// https://syzkaller.appspot.com/bug?id=07cc21690e2fc06a108d6e5aa9a4e5becaf265b4
// autogenerated by syzkaller (https://github.com/google/syzkaller)
//
// Kernel-bug reproducer. The syscall names used below (SYS_freebsd11_fstat,
// SYS___semctl) are FreeBSD's, so this targets a FreeBSD kernel. Control
// flow: main() maps a fixed 16 MiB RWX scratch region at 0x20000000 that
// every later call reads and writes through raw pointers, moves into a fresh
// temporary directory, applies resource limits (no privilege drop — the
// "none" sandbox), then loop() dispatches the 16 numbered syscalls in
// execute_call() across worker threads. The program is expected to crash
// the kernel it runs on; that is its purpose, not a defect.
//
// NOTE(review): the header names were lost when this listing was extracted;
// each "#include" below originally named a system header. They are left as
// found rather than guessed.

#define _GNU_SOURCE

#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include

// Sleep for `ms` milliseconds (usleep takes microseconds).
static void sleep_ms(uint64_t ms)
{
  usleep(ms * 1000);
}

// Monotonic clock in milliseconds; exits the process if the clock is unavailable.
static uint64_t current_time_ms(void)
{
  struct timespec ts;
  if (clock_gettime(CLOCK_MONOTONIC, &ts))
    exit(1);
  return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}

// Create ./syzkaller.XXXXXX, make it world-writable (0777) and chdir into it.
// Any failure exits the process. The directory is never removed.
static void use_temporary_dir(void)
{
  char tmpdir_template[] = "./syzkaller.XXXXXX";
  char* tmpdir = mkdtemp(tmpdir_template);
  if (!tmpdir)
    exit(1);
  if (chmod(tmpdir, 0777))
    exit(1);
  if (chdir(tmpdir))
    exit(1);
}

// Start a detached-by-neglect thread (the pthread_t is discarded) with a
// 128 KiB stack. EAGAIN is retried up to 100 times with a 50 us pause;
// any other error, or exhausting the retries, exits the process.
static void thread_start(void* (*fn)(void*), void* arg)
{
  pthread_t th;
  pthread_attr_t attr;
  pthread_attr_init(&attr);
  pthread_attr_setstacksize(&attr, 128 << 10);
  int i = 0;
  for (; i < 100; i++) {
    if (pthread_create(&th, &attr, fn, arg) == 0) {
      pthread_attr_destroy(&attr);
      return;
    }
    if (errno == EAGAIN) {
      usleep(50);
      continue;
    }
    break;
  }
  exit(1);
}

// Binary event: `state` is 0 (clear) or 1 (set), guarded by `mu`, signalled on `cv`.
typedef struct {
  pthread_mutex_t mu;
  pthread_cond_t cv;
  int state;
} event_t;

// Initialise the mutex/condvar and clear the event; exits on init failure.
static void event_init(event_t* ev)
{
  if (pthread_mutex_init(&ev->mu, 0))
    exit(1);
  if (pthread_cond_init(&ev->cv, 0))
    exit(1);
  ev->state = 0;
}

// Clear the event. Note: written without taking `mu`; callers below only
// reset an event they have just observed as set and are the sole waiter of.
static void event_reset(event_t* ev)
{
  ev->state = 0;
}

// Set the event and wake all waiters. Setting an already-set event is
// treated as a protocol violation and exits the process.
static void event_set(event_t* ev)
{
  pthread_mutex_lock(&ev->mu);
  if (ev->state)
    exit(1);
  ev->state = 1;
  pthread_mutex_unlock(&ev->mu);
  pthread_cond_broadcast(&ev->cv);
}

// Block until the event is set (spurious wakeups are handled by the while loop).
static void event_wait(event_t* ev)
{
  pthread_mutex_lock(&ev->mu);
  while (!ev->state)
    pthread_cond_wait(&ev->cv, &ev->mu);
  pthread_mutex_unlock(&ev->mu);
}

