#!/bin/sh

# stress2 regression test: syzkaller reproducer for a kernel page fault in
# filt_bpfwrite(), reached through kevent(2) after opening /dev/bpf.
# The panic record below is the original report this script reproduces;
# the fault address 0x28 suggests a read through a NULL pointer plus a
# small field offset (inferred from the report, not verified here).

# Fatal trap 12: page fault while in kernel mode
# cpuid = 4; apic id = 04
# fault virtual address   = 0x28
# fault code              = supervisor read data, page not present
# instruction pointer     = 0x20:0xffffffff81549dea
# stack pointer           = 0x28:0xfffffe01d8689480
# frame pointer           = 0x28:0xfffffe01d8689490
# code segment            = base 0x0, limit 0xfffff, type 0x1b
#                         = DPL 0, pres 1, long 1, def32 0, gran 1
# processor eflags        = interrupt enabled, resume, IOPL = 0
# current process         = 3050 (syzkaller46)
# trap number             = 12
# panic: page fault
# cpuid = 4
# time = 1635158869
# KDB: stack backtrace:
# db_trace_self_wrapper() at db_trace_self_wrapper+0xa5/frame 0xfffffe01d8688cb0
# kdb_backtrace() at kdb_backtrace+0xc9/frame 0xfffffe01d8688e10
# vpanic() at vpanic+0x248/frame 0xfffffe01d8688ef0
# panic() at panic+0xb5/frame 0xfffffe01d8688fb0
# trap_fatal() at trap_fatal+0x52e/frame 0xfffffe01d86890b0
# trap_pfault() at trap_pfault+0x132/frame 0xfffffe01d86891d0
# trap() at trap+0x53f/frame 0xfffffe01d86893b0
# calltrap() at calltrap+0x8/frame 0xfffffe01d86893b0
# --- trap 0xc, rip = 0xffffffff81549dea, rsp = 0xfffffe01d8689480, rbp = 0xfffffe01d8689490 ---
# filt_bpfwrite() filt_bpfwrite+0x4a/frame 0xfffffe01d8689490
# kqueue_register() at kqueue_register+0xea3/frame 0xfffffe01d86895d0
# kqueue_kevent() at kqueue_kevent+0x26a/frame 0xfffffe01d86899c0
# kern_kevent_fp() at kern_kevent_fp+0xd2/frame 0xfffffe01d8689a10
# kern_kevent() at kern_kevent+0x138/frame 0xfffffe01d8689b10
# kern_kevent_generic() at kern_kevent_gene6/frame 0xfffffesys_kevent() at sys_kevent+0x1e1/frame 0xfffffe01d8689d30
# (the line above holds two fused frames, kern_kevent_generic() and
#  sys_kevent(); the first one's offset and frame address were truncated
#  in the original log and are not reconstructed here)
# amd64_syscall() at amd64_syscall+0x31e/frame 0xfffffe01d8689f30
# fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe01d8689f30
# --- syscall (0, FreeBSD ELF64, nosys), rip = 0x8003adafa, rsp = 0x7fffffffe648, rbp = 0x7fffffffe670 ---
# KDB: enter: panic
# [ thread pid 3050 tid 100263 ]
# Stopped at      kdb_enter+0x37: movq    $0,0x2638c4e(%rip)
# db> x/s version
# version: FreeBSD 14.0-CURRENT #0 main-n250242-eab5358b9080-dirty: Mon Oct 25 11:32:45 CEST 2021
# pho@mercat1.netperf.freebsd.org
# db>


# The reproducer is amd64-only (presumably because of its hard-coded user
# address space layout and raw syscall numbers); other arches skip cleanly.
[ `uname -p` != "amd64" ] && exit 0
# Root is required; refuse up front rather than fail inside the reproducer.
[ `id -u ` -ne 0 ] && echo "Must be root!" && exit 1

# Shared stress2 settings; expected to supply the mycc wrapper used below.
. ../default.cfg
# Unquoted heredoc: the C source is written verbatim (no shell variables
# appear in it), so keep it free of stray shell metacharacters.
cat > /tmp/syzkaller46.c <<EOF
// https://syzkaller.appspot.com/bug?id=a99f705b2b8b854d70ec4d47eed481c90046bd3c
// autogenerated by syzkaller (https://github.com/google/syzkaller)
// Reported-by: syzbot+ae45d5166afe15a5a21d@syzkaller.appspotmail.com

