Untitled

1. #define _GNU_SOURCE
2.  
3. #include <endian.h>
4. #include <errno.h>
5. #include <fcntl.h>
6. #include <stdint.h>
7. #include <stdio.h>
8. #include <stdlib.h>
9. #include <string.h>
10. #include <sys/ioctl.h>
11. #include <sys/mount.h>
12. #include <sys/stat.h>
13. #include <sys/syscall.h>
14. #include <sys/types.h>
15. #include <unistd.h>
16.  
17. #include <linux/loop.h>
18.  
19. unsigned long long procid;
20.  
21. struct fs_image_segment {
22. void* data;
23. uintptr_t size;
24. uintptr_t offset;
25. };
26.  
27. #define IMAGE_MAX_SEGMENTS 4096
28. #define IMAGE_MAX_SIZE (129 << 20)
29.  
30. #define SYZ_memfd_create 319
31.  
32. static long syz_mount_image(long fsarg, long dir, unsigned long size,
33. unsigned long nsegs, long segments, long flags,
34. long optsarg)
35. {
36. char loopname[64], fs[32], opts[256];
37. int loopfd, err = 0, res = -1;
38. unsigned long i;
39. struct fs_image_segment* segs = (struct fs_image_segment*)segments;
40. if (nsegs > IMAGE_MAX_SEGMENTS)
41. nsegs = IMAGE_MAX_SEGMENTS;
42. for (i = 0; i < nsegs; i++) {
43. if (segs[i].size > IMAGE_MAX_SIZE)
44. segs[i].size = IMAGE_MAX_SIZE;
45. segs[i].offset %= IMAGE_MAX_SIZE;
46. if (segs[i].offset > IMAGE_MAX_SIZE - segs[i].size)
47. segs[i].offset = IMAGE_MAX_SIZE - segs[i].size;
48. if (size < segs[i].offset + segs[i].offset)
49. size = segs[i].offset + segs[i].offset;
50. }
51. if (size > IMAGE_MAX_SIZE)
52. size = IMAGE_MAX_SIZE;
53. int memfd = syscall(SYZ_memfd_create, "syz_mount_image", 0);
54. if (memfd == -1) {
55. err = errno;
56. goto error;
57. }
58. if (ftruncate(memfd, size)) {
59. err = errno;
60. goto error_close_memfd;
61. }
62. for (i = 0; i < nsegs; i++) {
63. if (pwrite(memfd, segs[i].data, segs[i].size, segs[i].offset) < 0) {
64. }
65. }
66. snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid);
67. loopfd = open(loopname, O_RDWR);
68. if (loopfd == -1) {
69. err = errno;
70. goto error_close_memfd;
71. }
72. if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
73. if (errno != EBUSY) {
74. err = errno;
75. goto error_close_loop;
76. }
77. ioctl(loopfd, LOOP_CLR_FD, 0);
78. usleep(1000);
79. if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
80. err = errno;
81. goto error_close_loop;
82. }
83. }
84. mkdir((char*)dir, 0777);
85. memset(fs, 0, sizeof(fs));
86. strncpy(fs, (char*)fsarg, sizeof(fs) - 1);
87. memset(opts, 0, sizeof(opts));
88. strncpy(opts, (char*)optsarg, sizeof(opts) - 32);
89. if (strcmp(fs, "iso9660") == 0) {
90. flags |= MS_RDONLY;
91. } else if (strncmp(fs, "ext", 3) == 0) {
92. if (strstr(opts, "errors=panic") || strstr(opts, "errors=remount-ro") == 0)
93. strcat(opts, ",errors=continue");
94. } else if (strcmp(fs, "xfs") == 0) {
95. strcat(opts, ",nouuid");
96. }
97. if (mount(loopname, (char*)dir, fs, flags, opts)) {
98. err = errno;
99. goto error_clear_loop;
100. }
101. res = 0;
102. error_clear_loop:
103. ioctl(loopfd, LOOP_CLR_FD, 0);
104. error_close_loop:
105. close(loopfd);
106. error_close_memfd:
107. close(memfd);
108. error:
109. errno = err;
110. return res;
111. }
112.  
113. int main()
114. {
115. syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0);
116.  
117. memcpy((void*)0x20000000, "vfat", 5);
118. memcpy((void*)0x200004c0, "./file0", 8);
119. syz_mount_image(0x20000000, 0x200004c0, 0, 0, 0x20000300, 0, 0x20000240);
120. memcpy((void*)0x20000080, "127.0.0.1", 10);
121. memcpy((void*)0x20000100, "./file1", 8);
122. memcpy((void*)0x20000140, "9p", 3);
123. memcpy((void*)0x200001c0, "trans=tcp,", 10);
124. memcpy((void*)0x200001ca, "port", 4);
125. *(uint8_t*)0x200001ce = 0x3d;
126. sprintf((char*)0x200001cf, "0x%016llx", (long long)0);
127. *(uint8_t*)0x200001e1 = 0x2c;
128. *(uint8_t*)0x200001e2 = 0;
129. syscall(__NR_mount, 0x20000080, 0x20000100, 0x20000140, 0, 0x200001c0);
130. memcpy((void*)0x200000c0, "./file0", 8);
131. memcpy((void*)0x20000040, "9p", 3);
132. syscall(__NR_mount, 0, 0x200000c0, 0x20000040, 0, 0x200001c0);
133. return 0;
134. }