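#!/bin/sh

# Regression test: a descriptor for a regular file (not a directory) is
# handed to __realpathat(2) as the base for a "." lookup while another
# process keeps creating and removing that file.  The embedded C program is
# the syzkaller reproducer and is left functionally unchanged; this script
# only builds it on a fresh md-backed file system, runs it against a
# touch/rm churn loop for two minutes and tears everything down again.
# Must run as root (mdconfig, newfs, mount).
#
# Fixed by:
# 628c3b307fb2 - main - cache: only let non-dir descriptors through when doing EMPTYPATH lookups

. ../default.cfg
[ "$(id -u)" -ne 0 ] && echo "Must be root!" && exit 1

# NOTE(review): fixed pathname under /tmp, written as root (stress2
# convention).  An attacker-placed symlink at this path would be followed,
# so only run this on a test box where /tmp is not shared with untrusted
# users.
src=/tmp/syzkaller48.c

# Quoted delimiter: the reproducer is copied literally, nothing is expanded.
cat > "$src" <<'EOF'
// Reported-by: syzbot+9aa5439dd9c708aeb1a8@syzkaller.appspotmail.com
//
// syzkaller-generated reproducer.  Each iteration opens ./file0 with raw
// flags 0x48300 (on FreeBSD this should decode to
// O_EXEC|O_NOCTTY|O_CREAT|O_NOFOLLOW -- verify against sys/fcntl.h), i.e.
// it yields a descriptor for a regular file, and then asks __realpathat(2)
// to resolve "." relative to that descriptor.  r[0] keeps the most recent
// successfully opened fd, so when open() fails the previous (already
// closed) fd number is reused; close(-1) on a failed open merely returns
// EBADF.  Both quirks are inherited from syzkaller and kept on purpose.

#define _GNU_SOURCE

#include <pwd.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/endian.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef SYS___realpathat
#define SYS___realpathat 574
#endif

uint64_t r[1] = {0xffffffffffffffff};

int main(void)
{
	int i;

	/* Fixed scratch mapping that the reproducer addresses below live in. */
	syscall(SYS_mmap, 0x20000000ul, 0x1000000ul, 7ul, 0x1012ul, -1, 0ul);
	intptr_t res = 0;
	memcpy((void*)0x200000c0, "./file0\000", 8);
	for (i = 0; i < 1000; i++) {
		res = syscall(SYS_open, 0x200000c0ul, 0x48300ul, 0ul);
		if (res != -1)
			r[0] = res;
		memcpy((void*)0x20000080, ".\000", 2);
		/* __realpathat(fd, path, buf, size, flags): "." relative to a non-dir fd. */
		syscall(SYS___realpathat, r[0], 0x20000080ul, 0x200002c0ul, 0xabul, 0ul);
		close(res);
	}
	return 0;
}
EOF

# Build a throw-away file system on a memory disk; any failure here is fatal.
set -e
mount | grep "on $mntpoint " | grep -q /dev/md && umount -f "$mntpoint"
[ -c /dev/md$mdstart ] && mdconfig -d -u $mdstart
mdconfig -a -t swap -s 5g -u $mdstart
# $newfs_flags stays unquoted on purpose: it may carry several options.
newfs $newfs_flags -n md$mdstart > /dev/null
mount /dev/md$mdstart "$mntpoint"
set +e

work=$mntpoint/work
mkdir "$work"
mycc -o "$work/syzkaller48" -Wall -Wextra -O0 "$src" || exit 1

# Keep file0 appearing and disappearing so the reproducer's open() and
# __realpathat() calls race against creation/removal in the name cache.
while true; do
	touch "$work/file0"
	rm "$work/file0"
done &
churn=$!

# Run the reproducer back to back for two minutes.  The cd must succeed
# before the binary is started: it opens ./file0 relative to the cwd.
start=$(date +%s)
while [ $(($(date +%s) - start)) -lt 120 ]; do
	(cd "$work" && ./syzkaller48)
done
kill "$churn"
wait
ls -l "$work"

# Unmounting can lag behind the churn loop; retry for up to a minute and
# report what still holds the mount point if it never succeeds.
for i in $(jot 6); do
	mount | grep -q "on $mntpoint " || break
	umount "$mntpoint" && break || sleep 10
	[ "$i" -eq 6 ] &&
	    { echo FATAL; fstat -mf "$mntpoint"; exit 1; }
done
mdconfig -d -u $mdstart

rm -f "$src"
exit 0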