API tools faq
paste
Advertisement
qaqaq

Untitled

qaqaq
Sep 23rd, 2022
69
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 26.01 KB | None | 0 0
raw download clone embed print report
  1. // autogenerated by syzkaller (https://github.com/google/syzkaller)
  2.  
  3. #define _GNU_SOURCE
  4.  
  5. #include <endian.h>
  6. #include <errno.h>
  7. #include <fcntl.h>
  8. #include <stddef.h>
  9. #include <stdint.h>
  10. #include <stdio.h>
  11. #include <stdlib.h>
  12. #include <string.h>
  13. #include <sys/ioctl.h>
  14. #include <sys/mount.h>
  15. #include <sys/stat.h>
  16. #include <sys/syscall.h>
  17. #include <sys/types.h>
  18. #include <unistd.h>
  19. #include <usbg/function/hid.h>
  20. #include <usbg/function/loopback.h>
  21. #include <usbg/function/midi.h>
  22. #include <usbg/function/ms.h>
  23. #include <usbg/function/net.h>
  24. #include <usbg/function/printer.h>
  25. #include <usbg/usbg.h>
  26.  
  27. #include <linux/loop.h>
  28. #include <linux/usb/ch9.h>
  29.  
  30. #ifndef __NR_memfd_create
  31. #define __NR_memfd_create 319
  32. #endif
  33.  
  34. static unsigned long long procid;
  35.  
  36. #define BITMASK(bf_off, bf_len) (((1ull << (bf_len)) - 1) << (bf_off))
  37. #define STORE_BY_BITMASK(type, htobe, addr, val, bf_off, bf_len) \
  38. *(type*)(addr) = \
  39. htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | \
  40. (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len))))
  41.  
  42. #define MAX_FUNC_NUM 2
  43. #define MAX_DEVICE_NUM 8
  44. union usbg_function_attr {
  45. int default_attr;
  46. struct usbg_f_midi_attrs midi_attr;
  47. struct usbg_f_ms_attrs ms_attr;
  48. struct usbg_f_net_attrs net_attr;
  49. struct usbg_f_printer_attrs printer_attr;
  50. struct usbg_f_loopback_attrs loopback_attr;
  51. struct usbg_f_hid_attrs hid_attr;
  52. };
  53. struct usbg_func_config {
  54. usbg_function_type f_type;
  55. union usbg_function_attr f_attrs;
  56. };
  57.  
  58. struct usb_gadget_device {
  59. struct usbg_gadget_attrs* g_attrs;
  60. struct usbg_config_attrs* c_attrs;
  61. int func_num;
  62. struct usbg_func_config func_conf[MAX_FUNC_NUM];
  63. };
  64.  
  65. struct usb_gadget_device usb_device[MAX_DEVICE_NUM];
  66. struct usbg_gadget_strs g_strs = {.manufacturer = (char*)"Foo Inc.",
  67. .product = (char*)"Bar Gadget",
  68. .serial = (char*)"12345678"};
  69.  
  70. struct usbg_config_strs c_strs = {.configuration = (char*)"1xMIDI"};
  71.  
  72. static int remove_gadget(usbg_gadget* g)
  73. {
  74. int usbg_ret;
  75. usbg_udc* u;
  76. /* Check if gadget is enabled */
  77. u = usbg_get_gadget_udc(g);
  78. /* If gadget is enable we have to disable it first */
  79. if (u) {
  80. usbg_ret = usbg_disable_gadget(g);
  81. if (usbg_ret != USBG_SUCCESS) {
  82. fprintf(stderr, "Error on disable gadget udc\n");
  83. fprintf(stderr, "Error: %s : %s\n", usbg_error_name((usbg_error)usbg_ret),
  84. usbg_strerror((usbg_error)usbg_ret));
  85. goto out;
  86. }
  87. }
  88. /* Remove gadget with USBG_RM_RECURSE flag to remove
  89. * also its configurations, functions and strings */
  90. usbg_ret = usbg_rm_gadget(g, USBG_RM_RECURSE);
  91. if (usbg_ret != USBG_SUCCESS) {
  92. fprintf(stderr, "Error on gadget remove\n");
  93. fprintf(stderr, "Error: %s : %s\n", usbg_error_name((usbg_error)usbg_ret),
  94. usbg_strerror((usbg_error)usbg_ret));
  95. }
  96.  
  97. out:
  98. return usbg_ret;
  99. }
  100. static volatile long syz_detach_gadget_impl(int uid)
  101. {
  102. int usbg_ret;
  103. int ret = -1;
  104. usbg_state* s;
  105. usbg_gadget* g;
  106. const char* g_name;
  107. char g_name_target[10];
  108. sprintf(g_name_target, "g%d", uid);
  109. usbg_ret = usbg_init("/sys/kernel/config", &s);
  110. if (usbg_ret != USBG_SUCCESS) {
  111. fprintf(stderr, "Error on USB state init\n");
  112. fprintf(stderr, "Error: %s : %s\n", usbg_error_name((usbg_error)usbg_ret),
  113. usbg_strerror((usbg_error)usbg_ret));
  114. goto out1;
  115. }
  116. g = usbg_get_first_gadget(s);
  117. while (g != NULL) {
  118. /* Get current gadget attrs to be compared */
  119. g_name = usbg_get_gadget_name(g);
  120. /* Compare name with given values and remove if suitable */
  121. if (strcmp(g_name, g_name_target) == 0) {
  122. usbg_gadget* g_next = usbg_get_next_gadget(g);
  123. usbg_ret = remove_gadget(g);
  124. if (usbg_ret != USBG_SUCCESS)
  125. goto out2;
  126. g = g_next;
  127. } else {
  128. g = usbg_get_next_gadget(g);
  129. }
  130. }
  131. usleep(500000);
  132. ret = 0;
  133.  
