Google Git
Sign in
kernel / pub / scm / linux / kernel / git / shuah / linux-arts / fda3a6268584782d265ee38794c23e1b5b521eb1 / . / syzkaller-repros / linux / 61db0298a6967decdc09de586c547f4cec913045.c
blob: b2fd0bb1556094da5332f5e024849fa5cd9ceec7 [file] [log] [blame]
// general protection fault in gcmaes_crypt_by_sg
// https://syzkaller.appspot.com/bug?id=61db0298a6967decdc09de586c547f4cec913045
// status:open
// autogenerated by syzkaller (https://github.com/google/syzkaller)
#define _GNU_SOURCE
#include <endian.h>
#include <errno.h>
#include <fcntl.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>
static bool write_file(const char* file, const char* what, ...)
{
char buf[1024];
va_list args;
va_start(args, what);
vsnprintf(buf, sizeof(buf), what, args);
va_end(args);
buf[sizeof(buf) - 1] = 0;
int len = strlen(buf);
int fd = open(file, O_WRONLY | O_CLOEXEC);
if (fd == -1)
return false;
if (write(fd, buf, len) != len) {
int err = errno;
close(fd);
errno = err;
return false;
}
close(fd);
return true;
}
static int inject_fault(int nth)
{
int fd;
fd = open("/proc/thread-self/fail-nth", O_RDWR);
if (fd == -1)
exit(1);
char buf[16];
sprintf(buf, "%d", nth + 1);
if (write(fd, buf, strlen(buf)) != (ssize_t)strlen(buf))
exit(1);
return fd;
}
static void setup_fault()
{
static struct {
const char* file;
const char* val;
bool fatal;
} files[] = {
{"/sys/kernel/debug/failslab/ignore-gfp-wait", "N", true},
{"/sys/kernel/debug/fail_futex/ignore-private", "N", false},
{"/sys/kernel/debug/fail_page_alloc/ignore-gfp-highmem", "N", false},
{"/sys/kernel/debug/fail_page_alloc/ignore-gfp-wait", "N", false},
{"/sys/kernel/debug/fail_page_alloc/min-order", "0", false},
};
unsigned i;
for (i = 0; i < sizeof(files) / sizeof(files[0]); i++) {
if (!write_file(files[i].file, files[i].val)) {
if (files[i].fatal)
exit(1);
}
}
}
uint64_t r[3] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff};
int main(void)
{
syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0);
setup_fault();
intptr_t res = 0;
res = syscall(__NR_pipe, 0x200000c0);
if (res != -1) {
r[0] = *(uint32_t*)0x200000c0;
r[1] = *(uint32_t*)0x200000c4;
}
sprintf((char*)0x20000440, "%023llo", (long long)-1);
syscall(__NR_write, r[1], 0x20000440, 0x17);
syscall(__NR_perf_event_open, 0, 0, 0, -1, 0);
syscall(__NR_close, r[1]);
res = syscall(__NR_socket, 0xa, 1, 0);
if (res != -1)
r[2] = res;
*(uint32_t*)0x200000c0 = 1;
syscall(__NR_setsockopt, r[2], 6, 0x13, 0x200000c0, 4);
*(uint16_t*)0x20000140 = 0xa;
*(uint16_t*)0x20000142 = htobe16(0);
*(uint32_t*)0x20000144 = htobe32(0);
memcpy((void*)0x20000148,
"\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000",
16);
*(uint32_t*)0x20000158 = 0;
syscall(__NR_connect, r[2], 0x20000140, 0x1c);
memcpy((void*)0x20000040, "tls\000", 4);
syscall(__NR_setsockopt, r[2], 6, 0x1f, 0x20000040, 0x355);
*(uint16_t*)0x20000180 = 0x303;
*(uint16_t*)0x20000182 = 0x33;
memcpy((void*)0x20000184, "\x65\x8b\xdc\xe8\xf1\x6b\x69\x01", 8);
memcpy((void*)0x2000018c,
"\x9f\xae\x19\x47\xfe\x62\x57\x6d\x6d\x75\x73\xc5\x5f\x79\x5e\x68",
16);
memcpy((void*)0x2000019c, "\xa4\x3c\xc8\x0d", 4);
memcpy((void*)0x200001a0, "\xca\x90\xbc\x29\xc8\xf9\x1c\xf6", 8);
syscall(__NR_setsockopt, r[1], 0x11a, 1, 0x20000180, 0x28);
inject_fault(1);
syscall(__NR_splice, r[0], 0, r[1], 0, 0x100000300, 0);
return 0;
}