API tools faq
paste
zzqq0103

Untitled

zzqq0103
Mar 15th, 2024
65
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 7.98 KB | None | 0 0
raw download clone embed print report
  1. #define _GNU_SOURCE
  2.  
  3. #include <arpa/inet.h>
  4. #include <endian.h>
  5. #include <errno.h>
  6. #include <net/if.h>
  7. #include <netinet/in.h>
  8. #include <stdbool.h>
  9. #include <stdint.h>
  10. #include <stdio.h>
  11. #include <stdlib.h>
  12. #include <string.h>
  13. #include <sys/socket.h>
  14. #include <sys/syscall.h>
  15. #include <sys/types.h>
  16. #include <unistd.h>
  17.  
  18. #include <linux/genetlink.h>
  19. #include <linux/if_addr.h>
  20. #include <linux/if_link.h>
  21. #include <linux/in6.h>
  22. #include <linux/neighbour.h>
  23. #include <linux/net.h>
  24. #include <linux/netlink.h>
  25. #include <linux/rtnetlink.h>
  26. #include <linux/veth.h>
  27.  
  28. struct nlmsg {
  29. char* pos;
  30. int nesting;
  31. struct nlattr* nested[8];
  32. char buf[4096];
  33. };
  34.  
  35. static void netlink_init(struct nlmsg* nlmsg, int typ, int flags,
  36. const void* data, int size)
  37. {
  38. memset(nlmsg, 0, sizeof(*nlmsg));
  39. struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf;
  40. hdr->nlmsg_type = typ;
  41. hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags;
  42. memcpy(hdr + 1, data, size);
  43. nlmsg->pos = (char*)(hdr + 1) + NLMSG_ALIGN(size);
  44. }
  45.  
  46. static void netlink_attr(struct nlmsg* nlmsg, int typ, const void* data,
  47. int size)
  48. {
  49. struct nlattr* attr = (struct nlattr*)nlmsg->pos;
  50. attr->nla_len = sizeof(*attr) + size;
  51. attr->nla_type = typ;
  52. if (size > 0)
  53. memcpy(attr + 1, data, size);
  54. nlmsg->pos += NLMSG_ALIGN(attr->nla_len);
  55. }
  56.  
  57. static int netlink_send_ext(struct nlmsg* nlmsg, int sock, uint16_t reply_type,
  58. int* reply_len, bool dofail)
  59. {
  60. if (nlmsg->pos > nlmsg->buf + sizeof(nlmsg->buf) || nlmsg->nesting)
  61. exit(1);
  62. struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf;
  63. hdr->nlmsg_len = nlmsg->pos - nlmsg->buf;
  64. struct sockaddr_nl addr;
  65. memset(&addr, 0, sizeof(addr));
  66. addr.nl_family = AF_NETLINK;
  67. ssize_t n = sendto(sock, nlmsg->buf, hdr->nlmsg_len, 0,
  68. (struct sockaddr*)&addr, sizeof(addr));
  69. if (n != (ssize_t)hdr->nlmsg_len) {
  70. if (dofail)
  71. exit(1);
  72. return -1;
  73. }
  74. n = recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0);
  75. if (reply_len)
  76. *reply_len = 0;
  77. if (n < 0) {
  78. if (dofail)
  79. exit(1);
  80. return -1;
  81. }
  82. if (n < (ssize_t)sizeof(struct nlmsghdr)) {
  83. errno = EINVAL;
  84. if (dofail)
  85. exit(1);
  86. return -1;
  87. }
  88. if (hdr->nlmsg_type == NLMSG_DONE)
  89. return 0;
  90. if (reply_len && hdr->nlmsg_type == reply_type) {
  91. *reply_len = n;
  92. return 0;
  93. }
  94. if (n < (ssize_t)(sizeof(struct nlmsghdr) + sizeof(struct nlmsgerr))) {
  95. errno = EINVAL;
  96. if (dofail)
  97. exit(1);
  98. return -1;
  99. }
  100. if (hdr->nlmsg_type != NLMSG_ERROR) {
  101. errno = EINVAL;
  102. if (dofail)
  103. exit(1);
  104. return -1;
  105. }
  106. errno = -((struct nlmsgerr*)(hdr + 1))->error;
  107. return -errno;
  108. }
  109.  
