| // KMSAN: uninit-value in __inet6_bind |
| // https://syzkaller.appspot.com/bug?id=c1bc9515d815388b96876f42105845ed6bc6b2fe |
| // status:fixed |
| // autogenerated by syzkaller (https://github.com/google/syzkaller) |
| |
| #define _GNU_SOURCE |
| |
| #include <endian.h> |
| #include <errno.h> |
| #include <stdint.h> |
| #include <stdio.h> |
| #include <stdlib.h> |
| #include <string.h> |
| #include <sys/socket.h> |
| #include <sys/syscall.h> |
| #include <sys/types.h> |
| #include <unistd.h> |
| |
| #include <linux/genetlink.h> |
| #include <linux/netlink.h> |
| |
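/*
 * Resolve a generic-netlink family name to its numeric family id.
 *
 * @name  address of a NUL-terminated family name, passed as a long (the
 *        syzkaller convention for pointer arguments)
 * Returns the 16-bit family id, or -1 on any socket, send, receive or
 * parse failure. An unknown family makes the kernel answer with an
 * NLMSG_ERROR message, which is rejected by the nlmsg_type check below.
 *
 * The reply is parsed out of raw bytes, so every header and attribute is
 * bounds-checked against the byte count actually received before it is
 * dereferenced; the original walk trusted nla_len, so a reply containing a
 * zero-length attribute would have looped forever and an over-long one
 * would have been read past the end of the buffer.
 */
static long syz_genetlink_get_family_id(long name)
{
  /* One buffer serves as request and reply; aligned so the header casts are valid. */
  _Alignas(struct nlmsghdr) char buf[512] = {0};
  struct nlmsghdr* hdr = (struct nlmsghdr*)buf;
  struct genlmsghdr* genlhdr = (struct genlmsghdr*)NLMSG_DATA(hdr);
  struct nlattr* attr = (struct nlattr*)(genlhdr + 1);

  /* CTRL_CMD_GETFAMILY request carrying a single CTRL_ATTR_FAMILY_NAME. */
  hdr->nlmsg_len =
      sizeof(*hdr) + sizeof(*genlhdr) + sizeof(*attr) + GENL_NAMSIZ;
  hdr->nlmsg_type = GENL_ID_CTRL;
  hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
  genlhdr->cmd = CTRL_CMD_GETFAMILY;
  attr->nla_type = CTRL_ATTR_FAMILY_NAME;
  attr->nla_len = sizeof(*attr) + GENL_NAMSIZ;
  /*
   * strncpy is safe here: the destination is GENL_NAMSIZ bytes inside a
   * zero-initialised 512-byte buffer, so the copy can neither overrun nor
   * leave the string unterminated within buf.
   */
  strncpy((char*)(attr + 1), (const char*)name, GENL_NAMSIZ);

  int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC);
  if (fd == -1) {
    return -1;
  }

  struct sockaddr_nl addr = {0};
  addr.nl_family = AF_NETLINK;
  struct iovec iov = {hdr, hdr->nlmsg_len};
  struct msghdr msg = {0};
  msg.msg_name = &addr;
  msg.msg_namelen = sizeof(addr);
  msg.msg_iov = &iov;
  msg.msg_iovlen = 1;
  if (sendmsg(fd, &msg, 0) == -1) {
    close(fd);
    return -1;
  }

  ssize_t n = recv(fd, buf, sizeof(buf), 0);
  close(fd);
  /* Both fixed headers must be present before either is read. */
  if (n < (ssize_t)(NLMSG_HDRLEN + GENL_HDRLEN)) {
    return -1;
  }
  /* Anything but a control reply (e.g. NLMSG_ERROR for an unknown family) is a failure. */
  if (hdr->nlmsg_type != GENL_ID_CTRL) {
    return -1;
  }

  /*
   * Walk the attributes. Each nlattr header must fit in the received
   * bytes, and nla_len must cover at least its own header (otherwise the
   * stride would be zero) and not extend past what was received.
   */
  const char* end = buf + n;
  for (char* p = (char*)attr; p + sizeof(struct nlattr) <= end;) {
    struct nlattr* a = (struct nlattr*)p;
    if (a->nla_len < sizeof(*a) || p + a->nla_len > end) {
      return -1;
    }
    if (a->nla_type == CTRL_ATTR_FAMILY_ID) {
      uint16_t id;
      if (a->nla_len < sizeof(*a) + sizeof(id)) {
        return -1;
      }
      /* memcpy rather than a cast: the payload is only 4-byte aligned by convention. */
      memcpy(&id, a + 1, sizeof(id));
      return id;
    }
    p += NLMSG_ALIGN(a->nla_len);
  }
  return -1;
}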
| |
/*
 * Resources threaded through the reproducer's syscalls:
 *   r[0] - the NETLINK_GENERIC socket fd, all-ones until socket() succeeds
 *   r[1] - the numeric "TIPCv2" family id, 0 until the lookup succeeds
 */
uint64_t r[2] = {UINT64_MAX, 0};
| |
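/*
 * Reproducer entry point. Replays the syscall sequence syzkaller found:
 * create a NETLINK_GENERIC socket, resolve the "TIPCv2" family id, and
 * send one genetlink request (cmd 3) whose nested attributes describe a
 * UDP bearer named "udp:syz2" with an IPv6 link-local local address and an
 * AF_INET remote address. Every buffer is hand-laid-out in a fixed mapping
 * at 0x20000000, exactly as the generated program did.
 *
 * Returns 0 after the request is sent, 1 if the scratch mapping cannot be
 * created (in which case every store below would fault).
 */
int main(void)
{
  /*
   * 16 MiB scratch mapping at the fixed address 0x20000000: prot 3 =
   * PROT_READ|PROT_WRITE, flags 0x32 = MAP_FIXED|MAP_PRIVATE|MAP_ANONYMOUS
   * (x86-64 Linux values). The generated repro ignored the result and
   * would crash on the first store if the mapping failed.
   */
  long res = syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0);
  if (res == -1) {
    perror("mmap");
    return 1;
  }

  /* r[0]: socket(AF_NETLINK = 0x10, SOCK_RAW = 3, NETLINK_GENERIC = 0x10). */
  res = syscall(__NR_socket, 0x10, 3, 0x10);
  if (res != -1)
    r[0] = res;

  /* r[1]: numeric id of the "TIPCv2" generic-netlink family. */
  memcpy((void*)0x20000600, "TIPCv2\x00", 7);
  res = syz_genetlink_get_family_id(0x20000600);
  if (res != -1) {
    r[1] = res;
  } else {
    /* Keep going, as the generated program does, but say why it cannot fire. */
    fprintf(stderr, "warning: genetlink family TIPCv2 not found; "
                    "sending with nlmsg_type 0\n");
  }

  /* struct msghdr at 0x200008c0 (x86-64 layout): no name, one iovec, no control data. */
  *(uint64_t*)0x200008c0 = 0;          /* msg_name */
  *(uint32_t*)0x200008c8 = 0;          /* msg_namelen */
  *(uint64_t*)0x200008d0 = 0x20000880; /* msg_iov */
  *(uint64_t*)0x20000880 = 0x20000640; /* iov[0].iov_base -> nlmsghdr below */

  /* struct nlmsghdr: 0x6c bytes, type = TIPCv2 family id, flags 0x201 = NLM_F_REQUEST|NLM_F_EXCL. */
  *(uint32_t*)0x20000640 = 0x6c;  /* nlmsg_len */
  *(uint16_t*)0x20000644 = r[1];  /* nlmsg_type */
  *(uint16_t*)0x20000646 = 0x201; /* nlmsg_flags */
  *(uint32_t*)0x20000648 = 0;     /* nlmsg_seq */
  *(uint32_t*)0x2000064c = 0;     /* nlmsg_pid */

  /* struct genlmsghdr: cmd 3 (presumably TIPC's bearer-enable command; confirm against linux/tipc_netlink.h). */
  *(uint8_t*)0x20000650 = 3;  /* cmd */
  *(uint8_t*)0x20000651 = 0;  /* version */
  *(uint16_t*)0x20000652 = 0; /* reserved */

  /* nlattr len 0x58 type 1: nested bearer attributes (attribute numbers below look like TIPC_NLA_*; confirm). */
  *(uint16_t*)0x20000654 = 0x58;
  *(uint16_t*)0x20000656 = 1;
  /*   nlattr len 0x10 type 1: bearer name "udp:syz2", 9 bytes including NUL, padded to 4. */
  *(uint16_t*)0x20000658 = 0x10;
  *(uint16_t*)0x2000065a = 1;
  memcpy((void*)0x2000065c, "udp:syz2\x00", 9);
  /*   nlattr len 0x44 type 4: nested UDP bearer options. */
  *(uint16_t*)0x20000668 = 0x44;
  *(uint16_t*)0x2000066a = 4;
  /*     nlattr len 0x20 type 1: local address, laid out as a struct sockaddr_in6. */
  *(uint16_t*)0x2000066c = 0x20;
  *(uint16_t*)0x2000066e = 1;
  *(uint16_t*)0x20000670 = 0xa;        /* sin6_family = AF_INET6 */
  *(uint16_t*)0x20000672 = htobe16(0); /* sin6_port */
  *(uint32_t*)0x20000674 = 0;          /* sin6_flowinfo */
  /*     sin6_addr = fe80::bb (link-local) */
  *(uint8_t*)0x20000678 = 0xfe;
  *(uint8_t*)0x20000679 = 0x80;
  *(uint8_t*)0x2000067a = 0;
  *(uint8_t*)0x2000067b = 0;
  *(uint8_t*)0x2000067c = 0;
  *(uint8_t*)0x2000067d = 0;
  *(uint8_t*)0x2000067e = 0;
  *(uint8_t*)0x2000067f = 0;
  *(uint8_t*)0x20000680 = 0;
  *(uint8_t*)0x20000681 = 0;
  *(uint8_t*)0x20000682 = 0;
  *(uint8_t*)0x20000683 = 0;
  *(uint8_t*)0x20000684 = 0;
  *(uint8_t*)0x20000685 = 0;
  *(uint8_t*)0x20000686 = 0;
  *(uint8_t*)0x20000687 = 0xbb;
  *(uint32_t*)0x20000688 = 0x1ff;      /* sin6_scope_id */
  /*
   *     nlattr len 0x20 type 2: remote address. The payload is 28 bytes
   *     (the size of a sockaddr_in6) but starts with sin_family = AF_INET
   *     and a zero sin_addr; the bytes past the 16-byte sockaddr_in are
   *     whatever the fuzzer left there.
   */
  *(uint16_t*)0x2000068c = 0x20;
  *(uint16_t*)0x2000068e = 2;
  *(uint16_t*)0x20000690 = 2;          /* sin_family = AF_INET */
  *(uint16_t*)0x20000692 = htobe16(0); /* sin_port */
  *(uint32_t*)0x20000694 = 0;          /* sin_addr = 0.0.0.0 */
  *(uint64_t*)0x20000698 = htobe64(0);
  *(uint64_t*)0x200006a0 = htobe64(1);
  *(uint32_t*)0x200006a8 = 0;

  *(uint64_t*)0x20000888 = 0x6c; /* iov[0].iov_len, equal to nlmsg_len */
  *(uint64_t*)0x200008d8 = 1;    /* msg_iovlen */
  *(uint64_t*)0x200008e0 = 0;    /* msg_control */
  *(uint64_t*)0x200008e8 = 0;    /* msg_controllen */
  *(uint32_t*)0x200008f0 = 0;    /* msg_flags */

  /*
   * The result is deliberately not checked: the signal for this bug is the
   * KMSAN report named in the file header, produced while the kernel
   * handles the request, not the syscall's return value.
   */
  syscall(__NR_sendmsg, r[0], 0x200008c0, 0);
  return 0;
}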