1*257a750cSPeter Holm#!/bin/sh 2*257a750cSPeter Holm 3*257a750cSPeter Holm# panic: Assertion uio->uio_resid < 0 failed at ../../../netlink/netlink_domain.c:808 4*257a750cSPeter Holm# cpuid = 8 5*257a750cSPeter Holm# time = 1759044376 6*257a750cSPeter Holm# KDB: stack backtrace: 7*257a750cSPeter Holm# db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe0184d17a70 8*257a750cSPeter Holm# vpanic() at vpanic+0x136/frame 0xfffffe0184d17ba0 9*257a750cSPeter Holm# panic() at panic+0x43/frame 0xfffffe0184d17c00 10*257a750cSPeter Holm# nl_soreceive() at nl_soreceive+0x433/frame 0xfffffe0184d17ca0 11*257a750cSPeter Holm# soreceive() at soreceive+0x45/frame 0xfffffe0184d17cc0 12*257a750cSPeter Holm# kern_recvit() at kern_recvit+0x181/frame 0xfffffe0184d17d70 13*257a750cSPeter Holm# sys_recvfrom() at sys_recvfrom+0xa2/frame 0xfffffe0184d17e00 14*257a750cSPeter Holm# amd64_syscall() at amd64_syscall+0x169/frame 0xfffffe0184d17f30 15*257a750cSPeter Holm# fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe0184d17f30 16*257a750cSPeter Holm# --- syscall (0, FreeBSD ELF64, syscall), rip = 0x822882cca, rsp = 0x823572e88, rbp = 0x823572f90 --- 17*257a750cSPeter Holm# KDB: enter: panic 18*257a750cSPeter Holm# [ thread pid 11012 tid 138112 ] 19*257a750cSPeter Holm# Stopped at $0,0x121a722(%rip) 20*257a750cSPeter Holm# db> x/s version 21*257a750cSPeter Holm# version: FreeBSD 16.0-CURRENT #0 main-n280667-52eb7e394a7e-dirty: Sun Sep 28 08:56:14 CEST 2025 22*257a750cSPeter Holm# pho@mercat1.netperf.freebsd.org:/usr/src/sys/amd64/compile/PHO 23*257a750cSPeter Holm# db> 24*257a750cSPeter Holm 25*257a750cSPeter Holm[ `id -u ` -ne 0 ] && echo "Must be root!" && exit 1 26*257a750cSPeter Holm 27*257a750cSPeter Holm. ../default.cfg 28*257a750cSPeter Holmset -u 29*257a750cSPeter Holmprog=$(basename "$0" .sh) 30*257a750cSPeter Holmcat > /tmp/$prog.c <<EOF 31*257a750cSPeter Holm// https://syzkaller.appspot.com/bug?id=e33cdff88b17af77553159c4b372cac4e4bcd652 32*257a750cSPeter Holm// autogenerated by syzkaller (https://github.com/google/syzkaller) 33*257a750cSPeter Holm// syzbot+194f95f2c5fdffef1ef5@syzkaller.appspotmail.com 34*257a750cSPeter Holm 35*257a750cSPeter Holm#define _GNU_SOURCE 36*257a750cSPeter Holm 37*257a750cSPeter Holm#include <sys/types.h> 38*257a750cSPeter Holm 39*257a750cSPeter Holm#include <dirent.h> 40*257a750cSPeter Holm#include <errno.h> 41*257a750cSPeter Holm#include <pthread.h> 42*257a750cSPeter Holm#include <pwd.h> 43*257a750cSPeter Holm#include <setjmp.h> 44*257a750cSPeter Holm#include <signal.h> 45*257a750cSPeter Holm#include <stdarg.h> 46*257a750cSPeter Holm#include <stdbool.h> 47*257a750cSPeter Holm#include <stdint.h> 48*257a750cSPeter Holm#include <stdio.h> 49*257a750cSPeter Holm#include <stdlib.h> 50*257a750cSPeter Holm#include <string.h> 51*257a750cSPeter Holm#include <sys/endian.h> 