Hi, my first report already had the C reproducer and .config attached.
I've tested on my Ubuntu16.04 (4.4.0-79-generic #100-Ubuntu SMP x86_64). The reproducer can cause my computer to freeze. 2017-06-13 13:11 GMT+08:00 Dmitry Vyukov <dvyu...@google.com>: > On Tue, Jun 13, 2017 at 4:27 AM, <idaif...@gmail.com> wrote: >> Update: got another reproducible KASAN report on commit >> 32c1431eea4881a6b17bd7c639315010aeefa452(4.12-rc5) : > > Hi, > > If it's reproducible, please provide the reproducer. > > >> ================================================================== >> BUG: KASAN: use-after-free in cleanup_timers_list >> kernel/time/posix-cpu-timers.c:401 [inline] >> BUG: KASAN: use-after-free in cleanup_timers+0x35e/0x430 >> kernel/time/posix-cpu-timers.c:415 >> Read of size 8 at addr ffff88006c9229f0 by task syz-executor0/29927 >> >> CPU: 2 PID: 29927 Comm: syz-executor0 Not tainted 4.12.0-rc5 #1 >> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS >> Ubuntu-1.8.2-1ubuntu1 04/01/2014 >> Call Trace: >> __dump_stack lib/dump_stack.c:16 [inline] >> dump_stack+0x83/0xbc lib/dump_stack.c:52 >> print_address_description+0x73/0x290 mm/kasan/report.c:252 >> kasan_report_error mm/kasan/report.c:351 [inline] >> kasan_report+0x22b/0x340 mm/kasan/report.c:408 >> __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:429 >> cleanup_timers_list kernel/time/posix-cpu-timers.c:401 [inline] >> cleanup_timers+0x35e/0x430 kernel/time/posix-cpu-timers.c:415 >> posix_cpu_timers_exit+0x19/0x20 kernel/time/posix-cpu-timers.c:425 >> __exit_signal kernel/exit.c:103 [inline] >> release_task+0x1b7/0x12c0 kernel/exit.c:199 >> exit_notify kernel/exit.c:748 [inline] >> do_exit+0x15ba/0x2c60 kernel/exit.c:900 >> do_group_exit+0xf6/0x340 kernel/exit.c:982 >> get_signal+0x5c2/0x11b0 kernel/signal.c:2318 >> do_signal+0x8d/0x19e0 arch/x86/kernel/signal.c:808 >> exit_to_usermode_loop+0xe5/0x130 arch/x86/entry/common.c:157 >> prepare_exit_to_usermode arch/x86/entry/common.c:194 [inline] >> syscall_return_slowpath+0xd6/0x100 arch/x86/entry/common.c:263 >> 
entry_SYSCALL_64_fastpath+0xa3/0xa5 >> RIP: 0033:0x450439 >> RSP: 002b:00007fd78ca08cf8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca >> RAX: fffffffffffffe00 RBX: 0000000000718020 RCX: 0000000000450439 >> RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000718020 >> RBP: 0000000000718000 R08: 0000000000000000 R09: 0000000000000000 >> R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 >> R13: 00007ffe2264c6cf R14: 00007fd78ca099c0 R15: 0000000000000000 >> >> Allocated by task 29927: >> save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59 >> save_stack+0x46/0xd0 mm/kasan/kasan.c:513 >> set_track mm/kasan/kasan.c:525 [inline] >> kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:617 >> kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:555 >> slab_post_alloc_hook mm/slab.h:456 [inline] >> slab_alloc_node mm/slub.c:2718 [inline] >> slab_alloc mm/slub.c:2726 [inline] >> kmem_cache_alloc+0xb9/0x180 mm/slub.c:2731 >> kmem_cache_zalloc include/linux/slab.h:655 [inline] >> alloc_posix_timer kernel/time/posix-timers.c:551 [inline] >> SYSC_timer_create kernel/time/posix-timers.c:618 [inline] >> SyS_timer_create+0x167/0x1020 kernel/time/posix-timers.c:603 >> entry_SYSCALL_64_fastpath+0x1a/0xa5 >> >> Freed by task 26611: >> save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59 >> save_stack+0x46/0xd0 mm/kasan/kasan.c:513 >> set_track mm/kasan/kasan.c:525 [inline] >> kasan_slab_free+0x72/0xc0 mm/kasan/kasan.c:590 >> slab_free_hook mm/slub.c:1357 [inline] >> slab_free_freelist_hook mm/slub.c:1379 [inline] >> slab_free mm/slub.c:2961 [inline] >> kmem_cache_free+0x72/0x1a0 mm/slub.c:2983 >> k_itimer_rcu_free+0x1d/0x20 kernel/time/posix-timers.c:566 >> __rcu_reclaim kernel/rcu/rcu.h:195 [inline] >> rcu_do_batch kernel/rcu/tree.c:2800 [inline] >> invoke_rcu_callbacks kernel/rcu/tree.c:3057 [inline] >> __rcu_process_callbacks kernel/rcu/tree.c:3024 [inline] >> rcu_process_callbacks+0x3a4/0x1610 kernel/rcu/tree.c:3041 >> __do_softirq+0x1be/0x59c kernel/softirq.c:284 >> 
