// https://syzkaller.appspot.com/bug?id=1f4ddab55bcaf38ad92dc0291a878c7842f10eae
// autogenerated by syzkaller (https://github.com/google/syzkaller)
//
// Kernel-bug reproducer. It implements no feature of its own: it replays a
// fixed sequence of raw system calls whose arguments are laid out at fixed
// addresses inside a region that main() maps at 0x20000000, and it repeats
// that sequence in forked children for as long as the process lives. The
// interesting outcome is the kernel fault the linked report describes, not
// anything the program computes, so the loop below never terminates on its
// own; the program is meant for a disposable test VM running the kernel
// build named in that report.
//
// The fallback syscall numbers (mount 21, ioctl 54, mkdir 136, mmap 197,
// posix_spawn 474, sendto 133) and the compat_40_mount entry point are
// NetBSD's, not Linux's; the #ifndef guards only apply when <sys/syscall.h>
// does not already define them.
#define _GNU_SOURCE
// NOTE(review): the header names after each #include were lost when this
// listing was extracted; only the bare directives survive. The code needs
// at least the declarations of fork/waitpid/kill/usleep/sleep/syscall,
// clock_gettime, memcpy, exit and the <stdint.h> fixed-width types.
#include #include #include #include #include #include #include #include #include #include #include #include #include #include
#ifndef SYS_compat_40_mount
#define SYS_compat_40_mount 21
#endif
#ifndef SYS_ioctl
#define SYS_ioctl 54
#endif
#ifndef SYS_mkdir
#define SYS_mkdir 136
#endif
#ifndef SYS_mmap
#define SYS_mmap 197
#endif
#ifndef SYS_posix_spawn
#define SYS_posix_spawn 474
#endif
#ifndef SYS_sendto
#define SYS_sendto 133
#endif

// Index of the forked worker (0..5), assigned by main() before each fork.
// Nothing else in this file reads it; syzkaller emits it unconditionally.
static unsigned long long procid;

// Forcibly terminate child `pid` and reap it, storing its wait status in
// *status. waitpid(-1, ...) reaps whichever child exits first, so the loop
// keeps reaping (and discards other children's statuses) until the return
// value is the requested pid.
static void kill_and_wait(int pid, int* status)
{
  kill(pid, SIGKILL);
  while (waitpid(-1, status, 0) != pid) {
  }
}

// Sleep for `ms` milliseconds. Only ever called with ms == 1 in this file;
// the product ms * 1000 is passed to usleep() without further checking.
static void sleep_ms(uint64_t ms)
{
  usleep(ms * 1000);
}

// Monotonic clock in milliseconds, used only to bound how long a child may
// run. A clock_gettime() failure terminates the process with status 1.
static uint64_t current_time_ms(void)
{
  struct timespec ts;
  if (clock_gettime(CLOCK_MONOTONIC, &ts))
    exit(1);
  return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}

static void execute_one(void);

// Extra flags OR'ed into waitpid() by loop(); none are needed here.
#define WAIT_FLAGS 0

// Infinite fork loop: each iteration forks a child that runs execute_one()
// once and exits, then the parent polls for it every 1 ms and SIGKILLs it if
// it is still alive after 5000 ms. A fork() failure exits the parent.
// `iter` is incremented each round but never read. Because the poll uses
// waitpid(-1, ...), a different child being reaped does not end the wait.
static void loop(void)
{
  int iter = 0;
  for (;; iter++) {
    int pid = fork();
    if (pid < 0)
      exit(1);
    if (pid == 0) {
      execute_one();
      exit(0);
    }
    int status = 0;
    uint64_t start = current_time_ms();
    for (;;) {
      if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
        break;
      sleep_ms(1);
      if (current_time_ms() - start < 5000)
        continue;
      // Child has run for >= 5 s: kill it and reap it before the next round.
      kill_and_wait(pid, &status);
      break;
    }
  }
}