52*257a750cSPeter Holm#include <sys/resource.h> 53*257a750cSPeter Holm#include <sys/stat.h> 54*257a750cSPeter Holm#include <sys/syscall.h> 55*257a750cSPeter Holm#include <sys/wait.h> 56*257a750cSPeter Holm#include <time.h> 57*257a750cSPeter Holm#include <unistd.h> 58*257a750cSPeter Holm 59*257a750cSPeter Holmstatic unsigned long long procid; 60*257a750cSPeter Holm 61*257a750cSPeter Holmstatic __thread int clone_ongoing; 62*257a750cSPeter Holmstatic __thread int skip_segv; 63*257a750cSPeter Holmstatic __thread jmp_buf segv_env; 64*257a750cSPeter Holm 65*257a750cSPeter Holmstatic void segv_handler(int sig, siginfo_t* info, void* ctx __unused) 66*257a750cSPeter Holm{ 67*257a750cSPeter Holm if (__atomic_load_n(&clone_ongoing, __ATOMIC_RELAXED) != 0) { 68*257a750cSPeter Holm exit(sig); 69*257a750cSPeter Holm } 70*257a750cSPeter Holm uintptr_t addr = (uintptr_t)info->si_addr; 71*257a750cSPeter Holm const uintptr_t prog_start = 1 << 20; 72*257a750cSPeter Holm const uintptr_t prog_end = 100 << 20; 73*257a750cSPeter Holm int skip = __atomic_load_n(&skip_segv, __ATOMIC_RELAXED) != 0; 74*257a750cSPeter Holm int valid = addr < prog_start || addr > prog_end; 75*257a750cSPeter Holm if (sig == SIGBUS) 76*257a750cSPeter Holm valid = 1; 77*257a750cSPeter Holm if (skip && valid) { 78*257a750cSPeter Holm _longjmp(segv_env, 1); 79*257a750cSPeter Holm } 80*257a750cSPeter Holm exit(sig); 81*257a750cSPeter Holm} 82*257a750cSPeter Holm 83*257a750cSPeter Holmstatic void install_segv_handler(void) 84*257a750cSPeter Holm{ 85*257a750cSPeter Holm struct sigaction sa; 86*257a750cSPeter Holm memset(&sa, 0, sizeof(sa)); 87*257a750cSPeter Holm sa.sa_sigaction = segv_handler; 88*257a750cSPeter Holm sa.sa_flags = SA_NODEFER | SA_SIGINFO; 89*257a750cSPeter Holm sigaction(SIGSEGV, &sa, NULL); 90*257a750cSPeter Holm sigaction(SIGBUS, &sa, NULL); 91*257a750cSPeter Holm} 92*257a750cSPeter Holm 93*257a750cSPeter Holm#define NONFAILING(...) \ 94*257a750cSPeter Holm ({ \ 95*257a750cSPeter Holm int ok = 1; \ 96*257a750cSPeter Holm __atomic_fetch_add(&skip_segv, 1, __ATOMIC_SEQ_CST); \ 97*257a750cSPeter Holm if (_setjmp(segv_env) == 0) { \ 98*257a750cSPeter Holm __VA_ARGS__; \ 99*257a750cSPeter Holm } else \ 100*257a750cSPeter Holm ok = 0; \ 101*257a750cSPeter Holm __atomic_fetch_sub(&skip_segv, 1, __ATOMIC_SEQ_CST); \ 102*257a750cSPeter Holm ok; \ 103*257a750cSPeter Holm }) 104*257a750cSPeter Holm 105*257a750cSPeter Holmstatic void kill_and_wait(int pid, int* status) 106*257a750cSPeter Holm{ 107*257a750cSPeter Holm kill(pid, SIGKILL); 108*257a750cSPeter Holm while (waitpid(-1, status, 0) != pid) { 109*257a750cSPeter Holm } 110*257a750cSPeter Holm} 111*257a750cSPeter Holm 112*257a750cSPeter Holmstatic void sleep_ms(uint64_t ms) 113*257a750cSPeter Holm{ 114*257a750cSPeter Holm usleep(ms * 1000); 115*257a750cSPeter Holm} 