>> The buggy address belongs to the object at ffff88006c922998 >> which belongs to the cache posix_timers_cache of size 216 >> The buggy address is located 88 bytes inside of >> 216-byte region [ffff88006c922998, ffff88006c922a70) >> The buggy address belongs to the page: >> page:ffffea0001b24800 count:1 mapcount:0 mapping: (null) >> index:0xffff88006c920af8 compound_mapcount: 0 >> flags: 0x500000000008100(slab|head) >> raw: 0500000000008100 0000000000000000 ffff88006c920af8 00000001001d0002 >> raw: ffff88006c9f9850 ffff88006c9f9850 ffff88006d81aac0 0000000000000000 >> page dumped because: kasan: bad access detected >> >> Memory state around the buggy address: >> ffff88006c922880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >> ffff88006c922900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >>>ffff88006c922980: fc fc fc fb fb fb fb fb fb fb fb fb fb fb fb fb >> ^ >> ffff88006c922a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc >> ffff88006c922a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >> ================================================================== >> Disabling lock debugging due to kernel taint >> Kernel panic - not syncing: panic_on_warn set ... 
>> >> CPU: 2 PID: 29927 Comm: syz-executor0 Tainted: G B 4.12.0-rc5 >> #1 >> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS >> Ubuntu-1.8.2-1ubuntu1 04/01/2014 >> Call Trace: >> __dump_stack lib/dump_stack.c:16 [inline] >> dump_stack+0x83/0xbc lib/dump_stack.c:52 >> panic+0x1af/0x388 kernel/panic.c:180 >> kasan_end_report+0x50/0x50 mm/kasan/report.c:176 >> kasan_report_error mm/kasan/report.c:356 [inline] >> kasan_report+0x13b/0x340 mm/kasan/report.c:408 >> __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:429 >> cleanup_timers_list kernel/time/posix-cpu-timers.c:401 [inline] >> cleanup_timers+0x35e/0x430 kernel/time/posix-cpu-timers.c:415 >> posix_cpu_timers_exit+0x19/0x20 kernel/time/posix-cpu-timers.c:425 >> __exit_signal kernel/exit.c:103 [inline] >> release_task+0x1b7/0x12c0 kernel/exit.c:199 >> exit_notify kernel/exit.c:748 [inline] >> do_exit+0x15ba/0x2c60 kernel/exit.c:900 >> do_group_exit+0xf6/0x340 kernel/exit.c:982 >> get_signal+0x5c2/0x11b0 kernel/signal.c:2318 >> do_signal+0x8d/0x19e0 arch/x86/kernel/signal.c:808 >> exit_to_usermode_loop+0xe5/0x130 arch/x86/entry/common.c:157 >> prepare_exit_to_usermode arch/x86/entry/common.c:194 [inline] >> syscall_return_slowpath+0xd6/0x100 arch/x86/entry/common.c:263 >> entry_SYSCALL_64_fastpath+0xa3/0xa5 >> RIP: 0033:0x450439 >> RSP: 002b:00007fd78ca08cf8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca >> RAX: fffffffffffffe00 RBX: 0000000000718020 RCX: 0000000000450439 >> RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000718020 >> RBP: 0000000000718000 R08: 0000000000000000 R09: 0000000000000000 >> R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 >> R13: 00007ffe2264c6cf R14: 00007fd78ca099c0 R15: 0000000000000000 >> Shutting down cpus with NMI >> Dumping ftrace buffer: >> (ftrace buffer empty) >> Kernel Offset: disabled >> Rebooting in 86400 seconds.. 
>> >> >> 在 2017年6月8日星期四 UTC+8下午5:30:27,idaifish写道: >>> >>> Hi: >>> >>> I've got the following error report while fuzzing the kernel with >>> syzkaller on 4.12.0-rc3. >>> >>> PoC and config are attached. >>> >>> >>> ------------------------------------------------------------------------------------------------------------------ >>> >>> kasan: GPF could be caused by NULL-ptr deref or user memory access >>> general protection fault: 0000 [#1] SMP KASAN >>> Dumping ftrace buffer: >>> (ftrace buffer empty) >>> Modules linked in: >>> CPU: 2 PID: 11989 Comm: syz-executor0 Not tainted 4.12.0-rc3 #1 >>> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS >>> Ubuntu-1.8.2-1ubuntu1 04/01/2014 >>> task: ffff88006d4f2980 task.stack: ffff88006acb0000 >>> RIP: 0010:__list_del include/linux/list.h:104 [inline] >>> RIP: 0010:__list_del_entry include/linux/list.h:119 [inline] >>> RIP: 0010:list_del_init include/linux/list.h:158 [inline] >>> RIP: 0010:cleanup_timers_list kernel/time/posix-cpu-timers.c:402 [inline] >>> RIP: 0010:cleanup_timers+0x299/0x430 kernel/time/posix-cpu-timers.c:415 >>> RSP: 0018:ffff88006acb7988 EFLAGS: 00010002 >>> RAX: ffff88006d4f2980 RBX: ffff88006bff3940 RCX: 0000000000000001 >>> RDX: ffffffff81266ad0 RSI: 0000000000000000 RDI: 0000000000000008 >>> RBP: ffff88006acb79c8 R08: 0000000000000000 R09: 0000000000000002 >>> R10: 00000000f17eaa6c R11: 000000006ec117ba R12: 0000000000000000 >>> R13: dffffc0000000000 R14: 0000000000000000 R15: ffff88006bff3940 >>> FS: 0000000000000000(0000) GS:ffff88006e400000(0000) >>> knlGS:0000000000000000 >>> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 >>> CR2: 00000000204f5000 CR3: 000000000380e000 CR4: 00000000000006e0 >>> DR0: 0000000000000042 DR1: 0000000000008000 DR2: 0000000000000000 >>> DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000600 >>> Call Trace: >>> posix_cpu_timers_exit+0x19/0x20 kernel/time/posix-cpu-timers.c:425 >>> __exit_signal kernel/exit.c:103 [inline] >>> 
release_task+0x1b7/0x12c0 kernel/exit.c:199 >>> exit_notify kernel/exit.c:748 [inline] >>> do_exit+0x15ba/0x2c60 kernel/exit.c:900 >>> do_group_exit+0xf6/0x340 kernel/exit.c:982 >>> get_signal+0x5c2/0x11b0 kernel/signal.c:2318 >>> do_signal+0x8d/0x19e0 arch/x86/kernel/signal.c:808 >>> exit_to_usermode_loop+0xe5/0x130 arch/x86/entry/common.c:157 >>> prepare_exit_to_usermode arch/x86/entry/common.c:194 [inline] >>> syscall_return_slowpath+0xd6/0x100 arch/x86/entry/common.c:263 >>> entry_SYSCALL_64_fastpath+0xa3/0xa5 >>> RIP: 0033:0x450439 >>> RSP: 002b:00007fce47004cf8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca >>> RAX: fffffffffffffe00 RBX: 0000000000718020 RCX: 0000000000450439 >>> RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000718020 >>> RBP: 0000000000718000 R08: 0000000000000000 R09: 0000000000000000 >>> R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 >>> R13: 00007fff1a12cddf R14: 00007fce470059c0 R15: 0000000000000000 >>> Code: 00 e8 9c a0 09 00 48 8d 7b 08 48 89 fa 48 c1 ea 03 42 80 3c 2a 00 0f >>> 85 c2 00 00 00 49 8d 7e 08 48 8b 53 08 48 89 f9 48 c1 e9 03 <42> 80 3c 29 00 >>> 0f 85 96 00 00 00 48 89 d1 49 89 56 08 48 c1 e9 >>> RIP: __list_del include/linux/list.h:104 [inline] RSP: ffff88006acb7988 >>> RIP: __list_del_entry include/linux/list.h:119 [inline] RSP: >>> ffff88006acb7988 >>> RIP: list_del_init include/linux/list.h:158 [inline] RSP: ffff88006acb7988 >>> RIP: cleanup_timers_list kernel/time/posix-cpu-timers.c:402 [inline] RSP: >>> ffff88006acb7988 >>> RIP: cleanup_timers+0x299/0x430 kernel/time/posix-cpu-timers.c:415 RSP: >>> ffff88006acb7988 >>> ---[ end trace ac8e042e922b484f ]--- >>> Kernel panic - not syncing: Fatal exception >>> Dumping ftrace buffer: >>> (ftrace buffer empty) >>> Kernel Offset: disabled >>> Rebooting in 86400 seconds.. >>> >>> >>> ----------- >>> Regards, >>> idaifish >> >> -- >> You received this message because you are subscribed to the Google Groups >> "syzkaller" group. 
>> To unsubscribe from this group and stop receiving emails from it, send an >> email to syzkaller+unsubscr...@googlegroups.com. >> For more options, visit https://groups.google.com/d/optout. -- Regards, idaifish
// autogenerated by syzkaller (http://github.com/google/syzkaller)
//
// Syzkaller reproducer attached to the report above.  Structure, top to
// bottom: syscall-number fallbacks, the syzkaller runtime helpers (exit,
// error reporting, SIGSEGV skipping, bit-field and checksum helpers), the
// sandbox setup, and loop(), which issues the fixed syscall sequence that
// the quoted KASAN report ties to cleanup_timers_list at task exit.  The
// code itself is the generator's verbatim output; only the comments are
// hand-written.

