API tools faq
paste
Advertisement
Guest User

Untitled

a guest
Feb 26th, 2025
29
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 52.25 KB | None | 0 0
raw download clone embed print report
  1. #define _GNU_SOURCE
  2.  
  3. #include <arpa/inet.h>
  4. #include <dirent.h>
  5. #include <endian.h>
  6. #include <errno.h>
  7. #include <fcntl.h>
  8. #include <net/if.h>
  9. #include <net/if_arp.h>
  10. #include <netinet/in.h>
  11. #include <sched.h>
  12. #include <signal.h>
  13. #include <stdarg.h>
  14. #include <stdbool.h>
  15. #include <stdint.h>
  16. #include <stdio.h>
  17. #include <stdlib.h>
  18. #include <string.h>
  19. #include <sys/ioctl.h>
  20. #include <sys/mount.h>
  21. #include <sys/prctl.h>
  22. #include <sys/resource.h>
  23. #include <sys/socket.h>
  24. #include <sys/stat.h>
  25. #include <sys/syscall.h>
  26. #include <sys/time.h>
  27. #include <sys/types.h>
  28. #include <sys/uio.h>
  29. #include <sys/wait.h>
  30. #include <time.h>
  31. #include <unistd.h>
  32.  
  33. #include <linux/capability.h>
  34. #include <linux/genetlink.h>
  35. #include <linux/if_addr.h>
  36. #include <linux/if_ether.h>
  37. #include <linux/if_link.h>
  38. #include <linux/if_tun.h>
  39. #include <linux/in6.h>
  40. #include <linux/ip.h>
  41. #include <linux/neighbour.h>
  42. #include <linux/net.h>
  43. #include <linux/netlink.h>
  44. #include <linux/rtnetlink.h>
  45. #include <linux/tcp.h>
  46. #include <linux/veth.h>
  47.  
  48. #ifndef __NR_bpf
  49. #define __NR_bpf 321
  50. #endif
  51.  
  52. static unsigned long long procid;
  53.  
  54. static void sleep_ms(uint64_t ms)
  55. {
  56. usleep(ms * 1000);
  57. }
  58.  
  59. static uint64_t current_time_ms(void)
  60. {
  61. struct timespec ts;
  62. if (clock_gettime(CLOCK_MONOTONIC, &ts))
  63. exit(1);
  64. return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
  65. }
  66.  
  67. static bool write_file(const char* file, const char* what, ...)
  68. {
  69. char buf[1024];
  70. va_list args;
  71. va_start(args, what);
  72. vsnprintf(buf, sizeof(buf), what, args);
  73. va_end(args);
  74. buf[sizeof(buf) - 1] = 0;
  75. int len = strlen(buf);
  76. int fd = open(file, O_WRONLY | O_CLOEXEC);
  77. if (fd == -1)
  78. return false;
  79. if (write(fd, buf, len) != len) {
  80. int err = errno;
  81. close(fd);
  82. errno = err;
  83. return false;
  84. }
  85. close(fd);
  86. return true;
  87. }
  88.  
  89. struct nlmsg {
  90. char* pos;
  91. int nesting;
  92. struct nlattr* nested[8];
  93. char buf[4096];
  94. };
  95.  
  96. static void netlink_init(struct nlmsg* nlmsg, int typ, int flags,
  97. const void* data, int size)
  98. {
  99. memset(nlmsg, 0, sizeof(*nlmsg));
  100. struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf;
  101. hdr->nlmsg_type = typ;
  102. hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags;
  103. memcpy(hdr + 1, data, size);
  104. nlmsg->pos = (char*)(hdr + 1) + NLMSG_ALIGN(size);
  105. }
  106.  
  107. static void netlink_attr(struct nlmsg* nlmsg, int typ, const void* data,
  108. int size)
  109. {
  110. struct nlattr* attr = (struct nlattr*)nlmsg->pos;
  111. attr->nla_len = sizeof(*attr) + size;
  112. attr->nla_type = typ;
  113. if (size > 0)
  114. memcpy(attr + 1, data, size);
  115. nlmsg->pos += NLMSG_ALIGN(attr->nla_len);
  116. }
  117.  
  118. static void netlink_nest(struct nlmsg* nlmsg, int typ)
  119. {
  120. struct nlattr* attr = (struct nlattr*)nlmsg->pos;
  121. attr->nla_type = typ;
  122. nlmsg->pos += sizeof(*attr);
  123. nlmsg->nested[nlmsg->nesting++] = attr;
  124. }
  125.  
  126. static void netlink_done(struct nlmsg* nlmsg)
  127. {
  128. struct nlattr* attr = nlmsg->nested[--nlmsg->nesting];
  129. attr->nla_len = nlmsg->pos - (char*)attr;
  130. }
  131.  
  132. static int netlink_send_ext(struct nlmsg* nlmsg, int sock, uint16_t reply_type,
  133. int* reply_len, bool dofail)
  134. {
  135. if (nlmsg->pos > nlmsg->buf + sizeof(nlmsg->buf) || nlmsg->nesting)
  136. exit(1);
  137. struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf;
  138. hdr->nlmsg_len = nlmsg->pos - nlmsg->buf;
  139. struct sockaddr_nl addr;
  140. memset(&addr, 0, sizeof(addr));
  141. addr.nl_family = AF_NETLINK;
  142. ssize_t n = sendto(sock, nlmsg->buf, hdr->nlmsg_len, 0,
  143. (struct sockaddr*)&addr, sizeof(addr));
  144. if (n != (ssize_t)hdr->nlmsg_len) {
  145. if (dofail)
  146. exit(1);
  147. return -1;
  148. }
  149. n = recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0);
  150. if (reply_len)
  151. *reply_len = 0;
  152. if (n < 0) {
  153. if (dofail)
  154. exit(1);
  155. return -1;
  156. }
  157. if (n < (ssize_t)sizeof(struct nlmsghdr)) {
  158. errno = EINVAL;
  159. if (dofail)
  160. exit(1);
  161. return -1;
  162. }
  163. if (hdr->nlmsg_type == NLMSG_DONE)
  164. return 0;
  165. if (reply_len && hdr->nlmsg_type == reply_type) {
  166. *reply_len = n;
  167. return 0;
  168. }
  169. if (n < (ssize_t)(sizeof(struct nlmsghdr) + sizeof(struct nlmsgerr))) {
  170. errno = EINVAL;
  171. if (dofail)
  172. exit(1);
  173. return -1;
  174. }
  175. if (hdr->nlmsg_type != NLMSG_ERROR) {
  176. errno = EINVAL;
  177. if (dofail)
  178. exit(1);
  179. return -1;
  180. }
  181. errno = -((struct nlmsgerr*)(hdr + 1))->error;
  182. return -errno;
  183. }
  184.  
  185. static int netlink_send(struct nlmsg* nlmsg, int sock)
  186. {
  187. return netlink_send_ext(nlmsg, sock, 0, NULL, true);
  188. }
  189.  
  190. static int netlink_query_family_id(struct nlmsg* nlmsg, int sock,
  191. const char* family_name, bool dofail)
  192. {
  193. struct genlmsghdr genlhdr;
  194. memset(&genlhdr, 0, sizeof(genlhdr));
  195. genlhdr.cmd = CTRL_CMD_GETFAMILY;
  196. netlink_init(nlmsg, GENL_ID_CTRL, 0, &genlhdr, sizeof(genlhdr));
  197. netlink_attr(nlmsg, CTRL_ATTR_FAMILY_NAME, family_name,
  198. strnlen(family_name, GENL_NAMSIZ - 1) + 1);
  199. int n = 0;
  200. int err = netlink_send_ext(nlmsg, sock, GENL_ID_CTRL, &n, dofail);
  201. if (err < 0) {
  202. return -1;
  203. }
  204. uint16_t id = 0;
  205. struct nlattr* attr = (struct nlattr*)(nlmsg->buf + NLMSG_HDRLEN +
  206. NLMSG_ALIGN(sizeof(genlhdr)));
  207. for (; (char*)attr < nlmsg->buf + n;
  208. attr = (struct nlattr*)((char*)attr + NLMSG_ALIGN(attr->nla_len))) {
  209. if (attr->nla_type == CTRL_ATTR_FAMILY_ID) {
  210. id = *(uint16_t*)(attr + 1);
  211. break;
  212. }
  213. }
  214. if (!id) {
  215. errno = EINVAL;
  216. return -1;
  217. }
  218. recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0);
  219. return id;
  220. }
  221.  
  222. static int netlink_next_msg(struct nlmsg* nlmsg, unsigned int offset,
  223. unsigned int total_len)
  224. {
  225. struct nlmsghdr* hdr = (struct nlmsghdr*)(nlmsg->buf + offset);
  226. if (offset == total_len || offset + hdr->nlmsg_len > total_len)
  227. return -1;
  228. return hdr->nlmsg_len;
  229. }
  230.  
  231. static void netlink_add_device_impl(struct nlmsg* nlmsg, const char* type,
  232. const char* name, bool up)
  233. {
  234. struct ifinfomsg hdr;
  235. memset(&hdr, 0, sizeof(hdr));
  236. if (up)
  237. hdr.ifi_flags = hdr.ifi_change = IFF_UP;
  238. netlink_init(nlmsg, RTM_NEWLINK, NLM_F_EXCL | NLM_F_CREATE, &hdr,
  239. sizeof(hdr));
  240. if (name)
  241. netlink_attr(nlmsg, IFLA_IFNAME, name, strlen(name));
  242. netlink_nest(nlmsg, IFLA_LINKINFO);
  243. netlink_attr(nlmsg, IFLA_INFO_KIND, type, strlen(type));
  244. }
  245.  
  246. static void netlink_add_device(struct nlmsg* nlmsg, int sock, const char* type,
  247. const char* name)
  248. {
  249. netlink_add_device_impl(nlmsg, type, name, false);
  250. netlink_done(nlmsg);
  251. int err = netlink_send(nlmsg, sock);
  252. if (err < 0) {
  253. }
  254. }
  255.  
  256. static void netlink_add_veth(struct nlmsg* nlmsg, int sock, const char* name,
  257. const char* peer)
  258. {
  259. netlink_add_device_impl(nlmsg, "veth", name, false);
  260. netlink_nest(nlmsg, IFLA_INFO_DATA);
  261. netlink_nest(nlmsg, VETH_INFO_PEER);
  262. nlmsg->pos += sizeof(struct ifinfomsg);
  263. netlink_attr(nlmsg, IFLA_IFNAME, peer, strlen(peer));
  264. netlink_done(nlmsg);
  265. netlink_done(nlmsg);
  266. netlink_done(nlmsg);
  267. int err = netlink_send(nlmsg, sock);
  268. if (err < 0) {
  269. }
  270. }
  271.  
