// https://syzkaller.appspot.com/bug?id=804e1b658b228d3a9d8f5683bd5ad23b5767d126
// autogenerated by syzkaller (https://github.com/google/syzkaller)
//
// Reproducer layout (all of it is in this one file):
//   1. helpers for writing procfs/sysfs files and for building/sending
//      netlink (generic netlink, rtnetlink) messages into a fixed buffer;
//   2. mac80211_hwsim / nl80211 setup that creates two virtual radios
//      (wlan0, wlan1) and joins them to one IBSS, then waits for both to
//      report IF_OPER_UP;
//   3. the sandbox: namespaces, rlimits, capability drop, binderfs/fusectl
//      mounts, a fork-per-iteration driver with a 5 s kill timeout;
//   4. execute_one(): the actual syscall sequence syzkaller minimised,
//      written as raw stores into a fixed RWX scratch mapping at 0x20000000.
//
// NOTE(review): the header names after each #include were lost when this
// page was extracted (40 bare directives remain). The file will not
// preprocess as shown; restore the include list from the original
// reproducer before building.
#define _GNU_SOURCE
#include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include

// Sleep for `ms` milliseconds (usleep takes microseconds).
static void sleep_ms(uint64_t ms)
{
  usleep(ms * 1000);
}

// Monotonic wall clock in milliseconds; exits the process if
// clock_gettime fails (the driver loop cannot run without it).
static uint64_t current_time_ms(void)
{
  struct timespec ts;
  if (clock_gettime(CLOCK_MONOTONIC, &ts))
    exit(1);
  return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}

// Mask of bf_len bits starting at bit bf_off (bf_len must be < 64).
#define BITMASK(bf_off, bf_len) (((1ull << (bf_len)) - 1) << (bf_off))
// Read-modify-write of a bitfield inside the integer of type `type` at
// `addr`; `htobe` is an optional byte-swap macro (passed empty below).
// Note the store goes through an unaligned raw pointer — fine for the
// syzkaller scratch region on x86, not portable in general.
#define STORE_BY_BITMASK(type, htobe, addr, val, bf_off, bf_len) \
  *(type*)(addr) =                                               \
      htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | \
            (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len))))

// Formats `what` (printf-style) into a 1 KiB buffer and writes it to
// `file` in one write(2). Returns false (errno preserved) if the file
// cannot be opened or the write is short.
// `what` is used as a format string: every caller in this file passes a
// string literal, which is what keeps this safe.
static bool write_file(const char* file, const char* what, ...)
{
  char buf[1024];
  va_list args;
  va_start(args, what);
  vsnprintf(buf, sizeof(buf), what, args);
  va_end(args);
  buf[sizeof(buf) - 1] = 0;
  int len = strlen(buf);
  int fd = open(file, O_WRONLY | O_CLOEXEC);
  if (fd == -1)
    return false;
  if (write(fd, buf, len) != len) {
    int err = errno;
    close(fd);
    errno = err;
    return false;
  }
  close(fd);
  return true;
}

// In-memory netlink message under construction.
struct nlmsg {
  char* pos;                  // next free byte inside buf
  int nesting;                // depth of open nested attributes (unused here)
  struct nlattr* nested[8];   // stack of open nested attributes (unused here)
  char buf[4096];             // the message; also reused for the reply
};

// Reset `nlmsg` and start a message of type `typ` with flags
// NLM_F_REQUEST | NLM_F_ACK | `flags`, followed by `size` bytes of
// protocol-specific header from `data`. nlmsg_len is filled in at send time.
static void netlink_init(struct nlmsg* nlmsg, int typ, int flags,
                         const void* data, int size)
{
  memset(nlmsg, 0, sizeof(*nlmsg));
  struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf;
  hdr->nlmsg_type = typ;
  hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags;
  memcpy(hdr + 1, data, size);
  nlmsg->pos = (char*)(hdr + 1) + NLMSG_ALIGN(size);
}

// Append one flat attribute (type `typ`, `size` payload bytes from `data`;
// size 0 gives a flag attribute). There is no bounds check against buf
// here — netlink_send_ext() only detects an overrun after the fact, so
// callers must keep messages well under 4 KiB (all callers here do).
static void netlink_attr(struct nlmsg* nlmsg, int typ, const void* data,
                         int size)
{
  struct nlattr* attr = (struct nlattr*)nlmsg->pos;
  attr->nla_len = sizeof(*attr) + size;
  attr->nla_type = typ;
  if (size > 0)
    memcpy(attr + 1, data, size);
  nlmsg->pos += NLMSG_ALIGN(attr->nla_len);
}

// Send the message on `sock` and read exactly one reply into nlmsg->buf.
// Returns:
//   0            — reply was NLMSG_DONE, or matched `reply_type`
//                  (then *reply_len = bytes received), or a zero-error ACK;
//   -errno (<0)  — the kernel answered with NLMSG_ERROR carrying an error;
//   -1           — local failure (short send, recv error, malformed or
//                  unexpected reply; errno is set to EINVAL for the latter).
// With dofail set, every local failure exits the process instead.
// Exits if a previous netlink_attr() ran past the end of buf or a nested
// attribute is still open.
static int netlink_send_ext(struct nlmsg* nlmsg, int sock, uint16_t reply_type,
                            int* reply_len, bool dofail)
{
  if (nlmsg->pos > nlmsg->buf + sizeof(nlmsg->buf) || nlmsg->nesting)
    exit(1);
  struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf;
  hdr->nlmsg_len = nlmsg->pos - nlmsg->buf;
  struct sockaddr_nl addr;
  memset(&addr, 0, sizeof(addr));
  addr.nl_family = AF_NETLINK;
  ssize_t n = sendto(sock, nlmsg->buf, hdr->nlmsg_len, 0,
                     (struct sockaddr*)&addr, sizeof(addr));
  if (n != (ssize_t)hdr->nlmsg_len) {
    if (dofail)
      exit(1);
    return -1;
  }
  // The reply overwrites the request in the same buffer.
  n = recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0);
  if (reply_len)
    *reply_len = 0;
  if (n < 0) {
    if (dofail)
      exit(1);
    return -1;
  }
  if (n < (ssize_t)sizeof(struct nlmsghdr)) {
    errno = EINVAL;
    if (dofail)
      exit(1);
    return -1;
  }
  if (hdr->nlmsg_type == NLMSG_DONE)
    return 0;
  if (reply_len && hdr->nlmsg_type == reply_type) {
    *reply_len = n;
    return 0;
  }
  if (n < (ssize_t)(sizeof(struct nlmsghdr) + sizeof(struct nlmsgerr))) {
    errno = EINVAL;
    if (dofail)
      exit(1);
    return -1;
  }
  if (hdr->nlmsg_type != NLMSG_ERROR) {
    errno = EINVAL;
    if (dofail)
      exit(1);
    return -1;
  }
  // nlmsgerr.error is a negative errno; 0 means a plain ACK.
  errno = -((struct nlmsgerr*)(hdr + 1))->error;
  return -errno;
}

