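// https://syzkaller.appspot.com/bug?id=7c48f2a02168c6d8581d28dcc5c3c5b7a7c52f21
// autogenerated by syzkaller (https://github.com/google/syzkaller)
//
// Kernel-bug reproducer.  The parent maps a fixed 16 MiB scratch region, then
// forever forks a child that opens /dev/mdctl and issues one ioctl(0xc1c06d00)
// with a 448-byte fuzzer-chosen argument.  A child that has not exited after
// roughly 5 s is SIGKILLed.  The parent never returns on its own.
//
// NOTE(review): the original #include list was lost when this listing was
// extracted (fourteen bare "#include" tokens survived); the headers below are
// reconstructed from what the code actually uses.
//
// Constants decoded from the raw syscall arguments (arithmetic only):
//   openat: fd 0xffffffffffffff9c == -100 == AT_FDCWD; flags 0 == O_RDONLY.
//   ioctl cmd 0xc1c06d00: dir bits 0x3 (in+out), size 0x1c0 (448 bytes),
//     type 0x6d ('m'), nr 0.  The argument buffer at 0x...340..0x...4ff is
//     exactly 448 bytes, so the size field and the buffer agree.
//   mmap flags 0x1012 == MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE per syzkaller's
//     own annotation; MAP_ANONYMOUS == 0x1000 is the BSD encoding, not Linux's
//     0x20, so this reproducer targets a BSD kernel.
//   NOTE(review): _IOWR('m', 0, <448-byte struct>) is the encoding of
//     FreeBSD md(4)'s MDIOCATTACH (struct md_ioctl); confirm against
//     <sys/mdioctl.h> on the target before relying on that reading.
//
// Running this needs write access to /dev/mdctl and is expected to crash or
// wedge the kernel -- only run it inside a disposable VM.

#define _GNU_SOURCE
#include <signal.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

// SIGKILL a child and block until that particular pid has been reaped.
// waitpid(-1) also reaps any other child that happens to exit meanwhile;
// this process only ever has one child, so that is harmless here.
static void kill_and_wait(int pid, int *status)
{
    kill(pid, SIGKILL);
    while (waitpid(-1, status, 0) != pid) {
    }
}

// Sleep for ms milliseconds (usleep granularity; return value not checked).
static void sleep_ms(uint64_t ms)
{
    usleep(ms * 1000);
}

// Monotonic clock in milliseconds.  A failing clock_gettime() is fatal: the
// watchdog in loop() has no meaningful fallback without a clock.
static uint64_t current_time_ms(void)
{
    struct timespec ts;
    if (clock_gettime(CLOCK_MONOTONIC, &ts)) {
        exit(1);
    }
    return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}

static void execute_one(void);

#define WAIT_FLAGS 0

// Fork-and-watchdog driver.  Each iteration runs execute_one() in a fresh
// child; the parent polls every 10 ms and kills the child once 5000 ms have
// elapsed.  Never returns.
static void loop(void)
{
    for (int iter = 0;; iter++) {
        int pid = fork();
        if (pid < 0) {
            exit(1);
        }
        if (pid == 0) {
            execute_one();
            exit(0);
        }
        int status = 0;
        uint64_t start = current_time_ms();
        for (;;) {
            sleep_ms(10);
            // A non-matching pid (another child, 0, or -1) just keeps polling.
            if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) {
                break;
            }
            if (current_time_ms() - start >= 5000) {
                kill_and_wait(pid, &status);
                break;
            }
        }
    }
}

// Syscall results the program threads through (syzkaller "r" array).
// r[0] is the /dev/mdctl descriptor; it stays -1 if openat fails, in which
// case the ioctl below is issued on fd -1 (and fails with EBADF).
uint64_t r[1] = {0xffffffffffffffff};

// Populate the 448-byte ioctl argument at 0x200000000340..0x2000000004ff.
// Layout as written (offsets relative to 0x340):
//   0x00 u32 0      0x04 u32 7      0x08 u32 0      0x0c (4 bytes, not written)
//   0x10 u64 0      0x18 u64 0x800000008
//   0x20 u32 4      0x24 u32 6      0x28 u64 0xa
//   0x30 u32 0      0x34 u32 0xa7   0x38 u64 0
//   0x40..0x1bf: 96 x u32, fuzzer-chosen values
// The unwritten 4 bytes at +0x0c read as zero: the region is a fresh
// anonymous mapping that only the children ever write to, and each child
// starts from the parent's untouched copy.
static void fill_ioctl_arg(void)
{
    *(uint32_t *)0x200000000340 = 0;
    *(uint32_t *)0x200000000344 = 7;
    *(uint32_t *)0x200000000348 = 0;
    *(uint64_t *)0x200000000350 = 0;
    *(uint64_t *)0x200000000358 = 0x800000008;
    *(uint32_t *)0x200000000360 = 4;
    *(uint32_t *)0x200000000364 = 6;
    *(uint64_t *)0x200000000368 = 0xa;
    *(uint32_t *)0x200000000370 = 0;
    *(uint32_t *)0x200000000374 = 0xa7;
    *(uint64_t *)0x200000000378 = 0;

    // 96-word tail, +0x40 .. +0x1bc.
    *(uint32_t *)0x200000000380 = 0x18;
    *(uint32_t *)0x200000000384 = 6;
    *(uint32_t *)0x200000000388 = 9;
    *(uint32_t *)0x20000000038c = 2;
    *(uint32_t *)0x200000000390 = 4;
    *(uint32_t *)0x200000000394 = 4;
    *(uint32_t *)0x200000000398 = 6;
    *(uint32_t *)0x20000000039c = 0xf;
    *(uint32_t *)0x2000000003a0 = 6;
    *(uint32_t *)0x2000000003a4 = 7;
    *(uint32_t *)0x2000000003a8 = 0x408;
    *(uint32_t *)0x2000000003ac = 7;
    *(uint32_t *)0x2000000003b0 = 5;
    *(uint32_t *)0x2000000003b4 = 1;
    *(uint32_t *)0x2000000003b8 = 1;
    *(uint32_t *)0x2000000003bc = 0xfffffff3;
    *(uint32_t *)0x2000000003c0 = 9;
    *(uint32_t *)0x2000000003c4 = 6;
    *(uint32_t *)0x2000000003c8 = 0x8000007;
    *(uint32_t *)0x2000000003cc = 0;
    *(uint32_t *)0x2000000003d0 = 0x401;
    *(uint32_t *)0x2000000003d4 = 9;
    *(uint32_t *)0x2000000003d8 = 0xcde;
    *(uint32_t *)0x2000000003dc = 0x100;
    *(uint32_t *)0x2000000003e0 = 0xfffffff8;
    *(uint32_t *)0x2000000003e4 = 7;
    *(uint32_t *)0x2000000003e8 = 7;
    *(uint32_t *)0x2000000003ec = 0;
    *(uint32_t *)0x2000000003f0 = 5;
    *(uint32_t *)0x2000000003f4 = 0x5ba;
    *(uint32_t *)0x2000000003f8 = 7;
    *(uint32_t *)0x2000000003fc = 0xffbffffa;
    *(uint32_t *)0x200000000400 = 5;
    *(uint32_t *)0x200000000404 = 9;
    *(uint32_t *)0x200000000408 = 0x3d5532c1;
    *(uint32_t *)0x20000000040c = 7;
    *(uint32_t *)0x200000000410 = 3;
    *(uint32_t *)0x200000000414 = 0x8000;
    *(uint32_t *)0x200000000418 = 2;
    *(uint32_t *)0x20000000041c = 1;
    *(uint32_t *)0x200000000420 = 3;
    *(uint32_t *)0x200000000424 = 0;
    *(uint32_t *)0x200000000428 = 0;
    *(uint32_t *)0x20000000042c = 2;
    *(uint32_t *)0x200000000430 = 6;
    *(uint32_t *)0x200000000434 = 0x27ad222b;
    *(uint32_t *)0x200000000438 = 6;
    *(uint32_t *)0x20000000043c = 0x80000003;
    *(uint32_t *)0x200000000440 = 0xac5e;
    *(uint32_t *)0x200000000444 = 2;
    *(uint32_t *)0x200000000448 = 0xfffffff7;
    *(uint32_t *)0x20000000044c = 0x6ddbd7a2;
    *(uint32_t *)0x200000000450 = 4;
    *(uint32_t *)0x200000000454 = 0x52;
    *(uint32_t *)0x200000000458 = 7;
    *(uint32_t *)0x20000000045c = 8;
    *(uint32_t *)0x200000000460 = 0x86;
    *(uint32_t *)0x200000000464 = 9;
    *(uint32_t *)0x200000000468 = 0x20;
    *(uint32_t *)0x20000000046c = 3;
    *(uint32_t *)0x200000000470 = 0x7ffe;
    *(uint32_t *)0x200000000474 = 9;
    *(uint32_t *)0x200000000478 = 0x7f;
    *(uint32_t *)0x20000000047c = 8;
    *(uint32_t *)0x200000000480 = 6;
    *(uint32_t *)0x200000000484 = 8;
    *(uint32_t *)0x200000000488 = 0x10001;
    *(uint32_t *)0x20000000048c = 0xfffffff5;
    *(uint32_t *)0x200000000490 = 0;
    *(uint32_t *)0x200000000494 = 0x80;
    *(uint32_t *)0x200000000498 = 9;
    *(uint32_t *)0x20000000049c = 0x800007;
    *(uint32_t *)0x2000000004a0 = 0x20006;
    *(uint32_t *)0x2000000004a4 = 0;
    *(uint32_t *)0x2000000004a8 = 2;
    *(uint32_t *)0x2000000004ac = 0xe07;
    *(uint32_t *)0x2000000004b0 = 0x388d;
    *(uint32_t *)0x2000000004b4 = 0;
    *(uint32_t *)0x2000000004b8 = 3;
    *(uint32_t *)0x2000000004bc = 4;
    *(uint32_t *)0x2000000004c0 = 3;
    *(uint32_t *)0x2000000004c4 = 0x40;
    *(uint32_t *)0x2000000004c8 = 0x80000001;
    *(uint32_t *)0x2000000004cc = -1;
    *(uint32_t *)0x2000000004d0 = 5;
    *(uint32_t *)0x2000000004d4 = 0xed;
    *(uint32_t *)0x2000000004d8 = 0x80000000;
    *(uint32_t *)0x2000000004dc = 0xc;
    *(uint32_t *)0x2000000004e0 = 0x7f;
    *(uint32_t *)0x2000000004e4 = 0x296;
    *(uint32_t *)0x2000000004e8 = 2;
    *(uint32_t *)0x2000000004ec = 0xe6;
    *(uint32_t *)0x2000000004f0 = 0x7fffffff;
    *(uint32_t *)0x2000000004f4 = 5;
    *(uint32_t *)0x2000000004f8 = 0xc2b0;
    *(uint32_t *)0x2000000004fc = 0xa1;
}

// One fuzzer program: openat(AT_FDCWD, "/dev/mdctl", O_RDONLY) then
// ioctl(fd, 0xc1c06d00, <448-byte buffer>).  Runs in the forked child.
// The ioctl's return value is deliberately not checked -- the interesting
// outcome is a kernel crash, not an error code.
static void execute_one(void)
{
    // Progress marker on stdout; syzkaller's way of silencing
    // warn_unused_result.  Nothing depends on it succeeding.
    if (write(1, "executing program\n", sizeof("executing program\n") - 1)) {
    }

    memcpy((void *)0x200000000000, "/dev/mdctl\000", 11);
    intptr_t fd = syscall(SYS_openat,
                          /*fd=AT_FDCWD*/ 0xffffffffffffff9cul,
                          /*file=*/ 0x200000000000ul,
                          /*flags=O_RDONLY*/ 0ul,
                          /*mode=*/ 0ul);
    if (fd != -1) {
        r[0] = fd;
    }

    fill_ioctl_arg();
    syscall(SYS_ioctl, /*fd=*/ r[0], /*cmd=*/ 0xc1c06d00ul,
            /*arg=*/ 0x200000000340ul);
}

// Map the 16 MiB scratch region at the fixed address every syzkaller
// reproducer assumes, then hand over to the fork loop.
//
// PROT_EXEC (prot 7) is not used by anything in this program; it is kept
// because that is what syzkaller emits and a reproducer should stay
// byte-for-byte faithful to the fuzzer's environment.
int main(void)
{
    intptr_t map = syscall(SYS_mmap,
                           /*addr=*/ 0x200000000000ul,
                           /*len=*/ 0x1000000ul,
                           /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul,
                           /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x1012ul,
                           /*fd=*/ (intptr_t)-1,
                           /*offset=*/ 0ul);
    // Without this mapping every child's first memcpy is a wild write into
    // unmapped memory; bail out with a clear status instead of a SIGSEGV.
    if (map == -1) {
        exit(1);
    }
    loop();
    return 0;
}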