// https://syzkaller.appspot.com/bug?id=1eaa30de66a3dcf8f4ecffec1ecc90dba071b6f2 // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); pthread_attr_setstacksize(&attr, 128 << 10); int i; for (i = 0; i < 100; i++) { if (pthread_create(&th, &attr, fn, arg) == 0) { pthread_attr_destroy(&attr); return; } if (errno == EAGAIN) { usleep(50); continue; } break; } exit(1); } typedef struct { int state; } event_t; static void event_init(event_t* ev) { ev->state = 0; } static void event_reset(event_t* ev) { ev->state = 0; } static void event_set(event_t* ev) { if (ev->state) exit(1); __atomic_store_n(&ev->state, 1, __ATOMIC_RELEASE); syscall(SYS_futex, &ev->state, FUTEX_WAKE | FUTEX_PRIVATE_FLAG); } static void event_wait(event_t* ev) { while (!__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, 0); } static int event_isset(event_t* ev) { return __atomic_load_n(&ev->state, __ATOMIC_ACQUIRE); } static int event_timedwait(event_t* ev, uint64_t timeout) { uint64_t start = current_time_ms(); uint64_t now = start; for (;;) { uint64_t remain = timeout - (now - start); struct timespec ts; ts.tv_sec = remain / 1000; ts.tv_nsec = (remain % 1000) * 1000 * 1000; syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, &ts); if (__atomic_load_n(&ev->state, __ATOMIC_RELAXED)) return 1; now = current_time_ms(); if (now - start > timeout) return 0; } } static bool write_file(const char* file, const char* what, ...) { char buf[1024]; va_list args; va_start(args, what); vsnprintf(buf, sizeof(buf), what, args); va_end(args); buf[sizeof(buf) - 1] = 0; int len = strlen(buf); int fd = open(file, O_WRONLY | O_CLOEXEC); if (fd == -1) return false; if (write(fd, buf, len) != len) { int err = errno; close(fd); errno = err; return false; } close(fd); return true; } static struct { char* pos; int nesting; struct nlattr* nested[8]; char buf[1024]; } nlmsg; static void netlink_init(int typ, int flags, const void* data, int size) { memset(&nlmsg, 0, sizeof(nlmsg)); struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg.buf; hdr->nlmsg_type = typ; hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags; memcpy(hdr + 1, data, size); nlmsg.pos = (char*)(hdr + 1) + NLMSG_ALIGN(size); } static void netlink_attr(int typ, const void* data, int size) { struct nlattr* attr = (struct nlattr*)nlmsg.pos; attr->nla_len = sizeof(*attr) + size; attr->nla_type = typ; memcpy(attr + 1, data, size); nlmsg.pos += NLMSG_ALIGN(attr->nla_len); } static int netlink_send(int sock) { if (nlmsg.pos > nlmsg.buf + sizeof(nlmsg.buf) || nlmsg.nesting) exit(1); struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg.buf; hdr->nlmsg_len = nlmsg.pos - nlmsg.buf; struct sockaddr_nl addr; memset(&addr, 0, sizeof(addr)); addr.nl_family = AF_NETLINK; unsigned n = sendto(sock, nlmsg.buf, hdr->nlmsg_len, 0, (struct sockaddr*)&addr, sizeof(addr)); if (n != hdr->nlmsg_len) exit(1); n = recv(sock, nlmsg.buf, sizeof(nlmsg.buf), 0); if (n < sizeof(struct nlmsghdr) + sizeof(struct nlmsgerr)) exit(1); if (hdr->nlmsg_type != NLMSG_ERROR) exit(1); return -((struct nlmsgerr*)(hdr + 1))->error; } static void netlink_device_change(int sock, const char* name, bool up, const char* master, const void* mac, int macsize) { struct ifinfomsg hdr; memset(&hdr, 0, sizeof(hdr)); if (up) hdr.ifi_flags = hdr.ifi_change = IFF_UP; netlink_init(RTM_NEWLINK, 0, &hdr, sizeof(hdr)); netlink_attr(IFLA_IFNAME, name, strlen(name)); if (master) { int ifindex = if_nametoindex(master); netlink_attr(IFLA_MASTER, &ifindex, sizeof(ifindex)); } if (macsize) netlink_attr(IFLA_ADDRESS, mac, macsize); int err = netlink_send(sock); (void)err; } static int netlink_add_addr(int sock, const char* dev, const void* addr, int addrsize) { struct ifaddrmsg hdr; memset(&hdr, 0, sizeof(hdr)); hdr.ifa_family = addrsize == 4 ? AF_INET : AF_INET6; hdr.ifa_prefixlen = addrsize == 4 ? 24 : 120; hdr.ifa_scope = RT_SCOPE_UNIVERSE; hdr.ifa_index = if_nametoindex(dev); netlink_init(RTM_NEWADDR, NLM_F_CREATE | NLM_F_REPLACE, &hdr, sizeof(hdr)); netlink_attr(IFA_LOCAL, addr, addrsize); netlink_attr(IFA_ADDRESS, addr, addrsize); return netlink_send(sock); } static void netlink_add_addr4(int sock, const char* dev, const char* addr) { struct in_addr in_addr; inet_pton(AF_INET, addr, &in_addr); int err = netlink_add_addr(sock, dev, &in_addr, sizeof(in_addr)); (void)err; } static void netlink_add_addr6(int sock, const char* dev, const char* addr) { struct in6_addr in6_addr; inet_pton(AF_INET6, addr, &in6_addr); int err = netlink_add_addr(sock, dev, &in6_addr, sizeof(in6_addr)); (void)err; } static void netlink_add_neigh(int sock, const char* name, const void* addr, int addrsize, const void* mac, int macsize) { struct ndmsg hdr; memset(&hdr, 0, sizeof(hdr)); hdr.ndm_family = addrsize == 4 ? AF_INET : AF_INET6; hdr.ndm_ifindex = if_nametoindex(name); hdr.ndm_state = NUD_PERMANENT; netlink_init(RTM_NEWNEIGH, NLM_F_EXCL | NLM_F_CREATE, &hdr, sizeof(hdr)); netlink_attr(NDA_DST, addr, addrsize); netlink_attr(NDA_LLADDR, mac, macsize); int err = netlink_send(sock); (void)err; } static int tunfd = -1; static int tun_frags_enabled; #define SYZ_TUN_MAX_PACKET_SIZE 1000 #define TUN_IFACE "syz_tun" #define LOCAL_MAC 0xaaaaaaaaaaaa #define REMOTE_MAC 0xaaaaaaaaaabb #define LOCAL_IPV4 "172.20.20.170" #define REMOTE_IPV4 "172.20.20.187" #define LOCAL_IPV6 "fe80::aa" #define REMOTE_IPV6 "fe80::bb" #define IFF_NAPI 0x0010 #define IFF_NAPI_FRAGS 0x0020 static void initialize_tun(void) { tunfd = open("/dev/net/tun", O_RDWR | O_NONBLOCK); if (tunfd == -1) { printf("tun: can't open /dev/net/tun: please enable CONFIG_TUN=y\n"); printf("otherwise fuzzing or reproducing might not work as intended\n"); return; } const int kTunFd = 240; if (dup2(tunfd, kTunFd) < 0) exit(1); close(tunfd); tunfd = kTunFd; struct ifreq ifr; memset(&ifr, 0, sizeof(ifr)); strncpy(ifr.ifr_name, TUN_IFACE, IFNAMSIZ); ifr.ifr_flags = IFF_TAP | IFF_NO_PI | IFF_NAPI | IFF_NAPI_FRAGS; if (ioctl(tunfd, TUNSETIFF, (void*)&ifr) < 0) { ifr.ifr_flags = IFF_TAP | IFF_NO_PI; if (ioctl(tunfd, TUNSETIFF, (void*)&ifr) < 0) exit(1); } if (ioctl(tunfd, TUNGETIFF, (void*)&ifr) < 0) exit(1); tun_frags_enabled = (ifr.ifr_flags & IFF_NAPI_FRAGS) != 0; char sysctl[64]; sprintf(sysctl, "/proc/sys/net/ipv6/conf/%s/accept_dad", TUN_IFACE); write_file(sysctl, "0"); sprintf(sysctl, "/proc/sys/net/ipv6/conf/%s/router_solicitations", TUN_IFACE); write_file(sysctl, "0"); int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE); if (sock == -1) exit(1); netlink_add_addr4(sock, TUN_IFACE, LOCAL_IPV4); netlink_add_addr6(sock, TUN_IFACE, LOCAL_IPV6); uint64_t macaddr = REMOTE_MAC; struct in_addr in_addr; inet_pton(AF_INET, REMOTE_IPV4, &in_addr); netlink_add_neigh(sock, TUN_IFACE, &in_addr, sizeof(in_addr), &macaddr, ETH_ALEN); struct in6_addr in6_addr; inet_pton(AF_INET6, REMOTE_IPV6, &in6_addr); netlink_add_neigh(sock, TUN_IFACE, &in6_addr, sizeof(in6_addr), &macaddr, ETH_ALEN); macaddr = LOCAL_MAC; netlink_device_change(sock, TUN_IFACE, true, 0, &macaddr, ETH_ALEN); close(sock); } #define MAX_FRAGS 4 struct vnet_fragmentation { uint32_t full; uint32_t count; uint32_t frags[MAX_FRAGS]; }; static long syz_emit_ethernet(volatile long a0, volatile long a1, volatile long a2) { if (tunfd < 0) return (uintptr_t)-1; uint32_t length = a0; char* data = (char*)a1; struct vnet_fragmentation* frags = (struct vnet_fragmentation*)a2; struct iovec vecs[MAX_FRAGS + 1]; uint32_t nfrags = 0; if (!tun_frags_enabled || frags == NULL) { vecs[nfrags].iov_base = data; vecs[nfrags].iov_len = length; nfrags++; } else { bool full = true; uint32_t i, count = 0; full = frags->full; count = frags->count; if (count > MAX_FRAGS) count = MAX_FRAGS; for (i = 0; i < count && length != 0; i++) { uint32_t size = 0; size = frags->frags[i]; if (size > length) size = length; vecs[nfrags].iov_base = data; vecs[nfrags].iov_len = size; nfrags++; data += size; length -= size; } if (length != 0 && (full || nfrags == 0)) { vecs[nfrags].iov_base = data; vecs[nfrags].iov_len = length; nfrags++; } } return writev(tunfd, vecs, nfrags); } static void setup_common() { if (mount(0, "/sys/fs/fuse/connections", "fusectl", 0, 0)) { } } static void loop(); static void sandbox_common() { prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); setpgrp(); setsid(); struct rlimit rlim; rlim.rlim_cur = rlim.rlim_max = (200 << 20); setrlimit(RLIMIT_AS, &rlim); rlim.rlim_cur = rlim.rlim_max = 32 << 20; setrlimit(RLIMIT_MEMLOCK, &rlim); rlim.rlim_cur = rlim.rlim_max = 136 << 20; setrlimit(RLIMIT_FSIZE, &rlim); rlim.rlim_cur = rlim.rlim_max = 1 << 20; setrlimit(RLIMIT_STACK, &rlim); rlim.rlim_cur = rlim.rlim_max = 0; setrlimit(RLIMIT_CORE, &rlim); rlim.rlim_cur = rlim.rlim_max = 256; setrlimit(RLIMIT_NOFILE, &rlim); if (unshare(CLONE_NEWNS)) { } if (unshare(CLONE_NEWIPC)) { } if (unshare(0x02000000)) { } if (unshare(CLONE_NEWUTS)) { } if (unshare(CLONE_SYSVSEM)) { } typedef struct { const char* name; const char* value; } sysctl_t; static const sysctl_t sysctls[] = { {"/proc/sys/kernel/shmmax", "16777216"}, {"/proc/sys/kernel/shmall", "536870912"}, {"/proc/sys/kernel/shmmni", "1024"}, {"/proc/sys/kernel/msgmax", "8192"}, {"/proc/sys/kernel/msgmni", "1024"}, {"/proc/sys/kernel/msgmnb", "1024"}, {"/proc/sys/kernel/sem", "1024 1048576 500 1024"}, }; unsigned i; for (i = 0; i < sizeof(sysctls) / sizeof(sysctls[0]); i++) write_file(sysctls[i].name, sysctls[i].value); } int wait_for_loop(int pid) { if (pid < 0) exit(1); int status = 0; while (waitpid(-1, &status, __WALL) != pid) { } return WEXITSTATUS(status); } static void drop_caps(void) { struct __user_cap_header_struct cap_hdr = {}; struct __user_cap_data_struct cap_data[2] = {}; cap_hdr.version = _LINUX_CAPABILITY_VERSION_3; cap_hdr.pid = getpid(); if (syscall(SYS_capget, &cap_hdr, &cap_data)) exit(1); const int drop = (1 << CAP_SYS_PTRACE) | (1 << CAP_SYS_NICE); cap_data[0].effective &= ~drop; cap_data[0].permitted &= ~drop; cap_data[0].inheritable &= ~drop; if (syscall(SYS_capset, &cap_hdr, &cap_data)) exit(1); } static int do_sandbox_none(void) { if (unshare(CLONE_NEWPID)) { } int pid = fork(); if (pid != 0) return wait_for_loop(pid); setup_common(); sandbox_common(); drop_caps(); if (unshare(CLONE_NEWNET)) { } initialize_tun(); loop(); exit(1); } struct thread_t { int created, call; event_t ready, done; }; static