API tools faq
paste
Advertisement
qaqaq

Untitled

qaqaq
Aug 31st, 2022
131
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 55.18 KB | None | 0 0
raw download clone embed print report
  1. #define _GNU_SOURCE
  2.  
  3. #include <arpa/inet.h>
  4. #include <dirent.h>
  5. #include <endian.h>
  6. #include <errno.h>
  7. #include <fcntl.h>
  8. #include <net/if.h>
  9. #include <net/if_arp.h>
  10. #include <netinet/in.h>
  11. #include <pthread.h>
  12. #include <sched.h>
  13. #include <signal.h>
  14. #include <stdarg.h>
  15. #include <stdbool.h>
  16. #include <stdint.h>
  17. #include <stdio.h>
  18. #include <stdlib.h>
  19. #include <string.h>
  20. #include <sys/ioctl.h>
  21. #include <sys/mount.h>
  22. #include <sys/prctl.h>
  23. #include <sys/resource.h>
  24. #include <sys/socket.h>
  25. #include <sys/stat.h>
  26. #include <sys/syscall.h>
  27. #include <sys/time.h>
  28. #include <sys/types.h>
  29. #include <sys/uio.h>
  30. #include <sys/wait.h>
  31. #include <time.h>
  32. #include <unistd.h>
  33. #include <usbg/function/hid.h>
  34. #include <usbg/function/loopback.h>
  35. #include <usbg/function/midi.h>
  36. #include <usbg/function/ms.h>
  37. #include <usbg/function/net.h>
  38. #include <usbg/function/printer.h>
  39. #include <usbg/usbg.h>
  40.  
  41. #include <linux/capability.h>
  42. #include <linux/futex.h>
  43. #include <linux/genetlink.h>
  44. #include <linux/if_addr.h>
  45. #include <linux/if_ether.h>
  46. #include <linux/if_link.h>
  47. #include <linux/if_tun.h>
  48. #include <linux/in6.h>
  49. #include <linux/ip.h>
  50. #include <linux/neighbour.h>
  51. #include <linux/net.h>
  52. #include <linux/netlink.h>
  53. #include <linux/rtnetlink.h>
  54. #include <linux/tcp.h>
  55. #include <linux/usb/ch9.h>
  56. #include <linux/veth.h>
  57.  
  58. #ifndef __NR_pwritev2
  59. #define __NR_pwritev2 328
  60. #endif
  61.  
  62. static unsigned long long procid;
  63.  
  64. static void sleep_ms(uint64_t ms)
  65. {
  66. usleep(ms * 1000);
  67. }
  68.  
  69. static uint64_t current_time_ms(void)
  70. {
  71. struct timespec ts;
  72. if (clock_gettime(CLOCK_MONOTONIC, &ts))
  73. exit(1);
  74. return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
  75. }
  76.  
  77. static void use_temporary_dir(void)
  78. {
  79. char tmpdir_template[] = "./syzkaller.XXXXXX";
  80. char* tmpdir = mkdtemp(tmpdir_template);
  81. if (!tmpdir)
  82. exit(1);
  83. if (chmod(tmpdir, 0777))
  84. exit(1);
  85. if (chdir(tmpdir))
  86. exit(1);
  87. }
  88.  
  89. static void thread_start(void* (*fn)(void*), void* arg)
  90. {
  91. pthread_t th;
  92. pthread_attr_t attr;
  93. pthread_attr_init(&attr);
  94. pthread_attr_setstacksize(&attr, 128 << 10);
  95. int i = 0;
  96. for (; i < 100; i++) {
  97. if (pthread_create(&th, &attr, fn, arg) == 0) {
  98. pthread_attr_destroy(&attr);
  99. return;
  100. }
  101. if (errno == EAGAIN) {
  102. usleep(50);
  103. continue;
  104. }
  105. break;
  106. }
  107. exit(1);
  108. }
  109.  
  110. typedef struct {
  111. int state;
  112. } event_t;
  113.  
  114. static void event_init(event_t* ev)
  115. {
  116. ev->state = 0;
  117. }
  118.  
  119. static void event_reset(event_t* ev)
  120. {
  121. ev->state = 0;
  122. }
  123.  
  124. static void event_set(event_t* ev)
  125. {
  126. if (ev->state)
  127. exit(1);
  128. __atomic_store_n(&ev->state, 1, __ATOMIC_RELEASE);
  129. syscall(SYS_futex, &ev->state, FUTEX_WAKE | FUTEX_PRIVATE_FLAG, 1000000);
  130. }
  131.  