// Return the current state (1 = set) under the lock.
static int event_isset(event_t* ev)
{
  pthread_mutex_lock(&ev->mu);
  int res = ev->state;
  pthread_mutex_unlock(&ev->mu);
  return res;
}

// Wait up to `timeout` ms for the event; returns its state at exit (1 = set,
// 0 = timed out). Elapsed time is measured with current_time_ms().
// NOTE(review): pthread_cond_timedwait takes an absolute deadline, but `ts`
// is built from the relative `remain`; the call therefore presumably returns
// immediately and this loop degrades to polling the clock until `timeout`
// elapses — confirm, it does not affect the reproducer's syscall sequence.
static int event_timedwait(event_t* ev, uint64_t timeout)
{
  uint64_t start = current_time_ms();
  uint64_t now = start;
  pthread_mutex_lock(&ev->mu);
  for (;;) {
    if (ev->state)
      break;
    uint64_t remain = timeout - (now - start);
    struct timespec ts;
    ts.tv_sec = remain / 1000;
    ts.tv_nsec = (remain % 1000) * 1000 * 1000;
    pthread_cond_timedwait(&ev->cv, &ev->mu, &ts);
    now = current_time_ms();
    if (now - start > timeout)
      break;
  }
  int res = ev->state;
  pthread_mutex_unlock(&ev->mu);
  return res;
}

// Resource limits only: 128 MiB address space, 8 MiB mlock, 1 MiB file
// size, 1 MiB stack, no core dumps, 256 fds. setrlimit results are ignored.
// Nothing here drops privileges, changes uid/gid or enters a jail, so the
// reproducer runs with whatever rights it was started with.
static void sandbox_common()
{
  struct rlimit rlim;
  rlim.rlim_cur = rlim.rlim_max = 128 << 20;
  setrlimit(RLIMIT_AS, &rlim);
  rlim.rlim_cur = rlim.rlim_max = 8 << 20;
  setrlimit(RLIMIT_MEMLOCK, &rlim);
  rlim.rlim_cur = rlim.rlim_max = 1 << 20;
  setrlimit(RLIMIT_FSIZE, &rlim);
  rlim.rlim_cur = rlim.rlim_max = 1 << 20;
  setrlimit(RLIMIT_STACK, &rlim);
  rlim.rlim_cur = rlim.rlim_max = 0;
  setrlimit(RLIMIT_CORE, &rlim);
  rlim.rlim_cur = rlim.rlim_max = 256;
  setrlimit(RLIMIT_NOFILE, &rlim);
}

static void loop();

// "none" sandbox: apply rlimits, run the program once, report success.
static int do_sandbox_none(void)
{
  sandbox_common();
  loop();
  return 0;
}

// One worker: `ready` is set by loop() when `call` has been assigned,
// `done` is set by the worker when execute_call() returned.
struct thread_t {
  int created, call;
  event_t ready, done;
};

static struct thread_t threads[16];
// Forward declaration with internal linkage; the definition below omits
// `static` but inherits it from this declaration.
static void execute_call(int call);
// Number of calls currently executing on worker threads (atomic, relaxed).
static int running;

// Worker body: wait for an assignment, run it, mark completion, repeat forever.
static void* thr(void* arg)
{
  struct thread_t* th = (struct thread_t*)arg;
  for (;;) {
    event_wait(&th->ready);
    event_reset(&th->ready);
    execute_call(th->call);
    __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED);
    event_set(&th->done);
  }
  return 0;
}

// Dispatch calls 0..15 in order. Each call goes to the first worker whose
// `done` event is set (workers are created lazily, with `done` pre-set).
// Calls 0, 2, 4, 8 and 14 are fire-and-forget: loop() moves straight to the
// next call, so they may overlap with it. Every other call is given up to
// 50 ms to finish before the next one is dispatched. After the last call,
// wait at most ~100 ms for `running` to reach zero, then return — workers
// still inside a syscall are simply abandoned.
static void loop(void)
{
  int i, call, thread;
  for (call = 0; call < 16; call++) {
    for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) {
      struct thread_t* th = &threads[thread];
      if (!th->created) {
        th->created = 1;
        event_init(&th->ready);
        event_init(&th->done);
        event_set(&th->done);
        thread_start(thr, th);
      }
      if (!event_isset(&th->done))
        continue;
      event_reset(&th->done);
      th->call = call;
      __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED);
      event_set(&th->ready);
      if (call == 0 || call == 2 || call == 4 || call == 8 || call == 14)
        break;
      event_timedwait(&th->done, 50);
      break;
    }
  }
  for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++)
    sleep_ms(1);
}