  110. static int netlink_query_family_id(struct nlmsg* nlmsg, int sock,
  111. const char* family_name, bool dofail)
  112. {
  113. struct genlmsghdr genlhdr;
  114. memset(&genlhdr, 0, sizeof(genlhdr));
  115. genlhdr.cmd = CTRL_CMD_GETFAMILY;
  116. netlink_init(nlmsg, GENL_ID_CTRL, 0, &genlhdr, sizeof(genlhdr));
  117. netlink_attr(nlmsg, CTRL_ATTR_FAMILY_NAME, family_name,
  118. strnlen(family_name, GENL_NAMSIZ - 1) + 1);
  119. int n = 0;
  120. int err = netlink_send_ext(nlmsg, sock, GENL_ID_CTRL, &n, dofail);
  121. if (err < 0) {
  122. return -1;
  123. }
  124. uint16_t id = 0;
  125. struct nlattr* attr = (struct nlattr*)(nlmsg->buf + NLMSG_HDRLEN +
  126. NLMSG_ALIGN(sizeof(genlhdr)));
  127. for (; (char*)attr < nlmsg->buf + n;
  128. attr = (struct nlattr*)((char*)attr + NLMSG_ALIGN(attr->nla_len))) {
  129. if (attr->nla_type == CTRL_ATTR_FAMILY_ID) {
  130. id = *(uint16_t*)(attr + 1);
  131. break;
  132. }
  133. }
  134. if (!id) {
  135. errno = EINVAL;
  136. return -1;
  137. }
  138. recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0);
  139. return id;
  140. }
  141.  
  142. const int kInitNetNsFd = 201;
  143.  
  144. static long syz_init_net_socket(volatile long domain, volatile long type,
  145. volatile long proto)
  146. {
  147. return syscall(__NR_socket, domain, type, proto);
  148. }
  149.  
  150. static long syz_genetlink_get_family_id(volatile long name,
  151. volatile long sock_arg)
  152. {
  153. int fd = sock_arg;
  154. if (fd < 0) {
  155. fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC);
  156. if (fd == -1) {
  157. return -1;
  158. }
  159. }
  160. struct nlmsg nlmsg_tmp;
  161. int ret = netlink_query_family_id(&nlmsg_tmp, fd, (char*)name, false);
  162. if ((int)sock_arg < 0)
  163. close(fd);
  164. if (ret < 0) {
  165. return -1;
  166. }
  167. return ret;
  168. }
  169.  
  170. uint64_t r[2] = {0xffffffffffffffff, 0x0};
  171.  
  172. int main(void)
  173. {
  174. syscall(__NR_mmap, /*addr=*/0x1ffff000ul, /*len=*/0x1000ul, /*prot=*/0ul,
  175. /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1,
  176. /*offset=*/0ul);
  177. syscall(__NR_mmap, /*addr=*/0x20000000ul, /*len=*/0x1000000ul,
  178. /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul,
  179. /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1,
  180. /*offset=*/0ul);
  181. syscall(__NR_mmap, /*addr=*/0x21000000ul, /*len=*/0x1000ul, /*prot=*/0ul,
  182. /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1,
  183. /*offset=*/0ul);
  184. intptr_t res = 0;
  185. res = syscall(__NR_socket, /*domain=*/0x10ul, /*type=*/3ul, /*proto=*/0x10);
  186. if (res != -1)
  187. r[0] = res;
  188. syz_genetlink_get_family_id(/*name=*/0, /*fd=*/-1);
  189. syz_init_net_socket(/*domain=*/0x10, /*type=*/3, /*proto=*/0x10);
  190. memcpy((void*)0x20000340, "nbd\000", 4);
  191. syz_genetlink_get_family_id(/*name=*/0x20000340, /*fd=*/-1);
  192. memcpy((void*)0x20000040, "batadv\000", 7);
  193. res = -1;
  194. res = syz_genetlink_get_family_id(/*name=*/0x20000040, /*fd=*/r[0]);