  272. static void netlink_add_xfrm(struct nlmsg* nlmsg, int sock, const char* name)
  273. {
  274. netlink_add_device_impl(nlmsg, "xfrm", name, true);
  275. netlink_nest(nlmsg, IFLA_INFO_DATA);
  276. int if_id = 1;
  277. netlink_attr(nlmsg, 2, &if_id, sizeof(if_id));
  278. netlink_done(nlmsg);
  279. netlink_done(nlmsg);
  280. int err = netlink_send(nlmsg, sock);
  281. if (err < 0) {
  282. }
  283. }
  284.  
  285. static void netlink_add_hsr(struct nlmsg* nlmsg, int sock, const char* name,
  286. const char* slave1, const char* slave2)
  287. {
  288. netlink_add_device_impl(nlmsg, "hsr", name, false);
  289. netlink_nest(nlmsg, IFLA_INFO_DATA);
  290. int ifindex1 = if_nametoindex(slave1);
  291. netlink_attr(nlmsg, IFLA_HSR_SLAVE1, &ifindex1, sizeof(ifindex1));
  292. int ifindex2 = if_nametoindex(slave2);
  293. netlink_attr(nlmsg, IFLA_HSR_SLAVE2, &ifindex2, sizeof(ifindex2));
  294. netlink_done(nlmsg);
  295. netlink_done(nlmsg);
  296. int err = netlink_send(nlmsg, sock);
  297. if (err < 0) {
  298. }
  299. }
  300.  
  301. static void netlink_add_linked(struct nlmsg* nlmsg, int sock, const char* type,
  302. const char* name, const char* link)
  303. {
  304. netlink_add_device_impl(nlmsg, type, name, false);
  305. netlink_done(nlmsg);
  306. int ifindex = if_nametoindex(link);
  307. netlink_attr(nlmsg, IFLA_LINK, &ifindex, sizeof(ifindex));
  308. int err = netlink_send(nlmsg, sock);
  309. if (err < 0) {
  310. }
  311. }
  312.  
  313. static void netlink_add_vlan(struct nlmsg* nlmsg, int sock, const char* name,
  314. const char* link, uint16_t id, uint16_t proto)
  315. {
  316. netlink_add_device_impl(nlmsg, "vlan", name, false);
  317. netlink_nest(nlmsg, IFLA_INFO_DATA);
  318. netlink_attr(nlmsg, IFLA_VLAN_ID, &id, sizeof(id));
  319. netlink_attr(nlmsg, IFLA_VLAN_PROTOCOL, &proto, sizeof(proto));
  320. netlink_done(nlmsg);
  321. netlink_done(nlmsg);
  322. int ifindex = if_nametoindex(link);
  323. netlink_attr(nlmsg, IFLA_LINK, &ifindex, sizeof(ifindex));
  324. int err = netlink_send(nlmsg, sock);
  325. if (err < 0) {
  326. }
  327. }
  328.  
  329. static void netlink_add_macvlan(struct nlmsg* nlmsg, int sock, const char* name,
  330. const char* link)
  331. {
  332. netlink_add_device_impl(nlmsg, "macvlan", name, false);
  333. netlink_nest(nlmsg, IFLA_INFO_DATA);
  334. uint32_t mode = MACVLAN_MODE_BRIDGE;
  335. netlink_attr(nlmsg, IFLA_MACVLAN_MODE, &mode, sizeof(mode));
  336. netlink_done(nlmsg);
  337. netlink_done(nlmsg);
  338. int ifindex = if_nametoindex(link);
  339. netlink_attr(nlmsg, IFLA_LINK, &ifindex, sizeof(ifindex));
  340. int err = netlink_send(nlmsg, sock);
  341. if (err < 0) {
  342. }
  343. }
  344.  
  345. static void netlink_add_geneve(struct nlmsg* nlmsg, int sock, const char* name,
  346. uint32_t vni, struct in_addr* addr4,
  347. struct in6_addr* addr6)
  348. {
  349. netlink_add_device_impl(nlmsg, "geneve", name, false);
  350. netlink_nest(nlmsg, IFLA_INFO_DATA);
  351. netlink_attr(nlmsg, IFLA_GENEVE_ID, &vni, sizeof(vni));
  352. if (addr4)
  353. netlink_attr(nlmsg, IFLA_GENEVE_REMOTE, addr4, sizeof(*addr4));
  354. if (addr6)
  355. netlink_attr(nlmsg, IFLA_GENEVE_REMOTE6, addr6, sizeof(*addr6));
  356. netlink_done(nlmsg);
  357. netlink_done(nlmsg);
  358. int err = netlink_send(nlmsg, sock);
  359. if (err < 0) {
  360. }
  361. }
  362.  
  363. #define IFLA_IPVLAN_FLAGS 2
  364. #define IPVLAN_MODE_L3S 2
  365. #undef IPVLAN_F_VEPA
  366. #define IPVLAN_F_VEPA 2
  367.  
  368. static void netlink_add_ipvlan(struct nlmsg* nlmsg, int sock, const char* name,
  369. const char* link, uint16_t mode, uint16_t flags)
  370. {
  371. netlink_add_device_impl(nlmsg, "ipvlan", name, false);
  372. netlink_nest(nlmsg, IFLA_INFO_DATA);
  373. netlink_attr(nlmsg, IFLA_IPVLAN_MODE, &mode, sizeof(mode));
  374. netlink_attr(nlmsg, IFLA_IPVLAN_FLAGS, &flags, sizeof(flags));
  375. netlink_done(nlmsg);
  376. netlink_done(nlmsg);
  377. int ifindex = if_nametoindex(link);
  378. netlink_attr(nlmsg, IFLA_LINK, &ifindex, sizeof(ifindex));
  379. int err = netlink_send(nlmsg, sock);
  380. if (err < 0) {
  381. }
  382. }
  383.  
  384. static void netlink_device_change(struct nlmsg* nlmsg, int sock,
  385. const char* name, bool up, const char* master,
  386. const void* mac, int macsize,
  387. const char* new_name)
  388. {
  389. struct ifinfomsg hdr;
  390. memset(&hdr, 0, sizeof(hdr));
  391. if (up)
  392. hdr.ifi_flags = hdr.ifi_change = IFF_UP;
  393. hdr.ifi_index = if_nametoindex(name);
  394. netlink_init(nlmsg, RTM_NEWLINK, 0, &hdr, sizeof(hdr));
  395. if (new_name)
  396. netlink_attr(nlmsg, IFLA_IFNAME, new_name, strlen(new_name));
  397. if (master) {
  398. int ifindex = if_nametoindex(master);
  399. netlink_attr(nlmsg, IFLA_MASTER, &ifindex, sizeof(ifindex));
  400. }
  401. if (macsize)
  402. netlink_attr(nlmsg, IFLA_ADDRESS, mac, macsize);
  403. int err = netlink_send(nlmsg, sock);
  404. if (err < 0) {
  405. }
  406. }
  407.  
  408. static int netlink_add_addr(struct nlmsg* nlmsg, int sock, const char* dev,
  409. const void* addr, int addrsize)
  410. {
  411. struct ifaddrmsg hdr;
  412. memset(&hdr, 0, sizeof(hdr));
  413. hdr.ifa_family = addrsize == 4 ? AF_INET : AF_INET6;
  414. hdr.ifa_prefixlen = addrsize == 4 ? 24 : 120;
  415. hdr.ifa_scope = RT_SCOPE_UNIVERSE;
  416. hdr.ifa_index = if_nametoindex(dev);
  417. netlink_init(nlmsg, RTM_NEWADDR, NLM_F_CREATE | NLM_F_REPLACE, &hdr,
  418. sizeof(hdr));
  419. netlink_attr(nlmsg, IFA_LOCAL, addr, addrsize);
  420. netlink_attr(nlmsg, IFA_ADDRESS, addr, addrsize);
  421. return netlink_send(nlmsg, sock);
  422. }
  423.  
  424. static void netlink_add_addr4(struct nlmsg* nlmsg, int sock, const char* dev,
  425. const char* addr)
  426. {
  427. struct in_addr in_addr;
  428. inet_pton(AF_INET, addr, &in_addr);
  429. int err = netlink_add_addr(nlmsg, sock, dev, &in_addr, sizeof(in_addr));
  430. if (err < 0) {
  431. }
  432. }
  433.  
  434. static void netlink_add_addr6(struct nlmsg* nlmsg, int sock, const char* dev,
  435. const char* addr)
  436. {
  437. struct in6_addr in6_addr;
  438. inet_pton(AF_INET6, addr, &in6_addr);
  439. int err = netlink_add_addr(nlmsg, sock, dev, &in6_addr, sizeof(in6_addr));
  440. if (err < 0) {
  441. }
  442. }
  443.  
  444. static void netlink_add_neigh(struct nlmsg* nlmsg, int sock, const char* name,
  445. const void* addr, int addrsize, const void* mac,
  446. int macsize)
  447. {
  448. struct ndmsg hdr;
  449. memset(&hdr, 0, sizeof(hdr));
  450. hdr.ndm_family = addrsize == 4 ? AF_INET : AF_INET6;
  451. hdr.ndm_ifindex = if_nametoindex(name);
  452. hdr.ndm_state = NUD_PERMANENT;
  453. netlink_init(nlmsg, RTM_NEWNEIGH, NLM_F_EXCL | NLM_F_CREATE, &hdr,
  454. sizeof(hdr));
  455. netlink_attr(nlmsg, NDA_DST, addr, addrsize);
  456. netlink_attr(nlmsg, NDA_LLADDR, mac, macsize);
  457. int err = netlink_send(nlmsg, sock);
  458. if (err < 0) {
  459. }
  460. }
  461.  
  462. static struct nlmsg nlmsg;
  463.  
  464. static int tunfd = -1;
  465.  
  466. #define TUN_IFACE "syz_tun"
  467. #define LOCAL_MAC 0xaaaaaaaaaaaa
  468. #define REMOTE_MAC 0xaaaaaaaaaabb
  469. #define LOCAL_IPV4 "172.20.20.170"
  470. #define REMOTE_IPV4 "172.20.20.187"
  471. #define LOCAL_IPV6 "fe80::aa"
  472. #define REMOTE_IPV6 "fe80::bb"
  473.  
  474. #define IFF_NAPI 0x0010
  475.  