// Results carried from one call to a later one (semaphore id, fds, a pid,
// fields read back from fstat buffers). Slots start as all-ones (-1) or 0
// and are only overwritten when the producing call did not return -1, so a
// failed producer leaves the consumer operating on an invalid value.
uint64_t r[9] = {0xffffffffffffffff, 0xffffffffffffffff, 0x0,
                 0xffffffffffffffff, 0x0, 0xffffffffffffffff,
                 0xffffffffffffffff, 0x0, 0xffffffffffffffff};

// Execute syscall number `call` of the reproducer. All buffers live in the
// fixed mapping set up by main(); the raw pointer writes below lay out the
// kernel structures byte by byte at the addresses syzkaller chose.
void execute_call(int call)
{
  intptr_t res = 0;
  switch (call) {
  case 0:
    // semget(key, 1, 0x10); id kept in r[0].
    res = syscall(SYS_semget, 0x798e2634ul, 1ul, 0x10ul);
    if (res != -1)
      r[0] = res;
    break;
  case 1:
    // fcntl on fd -1; result kept in r[1] only if it did not fail.
    res = syscall(SYS_fcntl, -1, 5ul, 0);
    if (res != -1)
      r[1] = res;
    break;
  case 2:
    // Legacy fstat on 0xffffff9c (-100 as int32; presumably AT_FDCWD) into
    // 0x20000380, repeated 32 more times; two 32-bit fields of the result
    // are read back into r[2] and r[3] for case 12.
    res = syscall(SYS_freebsd11_fstat, 0xffffff9c, 0x20000380ul);
    {
      int i;
      for (i = 0; i < 32; i++) {
        syscall(SYS_freebsd11_fstat, 0xffffff9c, 0x20000380ul);
      }
    }
    if (res != -1) {
      r[2] = *(uint32_t*)0x2000038c;
      r[3] = *(uint32_t*)0x20000390;
    }
    break;
  case 3:
    // fork() 33 times from a worker thread; the first child's pid goes to
    // r[4]. Each child presumably continues in thr()'s loop with only this
    // thread alive and then blocks on event_wait — the host's process
    // limits are what contain the fan-out (not verified here).
    res = syscall(SYS_fork);
    {
      int i;
      for (i = 0; i < 32; i++) {
        syscall(SYS_fork);
      }
    }
    if (res != -1)
      r[4] = res;
    break;
  case 4:
    // sigqueue(r[4], 0xf /* SIGTERM */, 0) — signals the child from case 3.
    // Dispatched asynchronously by loop() (no 50 ms wait).
    syscall(SYS_sigqueue, r[4], 0xf, 0);
    break;
  case 5:
    // socket(0x1c, 1, 0x84): presumably AF_INET6 / SOCK_STREAM / IPPROTO_SCTP
    // on FreeBSD; fd kept in r[5].
    res = syscall(SYS_socket, 0x1cul, 1ul, 0x84);
    if (res != -1)
      r[5] = res;
    break;
  case 6:
    // setsockopt(r[5], level 0x84, opt 0x13, NULL, 0x7e): a NULL option
    // buffer with a non-zero length.
