// https://syzkaller.appspot.com/bug?id=702906331957f4cfed2a64192e9bc6bfb668bf58
// autogenerated by syzkaller (https://github.com/google/syzkaller)
#define _GNU_SOURCE
#include <endian.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>
#define BITMASK(bf_off, bf_len) (((1ull << (bf_len)) - 1) << (bf_off))
#define STORE_BY_BITMASK(type, htobe, addr, val, bf_off, bf_len) \
*(type*)(addr) = \
htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | \
(((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len))))
struct csum_inet {
uint32_t acc;
};
static void csum_inet_init(struct csum_inet* csum)
{
csum->acc = 0;
}
static void csum_inet_update(struct csum_inet* csum, const uint8_t* data,
size_t length)
{
if (length == 0)
return;
size_t i;
for (i = 0; i < length - 1; i += 2)
csum->acc += *(uint16_t*)&data[i];
if (length & 1)
csum->acc += (uint16_t)data[length - 1];
while (csum->acc > 0xffff)
csum->acc = (csum->acc & 0xffff) + (csum->acc >> 16);
}
static uint16_t csum_inet_digest(struct csum_inet* csum)
{
return ~csum->acc;
}
uint64_t r[4] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff,
0xffffffffffffffff};
int main(void)
{
syscall(__NR_mmap, 0x1ffff000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul);
syscall(__NR_mmap, 0x20000000ul, 0x1000000ul, 7ul, 0x32ul, -1, 0ul);
syscall(__NR_mmap, 0x21000000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul);
intptr_t res = 0;
res = syscall(__NR_socket, 0x10ul, 3ul, 6);
if (res != -1)
r[0] = res;
*(uint64_t*)0x2014f000 = 0;
*(uint32_t*)0x2014f008 = 0;
*(uint64_t*)0x2014f010 = 0x200001c0;
*(uint64_t*)0x200001c0 = 0x20000580;
memcpy((void*)0x20000580,
"\xcc\x00\x00\x00\x19\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff"
"\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\xfe\x88"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00"
"\x00\x00\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00",
64);
*(uint32_t*)0x200005c0 = 0;
*(uint32_t*)0x200005c4 = 0;
memcpy((void*)0x200005c8,
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x01\x00\x02\x00\x0c\x00\x0f\x00\x06\x00\x00\x00\x00\x00\x00"
"\x00\x0a\x00\x10\x00\x00\x00\x00\x00\x00\x00\x00\x00\xdc\xa7\xa2\x88"
"\x31\x05\x87\x55\xd1\x22\x0b\x19\x3a\xda\xa2\x3d\x91\x03\x28\xc0\xf5"
"\xc8\xf4\x85\x88\x74\x57\xdd\xd3\x39\xa4\x29\x39\xde\x7b\x6f\x20\xa8"
"\xa0\xab\x91\xb1\x52\x7b\x8a\x48\x7e\xb3\x69\x4f\x61\x2b\x31\x67\x83"
"\xf1\x6f\x1a\x8f\x03\x7d\x62\x67\x8b\x5f\xdd\x9a\x2d\xb1\xce\xcf\xa4"
"\xa1\xe7\xdc\x00\x9c\xdf\x2f\x8e\xc9\x52\x1d\x2c\xaa\xdc\x10\xeb\xd7"
"\xd4\x81\xc2\xc6\xa3\x86\xcb\x6f\x61\xb1\x11\xdb\x62\xd7\x30\xf5\x2d"
"\x03\xd9\xd7\x80\xe6\x2c\x51\xc5\xfe\x46\xec\x85\x68\xd4\x96\xe3\x7c"
"\x81\x4f\xa8\xbe\xa6\x09\xc0\x02\x0f\x9f\xcb\x24\x4d\x9f\x91\x43\xfe"
"\x25\x28\xad\x4b\xde\x0b\x83\x41\x71\xde\xc5\x56\xb3\xd6\x95\x3a\x8c"
"\x3a\xa1\x25\x80\xfb\x74\x72\xd0\x95\xaf\xbd\xb0\x7d\xc9\xd2\xf7\xab"
"\x1a\x8d\xa3\x4d\x37\x95\x28\x89\xf4\xc5\xaa\x89\x17\xe8\x6b\xec\x49"
"\x93\xab\x3a\x20\xbd",
328);
*(uint64_t*)0x200001c8 = 0xcc;
