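// https://syzkaller.appspot.com/bug?id=edc4bdcf9437492a8287e70f7c3c4231511fe690
// autogenerated by syzkaller (https://github.com/google/syzkaller)
//
// Kernel crash reproducer.  Each worker process repeatedly: creates ./file0
// with the old compat_50 mknod entry point, opens it twice, dup2()s the first
// descriptor over the second and issues a 7-entry writev() on it.  It is meant
// to be run inside a throwaway VM of the kernel under test.
//
// NOTE(review): the #include list on the source page was lost to HTML
// extraction (only bare "#include" tokens survived).  The headers below are
// the ones that declare every name this file uses; the original list may have
// contained more.
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

// Syscall numbers for the target kernel.  SYS_compat_50_mknod is a
// NetBSD-specific entry point, so these look like NetBSD numbers -- confirm
// against the bug page above.  The guards keep the file buildable on a libc
// whose <sys/syscall.h> already defines them.
#ifndef SYS_compat_50_mknod
#define SYS_compat_50_mknod 14
#endif
#ifndef SYS_dup2
#define SYS_dup2 90
#endif
#ifndef SYS_mmap
#define SYS_mmap 197
#endif
#ifndef SYS_open
#define SYS_open 5
#endif
#ifndef SYS_writev
#define SYS_writev 121
#endif

// Fixed user mapping that serves as scratch space for syscall arguments.  The
// hard-coded 0x2000xxxx pointers below all fall inside it; main() maps it
// before any worker touches it.  Suffixes are kept so the variadic syscall()
// arguments have the same type as in the generated original.
#define SCRATCH_BASE 0x20000000ul
#define SCRATCH_SIZE 0x1000000ul

// Per-iteration budget (ms) before a stuck child is SIGKILLed.
#define CHILD_TIMEOUT_MS 5000
// Number of parallel worker processes forked by main().
#define NUM_PROCS 6

static unsigned long long procid;

// Kill `pid` and reap it.  The original spun forever if waitpid() failed
// (e.g. ECHILD once the child has already been reaped); now it returns on any
// error other than EINTR so the caller's loop cannot hang.
static void kill_and_wait(int pid, int *status)
{
  kill(pid, SIGKILL);
  for (;;) {
    int w = waitpid(-1, status, 0);
    if (w == pid)
      return;
    if (w == -1 && errno != EINTR)
      return;
  }
}

// Sleep for `ms` milliseconds.  Only ever called with ms == 1 here; larger
// values could overflow the useconds_t argument of usleep().
static void sleep_ms(uint64_t ms)
{
  usleep(ms * 1000);
}

// Monotonic clock in milliseconds; exits the process if the clock is missing.
static uint64_t current_time_ms(void)
{
  struct timespec ts;
  if (clock_gettime(CLOCK_MONOTONIC, &ts))
    exit(1);
  return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}

static void execute_one(void);

#define WAIT_FLAGS 0

// Worker body: fork a child that runs execute_one() once, wait up to
// CHILD_TIMEOUT_MS for it, kill it if it overruns, and repeat forever.
// waitpid(-1, ...) is safe here because each worker has exactly one live
// child at a time.
static void loop(void)
{
  int iter = 0;
  for (;; iter++) {
    int pid = fork();
    if (pid < 0)
      exit(1);
    if (pid == 0) {
      execute_one();
      exit(0);
    }
    int status = 0;
    uint64_t start = current_time_ms();
    for (;;) {
      if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
        break;
      sleep_ms(1);
      if (current_time_ms() - start < CHILD_TIMEOUT_MS)
        continue;
      kill_and_wait(pid, &status);
      break;
    }
  }
}

// Descriptors returned by the two open() calls; -1 (all ones) until an open
// succeeds, so a failed open is passed straight through to dup2()/writev().
uint64_t r[2] = {0xffffffffffffffff, 0xffffffffffffffff};

// One iovec entry as laid out in the scratch region: {base, len}, 16 bytes.
// NOTE(review): assumes the target's struct iovec is two 64-bit words --
// matches the original's 0x10-spaced stores, but confirm on the target ABI.
struct scratch_iov {
  uint64_t base;
  uint64_t len;
};

// The single syscall sequence under test.
static void execute_one(void)
{
  intptr_t res = 0;

  // mknod ./file0 with mode 0x2001 and dev 0x400 through the compat_50
  // entry point.  0x2001 looks like S_IFCHR | 0001 -- confirm against the
  // target's <sys/stat.h>.
  memcpy((void *)0x20000000, "./file0\000", 8);
  syscall(SYS_compat_50_mknod, 0x20000000ul, 0x2001ul, 0x400);

  // open(./file0, 2 /* O_RDWR-like */) -> r[0]
  memcpy((void *)0x20000000, "./file0\000", 8);
  res = syscall(SYS_open, 0x20000000ul, 2ul, 0ul);
  if (res != -1)
    r[0] = res;

  // open(./file0, 0 /* O_RDONLY-like */) -> r[1]
  memcpy((void *)0x20000000, "./file0\000", 8);
  res = syscall(SYS_open, 0x20000000ul, 0ul, 0ul);
  if (res != -1)
    r[1] = res;

  // Replace r[1] with a duplicate of r[0].
  syscall(SYS_dup2, r[0], r[1]);

  // Build a 7-entry iovec array at 0x20000640.  Entries 0 and 1 point at two
  // opaque payload buffers (142 and 210 bytes); entries 2..6 are zero.
  struct scratch_iov *iov = (struct scratch_iov *)0x20000640;

  iov[0].base = 0x20000040;
  memcpy(
      (void *)0x20000040,
      "\x23\xb2\xcc\x55\x6c\x49\x00\xd4\x66\x19\x79\x4d\x28\x9c\xb0\x73\xe2\x3e"
      "\x0e\x5d\x74\x86\xd3\x1a\xc0\x2b\x98\xd5\xd5\xab\x4c\xa3\xcc\x7e\x3d\xb4"
      "\x43\x92\xce\x4d\x39\x8c\xe0\xe4\x4b\xd6\xd5\x12\xe6\x6f\xe1\x8a\x7a\x44"
      "\xdb\x1f\x18\x2d\x57\xf0\x6a\x2e\x21\xb3\x67\xe8\xf9\xbd\xd5\xc4\x33\xfe"
      "\xac\xcf\x6e\xe1\xa3\x99\x41\xde\x78\x4c\x13\x7e\x8a\xdf\x50\x59\xa9\xf8"
      "\xd5\xb1\x86\xe9\xa7\x17\x22\x9f\x14\x7a\x57\xec\x95\x63\xf6\x7e\x13\x0c"
      "\x1b\x92\x0b\xe1\xc7\xb2\x88\x72\x7d\x54\x7a\x08\xe2\x00\xc7\x47\xd1\x3e"
      "\xb7\xee\x17\xf5\x21\xd5\x1d\x2e\x6b\xc9\xdb\x62\x6c\xcf\x22\xf0",
      142);
  iov[0].len = 0x8e;

  iov[1].base = 0x20000100;
  memcpy(
      (void *)0x20000100,
      "\x4a\x08\x79\x80\x75\x5d\xd2\x5b\x6a\x26\xe1\x24\x97\x40\xc2\x15\x5f\x9c"
      "\x29\xfe\xce\x5d\x22\x6d\x00\xf7\xd7\x67\xdd\x41\x25\xd1\x82\x9c\xba\xeb"
      "\x8f\xcc\x64\xb0\x4b\x5c\x1e\x5b\xf8\x0d\x61\x7b\xd8\xfc\x93\x3a\x1b\x3c"
      "\x3b\x72\x80\xa1\x8c\x60\x2d\x9d\x0a\x64\x8f\x28\xce\x00\xee\x83\x66\x6e"
      "\x5d\x16\x74\x82\x3d\x02\x72\xa3\x03\x9b\x7b\x1f\xaf\x6e\x75\x57\x98\x77"
      "\xae\x41\x35\x1d\x9f\x07\xba\x4b\xa6\x30\xaf\x01\x24\x75\x53\xf2\x59\xc3"
      "\x04\x0f\x0b\xa8\x6f\x0d\x99\x6d\x4a\x0d\xc6\x41\xa7\x07\xa3\x34\x06\x80"
      "\x45\x9e\x38\xf2\xef\x93\x84\x9f\x9c\x48\xb1\x4d\xa2\xb7\x80\x50\x7a\xf9"
      "\xbb\x20\x1c\x59\x02\xad\xa5\x93\x0c\xc6\xb5\x3d\x81\x8b\x82\x33\x5f\xb8"
      "\xc6\xe1\x03\x10\xa3\x41\x32\xcc\x9c\xa8\xac\x0a\xe5\x98\x06\x55\x6a\x57"
      "\x92\x86\xbf\x46\x4f\xcf\x5a\xd5\x35\x60\x19\xdb\x75\xbd\x19\x51\x2c\xc6"
      "\xba\xbc\xed\x85\x70\xa7\x37\x41\xd7\x3c\xca\xc8",
      210);
  iov[1].len = 0xd2;

  for (int i = 2; i < 7; i++) {
    iov[i].base = 0;
    iov[i].len = 0;
  }

  // writev(r[1], iov, 7)
  syscall(SYS_writev, r[1], 0x20000640ul, 7ul);
}

// Map the scratch region, fork NUM_PROCS workers that loop forever, then park
// the parent.  Unlike the original, a failed mmap now exits instead of letting
// the workers fault on the unmapped 0x2000xxxx addresses.
int main(void)
{
  // prot 3 = PROT_READ|PROT_WRITE; 0x1012 looks like MAP_FIXED|MAP_PRIVATE|
  // MAP_ANON on the target -- confirm.  The trailing 0 is the pad argument of
  // the target's 7-argument mmap.
  if (syscall(SYS_mmap, SCRATCH_BASE, SCRATCH_SIZE, 3ul, 0x1012ul, -1, 0ul, 0ul) == -1)
    exit(1);
  for (procid = 0; procid < NUM_PROCS; procid++) {
    if (fork() == 0) {
      loop();
    }
  }
  sleep(1000000);
  return 0;
}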