// https://syzkaller.appspot.com/bug?id=65e38e5a8444d3c1d5869e6a2652299df9cd6233 // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include static void kill_and_wait(int pid, int* status) { kill(pid, SIGKILL); while (waitpid(-1, status, 0) != pid) { } } static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } #define __syscall syscall static void execute_one(void); #define WAIT_FLAGS 0 static void loop(void) { int iter; for (iter = 0;; iter++) { int pid = fork(); if (pid < 0) exit(1); if (pid == 0) { execute_one(); exit(0); } int status = 0; uint64_t start = current_time_ms(); for (;;) { if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) break; sleep_ms(1); if (current_time_ms() - start < 5 * 1000) continue; kill_and_wait(pid, &status); break; } } } uint64_t r[12] = {0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0xffffffffffffffff}; void execute_one(void) { intptr_t res = 0; syscall(SYS_open, 0ul, 1ul, 0ul); syscall(SYS_pipe, 0x20000040ul); syscall(SYS_openat, 0xffffffffffffff9cul, 0ul, 0ul, 0ul); syscall(SYS_setpgid, 0, 0); syscall(SYS_execve, 0ul, 0ul, 0ul); syscall(SYS_socketpair, 1ul, 1ul, 0ul, 0ul); syscall(SYS_dup2, -1, -1); syscall(SYS_pipe, 0ul); syscall(SYS_setpgid, 0, 0); syscall(SYS_write, -1, 0ul, 0ul); syscall(SYS_fcntl, -1, 6ul, 0); res = syscall(SYS_fcntl, -1, 5ul, 0); if (res != -1) r[0] = res; syscall(SYS_fcntl, -1, 6ul, r[0]); syscall(SYS_kevent, -1, 0ul, 0, 0ul, 0, 0ul); syscall(SYS_kqueue); syscall(SYS_dup2, -1, -1); syscall(SYS_getppid); syscall(SYS_fcntl, -1, 5ul, 0); syscall(SYS_write, -1, 0x20000340ul, 0x10000014cul); syscall(SYS_getsockopt, 0xffffff9c, 0xfffful, 0x1022ul, 0ul, 0ul); syscall(SYS_socket, 0x11ul, 3ul, 0); syscall(SYS_kqueue); syscall(SYS_sendmsg, -1, 0ul, 0ul); syscall(SYS_msgrcv, 0, 0ul, 0ul, 0ul, 0ul); res = syscall(SYS_pipe, 0x20000040ul); if (res != -1) r[1] = *(uint32_t*)0x20000040; memcpy((void*)0x20000080, "/dev/bpf\000", 9); res = syscall(SYS_openat, 0xffffffffffffff9cul, 0x20000080ul, 0ul, 0ul); if (res != -1) r[2] = res; memcpy((void*)0x200000c0, "tap", 3); *(uint8_t*)0x200000c3 = 0x30; *(uint8_t*)0x200000c4 = 0; syscall(SYS_ioctl, r[2], 0x8020426cul, 0x200000c0ul); syscall(SYS_msgrcv, 0, 0ul, 0ul, 0xfffffffffffffffdul, 0x1800ul); syscall(SYS_fcntl, r[1], 4ul, 0x46bfbul); memcpy((void*)0x20000380, "/dev/ttyCcfg\000", 13); syscall(SYS_openat, 0xffffffffffffff9cul, 0x20000380ul, 0x8000ul, 0ul); syscall(SYS_getpid); syscall(SYS_pipe, 