// https://syzkaller.appspot.com/bug?id=13ac69aefa01798532cbc878f4e404a7d15139eb // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #define BITMASK(bf_off, bf_len) (((1ull << (bf_len)) - 1) << (bf_off)) #define STORE_BY_BITMASK(type, htobe, addr, val, bf_off, bf_len) \ *(type*)(addr) = \ htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | \ (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len)))) struct csum_inet { uint32_t acc; }; static void csum_inet_init(struct csum_inet* csum) { csum->acc = 0; } static void csum_inet_update(struct csum_inet* csum, const uint8_t* data, size_t length) { if (length == 0) return; size_t i = 0; for (; i < length - 1; i += 2) csum->acc += *(uint16_t*)&data[i]; if (length & 1) csum->acc += le16toh((uint16_t)data[length - 1]); while (csum->acc > 0xffff) csum->acc = (csum->acc & 0xffff) + (csum->acc >> 16); } static uint16_t csum_inet_digest(struct csum_inet* csum) { return ~csum->acc; } uint64_t r[3] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff}; int main(void) { syscall(__NR_mmap, /*addr=*/0x1ffffffff000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); syscall(__NR_mmap, /*addr=*/0x200000000000ul, /*len=*/0x1000000ul, /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); syscall(__NR_mmap, /*addr=*/0x200001000000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); const char* reason; (void)reason; intptr_t res = 0; if (write(1, "executing program\n", sizeof("executing program\n") - 1)) { } // socket arguments: [ // domain: socket_domain = 0x28 (8 bytes) // type: socket_type = 0x5 (8 bytes) // proto: int32 = 0x0 (4 bytes) // ] // returns sock res = syscall(__NR_socket, /*domain=AF_VSOCK*/ 0x28ul, /*type=SOCK_SEQPACKET*/ 5ul, /*proto=*/0); if (res != -1) r[0] = res; // bind$vsock_stream arguments: [ // fd: sock_vsock_stream (resource) // addr: ptr[in, sockaddr_vm] { // sockaddr_vm { // svm_family: const = 0x28 (2 bytes) // svm_reserved1: const = 0x0 (2 bytes) // svm_port: vmaddr_port = 0x0 (4 bytes) // svm_cid: union vmaddr_cid { // any: const = 0xffffffff (4 bytes) // } // svm_zero: const = 0x0 (4 bytes) // } // } // addrlen: len = 0x10 (8 bytes) // ] *(uint16_t*)0x200000000040 = 0x28; *(uint16_t*)0x200000000042 = 0; *(uint32_t*)0x200000000044 = 0; *(uint32_t*)0x200000000048 = -1; *(uint32_t*)0x20000000004c = 0; syscall(__NR_bind, /*fd=*/r[0], /*addr=*/0x200000000040ul, /*addrlen=*/0x10ul); // listen arguments: [ // fd: sock (resource) // backlog: int32 = 0x0 (4 bytes) // ] syscall(__NR_listen, /*fd=*/r[0], /*backlog=*/0); // socket arguments: [ // domain: socket_domain = 0x28 (8 bytes) // type: socket_type = 0x5 (8 bytes) // proto: int32 = 0x0 (4 bytes) // ] // returns sock res = syscall(__NR_socket, /*domain=AF_VSOCK*/ 0x28ul, /*type=SOCK_SEQPACKET*/ 5ul, /*proto=*/0); if (res != -1) r[1] = res; // connect$vsock_stream arguments: [ // fd: sock_vsock_stream (resource) // addr: ptr[in, sockaddr_vm] { // sockaddr_vm { // svm_family: const = 0x28 (2 bytes) // svm_reserved1: const = 0x0 (2 bytes) // svm_port: vmaddr_port = 0x0 (4 bytes) // svm_cid: union vmaddr_cid { // any: const = 0xffffffff (4 bytes) // } // svm_zero: const = 0x0 (4 bytes) // } // } // addrlen: len = 0x10 (8 bytes) // ] *(uint16_t*)0x200000000080 = 0x28; *(uint16_t*)0x200000000082 = 0; *(uint32_t*)0x200000000084 = 0; *(uint32_t*)0x200000000088 = -1; *(uint32_t*)0x20000000008c = 0; syscall(__NR_connect, /*fd=*/r[1], /*addr=*/0x200000000080ul, /*addrlen=*/0x10ul); // mmap arguments: [ // addr: VMA[0xfbe000] // len: len = 0xfbe000 (8 bytes) // prot: mmap_prot = 0x2 (8 bytes) // flags: mmap_flags = 