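#!/bin/sh

# Regression test: build the syzkaller reproducer embedded below as a 32-bit
# (-m32) binary and run it for up to two minutes. On the kernel recorded in
# the panic report below this produced a KASAN "Invalid access" report; the
# backtrace points at the fcntl(2) path (ia32_syscall -> kern_fcntl ->
# fget_fcntl -> __cap_rights_is_set).
#
# Requirements: root, an amd64 or i386 host, and ../default.cfg (which is
# expected to define mycc, the compiler wrapper used here -- not defined in
# this file).

# panic: ASan: Invalid access, 8-byte read at 0xfffffe01fece46f8, StackMiddle(f2)
# cpuid = 4
# time = 1687335671
# KDB: stack backtrace:
# db_trace_self_wrapper() at db_trace_self_wrapper+0xa5/frame 0xfffffe01fece42f0
# kdb_backtrace() at kdb_backtrace+0xc7/frame 0xfffffe01fece4450
# vpanic() at vpanic+0x1d7/frame 0xfffffe01fece4510
# panic() at panic+0xb5/frame 0xfffffe01fece45e0
# kasan_report() at kasan_report+0xdc/frame 0xfffffe01fece46b0
# __cap_rights_is_set() at __cap_rights_is_set+0x186/frame 0xfffffe01fece47d0
# fget_fcntl() at fget_fcntl+0xd7/frame 0xfffffe01fece48d0
# kern_fcntl() at kern_fcntl+0x602/frame 0xfffffe01fece4c10
# kern_fcntl_freebsd() at kern_fcntl_freebsd+0x244/frame 0xfffffe01fece4d30
# ia32_syscall() at ia32_syscall+0x32a/frame 0xfffffe01fece4f30
# int0x80_syscall_common() at int0x80_syscall_common+0x9c/frame 0xffffdb38
# KDB: enter: panic
# [ thread pid 4224 tid 100231 ]
# Stopped at kdb_enter+0x34: movq $0,0x1e3f7c1(%rip)
# db> x/s version
# version: FreeBSD 14.0-CURRENT #0 main-n263725-1efa7dbc0798e: Wed Jun 21 09:13:50 CEST 2023
# pho@mercat1.netperf.freebsd.org:/usr/src/sys/amd64/compile/PHO-KASAN
# db>

# The reproducer is a 32-bit binary, so only amd64/i386 hosts are relevant;
# anything else is a silent pass.
uname -p | grep -Eq "amd64|i386" || exit 0
[ "$(id -u)" -ne 0 ] && echo "Must be root!" && exit 1

# Shared stress2 configuration (provides mycc, presumably -- verify there).
. ../default.cfg
prog=$(basename "$0" .sh)

# Unquoted delimiter on purpose: the C source contains no '$', '`' or '\'
# that the shell could expand.
cat > "/tmp/$prog.c" <<EOF
// https://syzkaller.appspot.com/bug?id=81419dc41de046ccb99da6f333074b750ac36680
// autogenerated by syzkaller (https://github.com/google/syzkaller)
// Reported-by: syzbot+d35497494d68b4859367@syzkaller.appspotmail.com
// i386 + ASan

#define _GNU_SOURCE

#include <pwd.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/endian.h>
#include <sys/syscall.h>
#include <unistd.h>

uint64_t r[5] = {0x0, 0x0, 0x0, 0x0, 0x0};

int main(void)
{
  syscall(SYS_mmap, 0x10000000, 0x1000000, 7, 0x1012, -1, 0);
  intptr_t res = 0;
  syscall(SYS_munmap, 0x10ffa000, 0x3000);
  syscall(SYS_mmap, 0x10ffd000, 0x1000, 4, 0x1010, -1, 0);
  syscall(SYS_mmap, 0x10ffc000, 0x1000, 0, 0x1010, -1, 0);
  syscall(SYS_mmap, 0x10ffc000, 0x1000, 0, 0x1010, -1, 0);
  syscall(SYS_mprotect, 0x10ffe000, 0x2000, 7);
  syscall(SYS_mprotect, 0x10ffd000, 0x3000, 0);
  syscall(SYS_fork);
  res = syscall(SYS_fork);
  if (res != -1)
    r[0] = res;
  syscall(SYS_fork);
  res = syscall(SYS_fork);
  if (res != -1)
    r[1] = res;
  syscall(SYS_sigqueue, (intptr_t)r[1], 0x2b, 0);
  res = syscall(SYS_fork);
  if (res != -1)
    r[2] = res;
  syscall(SYS_sigqueue, (intptr_t)r[2], 0x2b, 0);
  syscall(SYS_vfork);
  syscall(SYS_fcntl, -1, 5, 0);
  syscall(SYS_sigqueue, 0, 0x2b, 0);
  syscall(SYS_getpgrp, (intptr_t)r[0]);
  syscall(SYS_fork);
  res = syscall(SYS_fork);
  if (res != -1)
    r[3] = res;
  syscall(SYS_sigqueue, (intptr_t)r[3], 0x2b, 0);
  syscall(SYS_getpid);
  syscall(SYS_mmap, 0x10ffc000, 0x1000, 3, 0x10, -1, 7);
  syscall(SYS_mmap, 0x10ffc000, 0x1000, 3, 0x10, -1, 7);
  res = syscall(SYS_fork);
  if (res != -1)
    r[4] = res;
  syscall(SYS_sigqueue, (intptr_t)r[4], 0xc, 0);
  return 0;
}
EOF
mycc -o "/tmp/$prog" -Wall -Wextra -O0 -m32 "/tmp/$prog.c" || exit 1

# Run from /tmp in a subshell so the caller's cwd is untouched; bail out of
# the subshell if the cd fails rather than executing ./$prog from elsewhere.
# On an affected kernel this may panic the machine, so the cleanup below is
# best-effort only.
(cd /tmp || exit 1; timeout 2m "./$prog")

# "--" guards against a name starting with '-'; the glob covers any scratch
# files the reproducer may leave behind (none were observed in this file).
rm -rf -- "/tmp/$prog" "/tmp/$prog.c" /tmp/syzkaller.*
exit 0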