| // general protection fault in gcmaes_crypt_by_sg |
| // https://syzkaller.appspot.com/bug?id=61db0298a6967decdc09de586c547f4cec913045 |
| // status:open |
| // autogenerated by syzkaller (https://github.com/google/syzkaller) |
| |
| #define _GNU_SOURCE |
| |
| #include <endian.h> |
| #include <errno.h> |
| #include <fcntl.h> |
| #include <stdarg.h> |
| #include <stdbool.h> |
| #include <stdint.h> |
| #include <stdio.h> |
| #include <stdlib.h> |
| #include <string.h> |
| #include <sys/stat.h> |
| #include <sys/syscall.h> |
| #include <sys/types.h> |
| #include <unistd.h> |
| |
// Formats a printf-style message and writes it to an already existing file.
//
// The message is rendered into a 1024-byte stack buffer, so longer output is
// truncated. The file is opened write-only with O_CLOEXEC and is never
// created. Returns true only when the whole message went out in a single
// write(); on a failed or short write the errno left by write() is kept
// across the close().
static bool write_file(const char* file, const char* what, ...)
{
	char text[1024];
	va_list ap;

	va_start(ap, what);
	vsnprintf(text, sizeof(text), what, ap);
	va_end(ap);
	text[sizeof(text) - 1] = 0;
	int text_len = strlen(text);

	int out = open(file, O_WRONLY | O_CLOEXEC);
	if (out == -1)
		return false;

	bool complete = write(out, text, text_len) == text_len;
	if (complete) {
		close(out);
	} else {
		// close() may overwrite errno; callers get the write() error.
		int saved = errno;
		close(out);
		errno = saved;
	}
	return complete;
}
| |
// Arms the kernel's per-thread fault injection by writing the decimal value
// nth + 1 to /proc/thread-self/fail-nth.
//
// Calls exit(1) when the file cannot be opened or the value is not written
// completely. The descriptor is returned still open; closing it is left to
// the caller.
static int inject_fault(int nth)
{
	char count[16];
	int fail_fd = open("/proc/thread-self/fail-nth", O_RDWR);

	if (fail_fd == -1)
		exit(1);
	// 16 bytes hold any "%d" rendering of an int, including sign and NUL.
	snprintf(count, sizeof(count), "%d", nth + 1);
	size_t count_len = strlen(count);
	if (write(fail_fd, count, count_len) != (ssize_t)count_len)
		exit(1);
	return fail_fd;
}
| |
// Writes fixed values to the fault-injection controls under
// /sys/kernel/debug so that failslab, fail_futex and fail_page_alloc do not
// skip the cases named by their ignore-* switches.
//
// Only the failslab control is mandatory: if it cannot be written the
// process exits with status 1. Failures on the other controls are ignored.
static void setup_fault()
{
	static struct {
		const char* path;
		const char* value;
		bool required;
	} knobs[] = {
	    {"/sys/kernel/debug/failslab/ignore-gfp-wait", "N", true},
	    {"/sys/kernel/debug/fail_futex/ignore-private", "N", false},
	    {"/sys/kernel/debug/fail_page_alloc/ignore-gfp-highmem", "N", false},
	    {"/sys/kernel/debug/fail_page_alloc/ignore-gfp-wait", "N", false},
	    {"/sys/kernel/debug/fail_page_alloc/min-order", "0", false},
	};
	const unsigned total = sizeof(knobs) / sizeof(knobs[0]);

	for (unsigned idx = 0; idx < total; idx++) {
		if (write_file(knobs[idx].path, knobs[idx].value))
			continue;
		if (knobs[idx].required)
			exit(1);
	}
}
| |
// Descriptor slots filled in by main(): r[0] and r[1] from pipe(), r[2] from
// socket(). All-ones marks a slot that was never assigned.
uint64_t r[3] = {UINT64_MAX, UINT64_MAX, UINT64_MAX};
| |
// Replays the fixed syscall sequence syzkaller recorded for the report
// "general protection fault in gcmaes_crypt_by_sg".
//
// Every argument is a recorded constant and the order of the calls is part
// of the reproducer, so nothing here is reordered. Only the results of
// pipe() and socket() are looked at; every other return value is ignored.
// setup_fault() exits with status 1 when the failslab debugfs control cannot
// be written, so the program needs a kernel with fault injection exposed in
// debugfs and enough privilege to write to it.
int main(void)
{
	// Scratch locations inside the fixed mapping created by the first call.
	uint32_t* const fd_pair = (uint32_t*)0x200000c0;
	uint32_t* const opt_word = (uint32_t*)0x200000c0; // reuses the pipe() output slot
	char* const octal_text = (char*)0x20000440;
	char* const peer = (char*)0x20000140;
	char* const ulp_name = (char*)0x20000040;
	char* const tls_info = (char*)0x20000180;
	intptr_t res = 0;

