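// https://syzkaller.appspot.com/bug?id=1f279caf435ac992193322d3c4024825dcec1c39
// autogenerated by syzkaller (https://github.com/google/syzkaller)
//
// Reproducer for the syzkaller bug linked above.  The program maps a fixed
// scratch region, opens several NETLINK_NETFILTER sockets, pushes a sequence
// of nf_tables batch transactions (NFNL_MSG_BATCH_BEGIN ... NFNL_MSG_BATCH_END)
// through them, and finally issues a zero-length sendto() on an IPv6 TCP
// socket.  Syscall results are deliberately not checked except for the
// socket() calls: a reproducer only needs to replay the exact sequence.
//
// The `#include` lines below had lost their header names in the copy this
// file was restored from; they were re-derived from the identifiers the code
// uses (uint*_t, intptr_t, memcpy/memset, write, syscall, htobe16/htobe32).
// nf_tables netlink commands are subject to the kernel's own capability
// checks (CAP_NET_ADMIN in the socket's network namespace); without it the
// batches are simply rejected.

#define _GNU_SOURCE

#include <endian.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

// Fallback syscall numbers (these are the arm64 values) for toolchains whose
// headers do not define them.
#ifndef __NR_mmap
#define __NR_mmap 222
#endif
#ifndef __NR_sendmsg
#define __NR_sendmsg 211
#endif
#ifndef __NR_sendto
#define __NR_sendto 206
#endif
#ifndef __NR_socket
#define __NR_socket 198
#endif

// BITMASK(off, len): `len` one-bits starting at bit `off`.
#define BITMASK(bf_off, bf_len) (((1ull << (bf_len)) - 1) << (bf_off))

// Read-modify-write of a `bf_len`-bit field at bit offset `bf_off` inside the
// `type`-sized object at `addr`.  `htobe` is an optional byte-order wrapper
// (htobe16/htobe32) and may be passed empty, as every call below does.
// Because the existing value is read first, bits outside the field -- including
// the neighbouring byte touched by the 16-bit stores at odd addresses below --
// are preserved.
#define STORE_BY_BITMASK(type, htobe, addr, val, bf_off, bf_len) \
  *(type*)(addr) = \
      htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | \
            (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len))))

// Results of the resource-producing syscalls (file descriptors).  An entry
// stays all-ones if the call that should have filled it failed, so the later
// sendmsg()/sendto() then run on an invalid descriptor and fail harmlessly.
uint64_t r[4] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff,
                 0xffffffffffffffff};

int main(void)
{
  // Fixed scratch layout: a guard page below, 16 MiB of RWX scratch at
  // 0x20000000..0x21000000 that all the absolute addresses below live in,
  // and a guard page above.  Anonymous private mappings read as zero until
  // written, which matters for the iov_len/blob-size mismatches noted below.
  syscall(__NR_mmap, /*addr=*/0x1ffff000ul, /*len=*/0x1000ul, /*prot=*/0ul,
          /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul,
          /*fd=*/(intptr_t)-1, /*offset=*/0ul);
  syscall(__NR_mmap, /*addr=*/0x20000000ul, /*len=*/0x1000000ul,
          /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul,
          /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul,
          /*fd=*/(intptr_t)-1, /*offset=*/0ul);
  syscall(__NR_mmap, /*addr=*/0x21000000ul, /*len=*/0x1000ul, /*prot=*/0ul,
          /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul,
          /*fd=*/(intptr_t)-1, /*offset=*/0ul);
  const char* reason;  // unused; kept from the generator template
  (void)reason;
  intptr_t res = 0;
  if (write(1, "executing program\n", sizeof("executing program\n") - 1)) {
  }

  // socket$nl_netfilter: AF_NETLINK (0x10), SOCK_RAW (3), NETLINK_NETFILTER (0xc)
  // -> r[0]
  res = syscall(__NR_socket, /*domain=*/0x10ul, /*type=*/3ul, /*proto=*/0xc);
  if (res != -1)
    r[0] = res;

  // sendmsg$NFT_BATCH on r[0].  struct msghdr at 0x200000c0 (64-bit layout):
  //   +0x00 msg_name = NULL, +0x08 msg_namelen = 0, +0x10 msg_iov = 0x20000040,
  //   +0x18 msg_iovlen = 1, +0x20 msg_control = NULL, +0x28 msg_controllen = 0,
  //   +0x30 msg_flags = 0.
  // iov[0] = { 0x200003c0, 0xd0 }.  The 195-byte blob is an nf_tables batch:
  // it opens with an NFNL_MSG_BATCH_BEGIN header (type 0x10) and ends with a
  // truncated NFNL_MSG_BATCH_END header (type 0x11).  iov_len 0xd0 exceeds the
  // 195 bytes copied; the trailing bytes are not written by this program.
  *(uint64_t*)0x200000c0 = 0;
  *(uint32_t*)0x200000c8 = 0;
  *(uint64_t*)0x200000d0 = 0x20000040;
  *(uint64_t*)0x20000040 = 0x200003c0;
  memcpy(
      (void*)0x200003c0,
      "\x14\x00\x00\x00\x10\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
      "\x00\x0a\x20\x00\x00\x00\x00\x0a\x01\x03\x00\x00\x00\x00\x00\x00\x00\x00"
      "\x01\x00\x00\x00\x09\x00\x01\x00\x73\x79\x7a\x30\x00\x00\x00\x00\x40\x00"
      "\x00\x00\x03\x0a\x01\x02\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00"
      "\x09\x00\x03\x00\x73\x79\x7a\x32\x00\x00\x00\x00\x14\x00\x04\x80\x08\x00"
      "\x02\x40\x32\x65\x65\xa7\x08\x00\x01\x40\x00\x00\x00\x00\x09\x00\x01\x00"
      "\x73\x79\x7a\x30\x00\x00\x00\x00\x48\x00\x00\x00\x06\x0a\x01\x04\x00\x00"
      "\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x08\x00\x0b\x40\x00\x00\x00\x00"
      "\x09\x00\x01\x00\x73\x79\x7a\x30\x00\x00\x00\x00\x20\x00\x04\x80\x1c\x00"
      "\x01\x80\x0b\x00\x01\x00\x72\x65\x6a\x65\x63\x74\x00\x00\x0c\x00\x02\x80"
      "\x08\x00\x01\x40\x00\x00\x00\x01\x14\x00\x00\x00\x11\x00\x01",
      195);
  *(uint64_t*)0x20000048 = 0xd0;
  *(uint64_t*)0x200000d8 = 1;
  *(uint64_t*)0x200000e0 = 0;
  *(uint64_t*)0x200000e8 = 0;
  *(uint32_t*)0x200000f0 = 0;
  syscall(__NR_sendmsg, /*fd=*/r[0], /*msg=*/0x200000c0ul, /*f=*/0ul);

  // socket$inet6_tcp: AF_INET6 (0xa), SOCK_STREAM (1), proto 0 -> r[1]
  res = syscall(__NR_socket, /*domain=*/0xaul, /*type=*/1ul, /*proto=*/0);
  if (res != -1)
    r[1] = res;

  // socket$nl_netfilter -> r[2]
  res = syscall(__NR_socket, /*domain=*/0x10ul, /*type=*/3ul, /*proto=*/0xc);
  if (res != -1)
    r[2] = res;

  // sendmsg$NFT_BATCH on r[2].  Same msghdr slot at 0x200000c0, now with
  // msg_iov = 0x20000080, iov[0] = { 0x20001680, 0x7c } and msg_flags = 0x40001.
  // The 111-byte blob is again a BATCH_BEGIN ... BATCH_END transaction; iov_len
  // 0x7c is larger than the 111 bytes copied.
  *(uint64_t*)0x200000c0 = 0;
  *(uint32_t*)0x200000c8 = 0;
  *(uint64_t*)0x200000d0 = 0x20000080;
  *(uint64_t*)0x20000080 = 0x20001680;
  memcpy((void*)0x20001680,
         "\x14\x00\x00\x00\x10\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x05"
         "\x00\x00\x0a\x28\x00\x00\x00\x00\x0a\x03\x00\x00\x00\x00\x00\x00\x00"
         "\x00\x00\x0a\x00\x00\x07\x08\x00\x02\x40\x00\x00\x00\x02\x09\x00\x01"
         "\x00\x73\x79\x7a\x31\x00\x00\x00\x00\x2c\x00\x00\x00\x03\x0a\x01\x01"
         "\x00\x00\x00\x00\x00\x00\x00\x00\x0a\x00\x00\x07\x09\x00\x01\x00\x73"
         "\x79\x7a\x31\x00\x00\x00\x00\x09\x00\x03\x00\x73\x79\x7a\x32\x00\x00"
         "\x00\x00\x14\x00\x00\x00\x11\x00\x01",
         111);
  *(uint64_t*)0x20000088 = 0x7c;
  *(uint64_t*)0x200000d8 = 1;
  *(uint64_t*)0x200000e0 = 0;
  *(uint64_t*)0x200000e8 = 0;
  *(uint32_t*)0x200000f0 = 0x40001;
  syscall(__NR_sendmsg, /*fd=*/r[2], /*msg=*/0x200000c0ul,
          /*f=MSG_ZEROCOPY|MSG_BATCH|MSG_PROBE|MSG_DONTWAIT|MSG_CONFIRM*/
          0x4040850ul);

  // sendmsg$NFT_BATCH on r[2].  msghdr at 0x20009b40, msg_iov = 0x20009b00,
  // iov[0] = { 0x20000a40, 0x74 }, msg_flags = 0x4000850.  103-byte batch blob;
  // iov_len 0x74 exceeds the bytes copied.
  *(uint64_t*)0x20009b40 = 0;
  *(uint32_t*)0x20009b48 = 0;
  *(uint64_t*)0x20009b50 = 0x20009b00;
  *(uint64_t*)0x20009b00 = 0x20000a40;
  memcpy(
      (void*)0x20000a40,
      "\x14\x00\x00\x00\x10\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x07\x00"
      "\x00\x0a\x4c\x00\x00\x00\x03\x0a\x0f\xdb\x00\x00\x00\x00\x00\x00\x00\x00"
      "\x0a\x00\x20\x05\x09\x00\x03\x00\x73\x79\x7a\x30\x00\x00\x00\x00\x09\x00"
      "\x01\x00\x73\x79\x7a\x31\x00\x00\x00\x00\x14\x00\x04\x80\x08\x00\x02\x40"
      "\x3c\xb1\x40\xbb\x08\x00\x01\x40\x00\x00\x00\x03\x0a\x00\x07\x00\x72\x6f"
      "\x75\x74\x65\x00\x00\x00\x14\x00\x00\x00\x11\x00\x01",
      103);
  *(uint64_t*)0x20009b08 = 0x74;
  *(uint64_t*)0x20009b58 = 1;
  *(uint64_t*)0x20009b60 = 0;
  *(uint64_t*)0x20009b68 = 0;
  *(uint32_t*)0x20009b70 = 0x4000850;
  syscall(__NR_sendmsg, /*fd=*/r[2], /*msg=*/0x20009b40ul,
          /*f=MSG_ZEROCOPY|MSG_FASTOPEN|MSG_DONTWAIT|MSG_CONFIRM*/
          0x24000840ul);

  // socket$nl_netfilter -> r[3]
  res = syscall(__NR_socket, /*domain=*/0x10ul, /*type=*/3ul, /*proto=*/0xc);
  if (res != -1)
    r[3] = res;

  // sendmsg$NFT_BATCH on r[3].  msghdr at 0x2000c2c0, msg_iov = 0x20000200,
  // iov[0] = { 0x200008c0, 0x7c }, msg_flags = 0.  111-byte batch blob.
  *(uint64_t*)0x2000c2c0 = 0;
  *(uint32_t*)0x2000c2c8 = 0;
  *(uint64_t*)0x2000c2d0 = 0x20000200;
  *(uint64_t*)0x20000200 = 0x200008c0;
  memcpy((void*)0x200008c0,
         "\x14\x00\x00\x00\x10\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
         "\x00\x00\x0a\x28\x00\x00\x00\x00\x0a\x01\x01\x00\x00\x00\x00\x5e\x1a"
         "\xff\xd5\x02\x00\x00\x00\x09\x00\x01\x00\x73\x79\x7a\x30\x00\x00\x00"
         "\x00\x08\x00\x02\x40\x00\x00\x00\x03\x2c\x00\x00\x00\x03\x0a\x01\x03"
         "\x00\x00\xe6\xff\x00\x00\x00\x00\x02\x00\x00\x00\x09\x00\x01\x00\x73"
         "\x79\x7a\x30\x00\x00\x00\x00\x09\x00\x03\x00\x73\x79\x7a\x32\x00\x00"
         "\x00\x00\x14\x00\x00\x00\x11\x00\x01",
         111);
  *(uint64_t*)0x20000208 = 0x7c;
  *(uint64_t*)0x2000c2d8 = 1;
  *(uint64_t*)0x2000c2e0 = 0;
  *(uint64_t*)0x2000c2e8 = 0;
  *(uint32_t*)0x2000c2f0 = 0;
  syscall(__NR_sendmsg, /*fd=*/r[3], /*msg=*/0x2000c2c0ul, /*f=*/0ul);

  // sendmsg$NFT_BATCH on r[3], this time assembled field by field.
  // msghdr at 0x20000000: msg_iov = 0x20000040, iov[0] = { 0x20004f40, 0x94 },
  // msg_iovlen = 1, no control data, msg_flags = 0.
  *(uint64_t*)0x20000000 = 0;
  *(uint32_t*)0x20000008 = 0;
  *(uint64_t*)0x20000010 = 0x20000040;
  *(uint64_t*)0x20000040 = 0x20004f40;

  // NFNL_MSG_BATCH_BEGIN: nlmsghdr {len 0x14, type 0x10, flags 1, seq 0, pid 0}
  // + nfgenmsg {family 0, version 0, res_id be16 0xa}.
  *(uint32_t*)0x20004f40 = 0x14;
  *(uint16_t*)0x20004f44 = 0x10;
  *(uint16_t*)0x20004f46 = 1;
  *(uint32_t*)0x20004f48 = 0;
  *(uint32_t*)0x20004f4c = 0;
  *(uint8_t*)0x20004f50 = 0;
  *(uint8_t*)0x20004f51 = 0;
  *(uint16_t*)0x20004f52 = htobe16(0xa);

  // NFT_MSG_NEWRULE: nlmsghdr {len 0x6c, type = (subsys 0xa << 8) | msg 6,
  // flags 0x40b, seq 0, pid 0} + nfgenmsg {family 2, version 0, res_id be16 0}.
  *(uint32_t*)0x20004f54 = 0x6c;
  *(uint8_t*)0x20004f58 = 6;
  *(uint8_t*)0x20004f59 = 0xa;
  *(uint16_t*)0x20004f5a = 0x40b;
  *(uint32_t*)0x20004f5c = 0;
  *(uint32_t*)0x20004f60 = 0;
  *(uint8_t*)0x20004f64 = 2;
  *(uint8_t*)0x20004f65 = 0;
  *(uint16_t*)0x20004f66 = htobe16(0);

  // NFTA_RULE_EXPRESSIONS (nla_len 0x40, type 4, NLA_F_NESTED).  The nla_type
  // field is written in three pieces: 14 bits of type at the even address,
  // then NLA_F_NET_BYTEORDER (bit 6 of the high byte) and NLA_F_NESTED (bit 7
  // of the high byte) via 16-bit read-modify-write stores at the odd address.
  *(uint16_t*)0x20004f68 = 0x40;
  STORE_BY_BITMASK(uint16_t, , 0x20004f6a, 4, 0, 14);
  STORE_BY_BITMASK(uint16_t, , 0x20004f6b, 0, 6, 1);
  STORE_BY_BITMASK(uint16_t, , 0x20004f6b, 1, 7, 1);

  // NFTA_LIST_ELEM (nla_len 0x18, nested): expression "osf" with
  // NFTA_EXPR_NAME "osf" and NFTA_EXPR_DATA { NFTA_OSF_DREG = be32 4 }.
  *(uint16_t*)0x20004f6c = 0x18;
  STORE_BY_BITMASK(uint16_t, , 0x20004f6e, 1, 0, 14);
  STORE_BY_BITMASK(uint16_t, , 0x20004f6f, 0, 6, 1);
  STORE_BY_BITMASK(uint16_t, , 0x20004f6f, 1, 7, 1);
  *(uint16_t*)0x20004f70 = 8;
  *(uint16_t*)0x20004f72 = 1;
  memcpy((void*)0x20004f74, "osf\000", 4);
  *(uint16_t*)0x20004f78 = 0xc;
  STORE_BY_BITMASK(uint16_t, , 0x20004f7a, 2, 0, 14);
  STORE_BY_BITMASK(uint16_t, , 0x20004f7b, 0, 6, 1);
  STORE_BY_BITMASK(uint16_t, , 0x20004f7b, 1, 7, 1);
  *(uint16_t*)0x20004f7c = 8;
  STORE_BY_BITMASK(uint16_t, , 0x20004f7e, 1, 0, 14);
  STORE_BY_BITMASK(uint16_t, , 0x20004f7f, 1, 6, 1);
  STORE_BY_BITMASK(uint16_t, , 0x20004f7f, 0, 7, 1);
  *(uint32_t*)0x20004f80 = htobe32(4);

  // NFTA_LIST_ELEM (nla_len 0x24, nested): expression "meta" with
  // NFTA_EXPR_NAME "meta" and NFTA_EXPR_DATA { NFTA_META_KEY = be32 0xc,
  // NFTA_META_SREG = be32 0x15 }.
  *(uint16_t*)0x20004f84 = 0x24;
  STORE_BY_BITMASK(uint16_t, , 0x20004f86, 1, 0, 14);
  STORE_BY_BITMASK(uint16_t, , 0x20004f87, 0, 6, 1);
  STORE_BY_BITMASK(uint16_t, , 0x20004f87, 1, 7, 1);
  *(uint16_t*)0x20004f88 = 9;
  *(uint16_t*)0x20004f8a = 1;
  memcpy((void*)0x20004f8c, "meta\000", 5);
  *(uint16_t*)0x20004f94 = 0x14;
  STORE_BY_BITMASK(uint16_t, , 0x20004f96, 2, 0, 14);
  STORE_BY_BITMASK(uint16_t, , 0x20004f97, 0, 6, 1);
  STORE_BY_BITMASK(uint16_t, , 0x20004f97, 1, 7, 1);
  *(uint16_t*)0x20004f98 = 8;
  STORE_BY_BITMASK(uint16_t, , 0x20004f9a, 2, 0, 14);
  STORE_BY_BITMASK(uint16_t, , 0x20004f9b, 1, 6, 1);
  STORE_BY_BITMASK(uint16_t, , 0x20004f9b, 0, 7, 1);
  *(uint32_t*)0x20004f9c = htobe32(0xc);
  *(uint16_t*)0x20004fa0 = 8;
  STORE_BY_BITMASK(uint16_t, , 0x20004fa2, 3, 0, 14);
  STORE_BY_BITMASK(uint16_t, , 0x20004fa3, 1, 6, 1);
  STORE_BY_BITMASK(uint16_t, , 0x20004fa3, 0, 7, 1);
  *(uint32_t*)0x20004fa4 = htobe32(0x15);

  // NFTA_RULE_TABLE = "syz0" and NFTA_RULE_CHAIN = "syz2" (nla_len 9 each,
  // padded to 4).
  *(uint16_t*)0x20004fa8 = 9;
  *(uint16_t*)0x20004faa = 1;
  memcpy((void*)0x20004fac, "syz0\000", 5);
  *(uint16_t*)0x20004fb4 = 9;
  *(uint16_t*)0x20004fb6 = 2;
  memcpy((void*)0x20004fb8, "syz2\000", 5);

  // NFNL_MSG_BATCH_END: nlmsghdr {len 0x14, type 0x11, flags 1, seq 0, pid 0}
  // + nfgenmsg {family 1, version 0, res_id be16 0xa}.
  *(uint32_t*)0x20004fc0 = 0x14;
  *(uint16_t*)0x20004fc4 = 0x11;
  *(uint16_t*)0x20004fc6 = 1;
  *(uint32_t*)0x20004fc8 = 0;
  *(uint32_t*)0x20004fcc = 0;
  *(uint8_t*)0x20004fd0 = 1;
  *(uint8_t*)0x20004fd1 = 0;
  *(uint16_t*)0x20004fd2 = htobe16(0xa);

  *(uint64_t*)0x20000048 = 0x94;
  *(uint64_t*)0x20000018 = 1;
  *(uint64_t*)0x20000020 = 0;
  *(uint64_t*)0x20000028 = 0;
  *(uint32_t*)0x20000030 = 0;
  syscall(__NR_sendmsg, /*fd=*/r[3], /*msg=*/0x20000000ul, /*f=*/0ul);

  // sendto$inet6 on r[1] with a NULL, zero-length buffer.  sockaddr_in6 at
  // 0x20b63fe4 (0x1c bytes, ending exactly at 0x20b64000, still inside the
  // scratch mapping): family AF_INET6 (0xa), port be16 2, flowinfo be32
  // 0x80000000, address all-zero, scope_id 0.
  *(uint16_t*)0x20b63fe4 = 0xa;
  *(uint16_t*)0x20b63fe6 = htobe16(2);
  *(uint32_t*)0x20b63fe8 = htobe32(0x80000000);
  memset((void*)0x20b63fec, 0, 16);
  *(uint32_t*)0x20b63ffc = 0;
  syscall(__NR_sendto, /*fd=*/r[1], /*buf=*/0ul, /*len=*/0ul,
          /*f=MSG_FASTOPEN|MSG_NOSIGNAL|0x2*/ 0x20004002ul,
          /*addr=*/0x20b63fe4ul, /*addrlen=*/0x1cul);
  return 0;
}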