- C reproducer:
- // autogenerated by syzkaller (http://github.com/google/syzkaller)
- #define _GNU_SOURCE
- #include <endian.h>
- #include <sys/syscall.h>
- #include <unistd.h>
- #include <errno.h>
- #include <sched.h>
- #include <signal.h>
- #include <stdarg.h>
- #include <stdbool.h>
- #include <stdio.h>
- #include <sys/prctl.h>
- #include <sys/resource.h>
- #include <sys/time.h>
- #include <sys/wait.h>
/*
 * Terminate the whole thread group with `status` via the raw exit_group
 * syscall (no atexit handlers, no stdio flush).  The spin loop after it is
 * never reached in practice; the volatile counter only stops the compiler
 * from treating the function as one that can fall through.
 */
__attribute__((noreturn)) static void doexit(int status)
{
	syscall(__NR_exit_group, status);
	volatile unsigned spin = 0;
	for (;;) {
		spin++;
	}
}
- #include <stdint.h>
- #include <string.h>
- #include <errno.h>
- #include <stdarg.h>
- #include <stdio.h>
/*
 * Process exit codes reported back to the harness (see fail()):
 * 67 marks a hard failure, 69 a transient one (ENOMEM/EAGAIN) that the
 * harness may retry.
 */
const int kFailStatus = 67, kRetryStatus = 69;
/*
 * Report a fatal setup error and exit.
 *
 * `msg` is a printf-style format (every caller in this file passes a
 * literal); the formatted message is followed by the errno that was
 * current on entry.  Exits with kRetryStatus when the error looks like
 * transient resource exhaustion, otherwise with kFailStatus.  Never
 * returns, because doexit() never returns.
 */
static void fail(const char* msg, ...)
{
	/* Capture errno before any stdio call can overwrite it. */
	const int saved_errno = errno;
	va_list ap;
	va_start(ap, msg);
	vfprintf(stderr, msg, ap);
	va_end(ap);
	fprintf(stderr, " (errno %d)\n", saved_errno);
	const bool transient = (saved_errno == ENOMEM) || (saved_errno == EAGAIN);
	doexit(transient ? kRetryStatus : kFailStatus);
}
/* Forward declaration: the reproducer body, defined below and run by do_sandbox_none(). */
static void loop(void);
/*
 * Set both the soft and the hard limit of one rlimit resource to `value`.
 * The setrlimit() result is deliberately discarded: the sandbox is
 * best-effort.
 */
static void cap_resource(int resource, rlim_t value)
{
	struct rlimit lim = { .rlim_cur = value, .rlim_max = value };
	setrlimit(resource, &lim);
}

/*
 * Confine the reproducer child: die together with the parent, detach from
 * the parent's process group and session, bound memory/file/stack usage,
 * disable core dumps, and move into fresh mount, IPC, cgroup, UTS and
 * SysV-semaphore namespaces.  Every unshare() result is ignored on purpose,
 * so the reproducer still runs when the caller lacks the privilege to
 * create namespaces.
 */
static void sandbox_common()
{
	/* Deliver SIGKILL to this process as soon as its parent exits. */
	prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
	setpgrp();
	setsid();

	cap_resource(RLIMIT_AS, 160 << 20);     /* 160 MiB address space */
	cap_resource(RLIMIT_MEMLOCK, 8 << 20);  /* 8 MiB locked memory */
	cap_resource(RLIMIT_FSIZE, 136 << 20);  /* 136 MiB maximum file size */
	cap_resource(RLIMIT_STACK, 1 << 20);    /* 1 MiB stack */
	cap_resource(RLIMIT_CORE, 0);           /* no core dumps */