// Send with no typed reply expected; any local failure is fatal.
static int netlink_send(struct nlmsg* nlmsg, int sock)
{
  return netlink_send_ext(nlmsg, sock, 0, NULL, true);
}

// Resolve a generic-netlink family name (e.g. "nl80211") to its numeric
// id via CTRL_CMD_GETFAMILY. Returns the id (>0) or -1 (errno EINVAL if
// the reply carried no CTRL_ATTR_FAMILY_ID). The attribute walk trusts
// the kernel's nla_len values; the trailing recv() drains the message
// that follows the reply (presumably the ACK) and ignores its result.
static int netlink_query_family_id(struct nlmsg* nlmsg, int sock,
                                   const char* family_name, bool dofail)
{
  struct genlmsghdr genlhdr;
  memset(&genlhdr, 0, sizeof(genlhdr));
  genlhdr.cmd = CTRL_CMD_GETFAMILY;
  netlink_init(nlmsg, GENL_ID_CTRL, 0, &genlhdr, sizeof(genlhdr));
  netlink_attr(nlmsg, CTRL_ATTR_FAMILY_NAME, family_name,
               strnlen(family_name, GENL_NAMSIZ - 1) + 1);
  int n = 0;
  int err = netlink_send_ext(nlmsg, sock, GENL_ID_CTRL, &n, dofail);
  if (err < 0) {
    return -1;
  }
  uint16_t id = 0;
  struct nlattr* attr = (struct nlattr*)(nlmsg->buf + NLMSG_HDRLEN +
                                         NLMSG_ALIGN(sizeof(genlhdr)));
  for (; (char*)attr < nlmsg->buf + n;
       attr = (struct nlattr*)((char*)attr + NLMSG_ALIGN(attr->nla_len))) {
    if (attr->nla_type == CTRL_ATTR_FAMILY_ID) {
      id = *(uint16_t*)(attr + 1);
      break;
    }
  }
  if (!id) {
    errno = EINVAL;
    return -1;
  }
  recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0);
  return id;
}

// Shared message buffer for the setup code (not for execute_one()).
static struct nlmsg nlmsg;

// --- mac80211_hwsim / nl80211 setup constants ---------------------------
#define WIFI_INITIAL_DEVICE_COUNT 2
// Radio MAC prefix; byte 5 is overwritten with the device index (0, 1).
#define WIFI_MAC_BASE \
  {                   \
    0x08, 0x02, 0x11, 0x00, 0x00, 0x00 \
  }
#define WIFI_IBSS_BSSID \
  {                     \
    0x50, 0x50, 0x50, 0x50, 0x50, 0x50 \
  }
#define WIFI_IBSS_SSID \
  {                    \
    0x10, 0x10, 0x10, 0x10, 0x10, 0x10 \
  }
#define WIFI_DEFAULT_FREQUENCY 2412
#define WIFI_DEFAULT_SIGNAL 0
#define WIFI_DEFAULT_RX_RATE 1
// Numeric HWSIM_* values are hard-coded because the hwsim UAPI header is
// not a standard system include.
#define HWSIM_CMD_REGISTER 1
#define HWSIM_CMD_FRAME 2
#define HWSIM_CMD_NEW_RADIO 4
#define HWSIM_ATTR_SUPPORT_P2P_DEVICE 14
#define HWSIM_ATTR_PERM_ADDR 22
#define IF_OPER_UP 6

// Parameters for NL80211_CMD_JOIN_IBSS.
struct join_ibss_props {
  int wiphy_freq;         // MHz
  bool wiphy_freq_fixed;  // emit NL80211_ATTR_FREQ_FIXED
  uint8_t* mac;           // BSSID (ETH_ALEN bytes) or NULL
  uint8_t* ssid;
  int ssid_len;
};

// Set or clear IFF_UP on `interface_name` via SIOCGIFFLAGS/SIOCSIFFLAGS.
// Returns 0 on success, -1 on any failure. `interface_name` is copied
// with strcpy into the IFNAMSIZ-byte ifr_name; the only callers pass
// "wlan0"/"wlan1", so it cannot overflow here.
static int set_interface_state(const char* interface_name, int on)
{
  struct ifreq ifr;
  int sock = socket(AF_INET, SOCK_DGRAM, 0);
  if (sock < 0) {
    return -1;
  }
  memset(&ifr, 0, sizeof(ifr));
  strcpy(ifr.ifr_name, interface_name);
  int ret = ioctl(sock, SIOCGIFFLAGS, &ifr);
  if (ret < 0) {
    close(sock);
    return -1;
  }
  if (on)
    ifr.ifr_flags |= IFF_UP;
  else
    ifr.ifr_flags &= ~IFF_UP;
  ret = ioctl(sock, SIOCSIFFLAGS, &ifr);
  close(sock);
  if (ret < 0) {
    return -1;
  }
  return 0;
}

// NL80211_CMD_SET_INTERFACE: change `ifindex` to `iftype`.
// Returns netlink_send_ext()'s result (0 / -errno / -1).
static int nl80211_set_interface(struct nlmsg* nlmsg, int sock,
                                 int nl80211_family, uint32_t ifindex,
                                 uint32_t iftype, bool dofail)
{
  struct genlmsghdr genlhdr;
  memset(&genlhdr, 0, sizeof(genlhdr));
  genlhdr.cmd = NL80211_CMD_SET_INTERFACE;
  netlink_init(nlmsg, nl80211_family, 0, &genlhdr, sizeof(genlhdr));
  netlink_attr(nlmsg, NL80211_ATTR_IFINDEX, &ifindex, sizeof(ifindex));
  netlink_attr(nlmsg, NL80211_ATTR_IFTYPE, &iftype, sizeof(iftype));
  int err = netlink_send_ext(nlmsg, sock, 0, NULL, dofail);
  if (err < 0) {
    // Error is reported through the return value only.
  }
  return err;
}

// NL80211_CMD_JOIN_IBSS for `ifindex` with the SSID/frequency/BSSID in
// `props`. Returns netlink_send_ext()'s result.
static int nl80211_join_ibss(struct nlmsg* nlmsg, int sock, int nl80211_family,
                             uint32_t ifindex, struct join_ibss_props* props,
                             bool dofail)
{
  struct genlmsghdr genlhdr;
  memset(&genlhdr, 0, sizeof(genlhdr));
  genlhdr.cmd = NL80211_CMD_JOIN_IBSS;
  netlink_init(nlmsg, nl80211_family, 0, &genlhdr, sizeof(genlhdr));
  netlink_attr(nlmsg, NL80211_ATTR_IFINDEX, &ifindex, sizeof(ifindex));
  netlink_attr(nlmsg, NL80211_ATTR_SSID, props->ssid, props->ssid_len);
  netlink_attr(nlmsg, NL80211_ATTR_WIPHY_FREQ, &(props->wiphy_freq),
               sizeof(props->wiphy_freq));
  if (props->mac)
    netlink_attr(nlmsg, NL80211_ATTR_MAC, props->mac, ETH_ALEN);
  if (props->wiphy_freq_fixed)
    netlink_attr(nlmsg, NL80211_ATTR_FREQ_FIXED, NULL, 0);
  int err = netlink_send_ext(nlmsg, sock, 0, NULL, dofail);
  if (err < 0) {
    // Error is reported through the return value only.
  }
  return err;
}

