  1.  
  2. C reproducer:
  3. // autogenerated by syzkaller (http://github.com/google/syzkaller)
  4.  
  5. #define _GNU_SOURCE
  6. #include <endian.h>
  7. #include <sys/syscall.h>
  8. #include <unistd.h>
  9. #include <errno.h>
  10. #include <sched.h>
  11. #include <signal.h>
  12. #include <stdarg.h>
  13. #include <stdbool.h>
  14. #include <stdio.h>
  15. #include <sys/prctl.h>
  16. #include <sys/resource.h>
  17. #include <sys/time.h>
  18. #include <sys/wait.h>
  19.  
  /* Terminate the whole thread group with `status`; never returns.
   * Should exit_group somehow come back, spin forever on a volatile counter so
   * the function can honestly carry the noreturn attribute. */
  __attribute__((noreturn)) static void doexit(int status)
  {
      volatile unsigned spin;
      syscall(__NR_exit_group, status);
      spin = 0;
      while (1) {
          spin++;
      }
  }
  27. #include <stdint.h>
  28. #include <string.h>
  29. #include <errno.h>
  30. #include <stdarg.h>
  31. #include <stdio.h>
  32.  
  /* Process exit codes used by fail(). */
  const int kRetryStatus = 69; /* transient error (ENOMEM/EAGAIN): the run may be retried */
  const int kFailStatus = 67;  /* any other error */
  35.  
  /* Print a printf-style message followed by the errno captured on entry, then
   * exit via doexit(): kRetryStatus when the error is ENOMEM/EAGAIN (transient),
   * kFailStatus otherwise. Never returns. */
  static void fail(const char* msg, ...)
  {
      int saved_errno = errno; /* capture before stdio can clobber it */
      va_list ap;
      va_start(ap, msg);
      vfprintf(stderr, msg, ap);
      va_end(ap);
      fprintf(stderr, " (errno %d)\n", saved_errno);
      int transient = (saved_errno == ENOMEM) || (saved_errno == EAGAIN);
      doexit(transient ? kRetryStatus : kFailStatus);
  }
  46.  
  /* Defined below. Because this first declaration is static, the later
   * `void loop()` definition inherits internal linkage. */
  static void loop();
  48.  
  /* Set both the soft and hard limit of `resource` to `value`.
   * The setrlimit() result is deliberately ignored, as in the original. */
  static void set_rlimit_both(int resource, rlim_t value)
  {
      struct rlimit lim;
      lim.rlim_cur = value;
      lim.rlim_max = value;
      setrlimit(resource, &lim);
  }

  /* Confine the child: die with the parent, detach from the controlling
   * session, cap memory/file/stack/core limits, and unshare a set of
   * namespaces. Every call is best-effort; failures are silently ignored,
   * so without privileges the unshare() calls simply have no effect. */
  static void sandbox_common()
  {
      prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
      setpgrp();
      setsid();

      set_rlimit_both(RLIMIT_AS, 160 << 20);
      set_rlimit_both(RLIMIT_MEMLOCK, 8 << 20);
      set_rlimit_both(RLIMIT_FSIZE, 136 << 20);
      set_rlimit_both(RLIMIT_STACK, 1 << 20);
      set_rlimit_both(RLIMIT_CORE, 0);

      /* 0x02000000 is kept as a literal rather than a named CLONE_* constant,
       * presumably so the file builds against headers that lack the symbol. */
      static const int ns_flags[] = {
          CLONE_NEWNS,
          CLONE_NEWIPC,
          0x02000000,
          CLONE_NEWUTS,
          CLONE_SYSVSEM,
      };
      for (size_t k = 0; k < sizeof ns_flags / sizeof ns_flags[0]; k++) {
          if (unshare(ns_flags[k])) {
              /* ignored */
          }
      }
  }
  78.  
  /* Fork the reproducer into a child process.
   * Returns the child's pid to the parent. The child never returns: it applies
   * sandbox_common(), tries to unshare the network namespace, runs loop() and
   * exits with status 1. A failed fork() aborts the whole run via fail(). */
  static int do_sandbox_none(void)
  {
      if (unshare(CLONE_NEWPID)) {
          /* best-effort; ignored */
      }
      int child = fork();
      if (child < 0) {
          fail("sandbox fork failed");
      }
      if (child != 0) {
          return child; /* parent side */
      }

