// https://syzkaller.appspot.com/bug?id=2c595167294aa449aaa72ecf3cac3357318b4ccb
// autogenerated by syzkaller (http://github.com/google/syzkaller)
//
// Crash reproducer for the bug linked above. It is a fixed sequence of raw
// memory writes and syscalls, not a library: every address below lies inside
// the region mapped by the first mmap() in loop(), and the layout of each
// structure is spelled out byte by byte by the generator. The comments added
// here describe what the code visibly builds; where a meaning is inferred
// from the values rather than shown by the code it is marked as such.

#define _GNU_SOURCE

// NOTE(review): the five header names were lost when this listing was
// extracted (only the bare directives survived). The code needs the uint*_t
// types, htobe16/htobe32, memset/memcpy, syscall() and the __NR_* numbers;
// restore the names from a pristine copy of the reproducer before building.
#include
#include
#include
#include
#include

// Mask of bf_len low bits, cast to `type`. Shifting by bf_len == 64 would be
// undefined; every use in this file passes widths of at most 12.
#define BITMASK_LEN(type, bf_len) (type)((1ull << (bf_len)) - 1)
// Same mask moved up to bit position bf_off.
#define BITMASK_LEN_OFF(type, bf_off, bf_len) \
  (type)(BITMASK_LEN(type, (bf_len)) << (bf_off))
// Write a bitfield: with bf_off == bf_len == 0 the whole `type` at addr is
// overwritten with val; otherwise the bits [bf_off, bf_off + bf_len) of the
// existing value are replaced by the low bf_len bits of val
// (read-modify-write through a `type` pointer, host byte order).
#define STORE_BY_BITMASK(type, addr, val, bf_off, bf_len) \
  if ((bf_off) == 0 && (bf_len) == 0) { \
    *(type*)(addr) = (type)(val); \
  } else { \
    type new_val = *(type*)(addr); \
    new_val &= ~BITMASK_LEN_OFF(type, (bf_off), (bf_len)); \
    new_val |= ((type)(val)&BITMASK_LEN(type, (bf_len))) << (bf_off); \
    *(type*)(addr) = new_val; \
  }

// Running one's-complement (Internet) checksum. `acc` is a 32-bit
// accumulator; carries are folded back into the low 16 bits on every update.
struct csum_inet {
  uint32_t acc;
};

// Reset the accumulator so a new checksum can be computed.
static void csum_inet_init(struct csum_inet* csum)
{
  csum->acc = 0;
}

// Add `length` bytes at `data` to the checksum.
//
// Words are read as native-endian uint16_t directly from the buffer; the
// one's-complement sum is byte-order independent, so the digest needs no
// swapping afterwards. NOTE(review): the in-place uint16_t read is an
// alignment/aliasing concern in general code; every caller in this file
// passes an even address, so it is benign here. A trailing odd byte is added
// in the low half of a word, which matches the zero-padded last word only on
// a little-endian host -- not exercised here, all lengths passed are even.
static void csum_inet_update(struct csum_inet* csum, const uint8_t* data, size_t length)
{
  if (length == 0)
    return;
  size_t i;
  for (i = 0; i < length - 1; i += 2)
    csum->acc += *(uint16_t*)&data[i];
  if (length & 1)
    csum->acc += (uint16_t)data[length - 1];
  // Fold the carries until the sum fits in 16 bits.
  while (csum->acc > 0xffff)
    csum->acc = (csum->acc & 0xffff) + (csum->acc >> 16);
}

// Finish the checksum: the complement of the folded sum, truncated to 16
// bits by the return type. Stored into the packet as-is (see loop()).
static uint16_t csum_inet_digest(struct csum_inet* csum)
{
  return ~csum->acc;
}

// Fallback syscall numbers for headers that do not define them. The values
// are the i386 table entries, and mmap is then routed through mmap2 (the
// 32-bit variant with a page-unit offset); together with the 4-byte pointer
// fields written into the msghdr below this marks the reproducer as built
// for a 32-bit ABI.
#ifndef __NR_mmap
#define __NR_mmap 192
#endif
#ifndef __NR_socket
#define __NR_socket 359
#endif
#ifndef __NR_connect
#define __NR_connect 362
#endif
#ifndef __NR_sendmsg
#define __NR_sendmsg 370
#endif
#undef __NR_mmap
#define __NR_mmap __NR_mmap2

