// https://syzkaller.appspot.com/bug?id=bb1c86863734674653860da807a5a9888ab9e51c // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #ifndef __NR_memfd_create #define __NR_memfd_create 319 #endif static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); pthread_attr_setstacksize(&attr, 128 << 10); int i = 0; for (; i < 100; i++) { if (pthread_create(&th, &attr, fn, arg) == 0) { pthread_attr_destroy(&attr); return; } if (errno == EAGAIN) { usleep(50); continue; } break; } exit(1); } typedef struct { int state; } event_t; static void event_init(event_t* ev) { ev->state = 0; } static void event_reset(event_t* ev) { ev->state = 0; } static void event_set(event_t* ev) { if (ev->state) exit(1); __atomic_store_n(&ev->state, 1, __ATOMIC_RELEASE); syscall(SYS_futex, &ev->state, FUTEX_WAKE | FUTEX_PRIVATE_FLAG, 1000000); } static void event_wait(event_t* ev) { while (!__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, 0); } static int event_isset(event_t* ev) { return __atomic_load_n(&ev->state, __ATOMIC_ACQUIRE); } static int event_timedwait(event_t* ev, uint64_t timeout) { uint64_t start = current_time_ms(); uint64_t now = start; for (;;) { uint64_t remain = timeout - (now - start); struct timespec ts; ts.tv_sec = remain / 1000; ts.tv_nsec = (remain % 1000) * 1000 * 1000; syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, &ts); if (__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) return 1; now = current_time_ms(); if (now - start > timeout) return 0; } } struct 
thread_t {
	int created, call;   // created: worker spawned; call: case index for execute_call()
	event_t ready, done; // ready: a call was handed over; done: worker is idle again
};

// Pool of worker threads, spawned lazily by loop().
static struct thread_t threads[16];
static void execute_call(int call);
// Number of calls currently executing in workers; decremented in thr().
static int running;

// Worker thread body: wait for a call to be assigned, run it, then signal
// completion. Never returns; workers live until the process exits.
static void* thr(void* arg)
{
	struct thread_t* th = (struct thread_t*)arg;
	for (;;) {
		event_wait(&th->ready);
		event_reset(&th->ready);
		execute_call(th->call);
		__atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED);
		event_set(&th->done);
	}
	return 0;
}

// Issue calls 0..5 in order, each to the first idle worker, waiting at most
// 50 ms for it to finish before moving on. A call that blocks in the kernel
// therefore does not prevent the following calls from being issued while it
// is still in flight, which is what gives the reproducer its concurrency.
static void loop(void)
{
	// Log marker; the write() result is deliberately ignored.
	if (write(1, "executing program\n", sizeof("executing program\n") - 1)) {
	}
	int i, call, thread;
	for (call = 0; call < 6; call++) {
		for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) {
			struct thread_t* th = &threads[thread];
			if (!th->created) {
				th->created = 1;
				event_init(&th->ready);
				event_init(&th->done);
				event_set(&th->done); // a fresh worker starts out idle
				thread_start(thr, th);
			}
			if (!event_isset(&th->done))
				continue; // still busy with an earlier call; try the next slot
			event_reset(&th->done);
			th->call = call;
			__atomic_fetch_add(&running, 1, __ATOMIC_RELAXED);
			event_set(&th->ready);
			event_timedwait(&th->done, 50); // bounded wait; timeout is not an error here
			break;
		}
	}
	// Let still-running calls drain for up to ~100 ms before returning.
	for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++)
		sleep_ms(1);
}

// Results passed between calls: r[0] = /dev/hwrng descriptor, r[1] = memfd,
// r[2] = duplicate of the memfd. All-ones means "not produced yet" and is
// then passed as-is (i.e. as -1) to later calls.
uint64_t r[3] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff};

// Execute one step of the reproducer. Every call is a raw syscall on fixed
// addresses inside the scratch region mapped in main(); a failing call
// (res == -1) leaves its r[] slot untouched.
