// https://syzkaller.appspot.com/bug?id=286166aa4744abfe4a5d2b5f6eb4796575004992
// autogenerated by syzkaller (https://github.com/google/syzkaller)

/*
 * Review notes on the structure of this reproducer (only what the file shows):
 *  - main() maps a fixed 16 MiB anonymous region at 0x20000000 and then calls
 *    loop(); every fixed address written in execute_call() lies inside that
 *    region, so execute_call() must never run before that mmap.
 *  - loop() runs the 43 numbered calls twice: a sequential pass (each call
 *    handed to a free worker thread and waited on for up to 45 ms), then a
 *    "collide" pass in which even-numbered calls are dispatched without
 *    waiting, so call 2k and call 2k+1 can execute concurrently.
 *  - r[] holds descriptors captured from the calls that produce them; slots
 *    start as all-ones (-1 when cast to long), so a dependent call sees an
 *    invalid fd until its producer has succeeded.
 *  - The file is collapsed onto a few lines on this page; the formatting below
 *    is a reconstruction, the tokens are unchanged.
 */

#define _GNU_SOURCE

// NOTE(review): the 17 #include directives lost their header names during
// extraction; they are kept exactly as found and will not preprocess as-is.
#include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include

/* Sleep for ms milliseconds (usleep takes microseconds). */
static void sleep_ms(uint64_t ms)
{
	usleep(ms * 1000);
}

/* Monotonic clock in milliseconds; a clock_gettime() failure aborts the process. */
static uint64_t current_time_ms(void)
{
	struct timespec ts;
	if (clock_gettime(CLOCK_MONOTONIC, &ts))
		exit(1);
	return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}

/*
 * Start a worker thread with a 128 KiB stack. The pthread_t is discarded:
 * workers are never joined (thr() below loops forever). Failure to create
 * the thread aborts the process.
 */
static void thread_start(void* (*fn)(void*), void* arg)
{
	pthread_t th;
	pthread_attr_t attr;
	pthread_attr_init(&attr);
	pthread_attr_setstacksize(&attr, 128 << 10);
	if (pthread_create(&th, &attr, fn, arg))
		exit(1);
	pthread_attr_destroy(&attr);
}

/* One-shot binary event built on a futex word: 0 = clear, 1 = set. */
typedef struct {
	int state;
} event_t;

static void event_init(event_t* ev)
{
	ev->state = 0;
}

/* Plain (non-atomic) clear; callers only do this from the side that owns the event. */
static void event_reset(event_t* ev)
{
	ev->state = 0;
}

/*
 * Set the event and wake any futex waiter. Setting an already-set event is
 * treated as a harness bug and aborts the process.
 */
static void event_set(event_t* ev)
{
	if (ev->state)
		exit(1);
	__atomic_store_n(&ev->state, 1, __ATOMIC_RELEASE);
	syscall(SYS_futex, &ev->state, FUTEX_WAKE | FUTEX_PRIVATE_FLAG);
}

/* Block until the event is set (FUTEX_WAIT returns early on spurious wakeups, hence the loop). */
static void event_wait(event_t* ev)
{
	while (!__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE))
		syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, 0);
}

static int event_isset(event_t* ev)
{
	return __atomic_load_n(&ev->state, __ATOMIC_ACQUIRE);
}

/*
 * Wait for the event for at most timeout milliseconds.
 * Returns 1 if the event became set, 0 on timeout. The remaining time is
 * recomputed after every wakeup; the "now - start > timeout" check at the
 * bottom guarantees "remain" never underflows on the next iteration.
 */
static int event_timedwait(event_t* ev, uint64_t timeout)
{
	uint64_t start = current_time_ms();
	uint64_t now = start;
	for (;;) {
		uint64_t remain = timeout - (now - start);
		struct timespec ts;
		ts.tv_sec = remain / 1000;
		ts.tv_nsec = (remain % 1000) * 1000 * 1000;
		syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, &ts);
		if (__atomic_load_n(&ev->state, __ATOMIC_RELAXED))
			return 1;
		now = current_time_ms();
		if (now - start > timeout)
			return 0;
	}
}

/*
 * Open a procfs entry relative to the calling task.
 *   a0 ==  0 -> /proc/self/<a1>
 *   a0 == -1 -> /proc/thread-self/<a1>
 *   otherwise -> /proc/self/task/<a0>/<a1>
 * a1 is a (char*) path suffix; a NULL a1 is formatted by snprintf as "(null)"
 * on glibc, which is what the callers passing 0 rely on. Tries O_RDWR first,
 * then O_RDONLY. Returns the fd or -1.
 */
static long syz_open_procfs(long a0, long a1)
{
	char buf[128];
	memset(buf, 0, sizeof(buf));
	if (a0 == 0) {
		snprintf(buf, sizeof(buf), "/proc/self/%s", (char*)a1);
	} else if (a0 == -1) {
		snprintf(buf, sizeof(buf), "/proc/thread-self/%s", (char*)a1);
	} else {
		snprintf(buf, sizeof(buf), "/proc/self/task/%d/%s", (int)a0, (char*)a1);
	}
	int fd = open(buf, O_RDWR);
	if (fd == -1)
		fd = open(buf, O_RDONLY);
	return fd;
}

/*
 * Resolve a generic-netlink family name (a char* passed as long) to its
 * numeric family id via a CTRL_CMD_GETFAMILY request on a fresh
 * NETLINK_GENERIC socket. Returns the id or -1 on any failure.
 * The reply is parsed from the same 512-byte buffer that held the request.
 * NOTE(review): the attribute walk trusts nla_len from the kernel reply
 * (no lower bound check); fine for a reproducer talking to its own kernel.
 */
static long syz_genetlink_get_family_id(long name)
{
	char buf[512] = {0};
	struct nlmsghdr* hdr = (struct nlmsghdr*)buf;
	struct genlmsghdr* genlhdr = (struct genlmsghdr*)NLMSG_DATA(hdr);
	struct nlattr* attr = (struct nlattr*)(genlhdr + 1);
	hdr->nlmsg_len = sizeof(*hdr) + sizeof(*genlhdr) + sizeof(*attr) + GENL_NAMSIZ;
	hdr->nlmsg_type = GENL_ID_CTRL;
	hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
	genlhdr->cmd = CTRL_CMD_GETFAMILY;
	attr->nla_type = CTRL_ATTR_FAMILY_NAME;
	attr->nla_len = sizeof(*attr) + GENL_NAMSIZ;
	/* buf is zeroed, so a name shorter than GENL_NAMSIZ stays NUL-terminated. */
	strncpy((char*)(attr + 1), (char*)name, GENL_NAMSIZ);
	struct iovec iov = {hdr, hdr->nlmsg_len};
	struct sockaddr_nl addr = {0};
	addr.nl_family = AF_NETLINK;
	int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC);
	if (fd == -1) {
		return -1;
	}
	struct msghdr msg = {&addr, sizeof(addr), &iov, 1, NULL, 0, 0};
	if (sendmsg(fd, &msg, 0) == -1) {
		close(fd);
		return -1;
	}
	ssize_t n = recv(fd, buf, sizeof(buf), 0);
	close(fd);
	if (n <= 0) {
		return -1;
	}
	if (hdr->nlmsg_type != GENL_ID_CTRL) {
		return -1;
	}
	/* Walk the reply's attributes looking for the family id. */
	for (; (char*)attr < buf + n; attr = (struct nlattr*)((char*)attr + NLMSG_ALIGN(attr->nla_len))) {
		if (attr->nla_type == CTRL_ATTR_FAMILY_ID)
			return *(uint16_t*)(attr + 1);
	}
	return -1;
}

