// https://syzkaller.appspot.com/bug?id=f9c94b10e49ae0433f27c4838c7e0f0a321606f5 // autogenerated by syzkaller (http://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #define BITMASK_LEN(type, bf_len) (type)((1ull << (bf_len)) - 1) #define BITMASK_LEN_OFF(type, bf_off, bf_len) \ (type)(BITMASK_LEN(type, (bf_len)) << (bf_off)) #define STORE_BY_BITMASK(type, addr, val, bf_off, bf_len) \ if ((bf_off) == 0 && (bf_len) == 0) { \ *(type*)(addr) = (type)(val); \ } else { \ type new_val = *(type*)(addr); \ new_val &= ~BITMASK_LEN_OFF(type, (bf_off), (bf_len)); \ new_val |= ((type)(val)&BITMASK_LEN(type, (bf_len))) << (bf_off); \ *(type*)(addr) = new_val; \ } struct csum_inet { uint32_t acc; }; static void csum_inet_init(struct csum_inet* csum) { csum->acc = 0; } static void csum_inet_update(struct csum_inet* csum, const uint8_t* data, size_t length) { if (length == 0) return; size_t i; for (i = 0; i < length - 1; i += 2) csum->acc += *(uint16_t*)&data[i]; if (length & 1) csum->acc += (uint16_t)data[length - 1]; while (csum->acc > 0xffff) csum->acc = (csum->acc & 0xffff) + (csum->acc >> 16); } static uint16_t csum_inet_digest(struct csum_inet* csum) { return ~csum->acc; } uint64_t r[3] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff}; void loop() { long res = 0; *(uint8_t*)0x2000a000 = -1; *(uint8_t*)0x2000a001 = 0xe0; *(uint8_t*)0x2000a002 = -1; *(uint8_t*)0x2000a003 = -1; *(uint8_t*)0x2000a004 = -1; *(uint8_t*)0x2000a005 = -1; *(uint8_t*)0x2000a006 = -1; *(uint8_t*)0x2000a007 = -1; *(uint8_t*)0x2000a008 = -1; *(uint8_t*)0x2000a009 = -1; *(uint8_t*)0x2000a00a = -1; *(uint8_t*)0x2000a00b = -1; *(uint16_t*)0x2000a00c = htobe16(0x800); STORE_BY_BITMASK(uint8_t, 0x2000a00e, 5, 0, 4); STORE_BY_BITMASK(uint8_t, 0x2000a00e, 4, 4, 4); STORE_BY_BITMASK(uint8_t, 0x2000a00f, 0, 0, 2); STORE_BY_BITMASK(uint8_t, 0x2000a00f, 0, 2, 6); *(uint16_t*)0x2000a010 = htobe16(0x1c); *(uint16_t*)0x2000a012 = htobe16(0); *(uint16_t*)0x2000a014 = htobe16(0); *(uint8_t*)0x2000a016 = 0; *(uint8_t*)0x2000a017 = 0x11; *(uint16_t*)0x2000a018 = 0; *(uint8_t*)0x2000a01a = 0xac; *(uint8_t*)0x2000a01b = 0x14; *(uint8_t*)0x2000a01c = -1; *(uint8_t*)0x2000a01d = 0xbb; *(uint32_t*)0x2000a01e = htobe32(0xe0000001); *(uint16_t*)0x2000a022 = htobe16(0); *(uint16_t*)0x2000a024 = htobe16(0x4e21); *(uint16_t*)0x2000a026 = htobe16(8); *(uint16_t*)0x2000a028 = 0; struct csum_inet csum_1; csum_inet_init(&csum_1); csum_inet_update(&csum_1, (const uint8_t*)0x2000a01a, 4); csum_inet_update(&csum_1, (const