// https://syzkaller.appspot.com/bug?id=75cf599d7211c156c9f4bdad353b077f211df7d6 // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #ifndef __NR_bpf #define __NR_bpf 321 #endif #define BITMASK(bf_off, bf_len) (((1ull << (bf_len)) - 1) << (bf_off)) #define STORE_BY_BITMASK(type, htobe, addr, val, bf_off, bf_len) \ *(type*)(addr) = \ htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | \ (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len)))) uint64_t r[2] = {0xffffffffffffffff, 0xffffffffffffffff}; int main(void) { syscall(__NR_mmap, 0x1ffff000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul); syscall(__NR_mmap, 0x20000000ul, 0x1000000ul, 7ul, 0x32ul, -1, 0ul); syscall(__NR_mmap, 0x21000000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul); intptr_t res = 0; res = syscall(__NR_socket, 0x10ul, 3ul, 0); if (res != -1) r[0] = res; *(uint32_t*)0x20000180 = 6; *(uint32_t*)0x20000184 = 4; *(uint64_t*)0x20000188 = 0x20000300; memcpy((void*)0x20000300, "\x18\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x30\x85" "\x00\x00\x00\x2c\x00\x00\x00\x95\x00\x00\x00\x00\x00\x00\x00\x2b\x40" "\x03\xfe\x37\xa0\x77\xae\x55\xf5\x2c\x0d\x80\xa2\x64\x9b\xac\xa8\x53" "\x09\xbe\x96\xd5\xa4\x5b\xbb\xdb\x5f\xf7\xff\xff\xff\xd0\x75\xb3\xee" "\xe1\x44\x73\xf5\x1b\xe9\x8d\xb7\xef\xbb\x05\x98\x42\xba\x44\x70\xe8" "\xe0\x4a\xcb\x80\x7f\xbb\xab\xc6\x8a\xbd\xcc\xe9\xf6\x72\xb6\xbb\x61" "\xc3\x02\xdf\xd5\xc1\x10\x71\xad\xac\x29\xfd\x64\xd3\x3a\x35\x02\xfb" "\xeb\x1e\xd9\x9d\xd0\xe7\x92\xf2\x4c\x42\x0b\xfc\xc2\x63\x54\x21\xd3" "\x39\xad\x52\x1d\x69\x53\xb1\x13\x78\x50\xd9\xe9\xeb\xf6\x5e\xe9\x88" "\xea\x2d\xbe\xe5\x28\x67\x8e\xb4\x7e\xfb\x7b\x3f\x19\x04\x6c\x6f\x1b" "\xd1\xbf\x56\xe5\x85\x3e\xd9\x61\x37\xf9\x5b\x3a\x11\x95\x4e\xd1\xc8" "\xa8\x67\x64\x68\xcf\x24\x05\xe4\x87\x23\xd4\xb1\xff", 200); *(uint64_t*)0x20000190 = 0x200000c0; memcpy((void*)0x200000c0, "GPL\000", 4); *(uint32_t*)0x20000198 = 0; *(uint32_t*)0x2000019c = 0x1000; *(uint64_t*)0x200001a0 = 0x20001400; *(uint32_t*)0x200001a8 = 0; *(uint32_t*)0x200001ac = 0; memset((void*)0x200001b0, 0, 16); *(uint32_t*)0x200001c0 = 0; *(uint32_t*)0x200001c4 = 0; *(uint32_t*)0x200001c8 = -1; *(uint32_t*)0x200001cc = 8; *(uint64_t*)0x200001d0 = 0; *(uint32_t*)0x200001d8 = 0; *(uint32_t*)0x200001dc = 0x10; *(uint64_t*)0x200001e0 = 0; *(uint32_t*)0x200001e8 = 0; *(uint32_t*)0x200001ec = 0; *(uint32_t*)0x200001f0 = -1; *(uint32_t*)0x200001f4 = 0; *(uint64_t*)0x200001f8 = 0; res = syscall(__NR_bpf, 5ul, 0x20000180ul, 0x18ul); if (res != -1) r[1] = res; *(uint64_t*)0x20000140 = 0; *(uint32_t*)0x20000148 = 0; *(uint64_t*)0x20000150 = 0x20000080; *(uint64_t*)0x20000080 = 0x20000240; *(uint32_t*)0x20000240 = 0x34; *(uint16_t*)0x20000244 = 0x10; *(uint16_t*)0x20000246 = 0x801; *(uint32_t*)0x20000248 = 0; *(uint32_t*)0x2000024c = 0; *(uint8_t*)0x20000250 = 0; *(uint8_t*)0x20000251 = 0; *(uint16_t*)0x20000252 = 0; *(uint32_t*)0x20000254 = 0; *(uint32_t*)0x20000258 = 0; *(uint32_t*)0x2000025c = 0; *(uint16_t*)0x20000260 = 0xc; STORE_BY_BITMASK(uint16_t, , 0x20000262, 0x2b, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x20000263, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x20000263, 1, 7, 1); *(uint16_t*)0x20000264 = 8; *(uint16_t*)0x20000266 = 1; *(uint32_t*)0x20000268 = r[1]; *(uint16_t*)0x2000026c = 8; *(uint16_t*)0x2000026e = 0x1b; *(uint32_t*)0x20000270 = 0; *(uint64_t*)0x20000088 = 0x34; *(uint64_t*)0x20000158 = 1; *(uint64_t*)0x20000160 = 0; *(uint64_t*)0x20000168 = 0; *(uint32_t*)0x20000170 = 0; syscall(__NR_sendmsg, r[0], 0x20000140ul, 0ul); return 0; }