// autogenerated by syzkaller (https://github.com/google/syzkaller)
//
// Reviewer summary of what this reproducer does, as visible below:
//   1. three MAP_FIXED anonymous mappings: a PROT_NONE page below and above a
//      16 MiB PROT_READ|PROT_WRITE|PROT_EXEC region at 0x200000000000; every
//      hard-coded address written later falls inside that middle region;
//   2. one socket(0x10 /* AF_NETLINK */, 3 /* SOCK_RAW */, 0xc /* NETLINK_NETFILTER */),
//      whose fd is the only syscall result that is checked;
//   3. two sendmsg() calls on that fd, each carrying an nftables batch
//      (NFNL_MSG_BATCH_BEGIN .. NFNL_MSG_BATCH_END) assembled byte by byte in
//      the mapping.  The first batch is a raw blob, the second is built field
//      by field (NFT_MSG_NEWRULE for table "syz0"/chain "syz2" with an
//      "inner" expression wrapping a "meta" expression, per the syzkaller
//      argument dump kept inline below).
// Statement order is load-bearing: each sendmsg() reads exactly what the
// stores before it wrote, so the code is left byte-identical here and only
// commented.  If socket() fails, r[0] stays at its all-ones initial value
// (-1 as an fd) and both sendmsg() calls simply fail; nothing else is
// checked or reported.

#define _GNU_SOURCE
// NOTE(review): the eight header names below were lost when this page was
// extracted (each directive is empty as shown).  A syzkaller reproducer of
// this shape normally includes <endian.h>, <stdint.h>, <stdio.h>,
// <stdlib.h>, <string.h>, <sys/syscall.h>, <sys/types.h> and <unistd.h>
// (htobe16/htobe32, the uintN_t types, memcpy, syscall, write) -- restore
// them from the original generator output rather than from this page.
#include
#include
#include
#include
#include
#include
#include
#include

// Mask of bf_len bits starting at bit bf_off (bf_len < 64 assumed by the
// generator; a 64-bit shift here would be undefined).
#define BITMASK(bf_off, bf_len) (((1ull << (bf_len)) - 1) << (bf_off))
// Read-modify-write of a bit-field inside the integer of type `type` at
// `addr`: clear the field, then OR in `val` shifted into place.  `htobe` is a
// byte-order conversion applied on the way in and out; every use in this
// file passes it EMPTY, so `htobe(x)` expands to `(x)` and the field is
// written in host byte order.  Note that the calls below pass odd addresses
// (the second byte of a 2-byte nla_type), so these are unaligned uint16_t
// accesses -- the generator assumes a target that tolerates them.
#define STORE_BY_BITMASK(type, htobe, addr, val, bf_off, bf_len) \
  *(type*)(addr) = \
      htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | \
            (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len))))

// Resource table: r[0] holds the netlink socket fd once socket() succeeds.
// Initialised to all-ones so that, as an fd argument, it reads as -1.
uint64_t r[1] = {0xffffffffffffffff};

int main(void)
{
  // Fixed-address layout: PROT_NONE page, 16 MiB RWX data region, PROT_NONE
  // page.  Results are not checked; if the middle mapping fails, every
  // `*(uintN_t*)0x2000000000..` store below faults.
  syscall(__NR_mmap, /*addr=*/0x1ffffffff000ul, /*len=*/0x1000ul, /*prot=*/0ul,
          /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/(intptr_t)-1,
          /*offset=*/0ul);
  syscall(__NR_mmap, /*addr=*/0x200000000000ul, /*len=*/0x1000000ul,
          /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul,
          /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/(intptr_t)-1,
          /*offset=*/0ul);
  syscall(__NR_mmap, /*addr=*/0x200001000000ul, /*len=*/0x1000ul, /*prot=*/0ul,
          /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/(intptr_t)-1,
          /*offset=*/0ul);
  // Generator boilerplate: `reason` is declared but never used; the cast
  // only silences the unused-variable warning.
  const char* reason;
  (void)reason;
  intptr_t res = 0;
  // Progress marker on stdout; the empty `if` is the generator's way of
  // consuming write()'s warn_unused_result return value.