uint8_t*)0x2000a01e, 4); uint16_t csum_1_chunk_2 = 0x1100; csum_inet_update(&csum_1, (const uint8_t*)&csum_1_chunk_2, 2); uint16_t csum_1_chunk_3 = 0x800; csum_inet_update(&csum_1, (const uint8_t*)&csum_1_chunk_3, 2); csum_inet_update(&csum_1, (const uint8_t*)0x2000a022, 8); *(uint16_t*)0x2000a028 = csum_inet_digest(&csum_1); struct csum_inet csum_2; csum_inet_init(&csum_2); csum_inet_update(&csum_2, (const uint8_t*)0x2000a00e, 20); *(uint16_t*)0x2000a018 = csum_inet_digest(&csum_2); res = syscall(__NR_socket, 0xf, 3, 2); if (res != -1) r[0] = res; *(uint64_t*)0x20360000 = 0; *(uint32_t*)0x20360008 = 0; *(uint64_t*)0x20360010 = 0x2035d000; *(uint64_t*)0x2035d000 = 0x20000080; *(uint8_t*)0x20000080 = 2; *(uint8_t*)0x20000081 = 0xe; *(uint8_t*)0x20000082 = 0; *(uint8_t*)0x20000083 = 0; *(uint16_t*)0x20000084 = 0x10; *(uint16_t*)0x20000086 = 0; *(uint32_t*)0x20000088 = 0; *(uint32_t*)0x2000008c = 0; *(uint16_t*)0x20000090 = 3; *(uint16_t*)0x20000092 = 6; *(uint8_t*)0x20000094 = 0; *(uint8_t*)0x20000095 = 0; *(uint16_t*)0x20000096 = 0; *(uint16_t*)0x20000098 = 2; *(uint16_t*)0x2000009a = htobe16(0); *(uint32_t*)0x2000009c = htobe32(0x7f000001); *(uint8_t*)0x200000a0 = 0; *(uint8_t*)0x200000a1 = 0; *(uint8_t*)0x200000a2 = 0; *(uint8_t*)0x200000a3 = 0; *(uint8_t*)0x200000a4 = 0; *(uint8_t*)0x200000a5 = 0; *(uint8_t*)0x200000a6 = 0; *(uint8_t*)0x200000a7 = 0; *(uint16_t*)0x200000a8 = 3; *(uint16_t*)0x200000aa = 5; *(uint8_t*)0x200000ac = 0; *(uint8_t*)0x200000ad = 0; *(uint16_t*)0x200000ae = 0; *(uint16_t*)0x200000b0 = 2; *(uint16_t*)0x200000b2 = htobe16(0); *(uint32_t*)0x200000b4 = htobe32(0); *(uint8_t*)0x200000b8 = 0; *(uint8_t*)0x200000b9 = 0; *(uint8_t*)0x200000ba = 0; *(uint8_t*)0x200000bb = 0; *(uint8_t*)0x200000bc = 0; *(uint8_t*)0x200000bd = 0; *(uint8_t*)0x200000be = 0; *(uint8_t*)0x200000bf = 0; *(uint16_t*)0x200000c0 = 8; *(uint16_t*)0x200000c2 = 0x12; *(uint16_t*)0x200000c4 = 0; *(uint8_t*)0x200000c6 = 1; *(uint8_t*)0x200000c7 = 0; *(uint32_t*)0x200000c8 = 0; *(uint32_t*)0x200000cc = 0; *(uint16_t*)0x200000d0 = 6; *(uint16_t*)0x200000d2 = 0; *(uint8_t*)0x200000d4 = 0; *(uint8_t*)0x200000d5 = 0; *(uint16_t*)0x200000d6 = 0; *(uint32_t*)0x200000d8 = 0; *(uint32_t*)0x200000dc = 0; *(uint8_t*)0x200000e0 = -1; *(uint8_t*)0x200000e1 = 1; *(uint8_t*)0x200000e2 = 0; *(uint8_t*)0x200000e3 = 0; *(uint8_t*)0x200000e4 = 0; *(uint8_t*)0x200000e5 = 0; *(uint8_t*)0x200000e6 = 0; *(uint8_t*)0x200000e7 = 0; *(uint8_t*)0x200000e8 = 0; *(uint8_t*)0x200000e9 = 