// The replayed syscall program. Every argument lives at a fixed address in
// the region main() mapped at 0x20000000; the stores below populate those
// records before each call. Return values are deliberately ignored — several
// calls use the invalid descriptor -1 and are expected to fail early, which
// syzkaller keeps because it could not remove them without losing the
// reproduction. The declaration above is `static`; the definition is not,
// which C permits (the earlier declaration fixes internal linkage).
void execute_one(void)
{
  // 48-byte record at 0x200001c0, passed as posix_spawn's 4th argument
  // (presumably a spawn attribute structure — verify against the NetBSD
  // syscall prototype). Only the 32-bit field at +8 is non-zero (0x101).
  *(uint16_t*)0x200001c0 = 0;
  *(uint32_t*)0x200001c4 = 0;
  *(uint32_t*)0x200001c8 = 0x101;
  *(uint32_t*)0x200001cc = 0;
  *(uint32_t*)0x200001d0 = 0;
  *(uint32_t*)0x200001d4 = 0;
  *(uint32_t*)0x200001d8 = 0;
  *(uint32_t*)0x200001dc = 0;
  *(uint32_t*)0x200001e0 = 0;
  *(uint32_t*)0x200001e4 = 0;
  *(uint32_t*)0x200001e8 = 0;
  *(uint32_t*)0x200001ec = 0;
  syscall(SYS_posix_spawn, -1, 0ul, 0ul, 0x200001c0ul, 0ul, 0ul);
  // 16-byte record at 0x20000100 (u32 1, u32 0, u64 0). It is the ioctl
  // argument here and is reused unchanged as the `data` of the first mount.
  *(uint32_t*)0x20000100 = 1;
  *(uint32_t*)0x20000104 = 0;
  *(uint64_t*)0x20000108 = 0;
  syscall(SYS_ioctl, -1, 0xc0105766ul, 0x20000100ul);
  // 198-byte opaque payload (0xc6 == 198, matching the sendto length) sent
  // on descriptor -1 with flags 3.
  memcpy((void*)0x20000200, "\x5f\x3b\x36\xf7\x3b\xdb\xf7\xc9\x8a\xd8\x74\xd0\xf3\xea\x08\x0e\xf0" "\xa2\x33\x28\x97\x4a\x9a\x54\x62\x3d\x38\x5f\x04\xd0\xf8\xca\xb2\xf5" "\x3c\x12\x00\xaa\x8c\x7f\xe4\xd7\xaf\xc5\xd1\xe6\x89\x85\xd5\x9e\x9d" "\xb5\x3a\x29\xe1\x9d\x90\x83\xd2\x82\x83\x04\x8a\x74\x22\x08\x13\x54" "\x59\x24\xff\xbd\x78\x6f\xfa\xa2\x73\xc6\x70\x0b\x65\xde\xb5\xff\xea" "\xb2\x30\xf2\xcf\x02\xbe\xa8\xec\x56\xd5\x84\x0e\x3d\x9a\xab\xdb\xda" "\x82\xb4\x43\x01\x61\xd2\x8b\xa1\xbd\x38\x24\x3b\xde\xae\xf4\x1c\x1f" "\x19\x0b\x09\x50\x85\x9b\xc6\xa1\x52\xcb\x75\x94\xfc\xe4\x9d\x17\xee" "\x9e\x0c\xd1\x3c\x5e\xbc\x34\x9f\xd6\x2d\x1c\xd7\xf1\x7f\x34\xf8\xa7" "\x35\x54\x95\x08\x9d\xa1\x13\x42\x94\xd5\xc5\x69\xeb\x1d\x16\x95\xd0" "\x1b\xd8\xa5\xb9\xbb\x62\x2e\xf1\x51\xb9\xc6\x0e\x6e\x91\xd8\x12\x99" "\x4f\xfc\x7e\x4b\x81\x72\x22\x8d\xe5\x8e\x90", 198);
  syscall(SYS_sendto, -1, 0x20000200ul, 0xc6ul, 3ul, 0ul, 0ul);
  // mkdir("./file0", 0x38), i.e. mode 070: the mount point for both mounts.
  memcpy((void*)0x20000080, "./file0\000", 8);
  syscall(SYS_mkdir, 0x20000080ul, 0x38ul);
  // compat_40_mount(type, path, flags, data): first a tmpfs on ./file0 with
  // flags 0 and the 16-byte record from 0x20000100 as filesystem data...
  memcpy((void*)0x20000440, "tmpfs\000", 6);
  memcpy((void*)0x200000c0, "./file0\000", 8);
  syscall(SYS_compat_40_mount, 0x20000440ul, 0x200000c0ul, 0ul, 0x20000100ul);
  // ...then a second mount on the same path with a NULL type pointer, an
  // arbitrary flag word (truncated to the kernel's int flags) and the
  // 48-byte record from 0x200001c0 as data. This final call is presumably
  // what trips the reported bug; the linked syzkaller report is
  // authoritative on the exact fault.
  memcpy((void*)0x20000040, "./file0\000", 8);
  syscall(SYS_compat_40_mount, 0ul, 0x20000040ul, 0x4c9dad3b660521bbul, 0x200001c0ul);
}

// Map the 16 MiB scratch region at the fixed address 0x20000000 (prot 3 =
// read|write; flags 0x1012 presumably MAP_FIXED|MAP_PRIVATE|MAP_ANON on
// NetBSD, whose mmap takes a pad argument before the offset — hence the
// seven arguments), fork six workers that each run loop() forever, then park
// the parent in sleep(). The mmap return value is not checked: if the
// mapping fails, the first store in execute_one() faults in each child
// instead of reaching the kernel, which is a silent non-reproduction.
int main(void)
{
  syscall(SYS_mmap, 0x20000000ul, 0x1000000ul, 3ul, 0x1012ul, -1, 0ul, 0ul);
  for (procid = 0; procid < 6; procid++) {
    if (fork() == 0) {
      loop();
    }
  }
  sleep(1000000);
  return 0;
}