void execute_call(int call)
{
	intptr_t res = 0;
	switch (call) {
	case 0:
		// openat(AT_FDCWD /* 0xff..9c == -100 */, "/dev/hwrng", O_RDONLY /* 0 */, 0)
		memcpy((void*)0x20000100, "/dev/hwrng\000", 11);
		res = syscall(__NR_openat, /*fd=*/0xffffffffffffff9cul, /*file=*/0x20000100ul, /*flags=*/0ul, /*mode=*/0ul);
		if (res != -1)
			r[0] = res;
		break;
	case 1:
		// preadv(hwrng, &iov, 1, 0) with a single iovec {base=0x20033a80,
		// len=0xfffffd6e}: the length is ~4 GiB, far beyond the 16 MiB scratch
		// mapping, so the kernel decides how much of it is actually usable.
		*(uint64_t*)0x20000240 = 0x20033a80;
		*(uint64_t*)0x20000248 = 0xfffffd6e;
		syscall(__NR_preadv, /*fd=*/r[0], /*vec=*/0x20000240ul, /*vlen=*/1ul, /*off_low=*/0, /*off_high=*/0);
		break;
	case 2:
		// Stage the memfd_create() name. The blob is 1531 bytes but has a NUL
		// at byte 3, so only "Y\377\377" is the name; the rest is filler the
		// fuzzer kept. The literal continues on the following source lines.
		memcpy(
			(void*)0x20000d00,
			"Y\377\377\000\000\000\000\000K\262\002\200B\351\350\314\336\006\000l"
			"\250\032J\257\262M\272\270_\005U\315<|>\236\354^\016\276\030+-"
			"\233\2113\002\000\246\037+"
			"\263\305\220z5\340\337i\267\237\264QW\311\311\222\003\t\000\000\000"
			"\000\000\262\017\356\276\f8\314\177\000\000\000Z\201\000\000\000\000"
"\030I\023\361\242x\004\201R\3245R\256\005\000\000\000\000\000\000\000_" "M^dQ:\274\257q\210\031nSF|;]\341A\214\212\230\327|" "\334LF\r\261\375\277!\307u\314P\335\023~\211\317\205\312\240%" "\306\307\021\000\000\000\000\000\000\000?M9\\\av~\'\331\260\254dya]" "8\235\267\v\3639\305{\234!\017/" "\270o8\271\215\031\342\312\001y\203\347\ng\207\3313<" "u\276\352g\322\004e\362s\336}o#\220\332\234s,r\375:" "\313\307\vTmPZJ\254\213\320\300\274RK\313\0368\316\275[N\260\264<" "\353\206[\354\217\024\n\203\236&\\\267!\355\240\303," "\220m\017\000\000\000\000\000\000\377\320\263\224\000\000\000\000\000" "\000\000\235H\370\377Ro\243W\341\355\216S\256X\223\177\323\271\204Q" "\234\"\331\365\344e\371\312m\343\003\344\255\325&" "A\002\310\251\376\313\207\331\323\214\f\3008T~\304\275\220?" "\037\234\2330\031 " "\237\321p`\300/" "\000u\031\035\254\350%" "\267\t\2374\273\211\351\301\201\260\326\367\220\037\224\001M." "\026\005\026\271\351\334~\323-s\346;\224\034^\006\332v;" "\314D\225sj\340\325\276S\254\345N\352\236yl[[" "\3165\356\005\234\226\253J^c\367\031\264\330\344\207\235p\352?/" "\313\232\2525\'Q\fuG\201\212@\227M=v\376\a\253p\363\223\235\177@" "9\300\322\361\000\020\000\000\000\000\000\000\202\023\262\251\357\245" "\370\213k\263\236v\222\016\321\037\027Dx[\255\260\235/" "\226\3442mO\237h\352\363\024\315\226\211_)\033\342\326\b\224b\257;" "\222T\257z\224\237G\373\375|$k\003\327;\232y\356\371W?\263\371\370I." 
