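#!/bin/sh

# Regression test: a syzkaller-generated reproducer that made a KASAN kernel
# panic in the fcntl(2) path. The kernel trace recorded when it was found:
#
# panic: ASan: Invalid access, 8-byte read at 0xfffffe01fece46f8, StackMiddle(f2)
# cpuid = 4
# time = 1687335671
# KDB: stack backtrace:
# db_trace_self_wrapper() at db_trace_self_wrapper+0xa5/frame 0xfffffe01fece42f0
# kdb_backtrace() at kdb_backtrace+0xc7/frame 0xfffffe01fece4450
# vpanic() at vpanic+0x1d7/frame 0xfffffe01fece4510
# panic() at panic+0xb5/frame 0xfffffe01fece45e0
# kasan_report() at kasan_report+0xdc/frame 0xfffffe01fece46b0
# __cap_rights_is_set() at __cap_rights_is_set+0x186/frame 0xfffffe01fece47d0
# fget_fcntl() at fget_fcntl+0xd7/frame 0xfffffe01fece48d0
# kern_fcntl() at kern_fcntl+0x602/frame 0xfffffe01fece4c10
# kern_fcntl_freebsd() at kern_fcntl_freebsd+0x244/frame 0xfffffe01fece4d30
# ia32_syscall() at ia32_syscall+0x32a/frame 0xfffffe01fece4f30
# int0x80_syscall_common() at int0x80_syscall_common+0x9c/frame 0xffffdb38
# KDB: enter: panic
# [ thread pid 4224 tid 100231 ]
# Stopped at      kdb_enter+0x34: movq    $0,0x1e3f7c1(%rip)
# db> x/s version
# version: FreeBSD 14.0-CURRENT #0 main-n263725-1efa7dbc0798e: Wed Jun 21 09:13:50 CEST 2023
# pho@mercat1.netperf.freebsd.org:/usr/src/sys/amd64/compile/PHO-KASAN
# db>

# The reproducer is built with -m32 (the trace is through ia32_syscall), so
# only x86 hosts can run it; everywhere else the test is a no-op success.
uname -p | grep -Eq "amd64|i386" || exit 0
[ "$(id -u)" -ne 0 ] && echo "Must be root!" && exit 1
# default.cfg supplies the shared stress2 settings (e.g. the mycc wrapper).
. ../default.cfg

prog=$(basename "$0" .sh)

# The generated C source is written to the suite's usual /tmp/$prog.c location
# (note: a predictable path under /tmp; the suite runs as root by design).
# NOTE(review): the original #include list was lost in extraction; this is the
# minimal set the code below needs (syscall(2), SYS_* numbers, stdint types).
cat > "/tmp/$prog.c" <<'EOF'
#include <sys/types.h>
#include <sys/syscall.h>
#include <stdint.h>
#include <unistd.h>

/* Child pids collected by the forks below; reused as sigqueue(2) targets. */
uint64_t r[5] = {0x0, 0x0, 0x0, 0x0, 0x0};

int main(void)
{
	syscall(SYS_mmap, 0x10000000, 0x1000000, 7, 0x1012, -1, 0);
	intptr_t res = 0;
	syscall(SYS_munmap, 0x10ffa000, 0x3000);
	syscall(SYS_mmap, 0x10ffd000, 0x1000, 4, 0x1010, -1, 0);
	syscall(SYS_mmap, 0x10ffc000, 0x1000, 0, 0x1010, -1, 0);
	syscall(SYS_mmap, 0x10ffc000, 0x1000, 0, 0x1010, -1, 0);
	syscall(SYS_mprotect, 0x10ffe000, 0x2000, 7);
	syscall(SYS_mprotect, 0x10ffd000, 0x3000, 0);
	syscall(SYS_fork);
	res = syscall(SYS_fork);
	if (res != -1)
		r[0] = res;
	syscall(SYS_fork);
	res = syscall(SYS_fork);
	if (res != -1)
		r[1] = res;
	syscall(SYS_sigqueue, (intptr_t)r[1], 0x2b, 0);
	res = syscall(SYS_fork);
	if (res != -1)
		r[2] = res;
	syscall(SYS_sigqueue, (intptr_t)r[2], 0x2b, 0);
	syscall(SYS_vfork);
	/*
	 * fcntl(2) on an invalid descriptor; the only fcntl call here and the
	 * path (kern_fcntl -> fget_fcntl -> __cap_rights_is_set) that appears
	 * in the KASAN backtrace recorded in the script header.
	 */
	syscall(SYS_fcntl, -1, 5, 0);
	syscall(SYS_sigqueue, 0, 0x2b, 0);
	syscall(SYS_getpgrp, (intptr_t)r[0]);
	syscall(SYS_fork);
	res = syscall(SYS_fork);
	if (res != -1)
		r[3] = res;
	syscall(SYS_sigqueue, (intptr_t)r[3], 0x2b, 0);
	syscall(SYS_getpid);
	syscall(SYS_mmap, 0x10ffc000, 0x1000, 3, 0x10, -1, 7);
	syscall(SYS_mmap, 0x10ffc000, 0x1000, 3, 0x10, -1, 7);
	res = syscall(SYS_fork);
	if (res != -1)
		r[4] = res;
	syscall(SYS_sigqueue, (intptr_t)r[4], 0xc, 0);
	return 0;
}
EOF

# -m32: the crash was observed via the 32-bit compat syscall entry.
mycc -o "/tmp/$prog" -Wall -Wextra -O0 -m32 "/tmp/$prog.c" || exit 1
# The reproducer forks heavily; bound its run time so a hung tree cannot
# stall the suite.
(cd /tmp && timeout 2m "./$prog")
rm -rf -- "/tmp/$prog" "/tmp/$prog.c" /tmp/syzkaller.*
exit 0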