// https://syzkaller.appspot.com/bug?id=cdbe3c90a4e82721cf40b1d260aa2f7905889339
// autogenerated by syzkaller (http://github.com/google/syzkaller)
//
// Reproducer for the syzkaller report linked above.  A fixed pool of worker
// threads replays four recorded system calls (mmap, netlink socket, sendmsg
// with a hand-built netlink message, openat), first one at a time and then
// with deliberately overlapping ("collide") execution.  Every buffer address
// is a literal constant inside the region mapped by call 0; the code is
// fuzzer output and makes no attempt at error handling or portability.
//
// NOTE(review): the operands of the eight #include directives below were
// lost during extraction (the angle-bracketed header names are missing).
// Restore them from the upstream syzkaller reproducer before building; the
// names used here come from pthread, futex, syscall, endian and string APIs.

#define _GNU_SOURCE
#include
#include
#include
#include
#include
#include
#include
#include

/* One worker slot.  'running' doubles as the futex word: execute() sets it
 * to 1 to hand over 'call', the worker clears it when the call returns. */
struct thread_t {
  int created, running, call;
  pthread_t th;
};

/* Fixed pool of 16 workers; execute() gives each call to the first idle one. */
static struct thread_t threads[16];
static void execute_call(int call);
/* Number of workers currently inside execute_call() (relaxed atomic counter,
 * but read with a plain load in execute(), so only a hint). */
static int running;
/* Set to 1 by loop() before its second pass: execute() then does not wait
 * for odd-numbered calls, so each runs concurrently with the one before it. */
static int collide;

/* Worker body: sleep on the futex until execute() raises th->running, run
 * the requested call, then lower the flag and wake execute()'s FUTEX_WAIT.
 * Never returns; the trailing 'return 0' only silences the compiler. */
static void* thr(void* arg)
{
  struct thread_t* th = (struct thread_t*)arg;
  for (;;) {
    /* Spurious or early wakeups are harmless: the loop re-checks the flag. */
    while (!__atomic_load_n(&th->running, __ATOMIC_ACQUIRE))
      syscall(SYS_futex, &th->running, FUTEX_WAIT, 0, 0);
    execute_call(th->call);
    __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED);
    __atomic_store_n(&th->running, 0, __ATOMIC_RELEASE);
    syscall(SYS_futex, &th->running, FUTEX_WAKE);
  }
  return 0;
}

/* Dispatch calls 0..num_calls-1, each to an idle worker.  Workers are
 * created on first use with a 128 KiB stack; pthread_create's result is
 * ignored and the attr object is never destroyed (fuzzer-generated code).
 * After waking a worker the caller waits up to 20 ms for it to finish and
 * then pauses briefly if any worker is still busy.  With 'collide' set,
 * odd-numbered calls are dispatched without that wait. */
static void execute(int num_calls)
{
  int call, thread;
  running = 0;
  for (call = 0; call < num_calls; call++) {
    /* int vs size_t comparison; harmless because 'thread' starts at 0. */
    for (thread = 0; thread < sizeof(threads) / sizeof(threads[0]); thread++) {
      struct thread_t* th = &threads[thread];
      if (!th->created) {
        th->created = 1;
        pthread_attr_t attr;
        pthread_attr_init(&attr);
        pthread_attr_setstacksize(&attr, 128 << 10);
        pthread_create(&th->th, &attr, thr, th);
      }
      if (!__atomic_load_n(&th->running, __ATOMIC_ACQUIRE)) {
        th->call = call;
        __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED);
        __atomic_store_n(&th->running, 1, __ATOMIC_RELEASE);
        syscall(SYS_futex, &th->running, FUTEX_WAKE);
        /* Collide mode: do not wait for odd calls, so they overlap. */
        if (collide && call % 2)
          break;
        struct timespec ts;
        ts.tv_sec = 0;
        ts.tv_nsec = 20 * 1000 * 1000;
        /* FUTEX_WAIT returns at once if the worker already reset the flag
         * (word != 1); otherwise it blocks until woken or the 20 ms expire. */
        syscall(SYS_futex, &th->running, FUTEX_WAIT, 1, &ts);
        /* Plain (non-atomic) read of the counter: best-effort throttle only.
         * The last call gets a longer pause (10 ms vs 1 ms). */
        if (running)
          usleep((call == num_calls - 1) ? 10000 : 1000);
        break;
      }
    }
  }
}

