// https://syzkaller.appspot.com/bug?id=d54834fc30378de92b867296890ae6f12d12fbab // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #ifndef __NR_bpf #define __NR_bpf 280 #endif #ifndef __NR_close #define __NR_close 57 #endif #ifndef __NR_listen #define __NR_listen 201 #endif #ifndef __NR_mmap #define __NR_mmap 222 #endif #ifndef __NR_openat #define __NR_openat 56 #endif #ifndef __NR_sendmmsg #define __NR_sendmmsg 269 #endif #ifndef __NR_sendmsg #define __NR_sendmsg 211 #endif #ifndef __NR_socket #define __NR_socket 198 #endif static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static bool write_file(const char* file, const char* what, ...) 
{
  // Body of write_file(file, what, ...): format into a 1 KiB buffer (longer
  // output is truncated by vsnprintf), then write it to `file` opened
  // O_WRONLY|O_CLOEXEC. Returns false on open failure or a short write.
  char buf[1024];
  va_list args;
  va_start(args, what);
  vsnprintf(buf, sizeof(buf), what, args);
  va_end(args);
  buf[sizeof(buf) - 1] = 0;
  int len = strlen(buf);
  int fd = open(file, O_WRONLY | O_CLOEXEC);
  if (fd == -1)
    return false;
  if (write(fd, buf, len) != len) {
    // close() may overwrite errno; report the write's error, not close()'s.
    int err = errno;
    close(fd);
    errno = err;
    return false;
  }
  close(fd);
  return true;
}

// Force-kill the test child `pid` (and its process group, see setpgrp() in
// setup_test) and reap it into `*status`.
// First polls waitpid() for ~100 ms. If the child has not been reaped by
// then, every FUSE connection under /sys/fs/fuse/connections is aborted by
// writing one byte to its `abort` attribute (a process stuck inside a FUSE
// request cannot exit until the connection is aborted), after which the
// function blocks until the child is finally reaped.
static void kill_and_wait(int pid, int* status)
{
  kill(-pid, SIGKILL);
  kill(pid, SIGKILL);
  for (int i = 0; i < 100; i++) {
    if (waitpid(-1, status, WNOHANG | __WALL) == pid)
      return;
    usleep(1000);
  }
  DIR* dir = opendir("/sys/fs/fuse/connections");
  if (dir) {
    for (;;) {
      struct dirent* ent = readdir(dir);
      if (!ent)
        break;
      if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
        continue;
      char abort[300];
      snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort", ent->d_name);
      int fd = open(abort, O_WRONLY);
      if (fd == -1) {
        continue;
      }
      // The byte written is just the first character of the path buffer;
      // only the fact that something is written matters here.
      if (write(fd, abort, 1) < 0) {
      }
      close(fd);
    }
    closedir(dir);
  } else {
  }
  // Blocking wait: waitpid(-1) reaps any child, loop until it is ours.
  while (waitpid(-1, status, __WALL) != pid) {
  }
}

// Per-child setup, run in the forked test process before execute_one():
// die with SIGKILL if the parent goes away, become a process-group leader
// so kill(-pid) in kill_and_wait reaches any descendants, and make this
// process the OOM killer's preferred victim. The write_file() result is
// deliberately ignored (best effort).
static void setup_test()
{
  prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
  setpgrp();
  write_file("/proc/self/oom_score_adj", "1000");
}

// Forward declaration; the definition below has no storage-class specifier
// and therefore inherits the internal linkage declared here.
static void execute_one(void);

#define WAIT_FLAGS __WALL

// Supervisor loop: forever, fork a child that runs setup_test() and
// execute_one() once and exits; the parent polls every 10 ms and, if the
// child is still alive after 15000 ms, kills and reaps it via
// kill_and_wait(). Exits the whole program only if fork() fails.
// `iter` is incremented but otherwise unused.
static void loop(void)
{
  int iter = 0;
  for (;; iter++) {
    int pid = fork();
    if (pid < 0)
      exit(1);
    if (pid == 0) {
      setup_test();
      execute_one();
      exit(0);
    }
    int status = 0;
    uint64_t start = current_time_ms();
    for (;;) {
      sleep_ms(10);
      if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
        break;
      if (current_time_ms() - start < 15000)
        continue;
      kill_and_wait(pid, &status);
      break;
    }
  }
}

// Result slots filled by execute_one() (only on success of each call):
// r[0] = fd from openat("cpuacct.stat"), r[1] = netlink socket,
// r[2] = listening AF_INET6 stream socket, r[3] = BPF program fd,
// r[4] = BPF map fd. All-ones initialisers mean a failed call leaves an
// invalid (-1) descriptor in the slot.
uint64_t r[5] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff};

// The syscall sequence that triggers the bug. Every argument structure is
// built by raw stores into the fixed scratch mapping at 0x20000000 that
// main() set up; syzkaller's /*name=*/ annotations give the field meaning.