  476. static void initialize_tun(void)
  477. {
  478. tunfd = open("/dev/net/tun", O_RDWR | O_NONBLOCK);
  479. if (tunfd == -1) {
  480. printf("tun: can't open /dev/net/tun: please enable CONFIG_TUN=y\n");
  481. printf("otherwise fuzzing or reproducing might not work as intended\n");
  482. return;
  483. }
  484. const int kTunFd = 200;
  485. if (dup2(tunfd, kTunFd) < 0)
  486. exit(1);
  487. close(tunfd);
  488. tunfd = kTunFd;
  489. struct ifreq ifr;
  490. memset(&ifr, 0, sizeof(ifr));
  491. strncpy(ifr.ifr_name, TUN_IFACE, IFNAMSIZ);
  492. ifr.ifr_flags = IFF_TAP | IFF_NO_PI;
  493. if (ioctl(tunfd, TUNSETIFF, (void*)&ifr) < 0) {
  494. exit(1);
  495. }
  496. char sysctl[64];
  497. sprintf(sysctl, "/proc/sys/net/ipv6/conf/%s/accept_dad", TUN_IFACE);
  498. write_file(sysctl, "0");
  499. sprintf(sysctl, "/proc/sys/net/ipv6/conf/%s/router_solicitations", TUN_IFACE);
  500. write_file(sysctl, "0");
  501. int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
  502. if (sock == -1)
  503. exit(1);
  504. netlink_add_addr4(&nlmsg, sock, TUN_IFACE, LOCAL_IPV4);
  505. netlink_add_addr6(&nlmsg, sock, TUN_IFACE, LOCAL_IPV6);
  506. uint64_t macaddr = REMOTE_MAC;
  507. struct in_addr in_addr;
  508. inet_pton(AF_INET, REMOTE_IPV4, &in_addr);
  509. netlink_add_neigh(&nlmsg, sock, TUN_IFACE, &in_addr, sizeof(in_addr),
  510. &macaddr, ETH_ALEN);
  511. struct in6_addr in6_addr;
  512. inet_pton(AF_INET6, REMOTE_IPV6, &in6_addr);
  513. netlink_add_neigh(&nlmsg, sock, TUN_IFACE, &in6_addr, sizeof(in6_addr),
  514. &macaddr, ETH_ALEN);
  515. macaddr = LOCAL_MAC;
  516. netlink_device_change(&nlmsg, sock, TUN_IFACE, true, 0, &macaddr, ETH_ALEN,
  517. NULL);
  518. close(sock);
  519. }
  520.  
  521. #define DEVLINK_FAMILY_NAME "devlink"
  522.  
  523. #define DEVLINK_CMD_PORT_GET 5
  524. #define DEVLINK_ATTR_BUS_NAME 1
  525. #define DEVLINK_ATTR_DEV_NAME 2
  526. #define DEVLINK_ATTR_NETDEV_NAME 7
  527.  
  528. static struct nlmsg nlmsg2;
  529.  
  530. static void initialize_devlink_ports(const char* bus_name, const char* dev_name,
  531. const char* netdev_prefix)
  532. {
  533. struct genlmsghdr genlhdr;
  534. int len, total_len, id, err, offset;
  535. uint16_t netdev_index;
  536. int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC);
  537. if (sock == -1)
  538. exit(1);
  539. int rtsock = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
  540. if (rtsock == -1)
  541. exit(1);
  542. id = netlink_query_family_id(&nlmsg, sock, DEVLINK_FAMILY_NAME, true);
  543. if (id == -1)
  544. goto error;
  545. memset(&genlhdr, 0, sizeof(genlhdr));
  546. genlhdr.cmd = DEVLINK_CMD_PORT_GET;
  547. netlink_init(&nlmsg, id, NLM_F_DUMP, &genlhdr, sizeof(genlhdr));
  548. netlink_attr(&nlmsg, DEVLINK_ATTR_BUS_NAME, bus_name, strlen(bus_name) + 1);
  549. netlink_attr(&nlmsg, DEVLINK_ATTR_DEV_NAME, dev_name, strlen(dev_name) + 1);
  550. err = netlink_send_ext(&nlmsg, sock, id, &total_len, true);
  551. if (err < 0) {
  552. goto error;
  553. }
  554. offset = 0;
  555. netdev_index = 0;
  556. while ((len = netlink_next_msg(&nlmsg, offset, total_len)) != -1) {
  557. struct nlattr* attr = (struct nlattr*)(nlmsg.buf + offset + NLMSG_HDRLEN +
  558. NLMSG_ALIGN(sizeof(genlhdr)));
  559. for (; (char*)attr < nlmsg.buf + offset + len;
  560. attr = (struct nlattr*)((char*)attr + NLMSG_ALIGN(attr->nla_len))) {
  561. if (attr->nla_type == DEVLINK_ATTR_NETDEV_NAME) {
  562. char* port_name;
  563. char netdev_name[IFNAMSIZ];
  564. port_name = (char*)(attr + 1);
  565. snprintf(netdev_name, sizeof(netdev_name), "%s%d", netdev_prefix,
  566. netdev_index);
  567. netlink_device_change(&nlmsg2, rtsock, port_name, true, 0, 0, 0,
  568. netdev_name);
  569. break;
  570. }
  571. }
  572. offset += len;
  573. netdev_index++;
  574. }
  575. error:
  576. close(rtsock);
  577. close(sock);
  578. }
  579.  
  580. #define DEV_IPV4 "172.20.20.%d"
  581. #define DEV_IPV6 "fe80::%02x"
  582. #define DEV_MAC 0x00aaaaaaaaaa
  583.  
  584. static void netdevsim_add(unsigned int addr, unsigned int port_count)
  585. {
  586. write_file("/sys/bus/netdevsim/del_device", "%u", addr);
  587. if (write_file("/sys/bus/netdevsim/new_device", "%u %u", addr, port_count)) {
  588. char buf[32];
  589. snprintf(buf, sizeof(buf), "netdevsim%d", addr);
  590. initialize_devlink_ports("netdevsim", buf, "netdevsim");
  591. }
  592. }
  593.  
  594. #define WG_GENL_NAME "wireguard"
  595. enum wg_cmd {
  596. WG_CMD_GET_DEVICE,
  597. WG_CMD_SET_DEVICE,
  598. };
  599. enum wgdevice_attribute {
  600. WGDEVICE_A_UNSPEC,
  601. WGDEVICE_A_IFINDEX,
  602. WGDEVICE_A_IFNAME,
  603. WGDEVICE_A_PRIVATE_KEY,
  604. WGDEVICE_A_PUBLIC_KEY,
  605. WGDEVICE_A_FLAGS,
  606. WGDEVICE_A_LISTEN_PORT,
  607. WGDEVICE_A_FWMARK,
  608. WGDEVICE_A_PEERS,
  609. };
  610. enum wgpeer_attribute {
  611. WGPEER_A_UNSPEC,
  612. WGPEER_A_PUBLIC_KEY,
  613. WGPEER_A_PRESHARED_KEY,
  614. WGPEER_A_FLAGS,
  615. WGPEER_A_ENDPOINT,
  616. WGPEER_A_PERSISTENT_KEEPALIVE_INTERVAL,
  617. WGPEER_A_LAST_HANDSHAKE_TIME,
  618. WGPEER_A_RX_BYTES,
  619. WGPEER_A_TX_BYTES,
  620. WGPEER_A_ALLOWEDIPS,
  621. WGPEER_A_PROTOCOL_VERSION,
  622. };
  623. enum wgallowedip_attribute {
  624. WGALLOWEDIP_A_UNSPEC,
  625. WGALLOWEDIP_A_FAMILY,
  626. WGALLOWEDIP_A_IPADDR,
  627. WGALLOWEDIP_A_CIDR_MASK,
  628. };
  629.  
