| // kernel panic: Out of memory and no killable processes... |
| // https://syzkaller.appspot.com/bug?id=7ccd9a3553ae90adf0e537e126233b44b5178a85 |
| // status:invalid |
| // autogenerated by syzkaller (http://github.com/google/syzkaller) |
| |
#ifndef __NR_bpf
/* Fallback for libc headers that predate the bpf() syscall.  321 is
 * presumably the x86-64 number, so this reproducer is only portable as far
 * as that assumption holds — on another architecture the bpf() calls in
 * thr() would hit a different syscall entirely. */
#define __NR_bpf 321
#endif
| |
| #define _GNU_SOURCE |
| |
| #include <arpa/inet.h> |
| #include <errno.h> |
| #include <fcntl.h> |
| #include <linux/if.h> |
| #include <linux/if_ether.h> |
| #include <linux/if_tun.h> |
| #include <linux/ip.h> |
| #include <linux/tcp.h> |
| #include <net/if_arp.h> |
| #include <pthread.h> |
| #include <sched.h> |
| #include <setjmp.h> |
| #include <signal.h> |
| #include <stdarg.h> |
| #include <stdbool.h> |
| #include <stdint.h> |
| #include <stdio.h> |
| #include <stdlib.h> |
| #include <string.h> |
| #include <sys/ioctl.h> |
| #include <sys/prctl.h> |
| #include <sys/resource.h> |
| #include <sys/stat.h> |
| #include <sys/syscall.h> |
| #include <sys/time.h> |
| #include <sys/wait.h> |
| #include <unistd.h> |
| |
/* Exit codes reported by fail(): kRetryStatus when the failing call's errno
 * was ENOMEM or EAGAIN (transient, worth re-running), kFailStatus otherwise. */
enum {
	kFailStatus = 67,
	kRetryStatus = 69,
};
| |
/* Terminate every thread of the process with the given exit status.
 * exit_group is invoked through syscall() rather than exit()/_exit() so no
 * atexit handlers or stdio flushing run.  The volatile spin loop only exists
 * so the compiler cannot see a noreturn function falling off its end. */
__attribute__((noreturn)) static void doexit(int status)
{
	syscall(__NR_exit_group, status);
	volatile unsigned spin = 0;
	while (1)
		spin++;
}
| |
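/* Print a printf-style diagnostic plus the saved errno to stderr and exit.
 *
 * msg: printf format; the variadic arguments are checked against it at
 *      compile time via the format attribute (the callers build several
 *      messages with %s/%d and this catches a mismatched argument).
 *
 * errno is captured before fflush()/vfprintf() because either may clobber
 * it.  ENOMEM/EAGAIN map to kRetryStatus (transient failure), everything
 * else to kFailStatus. */
__attribute__((noreturn, format(printf, 1, 2))) static void
fail(const char* msg, ...)
{
	int saved_errno = errno;
	va_list ap;
	int status;

	fflush(stdout);
	va_start(ap, msg);
	vfprintf(stderr, msg, ap);
	va_end(ap);
	fprintf(stderr, " (errno %d)\n", saved_errno);

	status = kFailStatus;
	if (saved_errno == ENOMEM || saved_errno == EAGAIN)
		status = kRetryStatus;
	doexit(status);
}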
| |
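/* Mask covering the low bf_len bits, as `type`.  bf_len must be below 64:
 * 1ull << 64 is undefined behaviour.  This file only uses widths 1, 3 and 12
 * (see the VLAN tag built in thr(), case 24). */
#define BITMASK_LEN(type, bf_len) (type)((1ull << (bf_len)) - 1)

/* The same mask moved up to bit position bf_off. */
#define BITMASK_LEN_OFF(type, bf_off, bf_len) \
	(type)(BITMASK_LEN(type, (bf_len)) << (bf_off))

/* Store val into bits [bf_off, bf_off + bf_len) of the `type` object at
 * addr, leaving the other bits untouched.  bf_off == bf_len == 0 means
 * "the whole object": a plain store with no masking.
 *
 * The body is wrapped in do { } while (0) so the macro is a single
 * statement.  The previous bare if/else form left a stray `;` after the
 * closing brace, which turned `if (c) STORE_BY_BITMASK(...); else ...` into
 * a syntax error and would have bound a following `else` to the macro's own
 * `if`.  addr is evaluated more than once, so pass a side-effect-free
 * expression. */
#define STORE_BY_BITMASK(type, addr, val, bf_off, bf_len)                 \
	do {                                                              \
		if ((bf_off) == 0 && (bf_len) == 0) {                     \
			*(type*)(addr) = (type)(val);                     \
		} else {                                                  \
			type new_val = *(type*)(addr);                    \
			new_val &= ~BITMASK_LEN_OFF(type, (bf_off), (bf_len)); \
			new_val |= ((type)(val)&BITMASK_LEN(type, (bf_len))) \
				   << (bf_off);                           \
			*(type*)(addr) = new_val;                         \
		}                                                         \
	} while (0)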
| |
/* Per-thread state behind NONFAILING(): segv_env is the jump target that
 * segv_handler() longjmps to, and skip_segv is non-zero while the thread is
 * inside a NONFAILING region (i.e. a fault there should be skipped, not
 * fatal).  Thread-local because every worker thread in thr() uses them. */
static __thread jmp_buf segv_env;
static __thread int skip_segv;
| |
/* SIGSEGV/SIGBUS handler.  If the faulting thread is inside a NONFAILING
 * region and the fault address lies outside [1 MiB, 100 MiB], control jumps
 * back to the NONFAILING site and the faulting statement is skipped.  Any
 * other fault terminates the process with the signal number as exit status.
 *
 * The fixed data region the reproducer uses (0x20000000, mapped by thr()
 * case 0) is well outside that window, so a store into it before the mmap
 * has happened is simply skipped.  install_segv_handler() sets SA_NODEFER,
 * so the signal is not masked while we run and leaving via _longjmp (which
 * does not restore the mask) is safe.  uctx is unused. */
static void segv_handler(int sig, siginfo_t* info, void* uctx)
{
	const uintptr_t prog_start = 1 << 20;
	const uintptr_t prog_end = 100 << 20;
	uintptr_t fault_addr = (uintptr_t)info->si_addr;
	bool in_prog_window = fault_addr >= prog_start && fault_addr <= prog_end;

	if (!in_prog_window && __atomic_load_n(&skip_segv, __ATOMIC_RELAXED))
		_longjmp(segv_env, 1);
	doexit(sig);
	for (;;) {
	}
}
| |
/* Install segv_handler for SIGSEGV and SIGBUS, and set signals 32 and 33
 * to SIG_IGN via the raw rt_sigaction syscall (presumably the real-time
 * signals libc reserves for its own use, which the libc wrapper refuses to
 * touch).  Passing libc's struct sigaction to the raw syscall only works
 * because every field other than the leading sa_handler is zero; the
 * kernel's layout differs from libc's.  Return values are not checked: if
 * the SIGSEGV handler fails to install, NONFAILING regions crash instead of
 * being skipped. */
static void install_segv_handler()
{
	struct sigaction ignore;
	struct sigaction trap;

	memset(&ignore, 0, sizeof(ignore));
	ignore.sa_handler = SIG_IGN;
	syscall(SYS_rt_sigaction, 0x20, &ignore, NULL, 8);
	syscall(SYS_rt_sigaction, 0x21, &ignore, NULL, 8);

	memset(&trap, 0, sizeof(trap));
	trap.sa_sigaction = segv_handler;
	/* SA_NODEFER: allow the handler to longjmp out without leaving the
	 * signal blocked; SA_SIGINFO: we need si_addr. */
	trap.sa_flags = SA_NODEFER | SA_SIGINFO;
	sigaction(SIGSEGV, &trap, NULL);
	sigaction(SIGBUS, &trap, NULL);
}
| |
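/* Execute the statement in __VA_ARGS__ so that a SIGSEGV/SIGBUS inside it
 * is skipped instead of killing the process: skip_segv is raised, a jump
 * target is recorded, and segv_handler() longjmps back here on a fault.
 * The counter is lowered on both the normal and the longjmp path.
 *
 * __VA_ARGS__ rather than a single parameter so the statement may contain
 * commas (e.g. the memcpy() calls in thr()).  Wrapped in do { } while (0)
 * so the macro is one statement: the previous brace-block form left a stray
 * `;` behind and broke `if (c) NONFAILING(...); else ...`.  Nothing local is
 * modified between _setjmp and the jump, so no volatile is needed. */
#define NONFAILING(...)                                              \
	do {                                                         \
		__atomic_fetch_add(&skip_segv, 1, __ATOMIC_SEQ_CST); \
		if (_setjmp(segv_env) == 0) {                        \
			__VA_ARGS__;                                 \
		}                                                    \
		__atomic_fetch_sub(&skip_segv, 1, __ATOMIC_SEQ_CST); \
	} while (0)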
| |
/* Create ./syzkaller.XXXXXX, make it world-writable and chdir into it.
 * Any failure is fatal.  The 0777 mode is presumably so executors running
 * under other uids can use the directory; on a shared host it also lets any
 * local user create files there, so run this only on a disposable VM. */
static void use_temporary_dir()
{
	char path[] = "./syzkaller.XXXXXX";

	if (mkdtemp(path) == NULL)
		fail("failed to mkdtemp");
	if (chmod(path, 0777) != 0)
		fail("failed to chmod");
	if (chdir(path) != 0)
		fail("failed to chdir");
}
| |
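/* vsnprintf() that treats both an encoding error and truncation as fatal,
 * so every buffer filled through it is guaranteed NUL-terminated and
 * complete.  The format attribute (archetype printf, va_list variant) lets
 * the compiler check the formats passed through the wrappers.
 *
 * str/size: destination buffer; format/args: as for vsnprintf. */
__attribute__((format(printf, 3, 0))) static void
vsnprintf_check(char* str, size_t size, const char* format, va_list args)
{
	int written = vsnprintf(str, size, format, args);

	if (written >= 0 && (size_t)written < size)
		return;
	if (written < 0)
		fail("tun: snprintf failed");
	/* str is still NUL-terminated (size > 0), so printing it is safe. */
	fail("tun: string '%s...' doesn't fit into buffer", str);
}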
| |
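/* Variadic front end for vsnprintf_check(): formats into str (size bytes)
 * and aborts the process on error or truncation.  Format-checked. */
__attribute__((format(printf, 3, 4))) static void
snprintf_check(char* str, size_t size, const char* format, ...)
{
	va_list ap;

	va_start(ap, format);
	vsnprintf_check(str, size, format, ap);
	va_end(ap);
}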
| |
| #define COMMAND_MAX_LEN 128 |
| |
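/* Format a shell command and run it through system(); a non-zero status
 * is fatal.  Format-checked like printf.
 *
 * system() hands the string to /bin/sh, so this is only safe while every
 * caller passes fixed templates plus values derived from a small integer
 * (initialize_tun() does exactly that) — never feed it external input.
 * Note rv is the raw wait status from system(), not the exit code; the
 * message prints it as-is.  va_end() now runs right after the arguments
 * are consumed, before the system() call. */
__attribute__((format(printf, 1, 2))) static void
execute_command(const char* format, ...)
{
	char command[COMMAND_MAX_LEN];
	va_list ap;
	int rv;

	va_start(ap, format);
	vsnprintf_check(command, sizeof(command), format, ap);
	va_end(ap);

	rv = system(command);
	if (rv != 0)
		fail("tun: command \"%s\" failed with code %d", &command[0], rv);
}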
| |
/* File descriptor of the TAP device opened by initialize_tun(); -1 until
 * then, which makes syz_emit_ethernet() a no-op. */
static int tunfd = -1;

enum {
	SYZ_TUN_MAX_PACKET_SIZE = 1000, /* not referenced in this file */
	MAX_PIDS = 32,                  /* upper bound on the executor id */
	ADDR_MAX_LEN = 32,              /* buffer size for the address strings */
};

/* Address templates; the single %-field is the executor id, so each
 * executor gets its own MAC pair, /24 and /120. */
#define LOCAL_MAC "aa:aa:aa:aa:aa:%02hx"
#define REMOTE_MAC "bb:bb:bb:bb:bb:%02hx"

#define LOCAL_IPV4 "172.20.%d.170"
#define REMOTE_IPV4 "172.20.%d.187"

#define LOCAL_IPV6 "fe80::%02hxaa"
#define REMOTE_IPV6 "fe80::%02hxbb"
| |
/* Create and configure the TAP interface "syz<pid>" used by
 * syz_emit_ethernet(): open /dev/net/tun, attach a TAP (no packet-info
 * header) interface, assign addresses and static neighbour entries for a
 * fake peer, then bring the link up.  Every step is fatal on error.
 *
 * pid: executor id, must be below MAX_PIDS.  It selects the MAC/IP values
 *      through the *_MAC / *_IPV4 / *_IPV6 templates.
 *
 * The sysctl/ip commands run through execute_command() (i.e. /bin/sh) and
 * presumably need net-admin privileges; the only variable parts are the
 * interface name and addresses derived from the bounded integer id, so
 * nothing attacker-controlled reaches the shell. */
static void initialize_tun(uint64_t pid)
{
	static const char* const ipv6_sysctls[] = {
	    "accept_dad",
	    "router_solicitations",
	};
	char iface[IFNAMSIZ];
	char local_mac[ADDR_MAX_LEN], remote_mac[ADDR_MAX_LEN];
	char local_ipv4[ADDR_MAX_LEN], remote_ipv4[ADDR_MAX_LEN];
	char local_ipv6[ADDR_MAX_LEN], remote_ipv6[ADDR_MAX_LEN];
	struct ifreq ifr;
	size_t i;
	int id;

	if (pid >= MAX_PIDS)
		fail("tun: no more than %d executors", MAX_PIDS);
	id = (int)pid;

	tunfd = open("/dev/net/tun", O_RDWR | O_NONBLOCK);
	if (tunfd == -1)
		fail("tun: can't open /dev/net/tun");

	/* snprintf_check guarantees iface fits with its NUL, so the strncpy
	 * below always copies the terminator. */
	snprintf_check(iface, sizeof(iface), "syz%d", id);
	memset(&ifr, 0, sizeof(ifr));
	strncpy(ifr.ifr_name, iface, IFNAMSIZ);
	ifr.ifr_flags = IFF_TAP | IFF_NO_PI;
	if (ioctl(tunfd, TUNSETIFF, (void*)&ifr) < 0)
		fail("tun: ioctl(TUNSETIFF) failed");

	snprintf_check(local_mac, sizeof(local_mac), LOCAL_MAC, id);
	snprintf_check(remote_mac, sizeof(remote_mac), REMOTE_MAC, id);
	snprintf_check(local_ipv4, sizeof(local_ipv4), LOCAL_IPV4, id);
	snprintf_check(remote_ipv4, sizeof(remote_ipv4), REMOTE_IPV4, id);
	snprintf_check(local_ipv6, sizeof(local_ipv6), LOCAL_IPV6, id);
	snprintf_check(remote_ipv6, sizeof(remote_ipv6), REMOTE_IPV6, id);

	/* Disable DAD and router solicitations so the link is usable
	 * immediately and does not emit traffic on its own. */
	for (i = 0; i < sizeof(ipv6_sysctls) / sizeof(ipv6_sysctls[0]); i++)
		execute_command("sysctl -w net.ipv6.conf.%s.%s=0", iface,
				ipv6_sysctls[i]);

	execute_command("ip link set dev %s address %s", iface, local_mac);
	execute_command("ip addr add %s/24 dev %s", local_ipv4, iface);
	execute_command("ip -6 addr add %s/120 dev %s", local_ipv6, iface);
	/* Permanent neighbour entries for the fake peer: no ARP/ND needed. */
	execute_command("ip neigh add %s lladdr %s dev %s nud permanent",
			remote_ipv4, remote_mac, iface);
	execute_command("ip -6 neigh add %s lladdr %s dev %s nud permanent",
			remote_ipv6, remote_mac, iface);
	execute_command("ip link set dev %s up", iface);
}
| |
/* Optional TAP setup: does nothing unless enable_tun is set, otherwise
 * defers to initialize_tun(pid). */
static void setup_tun(uint64_t pid, bool enable_tun)
{
	if (!enable_tun)
		return;
	initialize_tun(pid);
}
| |
/* Pseudo-syscall: write one raw Ethernet frame into the TAP device.
 *
 * a0: frame length in bytes (passed to write() unchecked)
 * a1: address of the frame
 * Returns write()'s result, or (uintptr_t)-1 when no TAP device was opened
 * (tunfd is still -1).  The buffer is read by the kernel, so an unmapped
 * address surfaces as a write() error rather than a SIGSEGV; that is why
 * the callers in thr() do not wrap this in NONFAILING. */
static uintptr_t syz_emit_ethernet(uintptr_t a0, uintptr_t a1)
{
	int64_t len = (int64_t)a0;
	const char* frame = (const char*)a1;

	if (tunfd < 0)
		return (uintptr_t)-1;
	return (uintptr_t)write(tunfd, frame, len);
}
| |
| static void loop(); |
| |
/* Set hard/soft resource limit `value` for `resource`; the result is
 * deliberately ignored, as in the rest of this sandbox setup. */
static void apply_limit(int resource, rlim_t value)
{
	struct rlimit lim;

	lim.rlim_cur = value;
	lim.rlim_max = value;
	setrlimit(resource, &lim);
}

/* Best-effort containment for the child that runs loop():
 *  - die with SIGKILL when the parent goes away (PR_SET_PDEATHSIG);
 *  - become a process-group leader; NOTE(review): setsid() is called
 *    right after setpgrp(), and per POSIX setsid() fails with EPERM for a
 *    process-group leader, so it is effectively a no-op here — its return
 *    value is not checked;
 *  - cap address space (128 MiB), locked memory, file size, stack and
 *    core size.  These bound the process's own allocations only, not
 *    kernel memory allocated on its behalf;
 *  - unshare mount, IPC and I/O context.  These need privileges and are
 *    unchecked, so unprivileged runs silently get no namespace isolation. */
static void sandbox_common()
{
	prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
	setpgrp();
	setsid();

	apply_limit(RLIMIT_AS, 128 << 20);
	apply_limit(RLIMIT_MEMLOCK, 8 << 20);
	apply_limit(RLIMIT_FSIZE, 1 << 20);
	apply_limit(RLIMIT_STACK, 1 << 20);
	apply_limit(RLIMIT_CORE, 0);

	unshare(CLONE_NEWNS);
	unshare(CLONE_NEWIPC);
	unshare(CLONE_IO);
}
| |
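/* Fork the sandboxed worker.  The parent gets the child's pid back; the
 * child applies sandbox_common(), optionally sets up the TAP device for
 * executor_pid, and runs loop() forever (doexit(1) is only reached if
 * loop() ever returned).
 *
 * A failed fork() is now reported through fail() instead of being returned
 * as -1: previously main() would have passed -1 to waitpid(), which waits
 * for *any* child and, with none present, returned -1 and made main() exit
 * successfully without having run anything. */
static int do_sandbox_none(int executor_pid, bool enable_tun)
{
	int pid = fork();

	if (pid < 0)
		fail("fork failed");
	if (pid > 0)
		return pid;

	/* child */
	sandbox_common();
	setup_tun(executor_pid, enable_tun);

	loop();
	doexit(1);
}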
| |
| static void test(); |
| |
/* Run test() rounds back to back; never returns.  The reproducer keeps
 * going until the kernel crashes or the process is killed. */
void loop()
{
	for (;;)
		test();
}
| |
| long r[323]; |
/* Worker thread body.  arg selects one of 25 syscall "programs"
 * (case 0..24); test() starts every case twice, so a program can run
 * concurrently with itself.  Results go into the shared r[] array without
 * any synchronisation, and later cases read slots written by earlier ones
 * (r[73], r[78], r[208], r[210], r[218], r[239]); a reader may see -1
 * (test() resets r[] before each round) or a value written by a thread
 * still running from an earlier round.  That nondeterminism is the point
 * of the reproducer, not a bug to fix here.
 *
 * Every store into the fixed data region at 0x20000000 is wrapped in
 * NONFAILING, so a fault (e.g. case 0's mmap has not run yet) is skipped.
 * Several casts narrow 64-bit literals ((uint16_t)0xfffffffffffff802,
 * (uint8_t)0x400, ...); the truncated value is what the generator emitted
 * and the stores are kept verbatim.  The switch has no default: an arg
 * outside 0..24 does nothing.  Always returns NULL. */
void* thr(void* arg)
{
	switch ((long)arg) {
	case 0:
		/* Map the data region all other cases write into: 0xfff000
		 * bytes at 0x20000000, prot 0x3, flags 0x32 (presumably
		 * PROT_READ|PROT_WRITE and MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS),
		 * fd -1. */
		r[0] = syscall(__NR_mmap, 0x20000000ul, 0xfff000ul, 0x3ul, 0x32ul,
			       0xfffffffffffffffful, 0x0ul);
		break;
	case 1:
		/* perf_event_open(attr at 0x2001d000 with size field 0x78,
		 * pid 0, cpu 0, group_fd -1, flags 0). */
		NONFAILING(*(uint32_t*)0x2001d000 = (uint32_t)0x0);
		NONFAILING(*(uint32_t*)0x2001d004 = (uint32_t)0x78);
		NONFAILING(*(uint8_t*)0x2001d008 = (uint8_t)0x0);
		NONFAILING(*(uint8_t*)0x2001d009 = (uint8_t)0x0);
		NONFAILING(*(uint8_t*)0x2001d00a = (uint8_t)0x0);
		NONFAILING(*(uint8_t*)0x2001d00b = (uint8_t)0x0);
		NONFAILING(*(uint32_t*)0x2001d00c = (uint32_t)0x0);
		NONFAILING(*(uint64_t*)0x2001d010 = (uint64_t)0x0);
		NONFAILING(*(uint64_t*)0x2001d018 = (uint64_t)0x0);
		NONFAILING(*(uint64_t*)0x2001d020 = (uint64_t)0x0);
		NONFAILING(*(uint8_t*)0x2001d028 = (uint8_t)0x0);
		NONFAILING(*(uint8_t*)0x2001d029 = (uint8_t)0x0);
		NONFAILING(*(uint8_t*)0x2001d02a = (uint8_t)0x0);
		NONFAILING(*(uint8_t*)0x2001d02b = (uint8_t)0x0);
		NONFAILING(*(uint32_t*)0x2001d02c = (uint32_t)0x0);
		NONFAILING(*(uint32_t*)0x2001d030 = (uint32_t)0x0);
		NONFAILING(*(uint32_t*)0x2001d034 = (uint32_t)0x0);
		NONFAILING(*(uint64_t*)0x2001d038 = (uint64_t)0x0);
		NONFAILING(*(uint64_t*)0x2001d040 = (uint64_t)0x0);
		NONFAILING(*(uint64_t*)0x2001d048 = (uint64_t)0x0);
		NONFAILING(*(uint64_t*)0x2001d050 = (uint64_t)0x0);
		NONFAILING(*(uint64_t*)0x2001d058 = (uint64_t)0x0);
		NONFAILING(*(uint32_t*)0x2001d060 = (uint32_t)0x0);
		NONFAILING(*(uint64_t*)0x2001d068 = (uint64_t)0x0);
		NONFAILING(*(uint32_t*)0x2001d070 = (uint32_t)0x0);
		NONFAILING(*(uint16_t*)0x2001d074 = (uint16_t)0x0);
		NONFAILING(*(uint16_t*)0x2001d076 = (uint16_t)0x0);
		r[28] = syscall(__NR_perf_event_open, 0x2001d000ul, 0x0ul, 0x0ul,
				0xfffffffffffffffful, 0x0ul);
		break;
	case 2:
		/* getsockopt on fd 0xffffffffffffff9c (-100, the AT_FDCWD
		 * value) with level 0x84, optname 0x9 and a 0xa0-byte buffer.
		 * -100 is not a socket, so only the error path is exercised. */
		NONFAILING(*(uint32_t*)0x2023c000 = (uint32_t)0x0);
		NONFAILING(*(uint16_t*)0x2023c004 = (uint16_t)0xa);
		NONFAILING(*(uint16_t*)0x2023c006 = (uint16_t)0x204e);
		NONFAILING(*(uint32_t*)0x2023c008 = (uint32_t)0x0);
		NONFAILING(*(uint8_t*)0x2023c00c = (uint8_t)0x0);
		NONFAILING(*(uint8_t*)0x2023c00d = (uint8_t)0x0);
		NONFAILING(*(uint8_t*)0x2023c00e = (uint8_t)0x0);
		NONFAILING(*(uint8_t*)0x2023c00f = (uint8_t)0x0);
		NONFAILING(*(uint8_t*)0x2023c010 = (uint8_t)0x0);
		NONFAILING(*(uint8_t*)0x2023c011 = (uint8_t)0x0);
		NONFAILING(*(uint8_t*)0x2023c012 = (uint8_t)0x0);
		NONFAILING(*(uint8_t*)0x2023c013 = (uint8_t)0x0);
		NONFAILING(*(uint8_t*)0x2023c014 = (uint8_t)0x0);
		NONFAILING(*(uint8_t*)0x2023c015 = (uint8_t)0x0);
		NONFAILING(*(uint8_t*)0x2023c016 = (uint8_t)0x0);
		NONFAILING(*(uint8_t*)0x2023c017 = (uint8_t)0x0);
		NONFAILING(*(uint8_t*)0x2023c018 = (uint8_t)0x0);
		NONFAILING(*(uint8_t*)0x2023c019 = (uint8_t)0x0);
		NONFAILING(*(uint8_t*)0x2023c01a = (uint8_t)0x0);
		NONFAILING(*(uint8_t*)0x2023c01b = (uint8_t)0x0);
		NONFAILING(*(uint32_t*)0x2023c01c = (uint32_t)0x0);
		NONFAILING(*(uint64_t*)0x2023c024 = (uint64_t)0x0);
		NONFAILING(*(uint64_t*)0x2023c02c = (uint64_t)0x0);
		NONFAILING(*(uint64_t*)0x2023c034 = (uint64_t)0x0);
		NONFAILING(*(uint64_t*)0x2023c03c = (uint64_t)0x0);
		NONFAILING(*(uint64_t*)0x2023c044 = (uint64_t)0x0);
		NONFAILING(*(uint64_t*)0x2023c04c = (uint64_t)0x0);
		NONFAILING(*(uint64_t*)0x2023c054 = (uint64_t)0x0);
		NONFAILING(*(uint64_t*)0x2023c05c = (uint64_t)0x0);
		NONFAILING(*(uint64_t*)0x2023c064 = (uint64_t)0x0);
		NONFAILING(*(uint64_t*)0x2023c06c = (uint64_t)0x0);
		NONFAILING(*(uint64_t*)0x2023c074 = (uint64_t)0x0);
		NONFAILING(*(uint64_t*)0x2023c07c = (uint64_t)0x0);
		NONFAILING(*(uint32_t*)0x2023c08c = (uint32_t)0x0);
		NONFAILING(*(uint16_t*)0x2023c090 = (uint16_t)0x0);
		NONFAILING(*(uint32_t*)0x2023c092 = (uint32_t)0x0);
		NONFAILING(*(uint32_t*)0x2023c096 = (uint32_t)0x0);
		NONFAILING(*(uint32_t*)0x2023c09a = (uint32_t)0x0);
		NONFAILING(*(uint32_t*)0x20d62000 = (uint32_t)0xa0);
		r[68] = syscall(__NR_getsockopt, 0xffffffffffffff9cul, 0x84ul,
				0x9ul, 0x2023c000ul, 0x20d62000ul);
		break;
	case 3:
		/* ioctl(-1, 0x800443d2, ...): invalid fd, error path only. */
		NONFAILING(*(uint32_t*)0x20f90000 = (uint32_t)0x3);
		NONFAILING(*(uint64_t*)0x20f90008 = (uint64_t)0x20c3a000);
		r[71] = syscall(__NR_ioctl, 0xfffffffffffffffful, 0x800443d2ul,
				0x20f90000ul);
		break;
	case 4:
		/* openat(AT_FDCWD, "/dev/qat_adf_ctl", 0x242200, 0); the bytes
		 * below spell that path.  Result r[73] feeds cases 5 and 6. */
		NONFAILING(memcpy((void*)0x204e1000,
				  "\x2f\x64\x65\x76\x2f\x71\x61\x74\x5f\x61\x64\x66"
				  "\x5f\x63\x74\x6c\x00",
				  17));
		r[73] = syscall(__NR_openat, 0xffffffffffffff9cul, 0x204e1000ul,
				0x242200ul, 0x0ul);
		break;
	case 5:
		/* ioctl(r[73], 0x541c, 2-byte buffer).  (uint8_t)0x400
		 * truncates to 0 — generator output, kept as-is. */
		NONFAILING(*(uint8_t*)0x20b4cffe = (uint8_t)0x7);
		NONFAILING(*(uint8_t*)0x20b4cfff = (uint8_t)0x400);
		r[76] = syscall(__NR_ioctl, r[73], 0x541cul, 0x20b4cffeul);
		break;
	case 6:
		/* ioctl(r[73], 0x540f, 0x20ccaffc); the argument buffer is not
		 * initialised by this case. */
		r[77] = syscall(__NR_ioctl, r[73], 0x540ful, 0x20ccaffcul);
		break;
	case 7:
		/* socket(0x2000000011, 3, 0x300) -> r[78].  The family argument
		 * is an int, so the high bits are presumably dropped and this
		 * is family 0x11 / type 3 / protocol 0x300. */
		r[78] = syscall(__NR_socket, 0x2000000011ul, 0x3ul, 0x300ul);
		break;
	case 8:
		/* getsockopt(r[78], 0x84, 0x6f, optval at 0x20feaff0, optlen 0x10).
		 * The optval points (at +8) to a run of sockaddr_in /
		 * sockaddr_in6-shaped records (families 0x2 / 0xa, ports 0x4e20..
		 * 0x4e23 in network order) built at 0x20196f30.  r[78] is -1
		 * unless case 7 has already run. */
		NONFAILING(*(uint32_t*)0x20feaff0 = (uint32_t)0x0);
		NONFAILING(*(uint32_t*)0x20feaff4 = (uint32_t)0xa);
		NONFAILING(*(uint64_t*)0x20feaff8 = (uint64_t)0x20196f30);
		NONFAILING(*(uint16_t*)0x20196f30 = (uint16_t)0x2);
		NONFAILING(*(uint16_t*)0x20196f32 = (uint16_t)0x204e);
		NONFAILING(*(uint8_t*)0x20196f34 = (uint8_t)0xac);
		NONFAILING(*(uint8_t*)0x20196f35 = (uint8_t)0x14);
		NONFAILING(*(uint8_t*)0x20196f36 = (uint8_t)0x0);
		NONFAILING(*(uint8_t*)0x20196f37 = (uint8_t)0xbb);
		NONFAILING(*(uint8_t*)0x20196f38 = (uint8_t)0x0);
		NONFAILING(*(uint8_t*)0x20196f39 = (uint8_t)0x0);
		NONFAILING(*(uint8_t*)0x20196f3a = (uint8_t)0x0);
		NONFAILING(*(uint8_t*)0x20196f3b = (uint8_t)0x0);
		NONFAILING(*(uint8_t*)0x20196f3c = (uint8_t)0x0);
		NONFAILING(*(uint8_t*)0x20196f3d = (uint8_t)0x0);
		NONFAILING(*(uint8_t*)0x20196f3e = (uint8_t)0x0);
		NONFAILING(*(uint8_t*)0x20196f3f = (uint8_t)0x0);
		NONFAILING(*(uint16_t*)0x20196f40 = (uint16_t)0x2);
		NONFAILING(*(uint16_t*)0x20196f42 = (uint16_t)0x214e);
		NONFAILING(*(uint32_t*)0x20196f44 = (uint32_t)0x0);
		NONFAILING(*(uint8_t*)0x20196f48 = (uint8_t)0x0);
		NONFAILING(*(uint8_t*)0x20196f49 = (uint8_t)0x0);
		NONFAILING(*(uint8_t*)0x20196f4a = (uint8_t)0x0);
		NONFAILING(*(uint8_t*)0x20196f4b = (uint8_t)0x0);
		NONFAILING(*(uint8_t*)0x20196f4c = (uint8_t)0x0);
		NONFAILING(*(uint8_t*)0x20196f4d = (uint8_t)0x0);
		NONFAILING(*(uint8_t*)0x20196f4e = (uint8_t)0x0);
		NONFAILING(*(uint8_t*)0x20196f4f = (uint8_t)0x0);
		NONFAILING(*(uint16_t*)0x20196f50 = (uint16_t)0xa);
		NONFAILING(*(uint16_t*)0x20196f52 = (uint16_t)0x224e);
		NONFAILING(*(uint32_t*)0x20196f54 = (uint32_t)0x81);
		NONFAILING(*(uint8_t*)0x20196f58 = (uint8_t)0x0);
		NONFAILING(*(uint8_t*)0x20196f59 = (uint8_t)0x0);
		NONFAILING(*(uint8_t*)0x20196f5a = (uint8_t)0x0);
		NONFAILING(*(uint8_t*)0x20196f5b = (uint8_t)0x0);
		NONFAILING(*(uint8_t*)0x20196f5c = (uint8_t)0x0);
		NONFAILING(*(uint8_t*)0x20196f5d = (uint8_t)0x0);
		NONFAILING(*(uint8_t*)0x20196f5e = (uint8_t)0x0);
		NONFAILING(*(uint8_t*)0x20196f5f = (uint8_t)0x0);
		NONFAILING(*(uint8_t*)0x20196f60 = (uint8_t)0x0);
		NONFAILING(*(uint8_t*)0x20196f61 = (uint8_t)0x0);
		NONFAILING(*(uint8_t*)0x20196f62 = (uint8_t)0x0);
		NONFAILING(*(uint8_t*)0x20196f63 = (uint8_t)0x0);
		NONFAILING(*(uint8_t*)0x20196f64 = (uint8_t)0x0);
		NONFAILING(*(uint8_t*)0x20196f65 = (uint8_t)0x0);
		NONFAILING(*(uint8_t*)0x20196f66 = (uint8_t)0x0);
		NONFAILING(*(uint8_t*)0x20196f67 = (uint8_t)0x0);
		NONFAILING(*(uint32_t*)0x20196f68 = (uint32_t)0x80000001);
		NONFAILING(*(uint16_t*)0x20196f6c = (uint16_t)0xa);
		NONFAILING(*(uint16_t*)0x20196f6e = (uint16_t)0x214e);
		NONFAILING(*(uint32_t*)0x20196f70 = (uint32_t)0x0);
		NONFAILING(*(uint64_t*)0x20196f74 = (uint64_t)0x0);
		NONFAILING(*(uint64_t*)0x20196f7c = (uint64_t)0x100000000000000);
		NONFAILING(*(uint32_t*)0x20196f84 = (uint32_t)0x100000001);
		NONFAILING(*(uint16_t*)0x20196f88 = (uint16_t)0x2);
		NONFAILING(*(uint16_t*)0x20196f8a = (uint16_t)0x234e);
		NONFAILING(*(uint32_t*)0x20196f8c = (uint32_t)0x100007f);
		NONFAILING(*(uint8_t*)0x20196f90 = (uint8_t)0x0);
		NONFAILING(*(uint8_t*)0x20196f91 = (uint8_t)0x0);
		NONFAILING(*(uint8_t*)0x20196f92 = (uint8_t)0x0);
		NONFAILING(*(uint8_t*)0x20196f93 = (uint8_t)0x0);
		NONFAILING(*(uint8_t*)0x20196f94 = (uint8_t)0x0);
		NONFAILING(*(uint8_t*)0x20196f95 = (uint8_t)0x0);
		NONFAILING(*(uint8_t*)0x20196f96 = (uint8_t)0x0);
		NONFAILING(*(uint8_t*)0x20196f97 = (uint8_t)0x0);
		NONFAILING(*(uint16_t*)0x20196f98 = (uint16_t)0xa);
		NONFAILING(*(uint16_t*)0x20196f9a = (uint16_t)0x214e);
		NONFAILING(*(uint32_t*)0x20196f9c = (uint32_t)0x3);
		NONFAILING(*(uint64_t*)0x20196fa0 = (uint64_t)0x0);
		NONFAILING(*(uint64_t*)0x20196fa8 = (uint64_t)0x100000000000000);
		NONFAILING(*(uint32_t*)0x20196fb0 = (uint32_t)0x4);
		NONFAILING(*(uint16_t*)0x20196fb4 = (uint16_t)0x2);
		NONFAILING(*(uint16_t*)0x20196fb6 = (uint16_t)0x214e);
		NONFAILING(*(uint32_t*)0x20196fb8 = (uint32_t)0x0);
		NONFAILING(*(uint8_t*)0x20196fbc = (uint8_t)0x0);
		NONFAILING(*(uint8_t*)0x20196fbd = (uint8_t)0x0);
		NONFAILING(*(uint8_t*)0x20196fbe = (uint8_t)0x0);
		NONFAILING(*(uint8_t*)0x20196fbf = (uint8_t)0x0);
		NONFAILING(*(uint8_t*)0x20196fc0 = (uint8_t)0x0);
		NONFAILING(*(uint8_t*)0x20196fc1 = (uint8_t)0x0);
		NONFAILING(*(uint8_t*)0x20196fc2 = (uint8_t)0x0);
		NONFAILING(*(uint8_t*)0x20196fc3 = (uint8_t)0x0);
		NONFAILING(*(uint16_t*)0x20196fc4 = (uint16_t)0x2);
		NONFAILING(*(uint16_t*)0x20196fc6 = (uint16_t)0x204e);
		NONFAILING(*(uint32_t*)0x20196fc8 = (uint32_t)0x100007f);
		NONFAILING(*(uint8_t*)0x20196fcc = (uint8_t)0x0);
		NONFAILING(*(uint8_t*)0x20196fcd = (uint8_t)0x0);
		NONFAILING(*(uint8_t*)0x20196fce = (uint8_t)0x0);
		NONFAILING(*(uint8_t*)0x20196fcf = (uint8_t)0x0);
		NONFAILING(*(uint8_t*)0x20196fd0 = (uint8_t)0x0);
		NONFAILING(*(uint8_t*)0x20196fd1 = (uint8_t)0x0);
		NONFAILING(*(uint8_t*)0x20196fd2 = (uint8_t)0x0);
		NONFAILING(*(uint8_t*)0x20196fd3 = (uint8_t)0x0);
		NONFAILING(*(uint16_t*)0x20196fd4 = (uint16_t)0xa);
		NONFAILING(*(uint16_t*)0x20196fd6 = (uint16_t)0x224e);
		NONFAILING(*(uint32_t*)0x20196fd8 = (uint32_t)0x5);
		NONFAILING(*(uint64_t*)0x20196fdc = (uint64_t)0x0);
		NONFAILING(*(uint64_t*)0x20196fe4 = (uint64_t)0x100000000000000);
		NONFAILING(*(uint32_t*)0x20196fec = (uint32_t)0x8000);
		NONFAILING(*(uint16_t*)0x20196ff0 = (uint16_t)0x2);
		NONFAILING(*(uint16_t*)0x20196ff2 = (uint16_t)0x234e);
		NONFAILING(*(uint8_t*)0x20196ff4 = (uint8_t)0xac);
		NONFAILING(*(uint8_t*)0x20196ff5 = (uint8_t)0x14);
		NONFAILING(*(uint8_t*)0x20196ff6 = (uint8_t)0x0);
		NONFAILING(*(uint8_t*)0x20196ff7 = (uint8_t)0xaa);
		NONFAILING(*(uint8_t*)0x20196ff8 = (uint8_t)0x0);
		NONFAILING(*(uint8_t*)0x20196ff9 = (uint8_t)0x0);
		NONFAILING(*(uint8_t*)0x20196ffa = (uint8_t)0x0);
		NONFAILING(*(uint8_t*)0x20196ffb = (uint8_t)0x0);
		NONFAILING(*(uint8_t*)0x20196ffc = (uint8_t)0x0);
		NONFAILING(*(uint8_t*)0x20196ffd = (uint8_t)0x0);
		NONFAILING(*(uint8_t*)0x20196ffe = (uint8_t)0x0);
		NONFAILING(*(uint8_t*)0x20196fff = (uint8_t)0x0);
		NONFAILING(*(uint32_t*)0x20015ffc = (uint32_t)0x10);
		r[193] = syscall(__NR_getsockopt, r[78], 0x84ul, 0x6ful,
				 0x20feaff0ul, 0x20015ffcul);
		break;
	case 9:
		/* bpf(cmd 0x5, attr at 0x20001fd0, 0x30 bytes): presumably
		 * BPF_PROG_LOAD of a single instruction stored at 0x20000000,
		 * with an empty license string at 0x20fdbfef and a log buffer
		 * pointer but log_size 0.  The two narrowing casts below are
		 * generator output. */
		NONFAILING(*(uint32_t*)0x20001fd0 = (uint32_t)0x0);
		NONFAILING(*(uint32_t*)0x20001fd4 = (uint32_t)0x1);
		NONFAILING(*(uint64_t*)0x20001fd8 = (uint64_t)0x20000000);
		NONFAILING(*(uint64_t*)0x20001fe0 = (uint64_t)0x20fdbfef);
		NONFAILING(*(uint32_t*)0x20001fe8 = (uint32_t)0x0);
		NONFAILING(*(uint32_t*)0x20001fec = (uint32_t)0x0);
		NONFAILING(*(uint64_t*)0x20001ff0 = (uint64_t)0x20b92fd0);
		NONFAILING(*(uint32_t*)0x20001ff8 = (uint32_t)0x0);
		NONFAILING(*(uint8_t*)0x20000000 = (uint8_t)0x0);
		NONFAILING(*(uint8_t*)0x20000001 = (uint8_t)0x0);
		NONFAILING(*(uint16_t*)0x20000002 = (uint16_t)0xfffffffffffff802);
		NONFAILING(*(uint32_t*)0x20000004 = (uint32_t)0xffffffffffffffff);
		NONFAILING(memcpy((void*)0x20fdbfef, "\x00", 1));
		r[207] = syscall(__NR_bpf, 0x5ul, 0x20001fd0ul, 0x30ul);
		break;
	case 10:
		/* socket(2, 0x80002, 0x10004) -> r[208], used by cases 11 and 22. */
		r[208] = syscall(__NR_socket, 0x2ul, 0x80002ul, 0x10004ul);
		break;
	case 11:
		/* ioctl(r[208], 0x541b, 0x20a67000). */
		r[209] = syscall(__NR_ioctl, r[208], 0x541bul, 0x20a67000ul);
		break;
	case 12:
		/* socket(0x11, 0x802, 0x300) -> r[210], the fd most of the
		 * remaining cases operate on. */
		r[210] = syscall(__NR_socket, 0x11ul, 0x802ul, 0x300ul);
		break;
	case 13:
		/* setsockopt(r[210], level 0x107, optname 0x12, 0x20000000, 4):
		 * reads whatever case 9 or 23 last left at 0x20000000. */
		r[211] = syscall(__NR_setsockopt, r[210], 0x107ul, 0x12ul,
				 0x20000000ul, 0x4ul);
		break;
	case 14:
		/* setsockopt(r[210], level 1, optname 8, &(uint32_t)0, 4). */
		NONFAILING(*(uint32_t*)0x20f87000 = (uint32_t)0x0);
		r[213] = syscall(__NR_setsockopt, r[210], 0x1ul, 0x8ul,
				 0x20f87000ul, 0x4ul);
		break;
	case 15:
		/* getsockopt(r[210], 0x84, 0xd, 8-byte buffer).  On success the
		 * first word is published to r[218] for cases 19 and 21. */
		NONFAILING(*(uint32_t*)0x2061c000 = (uint32_t)0x0);
		NONFAILING(*(uint32_t*)0x2061c004 = (uint32_t)0x8);
		NONFAILING(*(uint32_t*)0x20acf000 = (uint32_t)0x8);
		r[217] = syscall(__NR_getsockopt, r[210], 0x84ul, 0xdul,
				 0x2061c000ul, 0x20acf000ul);
		if (r[217] != -1)
			NONFAILING(r[218] = *(uint32_t*)0x2061c000);
		break;
	case 16:
		/* sendto(r[210], 0x20c58fb4, len 0, flags -1, 0x1c-byte
		 * sockaddr with family 0xa at 0x205fb000). */
		NONFAILING(*(uint16_t*)0x205fb000 = (uint16_t)0xa);
		NONFAILING(*(uint16_t*)0x205fb002 = (uint16_t)0x214e);
		NONFAILING(*(uint32_t*)0x205fb004 = (uint32_t)0x1);
		NONFAILING(*(uint64_t*)0x205fb008 = (uint64_t)0x0);
		NONFAILING(*(uint64_t*)0x205fb010 = (uint64_t)0x100000000000000);
		NONFAILING(*(uint32_t*)0x205fb018 = (uint32_t)0x8);
		r[225] = syscall(__NR_sendto, r[210], 0x20c58fb4ul, 0x0ul,
				 0xfffffffffffffffful, 0x205fb000ul, 0x1cul);
		break;
	case 17:
		/* ioctl(r[210], 0x894c, &(uint32_t)0x4aef). */
		NONFAILING(*(uint32_t*)0x20081ffc = (uint32_t)0x4aef);
		r[227] = syscall(__NR_ioctl, r[210], 0x894cul, 0x20081ffcul);
		break;
	case 18:
		/* bpf(cmd 0x2, attr at 0x20453fe0, 0x20 bytes) with the first
		 * attr field (presumably map_fd) set to -1, so this is expected
		 * to fail on the descriptor. */
		NONFAILING(*(uint32_t*)0x20453fe0 = (uint32_t)0xffffffffffffffff);
		NONFAILING(*(uint64_t*)0x20453fe8 = (uint64_t)0x20e65000);
		NONFAILING(*(uint64_t*)0x20453ff0 = (uint64_t)0x20859000);
		NONFAILING(*(uint64_t*)0x20453ff8 = (uint64_t)0x1);
		r[232] = syscall(__NR_bpf, 0x2ul, 0x20453fe0ul, 0x20ul);
		break;
	case 19:
		/* getsockopt(r[210], 0x84, 0x71, {r[218], 4}, &8): r[218] is
		 * read racily; it is -1 unless case 15 succeeded first. */
		NONFAILING(*(uint32_t*)0x2037d000 = r[218]);
		NONFAILING(*(uint32_t*)0x2037d004 = (uint32_t)0x4);
		NONFAILING(*(uint32_t*)0x201e4ffc = (uint32_t)0x8);
		r[236] = syscall(__NR_getsockopt, r[210], 0x84ul, 0x71ul,
				 0x2037d000ul, 0x201e4ffcul);
		break;
	case 20:
		/* getsockopt(r[210], level 1, optname 0x11, 0x2096a000, &0xc).
		 * On success the first word is published to r[239] for case 22. */
		NONFAILING(*(uint32_t*)0x203baffc = (uint32_t)0xc);
		r[238] = syscall(__NR_getsockopt, r[210], 0x1ul, 0x11ul,
				 0x2096a000ul, 0x203baffcul);
		if (r[238] != -1)
			NONFAILING(r[239] = *(uint32_t*)0x2096a000);
		break;
	case 21:
		/* setsockopt(r[210], 0x84, 0x9, 0xa0-byte struct at 0x20460f60
		 * whose first word is the racy r[218]).  (uint32_t)0xff0000000000
		 * truncates to 0 — generator output. */
		NONFAILING(*(uint32_t*)0x20460f60 = r[218]);
		NONFAILING(*(uint16_t*)0x20460f64 = (uint16_t)0x2);
		NONFAILING(*(uint16_t*)0x20460f66 = (uint16_t)0x214e);
		NONFAILING(*(uint32_t*)0x20460f68 = (uint32_t)0x0);
		NONFAILING(*(uint8_t*)0x20460f6c = (uint8_t)0x0);
		NONFAILING(*(uint8_t*)0x20460f6d = (uint8_t)0x0);
		NONFAILING(*(uint8_t*)0x20460f6e = (uint8_t)0x0);
		NONFAILING(*(uint8_t*)0x20460f6f = (uint8_t)0x0);
		NONFAILING(*(uint8_t*)0x20460f70 = (uint8_t)0x0);
		NONFAILING(*(uint8_t*)0x20460f71 = (uint8_t)0x0);
		NONFAILING(*(uint8_t*)0x20460f72 = (uint8_t)0x0);
		NONFAILING(*(uint8_t*)0x20460f73 = (uint8_t)0x0);
		NONFAILING(*(uint64_t*)0x20460f74 = (uint64_t)0x0);
		NONFAILING(*(uint64_t*)0x20460f7c = (uint64_t)0x0);
		NONFAILING(*(uint64_t*)0x20460f84 = (uint64_t)0x0);
		NONFAILING(*(uint64_t*)0x20460f8c = (uint64_t)0x0);
		NONFAILING(*(uint64_t*)0x20460f94 = (uint64_t)0x0);
		NONFAILING(*(uint64_t*)0x20460f9c = (uint64_t)0x0);
		NONFAILING(*(uint64_t*)0x20460fa4 = (uint64_t)0x0);
		NONFAILING(*(uint64_t*)0x20460fac = (uint64_t)0x0);
		NONFAILING(*(uint64_t*)0x20460fb4 = (uint64_t)0x0);
		NONFAILING(*(uint64_t*)0x20460fbc = (uint64_t)0x0);
		NONFAILING(*(uint64_t*)0x20460fc4 = (uint64_t)0x0);
		NONFAILING(*(uint64_t*)0x20460fcc = (uint64_t)0x0);
		NONFAILING(*(uint64_t*)0x20460fd4 = (uint64_t)0x0);
		NONFAILING(*(uint64_t*)0x20460fdc = (uint64_t)0x0);
		NONFAILING(*(uint64_t*)0x20460fe4 = (uint64_t)0x0);
		NONFAILING(*(uint32_t*)0x20460fec = (uint32_t)0xff0000000000);
		NONFAILING(*(uint16_t*)0x20460ff0 = (uint16_t)0x1);
		NONFAILING(*(uint32_t*)0x20460ff2 = (uint32_t)0x80000001);
		NONFAILING(*(uint32_t*)0x20460ff6 = (uint32_t)0x1000);
		NONFAILING(*(uint32_t*)0x20460ffa = (uint32_t)0x20);
		r[272] = syscall(__NR_setsockopt, r[210], 0x84ul, 0x9ul,
				 0x20460f60ul, 0xa0ul);
		break;
	case 22:
		/* ioctl(r[208], 0x8901, &r[239]) — r[239] read racily. */
		NONFAILING(*(uint32_t*)0x207d5000 = r[239]);
		r[274] = syscall(__NR_ioctl, r[208], 0x8901ul, 0x207d5000ul);
		break;
	case 23:
		/* Inject a 0x81-byte frame (dst ef:ad:07:00:00:a7, src all
		 * zero, followed by generator-chosen bytes) into the tap device.
		 * syz_emit_ethernet() returns -1 if no tap device was opened.
		 * This also overwrites the start of 0x20000000 that cases 9 and
		 * 13 use. */
		NONFAILING(
		    memcpy((void*)0x20000000, "\xef\xad\x07\x00\x00\xa7", 6));
		NONFAILING(*(uint8_t*)0x20000006 = (uint8_t)0x0);
		NONFAILING(*(uint8_t*)0x20000007 = (uint8_t)0x0);
		NONFAILING(*(uint8_t*)0x20000008 = (uint8_t)0x0);
		NONFAILING(*(uint8_t*)0x20000009 = (uint8_t)0x0);
		NONFAILING(*(uint8_t*)0x2000000a = (uint8_t)0x0);
		NONFAILING(*(uint8_t*)0x2000000b = (uint8_t)0x0);
		NONFAILING(*(uint16_t*)0x2000000c = (uint16_t)0x0);
		NONFAILING(*(uint16_t*)0x2000000e = (uint16_t)0x7100);
		NONFAILING(*(uint8_t*)0x20000010 = (uint8_t)0x0);
		NONFAILING(*(uint8_t*)0x20000011 = (uint8_t)0x0);
		NONFAILING(memcpy((void*)0x20000012, "\x9a", 1));
		NONFAILING(memcpy((void*)0x20000013, "\x2f\x3f\x7b", 3));
		NONFAILING(*(uint16_t*)0x20000016 = (uint16_t)0x0);
		NONFAILING(memcpy(
		    (void*)0x20000018,
		    "\xbb\xf7\x8b\x9a\x1e\xf9\xd7\x58\x5c\x44\xdc\x14\x2e\xcb\xaf"
		    "\x80\x66\xd2\x61\x0e\x91\xb0\xe5\xce\xa2\x2f\xde\xe4\x0a\x7e"
		    "\x5f\x9e\x41\xdd\x99\xf8\xfb\xe9\xb2\x8d\x03\xe6\xb4\x99\x2c"
		    "\x5b\x98\xa2\xc3\x7c\x5e\xbe\x16\x92\xbc\xc8\xfb\xc1\xec\xad"
		    "\x74\xff\xe1\xff\x13\xc5\x05\xb9\x66\xc4\x2b\x6d\x44\xa1\x2c"
		    "\xe0\x6c\x5a\x04\x31\x56\xfd\x53\xcd\xbf\xdc\xbb\x08\x9e\xb0"
		    "\xfc\x74\x3f\xd2\xa7\x4c\x56\x1b\x81\x03\x20\x17\xdf\x10\x93",
		    105));
		r[290] = syz_emit_ethernet(0x81ul, 0x20000000ul);
		break;
	case 24:
		/* Inject a 0x2e-byte frame: dst aa:aa:aa:aa:aa:00 (LOCAL_MAC
		 * for executor id 0, i.e. the tap's own address), src
		 * b4:2d:d4:91:aa:6c, ethertype bytes 81 00 (802.1Q tag) with a
		 * TCI assembled from the three STORE_BY_BITMASK bit-fields, then
		 * ethertype bytes 88 08 and what looks like an ARP-shaped body
		 * (hw type 1, proto 0x0800, hlen 6, plen 4, target MAC
		 * bb:bb:bb:bb:bb:00, both addresses 224.0.0.2). */
		NONFAILING(*(uint8_t*)0x209cbfd2 = (uint8_t)0xaa);
		NONFAILING(*(uint8_t*)0x209cbfd3 = (uint8_t)0xaa);
		NONFAILING(*(uint8_t*)0x209cbfd4 = (uint8_t)0xaa);
		NONFAILING(*(uint8_t*)0x209cbfd5 = (uint8_t)0xaa);
		NONFAILING(*(uint8_t*)0x209cbfd6 = (uint8_t)0xaa);
		NONFAILING(*(uint8_t*)0x209cbfd7 = (uint8_t)0x0);
		NONFAILING(
		    memcpy((void*)0x209cbfd8, "\xb4\x2d\xd4\x91\xaa\x6c", 6));
		NONFAILING(*(uint16_t*)0x209cbfde = (uint16_t)0x81);
		NONFAILING(STORE_BY_BITMASK(uint16_t, 0x209cbfe0, 0x3, 0, 3));
		NONFAILING(STORE_BY_BITMASK(uint16_t, 0x209cbfe0, 0x20, 3, 1));
		NONFAILING(STORE_BY_BITMASK(uint16_t, 0x209cbfe0, 0x800, 4, 12));
		NONFAILING(*(uint16_t*)0x209cbfe2 = (uint16_t)0x888);
		NONFAILING(*(uint16_t*)0x209cbfe4 = (uint16_t)0x100);
		NONFAILING(*(uint16_t*)0x209cbfe6 = (uint16_t)0x8);
		NONFAILING(*(uint8_t*)0x209cbfe8 = (uint8_t)0x6);
		NONFAILING(*(uint8_t*)0x209cbfe9 = (uint8_t)0x4);
		NONFAILING(*(uint16_t*)0x209cbfea = (uint16_t)0xb00);
		NONFAILING(*(uint8_t*)0x209cbfec = (uint8_t)0x0);
		NONFAILING(*(uint8_t*)0x209cbfed = (uint8_t)0x0);
		NONFAILING(*(uint8_t*)0x209cbfee = (uint8_t)0x0);
		NONFAILING(*(uint8_t*)0x209cbfef = (uint8_t)0x0);
		NONFAILING(*(uint8_t*)0x209cbff0 = (uint8_t)0x0);
		NONFAILING(*(uint8_t*)0x209cbff1 = (uint8_t)0x0);
		NONFAILING(*(uint32_t*)0x209cbff2 = (uint32_t)0x20000e0);
		NONFAILING(*(uint8_t*)0x209cbff6 = (uint8_t)0xbb);
		NONFAILING(*(uint8_t*)0x209cbff7 = (uint8_t)0xbb);
		NONFAILING(*(uint8_t*)0x209cbff8 = (uint8_t)0xbb);
		NONFAILING(*(uint8_t*)0x209cbff9 = (uint8_t)0xbb);
		NONFAILING(*(uint8_t*)0x209cbffa = (uint8_t)0xbb);
		NONFAILING(*(uint8_t*)0x209cbffb = (uint8_t)0x0);
		NONFAILING(*(uint32_t*)0x209cbffc = (uint32_t)0x20000e0);
		r[322] = syz_emit_ethernet(0x2eul, 0x209cbfd2ul);
		break;
	}
	return 0;
}
| |
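/* One fuzzing round: reset the result slots, then start every one of the
 * 25 programs in thr() twice (50 threads), with randomised gaps between
 * starts so the two instances and the dependent cases interleave
 * differently each time, and finally sleep up to 100 ms before the caller
 * starts the next round.
 *
 * The threads are never joined.  They are therefore created detached, so
 * that a finished thread's stack and TLS are reclaimed; with the previous
 * joinable threads every round leaked 50 thread stacks and, under the
 * RLIMIT_AS/RLIMIT_STACK limits set in sandbox_common(), pthread_create()
 * would presumably start failing after a few rounds.  A thread blocked in
 * a syscall is unaffected either way.  pthread_create() failures are
 * still ignored on purpose: a missing thread only changes the interleaving.
 * srand(getpid()) is called every round, so the sleep pattern repeats
 * from one round to the next. */
void test()
{
	long i;
	pthread_attr_t attr;

	memset(r, -1, sizeof(r));
	srand(getpid());

	pthread_attr_init(&attr);
	pthread_attr_setdetachstate(&attr, PTHREAD_CREATE_DETACHED);

	for (i = 0; i < 25; i++) {
		pthread_t th;
		pthread_create(&th, &attr, thr, (void*)i);
		usleep(rand() % 10000);
	}
	for (i = 0; i < 25; i++) {
		pthread_t th;
		pthread_create(&th, &attr, thr, (void*)i);
		if (rand() % 2)
			usleep(rand() % 10000);
	}

	pthread_attr_destroy(&attr);
	usleep(rand() % 100000);
}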
| |
/* Entry point: install the fault handler, move into a private temp
 * directory, fork the sandboxed worker (executor id 0, TAP enabled, so the
 * interface is "syz0") and wait for it.  __WALL makes waitpid() reap the
 * child regardless of how it was cloned; the exit status is not inspected.
 * In practice the child never exits on its own — this program is a kernel
 * crash reproducer meant for a disposable VM. */
int main()
{
	int status = 0;
	int child;

	install_segv_handler();
	use_temporary_dir();
	child = do_sandbox_none(0, true);
	for (;;) {
		if (waitpid(child, &status, __WALL) == child)
			break;
	}
	return 0;
}