  if (write(1, "executing program\n", sizeof("executing program\n") - 1)) {
  }
  // socket$nl_netfilter arguments: [
  //   domain: const = 0x10 (8 bytes)
  //   type: const = 0x3 (8 bytes)
  //   proto: const = 0xc (4 bytes)
  // ]
  // returns sock_nl_netfilter
  res = syscall(__NR_socket, /*domain=*/0x10ul, /*type=*/3ul, /*proto=*/0xc);
  // Only a successful socket() updates r[0]; on failure it keeps -1.
  if (res != -1)
    r[0] = res;
  // ---- first batch: sent as an opaque blob -------------------------------
  // sendmsg$NFT_BATCH arguments: [
  //   fd: sock_nl_netfilter (resource)
  //   msg: ptr[in, msghdr_netlink[nft_batch_msg]] {
  //     msghdr_netlink[nft_batch_msg] {
  //       addr: nil
  //       addrlen: len = 0x0 (4 bytes)
  //       pad = 0x0 (4 bytes)
  //       vec: ptr[in, iovec[in, nft_batch_msg]] {
  //         iovec[in, nft_batch_msg] {
  //           addr: ptr[inout, array[ANYUNION]] {
  //             array[ANYUNION] {
  //               union ANYUNION {
  //                 ANYBLOB: buffer: {14 00 00 00 10 00 01 00 00 00 00 00 00
  //                 00 00 00 00 00 00 0a 28 00 00 00 00 0a 01 01 00 00 00 00
  //                 5e 1a ff d5 02 00 00 00 09 00 01 00 73 79 7a 30 00 00 00
  //                 00 08 00 02 40 00 00 00 03 2c 00 00 00 03 0a 01 03 00 00
  //                 e6 ff 00 00 00 00 02 00 00 00 09 00 01 00 73 79 7a 30 00
  //                 00 00 00 09 00 03 00 73 79 7a 32 00 00 00 00 14 00 00 00
  //                 11 00 01} (length 0x6f)
  //               }
  //             }
  //           }
  //           len: len = 0x7c (8 bytes)
  //         }
  //       }
  //       vlen: const = 0x1 (8 bytes)
  //       ctrl: const = 0x0 (8 bytes)
  //       ctrllen: const = 0x0 (8 bytes)
  //       f: send_flags = 0x0 (4 bytes)
  //       pad = 0x0 (4 bytes)
  //     }
  //   }
  //   f: send_flags = 0x10 (8 bytes)
  // ]
  // struct msghdr at 0x...080: msg_name/msg_namelen, msg_iov -> iovec at
  // 0x...140, which in turn points at the blob at 0x...340.
  *(uint64_t*)0x200000000080 = 0;
  *(uint32_t*)0x200000000088 = 0;
  *(uint64_t*)0x200000000090 = 0x200000000140;
  *(uint64_t*)0x200000000140 = 0x200000000340;
  // 111 (0x6f) bytes are copied, but iov_len below is 0x7c = 124.  The copy
  // ends with `14 00 00 00 11 00 01`, i.e. the first 7 bytes of a 20-byte
  // NFNL_MSG_BATCH_END header; the remaining 13 bytes (0x...3af..0x...3bb)
  // are never written by this program and are read from the mapping as-is
  // (zero on a fresh anonymous mapping).
  memcpy((void*)0x200000000340,
         "\x14\x00\x00\x00\x10\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
         "\x00\x00\x0a\x28\x00\x00\x00\x00\x0a\x01\x01\x00\x00\x00\x00\x5e\x1a"
         "\xff\xd5\x02\x00\x00\x00\x09\x00\x01\x00\x73\x79\x7a\x30\x00\x00\x00"
         "\x00\x08\x00\x02\x40\x00\x00\x00\x03\x2c\x00\x00\x00\x03\x0a\x01\x03"
         "\x00\x00\xe6\xff\x00\x00\x00\x00\x02\x00\x00\x00\x09\x00\x01\x00\x73"
         "\x79\x7a\x30\x00\x00\x00\x00\x09\x00\x03\x00\x73\x79\x7a\x32\x00\x00"
         "\x00\x00\x14\x00\x00\x00\x11\x00\x01",
         111);
  *(uint64_t*)0x200000000148 = 0x7c;
  // msg_iovlen = 1, no control data, msg_flags = 0.
