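// https://syzkaller.appspot.com/bug?id=b428dffd6b64e8b746e20fc6fd028eca9577e215
// autogenerated by syzkaller (https://github.com/google/syzkaller)
//
// Reviewer notes (not part of the generated program):
//  * This is a kernel crash reproducer, not an application. It never exits on
//    its own (main() ends in sleep(1000000)), creates a device node with
//    mknod (so it needs root), maps a fixed address range and forks six worker
//    processes that each re-run the syscall sequence in a fresh child every
//    5 s. Run it only inside a disposable VM.
//  * The fallback syscall numbers below (mknod=450, mmap=197 taking a pad
//    argument, open=5, pwritev=290) look like a BSD table rather than Linux.
//    On any other OS the #ifndef guards pick up the host's <sys/syscall.h>
//    values instead, so the program compiles but does not exercise the same
//    kernel path.
//  * The page this was taken from had every include reduced to a bare
//    "#include" by extraction; the header list is restored here from the
//    names the code actually uses.
//  * The syscall arguments and payload bytes are reproduced byte-for-byte.
//    Only the harness (includes, documentation, the reap loop in
//    kill_and_wait) was touched.
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif

#include <errno.h>
#include <signal.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

#ifndef SYS_mknod
#define SYS_mknod 450
#endif
#ifndef SYS_mmap
#define SYS_mmap 197
#endif
#ifndef SYS_open
#define SYS_open 5
#endif
#ifndef SYS_pwritev
#define SYS_pwritev 290
#endif

// Index of the worker process (0..5); only used as a fork loop counter here.
static unsigned long long procid;

// Kill the timed-out child and reap it.
// Returns once the child identified by pid has been collected. Unlike the
// generated original, the loop also stops when waitpid fails for a reason
// other than EINTR (e.g. ECHILD) so it cannot spin forever.
static void kill_and_wait(int pid, int* status)
{
  kill(pid, SIGKILL);
  for (;;) {
    int reaped = waitpid(-1, status, 0);
    if (reaped == pid)
      break;
    if (reaped == -1 && errno != EINTR)
      break;
  }
}

// Sleep for ms milliseconds (busy-poll granularity of the watchdog loop).
static void sleep_ms(uint64_t ms)
{
  usleep(ms * 1000);
}

// Monotonic wall-clock in milliseconds; exits the process if the clock is
// unavailable, since the watchdog timeout cannot be measured without it.
static uint64_t current_time_ms(void)
{
  struct timespec ts;
  if (clock_gettime(CLOCK_MONOTONIC, &ts))
    exit(1);
  return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}

static void execute_one(void);

#define WAIT_FLAGS 0

// Worker body: forever, fork a child that runs the syscall program once,
// give it 5 s, then SIGKILL it if it has not exited. Never returns.
static void loop(void)
{
  int iter = 0;
  for (;; iter++) {
    int pid = fork();
    if (pid < 0)
      exit(1);
    if (pid == 0) {
      execute_one();
      exit(0);
    }
    int status = 0;
    uint64_t start = current_time_ms();
    for (;;) {
      if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
        break;
      sleep_ms(1);
      if (current_time_ms() - start < 5000)
        continue;
      kill_and_wait(pid, &status);
      break;
    }
  }
}

// Result slot for the one syscall whose return value is reused (the open()
// file descriptor). -1 until open succeeds.
uint64_t r[1] = {0xffffffffffffffff};

// The reproducer proper. All pointers are into the fixed mapping at
// 0x20000000 created by main(); if that mmap failed, every store below faults.
static void execute_one(void)
{
  intptr_t res = 0;

  // mknod("./file0", 0x2000, 0x200): mode 0x2000 is S_IFCHR with no permission
  // bits, i.e. a character device node with dev number 0x200.
  memcpy((void*)0x20000280, "./file0\000", 8);
  syscall(SYS_mknod, /*file=*/0x20000280ul, /*mode=*/0x2000ul, /*dev=*/0x200ul);

  // open("./file0", 0x40000400000002c2, 0). The high bits of the flags word
  // are outside any conventional O_* range; whether the kernel masks or
  // rejects them is not visible here. A successful fd is kept in r[0].
  memcpy((void*)0x20000840, "./file0\000", 8);
  res = syscall(SYS_open, /*file=*/0x20000840ul,
                /*flags=*/0x40000400000002c2ul, /*mode=*/0ul);
  if (res != -1)
    r[0] = res;

  // Three struct iovec entries (16 bytes each) at 0x20000180:
  //   iov[0] = { base = NULL,       len = 0 }
  //   iov[1] = { base = 0x20000000, len = 0xffffffa2 }  -- ~4 GiB, far past
  //            the 16 MiB mapping; only its first byte is initialised.
  //   iov[2] = { base = 0x20000040, len = 0xe1 }        -- 225 of the 267
  //            payload bytes copied below.
  // The lengths sum to 0x100000083, i.e. past 2^32, which looks like a probe
  // of the kernel's total-length accounting for pwritev (TODO confirm against
  // the syzkaller bug report).
  *(uint64_t*)0x20000180 = 0;
  *(uint64_t*)0x20000188 = 0;
  *(uint64_t*)0x20000190 = 0x20000000;
  memset((void*)0x20000000, 205, 1);
  *(uint64_t*)0x20000198 = 0xffffffa2;
  *(uint64_t*)0x200001a0 = 0x20000040;
  memcpy(
      (void*)0x20000040,
      "\x9c\xc0\x09\xa8\x7e\x77\x7e\x9a\xc8\x11\x1f\x8f\x5b\x94\x8b\xb4\x38\xf7"
      "\x16\x04\x10\xb3\x37\x78\xa3\xac\x49\x1c\xc3\x75\x59\xda\x1a\x3d\xbc\xb8"
      "\xe2\xea\x55\x0d\xcc\xc6\x6b\x5e\x72\x0a\x86\x21\xe2\x93\x1a\xbd\xfd\xcd"
      "\x96\x9b\x10\x67\x67\xcf\x1b\x2c\xa8\x38\x15\xf1\x52\x4a\x05\x19\xe2\xcc"
      "\xa7\x02\xe2\x41\x54\x55\x67\xfd\xd8\x00\xb9\x01\x6c\xd6\xc2\xa1\xb5\x25"
      "\xad\xac\x66\xa0\x8a\xf7\x8d\x46\xd1\xd8\x00\xbf\xb8\xe6\xaa\x63\xc4\x5e"
      "\x0a\xd3\x65\xb4\xa0\x8a\x06\xd2\x68\xe1\xc7\xb1\x26\xfa\xb9\x73\x42\x8d"
      "\x1d\x12\xaf\x6f\x32\x4d\xd3\x22\x48\xa1\xdb\x6e\x26\xdd\x4f\x12\xa4\xf9"
      "\xde\x39\xde\xc3\x9b\xa8\x0a\x30\x32\x28\xce\x1f\xd5\x0f\xe7\x39\x1e\xeb"
      "\xfb\x32\x7a\xb4\x93\x10\x82\xd4\x1b\x4d\xd6\x4c\x01\x88\xbd\x94\x8d\xb5"
      "\x8e\x31\x28\x32\xe2\x70\x01\x8d\xb5\x78\x85\x15\xdb\xba\x51\xfd\x33\xca"
      "\xef\x5a\x5c\xb3\x1e\xf2\x3d\x07\x4c\x29\xa0\x57\x36\x45\x1e\x96\x3a\x9e"
      "\xf0\xf6\xdf\x39\x7d\xf6\x79\x3e\x4f\xb2\x7f\x2c\x9b\x3d\x81\x04\x6a\x43"
      "\xcb\x8c\xfb\x35\x76\x0f\xb0\x42\xb9\x16\xed\x04\x50\x45\xc2\x08\x12\xe0"
      "\x47\xb7\x5b\x3d\x2a\x6e\xc8\x00\x80\x00\x00\x00\x00\x00\x00",
      267);
  *(uint64_t*)0x200001a8 = 0xe1;

  // pwritev(fd, iov, 3, 8) on the device node opened above. If open failed,
  // r[0] is still -1 and the call is expected to fail with EBADF.
  syscall(SYS_pwritev, /*fd=*/r[0], /*vec=*/0x20000180ul, /*vlen=*/3ul,
          /*off=*/8ul);
}

// Entry point: set up the fixed scratch mapping, spawn six workers, then
// park forever. The mmap result is deliberately unchecked (generated code);
// prot 3 is PROT_READ|PROT_WRITE, and 0x1012 decodes to
// MAP_ANON|MAP_FIXED|MAP_PRIVATE on the BSDs (on Linux MAP_ANONYMOUS is a
// different bit, so this call is not portable). The trailing pad argument
// matches the old BSD mmap ABI selected by the SYS_mmap fallback above.
int main(void)
{
  syscall(SYS_mmap, /*addr=*/0x20000000ul, /*len=*/0x1000000ul, /*prot=*/3ul,
          /*flags=*/0x1012ul, /*fd=*/-1, /*pad=*/0ul, /*offset=*/0ul);
  for (procid = 0; procid < 6; procid++) {
    // fork() == -1 is silently skipped; the parent just spawns fewer workers.
    if (fork() == 0) {
      loop();
    }
  }
  sleep(1000000);
  return 0;
}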