// RTM_GETLINK for `ifindex`; returns the IFLA_OPERSTATE value from the
// RTM_NEWLINK reply, or -1 if the socket, the request, or the attribute
// lookup fails. `n` is only read after a successful send, at which point
// netlink_send_ext() has set it.
static int get_ifla_operstate(struct nlmsg* nlmsg, int ifindex, bool dofail)
{
  struct ifinfomsg info;
  memset(&info, 0, sizeof(info));
  info.ifi_family = AF_UNSPEC;
  info.ifi_index = ifindex;
  int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
  if (sock == -1) {
    return -1;
  }
  netlink_init(nlmsg, RTM_GETLINK, 0, &info, sizeof(info));
  int n;
  int err = netlink_send_ext(nlmsg, sock, RTM_NEWLINK, &n, dofail);
  close(sock);
  if (err) {
    return -1;
  }
  struct rtattr* attr = IFLA_RTA(NLMSG_DATA(nlmsg->buf));
  for (; RTA_OK(attr, n); attr = RTA_NEXT(attr, n)) {
    if (attr->rta_type == IFLA_OPERSTATE)
      return *((int32_t*)RTA_DATA(attr));
  }
  return -1;
}

// Poll (1 ms) until `interface` reports `operstate`. Returns 0 once it
// does, or the negative result of get_ifla_operstate() on failure.
// There is no timeout: a link that never comes up blocks forever
// (unless dofail makes an intermediate error fatal). The trailing
// `return 0` is unreachable.
static int await_ifla_operstate(struct nlmsg* nlmsg, char* interface,
                                int operstate, bool dofail)
{
  int ifindex = if_nametoindex(interface);
  while (true) {
    usleep(1000);
    int ret = get_ifla_operstate(nlmsg, ifindex, dofail);
    if (ret < 0)
      return ret;
    if (ret == operstate)
      return 0;
  }
  return 0;
}

// Put `interface` into ad-hoc mode, bring it up, and join the IBSS
// described by `ibss_props`. Returns 0 or -1.
static int nl80211_setup_ibss_interface(struct nlmsg* nlmsg, int sock,
                                        int nl80211_family_id, char* interface,
                                        struct join_ibss_props* ibss_props,
                                        bool dofail)
{
  int ifindex = if_nametoindex(interface);
  if (ifindex == 0) {
    return -1;
  }
  int ret = nl80211_set_interface(nlmsg, sock, nl80211_family_id, ifindex,
                                  NL80211_IFTYPE_ADHOC, dofail);
  if (ret < 0) {
    return -1;
  }
  ret = set_interface_state(interface, 1);
  if (ret < 0) {
    return -1;
  }
  ret = nl80211_join_ibss(nlmsg, sock, nl80211_family_id, ifindex, ibss_props,
                          dofail);
  if (ret < 0) {
    return -1;
  }
  return 0;
}

// HWSIM_CMD_NEW_RADIO with a fixed permanent MAC; the kernel names the
// resulting interface wlanN. Any local failure exits (netlink_send).
static int hwsim80211_create_device(struct nlmsg* nlmsg, int sock,
                                    int hwsim_family,
                                    uint8_t mac_addr[ETH_ALEN])
{
  struct genlmsghdr genlhdr;
  memset(&genlhdr, 0, sizeof(genlhdr));
  genlhdr.cmd = HWSIM_CMD_NEW_RADIO;
  netlink_init(nlmsg, hwsim_family, 0, &genlhdr, sizeof(genlhdr));
  netlink_attr(nlmsg, HWSIM_ATTR_SUPPORT_P2P_DEVICE, NULL, 0);
  netlink_attr(nlmsg, HWSIM_ATTR_PERM_ADDR, mac_addr, ETH_ALEN);
  int err = netlink_send(nlmsg, sock);
  if (err < 0) {
    // Error is reported through the return value only.
  }
  return err;
}

// Create WIFI_INITIAL_DEVICE_COUNT hwsim radios (MACs 08:02:11:00:00:0N,
// interfaces wlan0..), join them all to one IBSS, then wait for each to
// reach IF_OPER_UP. Every failure exits the process. Runs inside the
// fresh network namespace created by do_sandbox_none().
static void initialize_wifi_devices(void)
{
  // Unblock all rfkill switches (all-zero event except type/op).
  int rfkill = open("/dev/rfkill", O_RDWR);
  if (rfkill == -1)
    exit(1);
  struct rfkill_event event = {0};
  event.type = RFKILL_TYPE_ALL;
  event.op = RFKILL_OP_CHANGE_ALL;
  if (write(rfkill, &event, sizeof(event)) != (ssize_t)(sizeof(event)))
    exit(1);
  close(rfkill);
  uint8_t mac_addr[6] = WIFI_MAC_BASE;
  int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC);
  if (sock < 0)
    exit(1);
  int hwsim_family_id =
      netlink_query_family_id(&nlmsg, sock, "MAC80211_HWSIM", true);
  int nl80211_family_id =
      netlink_query_family_id(&nlmsg, sock, "nl80211", true);
  uint8_t ssid[] = WIFI_IBSS_SSID;
  uint8_t bssid[] = WIFI_IBSS_BSSID;
  struct join_ibss_props ibss_props = {.wiphy_freq = WIFI_DEFAULT_FREQUENCY,
                                       .wiphy_freq_fixed = true,
                                       .mac = bssid,
                                       .ssid = ssid,
                                       .ssid_len = sizeof(ssid)};
  for (int device_id = 0; device_id < WIFI_INITIAL_DEVICE_COUNT; device_id++) {
    mac_addr[5] = device_id;
    int ret = hwsim80211_create_device(&nlmsg, sock, hwsim_family_id, mac_addr);
    if (ret < 0)
      exit(1);
    // "wlan0" + device_id in the last digit (works for device_id < 10).
    char interface[6] = "wlan0";
    interface[4] += device_id;
    if (nl80211_setup_ibss_interface(&nlmsg, sock, nl80211_family_id,
                                     interface, &ibss_props, true) < 0)
      exit(1);
  }
  for (int device_id = 0; device_id < WIFI_INITIAL_DEVICE_COUNT; device_id++) {
    char interface[6] = "wlan0";
    interface[4] += device_id;
    int ret = await_ifla_operstate(&nlmsg, interface, IF_OPER_UP, true);
    if (ret < 0)
      exit(1);
  }
  close(sock);
}

// Highest fd (exclusive) closed after each test iteration.
#define MAX_FDS 30

// syzkaller pseudo-syscall: generic-netlink family id for the NUL-terminated
// name at address `name`. Uses `sock_arg` if it is a valid fd, else opens
// (and afterwards closes) a temporary NETLINK_GENERIC socket. Returns the
// id or -1. Uses its own 4 KiB+ message buffer on the stack.
static long syz_genetlink_get_family_id(volatile long name,
                                        volatile long sock_arg)
{
  int fd = sock_arg;
  if (fd < 0) {
    fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC);
    if (fd == -1) {
      return -1;
    }
  }
  struct nlmsg nlmsg_tmp;
  int ret = netlink_query_family_id(&nlmsg_tmp, fd, (char*)name, false);
  if ((int)sock_arg < 0)
    close(fd);
  if (ret < 0) {
    return -1;
  }
  return ret;
}