  *(uint64_t*)0x200000000098 = 1;
  *(uint64_t*)0x2000000000a0 = 0;
  *(uint64_t*)0x2000000000a8 = 0;
  *(uint32_t*)0x2000000000b0 = 0;
  // Sent with flags 0x10 (the generator labels it MSG_PROBE); the result is
  // not checked.
  syscall(__NR_sendmsg, /*fd=*/r[0], /*msg=*/0x200000000080ul, /*f=MSG_PROBE*/ 0x10ul);
  // ---- second batch: built field by field --------------------------------
  // sendmsg$NFT_BATCH arguments: [
  //   fd: sock_nl_netfilter (resource)
  //   msg: ptr[in, msghdr_netlink[nft_batch_msg]] {
  //     msghdr_netlink[nft_batch_msg] {
  //       addr: nil
  //       addrlen: len = 0x0 (4 bytes)
  //       pad = 0x0 (4 bytes)
  //       vec: ptr[in, iovec[in, nft_batch_msg]] {
  //         iovec[in, nft_batch_msg] {
  //           addr: ptr[in, nft_batch_msg] {
  //             nft_batch_msg {
  //               begin: nft_nlmsghdr[NFNL_MSG_BATCH_BEGIN] {
  //                 nlmsg_len: len = 0x14 (4 bytes)
  //                 nlmsg_type: const = 0x10 (2 bytes)
  //                 nlmsg_flags: const = 0x1 (2 bytes)
  //                 nlmsg_seq: const = 0x0 (4 bytes)
  //                 nlmsg_pid: const = 0x0 (4 bytes)
  //                 hdr: nfgenmsg_nft {
  //                   nfgen_family: families = 0x0 (1 bytes)
  //                   version: const = 0x0 (1 bytes)
  //                   res_id: const = 0xa (2 bytes)
  //                 }
  //               }
  //               msgs: array[nft_batch_message] {
  //                 union nft_batch_message {
  //                   NFT_MSG_NEWRULE: netlink_msg_netfilter_tt[NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWRULE, array[nft_rule_policy]] {
  //                     len: len = 0x88 (4 bytes)
  //                     type: const = 0x6 (1 bytes)
  //                     subsys: const = 0xa (1 bytes)
  //                     flags: netlink_netfilter_msg_flags = 0x40b (2 bytes)
  //                     seq: const = 0x0 (4 bytes)
  //                     pid: const = 0x0 (4 bytes)
  //                     hdr: nfgenmsg {
  //                       nfgen_family: nfproto = 0x2 (1 bytes)
  //                       version: const = 0x0 (1 bytes)
  //                       res_id: int16be = 0x0 (2 bytes)
  //                     }
  //                     attrs: array[nft_rule_policy] {
  //                       union nft_rule_policy {
  //                         NFTA_RULE_EXPRESSIONS: nlattr_tt[const[NFTA_RULE_EXPRESSIONS, int16:14], 0, 1, array[nlnest[NFTA_LIST_ELEM, nft_expr_policy]]] {
  //                           nla_len: offsetof = 0x5c (2 bytes)
  //                           nla_type: const = 0x4 (1 bytes)
  //                           NLA_F_NET_BYTEORDER: const = 0x0 (0 bytes)
  //                           NLA_F_NESTED: const = 0x1 (1 bytes)
  //                           payload: array[nlattr_tt[const[NFTA_LIST_ELEM, int16:14], 0, 1, nft_expr_policy]] {
  //                             nlattr_tt[const[NFTA_LIST_ELEM, int16:14], 0, 1, nft_expr_policy] {
  //                               nla_len: offsetof = 0x58 (2 bytes)
  //                               nla_type: const = 0x1 (1 bytes)
  //                               NLA_F_NET_BYTEORDER: const = 0x0 (0 bytes)
  //                               NLA_F_NESTED: const = 0x1 (1 bytes)
  //                               payload: union nft_expr_policy {
  //                                 inner: nft_expr_policy_t["inner", nft_inner_policy] {
  //                                   NFTA_EXPR_NAME: nlattr_t[const[NFTA_EXPR_NAME, int16], string["inner"]] {
  //                                     nla_len: offsetof = 0xa (2 bytes)
  //                                     nla_type: const = 0x1 (2 bytes)
  //                                     payload: buffer: {69 6e 6e 65 72 00} (length 0x6)
  //                                     size: buffer: {} (length 0x0)
  //                                     pad = 0x0 (2 bytes)
  //                                   }
  //                                   NFTA_EXPR_DATA: union optional[nlnest[NFTA_EXPR_DATA, array[nft_inner_policy]]] {