struct thread_t threads[16]; static void execute_call(int call); static int running; static void* thr(void* arg) { struct thread_t* th = (struct thread_t*)arg; for (;;) { event_wait(&th->ready); event_reset(&th->ready); execute_call(th->call); __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED); event_set(&th->done); } return 0; } static void loop(void) { int i, call, thread; for (call = 0; call < 10; call++) { for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) { struct thread_t* th = &threads[thread]; if (!th->created) { th->created = 1; event_init(&th->ready); event_init(&th->done); event_set(&th->done); thread_start(thr, th); } if (!event_isset(&th->done)) continue; event_reset(&th->done); th->call = call; __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED); event_set(&th->ready); event_timedwait(&th->done, 45); break; } } for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++) sleep_ms(1); } uint64_t r[4] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff}; void execute_call(int call) { intptr_t res; switch (call) { case 0: res = syscall(__NR_pipe, 0x20000300); if (res != -1) { r[0] = *(uint32_t*)0x20000300; r[1] = *(uint32_t*)0x20000304; } break; case 1: res = syscall(__NR_socket, 0x11, 3, 0x300); if (res != -1) r[2] = res; break; case 2: *(uint16_t*)0x200000c0 = 0; *(uint8_t*)0x200000c2 = 0; *(uint8_t*)0x200000c3 = 0xfc; syscall(__NR_setsockopt, r[2], 0x107, 0x12, 0x200000c0, 4); break; case 3: res = syscall(__NR_socket, 2, 2, 0); if (res != -1) r[3] = res; break; case 4: syscall(__NR_fcntl, r[1], 0x407, 0); break; case 5: syscall(__NR_write, r[1], 0x20000140, 0x4240a2a0); break; case 6: *(uint16_t*)0x200002c0 = 2; *(uint16_t*)0x200002c2 = htobe16(0); *(uint8_t*)0x200002c4 = 0xac; *(uint8_t*)0x200002c5 = 0x14; *(uint8_t*)0x200002c6 = 0x14; *(uint8_t*)0x200002c7 = 0xaa; syscall(__NR_bind, r[3], 0x200002c0, 0x10); break; case 7: *(uint16_t*)0x20000040 = 2; *(uint16_t*)0x20000042 = htobe16(0); *(uint32_t*)0x20000044 = htobe32(0xe0000001); syscall(__NR_connect, r[3], 0x20000040, 0x10); break; case 8: syscall(__NR_splice, r[0], 0, r[3], 0, 0x30005, 0); break; case 9: memcpy( (void*)0x20000680, "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xbb\x86\xdd\x60\x50\xa0" "\x9c\x04\xd9\x2c\x00\xfe\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\xbb\xfe\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\xaa\x04\x20\x88\x0b\x03\xa2\x00\x00\x96\x2a\x19\xef\x82\x0f" "\x47\x47\x38\xe7\x9a\xe1\x76\xab\x5d\xd3\x98\x7c\xbb\x13\x66\xf4\x7a" "\x47\x8b\x57\xb6\xc4\x1c\xfa\x0b\x51\xf5\x02\x88\xe8\x14\x37\x