// KASAN: wild-memory-access Read in skb_copy_ubufs
// https://syzkaller.appspot.com/bug?id=88def480f8ec3781fb39b776b256fbb75b9e97d4
// status:fixed
// autogenerated by syzkaller (http://github.com/google/syzkaller)
#ifndef __NR_bpf
#define __NR_bpf 321
#endif
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <errno.h>
#include <errno.h>
#include <fcntl.h>
#include <linux/if.h>
#include <linux/if_ether.h>
#include <linux/if_tun.h>
#include <linux/ip.h>
#include <linux/tcp.h>
#include <net/if_arp.h>
#include <pthread.h>
#include <signal.h>
#include <stdarg.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdio.h>
#include <stdlib.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/prctl.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/time.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>
// Process exit statuses used by fail()/exitf(): kFailStatus marks a hard
// failure, kRetryStatus one the harness may retry (fail() picks it for
// ENOMEM/EAGAIN, exitf() always uses it).
const int kFailStatus = 67;
const int kRetryStatus = 69;
// Terminates the whole process (every thread) via exit_group(2) with `status`.
// Declared noreturn: should the syscall ever come back, the loop below spins
// forever so control cannot fall off the end; the counter is volatile,
// presumably so the optimizer cannot drop the loop as side-effect free.
__attribute__((noreturn)) static void doexit(int status)
{
volatile unsigned i;
syscall(__NR_exit_group, status);
for (i = 0;; i++) {
}
}
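// Reports a fatal error on stderr and exits the process.
//
// `msg` is a printf-style format string; the variadic arguments follow it.
// errno is captured before fflush/vfprintf so the value reported is the one
// left by the failing call, not one clobbered by stdio. The exit status is
// kRetryStatus for ENOMEM/EAGAIN (transient resource exhaustion the harness
// may retry) and kFailStatus for everything else. Never returns.
//
// The format attribute makes the compiler check every call site's format
// string against its arguments (-Wformat); without it the wrapper hides the
// underlying vfprintf from that check.
__attribute__((noreturn, format(printf, 1, 2))) static void fail(const char* msg, ...)
{
	int e = errno;
	fflush(stdout);
	va_list args;
	va_start(args, msg);
	vfprintf(stderr, msg, args);
	va_end(args);
	fprintf(stderr, " (errno %d)\n", e);
	// Only allocation/temporary-resource failures are worth a retry.
	doexit((e == ENOMEM || e == EAGAIN) ? kRetryStatus : kFailStatus);
}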
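// Like fail(), but always exits with kRetryStatus: the caller is signalling
// a condition the harness should retry rather than a hard failure.
//
// `msg` is a printf-style format string followed by its arguments. errno is
// saved before any stdio call so the reported value is the original one.
// Never returns. The format attribute enables -Wformat checking of callers.
__attribute__((noreturn, format(printf, 1, 2))) static void exitf(const char* msg, ...)
{
	int e = errno;
	fflush(stdout);
	va_list args;
	va_start(args, msg);
	vfprintf(stderr, msg, args);
	va_end(args);
	fprintf(stderr, " (errno %d)\n", e);
	doexit(kRetryStatus);
}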
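// Value of `type` with the low `bf_len` bits set. The shift is evaluated in
// unsigned long long, so bf_len must be below 64.
#define BITMASK_LEN(type, bf_len) ((type)((1ull << (bf_len)) - 1))
// The same mask moved up to start at bit `bf_off`.
#define BITMASK_LEN_OFF(type, bf_off, bf_len) \
	((type)(BITMASK_LEN(type, (bf_len)) << (bf_off)))
// Stores `val` into the bit-field of width `bf_len` at bit offset `bf_off`
// of the `type`-sized object at `addr`, leaving all other bits untouched.
// bf_off == 0 && bf_len == 0 means "the whole object": `val` is stored as is.
// The body is wrapped in do { } while (0) so the macro is one statement: the
// former bare if/else form ended at the call-site semicolon, so a use such as
// `if (c) STORE_BY_BITMASK(...); else ...` did not compile.
#define STORE_BY_BITMASK(type, addr, val, bf_off, bf_len) \
	do { \
		if ((bf_off) == 0 && (bf_len) == 0) { \
			*(type*)(addr) = (type)(val); \
		} else { \
			type bm_cur = *(type*)(addr); \
			bm_cur &= ~BITMASK_LEN_OFF(type, (bf_off), (bf_len)); \
			bm_cur |= ((type)(val) & BITMASK_LEN(type, (bf_len))) << (bf_off); \
			*(type*)(addr) = bm_cur; \
		} \
	} while (0)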
// Formats `args` per `format` into `str` (capacity `size` bytes) and aborts
// the process through fail() if formatting fails or the result would not
// fit. On return `str` holds the complete NUL-terminated string.
static void vsnprintf_check(char* str, size_t size, const char* format,
va_list args)
{
	int written = vsnprintf(str, size, format, args);
	// Success: a non-negative length that left room for the terminator.
	if (written >= 0 && (size_t)written < size)
		return;
	if (written < 0)
		fail("tun: snprintf failed");
	// vsnprintf always terminates `str`, so the truncated prefix is safe to print.
	fail("tun: string '%s...' doesn't fit into buffer", str);
}
// Variadic front end for vsnprintf_check(): formats into `str` (capacity
// `size`) and aborts via fail() on error or truncation.
static void snprintf_check(char* str, size_t size, const char* format,
...)
{
	va_list ap;
	va_start(ap, format);
	vsnprintf_check(str, size, format, ap);
	va_end(ap);
}
#define COMMAND_MAX_LEN 128
// Builds a shell command from `format` and its arguments (at most
// COMMAND_MAX_LEN-1 characters, enforced by vsnprintf_check) and runs it via
// system(3). Any non-zero result, including system() failing outright, is
// fatal through fail(). Every caller in this file passes a literal format
// and values generated here from fixed templates and a bounded integer id,
// so no external input reaches the shell.
static void execute_command(const char* format, ...)
{
	char cmd[COMMAND_MAX_LEN];
	va_list ap;
	va_start(ap, format);
	vsnprintf_check(cmd, sizeof(cmd), format, ap);
	va_end(ap);
	int status = system(cmd);
	if (status != 0)
		fail("tun: command \"%s\" failed with code %d", &cmd[0], status);
}
// Descriptor of the TAP device opened by initialize_tun(); stays -1 until
// then, which makes syz_emit_ethernet() return (uintptr_t)-1 without writing.
static int tunfd = -1;
// Size of the scratch buffer flush_tun() drains packets into.
#define SYZ_TUN_MAX_PACKET_SIZE 1000
// Executor ids run 0..MAX_PIDS-1; each gets its own interface and addresses.
#define MAX_PIDS 32
// Capacity of the per-executor address strings built in initialize_tun().
#define ADDR_MAX_LEN 32
// Address templates; the single conversion in each is the executor id.
#define LOCAL_MAC "aa:aa:aa:aa:aa:%02hx"
#define REMOTE_MAC "bb:bb:bb:bb:bb:%02hx"
#define LOCAL_IPV4 "172.20.%d.170"
#define REMOTE_IPV4 "172.20.%d.187"
#define LOCAL_IPV6 "fe80::%02hxaa"
#define REMOTE_IPV6 "fe80::%02hxbb"
// Creates and configures the TAP interface for executor `pid`.
//
// Opens /dev/net/tun non-blocking, attaches a TAP device named "syz<pid>"
// (IFF_NO_PI: no packet-info header) and stores its fd in the file-scope
// `tunfd`. Then, through `sysctl`/`ip`, assigns the executor's MAC, IPv4 and
// IPv6 addresses, adds permanent neighbour entries for the remote side and
// brings the link up. Every string interpolated into those commands comes
// from a fixed template plus the bounded integer id. Aborts via fail() on
// any error; `pid` must be below MAX_PIDS.
static void initialize_tun(uint64_t pid)
{
	if (pid >= MAX_PIDS)
		fail("tun: no more than %d executors", MAX_PIDS);
	int id = (int)pid;

	tunfd = open("/dev/net/tun", O_RDWR | O_NONBLOCK);
	if (tunfd == -1)
		fail("tun: can't open /dev/net/tun");

	char iface[IFNAMSIZ];
	snprintf_check(iface, sizeof(iface), "syz%d", id);
	struct ifreq ifr;
	memset(&ifr, 0, sizeof(ifr));
	// `iface` is known to fit (snprintf_check), so this always terminates.
	snprintf(ifr.ifr_name, sizeof(ifr.ifr_name), "%s", iface);
	ifr.ifr_flags = IFF_TAP | IFF_NO_PI;
	if (ioctl(tunfd, TUNSETIFF, (void*)&ifr) < 0)
		fail("tun: ioctl(TUNSETIFF) failed");

	char local_mac[ADDR_MAX_LEN], remote_mac[ADDR_MAX_LEN];
	char local_ipv4[ADDR_MAX_LEN], remote_ipv4[ADDR_MAX_LEN];
	char local_ipv6[ADDR_MAX_LEN], remote_ipv6[ADDR_MAX_LEN];
	snprintf_check(local_mac, sizeof(local_mac), LOCAL_MAC, id);
	snprintf_check(remote_mac, sizeof(remote_mac), REMOTE_MAC, id);
	snprintf_check(local_ipv4, sizeof(local_ipv4), LOCAL_IPV4, id);
	snprintf_check(remote_ipv4, sizeof(remote_ipv4), REMOTE_IPV4, id);
	snprintf_check(local_ipv6, sizeof(local_ipv6), LOCAL_IPV6, id);
	snprintf_check(remote_ipv6, sizeof(remote_ipv6), REMOTE_IPV6, id);

	// Disable DAD and router solicitations so the link is usable immediately.
	execute_command("sysctl -w net.ipv6.conf.%s.accept_dad=0", iface);
	execute_command("sysctl -w net.ipv6.conf.%s.router_solicitations=0",
	                iface);
	execute_command("ip link set dev %s address %s", iface, local_mac);
	execute_command("ip addr add %s/24 dev %s", local_ipv4, iface);
	execute_command("ip -6 addr add %s/120 dev %s", local_ipv6, iface);
	// Static neighbour entries: no ARP/NDP round trip for the remote side.
	execute_command("ip neigh add %s lladdr %s dev %s nud permanent",
	                remote_ipv4, remote_mac, iface);
	execute_command("ip -6 neigh add %s lladdr %s dev %s nud permanent",
	                remote_ipv6, remote_mac, iface);
	execute_command("ip link set dev %s up", iface);
}
// Sets up the TAP interface for executor `pid` when `enable_tun` is set;
// otherwise does nothing and leaves tunfd at -1.
static void setup_tun(uint64_t pid, bool enable_tun)
{
	if (!enable_tun)
		return;
	initialize_tun(pid);
}
// Reads one packet from the TAP device into `data` (up to `size` bytes).
// Returns the byte count, or -1 when no packet is pending (EAGAIN on the
// non-blocking fd). Any other read error is fatal via fail().
static int read_tun(char* data, int size)
{
	int got = (int)read(tunfd, data, (size_t)size);
	if (got >= 0)
		return got;
	if (errno != EAGAIN)
		fail("tun: read failed with %d, errno: %d", got, errno);
	return -1;
}
// Pseudo-syscall: writes the `a0`-byte frame at address `a1` to the TAP
// device. Returns (uintptr_t)-1 when no device is open, otherwise write(2)'s
// result converted to uintptr_t (so -1 on error as well).
static uintptr_t syz_emit_ethernet(uintptr_t a0, uintptr_t a1)
{
	if (tunfd < 0)
		return (uintptr_t)-1;
	const char* frame = (const char*)a1;
	size_t len = (size_t)(int64_t)a0;
	return (uintptr_t)write(tunfd, frame, len);
}
// Discards every packet currently queued on the TAP device, stopping at the
// first read that reports nothing pending.
static void flush_tun()
{
	char scratch[SYZ_TUN_MAX_PACKET_SIZE];
	for (;;) {
		if (read_tun(scratch, sizeof(scratch)) == -1)
			break;
	}
}
// Monotonic clock reading in milliseconds (CLOCK_MONOTONIC, so unaffected
// by wall-clock changes). Fatal via fail() if clock_gettime fails.
static uint64_t current_time_ms()
{
	struct timespec now;
	if (clock_gettime(CLOCK_MONOTONIC, &now) != 0)
		fail("clock_gettime failed");
	uint64_t ms = (uint64_t)now.tv_sec * 1000;
	ms += (uint64_t)now.tv_nsec / 1000000;
	return ms;
}
static void test();
// Waits for child `pid`, polling every 1ms with WNOHANG. If it has not exited
// after 5 seconds, SIGKILLs its process group (the child put itself in its
// own group via setpgrp()) and the child itself, then reaps it blocking.
// waitpid(-1, ...) may also reap other children; those results are ignored.
static void reap_child(int pid)
{
	int status = 0;
	uint64_t started = current_time_ms();
	for (;;) {
		if (waitpid(-1, &status, __WALL | WNOHANG) == pid)
			return;
		usleep(1000);
		if (current_time_ms() - started <= 5 * 1000)
			continue;
		kill(-pid, SIGKILL);
		kill(pid, SIGKILL);
		while (waitpid(-1, &status, __WALL) != pid) {
		}
		return;
	}
}

// Runs test() forever, once per forked child. Each child asks to be killed
// when the parent dies, moves to its own process group, drains stale TAP
// packets, runs one test() and exits; the parent waits with a 5s timeout.
// Never returns; a failed fork is fatal via fail().
void loop()
{
	for (;;) {
		int pid = fork();
		if (pid < 0)
			fail("clone failed");
		if (pid == 0) {
			prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
			setpgrp();
			flush_tun();
			test();
			doexit(0);
		}
		reap_child(pid);
	}
}
// Result slot for every program step, indexed by syzkaller's argument slot
// number; test() resets all bytes to -1 before starting the threads.
long r[323];
// One step of the autogenerated syzkaller program. `arg` (cast to long)
// selects the step; each case fills in the syscall's argument memory at fixed
// addresses inside the region mmap'ed by step 0 (base 0x20000000, length
// 0xfff000) and records the syscall's return value in r[]. Later steps read
// earlier results from r[] (r[73], r[78], r[208], r[210], r[218], r[239]) as
// descriptors or option values, so they depend on the earlier step having run
// first in the same process.
// NOTE(review): r[] is read and written by concurrent threads with no
// synchronization, and the fixed-address stores fault unless step 0's mmap
// already succeeded in this process. Both look intentional: test() starts
// every step twice with random delays, i.e. the steps are raced on purpose.
void* thr(void* arg)
{
switch ((long)arg) {
case 0:
r[0] = syscall(__NR_mmap, 0x20000000ul, 0xfff000ul, 0x3ul, 0x32ul,
0xfffffffffffffffful, 0x0ul);
break;
case 1:
*(uint32_t*)0x2001d000 = (uint32_t)0x0;
*(uint32_t*)0x2001d004 = (uint32_t)0x78;
*(uint8_t*)0x2001d008 = (uint8_t)0x0;
*(uint8_t*)0x2001d009 = (uint8_t)0x0;
*(uint8_t*)0x2001d00a = (uint8_t)0x0;
*(uint8_t*)0x2001d00b = (uint8_t)0x0;
*(uint32_t*)0x2001d00c = (uint32_t)0x0;
*(uint64_t*)0x2001d010 = (uint64_t)0x0;
*(uint64_t*)0x2001d018 = (uint64_t)0x0;
*(uint64_t*)0x2001d020 = (uint64_t)0x0;
*(uint8_t*)0x2001d028 = (uint8_t)0x0;
*(uint8_t*)0x2001d029 = (uint8_t)0x0;
*(uint8_t*)0x2001d02a = (uint8_t)0x0;
*(uint8_t*)0x2001d02b = (uint8_t)0x0;
*(uint32_t*)0x2001d02c = (uint32_t)0x0;
*(uint32_t*)0x2001d030 = (uint32_t)0x0;
*(uint32_t*)0x2001d034 = (uint32_t)0x0;
*(uint64_t*)0x2001d038 = (uint64_t)0x0;
*(uint64_t*)0x2001d040 = (uint64_t)0x0;
*(uint64_t*)0x2001d048 = (uint64_t)0x0;
*(uint64_t*)0x2001d050 = (uint64_t)0x0;
*(uint64_t*)0x2001d058 = (uint64_t)0x0;
*(uint32_t*)0x2001d060 = (uint32_t)0x0;
*(uint64_t*)0x2001d068 = (uint64_t)0x0;
*(uint32_t*)0x2001d070 = (uint32_t)0x0;
*(uint16_t*)0x2001d074 = (uint16_t)0x0;
*(uint16_t*)0x2001d076 = (uint16_t)0x0;
r[28] = syscall(__NR_perf_event_open, 0x2001d000ul, 0x0ul, 0x0ul,
0xfffffffffffffffful, 0x0ul);
break;
case 2:
*(uint32_t*)0x2023c000 = (uint32_t)0x0;
*(uint16_t*)0x2023c004 = (uint16_t)0xa;
*(uint16_t*)0x2023c006 = (uint16_t)0x204e;
*(uint32_t*)0x2023c008 = (uint32_t)0x0;
*(uint8_t*)0x2023c00c = (uint8_t)0x0;
*(uint8_t*)0x2023c00d = (uint8_t)0x0;
*(uint8_t*)0x2023c00e = (uint8_t)0x0;
*(uint8_t*)0x2023c00f = (uint8_t)0x0;
*(uint8_t*)0x2023c010 = (uint8_t)0x0;
*(uint8_t*)0x2023c011 = (uint8_t)0x0;
*(uint8_t*)0x2023c012 = (uint8_t)0x0;
*(uint8_t*)0x2023c013 = (uint8_t)0x0;
*(uint8_t*)0x2023c014 = (uint8_t)0x0;
*(uint8_t*)0x2023c015 = (uint8_t)0x0;
*(uint8_t*)0x2023c016 = (uint8_t)0x0;
*(uint8_t*)0x2023c017 = (uint8_t)0x0;
*(uint8_t*)0x2023c018 = (uint8_t)0x0;
*(uint8_t*)0x2023c019 = (uint8_t)0x0;
*(uint8_t*)0x2023c01a = (uint8_t)0x0;
*(uint8_t*)0x2023c01b = (uint8_t)0x0;
*(uint32_t*)0x2023c01c = (uint32_t)0x0;
*(uint64_t*)0x2023c024 = (uint64_t)0x0;
*(uint64_t*)0x2023c02c = (uint64_t)0x0;
*(uint64_t*)0x2023c034 = (uint64_t)0x0;
*(uint64_t*)0x2023c03c = (uint64_t)0x0;
*(uint64_t*)0x2023c044 = (uint64_t)0x0;
*(uint64_t*)0x2023c04c = (uint64_t)0x0;
*(uint64_t*)0x2023c054 = (uint64_t)0x0;
*(uint64_t*)0x2023c05c = (uint64_t)0x0;
*(uint64_t*)0x2023c064 = (uint64_t)0x0;
*(uint64_t*)0x2023c06c = (uint64_t)0x0;
*(uint64_t*)0x2023c074 = (uint64_t)0x0;
*(uint64_t*)0x2023c07c = (uint64_t)0x0;
*(uint32_t*)0x2023c08c = (uint32_t)0x0;
*(uint16_t*)0x2023c090 = (uint16_t)0x0;
*(uint32_t*)0x2023c092 = (uint32_t)0x0;
*(uint32_t*)0x2023c096 = (uint32_t)0x0;
*(uint32_t*)0x2023c09a = (uint32_t)0x0;
*(uint32_t*)0x20d62000 = (uint32_t)0xa0;
r[68] = syscall(__NR_getsockopt, 0xffffffffffffff9cul, 0x84ul,
0x9ul, 0x2023c000ul, 0x20d62000ul);
break;
case 3:
*(uint32_t*)0x20f90000 = (uint32_t)0x3;
*(uint64_t*)0x20f90008 = (uint64_t)0x20c3a000;
r[71] = syscall(__NR_ioctl, 0xfffffffffffffffful, 0x800443d2ul,
0x20f90000ul);
break;
case 4:
memcpy((void*)0x204e1000, "\x2f\x64\x65\x76\x2f\x71\x61\x74\x5f\x61"
"\x64\x66\x5f\x63\x74\x6c\x00",
17);
r[73] = syscall(__NR_openat, 0xffffffffffffff9cul, 0x204e1000ul,
0x242200ul, 0x0ul);
break;
case 5:
*(uint8_t*)0x20b4cffe = (uint8_t)0x7;
*(uint8_t*)0x20b4cfff = (uint8_t)0x400;
r[76] = syscall(__NR_ioctl, r[73], 0x541cul, 0x20b4cffeul);
break;
case 6:
r[77] = syscall(__NR_ioctl, r[73], 0x540ful, 0x20ccaffcul);
break;
case 7:
r[78] = syscall(__NR_socket, 0x2000000011ul, 0x3ul, 0x300ul);
break;
case 8:
*(uint32_t*)0x20feaff0 = (uint32_t)0x0;
*(uint32_t*)0x20feaff4 = (uint32_t)0xa;
*(uint64_t*)0x20feaff8 = (uint64_t)0x20196f30;
*(uint16_t*)0x20196f30 = (uint16_t)0x2;
*(uint16_t*)0x20196f32 = (uint16_t)0x204e;
*(uint8_t*)0x20196f34 = (uint8_t)0xac;
*(uint8_t*)0x20196f35 = (uint8_t)0x14;
*(uint8_t*)0x20196f36 = (uint8_t)0x0;
*(uint8_t*)0x20196f37 = (uint8_t)0xbb;
*(uint8_t*)0x20196f38 = (uint8_t)0x0;
*(uint8_t*)0x20196f39 = (uint8_t)0x0;
*(uint8_t*)0x20196f3a = (uint8_t)0x0;
*(uint8_t*)0x20196f3b = (uint8_t)0x0;
*(uint8_t*)0x20196f3c = (uint8_t)0x0;
*(uint8_t*)0x20196f3d = (uint8_t)0x0;
*(uint8_t*)0x20196f3e = (uint8_t)0x0;
*(uint8_t*)0x20196f3f = (uint8_t)0x0;
*(uint16_t*)0x20196f40 = (uint16_t)0x2;
*(uint16_t*)0x20196f42 = (uint16_t)0x214e;
*(uint32_t*)0x20196f44 = (uint32_t)0x0;
*(uint8_t*)0x20196f48 = (uint8_t)0x0;
*(uint8_t*)0x20196f49 = (uint8_t)0x0;
*(uint8_t*)0x20196f4a = (uint8_t)0x0;
*(uint8_t*)0x20196f4b = (uint8_t)0x0;
*(uint8_t*)0x20196f4c = (uint8_t)0x0;
*(uint8_t*)0x20196f4d = (uint8_t)0x0;
*(uint8_t*)0x20196f4e = (uint8_t)0x0;
*(uint8_t*)0x20196f4f = (uint8_t)0x0;
*(uint16_t*)0x20196f50 = (uint16_t)0xa;
*(uint16_t*)0x20196f52 = (uint16_t)0x224e;
*(uint32_t*)0x20196f54 = (uint32_t)0x81;
*(uint8_t*)0x20196f58 = (uint8_t)0x0;
*(uint8_t*)0x20196f59 = (uint8_t)0x0;
*(uint8_t*)0x20196f5a = (uint8_t)0x0;
*(uint8_t*)0x20196f5b = (uint8_t)0x0;
*(uint8_t*)0x20196f5c = (uint8_t)0x0;
*(uint8_t*)0x20196f5d = (uint8_t)0x0;
*(uint8_t*)0x20196f5e = (uint8_t)0x0;
*(uint8_t*)0x20196f5f = (uint8_t)0x0;
*(uint8_t*)0x20196f60 = (uint8_t)0x0;
*(uint8_t*)0x20196f61 = (uint8_t)0x0;
*(uint8_t*)0x20196f62 = (uint8_t)0x0;
*(uint8_t*)0x20196f63 = (uint8_t)0x0;
*(uint8_t*)0x20196f64 = (uint8_t)0x0;
*(uint8_t*)0x20196f65 = (uint8_t)0x0;
*(uint8_t*)0x20196f66 = (uint8_t)0x0;
*(uint8_t*)0x20196f67 = (uint8_t)0x0;
*(uint32_t*)0x20196f68 = (uint32_t)0x80000001;
*(uint16_t*)0x20196f6c = (uint16_t)0xa;
*(uint16_t*)0x20196f6e = (uint16_t)0x214e;
*(uint32_t*)0x20196f70 = (uint32_t)0x0;
*(uint64_t*)0x20196f74 = (uint64_t)0x0;
*(uint64_t*)0x20196f7c = (uint64_t)0x100000000000000;
*(uint32_t*)0x20196f84 = (uint32_t)0x100000001;
*(uint16_t*)0x20196f88 = (uint16_t)0x2;
*(uint16_t*)0x20196f8a = (uint16_t)0x234e;
*(uint32_t*)0x20196f8c = (uint32_t)0x100007f;
*(uint8_t*)0x20196f90 = (uint8_t)0x0;
*(uint8_t*)0x20196f91 = (uint8_t)0x0;
*(uint8_t*)0x20196f92 = (uint8_t)0x0;
*(uint8_t*)0x20196f93 = (uint8_t)0x0;
*(uint8_t*)0x20196f94 = (uint8_t)0x0;
*(uint8_t*)0x20196f95 = (uint8_t)0x0;
*(uint8_t*)0x20196f96 = (uint8_t)0x0;
*(uint8_t*)0x20196f97 = (uint8_t)0x0;
*(uint16_t*)0x20196f98 = (uint16_t)0xa;
*(uint16_t*)0x20196f9a = (uint16_t)0x214e;
*(uint32_t*)0x20196f9c = (uint32_t)0x3;
*(uint64_t*)0x20196fa0 = (uint64_t)0x0;
*(uint64_t*)0x20196fa8 = (uint64_t)0x100000000000000;
*(uint32_t*)0x20196fb0 = (uint32_t)0x4;
*(uint16_t*)0x20196fb4 = (uint16_t)0x2;
*(uint16_t*)0x20196fb6 = (uint16_t)0x214e;
*(uint32_t*)0x20196fb8 = (uint32_t)0x0;
*(uint8_t*)0x20196fbc = (uint8_t)0x0;
*(uint8_t*)0x20196fbd = (uint8_t)0x0;
*(uint8_t*)0x20196fbe = (uint8_t)0x0;
*(uint8_t*)0x20196fbf = (uint8_t)0x0;
*(uint8_t*)0x20196fc0 = (uint8_t)0x0;
*(uint8_t*)0x20196fc1 = (uint8_t)0x0;
*(uint8_t*)0x20196fc2 = (uint8_t)0x0;
*(uint8_t*)0x20196fc3 = (uint8_t)0x0;
*(uint16_t*)0x20196fc4 = (uint16_t)0x2;
*(uint16_t*)0x20196fc6 = (uint16_t)0x204e;
*(uint32_t*)0x20196fc8 = (uint32_t)0x100007f;
*(uint8_t*)0x20196fcc = (uint8_t)0x0;
*(uint8_t*)0x20196fcd = (uint8_t)0x0;
*(uint8_t*)0x20196fce = (uint8_t)0x0;
*(uint8_t*)0x20196fcf = (uint8_t)0x0;
*(uint8_t*)0x20196fd0 = (uint8_t)0x0;
*(uint8_t*)0x20196fd1 = (uint8_t)0x0;
*(uint8_t*)0x20196fd2 = (uint8_t)0x0;
*(uint8_t*)0x20196fd3 = (uint8_t)0x0;
*(uint16_t*)0x20196fd4 = (uint16_t)0xa;
*(uint16_t*)0x20196fd6 = (uint16_t)0x224e;
*(uint32_t*)0x20196fd8 = (uint32_t)0x5;
*(uint64_t*)0x20196fdc = (uint64_t)0x0;
*(uint64_t*)0x20196fe4 = (uint64_t)0x100000000000000;
*(uint32_t*)0x20196fec = (uint32_t)0x8000;
*(uint16_t*)0x20196ff0 = (uint16_t)0x2;
*(uint16_t*)0x20196ff2 = (uint16_t)0x234e;
*(uint8_t*)0x20196ff4 = (uint8_t)0xac;
*(uint8_t*)0x20196ff5 = (uint8_t)0x14;
*(uint8_t*)0x20196ff6 = (uint8_t)0x0;
*(uint8_t*)0x20196ff7 = (uint8_t)0xaa;
*(uint8_t*)0x20196ff8 = (uint8_t)0x0;
*(uint8_t*)0x20196ff9 = (uint8_t)0x0;
*(uint8_t*)0x20196ffa = (uint8_t)0x0;
*(uint8_t*)0x20196ffb = (uint8_t)0x0;
*(uint8_t*)0x20196ffc = (uint8_t)0x0;
*(uint8_t*)0x20196ffd = (uint8_t)0x0;
*(uint8_t*)0x20196ffe = (uint8_t)0x0;
*(uint8_t*)0x20196fff = (uint8_t)0x0;
*(uint32_t*)0x20015ffc = (uint32_t)0x10;
r[193] = syscall(__NR_getsockopt, r[78], 0x84ul, 0x6ful,
0x20feaff0ul, 0x20015ffcul);
break;
case 9:
*(uint32_t*)0x20001fd0 = (uint32_t)0x0;
*(uint32_t*)0x20001fd4 = (uint32_t)0x1;
*(uint64_t*)0x20001fd8 = (uint64_t)0x20000000;
*(uint64_t*)0x20001fe0 = (uint64_t)0x20fdbfef;
*(uint32_t*)0x20001fe8 = (uint32_t)0x0;
*(uint32_t*)0x20001fec = (uint32_t)0x0;
*(uint64_t*)0x20001ff0 = (uint64_t)0x20b92fd0;
*(uint32_t*)0x20001ff8 = (uint32_t)0x0;
*(uint8_t*)0x20000000 = (uint8_t)0x0;
*(uint8_t*)0x20000001 = (uint8_t)0x0;
*(uint16_t*)0x20000002 = (uint16_t)0xfffffffffffff802;
*(uint32_t*)0x20000004 = (uint32_t)0xffffffffffffffff;
memcpy((void*)0x20fdbfef, "\x00", 1);
r[207] = syscall(__NR_bpf, 0x5ul, 0x20001fd0ul, 0x30ul);
break;
case 10:
r[208] = syscall(__NR_socket, 0x2ul, 0x80002ul, 0x10004ul);
break;
case 11:
r[209] = syscall(__NR_ioctl, r[208], 0x541bul, 0x20a67000ul);
break;
case 12:
r[210] = syscall(__NR_socket, 0x11ul, 0x802ul, 0x300ul);
break;
case 13:
r[211] = syscall(__NR_setsockopt, r[210], 0x107ul, 0x12ul,
0x20000000ul, 0x4ul);
break;
case 14:
*(uint32_t*)0x20f87000 = (uint32_t)0x0;
r[213] = syscall(__NR_setsockopt, r[210], 0x1ul, 0x8ul,
0x20f87000ul, 0x4ul);
break;
case 15:
*(uint32_t*)0x2061c000 = (uint32_t)0x0;
*(uint32_t*)0x2061c004 = (uint32_t)0x8;
*(uint32_t*)0x20acf000 = (uint32_t)0x8;
r[217] = syscall(__NR_getsockopt, r[210], 0x84ul, 0xdul,
0x2061c000ul, 0x20acf000ul);
if (r[217] != -1)
r[218] = *(uint32_t*)0x2061c000;
break;
case 16:
*(uint16_t*)0x205fb000 = (uint16_t)0xa;
*(uint16_t*)0x205fb002 = (uint16_t)0x214e;
*(uint32_t*)0x205fb004 = (uint32_t)0x1;
*(uint64_t*)0x205fb008 = (uint64_t)0x0;
*(uint64_t*)0x205fb010 = (uint64_t)0x100000000000000;
*(uint32_t*)0x205fb018 = (uint32_t)0x8;
r[225] = syscall(__NR_sendto, r[210], 0x20c58fb4ul, 0x0ul,
0xfffffffffffffffful, 0x205fb000ul, 0x1cul);
break;
case 17:
*(uint32_t*)0x20081ffc = (uint32_t)0x4aef;
r[227] = syscall(__NR_ioctl, r[210], 0x894cul, 0x20081ffcul);
break;
case 18:
*(uint32_t*)0x20453fe0 = (uint32_t)0xffffffffffffffff;
*(uint64_t*)0x20453fe8 = (uint64_t)0x20e65000;
*(uint64_t*)0x20453ff0 = (uint64_t)0x20859000;
*(uint64_t*)0x20453ff8 = (uint64_t)0x1;
r[232] = syscall(__NR_bpf, 0x2ul, 0x20453fe0ul, 0x20ul);
break;
case 19:
*(uint32_t*)0x2037d000 = r[218];
*(uint32_t*)0x2037d004 = (uint32_t)0x4;
*(uint32_t*)0x201e4ffc = (uint32_t)0x8;
r[236] = syscall(__NR_getsockopt, r[210], 0x84ul, 0x71ul,
0x2037d000ul, 0x201e4ffcul);
break;
case 20:
*(uint32_t*)0x203baffc = (uint32_t)0xc;
r[238] = syscall(__NR_getsockopt, r[210], 0x1ul, 0x11ul,
0x2096a000ul, 0x203baffcul);
if (r[238] != -1)
r[239] = *(uint32_t*)0x2096a000;
break;
case 21:
*(uint32_t*)0x20460f60 = r[218];
*(uint16_t*)0x20460f64 = (uint16_t)0x2;
*(uint16_t*)0x20460f66 = (uint16_t)0x214e;
*(uint32_t*)0x20460f68 = (uint32_t)0x0;
*(uint8_t*)0x20460f6c = (uint8_t)0x0;
*(uint8_t*)0x20460f6d = (uint8_t)0x0;
*(uint8_t*)0x20460f6e = (uint8_t)0x0;
*(uint8_t*)0x20460f6f = (uint8_t)0x0;
*(uint8_t*)0x20460f70 = (uint8_t)0x0;
*(uint8_t*)0x20460f71 = (uint8_t)0x0;
*(uint8_t*)0x20460f72 = (uint8_t)0x0;
*(uint8_t*)0x20460f73 = (uint8_t)0x0;
*(uint64_t*)0x20460f74 = (uint64_t)0x0;
*(uint64_t*)0x20460f7c = (uint64_t)0x0;
*(uint64_t*)0x20460f84 = (uint64_t)0x0;
*(uint64_t*)0x20460f8c = (uint64_t)0x0;
*(uint64_t*)0x20460f94 = (uint64_t)0x0;
*(uint64_t*)0x20460f9c = (uint64_t)0x0;
*(uint64_t*)0x20460fa4 = (uint64_t)0x0;
*(uint64_t*)0x20460fac = (uint64_t)0x0;
*(uint64_t*)0x20460fb4 = (uint64_t)0x0;
*(uint64_t*)0x20460fbc = (uint64_t)0x0;
*(uint64_t*)0x20460fc4 = (uint64_t)0x0;
*(uint64_t*)0x20460fcc = (uint64_t)0x0;
*(uint64_t*)0x20460fd4 = (uint64_t)0x0;
*(uint64_t*)0x20460fdc = (uint64_t)0x0;
*(uint64_t*)0x20460fe4 = (uint64_t)0x0;
*(uint32_t*)0x20460fec = (uint32_t)0xff0000000000;
*(uint16_t*)0x20460ff0 = (uint16_t)0x1;
*(uint32_t*)0x20460ff2 = (uint32_t)0x80000001;
*(uint32_t*)0x20460ff6 = (uint32_t)0x1000;
*(uint32_t*)0x20460ffa = (uint32_t)0x20;
r[272] = syscall(__NR_setsockopt, r[210], 0x84ul, 0x9ul,
0x20460f60ul, 0xa0ul);
break;
case 22:
*(uint32_t*)0x207d5000 = r[239];
r[274] = syscall(__NR_ioctl, r[208], 0x8901ul, 0x207d5000ul);
break;
case 23:
memcpy((void*)0x20000000, "\xef\xad\x07\x00\x00\xa7", 6);
*(uint8_t*)0x20000006 = (uint8_t)0x0;
*(uint8_t*)0x20000007 = (uint8_t)0x0;
*(uint8_t*)0x20000008 = (uint8_t)0x0;
*(uint8_t*)0x20000009 = (uint8_t)0x0;
*(uint8_t*)0x2000000a = (uint8_t)0x0;
*(uint8_t*)0x2000000b = (uint8_t)0x0;
*(uint16_t*)0x2000000c = (uint16_t)0x0;
*(uint16_t*)0x2000000e = (uint16_t)0x7100;
*(uint8_t*)0x20000010 = (uint8_t)0x0;
*(uint8_t*)0x20000011 = (uint8_t)0x0;
memcpy((void*)0x20000012, "\x9a", 1);
memcpy((void*)0x20000013, "\x2f\x3f\x7b", 3);
*(uint16_t*)0x20000016 = (uint16_t)0x0;
memcpy((void*)0x20000018,
"\xbb\xf7\x8b\x9a\x1e\xf9\xd7\x58\x5c\x44\xdc\x14\x2e\xcb"
"\xaf\x80\x66\xd2\x61\x0e\x91\xb0\xe5\xce\xa2\x2f\xde\xe4"
"\x0a\x7e\x5f\x9e\x41\xdd\x99\xf8\xfb\xe9\xb2\x8d\x03\xe6"
"\xb4\x99\x2c\x5b\x98\xa2\xc3\x7c\x5e\xbe\x16\x92\xbc\xc8"
"\xfb\xc1\xec\xad\x74\xff\xe1\xff\x13\xc5\x05\xb9\x66\xc4"
"\x2b\x6d\x44\xa1\x2c\xe0\x6c\x5a\x04\x31\x56\xfd\x53\xcd"
"\xbf\xdc\xbb\x08\x9e\xb0\xfc\x74\x3f\xd2\xa7\x4c\x56\x1b"
"\x81\x03\x20\x17\xdf\x10\x93",
105);
r[290] = syz_emit_ethernet(0x81ul, 0x20000000ul);
break;
case 24:
*(uint8_t*)0x209cbfd2 = (uint8_t)0xaa;
*(uint8_t*)0x209cbfd3 = (uint8_t)0xaa;
*(uint8_t*)0x209cbfd4 = (uint8_t)0xaa;
*(uint8_t*)0x209cbfd5 = (uint8_t)0xaa;
*(uint8_t*)0x209cbfd6 = (uint8_t)0xaa;
*(uint8_t*)0x209cbfd7 = (uint8_t)0x0;
memcpy((void*)0x209cbfd8, "\xb4\x2d\xd4\x91\xaa\x6c", 6);
*(uint16_t*)0x209cbfde = (uint16_t)0x81;
STORE_BY_BITMASK(uint16_t, 0x209cbfe0, 0x3, 0, 3);
STORE_BY_BITMASK(uint16_t, 0x209cbfe0, 0x20, 3, 1);
STORE_BY_BITMASK(uint16_t, 0x209cbfe0, 0x800, 4, 12);
*(uint16_t*)0x209cbfe2 = (uint16_t)0x888;
*(uint16_t*)0x209cbfe4 = (uint16_t)0x100;
*(uint16_t*)0x209cbfe6 = (uint16_t)0x8;
*(uint8_t*)0x209cbfe8 = (uint8_t)0x6;
*(uint8_t*)0x209cbfe9 = (uint8_t)0x4;
*(uint16_t*)0x209cbfea = (uint16_t)0xb00;
*(uint8_t*)0x209cbfec = (uint8_t)0x0;
*(uint8_t*)0x209cbfed = (uint8_t)0x0;
*(uint8_t*)0x209cbfee = (uint8_t)0x0;
*(uint8_t*)0x209cbfef = (uint8_t)0x0;
*(uint8_t*)0x209cbff0 = (uint8_t)0x0;
*(uint8_t*)0x209cbff1 = (uint8_t)0x0;
*(uint32_t*)0x209cbff2 = (uint32_t)0x20000e0;
*(uint8_t*)0x209cbff6 = (uint8_t)0xbb;
*(uint8_t*)0x209cbff7 = (uint8_t)0xbb;
*(uint8_t*)0x209cbff8 = (uint8_t)0xbb;
*(uint8_t*)0x209cbff9 = (uint8_t)0xbb;
*(uint8_t*)0x209cbffa = (uint8_t)0xbb;
*(uint8_t*)0x209cbffb = (uint8_t)0x0;
*(uint32_t*)0x209cbffc = (uint32_t)0x20000e0;
r[322] = syz_emit_ethernet(0x2eul, 0x209cbfd2ul);
break;
}
// Unknown step numbers fall through the switch and do nothing.
return 0;
}
// One reproducer iteration: resets r[], then launches every program step
// (0..24) twice on its own thread, with random pauses between launches so the
// steps interleave differently each run. The threads are never joined; the
// child process that called test() exits shortly after via doexit().
// pthread_create failures are ignored, matching the generated harness.
void test()
{
	pthread_t workers[50];
	memset(r, -1, sizeof(r));
	srand(getpid());
	// First pass: pause after every launch.
	for (long step = 0; step < 25; step++) {
		pthread_create(&workers[step], 0, thr, (void*)step);
		usleep(rand() % 10000);
	}
	// Second pass: pause only about half the time.
	for (long step = 0; step < 25; step++) {
		pthread_create(&workers[25 + step], 0, thr, (void*)step);
		if (rand() % 2)
			usleep(rand() % 10000);
	}
	usleep(rand() % 100000);
}
// Starts eight executor processes, each with its own TAP device (ids 0..7)
// and its own fork-per-iteration loop(); loop() never returns, so the
// child's `return 0` is only reached if it did. The parent just sleeps.
// A failed fork() is not detected: the parent simply moves on.
int main()
{
	for (int executor = 0; executor < 8; executor++) {
		if (fork() != 0)
			continue;
		setup_tun(executor, true);
		loop();
		return 0;
	}
	sleep(1000000);
	return 0;
}