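// https://syzkaller.appspot.com/bug?id=dff959993aab54549f2673720bc00be19226bc01
// autogenerated by syzkaller (https://github.com/google/syzkaller)
//
// Reproducer for the syzkaller report above.  It loads one eBPF program with
// bpf(BPF_PROG_LOAD) and then executes it with bpf(BPF_PROG_TEST_RUN), using
// attribute bytes the fuzzer found.  Every syscall argument is staged at a
// fixed address inside a pre-mapped arena so the byte layout is exactly the
// one that triggered the report; do not "tidy" values or sizes below without
// re-checking that the bug still reproduces.  Return values of mmap/write are
// deliberately unchecked, matching the syzkaller harness.

#define _GNU_SOURCE
// NOTE(review): the header names were stripped from the extracted listing.
// These are the standard headers the identifiers used below require:
// uint32_t/uint64_t/intptr_t, memcpy/memset, write(), syscall(), __NR_*.
#include <stdint.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef __NR_bpf
#define __NR_bpf 321  // x86_64 value; only used if the libc headers lack it
#endif

// r[0] receives the program fd returned by BPF_PROG_LOAD.  It starts as the
// all-ones sentinel and is only overwritten when that syscall does not return
// -1, so a failed load leaves 0xffffffffffffffff here.
uint64_t r[1] = {0xffffffffffffffff};

int main(void)
{
  // Fixed mappings: one inaccessible page below and one above a 16 MiB
  // read/write/exec arena at 0x20000000 that holds all staged arguments.
  syscall(__NR_mmap, /*addr=*/0x1ffff000ul, /*len=*/0x1000ul, /*prot=*/0ul,
          /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1,
          /*offset=*/0ul);
  syscall(__NR_mmap, /*addr=*/0x20000000ul, /*len=*/0x1000000ul,
          /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul,
          /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1,
          /*offset=*/0ul);
  syscall(__NR_mmap, /*addr=*/0x21000000ul, /*len=*/0x1000ul, /*prot=*/0ul,
          /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1,
          /*offset=*/0ul);

  intptr_t res = 0;
  // Progress marker for the harness; the empty body only silences the
  // unused-result warning on write().
  if (write(1, "executing program\n", sizeof("executing program\n") - 1)) {
  }

  // ---- bpf(BPF_PROG_LOAD) attribute, staged at 0x20000200 ------------------
  // Field names below follow the prog-load member of union bpf_attr in
  // uapi/linux/bpf.h; confirm the offsets against the kernel the bug was
  // reported on.  The syscall is told size=0x48, so everything written at
  // 0x20000248 and beyond lies past the range the kernel is asked to read and
  // is presumably ignored (it is kept so the arena contents stay identical).
  *(uint32_t*)0x20000200 = 3;            // prog_type = BPF_PROG_TYPE_SCHED_CLS
  *(uint32_t*)0x20000204 = 0xe;          // insn_cnt = 14 instructions
  *(uint64_t*)0x20000208 = 0x20000c00;   // insns -> buffer below
  // 1111 bytes are copied, but insn_cnt covers only the first 14*8 = 112;
  // slot 14 starts with opcode byte 0x95 (BPF_JMP|BPF_EXIT).  The trailing
  // bytes are fuzzer residue that the kernel presumably never reads.
  memcpy(
      (void*)0x20000c00,
      "\xb7\x02\x00\x00\xc3\x00\x00\x00\xbf\x23\x00\x00\x00\x00\x00\x00\x27\x03"
      "\x00\x00\x00\xfe\xfe\xff\x7a\x0a\xf0\xff\xf8\xff\xff\xff\x79\xa4\xf0\xff"
      "\x00\x00\x00\x00\xb7\x06\x00\x00\xff\xff\xff\xff\x2d\x64\x05\x00\x00\x00"
      "\x00\x00\x65\x04\x04\x00\x01\x10\x00\x00\x04\x04\x00\x00\x01\x00\x7d\x60"
      "\xb7\x03\x00\x00\x00\x00\x00\x00\x6a\x0a\x00\xfe\x80\x00\x00\x00\x85\x00"
      "\x00\x00\x53\x00\x00\x00\xb7\x00\x00\x00\x00\x00\x00\x00\x95\x00\x00\x10"
      "\x00\x00\x00\x00\xac\xaa\x8e\x53\xa5\x3c\xb8\x64\xc3\x00\x09\x4c\x07\x00"
      "\x00\x00\x00\x00\x00\xd9\x4c\xf0\x98\x7b\x00\xa7\x49\xa8\xe5\x3b\x5c\x94"
      "\x91\xcd\x1f\x2b\x94\xa6\x4f\x1d\xe2\x3d\x03\xa8\xf0\x36\x2e\xbf\xc4\x4c"
      "\x77\x51\x1e\x60\x07\x0e\x25\x51\x00\x70\xf7\x77\x8d\x3e\x77\xad\x85\x31"
      "\x9f\x01\x13\xab\xba\xc7\x95\xf8\xc2\x4a\xbc\xa2\x46\x15\x02\x26\xeb\x93"
      "\xfe\x39\x23\x3a\xdd\x8f\x68\xf8\x76\x99\x16\x23\x34\x34\x3b\xef\xce\x83"
      "\x2c\xb8\x07\x5c\x5f\x0a\xe3\x0c\xde\x22\x13\x71\xff\x00\x00\x00\x67\xe4"
      "\xb7\x5d\xa9\x53\x70\xae\x6f\xd2\xb9\x9a\xc1\x8f\x98\x40\x34\x94\xd4\xa9"
      "\x4e\x95\xfb\x8d\xcd\x81\x34\x87\xb2\xbd\xb0\x06\xc6\x46\x5c\x15\xf0\x44"
      "\x85\xa9\xf8\xc8\xe4\x9d\x00\x00\x00\x97\x18\x4c\x8e\x9d\x34\xb1\xe3\x82"
      "\xb2\x5e\x96\x14\x63\x4e\x8e\x09\x19\x4f\x7b\x83\x13\x8f\x52\x75\xd9\xab"
      "\x46\x37\x97\xa2\xf6\xdc\xb4\x5d\x5f\x27\x8c\xd4\xfb\x74\x55\x95\x75\xda"
      "\x35\x60\xc0\x1c\xdf\x1e\xaa\x3f\xc7\xa3\xfb\x4f\x16\x89\xdf\xd5\xb6\x26"
      "\x17\x47\x70\xe4\xdf\xd1\xc8\x2a\x69\x4e\xfc\x62\xf9\xef\x9c\x8c\x0e\xa1"
      "\xef\xa5\xb9\x49\xce\x22\x82\x7f\x6f\xd1\xdf\xc6\x9d\x03\x48\x2d\x8e\xc2"
      "\x64\xe3\xd9\x6a\xd1\x9a\x0c\x99\xa2\x34\xb4\xb7\x1b\x0b\xc2\x25\x73\xf8"
      "\x59\x4b\x91\x78\x1c\xd8\xff\x7f\x00\x00\x00\x00\x00\x00\x29\x9e\xbf\x94"
      "\x58\x8e\x60\xab\xe9\xa5\x65\xc5\xbb\xdc\x03\x58\x22\x6f\x85\x80\xdc\x1a"
      "\x83\xc6\xa4\x44\x08\xde\x23\x47\x5a\x74\xef\x0d\xed\xa8\xda\x40\x89\x26"
      "\x9c\xcb\x4e\x72\x8d\xee\x63\x20\x44\x45\x76\xc8\x7c\xc5\x76\x29\x1e\x53"
      "\x67\xa5\xf1\xa5\xd5\xa1\x2f\x83\x13\xff\xff\x0b\x7f\x73\x33\x52\x79\xaa"
      "\x2b\x68\xc9\xf0\x45\x83\x11\x19\x88\x17\x64\xc7\x1b\xb6\x5b\x51\x38\xc5"
      "\x0e\x06\x02\x4e\x80\xfd\x96\x56\xbc\x07\x7e\x4e\x25\x96\x95\x74\x89\x89"
      "\x33\x5b\xa9\xee\xef\x28\x8d\xe7\x38\x15\xf2\x0f\xef\xd4\xac\xfb\x68\x13"
      "\xff\xff\x00\x00\x0b\x97\x1a\xec\x1a\x3e\x61\x8a\x08\xa9\x4e\xcb\xd4\x01"
      "\xc8\x10\x9c\x87\xee\x3f\x5c\x05\x01\x85\x75\x38\xd2\xa7\x66\xbf\xcf\x41"
      "\x28\xfb\xe7\x26\x90\x3a\xca\x57\x7a\xa8\x94\x3a\xf7\x47\x76\x07\x18\xde"
      "\xe5\xa2\x13\x96\xdc\xe6\xf6\x1c\x6f\x3c\x7e\x00\x00\x00\xcb\x08\x68\xb4"
      "\x87\x19\xe4\x72\x96\xf2\x29\x9d\xf3\xec\xfb\x5f\x3f\x0e\x42\xf6\xf1\xeb"
      "\x1d\xc6\x4d\xcc\x8e\x39\x73\x66\xd1\x20\x33\xf6\x28\x8e\xdb\xda\x3b\x83"
      "\x81\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\xed\xd4\xe1\x26"
      "\x6d\xc9\xd7\x32\x23\xfe\x61\x4f\x02\x5a\x7f\x28\x4d\xe7\x6b\x3b\x67\x6a"
      "\x13\xc5\x7a\x0e\xd2\x4f\x62\x70\xc4\xcb\xbf\x93\x47\x2e\xb8\x09\x3d\x82"
      "\x96\xc6\x8d\xfb\xb0\x3d\xde\xdc\x3e\x02\x9b\x08\x95\x9b\x14\x5a\x7b\x11"
      "\x00\x68\xba\x07\x1e\x75\xd7\x57\x16\x24\x30\x52\xad\x24\xb6\x24\xfd\xdc"
      "\x2f\x0f\x3a\x01\x8c\x00\x85\xc2\x31\x9c\x24\x8d\x64\x3c\xd0\x9f\xa8\x55"
      "\xb2\x0a\x6d\x45\x3f\x2e\x95\x4f\xf0\xe5\x5c\x01\x00\x00\x00\x85\x47\xc5"
      "\xa0\xec\xef\xcc\x44\xcc\x95\x32\xf7\x29\x16\x7f\x21\x59\x37\x35\x7a\x4b"
      "\xb9\x74\x61\x93\xc1\xec\x00\x00\x00\x00\x00\x00\xdd\x43\xc1\x08\xc2\x10"
      "\x9d\x22\x1b\x7b\x26\xb7\xc9\xc2\x09\x00\x00\x05\xb7\x91\x8a\x6c\xd8\x56"
      "\xb8\xfa\x80\x6c\x85\x48\x04\x43\x15\x9c\x6b\xed\x51\xa0\xe0\x21\xf0\x5f"
      "\x7c\xaa\x1b\x99\xcd\xb4\xd0\x8d\x90\x31\x21\x0a\xc0\x0e\x67\xd8\xc4\x0a"
      "\x18\x50\x3c\xb7\xaa\xbc\xc0\x66\xdf\xbf\xd7\xf8\x7a\xbe\x11\x22\xf0\x0e"
      "\x54\x54\xbe\xc3\x56\x3a\x19\x58\x2e\x00\x00\x00\x00\x00\x00\x00\x00\x00"
      "\x00\x00\x00\x00\x84\xb2\x7f\xc6\xa3\xf9\x5b\xf0\x2b\x4e\xb5\xf1\x59\x9d"
      "\xd4\x6e\xdc\xad\x43\x2c\xc2\x16\x31\x6f\xe0\x7a\xfe\x27\x64\x9c\x89\xcf"
      "\x02\x2a\x90\xd8\x95\xa2\xd7\x0f\xcd\xe7\xa9\xc3\x7e\xde\x0c\x47\xc2\x7f"
      "\x44\x59\x5a\xb4\xb1\xfb\x1e\xd5\xb1\xd9\x13\x14\xb2\xd5\x0f\x94\xa7\x68"
      "\xfb\x60\x56\x79\x48\x50\x41\xa6\x37\x6b\x83\x44\xa3\x9a\xf6\x8a\xed\x2b"
      "\xe3\x97\x94\xdd\x86\xae\x82\xf9\x66\x0c\xf4\xf9\x35\x25\x5d\x71\xf9\xfa"
      "\xb2\xe4\x30\xac\x42\xbb\xa1\xf5\x41\x41\xcf\x39\xd4\xd5\x0c\x4d\xed\x50"
      "\x4b\xea\xcb\x0d\xe2\x10\xd7\xa3\x71\x6d\xca\x73\x62\xc1\x34\xb9\x1c\xef"
      "\x3e\xfc\x51\x4f\xbc\xb4\x74\x7e\x68\x14\xac\x16\x44\x9a\xc0\x2a\x43\xd9"
      "\xd4\x15\x16\x97\xb4\xb7\x89\x0e\xc6\xb4\x81\xc5\xf0\xca\x8c\x52\xa6\x32"
      "\x2f\x34\xa7\x96\xfa\x59\x41\xd2\x34\x09\xec\xf7\x34\x58\x22\x3b\xaa\xff"
      "\xb9\x4a\x89\xee\x28\x84\xdf\x00\x00\x00\x00\x00\x00",
      1111);
  *(uint64_t*)0x20000210 = 0x20000340;   // license -> "syzkaller\0"
  memcpy((void*)0x20000340, "syzkaller\000", 10);
  *(uint32_t*)0x20000218 = 0;            // log_level (no verifier log)
  *(uint32_t*)0x2000021c = 0;            // log_size
  *(uint64_t*)0x20000220 = 0;            // log_buf
  *(uint32_t*)0x20000228 = 0;            // kern_version
  *(uint32_t*)0x2000022c = 0;            // prog_flags
  memset((void*)0x20000230, 0, 16);      // prog_name[16] empty
  *(uint32_t*)0x20000240 = 0;            // prog_ifindex
  *(uint32_t*)0x20000244 = 0;            // expected_attach_type
  // From here on the offsets are >= 0x48, i.e. past the size passed below.
  *(uint32_t*)0x20000248 = -1;           // prog_btf_fd
  *(uint32_t*)0x2000024c = 8;            // func_info_rec_size
  *(uint64_t*)0x20000250 = 0x20000000;   // func_info -> zeroed record
  *(uint32_t*)0x20000000 = 0;
  *(uint32_t*)0x20000004 = 0;
  *(uint32_t*)0x20000258 = 0;            // func_info_cnt
  *(uint32_t*)0x2000025c = 0x10;         // line_info_rec_size
  *(uint64_t*)0x20000260 = 0x20000000;   // line_info -> zeroed record
  *(uint32_t*)0x20000000 = 0;
  *(uint32_t*)0x20000004 = 0;
  *(uint32_t*)0x20000008 = 0;
  *(uint32_t*)0x2000000c = 0;
  *(uint32_t*)0x20000268 = 0x36;         // line_info_cnt
  *(uint32_t*)0x2000026c = 0;            // attach_btf_id
  *(uint32_t*)0x20000270 = -1;           // attach_prog_fd
  *(uint32_t*)0x20000274 = 0;            // core_relo_cnt
  *(uint64_t*)0x20000278 = 0;            // fd_array
  *(uint64_t*)0x20000280 = 0;            // core_relos
  *(uint32_t*)0x20000288 = 0x10;         // core_relo_rec_size
  *(uint32_t*)0x2000028c = 0;            // log_true_size
  *(uint32_t*)0x20000290 = 0;            // prog_token_fd
  // cmd 5 = BPF_PROG_LOAD.  Loading a SCHED_CLS program needs privilege on
  // current kernels (CAP_BPF plus CAP_NET_ADMIN, or unprivileged bpf enabled);
  // without it the call returns -1 and r[0] keeps its sentinel.
  res = syscall(__NR_bpf, /*cmd=*/5ul, /*arg=*/0x20000200ul, /*size=*/0x48ul);
  if (res != -1)
    r[0] = res;

  // ---- bpf(BPF_PROG_TEST_RUN) attribute, staged at 0x200001c0 --------------
  // Field names follow the test member of union bpf_attr; confirm offsets as
  // above.  size=0x28 covers prog_fd..duration only; ctx_size_in onward
  // (0x200001e8 and beyond) is past what the kernel is asked to read.  The
  // writes at 0x20000200-0x20000208 clobber the head of the prog-load
  // attribute, which is harmless because that syscall has already returned.
  *(uint32_t*)0x200001c0 = r[0];         // prog_fd (64-bit sentinel truncates
                                         // to 0xffffffff if the load failed)
  *(uint32_t*)0x200001c4 = 0x40000f0;    // retval (kernel-written output field)
  *(uint32_t*)0x200001c8 = 0xe40;        // data_size_in = 3648 bytes
  *(uint32_t*)0x200001cc = 0x8f7c3c8f;   // data_size_out (output field)
  *(uint64_t*)0x200001d0 = 0x20000040;   // data_in
  // Only 54 bytes are written at data_in; the remainder of the 0xe40-byte
  // window (up to 0x20000e80) is whatever already sits in the arena, which
  // includes the ctx bytes, this attribute, the license and the instructions.
  memcpy((void*)0x20000040,
         "\x7b\x55\x15\xcc\xca\xbc\xa1\x26\x41\xe6\x5d\x58\xfd\x1a\x12\xf6\x39"
         "\x0a\x72\xfa\xe1\xb8\x82\x0c\x1b\x8b\xb2\x06\x41\x4e\x92\x3b\x1f\xf6"
         "\x71\x57\x95\x12\x0c\xdc\x26\xd2\x25\x41\x9d\xe2\x14\x58\xe2\x58\x84"
         "\x4c\xf8\xdd",
         54);
  *(uint64_t*)0x200001d8 = 0;            // data_out (none)
  *(uint32_t*)0x200001e0 = 0x7ffe;       // repeat = 32766 iterations
  *(uint32_t*)0x200001e4 = 0;            // duration (output field)
  // Past size 0x28 from here on.
  *(uint32_t*)0x200001e8 = 0;            // ctx_size_in
  *(uint32_t*)0x200001ec = 0;            // ctx_size_out
  *(uint64_t*)0x200001f0 = 0x20000080;   // ctx_in
  memcpy(
      (void*)0x20000080,
      "\xc3\xdb\x1e\xba\x7f\xb4\x30\xe4\x31\xad\x16\xf8\x22\x03\xfe\x9b\xd3\xce"
      "\x81\x3f\xce\x65\xab\x5f\xc7\x77\x03\x03\x98\x11\x5e\x5e\xf0\x8a\xa7\xdd"
      "\x23\xb2\x8a\x73\xb4\x12\xf2\x5f\xb6\x69\x88\x6b\xf7\x93\xbc\x82\x66\xa5"
      "\x93\xcb\x6a\x6a\x1f\x8c\xa6\xa6\x86\xdf\x31\x2c\xd7\x11\xd8\xdc\x49\x71"
      "\x3c\x8e\xde\xc1\x00\xd5\xd3\xbd\x36\xcf\xf3\xb3\x15\x74\x4c\x95\x60\x56"
      "\xf6\xc2\x7c\x7d\xab\x2c\x2d\x7e\x01\x4b\x59\x9b\x49\x2b\x58\xbf\x5f\x71"
      "\x3e\x57\x5f\x7c\x62\x74\x97\x21\x55\x48\x63\x07\xfb\x77\x8a",
      123);
  *(uint64_t*)0x200001f8 = 0x20000000;   // ctx_out
  *(uint32_t*)0x20000200 = 5;            // flags
  *(uint32_t*)0x20000204 = 0;            // cpu
  *(uint32_t*)0x20000208 = 0;            // batch_size
  // cmd 0xa = BPF_PROG_TEST_RUN; result is intentionally ignored.
  syscall(__NR_bpf, /*cmd=*/0xaul, /*arg=*/0x200001c0ul, /*size=*/0x28ul);
  return 0;
}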