"E4\303eWq\372\":$\320\027Q\224\365\345mk\216&\361;#z\357*" "\316\231\004\271\220\274\311#-" "\215i\256\305\337\023\322K\213\365\f\262x\335\325\264\251^~O<" "\022\343\303P|7\304\310\261r0Z\230\207^" "\310C\033\226\264lsyF\305\274\377OE\351\3270\347\376p\203\247\241\331" "\344\272\222\027\277\340\341\001\267\213\030j\031n\310\377\351\364\364" "\317 " "a\327_w\017\235F\256\314A-/" "\203\253U\325\2778\244O\264\357\310\314H\321=\276\276x\265-" "\005\001\021\372\317\035m\265X\351\265O\025\307;" "Lb\316\032\314\230\350\351e\340\302N\347\327\035\222\207F8\236\367\335" "\332W\365X\200\240f\316o\330\177\300\226\bSB\316&\004$" "\303\3431U\204\202\360{i\035\002\020\306C\001^\317\223?" "w\001\204\240\326\242\020\244\374G\253D\326dGZ\262Cx\033\375D9\027\346" "\312uM\343\005)\342\003\342j$F1n@\336\n9t.[\255\265\f<" "o\333\244\220\304\320I\246\226\241\000\273\335\224\000t/" "1YekG\177\275rI\036\2124=\242\351\202<\236|\365\244\005#" "\177\250\001\000\202ih\371?\003Q\365\304\225\231 " "\247v~:$" "\002O\343\252\037\000\353h\'\322q\020\036\224n\327w\261\310G\211\364" "\214t\371R\205\0338OE\004\232\330\200\020x\277\n0\b,r\306r\367=" "\376\301\026\346\356\273:-h\272\213\024\232?\216\003;" "\345\004\330\251\232\323\005(\177|\255U\257e\207V.i4$6U,R\233\n{" "\'\3761\304\2609\226{" "\300e\241\347\251\264\032\n\365\327zuvz\2272\324\373\023u2\253\030\001" "~r\273cW!)\364\233\035I\236x;" "\262\343I\275\026T\2675\246\a\267\241\215\311\022\261\275\274\331c\351" "\346k\356\006\203\364\253\030\0038\217\311^\017\253\352&P\b\357#" "\366\303\374\324\240\375\025N\323\240\200\237\bU\2463\366\311\354Z`" "\244\240(\371\230B\257\336*\221\335k\241`d\360\227\311e\301\"EC\232?" "x\211\215\263\372F}\202D\370\f\361`\220D\321|%(" "\330\t\352\000C\316\177o+?" 
			"v\356\306bL\035\276\204p\215\243\354\367\340\376\214=<\362\037@"
			"\3466E\247\234\323\266\365\340\024\270\324`\205\343;\214\370\362\331)"
			"\016\320\377\245K\363\361\304\030\364Z\334i\221\204\350\267\020\220"
			"\274\354t\024\337R\342\200\370a\222\262R\3370\312Q\337\207\275jp\034h3"
			"h\317<\202\227\245s/"
			"m\262\035d\367\374\365\251\035\3234{\314\037\t,"
			"i\026\202\255\216\266\027\017\252\205^/"
			"w\273~\377\316\222\220\203\n\345\024\225\222|\376-S%"
			"\221i\257h\227z\000@"
			"K\273\302\fcD\377\334l\241\372R\274\320k\\\222\031a6Sv\005%{"
			"\342\351\361\335RB$8\260q9\241g&\027\345P\357\261<\266\342\262\3006^"
			"\0174\272\020\272\000\000\000\000\000\000\000\000\357\272\"\267\307~"
			"T\304Ei\375k\251\"F\251C\240\323\240\033\277\023\373\024S<"
			"\246\n5\206\236\262=8\'g`"
			"\217\250\0027\275\265s\351dti\300\275\\H\345v\335\017P\213+-"
			"\002i\216ZU\250YB\374\302R7\351\021\006\032Rd\2513\241\\\364_"
			"s\367\350+"
			"\275g\023\256a\004\330\202\366\220\2571\206b\201J\267E\260\342\326\223"
			"S\263\230\313\371\336=\326T\215\352\253\251Z!\323-\246_\304\244\266+"
			"\211\334]O"
			"\360y\326\260\362\237\247\317\255\206\\\354\354\326\235\bT\315\242"
			"\352",
			1531);
		// memfd_create(name, 0xe): MFD_ALLOW_SEALING (2) | MFD_HUGETLB (4) | 0x8.
