// https://syzkaller.appspot.com/bug?id=7b960555c96033c67abee42d6eb6a95f24df8e99
// autogenerated by syzkaller (https://github.com/google/syzkaller)
#define _GNU_SOURCE
#include <endian.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>
#include <linux/genetlink.h>
#include <linux/netlink.h>
#define BITMASK(bf_off, bf_len) (((1ull << (bf_len)) - 1) << (bf_off))
#define STORE_BY_BITMASK(type, htobe, addr, val, bf_off, bf_len) \
*(type*)(addr) = \
htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | \
(((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len))))
static long syz_genetlink_get_family_id(volatile long name)
{
char buf[512] = {0};
struct nlmsghdr* hdr = (struct nlmsghdr*)buf;
struct genlmsghdr* genlhdr = (struct genlmsghdr*)NLMSG_DATA(hdr);
struct nlattr* attr = (struct nlattr*)(genlhdr + 1);
hdr->nlmsg_len =
sizeof(*hdr) + sizeof(*genlhdr) + sizeof(*attr) + GENL_NAMSIZ;
hdr->nlmsg_type = GENL_ID_CTRL;
hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
genlhdr->cmd = CTRL_CMD_GETFAMILY;
attr->nla_type = CTRL_ATTR_FAMILY_NAME;
attr->nla_len = sizeof(*attr) + GENL_NAMSIZ;
strncpy((char*)(attr + 1), (char*)name, GENL_NAMSIZ);
struct iovec iov = {hdr, hdr->nlmsg_len};
struct sockaddr_nl addr = {0};
addr.nl_family = AF_NETLINK;
int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC);
if (fd == -1) {
return -1;
}
struct msghdr msg = {&addr, sizeof(addr), &iov, 1, NULL, 0, 0};
if (sendmsg(fd, &msg, 0) == -1) {
close(fd);
return -1;
}
ssize_t n = recv(fd, buf, sizeof(buf), 0);
close(fd);
if (n <= 0) {
return -1;
}
if (hdr->nlmsg_type != GENL_ID_CTRL) {
return -1;
}
for (; (char*)attr < buf + n;
attr = (struct nlattr*)((char*)attr + NLMSG_ALIGN(attr->nla_len))) {
if (attr->nla_type == CTRL_ATTR_FAMILY_ID)
return *(uint16_t*)(attr + 1);
}
return -1;
}
uint64_t r[2] = {0xffffffffffffffff, 0x0};
int main(void)
{
syscall(__NR_mmap, 0x20000000ul, 0x1000000ul, 3ul, 0x32ul, -1, 0ul);
intptr_t res = 0;
res = syscall(__NR_socket, 0x10ul, 3ul, 0x10);
if (res != -1)
r[0] = res;
memcpy((void*)0x20000440, "ethtool\000", 8);
res = syz_genetlink_get_family_id(0x20000440);
if (res != -1)
r[1] = res;
*(uint64_t*)0x20006440 = 0;
*(uint32_t*)0x20006448 = 0;
*(uint64_t*)0x20006450 = 0x20006400;
*(uint64_t*)0x20006400 = 0x20000280;
*(uint32_t*)0x20000280 = 0x54;
*(uint16_t*)0x20000284 = r[1];
*(uint16_t*)0x20000286 = 0x301;
*(uint32_t*)0x20000288 = 0xfffffffc;
*(uint32_t*)0x2000028c = 0;
*(uint8_t*)0x20000290 = 6;
*(uint8_t*)0x20000291 = 0;
*(uint16_t*)0x20000292 = 0;
*(uint16_t*)0x20000294 = 0xc;
STORE_BY_BITMASK(uint16_t, , 0x20000296, 1, 0, 14);
STORE_BY_BITMASK(uint16_t, , 0x20000297, 0, 6, 1);
STORE_BY_BITMASK(uint16_t, , 0x20000297, 1, 7, 1);
*(uint16_t*)0x20000298 = 8;
*(uint16_t*)0x2000029a = 1;
*(uint32_t*)0x2000029c = 0;
*(uint16_t*)0x200002a0 = 0xc;
STORE_BY_BITMASK(uint16_t, , 0x200002a2, 1, 0, 14);
STORE_BY_BITMASK(uint16_t, , 0x200002a3, 0, 6, 1);
STORE_BY_BITMASK(uint16_t, , 0x200002a3, 1, 7, 1);
*(uint16_t*)0x200002a4 = 8;
*(uint16_t*)0x200002a6 = 1;
*(uint32_t*)0x200002a8 = 0;
*(uint16_t*)0x200002ac = 0x1c;
STORE_BY_BITMASK(uint16_t, , 0x200002ae, 1, 0, 14);
STORE_BY_BITMASK(uint16_t, , 0x200002af, 0, 6, 1);
STORE_BY_BITMASK(uint16_t, , 0x200002af, 1, 7, 1);
*(uint16_t*)0x200002b0 = 8;
*(uint16_t*)0x200002b2 = 3;
*(uint32_t*)0x200002b4 = 0;
*(uint16_t*)0x200002b8 = 8;
*(uint16_t*)0x200002ba = 1;
*(uint32_t*)0x200002bc = 0;
*(uint16_t*)0x200002c0 = 8;
*(uint16_t*)0x200002c2 = 3;
*(uint32_t*)0x200002c4 = 2;
*(uint16_t*)0x200002c8 = 0xc;
STORE_BY_BITMASK(uint16_t, , 0x200002ca, 1, 0, 14);
STORE_BY_BITMASK(uint16_t, , 0x200002cb, 0, 6, 1);
STORE_BY_BITMASK(uint16_t, , 0x200002cb, 1, 7, 1);
*(uint16_t*)0x200002cc = 8;
*(uint16_t*)0x200002ce = 3;
*(uint32_t*)0x200002d0 = 6;
*(uint64_t*)0x20006408 = 0x54;
*(uint64_t*)0x20006458 = 1;
*(uint64_t*)0x20006460 = 0;
*(uint64_t*)0x20006468 = 0;
*(uint32_t*)0x20006470 = 0;
syscall(__NR_sendmsg, r[0], 0x20006440ul, 0ul);
return 0;
}