	(void)unshare(CLONE_NEWNS);
	(void)unshare(CLONE_NEWIPC);
	/* 0x02000000 is CLONE_NEWCGROUP; the literal presumably avoids a dependency on headers that lack the macro. */
	(void)unshare(0x02000000);
	(void)unshare(CLONE_NEWUTS);
	(void)unshare(CLONE_SYSVSEM);
}
/*
 * Fork the reproducer into a sandboxed child.
 *
 * Returns the child's pid to the parent so main() can wait on it.  The
 * child never returns: it applies sandbox_common(), detaches its network
 * namespace, runs loop() and exits with status 1.  Calls fail() if fork()
 * fails.  The unshare() results are ignored on purpose, matching
 * sandbox_common(), so the reproducer also runs without namespace
 * privileges.
 */
static int do_sandbox_none(void)
{
	(void)unshare(CLONE_NEWPID);
	int child = fork();
	if (child < 0) {
		fail("sandbox fork failed");
	}
	if (child != 0) {
		/* Parent side. */
		return child;
	}
	/* Child side. */
	sandbox_common();
	(void)unshare(CLONE_NEWNET);
	loop();
	doexit(1);
}
/* Syscall result slots filled in by loop(): r[0] is the fd for ./file0, r[1] the fd for libc.so.6; UINT64_MAX means "not obtained". */
uint64_t r[2] = { UINT64_MAX, UINT64_MAX };
/*
 * The reproducer body, run inside the sandboxed child.
 *
 * Every scratch address used here (0x20000000 + small offset) lies inside
 * the 16 MiB anonymous mapping that main() installs at 0x20000000, so the
 * memcpy/store targets are only valid when main() ran first.  Syscall
 * arguments are kept as the raw fuzzer-generated values; only the ones that
 * are unambiguous are decoded in the comments below.
 */
void loop()
{
long res = 0;
/* Path for the first open; the length of 8 includes the terminating NUL. */
memcpy((void*)0x20000040, "./file0", 8);
/* open("./file0", flags 0x43fd, mode 0xff..fe): flags/mode are left as generated, not decoded. */
res = syscall(__NR_open, 0x20000040, 0x43fd, 0xfffffffffffffffe);
if (res != -1)
r[0] = res;
memcpy((void*)0x20000075, "/lib/x86_64-linux-gnu/libc.so.6", 32);
res = syscall(__NR_open, 0x20000075, 0, 0);
if (res != -1)
r[1] = res;
/* r[1] is closed here but its number is still passed to mmap below. */
syscall(__NR_close, r[1]);
memcpy((void*)0x20000180, "./file0", 8);
/* Result discarded.  NOTE(review): Linux hands out the lowest free descriptor, so this open presumably receives the number just released as r[1], making the mmap below map ./file0 rather than libc — confirm before reasoning about the mmap target. */
syscall(__NR_open, 0x20000180, 0, 8);
/* mmap 0x2000 bytes at the fixed address 0x20002000 from fd r[1], file offset 0x4000; 0x11 = MAP_SHARED|MAP_FIXED, prot low bits 0x5 = PROT_READ|PROT_EXEC with extra high bits left as generated. */
syscall(__NR_mmap, 0x20002000, 0x2000, 0x40000000005, 0x11, r[1], 0x4000);
*(uint64_t*)0x20000000 = 0;
/* write(r[0], 0x20000000, 0xd996d7aa): the requested length (~3.6 GiB) far exceeds the 16 MiB mapping, so the kernel is expected to stop at the mapping boundary rather than read that much; which kernel issue this sequence targets cannot be determined from this listing alone. */
syscall(__NR_write, r[0], 0x20000000, 0xd996d7aa);
}
/*
 * Entry point: reserve the fixed scratch region the reproducer writes
 * into, run the reproducer in a sandboxed child, and reap that child.
 * The child's exit status is collected but never examined; always
 * returns 0.
 */
int main(void)
{
	/* 16 MiB anonymous mapping at 0x20000000: prot 3 = PROT_READ|PROT_WRITE, flags 0x32 = MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS. */
	(void)syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0);
	const int child = do_sandbox_none();
	int status = 0;
	/* Spin until waitpid() reports exactly this child; __WALL also reaps clone()-created children. */
	do {
	} while (waitpid(child, &status, __WALL) != child);
	return 0;
}