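// https://syzkaller.appspot.com/bug?id=45d463e3ae38f3c38f2c82f0a8c6a2c1c8ce7457
// autogenerated by syzkaller (https://github.com/google/syzkaller)
//
// Reproducer layout (all syzkaller-generated programs share this shape):
//   main()        -> maps a fixed scratch region at 0x20000000 and forks
//                    6 worker processes
//   loop()        -> in each worker, forks a child per iteration, runs
//                    execute_one() in it and SIGKILLs it after 5 s
//   execute_one() -> the syscall sequence itself: one socket() followed by
//                    one writev() of six fixed byte buffers
//
// NOTE(review): this copy lost the header names of its #include directives
// during extraction; the list below is the set the code demonstrably needs
// (reconstructed, not copied from the original file).
#define _GNU_SOURCE

#include <signal.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

// Index of the worker process in main()'s fork loop (0..5). Only written by
// main(); the syscall sequence below does not read it.
unsigned long long procid;

// Forcibly terminate the child |pid| and reap it. waitpid(-1) reaps any child
// it meets on the way, so other exited children of this process are collected
// too; that is acceptable here because loop() has at most one live child.
static void kill_and_wait(int pid, int* status)
{
  kill(pid, SIGKILL);
  while (waitpid(-1, status, 0) != pid) {
  }
}

// Sleep for |ms| milliseconds.
static void sleep_ms(uint64_t ms)
{
  usleep(ms * 1000);
}

// Monotonic clock in milliseconds. Exits the process if the clock is
// unavailable: the reproducer has no useful way to continue without it.
static uint64_t current_time_ms(void)
{
  struct timespec ts;
  if (clock_gettime(CLOCK_MONOTONIC, &ts))
    exit(1);
  return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}

static void execute_one(void);

// Extra flags OR'ed into loop()'s waitpid() call; none are used in this
// reproducer.
#define WAIT_FLAGS 0

// Worker body: forever, fork a child that runs the syscall sequence once,
// poll for its exit every millisecond, and SIGKILL it once it has been alive
// for 5 seconds. Never returns.
static void loop(void)
{
  int iter;
  for (iter = 0;; iter++) {
    int pid = fork();
    if (pid < 0)
      exit(1);
    if (pid == 0) {
      execute_one();
      exit(0);
    }
    int status = 0;
    uint64_t start = current_time_ms();
    for (;;) {
      if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
        break;
      sleep_ms(1);
      if (current_time_ms() - start < 5 * 1000)
        continue;
      kill_and_wait(pid, &status);
      break;
    }
  }
}

// Fallback syscall numbers, used only when the target's <sys/syscall.h> does
// not define them. NOTE(review): 197/394/121 look like NetBSD's table, and
// the mmap flags in main() (0x1012) decode as MAP_PRIVATE|MAP_FIXED|MAP_ANON
// under NetBSD's constants -- confirm against the intended target before
// reusing these numbers anywhere else.
#ifndef SYS_mmap
#define SYS_mmap 197
#endif
#ifndef SYS_socket
#define SYS_socket 394
#endif
#ifndef SYS_writev
#define SYS_writev 121
#endif

// Resource table: r[0] holds the descriptor returned by the socket() call in
// execute_one(). It starts at syzkaller's "no resource" sentinel (-1 as
// uint64_t) and keeps that value if socket() fails, in which case the
// writev() below is issued on an invalid descriptor and fails. The
// reproducer deliberately does not check for this.
uint64_t r[1] = {0xffffffffffffffff};

// The syscall sequence under test. Every address it touches lies inside the
// fixed region mapped by main() at 0x20000000:
//   0x200004c0..0x20000520  six {base, len} pairs of 64-bit fields, i.e. the
//                           struct iovec array handed to writev() (LP64)
//   0x200000c0, 0x20000100, 0x20000200, 0x200002c0, 0x200003c0, 0x20000440
//                           the six buffers those entries point at
// Each len field (0x3f, 0xd8, 0xa1, 0xf1, 0x76, 0x6c) equals the byte count
// of the matching memcpy(), so the message is exactly 907 bytes of fixed,
// fuzzer-chosen data.
// Defined static to match its forward declaration above (the linkage was
// already internal; this only makes the two declarations agree).
static void execute_one(void)
{
  intptr_t res = 0;
  // socket(domain=0x11, type=3, protocol=0); the descriptor is recorded only
  // on success. NOTE(review): under NetBSD's constants 0x11/3 decode as
  // AF_ROUTE/SOCK_RAW -- confirm against the target's <sys/socket.h>.
  res = syscall(SYS_socket, 0x11ul, 3ul, 0);
  if (res != -1)
    r[0] = res;
  // iov[0]: 63 bytes
  *(uint64_t*)0x200004c0 = 0x200000c0;
  memcpy((void*)0x200000c0,
         "\x3b\xe4\xfe\xef\xa0\x51\xd2\x9a\x1d\xa4\xb5\xd9\xfc\x75\x66\x42\xfb"
         "\x35\xe1\x67\x6a\x03\x82\xe8\x41\x61\x6e\xd6\x1c\x2e\x6f\xa3\x84\xc7"
         "\xad\x3b\x11\x78\xf0\xeb\x76\x7d\x1c\x4e\x21\x5d\x46\xed\x83\x06\x28"
         "\x50\x2e\xc9\xeb\x86\x7e\x69\xc2\xc8\x36\xed\xd3",
         63);
  *(uint64_t*)0x200004c8 = 0x3f;
  // iov[1]: 216 bytes
  *(uint64_t*)0x200004d0 = 0x20000100;
  memcpy((void*)0x20000100,
         "\x9e\xb3\xb2\xff\xd5\x56\x61\x6d\x5c\x50\xde\x80\x61\xcf\xcb\x2d\x13"
         "\xe8\xfa\xee\xa1\xbe\x25\xb9\x4b\xd5\xff\xf4\x7c\xc2\xd0\x5b\xc4\xe2"
         "\xff\x08\xbe\x77\x86\xbe\xd7\xb1\x84\xcb\x20\x29\x11\x20\x35\xf0\x69"
         "\x2f\xe6\x24\x21\x96\x7e\x7e\x9e\xdc\x67\xf4\x88\xe0\xc8\x4e\xbd\xa8"
         "\x95\x56\x45\x66\x59\x23\x68\xc6\x7d\x3c\x13\xfb\xd6\xd5\x1f\x78\x46"
         "\x56\x6a\x01\x1a\xe4\xe8\x1d\xa0\x96\xfb\x31\x68\x67\xb0\x4d\xfb\xcb"
         "\x96\x53\xc7\x78\xb9\x0a\xc8\x91\x44\xc2\x95\xcd\x71\x2e\x60\x37\xd5"
         "\x6d\x83\x04\xbf\xfb\xce\x43\x34\xca\x1b\x5d\xf7\x98\x3f\xde\xe8\x25"
         "\xc4\xce\x10\x80\xa9\x25\x5d\xf4\x96\xa4\xab\x3f\xf1\xed\x0c\x56\x52"
         "\xaf\x76\x49\x67\x14\xa4\x58\x7d\x8b\x0f\x2a\x55\x32\xbf\xee\x95\x9f"
         "\xba\x8e\x94\xf5\xb7\x3a\x7e\x85\x59\xdb\x06\xcc\xf3\x3a\xd2\xc3\xbe"
         "\x33\xa1\xc1\x53\x7f\x15\xa0\x38\x17\x23\xf0\xff\x2c\x02\xbb\xf6\x16"
         "\x4f\xc6\x3f\xc4\x63\xe8\xc5\xfc\xcb\x53\x72\x62",
         216);
  *(uint64_t*)0x200004d8 = 0xd8;
  // iov[2]: 161 bytes
  *(uint64_t*)0x200004e0 = 0x20000200;
  memcpy((void*)0x20000200,
         "\x65\xfe\x4f\x40\x9a\x59\x27\xbd\x36\xa7\x9c\x1a\xb4\x6c\x3b\xd7\x01"
         "\xc1\x7b\xcf\x89\x64\x89\x80\xdc\xc0\x0f\x39\xf2\x34\x14\x53\x79\x15"
         "\x34\xbc\x89\x0f\x71\x4e\xbe\x1c\xcf\x1d\xff\x98\x1a\x56\xbb\x02\x37"
         "\x51\xee\x04\xcb\xdb\xa2\x4e\xcf\x55\x42\xf8\x92\x0a\x4d\x7f\x89\x25"
         "\x8f\x72\x11\x71\x36\x88\xc1\x5f\xc5\xb6\x6c\xae\x52\x31\xac\x15\x69"
         "\x55\xe3\x0b\xdf\x00\x31\x9d\xbe\x66\x91\x2d\x09\xb2\x76\x79\xfb\xf5"
         "\x65\x00\xb7\xb6\x32\x04\x2d\x92\xf9\xee\xc9\xd1\xd9\xc2\x06\x2d\x8d"
         "\x23\x6f\x8b\x22\x12\x9a\x3f\xe4\xe6\x81\xf2\xae\x03\x4e\x05\x87\xb0"
         "\x60\x12\xd2\x4c\x85\x93\xfe\x32\x35\x85\x9f\x4f\x73\x47\x57\x9c\xee"
         "\xab\x97\xc6\x9c\x92\x2f\xca\xc8",
         161);
  *(uint64_t*)0x200004e8 = 0xa1;
  // iov[3]: 241 bytes
  *(uint64_t*)0x200004f0 = 0x200002c0;
  memcpy((void*)0x200002c0,
         "\x40\xfc\x88\x8c\x6d\x38\x4a\x8e\x98\xc8\x68\x59\x00\x5a\x9a\x49\x89"
         "\x39\x0d\xa6\x46\x09\x21\x10\xce\xc4\x99\x4b\xac\x50\x0e\x5d\x19\x10"
         "\x6d\x29\x5a\xfb\x84\x3b\x6f\x50\xfd\x5a\x16\x5b\x76\x23\xe8\xde\xbb"
         "\xf7\x43\xa0\xbb\x44\xa1\x88\x03\x96\x5e\x29\xd8\xda\x5d\x3e\x0b\x07"
         "\x56\xe2\xe5\x2e\x0e\x17\xea\x79\x56\x32\x6a\x82\xf2\xf8\xfa\x22\x7d"
         "\x8c\xa1\x86\xe3\xed\x33\xc3\x05\xdf\xe0\xf3\x25\xd8\x7d\x8f\xfd\xfd"
         "\xc8\xc5\x69\x81\x5a\xc1\xb6\xf7\x39\x4a\x8a\xa7\x90\xef\xcd\x26\x84"
         "\xc4\x63\xa7\x9e\x68\xa9\x1d\x8e\x03\x86\x76\x15\xb0\xa3\xf2\xc3\xf1"
         "\x39\xa2\x44\xf7\xdf\x20\x59\xcd\xd7\x40\x0d\x50\xce\xc3\x21\x19\x4b"
         "\x99\xa4\xbf\xe1\xfb\x3e\x1c\x50\xde\xa4\x1c\xae\x3c\x6c\x74\x0b\x1b"
         "\xf4\x07\x70\x8f\x7a\xbf\x06\xf7\xdc\x15\xf3\x1e\xc9\x23\xcd\x9b\xd3"
         "\x9b\x1d\xf6\xb6\x74\xc3\xa5\x67\x5c\xfb\xcb\x77\xae\xb9\x0c\x87\xef"
         "\x74\xf6\x35\x7d\xa1\x4b\x24\x2e\xec\x3e\x35\x9c\xc6\xf6\xc9\xe6\xc1"
         "\x35\xb0\xb2\x60\xba\xdf\x8c\xf9\xc5\xed\x90\x6e\xeb\x1e\x65\x47\x50"
         "\xbe\xdb\x17",
         241);
  *(uint64_t*)0x200004f8 = 0xf1;
  // iov[4]: 118 bytes
  *(uint64_t*)0x20000500 = 0x200003c0;
  memcpy((void*)0x200003c0,
         "\x51\x1f\x37\x8b\x98\x5b\x92\xf2\xae\xf7\x55\xfb\x14\x56\x47\x60\x5b"
         "\x66\x32\x56\x9e\x4d\x17\xfb\xea\xf2\x0e\xa0\x26\x31\x66\xb8\x73\x91"
         "\x59\xe0\x0c\x17\x67\x45\xc1\xf4\xe3\x7a\x12\xd7\xf7\xb5\x3c\x9d\x4f"
         "\x88\x6a\xf1\x2d\x60\xc9\xe9\x64\x09\x33\xef\x2f\xe6\x6f\xb0\x65\x85"
         "\x55\x53\x39\x1a\xfa\xac\x56\xa8\x8c\x4f\x8f\x08\xf3\x0f\x36\x0e\x0c"
         "\x1a\x42\x0d\x5e\xf0\x6e\x9b\x6f\x2b\xb0\x39\x67\x8d\xb8\x53\xb1\x12"
         "\xd6\xe6\x48\x9a\x66\x35\x9e\x4f\xef\x93\x61\x5c\x75\xc6\x4a\xb2",
         118);
  *(uint64_t*)0x20000508 = 0x76;
  // iov[5]: 108 bytes
  *(uint64_t*)0x20000510 = 0x20000440;
  memcpy((void*)0x20000440,
         "\x2a\x3d\xd4\x8a\xca\x84\xbd\x80\xea\x09\x1e\x17\x18\xf8\xa4\x29\xca"
         "\x9c\x92\xc7\x15\xb7\xba\x44\x00\xe5\x72\x59\x03\x62\x2c\xfc\x9e\xd5"
         "\xc8\x82\x0c\xcf\xf0\xb6\x70\xe6\xfe\xc4\xfc\x60\x78\x99\xa0\x73\xd9"
         "\xe2\x77\x78\x25\x74\xbf\xc2\x4e\x1c\x07\x90\xbb\x0f\xa8\x3b\x02\x80"
         "\x39\xa4\xa1\xe7\x01\xaf\xcf\x7f\xe0\xbd\x5a\x05\xbf\xd0\x14\x19\x2d"
         "\xb4\x13\xbd\x90\x39\x7e\x8f\x08\x73\xd4\x5d\x99\xc6\x3f\xd8\x4c\x25"
         "\x44\x1c\x0b\x05\x69\xe3",
         108);
  *(uint64_t*)0x20000518 = 0x6c;
  // writev(fd=r[0], iov=0x200004c0, iovcnt=6): hands all six buffers to the
  // kernel in a single call. The return value is intentionally ignored.
  syscall(SYS_writev, r[0], 0x200004c0ul, 6ul);
}

int main(void)
{
  // Map the fixed 16 MiB scratch region used by execute_one(): addr
  // 0x20000000, len 0x1000000, prot 3 (PROT_READ|PROT_WRITE), flags 0x1012,
  // fd -1, then two trailing zeros (this target's mmap takes seven
  // arguments; see the NOTE on the SYS_* fallbacks above). The result is
  // not checked, as in every syzkaller reproducer: if the mapping fails the
  // first store in execute_one() faults in the child and loop() simply
  // starts the next iteration.
  syscall(SYS_mmap, 0x20000000ul, 0x1000000ul, 3ul, 0x1012ul, -1, 0ul, 0ul);
  // Six worker processes run the sequence concurrently; each child enters
  // loop() and never returns. The parent only stays alive to keep them
  // parented.
  for (procid = 0; procid < 6; procid++) {
    if (fork() == 0) {
      loop();
    }
  }
  sleep(1000000);
  return 0;
}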