    syscall(SYS_setsockopt, r[5], 0x84, 0x13, 0ul, 0x7eul);
    break;
  case 7:
    // socket(2, 1, 0): AF_INET stream socket, 33 times; first fd in r[6].
    res = syscall(SYS_socket, 2ul, 1ul, 0);
    {
      int i;
      for (i = 0; i < 32; i++) {
        syscall(SYS_socket, 2ul, 1ul, 0);
      }
    }
    if (res != -1)
      r[6] = res;
    break;
  case 8:
    // setsockopt(r[6], level 6, opt 0x22, &(int){3}, 4).
    *(uint32_t*)0x20000200 = 3;
    syscall(SYS_setsockopt, r[6], 6, 0x22, 0x20000200ul, 4ul);
    break;
  case 9:
    // fstatat(r[6], NULL, NULL, 0x2000).
    syscall(SYS_fstatat, r[6], 0ul, 0ul, 0x2000ul);
    break;
  case 10:
    // sendmsg(-1, msghdr @ 0x20001fc0, 0). Layout written below matches a
    // 64-bit msghdr: name=0/namelen=0, iov @ 0x20000880 with iovlen=6,
    // control @ 0x20000e80 with controllen=0x2c8, flags=0x20080. The
    // control area is a run of cmsg-like records that embed r[0], r[1],
    // r[3], r[5] and r[6]. The fd is -1, so how far the kernel parses the
    // message before rejecting the descriptor is what this step exercises.
    *(uint64_t*)0x20001fc0 = 0;
    *(uint32_t*)0x20001fc8 = 0;
    *(uint64_t*)0x20001fd0 = 0x20000880;
    // iov[0]: 1 byte of 0xaa
    *(uint64_t*)0x20000880 = 0x20000280;
    memset((void*)0x20000280, 170, 1);
    *(uint64_t*)0x20000888 = 1;
    // iov[1]: 235 bytes of fixed payload
    *(uint64_t*)0x20000890 = 0x20000440;
    memcpy((void*)0x20000440,
           "\xb1\x14\xac\x7b\x1c\x7e\x92\x1d\xd4\xef\x3a\x91\x45\x4f\xe4\x7c\xb0"
           "\x5f\x40\xb5\xaf\x4f\xc7\x73\x2c\xce\x9d\x7d\x5d\x77\x5a\x2e\x1e\x0c"
           "\x03\xc1\x7f\x32\xd1\xef\x51\xea\x2e\x72\x94\xc9\xda\xcc\x51\x5e\x24"
           "\x0b\x50\x2a\x9f\xd5\x9d\x79\x74\xbf\x4a\x1a\xb1\x48\x8e\xf7\x5e\x0c"
           "\xe9\x4e\xae\xc7\xbf\x1b\x5e\xa4\x29\xa9\x24\x2f\x31\x5d\xbc\xe6\xf4"
           "\xb2\xc4\xdd\x49\x1e\xe6\x6c\x79\xdd\x04\x08\x8f\x22\x3f\x2e\xe9\x9d"
           "\x6e\x0c\x98\x3f\x53\x8c\xd0\x22\x3b\x57\x75\xeb\x87\x58\x0f\x20\x83"
           "\xad\xc3\xce\x93\x6e\x34\xd1\x53\x63\xb1\x55\x33\x91\x44\xbc\x5a\x31"
           "\xdb\xdd\xb4\x3d\x7a\xf8\x60\x52\x10\xbf\x63\x9c\x7d\x1e\x2b\xb4\x85"
           "\x55\x3b\xbb\xa6\xba\x41\xd9\x8b\x91\xd4\x7e\x58\x22\x21\xb9\xd8\xfc"
           "\x9a\x1f\xd7\x32\xcb\x0b\x47\xb6\x51\xa4\x0a\x5a\x77\xfa\x7a\x13\x38"
           "\xca\x14\x7b\x30\x5a\x90\x21\xd5\x14\xc3\x0f\x81\xda\xbb\xbf\x72\x8e"
           "\xec\xea\x87\x8b\x34\xae\x02\xa0\x3d\x28\xaf\x65\x36\x94\x6b\xbc\x1b"
           "\xc2\x96\x9f\xa8\xa3\x81\x00\x5a\x4d\x95\xb5\x4f\xaf\x63",
           235);
    *(uint64_t*)0x20000898 = 0xeb;