// Fallback syscall numbers (x86_64 values) in case the build environment's
// headers do not define them.
#ifndef __NR_mmap
#define __NR_mmap 9
#endif
#ifndef __NR_rt_sigprocmask
#define __NR_rt_sigprocmask 14
#endif
#ifndef __NR_timer_create
#define __NR_timer_create 222
#endif
#ifndef __NR_getsockopt
#define __NR_getsockopt 55
#endif
#ifndef __NR_getpid
#define __NR_getpid 39
#endif
#ifndef __NR_gettid
#define __NR_gettid 186
#endif
#ifndef __NR_timer_settime
#define __NR_timer_settime 223
#endif
#ifndef __NR_rt_tgsigqueueinfo
#define __NR_rt_tgsigqueueinfo 297
#endif
#ifndef __NR_rt_sigtimedwait
#define __NR_rt_sigtimedwait 128
#endif
#define _GNU_SOURCE
#include <sys/ioctl.h>
#include <sys/mman.h>
#include <sys/mount.h>
#include <sys/prctl.h>
#include <sys/resource.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/time.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <linux/capability.h>
#include <linux/kvm.h>
#include <linux/sched.h>
#include <arpa/inet.h>
#include <linux/if.h>
#include <linux/if_ether.h>
#include <linux/if_tun.h>
#include <linux/ip.h>
#include <linux/tcp.h>
#include <net/if_arp.h>
#include <assert.h>
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <pthread.h>
#include <setjmp.h>
#include <signal.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