  132. static void event_wait(event_t* ev)
  133. {
  134. while (!__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE))
  135. syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, 0);
  136. }
  137.  
  138. static int event_isset(event_t* ev)
  139. {
  140. return __atomic_load_n(&ev->state, __ATOMIC_ACQUIRE);
  141. }
  142.  
  143. static int event_timedwait(event_t* ev, uint64_t timeout)
  144. {
  145. uint64_t start = current_time_ms();
  146. uint64_t now = start;
  147. for (;;) {
  148. uint64_t remain = timeout - (now - start);
  149. struct timespec ts;
  150. ts.tv_sec = remain / 1000;
  151. ts.tv_nsec = (remain % 1000) * 1000 * 1000;
  152. syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, &ts);
  153. if (__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE))
  154. return 1;
  155. now = current_time_ms();
  156. if (now - start > timeout)
  157. return 0;
  158. }
  159. }
  160.  
  161. static bool write_file(const char* file, const char* what, ...)
  162. {
  163. char buf[1024];
  164. va_list args;
  165. va_start(args, what);
  166. vsnprintf(buf, sizeof(buf), what, args);
  167. va_end(args);
  168. buf[sizeof(buf) - 1] = 0;
  169. int len = strlen(buf);
  170. int fd = open(file, O_WRONLY | O_CLOEXEC);
  171. if (fd == -1)
  172. return false;
  173. if (write(fd, buf, len) != len) {
  174. int err = errno;
  175. close(fd);
  176. errno = err;
  177. return false;
  178. }
  179. close(fd);
  180. return true;
  181. }
  182.  
  183. struct nlmsg {
  184. char* pos;
  185. int nesting;
  186. struct nlattr* nested[8];
  187. char buf[4096];
  188. };
  189.  
  190. static void netlink_init(struct nlmsg* nlmsg, int typ, int flags,
  191. const void* data, int size)
  192. {
  193. memset(nlmsg, 0, sizeof(*nlmsg));
  194. struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf;
  195. hdr->nlmsg_type = typ;
  196. hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags;
  197. memcpy(hdr + 1, data, size);
  198. nlmsg->pos = (char*)(hdr + 1) + NLMSG_ALIGN(size);
  199. }
  200.  
  201. static void netlink_attr(struct nlmsg* nlmsg, int typ, const void* data,
  202. int size)
  203. {
  204. struct nlattr* attr = (struct nlattr*)nlmsg->pos;
  205. attr->nla_len = sizeof(*attr) + size;
  206. attr->nla_type = typ;
  207. if (size > 0)
  208. memcpy(attr + 1, data, size);
  209. nlmsg->pos += NLMSG_ALIGN(attr->nla_len);
  210. }
  211.  
  212. static void netlink_nest(struct nlmsg* nlmsg, int typ)
  213. {
  214. struct nlattr* attr = (struct nlattr*)nlmsg->pos;
  215. attr->nla_type = typ;
  216. nlmsg->pos += sizeof(*attr);
  217. nlmsg->nested[nlmsg->nesting++] = attr;
  218. }
  219.  
  220. static void netlink_done(struct nlmsg* nlmsg)
  221. {
  222. struct nlattr* attr = nlmsg->nested[--nlmsg->nesting];
  223. attr->nla_len = nlmsg->pos - (char*)attr;
  224. }
  225.  
