\x73\xce\xbe\x83\xcf\xc0\xca\xe6\xce\x0b\x75\xb1\x12\x40\x6a\xf1\xbf\x21\x16\x62\x6c\x05\x95\xf7\xee\x62\x6b\xec\x0d\xda\x5c\x1c\x2c\x0a\xf5\x03\xd2\xf6\xbb\x74\x79\x5c\x93\x8c\x61\xfc\xad\x9f\x51\xc0\xdc\xd8\x83\x40\x3e\x68\x95\x2d\x34\x7f\x1b\x82\x86\x90\xbe\x2f\xe1\x82\x0f\xd1\x05\x2d\x10\x25\x2b\x91\xe7\x80\xd3\x5a\x17\x70\x6a\x6b\x71\x43\x7d\x78\x17\xd
0\x58\x9e\xb2\xeb\x98\x7c\xb4\x3d\x8b\x09\x47\xba\x9b\xfe\x7c\x51\x3c\xab\x3c\xe7\xd2\xa9\x26\x13\x65\xed\xcb\x70\xfa\xdd\x30\x3a\x4c\x03\x02\x5a\x9f\x82\xbd\x82\xda\x37\xf8\xc5\xcf\xf9\x88\x54\x8b\xfd\xbd\xdb\x97\x41\xcd\x08\x64\x05\xc0\xf4\xd5\x72\x73\x1f\x04\x5b\x9f\x14\xda\x39\xf4\x5d\x03\x85\x44\xb2\x0b\xfb\x15\x2a\xbd\xe3\x32\x71\x32\xcf\xd0\x95\x92\x3f\xe4\x7a\x7a\x24\x79\x59\x79\xf1\xab\x89\xa5\x0d\xbf\x40\xac\xf3\x54\x09\x46\x52\xf4\x28\x53\x95\xf3\xa6\xf6\x18\xf4\x50\x5e\x5e\x61\x19\xf7\xb8\x3d\xa6\x98\xbe\xa9\xd4\xb5\x3b\x0c\x56\x46\xa8\x5e\x45\xb9\xae\x74\x37\x5e\x32\x95\x16\x43\x22\x99\x21\x7c\x15\xe4\x97\x46\x53\xbf\xf7\xc3\x00\xe8\xb0\x18\x14\x33\xb3\x81\xf9\xf7\x01\x54\x0e\x5e\xcd\x7a\x36\xb1\x2c\x66\x01\xce\xd5\x80\xe7\x0b\x03\x69\x43\x70\xf1\x70\xdb\x27\xde\x99\x78\xde\xf7\xdc\xee\xf2\xa7\xdc\x93\xbb\xd4\x10\x57\x32\x33\xe8\x63\xb2\x53\x06\x6c\x54\xb9\x99\xc9\xab\xd5\x2e\xf5\x0b\x5e\x75\x41\x93\xd2\xcf\x36\x02\x94\xdf\xd6\x0d\xc6\x7f\x73\x11\x8a\xda\xf6\x82\x8c\x9f\xa9\x8b\x01\x93\x59\x35\x77\x87\x39\x37\x77\x4e\xa4\x51\x29\x35\xf0\xfd\x4b\x00\xef\xf3\xc0\xcb\x0e\x8a\xb9\x6f\x8b\x95\x2a\xb7\xca\x58\x79\xe6\xb5\x80\xac\x9d\x67\x60\x54\x91\xf8\x12\x1f\xec\x81\xb9\x2f\xfb\xb7\x03\xcf\x46\x2d\xc5\x57\x1c\xca\xf1\xb7\x34\x5a\xb1\x93\xd4\x30\x61\x18\xa3\xf1\x9b\xf2\x79\x5b\x5c\x50\xd7\xe6\x4a\x98\x0c\xc2\x52\xac\xc4\x0e\x8a\x60\x50\x35\xa1\x5d\x40\x6d\x86\x9a\x2b\xd2\x75\xa9\xbf\xbb\xaf\x0e\x4e\x3c\xc1\xb3\xec\xe4\xfd\x2d\x51\x9a\xa5\x40\xfc\x27\xdd\xfe\xc3\xcc\x0e\x3b\xd3\x5b\x68\xbc\x30\x9c\xf9\xba\x9e\xf5\xec\x47\x52\xe7\x2b\x9b\x36\x5f\xea\x7d\xbd\x38\xc6\x95\xa6\xe4\x6b\xa9\xf8\xf5\x69\xd8\x57\x1c\x21\x44\x72\x82\xd1\x01\x17\xe2\xfc\x31\x11\xa5\xb7\xc2\x46\x94\xd9\xfc\x33\x73\xbc\x9b\x34\xac\xbb\xba\xce\x29\x32\x22\x44\xb5\x45\xc8\xbd\x44\xc7\xa5\x41\x65\x5c\x47\xf6\xff\x02\x1f\x62\x58\x35\x71\xf2\x42\x60\xa4\x74\xb4\x09\xe0\x55\xee\x28\xce\xd6\xb1\xa2\xc8\x4b\x9a\xf8\x28\x2a\xfa\x5e\x4c\x29\xa5\x72\x5b\xba\x85\x76\xa3\x19\xd8\xa1\xd6\x3e\xd3\xbb\xd
3\x60\x57\x1c\x7c\x66\x34\xa4\x55\xb3\xd3\x52\xaf\xf5\x19\x2e\x5d\xe9\x4d\xc4\x40\x10\x6f\x69\x56", 1024); memcpy((void*)0x100007c0, "\xab\x28\x99\x79\xa2\x68\x0e\xc5\x67\x8c\xa2\xf6\x92\x43\xee\x51\x5f\xad\xd8\xe8\xe6\xd5\x9c\x96\x8b\x2d\x89\xc0\x13\xed\x60\x12", 32); *(uint32_t*)0x100007e0 = 5; *(uint8_t*)0x100007e4 = 7; *(uint32_t*)0x100007e8 = 0x10000340; memcpy((void*)0x10000340, "\xc1\xf7\x97\x91\xe5\x37\x4e\x62\xaf\x4b\xe8\xdb\xfa\xd2\x3a\x44\x2b\xb6\xc0\xe5\x56\x8c\xa9\x8b\x71\x6e\x4d\x91\xcc\xc6\xbc\x48\x2a\xc8\x11\x23\x93\xab\x4b\x77\xfa\x22\xdd\x04\x72\x2d\x66\x87\x27\x21\x99\xa8\x23\xb1\x55\xfb\xa2\x82\xb7\x74\x4f\x27\xa0\xb7\x54\xf7\x0b\x81\xd4\xf2\x43\xff\x82\x7c\x81\x80\x4e\xe8\x73\xcc\x20\x37\xb6\xb9\xf1\x85\xb7\x5b\xd1\x83\x89\x1f\xef\x90\xa0\xf7\x53\xbf\xef\x30\x58\xcb\xf1\x45\xf9\x45\xe2\xed\x52\x6c\x5d", 111); *(uint64_t*)0x100007ec = 0x84; *(uint64_t*)0x100007f4 = 4; *(uint64_t*)0x100007fc = 8; *(uint64_t*)0x10000804 = 7; *(uint64_t*)0x1000080c = 0x400; *(uint64_t*)0x10000814 = 8; *(uint64_t*)0x1000081c = 8; *(uint32_t*)0x10000824 = 0x81; syscall(SYS_ioctl, (intptr_t)r[1], 0xc450444a, 0x100003c0); break; case 9: *(uint32_t*)0x10000840 = r[0]; *(uint32_t*)0x10000844 = 8; syscall(SYS_setsockopt, -1, 0x84, 0x29, 0x10000840, 8); break; case 10: *(uint8_t*)0x10000000 = -1; *(uint8_t*)0x10000001 = -1; *(uint8_t*)0x10000002 = -1; *(uint8_t*)0x10000003 = -1; *(uint8_t*)0x10000004 = -1; *(uint8_t*)0x10000005 = -1; memcpy((void*)0x10000006, "\x34\xf7\x5c\x76\xc0\xd1", 6); *(uint16_t*)0x1000000c = htobe16(0x88a8); STORE_BY_BITMASK(uint16_t, , 0x1000000e, 6, 0, 3); STORE_BY_BITMASK(uint16_t, , 0x1000000e, 0, 3, 1); STORE_BY_BITMASK(uint16_t, , 0x1000000e, 0, 4, 12); *(uint16_t*)0x10000010 = htobe16(0x8100); STORE_BY_BITMASK(uint16_t, , 0x10000012, 5, 0, 3); STORE_BY_BITMASK(uint16_t, , 0x10000012, 1, 3, 1); STORE_BY_BITMASK(uint16_t, , 0x10000012, 2, 4, 12); *(uint16_t*)0x10000014 = htobe16(0x806); *(uint16_t*)0x10000016 = htobe16(0x18); 
*(uint16_t*)0x10000018 = htobe16(0x812b); *(uint8_t*)0x1000001a = 6; *(uint8_t*)0x1000001b = 0xa; *(uint16_t*)0x1000001c = htobe16(2); *(uint8_t*)0x1000001e = 0; *(uint8_t*)0x1000001f = 0; *(uint8_t*)0x10000020 = 0; *(uint8_t*)0x10000021 = 0; *(uint8_t*)0x10000022 = 0; *(uint8_t*)0x10000023 = 0; memcpy((void*)0x10000024, "\x49\xd3\x25\xff\xc3\x61\xb7\xdf\x0c\xd1", 10); *(uint8_t*)0x1000002e = 0xaa; *(uint8_t*)0x1000002f = 0xaa; *(uint8_t*)0x10000030 = 0xaa; *(uint8_t*)0x10000031 = 0xaa; *(uint8_t*)0x10000032 = 0xaa; *(uint8_t*)0x10000033 = 0xbb; memcpy((void*)0x10000034, "\x81\x43\x5a\xdd\x99\x35\x40\x09\x44\x5d\xd9\x4f\x88\xb4\x89\x24", 16); syz_emit_ethernet(0x44, 0x10000000); break; case 11: memcpy((void*)0x10000080, "\xdf\x75\x65\xc4\xe2\xc9\xae\x35\x00\x00\x00\x00\x66\x0f\x38\x03\x57\x52\x65\x66\x0f\x5f\xe4\x26\x0f\xf6\x6b\x00\xc4\xe1\xc5\xdb\x83\xc9\x00\x00\x00\xc4\xc1\xfa\x70\x83\x00\x80\x00\x00\x08\xf3\x0f\x1e\xfa\x0f\x0d\x69\x76\x36\xf3\x0f\x5b\xfb", 60); syz_execute_func(0x10000080); break; case 12: syz_extract_tcp_res(0x100000c0, 5, 1); break; } } int main(void) { syscall(SYS_mmap, 0x10000000, 0x1000000, 7, 0x1012, -1, 0); use_temporary_dir(); do_sandbox_none(); return 0; } :483:11: error: use of undeclared identifier 'SYS___realpathat' syscall(SYS___realpathat, -1, 0x10000000, 0x10000040, 8, 0); ^ 1 error generated. 
compiler invocation: clang [-o /tmp/syz-executor007074244 -DGOOS_freebsd=1 -DGOARCH_386=1 -DHOSTGOOS_freebsd=1 -x c - -m32 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -static -lc++ -Wno-overflow] --- FAIL: TestGenerate/freebsd/386/7 (1.53s) csource_test.go:123: opts: {Threaded:true Collide:false Repeat:true RepeatTimes:0 Procs:0 Sandbox: Fault:false FaultCall:0 FaultNth:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false USB:false VhciInjection:false Wifi:false UseTmpDir:true HandleSegv:false Repro:false Trace:false} program: __realpathat(0xffffffffffffffff, &(0x7f0000000000)='./file0\x00', &(0x7f0000000040)=""/8, 0x8, 0x0) getsockopt$inet6_sctp_SCTP_PEER_AUTH_CHUNKS(0xffffffffffffff9c, 0x84, 0x102, &(0x7f0000000080)={0x0, 0x2c, "62b731e5fc22a3896ac6142a20732d2e97c59348119c3364ac33637589f0a0bf0d2453a689736a74ea769dd5"}, &(0x7f00000000c0)=0x34) r1 = openat(0xffffffffffffff9c, &(0x7f0000000100)='./file0\x00', 0x0, 0x44) mknodat(r1, &(0x7f0000000140)='.\x00', 0x1, 0x1) r2 = getgid() setregid(r2, 0xffffffffffffffff) getresuid(&(0x7f0000000180), &(0x7f00000001c0), &(0x7f0000000200)) ioctl$DIOCGETALTQV1(r1, 0xc1304430, &(0x7f0000000240)="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") ioctl$DIOCRSETTFLAGS(r1, 0xc450444a, &(0x7f00000003c0)={{"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", "ab289979a2680ec5678ca2f69243ee515fadd8e8e6d59c968b2d89c013ed6012", 0x5, 0x7}, &(0x7f0000000340)="c1f79791e5374e62af4be8dbfad23a442bb6c0e5568ca98b716e4d91ccc6bc482ac8112393ab4b77fa22dd04722d6687272199a823b155fba282b7744f27a0b754f70b81d4f243ff827c81804ee873cc2037b6b9f185b75bd183891fef90a0f753bfef3058cbf145f945e2ed526c5d", 0x84, 0x4, 0x8, 0x7, 0x400, 0x8, 0x8, 0x81}) setsockopt$inet6_sctp_SCTP_RECONFIG_SUPPORTED(0xffffffffffffffff, 0x84, 0x29, &(0x7f0000000840)={r0, 0x8}, 0x8) syz_emit_ethernet(0x44, &(0x7f0000000000)={@broadcast, 
@random="34f75c76c0d1", [{[{0x88a8, 0x6}], {0x8100, 0x5, 0x1, 0x2}}], {@arp={0x806, @generic={0x18, 0x812b, 0x6, 0xa, 0x2, @empty, "49d325ffc361b7df0cd1", @remote, "81435add99354009445dd94f88b48924"}}}}) syz_execute_func(&(0x7f0000000080)="df7565c4e2c9ae3500000000660f3803575265660f5fe4260ff66b00c4e1c5db83c9000000c4c1fa70830080000008f30f1efa0f0d697636f30f5bfb") syz_extract_tcp_res(&(0x7f00000000c0), 0x5, 0x1) csource_test.go:124: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include static void kill_and_wait(int pid, int* status) { kill(pid, SIGKILL); while (waitpid(-1, status, 0) != pid) { } } static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void use_temporary_dir(void) { char tmpdir_template[] = "./syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) exit(1); if (chmod(tmpdir, 0777)) exit(1); if (chdir(tmpdir)) exit(1); } static void __attribute__((noinline)) remove_dir(const char* dir) { DIR* dp = opendir(dir); if (dp == NULL) { if (errno == EACCES) { if (rmdir(dir)) exit(1); return; } exit(1); } struct dirent* ep = 0; while ((ep = readdir(dp))) { if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0) continue; char filename[FILENAME_MAX]; snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name); struct stat st; if (lstat(filename, &st)) exit(1); if (S_ISDIR(st.st_mode)) { remove_dir(filename); continue; } if (unlink(filename)) exit(1); } closedir(dp); if (rmdir(dir)) exit(1); } static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); 
// Tail of thread_start(): its signature and the pthread_attr_init() call precede this point.
    // Ask for a 128 KiB stack for each worker thread.
    pthread_attr_setstacksize(&attr, 128 << 10);
    int i = 0;
    // Try to create the thread up to 100 times before giving up.
    for (; i < 100; i++) {
        if (pthread_create(&th, &attr, fn, arg) == 0) {
            pthread_attr_destroy(&attr);
            return;
        }
        // NOTE(review): pthread_create reports failure through its return value,
        // so this errno test may not see EAGAIN -- confirm against the target libc.
        if (errno == EAGAIN) {
            usleep(50);
            continue;
        }
        break;
    }
    // Any other failure, or 100 failed attempts, aborts the whole process.
    exit(1);
}