// Process exit codes used by the syzkaller harness.  kErrorStatus is
// declared but never referenced in this file.
const int kFailStatus = 67;
const int kErrorStatus = 68;
const int kRetryStatus = 69;

// Terminate the whole thread group with `status`.  The spin loop after
// exit_group only exists to satisfy the noreturn attribute.
__attribute__((noreturn)) void doexit(int status)
{
  volatile unsigned i;
  syscall(__NR_exit_group, status);
  for (i = 0;; i++) {
  }
}

// Print a printf-style message plus the errno captured on entry, then exit.
// ENOMEM/EAGAIN map to kRetryStatus (transient), anything else to
// kFailStatus.
__attribute__((noreturn)) void fail(const char* msg, ...)
{
  int e = errno;
  fflush(stdout);
  va_list args;
  va_start(args, msg);
  vfprintf(stderr, msg, args);
  va_end(args);
  fprintf(stderr, " (errno %d)\n", e);
  doexit((e == ENOMEM || e == EAGAIN) ? kRetryStatus : kFailStatus);
}

// Same reporting as fail(), but always exits with kRetryStatus.  Not
// called anywhere in this reproducer.
__attribute__((noreturn)) void exitf(const char* msg, ...)
{
  int e = errno;
  fflush(stdout);
  va_list args;
  va_start(args, msg);
  vfprintf(stderr, msg, args);
  va_end(args);
  fprintf(stderr, " (errno %d)\n", e);
  doexit(kRetryStatus);
}

// flag_debug is never assigned in this file, so debug() output is
// effectively disabled.
static int flag_debug;

// Print a printf-style message to stdout when flag_debug is non-zero.
void debug(const char* msg, ...)
{
  if (!flag_debug)
    return;
  va_list args;
  va_start(args, msg);
  vfprintf(stdout, msg, args);
  va_end(args);
  fflush(stdout);
}

// Per-thread state for the NONFAILING() mechanism: skip_segv counts nested
// NONFAILING regions, segv_env is the jump target the handler returns to.
__thread int skip_segv;
__thread jmp_buf segv_env;

// SIGSEGV/SIGBUS handler.  Inside a NONFAILING region, a fault whose
// address lies outside [1 MiB, 100 MiB] is swallowed by longjmp-ing back to
// the region's _setjmp; any other fault terminates the process with the
// signal number as exit status.
// NOTE(review): `addr` is a uintptr_t but the format uses %p, which is a
// format/argument mismatch; it has no effect here because debug() never
// prints (flag_debug is never set).  `uctx` is unused.
static void segv_handler(int sig, siginfo_t* info, void* uctx)
{
  uintptr_t addr = (uintptr_t)info->si_addr;
  const uintptr_t prog_start = 1 << 20;
  const uintptr_t prog_end = 100 << 20;
  if (__atomic_load_n(&skip_segv, __ATOMIC_RELAXED) && (addr < prog_start || addr > prog_end)) {
    debug("SIGSEGV on %p, skipping\n", addr);
    _longjmp(segv_env, 1);
  }
  debug("SIGSEGV on %p, exiting\n", addr);
  doexit(sig);
  for (;;) {
  }
}

// Install segv_handler for SIGSEGV and SIGBUS.  SA_NODEFER keeps the signal
// unblocked inside the handler so the _longjmp does not leave it masked.
static void install_segv_handler()
{
  struct sigaction sa;
  memset(&sa, 0, sizeof(sa));
  sa.sa_sigaction = segv_handler;
  sa.sa_flags = SA_NODEFER | SA_SIGINFO;
  sigaction(SIGSEGV, &sa, NULL);
  sigaction(SIGBUS, &sa, NULL);
}

// Run the given statements with memory faults suppressed: bump skip_segv,
// arm segv_env with _setjmp, execute, then restore the counter.  If the
// statements fault, segv_handler longjmps here and the statements are
// simply skipped.
#define NONFAILING(...)                                  \
  {                                                      \
    __atomic_fetch_add(&skip_segv, 1, __ATOMIC_SEQ_CST); \
    if (_setjmp(segv_env) == 0) {                        \
      __VA_ARGS__;                                       \
    }                                                    \
    __atomic_fetch_sub(&skip_segv, 1, __ATOMIC_SEQ_CST); \
  }

// Bit-field store helpers emitted by syzkaller for every reproducer; none
// of them is used by this one.
#define BITMASK_LEN(type, bf_len) (type)((1ull << (bf_len)) - 1)
#define BITMASK_LEN_OFF(type, bf_off, bf_len) \
  (type)(BITMASK_LEN(type, (bf_len)) << (bf_off))
#define STORE_BY_BITMASK(type, addr, val, bf_off, bf_len)             \
  if ((bf_off) == 0 && (bf_len) == 0) {                                \
    *(type*)(addr) = (type)(val);                                      \
  } else {                                                             \
    type new_val = *(type*)(addr);                                     \
    new_val &= ~BITMASK_LEN_OFF(type, (bf_off), (bf_len));             \
    new_val |= ((type)(val)&BITMASK_LEN(type, (bf_len))) << (bf_off); \
    *(type*)(addr) = new_val;                                          \
  }