// Result slots for the two socket() calls; initialised to -1 in loop().
long r[2];

// The reproducer body: one mapping, two sockets, three connect()s, one
// sendmsg(), then a hand-built frame that is checksummed. The frame at
// 0x20005f92 is never passed to any syscall in this listing -- it is built
// and checksummed only, which suggests the call that would emit it was
// dropped during minimisation or truncated from this copy.
void loop()
{
  memset(r, -1, sizeof(r));
  // Fixed anonymous private mapping at 0x20000000, 0xfff000 bytes,
  // read+write (prot 3, flags 0x32); all addresses below fall inside it.
  syscall(__NR_mmap, 0x20000000, 0xfff000, 3, 0x32, -1, 0);
  // r[0]: socket(domain 0xa, type 2, protocol 0) -- values consistent with
  // an AF_INET6 datagram socket.
  r[0] = syscall(__NR_socket, 0xa, 2, 0);
  // 28-byte address at 0x20e6f000: family 0xa, port 0x4e22 (network
  // order), flowinfo 0, a 16-byte address whose last six bytes are
  // ff ff ac 14 00 aa, scope id 1.
  *(uint16_t*)0x20e6f000 = 0xa;
  *(uint16_t*)0x20e6f002 = htobe16(0x4e22);
  *(uint32_t*)0x20e6f004 = 0;
  *(uint8_t*)0x20e6f008 = 0;
  *(uint8_t*)0x20e6f009 = 0;
  *(uint8_t*)0x20e6f00a = 0;
  *(uint8_t*)0x20e6f00b = 0;
  *(uint8_t*)0x20e6f00c = 0;
  *(uint8_t*)0x20e6f00d = 0;
  *(uint8_t*)0x20e6f00e = 0;
  *(uint8_t*)0x20e6f00f = 0;
  *(uint8_t*)0x20e6f010 = 0;
  *(uint8_t*)0x20e6f011 = 0;
  *(uint8_t*)0x20e6f012 = -1;
  *(uint8_t*)0x20e6f013 = -1;
  *(uint8_t*)0x20e6f014 = 0xac;
  *(uint8_t*)0x20e6f015 = 0x14;
  *(uint8_t*)0x20e6f016 = 0;
  *(uint8_t*)0x20e6f017 = 0xaa;
  *(uint32_t*)0x20e6f018 = 1;
  syscall(__NR_connect, r[0], 0x20e6f000, 0x1c);
  // r[1]: socket(domain 0x18, type 1, protocol 1). Domain 0x18 is the value
  // of AF_PPPOX on Linux -- the address passed to it below is consistent
  // with that; confirm against the kernel headers if it matters.
  r[1] = syscall(__NR_socket, 0x18, 1, 1);
  // Second 28-byte address at 0x2093bfe4 for r[0]: family 0xa, port
  // 0x4e21, flowinfo 0xfff, address ff 01 00.. 01, scope id -1.
  *(uint16_t*)0x2093bfe4 = 0xa;
  *(uint16_t*)0x2093bfe6 = htobe16(0x4e21);
  *(uint32_t*)0x2093bfe8 = 0xfff;
  *(uint8_t*)0x2093bfec = -1;
  *(uint8_t*)0x2093bfed = 1;
  *(uint8_t*)0x2093bfee = 0;
  *(uint8_t*)0x2093bfef = 0;
  *(uint8_t*)0x2093bff0 = 0;
  *(uint8_t*)0x2093bff1 = 0;
  *(uint8_t*)0x2093bff2 = 0;
  *(uint8_t*)0x2093bff3 = 0;
  *(uint8_t*)0x2093bff4 = 0;
  *(uint8_t*)0x2093bff5 = 0;
  *(uint8_t*)0x2093bff6 = 0;
  *(uint8_t*)0x2093bff7 = 0;
  *(uint8_t*)0x2093bff8 = 0;
  *(uint8_t*)0x2093bff9 = 0;
  *(uint8_t*)0x2093bffa = 0;
  *(uint8_t*)0x2093bffb = 1;
  *(uint32_t*)0x2093bffc = -1;
