// https://syzkaller.appspot.com/bug?id=88def480f8ec3781fb39b776b256fbb75b9e97d4
// autogenerated by syzkaller (http://github.com/google/syzkaller)
//
// Reproducer for the syzkaller bug linked above: main() forks eight
// executors, each creates a TAP device ("syz<i>"), and each then forks
// worker children that replay one recorded syscall program from 50
// racing threads (see loop(), test() and thr()). The program is meant
// to be run inside the kernel-under-test VM; the network setup in
// initialize_tun() shells out to `ip`/`sysctl`, which presumably needs
// CAP_NET_ADMIN — verify for the target environment.
//
// NOTE(review): the header names after each `#include` below are missing
// in this copy of the file (lost in extraction); the standard syzkaller
// template supplies them. They are left untouched here.
#ifndef __NR_bpf
#define __NR_bpf 321
#endif
#define _GNU_SOURCE
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include

// Process exit codes understood by the syzkaller harness: a hard failure
// versus a transient failure that may be retried.
const int kFailStatus = 67;
const int kRetryStatus = 69;

// Terminate the whole thread group with `status`. The spin loop after
// exit_group only exists so the function can be marked noreturn even if
// the syscall were ever to come back.
__attribute__((noreturn)) static void doexit(int status)
{
	volatile unsigned i;
	syscall(__NR_exit_group, status);
	for (i = 0;; i++) {
	}
}

// Print a formatted message plus the saved errno to stderr and exit.
// ENOMEM/EAGAIN are reported as retryable (kRetryStatus); everything
// else as a hard failure (kFailStatus). errno is captured before
// fflush/vfprintf can overwrite it.
__attribute__((noreturn)) static void fail(const char* msg, ...)
{
	int e = errno;
	fflush(stdout);
	va_list args;
	va_start(args, msg);
	vfprintf(stderr, msg, args);
	va_end(args);
	fprintf(stderr, " (errno %d)\n", e);
	doexit((e == ENOMEM || e == EAGAIN) ? kRetryStatus : kFailStatus);
}

// Same reporting as fail(), but always exits with kRetryStatus.
// Not referenced anywhere in this file.
__attribute__((noreturn)) static void exitf(const char* msg, ...)
{
	int e = errno;
	fflush(stdout);
	va_list args;
	va_start(args, msg);
	vfprintf(stderr, msg, args);
	va_end(args);
	fprintf(stderr, " (errno %d)\n", e);
	doexit(kRetryStatus);
}

// Mask of the low `bf_len` bits, and the same mask shifted to `bf_off`.
#define BITMASK_LEN(type, bf_len) (type)((1ull << (bf_len)) - 1)
#define BITMASK_LEN_OFF(type, bf_off, bf_len) \
	(type)(BITMASK_LEN(type, (bf_len)) << (bf_off))
// Read-modify-write of a bitfield inside the `type`-sized word at `addr`:
// clear the field, then OR in `val` masked to `bf_len` bits. An
// offset/length of 0/0 means "whole word" and is a plain store.
// NOTE: this expands to a bare if/else statement rather than a
// do { } while (0) block, so it must not be followed by an `else`.
#define STORE_BY_BITMASK(type, addr, val, bf_off, bf_len)              \
	if ((bf_off) == 0 && (bf_len) == 0) {                              \
		*(type*)(addr) = (type)(val);                                  \
	} else {                                                           \
		type new_val = *(type*)(addr);                                 \
		new_val &= ~BITMASK_LEN_OFF(type, (bf_off), (bf_len));         \
		new_val |= ((type)(val)&BITMASK_LEN(type, (bf_len))) << (bf_off); \
		*(type*)(addr) = new_val;                                      \
	}

// vsnprintf that aborts the process on encoding error or truncation.
// On truncation `str` is still NUL-terminated (size > 0), so passing it
// to fail() is safe.
static void vsnprintf_check(char* str, size_t size, const char* format, va_list args)
{
	int rv;
	rv = vsnprintf(str, size, format, args);
	if (rv < 0)
		fail("tun: snprintf failed");
	if ((size_t)rv >= size)
		fail("tun: string '%s...' doesn't fit into buffer", str);
}

// Variadic wrapper around vsnprintf_check().
static void snprintf_check(char* str, size_t size, const char* format, ...)
{
	va_list args;
	va_start(args, format);
	vsnprintf_check(str, size, format, args);
	va_end(args);
}

#define COMMAND_MAX_LEN 128

// Format a shell command line and run it through system(); any non-zero
// exit status is fatal. In this file every argument that reaches the
// format is a compile-time template or a value derived from the small
// executor id (see initialize_tun), never external input. va_end() is
// skipped when fail() is taken, which is harmless because fail() exits.
static void execute_command(const char* format, ...)
{
	va_list args;
	char command[COMMAND_MAX_LEN];
	int rv;
	va_start(args, format);
	vsnprintf_check(command, sizeof(command), format, args);
	rv = system(command);
	if (rv != 0)
		fail("tun: command \"%s\" failed with code %d", &command[0], rv);
	va_end(args);
}

// File descriptor of this process's TAP device; -1 until initialize_tun().
static int tunfd = -1;