// One-shot event: a flag guarded by a mutex, with a condition variable for waiters.
typedef struct {
    pthread_mutex_t mu;
    pthread_cond_t cv;
    int state; // 0 = not set, 1 = set
} event_t;

// Initialises the mutex and condition variable; exits the process if either fails.
static void event_init(event_t* ev)
{
    if (pthread_mutex_init(&ev->mu, 0))
        exit(1);
    if (pthread_cond_init(&ev->cv, 0))
        exit(1);
    ev->state = 0;
}

// Clears the flag. Note that this write is done without taking ev->mu.
static void event_reset(event_t* ev)
{
    ev->state = 0;
}

// Sets the flag and wakes all waiters. Setting an already-set event is treated
// as a fatal error (exit(1)).
static void event_set(event_t* ev)
{
    pthread_mutex_lock(&ev->mu);
    if (ev->state)
        exit(1);
    ev->state = 1;
    pthread_mutex_unlock(&ev->mu);
    pthread_cond_broadcast(&ev->cv);
}

// Blocks until the flag is set.
static void event_wait(event_t* ev)
{
    pthread_mutex_lock(&ev->mu);
    // Loop guards against wakeups that arrive while the flag is still clear.
    while (!ev->state)
        pthread_cond_wait(&ev->cv, &ev->mu);
    pthread_mutex_unlock(&ev->mu);
}

// Returns the current flag value, read under the mutex.
static int event_isset(event_t* ev)
{
    pthread_mutex_lock(&ev->mu);
    int res = ev->state;
    pthread_mutex_unlock(&ev->mu);
    return res;
}

// Waits until the flag is set or roughly `timeout` milliseconds have passed
// (time is measured with current_time_ms()). Returns the flag value seen last.
static int event_timedwait(event_t* ev, uint64_t timeout)
{
    uint64_t start = current_time_ms();
    uint64_t now = start;
    pthread_mutex_lock(&ev->mu);
    for (;;) {
        if (ev->state)
            break;
        uint64_t remain = timeout - (now - start);
        struct timespec ts;
        ts.tv_sec = remain / 1000;
        ts.tv_nsec = (remain % 1000) * 1000 * 1000;
        // NOTE(review): POSIX pthread_cond_timedwait takes an absolute deadline, but ts
        // holds only the remaining duration. The call probably times out at once and
        // the loop polls until `timeout` has elapsed -- confirm on the target platform.
        pthread_cond_timedwait(&ev->cv, &ev->mu, &ts);
        now = current_time_ms();
        if (now - start > timeout)
            break;
    }
    int res = ev->state;
    pthread_mutex_unlock(&ev->mu);
    return res;
}

// Mask of bf_len bits starting at bit bf_off.
#define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off))
// Read-modify-write of a bitfield at `addr`: only the bits selected by BITMASK are replaced
// with `val`. `htobe` is applied on load and on store; callers pass it empty for no conversion.
#define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len))))

// Treats `text` as the address of a void(void) function and calls it. The bytes at that
// address are whatever the generated program copied there, so this runs fuzzer-chosen
// machine code by design. Always returns 0.
static long syz_execute_func(volatile long text)
{
    // Unused volatile array; presumably stack padding for the called code -- TODO confirm.
    volatile long p[8] = {0};
    (void)p;
    ((void (*)(void))(text))();
    return 0;
}

// Per-worker state: whether the thread exists, which call it should run, and the
// two events used to hand work over (ready) and report completion (done).
struct thread_t {
    int created, call;
    event_t ready, done;
};

static struct thread_t threads[16];
static void execute_call(int call);
// Number of calls currently in flight; updated with relaxed atomics.
static int
running;

// Worker thread body: wait for a call number, run it, signal completion, repeat forever.
static void* thr(void* arg)
{
    struct thread_t* th = (struct thread_t*)arg;
    for (;;) {
        event_wait(&th->ready);
        event_reset(&th->ready);
        execute_call(th->call);
        __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED);
        event_set(&th->done);
    }
    // Not reached: the loop above has no exit.
    return 0;
}

// Runs the 13 calls of the program once, handing each to the first idle worker.
static void execute_one(void)
{
    int i, call, thread;
    for (call = 0; call < 13; call++) {
        for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) {
            struct thread_t* th = &threads[thread];
            // Workers are created lazily; a new worker starts with `done` set (idle).
            if (!th->created) {
                th->created = 1;
                event_init(&th->ready);
                event_init(&th->done);
                event_set(&th->done);
                thread_start(thr, th);
            }
            // Skip workers still busy with an earlier call.
            if (!event_isset(&th->done))
                continue;
            event_reset(&th->done);
            th->call = call;
            __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED);
            event_set(&th->ready);
            // Wait up to 45 ms; a call that is still blocked is left running and
            // the next call goes to another worker.
            event_timedwait(&th->done, 45);
            break;
        }
    }
    // Give outstanding calls up to 100 x 1 ms to finish.
    for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++)
        sleep_ms(1);
}

// Declaration repeated after the definition above; harmless in C.
static void execute_one(void);

#define WAIT_FLAGS 0

// Repeats the program forever: each iteration runs it in a forked child inside a
// fresh working directory, bounds the child to about 5 seconds, then removes the directory.
static void loop(void)
{
    int iter = 0;
    for (;; iter++) {
        // "./" plus a decimal int and the terminator fits in 32 bytes.
        char cwdbuf[32];
        sprintf(cwdbuf, "./%d", iter);
        if (mkdir(cwdbuf, 0777))
            exit(1);
        int pid = fork();
        if (pid < 0)
            exit(1);
        if (pid == 0) {
            // Child: run the program once inside the per-iteration directory.
            if (chdir(cwdbuf))
                exit(1);
            execute_one();
            exit(0);
        }
        int status = 0;
        uint64_t start = current_time_ms();
        // Parent: poll for the child once per millisecond.
        for (;;) {
            if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
                break;
            sleep_ms(1);
            if (current_time_ms() - start < 5 * 1000)
                continue;
            // Child exceeded 5 seconds: SIGKILL it and reap it.
            kill_and_wait(pid, &status);
            break;
        }
        remove_dir(cwdbuf);
    }
}

// Result slots shared between calls; later cases store syscall results here and
// pass them on as arguments.
uint64_t r[3] = {0x0, 0xffffffffffffffff, 0x0};

