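// https://syzkaller.appspot.com/bug?id=ad9da2be119e0ca4626ef81bd90f6e67b425c74d
// autogenerated by syzkaller (https://github.com/google/syzkaller)
//
// Reproducer. It maps the fixed scratch area syzkaller uses for syscall
// arguments, then replays one generated program: create and close a TCP6
// socket, create an MPTCP6 socket, bind + listen, and deliver one raw
// 88-byte netlink message to a NETLINK_INET_DIAG socket via writev().
// Every call goes through syscall(2) with the generator's literal numbers
// and results are only recorded in r[], so the call sequence is preserved
// exactly. The listing had lost its header names; they are restored here
// to the headers the code actually uses (htobe16/htobe32, fixed-width ints,
// memcpy/memset, __NR_* numbers, syscall/write).

#define _GNU_SOURCE

#include <endian.h>
#include <stdint.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

// Descriptors the program creates, in order: r[0] TCP6 socket, r[1] MPTCP6
// socket, r[2] netlink socket. All-bits-set means "not created (yet)".
uint64_t r[3] = {0xffffffffffffffff, 0xffffffffffffffff,
                 0xffffffffffffffff};

int main(void)
{
  // Scratch region backing every pointer argument below: a 16 MiB RWX
  // private mapping at 0x200000000000 with a prot=0 (inaccessible) page
  // mapped directly below and above it.
  syscall(__NR_mmap, /*addr=*/0x1ffffffff000ul, /*len=*/0x1000ul,
          /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul,
          /*fd=*/(intptr_t)-1, /*offset=*/0ul);
  syscall(__NR_mmap, /*addr=*/0x200000000000ul, /*len=*/0x1000000ul,
          /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul,
          /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul,
          /*fd=*/(intptr_t)-1, /*offset=*/0ul);
  syscall(__NR_mmap, /*addr=*/0x200001000000ul, /*len=*/0x1000ul,
          /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul,
          /*fd=*/(intptr_t)-1, /*offset=*/0ul);

  intptr_t res = 0;

  // Progress marker on stdout. The empty if-body only silences
  // warn_unused_result on write(2); the return value is not needed.
  if (write(1, "executing program\n", sizeof("executing program\n") - 1)) {
  }

  // socket$inet6_tcp: socket(AF_INET6, SOCK_STREAM, 0) -> sock_tcp6
  res = syscall(__NR_socket, /*domain=*/0xaul, /*type=*/1ul, /*proto=*/0);
  if (res != -1)
    r[0] = res;

  // close(r[0]). r[0] keeps the now-stale descriptor number; it is reused
  // as an argument further down exactly as the generator emitted it.
  syscall(__NR_close, /*fd=*/r[0]);

  // socket$inet6_mptcp: socket(AF_INET6, SOCK_STREAM, 0x106 /* IPPROTO_MPTCP */)
  // -> sock_mptcp6. Since the lowest free descriptor is normally handed out
  // again, this call very likely receives the same number r[0] was just
  // closed with (not guaranteed; depends on the process's fd table).
  res = syscall(__NR_socket, /*domain=*/0xaul, /*type=*/1ul, /*proto=*/0x106);
  if (res != -1)
    r[1] = res;

  // bind$inet6(r[0], &sockaddr_in6{family=AF_INET6, port=htobe16(0x4e22),
  // flowinfo=0, addr=::, scope_id=1}, 0x1c). The descriptor passed is the
  // *closed* r[0]; if the kernel reused that number for r[1], this in
  // practice binds the MPTCP socket. This is deliberate in the generated
  // program — do not "correct" it to r[1], that would change the repro.
  *(uint16_t*)0x200000000040 = 0xa;
  *(uint16_t*)0x200000000042 = htobe16(0x4e22);
  *(uint32_t*)0x200000000044 = htobe32(0);
  memset((void*)0x200000000048, 0, 16);
  *(uint32_t*)0x200000000058 = 1;
  syscall(__NR_bind, /*fd=*/r[0], /*addr=*/0x200000000040ul,
          /*addrlen=*/0x1cul);

  // listen(r[1], 0)
  syscall(__NR_listen, /*fd=*/r[1], /*backlog=*/0);

  // socket$netlink: socket(AF_NETLINK, SOCK_RAW, NETLINK_INET_DIAG)
  // -> sock_netlink
  res = syscall(__NR_socket, /*domain=*/0x10ul, /*type=*/3ul,
                /*proto=NETLINK_INET_DIAG*/ 4);
  if (res != -1)
    r[2] = res;

  // writev(r[2], [iovec{base=0x2000000005c0, len=0x58}], 1): one raw
  // 88-byte netlink message handed to the inet_diag socket. The first
  // bytes look like an nlmsghdr (nlmsg_len 0x58, nlmsg_type 0x14); the
  // payload is the generator's and is reproduced byte-for-byte.
  *(uint64_t*)0x200000000280 = 0x2000000005c0;
  memcpy((void*)0x2000000005c0,
         "\x58\x00\x00\x00\x14\x00\x19\x23\x40\x83\x4b\x80\x04\x0d\x8c\x56\x0a\x06"
         "\xff\xff\xff\x7f\x00\x00\x4e\x22\x00\x00\x00\x00\x58\x00\x0b\x48\x04\x00"
         "\x94\x5f\x64\x00\x94\x00\x05\x00\x38\x92\x5a\x01\x00\x00\x00\x80\x00\x00"
         "\x00\x80\x04\x00\x00\x00\xff\x01\x09\x00\x00\x00\xff\xf5\xdd\x00\x00\x00"
         "\x08\x00\x03\x00\x06\x01\x00\x00\x41\x8e\x01\x40\x00\x04\xfc\xff",
         88);
  *(uint64_t*)0x200000000288 = 0x58;
  syscall(__NR_writev, /*fd=*/r[2], /*vec=*/0x200000000280ul, /*vlen=*/1ul);

  return 0;
}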