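// https://syzkaller.appspot.com/bug?id=dc6352b92862eb79373fe03fdf9af5928753e057
// autogenerated by syzkaller (https://github.com/google/syzkaller)
//
// Reproducer structure: resolve the generic-netlink family id for "TIPCv2",
// then send one hand-built genetlink message on a NETLINK_GENERIC socket.
// The header names below were lost in the captured copy of this file and
// are reconstructed from the identifiers the code uses.

#define _GNU_SOURCE

#include <endian.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

#include <linux/genetlink.h>
#include <linux/netlink.h>

/*
 * Look up the numeric id of a generic-netlink family by name.
 *
 * @name  address of a NUL-terminated family name (passed as a long, as
 *        syzkaller does for all pointer arguments); at most GENL_NAMSIZ
 *        bytes are copied into the request.
 * @return the CTRL_ATTR_FAMILY_ID value from the kernel's reply, or -1 on
 *         any socket error, short/odd reply, or a reply that does not carry
 *         that attribute.
 *
 * The reply is parsed defensively: every nlattr header and payload is
 * checked against the number of bytes actually received, and an attribute
 * whose nla_len is smaller than its own header terminates the walk instead
 * of looping forever (NLMSG_ALIGN(0) == 0 would otherwise never advance).
 */
static long syz_genetlink_get_family_id(volatile long name)
{
	char buf[512] = {0};
	struct nlmsghdr *hdr = (struct nlmsghdr *)buf;
	struct genlmsghdr *genlhdr = (struct genlmsghdr *)NLMSG_DATA(hdr);
	struct nlattr *attr = (struct nlattr *)(genlhdr + 1);

	/* CTRL_CMD_GETFAMILY request carrying a single FAMILY_NAME attribute. */
	hdr->nlmsg_len = sizeof(*hdr) + sizeof(*genlhdr) + sizeof(*attr) + GENL_NAMSIZ;
	hdr->nlmsg_type = GENL_ID_CTRL;
	hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
	genlhdr->cmd = CTRL_CMD_GETFAMILY;
	attr->nla_type = CTRL_ATTR_FAMILY_NAME;
	attr->nla_len = sizeof(*attr) + GENL_NAMSIZ;
	/* buf is zeroed, so a name shorter than GENL_NAMSIZ stays terminated. */
	strncpy((char *)(attr + 1), (char *)name, GENL_NAMSIZ);

	struct iovec iov = {hdr, hdr->nlmsg_len};
	struct sockaddr_nl addr = {0};
	addr.nl_family = AF_NETLINK;

	int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC);
	if (fd == -1) {
		return -1;
	}
	struct msghdr msg = {&addr, sizeof(addr), &iov, 1, NULL, 0, 0};
	if (sendmsg(fd, &msg, 0) == -1) {
		close(fd);
		return -1;
	}

	/* The reply reuses buf, so hdr/genlhdr/attr now point into the reply. */
	ssize_t n = recv(fd, buf, sizeof(buf), 0);
	close(fd);
	if (n <= 0) {
		return -1;
	}
	/* Reject replies too short to hold the netlink + genetlink headers. */
	if ((size_t)n < (size_t)((char *)attr - buf)) {
		return -1;
	}
	if (hdr->nlmsg_type != GENL_ID_CTRL) {
		return -1;
	}

	const char *end = buf + n;
	while ((const char *)attr + sizeof(*attr) <= end) {
		size_t len = attr->nla_len;
		/* A malformed length would either loop forever or walk past buf. */
		if (len < sizeof(*attr) || (const char *)attr + len > end) {
			return -1;
		}
		if (attr->nla_type == CTRL_ATTR_FAMILY_ID) {
			if (len < sizeof(*attr) + sizeof(uint16_t)) {
				return -1;
			}
			uint16_t id;
			memcpy(&id, attr + 1, sizeof(id)); /* avoids an aliasing cast */
			return id;
		}
		attr = (struct nlattr *)((char *)attr + NLMSG_ALIGN(len));
	}
	return -1;
}

/* r[0]: the NETLINK_GENERIC socket fd; r[1]: the resolved TIPCv2 family id. */
uint64_t r[2] = {0xffffffffffffffff, 0x0};

int main(void)
{
	/* syzkaller keeps all syscall arguments in a fixed mapping at 0x20000000;
	 * without it every store below would fault, so bail out if it fails. */
	if (syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0) == -1) {
		return 1;
	}

	intptr_t res = 0;
	res = syscall(__NR_socket, 0x10, 3, 0x10); /* AF_NETLINK, SOCK_RAW, NETLINK_GENERIC */
	if (res != -1)
		r[0] = res;

	memcpy((void *)0x20000140, "TIPCv2\000", 7);
	res = syz_genetlink_get_family_id(0x20000140);
	if (res != -1)
		r[1] = res;

	/* struct msghdr at 0x20000580 (fields filled in below; layout assumed
	 * to be the x86-64 one syzkaller generated this for). */
	*(uint64_t *)0x20000580 = 0;          /* msg_name */
	*(uint32_t *)0x20000588 = 0;          /* msg_namelen */
	*(uint64_t *)0x20000590 = 0x20000540; /* msg_iov */
	/* struct iovec at 0x20000540 -> one buffer at 0x20000340 */
	*(uint64_t *)0x20000540 = 0x20000340;

	/* struct nlmsghdr at 0x20000340: type is the TIPCv2 family id resolved
	 * above (still 0 if the lookup failed). */
	*(uint32_t *)0x20000340 = 0x134;
	*(uint16_t *)0x20000344 = r[1];
	*(uint16_t *)0x20000346 = 0x821;
	*(uint32_t *)0x20000348 = 0;
	*(uint32_t *)0x2000034c = 0;
	/* struct genlmsghdr at 0x20000350 */
	*(uint8_t *)0x20000350 = 3;
	*(uint8_t *)0x20000351 = 0;
	*(uint16_t *)0x20000352 = 0;

	/* Attribute payload from 0x20000354 on; values are kept verbatim from
	 * the reproducer and are not interpreted here. */
	*(uint16_t *)0x20000354 = 8;
	*(uint16_t *)0x20000356 = 6;
	*(uint16_t *)0x20000358 = 4;
	*(uint16_t *)0x2000035a = 2;
	*(uint16_t *)0x2000035c = 0x118;
	*(uint16_t *)0x2000035e = 1;
	*(uint16_t *)0x20000360 = 0x38;
	*(uint16_t *)0x20000362 = 4;
	*(uint16_t *)0x20000364 = 0x14;
	*(uint16_t *)0x20000366 = 1;
	*(uint16_t *)0x20000368 = 2;
	*(uint16_t *)0x2000036a = htobe16(0x4e23);
	*(uint8_t *)0x2000036c = 0xac;
	*(uint8_t *)0x2000036d = 0x14;
	*(uint8_t *)0x2000036e = 0x14;
	*(uint8_t *)0x2000036f = 0xbb;
	*(uint16_t *)0x20000378 = 0x20;
	*(uint16_t *)0x2000037a = 2;
	*(uint16_t *)0x2000037c = 0xa;
	*(uint16_t *)0x2000037e = htobe16(0x4e22);
	*(uint32_t *)0x20000380 = htobe32(5);
	*(uint8_t *)0x20000384 = 0xfe;
	*(uint8_t *)0x20000385 = 0x88;
	*(uint8_t *)0x20000386 = 0;
	*(uint8_t *)0x20000387 = 0;
	*(uint8_t *)0x20000388 = 0;
	*(uint8_t *)0x20000389 = 0;
	*(uint8_t *)0x2000038a = 0;
	*(uint8_t *)0x2000038b = 0;
	*(uint8_t *)0x2000038c = 0;
	*(uint8_t *)0x2000038d = 0;
	*(uint8_t *)0x2000038e = 0;
	*(uint8_t *)0x2000038f = 0;
	*(uint8_t *)0x20000390 = 0;
	*(uint8_t *)0x20000391 = 0;
	*(uint8_t *)0x20000392 = 1;
	*(uint8_t *)0x20000393 = 1;
	*(uint32_t *)0x20000394 = 0x78;
	*(uint16_t *)0x20000398 = 0x2c;
	*(uint16_t *)0x2000039a = 4;
	*(uint16_t *)0x2000039c = 0x14;
	*(uint16_t *)0x2000039e = 1;
	*(uint16_t *)0x200003a0 = 2;
	*(uint16_t *)0x200003a2 = htobe16(0x4e22);
	*(uint8_t *)0x200003a4 = 0xac;
	*(uint8_t *)0x200003a5 = 0x14;
	*(uint8_t *)0x200003a6 = 0x14;
	*(uint8_t *)0x200003a7 = 0x23;
	*(uint16_t *)0x200003b0 = 0x14;
	*(uint16_t *)0x200003b2 = 2;
	*(uint16_t *)0x200003b4 = 2;
	*(uint16_t *)0x200003b6 = htobe16(0x4e21);
	*(uint32_t *)0x200003b8 = htobe32(0x7f000001);
	*(uint16_t *)0x200003c4 = 0x2c;
	*(uint16_t *)0x200003c6 = 4;
	*(uint16_t *)0x200003c8 = 0x14;
	*(uint16_t *)0x200003ca = 1;
	*(uint16_t *)0x200003cc = 2;
	*(uint16_t *)0x200003ce = htobe16(0x4e24);
	*(uint32_t *)0x200003d0 = htobe32(0x7f000001);
	*(uint16_t *)0x200003dc = 0x14;
	*(uint16_t *)0x200003de = 2;
	*(uint16_t *)0x200003e0 = 2;
	*(uint16_t *)0x200003e2 = htobe16(0x4e21);
	*(uint32_t *)0x200003e4 = htobe32(-1);
	*(uint16_t *)0x200003f0 = 0x18;
	*(uint16_t *)0x200003f2 = 1;
	memcpy((void *)0x200003f4, "eth", 3);
	*(uint8_t *)0x200003f7 = 0x3a;
	memcpy((void *)0x200003f8, "veth0_to_hsr\000", 13);
	*(uint16_t *)0x20000408 = 0x2c;
	*(uint16_t *)0x2000040a = 4;
	*(uint16_t *)0x2000040c = 0x14;
	*(uint16_t *)0x2000040e = 1;
	*(uint16_t *)0x20000410 = 2;
	*(uint16_t *)0x20000412 = htobe16(0x4e20);
	*(uint32_t *)0x20000414 = htobe32(0x7f000001);
	*(uint16_t *)0x20000420 = 0x14;
	*(uint16_t *)0x20000422 = 2;
	*(uint16_t *)0x20000424 = 2;
	*(uint16_t *)0x20000426 = htobe16(0x4e23);
	*(uint8_t *)0x20000428 = 0xac;
	*(uint8_t *)0x20000429 = 0x14;
	*(uint8_t *)0x2000042a = 0x14;
	*(uint8_t *)0x2000042b = 0x16;
	*(uint16_t *)0x20000434 = 0x14;
	*(uint16_t *)0x20000436 = 2;
	*(uint16_t *)0x20000438 = 8;
	*(uint16_t *)0x2000043a = 1;
	*(uint32_t *)0x2000043c = 0x18;
	*(uint16_t *)0x20000440 = 8;
	*(uint16_t *)0x20000442 = 1;
	*(uint32_t *)0x20000444 = 0x17;
	*(uint16_t *)0x20000448 = 0x1c;
	*(uint16_t *)0x2000044a = 2;
	*(uint16_t *)0x2000044c = 8;
	*(uint16_t *)0x2000044e = 4;
	*(uint32_t *)0x20000450 = -1;
	*(uint16_t *)0x20000454 = 8;
	*(uint16_t *)0x20000456 = 1;
	*(uint32_t *)0x20000458 = 1;
	*(uint16_t *)0x2000045c = 8;
	*(uint16_t *)0x2000045e = 1;
	*(uint32_t *)0x20000460 = 2;
	*(uint16_t *)0x20000464 = 0x10;
	*(uint16_t *)0x20000466 = 1;
	memcpy((void *)0x20000468, "udp:syz2\000", 9);

	/* Remaining iovec/msghdr fields: iov_len matches nlmsg_len above. */
	*(uint64_t *)0x20000548 = 0x134; /* iov_len */
	*(uint64_t *)0x20000598 = 1;     /* msg_iovlen */
	*(uint64_t *)0x200005a0 = 0;     /* msg_control */
	*(uint64_t *)0x200005a8 = 0;     /* msg_controllen */
	*(uint32_t *)0x200005b0 = 0x40;  /* msg_flags */

	/* Result deliberately unchecked: the reproducer only needs the send
	 * to reach the kernel. */
	syscall(__NR_sendmsg, r[0], 0x20000580, 0);
	return 0;
}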