Commit
00410747
authored
Mar 21, 2019
by
zhanggen
Add new file
parent
1838d4ce
Showing
1 changed file
with
187 additions
and
0 deletions
+187
-0
code.c
code.c
+187
-0
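--- a/code.c
+++ b/code.c
@@ -0,0 +1,187 @@
+#define _GNU_SOURCE
+
+#include <dirent.h>
+#include <endian.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <signal.h>
+#include <stdarg.h>
+#include <stdbool.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/prctl.h>
+#include <sys/stat.h>
+#include <sys/syscall.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+#include <time.h>
+#include <unistd.h>
+
+unsigned long long procid;
+
+static void sleep_ms(uint64_t ms)
+{
+  usleep(ms * 1000);
+}
+
+static uint64_t current_time_ms(void)
+{
+  struct timespec ts;
+  if (clock_gettime(CLOCK_MONOTONIC, &ts))
+    exit(1);
+  return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
+}
+
+static bool write_file(const char* file, const char* what, ...)
+{
+  char buf[1024];
+  va_list args;
+  va_start(args, what);
+  vsnprintf(buf, sizeof(buf), what, args);
+  va_end(args);
+  buf[sizeof(buf) - 1] = 0;
+  int len = strlen(buf);
+  int fd = open(file, O_WRONLY | O_CLOEXEC);
+  if (fd == -1)
+    return false;
+  if (write(fd, buf, len) != len) {
+    int err = errno;
+    close(fd);
+    errno = err;
+    return false;
+  }
+  close(fd);
+  return true;
+}
+
+static long syz_open_dev(long a0, long a1, long a2)
+{
+  if (a0 == 0xc || a0 == 0xb) {
+    char buf[128];
+    sprintf(buf, "/dev/%s/%d:%d", a0 == 0xc ? "char" : "block", (uint8_t)a1,
+            (uint8_t)a2);
+    return open(buf, O_RDWR, 0);
+  } else {
+    char buf[1024];
+    char* hash;
+    strncpy(buf, (char*)a0, sizeof(buf) - 1);
+    buf[sizeof(buf) - 1] = 0;
+    while ((hash = strchr(buf, '#'))) {
+      *hash = '0' + (char)(a1 % 10);
+      a1 /= 10;
+    }
+    return open(buf, a2, 0);
+  }
+}
+
+static void kill_and_wait(int pid, int* status)
+{
+  kill(-pid, SIGKILL);
+  kill(pid, SIGKILL);
+  int i;
+  for (i = 0; i < 100; i++) {
+    if (waitpid(-1, status, WNOHANG | __WALL) == pid)
+      return;
+    usleep(1000);
+  }
+  DIR* dir = opendir("/sys/fs/fuse/connections");
+  if (dir) {
+    for (;;) {
+      struct dirent* ent = readdir(dir);
+      if (!ent)
+        break;
+      if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
+        continue;
+      char abort[300];
+      snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort",
+               ent->d_name);
+      int fd = open(abort, O_WRONLY);
+      if (fd == -1) {
+        continue;
+      }
+      if (write(fd, abort, 1) < 0) {
+      }
+      close(fd);
+    }
+    closedir(dir);
+  } else {
+  }
+  while (waitpid(-1, status, __WALL) != pid) {
+  }
+}
+
+#define SYZ_HAVE_SETUP_TEST 1
+static void setup_test()
+{
+  prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
+  setpgrp();
+  write_file("/proc/self/oom_score_adj", "1000");
+}
+
+#define SYZ_HAVE_RESET_TEST 1
+static void reset_test()
+{
+  int fd;
+  for (fd = 3; fd < 30; fd++)
+    close(fd);
+}
+
+static void execute_one(void);
+
+#define WAIT_FLAGS __WALL
+
+static void loop(void)
+{
+  int iter;
+  for (iter = 0;; iter++) {
+    int pid = fork();
+    if (pid < 0)
+      exit(1);
+    if (pid == 0) {
+      setup_test();
+      execute_one();
+      reset_test();
+      exit(0);
+    }
+    int status = 0;
+    uint64_t start = current_time_ms();
+    for (;;) {
+      if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
+        break;
+      sleep_ms(1);
+      if (current_time_ms() - start < 5 * 1000)
+        continue;
+      kill_and_wait(pid, &status);
+      break;
+    }
+  }
+}
+
+uint64_t r[1] = {0xffffffffffffffff};
+
+void execute_one(void)
+{
+  long res = 0;
+  memcpy((void*)0x20000040, "/dev/sg#\000", 9);
+  res = syz_open_dev(0x20000040, 0, 0);
+  if (res != -1)
+    r[0] = res;
+  *(uint32_t*)0x20000080 = 1;
+  *(uint32_t*)0x20000084 = 0;
+  *(uint32_t*)0x20000088 = 8;
+  memcpy((void*)0x2000008c, "\xe9", 1);
+  syscall(__NR_ioctl, r[0], 1, 0x20000080);
+}
+int main(void)
+{
+  syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0);
+  for (procid = 0; procid < 8; procid++) {
+    if (fork() == 0) {
+      loop();
+    }
+  }
+  sleep(1000000);
+  return 0;
+}
\ No newline at end of file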
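Review bot: The result of the `__NR_mmap` call in `main` is discarded, yet `execute_one` writes to fixed addresses 0x20000040–0x2000008c unconditionally, so a failed mapping makes every forked test child fault instead of surfacing a setup error; check it before forking, e.g. `if (syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0) == -1) { perror("mmap"); return 1; }`. The eight workers forked in `main` never call `prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0)` (only `setup_test` does, for the per-iteration child), so stopping the top-level process appears to leave the `loop()` workers running; setting it right after `fork()` returns 0 in `main` would let a harness tear the run down cleanly. The file also has no header comment: it looks like generated reproducer code (the `SYZ_HAVE_*` macros and `syz_open_dev`), and the commit message "Add new file" records neither the kernel build it was captured against nor the report it belongs to, which a maintainer triaging it later will need.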