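// https://syzkaller.appspot.com/bug?id=7c48f2a02168c6d8581d28dcc5c3c5b7a7c52f21
// autogenerated by syzkaller (https://github.com/google/syzkaller)
//
// Crash reproducer emitted by the syzkaller dashboard for the bug linked above.
// It is meant to be run on a disposable test kernel to confirm a crash or to
// regression-test the fix: it installs a fault-tolerant harness
// (segv_handler + NONFAILING), moves into a scratch directory under tight
// rlimits, then replays the recorded syscall sequence in loop().
//
// The syscall names (SYS_fhstat), the /dev/mdctl device path and the mmap flag
// value 0x1012 (MAP_FIXED|MAP_PRIVATE with MAP_ANON == 0x1000) point at a
// NetBSD target; nothing here is expected to build or run on Linux as-is.
//
// NOTE(review): the original #include directives were lost during extraction
// (every one of them survived only as a bare `#include`). The list below is
// rebuilt from the symbols this file actually uses; each header is annotated
// with the names it is needed for. The original may have pulled in a few more.
#define _GNU_SOURCE

#include <errno.h>        // errno, EPERM
#include <setjmp.h>       // jmp_buf, _setjmp, _longjmp
#include <signal.h>       // sigaction, siginfo_t, SA_NODEFER, SA_SIGINFO, SIGSEGV, SIGBUS
#include <stdint.h>       // uint32_t, uint64_t, uintptr_t, intptr_t
#include <stdlib.h>       // exit, mkdtemp
#include <string.h>       // memset, memcpy
#include <sys/resource.h> // struct rlimit, setrlimit, RLIMIT_*
#include <sys/stat.h>     // chmod
#include <sys/syscall.h>  // SYS_* syscall numbers
#include <sys/types.h>
#include <unistd.h>       // write, chdir, setsid, syscall

// Harness state, one copy per thread.
// clone_ongoing: non-zero while a clone is in flight; a fault in that window is
//                never recovered from (see segv_handler). Nothing in this
//                particular reproducer sets it, but the handler honours it.
// skip_segv:     nesting depth of NONFAILING() regions; >0 means a fault may be
//                turned into a longjmp instead of terminating the process.
// segv_env:      jump target recorded by the innermost NONFAILING().
static __thread int clone_ongoing;
static __thread int skip_segv;
static __thread jmp_buf segv_env;

/*
 * SIGSEGV/SIGBUS handler.
 *
 * Recovers (via _longjmp to the NONFAILING() that is executing) only when all
 * of the following hold: no clone is in progress, a NONFAILING() region is
 * active, and the fault is either a SIGBUS or a SIGSEGV whose address lies
 * OUTSIDE the [1 MiB, 100 MiB] window. Faults inside that window are treated
 * as genuine harness bugs and, like every other case, terminate the process
 * with the signal number as the exit status.
 */
static void segv_handler(int sig, siginfo_t *info, void *ctx)
{
    (void)ctx;

    // Never unwind across a clone: the jmp_buf may belong to the other side.
    if (__atomic_load_n(&clone_ongoing, __ATOMIC_RELAXED) != 0) {
        exit(sig);
    }

    const uintptr_t prog_start = 1 << 20;   // 1 MiB
    const uintptr_t prog_end = 100 << 20;   // 100 MiB
    uintptr_t addr = (uintptr_t)info->si_addr;

    int in_nonfailing = __atomic_load_n(&skip_segv, __ATOMIC_RELAXED) != 0;
    // "recoverable" is true for any address outside the program window;
    // a SIGBUS is always recoverable regardless of address.
    int recoverable = addr < prog_start || addr > prog_end;
    if (sig == SIGBUS) {
        recoverable = 1;
    }

    if (in_nonfailing && recoverable) {
        _longjmp(segv_env, 1);
    }
    exit(sig);
}

/*
 * Route SIGSEGV and SIGBUS to segv_handler.
 *
 * SA_SIGINFO is required so the handler receives si_addr; SA_NODEFER keeps the
 * signal unblocked while the handler runs, which is what lets _longjmp leave
 * the handler without a stale signal mask. Return values of sigaction() are
 * not checked, matching the original generated code.
 */
static void install_segv_handler(void)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof(sa));
    sa.sa_sigaction = segv_handler;
    sa.sa_flags = SA_NODEFER | SA_SIGINFO;
    sigaction(SIGSEGV, &sa, NULL);
    sigaction(SIGBUS, &sa, NULL);
}

/*
 * Execute the argument statements with fault recovery enabled.
 *
 * Evaluates to 1 if the statements completed, 0 if segv_handler unwound out
 * of them. The counter is bumped with SEQ_CST so the handler (which runs on
 * the same thread but asynchronously) sees a consistent value. Uses
 * _setjmp/_longjmp (no signal-mask save/restore), which is the GCC
 * statement-expression form used throughout syzkaller reproducers.
 */
#define NONFAILING(...)                                             \
    ({                                                              \
        int ok = 1;                                                 \
        __atomic_fetch_add(&skip_segv, 1, __ATOMIC_SEQ_CST);        \
        if (_setjmp(segv_env) == 0) {                               \
            __VA_ARGS__;                                            \
        } else                                                      \
            ok = 0;                                                 \
        __atomic_fetch_sub(&skip_segv, 1, __ATOMIC_SEQ_CST);        \
        ok;                                                         \
    })

/*
 * Create a fresh scratch directory under the CWD and chdir into it.
 *
 * The directory is made world-writable (0777). That is acceptable on a
 * throwaway fuzzing VM, which is the only place this program should run;
 * do not run it from a directory on a shared host. Any failure exits with 1.
 */
static void use_temporary_dir(void)
{
    char tmpdir_template[] = "./syzkaller.XXXXXX";
    char *tmpdir = mkdtemp(tmpdir_template);
    if (!tmpdir) {
        exit(1);
    }
    if (chmod(tmpdir, 0777)) {
        exit(1);
    }
    if (chdir(tmpdir)) {
        exit(1);
    }
}

/*
 * Apply the sandbox_none resource policy to the current process.
 *
 * Puts the process in its own session (EPERM is tolerated, e.g. when already a
 * session leader) and caps address space, locked memory, file size, stack and
 * open files, and disables core dumps. setrlimit() failures are ignored, as in
 * the generated original: the limits are a containment aid, not a precondition.
 */
static void sandbox_common(void)
{
    if (setsid() == -1 && errno != EPERM) {
        exit(1);
    }

    struct rlimit rlim;

    rlim.rlim_cur = rlim.rlim_max = 128 << 20;   // 128 MiB address space
    setrlimit(RLIMIT_AS, &rlim);
    rlim.rlim_cur = rlim.rlim_max = 8 << 20;     // 8 MiB locked memory
    setrlimit(RLIMIT_MEMLOCK, &rlim);
    rlim.rlim_cur = rlim.rlim_max = 1 << 20;     // 1 MiB max file size
    setrlimit(RLIMIT_FSIZE, &rlim);
    rlim.rlim_cur = rlim.rlim_max = 1 << 20;     // 1 MiB stack
    setrlimit(RLIMIT_STACK, &rlim);
    rlim.rlim_cur = rlim.rlim_max = 0;           // no core dumps
    setrlimit(RLIMIT_CORE, &rlim);
    rlim.rlim_cur = rlim.rlim_max = 256;         // 256 open files
    setrlimit(RLIMIT_NOFILE, &rlim);
}

// Defined below; declared static here and at the definition so both
// declarations agree on linkage (the original mixed `static void loop();`
// with a non-static definition, which C resolves to internal linkage anyway).
static void loop(void);

/*
 * "none" sandbox: apply the resource policy in-process and run the program.
 * Always returns 0.
 */
static int do_sandbox_none(void)
{
    sandbox_common();
    loop();
    return 0;
}

// Syscall result slots. r[0] holds the descriptor returned by openat(); it
// stays at the all-ones sentinel if the open fails, so the later ioctl is
// issued on fd -1 in that case.
uint64_t r[1] = {0xffffffffffffffff};

/*
 * The recorded syscall sequence.
 *
 * Every memory store goes through NONFAILING() into the fixed RWX mapping set
 * up by main() at 0x200000000000, so a missing mapping cannot take the
 * reproducer down. The ioctl request 0xc1c06d00 decodes, under the BSD ioctl
 * encoding, as IOC_INOUT, group 'm' (0x6d), number 0, argument size 0x1c0 —
 * which matches the 0x340..0x500 range filled in below. The field meanings
 * of that 448-byte argument are not recoverable from this file; decode them
 * against the target kernel's headers before drawing conclusions.
 */
static void loop(void)
{
    intptr_t res = 0;

    // Progress marker for the harness log; the write result is ignored.
    if (write(1, "executing program\n", sizeof("executing program\n") - 1)) {
    }

    syscall(SYS_fhstat, /*fhp=*/0ul, /*statbuf=*/0ul);

    NONFAILING(memcpy((void *)0x200000000000, "/dev/mdctl\000", 11));
    res = syscall(SYS_openat, /*fd=*/0xffffffffffffff9cul,
                  /*file=*/0x200000000000ul, /*flags=*/0ul, /*mode=*/0ul);
    if (res != -1) {
        r[0] = res;
    }

    // ioctl argument, 0x1c0 bytes at 0x200000000340. Offsets 0x34c..0x34f are
    // never written (presumably struct padding — unverified).
    NONFAILING(*(uint32_t *)0x200000000340 = 0);
    NONFAILING(*(uint32_t *)0x200000000344 = 7);
    NONFAILING(*(uint32_t *)0x200000000348 = 0);
    NONFAILING(*(uint64_t *)0x200000000350 = 0);
    NONFAILING(*(uint64_t *)0x200000000358 = 0x800000008);
    NONFAILING(*(uint32_t *)0x200000000360 = 4);
    NONFAILING(*(uint32_t *)0x200000000364 = 6);
    NONFAILING(*(uint64_t *)0x200000000368 = 0xa);
    NONFAILING(*(uint32_t *)0x200000000370 = 0);
    NONFAILING(*(uint32_t *)0x200000000374 = 0xa7);
    NONFAILING(*(uint64_t *)0x200000000378 = 0);
    NONFAILING(*(uint32_t *)0x200000000380 = 0x18);
    NONFAILING(*(uint32_t *)0x200000000384 = 6);
    NONFAILING(*(uint32_t *)0x200000000388 = 9);
    NONFAILING(*(uint32_t *)0x20000000038c = 2);
    NONFAILING(*(uint32_t *)0x200000000390 = 4);
    NONFAILING(*(uint32_t *)0x200000000394 = 4);
    NONFAILING(*(uint32_t *)0x200000000398 = 6);
    NONFAILING(*(uint32_t *)0x20000000039c = 0xf);
    NONFAILING(*(uint32_t *)0x2000000003a0 = 6);
    NONFAILING(*(uint32_t *)0x2000000003a4 = 7);
    NONFAILING(*(uint32_t *)0x2000000003a8 = 0x408);
    NONFAILING(*(uint32_t *)0x2000000003ac = 7);
    NONFAILING(*(uint32_t *)0x2000000003b0 = 5);
    NONFAILING(*(uint32_t *)0x2000000003b4 = 1);
    NONFAILING(*(uint32_t *)0x2000000003b8 = 1);
    NONFAILING(*(uint32_t *)0x2000000003bc = 0xfffffff3);
    NONFAILING(*(uint32_t *)0x2000000003c0 = 9);
    NONFAILING(*(uint32_t *)0x2000000003c4 = 6);
    NONFAILING(*(uint32_t *)0x2000000003c8 = 0x8000007);
    NONFAILING(*(uint32_t *)0x2000000003cc = 0);
    NONFAILING(*(uint32_t *)0x2000000003d0 = 0x401);
    NONFAILING(*(uint32_t *)0x2000000003d4 = 9);
    NONFAILING(*(uint32_t *)0x2000000003d8 = 0xcde);
    NONFAILING(*(uint32_t *)0x2000000003dc = 0x100);
    NONFAILING(*(uint32_t *)0x2000000003e0 = 0xfffffff8);
    NONFAILING(*(uint32_t *)0x2000000003e4 = 7);
    NONFAILING(*(uint32_t *)0x2000000003e8 = 7);
    NONFAILING(*(uint32_t *)0x2000000003ec = 0);
    NONFAILING(*(uint32_t *)0x2000000003f0 = 5);
    NONFAILING(*(uint32_t *)0x2000000003f4 = 0x5ba);
    NONFAILING(*(uint32_t *)0x2000000003f8 = 7);
    NONFAILING(*(uint32_t *)0x2000000003fc = 0xffbffffa);
    NONFAILING(*(uint32_t *)0x200000000400 = 5);
    NONFAILING(*(uint32_t *)0x200000000404 = 9);
    NONFAILING(*(uint32_t *)0x200000000408 = 0x3d5532c1);
    NONFAILING(*(uint32_t *)0x20000000040c = 7);
    NONFAILING(*(uint32_t *)0x200000000410 = 3);
    NONFAILING(*(uint32_t *)0x200000000414 = 0x8000);
    NONFAILING(*(uint32_t *)0x200000000418 = 2);
    NONFAILING(*(uint32_t *)0x20000000041c = 1);
    NONFAILING(*(uint32_t *)0x200000000420 = 3);
    NONFAILING(*(uint32_t *)0x200000000424 = 0);
    NONFAILING(*(uint32_t *)0x200000000428 = 0);
    NONFAILING(*(uint32_t *)0x20000000042c = 2);
    NONFAILING(*(uint32_t *)0x200000000430 = 6);
    NONFAILING(*(uint32_t *)0x200000000434 = 0x27ad222b);
    NONFAILING(*(uint32_t *)0x200000000438 = 6);
    NONFAILING(*(uint32_t *)0x20000000043c = 0x80000003);
    NONFAILING(*(uint32_t *)0x200000000440 = 0xac5e);
    NONFAILING(*(uint32_t *)0x200000000444 = 2);
    NONFAILING(*(uint32_t *)0x200000000448 = 0xfffffff7);
    NONFAILING(*(uint32_t *)0x20000000044c = 0x6ddbd7a2);
    NONFAILING(*(uint32_t *)0x200000000450 = 4);
    NONFAILING(*(uint32_t *)0x200000000454 = 0x52);
    NONFAILING(*(uint32_t *)0x200000000458 = 7);
    NONFAILING(*(uint32_t *)0x20000000045c = 8);
    NONFAILING(*(uint32_t *)0x200000000460 = 0x86);
    NONFAILING(*(uint32_t *)0x200000000464 = 9);
    NONFAILING(*(uint32_t *)0x200000000468 = 0x20);
    NONFAILING(*(uint32_t *)0x20000000046c = 3);
    NONFAILING(*(uint32_t *)0x200000000470 = 0x7ffe);
    NONFAILING(*(uint32_t *)0x200000000474 = 9);
    NONFAILING(*(uint32_t *)0x200000000478 = 0x7f);
    NONFAILING(*(uint32_t *)0x20000000047c = 8);
    NONFAILING(*(uint32_t *)0x200000000480 = 6);
    NONFAILING(*(uint32_t *)0x200000000484 = 8);
    NONFAILING(*(uint32_t *)0x200000000488 = 0x10001);
    NONFAILING(*(uint32_t *)0x20000000048c = 0xfffffff5);
    NONFAILING(*(uint32_t *)0x200000000490 = 0);
    NONFAILING(*(uint32_t *)0x200000000494 = 0x80);
    NONFAILING(*(uint32_t *)0x200000000498 = 9);
    NONFAILING(*(uint32_t *)0x20000000049c = 0x800007);
    NONFAILING(*(uint32_t *)0x2000000004a0 = 0x20006);
    NONFAILING(*(uint32_t *)0x2000000004a4 = 0);
    NONFAILING(*(uint32_t *)0x2000000004a8 = 2);
    NONFAILING(*(uint32_t *)0x2000000004ac = 0xe07);
    NONFAILING(*(uint32_t *)0x2000000004b0 = 0x388d);
    NONFAILING(*(uint32_t *)0x2000000004b4 = 0);
    NONFAILING(*(uint32_t *)0x2000000004b8 = 3);
    NONFAILING(*(uint32_t *)0x2000000004bc = 4);
    NONFAILING(*(uint32_t *)0x2000000004c0 = 3);
    NONFAILING(*(uint32_t *)0x2000000004c4 = 0x40);
    NONFAILING(*(uint32_t *)0x2000000004c8 = 0x80000001);
    NONFAILING(*(uint32_t *)0x2000000004cc = -1);
    NONFAILING(*(uint32_t *)0x2000000004d0 = 5);
    NONFAILING(*(uint32_t *)0x2000000004d4 = 0xed);
    NONFAILING(*(uint32_t *)0x2000000004d8 = 0x80000000);
    NONFAILING(*(uint32_t *)0x2000000004dc = 0xc);
    NONFAILING(*(uint32_t *)0x2000000004e0 = 0x7f);
    NONFAILING(*(uint32_t *)0x2000000004e4 = 0x296);
    NONFAILING(*(uint32_t *)0x2000000004e8 = 2);
    NONFAILING(*(uint32_t *)0x2000000004ec = 0xe6);
    NONFAILING(*(uint32_t *)0x2000000004f0 = 0x7fffffff);
    NONFAILING(*(uint32_t *)0x2000000004f4 = 5);
    NONFAILING(*(uint32_t *)0x2000000004f8 = 0xc2b0);
    NONFAILING(*(uint32_t *)0x2000000004fc = 0xa1);

    syscall(SYS_ioctl, /*fd=*/r[0], /*cmd=*/0xc1c06d00ul,
            /*arg=*/0x200000000340ul);
}

/*
 * Entry point.
 *
 * Maps a 16 MiB anonymous region at the fixed address the program uses for all
 * of its user-memory arguments. The region is RWX (prot 7) and fixed
 * (MAP_FIXED|MAP_ANON|MAP_PRIVATE == 0x1012 on the target), both of which are
 * acceptable only because this is a disposable reproducer on a test VM. Then
 * installs the fault handler, enters a scratch directory and runs the
 * sandbox-less program. The unused `reason` local from the generated code has
 * been dropped.
 */
int main(void)
{
    syscall(SYS_mmap, /*addr=*/0x200000000000ul, /*len=*/0x1000000ul,
            /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul,
            /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x1012ul,
            /*fd=*/(intptr_t)-1, /*offset=*/0ul);
    install_segv_handler();
    use_temporary_dir();
    do_sandbox_none();
    return 0;
}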