116*257a750cSPeter Holm 117*257a750cSPeter Holmstatic uint64_t current_time_ms(void) 118*257a750cSPeter Holm{ 119*257a750cSPeter Holm struct timespec ts; 120*257a750cSPeter Holm if (clock_gettime(CLOCK_MONOTONIC, &ts)) 121*257a750cSPeter Holm exit(1); 122*257a750cSPeter Holm return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; 123*257a750cSPeter Holm} 124*257a750cSPeter Holm 125*257a750cSPeter Holmstatic void use_temporary_dir(void) 126*257a750cSPeter Holm{ 127*257a750cSPeter Holm char tmpdir_template[] = "./syzkaller.XXXXXX"; 128*257a750cSPeter Holm char* tmpdir = mkdtemp(tmpdir_template); 129*257a750cSPeter Holm if (!tmpdir) 130*257a750cSPeter Holm exit(1); 131*257a750cSPeter Holm if (chmod(tmpdir, 0777)) 132*257a750cSPeter Holm exit(1); 133*257a750cSPeter Holm if (chdir(tmpdir)) 134*257a750cSPeter Holm exit(1); 135*257a750cSPeter Holm} 136*257a750cSPeter Holm 137*257a750cSPeter Holmstatic void reset_flags(const char* filename) 138*257a750cSPeter Holm{ 139*257a750cSPeter Holm struct stat st; 140*257a750cSPeter Holm if (lstat(filename, &st)) 141*257a750cSPeter Holm exit(1); 142*257a750cSPeter Holm st.st_flags &= ~(SF_NOUNLINK | UF_NOUNLINK | SF_IMMUTABLE | UF_IMMUTABLE | 143*257a750cSPeter Holm SF_APPEND | UF_APPEND); 144*257a750cSPeter Holm if (lchflags(filename, st.st_flags)) 145*257a750cSPeter Holm exit(1); 146*257a750cSPeter Holm} 147*257a750cSPeter Holmstatic void __attribute__((noinline)) remove_dir(const char* dir) 148*257a750cSPeter Holm{ 149*257a750cSPeter Holm DIR* dp = opendir(dir); 150*257a750cSPeter Holm if (dp == NULL) { 151*257a750cSPeter Holm if (errno == EACCES) { 152*257a750cSPeter Holm if (rmdir(dir)) 153*257a750cSPeter Holm exit(1); 154*257a750cSPeter Holm return; 155*257a750cSPeter Holm } 156*257a750cSPeter Holm exit(1); 157*257a750cSPeter Holm } 158*257a750cSPeter Holm struct dirent* ep = 0; 159*257a750cSPeter Holm while ((ep = readdir(dp))) { 160*257a750cSPeter Holm if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0) 161*257a750cSPeter Holm continue; 162*257a750cSPeter Holm char filename[FILENAME_MAX]; 163*257a750cSPeter Holm snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name); 164*257a750cSPeter Holm struct stat st; 165*257a750cSPeter Holm if (lstat(filename, &st)) 166*257a750cSPeter Holm exit(1); 167*257a750cSPeter Holm if (S_ISDIR(st.st_mode)) { 168*257a750cSPeter Holm remove_dir(filename); 169*257a750cSPeter Holm continue; 170*257a750cSPeter Holm } 171*257a750cSPeter Holm if (unlink(filename)) { 172*257a750cSPeter Holm if (errno == EPERM) { 173*257a750cSPeter Holm reset_flags(filename); 174*257a750cSPeter Holm reset_flags(dir); 175*257a750cSPeter Holm if (unlink(filename) == 0) 176*257a750cSPeter Holm continue; 177*257a750cSPeter Holm } 178*257a750cSPeter Holm exit(1); 179*257a750cSPeter Holm } 180*257a750cSPeter Holm } 181*257a750cSPeter