// https://syzkaller.appspot.com/bug?id=edc4bdcf9437492a8287e70f7c3c4231511fe690
// autogenerated by syzkaller (https://github.com/google/syzkaller)
//
// Kernel-bug reproducer.  main() maps a fixed scratch region at 0x20000000,
// forks several worker processes, and each worker replays the syscall
// sequence in execute_one() in a fresh child over and over, killing any
// child that does not finish within 5 s.  The fallback syscall numbers
// defined below (compat_50_mknod = 14, mmap = 197, open = 5, pwritev = 290)
// are not Linux numbers; presumably a NetBSD target -- confirm against the
// bug page before building.
#define _GNU_SOURCE
// NOTE(review): the header names of the 14 #include lines below were lost in
// extraction (the page shows bare "#include" tokens).  The code uses
// kill/SIGKILL, waitpid/WNOHANG, fork/usleep/sleep/syscall, clock_gettime,
// memcpy, exit and the SYS_* constants, so at least <signal.h>, <stdint.h>,
// <stdlib.h>, <string.h>, <sys/syscall.h>, <sys/types.h>, <sys/wait.h>,
// <time.h> and <unistd.h> are required; restore the exact list from the
// original reproducer.
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include

// Worker index assigned by main() before each fork(); nothing else in this
// file reads it.
static unsigned long long procid;

// Forcibly terminate `pid` and reap it.
//
// waitpid(-1, ...) reaps *any* child, so the loop discards exit statuses of
// other children until the requested pid comes back; `status` ends up holding
// the status of `pid` itself.  Blocks indefinitely if `pid` is never reaped.
static void kill_and_wait(int pid, int* status)
{
  kill(pid, SIGKILL);
  while (waitpid(-1, status, 0) != pid) {
  }
}

// Sleep for `ms` milliseconds.
//
// ms * 1000 is passed to usleep(), whose argument type is narrower than
// uint64_t on common platforms; large values would be truncated.  The only
// caller in this file passes 1.
static void sleep_ms(uint64_t ms)
{
  usleep(ms * 1000);
}

// Monotonic clock reading in milliseconds; exits the process on failure.
static uint64_t current_time_ms(void)
{
  struct timespec ts;
  if (clock_gettime(CLOCK_MONOTONIC, &ts))
    exit(1);
  return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}

// Declared static here; the later definition without a storage class inherits
// this internal linkage.
static void execute_one(void);

// Extra flags for the non-blocking waitpid() in loop(); none on this target.
#define WAIT_FLAGS 0

// Worker body: never returns.
//
// Each iteration forks a child that runs execute_one() once and exits.  The
// parent polls waitpid(-1, WNOHANG) every millisecond; if the child has not
// been reaped within 5000 ms it is SIGKILLed via kill_and_wait().  A fork()
// failure terminates the worker with exit(1).
static void loop(void)
{
  int iter = 0;
  for (;; iter++) {
    int pid = fork();
    if (pid < 0)
      exit(1);
    if (pid == 0) {
      execute_one();
      exit(0);
    }
    int status = 0;
    uint64_t start = current_time_ms();
    for (;;) {
      // waitpid(-1, ...) will also match other children of this worker; the
      // worker only ever has the one child at a time, so the pid check holds.
      if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
        break;
      sleep_ms(1);
      if (current_time_ms() - start < 5000) {
        continue;
      }
      // Child exceeded the 5 s budget: kill it and move on to the next iteration.
      kill_and_wait(pid, &status);
      break;
    }
  }
}

// Fallback syscall numbers, used only when the host's <sys/syscall.h> does not
// already define them.  They are target-specific (see the file header).
#ifndef SYS_compat_50_mknod
#define SYS_compat_50_mknod 14
#endif
#ifndef SYS_mmap
#define SYS_mmap 197
#endif
#ifndef SYS_open
#define SYS_open 5
#endif
#ifndef SYS_pwritev
#define SYS_pwritev 290
#endif

// Result slot for the open() call in execute_one(); later calls read it as a
// file descriptor.  Initialised to an all-ones sentinel (-1 as uint64_t) and
// overwritten only when open() does not return -1.
uint64_t r[1] = {0xffffffffffffffff};