0ul); memcpy((void*)0x20000200, "\023\023w\305\3745\324\024T\325\324\035)\255\032`)" "Y\201F\346\276\026nA\255\r\275@T\003<\2373\273\332\202$" "\242\363\327r\347cnH\263<\277p\203r\350\361\271\223>" "\305\022wC\276\"\006 \236\360-\371\313\362\366\350\200\3238/\000", 78); syscall(SYS_ktrace, 0x20000200ul, 3ul, 0x100ul, 0); res = syscall(SYS_socketpair, 1ul, 5ul, 0ul, 0x20000080ul); if (res != -1) r[3] = *(uint32_t*)0x20000080; res = syscall(SYS_openat, 0xffffffffffffff9cul, 0ul, 0ul, 0ul); if (res != -1) r[4] = res; syscall(SYS_ioctl, r[4], 0x8020426cul, 0ul); syscall(SYS_ioctl, r[4], 0x80104267ul, 0ul); syscall(SYS_ioctl, -1, 0xc0107005ul, 0ul); syscall(SYS_msgget, 0ul, 0x425ul); syscall(SYS_mmap, 0x20ffb000ul, 0x4000ul, 0ul, 0x10ul, -1, 0ul, 0ul); *(uint32_t*)0x20000000 = 0x43cbc; syscall(SYS_setsockopt, r[3], 0xfffful, 0x1001ul, 0x20000000ul, 4ul); syscall(SYS_msgsnd, 0, 0ul, 0ul, 0x80000803ul); res = syscall(SYS_open, 0ul, 0ul, 0ul); if (res != -1) r[5] = res; syscall(SYS_fcntl, -1, 4ul, 0x46bfbul); res = syscall(SYS_getppid); if (res != -1) r[6] = res; syscall(SYS_fcntl, -1, 6ul, r[6]); res = syscall(SYS_fcntl, -1, 5ul, 0); if (res != -1) r[7] = res; syscall(SYS_fcntl, -1, 6ul, r[7]); memcpy((void*)0x20000080, "./bus\000", 6); memcpy((void*)0x200000c0, "./bus\000", 6); syscall(SYS_symlinkat, 0x20000080ul, -1, 0x200000c0ul); *(uint32_t*)0x20000140 = 8; syscall(SYS_ioctl, r[5], 0x8004667eul, 0x20000140ul); syscall(SYS_pipe, 0ul); syscall(SYS_fcntl, -1, 4ul, 0x46bfbul); memcpy((void*)0x20000000, "/dev/wsmouse\000", 13); res = syscall(SYS_openat, 0xffffffffffffff9cul, 0x20000000ul, 0ul, 0ul); if (res != -1) r[8] = res; res = syscall(SYS_getppid); if (res != -1) r[9] = res; syscall(SYS_setpgid, 0, r[9]); syscall(SYS_fcntl, r[8], 6ul, r[9]); syscall(SYS_fcntl, r[8], 5ul, 0); syscall(SYS_read, -1, 0ul, 0ul); memcpy((void*)0x20000480, "/dev/vmm\000", 9); res = syscall(SYS_openat, 0xffffffffffffff9cul, 0x20000480ul, 0ul, 0ul); if (res != -1) r[10] = res; *(uint32_t*)0x20000580 = 1; *(uint32_t*)0x20000584 = 0; *(uint64_t*)0x20000588 = 1; *(uint64_t*)0x20000590 = 0; *(uint64_t*)0x20000598 = 0; *(uint64_t*)0x200005a0 = 0; *(uint64_t*)0x200005a8 = 0x20000000; *(uint64_t*)0x200005b0 = 0x80000000; *(uint64_t*)0x200005b8 = 0; *(uint64_t*)0x200005c0 = 0; *(uint64_t*)0x200005c8 = 0; *(uint64_t*)0x200005d0 = 0; *(uint64_t*)0x200005d8 = 0; *(uint64_t*)0x200005e0 = 0; *(uint64_t*)0x200005e8 = 0; *(uint64_t*)0x200005f0 = 0; *(uint64_t*)0x200005f8 = 0; *(uint64_t*)0x20000600 = 0; *(uint64_t*)0x20000608 = 0; *(uint64_t*)0x20000610 = 0; *(uint64_t*)0x20000618 = 0; *(uint64_t*)0x20000620 = 0; *(uint64_t*)0x20000628 = 0; *(uint64_t*)0x20000630 = 0; *(uint64_t*)0x20000638 = 0; *(uint64_t*)0x20000640 = 0; *(uint64_t*)0x20000648 = 0; *(uint64_t*)0x20000650 = 0; *(uint64_t*)0x20000658 = 0; *(uint64_t*)0x20000660 = 0; *(uint64_t*)0x20000668 = 0; *(uint64_t*)0x20000670 = 0; *(uint64_t*)0x20000678 = 0; *(uint64_t*)0x20000680 = 0; *(uint64_t*)0x20000688 = 0; *(uint64_t*)0x20000690 = 0; *(uint64_t*)0x20000698 = 0; *(uint64_t*)0x200006a0 = 0; *(uint64_t*)0x200006a8 = 0; *(uint64_t*)0x200006b0 = 0; *(uint64_t*)0x200006b8 = 0; *(uint64_t*)0x200006c0 = 0; *(uint64_t*)0x200006c8 = 0; *(uint64_t*)0x200006d0 = 0; *(uint16_t*)0x200006d8 = 0; *(uint32_t*)0x200006dc = 0; *(uint32_t*)0x200006e0 = 0; *(uint64_t*)0x200006e8 = 0; *(uint16_t*)0x200006f0 = 0; *(uint32_t*)0x200006f4 = 0; *(uint32_t*)0x200006f8 = 0; *(uint64_t*)0x20000700 = 0; *(uint16_t*)0x20000708 = 0; *(uint32_t*)0x2000070c = 0; *(uint32_t*)0x20000710 = 0; *(uint64_t*)0x20000718 = 0; *(uint16_t*)0x20000720 = 0; *(uint32_t*)0x20000724 = 0; *(uint32_t*)0x20000728 = 0; *(uint64_t*)0x20000730 = 0; *(uint16_t*)0x20000738 = 0; *(uint32_t*)0x2000073c = 0; *(uint32_t*)0x20000740 = 0; *(uint64_t*)0x20000748 = 0; *(uint16_t*)0x20000750 = 0; *(uint32_t*)0x20000754 = 0; *(uint32_t*)0x20000758 = 0; *(uint64_t*)0x20000760 = 0; *(uint16_t*)0x20000768 = 0; *(uint32_t*)0x2000076c = 0; *(uint32_t*)0x20000770 = 0; *(uint64_t*)0x20000778 = 0; *(uint16_t*)0x20000780 = 0; *(uint32_t*)0x20000784 = 0; *(uint32_t*)0x20000788 = 0; *(uint64_t*)0x20000790 = 0; *(uint16_t*)0x20000798 = 0; *(uint32_t*)0x2000079c = 0; *(uint32_t*)0x200007a0 = 0; *(uint64_t*)0x200007a8 = 0; *(uint16_t*)0x200007b0 = 0; *(uint32_t*)0x200007b4 = 0; *(uint32_t*)0x200007b8 = 0; *(uint64_t*)0x200007c0 = 0; syscall(SYS_ioctl, r[10], 0xc5005601ul, 0x20000580ul); memcpy((void*)0x20000040, "./file0\000", 8); res = syscall(SYS_open, 0x20000040ul, 0ul, 0ul); if (res != -1) r[11] = res; syscall(SYS_mmap, 0x20000000ul, 0x13000ul, 0ul, 0x10ul, r[11], 0ul, 0ul); syscall(SYS_openat, 0xffffffffffffff9cul, 0ul, 0ul, 0ul); syscall(SYS_mmap, 0x20000000ul, 0x3000ul, 0ul, 0x4010ul, -1, 0ul, 2ul); } int main(void) { syscall(SYS_mmap, 0x20000000ul, 0x1000000ul, 3ul, 0x1012ul, -1, 0ul, 0ul); loop(); return 0; }