Holm closedir(dp); 182*257a750cSPeter Holm while (rmdir(dir)) { 183*257a750cSPeter Holm if (errno == EPERM) { 184*257a750cSPeter Holm reset_flags(dir); 185*257a750cSPeter Holm if (rmdir(dir) == 0) 186*257a750cSPeter Holm break; 187*257a750cSPeter Holm } 188*257a750cSPeter Holm exit(1); 189*257a750cSPeter Holm } 190*257a750cSPeter Holm} 191*257a750cSPeter Holm 192*257a750cSPeter Holmstatic void thread_start(void* (*fn)(void*), void* arg) 193*257a750cSPeter Holm{ 194*257a750cSPeter Holm pthread_t th; 195*257a750cSPeter Holm pthread_attr_t attr; 196*257a750cSPeter Holm pthread_attr_init(&attr); 197*257a750cSPeter Holm pthread_attr_setstacksize(&attr, 128 << 10); 198*257a750cSPeter Holm int i = 0; 199*257a750cSPeter Holm for (; i < 100; i++) { 200*257a750cSPeter Holm if (pthread_create(&th, &attr, fn, arg) == 0) { 201*257a750cSPeter Holm pthread_attr_destroy(&attr); 202*257a750cSPeter Holm return; 203*257a750cSPeter Holm } 204*257a750cSPeter Holm if (errno == EAGAIN) { 205*257a750cSPeter Holm usleep(50); 206*257a750cSPeter Holm continue; 207*257a750cSPeter Holm } 208*257a750cSPeter Holm break; 209*257a750cSPeter Holm } 210*257a750cSPeter Holm exit(1); 211*257a750cSPeter Holm} 212*257a750cSPeter Holm 213*257a750cSPeter Holmtypedef struct { 214*257a750cSPeter Holm pthread_mutex_t mu; 215*257a750cSPeter Holm pthread_cond_t cv; 216*257a750cSPeter Holm int state; 217*257a750cSPeter Holm} event_t; 218*257a750cSPeter Holm 219*257a750cSPeter Holmstatic void event_init(event_t* ev) 220*257a750cSPeter Holm{ 221*257a750cSPeter Holm if (pthread_mutex_init(&ev->mu, 0)) 222*257a750cSPeter Holm exit(1); 223*257a750cSPeter Holm if (pthread_cond_init(&ev->cv, 0)) 224*257a750cSPeter Holm exit(1); 225*257a750cSPeter Holm ev->state = 0; 226*257a750cSPeter Holm} 227*257a750cSPeter Holm 228*257a750cSPeter Holmstatic void event_reset(event_t* ev) 229*257a750cSPeter Holm{ 230*257a750cSPeter Holm ev->state = 0; 231*257a750cSPeter Holm} 232*257a750cSPeter Holm 233*257a750cSPeter Holmstatic void event_set(event_t* ev) 234*257a750cSPeter Holm{ 235*257a750cSPeter Holm pthread_mutex_lock(&ev->mu); 236*257a750cSPeter Holm if (ev->state) 237*257a750cSPeter Holm exit(1); 238*257a750cSPeter Holm ev->state = 1; 239*257a750cSPeter Holm pthread_mutex_unlock(&ev->mu); 240*257a750cSPeter Holm pthread_cond_broadcast(&ev->cv); 241*257a750cSPeter Holm} 242*257a750cSPeter Holm 243*257a750cSPeter Holmstatic void event_wait(event_t* ev) 244*257a750cSPeter Holm{ 245*257a750cSPeter Holm pthread_mutex_lock(&ev->mu); 246*257a750cSPeter Holm while (!ev->state) 247*257a750cSPeter Holm pthread_cond_wait(&ev->cv, &ev->mu); 248*257a750cSPeter Holm pthread_mutex_unlock(&ev->mu); 249*257a750cSPeter Holm} 250*257a750cSPeter Holm 251*257a750cSPeter Holmstatic int event_isset(event_t* ev) 252*257a750cSPeter Holm{ 253*257a750cSPeter Holm