// One's-complement (Internet) checksum accumulator.  Part of the generic
// syzkaller preamble; not used by this reproducer.
struct csum_inet {
  uint32_t acc;
};

// Reset the accumulator.
void csum_inet_init(struct csum_inet* csum)
{
  csum->acc = 0;
}

// Fold `length` bytes of `data` into the accumulator, 16 bits at a time,
// with a trailing odd byte added on its own, then fold carries back into
// the low 16 bits.
// NOTE(review): `*(uint16_t*)&data[i]` reads a 16-bit value through a cast
// of a byte pointer, which is an unaligned and strict-aliasing-unsafe
// access on platforms that care; memcpy into a uint16_t would be the
// portable form.
void csum_inet_update(struct csum_inet* csum, const uint8_t* data, size_t length)
{
  if (length == 0)
    return;
  size_t i;
  for (i = 0; i < length - 1; i += 2)
    csum->acc += *(uint16_t*)&data[i];
  if (length & 1)
    csum->acc += (uint16_t)data[length - 1];
  while (csum->acc > 0xffff)
    csum->acc = (csum->acc & 0xffff) + (csum->acc >> 16);
}

// Return the complemented checksum (truncated to 16 bits).
uint16_t csum_inet_digest(struct csum_inet* csum)
{
  return ~csum->acc;
}

// Dispatch a raw syscall.  Only a0..a5 are forwarded; a6..a8 are accepted
// so that every call site can pass nine arguments but are never used.
static uintptr_t execute_syscall(int nr, uintptr_t a0, uintptr_t a1, uintptr_t a2, uintptr_t a3, uintptr_t a4, uintptr_t a5, uintptr_t a6, uintptr_t a7, uintptr_t a8)
{
  switch (nr) {
  default:
    return syscall(nr, a0, a1, a2, a3, a4, a5);
  }
}

// One-time setup in the parent: ignore signals 0x20 and 0x21 (sigaction
// called directly via the raw syscall with an 8-byte sigset), install the
// fault handler, and chdir into a fresh world-writable temporary directory.
// The sigaction return values are not checked.
static void setup_main_process()
{
  struct sigaction sa;
  memset(&sa, 0, sizeof(sa));
  sa.sa_handler = SIG_IGN;
  syscall(SYS_rt_sigaction, 0x20, &sa, NULL, 8);
  syscall(SYS_rt_sigaction, 0x21, &sa, NULL, 8);
  install_segv_handler();
  char tmpdir_template[] = "./syzkaller.XXXXXX";
  char* tmpdir = mkdtemp(tmpdir_template);
  if (!tmpdir)
    fail("failed to mkdtemp");
  if (chmod(tmpdir, 0777))
    fail("failed to chmod");
  if (chdir(tmpdir))
    fail("failed to chdir");
}

static void loop();

// Confinement applied in the child before the syscall sequence runs: die
// with the parent, detach into its own session, cap address space, file
// size and stack at the given sizes, disable core dumps, and unshare the
// mount, IPC and I/O contexts.  None of the return values are checked, so
// a failed unshare (e.g. without CAP_SYS_ADMIN) silently leaves the child
// in the parent's namespaces.
static void sandbox_common()
{
  prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
  setpgrp();
  setsid();
  struct rlimit rlim;
  rlim.rlim_cur = rlim.rlim_max = 128 << 20;
  setrlimit(RLIMIT_AS, &rlim);
  rlim.rlim_cur = rlim.rlim_max = 1 << 20;
  setrlimit(RLIMIT_FSIZE, &rlim);
  rlim.rlim_cur = rlim.rlim_max = 1 << 20;
  setrlimit(RLIMIT_STACK, &rlim);
  rlim.rlim_cur = rlim.rlim_max = 0;
  setrlimit(RLIMIT_CORE, &rlim);
  unshare(CLONE_NEWNS);
  unshare(CLONE_NEWIPC);
  unshare(CLONE_IO);
}

