zzqq0103

Untitled

Mar 17th, 2024
  1. #define _GNU_SOURCE
  2.  
  3. #include <dirent.h>
  4. #include <endian.h>
  5. #include <errno.h>
  6. #include <fcntl.h>
  7. #include <signal.h>
  8. #include <stdarg.h>
  9. #include <stdbool.h>
  10. #include <stdint.h>
  11. #include <stdio.h>
  12. #include <stdlib.h>
  13. #include <string.h>
  14. #include <sys/prctl.h>
  15. #include <sys/stat.h>
  16. #include <sys/syscall.h>
  17. #include <sys/types.h>
  18. #include <sys/wait.h>
  19. #include <time.h>
  20. #include <unistd.h>
  21.  
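/*
 * Sleep for roughly `ms` milliseconds.
 *
 * Uses nanosleep() instead of usleep(): usleep() takes a useconds_t
 * (a 32-bit unsigned on glibc), so `ms * 1000` was silently truncated for
 * large `ms`. As before, an interrupted or failed sleep is not retried;
 * the only caller uses this as a 1 ms polling delay.
 */
static void sleep_ms(uint64_t ms)
{
  struct timespec req = {
      .tv_sec = (time_t)(ms / 1000),
      .tv_nsec = (long)(ms % 1000) * 1000000L,
  };
  /* Best effort: EINTR/EINVAL are ignored, matching the old usleep() call. */
  (void)nanosleep(&req, NULL);
}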
  26.  
/*
 * Current CLOCK_MONOTONIC time in milliseconds. If the clock cannot be read
 * the process exits with status 1; there is nothing useful a caller could do.
 */
static uint64_t current_time_ms(void)
{
  struct timespec now = {0};
  int rc = clock_gettime(CLOCK_MONOTONIC, &now);
  if (rc != 0) {
    exit(1);
  }
  uint64_t whole_ms = (uint64_t)now.tv_sec * 1000u;
  uint64_t frac_ms = (uint64_t)now.tv_nsec / 1000000u;
  return whole_ms + frac_ms;
}
  34.  
/* Mask of `bf_len` one-bits starting at bit `bf_off`. Shifting by the full
 * 64-bit width (bf_len == 64) is undefined; the uses in this file go up to 26. */
#define BITMASK(bf_off, bf_len) (((1ull << (bf_len)) - 1) << (bf_off))
/* Read-modify-write of one bit field inside the `type` object at `addr`:
 * clear the field, then OR in `val` shifted into position. `htobe` is an
 * optional byte-order conversion applied on both load and store; every use
 * in this file passes it empty, so values are kept in host byte order. */
#define STORE_BY_BITMASK(type, htobe, addr, val, bf_off, bf_len) \
  *(type*)(addr) = \
      htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | \
            (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len))))
  40.  
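/*
 * Format `what` (printf-style) and write the result to `file` with a single
 * write(2). The file is opened O_WRONLY|O_CLOEXEC; it is neither created
 * nor truncated.
 *
 * Returns true on success. Returns false with errno set when the file
 * cannot be opened, when the formatted text does not fit the internal
 * 1024-byte buffer (errno = EMSGSIZE, rather than silently writing a
 * truncated string as before), or when write(2) fails or writes short
 * (a short write leaves errno as write(2) left it).
 */
static bool write_file(const char* file, const char* what, ...)
{
  char buf[1024];
  va_list args;
  va_start(args, what);
  int n = vsnprintf(buf, sizeof(buf), what, args);
  va_end(args);
  /* vsnprintf reports the length it wanted; >= sizeof(buf) means truncation. */
  if (n < 0 || (size_t)n >= sizeof(buf)) {
    errno = EMSGSIZE;
    return false;
  }
  size_t len = (size_t)n;
  int fd = open(file, O_WRONLY | O_CLOEXEC);
  if (fd == -1)
    return false;
  ssize_t written = write(fd, buf, len);
  if (written < 0 || (size_t)written != len) {
    /* Keep the write(2) errno; close(2) may clobber it. */
    int err = errno;
    close(fd);
    errno = err;
    return false;
  }
  close(fd);
  return true;
}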
  62.  
/*
 * Write to /sys/fs/fuse/connections/<id>/abort for every connection listed
 * there. The byte written is the first byte of the path buffer, exactly as
 * the original did; what matters is that a write happens. Every failure is
 * ignored, including a missing or unreadable connections directory.
 * NOTE(review): this runs only after SIGKILL failed to get the child reaped,
 * presumably because the child is blocked on a FUSE request — inferred from
 * its position, not stated anywhere in this file.
 */
static void abort_fuse_connections(void)
{
  DIR* conns = opendir("/sys/fs/fuse/connections");
  if (!conns)
    return;
  struct dirent* ent;
  while ((ent = readdir(conns)) != NULL) {
    const char* name = ent->d_name;
    if (!strcmp(name, ".") || !strcmp(name, ".."))
      continue;
    char path[300];
    snprintf(path, sizeof(path), "/sys/fs/fuse/connections/%s/abort", name);
    int fd = open(path, O_WRONLY);
    if (fd == -1)
      continue;
    /* Empty branch keeps warn_unused_result quiet; the result is irrelevant. */
    if (write(fd, path, 1) < 0) {
    }
    close(fd);
  }
  closedir(conns);
}

/*
 * SIGKILL the test child `pid` together with its process group, then reap
 * it. Polls waitpid() for up to ~100 ms (100 x 1 ms); if the child still
 * has not been reaped, abort all FUSE connections and block until it is.
 * `*status` receives the waitpid status.
 * NOTE(review): waitpid(-1, ...) reaps any child of this process, so a
 * different child exiting in this window has its status discarded; loop()
 * only ever has one child at a time, so this is harmless there.
 */
static void kill_and_wait(int pid, int* status)
{
  kill(-pid, SIGKILL);
  kill(pid, SIGKILL);
  for (int attempt = 0; attempt < 100; attempt++) {
    if (waitpid(-1, status, WNOHANG | __WALL) == pid)
      return;
    usleep(1000);
  }
  abort_fuse_connections();
  while (waitpid(-1, status, __WALL) != pid) {
  }
}
  97.  
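/*
 * Per-child setup, run in the forked process before execute_one():
 * request SIGKILL when the parent dies, become a process-group leader so
 * kill_and_wait() can signal the whole group with kill(-pid), and raise
 * this process's oom_score_adj to its maximum. All three steps are best
 * effort; their results are ignored.
 *
 * Declared with (void): the old empty parameter list is an obsolescent
 * non-prototype declaration, inconsistent with execute_one(void) below.
 */
static void setup_test(void)
{
  prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
  setpgrp();
  write_file("/proc/self/oom_score_adj", "1000");
}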
  104.  
  105. static void execute_one(void);
  106.  
  107. #define WAIT_FLAGS __WALL
  108.  
/* Wall-clock budget for one execute_one() child before it is killed. */
enum { TEST_TIMEOUT_MS = 5000 };

/*
 * Wait for the test child `pid`, polling waitpid() once per millisecond.
 * If it has not been reaped after TEST_TIMEOUT_MS it is killed and reaped
 * through kill_and_wait(). `*status` receives the waitpid status.
 */
static void wait_for_child(int pid, int* status)
{
  uint64_t started = current_time_ms();
  for (;;) {
    if (waitpid(-1, status, WNOHANG | WAIT_FLAGS) == pid)
      return;
    sleep_ms(1);
    if (current_time_ms() - started >= TEST_TIMEOUT_MS) {
      kill_and_wait(pid, status);
      return;
    }
  }
}

/*
 * Driver: forever fork a child that runs setup_test() then execute_one(),
 * giving each child at most TEST_TIMEOUT_MS. Exits with status 1 if fork()
 * fails. Never returns otherwise.
 */
static void loop(void)
{
  for (;;) {
    int pid = fork();
    if (pid < 0)
      exit(1);
    if (pid == 0) {
      setup_test();
      execute_one();
      exit(0);
    }
    int status = 0;
    wait_for_child(pid, &status);
  }
}
  134.  
/* Result slot filled by execute_one(): the fd returned by its first
 * perf_event_open() call, then passed as the group fd of the second call.
 * Starts as (uint64_t)-1 and keeps that value if the first call fails. */
uint64_t r[1] = {0xffffffffffffffff};
  136.  
/*
 * The test body run in each forked child: builds two 0x80-byte attribute
 * buffers inside the RWX scratch mapping that main() places at 0x20000000
 * and issues two perf_event_open() calls, the second joining the group of
 * the first via r[0]. This definition has internal linkage because of the
 * earlier `static void execute_one(void);` declaration.
 *
 * NOTE(review): no struct is declared in this file. If the buffers are
 * struct perf_event_attr, the offsets line up with type (+0), size (+4),
 * config (+8), sample_period (+16), sample_type (+24), read_format (+32),
 * the 64-bit flag word (+40) and the trailing fields — confirm against the
 * uapi header before relying on that reading.
 */
void execute_one(void)
{
  intptr_t res = 0;
  /* First attribute buffer at 0x20000040: +0 = 1, +4 = 0x80, +16 = 2;
   * every other field is 0. */
  *(uint32_t*)0x20000040 = 1;
  *(uint32_t*)0x20000044 = 0x80;
  *(uint8_t*)0x20000048 = 0;
  *(uint8_t*)0x20000049 = 0;
  *(uint8_t*)0x2000004a = 0;
  *(uint8_t*)0x2000004b = 0;
  *(uint32_t*)0x2000004c = 0;
  *(uint64_t*)0x20000050 = 2;
  *(uint64_t*)0x20000058 = 0;
  *(uint64_t*)0x20000060 = 0;
  /* Field-by-field clear of the 64-bit word at 0x20000068. The bit ranges
   * (0-14, 15-16, 17-37, 38-63) cover all 64 bits and every value is 0, so
   * the net effect is storing 0 to that word. */
  STORE_BY_BITMASK(uint64_t, , 0x20000068, 0, 0, 1);
  STORE_BY_BITMASK(uint64_t, , 0x20000068, 0, 1, 1);
  STORE_BY_BITMASK(uint64_t, , 0x20000068, 0, 2, 1);
  STORE_BY_BITMASK(uint64_t, , 0x20000068, 0, 3, 1);
  STORE_BY_BITMASK(uint64_t, , 0x20000068, 0, 4, 1);
  STORE_BY_BITMASK(uint64_t, , 0x20000068, 0, 5, 1);
  STORE_BY_BITMASK(uint64_t, , 0x20000068, 0, 6, 1);
  STORE_BY_BITMASK(uint64_t, , 0x20000068, 0, 7, 1);
  STORE_BY_BITMASK(uint64_t, , 0x20000068, 0, 8, 1);
  STORE_BY_BITMASK(uint64_t, , 0x20000068, 0, 9, 1);
  STORE_BY_BITMASK(uint64_t, , 0x20000068, 0, 10, 1);
  STORE_BY_BITMASK(uint64_t, , 0x20000068, 0, 11, 1);
  STORE_BY_BITMASK(uint64_t, , 0x20000068, 0, 12, 1);
  STORE_BY_BITMASK(uint64_t, , 0x20000068, 0, 13, 1);
  STORE_BY_BITMASK(uint64_t, , 0x20000068, 0, 14, 1);
  STORE_BY_BITMASK(uint64_t, , 0x20000068, 0, 15, 2);
  STORE_BY_BITMASK(uint64_t, , 0x20000068, 0, 17, 1);
  STORE_BY_BITMASK(uint64_t, , 0x20000068, 0, 18, 1);
  STORE_BY_BITMASK(uint64_t, , 0x20000068, 0, 19, 1);
  STORE_BY_BITMASK(uint64_t, , 0x20000068, 0, 20, 1);
  STORE_BY_BITMASK(uint64_t, , 0x20000068, 0, 21, 1);
  STORE_BY_BITMASK(uint64_t, , 0x20000068, 0, 22, 1);
  STORE_BY_BITMASK(uint64_t, , 0x20000068, 0, 23, 1);
  STORE_BY_BITMASK(uint64_t, , 0x20000068, 0, 24, 1);
  STORE_BY_BITMASK(uint64_t, , 0x20000068, 0, 25, 1);
  STORE_BY_BITMASK(uint64_t, , 0x20000068, 0, 26, 1);
  STORE_BY_BITMASK(uint64_t, , 0x20000068, 0, 27, 1);
  STORE_BY_BITMASK(uint64_t, , 0x20000068, 0, 28, 1);
  STORE_BY_BITMASK(uint64_t, , 0x20000068, 0, 29, 1);
  STORE_BY_BITMASK(uint64_t, , 0x20000068, 0, 30, 1);
  STORE_BY_BITMASK(uint64_t, , 0x20000068, 0, 31, 1);
  STORE_BY_BITMASK(uint64_t, , 0x20000068, 0, 32, 1);
  STORE_BY_BITMASK(uint64_t, , 0x20000068, 0, 33, 1);
  STORE_BY_BITMASK(uint64_t, , 0x20000068, 0, 34, 1);
  STORE_BY_BITMASK(uint64_t, , 0x20000068, 0, 35, 1);
  STORE_BY_BITMASK(uint64_t, , 0x20000068, 0, 36, 1);
  STORE_BY_BITMASK(uint64_t, , 0x20000068, 0, 37, 1);
  STORE_BY_BITMASK(uint64_t, , 0x20000068, 0, 38, 26);
  /* Remaining fields of the first buffer (+48 .. +120): all 0. */
  *(uint32_t*)0x20000070 = 0;
  *(uint32_t*)0x20000074 = 0;
  *(uint64_t*)0x20000078 = 0;
  *(uint64_t*)0x20000080 = 0;
  *(uint64_t*)0x20000088 = 0;
  *(uint64_t*)0x20000090 = 0;
  *(uint32_t*)0x20000098 = 0;
  *(uint32_t*)0x2000009c = 0;
  *(uint64_t*)0x200000a0 = 0;
  *(uint32_t*)0x200000a8 = 0;
  *(uint16_t*)0x200000ac = 0;
  *(uint16_t*)0x200000ae = 0;
  *(uint32_t*)0x200000b0 = 0;
  *(uint32_t*)0x200000b4 = 0;
  *(uint64_t*)0x200000b8 = 0;
  /* First perf_event_open(); on success the fd is kept in r[0], otherwise
   * r[0] stays at its initial (uint64_t)-1. */
  res = syscall(__NR_perf_event_open, /*attr=*/0x20000040ul, /*pid=*/0,
                /*cpu=*/0ul, /*group=*/-1, /*flags=*/0ul);
  if (res != -1)
    r[0] = res;
  /* Second attribute buffer at 0x20000100: +0 = 0, +4 = 0x80, +16 = 0x3d,
   * +24 = 0x800, +64 = 8, +72 = 8; everything else 0. */
  *(uint32_t*)0x20000100 = 0;
  *(uint32_t*)0x20000104 = 0x80;
  *(uint8_t*)0x20000108 = 0;
  *(uint8_t*)0x20000109 = 0;
  *(uint8_t*)0x2000010a = 0;
  *(uint8_t*)0x2000010b = 0;
  *(uint32_t*)0x2000010c = 0;
  *(uint64_t*)0x20000110 = 0x3d;
  *(uint64_t*)0x20000118 = 0x800;
  *(uint64_t*)0x20000120 = 0;
  /* Same full-coverage clear as above, for the word at 0x20000128. */
  STORE_BY_BITMASK(uint64_t, , 0x20000128, 0, 0, 1);
  STORE_BY_BITMASK(uint64_t, , 0x20000128, 0, 1, 1);
  STORE_BY_BITMASK(uint64_t, , 0x20000128, 0, 2, 1);
  STORE_BY_BITMASK(uint64_t, , 0x20000128, 0, 3, 1);
  STORE_BY_BITMASK(uint64_t, , 0x20000128, 0, 4, 1);
  STORE_BY_BITMASK(uint64_t, , 0x20000128, 0, 5, 1);
  STORE_BY_BITMASK(uint64_t, , 0x20000128, 0, 6, 1);
  STORE_BY_BITMASK(uint64_t, , 0x20000128, 0, 7, 1);
  STORE_BY_BITMASK(uint64_t, , 0x20000128, 0, 8, 1);
  STORE_BY_BITMASK(uint64_t, , 0x20000128, 0, 9, 1);
  STORE_BY_BITMASK(uint64_t, , 0x20000128, 0, 10, 1);
  STORE_BY_BITMASK(uint64_t, , 0x20000128, 0, 11, 1);
  STORE_BY_BITMASK(uint64_t, , 0x20000128, 0, 12, 1);
  STORE_BY_BITMASK(uint64_t, , 0x20000128, 0, 13, 1);
  STORE_BY_BITMASK(uint64_t, , 0x20000128, 0, 14, 1);
  STORE_BY_BITMASK(uint64_t, , 0x20000128, 0, 15, 2);
  STORE_BY_BITMASK(uint64_t, , 0x20000128, 0, 17, 1);
  STORE_BY_BITMASK(uint64_t, , 0x20000128, 0, 18, 1);
  STORE_BY_BITMASK(uint64_t, , 0x20000128, 0, 19, 1);
  STORE_BY_BITMASK(uint64_t, , 0x20000128, 0, 20, 1);
  STORE_BY_BITMASK(uint64_t, , 0x20000128, 0, 21, 1);
  STORE_BY_BITMASK(uint64_t, , 0x20000128, 0, 22, 1);
  STORE_BY_BITMASK(uint64_t, , 0x20000128, 0, 23, 1);
  STORE_BY_BITMASK(uint64_t, , 0x20000128, 0, 24, 1);
  STORE_BY_BITMASK(uint64_t, , 0x20000128, 0, 25, 1);
  STORE_BY_BITMASK(uint64_t, , 0x20000128, 0, 26, 1);
  STORE_BY_BITMASK(uint64_t, , 0x20000128, 0, 27, 1);
  STORE_BY_BITMASK(uint64_t, , 0x20000128, 0, 28, 1);
  STORE_BY_BITMASK(uint64_t, , 0x20000128, 0, 29, 1);
  STORE_BY_BITMASK(uint64_t, , 0x20000128, 0, 30, 1);
  STORE_BY_BITMASK(uint64_t, , 0x20000128, 0, 31, 1);
  STORE_BY_BITMASK(uint64_t, , 0x20000128, 0, 32, 1);
  STORE_BY_BITMASK(uint64_t, , 0x20000128, 0, 33, 1);
  STORE_BY_BITMASK(uint64_t, , 0x20000128, 0, 34, 1);
  STORE_BY_BITMASK(uint64_t, , 0x20000128, 0, 35, 1);
  STORE_BY_BITMASK(uint64_t, , 0x20000128, 0, 36, 1);
  STORE_BY_BITMASK(uint64_t, , 0x20000128, 0, 37, 1);
  STORE_BY_BITMASK(uint64_t, , 0x20000128, 0, 38, 26);
  *(uint32_t*)0x20000130 = 0;
  *(uint32_t*)0x20000134 = 0;
  *(uint64_t*)0x20000138 = 0;
  *(uint64_t*)0x20000140 = 8;
  *(uint64_t*)0x20000148 = 8;
  *(uint64_t*)0x20000150 = 0;
  *(uint32_t*)0x20000158 = 0;
  *(uint32_t*)0x2000015c = 0;
  *(uint64_t*)0x20000160 = 0;
  *(uint32_t*)0x20000168 = 0;
  *(uint16_t*)0x2000016c = 0;
  *(uint16_t*)0x2000016e = 0;
  *(uint32_t*)0x20000170 = 0;
  *(uint32_t*)0x20000174 = 0;
  *(uint64_t*)0x20000178 = 0;
  /* Second perf_event_open(), grouped under the first fd (or -1 as
   * (uint64_t)-1 if that call failed). Its result is discarded. */
  syscall(__NR_perf_event_open, /*attr=*/0x20000100ul, /*pid=*/0, /*cpu=*/0ul,
          /*group=*/r[0], /*flags=*/0ul);
}
/*
 * Map `len` bytes at the fixed address `addr` with protection `prot` as a
 * private anonymous mapping (flags 0x32 = MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE,
 * passed raw exactly as the original syscall did). The result is ignored.
 */
static void map_fixed_anon(unsigned long addr, unsigned long len,
                           unsigned long prot)
{
  syscall(__NR_mmap, addr, len, prot,
          /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1,
          /*offset=*/0ul);
}

/*
 * Entry point. Lays out the fixed scratch region execute_one() stores into:
 * one inaccessible page just below it, 16 MiB of RWX scratch at 0x20000000
 * (the attribute buffers at 0x20000040 and 0x20000100 live there), and one
 * inaccessible page just above it — the two PROT_NONE pages presumably act
 * as guards. Then runs the fork/timeout loop, which never returns.
 */
int main(void)
{
  map_fixed_anon(0x1ffff000ul, 0x1000ul, /*prot=*/0ul);
  map_fixed_anon(0x20000000ul, 0x1000000ul,
                 /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul);
  map_fixed_anon(0x21000000ul, 0x1000ul, /*prot=*/0ul);
  loop();
  return 0;
}