  630. static void netlink_wireguard_setup(void)
  631. {
  632. const char ifname_a[] = "wg0";
  633. const char ifname_b[] = "wg1";
  634. const char ifname_c[] = "wg2";
  635. const char private_a[] =
  636. "\xa0\x5c\xa8\x4f\x6c\x9c\x8e\x38\x53\xe2\xfd\x7a\x70\xae\x0f\xb2\x0f\xa1"
  637. "\x52\x60\x0c\xb0\x08\x45\x17\x4f\x08\x07\x6f\x8d\x78\x43";
  638. const char private_b[] =
  639. "\xb0\x80\x73\xe8\xd4\x4e\x91\xe3\xda\x92\x2c\x22\x43\x82\x44\xbb\x88\x5c"
  640. "\x69\xe2\x69\xc8\xe9\xd8\x35\xb1\x14\x29\x3a\x4d\xdc\x6e";
  641. const char private_c[] =
  642. "\xa0\xcb\x87\x9a\x47\xf5\xbc\x64\x4c\x0e\x69\x3f\xa6\xd0\x31\xc7\x4a\x15"
  643. "\x53\xb6\xe9\x01\xb9\xff\x2f\x51\x8c\x78\x04\x2f\xb5\x42";
  644. const char public_a[] =
  645. "\x97\x5c\x9d\x81\xc9\x83\xc8\x20\x9e\xe7\x81\x25\x4b\x89\x9f\x8e\xd9\x25"
  646. "\xae\x9f\x09\x23\xc2\x3c\x62\xf5\x3c\x57\xcd\xbf\x69\x1c";
  647. const char public_b[] =
  648. "\xd1\x73\x28\x99\xf6\x11\xcd\x89\x94\x03\x4d\x7f\x41\x3d\xc9\x57\x63\x0e"
  649. "\x54\x93\xc2\x85\xac\xa4\x00\x65\xcb\x63\x11\xbe\x69\x6b";
  650. const char public_c[] =
  651. "\xf4\x4d\xa3\x67\xa8\x8e\xe6\x56\x4f\x02\x02\x11\x45\x67\x27\x08\x2f\x5c"
  652. "\xeb\xee\x8b\x1b\xf5\xeb\x73\x37\x34\x1b\x45\x9b\x39\x22";
  653. const uint16_t listen_a = 20001;
  654. const uint16_t listen_b = 20002;
  655. const uint16_t listen_c = 20003;
  656. const uint16_t af_inet = AF_INET;
  657. const uint16_t af_inet6 = AF_INET6;
  658. const struct sockaddr_in endpoint_b_v4 = {
  659. .sin_family = AF_INET,
  660. .sin_port = htons(listen_b),
  661. .sin_addr = {htonl(INADDR_LOOPBACK)}};
  662. const struct sockaddr_in endpoint_c_v4 = {
  663. .sin_family = AF_INET,
  664. .sin_port = htons(listen_c),
  665. .sin_addr = {htonl(INADDR_LOOPBACK)}};
  666. struct sockaddr_in6 endpoint_a_v6 = {.sin6_family = AF_INET6,
  667. .sin6_port = htons(listen_a)};
  668. endpoint_a_v6.sin6_addr = in6addr_loopback;
  669. struct sockaddr_in6 endpoint_c_v6 = {.sin6_family = AF_INET6,
  670. .sin6_port = htons(listen_c)};
  671. endpoint_c_v6.sin6_addr = in6addr_loopback;
  672. const struct in_addr first_half_v4 = {0};
  673. const struct in_addr second_half_v4 = {(uint32_t)htonl(128 << 24)};
  674. const struct in6_addr first_half_v6 = {{{0}}};
  675. const struct in6_addr second_half_v6 = {{{0x80}}};
  676. const uint8_t half_cidr = 1;
  677. const uint16_t persistent_keepalives[] = {1, 3, 7, 9, 14, 19};
  678. struct genlmsghdr genlhdr = {.cmd = WG_CMD_SET_DEVICE, .version = 1};
  679. int sock;
  680. int id, err;
  681. sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC);
  682. if (sock == -1) {
  683. return;
  684. }
  685. id = netlink_query_family_id(&nlmsg, sock, WG_GENL_NAME, true);
  686. if (id == -1)
  687. goto error;
  688. netlink_init(&nlmsg, id, 0, &genlhdr, sizeof(genlhdr));
  689. netlink_attr(&nlmsg, WGDEVICE_A_IFNAME, ifname_a, strlen(ifname_a) + 1);
  690. netlink_attr(&nlmsg, WGDEVICE_A_PRIVATE_KEY, private_a, 32);
  691. netlink_attr(&nlmsg, WGDEVICE_A_LISTEN_PORT, &listen_a, 2);
  692. netlink_nest(&nlmsg, NLA_F_NESTED | WGDEVICE_A_PEERS);
  693. netlink_nest(&nlmsg, NLA_F_NESTED | 0);
  694. netlink_attr(&nlmsg, WGPEER_A_PUBLIC_KEY, public_b, 32);
  695. netlink_attr(&nlmsg, WGPEER_A_ENDPOINT, &endpoint_b_v4,
  696. sizeof(endpoint_b_v4));
  697. netlink_attr(&nlmsg, WGPEER_A_PERSISTENT_KEEPALIVE_INTERVAL,
  698. &persistent_keepalives[0], 2);
  699. netlink_nest(&nlmsg, NLA_F_NESTED | WGPEER_A_ALLOWEDIPS);
  700. netlink_nest(&nlmsg, NLA_F_NESTED | 0);
  701. netlink_attr(&nlmsg, WGALLOWEDIP_A_FAMILY, &af_inet, 2);
  702. netlink_attr(&nlmsg, WGALLOWEDIP_A_IPADDR, &first_half_v4,
  703. sizeof(first_half_v4));
  704. netlink_attr(&nlmsg, WGALLOWEDIP_A_CIDR_MASK, &half_cidr, 1);
  705. netlink_done(&nlmsg);
  706. netlink_nest(&nlmsg, NLA_F_NESTED | 0);
  707. netlink_attr(&nlmsg, WGALLOWEDIP_A_FAMILY, &af_inet6, 2);
  708. netlink_attr(&nlmsg, WGALLOWEDIP_A_IPADDR, &first_half_v6,
  709. sizeof(first_half_v6));
  710. netlink_attr(&nlmsg, WGALLOWEDIP_A_CIDR_MASK, &half_cidr, 1);
  711. netlink_done(&nlmsg);
  712. netlink_done(&nlmsg);
  713. netlink_done(&nlmsg);
  714. netlink_nest(&nlmsg, NLA_F_NESTED | 0);
  715. netlink_attr(&nlmsg, WGPEER_A_PUBLIC_KEY, public_c, 32);
  716. netlink_attr(&nlmsg, WGPEER_A_ENDPOINT, &endpoint_c_v6,
  717. sizeof(endpoint_c_v6));
  718. netlink_attr(&nlmsg, WGPEER_A_PERSISTENT_KEEPALIVE_INTERVAL,
  719. &persistent_keepalives[1], 2);
  720. netlink_nest(&nlmsg, NLA_F_NESTED | WGPEER_A_ALLOWEDIPS);
  721. netlink_nest(&nlmsg, NLA_F_NESTED | 0);
  722. netlink_attr(&nlmsg, WGALLOWEDIP_A_FAMILY, &af_inet, 2);
  723. netlink_attr(&nlmsg, WGALLOWEDIP_A_IPADDR, &second_half_v4,
  724. sizeof(second_half_v4));
  725. netlink_attr(&nlmsg, WGALLOWEDIP_A_CIDR_MASK, &half_cidr, 1);
  726. netlink_done(&nlmsg);
  727. netlink_nest(&nlmsg, NLA_F_NESTED | 0);
  728. netlink_attr(&nlmsg, WGALLOWEDIP_A_FAMILY, &af_inet6, 2);
  729. netlink_attr(&nlmsg, WGALLOWEDIP_A_IPADDR, &second_half_v6,
  730. sizeof(second_half_v6));
  731. netlink_attr(&nlmsg, WGALLOWEDIP_A_CIDR_MASK, &half_cidr, 1);
  732. netlink_done(&nlmsg);
  733. netlink_done(&nlmsg);
  734. netlink_done(&nlmsg);
  735. netlink_done(&nlmsg);
  736. err = netlink_send(&nlmsg, sock);
  737. if (err < 0) {
  738. }
  739. netlink_init(&nlmsg, id, 0, &genlhdr, sizeof(genlhdr));
  740. netlink_attr(&nlmsg, WGDEVICE_A_IFNAME, ifname_b, strlen(ifname_b) + 1);
  741. netlink_attr(&nlmsg, WGDEVICE_A_PRIVATE_KEY, private_b, 32);
  742. netlink_attr(&nlmsg, WGDEVICE_A_LISTEN_PORT, &listen_b, 2);
  743. netlink_nest(&nlmsg, NLA_F_NESTED | WGDEVICE_A_PEERS);
  744. netlink_nest(&nlmsg, NLA_F_NESTED | 0);
  745. netlink_attr(&nlmsg, WGPEER_A_PUBLIC_KEY, public_a, 32);
  746. netlink_attr(&nlmsg, WGPEER_A_ENDPOINT, &endpoint_a_v6,
  747. sizeof(endpoint_a_v6));
  748. netlink_attr(&nlmsg, WGPEER_A_PERSISTENT_KEEPALIVE_INTERVAL,
  749. &persistent_keepalives[2], 2);
  750. netlink_nest(&nlmsg, NLA_F_NESTED | WGPEER_A_ALLOWEDIPS);
  751. netlink_nest(&nlmsg, NLA_F_NESTED | 0);
  752. netlink_attr(&nlmsg, WGALLOWEDIP_A_FAMILY, &af_inet, 2);
  753. netlink_attr(&nlmsg, WGALLOWEDIP_A_IPADDR, &first_half_v4,
  754. sizeof(first_half_v4));
  755. netlink_attr(&nlmsg, WGALLOWEDIP_A_CIDR_MASK, &half_cidr, 1);
  756. netlink_done(&nlmsg);
  757. netlink_nest(&nlmsg, NLA_F_NESTED | 0);
  758. netlink_attr(&nlmsg, WGALLOWEDIP_A_FAMILY, &af_inet6, 2);
  759. netlink_attr(&nlmsg, WGALLOWEDIP_A_IPADDR, &first_half_v6,
  760. sizeof(first_half_v6));
  761. netlink_attr(&nlmsg, WGALLOWEDIP_A_CIDR_MASK, &half_cidr, 1);
  762. netlink_done(&nlmsg);
  763. netlink_done(&nlmsg);
  764. netlink_done(&nlmsg);
  765. netlink_nest(&nlmsg, NLA_F_NESTED | 0);
  766. netlink_attr(&nlmsg, WGPEER_A_PUBLIC_KEY, public_c, 32);
  767. netlink_attr(&nlmsg, WGPEER_A_ENDPOINT, &endpoint_c_v4,
  768. sizeof(endpoint_c_v4));
  769. netlink_attr(&nlmsg, WGPEER_A_PERSISTENT_KEEPALIVE_INTERVAL,
  770. &persistent_keepalives[3], 2);
  771. netlink_nest(&nlmsg, NLA_F_NESTED | WGPEER_A_ALLOWEDIPS);
  772. netlink_nest(&nlmsg, NLA_F_NESTED | 0);
  773. netlink_attr(&nlmsg, WGALLOWEDIP_A_FAMILY, &af_inet, 2);
  774. netlink_attr(&nlmsg, WGALLOWEDIP_A_IPADDR, &second_half_v4,
  775. sizeof(second_half_v4));
  776. netlink_attr(&nlmsg, WGALLOWEDIP_A_CIDR_MASK, &half_cidr, 1);
  777. netlink_done(&nlmsg);
  778. netlink_nest(&nlmsg, NLA_F_NESTED | 0);
  779. netlink_attr(&nlmsg, WGALLOWEDIP_A_FAMILY, &af_inet6, 2);
  780. netlink_attr(&nlmsg, WGALLOWEDIP_A_IPADDR, &second_half_v6,
  781. sizeof(second_half_v6));
  782. netlink_attr(&nlmsg, WGALLOWEDIP_A_CIDR_MASK, &half_cidr, 1);
  783. netlink_done(&nlmsg);
  784. netlink_done(&nlmsg);
  785. netlink_done(&nlmsg);
  786. netlink_done(&nlmsg);
  787. err = netlink_send(&nlmsg, sock);
  788. if (err < 0) {
  789. }
  790. netlink_init(&nlmsg, id, 0, &genlhdr, sizeof(genlhdr));
  791. netlink_attr(&nlmsg, WGDEVICE_A_IFNAME, ifname_c, strlen(ifname_c) + 1);
  792. netlink_attr(&nlmsg, WGDEVICE_A_PRIVATE_KEY, private_c, 32);
  793. netlink_attr(&nlmsg, WGDEVICE_A_LISTEN_PORT, &listen_c, 2);
  794. netlink_nest(&nlmsg, NLA_F_NESTED | WGDEVICE_A_PEERS);
  795. netlink_nest(&nlmsg, NLA_F_NESTED | 0);
  796. netlink_attr(&nlmsg, WGPEER_A_PUBLIC_KEY, public_a, 32);
  797. netlink_attr(&nlmsg, WGPEER_A_ENDPOINT, &endpoint_a_v6,
  798. sizeof(endpoint_a_v6));
  799. netlink_attr(&nlmsg, WGPEER_A_PERSISTENT_KEEPALIVE_INTERVAL,
  800. &persistent_keepalives[4], 2);
  801. netlink_nest(&nlmsg, NLA_F_NESTED | WGPEER_A_ALLOWEDIPS);
  802. netlink_nest(&nlmsg, NLA_F_NESTED | 0);
  803. netlink_attr(&nlmsg, WGALLOWEDIP_A_FAMILY, &af_inet, 2);
  804. netlink_attr(&nlmsg, WGALLOWEDIP_A_IPADDR, &first_half_v4,
  805. sizeof(first_half_v4));
  806. netlink_attr(&nlmsg, WGALLOWEDIP_A_CIDR_MASK, &half_cidr, 1);
  807. netlink_done(&nlmsg);
  808. netlink_nest(&nlmsg, NLA_F_NESTED | 0);
  809. netlink_attr(&nlmsg, WGALLOWEDIP_A_FAMILY, &af_inet6, 2);
  810. netlink_attr(&nlmsg, WGALLOWEDIP_A_IPADDR, &first_half_v6,
  811. sizeof(first_half_v6));
  812. netlink_attr(&nlmsg, WGALLOWEDIP_A_CIDR_MASK, &half_cidr, 1);
  813. netlink_done(&nlmsg);
  814. netlink_done(&nlmsg);
  815. netlink_done(&nlmsg);
  816. netlink_nest(&nlmsg, NLA_F_NESTED | 0);
  817. netlink_attr(&nlmsg, WGPEER_A_PUBLIC_KEY, public_b, 32);
  818. netlink_attr(&nlmsg, WGPEER_A_ENDPOINT, &endpoint_b_v4,
  819. sizeof(endpoint_b_v4));
  820. netlink_attr(&nlmsg, WGPEER_A_PERSISTENT_KEEPALIVE_INTERVAL,
  821. &persistent_keepalives[5], 2);
  822. netlink_nest(&nlmsg, NLA_F_NESTED | WGPEER_A_ALLOWEDIPS);
  823. netlink_nest(&nlmsg, NLA_F_NESTED | 0);
  824. netlink_attr(&nlmsg, WGALLOWEDIP_A_FAMILY, &af_inet, 2);
  825. netlink_attr(&nlmsg, WGALLOWEDIP_A_IPADDR, &second_half_v4,
  826. sizeof(second_half_v4));
  827. netlink_attr(&nlmsg, WGALLOWEDIP_A_CIDR_MASK, &half_cidr, 1);
  828. netlink_done(&nlmsg);
  829. netlink_nest(&nlmsg, NLA_F_NESTED | 0);
  830. netlink_attr(&nlmsg, WGALLOWEDIP_A_FAMILY, &af_inet6, 2);
  831. netlink_attr(&nlmsg, WGALLOWEDIP_A_IPADDR, &second_half_v6,
  832. sizeof(second_half_v6));
  833. netlink_attr(&nlmsg, WGALLOWEDIP_A_CIDR_MASK, &half_cidr, 1);
  834. netlink_done(&nlmsg);
  835. netlink_done(&nlmsg);
  836. netlink_done(&nlmsg);
  837. netlink_done(&nlmsg);
  838. err = netlink_send(&nlmsg, sock);
  839. if (err < 0) {
  840. }
  841.  