#define SYZ_TUN_MAX_PACKET_SIZE 1000
#define MAX_PIDS 32
#define ADDR_MAX_LEN 32
// Per-executor address templates; `%d`/`%02hx` receive the executor id.
#define LOCAL_MAC "aa:aa:aa:aa:aa:%02hx"
#define REMOTE_MAC "bb:bb:bb:bb:bb:%02hx"
#define LOCAL_IPV4 "172.20.%d.170"
#define REMOTE_IPV4 "172.20.%d.187"
#define LOCAL_IPV6 "fe80::%02hxaa"
#define REMOTE_IPV6 "fe80::%02hxbb"

// Create and configure the TAP interface "syz<pid>" for executor `pid`:
// open /dev/net/tun non-blocking, attach a TAP (no packet info) device,
// then assign MAC/IPv4/IPv6 addresses and static neighbour entries for a
// fake remote peer via `sysctl`/`ip` shell commands. Sets `tunfd`.
// `iface` is produced by snprintf_check into an IFNAMSIZ buffer, so the
// strncpy into ifr_name is bounded and NUL-terminated.
static void initialize_tun(uint64_t pid)
{
	if (pid >= MAX_PIDS)
		fail("tun: no more than %d executors", MAX_PIDS);
	int id = pid;
	tunfd = open("/dev/net/tun", O_RDWR | O_NONBLOCK);
	if (tunfd == -1)
		fail("tun: can't open /dev/net/tun");
	char iface[IFNAMSIZ];
	snprintf_check(iface, sizeof(iface), "syz%d", id);
	struct ifreq ifr;
	memset(&ifr, 0, sizeof(ifr));
	strncpy(ifr.ifr_name, iface, IFNAMSIZ);
	ifr.ifr_flags = IFF_TAP | IFF_NO_PI;
	if (ioctl(tunfd, TUNSETIFF, (void*)&ifr) < 0)
		fail("tun: ioctl(TUNSETIFF) failed");
	char local_mac[ADDR_MAX_LEN];
	snprintf_check(local_mac, sizeof(local_mac), LOCAL_MAC, id);
	char remote_mac[ADDR_MAX_LEN];
	snprintf_check(remote_mac, sizeof(remote_mac), REMOTE_MAC, id);
	char local_ipv4[ADDR_MAX_LEN];
	snprintf_check(local_ipv4, sizeof(local_ipv4), LOCAL_IPV4, id);
	char remote_ipv4[ADDR_MAX_LEN];
	snprintf_check(remote_ipv4, sizeof(remote_ipv4), REMOTE_IPV4, id);
	char local_ipv6[ADDR_MAX_LEN];
	snprintf_check(local_ipv6, sizeof(local_ipv6), LOCAL_IPV6, id);
	char remote_ipv6[ADDR_MAX_LEN];
	snprintf_check(remote_ipv6, sizeof(remote_ipv6), REMOTE_IPV6, id);
	// DAD and router solicitations are disabled so the link-local address
	// is usable immediately and the interface stays quiet.
	execute_command("sysctl -w net.ipv6.conf.%s.accept_dad=0", iface);
	execute_command("sysctl -w net.ipv6.conf.%s.router_solicitations=0", iface);
	execute_command("ip link set dev %s address %s", iface, local_mac);
	execute_command("ip addr add %s/24 dev %s", local_ipv4, iface);
	execute_command("ip -6 addr add %s/120 dev %s", local_ipv6, iface);
	execute_command("ip neigh add %s lladdr %s dev %s nud permanent", remote_ipv4, remote_mac, iface);
	execute_command("ip -6 neigh add %s lladdr %s dev %s nud permanent", remote_ipv6, remote_mac, iface);
	execute_command("ip link set dev %s up", iface);
}

// Optional TAP setup; main() always passes enable_tun = true.
static void setup_tun(uint64_t pid, bool enable_tun)
{
	if (enable_tun)
		initialize_tun(pid);
}

// Read one frame from the TAP device into `data`. Returns the byte count,
// or -1 when nothing is pending (EAGAIN, the fd is non-blocking); any
// other read error is fatal.
static int read_tun(char* data, int size)
{
	int rv = read(tunfd, data, size);
	if (rv < 0) {
		if (errno == EAGAIN)
			return -1;
		fail("tun: read failed with %d, errno: %d", rv, errno);
	}
	return rv;
}

// Inject a raw Ethernet frame: write `a0` bytes starting at address `a1`
// to the TAP device. Returns (uintptr_t)-1 if no TAP device is open,
// otherwise the write() result.
static uintptr_t syz_emit_ethernet(uintptr_t a0, uintptr_t a1)
{
	if (tunfd < 0)
		return (uintptr_t)-1;
	int64_t length = a0;
	char* data = (char*)a1;
	return write(tunfd, data, length);
}

// Drain every pending frame from the TAP device so a fresh worker starts
// with an empty queue.
static void flush_tun()
{
	char data[SYZ_TUN_MAX_PACKET_SIZE];
	while (read_tun(&data[0], sizeof(data)) != -1)
		;
}

// Monotonic clock in milliseconds; used for the per-worker timeout in loop().
static uint64_t current_time_ms()
{
	struct timespec ts;
	if (clock_gettime(CLOCK_MONOTONIC, &ts))
		fail("clock_gettime failed");
	return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}

static void test();

