| // general protection fault in tipc_nl_publ_dump |
| // https://syzkaller.appspot.com/bug?id=5252a0bc6b0003c7ab998ac22d4c480ce7631244 |
| // status:open |
| // autogenerated by syzkaller (https://github.com/google/syzkaller) |
| |
| #define _GNU_SOURCE |
| |
| #include <endian.h> |
| #include <errno.h> |
| #include <stdint.h> |
| #include <stdio.h> |
| #include <stdlib.h> |
| #include <string.h> |
| #include <sys/socket.h> |
| #include <sys/syscall.h> |
| #include <sys/types.h> |
| #include <unistd.h> |
| |
| #include <linux/genetlink.h> |
| #include <linux/netlink.h> |
| |
| static long syz_genetlink_get_family_id(volatile long name) |
| { |
| char buf[512] = {0}; |
| struct nlmsghdr* hdr = (struct nlmsghdr*)buf; |
| struct genlmsghdr* genlhdr = (struct genlmsghdr*)NLMSG_DATA(hdr); |
| struct nlattr* attr = (struct nlattr*)(genlhdr + 1); |
| hdr->nlmsg_len = |
| sizeof(*hdr) + sizeof(*genlhdr) + sizeof(*attr) + GENL_NAMSIZ; |
| hdr->nlmsg_type = GENL_ID_CTRL; |
| hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK; |
| genlhdr->cmd = CTRL_CMD_GETFAMILY; |
| attr->nla_type = CTRL_ATTR_FAMILY_NAME; |
| attr->nla_len = sizeof(*attr) + GENL_NAMSIZ; |
| strncpy((char*)(attr + 1), (char*)name, GENL_NAMSIZ); |
| struct iovec iov = {hdr, hdr->nlmsg_len}; |
| struct sockaddr_nl addr = {0}; |
| addr.nl_family = AF_NETLINK; |
| int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC); |
| if (fd == -1) { |
| return -1; |
| } |
| struct msghdr msg = {&addr, sizeof(addr), &iov, 1, NULL, 0, 0}; |
| if (sendmsg(fd, &msg, 0) == -1) { |
| close(fd); |
| return -1; |
| } |
| ssize_t n = recv(fd, buf, sizeof(buf), 0); |
| close(fd); |
| if (n <= 0) { |
| return -1; |
| } |
| if (hdr->nlmsg_type != GENL_ID_CTRL) { |
| return -1; |
| } |
| for (; (char*)attr < buf + n; |
| attr = (struct nlattr*)((char*)attr + NLMSG_ALIGN(attr->nla_len))) { |
| if (attr->nla_type == CTRL_ATTR_FAMILY_ID) |
| return *(uint16_t*)(attr + 1); |
| } |
| return -1; |
| } |
| |
| uint64_t r[2] = {0xffffffffffffffff, 0x0}; |
| |
| int main(void) |
| { |
| syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0); |
| intptr_t res = 0; |
| res = syscall(__NR_socket, 0x10, 3, 0x10); |
| if (res != -1) |
| r[0] = res; |
| memcpy((void*)0x20000440, "TIPC\000", 5); |
| res = syz_genetlink_get_family_id(0x20000440); |
| if (res != -1) |
| r[1] = res; |
| *(uint64_t*)0x20000500 = 0; |
| *(uint32_t*)0x20000508 = 0x9000000; |
| *(uint64_t*)0x20000510 = 0x200004c0; |
| *(uint64_t*)0x200004c0 = 0x20000480; |
| *(uint32_t*)0x20000480 = 0x30; |
| *(uint16_t*)0x20000484 = r[1]; |
| *(uint16_t*)0x20000486 = 0x805; |
| *(uint32_t*)0x20000488 = 0; |
| *(uint32_t*)0x2000048c = 0; |
| *(uint8_t*)0x20000490 = 1; |
| *(uint8_t*)0x20000491 = 0; |
| *(uint16_t*)0x20000492 = 0; |
| *(uint32_t*)0x20000494 = 0; |
| *(uint16_t*)0x20000498 = 6; |
| *(uint16_t*)0x2000049a = 0; |
| *(uint16_t*)0x2000049c = htobe16(0x14); |
| *(uint16_t*)0x2000049e = htobe16(0x19); |
| *(uint32_t*)0x200004a0 = htobe32(0); |
| *(uint32_t*)0x200004a4 = htobe32(0); |
| *(uint32_t*)0x200004a8 = htobe32(0); |
| *(uint32_t*)0x200004ac = htobe32(0); |
| *(uint64_t*)0x200004c8 = 0x30; |
| *(uint64_t*)0x20000518 = 1; |
| *(uint64_t*)0x20000520 = 0; |
| *(uint64_t*)0x20000528 = 0; |
| *(uint32_t*)0x20000530 = 0; |
| syscall(__NR_sendmsg, r[0], 0x20000500, 0); |
| return 0; |
| } |
