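// https://syzkaller.appspot.com/bug?id=d0670a431b2c67476e8720c13765be725658486b
// autogenerated by syzkaller (https://github.com/google/syzkaller)
//
// Shape of the reproducer, as generated: fixed scratch mappings are
// reserved around 0x20000000, the scratch area is populated with raw typed
// stores, and a short sequence of syscalls is issued against it. The header
// names below were lost in transcription and have been restored to the
// standard set such reproducers use; every store and syscall is kept
// exactly as generated.

#define _GNU_SOURCE

#include <endian.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * Open a file under /proc for the calling process or thread.
 *
 * a0 selects the base directory: 0 -> /proc/self, -1 -> /proc/thread-self,
 * any other value -> /proc/self/task/<a0>. a1 is the address of a
 * NUL-terminated file name appended to that base. The path is opened
 * O_RDWR first and, if that fails for any reason, O_RDONLY.
 *
 * Returns the descriptor, or -1 when both attempts fail (errno is then that
 * of the second open). A name longer than the 128-byte path buffer is
 * silently truncated by snprintf. The volatile qualifiers are as emitted by
 * syzkaller (presumably to keep the arguments from being constant-folded).
 */
static long syz_open_procfs(volatile long a0, volatile long a1)
{
  char buf[128];
  memset(buf, 0, sizeof(buf));
  if (a0 == 0) {
    snprintf(buf, sizeof(buf), "/proc/self/%s", (char*)a1);
  } else if (a0 == -1) {
    snprintf(buf, sizeof(buf), "/proc/thread-self/%s", (char*)a1);
  } else {
    snprintf(buf, sizeof(buf), "/proc/self/task/%d/%s", (int)a0, (char*)a1);
  }
  int fd = open(buf, O_RDWR);
  if (fd == -1)
    fd = open(buf, O_RDONLY);
  return fd;
}

// Resource table: r[0] receives the procfs descriptor opened in main().
// Initialised to -1 so a failed open leaves an invalid fd in place.
uint64_t r[1] = {0xffffffffffffffff};

/*
 * Entry point. Steps, in order:
 *  1. Reserve anonymous scratch mappings (flags 0x32 is
 *     MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS on x86-64 Linux; prot 7 is RWX).
 *     The fourth mmap carries fuzzer-chosen prot/flags values; its result,
 *     like the others', is ignored, as generated.
 *  2. Open /proc/self/clear_refs via syz_open_procfs() and writev() a single
 *     byte 0x34 ('4') to it.
 *  3. Call setsockopt(level 0, optname 0x40) on that same descriptor with a
 *     0x438-byte buffer whose first 32 bytes hold the name "security".
 *     NOTE(review): the fd is a procfs file, not a socket; the buffer layout
 *     (32-byte name, counters, then entries named "ah", "ttl", "icmp",
 *     "osf", "CLUSTERIP") looks like an xtables replace request — confirm
 *     against the original syzkaller program before relying on that.
 * No return value is checked except the procfs open, matching the generator.
 */
int main(void)
{
  syscall(__NR_mmap, /*addr=*/0x1ffff000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=*/0x32ul, /*fd=*/-1, /*offset=*/0ul);
  syscall(__NR_mmap, /*addr=*/0x20000000ul, /*len=*/0x1000000ul, /*prot=*/7ul, /*flags=*/0x32ul, /*fd=*/-1, /*offset=*/0ul);
  syscall(__NR_mmap, /*addr=*/0x21000000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=*/0x32ul, /*fd=*/-1, /*offset=*/0ul);
  intptr_t res = 0;
  // Fuzzer-chosen prot/flags; kept verbatim.
  syscall(__NR_mmap, /*addr=*/0x20000000ul, /*len=*/0xb36000ul, /*prot=*/0xb635773f06ebbeeeul, /*flags=*/0x8031ul, /*fd=*/-1, /*offset=*/0ul);

  // Step 2: open /proc/self/clear_refs.
  memcpy((void*)0x20000240, "clear_refs\000", 11);
  res = -1;
  res = syz_open_procfs(/*pid=*/0, /*file=*/0x20000240);
  if (res != -1)
    r[0] = res;

  // One-element iovec at 0x20000140 pointing at a single byte 52 ('4').
  *(uint64_t*)0x20000140 = 0x20000080;
  memset((void*)0x20000080, 52, 1);
  *(uint64_t*)0x20000148 = 1;
  syscall(__NR_writev, /*fd=*/r[0], /*vec=*/0x20000140ul, /*vlen=*/1ul);

  // Step 3: build the 0x438-byte buffer at 0x20001240. Stores are verbatim.
  memcpy((void*)0x20001240, "security\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000", 32);
  *(uint32_t*)0x20001260 = 0xe;
  *(uint32_t*)0x20001264 = 4;
  *(uint32_t*)0x20001268 = 0x3d8;
  *(uint32_t*)0x2000126c = -1;
  *(uint32_t*)0x20001270 = 0;
  *(uint32_t*)0x20001274 = 0x100;
  *(uint32_t*)0x20001278 = 0;
  *(uint32_t*)0x2000127c = -1;
  *(uint32_t*)0x20001280 = -1;
  *(uint32_t*)0x20001284 = 0x340;
  *(uint32_t*)0x20001288 = 0x340;
  *(uint32_t*)0x2000128c = 0x340;
  *(uint32_t*)0x20001290 = -1;
  *(uint32_t*)0x20001294 = 4;
  *(uint64_t*)0x20001298 = 0;
  memset((void*)0x200012a0, 0, 84);
  *(uint32_t*)0x200012f4 = 0;
  *(uint16_t*)0x200012f8 = 0xa0;
  *(uint16_t*)0x200012fa = 0x100;
  *(uint32_t*)0x200012fc = 0;
  *(uint64_t*)0x20001300 = 0;
  *(uint64_t*)0x20001308 = 0;
  *(uint16_t*)0x20001310 = 0x30;
  memcpy((void*)0x20001312, "ah\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000", 29);
  *(uint8_t*)0x2000132f = 0;
  *(uint32_t*)0x20001330 = 0xb8ab;
  *(uint32_t*)0x20001334 = 5;
  *(uint8_t*)0x20001338 = 0;
  *(uint16_t*)0x20001340 = 0x60;
  memcpy((void*)0x20001342, "CLUSTERIP\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000", 29);
  *(uint8_t*)0x2000135f = 0;
  *(uint32_t*)0x20001360 = 0;
  memset((void*)0x20001364, 0, 6);
  *(uint16_t*)0x2000136a = 2;
  *(uint16_t*)0x2000136c = 8;
  *(uint16_t*)0x2000136e = 0x38;
  *(uint16_t*)0x20001370 = 0x2a;
  *(uint16_t*)0x20001372 = 0x1f;
  *(uint16_t*)0x20001374 = 0x23;
  *(uint16_t*)0x20001376 = 0x1e;
  *(uint16_t*)0x20001378 = 3;
  *(uint16_t*)0x2000137a = 0x1f;
  *(uint16_t*)0x2000137c = 8;
  *(uint16_t*)0x2000137e = 7;
  *(uint16_t*)0x20001380 = 0x10;
  *(uint16_t*)0x20001382 = 8;
  *(uint16_t*)0x20001384 = 0x16;
  *(uint16_t*)0x20001386 = 7;
  *(uint16_t*)0x20001388 = 0x19;
  *(uint16_t*)0x2000138a = 0xa;
  *(uint16_t*)0x2000138c = 0x20;
  *(uint32_t*)0x20001390 = 1;
  *(uint32_t*)0x20001394 = 9;
  *(uint64_t*)0x20001398 = 7;
  *(uint32_t*)0x200013a0 = htobe32(0xe0000001);
  *(uint32_t*)0x200013a4 = htobe32(0x7f000001);
  *(uint32_t*)0x200013a8 = htobe32(-1);
  *(uint32_t*)0x200013ac = htobe32(-1);
  memcpy((void*)0x200013b0, "ip6_vti0\000\000\000\000\000\000\000\000", 16);
  memcpy((void*)0x200013c0, "netpci0\000\000\000\000\000\000\000\000\000", 16);
  *(uint8_t*)0x200013d0 = 0;
  *(uint8_t*)0x200013e0 = -1;
  *(uint16_t*)0x200013f0 = 0x33;
  *(uint8_t*)0x200013f2 = 2;
  *(uint8_t*)0x200013f3 = 0x40;
  *(uint32_t*)0x200013f4 = 0;
  *(uint16_t*)0x200013f8 = 0xc0;
  *(uint16_t*)0x200013fa = 0x120;
  *(uint32_t*)0x200013fc = 0;
  *(uint64_t*)0x20001400 = 0;
  *(uint64_t*)0x20001408 = 0;
  *(uint16_t*)0x20001410 = 0x28;
  memcpy((void*)0x20001412, "ttl\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000", 29);
  *(uint8_t*)0x2000142f = 0;
  *(uint8_t*)0x20001430 = 2;
  *(uint8_t*)0x20001431 = 0x83;
  *(uint16_t*)0x20001438 = 0x28;
  memcpy((void*)0x2000143a, "icmp\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000", 29);
  *(uint8_t*)0x20001457 = 0;
  *(uint8_t*)0x20001458 = 0xe;
  memcpy((void*)0x20001459, ";K", 2);
  *(uint8_t*)0x2000145b = 1;
  *(uint16_t*)0x20001460 = 0x60;
  memcpy((void*)0x20001462, "CLUSTERIP\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000", 29);
  *(uint8_t*)0x2000147f = 0;
  *(uint32_t*)0x20001480 = 0;
  memset((void*)0x20001484, 170, 5);
  *(uint8_t*)0x20001489 = 0xbb;
  *(uint16_t*)0x2000148a = 9;
  *(uint16_t*)0x2000148c = 5;
  *(uint16_t*)0x2000148e = 0x3b;
  *(uint16_t*)0x20001490 = 1;
  *(uint16_t*)0x20001492 = 5;
  *(uint16_t*)0x20001494 = 0x34;
  *(uint16_t*)0x20001496 = 0x2c;
  *(uint16_t*)0x20001498 = 0x12;
  *(uint16_t*)0x2000149a = 0x39;
  *(uint16_t*)0x2000149c = 0x1a;
  *(uint16_t*)0x2000149e = 0xe;
  *(uint16_t*)0x200014a0 = 0x30;
  *(uint16_t*)0x200014a2 = 3;
  *(uint16_t*)0x200014a4 = 0x3c;
  *(uint16_t*)0x200014a6 = 0x3c;
  *(uint16_t*)0x200014a8 = 0;
  *(uint16_t*)0x200014aa = 0x3b;
  *(uint16_t*)0x200014ac = 0x11;
  *(uint32_t*)0x200014b0 = 1;
  *(uint32_t*)0x200014b4 = 0xfffffffa;
  *(uint64_t*)0x200014b8 = 8;
  *(uint8_t*)0x200014c0 = 0xac;
  *(uint8_t*)0x200014c1 = 0x14;
  *(uint8_t*)0x200014c2 = 0x14;
  *(uint8_t*)0x200014c3 = 0xbb;
  *(uint32_t*)0x200014c4 = htobe32(-1);
  *(uint32_t*)0x200014c8 = htobe32(0xff000000);
  *(uint32_t*)0x200014cc = htobe32(0xff);
  memcpy((void*)0x200014d0, "veth1_vlan\000\000\000\000\000\000", 16);
  memcpy((void*)0x200014e0, "netpci0\000\000\000\000\000\000\000\000\000", 16);
  *(uint8_t*)0x200014f0 = -1;
  *(uint8_t*)0x20001500 = 0;
  *(uint16_t*)0x20001510 = 0x88;
  *(uint8_t*)0x20001512 = 2;
  *(uint8_t*)0x20001513 = 2;
  *(uint32_t*)0x20001514 = 0;
  *(uint16_t*)0x20001518 = 0xc0;
  *(uint16_t*)0x2000151a = 0x120;
  *(uint32_t*)0x2000151c = 0;
  *(uint64_t*)0x20001520 = 0;
  *(uint64_t*)0x20001528 = 0;
  *(uint16_t*)0x20001530 = 0x50;
  memcpy((void*)0x20001532, "osf\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000", 29);
  *(uint8_t*)0x2000154f = 0;
  memcpy((void*)0x20001550, "syz1\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000", 32);
  *(uint32_t*)0x20001570 = 0;
  *(uint32_t*)0x20001574 = 0x991777f5;
  *(uint32_t*)0x20001578 = 0;
  *(uint32_t*)0x2000157c = 2;
  *(uint16_t*)0x20001580 = 0x60;
  memcpy((void*)0x20001582, "CLUSTERIP\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000", 29);
  *(uint8_t*)0x2000159f = 0;
  *(uint32_t*)0x200015a0 = 0;
  memcpy((void*)0x200015a4, "\x3a\xe2\x55\x5c\x9f\x2e", 6);
  *(uint16_t*)0x200015aa = 0x8c2;
  *(uint16_t*)0x200015ac = 0xa;
  *(uint16_t*)0x200015ae = 0x1a;
  *(uint16_t*)0x200015b0 = 1;
  *(uint16_t*)0x200015b2 = 0x17;
  *(uint16_t*)0x200015b4 = 0x24;
  *(uint16_t*)0x200015b6 = 0x3e;
  *(uint16_t*)0x200015b8 = 2;
  *(uint16_t*)0x200015ba = 0x14;
  *(uint16_t*)0x200015bc = 0x10;
  *(uint16_t*)0x200015be = 0x29;
  *(uint16_t*)0x200015c0 = 0x37;
  *(uint16_t*)0x200015c2 = 0x28;
  *(uint16_t*)0x200015c4 = 0x36;
  *(uint16_t*)0x200015c6 = 0x1e;
  *(uint16_t*)0x200015c8 = 0x1a;
  *(uint16_t*)0x200015ca = 0x10;
  *(uint16_t*)0x200015cc = 0xd;
  *(uint32_t*)0x200015d0 = 2;
  *(uint32_t*)0x200015d4 = 4;
  *(uint64_t*)0x200015d8 = 0x48fbf4a0;
  memset((void*)0x200015e0, 0, 84);
  *(uint32_t*)0x20001634 = 0;
  *(uint16_t*)0x20001638 = 0x70;
  *(uint16_t*)0x2000163a = 0x98;
  *(uint32_t*)0x2000163c = 0;
  *(uint64_t*)0x20001640 = 0;
  *(uint64_t*)0x20001648 = 0;
  *(uint16_t*)0x20001650 = 0x28;
  memset((void*)0x20001652, 0, 29);
  *(uint8_t*)0x2000166f = 0;
  *(uint32_t*)0x20001670 = 0xfffffffe;

  // Issued against the procfs fd from step 2; return value ignored, as generated.
  syscall(__NR_setsockopt, /*fd=*/r[0], /*level=*/0, /*opt=*/0x40, /*val=*/0x20001240ul, /*len=*/0x438ul);
  return 0;
}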