// https://syzkaller.appspot.com/bug?id=c57f525df252a51f37fb7b425cf7a39f81bed52e // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #ifndef __NR_accept4 #define __NR_accept4 242 #endif #ifndef __NR_bind #define __NR_bind 200 #endif #ifndef __NR_connect #define __NR_connect 203 #endif #ifndef __NR_listen #define __NR_listen 201 #endif #ifndef __NR_mmap #define __NR_mmap 222 #endif #ifndef __NR_sendmmsg #define __NR_sendmmsg 269 #endif #ifndef __NR_sendmsg #define __NR_sendmsg 211 #endif #ifndef __NR_socket #define __NR_socket 198 #endif static bool write_file(const char* file, const char* what, ...) { char buf[1024]; va_list args; va_start(args, what); vsnprintf(buf, sizeof(buf), what, args); va_end(args); buf[sizeof(buf) - 1] = 0; int len = strlen(buf); int fd = open(file, O_WRONLY | O_CLOEXEC); if (fd == -1) return false; if (write(fd, buf, len) != len) { int err = errno; close(fd); errno = err; return false; } close(fd); return true; } static int inject_fault(int nth) { int fd; fd = open("/proc/thread-self/fail-nth", O_RDWR); if (fd == -1) exit(1); char buf[16]; sprintf(buf, "%d", nth); if (write(fd, buf, strlen(buf)) != (ssize_t)strlen(buf)) exit(1); return fd; } static const char* setup_fault() { int fd = open("/proc/self/make-it-fail", O_WRONLY); if (fd == -1) return "CONFIG_FAULT_INJECTION is not enabled"; close(fd); fd = open("/proc/thread-self/fail-nth", O_WRONLY); if (fd == -1) return "kernel does not have systematic fault injection support"; close(fd); static struct { const char* file; const char* val; bool fatal; } files[] = { {"/sys/kernel/debug/failslab/ignore-gfp-wait", "N", true}, {"/sys/kernel/debug/fail_futex/ignore-private", "N", false}, {"/sys/kernel/debug/fail_page_alloc/ignore-gfp-highmem", "N", false}, {"/sys/kernel/debug/fail_page_alloc/ignore-gfp-wait", "N", false}, {"/sys/kernel/debug/fail_page_alloc/min-order", "0", false}, }; unsigned i; for (i = 0; i < sizeof(files) / sizeof(files[0]); i++) { if (!write_file(files[i].file, files[i].val)) { if (files[i].fatal) return "failed to write fault injection file"; } } return NULL; } uint64_t r[3] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff}; int main(void) { syscall(__NR_mmap, /*addr=*/0x1ffff000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1, /*offset=*/0ul); syscall(__NR_mmap, /*addr=*/0x20000000ul, /*len=*/0x1000000ul, /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1, /*offset=*/0ul); syscall(__NR_mmap, /*addr=*/0x21000000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1, /*offset=*/0ul); const char* reason; (void)reason; if ((reason = setup_fault())) printf("the reproducer may not work as expected: fault injection setup " "failed: %s\n", reason); intptr_t res = 0; if (write(1, "executing program\n", sizeof("executing program\n") - 1)) { } res = syscall(__NR_socket, /*domain=*/0xaul, /*type=SOCK_CLOEXEC|SOCK_NONBLOCK|SOCK_DCCP|0x40000000000*/ 0x40000080806ul, /*proto=*/0); if (res != -1) r[0] = res; *(uint16_t*)0x2047b000 = 0xa; *(uint16_t*)0x2047b002 = htobe16(0x4e20); *(uint32_t*)0x2047b004 = htobe32(0); *(uint64_t*)0x2047b008 = htobe64(0); *(uint64_t*)0x2047b010 = htobe64(1); *(uint32_t*)0x2047b018 = 0; syscall(__NR_bind, /*fd=*/r[0], /*addr=*/0x2047b000ul, /*addrlen=*/0x1cul); syscall(__NR_listen, /*fd=*/r[0], /*backlog=*/0x20000005); res = syscall(__NR_socket, /*domain=*/0xaul, /*type=SOCK_DCCP*/ 6ul, /*proto=*/0); if (res != -1) r[1] = res; *(uint16_t*)0x20000040 = 0xa; *(uint16_t*)0x20000042 = htobe16(0x4e20); *(uint32_t*)0x20000044 = htobe32(0); memset((void*)0x20000048, 0, 16); *(uint32_t*)0x20000058 = 0; syscall(__NR_connect, /*fd=*/r[1], /*addr=*/0x20000040ul, /*addrlen=*/0x1cul); res = syscall(__NR_accept4, /*fd=*/r[0], /*peer=*/0ul, /*peerlen=*/0ul, /*flags=*/0ul); if (res != -1) r[2] = res; *(uint64_t*)0x20000340 = 0; *(uint32_t*)0x20000348 = 0; *(uint64_t*)0x20000350 = 0x20000140; *(uint64_t*)0x20000140 = 0x20000740; *(uint64_t*)0x20000148 = 0x224; *(uint64_t*)0x20000358 = 1; *(uint64_t*)0x20000360 = 0; *(uint64_t*)0x20000368 = 0; *(uint32_t*)0x20000370 = 0x40024; syscall(__NR_sendmsg, /*fd=*/r[2], /*msg=*/0x20000340ul, /*f=MSG_OOB*/ 1ul); *(uint64_t*)0x20002ac0 = 0; *(uint32_t*)0x20002ac8 = 0; *(uint64_t*)0x20002ad0 = 0; *(uint64_t*)0x20002ad8 = 0; *(uint64_t*)0x20002ae0 = 0; *(uint64_t*)0x20002ae8 = 0; *(uint32_t*)0x20002af0 = 0; *(uint32_t*)0x20002af8 = 0; *(uint64_t*)0x20002b00 = 0; *(uint32_t*)0x20002b08 = 0; *(uint64_t*)0x20002b10 = 0; *(uint64_t*)0x20002b18 = 0; *(uint64_t*)0x20002b20 = 0; *(uint64_t*)0x20002b28 = 0; *(uint32_t*)0x20002b30 = 0; *(uint32_t*)0x20002b38 = 0; syscall(__NR_sendmmsg, /*fd=*/r[1], /*mmsg=*/0x20002ac0ul, /*vlen=*/2ul, /*f=*/0ul); *(uint64_t*)0x200001c0 = 0; *(uint32_t*)0x200001c8 = 0x9b4c; *(uint64_t*)0x200001d0 = 0; *(uint64_t*)0x200001d8 = 0; *(uint64_t*)0x200001e0 = 0; *(uint64_t*)0x200001e8 = 0; *(uint32_t*)0x200001f0 = 0; *(uint32_t*)0x200001f8 = 0; inject_fault(6); syscall(__NR_sendmmsg, /*fd=*/r[2], /*mmsg=*/0x200001c0ul, /*vlen=*/0x500ul, /*f=*/0ul); return 0; }