pthread_mutex_lock(&ev->mu); 254*257a750cSPeter Holm int res = ev->state; 255*257a750cSPeter Holm pthread_mutex_unlock(&ev->mu); 256*257a750cSPeter Holm return res; 257*257a750cSPeter Holm} 258*257a750cSPeter Holm 259*257a750cSPeter Holmstatic int event_timedwait(event_t* ev, uint64_t timeout) 260*257a750cSPeter Holm{ 261*257a750cSPeter Holm uint64_t start = current_time_ms(); 262*257a750cSPeter Holm uint64_t now = start; 263*257a750cSPeter Holm pthread_mutex_lock(&ev->mu); 264*257a750cSPeter Holm for (;;) { 265*257a750cSPeter Holm if (ev->state) 266*257a750cSPeter Holm break; 267*257a750cSPeter Holm uint64_t remain = timeout - (now - start); 268*257a750cSPeter Holm struct timespec ts; 269*257a750cSPeter Holm ts.tv_sec = remain / 1000; 270*257a750cSPeter Holm ts.tv_nsec = (remain % 1000) * 1000 * 1000; 271*257a750cSPeter Holm pthread_cond_timedwait(&ev->cv, &ev->mu, &ts); 272*257a750cSPeter Holm now = current_time_ms(); 273*257a750cSPeter Holm if (now - start > timeout) 274*257a750cSPeter Holm break; 275*257a750cSPeter Holm } 276*257a750cSPeter Holm int res = ev->state; 277*257a750cSPeter Holm pthread_mutex_unlock(&ev->mu); 278*257a750cSPeter Holm return res; 279*257a750cSPeter Holm} 280*257a750cSPeter Holm 281*257a750cSPeter Holmstatic void sandbox_common() 282*257a750cSPeter Holm{ 283*257a750cSPeter Holm struct rlimit rlim; 284*257a750cSPeter Holm rlim.rlim_cur = rlim.rlim_max = 128 << 20; 285*257a750cSPeter Holm setrlimit(RLIMIT_AS, &rlim); 286*257a750cSPeter Holm rlim.rlim_cur = rlim.rlim_max = 8 << 20; 287*257a750cSPeter Holm setrlimit(RLIMIT_MEMLOCK, &rlim); 288*257a750cSPeter Holm rlim.rlim_cur = rlim.rlim_max = 1 << 20; 289*257a750cSPeter Holm setrlimit(RLIMIT_FSIZE, &rlim); 290*257a750cSPeter Holm rlim.rlim_cur = rlim.rlim_max = 1 << 20; 291*257a750cSPeter Holm setrlimit(RLIMIT_STACK, &rlim); 292*257a750cSPeter Holm rlim.rlim_cur = rlim.rlim_max = 0; 293*257a750cSPeter Holm setrlimit(RLIMIT_CORE, &rlim); 294*257a750cSPeter Holm rlim.rlim_cur = rlim.rlim_max = 256; 295*257a750cSPeter Holm setrlimit(RLIMIT_NOFILE, &rlim); 296*257a750cSPeter Holm} 297*257a750cSPeter Holm 298*257a750cSPeter Holmstatic void loop(); 299*257a750cSPeter Holm 300*257a750cSPeter Holmstatic int do_sandbox_none(void) 301*257a750cSPeter Holm{ 302*257a750cSPeter Holm sandbox_common(); 303*257a750cSPeter Holm loop(); 304*257a750cSPeter Holm return 0; 305*257a750cSPeter Holm} 306*257a750cSPeter Holm 307*257a750cSPeter Holmstruct thread_t { 308*257a750cSPeter Holm int created, call; 309*257a750cSPeter Holm event_t ready, done; 310*257a750cSPeter Holm}; 311*257a750cSPeter Holm 312*257a750cSPeter Holmstatic struct thread_t threads[16]; 313*257a750cSPeter Holmstatic void execute_call(int call); 314*257a750cSPeter Holmstatic int running; 315*257a750cSPeter Holm 316*257a750cSPeter Holmstatic void* thr(void* arg) 