// https://syzkaller.appspot.com/bug?id=edc4bdcf9437492a8287e70f7c3c4231511fe690 // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #ifndef SYS_mknod #define SYS_mknod 450 #endif #ifndef SYS_mmap #define SYS_mmap 197 #endif #ifndef SYS_open #define SYS_open 5 #endif #ifndef SYS_pwritev #define SYS_pwritev 290 #endif static unsigned long long procid; static void kill_and_wait(int pid, int* status) { kill(pid, SIGKILL); while (waitpid(-1, status, 0) != pid) { } } static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void execute_one(void); #define WAIT_FLAGS 0 static void loop(void) { int iter = 0; for (;; iter++) { int pid = fork(); if (pid < 0) exit(1); if (pid == 0) { execute_one(); exit(0); } int status = 0; uint64_t start = current_time_ms(); for (;;) { if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) break; sleep_ms(1); if (current_time_ms() - start < 5000) continue; kill_and_wait(pid, &status); break; } } } uint64_t r[1] = {0xffffffffffffffff}; void execute_one(void) { intptr_t res = 0; memcpy((void*)0x20001200, "./file0\000", 8); syscall(SYS_mknod, /*file=*/0x20001200ul, /*mode=*/0x2000ul, /*dev=*/0x400ul); memcpy((void*)0x20000000, "./file0\000", 8); res = syscall(SYS_open, /*file=*/0x20000000ul, /*flags=*/2ul, /*mode=*/0ul); if (res != -1) r[0] = res; *(uint64_t*)0x20000240 = 0x200000c0; memcpy( (void*)0x200000c0, "\x46\x50\x88\xb2\x88\x79\xb8\xb2\x77\xeb\x25\xe5\xe4\x5a\x61\x4b\x5f\x88" "\x09\x70\xc2\x24\xf9\x6b\x5c\xb5\x5d\xe5\x49\x78\x39\xe7\x51\xa0\xed\xe6" "\xfc\xc6\x56\x3c\x63\xa9\x9b\x3c\x36\xc0\x71\x46\x08\xb6\xa2\xf1\x99\x4c" "\xc0\x81\x80\x4b\x9c\x82\xd4\x5c\xec\xea\x93\xf9\x5c\x49\xc4\x19\xf2\x6e" "\xcc\x45\x17\x72\x86\x41\xa3\xc3\xb5\x68\x20\x68\x70\x8c\xc5\x53\xd3\x7a" "\xa0\x04\x33\xf3\xaa\x01\x76\x0c\x27\xae\x53\x10\xb3\xf5\x9e\x80\xb9\x23" "\x74\x30\x08\x4b\x34\xd3\x1a\x84\x2d\xae\x64\xe3\x9d\xe5\x37\x38\x03\x7a" "\xdb\x1b\xcd\x8a\xad\x3e\x05\xcd\x42\xd5\xe1\x02\x46\x7f\xb9\x44\x07\xd3" "\x8e\xaa\x8f\x86\x7f\x74\xf6\x11\x16\x4d\xc2\x89\xc4\x5f\xed\xff\xe7\x94" "\xb1\x97\xdf\x68\x72\x3c\x4c\x1b\x53\x10\xba\x44\x4a\xeb\xf3\x70\x34\x9d" "\x45\x39\xd5\xe7\x63\x32\xe9\x9a\x06\x20\x8b\x90\x2a\x56\xff\xc8\x14\xde" "\x53\xfc\x20\xb2\xa3\x5e\x4b\x60\x14\xb7\x9f\x3a\x92", 211); *(uint64_t*)0x20000248 = 0xd3; *(uint64_t*)0x20000250 = 0x200001c0; memcpy((void*)0x200001c0, "\x7d\xd2\x08\xba\x92\x56\x3b\x09\x11\x54\xc9\x7e\x5d\x15\xea\xe7\x12" "\x5c\xca\xa5\x88\xa7\xd6\xf1\x37\x03\x24\x8d\x4e\x20\x2e\x78", 32); *(uint64_t*)0x20000258 = 0x20; *(uint64_t*)0x20000260 = 0; *(uint64_t*)0x20000268 = 0; syscall(SYS_pwritev, /*fd=*/r[0], /*vec=*/0x20000240ul, /*vlen=*/3ul, /*off=*/0ul); } int main(void) { syscall(SYS_mmap, /*addr=*/0x20000000ul, /*len=*/0x1000000ul, /*prot=*/3ul, /*flags=*/0x1012ul, /*fd=*/-1, /*pad=*/0ul, /*offset=*/0ul); for (procid = 0; procid < 6; procid++) { if (fork() == 0) { loop(); } } sleep(1000000); return 0; }