#!/bin/sh

# Fatal trap 12: page fault while in kernel mode
# cpuid = 15; apic id = 23
# fault virtual address	= 0x10
# fault code		= supervisor read data, page not present
# instruction pointer	= 0x20:0xffffffff80de3833
# stack pointer	        = 0x28:0xfffffe01398a8860
# frame pointer	        = 0x28:0xfffffe01398a8880
# code segment		= base 0x0, limit 0xfffff, type 0x1b
# 			= DPL 0, pres 1, long 1, def32 0, gran 1
# processor eflags	= interrupt enabled, resume, IOPL = 0
# current process		= 2798 (syzkaller17)
# trap number		= 12
# panic: page fault
# cpuid = 15
# time = 1593500664
# KDB: stack backtrace:
# db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe01398a8510
# vpanic() at vpanic+0x182/frame 0xfffffe01398a8560
# panic() at panic+0x43/frame 0xfffffe01398a85c0
# trap_fatal() at trap_fatal+0x387/frame 0xfffffe01398a8620
# trap_pfault() at trap_pfault+0x99/frame 0xfffffe01398a8680
# trap() at trap+0x2a5/frame 0xfffffe01398a8790
# calltrap() at calltrap+0x8/frame 0xfffffe01398a8790
# --- trap 0xc, rip = 0xffffffff80de3833, rsp = 0xfffffe01398a8860, rbp = 0xfffffe01398a8880 ---
# sctp_find_ifa_in_ep() at sctp_find_ifa_in_ep+0x83/frame 0xfffffe01398a8880
# sctp_addr_mgmt_ep_sa() at sctp_addr_mgmt_ep_sa+0x56/frame 0xfffffe01398a88c0
# sctp_bindx_delete_address() at sctp_bindx_delete_address+0x9e/frame 0xfffffe01398a8910
# sctp_setopt() at sctp_setopt+0x2134/frame 0xfffffe01398a8990
# sctp_ctloutput() at sctp_ctloutput+0x173/frame 0xfffffe01398a89f0
# sosetopt() at sosetopt+0xed/frame 0xfffffe01398a8a50
# kern_setsockopt() at kern_setsockopt+0xac/frame 0xfffffe01398a8ab0
# sys_setsockopt() at sys_setsockopt+0x24/frame 0xfffffe01398a8ad0
# amd64_syscall() at amd64_syscall+0x159/frame 0xfffffe01398a8bf0
# fast_syscall_common() at fast_syscall_common+0x101/frame 0xfffffe01398a8bf0
# --- syscall (0, FreeBSD ELF64, nosys), rip = 0x80042813a, rsp = 0x7fffffffe538, rbp = 0x7fffffffe570 ---
# KDB: enter: panic
# [ thread pid 2798 tid 100249 ]
# Stopped at      kdb_enter+0x37: movq    $0,0x10c4cf6(%rip)
# db> x/s version
# version: FreeBSD 13.0-CURRENT #0 r362791: Tue Jun 30 08:57:50 CEST 2020
# pho@t2.osted.lan:/usr/src/sys/amd64/compile/PHO
# db>

# Regression scenario for the panic quoted above: a supervisor read at
# address 0x10 (looks like a NULL-pointer dereference, inferred from the
# fault address) reached from setsockopt(2) through
# sctp_bindx_delete_address() -> sctp_find_ifa_in_ep(). The script rebuilds
# the syzkaller reproducer embedded below and runs it repeatedly, under a
# concurrent swap load, for about a minute. An unpatched kernel panics;
# a fixed kernel survives and the script exits 0.

# The reproducer was generated for amd64 (fixed mmap address, raw syscall
# numbers); skip silently on other architectures.
[ `uname -p` != "amd64" ] && exit 0

# Shared test configuration (presumably also defines the mycc wrapper used
# below; not visible from this file).
. ../default.cfg
# SCTP is a loadable module; load it if it is not already in the kernel.
# NOTE(review): a failed kldload is not checked, so the run would then
# exercise a socket(2) that fails and a setsockopt(2) on fd -1 (see below).
kldstat -v | grep -q sctp || kldload sctp.ko
# What the embedded program does (heredoc left verbatim so the written file
# matches the original reproducer byte for byte):
#  - maps a fixed anonymous scratch region at 0x20000000 with PROT 7 (RWX),
#  - opens socket(2 = AF_INET, 5 = SOCK_SEQPACKET, 0x84 = IPPROTO_SCTP);
#    if that fails r[0] stays -1 and the later setsockopt simply gets EBADF,
#  - writes a 16-byte sockaddr_in at 0x200001c0 (len 0x10, family 2,
#    port 0x4e20 big-endian, address 172.20.0.170) followed by zeroed
#    padding and a few small fields, 0xa0 bytes in total,
#  - calls setsockopt(level 0x84, optname 0x8002) with that buffer; the
#    optname matches the sctp_bindx_delete_address frame in the backtrace,
#    i.e. the "remove bound address" path is the one under test.
cat > /tmp/syzkaller17.c <<EOF
// https://syzkaller.appspot.com/bug?id=a038e666f2e27a98b03aa605054c088e6ef2bb5d
// autogenerated by syzkaller (https://github.com/google/syzkaller)
// Reported-by: syzbot+f3a6fccfa6ae9d3ded29@syzkaller.appspotmail.com

