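// https://syzkaller.appspot.com/bug?id=12ead29884166e5196c2435d029aa748559f731b
// autogenerated by syzkaller (https://github.com/google/syzkaller)
//
// Kernel-bug reproducer. It opens /dev/nullb0 with O_DIRECT, opens a loop
// device, hands the nullb fd to LOOP_CONFIGURE (0x4c0a) with lo_offset = 8
// and LO_FLAGS 0x1c, then issues a second loop ioctl (0x4c09) with a NULL
// argument.
//
// Handling notes for anyone running this:
//  * It needs root / CAP_SYS_ADMIN: it writes kernel sysctls, opens a block
//    device read-write and (re)configures a loop device.
//  * setup_sysctl() deliberately lowers host hardening (kptr_restrict=0,
//    bpf_jit_harden=0, debug-level printk) to make crash reports useful.
//    Those settings outlive the process.
//  * It was generated to trigger a kernel bug (see the link above), so the
//    expected outcome is a kernel crash or hang. Run it only in a disposable
//    VM, never on a machine whose availability or data matters.
//
// The original page had its #include lines stripped to bare "#include";
// they are restored below to the standard headers the code actually uses.

#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

// Create a fresh scratch directory under the current directory and chdir
// into it. Any failure is fatal (exit(1)).
// The directory is made world-writable (0777); that is the generated
// syzkaller convention and is acceptable only on a throwaway VM.
static void use_temporary_dir(void)
{
  char tmpl[] = "./syzkaller.XXXXXX";
  char *dir = mkdtemp(tmpl);
  if (!dir)
    exit(1);
  if (chmod(dir, 0777))
    exit(1);
  if (chdir(dir))
    exit(1);
}

// Format `what` printf-style and write it to an existing file (the file is
// opened O_WRONLY|O_CLOEXEC, never created).
// Returns true on success. Returns false, with errno set, when the file
// cannot be opened, the formatted text does not fit the 1 KiB local buffer
// (errno = E2BIG; silently writing a truncated sysctl value would be worse
// than failing), or the write is short (errno preserved from write()).
static bool write_file(const char *file, const char *what, ...)
{
  char buf[1024];
  va_list args;

  va_start(args, what);
  int n = vsnprintf(buf, sizeof(buf), what, args);
  va_end(args);
  if (n < 0 || (size_t)n >= sizeof(buf)) {
    errno = E2BIG;
    return false;
  }

  int fd = open(file, O_WRONLY | O_CLOEXEC);
  if (fd == -1)
    return false;

  bool ok = write(fd, buf, (size_t)n) == n;
  if (!ok) {
    int saved = errno; // close() may clobber errno
    close(fd);
    errno = saved;
    return false;
  }
  close(fd);
  return true;
}

// syzkaller's syz_open_dev pseudo-syscall.
//  * a0 == 0xc or 0xb: open /dev/char/<a1>:<a2> or /dev/block/<a1>:<a2>
//    with O_RDWR. Major and minor are truncated to 8 bits, as generated.
//  * otherwise a0 is a NUL-terminated path template: every '#' is replaced
//    by successive decimal digits of a1 (least significant first, '0' once
//    the digits run out) and the result is opened with flags a2.
// Returns the fd, or -1 with errno set by open(). The template is copied
// (truncated to 1023 bytes) so the caller's buffer is never modified.
static long syz_open_dev(volatile long a0, volatile long a1, volatile long a2)
{
  char path[1024];

  if (a0 == 0xc || a0 == 0xb) {
    snprintf(path, sizeof(path), "/dev/%s/%d:%d",
             a0 == 0xc ? "char" : "block", (uint8_t)a1, (uint8_t)a2);
    return open(path, O_RDWR, 0);
  }

  snprintf(path, sizeof(path), "%s", (const char *)a0);
  unsigned long digits = a1;
  for (char *p = strchr(path, '#'); p; p = strchr(p + 1, '#')) {
    *p = '0' + (char)(digits % 10);
    digits /= 10;
  }
  return open(path, a2, 0);
}

// Apply syzkaller's standard kernel tuning before the reproducer runs.
// Each sysctl write is best-effort: a missing file (different kernel or
// config) is ignored on purpose, so the reproducer still runs.
//
// Security note: kptr_restrict=0 and bpf_jit_harden=0 weaken the host's
// hardening, and printk "7 4 1 3" enables debug-level console output.
// None of this is reverted on exit.
//
// A child that sleeps forever is installed as kernel.cad_pid (with
// ctrl-alt-del=0); presumably so a Ctrl-Alt-Del during the run signals that
// child rather than init — confirm against the kernel sysctl docs. The child
// is killed and reaped before returning.
static void setup_sysctl(void)
{
  int cad_pid = fork();
  if (cad_pid < 0)
    exit(1);
  if (cad_pid == 0) {
    for (;;)
      sleep(100);
  }

  char tmppid[32];
  snprintf(tmppid, sizeof(tmppid), "%d", cad_pid);

  struct {
    const char *name;
    const char *data;
  } files[] = {
      {"/sys/kernel/debug/x86/nmi_longest_ns", "10000000000"},
      {"/proc/sys/kernel/hung_task_check_interval_secs", "20"},
      {"/proc/sys/net/core/bpf_jit_kallsyms", "1"},
      {"/proc/sys/net/core/bpf_jit_harden", "0"},
      {"/proc/sys/kernel/kptr_restrict", "0"},
      {"/proc/sys/kernel/softlockup_all_cpu_backtrace", "1"},
      {"/proc/sys/fs/mount-max", "100"},
      {"/proc/sys/vm/oom_dump_tasks", "0"},
      {"/proc/sys/debug/exception-trace", "0"},
      {"/proc/sys/kernel/printk", "7 4 1 3"},
      {"/proc/sys/kernel/keys/gc_delay", "1"},
      {"/proc/sys/vm/oom_kill_allocating_task", "1"},
      {"/proc/sys/kernel/ctrl-alt-del", "0"},
      {"/proc/sys/kernel/cad_pid", tmppid},
  };
  for (size_t i = 0; i < sizeof(files) / sizeof(files[0]); i++) {
    // Best-effort by design; failures are deliberately not fatal.
    (void)write_file(files[i].name, files[i].data);
  }

  kill(cad_pid, SIGKILL);
  while (waitpid(cad_pid, NULL, 0) != cad_pid)
    ;
}

// Resources produced by the program: r[0] = nullb fd, r[1] = loop fd.
// -1 (all ones) means "not obtained"; later calls then use an invalid fd,
// exactly as the generated reproducer does.
uint64_t r[2] = {0xffffffffffffffff, 0xffffffffffffffff};

int main(void)
{
  // syzkaller's fixed scratch mapping: a 16 MiB RWX window at
  // 0x200000000000 with PROT_NONE guard pages on either side. All syscall
  // argument buffers below live inside that window.
  syscall(__NR_mmap, /*addr=*/0x1ffffffff000ul, /*len=*/0x1000ul,
          /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul,
          /*fd=*/(intptr_t)-1, /*offset=*/0ul);
  syscall(__NR_mmap, /*addr=*/0x200000000000ul, /*len=*/0x1000000ul,
          /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul,
          /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul,
          /*fd=*/(intptr_t)-1, /*offset=*/0ul);
  syscall(__NR_mmap, /*addr=*/0x200001000000ul, /*len=*/0x1000ul,
          /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul,
          /*fd=*/(intptr_t)-1, /*offset=*/0ul);

  setup_sysctl();
  use_temporary_dir();

  intptr_t res = 0;
  // The empty if-body only silences warn_unused_result on write().
  if (write(1, "executing program\n", sizeof("executing program\n") - 1)) {
  }

  // openat$nullb: open the null_blk device read-write, O_DIRECT.
  //   flags 0x2c240 = O_TRUNC|O_NOFOLLOW|O_LARGEFILE|O_DIRECT|O_CREAT
  // Needs the null_blk module/driver to be present; returns fd_block.
  memcpy((void *)0x200000000040, "/dev/nullb0\000", 12);
  res = syscall(__NR_openat, /*fd=*/0xffffffffffffff9cul,
                /*file=*/0x200000000040ul,
                /*flags=O_TRUNC|O_NOFOLLOW|O_LARGEFILE|O_DIRECT|O_CREAT*/ 0x2c240,
                /*mode=*/0);
  if (res != -1)
    r[0] = res;

  // syz_open_dev$loop: "/dev/loop#" with id 0x47ffffa -> "/dev/loop2"
  // (the single '#' takes the least significant decimal digit of the id).
  //   flags 0x122c42 = O_NONBLOCK|O_NOFOLLOW|O_CREAT|FASYNC|O_APPEND|0x100002
  // Returns fd_loop.
  memcpy((void *)0x200000000080, "/dev/loop#\000", 11);
  res = -1;
  res = syz_open_dev(
      /*dev=*/0x200000000080, /*id=*/0x47ffffa,
      /*flags=O_NONBLOCK|O_NOFOLLOW|O_CREAT|FASYNC|O_APPEND|0x100002*/ 0x122c42);
  if (res != -1)
    r[1] = res;

  // ioctl$LOOP_CONFIGURE(fd_loop, 0x4c0a, &loop_config) with the structure
  // laid out by hand at 0x200000000440 (offsets are struct loop_config /
  // struct loop_info64 field offsets):
  *(uint32_t *)0x200000000440 = r[0]; // fd: the nullb fd (truncated to u32)
  *(uint32_t *)0x200000000444 = 0;    // block_size
  *(uint64_t *)0x200000000448 = 0;    // info.lo_device
  *(uint64_t *)0x200000000450 = 0;    // info.lo_inode
  *(uint64_t *)0x200000000458 = 0;    // info.lo_rdevice
  *(uint64_t *)0x200000000460 = 8;    // info.lo_offset: 8 bytes into the backing dev
  *(uint64_t *)0x200000000468 = 0;    // info.lo_sizelimit
  *(uint32_t *)0x200000000470 = 0;    // info.lo_number
  *(uint32_t *)0x200000000474 = 0;    // info.lo_encrypt_type
  *(uint32_t *)0x200000000478 = 0x13; // info.lo_encrypt_key_size
  *(uint32_t *)0x20000000047c = 0x1c; // info.lo_flags (per linux/loop.h:
                                      // AUTOCLEAR|PARTSCAN|DIRECT_IO)
  // info.lo_file_name[64]: fuzzer-chosen bytes, not a real path.
  memcpy((void *)0x200000000480,
         "\x33\x9f\x02\x0b\xbe\x78\xb3\x98\x43\xd6\x01\x01\x00\x00\x00\x00\x00"
         "\x08\x0d\x0e\xc0\xc1\xb4\xe9\xb1\xc4\x36\x9d\x03\x74\x02\x50\xce\xaa"
         "\xc5\x94\xb1\xb3\xd7\x41\xdd\x17\xc1\x8e\x84\x38\xef\x2a\x56\x5e\xf1"
         "\xe8\x33\x23\x69\x5c\x58\xd6\x65\x00\x00\x00\x00\x00",
         64);
  // info.lo_crypt_name[64]
  memcpy((void *)0x2000000004c0,
         "\xa1\x16\x39\x39\xc7\x87\xa1\x6c\x1c\xa4\x3f\x85\x39\xf3\xd3\x28\x97"
         "\x37\xf0\x37\x4c\x72\xa9\x64\xa0\x19\x3b\x3e\x87\x72\xfd\x29\xf3\x52"
         "\x39\xd2\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
         "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00",
         64);
  // info.lo_encrypt_key[32]
  memcpy((void *)0x200000000500,
         "\x24\x43\x1a\x39\x77\xa6\x8e\x17\x4f\x00\x5e\x95\xac\x6a\x00\x00\x00"
         "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00",
         32);
  *(uint64_t *)0x200000000520 = 0; // info.lo_init[0]
  *(uint64_t *)0x200000000528 = 0; // info.lo_init[1]
  memset((void *)0x200000000530, 0, 64); // __reserved[64]
  syscall(__NR_ioctl, /*fd=*/r[1], /*cmd=*/0x4c0a, /*arg=*/0x200000000440ul);

  // Second loop ioctl, cmd 0x4c09, arg NULL. The generated annotation called
  // this ioctl$FS_IOC_GETFSMAP, but 0x4C09 is LOOP_SET_BLOCK_SIZE in
  // linux/loop.h (FS_IOC_GETFSMAP is an _IOWR('X', ...) code); treat the
  // syzkaller label as suspect and check the kernel headers.
  syscall(__NR_ioctl, /*fd=*/r[1], /*cmd=*/0x4c09, /*arg=*/0ul);
  return 0;
}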