		// syzkaller did not name the 0x8 bit; on recent kernels that value is
		// MFD_NOEXEC_SEAL — confirm against the target kernel's uapi headers.
		// A hugetlb-backed memfd needs reserved huge pages to be usable later.
		res = syscall(__NR_memfd_create, /*name=*/0x20000d00ul, /*flags=MFD_HUGETLB|MFD_ALLOW_SEALING|0x8*/ 0xeul);
		if (res != -1)
			r[1] = res;
		break;
	case 3:
		// fcntl(memfd, F_DUPFD /* 0 */, memfd): duplicate onto the lowest free
		// descriptor >= r[1]; the copy is what case 4 maps.
		res = syscall(__NR_fcntl, /*fd=*/r[1], /*cmd=*/0ul, /*arg=*/r[1]);
		if (res != -1)
			r[2] = res;
		break;
	case 4:
		// MAP_FIXED|MAP_PRIVATE mapping of the duplicated hugetlb memfd over the
		// first two pages of the scratch region set up in main(). The prot value
		// 0xffffff1f carries bits outside the documented PROT_* set; whether the
		// kernel rejects it or masks it is part of what the fuzzer is probing.
		syscall(__NR_mmap, /*addr=*/0x20000000ul, /*len=*/0x2000ul, /*prot=PROT_GROWSUP|PROT_GROWSDOWN|PROT_SEM|PROT_WRITE|PROT_READ|PROT_EXEC|0xfcffff10*/ 0xffffff1ful, /*flags=MAP_FIXED|MAP_PRIVATE*/ 0x12ul, /*fd=*/r[2], /*offset=*/0ul);
		break;
	case 5:
		// mbind(0x20199000, 0x4000, MPOL_DEFAULT /* 0 */, NULL, 0,
		//       MPOL_MF_STRICT|MPOL_MF_MOVE): asks the kernel to migrate pages of
		// a 16 KiB range inside the scratch region, which may be hit concurrently
		// by the preadv() of case 1 still running in another worker.
		syscall(__NR_mbind, /*addr=*/0x20199000ul, /*len=*/0x4000ul, /*mode=*/0ul, /*nodemask=*/0ul, /*maxnode=*/0ul, /*flags=MPOL_MF_MOVE|MPOL_MF_STRICT*/ 3ul);
		break;
	}
}

// Lay out the fixed address space the calls rely on, then run them:
// a PROT_NONE guard page below 0x20000000, a 16 MiB RWX anonymous scratch
// region at 0x20000000 (every pointer argument above lives in it), and a
// PROT_NONE guard page at 0x21000000 just past it.
int main(void)
{
	syscall(__NR_mmap, /*addr=*/0x1ffff000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1, /*offset=*/0ul);
	syscall(__NR_mmap, /*addr=*/0x20000000ul, /*len=*/0x1000000ul, /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1, /*offset=*/0ul);
	syscall(__NR_mmap, /*addr=*/0x21000000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1, /*offset=*/0ul);
	// Leftover from the syzkaller template; unused in this reproducer.
	const char* reason;
	(void)reason;
	loop();
	return 0;
}