// Mount fusectl so kill_and_wait() can abort stuck FUSE connections.
// Failure is ignored.
static void setup_common()
{
  if (mount(0, "/sys/fs/fuse/connections", "fusectl", 0, 0)) {
  }
}

// Best-effort binderfs mount plus a ./binderfs symlink; all failures ignored.
static void setup_binderfs()
{
  if (mkdir("/dev/binderfs", 0777)) {
  }
  if (mount("binder", "/dev/binderfs", "binder", 0, NULL)) {
  }
  if (symlink("/dev/binderfs", "./binderfs")) {
  }
}

static void loop();

// Per-sandbox process setup: die with the parent, own session, rlimits,
// private mount/IPC/cgroup/UTS/SysV-sem namespaces, and generous SysV
// IPC sysctls. Namespace failures (e.g. missing privileges) are ignored.
static void sandbox_common()
{
  prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
  setsid();
  struct rlimit rlim;
  rlim.rlim_cur = rlim.rlim_max = (200 << 20);  // 200 MiB address space
  setrlimit(RLIMIT_AS, &rlim);
  rlim.rlim_cur = rlim.rlim_max = 32 << 20;
  setrlimit(RLIMIT_MEMLOCK, &rlim);
  rlim.rlim_cur = rlim.rlim_max = 136 << 20;
  setrlimit(RLIMIT_FSIZE, &rlim);
  rlim.rlim_cur = rlim.rlim_max = 1 << 20;
  setrlimit(RLIMIT_STACK, &rlim);
  rlim.rlim_cur = rlim.rlim_max = 128 << 20;
  setrlimit(RLIMIT_CORE, &rlim);
  rlim.rlim_cur = rlim.rlim_max = 256;
  setrlimit(RLIMIT_NOFILE, &rlim);
  if (unshare(CLONE_NEWNS)) {
  }
  // Make the whole tree private so mounts below do not leak to the host.
  if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL)) {
  }
  if (unshare(CLONE_NEWIPC)) {
  }
  // 0x02000000 is CLONE_NEWCGROUP, spelled numerically for old headers.
  if (unshare(0x02000000)) {
  }
  if (unshare(CLONE_NEWUTS)) {
  }
  if (unshare(CLONE_SYSVSEM)) {
  }
  typedef struct {
    const char* name;
    const char* value;
  } sysctl_t;
  static const sysctl_t sysctls[] = {
      {"/proc/sys/kernel/shmmax", "16777216"},
      {"/proc/sys/kernel/shmall", "536870912"},
      {"/proc/sys/kernel/shmmni", "1024"},
      {"/proc/sys/kernel/msgmax", "8192"},
      {"/proc/sys/kernel/msgmni", "1024"},
      {"/proc/sys/kernel/msgmnb", "1024"},
      {"/proc/sys/kernel/sem", "1024 1048576 500 1024"},
  };
  unsigned i;
  for (i = 0; i < sizeof(sysctls) / sizeof(sysctls[0]); i++)
    write_file(sysctls[i].name, sysctls[i].value);
}

// Reap `pid` (any other reaped child is ignored) and return its exit
// status. A negative pid (fork failure) is fatal.
static int wait_for_loop(int pid)
{
  if (pid < 0)
    exit(1);
  int status = 0;
  while (waitpid(-1, &status, __WALL) != pid) {
  }
  return WEXITSTATUS(status);
}

// Remove CAP_SYS_PTRACE and CAP_SYS_NICE from all three capability sets
// (first 32-bit word only — both bits fit there). capget/capset failure
// is fatal.
static void drop_caps(void)
{
  struct __user_cap_header_struct cap_hdr = {};
  struct __user_cap_data_struct cap_data[2] = {};
  cap_hdr.version = _LINUX_CAPABILITY_VERSION_3;
  cap_hdr.pid = getpid();
  if (syscall(SYS_capget, &cap_hdr, &cap_data))
    exit(1);
  const int drop = (1 << CAP_SYS_PTRACE) | (1 << CAP_SYS_NICE);
  cap_data[0].effective &= ~drop;
  cap_data[0].permitted &= ~drop;
  cap_data[0].inheritable &= ~drop;
  if (syscall(SYS_capset, &cap_hdr, &cap_data))
    exit(1);
}

// "none" sandbox: new PID namespace, fork; the parent just waits. The
// child sets up namespaces/limits, drops two capabilities, enters a new
// network namespace, enables unprivileged ICMP sockets, creates the hwsim
// radios, mounts binderfs and runs loop() (which never returns).
static int do_sandbox_none(void)
{
  if (unshare(CLONE_NEWPID)) {
  }
  int pid = fork();
  if (pid != 0)
    return wait_for_loop(pid);
  setup_common();
  sandbox_common();
  drop_caps();
  if (unshare(CLONE_NEWNET)) {
  }
  write_file("/proc/sys/net/ipv4/ping_group_range", "0 65535");
  initialize_wifi_devices();
  setup_binderfs();
  loop();
  exit(1);
}

// SIGKILL the test process group and `pid`, poll ~100 ms for it to exit,
// then abort every FUSE connection (a stuck FUSE request would otherwise
// keep the process unkillable) and block until it is reaped.
// The abort file only needs *some* byte written, which is why the path
// buffer itself is used as the write source.
static void kill_and_wait(int pid, int* status)
{
  kill(-pid, SIGKILL);
  kill(pid, SIGKILL);
  for (int i = 0; i < 100; i++) {
    if (waitpid(-1, status, WNOHANG | __WALL) == pid)
      return;
    usleep(1000);
  }
  DIR* dir = opendir("/sys/fs/fuse/connections");
  if (dir) {
    for (;;) {
      struct dirent* ent = readdir(dir);
      if (!ent)
        break;
      if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
        continue;
      char abort[300];
      snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort",
               ent->d_name);
      int fd = open(abort, O_WRONLY);
      if (fd == -1) {
        continue;
      }
      if (write(fd, abort, 1) < 0) {
      }
      close(fd);
    }
    closedir(dir);
  } else {
  }
  while (waitpid(-1, status, __WALL) != pid) {
  }
}

// Per-iteration child setup: die with the parent, own process group
// (so kill(-pid) reaches descendants), prefer being OOM-killed.
static void setup_test()
{
  prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
  setpgrp();
  write_file("/proc/self/oom_score_adj", "1000");
}

// Close every fd the test may have opened (stdio is kept).
static void close_fds()
{
  for (int fd = 3; fd < MAX_FDS; fd++)
    close(fd);
}

static void execute_one(void);
#define WAIT_FLAGS __WALL

// Driver: forever fork a child that runs execute_one() once; give it
// 5 s, then kill_and_wait(). `iter` is counted but not otherwise used.
static void loop(void)
{
  int iter = 0;
  for (;; iter++) {
    int pid = fork();
    if (pid < 0)
      exit(1);
    if (pid == 0) {
      setup_test();
      execute_one();
      close_fds();
      exit(0);
    }
    int status = 0;
    uint64_t start = current_time_ms();
    for (;;) {
      if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
        break;
      sleep_ms(1);
      if (current_time_ms() - start < 5000)
        continue;
      kill_and_wait(pid, &status);
      break;
    }
  }
}

