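// https://syzkaller.appspot.com/bug?id=dc6352b92862eb79373fe03fdf9af5928753e057
// autogenerated by syzkaller (https://github.com/google/syzkaller)
//
// Reproducer for the bug linked above: it resolves the "TIPCv2" generic-netlink
// family id, then sends one hand-built generic-netlink request on a
// NETLINK_GENERIC socket.  The message bytes are stored at fixed addresses
// inside an mmap'd scratch region, the way syzkaller emits them.

#define _GNU_SOURCE

// NOTE(review): the header names were stripped when this listing was extracted
// (twelve bare "#include" lines survived); the list below is reconstructed from
// the identifiers the code uses, so it may differ from the original in order or
// by an unused header.
#include <endian.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

#include <linux/genetlink.h>
#include <linux/netlink.h>

/*
 * Look up a generic-netlink family id by name through the nlctrl family.
 *
 * name: address of a NUL-terminated family name, passed as an integer (the way
 *       syzkaller hands fixed mmap'd addresses around).
 * Returns the 16-bit family id, or -1 on any socket error or when the reply is
 * not a well-formed CTRL_CMD_GETFAMILY answer carrying CTRL_ATTR_FAMILY_ID.
 *
 * The reply is bounds-checked before any field is read.  The original parsed
 * the kernel's answer straight out of the receive buffer without comparing
 * nlmsg_len or each nla_len against the received byte count, so a short or
 * malformed reply could be read past its end, and a zero nla_len spun the
 * attribute loop forever (NLMSG_ALIGN(0) == 0 never advances).
 */
static long syz_genetlink_get_family_id(volatile long name)
{
  char buf[512] = {0};
  struct nlmsghdr *hdr = (struct nlmsghdr *)buf;
  struct genlmsghdr *genlhdr = (struct genlmsghdr *)NLMSG_DATA(hdr);
  struct nlattr *attr = (struct nlattr *)(genlhdr + 1);
  const size_t fixed_len = sizeof(*hdr) + sizeof(*genlhdr);

  /* Request: nlmsghdr | genlmsghdr | nlattr(CTRL_ATTR_FAMILY_NAME) | name */
  hdr->nlmsg_len = fixed_len + sizeof(*attr) + GENL_NAMSIZ;
  hdr->nlmsg_type = GENL_ID_CTRL;
  hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
  genlhdr->cmd = CTRL_CMD_GETFAMILY;
  attr->nla_type = CTRL_ATTR_FAMILY_NAME;
  attr->nla_len = sizeof(*attr) + GENL_NAMSIZ;
  /* snprintf instead of strncpy: the name slot is always NUL-terminated within
   * GENL_NAMSIZ.  buf is zeroed, so the rest of the slot stays zero as before. */
  snprintf((char *)(attr + 1), GENL_NAMSIZ, "%s", (const char *)name);

  struct iovec iov = {hdr, hdr->nlmsg_len};
  struct sockaddr_nl addr = {0};
  addr.nl_family = AF_NETLINK;

  int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC);
  if (fd == -1) {
    return -1;
  }
  struct msghdr msg = {
      .msg_name = &addr,
      .msg_namelen = sizeof(addr),
      .msg_iov = &iov,
      .msg_iovlen = 1,
  };
  if (sendmsg(fd, &msg, 0) == -1) {
    close(fd);
    return -1;
  }
  ssize_t n = recv(fd, buf, sizeof(buf), 0);
  close(fd);
  if (n <= 0) {
    return -1;
  }

  /* NLMSG_OK: a whole nlmsghdr arrived and nlmsg_len fits in what was read.
   * An NLMSG_ERROR reply (e.g. unknown family) fails the type test. */
  if (!NLMSG_OK(hdr, (size_t)n) || hdr->nlmsg_type != GENL_ID_CTRL) {
    return -1;
  }
  if (hdr->nlmsg_len < fixed_len) {
    return -1;
  }

  /* Walk the reply's attributes; they start right after the genl header, at
   * the same offset attr already points to. */
  const char *end = buf + hdr->nlmsg_len;
  while ((const char *)attr + sizeof(*attr) <= end) {
    /* nla_len must cover its own header and stay inside the message;
     * nla_len >= sizeof(*attr) also guarantees the loop makes progress. */
    if (attr->nla_len < sizeof(*attr) ||
        (const char *)attr + attr->nla_len > end) {
      return -1;
    }
    if (attr->nla_type == CTRL_ATTR_FAMILY_ID) {
      if (attr->nla_len < sizeof(*attr) + sizeof(uint16_t)) {
        return -1;
      }
      uint16_t id;
      memcpy(&id, attr + 1, sizeof(id)); /* no alignment assumption on attr + 1 */
      return id;
    }
    attr = (struct nlattr *)((char *)attr + NLMSG_ALIGN(attr->nla_len));
  }
  return -1;
}

/* r[0]: the NETLINK_GENERIC socket fd; r[1]: the resolved family id.  Each
 * keeps its initial value if the corresponding call failed, exactly as
 * syzkaller emits it (the final sendmsg is attempted regardless). */
uint64_t r[2] = {0xffffffffffffffff, 0x0};

/* IPv6 addresses carried in the two sockaddr_in6 blocks below. */
static const uint8_t in6_ff03_1[16] = {0xff, 0x03, [15] = 1}; /* ff03::1 */
static const uint8_t in6_ff01_1[16] = {0xff, 0x01, [15] = 1}; /* ff01::1 */

int main(void)
{
  /* Scratch region every absolute address below points into: 16 MiB at
   * 0x20000000, PROT_READ|PROT_WRITE (3), MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS
   * (0x32).  Its result is not checked; a failure shows up as a fault on the
   * first store, which is acceptable for a reproducer. */
  syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0);
  intptr_t res = 0;

  /* socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC) */
  res = syscall(__NR_socket, 0x10, 3, 0x10);
  if (res != -1)
    r[0] = res;

  /* Resolve the TIPC generic-netlink family ("TIPCv2"). */
  memcpy((void *)0x20000640, "TIPCv2\000", 7);
  res = syz_genetlink_get_family_id(0x20000640);
  if (res != -1)
    r[1] = res;

  /* struct msghdr at 0x20000000 (64-bit layout): no address, one iovec. */
  *(uint64_t *)0x20000000 = 0;          /* msg_name */
  *(uint32_t *)0x20000008 = 0;          /* msg_namelen */
  *(uint64_t *)0x20000010 = 0x200000c0; /* msg_iov */

  /* struct iovec at 0x200000c0 -> the 0x6c-byte message at 0x20000100. */
  *(uint64_t *)0x200000c0 = 0x20000100; /* iov_base */

  /* struct nlmsghdr */
  *(uint32_t *)0x20000100 = 0x6c; /* nlmsg_len: header through 0x2000016c */
  *(uint16_t *)0x20000104 = r[1]; /* nlmsg_type: the TIPC family id */
  *(uint16_t *)0x20000106 = 1;    /* nlmsg_flags: NLM_F_REQUEST */
  *(uint32_t *)0x20000108 = 0;    /* nlmsg_seq */
  *(uint32_t *)0x2000010c = 0;    /* nlmsg_pid */

  /* struct genlmsghdr.  NOTE(review): cmd 3 is interpreted by the TIPC
   * family; which TIPC_NL_* command that is should be confirmed against
   * linux/tipc_netlink.h rather than assumed here. */
  *(uint8_t *)0x20000110 = 3;  /* cmd */
  *(uint8_t *)0x20000111 = 0;  /* version */
  *(uint16_t *)0x20000112 = 0; /* reserved */

  /* Top-level nlattr: len 0x58, type 1, containing the two attributes below
   * (a name string and a nested pair of sockaddr_in6).  The TIPC_NLA_* names
   * for types 1/4 and the nested 1/2 are not established by this file. */
  *(uint16_t *)0x20000114 = 0x58; /* nla_len */
  *(uint16_t *)0x20000116 = 1;    /* nla_type */

  /*   nlattr len 0x10, type 1: "udp:syz0" (9 bytes incl. NUL, padded to 16) */
  *(uint16_t *)0x20000118 = 0x10;
  *(uint16_t *)0x2000011a = 1;
  memcpy((void *)0x2000011c, "udp:syz0\000", 9);

  /*   nlattr len 0x44, type 4: nested container for two sockaddr_in6 */
  *(uint16_t *)0x20000128 = 0x44;
  *(uint16_t *)0x2000012a = 4;

  /*     nlattr len 0x20, type 1: struct sockaddr_in6 { AF_INET6, port 0,
   *     flowinfo 0, ff03::1, scope_id 0 } */
  *(uint16_t *)0x2000012c = 0x20;
  *(uint16_t *)0x2000012e = 1;
  *(uint16_t *)0x20000130 = 0xa;        /* sin6_family = AF_INET6 */
  *(uint16_t *)0x20000132 = htobe16(0); /* sin6_port */
  *(uint32_t *)0x20000134 = htobe32(0); /* sin6_flowinfo */
  memcpy((void *)0x20000138, in6_ff03_1, sizeof(in6_ff03_1)); /* sin6_addr */
  *(uint32_t *)0x20000148 = 0;          /* sin6_scope_id */

  /*     nlattr len 0x20, type 2: struct sockaddr_in6 { AF_INET6, port 0,
   *     flowinfo 0, ff01::1, scope_id 0 } */
  *(uint16_t *)0x2000014c = 0x20;
  *(uint16_t *)0x2000014e = 2;
  *(uint16_t *)0x20000150 = 0xa;        /* sin6_family = AF_INET6 */
  *(uint16_t *)0x20000152 = htobe16(0); /* sin6_port */
  *(uint32_t *)0x20000154 = htobe32(0); /* sin6_flowinfo */
  memcpy((void *)0x20000158, in6_ff01_1, sizeof(in6_ff01_1)); /* sin6_addr */
  *(uint32_t *)0x20000168 = 0;          /* sin6_scope_id */

  /* Remaining iovec / msghdr fields. */
  *(uint64_t *)0x200000c8 = 0x6c; /* iov_len */
  *(uint64_t *)0x20000018 = 1;    /* msg_iovlen */
  *(uint64_t *)0x20000020 = 0;    /* msg_control */
  *(uint64_t *)0x20000028 = 0;    /* msg_controllen */
  *(uint32_t *)0x20000030 = 0;    /* msg_flags */

  /* The reproducing step: sendmsg(r[0], msghdr at 0x20000000, 0).  Its
   * return value is deliberately ignored, as in the generated original. */
  syscall(__NR_sendmsg, r[0], 0x20000000, 0);
  return 0;
}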