#!/bin/sh

# Regression test: kevent(2) registration of an EVFILT_WRITE filter on a
# /dev/bpf descriptor panics the kernel in filt_bpfwrite().  The panic as
# originally observed (FreeBSD 14.0-CURRENT, Oct 2021) follows; the fault
# address 0x28 with "page not present" is consistent with a field read
# through a NULL-ish pointer inside the bpf write filter.

# Fatal trap 12: page fault while in kernel mode
# cpuid = 4; apic id = 04
# fault virtual address = 0x28
# fault code = supervisor read data, page not present
# instruction pointer = 0x20:0xffffffff81549dea
# stack pointer = 0x28:0xfffffe01d8689480
# frame pointer = 0x28:0xfffffe01d8689490
# code segment = base 0x0, limit 0xfffff, type 0x1b
# = DPL 0, pres 1, long 1, def32 0, gran 1
# processor eflags = interrupt enabled, resume, IOPL = 0
# current process = 3050 (syzkaller46)
# trap number = 12
# panic: page fault
# cpuid = 4
# time = 1635158869
# KDB: stack backtrace:
# db_trace_self_wrapper() at db_trace_self_wrapper+0xa5/frame 0xfffffe01d8688cb0
# kdb_backtrace() at kdb_backtrace+0xc9/frame 0xfffffe01d8688e10
# vpanic() at vpanic+0x248/frame 0xfffffe01d8688ef0
# panic() at panic+0xb5/frame 0xfffffe01d8688fb0
# trap_fatal() at trap_fatal+0x52e/frame 0xfffffe01d86890b0
# trap_pfault() at trap_pfault+0x132/frame 0xfffffe01d86891d0
# trap() at trap+0x53f/frame 0xfffffe01d86893b0
# calltrap() at calltrap+0x8/frame 0xfffffe01d86893b0
# --- trap 0xc, rip = 0xffffffff81549dea, rsp = 0xfffffe01d8689480, rbp = 0xfffffe01d8689490 ---
# filt_bpfwrite() filt_bpfwrite+0x4a/frame 0xfffffe01d8689490
# kqueue_register() at kqueue_register+0xea3/frame 0xfffffe01d86895d0
# kqueue_kevent() at kqueue_kevent+0x26a/frame 0xfffffe01d86899c0
# kern_kevent_fp() at kern_kevent_fp+0xd2/frame 0xfffffe01d8689a10
# kern_kevent() at kern_kevent+0x138/frame 0xfffffe01d8689b10
# kern_kevent_generic() at kern_kevent_gene6/frame 0xfffffe   [this line is garbled in the source; offset and frame address lost]
# sys_kevent() at sys_kevent+0x1e1/frame 0xfffffe01d8689d30
# amd64_syscall() at amd64_syscall+0x31e/frame 0xfffffe01d8689f30
# fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe01d8689f30
# --- syscall (0, FreeBSD ELF64, nosys), rip = 0x8003adafa, rsp = 0x7fffffffe648, rbp = 0x7fffffffe670 ---
# KDB: enter: panic
# [ thread pid 3050 tid 100263 ]
# Stopped at kdb_enter+0x37: movq $0,0x2638c4e(%rip)
# db> x/s version
# version: FreeBSD 14.0-CURRENT #0 main-n250242-eab5358b9080-dirty: Mon Oct 25 11:32:45 CEST 2021
# pho@mercat1.netperf.freebsd.org
# db>

# The reproducer hard-codes an amd64 memory layout (fixed mmap at
# 0x20000000), so the test is a no-op elsewhere.
if [ "$(uname -p)" != "amd64" ]; then
	exit 0
fi

# Root is required by the stress2 harness; whether the trigger itself
# needs privilege depends on the devfs permissions of /dev/bpf, which are
# not set by this script.
if [ "$(id -u)" -ne 0 ]; then
	echo "Must be root!"
	exit 1
fi