  syscall(__NR_connect, r[0], 0x2093bfe4, 0x1c);
  // 46-byte address at 0x205fafd2 for r[1]: family 0x18, a 32-bit 1, a
  // 32-bit 0, then the fd of the first socket (r[0]) at +10, followed by a
  // 16-byte IPv4-style sockaddr (family 2, port 0x4e21, address
  // 0xe0000002 in network order) and four 32-bit values 4, 0, 2, 0. The
  // shape matches a packed L2TPv3-over-PPPoX address that hands the
  // datagram socket in as the tunnel fd -- inferred from the values, not
  // shown by the code.
  *(uint16_t*)0x205fafd2 = 0x18;
  *(uint32_t*)0x205fafd4 = 1;
  *(uint32_t*)0x205fafd8 = 0;
  *(uint32_t*)0x205fafdc = r[0];
  *(uint16_t*)0x205fafe0 = 2;
  *(uint16_t*)0x205fafe2 = htobe16(0x4e21);
  *(uint32_t*)0x205fafe4 = htobe32(0xe0000002);
  *(uint8_t*)0x205fafe8 = 0;
  *(uint8_t*)0x205fafe9 = 0;
  *(uint8_t*)0x205fafea = 0;
  *(uint8_t*)0x205fafeb = 0;
  *(uint8_t*)0x205fafec = 0;
  *(uint8_t*)0x205fafed = 0;
  *(uint8_t*)0x205fafee = 0;
  *(uint8_t*)0x205fafef = 0;
  *(uint32_t*)0x205faff0 = 4;
  *(uint32_t*)0x205faff4 = 0;
  *(uint32_t*)0x205faff8 = 2;
  *(uint32_t*)0x205faffc = 0;
  syscall(__NR_connect, r[1], 0x205fafd2, 0x2e);
  // 28-byte msghdr at 0x2037ffc8 (32-bit field layout): name 0x209dd000
  // / namelen 0xc, iov 0x202ceff0 / iovlen 1, no control data, flags
  // 0x8820.
  *(uint32_t*)0x2037ffc8 = 0x209dd000;
  *(uint32_t*)0x2037ffcc = 0xc;
  *(uint32_t*)0x2037ffd0 = 0x202ceff0;
  *(uint32_t*)0x2037ffd4 = 1;
  *(uint32_t*)0x2037ffd8 = 0;
  *(uint32_t*)0x2037ffdc = 0;
  *(uint32_t*)0x2037ffe0 = 0x8820;
  // 12-byte destination: family 0x10, pad 0, then 0 and 2 (looks like a
  // netlink-style address; the socket it is sent on is r[1], not a netlink
  // socket, so this is presumably fuzzer noise).
  *(uint16_t*)0x209dd000 = 0x10;
  *(uint16_t*)0x209dd002 = 0;
  *(uint32_t*)0x209dd004 = 0;
  *(uint32_t*)0x209dd008 = 2;
  // Single iovec: 0xfff1 bytes starting at 0x2097b000, of which only the
  // first 16 are initialised (len 0x10, type 0x14, flags 0x200, two
  // 32-bit values); the rest is whatever the fresh mapping holds.
  *(uint32_t*)0x202ceff0 = 0x2097b000;
  *(uint32_t*)0x202ceff4 = 0xfff1;
  *(uint32_t*)0x2097b000 = 0x10;
  *(uint16_t*)0x2097b004 = 0x14;
  *(uint16_t*)0x2097b006 = 0x200;
  *(uint32_t*)0x2097b008 = 0x70bd26;
  *(uint32_t*)0x2097b00c = 0x25dfdbfe;
  syscall(__NR_sendmsg, r[1], 0x2037ffc8, 0x81);
  // Frame built at 0x20005f92..0x20005fff (110 bytes), never emitted in
  // this listing. Layout as written: 6-byte destination MAC, 6-byte source
  // MAC (aa aa aa aa 00 bb), ethertype 0x9100, a 16-bit tag packed as
  // three bitfields, ethertype 0x8100, a second packed tag, then