  //                                     val: nlattr_tt[const[NFTA_EXPR_DATA, int16:14], 0, 1, array[nft_inner_policy]] {
  //                                       nla_len: offsetof = 0x48 (2 bytes)
  //                                       nla_type: const = 0x2 (1 bytes)
  //                                       NLA_F_NET_BYTEORDER: const = 0x0 (0 bytes)
  //                                       NLA_F_NESTED: const = 0x1 (1 bytes)
  //                                       payload: array[nft_inner_policy] {
  //                                         union nft_inner_policy {
  //                                           NFTA_INNER_TYPE: nlattr_tt[const[NFTA_INNER_TYPE, int16:14], 1, 0, int32be[0:255]] {
  //                                             nla_len: offsetof = 0x8 (2 bytes)
  //                                             nla_type: const = 0x2 (1 bytes)
  //                                             NLA_F_NET_BYTEORDER: const = 0x1 (0 bytes)
  //                                             NLA_F_NESTED: const = 0x0 (1 bytes)
  //                                             payload: int32be = 0x84 (4 bytes)
  //                                             size: buffer: {} (length 0x0)
  //                                           }
  //                                         }
  //                                         union nft_inner_policy {
  //                                           NFTA_INNER_FLAGS: nlattr_tt[const[NFTA_INNER_FLAGS, int16:14], 1, 0, flags[nft_inner_flags, int32be]] {
  //                                             nla_len: offsetof = 0x8 (2 bytes)
  //                                             nla_type: const = 0x3 (1 bytes)
  //                                             NLA_F_NET_BYTEORDER: const = 0x1 (0 bytes)
  //                                             NLA_F_NESTED: const = 0x0 (1 bytes)
  //                                             payload: nft_inner_flags = 0xa (4 bytes)
  //                                             size: buffer: {} (length 0x0)
  //                                           }
  //                                         }
  //                                         union nft_inner_policy {
  //                                           NFTA_INNER_HDRSIZE: nlattr_tt[const[NFTA_INNER_HDRSIZE, int16:14], 1, 0, int32be[0:64]] {
  //                                             nla_len: offsetof = 0x8 (2 bytes)
  //                                             nla_type: const = 0x4 (1 bytes)
  //                                             NLA_F_NET_BYTEORDER: const = 0x1 (0 bytes)
  //                                             NLA_F_NESTED: const = 0x0 (1 bytes)
  //                                             payload: int32be = 0xf (4 bytes)
  //                                             size: buffer: {} (length 0x0)
  //                                           }
  //                                         }
  //                                         union nft_inner_policy {
  //                                           NFTA_INNER_NUM: nlattr_tt[const[NFTA_INNER_NUM, int16:14], 1, 0, int32be[0]] {
  //                                             nla_len: offsetof = 0x8 (2 bytes)
  //                                             nla_type: const = 0x1 (1 bytes)
  //                                             NLA_F_NET_BYTEORDER: const = 0x1 (0 bytes)
  //                                             NLA_F_NESTED: const = 0x0 (1 bytes)
  //                                             payload: int32be = 0x0 (4 bytes)
  //                                             size: buffer: {} (length 0x0)
  //                                           }
  //                                         }
  //                                         union nft_inner_policy {
  //                                           NFTA_INNER_EXPR: nlattr_tt[const[NFTA_INNER_EXPR, int16:14], 0, 1, nft_expr_policy_inner] {
  //                                             nla_len: offsetof = 0x24 (2 bytes)
  //                                             nla_type: const = 0x5 (1 bytes)
  //                                             NLA_F_NET_BYTEORDER: const = 0x0 (0 bytes)
