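#!/bin/sh

# Fatal trap 12: page fault while in kernel mode
# cpuid = 5; apic id = 05
# fault virtual address   = 0x3e07d728
# fault code              = supervisor write data, page not present
# instruction pointer     = 0x20:0xffffffff80c9ba1d
# stack pointer           = 0x28:0xfffffe014d9ceba0
# frame pointer           = 0x28:0xfffffe014d9cec00
# code segment            = base 0x0, limit 0xfffff, type 0x1b
#                         = DPL 0, pres 1, long 1, def32 0, gran 1
# processor eflags        = interrupt enabled, resume, IOPL = 0
# current process         = 3135 (syzkaller60)
# trap number             = 12
# panic: page fault
# cpuid = 5
# time = 1656134459
# KDB: stack backtrace:
# db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe014d9ce960
# vpanic() at vpanic+0x151/frame 0xfffffe014d9ce9b0
# panic() at panic+0x43/frame 0xfffffe014d9cea10
# trap_fatal() at trap_fatal+0x387/frame 0xfffffe014d9cea70
# trap_pfault() at trap_pfault+0xab/frame 0xfffffe014d9cead0
# calltrap() at calltrap+0x8/frame 0xfffffe014d9cead0
# --- trap 0xc, rip = 0xffffffff80c9ba1d, rsp = 0xfffffe014d9ceba0, rbp = 0xfffffe014d9cec00 ---
# soclose() at soclose+0x1ad/frame 0xfffffe014d9cec00
# _fdrop() at _fdrop+0x1b/frame 0xfffffe014d9cec20
# closef() at closef+0x1db/frame 0xfffffe014d9cecb0
# fdescfree() at fdescfree+0x433/frame 0xfffffe014d9ced80
# exit1() at exit1+0x4ef/frame 0xfffffe014d9cedf0
# sys_exit() at sys_exit+0xd/frame 0xfffffe014d9cee00
# amd64_syscall() at amd64_syscall+0x145/frame 0xfffffe014d9cef30
# fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe014d9cef30
# --- syscall (1, FreeBSD ELF64, sys_exit), rip = 0x82209fdca, rsp = 0x820fab718, rbp = 0x820fab730 ---
# KDB: enter: panic
# [ thread pid 3135 tid 100332 ]
# Stopped at      kdb_enter+0x32: movq    $0,0x129f1a3(%rip)
# db> x/s version
# version: FreeBSD 14.0-CURRENT #0 main-n256319-c11e64ce51308: Sat Jun 25 07:12:49 CEST 2022\012
# pho@mercat1.netperf.freebsd.org:/usr/src/sys/amd64/compile/PHO
# db>

# Regression test for the panic above. The syzkaller reproducer creates an
# SCTP listen socket (domain 0x1c / protocol 0x84, i.e. AF_INET6 /
# IPPROTO_SCTP on FreeBSD), connects a second SCTP socket to it on the
# loopback address, and then exits without closing either descriptor, so
# both sockets are torn down from exit1() -> fdescfree() -> soclose(),
# which is the path in the backtrace.

# The reproducer is amd64-only (fixed mmap address and syscall numbers).
[ "$(uname -p)" != "amd64" ] && exit 0

. ../default.cfg

# The delimiter is quoted so the shell never expands anything inside the
# generated C source; the reproducer is written out exactly as generated.
cat > /tmp/syzkaller60.c <<'EOF'
// https://syzkaller.appspot.com/bug?id=c08c1aff3eaffde1197888c66684fabf474f3305
// autogenerated by syzkaller (https://github.com/google/syzkaller)
// Reported-by: syzbot+4b862074650b91e087b4@syzkaller.appspotmail.com

#define _GNU_SOURCE

#include <pwd.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/endian.h>
#include <sys/syscall.h>
#include <unistd.h>

uint64_t r[2] = {0xffffffffffffffff, 0xffffffffffffffff};

int main(void)
{
  syscall(SYS_mmap, 0x20000000ul, 0x1000000ul, 7ul, 0x1012ul, -1, 0ul);
  intptr_t res = 0;
  res = syscall(SYS_socket, 0x1cul, 1ul, 0x84);
  if (res != -1)
    r[0] = res;
  *(uint8_t*)0x20000000 = 0x1c;
  *(uint8_t*)0x20000001 = 0x1c;
  *(uint16_t*)0x20000002 = htobe16(0x4e22);
  *(uint32_t*)0x20000004 = 0;
  memset((void*)0x20000008, 0, 16);
  *(uint32_t*)0x20000018 = 0;
  syscall(SYS_bind, r[0], 0x20000000ul, 0x1cul);
  syscall(SYS_listen, r[0], 0x40000);
  res = syscall(SYS_socket, 0x1cul, 1ul, 0x84);
  if (res != -1)
    r[1] = res;
  *(uint8_t*)0x20000180 = 0x1c;
  *(uint8_t*)0x20000181 = 0x1c;
  *(uint16_t*)0x20000182 = htobe16(0x4e22);
  *(uint32_t*)0x20000184 = 0;
  *(uint64_t*)0x20000188 = htobe64(0);
  *(uint64_t*)0x20000190 = htobe64(1);
  *(uint32_t*)0x20000198 = 0;
  syscall(SYS_connect, r[1], 0x20000180ul, 0x1cul);
  return 0;
}
EOF
mycc -o /tmp/syzkaller60 -Wall -Wextra -O0 /tmp/syzkaller60.c || exit 1

# Load sctp.ko only if it is not already present, and remember that this
# script loaded it so it is unloaded again below. Start from an empty
# value so a stale "loaded" inherited from the environment (or from
# default.cfg) cannot make the cleanup unload a module somebody else loaded.
loaded=""
kldstat | grep -q sctp || { kldload sctp.ko && loaded=1; }

# Run from /tmp so a possible core file lands there; bound the run time.
(cd /tmp; timeout 3m ./syzkaller60)

rm -rf /tmp/syzkaller60 /tmp/syzkaller60.c /tmp/syzkaller60.core \
    /tmp/syzkaller.??????
[ -n "$loaded" ] && kldunload sctp.ko
exit 0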