  842. error:
  843. close(sock);
  844. }
  845.  
  846. static void initialize_netdevices(void)
  847. {
  848. char netdevsim[16];
  849. sprintf(netdevsim, "netdevsim%d", (int)procid);
  850. struct {
  851. const char* type;
  852. const char* dev;
  853. } devtypes[] = {
  854. {"ip6gretap", "ip6gretap0"}, {"bridge", "bridge0"}, {"vcan", "vcan0"},
  855. {"bond", "bond0"}, {"team", "team0"}, {"dummy", "dummy0"},
  856. {"nlmon", "nlmon0"}, {"caif", "caif0"}, {"batadv", "batadv0"},
  857. {"vxcan", "vxcan1"}, {"veth", 0}, {"wireguard", "wg0"},
  858. {"wireguard", "wg1"}, {"wireguard", "wg2"},
  859. };
  860. const char* devmasters[] = {"bridge", "bond", "team", "batadv"};
  861. struct {
  862. const char* name;
  863. int macsize;
  864. bool noipv6;
  865. } devices[] = {
  866. {"lo", ETH_ALEN},
  867. {"sit0", 0},
  868. {"bridge0", ETH_ALEN},
  869. {"vcan0", 0, true},
  870. {"tunl0", 0},
  871. {"gre0", 0},
  872. {"gretap0", ETH_ALEN},
  873. {"ip_vti0", 0},
  874. {"ip6_vti0", 0},
  875. {"ip6tnl0", 0},
  876. {"ip6gre0", 0},
  877. {"ip6gretap0", ETH_ALEN},
  878. {"erspan0", ETH_ALEN},
  879. {"bond0", ETH_ALEN},
  880. {"veth0", ETH_ALEN},
  881. {"veth1", ETH_ALEN},
  882. {"team0", ETH_ALEN},
  883. {"veth0_to_bridge", ETH_ALEN},
  884. {"veth1_to_bridge", ETH_ALEN},
  885. {"veth0_to_bond", ETH_ALEN},
  886. {"veth1_to_bond", ETH_ALEN},
  887. {"veth0_to_team", ETH_ALEN},
  888. {"veth1_to_team", ETH_ALEN},
  889. {"veth0_to_hsr", ETH_ALEN},
  890. {"veth1_to_hsr", ETH_ALEN},
  891. {"hsr0", 0},
  892. {"dummy0", ETH_ALEN},
  893. {"nlmon0", 0},
  894. {"vxcan0", 0, true},
  895. {"vxcan1", 0, true},
  896. {"caif0", ETH_ALEN},
  897. {"batadv0", ETH_ALEN},
  898. {netdevsim, ETH_ALEN},
  899. {"xfrm0", ETH_ALEN},
  900. {"veth0_virt_wifi", ETH_ALEN},
  901. {"veth1_virt_wifi", ETH_ALEN},
  902. {"virt_wifi0", ETH_ALEN},
  903. {"veth0_vlan", ETH_ALEN},
  904. {"veth1_vlan", ETH_ALEN},
  905. {"vlan0", ETH_ALEN},
  906. {"vlan1", ETH_ALEN},
  907. {"macvlan0", ETH_ALEN},
  908. {"macvlan1", ETH_ALEN},
  909. {"ipvlan0", ETH_ALEN},
  910. {"ipvlan1", ETH_ALEN},
  911. {"veth0_macvtap", ETH_ALEN},
  912. {"veth1_macvtap", ETH_ALEN},
  913. {"macvtap0", ETH_ALEN},
  914. {"macsec0", ETH_ALEN},
  915. {"veth0_to_batadv", ETH_ALEN},
  916. {"veth1_to_batadv", ETH_ALEN},
  917. {"batadv_slave_0", ETH_ALEN},
  918. {"batadv_slave_1", ETH_ALEN},
  919. {"geneve0", ETH_ALEN},
  920. {"geneve1", ETH_ALEN},
  921. {"wg0", 0},
  922. {"wg1", 0},
  923. {"wg2", 0},
  924. };
  925. int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
  926. if (sock == -1)
  927. exit(1);
  928. unsigned i;
  929. for (i = 0; i < sizeof(devtypes) / sizeof(devtypes[0]); i++)
  930. netlink_add_device(&nlmsg, sock, devtypes[i].type, devtypes[i].dev);
  931. for (i = 0; i < sizeof(devmasters) / (sizeof(devmasters[0])); i++) {
  932. char master[32], slave0[32], veth0[32], slave1[32], veth1[32];
  933. sprintf(slave0, "%s_slave_0", devmasters[i]);
  934. sprintf(veth0, "veth0_to_%s", devmasters[i]);
  935. netlink_add_veth(&nlmsg, sock, slave0, veth0);
  936. sprintf(slave1, "%s_slave_1", devmasters[i]);
  937. sprintf(veth1, "veth1_to_%s", devmasters[i]);
  938. netlink_add_veth(&nlmsg, sock, slave1, veth1);
  939. sprintf(master, "%s0", devmasters[i]);
  940. netlink_device_change(&nlmsg, sock, slave0, false, master, 0, 0, NULL);
  941. netlink_device_change(&nlmsg, sock, slave1, false, master, 0, 0, NULL);
  942. }
  943. netlink_add_xfrm(&nlmsg, sock, "xfrm0");
  944. netlink_device_change(&nlmsg, sock, "bridge_slave_0", true, 0, 0, 0, NULL);
  945. netlink_device_change(&nlmsg, sock, "bridge_slave_1", true, 0, 0, 0, NULL);
  946. netlink_add_veth(&nlmsg, sock, "hsr_slave_0", "veth0_to_hsr");
  947. netlink_add_veth(&nlmsg, sock, "hsr_slave_1", "veth1_to_hsr");
  948. netlink_add_hsr(&nlmsg, sock, "hsr0", "hsr_slave_0", "hsr_slave_1");
  949. netlink_device_change(&nlmsg, sock, "hsr_slave_0", true, 0, 0, 0, NULL);
  950. netlink_device_change(&nlmsg, sock, "hsr_slave_1", true, 0, 0, 0, NULL);
  951. netlink_add_veth(&nlmsg, sock, "veth0_virt_wifi", "veth1_virt_wifi");
  952. netlink_add_linked(&nlmsg, sock, "virt_wifi", "virt_wifi0",
  953. "veth1_virt_wifi");
  954. netlink_add_veth(&nlmsg, sock, "veth0_vlan", "veth1_vlan");
  955. netlink_add_vlan(&nlmsg, sock, "vlan0", "veth0_vlan", 0, htons(ETH_P_8021Q));
  956. netlink_add_vlan(&nlmsg, sock, "vlan1", "veth0_vlan", 1, htons(ETH_P_8021AD));
  957. netlink_add_macvlan(&nlmsg, sock, "macvlan0", "veth1_vlan");
  958. netlink_add_macvlan(&nlmsg, sock, "macvlan1", "veth1_vlan");
  959. netlink_add_ipvlan(&nlmsg, sock, "ipvlan0", "veth0_vlan", IPVLAN_MODE_L2, 0);
  960. netlink_add_ipvlan(&nlmsg, sock, "ipvlan1", "veth0_vlan", IPVLAN_MODE_L3S,
  961. IPVLAN_F_VEPA);
  962. netlink_add_veth(&nlmsg, sock, "veth0_macvtap", "veth1_macvtap");
  963. netlink_add_linked(&nlmsg, sock, "macvtap", "macvtap0", "veth0_macvtap");
  964. netlink_add_linked(&nlmsg, sock, "macsec", "macsec0", "veth1_macvtap");
  965. char addr[32];
  966. sprintf(addr, DEV_IPV4, 14 + 10);
  967. struct in_addr geneve_addr4;
  968. if (inet_pton(AF_INET, addr, &geneve_addr4) <= 0)
  969. exit(1);
  970. struct in6_addr geneve_addr6;
  971. if (inet_pton(AF_INET6, "fc00::01", &geneve_addr6) <= 0)
  972. exit(1);
  973. netlink_add_geneve(&nlmsg, sock, "geneve0", 0, &geneve_addr4, 0);
  974. netlink_add_geneve(&nlmsg, sock, "geneve1", 1, 0, &geneve_addr6);
  975. netdevsim_add((int)procid, 4);
  976. netlink_wireguard_setup();
  977. for (i = 0; i < sizeof(devices) / (sizeof(devices[0])); i++) {
  978. char addr[32];
  979. sprintf(addr, DEV_IPV4, i + 10);
  980. netlink_add_addr4(&nlmsg, sock, devices[i].name, addr);
  981. if (!devices[i].noipv6) {
  982. sprintf(addr, DEV_IPV6, i + 10);
  983. netlink_add_addr6(&nlmsg, sock, devices[i].name, addr);
  984. }
  985. uint64_t macaddr = DEV_MAC + ((i + 10ull) << 40);
  986. netlink_device_change(&nlmsg, sock, devices[i].name, true, 0, &macaddr,
  987. devices[i].macsize, NULL);
  988. }
  989. close(sock);
  990. }
  991. static void initialize_netdevices_init(void)
  992. {
  993. int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
  994. if (sock == -1)
  995. exit(1);
  996. struct {
  997. const char* type;
  998. int macsize;
  999. bool noipv6;
  1000. bool noup;
  1001. } devtypes[] = {
  1002. {"nr", 7, true},
  1003. {"rose", 5, true, true},
  1004. };
  1005. unsigned i;
  1006. for (i = 0; i < sizeof(devtypes) / sizeof(devtypes[0]); i++) {
  1007. char dev[32], addr[32];
  1008. sprintf(dev, "%s%d", devtypes[i].type, (int)procid);
  1009. sprintf(addr, "172.30.%d.%d", i, (int)procid + 1);
  1010. netlink_add_addr4(&nlmsg, sock, dev, addr);
  1011. if (!devtypes[i].noipv6) {
  1012. sprintf(addr, "fe88::%02x:%02x", i, (int)procid + 1);
  1013. netlink_add_addr6(&nlmsg, sock, dev, addr);
  1014. }
  1015. int macsize = devtypes[i].macsize;
  1016. uint64_t macaddr = 0xbbbbbb +
  1017. ((unsigned long long)i << (8 * (macsize - 2))) +
  1018. (procid << (8 * (macsize - 1)));
  1019. netlink_device_change(&nlmsg, sock, dev, !devtypes[i].noup, 0, &macaddr,
  1020. macsize, NULL);
  1021. }
  1022. close(sock);
  1023. }
  1024.  
