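// https://syzkaller.appspot.com/bug?id=c7ac769bd7ee15549b8a2be188bcee07d98a5357
// autogenerated by syzkaller (https://github.com/google/syzkaller)
//
// Crash reproducer. main() maps one anonymous 16 MiB arena at 0x20000000,
// installs a fault-recovering SIGSEGV/SIGBUS handler, moves into a scratch
// directory and then runs loop(): a fixed sequence of raw syscalls whose
// argument structures are written into the arena at hard-coded offsets.
// The constants are exactly what the generator emitted and carry no meaning
// outside that sequence.
//
// NOTE(review): the getsockopt level 0xffff and mmap flag 0x1012 look like
// BSD constants rather than Linux ones — confirm the target OS on the bug
// page before reading the syscalls with Linux semantics.
//
// NOTE(review): the original #include list was lost when the page was
// rendered (the bracketed names were stripped); the headers below are the
// ones this translation unit actually needs.
#define _GNU_SOURCE

#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <sys/resource.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

// Per-thread state shared between segv_handler() and NONFAILING().
static __thread int clone_ongoing; // read by the handler only; nothing in this file sets it
static __thread int skip_segv;     // > 0 while inside NONFAILING(): a fault may be unwound
static __thread jmp_buf segv_env;  // recovery point armed by NONFAILING()

/*
 * SIGSEGV/SIGBUS handler.
 *
 * A fault is unwound to the enclosing NONFAILING() only when skip_segv is
 * set AND the faulting address lies outside the range [1 MiB, 100 MiB].
 * The argument arena at 0x20000000 (512 MiB) is above that range, so a
 * fault while writing the arena is recoverable. Every other fault, and any
 * fault while clone_ongoing is set, terminates the process with the signal
 * number as its exit status.
 */
static void segv_handler(int sig, siginfo_t *info, void *ctx)
{
    (void)ctx;
    if (__atomic_load_n(&clone_ongoing, __ATOMIC_RELAXED) != 0) {
        _exit(sig);
    }
    uintptr_t addr = (uintptr_t)info->si_addr;
    const uintptr_t prog_start = 1 << 20;
    const uintptr_t prog_end = 100 << 20;
    int skip = __atomic_load_n(&skip_segv, __ATOMIC_RELAXED) != 0;
    int outside_prog = addr < prog_start || addr > prog_end;
    if (skip && outside_prog) {
        _longjmp(segv_env, 1);
    }
    // _exit() rather than exit(): exit() runs atexit handlers and stdio
    // flushing, which are not async-signal-safe and can deadlock when the
    // fault happened inside libc.
    _exit(sig);
}

// Route SIGSEGV and SIGBUS to segv_handler(). SA_SIGINFO provides si_addr;
// SA_NODEFER keeps the signal unblocked so the handler can longjmp out
// without leaving the signal masked for the rest of the process.
// sigaction() results are not checked.
static void install_segv_handler(void)
{
    struct sigaction sa = {0};
    sa.sa_sigaction = segv_handler;
    sa.sa_flags = SA_NODEFER | SA_SIGINFO;
    sigaction(SIGSEGV, &sa, NULL);
    sigaction(SIGBUS, &sa, NULL);
}

/*
 * Evaluate the statement(s) in __VA_ARGS__ with fault recovery.
 * Yields 1 if they ran to completion and 0 if a SIGSEGV/SIGBUS was caught
 * by segv_handler() and unwound here. skip_segv is restored on both paths.
 * Every store into the argument arena in loop() goes through this macro.
 */
#define NONFAILING(...)                                       \
    ({                                                        \
        int ok = 1;                                           \
        __atomic_fetch_add(&skip_segv, 1, __ATOMIC_SEQ_CST);  \
        if (_setjmp(segv_env) == 0) {                         \
            __VA_ARGS__;                                      \
        } else                                                \
            ok = 0;                                           \
        __atomic_fetch_sub(&skip_segv, 1, __ATOMIC_SEQ_CST);  \
        ok;                                                   \
    })

// Create ./syzkaller.XXXXXX under the current directory and chdir into it.
// The directory is made world-writable, as the generator emits it, and is
// never removed by this program: run it from a scratch location. Any
// failure exits with status 1.
static void use_temporary_dir(void)
{
    char tmpdir_template[] = "./syzkaller.XXXXXX";
    char *tmpdir = mkdtemp(tmpdir_template);
    if (!tmpdir) {
        exit(1);
    }
    if (chmod(tmpdir, 0777)) {
        exit(1);
    }
    if (chdir(tmpdir)) {
        exit(1);
    }
}

// Kept from the generator template; not referenced in this file.
#define __syscall syscall

// Process-level confinement applied before the reproducer body: a new
// session, 8 MiB RLIMIT_MEMLOCK, 1 MiB RLIMIT_FSIZE and RLIMIT_STACK, no
// core dumps, 256 descriptors. Only a failed setsid() is fatal; the
// setrlimit() return values are not checked.
static void sandbox_common(void)
{
    if (setsid() == -1) {
        exit(1);
    }
    struct rlimit rlim;
    rlim.rlim_cur = rlim.rlim_max = 8 << 20;
    setrlimit(RLIMIT_MEMLOCK, &rlim);
    rlim.rlim_cur = rlim.rlim_max = 1 << 20;
    setrlimit(RLIMIT_FSIZE, &rlim);
    rlim.rlim_cur = rlim.rlim_max = 1 << 20;
    setrlimit(RLIMIT_STACK, &rlim);
    rlim.rlim_cur = rlim.rlim_max = 0;
    setrlimit(RLIMIT_CORE, &rlim);
    rlim.rlim_cur = rlim.rlim_max = 256;
    setrlimit(RLIMIT_NOFILE, &rlim);
}

static void loop(void);

// "none" sandbox: apply the common limits, then run the syscall sequence
// in this process. Always returns 0.
static int do_sandbox_none(void)
{
    sandbox_common();
    loop();
    return 0;
}

// Descriptors harvested by loop(): r[0] is the second socket returned by
// socketpair(), r[1] is the descriptor from open("./bus"). Both start as
// all-ones so a failed call leaves an obviously invalid value behind.
uint64_t r[2] = {0xffffffffffffffff, 0xffffffffffffffff};

// The reproducer body. Every address below is inside the arena mapped by
// main(); the generator reuses the same offsets for several unrelated
// structures (e.g. 0x20000040 and 0x20000080), so read each step in order.
static void loop(void)
{
    intptr_t res = 0;

    // socketpair(1, 1, 0, sv) with sv at 0x20000000; keep sv[1] (offset 4).
    res = syscall(SYS_socketpair, 1ul, 1ul, 0, 0x20000000ul);
    if (res != -1) {
        NONFAILING(r[0] = *(uint32_t *)0x20000004);
    }

    // getsockopt(r[0], level 0xffff, optname 0x1022, optval=0x20000040,
    // optlen=0x20000080) with *optlen = 0xc.
    NONFAILING(*(uint32_t *)0x20000080 = 0xc);
    syscall(SYS_getsockopt, r[0], 0xffff, 0x1022, 0x20000040ul, 0x20000080ul);

    // A 56-byte header at 0x20000480 (presumably a struct msghdr — the
    // offsets match the LP64 layout: name, namelen, iov, iovlen, control,
    // controllen, flags) pointing at a 3-entry iov at 0x20000400 whose
    // first entry is a 67-byte (0x43) blob at 0x20000280; entries 2 and 3
    // are zero.
    NONFAILING(*(uint64_t *)0x20000480 = 0);
    NONFAILING(*(uint32_t *)0x20000488 = 0);
    NONFAILING(*(uint64_t *)0x20000490 = 0x20000400);
    NONFAILING(*(uint64_t *)0x20000400 = 0x20000280);
    NONFAILING(memcpy(
        (void *)0x20000280,
        "\x25\x81\x20\x69\xf7\x9a\xc6\xfe\xff\x94\x12\x0b\x71\xc9\x9d\xa3\x9b\xf6"
        "\x18\x0a\x7b\xc1\x87\x4e\xf4\x72\xd6\xac\xa3\xa8\xef\xf7\x38\xeb\xfd\x55"
        "\xde\x6a\x16\x30\x52\xed\x93\x7f\xf2\x19\xeb\x54\x62\xf5\x90\xa4\x1c\x91"
        "\x69\x52\xc2\xd4\xa2\x5c\xd6\xb9\xf9\x0a\x4a\x1f\x4a",
        67));
    NONFAILING(*(uint64_t *)0x20000408 = 0x43);
    NONFAILING(*(uint64_t *)0x20000410 = 0);
    NONFAILING(*(uint64_t *)0x20000418 = 0);
    NONFAILING(*(uint64_t *)0x20000420 = 0);
    NONFAILING(*(uint64_t *)0x20000428 = 0);
    NONFAILING(*(uint64_t *)0x20000498 = 3);
    NONFAILING(*(uint64_t *)0x200004a0 = 0);
    NONFAILING(*(uint64_t *)0x200004a8 = 0);
    NONFAILING(*(uint32_t *)0x200004b0 = 0);
    // fd 0xffffff9c is -100 as an int, i.e. not an open descriptor;
    // presumably this call fails and only the argument marshalling matters.
    syscall(SYS_sendmsg, 0xffffff9c, 0x20000480ul, 8ul);

    // mknod("./bus", 0x2000 /* S_IFCHR, no permission bits */, dev).
    // Creating a device node needs elevated privilege on every target this
    // could run on; the result is not checked.
    NONFAILING(memcpy((void *)0x20000140, "./bus\000", 6));
    syscall(SYS_mknod, 0x20000140ul, 0x2000ul, 0x4086337); /* major = 99, minor = 264247 */

    // ioctl(-1, 0x80104277, arg) where arg at 0x200000c0 is {count = 6,
    // ptr = 0x20000080} and the pointed-to table holds six 8-byte records
    // (u16, u8, u8, u32); only the last record's u16 is non-zero (0x210).
    // This overwrites the optlen cell used by getsockopt above.
    NONFAILING(*(uint32_t *)0x200000c0 = 6);
    NONFAILING(*(uint64_t *)0x200000c8 = 0x20000080);
    NONFAILING(*(uint16_t *)0x20000080 = 0);
    NONFAILING(*(uint8_t *)0x20000082 = 0);
    NONFAILING(*(uint8_t *)0x20000083 = 0);
    NONFAILING(*(uint32_t *)0x20000084 = 0);
    NONFAILING(*(uint16_t *)0x20000088 = 0);
    NONFAILING(*(uint8_t *)0x2000008a = 0);
    NONFAILING(*(uint8_t *)0x2000008b = 0);
    NONFAILING(*(uint32_t *)0x2000008c = 0);
    NONFAILING(*(uint16_t *)0x20000090 = 0);
    NONFAILING(*(uint8_t *)0x20000092 = 0);
    NONFAILING(*(uint8_t *)0x20000093 = 0);
    NONFAILING(*(uint32_t *)0x20000094 = 0);
    NONFAILING(*(uint16_t *)0x20000098 = 0);
    NONFAILING(*(uint8_t *)0x2000009a = 0);
    NONFAILING(*(uint8_t *)0x2000009b = 0);
    NONFAILING(*(uint32_t *)0x2000009c = 0);
    NONFAILING(*(uint16_t *)0x200000a0 = 0);
    NONFAILING(*(uint8_t *)0x200000a2 = 0);
    NONFAILING(*(uint8_t *)0x200000a3 = 0);
    NONFAILING(*(uint32_t *)0x200000a4 = 0);
    NONFAILING(*(uint16_t *)0x200000a8 = 0x210);
    NONFAILING(*(uint8_t *)0x200000aa = 0);
    NONFAILING(*(uint8_t *)0x200000ab = 0);
    NONFAILING(*(uint32_t *)0x200000ac = 0);
    syscall(SYS_ioctl, -1, 0x80104277ul, 0x200000c0ul);

    // open("./bus", 0, 0) on the node created above; keep the descriptor.
    // The path string overwrites the socketpair result at 0x20000000.
    NONFAILING(memcpy((void *)0x20000000, "./bus\000", 6));
    res = syscall(SYS_open, 0x20000000ul, 0ul, 0ul);
    if (res != -1) {
        r[1] = res;
    }

    // Second message header at 0x20000180: no name, no iov, a 0x210-byte
    // control buffer at 0x200004c0. That buffer holds three records with
    // lengths 0xd0, 0xf8 and 0x48 (sum 0x210), each a 16-byte header
    // {len, 0, 0} followed by an opaque payload of 185, 225 and 49 bytes.
    NONFAILING(*(uint64_t *)0x20000180 = 0);
    NONFAILING(*(uint32_t *)0x20000188 = 0);
    NONFAILING(*(uint64_t *)0x20000190 = 0);
    NONFAILING(*(uint64_t *)0x20000198 = 0);
    NONFAILING(*(uint64_t *)0x200001a0 = 0x200004c0);
    NONFAILING(*(uint64_t *)0x200004c0 = 0xd0);
    NONFAILING(*(uint32_t *)0x200004c8 = 0);
    NONFAILING(*(uint32_t *)0x200004cc = 0);
    NONFAILING(memcpy(
        (void *)0x200004d0,
        "\x15\xae\xb4\x7d\xcf\xed\xc4\xcf\xd5\x76\x80\xc2\x2a\xe3\x2c\xd7\x29\xfc"
        "\x40\x8a\xca\x99\x53\x40\x49\x1c\xc7\x74\xf6\x5e\xf8\x6b\xa2\x2c\x7d\x70"
        "\xfe\xc0\xf2\x32\xee\xde\xfd\xc4\x88\x21\x93\x95\x87\x64\x55\xba\xd8\x1c"
        "\x37\x53\xa7\xc1\x92\x78\x77\xce\x5a\x51\x79\x06\xf6\x63\x4a\xf2\x9b\x05"
        "\x15\x42\xe8\x3a\x43\x9b\x30\xf0\xf4\x28\xb7\x52\xd9\xc5\x0d\xc6\xff\x47"
        "\x90\x8c\xc2\x81\xbb\x5f\xcc\x8a\xb9\xec\x25\x32\xc4\xc0\xef\x83\xc7\xaf"
        "\x25\x93\xb2\x2e\x0f\xaa\x8e\x19\x5e\x30\xa8\x85\x1c\xc0\x83\x3a\xa3\x84"
        "\xde\xed\x16\x03\x5a\xce\xa0\x5b\x89\x08\xe5\xd9\x5c\x2e\x93\xe7\x5d\xc9"
        "\x9f\xce\xbe\x78\x53\xb4\x2e\xc8\x28\x90\xa9\xf2\x33\x11\x6d\xa2\xd9\xdc"
        "\x96\x8f\x57\x07\x1c\x38\x55\x01\xbd\x71\xf8\xbf\x16\xa2\xd6\x2a\x90\xc5"
        "\x1c\x6e\xc2\xcb\xc1",
        185));
    NONFAILING(*(uint64_t *)0x20000590 = 0xf8);
    NONFAILING(*(uint32_t *)0x20000598 = 0);
    NONFAILING(*(uint32_t *)0x2000059c = 0);
    NONFAILING(memcpy(
        (void *)0x200005a0,
        "\xf6\xbe\x87\xa6\x49\xf2\x08\x0b\x47\x41\x57\x16\xd4\xb1\xce\x4f\x02\xd8"
        "\x48\x2f\xe2\xbe\xae\x41\xa0\xfe\xc4\xbd\x7f\xc7\x3a\xcc\xfc\xb4\xd3\x12"
        "\xba\x79\xec\xe7\xa0\xdd\x60\xd7\x5a\x42\x1a\x47\x70\xb2\x44\xd1\xac\xf8"
        "\xb3\x91\x6e\x3b\xf3\x3e\x9e\x58\x98\xfd\x0c\xb0\xd3\x21\xd0\x4e\x6f\x5d"
        "\xa6\xde\x61\x58\xfe\x6a\xc0\x14\xab\x9c\xd9\xc9\x78\x6d\x41\x84\x8c\x39"
        "\x1c\xc4\x69\xe1\xf7\xc7\xff\x50\x97\x8b\xb3\xfe\x5f\x42\xe4\x41\x13\x03"
        "\x68\x21\x02\xa6\xb6\x4d\x23\x8a\xe5\x79\xc3\x68\x2a\xf3\x9e\x15\x21\xfc"
        "\x90\x1f\x09\xf4\x22\x1a\x2a\x6f\x53\x7d\x5c\x43\x70\xd3\x0d\x39\x35\x49"
        "\x2b\xea\x93\x11\xd2\x0a\xdd\x0d\xbc\x5e\x7c\xe6\xc7\x23\x9b\x94\x5e\xb8"
        "\xbf\x3e\x7d\x58\xf1\x17\x0a\x41\xb2\x6c\x4c\x92\xa6\x20\x80\xae\x16\x00"
        "\x2d\x4d\x70\x7a\xea\x2b\x3c\xc4\x36\x36\x02\xd0\xb6\x34\x7b\x10\xb6\x82"
        "\xde\x89\x97\x41\xed\xd4\xc6\x93\xd4\xd7\x01\x5f\xb3\xdd\x6a\xa4\x6a\x23"
        "\x09\x9b\x64\xdf\x2c\x66\xed\x14\x99",
        225));
    NONFAILING(*(uint64_t *)0x20000688 = 0x48);
    NONFAILING(*(uint32_t *)0x20000690 = 0);
    NONFAILING(*(uint32_t *)0x20000694 = 0);
    NONFAILING(memcpy(
        (void *)0x20000698,
        "\x6d\x59\x89\xe8\x0a\x38\xa3\xdd\xa3\xb6\x6d\x6b\xe1\xc8\xb5\x3c\x6d\x74"
        "\xb1\x27\x2f\x2a\xeb\x5d\xe8\xa1\x0a\xe1\x97\x0d\xcd\xce\x46\x8b\xb2\x7b"
        "\xaa\xea\xc9\xcc\x4d\x6b\x5b\x21\x46\x03\x85\x7b\x6d",
        49));
    NONFAILING(*(uint64_t *)0x200001a8 = 0x210);
    NONFAILING(*(uint32_t *)0x200001b0 = 0);
    // Again on an invalid descriptor (-1).
    syscall(SYS_sendmsg, -1, 0x20000180ul, 0ul);

    // Final step: ioctl(r[1], 0x82907003, &one) on the "./bus" descriptor.
    // 0x20000040 previously served as the getsockopt optval buffer.
    NONFAILING(*(uint32_t *)0x20000040 = 1);
    syscall(SYS_ioctl, r[1], 0x82907003ul, 0x20000040ul);
}

int main(void)
{
    // Argument arena: 16 MiB at 0x20000000, prot 3 (read|write), flags
    // 0x1012, no backing fd. The result is not checked: if the mapping
    // fails, every NONFAILING() store in loop() is silently unwound and the
    // syscalls run against unmapped addresses.
    syscall(SYS_mmap, 0x20000000ul, 0x1000000ul, 3ul, 0x1012ul, -1, 0ul);
    install_segv_handler();
    use_temporary_dir();
    do_sandbox_none();
    return 0;
}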