#!/bin/sh

# panic: Counter goes negative
# cpuid = 8
# time = 1653397881
# KDB: stack backtrace:
# db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe014386fa40
# vpanic() at vpanic+0x17f/frame 0xfffffe014386fa90
# panic() at panic+0x43/frame 0xfffffe014386faf0
# sctp_sorecvmsg() at sctp_sorecvmsg+0xf8e/frame 0xfffffe014386fc10
# sctp_soreceive() at sctp_soreceive+0x196/frame 0xfffffe014386fe00
# soreceive() at soreceive+0x4b/frame 0xfffffe014386fe20
# soaio_process_sb() at soaio_process_sb+0x581/frame 0xfffffe014386feb0
# soaio_kproc_loop() at soaio_kproc_loop+0xa9/frame 0xfffffe014386fef0
# fork_exit() at fork_exit+0x80/frame 0xfffffe014386ff30
# fork_trampoline() at fork_trampoline+0xe/frame 0xfffffe014386ff30
# --- trap 0xc, rip = 0x8220e08da, rsp = 0x820a211b8, rbp = 0x820a211e0 ---
# KDB: enter: panic
# [ thread pid 78762 tid 931834 ]
# Stopped at kdb_enter+0x32: movq $0,0x1278fc3(%rip)
# db> x/s version
# FreeBSD 14.0-CURRENT #0 reap-n255780-cbbb27164fa: Tue May 24 13:42:53 CEST 2022
# pho@mercat1.netperf.freebsd.org:/var/tmp/deviant3/sys/amd64/compile/PHO
# db>

# Regression test for the "Counter goes negative" panic in sctp_sorecvmsg()
# quoted above.  Note the path in the backtrace: soaio_kproc_loop() ->
# soaio_process_sb() -> soreceive(), i.e. the receive that panicked was
# issued by the kernel's async-I/O kproc on behalf of the aio_read() in the
# reproducer below, not by a plain recv(2) from userland.

# amd64 only: the reproducer hard-codes a 64-bit scratch-memory layout
# (fixed addresses around 0x20000000, written with uint64_t stores).
[ `uname -p` != "amd64" ] && exit 0

# Shared test configuration; expected to provide mycc (used below), which
# this file does not define itself.
. ../default.cfg
# The here-document is unquoted, so the embedded C must not contain text the
# shell would expand (it contains no "$" and no backquotes).
cat > /tmp/syzkaller55.c <<EOF
// https://syzkaller.appspot.com/bug?id=ce7f451c017537296074d9203baaec292b311365
// autogenerated by syzkaller (https://github.com/google/syzkaller)
// Reported-by: syzbot+e256d42e9b390564530a@syzkaller.appspotmail.com
//
// Structure: main() maps a fixed scratch region, forks 4 workers, and each
// worker (loop) runs execute_one() once per short-lived child, forever.
// All syscall arguments are built by raw stores into the scratch region,
// which is why nothing here goes through libc wrappers or named structs.

#define _GNU_SOURCE

#include <sys/types.h>

#include <pwd.h>
#include <signal.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/endian.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

// Index of this worker process (0..3).  Set by main() before fork() and used
// by execute_one() to give each worker its own port number.
static unsigned long long procid;

// SIGKILL pid and reap children until waitpid() reports that pid.
// NOTE(review): waitpid(-1, ...) also reaps any other child, and a -1 return
// (e.g. ECHILD) is not checked, so this spins forever if pid is already gone.
// This is syzkaller boilerplate and is kept as generated.
static void kill_and_wait(int pid, int* status)
{
  kill(pid, SIGKILL);
  while (waitpid(-1, status, 0) != pid) {
  }
}

// Sleep for ms milliseconds.
static void sleep_ms(uint64_t ms)
{
  usleep(ms * 1000);
}

// CLOCK_MONOTONIC in milliseconds; exits the process if clock_gettime() fails.
static uint64_t current_time_ms(void)
{
  struct timespec ts;
  if (clock_gettime(CLOCK_MONOTONIC, &ts))
    exit(1);
  return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}

static void execute_one(void);