/* Per-worker state: "ready" is signalled by loop(), "done" by the worker. */
struct thread_t {
	int created, call;
	event_t ready, done;
};

static struct thread_t threads[16];
/* Defined below without "static"; this prior declaration gives it internal linkage. */
static void execute_call(int call);
/* Number of calls currently executing on worker threads. */
static int running;

/* Worker body: wait for a call index, execute it, signal completion, repeat forever. */
static void* thr(void* arg)
{
	struct thread_t* th = (struct thread_t*)arg;
	for (;;) {
		event_wait(&th->ready);
		event_reset(&th->ready);
		execute_call(th->call);
		__atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED);
		event_set(&th->done);
	}
	return 0;
}

/*
 * Dispatch calls 0..42 over the worker pool.
 * Pass 1 (collide == 0): each call goes to the first idle worker and is
 * waited on for up to 45 ms; a call that overruns keeps its worker busy and
 * the next call simply picks another worker.
 * Pass 2 (collide == 1): even-numbered calls are dispatched without waiting,
 * so they race with the following odd-numbered call.
 * Between passes, wait up to ~100 ms for "running" to drain.
 */
static void loop(void)
{
	int i, call, thread;
	int collide = 0;
again:
	for (call = 0; call < 43; call++) {
		for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) {
			struct thread_t* th = &threads[thread];
			if (!th->created) {
				th->created = 1;
				event_init(&th->ready);
				event_init(&th->done);
				event_set(&th->done); /* a fresh worker starts out idle */
				thread_start(thr, th);
			}
			if (!event_isset(&th->done))
				continue; /* still busy with an earlier call */
			event_reset(&th->done);
			th->call = call;
			__atomic_fetch_add(&running, 1, __ATOMIC_RELAXED);
			event_set(&th->ready);
			if (collide && (call % 2) == 0)
				break;
			event_timedwait(&th->done, 45);
			break;
		}
	}
	for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++)
		sleep_ms(1);
	if (!collide) {
		collide = 1;
		goto again;
	}
}

/*
 * Syscall-number fallbacks for toolchains whose headers lack them.
 * NOTE(review): these values, together with the __NR_mmap -> __NR_mmap2
 * redirect at the end, look like the 32-bit x86 table — confirm against the
 * target architecture before reusing elsewhere.
 */
#ifndef __NR_creat
#define __NR_creat 8
#endif
#ifndef __NR_fcntl
#define __NR_fcntl 55
#endif
#ifndef __NR_futex
#define __NR_futex 240
#endif
#ifndef __NR_getegid
#define __NR_getegid 50
#endif
#ifndef __NR_getgid
#define __NR_getgid 47
#endif
#ifndef __NR_io_setup
#define __NR_io_setup 245
#endif
#ifndef __NR_ioctl
#define __NR_ioctl 54
#endif
#ifndef __NR_memfd_create
#define __NR_memfd_create 356
#endif
#ifndef __NR_mmap
#define __NR_mmap 192
#endif
#ifndef __NR_openat
#define __NR_openat 295
#endif
#ifndef __NR_pipe
#define __NR_pipe 42
#endif
#ifndef __NR_ppoll
#define __NR_ppoll 309
#endif
#ifndef __NR_read
#define __NR_read 3
#endif
#ifndef __NR_recvmmsg
#define __NR_recvmmsg 337
#endif
#ifndef __NR_sendmsg
#define __NR_sendmsg 370
#endif
#ifndef __NR_sendto
#define __NR_sendto 369
#endif
#ifndef __NR_setsockopt
#define __NR_setsockopt 366
#endif
#ifndef __NR_setxattr
#define __NR_setxattr 226
#endif
#ifndef __NR_socket
#define __NR_socket 359
#endif
#ifndef __NR_uname
#define __NR_uname 122
#endif
#ifndef __NR_write
#define __NR_write 4
#endif
#ifndef __NR_writev
#define __NR_writev 146
#endif
/* Every "mmap" below is issued as mmap2 (page-offset variant). */
#undef __NR_mmap
#define __NR_mmap __NR_mmap2

/*
 * Resource slots filled by execute_call():
 *   r[0] fd from openat (case 7)      r[3] AF_INET/SOCK_DGRAM socket (case 20)
 *   r[1] AF_INET/SOCK_STREAM socket   r[4] AF_NETLINK socket (case 28)
 *        (case 10)                    r[5] memfd (case 38)
 *   r[2] read end of the pipe (case 15)
 * All start as all-ones, i.e. -1 once cast to long.
 */
uint64_t r[6] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff,
		 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff};