41\xf9" "\x96\x9a\xda\x84\x94\x51\x6d\xc2\xc7\x07\x1b\x73\x79\xcb\x8a\x74\xce" "\x17\xda\x10\x4b\x27\xba\xea\xf5\x95\x1f\x39\x35\xda\x77\x3a\xae\xd5" "\x96\x11\x42\x41\x75\x5d\x58\x38\x82\xa7\xd5\x2a\xdd\x8a\x07\x8f\x00" "\x56\x1f\x77\xdf\xc7\x15\xc1\x00\xa4\x4d\xa0\xe5\x22\xf6\x5b\xf5\x2c" "\x2d\x29\x1d\xa6\xc1\xbf\x52\x93\xf1\x27\xf2\x24\x39\x70\x7a\xbc\x36" "\xfb\x15\x05\x50\x08\xae\x89\x69\x98\x99\x04\xd0\x6a\x81\x9e\xd2\x7b" "\xe7\x42\xfc\xa1\xae\xa7\x90\x97\x42\x4e\xb1\x41\xcd\x50\x74\xf4\x56" "\x5c\x2e\xf5\x93\xc2\x53\x29\x06\x33\x73\x31\xed\x35\x1b\x38\x0c\x90" "\x68\x89\xfb\xf3\xae\x21\x62\xca\x3c\x73\xe4\xe8\x3a\xe5\x37\xf8\x10" "\x09\x5c\x78\x6e\xc0\xbc\xaf\x53\x01\xe9\x2b\x61\x85\x82\xd3\xb6\x2c" "\x4f\x5a\xf0\x0a\x81\x40\x6c\x90\x1a\x1e\xe4\xc4\x8d\x94\xac\xf4\x33" "\xb4\xb5\xe7\xda\xc3\xf5\x8c\x4d\x7c\x21\xa3\xf1\xd7\xdc\x99\xe6\x32" "\x4a\x61\x93\x14\x33\xdb\x48\x70\x35\x6e\x1c\x4e\x46\x98\xf5\x6e\xe2" "\xc5\x92\x3f\xb9\x33\xac\x8b\x75\xa7\x25\x68\x26\x44\xbb\x45\x9c\x09" "\x1e\x58\xf5\x4b\xb9\x79\x0a\x92\xd0\x64\x82\x4e\x48\x8c\x7d\x93\xb4" "\xa2\x99\xf7\x98\xd3\x53\xa9\xf7\x87\x8e\x00\x7c\x28\x79\x8e\x6a\xa7" "\x85\x2b\xfb\x03\x63\x78\xea\x58\xc6\x1a\x16\x2b\xef\x4d\xac\x9e\x07" "\xdb\xcd\xf3\xb2\x4b\x26\x31\xec\x75\x84\x3c\x22\x1d\x81\xb9\x06\xbb" "\xec\x10\xd9\x4a\x90\x3d\x4e\x24\xbb\x81\x63\xdf\x8c\x1d\x81\xe3\x33" "\x23\x1e\x32\xe1\x20\xeb\x8a\xbf\x73\x7c\x47\x0b\x4a\xc8\x07\x54\xd4" "\xa1\x19\x5f\x16\x2b\x05\xfc\x50\xef\x67\x09\x5c\x93\x87\x25\xb8\xe3" "\xe1\xa0\x74\x16\xbe\x73\x14\x09\xd8\x91\xda\x9c\x78\x23\x19\x88\x1e" "\x27\xe5\x66\xc2\xdb\xe9\x88\xb8\x85\xe9\xb1\x79\xa9\x8f\x6a\x64\x09" "\xa7\xd8\xbb\x33\x93\x5b\x31\xc0\x05\x42\xe9\xfe\x5c\xbd\xad\xa9\x37" "\x64\xa3\x85\xc1\x48\x07\xee\x59\xd5\xbe\xd5\x96\xbd\xd6\x6c\xea\xe1" "\xb9\xdc\xbf\x47\x90\xb1\xdb\x6e\x9b\xd5\x6c\x1c\x5f\x44\xe1\x0a\x58" "\x8a\xcd\x11\x58\xe5\x23\xaf\x7b\x18\xf0\x85\xde\x8a\x73\x95\x1c\xa5" "\x33\xfa\x44\x1a\x51\x19\x05\x5f\xf5\x72\xab\xe6\xdd\x95\xb9\xa0\x03" "\xd0\x48\x1c\x8c\x00\xfc\xa4\x68\x78\x4f\x7a\xe7\xb1\x7d\xdd\xec\x2f" "\x8c\x05\x1c\xa9\xa9\xc9\xa8\x3d\xa9\x82\xd4\x05\x8b\x13\x62\xa0\x28" "\x33\xd4\x70\x48\x29\x83\x5f\x1e\xf8\xd7\x48\xee\xd9\xff\xa9\x86\x3d" "\x1c\xfa\x9d\xc5\x55\x77\x37\xc9\x27\x20\xb5\x0a\x5d\x9e\x00\x4e\x5f" "\x68\xae\x16\xaf\x56\x1c\x9a\x2f\xa0\x4b\xa2\xe8\x91\xc6\x7d\xa4\x4c" "\x3a\x48\x3e\xbf\xb1\xda\x6b\x61\x17\xa2\xdf\xc3\x63\xff\xea\x4e\xbd" "\x5b\x05\x64\x06\x4b\x6a\x65\xb9\xa1\xa1\x9c\x62\xbc\x37\x1d\x29\xb9" "\x0a\x38\x21\x76\xdd\x26\x18\x74\x37\xa8\x50\x1d\x29\x83\xd7\x22\x74" "\x72\xd4\