0; *(uint8_t*)0x200000ea = 0; *(uint8_t*)0x200000eb = 0; *(uint8_t*)0x200000ec = 0; *(uint8_t*)0x200000ed = 0; *(uint8_t*)0x200000ee = 0; *(uint8_t*)0x200000ef = 1; *(uint8_t*)0x200000f0 = 0; *(uint8_t*)0x200000f1 = 0; *(uint8_t*)0x200000f2 = 0; *(uint8_t*)0x200000f3 = 0; *(uint8_t*)0x200000f4 = 0; *(uint8_t*)0x200000f5 = 0; *(uint8_t*)0x200000f6 = 0; *(uint8_t*)0x200000f7 = 0; *(uint8_t*)0x200000f8 = 0; *(uint8_t*)0x200000f9 = 0; *(uint8_t*)0x200000fa = -1; *(uint8_t*)0x200000fb = -1; *(uint32_t*)0x200000fc = htobe32(0xe0000001); *(uint64_t*)0x2035d008 = 0x80; *(uint64_t*)0x20360018 = 1; *(uint64_t*)0x20360020 = 0; *(uint64_t*)0x20360028 = 0; *(uint32_t*)0x20360030 = 0; syscall(__NR_sendmsg, r[0], 0x20360000, 0); res = syscall(__NR_socket, 0xa, 0x80002, 0x88); if (res != -1) r[1] = res; *(uint16_t*)0x20000040 = 0xa; *(uint16_t*)0x20000042 = htobe16(0x4e23); *(uint32_t*)0x20000044 = 0; *(uint8_t*)0x20000048 = 0; *(uint8_t*)0x20000049 = 0; *(uint8_t*)0x2000004a = 0; *(uint8_t*)0x2000004b = 0; *(uint8_t*)0x2000004c = 0; *(uint8_t*)0x2000004d = 0; *(uint8_t*)0x2000004e = 0; *(uint8_t*)0x2000004f = 0; *(uint8_t*)0x20000050 = 0; *(uint8_t*)0x20000051 = 0; *(uint8_t*)0x20000052 = 0; *(uint8_t*)0x20000053 = 0; *(uint8_t*)0x20000054 = 0; *(uint8_t*)0x20000055 = 0; *(uint8_t*)0x20000056 = 0; *(uint8_t*)0x20000057 = 0; *(uint32_t*)0x20000058 = 0; syscall(__NR_bind, r[1], 0x20000040, 0x1c); res = syscall(__NR_socket, 0xa, 0x8000000000000802, 0); if (res != -1) r[2] = res; syscall(__NR_dup2, r[1], r[2]); *(uint64_t*)0x20000000 = 0x205dafe4; *(uint16_t*)0x205dafe4 = 0xa; *(uint16_t*)0x205dafe6 = htobe16(0x4e23); *(uint32_t*)0x205dafe8 = 0; *(uint8_t*)0x205dafec = -1; *(uint8_t*)0x205dafed = 2; *(uint8_t*)0x205dafee = 0; *(uint8_t*)0x205dafef = 0; *(uint8_t*)0x205daff0 = 0; *(uint8_t*)0x205daff1 = 0; *(uint8_t*)0x205daff2 = 0; *(uint8_t*)0x205daff3 = 0; *(uint8_t*)0x205daff4 = 0; *(uint8_t*)0x205daff5 = 0; *(uint8_t*)0x205daff6 = 0; *(uint8_t*)0x205daff7 = 0; *(uint8_t*)0x205daff8 = 0; *(uint8_t*)0x205daff9 = 0; *(uint8_t*)0x205daffa = 0; *(uint8_t*)0x205daffb = 1; *(uint32_t*)0x205daffc = 0; *(uint32_t*)0x20000008 = 0x1c; *(uint64_t*)0x20000010 = 0x20fc8000; *(uint64_t*)0x20000018 = 0; *(uint64_t*)0x20000020 = 0; *(uint64_t*)0x20000028 = 0; *(uint32_t*)0x20000030 = 0; syscall(__NR_sendmsg, r[2], 0x20000000, 0x8000); *(uint64_t*)0x20000200 = 0; syscall(__NR_write, r[2], 0x20000200, 8); } int main() { syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0); loop(); return 0; }