  1025. static int read_tun(char* data, int size)
  1026. {
  1027. if (tunfd < 0)
  1028. return -1;
  1029. int rv = read(tunfd, data, size);
  1030. if (rv < 0) {
  1031. if (errno == EAGAIN || errno == EBADF || errno == EBADFD)
  1032. return -1;
  1033. exit(1);
  1034. }
  1035. return rv;
  1036. }
  1037.  
  1038. static long syz_emit_ethernet(volatile long a0, volatile long a1,
  1039. volatile long a2)
  1040. {
  1041. if (tunfd < 0)
  1042. return (uintptr_t)-1;
  1043. uint32_t length = a0;
  1044. char* data = (char*)a1;
  1045. return write(tunfd, data, length);
  1046. }
  1047.  
  1048. static void flush_tun()
  1049. {
  1050. char data[1000];
  1051. while (read_tun(&data[0], sizeof(data)) != -1) {
  1052. }
  1053. }
  1054.  
  1055. #define MAX_FDS 30
  1056.  
  1057. static void setup_binderfs();
  1058. static void setup_fusectl();
  1059. static void sandbox_common_mount_tmpfs(void)
  1060. {
  1061. write_file("/proc/sys/fs/mount-max", "100000");
  1062. if (mkdir("./syz-tmp", 0777))
  1063. exit(1);
  1064. if (mount("", "./syz-tmp", "tmpfs", 0, NULL))
  1065. exit(1);
  1066. if (mkdir("./syz-tmp/newroot", 0777))
  1067. exit(1);
  1068. if (mkdir("./syz-tmp/newroot/dev", 0700))
  1069. exit(1);
  1070. unsigned bind_mount_flags = MS_BIND | MS_REC | MS_PRIVATE;
  1071. if (mount("/dev", "./syz-tmp/newroot/dev", NULL, bind_mount_flags, NULL))
  1072. exit(1);
  1073. if (mkdir("./syz-tmp/newroot/proc", 0700))
  1074. exit(1);
  1075. if (mount("syz-proc", "./syz-tmp/newroot/proc", "proc", 0, NULL))
  1076. exit(1);
  1077. if (mkdir("./syz-tmp/newroot/selinux", 0700))
  1078. exit(1);
  1079. const char* selinux_path = "./syz-tmp/newroot/selinux";
  1080. if (mount("/selinux", selinux_path, NULL, bind_mount_flags, NULL)) {
  1081. if (errno != ENOENT)
  1082. exit(1);
  1083. if (mount("/sys/fs/selinux", selinux_path, NULL, bind_mount_flags, NULL) &&
  1084. errno != ENOENT)
  1085. exit(1);
  1086. }
  1087. if (mkdir("./syz-tmp/newroot/sys", 0700))
  1088. exit(1);
  1089. if (mount("/sys", "./syz-tmp/newroot/sys", 0, bind_mount_flags, NULL))
  1090. exit(1);
  1091. if (mount("/sys/kernel/debug", "./syz-tmp/newroot/sys/kernel/debug", NULL,
  1092. bind_mount_flags, NULL) &&
  1093. errno != ENOENT)
  1094. exit(1);
  1095. if (mount("/sys/fs/smackfs", "./syz-tmp/newroot/sys/fs/smackfs", NULL,
  1096. bind_mount_flags, NULL) &&
  1097. errno != ENOENT)
  1098. exit(1);
  1099. if (mount("/proc/sys/fs/binfmt_misc",
  1100. "./syz-tmp/newroot/proc/sys/fs/binfmt_misc", NULL, bind_mount_flags,
  1101. NULL) &&
  1102. errno != ENOENT)
  1103. exit(1);
  1104. if (mkdir("./syz-tmp/pivot", 0777))
  1105. exit(1);
  1106. if (syscall(SYS_pivot_root, "./syz-tmp", "./syz-tmp/pivot")) {
  1107. if (chdir("./syz-tmp"))
  1108. exit(1);
  1109. } else {
  1110. if (chdir("/"))
  1111. exit(1);
  1112. if (umount2("./pivot", MNT_DETACH))
  1113. exit(1);
  1114. }
  1115. if (chroot("./newroot"))
  1116. exit(1);
  1117. if (chdir("/"))
  1118. exit(1);
  1119. setup_binderfs();
  1120. setup_fusectl();
  1121. }
  1122.  
  1123. static void setup_fusectl()
  1124. {
  1125. if (mount(0, "/sys/fs/fuse/connections", "fusectl", 0, 0)) {
  1126. }
  1127. }
  1128.  
  1129. static void setup_binderfs()
  1130. {
  1131. if (mkdir("/dev/binderfs", 0777)) {
  1132. }
  1133. if (mount("binder", "/dev/binderfs", "binder", 0, NULL)) {
  1134. }
  1135. if (symlink("/dev/binderfs", "./binderfs")) {
  1136. }
  1137. }
  1138.  
  1139. static void loop();
  1140.  
  1141. static void sandbox_common()
  1142. {
  1143. prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
  1144. setsid();
  1145. struct rlimit rlim;
  1146. rlim.rlim_cur = rlim.rlim_max = (200 << 20);
  1147. setrlimit(RLIMIT_AS, &rlim);
  1148. rlim.rlim_cur = rlim.rlim_max = 32 << 20;
  1149. setrlimit(RLIMIT_MEMLOCK, &rlim);
  1150. rlim.rlim_cur = rlim.rlim_max = 136 << 20;
  1151. setrlimit(RLIMIT_FSIZE, &rlim);
  1152. rlim.rlim_cur = rlim.rlim_max = 1 << 20;
  1153. setrlimit(RLIMIT_STACK, &rlim);
  1154. rlim.rlim_cur = rlim.rlim_max = 128 << 20;
  1155. setrlimit(RLIMIT_CORE, &rlim);
  1156. rlim.rlim_cur = rlim.rlim_max = 256;
  1157. setrlimit(RLIMIT_NOFILE, &rlim);
  1158. if (unshare(CLONE_NEWNS)) {
  1159. }
  1160. if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL)) {
  1161. }
  1162. if (unshare(CLONE_NEWIPC)) {
  1163. }
  1164. if (unshare(0x02000000)) {
  1165. }
  1166. if (unshare(CLONE_NEWUTS)) {
  1167. }
  1168. if (unshare(CLONE_SYSVSEM)) {
  1169. }
  1170. typedef struct {
  1171. const char* name;
  1172. const char* value;
  1173. } sysctl_t;
  1174. static const sysctl_t sysctls[] = {
  1175. {"/proc/sys/kernel/shmmax", "16777216"},
  1176. {"/proc/sys/kernel/shmall", "536870912"},
  1177. {"/proc/sys/kernel/shmmni", "1024"},
  1178. {"/proc/sys/kernel/msgmax", "8192"},
  1179. {"/proc/sys/kernel/msgmni", "1024"},
  1180. {"/proc/sys/kernel/msgmnb", "1024"},
  1181. {"/proc/sys/kernel/sem", "1024 1048576 500 1024"},
  1182. };
  1183. unsigned i;
  1184. for (i = 0; i < sizeof(sysctls) / sizeof(sysctls[0]); i++)
  1185. write_file(sysctls[i].name, sysctls[i].value);
  1186. }
  1187.  
  1188. static int wait_for_loop(int pid)
  1189. {
  1190. if (pid < 0)
  1191. exit(1);
  1192. int status = 0;
  1193. while (waitpid(-1, &status, __WALL) != pid) {
  1194. }
  1195. return WEXITSTATUS(status);
  1196. }
  1197.  
