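// https://syzkaller.appspot.com/bug?id=45d463e3ae38f3c38f2c82f0a8c6a2c1c8ce7457
// autogenerated by syzkaller (https://github.com/google/syzkaller)
//
// Kernel crash reproducer. main() maps a fixed scratch region, forks six
// worker processes, and each worker repeatedly forks a short-lived child that
// runs execute_one(): one socket() call followed by one writev() on that
// socket with a fixed iovec array. A child that has not exited within five
// seconds is killed and the worker moves on to the next iteration.
//
// NOTE(review): the include list was unreadable in this copy of the file; the
// set below is reconstructed from the symbols the code actually uses.
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

// Index of the current worker process (0..5), set by main() before fork().
unsigned long long procid;

// How long loop() lets one execute_one() child run before killing it.
enum { EXEC_TIMEOUT_MS = 5 * 1000 };

// Kill `pid` with SIGKILL and reap it, storing its wait status in *status.
//
// Any other child that is reaped on the way is discarded. The loop gives up
// when there are no children left to wait for (ECHILD), so a child that was
// already reaped elsewhere cannot make this spin forever.
static void kill_and_wait(int pid, int* status)
{
  kill(pid, SIGKILL);
  for (;;) {
    pid_t reaped = waitpid(-1, status, 0);
    if (reaped == pid)
      break;
    if (reaped == -1 && errno != EINTR)
      break;
  }
}

// Sleep for `ms` milliseconds.
static void sleep_ms(uint64_t ms)
{
  usleep(ms * 1000);
}

// Monotonic clock in milliseconds; exits the process if the clock is unavailable.
static uint64_t current_time_ms(void)
{
  struct timespec ts;
  if (clock_gettime(CLOCK_MONOTONIC, &ts))
    exit(1);
  return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}

static void execute_one(void);

#define WAIT_FLAGS 0

// Worker body: never returns. Each iteration forks a child that runs
// execute_one() once, then polls for it with a 1 ms sleep until it exits or
// EXEC_TIMEOUT_MS has passed, in which case the child is killed and reaped.
static void loop(void)
{
  int iter;
  for (iter = 0;; iter++) {
    int pid = fork();
    if (pid < 0)
      exit(1);
    if (pid == 0) {
      execute_one();
      exit(0);
    }
    int status = 0;
    uint64_t start = current_time_ms();
    for (;;) {
      if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
        break;
      sleep_ms(1);
      if (current_time_ms() - start < EXEC_TIMEOUT_MS)
        continue;
      kill_and_wait(pid, &status);
      break;
    }
  }
}

// Fallback syscall numbers, used only when the host's <sys/syscall.h> does not
// define them. NOTE(review): these values come from the target OS the
// reproducer was generated for (they look like NetBSD's table); on any other
// platform the host header's values take precedence and the reproducer is not
// expected to be meaningful.
#ifndef SYS_mmap
#define SYS_mmap 197
#endif
#ifndef SYS_socket
#define SYS_socket 394
#endif
#ifndef SYS_writev
#define SYS_writev 121
#endif

// Result slot for the socket() call; -1 (all ones) means "no fd yet".
uint64_t r[1] = {0xffffffffffffffff};

// The syscall sequence under test. All pointers are fixed addresses inside the
// region that main() mapped at 0x20000000:
//   0x20000380  iovec array passed to writev (8 entries requested, 5 filled;
//               the remaining three are left as the mapping's zero fill, i.e.
//               iov_base == NULL, iov_len == 0)
//   0x20000080, 0x20000140, 0x20000240, 0x20000700, 0x20000500
//               the five payload buffers referenced by those iovecs
static void execute_one(void)
{
  intptr_t res = 0;
  // socket(domain 0x22, type 3, protocol 0). NOTE(review): type 3 is SOCK_RAW;
  // domain 34 must be looked up in the target's sys/socket.h — do not assume.
  res = syscall(SYS_socket, 0x22, 3, 0);
  if (res != -1)
    r[0] = res;

  // iov[0]: 186 bytes at 0x20000080
  *(uint64_t*)0x20000380 = 0x20000080;
  memcpy((void*)0x20000080,
         "\xca\xc9\x4b\xe1\x7a\x7c\xfc\xbc\x71\xaf\xe7\x95\xe9\x24\x65\x54\x34"
         "\x14\xc2\x7f\x42\x78\x65\x73\xc3\x1b\x84\x0e\xa8\x1d\x1d\x60\x23\x9b"
         "\x6e\xe7\x10\x75\x14\x19\xd0\xc8\xd1\xc6\x53\x6a\xa6\x9b\x2b\x08\x2f"
         "\x99\x84\x19\x4b\x8d\x06\xdc\xe5\x6d\xf5\x79\xce\x86\x8e\xc6\x16\x87"
         "\x93\x9a\xcb\xb8\x84\x60\xc4\xcb\x76\x01\x86\x7a\xec\x1c\xb6\x65\x8c"
         "\xa0\x57\xba\x8a\xab\x93\x92\xd7\x82\x31\xac\x37\x12\x1a\x4c\x61\x23"
         "\x17\xa5\x16\xd5\x69\x71\x93\xb4\xcb\x1d\xb1\x35\x01\x9c\x03\x10\xe3"
         "\x8a\xda\xbe\x4f\xe5\xc0\xd6\x7d\xaf\x56\x12\xfe\x9c\x70\x1f\x01\xb0"
         "\xfa\x5b\x28\xb6\x76\xd3\xac\xf0\x8e\x84\x6a\x69\xd8\xa9\xa1\xea\xe8"
         "\xc4\x5e\x13\x6a\x40\xa0\xe0\xe3\x20\xa6\xd9\x9c\x5a\x7f\x6f\xca\x9d"
         "\x18\x98\x70\x39\xf9\xc6\x1f\x8f\xd0\x1f\x29\x17\xb8\x2a\x44\x82",
         186);
  *(uint64_t*)0x20000388 = 0xba;

  // iov[1]: 248 bytes at 0x20000140
  *(uint64_t*)0x20000390 = 0x20000140;
  memcpy((void*)0x20000140,
         "\x08\x87\x24\xce\x37\xf8\xd2\x76\x10\xce\x02\x88\x56\xa0\x60\xc8\x9c"
         "\x7a\xe6\x64\xca\x30\xe6\x4e\x2d\xc3\x23\x0f\x9a\x8d\xf7\x79\xba\xbd"
         "\xf8\xb0\x40\x3d\x19\x9b\x7d\xcb\xfa\xcd\xe4\x22\x78\xe2\x9d\x7c\x53"
         "\x13\x7d\x78\x3d\xc3\xc0\xfa\xf0\xaa\x49\xc2\x7e\xf9\xdf\x56\x67\xbd"
         "\x3a\x88\x59\xb5\x32\x74\x2b\xab\xc7\x86\x6a\xcf\x41\x6f\x69\x96\xc3"
         "\x2d\xe3\xd1\x11\xc0\xde\x93\xf4\x61\xb2\x48\x85\xa3\x37\x32\x45\x84"
         "\xa1\x4c\x17\x65\x7d\x34\x57\x25\x37\xa4\x6c\x2b\x0c\x3c\x0c\xf8\x1c"
         "\x62\x33\x9b\xcf\x04\x9e\x10\xfc\x25\xc7\x45\x34\x34\x37\xb7\x11\xab"
         "\x8e\x96\xfb\x4f\x4a\xc1\x2b\x7c\x23\x40\xc1\x36\x80\xb9\xce\x3c\xb3"
         "\xe0\xe6\x8c\x0c\xe9\xab\x5f\x28\xe6\xa4\x8b\xad\xd1\x64\xf4\x0f\x6c"
         "\x59\x8d\x6c\xdb\xc1\x27\x89\x2b\xab\x7c\x30\x81\x1f\x60\x9b\xad\xa9"
         "\x98\x7c\x2a\x14\x9d\xf3\x4b\xf3\x48\xe3\xb9\xc5\x91\x25\xf3\xab\x25"
         "\xd0\xde\xe3\x5a\x39\xe0\x38\x52\xf4\x8d\x42\x0b\xf1\x14\x5a\x23\xab"
         "\xa2\x6e\xbe\xdb\x7c\x75\xc7\x9e\xcf\xd9\x4b\x15\x3b\x37\xa6\x89\xcd"
         "\x31\x61\x26\x89\x18\x73\xd2\x38\xcc\x4f",
         248);
  *(uint64_t*)0x20000398 = 0xf8;

  // iov[2]: 65 bytes at 0x20000240
  *(uint64_t*)0x200003a0 = 0x20000240;
  memcpy((void*)0x20000240,
         "\x06\x6e\x80\xfb\x89\xd0\x4a\x40\x24\x57\xcf\x54\xe2\xc4\x58\x49\xac"
         "\x6f\x46\x60\x11\x92\x9c\xb1\x9e\x9e\xc2\x04\x0c\xf9\x26\x8a\x62\x46"
         "\x99\x92\xb3\xff\x02\x3a\xa0\x72\x20\xa7\x67\xe2\xcc\x51\x2c\x80\xe2"
         "\xc6\x89\xda\x98\x7d\xfb\x05\x03\x6f\x61\x0f\x95\xcd\x11",
         65);
  *(uint64_t*)0x200003a8 = 0x41;

  // iov[3]: 150 bytes at 0x20000700
  *(uint64_t*)0x200003b0 = 0x20000700;
  memcpy((void*)0x20000700,
         "\xe1\xd7\x9e\x58\xb6\xd1\xc4\x58\x01\x01\xfa\x0b\x10\x9b\x81\x5c\x09"
         "\xd4\xe1\xf1\x42\x6c\xc0\x09\xce\x91\x45\xb2\x10\x2b\x1a\xb9\xd7\x30"
         "\xb2\xc3\xc6\xfa\x43\x04\x71\x11\x43\x47\x43\x01\x31\xf3\xda\xa7\x8e"
         "\xc7\x76\x0d\xaa\x54\x7a\x70\x04\xc2\xa4\x3a\x95\x0a\x23\x2f\x9a\xe7"
         "\x97\x20\x97\xb9\x80\xf7\x03\x26\x31\x28\xab\x35\x32\x0e\xe8\x8f\xd7"
         "\x74\xc0\xa6\x60\xf0\xf6\x9f\x8d\xf1\xf9\x3b\x95\xe9\xde\x0a\x8a\x82"
         "\x62\x34\x4a\x39\x70\x52\x95\x73\xa1\xd2\xd0\xc4\x7d\x1b\xb9\x4e\x2c"
         "\x14\xdc\x5a\x83\x30\x75\x11\x7a\x84\xde\x44\xe9\x4e\x47\xeb\x17\x92"
         "\x95\x75\xb4\x7d\x72\x69\x42\x7e\x7e\x43\x8e\x76\xfc\x78",
         150);
  *(uint64_t*)0x200003b8 = 0x96;

  // iov[4]: 223 bytes at 0x20000500 (the last 15 bytes are zero)
  *(uint64_t*)0x200003c0 = 0x20000500;
  memcpy((void*)0x20000500,
         "\xdd\xb2\xf9\x88\x0b\x3d\xd3\x5d\x29\xbf\x6e\xff\x68\x7b\x20\xdc\xd6"
         "\x03\x98\xba\xe8\x76\x19\x6f\x45\xb3\x93\xd2\xc0\x2b\x8e\x1e\x9a\xf0"
         "\x67\x12\x00\x16\x6f\xe0\x13\xaf\x54\xed\xfb\x76\x25\xf3\xd3\x65\xc5"
         "\x4f\x51\x08\xfb\x54\x06\x36\x8e\x42\xf2\xc4\x9c\x3b\x32\x24\x0e\xaa"
         "\x21\xe6\x8a\xfd\x0f\x25\x5f\xef\x91\xbf\x0a\xdc\xf9\x50\x09\xcd\xb4"
         "\x16\x8b\x93\x4c\x06\x2a\xbb\x7c\x9d\xa1\xdf\xa0\xca\xe0\x7e\x60\x6b"
         "\x29\xa4\x74\xcf\xdb\x9d\xbd\xe8\x86\xf1\xed\x6f\xb9\x2c\x3f\x8e\xfe"
         "\x12\x82\x44\x26\x88\xe3\xdc\x59\x3f\x36\x19\x9d\x94\xce\x08\xb0\x8b"
         "\xe3\x55\x51\x16\x16\x8d\xf6\xe1\x91\x32\x34\x35\x53\xe2\xd1\xf9\xaa"
         "\xae\x97\x9f\x3e\x08\xb4\x27\x45\xd2\x46\x6b\xd1\xa6\xc7\xb2\x78\xa7"
         "\x9f\x83\xad\x65\x10\x5e\x5a\x7a\x7a\xe8\xae\x6f\xf4\xa7\xa4\x15\x89"
         "\x76\xa5\xc9\x60\xce\x76\xd9\xd4\x1c\xa1\x66\x13\x5c\xc8\x7c\x04\x52"
         "\x74\xce\xb8\x65\x33\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
         "\x00\x00",
         223);
  *(uint64_t*)0x200003c8 = 0xdf;

  // writev(fd, iov, 8) on the socket from above; the return value is
  // deliberately ignored — the kernel's reaction is what the reproducer tests.
  syscall(SYS_writev, r[0], 0x20000380, 8);
}

int main(void)
{
  // Map 16 MiB of anonymous, writable memory at the fixed address 0x20000000
  // that execute_one() hard-codes. prot 3 is PROT_READ|PROT_WRITE;
  // NOTE(review): flags 0x1012 read as MAP_ANON|MAP_FIXED|MAP_PRIVATE on the
  // BSD flag layout — confirm against the target's <sys/mman.h>. The two
  // trailing zeros are the pad and offset arguments of the raw syscall.
  // Without this mapping every fixed-address store below would fault, so a
  // failed mapping is fatal rather than left to crash in the children.
  if (syscall(SYS_mmap, 0x20000000, 0x1000000, 3, 0x1012, -1, 0, 0) == -1)
    exit(1);
  for (procid = 0; procid < 6; procid++) {
    if (fork() == 0) {
      loop();
    }
  }
  // The parent only keeps the workers alive.
  sleep(1000000);
  return 0;
}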