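// https://syzkaller.appspot.com/bug?id=c8dfdc91e52021144af9f69c76730c07207ad104
// autogenerated by syzkaller (https://github.com/google/syzkaller)
//
// Reproducer layout: main() maps a fixed scratch region at 0x20000000 that
// every pointer argument in execute_one() points into, then loop() forks one
// child per iteration which runs execute_one() (the recorded syscall
// sequence) under a 5 s watchdog.
//
// NOTE(review): the header list below was reconstructed from the symbols
// this file uses; the original header names were lost when the page was
// extracted (fourteen bare `#include` tokens survived).

#define _GNU_SOURCE

#include <sys/types.h>

#include <signal.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

// Forcibly terminate the child `pid` and reap it.
// `status` receives the wait status of whichever child waitpid(-1) returns;
// the loop only stops once that child is `pid`, so other children that exit
// in the meantime are reaped (and their status overwritten) along the way.
// NOTE(review): a persistent -1 from waitpid (no children left) would spin
// here forever; loop() only calls this while `pid` is known to be unreaped.
static void kill_and_wait(int pid, int* status)
{
  kill(pid, SIGKILL);
  while (waitpid(-1, status, 0) != pid) {
  }
}

// Sleep for `ms` milliseconds (usleep takes microseconds).
static void sleep_ms(uint64_t ms)
{
  usleep(ms * 1000);
}

// Monotonic clock in milliseconds. Exits the process if the clock is
// unavailable, since the watchdog in loop() cannot work without it.
static uint64_t current_time_ms(void)
{
  struct timespec ts;
  if (clock_gettime(CLOCK_MONOTONIC, &ts))
    exit(1);
  return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}

// Unused in this reproducer; kept as generated. (Double-underscore names are
// reserved for the implementation, so do not add new ones in this style.)
#define __syscall syscall

// Declared static here; the definition below omits the storage class and
// therefore inherits internal linkage from this prior declaration.
static void execute_one(void);

// Extra flags OR'ed into the non-blocking waitpid() in loop(); none needed.
#define WAIT_FLAGS 0

// Fork/execute/reap forever: each iteration runs execute_one() in a fresh
// child and gives it up to 5000 ms before killing it. Never returns.
static void loop(void)
{
  int iter = 0;
  for (;; iter++) {
    int pid = fork();
    if (pid < 0)
      exit(1);
    if (pid == 0) {
      execute_one();
      exit(0);
    }
    int status = 0;
    uint64_t start = current_time_ms();
    for (;;) {
      // waitpid(-1, ...) reaps any child; only a match on `pid` ends the wait.
      if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
        break;
      sleep_ms(1);
      if (current_time_ms() - start < 5000)
        continue;
      // Watchdog expired: kill the child and reap it synchronously.
      kill_and_wait(pid, &status);
      break;
    }
  }
}

// Results of the recorded syscalls that later calls depend on:
//   r[0] = fd of /dev/rvnd0c (first open)
//   r[1] = fd of ./file0
//   r[2] = fd of /dev/rvnd0c (second open)
// Each stays -1 if the corresponding syscall failed; later calls are issued
// with that -1 regardless, exactly as the fuzzer recorded them.
uint64_t r[3] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff};

// The recorded syscall sequence. All pointer arguments are absolute
// addresses inside the region mapped by main(); the generator places each
// argument at a fixed offset there instead of using stack variables.
// Sequence: open the raw vnd device, write a 763-byte payload into ./file0
// via writev, issue ioctls on the vnd fd naming ./file0, reopen the device
// and issue one more ioctl on the new fd.
void execute_one(void)
{
  intptr_t res = 0;

  // 1. openat(AT_FDCWD-style dirfd 0xffffffffffffff9c, "/dev/rvnd0c", 0, 0)
  memcpy((void*)0x20000000, "/dev/rvnd0c\000", 12);
  res = syscall(SYS_openat, 0xffffffffffffff9cul, 0x20000000ul, 0ul, 0ul);
  if (res != -1)
    r[0] = res;

  // 2. execve(NULL, NULL, NULL): an invalid call kept from the fuzzer log;
  //    it is expected to fail, not to replace the image.
  syscall(SYS_execve, 0ul, 0ul, 0ul);

  // 3. open("./file0", flags, mode). The flag/mode words are reproduced as
  //    generated; presumably the low bits select create/read-write and the
  //    high bits are fuzzer noise — not verified here.
  memcpy((void*)0x20000480, "./file0\000", 8);
  res = syscall(SYS_open, 0x20000480ul, 0x80000000000206ul, 0x4ebfac6bbaf7949ul);
  if (res != -1)
    r[1] = res;

  // 4. writev(r[1], iov, 4) with a 4-entry iovec array at 0x20000740:
  //    iov[0] = {NULL, 0}, iov[1] = {NULL, 0},
  //    iov[2] = {0x200014c0, 0x2fb (763 bytes)}, iov[3] = {NULL, 0}.
  *(uint64_t*)0x20000740 = 0;
  *(uint64_t*)0x20000748 = 0;
  *(uint64_t*)0x20000750 = 0;
  *(uint64_t*)0x20000758 = 0;
  *(uint64_t*)0x20000760 = 0x200014c0;
  // Payload written into ./file0 (random fuzzer bytes, 763 in total).
  memcpy(
      (void*)0x200014c0,
      "\xe4\xa7\xc0\x68\x82\x8f\xcd\x3d\x7d\xdc\x9e\x63\x39\x7e\xdf\xa2\x81\xc2"
      "\x76\x8f\xd1\x7d\xb4\xe8\xb6\xf2\x74\xd1\xb2\xe9\xf6\xc9\x58\x8c\xf5\xc3"
      "\x27\xba\xab\x2e\xb1\x99\x1c\x7b\x88\x3d\x0e\xfb\x06\x67\x4f\x9a\x1d\x85"
      "\xcb\x1d\x84\x3a\x6a\xee\x63\x2b\x96\xa3\x67\x19\xba\x16\x8e\x64\x68\x7d"
      "\xa9\xf5\x78\x23\x35\x3f\xbf\x6f\x09\x98\x8c\x36\x96\x31\x4c\xeb\x9b\xfa"
      "\x31\x3b\xcf\xe8\xa8\x16\x8a\x7a\x1c\x58\x83\x09\xed\x4c\x8c\x3c\xa9\xa7"
      "\x46\x0d\x61\xd2\x2a\x67\x87\x0c\x9e\xae\x0a\x9c\x23\xd6\xea\xd6\x18\x4a"
      "\x02\x4b\x1b\xd2\x09\x5c\x2f\x8f\xf3\xfb\x07\x77\x62\xde\x83\xca\x59\x52"
      "\x84\x8e\x2c\x5c\x5c\x17\x71\xd4\xeb\x76\x1e\xe4\x4d\xd3\x50\xa6\x70\x8a"
      "\x74\xd0\x09\x4a\x35\x01\x59\xa7\x65\xd0\x9b\xf7\x09\x36\x4c\xa3\x22\x58"
      "\xa0\x4f\x29\x12\xce\xc0\x48\x8b\x68\xc2\xc1\x62\x72\x24\xcc\x45\xd9\x22"
      "\xa6\xe6\xce\x3e\x89\xae\xaa\x9d\xb4\xd3\xf7\x45\x31\xce\x36\x24\x8b\x8b"
      "\x5a\xe6\x8f\xca\x3a\x71\x7e\xe9\x19\x92\xdd\xec\xc4\xc4\x27\xe7\x9a\x0f"
      "\xd9\x87\x7b\x34\x8f\x24\x98\x0e\x8a\x03\xaa\x21\x35\xac\x40\x6d\x18\x3b"
      "\xeb\x9d\x67\x71\x19\x7c\x23\xa0\xe0\x2f\x33\x9f\x3e\x6f\x46\x13\x0d\xaa"
      "\xef\x35\xbe\xea\xac\x97\x83\x27\x89\x5d\xfd\xce\x4d\x07\x4d\x4c\xf7\x45"
      "\x3f\x41\x20\xb6\x2d\x49\xd6\xea\xf7\x47\x1b\x65\x01\x5b\x2a\xc7\xc8\x4b"
      "\xab\xe6\x4c\x48\xc3\x27\x14\x45\x2b\xd5\x6c\x8c\xde\x87\xb6\xf8\xed\x53"
      "\x89\x7f\x4d\x62\x82\x9a\xbc\x3a\xf7\xab\x4e\xba\xef\x9f\x76\x19\xbf\x62"
      "\xfd\x83\xe1\xe2\x59\x86\x32\xff\x56\xa2\x9a\x19\xd8\xb1\x58\x31\xb3\xfb"
      "\x26\x9e\x28\x54\x2e\x5c\x92\x4c\xc6\xca\xee\x94\xb9\xe6\x81\xf7\xd2\xc7"
      "\xee\x4a\x32\xd5\x0e\xd5\xb1\x56\x06\x2d\xf0\xbd\xc9\xd1\x18\xa0\xf7\xed"
      "\x9e\xe3\x82\xe1\xcf\xcb\xf8\xef\xbf\xd5\x38\xf5\x33\xa5\xdc\xc7\xf9\xb3"
      "\xfd\x30\x39\xeb\x6b\x0d\x33\x68\x41\x28\x54\x8c\x25\x94\xfd\x91\xd3\x9a"
      "\xe3\x1a\xd5\x5e\xd5\x24\x69\x44\x51\x32\xc8\x80\xde\x5f\xca\x02\xdc\x71"
      "\x9c\x20\x90\x2c\x2e\x5b\xbc\x62\xf7\xca\xc6\x2f\xff\x7b\x8a\xd8\x9d\x0d"
      "\x7e\x1f\xc3\x3d\x0a\x8d\xc9\xa4\x5f\x3d\xb7\x42\xe8\x7c\x4d\x62\x5f\xdf"
      "\x4c\x3f\xe8\xa8\xeb\x8f\x0b\xac\xf0\x64\xa9\x8e\x3f\xd2\x49\xfb\x1d\xf1"
      "\xaf\xc8\x98\xf1\xea\x66\x52\x25\x74\x0f\xc7\x86\xc0\xc3\xb7\x2a\x0a\xb8"
      "\x89\x71\x92\x2e\xdf\xb3\x4b\x64\x4e\xdd\xa7\x9f\xfb\x8a\x67\xe1\xc8\x28"
      "\xa0\x8b\xdb\x78\x54\xa2\xa2\xa3\x67\xba\x37\xca\x88\x57\xd6\x8b\xd0\xfa"
      "\xd0\x13\x81\xad\x3f\xf3\xae\x93\xc2\x0b\x4f\x62\x21\x0f\xaf\x36\x22\xe9"
      "\xe5\x4d\xc5\x6b\x96\x45\x57\x62\x37\x7c\x31\xb3\xca\xc9\xba\x05\x00\x6d"
      "\x00\x3d\xe0\x50\x44\xb7\x80\x84\x50\x76\xe5\xc9\x5d\xc2\xb4\xe0\x89\x42"
      "\x22\x16\x01\x3c\x6d\x7d\xd3\x78\x5f\xe4\x96\x8c\x16\x32\xcc\xe5\xe8\x5c"
      "\x2d\x8b\x95\x51\x89\xcc\x55\xd5\xc3\xc2\xe1\x47\x5b\x4d\x9d\xba\x0a\x1e"
      "\x78\x38\xbc\xd7\x9f\x5e\xea\x1f\x62\x45\xce\xcf\x2e\xd1\x6b\x35\xd3\x5a"
      "\xfb\x1d\x00\x56\x5b\x5c\x52\x45\x14\xd3\x28\x68\x8f\xaa\xad\x8a\x1e\x88"
      "\x13\x3e\xcf\x64\x89\xcf\x85\xba\x89\xc2\xb8\xa6\x7d\x9f\x59\x86\x3d\x28"
      "\xd1\xbe\x97\xba\xe5\xf8\x20\x1b\x64\x27\x5b\x1e\x01\x31\x00\x8f\xf0\x16"
      "\x77\x32\x16\xd9\xb1\x21\x78\xf4\xb1\xbb\x50\x11\x7f\xcb\xf1\xcb\x7d\x66"
      "\x2e\x03\x12\x96\x20\x0e\xe1\x5e\xab\x8f\x64\x88\x79\x29\xec\x2c\xd9\xc0"
      "\xe0\x73\x70\xe2\xab\x28\xc8",
      763);
  *(uint64_t*)0x20000768 = 0x2fb;
  *(uint64_t*)0x20000770 = 0;
  *(uint64_t*)0x20000778 = 0;
  syscall(SYS_writev, r[1], 0x20000740ul, 4ul);

  // 5. ioctl(r[0], 0xc0384600, arg) on the vnd fd. The argument struct at
  //    0x20000500 holds two pointers to "./file0" and two integer fields
  //    (0x10001 and a 32-bit 8). Request code reproduced as generated;
  //    presumably a vnd configuration request — not verified here.
  *(uint64_t*)0x20000500 = 0x20000440;
  memcpy((void*)0x20000440, "./file0\000", 8);
  *(uint64_t*)0x20000508 = 0x10001;
  *(uint64_t*)0x20000510 = 0x200004c0;
  memcpy((void*)0x200004c0, "./file0\000", 8);
  *(uint32_t*)0x20000518 = 8;
  syscall(SYS_ioctl, r[0], 0xc0384600ul, 0x20000500ul);

  // 6. openat with a NULL path (expected to fail; kept from the log) and an
  //    ioctl on the file fd with a NULL argument.
  syscall(SYS_openat, 0xffffffffffffff9cul, 0ul, 0ul, 0ul);
  syscall(SYS_ioctl, r[1], 0xc4104603ul, 0ul);

  // 7. Reopen /dev/rvnd0c and issue a final argument-less ioctl on that fd.
  memcpy((void*)0x20000000, "/dev/rvnd0c\000", 12);
  res = syscall(SYS_openat, 0xffffffffffffff9cul, 0x20000000ul, 0ul, 0ul);
  if (res != -1)
    r[2] = res;
  syscall(SYS_ioctl, r[2], 0x20006473ul, 0ul);
}

int main(void)
{
  // Fixed 16 MiB scratch region that every address in execute_one() points
  // into: PROT_READ|PROT_WRITE (3), mapping flags 0x1012 as generated
  // (presumably anonymous + fixed + private on the target OS), fd -1.
  // The result is checked so a failed mapping exits cleanly instead of
  // faulting on the first memcpy, which could be mistaken for the kernel
  // bug the reproducer is meant to trigger.
  if (syscall(SYS_mmap, 0x20000000ul, 0x1000000ul, 3ul, 0x1012ul, -1, 0ul) ==
      -1)
    exit(1);
  loop();
  return 0;
}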