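// https://syzkaller.appspot.com/bug?id=0a885a86c3f396f8fb35dadea0d48618bf9eb4c4
// autogenerated by syzkaller (https://github.com/google/syzkaller)
//
// Structure of this reproducer: main() maps the fixed address ranges the
// program relies on, then loop() forks a child over and over; each child
// runs execute_one() (two mq_open() calls) and is killed by the parent if
// it has not exited within five seconds.

#define _GNU_SOURCE

// NOTE(review): the header names were lost in extraction (the page shows 18
// bare `#include` directives); the list below is reconstructed from the
// identifiers this file uses and should be confirmed against the original.
#include <dirent.h>
#include <endian.h>
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

// Sleep for `ms` milliseconds.
static void sleep_ms(uint64_t ms)
{
  usleep(ms * 1000);
}

// Return CLOCK_MONOTONIC in milliseconds. A failing clock_gettime() is
// treated as fatal: the process exits with status 1.
static uint64_t current_time_ms(void)
{
  struct timespec ts;
  if (clock_gettime(CLOCK_MONOTONIC, &ts))
    exit(1);
  return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}

// Format `what` (printf-style, with the trailing varargs) into a 1024-byte
// buffer and write it to `file`, which is opened write-only (no create).
// Output longer than 1023 bytes is silently truncated by vsnprintf.
// Returns true on a complete write; false if open() fails or write() does
// not write every byte, in which case errno reflects the failing write()
// rather than the subsequent close().
static bool write_file(const char* file, const char* what, ...)
{
  char buf[1024];
  va_list args;
  va_start(args, what);
  vsnprintf(buf, sizeof(buf), what, args);
  va_end(args);
  buf[sizeof(buf) - 1] = 0;
  int len = strlen(buf);
  int fd = open(file, O_WRONLY | O_CLOEXEC);
  if (fd == -1)
    return false;
  if (write(fd, buf, len) != len) {
    int err = errno;
    close(fd);
    errno = err;
    return false;
  }
  close(fd);
  return true;
}

// SIGKILL the child `pid` and its whole process group, then reap it.
// First polls waitpid() for up to ~100 ms; if the child still has not
// been reaped, writes one byte to every /sys/fs/fuse/connections/*/abort
// file (presumably to unblock a child stuck in a FUSE request) and then
// blocks in waitpid() until `pid` is collected. `status` receives the
// child's wait status.
static void kill_and_wait(int pid, int* status)
{
  kill(-pid, SIGKILL);
  kill(pid, SIGKILL);
  for (int i = 0; i < 100; i++) {
    if (waitpid(-1, status, WNOHANG | __WALL) == pid)
      return;
    usleep(1000);
  }
  DIR* dir = opendir("/sys/fs/fuse/connections");
  if (dir) {
    for (;;) {
      struct dirent* ent = readdir(dir);
      if (!ent)
        break;
      if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
        continue;
      char abort[300];
      snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort",
               ent->d_name);
      int fd = open(abort, O_WRONLY);
      if (fd == -1) {
        continue;
      }
      // Any single byte written to the abort file triggers the abort; the
      // first byte of the path buffer is reused as that byte.
      if (write(fd, abort, 1) < 0) {
      }
      close(fd);
    }
    closedir(dir);
  } else {
  }
  while (waitpid(-1, status, __WALL) != pid) {
  }
}

// Child-side setup: die with SIGKILL if the parent goes away, become a
// process-group leader so kill(-pid) from the parent reaches every
// descendant, and raise oom_score_adj to 1000 so the OOM killer prefers
// this child over the parent.
static void setup_test()
{
  prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
  setpgrp();
  write_file("/proc/self/oom_score_adj", "1000");
}

static void execute_one(void);

#define WAIT_FLAGS __WALL

// Parent driver: forks forever. Each child runs setup_test() and
// execute_one() and exits 0. The parent polls every 10 ms and, once the
// child has been running for 5000 ms without exiting, kills and reaps it
// via kill_and_wait(). A failed fork() exits the whole program.
static void loop(void)
{
  int iter = 0;
  for (;; iter++) {
    int pid = fork();
    if (pid < 0)
      exit(1);
    if (pid == 0) {
      setup_test();
      execute_one();
      exit(0);
    }
    int status = 0;
    uint64_t start = current_time_ms();
    for (;;) {
      sleep_ms(10);
      if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
        break;
      if (current_time_ms() - start < 5000)
        continue;
      kill_and_wait(pid, &status);
      break;
    }
  }
}

// The program under test: two mq_open() calls. Both name buffers live in
// the fixed 0x200000000000 region mapped by main(). The first opens/creates
// a queue named "eth0"; the second uses a 336-byte (0x150) name with the
// same flags and mode 0x11. Return values are deliberately ignored.
void execute_one(void)
{
  if (write(1, "executing program\n", sizeof("executing program\n") - 1)) {
  }
  // mq_open arguments: [
  //   name: ptr[in, buffer] {
  //     buffer: {65 74 68 30 00} (length 0x5)
  //   }
  //   flags: mq_open_flags = 0x42 (8 bytes)
  //   mode: open_mode = 0x0 (8 bytes)
  //   attr: nil
  // ]
  // returns fd_mq
  memcpy((void*)0x200000000000, "eth0\000", 5);
  syscall(__NR_mq_open, /*name=*/0x200000000000ul, /*flags=O_CREAT|O_RDWR*/ 0x42ul,
          /*mode=*/0ul, /*attr=*/0ul);
  // mq_open arguments: [
  //   name: ptr[in, buffer] {
  //     buffer: {65 74 68 30 00 23 13 ae 75 e0 fb 75 30 2a f3 11 69 dd d9 c6
  //     87 de bf 5f a0 f6 df 6b bf 2e 22 a6 c0 23 70 cd 1c 2f a6 f2 bc 79 4c
  //     85 61 b5 bb 7e 2b 3e bc 93 f8 ab 9a 33 85 6c 1d 15 11 1a 7b 40 21 32
  //     b6 21 ae f7 39 6b 90 88 0b 38 49 24 fd 51 1d 90 3d 72 d8 c0 d8 09 2f
  //     8d 76 b8 93 c3 43 ae 9d 63 d1 54 dd 14 d3 e1 be 5f 24 41 3d 7a ee bd
  //     2f 58 be 6d 4f 58 29 73 94 de be 5f 0b 01 be eb bb 91 11 7a c2 7c 64
  //     1b 04 d2 f9 79 78 b2 1b 08 4c 54 72 77 88 9e 30 09 c6 e2 9c ed 5c d8
  //     5b c8 04 20 f3 ac 5d 56 1d 3a fc c3 9e 02 07 78 ef fe 1c 2e 54 54 cf
  //     bf f5 80 61 25 dc 51 b3 43 75 54 cc 37 8a 76 73 b2 07 fe b3 6a 2a ad
  //     18 49 cc e9 aa 7b 5d ef b7 f2 ee 2a f9 35 08 4a 74 d0 73 c4 aa c8 13
  //     7e b2 f2 30 bd 66 db ae 47 e3 fb ef 94 ef 3a 51 1b e3 a3 a4 7d ef 60
  //     65 cd 4c ab db 0d f2 79 9f 67 31 f4 09 18 69 2f 21 13 f1 2c 8c 75 aa
  //     bf 7e 29 94 1b 32 93 86 e7 9a f2 6a a8 96 a6 a2 fc 4e 81 af 54 68 b3
  //     1b 6f 3a e8 0b 71 37 53 e4 48 f3 4c a0 9c 97 42 12 10 9d aa 7f 71 06
  //     b9 28 f6 1c 83 b1 4a ec 92 36 b5 61 30 a0 42 ae 7c} (length 0x150)
  //   }
  //   flags: mq_open_flags = 0x42 (8 bytes)
  //   mode: open_mode = 0x11 (8 bytes)
  //   attr: nil
  // ]
  // returns fd_mq
  memcpy((void*)0x200000000080,
         "eth0\000#\023\256u\340\373u0*\363\021i\335\331\306\207\336\277_"
         "\240\366\337k\277.\"\246\300#p\315\034/"
         "\246\362\274yL\205a\265\273~+>"
         "\274\223\370\253\2323\205l\035\025\021\032{@!2\266!"
         "\256\3679k\220\210\v8I$\375Q\035\220=r\330\300\330\t/"
         "\215v\270\223\303C\256\235c\321T\335\024\323\341\276_$A=z\356\275/"
         "X\276mOX)s\224\336\276_\v\001\276\353\273\221\021z\302|"
         "d\033\004\322\371yx\262\033\bLTrw\210\2360\t\306\342\234\355\\\330["
         "\310\004 "
         "\363\254]V\035:\374\303\236\002\ax\357\376\034.TT\317\277\365\200a%"
         "\334Q\263CuT\3147\212vs\262\a\376\263j*\255\030I\314\351\252{]"
         "\357\267\362\356*\3715\bJt\320s\304\252\310\023~"
         "\262\3620\275f\333\256G\343\373\357\224\357:Q\033\343\243\244}\357`"
         "e\315L\253\333\r\362y\237g1\364\t\030i/"
         "!\023\361,\214u\252\277~)"
         "\224\0332\223\206\347\232\362j\250\226\246\242\374N\201\257Th\263\033"
         "o:\350\vq7S\344H\363L\240\234\227B\022\020\235\252\177q\006\271("
         "\366\034\203\261J\354\2226\265a0\240B\256|",
         336);
  syscall(__NR_mq_open, /*name=*/0x200000000080ul, /*flags=O_CREAT|O_RDWR*/ 0x42ul,
          /*mode=S_IXOTH|S_IWGRP*/ 0x11ul, /*attr=*/0ul);
}

// Entry point: map one prot=0 page below and one above a 16 MiB RWX region
// at 0x200000000000 (the fixed addresses execute_one() writes its syscall
// arguments to; the prot=0 pages presumably act as guards), then hand off
// to loop(), which never returns.
int main(void)
{
  syscall(__NR_mmap, /*addr=*/0x1ffffffff000ul, /*len=*/0x1000ul, /*prot=*/0ul,
          /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/(intptr_t)-1,
          /*offset=*/0ul);
  syscall(__NR_mmap, /*addr=*/0x200000000000ul, /*len=*/0x1000000ul,
          /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul,
          /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/(intptr_t)-1,
          /*offset=*/0ul);
  syscall(__NR_mmap, /*addr=*/0x200001000000ul, /*len=*/0x1000ul, /*prot=*/0ul,
          /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/(intptr_t)-1,
          /*offset=*/0ul);
  loop();
  return 0;
}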