  134. out2:
  135. usbg_cleanup(s);
  136. out1:
  137. return ret;
  138. }
  139.  
  140. static volatile long syz_attach_gadget_impl(struct usb_gadget_device* dev,
  141. int uid)
  142. {
  143. syz_detach_gadget_impl(uid);
  144. usbg_state* s;
  145. usbg_gadget* g;
  146. usbg_config* c;
  147. usbg_function* f[MAX_FUNC_NUM];
  148. usbg_udc* u;
  149. int ret = -1;
  150. int usbg_ret;
  151. char g_name[10];
  152. sprintf(g_name, "g%d", uid);
  153. usbg_ret = usbg_init("/sys/kernel/config", &s);
  154. if (usbg_ret != USBG_SUCCESS) {
  155. fprintf(stderr, "Error on usbg init\n");
  156. fprintf(stderr, "Error: %s : %s\n", usbg_error_name((usbg_error)usbg_ret),
  157. usbg_strerror((usbg_error)usbg_ret));
  158. goto out1;
  159. }
  160. usbg_ret = usbg_create_gadget(s, g_name, dev->g_attrs, &g_strs, &g);
  161. if (usbg_ret != USBG_SUCCESS) {
  162. fprintf(stderr, "Error on creating gadget\n");
  163. fprintf(stderr, "Error: %s : %s\n", usbg_error_name((usbg_error)usbg_ret),
  164. usbg_strerror((usbg_error)usbg_ret));
  165. goto out2;
  166. }
  167. for (int i = 0; i < dev->func_num; i++) {
  168. char f_name[10];
  169. sprintf(f_name, "func%d", i);
  170. if (dev->func_conf[i].f_attrs.default_attr == 0xffff)
  171. usbg_ret = usbg_create_function(g, dev->func_conf[i].f_type,
  172. (char*)f_name, NULL, &f[i]);
  173. else
  174. usbg_ret =
  175. usbg_create_function(g, dev->func_conf[i].f_type, (char*)f_name,
  176. &(dev->func_conf[i].f_attrs), &f[i]);
  177. if (usbg_ret != USBG_SUCCESS) {
  178. fprintf(stderr, "Error on creating gadget func\n");
  179. fprintf(stderr, "Error: %s : %s\n", usbg_error_name((usbg_error)usbg_ret),
  180. usbg_strerror((usbg_error)usbg_ret));
  181. goto out2;
  182. }
  183. }
  184. usbg_ret = usbg_create_config(g, 1, "The only one config", dev->c_attrs,
  185. &c_strs, &c);
  186. if (usbg_ret != USBG_SUCCESS) {
  187. fprintf(stderr, "Error on creating gadget config\n");
  188. fprintf(stderr, "Error: %s : %s\n", usbg_error_name((usbg_error)usbg_ret),
  189. usbg_strerror((usbg_error)usbg_ret));
  190. goto out2;
  191. }
  192. for (int i = 0; i < dev->func_num; i++) {
  193. char f_name[10];
  194. sprintf(f_name, "f_name.%d", i);
  195. usbg_ret = usbg_add_config_function(c, (char*)f_name, f[i]);
  196. if (usbg_ret != USBG_SUCCESS) {
  197. fprintf(stderr, "Error on adding func to config\n");
  198. fprintf(stderr, "Error: %s : %s\n", usbg_error_name((usbg_error)usbg_ret),
  199. usbg_strerror((usbg_error)usbg_ret));
  200. goto out2;
  201. }
  202. }
  203. u = usbg_get_first_udc(s);
  204. if (uid > 0) {
  205. for (int i = 0; i < uid; i++) {
  206. u = usbg_get_next_udc(u);
  207. }
  208. }
  209. usbg_ret = usbg_enable_gadget(g, u);
  210. if (usbg_ret != USBG_SUCCESS) {
  211. fprintf(stderr, "Error on enabling udc\n");
  212. fprintf(stderr, "Error: %s : %s\n", usbg_error_name((usbg_error)usbg_ret),
  213. usbg_strerror((usbg_error)usbg_ret));
  214. goto out2;
  215. }
  216. ret = 0;
  217.  
  218. out2:
  219. usbg_cleanup(s);
  220.  
  221. out1:
  222. return ret;
  223. }
  224.  
  225. static void parse_dev_descriptors(const char* buffer,
  226. struct usb_gadget_device* dev)
  227. {
  228. memset(dev, 0, sizeof(*dev));
  229. dev->g_attrs = (struct usbg_gadget_attrs*)buffer;
  230. dev->c_attrs =
  231. (struct usbg_config_attrs*)(buffer + sizeof(struct usbg_gadget_attrs));
  232. dev->func_num = *(int*)(buffer + sizeof(struct usbg_gadget_attrs) +
  233. sizeof(struct usbg_config_attrs) + sizeof(int16_t));
  234. int start_attr = sizeof(struct usbg_gadget_attrs) +
  235. sizeof(struct usbg_config_attrs) + sizeof(int16_t) +
  236. 2 * sizeof(int32_t);
  237. int conf_size = 40;
  238. for (int i = 0; i < dev->func_num; i++) {
  239. dev->func_conf[i] =
  240. *(struct usbg_func_config*)(buffer + start_attr + i * conf_size);
  241. if (dev->func_conf[i].f_type == USBG_F_HID) {
  242. struct usbg_f_hid_attrs* hid_attr = &(dev->func_conf[i].f_attrs.hid_attr);
  243. struct usbg_f_hid_report_desc* report_desc = &(hid_attr->report_desc);
  244. report_desc->len = strlen(report_desc->desc);
  245. conf_size = 48;
  246. }
  247. }
  248. }
  249.  