    // iov[2], iov[3]: zero-length entries
    *(uint64_t*)0x200008a0 = 0;
    *(uint64_t*)0x200008a8 = 0;
    *(uint64_t*)0x200008b0 = 0x20000640;
    *(uint64_t*)0x200008b8 = 0;
    // iov[4]: 62 bytes of fixed payload
    *(uint64_t*)0x200008c0 = 0x20000340;
    memcpy((void*)0x20000340,
           "\x55\xbc\x7f\x44\xce\x0f\x51\x9b\xdb\x44\x0e\x9b\xfd\xce\x48\xf3"
           "\xf1\x3d\x89\x7c\x28\x99\x72\x0a\xa1\xa1\x44\x50\x00\xde\xba\x11"
           "\x1d\x87\xfd\x24\xc9\x2c\x0f\x0f\xb1\xb6\xca\x05\x17\xaa\x23\x66"
           "\x2e\x8f\x42\x29\x1e\x26\x0f\xc0\xf2\x85\x0e\x06\xe6\x18",
           62);
    *(uint64_t*)0x200008c8 = 0x3e;
    // iov[5]: zero-length entry
    *(uint64_t*)0x200008d0 = 0x20000740;
    *(uint64_t*)0x200008d8 = 0;
    *(uint64_t*)0x20001fd8 = 6;
    // msg_control: the sprintf calls emit a fixed-width "-1" as text
    // (23 octal digits / 20 decimal digits) as filler between the
    // binary fields; several 32-bit stores are at unaligned addresses.
    *(uint64_t*)0x20001fe0 = 0x20000e80;
    sprintf((char*)0x20000e80, "%023llo", (long long)-1);
    *(uint32_t*)0x20000e97 = -1;
    *(uint32_t*)0x20000e9b = -1;
    *(uint32_t*)0x20000e9f = -1;
    *(uint32_t*)0x20000ea3 = 0;
    memcpy((void*)0x20000ea7, "\x10\x00\x00\x00", 4);
    *(uint32_t*)0x20000eab = -1;
    sprintf((char*)0x20000eaf, "%020llu", (long long)-1);
    *(uint32_t*)0x20000ec3 = 0;
    *(uint32_t*)0x20000ec7 = -1;
    *(uint32_t*)0x20000ecb = 0;
    *(uint32_t*)0x20000ecf = -1;
    *(uint32_t*)0x20000ed3 = 0;
    *(uint32_t*)0x20000ed7 = -1;
    *(uint32_t*)0x20000edb = 0;
    *(uint32_t*)0x20000edf = 0;
    *(uint32_t*)0x20000ee3 = 0;
    *(uint32_t*)0x20000ee7 = 0;
    *(uint32_t*)0x20000eeb = 0;
    *(uint32_t*)0x20000eef = 0;
    *(uint64_t*)0x20000ef3 = -1;
    *(uint32_t*)0x20000efb = -1;
    memcpy((void*)0x20000eff,
           "\xf3\xff\x00\x00\x68\x00\x00\x00\x00\x00\x00\x00\xff\xff\x00\x00"
           "\x03\x00\x00\x00",
           20);
    *(uint32_t*)0x20000f13 = 0;
    *(uint32_t*)0x20000f17 = 0;
    *(uint32_t*)0x20000f1b = 0;
    *(uint32_t*)0x20000f1f = 0;
    memcpy((void*)0x20000f23, "\x10\x00\x02\x00", 4);
    *(uint32_t*)0x20000f27 = 0;
    *(uint32_t*)0x20000f2b = 0;
    *(uint32_t*)0x20000f2f = -1;
    *(uint32_t*)0x20000f33 = 0;
    *(uint32_t*)0x20000f37 = 0;
    *(uint32_t*)0x20000f3b = 0;
    *(uint32_t*)0x20000f3f = -1;
    *(uint32_t*)0x20000f43 = 0;
    *(uint32_t*)0x20000f47 = 0;
    *(uint32_t*)0x20000f4b = 0;
    *(uint32_t*)0x20000f4f = 0;
    *(uint32_t*)0x20000f53 = -1;
    *(uint32_t*)0x20000f57 = 0;
    sprintf((char*)0x20000f5b, "%023llo", (long long)-1);
