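// https://syzkaller.appspot.com/bug?id=ae28a692910f2e066889b98c890adc67d88a4fda
// autogenerated by syzkaller (https://github.com/google/syzkaller)
//
// Reproducer for a crash reported by syzkaller: it opens /dev/mdctl and issues
// a single ioctl (cmd 0xc1c06d00) with a 0x1c0-byte argument block. The raw
// constants used below (openat dirfd -100, mmap flags 0x1012 =
// MAP_PRIVATE|MAP_FIXED|MAP_ANON) are BSD values; together with the ioctl
// number (_IOWR('m', 0, 448-byte struct)) this is consistent with FreeBSD's
// md(4) MDIOCATTACH — confirm against <sys/mdioctl.h> on the target. The
// program also compiles on Linux, but the ioctl means nothing there.
//
// The original include list was lost when this page was extracted (bare
// "#include" lines); the headers below are exactly what the visible code uses.
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

// ---- syzkaller fault-recovery harness ---------------------------------------

static __thread int clone_ongoing; // never set non-zero in this reproducer
static __thread int skip_segv;     // > 0 while a NONFAILING() block is running
static __thread jmp_buf segv_env;  // recovery point established by NONFAILING()

// SIGSEGV/SIGBUS handler. Inside a NONFAILING() block, a fault whose address
// lies outside [1 MiB, 100 MiB] — which covers the 0x20000000 scratch mapping
// — is treated as an expected bad-pointer access and the block is abandoned
// via _longjmp. Any SIGBUS is treated the same way. A SIGSEGV inside that
// window (presumably where the program image lives), or any fault outside
// NONFAILING(), is treated as a real crash: exit with the signal number.
// exit() is not async-signal-safe; the reproducer tolerates this because it
// is single-threaded and registers no atexit handlers.
static void segv_handler(int sig, siginfo_t *info, void *ctx)
{
    (void)ctx;
    if (__atomic_load_n(&clone_ongoing, __ATOMIC_RELAXED) != 0) {
        exit(sig);
    }
    uintptr_t addr = (uintptr_t)info->si_addr;
    const uintptr_t prog_start = 1 << 20;
    const uintptr_t prog_end = 100 << 20;
    int skip = __atomic_load_n(&skip_segv, __ATOMIC_RELAXED) != 0;
    // "valid" means the fault is outside the [prog_start, prog_end] window
    // and is therefore recoverable rather than a bug in the harness itself.
    int valid = addr < prog_start || addr > prog_end;
    if (sig == SIGBUS) {
        valid = 1;
    }
    if (skip && valid) {
        _longjmp(segv_env, 1);
    }
    exit(sig);
}

// Installs segv_handler for SIGSEGV and SIGBUS. SA_NODEFER keeps the signal
// unblocked while the handler runs, so after _longjmp (which does not restore
// the signal mask) a later fault is still delivered to the handler.
static void install_segv_handler(void)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof(sa));
    sa.sa_sigaction = segv_handler;
    sa.sa_flags = SA_NODEFER | SA_SIGINFO;
    sigaction(SIGSEGV, &sa, NULL);
    sigaction(SIGBUS, &sa, NULL);
}

// Runs the statement(s) in __VA_ARGS__ with fault recovery armed: if they
// fault at a recoverable address (see segv_handler) the statements are
// abandoned and the expression evaluates to 0, otherwise to 1. GNU statement
// expression; skip_segv is a counter so nested uses stay armed.
#define NONFAILING(...)                                              \
    ({                                                               \
        int ok = 1;                                                  \
        __atomic_fetch_add(&skip_segv, 1, __ATOMIC_SEQ_CST);         \
        if (_setjmp(segv_env) == 0) {                                \
            __VA_ARGS__;                                             \
        } else                                                       \
            ok = 0;                                                  \
        __atomic_fetch_sub(&skip_segv, 1, __ATOMIC_SEQ_CST);         \
        ok;                                                          \
    })

// ---- reproducer -------------------------------------------------------------

// Number of trailing 32-bit words in the ioctl argument block (offsets
// 0x140..0x2bc). Matches MDNPAD == 96 in FreeBSD's struct md_ioctl.
#define MD_PAD_WORDS 96

// Fuzzer-chosen contents of the trailing pad words, in address order, one
// uint32 per element. The comment on each row is the scratch-region offset
// of its first element (0x20000000 + offset).
static const uint32_t md_pad_words[MD_PAD_WORDS] = {
    /* 0x140 */ 3, 1, 4, 0x8000, 0x851, 0, 7, 5,
    /* 0x160 */ 6, 1, 2, 0x7ff, 0xfffffffa, 0xfffffe00, 0xdf5, 2,
    /* 0x180 */ 9, 4, 5, 6, 3, 0x815, 6, 6,
    /* 0x1a0 */ 8, 5, 3, 3, 9, 0xff, 6, 2,
    /* 0x1c0 */ 0, 0x74c763ea, 1, 8, 0xaae4, 7, 0x34a5d0be, 0x80000000,
    /* 0x1e0 */ 4, 4, 0, 8, 0, 9, 3, 0xfffffe01,
    /* 0x200 */ 7, 0x80, 7, 0xfffffe00, 0x200, 5, 4, 1,
    /* 0x220 */ 0x29, 0x32, 2, 0x3f, 8, 6, 1, 0x7fff,
    /* 0x240 */ 2, 7, 1, 0, 2, 1, 0x47, 6,
    /* 0x260 */ 0xa71, 7, 0x100, 5, 0xe5, 4, 0, 1,
    /* 0x280 */ 0xfffff800, 0x10661f27, 0x5af, 0x80000001, 0xae, 0x30, 5, 4,
    /* 0x2a0 */ 3, 0x101, 0xffffffec, 0xff, 7, 0x2a9, 1, 4,
};

// r[0]: file descriptor of /dev/mdctl; stays -1 if the open failed.
uint64_t r[1] = {0xffffffffffffffff};

int main(void)
{
    // 16 MiB anonymous RWX scratch region at a fixed address. MAP_FIXED
    // silently replaces anything already mapped there — acceptable only in a
    // throwaway reproducer. The result is not checked: if the mapping fails,
    // every NONFAILING() store below faults at an address > 100 MiB, is
    // skipped by segv_handler, and the ioctl is issued with an unmapped
    // argument pointer (expect EFAULT rather than the reported crash).
    syscall(SYS_mmap, /*addr=*/0x20000000ul, /*len=*/0x1000000ul, /*prot=*/7ul,
            /*flags=*/0x1012ul, /*fd=*/-1, /*offset=*/0ul);
    install_segv_handler();

    intptr_t res = 0;
    // openat(AT_FDCWD, "/dev/mdctl", 0 /* O_RDONLY */, 0). The md control node
    // is normally restricted to root (confirm on the target); if the open
    // fails r[0] stays -1 and the ioctl below just returns EBADF — the
    // generated code deliberately does not bail out.
    NONFAILING(memcpy((void*)0x20000040, "/dev/mdctl\000", 11));
    res = syscall(SYS_openat, /*fd=*/0xffffffffffffff9cul, /*file=*/0x20000040ul,
                  /*flags=*/0ul, /*mode=*/0ul);
    if (res != -1) {
        r[0] = res;
    }

    // 0x1c0-byte ioctl argument block at 0x20000100. Offsets below line up
    // with FreeBSD's struct md_ioctl; the field names in the comments assume
    // that layout and should be confirmed against <sys/mdioctl.h>.
    NONFAILING(*(uint32_t*)0x20000100 = 0);            // md_version
    NONFAILING(*(uint32_t*)0x20000104 = 2);            // md_unit
    NONFAILING(*(uint32_t*)0x20000108 = 0);            // md_type
    NONFAILING(*(uint64_t*)0x20000110 = 0x20000080);   // md_file -> "./file0"
    NONFAILING(memcpy((void*)0x20000080, "./file0\000", 8));
    NONFAILING(*(uint64_t*)0x20000118 = 0x7d451615);   // md_mediasize
    NONFAILING(*(uint32_t*)0x20000120 = 0x200);        // md_sectorsize
    NONFAILING(*(uint32_t*)0x20000124 = 2);            // md_options
    NONFAILING(*(uint64_t*)0x20000128 = 2);            // md_base
    NONFAILING(*(uint32_t*)0x20000130 = 3);            // md_fwheads
    NONFAILING(*(uint32_t*)0x20000134 = 0);            // md_fwsectors
    NONFAILING(*(uint64_t*)0x20000138 = 0x200000c0);   // md_label -> "/dev/bpf"
    NONFAILING(memcpy((void*)0x200000c0, "/dev/bpf\000", 9));
    // Trailing pad words, one store per word so a fault on any single word is
    // handled exactly as in the generated code.
    for (size_t i = 0; i < MD_PAD_WORDS; i++) {
        NONFAILING(*(uint32_t*)(0x20000140ul + 4 * i) = md_pad_words[i]);
    }

    // cmd 0xc1c06d00 = _IOWR('m', 0, 0x1c0 bytes): the kernel-side handling of
    // the block above is what triggers the reported crash. The return value is
    // intentionally ignored, as in all syzkaller reproducers.
    syscall(SYS_ioctl, /*fd=*/r[0], /*cmd=*/0xc1c06d00ul, /*arg=*/0x20000100ul);
    return 0;
}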