  250. static volatile long syz_attach_gadget(volatile long a0, volatile long a1)
  251. {
  252. const char* dev = (const char*)a0;
  253. uint64_t uid = a1;
  254. parse_dev_descriptors(dev, &usb_device[uid]);
  255. return syz_attach_gadget_impl(&usb_device[uid], uid);
  256. }
  257.  
  258. static long syz_open_dev(volatile long a0, volatile long a1, volatile long a2)
  259. {
  260. if (a0 == 0xc || a0 == 0xb) {
  261. char buf[128];
  262. sprintf(buf, "/dev/%s/%d:%d", a0 == 0xc ? "char" : "block", (uint8_t)a1,
  263. (uint8_t)a2);
  264. return open(buf, O_RDWR, 0);
  265. } else {
  266. char buf[1024];
  267. char* hash;
  268. strncpy(buf, (char*)a0, sizeof(buf) - 1);
  269. buf[sizeof(buf) - 1] = 0;
  270. while ((hash = strchr(buf, '#'))) {
  271. *hash = '0' + (char)(a1 % 10);
  272. a1 /= 10;
  273. }
  274. return open(buf, a2, 0);
  275. }
  276. }
  277.  
  278. struct fs_image_segment {
  279. void* data;
  280. uintptr_t size;
  281. uintptr_t offset;
  282. };
  283.  
  284. #define IMAGE_MAX_SEGMENTS 4096
  285. #define IMAGE_MAX_SIZE (129 << 20)
  286.  
  287. static unsigned long fs_image_segment_check(unsigned long size,
  288. unsigned long nsegs,
  289. struct fs_image_segment* segs)
  290. {
  291. if (nsegs > IMAGE_MAX_SEGMENTS)
  292. nsegs = IMAGE_MAX_SEGMENTS;
  293. for (size_t i = 0; i < nsegs; i++) {
  294. if (segs[i].size > IMAGE_MAX_SIZE)
  295. segs[i].size = IMAGE_MAX_SIZE;
  296. segs[i].offset %= IMAGE_MAX_SIZE;
  297. if (segs[i].offset > IMAGE_MAX_SIZE - segs[i].size)
  298. segs[i].offset = IMAGE_MAX_SIZE - segs[i].size;
  299. if (size < segs[i].offset + segs[i].offset)
  300. size = segs[i].offset + segs[i].offset;
  301. }
  302. if (size > IMAGE_MAX_SIZE)
  303. size = IMAGE_MAX_SIZE;
  304. return size;
  305. }
  306. static int setup_loop_device(long unsigned size, long unsigned nsegs,
  307. struct fs_image_segment* segs,
  308. const char* loopname, int* memfd_p, int* loopfd_p)
  309. {
  310. int err = 0, loopfd = -1;
  311. size = fs_image_segment_check(size, nsegs, segs);
  312. int memfd = syscall(__NR_memfd_create, "syzkaller", 0);
  313. if (memfd == -1) {
  314. err = errno;
  315. goto error;
  316. }
  317. if (ftruncate(memfd, size)) {
  318. err = errno;
  319. goto error_close_memfd;
  320. }
  321. for (size_t i = 0; i < nsegs; i++) {
  322. if (pwrite(memfd, segs[i].data, segs[i].size, segs[i].offset) < 0) {
  323. }
  324. }
  325. loopfd = open(loopname, O_RDWR);
  326. if (loopfd == -1) {
  327. err = errno;
  328. goto error_close_memfd;
  329. }
  330. if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
  331. if (errno != EBUSY) {
  332. err = errno;
  333. goto error_close_loop;
  334. }
  335. ioctl(loopfd, LOOP_CLR_FD, 0);
  336. usleep(1000);
  337. if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
  338. err = errno;
  339. goto error_close_loop;
  340. }
  341. }
  342. *memfd_p = memfd;
  343. *loopfd_p = loopfd;
  344. return 0;
  345.  
  346. error_close_loop:
  347. close(loopfd);
  348. error_close_memfd:
  349. close(memfd);
  350. error:
  351. errno = err;
  352. return -1;
  353. }
  354.  
