// https://syzkaller.appspot.com/bug?id=b97ec15bfe317ac1ddccb41f2a913d4f7a31c6d7
// autogenerated by syzkaller (https://github.com/google/syzkaller)
//
// Crash reproducer for the syzkaller bug linked above. Structure: a
// fault-suppressing SIGSEGV/SIGBUS handler, a fixed-address scratch region
// (set up in main), a helper that opens a device node, and a single ioctl
// on the opened descriptor. Comments below describe only what the code
// visibly does; see the bug page for the kernel-side report.

#define _GNU_SOURCE

// NOTE(review): the header names after each `#include` were lost when this
// page was extracted, so the file will not preprocess as-is. From the names
// used below the program needs at least <fcntl.h> (open, O_RDWR),
// <setjmp.h> (jmp_buf, _setjmp, _longjmp), <signal.h> (sigaction, siginfo_t),
// <stdint.h> (uintptr_t, uint8_t, uint32_t, uint64_t), <stdio.h> (sprintf),
// <stdlib.h> (exit), <string.h> (memset, memcpy, strncpy, strchr),
// <sys/syscall.h> / <unistd.h> (syscall, SYS_rt_sigaction, __NR_mmap,
// __NR_ioctl). Restore the original list from the syzkaller bug page.
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include

// Per-thread depth counter: while > 0, a fault outside the program's own
// image is recovered from via segv_env instead of terminating the process.
static __thread int skip_segv;
// Recovery point set by NONFAILING() and jumped to from segv_handler().
static __thread jmp_buf segv_env;

/*
 * SIGSEGV/SIGBUS handler.
 *
 * If fault suppression is active (skip_segv > 0) and the faulting address
 * lies outside [1 MiB, 100 MiB], control returns to the most recent
 * NONFAILING() via _longjmp and the faulting statement is simply skipped.
 * Faults inside that window are never suppressed (presumably the
 * reproducer's own text/data live there, so a bug in the reproducer itself
 * is not masked — TODO confirm). Any non-suppressed fault terminates the
 * process with the signal number as its exit status.
 *
 * sig:  the delivered signal (SIGSEGV or SIGBUS).
 * info: siginfo; only si_addr (the faulting address) is read.
 * ctx:  ucontext, unused.
 */
static void segv_handler(int sig, siginfo_t* info, void* ctx)
{
  uintptr_t addr = (uintptr_t)info->si_addr;
  const uintptr_t prog_start = 1 << 20;
  const uintptr_t prog_end = 100 << 20;
  if (__atomic_load_n(&skip_segv, __ATOMIC_RELAXED) &&
      (addr < prog_start || addr > prog_end)) {
    // Non-local exit from a signal handler: relies on SA_NODEFER below so the
    // signal is not left blocked after we bypass sigreturn.
    _longjmp(segv_env, 1);
  }
  exit(sig);
}

/*
 * Installs segv_handler() for SIGSEGV and SIGBUS with SA_SIGINFO (so si_addr
 * is available) and SA_NODEFER (see the longjmp note in the handler).
 *
 * Signals 32 and 33 are first set to SIG_IGN through the raw rt_sigaction
 * syscall (sigsetsize 8), bypassing the libc wrapper — presumably because
 * libc reserves those real-time signals for its own use; confirm against
 * the target libc.
 */
static void install_segv_handler(void)
{
  struct sigaction sa;
  memset(&sa, 0, sizeof(sa));
  sa.sa_handler = SIG_IGN;
  syscall(SYS_rt_sigaction, 0x20, &sa, NULL, 8);
  syscall(SYS_rt_sigaction, 0x21, &sa, NULL, 8);
  memset(&sa, 0, sizeof(sa));
  sa.sa_sigaction = segv_handler;
  sa.sa_flags = SA_NODEFER | SA_SIGINFO;
  sigaction(SIGSEGV, &sa, NULL);
  sigaction(SIGBUS, &sa, NULL);
}

