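// https://syzkaller.appspot.com/bug?id=957dfa1fd66e4d0de51ed7e3d1f814589e07e2b1
// autogenerated by syzkaller (https://github.com/google/syzkaller)
//
// Reproducer shape, as generated: main() maps a fixed 16 MiB scratch region at
// 0x20000000 and forks six workers; each worker runs loop(), which repeatedly
// forks a child that issues one socket() + writev() pair and kills the child
// if it has not finished within CHILD_TIMEOUT_MS.

#define _GNU_SOURCE

// NOTE(review): the header names were stripped when this page was extracted
// (the original carried 14 bare `#include` directives). The list below is
// reconstructed from the identifiers the code actually uses, not copied from
// the original file.
#include <signal.h>       // kill(), SIGKILL
#include <stdint.h>       // uint64_t, intptr_t
#include <stdio.h>
#include <stdlib.h>       // exit()
#include <string.h>       // memcpy()
#include <sys/syscall.h>  // SYS_* numbers, where the host provides them
#include <sys/types.h>
#include <sys/wait.h>     // waitpid(), WNOHANG
#include <time.h>         // clock_gettime(), CLOCK_MONOTONIC
#include <unistd.h>       // fork(), usleep(), sleep(), syscall()

enum {
  WORKER_COUNT = 6,       // number of worker processes forked by main()
  CHILD_TIMEOUT_MS = 5000 // loop() kills a child that runs longer than this
};

// Index of the current worker (0..WORKER_COUNT-1); assigned in main() before
// each fork, so each worker inherits its own value.
static unsigned long long procid;

/*
 * Forcibly terminate child `pid` and reap it.
 *
 * Spins on waitpid(-1, ...) until the reaped pid matches, so any other child
 * that exits meanwhile is reaped too and its status overwritten. That is the
 * generator's convention; loop() only ever has one live child per worker.
 */
static void kill_and_wait(int pid, int *status)
{
  kill(pid, SIGKILL);
  while (waitpid(-1, status, 0) != pid) {
  }
}

/* Sleep for `ms` milliseconds. */
static void sleep_ms(uint64_t ms)
{
  usleep(ms * 1000);
}

/*
 * Monotonic clock in milliseconds.
 *
 * Exits the process with status 1 if clock_gettime() fails; there is no
 * caller that could do anything useful with the error.
 */
static uint64_t current_time_ms(void)
{
  struct timespec ts;
  if (clock_gettime(CLOCK_MONOTONIC, &ts))
    exit(1);
  return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}

static void execute_one(void);

#define WAIT_FLAGS 0

/*
 * Worker body: fork a child that runs execute_one() once, wait for it with a
 * timeout, then repeat forever.
 *
 * The parent polls with WNOHANG every millisecond; after CHILD_TIMEOUT_MS it
 * SIGKILLs the child. A fork() failure exits the worker with status 1.
 */
static void loop(void)
{
  for (;;) {
    int pid = fork();
    if (pid < 0)
      exit(1);
    if (pid == 0) {
      execute_one();
      exit(0);
    }
    int status = 0;
    uint64_t start = current_time_ms();
    for (;;) {
      if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
        break;
      sleep_ms(1);
      if (current_time_ms() - start < CHILD_TIMEOUT_MS)
        continue;
      kill_and_wait(pid, &status);
      break;
    }
  }
}

// Fallback syscall numbers for hosts whose <sys/syscall.h> does not define
// these names. NOTE(review): 197/394/121 appear to be the target's own table
// (they match NetBSD's mmap, __socket30 and writev as far as I recall); verify
// against the target's syscall table before relying on them.
#ifndef SYS_mmap
#define SYS_mmap 197
#endif
#ifndef SYS_socket
#define SYS_socket 394
#endif
#ifndef SYS_writev
#define SYS_writev 121
#endif

// r[0] holds the socket descriptor returned by execute_one()'s socket() call;
// it stays at the "invalid" sentinel (all bits set) if that call fails.
uint64_t r[1] = {0xffffffffffffffff};

/*
 * The single test program: socket(0x22, 3, -1) followed by writev() of nine
 * iovecs pointing into the fixed mapping.
 *
 * The iovec array lives at 0x20000840 and is laid out as nine 16-byte
 * {base, len} pairs. Seven entries carry the byte strings copied below (each
 * iov_len equals the memcpy length); the last two entries are {NULL, 0}.
 * Domain 0x22 and type 3 are the target's values (3 is SOCK_RAW on common
 * targets — confirm against the target's <sys/socket.h>); protocol is -1.
 *
 * All writes go to addresses inside the region main() maps at 0x20000000;
 * calling this without that mapping in place faults.
 */
static void execute_one(void)
{
  intptr_t res = 0;
  res = syscall(SYS_socket, 0x22ul, 3ul, -1);
  if (res != -1)
    r[0] = res;

  // iov[0]: 65 bytes
  *(uint64_t *)0x20000840 = 0x20000300;
  memcpy((void *)0x20000300,
         "\x4d\x40\xec\x40\x6c\x69\xa0\x64\x60\x4d\x72\xd3\x7c\x79\x67\xa0\xdc"
         "\x9e\xb5\xc0\x9a\x77\x43\x5e\x4a\x25\xe0\xb5\x40\x96\xa1\xd3\x05\xb9"
         "\x49\x23\x4c\xe9\x98\x92\x9e\x3f\x08\xfd\x94\xe2\xc5\xdf\x99\x60\x7e"
         "\x44\xfb\x5f\xca\x18\x0c\xce\x11\x19\xcf\xb4\xcb\xcb\xf4",
         65);
  *(uint64_t *)0x20000848 = 0x41;

  // iov[1]: 221 bytes
  *(uint64_t *)0x20000850 = 0x20000380;
  memcpy((void *)0x20000380,
         "\x71\x84\x38\xc4\x8c\x73\x13\x13\x56\x05\xaa\xc2\x1c\xeb\xfb\x76\x4a"
         "\x66\x1f\x76\x36\xb6\x63\x1d\x88\x5f\x45\x64\x39\x8a\x51\x6d\x17\x88"
         "\x2c\xdd\xbf\xc8\xed\xec\x1b\x79\xe8\x53\x0d\x4c\xb3\x34\x4f\x3f\xba"
         "\x9b\x83\xcb\xff\x08\x8f\xc9\xec\xec\x6f\x3b\xd2\x7a\xda\xfa\xb0\x1c"
         "\x98\xef\xdf\x7f\xf4\xba\x8b\xc4\xfa\x71\x10\xb3\x68\x52\x26\x87\xee"
         "\xfc\x8b\xc5\x40\x5a\x18\xb1\x7b\x31\x8b\x47\x34\xdc\x6a\x6d\x44\xe8"
         "\xda\x01\x1b\x7f\xb4\xba\xd5\xab\xab\xfe\x84\x3a\xde\x86\x09\xed\xe2"
         "\xcc\xe7\x17\xdf\x24\xef\x6d\xfe\x61\x0f\x40\xc6\x3f\x64\x26\x58\xc0"
         "\x72\xd5\xc0\x53\xdd\xb4\xe3\x6f\x84\x5d\x55\x75\xce\x22\x0a\xf6\x8f"
         "\xb9\xe7\x6c\xbc\x15\x02\x6d\x76\xe4\x3e\x65\x78\xb0\x87\x95\x0e\xda"
         "\xfc\xcd\xe9\x95\x69\x06\xe4\x44\xf2\x04\x18\x4c\x2b\xf6\x6c\x42\x38"
         "\x2d\x23\xfb\xae\x96\x8c\x79\x26\xc1\xc2\x7e\x43\xb2\x28\xcb\x4c\x99"
         "\x7c\xed\xb9\x5f\x60\x46\x80\x04\xdc\x9b\x98\x0f\x8d\xc8\x3d\x20\x5c",
         221);
  *(uint64_t *)0x20000858 = 0xdd;

  // iov[2]: 88 bytes
  *(uint64_t *)0x20000860 = 0x20000480;
  memcpy((void *)0x20000480,
         "\xfc\x1f\x24\x90\x8e\xa2\x67\x65\x88\x25\x72\x10\x28\x60\x6c\xa2\x3b"
         "\x35\xd2\xc0\x06\x60\xa0\xb4\xa9\x68\x06\x41\xeb\x71\x56\x52\x3d\x8a"
         "\xe9\x47\xfa\x88\x95\x08\x34\xdb\x6b\xca\xba\xdb\x3b\xeb\x37\x21\xaa"
         "\xa9\x12\xe1\xcd\x97\xf1\xb8\x1c\xe4\xc8\x28\x4d\x49\x71\x62\xb7\x28"
         "\x17\xa3\xe0\x10\xbc\x3e\x5d\xc1\x72\x92\x31\x27\x2e\x87\xa7\x6d\x22"
         "\x7b\xbb\x24",
         88);
  *(uint64_t *)0x20000868 = 0x58;

  // iov[3]: 180 bytes
  *(uint64_t *)0x20000870 = 0x20000500;
  memcpy((void *)0x20000500,
         "\x22\xc1\x0f\xbe\x20\x9f\xbd\x19\x87\xbe\xaf\x18\xdf\x07\x2b\xf4\x39"
         "\xd1\x5b\x5f\x46\xf1\x8c\xa6\x22\x4e\xdd\x9c\x51\xdc\xdc\x66\x96\xa8"
         "\x5a\x2b\xe5\x1f\xb7\xad\x9e\x30\x8f\x6b\x3e\x7d\x06\x4f\xbb\x78\x53"
         "\x3e\xfc\x6f\x84\x2e\xd7\x72\xfc\x5b\x20\x91\x0a\xb3\x6b\x8f\x06\x3e"
         "\x96\x4e\x4d\xed\x50\xf0\xd5\xdf\xc1\x82\x04\x80\x36\xe8\xfb\xa4\xc4"
         "\x10\xea\xed\xc1\x97\x69\xb5\x1e\x00\x34\x89\xdb\xf7\xd0\xe7\x13\x1e"
         "\x84\xdc\x30\xc5\x3a\x38\x18\xa2\x38\xfe\xe9\xe8\xc8\x76\x96\x85\x9b"
         "\x39\x54\xb1\xa0\x89\xf7\x54\x40\x4d\x6b\xf3\xaa\xd4\x5e\x9c\x12\xca"
         "\x1d\x90\x1e\x46\xf6\x43\x2e\x3e\x5a\x57\x7c\x60\xe3\x36\x04\x78\x67"
         "\x4c\x61\x03\x90\x6d\x13\xf2\x25\xbd\xd6\x70\x66\x9e\x36\x26\x3d\x3b"
         "\xfa\x64\xdf\x2e\xb0\x24\xcf\xe0\x91\xe7",
         180);
  *(uint64_t *)0x20000878 = 0xb4;

  // iov[4]: 23 bytes
  *(uint64_t *)0x20000880 = 0x20000600;
  memcpy((void *)0x20000600,
         "\xe4\x8d\x29\xff\x41\xe9\x8d\x49\x73\x5f\xdd\x9e"
         "\x92\x69\x8d\xc3\xf5\x68\xfd\x86\xb6\xa3\xdf",
         23);
  *(uint64_t *)0x20000888 = 0x17;

  // iov[5]: 169 bytes
  *(uint64_t *)0x20000890 = 0x20000640;
  memcpy((void *)0x20000640,
         "\x10\x28\x78\xe4\x09\x82\xea\x4c\xe7\x51\x06\x5b\xe9\x8a\x1c\xb8\x0b"
         "\xa7\x1b\xa7\x55\xd7\x86\x0a\xf6\x84\xb5\x4a\x10\x58\x58\xf8\x82\x7d"
         "\xe9\xe8\xc1\xb5\xc0\x01\x4d\xf7\x59\x21\xa7\x5e\x12\x63\x7a\xbb\xb5"
         "\x7e\x11\xc6\x19\x45\xad\x2b\x78\x4f\x07\x2b\x30\x4d\x83\x3f\x53\xb9"
         "\x80\x69\xd5\x26\x55\xcf\xc8\xe7\x93\xd2\xf6\xe9\x05\x88\x39\xd0\xca"
         "\x29\x51\x32\x96\x61\xf0\xf2\x56\x86\x9e\x83\x82\xa3\xd0\x76\x4c\x3f"
         "\x2e\xe4\x54\x93\xad\xf4\x9d\xc3\x6b\x89\x46\xca\xc0\x55\x84\x9b\x61"
         "\xee\x9f\x60\xe9\x77\x99\x7a\x5d\xc1\xb8\x43\x3a\x8e\xd6\x08\xe8\x71"
         "\x1c\xf0\xde\x6f\x8b\x6e\xf1\xf0\x71\xba\x75\x7f\xbe\xc0\x07\x85\xb1"
         "\x76\xe9\xaa\xd8\x8c\xf8\x84\x4c\x08\x84\x50\x66\x44\x0c\xca\x2d",
         169);
  *(uint64_t *)0x20000898 = 0xa9;

  // iov[6]: 120 bytes
  *(uint64_t *)0x200008a0 = 0x20000700;
  memcpy((void *)0x20000700,
         "\x72\xbb\xea\x7a\x1b\x74\x0f\xab\x73\xf0\x09\x7e\x3d\x8b\xa1\xa4\x76"
         "\x09\xfb\x23\x16\x9e\xa8\x58\x99\x7a\x98\xd4\x0b\x72\xea\x2d\x0d\x23"
         "\x53\x2e\xc7\x56\xdd\x70\x24\xfd\x43\xdd\x8e\xa4\x21\x76\x66\x2d\x67"
         "\xd0\xd9\xa1\x45\xf5\xc3\xf4\xac\xf4\x5f\x45\xf0\xf3\x99\x16\x1c\xe0"
         "\xe4\xe3\xff\x5e\x73\x95\x7c\x5d\x3d\xb0\x95\x4f\xc4\x89\x17\x5c\xf4"
         "\x47\xa5\x76\xae\x80\xc8\x0e\xb5\x29\x7c\x22\xe5\x18\x7e\x36\xa5\xbf"
         "\xbf\x04\x5e\x30\x44\xac\xcb\x2b\x04\x2e\x27\x35\x23\x99\xa6\xc4\x06"
         "\x7c",
         120);
  *(uint64_t *)0x200008a8 = 0x78;

  // iov[7] and iov[8]: {NULL, 0}
  *(uint64_t *)0x200008b0 = 0;
  *(uint64_t *)0x200008b8 = 0;
  *(uint64_t *)0x200008c0 = 0;
  *(uint64_t *)0x200008c8 = 0;

  // writev(fd, iov = 0x20000840, iovcnt = 9); the return value is ignored.
  syscall(SYS_writev, r[0], 0x20000840ul, 9ul);
}

/*
 * Entry point: set up the fixed scratch mapping, fork WORKER_COUNT workers
 * that run loop() forever, then park the parent in a long sleep.
 *
 * mmap arguments are passed as raw numbers: addr 0x20000000, len 0x1000000,
 * prot 3 and flags 0x1012 are the target's values (3 looks like
 * PROT_READ|PROT_WRITE and 0x1012 like MAP_PRIVATE|MAP_FIXED|MAP_ANON on a
 * BSD target — confirm against the target's <sys/mman.h>). The mmap and fork
 * results are not checked, as generated; a failed fork just means one fewer
 * worker.
 */
int main(void)
{
  syscall(SYS_mmap, 0x20000000ul, 0x1000000ul, 3ul, 0x1012ul, -1, 0ul, 0ul);
  for (procid = 0; procid < WORKER_COUNT; procid++) {
    if (fork() == 0) {
      loop();
    }
  }
  sleep(1000000);
  return 0;
}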