/*
 * Execute one numbered call of the program. Fixed addresses are inside the
 * region mapped by main(). Calls on fd -1 cannot reach a driver and fail
 * with EBADF; they are kept because the generator emitted them.
 * 0xffffff9c is AT_FDCWD as a 32-bit value.
 */
void execute_call(int call)
{
	long res;
	switch (call) {
	case 0:
		syscall(__NR_openat, 0xffffff9c, 0, 0, 0);
		break;
	case 1:
		syscall(__NR_getegid);
		break;
	case 2:
		/* fd -1; 0x400454ca looks like TUNSETIFF — not reachable with an invalid fd. */
		syscall(__NR_ioctl, -1, 0x400454ca, 0);
		break;
	case 3:
		syscall(__NR_io_setup, 0x2b0, 0x20000040);
		break;
	case 4:
		syz_open_procfs(0, 0);
		break;
	case 5:
		syscall(__NR_uname, 0);
		break;
	case 6:
		syscall(__NR_setsockopt, -1, 0x107, 5, 0, 0);
		break;
	case 7:
		/* Producer for r[0]. */
		res = syscall(__NR_openat, 0xffffff9c, 0, 0x2000, 0);
		if (res != -1)
			r[0] = res;
		break;
	case 8:
		syscall(__NR_ioctl, (long)r[0], 0x5411, 0);
		break;
	case 9:
		/* Opens /proc/self/net/ip6_tables_matches (a0 == 0 path of syz_open_procfs). */
		memcpy((void*)0x20000180, "net/ip6_tables_matches\x00", 23);
		syz_open_procfs(0, 0x20000180);
		break;
	case 10:
		/* Producer for r[1]: socket(AF_INET, SOCK_STREAM, 0). */
		res = syscall(__NR_socket, 2, 1, 0);
		if (res != -1)
			r[1] = res;
		break;
	case 11:
		/* level 1 = SOL_SOCKET, optname 0x1a with a NULL/0-length value. */
		syscall(__NR_setsockopt, (long)r[1], 1, 0x1a, 0, 0);
		break;
	case 12:
		/*
		 * 13-byte sockaddr: family 2 (AF_INET), port htobe16(0x4e26),
		 * address 172.20.20.170; sendto() on r[1] with a NULL buffer.
		 */
		*(uint16_t*)0x20e68000 = 2;
		*(uint16_t*)0x20e68002 = htobe16(0x4e26);
		*(uint8_t*)0x20e68004 = 0xac;
		*(uint8_t*)0x20e68005 = 0x14;
		*(uint8_t*)0x20e68006 = 0x14;
		*(uint8_t*)0x20e68007 = 0xaa;
		syscall(__NR_sendto, (long)r[1], 0, 0, 0x200007fd, 0x20e68000, 0xd);
		break;
	case 13:
		syscall(__NR_ppoll, 0, 0, 0, 0, 0);
		break;
	case 14:
		syscall(__NR_fcntl, -1, 4, 0);
		break;
	case 15:
		/* Producer for r[2]: first element of the pipe fd pair (read end). */
		res = syscall(__NR_pipe, 0x20000040);
		if (res != -1)
			r[2] = *(uint32_t*)0x20000040;
		break;
	case 16:
		syscall(__NR_read, (long)r[2], 0, 0);
		break;
	case 17:
		syz_open_procfs(-1, 0);
		break;
	case 18:
		/* Timeout struct {0 s, 0x989680 ns = 10 ms} as two 32-bit words (consistent with a 32-bit ABI). */
		*(uint32_t*)0x20003b40 = 0;
		*(uint32_t*)0x20003b44 = 0x989680;
		syscall(__NR_recvmmsg, (long)r[1], 0, 0, 0, 0x20003b40);
		break;
	case 19:
		syscall(__NR_openat, 0xffffff9c, 0, 0, 0);
		break;
	case 20:
		/* Producer for r[3]: socket(AF_INET, SOCK_DGRAM, 0). */
		res = syscall(__NR_socket, 2, 2, 0);
		if (res != -1)
			r[3] = res;
		break;
	case 21:
		/*
		 * Builds a table-replace blob at 0x20000d40: 32-byte name "filter",
		 * valid_hooks 7, 4 entries, size 0xfffffea5, hook_entry/underflow
		 * arrays, 4 counters at 0x20000340 (never initialised on this page),
		 * then entries carrying target names "mangle"/"LED" and interface
		 * names "eql", "bcsf0", "ip6gre0", "ip6_vti0". Sent with
		 * setsockopt(r[3], level 0 (SOL_IP), optname 0x60, optlen 0xffffff16).
		 * NOTE(review): the layout and optname 0x60 are consistent with an
		 * arp_tables ARPT_SO_SET_REPLACE request — inferred, not confirmed.
		 */
		memcpy((void*)0x20000d40, "filter\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00", 32);
		*(uint32_t*)0x20000d60 = 7;
		*(uint32_t*)0x20000d64 = 4;
		*(uint32_t*)0x20000d68 = 0xfffffea5;
		*(uint32_t*)0x20000d6c = 0x280;
		*(uint32_t*)0x20000d70 = 0;
		*(uint32_t*)0x20000d74 = 0x3b4;
		*(uint32_t*)0x20000d78 = 0x3b4;
		*(uint32_t*)0x20000d7c = 0x3b4;
		*(uint32_t*)0x20000d80 = 0x3b4;
		*(uint32_t*)0x20000d84 = 4;
		*(uint32_t*)0x20000d88 = 0x20000340;
		/* 164 zero bytes, 0x20000d8c..0x20000e2f. */
		*(uint8_t*)0x20000d8c = 0; *(uint8_t*)0x20000d8d = 0; *(uint8_t*)0x20000d8e = 0; *(uint8_t*)0x20000d8f = 0;