// Runs call number `call` of the generated program. Arguments are staged at fixed
// addresses in the region that main() maps at 0x10000000. The body continues past
// the end of this span.
void execute_call(int call)
{
    intptr_t res = 0;
    switch (call) {
    case 0:
        memcpy((void*)0x10000000, "./file0\000", 8);
        // This is the line clang rejects in the surrounding log: SYS___realpathat is
        // not declared by the headers this freebsd/386 build used.
        syscall(SYS___realpathat, -1, 0x10000000, 0x10000040, 8, 0);
        break;
    case 1:
        *(uint32_t*)0x10000080 = 0;
        *(uint32_t*)0x10000084 = 0x2c;
        // 44 (0x2c) bytes of payload follow the two 32-bit header fields.
        memcpy((void*)0x10000088, "\x62\xb7\x31\xe5\xfc\x22\xa3\x89\x6a\xc6\x14\x2a\x20\x73\x2d\x2e\x97\xc5\x93\x48\x11\x9c\x33\x64\xac\x33\x63\x75\x89\xf0\xa0\xbf\x0d\x24\x53\xa6\x89\x73\x6a\x74\xea\x76\x9d\xd5", 44);
        *(uint32_t*)0x100000c0 = 0x34;
        res =
syscall(SYS_getsockopt, 0xffffff9c, 0x84, 0x102, 0x10000080, 0x100000c0); if (res != -1) r[0] = *(uint32_t*)0x10000080; break; case 2: memcpy((void*)0x10000100, "./file0\000", 8); res = syscall(SYS_openat, 0xffffff9c, 0x10000100, 0, 0x44); if (res != -1) r[1] = res; break; case 3: memcpy((void*)0x10000140, ".\000", 2); syscall(SYS_mknodat, (intptr_t)r[1], 0x10000140, 1, 1ull); break; case 4: res = syscall(SYS_getgid); if (res != -1) r[2] = res; break; case 5: syscall(SYS_setregid, (intptr_t)r[2], -1); break; case 6: syscall(SYS_getresuid, 0x10000180, 0x100001c0, 0x10000200); break; case 7: memcpy((void*)0x10000240, "\x08\x9a\xeb\x92\x13\x37\xee\x4b\xe0\x2b\x25\x24\xde\xba\x2f\xa2\xaa\x5f\xde\xc7\x43\xab\xfb\xa1\x03\xa7\x1a\xdb\x46\x6a\xe5\x66\xa8\x6e\x3b\x1b\xd5\xcf\xad\x07\x13\x41\x82\x93\xfe\x77\x9a\xc8\xf4\x0d\xd4\x64\x47\x05\x6a\x46\xf4\x13\x56\x14\x28\x0e\x54\xe4\xfc\xfe\x48\x7c\xba\xef\x1b\x5e\xcc\xb6\x5f\xf7\xc1\xf3\x0c\xb7\x6c\x4b\xb0\x32\xc3\x62\xf1\x50\x1f\x50\xa8\x7f\x03\x1c\x31\xf0\xf0\x44\x12\x24\x70\x15\xa8\x17\xdc\x8d\x57\xb6\x6b\x42\x4c\x42\x11\x5b\x16\xd2\xf8\x87\xa7\x9a\x73\xde\xab\x24\x72\x04\x0a\x70\x0e\xe0\x0e\xa1\xc3\x3b\xfd\x05\x72\x88\x5d\x52\x8c\x91\x01\xc3\xc3\x00\x98\x1a\x34\x25\x79\xad\x50\xe7\xa1\xc1\x38\xa0\x00\xe3\x78\x65\x0d\xe1\x6a\xbb\x78\xe2\x22\x9f\x64\x50\x99\xa9\x03\x8b\xc3\x17\xa7\xe9\x06\xcd\x48\x09\x73\x0a\x74\x1e\x3c\x94\x5a\x19\xcc\x3c\x5f\xad\xb4\x2f\x84\x5b\xda\xbc\x65\x17\x5a\x90\x61\xff\xe5\x37\x47\x39\x41\xee\x21\x18\x50\x5f\xda\xf4\x49\x56\xce\xde\xf6\x03\xa0\xc8\x2d\x39\xd1\x1d\xd6\xb9\x44\xdc\x92\x15\xe8\x61\x9a\x56\x52\xed\x68\x32\xd5\x32\xfe\x16\xbf\x62\xb6\x0c", 254); syscall(SYS_ioctl, (intptr_t)r[1], 0xc1304430, 0x10000240); break; case 8: memcpy((void*)0x100003c0, 
"\xd6\xfa\x81\x37\x38\x99\x4e\x7f\xbc\xd0\x82\x2a\xb8\x5e\x0d\xd4\x41\xa9\x52\x4f\xcd\x7c\x8a\x27\x91\x87\x82\x95\x02\x97\xb8\x7f\x70\x05\xd8\xd0\x7a\xfa\xc5\x3f\x2c\x3b\x08\xa3\x64\x6d\x6c\x7d\x18\x3c\x03\x5f\xb9\xec\xd4\x7e\x0a\x51\x4c\x31\xd1\xa7\x10\x63\x9b\xe6\xbb\x3e\xd9\xfe\x94\x83\x92\xaa\xb5\x6f\x61\xb2\x29\x87\x34\xa9\x79\x8a\x23\x65\x65\x75\xcb\x59\x0e\xec\x37\xbb\xd8\x8f\x3a\xd7\xfd\xc4\xe6\xae\xeb\x45\x26\x0e\x07\x96\x26\xfb\x76\x50\xe7\xa3\x0e\x36\x5c\xd1\x61\x7f\xfc\x78\x94\xf4\x81\x0e\x59\x2a\x10\x9f\x98\xa4\x30\x51\x3f\x91\x6f\x58\x70\xf2\xcd\x6f\xc8\x09\xf2\xc1\x53\x08\x66\x61\x0d\xa6\x8f\xce\xd1\xf6\x12\xc4\x86\x91\xda\xbc\x72\x7b\xa8\xfb\xb5\xeb\x06\x83\xf2\x19\x76\x7a\x3f\x4f\x32\x2c\x1a\x81\x30\x4b\x2a\xb4\x18\xa9\x26\x69\xf9\xd8\x1b\xcc\x63\x8b\xbd\x25\x9e\x0c\xe0\xc2\x54\xc1\x2a\x6e\xfa\xb2\x7f\x79\x9b\x0e\x61\x67\x90\x4e\x65\x9e\x35\x9e\xc3\x1a\x83\xcf\x82\x45\xd7\x17\xed\xe0\x39\xa4\x0a\x2e\xc0\x3b\x5a\x68\x69\xe2\x69\x01\x55\x79\xc6\x79\x94\x95\xfe\xcb\xdb\xdd\x09\xf2\xe2\x57\x51\xbd\x49\xd6\x20\x80\xc6\xa3\xad\xeb\x53\x39\x26\x00\x7b\x93\xae\x74\x68\x27\x55\xa6\xc6\x76\xa2\x56\x53\xab\xf0\x13\xa6\xe5\x00\x8b\x1c\xa4\x41\x0d\x58\xff\x4c\xac\xff\x23\x3f\x2d\xcb\x00\xd5\x79\xe6\x2c\xc9\x22\x8d\xdf\x84\xc9\x9c\xfa\x62\x94\x29\x25\x18\xc3\x18\x9c\x2c\x69\xdc\x3d\xe8\xbb\xd2\x1d\x10\x1e\xee\x91\x33\x4c\xd0\xbc\xef\xb9\x47\x74\xea\x26\x96\xca\x98\x00\x50\x8d\xd8\x4d\x66\xee\xd8\x1c\x34\x82\x43\x2d\xb9\x77\x54\xaf\xf0\xde\xd5\xb4\xd6\xa4\xbd\x64\x6c\x55\xe9\x07\x1a\xf6\xbc\x0e\xa9\x67\x7e\x09\x4f\x5f\x3e\xd7\x2b\x69\xa5\xc6\xc7\x01\xe2\xda\xe8\x94\x65\x6e\x52\x1f\xf3\x7c\xa1\x2e\x99\xbb\x4c\x5e\x73\xce\xbe\x83\xcf\xc0\xca\xe6\xce\x0b\x75\xb1\x12\x40\x6a\xf1\xbf\x21\x16\x62\x6c\x05\x95\xf7\xee\x62\x6b\xec\x0d\xda\x5c\x1c\x2c\x0a\xf5\x03\xd2\xf6\xbb\x74\x79\x5c\x93\x8c\x61\xfc\xad\x9f\x51\xc0\xdc\xd8\x83\x40\x3e\x68\x95\x2d\x34\x7f\x1b\x82\x86\x90\xbe\x2f\xe1\x82\x0f\xd1\x05\x2d\x10\x25\x2b\x91\xe7\x80\xd3\x5a\x17\x70\x6a\x6b\x71\x43\x7d\x78\x17\xd
0\x58\x9e\xb2\xeb\x98\x7c\xb4\x3d\x8b\x09\x47\xba\x9b\xfe\x7c\x51\x3c\xab\x3c\xe7\xd2\xa9\x26\x13\x65\xed\xcb\x70\xfa\xdd\x30\x3a\x4c\x03\x02\x5a\x9f\x82\xbd\x82\xda\x37\xf8\xc5\xcf\xf9\x88\x54\x8b\xfd\xbd\xdb\x97\x41\xcd\x08\x64\x05\xc0\xf4\xd5\x72\x73\x1f\x04\x5b\x9f\x14\xda\x39\xf4\x5d\x03\x85\x44\xb2\x0b\xfb\x15\x2a\xbd\xe3\x32\x71\x32\xcf\xd0\x95\x92\x3f\xe4\x7a\x7a\x24\x79\x59\x79\xf1\xab\x89\xa5\x0d\xbf\x40\xac\xf3\x54\x09\x46\x52\xf4\x28\x53\x95\xf3\xa6\xf6\x18\xf4\x50\x5e\x5e\x61\x19\xf7\xb8\x3d\xa6\x98\xbe\xa9\xd4\xb5\x3b\x0c\x56\x46\xa8\x5e\x45\xb9\xae\x74\x37\x5e\x32\x95\x16\x43\x22\x99\x21\x7c\x15\xe4\x97\x46\x53\xbf\xf7\xc3\x00\xe8\xb0\x18\x14\x33\xb3\x81\xf9\xf7\x01\x54\x0e\x5e\xcd\x7a\x36\xb1\x2c\x66\x01\xce\xd5\x80\xe7\x0b\x03\x69\x43\x70\xf1\x70\xdb\x27\xde\x99\x78\xde\xf7\xdc\xee\xf2\xa7\xdc\x93\xbb\xd4\x10\x57\x32\x33\xe8\x63\xb2\x53\x06\x6c\x54\xb9\x99\xc9\xab\xd5\x2e\xf5\x0b\x5e\x75\x41\x93\xd2\xcf\x36\x02\x94\xdf\xd6\x0d\xc6\x7f\x73\x11\x8a\xda\xf6\x82\x8c\x9f\xa9\x8b\x01\x93\x59\x35\x77\x87\x39\x37\x77\x4e\xa4\x51\x29\x35\xf0\xfd\x4b\x00\xef\xf3\xc0\xcb\x0e\x8a\xb9\x6f\x8b\x95\x2a\xb7\xca\x58\x79\xe6\xb5\x80\xac\x9d\x67\x60\x54\x91\xf8\x12\x1f\xec\x81\xb9\x2f\xfb\xb7\x03\xcf\x46\x2d\xc5\x57\x1c\xca\xf1\xb7\x34\x5a\xb1\x93\xd4\x30\x61\x18\xa3\xf1\x9b\xf2\x79\x5b\x5c\x50\xd7\xe6\x4a\x98\x0c\xc2\x52\xac\xc4\x0e\x8a\x60\x50\x35\xa1\x5d\x40\x6d\x86\x9a\x2b\xd2\x75\xa9\xbf\xbb\xaf\x0e\x4e\x3c\xc1\xb3\xec\xe4\xfd\x2d\x51\x9a\xa5\x40\xfc\x27\xdd\xfe\xc3\xcc\x0e\x3b\xd3\x5b\x68\xbc\x30\x9c\xf9\xba\x9e\xf5\xec\x47\x52\xe7\x2b\x9b\x36\x5f\xea\x7d\xbd\x38\xc6\x95\xa6\xe4\x6b\xa9\xf8\xf5\x69\xd8\x57\x1c\x21\x44\x72\x82\xd1\x01\x17\xe2\xfc\x31\x11\xa5\xb7\xc2\x46\x94\xd9\xfc\x33\x73\xbc\x9b\x34\xac\xbb\xba\xce\x29\x32\x22\x44\xb5\x45\xc8\xbd\x44\xc7\xa5\x41\x65\x5c\x47\xf6\xff\x02\x1f\x62\x58\x35\x71\xf2\x42\x60\xa4\x74\xb4\x09\xe0\x55\xee\x28\xce\xd6\xb1\xa2\xc8\x4b\x9a\xf8\x28\x2a\xfa\x5e\x4c\x29\xa5\x72\x5b\xba\x85\x76\xa3\x19\xd8\xa1\xd6\x3e\xd3\xbb\xd
3\x60\x57\x1c\x7c\x66\x34\xa4\x55\xb3\xd3\x52\xaf\xf5\x19\x2e\x5d\xe9\x4d\xc4\x40\x10\x6f\x69\x56", 1024); memcpy((void*)0x100007c0, "\xab\x28\x99\x79\xa2\x68\x0e\xc5\x67\x8c\xa2\xf6\x92\x43\xee\x51\x5f\xad\xd8\xe8\xe6\xd5\x9c\x96\x8b\x2d\x89\xc0\x13\xed\x60\x12", 32); *(uint32_t*)0x100007e0 = 5; *(uint8_t*)0x100007e4 = 7; *(uint32_t*)0x100007e8 = 0x10000340; memcpy((void*)0x10000340, "\xc1\xf7\x97\x91\xe5\x37\x4e\x62\xaf\x4b\xe8\xdb\xfa\xd2\x3a\x44\x2b\xb6\xc0\xe5\x56\x8c\xa9\x8b\x71\x6e\x4d\x91\xcc\xc6\xbc\x48\x2a\xc8\x11\x23\x93\xab\x4b\x77\xfa\x22\xdd\x04\x72\x2d\x66\x87\x27\x21\x99\xa8\x23\xb1\x55\xfb\xa2\x82\xb7\x74\x4f\x27\xa0\xb7\x54\xf7\x0b\x81\xd4\xf2\x43\xff\x82\x7c\x81\x80\x4e\xe8\x73\xcc\x20\x37\xb6\xb9\xf1\x85\xb7\x5b\xd1\x83\x89\x1f\xef\x90\xa0\xf7\x53\xbf\xef\x30\x58\xcb\xf1\x45\xf9\x45\xe2\xed\x52\x6c\x5d", 111); *(uint64_t*)0x100007ec = 0x84; *(uint64_t*)0x100007f4 = 4; *(uint64_t*)0x100007fc = 8; *(uint64_t*)0x10000804 = 7; *(uint64_t*)0x1000080c = 0x400; *(uint64_t*)0x10000814 = 8; *(uint64_t*)0x1000081c = 8; *(uint32_t*)0x10000824 = 0x81; syscall(SYS_ioctl, (intptr_t)r[1], 0xc450444a, 0x100003c0); break; case 9: *(uint32_t*)0x10000840 = r[0]; *(uint32_t*)0x10000844 = 8; syscall(SYS_setsockopt, -1, 0x84, 0x29, 0x10000840, 8); break; case 10: *(uint8_t*)0x10000000 = -1; *(uint8_t*)0x10000001 = -1; *(uint8_t*)0x10000002 = -1; *(uint8_t*)0x10000003 = -1; *(uint8_t*)0x10000004 = -1; *(uint8_t*)0x10000005 = -1; memcpy((void*)0x10000006, "\x34\xf7\x5c\x76\xc0\xd1", 6); *(uint16_t*)0x1000000c = htobe16(0x88a8); STORE_BY_BITMASK(uint16_t, , 0x1000000e, 6, 0, 3); STORE_BY_BITMASK(uint16_t, , 0x1000000e, 0, 3, 1); STORE_BY_BITMASK(uint16_t, , 0x1000000e, 0, 4, 12); *(uint16_t*)0x10000010 = htobe16(0x8100); STORE_BY_BITMASK(uint16_t, , 0x10000012, 5, 0, 3); STORE_BY_BITMASK(uint16_t, , 0x10000012, 1, 3, 1); STORE_BY_BITMASK(uint16_t, , 0x10000012, 2, 4, 12); *(uint16_t*)0x10000014 = htobe16(0x806); *(uint16_t*)0x10000016 = htobe16(0x18); 
*(uint16_t*)0x10000018 = htobe16(0x812b); *(uint8_t*)0x1000001a = 6; *(uint8_t*)0x1000001b = 0xa; *(uint16_t*)0x1000001c = htobe16(2); *(uint8_t*)0x1000001e = 0; *(uint8_t*)0x1000001f = 0; *(uint8_t*)0x10000020 = 0; *(uint8_t*)0x10000021 = 0; *(uint8_t*)0x10000022 = 0; *(uint8_t*)0x10000023 = 0; memcpy((void*)0x10000024, "\x49\xd3\x25\xff\xc3\x61\xb7\xdf\x0c\xd1", 10); *(uint8_t*)0x1000002e = 0xaa; *(uint8_t*)0x1000002f = 0xaa; *(uint8_t*)0x10000030 = 0xaa; *(uint8_t*)0x10000031 = 0xaa; *(uint8_t*)0x10000032 = 0xaa; *(uint8_t*)0x10000033 = 0xbb; memcpy((void*)0x10000034, "\x81\x43\x5a\xdd\x99\x35\x40\x09\x44\x5d\xd9\x4f\x88\xb4\x89\x24", 16); break; case 11: memcpy((void*)0x10000080, "\xdf\x75\x65\xc4\xe2\xc9\xae\x35\x00\x00\x00\x00\x66\x0f\x38\x03\x57\x52\x65\x66\x0f\x5f\xe4\x26\x0f\xf6\x6b\x00\xc4\xe1\xc5\xdb\x83\xc9\x00\x00\x00\xc4\xc1\xfa\x70\x83\x00\x80\x00\x00\x08\xf3\x0f\x1e\xfa\x0f\x0d\x69\x76\x36\xf3\x0f\x5b\xfb", 60); syz_execute_func(0x10000080); break; case 12: break; } } int main(void) { syscall(SYS_mmap, 0x10000000, 0x1000000, 7, 0x1012, -1, 0); use_temporary_dir(); loop(); return 0; } :282:11: error: use of undeclared identifier 'SYS___realpathat' syscall(SYS___realpathat, -1, 0x10000000, 0x10000040, 8, 0); ^ 1 error generated. 
compiler invocation: clang [-o /tmp/syz-executor736356246 -DGOOS_freebsd=1 -DGOARCH_386=1 -DHOSTGOOS_freebsd=1 -x c - -m32 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -static -lc++ -Wno-overflow] --- FAIL: TestGenerate/freebsd/386/6 (1.49s) csource_test.go:123: opts: {Threaded:true Collide:false Repeat:true RepeatTimes:0 Procs:4 Sandbox:none Fault:false FaultCall:0 FaultNth:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false USB:false VhciInjection:false Wifi:false UseTmpDir:true HandleSegv:false Repro:false Trace:false} program: __realpathat(0xffffffffffffffff, &(0x7f0000000000)='./file0\x00', &(0x7f0000000040)=""/8, 0x8, 0x0) getsockopt$inet6_sctp_SCTP_PEER_AUTH_CHUNKS(0xffffffffffffff9c, 0x84, 0x102, &(0x7f0000000080)={0x0, 0x2c, "62b731e5fc22a3896ac6142a20732d2e97c59348119c3364ac33637589f0a0bf0d2453a689736a74ea769dd5"}, &(0x7f00000000c0)=0x34) r1 = openat(0xffffffffffffff9c, &(0x7f0000000100)='./file0\x00', 0x0, 0x44) mknodat(r1, &(0x7f0000000140)='.\x00', 0x1, 0x1) r2 = getgid() setregid(r2, 0xffffffffffffffff) getresuid(&(0x7f0000000180), &(0x7f00000001c0), &(0x7f0000000200)) ioctl$DIOCGETALTQV1(r1, 0xc1304430, &(0x7f0000000240)="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") ioctl$DIOCRSETTFLAGS(r1, 0xc450444a, &(0x7f00000003c0)={{"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", "ab289979a2680ec5678ca2f69243ee515fadd8e8e6d59c968b2d89c013ed6012", 0x5, 0x7}, &(0x7f0000000340)="c1f79791e5374e62af4be8dbfad23a442bb6c0e5568ca98b716e4d91ccc6bc482ac8112393ab4b77fa22dd04722d6687272199a823b155fba282b7744f27a0b754f70b81d4f243ff827c81804ee873cc2037b6b9f185b75bd183891fef90a0f753bfef3058cbf145f945e2ed526c5d", 0x84, 0x4, 0x8, 0x7, 0x400, 0x8, 0x8, 0x81}) setsockopt$inet6_sctp_SCTP_RECONFIG_SUPPORTED(0xffffffffffffffff, 0x84, 0x29, &(0x7f0000000840)={r0, 0x8}, 0x8) syz_emit_ethernet(0x44, &(0x7f0000000000)={@broadcast, 
@random="34f75c76c0d1", [{[{0x88a8, 0x6}], {0x8100, 0x5, 0x1, 0x2}}], {@arp={0x806, @generic={0x18, 0x812b, 0x6, 0xa, 0x2, @empty, "49d325ffc361b7df0cd1", @remote, "81435add99354009445dd94f88b48924"}}}}) syz_execute_func(&(0x7f0000000080)="df7565c4e2c9ae3500000000660f3803575265660f5fe4260ff66b00c4e1c5db83c9000000c4c1fa70830080000008f30f1efa0f0d697636f30f5bfb") syz_extract_tcp_res(&(0x7f00000000c0), 0x5, 0x1) csource_test.go:124: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include static unsigned long long procid; static void kill_and_wait(int pid, int* status) { kill(pid, SIGKILL); while (waitpid(-1, status, 0) != pid) { } } static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void use_temporary_dir(void) { char tmpdir_template[] = "./syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) exit(1); if (chmod(tmpdir, 0777)) exit(1); if (chdir(tmpdir)) exit(1); } static void __attribute__((noinline)) remove_dir(const char* dir) { DIR* dp = opendir(dir); if (dp == NULL) { if (errno == EACCES) { if (rmdir(dir)) exit(1); return; } exit(1); } struct dirent* ep = 0; while ((ep = readdir(dp))) { if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0) continue; char filename[FILENAME_MAX]; snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name); struct stat st; if (lstat(filename, &st)) exit(1); if (S_ISDIR(st.st_mode)) { remove_dir(filename); continue; } if (unlink(filename)) exit(1); } closedir(dp); if (rmdir(dir)) exit(1); } static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; 
// Tail of thread_start(): its signature and local declarations precede this point.
    pthread_attr_init(&attr);
    // Ask for a 128 KiB stack for each worker thread.
    pthread_attr_setstacksize(&attr, 128 << 10);
    int i = 0;
    // Try to create the thread up to 100 times before giving up.
    for (; i < 100; i++) {
        if (pthread_create(&th, &attr, fn, arg) == 0) {
            pthread_attr_destroy(&attr);
            return;
        }
        // NOTE(review): pthread_create reports failure through its return value,
        // so this errno test may not see EAGAIN -- confirm against the target libc.
        if (errno == EAGAIN) {
            usleep(50);
            continue;
        }
        break;
    }
    // Any other failure, or 100 failed attempts, aborts the whole process.
    exit(1);
}