// Executor main loop: forever, fork a worker that runs test() once and
// exits. The worker asks to be SIGKILLed if the parent dies and gets its
// own process group so the whole tree can be killed at once. The parent
// polls waitpid(); after 5 s it kills the group and the pid and reaps.
void loop()
{
	int iter;
	for (iter = 0;; iter++) {
		int pid = fork();
		if (pid < 0)
			fail("clone failed");
		if (pid == 0) {
			prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
			setpgrp();
			flush_tun();
			test();
			doexit(0);
		}
		int status = 0;
		uint64_t start = current_time_ms();
		for (;;) {
			int res = waitpid(-1, &status, __WALL | WNOHANG);
			if (res == pid)
				break;
			usleep(1000);
			if (current_time_ms() - start > 5 * 1000) {
				kill(-pid, SIGKILL);
				kill(pid, SIGKILL);
				while (waitpid(-1, &status, __WALL) != pid) {
				}
				break;
			}
		}
	}
}

// Results of the replayed syscalls, indexed by the generator's result
// numbering (sparse: only some slots are written). Initialized to -1 by
// test(). Written and read from many threads with no synchronization —
// presumably deliberate, since the fuzzer is racing these calls.
long r[323];

// Thread body: `arg` selects one step of the recorded program (cases
// 0..24). Each step first populates its argument structures with raw
// stores into the region that case 0 maps at 0x20000000 (length
// 0xfff000), then issues the syscall and records the result in r[].
// The stores below are generated output and are left exactly as emitted;
// several casts deliberately truncate (e.g. (uint8_t)0x400 stores 0,
// (uint16_t)0xfffffffffffff802 stores 0xf802).
// NOTE(review): threads other than case 0 assume the mapping already
// exists; test() only staggers thread start with usleep(), so this is a
// race by design — confirm before reusing the harness elsewhere.
void* thr(void* arg)
{
	switch ((long)arg) {
	case 0:
		// prot 0x3 / flags 0x32 look like PROT_READ|PROT_WRITE and
		// MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS on x86-64 — verify for the
		// target ABI.
		r[0] = syscall(__NR_mmap, 0x20000000ul, 0xfff000ul, 0x3ul, 0x32ul, 0xfffffffffffffffful, 0x0ul);
		break;
	case 1:
		*(uint32_t*)0x2001d000 = (uint32_t)0x0;
		*(uint32_t*)0x2001d004 = (uint32_t)0x78;
		*(uint8_t*)0x2001d008 = (uint8_t)0x0;
		*(uint8_t*)0x2001d009 = (uint8_t)0x0;
		*(uint8_t*)0x2001d00a = (uint8_t)0x0;
		*(uint8_t*)0x2001d00b = (uint8_t)0x0;
		*(uint32_t*)0x2001d00c = (uint32_t)0x0;
		*(uint64_t*)0x2001d010 = (uint64_t)0x0;
		*(uint64_t*)0x2001d018 = (uint64_t)0x0;
		*(uint64_t*)0x2001d020 = (uint64_t)0x0;
		*(uint8_t*)0x2001d028 = (uint8_t)0x0;
		*(uint8_t*)0x2001d029 = (uint8_t)0x0;
		*(uint8_t*)0x2001d02a = (uint8_t)0x0;
		*(uint8_t*)0x2001d02b = (uint8_t)0x0;
		*(uint32_t*)0x2001d02c = (uint32_t)0x0;
		*(uint32_t*)0x2001d030 = (uint32_t)0x0;
		*(uint32_t*)0x2001d034 = (uint32_t)0x0;
		*(uint64_t*)0x2001d038 = (uint64_t)0x0;
		*(uint64_t*)0x2001d040 = (uint64_t)0x0;
		*(uint64_t*)0x2001d048 = (uint64_t)0x0;
		*(uint64_t*)0x2001d050 = (uint64_t)0x0;
		*(uint64_t*)0x2001d058 = (uint64_t)0x0;
		*(uint32_t*)0x2001d060 = (uint32_t)0x0;
		*(uint64_t*)0x2001d068 = (uint64_t)0x0;
		*(uint32_t*)0x2001d070 = (uint32_t)0x0;
		*(uint16_t*)0x2001d074 = (uint16_t)0x0;
		*(uint16_t*)0x2001d076 = (uint16_t)0x0;
		r[28] = syscall(__NR_perf_event_open, 0x2001d000ul, 0x0ul, 0x0ul, 0xfffffffffffffffful, 0x0ul);
		break;
	case 2:
		*(uint32_t*)0x2023c000 = (uint32_t)0x0;
		*(uint16_t*)0x2023c004 = (uint16_t)0xa;
		*(uint16_t*)0x2023c006 = (uint16_t)0x204e;
		*(uint32_t*)0x2023c008 = (uint32_t)0x0;
		*(uint8_t*)0x2023c00c = (uint8_t)0x0;
		*(uint8_t*)0x2023c00d = (uint8_t)0x0;
