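// autogenerated by syzkaller (https://github.com/google/syzkaller)
//
// Reproducer: two bpf(2) calls issued through raw syscall(2).
//   1. BPF_MAP_CREATE of a one-entry BPF_MAP_TYPE_ARRAY (4-byte key, 8-byte
//      value) with map_flags 0x80 (BPF_F_RDONLY_PROG); the fd is kept in r[0].
//   2. BPF_PROG_LOAD of a 16-instruction program whose ld_imm64 is patched
//      with that fd (src_reg 2 = BPF_PSEUDO_MAP_VALUE, value offset 2) and
//      which then calls helper id 0xa9.
// Every attr struct and the instruction stream are built at fixed addresses
// inside the syzkaller data area at 0x200000000000. Apart from capturing the
// map fd, return values are deliberately not checked: a reproducer only has
// to issue the same syscalls in the same order.
//
// Review note: the <...> targets of the #include lines were lost in the copy
// this file was taken from; they are restored below to syzkaller's standard
// list, which covers every symbol this program uses (uint64_t/intptr_t,
// memcpy/memset, syscall/write, __NR_*).
#define _GNU_SOURCE

#include <endian.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

#ifndef __NR_bpf
#define __NR_bpf 321 // fallback only; normally supplied by <sys/syscall.h>
#endif

// Resource slot shared between the two bpf() calls: r[0] receives the map fd
// from BPF_MAP_CREATE. It starts as -1 (all ones) so that, if the map create
// fails, the program load below still runs with an invalid fd patched in.
uint64_t r[1] = {0xffffffffffffffff};

// Typed stores into the fixed-address data area. The reproducer writes every
// attr field at an explicit absolute address; these keep the casts in one
// place.
static inline void put32(uintptr_t addr, uint32_t v) {
  *(uint32_t *)addr = v;
}

static inline void put64(uintptr_t addr, uint64_t v) {
  *(uint64_t *)addr = v;
}

// Map syzkaller's standard data area: a PROT_NONE guard page below, 16 MiB of
// PROT_READ|PROT_WRITE|PROT_EXEC at 0x200000000000, and a guard page above.
// Flags 0x32 = MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE. This reproducer only
// stores into the region and hands addresses in it to the kernel; nothing
// here executes from it.
static void setup_data_area(void) {
  syscall(__NR_mmap, /*addr=*/0x1ffffffff000ul, /*len=*/0x1000ul,
          /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul,
          /*fd=*/(intptr_t)-1, /*offset=*/0ul);
  syscall(__NR_mmap, /*addr=*/0x200000000000ul, /*len=*/0x1000000ul,
          /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul,
          /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul,
          /*fd=*/(intptr_t)-1, /*offset=*/0ul);
  syscall(__NR_mmap, /*addr=*/0x200001000000ul, /*len=*/0x1000ul,
          /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul,
          /*fd=*/(intptr_t)-1, /*offset=*/0ul);
}

// bpf$MAP_CREATE_CONST_STR: bpf(BPF_MAP_CREATE, attr, 0x50).
// Builds the 80-byte map-create attr at 0x200000000340 and stores the
// resulting fd in r[0] (left untouched on failure). Field names follow the
// syzkaller description of the call; the two trailing 4-byte slots are the
// ones syzkaller labels pad1/pad2 and writes as zero.
static void create_const_str_map(void) {
  const uintptr_t attr = 0x200000000340ul;

  put32(attr + 0x00, 2);    // type = BPF_MAP_TYPE_ARRAY
  put32(attr + 0x04, 4);    // ksize
  put32(attr + 0x08, 8);    // vsize
  put32(attr + 0x0c, 1);    // max (entries)
  put32(attr + 0x10, 0x80); // flags = BPF_F_RDONLY_PROG
  put32(attr + 0x14, 0);    // inner (map fd)
  put32(attr + 0x18, 0);    // node
  memset((void *)(attr + 0x1c), 0, 16); // map_name, all zero
  put32(attr + 0x2c, 0);    // map_ifindex
  put32(attr + 0x30, 0);    // btf_fd
  put32(attr + 0x34, 0);    // btf_key_type_id
  put32(attr + 0x38, 0);    // btf_value_type_id
  put32(attr + 0x3c, 0);    // btf_vmlinux_type_id
  put64(attr + 0x40, 0);    // map_extra
  put32(attr + 0x48, 0);    // pad1 (value_type_btf_obj_fd slot)
  put32(attr + 0x4c, 0);    // pad2 (map_token_fd slot)

  intptr_t res = syscall(__NR_bpf, /*cmd=BPF_MAP_CREATE*/ 0ul,
                         /*arg=*/attr, /*size=*/0x50ul);
  if (res != -1) {
    r[0] = res;
  }
}

// bpf$BPF_PROG_RAW_TRACEPOINT_LOAD: bpf(BPF_PROG_LOAD, attr, 0x94).
// Lays out the instruction stream at 0x200000000180, the "GPL" license at
// 0x200000000300 and the 148-byte prog-load attr at 0x200000000400. The
// result of the load is not used.
//
// Instruction stream, hand-decoded from the bytes below (verify with a BPF
// disassembler before relying on it):
//   ld_imm64 r0, 0
//   mov64 r8, 0 ; stxdw [r10-8], r8
//   mov64 r8, 0 ; stxdw [r10-16], r8
//   mov64 r1, r8 ; add64 r8, -8
//   mov64 r4, r10 ; add64 r4, -16
//   mov64 r2, 8
//   ld_imm64 r1, map_value(fd = r[0], off = 2)   ; 18 21 .. <fd> / 00 .. 02
//   mov64 r5, 8
//   call 0xa9
//   exit
// insn_cnt is 16 (128 bytes) but only 92 + 4 + 25 = 121 bytes are written:
// the tail of the final exit insn (opcode 0x95) is the zero-filled mapping.
// r[0] is 64-bit and is truncated to the 32-bit imm field; if the map create
// failed this patches in 0xffffffff, and the load is presumably rejected.
static void load_raw_tracepoint_prog(void) {
  const uintptr_t insns = 0x200000000180ul;
  const uintptr_t license = 0x200000000300ul;
  const uintptr_t attr = 0x200000000400ul;

  put32(attr + 0x00, 0x15); // type (from syzkaller's bpf_raw_tracepoint_prog_types)
  put32(attr + 0x04, 0x10); // ninsn = 16
  put64(attr + 0x08, insns); // insns
  memcpy((void *)insns,
         "\x18\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xb7"
         "\x08\x00\x00\x00\x00\x00\x00\x7b\x8a\xf8\xff\x00\x00\x00\x00\xb7\x08"
         "\x00\x00\x00\x00\x00\x00\x7b\x8a\xf0\xff\x00\x00\x00\x00\xbf\x81\x00"
         "\x00\x00\x00\x00\x00\x07\x08\x00\x00\xf8\xff\xff\xff\xbf\xa4\x00\x00"
         "\x00\x00\x00\x00\x07\x04\x00\x00\xf0\xff\xff\xff\xb7\x02\x00\x00\x08"
         "\x00\x00\x00\x18\x21\x00\x00",
         92);
  put32(insns + 92, (uint32_t)r[0]); // map fd -> imm of the ld_imm64 at 0x2000000001dc
  memcpy((void *)(insns + 96),
         "\x00\x00\x00\x00\x02\x00\x00\x00\xb7\x05\x00\x00\x08\x00\x00\x00\x85"
         "\x00\x00\x00\xa9\x00\x00\x00\x95",
         25);
  put64(attr + 0x10, license); // license
  memcpy((void *)license, "GPL\000", 4);
  put32(attr + 0x18, 0);    // loglev
  put32(attr + 0x1c, 0);    // logsize
  put64(attr + 0x20, 0);    // log = NULL
  put32(attr + 0x28, 0);    // kern_version
  put32(attr + 0x2c, 5);    // flags (bpf_prog_load_flags)
  memset((void *)(attr + 0x30), 0, 16); // prog_name, all zero
  put32(attr + 0x40, 0);    // prog_ifindex
  put32(attr + 0x44, 0);    // expected_attach_type
  put32(attr + 0x48, 0xffffffffu); // btf_fd = -1 (written as -1 in the original)
  put32(attr + 0x4c, 8);    // func_info_rec_size
  put64(attr + 0x50, 0);    // func_info = NULL
  put32(attr + 0x58, 0);    // func_info_cnt
  put32(attr + 0x5c, 0x10); // line_info_rec_size
  put64(attr + 0x60, 0);    // line_info = NULL
  put32(attr + 0x68, 0);    // line_info_cnt
  put32(attr + 0x6c, 0);    // attach_btf_id
  put32(attr + 0x70, 0);    // attach_prog_fd
  put32(attr + 0x74, 0);    // core_relo_cnt
  put64(attr + 0x78, 0);    // fd_array = NULL
  put64(attr + 0x80, 0);    // core_relos = NULL
  put32(attr + 0x88, 0x10); // core_relo_rec_size
  put32(attr + 0x8c, 0);    // log_true_size
  put32(attr + 0x90, 0);    // pad (prog_token_fd slot)

  syscall(__NR_bpf, /*cmd=BPF_PROG_LOAD*/ 5ul, /*arg=*/attr,
          /*size=*/0x94ul);
}

// Entry point: map the data area, announce the run on stdout, then issue the
// two bpf() calls in order. Always returns 0.
int main(void) {
  setup_data_area();
  // The if() consumes write(2)'s warn_unused_result without a cast; the
  // result is intentionally ignored.
  if (write(1, "executing program\n", sizeof("executing program\n") - 1)) {
  }
  create_const_str_map();
  load_raw_tracepoint_prog();
  return 0;
}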