  // ethertype 0x86dd followed by a 40-byte IPv6-shaped header.
  memcpy((void*)0x20005f92, "\x65\x6f\xe1\x20\x5e\x68", 6);
  *(uint8_t*)0x20005f98 = 0xaa;
  *(uint8_t*)0x20005f99 = 0xaa;
  *(uint8_t*)0x20005f9a = 0xaa;
  *(uint8_t*)0x20005f9b = 0xaa;
  *(uint8_t*)0x20005f9c = 0;
  *(uint8_t*)0x20005f9d = 0xbb;
  *(uint16_t*)0x20005f9e = htobe16(0x9100);
  // First tag word: bits [0,3) = 2, bit 3 = 0, bits [4,16) = 0x20
  // (host bit order of the 16-bit word).
  STORE_BY_BITMASK(uint16_t, 0x20005fa0, 2, 0, 3);
  STORE_BY_BITMASK(uint16_t, 0x20005fa0, 0, 3, 1);
  STORE_BY_BITMASK(uint16_t, 0x20005fa0, 0x20, 4, 12);
  *(uint16_t*)0x20005fa2 = htobe16(0x8100);
  // Second tag word: bits [0,3) = 0x47 & 7, bit 3 = 0 (2 & 1), bits
  // [4,16) = 3.
  STORE_BY_BITMASK(uint16_t, 0x20005fa4, 0x47, 0, 3);
  STORE_BY_BITMASK(uint16_t, 0x20005fa4, 2, 3, 1);
  STORE_BY_BITMASK(uint16_t, 0x20005fa4, 3, 4, 12);
  *(uint16_t*)0x20005fa6 = htobe16(0x86dd);
  // IPv6-shaped header at 0x20005fa8: first byte low nibble 7, high
  // nibble 6 (version), 3 more flow bytes, payload length 0x30, next
  // header 0x2f, hop limit 0, 16-byte source at +8 and 16-byte
  // destination at +24.
  STORE_BY_BITMASK(uint8_t, 0x20005fa8, 7, 0, 4);
  STORE_BY_BITMASK(uint8_t, 0x20005fa8, 6, 4, 4);
  memcpy((void*)0x20005fa9, "\x12\x4b\x52", 3);
  *(uint16_t*)0x20005fac = htobe16(0x30);
  *(uint8_t*)0x20005fae = 0x2f;
  *(uint8_t*)0x20005faf = 0;
  *(uint8_t*)0x20005fb0 = -1;
  *(uint8_t*)0x20005fb1 = 2;
  *(uint8_t*)0x20005fb2 = 0;
  *(uint8_t*)0x20005fb3 = 0;
  *(uint8_t*)0x20005fb4 = 0;
  *(uint8_t*)0x20005fb5 = 0;
  *(uint8_t*)0x20005fb6 = 0;
  *(uint8_t*)0x20005fb7 = 0;
  *(uint8_t*)0x20005fb8 = 0;
  *(uint8_t*)0x20005fb9 = 0;
  *(uint8_t*)0x20005fba = 0;
  *(uint8_t*)0x20005fbb = 0;
  *(uint8_t*)0x20005fbc = 0;
  *(uint8_t*)0x20005fbd = 0;
  *(uint8_t*)0x20005fbe = 0;
  *(uint8_t*)0x20005fbf = 1;
  *(uint8_t*)0x20005fc0 = 0;
  *(uint8_t*)0x20005fc1 = 0;
  *(uint8_t*)0x20005fc2 = 0;
  *(uint8_t*)0x20005fc3 = 0;
  *(uint8_t*)0x20005fc4 = 0;
  *(uint8_t*)0x20005fc5 = 0;
  *(uint8_t*)0x20005fc6 = 0;
  *(uint8_t*)0x20005fc7 = 0;
  *(uint8_t*)0x20005fc8 = 0;
  *(uint8_t*)0x20005fc9 = 0;
  *(uint8_t*)0x20005fca = -1;
  *(uint8_t*)0x20005fcb = -1;
  *(uint8_t*)0x20005fcc = 0xac;
  *(uint8_t*)0x20005fcd = 0x14;
  *(uint8_t*)0x20005fce = 0;
  *(uint8_t*)0x20005fcf = 0xbb;
  // 48-byte payload at 0x20005fd0: bytes 3, 1, a 16-bit checksum slot at
  // +2 (zeroed now, filled at the end), 4 zero bytes, then a second
  // 40-byte IPv6-shaped header (version 6, payload length 0, next header
  // 0, source ending ff ff 00 00 00 01, destination fe 80 .. aa).
  *(uint8_t*)0x20005fd0 = 3;
  *(uint8_t*)0x20005fd1 = 1;