		*(uint8_t*)0x20000d90 = 0; *(uint8_t*)0x20000d91 = 0; *(uint8_t*)0x20000d92 = 0; *(uint8_t*)0x20000d93 = 0;
		*(uint8_t*)0x20000d94 = 0; *(uint8_t*)0x20000d95 = 0; *(uint8_t*)0x20000d96 = 0; *(uint8_t*)0x20000d97 = 0;
		*(uint8_t*)0x20000d98 = 0; *(uint8_t*)0x20000d99 = 0; *(uint8_t*)0x20000d9a = 0; *(uint8_t*)0x20000d9b = 0;
		*(uint8_t*)0x20000d9c = 0; *(uint8_t*)0x20000d9d = 0; *(uint8_t*)0x20000d9e = 0; *(uint8_t*)0x20000d9f = 0;
		*(uint8_t*)0x20000da0 = 0; *(uint8_t*)0x20000da1 = 0; *(uint8_t*)0x20000da2 = 0; *(uint8_t*)0x20000da3 = 0;
		*(uint8_t*)0x20000da4 = 0; *(uint8_t*)0x20000da5 = 0; *(uint8_t*)0x20000da6 = 0; *(uint8_t*)0x20000da7 = 0;
		*(uint8_t*)0x20000da8 = 0; *(uint8_t*)0x20000da9 = 0; *(uint8_t*)0x20000daa = 0; *(uint8_t*)0x20000dab = 0;
		*(uint8_t*)0x20000dac = 0; *(uint8_t*)0x20000dad = 0; *(uint8_t*)0x20000dae = 0; *(uint8_t*)0x20000daf = 0;
		*(uint8_t*)0x20000db0 = 0; *(uint8_t*)0x20000db1 = 0; *(uint8_t*)0x20000db2 = 0; *(uint8_t*)0x20000db3 = 0;
		*(uint8_t*)0x20000db4 = 0; *(uint8_t*)0x20000db5 = 0; *(uint8_t*)0x20000db6 = 0; *(uint8_t*)0x20000db7 = 0;
		*(uint8_t*)0x20000db8 = 0; *(uint8_t*)0x20000db9 = 0; *(uint8_t*)0x20000dba = 0; *(uint8_t*)0x20000dbb = 0;
		*(uint8_t*)0x20000dbc = 0; *(uint8_t*)0x20000dbd = 0; *(uint8_t*)0x20000dbe = 0; *(uint8_t*)0x20000dbf = 0;
		*(uint8_t*)0x20000dc0 = 0; *(uint8_t*)0x20000dc1 = 0; *(uint8_t*)0x20000dc2 = 0; *(uint8_t*)0x20000dc3 = 0;
		*(uint8_t*)0x20000dc4 = 0; *(uint8_t*)0x20000dc5 = 0; *(uint8_t*)0x20000dc6 = 0; *(uint8_t*)0x20000dc7 = 0;
		*(uint8_t*)0x20000dc8 = 0; *(uint8_t*)0x20000dc9 = 0; *(uint8_t*)0x20000dca = 0; *(uint8_t*)0x20000dcb = 0;
		*(uint8_t*)0x20000dcc = 0; *(uint8_t*)0x20000dcd = 0; *(uint8_t*)0x20000dce = 0; *(uint8_t*)0x20000dcf = 0;
		*(uint8_t*)0x20000dd0 = 0; *(uint8_t*)0x20000dd1 = 0; *(uint8_t*)0x20000dd2 = 0; *(uint8_t*)0x20000dd3 = 0;
		*(uint8_t*)0x20000dd4 = 0; *(uint8_t*)0x20000dd5 = 0; *(uint8_t*)0x20000dd6 = 0; *(uint8_t*)0x20000dd7 = 0;
		*(uint8_t*)0x20000dd8 = 0; *(uint8_t*)0x20000dd9 = 0; *(uint8_t*)0x20000dda = 0; *(uint8_t*)0x20000ddb = 0;
		*(uint8_t*)0x20000ddc = 0; *(uint8_t*)0x20000ddd = 0; *(uint8_t*)0x20000dde = 0; *(uint8_t*)0x20000ddf = 0;
		*(uint8_t*)0x20000de0 = 0; *(uint8_t*)0x20000de1 = 0; *(uint8_t*)0x20000de2 = 0; *(uint8_t*)0x20000de3 = 0;
		*(uint8_t*)0x20000de4 = 0; *(uint8_t*)0x20000de5 = 0; *(uint8_t*)0x20000de6 = 0; *(uint8_t*)0x20000de7 = 0;
		*(uint8_t*)0x20000de8 = 0; *(uint8_t*)0x20000de9 = 0; *(uint8_t*)0x20000dea = 0; *(uint8_t*)0x20000deb = 0;
		*(uint8_t*)0x20000dec = 0; *(uint8_t*)0x20000ded = 0; *(uint8_t*)0x20000dee = 0; *(uint8_t*)0x20000def = 0;
		*(uint8_t*)0x20000df0 = 0; *(uint8_t*)0x20000df1 = 0; *(uint8_t*)0x20000df2 = 0; *(uint8_t*)0x20000df3 = 0;
		*(uint8_t*)0x20000df4 = 0; *(uint8_t*)0x20000df5 = 0; *(uint8_t*)0x20000df6 = 0; *(uint8_t*)0x20000df7 = 0;
		*(uint8_t*)0x20000df8 = 0; *(uint8_t*)0x20000df9 = 0; *(uint8_t*)0x20000dfa = 0; *(uint8_t*)0x20000dfb = 0;
		*(uint8_t*)0x20000dfc = 0; *(uint8_t*)0x20000dfd = 0; *(uint8_t*)0x20000dfe = 0; *(uint8_t*)0x20000dff = 0;
		*(uint8_t*)0x20000e00 = 0; *(uint8_t*)0x20000e01 = 0; *(uint8_t*)0x20000e02 = 0; *(uint8_t*)0x20000e03 = 0;
		*(uint8_t*)0x20000e04 = 0; *(uint8_t*)0x20000e05 = 0; *(uint8_t*)0x20000e06 = 0; *(uint8_t*)0x20000e07 = 0;
		*(uint8_t*)0x20000e08 = 0; *(uint8_t*)0x20000e09 = 0; *(uint8_t*)0x20000e0a = 0; *(uint8_t*)0x20000e0b = 0;
		*(uint8_t*)0x20000e0c = 0; *(uint8_t*)0x20000e0d = 0; *(uint8_t*)0x20000e0e = 0; *(uint8_t*)0x20000e0f = 0;
		*(uint8_t*)0x20000e10 = 0; *(uint8_t*)0x20000e11 = 0; *(uint8_t*)0x20000e12 = 0; *(uint8_t*)0x20000e13 = 0;
		*(uint8_t*)0x20000e14 = 0; *(uint8_t*)0x20000e15 = 0; *(uint8_t*)0x20000e16 = 0; *(uint8_t*)0x20000e17 = 0;
		*(uint8_t*)0x20000e18 = 0; *(uint8_t*)0x20000e19 = 0; *(uint8_t*)0x20000e1a = 0; *(uint8_t*)0x20000e1b = 0;
		*(uint8_t*)0x20000e1c = 0; *(uint8_t*)0x20000e1d = 0; *(uint8_t*)0x20000e1e = 0; *(uint8_t*)0x20000e1f = 0;