// Fork; the parent returns the child's pid immediately.  The child applies
// sandbox_common(), drops to uid/gid 65534 (nobody) in all three ids, makes
// itself dumpable again, runs loop() and exits with status 1.  A failed
// fork() (pid == -1) is treated as the parent path and -1 is returned.
// `executor_pid` and `enable_tun` are accepted for interface parity with
// other syzkaller sandboxes and are unused here.
static int do_sandbox_setuid(int executor_pid, bool enable_tun)
{
  int pid = fork();
  if (pid)
    return pid;
  sandbox_common();
  const int nobody = 65534;
  if (setgroups(0, NULL))
    fail("failed to setgroups");
  if (syscall(SYS_setresgid, nobody, nobody, nobody))
    fail("failed to setresgid");
  if (syscall(SYS_setresuid, nobody, nobody, nobody))
    fail("failed to setresuid");
  prctl(PR_SET_DUMPABLE, 1, 0, 0, 0);
  loop();
  doexit(1);
}

// Raw return values of each call in loop(), indexed by syzkaller's result
// numbering.  Initialised to -1 so an unset slot reads as a failed call.
long r[39];

// The reproducer body.  Every address literal lies inside the region the
// first mmap maps at 0x20000000 (0x1c000 bytes); the NONFAILING stores lay
// out each syscall's argument structures in that region before the call.
// r[17] is the timer id read back from timer_create's output pointer and
// keeps the memset value -1 if timer_create fails, in which case that -1
// is what timer_settime later receives.
void loop()
{
  memset(r, -1, sizeof(r));
  // Scratch region: prot 0x3 (PROT_READ|PROT_WRITE), flags 0x32
  // (MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS), fd -1.
  r[0] = execute_syscall(__NR_mmap, 0x20000000ul, 0x1c000ul, 0x3ul, 0x32ul, 0xfffffffffffffffful, 0x0ul, 0, 0, 0);
  // rt_sigprocmask(how=0x2 (SIG_SETMASK), set=@0x20003000, oldset=@0x20011ff8, 8).
  NONFAILING(*(uint64_t*)0x20003000 = (uint64_t)0xfffffffffffff051);
  r[2] = execute_syscall(__NR_rt_sigprocmask, 0x2ul, 0x20003000ul, 0x20011ff8ul, 0x8ul, 0, 0, 0, 0, 0);
  r[3] = execute_syscall(__NR_getpid, 0, 0, 0, 0, 0, 0, 0, 0, 0);
  r[4] = execute_syscall(__NR_gettid, 0, 0, 0, 0, 0, 0, 0, 0, 0);
  // Fill the sigevent passed to timer_create at 0x2001afb0.  The exact
  // field meanings follow the kernel's struct sigevent layout — presumably
  // sival, signo, notify, then padding/tid bytes; not verified here.
  NONFAILING(*(uint64_t*)0x2001afb0 = (uint64_t)0x0);
  NONFAILING(*(uint32_t*)0x2001afb8 = (uint32_t)0x8);
  NONFAILING(*(uint32_t*)0x2001afbc = (uint32_t)0x2);
  NONFAILING(*(uint64_t*)0x2001afc0 = (uint64_t)0x7f);
  NONFAILING(*(uint64_t*)0x2001afc8 = (uint64_t)0xbd);
  NONFAILING(*(uint64_t*)0x2001afd0 = (uint64_t)0x86);
  NONFAILING(*(uint64_t*)0x2001afd8 = (uint64_t)0x0);
  NONFAILING(*(uint64_t*)0x2001afe0 = (uint64_t)0x100);
  NONFAILING(*(uint64_t*)0x2001afe8 = (uint64_t)0x4);
  NONFAILING(*(uint64_t*)0x2001aff0 = (uint64_t)0xffff);
  NONFAILING(*(uint64_t*)0x2001aff8 = (uint64_t)0x7);
  // timer_create(clockid=0x3 (CLOCK_THREAD_CPUTIME_ID on Linux), sevp=@0x2001afb0,
