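// https://syzkaller.appspot.com/bug?id=10b0aad3bdc3d753ae894e260f0c5aa628254dd4
// autogenerated by syzkaller (https://github.com/google/syzkaller)
//
// Kernel-bug reproducer for the BPF subsystem.  It creates one BPF map, loads
// three BPF programs and drives them through BPF_PROG_TEST_RUN with the exact
// union bpf_attr contents syzkaller found.  Review notes:
//   * This is hostile input to the kernel.  Run it ONLY inside a disposable VM
//     booted with the kernel named in the syzkaller report; a "successful" run
//     is one that crashes, hangs or corrupts that kernel.
//   * BPF_PROG_LOAD and BPF_PROG_TEST_RUN need BPF privileges (root, or
//     CAP_SYS_ADMIN / CAP_BPF+CAP_NET_ADMIN, or unprivileged BPF enabled via
//     kernel.unprivileged_bpf_disabled=0).  Without them the loads fail with
//     EPERM, r[1..3] stay at -1 and the reproducer silently does nothing.
//     The original ignored every bpf(2) result; this version reports failures
//     on stderr so "no crash" is not mistaken for "bug does not reproduce".
//   * All bpf_attr structures and instruction buffers live at fixed addresses
//     inside an anonymous RWX mapping at 0x20000000 (syzkaller convention).
//     Buffers are reused/overlapped between steps; each buffer is only ever
//     read by the kernel before the step that overwrites it.
//   * The #include header names were lost when this file was extracted; they
//     are restored below from the standard syzkaller C template, plus errno.h
//     for the added diagnostics.
#define _GNU_SOURCE
#include <endian.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

#ifndef __NR_bpf
#define __NR_bpf 321
#endif

/* File descriptors obtained so far, in program order: r[0] is the map fd,
 * r[1]..r[3] the program fds.  All-ones (-1) means "not obtained"; a later
 * step that consumes such a slot passes fd -1 to the kernel, which is
 * expected to fail harmlessly (EBADF) rather than fault. */
static uint64_t r[4] = {0xffffffffffffffff, 0xffffffffffffffff,
                        0xffffffffffffffff, 0xffffffffffffffff};

/* Store a 32-/64-bit value at a fixed address inside the 0x20000000 scratch
 * mapping.  memcpy rather than a cast store keeps strict aliasing honest and
 * makes the (intended) truncation of fds to 32 bits explicit at the call. */
static void put32(uintptr_t addr, uint32_t v) { memcpy((void *)addr, &v, sizeof v); }
static void put64(uintptr_t addr, uint64_t v) { memcpy((void *)addr, &v, sizeof v); }

/* Issue bpf(2) with the given command and attr buffer.  Returns the raw
 * syscall result (-1 on failure).  Failures are logged to stderr with errno
 * so an EPERM/EINVAL/EBADF is visible during triage; the caller keeps the
 * original syzkaller behaviour of carrying on regardless. */
static intptr_t do_bpf(const char *what, unsigned long cmd, uintptr_t attr, unsigned long size)
{
    intptr_t res = syscall(__NR_bpf, cmd, (unsigned long)attr, size);
    if (res == -1)
        fprintf(stderr, "%s (bpf cmd %lu) failed: %s\n", what, cmd, strerror(errno));
    return res;
}

int main(void)
{
    intptr_t res = 0;

    /* syzkaller address layout: a 16 MiB RWX scratch area at 0x20000000 with a
     * PROT_NONE guard page just below (0x1ffff000) and just above (0x21000000).
     * flags 0x32 = MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE.  The guard pages are
     * best-effort, as in the generated code; the scratch mapping is mandatory
     * because every store below targets it and would otherwise SIGSEGV, so
     * fail cleanly instead of faulting if the kernel refuses it. */
    syscall(__NR_mmap, 0x1ffff000ul, 0x1000ul, /*prot=*/0ul, 0x32ul, /*fd=*/-1, /*offset=*/0ul);
    if (syscall(__NR_mmap, 0x20000000ul, 0x1000000ul,
                /*prot=PROT_READ|PROT_WRITE|PROT_EXEC*/ 7ul, 0x32ul, /*fd=*/-1, /*offset=*/0ul) == -1) {
        perror("mmap(0x20000000, 16 MiB, RWX, MAP_FIXED)");
        return 1;
    }
    syscall(__NR_mmap, 0x21000000ul, 0x1000ul, /*prot=*/0ul, 0x32ul, /*fd=*/-1, /*offset=*/0ul);

    /* Progress marker for the syzkaller harness; the empty body silences
     * warn_unused_result on write(2) without hiding the call. */
    if (write(1, "executing program\n", sizeof("executing program\n") - 1)) {
    }

    /* ---- 1. BPF_MAP_CREATE (cmd 0): 0x48-byte attr at 0x200009c0 ----
     * Field names follow union bpf_attr in include/uapi/linux/bpf.h; verify
     * the offsets against the target kernel's header. */
    put32(0x200009c0, 0xe);            /* map_type 14 = BPF_MAP_TYPE_DEVMAP in uapi */
    put32(0x200009c4, 4);              /* key_size */
    put32(0x200009c8, 8);              /* value_size */
    put32(0x200009cc, 8);              /* max_entries */
    put32(0x200009d0, 0);              /* map_flags */
    put32(0x200009d4, 0xffffffffu);    /* inner_map_fd = -1 (none) */
    put32(0x200009d8, 0);              /* numa_node */
    memset((void *)0x200009dc, 0, 16); /* map_name: empty */
    put32(0x200009ec, 0);              /* map_ifindex */
    put32(0x200009f0, 0xffffffffu);    /* btf_fd = -1 (no BTF) */
    put32(0x200009f4, 0);
    put32(0x200009f8, 0);
    put32(0x200009fc, 0);
    put64(0x20000a00, 0);
    put32(0x20000a08, 0);
    put32(0x20000a0c, 0);
    res = do_bpf("BPF_MAP_CREATE", 0ul, 0x200009c0, 0x48ul);
    if (res != -1)
        r[0] = res;

    /* ---- 2. BPF_PROG_LOAD (cmd 5): 0x94-byte attr at 0x200000c0 ----
     * prog_type 6 (XDP in uapi), 13 instructions at 0x20000200.  The map fd
     * from step 1 is patched into the imm field of the ld_imm64 that starts
     * at byte 24 (opcode 0x18, src_reg nibble 1 = pseudo map fd in uapi), i.e.
     * at 0x2000021c.  13 insns are 104 bytes but only 97 are written; the
     * trailing 7 bytes of the final 0x95 (exit) insn come from the
     * zero-filled anonymous mapping, which is what syzkaller relies on. */
    put32(0x200000c0, 6);              /* prog_type */
    put32(0x200000c4, 0xd);            /* insn_cnt */
    put64(0x200000c8, 0x20000200);     /* insns */
    memcpy((void *)0x20000200,
           "\x18\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x85"
           "\x00\x00\x00\xbc\x00\x00\x00\x18\x11\x00\x00",
           28);
    put32(0x2000021c, (uint32_t)r[0]); /* map fd -> ld_imm64 imm */
    memcpy((void *)0x20000220,
           "\x00\x00\x00\x00\x00\x00\x00\x00\xb7\x08\x00\x00\x00\x00\x00\x00\x7b"
           "\x8a\xf8\xff\x00\x00\x00\x00\xbc\xa2\x00\x00\x00\x00\x00\x00\xa6\x02"
           "\x00\x00\xf8\xff\xff\xff\xb7\x03\x00\x00\x08\x00\x00\x00\xb7\x04\x00"
           "\x00\x00\x00\x04\x00\x85\x00\x00\x00\x33\x00\x00\x00\x95",
           65);
    put64(0x200000d0, 0x20000180);     /* license */
    memcpy((void *)0x20000180, "GPL\000", 4);
    put32(0x200000d8, 0);              /* log_level */
    put32(0x200000dc, 0);              /* log_size */
    put64(0x200000e0, 0);              /* log_buf */
    put32(0x200000e8, 0);              /* kern_version */
    put32(0x200000ec, 0);              /* prog_flags */
    memset((void *)0x200000f0, 0, 16); /* prog_name: empty */
    put32(0x20000100, 0);              /* prog_ifindex */
    put32(0x20000104, 0);              /* expected_attach_type */
    put32(0x20000108, 0xffffffffu);    /* prog_btf_fd = -1 */
    put32(0x2000010c, 0);
    put64(0x20000110, 0);
    put32(0x20000118, 0);
    put32(0x2000011c, 0);
    put64(0x20000120, 0);
    put32(0x20000128, 0);
    put32(0x2000012c, 0);
    put32(0x20000130, 0);
    put32(0x20000134, 0);
    put64(0x20000138, 0);
    put64(0x20000140, 0);
    put32(0x20000148, 0);
    put32(0x2000014c, 0);
    put32(0x20000150, 0);
    res = do_bpf("BPF_PROG_LOAD #1", 5ul, 0x200000c0, 0x94ul);
    if (res != -1)
        r[1] = res;

    /* ---- 3. BPF_PROG_TEST_RUN (cmd 10) on program #1: 0x50-byte attr ----
     * No input data (data_size_in 0); repeat 0xd01 with a nonzero duration
     * field, exactly as syzkaller recorded it. */
    put32(0x20000600, (uint32_t)r[1]); /* prog_fd */
    put32(0x20000604, 5);              /* retval */
    put32(0x20000608, 0);              /* data_size_in */
    put32(0x2000060c, 0);              /* data_size_out */
    put64(0x20000610, 0);              /* data_in */
    put64(0x20000618, 0);              /* data_out */
    put32(0x20000620, 0xd01);          /* repeat */
    put32(0x20000624, 0x2000000);      /* duration */
    put32(0x20000628, 0);              /* ctx_size_in */
    put32(0x2000062c, 0);              /* ctx_size_out */
    put64(0x20000630, 0);              /* ctx_in */
    put64(0x20000638, 0);              /* ctx_out */
    put32(0x20000640, 0);              /* flags */
    put32(0x20000644, 0);              /* cpu */
    put32(0x20000648, 0);              /* batch_size */
    do_bpf("BPF_PROG_TEST_RUN #1", 0xaul, 0x20000600, 0x50ul);

    /* ---- 4. BPF_PROG_LOAD (cmd 5): 0x65-byte attr at 0x20002c80 ----
     * prog_type 3 (SCHED_CLS in uapi), 12 instructions at 0x200001c0.  The
     * 205-byte copy is longer than the 96 bytes the kernel reads for 12
     * insns; the surplus is syzkaller fuzz residue.  Note it also overwrites
     * 0x20000200..0x2000028c, i.e. program #1's instruction buffer, which has
     * already been consumed by step 2. */
    put32(0x20002c80, 3);              /* prog_type */
    put32(0x20002c84, 0xc);            /* insn_cnt */
    put64(0x20002c88, 0x200001c0);     /* insns */
    memcpy((void *)0x200001c0,
           "\x18\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x85\x00"
           "\x00\x00\x9b\x00\x00\x00\x18\x01\x00\x00\x20\x20\x70\x25\x00\x00\x00\x00"
           "\x00\x20\x20\x20\x7b\x1a\xf8\xff\x00\x00\x00\x00\xbf\xa1\x00\x00\x00\x00"
           "\x00\x00\x07\x01\x00\x00\xf8\xff\xff\xff\xb7\x02\x00\x00\x08\x00\x00\x00"
           "\xb7\x03\x00\x00\x00\x00\x00\x00\x85\x00\x00\x00\x71\x00\x00\x00\x95\x00"
           "\x00\x00\x00\x00\x00\x00\x2f\x81\xc4\x61\xb3\xfe\xa8\x34\xce\xb0\xe1\x7d"
           "\x98\x38\xc2\x83\x0c\xa7\xce\x46\xe5\x81\xa1\x92\x32\x6a\x36\x98\xc7\x92"
           "\x05\xe0\x2f\x15\x61\xb0\xa3\xc5\x95\x44\x8e\x9f\x70\x24\xb4\x5f\xb2\x00"
           "\x6c\x99\x17\xfe\x2a\x42\xfc\xd2\xce\x27\x80\x09\x68\x2d\xc8\xf7\xc8\x67"
           "\xb1\x77\xec\x5b\xd5\x0b\x92\xae\xde\xf3\x5b\x6c\xd8\x7b\x56\x69\x0b\x4c"
           "\x96\xf6\x3a\xb0\x21\xee\x1c\xf6\x16\xd8\xaf\x74\x91\x1d\x5e\x51\xb7\x6d"
           "\x2c\x31\xb8\xbe\xce\x7b\x0f",
           205);
    put64(0x20002c90, 0x20000080);     /* license */
    memcpy((void *)0x20000080, "GPL\000", 4);
    put32(0x20002c98, 0);              /* log_level */
    put32(0x20002c9c, 0);              /* log_size */
    put64(0x20002ca0, 0);              /* log_buf */
    put32(0x20002ca8, 0);              /* kern_version */
    put32(0x20002cac, 0);              /* prog_flags */
    memset((void *)0x20002cb0, 0, 16); /* prog_name: empty */
    put32(0x20002cc0, 0);              /* prog_ifindex */
    put32(0x20002cc4, 0);              /* expected_attach_type */
    put32(0x20002cc8, 0xffffffffu);    /* prog_btf_fd = -1 */
    put32(0x20002ccc, 8);
    put64(0x20002cd0, 0);
    put32(0x20002cd8, 0);
    put32(0x20002cdc, 0x10);
    put64(0x20002ce0, 0);
    put32(0x20002ce8, 0);
    put32(0x20002cec, 0);
    put32(0x20002cf0, 0);
    put32(0x20002cf4, 0);
    put64(0x20002cf8, 0);
    put64(0x20002d00, 0);
    put32(0x20002d08, 0x10);
    put32(0x20002d0c, 0);
    put32(0x20002d10, 0);
    res = do_bpf("BPF_PROG_LOAD #2", 5ul, 0x20002c80, 0x65ul);
    if (res != -1)
        r[2] = res;

    /* ---- 5. BPF_PROG_TEST_RUN (cmd 10) on program #2 ----
     * 14 bytes of input packet data at 0x20000000, repeated 0x4000 times. */
    put32(0x200002c0, (uint32_t)r[2]); /* prog_fd */
    put32(0x200002c4, 0);              /* retval */
    put32(0x200002c8, 0xe);            /* data_size_in */
    put32(0x200002cc, 0);              /* data_size_out */
    put64(0x200002d0, 0x20000000);     /* data_in */
    memcpy((void *)0x20000000,
           "\xe0\xb9\x54\x7e\xd3\x87\xdb\xe9\xab\xc8\x9b\x6f\x5b\xec", 14);
    put64(0x200002d8, 0);              /* data_out */
    put32(0x200002e0, 0x4000);         /* repeat */
    put32(0x200002e4, 0);              /* duration */
    put32(0x200002e8, 0);
    put32(0x200002ec, 0);
    put64(0x200002f0, 0);
    put64(0x200002f8, 0);
    put32(0x20000300, 0);
    put32(0x20000304, 0);
    put32(0x20000308, 0);
    do_bpf("BPF_PROG_TEST_RUN #2", 0xaul, 0x200002c0, 0x50ul);

    /* ---- 6. BPF_PROG_LOAD (cmd 5): 0x90-byte attr at 0x20000040 ----
     * prog_type 6 again, 6 instructions at 0x20000480, non-GPL license
     * string "syzkaller".  This attr spans 0x20000040..0x200000cf and so
     * clobbers the step-2 attr at 0x200000c0 and the step-4 license at
     * 0x20000080; both were consumed by the kernel in earlier steps. */
    put32(0x20000040, 6);              /* prog_type */
    put32(0x20000044, 6);              /* insn_cnt */
    put64(0x20000048, 0x20000480);     /* insns */
    memcpy((void *)0x20000480,
           "\x18\x02\x00\x00\xfa\xff\xff\xff\x00\x00\x00\x00\x00\x00\x40\x00\x85"
           "\x00\x00\x00\x2c\x00\x00\x00\x18\x00\x00\x00\x04\x00\x00\x00\x00\x00"
           "\x00\x00\x07\x00\x00\x00\x95",
           41);
    put64(0x20000050, 0x20000200);     /* license */
    memcpy((void *)0x20000200, "syzkaller\000", 10);
    put32(0x20000058, 0);              /* log_level */
    put32(0x2000005c, 0);              /* log_size */
    put64(0x20000060, 0);              /* log_buf */
    put32(0x20000068, 0);              /* kern_version */
    put32(0x2000006c, 0);              /* prog_flags */
    memset((void *)0x20000070, 0, 16); /* prog_name: empty */
    put32(0x20000080, 0);              /* prog_ifindex */
    put32(0x20000084, 0);              /* expected_attach_type */
    put32(0x20000088, 0xffffffffu);    /* prog_btf_fd = -1 */
    put32(0x2000008c, 0);
    put64(0x20000090, 0);
    put32(0x20000098, 0);
    put32(0x2000009c, 0);
    put64(0x200000a0, 0);
    put32(0x200000a8, 0);
    put32(0x200000ac, 0);
    put32(0x200000b0, 0);
    put32(0x200000b4, 0);
    put64(0x200000b8, 0);
    put64(0x200000c0, 0);
    put32(0x200000c8, 0x10);
    put32(0x200000cc, 0);
    put32(0x200000d0, 0);
    res = do_bpf("BPF_PROG_LOAD #3", 5ul, 0x20000040, 0x90ul);
    if (res != -1)
        r[3] = res;

    /* ---- 7. BPF_PROG_TEST_RUN (cmd 10) on program #3 ----
     * Attr reuses 0x200000c0 (already consumed as the step-2 attr).  Note the
     * nonzero data_size_out with a NULL data_out pointer and the 0xf2ffffff
     * duration; these are the fuzzed values syzkaller recorded, keep them. */
    put32(0x200000c0, (uint32_t)r[3]); /* prog_fd */
    put32(0x200000c4, 0x27);           /* retval */
    put32(0x200000c8, 0);              /* data_size_in */
    put32(0x200000cc, 0x3100);         /* data_size_out */
    put64(0x200000d0, 0);              /* data_in */
    put64(0x200000d8, 0);              /* data_out */
    put32(0x200000e0, 0x1400);         /* repeat */
    put32(0x200000e4, 0xf2ffffff);     /* duration */
    put32(0x200000e8, 0);
    put32(0x200000ec, 0);
    put64(0x200000f0, 0);
    put64(0x200000f8, 0);
    put32(0x20000100, 2);
    put32(0x20000104, 0);
    put32(0x20000108, 0);
    do_bpf("BPF_PROG_TEST_RUN #3", 0xaul, 0x200000c0, 0x50ul);

    return 0;
}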