// One-shot event: a flag guarded by a mutex, with a condition variable for waiters.
typedef struct {
    pthread_mutex_t mu;
    pthread_cond_t cv;
    int state; // 0 = not set, 1 = set
} event_t;

// Initialises the mutex and condition variable; exits the process if either fails.
static void event_init(event_t* ev)
{
    if (pthread_mutex_init(&ev->mu, 0))
        exit(1);
    if (pthread_cond_init(&ev->cv, 0))
        exit(1);
    ev->state = 0;
}

// Clears the flag. Note that this write is done without taking ev->mu.
static void event_reset(event_t* ev)
{
    ev->state = 0;
}

// Sets the flag and wakes all waiters. Setting an already-set event is treated
// as a fatal error (exit(1)).
static void event_set(event_t* ev)
{
    pthread_mutex_lock(&ev->mu);
    if (ev->state)
        exit(1);
    ev->state = 1;
    pthread_mutex_unlock(&ev->mu);
    pthread_cond_broadcast(&ev->cv);
}

// Blocks until the flag is set.
static void event_wait(event_t* ev)
{
    pthread_mutex_lock(&ev->mu);
    // Loop guards against wakeups that arrive while the flag is still clear.
    while (!ev->state)
        pthread_cond_wait(&ev->cv, &ev->mu);
    pthread_mutex_unlock(&ev->mu);
}

// Returns the current flag value, read under the mutex.
static int event_isset(event_t* ev)
{
    pthread_mutex_lock(&ev->mu);
    int res = ev->state;
    pthread_mutex_unlock(&ev->mu);
    return res;
}

// Waits until the flag is set or roughly `timeout` milliseconds have passed
// (time is measured with current_time_ms()). Returns the flag value seen last.
static int event_timedwait(event_t* ev, uint64_t timeout)
{
    uint64_t start = current_time_ms();
    uint64_t now = start;
    pthread_mutex_lock(&ev->mu);
    for (;;) {
        if (ev->state)
            break;
        uint64_t remain = timeout - (now - start);
        struct timespec ts;
        ts.tv_sec = remain / 1000;
        ts.tv_nsec = (remain % 1000) * 1000 * 1000;
        // NOTE(review): POSIX pthread_cond_timedwait takes an absolute deadline, but ts
        // holds only the remaining duration. The call probably times out at once and
        // the loop polls until `timeout` has elapsed -- confirm on the target platform.
        pthread_cond_timedwait(&ev->cv, &ev->mu, &ts);
        now = current_time_ms();
        if (now - start > timeout)
            break;
    }
    int res = ev->state;
    pthread_mutex_unlock(&ev->mu);
    return res;
}

// Mask of bf_len bits starting at bit bf_off.
#define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off))
// Read-modify-write of a bitfield at `addr`: only the bits selected by BITMASK are replaced
// with `val`. `htobe` is applied on load and on store; callers pass it empty for no conversion.
#define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len))))

// Setup shared by the sandbox modes: start a new session and cap the resources the
// fuzzed program can consume. The setrlimit() return values are not checked, so a
// limit that fails to apply goes unnoticed.
static void sandbox_common()
{
    if (setsid() == -1)
        exit(1);
    struct rlimit rlim;
    // Address space: 128 MiB.
    rlim.rlim_cur = rlim.rlim_max = 128 << 20;
    setrlimit(RLIMIT_AS, &rlim);
    // Locked memory: 8 MiB.
    rlim.rlim_cur = rlim.rlim_max = 8 << 20;
    setrlimit(RLIMIT_MEMLOCK, &rlim);
    // Largest file that may be written: 1 MiB.
    rlim.rlim_cur =
rlim.rlim_max = 1 << 20;
    setrlimit(RLIMIT_FSIZE, &rlim);
    // Stack: 1 MiB.
    rlim.rlim_cur = rlim.rlim_max = 1 << 20;
    setrlimit(RLIMIT_STACK, &rlim);
    // No core dumps.
    rlim.rlim_cur = rlim.rlim_max = 0;
    setrlimit(RLIMIT_CORE, &rlim);
    // At most 256 open file descriptors.
    rlim.rlim_cur = rlim.rlim_max = 256;
    setrlimit(RLIMIT_NOFILE, &rlim);
}

static void loop();

// "none" sandbox: applies only the common limits above, then runs the program loop.
// loop() as defined below never returns, so the return statement is not expected to run.
static int do_sandbox_none(void)
{
    sandbox_common();
    loop();
    return 0;
}

// Treats `text` as the address of a void(void) function and calls it. The bytes at that
// address are whatever the generated program copied there, so this runs fuzzer-chosen
// machine code by design. Always returns 0.
static long syz_execute_func(volatile long text)
{
    // Unused volatile array; presumably stack padding for the called code -- TODO confirm.
    volatile long p[8] = {0};
    (void)p;
    ((void (*)(void))(text))();
    return 0;
}

// Per-worker state: whether the thread exists, which call it should run, and the
// two events used to hand work over (ready) and report completion (done).
struct thread_t {
    int created, call;
    event_t ready, done;
};

static struct thread_t threads[16];
static void execute_call(int call);
// Number of calls currently in flight; updated with relaxed atomics.
static int running;

// Worker thread body: wait for a call number, run it, signal completion, repeat forever.
static void* thr(void* arg)
{
    struct thread_t* th = (struct thread_t*)arg;
    for (;;) {
        event_wait(&th->ready);
        event_reset(&th->ready);
        execute_call(th->call);
        __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED);
        event_set(&th->done);
    }
    // Not reached: the loop above has no exit.
    return 0;
}

// Runs the 13 calls of the program once, handing each to the first idle worker.
static void execute_one(void)
{
    int i, call, thread;
    for (call = 0; call < 13; call++) {
        for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) {
            struct thread_t* th = &threads[thread];
            // Workers are created lazily; a new worker starts with `done` set (idle).
            if (!th->created) {
                th->created = 1;
                event_init(&th->ready);
                event_init(&th->done);
                event_set(&th->done);
                thread_start(thr, th);
            }
            // Skip workers still busy with an earlier call.
            if (!event_isset(&th->done))
                continue;
            event_reset(&th->done);
            th->call = call;
            __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED);
            event_set(&th->ready);
            // Wait up to 45 ms; a call that is still blocked is left running and
            // the next call goes to another worker.
            event_timedwait(&th->done, 45);
            break;
        }
    }
    // Give outstanding calls up to 100 x 1 ms to finish.
    for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++)
        sleep_ms(1);
}

// Declaration repeated after the definition above; harmless in C.
static void execute_one(void);