		*(uint8_t*)0x2023c00e = (uint8_t)0x0;
		*(uint8_t*)0x2023c00f = (uint8_t)0x0;
		*(uint8_t*)0x2023c010 = (uint8_t)0x0;
		*(uint8_t*)0x2023c011 = (uint8_t)0x0;
		*(uint8_t*)0x2023c012 = (uint8_t)0x0;
		*(uint8_t*)0x2023c013 = (uint8_t)0x0;
		*(uint8_t*)0x2023c014 = (uint8_t)0x0;
		*(uint8_t*)0x2023c015 = (uint8_t)0x0;
		*(uint8_t*)0x2023c016 = (uint8_t)0x0;
		*(uint8_t*)0x2023c017 = (uint8_t)0x0;
		*(uint8_t*)0x2023c018 = (uint8_t)0x0;
		*(uint8_t*)0x2023c019 = (uint8_t)0x0;
		*(uint8_t*)0x2023c01a = (uint8_t)0x0;
		*(uint8_t*)0x2023c01b = (uint8_t)0x0;
		*(uint32_t*)0x2023c01c = (uint32_t)0x0;
		*(uint64_t*)0x2023c024 = (uint64_t)0x0;
		*(uint64_t*)0x2023c02c = (uint64_t)0x0;
		*(uint64_t*)0x2023c034 = (uint64_t)0x0;
		*(uint64_t*)0x2023c03c = (uint64_t)0x0;
		*(uint64_t*)0x2023c044 = (uint64_t)0x0;
		*(uint64_t*)0x2023c04c = (uint64_t)0x0;
		*(uint64_t*)0x2023c054 = (uint64_t)0x0;
		*(uint64_t*)0x2023c05c = (uint64_t)0x0;
		*(uint64_t*)0x2023c064 = (uint64_t)0x0;
		*(uint64_t*)0x2023c06c = (uint64_t)0x0;
		*(uint64_t*)0x2023c074 = (uint64_t)0x0;
		*(uint64_t*)0x2023c07c = (uint64_t)0x0;
		*(uint32_t*)0x2023c08c = (uint32_t)0x0;
		*(uint16_t*)0x2023c090 = (uint16_t)0x0;
		*(uint32_t*)0x2023c092 = (uint32_t)0x0;
		*(uint32_t*)0x2023c096 = (uint32_t)0x0;
		*(uint32_t*)0x2023c09a = (uint32_t)0x0;
		*(uint32_t*)0x20d62000 = (uint32_t)0xa0;
		r[68] = syscall(__NR_getsockopt, 0xffffffffffffff9cul, 0x84ul, 0x9ul, 0x2023c000ul, 0x20d62000ul);
		break;
	case 3:
		*(uint32_t*)0x20f90000 = (uint32_t)0x3;
		*(uint64_t*)0x20f90008 = (uint64_t)0x20c3a000;
		r[71] = syscall(__NR_ioctl, 0xfffffffffffffffful, 0x800443d2ul, 0x20f90000ul);
		break;
	case 4:
		// The 17-byte literal is a NUL-terminated device path.
		memcpy((void*)0x204e1000, "\x2f\x64\x65\x76\x2f\x71\x61\x74\x5f\x61"
				     "\x64\x66\x5f\x63\x74\x6c\x00", 17);
		r[73] = syscall(__NR_openat, 0xffffffffffffff9cul, 0x204e1000ul, 0x242200ul, 0x0ul);
		break;
	case 5:
		*(uint8_t*)0x20b4cffe = (uint8_t)0x7;
		*(uint8_t*)0x20b4cfff = (uint8_t)0x400; // truncates to 0
		r[76] = syscall(__NR_ioctl, r[73], 0x541cul, 0x20b4cffeul);
		break;
	case 6:
		r[77] = syscall(__NR_ioctl, r[73], 0x540ful, 0x20ccaffcul);
		break;
	case 7:
		r[78] = syscall(__NR_socket, 0x2000000011ul, 0x3ul, 0x300ul);
		break;
	case 8:
		*(uint32_t*)0x20feaff0 = (uint32_t)0x0;
		*(uint32_t*)0x20feaff4 = (uint32_t)0xa;
		*(uint64_t*)0x20feaff8 = (uint64_t)0x20196f30;
		*(uint16_t*)0x20196f30 = (uint16_t)0x2;
		*(uint16_t*)0x20196f32 = (uint16_t)0x204e;
		*(uint8_t*)0x20196f34 = (uint8_t)0xac;
		*(uint8_t*)0x20196f35 = (uint8_t)0x14;
		*(uint8_t*)0x20196f36 = (uint8_t)0x0;
		*(uint8_t*)0x20196f37 = (uint8_t)0xbb;
		*(uint8_t*)0x20196f38 = (uint8_t)0x0;
		*(uint8_t*)0x20196f39 = (uint8_t)0x0;
		*(uint8_t*)0x20196f3a = (uint8_t)0x0;
		*(uint8_t*)0x20196f3b = (uint8_t)0x0;
		*(uint8_t*)0x20196f3c = (uint8_t)0x0;
		*(uint8_t*)0x20196f3d = (uint8_t)0x0;
		*(uint8_t*)0x20196f3e = (uint8_t)0x0;
		*(uint8_t*)0x20196f3f = (uint8_t)0x0;
		*(uint16_t*)0x20196f40 = (uint16_t)0x2;
		*(uint16_t*)0x20196f42 = (uint16_t)0x214e;
		*(uint32_t*)0x20196f44 = (uint32_t)0x0;
		*(uint8_t*)0x20196f48 = (uint8_t)0x0;
		*(uint8_t*)0x20196f49 = (uint8_t)0x0;
		*(uint8_t*)0x20196f4a = (uint8_t)0x0;
		*(uint8_t*)0x20196f4b = (uint8_t)0x0;
		*(uint8_t*)0x20196f4c = (uint8_t)0x0;
		*(uint8_t*)0x20196f4d = (uint8_t)0x0;
		*(uint8_t*)0x20196f4e = (uint8_t)0x0;
		*(uint8_t*)0x20196f4f = (uint8_t)0x0;
		*(uint16_t*)0x20196f50 = (uint16_t)0xa;
		*(uint16_t*)0x20196f52 = (uint16_t)0x224e;
		*(uint32_t*)0x20196f54 = (uint32_t)0x81;
		*(uint8_t*)0x20196f58 = (uint8_t)0x0;
		*(uint8_t*)0x20196f59 = (uint8_t)0x0;
