// divide error in ___bpf_prog_run
// https://syzkaller.appspot.com/bug?id=f698e37dae8c3eda978622cbd7747f61259c9d3a
// status:fixed
// autogenerated by syzkaller (http://github.com/google/syzkaller)
#define _GNU_SOURCE
#include <endian.h>
#include <stdint.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>
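// Mask covering the low bf_len bits of `type`. bf_len must be below 64:
// 1ull << 64 is undefined behaviour, and the generated callers only use
// widths of a few bits.
#define BITMASK_LEN(type, bf_len) (type)((1ull << (bf_len)) - 1)
// The same mask moved up so that it starts at bit bf_off.
#define BITMASK_LEN_OFF(type, bf_off, bf_len) \
(type)(BITMASK_LEN(type, (bf_len)) << (bf_off))
// Store `val` into the bit-field of width bf_len at bit offset bf_off of the
// `type` object at `addr`, leaving the other bits of that object untouched.
// Width 0 at offset 0 is the special case "store the whole object".
// Wrapped in do { ... } while (0) so the expansion is exactly one statement:
// the bare if/else of the original expansion could bind to an enclosing
// unbraced `if` (dangling else) or break an `if (...) MACRO; else ...` caller.
#define STORE_BY_BITMASK(type, addr, val, bf_off, bf_len) \
do { \
if ((bf_off) == 0 && (bf_len) == 0) { \
*(type*)(addr) = (type)(val); \
} else { \
type new_val = *(type*)(addr); \
new_val &= ~BITMASK_LEN_OFF(type, (bf_off), (bf_len)); \
new_val |= ((type)(val)&BITMASK_LEN(type, (bf_len))) << (bf_off); \
*(type*)(addr) = new_val; \
} \
} while (0)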
#ifndef __NR_bpf
#define __NR_bpf 321
#endif
// Syscall results recorded by loop(): r[0] holds the bpf() return value (a
// program fd on success, -1 on failure) and r[1] the netlink socket fd.
// loop() resets both entries to -1 (memset with 0xff bytes) before use.
long r[2];
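// Body of the generated reproducer for the "divide error in ___bpf_prog_run"
// report named in the file header (marked fixed there).
// Every step writes raw bytes at fixed addresses inside one MAP_FIXED region
// and issues syscalls without looking at their results. The missing error
// handling is a property of generated reproducers, not an oversight to patch:
// a failing step simply changes what the later steps see (for instance
// r[0] == -1 after a failed bpf() makes the SO_ATTACH_BPF step fail as well).
// Numeric constants are decoded for x86_64 Linux; confirm against the uapi
// headers of the kernel under test before relying on the names given here.
// Only the declaration was changed to a proper prototype (`void loop(void)`);
// the statement sequence is kept byte-for-byte, because the crash depends on
// the exact bytes that end up in memory.
void loop(void)
{
// r[] = {-1, -1}: memset with 0xff bytes yields -1 for each long.
memset(r, -1, sizeof(r));
// Map 0xfff000 bytes at 0x20000000 (prot 3 = PROT_READ|PROT_WRITE, flags
// 0x32 = MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, fd -1). Every raw pointer store
// below lands in this region, which starts out zero-filled.
syscall(__NR_mmap, 0x20000000, 0xfff000, 3, 0x32, -1, 0);
// Phase 1: build a getsockopt argument (a 0x1c-byte buffer at 0x20781000
// pointing at 0x20519fa8, its length word at 0x20f91ffc) and call it on fd -1.
// The call itself is expected to fail with EBADF; the lasting effect is the
// bytes this program stores at 0x20519fa8..0x20519fc3, part of which
// (0x20519fc0 = 0x9c) phase 2 never overwrites and which therefore become part
// of the BPF program loaded below. NOTE(review): the bytes at 0x20519fa8 look
// like a sockaddr_in6 (family 0xa); that is only the shape, not verified.
*(uint32_t*)0x20781000 = 0;
*(uint32_t*)0x20781004 = 0x1c;
*(uint64_t*)0x20781008 = 0x20519fa8;
*(uint16_t*)0x20519fa8 = 0xa;
*(uint16_t*)0x20519faa = 0;
*(uint32_t*)0x20519fac = 0;
*(uint8_t*)0x20519fb0 = 0xfe;
*(uint8_t*)0x20519fb1 = 0x80;
*(uint8_t*)0x20519fb2 = 0;
*(uint8_t*)0x20519fb3 = 0;
*(uint8_t*)0x20519fb4 = 0;
*(uint8_t*)0x20519fb5 = 0;
*(uint8_t*)0x20519fb6 = 0;
*(uint8_t*)0x20519fb7 = 0;
*(uint8_t*)0x20519fb8 = 0;
*(uint8_t*)0x20519fb9 = 0;
*(uint8_t*)0x20519fba = 0;
*(uint8_t*)0x20519fbb = 0;
*(uint8_t*)0x20519fbc = 0;
*(uint8_t*)0x20519fbd = 0;
*(uint8_t*)0x20519fbe = 0;
*(uint8_t*)0x20519fbf = 0xaa;
// This word is the only part of 0x20519fc0..0x20519fc7 ever written; phase 2
// leaves it in place, so it forms the 4th BPF instruction (index 3) below.
*(uint32_t*)0x20519fc0 = 0x9c;
*(uint32_t*)0x20f91ffc = 0x10;
syscall(__NR_getsockopt, -1, 0x84, 0x6f, 0x20781000, 0x20f91ffc);
// Phase 2: a 0x48-byte union bpf_attr for BPF_PROG_LOAD at 0x20b70000.
// Read with the x86_64 bpf_attr layout: prog_type 1, insn_cnt 5,
// insns -> 0x20519fa8, license -> 0x20ce4ff6, log_level 1, log_size 0x1000,
// log_buf -> 0x204bb000, then zeroed kern_version, prog_flags, prog_name[16]
// and prog_ifindex. Field names are from the uapi header, not from this
// file — confirm against the kernel version under test.
*(uint32_t*)0x20b70000 = 1;
*(uint32_t*)0x20b70004 = 5;
*(uint64_t*)0x20b70008 = 0x20519fa8;
*(uint64_t*)0x20b70010 = 0x20ce4ff6;
*(uint32_t*)0x20b70018 = 1;
*(uint32_t*)0x20b7001c = 0x1000;
*(uint64_t*)0x20b70020 = 0x204bb000;
*(uint32_t*)0x20b70028 = 0;
*(uint32_t*)0x20b7002c = 0;
*(uint8_t*)0x20b70030 = 0;
*(uint8_t*)0x20b70031 = 0;
*(uint8_t*)0x20b70032 = 0;
*(uint8_t*)0x20b70033 = 0;
*(uint8_t*)0x20b70034 = 0;
*(uint8_t*)0x20b70035 = 0;
*(uint8_t*)0x20b70036 = 0;
*(uint8_t*)0x20b70037 = 0;
*(uint8_t*)0x20b70038 = 0;
*(uint8_t*)0x20b70039 = 0;
*(uint8_t*)0x20b7003a = 0;
*(uint8_t*)0x20b7003b = 0;
*(uint8_t*)0x20b7003c = 0;
*(uint8_t*)0x20b7003d = 0;
*(uint8_t*)0x20b7003e = 0;
*(uint8_t*)0x20b7003f = 0;
*(uint32_t*)0x20b70040 = 0;
// The program: insn_cnt 5 means five 8-byte instructions covering
// 0x20519fa8..0x20519fcf. This phase writes slots 0-2 (0x20519fa8..0x20519fbf)
// and slot 4 (0x20519fc8..0x20519fcf); slot 3 (0x20519fc0..0x20519fc7) keeps
// 0x9c from phase 1 plus zeros from the mapping, so the loaded program is only
// complete when both phases run in this order. The STORE_BY_BITMASK calls pack
// the sub-byte fields of an instruction (presumably the 4-bit register
// nibbles and the 3/2/3-bit split of the opcode byte — check against the BPF
// instruction encoding rather than trusting this comment).
*(uint8_t*)0x20519fa8 = 0x18;
STORE_BY_BITMASK(uint8_t, 0x20519fa9, 0, 0, 4);
STORE_BY_BITMASK(uint8_t, 0x20519fa9, 0, 4, 4);
*(uint16_t*)0x20519faa = 0;
*(uint32_t*)0x20519fac = 0;
*(uint8_t*)0x20519fb0 = 0;
*(uint8_t*)0x20519fb1 = 0;
*(uint16_t*)0x20519fb2 = 0;
*(uint32_t*)0x20519fb4 = 0xfffffffe;
STORE_BY_BITMASK(uint8_t, 0x20519fb8, 2, 0, 3);
STORE_BY_BITMASK(uint8_t, 0x20519fb8, 0, 3, 2);
STORE_BY_BITMASK(uint8_t, 0x20519fb8, 0xb, 5, 3);
STORE_BY_BITMASK(uint8_t, 0x20519fb9, 0x7a, 0, 4);
STORE_BY_BITMASK(uint8_t, 0x20519fb9, 0, 4, 4);
*(uint16_t*)0x20519fba = 0xff70;
*(uint32_t*)0x20519fbc = 0xfffffffc;
*(uint8_t*)0x20519fc8 = 0x95;
*(uint8_t*)0x20519fc9 = 0;
*(uint16_t*)0x20519fca = 0;
*(uint32_t*)0x20519fcc = 0;
// License string referenced by the attr above; 10 bytes copies the NUL too.
memcpy((void*)0x20ce4ff6, "syzkaller", 10);
// bpf(BPF_PROG_LOAD = 5, attr, 0x48). r[0] is the program fd, or -1 with no
// further check.
r[0] = syscall(__NR_bpf, 5, 0x20b70000, 0x48);
// socket(AF_NETLINK = 0x10, SOCK_RAW = 3, NETLINK_ROUTE = 0).
r[1] = syscall(__NR_socket, 0x10, 3, 0);
// setsockopt(r[1], SOL_SOCKET = 1, SO_ATTACH_BPF = 50 (0x32), &r[0], 4):
// attaches the loaded program as the socket filter of the netlink socket.
*(uint32_t*)0x204aeffc = r[0];
syscall(__NR_setsockopt, r[1], 1, 0x32, 0x204aeffc, 4);
// Write a 38-byte message to the netlink socket. Its first word (0x26 = 38)
// matches the write length, as a netlink header's nlmsg_len would. Presumably
// the kernel's reply is what the attached filter then runs on — that is the
// point at which the reported crash would be reached; not verified here.
memcpy((void*)0x20fd3000, "\x26\x00\x00\x00\x5e\x00\x09\x00\x00\x00\xea\xf8"
"\x3a\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00"
"\xff\xff\xff\x00\x00\x08\xdb\x1e\xe9\xff\x44\x35"
"\xea\xde",
38);
syscall(__NR_write, r[1], 0x20fd3000, 0x26);
}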
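// Entry point: the generated reproducer runs its syscall sequence exactly
// once and exits 0 regardless of what the kernel did. Declared with a proper
// prototype (`int main(void)`) instead of the old-style empty parameter list.
int main(void)
{
loop();
return 0;
}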