  355. static long syz_mount_image(volatile long fsarg, volatile long dir,
  356. volatile unsigned long size,
  357. volatile unsigned long nsegs,
  358. volatile long segments, volatile long flags,
  359. volatile long optsarg)
  360. {
  361. struct fs_image_segment* segs = (struct fs_image_segment*)segments;
  362. int res = -1, err = 0, loopfd = -1, memfd = -1, need_loop_device = !!segs;
  363. char* mount_opts = (char*)optsarg;
  364. char* target = (char*)dir;
  365. char* fs = (char*)fsarg;
  366. char* source = NULL;
  367. char loopname[64];
  368. if (need_loop_device) {
  369. memset(loopname, 0, sizeof(loopname));
  370. snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid);
  371. if (setup_loop_device(size, nsegs, segs, loopname, &memfd, &loopfd) == -1)
  372. return -1;
  373. source = loopname;
  374. }
  375. mkdir(target, 0777);
  376. char opts[256];
  377. memset(opts, 0, sizeof(opts));
  378. if (strlen(mount_opts) > (sizeof(opts) - 32)) {
  379. }
  380. strncpy(opts, mount_opts, sizeof(opts) - 32);
  381. if (strcmp(fs, "iso9660") == 0) {
  382. flags |= MS_RDONLY;
  383. } else if (strncmp(fs, "ext", 3) == 0) {
  384. if (strstr(opts, "errors=panic") || strstr(opts, "errors=remount-ro") == 0)
  385. strcat(opts, ",errors=continue");
  386. } else if (strcmp(fs, "xfs") == 0) {
  387. strcat(opts, ",nouuid");
  388. }
  389. res = mount(source, target, fs, flags, opts);
  390. if (res == -1) {
  391. err = errno;
  392. goto error_clear_loop;
  393. }
  394. res = open(target, O_RDONLY | O_DIRECTORY);
  395. if (res == -1) {
  396. err = errno;
  397. }
  398.  
  399. error_clear_loop:
  400. if (need_loop_device) {
  401. ioctl(loopfd, LOOP_CLR_FD, 0);
  402. close(loopfd);
  403. close(memfd);
  404. }
  405. errno = err;
  406. return res;
  407. }
  408.  
  409. uint64_t r[7] = {0xffffffffffffffff,
  410. 0xffffffffffffffff,
  411. 0xffffffffffffffff,
  412. 0xffffffffffffffff,
  413. 0xffffffffffffffff,
  414. 0xffffffffffffffff,
  415. 0x0};
  416.  
  417. int main(void)
  418. {
  419. syscall(__NR_mmap, 0x1ffff000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul);
  420. syscall(__NR_mmap, 0x20000000ul, 0x1000000ul, 7ul, 0x32ul, -1, 0ul);
  421. syscall(__NR_mmap, 0x21000000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul);
  422. intptr_t res = 0;
  423. *(uint16_t*)0x20000080 = 0x320;
  424. *(uint8_t*)0x20000082 = 0xfe;
  425. *(uint8_t*)0x20000083 = 7;
  426. *(uint8_t*)0x20000084 = 2;
  427. *(uint8_t*)0x20000085 = 0;
  428. *(uint16_t*)0x20000086 = 0x5ac;
  429. *(uint16_t*)0x20000088 = 0x30a;
  430. *(uint16_t*)0x2000008a = 3;
  431. *(uint8_t*)0x2000008c = 0x80;
  432. *(uint8_t*)0x2000008d = 0xe2;
  433. *(uint32_t*)0x20000090 = 2;
  434. *(uint8_t*)0x20000098 = 0xd;
  435. *(uint64_t*)0x200000a0 = 9;
  436. *(uint32_t*)0x200000a8 = 0;
  437. *(uint64_t*)0x200000b0 = 0x20000000;
  438. STORE_BY_BITMASK(uint8_t, , 0x20000000, 3, 0, 2);
  439. STORE_BY_BITMASK(uint8_t, , 0x20000000, 1, 2, 2);
  440. STORE_BY_BITMASK(uint8_t, , 0x20000000, 8, 4, 4);
  441. memcpy((void*)0x20000001, "\x73\xd5\x36\xa4", 4);
  442. STORE_BY_BITMASK(uint8_t, , 0x20000005, 3, 0, 2);
  443. STORE_BY_BITMASK(uint8_t, , 0x20000005, 0, 2, 2);
  444. STORE_BY_BITMASK(uint8_t, , 0x20000005, 0xb, 4, 4);
