// https://syzkaller.appspot.com/bug?id=2431068eb52548f20447545f1948b727e87e720a // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); pthread_attr_setstacksize(&attr, 128 << 10); if (pthread_create(&th, &attr, fn, arg)) exit(1); pthread_attr_destroy(&attr); } typedef struct { int state; } event_t; static void event_init(event_t* ev) { ev->state = 0; } static void event_reset(event_t* ev) { ev->state = 0; } static void event_set(event_t* ev) { if (ev->state) exit(1); __atomic_store_n(&ev->state, 1, __ATOMIC_RELEASE); syscall(SYS_futex, &ev->state, FUTEX_WAKE | FUTEX_PRIVATE_FLAG); } static void event_wait(event_t* ev) { while (!__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, 0); } static int event_isset(event_t* ev) { return __atomic_load_n(&ev->state, __ATOMIC_ACQUIRE); } static int event_timedwait(event_t* ev, uint64_t timeout) { uint64_t start = current_time_ms(); uint64_t now = start; for (;;) { uint64_t remain = timeout - (now - start); struct timespec ts; ts.tv_sec = remain / 1000; ts.tv_nsec = (remain % 1000) * 1000 * 1000; syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, &ts); if (__atomic_load_n(&ev->state, __ATOMIC_RELAXED)) return 1; now = current_time_ms(); if (now - start > timeout) return 0; } } struct thread_t { int created, call; event_t ready, done; }; static struct thread_t threads[16]; static void execute_call(int call); static int running; static void* thr(void* arg) { struct thread_t* th = (struct thread_t*)arg; for (;;) { event_wait(&th->ready); event_reset(&th->ready); execute_call(th->call); __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED); event_set(&th->done); } return 0; } static void loop(void) { int i, call, thread; for (call = 0; call < 7; call++) { for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) { struct thread_t* th = &threads[thread]; if (!th->created) { th->created = 1; event_init(&th->ready); event_init(&th->done); event_set(&th->done); thread_start(thr, th); } if (!event_isset(&th->done)) continue; event_reset(&th->done); th->call = call; __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED); event_set(&th->ready); event_timedwait(&th->done, 45); break; } } for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++) sleep_ms(1); } #ifndef __NR_clone #define __NR_clone 120 #endif #ifndef __NR_execve #define __NR_execve 11 #endif #ifndef __NR_mknod #define __NR_mknod 14 #endif #ifndef __NR_mmap #define __NR_mmap 192 #endif #ifndef __NR_openat #define __NR_openat 295 #endif #ifndef __NR_pipe #define __NR_pipe 42 #endif #ifndef __NR_splice #define __NR_splice 313 #endif #ifndef __NR_vmsplice #define __NR_vmsplice 316 #endif #undef __NR_mmap #define __NR_mmap __NR_mmap2 uint64_t r[3] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff}; void