317*257a750cSPeter Holm{ 318*257a750cSPeter Holm struct thread_t* th = (struct thread_t*)arg; 319*257a750cSPeter Holm for (;;) { 320*257a750cSPeter Holm event_wait(&th->ready); 321*257a750cSPeter Holm event_reset(&th->ready); 322*257a750cSPeter Holm execute_call(th->call); 323*257a750cSPeter Holm __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED); 324*257a750cSPeter Holm event_set(&th->done); 325*257a750cSPeter Holm } 326*257a750cSPeter Holm return 0; 327*257a750cSPeter Holm} 328*257a750cSPeter Holm 329*257a750cSPeter Holmstatic void execute_one(void) 330*257a750cSPeter Holm{ 331*257a750cSPeter Holm if (write(1, "executing program\n", sizeof("executing program\n") - 1)) { 332*257a750cSPeter Holm } 333*257a750cSPeter Holm int i, call, thread; 334*257a750cSPeter Holm for (call = 0; call < 3; call++) { 335*257a750cSPeter Holm for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); 336*257a750cSPeter Holm thread++) { 337*257a750cSPeter Holm struct thread_t* th = &threads[thread]; 338*257a750cSPeter Holm if (!th->created) { 339*257a750cSPeter Holm th->created = 1; 340*257a750cSPeter Holm event_init(&th->ready); 341*257a750cSPeter Holm event_init(&th->done); 342*257a750cSPeter Holm event_set(&th->done); 343*257a750cSPeter Holm thread_start(thr, th); 344*257a750cSPeter Holm } 345*257a750cSPeter Holm if (!event_isset(&th->done)) 346*257a750cSPeter Holm continue; 347*257a750cSPeter Holm event_reset(&th->done); 348*257a750cSPeter Holm th->call = call; 349*257a750cSPeter Holm __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED); 350*257a750cSPeter Holm event_set(&th->ready); 351*257a750cSPeter Holm event_timedwait(&th->done, 50); 352*257a750cSPeter Holm break; 353*257a750cSPeter Holm } 354*257a750cSPeter Holm } 355*257a750cSPeter Holm for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++) 356*257a750cSPeter Holm sleep_ms(1); 357*257a750cSPeter Holm} 358*257a750cSPeter Holm 359*257a750cSPeter Holmstatic void execute_one(void); 360*257a750cSPeter Holm 361*257a750cSPeter Holm#define WAIT_FLAGS 0 362*257a750cSPeter Holm 363*257a750cSPeter Holmstatic void loop(void) 364*257a750cSPeter Holm{ 365*257a750cSPeter Holm int iter = 0; 366*257a750cSPeter Holm for (;; iter++) { 367*257a750cSPeter Holm char cwdbuf[32]; 368*257a750cSPeter Holm sprintf(cwdbuf, "./%d", iter); 369*257a750cSPeter Holm if (mkdir(cwdbuf, 0777)) 370*257a750cSPeter Holm exit(1); 371*257a750cSPeter Holm int pid = fork(); 372*257a750cSPeter Holm if (pid < 0) 373*257a750cSPeter Holm exit(1); 374*257a750cSPeter Holm if (pid == 0) { 375*257a750cSPeter Holm if (chdir(cwdbuf)) 376*257a750cSPeter Holm exit(1); 377*257a750cSPeter Holm execute_one(); 378*257a750cSPeter Holm exit(0); 379*257a750cSPeter Holm } 380*257a750cSPeter Holm int status = 0; 381*257a750cSPeter Holm uint64_t start = current_time_ms(); 382*257a750cSPeter