#define _GNU_SOURCE

#include <pwd.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/endian.h>
#include <sys/syscall.h>
#include <unistd.h>

uint64_t r[1] = {0xffffffffffffffff};

int main(void)
{
  syscall(SYS_mmap, 0x20000000ul, 0x1000000ul, 7ul, 0x1012ul, -1, 0ul);
  intptr_t res = 0;
  res = syscall(SYS_socket, 2ul, 5ul, 0x84);
  if (res != -1)
    r[0] = res;
  *(uint8_t*)0x200001c0 = 0x10;
  *(uint8_t*)0x200001c1 = 2;
  *(uint16_t*)0x200001c2 = htobe16(0x4e20);
  *(uint8_t*)0x200001c4 = 0xac;
  *(uint8_t*)0x200001c5 = 0x14;
  *(uint8_t*)0x200001c6 = 0;
  *(uint8_t*)0x200001c7 = 0xaa;
  *(uint8_t*)0x200001c8 = 0;
  *(uint8_t*)0x200001c9 = 0;
  *(uint8_t*)0x200001ca = 0;
  *(uint8_t*)0x200001cb = 0;
  *(uint8_t*)0x200001cc = 0;
  *(uint8_t*)0x200001cd = 0;
  *(uint8_t*)0x200001ce = 0;
  *(uint8_t*)0x200001cf = 0;
  *(uint64_t*)0x200001d0 = 0;
  *(uint64_t*)0x200001d8 = 0;
  *(uint64_t*)0x200001e0 = 0;
  *(uint64_t*)0x200001e8 = 0;
  *(uint64_t*)0x200001f0 = 0;
  *(uint64_t*)0x200001f8 = 0;
  *(uint64_t*)0x20000200 = 0;
  *(uint64_t*)0x20000208 = 0;
  *(uint64_t*)0x20000210 = 0;
  *(uint64_t*)0x20000218 = 0;
  *(uint64_t*)0x20000220 = 0;
  *(uint64_t*)0x20000228 = 0;
  *(uint64_t*)0x20000230 = 0;
  *(uint64_t*)0x20000238 = 0;
  *(uint64_t*)0x20000240 = 0;
  *(uint32_t*)0x20000248 = 0;
  *(uint32_t*)0x2000024c = 4;
  *(uint32_t*)0x20000250 = 0;
  *(uint32_t*)0x20000254 = 0;
  *(uint32_t*)0x20000258 = 0;
  *(uint16_t*)0x2000025c = 0;
  *(uint8_t*)0x2000025e = 0;
  syscall(SYS_setsockopt, r[0], 0x84, 0x8002, 0x200001c0ul, 0xa0ul);
  return 0;
}
EOF
# -O0 keeps the raw memory writes exactly as generated; a build failure
# aborts the test rather than silently passing.
mycc -o /tmp/syzkaller17 -Wall -Wextra -O0 /tmp/syzkaller17.c ||
    exit 1

# Background memory pressure for ~1 minute while the reproducer loops.
(cd ../testcases/swap; ./swap -t 1m -i 20 -h > /dev/null 2>&1) &
start=`date +%s`
# Re-run the reproducer as long as the swap load is alive; each run is
# capped at one minute, and the loop also gives up after 60 seconds of
# wall-clock time so a stuck run cannot hold the test open.
while pgrep -q swap; do
    (cd /tmp; timeout 1m ./syzkaller17)
    [ $((`date +%s` - start)) -ge 60 ] && break
done
# Tear down whatever is still running, then reap the background job.
pkill -9 syzkaller17 swap
wait

# Remove the binary, its source, and any core file a crashed run left in /tmp.
rm -f /tmp/syzkaller17 /tmp/syzkaller17.c /tmp/syzkaller17.core
exit 0