  445. memcpy((void*)0x20000006, "\x01\xf3\x5c\xe4", 4);
  446. STORE_BY_BITMASK(uint8_t, , 0x2000000a, 3, 0, 2);
  447. STORE_BY_BITMASK(uint8_t, , 0x2000000a, 2, 2, 2);
  448. STORE_BY_BITMASK(uint8_t, , 0x2000000a, 0xa, 4, 4);
  449. memcpy((void*)0x2000000b, "\x29\xf2\x5a\x42", 4);
  450. *(uint32_t*)0x200000b8 = 0;
  451. *(uint32_t*)0x200000c0 = 0x10;
  452. *(uint32_t*)0x200000c4 = 0;
  453. *(uint8_t*)0x200000c8 = 0xd;
  454. *(uint64_t*)0x200000d0 = 4;
  455. *(uint32_t*)0x200000d8 = 0;
  456. *(uint64_t*)0x200000e0 = 0x20000040;
  457. STORE_BY_BITMASK(uint8_t, , 0x20000040, 0, 0, 2);
  458. STORE_BY_BITMASK(uint8_t, , 0x20000040, 1, 2, 2);
  459. STORE_BY_BITMASK(uint8_t, , 0x20000040, 1, 4, 4);
  460. STORE_BY_BITMASK(uint8_t, , 0x20000041, 1, 0, 2);
  461. STORE_BY_BITMASK(uint8_t, , 0x20000041, 0, 2, 2);
  462. STORE_BY_BITMASK(uint8_t, , 0x20000041, 9, 4, 4);
  463. memset((void*)0x20000042, 99, 1);
  464. STORE_BY_BITMASK(uint8_t, , 0x20000043, 1, 0, 2);
  465. STORE_BY_BITMASK(uint8_t, , 0x20000043, 1, 2, 2);
  466. STORE_BY_BITMASK(uint8_t, , 0x20000043, 4, 4, 4);
  467. memset((void*)0x20000044, 120, 1);
  468. STORE_BY_BITMASK(uint8_t, , 0x20000045, 1, 0, 2);
  469. STORE_BY_BITMASK(uint8_t, , 0x20000045, 0, 2, 2);
  470. STORE_BY_BITMASK(uint8_t, , 0x20000045, 8, 4, 4);
  471. memset((void*)0x20000046, 148, 1);
  472. STORE_BY_BITMASK(uint8_t, , 0x20000047, 1, 0, 2);
  473. STORE_BY_BITMASK(uint8_t, , 0x20000047, 2, 2, 2);
  474. STORE_BY_BITMASK(uint8_t, , 0x20000047, 0, 4, 4);
  475. memset((void*)0x20000048, 84, 1);
  476. *(uint32_t*)0x200000e8 = 0;
  477. *(uint32_t*)0x200000f0 = 0x10;
  478. *(uint32_t*)0x200000f4 = 1;
  479. syz_attach_gadget(0x20000080, 2);
  480. memcpy((void*)0x20000000, "/dev/bsg\000", 9);
  481. res =
  482. syscall(__NR_openat, 0xffffffffffffff9cul, 0x20000000ul, 0x404000ul, 0ul);
  483. if (res != -1)
  484. r[0] = res;
  485. memcpy((void*)0x20000080, "/dev/hidg0", 10);
  486. res = syscall(__NR_openat, -1, 0x20000080ul, 0x8240ul, 0x30ul);
  487. if (res != -1)
  488. r[1] = res;
  489. memcpy((void*)0x200000c0, "/dev/vcsa#\000", 11);
  490. res = -1;
  491. res = syz_open_dev(0x200000c0, 0xc489, 0x4800);
  492. if (res != -1)
  493. r[2] = res;
  494. memcpy((void*)0x20000100, "/dev/hidraw#\000", 13);
  495. res = -1;
  496. res = syz_open_dev(0x20000100, 9, 1);
  497. if (res != -1)
  498. r[3] = res;
  499. *(uint32_t*)0x20000140 = 0x10000;
  500. syscall(__NR_ioctl, r[2], 0x40086602, 0x20000140ul);
  501. syscall(__NR_ioctl, r[2], 0x540b, 1ul);
  502. *(uint8_t*)0x20000200 = 0;
  503. *(uint8_t*)0x20000201 = 0x30;
  504. *(uint16_t*)0x20000202 = 0x1000;
  505. *(uint16_t*)0x20000204 = 8;
  506. *(uint16_t*)0x20000206 = 0x73;
  507. *(uint32_t*)0x20000208 = 2;
  508. *(uint64_t*)0x20000210 = 0x20000180;
  509. memcpy((void*)0x20000180,
  510. "\x51\x8d\xad\x54\x64\xdd\xb1\xbd\xc4\x17\x80\x02\x43\x07\xb1\xb2\xc8"
  511. "\x16\xc7\x0b\x40\x7b\x77\x9b\x7d\x2e\x33\x37\xf7\xf9\xa0\x2a\x24\x9a"
  512. "\x3d\x17\xf2\x24\x4e\x06\x6c\x9a\x04\xc1\x8b\x64\x0f\x0d\x9b\x00\xd2"
  513. "\xb7\x04\xf3\x6d\x4a\xb4\x2f\x3a\x97\x1e\xfc\x19\xa8\x66\xd3\x01\xb8"
  514. "\x6c\x0e\xf2\xba\xa7\x01\x26\x92\x5a\x35\xbb\xad\x97\x15\x1a\x6c\x97"
  515. "\x99\x60\x14\xf4\x65\x0e\x69\x16\x18\x52\xc1\x9f\x27\x52\x67\x7d\x6e"
