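// https://syzkaller.appspot.com/bug?id=45d463e3ae38f3c38f2c82f0a8c6a2c1c8ce7457
// autogenerated by syzkaller (https://github.com/google/syzkaller)
//
// Kernel-bug reproducer harness: main() maps a fixed data window, then
// starts six worker processes.  Each worker forever forks a child that runs
// execute_one() (one socket() + writev() sequence against that window) and
// kills the child if it has not exited within EXEC_TIMEOUT_MS.
//
// NOTE(review): the original #include list was lost when this file was
// extracted (only bare "#include" tokens survived); the headers below are
// the ones the code actually uses.
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

// Worker index, assigned by main() before each worker is forked.  The
// syscall sequence itself does not read it.
unsigned long long procid;

// How long loop() lets a single child run before killing it.
enum { EXEC_TIMEOUT_MS = 5 * 1000 };

/*
 * SIGKILL the child @pid and reap it, storing its wait status in *@status.
 * Blocks until that exact pid has been reaped.  Unlike the original, which
 * looped forever if waitpid() kept failing, this gives up when waitpid()
 * fails for any reason other than EINTR (e.g. ECHILD: nothing left to reap).
 */
static void kill_and_wait(int pid, int *status)
{
  kill(pid, SIGKILL);
  for (;;) {
    int reaped = waitpid(-1, status, 0);
    if (reaped == pid)
      break;
    if (reaped == -1 && errno != EINTR)
      break;
  }
}

// Sleep for @ms milliseconds.  usleep() takes an unsigned int microsecond
// count, so only small values are safe from truncation; the harness passes 1.
static void sleep_ms(uint64_t ms)
{
  usleep(ms * 1000);
}

// Monotonic clock reading in milliseconds.  Exits the process if the clock
// cannot be read, matching the harness's exit-on-failure convention.
static uint64_t current_time_ms(void)
{
  struct timespec ts;
  if (clock_gettime(CLOCK_MONOTONIC, &ts))
    exit(1);
  return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}

static void execute_one(void);

#define WAIT_FLAGS 0

/*
 * Worker body; never returns.  Each iteration forks a child that runs
 * execute_one() exactly once, then polls for its exit once a millisecond.
 * A child still alive after EXEC_TIMEOUT_MS is killed and reaped.
 */
static void loop(void)
{
  for (;;) {
    int pid = fork();
    if (pid < 0)
      exit(1);
    if (pid == 0) {
      execute_one();
      exit(0);
    }
    int status = 0;
    uint64_t start = current_time_ms();
    for (;;) {
      // waitpid(-1) is safe here: a worker has exactly one child at a time.
      if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
        break;
      sleep_ms(1);
      if (current_time_ms() - start < EXEC_TIMEOUT_MS)
        continue;
      kill_and_wait(pid, &status);
      break;
    }
  }
}

// Fallback syscall numbers for when <sys/syscall.h> does not define them.
// NOTE(review): these look like NetBSD's table -- confirm against the
// target's sys/syscall.h before building for another system.
#ifndef SYS_mmap
#define SYS_mmap 197
#endif
#ifndef SYS_socket
#define SYS_socket 394
#endif
#ifndef SYS_writev
#define SYS_writev 121
#endif

// Result slot for the socket() call.  Stays at (uint64_t)-1 when the call
// fails, in which case the writev() below is issued against an invalid
// descriptor and simply fails.
uint64_t r[1] = {0xffffffffffffffff};

/*
 * The reproducing syscall sequence, run once per child:
 *   1. socket(0x22, 3, 0); the descriptor goes into r[0] on success.
 *   2. Build seven {base, len} iovec entries at 0x200014c0 and copy the
 *      fuzzer-generated payload of each into its buffer.  All addresses
 *      lie inside the 16 MiB window main() maps at 0x20000000, the buffers
 *      do not overlap, and each memcpy length equals the iovec length it is
 *      paired with.  The seventh entry is {0, 0}.
 *   3. writev(r[0], iov, 7).
 * The payload bytes are opaque fuzzer output; nothing here interprets them.
 */
static void execute_one(void)
{
  intptr_t res = 0;
  res = syscall(SYS_socket, 0x22ul, 3ul, 0);
  if (res != -1)
    r[0] = res;
  // iov[0]: 76 bytes at 0x200000c0
  *(uint64_t*)0x200014c0 = 0x200000c0;
  memcpy((void*)0x200000c0,
         "\x8f\xf5\x7b\xd8\xe8\x07\x02\x3a\x82\xe4\x61\x46\xb2\xa2\x1c\xb0\xe1"
         "\x89\x6b\x3e\x96\x3b\x1b\x1a\x86\xce\x73\xaf\x2f\x70\xa0\xd9\xc4\xc0"
         "\x35\xd6\xd3\xaa\xb1\x95\x08\x86\x3b\xfd\x46\xe0\x38\xea\x22\x24\xfa"
         "\x6d\x49\x30\x6e\x0f\x1f\x9d\x16\x5d\x6d\x42\xb6\xed\x2a\xed\xee\x4e"
         "\x49\xf6\xb6\xbc\x10\xc7\xf3\xa1",
         76);
  *(uint64_t*)0x200014c8 = 0x4c;
  // iov[1]: 61 bytes at 0x20000040
  *(uint64_t*)0x200014d0 = 0x20000040;
  memcpy((void*)0x20000040,
         "\x0d\x6d\xa5\x3f\x15\x8b\x33\xb5\xe8\x8d\x3e\x73\x26\x7d\x78\xe2\x92"
         "\x9b\x66\xf0\xde\x44\x17\xe2\x1c\x7f\x61\xeb\x7b\x2c\xd9\x68\x0e\x9b"
         "\x0c\x01\x8e\x06\x7b\xd0\x61\xbe\x57\x03\x45\xac\x13\x27\x41\x64\xea"
         "\x96\xd6\x10\x69\x1c\x2d\xb5\x2f\x68\xcf",
         61);
  *(uint64_t*)0x200014d8 = 0x3d;
  // iov[2]: 212 bytes at 0x20000140
  *(uint64_t*)0x200014e0 = 0x20000140;
  memcpy((void*)0x20000140,
         "\xfc\xaa\xcc\x7f\x34\xa8\x41\x96\x40\x21\x0a\x8f\xdf\xd3\xd4\x46\x13"
         "\x44\xaf\xb0\x7f\xe0\x8e\xfe\xe6\xbe\x9f\x35\x9c\x64\x2e\x68\xc5\x84"
         "\xe1\x03\xcd\xd8\x0b\x7d\x95\x93\xd2\x8d\xaf\xa0\xee\x35\xfe\x99\xee"
         "\x08\xaf\x5d\x6b\x14\x90\xcf\x35\xe5\x38\x1d\xf2\x3a\x9c\x57\x68\x2f"
         "\x96\x97\xa5\x00\xc3\xc8\xbd\xa5\xc4\xcc\xd6\xeb\xf0\x4c\x11\x84\xa7"
         "\x63\x9f\x14\xec\x8c\x8e\xbe\x85\xae\x00\xe6\x5a\xcc\xae\x05\xad\x70"
         "\x3a\x81\xc5\x83\x0a\x18\xe2\x93\x07\x8d\x5b\x0e\x63\xf1\xd4\x7a\xa2"
         "\xcd\x68\x20\x6e\x3d\x8d\x84\x05\x65\xaa\xd1\xcc\x32\xb1\x93\xec\xe6"
         "\x3a\x4f\xaa\x69\xf3\xfd\xe9\x4b\xae\x8b\x51\x55\x6a\x47\x90\xe5\x66"
         "\x36\xc3\x9d\xa6\xa6\x03\xb4\xb8\x5f\x0f\x7e\xad\xb8\x9f\xca\x25\x01"
         "\x84\x43\xea\x39\x97\xdc\x6d\x80\x6b\x23\xc9\x53\xf0\x03\x5b\xe5\xc9"
         "\x5b\x1b\x57\x74\x52\x07\x45\x97\xd1\xb0\xe1\x6f\xc0\x85\xc7\x61\xe1"
         "\x0e\x26\x0e\x4a\x8b\x55\x1d\xbf",
         212);
  *(uint64_t*)0x200014e8 = 0xd4;
  // iov[3]: 220 bytes at 0x20000240
  *(uint64_t*)0x200014f0 = 0x20000240;
  memcpy((void*)0x20000240,
         "\x2d\xaa\x38\x2b\xf4\x9a\x1e\xef\xa1\xd3\xa2\xc8\x1d\x76\x93\xb7\x12"
         "\x94\x88\xf1\x3d\x10\x54\xcb\xce\x86\x95\xe9\xcc\xe7\x4d\x0e\x1b\x54"
         "\x58\x3c\x67\xb0\x59\x76\x5f\x02\x3c\x1d\x75\x5e\xf6\x75\xe0\x54\xa9"
         "\xf0\x59\x10\x8f\xbf\x69\x2a\xf9\xc3\x7c\xad\x77\xe6\x94\x52\xd5\xe8"
         "\x69\x34\x6c\x05\x65\x85\x06\x2d\x26\x58\x00\x07\x11\x4a\x77\xec\xe6"
         "\x0e\x73\xa0\x14\x43\x8b\xf5\x40\xba\x9f\x41\x7e\x22\x3e\x5d\x9b\x28"
         "\xd7\xd8\xb3\x71\xaa\x47\xfa\x7c\x27\xb7\xd9\x31\xc0\x3b\x9c\xe8\x8f"
         "\x16\xaa\x44\xdd\xbb\x70\x1e\x4e\x18\xb1\x1b\x0e\xff\xcb\x45\x8c\xc2"
         "\x8a\xe8\xc5\xb0\x9e\x0c\x3a\xea\x11\x73\xff\xa4\x80\xa2\x3f\xbf\x28"
         "\x3e\x5f\x6a\x60\x50\xbf\x64\x43\x8e\x9c\x23\x68\x84\x60\x2e\x5b\xcb"
         "\xf6\x18\x11\x63\x81\x38\xad\x01\x42\xd3\x14\xd6\x71\x99\x3e\x04\x38"
         "\xa7\xd1\x7c\x4a\x9d\x6a\xc8\xc6\x2f\x91\x0c\x1c\x1e\xec\x59\x40\x14"
         "\x97\x2a\x71\xc2\xf8\x8b\x76\xb2\x3f\xc6\x07\x5b\x4b\xb5\xaa\x19",
         220);
  *(uint64_t*)0x200014f8 = 0xdc;
  // iov[4]: 104 bytes at 0x20000340
  *(uint64_t*)0x20001500 = 0x20000340;
  memcpy((void*)0x20000340,
         "\x40\x02\xfe\xa6\xfb\x38\x9c\x83\x5a\xc1\xe3\x6a\x8d\x1e\x3a\x0b\xe3"
         "\x4d\xf3\x80\x57\x50\x16\x4b\x8e\xc0\xe2\xfc\xc1\x70\xb9\xb8\xe4\xa9"
         "\x42\x6a\x29\xa7\x94\xb0\x43\xbf\x2b\x15\xc1\x5c\x56\xc9\xb6\xf7\xb3"
         "\x78\xab\xda\x23\x0a\xbe\xc8\x66\x94\xd7\x9e\xf1\x21\x44\x4d\x1b\x1a"
         "\xc4\xee\x84\xf1\x8d\xb6\xf1\xab\x8f\x57\x16\x18\xbc\x1e\x3a\xf2\x6f"
         "\x9a\xd4\xf3\x10\x63\x89\xef\x2a\x6b\xbf\x54\xad\x31\xf1\x1b\x9c\x92"
         "\x22\x7c",
         104);
  *(uint64_t*)0x20001508 = 0x68;
  // iov[5]: 214 bytes at 0x200003c0
  *(uint64_t*)0x20001510 = 0x200003c0;
  memcpy((void*)0x200003c0,
         "\xd0\x38\xd9\x07\xe0\x2d\xce\x21\x91\x49\x0f\xe7\xac\x4e\x98\x01\xec"
         "\xf6\x0c\x6b\x70\xe3\x23\x90\xab\x63\x68\x12\xe7\xdb\xae\xaf\x50\x8d"
         "\x83\x47\x36\x6f\xa3\x3d\x79\x42\xa2\x47\x3b\xff\x1a\x18\x5b\x40\x1d"
         "\x0b\xe5\x43\xe5\x8f\x60\x28\x0b\x71\x36\x64\x12\x55\x10\x5c\xef\x19"
         "\x5f\xe5\x59\xd3\x25\x9d\xdf\x9f\x19\xd3\xd5\xce\x97\x75\x30\x7f\x9a"
         "\x38\xd1\xd0\x13\x34\x41\xe4\xd1\xa8\x85\xad\x20\x63\x38\x38\x5c\x3d"
         "\xfa\xd7\x61\x2a\xd3\x09\x72\x95\x2c\xf5\xba\xfe\xc8\x6f\xcf\x96\xc9"
         "\x7d\x37\x28\x0b\x32\xc8\xac\x36\x95\x6d\x68\x3d\x68\x21\x4a\x61\x32"
         "\x85\x6b\xf4\x5e\xe3\x08\x0f\x38\x6b\xc5\xbc\xfa\xca\x86\xaf\x84\x19"
         "\x35\x37\xed\xc7\xee\xb6\x17\x63\xaf\xc6\x8c\x77\xea\x06\x86\x08\xbf"
         "\xdd\xcc\xa3\x11\xb5\xcf\x47\x5c\x62\x98\xdd\xd9\x4b\x6e\x62\xbd\xe4"
         "\xd5\x1b\xb1\x38\x92\xae\x2e\x73\x04\xa6\x9f\x1f\xf9\xed\xd4\x1d\xa4"
         "\x7d\xfc\xf2\x4a\x7c\x6b\x2b\xa3\xe6\xae",
         214);
  *(uint64_t*)0x20001518 = 0xd6;
  // iov[6]: empty {0, 0} entry
  *(uint64_t*)0x20001520 = 0;
  *(uint64_t*)0x20001528 = 0;
  syscall(SYS_writev, r[0], 0x200014c0ul, 7ul);
}

/*
 * Entry point.  Maps the 16 MiB fixed data window that execute_one() stores
 * into, forks six workers that run loop() forever, then parks the parent.
 * The original ignored the mmap result; without that mapping every store in
 * execute_one() is a wild write, so a failed mapping now exits instead.
 * NOTE(review): prot 3 is PROT_READ|PROT_WRITE; flags 0x1012 are presumably
 * MAP_FIXED|MAP_PRIVATE|MAP_ANON on the target -- confirm against its
 * <sys/mman.h>.
 */
int main(void)
{
  if (syscall(SYS_mmap, 0x20000000ul, 0x1000000ul, 3ul, 0x1012ul, -1, 0ul, 0ul) == -1)
    exit(1);
  for (procid = 0; procid < 6; procid++) {
    if (fork() == 0) {
      loop();
    }
  }
  sleep(1000000);
  return 0;
}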