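#!/bin/sh

# Fixed by git: 208256579804 - main - O_PATH: disable kqfilter for fifos
# Submitted by markj@

# Regression test built from a syzkaller reproducer: it creates a FIFO,
# opens it with O_PATH and then registers an EVFILT_READ kevent on that
# descriptor.  The reproducer is forked in a loop under a 3 minute
# timeout; the kernel surviving that is the pass condition.

[ `uname -p` != "amd64" ] && exit 0

. ../default.cfg
cat > /tmp/syzkaller34.c <<EOF
// autogenerated by syzkaller (https://github.com/google/syzkaller)
// Harness comments added for the stress2 regression suite.

#define _GNU_SOURCE

#include <sys/types.h>

#include <errno.h>
#include <pwd.h>
#include <signal.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/endian.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

/*
 * Kill the timed-out child and reap it.  Reaping stops early when
 * waitpid() fails for any reason other than a signal interrupt, so a
 * child that has already been collected cannot spin this loop forever.
 */
static void kill_and_wait(pid_t pid, int* status)
{
    kill(pid, SIGKILL);
    for (;;) {
        pid_t rc = waitpid(-1, status, 0);
        if (rc == pid)
            break;
        if (rc == -1 && errno != EINTR)
            break;
    }
}

/* Sleep for ms milliseconds; only ever called with ms == 1 here. */
static void sleep_ms(uint64_t ms)
{
    usleep(ms * 1000);
}

/* Monotonic clock in milliseconds; exits the process if the clock fails. */
static uint64_t current_time_ms(void)
{
    struct timespec ts;
    if (clock_gettime(CLOCK_MONOTONIC, &ts))
        exit(1);
    return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}

static void execute_one(void);

#define WAIT_FLAGS 0

/*
 * Fork a child running execute_one() forever.  Each child is polled
 * with WNOHANG and killed if it is still alive after 5 seconds; the
 * surrounding shell script bounds the whole run with timeout(1).
 */
static void loop(void)
{
    int iter = 0;
    for (;; iter++) {
        pid_t pid = fork();
        if (pid < 0)
            exit(1);
        if (pid == 0) {
            execute_one();
            exit(0);
        }
        int status = 0;
        uint64_t start = current_time_ms();
        for (;;) {
            if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
                break;
            sleep_ms(1);
            if (current_time_ms() - start < 5000) {
                continue;
            }
            kill_and_wait(pid, &status);
            break;
        }
    }
}

/* r[0] holds the kqueue descriptor once SYS_kqueue succeeds. */
uint64_t r[1] = {0xffffffffffffffff};

/*
 * One reproduction attempt.  All syscall arguments live in the region
 * mapped at 0x20000000 by main(); the argument values are kept exactly
 * as syzkaller generated them so the sequence still matches the report.
 */
static void execute_one(void)
{
    intptr_t res = 0;
    /* mknodat(AT_FDCWD, "./file0", S_IFIFO, 0): create the FIFO. */
    memcpy((void*)0x20000000, "./file0\000", 8);
    syscall(SYS_mknodat, 0xffffff9c, 0x20000000ul, 0x1000ul, 0ul);
    /* open("./file0", 0x400000 == O_PATH on FreeBSD, 0172). */
    memcpy((void*)0x20000040, "./file0\000", 8);
    syscall(SYS_open, 0x20000040ul, 0x400000ul, 0x72ul);
    res = syscall(SYS_kqueue);
    if (res != -1)
        r[0] = res;
    /*
     * Fill one struct kevent at 0x20000100 (FreeBSD layout: ident,
     * filter, flags, fflags, data, udata, ext[4]).  ident 3 is presumably
     * the O_PATH descriptor opened above; filter -1 is EVFILT_READ.
     */
    *(uint64_t*)0x20000100 = 3;
    *(uint16_t*)0x20000108 = -1;
    *(uint16_t*)0x2000010a = 0x4015;
    *(uint32_t*)0x2000010c = 0;
    *(uint64_t*)0x20000110 = 0x400000000;
    *(uint64_t*)0x20000118 = 5;
    *(uint64_t*)0x20000120 = 4;
    *(uint64_t*)0x20000128 = 0;
    *(uint64_t*)0x20000130 = 0;
    *(uint64_t*)0x20000138 = 0;
    /* kevent(kq, changelist, 0x2c, NULL, 0, NULL): register the filter. */
    syscall(SYS_kevent, r[0], 0x20000100ul, 0x2cul, 0ul, 0ul, 0ul);
}

int main(void)
{
    /* Fixed anonymous mapping backing every pointer argument above. */
    syscall(SYS_mmap, 0x20000000ul, 0x1000000ul, 7ul, 0x1012ul, -1, 0ul);
    loop();
    return 0;
}

EOF
mycc -o /tmp/syzkaller34 -Wall -Wextra -O0 /tmp/syzkaller34.c ||
    exit 1

(cd /tmp; timeout 3m ./syzkaller34)

# The generated source lives in /tmp as well; the old relative
# "syzkaller34.c" path never removed it.
rm -rf /tmp/syzkaller34 /tmp/syzkaller34.c /tmp/syzkaller.*
exit 0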