  226. static int netlink_send_ext(struct nlmsg* nlmsg, int sock, uint16_t reply_type,
  227. int* reply_len, bool dofail)
  228. {
  229. if (nlmsg->pos > nlmsg->buf + sizeof(nlmsg->buf) || nlmsg->nesting)
  230. exit(1);
  231. struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf;
  232. hdr->nlmsg_len = nlmsg->pos - nlmsg->buf;
  233. struct sockaddr_nl addr;
  234. memset(&addr, 0, sizeof(addr));
  235. addr.nl_family = AF_NETLINK;
  236. ssize_t n = sendto(sock, nlmsg->buf, hdr->nlmsg_len, 0,
  237. (struct sockaddr*)&addr, sizeof(addr));
  238. if (n != (ssize_t)hdr->nlmsg_len) {
  239. if (dofail)
  240. exit(1);
  241. return -1;
  242. }
  243. n = recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0);
  244. if (reply_len)
  245. *reply_len = 0;
  246. if (n < 0) {
  247. if (dofail)
  248. exit(1);
  249. return -1;
  250. }
  251. if (n < (ssize_t)sizeof(struct nlmsghdr)) {
  252. errno = EINVAL;
  253. if (dofail)
  254. exit(1);
  255. return -1;
  256. }
  257. if (hdr->nlmsg_type == NLMSG_DONE)
  258. return 0;
  259. if (reply_len && hdr->nlmsg_type == reply_type) {
  260. *reply_len = n;
  261. return 0;
  262. }
  263. if (n < (ssize_t)(sizeof(struct nlmsghdr) + sizeof(struct nlmsgerr))) {
  264. errno = EINVAL;
  265. if (dofail)
  266. exit(1);
  267. return -1;
  268. }
  269. if (hdr->nlmsg_type != NLMSG_ERROR) {
  270. errno = EINVAL;
  271. if (dofail)
  272. exit(1);
  273. return -1;
  274. }
  275. errno = -((struct nlmsgerr*)(hdr + 1))->error;
  276. return -errno;
  277. }
  278.  
  279. static int netlink_send(struct nlmsg* nlmsg, int sock)
  280. {
  281. return netlink_send_ext(nlmsg, sock, 0, NULL, true);
  282. }
  283.  
  284. static int netlink_query_family_id(struct nlmsg* nlmsg, int sock,
  285. const char* family_name, bool dofail)
  286. {
  287. struct genlmsghdr genlhdr;
  288. memset(&genlhdr, 0, sizeof(genlhdr));
  289. genlhdr.cmd = CTRL_CMD_GETFAMILY;
  290. netlink_init(nlmsg, GENL_ID_CTRL, 0, &genlhdr, sizeof(genlhdr));
  291. netlink_attr(nlmsg, CTRL_ATTR_FAMILY_NAME, family_name,
  292. strnlen(family_name, GENL_NAMSIZ - 1) + 1);
  293. int n = 0;
  294. int err = netlink_send_ext(nlmsg, sock, GENL_ID_CTRL, &n, dofail);
  295. if (err < 0) {
  296. return -1;
  297. }
  298. uint16_t id = 0;
  299. struct nlattr* attr = (struct nlattr*)(nlmsg->buf + NLMSG_HDRLEN +
  300. NLMSG_ALIGN(sizeof(genlhdr)));
  301. for (; (char*)attr < nlmsg->buf + n;
  302. attr = (struct nlattr*)((char*)attr + NLMSG_ALIGN(attr->nla_len))) {
  303. if (attr->nla_type == CTRL_ATTR_FAMILY_ID) {
  304. id = *(uint16_t*)(attr + 1);
  305. break;
  306. }
  307. }
  308. if (!id) {
  309. errno = EINVAL;
  310. return -1;
  311. }
  312. recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0);
  313. return id;
  314. }
  315.  
  316. static int netlink_next_msg(struct nlmsg* nlmsg, unsigned int offset,
  317. unsigned int total_len)
  318. {
  319. struct nlmsghdr* hdr = (struct nlmsghdr*)(nlmsg->buf + offset);
  320. if (offset == total_len || offset + hdr->nlmsg_len > total_len)
  321. return -1;
  322. return hdr->nlmsg_len;
  323. }
  324.  
  325. static void netlink_add_device_impl(struct nlmsg* nlmsg, const char* type,
  326. const char* name)
  327. {
  328. struct ifinfomsg hdr;
  329. memset(&hdr, 0, sizeof(hdr));
  330. netlink_init(nlmsg, RTM_NEWLINK, NLM_F_EXCL | NLM_F_CREATE, &hdr,
  331. sizeof(hdr));
  332. if (name)
  333. netlink_attr(nlmsg, IFLA_IFNAME, name, strlen(name));
  334. netlink_nest(nlmsg, IFLA_LINKINFO);
  335. netlink_attr(nlmsg, IFLA_INFO_KIND, type, strlen(type));
  336. }
  337.  
  338. static void netlink_add_device(struct nlmsg* nlmsg, int sock, const char* type,
  339. const char* name)
  340. {
  341. netlink_add_device_impl(nlmsg, type, name);
  342. netlink_done(nlmsg);
  343. int err = netlink_send(nlmsg, sock);
  344. if (err < 0) {
  345. }
  346. }
  347.  
