Date: Thu, 10 Dec 2020 05:45:46 +0000 (UTC) From: Peter Holm <pho@FreeBSD.org> To: src-committers@freebsd.org, svn-src-user@freebsd.org Subject: svn commit: r368497 - user/pho/stress2/misc Message-ID: <202012100545.0BA5jkDV045932@repo.freebsd.org>
Author: pho Date: Thu Dec 10 05:45:46 2020 New Revision: 368497 URL: https://svnweb.freebsd.org/changeset/base/368497 Log: Added two more syzkaller reproducers. Added: user/pho/stress2/misc/syzkaller10.sh (contents, props changed) Added: user/pho/stress2/misc/syzkaller10.sh ==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ user/pho/stress2/misc/syzkaller10.sh Thu Dec 10 05:45:46 2020 (r368497) 
@@ -0,0 +1,95 @@
+#!/bin/sh
+
+# panic: sbsndptr_noadv: sb_mb is NULL
+# cpuid = 0
+# time = 1586867804
+# KDB: stack backtrace:
+# db_trace_self_wrapper() at db_trace_self_wrapper+0x47/frame 0xfffffe0025a68360
+# vpanic() at vpanic+0x1c7/frame 0xfffffe0025a683c0
+# panic() at panic+0x43/frame 0xfffffe0025a68420
+# sbsndptr_noadv() at sbsndptr_noadv+0xae/frame 0xfffffe0025a68460
+# rack_output() at rack_output+0x51f5/frame 0xfffffe0025a68700
+# tcp_usr_send() at tcp_usr_send+0x5c7/frame 0xfffffe0025a687e0
+# sosend_generic() at sosend_generic+0x8fd/frame 0xfffffe0025a688e0
+# sosend() at sosend+0xc6/frame 0xfffffe0025a68950
+# kern_sendit() at kern_sendit+0x33d/frame 0xfffffe0025a68a00
+# sendit() at sendit+0x224/frame 0xfffffe0025a68a60
+# sys_sendto() at sys_sendto+0x5c/frame 0xfffffe0025a68ac0
+# amd64_syscall() at amd64_syscall+0x262/frame 0xfffffe0025a68bf0
+
+# $FreeBSD$
+
+[ `uname -p` = "i386" ] && exit 0
+
+. ../default.cfg
+cat > /tmp/syzkaller10.c <<EOF
+// https://syzkaller.appspot.com/bug?id=048f650e99696f881872a285cef0e3b9bd4f4e25
+// autogenerated by syzkaller (https://github.com/google/syzkaller)
+
+#define _GNU_SOURCE
+
+#include <pwd.h>
+#include <stdarg.h>
+#include <stdbool.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/endian.h>
+#include <sys/syscall.h>
+#include <unistd.h>
+
+uint64_t r[1] = {0xffffffffffffffff};
+
+int main(void)
+{
+ syscall(SYS_mmap, 0x20000000ul, 0x1000000ul, 3ul, 0x1012ul, -1, 0ul);
+ intptr_t res = 0;
+ res = syscall(SYS_socket, 2ul, 1ul, 0);
+ if (res != -1)
+ r[0] = res;
+ memcpy((void*)0x20000080,
+ "rack\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000"
+ "\000\000\000\000\000\000\000\000\000\000\000\000",
+ 32);
+ *(uint32_t*)0x200000a0 = 0;
+ syscall(SYS_setsockopt, r[0], 6, 0x2000, 0x20000080ul, 0x24ul);
+ *(uint8_t*)0x20000000 = 0x2c;
+ *(uint8_t*)0x20000001 = 2;
+ *(uint16_t*)0x20000002 = htobe16(0x4e21);
+ *(uint32_t*)0x20000004 = htobe32(-1);
+ *(uint8_t*)0x20000008 = 0;
+ *(uint8_t*)0x20000009 = 0;
+ *(uint8_t*)0x2000000a = 0;
+ *(uint8_t*)0x2000000b = 0;
+ *(uint8_t*)0x2000000c = 0;
+ *(uint8_t*)0x2000000d = 0;
+ *(uint8_t*)0x2000000e = 0;
+ *(uint8_t*)0x2000000f = 0;
+ syscall(SYS_sendto, r[0], 0ul, 0ul, 0ul, 0x20000000ul, 0x10ul);
+ *(uint8_t*)0x20000040 = 0x10;
+ *(uint8_t*)0x20000041 = 2;
+ *(uint16_t*)0x20000042 = htobe16(0x4e21);
+ *(uint32_t*)0x20000044 = htobe32(0);
+ *(uint8_t*)0x20000048 = 0;
+ *(uint8_t*)0x20000049 = 0;
+ *(uint8_t*)0x2000004a = 0;
+ *(uint8_t*)0x2000004b = 0;
+ *(uint8_t*)0x2000004c = 0;
+ *(uint8_t*)0x2000004d = 0;
+ *(uint8_t*)0x2000004e = 0;
+ *(uint8_t*)0x2000004f = 0;
+ syscall(SYS_sendto, r[0], 0ul, 0ul, 0x60005ul, 0x20000040ul, 0x10ul);
+ return 0;
+}
+EOF
+mycc -o /tmp/syzkaller10 -Wall -Wextra -O2 /tmp/syzkaller10.c -lpthread ||
+ exit 1
+
+(cd /tmp; ./syzkaller10) &
+sleep 60
+pkill -9 syzkaller10
+wait
+
+rm -f /tmp/syzkaller10 /tmp/syzkaller10.c /tmp/syzkaller10.core
+exit 0
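Review bot: The compile step near the end of the hunk, `mycc … || exit 1`, exits without removing /tmp/syzkaller10.c, so a failed build leaves the generated source in /tmp while the success path cleans it up with the final `rm -f`; `mycc -o /tmp/syzkaller10 -Wall -Wextra -O2 /tmp/syzkaller10.c -lpthread || { rm -f /tmp/syzkaller10.c; exit 1; }` keeps both paths consistent. The `uname -p` i386 guard at the top is unexplained; presumably it exists because the reproducer maps a fixed 64-bit address (0x20000000 via SYS_mmap), so a comment such as `# syzkaller reproducer relies on amd64 fixed addresses` would help the next reader. `pkill -9 syzkaller10` matches any process whose name contains that string, so a later syzkaller100 reproducer in the same directory would be killed as well; `pkill -9 -x syzkaller10` limits it to an exact name match.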