Holm for (;;) { 383*257a750cSPeter Holm sleep_ms(10); 384*257a750cSPeter Holm if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) 385*257a750cSPeter Holm break; 386*257a750cSPeter Holm if (current_time_ms() - start < 5000) 387*257a750cSPeter Holm continue; 388*257a750cSPeter Holm kill_and_wait(pid, &status); 389*257a750cSPeter Holm break; 390*257a750cSPeter Holm } 391*257a750cSPeter Holm remove_dir(cwdbuf); 392*257a750cSPeter Holm } 393*257a750cSPeter Holm} 394*257a750cSPeter Holm 395*257a750cSPeter Holmuint64_t r[1] = {0xffffffffffffffff}; 396*257a750cSPeter Holm 397*257a750cSPeter Holmvoid execute_call(int call) 398*257a750cSPeter Holm{ 399*257a750cSPeter Holm intptr_t res = 0; 400*257a750cSPeter Holm switch (call) { 401*257a750cSPeter Holm case 0: 402*257a750cSPeter Holm // socket arguments: [ 403*257a750cSPeter Holm // domain: socket_domain = 0x26 (8 bytes) 404*257a750cSPeter Holm // type: socket_type = 0x2 (8 bytes) 405*257a750cSPeter Holm // proto: int8 = 0x0 (1 bytes) 406*257a750cSPeter Holm // ] 407*257a750cSPeter Holm // returns sock 408*257a750cSPeter Holm res = syscall(SYS_socket, /*domain=AF_INET|0x24*/ 0x26ul, 409*257a750cSPeter Holm /*type=SOCK_DGRAM*/ 2ul, /*proto=*/0); 410*257a750cSPeter Holm if (res != -1) 411*257a750cSPeter Holm r[0] = res; 412*257a750cSPeter Holm break; 413*257a750cSPeter Holm case 1: 414*257a750cSPeter Holm // bind arguments: [ 415*257a750cSPeter Holm // fd: sock (resource) 416*257a750cSPeter Holm // addr: ptr[in, sockaddr_storage] { 417*257a750cSPeter Holm // union sockaddr_storage { 418*257a750cSPeter Holm // in6: sockaddr_in6 { 419*257a750cSPeter Holm // len: len = 0x22 (1 bytes) 420*257a750cSPeter Holm // family: const = 0x1c (1 bytes) 421*257a750cSPeter Holm // port: proc = 0x3 (2 bytes) 422*257a750cSPeter Holm // flow: int32 = 0x0 (4 bytes) 423*257a750cSPeter Holm // addr: union ipv6_addr { 424*257a750cSPeter Holm // mcast1: ipv6_addr_multicast1 { 425*257a750cSPeter Holm // a0: const = 0xff (1 bytes) 426*257a750cSPeter Holm // a1: const = 0x1 (1 bytes) 427*257a750cSPeter Holm // a2: buffer: {00 00 00 00 00 00 00 00 00 00 00 00 00} (length 428*257a750cSPeter Holm // 0xd) a3: const = 0x1 (1 bytes) 429*257a750cSPeter Holm // } 430*257a750cSPeter Holm // } 431*257a750cSPeter Holm // scope: int32 = 0x0 (4 bytes) 432*257a750cSPeter Holm // } 433*257a750cSPeter Holm // } 434*257a750cSPeter Holm // } 435*257a750cSPeter Holm // addrlen: len = 0xc (8 bytes) 436*257a750cSPeter Holm // ] 437*257a750cSPeter Holm NONFAILING(*(uint8_t*)0x200000000040 = 0x22); 438*257a750cSPeter Holm NONFAILING(*(uint8_t*)0x200000000041 = 0x1c); 439*257a750cSPeter Holm NONFAILING(*(uint16_t*)0x200000000042 = htobe16(0x4e23 + procid * 4)); 440*257a750cSPeter Holm NONFAILING(*(uint32_t*)0x200000000044 = 0); 441*257a750cSPeter Holm NONFAILING(*(uint8_t*)0x200000000048 = -1); 442*257a750cSPeter Holm NONFAILING(*(uint8_t*)0x200000000049 = 1); 443*257a750cSPeter Holm NONFAILING(memset((void*)0x20000000004a, 0, 13)); 444*257a750cSPeter Holm NONFAILING(*(uint8_t*)0x200000000057 = 1); 445*257a750cSPeter Holm NONFAILING(*(uint32_t*)0x200000000058 = 0); 446*257a750cSPeter Holm syscall(SYS_bind, /*fd=*/r[0], /*addr=*/0x200000000040ul, 447*257a750cSPeter Holm /*addrlen=*/0xcul); 448*257a750cSPeter Holm break; 449*257a750cSPeter Holm case 2: 450*257a750cSPeter Holm // recvfrom\$inet arguments: [ 451*257a750cSPeter Holm // fd: sock_in (resource) 452*257a750cSPeter Holm // buf: nil 453*257a750cSPeter Holm // len: len = 0x51 (8 bytes) 454*257a750cSPeter Holm // f: recv_flags = 0x401313ab1a02f21f (8 bytes) 455*257a750cSPeter Holm // addr: nil 456*257a750cSPeter Holm // addrlen: len = 0x0 (8 bytes) 457*257a750cSPeter Holm // ] 458*257a750cSPeter Holm syscall(SYS_recvfrom, /*fd=*/r[0], /*buf=*/0ul, /*len=*/0x51ul, 459*257a750cSPeter Holm /*f=MSG_PEEK|MSG_OOB|0x401313ab1a02f21c*/ 0x401313ab1a02f21ful, 460*257a750cSPeter Holm /*addr=*/0ul, /*addrlen=*/0ul); 461*257a750cSPeter Holm break; 462*257a750cSPeter Holm } 463*257a750cSPeter Holm} 464*257a750cSPeter Holmint main(void) 465*257a750cSPeter Holm{ 466*257a750cSPeter Holm syscall(SYS_mmap, /*addr=*/0x200000000000ul, /*len=*/0x1000000ul, 467*257a750cSPeter Holm /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul, 468*257a750cSPeter Holm /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x1012ul, 469*257a750cSPeter Holm /*fd=*/(intptr_t)-1, /*offset=*/0ul); 470*257a750cSPeter Holm const char* reason; 471*257a750cSPeter Holm (void)reason; 472*257a750cSPeter Holm install_segv_handler(); 473*257a750cSPeter Holm for (procid = 0; procid < 4; procid++) { 474*257a750cSPeter Holm if (fork() == 0) { 475*257a750cSPeter Holm use_temporary_dir(); 476*257a750cSPeter Holm do_sandbox_none(); 477*257a750cSPeter Holm } 478*257a750cSPeter Holm } 479*257a750cSPeter Holm sleep(1000000); 480*257a750cSPeter Holm return 0; 481*257a750cSPeter Holm} 482*257a750cSPeter HolmEOF 483*257a750cSPeter Holmmycc -o /tmp/$prog -Wall -Wextra -O0 /tmp/$prog.c -pthread || exit 1 484*257a750cSPeter Holm 485*257a750cSPeter Holm(cd ../testcases/swap; ./swap -t 5m -i 20 -l 100 > /dev/null 2>&1) & 486*257a750cSPeter Holmsleep 5 487*257a750cSPeter Holm 488*257a750cSPeter Holmwork=/tmp/$prog.dir 489*257a750cSPeter Holmrm -rf $work 490*257a750cSPeter Holmmkdir $work 491*257a750cSPeter Holmcd /tmp/$prog.dir 492*257a750cSPeter Holm 493*257a750cSPeter Holmtimeout 5m /tmp/$prog > /dev/null 2>&1 494*257a750cSPeter Holm 495*257a750cSPeter Holmwhile pkill swap; do :; done 496*257a750cSPeter Holmwait 497*257a750cSPeter Holm 498*257a750cSPeter Holmrm -rf /tmp/$prog /tmp/$prog.c /tmp/$prog.core /tmp/syzkaller.?????? $work 499*257a750cSPeter Holmexit 0 500