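#!/bin/sh

# Reproducer obtained from: Jiaming Zhang <r772577952@gmail.com>
# Bug 293898 - panic: AUX register unsupported

# No problems seen.

# The reproducer opens /dev/pass0 and issues a CAMIOCOMMAND ioctl against
# it, so the whole script has to run as root.
if [ "$(id -u)" -ne 0 ]; then
  echo "Must be root!"
  exit 1
fi

. ../default.cfg
set -u
prog=$(basename "$0" .sh)

# Source, binary and core file all live under the fixed /tmp/$prog name used
# throughout this suite.  The here-doc is deliberately unquoted (<<EOF) so that
# the "\$" escapes below yield the literal "$" of syzkaller's call names
# (e.g. openat$pass_pass_cdevsw); nothing else in the C text is expanded.
cat > "/tmp/$prog.c" <<EOF
// autogenerated by syzkaller (https://github.com/google/syzkaller)

#define _GNU_SOURCE

#include <pwd.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/endian.h>
#include <sys/syscall.h>
#include <unistd.h>

uint64_t r[1] = {0xffffffffffffffff};

int main(void)
{
  syscall(SYS_mmap, /*addr=*/0x200000000000ul, /*len=*/0x1000000ul,
          /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul,
          /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x1012ul,
          /*fd=*/(intptr_t)-1, /*offset=*/0ul);
  const char* reason;
  (void)reason;
  intptr_t res = 0;
  if (write(1, "executing program\n", sizeof("executing program\n") - 1)) {
  }
  // openat\$pass_pass_cdevsw arguments: [
  //   fd: const = 0xffffffffffffff9c (8 bytes)
  //   file: ptr[in, buffer] {
  //     buffer: {2f 64 65 76 2f 70 61 73 73 30 00} (length 0xb)
  //   }
  //   flags: open_flags = 0x2 (4 bytes)
  //   mode: const = 0x0 (4 bytes)
  // ]
  // returns fd_pass_pass_cdevsw
  memcpy((void*)0x200000000100, "/dev/pass0\000", 11);
  res = syscall(SYS_openat, /*fd=*/0xffffffffffffff9cul,
                /*file=*/0x200000000100ul, /*flags=O_RDWR*/ 2, /*mode=*/0);
  if (res != -1)
    r[0] = res;
  // ioctl\$CAMIOCOMMAND_pass_cdevsw arguments: [
  //   fd: fd_pass_pass_cdevsw (resource)
  //   cmd: const = 0xc4e01a02 (8 bytes)
  //   arg: ptr[inout, ccb\$pass_cdevsw] {
  //     union ccb\$pass_cdevsw {
  //       cqa: ccb_que_ais\$pass_cdevsw {
  //         ccb_h: ccb_hdr\$pass_cdevsw {
  //           pinfo: cam_pinfo\$pass_cdevsw {
  //             priority: int32 = 0x0 (4 bytes)
  //             generation: int32 = 0x3 (4 bytes)
  //             index: int32 = 0x2000000 (4 bytes)
  //           }
  //           pad = 0x0 (4 bytes)
  //           xpt_links: camq_entry\$pass_cdevsw {
  //             links_next: intptr = 0xfea (8 bytes)
  //             priority: int32 = 0xfffffffb (4 bytes)
  //             pad = 0x0 (4 bytes)
  //           }
  //           sim_links: camq_entry\$pass_cdevsw {
  //             links_next: intptr = 0x2 (8 bytes)
  //             priority: int32 = 0x6 (4 bytes)
  //             pad = 0x0 (4 bytes)
  //           }
  //           periph_links: camq_entry\$pass_cdevsw {
  //             links_next: intptr = 0x83 (8 bytes)
  //             priority: int32 = 0xd (4 bytes)
  //             pad = 0x0 (4 bytes)
  //           }
  //           retry_count: int16 = 0x1 (2 bytes)
  //           alloc_flags: int16 = 0x6b4 (2 bytes)
  //           pad = 0x0 (4 bytes)
  //           cbfcnp: intptr = 0x0 (8 bytes)
  //           func_code: int32 = 0x918 (4 bytes)
  //           status: int32 = 0x4 (4 bytes)
  //           path: intptr = 0xfffffffffffffffc (8 bytes)
  //           path_id: int32 = 0x9 (4 bytes)
  //           target_id: int32 = 0x8 (4 bytes)
  //           target_lun: int64 = 0x7d44 (8 bytes)
  //           flags: int32 = 0x1 (4 bytes)
  //           xflags: int32 = 0xfffffff8 (4 bytes)
  //           periph_priv: buffer: {69 32 82 68 e7 3f ef 85 2d 76 56 88 e5 d9
  //           10 17} (length 0x10) sim_priv: buffer: {00 00 00 00 00 00 00 00
  //           00 00 00 00 00 00 80 00} (length 0x10) qos: buffer: {f6 7d 0f 00
  //           10 00 00 00 00 32 e5 67 b7 bc 75 2d} (length 0x10) timeout:
  //           int32 = 0xffffffff (4 bytes) pad = 0x0 (4 bytes) softtimeout:
  //           timeval {
  //             sec: intptr = 0x5 (8 bytes)
  //             usec: intptr = 0x4 (8 bytes)
  //           }
  //         }
  //         payload: buffer: {f5 6a 42 5c 52 f4 74 e3 39 a5 05 00 00 00 ce 58
  //         c0 19 28 cb 06 ee d4 11 85 f4 29 8a 46 09 8a 1d be bf 87 fb 73 a4
  //         9e 3f 64 4f f0 18 b6 64 8f ab 00 00 00 00 00 00 00 00 00 00 00 00
  //         00 00 00 00} (length 0x40)
  //       }
  //     }
  //   }
  // ]
  *(uint32_t*)0x200000000000 = 0;
  *(uint32_t*)0x200000000004 = 3;
  *(uint32_t*)0x200000000008 = 0x2000000;
  *(uint64_t*)0x200000000010 = 0xfea;
  *(uint32_t*)0x200000000018 = 0xfffffffb;
  *(uint64_t*)0x200000000020 = 2;
  *(uint32_t*)0x200000000028 = 6;
  *(uint64_t*)0x200000000030 = 0x83;
  *(uint32_t*)0x200000000038 = 0xd;
  *(uint16_t*)0x200000000040 = 1;
  *(uint16_t*)0x200000000042 = 0x6b4;
  *(uint64_t*)0x200000000048 = 0;
  *(uint32_t*)0x200000000050 = 0x918;
  *(uint32_t*)0x200000000054 = 4;
  *(uint64_t*)0x200000000058 = 0xfffffffffffffffc;
  *(uint32_t*)0x200000000060 = 9;
  *(uint32_t*)0x200000000064 = 8;
  *(uint64_t*)0x200000000068 = 0x7d44;
  *(uint32_t*)0x200000000070 = 1;
  *(uint32_t*)0x200000000074 = 0xfffffff8;
  memcpy((void*)0x200000000078,
         "\x69\x32\x82\x68\xe7\x3f\xef\x85\x2d\x76\x56\x88\xe5\xd9\x10\x17",
         16);
  memcpy((void*)0x200000000088,
         "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00",
         16);
  memcpy((void*)0x200000000098,
         "\xf6\x7d\x0f\x00\x10\x00\x00\x00\x00\x32\xe5\x67\xb7\xbc\x75\x2d",
         16);
  *(uint32_t*)0x2000000000a8 = -1;
  *(uint64_t*)0x2000000000b0 = 5;
  *(uint64_t*)0x2000000000b8 = 4;
  memcpy((void*)0x2000000000c0,
         "\xf5\x6a\x42\x5c\x52\xf4\x74\xe3\x39\xa5\x05\x00\x00\x00\xce\x58\xc0"
         "\x19\x28\xcb\x06\xee\xd4\x11\x85\xf4\x29\x8a\x46\x09\x8a\x1d\xbe\xbf"
         "\x87\xfb\x73\xa4\x9e\x3f\x64\x4f\xf0\x18\xb6\x64\x8f\xab\x00\x00\x00"
         "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00",
         64);
  syscall(SYS_ioctl, /*fd=*/r[0], /*cmd=*/0xc4e01a02ul,
          /*arg=*/0x200000000000ul);
  return 0;
}
EOF

# mycc is not defined in this script; presumably it is provided by
# ../default.cfg sourced above.
mycc -o "/tmp/$prog" -Wall -Wextra -O0 "/tmp/$prog.c" || exit 1

# Bound the reproducer's run time; its output and exit status are not
# inspected, the point of the run is whether the kernel survives it.
timeout 3m "/tmp/$prog" > /dev/null 2>&1

# ${prog:?} aborts instead of expanding to "/tmp/" should prog ever be empty;
# set -u only catches the unset case.
rm -rf "/tmp/${prog:?}" "/tmp/${prog:?}.c" "/tmp/${prog:?}.core"
exit 0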