/* Syscall results that later calls consume: r[0] is the socket from call 1.
 * loop() fills it with -1 first, so an unset slot reads as an invalid fd. */
long r[1];

/* Run one of the four recorded calls.  The function is declared 'static'
 * above, so this definition keeps internal linkage despite omitting the
 * keyword (C11 6.2.2p5).  Case 2 writes a complete sendmsg() argument set at
 * fixed addresses inside the mapping from case 0; the offsets are consistent
 * with the x86-64 layouts of struct msghdr, sockaddr_nl, iovec and nlmsghdr
 * — confirm against the syzkaller program text in the bug report. */
void execute_call(int call)
{
  switch (call) {
  case 0:
    /* Map 0xfff000 bytes at 0x20000000.  On Linux, 3 is PROT_READ|PROT_WRITE
     * and 0x32 is MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS.  Result unchecked:
     * every later fixed-address write assumes the mapping succeeded. */
    syscall(__NR_mmap, 0x20000000, 0xfff000, 3, 0x32, -1, 0);
    break;
  case 1:
    /* On Linux: 0x10 = AF_NETLINK, 3 = SOCK_RAW, 6 = NETLINK_XFRM.
     * NOTE(review): XFRM configuration over netlink ordinarily requires
     * CAP_NET_ADMIN in the socket's network namespace — confirm when
     * assessing which callers can reach the reported crash path. */
    r[0] = syscall(__NR_socket, 0x10, 3, 6);
    break;
  case 2:
    /* struct msghdr at 0x2014f000: msg_name, msg_namelen = 12, msg_iov,
     * msg_iovlen = 1, no control data, flags 0. */
    *(uint64_t*)0x2014f000 = 0x203c7ff4;
    *(uint32_t*)0x2014f008 = 0xc;
    *(uint64_t*)0x2014f010 = 0x20bd7000;
    *(uint64_t*)0x2014f018 = 1;
    *(uint64_t*)0x2014f020 = 0;
    *(uint64_t*)0x2014f028 = 0;
    *(uint32_t*)0x2014f030 = 0;
    /* struct sockaddr_nl at 0x203c7ff4: family 0x10 (AF_NETLINK), pad 0,
     * nl_pid 0 (kernel), nl_groups 0. */
    *(uint16_t*)0x203c7ff4 = 0x10;
    *(uint16_t*)0x203c7ff6 = 0;
    *(uint32_t*)0x203c7ff8 = 0;
    *(uint32_t*)0x203c7ffc = 0;
    /* Single iovec: 0x154 bytes at 0x20c07e98. */
    *(uint64_t*)0x20bd7000 = 0x20c07e98;
    *(uint64_t*)0x20bd7008 = 0x154;
    /* struct nlmsghdr: nlmsg_len 0x154, nlmsg_type 0x10, nlmsg_flags 0x713,
     * seq 0, pid 0.  On a NETLINK_XFRM socket type 0x10 is presumably
     * XFRM_MSG_NEWSA — confirm.  The flag value is fuzzer-mutated. */
    *(uint32_t*)0x20c07e98 = 0x154;
    *(uint16_t*)0x20c07e9c = 0x10;
    *(uint16_t*)0x20c07e9e = 0x713;
    *(uint32_t*)0x20c07ea0 = 0;
    *(uint32_t*)0x20c07ea4 = 0;
    /* Message body from 0x20c07ea8: the write pattern is consistent with
     * struct xfrm_usersa_info.  Selector daddr bytes decode to fe80::aa and