/*
 * NONFAILING(stmt): run stmt with fault suppression enabled.
 *
 * Increments skip_segv, sets the recovery point, executes stmt, and
 * decrements skip_segv again. If stmt faults at an address the handler
 * considers skippable, _longjmp returns here with 1 and stmt is abandoned;
 * the decrement still runs. Note the expansion is a bare `{ ... }` block
 * rather than do { } while (0), so it must not be used as an expression or
 * before an `else`.
 */
#define NONFAILING(...)                                   \
  {                                                       \
    __atomic_fetch_add(&skip_segv, 1, __ATOMIC_SEQ_CST);  \
    if (_setjmp(segv_env) == 0) {                         \
      __VA_ARGS__;                                        \
    }                                                     \
    __atomic_fetch_sub(&skip_segv, 1, __ATOMIC_SEQ_CST);  \
  }

/*
 * Opens a device node and returns the descriptor (or -1 from open(2)).
 *
 * Two calling conventions, selected by a0:
 *  - a0 == 0xc or 0xb: open "/dev/char/<a1>:<a2>" or "/dev/block/<a1>:<a2>"
 *    read-write, with a1/a2 truncated to 8 bits. The 128-byte buffer is
 *    sufficient for the longest such path, so sprintf cannot overflow here.
 *  - otherwise: a0 is a pointer to a path template. It is copied under
 *    NONFAILING (so an unmapped a0 yields an empty/partial path instead of
 *    a crash) and NUL-terminated explicitly because strncpy does not
 *    guarantee that. Every '#' in the template is replaced, left to right,
 *    by successive decimal digits of a1, least significant first. a2 is
 *    passed straight through as the open(2) flags.
 *
 * The caller in main() uses the second form: "/dev/video#" with a1 = 0x7fff,
 * so the single '#' becomes '7' (32767 % 10) and the path is "/dev/video7".
 */
static long syz_open_dev(long a0, long a1, long a2)
{
  if (a0 == 0xc || a0 == 0xb) {
    char buf[128];
    sprintf(buf, "/dev/%s/%d:%d", a0 == 0xc ? "char" : "block", (uint8_t)a1,
            (uint8_t)a2);
    return open(buf, O_RDWR, 0);
  } else {
    char buf[1024];
    char* hash;
    NONFAILING(strncpy(buf, (char*)a0, sizeof(buf) - 1));
    buf[sizeof(buf) - 1] = 0;
    while ((hash = strchr(buf, '#'))) {
      *hash = '0' + (char)(a1 % 10);
      a1 /= 10;
    }
    return open(buf, a2, 0);
  }
}

// Result slot for the syscall sequence; r[0] holds the video device fd once
// the open succeeds, otherwise stays at the sentinel (-1 as uint64_t), which
// is then passed to ioctl as an invalid descriptor.
uint64_t r[1] = {0xffffffffffffffff};