*(uint64_t*)0x2014f018 = 1;
*(uint64_t*)0x2014f020 = 0;
*(uint64_t*)0x2014f028 = 0;
*(uint32_t*)0x2014f030 = 0;
syscall(__NR_sendmsg, r[0], 0x2014f000ul, 0ul);
res = syscall(__NR_socket, 2ul, 0xaul, 0);
if (res != -1)
r[1] = res;
*(uint64_t*)0x20000100 = 0;
*(uint16_t*)0x20000108 = 2;
*(uint16_t*)0x2000010a = 0;
*(uint32_t*)0x2000010c = htobe32(0);
*(uint32_t*)0x20000110 = 3;
*(uint32_t*)0x20000114 = 0;
*(uint16_t*)0x20000118 = 6;
memcpy((void*)0x2000011a, "\x38\x7e\xcd\x35\x77\xf2", 6);
*(uint16_t*)0x20000128 = 2;
*(uint16_t*)0x2000012a = htobe16(0x4e24);
*(uint32_t*)0x2000012c = htobe32(0);
*(uint16_t*)0x20000138 = 0;
*(uint16_t*)0x2000013a = 0;
*(uint64_t*)0x20000140 = 0;
*(uint64_t*)0x20000148 = 0;
*(uint16_t*)0x20000150 = 0;
*(uint64_t*)0x20000158 = 0x20000080;
memcpy((void*)0x20000080, "bridge_slave_0\000\000", 16);
*(uint64_t*)0x20000160 = 0xff;
*(uint64_t*)0x20000168 = 0xecb;
*(uint16_t*)0x20000170 = 1;
syscall(__NR_ioctl, r[1], 0x890b, 0x20000100ul);
memcpy((void*)0x20000080, "/dev/net/tun\000", 13);
res =
syscall(__NR_openat, 0xffffffffffffff9cul, 0x20000080ul, 0x88002ul, 0ul);
if (res != -1)
r[2] = res;
memcpy((void*)0x20000300, "syzkaller1\000\000\000\000\000\000", 16);
*(uint16_t*)0x20000310 = 0x5001;
syscall(__NR_ioctl, r[2], 0x400454ca, 0x20000300ul);
res = syscall(__NR_socket, 0x10ul, 3ul, 0);
if (res != -1)
r[3] = res;
memcpy((void*)0x20000140, "syzkaller1\000\000\000\000\000\000", 16);
*(uint16_t*)0x20000150 = 7;
*(uint16_t*)0x20000152 = htobe16(0);
*(uint32_t*)0x20000154 = htobe32(0);
syscall(__NR_ioctl, r[3], 0x8914, 0x20000140ul);
*(uint8_t*)0x20000240 = 0;
*(uint8_t*)0x20000241 = 0;
*(uint16_t*)0x20000242 = 0;
*(uint16_t*)0x20000244 = 0;
*(uint16_t*)0x20000246 = 0;
*(uint16_t*)0x20000248 = 0;
STORE_BY_BITMASK(uint8_t, , 0x2000024a, 8, 0, 4);
STORE_BY_BITMASK(uint8_t, , 0x2000024a, 4, 4, 4);
STORE_BY_BITMASK(uint8_t, , 0x2000024b, 0, 0, 2);
STORE_BY_BITMASK(uint8_t, , 0x2000024b, 0, 2, 6);
*(uint16_t*)0x2000024c = htobe16(0x2c);
*(uint16_t*)0x2000024e = htobe16(0);
*(uint16_t*)0x20000250 = htobe16(0);
*(uint8_t*)0x20000252 = 0;
*(uint8_t*)0x20000253 = 0x2f;
*(uint16_t*)0x20000254 = htobe16(0);
*(uint8_t*)0x20000256 = 0xac;
*(uint8_t*)0x20000257 = 0x14;
*(uint8_t*)0x20000258 = 0x14;
*(uint8_t*)0x20000259 = 0;
*(uint8_t*)0x2000025a = 0xac;
*(uint8_t*)0x2000025b = 0x14;
*(uint8_t*)0x2000025c = 8;
*(uint8_t*)0x2000025d = 0xbb;
*(uint8_t*)0x2000025e = 0xd;
*(uint8_t*)0x2000025f = 0;
*(uint16_t*)0x20000260 = htobe16(0);
*(uint16_t*)0x20000262 = htobe16(0);
*(uint16_t*)0x20000264 = htobe16(0);
*(uint32_t*)0x20000266 = htobe32(0);
*(uint32_t*)0x2000026a = htobe32(0);
*(uint32_t*)0x2000026e = htobe32(0);
struct csum_inet csum_1;
csum_inet_init(&csum_1);
csum_inet_update(&csum_1, (const uint8_t*)0x2000025e, 20);
*(uint16_t*)0x20000260 = csum_inet_digest(&csum_1);
struct csum_inet csum_2;
csum_inet_init(&csum_2);
csum_inet_update(&csum_2, (const uint8_t*)0x2000024a, 20);
*(uint16_t*)0x20000254 = csum_inet_digest(&csum_2);
syscall(__NR_write, r[2], 0x20000240ul, 0x100cul);
return 0;
}