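// https://syzkaller.appspot.com/bug?id=cfd1259183411f37d70c7f9ee6835fa872abe8a8
// autogenerated by syzkaller (https://github.com/google/syzkaller)
//
// Reproducer skeleton: main() maps a fixed scratch region at 0x20000000,
// forks six worker processes, and each worker runs execute_one() over and
// over in a fresh child, killing any child that has not exited after 5 s.
// The reproduced syscall sequence itself is in execute_one().
//
// NOTE(review): the header names after each `#include` were lost when this
// page was extracted. The list below is reconstructed from the identifiers
// the program uses (kill/SIGKILL, waitpid, fork/usleep/sleep/syscall,
// clock_gettime, memcpy, exit, SYS_*); compare it against the original
// reproducer before building.

#define _GNU_SOURCE

#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

// Index of the worker process (0..5); set by main() before each fork().
static unsigned long long procid;

// Kill `pid` and reap it. waitpid(-1) also reaps any other child that exits
// in the meantime; those statuses are overwritten and effectively discarded.
static void kill_and_wait(int pid, int* status)
{
	kill(pid, SIGKILL);
	while (waitpid(-1, status, 0) != pid) {
	}
}

// Sleep for `ms` milliseconds (usleep takes microseconds).
static void sleep_ms(uint64_t ms)
{
	usleep(ms * 1000);
}

// Monotonic clock in milliseconds; exits the process if the clock is
// unavailable, since the 5 s child timeout in loop() depends on it.
static uint64_t current_time_ms(void)
{
	struct timespec ts;
	if (clock_gettime(CLOCK_MONOTONIC, &ts))
		exit(1);
	return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}

static void execute_one(void);

// Extra flags for the WNOHANG poll below; none are needed here.
#define WAIT_FLAGS 0

// Worker body: forever, fork a child that runs execute_one() once, poll for
// it every 1 ms, and after 5 s SIGKILL it and reap it. The child exits with
// status 0 regardless of what the syscalls returned.
static void loop(void)
{
	int iter;
	for (iter = 0;; iter++) {
		int pid = fork();
		if (pid < 0)
			exit(1);
		if (pid == 0) {
			execute_one();
			exit(0);
		}
		int status = 0;
		uint64_t start = current_time_ms();
		for (;;) {
			if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
				break;
			sleep_ms(1);
			if (current_time_ms() - start < 5 * 1000)
				continue;
			kill_and_wait(pid, &status);
			break;
		}
	}
}

// Fallback syscall numbers for targets whose libc headers do not define
// them. NOTE(review): these values appear to follow a BSD-style syscall
// table rather than Linux's; confirm against the target's sys/syscall.h.
#ifndef SYS_mknod
#define SYS_mknod 450
#endif
#ifndef SYS_mmap
#define SYS_mmap 197
#endif
#ifndef SYS_open
#define SYS_open 5
#endif
#ifndef SYS_pwritev
#define SYS_pwritev 290
#endif

// Result slots shared between calls; r[0] holds the fd returned by open()
// (-1 / all-ones until open succeeds).
uint64_t r[1] = {0xffffffffffffffff};

// The reproduced program. All pointers are fixed offsets into the scratch
// region mapped by main(), which is why addresses are written as constants.
//
//   1. mknod("./file0", 0x2080, 0)  -- 0x2080 is S_IFCHR|0200 on Linux/BSDs,
//      i.e. a write-only character device node with device number 0.
//   2. open("./file0", 0x40000400000107e2, 0) -- the flag word carries bits
//      well above the usual O_* range; on success the fd is kept in r[0].
//   3. pwritev(r[0], iov, 3, 0) on a 3-entry iovec array at 0x20000240:
//        iov[0] = {0x20000040, 0xbb}  (187 bytes copied in below)
//        iov[1] = {0x20000280, 0xb9}  (197 bytes copied in below)
//        iov[2] = {0x20000100, 0xffffffc4}
//      iov[2] is never filled in by this program and its length is just
//      under 4 GiB; presumably that oversized entry is what exercises the
//      reported kernel bug, but that is inferred, not shown here.
void execute_one(void)
{
	intptr_t res = 0;
	memcpy((void*)0x20000140, "./file0\000", 8);
	syscall(SYS_mknod, 0x20000140ul, 0x2080ul, 0);
	memcpy((void*)0x20000000, "./file0\000", 8);
	res = syscall(SYS_open, 0x20000000ul, 0x40000400000107e2ul, 0ul);
	if (res != -1)
		r[0] = res;
	// iov[0]
	*(uint64_t*)0x20000240 = 0x20000040;
	memcpy((void*)0x20000040,
	       "\x96\x74\x5b\x96\x95\x58\x6d\x32\x41\x37\x47\xc4\x12\x0d\xa5\x45\x30"
	       "\x9d\xd7\x23\xce\x04\xb7\x60\x93\xe1\x5a\x64\xc6\x54\xc1\x65\x4e\x02"
	       "\x7d\xc4\x35\x2e\x41\xee\x1b\xb4\xd3\x1b\xe8\x78\xa6\xca\x00\x93\x72"
	       "\x4f\x84\x58\x14\x8c\x7c\x4b\x6d\x46\x62\x74\x4a\xbf\xf0\x40\x79\x94"
	       "\x2d\x44\xa6\x33\x48\x40\x25\x16\x37\x19\x3a\x73\x14\x5d\x4d\x09\x8a"
	       "\xc8\x07\x00\xec\xd3\x30\x27\x12\xe4\x29\x7a\xf6\xce\x12\xb8\x87\xcc"
	       "\x76\x61\xbf\x17\x49\x13\xaa\x1e\x68\xb8\x3e\xd1\xf3\xf0\xc1\xa7\xb4"
	       "\x8f\x6d\xe0\x4c\x76\x4c\xf4\x76\xf5\x7d\x67\xca\x5d\x84\xcf\x64\xf9"
	       "\x9e\xae\x5e\x79\x62\x69\xcd\x46\x7b\x97\x24\x33\x73\xf9\x36\x03\xf1"
	       "\x7a\x90\x78\x52\xb5\xe2\xc4\x40\x6e\x88\x4f\x18\xfc\x2b\x7d\xc2\xe3"
	       "\x77\xa1\x2a\x92\x60\x82\x5a\xd1\xd2\xc1\xec\x62\x12\x05\x71\x80\x51",
	       187);
	*(uint64_t*)0x20000248 = 0xbb;
	// iov[1]
	*(uint64_t*)0x20000250 = 0x20000280;
	memcpy((void*)0x20000280,
	       "\x38\xa2\x17\x09\x6c\xca\x11\x7b\x5e\xd2\xca\x3d\xc9\xa1\x72\xa7\x86"
	       "\x20\xfd\x3b\x1d\x94\x1f\xd0\x5d\x81\x12\x71\x5a\x3b\xd3\xc8\x4f\x2f"
	       "\x1c\x9b\x1c\xa0\xf0\x82\x62\x35\x78\x81\x0b\x2b\xd4\x75\x61\x8e\x22"
	       "\xe5\xf7\xb2\xf9\x34\x91\xe1\xc8\xfa\xb2\x8b\xbf\x3d\x64\xbd\x98\x55"
	       "\x05\xd9\xf4\x47\x74\xad\x05\x14\xe5\xdf\x28\xc4\xbd\x55\x86\x48\xbc"
	       "\x47\x6e\xd4\x81\xae\xb7\x96\x71\xda\x21\xc8\xfa\x4b\x27\x77\x82\x21"
	       "\x63\xfa\xe5\x03\x9b\xab\x38\x21\xee\x1d\x43\xb6\x4a\x98\x01\x83\xa0"
	       "\x7b\x52\xef\x50\x93\x71\xb8\xd0\xd5\x7c\x49\x98\x82\x4e\x64\x81\xf9"
	       "\x19\x91\xc6\x94\x50\xd6\x30\x74\xaf\x33\x60\x41\x1c\xbc\x96\x18\x86"
	       "\x12\x7d\x89\x30\x33\xaa\x92\xee\x96\xe6\xd8\xbc\x29\x80\x73\x39\xd5"
	       "\x8c\xb5\xe2\xea\x5e\xdd\x87\xb4\xef\x5e\x86\x2f\x0e\xa3\x77\xe7\x8c"
	       "\x2d\x60\xa7\x26\x76\xbe\xb4\xf1\xf9\x1b",
	       197);
	*(uint64_t*)0x20000258 = 0xb9;
	// iov[2]: base is inside the scratch mapping but never written here;
	// length 0xffffffc4 is far larger than anything backing it.
	*(uint64_t*)0x20000260 = 0x20000100;
	*(uint64_t*)0x20000268 = 0xffffffc4;
	syscall(SYS_pwritev, r[0], 0x20000240ul, 3ul, 0ul);
}

// Map a 16 MiB read/write scratch region at the fixed address 0x20000000
// (flags 0x1012; the seventh argument is a padding word for the raw
// syscall), start six workers, then park the parent. A failed fork() is
// not detected: `fork() == 0` is false on -1, so that worker is simply
// skipped and the parent carries on.
int main(void)
{
	syscall(SYS_mmap, 0x20000000ul, 0x1000000ul, 3ul, 0x1012ul, -1, 0ul, 0ul);
	for (procid = 0; procid < 6; procid++) {
		if (fork() == 0) {
			loop();
		}
	}
	sleep(1000000);
	return 0;
}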