    *(uint32_t*)0x20000f72 = -1;
    *(uint32_t*)0x20000f76 = 0;
    *(uint32_t*)0x20000f7a = -1;
    *(uint32_t*)0x20000f7e = 0;
    *(uint32_t*)0x20000f82 = r[0];  // semaphore id from case 0
    memcpy((void*)0x20000f86, "\x10\x00\x00\x00", 4);
    *(uint32_t*)0x20000f8a = 0;
    *(uint32_t*)0x20000f8e = 0;
    *(uint32_t*)0x20000f92 = 0;
    *(uint32_t*)0x20000f96 = 0;
    *(uint32_t*)0x20000f9a = 0;
    *(uint32_t*)0x20000f9e = 0;
    *(uint32_t*)0x20000fa2 = r[3];  // fstat field from case 2
    *(uint32_t*)0x20000fa6 = 0;
    *(uint32_t*)0x20000faa = 0;
    *(uint32_t*)0x20000fae = 0;
    *(uint32_t*)0x20000fb2 = 0;
    *(uint32_t*)0x20000fb6 = 0;
    *(uint32_t*)0x20000fba = -1;
    *(uint32_t*)0x20000fbe = 0;
    *(uint32_t*)0x20000fc2 = -1;
    *(uint32_t*)0x20000fc6 = 0;
    *(uint32_t*)0x20000fca = -1;
    *(uint32_t*)0x20000fce = -1;
    *(uint16_t*)0x20000fd2 = r[1];  // fcntl result from case 1, truncated to 16 bits
    *(uint32_t*)0x20000fd4 = r[5];  // SCTP socket from case 5
    *(uint32_t*)0x20000fd8 = -1;
    *(uint32_t*)0x20000fdc = -1;
    *(uint32_t*)0x20000fe0 = -1;
    memcpy((void*)0x20000fe4,
           "\x30\x00\x00\x00\x00\x00\x00\x00\xff\xff\x00\x00\x01\x00\x00\x00",
           16);
    *(uint32_t*)0x20000ff4 = -1;
    *(uint32_t*)0x20000ff8 = -1;
    *(uint32_t*)0x20000ffc = -1;
    *(uint32_t*)0x20001000 = -1;
    *(uint32_t*)0x20001004 = -1;
    *(uint32_t*)0x20001008 = r[6];  // AF_INET socket from case 7
    *(uint32_t*)0x2000100c = r[5];
    memcpy((void*)0x20001010,
           "\x00\x00\x00\x00\x68\x00\x00\x00\x00\x00\x00\x00\xff\xff\x00\x00"
           "\x03\x00\x00\x00",
           20);
    *(uint32_t*)0x20001024 = 0;
    *(uint32_t*)0x20001028 = -1;
    *(uint32_t*)0x2000102c = 0;
    *(uint32_t*)0x20001030 = -1;
    memcpy((void*)0x20001034, "\x10\x00\x00\x00", 4);
    *(uint32_t*)0x20001038 = 0;
    *(uint32_t*)0x2000103c = 0;
    *(uint32_t*)0x20001040 = -1;
    *(uint32_t*)0x20001044 = -1;
    *(uint32_t*)0x20001048 = -1;
    *(uint32_t*)0x2000104c = -1;
    *(uint32_t*)0x20001050 = -1;
    *(uint32_t*)0x20001054 = -1;
    *(uint32_t*)0x20001058 = -1;
    *(uint32_t*)0x2000105c = 0;
    *(uint32_t*)0x20001060 = 0;
    *(uint32_t*)0x20001064 = 0;
    *(uint32_t*)0x20001068 = 0;
    *(uint32_t*)0x2000106c = 0;
    *(uint32_t*)0x20001070 = 0;
    *(uint32_t*)0x20001074 = 0;
    memcpy((void*)0x20001078,
           "\x00\x00\x00\x00\x68\x00\x00\x00\x00\x00\x00\x00\xff\xff\x00\x00"
           "\x03\x00\x00\x00",
           20);
    *(uint32_t*)0x2000108c = 0;
    *(uint32_t*)0x20001090 = 0;
    *(uint32_t*)0x20001094 = 0;