// Return values are only used to record descriptors; failures are not
// checked, the sequence simply continues.
void execute_one(void)
{
  intptr_t res = 0;
  // Progress marker on stdout; the result is intentionally ignored.
  if (write(1, "executing program\n", sizeof("executing program\n") - 1)) {
  }
  memcpy((void*)0x200003c0, "cpuacct.stat\000", 13);
  // openat(AT_FDCWD (= -100, 0xffffff9c as u32), "cpuacct.stat", 0x26e1, 0)
  // relative to the current directory; the fd is recorded in r[0].
  res = syscall(__NR_openat, /*fd=*/0xffffff9c, /*file=*/0x200003c0ul, /*flags=*/0x26e1ul, /*mode=*/0ul);
  if (res !=
-1) r[0] = res;
  // r[0] is closed immediately; the open only occupied an fd number.
  syscall(__NR_close, /*fd=*/r[0]);
  // r[1]: socket(AF_NETLINK=0x10, SOCK_RAW=3, protocol 0xc), also closed at
  // once. With both earlier fds closed, the next socket() normally receives
  // the same lowest free fd number, so the later sends addressed to r[0] and
  // r[1] most likely reach the socket created as r[2]; that is how the
  // generated sequence is to be read (NOTE(review): inferred from fd
  // allocation rules, not visible in the code).
  res = syscall(__NR_socket, /*domain=*/0x10ul, /*type=*/3ul, /*proto=*/0xc);
  if (res != -1) r[1] = res;
  syscall(__NR_close, /*fd=*/r[1]);
  // r[2]: socket(AF_INET6=0xa, SOCK_STREAM=1, 0), put into listening state.
  res = syscall(__NR_socket, /*domain=*/0xaul, /*type=*/1ul, /*proto=*/0);
  if (res != -1) r[2] = res;
  syscall(__NR_listen, /*fd=*/r[2], /*backlog=*/0);
  // bpf_attr at 0x20000680 for BPF_PROG_LOAD (cmd 5): prog_type 0x10
  // (BPF_PROG_TYPE_SK_MSG), insn_cnt 4, insns -> 0x20000380, license ->
  // "GPL", no log buffer, BTF fd fields set to -1 (none). Only 25 of the
  // 32 instruction bytes are written: a 64-bit immediate load (0x18), a
  // helper call (0x85, helper id 0x3e) and the exit opcode (0x95); the
  // remaining bytes of the last instruction are whatever the scratch mapping
  // holds, presumably zero since each forked child starts from a fresh
  // private copy.
  *(uint32_t*)0x20000680 = 0x10;
  *(uint32_t*)0x20000684 = 4;
  *(uint64_t*)0x20000688 = 0x20000380;
  memcpy((void*)0x20000380, "\x18\x02\x00\x00\x00\xc4\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x85" "\x00\x00\x00\x3e\x00\x00\x00\x95", 25);
  *(uint64_t*)0x20000690 = 0x200000c0;
  memcpy((void*)0x200000c0, "GPL\000", 4);
  *(uint32_t*)0x20000698 = 0;
  *(uint32_t*)0x2000069c = 0;
  *(uint64_t*)0x200006a0 = 0;
  *(uint32_t*)0x200006a8 = 0;
  *(uint32_t*)0x200006ac = 0;
  memset((void*)0x200006b0, 0, 16);
  *(uint32_t*)0x200006c0 = 0;
  *(uint32_t*)0x200006c4 = 0;
  *(uint32_t*)0x200006c8 = -1;
  *(uint32_t*)0x200006cc = 8;
  *(uint64_t*)0x200006d0 = 0;
  *(uint32_t*)0x200006d8 = 0;
  *(uint32_t*)0x200006dc = 0x10;
  *(uint64_t*)0x200006e0 = 0;
  *(uint32_t*)0x200006e8 = 0;
  *(uint32_t*)0x200006ec = 0;
  *(uint32_t*)0x200006f0 = 0;
  *(uint32_t*)0x200006f4 = 0;
  *(uint64_t*)0x200006f8 = 0;
  *(uint64_t*)0x20000700 = 0;
  *(uint32_t*)0x20000708 = 0x10;
  *(uint32_t*)0x2000070c = 0;
  res = syscall(__NR_bpf, /*cmd=*/5ul, /*arg=*/0x20000680ul, /*size=*/0x90ul);
  if (res != -1) r[3] = res; // r[3]: BPF program fd
  // bpf_attr at 0x200023c0 for BPF_MAP_CREATE (cmd 0): map_type 0x12
  // (BPF_MAP_TYPE_SOCKHASH), key_size 4, value_size 8, max_entries 0xb,
  // inner_map_fd and btf_fd -1 (none).