		*(uint8_t*)0x20196f5a = (uint8_t)0x0;
		*(uint8_t*)0x20196f5b = (uint8_t)0x0;
		*(uint8_t*)0x20196f5c = (uint8_t)0x0;
		*(uint8_t*)0x20196f5d = (uint8_t)0x0;
		*(uint8_t*)0x20196f5e = (uint8_t)0x0;
		*(uint8_t*)0x20196f5f = (uint8_t)0x0;
		*(uint8_t*)0x20196f60 = (uint8_t)0x0;
		*(uint8_t*)0x20196f61 = (uint8_t)0x0;
		*(uint8_t*)0x20196f62 = (uint8_t)0x0;
		*(uint8_t*)0x20196f63 = (uint8_t)0x0;
		*(uint8_t*)0x20196f64 = (uint8_t)0x0;
		*(uint8_t*)0x20196f65 = (uint8_t)0x0;
		*(uint8_t*)0x20196f66 = (uint8_t)0x0;
		*(uint8_t*)0x20196f67 = (uint8_t)0x0;
		*(uint32_t*)0x20196f68 = (uint32_t)0x80000001;
		*(uint16_t*)0x20196f6c = (uint16_t)0xa;
		*(uint16_t*)0x20196f6e = (uint16_t)0x214e;
		*(uint32_t*)0x20196f70 = (uint32_t)0x0;
		*(uint64_t*)0x20196f74 = (uint64_t)0x0;
		*(uint64_t*)0x20196f7c = (uint64_t)0x100000000000000;
		*(uint32_t*)0x20196f84 = (uint32_t)0x100000001;
		*(uint16_t*)0x20196f88 = (uint16_t)0x2;
		*(uint16_t*)0x20196f8a = (uint16_t)0x234e;
		*(uint32_t*)0x20196f8c = (uint32_t)0x100007f;
		*(uint8_t*)0x20196f90 = (uint8_t)0x0;
		*(uint8_t*)0x20196f91 = (uint8_t)0x0;
		*(uint8_t*)0x20196f92 = (uint8_t)0x0;
		*(uint8_t*)0x20196f93 = (uint8_t)0x0;
		*(uint8_t*)0x20196f94 = (uint8_t)0x0;
		*(uint8_t*)0x20196f95 = (uint8_t)0x0;
		*(uint8_t*)0x20196f96 = (uint8_t)0x0;
		*(uint8_t*)0x20196f97 = (uint8_t)0x0;
		*(uint16_t*)0x20196f98 = (uint16_t)0xa;
		*(uint16_t*)0x20196f9a = (uint16_t)0x214e;
		*(uint32_t*)0x20196f9c = (uint32_t)0x3;
		*(uint64_t*)0x20196fa0 = (uint64_t)0x0;
		*(uint64_t*)0x20196fa8 = (uint64_t)0x100000000000000;
		*(uint32_t*)0x20196fb0 = (uint32_t)0x4;
		*(uint16_t*)0x20196fb4 = (uint16_t)0x2;
		*(uint16_t*)0x20196fb6 = (uint16_t)0x214e;
		*(uint32_t*)0x20196fb8 = (uint32_t)0x0;
		*(uint8_t*)0x20196fbc = (uint8_t)0x0;
		*(uint8_t*)0x20196fbd = (uint8_t)0x0;
		*(uint8_t*)0x20196fbe = (uint8_t)0x0;
		*(uint8_t*)0x20196fbf = (uint8_t)0x0;
		*(uint8_t*)0x20196fc0 = (uint8_t)0x0;
		*(uint8_t*)0x20196fc1 = (uint8_t)0x0;
		*(uint8_t*)0x20196fc2 = (uint8_t)0x0;
		*(uint8_t*)0x20196fc3 = (uint8_t)0x0;
		*(uint16_t*)0x20196fc4 = (uint16_t)0x2;
		*(uint16_t*)0x20196fc6 = (uint16_t)0x204e;
		*(uint32_t*)0x20196fc8 = (uint32_t)0x100007f;
		*(uint8_t*)0x20196fcc = (uint8_t)0x0;
		*(uint8_t*)0x20196fcd = (uint8_t)0x0;
		*(uint8_t*)0x20196fce = (uint8_t)0x0;
		*(uint8_t*)0x20196fcf = (uint8_t)0x0;
		*(uint8_t*)0x20196fd0 = (uint8_t)0x0;
		*(uint8_t*)0x20196fd1 = (uint8_t)0x0;
		*(uint8_t*)0x20196fd2 = (uint8_t)0x0;
		*(uint8_t*)0x20196fd3 = (uint8_t)0x0;
		*(uint16_t*)0x20196fd4 = (uint16_t)0xa;
		*(uint16_t*)0x20196fd6 = (uint16_t)0x224e;
		*(uint32_t*)0x20196fd8 = (uint32_t)0x5;
		*(uint64_t*)0x20196fdc = (uint64_t)0x0;
		*(uint64_t*)0x20196fe4 = (uint64_t)0x100000000000000;
		*(uint32_t*)0x20196fec = (uint32_t)0x8000;
		*(uint16_t*)0x20196ff0 = (uint16_t)0x2;
		*(uint16_t*)0x20196ff2 = (uint16_t)0x234e;
		*(uint8_t*)0x20196ff4 = (uint8_t)0xac;
		*(uint8_t*)0x20196ff5 = (uint8_t)0x14;
		*(uint8_t*)0x20196ff6 = (uint8_t)0x0;
		*(uint8_t*)0x20196ff7 = (uint8_t)0xaa;
		*(uint8_t*)0x20196ff8 = (uint8_t)0x0;
		*(uint8_t*)0x20196ff9 = (uint8_t)0x0;
		*(uint8_t*)0x20196ffa = (uint8_t)0x0;
		*(uint8_t*)0x20196ffb = (uint8_t)0x0;
		*(uint8_t*)0x20196ffc = (uint8_t)0x0;
		*(uint8_t*)0x20196ffd = (uint8_t)0x0;
		*(uint8_t*)0x20196ffe = (uint8_t)0x0;
		*(uint8_t*)0x20196fff = (uint8_t)0x0;
		*(uint32_t*)0x20015ffc = (uint32_t)0x10;
		r[193] = syscall(__NR_getsockopt, r[78], 0x84ul, 0x6ful, 0x20feaff0ul, 0x20015ffcul);
		break;
	case 9:
		*(uint32_t*)0x20001fd0 = (uint32_t)0x0;
		*(uint32_t*)0x20001fd4 = (uint32_t)0x1;
		*(uint64_t*)0x20001fd8 = (uint64_t)0x20000000;