  //                                             NLA_F_NESTED: const = 0x1 (1 bytes)
  //                                             payload: union nft_expr_policy_inner {
  //                                               meta: nft_expr_policy_t["meta", nft_meta_policy] {
  //                                                 NFTA_EXPR_NAME: nlattr_t[const[NFTA_EXPR_NAME, int16], string["meta"]] {
  //                                                   nla_len: offsetof = 0x9 (2 bytes)
  //                                                   nla_type: const = 0x1 (2 bytes)
  //                                                   payload: buffer: {6d 65 74 61 00} (length 0x5)
  //                                                   size: buffer: {} (length 0x0)
  //                                                   pad = 0x0 (3 bytes)
  //                                                 }
  //                                                 NFTA_EXPR_DATA: union optional[nlnest[NFTA_EXPR_DATA, array[nft_meta_policy]]] {
  //                                                   val: nlattr_tt[const[NFTA_EXPR_DATA, int16:14], 0, 1, array[nft_meta_policy]] {
  //                                                     nla_len: offsetof = 0x14 (2 bytes)
  //                                                     nla_type: const = 0x2 (1 bytes)
  //                                                     NLA_F_NET_BYTEORDER: const = 0x0 (0 bytes)
  //                                                     NLA_F_NESTED: const = 0x1 (1 bytes)
  //                                                     payload: array[nft_meta_policy] {
  //                                                       union nft_meta_policy {
  //                                                         NFTA_META_DREG: nlattr_tt[const[NFTA_META_DREG, int16:14], 1, 0, flags[nft_registers, int32be]] {
  //                                                           nla_len: offsetof = 0x8 (2 bytes)
  //                                                           nla_type: const = 0x1 (1 bytes)
  //                                                           NLA_F_NET_BYTEORDER: const = 0x1 (0 bytes)
  //                                                           NLA_F_NESTED: const = 0x0 (1 bytes)
  //                                                           payload: nft_registers = 0xe (4 bytes)
  //                                                           size: buffer: {} (length 0x0)
  //                                                         }
  //                                                       }
  //                                                       union nft_meta_policy {
  //                                                         NFTA_META_KEY: nlattr_tt[const[NFTA_META_KEY, int16:14], 1, 0, int32be[NFT_META_LEN:NFT_META_BRI_BROUTE]] {
  //                                                           nla_len: offsetof = 0x8 (2 bytes)
  //                                                           nla_type: const = 0x2 (1 bytes)
  //                                                           NLA_F_NET_BYTEORDER: const = 0x1 (0 bytes)
  //                                                           NLA_F_NESTED: const = 0x0 (1 bytes)
  //                                                           payload: int32be = 0x19 (4 bytes)
  //                                                           size: buffer: {} (length 0x0)
  //                                                         }
  //                                                       }
  //                                                     }
  //                                                     size: buffer: {} (length 0x0)
  //                                                   }
  //                                                 }
  //                                               }
  //                                             }
  //                                             size: buffer: {} (length 0x0)
  //                                           }
  //                                         }