  516. "\xaf\xb0\xfd\x67\xec\x6a\x19\x69\xbd\x51\x9d\x0b\x21",
  517. 115);
  518. syscall(__NR_ioctl, r[1], 0xc0185500, 0x20000200ul);
  519. *(uint64_t*)0x20000240 = 0x7fffffff;
  520. res = syscall(__NR_signalfd4, r[3], 0x20000240ul, 8ul, 0x80800ul);
  521. if (res != -1)
  522. r[4] = res;
  523. *(uint32_t*)0x20000280 = 1;
  524. syscall(__NR_ioctl, r[4], 0x80045510, 0x20000280ul);
  525. syscall(__NR_ioctl, r[4], 0x40046629, 0x200002c0ul);
  526. *(uint32_t*)0x20000300 = 0x7ff;
  527. *(uint64_t*)0x20000308 = 4;
  528. *(uint64_t*)0x20000310 = 0x9954;
  529. *(uint64_t*)0x20000318 = 0x8000000000000001;
  530. *(uint32_t*)0x20000320 = 1;
  531. *(uint16_t*)0x20000324 = 0xfffb;
  532. *(uint16_t*)0x20000326 = 0;
  533. syscall(__NR_ioctl, r[3], 0x40286608, 0x20000300ul);
  534. *(uint32_t*)0x20000340 = 0x10;
  535. syscall(__NR_ioctl, r[1], 0x40047211, 0x20000340ul);
  536. *(uint16_t*)0x20000380 = 0x310;
  537. *(uint8_t*)0x20000382 = 0;
  538. *(uint8_t*)0x20000383 = 0;
  539. *(uint8_t*)0x20000384 = 0;
  540. *(uint8_t*)0x20000385 = 0x48;
  541. *(uint16_t*)0x20000386 = 0x8dd;
  542. *(uint16_t*)0x20000388 = 0x988;
  543. *(uint16_t*)0x2000038a = 0;
  544. *(uint8_t*)0x2000038c = 0xc0;
  545. *(uint8_t*)0x2000038d = 0x50;
  546. *(uint32_t*)0x20000390 = 1;
  547. *(uint8_t*)0x20000398 = 8;
  548. *(uint32_t*)0x200003a0 = 0xffff;
  549. syz_attach_gadget(0x20000380, 2);
  550. *(uint32_t*)0x200003c0 = 0x40;
  551. syscall(__NR_ioctl, r[1], 0xc0044d13, 0x200003c0ul);
  552. syscall(__NR_ioctl, r[0], 0x5514, 0);
  553. res = -1;
  554. res = syz_open_dev(0xc, 4, 0x14);
  555. if (res != -1)
  556. r[5] = res;
  557. *(uint64_t*)0x20000400 = 0;
  558. syscall(__NR_ioctl, r[5], 0x4008941a, 0x20000400ul);
  559. res = syscall(__NR_read, r[1], 0x20000a00ul, 0x2020ul);
  560. if (res != -1)
  561. r[6] = *(uint32_t*)0x20000a10;
  562. memcpy((void*)0x20000440, "tmpfs\000", 6);
  563. memcpy((void*)0x20000480, "./file0\000", 8);
  564. *(uint64_t*)0x20000940 = 0x200004c0;
  565. memcpy(
  566. (void*)0x200004c0,
  567. "\x31\x20\xad\x0c\x9e\x40\xc5\xc6\x2b\xf8\xcf\xde\x7a\x2c\x65\x9c\x33\x26"
  568. "\xa6\x9b\xf6\xa1\xbf\x57\x8e\x93\x49\x44\x5b\x8d\x35\xd2\x94\x45\x35\x29"
  569. "\xa9\x0a\x48\xcb\xb6\xb4\x65\x35\x5a\x0a\x3a\xf9\x5e\xca\x1c\x1b\x3d\x51"
  570. "\xec\x52\xee\xe7\x94\xaa\x80\x34\x95\xc9\xe1\x80\x84\x22\x47\x73\x56\xeb"
  571. "\xa0\x30\xfc\x1d\xc5\x7c\xe2\x94\x8c\x0d\xc7\xfb\x5d\x27\xcc\x08\x24\xec"
  572. "\x4a\x54\xd6\x0a\x7f\x43\xd3\x36\x93\x6e\x7a\x14\x59\xf4\x07\x9f\xee\x7f"
  573. "\x0b\x6e\x1c\x5c\xc8\x62\x77\x37\x8b\x01\x43\x13\xf3\xce\x32\xf2\x45\x22"
  574. "\x05\x66\xe2\xcc\x63\x55\xd2\x4a\x26\x39\x91\x46\x96\x46\x0c\xf2\xfa\x75"
  575. "\x42\xfa\x5a\xc9\x8f\x5f\x8d\xfa\x2f\xe7\x61\x2b\x6a\xc0\x00\x9d\xd5\x5d"
  576. "\xd8\xc7\x2a\x35\x04\x4b\xb5\x32\xe1\x6f\x7a\x79\x10\x1c\x4b\xee\x76\xfc"
  577. "\x0b\x9e\x01\x36\xb3\xd8\x08\x24\x92\x11\x91\x79\xaf\xfd\x8f\x7a\x55\xf6"
  578. "\x06\xbe\xd0\xc6\x34\x0c\xc3\x66\x90\x2b\x38\xd6\x86\x42\x23\x92\x82\xd9"
  579. "\x29\xc0\xd3\x6d\x8e\x2a\xd8\x9f\x8e\x50\xc8\x49\x76\x0e\xb8\xcb\xe6\x94"
  580. "\xf7\x23\x10\x6a\x1e\x08\x16\x3a\x78\x76",
  581. 244);
  582. *(uint64_t*)0x20000948 = 0xf4;
  583. *(uint64_t*)0x20000950 = 6;
  584. *(uint64_t*)0x20000958 = 0x200005c0;