		*(uint64_t*)0x20001fe0 = (uint64_t)0x20fdbfef;
		*(uint32_t*)0x20001fe8 = (uint32_t)0x0;
		*(uint32_t*)0x20001fec = (uint32_t)0x0;
		*(uint64_t*)0x20001ff0 = (uint64_t)0x20b92fd0;
		*(uint32_t*)0x20001ff8 = (uint32_t)0x0;
		*(uint8_t*)0x20000000 = (uint8_t)0x0;
		*(uint8_t*)0x20000001 = (uint8_t)0x0;
		*(uint16_t*)0x20000002 = (uint16_t)0xfffffffffffff802; // truncates to 0xf802
		*(uint32_t*)0x20000004 = (uint32_t)0xffffffffffffffff; // truncates to 0xffffffff
		memcpy((void*)0x20fdbfef, "\x00", 1);
		r[207] = syscall(__NR_bpf, 0x5ul, 0x20001fd0ul, 0x30ul);
		break;
	case 10:
		r[208] = syscall(__NR_socket, 0x2ul, 0x80002ul, 0x10004ul);
		break;
	case 11:
		r[209] = syscall(__NR_ioctl, r[208], 0x541bul, 0x20a67000ul);
		break;
	case 12:
		r[210] = syscall(__NR_socket, 0x11ul, 0x802ul, 0x300ul);
		break;
	case 13:
		r[211] = syscall(__NR_setsockopt, r[210], 0x107ul, 0x12ul, 0x20000000ul, 0x4ul);
		break;
	case 14:
		*(uint32_t*)0x20f87000 = (uint32_t)0x0;
		r[213] = syscall(__NR_setsockopt, r[210], 0x1ul, 0x8ul, 0x20f87000ul, 0x4ul);
		break;
	case 15:
		*(uint32_t*)0x2061c000 = (uint32_t)0x0;
		*(uint32_t*)0x2061c004 = (uint32_t)0x8;
		*(uint32_t*)0x20acf000 = (uint32_t)0x8;
		r[217] = syscall(__NR_getsockopt, r[210], 0x84ul, 0xdul, 0x2061c000ul, 0x20acf000ul);
		// r[218] is a value read back from the kernel; cases 19 and 21
		// feed it into later calls.
		if (r[217] != -1)
			r[218] = *(uint32_t*)0x2061c000;
		break;
	case 16:
		*(uint16_t*)0x205fb000 = (uint16_t)0xa;
		*(uint16_t*)0x205fb002 = (uint16_t)0x214e;
		*(uint32_t*)0x205fb004 = (uint32_t)0x1;
		*(uint64_t*)0x205fb008 = (uint64_t)0x0;
		*(uint64_t*)0x205fb010 = (uint64_t)0x100000000000000;
		*(uint32_t*)0x205fb018 = (uint32_t)0x8;
		r[225] = syscall(__NR_sendto, r[210], 0x20c58fb4ul, 0x0ul, 0xfffffffffffffffful, 0x205fb000ul, 0x1cul);
		break;
	case 17:
		*(uint32_t*)0x20081ffc = (uint32_t)0x4aef;
		r[227] = syscall(__NR_ioctl, r[210], 0x894cul, 0x20081ffcul);
		break;
	case 18:
		*(uint32_t*)0x20453fe0 = (uint32_t)0xffffffffffffffff;
		*(uint64_t*)0x20453fe8 = (uint64_t)0x20e65000;
		*(uint64_t*)0x20453ff0 = (uint64_t)0x20859000;
		*(uint64_t*)0x20453ff8 = (uint64_t)0x1;
		r[232] = syscall(__NR_bpf, 0x2ul, 0x20453fe0ul, 0x20ul);
		break;
	case 19:
		*(uint32_t*)0x2037d000 = r[218];
		*(uint32_t*)0x2037d004 = (uint32_t)0x4;
		*(uint32_t*)0x201e4ffc = (uint32_t)0x8;
		r[236] = syscall(__NR_getsockopt, r[210], 0x84ul, 0x71ul, 0x2037d000ul, 0x201e4ffcul);
		break;
	case 20:
		*(uint32_t*)0x203baffc = (uint32_t)0xc;
		r[238] = syscall(__NR_getsockopt, r[210], 0x1ul, 0x11ul, 0x2096a000ul, 0x203baffcul);
		// r[239] is consumed by case 22.
		if (r[238] != -1)
			r[239] = *(uint32_t*)0x2096a000;
		break;
	case 21:
		*(uint32_t*)0x20460f60 = r[218];
		*(uint16_t*)0x20460f64 = (uint16_t)0x2;
		*(uint16_t*)0x20460f66 = (uint16_t)0x214e;
		*(uint32_t*)0x20460f68 = (uint32_t)0x0;
		*(uint8_t*)0x20460f6c = (uint8_t)0x0;
		*(uint8_t*)0x20460f6d = (uint8_t)0x0;
		*(uint8_t*)0x20460f6e = (uint8_t)0x0;
		*(uint8_t*)0x20460f6f = (uint8_t)0x0;
		*(uint8_t*)0x20460f70 = (uint8_t)0x0;
		*(uint8_t*)0x20460f71 = (uint8_t)0x0;
		*(uint8_t*)0x20460f72 = (uint8_t)0x0;
		*(uint8_t*)0x20460f73 = (uint8_t)0x0;
		*(uint64_t*)0x20460f74 = (uint64_t)0x0;
		*(uint64_t*)0x20460f7c = (uint64_t)0x0;
		*(uint64_t*)0x20460f84 = (uint64_t)0x0;
		*(uint64_t*)0x20460f8c = (uint64_t)0x0;
		*(uint64_t*)0x20460f94 = (uint64_t)0x0;
		*(uint64_t*)0x20460f9c = (uint64_t)0x0;
		*(uint64_t*)0x20460fa4 = (uint64_t)0x0;
		*(uint64_t*)0x20460fac = (uint64_t)0x0;
		*(uint64_t*)0x20460fb4 = (uint64_t)0x0;
		*(uint64_t*)0x20460fbc = (uint64_t)0x0;
		*(uint64_t*)0x20460fc4 = (uint64_t)0x0;