execute_call(int call) { long res; switch (call) { case 0: syscall(__NR_clone, 0x200, 0x200000c0, 0x20000900, 0x20000340, 0x20000640); break; case 1: memcpy((void*)0x20000140, "./file0", 8); syscall(__NR_mknod, 0x20000140, 0x4000103e, 0); break; case 2: memcpy((void*)0x20000240, "./file0", 8); syscall(__NR_execve, 0x20000240, 0x20000200, 0x20000440); break; case 3: res = syscall(__NR_pipe, 0x20000040); if (res != -1) { r[0] = *(uint32_t*)0x20000040; r[1] = *(uint32_t*)0x20000044; } break; case 4: memcpy((void*)0x20000000, "/proc/thread-self/attr/exec", 28); res = syscall(__NR_openat, 0xffffff9c, 0x20000000, 2, 0); if (res != -1) r[2] = res; break; case 5: syscall(__NR_splice, (long)r[0], 0, (long)r[2], 0, 0x8ec0, 1); break; case 6: *(uint32_t*)0x20002180 = 0x20000280; memcpy((void*)0x20000280, "\x02\x23\xb1\x92\x4e\x7a\x40\x5e\x0c\xbc\xe5\x38\x38\x3f\x9b\x8c" "\x40\x38\x44\xf2\x8a\xd6\xca\x6a\x68\x30\xa4\x51\xd6\xd9\x04\x57" "\x97\xae\x13\xee\x1d\xa1\x8e\x5b\xc1\xdd\x98\x01\x46\xae\x97\xf3" "\xda\x5a\x53\xdd\x93\x5b\x89\x74\x00\x04\x00\x00\x00\x00\x00\x00" "\x56\x16\xb3\xaf\x74\xfd\xea\x3f\x94\x14\x07\xc9\xcb\x0b\x9a\xa7" "\xeb\x35\xcb\xd0\xac\x4c\x65\xc7\xdb\x8e\xee\x38\xa3\xb7\xe7\x72" "\x36\x33\x80\x4e\xa4\x4d\x2b\xaf\xe8\x12\x43\x1a\xdd\x29\x0e\xe3" "\xd8\x66\x8a\x3f\x8a\x7a\x2f\xd9\x71\x44\x6c\x1b\x83\x6a\xac\x23" "\x80\x89\xc0\xf7\xa7\x33\xfd\x3d\x34\x26\x6b\xc2\x72\x0c\xa6\x78" "\xeb\x05\xcc\x04\x83\x4d\x58\x7d\x4c\x52\xa4\xfa\xb1\xe5\x6c\xa3" "\xae\xd8\xdc\xcf\x31\xdf\x6b\x70\xf8\x1c\x23\x2a\x67\x35\xc7\x0b" "\x45\x9e\x20\x41\x58\xbf\x05\xe7\xe7\x8f\x06\xde\x85\x31\x2e\x80" "\xb8\x93\x29\x48\x32\x15\x6c\xeb\xb6\x13\x01\x7e\x10\xb1\x48\x9f" "\xb6\xf2\xed\x9f\x78\xa9\x8b\x8c\x12\x6f\x72\x4e\xba\xe1\x2a\xa5" "\x03\xec\x78\x16\x60\x78\xe2\x5f\x73\xe7\xc4\xbd\x85\x6b\x95\xdd" "\xe2\x99\x55\x0a\xe3\xdc\xf4\x66\x2e\xab\x90\x8d\xaa\xb0\x25\x15" "\x79\x93\xf3\x27\x29\x0b\x37\xf9\x99\xea\xf5\x4b\x3d\x7a\x6d\x23" "\x43\x04\xdf\x45\xfd\x04\xfb\xa4\x35\x9e\x7d\xe1\xff\x9d\xfc\x16" "\x9f\x46\x8c\x82\x74\xe8\xd5\x58\x7c\x56\x46\x7a\xcb\x8d\x72\x0b" "\x03\x08\xf5\x8a\x0f\x37\xe3\xdc\xf9\x33\xd0\x1b\x70\x35\x8c\x6f" "\x9e\x30\xa1\x20\x5e\xf3\xe9\x54\x91\xa2\xce\x51\x6f\x4f\x40\x50" "\xd3\xe0\x08\x67\xa5\x53\x02\x89\x9b\xf0\xb6\x71\x40\x86\x9e\x0f" "\x1e\x1d\x4a\xbc\xaa\xa2\x32\x54\x7c\xed\xd5\x05\x0d\xb0\x45\x9d" "\x4b\x26\xcf\x2f\xd2\x57\x4b\x69\x4b\xd6\x51\xd0\x25\xd6\x02\x91" "\xb1\xbe\x68\x9f\x5f\x25\x29\xe4\x6c\x8d\x44\x45\x88\x89\xdb\x01" "\xaa\xa2\x91\x3b\x7a\xfb\xcb\x5b\xce", 409); *(uint32_t*)0x20002184 = 0x199; syscall(__NR_vmsplice, (long)r[1], 0x20002180, 1, 0); break; } } int main(void) { syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0); loop(); return 0; }