  585. memcpy((void*)0x200005c0,
  586. "\x9b\xa7\x9b\x2b\xba\x19\xec\x4e\xf6\xe5\x17\x04\x86\x78\x99\xb0\xfd"
  587. "\xcb\xfc\x80\x03\xb8\x49\xa1\xb0\x50\xa6\xf2\x77\x8e\x41\xbf\xdb\x1f"
  588. "\xf6\xa4\x01\x1a\x62\x59\xdd\x92\xf0\x42\xe9\x7b\x29\xd0\x60\x36\x7f"
  589. "\xdc\x3b\x3e\x2e\x49\xf7\xb4\x0d\x1a\x56\x66\xb7\x87\x1d\x39\x4d\x78"
  590. "\x84\xad\x8e\x04\xb3\x39\x3a\x6b\x95\xb9\xc2\xe8\x4c\x17\x8f\x27\x4f"
  591. "\x71\xe2\xa6\x16\x7d\x7c\x2e\x04\x83\xb6\x4a\x69\xb5\x5e\xdd\xf7\x88"
  592. "\xf1\x1b\x31\x11\x75\x7a\x8e\xa8\x4c\x3e\xb1\xd1\x45\xb9\x30\x41\x3b"
  593. "\x22\xfe\x87\xe3\xd2\xaa\x92\x12\xc0\x1f\x09\x25\x5c\x1d\x67\xc2\x57"
  594. "\x9b\xb5\x6f\x85\x8b\xd6\x25\xe9\x2e\x4c\x06\x5f\xf2\x85\x07\xa2",
  595. 152);
  596. *(uint64_t*)0x20000960 = 0x98;
  597. *(uint64_t*)0x20000968 = 0xb682;
  598. *(uint64_t*)0x20000970 = 0x20000680;
  599. memcpy((void*)0x20000680,
  600. "\x28\xf8\xb7\x4f\x14\xf2\x95\x89\xba\x1b\x54\x02\xf7\x7b\x21\x12\x7d"
  601. "\x40\xc1\x72\x87\xfa\x53\xe2\x43\x76\x0a\x2a\x64\xf2\x91\x31\xa6\x28"
  602. "\x8e\x53\xcb\x9d\x87\xe2\x4c\xb0\x4c\x22\x8e\xe5\xdb\x15\x3d\x82\x02"
  603. "\x0b\x6d\x08\xbd\x9d\x2a\x75\x05\x4a\xf4\x13\xea\x5f\xe7\xec\x4c\x71"
  604. "\x40\xef\x27\xe6\x4d\x2d\xc5\x4d\xaa",
  605. 77);
  606. *(uint64_t*)0x20000978 = 0x4d;
  607. *(uint64_t*)0x20000980 = 0x11c3;
  608. *(uint64_t*)0x20000988 = 0x20000700;
  609. memcpy(
  610. (void*)0x20000700,
  611. "\x57\x20\x35\x9f\x65\x49\x7a\x53\x0b\x99\x42\xaa\xba\x1a\xf4\xcf\x66\x06"
  612. "\xd4\xa9\xc7\xfc\xa8\xd5\xf2\xbb\xa2\x20\xbf\x32\x26\x9c\xd6\x55\x44\xf4"
  613. "\x70\x9c\x7b\xb5\x11\xfb\x70\xf0\xf6\xeb\xe9\xde\x29\xb1\x27\xdf\x62\xb0"
  614. "\xa9\xf0\x23\x99\xf5\x3e\xc4\x4a\xa6\x61\xfa\xeb\x35\x57\xe4\x9d\xeb\xfe"
  615. "\xdb\xcf\x26\xc2\x9a\x66\xcc\xa5\x13\x9e\x0b\x03\xab\xb6\xb9\x3b\xa5\xe1"
  616. "\xc9\x0d\x92\xf5\xca\x4c\x60\x77\x98\x62\x29\x07\x1b\x5d\x83\x58\x70\x1e"
  617. "\xef\x45\x57\x43\x42\x5a\xfc\x53\x94\xc5\x96\x1a\xfb\x10\x1d\x2e\x8c\x12"
  618. "\xd3\xd0\xcc\x08\x21\xf2\x91\x9a\x3f\x07\x17\x4e\x75\x76\x65\xcb\x09\xd0"
  619. "\xae\x88\x5f\xf7\x47\x1b\x2a\x43\x1e\xbb\xe7\x83\xdd\x94\xec\xa2\xc2\x73"
  620. "\x72\x6a\xd0\x69\x62\xe1\xd0\x41\x73\x09\x2a\xe9\xb6\xcc\xe1\x4a\x9f\xe0"
  621. "\x6e\x2d\x42\x63\xe1\xb4\x05\x7e\x4a\x71\x19\x61\x92\xdf\x08\x9e\x57\xce"
  622. "\x85\xa0\x56\x51\x76\x55\xe0\x02\x0f\xac\xd7\x4b\x16\xf9\xaa",
  623. 213);
  624. *(uint64_t*)0x20000990 = 0xd5;
  625. *(uint64_t*)0x20000998 = 1;
  626. *(uint64_t*)0x200009a0 = 0x20000800;
  627. memcpy((void*)0x20000800, "\x8a\x57\x9f\xca\xf5", 5);
  628. *(uint64_t*)0x200009a8 = 5;
  629. *(uint64_t*)0x200009b0 = 7;
  630. *(uint64_t*)0x200009b8 = 0x20000840;
  631. memcpy(
  632. (void*)0x20000840,
  633. "\x7c\x1f\x4e\x66\x61\x3f\x53\xe4\xd6\xbc\xbb\x9c\x90\x00\x05\xe4\xd5\x29"
  634. "\xe7\xa6\x3b\xd0\x4f\xb4\xe0\x7c\x15\x26\x78\x14\xbb\x00\x1e\x61\xce\x64"
  635. "\x9e\x83\xe3\x4e\x21\x0c\x53\x16\x0f\xe0\xc3\x8a\x6f\x56\x88\xb8\xa7\xc5"
  636. "\xb9\xf6\x06\x1a\xdf\xdc\xce\x59\x0e\x39\x4e\xa1\xb9\x31\x9a\x14\x29\x2c"
  637. "\x5b\xa6\x1b\x79\x00\x33\x02\x0b\xe1\x49\xd1\xf7\x32\x1a\x7d\x6b\xb7\x52"
  638. "\x72\xfa\x4c\xf0\xda\x81\x8f\xb2\xe9\xbe\x87\x3a\x59\x5e\x2c\xe0\x7f\x2d"
  639. "\x7b\xf4\x07\x09\x06\xf1\x0a\x9f\x38\xec\x1f\xe9\x55\x78\xfe\xa4\x9e\x53"
