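// https://syzkaller.appspot.com/bug?id=abb6cc54bd2802dfdeb0978f7adf870325b80f92
// autogenerated by syzkaller (http://github.com/google/syzkaller)
//
// Kernel-bug reproducer. Each iteration of test():
//   1. maps a fixed scratch region at 0x20000000 that all later pointers
//      passed to the kernel point into;
//   2. creates two AF_ALG (0x26) SOCK_SEQPACKET (5) sockets and binds the
//      first to the "skcipher" / "cbc(arc4-generic)" transform;
//   3. sets a 1-byte key via setsockopt(SOL_ALG = 0x117, ALG_SET_KEY = 1);
//   4. accept()s the operation socket, sends three messages with sendmmsg()
//      and then issues a recvmsg() with slab/futex fault injection armed
//      through /proc/thread-self/fail-nth.
//
// NOTE(review): the #include lines of the original listing were stripped by
// extraction; the headers below are the standard ones required by the
// identifiers this file uses (errno, va_list, vfprintf, bool, uint*_t, open,
// O_CLOEXEC, write, close, strlen, memcpy, syscall, __NR_*, ssize_t).
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

// Terminate the whole process with `status` via exit_group and never return.
// The spin loop only exists so the noreturn contract holds even if the
// syscall were to come back.
__attribute__((noreturn)) static void doexit(int status)
{
	volatile unsigned i;
	syscall(__NR_exit_group, status);
	for (i = 0;; i++) {
	}
}

// Exit codes understood by the syzkaller harness: kFailStatus marks a hard
// failure of the reproducer itself, kRetryStatus asks for the run to be
// repeated (used when the failure was a transient resource shortage).
const int kFailStatus = 67;
const int kRetryStatus = 69;

// Print a printf-style message plus the saved errno to stderr and exit.
// errno is captured before any stdio call so the reported value is the one
// from the failing operation, not from the logging itself.
__attribute__((noreturn, format(printf, 1, 2))) static void fail(const char* msg, ...)
{
	int e = errno;
	va_list args;
	va_start(args, msg);
	vfprintf(stderr, msg, args);
	va_end(args);
	fprintf(stderr, " (errno %d)\n", e);
	doexit((e == ENOMEM || e == EAGAIN) ? kRetryStatus : kFailStatus);
}

// Format `what` into a bounded buffer and write it to `file` (which must
// already exist; no O_CREAT). Returns false if the open fails or the write is
// short; the descriptor is closed on every path.
static bool write_file(const char* file, const char* what, ...)
{
	char buf[1024];
	va_list args;
	va_start(args, what);
	vsnprintf(buf, sizeof(buf), what, args);
	va_end(args);
	buf[sizeof(buf) - 1] = 0;
	size_t len = strlen(buf);
	int fd = open(file, O_WRONLY | O_CLOEXEC);
	if (fd == -1)
		return false;
	bool ok = write(fd, buf, len) == (ssize_t)len;
	close(fd);
	return ok;
}

// Arm the kernel fault injector for the current thread so that the
// (nth + 1)-th eligible allocation fails. Returns the open descriptor of
// /proc/thread-self/fail-nth; the caller owns it and must close() it
// (the original listing dropped the return value, leaking one fd per
// iteration of loop()). Calls fail() on any error.
static int inject_fault(int nth)
{
	int fd;
	char buf[16];
	fd = open("/proc/thread-self/fail-nth", O_RDWR);
	if (fd == -1)
		fail("failed to open /proc/thread-self/fail-nth");
	snprintf(buf, sizeof(buf), "%d", nth + 1);
	if (write(fd, buf, strlen(buf)) != (ssize_t)strlen(buf))
		fail("failed to write /proc/thread-self/fail-nth");
	return fd;
}

static void test(void);

// Run the reproducer body forever; the harness decides when to stop.
void loop(void)
{
	while (1) {
		test();
	}
}

// Results of the individual syscalls, indexed as syzkaller numbered them.
// Initialised to -1 (all bytes 0xff) at the start of every iteration.
long r[91];

void test(void)
{
	memset(r, -1, sizeof(r));

	// Scratch region used for every pointer argument below:
	// 0x20000000 .. 0x20fff000, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS.
	r[0] = syscall(__NR_mmap, 0x20000000ul, 0xfff000ul, 0x3ul, 0x32ul, 0xfffffffffffffffful, 0x0ul);

	// socket(AF_ALG, SOCK_SEQPACKET, 0) twice; only r[1] is used afterwards.
	r[1] = syscall(__NR_socket, 0x26ul, 0x5ul, 0x0ul);
	r[2] = syscall(__NR_socket, 0x26ul, 0x5ul, 0x0ul);

	// struct sockaddr_alg at 0x20421fa8: salg_family = AF_ALG,
	// salg_type = "skcipher", salg_feat = salg_mask = 0,
	// salg_name = "cbc(arc4-generic)" (64-byte, zero padded).
	*(uint16_t*)0x20421fa8 = (uint16_t)0x26;
	memcpy((void*)0x20421faa, "\x73\x6b\x63\x69\x70\x68\x65\x72\x00\x00\x00\x00\x00\x00", 14);
	*(uint32_t*)0x20421fb8 = (uint32_t)0x0;
	*(uint32_t*)0x20421fbc = (uint32_t)0x0;
	memcpy((void*)0x20421fc0,
	       "\x63\x62\x63\x28\x61\x72\x63\x34\x2d\x67\x65\x6e\x65\x72\x69"
	       "\x63\x29\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
	       "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
	       "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
	       "\x00\x00\x00\x00",
	       64);
	r[8] = syscall(__NR_bind, r[1], 0x20421fa8ul, 0x58ul);

	// setsockopt(SOL_ALG, ALG_SET_KEY, key = "\xad", keylen = 1).
	memcpy((void*)0x205fffe8, "\xad", 1);
	r[10] = syscall(__NR_setsockopt, r[1], 0x117ul, 0x1ul, 0x205fffe8ul, 0x1ul);

	// accept() yields the operation socket used for the data path.
	r[11] = syscall(__NR_accept, r[1], 0x0ul, 0x0ul);

	// Array of three struct mmsghdr at 0x20e7bf58 for sendmmsg().
	// The iovec / control buffers they reference are filled in below.
	*(uint64_t*)0x20e7bf58 = (uint64_t)0x0;
	*(uint32_t*)0x20e7bf60 = (uint32_t)0x0;
	*(uint64_t*)0x20e7bf68 = (uint64_t)0x205b1000;
	*(uint64_t*)0x20e7bf70 = (uint64_t)0x1;
	*(uint64_t*)0x20e7bf78 = (uint64_t)0x20460fe8;
	*(uint64_t*)0x20e7bf80 = (uint64_t)0x0;
	*(uint32_t*)0x20e7bf88 = (uint32_t)0x20004001;
	*(uint64_t*)0x20e7bf90 = (uint64_t)0x0;
	*(uint32_t*)0x20e7bf98 = (uint32_t)0x0;
	*(uint64_t*)0x20e7bfa0 = (uint64_t)0x20150000;
	*(uint64_t*)0x20e7bfa8 = (uint64_t)0x5;
	*(uint64_t*)0x20e7bfb0 = (uint64_t)0x20761000;
	*(uint64_t*)0x20e7bfb8 = (uint64_t)0x0;
	*(uint32_t*)0x20e7bfc0 = (uint32_t)0x0;
	*(uint64_t*)0x20e7bfc8 = (uint64_t)0x0;
	*(uint32_t*)0x20e7bfd0 = (uint32_t)0x0;
	*(uint64_t*)0x20e7bfd8 = (uint64_t)0x207d8000;
	*(uint64_t*)0x20e7bfe0 = (uint64_t)0x4;
	*(uint64_t*)0x20e7bfe8 = (uint64_t)0x209a8000;
	*(uint64_t*)0x20e7bff0 = (uint64_t)0x90;
	*(uint32_t*)0x20e7bff8 = (uint32_t)0x0;

	// First message: one iovec carrying the 2 bytes "\x08\xec".
	*(uint64_t*)0x205b1000 = (uint64_t)0x20245fd3;
	*(uint64_t*)0x205b1008 = (uint64_t)0x2;
	memcpy((void*)0x20245fd3, "\x08\xec", 2);

	// Second message: five zero-length iovecs.
	*(uint64_t*)0x20150000 = (uint64_t)0x20ccb000;
	*(uint64_t*)0x20150008 = (uint64_t)0x0;
	*(uint64_t*)0x20150010 = (uint64_t)0x20d93000;
	*(uint64_t*)0x20150018 = (uint64_t)0x0;
	*(uint64_t*)0x20150020 = (uint64_t)0x203c2000;
	*(uint64_t*)0x20150028 = (uint64_t)0x0;
	*(uint64_t*)0x20150030 = (uint64_t)0x20c58000;
	*(uint64_t*)0x20150038 = (uint64_t)0x0;
	*(uint64_t*)0x20150040 = (uint64_t)0x20cbcf19;
	*(uint64_t*)0x20150048 = (uint64_t)0x0;

	// Third message: four zero-length iovecs ...
	*(uint64_t*)0x207d8000 = (uint64_t)0x20a66000;
	*(uint64_t*)0x207d8008 = (uint64_t)0x0;
	*(uint64_t*)0x207d8010 = (uint64_t)0x206e2000;
	*(uint64_t*)0x207d8018 = (uint64_t)0x0;
	*(uint64_t*)0x207d8020 = (uint64_t)0x208ca000;
	*(uint64_t*)0x207d8028 = (uint64_t)0x0;
	*(uint64_t*)0x207d8030 = (uint64_t)0x20d1efdf;
	*(uint64_t*)0x207d8038 = (uint64_t)0x0;
	// ... plus 0x90 bytes of control data: six 24-byte cmsghdrs, all at
	// level SOL_ALG (0x117), cmsg_type alternating 4 / 3 (the two values
	// match ALG_SET_AEAD_ASSOCLEN / ALG_SET_OP in <linux/if_alg.h>).
	*(uint64_t*)0x209a8000 = (uint64_t)0x18;
	*(uint32_t*)0x209a8008 = (uint32_t)0x117;
	*(uint32_t*)0x209a800c = (uint32_t)0x4;
	*(uint32_t*)0x209a8010 = (uint32_t)0x3;
	*(uint64_t*)0x209a8018 = (uint64_t)0x18;
	*(uint32_t*)0x209a8020 = (uint32_t)0x117;
	*(uint32_t*)0x209a8024 = (uint32_t)0x3;
	*(uint32_t*)0x209a8028 = (uint32_t)0x0;
	*(uint64_t*)0x209a8030 = (uint64_t)0x18;
	*(uint32_t*)0x209a8038 = (uint32_t)0x117;
	*(uint32_t*)0x209a803c = (uint32_t)0x4;
	*(uint32_t*)0x209a8040 = (uint32_t)0x1;
	*(uint64_t*)0x209a8048 = (uint64_t)0x18;
	*(uint32_t*)0x209a8050 = (uint32_t)0x117;
	*(uint32_t*)0x209a8054 = (uint32_t)0x4;
	*(uint32_t*)0x209a8058 = (uint32_t)0x5;
	*(uint64_t*)0x209a8060 = (uint64_t)0x18;
	*(uint32_t*)0x209a8068 = (uint32_t)0x117;
	*(uint32_t*)0x209a806c = (uint32_t)0x4;
	*(uint32_t*)0x209a8070 = (uint32_t)0x1;
	*(uint64_t*)0x209a8078 = (uint64_t)0x18;
	*(uint32_t*)0x209a8080 = (uint32_t)0x117;
	*(uint32_t*)0x209a8084 = (uint32_t)0x3;
	*(uint32_t*)0x209a8088 = (uint32_t)0x0;

	// sendmmsg(opfd, msgs, vlen = 3, MSG_NOSIGNAL = 0x4000).
	r[78] = syscall(__NR_sendmmsg, r[11], 0x20e7bf58ul, 0x3ul, 0x4000ul);

	// struct msghdr at 0x20b2f000 for recvmsg(): msg_name/len 0x10,
	// two iovecs (lengths 0 and 0x1a), a control buffer with controllen 0,
	// and msg_flags 0x36d.
	*(uint64_t*)0x20b2f000 = (uint64_t)0x208e8000;
	*(uint32_t*)0x20b2f008 = (uint32_t)0x10;
	*(uint64_t*)0x20b2f010 = (uint64_t)0x20030fa0;
	*(uint64_t*)0x20b2f018 = (uint64_t)0x2;
	*(uint64_t*)0x20b2f020 = (uint64_t)0x20590000;
	*(uint64_t*)0x20b2f028 = (uint64_t)0x0;
	*(uint32_t*)0x20b2f030 = (uint32_t)0x36d;
	*(uint64_t*)0x20030fa0 = (uint64_t)0x2039d000;
	*(uint64_t*)0x20030fa8 = (uint64_t)0x0;
	*(uint64_t*)0x20030fb0 = (uint64_t)0x200cd000;
	*(uint64_t*)0x20030fb8 = (uint64_t)0x1a;

	// Make the fault injector fire even in GFP_WAIT / private-futex paths
	// (best effort: failures to write these debugfs knobs are ignored, as in
	// the original), then arm it so the 3rd eligible allocation fails.
	write_file("/sys/kernel/debug/failslab/ignore-gfp-wait", "N");
	write_file("/sys/kernel/debug/fail_futex/ignore-private", "N");
	int fault_fd = inject_fault(2);

	// recvmsg(opfd, msg, MSG_DONTWAIT = 0x40) is the injected-fault target.
	r[90] = syscall(__NR_recvmsg, r[11], 0x20b2f000ul, 0x40ul);

	// Release the fail-nth descriptor so looping does not exhaust the fd
	// table (fail-nth is per-task state; closing the file does not reset it).
	close(fault_fd);
}

int main(void)
{
	loop();
	return 0;
}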