		*(uint8_t*)0x20000e20 = 0; *(uint8_t*)0x20000e21 = 0; *(uint8_t*)0x20000e22 = 0; *(uint8_t*)0x20000e23 = 0;
		*(uint8_t*)0x20000e24 = 0; *(uint8_t*)0x20000e25 = 0; *(uint8_t*)0x20000e26 = 0; *(uint8_t*)0x20000e27 = 0;
		*(uint8_t*)0x20000e28 = 0; *(uint8_t*)0x20000e29 = 0; *(uint8_t*)0x20000e2a = 0; *(uint8_t*)0x20000e2b = 0;
		*(uint8_t*)0x20000e2c = 0; *(uint8_t*)0x20000e2d = 0; *(uint8_t*)0x20000e2e = 0; *(uint8_t*)0x20000e2f = 0;
		/* First entry trailer + target header ("mangle", size 0x50). */
		*(uint16_t*)0x20000e5e = 0xfe10;
		*(uint16_t*)0x20000e60 = 0x140;
		*(uint32_t*)0x20000e64 = 0;
		*(uint64_t*)0x20000e6c = 0;
		*(uint64_t*)0x20000e74 = 0;
		*(uint16_t*)0x20000e7c = 0x50;
		memcpy((void*)0x20000e7e, "mangle\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00", 29);
		*(uint8_t*)0x20000e9b = 0; *(uint8_t*)0x20000e9c = 0; *(uint8_t*)0x20000e9d = 0; *(uint8_t*)0x20000e9e = 0;
		*(uint8_t*)0x20000e9f = 0; *(uint8_t*)0x20000ea0 = 0; *(uint8_t*)0x20000ea1 = 0; *(uint8_t*)0x20000ea2 = 0;
		*(uint8_t*)0x20000ea3 = 0; *(uint8_t*)0x20000ea4 = 0; *(uint8_t*)0x20000ea5 = 0; *(uint8_t*)0x20000ea6 = 0;
		*(uint8_t*)0x20000ea7 = 0; *(uint8_t*)0x20000ea8 = 0; *(uint8_t*)0x20000ea9 = 0; *(uint8_t*)0x20000eaa = 0;
		*(uint8_t*)0x20000eab = 0;
		*(uint8_t*)0x20000eac = 0xaa; *(uint8_t*)0x20000ead = 0xaa; *(uint8_t*)0x20000eae = 0xaa;
		*(uint8_t*)0x20000eaf = 0xaa; *(uint8_t*)0x20000eb0 = 0xaa; *(uint8_t*)0x20000eb1 = 0xaa;
		*(uint32_t*)0x20000ebc = htobe32(0x7f000001);
		*(uint32_t*)0x20000ec0 = htobe32(0x1f);
		*(uint8_t*)0x20000ec4 = 8;
		*(uint32_t*)0x20000ec8 = -1;
		*(uint32_t*)0x20000ecc = htobe32(0);
		*(uint32_t*)0x20000ed0 = htobe32(0xe0000001);
		*(uint32_t*)0x20000ed4 = htobe32(0xff);
		*(uint32_t*)0x20000ed8 = htobe32(0);
		*(uint8_t*)0x20000edc = 0; *(uint8_t*)0x20000edd = 0; *(uint8_t*)0x20000ede = 0; *(uint8_t*)0x20000edf = 0;
		*(uint8_t*)0x20000ee0 = 0; *(uint8_t*)0x20000ee1 = 0; *(uint8_t*)0x20000ee2 = 0; *(uint8_t*)0x20000ee3 = 0;
		*(uint8_t*)0x20000ee4 = 0; *(uint8_t*)0x20000ee5 = 0; *(uint8_t*)0x20000ee6 = 0; *(uint8_t*)0x20000ee7 = 0;
		*(uint8_t*)0x20000ee8 = 0; *(uint8_t*)0x20000ee9 = 0; *(uint8_t*)0x20000eea = 0; *(uint8_t*)0x20000eeb = 0;
		*(uint8_t*)0x20000ef4 = -1; *(uint8_t*)0x20000ef5 = -1; *(uint8_t*)0x20000ef6 = 0;
		*(uint8_t*)0x20000ef7 = 0; *(uint8_t*)0x20000ef8 = -1; *(uint8_t*)0x20000ef9 = 0;
		*(uint8_t*)0x20000f04 = 0; *(uint8_t*)0x20000f05 = 0; *(uint8_t*)0x20000f06 = 0; *(uint8_t*)0x20000f07 = 0;
		*(uint8_t*)0x20000f08 = 0; *(uint8_t*)0x20000f09 = 0; *(uint8_t*)0x20000f0a = 0; *(uint8_t*)0x20000f0b = 0;
		*(uint8_t*)0x20000f0c = 0; *(uint8_t*)0x20000f0d = 0; *(uint8_t*)0x20000f0e = 0; *(uint8_t*)0x20000f0f = 0;
		*(uint8_t*)0x20000f10 = 0; *(uint8_t*)0x20000f11 = 0; *(uint8_t*)0x20000f12 = 0; *(uint8_t*)0x20000f13 = 0;
		*(uint8_t*)0x20000f1c = 0; *(uint8_t*)0x20000f1d = -1; *(uint8_t*)0x20000f1e = -1;
		*(uint8_t*)0x20000f1f = -1; *(uint8_t*)0x20000f20 = -1; *(uint8_t*)0x20000f21 = -1;
		*(uint16_t*)0x20000f2c = htobe16(0x7fff);
		*(uint16_t*)0x20000f2e = htobe16(0xf65);
		*(uint16_t*)0x20000f30 = htobe16(0xff);
		*(uint16_t*)0x20000f32 = htobe16(7);
		*(uint16_t*)0x20000f34 = htobe16(0x3f);
		*(uint16_t*)0x20000f36 = htobe16(0xf801);
		memcpy((void*)0x20000f38, "eql\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", 16);
		memcpy((void*)0x20000f48, "bcsf0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", 16);
		*(uint8_t*)0x20000f62 = 0;
		*(uint8_t*)0x20000f80 = 0;
		*(uint8_t*)0x20000f90 = 0;
		*(uint16_t*)0x20000f92 = 1;
		*(uint16_t*)0x20000f9e = 0xf0;
		*(uint16_t*)0x20000fa0 = 0xffee;
		*(uint32_t*)0x20000fa4 = 0;
		*(uint64_t*)0x20000fac = 0;
		*(uint64_t*)0x20000fb4 = 0;
		*(uint16_t*)0x20000fbc = 0x50;
		memcpy((void*)0x20000fbe, "mangle\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00", 29);
		*(uint8_t*)0x20000fdb = 0; *(uint8_t*)0x20000fdc = 0; *(uint8_t*)0x20000fdd = 0; *(uint8_t*)0x20000fde = 0;