// No extra waitpid() flags are needed on this platform.
#define WAIT_FLAGS 0

// Worker body; never returns.  Each iteration forks a child that runs
// execute_one() once and exits.  The parent polls with WNOHANG every 1 ms
// and, if the child is still alive after 5000 ms, kills and reaps it.
static void loop(void)
{
  int iter = 0;
  for (;; iter++) {
    int pid = fork();
    if (pid < 0)
      exit(1);
    if (pid == 0) {
      execute_one();
      exit(0);
    }
    int status = 0;
    uint64_t start = current_time_ms();
    for (;;) {
      if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
        break;
      sleep_ms(1);
      if (current_time_ms() - start < 5000)
        continue;
      kill_and_wait(pid, &status);
      break;
    }
  }
}

// File descriptors produced by the syscalls in execute_one(); all bits set
// (-1) marks a resource that was never created, matching the "res != -1"
// checks below.
uint64_t r[3] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff};

// One reproduction attempt.  Runs in a fresh child, so leaked descriptors
// do not matter.  On FreeBSD 0x1c is AF_INET6 and 0x84 is IPPROTO_SCTP.
// Declared static above but defined without static here; valid C, the
// earlier declaration gives it internal linkage.
void execute_one(void)
{
  intptr_t res = 0;
  // r[0]: AF_INET6 / SOCK_STREAM (1) / IPPROTO_SCTP socket.
  res = syscall(SYS_socket, 0x1cul, 1ul, 0x84);
  if (res != -1)
    r[0] = res;
  // 28-byte address at 0x20000000, laid out like a sockaddr_in6: len and
  // family 0x1c, port 0x4e23 + 4*procid (distinct per worker), flowinfo 0,
  // all-zero (unspecified) address, scope_id 0.  Used for bind().
  *(uint8_t*)0x20000000 = 0x1c;
  *(uint8_t*)0x20000001 = 0x1c;
  *(uint16_t*)0x20000002 = htobe16(0x4e23 + procid * 4);
  *(uint32_t*)0x20000004 = 0;
  memset((void*)0x20000008, 0, 16);
  *(uint32_t*)0x20000018 = 0;
  syscall(SYS_bind, r[0], 0x20000000ul, 0x1cul);
  // Second address at 0x20000080: same port, address ::1 (the two htobe64
  // stores form 0000...0001), so the socket connects to itself.
  *(uint8_t*)0x20000080 = 0x1c;
  *(uint8_t*)0x20000081 = 0x1c;
  *(uint16_t*)0x20000082 = htobe16(0x4e23 + procid * 4);
  *(uint32_t*)0x20000084 = 0;
  *(uint64_t*)0x20000088 = htobe64(0);
  *(uint64_t*)0x20000090 = htobe64(1);
  *(uint32_t*)0x20000098 = 0;
  syscall(SYS_connect, r[0], 0x20000080ul, 0x1cul);
  // struct aiocb at 0x20000400: aio_fildes = r[0], aio_offset = 0,
  // aio_buf = 0x20000040, aio_nbytes = 1, everything else zeroed.  Queuing
  // this read hands the receive to the kernel aio kproc, which is where the
  // backtrace above (soaio_process_sb -> sctp_soreceive) places the panic.
  *(uint32_t*)0x20000400 = r[0];
  *(uint64_t*)0x20000408 = 0;
  *(uint64_t*)0x20000410 = 0x20000040;
  memset((void*)0x20000040, 27, 1);
  *(uint64_t*)0x20000418 = 1;
  *(uint32_t*)0x20000420 = 0;
  *(uint32_t*)0x20000424 = 0;
  *(uint64_t*)0x20000428 = 0;
  *(uint32_t*)0x20000430 = 0;
  *(uint32_t*)0x20000434 = 0;
  *(uint64_t*)0x20000438 = 0;
  *(uint64_t*)0x20000440 = 0;
  *(uint64_t*)0x20000448 = 0;
  *(uint32_t*)0x20000450 = 0;
  *(uint32_t*)0x20000454 = 0;
  *(uint32_t*)0x20000458 = 0;
  *(uint64_t*)0x20000460 = 0;
