// https://syzkaller.appspot.com/bug?id=1665547180092fef185a46d5a4ba5b382d77848e
// autogenerated by syzkaller (http://github.com/google/syzkaller)

#define _GNU_SOURCE

#include <errno.h>
#include <pthread.h>
#include <sched.h>
#include <signal.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/prctl.h>
#include <sys/resource.h>
#include <sys/syscall.h>
#include <sys/time.h>
#include <sys/wait.h>
#include <unistd.h>

/*
 * Terminate the whole process (all threads) with the given status.
 *
 * exit_group is issued through raw syscall(). The endless loop afterwards
 * only exists so the noreturn contract still holds should that call ever
 * come back; the counter is volatile so the loop is not optimised away.
 */
__attribute__((noreturn)) static void doexit(int status)
{
  volatile unsigned spin = 0;
  syscall(__NR_exit_group, status);
  while (1) {
    spin++;
  }
}

#include <stdint.h>
#include <string.h>

static void loop();

/*
 * Process-level containment applied in the forked child before the
 * generated syscall sequence runs.
 *
 *  - PR_SET_PDEATHSIG/SIGKILL: the child is killed when its parent dies.
 *  - setpgrp()/setsid(): detach into an own process group and session.
 *  - rlimits: cap address space (128 MiB), locked memory (8 MiB), file
 *    size (1 MiB) and stack (1 MiB); core dumps are disabled.
 *  - unshare(): request a private mount namespace, a private IPC namespace
 *    and a separate I/O context.
 *
 * Every call is best-effort: no return value is checked, so a failing step
 * (for example unshare() without the required privilege) leaves the process
 * running without that restriction. Nothing here restricts the network, and
 * the caller does not drop privileges either.
 */
static void sandbox_common()
{
  // Soft and hard limit are always set to the same value, in this order.
  static const struct {
    int resource;
    rlim_t limit;
  } caps[] = {
      {RLIMIT_AS, 128 << 20},
      {RLIMIT_MEMLOCK, 8 << 20},
      {RLIMIT_FSIZE, 1 << 20},
      {RLIMIT_STACK, 1 << 20},
      {RLIMIT_CORE, 0},
  };
  // Each flag is passed in its own unshare() call so one failure does not
  // prevent the others from being attempted.
  static const unsigned ns_flags[] = {CLONE_NEWNS, CLONE_NEWIPC, CLONE_IO};
  size_t k;

  prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
  setpgrp();
  setsid();

  for (k = 0; k < sizeof(caps) / sizeof(caps[0]); k++) {
    struct rlimit cap;
    cap.rlim_cur = caps[k].limit;
    cap.rlim_max = caps[k].limit;
    setrlimit(caps[k].resource, &cap);
  }

  for (k = 0; k < sizeof(ns_flags) / sizeof(ns_flags[0]); k++) {
    unshare(ns_flags[k]);
  }
}

/*
 * "none" sandbox mode: fork, and run the test in the child with only the
 * common containment from sandbox_common() applied.
 *
 * Returns fork()'s result to the parent: the child's pid, or -1 if fork()
 * failed. The child never returns from here; it runs loop() once and then
 * exits with status 1 through doexit().
 *
 * executor_pid and enable_tun are accepted but not used in this function.
 */
static int do_sandbox_none(int executor_pid, bool enable_tun)
{
  const int child = fork();
  if (child == 0) {
    sandbox_common();

    loop();
    doexit(1);
  }
  // Parent, or fork() failure (child == -1).
  return child;
}

// Result slots for the generated syscalls. loop() fills the array with -1
// before starting the threads; only r[0], r[1], r[58], r[59] and r[61] are
// written in this file.
long r[62];