// Results of earlier syscalls reused by later ones (syzkaller "resources").
// 0xffffffffffffffff marks "not obtained"; r[1]/r[2] start at 0.
//   r[0] nl80211 genetlink socket   r[1] nl80211 family id
//   r[2] ifindex of wlan0           r[3]/r[4] pipe read/write ends
//   r[5] second genetlink socket    r[6] nl80211 family id (again)
//   r[7] netlink socket, proto 0xc  r[8] ifindex of wlan1
uint64_t r[9] = {0xffffffffffffffff, 0x0, 0x0, 0xffffffffffffffff,
                 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff,
                 0xffffffffffffffff, 0xffffffffffffffff};

// The minimised syscall sequence. All message buffers live in the fixed
// RWX mapping at 0x20000000 set up by main(); each store below fills one
// field of a struct msghdr / iovec / nlmsghdr / genlmsghdr / nlattr.
// Return values are ignored unless a later step needs them.
void execute_one(void)
{
  intptr_t res = 0;
  if (write(1, "executing program\n", sizeof("executing program\n") - 1)) {
  }
  // socket(AF_NETLINK=0x10, SOCK_RAW=3, NETLINK_GENERIC=0x10)
  res = syscall(__NR_socket, /*domain=*/0x10ul, /*type=*/3ul, /*proto=*/0x10);
  if (res != -1)
    r[0] = res;
  memcpy((void*)0x20000080, "nl80211\000", 8);
  res = -1;
  res = syz_genetlink_get_family_id(/*name=*/0x20000080, /*fd=*/-1);
  if (res != -1)
    r[1] = res;
  // ioctl(SIOCGIFINDEX = 0x8933) on an ifreq naming "wlan0";
  // ifr_ifindex sits 16 bytes into the struct (0x200000d0).
  memcpy((void*)0x200000c0,
         "wlan0\000\000\000\000\000\000\000\000\000\000\000", 16);
  res = syscall(__NR_ioctl, /*fd=*/r[0], /*cmd=*/0x8933,
                /*arg=*/0x200000c0ul);
  if (res != -1)
    r[2] = *(uint32_t*)0x200000d0;

  // --- sendmsg #1 on r[0]: msghdr @0x20000100 -> iov @0x20000140 ->
  //     36-byte nl80211 message @0x20000180.
  *(uint64_t*)0x20000100 = 0;            // msg_name
  *(uint32_t*)0x20000108 = 0;            // msg_namelen
  *(uint64_t*)0x20000110 = 0x20000140;   // msg_iov
  *(uint64_t*)0x20000140 = 0x20000180;   // iov_base
  *(uint32_t*)0x20000180 = 0x24;         // nlmsg_len = 36
  *(uint16_t*)0x20000184 = r[1];         // nlmsg_type = nl80211 family
  *(uint16_t*)0x20000186 = 5;            // nlmsg_flags (REQUEST|ACK)
  *(uint32_t*)0x20000188 = 0;            // nlmsg_seq
  *(uint32_t*)0x2000018c = 0;            // nlmsg_pid
  // genl cmd 6 — appears to be NL80211_CMD_SET_INTERFACE (the setup code
  // above uses it by name); verify against nl80211.h.
  *(uint8_t*)0x20000190 = 6;
  *(uint8_t*)0x20000191 = 0;             // genl version
  *(uint16_t*)0x20000192 = 0;            // genl reserved
  *(uint16_t*)0x20000194 = 8;            // attr: len 8, type 3 (IFINDEX)
  *(uint16_t*)0x20000196 = 3;
  *(uint32_t*)0x20000198 = r[2];         //   = wlan0
  *(uint16_t*)0x2000019c = 8;            // attr: len 8, type 5 (IFTYPE)
  *(uint16_t*)0x2000019e = 5;
  *(uint32_t*)0x200001a0 = 3;            //   iftype 3 — presumably AP; verify
  *(uint64_t*)0x20000148 = 0x24;         // iov_len
  *(uint64_t*)0x20000118 = 1;            // msg_iovlen
  *(uint64_t*)0x20000120 = 0;            // msg_control
  *(uint64_t*)0x20000128 = 0;            // msg_controllen
  *(uint32_t*)0x20000130 = 0;            // msg_flags
  syscall(__NR_sendmsg, /*fd=*/r[0], /*msg=*/0x20000100ul, /*f=*/0ul);