  *(uint64_t*)0x20000468 = 0;
  *(uint64_t*)0x20000470 = 0;
  *(uint64_t*)0x20000478 = 0;
  *(uint64_t*)0x20000480 = 0;
  *(uint64_t*)0x20000488 = 0;
  *(uint64_t*)0x20000490 = 0;
  *(uint64_t*)0x20000498 = 0;
  syscall(SYS_aio_read, 0x20000400ul);
  // Send one byte so there is data to receive, then shutdown(SHUT_RD)
  // (how = 0) while the aio read is still outstanding.
  memset((void*)0x200000c0, 89, 1);
  syscall(SYS_sendto, r[0], 0x200000c0ul, 1ul, 0ul, 0ul, 0ul);
  syscall(SYS_shutdown, r[0], 0ul);
  // r[1]: AF_INET6 / SOCK_SEQPACKET (5) / IPPROTO_SCTP socket.
  res = syscall(SYS_socket, 0x1cul, 5ul, 0x84);
  if (res != -1)
    r[1] = res;
  // struct msghdr at 0x200003c0: no name, one iovec (base 0x20000200,
  // len 1), no control data, flags 0.  Sent on r[0], not r[1].
  *(uint64_t*)0x200003c0 = 0;
  *(uint32_t*)0x200003c8 = 0;
  *(uint64_t*)0x200003d0 = 0x20000300;
  *(uint64_t*)0x20000300 = 0x20000200;
  memset((void*)0x20000200, 30, 1);
  *(uint64_t*)0x20000308 = 1;
  *(uint32_t*)0x200003d8 = 1;
  *(uint64_t*)0x200003e0 = 0;
  *(uint32_t*)0x200003e8 = 0;
  *(uint32_t*)0x200003ec = 0;
  syscall(SYS_sendmsg, r[0], 0x200003c0ul, 0ul);
  // dup2 closes r[1] and makes it another descriptor for r[0]'s socket.
  res = syscall(SYS_dup2, r[0], r[1]);
  if (res != -1)
    r[2] = res;
  // setsockopt at SCTP level (0x84), option 0x901, 10-byte argument; the
  // option's meaning is not spelled out here (syzkaller emits raw numbers).
  *(uint32_t*)0x20000140 = 0;
  memcpy((void*)0x20000144, "\x0a\x00\x01\x00\x01", 5);
  syscall(SYS_setsockopt, r[2], 0x84, 0x901, 0x20000140ul, 0xaul);
}
int main(void)
{
  // 16 MiB rwx scratch region at the fixed address 0x20000000 that every
  // store in execute_one() targets; flags 0x1012 are MAP_FIXED|MAP_ANON|
  // MAP_PRIVATE on FreeBSD.  Inherited by all forked workers.
  syscall(SYS_mmap, 0x20000000ul, 0x1000000ul, 7ul, 0x1012ul, -1, 0ul);
  // Four workers, each with its own procid (hence its own port); loop()
  // never returns, so the children stay in it until killed from outside.
  for (procid = 0; procid < 4; procid++) {
    if (fork() == 0) {
      loop();
    }
  }
  // The parent just idles; the surrounding shell loop relies on timeout(1)
  // to end the whole run.
  sleep(1000000);
  return 0;
}
EOF
# mycc is expected from default.cfg; build unoptimised with warnings enabled
# so a broken reproducer fails here rather than silently doing nothing.
mycc -o /tmp/syzkaller55 -Wall -Wextra -O0 /tmp/syzkaller55.c || exit 1

# SCTP may not be compiled into the running kernel; without the module the
# socket(2) calls fail and the test exercises nothing.
kldstat | grep -q sctp || kldload sctp.ko
# Re-run the reproducer for about two minutes of wall-clock time; each run
# is capped at 3 minutes.  FreeBSD's timeout(1) also takes the reproducer's
# forked workers down when it fires (verify this still holds if --foreground
# is ever added).
start=`date +%s`
while [ $((`date +%s` - start)) -lt 120 ]; do
	(cd /tmp; timeout 3m ./syzkaller55)
done

# Remove the binary, its source, any core dump and leftover scratch files.
rm -rf /tmp/syzkaller55 /tmp/syzkaller55.c /tmp/syzkaller55.core \
	/tmp/syzkaller.??????
exit 0