Created
April 8, 2018 11:15
// autogenerated by syzkaller (http://github.com/google/syzkaller) | |
#define _GNU_SOURCE | |
#include <fcntl.h> | |
#include <signal.h> | |
#include <stdio.h> | |
#include <sys/prctl.h> | |
#include <sys/socket.h> | |
#include <sys/stat.h> | |
#include <sys/syscall.h> | |
#include <sys/time.h> | |
#include <sys/types.h> | |
#include <sys/wait.h> | |
#include <time.h> | |
#include <unistd.h> | |
#include <errno.h> | |
#include <stdint.h> | |
#include <stdio.h> | |
#include <stdbool.h> | |
#include <stdarg.h> | |
#include <stdlib.h> | |
#include <string.h> | |
#include <sys/mman.h> | |
// Formats a printf-style message and writes it to an already existing file.
//
// The file is opened write-only without O_CREAT, so a missing path makes the
// call fail instead of creating the file. The formatted text is capped at
// sizeof(text) - 1 bytes; longer output is silently truncated by vsnprintf.
//
// Returns true only when the whole message went out in a single write().
// On a failed or short write, errno is restored to the value seen right
// after write(), so close() cannot clobber it for the caller.
static bool write_file(const char* file, const char* what, ...)
{
    char text[1024];
    va_list ap;

    va_start(ap, what);
    vsnprintf(text, sizeof(text), what, ap);
    va_end(ap);
    text[sizeof(text) - 1] = 0;
    int want = strlen(text);

    int fd = open(file, O_WRONLY | O_CLOEXEC);
    if (fd == -1)
        return false;

    bool complete = write(fd, text, want) == want;
    int saved_errno = errno;
    close(fd);
    if (!complete)
        errno = saved_errno;
    return complete;
}
// Arms per-thread fault injection by writing a decimal count to
// /proc/thread-self/fail-nth.
//
// The value written is nth + 1, so the caller's argument looks zero-based
// while the kernel interface presumably counts from 1 (confirm against the
// kernel's fault-injection documentation). The file only exists on kernels
// built with fault injection; when it cannot be opened or written, the
// process prints a message and exits, using printf's return value (the
// message length) as the exit status.
//
// Returns the still-open descriptor. The only caller in this file discards
// it, so the descriptor lives until that process exits.
static int inject_fault(int nth)
{
    char count[16];
    int fail_fd = open("/proc/thread-self/fail-nth", O_RDWR);

    if (fail_fd == -1)
        exit(printf("failed to open /proc/thread-self/fail-nth\n"));

    // A decimal int needs at most 11 characters plus the terminator, so the
    // 16-byte buffer cannot overflow.
    int digits = snprintf(count, sizeof(count), "%d", nth + 1);
    if (write(fail_fd, count, digits) != (ssize_t)digits)
        exit(printf("failed to write /proc/thread-self/fail-nth\n"));

    return fail_fd;
}
// One run of the reproducer: bind an AF_ALG socket to a DRBG-backed "rng"
// algorithm, arm fault injection, then issue a zero-length setsockopt on it.
//
// Every pointer is a fixed address inside the anonymous region that main()
// maps at 0x20000000; nothing here is valid if that mapping failed. No
// syscall result is checked, as is usual for generated reproducers.
//
// NOTE(review): the page does not say which kernel report this reproducer
// belongs to, so the failing kernel path is not documented here.
void execute_one()
{
    // The 0x58 bytes at sockaddr_at follow the struct sockaddr_alg layout:
    //   +0x00 u16      salg_family
    //   +0x02 char[14] salg_type
    //   +0x10 u32      salg_feat
    //   +0x14 u32      salg_mask
    //   +0x18 char[64] salg_name
    const long sockaddr_at = 0x20000040;
    // Option value pointer for setsockopt; it is passed with length 0.
    const long optval_at = 0x205b1fd0;

    // Domain 0x26 is AF_ALG and type 5 is SOCK_SEQPACKET on Linux.
    int alg_fd = syscall(__NR_socket, 0x26, 5, 0);

    *(uint16_t*)sockaddr_at = 0x26;
    // salg_type: the bytes spell "rng", zero-padded to 14.
    memcpy((void*)(sockaddr_at + 0x02),
           "\x72\x6e\x67\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", 14);
    *(uint32_t*)(sockaddr_at + 0x10) = 0;
    *(uint32_t*)(sockaddr_at + 0x14) = 0;
    // salg_name: the bytes spell "drbg_pr_ctr_aes128", zero-padded to 64.
    memcpy((void*)(sockaddr_at + 0x18),
           "\x64\x72\x62\x67\x5f\x70\x72\x5f\x63\x74\x72\x5f\x61\x65\x73\x31\x32"
           "\x38\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
           "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
           "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00",
           64);
    syscall(__NR_bind, alg_fd, sockaddr_at, 0x58);

    // Armed after bind() so the injected failure lands inside the
    // setsockopt call below; inject_fault writes 8 + 1 to fail-nth.
    inject_fault(8);

    // Level 0x117 is SOL_ALG and option 1 is ALG_SET_KEY.
    syscall(__NR_setsockopt, alg_fd, 0x117, 1, optval_at, 0);
}
// Driver: configures fault injection, maps the scratch region used by
// execute_one(), then keeps 8 worker processes running it in a loop.
//
// Prerequisites visible from the code: debugfs mounted at /sys/kernel/debug
// with the failslab and fail_futex knobs present, write access to them
// (normally root), and /proc/thread-self/fail-nth. The program never exits
// by itself: workers loop forever and the parent sleeps for 1000000 seconds,
// so it has to be killed from outside. It is meant for a disposable test
// kernel or VM.
int main()
{
    // Best effort: both results are ignored, so on a kernel without these
    // knobs the previous settings simply stay in place.
    write_file("/sys/kernel/debug/failslab/ignore-gfp-wait", "N");
    write_file("/sys/kernel/debug/fail_futex/ignore-private", "N");

    // 16 MiB at a fixed address. On x86 Linux, prot 3 is
    // PROT_READ | PROT_WRITE and flags 0x32 is
    // MAP_PRIVATE | MAP_FIXED | MAP_ANONYMOUS. The result is not checked;
    // if the mapping fails, execute_one() faults on its first store.
    mmap((void*)0x20000000, 0x1000000, 3, 0x32, -1, 0);

    int worker = 0;
    while (worker < 8) {
        if (fork() == 0) {
            // Worker: run each attempt in a fresh child so a crashed or
            // killed attempt does not take the worker down with it.
            while (1) {
                int child = fork();
                if (child == 0) {
                    execute_one();
                    exit(0);
                }
                int wstatus;
                while (waitpid(child, &wstatus, __WALL) != child) {
                }
            }
        }
        worker++;
    }

    sleep(1000000);
    return 0;
}