  1198. static void drop_caps(void)
  1199. {
  1200. struct __user_cap_header_struct cap_hdr = {};
  1201. struct __user_cap_data_struct cap_data[2] = {};
  1202. cap_hdr.version = _LINUX_CAPABILITY_VERSION_3;
  1203. cap_hdr.pid = getpid();
  1204. if (syscall(SYS_capget, &cap_hdr, &cap_data))
  1205. exit(1);
  1206. const int drop = (1 << CAP_SYS_PTRACE) | (1 << CAP_SYS_NICE);
  1207. cap_data[0].effective &= ~drop;
  1208. cap_data[0].permitted &= ~drop;
  1209. cap_data[0].inheritable &= ~drop;
  1210. if (syscall(SYS_capset, &cap_hdr, &cap_data))
  1211. exit(1);
  1212. }
  1213.  
  1214. static int do_sandbox_none(void)
  1215. {
  1216. if (unshare(CLONE_NEWPID)) {
  1217. }
  1218. int pid = fork();
  1219. if (pid != 0)
  1220. return wait_for_loop(pid);
  1221. sandbox_common();
  1222. drop_caps();
  1223. initialize_netdevices_init();
  1224. if (unshare(CLONE_NEWNET)) {
  1225. }
  1226. write_file("/proc/sys/net/ipv4/ping_group_range", "0 65535");
  1227. initialize_tun();
  1228. initialize_netdevices();
  1229. sandbox_common_mount_tmpfs();
  1230. loop();
  1231. exit(1);
  1232. }
  1233.  
  1234. static void kill_and_wait(int pid, int* status)
  1235. {
  1236. kill(-pid, SIGKILL);
  1237. kill(pid, SIGKILL);
  1238. for (int i = 0; i < 100; i++) {
  1239. if (waitpid(-1, status, WNOHANG | __WALL) == pid)
  1240. return;
  1241. usleep(1000);
  1242. }
  1243. DIR* dir = opendir("/sys/fs/fuse/connections");
  1244. if (dir) {
  1245. for (;;) {
  1246. struct dirent* ent = readdir(dir);
  1247. if (!ent)
  1248. break;
  1249. if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
  1250. continue;
  1251. char abort[300];
  1252. snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort",
  1253. ent->d_name);
  1254. int fd = open(abort, O_WRONLY);
  1255. if (fd == -1) {
  1256. continue;
  1257. }
  1258. if (write(fd, abort, 1) < 0) {
  1259. }
  1260. close(fd);
  1261. }
  1262. closedir(dir);
  1263. } else {
  1264. }
  1265. while (waitpid(-1, status, __WALL) != pid) {
  1266. }
  1267. }
  1268.  
  1269. static void setup_test()
  1270. {
  1271. prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
  1272. setpgrp();
  1273. write_file("/proc/self/oom_score_adj", "1000");
  1274. flush_tun();
  1275. }
  1276.  
  1277. static void close_fds()
  1278. {
  1279. for (int fd = 3; fd < MAX_FDS; fd++)
  1280. close(fd);
  1281. }
  1282.  
  1283. void enable_zswap()
  1284. {
  1285. int fd =
  1286. open("/syzcgroup/cpu/memory.compression_enabled", O_WRONLY | O_CLOEXEC);
  1287. if (fd == -1) {
  1288. return;
  1289. }
  1290. if (write(fd, "1", 1) != 1)
  1291. exit(1);
  1292. close(fd);
  1293. }
  1294.  
  1295. void setup_ext()
  1296. {
  1297. mkdir("/sys/fs/ghost", 0777);
  1298. mount(NULL, "/sys/fs/ghost", "ghost", 0, NULL);
  1299. enable_zswap();
  1300. }
  1301.  
  1302. static void execute_one(void);
  1303.  
  1304. #define WAIT_FLAGS __WALL
  1305.  
  1306. static void loop(void)
  1307. {
  1308. int iter = 0;
  1309. for (;; iter++) {
  1310. int pid = fork();
  1311. if (pid < 0)
  1312. exit(1);
  1313. if (pid == 0) {
  1314. setup_test();
  1315. execute_one();
  1316. close_fds();
  1317. exit(0);
  1318. }
  1319. int status = 0;
  1320. uint64_t start = current_time_ms();
  1321. for (;;) {
  1322. sleep_ms(10);
  1323. if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
  1324. break;
  1325. if (current_time_ms() - start < 5000)
  1326. continue;
  1327. kill_and_wait(pid, &status);
  1328. break;
  1329. }
  1330. }
  1331. }
  1332.  
  1333. uint64_t r[6] = {0xffffffffffffffff,
  1334. 0xffffffffffffffff,
  1335. 0xffffffffffffffff,
  1336. 0xffffffffffffffff,
  1337. 0x0,
  1338. 0xffffffffffffffff};
  1339.  
  1340. void execute_one(void)
  1341. {
  1342. intptr_t res = 0;
  1343. if (write(1, "executing program\n", sizeof("executing program\n") - 1)) {
  1344. }
  1345. *(uint32_t*)0x20000640 = 0x19;
  1346. *(uint32_t*)0x20000644 = 4;
  1347. *(uint32_t*)0x20000648 = 4;
  1348. *(uint32_t*)0x2000064c = 4;
  1349. *(uint32_t*)0x20000650 = 0;
  1350. *(uint32_t*)0x20000654 = -1;
  1351. *(uint32_t*)0x20000658 = 0;
  1352. memset((void*)0x2000065c, 0, 16);
  1353. *(uint32_t*)0x2000066c = 0;
  1354. *(uint32_t*)0x20000670 = -1;
  1355. *(uint32_t*)0x20000674 = 0;
  1356. *(uint32_t*)0x20000678 = 0;
  1357. *(uint32_t*)0x2000067c = 0;
  1358. *(uint64_t*)0x20000680 = 0;
  1359. *(uint32_t*)0x20000688 = 0;
  1360. *(uint32_t*)0x2000068c = 0;
  1361. res = syscall(__NR_bpf, /*cmd=*/0ul, /*arg=*/0x20000640ul, /*size=*/0x50ul);
  1362. if (res != -1)
  1363. r[0] = res;
  1364. *(uint32_t*)0x20000300 = 0;
  1365. *(uint32_t*)0x20000304 = 0xf;
  1366. *(uint64_t*)0x20000308 = 0x20000280;
  1367. memcpy((void*)0x20000280,
  1368. "\x18\x00\x00\x00\x00\x00\x00\xf2\x9b\xd4\xdb\x00\x00\x00\x00\x00\x18"
  1369. "\x11\x00\x00",
  1370. 20);
  1371. *(uint32_t*)0x20000294 = -1;
  1372. memcpy((void*)0x20000298,
  1373. "\x00\x00\x00\x00\x01\x00\x00\x00\x9e\x50\x00\x08\x14\x00\x00\x00\xb7"
  1374. "\x03\x00\x00\x00\x00\x00\x00\x85\x00\x00\x00\x33\x00\x00\x00\xb7",
  1375. 33);
  1376. *(uint64_t*)0x20000310 = 0;
  1377. *(uint32_t*)0x20000318 = 0;
  1378. *(uint32_t*)0x2000031c = 0;
  1379. *(uint64_t*)0x20000320 = 0;
  1380. *(uint32_t*)0x20000328 = 0;
  1381. *(uint32_t*)0x2000032c = 0;
  1382. memset((void*)0x20000330, 0, 16);
  1383. *(uint32_t*)0x20000340 = 0;
  1384. *(uint32_t*)0x20000344 = 0;
  1385. *(uint32_t*)0x20000348 = -1;
  1386. *(uint32_t*)0x2000034c = 0;
  1387. *(uint64_t*)0x20000350 = 0;
  1388. *(uint32_t*)0x20000358 = 0;
  1389. *(uint32_t*)0x2000035c = 0;
  1390. *(uint64_t*)0x20000360 = 0;
  1391. *(uint32_t*)0x20000368 = 0;
  1392. *(uint32_t*)0x2000036c = 0;
  1393. *(uint32_t*)0x20000370 = 0;
  1394. *(uint32_t*)0x20000374 = 0;
  1395. *(uint64_t*)0x20000378 = 0;
  1396. *(uint64_t*)0x20000380 = 0;
  1397. *(uint32_t*)0x20000388 = 0;
  1398. *(uint32_t*)0x2000038c = 0;
  1399. *(uint32_t*)0x20000390 = 0;
  1400. syscall(__NR_bpf, /*cmd=*/5ul, /*arg=*/0x20000300ul, /*size=*/0x90ul);
  1401. *(uint32_t*)0x20000040 = 0x1b;
  1402. *(uint32_t*)0x20000044 = 0;
  1403. *(uint32_t*)0x20000048 = 0;
  1404. *(uint32_t*)0x2000004c = 0x2000;
  1405. *(uint32_t*)0x20000050 = 0;
  1406. *(uint32_t*)0x20000054 = -1;
  1407. *(uint32_t*)0x20000058 = 0;
  1408. memset((void*)0x2000005c, 0, 16);
  1409. *(uint32_t*)0x2000006c = 0;
  1410. *(uint32_t*)0x20000070 = -1;
  1411. *(uint32_t*)0x20000074 = 0;
  1412. *(uint32_t*)0x20000078 = 0;
  1413. *(uint32_t*)0x2000007c = 0;
  1414. *(uint64_t*)0x20000080 = 0;
  1415. *(uint32_t*)0x20000088 = 0;
  1416. *(uint32_t*)0x2000008c = 0;
  1417. res = syscall(__NR_bpf, /*cmd=*/0x1900000000000000ul, /*arg=*/0x20000040ul,
  1418. /*size=*/0x48ul);
  1419. if (res != -1)
  1420. r[1] = res;
  1421. *(uint32_t*)0x20000100 = 0;
  1422. *(uint32_t*)0x20000104 = 7;
  1423. *(uint64_t*)0x20000108 = 0x200002c0;
  1424. memcpy((void*)0x200002c0,
  1425. "\x18\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x18"
  1426. "\x11\x00\x00",
  1427. 20);
  1428. *(uint32_t*)0x200002d4 = r[1];
  1429. memcpy((void*)0x200002d8,