  //                                       }
  //                                       size: buffer: {} (length 0x0)
  //                                     }
  //                                   }
  //                                 }
  //                               }
  //                               size: buffer: {} (length 0x0)
  //                             }
  //                           }
  //                           size: buffer: {} (length 0x0)
  //                         }
  //                       }
  //                       union nft_rule_policy {
  //                         NFTA_RULE_TABLE: nlattr_t[const[NFTA_RULE_TABLE, int16], string[nft_table_name]] {
  //                           nla_len: offsetof = 0x9 (2 bytes)
  //                           nla_type: const = 0x1 (2 bytes)
  //                           payload: buffer: {73 79 7a 30 00} (length 0x5)
  //                           size: buffer: {} (length 0x0)
  //                           pad = 0x0 (3 bytes)
  //                         }
  //                       }
  //                       union nft_rule_policy {
  //                         NFTA_RULE_CHAIN: nlattr_t[const[NFTA_RULE_CHAIN, int16], string[nft_chain_name]] {
  //                           nla_len: offsetof = 0x9 (2 bytes)
  //                           nla_type: const = 0x2 (2 bytes)
  //                           payload: buffer: {73 79 7a 32 00} (length 0x5)
  //                           size: buffer: {} (length 0x0)
  //                           pad = 0x0 (3 bytes)
  //                         }
  //                       }
  //                     }
  //                   }
  //                 }
  //               }
  //               end: nft_nlmsghdr[NFNL_MSG_BATCH_END] {
  //                 nlmsg_len: len = 0x14 (4 bytes)
  //                 nlmsg_type: const = 0x11 (2 bytes)
  //                 nlmsg_flags: const = 0x1 (2 bytes)
  //                 nlmsg_seq: const = 0x0 (4 bytes)
  //                 nlmsg_pid: const = 0x0 (4 bytes)
  //                 hdr: nfgenmsg_nft {
  //                   nfgen_family: families = 0x1 (1 bytes)
  //                   version: const = 0x0 (1 bytes)
  //                   res_id: const = 0xa (2 bytes)
  //                 }
  //               }
  //             }
  //           }
  //           len: len = 0xb0 (8 bytes)
  //         }
  //       }
  //       vlen: const = 0x1 (8 bytes)
  //       ctrl: const = 0x0 (8 bytes)
  //       ctrllen: const = 0x0 (8 bytes)
  //       f: send_flags = 0x0 (4 bytes)
  //       pad = 0x0 (4 bytes)
  //     }
  //   }
  //   f: send_flags = 0x0 (8 bytes)
  // ]
  // struct msghdr at 0x...000: msg_iov -> iovec at 0x...040, whose base is
  // the message buffer at 0x...180.
  *(uint64_t*)0x200000000000 = 0;
  *(uint32_t*)0x200000000008 = 0;
  *(uint64_t*)0x200000000010 = 0x200000000040;
  *(uint64_t*)0x200000000040 = 0x200000000180;
  // NFNL_MSG_BATCH_BEGIN header (20 bytes at 0x...180): len 0x14, type 0x10,
  // flags 1, seq/pid 0, nfgenmsg {family 0, version 0, res_id 0xa big-endian}.
  *(uint32_t*)0x200000000180 = 0x14;
  *(uint16_t*)0x200000000184 = 0x10;
  *(uint16_t*)0x200000000186 = 1;
  *(uint32_t*)0x200000000188 = 0;
  *(uint32_t*)0x20000000018c = 0;
  *(uint8_t*)0x200000000190 = 0;
  *(uint8_t*)0x200000000191 = 0;
  *(uint16_t*)0x200000000192 = htobe16(0xa);
  // NFT_MSG_NEWRULE message header at 0x...194: len 0x88, type 6,
  // subsys 0xa, flags 0x40b, seq/pid 0, nfgenmsg {family 2, version 0,
  // res_id 0}.
  *(uint32_t*)0x200000000194 = 0x88;
  *(uint8_t*)0x200000000198 = 6;
  *(uint8_t*)0x200000000199 = 0xa;
  *(uint16_t*)0x20000000019a = 0x40b;
  *(uint32_t*)0x20000000019c = 0;
  *(uint32_t*)0x2000000001a0 = 0;
  *(uint8_t*)0x2000000001a4 = 2;
  *(uint8_t*)0x2000000001a5 = 0;
  *(uint16_t*)0x2000000001a6 = htobe16(0);
  // Each nlattr below is nla_len (uint16) followed by nla_type written as
  // three bit-field stores: the 14-bit type at bit 0 of the 16-bit field,
  // then NLA_F_NET_BYTEORDER (bit 14) and NLA_F_NESTED (bit 15), which the
  // generator addresses as bits 6 and 7 of the field's second byte.