#define WAIT_FLAGS 0

// Repeats the program forever: each iteration runs it in a forked child inside a
// fresh working directory and polls for the child. The body continues past the end
// of this span.
static void loop(void)
{
    int iter = 0;
    for (;; iter++) {
        // "./" plus a decimal int and the terminator fits in 32 bytes.
        char cwdbuf[32];
        sprintf(cwdbuf, "./%d", iter);
        if (mkdir(cwdbuf, 0777))
            exit(1);
        int pid = fork();
        if (pid < 0)
            exit(1);
        if (pid == 0) {
            // Child: run the program once inside the per-iteration directory.
            if (chdir(cwdbuf))
                exit(1);
            execute_one();
            exit(0);
        }
        int status = 0;
        uint64_t start = current_time_ms();
        // Parent: poll for the child once per millisecond, with a 5 second budget.
        for (;;) {
            if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
                break;
            sleep_ms(1);
            if (current_time_ms() - start < 5 * 1000)
continue; kill_and_wait(pid, &status); break; } remove_dir(cwdbuf); } } uint64_t r[3] = {0x0, 0xffffffffffffffff, 0x0}; void execute_call(int call) { intptr_t res = 0; switch (call) { case 0: memcpy((void*)0x10000000, "./file0\000", 8); syscall(SYS___realpathat, -1, 0x10000000, 0x10000040, 8, 0); break; case 1: *(uint32_t*)0x10000080 = 0; *(uint32_t*)0x10000084 = 0x2c; memcpy((void*)0x10000088, "\x62\xb7\x31\xe5\xfc\x22\xa3\x89\x6a\xc6\x14\x2a\x20\x73\x2d\x2e\x97\xc5\x93\x48\x11\x9c\x33\x64\xac\x33\x63\x75\x89\xf0\xa0\xbf\x0d\x24\x53\xa6\x89\x73\x6a\x74\xea\x76\x9d\xd5", 44); *(uint32_t*)0x100000c0 = 0x34; res = syscall(SYS_getsockopt, 0xffffff9c, 0x84, 0x102, 0x10000080, 0x100000c0); if (res != -1) r[0] = *(uint32_t*)0x10000080; break; case 2: memcpy((void*)0x10000100, "./file0\000", 8); res = syscall(SYS_openat, 0xffffff9c, 0x10000100, 0, 0x44); if (res != -1) r[1] = res; break; case 3: memcpy((void*)0x10000140, ".\000", 2); syscall(SYS_mknodat, (intptr_t)r[1], 0x10000140, 1, 1ull); break; case 4: res = syscall(SYS_getgid); if (res != -1) r[2] = res; break; case 5: syscall(SYS_setregid, (intptr_t)r[2], -1); break; case 6: syscall(SYS_getresuid, 0x10000180, 0x100001c0, 0x10000200); break; case 7: memcpy((void*)0x10000240, 
"\x08\x9a\xeb\x92\x13\x37\xee\x4b\xe0\x2b\x25\x24\xde\xba\x2f\xa2\xaa\x5f\xde\xc7\x43\xab\xfb\xa1\x03\xa7\x1a\xdb\x46\x6a\xe5\x66\xa8\x6e\x3b\x1b\xd5\xcf\xad\x07\x13\x41\x82\x93\xfe\x77\x9a\xc8\xf4\x0d\xd4\x64\x47\x05\x6a\x46\xf4\x13\x56\x14\x28\x0e\x54\xe4\xfc\xfe\x48\x7c\xba\xef\x1b\x5e\xcc\xb6\x5f\xf7\xc1\xf3\x0c\xb7\x6c\x4b\xb0\x32\xc3\x62\xf1\x50\x1f\x50\xa8\x7f\x03\x1c\x31\xf0\xf0\x44\x12\x24\x70\x15\xa8\x17\xdc\x8d\x57\xb6\x6b\x42\x4c\x42\x11\x5b\x16\xd2\xf8\x87\xa7\x9a\x73\xde\xab\x24\x72\x04\x0a\x70\x0e\xe0\x0e\xa1\xc3\x3b\xfd\x05\x72\x88\x5d\x52\x8c\x91\x01\xc3\xc3\x00\x98\x1a\x34\x25\x79\xad\x50\xe7\xa1\xc1\x38\xa0\x00\xe3\x78\x65\x0d\xe1\x6a\xbb\x78\xe2\x22\x9f\x64\x50\x99\xa9\x03\x8b\xc3\x17\xa7\xe9\x06\xcd\x48\x09\x73\x0a\x74\x1e\x3c\x94\x5a\x19\xcc\x3c\x5f\xad\xb4\x2f\x84\x5b\xda\xbc\x65\x17\x5a\x90\x61\xff\xe5\x37\x47\x39\x41\xee\x21\x18\x50\x5f\xda\xf4\x49\x56\xce\xde\xf6\x03\xa0\xc8\x2d\x39\xd1\x1d\xd6\xb9\x44\xdc\x92\x15\xe8\x61\x9a\x56\x52\xed\x68\x32\xd5\x32\xfe\x16\xbf\x62\xb6\x0c", 254); syscall(SYS_ioctl, (intptr_t)r[1], 0xc1304430, 0x10000240); break; case 8: memcpy((void*)0x100003c0, 
"\xd6\xfa\x81\x37\x38\x99\x4e\x7f\xbc\xd0\x82\x2a\xb8\x5e\x0d\xd4\x41\xa9\x52\x4f\xcd\x7c\x8a\x27\x91\x87\x82\x95\x02\x97\xb8\x7f\x70\x05\xd8\xd0\x7a\xfa\xc5\x3f\x2c\x3b\x08\xa3\x64\x6d\x6c\x7d\x18\x3c\x03\x5f\xb9\xec\xd4\x7e\x0a\x51\x4c\x31\xd1\xa7\x10\x63\x9b\xe6\xbb\x3e\xd9\xfe\x94\x83\x92\xaa\xb5\x6f\x61\xb2\x29\x87\x34\xa9\x79\x8a\x23\x65\x65\x75\xcb\x59\x0e\xec\x37\xbb\xd8\x8f\x3a\xd7\xfd\xc4\xe6\xae\xeb\x45\x26\x0e\x07\x96\x26\xfb\x76\x50\xe7\xa3\x0e\x36\x5c\xd1\x61\x7f\xfc\x78\x94\xf4\x81\x0e\x59\x2a\x10\x9f\x98\xa4\x30\x51\x3f\x91\x6f\x58\x70\xf2\xcd\x6f\xc8\x09\xf2\xc1\x53\x08\x66\x61\x0d\xa6\x8f\xce\xd1\xf6\x12\xc4\x86\x91\xda\xbc\x72\x7b\xa8\xfb\xb5\xeb\x06\x83\xf2\x19\x76\x7a\x3f\x4f\x32\x2c\x1a\x81\x30\x4b\x2a\xb4\x18\xa9\x26\x69\xf9\xd8\x1b\xcc\x63\x8b\xbd\x25\x9e\x0c\xe0\xc2\x54\xc1\x2a\x6e\xfa\xb2\x7f\x79\x9b\x0e\x61\x67\x90\x4e\x65\x9e\x35\x9e\xc3\x1a\x83\xcf\x82\x45\xd7\x17\xed\xe0\x39\xa4\x0a\x2e\xc0\x3b\x5a\x68\x69\xe2\x69\x01\x55\x79\xc6\x79\x94\x95\xfe\xcb\xdb\xdd\x09\xf2\xe2\x57\x51\xbd\x49\xd6\x20\x80\xc6\xa3\xad\xeb\x53\x39\x26\x00\x7b\x93\xae\x74\x68\x27\x55\xa6\xc6\x76\xa2\x56\x53\xab\xf0\x13\xa6\xe5\x00\x8b\x1c\xa4\x41\x0d\x58\xff\x4c\xac\xff\x23\x3f\x2d\xcb\x00\xd5\x79\xe6\x2c\xc9\x22\x8d\xdf\x84\xc9\x9c\xfa\x62\x94\x29\x25\x18\xc3\x18\x9c\x2c\x69\xdc\x3d\xe8\xbb\xd2\x1d\x10\x1e\xee\x91\x33\x4c\xd0\xbc\xef\xb9\x47\x74\xea\x26\x96\xca\x98\x00\x50\x8d\xd8\x4d\x66\xee\xd8\x1c\x34\x82\x43\x2d\xb9\x77\x54\xaf\xf0\xde\xd5\xb4\xd6\xa4\xbd\x64\x6c\x55\xe9\x07\x1a\xf6\xbc\x0e\xa9\x67\x7e\x09\x4f\x5f\x3e\xd7\x2b\x69\xa5\xc6\xc7\x01\xe2\xda\xe8\x94\x65\x6e\x52\x1f\xf3\x7c\xa1\x2e\x99\xbb\x4c\x5e\x73\xce\xbe\x83\xcf\xc0\xca\xe6\xce\x0b\x75\xb1\x12\x40\x6a\xf1\xbf\x21\x16\x62\x6c\x05\x95\xf7\xee\x62\x6b\xec\x0d\xda\x5c\x1c\x2c\x0a\xf5\x03\xd2\xf6\xbb\x74\x79\x5c\x93\x8c\x61\xfc\xad\x9f\x51\xc0\xdc\xd8\x83\x40\x3e\x68\x95\x2d\x34\x7f\x1b\x82\x86\x90\xbe\x2f\xe1\x82\x0f\xd1\x05\x2d\x10\x25\x2b\x91\xe7\x80\xd3\x5a\x17\x70\x6a\x6b\x71\x43\x7d\x78\x17\xd
0\x58\x9e\xb2\xeb\x98\x7c\xb4\x3d\x8b\x09\x47\xba\x9b\xfe\x7c\x51\x3c\xab\x3c\xe7\xd2\xa9\x26\x13\x65\xed\xcb\x70\xfa\xdd\x30\x3a\x4c\x03\x02\x5a\x9f\x82\xbd\x82\xda\x37\xf8\xc5\xcf\xf9\x88\x54\x8b\xfd\xbd\xdb\x97\x41\xcd\x08\x64\x05\xc0\xf4\xd5\x72\x73\x1f\x04\x5b\x9f\x14\xda\x39\xf4\x5d\x03\x85\x44\xb2\x0b\xfb\x15\x2a\xbd\xe3\x32\x71\x32\xcf\xd0\x95\x92\x3f\xe4\x7a\x7a\x24\x79\x59\x79\xf1\xab\x89\xa5\x0d\xbf\x40\xac\xf3\x54\x09\x46\x52\xf4\x28\x53\x95\xf3\xa6\xf6\x18\xf4\x50\x5e\x5e\x61\x19\xf7\xb8\x3d\xa6\x98\xbe\xa9\xd4\xb5\x3b\x0c\x56\x46\xa8\x5e\x45\xb9\xae\x74\x37\x5e\x32\x95\x16\x43\x22\x99\x21\x7c\x15\xe4\x97\x46\x53\xbf\xf7\xc3\x00\xe8\xb0\x18\x14\x33\xb3\x81\xf9\xf7\x01\x54\x0e\x5e\xcd\x7a\x36\xb1\x2c\x66\x01\xce\xd5\x80\xe7\x0b\x03\x69\x43\x70\xf1\x70\xdb\x27\xde\x99\x78\xde\xf7\xdc\xee\xf2\xa7\xdc\x93\xbb\xd4\x10\x57\x32\x33\xe8\x63\xb2\x53\x06\x6c\x54\xb9\x99\xc9\xab\xd5\x2e\xf5\x0b\x5e\x75\x41\x93\xd2\xcf\x36\x02\x94\xdf\xd6\x0d\xc6\x7f\x73\x11\x8a\xda\xf6\x82\x8c\x9f\xa9\x8b\x01\x93\x59\x35\x77\x87\x39\x37\x77\x4e\xa4\x51\x29\x35\xf0\xfd\x4b\x00\xef\xf3\xc0\xcb\x0e\x8a\xb9\x6f\x8b\x95\x2a\xb7\xca\x58\x79\xe6\xb5\x80\xac\x9d\x67\x60\x54\x91\xf8\x12\x1f\xec\x81\xb9\x2f\xfb\xb7\x03\xcf\x46\x2d\xc5\x57\x1c\xca\xf1\xb7\x34\x5a\xb1\x93\xd4\x30\x61\x18\xa3\xf1\x9b\xf2\x79\x5b\x5c\x50\xd7\xe6\x4a\x98\x0c\xc2\x52\xac\xc4\x0e\x8a\x60\x50\x35\xa1\x5d\x40\x6d\x86\x9a\x2b\xd2\x75\xa9\xbf\xbb\xaf\x0e\x4e\x3c\xc1\xb3\xec\xe4\xfd\x2d\x51\x9a\xa5\x40\xfc\x27\xdd\xfe\xc3\xcc\x0e\x3b\xd3\x5b\x68\xbc\x30\x9c\xf9\xba\x9e\xf5\xec\x47\x52\xe7\x2b\x9b\x36\x5f\xea\x7d\xbd\x38\xc6\x95\xa6\xe4\x6b\xa9\xf8\xf5\x69\xd8\x57\x1c\x21\x44\x72\x82\xd1\x01\x17\xe2\xfc\x31\x11\xa5\xb7\xc2\x46\x94\xd9\xfc\x33\x73\xbc\x9b\x34\xac\xbb\xba\xce\x29\x32\x22\x44\xb5\x45\xc8\xbd\x44\xc7\xa5\x41\x65\x5c\x47\xf6\xff\x02\x1f\x62\x58\x35\x71\xf2\x42\x60\xa4\x74\xb4\x09\xe0\x55\xee\x28\xce\xd6\xb1\xa2\xc8\x4b\x9a\xf8\x28\x2a\xfa\x5e\x4c\x29\xa5\x72\x5b\xba\x85\x76\xa3\x19\xd8\xa1\xd6\x3e\xd3\xbb\xd
3\x60\x57\x1c\x7c\x66\x34\xa4\x55\xb3\xd3\x52\xaf\xf5\x19\x2e\x5d\xe9\x4d\xc4\x40\x10\x6f\x69\x56", 1024); memcpy((void*)0x100007c0, "\xab\x28\x99\x79\xa2\x68\x0e\xc5\x67\x8c\xa2\xf6\x92\x43\xee\x51\x5f\xad\xd8\xe8\xe6\xd5\x9c\x96\x8b\x2d\x89\xc0\x13\xed\x60\x12", 32); *(uint32_t*)0x100007e0 = 5; *(uint8_t*)0x100007e4 = 7; *(uint32_t*)0x100007e8 = 0x10000340; memcpy((void*)0x10000340, "\xc1\xf7\x97\x91\xe5\x37\x4e\x62\xaf\x4b\xe8\xdb\xfa\xd2\x3a\x44\x2b\xb6\xc0\xe5\x56\x8c\xa9\x8b\x71\x6e\x4d\x91\xcc\xc6\xbc\x48\x2a\xc8\x11\x23\x93\xab\x4b\x77\xfa\x22\xdd\x04\x72\x2d\x66\x87\x27\x21\x99\xa8\x23\xb1\x55\xfb\xa2\x82\xb7\x74\x4f\x27\xa0\xb7\x54\xf7\x0b\x81\xd4\xf2\x43\xff\x82\x7c\x81\x80\x4e\xe8\x73\xcc\x20\x37\xb6\xb9\xf1\x85\xb7\x5b\xd1\x83\x89\x1f\xef\x90\xa0\xf7\x53\xbf\xef\x30\x58\xcb\xf1\x45\xf9\x45\xe2\xed\x52\x6c\x5d", 111); *(uint64_t*)0x100007ec = 0x84; *(uint64_t*)0x100007f4 = 4; *(uint64_t*)0x100007fc = 8; *(uint64_t*)0x10000804 = 7; *(uint64_t*)0x1000080c = 0x400; *(uint64_t*)0x10000814 = 8; *(uint64_t*)0x1000081c = 8; *(uint32_t*)0x10000824 = 0x81; syscall(SYS_ioctl, (intptr_t)r[1], 0xc450444a, 0x100003c0); break; case 9: *(uint32_t*)0x10000840 = r[0]; *(uint32_t*)0x10000844 = 8; syscall(SYS_setsockopt, -1, 0x84, 0x29, 0x10000840, 8); break; case 10: *(uint8_t*)0x10000000 = -1; *(uint8_t*)0x10000001 = -1; *(uint8_t*)0x10000002 = -1; *(uint8_t*)0x10000003 = -1; *(uint8_t*)0x10000004 = -1; *(uint8_t*)0x10000005 = -1; memcpy((void*)0x10000006, "\x34\xf7\x5c\x76\xc0\xd1", 6); *(uint16_t*)0x1000000c = htobe16(0x88a8); STORE_BY_BITMASK(uint16_t, , 0x1000000e, 6, 0, 3); STORE_BY_BITMASK(uint16_t, , 0x1000000e, 0, 3, 1); STORE_BY_BITMASK(uint16_t, , 0x1000000e, 0, 4, 12); *(uint16_t*)0x10000010 = htobe16(0x8100); STORE_BY_BITMASK(uint16_t, , 0x10000012, 5, 0, 3); STORE_BY_BITMASK(uint16_t, , 0x10000012, 1, 3, 1); STORE_BY_BITMASK(uint16_t, , 0x10000012, 2, 4, 12); *(uint16_t*)0x10000014 = htobe16(0x806); *(uint16_t*)0x10000016 = htobe16(0x18); 
