Code Golf of Death

34

5

Write some code that causes a BSOD or kernel panic!

Rules:

  • On Windows, you must cause a BugCheck (Blue Screen of Death), on Linux (or other *nix systems) you must cause a kernel panic.
  • Must not damage the system (i.e. it should work on reboot)
  • Kernel-mode drivers are allowed.
  • State your OS and version information.
  • Explain how the crash is caused.
  • It's not against the rules to use tools that are specifically designed to cause a crash, but doing so isn't very creative!
  • Highest upvotes wins.

Polynomial

Posted 2012-06-07T16:02:22.767

Reputation: 4 082

Question was closed 2016-09-08T05:07:30.570

Kernel mode drivers are allowed? Doesn't it make 1/0 a valid answer? – ugoren – 2012-06-07T20:37:25.927

@ugoren - Last time I checked, putting 1/0 in a file called driver.c doesn't constitute a valid kernel-mode driver. Regardless, the winner is based on upvotes, not code length. – Polynomial – 2012-06-07T20:40:37.620

Trying to say that using kernel drivers makes it uninteresting. Every crash in a driver crashes the kernel, and writing code that crashes isn't a challenge for most of us. – ugoren – 2012-06-08T21:21:08.797

@ugoren - Sure, but a generic kernel driver crash won't get many upvotes, so it's unlikely to win. If you can make the system crash due to some strange or obscure trick in kernel-mode, that's likely to win you some votes. – Polynomial – 2012-06-11T09:15:58.613

I haven't been following Meta Code Golf lately - is "highest-upvoted" now allowed? (If this is the case, this website just got 100x more awesome!) – Ry- – 2012-06-12T03:55:08.643

@minitech It's an objective criterion, so I don't see why it shouldn't be allowed. – Polynomial – 2012-06-12T07:40:10.130

I'm voting to close this question as off-topic because questions without objective winning criteria are off-topic – cat – 2016-04-29T12:36:54.613

@cat See my reply to minitech's now-deleted comment. – Polynomial – 2016-04-29T14:18:37.117

@Polynomial this was on-topic when it was asked, and when it was asked (and up until a few months ago) "most votes" was objective. This is no longer the case: http://meta.codegolf.stackexchange.com/a/8134/46231 – cat – 2016-04-29T16:17:42.817

@Polynomial you will find this has been closed by community consensus, but you are free to appeal this closure on meta or by voting to reopen. – cat – 2016-04-29T16:18:51.163

@cat Doesn't really matter now anyway. It got plenty of answers. – Polynomial – 2016-04-29T16:36:12.630

@Polynomial I've upvoted it and almost all of the answers, they're great and the community genuinely wish these sorts of challenges could be allowed, but that doesn't fit with the SE model. – cat – 2016-04-29T16:41:09.573

@cat I don't think this question is lacking objective criteria. I think the bigger problem with this question is that it's about potentially harmful code. Granted, none of the code is malicious but it's still harmful. – James – 2016-04-29T19:47:37.740

@DrGreenEggsandHamDJ Well, my intention was certainly not harmful. I work in security, so if I wanted to write my own malicious code, I would! – Polynomial – 2016-04-29T19:48:23.900

@DrGreenEggsandHamDJ Indeed, the top answer is potentially harmful, but if you read the thingy I linked, there's a consensus that votes isn't objective, because people aren't. – cat – 2016-04-29T19:52:13.120

@cat If you look through here and here you'll see that nowhere is it explicitly stated that popularity contests are off-topic. They're discouraged because they tend to be off-topic, but they aren't inherently off-topic. I think this question (harmful code aside) is very high-quality as far as popcons go. – James – 2016-04-29T19:55:31.943

@DrGreenEggsandHamDJ You are correct in all you say. popcons themselves are not inherently off-topic, it's just that popcons are off-topic when the provided primary winning criterion is not an objective one. – cat – 2016-04-29T20:12:41.917

@cat In every popcon, the primary winning criterion is votes. Granted, saying "Most votes wins" doesn't necessarily make it a high quality challenge. How is this challenge more objective than this challenge, when they are both scored by votes? – James – 2016-04-29T20:17:44.103

@DrGreenEggsandHamDJ That question is special primarily because it's not a challenge by any sense of the word. It's not objective; the winner is M. Buettner's Mathematica because it's a damn amazing answer. Helka, being a well-known great-challenge-writer thought that might be an interesting experiment but we can only ever have one of those. – cat – 2016-04-29T20:36:10.270

@DrGreenEggsandHamDJ So if the code is potentially harmful, disregarding its validity as a popcon, why does this have 4 reopen votes? That's kinda scary since this definitely shouldn't stay open in a self-respecting graduated PPCG – cat – 2016-04-29T20:51:20.387

@cat I don't know. Although I still disagree with your opinion on this question's validity as a popcon. This comment chain is getting a little long. We should probably take it to chat or meta. (Or maybe even both) – James – 2016-04-29T20:53:41.943

Let us continue this discussion in chat. – James – 2016-04-29T21:04:03.357

I'm voting to close this question as off-topic because it requires malicious code, which violates our rules. http://meta.codegolf.stackexchange.com/a/4831/34718 – mbomb007 – 2016-09-07T20:45:46.377

Answers

24

Bash, x86 Linux 2.6.20 kernel

Warning: the following command may cause permanent damage to your system.

cat /dev/urandom > /dev/mem

Will output the following (try here). After this, the script hangs.

/var/root # cat /dev/urandom > /dev/mem                                        
BUG: unable to handle kernel paging request at virtual address 474e82a5         
 printing eip:                                                                  
c01450c4                                                                        
*pde = 00000000                                                                 
Oops: 0000 [#1]                                                                 
CPU:    0                                                                       
EIP:    0060:[<c01450c4>]    Not tainted VLI                                    
EFLAGS: 00000082   (2.6.20 #12)                                                 
EIP is at free_block+0x54/0xf0                                                  
eax: 00000000   ebx: 474e82a1   ecx: c00745c8   edx: c0005e80                   
esi: c0070ce0   edi: c002c1a0   ebp: 00000000   esp: c0085eec                   
ds: 007b   es: 007b   ss: 0068                                                  
Process events/0 (pid: 3, ti=c0084000 task=c0094030 task.ti=c0084000)           
Stack: c0076410 00000002 c0051db0 c0051db0 c0051da0 00000002 c002c1a0 c01457dd  
       00000000 c0070ce0 c002c1a0 c0091840 c0145800 c0145870 00000000 00000000  
       c02cb2a0 c02cb2a0 00000296 c011dd27 c003fab0 c0094030 c009413c 00047e6c  
Call Trace:                                                                     
 [<c01457dd>] drain_array+0x7d/0xa0                                             
 [<c0145800>] cache_reap+0x0/0x110                                              
 [<c0145870>] cache_reap+0x70/0x110                                             
 [<c011dd27>] run_workqueue+0x67/0x130                                          
 [<c011df17>] worker_thread+0x127/0x140                                                                
 [<c010c7d0>] default_wake_function+0x0/0x10                                    
 [<c010c817>] __wake_up_common+0x37/0x70                                        
 [<c010c7d0>] default_wake_function+0x0/0x10                                    
 [<c011ddf0>] worker_thread+0x0/0x140                                           
 [<c0120d94>] kthread+0x94/0xc0                                                 
 [<c0120d00>] kthread+0x0/0xc0                                                  
 [<c0102ee7>] kernel_thread_helper+0x7/0x10                                     
 =======================                                                        
Code: 04 0f 8d 8f 00 00 00 8b 44 24 08 8b 0c a8 8d 91 00 00 00 40 c1 ea 0c c1 e2

Here is another exception found with the same command:

/dev # cat urandom > mem                                                        
------------[ cut here ]------------                                            
Kernel BUG at c014514c [verbose debug info unavailable]                         
invalid opcode: 0000 [#1]                                                       
CPU:    0                                                                       
EIP:    0060:[<c014514c>]    Not tainted VLI                                    
EFLAGS: 00000046   (2.6.20 #12)                                                 
EIP is at free_block+0xdc/0xf0                                                  
eax: 1608347b   ebx: c009b010   ecx: c003f508   edx: c00057e0                   
esi: c009b000   edi: c002cd40   ebp: 00000000   esp: c0085eec                   
ds: 007b   es: 007b   ss: 0068                                                  
Process events/0 (pid: 3, ti=c0084000 task=c0094030 task.ti=c0084000)           
Stack: c009b010 00000004 c009b010 c009b010 c009b000 00000004 c002cd40 c01457dd  
       00000000 c02ddf20 c002cd40 c0091840 c0145800 c0145870 00000000 00000000  
       c02cb2a0 c02cb2a0 00000296 c011dd27 c005c5a0 c0094030 c009413c 000409ed  

copy

Posted 2012-06-07T16:02:22.767

Reputation: 6 466

Very nice! Rather surprised that it's so easy to trash /dev/mem like that, though... wouldn't that imply that kernel memory can be altered by any process running as root? – Polynomial – 2012-06-07T19:16:20.863

I guess so. With great power comes great responsibility. – copy – 2012-06-07T19:26:20.710

Well, armed with this bit of fun information, I'm going to dump my machine's memory and dig around in it! :) – Polynomial – 2012-06-07T19:32:46.600

Both bugs are the same, by the way. You're just in /dev in the second one. You can also crash it with cat /dev/mem > /dev/mem, though I'm not sure why that dies. – Polynomial – 2012-06-07T20:23:47.237

Violates the Must not damage the system requirement - if you run it enough times, it will eventually rewrite the disk driver with code that formats the disk. – ugoren – 2012-06-07T20:36:08.677

Yeah, I realized that. What I actually meant is that another kind of exception was triggered (Invalid opcode in the second case, Page fault in the first). – copy – 2012-06-07T20:37:21.417

@ugoren That is an extremely unlikely scenario. It would have to write a bunch of accurate 32 bit addresses and instructions at the right place and not overwrite others – copy – 2012-06-07T20:57:16.320

I tried /dev/zero instead of /dev/urandom, but it seems to just spin the CPU instead of causing a panic. Probably something got stuck in a loop. – Simon – 2012-06-07T21:03:51.540

"run it enough times, it will eventually rewrite the disk driver with code that formats the disk" - Not certain, urandom is pseudorandom. – skeevey – 2012-06-08T03:17:42.927

@ugoren The "must not damage the system" rule is just to prevent answers like sudo rm -Rf /. The chances of causing permanent damage to the system using this method are less than the chances of, say, brute-forcing the output of a set of song lyrics based on the hash of the text. – Polynomial – 2012-06-08T10:02:36.647

Another trick of a similar kind is dd if=/dev/zero of=/dev/mem count=9k. – Polynomial – 2012-06-15T15:55:26.447

For me, this outputs bash: /dev/mem: Permission denied when using sudo, and cat: write error: Bad address when using su. – LegionMammal978 – 2015-10-24T01:29:41.790

@LegionMammal978 are you root? (you need to log in as root.) – cat – 2016-04-29T12:30:09.140

Got a null pointer dereference ;-) – Mega Man – 2016-06-29T16:46:50.667
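
Added example, not part of the original answer or its comments: whether root can overwrite kernel memory through /dev/mem depends on how the kernel was built. The function below classifies a kernel build config by the options CONFIG_DEVMEM, CONFIG_STRICT_DEVMEM and CONFIG_IO_STRICT_DEVMEM; the sample configs are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): classify /dev/mem exposure from a
# kernel build config read on stdin. Prints one word:
#   absent     CONFIG_DEVMEM is disabled, the kernel has no /dev/mem device
#   strict-io  STRICT_DEVMEM plus IO_STRICT_DEVMEM: only idle I/O ranges
#   strict     STRICT_DEVMEM: PCI space and BIOS regions only, not system RAM
#   open       root can read and write all physical memory, kernel included
devmem_status() {
    awk '
        /^# CONFIG_DEVMEM is not set/ { absent = 1 }
        /^CONFIG_STRICT_DEVMEM=y/     { strict = 1 }
        /^CONFIG_IO_STRICT_DEVMEM=y/  { io = 1 }
        END {
            if (absent)            print "absent"
            else if (strict && io) print "strict-io"
            else if (strict)       print "strict"
            else                   print "open"
        }'
}

# Constructed sample configs (not taken from any real system).
# A config that never mentions these options is treated as "open".
sample_legacy()   { printf '%s\n' 'CONFIG_X86=y' 'CONFIG_SLAB=y'; }
sample_hardened() {
    printf '%s\n' 'CONFIG_DEVMEM=y' 'CONFIG_STRICT_DEVMEM=y' \
                  'CONFIG_IO_STRICT_DEVMEM=y'
}

echo "legacy sample:   $(sample_legacy | devmem_status)"
echo "hardened sample: $(sample_hardened | devmem_status)"

# Audit the running host when its build config is readable.
cfg="/boot/config-$(uname -r)"
if [ -r "$cfg" ]; then
    echo "this host ($cfg): $(devmem_status < "$cfg")"
elif [ -r /proc/config.gz ]; then
    echo "this host (/proc/config.gz): $(gzip -dc /proc/config.gz | devmem_status)"
fi
```
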

25

C, 16 chars, for P5 x86

main=-926478352;

Remember the F00F bug everyone? I helped lock up a machine or two back in the day with this little program. (Yes, I've been golfing for that long.)

Granted, it's not quite what was asked for, and it only works on old steppings of the P5 Pentium chips. But in its favor, it's cross-platform, working on both Linux and Windows!

breadbox

Posted 2012-06-07T16:02:22.767

Reputation: 6 893

It's malicious, isn't it? – None – 2016-07-25T08:56:43.420

9

QBASIC, 38 Characters

DEF SEG=0:FOR I=0 TO 4^8:POKE I,1:NEXT

Not sure how you would define a BSOD or kernel panic in DOS, but this is probably pretty close. When run, the screen just goes blank, and the machine responds to nothing, not even Ctrl+Alt+Delete. You have to restart with a hard reset or power cycle to get the machine going again. This is running on DOS 6.22 under VirtualBox. Not sure exactly why it causes the system to crash, but basically the program is writing (POKE) to memory that it has no business writing to.

Kibbee

Posted 2012-06-07T16:02:22.767

Reputation: 919

The reason it crashes is because you're overwriting system program memory with junk. – Polynomial – 2012-06-10T18:07:41.630

Yeah, I knew that, but I was thinking something a little more specific. I'm not even sure what part of memory it's writing to. – Kibbee – 2012-06-10T22:48:26.180

You're overwriting the DOS interrupt vectors and COMMAND.COM program code stored in low memory addresses. Source: http://img.tfd.com/cde/MEMMAP.GIF – Polynomial – 2012-06-11T09:13:44.997

8

sh (in JSLinux)

Linux gives the init process special protection against signals. However, I noticed that in JSLinux, /sbin/init is a shell script that executes other binaries (most symlinked to /bin/busybox).

This "infinite" while loop restarts sh as necessary:

while /bin/true; do
  setsid sh -c 'exec sh </dev/ttyS0 >/dev/ttyS0 2>&1'
done

However, what if /bin/true does not always return an exit code of 0? /bin is on the read-only root file system, yet Linux lets us change that using "bind" mounts:

cp -R /bin /tmp/boom
rm /tmp/boom/true
printf '#!/bin/sh\nexec [ $PPID != 1 ]' > /tmp/boom/true
chmod 755 /tmp/boom/true
mount -o bind /tmp/boom /bin
killall -9 sh

And we get:

/var/root # ./boom.sh
Killed
Kernel panic - not syncing: Attempted to kill init!

PleaseStand

Posted 2012-06-07T16:02:22.767

Reputation: 5 369
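
Added example, not part of the original answer: one way to spot the bind-mount trick used above after the fact is to look in /proc/self/mountinfo for a system directory whose mount root is a subdirectory rather than "/". The watch list and the sample mountinfo lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): flag mounts that shadow a system
# directory with a subdirectory of another filesystem, which is what
# "mount -o bind /tmp/boom /bin" leaves behind in /proc/self/mountinfo.
# mountinfo fields: 4 = root of the mount inside its filesystem,
# 5 = mount point, then optional fields up to a lone "-", then the
# filesystem type and source. Spaces in paths are escaped as \040, so
# splitting on whitespace is safe.
WATCHED="/bin /sbin /usr/bin /usr/sbin /lib /usr/lib"   # assumed watch list

find_shadowed_dirs() {
    awk -v watch="$WATCHED" '
        BEGIN { n = split(watch, w, " "); for (i = 1; i <= n; i++) dirs[w[i]] = 1 }
        {
            root = $4; mp = $5; fstype = "?"; src = "?"
            for (i = 7; i <= NF; i++)
                if ($i == "-") { fstype = $(i + 1); src = $(i + 2); break }
            # A normal mount exposes the filesystem root ("/"); a bind of a
            # subdirectory shows that subdirectory here instead.
            if ((mp in dirs) && root != "/")
                printf "%s shadowed by %s:%s (%s)\n", mp, src, root, fstype
        }'
}

# Constructed sample: /tmp is a tmpfs and /tmp/boom is bound over /bin.
# The /usr/lib line is an ordinary separate filesystem and must not match.
sample_mountinfo() {
cat <<'EOF'
20 1 8:1 / / ro,relatime - ext2 /dev/root ro
21 20 0:4 / /proc rw,relatime - proc proc rw
22 20 0:14 / /tmp rw,relatime - tmpfs tmpfs rw
23 20 0:14 /boom /bin rw,relatime - tmpfs tmpfs rw
24 20 8:2 / /usr/lib rw,relatime shared:5 - ext4 /dev/sda2 rw
EOF
}

echo "sample: $(sample_mountinfo | find_shadowed_dirs)"

# Check the running system when mountinfo is available.
if [ -r /proc/self/mountinfo ]; then
    find_shadowed_dirs < /proc/self/mountinfo
fi
```

The check misses a bind of a whole filesystem root, which also shows "/" in field 4, and it can flag btrfs subvolume mounts, whose root field is the subvolume path.
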

4

GTB, 13 characters

Executed from a TI-84 calculator

:"+"→_[_+_→_]

If most of the RAM is free, it will crash with ERR:MEMORY

Otherwise, the calculator's RAM is so clogged that it turns off and clears it besides.

Great example of a "calculator virus"

Timtech

Posted 2012-06-07T16:02:22.767

Reputation: 12 038

I see, this just puts +, ++, ++++, etc. in Str0. It gave me ERR:MEMORY, but trying to display Str0's value instantly crashed my 84+. Also, this made me lose all of my programs. – LegionMammal978 – 2015-10-24T10:57:33.627

4

Batch (Windows 98)

\con\con

This is actually a BSOD Easter Egg of Windows 98...

Jacob

Posted 2012-06-07T16:02:22.767

Reputation: 1 582

yessssssssssss! – cat – 2016-04-29T12:30:33.547

4

Bash on Linux, 27 chars

echo c>/proc/sysrq-trigger

Or if you have sudo permissions:

echo c|sudo tee /proc/sysrq-trigger

user4740

Posted 2012-06-07T16:02:22.767

Reputation:

This results in sh: can't create /proc/sysrq-trigger: nonexistent directory for me. (though this is in jsLinux, so I should probably test on a real box) – Polynomial – 2012-06-15T10:28:08.803

2

get-process | stop-process -force

in powershell

benwaffle

Posted 2012-06-07T16:02:22.767

Reputation: 199

"It's not against the rules to use tools that are specifically designed to cause a crash, but doing so isn't very creative!" – John Dvorak – 2014-01-03T05:43:02.587

2

:(){ :|:& };:

In bash shell,

I am not so sure if this counts here, but if you let it run long enough the CPU overheats and the system crashes, and it does reboot safely without harm; of course, if you do it all the time there will be some system damage.

Optimus

Posted 2012-06-07T16:02:22.767

Reputation: 509

This doesn't really work. It just spins the CPU at 100% usage, which is negated by any half-decent cooling system. I've run Folding@Home for months at 100% CPU usage and never had the machine even stutter. – Polynomial – 2012-06-08T07:40:56.903

It's a fork bomb – Prince John Wesley – 2012-06-08T16:03:07.963

@Polynomial I really didn't know what 'kernel panic' meant, so should I remove my answer? (Luckily I haven't seen one yet, but I only switched to Linux a year back. I have seen a lot of BSODs, almost 7-8 times a month on 'XP', less often on '7' but still noticeable. I think the shortest solution would be a Windows one.) – Optimus – 2012-06-09T07:12:06.013

@Optimus You might as well leave it here - it's not a valid answer, but it's not doing any harm. I'd actually expect a Windows solution to be more difficult, since Linux allows you to break things if you really want to. – Polynomial – 2012-06-10T18:06:24.737

@Polynomial I don't think that's true, Linux only better documents the ways you can break it. – ceased to turn counterclockwis – 2012-06-16T18:57:12.913

@leftaroundabout I disagree. Windows is designed from the ground up to actively prevent you from damaging the system state from user-mode, and also stops you from modifying critical system files via Windows File Protection, locked system files, etc. Linux, on the other hand, is designed in a way that allows for maximum stability if you don't try to mess with it. But, if you do want to mess with it, you can. For example, I can modify /dev/mem or /dev/kmem as I wish from root. – Polynomial – 2012-06-16T19:44:39.933

@Optimus I've seen :(){ :|:& };: a few times... I'm curious to know how this works? @PrinceJohnWesley mentioned this is a "fork bomb"? – WallyWest – 2016-08-26T02:50:31.193

@WallyWest It defines a function named :. Read it as bomb() { bomb|bomb& }; bomb, so you define a function bomb and call it once. But this function creates two copies of itself, piping one's output to the other, and & creates a separate thread/process/fork or something, so basically it exponentially creates a lot of processes occupying all of the memory until the system comes to a halt. Everything should be OK after reboot unless you have a fork bomb in your startup. If it's not run as root and user memory restrictions are in place, it won't be able to halt your system. – Optimus – 2016-09-16T18:23:41.000

2

Ruby (run as root), 36 or 40 chars (depending on matches for /p*/s*r)

See http://www.kernel.org/doc/Documentation/sysrq.txt and search for 'c' (including quotes!) to see why it works.

open(Dir['/p*/s*r'][0],?a){|f|f<<?c}

EDIT: Longer version that works if you have other things matching /p*/s*r

open('/proc/sysrq-trigger',?a){|f|f<<?c}

EDIT 2: Intentionally overkill.

user4740

Posted 2012-06-07T16:02:22.767

Reputation:

1

Linux bash

cat /dev/zero > /dev/mem

Clear the entire memory and cause an infinite kernel panic.

Try it here.

TuxCrafting

Posted 2012-06-07T16:02:22.767

Reputation: 4 547

How different is this from this? s/zero/urandom/. – NoOneIsHere – 2016-06-09T22:31:35.303

@NoOneIsHere The kernel panic never stops with this version, and here the memory is cleared, not filled with random bytes. – TuxCrafting – 2016-06-28T18:07:20.790

0

Batch, 15 bytes

:A
start
goto A

Merely overflows the memory in linear time by starting up cmd.exe hundreds and hundreds and hundreds and hundreds and hundreds and hundreds and hundreds and hundreds and hundreds and hundreds and hundreds and hundreds and hundreds and hundreds and hundreds and hundreds and hundreds and hundreds and hundreds and hundreds and hundreds and hundreds and hundreds and hundreds and hundreds and hundreds of times.

There's a deadlier (but probably non-competing) 24-byte program that starts up itself over and over again, thus overflowing the memory in logarithmic time (i.e. upgrading your RAM doesn't delay the crash). Suppose the below code is located in C:\a.bat:

:A
start C:\a.bat
goto A

Honestly I'm afraid to try those out.

user8397947

Posted 2012-06-07T16:02:22.767

Reputation: 1 242

Did anyone notice that the latter program is a fork bomb? – user8397947 – 2016-06-10T02:28:10.373

Yes, I did. :() { : | : & }; : – NoOneIsHere – 2016-06-14T21:07:36.147

why not @0 instead of C:\a.bat? – Johannes Kuhn – 2017-07-27T20:16:25.423