  *(uint32_t*)0x200023c0 = 0x12;
  *(uint32_t*)0x200023c4 = 4;
  *(uint32_t*)0x200023c8 = 8;
  *(uint32_t*)0x200023cc = 0xb;
  *(uint32_t*)0x200023d0 = 0;
  *(uint32_t*)0x200023d4 = -1;
  *(uint32_t*)0x200023d8 = 0;
  memset((void*)0x200023dc, 0, 16);
  *(uint32_t*)0x200023ec = 0;
  *(uint32_t*)0x200023f0 = -1;
  *(uint32_t*)0x200023f4 = 0;
  *(uint32_t*)0x200023f8 = 0;
  *(uint32_t*)0x200023fc = 0;
  *(uint64_t*)0x20002400 = 0;
  res = syscall(__NR_bpf, /*cmd=*/0ul, /*arg=*/0x200023c0ul, /*size=*/0x48ul);
  if (res != -1) r[4] = res; // r[4]: sockhash map fd
  // Start of the bpf_attr at 0x200001c0 used by the BPF_PROG_ATTACH that
  // follows: target_fd r[4] (the map), attach_bpf_fd r[3] (the program),
  // attach_type 7 (BPF_SK_MSG_VERDICT). The remaining fields and the call
  // itself come next.
  *(uint32_t*)0x200001c0 = r[4];
  *(uint32_t*)0x200001c4 = r[3];
  *(uint32_t*)0x200001c8 = 7;
*(uint32_t*)0x200001cc = 0;
  *(uint32_t*)0x200001d0 = 0;
  *(uint32_t*)0x200001d4 = -1;
  *(uint64_t*)0x200001d8 = 0;
  // BPF_PROG_ATTACH (cmd 8) with the attr at 0x200001c0 (target_fd r[4],
  // attach_bpf_fd r[3], attach_type 7): attach the SK_MSG program to the
  // sockhash map. Only 0x10 bytes are passed as the attr size.
  syscall(__NR_bpf, /*cmd=*/8ul, /*arg=*/0x200001c0ul, /*size=*/0x10ul);
  // BPF_MAP_UPDATE_ELEM (cmd 2): map_fd r[4], key -> 0x20000240 (not yet
  // written at this point), value -> 0x200004c0 holding the fd of the
  // listening AF_INET6 socket r[2], flags 0: insert the listening socket
  // into the sockhash that the program is attached to.
  *(uint32_t*)0x20000500 = r[4];
  *(uint64_t*)0x20000508 = 0x20000240;
  *(uint64_t*)0x20000510 = 0x200004c0;
  *(uint32_t*)0x200004c0 = r[2];
  *(uint64_t*)0x20000518 = 0;
  syscall(__NR_bpf, /*cmd=*/2ul, /*arg=*/0x20000500ul, /*size=*/0x20ul);
  // Two mmsghdr entries at 0x20002f40 for the sendmmsg(r[1], ..., vlen 2)
  // below: message 0 has two iovecs (0x30 bytes at 0x20000140, 0x1e bytes
  // at 0x20000480); message 1 has one iovec of 0x1af bytes at 0x20001140.
  // The payloads are fuzzer-generated bytes with no structure documented
  // here. r[1] was closed earlier, so this send goes to whichever socket
  // now owns that fd number (most likely r[2]).
