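#!/bin/sh

# No issues seen (Looks a bit like syzkaller43.sh)
#
# Stress test: runs a syzkaller-generated reproducer (the C program in the
# heredoc below) repeatedly for two minutes while ../testcases/swap applies
# memory pressure in the background.
#
# Operational / security caveats (test-harness conventions, not hardening):
#  - The script must run as root. It writes the reproducer source and binary
#    to the predictable paths /tmp/$prog.c and /tmp/$prog and "rm -rf"s them
#    at the end; symlinks planted there by another local user would be
#    followed. Run it only on a dedicated test machine.
#  - The reproducer maps an RWX region at a fixed address, installs
#    SIGSEGV/SIGBUS handlers, creates a world-writable scratch directory
#    and issues deliberately malformed syscalls. All of that is intended.
#  - mycc is presumably provided by ../default.cfg (not visible here).

[ `id -u ` -ne 0 ] && echo "Must be root!" && exit 1

. ../default.cfg
set -u
prog=$(basename "$0" .sh)
cat > /tmp/$prog.c <<EOF
// https://syzkaller.appspot.com/bug?id=cf4c0a08d26692dc8f22b0fcc50db08fd17dd709
// autogenerated by syzkaller (https://github.com/google/syzkaller)
//
// Local changes to the generated code, marked inline:
//  - event_timedwait() passes an absolute deadline to pthread_cond_timedwait()
//  - thread_start() checks the pthread_create() return value, not errno
//  - kill_and_wait() stops if waitpid() reports no child to reap
//  - loop() formats the per-iteration directory name with snprintf()

#define _GNU_SOURCE

#include <sys/types.h>

#include <dirent.h>
#include <errno.h>
#include <pthread.h>
#include <pwd.h>
#include <setjmp.h>
#include <signal.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/endian.h>
#include <sys/resource.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

// Fallback for headers that predate aio_writev(2).
#ifndef SYS_aio_writev
#define SYS_aio_writev 578
#endif

// Per-thread state used by the NONFAILING() recovery mechanism.
static __thread int clone_ongoing;
static __thread int skip_segv;
static __thread jmp_buf segv_env;

// SIGSEGV/SIGBUS handler. While a NONFAILING() block is active (skip_segv
// nonzero) a fault at an address outside the 1-100 MiB window, or any
// SIGBUS, longjmps back to that block so the program can carry on; the
// fixed 0x20000000 data area set up in main() lies outside that window.
// Any other fault terminates the process with the signal number as exit
// status.
static void segv_handler(int sig, siginfo_t* info, void* ctx __unused)
{
	if (__atomic_load_n(&clone_ongoing, __ATOMIC_RELAXED) != 0) {
		exit(sig);
	}
	uintptr_t addr = (uintptr_t)info->si_addr;
	const uintptr_t prog_start = 1 << 20;
	const uintptr_t prog_end = 100 << 20;
	int skip = __atomic_load_n(&skip_segv, __ATOMIC_RELAXED) != 0;
	int valid = addr < prog_start || addr > prog_end;
	if (sig == SIGBUS)
		valid = 1;
	if (skip && valid) {
		_longjmp(segv_env, 1);
	}
	exit(sig);
}

// Install segv_handler() for SIGSEGV and SIGBUS. SA_NODEFER keeps the
// signal unblocked across the longjmp out of the handler.
static void install_segv_handler(void)
{
	struct sigaction sa;
	memset(&sa, 0, sizeof(sa));
	sa.sa_sigaction = segv_handler;
	sa.sa_flags = SA_NODEFER | SA_SIGINFO;
	sigaction(SIGSEGV, &sa, NULL);
	sigaction(SIGBUS, &sa, NULL);
}

// Evaluate the argument statements with fault recovery enabled.
// Evaluates to 1 when they completed, 0 when a fault was intercepted.
#define NONFAILING(...)                                               \
	({                                                            \
		int ok = 1;                                           \
		__atomic_fetch_add(&skip_segv, 1, __ATOMIC_SEQ_CST);  \
		if (_setjmp(segv_env) == 0) {                         \
			__VA_ARGS__;                                  \
		} else                                                \
			ok = 0;                                       \
		__atomic_fetch_sub(&skip_segv, 1, __ATOMIC_SEQ_CST);  \
		ok;                                                   \
	})

// SIGKILL pid and reap children until that pid has been collected.
// Local change: a waitpid() failure other than EINTR (e.g. ECHILD, nothing
// left to reap) ends the loop instead of spinning forever.
static void kill_and_wait(int pid, int* status)
{
	kill(pid, SIGKILL);
	for (;;) {
		int w = waitpid(-1, status, 0);
		if (w == pid)
			break;
		if (w == -1 && errno != EINTR)
			break;
	}
}

// Sleep for ms milliseconds.
static void sleep_ms(uint64_t ms)
{
	usleep(ms * 1000);
}

// Monotonic clock in milliseconds; exits the process if the clock fails.
static uint64_t current_time_ms(void)
{
	struct timespec ts;
	if (clock_gettime(CLOCK_MONOTONIC, &ts))
		exit(1);
	return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}

// Create a scratch directory under the current directory and chdir into
// it. NOTE(review): the directory is made world-writable (0777); with
// do_sandbox_none() nothing ever drops root, so the wide mode is not
// needed here and is kept only because the generator emits it.
static void use_temporary_dir(void)
{
	char tmpdir_template[] = "./syzkaller.XXXXXX";
	char* tmpdir = mkdtemp(tmpdir_template);
	if (!tmpdir)
		exit(1);
	if (chmod(tmpdir, 0777))
		exit(1);
	if (chdir(tmpdir))
		exit(1);
}

// Clear the immutable/append/nounlink file flags on filename (without
// following symlinks) so it can be removed; exits on failure.
static void reset_flags(const char* filename)
{
	struct stat st;
	if (lstat(filename, &st))
		exit(1);
	st.st_flags &= ~(SF_NOUNLINK | UF_NOUNLINK | SF_IMMUTABLE | UF_IMMUTABLE |
	    SF_APPEND | UF_APPEND);
	if (lchflags(filename, st.st_flags))
		exit(1);
}

// Recursively delete dir. Entries are inspected with lstat(), so a symlink
// to a directory is unlinked rather than descended into. On EPERM the
// file flags are reset once and the operation retried; any other failure
// exits the process.
static void __attribute__((noinline)) remove_dir(const char* dir)
{
	DIR* dp = opendir(dir);
	if (dp == NULL) {
		if (errno == EACCES) {
			if (rmdir(dir))
				exit(1);
			return;
		}
		exit(1);
	}
	struct dirent* ep = 0;
	while ((ep = readdir(dp))) {
		if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0)
			continue;
		char filename[FILENAME_MAX];
		snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name);
		struct stat st;
		if (lstat(filename, &st))
			exit(1);
		if (S_ISDIR(st.st_mode)) {
			remove_dir(filename);
			continue;
		}
		if (unlink(filename)) {
			if (errno == EPERM) {
				reset_flags(filename);
				reset_flags(dir);
				if (unlink(filename) == 0)
					continue;
			}
			exit(1);
		}
	}
	closedir(dp);
	while (rmdir(dir)) {
		if (errno == EPERM) {
			reset_flags(dir);
			if (rmdir(dir) == 0)
				break;
		}
		exit(1);
	}
}

// Start a detached-by-neglect worker thread with a 128 KiB stack, retrying
// up to 100 times on EAGAIN; exits the process if creation keeps failing.
// Local change: pthread_create() returns the error number and does not set
// errno, so the retry decision uses the return value.
static void thread_start(void* (*fn)(void*), void* arg)
{
	pthread_t th;
	pthread_attr_t attr;
	pthread_attr_init(&attr);
	pthread_attr_setstacksize(&attr, 128 << 10);
	int i = 0;
	for (; i < 100; i++) {
		int rc = pthread_create(&th, &attr, fn, arg);
		if (rc == 0) {
			pthread_attr_destroy(&attr);
			return;
		}
		if (rc == EAGAIN) {
			usleep(50);
			continue;
		}
		break;
	}
	exit(1);
}

// Minimal one-shot event: a mutex-protected flag plus a condition variable.
typedef struct {
	pthread_mutex_t mu;
	pthread_cond_t cv;
	int state;
} event_t;

// Initialise ev in the cleared state; exits on init failure.
static void event_init(event_t* ev)
{
	if (pthread_mutex_init(&ev->mu, 0))
		exit(1);
	if (pthread_cond_init(&ev->cv, 0))
		exit(1);
	ev->state = 0;
}

// Clear ev. Called without the mutex, as in the generated code.
static void event_reset(event_t* ev)
{
	ev->state = 0;
}

// Set ev and wake all waiters; setting an already-set event is fatal.
static void event_set(event_t* ev)
{
	pthread_mutex_lock(&ev->mu);
	if (ev->state)
		exit(1);
	ev->state = 1;
	pthread_mutex_unlock(&ev->mu);
	pthread_cond_broadcast(&ev->cv);
}

// Block until ev is set.
static void event_wait(event_t* ev)
{
	pthread_mutex_lock(&ev->mu);
	while (!ev->state)
		pthread_cond_wait(&ev->cv, &ev->mu);
	pthread_mutex_unlock(&ev->mu);
}

// Return the current state of ev.
static int event_isset(event_t* ev)
{
	pthread_mutex_lock(&ev->mu);
	int res = ev->state;
	pthread_mutex_unlock(&ev->mu);
	return res;
}

// Wait until ev is set or timeout milliseconds have passed; returns the
// final state. pthread_cond_timedwait() takes an ABSOLUTE CLOCK_REALTIME
// deadline, so the remaining time is added to the current wall-clock time.
// Local change: the generated code passed the relative value, i.e. a
// deadline in 1970, which made every wait return at once and turned the
// call into a busy spin for the whole timeout.
static int event_timedwait(event_t* ev, uint64_t timeout)
{
	uint64_t start = current_time_ms();
	uint64_t now = start;
	pthread_mutex_lock(&ev->mu);
	for (;;) {
		if (ev->state)
			break;
		uint64_t remain = timeout - (now - start);
		struct timespec ts;
		if (clock_gettime(CLOCK_REALTIME, &ts))
			exit(1);
		ts.tv_sec += (time_t)(remain / 1000);
		ts.tv_nsec += (long)((remain % 1000) * 1000 * 1000);
		if (ts.tv_nsec >= 1000000000L) {
			ts.tv_sec += 1;
			ts.tv_nsec -= 1000000000L;
		}
		pthread_cond_timedwait(&ev->cv, &ev->mu, &ts);
		now = current_time_ms();
		if (now - start > timeout)
			break;
	}
	int res = ev->state;
	pthread_mutex_unlock(&ev->mu);
	return res;
}

// Best-effort resource limits for the reproducer (failures are ignored).
// RLIMIT_CORE is 0, so a crash of the reproducer leaves no core file.
static void sandbox_common(void)
{
	struct rlimit rlim;
	rlim.rlim_cur = rlim.rlim_max = 128 << 20;
	setrlimit(RLIMIT_AS, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 8 << 20;
	setrlimit(RLIMIT_MEMLOCK, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 1 << 20;
	setrlimit(RLIMIT_FSIZE, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 1 << 20;
	setrlimit(RLIMIT_STACK, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 0;
	setrlimit(RLIMIT_CORE, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 256;
	setrlimit(RLIMIT_NOFILE, &rlim);
}

static void loop(void);

// "none" sandbox: apply the rlimits and run the loop as the invoking user
// (root, per the wrapper script); no privilege is dropped.
static int do_sandbox_none(void)
{
	sandbox_common();
	loop();
	return 0;
}

// One worker thread slot: whether it exists, the call it should run, and
// the ready/done handshake events.
struct thread_t {
	int created, call;
	event_t ready, done;
};

static struct thread_t threads[16];
static void execute_call(int call);
static int running;

// Worker thread body: wait for a call, run it, signal completion.
static void* thr(void* arg)
{
	struct thread_t* th = (struct thread_t*)arg;
	for (;;) {
		event_wait(&th->ready);
		event_reset(&th->ready);
		execute_call(th->call);
		__atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED);
		event_set(&th->done);
	}
	return 0;
}

// Run the 24 calls of the reproducer. Each call is handed to the first
// idle worker (creating it on demand) and given 50 ms to finish; a call
// that blocks longer simply leaves its worker busy. At the end wait up to
// ~100 ms for stragglers.
static void execute_one(void)
{
	if (write(1, "executing program\n", sizeof("executing program\n") - 1)) {
	}
	int i, call, thread;
	for (call = 0; call < 24; call++) {
		for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0]));
		    thread++) {
			struct thread_t* th = &threads[thread];
			if (!th->created) {
				th->created = 1;
				event_init(&th->ready);
				event_init(&th->done);
				event_set(&th->done);
				thread_start(thr, th);
			}
			if (!event_isset(&th->done))
				continue;
			event_reset(&th->done);
			th->call = call;
			__atomic_fetch_add(&running, 1, __ATOMIC_RELAXED);
			event_set(&th->ready);
			event_timedwait(&th->done, 50);
			break;
		}
	}
	for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++)
		sleep_ms(1);
}

#define WAIT_FLAGS 0

// Forever: make a numbered directory, fork a child that chdirs into it and
// runs execute_one(), give the child 5 s before SIGKILLing it, then remove
// the directory. Only the wrapper's timeout(1) ends this.
// Local change: snprintf() instead of sprintf() for the directory name.
static void loop(void)
{
	int iter = 0;
	for (;; iter++) {
		char cwdbuf[32];
		snprintf(cwdbuf, sizeof(cwdbuf), "./%d", iter);
		if (mkdir(cwdbuf, 0777))
			exit(1);
		int pid = fork();
		if (pid < 0)
			exit(1);
		if (pid == 0) {
			if (chdir(cwdbuf))
				exit(1);
			execute_one();
			exit(0);
		}
		int status = 0;
		uint64_t start = current_time_ms();
		for (;;) {
			sleep_ms(10);
			if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
				break;
			if (current_time_ms() - start < 5000)
				continue;
			kill_and_wait(pid, &status);
			break;
		}
		remove_dir(cwdbuf);
	}
}

// Resources captured by earlier calls (socket fds); -1 until assigned.
uint64_t r[3] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff};

// The reproducer proper: call number -> raw syscall. Arguments live in the
// fixed 0x20000000 mapping from main() and are written under NONFAILING().
// Errors are deliberately ignored; several calls pass bogus fds/pointers.
void execute_call(int call)
{
	intptr_t res = 0;
	switch (call) {
	case 0:
		res = syscall(SYS_socket, /*domain=AF_INET6*/ 0x1cul,
		    /*type=SOCK_STREAM*/ 1ul, /*proto=*/0);
		if (res != -1)
			r[0] = res;
		break;
	case 1:
		NONFAILING(*(uint32_t*)0x200000c0 = 0x101);
		syscall(SYS_setsockopt, /*fd=*/r[0], /*level=*/0xffff,
		    /*optname=SO_SNDBUF*/ 0x1001, /*optval=*/0x200000c0ul,
		    /*optlen=*/4ul);
		break;
	case 2:
		NONFAILING(*(uint8_t*)0x20000140 = 0x1c);
		NONFAILING(*(uint8_t*)0x20000141 = 0x1c);
		NONFAILING(*(uint16_t*)0x20000142 = htobe16(0x4e23));
		NONFAILING(*(uint32_t*)0x20000144 = 0);
		NONFAILING(memset((void*)0x20000148, 0, 16));
		NONFAILING(*(uint32_t*)0x20000158 = 0);
		syscall(SYS_bind, /*fd=*/r[0], /*addr=*/0x20000140ul, /*addrlen=*/0x1cul);
		break;
	case 3:
		NONFAILING(*(uint32_t*)0x20000500 = r[0]);
		NONFAILING(*(uint64_t*)0x20000508 = 0);
		NONFAILING(*(uint64_t*)0x20000510 = 0);
		NONFAILING(*(uint64_t*)0x20000518 = 0);
		NONFAILING(*(uint32_t*)0x20000520 = 4);
		NONFAILING(*(uint32_t*)0x20000524 = 0);
		NONFAILING(*(uint64_t*)0x20000528 = 0);
		NONFAILING(*(uint32_t*)0x20000530 = 0);
		NONFAILING(*(uint32_t*)0x20000534 = 4);
		NONFAILING(*(uint64_t*)0x20000538 = 0x822e);
		NONFAILING(*(uint64_t*)0x20000540 = 0);
		NONFAILING(*(uint64_t*)0x20000548 = 0x20000340);
		NONFAILING(*(uint32_t*)0x20000550 = 0);
		NONFAILING(*(uint32_t*)0x20000554 = 0);
		NONFAILING(*(uint64_t*)0x20000558 = 0xfffffffffffffffe);
		NONFAILING(*(uint64_t*)0x20000560 = 0);
		NONFAILING(*(uint64_t*)0x20000568 = 0x20000380);
		NONFAILING(memcpy((void*)0x20000380, "\x3c\x88\x80", 3));
		syscall(SYS_aio_writev, /*iocb=*/0x20000500ul);
		break;
	case 4:
		NONFAILING(*(uint8_t*)0x20000180 = 0x1c);
		NONFAILING(*(uint8_t*)0x20000181 = 0x1c);
		NONFAILING(*(uint16_t*)0x20000182 = htobe16(0x4e23));
		NONFAILING(*(uint32_t*)0x20000184 = 0);
		NONFAILING(memset((void*)0x20000188, 0, 16));
		NONFAILING(*(uint32_t*)0x20000198 = 0);
		syscall(SYS_connect, /*fd=*/r[0], /*addr=*/0x20000180ul,
		    /*addrlen=*/0x1cul);
		break;
	case 5:
		NONFAILING(memset((void*)0x20000200, 14, 1));
		syscall(SYS_sendto, /*fd=*/r[0], /*buf=*/0x20000200ul, /*len=*/0xff66ul,
		    /*f=*/0ul, /*addr=*/0ul, /*addrlen=*/0ul);
		break;
	case 6:
		syscall(SYS_sendmsg, /*fd=*/r[0], /*msg=*/0ul, /*f=*/0ul);
		break;
	case 7:
		syscall(SYS_socket, /*domain=AF_INET*/ 2ul, /*type=SOCK_STREAM*/ 1ul,
		    /*proto=*/0);
		break;
	case 8:
		res = syscall(SYS_socket, /*domain=*/2ul, /*type=SOCK_SEQPACKET*/ 5ul,
		    /*proto=*/0x84);
		if (res != -1)
			r[1] = res;
		break;
	case 9:
		syscall(SYS_openat, /*fd=*/0xffffffffffffff9cul, /*file=*/0ul,
		    /*flags=O_RDWR*/ 2ul, /*mode=*/0ul);
		break;
	case 10:
		syscall(SYS_openat, /*fd=*/0xffffffffffffff9cul, /*file=*/0ul,
		    /*flags=O_RDWR*/ 2ul, /*mode=*/0ul);
		break;
	case 11:
		syscall(SYS_socket, /*domain=*/2ul, /*type=SOCK_SEQPACKET*/ 5ul,
		    /*proto=*/0x84);
		break;
	case 12:
		syscall(SYS_socket, /*domain=*/0x1cul, /*type=*/1ul, /*proto=*/0);
		break;
	case 13:
		syscall(SYS_shutdown, /*fd=*/-1, /*how=*/0ul);
		break;
	case 14:
		syscall(SYS_shutdown, /*fd=*/-1, /*how=*/0ul);
		break;
	case 15:
		syscall(SYS_sendto, /*fd=*/-1, /*buf=*/0ul, /*len=*/0ul, /*f=*/0ul,
		    /*addr=*/0ul, /*addrlen=*/0ul);
		break;
	case 16:
		syscall(SYS_sendmsg, /*fd=*/-1, /*msg=*/0ul, /*f=*/0ul);
		break;
	case 17:
		syscall(SYS_rfork, /*flags=RFMEM|RFTHREAD|RFCFDG|RFNOWAIT*/ 0x3060ul);
		break;
	case 18:
		syscall(SYS_rfork, /*flags=RFMEM|RFTHREAD|RFCFDG|RFNOWAIT*/ 0x3060ul);
		break;
	case 19:
		syscall(SYS_openat, /*fd=*/0xffffff9cul, /*file=*/0ul,
		    /*flags=O_APPEND*/ 8ul, /*mode=*/0ul);
		break;
	case 20:
		syscall(SYS_openat, /*fd=*/0xffffff9cul, /*file=*/0ul,
		    /*flags=O_APPEND*/ 8ul, /*mode=*/0ul);
		break;
	case 21:
		syscall(SYS_connect, /*fd=*/r[1], /*addr=*/0ul, /*addrlen=*/0ul);
		break;
	case 22:
		res = syscall(SYS_socket, /*domain=*/2ul, /*type=SOCK_STREAM*/ 1ul,
		    /*proto=*/0x84);
		if (res != -1)
			r[2] = res;
		break;
	case 23:
		NONFAILING(*(uint32_t*)0x200001c0 = 0);
		syscall(SYS_getsockopt, /*fd=*/r[2], /*level=*/0x84, /*opt=*/0xc,
		    /*val=*/0ul, /*len=*/0x200001c0ul);
		break;
	}
}

// Entry point: map the fixed RWX data area every NONFAILING() store in
// execute_call() targets, install the fault handlers, move into a scratch
// directory and run the reproducer loop.
int main(void)
{
	syscall(SYS_mmap, /*addr=*/0x20000000ul, /*len=*/0x1000000ul,
	    /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul,
	    /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x1012ul, /*fd=*/-1,
	    /*offset=*/0ul);
	const char* reason;
	(void)reason;
	install_segv_handler();
	use_temporary_dir();
	do_sandbox_none();
	return 0;
}
EOF
# Built as a 32-bit binary, as the original test does.
mycc -o /tmp/$prog -m32 -Wall -Wextra -O0 /tmp/$prog.c -lpthread || exit 1

# Memory pressure in the background for the duration of the run.
(cd ../testcases/swap; ./swap -t 2m -i 10 -l 100 > /dev/null 2>&1) &
sleep 1
cd /tmp
# The reproducer loops forever; timeout(1) bounds each run and the outer
# loop bounds the whole test to ~2 minutes.
start=`date +%s`
while [ $((`date +%s` - start)) -lt 120 ]; do
	timeout 3m /tmp/$prog > /dev/null 2>&1
done
while pkill swap; do :; done
wait

rm -rf /tmp/$prog /tmp/$prog.c /tmp/$prog.core
exit 0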