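// https://syzkaller.appspot.com/bug?id=2773ef3a95ba3bd938ca3f7e27cc2ad8d59ad812
// autogenerated by syzkaller (https://github.com/google/syzkaller)
//
// Crash reproducer for the syzbot report linked above.  It issues two bpf(2)
// calls: BPF_PROG_LOAD (cmd 5) for a four-slot program, then
// BPF_PROG_TEST_RUN (cmd 0xa) against the returned fd.  Both `union bpf_attr`
// arguments are assembled field-by-field at fixed addresses inside a scratch
// mapping, which is syzkaller's standard layout; the field names in the
// comments below follow the uapi bpf_attr layout at the offsets written and
// should be confirmed against the exact kernel headers this was generated for.
//
// The original page had the header names stripped from the #include lines;
// they are restored here from syzkaller's standard reproducer preamble.

#define _GNU_SOURCE

#include <endian.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

#ifndef __NR_bpf
#define __NR_bpf 321
#endif

// Result slot r[0]: the fd returned by BPF_PROG_LOAD.  Starts at -1 and is
// only overwritten when that call does not return -1.
uint64_t r[1] = {0xffffffffffffffff};

int main(void)
{
  // syzkaller scratch layout: a guard page below, a 16 MiB RWX data area at
  // 0x20000000 where every attr struct and buffer below lives, and a guard
  // page above.
  syscall(__NR_mmap, /*addr=*/0x1ffff000ul, /*len=*/0x1000ul, /*prot=*/0ul,
          /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1,
          /*offset=*/0ul);
  syscall(__NR_mmap, /*addr=*/0x20000000ul, /*len=*/0x1000000ul,
          /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul,
          /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1,
          /*offset=*/0ul);
  syscall(__NR_mmap, /*addr=*/0x21000000ul, /*len=*/0x1000ul, /*prot=*/0ul,
          /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1,
          /*offset=*/0ul);
  intptr_t res = 0;

  // ---- BPF_PROG_LOAD attr at 0x20000040 (size 0x90) ----
  *(uint32_t*)0x20000040 = 3;           // prog_type (3 = BPF_PROG_TYPE_SCHED_CLS)
  *(uint32_t*)0x20000044 = 4;           // insn_cnt: kernel reads 4*8 = 32 bytes
  *(uint64_t*)0x20000048 = 0x20000200;  // insns
  // Program bytes.  Only the first 32 bytes are consumed (insn_cnt = 4):
  // a two-slot ld_imm64 into r2, a call to helper 0x27 (bpf_skb_pull_data in
  // the upstream numbering — confirm), and exit.  The remaining 260 bytes are
  // fuzzer filler that the kernel never copies.
  memcpy(
      (void*)0x20000200,
      "\x18\x02\x00\x00\xe4\x14\x60\xfb\x00\x00\x00\x00\x00\x00\x00\x00\x85\x00"
      "\x00\x00\x27\x00\x00\x00\x95\x00\x00\x00\x00\x00\x00\x00\x93\x14\x88\xc7"
      "\x51\x07\x49\x6b\xea\x80\x64\x2b\x83\xe3\x27\xac\x55\x4a\xa8\x1c\x36\x7b"
      "\x0d\x39\x9a\xec\xc5\x07\x26\x17\x5d\xde\xf0\x97\x29\x9c\x08\x17\xd9\xd7"
      "\x14\x61\x43\xfb\xfb\x48\xa7\x85\x71\xa3\x0d\xad\xe1\xa0\x2a\x70\x69\x1a"
      "\x48\x31\x49\x5f\x5e\x44\x2a\x8d\xd5\x03\xe1\x06\xf1\xa3\x12\x2d\x78\xce"
      "\x80\x05\x4c\x30\xdd\x35\x19\x98\x04\x83\x59\xfe\xea\xbe\xb3\xc1\x64\x1b"
      "\x15\x32\xb9\x2e\x95\xa1\x8d\x2d\xe3\x9d\x85\x23\x41\xf7\xaa\x14\x59\x29"
      "\xf4\x54\x10\x9e\xa8\xef\x02\x42\x80\x3a\xbe\x06\x10\x00\x99\x65\xc7\x2e"
      "\xd6\x76\xb6\x39\x00\x6f\xaa\x68\xa6\x02\xb5\x12\x2d\x49\x3c\x0d\xa0\x4b"
      "\x76\xe1\xca\x3b\x13\x6d\x6d\x86\xaa\x28\xd1\x7b\x2e\xdd\xaf\x4b\x0c\xe6"
      "\xf4\xf5\xb3\xb6\xac\xab\x14\x7b\x06\xcc\x2e\x89\xc0\xb9\xf8\x3f\xd3\x48"
      "\xe8\x60\xdb\xc1\xff\xa8\x55\x78\x45\x1b\x85\x5f\xa1\x33\x13\xc5\xc1\x1a"
      "\xf7\x5f\xb5\x6a\x08\xc6\x57\x49\xe8\x3f\xc7\x15\x40\x55\x1a\x61\x2c\x9e"
      "\x45\x3b\xbe\x7b\xb5\xc7\x42\xac\x65\x56\xbf\x7a\x02\x48\x63\x8e\x21\x1b"
      "\x60\x00\x37\xf9\x67\xa3\x48\xba\x4e\x10\xde\x80\xec\x4d\x82\x55\x86\xf9"
      "\x23\x92\xdc\x34",
      292);
  *(uint64_t*)0x20000050 = 0x20000000;  // license -> "GPL"
  memcpy((void*)0x20000000, "GPL\000", 4);
  *(uint32_t*)0x20000058 = 0;           // log_level
  *(uint32_t*)0x2000005c = 0;           // log_size
  *(uint64_t*)0x20000060 = 0;           // log_buf
  *(uint32_t*)0x20000068 = 0;           // kern_version
  *(uint32_t*)0x2000006c = 0;           // prog_flags
  memset((void*)0x20000070, 0, 16);     // prog_name[16]
  *(uint32_t*)0x20000080 = 0;           // prog_ifindex
  *(uint32_t*)0x20000084 = 0x25;        // expected_attach_type
  *(uint32_t*)0x20000088 = -1;          // prog_btf_fd (wraps to 0xffffffff)
  *(uint32_t*)0x2000008c = 8;           // func_info_rec_size
  *(uint64_t*)0x20000090 = 0;           // func_info
  *(uint32_t*)0x20000098 = 0;           // func_info_cnt
  *(uint32_t*)0x2000009c = 0x10;        // line_info_rec_size
  *(uint64_t*)0x200000a0 = 0;           // line_info
  *(uint32_t*)0x200000a8 = 0;           // line_info_cnt
  *(uint32_t*)0x200000ac = 0;           // attach_btf_id
  *(uint32_t*)0x200000b0 = 0;           // attach_prog_fd / attach_btf_obj_fd
  *(uint32_t*)0x200000b4 = 0;           // core_relo_cnt
  *(uint64_t*)0x200000b8 = 0;           // fd_array
  *(uint64_t*)0x200000c0 = 0;           // core_relos
  *(uint32_t*)0x200000c8 = 0x10;        // core_relo_rec_size
  *(uint32_t*)0x200000cc = 0;           // log_true_size
  res = syscall(__NR_bpf, /*cmd=*/5ul, /*arg=*/0x20000040ul, /*size=*/0x90ul);
  // Only a non-error return replaces the -1 placeholder; on failure the
  // second call is made with an invalid fd and is expected to fail cleanly.
  if (res != -1)
    r[0] = res;

  // ---- BPF_PROG_TEST_RUN attr at 0x20000080 (size 0x50) ----
  // This region overlaps the tail of the PROG_LOAD attr written above; that is
  // fine because the first syscall has already returned.
  *(uint32_t*)0x20000080 = r[0];        // prog_fd (truncated to 32 bits)
  *(uint32_t*)0x20000084 = 0x2a0;       // retval (output field; input ignored)
  *(uint32_t*)0x20000088 = 0xe;         // data_size_in: 14 bytes of packet data
  *(uint32_t*)0x2000008c = 0;           // data_size_out
  *(uint64_t*)0x20000090 = 0x200001c0;  // data_in
  memcpy((void*)0x200001c0,
         "\x9e\x36\xd4\x48\xb3\x88\xdd\x96\x5f\x7a\x33\xd4\xda\x9a", 14);
  *(uint64_t*)0x20000098 = 0;           // data_out
  *(uint32_t*)0x200000a0 = 0;           // repeat
  *(uint32_t*)0x200000a4 = 0xe8030000;  // duration (output field; input ignored)
  *(uint32_t*)0x200000a8 = 0;           // ctx_size_in
  *(uint32_t*)0x200000ac = 0;           // ctx_size_out
  *(uint64_t*)0x200000b0 = 0;           // ctx_in
  *(uint64_t*)0x200000b8 = 0;           // ctx_out
  *(uint32_t*)0x200000c0 = 0;           // flags
  *(uint32_t*)0x200000c4 = 0;           // cpu
  *(uint32_t*)0x200000c8 = 0;           // batch_size
  syscall(__NR_bpf, /*cmd=*/0xaul, /*arg=*/0x20000080ul, /*size=*/0x50ul);
  return 0;
}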