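// https://syzkaller.appspot.com/bug?id=aa701901e3d35b0d99b97b626efe1b06274bf88d
// autogenerated by syzkaller (https://github.com/google/syzkaller)
//
// Kernel reproducer. Sequence: create an AF_UNIX datagram socket pair,
// sendmsg() a control message on one end, remap the page range that holds
// the receiver's control buffer with a protection that carries neither
// PROT_READ nor PROT_WRITE, then recvmsg() on the other end so the kernel's
// copy of the control data back to userspace is expected to fault.
//
// Every syscall, argument and fixed address is kept exactly as syzkaller
// emitted it: a reproducer must not "fix" the calls it makes. What was
// repaired here is only what extraction broke — the header names on the
// #include lines and the line structure (collapsed onto one line, the first
// `//` comment swallowed the rest of the program) — plus the unused
// `reason` local was dropped.

#define _GNU_SOURCE

#include <endian.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

// Fallback syscall numbers for a libc that does not define them; these
// values appear to follow the asm-generic (e.g. arm64) table.
#ifndef __NR_mmap
#define __NR_mmap 222
#endif
#ifndef __NR_recvmsg
#define __NR_recvmsg 212
#endif
#ifndef __NR_sendmsg
#define __NR_sendmsg 211
#endif
#ifndef __NR_socketpair
#define __NR_socketpair 199
#endif

// Resources produced by socketpair(): r[0] and r[1] are the two socket fds.
// Pre-set to (uint64_t)-1 so that a failed socketpair() leaves an invalid fd
// in the later calls instead of silently operating on fd 0.
uint64_t r[2] = {0xffffffffffffffff, 0xffffffffffffffff};

int main(void)
{
  // Scratch memory layout used by every later pointer argument:
  //   0x1ffff000  one page, prot 0 (inaccessible) - below the data area
  //   0x20000000  16 MiB, PROT_READ|PROT_WRITE|PROT_EXEC - all program data
  //   0x21000000  one page, prot 0 (inaccessible) - above the data area
  // MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE gives zero-filled pages, which the
  // comments on the control-message blob below rely on.
  syscall(__NR_mmap, /*addr=*/0x1ffff000ul, /*len=*/0x1000ul, /*prot=*/0ul,
          /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul,
          /*fd=*/(intptr_t)-1, /*offset=*/0ul);
  syscall(__NR_mmap, /*addr=*/0x20000000ul, /*len=*/0x1000000ul,
          /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul,
          /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul,
          /*fd=*/(intptr_t)-1, /*offset=*/0ul);
  syscall(__NR_mmap, /*addr=*/0x21000000ul, /*len=*/0x1000ul, /*prot=*/0ul,
          /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul,
          /*fd=*/(intptr_t)-1, /*offset=*/0ul);

  intptr_t res = 0;

  // Progress marker for the syzkaller harness. The empty `if` body is
  // syzkaller's way of consuming write()'s warn_unused_result return value.
  if (write(1, "executing program\n", sizeof("executing program\n") - 1)) {
  }

  // socketpair$unix arguments: [
  //   domain: const = 0x1 (8 bytes)
  //   type: unix_socket_type = 0x2 (8 bytes)
  //   proto: const = 0x0 (4 bytes)
  //   fds: ptr[out, unix_pair] {
  //     unix_pair {
  //       fd0: sock_unix (resource)
  //       fd1: sock_unix (resource)
  //     }
  //   }
  // ]
  // The kernel writes the two fds as int[2] at 0x20000000; they are widened
  // into r[] only when the call succeeded, otherwise r[] keeps its -1 marker.
  res = syscall(__NR_socketpair, /*domain=*/1ul, /*type=SOCK_DGRAM*/ 2ul,
                /*proto=*/0, /*fds=*/0x20000000ul);
  if (res != -1) {
    r[0] = *(uint32_t*)0x20000000;
    r[1] = *(uint32_t*)0x20000004;
  }

  // sendmsg$unix arguments: [
  //   fd: sock_unix (resource)
  //   msg: ptr[in, send_msghdr_un] {
  //     send_msghdr_un {
  //       addr: nil
  //       addrlen: len = 0x0 (4 bytes)
  //       pad = 0x0 (4 bytes)
  //       vec: nil
  //       vlen: len = 0x0 (8 bytes)
  //       ctrl: ptr[inout, array[ANYUNION]] {
  //         array[ANYUNION] {
  //           union ANYUNION {
  //             ANYBLOB: buffer: {14 00 00 00 00 00 00 00 01 00 00 00 01}
  //             (length 0xd)
  //           }
  //         }
  //       }
  //       ctrllen: bytesize = 0x18 (8 bytes)
  //       f: send_flags = 0x4 (4 bytes)
  //       pad = 0x0 (4 bytes)
  //     }
  //   }
  //   f: send_flags = 0x24040884 (8 bytes)
  // ]
  // The stores below fill a 64-bit struct msghdr at 0x20000900 field by
  // field: msg_name @+0x00, msg_namelen @+0x08, msg_iov @+0x10,
  // msg_iovlen @+0x18, msg_control @+0x20, msg_controllen @+0x28,
  // msg_flags @+0x30. No iovec: the message carries control data only.
  *(uint64_t*)0x20000900 = 0;
  *(uint32_t*)0x20000908 = 0;
  *(uint64_t*)0x20000910 = 0;
  *(uint64_t*)0x20000918 = 0;
  *(uint64_t*)0x20000920 = 0x200008c0;
  // Only 13 of the 24 control bytes are written; the remaining bytes are
  // the zero fill of the anonymous mapping. Read as a 64-bit cmsghdr this is
  // cmsg_len = 0x14 (16-byte header + 4 bytes of payload), cmsg_level = 1
  // and cmsg_type = 1, i.e. on Linux SOL_SOCKET/SCM_RIGHTS with a single
  // fd of value 0 (the zero-filled payload) - confirm against the kernel
  // headers of the target before relying on that reading.
  memcpy((void*)0x200008c0,
         "\x14\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x01", 13);
  *(uint64_t*)0x20000928 = 0x18;
  *(uint32_t*)0x20000930 = 4;
  syscall(__NR_sendmsg, /*fd=*/r[1], /*msg=*/0x20000900ul,
          /*f=MSG_ZEROCOPY|MSG_FASTOPEN|MSG_BATCH|MSG_EOR|MSG_DONTROUTE|MSG_CONFIRM*/
          0x24040884ul);

  // mmap arguments: [
  //   addr: VMA[0x3000]
  //   len: len = 0x3000 (8 bytes)
  //   prot: mmap_prot = 0x8 (8 bytes)
  //   flags: mmap_flags = 0x5031 (8 bytes)
  //   fd: fd (resource)
  //   offset: intptr = 0xc2dcc000 (8 bytes)
  // ]
  // Replaces the first three pages of the data area (0x20000000-0x20002fff)
  // with fresh anonymous pages whose protection is PROT_SEM only - neither
  // readable nor writable from userspace. The msghdr used by sendmsg() above
  // lived in that range, but that call has already returned. The recvmsg()
  // control buffer chosen below (0x20002f80, 0x69 bytes) lies inside this
  // range, while its msghdr at 0x20003000 is the first page past it and
  // stays RW. The offset is page-aligned but has no file to index here
  // (MAP_ANONYMOUS); presumably ignored by the kernel - verify.
  syscall(__NR_mmap, /*addr=*/0x20000000ul, /*len=*/0x3000ul,
          /*prot=PROT_SEM*/ 8ul,
          /*flags=MAP_NORESERVE|MAP_FIXED|MAP_EXECUTABLE|MAP_ANONYMOUS|0x1*/
          0x5031ul, /*fd=*/(intptr_t)-1, /*offset=*/0xc2dcc000ul);

  // recvmsg arguments: [
  //   fd: sock (resource)
  //   msg: ptr[inout, recv_msghdr] {
  //     recv_msghdr {
  //       msg_name: nil
  //       msg_namelen: len = 0x0 (4 bytes)
  //       pad = 0x0 (4 bytes)
  //       msg_iov: nil
  //       msg_iovlen: len = 0x0 (8 bytes)
  //       msg_control: ptr[out, buffer] {
  //         buffer: (DirOut)
  //       }
  //       msg_controllen: bytesize = 0x69 (8 bytes)
  //       msg_flags: const = 0x0 (4 bytes)
  //       pad = 0x0 (4 bytes)
  //     }
  //   }
  //   f: recv_flags = 0x302 (8 bytes)
  // ]
  // Same msghdr layout as above, this time at 0x20003000. MSG_PEEK keeps the
  // datagram (and anything it carries) queued on the socket after the call.
  // The trailing 0 is an extra argument the syscall does not consume.
  *(uint64_t*)0x20003000 = 0;
  *(uint32_t*)0x20003008 = 0;
  *(uint64_t*)0x20003010 = 0;
  *(uint64_t*)0x20003018 = 0;
  *(uint64_t*)0x20003020 = 0x20002f80;
  *(uint64_t*)0x20003028 = 0x69;
  *(uint32_t*)0x20003030 = 0;
  syscall(__NR_recvmsg, /*fd=*/r[0], /*msg=*/0x20003000ul,
          /*f=MSG_WAITALL|MSG_PEEK|0x200*/ 0x302ul, 0);

  return 0;
}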