0x31 (8 bytes) // fd: fd (resource) // offset: intptr = 0x0 (8 bytes) // ] syscall(__NR_mmap, /*addr=*/0x200000000000ul, /*len=*/0xfbe000ul, /*prot=PROT_WRITE*/ 2ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_SHARED*/ 0x31ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); // openat$tun arguments: [ // fd: const = 0xffffffffffffff9c (8 bytes) // file: ptr[in, buffer] { // buffer: {2f 64 65 76 2f 6e 65 74 2f 74 75 6e 00} (length 0xd) // } // flags: open_flags = 0x48241 (4 bytes) // mode: const = 0x0 (2 bytes) // ] // returns fd_tun memcpy((void*)0x200000000000, "/dev/net/tun\000", 13); res = syscall( __NR_openat, /*fd=*/0xffffffffffffff9cul, /*file=*/0x200000000000ul, /*flags=O_TRUNC|O_NOATIME|O_LARGEFILE|O_CREAT|O_WRONLY*/ 0x48241, /*mode=*/0); if (res != -1) r[2] = res; // ioctl$TUNSETIFF arguments: [ // fd: fd_tun (resource) // cmd: const = 0x400454ca (4 bytes) // arg: ptr[in, ifreq_dev_t[devnames, flags[tun_setiff_flags, int16]]] { // ifreq_dev_t[devnames, flags[tun_setiff_flags, int16]] { // ifr_ifrn: buffer: {73 79 7a 6b 61 6c 6c 65 72 31 00 00 00 00 00 00} // (length 0x10) elem: tun_setiff_flags = 0x6bf1c2d5adba8c32 (2 bytes) // pad = 0x0 (22 bytes) // } // } // ] memcpy((void*)0x2000000000c0, "syzkaller1\000\000\000\000\000\000", 16); *(uint16_t*)0x2000000000d0 = 0x8c32; syscall(__NR_ioctl, /*fd=*/r[2], /*cmd=*/0x400454ca, /*arg=*/0x2000000000c0ul); // write$tun arguments: [ // fd: fd_tun (resource) // buf: ptr[in, tun_buffer] { // tun_buffer { // pi: union optional[tun_pi] { // val: tun_pi { // flags: const = 0x0 (2 bytes) // proto: ether_types = 0x0 (2 bytes) // } // } // hdr: union optional[virtio_net_hdr] { // void: buffer: {} (length 0x0) // } // data: union tun_payload { // eth: eth_packet { // dst_mac: union mac_addr { // broadcast: buffer: {ff ff ff ff ff ff} (length 0x6) // } // src_mac: union mac_addr { // remote: mac_addr_t[const[0xbb, int8]] { // a0: buffer: {aa aa aa aa aa} (length 0x5) // a1: const = 0xbb (1 bytes) // } // } // vtag: union optional[vlan_tag] { // void: buffer: {} (length 0x0) // } // payload: eth_payload { // eth2: union eth2_packet { // ipv4: eth2_packet_t[ETH_P_IP, ipv4_packet] { // etype: const = 0x800 (2 bytes) // payload: union ipv4_packet { // udp: ipv4_packet_t[const[IPPROTO_UDP, int8], udp_packet] // { // header: ipv4_header[const[IPPROTO_UDP, int8]] { // ihl: bytesize4 = 0x5 (0 bytes) // version: const = 0x4 (1 bytes) // ecn: int8 = 0x0 (0 bytes) // dscp: int8 = 0x0 (1 bytes) // total_len: len = 0x452c (2 bytes) // id: int16be = 0x0 (2 bytes) // frag_off: int16be = 0x0 (2 bytes) // ttl: int8 = 0x0 (1 bytes) // protocol: const = 0x2f (1 bytes) // csum: csum = 0x0 (2 bytes) // src_ip: union ipv4_addr { // initdev: ipv4_addr_initdev { // a0: const = 0xac (1 bytes) // a1: const = 0x1e (1 bytes) // a2: int8 = 0x0 (1 bytes) // a3: proc = 0x0 (1 bytes) // } // } // dst_ip: union ipv4_addr { // multicast1: const = 0xe0000001 (4 bytes) // } // options: ipv4_options { // options: array[ipv4_option] { // } // } // } // payload: udp_packet { // src_port: int16be = 0x0 (2 bytes) // dst_port: int16be = 0x6558 (2 bytes) // length: len = 0x18 (2 bytes) // csum: csum = 0x0 (2 bytes) // payload: union udp_payload { // wg: union wg_packet { // data: message_data { // type: const = 0x4 (4 bytes) // key_idx: int32 = 0x0 (4 bytes) // counter: int64 = 0xffffdd86 (8 bytes) // encrypted_data: buffer: {} (length 0x0) // } // } // } // } // } // } // } // } // } // } // } // } // } // count: len = 0xfdef (8 bytes) // ] *(uint16_t*)0x200000000440 = 0; *(uint16_t*)0x200000000442 = htobe16(0); memset((void*)0x200000000444, 255, 6); memset((void*)0x20000000044a, 170, 5); *(uint8_t*)0x20000000044f = 0xbb; *(uint16_t*)0x200000000450 = htobe16(0x800); STORE_BY_BITMASK(uint8_t, , 0x200000000452, 5, 0, 4); STORE_BY_BITMASK(uint8_t, , 0x200000000452, 4, 4, 4); STORE_BY_BITMASK(uint8_t, , 0x200000000453, 0, 0, 2); STORE_BY_BITMASK(uint8_t, , 0x200000000453, 0, 2, 6); *(uint16_t*)0x200000000454 = htobe16(0x452c); *(uint16_t*)0x200000000456 = htobe16(0); *(uint16_t*)0x200000000458 = htobe16(0); *(uint8_t*)0x20000000045a = 0; *(uint8_t*)0x20000000045b = 0x2f; *(uint16_t*)0x20000000045c = htobe16(0); *(uint8_t*)0x20000000045e = 0xac; *(uint8_t*)0x20000000045f = 0x1e; *(uint8_t*)0x200000000460 = 0; *(uint8_t*)0x200000000461 = 1; *(uint32_t*)0x200000000462 = htobe32(0xe0000001); *(uint16_t*)0x200000000466 = htobe16(0); *(uint16_t*)0x200000000468 = htobe16(0x6558); *(uint16_t*)0x20000000046a = htobe16(0x18); *(uint16_t*)0x20000000046c = htobe16(0); *(uint32_t*)0x20000000046e = 4; *(uint32_t*)0x200000000472 = 0; *(uint64_t*)0x200000000476 = 0xffffdd86; struct csum_inet csum_1; csum_inet_init(&csum_1); csum_inet_update(&csum_1, (const uint8_t*)0x20000000045e, 4); csum_inet_update(&csum_1, (const uint8_t*)0x200000000462, 4); uint16_t csum_1_chunk_2 = 0x1100; csum_inet_update(&csum_1, (const uint8_t*)&csum_1_chunk_2, 2); uint16_t csum_1_chunk_3 = 0x1800; csum_inet_update(&csum_1, (const uint8_t*)&csum_1_chunk_3, 2); csum_inet_update(&csum_1, (const uint8_t*)0x200000000466, 24); *(uint16_t*)0x20000000046c = csum_inet_digest(&csum_1); struct csum_inet csum_2; csum_inet_init(&csum_2); csum_inet_update(&csum_2, (const uint8_t*)0x200000000452, 20); *(uint16_t*)0x20000000045c = csum_inet_digest(&csum_2); syscall(__NR_write, /*fd=*/r[2], /*buf=*/0x200000000440ul, /*count=*/0xfdeful); // setsockopt$sock_linger arguments: [ // fd: sock (resource) // level: const = 0x1 (4 bytes) // optname: const = 0x3c (4 bytes) // optval: ptr[in, linger] { // linger { // onoff: int32 = 0x1 (4 bytes) // linger: int32 = 0x5 (4 bytes) // } // } // optlen: len = 0x8 (8 bytes) // ] *(uint32_t*)0x200000000180 = 1; *(uint32_t*)0x200000000184 = 5; syscall(__NR_setsockopt, /*fd=*/r[1], /*level=*/1, /*optname=*/0x3c, /*optval=*/0x200000000180ul, /*optlen=*/8ul); // sendmmsg arguments: [ // fd: sock (resource) // mmsg: ptr[in, array[send_mmsghdr]] { // array[send_mmsghdr] { // send_mmsghdr { // msg_hdr: send_msghdr { // msg_name: nil // msg_namelen: len = 0x0 (4 bytes) // pad = 0x0 (4 bytes) // msg_iov: ptr[in, array[iovec[in, array[int8]]]] { // array[iovec[in, array[int8]]] { // iovec[in, array[int8]] { // addr: ptr[in, buffer] { // buffer: {1b} (length 0x1) // } // len: len = 0x40000 (8 bytes) // } // } // } // msg_iovlen: len = 0x11 (8 bytes) // msg_control: nil // msg_controllen: bytesize = 0x0 (8 bytes) // msg_flags: const = 0x0 (4 bytes) // pad = 0x0 (4 bytes) // } // msg_len: const = 0x0 (4 bytes) // pad = 0x0 (4 bytes) // } // } // } // vlen: len = 0x1 (8 bytes) // f: send_flags = 0x24008094 (8 bytes) // ] *(uint64_t*)0x200000000100 = 0; *(uint32_t*)0x200000000108 = 0; *(uint64_t*)0x200000000110 = 0x200000000200; *(uint64_t*)0x200000000200 = 0x200000000000; memset((void*)0x200000000000, 27, 1); *(uint64_t*)0x200000000208 = 0x40000; *(uint64_t*)0x200000000118 = 0x11; *(uint64_t*)0x200000000120 = 0; *(uint64_t*)0x200000000128 = 0; *(uint32_t*)0x200000000130 = 0; *(uint32_t*)0x200000000138 = 0; syscall( __NR_sendmmsg, /*fd=*/r[1], /*mmsg=*/0x200000000100ul, /*vlen=*/1ul, /*f=MSG_ZEROCOPY|MSG_FASTOPEN|MSG_PROBE|MSG_MORE|MSG_EOR|MSG_DONTROUTE*/ 0x24008094ul); return 0; }