  // --- sendmsg #2 on r[0]: msghdr @0x200001c0 -> iov @0x20000200 ->
  //     116-byte nl80211 message @0x20000240 carrying a 36-byte beacon
  //     head, frequency 2412 (WIFI_DEFAULT_FREQUENCY), SSID, auth type.
  *(uint64_t*)0x200001c0 = 0;
  *(uint32_t*)0x200001c8 = 0;
  *(uint64_t*)0x200001d0 = 0x20000200;
  *(uint64_t*)0x20000200 = 0x20000240;
  *(uint32_t*)0x20000240 = 0x74;         // nlmsg_len = 116
  *(uint16_t*)0x20000244 = r[1];
  *(uint16_t*)0x20000246 = 5;
  *(uint32_t*)0x20000248 = 0;
  *(uint32_t*)0x2000024c = 0;
  // genl cmd 0xf — looks like NL80211_CMD_START_AP; verify against nl80211.h.
  *(uint8_t*)0x20000250 = 0xf;
  *(uint8_t*)0x20000251 = 0;
  *(uint16_t*)0x20000252 = 0;
  *(uint16_t*)0x20000254 = 8;            // attr: IFINDEX = wlan0
  *(uint16_t*)0x20000256 = 3;
  *(uint32_t*)0x20000258 = r[2];
  *(uint16_t*)0x2000025c = 0x28;         // attr: len 40, type 0xe (beacon head?)
  *(uint16_t*)0x2000025e = 0xe;
  // 802.11 frame control @0x260: version 0, type 0, subtype 8 (beacon);
  // all flag bits @0x261 cleared; duration @0x262 = 0.
  STORE_BY_BITMASK(uint8_t, , 0x20000260, 0, 0, 2);
  STORE_BY_BITMASK(uint8_t, , 0x20000260, 0, 2, 2);
  STORE_BY_BITMASK(uint8_t, , 0x20000260, 8, 4, 4);
  STORE_BY_BITMASK(uint8_t, , 0x20000261, 0, 0, 1);
  STORE_BY_BITMASK(uint8_t, , 0x20000261, 0, 1, 1);
  STORE_BY_BITMASK(uint8_t, , 0x20000261, 0, 2, 1);
  STORE_BY_BITMASK(uint8_t, , 0x20000261, 0, 3, 1);
  STORE_BY_BITMASK(uint8_t, , 0x20000261, 0, 4, 1);
  STORE_BY_BITMASK(uint8_t, , 0x20000261, 0, 5, 1);
  STORE_BY_BITMASK(uint8_t, , 0x20000261, 0, 6, 1);
  STORE_BY_BITMASK(uint8_t, , 0x20000261, 0, 7, 1);
  STORE_BY_BITMASK(uint16_t, , 0x20000262, 0, 0, 15);
  STORE_BY_BITMASK(uint16_t, , 0x20000263, 0, 7, 1);
  memset((void*)0x20000264, 255, 6);     // DA = ff:ff:ff:ff:ff:ff
  *(uint8_t*)0x2000026a = 8;             // SA = 08:02:11:00:00:00 (wlan0's MAC)
  *(uint8_t*)0x2000026b = 2;
  *(uint8_t*)0x2000026c = 0x11;
  *(uint8_t*)0x2000026d = 0;
  *(uint8_t*)0x2000026e = 0;
  *(uint8_t*)0x2000026f = 0;
  *(uint8_t*)0x20000270 = 8;             // BSSID = 08:02:11:00:00:00
  *(uint8_t*)0x20000271 = 2;
  *(uint8_t*)0x20000272 = 0x11;
  *(uint8_t*)0x20000273 = 0;
  *(uint8_t*)0x20000274 = 0;
  *(uint8_t*)0x20000275 = 0;
  STORE_BY_BITMASK(uint16_t, , 0x20000276, 0, 0, 4);   // seq ctrl = 0
  STORE_BY_BITMASK(uint16_t, , 0x20000276, 0, 4, 12);
  *(uint64_t*)0x20000278 = 0;            // timestamp
  *(uint16_t*)0x20000280 = 0x64;         // beacon interval 100
  *(uint16_t*)0x20000282 = 1;            // capability
  *(uint16_t*)0x20000284 = 8;            // attr: len 8, type 0x26, value 2412
  *(uint16_t*)0x20000286 = 0x26;
  *(uint32_t*)0x20000288 = 0x96c;
  *(uint16_t*)0x2000028c = 8;            // attr: len 8, type 0xc, value 100
  *(uint16_t*)0x2000028e = 0xc;
  *(uint32_t*)0x20000290 = 0x64;
  *(uint16_t*)0x20000294 = 8;            // attr: len 8, type 0xd, value 0
  *(uint16_t*)0x20000296 = 0xd;
  *(uint32_t*)0x20000298 = 0;
  *(uint16_t*)0x2000029c = 0xa;          // attr: len 10, type 0x34 (SSID?),
  *(uint16_t*)0x2000029e = 0x34;         //   six 0x02 bytes
  memset((void*)0x200002a0, 2, 6);
  *(uint16_t*)0x200002a8 = 8;            // attr: len 8, type 0x35, value 0
  *(uint16_t*)0x200002aa = 0x35;
  *(uint32_t*)0x200002ac = 0;
  *(uint16_t*)0x200002b0 = 4;            // attr: flag, type 0x105
  *(uint16_t*)0x200002b2 = 0x105;
  *(uint64_t*)0x20000208 = 0x74;         // iov_len
  *(uint64_t*)0x200001d8 = 1;
  *(uint64_t*)0x200001e0 = 0;
  *(uint64_t*)0x200001e8 = 0;
  *(uint32_t*)0x200001f0 = 0;
  syscall(__NR_sendmsg, /*fd=*/r[0], /*msg=*/0x200001c0ul, /*f=*/0ul);

  // --- pipe + vmsplice of filler bytes. The first iovec length
  //     (0xfffffd61) is far beyond the mapping, so this call presumably
  //     fails; the data is otherwise unused.
  res = syscall(__NR_pipe, /*pipefd=*/0x20002900ul);
  if (res != -1) {
    r[3] = *(uint32_t*)0x20002900;
    r[4] = *(uint32_t*)0x20002904;
  }
  *(uint64_t*)0x200001c0 = 0x20000040;   // iov[0].iov_base (reuses msghdr area)
  memcpy(
      (void*)0x20000040,
      "\x76\xbc\x19\x2c\x0a\x59\xb7\xde\xba\xdf\x85\x5e\xbd\xda\x5d\xce\x4a\x7e"
      "\xd9\x99\x18\x23\xdc\x71\xe4\xcf\x02\xdb\xfa\xde\xe5\x11\xcc\x04\x39\x99"
      "\x33\xa3\x0a\x7f\x70\x86\x81\x4f\x46\xd2\x8e\x28\x1b\x22\xbd\x2e\xee\xae"
      "\x48\xdb\x8c\x7a\xc2\xfb\xfd\x6b\xa7\xbf\xdf\xef\xdd\xc5\xe5\xe3\x8c\x3f"
      "\x03\xe4\x21\xac\xd7\x45\xf4\x65\x5a\xa5\x52\x33\x82\xec\x54\x95\x4b\x80"
      "\xde\x03\x16\x30\x06\x0f\x34\x6c\xcd\x02\xd4\x42\x28\x74\xd3\x70\xcb\xa2"
      "\x32\x33\x7f\x88\x10\x2a\x56\x89\xce\x59\xda\x29",
      120);
  *(uint64_t*)0x200001c8 = 0xfffffd61;   // iov[0].iov_len
  *(uint64_t*)0x200001d0 = 0x20000300;   // iov[1].iov_base
  memcpy((void*)0x20000300,
         "\xdd\x00\x53\x89\xf0\x9b\x9d\x1e\x54\xf5\xeb\x76\x9b\x67\xeb\xfe\x12"
         "\x5c\x00\x64\xbd\xe9\x71\x22\xf0\x66\x78\x26\x82\x96\x4c\x4b\x6c\xc4"
         "\x81\xb0\x98\xb3\x66\xd2\x62\xfb\x48\x45\x58\xa1\xa2\x50\x21\x66\x01"
         "\x6d\x40\x0c\xce\x50\xdd\xdd\xe6\xac\x25\xb3\x15\xa8\x40\xd6\x77\x77"
         "\xbf\x7a\x5a\x88\x09\x5f\x95\x0c\x26\x39\xbf\x99\x8e\xc7\x5d\x3f\x50"
         "\x61\xae\xd0\xe5\x48\xae\x98\xf3\x8d\x55\x8d\x55\x25\x34\xd9\xb3\xea"
         "\xd7\x2e\x2e\x40\x46\x16\x50\x7d\xe1\xd8\x02\x93\xff\x5f\x24\x00\x65"
         "\xe0\xd6\xfb\x64\x69\xd1\x82\x6f\x1b\xdb\xe3\x42\x36\x7d\xf1\x54\xd9"
         "\x0c\xb8\x3b\x32\xff\x03\x64\xfd\xfe\xf1\x08\x9b\x05\x72\xc5\xe2\xfc"
         "\xd3\x2d\x97\xa7\x18\x6a\x13\xe3\x5c\xb6\xf9\xad\xa8\x54\x56\x03\xdc"
         "\xb7\x20\x73\xaf\x8b\xa9\x01\x1c\x3c\xe3\x6c\xe9\x74\xac\x58\xd0\x38"
         "\x8d\xc4\xac\xb9\xf7\xe7\xd8\x94\xe2\xed\xb7\x5b\xb9\x49\xa0\x5d\x3e"
         "\x95\x86\x63\xcb\xbe\x41\xd7\x8a\xcc\x51\x89\xdd\x9f\x94\x61\x46\x6e"
         "\x59\xd6\x64\x9e\x79\xc8\x83\x62\xfb\xf9\x00\x00\x00\x00\x00\x00\x00"
         "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00",
         255);
  *(uint64_t*)0x200001d8 = 0xff;         // iov[1].iov_len
  syscall(__NR_vmsplice, /*fd=*/r[4], /*vec=*/0x200001c0ul, /*vlen=*/2ul,
          /*f=*/0ul);

