| // WARNING: kernel stack frame pointer has bad value |
| // https://syzkaller.appspot.com/bug?id=47ec6043e25102603ddbf1b92b58b7181e1f0077 |
| // status:fixed |
| // autogenerated by syzkaller (http://github.com/google/syzkaller) |
| |
| #define _GNU_SOURCE |
| #include <endian.h> |
| #include <sys/syscall.h> |
| #include <unistd.h> |
| |
/*
 * Terminate the whole process with `status` and never return.
 *
 * exit_group is issued through the raw syscall() interface. The loop that
 * follows only matters if that call were ever to come back: it keeps control
 * from falling off the end of a function declared noreturn.
 */
__attribute__((noreturn)) static void doexit(int status)
{
    volatile unsigned spin = 0;

    syscall(__NR_exit_group, status);
    /* volatile counter: the compiler may not discard this endless loop */
    while (1) {
        spin++;
    }
}
| #include <errno.h> |
| #include <stdarg.h> |
| #include <stdint.h> |
| #include <stdio.h> |
| #include <stdlib.h> |
| #include <string.h> |
| #include <sys/stat.h> |
| |
/*
 * Exit statuses handed to doexit() by fail(): kRetryStatus when errno was
 * ENOMEM or EAGAIN, kFailStatus for every other error.
 */
const int kFailStatus = 67, kRetryStatus = 69;
| |
/*
 * Report a fatal harness error and exit.
 *
 * Prints the printf-style message to stderr, appends the errno value seen on
 * entry, then leaves through doexit(). ENOMEM and EAGAIN map to kRetryStatus;
 * anything else maps to kFailStatus.
 *
 * `msg` is used directly as the format string, so callers must pass a
 * literal format and never externally supplied text.
 */
static void fail(const char* msg, ...)
{
    /* Captured first: the stdio calls below are allowed to overwrite errno. */
    const int saved_errno = errno;
    va_list ap;
    int status;

    va_start(ap, msg);
    vfprintf(stderr, msg, ap);
    va_end(ap);
    fprintf(stderr, " (errno %d)\n", saved_errno);

    if (saved_errno == ENOMEM || saved_errno == EAGAIN) {
        status = kRetryStatus;
    } else {
        status = kFailStatus;
    }
    doexit(status);
}
| |
/*
 * Create a fresh scratch directory under the current directory and chdir
 * into it. Any failing step ends the process through fail().
 */
static void use_temporary_dir()
{
    char name_template[] = "./syzkaller.XXXXXX";
    char* dir = mkdtemp(name_template);

    if (dir == NULL) {
        fail("failed to mkdtemp");
    }
    /*
     * mkdtemp() creates the directory with mode 0700; this widens it to
     * world-writable. Anything left behind in it is therefore reachable by
     * every local account, which matters if the parent directory is shared.
     */
    if (chmod(dir, 0777) != 0) {
        fail("failed to chmod");
    }
    if (chdir(dir) != 0) {
        fail("failed to chdir");
    }
}
| |
/* Forward declaration; the definition follows later in this file. */
static void execute_one();
/* Declared here but not referenced anywhere in this listing. */
extern unsigned long long procid;

/*
 * Run the reproducer body back to back without any delay or exit condition.
 * This function never returns.
 */
void loop()
{
    for (;;) {
        execute_one();
    }
}
| |
/*
 * Descriptors produced by the program: r[0] receives the socket() result and
 * r[1] the accept4() result. Both stay all-ones until the call succeeds.
 */
uint64_t r[2] = {0xffffffffffffffff, 0xffffffffffffffff};

/*
 * One iteration of the reproducer. The file header records this sequence as
 * the trigger for the "kernel stack frame pointer has bad value" warning; the
 * kernel-side cause is not visible from this file.
 *
 * Sequence: open an AF_ALG socket, bind it to the "hash" / "sha3-224"
 * transform, accept an operation socket, then writev() a five-entry iovec in
 * which the first four entries have length 0 and the last carries 53 bytes.
 *
 * All arguments are built at fixed addresses inside the region main() maps
 * at 0x20000000. Only socket() and accept4() have their results looked at;
 * bind() and writev() are unchecked, so a failed earlier step simply feeds
 * an invalid descriptor to the later calls.
 */
void execute_one()
{
    long ret;
    uint64_t* iov = (uint64_t*)0x20000440; /* five {base, len} pairs */

    /* socket(0x26 = AF_ALG, 5 = SOCK_SEQPACKET, 0) */
    ret = syscall(__NR_socket, 0x26, 5, 0);
    if (ret != -1) {
        r[0] = ret;
    }

    /*
     * Address structure at 0x20000000, 0x58 bytes, laid out like
     * struct sockaddr_alg: family, 14-byte type, two 32-bit words (feat,
     * mask), 64-byte algorithm name.
     */
    *(uint16_t*)0x20000000 = 0x26;
    /* type: ASCII "hash", zero padded */
    memcpy((void*)0x20000002,
           "\x68\x61\x73\x68\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", 14);
    *(uint32_t*)0x20000010 = 0;
    *(uint32_t*)0x20000014 = 0;
    /* name: ASCII "sha3-224", zero padded */
    memcpy((void*)0x20000018,
           "\x73\x68\x61\x33\x2d\x32\x32\x34\x00\x00\x00\x00\x00\x00\x00\x00\x00"
           "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
           "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
           "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00",
           64);
    syscall(__NR_bind, r[0], 0x20000000, 0x58);

    /* accept4(fd, NULL, &addrlen, 0) with addrlen preset to 0 */
    *(uint32_t*)0x20000080 = 0;
    ret = syscall(__NR_accept4, r[0], 0, 0x20000080, 0);
    if (ret != -1) {
        r[1] = ret;
    }

    /* Entries 0-3: distinct base addresses, each with length 0. */
    iov[0] = 0x20000200;
    iov[1] = 0;
    iov[2] = 0x200002c0;
    iov[3] = 0;
    iov[4] = 0x20000300;
    iov[5] = 0;
    iov[6] = 0x20000380;
    iov[7] = 0;
    /* Entry 4: the only one with data, 0x35 (53) bytes at 0x20000400. */
    iov[8] = 0x20000400;
    iov[9] = 0x35;
    memcpy((void*)0x20000400, "\xe8\x79\x55\x67\x24\x40\x80\x57\xf2\x41\xeb\xbe"
                              "\x36\x58\x15\xd3\x6f\xb3\x40\xa5\x51\xd4\xbe\xa4"
                              "\x43\xf2\xb5\xc2\xd5\xe3\x3b\xca\xa6\x20\x65\xdc"
                              "\x0c\x8e\xd9\xe9\xe0\xed\xf7\x1f\x39\x38\xa1\x1c"
                              "\x98\xa1\xb5\xdb\x02",
           53);

    syscall(__NR_writev, r[1], 0x20000440, 5);
}
| |
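/*
 * Entry point: map the fixed argument region, remember the start directory,
 * then enter the reproducer loop from a fresh scratch directory.
 *
 * The mmap() result and a NULL from get_current_dir_name() are now checked.
 * Without the first check a failed mapping only shows up later as a fault on
 * the first store in execute_one(), which is easy to mistake for an effect
 * of the kernel bug under test.
 */
int main()
{
    /*
     * 16 MiB at 0x20000000; 3 = PROT_READ|PROT_WRITE and, with the x86
     * Linux flag values, 0x32 = MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS.
     * MAP_FIXED replaces whatever was already mapped in that range.
     */
    if (syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0) == -1) {
        fail("failed to mmap");
    }

    /* Heap-allocated by libc; never freed because the process never returns. */
    char* cwd = get_current_dir_name();
    if (cwd == NULL) {
        fail("failed to get current dir");
    }

    /* loop() does not return, so this body runs once in practice. */
    for (;;) {
        if (chdir(cwd)) {
            fail("failed to chdir");
        }
        use_temporary_dir();
        loop();
    }
}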