From: Peter Holm
Date: Thu, 10 Dec 2020 05:45:46 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-user@freebsd.org
Subject: svn commit: r368497 - user/pho/stress2/misc

Author: pho
Date: Thu Dec 10 05:45:46 2020
New Revision: 368497
URL: https://svnweb.freebsd.org/changeset/base/368497

Log:
  Added two more syzkaller reproducers.

Added:
  user/pho/stress2/misc/syzkaller10.sh (contents, props changed)

Added: user/pho/stress2/misc/syzkaller10.sh
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ user/pho/stress2/misc/syzkaller10.sh Thu Dec 10 05:45:46 2020 (r368497) 
@@ -0,0 +1,95 @@ +#!/bin/sh + +# panic: sbsndptr_noadv: sb_mb is NULL +# cpuid = 0 +# time = 1586867804 +# KDB: stack backtrace: +# db_trace_self_wrapper() at db_trace_self_wrapper+0x47/frame 0xfffffe0025a68360 +# vpanic() at vpanic+0x1c7/frame 0xfffffe0025a683c0 +# panic() at panic+0x43/frame 0xfffffe0025a68420 +# sbsndptr_noadv() at sbsndptr_noadv+0xae/frame 0xfffffe0025a68460 +# rack_output() at rack_output+0x51f5/frame 0xfffffe0025a68700 +# tcp_usr_send() at tcp_usr_send+0x5c7/frame 0xfffffe0025a687e0 +# sosend_generic() at sosend_generic+0x8fd/frame 0xfffffe0025a688e0 +# sosend() at sosend+0xc6/frame 0xfffffe0025a68950 +# kern_sendit() at kern_sendit+0x33d/frame 0xfffffe0025a68a00 +# sendit() at sendit+0x224/frame 0xfffffe0025a68a60 +# sys_sendto() at sys_sendto+0x5c/frame 0xfffffe0025a68ac0 +# amd64_syscall() at amd64_syscall+0x262/frame 0xfffffe0025a68bf0 + +# $FreeBSD$ + +[ `uname -p` = "i386" ] && exit 0 + +. ../default.cfg +cat > /tmp/syzkaller10.c < +#include +#include +#include +#include +#include +#include +#include +#include +#include + +uint64_t r[1] = {0xffffffffffffffff}; + +int main(void) +{ + syscall(SYS_mmap, 0x20000000ul, 0x1000000ul, 3ul, 0x1012ul, -1, 0ul); + intptr_t res = 0; + res = syscall(SYS_socket, 2ul, 1ul, 0); + if (res != -1) + r[0] = res; + memcpy((void*)0x20000080, + "rack\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000" + "\000\000\000\000\000\000\000\000\000\000\000\000", + 32); + *(uint32_t*)0x200000a0 = 0; + syscall(SYS_setsockopt, r[0], 6, 0x2000, 0x20000080ul, 0x24ul); + *(uint8_t*)0x20000000 = 0x2c; + *(uint8_t*)0x20000001 = 2; + *(uint16_t*)0x20000002 = htobe16(0x4e21); + *(uint32_t*)0x20000004 = htobe32(-1); + *(uint8_t*)0x20000008 = 0; + *(uint8_t*)0x20000009 = 0; + *(uint8_t*)0x2000000a = 0; + *(uint8_t*)0x2000000b = 0; + *(uint8_t*)0x2000000c = 0; + *(uint8_t*)0x2000000d = 0; + *(uint8_t*)0x2000000e = 0; + *(uint8_t*)0x2000000f = 0; + syscall(SYS_sendto, r[0], 0ul, 0ul, 0ul, 0x20000000ul, 0x10ul); + 
*(uint8_t*)0x20000040 = 0x10; + *(uint8_t*)0x20000041 = 2; + *(uint16_t*)0x20000042 = htobe16(0x4e21); + *(uint32_t*)0x20000044 = htobe32(0); + *(uint8_t*)0x20000048 = 0; + *(uint8_t*)0x20000049 = 0; + *(uint8_t*)0x2000004a = 0; + *(uint8_t*)0x2000004b = 0; + *(uint8_t*)0x2000004c = 0; + *(uint8_t*)0x2000004d = 0; + *(uint8_t*)0x2000004e = 0; + *(uint8_t*)0x2000004f = 0; + syscall(SYS_sendto, r[0], 0ul, 0ul, 0x60005ul, 0x20000040ul, 0x10ul); + return 0; +} +EOF +mycc -o /tmp/syzkaller10 -Wall -Wextra -O2 /tmp/syzkaller10.c -lpthread || + exit 1 + +(cd /tmp; ./syzkaller10) & +sleep 60 +pkill -9 syzkaller10 +wait + +rm -f /tmp/syzkaller10 /tmp/syzkaller10.c /tmp/syzkaller10.core +exit 0
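
Review bot: The reproducer only reaches the rack_output() path shown in the backtrace if the `syscall(SYS_setsockopt, r[0], 6, 0x2000, ...)` call selecting the "rack" function block succeeds, and neither the C code nor the script checks that. On a kernel where the RACK stack is not available the call fails, both sendto() calls go through the default stack, and the script still ends with `exit 0`, so the run looks like a pass without having exercised the code under test. Suggest checking for the RACK stack before the heredoc and exiting early when it is absent, next to the existing `uname -p` guard. Smaller points: the program is straight-line and returns immediately, so `sleep 60` followed by `pkill -9 syzkaller10` is mostly idle time and a plain `wait` on the background job would do; and `-lpthread` is not needed since no threads are created.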