*(uint16_t*)0x10000018 = htobe16(0x812b); *(uint8_t*)0x1000001a = 6; *(uint8_t*)0x1000001b = 0xa; *(uint16_t*)0x1000001c = htobe16(2); *(uint8_t*)0x1000001e = 0; *(uint8_t*)0x1000001f = 0; *(uint8_t*)0x10000020 = 0; *(uint8_t*)0x10000021 = 0; *(uint8_t*)0x10000022 = 0; *(uint8_t*)0x10000023 = 0; memcpy((void*)0x10000024, "\x49\xd3\x25\xff\xc3\x61\xb7\xdf\x0c\xd1", 10); *(uint8_t*)0x1000002e = 0xaa; *(uint8_t*)0x1000002f = 0xaa; *(uint8_t*)0x10000030 = 0xaa; *(uint8_t*)0x10000031 = 0xaa; *(uint8_t*)0x10000032 = 0xaa; *(uint8_t*)0x10000033 = 0xbb; memcpy((void*)0x10000034, "\x81\x43\x5a\xdd\x99\x35\x40\x09\x44\x5d\xd9\x4f\x88\xb4\x89\x24", 16); break; case 11: memcpy((void*)0x10000080, "\xdf\x75\x65\xc4\xe2\xc9\xae\x35\x00\x00\x00\x00\x66\x0f\x38\x03\x57\x52\x65\x66\x0f\x5f\xe4\x26\x0f\xf6\x6b\x00\xc4\xe1\xc5\xdb\x83\xc9\x00\x00\x00\xc4\xc1\xfa\x70\x83\x00\x80\x00\x00\x08\xf3\x0f\x1e\xfa\x0f\x0d\x69\x76\x36\xf3\x0f\x5b\xfb", 60); syz_execute_func(0x10000080); break; case 12: break; } } int main(void) { syscall(SYS_mmap, 0x10000000, 0x1000000, 7, 0x1012, -1, 0); for (procid = 0; procid < 4; procid++) { if (fork() == 0) { use_temporary_dir(); do_sandbox_none(); } } sleep(1000000); return 0; } :313:11: error: use of undeclared identifier 'SYS___realpathat' syscall(SYS___realpathat, -1, 0x10000000, 0x10000040, 8, 0); ^ 1 error generated. 
compiler invocation: clang [-o /tmp/syz-executor807214077 -DGOOS_freebsd=1 -DGOARCH_386=1 -DHOSTGOOS_freebsd=1 -x c - -m32 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -static -lc++ -Wno-overflow] --- FAIL: TestGenerate/freebsd/386/13 (2.16s) csource_test.go:123: opts: {Threaded:true Collide:false Repeat:true RepeatTimes:0 Procs:0 Sandbox:none Fault:false FaultCall:0 FaultNth:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false USB:false VhciInjection:false Wifi:false UseTmpDir:true HandleSegv:false Repro:false Trace:true} program: __realpathat(0xffffffffffffffff, &(0x7f0000000000)='./file0\x00', &(0x7f0000000040)=""/8, 0x8, 0x0) getsockopt$inet6_sctp_SCTP_PEER_AUTH_CHUNKS(0xffffffffffffff9c, 0x84, 0x102, &(0x7f0000000080)={0x0, 0x2c, "62b731e5fc22a3896ac6142a20732d2e97c59348119c3364ac33637589f0a0bf0d2453a689736a74ea769dd5"}, &(0x7f00000000c0)=0x34) r1 = openat(0xffffffffffffff9c, &(0x7f0000000100)='./file0\x00', 0x0, 0x44) mknodat(r1, &(0x7f0000000140)='.\x00', 0x1, 0x1) r2 = getgid() setregid(r2, 0xffffffffffffffff) getresuid(&(0x7f0000000180), &(0x7f00000001c0), &(0x7f0000000200)) ioctl$DIOCGETALTQV1(r1, 0xc1304430, &(0x7f0000000240)="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") ioctl$DIOCRSETTFLAGS(r1, 0xc450444a, &(0x7f00000003c0)={{"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", "ab289979a2680ec5678ca2f69243ee515fadd8e8e6d59c968b2d89c013ed6012", 0x5, 0x7}, &(0x7f0000000340)="c1f79791e5374e62af4be8dbfad23a442bb6c0e5568ca98b716e4d91ccc6bc482ac8112393ab4b77fa22dd04722d6687272199a823b155fba282b7744f27a0b754f70b81d4f243ff827c81804ee873cc2037b6b9f185b75bd183891fef90a0f753bfef3058cbf145f945e2ed526c5d", 0x84, 0x4, 0x8, 0x7, 0x400, 0x8, 0x8, 0x81}) setsockopt$inet6_sctp_SCTP_RECONFIG_SUPPORTED(0xffffffffffffffff, 0x84, 0x29, &(0x7f0000000840)={r0, 0x8}, 0x8) syz_emit_ethernet(0x44, &(0x7f0000000000)={@broadcast, 
@random="34f75c76c0d1", [{[{0x88a8, 0x6}], {0x8100, 0x5, 0x1, 0x2}}], {@arp={0x806, @generic={0x18, 0x812b, 0x6, 0xa, 0x2, @empty, "49d325ffc361b7df0cd1", @remote, "81435add99354009445dd94f88b48924"}}}}) syz_execute_func(&(0x7f0000000080)="df7565c4e2c9ae3500000000660f3803575265660f5fe4260ff66b00c4e1c5db83c9000000c4c1fa70830080000008f30f1efa0f0d697636f30f5bfb") syz_extract_tcp_res(&(0x7f00000000c0), 0x5, 0x1) csource_test.go:124: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include static void kill_and_wait(int pid, int* status) { kill(pid, SIGKILL); while (waitpid(-1, status, 0) != pid) { } } static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void use_temporary_dir(void) { char tmpdir_template[] = "./syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) exit(1); if (chmod(tmpdir, 0777)) exit(1); if (chdir(tmpdir)) exit(1); } static void __attribute__((noinline)) remove_dir(const char* dir) { DIR* dp = opendir(dir); if (dp == NULL) { if (errno == EACCES) { if (rmdir(dir)) exit(1); return; } exit(1); } struct dirent* ep = 0; while ((ep = readdir(dp))) { if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0) continue; char filename[FILENAME_MAX]; snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name); struct stat st; if (lstat(filename, &st)) exit(1); if (S_ISDIR(st.st_mode)) { remove_dir(filename); continue; } if (unlink(filename)) exit(1); } closedir(dp); if (rmdir(dir)) exit(1); } static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); 
pthread_attr_setstacksize(&attr, 128 << 10); int i = 0; for (; i < 100; i++) { if (pthread_create(&th, &attr, fn, arg) == 0) { pthread_attr_destroy(&attr); return; } if (errno == EAGAIN) { usleep(50); continue; } break; } exit(1); } typedef struct { pthread_mutex_t mu; pthread_cond_t cv; int state; } event_t; static void event_init(event_t* ev) { if (pthread_mutex_init(&ev->mu, 0)) exit(1); if (pthread_cond_init(&ev->cv, 0)) exit(1); ev->state = 0; } static void event_reset(event_t* ev) { ev->state = 0; } static void event_set(event_t* ev) { pthread_mutex_lock(&ev->mu); if (ev->state) exit(1); ev->state = 1; pthread_mutex_unlock(&ev->mu); pthread_cond_broadcast(&ev->cv); } static void event_wait(event_t* ev) { pthread_mutex_lock(&ev->mu); while (!ev->state) pthread_cond_wait(&ev->cv, &ev->mu); pthread_mutex_unlock(&ev->mu); } static int event_isset(event_t* ev) { pthread_mutex_lock(&ev->mu); int res = ev->state; pthread_mutex_unlock(&ev->mu); return res; } static int event_timedwait(event_t* ev, uint64_t timeout) { uint64_t start = current_time_ms(); uint64_t now = start; pthread_mutex_lock(&ev->mu); for (;;) { if (ev->state) break; uint64_t remain = timeout - (now - start); struct timespec ts; ts.tv_sec = remain / 1000; ts.tv_nsec = (remain % 1000) * 1000 * 1000; pthread_cond_timedwait(&ev->cv, &ev->mu, &ts); now = current_time_ms(); if (now - start > timeout) break; } int res = ev->state; pthread_mutex_unlock(&ev->mu); return res; } #define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off)) #define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len)))) static void sandbox_common() { if (setsid() == -1) exit(1); struct rlimit rlim; rlim.rlim_cur = rlim.rlim_max = 128 << 20; setrlimit(RLIMIT_AS, &rlim); rlim.rlim_cur = rlim.rlim_max = 8 << 20; setrlimit(RLIMIT_MEMLOCK, &rlim); rlim.rlim_cur = rlim.rlim_max = 1 << 20; 
setrlimit(RLIMIT_FSIZE, &rlim); rlim.rlim_cur = rlim.rlim_max = 1 << 20; setrlimit(RLIMIT_STACK, &rlim); rlim.rlim_cur = rlim.rlim_max = 0; setrlimit(RLIMIT_CORE, &rlim); rlim.rlim_cur = rlim.rlim_max = 256; setrlimit(RLIMIT_NOFILE, &rlim); } static void loop(); static int do_sandbox_none(void) { sandbox_common(); loop(); return 0; } static long syz_execute_func(volatile long text) { volatile long p[8] = {0}; (void)p; ((void (*)(void))(text))(); return 0; } struct thread_t { int created, call; event_t ready, done; }; static struct thread_t threads[16]; static void execute_call(int call); static int running; static void* thr(void* arg) { struct thread_t* th = (struct thread_t*)arg; for (;;) { event_wait(&th->ready); event_reset(&th->ready); execute_call(th->call); __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED); event_set(&th->done); } return 0; } static void execute_one(void) { fprintf(stderr, "### start\n"); int i, call, thread; for (call = 0; call < 13; call++) { for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) { struct thread_t* th = &threads[thread]; if (!th->created) { th->created = 1; event_init(&th->ready); event_init(&th->done); event_set(&th->done); thread_start(thr, th); } if (!event_isset(&th->done)) continue; event_reset(&th->done); th->call = call; __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED); event_set(&th->ready); event_timedwait(&th->done, 45); break; } } for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++) sleep_ms(1); } static void execute_one(void); #define WAIT_FLAGS 0 static void loop(void) { int iter = 0; for (;; iter++) { char cwdbuf[32]; sprintf(cwdbuf, "./%d", iter); if (mkdir(cwdbuf, 0777)) exit(1); int pid = fork(); if (pid < 0) exit(1); if (pid == 0) { if (chdir(cwdbuf)) exit(1); execute_one(); exit(0); } int status = 0; uint64_t start = current_time_ms(); for (;;) { if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) break; sleep_ms(1); if (current_time_ms() - start < 5 * 
