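// https://syzkaller.appspot.com/bug?id=58583553e35db710e1de660064edf1add53e16cb
// autogenerated by syzkaller (https://github.com/google/syzkaller)
//
// Single-process reproducer.  It maps fixed scratch regions, then issues a
// short, fixed sequence of raw syscalls (gettid, timer_create, timer_settime,
// futex, openat, mmap).  Every call goes through syscall(2) with hard-coded
// numbers and literal arguments so the sequence is exactly what the fuzzer
// observed; return values are deliberately ignored except where a later call
// consumes them.  The odd-looking arguments (NULL futex address, NULL path,
// MAP_FIXED over the scratch area) are the input being reproduced, not bugs
// in this file -- do not "correct" them when triaging.

#define _GNU_SOURCE

// NOTE(review): the header names were lost when this page was extracted; the
// eight includes below are the standard set a syzkaller C reproducer emits.
// Confirm against the original at the bug URL above.
#include <endian.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

// Fallback syscall numbers, used only when the libc headers do not define
// them.  They match the asm-generic table (arm64 / riscv64); on other
// architectures the header values take precedence.
#ifndef __NR_futex
#define __NR_futex 98
#endif
#ifndef __NR_gettid
#define __NR_gettid 178
#endif
#ifndef __NR_mmap
#define __NR_mmap 222
#endif
#ifndef __NR_openat
#define __NR_openat 56
#endif
#ifndef __NR_timer_create
#define __NR_timer_create 107
#endif
#ifndef __NR_timer_settime
#define __NR_timer_settime 110
#endif

// Resources produced by earlier calls and consumed by later ones:
//   r[0]: tid returned by gettid (written into the sigevent passed to
//         timer_create)
//   r[1]: fd returned by openat (passed as the fd of the final mmap)
// r[1] starts at -1, so if openat fails the final mmap is issued with
// fd == -1 exactly as the fuzzer would have done.
uint64_t r[2] = {0x0, 0xffffffffffffffff};

// Runs the reproducer once.  Always returns 0; the interesting outcome is the
// kernel's reaction, not this process's exit status.
int main(void)
{
  // Scratch regions the argument buffers below live in.  The middle one
  // (0x20000000, 16 MiB, RWX) holds every pointer argument; the two 4 KiB
  // guard pages around it are mapped with PROT_NONE.  Failures here are not
  // checked: a failed MAP_FIXED would make the later stores fault, which is
  // the same "reproducer did not run" signal syzkaller relies on.
  syscall(__NR_mmap, /*addr=*/0x1ffff000ul, /*len=*/0x1000ul, /*prot=*/0ul,
          /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul,
          /*fd=*/(intptr_t)-1, /*offset=*/0ul);
  syscall(__NR_mmap, /*addr=*/0x20000000ul, /*len=*/0x1000000ul,
          /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul,
          /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul,
          /*fd=*/(intptr_t)-1, /*offset=*/0ul);
  syscall(__NR_mmap, /*addr=*/0x21000000ul, /*len=*/0x1000ul, /*prot=*/0ul,
          /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul,
          /*fd=*/(intptr_t)-1, /*offset=*/0ul);

  intptr_t res = 0;

  // Progress marker for the harness; the empty if-body only silences
  // warn_unused_result on write(2).
  if (write(1, "executing program\n", sizeof("executing program\n") - 1)) {
  }

  // gettid arguments: [
  // ]
  // returns pid
  res = syscall(__NR_gettid);
  if (res != -1)
    r[0] = res;

  // timer_create arguments: [
  //   id: clock_id = 0x0 (8 bytes)
  //   ev: ptr[in, sigevent] {
  //     sigevent {
  //       val: const = 0x0 (8 bytes)
  //       signo: int32 = 0x21 (4 bytes)
  //       notify: sigev_notify = 0x800000000004 (4 bytes)
  //       u: union sigevent_u {
  //         tid: pid (resource)
  //       }
  //       pad = 0x0 (32 bytes)
  //     }
  //   }
  //   timerid: ptr[out, timerid] {
  //     timerid (resource)
  //   }
  // ]
  // Builds a struct sigevent by hand at 0x20533fa0: sigev_value = 0,
  // sigev_signo = 0x21 (33, in the real-time signal range), sigev_notify = 4
  // (SIGEV_THREAD_ID), sigev_notify_thread_id = our own tid.  The fuzzer's
  // 0x800000000004 notify value is truncated to its low 32 bits (4) by the
  // uint32_t store; r[0] is likewise narrowed to 32 bits, which is what the
  // kernel reads from that field.
  *(uint64_t*)0x20533fa0 = 0;
  *(uint32_t*)0x20533fa8 = 0x21;
  *(uint32_t*)0x20533fac = 4;
  *(uint32_t*)0x20533fb0 = (uint32_t)r[0];
  syscall(__NR_timer_create, /*id=*/0ul, /*ev=*/0x20533fa0ul,
          /*timerid=*/0x20bbdffcul);

  // timer_settime arguments: [
  //   timerid: timerid (resource)
  //   flags: timer_flags = 0x0 (8 bytes)
  //   new: ptr[in, itimerspec] {
  //     itimerspec {
  //       interv: timespec {
  //         sec: time_sec (resource)
  //         nsec: time_nsec (resource)
  //       }
  //       value: timespec {
  //         sec: time_sec (resource)
  //         nsec: time_nsec (resource)
  //       }
  //     }
  //   }
  //   old: nil
  // ]
  // struct itimerspec at 0x20000280: interval {0 s, 0x989680 ns} and initial
  // value {0 s, 0x989680 ns}, i.e. a 10 ms periodic timer.  Note the timer id
  // is the literal 0 -- the id timer_create wrote to 0x20bbdffc is never read
  // back.  NOTE(review): the first timer in a fresh process is normally id 0,
  // so this usually refers to the timer just created, but that is a kernel
  // allocation detail rather than a guarantee.
  *(uint64_t*)0x20000280 = 0;
  *(uint64_t*)0x20000288 = 0x989680;
  *(uint64_t*)0x20000290 = 0;
  *(uint64_t*)0x20000298 = 0x989680;
  syscall(__NR_timer_settime, /*timerid=*/0, /*flags=*/0ul,
          /*new=*/0x20000280ul, /*old=*/0ul);

  // futex arguments: [
  //   addr: nil
  //   op: futex_op = 0x86 (8 bytes)
  //   val: int32 = 0x2 (4 bytes)
  //   timeout: nil
  //   addr2: nil
  //   val3: int32 = 0xfffffffc (4 bytes)
  // ]
  // FUTEX_LOCK_PI on a NULL user address, with the periodic signal from the
  // timer above able to interrupt it.  The NULL address is intentional input.
  syscall(__NR_futex, /*addr=*/0ul, /*op=FUTEX_PRIVATE_FLAG|FUTEX_LOCK_PI*/ 0x86ul,
          /*val=*/2, /*timeout=*/0ul, /*addr2=*/0ul, /*val3=*/0xfffffffc);

  // openat$cgroup_ro arguments: [
  //   fd: fd_cgroup (resource)
  //   file: nil
  //   flags: const = 0x275a (4 bytes)
  //   mode: const = 0x0 (2 bytes)
  // ]
  // returns fd
  // dirfd 0xffffff9c is AT_FDCWD (-100) as an unsigned 32-bit value; the path
  // is NULL and the flag bits are passed through as the fuzzer chose them
  // (their meaning is arch-specific and not decoded here).  NOTE(review): a
  // NULL path is normally rejected with EFAULT, in which case r[1] keeps its
  // initial -1 and the mmap below runs with an invalid fd -- that is still the
  // recorded sequence, so it is not checked.
  res = syscall(__NR_openat, /*fd=*/0xffffff9c, /*file=*/0ul,
                /*flags=*/0x275a, /*mode=*/0);
  if (res != -1)
    r[1] = res;

  // mmap arguments: [
  //   addr: VMA[0xb36000]
  //   len: len = 0xb36000 (8 bytes)
  //   prot: mmap_prot = 0x200000a (8 bytes)
  //   flags: mmap_flags = 0x28011 (8 bytes)
  //   fd: fd (resource)
  //   offset: intptr = 0x0 (8 bytes)
  // ]
  // MAP_SHARED|MAP_FIXED|MAP_POPULATE|MAP_STACK over the start of the scratch
  // region, backed by whatever openat returned.
  syscall(__NR_mmap, /*addr=*/0x20000000ul, /*len=*/0xb36000ul,
          /*prot=PROT_GROWSUP|PROT_SEM|PROT_WRITE*/ 0x200000aul,
          /*flags=MAP_STACK|MAP_POPULATE|MAP_FIXED|MAP_SHARED*/ 0x28011ul,
          /*fd=*/r[1], /*offset=*/0ul);
  return 0;
}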