		*(uint8_t*)0x20000fdf = 0; *(uint8_t*)0x20000fe0 = 0; *(uint8_t*)0x20000fe1 = 0; *(uint8_t*)0x20000fe2 = 0;
		*(uint8_t*)0x20000fe3 = 0; *(uint8_t*)0x20000fe4 = 0; *(uint8_t*)0x20000fe5 = 0; *(uint8_t*)0x20000fe6 = 0;
		*(uint8_t*)0x20000fe7 = 0; *(uint8_t*)0x20000fe8 = 0; *(uint8_t*)0x20000fe9 = 0; *(uint8_t*)0x20000fea = 0;
		*(uint8_t*)0x20000feb = 0; *(uint8_t*)0x20000fec = 0; *(uint8_t*)0x20000fed = 0; *(uint8_t*)0x20000fee = 0;
		*(uint8_t*)0x20000fef = 0; *(uint8_t*)0x20000ff0 = 0; *(uint8_t*)0x20000ff1 = 0;
		/* Next entry: 172.20.20.170 twice, then 127.0.0.1 / 172.20.20.0 in network order. */
		*(uint8_t*)0x20000ffc = 0xac; *(uint8_t*)0x20000ffd = 0x14; *(uint8_t*)0x20000ffe = 0x14; *(uint8_t*)0x20000fff = 0xaa;
		*(uint8_t*)0x20001000 = 0xac; *(uint8_t*)0x20001001 = 0x14; *(uint8_t*)0x20001002 = 0x14; *(uint8_t*)0x20001003 = 0xaa;
		*(uint8_t*)0x20001004 = 0;
		*(uint32_t*)0x20001008 = 0;
		*(uint32_t*)0x2000100c = htobe32(0x7f000001);
		*(uint8_t*)0x20001010 = 0xac; *(uint8_t*)0x20001011 = 0x14; *(uint8_t*)0x20001012 = 0x14; *(uint8_t*)0x20001013 = 0;
		*(uint32_t*)0x20001014 = htobe32(0);
		*(uint32_t*)0x20001018 = htobe32(0);
		*(uint8_t*)0x2000101c = 0; *(uint8_t*)0x2000101d = 0; *(uint8_t*)0x2000101e = 0; *(uint8_t*)0x2000101f = 0;
		*(uint8_t*)0x20001020 = 0; *(uint8_t*)0x20001021 = 0; *(uint8_t*)0x20001022 = 0; *(uint8_t*)0x20001023 = 0;
		*(uint8_t*)0x20001024 = 0; *(uint8_t*)0x20001025 = 0; *(uint8_t*)0x20001026 = 0; *(uint8_t*)0x20001027 = 0;
		*(uint8_t*)0x20001028 = 0; *(uint8_t*)0x20001029 = 0; *(uint8_t*)0x2000102a = 0; *(uint8_t*)0x2000102b = 0;
		*(uint8_t*)0x20001034 = 0; *(uint8_t*)0x20001035 = 0; *(uint8_t*)0x20001036 = 0;
		*(uint8_t*)0x20001037 = 0; *(uint8_t*)0x20001038 = 0; *(uint8_t*)0x20001039 = 0;
		*(uint8_t*)0x20001044 = 0; *(uint8_t*)0x20001045 = 0; *(uint8_t*)0x20001046 = 0;
		*(uint8_t*)0x20001047 = 0; *(uint8_t*)0x20001048 = 0; *(uint8_t*)0x20001049 = 0;
		*(uint8_t*)0x2000105c = 0; *(uint8_t*)0x2000105d = 0; *(uint8_t*)0x2000105e = 0;
		*(uint8_t*)0x2000105f = 0; *(uint8_t*)0x20001060 = 0; *(uint8_t*)0x20001061 = 0;
		*(uint16_t*)0x2000106c = htobe16(0);
		*(uint16_t*)0x2000106e = htobe16(0);
		*(uint16_t*)0x20001070 = htobe16(0);
		*(uint16_t*)0x20001072 = htobe16(0);
		*(uint16_t*)0x20001074 = htobe16(0);
		*(uint16_t*)0x20001076 = htobe16(0);
		memcpy((void*)0x20001078, "ip6gre0\x00\x00\x00\x00\x00\x00\x00\x00\x00", 16);
		memcpy((void*)0x20001088, "ip6_vti0\x00\x00\x00\x00\x00\x00\x00\x00", 16);
		*(uint8_t*)0x200010a2 = 0;
		*(uint8_t*)0x200010c0 = 0;
		*(uint8_t*)0x200010d0 = 0;
		*(uint16_t*)0x200010d2 = 0;
		*(uint16_t*)0x200010de = 0xe1;
		*(uint16_t*)0x200010e0 = 0x134;
		*(uint32_t*)0x200010e4 = 0;
		*(uint64_t*)0x200010ec = 0;
		*(uint64_t*)0x200010f4 = 0;
		/* Target "LED" (size 0x44) with id string "syz0". */
		*(uint16_t*)0x200010fc = 0x44;
		memcpy((void*)0x200010fe, "LED\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00", 29);
		*(uint8_t*)0x2000111b = 0;
		memcpy((void*)0x2000111c, "syz0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00", 27);
		*(uint8_t*)0x20001137 = 0;
		*(uint32_t*)0x20001138 = 0;
		*(uint32_t*)0x2000113c = 0;
		/* 164 zero bytes, 0x20001140..0x200011e3. */
		*(uint8_t*)0x20001140 = 0; *(uint8_t*)0x20001141 = 0; *(uint8_t*)0x20001142 = 0; *(uint8_t*)0x20001143 = 0;
		*(uint8_t*)0x20001144 = 0; *(uint8_t*)0x20001145 = 0; *(uint8_t*)0x20001146 = 0; *(uint8_t*)0x20001147 = 0;
		*(uint8_t*)0x20001148 = 0; *(uint8_t*)0x20001149 = 0; *(uint8_t*)0x2000114a = 0; *(uint8_t*)0x2000114b = 0;
		*(uint8_t*)0x2000114c = 0; *(uint8_t*)0x2000114d = 0; *(uint8_t*)0x2000114e = 0; *(uint8_t*)0x2000114f = 0;
		*(uint8_t*)0x20001150 = 0; *(uint8_t*)0x20001151 = 0; *(uint8_t*)0x20001152 = 0; *(uint8_t*)0x20001153 = 0;
		*(uint8_t*)0x20001154 = 0; *(uint8_t*)0x20001155 = 0; *(uint8_t*)0x20001156 = 0; *(uint8_t*)0x20001157 = 0;
		*(uint8_t*)0x20001158 = 0; *(uint8_t*)0x20001159 = 0; *(uint8_t*)0x2000115a = 0; *(uint8_t*)0x2000115b = 0;