    *(uint32_t*)0x20001098 = 0;
    *(uint32_t*)0x2000109c = -1;
    *(uint32_t*)0x200010a0 = 0;
    *(uint32_t*)0x200010a4 = 0;
    *(uint32_t*)0x200010a8 = 0;
    *(uint32_t*)0x200010ac = 0;
    *(uint32_t*)0x200010b0 = 0;
    *(uint32_t*)0x200010b4 = 0;
    *(uint32_t*)0x200010b8 = 0;
    *(uint32_t*)0x200010bc = 0;
    *(uint32_t*)0x200010c0 = -1;
    *(uint64_t*)0x200010c4 = r[5];
    *(uint32_t*)0x200010cc = 0;
    *(uint16_t*)0x200010d0 = -1;
    memcpy((void*)0x200010d2,
           "\x00\x00\x00\x00\x68\x00\x00\x00\x00\x00\x00\x00\xff\xff\x00\x00"
           "\x03\x00\x00\x00",
           20);
    *(uint32_t*)0x200010e6 = 0;
    *(uint32_t*)0x200010ea = 0;
    *(uint32_t*)0x200010ee = 0;
    *(uint32_t*)0x200010f2 = 0;
    memcpy((void*)0x200010f6, "\x10\x00\x00\x00", 4);
    *(uint32_t*)0x200010fa = -1;
    memcpy((void*)0x200010fe,
           "\x42\xbb\xb8\x02\xf2\x61\xe2\xf4\xd1\xce\x1d\x8a\x17\x59\xd8\x29"
           "\x19\x10\x5f\x61\x54\x62\x9a\x99\x84\x0a\xe8\x56\xe6\xc1\x01\x81"
           "\xa7\x85\xb8\xeb\x9e\x50",
           38);
    *(uint32_t*)0x20001124 = -1;
    *(uint32_t*)0x20001128 = 0;
    *(uint32_t*)0x2000112c = -1;
    *(uint32_t*)0x20001130 = 0;
    *(uint32_t*)0x20001134 = -1;
    *(uint32_t*)0x20001138 = 0;
    *(uint32_t*)0x2000113c = -1;
    *(uint32_t*)0x20001140 = -1;
    *(uint32_t*)0x20001144 = 0;
    *(uint32_t*)0x20001148 = -1;
    *(uint32_t*)0x2000114c = 0;
    *(uint32_t*)0x20001150 = -1;
    *(uint32_t*)0x20001154 = -1;
    sprintf((char*)0x20001158, "%023llo", (long long)-1);
    *(uint64_t*)0x20001fe8 = 0x2c8;  // msg_controllen
    *(uint32_t*)0x20001ff0 = 0x20080;  // msg_flags
    syscall(SYS_sendmsg, -1, 0x20001fc0ul, 0ul);
    break;
  case 11:
    // fstat on 0xffffff9c into 0x200000c0; one 32-bit field kept in r[7].
    res = syscall(SYS_fstat, 0xffffff9c, 0x200000c0ul);
    if (res != -1)
      r[7] = *(uint32_t*)0x200000e0;
    break;
  case 12:
    // __semctl(0, 0, 1, arg @ 0x20000040) where the arg points at a
    // structure at 0x20000000 built from the fstat fields r[2] and r[7].
    *(uint64_t*)0x20000040 = 0x20000000;
    *(uint32_t*)0x20000000 = r[2];
    *(uint32_t*)0x20000004 = 0;
    *(uint32_t*)0x20000008 = -1;
    *(uint32_t*)0x2000000c = r[7];
    *(uint16_t*)0x20000010 = 0x20;
    *(uint16_t*)0x20000012 = 1;
    *(uint32_t*)0x20000014 = 0;
    *(uint64_t*)0x20000018 = 5;
    *(uint64_t*)0x20000020 = 0;
    *(uint16_t*)0x20000028 = 1;
    *(uint16_t*)0x2000002a = 0;
    *(uint32_t*)0x2000002c = 0;
    *(uint64_t*)0x20000030 = 1;
    *(uint64_t*)0x20000038 = 0x16000000;
    syscall(SYS___semctl, 0, 0ul, 1ul, 0x20000040ul);