		*(uint64_t*)0x20460fcc = (uint64_t)0x0;
		*(uint64_t*)0x20460fd4 = (uint64_t)0x0;
		*(uint64_t*)0x20460fdc = (uint64_t)0x0;
		*(uint64_t*)0x20460fe4 = (uint64_t)0x0;
		*(uint32_t*)0x20460fec = (uint32_t)0xff0000000000; // truncates to 0
		*(uint16_t*)0x20460ff0 = (uint16_t)0x1;
		*(uint32_t*)0x20460ff2 = (uint32_t)0x80000001;
		*(uint32_t*)0x20460ff6 = (uint32_t)0x1000;
		*(uint32_t*)0x20460ffa = (uint32_t)0x20;
		r[272] = syscall(__NR_setsockopt, r[210], 0x84ul, 0x9ul, 0x20460f60ul, 0xa0ul);
		break;
	case 22:
		*(uint32_t*)0x207d5000 = r[239];
		r[274] = syscall(__NR_ioctl, r[208], 0x8901ul, 0x207d5000ul);
		break;
	case 23:
		// Builds a 0x81-byte frame at 0x20000000 and injects it via the TAP
		// device; note this aliases the region case 9 and case 13 also use.
		memcpy((void*)0x20000000, "\xef\xad\x07\x00\x00\xa7", 6);
		*(uint8_t*)0x20000006 = (uint8_t)0x0;
		*(uint8_t*)0x20000007 = (uint8_t)0x0;
		*(uint8_t*)0x20000008 = (uint8_t)0x0;
		*(uint8_t*)0x20000009 = (uint8_t)0x0;
		*(uint8_t*)0x2000000a = (uint8_t)0x0;
		*(uint8_t*)0x2000000b = (uint8_t)0x0;
		*(uint16_t*)0x2000000c = (uint16_t)0x0;
		*(uint16_t*)0x2000000e = (uint16_t)0x7100;
		*(uint8_t*)0x20000010 = (uint8_t)0x0;
		*(uint8_t*)0x20000011 = (uint8_t)0x0;
		memcpy((void*)0x20000012, "\x9a", 1);
		memcpy((void*)0x20000013, "\x2f\x3f\x7b", 3);
		*(uint16_t*)0x20000016 = (uint16_t)0x0;
		memcpy((void*)0x20000018, "\xbb\xf7\x8b\x9a\x1e\xf9\xd7\x58\x5c\x44\xdc\x14\x2e\xcb"
				     "\xaf\x80\x66\xd2\x61\x0e\x91\xb0\xe5\xce\xa2\x2f\xde\xe4"
				     "\x0a\x7e\x5f\x9e\x41\xdd\x99\xf8\xfb\xe9\xb2\x8d\x03\xe6"
				     "\xb4\x99\x2c\x5b\x98\xa2\xc3\x7c\x5e\xbe\x16\x92\xbc\xc8"
				     "\xfb\xc1\xec\xad\x74\xff\xe1\xff\x13\xc5\x05\xb9\x66\xc4"
				     "\x2b\x6d\x44\xa1\x2c\xe0\x6c\x5a\x04\x31\x56\xfd\x53\xcd"
				     "\xbf\xdc\xbb\x08\x9e\xb0\xfc\x74\x3f\xd2\xa7\x4c\x56\x1b"
				     "\x81\x03\x20\x17\xdf\x10\x93", 105);
		r[290] = syz_emit_ethernet(0x81ul, 0x20000000ul);
		break;
	case 24:
		// Builds a 0x2e-byte frame at 0x209cbfd2 and injects it. The
		// destination/source MACs use the aa:.. / bb:.. prefixes from the
		// LOCAL_MAC/REMOTE_MAC templates; the 16-bit word at 0x209cbfe0 is
		// assembled from three bitfields via STORE_BY_BITMASK.
		*(uint8_t*)0x209cbfd2 = (uint8_t)0xaa;
		*(uint8_t*)0x209cbfd3 = (uint8_t)0xaa;
		*(uint8_t*)0x209cbfd4 = (uint8_t)0xaa;
		*(uint8_t*)0x209cbfd5 = (uint8_t)0xaa;
		*(uint8_t*)0x209cbfd6 = (uint8_t)0xaa;
		*(uint8_t*)0x209cbfd7 = (uint8_t)0x0;
		memcpy((void*)0x209cbfd8, "\xb4\x2d\xd4\x91\xaa\x6c", 6);
		*(uint16_t*)0x209cbfde = (uint16_t)0x81;
		STORE_BY_BITMASK(uint16_t, 0x209cbfe0, 0x3, 0, 3);
		STORE_BY_BITMASK(uint16_t, 0x209cbfe0, 0x20, 3, 1);
		STORE_BY_BITMASK(uint16_t, 0x209cbfe0, 0x800, 4, 12);
		*(uint16_t*)0x209cbfe2 = (uint16_t)0x888;
		*(uint16_t*)0x209cbfe4 = (uint16_t)0x100;
		*(uint16_t*)0x209cbfe6 = (uint16_t)0x8;
		*(uint8_t*)0x209cbfe8 = (uint8_t)0x6;
		*(uint8_t*)0x209cbfe9 = (uint8_t)0x4;
		*(uint16_t*)0x209cbfea = (uint16_t)0xb00;
		*(uint8_t*)0x209cbfec = (uint8_t)0x0;
		*(uint8_t*)0x209cbfed = (uint8_t)0x0;
		*(uint8_t*)0x209cbfee = (uint8_t)0x0;
		*(uint8_t*)0x209cbfef = (uint8_t)0x0;
		*(uint8_t*)0x209cbff0 = (uint8_t)0x0;
		*(uint8_t*)0x209cbff1 = (uint8_t)0x0;
		*(uint32_t*)0x209cbff2 = (uint32_t)0x20000e0;
		*(uint8_t*)0x209cbff6 = (uint8_t)0xbb;
		*(uint8_t*)0x209cbff7 = (uint8_t)0xbb;
		*(uint8_t*)0x209cbff8 = (uint8_t)0xbb;
		*(uint8_t*)0x209cbff9 = (uint8_t)0xbb;
		*(uint8_t*)0x209cbffa = (uint8_t)0xbb;
		*(uint8_t*)0x209cbffb = (uint8_t)0x0;
		*(uint32_t*)0x209cbffc = (uint32_t)0x20000e0;
		r[322] = syz_emit_ethernet(0x2eul, 0x209cbfd2ul);
		break;
	}
	return 0;
}