  // --- sendmsg on fd -1 (can only fail with EBADF); msghdr @0x200002c0
  //     with a NULL iov and flags 0x80c1.
  *(uint64_t*)0x200002c0 = 0;
  *(uint32_t*)0x200002c8 = 0;
  *(uint64_t*)0x200002d0 = 0;
  *(uint64_t*)0x200002d8 = 1;
  *(uint64_t*)0x200002e0 = 0;
  *(uint64_t*)0x200002e8 = 0;
  *(uint32_t*)0x200002f0 = 0x80c1;
  syscall(__NR_sendmsg, /*fd=*/-1, /*msg=*/0x200002c0ul, /*f=*/0ul);

  // --- vmsplice on the pipe's read end with three iovecs (72, 72, 677
  //     bytes). The 677-byte blob at 0x20000400 is later partly
  //     overwritten and the remainder becomes the tail of sendmsg #3.
  *(uint64_t*)0x20001700 = 0x20000100;
  memcpy((void*)0x20000100,
         "\x86\x52\x9a\x86\x20\x72\xd9\xe7\xba\x99\xfb\x62\x9e\xdf\xb7\x37\xb2"
         "\x25\x87\x6d\x78\x69\x85\xa6\x50\x74\x45\x18\xd6\xbf\xb4\xb8\xf6\xf3"
         "\x35\x8e\x6e\xe0\x45\x8c\xde\xf8\x2a\x12\x6b\x99\xc0\xb2\xe7\xec\x73"
         "\xd1\x6d\x24\xff\xdd\x22\x1b\xed\x16\x4f\x2e\x99\x71\xe9\x99\xb1\x9e"
         "\xf7\x86\x9b\x1c",
         72);
  *(uint64_t*)0x20001708 = 0x48;
  *(uint64_t*)0x20001710 = 0x20000200;
  memcpy((void*)0x20000200,
         "\x5d\x2f\xdf\xdc\x2f\xff\x8f\x0b\x75\x81\x90\xe2\x4f\x7b\xbd\x24\xd2"
         "\xed\x6e\x84\xbf\x09\xfe\xf1\x18\x6f\xac\x73\x62\x2a\x38\x30\x50\xdd"
         "\x36\x77\x87\x08\x4a\xca\x05\x3d\xfe\x5e\x52\xcd\x0f\xd2\x3a\x22\x5e"
         "\x77\x00\x8a\xef\xa4\x13\x54\x64\xd8\x7c\xbe\x6d\x6c\xd8\x14\x70\xdd"
         "\xae\xa6\x31\x74",
         72);
  *(uint64_t*)0x20001718 = 0x48;
  *(uint64_t*)0x20001720 = 0x20000400;
  memcpy(
      (void*)0x20000400,
      "\xb9\x96\xa1\xa8\xfb\x44\x02\x86\xb8\x56\xdc\x3e\x6c\x02\xa6\x16\x40\x78"
      "\x0f\x57\x7a\xb3\xbb\x13\x57\xe7\x0c\x5e\x77\x0b\x15\xb7\x93\xe9\x43\x1c"
      "\x32\x77\xd1\x71\x06\x9d\x78\x12\xc2\x92\xa2\x7f\x2f\xf6\x8c\x55\xb7\x40"
      "\xe2\x46\xe3\x62\x9e\x14\x41\x8b\xec\x22\x85\xbb\x58\xfe\x68\xe7\x4c\xfa"
      "\xf0\x4c\x08\x3e\x77\xaf\x11\xc5\xf1\xa2\x87\x1d\xa6\x7c\x72\x3f\xd3\x18"
      "\xcd\x37\x54\x1e\xe3\xed\xf5\xe7\x25\x96\xf7\x80\xac\x5d\x89\xde\x6e\x8e"
      "\xee\x7d\x14\x4a\xf7\x1b\xc7\xe1\x36\xb1\x8f\x48\x66\xd8\xa5\x3a\xaf\x0a"
      "\xd5\xfa\x64\xbb\x21\x65\x49\x6a\x72\x85\xa5\x7a\xcb\xed\xd8\x4f\x07\x8f"
      "\x5a\x9c\x70\x3e\x79\xfa\x2e\xc1\x2c\xde\x7c\x5d\x4e\xd7\x18\x6b\x29\x1c"
      "\xc5\x62\xfe\x8c\x6a\x36\x2e\xb8\x17\xd0\x39\x80\xef\xca\x42\xf7\x9f\xf3"
      "\x33\x60\x16\x9b\x6d\xfe\x43\x7c\xa4\xf7\x0a\x13\x39\x1a\x43\x78\xa1\xbc"
      "\x3e\x9b\x97\xb9\xa6\x63\x72\x6e\x4c\x69\xdf\xac\xe6\xeb\x88\x4e\x2a\x95"
      "\x66\x6a\xd3\x66\x98\x90\x0e\xe6\x7a\x1b\x83\xbe\x4c\xe8\x5f\x79\xbb\x1c"
      "\x58\x74\x4a\xc3\xb7\xb2\xb5\x60\x68\xfb\xb1\x6b\x61\x02\x79\x80\x34\x3c"
      "\x4a\x2f\xc7\x3f\xed\x5c\x7f\xc5\xf3\x87\x0d\xb4\xb9\x2d\x88\x5b\x39\xfa"
      "\x0b\xf7\x00\xb4\x8f\xc2\x06\x57\xcd\x58\x31\x13\x73\x7b\xb3\xf1\xd2\x88"
      "\x61\x27\xbf\xde\xa4\xa8\xae\x38\xb1\x4e\x0e\x55\x95\x56\x1b\xf3\x18\x07"
      "\x1c\x44\xe8\xb0\xa8\x64\x2b\x43\xec\x62\x22\x8c\x03\x4f\xa3\xfc\x79\xe6"
      "\x8f\x3f\xc8\x9f\x37\x3a\xd2\xee\xfc\x06\x86\x70\x60\xea\x45\xb9\x61\x92"
      "\xeb\xbe\x1e\x6f\x2f\x6c\x9f\x07\x13\x08\xa4\x13\x8f\xde\x8b\x63\x45\xdd"
      "\x88\x17\x2e\x75\x5e\xde\xca\x7d\xb6\xf4\x2b\xda\xd8\x9f\x6c\x57\xe2\xe1"
      "\xab\xfb\x08\x1a\x30\x99\xc9\x09\x00\x6c\x2d\x55\x39\xf0\x58\x0e\xe9\x51"
      "\x09\x21\xd3\x77\xb3\x88\x7f\xf3\xa6\xb6\x79\x38\xf1\x84\xb8\xa2\x6b\xa8"
      "\xe2\x05\x33\x85\xb5\x3e\xee\xf7\x5b\xaf\xb7\xed\xe2\x99\xcb\x5b\x70\x73"
      "\xf8\x53\xa9\x90\x40\x6d\xb2\x38\xb5\xb4\xf0\xf5\x38\xe8\xda\xd6\xa3\x71"
      "\xe4\x9e\x6e\x58\xf3\x6b\xe3\xf4\x50\xde\x03\xc4\x69\xe4\xfb\xf3\xb3\x3e"
      "\xdb\x40\x9b\xf5\xd2\x49\xdf\x2d\xd0\xeb\xd7\xd2\x0f\x30\x20\x2b\x04\x5f"
      "\x0e\xdf\x4d\x5c\x5d\x09\xf4\x06\x71\x53\x73\x59\x13\xae\xd1\xb7\x82\x20"
      "\x2b\xa2\x08\xcb\x45\xb7\xe8\xb7\x90\xd7\x7c\x56\x11\x01\x99\xfa\x73\x62"
      "\x19\xe5\xda\x42\xb5\x63\x5b\xd7\xf2\xc7\x23\x23\x66\xe9\xe3\xb9\xbc\x94"
      "\xd0\xbb\x8b\xee\x47\x7c\x71\xb3\x94\xf4\xc6\x52\x18\x3b\x11\x64\x94\x23"
      "\x9d\x46\xea\x8b\x60\xf0\x2f\x81\xdf\x26\xc0\xba\x98\xd8\x5a\xd2\x54\x7a"
      "\x46\xe6\x17\xee\x7f\x0b\x0e\x1f\x64\xb5\x33\x91\x75\x76\xf1\xdc\xcc\x61"
      "\x69\xe6\xbf\xa4\xaf\xa6\x4d\xde\x6b\x47\xa6\x0b\xf8\x40\x06\x01\x92\x40"
      "\xfe\x64\x19\xa3\x15\xfa\xad\x9c\x6e\x46\x1e\x54\x80\xb4\x6b\x09\x92\x46"
      "\x76\x9c\xc4\x95\x75\xa5\x81\x74\x95\x5e\x67\xf9\x10\x5d\x51\xa9\x10\x73"
      "\xf4\x5b\xf4\x6d\x8e\xab\x99\x60\x8f\x56\x5f\xb7\xac\x10\x9b\x1c\x52\xf7"
      "\x23\x2b\xdd\xf5\x43\x59\x32\x0c\x87\xe8\xda",
      677);
  *(uint64_t*)0x20001728 = 0x2a5;
  syscall(__NR_vmsplice, /*fd=*/r[3], /*vec=*/0x20001700ul, /*vlen=*/3ul,
          /*f=*/0ul);