      /* child side */
      sandbox_common();
      if (unshare(CLONE_NEWNET)) {
          /* best-effort; ignored */
      }
      loop();
      doexit(1);
  }
  95.  
  /* Descriptors recorded by loop(): r[0] for ./file0, r[1] for the libc image.
   * Both start at the all-ones "unset" value and are overwritten only when the
   * corresponding open() does not return -1. */
  uint64_t r[2] = { [0] = UINT64_MAX, [1] = UINT64_MAX };
  /* Reproducer body, run in the sandboxed child (see do_sandbox_none()).
   * Every buffer lives inside the fixed 0x1000000-byte region that main() mapped
   * at 0x20000000, and every call goes through raw syscall() so libc wrappers
   * cannot rewrite the arguments. The open() flags, modes, prot and map flags
   * below are fuzzer-chosen raw values; decode them against the x86-64 headers
   * rather than trusting names. */
  void loop()
  {
  long res = 0;
  /* r[0]: ./file0 opened with flags 0x43fd and an all-ones mode; on failure
   * r[0] keeps its UINT64_MAX default and the final write() should just fail. */
  memcpy((void*)0x20000040, "./file0", 8);
  res = syscall(__NR_open, 0x20000040, 0x43fd, 0xfffffffffffffffe);
  if (res != -1)
  r[0] = res;
  /* r[1]: the system libc, opened read-only and closed straight away. */
  memcpy((void*)0x20000075, "/lib/x86_64-linux-gnu/libc.so.6", 32);
  res = syscall(__NR_open, 0x20000075, 0, 0);
  if (res != -1)
  r[1] = res;
  syscall(__NR_close, r[1]);
  /* ./file0 is opened again and the result discarded. Since open() hands out the
   * lowest free descriptor number, this presumably reuses the number still
   * stored in r[1], so the mmap below most likely maps ./file0, not libc —
   * TODO confirm. */
  memcpy((void*)0x20000180, "./file0", 8);
  syscall(__NR_open, 0x20000180, 0, 8);
  /* Map 0x2000 bytes at 0x20002000 from descriptor r[1] at file offset 0x4000,
   * overlapping the region main() already mapped. prot 0x40000000005 carries
   * bits beyond the usual PROT_* values; flags 0x11 look like
   * MAP_SHARED|MAP_FIXED on x86 — verify against mman.h. */
  syscall(__NR_mmap, 0x20002000, 0x2000, 0x40000000005, 0x11, r[1], 0x4000);
  /* Zero the first word of the scratch region, then ask write() for
   * 0xd996d7aa bytes from 0x20000000 — far more than the 0x1000000 bytes mapped
   * there, so the copy presumably ends at the first unmapped source page. */
  *(uint64_t*)0x20000000 = 0;
  syscall(__NR_write, r[0], 0x20000000, 0xd996d7aa);
  }
  115.  
  /* Entry point: reserve the fixed scratch region the reproducer writes into,
   * spawn the sandboxed child and wait for it to finish. Always returns 0,
   * regardless of the child's exit status. */
  int main()
  {
      /* 0x1000000 bytes at 0x20000000, prot 3 (read+write), raw flags 0x32
       * (presumably MAP_PRIVATE|MAP_ANONYMOUS|MAP_FIXED on x86 — verify),
       * anonymous (fd -1). The result is intentionally unchecked. */
      syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0);
      int child = do_sandbox_none();
      int status = 0;
      /* __WALL also reaps clone()d children regardless of their exit signal. */
      for (;;) {
          if (waitpid(child, &status, __WALL) == child) {
              break;
          }
      }
      return 0;
  }