// https://syzkaller.appspot.com/bug?id=8234a9dfd3aafbf092cc5a7cd9842e3ebc45fc42 // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #ifndef __NR_io_uring_setup #define __NR_io_uring_setup 425 #endif #ifndef __NR_memfd_secret #define __NR_memfd_secret 447 #endif static __thread int clone_ongoing; static __thread int skip_segv; static __thread jmp_buf segv_env; static void segv_handler(int sig, siginfo_t* info, void* ctx) { if (__atomic_load_n(&clone_ongoing, __ATOMIC_RELAXED) != 0) { exit(sig); } uintptr_t addr = (uintptr_t)info->si_addr; const uintptr_t prog_start = 1 << 20; const uintptr_t prog_end = 100 << 20; int skip = __atomic_load_n(&skip_segv, __ATOMIC_RELAXED) != 0; int valid = addr < prog_start || addr > prog_end; if (skip && valid) { _longjmp(segv_env, 1); } exit(sig); } static void install_segv_handler(void) { struct sigaction sa; memset(&sa, 0, sizeof(sa)); sa.sa_handler = SIG_IGN; syscall(SYS_rt_sigaction, 0x20, &sa, NULL, 8); syscall(SYS_rt_sigaction, 0x21, &sa, NULL, 8); memset(&sa, 0, sizeof(sa)); sa.sa_sigaction = segv_handler; sa.sa_flags = SA_NODEFER | SA_SIGINFO; sigaction(SIGSEGV, &sa, NULL); sigaction(SIGBUS, &sa, NULL); } #define NONFAILING(...) \ ({ \ int ok = 1; \ __atomic_fetch_add(&skip_segv, 1, __ATOMIC_SEQ_CST); \ if (_setjmp(segv_env) == 0) { \ __VA_ARGS__; \ } else \ ok = 0; \ __atomic_fetch_sub(&skip_segv, 1, __ATOMIC_SEQ_CST); \ ok; \ }) #define SIZEOF_IO_URING_SQE 64 #define SIZEOF_IO_URING_CQE 16 #define SQ_HEAD_OFFSET 0 #define SQ_TAIL_OFFSET 64 #define SQ_RING_MASK_OFFSET 256 #define SQ_RING_ENTRIES_OFFSET 264 #define SQ_FLAGS_OFFSET 276 #define SQ_DROPPED_OFFSET 272 #define CQ_HEAD_OFFSET 128 #define CQ_TAIL_OFFSET 192 #define CQ_RING_MASK_OFFSET 260 #define CQ_RING_ENTRIES_OFFSET 268 #define CQ_RING_OVERFLOW_OFFSET 284 #define CQ_FLAGS_OFFSET 280 #define CQ_CQES_OFFSET 320 struct io_sqring_offsets { uint32_t head; uint32_t tail; uint32_t ring_mask; uint32_t ring_entries; uint32_t flags; uint32_t dropped; uint32_t array; uint32_t resv1; uint64_t resv2; }; struct io_cqring_offsets { uint32_t head; uint32_t tail; uint32_t ring_mask; uint32_t ring_entries; uint32_t overflow; uint32_t cqes; uint64_t resv[2]; }; struct io_uring_params { uint32_t sq_entries; uint32_t cq_entries; uint32_t flags; uint32_t sq_thread_cpu; uint32_t sq_thread_idle; uint32_t features; uint32_t resv[4]; struct io_sqring_offsets sq_off; struct io_cqring_offsets cq_off; }; #define IORING_OFF_SQ_RING 0 #define IORING_OFF_SQES 0x10000000ULL static long syz_io_uring_setup(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4, volatile long a5) { uint32_t entries = (uint32_t)a0; struct io_uring_params* setup_params = (struct io_uring_params*)a1; void* vma1 = (void*)a2; void* vma2 = (void*)a3; void** ring_ptr_out = (void**)a4; void** sqes_ptr_out = (void**)a5; uint32_t fd_io_uring = syscall(__NR_io_uring_setup, entries, setup_params); uint32_t sq_ring_sz = setup_params->sq_off.array + setup_params->sq_entries * sizeof(uint32_t); uint32_t cq_ring_sz = setup_params->cq_off.cqes + setup_params->cq_entries * SIZEOF_IO_URING_CQE; uint32_t ring_sz = sq_ring_sz > cq_ring_sz ? sq_ring_sz : cq_ring_sz; *ring_ptr_out = mmap(vma1, ring_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE | MAP_FIXED, fd_io_uring, IORING_OFF_SQ_RING); uint32_t sqes_sz = setup_params->sq_entries * SIZEOF_IO_URING_SQE; *sqes_ptr_out = mmap(vma2, sqes_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE | MAP_FIXED, fd_io_uring, IORING_OFF_SQES); return fd_io_uring; } static long syz_io_uring_submit(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { char* ring_ptr = (char*)a0; char* sqes_ptr = (char*)a1; char* sqe = (char*)a2; uint32_t sqes_index = (uint32_t)a3; uint32_t sq_ring_entries = *(uint32_t*)(ring_ptr + SQ_RING_ENTRIES_OFFSET); uint32_t cq_ring_entries = *(uint32_t*)(ring_ptr + CQ_RING_ENTRIES_OFFSET); uint32_t sq_array_off = (CQ_CQES_OFFSET + cq_ring_entries * SIZEOF_IO_URING_CQE + 63) & ~63; if (sq_ring_entries) sqes_index %= sq_ring_entries; char* sqe_dest = sqes_ptr + sqes_index * SIZEOF_IO_URING_SQE; memcpy(sqe_dest, sqe, SIZEOF_IO_URING_SQE); uint32_t sq_ring_mask = *(uint32_t*)(ring_ptr + SQ_RING_MASK_OFFSET); uint32_t* sq_tail_ptr = (uint32_t*)(ring_ptr + SQ_TAIL_OFFSET); uint32_t sq_tail = *sq_tail_ptr & sq_ring_mask; uint32_t sq_tail_next = *sq_tail_ptr + 1; uint32_t* sq_array = (uint32_t*)(ring_ptr + sq_array_off); *(sq_array + sq_tail) = sqes_index; __atomic_store_n(sq_tail_ptr, sq_tail_next, __ATOMIC_RELEASE); return 0; } uint64_t r[5] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff}; int main(void) { syscall(__NR_mmap, 0x1ffff000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul); syscall(__NR_mmap, 0x20000000ul, 0x1000000ul, 7ul, 0x32ul, -1, 0ul); syscall(__NR_mmap, 0x21000000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul); install_segv_handler(); intptr_t res = 0; NONFAILING(*(uint32_t*)0x20000244 = 0); NONFAILING(*(uint32_t*)0x20000248 = 0); NONFAILING(*(uint32_t*)0x2000024c = 0); NONFAILING(*(uint32_t*)0x20000250 = 0); NONFAILING(*(uint32_t*)0x20000258 = -1); NONFAILING(memset((void*)0x2000025c, 0, 12)); NONFAILING( syz_io_uring_setup(0x66f2, 0x20000240, 0x202a2000, 0x200bf000, 0, 0)); NONFAILING(*(uint32_t*)0x200001c4 = 0); NONFAILING(*(uint32_t*)0x200001c8 = 0); NONFAILING(*(uint32_t*)0x200001cc = 0); NONFAILING(*(uint32_t*)0x200001d0 = 0); NONFAILING(*(uint32_t*)0x200001d8 = -1); NONFAILING(memset((void*)0x200001dc, 0, 12)); NONFAILING( syz_io_uring_setup(0x18eb, 0x200001c0, 0x20acc000, 0x2046d000, 0, 0)); NONFAILING(memcpy((void*)0x20000100, "/dev/video2\000", 12)); syscall(__NR_openat, 0xffffffffffffff9cul, 0x20000100ul, 2ul, 0ul); NONFAILING(*(uint8_t*)0x20000000 = 0x16); NONFAILING(*(uint8_t*)0x20000001 = 0); NONFAILING(*(uint16_t*)0x20000002 = 0); NONFAILING(*(uint32_t*)0x20000004 = 0); NONFAILING(*(uint64_t*)0x20000008 = 0); NONFAILING(*(uint64_t*)0x20000010 = 0x20000040); NONFAILING(*(uint32_t*)0x20000018 = 0x12); NONFAILING(*(uint32_t*)0x2000001c = 0); NONFAILING(*(uint64_t*)0x20000020 = 0); NONFAILING(*(uint16_t*)0x20000028 = 0); NONFAILING(*(uint16_t*)0x2000002a = 0); NONFAILING(memset((void*)0x2000002c, 0, 20)); NONFAILING(syz_io_uring_submit(0, 0, 0x20000000, 0)); NONFAILING(*(uint64_t*)0x200047c0 = 0); NONFAILING(*(uint32_t*)0x200047c8 = 0); NONFAILING(*(uint64_t*)0x200047d0 = 0x20000000); NONFAILING(*(uint64_t*)0x20000000 = 0); NONFAILING(*(uint64_t*)0x20000008 = 0xfffffffffffffd85); NONFAILING(*(uint64_t*)0x200047d8 = 1); NONFAILING(*(uint64_t*)0x200047e0 = 0); NONFAILING(*(uint64_t*)0x200047e8 = 0); NONFAILING(*(uint32_t*)0x200047f0 = 0); syscall(__NR_sendmsg, -1, 0x200047c0ul, 0ul); syscall(__NR_memfd_secret, 0ul); res = syscall(__NR_socket, 0x10ul, 3ul, 0); if (res != -1) r[0] = res; NONFAILING(memcpy((void*)0x20000180, "/dev/kvm\000", 9)); res = syscall(__NR_openat, 0xffffffffffffff9cul, 0x20000180ul, 0ul, 0ul); if (res != -1) r[1] = res; res = syscall(__NR_ioctl, r[1], 0xae01, 0ul); if (res != -1) r[2] = res; NONFAILING(memcpy((void*)0x20000040, "memory.current\000", 15)); res = syscall(__NR_openat, 0xffffff9c, 0x20000040ul, 0x275aul, 0ul); if (res != -1) r[3] = res; NONFAILING(*(uint32_t*)0x20000000 = r[0]); syscall(__NR_write, r[3], 0x20000000ul, 0x208e24bul); syscall(__NR_mmap, 0x20000000ul, 0xb36000ul, 2ul, 0x28011ul, r[3], 0ul); NONFAILING(*(uint64_t*)0x200015c0 = 0x20000080); NONFAILING(*(uint64_t*)0x200015c8 = 0xffffffff000); syscall(__NR_preadv, r[3], 0x200015c0ul, 5ul, 0, 0); res = syscall(__NR_ioctl, r[2], 0xae41, 0ul); if (res != -1) r[4] = res; syscall(__NR_ioctl, r[4], 0x4048aecb, 0x20003680ul); syscall(__NR_ioctl, r[4], 0x4048aecb, 0x20003680ul); return 0; }