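// https://syzkaller.appspot.com/bug?id=957dfa1fd66e4d0de51ed7e3d1f814589e07e2b1
// autogenerated by syzkaller (https://github.com/google/syzkaller)
//
// Kernel crash reproducer.  main() maps a fixed scratch region, forks a
// handful of workers, and each worker runs execute_one() in a fresh child
// over and over under a 5 s watchdog.  execute_one() itself is a single
// socket() followed by one writev() of a fixed, fuzzer-found payload.
// Its only use is confirming that the bug on the linked page is fixed.
//
// NOTE(review): the header names were lost when this page was extracted
// (the original had 14 bare "#include" lines).  The list below is
// reconstructed from the identifiers the code actually uses; the original
// may have pulled in more headers than these.
#define _GNU_SOURCE
#include <sys/types.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <signal.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <unistd.h>

/* Worker index; only used as the loop counter in main(). */
static unsigned long long procid;

/*
 * Forcibly terminate child `pid` and reap it.
 *
 * waitpid(-1) reaps *any* child, so the exit status of an unrelated child
 * collected on the way is overwritten; only the target's status is left in
 * *status when this returns.  Spins without sleeping, which is acceptable
 * because SIGKILL cannot be caught and the child goes away promptly.
 */
static void kill_and_wait(int pid, int *status)
{
  kill(pid, SIGKILL);
  while (waitpid(-1, status, 0) != pid) {
  }
}

/* Sleep for `ms` milliseconds (no retry on EINTR; short naps only). */
static void sleep_ms(uint64_t ms)
{
  usleep(ms * 1000);
}

/*
 * Monotonic wall clock in milliseconds.  Exits the process if the clock is
 * unavailable: the watchdog in loop() cannot work without it.
 */
static uint64_t current_time_ms(void)
{
  struct timespec ts;
  if (clock_gettime(CLOCK_MONOTONIC, &ts))
    exit(1);
  return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}

static void execute_one(void);

/* Extra flags for the non-blocking waitpid() poll in loop(); none here. */
#define WAIT_FLAGS 0

/* Budget a single execute_one() child gets before it is SIGKILLed. */
enum { EXEC_TIMEOUT_MS = 5 * 1000 };

/*
 * Worker body: fork a child per iteration, run execute_one() in it, and
 * poll for its exit.  A child that is still alive after EXEC_TIMEOUT_MS
 * (e.g. blocked inside the kernel) is killed and reaped so the worker keeps
 * hammering the same sequence.  Never returns; fork() failure ends the
 * worker.
 */
static void loop(void)
{
  int iter;
  for (iter = 0;; iter++) {
    int pid = fork();
    if (pid < 0)
      exit(1);
    if (pid == 0) {
      execute_one();
      exit(0);
    }
    int status = 0;
    uint64_t start = current_time_ms();
    for (;;) {
      // waitpid(-1) also reaps stray grandchildren; only our pid ends the wait.
      if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
        break;
      sleep_ms(1);
      if (current_time_ms() - start < EXEC_TIMEOUT_MS)
        continue;
      kill_and_wait(pid, &status);
      break;
    }
  }
}

// Fallback syscall numbers for when <sys/syscall.h> does not define them.
// NOTE(review): these are not the Linux x86-64 numbers; together with the
// seven-argument mmap in main() they look like a BSD syscall table.  Build
// and run this only against the kernel named on the bug page.
#ifndef SYS_mmap
#define SYS_mmap 197
#endif
#ifndef SYS_socket
#define SYS_socket 394
#endif
#ifndef SYS_writev
#define SYS_writev 121
#endif

/*
 * Resources produced by earlier syscalls and consumed by later ones.
 * r[0] holds the socket fd; it starts at -1 so that, if socket() fails,
 * the writev() below is issued on an invalid fd and simply errors out
 * instead of touching an unrelated descriptor.
 */
uint64_t r[1] = {0xffffffffffffffff};

/*
 * The syscall sequence syzkaller minimised the crash to:
 *
 *   1. fd = socket(0x22, 3, 0)   -- numeric domain/type as emitted by the
 *      fuzzer; their symbolic names depend on the target OS's <sys/socket.h>.
 *   2. writev(fd, iov, 6) with a six-entry iovec array built by hand at
 *      0x20019600 (inside the region main() mapped).
 *
 * The stores below assume an LP64 struct iovec of {base, len}, 16 bytes
 * per entry:
 *   iov[0] = {0x20019300, 0x1ef}   495-byte payload
 *   iov[1..3] = {NULL, 0}
 *   iov[4] = {0x20000100, 0x9a}    154-byte payload
 *   iov[5] = {0x20019500, 0xd9}    217-byte payload
 * Each length matches the corresponding memcpy() byte count exactly.
 * All raw addresses are only valid because main() established the fixed
 * mapping first.
 */
static void execute_one(void)
{
  intptr_t res = 0;
  res = syscall(SYS_socket, 0x22ul, 3ul, 0);
  if (res != -1)
    r[0] = res;
  // iov[0]
  *(uint64_t *)0x20019600 = 0x20019300;
  memcpy(
      (void *)0x20019300,
      "\x8c\x4b\xb6\xce\xb3\xe4\xdc\x10\x16\x01\x14\xd1\x18\xac\xeb\x06\xde\xed"
      "\xbc\xad\xaa\xcb\x41\xd6\x1e\x45\xd9\xaa\x95\xac\x33\x12\x51\x2c\xce\x10"
      "\x2a\xef\x9a\x6c\x23\x15\x25\x60\x16\x74\x2b\xc2\x5c\x0e\xde\x41\x32\x04"
      "\xf5\xd1\x1e\xca\x16\x6c\x5d\xb8\xfa\x3e\xe6\x8d\xc9\xd0\x96\x91\x24\xa6"
      "\xe3\x5f\x21\x8a\x70\x31\xd8\x0a\xd2\x32\x90\xfa\xb6\x84\x65\x11\x58\x00"
      "\x4f\x2b\xa3\x57\x8a\x95\x09\x92\xa3\x0f\x73\xe1\x6f\x7f\x78\x9c\x52\x74"
      "\xd1\xe8\x73\x9a\xb9\xae\xdc\x6f\xc2\x16\x63\x38\x62\x4e\x96\xe0\x8d\x85"
      "\x50\x0a\x27\xc1\x5e\x34\x1e\x00\x08\x00\x00\x66\x43\xe5\x0c\xa5\x29\xf7"
      "\x7c\xe9\x15\x79\xce\xc9\x7b\x07\xf2\xcb\x64\x24\x8a\xad\x8b\x65\x9e\x9f"
      "\x45\xc6\x8b\x60\x1e\x41\xda\x86\xad\x76\xd4\xda\xfd\xbe\xe1\x82\xab\xf3"
      "\xbd\xd2\x21\x0e\x00\x00\x00\x00\x00\x00\xa9\x01\xec\xf5\x5f\x00\xe2\xa9"
      "\xb3\xad\x37\x80\x32\xfe\x22\x3b\x36\x55\x45\x5b\x4d\x39\x57\x71\x41\x3b"
      "\xb4\xc5\x9c\x33\xf3\xe7\xe2\x1b\xbd\xdd\x4b\x9b\xd8\x85\xa7\x82\x79\xb8"
      "\x1d\x2e\x6f\xd7\x63\x24\x5e\x86\x6b\xc0\x8a\xe5\xca\x6e\xd5\xf4\x07\xc0"
      "\xd3\x0b\x7a\x0d\x18\xa7\xf1\x6d\xad\xc8\x41\xdf\xbe\x45\x14\xd8\x6f\xc8"
      "\x68\x72\xe5\xa0\x7e\x29\x7a\x5b\x2b\x00\x41\x04\x0f\x86\x61\x1f\x7b\x02"
      "\x42\x2d\x3b\x3f\xff\x19\xab\x39\x47\x9c\x82\xa0\xc7\xfe\x36\x64\xc3\xbe"
      "\xfe\x02\x21\xf1\x1c\x0c\xaf\x0d\x2c\xe3\xcd\x1a\x02\x6b\xa6\x66\x67\x95"
      "\xf8\xe7\x04\x1d\x4a\xe3\xd2\xcd\xe9\x41\x7e\x13\xc5\x92\x0b\x0e\x73\xf8"
      "\xc5\xf9\x3c\xd8\x6a\x84\x69\x0c\x39\x60\x9d\xa3\x62\x74\x50\x36\xa6\xb2"
      "\xa0\xc1\xe2\x1c\x6e\x84\xce\x5e\x37\xfd\x6e\x52\xd7\x62\xac\x19\x9b\xa5"
      "\x0a\xb6\xa0\x69\x62\x1f\x0b\xd3\x4e\x3b\x20\x85\x43\x5e\x0c\x79\x05\xcd"
      "\x89\xf1\x96\x9e\x65\xb3\x00\x0d\x53\x2f\x8b\xf2\xa3\x4a\xaf\x78\x65\x08"
      "\xf0\x7e\x96\xac\x33\x04\x47\x6e\x89\x58\xb1\xb6\x78\xcb\x77\xc8\x90\xfc"
      "\x2f\xa1\x4e\x71\xe8\xa3\xb6\x2e\x1d\x77\xde\xd8\x6e\x0f\x5d\x28\xb6\x8a"
      "\x85\xc5\x71\x23\x57\x95\xdf\x14\xd7\xfd\xe7\x3d\xf2\x49\x28\xc8\x6b\xa3"
      "\xd0\xdf\x7c\x7e\x5e\xdd\xb1\x72\x51\x9f\x5d\xf7\x62\x70\x02\xc0\xac\x82"
      "\x3a\x7b\x6d\x9b\x6a\x9c\x67\xa6\x59",
      495);
  *(uint64_t *)0x20019608 = 0x1ef;
  // iov[1..3]: empty entries
  *(uint64_t *)0x20019610 = 0;
  *(uint64_t *)0x20019618 = 0;
  *(uint64_t *)0x20019620 = 0;
  *(uint64_t *)0x20019628 = 0;
  *(uint64_t *)0x20019630 = 0;
  *(uint64_t *)0x20019638 = 0;
  // iov[4]
  *(uint64_t *)0x20019640 = 0x20000100;
  memcpy((void *)0x20000100,
         "\xc1\xf2\x2e\x91\x8e\xe3\xdb\x82\xc3\x86\x9c\xe7\xcc\xd5\xc1\x17\x75"
         "\xa9\x1f\x90\x69\xd9\x9d\xc5\x0a\xbb\xc8\xe2\x7a\xe9\x5f\x14\x96\xe9"
         "\x8b\x19\xa1\x14\x46\xe1\x2d\xc5\x31\x2e\xf0\x26\x47\x19\x20\xc7\x40"
         "\x5b\xda\xc4\x51\x84\x3e\x75\xd6\xd1\xfb\x1f\xe5\x8e\x5f\x55\x27\x31"
         "\x01\xbf\xa5\xfc\x8a\x73\x2b\xf0\x98\x2c\xb7\x3e\xa8\x72\x95\x96\xa3"
         "\x16\x0c\xc8\x26\x12\x59\x98\xb1\xc1\xb4\x18\x4e\x95\x80\x62\x4b\xe3"
         "\xaf\xfd\xd5\xd0\x51\xc7\xb6\x03\x54\xb7\xdf\x53\x68\x6b\xef\x94\x97"
         "\x59\x63\x99\xd7\x16\x4d\xcf\xdf\x40\xd5\x13\x8e\x71\xe5\xde\x00\x5a"
         "\x22\x1d\x03\xdf\xd3\x66\xbd\xa5\x64\x26\x06\x2b\xf6\x10\x48\x72\x2f"
         "\xbc",
         154);
  *(uint64_t *)0x20019648 = 0x9a;
  // iov[5]
  *(uint64_t *)0x20019650 = 0x20019500;
  memcpy((void *)0x20019500,
         "\x51\x2a\x90\x66\x94\xb8\x53\xfc\xec\x2f\x38\x2d\xe9\x9c\x3a\x8e\x9e"
         "\x94\x78\x5a\xe8\xe4\xde\x59\xbc\xbf\x6e\x04\xb6\x54\x68\xf8\xa7\x82"
         "\xbc\x31\xca\x30\x04\x90\x56\xce\xe8\xb0\x8d\x7e\xe9\x5a\x5c\x75\xa6"
         "\x33\xa2\x86\xfc\x22\xda\xdb\xde\xfb\x04\x92\x82\xa2\x7a\xc8\x7e\x20"
         "\xa1\xa0\x3e\xe1\x73\x96\x46\xda\x18\xec\xe9\x9d\xc7\xe8\x88\x71\xd8"
         "\x94\x1f\xd9\xea\xf0\x5c\x5e\x31\x85\x8d\x3a\xa2\x0d\x52\x3f\xf1\x20"
         "\x27\xd4\x6d\xa1\x64\x23\xec\xa5\xaf\xeb\xc2\x3c\x15\x13\xf1\x7f\x81"
         "\xff\x64\xd8\xe3\x42\x96\x92\x17\xf4\xe4\x7c\xb3\x85\x22\x72\x60\x6f"
         "\x27\x1f\xb1\x9e\x7a\x83\x30\x55\x60\x8a\xdd\x3e\x11\x45\xb6\x1a\xe3"
         "\x18\x55\x67\x8e\xe5\xad\x30\x33\x54\x83\x58\x1f\xe0\xec\x95\x22\x60"
         "\xd3\x24\x06\x74\x0c\x35\xbe\xdd\xe4\x90\x80\x46\x43\x3e\xb1\xcc\xd2"
         "\xe0\x57\x8d\x2e\x5b\x3e\x93\x1f\xd4\xa1\x5a\x9a\xb3\xee\xfa\xde\x95"
         "\x0f\x54\xd7\xac\x77\x53\xbf\x26\xc2\xff\x8d\x9b\xac",
         217);
  *(uint64_t *)0x20019658 = 0xd9;
  // Return value deliberately ignored: the interesting outcome is a kernel
  // crash, not the syscall's status.
  syscall(SYS_writev, r[0], 0x20019600ul, 6ul);
}

/*
 * Entry point.  Establishes the 16 MiB fixed mapping at 0x20000000 that
 * every raw address in execute_one() lives in, then forks six workers
 * that run loop() forever.  The parent only sleeps; it never reaps the
 * workers, so they are orphaned when it eventually exits.
 */
int main(void)
{
  // prot 3 is PROT_READ|PROT_WRITE; 0x1012 is presumably the target OS's
  // MAP_FIXED|MAP_PRIVATE|MAP_ANON (BSD-style flag values), and the two
  // trailing zeros match a seven-argument (addr, len, prot, flags, fd, pad,
  // off) mmap ABI -- confirm against the target named on the bug page.
  //
  // If the mapping is not established, every *(uint64_t *)0x2001xxxx store
  // in execute_one() faults in the child instead of reproducing anything,
  // so fail loudly here rather than leave a silent non-reproduction.
  if (syscall(SYS_mmap, 0x20000000ul, 0x1000000ul, 3ul, 0x1012ul, -1, 0ul,
              0ul) == -1)
    exit(1);
  for (procid = 0; procid < 6; procid++) {
    int pid = fork();
    if (pid < 0)
      exit(1);  // mirrors loop()'s handling of fork() failure
    if (pid == 0) {
      loop();
    }
  }
  sleep(1000000);
  return 0;
}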