Google Git
Sign in
kernel / pub / scm / linux / kernel / git / shuah / linux-arts / ebec47a771cab06af3d956c556a60e1ff05e9f09 / . / syzkaller-repros / linux / 47ec6043e25102603ddbf1b92b58b7181e1f0077.c
blob: f2fcc965af95dd5e8331fd73b3ce4f8732f85cc4 [file] [log] [blame]
// WARNING: kernel stack frame pointer has bad value
// https://syzkaller.appspot.com/bug?id=47ec6043e25102603ddbf1b92b58b7181e1f0077
// status:fixed
// autogenerated by syzkaller (http://github.com/google/syzkaller)
#define _GNU_SOURCE
#include <endian.h>
#include <sys/syscall.h>
#include <unistd.h>
__attribute__((noreturn)) static void doexit(int status)
{
volatile unsigned i;
syscall(__NR_exit_group, status);
for (i = 0;; i++) {
}
}
#include <errno.h>
#include <stdarg.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
const int kFailStatus = 67;
const int kRetryStatus = 69;
static void fail(const char* msg, ...)
{
int e = errno;
va_list args;
va_start(args, msg);
vfprintf(stderr, msg, args);
va_end(args);
fprintf(stderr, " (errno %d)\n", e);
doexit((e == ENOMEM || e == EAGAIN) ? kRetryStatus : kFailStatus);
}
static void use_temporary_dir()
{
char tmpdir_template[] = "./syzkaller.XXXXXX";
char* tmpdir = mkdtemp(tmpdir_template);
if (!tmpdir)
fail("failed to mkdtemp");
if (chmod(tmpdir, 0777))
fail("failed to chmod");
if (chdir(tmpdir))
fail("failed to chdir");
}
static void execute_one();
extern unsigned long long procid;
void loop()
{
while (1) {
execute_one();
}
}
uint64_t r[2] = {0xffffffffffffffff, 0xffffffffffffffff};
void execute_one()
{
long res = 0;
res = syscall(__NR_socket, 0x26, 5, 0);
if (res != -1)
r[0] = res;
*(uint16_t*)0x20000000 = 0x26;
memcpy((void*)0x20000002,
"\x68\x61\x73\x68\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", 14);
*(uint32_t*)0x20000010 = 0;
*(uint32_t*)0x20000014 = 0;
memcpy((void*)0x20000018,
"\x73\x68\x61\x33\x2d\x32\x32\x34\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00",
64);
syscall(__NR_bind, r[0], 0x20000000, 0x58);
*(uint32_t*)0x20000080 = 0;
res = syscall(__NR_accept4, r[0], 0, 0x20000080, 0);
if (res != -1)
r[1] = res;
*(uint64_t*)0x20000440 = 0x20000200;
*(uint64_t*)0x20000448 = 0;
*(uint64_t*)0x20000450 = 0x200002c0;
*(uint64_t*)0x20000458 = 0;
*(uint64_t*)0x20000460 = 0x20000300;
*(uint64_t*)0x20000468 = 0;
*(uint64_t*)0x20000470 = 0x20000380;
*(uint64_t*)0x20000478 = 0;
*(uint64_t*)0x20000480 = 0x20000400;
memcpy((void*)0x20000400, "\xe8\x79\x55\x67\x24\x40\x80\x57\xf2\x41\xeb\xbe"
"\x36\x58\x15\xd3\x6f\xb3\x40\xa5\x51\xd4\xbe\xa4"
"\x43\xf2\xb5\xc2\xd5\xe3\x3b\xca\xa6\x20\x65\xdc"
"\x0c\x8e\xd9\xe9\xe0\xed\xf7\x1f\x39\x38\xa1\x1c"
"\x98\xa1\xb5\xdb\x02",
53);
*(uint64_t*)0x20000488 = 0x35;
syscall(__NR_writev, r[1], 0x20000440, 5);
}
int main()
{
syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0);
char* cwd = get_current_dir_name();
for (;;) {
if (chdir(cwd))
fail("failed to chdir");
use_temporary_dir();
loop();
}
}