  *(uint64_t*)0x20002f40 = 0;
  *(uint32_t*)0x20002f48 = 0;
  *(uint64_t*)0x20002f50 = 0x20000bc0;
  *(uint64_t*)0x20000bc0 = 0x20000140;
  memcpy((void*)0x20000140, "\xe4\x3d\x04\xfd\x21\x70\xbd\x50\x12\x5f\xfa\x6d\x1e\x17\x9f\x98\x98" "\x4b\x2c\x72\xca\x3b\xff\xd4\x87\x1a\x11\x29\x72\x96\x3a\x9b\x52\x49" "\x58\xb6\x3a\x16\x19\x12\x2a\xcc\x32\xa1\xe1\xc8\x1a\x85", 48);
  *(uint64_t*)0x20000bc8 = 0x30;
  *(uint64_t*)0x20000bd0 = 0x20000480;
  memcpy((void*)0x20000480, "\x14\x9d\x04\x4c\x07\xe5\x78\xf4\x8f\x6e\x7f\xb6\x51\x72\xa6\x1b\x03" "\x16\xe2\x0d\x92\xe7\x1c\x83\x4e\x31\xde\x43\x35\xc6", 30);
  *(uint64_t*)0x20000bd8 = 0x1e;
  *(uint64_t*)0x20002f58 = 2;
  *(uint64_t*)0x20002f60 = 0;
  *(uint64_t*)0x20002f68 = 0;
  *(uint32_t*)0x20002f70 = 0;
  *(uint32_t*)0x20002f78 = 0;
  *(uint64_t*)0x20002f80 = 0;
  *(uint32_t*)0x20002f88 = 0;
  *(uint64_t*)0x20002f90 = 0x20000e00;
  *(uint64_t*)0x20000e00 = 0x20001140;
  memcpy( (void*)0x20001140, "\x2c\xd3\x0c\x74\x45\x9f\xd7\xf3\x86\x80\x40\xd8\x41\xd7\x6b\x18\x1f\xd9" "\x30\x7a\xb6\x16\x0b\xd1\x99\xa5\x0b\x64\xe0\x9d\x2a\x59\x50\xfd\x97\xde" "\x7c\xca\x2e\x06\xd1\x4a\x95\x36\x2b\x04\x71\x5a\x1e\x66\x68\x84\xf0\x0b" "\x75\x4f\xad\x3a\xd2\x9f\x43\x66\x14\x8e\x82\x25\xd6\xb5\x1c\x6e\xeb\x37" "\x07\xe5\xc2\xc0\x9b\x86\x6c\x08\x71\x2a\xb9\x6b\x3b\xfb\x9e\xca\x39\x05" "\x27\xd3\xbd\x24\xb8\xac\x8f\xbe\xfb\x06\x46\x22\x0d\xda\x67\xb5\x0f\xef" "\xa2\x86\x62\xfe\xf7\x69\x96\x2f\x3c\x93\xb3\x83\x9b\xb0\x4a\x79\xed\x46" "\x42\x6b\xc4\xa3\x84\x98\x06\xa1\xe8\xfb\x00\x38\x99\x7c\x40\x88\xa2\x7c" "\xaf\x95\x3c\xe6\xc5\x25\x07\xd3\x07\xe8\xb7\x8d\x70\xc3\xfe\xb2\xc0\xb6" "\xbb\xac\x1a\x34\x6a\x68\x9f\x03\x3d\xe5\x70\xe0\x1b\xcf\xa2\x3a\xe9\x0b" "\x29\x4f\x25\x4f\x86\x71\xce\x0d\x68\x32\xa3\xfc\xbf\x48\xfa\x96\x18\xbf" "\x49\xed\xec\x47\xba\x1e\x07\x25\xe5\xd8\xad\x32\xa7\x46\xe0\x5e\xad\x48" "\x2c\x38\xb3\x4d\x52\xef\xff\x08\x58\x93\x24\x71\xf0\xbe\x04\xf6\x72\x22" "\xec\xa8\xdb\xea\x65\xc4\x1e\xff\x6e\xa0\xb0\xeb\x0b\xd4\x5f\xa2\xe8\xdd" "\xb2\xfc\x5d\xd1\x79\x04\x23\x8a\x58\x64\xe8\x02\x25\xa6\xe6\xe6\x72\x12" "\xc9\xf8\xcc\x44\x50\x25\xd9\xda\x9a\x7f\x26\xf2\xb0\x3a\x8b\x46\x96\xe0" "\x93\xa6\x58\x1a\x06\xfc\x65\x06\xe9\x8d\x90\x0a\xcb\xb2\x0a\x4e\xf7\xf3" "\x75\x1a\xc7\x2b\x3c\x91\x68\xee\xa2\x21\xed\x96\xbd\x13\x65\xe9\x73\xae" "\x45\xf5\xb7\xc1\xd8\x92\x23\xd9\x99\xbe\xda\x3d\x2b\x4f\xe3\x8a\x2e\x37" "\x13\x36\xaf\xa0\x1c\xb7\x81\x12\xfd\xf7\x99\x78\x03\xd0\xf7\x3d\xab\xb2" "\x40\x76\xed\xb1\x63\x15\xeb\xf5\xa9\x01\x71\x31\x4e\x8f\xcd\xfe\xc7\x4b" "\x46\xc8\x3f\xa3\x48\x1e\x0c\x57\x5e\x78\xba\xc1\x58\xac\x4f\x4e\x36\x82" "\x33\xf5\xda\x9b\x11\xc9\xdf\x11\xc6\xf2\xa1\x2b\xde\x17\x59\xd9\x3d\x6c" "\xfe\x3a\x43\x5d\x16\x06\x39\x05\xf0\xe1\x87\xde\x92\xe7\x14\xb5\x92", 431);
  *(uint64_t*)0x20000e08 = 0x1af;
  *(uint64_t*)0x20002f98 = 1;