  348. static void netlink_add_veth(struct nlmsg* nlmsg, int sock, const char* name,
  349. const char* peer)
  350. {
  351. netlink_add_device_impl(nlmsg, "veth", name);
  352. netlink_nest(nlmsg, IFLA_INFO_DATA);
  353. netlink_nest(nlmsg, VETH_INFO_PEER);
  354. nlmsg->pos += sizeof(struct ifinfomsg);
  355. netlink_attr(nlmsg, IFLA_IFNAME, peer, strlen(peer));
  356. netlink_done(nlmsg);
  357. netlink_done(nlmsg);
  358. netlink_done(nlmsg);
  359. int err = netlink_send(nlmsg, sock);
  360. if (err < 0) {
  361. }
  362. }
  363.  
  364. static void netlink_add_hsr(struct nlmsg* nlmsg, int sock, const char* name,
  365. const char* slave1, const char* slave2)
  366. {
  367. netlink_add_device_impl(nlmsg, "hsr", name);
  368. netlink_nest(nlmsg, IFLA_INFO_DATA);
  369. int ifindex1 = if_nametoindex(slave1);
  370. netlink_attr(nlmsg, IFLA_HSR_SLAVE1, &ifindex1, sizeof(ifindex1));
  371. int ifindex2 = if_nametoindex(slave2);
  372. netlink_attr(nlmsg, IFLA_HSR_SLAVE2, &ifindex2, sizeof(ifindex2));
  373. netlink_done(nlmsg);
  374. netlink_done(nlmsg);
  375. int err = netlink_send(nlmsg, sock);
  376. if (err < 0) {
  377. }
  378. }
  379.  
  380. static void netlink_add_linked(struct nlmsg* nlmsg, int sock, const char* type,
  381. const char* name, const char* link)
  382. {
  383. netlink_add_device_impl(nlmsg, type, name);
  384. netlink_done(nlmsg);
  385. int ifindex = if_nametoindex(link);
  386. netlink_attr(nlmsg, IFLA_LINK, &ifindex, sizeof(ifindex));
  387. int err = netlink_send(nlmsg, sock);
  388. if (err < 0) {
  389. }
  390. }
  391.  
  392. static void netlink_add_vlan(struct nlmsg* nlmsg, int sock, const char* name,
  393. const char* link, uint16_t id, uint16_t proto)
  394. {
  395. netlink_add_device_impl(nlmsg, "vlan", name);
  396. netlink_nest(nlmsg, IFLA_INFO_DATA);
  397. netlink_attr(nlmsg, IFLA_VLAN_ID, &id, sizeof(id));
  398. netlink_attr(nlmsg, IFLA_VLAN_PROTOCOL, &proto, sizeof(proto));
  399. netlink_done(nlmsg);
  400. netlink_done(nlmsg);
  401. int ifindex = if_nametoindex(link);
  402. netlink_attr(nlmsg, IFLA_LINK, &ifindex, sizeof(ifindex));
  403. int err = netlink_send(nlmsg, sock);
  404. if (err < 0) {
  405. }
  406. }
  407.  
  408. static void netlink_add_macvlan(struct nlmsg* nlmsg, int sock, const char* name,
  409. const char* link)
  410. {
  411. netlink_add_device_impl(nlmsg, "macvlan", name);
  412. netlink_nest(nlmsg, IFLA_INFO_DATA);
  413. uint32_t mode = MACVLAN_MODE_BRIDGE;
  414. netlink_attr(nlmsg, IFLA_MACVLAN_MODE, &mode, sizeof(mode));
  415. netlink_done(nlmsg);
  416. netlink_done(nlmsg);
  417. int ifindex = if_nametoindex(link);
  418. netlink_attr(nlmsg, IFLA_LINK, &ifindex, sizeof(ifindex));
  419. int err = netlink_send(nlmsg, sock);
  420. if (err < 0) {
  421. }
  422. }
  423.  
  424. static void netlink_add_geneve(struct nlmsg* nlmsg, int sock, const char* name,
  425. uint32_t vni, struct in_addr* addr4,
  426. struct in6_addr* addr6)
  427. {
  428. netlink_add_device_impl(nlmsg, "geneve", name);
  429. netlink_nest(nlmsg, IFLA_INFO_DATA);
  430. netlink_attr(nlmsg, IFLA_GENEVE_ID, &vni, sizeof(vni));
  431. if (addr4)
  432. netlink_attr(nlmsg, IFLA_GENEVE_REMOTE, addr4, sizeof(*addr4));
  433. if (addr6)
  434. netlink_attr(nlmsg, IFLA_GENEVE_REMOTE6, addr6, sizeof(*addr6));
  435. netlink_done(nlmsg);
  436. netlink_done(nlmsg);
  437. int err = netlink_send(nlmsg, sock);
  438. if (err < 0) {
  439. }
  440. }
  441.  