/*
 * Thread body: arg selects which single step of the generated program this
 * thread executes. loop() starts one thread per step (0..4) with random
 * delays in between and never joins them, so the steps are only loosely
 * ordered. A step that reads r[1] before step 1 has stored the socket fd
 * passes -1 to the kernel instead.
 *
 * All raw pointer stores below target fixed addresses inside the region
 * that step 0 maps (0x20000000 .. 0x20fff000). Constants are decoded in the
 * comments using their Linux x86-64 values.
 */
void* thr(void* arg)
{
  switch ((long)arg) {
  case 0:
    // Scratch memory for every structure used below: fixed address,
    // length 0xfff000, prot 0x3 (PROT_READ|PROT_WRITE),
    // flags 0x32 (MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS), fd -1.
    r[0] = syscall(__NR_mmap, 0x20000000ul, 0xfff000ul, 0x3ul, 0x32ul,
                   0xfffffffffffffffful, 0x0ul);
    break;
  case 1:
    // socket(AF_INET6 = 0xa, SOCK_STREAM = 0x1, protocol). The protocol
    // parameter is an int, so only the low 32 bits (0x84 = 132,
    // IPPROTO_SCTP) are expected to reach the kernel.
    // NOTE(review): upper bits look like fuzzer noise; confirm.
    r[1] = syscall(__NR_socket, 0xaul, 0x1ul, 0x8010000000000084ul);
    break;
  case 2:
    // struct msghdr at 0x20ee7000 (64-bit layout):
    //   +0x00 msg_name, +0x08 msg_namelen, +0x10 msg_iov, +0x18 msg_iovlen,
    //   +0x20 msg_control, +0x28 msg_controllen, +0x30 msg_flags.
    *(uint64_t*)0x20ee7000 = (uint64_t)0x20c8bfe4;
    *(uint32_t*)0x20ee7008 = (uint32_t)0x1c;
    *(uint64_t*)0x20ee7010 = (uint64_t)0x204a2fbe;
    *(uint64_t*)0x20ee7018 = (uint64_t)0x5;
    *(uint64_t*)0x20ee7020 = (uint64_t)0x20b33d18;
    // msg_controllen is 6, smaller than one 16-byte control header.
    // NOTE(review): the control records written further down are
    // presumably never parsed; confirm.
    *(uint64_t*)0x20ee7028 = (uint64_t)0x6;
    *(uint32_t*)0x20ee7030 = (uint32_t)0x8880;
    // Destination address at 0x20c8bfe4, 0x1c (28) bytes, laid out as a
    // struct sockaddr_in6: family 0xa (AF_INET6), port field 0x234e
    // (bytes 4e 23 on a little-endian host), flowinfo 2.
    *(uint16_t*)0x20c8bfe4 = (uint16_t)0xa;
    *(uint16_t*)0x20c8bfe6 = (uint16_t)0x234e;
    *(uint32_t*)0x20c8bfe8 = (uint32_t)0x2;
    // 16-byte IPv6 address fe80::aa (link-local prefix).
    *(uint8_t*)0x20c8bfec = (uint8_t)0xfe;
    *(uint8_t*)0x20c8bfed = (uint8_t)0x80;
    *(uint8_t*)0x20c8bfee = (uint8_t)0x0;
    *(uint8_t*)0x20c8bfef = (uint8_t)0x0;
    *(uint8_t*)0x20c8bff0 = (uint8_t)0x0;
    *(uint8_t*)0x20c8bff1 = (uint8_t)0x0;
    *(uint8_t*)0x20c8bff2 = (uint8_t)0x0;
    *(uint8_t*)0x20c8bff3 = (uint8_t)0x0;
    *(uint8_t*)0x20c8bff4 = (uint8_t)0x0;
    *(uint8_t*)0x20c8bff5 = (uint8_t)0x0;
    *(uint8_t*)0x20c8bff6 = (uint8_t)0x0;
    *(uint8_t*)0x20c8bff7 = (uint8_t)0x0;
    *(uint8_t*)0x20c8bff8 = (uint8_t)0x0;
    *(uint8_t*)0x20c8bff9 = (uint8_t)0x0;
    *(uint8_t*)0x20c8bffa = (uint8_t)0x0;
    *(uint8_t*)0x20c8bffb = (uint8_t)0xaa;
    // Scope id 1 for the link-local address.
    *(uint32_t*)0x20c8bffc = (uint32_t)0x1;
    // iovec array at 0x204a2fbe: five (base, len) pairs. The first four
    // have length 0; the fifth carries the 14-byte payload at 0x2032c000.
    *(uint64_t*)0x204a2fbe = (uint64_t)0x20e84000;
    *(uint64_t*)0x204a2fc6 = (uint64_t)0x0;
    *(uint64_t*)0x204a2fce = (uint64_t)0x20a2e000;
    *(uint64_t*)0x204a2fd6 = (uint64_t)0x0;
    *(uint64_t*)0x204a2fde = (uint64_t)0x20208000;
    *(uint64_t*)0x204a2fe6 = (uint64_t)0x0;
    *(uint64_t*)0x204a2fee = (uint64_t)0x20e2ff1b;
    *(uint64_t*)0x204a2ff6 = (uint64_t)0x0;
    *(uint64_t*)0x204a2ffe = (uint64_t)0x2032c000;
    *(uint64_t*)0x204a3006 = (uint64_t)0xe;
    memcpy((void*)0x2032c000,
           "\x32\xdf\xf2\xfc\x28\x46\xf8\x81\x08\x9d\x0d\x72\xf9\x40",
           14);
    // Control buffer at 0x20b33d18: six 16-byte records, each written as
    // (len = 0x10, level, type) in the shape of a struct cmsghdr with no
    // payload.
    *(uint64_t*)0x20b33d18 = (uint64_t)0x10;
    *(uint32_t*)0x20b33d20 = (uint32_t)0x10f;
    *(uint32_t*)0x20b33d24 = (uint32_t)0x7;
    *(uint64_t*)0x20b33d28 = (uint64_t)0x10;
    *(uint32_t*)0x20b33d30 = (uint32_t)0x11f;
    *(uint32_t*)0x20b33d34 = (uint32_t)0x2;
    *(uint64_t*)0x20b33d38 = (uint64_t)0x10;
    *(uint32_t*)0x20b33d40 = (uint32_t)0x10a;
    *(uint32_t*)0x20b33d44 = (uint32_t)0x0;
    *(uint64_t*)0x20b33d48 = (uint64_t)0x10;
    *(uint32_t*)0x20b33d50 = (uint32_t)0x1ff;
    *(uint32_t*)0x20b33d54 = (uint32_t)0x7f;
    *(uint64_t*)0x20b33d58 = (uint64_t)0x10;
    *(uint32_t*)0x20b33d60 = (uint32_t)0x1ff;
    *(uint32_t*)0x20b33d64 = (uint32_t)0x80000000;
    *(uint64_t*)0x20b33d68 = (uint64_t)0x10;
    *(uint32_t*)0x20b33d70 = (uint32_t)0x108;
    *(uint32_t*)0x20b33d74 = (uint32_t)0x80;
    // sendmsg() on the socket from step 1 with flags 0x40000.
    // NOTE(review): 0x40000 appears to be MSG_BATCH; confirm against the
    // kernel headers in use.
    r[58] = syscall(__NR_sendmsg, r[1], 0x20ee7000ul, 0x40000ul);
    break;
  case 3:
    // listen() on the same socket with a backlog of 2. With the thread
    // start order used by loop() this normally follows the sendmsg() step.
    r[59] = syscall(__NR_listen, r[1], 0x2ul);
    break;
  case 4:
    // accept4() on the same socket: the address-length word at 0x20ce9000
    // is set to 9, the peer address buffer is 0x202de000, flags are 0.
    *(uint32_t*)0x20ce9000 = (uint32_t)0x9;
    r[61] =
        syscall(__NR_accept4, r[1], 0x202de000ul, 0x20ce9000ul, 0x0ul);
    break;
  }
  return 0;
}