// One run of the program: reset r[] to -1, then start 50 threads in two
// waves — thread i runs case i, and the second wave re-runs the same 25
// cases so that each step races against its own replay. Start times are
// jittered with rand()/usleep(); the threads are never joined, the worker
// simply returns and is exited (and reaped) by loop().
void test()
{
	long i;
	pthread_t th[50];
	memset(r, -1, sizeof(r));
	srand(getpid());
	for (i = 0; i < 25; i++) {
		pthread_create(&th[i], 0, thr, (void*)i);
		usleep(rand() % 10000);
	}
	for (i = 0; i < 25; i++) {
		pthread_create(&th[25 + i], 0, thr, (void*)i);
		if (rand() % 2)
			usleep(rand() % 10000);
	}
	usleep(rand() % 100000);
}

// Fork eight executors (ids 0..7, each with its own TAP device "syz<i>")
// that run loop() forever; the parent just sleeps (~11.5 days) so that
// PR_SET_PDEATHSIG in the workers is not triggered. The executors'
// `return 0` is only reached if loop() ever returns, which it does not.
int main()
{
	int i;
	for (i = 0; i < 8; i++) {
		if (fork() == 0) {
			setup_tun(i, true);
			loop();
			return 0;
		}
	}
	sleep(1000000);
	return 0;
}