. ../default.cfg

# Syzkaller-generated reproducer, kept verbatim.  Reading guide
# (inferred from the literal stores below, verify against sys/event.h):
#   - fd 3 is presumably the /dev/bpf descriptor (first free fd after
#     stdio); r[0] is the kqueue fd.
#   - Three 64-byte struct kevent entries live at 0x20000480, 0x200004c0
#     and 0x20000500 and are passed as nchanges=3.
#   - The second entry (ident 3, filter 0xfffe = -2 = EVFILT_WRITE,
#     flags 1 = EV_ADD) is the one whose registration reaches
#     filt_bpfwrite() in the backtrace above.
cat > /tmp/syzkaller46.c <<EOF
// https://syzkaller.appspot.com/bug?id=a99f705b2b8b854d70ec4d47eed481c90046bd3c
// autogenerated by syzkaller (https://github.com/google/syzkaller)
// Reported-by: syzbot+ae45d5166afe15a5a21d@syzkaller.appspotmail.com

#define _GNU_SOURCE

#include <pwd.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/endian.h>
#include <sys/syscall.h>
#include <unistd.h>

uint64_t r[1] = {0xffffffffffffffff};

int main(void)
{
  syscall(SYS_mmap, 0x20000000ul, 0x1000000ul, 7ul, 0x1012ul, -1, 0ul);
  intptr_t res = 0;
  memcpy((void*)0x20000040, "/dev/bpf\000", 9);
  syscall(SYS_openat, 0xffffffffffffff9cul, 0x20000040ul, 0ul, 0ul);
  res = syscall(SYS_kqueue);
  if (res != -1)
    r[0] = res;
  *(uint64_t*)0x20000480 = 0x284;
  *(uint16_t*)0x20000488 = 0xfff8;
  *(uint16_t*)0x2000048a = 0x10;
  *(uint32_t*)0x2000048c = 1;
  *(uint64_t*)0x20000490 = 0x401;
  *(uint64_t*)0x20000498 = 5;
  *(uint64_t*)0x200004a0 = 5;
  *(uint64_t*)0x200004a8 = 0x24000000;
  *(uint64_t*)0x200004b0 = 0x100000000;
  *(uint64_t*)0x200004b8 = 0x3f;
  *(uint64_t*)0x200004c0 = 3;
  *(uint16_t*)0x200004c8 = 0xfffe;
  *(uint16_t*)0x200004ca = 1;
  *(uint32_t*)0x200004cc = 1;
  *(uint64_t*)0x200004d0 = 1;
  *(uint64_t*)0x200004d8 = 3;
  *(uint64_t*)0x200004e0 = 9;
  *(uint64_t*)0x200004e8 = 0x3ff;
  *(uint64_t*)0x200004f0 = 0x100000001;
  *(uint64_t*)0x200004f8 = 3;
  *(uint64_t*)0x20000500 = 5;
  *(uint16_t*)0x20000508 = 0xfffe;
  *(uint16_t*)0x2000050a = 0x42;
  *(uint32_t*)0x2000050c = 2;
  *(uint64_t*)0x20000510 = 5;
  *(uint64_t*)0x20000518 = 0x7f;
  *(uint64_t*)0x20000520 = 9;
  *(uint64_t*)0x20000528 = 0x600000000;
  *(uint64_t*)0x20000530 = 0x1f;
  *(uint64_t*)0x20000538 = 7;
  syscall(SYS_kevent, r[0], 0x20000480ul, 3ul, 0x200001c0ul, 0xaul, 0ul);
  return 0;
}
EOF

# mycc comes from default.cfg.  -O0 keeps the generated stores in order.
mycc -o /tmp/syzkaller46 -Wall -Wextra -O0 /tmp/syzkaller46.c -lpthread || exit 1

# Run from /tmp in a subshell so a core file, if any, lands there.
( cd /tmp; ./syzkaller46 )

rm -rf /tmp/syzkaller46 /tmp/syzkaller46.c /tmp/syzkaller.*
exit 0