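// https://syzkaller.appspot.com/bug?id=1637d1cd1f210d4ee70804b33566411110f6edd2
// autogenerated by syzkaller (https://github.com/google/syzkaller)
//
// Reproducer for the syzkaller bug linked above. It drives the kernel's
// bpf(2) interface from a single thread, in this order:
//   1. BPF_MAP_CREATE (cmd 0)      -> array map, 1 entry of 8 bytes, flags 0x80
//   2. BPF_MAP_UPDATE_ELEM (cmd 2) -> stores the format string "%pI4   " in it
//   3. BPF_MAP_FREEZE (cmd 0x16)   -> makes the map value immutable
//   4. BPF_PROG_LOAD (cmd 5)       -> prog_type 0x16 (the syzkaller comment below
//                                     names it flow_dissector) referencing the map
//   5. BPF_PROG_TEST_RUN (cmd 0xa) -> executes the program 0x402 times on a
//                                     14-byte input packet
// All syscall argument structures are built by raw stores into the fixed
// mapping at 0x20000000 (syzkaller convention); the file descriptors returned
// by each step are carried in r[] and patched into the next structure.

#define _GNU_SOURCE

// NOTE(review): the header names were lost when this page was extracted; the
// original had eight bare "#include" lines. This is the eight-header set
// syzkaller's csource emits for a reproducer of this shape (memcpy/memset,
// syscall, write, fixed-width ints) — verify against the original download.
#include <endian.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

// Fallback syscall numbers; 222/280 are the asm-generic values (e.g. arm64).
#ifndef __NR_bpf
#define __NR_bpf 280
#endif
#ifndef __NR_mmap
#define __NR_mmap 222
#endif

// Resources produced by the syscalls below: r[0] map fd, r[1] map fd as read
// back from the update struct, r[2] frozen map fd, r[3] program fd. -1 means
// "not obtained" and is passed through unchanged when a step fails.
uint64_t r[4] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff,
                 0xffffffffffffffff};

int main(void)
{
  // Guard pages below and above the 16 MiB data area the argument structures
  // live in; MAP_FIXED at hard-coded addresses, return values deliberately
  // ignored (syzkaller convention).
  syscall(__NR_mmap, /*addr=*/0x1ffff000ul, /*len=*/0x1000ul, /*prot=*/0ul,
          /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/(intptr_t)-1,
          /*offset=*/0ul);
  syscall(__NR_mmap, /*addr=*/0x20000000ul, /*len=*/0x1000000ul,
          /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul,
          /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/(intptr_t)-1,
          /*offset=*/0ul);
  syscall(__NR_mmap, /*addr=*/0x21000000ul, /*len=*/0x1000ul, /*prot=*/0ul,
          /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/(intptr_t)-1,
          /*offset=*/0ul);
  const char* reason;
  (void)reason;
  intptr_t res = 0;
  // The empty if-body only silences the unused-result warning on write().
  if (write(1, "executing program\n", sizeof("executing program\n") - 1)) {
  }
  // bpf$MAP_CREATE_CONST_STR arguments: [
  //   cmd: const = 0x0 (8 bytes)
  //   arg: ptr[inout, array[ANYUNION]] {
  //     array[ANYUNION] {
  //       union ANYUNION {
  //         ANYBLOB: buffer: {02 00 00 00 04 00 00 00 08 00 00 00 01 00 00 00 80} (length 0x11)
  //       }
  //     }
  //   }
  //   size: len = 0x48 (8 bytes)
  // ]
  // returns fd_bpf_const_str_map
  //
  // Blob layout (union bpf_attr): map_type=2, key_size=4, value_size=8,
  // max_entries=1, map_flags=0x80. The remaining 0x48-0x11 bytes are whatever
  // the fresh anonymous mapping holds (zero on first use).
  memcpy((void*)0x20000340,
         "\x02\x00\x00\x00\x04\x00\x00\x00\x08\x00\x00\x00\x01\x00\x00\x00\x80", 17);
  res = syscall(__NR_bpf, /*cmd=*/0ul, /*arg=*/0x20000340ul, /*size=*/0x48ul);
  if (res != -1)
    r[0] = res;
  // bpf$MAP_UPDATE_CONST_STR arguments: [
  //   cmd: const = 0x2 (8 bytes)
  //   arg: ptr[inout, bpf_map_update_const_str_arg] {
  //     bpf_map_update_const_str_arg {
  //       map: map_bpf_const_str {
  //         in: fd_bpf_const_str_map (resource)
  //         out: fd_bpf_const_str (resource)
  //       }
  //       pad = 0x0 (4 bytes)
  //       key: ptr[in, const[0, const]] {
  //         const = 0x0 (4 bytes)
  //       }
  //       val: ptr[in, buffer] {
  //         buffer: {25 70 49 34 20 20 20 00} (length 0x8)
  //       }
  //       flags: const = 0x0 (8 bytes)
  //     }
  //   }
  //   size: len = 0x20 (8 bytes)
  // ]
  *(uint32_t*)0x20000000 = r[0];
  *(uint64_t*)0x20000008 = 0x20000200;
  *(uint32_t*)0x20000200 = 0;
  *(uint64_t*)0x20000010 = 0x20000140;
  // The value is the 8-byte blob documented above: "%pI4" followed by THREE
  // spaces and a NUL (25 70 49 34 20 20 20 00). The extracted page had the run
  // of spaces collapsed to one, which would make this 8-byte memcpy read past
  // the end of a 7-byte literal; the literal is restored from the blob.
  memcpy((void*)0x20000140, "%pI4   \000", 8);
  *(uint64_t*)0x20000018 = 0;
  res = syscall(__NR_bpf, /*cmd=*/2ul, /*arg=*/0x20000000ul, /*size=*/0x20ul);
  if (res != -1)
    r[1] = *(uint32_t*)0x20000000;
  // bpf$BPF_MAP_CONST_STR_FREEZE arguments: [
  //   cmd: const = 0x16 (8 bytes)
  //   arg: ptr[inout, bpf_map_const_str_freeze] {
  //     bpf_map_const_str_freeze {
  //       in: fd_bpf_const_str (resource)
  //       out: bpf_frozen_const_str (resource)
  //     }
  //   }
  //   size: len = 0x4 (8 bytes)
  // ]
  *(uint32_t*)0x200000c0 = r[1];
  res = syscall(__NR_bpf, /*cmd=*/0x16ul, /*arg=*/0x200000c0ul, /*size=*/4ul);
  if (res != -1)
    r[2] = *(uint32_t*)0x200000c0;
  // bpf$PROG_LOAD arguments: [
  //   cmd: const = 0x5 (8 bytes)
  //   arg: ptr[in, bpf_prog_t[flags[bpf_prog_type, int32], bpf_prog_attach_types,
  //                           bpf_btf_id[opt], fd_bpf_prog[opt]]] {
  //     bpf_prog_t[flags[bpf_prog_type, int32], bpf_prog_attach_types,
  //                bpf_btf_id[opt], fd_bpf_prog[opt]] {
  //       type: bpf_prog_type = 0x16 (4 bytes)
  //       ninsn: bytesize8 = 0x10 (4 bytes)
  //       insns: ptr[inout, array[ANYUNION]] {
  //         array[ANYUNION] {
  //           union ANYUNION {
  //             ANYBLOB: buffer: {18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  //               b7 08 00 00 00 00 00 00 7b 8a f8 ff 00 00 00 00 b7 08 00 00
  //               ff ff 0b 86 7b 8a f0 ff 00 00 00 00 bf a1 00 00 00 00 00 00 07
  //               01 00 00 f8 ff ff ff bf a4 00 00 00 00 00 00 07 04 00 00 f0 ff
  //               ff ff b7 02 00 00 08 00 00 00 18 23 00 00} (length 0x5c)
  //           }
  //           union ANYUNION {
  //             ANYRES32: ANYRES32 (resource)
  //           }
  //           union ANYUNION {
  //             ANYBLOB: buffer: {00 00 00 00 00 00 00 00 b7 05 00 00 08 00 00 00
  //               85 00 00 00 a5 00 00 00 95} (length 0x19)
  //           }
  //         }
  //       }
  //       license: ptr[in, buffer] {
  //         buffer: {47 50 4c 00} (length 0x4)
  //       }
  //       loglev: int32 = 0x0 (4 bytes)
  //       logsize: len = 0x0 (4 bytes)
  //       log: nil
  //       kern_version: bpf_kern_version = 0x0 (4 bytes)
  //       flags: bpf_prog_load_flags = 0x0 (4 bytes)
  //       prog_name: buffer: {00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00} (length 0x10)
  //       prog_ifindex: ifindex (resource)
  //       expected_attach_type: union bpf_prog_attach_types {
  //         flow_dissector: flow_dissector_attach_types = 0x0 (4 bytes)
  //       }
  //       btf_fd: fd_btf (resource)
  //       func_info_rec_size: const = 0x0 (4 bytes)
  //       func_info: nil
  //       func_info_cnt: len = 0x0 (4 bytes)
  //       line_info_rec_size: const = 0x0 (4 bytes)
  //       line_info: nil
  //       line_info_cnt: len = 0x0 (4 bytes)
  //       attach_btf_id: bpf_btf_id (resource)
  //       attach_prog_fd: fd_bpf_prog (resource)
  //       core_relo_cnt: len = 0x0 (4 bytes)
  //       fd_array: nil
  //       core_relos: nil
  //       core_relo_rec_size: const = 0x0 (4 bytes)
  //       log_true_size: int32 = 0x0 (4 bytes)
  //       prog_token_fd: union _bpf_prog_t[flags[bpf_prog_type, int32],
  //         bpf_prog_attach_types, bpf_btf_id[opt], fd_bpf_prog[opt]]_prog_token_fd_wrapper {
  //         void: buffer: {} (length 0x0)
  //       }
  //       pad: union _bpf_prog_t[flags[bpf_prog_type, int32],
  //         bpf_prog_attach_types, bpf_btf_id[opt], fd_bpf_prog[opt]]_pad_wrapper {
  //         value: const = 0x0 (4 bytes)
  //       }
  //     }
  //   }
  //   size: len = 0x90 (8 bytes)
  // ]
  // returns fd_bpf_prog
  //
  // NOTE(review): hand decode of the 16 instructions, to be confirmed against
  // the kernel's insn encoding: r0 = 0; r8 = 0; *(u64*)(fp-8) = r8;
  // r8 = 0x860bffff; *(u64*)(fp-16) = r8; r1 = fp-8; r4 = fp-16; r2 = 8;
  // r3 = ld_imm64 with src_reg 2 and imm = frozen map fd (the ANYRES32 patched
  // in at insns+0x5c, i.e. a map-value pseudo load of the "%pI4   " string);
  // r5 = 8; call helper 0xa5 (165, which I read as bpf_snprintf); exit. The
  // last instruction is only its first byte (0x95) in the blob; the other seven
  // bytes come from the zeroed mapping.
  *(uint32_t*)0x200003c0 = 0x16;
  *(uint32_t*)0x200003c4 = 0x10;
  *(uint64_t*)0x200003c8 = 0x20000040;
  memcpy((void*)0x20000040,
         "\x18\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xb7"
         "\x08\x00\x00\x00\x00\x00\x00\x7b\x8a\xf8\xff\x00\x00\x00\x00\xb7\x08"
         "\x00\x00\xff\xff\x0b\x86\x7b\x8a\xf0\xff\x00\x00\x00\x00\xbf\xa1\x00"
         "\x00\x00\x00\x00\x00\x07\x01\x00\x00\xf8\xff\xff\xff\xbf\xa4\x00\x00"
         "\x00\x00\x00\x00\x07\x04\x00\x00\xf0\xff\xff\xff\xb7\x02\x00\x00\x08"
         "\x00\x00\x00\x18\x23\x00\x00",
         92);
  // Immediate of the ld_imm64 at insns+0x5c: the frozen map's fd from step 3.
  *(uint32_t*)0x2000009c = r[2];
  memcpy((void*)0x200000a0,
         "\x00\x00\x00\x00\x00\x00\x00\x00\xb7\x05\x00\x00\x08\x00\x00\x00\x85"
         "\x00\x00\x00\xa5\x00\x00\x00\x95",
         25);
  *(uint64_t*)0x200003d0 = 0x20000600;
  memcpy((void*)0x20000600, "GPL\000", 4);
  // Remaining bpf_attr.prog_load fields, all zero/NULL (see the field list above).
  *(uint32_t*)0x200003d8 = 0;
  *(uint32_t*)0x200003dc = 0;
  *(uint64_t*)0x200003e0 = 0;
  *(uint32_t*)0x200003e8 = 0;
  *(uint32_t*)0x200003ec = 0;
  memset((void*)0x200003f0, 0, 16);
  *(uint32_t*)0x20000400 = 0;
  *(uint32_t*)0x20000404 = 0;
  *(uint32_t*)0x20000408 = 0;
  *(uint32_t*)0x2000040c = 0;
  *(uint64_t*)0x20000410 = 0;
  *(uint32_t*)0x20000418 = 0;
  *(uint32_t*)0x2000041c = 0;
  *(uint64_t*)0x20000420 = 0;
  *(uint32_t*)0x20000428 = 0;
  *(uint32_t*)0x2000042c = 0;
  *(uint32_t*)0x20000430 = 0;
  *(uint32_t*)0x20000434 = 0;
  *(uint64_t*)0x20000438 = 0;
  *(uint64_t*)0x20000440 = 0;
  *(uint32_t*)0x20000448 = 0;
  *(uint32_t*)0x2000044c = 0;
  *(uint32_t*)0x20000450 = 0;
  res = syscall(__NR_bpf, /*cmd=*/5ul, /*arg=*/0x200003c0ul, /*size=*/0x90ul);
  if (res != -1)
    r[3] = res;
  // bpf$BPF_PROG_TEST_RUN arguments: [
  //   cmd: const = 0xa (8 bytes)
  //   arg: ptr[in, bpf_test_prog_arg] {
  //     bpf_test_prog_arg {
  //       prog: fd_bpf_prog (resource)
  //       retval: const = 0x8 (4 bytes)
  //       insizedata: len = 0xe (4 bytes)
  //       outsizedata: len = 0x0 (4 bytes)
  //       indata: ptr[in, buffer] {
  //         buffer: {40 f0 53 8e f0 47 b2 1f b6 00 68 30 55 00} (length 0xe)
  //       }
  //       outdata: nil
  //       repeat: int32 = 0x402 (4 bytes)
  //       dur: const = 0x0 (4 bytes)
  //       insizectx: len = 0x0 (4 bytes)
  //       outsizectx: len = 0x0 (4 bytes)
  //       inctx: nil
  //       outctx: nil
  //       flags: bpf_prog_test_run_flags = 0x0 (4 bytes)
  //       cpu: const = 0x0 (4 bytes)
  //       batch_size: int32 = 0x0 (4 bytes)
  //       pad = 0x0 (4 bytes)
  //     }
  //   }
  //   size: len = 0x50 (8 bytes)
  // ]
  *(uint32_t*)0x20000640 = r[3];
  *(uint32_t*)0x20000644 = 8;
  *(uint32_t*)0x20000648 = 0xe;
  *(uint32_t*)0x2000064c = 0;
  *(uint64_t*)0x20000650 = 0x20000300;
  memcpy((void*)0x20000300,
         "\x40\xf0\x53\x8e\xf0\x47\xb2\x1f\xb6\x00\x68\x30\x55\x00", 14);
  *(uint64_t*)0x20000658 = 0;
  // repeat = 0x402: the program is run 1026 times by a single test-run call.
  *(uint32_t*)0x20000660 = 0x402;
  *(uint32_t*)0x20000664 = 0;
  *(uint32_t*)0x20000668 = 0;
  *(uint32_t*)0x2000066c = 0;
  *(uint64_t*)0x20000670 = 0;
  *(uint64_t*)0x20000678 = 0;
  *(uint32_t*)0x20000680 = 0;
  *(uint32_t*)0x20000684 = 0;
  *(uint32_t*)0x20000688 = 0;
  // Result intentionally not checked: the reproducer only needs the kernel to
  // execute the program; the reported bug manifests during this call.
  syscall(__NR_bpf, /*cmd=*/0xaul, /*arg=*/0x20000640ul, /*size=*/0x50ul);
  return 0;
}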