		*(uint8_t*)0x2000115c = 0; *(uint8_t*)0x2000115d = 0; *(uint8_t*)0x2000115e = 0; *(uint8_t*)0x2000115f = 0;
		*(uint8_t*)0x20001160 = 0; *(uint8_t*)0x20001161 = 0; *(uint8_t*)0x20001162 = 0; *(uint8_t*)0x20001163 = 0;
		*(uint8_t*)0x20001164 = 0; *(uint8_t*)0x20001165 = 0; *(uint8_t*)0x20001166 = 0; *(uint8_t*)0x20001167 = 0;
		*(uint8_t*)0x20001168 = 0; *(uint8_t*)0x20001169 = 0; *(uint8_t*)0x2000116a = 0; *(uint8_t*)0x2000116b = 0;
		*(uint8_t*)0x2000116c = 0; *(uint8_t*)0x2000116d = 0; *(uint8_t*)0x2000116e = 0; *(uint8_t*)0x2000116f = 0;
		*(uint8_t*)0x20001170 = 0; *(uint8_t*)0x20001171 = 0; *(uint8_t*)0x20001172 = 0; *(uint8_t*)0x20001173 = 0;
		*(uint8_t*)0x20001174 = 0; *(uint8_t*)0x20001175 = 0; *(uint8_t*)0x20001176 = 0; *(uint8_t*)0x20001177 = 0;
		*(uint8_t*)0x20001178 = 0; *(uint8_t*)0x20001179 = 0; *(uint8_t*)0x2000117a = 0; *(uint8_t*)0x2000117b = 0;
		*(uint8_t*)0x2000117c = 0; *(uint8_t*)0x2000117d = 0; *(uint8_t*)0x2000117e = 0; *(uint8_t*)0x2000117f = 0;
		*(uint8_t*)0x20001180 = 0; *(uint8_t*)0x20001181 = 0; *(uint8_t*)0x20001182 = 0; *(uint8_t*)0x20001183 = 0;
		*(uint8_t*)0x20001184 = 0; *(uint8_t*)0x20001185 = 0; *(uint8_t*)0x20001186 = 0; *(uint8_t*)0x20001187 = 0;
		*(uint8_t*)0x20001188 = 0; *(uint8_t*)0x20001189 = 0; *(uint8_t*)0x2000118a = 0; *(uint8_t*)0x2000118b = 0;
		*(uint8_t*)0x2000118c = 0; *(uint8_t*)0x2000118d = 0; *(uint8_t*)0x2000118e = 0; *(uint8_t*)0x2000118f = 0;
		*(uint8_t*)0x20001190 = 0; *(uint8_t*)0x20001191 = 0; *(uint8_t*)0x20001192 = 0; *(uint8_t*)0x20001193 = 0;
		*(uint8_t*)0x20001194 = 0; *(uint8_t*)0x20001195 = 0; *(uint8_t*)0x20001196 = 0; *(uint8_t*)0x20001197 = 0;
		*(uint8_t*)0x20001198 = 0; *(uint8_t*)0x20001199 = 0; *(uint8_t*)0x2000119a = 0; *(uint8_t*)0x2000119b = 0;
		*(uint8_t*)0x2000119c = 0; *(uint8_t*)0x2000119d = 0; *(uint8_t*)0x2000119e = 0; *(uint8_t*)0x2000119f = 0;
		*(uint8_t*)0x200011a0 = 0; *(uint8_t*)0x200011a1 = 0; *(uint8_t*)0x200011a2 = 0; *(uint8_t*)0x200011a3 = 0;
		*(uint8_t*)0x200011a4 = 0; *(uint8_t*)0x200011a5 = 0; *(uint8_t*)0x200011a6 = 0; *(uint8_t*)0x200011a7 = 0;
		*(uint8_t*)0x200011a8 = 0; *(uint8_t*)0x200011a9 = 0; *(uint8_t*)0x200011aa = 0; *(uint8_t*)0x200011ab = 0;
		*(uint8_t*)0x200011ac = 0; *(uint8_t*)0x200011ad = 0; *(uint8_t*)0x200011ae = 0; *(uint8_t*)0x200011af = 0;
		*(uint8_t*)0x200011b0 = 0; *(uint8_t*)0x200011b1 = 0; *(uint8_t*)0x200011b2 = 0; *(uint8_t*)0x200011b3 = 0;
		*(uint8_t*)0x200011b4 = 0; *(uint8_t*)0x200011b5 = 0; *(uint8_t*)0x200011b6 = 0; *(uint8_t*)0x200011b7 = 0;
		*(uint8_t*)0x200011b8 = 0; *(uint8_t*)0x200011b9 = 0; *(uint8_t*)0x200011ba = 0; *(uint8_t*)0x200011bb = 0;
		*(uint8_t*)0x200011bc = 0; *(uint8_t*)0x200011bd = 0; *(uint8_t*)0x200011be = 0; *(uint8_t*)0x200011bf = 0;
		*(uint8_t*)0x200011c0 = 0; *(uint8_t*)0x200011c1 = 0; *(uint8_t*)0x200011c2 = 0; *(uint8_t*)0x200011c3 = 0;
		*(uint8_t*)0x200011c4 = 0; *(uint8_t*)0x200011c5 = 0; *(uint8_t*)0x200011c6 = 0; *(uint8_t*)0x200011c7 = 0;
		*(uint8_t*)0x200011c8 = 0; *(uint8_t*)0x200011c9 = 0; *(uint8_t*)0x200011ca = 0; *(uint8_t*)0x200011cb = 0;
		*(uint8_t*)0x200011cc = 0; *(uint8_t*)0x200011cd = 0; *(uint8_t*)0x200011ce = 0; *(uint8_t*)0x200011cf = 0;
		*(uint8_t*)0x200011d0 = 0; *(uint8_t*)0x200011d1 = 0; *(uint8_t*)0x200011d2 = 0; *(uint8_t*)0x200011d3 = 0;
		*(uint8_t*)0x200011d4 = 0; *(uint8_t*)0x200011d5 = 0; *(uint8_t*)0x200011d6 = 0; *(uint8_t*)0x200011d7 = 0;
		*(uint8_t*)0x200011d8 = 0; *(uint8_t*)0x200011d9 = 0; *(uint8_t*)0x200011da = 0; *(uint8_t*)0x200011db = 0;
		*(uint8_t*)0x200011dc = 0; *(uint8_t*)0x200011dd = 0; *(uint8_t*)0x200011de = 0; *(uint8_t*)0x200011df = 0;
		*(uint8_t*)0x200011e0 = 0; *(uint8_t*)0x200011e1 = 0; *(uint8_t*)0x200011e2 = 0; *(uint8_t*)0x200011e3 = 0;
		/* Final entry: empty target name, verdict word 0xfffffffe. */
		*(uint16_t*)0x200011e4 = 0xc0;
		*(uint16_t*)0x200011e6 = 0xe4;
		*(uint32_t*)0x200011e8 = 0;
		*(uint64_t*)0x200011f0 = 0;
		*(uint64_t*)0x200011f8 = 0;
		*(uint16_t*)0x20001200 = 0x24;
