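// https://syzkaller.appspot.com/bug?id=4d7da8b9a9a23db755999d249f31421ac16c77ae
// autogenerated by syzkaller (https://github.com/google/syzkaller)
//
// Kernel bug reproducer. It drives a single IPv6 SCTP socket through
//   socket() -> sendmmsg() -> listen() -> setsockopt(SCTP_AUTO_ASCONF)
//   -> accept()
// using argument structures written at fixed addresses inside a private
// anonymous mapping. The crash signature is not stated in this listing; take
// it from the linked report when using this as a regression check for a
// patched kernel.
//
// Triage notes:
//  - Only socket()'s return value is inspected. If it fails (for example on a
//    kernel built without SCTP), r[0] keeps its initial value of -1 and every
//    later call is made on an invalid descriptor, so a clean exit does not by
//    itself show that the sequence was exercised.
//  - NOTE(review): nothing in this listing connects to the listening socket,
//    so whether the final accept() returns depends on the kernel under test;
//    run under a harness with a timeout.

#define _GNU_SOURCE

// NOTE(review): the header names were stripped from this listing (eight bare
// "#include" tokens remained). The eight below are reconstructed from the
// identifiers the program uses (htobe16/htobe32, uintN_t/intptr_t, memset,
// syscall/__NR_*, write); confirm against the original reproducer.
#include <endian.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

// Resource table: r[0] holds the SCTP socket descriptor once socket()
// succeeds. The all-ones initial value reads as -1, i.e. "no descriptor".
uint64_t r[1] = {0xffffffffffffffff};

int main(void)
{
  // Fixed-address scratch area for syscall arguments: a 16 MiB
  // read/write/exec region at 0x200000000000, with one inaccessible
  // (prot=0) page mapped immediately below and immediately above it.
  syscall(__NR_mmap, /*addr=*/0x1ffffffff000ul, /*len=*/0x1000ul,
          /*prot=*/0ul,
          /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul,
          /*fd=*/(intptr_t)-1, /*offset=*/0ul);
  syscall(__NR_mmap, /*addr=*/0x200000000000ul, /*len=*/0x1000000ul,
          /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul,
          /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul,
          /*fd=*/(intptr_t)-1, /*offset=*/0ul);
  syscall(__NR_mmap, /*addr=*/0x200001000000ul, /*len=*/0x1000ul,
          /*prot=*/0ul,
          /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul,
          /*fd=*/(intptr_t)-1, /*offset=*/0ul);

  // Generator boilerplate; `reason` is never assigned or read here.
  const char* reason;
  (void)reason;
  intptr_t res = 0;

  // Progress marker on stdout; the result is deliberately discarded.
  if (write(1, "executing program\n", sizeof("executing program\n") - 1)) {
  }

  // socket$inet6_sctp arguments: [
  //   domain: const = 0xa (8 bytes)
  //   type: sctp_socket_type = 0x1 (8 bytes)
  //   proto: const = 0x84 (4 bytes)
  // ]
  // returns sock_sctp6
  res = syscall(__NR_socket, /*domain=*/0xaul, /*type=SOCK_STREAM*/ 1ul,
                /*proto=*/0x84);
  if (res != -1)
    r[0] = res;

  // sendmmsg$inet6 arguments: [
  //   fd: sock_in6 (resource)
  //   mmsg: ptr[in, array[mmsghdr_inet6]] {
  //     array[mmsghdr_inet6] {
  //       mmsghdr_inet6 {
  //         msg_hdr: msghdr_inet6 {
  //           msg_name: ptr[in, sockaddr_in6] {
  //             sockaddr_in6 {
  //               family: const = 0xa (2 bytes)
  //               port: int16be = 0x0 (2 bytes)
  //               flow: int32be = 0x0 (4 bytes)
  //               addr: union ipv6_addr {
  //                 private0: ipv6_addr_private[0] {
  //                   a0: const = 0xfc (1 bytes)
  //                   a1: const = 0x0 (1 bytes)
  //                   a2: buffer: {00 00 00 00 00 00 00 00 00 00 00 00 00}
  //                   (length 0xd)
  //                   a3: int8 = 0x0 (1 bytes)
  //                 }
  //               }
  //               scope: int32 = 0xfffffffc (4 bytes)
  //             }
  //           }
  //           msg_namelen: len = 0x1c (4 bytes)
  //           pad = 0x0 (4 bytes)
  //           msg_iov: ptr[in, array[iovec[in, array[int8]]]] {
  //             array[iovec[in, array[int8]]] {
  //               iovec[in, array[int8]] {
  //                 addr: ptr[in, buffer] {
  //                   buffer: {b3} (length 0x1)
  //                 }
  //                 len: len = 0x1 (8 bytes)
  //               }
  //             }
  //           }
  //           msg_iovlen: len = 0x1 (8 bytes)
  //           msg_control: nil
  //           msg_controllen: bytesize = 0x0 (8 bytes)
  //           msg_flags: const = 0x0 (4 bytes)
  //           pad = 0x0 (4 bytes)
  //         }
  //         msg_len: const = 0x0 (4 bytes)
  //         pad = 0x0 (4 bytes)
  //       }
  //       mmsghdr_inet6 {
  //         msg_hdr: msghdr_inet6 {
  //           msg_name: nil
  //           msg_namelen: len = 0x0 (4 bytes)
  //           pad = 0x0 (4 bytes)
  //           msg_iov: nil
  //           msg_iovlen: len = 0x0 (8 bytes)
  //           msg_control: nil
  //           msg_controllen: bytesize = 0x0 (8 bytes)
  //           msg_flags: const = 0x0 (4 bytes)
  //           pad = 0x0 (4 bytes)
  //         }
  //         msg_len: const = 0x0 (4 bytes)
  //         pad = 0x0 (4 bytes)
  //       }
  //       mmsghdr_inet6 {
  //         msg_hdr: msghdr_inet6 {
  //           msg_name: nil
  //           msg_namelen: len = 0x0 (4 bytes)
  //           pad = 0x0 (4 bytes)
  //           msg_iov: nil
  //           msg_iovlen: len = 0x0 (8 bytes)
  //           msg_control: nil
  //           msg_controllen: bytesize = 0x0 (8 bytes)
  //           msg_flags: const = 0x0 (4 bytes)
  //           pad = 0x0 (4 bytes)
  //         }
  //         msg_len: const = 0x0 (4 bytes)
  //         pad = 0x0 (4 bytes)
  //       }
  //     }
  //   }
  //   vlen: len = 0x3 (8 bytes)
  //   f: send_flags = 0x44 (8 bytes)
  // ]

  // mmsghdr[0] at 0x200000000480: one-byte payload (0xb3) addressed to the
  // sockaddr_in6 at 0x200000000000 (fc00::, port 0, scope 0xfffffffc).
  *(uint64_t*)0x200000000480 = 0x200000000000;
  *(uint16_t*)0x200000000000 = 0xa;
  *(uint16_t*)0x200000000002 = htobe16(0);
  *(uint32_t*)0x200000000004 = htobe32(0);
  *(uint8_t*)0x200000000008 = 0xfc;
  *(uint8_t*)0x200000000009 = 0;
  memset((void*)0x20000000000a, 0, 13);
  *(uint8_t*)0x200000000017 = 0;
  *(uint32_t*)0x200000000018 = 0xfffffffc;
  *(uint32_t*)0x200000000488 = 0x1c;
  *(uint64_t*)0x200000000490 = 0x200000000300;
  *(uint64_t*)0x200000000300 = 0x2000000006c0;
  memset((void*)0x2000000006c0, 179, 1);
  *(uint64_t*)0x200000000308 = 1;
  *(uint64_t*)0x200000000498 = 1;
  *(uint64_t*)0x2000000004a0 = 0;
  *(uint64_t*)0x2000000004a8 = 0;
  *(uint32_t*)0x2000000004b0 = 0;
  *(uint32_t*)0x2000000004b8 = 0;

  // mmsghdr[1] at 0x2000000004c0: every field zero (no name, iov or control).
  *(uint64_t*)0x2000000004c0 = 0;
  *(uint32_t*)0x2000000004c8 = 0;
  *(uint64_t*)0x2000000004d0 = 0;
  *(uint64_t*)0x2000000004d8 = 0;
  *(uint64_t*)0x2000000004e0 = 0;
  *(uint64_t*)0x2000000004e8 = 0;
  *(uint32_t*)0x2000000004f0 = 0;
  *(uint32_t*)0x2000000004f8 = 0;

  // mmsghdr[2] at 0x200000000500: every field zero as well.
  *(uint64_t*)0x200000000500 = 0;
  *(uint32_t*)0x200000000508 = 0;
  *(uint64_t*)0x200000000510 = 0;
  *(uint64_t*)0x200000000518 = 0;
  *(uint64_t*)0x200000000520 = 0;
  *(uint64_t*)0x200000000528 = 0;
  *(uint32_t*)0x200000000530 = 0;
  *(uint32_t*)0x200000000538 = 0;

  syscall(__NR_sendmmsg, /*fd=*/r[0], /*mmsg=*/0x200000000480ul,
          /*vlen=*/3ul, /*f=MSG_DONTWAIT|MSG_DONTROUTE*/ 0x44ul);

  // listen arguments: [
  //   fd: sock (resource)
  //   backlog: int32 = 0x100101 (4 bytes)
  // ]
  syscall(__NR_listen, /*fd=*/r[0], /*backlog=*/0x100101);

  // setsockopt$inet_sctp6_SCTP_AUTO_ASCONF arguments: [
  //   fd: sock_sctp6 (resource)
  //   level: const = 0x84 (4 bytes)
  //   opt: const = 0x1e (4 bytes)
  //   val: ptr[in, int32] {
  //     int32 = 0x6 (4 bytes)
  //   }
  //   len: len = 0x4 (8 bytes)
  // ]
  *(uint32_t*)0x2000000000c0 = 6;
  syscall(__NR_setsockopt, /*fd=*/r[0], /*level=*/0x84, /*opt=*/0x1e,
          /*val=*/0x2000000000c0ul, /*len=*/4ul);

  // accept arguments: [
  //   fd: sock (resource)
  //   peer: nil
  //   peerlen: nil
  // ]
  // returns sock
  syscall(__NR_accept, /*fd=*/r[0], /*peer=*/0ul, /*peerlen=*/0ul);
  return 0;
}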