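// https://syzkaller.appspot.com/bug?id=bc3d3c58ff37aa23b3a696101f48ec9110c480e2
// autogenerated by syzkaller (https://github.com/google/syzkaller)
//
// Kernel bug reproducer. It replays one fuzzer-generated syscall sequence:
//   1. a MAP_SHARED|MAP_POPULATE anonymous mapping that is immediately
//      collapsed with madvise(MADV_COLLAPSE);
//   2. an AF_ALG "hash" socket bound to hmac(md5), given an empty key;
//   3. one sendmsg() on the accepted operation socket carrying five iovecs,
//      the third of which declares iov_len = 0xffffff41 for a 171-byte
//      buffer and the fourth iov_len = 0x51 for a 505-byte buffer.
// The odd constants (prot bits, flags, lengths, payload bytes) are the
// fuzzer's output and are preserved byte-for-byte: changing any of them
// changes what the reproducer exercises. A successful run is intended to
// hit the kernel bug linked above, so the program is meant for a throwaway
// test VM rather than a host.
//
// The header list had been lost in extraction; the set below is what the
// code needs (uint64_t/intptr_t, syscall(), write(), memcpy()/memset(),
// the __NR_* numbers) and matches the usual syzkaller preamble.

#define _GNU_SOURCE

#include <endian.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

// Syscall results that later calls depend on: r[0] is the bound AF_ALG
// listening socket, r[1] the operation socket returned by accept().
// The all-ones initial value means "not obtained"; a failed socket() or
// accept() leaves it in place and the later calls then pass -1 as fd.
uint64_t r[2] = {0xffffffffffffffff, 0xffffffffffffffff};

int main(void)
{
  // Address space layout used by every pointer handed to the kernel:
  // a guard page below, a 16 MiB RWX scratch area at 0x200000000000,
  // and a guard page above it.
  syscall(__NR_mmap, /*addr=*/0x1ffffffff000ul, /*len=*/0x1000ul,
          /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul,
          /*fd=*/(intptr_t)-1, /*offset=*/0ul);
  syscall(__NR_mmap, /*addr=*/0x200000000000ul, /*len=*/0x1000000ul,
          /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul,
          /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul,
          /*fd=*/(intptr_t)-1, /*offset=*/0ul);
  syscall(__NR_mmap, /*addr=*/0x200001000000ul, /*len=*/0x1000ul,
          /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul,
          /*fd=*/(intptr_t)-1, /*offset=*/0ul);

  intptr_t res = 0;

  // Progress marker for the harness that runs this binary. The empty `if`
  // is the usual way to consume write()'s warn_unused_result.
  if (write(1, "executing program\n", sizeof("executing program\n") - 1)) {
  }

  // Step 1: replace the start of the scratch area with a 0xb36000-byte
  // MAP_SHARED|MAP_POPULATE|MAP_FIXED anonymous mapping. The prot value is
  // mostly garbage bits; the kernel sees PROT_READ|PROT_WRITE|PROT_EXEC|
  // PROT_SEM|PROT_GROWSUP plus undefined high bits.
  syscall(__NR_mmap, /*addr=*/0x200000000000ul, /*len=*/0xb36000ul,
          /*prot=PROT_GROWSUP|PROT_SEM|PROT_WRITE|PROT_READ|PROT_EXEC|0xb635773f04ebbee0*/
          0xb635773f06ebbeeful,
          /*flags=MAP_POPULATE|MAP_FIXED|MAP_ANONYMOUS|MAP_SHARED*/ 0x8031ul,
          /*fd=*/(intptr_t)-1, /*offset=*/0ul);

  // Ask for synchronous THP collapse of the freshly populated range. The
  // length is not page aligned (0x600003); the kernel rounds it up.
  syscall(__NR_madvise, /*addr=*/0x200000000000ul, /*len=*/0x600003ul,
          /*advice=MADV_COLLAPSE*/ 0x19ul);

  // Step 2: AF_ALG (0x26) SOCK_SEQPACKET (5) socket.
  res = syscall(__NR_socket, /*domain=*/0x26ul, /*type=*/5ul, /*proto=*/0);
  if (res != -1)
    r[0] = res;

  // struct sockaddr_alg at 0x200000000180 (88 bytes):
  //   +0x00 salg_family = AF_ALG
  //   +0x02 salg_type   = "hash" (14 bytes, zero padded)
  //   +0x10 salg_feat   = 0
  //   +0x14 salg_mask   = 0
  //   +0x18 salg_name   = "hmac(md5)" (64 bytes, zero padded)
  *(uint16_t*)0x200000000180 = 0x26;
  memcpy((void*)0x200000000182, "hash\000\000\000\000\000\000\000\000\000\000", 14);
  *(uint32_t*)0x200000000190 = 0;
  *(uint32_t*)0x200000000194 = 0;
  memcpy((void*)0x200000000198,
         "hmac(md5)"
         "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000"
         "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000"
         "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000"
         "\000\000\000\000",
         64);
  syscall(__NR_bind, /*fd=*/r[0], /*addr=*/0x200000000180ul,
          /*addrlen=*/0x58ul);

  // The accepted socket is the one that performs hash operations.
  res = syscall(__NR_accept, /*fd=*/r[0], /*peer=*/0ul, /*peerlen=*/0ul);
  if (res != -1)
    r[1] = res;

  // SOL_ALG (0x117) / ALG_SET_KEY (1) with a NULL key of length 0:
  // an empty HMAC key.
  syscall(__NR_setsockopt, /*fd=*/r[0], /*level=*/0x117, /*opt=*/1,
          /*key=*/0ul, /*keylen=*/0ul);

  // Step 3: struct msghdr at 0x200000000280:
  //   +0x00 msg_name       = NULL
  //   +0x08 msg_namelen    = 0
  //   +0x10 msg_iov        = 0x200000000740 (array of 5 iovecs, 16 B each)
  //   +0x18 msg_iovlen     = 5
  //   +0x20 msg_control    = NULL
  //   +0x28 msg_controllen = 0
  //   +0x30 msg_flags      = 0x20040890
  *(uint64_t*)0x200000000280 = 0;
  *(uint32_t*)0x200000000288 = 0;
  *(uint64_t*)0x200000000290 = 0x200000000740;

  // iov[0]: 1 byte of 0xb6 at 0x200000000540, but iov_len = 0.
  *(uint64_t*)0x200000000740 = 0x200000000540;
  memset((void*)0x200000000540, 182, 1);
  *(uint64_t*)0x200000000748 = 0;

  // iov[1]: 220 bytes at 0x200000000580, iov_len = 0xdc (matches).
  *(uint64_t*)0x200000000750 = 0x200000000580;
  memcpy((void*)0x200000000580,
         "\xb1\xcd\xc0\xa9\x24\x35\x04\x1e\x6b\xe0\x63\x32\x97\x29\xef\x5e\x76"
         "\xad\x3f\xe3\x45\xf5\x04\x9c\x64\x5e\xea\x4e\xdf\x3e\xac\x61\xac\x61"
         "\x25\xc4\x38\x2b\xea\x15\x99\x93\x72\x65\x1c\x0b\xed\xb1\x01\xc6\xde"
         "\x3c\xef\xe7\x1b\x3c\x94\xb2\x4b\x07\xb8\xaa\xfd\xf4\xbd\xcc\x25\x69"
         "\xb8\x69\x28\x0e\xe3\x81\xd3\xe4\x5f\x30\xdb\xd8\xe2\x80\x14\x11\x9a"
         "\x60\x36\xcb\x50\x6f\x7a\x2b\x2a\x50\x39\xde\x72\x9d\x40\x08\x60\xc1"
         "\x6b\xc4\x6b\xeb\xea\xcf\xb2\x05\x40\x30\x97\x94\x35\x53\xbb\xef\x64"
         "\xd6\xa8\x17\xd6\x0c\xa2\x1b\x79\x44\x84\x87\x33\xb0\xe4\xe7\x8d\x36"
         "\x21\x9f\xe8\x6b\xf2\x27\x4f\x10\xf9\x77\xfa\x07\xfb\xc3\x07\x48\x4b"
         "\xc1\xfe\xaf\x02\x34\x36\x82\x71\x1f\x9e\x4f\x55\xc7\x73\xe4\x27\x96"
         "\x9b\xa8\x58\x91\xfc\xf6\x7b\xd3\x40\x69\x4e\x5c\xb9\xd5\xc0\x0f\x37"
         "\x6b\x9c\x56\xc2\x4a\x75\x15\x28\x6a\x8f\x09\x55\x78\x4b\x81\x81\x9d"
         "\x21\x6b\x26\xcb\x77\xc2\x7d\x97\x6c\x9f\xae\xba\x5c\x25\x0c\xac",
         220);
  *(uint64_t*)0x200000000758 = 0xdc;

  // iov[2]: 171 bytes at 0x2000000007c0 but iov_len = 0xffffff41 — the
  // length claims ~4 GiB and runs far past the buffer and the scratch area.
  *(uint64_t*)0x200000000760 = 0x2000000007c0;
  memcpy((void*)0x2000000007c0,
         "\x67\xa9\x69\x2b\xdd\x01\xfa\xed\x90\x6c\x64\x11\xd8\xc3\xa7\xe0\x03\x73"
         "\x40\x87\x3e\x5a\x1f\x6e\x59\xdd\x24\xd0\x2c\xac\x6a\x00\x0e\x00\x00\x00"
         "\x00\x00\x00\x00\x00\xc5\x15\x7b\x4b\x67\x31\x7e\x2e\x9d\x65\xf6\xf9\x4b"
         "\x47\xbb\x60\x6a\x3b\x59\x72\xa2\x7b\xee\xc2\x88\x0d\xae\x2a\xaf\x9f\xdf"
         "\x76\x03\x9f\x47\xa0\xe9\x95\x6f\x24\xbb\x4a\x2d\x94\xa5\xa4\x6c\x4b\xcc"
         "\x87\x31\xb5\x7e\x2d\xd8\x76\xb2\x70\xbf\xc2\x62\x78\x1b\xfe\xfe\x47\x02"
         "\x34\xd1\xaf\x70\x89\x43\x8b\x03\x00\xa4\x6e\x30\x98\xdf\x7a\xfc\x75\x44"
         "\x45\xbe\x4f\x47\xdf\xc5\x54\x8d\x48\x3f\x2c\x9f\x16\x08\xe9\x1e\xe2\x05"
         "\x0f\xbb\xc9\xab\x46\xe0\xfd\xdf\x55\xf3\x50\x49\xc1\x88\xaa\xf6\x06\xec"
         "\x39\xf8\xe9\x6e\x68\x0d\x1c\x0e\x65",
         171);
  *(uint64_t*)0x200000000768 = 0xffffff41;

  // iov[3]: 192 bytes at 0x200000000680, iov_len = 0xc0 (matches).
  *(uint64_t*)0x200000000770 = 0x200000000680;
  memcpy((void*)0x200000000680,
         "\x35\x68\xce\xd1\x97\x03\x59\x73\x4f\x55\x3b\x38\xb7\xe8\x23\xcd\x3e\x4b"
         "\x26\x0c\x30\x3a\xb8\xf7\x05\x91\x54\x5b\x2a\x2b\x14\x96\x30\x69\xf9\x4c"
         "\x3c\xa9\x55\xf4\xbb\x50\x2b\x1a\xeb\x09\x5a\xd4\xc1\xb3\x7b\x6b\x3b\x62"
         "\x28\x8d\xfd\xd4\xc0\xb4\x92\x97\x8a\x19\x05\x2e\x6e\x96\xed\xa0\xc0\x16"
         "\x23\x6e\x84\x10\x0e\x5f\x55\x75\x85\x3b\x50\x28\x32\x36\x20\x59\x52\x9b"
         "\x4c\x31\x11\x3a\x6c\x6b\xef\xe7\x43\xf7\x0b\x26\x07\x4f\x05\xcb\x69\x94"
         "\x44\xc9\x98\xbd\x9e\xd5\xb1\x76\x55\x20\xc1\x58\x1b\x18\x94\x1a\xbd\x3d"
         "\x3b\xd3\x59\x02\xaf\xb1\x63\x72\x75\xc1\x92\x4c\x35\x61\x3d\x7c\x62\x7f"
         "\x94\x78\xb4\x66\xbe\x18\x8e\x7c\xa7\xb3\x52\x91\x95\x95\x29\x1d\x82\xe8"
         "\x7b\xc3\x12\x7b\xc0\x4a\x85\x75\x39\x73\x69\x09\x81\x97\xbc\x47\x7a\x5f"
         "\x71\xb6\xe5\x3c\xf9\x0a\x92\x65\x05\x37\x59\x04",
         192);
  *(uint64_t*)0x200000000778 = 0xc0;

  // iov[4]: 505 bytes at 0x200000000980 but iov_len = 0x51 (81), so only
  // the first 81 bytes are visible to the kernel.
  *(uint64_t*)0x200000000780 = 0x200000000980;
  memcpy((void*)0x200000000980,
         "\xf6\x54\x50\x97\xa6\x3e\xbe\x15\xd5\x73\x7a\xb1\x8a\x96\xe1\x61\x0c\x0e"
         "\x5f\xf3\xe2\xfa\x40\x7d\xeb\x36\x68\x7f\xb2\x60\x26\x05\xe8\x34\xab\xaf"
         "\x43\x94\x04\x96\x15\x46\xec\xe3\x96\xcd\x6a\x0f\x9c\x7b\x71\xce\x56\x6b"
         "\xd4\x5e\x9d\xa0\x89\x89\x20\x0a\x2f\x0a\xbc\xbd\x50\x08\xf3\x68\x56\x5d"
         "\xa7\x77\x5d\x22\xc3\x01\x12\x8e\x94\xc5\x36\xf8\x66\x2e\xb4\x94\x5d\x87"
         "\x59\x54\x49\xff\x99\x5b\x77\x7b\x3d\xdc\x88\x8c\xee\x5e\x66\x05\x17\x4f"
         "\xb2\x37\xa4\xc8\x8d\x33\x5d\xb0\xc1\xf5\xbd\x61\xf1\x54\x32\xd3\x79\x73"
         "\x83\x71\xab\xd5\xf2\xf8\xde\xbf\xe5\x6c\x38\x59\x0b\x2c\x9b\x51\xce\xaa"
         "\xb0\x5b\x39\x10\xdf\x0c\x54\x69\x80\x04\x4e\x17\xfc\xc8\x98\x20\x14\x26"
         "\x11\xa1\x69\xda\xe2\x27\x32\x6b\x36\xe8\x2f\x26\xa2\xd4\xee\xf2\x3c\x37"
         "\x50\x4b\x53\x10\x76\x2e\x11\x74\xf3\xfc\x72\x81\xed\x5a\xe9\xd8\x3f\x63"
         "\x06\x34\xbc\x00\xd4\x34\xbb\x5a\xe9\x58\xd7\x7b\x94\xf3\xa2\xca\x14\xaa"
         "\x54\x24\x44\x79\xd0\x4e\xfa\x61\x07\x1c\xb2\x4c\xa0\x88\x88\xac\xfd\xb1"
         "\x55\x16\xfe\xc5\xa0\xa9\xfc\xd2\x08\xb6\xc7\x68\x3a\x8a\x8f\x72\xfa\x9a"
         "\xee\x44\x2f\x46\xbc\x4d\xff\x0c\x84\xa3\x9b\x34\xd5\x82\x30\xee\x86\xc3"
         "\x69\x99\x7e\x3b\x63\x39\xfa\xff\x3c\x8b\xcb\x2c\x80\x3d\xff\xc1\x94\x14"
         "\xdb\x25\xc6\x77\x13\x91\x26\xfb\x38\xdd\xca\xb8\x5e\x07\x51\x8c\x03\x2c"
         "\xa5\x49\xef\x67\x68\x56\x87\xdb\x08\xf0\x9e\x16\x94\xc0\x87\x89\xc8\x59"
         "\x92\xf7\x95\x31\x25\xef\x8a\x94\x02\x01\xae\x31\x4e\xdd\x5b\x60\x16\xe9"
         "\x17\x30\x58\x6f\x02\x1a\x9e\xcf\x74\xd2\xcf\xe1\x84\xbf\x74\x44\xd3\x68"
         "\xbe\xd8\xbc\xfd\x8b\xab\x42\x36\x2d\x92\x6b\xb6\xb4\x7c\xf2\x0e\x57\x46"
         "\xa4\xc9\x7a\xb7\x31\x98\x46\x1f\x4f\xa4\x83\x75\xa1\x46\x78\x47\x95\x91"
         "\x4b\x96\xe7\xc3\xb8\xc3\x3f\x33\x5a\x51\xb5\xaf\xfe\x5a\x90\xcd\x2f\x36"
         "\x5b\x13\xf5\x37\x36\x45\xf1\xc3\xae\xdc\x04\x3e\x9b\xfa\x00\x71\x8f\x7c"
         "\xc6\x58\x5b\x7a\x5d\xcd\x34\x7f\x1a\x68\x5b\x52\xcf\x28\x65\xb7\x0b\x9c"
         "\x40\x76\x95\xc8\x31\xad\x08\x02\x38\xb1\x60\x54\x7c\xfd\xeb\xcf\x9b\x58"
         "\x71\xd9\x68\x2b\xd4\xef\xfc\xa3\x2a\x98\xf5\x0f\xa7\x49\xde\xa5\x70\xe9"
         "\xfe\xef\x9c\xd8\x8d\x15\xe9\x7c\x43\x6a\x95\x81\x9d\x05\x87\x8a\x66\x21"
         "\x00",
         505);
  *(uint64_t*)0x200000000788 = 0x51;

  // msg_iovlen = 5, yet only iov[0..3] are written above; iov[4] at
  // 0x200000000790 is whatever the anonymous mapping holds there —
  // presumably all zeros (NULL base, zero length), as nothing else in the
  // program touches that address.
  *(uint64_t*)0x200000000298 = 5;
  *(uint64_t*)0x2000000002a0 = 0;
  *(uint64_t*)0x2000000002a8 = 0;
  *(uint32_t*)0x2000000002b0 = 0x20040890;

  // Send on the accepted socket. If accept() failed above, r[1] is still
  // all-ones and the kernel sees fd -1 (EBADF) — the reproducer does not
  // check for that, by design.
  syscall(__NR_sendmsg, /*fd=*/r[1], /*msg=*/0x200000000280ul,
          /*f=MSG_ZEROCOPY|MSG_FASTOPEN|MSG_BATCH|MSG_NOSIGNAL|MSG_MORE|MSG_CONFIRM*/
          0x2404c800ul);
  return 0;
}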