// https://syzkaller.appspot.com/bug?id=1032ace3ce23b2ee0d1f6587ed65eda11d8f74c4 // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include static unsigned long long procid; static void kill_and_wait(int pid, int* status) { kill(pid, SIGKILL); while (waitpid(-1, status, 0) != pid) { } } static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void execute_one(void); #define WAIT_FLAGS 0 static void loop(void) { int iter; for (iter = 0;; iter++) { int pid = fork(); if (pid < 0) exit(1); if (pid == 0) { execute_one(); exit(0); } int status = 0; uint64_t start = current_time_ms(); for (;;) { if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) break; sleep_ms(1); if (current_time_ms() - start < 5 * 1000) continue; kill_and_wait(pid, &status); break; } } } #ifndef SYS_mmap #define SYS_mmap 197 #endif #ifndef SYS_socket #define SYS_socket 394 #endif #ifndef SYS_writev #define SYS_writev 121 #endif uint64_t r[1] = {0xffffffffffffffff}; void execute_one(void) { intptr_t res = 0; res = syscall(SYS_socket, 0x22ul, 3ul, 0); if (res != -1) r[0] = res; *(uint64_t*)0x20000000 = 0; *(uint64_t*)0x20000008 = 0; *(uint64_t*)0x20000010 = 0x200000c0; memcpy((void*)0x200000c0, "\x4c\xbd\x24\x07\x03\x05\x7b\x42\x53\x29\xa9\x27\x3a\x8b\x83\x08\x19" "\x13\x2c\xfd\x9d\x6c\xd0\x80\x15\x67\x46\x06\xf8\x60\x78\xba\x02\x63" "\x57\xc5\xef\x27\x74\x49\x3c\x07\x5d\x6e\xe4\xe8\xe6\x58\x80\x4d\xcc" "\x12\x56\xf6\x86\x31\x6a\x2e\x9c\xb9\xb5\x86\x26\xa0\xb4\x25\x33\xbd" "\x77\x63\x64\xf9\xc4\xad\x97\xe4\xc1\x8f\x0b\x65\x72\x2c\xc7\x4c\xbd" "\x13\xd2\x61\x19\xfd\x1f\x2e\xfc\xec\x45\xc5\xcf\xec\x7e\xad\x2a\x94" "\x89\xdd\x0b\xe5\x03\x60\x97\x7d\x99\xe0\x67\xcf\xdd\x7f\x8e\xde\x14" "\xeb\xd6\xce\x79\x28\x48\x46\x4e\x1e\x9c\x69\xe1\x22\xa0\x79\x53\xc3" "\x1b\x3d\xea\x75\xe7\x8d\x75\xf1\xa8\xf5\xdb\x1c\x33\xde\x44\xaa\xc5" "\x2f\xe5\x4d\xe6\x68\x63\x2f\xab\xbe\x5b\xd4\x8e\x8c\x92\x1f\xdf\x09" "\x5a\x73\x7e\xea\xf0\x1e\xe8\x02\x5c", 179); *(uint64_t*)0x20000018 = 0xb3; *(uint64_t*)0x20000020 = 0x20000180; memcpy((void*)0x20000180, "\xdf\xa6\x17\xe9\x7f\x3e\x33\x11\x15\x03\x58\x9c\x1c\x8b\xd1\xb1\x3e" "\x77\xbb\x95\xe4\x53\xf1\x50\x64\x6a\x1f\x4c\x17\x9d\x4f\x51\x42\xc9" "\xa8\x14\xb1\x71\x6a\x4b\x03\x33\x27\x84\xc6\x20\x0b\xde\x0b\x9f\xc9" "\x96\x7c\x56\x86\x44\x61\x11\x94\x26\x14\x79\x98\xd6\xc5\x7a\x46\x80" "\x39\x36\x19\x16\xfc\xe3\xd6\x6b\xd4\x71\x76\x36\x62\xea\xb7\xf8\x38" "\x3b\x21\x72\xab\xc5\xb5\x1b\x10\x60\x2c\x46\x65\xcd\x20\xc5\xfd\xa7" "\x0d\xc7\x4c\xc0\x9c\x09\x45\xd4\xff\xbe\x2e\xc2\x2d\x9c\x05\x52\xbc" "\x02\x72\x1a\x5e\x15\xed\x06\xc1\x95\x72\xc8\xff\xd3\x1f\x00\x35\x31" "\x0d\x84\x91\x3c\x42\xa6\xfc\x8f\x48\xef\x53\x4a\xe5\xeb\x95\x39\x7e" "\x55\x42\xdb\x36\xcf\x0f\xe3\x82\xab\x64\x07", 164); *(uint64_t*)0x20000028 = 0xa4; syscall(SYS_writev, r[0], 0x20000000ul, 3ul); } int main(void) { syscall(SYS_mmap, 0x20000000ul, 0x1000000ul, 3ul, 0x1012ul, -1, 0ul, 0ul); for (procid = 0; procid < 6; procid++) { if (fork() == 0) { loop(); } } sleep(1000000); return 0; }