#!/bin/sh

# panic: ASan: Invalid access, 8-byte read at 0xfffffe01fece46f8, StackMiddle(f2)
# cpuid = 4
# time = 1687335671
# KDB: stack backtrace:
# db_trace_self_wrapper() at db_trace_self_wrapper+0xa5/frame 0xfffffe01fece42f0
# kdb_backtrace() at kdb_backtrace+0xc7/frame 0xfffffe01fece4450
# vpanic() at vpanic+0x1d7/frame 0xfffffe01fece4510
# panic() at panic+0xb5/frame 0xfffffe01fece45e0
# kasan_report() at kasan_report+0xdc/frame 0xfffffe01fece46b0
# __cap_rights_is_set() at __cap_rights_is_set+0x186/frame 0xfffffe01fece47d0
# fget_fcntl() at fget_fcntl+0xd7/frame 0xfffffe01fece48d0
# kern_fcntl() at kern_fcntl+0x602/frame 0xfffffe01fece4c10
# kern_fcntl_freebsd() at kern_fcntl_freebsd+0x244/frame 0xfffffe01fece4d30
# ia32_syscall() at ia32_syscall+0x32a/frame 0xfffffe01fece4f30
# int0x80_syscall_common() at int0x80_syscall_common+0x9c/frame 0xffffdb38
# KDB: enter: panic
# [ thread pid 4224 tid 100231 ]
# Stopped at      kdb_enter+0x34: movq    $0,0x1e3f7c1(%rip)
# db> x/s version
# version:        FreeBSD 14.0-CURRENT #0 main-n263725-1efa7dbc0798e: Wed Jun 21 09:13:50 CEST 2023
# pho@mercat1.netperf.freebsd.org:/usr/src/sys/amd64/compile/PHO-KASAN
# db>

# stress2 wrapper around a syzkaller reproducer: write the C program below to
# /tmp, build it as a 32-bit (i386 ABI) binary, run it for at most two minutes
# and clean up.  The backtrace above was obtained on a KASAN kernel; on any
# other kernel the reproducer simply runs and the script still exits 0 (a
# panic, not the exit status, is how stress2 reports a hit).

# The reproducer is built with -m32 and the crash was reached through the
# ia32 syscall path, so it is only meaningful on x86.
case "$(uname -p)" in
*amd64*|*i386*) ;;
*) exit 0 ;;
esac
if [ "$(id -u)" -ne 0 ]; then
	echo "Must be root!"
	exit 1
fi

# default.cfg provides mycc (the compiler wrapper used below).
. ../default.cfg
prog=$(basename "$0" .sh)
src=/tmp/$prog.c
bin=/tmp/$prog

# NOTE(review): the source and the binary are created by root under fixed,
# predictable names in the world-writable /tmp, so a symlink pre-placed there
# by an unprivileged local user would be followed.  This is the convention
# used by every stress2 test; it assumes a trusted, single-purpose test host.
#
# The here-doc delimiter is quoted so the shell performs no expansion on the
# C source: the file written is the reproducer byte for byte.  The call that
# appears in the backtrace is fcntl(-1, 5, 0) in the middle of main() (cmd 5
# is F_GETOWN on FreeBSD), reached after a vfork(); the surrounding mmap,
# fork and sigqueue calls are the state syzkaller found necessary.
cat > "$src" <<'EOF'
// https://syzkaller.appspot.com/bug?id=81419dc41de046ccb99da6f333074b750ac36680
// autogenerated by syzkaller (https://github.com/google/syzkaller)
// Reported-by: syzbot+d35497494d68b4859367@syzkaller.appspotmail.com
// i386 + ASan

#define _GNU_SOURCE

#include <pwd.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/endian.h>
#include <sys/syscall.h>
#include <unistd.h>

uint64_t r[5] = {0x0, 0x0, 0x0, 0x0, 0x0};

int main(void)
{
  syscall(SYS_mmap, 0x10000000, 0x1000000, 7, 0x1012, -1, 0);
  intptr_t res = 0;
  syscall(SYS_munmap, 0x10ffa000, 0x3000);
  syscall(SYS_mmap, 0x10ffd000, 0x1000, 4, 0x1010, -1, 0);
  syscall(SYS_mmap, 0x10ffc000, 0x1000, 0, 0x1010, -1, 0);
  syscall(SYS_mmap, 0x10ffc000, 0x1000, 0, 0x1010, -1, 0);
  syscall(SYS_mprotect, 0x10ffe000, 0x2000, 7);
  syscall(SYS_mprotect, 0x10ffd000, 0x3000, 0);
  syscall(SYS_fork);
  res = syscall(SYS_fork);
  if (res != -1)
    r[0] = res;
  syscall(SYS_fork);
  res = syscall(SYS_fork);
  if (res != -1)
    r[1] = res;
  syscall(SYS_sigqueue, (intptr_t)r[1], 0x2b, 0);
  res = syscall(SYS_fork);
  if (res != -1)
    r[2] = res;
  syscall(SYS_sigqueue, (intptr_t)r[2], 0x2b, 0);
  syscall(SYS_vfork);
  syscall(SYS_fcntl, -1, 5, 0);
  syscall(SYS_sigqueue, 0, 0x2b, 0);
  syscall(SYS_getpgrp, (intptr_t)r[0]);
  syscall(SYS_fork);
  res = syscall(SYS_fork);
  if (res != -1)
    r[3] = res;
  syscall(SYS_sigqueue, (intptr_t)r[3], 0x2b, 0);
  syscall(SYS_getpid);
  syscall(SYS_mmap, 0x10ffc000, 0x1000, 3, 0x10, -1, 7);
  syscall(SYS_mmap, 0x10ffc000, 0x1000, 3, 0x10, -1, 7);
  res = syscall(SYS_fork);
  if (res != -1)
    r[4] = res;
  syscall(SYS_sigqueue, (intptr_t)r[4], 0xc, 0);
  return 0;
}
EOF
# -O0 keeps the syscall sequence exactly as generated; a build failure is the
# only condition under which this script fails.
mycc -o "$bin" -Wall -Wextra -O0 -m32 "$src" || exit 1

# main() fork()s eight times and vfork()s once, so a few hundred short-lived
# processes may exist at the peak; timeout(1) bounds the whole run.
(cd /tmp; timeout 2m "./$prog")

# /tmp/syzkaller.* is the generic cleanup pattern shared by the syzkaller
# wrappers; this particular reproducer creates no files of its own.
rm -rf "$bin" "$src" /tmp/syzkaller.*
exit 0
99exit 0
100