  *(uint16_t*)0x20005fd2 = 0;
  *(uint8_t*)0x20005fd4 = 0;
  *(uint8_t*)0x20005fd5 = 0;
  *(uint8_t*)0x20005fd6 = 0;
  *(uint8_t*)0x20005fd7 = 0;
  STORE_BY_BITMASK(uint8_t, 0x20005fd8, 0, 0, 4);
  STORE_BY_BITMASK(uint8_t, 0x20005fd8, 6, 4, 4);
  memcpy((void*)0x20005fd9, "\x57\x1b\x82", 3);
  *(uint16_t*)0x20005fdc = htobe16(0);
  *(uint8_t*)0x20005fde = 0;
  *(uint8_t*)0x20005fdf = 0;
  *(uint8_t*)0x20005fe0 = 0;
  *(uint8_t*)0x20005fe1 = 0;
  *(uint8_t*)0x20005fe2 = 0;
  *(uint8_t*)0x20005fe3 = 0;
  *(uint8_t*)0x20005fe4 = 0;
  *(uint8_t*)0x20005fe5 = 0;
  *(uint8_t*)0x20005fe6 = 0;
  *(uint8_t*)0x20005fe7 = 0;
  *(uint8_t*)0x20005fe8 = 0;
  *(uint8_t*)0x20005fe9 = 0;
  *(uint8_t*)0x20005fea = -1;
  *(uint8_t*)0x20005feb = -1;
  *(uint32_t*)0x20005fec = htobe32(1);
  *(uint8_t*)0x20005ff0 = 0xfe;
  *(uint8_t*)0x20005ff1 = 0x80;
  *(uint8_t*)0x20005ff2 = 0;
  *(uint8_t*)0x20005ff3 = 0;
  *(uint8_t*)0x20005ff4 = 0;
  *(uint8_t*)0x20005ff5 = 0;
  *(uint8_t*)0x20005ff6 = 0;
  *(uint8_t*)0x20005ff7 = 0;
  *(uint8_t*)0x20005ff8 = 0;
  *(uint8_t*)0x20005ff9 = 0;
  *(uint8_t*)0x20005ffa = 0;
  *(uint8_t*)0x20005ffb = 0;
  *(uint8_t*)0x20005ffc = 0;
  *(uint8_t*)0x20005ffd = 0;
  *(uint8_t*)0x20005ffe = 0;
  *(uint8_t*)0x20005fff = 0xaa;
  // Three 32-bit values at 0x20002fe8 that nothing in this listing reads.
  *(uint32_t*)0x20002fe8 = 0;
  *(uint32_t*)0x20002fec = 1;
  *(uint32_t*)0x20002ff0 = 0;
  // Upper-layer checksum over a pseudo-header (source and destination
  // addresses of the outer header, a 32-bit length, a 32-bit next-header
  // value) plus the 48-byte payload. The two chunk constants are stored in
  // host order; on a little-endian host 0x30000000 is the bytes
  // 00 00 00 30 (length 48) and 0x3a000000 is 00 00 00 3a (next header
  // 0x3a). Note the outer header itself says next header 0x2f, so the
  // pseudo-header and the header disagree -- presumably generator noise.
  struct csum_inet csum_1;
  csum_inet_init(&csum_1);
  csum_inet_update(&csum_1, (const uint8_t*)0x20005fb0, 16);
  csum_inet_update(&csum_1, (const uint8_t*)0x20005fc0, 16);
  uint32_t csum_1_chunk_2 = 0x30000000;
  csum_inet_update(&csum_1, (const uint8_t*)&csum_1_chunk_2, 4);
  uint32_t csum_1_chunk_3 = 0x3a000000;
  csum_inet_update(&csum_1, (const uint8_t*)&csum_1_chunk_3, 4);
  csum_inet_update(&csum_1, (const uint8_t*)0x20005fd0, 48);
  // Digest goes into the payload's checksum slot without byte swapping
  // (the one's-complement sum is byte-order independent).
  *(uint16_t*)0x20005fd2 = csum_inet_digest(&csum_1);
}

// Runs the reproducer once; despite the name, loop() is not repeated here.
int main()
{
  loop();
  return 0;
}