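// autogenerated by syzkaller (https://github.com/google/syzkaller)
//
// Reproducer: opens a NETLINK_NETFILTER socket and sends it one netlink
// message that the generator annotated as NFNL_SUBSYS_QUEUE /
// NFQNL_MSG_CONFIG. All arguments live in a fixed-address scratch region
// so the syscall sequence is byte-for-byte identical on every run.
//
// NOTE(review): the header names of the original eight #include directives
// were lost when this page was extracted; the includes below are the ones
// the code visibly needs (uint64_t/intptr_t/uintptr_t, memcpy, syscall and
// __NR_*, write).
#define _GNU_SOURCE
#include <stdint.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

// syzkaller's standard scratch layout: a PROT_NONE guard page below, a
// 16 MiB data region where every argument object is laid out, and a
// PROT_NONE guard page above. prot=7 is PROT_READ|PROT_WRITE|PROT_EXEC
// and flags=0x32 is MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE (generator comments).
#define SYZ_GUARD_LO 0x1ffffffff000ul
#define SYZ_DATA 0x200000000000ul
#define SYZ_DATA_LEN 0x1000000ul
#define SYZ_GUARD_HI 0x200001000000ul
#define SYZ_PAGE 0x1000ul
#define SYZ_MAP_FLAGS 0x32ul

// Fixed addresses of the objects handed to sendmsg, all inside SYZ_DATA.
#define ADDR_IOVEC 0x200000000080ul   // struct iovec
#define ADDR_MSGHDR 0x2000000000c0ul  // struct msghdr
#define ADDR_PAYLOAD 0x200000000380ul // netlink message bytes

// Resource table: r[0] is the netfilter netlink socket fd. It keeps the
// initial -1 if socket() fails, in which case sendmsg below is issued on
// fd -1 and simply fails.
uint64_t r[1] = {0xffffffffffffffff};

// The bytes copied to ADDR_PAYLOAD. Only the first 0x30 of them are
// covered by iov_len, i.e. nlmsghdr{len=0x30, type=0x0302, flags=0x0301,
// seq=0, pid=0}, a 4-byte nfgenmsg and 28 bytes of attributes. The
// remaining 123 bytes are written to memory but never passed to the
// kernel.
// NOTE(review): the tail past byte 0x30 looks like uninterpreted fuzzer
// residue — confirm against the generator's program before relying on it.
static const char payload[] =
    "\x30\x00\x00\x00\x02\x03\x01\x03\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00"
    "\x00\x00\x09\x00\x06\x00\x00\x00\x00\x09\x01\x00\x00\x00\x08\x00\x01\x00"
    "\x01\x00\x00\x1d\x08\x00\x03\x40\x00\x00\x00\x0e\x87\x46\xcf\x65\xb3\x63"
    "\x78\x6e\x85\x14\xc8\x59\xe4\x69\x79\xd7\xa0\x5b\x8e\xd8\x62\x75\x41\xf0"
    "\xb5\xc4\xc1\x45\x8c\x24\xe2\x9d\xfa\xd6\x45\x37\x35\x90\x16\xcd\xc6\xc1"
    "\xba\x91\x35\x75\x22\x5e\xce\xe7\x6e\x23\x58\x24\x8e\xe8\xd2\x5b\x28\xe7"
    "\xb1\x24\x10\xce\x60\x48\x2a\x04\x9f\x3d\x4c\xb1\x14\xb2\xf5\xfd\xed\xf0"
    "\x71\xe1\x10\x18\x43\xdd\xb3\x22\xe9\xda\xc2\x4f\x6e\xe7\x1c\xfe\x9f\x7c"
    "\xc4\xaa\x6d\x42\x2e\x3f\xf4\xff\x40\x84\xb1\x57\x60\x97\x8e\x87\x79\xe2"
    "\x16\xb0\x09\x98\xf9\xe9\xe2\x3f\x01";
_Static_assert(sizeof payload - 1 == 171,
               "payload must be the generator's 171-byte blob");

// Store a 64-bit / 32-bit value at a fixed scratch address. The integer
// to pointer casts are intentional: the region is mapped in main() before
// any of these stores run.
static void put64(uintptr_t addr, uint64_t v)
{
    *(uint64_t *)addr = v;
}

static void put32(uintptr_t addr, uint32_t v)
{
    *(uint32_t *)addr = v;
}

int main(void)
{
    // Set up the scratch region (guard, data, guard).
    syscall(__NR_mmap, SYZ_GUARD_LO, SYZ_PAGE, /*prot=*/0ul, SYZ_MAP_FLAGS,
            /*fd=*/(intptr_t)-1, /*offset=*/0ul);
    syscall(__NR_mmap, SYZ_DATA, SYZ_DATA_LEN,
            /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul, SYZ_MAP_FLAGS,
            /*fd=*/(intptr_t)-1, /*offset=*/0ul);
    syscall(__NR_mmap, SYZ_GUARD_HI, SYZ_PAGE, /*prot=*/0ul, SYZ_MAP_FLAGS,
            /*fd=*/(intptr_t)-1, /*offset=*/0ul);

    // Progress marker on stdout; the empty if-body only silences the
    // warn_unused_result warning.
    if (write(1, "executing program\n", sizeof("executing program\n") - 1)) {
    }

    // socket(AF_NETLINK=0x10, SOCK_RAW=3, NETLINK_NETFILTER=0xc).
    // NOTE(review): whether the kernel accepts the queue config request
    // depends on the caller's capabilities in its network namespace —
    // confirm for the target kernel.
    intptr_t res = syscall(__NR_socket, /*domain=*/0x10ul, /*type=*/3ul,
                           /*proto=*/0xc);
    if (res != -1) {
        r[0] = res;
    }

    // Lay out struct msghdr at ADDR_MSGHDR and struct iovec at ADDR_IOVEC.
    // Stores are kept in the generator's original order.
    put64(ADDR_MSGHDR + 0x00, 0);          // msg_name = NULL
    put32(ADDR_MSGHDR + 0x08, 0);          // msg_namelen = 0
    put64(ADDR_MSGHDR + 0x10, ADDR_IOVEC); // msg_iov
    put64(ADDR_IOVEC + 0x00, ADDR_PAYLOAD); // iov_base
    memcpy((void *)ADDR_PAYLOAD, payload, sizeof payload - 1);
    put64(ADDR_IOVEC + 0x08, 0x30); // iov_len: only 48 bytes are sent
    put64(ADDR_MSGHDR + 0x18, 1);   // msg_iovlen = 1
    put64(ADDR_MSGHDR + 0x20, 0);   // msg_control = NULL
    put64(ADDR_MSGHDR + 0x28, 0);   // msg_controllen = 0
    // msg_flags = 0x4800 (generator: send_flags). NOTE(review): sendmsg
    // takes its flags from the third argument below, so this field is
    // presumably inert on input — confirm.
    put32(ADDR_MSGHDR + 0x30, 0x4800);

    // sendmsg(fd, &msghdr, flags=0x8010 — generator: MSG_PROBE|MSG_MORE).
    // The return value is not checked; the generator's output never does.
    syscall(__NR_sendmsg, /*fd=*/r[0], /*msg=*/ADDR_MSGHDR,
            /*f=MSG_PROBE|MSG_MORE*/ 0x8010ul);
    return 0;
}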