// Replay the recorded syscall sequence once.
//
// All addresses are inside the fixed region mmap'ed by main(); the writes
// below depend on that mapping having succeeded.  Every syscall result except
// open()'s is ignored, as is usual for syzkaller reproducers.
void execute_one(void)
{
  intptr_t res = 0;
  // Path argument at 0x20000080 (8 bytes including the NUL).
  memcpy((void*)0x20000080, "./file0\000", 8);
  // compat_50_mknod("./file0", 0x2000, 0x400).  0x2000 is S_IFCHR in the usual
  // mode encoding (no permission bits) -- confirm for the target.
  syscall(SYS_compat_50_mknod, 0x20000080ul, 0x2000ul, 0x400);
  // Same path, separate copy at 0x20000040.
  memcpy((void*)0x20000040, "./file0\000", 8);
  // open("./file0", 2 /* O_RDWR on common targets */, 0); keep the fd in r[0].
  res = syscall(SYS_open, 0x20000040ul, 2ul, 0ul);
  if (res != -1)
    r[0] = res;
  // Two 16-byte entries at 0x20000000 laid out as {base, len} pairs -- looks
  // like a struct iovec[2] for the pwritev() below.
  // iov[0]: base 0x200000c0, len 0xdc (220 bytes, matching the memcpy length).
  *(uint64_t*)0x20000000 = 0x200000c0;
  // Presumably fuzzer-generated filler; only the length is structurally significant.
  memcpy((void*)0x200000c0,
         "\x11\x77\xa6\x80\x2b\x77\x70\x41\xf0\x45\x95\x58\x0a\x93\xc8\x7c\x08"
         "\x90\x3e\xee\x25\x99\x4b\x59\xee\xa0\x13\xfa\xd4\x09\xf1\xd9\xc6\x9f"
         "\x6c\x28\xcd\x6c\x4f\xdd\x09\xbc\x18\xa2\xbe\xb3\x2b\x7c\x77\x34\x8f"
         "\x73\x75\x02\xfc\xfe\xd5\x8c\xcc\xc3\x5a\x0f\x22\x99\xe8\xed\x60\x6b"
         "\xfa\xfc\x5e\xb1\x2a\x21\x17\x2b\xee\x35\xcd\xcc\x97\x89\xbd\xd2\x1d"
         "\xf4\xc0\x06\x25\xd0\x89\x28\xe3\xa4\xf5\xcc\xdd\x49\x38\x63\xd6\xff"
         "\xac\x18\x0b\xba\x63\x93\x8c\xc9\x39\x60\x9f\xbc\xd0\x76\x06\xcf\xe0"
         "\x95\x6c\x05\xce\xb0\xe3\x67\x7b\xcc\x39\x9f\xa3\x8b\xc2\x67\x12\x00"
         "\xdb\x57\xaa\xf2\x7e\x17\xc8\x98\x85\x6f\xa8\xef\x5b\x12\xcf\x73\xfc"
         "\xfd\x04\x24\x7a\x47\xe6\x69\x9b\xa7\x86\x97\x8d\x6a\xe7\x0a\xba\xed"
         "\xa9\x15\x7e\x13\x2d\x76\x0f\x96\x44\xaa\x17\xc1\x57\xa3\x8c\xc9\x38"
         "\x3f\xb7\x93\xff\x9d\x66\xb9\x6e\xc4\x7b\x6f\xd7\xea\xb7\xe9\xfb\xc0"
         "\x75\xb3\xf1\x31\x3b\xc9\xb5\xe6\x4c\x16\x13\x88\xd6\x97\xa6\x66",
         220);
  *(uint64_t*)0x20000008 = 0xdc;
  // iov[1]: base 0x200001c0, len 0xd2 (210 bytes, matching the memcpy length).
  *(uint64_t*)0x20000010 = 0x200001c0;
  memcpy(
      (void*)0x200001c0,
      "\x91\xed\xa3\x25\xf1\xfc\x7e\xc0\xd8\x81\x2e\x5e\x03\xab\x51\x9f\xc6\x7d"
      "\xec\x91\x7b\xb5\x7a\xfc\xf5\x95\x29\xc2\x7e\x3b\x79\x4b\x5c\xb1\x5f\x70"
      "\x39\x98\xbf\x17\xae\x72\xc6\x34\xc8\x1b\x7a\x51\x27\xdb\xcb\x6a\x2e\xff"
      "\xe1\xde\x9b\xd4\xad\x07\x98\xd0\xf8\x5d\x62\x8d\xb1\x77\x5c\xea\x7e\x2d"
      "\xca\x5f\xcb\x25\xd7\x86\xcb\xff\x92\x4e\xba\x6d\x1e\xa2\xb1\xbe\xfe\x77"
      "\x59\x0b\xe4\x93\x45\x82\x53\x41\x4a\x6e\x39\xa1\x72\x83\x53\xaa\x39\xff"
      "\xa1\x50\xdb\x40\xd3\x3a\x8b\x6e\xef\x75\x8f\xd1\xe3\x46\x9c\x54\x57\x55"
      "\x5a\xae\xc9\x52\x9a\x8d\x1f\x72\xbc\xbc\xb2\xd6\x16\x0d\xf3\xda\xde\x1d"
      "\x3f\xa9\x78\xa7\x09\xf1\x22\x37\x04\x19\x38\x24\x7d\x64\x41\x88\x5e\xe5"
      "\x90\x58\xcd\x14\xab\xa3\x87\x88\x17\x5b\x6d\x2b\x7a\xe6\x57\xfd\x2c\x6a"
      "\xa2\x32\x3d\x41\xdc\xcb\xc1\x50\x1d\x60\x93\xc0\x71\xad\x3a\xc2\xf6\x32"
      "\x02\xf6\xf4\xba\xee\x24\xd2\xcb\x9a\x53\x16\x9d",
      210);
  *(uint64_t*)0x20000018 = 0xd2;
  // pwritev(fd = r[0], iov = 0x20000000, iovcnt = 2, offset = 0x1000009b76).
  // If open() failed, r[0] is still the all-ones sentinel and this is issued
  // with an invalid descriptor, which the reproducer intentionally does not check.
  syscall(SYS_pwritev, r[0], 0x20000000ul, 2ul, 0x1000009b76ul);
}

// Entry point: set up the shared address region, spawn 6 workers, then park.
int main(void)
{
  // mmap(0x20000000, 16 MiB, prot 3 /* PROT_READ|PROT_WRITE */, flags 0x1012,
  // fd -1, offset 0).  0x1012 presumably encodes MAP_PRIVATE|MAP_FIXED|MAP_ANON
  // for the target -- it is not a Linux flag combination.  The result is not
  // checked; every fixed address in execute_one() assumes this succeeded.
  syscall(SYS_mmap, 0x20000000ul, 0x1000000ul, 3ul, 0x1012ul, -1, 0ul, 0ul);
  // Fork 6 workers; each runs loop() and never returns.  fork() failure is
  // not checked (the parent simply spawns fewer workers).
  for (procid = 0; procid < 6; procid++) {
    if (fork() == 0) {
      loop();
    }
  }
  // Parent idles (~11.5 days) while the workers run; it does not reap them.
  sleep(1000000);
  return 0;
}