     * saddr bytes to the IPv4-mapped ::ffff:172.20.0.170 (the two -1 writes
     * are the 0xff 0xff of the mapping prefix); dport is 20000 in network
     * byte order.  Treat the struct identification as an inference. */
    *(uint8_t*)0x20c07ea8 = 0xfe;
    *(uint8_t*)0x20c07ea9 = 0x80;
    *(uint8_t*)0x20c07eaa = 0;
    *(uint8_t*)0x20c07eab = 0;
    *(uint8_t*)0x20c07eac = 0;
    *(uint8_t*)0x20c07ead = 0;
    *(uint8_t*)0x20c07eae = 0;
    *(uint8_t*)0x20c07eaf = 0;
    *(uint8_t*)0x20c07eb0 = 0;
    *(uint8_t*)0x20c07eb1 = 0;
    *(uint8_t*)0x20c07eb2 = 0;
    *(uint8_t*)0x20c07eb3 = 0;
    *(uint8_t*)0x20c07eb4 = 0;
    *(uint8_t*)0x20c07eb5 = 0;
    *(uint8_t*)0x20c07eb6 = 0;
    *(uint8_t*)0x20c07eb7 = 0xaa;
    *(uint8_t*)0x20c07eb8 = 0;
    *(uint8_t*)0x20c07eb9 = 0;
    *(uint8_t*)0x20c07eba = 0;
    *(uint8_t*)0x20c07ebb = 0;
    *(uint8_t*)0x20c07ebc = 0;
    *(uint8_t*)0x20c07ebd = 0;
    *(uint8_t*)0x20c07ebe = 0;
    *(uint8_t*)0x20c07ebf = 0;
    *(uint8_t*)0x20c07ec0 = 0;
    *(uint8_t*)0x20c07ec1 = 0;
    *(uint8_t*)0x20c07ec2 = -1;
    *(uint8_t*)0x20c07ec3 = -1;
    *(uint8_t*)0x20c07ec4 = 0xac;
    *(uint8_t*)0x20c07ec5 = 0x14;
    *(uint8_t*)0x20c07ec6 = 0;
    *(uint8_t*)0x20c07ec7 = 0xaa;
    *(uint16_t*)0x20c07ec8 = htobe16(0x4e20);
    *(uint16_t*)0x20c07eca = htobe16(0);
    *(uint16_t*)0x20c07ecc = 0;
    *(uint16_t*)0x20c07ece = htobe16(0);
    *(uint16_t*)0x20c07ed0 = 0;
    *(uint8_t*)0x20c07ed2 = 0;
    *(uint8_t*)0x20c07ed3 = 0;
    *(uint8_t*)0x20c07ed4 = 0;
    *(uint32_t*)0x20c07ed8 = 0;
    *(uint32_t*)0x20c07edc = 0;
    /* Zeroed 16-byte address, then spi 0 and a protocol byte of 0x33
     * (51, which is IPPROTO_AH), then a zeroed second address. */
    *(uint8_t*)0x20c07ee0 = 0;
    *(uint8_t*)0x20c07ee1 = 0;
    *(uint8_t*)0x20c07ee2 = 0;
    *(uint8_t*)0x20c07ee3 = 0;
    *(uint8_t*)0x20c07ee4 = 0;
    *(uint8_t*)0x20c07ee5 = 0;
    *(uint8_t*)0x20c07ee6 = 0;
    *(uint8_t*)0x20c07ee7 = 0;
    *(uint8_t*)0x20c07ee8 = 0;
    *(uint8_t*)0x20c07ee9 = 0;
    *(uint8_t*)0x20c07eea = 0;
    *(uint8_t*)0x20c07eeb = 0;
    *(uint8_t*)0x20c07eec = 0;
    *(uint8_t*)0x20c07eed = 0;
    *(uint8_t*)0x20c07eee = 0;
    *(uint8_t*)0x20c07eef = 0;
    *(uint32_t*)0x20c07ef0 = 0;
    *(uint8_t*)0x20c07ef4 = 0x33;
    *(uint32_t*)0x20c07ef8 = htobe32(-1);
    /* Zeroed lifetime/statistics fields, then family 0xa (AF_INET6),
     * mode 0, replay_window 0, flags 0. */
    *(uint64_t*)0x20c07f08 = 0;
    *(uint64_t*)0x20c07f10 = 0;
    *(uint64_t*)0x20c07f18 = 0;
    *(uint64_t*)0x20c07f20 = 0;
    *(uint64_t*)0x20c07f28 = 0;
    *(uint64_t*)0x20c07f30 = 0;
    *(uint64_t*)0x20c07f38 = 0;