  // NFTA_RULE_EXPRESSIONS (type 4, nested), nla_len 0x5c.
  *(uint16_t*)0x2000000001a8 = 0x5c;
  STORE_BY_BITMASK(uint16_t, , 0x2000000001aa, 4, 0, 14);
  STORE_BY_BITMASK(uint16_t, , 0x2000000001ab, 0, 6, 1);
  STORE_BY_BITMASK(uint16_t, , 0x2000000001ab, 1, 7, 1);
  // NFTA_LIST_ELEM (type 1, nested), nla_len 0x58.
  *(uint16_t*)0x2000000001ac = 0x58;
  STORE_BY_BITMASK(uint16_t, , 0x2000000001ae, 1, 0, 14);
  STORE_BY_BITMASK(uint16_t, , 0x2000000001af, 0, 6, 1);
  STORE_BY_BITMASK(uint16_t, , 0x2000000001af, 1, 7, 1);
  // NFTA_EXPR_NAME = "inner" (nla_len 0xa, type 1, NUL included, padded).
  *(uint16_t*)0x2000000001b0 = 0xa;
  *(uint16_t*)0x2000000001b2 = 1;
  memcpy((void*)0x2000000001b4, "inner\000", 6);
  // NFTA_EXPR_DATA (type 2, nested), nla_len 0x48: the inner expression's
  // attributes.
  *(uint16_t*)0x2000000001bc = 0x48;
  STORE_BY_BITMASK(uint16_t, , 0x2000000001be, 2, 0, 14);
  STORE_BY_BITMASK(uint16_t, , 0x2000000001bf, 0, 6, 1);
  STORE_BY_BITMASK(uint16_t, , 0x2000000001bf, 1, 7, 1);
  // NFTA_INNER_TYPE (type 2, net byte order) = 0x84.
  *(uint16_t*)0x2000000001c0 = 8;
  STORE_BY_BITMASK(uint16_t, , 0x2000000001c2, 2, 0, 14);
  STORE_BY_BITMASK(uint16_t, , 0x2000000001c3, 1, 6, 1);
  STORE_BY_BITMASK(uint16_t, , 0x2000000001c3, 0, 7, 1);
  *(uint32_t*)0x2000000001c4 = htobe32(0x84);
  // NFTA_INNER_FLAGS (type 3, net byte order) = 0xa.
  *(uint16_t*)0x2000000001c8 = 8;
  STORE_BY_BITMASK(uint16_t, , 0x2000000001ca, 3, 0, 14);
  STORE_BY_BITMASK(uint16_t, , 0x2000000001cb, 1, 6, 1);
  STORE_BY_BITMASK(uint16_t, , 0x2000000001cb, 0, 7, 1);
  *(uint32_t*)0x2000000001cc = htobe32(0xa);
  // NFTA_INNER_HDRSIZE (type 4, net byte order) = 0xf.
  *(uint16_t*)0x2000000001d0 = 8;
  STORE_BY_BITMASK(uint16_t, , 0x2000000001d2, 4, 0, 14);
  STORE_BY_BITMASK(uint16_t, , 0x2000000001d3, 1, 6, 1);
  STORE_BY_BITMASK(uint16_t, , 0x2000000001d3, 0, 7, 1);
  *(uint32_t*)0x2000000001d4 = htobe32(0xf);
  // NFTA_INNER_NUM (type 1, net byte order) = 0.
  *(uint16_t*)0x2000000001d8 = 8;
  STORE_BY_BITMASK(uint16_t, , 0x2000000001da, 1, 0, 14);
  STORE_BY_BITMASK(uint16_t, , 0x2000000001db, 1, 6, 1);
  STORE_BY_BITMASK(uint16_t, , 0x2000000001db, 0, 7, 1);
  *(uint32_t*)0x2000000001dc = htobe32(0);
  // NFTA_INNER_EXPR (type 5, nested), nla_len 0x24: the wrapped "meta"
  // expression.