/*
 * Entry point: sets up the scratch region, opens the device, fills in the
 * ioctl argument at fixed addresses, and issues the ioctl once.
 *
 * Scratch region: 16 MiB at 0x20000000, prot 3 (PROT_READ|PROT_WRITE),
 * flags 0x32 (on x86-64 Linux: MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS — confirm
 * for other architectures). Because 0x20000000 is above the 100 MiB cutoff
 * in segv_handler(), every NONFAILING write below is recoverable if the
 * mapping is missing.
 *
 * Ioctl: 0xc100565c decodes as a read/write ioctl with type 'V' (0x56),
 * nr 0x5c and a 0x100-byte argument, i.e. the V4L2 family; the exact command
 * name is not on this page — NOTE(review): by that encoding it appears to be
 * VIDIOC_CREATE_BUFS, confirm against the kernel's videodev2.h. The argument
 * block at 0x20000140 is laid out as: u32 @+0x00 = 0, u32 @+0x04 = 0xa5fc,
 * u32 @+0x08 = 1, u32 @+0x10 = 2, 200 opaque bytes @+0x18, and eight zero
 * u32s @+0xe0..+0xfc. Bytes not written here (e.g. +0x0c, +0x14) keep
 * whatever the fresh anonymous mapping contains, i.e. zero.
 *
 * Returns 0 regardless of whether the open or the ioctl succeeded; the
 * reproducer's purpose is the kernel-side effect, not its exit status.
 */
int main(void)
{
  syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0);
  install_segv_handler();
  long res = 0;
  // Path template for syz_open_dev(); 12 bytes includes the terminating NUL.
  NONFAILING(memcpy((void*)0x20000100, "/dev/video#", 12));
  res = syz_open_dev(0x20000100, 0x7fff, 0x42000);
  if (res != -1)
    r[0] = res;
  // Ioctl argument block (see the layout in the function comment).
  NONFAILING(*(uint32_t*)0x20000140 = 0);
  NONFAILING(*(uint32_t*)0x20000144 = 0xa5fc);
  NONFAILING(*(uint32_t*)0x20000148 = 1);
  NONFAILING(*(uint32_t*)0x20000150 = 2);
  NONFAILING(memcpy(
      (void*)0x20000158,
      "\x14\xaa\x34\xef\x35\x7e\x73\x07\x28\xd7\x7e\xd7\xa6\xa2\x3b\x6d\x02\x27"
      "\x51\x37\x34\xb8\x33\x11\x14\x29\xbe\x28\x89\x87\x5c\xea\x97\x7e\x6a\x0e"
      "\x40\x2b\x63\x63\xb3\x04\xe7\xa2\xf5\x55\xb8\x29\x7f\x88\xb4\x29\x1f\xdd"
      "\xc0\xac\x9c\xaf\xf7\xdd\xa0\xc9\xf8\x7b\x31\x0c\x19\x19\xaa\x97\x91\xd6"
      "\x27\x23\x58\x4e\xb9\xb0\x43\xd2\xa8\xfd\x33\xa0\x54\x01\x6e\xd1\x1e\xc9"
      "\x72\xdc\x9c\xb8\x95\x6e\xee\xa7\x4a\x06\xcb\xb0\x64\xb1\xc6\xd0\x81\x1b"
      "\x28\x8c\xe1\xd4\x51\x31\xac\x77\x30\x2a\xc8\x74\x0c\x75\x55\x0d\xec\xcb"
      "\x83\x5f\x31\x4c\x9e\x44\x23\x29\xd9\xd0\xe3\xb2\x24\x29\xe8\xde\x3f\xb1"
      "\x82\x35\xe2\x53\x59\x6b\x2c\x4e\x6e\xde\x53\xc6\x73\x34\x93\xe2\xb2\x22"
      "\xaf\x6e\xb7\xf3\xdd\xa2\xe4\x32\x9d\xbc\x5b\x5b\x0e\xb3\xe0\x99\x50\x5b"
      "\x06\x4b\x16\x02\x1f\xff\x8b\xc6\xac\x27\x47\x40\x55\x56\xbf\x1f\x68\xb4"
      "\x39\x67",
      200));
  NONFAILING(*(uint32_t*)0x20000220 = 0);
  NONFAILING(*(uint32_t*)0x20000224 = 0);
  NONFAILING(*(uint32_t*)0x20000228 = 0);
  NONFAILING(*(uint32_t*)0x2000022c = 0);
  NONFAILING(*(uint32_t*)0x20000230 = 0);
  NONFAILING(*(uint32_t*)0x20000234 = 0);
  NONFAILING(*(uint32_t*)0x20000238 = 0);
  NONFAILING(*(uint32_t*)0x2000023c = 0);
  // Single ioctl on the device fd (or on the -1 sentinel if open failed).
  syscall(__NR_ioctl, r[0], 0xc100565c, 0x20000140);
  return 0;
}