  1430. "\x00\x00\x00\x00\x00\x00\x00\x00\xb7\x02\x00\x00\x00\x00\x00\x00\x85"
  1431. "\x00\x00\x00\x07\x00\x00\x00\x95",
  1432. 25);
  1433. *(uint64_t*)0x20000110 = 0;
  1434. *(uint32_t*)0x20000118 = 0;
  1435. *(uint32_t*)0x2000011c = 0;
  1436. *(uint64_t*)0x20000120 = 0;
  1437. *(uint32_t*)0x20000128 = 0;
  1438. *(uint32_t*)0x2000012c = 0;
  1439. memset((void*)0x20000130, 0, 16);
  1440. *(uint32_t*)0x20000140 = 0;
  1441. *(uint32_t*)0x20000144 = 0;
  1442. *(uint32_t*)0x20000148 = -1;
  1443. *(uint32_t*)0x2000014c = 0;
  1444. *(uint64_t*)0x20000150 = 0;
  1445. *(uint32_t*)0x20000158 = 0;
  1446. *(uint32_t*)0x2000015c = 0;
  1447. *(uint64_t*)0x20000160 = 0;
  1448. *(uint32_t*)0x20000168 = 0;
  1449. *(uint32_t*)0x2000016c = 0;
  1450. *(uint32_t*)0x20000170 = 0;
  1451. *(uint32_t*)0x20000174 = 0;
  1452. *(uint64_t*)0x20000178 = 0;
  1453. *(uint64_t*)0x20000180 = 0;
  1454. *(uint32_t*)0x20000188 = 0;
  1455. *(uint32_t*)0x2000018c = 0;
  1456. *(uint32_t*)0x20000190 = 0;
  1457. syscall(__NR_bpf, /*cmd=*/5ul, /*arg=*/0x20000100ul, /*size=*/0x90ul);
  1458. *(uint32_t*)0x200004c0 = 6;
  1459. *(uint32_t*)0x200004c4 = 0xf;
  1460. *(uint64_t*)0x200004c8 = 0x20000280;
  1461. memcpy((void*)0x20000280,
  1462. "\x18\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x18"
  1463. "\x11\x00\x00",
  1464. 20);
  1465. *(uint32_t*)0x20000294 = r[0];
  1466. memcpy((void*)0x20000298,
  1467. "\x00\x00\x00\x00\x00\x00\x00\x00\xb7\x02\x00\x00\x00", 13);
  1468. *(uint64_t*)0x200004d0 = 0x20000000;
  1469. memcpy((void*)0x20000000, "GPL\000", 4);
  1470. *(uint32_t*)0x200004d8 = 0;
  1471. *(uint32_t*)0x200004dc = 0;
  1472. *(uint64_t*)0x200004e0 = 0;
  1473. *(uint32_t*)0x200004e8 = 0;
  1474. *(uint32_t*)0x200004ec = 0;
  1475. memset((void*)0x200004f0, 0, 16);
  1476. *(uint32_t*)0x20000500 = 0;
  1477. *(uint32_t*)0x20000504 = 0;
  1478. *(uint32_t*)0x20000508 = -1;
  1479. *(uint32_t*)0x2000050c = 0;
  1480. *(uint64_t*)0x20000510 = 0;
  1481. *(uint32_t*)0x20000518 = 0;
  1482. *(uint32_t*)0x2000051c = 0;
  1483. *(uint64_t*)0x20000520 = 0;
  1484. *(uint32_t*)0x20000528 = 0;
  1485. *(uint32_t*)0x2000052c = 0;
  1486. *(uint32_t*)0x20000530 = 0;
  1487. *(uint32_t*)0x20000534 = 0;
  1488. *(uint64_t*)0x20000538 = 0;
  1489. *(uint64_t*)0x20000540 = 0;
  1490. *(uint32_t*)0x20000548 = 0;
  1491. *(uint32_t*)0x2000054c = 0;
  1492. *(uint32_t*)0x20000550 = 0;
  1493. res = syscall(__NR_bpf, /*cmd=*/5ul, /*arg=*/0x200004c0ul, /*size=*/0x90ul);
  1494. if (res != -1)
  1495. r[2] = res;
  1496. *(uint32_t*)0x20000200 = r[0];
  1497. *(uint64_t*)0x20000208 = 0x20000180;
  1498. *(uint32_t*)0x20000180 = 0;
  1499. *(uint64_t*)0x20000210 = 0x200000c0;
  1500. *(uint32_t*)0x200000c0 = r[2];
  1501. *(uint64_t*)0x20000218 = 0;
  1502. syscall(__NR_bpf, /*cmd=*/2ul, /*arg=*/0x20000200ul, /*size=*/0x20ul);
  1503. *(uint32_t*)0x20000800 = r[2];
  1504. *(uint32_t*)0x20000804 = 0x4000000;
  1505. *(uint32_t*)0x20000808 = 0;
  1506. *(uint32_t*)0x2000080c = 0;
  1507. *(uint64_t*)0x20000810 = 0;
  1508. *(uint64_t*)0x20000818 = 0;
  1509. *(uint32_t*)0x20000820 = 0x1000;
  1510. *(uint32_t*)0x20000824 = 0;
  1511. *(uint32_t*)0x20000828 = 0;
  1512. *(uint32_t*)0x2000082c = 0;
  1513. *(uint64_t*)0x20000830 = 0;
  1514. *(uint64_t*)0x20000838 = 0;
  1515. *(uint32_t*)0x20000840 = 2;
  1516. *(uint32_t*)0x20000844 = 0;
  1517. *(uint32_t*)0x20000848 = 0;
  1518. syscall(__NR_bpf, /*cmd=*/0xaul, /*arg=*/0x20000800ul, /*size=*/0x50ul);
  1519. res = syscall(__NR_socket, /*domain=*/2ul, /*type=*/1ul, /*proto=*/0);
  1520. if (res != -1)
  1521. r[3] = res;
  1522. memcpy((void*)0x20000180, "syz_tun\000\000\000\000\000\000\000\000\000", 16);
  1523. res = syscall(__NR_ioctl, /*fd=*/r[3], /*cmd=*/0x8933, /*arg=*/0x20000180ul);
  1524. if (res != -1)
  1525. r[4] = *(uint32_t*)0x20000190;
  1526. *(uint32_t*)0x20000040 = 6;
  1527. *(uint32_t*)0x20000044 = 0xc;
  1528. *(uint64_t*)0x20000048 = 0x20000100;
  1529. memcpy(
  1530. (void*)0x20000100,
  1531. "\x18\x02\x00\x00\x09\x00\x00\x00\x00\x00\x00\x00\x08\x00\x00\x00\x85\x00"
  1532. "\x00\x00\x2c\x00\x00\x00\x18\x01\x00\x00\x20\x20\x70\x37\x00\x00\x00\x00"
  1533. "\x00\x20\x20\x20\x7b\x1a\xf8\xff\x00\x00\x00\x00\xbf\xa1\x00\x00\x00\x00"
  1534. "\x00\x00\x07\x01\x00\x00\xf8\xff\xff\xff\xb7\x02\x00\x00\x08\x00\x00\x00"
  1535. "\xb7\x03\x00\x00\x00\x00\x00\x00\x85\x00\x00\x00\x06\x00\x00\x00\x95",
  1536. 89);
  1537. *(uint64_t*)0x20000050 = 0x200001c0;
  1538. memcpy((void*)0x200001c0, "GPL\000", 4);
  1539. *(uint32_t*)0x20000058 = 0;
  1540. *(uint32_t*)0x2000005c = 0;
  1541. *(uint64_t*)0x20000060 = 0;
  1542. *(uint32_t*)0x20000068 = 0;
  1543. *(uint32_t*)0x2000006c = 0;
  1544. memset((void*)0x20000070, 0, 16);
  1545. *(uint32_t*)0x20000080 = 0;
  1546. *(uint32_t*)0x20000084 = 0;
  1547. *(uint32_t*)0x20000088 = -1;
  1548. *(uint32_t*)0x2000008c = 0;
  1549. *(uint64_t*)0x20000090 = 0;
  1550. *(uint32_t*)0x20000098 = 0;
  1551. *(uint32_t*)0x2000009c = 0;
  1552. *(uint64_t*)0x200000a0 = 0;
  1553. *(uint32_t*)0x200000a8 = 0;
  1554. *(uint32_t*)0x200000ac = 0;
  1555. *(uint32_t*)0x200000b0 = 0;
  1556. *(uint32_t*)0x200000b4 = 0;
  1557. *(uint64_t*)0x200000b8 = 0;
  1558. *(uint64_t*)0x200000c0 = 0;
  1559. *(uint32_t*)0x200000c8 = 0x10;
  1560. *(uint32_t*)0x200000cc = 0;
  1561. *(uint32_t*)0x200000d0 = 0;
  1562. res = syscall(__NR_bpf, /*cmd=*/5ul, /*arg=*/0x20000040ul, /*size=*/0x90ul);
  1563. if (res != -1)
  1564. r[5] = res;
  1565. *(uint32_t*)0x20000240 = r[5];
  1566. *(uint32_t*)0x20000244 = r[4];
  1567. *(uint32_t*)0x20000248 = 0x25;
  1568. *(uint32_t*)0x2000024c = 0;
  1569. syscall(__NR_bpf, /*cmd=*/0x1cul, /*arg=*/0x20000240ul, /*size=*/0x10ul);
  1570. memset((void*)0x20001b40, 170, 5);
  1571. *(uint8_t*)0x20001b45 = 0xaa;
  1572. *(uint8_t*)0x20001b46 = 0x17;
  1573. *(uint8_t*)0x20001b47 = 0x80;
  1574. *(uint8_t*)0x20001b48 = 0xc2;
  1575. *(uint8_t*)0x20001b49 = 6;
  1576. *(uint8_t*)0x20001b4a = 5;
  1577. *(uint8_t*)0x20001b4b = 0;
  1578. *(uint16_t*)0x20001b4c = htobe16(0x11);
  1579. *(uint8_t*)0x20001b4e = 0xab;
  1580. *(uint8_t*)0x20001b4f = 0xaa;
  1581. memset((void*)0x20001b50, 101, 1);
  1582. memcpy((void*)0x20001b51, "\xc4\xa8\x59", 3);
  1583. *(uint16_t*)0x20001b54 = htobe16(0x9300);
  1584. syz_emit_ethernet(/*len=*/0x16, /*packet=*/0x20001b40, /*frags=*/0);
  1585. }
  1586. int main(void)
  1587. {
  1588. syscall(__NR_mmap, /*addr=*/0x1ffff000ul, /*len=*/0x1000ul, /*prot=*/0ul,
  1589. /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1,
  1590. /*offset=*/0ul);
  1591. syscall(__NR_mmap, /*addr=*/0x20000000ul, /*len=*/0x1000000ul,
  1592. /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul,
  1593. /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1,
  1594. /*offset=*/0ul);
  1595. syscall(__NR_mmap, /*addr=*/0x21000000ul, /*len=*/0x1000ul, /*prot=*/0ul,
  1596. /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1,
  1597. /*offset=*/0ul);
  1598. const char* reason;
  1599. (void)reason;
  1600. setup_ext();
  1601. do_sandbox_none();
  1602. return 0;
  1603. }
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!