	// 16 MiB at 0x20000000, prot 3 (read|write), flags 0x32
	// (MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS on Linux). The result is not
	// checked; every store below assumes the mapping exists.
	syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0);
	setup_fault();

	// r[0] = read end, r[1] = write end of a pipe.
	res = syscall(__NR_pipe, fd_pair);
	if (res != -1) {
		r[0] = fd_pair[0];
		r[1] = fd_pair[1];
	}

	// Queue 0x17 (23) bytes of text in the pipe: -1 printed in octal,
	// zero-padded to 23 characters.
	sprintf(octal_text, "%023llo", (long long)-1);
	syscall(__NR_write, r[1], octal_text, 0x17);

	// NULL attr pointer; presumably fails and is leftover fuzzer noise.
	syscall(__NR_perf_event_open, 0, 0, 0, -1, 0);

	// The write end is closed, but r[1] keeps its old number.
	syscall(__NR_close, r[1]);

	// Family 0xa (AF_INET6), type 1 (SOCK_STREAM).
	res = syscall(__NR_socket, 0xa, 1, 0);
	if (res != -1)
		r[2] = res;

	// Level 6 / option 0x13 is IPPROTO_TCP / TCP_REPAIR on Linux; value 1.
	*opt_word = 1;
	syscall(__NR_setsockopt, r[2], 6, 0x13, opt_word, 4);

	// 0x1c-byte IPv6 socket address: family 0xa, port 0, flowinfo 0,
	// all-zero address, scope id 0.
	*(uint16_t*)(peer + 0x00) = 0xa;
	*(uint16_t*)(peer + 0x02) = htobe16(0);
	*(uint32_t*)(peer + 0x04) = htobe32(0);
	memset(peer + 0x08, 0, 16);
	*(uint32_t*)(peer + 0x18) = 0;
	syscall(__NR_connect, r[2], peer, 0x1c);

	// Option 0x1f is TCP_ULP; the name is "tls". The recorded length 0x355
	// is larger than the 4 bytes written here.
	memcpy(ulp_name, "tls\000", 4);
	syscall(__NR_setsockopt, r[2], 6, 0x1f, ulp_name, 0x355);

	// 0x28 bytes laid out like struct tls12_crypto_info_aes_gcm_128 from
	// <linux/tls.h>: version 0x303 (TLS 1.2), cipher 0x33 (AES-GCM-128),
	// then iv[8], key[16], salt[4], rec_seq[8]. The byte strings are the
	// recorded fuzzer values.
	*(uint16_t*)(tls_info + 0x00) = 0x303;
	*(uint16_t*)(tls_info + 0x02) = 0x33;
	memcpy(tls_info + 0x04, "\x65\x8b\xdc\xe8\xf1\x6b\x69\x01", 8);
	memcpy(tls_info + 0x0c,
	       "\x9f\xae\x19\x47\xfe\x62\x57\x6d\x6d\x75\x73\xc5\x5f\x79\x5e\x68",
	       16);
	memcpy(tls_info + 0x1c, "\xa4\x3c\xc8\x0d", 4);
	memcpy(tls_info + 0x20, "\xca\x90\xbc\x29\xc8\xf9\x1c\xf6", 8);

	// Level 0x11a / option 1 is SOL_TLS / TLS_TX. NOTE(review): this call
	// and the splice() below use r[1], the number of the pipe end closed
	// above, not r[2]. They reach the socket only if socket() was handed
	// that same descriptor number; confirm with strace when triaging.
	syscall(__NR_setsockopt, r[1], 0x11a, 1, tls_info, 0x28);

	// Arm fault injection for this thread (inject_fault() writes 2 to
	// fail-nth); the returned descriptor is deliberately not closed.
	inject_fault(1);

	// Move the queued pipe data into r[1]; this is the last recorded call
	// before the reported fault.
	syscall(__NR_splice, r[0], 0, r[1], 0, 0x100000300, 0);
	return 0;
}