  195. if (res != -1)
  196. r[1] = res;
  197. *(uint64_t*)0x20000140 = 0x20000000;
  198. *(uint16_t*)0x20000000 = 0x10;
  199. *(uint16_t*)0x20000002 = 0;
  200. *(uint32_t*)0x20000004 = 0;
  201. *(uint32_t*)0x20000008 = 0x1000000;
  202. *(uint32_t*)0x20000148 = 0xc;
  203. *(uint64_t*)0x20000150 = 0x20000100;
  204. *(uint64_t*)0x20000100 = 0x20000080;
  205. *(uint32_t*)0x20000080 = 0x5c;
  206. *(uint16_t*)0x20000084 = r[1];
  207. *(uint16_t*)0x20000086 = 0x10;
  208. *(uint32_t*)0x20000088 = 0x70bd2b;
  209. *(uint32_t*)0x2000008c = 0x25dfdbff;
  210. *(uint8_t*)0x20000090 = 0xa;
  211. *(uint8_t*)0x20000091 = 0;
  212. *(uint16_t*)0x20000092 = 0;
  213. *(uint16_t*)0x20000094 = 5;
  214. *(uint16_t*)0x20000096 = 0x29;
  215. *(uint8_t*)0x20000098 = 0;
  216. *(uint16_t*)0x2000009c = 8;
  217. *(uint16_t*)0x2000009e = 0xb;
  218. *(uint32_t*)0x200000a0 = 0xfffffff8;
  219. *(uint16_t*)0x200000a4 = 5;
  220. *(uint16_t*)0x200000a6 = 0x38;
  221. *(uint8_t*)0x200000a8 = 0;
  222. *(uint16_t*)0x200000ac = 5;
  223. *(uint16_t*)0x200000ae = 0x2d;
  224. *(uint8_t*)0x200000b0 = 1;
  225. *(uint16_t*)0x200000b4 = 8;
  226. *(uint16_t*)0x200000b6 = 0x31;
  227. *(uint32_t*)0x200000b8 = 4;
  228. *(uint16_t*)0x200000bc = 5;
  229. *(uint16_t*)0x200000be = 0x2a;
  230. *(uint8_t*)0x200000c0 = 0;
  231. *(uint16_t*)0x200000c4 = 8;
  232. *(uint16_t*)0x200000c6 = 0x34;
  233. *(uint32_t*)0x200000c8 = 4;
  234. *(uint16_t*)0x200000cc = 5;
  235. *(uint16_t*)0x200000ce = 0x2e;
  236. *(uint8_t*)0x200000d0 = 1;
  237. *(uint16_t*)0x200000d4 = 5;
  238. *(uint16_t*)0x200000d6 = 0x2f;
  239. *(uint8_t*)0x200000d8 = 0;
  240. *(uint64_t*)0x20000108 = 0x5c;
  241. *(uint64_t*)0x20000158 = 1;
  242. *(uint64_t*)0x20000160 = 0;
  243. *(uint64_t*)0x20000168 = 0;
  244. *(uint32_t*)0x20000170 = 0x4040010;
  245. syscall(__NR_sendmsg, /*fd=*/r[0], /*msg=*/0x20000140ul, /*f=MSG_OOB*/ 1ul);
  246. syscall(__NR_sendmsg, /*fd=*/-1, /*msg=*/0ul, /*f=*/0ul);
  247. syscall(__NR_sendmsg, /*fd=*/r[0], /*msg=*/0ul,
  248. /*f=MSG_PROBE|MSG_DONTWAIT*/ 0x50ul);
  249. syscall(__NR_socketpair, /*domain=AF_VSOCK*/ 0x28ul, /*type=*/0ul,
  250. /*proto=*/0, /*fds=*/0ul);
  251. syscall(__NR_sendmsg, /*fd=*/-1, /*msg=*/0ul, /*f=*/0ul);
  252. syscall(__NR_sendmsg, /*fd=*/-1, /*msg=*/0ul, /*f=*/0ul);
  253. syscall(__NR_sendmsg, /*fd=*/-1, /*msg=*/0ul, /*f=*/0ul);
  254. *(uint64_t*)0x20001880 = 0;
  255. *(uint32_t*)0x20001888 = 0;
  256. *(uint64_t*)0x20001890 = 0;
  257. *(uint64_t*)0x20001898 = 1;
  258. *(uint64_t*)0x200018a0 = 0;
  259. *(uint64_t*)0x200018a8 = 0;
  260. *(uint32_t*)0x200018b0 = 0;
  261. syscall(__NR_sendmsg, /*fd=*/-1, /*msg=*/0x20001880ul,
  262. /*f=MSG_BATCH|MSG_CONFIRM*/ 0x40800ul);
  263. syscall(__NR_ioctl, /*fd=*/-1, /*cmd=*/0x5411, /*arg=*/0ul);
  264. syscall(__NR_sendmsg, /*fd=*/-1, /*msg=*/0ul,
  265. /*f=MSG_FASTOPEN|MSG_DONTROUTE|0x40000000*/ 0x60000004ul);
  266. return 0;
  267. }
  268.  
Advertisement
Add Comment
Please, Sign In to add comment
Public Pastes
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!