  *(uint64_t*)0x20002fa0 = 0;
  *(uint64_t*)0x20002fa8 = 0;
  *(uint32_t*)0x20002fb0 = 0;
  *(uint32_t*)0x20002fb8 = 0;
  syscall(__NR_sendmmsg, /*fd=*/r[1], /*mmsg=*/0x20002f40ul, /*vlen=*/2ul, /*f=*/0ul);
  // msghdr at 0x20001100 for sendmsg(r[1], ...): one iovec of 0x14 bytes at
  // 0x20000740, laid out like a netlink header (len 0x14, type 0x15, flags
  // 0, seq 0, pid 0) followed by the bytes 0x25 0x00. Sent with the flags
  // spelled out in the annotation below.
  *(uint64_t*)0x20001100 = 0;
  *(uint32_t*)0x20001108 = 0;
  *(uint64_t*)0x20001110 = 0x200010c0;
  *(uint64_t*)0x200010c0 = 0x20000740;
  *(uint32_t*)0x20000740 = 0x14;
  *(uint16_t*)0x20000744 = 0x15;
  *(uint16_t*)0x20000746 = 0;
  *(uint32_t*)0x20000748 = 0;
  *(uint32_t*)0x2000074c = 0;
  *(uint8_t*)0x20000750 = 0x25;
  *(uint8_t*)0x20000751 = 0;
  *(uint64_t*)0x200010c8 = 0x14;
  *(uint64_t*)0x20001118 = 1;
  *(uint64_t*)0x20001120 = 0;
  *(uint64_t*)0x20001128 = 0;
  *(uint32_t*)0x20001130 = 0;
  syscall(__NR_sendmsg, /*fd=*/r[1], /*msg=*/0x20001100ul,
/*f=MSG_ZEROCOPY|MSG_OOB|MSG_DONTWAIT|MSG_CONFIRM*/ 0x4000841ul);
  // msghdr at 0x20000240 for the final sendmsg(r[0], ..., 0): a single
  // iovec of 0x33fe0 bytes starting at 0x200001c0 (it overlaps the earlier
  // bpf_attr scratch, which no longer matters). r[0] was closed at the very
  // start, so this most likely targets the listening socket that sits in
  // the sockhash; this is the last step of the trigger sequence.
  *(uint64_t*)0x20000240 = 0;
  *(uint32_t*)0x20000248 = 0;
  *(uint64_t*)0x20000250 = 0x20000080;
  *(uint64_t*)0x20000080 = 0x200001c0;
  *(uint64_t*)0x20000088 = 0x33fe0;
  *(uint64_t*)0x20000258 = 1;
  *(uint64_t*)0x20000260 = 0;
  *(uint64_t*)0x20000268 = 0;
  *(uint32_t*)0x20000270 = 0;
  syscall(__NR_sendmsg, /*fd=*/r[0], /*msg=*/0x20000240ul, /*f=*/0ul);
}

// Entry point: lay out the fixed scratch area that execute_one() stores
// into, then hand over to the supervisor loop (which never returns).
// The region is a 16 MiB RWX MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE mapping at
// 0x20000000, flanked by one inaccessible (prot 0) guard page below it at
// 0x1ffff000 and one above it at 0x21000000. The mmap results are not
// checked; if a MAP_FIXED mapping fails, the raw stores in execute_one()
// fault in the child instead of corrupting anything.
int main(void)
{
  syscall(__NR_mmap, /*addr=*/0x1ffff000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1, /*offset=*/0ul);
  syscall(__NR_mmap, /*addr=*/0x20000000ul, /*len=*/0x1000000ul, /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1, /*offset=*/0ul);
  syscall(__NR_mmap, /*addr=*/0x21000000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1, /*offset=*/0ul);
  // Unused leftover from the generator's template.
  const char* reason;
  (void)reason;
  loop();
  return 0;
}