  *(uint16_t*)0x2000000001e0 = 0x24;
  STORE_BY_BITMASK(uint16_t, , 0x2000000001e2, 5, 0, 14);
  STORE_BY_BITMASK(uint16_t, , 0x2000000001e3, 0, 6, 1);
  STORE_BY_BITMASK(uint16_t, , 0x2000000001e3, 1, 7, 1);
  // NFTA_EXPR_NAME = "meta" (nla_len 9, type 1).
  *(uint16_t*)0x2000000001e4 = 9;
  *(uint16_t*)0x2000000001e6 = 1;
  memcpy((void*)0x2000000001e8, "meta\000", 5);
  // NFTA_EXPR_DATA (type 2, nested), nla_len 0x14.
  *(uint16_t*)0x2000000001f0 = 0x14;
  STORE_BY_BITMASK(uint16_t, , 0x2000000001f2, 2, 0, 14);
  STORE_BY_BITMASK(uint16_t, , 0x2000000001f3, 0, 6, 1);
  STORE_BY_BITMASK(uint16_t, , 0x2000000001f3, 1, 7, 1);
  // NFTA_META_DREG (type 1, net byte order) = 0xe.
  *(uint16_t*)0x2000000001f4 = 8;
  STORE_BY_BITMASK(uint16_t, , 0x2000000001f6, 1, 0, 14);
  STORE_BY_BITMASK(uint16_t, , 0x2000000001f7, 1, 6, 1);
  STORE_BY_BITMASK(uint16_t, , 0x2000000001f7, 0, 7, 1);
  *(uint32_t*)0x2000000001f8 = htobe32(0xe);
  // NFTA_META_KEY (type 2, net byte order) = 0x19.
  *(uint16_t*)0x2000000001fc = 8;
  STORE_BY_BITMASK(uint16_t, , 0x2000000001fe, 2, 0, 14);
  STORE_BY_BITMASK(uint16_t, , 0x2000000001ff, 1, 6, 1);
  STORE_BY_BITMASK(uint16_t, , 0x2000000001ff, 0, 7, 1);
  *(uint32_t*)0x200000000200 = htobe32(0x19);
  // NFTA_RULE_TABLE = "syz0" (nla_len 9, type 1).
  *(uint16_t*)0x200000000204 = 9;
  *(uint16_t*)0x200000000206 = 1;
  memcpy((void*)0x200000000208, "syz0\000", 5);
  // NFTA_RULE_CHAIN = "syz2" (nla_len 9, type 2).
  *(uint16_t*)0x200000000210 = 9;
  *(uint16_t*)0x200000000212 = 2;
  memcpy((void*)0x200000000214, "syz2\000", 5);
  // NFNL_MSG_BATCH_END header (20 bytes at 0x...21c): len 0x14, type 0x11,
  // flags 1, nfgenmsg {family 1, version 0, res_id 0xa big-endian}.
  *(uint32_t*)0x20000000021c = 0x14;
  *(uint16_t*)0x200000000220 = 0x11;
  *(uint16_t*)0x200000000222 = 1;
  *(uint32_t*)0x200000000224 = 0;
  *(uint32_t*)0x200000000228 = 0;
  *(uint8_t*)0x20000000022c = 1;
  *(uint8_t*)0x20000000022d = 0;
  *(uint16_t*)0x20000000022e = htobe16(0xa);
  // iov_len 0xb0 = 0x14 + 0x88 + 0x14, i.e. exactly the three messages
  // written above (0x...180 .. 0x...230).
  *(uint64_t*)0x200000000048 = 0xb0;
  // msg_iovlen = 1, no control data, msg_flags = 0.
  *(uint64_t*)0x200000000018 = 1;
  *(uint64_t*)0x200000000020 = 0;
  *(uint64_t*)0x200000000028 = 0;
  *(uint32_t*)0x200000000030 = 0;
  // Result not checked; the program exits 0 regardless of what the kernel
  // answered to either batch.
  syscall(__NR_sendmsg, /*fd=*/r[0], /*msg=*/0x200000000000ul, /*f=*/0ul);
  return 0;
}