1000) continue; kill_and_wait(pid, &status); break; } remove_dir(cwdbuf); } } uint64_t r[3] = {0x0, 0xffffffffffffffff, 0x0}; void execute_call(int call) { intptr_t res = 0; switch (call) { case 0: memcpy((void*)0x10000000, "./file0\000", 8); res = syscall(SYS___realpathat, -1, 0x10000000, 0x10000040, 8, 0); fprintf(stderr, "### call=0 errno=%u\n", res == -1 ? errno : 0); break; case 1: *(uint32_t*)0x10000080 = 0; *(uint32_t*)0x10000084 = 0x2c; memcpy((void*)0x10000088, "\x62\xb7\x31\xe5\xfc\x22\xa3\x89\x6a\xc6\x14\x2a\x20\x73\x2d\x2e\x97\xc5\x93\x48\x11\x9c\x33\x64\xac\x33\x63\x75\x89\xf0\xa0\xbf\x0d\x24\x53\xa6\x89\x73\x6a\x74\xea\x76\x9d\xd5", 44); *(uint32_t*)0x100000c0 = 0x34; res = syscall(SYS_getsockopt, 0xffffff9c, 0x84, 0x102, 0x10000080, 0x100000c0); fprintf(stderr, "### call=1 errno=%u\n", res == -1 ? errno : 0); if (res != -1) r[0] = *(uint32_t*)0x10000080; break; case 2: memcpy((void*)0x10000100, "./file0\000", 8); res = syscall(SYS_openat, 0xffffff9c, 0x10000100, 0, 0x44); fprintf(stderr, "### call=2 errno=%u\n", res == -1 ? errno : 0); if (res != -1) r[1] = res; break; case 3: memcpy((void*)0x10000140, ".\000", 2); res = syscall(SYS_mknodat, (intptr_t)r[1], 0x10000140, 1, 1ull); fprintf(stderr, "### call=3 errno=%u\n", res == -1 ? errno : 0); break; case 4: res = syscall(SYS_getgid); fprintf(stderr, "### call=4 errno=%u\n", res == -1 ? errno : 0); if (res != -1) r[2] = res; break; case 5: res = syscall(SYS_setregid, (intptr_t)r[2], -1); fprintf(stderr, "### call=5 errno=%u\n", res == -1 ? errno : 0); break; case 6: res = syscall(SYS_getresuid, 0x10000180, 0x100001c0, 0x10000200); fprintf(stderr, "### call=6 errno=%u\n", res == -1 ? 
errno : 0); break; case 7: memcpy((void*)0x10000240, "\x08\x9a\xeb\x92\x13\x37\xee\x4b\xe0\x2b\x25\x24\xde\xba\x2f\xa2\xaa\x5f\xde\xc7\x43\xab\xfb\xa1\x03\xa7\x1a\xdb\x46\x6a\xe5\x66\xa8\x6e\x3b\x1b\xd5\xcf\xad\x07\x13\x41\x82\x93\xfe\x77\x9a\xc8\xf4\x0d\xd4\x64\x47\x05\x6a\x46\xf4\x13\x56\x14\x28\x0e\x54\xe4\xfc\xfe\x48\x7c\xba\xef\x1b\x5e\xcc\xb6\x5f\xf7\xc1\xf3\x0c\xb7\x6c\x4b\xb0\x32\xc3\x62\xf1\x50\x1f\x50\xa8\x7f\x03\x1c\x31\xf0\xf0\x44\x12\x24\x70\x15\xa8\x17\xdc\x8d\x57\xb6\x6b\x42\x4c\x42\x11\x5b\x16\xd2\xf8\x87\xa7\x9a\x73\xde\xab\x24\x72\x04\x0a\x70\x0e\xe0\x0e\xa1\xc3\x3b\xfd\x05\x72\x88\x5d\x52\x8c\x91\x01\xc3\xc3\x00\x98\x1a\x34\x25\x79\xad\x50\xe7\xa1\xc1\x38\xa0\x00\xe3\x78\x65\x0d\xe1\x6a\xbb\x78\xe2\x22\x9f\x64\x50\x99\xa9\x03\x8b\xc3\x17\xa7\xe9\x06\xcd\x48\x09\x73\x0a\x74\x1e\x3c\x94\x5a\x19\xcc\x3c\x5f\xad\xb4\x2f\x84\x5b\xda\xbc\x65\x17\x5a\x90\x61\xff\xe5\x37\x47\x39\x41\xee\x21\x18\x50\x5f\xda\xf4\x49\x56\xce\xde\xf6\x03\xa0\xc8\x2d\x39\xd1\x1d\xd6\xb9\x44\xdc\x92\x15\xe8\x61\x9a\x56\x52\xed\x68\x32\xd5\x32\xfe\x16\xbf\x62\xb6\x0c", 254); res = syscall(SYS_ioctl, (intptr_t)r[1], 0xc1304430, 0x10000240); fprintf(stderr, "### call=7 errno=%u\n", res == -1 ? 
errno : 0); break; case 8: memcpy((void*)0x100003c0, "\xd6\xfa\x81\x37\x38\x99\x4e\x7f\xbc\xd0\x82\x2a\xb8\x5e\x0d\xd4\x41\xa9\x52\x4f\xcd\x7c\x8a\x27\x91\x87\x82\x95\x02\x97\xb8\x7f\x70\x05\xd8\xd0\x7a\xfa\xc5\x3f\x2c\x3b\x08\xa3\x64\x6d\x6c\x7d\x18\x3c\x03\x5f\xb9\xec\xd4\x7e\x0a\x51\x4c\x31\xd1\xa7\x10\x63\x9b\xe6\xbb\x3e\xd9\xfe\x94\x83\x92\xaa\xb5\x6f\x61\xb2\x29\x87\x34\xa9\x79\x8a\x23\x65\x65\x75\xcb\x59\x0e\xec\x37\xbb\xd8\x8f\x3a\xd7\xfd\xc4\xe6\xae\xeb\x45\x26\x0e\x07\x96\x26\xfb\x76\x50\xe7\xa3\x0e\x36\x5c\xd1\x61\x7f\xfc\x78\x94\xf4\x81\x0e\x59\x2a\x10\x9f\x98\xa4\x30\x51\x3f\x91\x6f\x58\x70\xf2\xcd\x6f\xc8\x09\xf2\xc1\x53\x08\x66\x61\x0d\xa6\x8f\xce\xd1\xf6\x12\xc4\x86\x91\xda\xbc\x72\x7b\xa8\xfb\xb5\xeb\x06\x83\xf2\x19\x76\x7a\x3f\x4f\x32\x2c\x1a\x81\x30\x4b\x2a\xb4\x18\xa9\x26\x69\xf9\xd8\x1b\xcc\x63\x8b\xbd\x25\x9e\x0c\xe0\xc2\x54\xc1\x2a\x6e\xfa\xb2\x7f\x79\x9b\x0e\x61\x67\x90\x4e\x65\x9e\x35\x9e\xc3\x1a\x83\xcf\x82\x45\xd7\x17\xed\xe0\x39\xa4\x0a\x2e\xc0\x3b\x5a\x68\x69\xe2\x69\x01\x55\x79\xc6\x79\x94\x95\xfe\xcb\xdb\xdd\x09\xf2\xe2\x57\x51\xbd\x49\xd6\x20\x80\xc6\xa3\xad\xeb\x53\x39\x26\x00\x7b\x93\xae\x74\x68\x27\x55\xa6\xc6\x76\xa2\x56\x53\xab\xf0\x13\xa6\xe5\x00\x8b\x1c\xa4\x41\x0d\x58\xff\x4c\xac\xff\x23\x3f\x2d\xcb\x00\xd5\x79\xe6\x2c\xc9\x22\x8d\xdf\x84\xc9\x9c\xfa\x62\x94\x29\x25\x18\xc3\x18\x9c\x2c\x69\xdc\x3d\xe8\xbb\xd2\x1d\x10\x1e\xee\x91\x33\x4c\xd0\xbc\xef\xb9\x47\x74\xea\x26\x96\xca\x98\x00\x50\x8d\xd8\x4d\x66\xee\xd8\x1c\x34\x82\x43\x2d\xb9\x77\x54\xaf\xf0\xde\xd5\xb4\xd6\xa4\xbd\x64\x6c\x55\xe9\x07\x1a\xf6\xbc\x0e\xa9\x67\x7e\x09\x4f\x5f\x3e\xd7\x2b\x69\xa5\xc6\xc7\x01\xe2\xda\xe8\x94\x65\x6e\x52\x1f\xf3\x7c\xa1\x2e\x99\xbb\x4c\x5e\x73\xce\xbe\x83\xcf\xc0\xca\xe6\xce\x0b\x75\xb1\x12\x40\x6a\xf1\xbf\x21\x16\x62\x6c\x05\x95\xf7\xee\x62\x6b\xec\x0d\xda\x5c\x1c\x2c\x0a\xf5\x03\xd2\xf6\xbb\x74\x79\x5c\x93\x8c\x61\xfc\xad\x9f\x51\xc0\xdc\xd8\x83\x40\x3e\x68\x95\x2d\x34\x7f\x1b\x82\x86\x90\xbe\x2f\xe1\x82\x0f\xd1\x05\x2d\x10\x25\x2b\x91\x
e7\x80\xd3\x5a\x17\x70\x6a\x6b\x71\x43\x7d\x78\x17\xd0\x58\x9e\xb2\xeb\x98\x7c\xb4\x3d\x8b\x09\x47\xba\x9b\xfe\x7c\x51\x3c\xab\x3c\xe7\xd2\xa9\x26\x13\x65\xed\xcb\x70\xfa\xdd\x30\x3a\x4c\x03\x02\x5a\x9f\x82\xbd\x82\xda\x37\xf8\xc5\xcf\xf9\x88\x54\x8b\xfd\xbd\xdb\x97\x41\xcd\x08\x64\x05\xc0\xf4\xd5\x72\x73\x1f\x04\x5b\x9f\x14\xda\x39\xf4\x5d\x03\x85\x44\xb2\x0b\xfb\x15\x2a\xbd\xe3\x32\x71\x32\xcf\xd0\x95\x92\x3f\xe4\x7a\x7a\x24\x79\x59\x79\xf1\xab\x89\xa5\x0d\xbf\x40\xac\xf3\x54\x09\x46\x52\xf4\x28\x53\x95\xf3\xa6\xf6\x18\xf4\x50\x5e\x5e\x61\x19\xf7\xb8\x3d\xa6\x98\xbe\xa9\xd4\xb5\x3b\x0c\x56\x46\xa8\x5e\x45\xb9\xae\x74\x37\x5e\x32\x95\x16\x43\x22\x99\x21\x7c\x15\xe4\x97\x46\x53\xbf\xf7\xc3\x00\xe8\xb0\x18\x14\x33\xb3\x81\xf9\xf7\x01\x54\x0e\x5e\xcd\x7a\x36\xb1\x2c\x66\x01\xce\xd5\x80\xe7\x0b\x03\x69\x43\x70\xf1\x70\xdb\x27\xde\x99\x78\xde\xf7\xdc\xee\xf2\xa7\xdc\x93\xbb\xd4\x10\x57\x32\x33\xe8\x63\xb2\x53\x06\x6c\x54\xb9\x99\xc9\xab\xd5\x2e\xf5\x0b\x5e\x75\x41\x93\xd2\xcf\x36\x02\x94\xdf\xd6\x0d\xc6\x7f\x73\x11\x8a\xda\xf6\x82\x8c\x9f\xa9\x8b\x01\x93\x59\x35\x77\x87\x39\x37\x77\x4e\xa4\x51\x29\x35\xf0\xfd\x4b\x00\xef\xf3\xc0\xcb\x0e\x8a\xb9\x6f\x8b\x95\x2a\xb7\xca\x58\x79\xe6\xb5\x80\xac\x9d\x67\x60\x54\x91\xf8\x12\x1f\xec\x81\xb9\x2f\xfb\xb7\x03\xcf\x46\x2d\xc5\x57\x1c\xca\xf1\xb7\x34\x5a\xb1\x93\xd4\x30\x61\x18\xa3\xf1\x9b\xf2\x79\x5b\x5c\x50\xd7\xe6\x4a\x98\x0c\xc2\x52\xac\xc4\x0e\x8a\x60\x50\x35\xa1\x5d\x40\x6d\x86\x9a\x2b\xd2\x75\xa9\xbf\xbb\xaf\x0e\x4e\x3c\xc1\xb3\xec\xe4\xfd\x2d\x51\x9a\xa5\x40\xfc\x27\xdd\xfe\xc3\xcc\x0e\x3b\xd3\x5b\x68\xbc\x30\x9c\xf9\xba\x9e\xf5\xec\x47\x52\xe7\x2b\x9b\x36\x5f\xea\x7d\xbd\x38\xc6\x95\xa6\xe4\x6b\xa9\xf8\xf5\x69\xd8\x57\x1c\x21\x44\x72\x82\xd1\x01\x17\xe2\xfc\x31\x11\xa5\xb7\xc2\x46\x94\xd9\xfc\x33\x73\xbc\x9b\x34\xac\xbb\xba\xce\x29\x32\x22\x44\xb5\x45\xc8\xbd\x44\xc7\xa5\x41\x65\x5c\x47\xf6\xff\x02\x1f\x62\x58\x35\x71\xf2\x42\x60\xa4\x74\xb4\x09\xe0\x55\xee\x28\xce\xd6\xb1\xa2\xc8\x4b\x9a\xf8\x28\x2a\xfa\x5e\x4c\x29\xa5\x
72\x5b\xba\x85\x76\xa3\x19\xd8\xa1\xd6\x3e\xd3\xbb\xd3\x60\x57\x1c\x7c\x66\x34\xa4\x55\xb3\xd3\x52\xaf\xf5\x19\x2e\x5d\xe9\x4d\xc4\x40\x10\x6f\x69\x56", 1024); memcpy((void*)0x100007c0, "\xab\x28\x99\x79\xa2\x68\x0e\xc5\x67\x8c\xa2\xf6\x92\x43\xee\x51\x5f\xad\xd8\xe8\xe6\xd5\x9c\x96\x8b\x2d\x89\xc0\x13\xed\x60\x12", 32); *(uint32_t*)0x100007e0 = 5; *(uint8_t*)0x100007e4 = 7; *(uint32_t*)0x100007e8 = 0x10000340; memcpy((void*)0x10000340, "\xc1\xf7\x97\x91\xe5\x37\x4e\x62\xaf\x4b\xe8\xdb\xfa\xd2\x3a\x44\x2b\xb6\xc0\xe5\x56\x8c\xa9\x8b\x71\x6e\x4d\x91\xcc\xc6\xbc\x48\x2a\xc8\x11\x23\x93\xab\x4b\x77\xfa\x22\xdd\x04\x72\x2d\x66\x87\x27\x21\x99\xa8\x23\xb1\x55\xfb\xa2\x82\xb7\x74\x4f\x27\xa0\xb7\x54\xf7\x0b\x81\xd4\xf2\x43\xff\x82\x7c\x81\x80\x4e\xe8\x73\xcc\x20\x37\xb6\xb9\xf1\x85\xb7\x5b\xd1\x83\x89\x1f\xef\x90\xa0\xf7\x53\xbf\xef\x30\x58\xcb\xf1\x45\xf9\x45\xe2\xed\x52\x6c\x5d", 111); *(uint64_t*)0x100007ec = 0x84; *(uint64_t*)0x100007f4 = 4; *(uint64_t*)0x100007fc = 8; *(uint64_t*)0x10000804 = 7; *(uint64_t*)0x1000080c = 0x400; *(uint64_t*)0x10000814 = 8; *(uint64_t*)0x1000081c = 8; *(uint32_t*)0x10000824 = 0x81; res = syscall(SYS_ioctl, (intptr_t)r[1], 0xc450444a, 0x100003c0); fprintf(stderr, "### call=8 errno=%u\n", res == -1 ? errno : 0); break; case 9: *(uint32_t*)0x10000840 = r[0]; *(uint32_t*)0x10000844 = 8; res = syscall(SYS_setsockopt, -1, 0x84, 0x29, 0x10000840, 8); fprintf(stderr, "### call=9 errno=%u\n", res == -1 ? 
