// autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include static bool write_file(const char* file, const char* what, ...) { char buf[1024]; va_list args; va_start(args, what); vsnprintf(buf, sizeof(buf), what, args); va_end(args); buf[sizeof(buf) - 1] = 0; int len = strlen(buf); int fd = open(file, O_WRONLY | O_CLOEXEC); if (fd == -1) return false; if (write(fd, buf, len) != len) { int err = errno; close(fd); errno = err; return false; } close(fd); return true; } static int inject_fault(int nth) { int fd; fd = open("/proc/thread-self/fail-nth", O_RDWR); if (fd == -1) exit(1); char buf[16]; sprintf(buf, "%d", nth); if (write(fd, buf, strlen(buf)) != (ssize_t)strlen(buf)) exit(1); return fd; } static const char* setup_fault() { int fd = open("/proc/self/make-it-fail", O_WRONLY); if (fd == -1) return "CONFIG_FAULT_INJECTION is not enabled"; close(fd); fd = open("/proc/thread-self/fail-nth", O_WRONLY); if (fd == -1) return "kernel does not have systematic fault injection support"; close(fd); static struct { const char* file; const char* val; bool fatal; } files[] = { {"/sys/kernel/debug/failslab/ignore-gfp-wait", "N", true}, {"/sys/kernel/debug/fail_futex/ignore-private", "N", false}, {"/sys/kernel/debug/fail_page_alloc/ignore-gfp-highmem", "N", false}, {"/sys/kernel/debug/fail_page_alloc/ignore-gfp-wait", "N", false}, {"/sys/kernel/debug/fail_page_alloc/min-order", "0", false}, }; unsigned i; for (i = 0; i < sizeof(files) / sizeof(files[0]); i++) { if (!write_file(files[i].file, files[i].val)) { if (files[i].fatal) return "failed to write fault injection file"; } } return NULL; } static void setup_sysctl() { int cad_pid = fork(); if (cad_pid < 0) exit(1); if (cad_pid == 0) { for (;;) sleep(100); } char tmppid[32]; snprintf(tmppid, sizeof(tmppid), "%d", cad_pid); struct { const char* name; const char* data; } files[] = { {"/sys/kernel/debug/x86/nmi_longest_ns", "10000000000"}, {"/proc/sys/kernel/hung_task_check_interval_secs", "20"}, {"/proc/sys/net/core/bpf_jit_kallsyms", "1"}, {"/proc/sys/net/core/bpf_jit_harden", "0"}, {"/proc/sys/kernel/kptr_restrict", "0"}, {"/proc/sys/kernel/softlockup_all_cpu_backtrace", "1"}, {"/proc/sys/fs/mount-max", "100"}, {"/proc/sys/vm/oom_dump_tasks", "0"}, {"/proc/sys/debug/exception-trace", "0"}, {"/proc/sys/kernel/printk", "7 4 1 3"}, {"/proc/sys/kernel/keys/gc_delay", "1"}, {"/proc/sys/vm/oom_kill_allocating_task", "1"}, {"/proc/sys/kernel/ctrl-alt-del", "0"}, {"/proc/sys/kernel/cad_pid", tmppid}, }; for (size_t i = 0; i < sizeof(files) / sizeof(files[0]); i++) { if (!write_file(files[i].name, files[i].data)) { } } kill(cad_pid, SIGKILL); while (waitpid(cad_pid, NULL, 0) != cad_pid) ; } uint64_t r[1] = {0xffffffffffffffff}; int main(void) { syscall(__NR_mmap, /*addr=*/0x1ffffffff000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); syscall(__NR_mmap, /*addr=*/0x200000000000ul, /*len=*/0x1000000ul, /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); syscall(__NR_mmap, /*addr=*/0x200001000000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); setup_sysctl(); const char* reason; (void)reason; if ((reason = setup_fault())) printf("the reproducer may not work as expected: fault injection setup " "failed: %s\n", reason); intptr_t res = 0; if (write(1, "executing program\n", sizeof("executing program\n") - 1)) { } // mkdir arguments: [ // path: ptr[in, buffer] { // buffer: {2e 2f 70 6d 32 39 30 38 65 00} (length 0xa) // } // mode: open_mode = 0x1ff (8 bytes) // ] memcpy((void*)0x200000001000, "./pm2908e\000", 10); syscall( __NR_mkdir, /*path=*/0x200000001000ul, /*mode=S_IXOTH|S_IWOTH|S_IROTH|S_IXGRP|S_IWGRP|S_IRGRP|S_IXUSR|S_IWUSR|0x100*/ 0x1fful); // mount arguments: [ // src: nil // dst: ptr[in, buffer] { // buffer: {2e 2f 70 6d 32 39 30 38 65 00} (length 0xa) // } // type: ptr[in, buffer] { // buffer: {74 72 61 63 65 66 73 00} (length 0x8) // } // flags: mount_flags = 0x0 (8 bytes) // data: nil // ] memcpy((void*)0x200000001040, "./pm2908e\000", 10); memcpy((void*)0x200000001080, "tracefs\000", 8); syscall(__NR_mount, /*src=*/0ul, /*dst=*/0x200000001040ul, /*type=*/0x200000001080ul, /*flags=*/0ul, /*data=*/0ul); // openat arguments: [ // fd: fd_dir (resource) // file: ptr[in, buffer] { // buffer: {2e 2f 70 6d 32 39 30 38 65 2f 75 70 72 6f 62 65 5f 65 76 65 // 6e 74 73 00} (length 0x18) // } // flags: open_flags = 0x1 (4 bytes) // mode: open_mode = 0x0 (2 bytes) // ] // returns fd memcpy((void*)0x2000000010c0, "./pm2908e/uprobe_events\000", 24); res = syscall(__NR_openat, /*fd=*/0xffffff9c, /*file=*/0x2000000010c0ul, /*flags=O_WRONLY*/ 1, /*mode=*/0); if (res != -1) r[0] = res; // write arguments: [ // fd: fd (resource) // buf: ptr[in, buffer] { // buffer: {70 3a 75 70 72 6f 62 65 73 2f 70 6d 32 39 30 38 65 20 2f 70 // 72 6f 63 2f 73 65 6c 66 2f 65 78 65 3a 30} (length 0x22) // } // count: len = 0x22 (8 bytes) // ] memcpy((void*)0x200000001100, "p:uprobes/pm2908e /proc/self/exe:0", 34); inject_fault(12); syscall(__NR_write, /*fd=*/r[0], /*buf=*/0x200000001100ul, /*count=*/0x22ul); return 0; }