    *(uint64_t*)0x20c07f40 = 0;
    *(uint64_t*)0x20c07f48 = 0;
    *(uint64_t*)0x20c07f50 = 0;
    *(uint64_t*)0x20c07f58 = 0;
    *(uint64_t*)0x20c07f60 = 0;
    *(uint32_t*)0x20c07f68 = 0;
    *(uint32_t*)0x20c07f6c = 0;
    *(uint32_t*)0x20c07f70 = 0;
    *(uint32_t*)0x20c07f74 = 0;
    *(uint32_t*)0x20c07f78 = 0;
    *(uint16_t*)0x20c07f7c = 0xa;
    *(uint8_t*)0x20c07f7e = 0;
    *(uint8_t*)0x20c07f7f = 0;
    *(uint8_t*)0x20c07f80 = 0;
    /* First attribute: nla_len 0x1c, nla_type 0x17, followed by 24 bytes of
     * payload.  The 0xfffffd69 in its first word is an implausibly large
     * length-like value, typical of fuzzer mutation; input-length validation
     * on this attribute is the obvious place to look when triaging the
     * linked report — an inference, not established by this file. */
    *(uint16_t*)0x20c07f88 = 0x1c;
    *(uint16_t*)0x20c07f8a = 0x17;
    *(uint32_t*)0x20c07f8c = 0xfffffd69;
    *(uint32_t*)0x20c07f90 = 0;
    *(uint32_t*)0x20c07f94 = 0;
    *(uint32_t*)0x20c07f98 = 0;
    *(uint32_t*)0x20c07f9c = 0;
    *(uint32_t*)0x20c07fa0 = 4;
    /* Second attribute: nla_len 0x48, nla_type 1, 64-byte name field whose
     * first bytes spell "md5", then a 4-byte zero (key length).  Consistent
     * with struct xfrm_algo under XFRMA_ALG_AUTH — confirm. */
    *(uint16_t*)0x20c07fa4 = 0x48;
    *(uint16_t*)0x20c07fa6 = 1;
    memcpy((void*)0x20c07fa8,
           "\x6d\x64\x35\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
           "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
           "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
           "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00",
           64);
    *(uint32_t*)0x20c07fe8 = 0;
    /* 0x20c07fa4 + 0x48 == 0x20c07e98 + 0x154: the two attributes end
     * exactly at nlmsg_len.  Send on the netlink socket from call 1. */
    syscall(__NR_sendmsg, r[0], 0x2014f000, 0);
    break;
  case 3:
    /* openat(AT_FDCWD, "/selinux/avc/hash_stats", 0, 0): 0xffffffffffffff9c
     * is -100 (AT_FDCWD); the 24-byte copy includes the terminating NUL. */
    memcpy((void*)0x20cc7fe8, "/selinux/avc/hash_stats", 24);
    syscall(__NR_openat, 0xffffffffffffff9c, 0x20cc7fe8, 0, 0);
    break;
  }
}

/* Two passes over the four calls: serial first, then with 'collide' set so
 * odd-numbered calls overlap their predecessor.  r[] is reset to -1 so an
 * unrecorded result is an invalid fd rather than 0 (stdin). */
void loop()
{
  memset(r, -1, sizeof(r));
  execute(4);
  collide = 1;
  execute(4);
}

/* Entry point: runs the reproduction once and exits. */
int main()
{
  loop();
  return 0;
}