errno : 0); break; case 10: *(uint8_t*)0x10000000 = -1; *(uint8_t*)0x10000001 = -1; *(uint8_t*)0x10000002 = -1; *(uint8_t*)0x10000003 = -1; *(uint8_t*)0x10000004 = -1; *(uint8_t*)0x10000005 = -1; memcpy((void*)0x10000006, "\x34\xf7\x5c\x76\xc0\xd1", 6); *(uint16_t*)0x1000000c = htobe16(0x88a8); STORE_BY_BITMASK(uint16_t, , 0x1000000e, 6, 0, 3); STORE_BY_BITMASK(uint16_t, , 0x1000000e, 0, 3, 1); STORE_BY_BITMASK(uint16_t, , 0x1000000e, 0, 4, 12); *(uint16_t*)0x10000010 = htobe16(0x8100); STORE_BY_BITMASK(uint16_t, , 0x10000012, 5, 0, 3); STORE_BY_BITMASK(uint16_t, , 0x10000012, 1, 3, 1); STORE_BY_BITMASK(uint16_t, , 0x10000012, 2, 4, 12); *(uint16_t*)0x10000014 = htobe16(0x806); *(uint16_t*)0x10000016 = htobe16(0x18); *(uint16_t*)0x10000018 = htobe16(0x812b); *(uint8_t*)0x1000001a = 6; *(uint8_t*)0x1000001b = 0xa; *(uint16_t*)0x1000001c = htobe16(2); *(uint8_t*)0x1000001e = 0; *(uint8_t*)0x1000001f = 0; *(uint8_t*)0x10000020 = 0; *(uint8_t*)0x10000021 = 0; *(uint8_t*)0x10000022 = 0; *(uint8_t*)0x10000023 = 0; memcpy((void*)0x10000024, "\x49\xd3\x25\xff\xc3\x61\xb7\xdf\x0c\xd1", 10); *(uint8_t*)0x1000002e = 0xaa; *(uint8_t*)0x1000002f = 0xaa; *(uint8_t*)0x10000030 = 0xaa; *(uint8_t*)0x10000031 = 0xaa; *(uint8_t*)0x10000032 = 0xaa; *(uint8_t*)0x10000033 = 0xbb; memcpy((void*)0x10000034, "\x81\x43\x5a\xdd\x99\x35\x40\x09\x44\x5d\xd9\x4f\x88\xb4\x89\x24", 16); (void)res; break; case 11: memcpy((void*)0x10000080, "\xdf\x75\x65\xc4\xe2\xc9\xae\x35\x00\x00\x00\x00\x66\x0f\x38\x03\x57\x52\x65\x66\x0f\x5f\xe4\x26\x0f\xf6\x6b\x00\xc4\xe1\xc5\xdb\x83\xc9\x00\x00\x00\xc4\xc1\xfa\x70\x83\x00\x80\x00\x00\x08\xf3\x0f\x1e\xfa\x0f\x0d\x69\x76\x36\xf3\x0f\x5b\xfb", 60); res = -1; errno = EFAULT; res = syz_execute_func(0x10000080); fprintf(stderr, "### call=11 errno=%u\n", res == -1 ? 
errno : 0); break; case 12: (void)res; break; } } int main(void) { syscall(SYS_mmap, 0x10000000, 0x1000000, 7, 0x1012, -1, 0); use_temporary_dir(); do_sandbox_none(); return 0; } :312:17: error: use of undeclared identifier 'SYS___realpathat' res = syscall(SYS___realpathat, -1, 0x10000000, 0x10000040, 8, 0); ^ 1 error generated. compiler invocation: clang [-o /tmp/syz-executor050501049 -DGOOS_freebsd=1 -DGOARCH_386=1 -DHOSTGOOS_freebsd=1 -x c - -m32 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -static -lc++ -Wno-overflow] --- FAIL: TestGenerate/freebsd/386/4 (1.83s) csource_test.go:121: --- FAIL: TestGenerate/freebsd/386/3 (1.33s) csource_test.go:121: --- FAIL: TestGenerate/freebsd/386/1 (1.09s) csource_test.go:121: --- FAIL: TestGenerate/freebsd/386/5 (1.48s) csource_test.go:121: --- FAIL: TestGenerate/freebsd/386/2 (1.47s) csource_test.go:121: FAIL FAIL github.com/google/syzkaller/pkg/csource 19.119s ok github.com/google/syzkaller/pkg/db 3.471s ok github.com/google/syzkaller/pkg/email (cached) ? github.com/google/syzkaller/pkg/gce [no test files] ? github.com/google/syzkaller/pkg/gcs [no test files] ? github.com/google/syzkaller/pkg/hash [no test files] ok github.com/google/syzkaller/pkg/host 2.149s ? github.com/google/syzkaller/pkg/html [no test files] ok github.com/google/syzkaller/pkg/ifuzz (cached) ? github.com/google/syzkaller/pkg/ifuzz/gen [no test files] ? github.com/google/syzkaller/pkg/ifuzz/generated [no test files] ok github.com/google/syzkaller/pkg/instance 3.697s ok github.com/google/syzkaller/pkg/ipc 9.130s ? github.com/google/syzkaller/pkg/ipc/ipcconfig [no test files] ? 
github.com/google/syzkaller/pkg/kcidb [no test files] ok github.com/google/syzkaller/pkg/kd (cached) ok github.com/google/syzkaller/pkg/log (cached) ok github.com/google/syzkaller/pkg/mgrconfig 0.099s ok github.com/google/syzkaller/pkg/osutil 0.618s ok github.com/google/syzkaller/pkg/report 6.532s ok github.com/google/syzkaller/pkg/repro 2.865s ? github.com/google/syzkaller/pkg/rpctype [no test files] ok github.com/google/syzkaller/pkg/runtest 73.600s ok github.com/google/syzkaller/pkg/serializer (cached) ? github.com/google/syzkaller/pkg/signal [no test files] ok github.com/google/syzkaller/pkg/symbolizer 0.146s ok github.com/google/syzkaller/pkg/vcs 12.019s ok github.com/google/syzkaller/prog 18.449s ok github.com/google/syzkaller/prog/test (cached) ? github.com/google/syzkaller/sys [no test files] ? github.com/google/syzkaller/sys/akaros [no test files] ? github.com/google/syzkaller/sys/akaros/gen [no test files] ? github.com/google/syzkaller/sys/freebsd [no test files] ? github.com/google/syzkaller/sys/freebsd/gen [no test files] ? github.com/google/syzkaller/sys/fuchsia [no test files] ? github.com/google/syzkaller/sys/fuchsia/fidlgen [no test files] ? github.com/google/syzkaller/sys/fuchsia/gen [no test files] ? github.com/google/syzkaller/sys/fuchsia/layout [no test files] ok github.com/google/syzkaller/sys/linux 0.149s ? github.com/google/syzkaller/sys/linux/gen [no test files] ? github.com/google/syzkaller/sys/netbsd [no test files] ? github.com/google/syzkaller/sys/netbsd/gen [no test files] ok github.com/google/syzkaller/sys/openbsd (cached) ? github.com/google/syzkaller/sys/openbsd/gen [no test files] ? github.com/google/syzkaller/sys/syz-extract [no test files] ? github.com/google/syzkaller/sys/syz-sysgen [no test files] ? github.com/google/syzkaller/sys/targets [no test files] ? github.com/google/syzkaller/sys/test [no test files] ? github.com/google/syzkaller/sys/test/gen [no test files] ? github.com/google/syzkaller/sys/trusty [no test files] ? 
github.com/google/syzkaller/sys/trusty/gen [no test files] ? github.com/google/syzkaller/sys/windows [no test files] ? github.com/google/syzkaller/sys/windows/gen [no test files] ok github.com/google/syzkaller/syz-ci 1.907s ok github.com/google/syzkaller/syz-fuzzer 0.905s ok github.com/google/syzkaller/syz-hub 0.180s ok github.com/google/syzkaller/syz-hub/state 0.068s ? github.com/google/syzkaller/syz-manager [no test files] ? github.com/google/syzkaller/tools/syz-benchcmp [no test files] ? github.com/google/syzkaller/tools/syz-bisect [no test files] ? github.com/google/syzkaller/tools/syz-check [no test files] ? github.com/google/syzkaller/tools/syz-cover [no test files] ? github.com/google/syzkaller/tools/syz-crush [no test files] ? github.com/google/syzkaller/tools/syz-db [no test files] ? github.com/google/syzkaller/tools/syz-execprog [no test files] ? github.com/google/syzkaller/tools/syz-expand [no test files] ? github.com/google/syzkaller/tools/syz-fmt [no test files] ? github.com/google/syzkaller/tools/syz-hubtool [no test files] ? github.com/google/syzkaller/tools/syz-kcidb [no test files] ok github.com/google/syzkaller/tools/syz-linter 3.029s ? github.com/google/syzkaller/tools/syz-make [no test files] ? github.com/google/syzkaller/tools/syz-mutate [no test files] ? github.com/google/syzkaller/tools/syz-prog2c [no test files] ? github.com/google/syzkaller/tools/syz-reporter [no test files] ? github.com/google/syzkaller/tools/syz-repro [no test files] ? github.com/google/syzkaller/tools/syz-reprolist [no test files] ? github.com/google/syzkaller/tools/syz-runtest [no test files] ? github.com/google/syzkaller/tools/syz-showprio [no test files] ? github.com/google/syzkaller/tools/syz-stress [no test files] ? github.com/google/syzkaller/tools/syz-symbolize [no test files] ? github.com/google/syzkaller/tools/syz-testbuild [no test files] ? 
github.com/google/syzkaller/tools/syz-trace2syz [no test files] ok github.com/google/syzkaller/tools/syz-trace2syz/parser 0.077s ok github.com/google/syzkaller/tools/syz-trace2syz/proggen 0.599s ? github.com/google/syzkaller/tools/syz-tty [no test files] ? github.com/google/syzkaller/tools/syz-upgrade [no test files] ? github.com/google/syzkaller/tools/syz-usbgen [no test files] ok github.com/google/syzkaller/vm 10.249s ? github.com/google/syzkaller/vm/adb [no test files] ? github.com/google/syzkaller/vm/bhyve [no test files] ? github.com/google/syzkaller/vm/gce [no test files] ? github.com/google/syzkaller/vm/gvisor [no test files] ok github.com/google/syzkaller/vm/isolated 0.035s ? github.com/google/syzkaller/vm/kvm [no test files] ? github.com/google/syzkaller/vm/odroid [no test files] ? github.com/google/syzkaller/vm/qemu [no test files] ok github.com/google/syzkaller/vm/vmimpl 0.058s ? github.com/google/syzkaller/vm/vmm [no test files] FAIL