  640. "\x51\xe4\xf5\xbf\xce\x17\x04\x77\x0d\xcf\xd3\xd9\x11\x49\x5f\xf5\x03\x9c"
  641. "\x61\x3b\xa1\x12\xce\x3f\xec\x49\xba\xd0\x9c\xbb\x2e\xb3\xbb\x3a\x1c\x15"
  642. "\x73\x76\x0c\x1f\x02\x16\xba\x48\x31\xf2\x52\xc7\x1a\x1b\x43\x56\x7d\xbf"
  643. "\x6d\x1a\xd9\x23\x26\x15\x40\xe6\x14\x81\x69\xa3\xc8\xcb\x49\xec\x37\x17"
  644. "\xcf\x57\x37\x7b\x35\x5b\xb6\xe8\xf9\x89\x30\x41\x23\x19\x20\xa8\x65\xe5"
  645. "\xd0\x64\x01\xe9\x49\x24\x8c\x20\x5b",
  646. 225);
  647. *(uint64_t*)0x200009c0 = 0xe1;
  648. *(uint64_t*)0x200009c8 = 0x18000000000;
  649. memcpy((void*)0x20004a80, "gid", 3);
  650. *(uint8_t*)0x20004a83 = 0x3d;
  651. sprintf((char*)0x20004a84, "0x%016llx", (long long)-1);
  652. *(uint8_t*)0x20004a96 = 0x2c;
  653. memcpy((void*)0x20004a97, "huge=advise", 11);
  654. *(uint8_t*)0x20004aa2 = 0x2c;
  655. memcpy((void*)0x20004aa3, "nr_inodes", 9);
  656. *(uint8_t*)0x20004aac = 0x3d;
  657. *(uint8_t*)0x20004aad = 0x34;
  658. *(uint8_t*)0x20004aae = 0x32;
  659. *(uint8_t*)0x20004aaf = 0x12;
  660. *(uint8_t*)0x20004ab0 = 0x38;
  661. *(uint8_t*)0x20004ab1 = 0x34;
  662. *(uint8_t*)0x20004ab2 = 0x78;
  663. *(uint8_t*)0x20004ab3 = 0x74;
  664. *(uint8_t*)0x20004ab4 = 0x30;
  665. *(uint8_t*)0x20004ab5 = 0x2c;
  666. memcpy((void*)0x20004ab6, "mpol", 4);
  667. *(uint8_t*)0x20004aba = 0x3d;
  668. memcpy((void*)0x20004abb, "default", 7);
  669. memcpy((void*)0x20004ac2, "=static", 7);
  670. *(uint8_t*)0x20004ac9 = 0x3a;
  671. *(uint8_t*)0x20004aca = 0x39;
  672. *(uint8_t*)0x20004acb = 0x34;
  673. *(uint8_t*)0x20004acc = 0x32;
  674. *(uint8_t*)0x20004acd = 0x2c;
  675. memcpy((void*)0x20004ace, "euid<", 5);
  676. sprintf((char*)0x20004ad3, "%020llu", (long long)r[6]);
  677. *(uint8_t*)0x20004ae7 = 0x2c;
  678. memcpy((void*)0x20004ae8, "smackfsdef", 10);
  679. *(uint8_t*)0x20004af2 = 0x3d;
  680. memcpy((void*)0x20004af3, "/dev/amidi.", 11);
  681. *(uint8_t*)0x20004afe = 0x2c;
  682. memcpy((void*)0x20004aff, "fscontext", 9);
  683. *(uint8_t*)0x20004b08 = 0x3d;
  684. memcpy((void*)0x20004b09, "user_u", 6);
  685. *(uint8_t*)0x20004b0f = 0x2c;
  686. memcpy((void*)0x20004b10, "fscontext", 9);
  687. *(uint8_t*)0x20004b19 = 0x3d;
  688. memcpy((void*)0x20004b1a, "user_u", 6);
  689. *(uint8_t*)0x20004b20 = 0x2c;
  690. memcpy((void*)0x20004b21, "euid<", 5);
  691. sprintf((char*)0x20004b26, "%020llu", (long long)0);
  692. *(uint8_t*)0x20004b3a = 0x2c;
  693. memcpy((void*)0x20004b3b, "appraise", 8);
  694. *(uint8_t*)0x20004b43 = 0x2c;
  695. memcpy((void*)0x20004b44, "obj_type", 8);
  696. *(uint8_t*)0x20004b4c = 0x3d;
  697. memcpy((void*)0x20004b4d, "/dev/hidg1", 10);
  698. *(uint8_t*)0x20004b57 = 0x2c;
  699. memcpy((void*)0x20004b58, "obj_role", 8);
  700. *(uint8_t*)0x20004b60 = 0x3d;
  701. memcpy((void*)0x20004b61, "/dev/bus/usb/003/002", 20);
  702. *(uint8_t*)0x20004b75 = 0x2c;
  703. memcpy((void*)0x20004b76, "smackfstransmute", 16);
  704. *(uint8_t*)0x20004b86 = 0x3d;
  705. memcpy((void*)0x20004b87, "/dev/hidraw0", 12);
  706. *(uint8_t*)0x20004b93 = 0x2c;
  707. *(uint8_t*)0x20004b94 = 0;
  708. syz_mount_image(0x20000440, 0x20000480, 5, 6, 0x20000940, 0x11001,
  709. 0x20004a80);
  710. return 0;
  711. }
  712.  
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!