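// https://syzkaller.appspot.com/bug?id=ad9da2be119e0ca4626ef81bd90f6e67b425c74d
// autogenerated by syzkaller (https://github.com/google/syzkaller)
//
// Kernel crash reproducer. Sequence as executed:
//   1. socket(AF_INET, SOCK_STREAM, 0x106 /* IPPROTO_MPTCP */) + listen(fd, 0)
//   2. socket(0x10, SOCK_DGRAM, 4)
//   3. sendmsg() of one 137-byte message on the second socket
// What the kernel does with that message (the actual fault) is documented
// only at the dashboard link above; nothing in this file shows the fault path,
// so do not infer the bug from this code alone.
//
// IMPORTANT triage note: syzkaller's annotation calls the second socket
// "socket$kcm" (AF_KCM), but the *literal* arguments passed are
// domain 0x10, type 2, protocol 4. On Linux AF_KCM is 41; 0x10 (16) is
// AF_NETLINK, and protocol 4 on a netlink socket is NETLINK_SOCK_DIAG. The
// kernel acts on the literals, so the message goes to the sock_diag netlink
// interface, not to KCM. The payload is consistent with that: its first four
// bytes (0x89 0x00 0x00 0x00) read as nlmsg_len == 137, exactly the buffer
// size, followed by 0x0012 in the nlmsg_type position. Treat the "kcm" label
// as unreliable when deciding which subsystem to look at.
//
// Handling notes:
//  * This is a kernel bug trigger. Run only in a disposable VM booted with the
//    kernel under test; a successful run may panic or hang the guest.
//  * Needs MPTCP (and the sock_diag netlink family) available; if a socket()
//    call fails the repro continues with fd = -1 and does nothing useful.
//  * syzkaller typically runs C reproducers as root. Creating AF_INET/MPTCP
//    and AF_NETLINK sockets normally needs no privilege, so the trigger may
//    well be reachable by an unprivileged local user - verify on the target
//    kernel before classifying impact.
//  * The MAP_FIXED mappings below clobber whatever is mapped at those fixed
//    addresses. Fine for a standalone process; never embed this in another
//    program.
//
// Header note: the original #include directives lost their file names during
// extraction ("#include #include ..."). The set below is what the symbols
// used here require: uint64_t/uint32_t/intptr_t (stdint.h), memcpy
// (string.h), write/syscall (unistd.h), __NR_* (sys/syscall.h).
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

// Resources (file descriptors) produced by earlier syscalls and consumed by
// later ones. syzkaller convention: a slot stays -1 when the producing call
// failed, and the consumer is still invoked with -1 so the syscall sequence
// is identical to the fuzzer's run. Do not "fix" this by bailing out early -
// that changes what the reproducer does.
uint64_t r[2] = {0xffffffffffffffff, 0xffffffffffffffff};

int main(void)
{
    // syzkaller's standard address layout: an inaccessible page below, a
    // 16 MiB RWX data region at 0x200000000000 where all syscall arguments
    // are built, and an inaccessible page above. Raw syscall() is used
    // throughout (no libc wrappers), and return values are deliberately
    // ignored, as in every syzkaller repro.
    syscall(__NR_mmap, /*addr=*/0x1ffffffff000ul, /*len=*/0x1000ul,
            /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul,
            /*fd=*/(intptr_t)-1, /*offset=*/0ul);
    syscall(__NR_mmap, /*addr=*/0x200000000000ul, /*len=*/0x1000000ul,
            /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul,
            /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul,
            /*fd=*/(intptr_t)-1, /*offset=*/0ul);
    syscall(__NR_mmap, /*addr=*/0x200001000000ul, /*len=*/0x1000ul,
            /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul,
            /*fd=*/(intptr_t)-1, /*offset=*/0ul);

    intptr_t res = 0;

    // Progress marker for the harness. The empty `if` body is syzkaller's way
    // of silencing the unused-result warning on write() without a wrapper.
    if (write(1, "executing program\n", sizeof("executing program\n") - 1)) {
    }

    // socket$inet_mptcp: socket(AF_INET=2, SOCK_STREAM=1, 0x106)
    res = syscall(__NR_socket, /*domain=*/2ul, /*type=*/1ul, /*proto=*/0x106);
    if (res != -1)
        r[0] = res;

    // listen(sock_mptcp, backlog=0) - called even if r[0] is still -1.
    syscall(__NR_listen, /*fd=*/r[0], /*backlog=*/0);

    // Annotated as socket$kcm, but see the triage note at the top:
    // socket(0x10, SOCK_DGRAM, 4) is AF_NETLINK / NETLINK_SOCK_DIAG on Linux.
    res = syscall(__NR_socket, /*domain=*/0x10ul, /*type=SOCK_DGRAM*/ 2ul,
                  /*proto=*/4);
    if (res != -1)
        r[1] = res;

    // sendmsg: the msghdr and iovec are written field by field into the fixed
    // data region instead of via struct msghdr/struct iovec, so the bytes the
    // kernel sees are exactly what the fuzzer recorded. Offsets are the
    // x86-64 layout (msghdr 0x38 bytes, iovec 0x10 bytes):
    //
    //   msghdr  @ 0x200000000240: msg_name=NULL, msg_namelen=0,
    //                             msg_iov -> 0x200000000140, msg_iovlen=1,
    //                             msg_control=NULL, msg_controllen=0,
    //                             msg_flags=0
    //   iovec   @ 0x200000000140: iov_base -> 0x200000000280, iov_len=0x89
    //   payload @ 0x200000000280: 137 bytes, reproduced verbatim below
    *(uint64_t*)0x200000000240 = 0;               // msg_name
    *(uint32_t*)0x200000000248 = 0;               // msg_namelen
    *(uint64_t*)0x200000000250 = 0x200000000140;  // msg_iov
    *(uint64_t*)0x200000000140 = 0x200000000280;  // iov[0].iov_base
    memcpy((void*)0x200000000280,
           "\x89\x00\x00\x00\x12\x00\x81\xae\x08\x06\x0c\xdc\x03\x00\x00\x00\x7f\x03"
           "\xe3\xf7\x00\x00\x00\x00\x00\xe2\xff\xca\x1b\x1f\x00\x00\x00\x00\x04\xc0"
           "\x0e\x72\xf7\x50\x37\x5e\xd0\x8a\x56\x33\x1d\xbf\x9e\xd7\x81\x5e\x38\x1a"
           "\xd6\xe7\x47\x03\x3a\x00\x93\xb8\x37\xdc\x6c\xc0\x1e\x32\xef\xae\xc8\xc7"
           "\xa6\xec\x00\x12\x08\x00\x03\x00\x06\x01\x00\x00\xbd\xad\x44\x6b\x9b\xbc"
           "\x7a\x46\xe3\x98\x82\x85\xdc\xdf\x12\xf2\x13\x08\xf8\x68\xfe\xce\x01\x95"
           "\x5f\xed\x00\x09\xd7\x8f\x0a\x94\x7e\xe2\xb4\x9e\x33\x53\x8a\xfa\x8a\xf9"
           "\x23\x47\x51\x4f\x0b\x56\xa2\x0f\xf2\x7f\xff",
           137);
    *(uint64_t*)0x200000000148 = 0x89;            // iov[0].iov_len (137)
    *(uint64_t*)0x200000000258 = 1;               // msg_iovlen
    *(uint64_t*)0x200000000260 = 0;               // msg_control
    *(uint64_t*)0x200000000268 = 0;               // msg_controllen
    *(uint32_t*)0x200000000270 = 0;               // msg_flags

    // The message that (per the dashboard) triggers the crash; flags = 0.
    syscall(__NR_sendmsg, /*fd=*/r[1], /*msg=*/0x200000000240ul, /*f=*/0ul);
    return 0;
}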