    break;
  case 13:
    // socket(2, 1, 0x84): AF_INET stream socket with protocol 0x84
    // (presumably IPPROTO_SCTP); fd kept in r[8] for cases 14 and 15.
    res = syscall(SYS_socket, 2ul, 1ul, 0x84);
    if (res != -1)
      r[8] = res;
    break;
  case 14:
    // sendmsg(r[8], msghdr @ 0x20000580, 0) with a 16-byte sockaddr
    // (len 0x10, family 2, port 0x4e20, addr 0x4585481d, big-endian) as
    // msg_name and no iov or control data. Dispatched asynchronously.
    *(uint64_t*)0x20000580 = 0x20000080;
    *(uint8_t*)0x20000080 = 0x10;
    *(uint8_t*)0x20000081 = 2;
    *(uint16_t*)0x20000082 = htobe16(0x4e20);
    *(uint32_t*)0x20000084 = htobe32(0x4585481d);
    memset((void*)0x20000088, 0, 8);
    *(uint32_t*)0x20000588 = 0x10;
    *(uint64_t*)0x20000590 = 0;
    *(uint32_t*)0x20000598 = 0;
    *(uint64_t*)0x200005a0 = 0;
    *(uint32_t*)0x200005a8 = 0;
    *(uint32_t*)0x200005ac = 0;
    syscall(SYS_sendmsg, r[8], 0x20000580ul, 0ul);
    break;
  case 15:
    // sendmsg(r[8], msghdr @ 0x200027c0, 0): sockaddr with family 2, port
    // 0x4e23 and address 0xffffffff (broadcast as written), one 1-byte iov
    // (0x0c), and a 0x14-byte control record with level 0x84 / type 7.
    // This runs while case 14's sendmsg on the same socket may still be
    // in flight (case 14 is not waited on by loop()).
    *(uint64_t*)0x200027c0 = 0x20000380;
    *(uint8_t*)0x20000380 = 0x10;
    *(uint8_t*)0x20000381 = 2;
    *(uint16_t*)0x20000382 = htobe16(0x4e23);
    *(uint32_t*)0x20000384 = htobe32(-1);
    memset((void*)0x20000388, 0, 8);
    *(uint32_t*)0x200027c8 = 0x10;
    *(uint64_t*)0x200027d0 = 0x20002680;
    *(uint64_t*)0x20002680 = 0x200003c0;
    memset((void*)0x200003c0, 12, 1);
    *(uint64_t*)0x20002688 = 1;
    *(uint32_t*)0x200027d8 = 1;
    *(uint64_t*)0x200027e0 = 0x20002740;
    *(uint32_t*)0x20002740 = 0x14;
    *(uint32_t*)0x20002744 = 0x84;
    *(uint32_t*)0x20002748 = 7;
    *(uint16_t*)0x2000274c = 0;
    *(uint32_t*)0x20002750 = 0;
    *(uint32_t*)0x200027e8 = 0x14;
    *(uint32_t*)0x200027ec = 0;
    syscall(SYS_sendmsg, r[8], 0x200027c0ul, 0ul);
    break;
  }
}

// Entry point: map the 16 MiB scratch region at the fixed address
// 0x20000000 with prot 7 (read|write|exec) and flags 0x1012 (presumably
// MAP_FIXED|MAP_PRIVATE|MAP_ANON on FreeBSD), fd -1; the mmap result is
// not checked, so every raw pointer write above faults if it failed.
// Then chdir into a scratch directory and run the sequence once.
int main(void)
{
  syscall(SYS_mmap, 0x20000000ul, 0x1000000ul, 7ul, 0x1012ul, -1, 0ul);
  use_temporary_dir();
  do_sandbox_none();
  return 0;
}