zhanggen
bad-page-map-5.0
Commits
cfda3598
Commit
cfda3598
authored
Mar 13, 2019
by
zhanggen
Add new file
parents
Showing
1 changed file
with
191 additions
and
0 deletions
+191
-0
code.c
code.c
+191
-0
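--- /dev/null
+++ b/code.c
+C reproducer:
+// autogenerated by syzkaller (https://github.com/google/syzkaller)
+#define _GNU_SOURCE
+#include <dirent.h>
+#include <endian.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <setjmp.h>
+#include <signal.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/prctl.h>
+#include <sys/stat.h>
+#include <sys/syscall.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+#include <time.h>
+#include <unistd.h>
+static __thread int skip_segv;
+static __thread jmp_buf segv_env;
+static void segv_handler(int sig, siginfo_t* info, void* ctx)
+{
+  uintptr_t addr = (uintptr_t)info->si_addr;
+  const uintptr_t prog_start = 1 << 20;
+  const uintptr_t prog_end = 100 << 20;
+  if (__atomic_load_n(&skip_segv, __ATOMIC_RELAXED) && (addr < prog_start || addr > prog_end)) {
+    _longjmp(segv_env, 1);
+  }
+  exit(sig);
+}
+static void install_segv_handler(void)
+{
+  struct sigaction sa;
+  memset(&sa, 0, sizeof(sa));
+  sa.sa_handler = SIG_IGN;
+  syscall(SYS_rt_sigaction, 0x20, &sa, NULL, 8);
+  syscall(SYS_rt_sigaction, 0x21, &sa, NULL, 8);
+  memset(&sa, 0, sizeof(sa));
+  sa.sa_sigaction = segv_handler;
+  sa.sa_flags = SA_NODEFER | SA_SIGINFO;
+  sigaction(SIGSEGV, &sa, NULL);
+  sigaction(SIGBUS, &sa, NULL);
+}
+#define NONFAILING(...) { __atomic_fetch_add(&skip_segv, 1, __ATOMIC_SEQ_CST); if (_setjmp(segv_env) == 0) { __VA_ARGS__; } __atomic_fetch_sub(&skip_segv, 1, __ATOMIC_SEQ_CST); }
+static void sleep_ms(uint64_t ms)
+{
+  usleep(ms * 1000);
+}
+static uint64_t current_time_ms(void)
+{
+  struct timespec ts;
+  if (clock_gettime(CLOCK_MONOTONIC, &ts))
+    exit(1);
+  return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
+}
+static long syz_open_dev(long a0, long a1, long a2)
+{
+  if (a0 == 0xc || a0 == 0xb) {
+    char buf[128];
+    sprintf(buf, "/dev/%s/%d:%d", a0 == 0xc ? "char" : "block", (uint8_t)a1, (uint8_t)a2);
+    return open(buf, O_RDWR, 0);
+  } else {
+    char buf[1024];
+    char* hash;
+    NONFAILING(strncpy(buf, (char*)a0, sizeof(buf) - 1));
+    buf[sizeof(buf) - 1] = 0;
+    while ((hash = strchr(buf, '#'))) {
+      *hash = '0' + (char)(a1 % 10);
+      a1 /= 10;
+    }
+    return open(buf, a2, 0);
+  }
+}
+static void kill_and_wait(int pid, int* status)
+{
+  kill(-pid, SIGKILL);
+  kill(pid, SIGKILL);
+  int i;
+  for (i = 0; i < 100; i++) {
+    if (waitpid(-1, status, WNOHANG | __WALL) == pid)
+      return;
+    usleep(1000);
+  }
+  DIR* dir = opendir("/sys/fs/fuse/connections");
+  if (dir) {
+    for (;;) {
+      struct dirent* ent = readdir(dir);
+      if (!ent)
+        break;
+      if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
+        continue;
+      char abort[300];
+      snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort", ent->d_name);
+      int fd = open(abort, O_WRONLY);
+      if (fd == -1) {
+        continue;
+      }
+      if (write(fd, abort, 1) < 0) {
+      }
+      close(fd);
+    }
+    closedir(dir);
+  } else {
+  }
+  while (waitpid(-1, status, __WALL) != pid) {
+  }
+}
+#define SYZ_HAVE_SETUP_TEST 1
+static void setup_test()
+{
+  prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
+  setpgrp();
+}
+#define SYZ_HAVE_RESET_TEST 1
+static void reset_test()
+{
+  int fd;
+  for (fd = 3; fd < 30; fd++)
+    close(fd);
+}
+static void execute_one(void);
+#define WAIT_FLAGS __WALL
+static void loop(void)
+{
+  int iter;
+  for (iter = 0;; iter++) {
+    int pid = fork();
+    if (pid < 0)
+      exit(1);
+    if (pid == 0) {
+      setup_test();
+      execute_one();
+      reset_test();
+      exit(0);
+    }
+    int status = 0;
+    uint64_t start = current_time_ms();
+    for (;;) {
+      if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
+        break;
+      sleep_ms(1);
+      if (current_time_ms() - start < 5 * 1000)
+        continue;
+      kill_and_wait(pid, &status);
+      break;
+    }
+  }
+}
+uint64_t r[1] = {0xffffffffffffffff};
+void execute_one(void)
+{
+  long res = 0;
+  NONFAILING(memcpy((void*)0x20000000, "/dev/sg#\000", 9));
+  res = syz_open_dev(0x20000000, 0, 0);
+  if (res != -1)
+    r[0] = res;
+  NONFAILING(*(uint32_t*)0x20000180 = 1);
+  NONFAILING(*(uint32_t*)0x20000184 = 0);
+  NONFAILING(*(uint32_t*)0x20000188 = 8);
+  NONFAILING(memcpy((void*)0x2000018c, "S", 1));
+  syscall(__NR_ioctl, r[0], 1, 0x20000180);
+}
+int main(void)
+{
+  syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0);
+  install_segv_handler();
+  loop();
+  return 0;
+}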
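Review bot: The first line of code.c, `C reproducer:`, appears to be a label carried over from the bug report rather than generator output, and as bare text ahead of the `// autogenerated by syzkaller` comment it will stop the file from compiling. Drop it or make it a comment, `// C reproducer:`. The file also carries no header saying which kernel build and crash title this reproducer belongs to; the project name is the only hint on the page, so a two-line comment recording both would make the artifact usable for regression triage later.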