  // --- second nl80211 socket and family lookup, plus a third netlink
  //     socket (proto 0xc) used only to fetch wlan1's ifindex.
  res = syscall(__NR_socket, /*domain=*/0x10ul, /*type=*/3ul, /*proto=*/0x10);
  if (res != -1)
    r[5] = res;
  memcpy((void*)0x20000640, "nl80211\000", 8);
  res = -1;
  res = syz_genetlink_get_family_id(/*name=*/0x20000640, /*fd=*/-1);
  if (res != -1)
    r[6] = res;
  res = syscall(__NR_socket, /*domain=*/0x10ul, /*type=*/3ul, /*proto=*/0xc);
  if (res != -1)
    r[7] = res;
  memcpy((void*)0x20000340,
         "wlan1\000\000\000\000\000\000\000\000\000\000\000", 16);
  res = syscall(__NR_ioctl, /*fd=*/r[7], /*cmd=*/0x8933,
                /*arg=*/0x20000340ul);
  if (res != -1)
    r[8] = *(uint32_t*)0x20000350;

  // --- sendmsg #3 on r[5]: 0x398-byte (920) nl80211 message @0x20000480
  //     for wlan1. Only the first 80 bytes are written explicitly: header
  //     (flags 1, genl cmd 0x3b — looks like NL80211_CMD_FRAME, verify),
  //     IFINDEX = r[8], several small attributes including frequency
  //     2412 (\x6c\x09), then an 854-byte type-0x33 attribute that starts
  //     with an 802.11 header (frame control 0x80/0xb0, DA broadcast,
  //     SA 08:02:11:00:00:01 = wlan1's hwsim MAC). The rest of the
  //     message is whatever the scratch region already holds — the tail
  //     of the 677-byte blob copied to 0x20000400 above, then zeros.
  *(uint64_t*)0x20000440 = 0;
  *(uint32_t*)0x20000448 = 0;
  *(uint64_t*)0x20000450 = 0x20000400;
  *(uint64_t*)0x20000400 = 0x20000480;   // overwrites the blob's first 8 bytes
  memcpy((void*)0x20000480, "\x98\x03\x00\x00", 4);
  *(uint16_t*)0x20000484 = r[6];
  memcpy((void*)0x20000486,
         "\x01\x00\x28\x05\x70\x00\xfc\xdb\xdf\x25\x3b\x00\x00\x00\x08\x00\x03"
         "\x00",
         18);
  *(uint32_t*)0x20000498 = r[8];
  memcpy(
      (void*)0x2000049c,
      "\x04\x00\x8e\x00\x08\x00\x57\x00\x1b\x0a\x00\x00\x04\x00\x6c\x00\x05\x00"
      "\x19\x01\x07\x00\x00\x00\x08\x00\x26\x00\x6c\x09\x00\x00\x56\x03\x33\x00"
      "\x80\xb0\xc0\x00\xff\xff\xff\xff\xff\xff\x08\x02\x11\x00\x00\x01",
      52);
  *(uint64_t*)0x20000408 = 0x398;        // iov_len
  *(uint64_t*)0x20000458 = 1;
  *(uint64_t*)0x20000460 = 0;
  *(uint64_t*)0x20000468 = 0;
  *(uint32_t*)0x20000470 = 0;
  syscall(__NR_sendmsg, /*fd=*/r[5], /*msg=*/0x20000440ul, /*f=*/0ul);
}

// Map the scratch region used by execute_one(): a 16 MiB RWX window at
// 0x20000000 (prot 7) fenced by a PROT_NONE page on either side
// (0x1ffff000 and 0x21000000), then enter the sandbox. do_sandbox_none()
// only returns in the parent, after the child has exited.
int main(void)
{
  syscall(__NR_mmap, /*addr=*/0x1ffff000ul, /*len=*/0x1000ul, /*prot=*/0ul,
          /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1,
          /*offset=*/0ul);
  syscall(__NR_mmap, /*addr=*/0x20000000ul, /*len=*/0x1000000ul,
          /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul,
          /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1,
          /*offset=*/0ul);
  syscall(__NR_mmap, /*addr=*/0x21000000ul, /*len=*/0x1000ul, /*prot=*/0ul,
          /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1,
          /*offset=*/0ul);
  do_sandbox_none();
  return 0;
}