  // timerid=@0x2000b000).  A CPU-clock timer is consistent with the report's
  // trace through kernel/time/posix-cpu-timers.c.
  r[16] = execute_syscall(__NR_timer_create, 0x3ul, 0x2001afb0ul, 0x2000b000ul, 0, 0, 0, 0, 0, 0);
  if (r[16] != -1)
    NONFAILING(r[17] = *(uint32_t*)0x2000b000);
  // getsockopt(fd=-1, level=0x84, optname=0x73, optval=@0x2000b000,
  // optlen=@0x2001b000 (=0x18)).  The fd is -1, so this presumably fails
  // with EBADF; its buffer reuses the timer-id slot written above.
  NONFAILING(*(uint32_t*)0x2000b000 = (uint32_t)0x0);
  NONFAILING(*(uint16_t*)0x2000b004 = (uint16_t)0x3f7d);
  NONFAILING(*(uint16_t*)0x2000b006 = (uint16_t)0x21);
  NONFAILING(*(uint64_t*)0x2000b008 = (uint64_t)0x1);
  NONFAILING(*(uint64_t*)0x2000b010 = (uint64_t)0x2);
  NONFAILING(*(uint32_t*)0x2001b000 = (uint32_t)0x18);
  r[24] = execute_syscall(__NR_getsockopt, 0xfffffffffffffffful, 0x84ul, 0x73ul, 0x2000b000ul, 0x2001b000ul, 0, 0, 0, 0);
  // timer_settime(r[17], flags=0x1 (TIMER_ABSTIME), new=@0x20011fe0,
  // old=@0x2001afe0).  The itimerspec has a zero interval and
  // it_value.tv_sec = 0x77359400; the old-value buffer overlaps the
  // sigevent bytes written earlier.
  NONFAILING(*(uint64_t*)0x20011fe0 = (uint64_t)0x0);
  NONFAILING(*(uint64_t*)0x20011fe8 = (uint64_t)0x0);
  NONFAILING(*(uint64_t*)0x20011ff0 = (uint64_t)0x77359400);
  NONFAILING(*(uint64_t*)0x20011ff8 = (uint64_t)0x0);
  r[29] = execute_syscall(__NR_timer_settime, r[17], 0x1ul, 0x20011fe0ul, 0x2001afe0ul, 0, 0, 0, 0, 0);
  // rt_tgsigqueueinfo(tgid=r[3], tid=r[4], sig=0x32, info=@0x2000aff0):
  // queues realtime signal 50 to the calling thread itself.
  NONFAILING(*(uint32_t*)0x2000aff0 = (uint32_t)0x0);
  NONFAILING(*(uint32_t*)0x2000aff4 = (uint32_t)0x3);
  NONFAILING(*(uint32_t*)0x2000aff8 = (uint32_t)0x10001);
  NONFAILING(*(uint32_t*)0x2000affc = (uint32_t)0x3d9d);
  r[34] = execute_syscall(__NR_rt_tgsigqueueinfo, r[3], r[4], 0x32ul, 0x2000aff0ul, 0, 0, 0, 0, 0);
  // rt_sigtimedwait(set=@0x20012000, info=@0x20015ff0, timeout=@0x20014ff0
  // {0 s, 0x98967c ns}, sigsetsize=8).  Per the report, the fault is hit
  // afterwards on the exit path (get_signal -> do_group_exit ->
  // release_task -> posix_cpu_timers_exit), not inside these calls.
  NONFAILING(*(uint64_t*)0x20012000 = (uint64_t)0xfffffffffffffffc);
  NONFAILING(*(uint64_t*)0x20014ff0 = (uint64_t)0x0);
  NONFAILING(*(uint64_t*)0x20014ff8 = (uint64_t)0x98967c);
  r[38] = execute_syscall(__NR_rt_sigtimedwait, 0x20012000ul, 0x20015ff0ul, 0x20014ff0ul, 0x8ul, 0, 0, 0, 0, 0);
}

// Entry point: set up the parent, fork the sandboxed child, and reap it
// with __WALL (matches both clone- and non-clone children).  The loop
// retries only while waitpid returns something other than the child pid,
// so a -1 from waitpid also spins until it happens to match.
int main()
{
  setup_main_process();
  int pid = do_sandbox_setuid(0, false);
  int status = 0;
  while (waitpid(pid, &status, __WALL) != pid) {
  }
  return 0;
}