/*
 * Run the generated program once: reset the result slots, then start one
 * thread per step of thr() (steps 0..4), sleeping a pseudo-random 0-9999 us
 * after each start so the steps overlap but usually begin in order.
 *
 * The threads are never joined. After a final pseudo-random sleep of up to
 * 99999 us the function returns, and the caller ends the process while
 * some steps may still be in flight. rand() is never seeded in this file,
 * so the delay sequence is the C library's default one.
 */
void loop()
{
  pthread_t th[10];
  long step = 0;

  // 0xff fill: every slot reads back as -1 until its step stores a result.
  memset(r, -1, sizeof(r));
  while (step < 5) {
    pthread_create(&th[step], 0, thr, (void*)step);
    usleep(rand() % 10000);
    step++;
  }
  usleep(rand() % 100000);
}

/*
 * Entry point: start the sandboxed child and block until it has been
 * reaped. __WALL makes waitpid() wait for the child regardless of its type.
 * The child's exit status is collected but not inspected; the program
 * always returns 0.
 */
int main()
{
  int status = 0;
  const int child = do_sandbox_none(0, false);

  // Retry until waitpid() reports exactly the pid returned by
  // do_sandbox_none() (interrupted or unrelated results are ignored).
  for (;;) {
    if (waitpid(child, &status, __WALL) == child)
      break;
  }
  return 0;
}