		memcpy((void*)0x20001202, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00", 29);
		*(uint8_t*)0x2000121f = 0;
		*(uint32_t*)0x20001220 = 0xfffffffe;
		/* optlen 0xffffff16 is negative once the kernel reads it as an int. */
		syscall(__NR_setsockopt, (long)r[3], 0, 0x60, 0x20000d40, 0xffffff16);
		break;
	case 22:
		syscall(__NR_openat, 0xffffff9c, 0, 2, 0);
		break;
	case 23:
		syscall(__NR_write, -1, 0, 0);
		break;
	case 24:
		/* Result deliberately dropped (socket leaks until exit). */
		syscall(__NR_socket, 2, 2, 0);
		break;
	case 25:
		memcpy((void*)0x200003c0, "syz1\x00", 5);
		syscall(__NR_setxattr, 0, 0, 0x200003c0, 5, 0);
		break;
	case 26:
		syscall(__NR_writev, -1, 0, 0);
		break;
	case 27:
		/* Genetlink family lookup for "IPVS"; the returned id is unused. */
		memcpy((void*)0x20000080, "IPVS\x00", 5);
		syz_genetlink_get_family_id(0x20000080);
		break;
	case 28:
		/* Producer for r[4]: socket(AF_NETLINK (0x10), SOCK_RAW (3), protocol 0xffff7ffe). */
		res = syscall(__NR_socket, 0x10, 3, 0xffff7ffe);
		if (res != -1)
			r[4] = res;
		break;
	case 29:
		syscall(__NR_futex, 0, 4, 0, 0, 0, 1);
		break;
	case 30:
		syscall(__NR_sendmsg, (long)r[4], 0, 0);
		break;
	case 31:
		syscall(__NR_setsockopt, -1, 0, 0x41, 0, 0);
		break;
	case 32:
		syscall(__NR_fcntl, -1, 0x10, 0x20000100);
		break;
	case 33:
		/*
		 * Fills a 0xe0-byte struct at 0x200002c0 whose field offsets match
		 * struct loop_info64 (three u64, offset 5, sizelimit 0xb60, number 0,
		 * encrypt_type 7, key_size 0xc, flags 8, 64-byte file name, 64-byte
		 * crypt name, 32-byte key, lo_init {7, 6}); 0x4c04 is LOOP_SET_STATUS64.
		 * NOTE(review): inferred from the layout; the fd is -1 so the
		 * request never reaches the loop driver.
		 */
		*(uint64_t*)0x200002c0 = 0;
		*(uint64_t*)0x200002c8 = 0;
		*(uint64_t*)0x200002d0 = 0;
		*(uint64_t*)0x200002d8 = 5;
		*(uint64_t*)0x200002e0 = 0xb60;
		*(uint32_t*)0x200002e8 = 0;
		*(uint32_t*)0x200002ec = 7;
		*(uint32_t*)0x200002f0 = 0xc;
		*(uint32_t*)0x200002f4 = 8;
		memcpy((void*)0x200002f8, "\x22\xf1\xda\x29\x79\x7e\x1c\xcd\x8a\x68\xd9\x97\xf0\xfa\x53\x4f" "\xc4\xa0\x2f\x85\xfa\x1f\x39\x0b\xc1\x45\x29\x19\x00\x14\x9d\xc3" "\x94\x5a\xe3\x4b\xc8\x27\x75\x0c\xf5\x2a\x05\xef\x27\x30\x08\x5e" "\x8b\xb3\xdc\x9f\x88\x59\x33\xac\xb7\xa2\xcb\xcb\x6f\x75\x03\x8f", 64);
		memcpy((void*)0x20000338, "\x15\xc4\x13\xee\x62\xb0\x06\xd2\x72\x10\x6a\x3c\x14\x10\x72\x98" "\x26\xca\xf6\x0e\x89\xbb\x4e\x23\x71\x0f\xda\x8f\x52\x27\xb5\x6f" "\xca\x30\x1a\x56\xff\x7c\xf4\x78\x7a\xdf\x9b\x5c\x21\xfb\x7e\x7b" "\x0a\xf9\x62\x01\x2e\x81\x25\x6d\x39\x78\x7f\x62\x30\x26\xd8\x2a", 64);
		memcpy((void*)0x20000378, "\x1c\x1f\x43\xb9\x73\x07\xc8\x61\x98\x9c\xcf\xc4" "\x25\xca\x70\x08\x73\x08\xca\x06\x3c\x79\x9f\x3d" "\x7f\x33\x6e\xb2\x82\xe9\xdd\x73", 32);
		*(uint32_t*)0x20000398 = 7;
		*(uint32_t*)0x2000039c = 6;
		syscall(__NR_ioctl, -1, 0x4c04, 0x200002c0);
		break;
	case 34:
		syscall(__NR_creat, 0, 0x80);
		break;
	case 35:
		syscall(__NR_getgid);
		break;
	case 36:
		syscall(__NR_write, -1, 0, 0);
		break;
	case 37:
		syscall(__NR_read, -1, 0, 0);
		break;
	case 38:
		/* Producer for r[5]: memfd_create(NULL, 2). */
		res = syscall(__NR_memfd_create, 0, 2);
		if (res != -1)
			r[5] = res;
		break;
	case 39:
		/* r[5] is a memfd, not a socket, so this setsockopt cannot succeed. */
		syscall(__NR_setsockopt, (long)r[5], 6, 0x1d, 0, 0);
		break;
	case 40:
		syscall(__NR_ioctl, -1, 0x660c);
		break;
	case 41:
		syscall(__NR_ioctl, (long)r[5], 0x403c5404, 0);
		break;
	case 42:
		syscall(__NR_ioctl, -1, 0x40106614, 0);
		break;
	}
}

/*
 * Map the 16 MiB scratch region used by every fixed address above at
 * 0x20000000 (prot 3 = PROT_READ|PROT_WRITE; flags 0x32 = MAP_PRIVATE|
 * MAP_FIXED|MAP_ANONYMOUS on x86), then run the program. The mmap result is
 * not checked: if it fails, the first fixed-address write faults.
 */
int main(void)
{
	syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0);
	loop();
	return 0;
}