xab\xbe\x41\xa1\xe4\xa3\x8c\xe9\x25\x0e\xdb\x26\x1d\x47\x78" "\x76\x1b\x79\xdc\xd8\x73\x6e\x98\x70\xe0\x9d\xcb\x96\x0a\x36\xf7\xa8" "\xee\x80\x13\x40\xaf\x32\x8a\x65\x5a\xfd\x7b\x7f\x1d\xe9\x6a\xb0\x14" "\x66\x43\x8c\x78\xb2\xd0\xc8\x06\x4a\x2b\x1e\x68\xd9\x60\x80\x34\x41" "\x53\xb6\x60\x38\x15\x2b\x85\xdb\x54\x6b\xf6\xb6\x36\x76\xe8\x3b\x2c" "\x28\xc9\x4f\x7b\x0c\x92\xd3\xdc\xbd\xf3\x8f\x43\x45\x58\xe0\x94\x82" "\x46\xf0\x3a\xa7\xe7\x03\xa1\x40\x83\xb8\xef\x1a\x65\x54\xa7\x97\x65" "\x7c\xcc\x8c\xe4\xdc\x3a\xb8\x69\x29\xdf\xf9\x5c\x00\x77\x8e\x82\x06" "\x3b\x7a\x2e\x7f\x3b\x4e\x66\x90\xad\x4e\x24\x33\x13\x58\xff\xe4\xe5" "\xde\x4d\xaf\x48\x8a\xf0\x0d\xf5\x4b\xad\xeb\x3c\x58\x1d\x93\xd5\x2a" "\x2e\xc0\x7d\x38\x01\x55\xe6\x04\x6d\x22\x69\x9f\x65\x8a\x67\x0d\x47" "\xec\xb3\xa5\xcc\x7c\xa2\x8f\xe7\x84\x49\x32\xa9\x48\x19\xe7\xf8\x68" "\x0e\xa5\xc1\x07\xe8\x54\xbe\x31\x15\x81\x3a\xb1\x1f\x4b\x1d\x73\x6b" "\xe1\xc8\x95\xb9\x85\xad\x24\x06\x36\xd8\xf9\x6a\x38\x0a\x24\x53\x74" "\x02\x16\x4a\x01\x10\x69\xc2\x5b\x05\x5a\x1a\xa7\xf5\x8d\x9b\xa0\x77" "\x01\x96\xb6\xb4\x2a\x80\xc0\x0f\x0d\x0b\xfb\xf9\x14\xb0\x11\xd7\x9e" "\x9c\xec\x63\x15\x65\xc6\xcc\xe0\xa6\xf0\x61\x10\x66\xa1\x41\x33\x00" "\x00\x08\x00\x28\x1b\x2c\xb8\x85\x53\xb3\x05\x65\xeb\xa7\x1f\xbe\x23" "\xb7\x96\xd4\x7e\xa5\xcd\xf7\xfb\xd5\x1e\xf3\x08\x07\x50\xb1\xba\x6c" "\xd0\xc7\x40\xe7\x9c\x82\x7d\x17\x3d\xeb\xf0\xf0\xb4\xc8\x9d\xac\xe3" "\x19\xba\x93\x7a\x6f\x70\xa3\x2c\x68\x42\x0b\xc7\xe0\x56\x6f\xa0\xb2" "\x38\xf8\x54\x74\x2d\xb4\xff\xfc\x52\x1d\xc2\xab\xc1\xc9\xf1\x02\x39" "\xc9\x04\x3e\x4a\x3a\x0f\x44\x7c\xf2\x76\xe1\x4d\xbf\xd1\xf8\x00\x0c" "\x46\xfc\xec\xc1\x9a\x35\xc7\xb8\x63\x10\x00\x00\x86\xdd\x00\x00\x00" "\x00\x00\x00\xa7\x7e\xe6\xb4\x75\xe4\x67\xfc\x42\x73\x42\xd5\xc6\xbb" "\x82\xc6\x50\x37\xb6\x08\x00\x88\xbe\x00\x00\x00\x00\x10\x00\x00\x00" "\x01\x00\x00\x00\x00\x00\x00\x00\x08\x00\x22\xeb\x00\x00\x00\x00\x20" "\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x00" "\x65\x58\x00\x00\x00\x00\x29\x1a\xe3\x1f\x74\x65\x0e\x26\xa0\x94\x44" "\xe9\x00\xbc\x47\x14\xfa\xca\xaa\xbd\xbe\x51\x50\x82\x2f\x27\xb7\x4f" "\x47\xb8\x44\xc1\x28\x3a\x65\xe1\x65\x0a\xf9\x6e\xb8\xfa\x5d\x6d\x45" "\x37\xaf\x26\xc8\xa8\x8e\x00\xf1\xfe\xa4\x39\x7c\x45\x1f\x0f\x4c\xfb" "\xc5\x40\xec\x5f\xe3\x00\x5d\xb7\x0f\x1c\x15\x1b\x9f\x14\x9c\xd2\xd7" "\xff\x90\x3e\x16\x04\x89\x6c\xbb\xe6\x1b\xcf\xfb\x99\xe7\x6c\x0d\x6b" "\x03\x1e\x80", 1295); syz_emit_ethernet(0x50f, 0x20000680, 0); break; } } int main(void) { syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0); do_sandbox_none(); return 0; }