#define _GNU_SOURCE

#include <pwd.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/endian.h>
#include <sys/syscall.h>
#include <unistd.h>

// syzkaller resource table: r[0] holds the kqueue descriptor once created,
// and stays -1 if kqueue() fails.
uint64_t r[1] = {0xffffffffffffffff};

int main(void)
{
  // Map a fixed 16 MiB scratch region at 0x20000000; every raw address
  // below lives inside it. The mmap result is deliberately not checked
  // (generated code); a failure would turn the later stores into faults.
  syscall(SYS_mmap, 0x20000000ul, 0x1000000ul, 7ul, 0x1012ul, -1, 0ul);
  intptr_t res = 0;
  // Place the NUL-terminated device path in the scratch region.
  memcpy((void*)0x20000040, "/dev/bpf\000", 9);
  // Open /dev/bpf (dirfd 0xffffffffffffff9c is -100, i.e. AT_FDCWD). The
  // returned descriptor is not recorded; the ident values in the changelist
  // below presumably refer to it by its expected number - confirm if the
  // test is reworked.
  syscall(SYS_openat, 0xffffffffffffff9cul, 0x20000040ul, 0ul, 0ul);
  res = syscall(SYS_kqueue);
  if (res != -1)
    r[0] = res;
  // Three changelist entries, 0x40 bytes apart (0x20000480, 0x200004c0,
  // 0x20000500), written field by field. The store pattern looks like
  // struct kevent members (ident, filter, flags, fflags, data, udata,
  // ext[4]); verify against sys/event.h before editing any value, since
  // the panic depends on this exact layout.
  *(uint64_t*)0x20000480 = 0x284;
  *(uint16_t*)0x20000488 = 0xfff8;
  *(uint16_t*)0x2000048a = 0x10;
  *(uint32_t*)0x2000048c = 1;
  *(uint64_t*)0x20000490 = 0x401;
  *(uint64_t*)0x20000498 = 5;
  *(uint64_t*)0x200004a0 = 5;
  *(uint64_t*)0x200004a8 = 0x24000000;
  *(uint64_t*)0x200004b0 = 0x100000000;
  *(uint64_t*)0x200004b8 = 0x3f;
  *(uint64_t*)0x200004c0 = 3;
  *(uint16_t*)0x200004c8 = 0xfffe;
  *(uint16_t*)0x200004ca = 1;
  *(uint32_t*)0x200004cc = 1;
  *(uint64_t*)0x200004d0 = 1;
  *(uint64_t*)0x200004d8 = 3;
  *(uint64_t*)0x200004e0 = 9;
  *(uint64_t*)0x200004e8 = 0x3ff;
  *(uint64_t*)0x200004f0 = 0x100000001;
  *(uint64_t*)0x200004f8 = 3;
  *(uint64_t*)0x20000500 = 5;
  *(uint16_t*)0x20000508 = 0xfffe;
  *(uint16_t*)0x2000050a = 0x42;
  *(uint32_t*)0x2000050c = 2;
  *(uint64_t*)0x20000510 = 5;
  *(uint64_t*)0x20000518 = 0x7f;
  *(uint64_t*)0x20000520 = 9;
  *(uint64_t*)0x20000528 = 0x600000000;
  *(uint64_t*)0x20000530 = 0x1f;
  *(uint64_t*)0x20000538 = 7;
  // Submit the three changes (nchanges = 3) and allow up to 10 events back
  // into 0x200001c0. The backtrace above shows this call reaching
  // filt_bpfwrite() via kqueue_register(); on an affected kernel it does
  // not return. On a fixed kernel the program presumably just exits.
  syscall(SYS_kevent, r[0], 0x20000480ul, 3ul, 0x200001c0ul, 0xaul, 0ul);
  return 0;
}
EOF
# Build with the stress2 compiler wrapper; a build failure fails the test.
mycc -o /tmp/syzkaller46 -Wall -Wextra -O0 /tmp/syzkaller46.c -lpthread || exit 1

# Run with /tmp as the working directory.
(cd /tmp; ./syzkaller46)

# Remove the binary, its source and any leftover syzkaller.* scratch files.
rm -rf /tmp/syzkaller46 /tmp/syzkaller46.c /tmp/syzkaller.*
exit 0