  442. #define IFLA_IPVLAN_FLAGS 2
  443. #define IPVLAN_MODE_L3S 2
  444. #undef IPVLAN_F_VEPA
  445. #define IPVLAN_F_VEPA 2
  446.  
  447. static void netlink_add_ipvlan(struct nlmsg* nlmsg, int sock, const char* name,
  448. const char* link, uint16_t mode, uint16_t flags)
  449. {
  450. netlink_add_device_impl(nlmsg, "ipvlan", name);
  451. netlink_nest(nlmsg, IFLA_INFO_DATA);
  452. netlink_attr(nlmsg, IFLA_IPVLAN_MODE, &mode, sizeof(mode));
  453. netlink_attr(nlmsg, IFLA_IPVLAN_FLAGS, &flags, sizeof(flags));
  454. netlink_done(nlmsg);
  455. netlink_done(nlmsg);
  456. int ifindex = if_nametoindex(link);
  457. netlink_attr(nlmsg, IFLA_LINK, &ifindex, sizeof(ifindex));
  458. int err = netlink_send(nlmsg, sock);
  459. if (err < 0) {
  460. }
  461. }
  462.  
  463. static void netlink_device_change(struct nlmsg* nlmsg, int sock,
  464. const char* name, bool up, const char* master,
  465. const void* mac, int macsize,
  466. const char* new_name)
  467. {
  468. struct ifinfomsg hdr;
  469. memset(&hdr, 0, sizeof(hdr));
  470. if (up)
  471. hdr.ifi_flags = hdr.ifi_change = IFF_UP;
  472. hdr.ifi_index = if_nametoindex(name);
  473. netlink_init(nlmsg, RTM_NEWLINK, 0, &hdr, sizeof(hdr));
  474. if (new_name)
  475. netlink_attr(nlmsg, IFLA_IFNAME, new_name, strlen(new_name));
  476. if (master) {
  477. int ifindex = if_nametoindex(master);
  478. netlink_attr(nlmsg, IFLA_MASTER, &ifindex, sizeof(ifindex));
  479. }
  480. if (macsize)
  481. netlink_attr(nlmsg, IFLA_ADDRESS, mac, macsize);
  482. int err = netlink_send(nlmsg, sock);
  483. if (err < 0) {
  484. }
  485. }
  486.  
  487. static int netlink_add_addr(struct nlmsg* nlmsg, int sock, const char* dev,
  488. const void* addr, int addrsize)
  489. {
  490. struct ifaddrmsg hdr;
  491. memset(&hdr, 0, sizeof(hdr));
  492. hdr.ifa_family = addrsize == 4 ? AF_INET : AF_INET6;
  493. hdr.ifa_prefixlen = addrsize == 4 ? 24 : 120;
  494. hdr.ifa_scope = RT_SCOPE_UNIVERSE;
  495. hdr.ifa_index = if_nametoindex(dev);
  496. netlink_init(nlmsg, RTM_NEWADDR, NLM_F_CREATE | NLM_F_REPLACE, &hdr,
  497. sizeof(hdr));
  498. netlink_attr(nlmsg, IFA_LOCAL, addr, addrsize);
  499. netlink_attr(nlmsg, IFA_ADDRESS, addr, addrsize);
  500. return netlink_send(nlmsg, sock);
  501. }
  502.  
  503. static void netlink_add_addr4(struct nlmsg* nlmsg, int sock, const char* dev,
  504. const char* addr)
  505. {
  506. struct in_addr in_addr;
  507. inet_pton(AF_INET, addr, &in_addr);
  508. int err = netlink_add_addr(nlmsg, sock, dev, &in_addr, sizeof(in_addr));
  509. if (err < 0) {
  510. }
  511. }
  512.  
  513. static void netlink_add_addr6(struct nlmsg* nlmsg, int sock, const char* dev,
  514. const char* addr)
  515. {
  516. struct in6_addr in6_addr;
  517. inet_pton(AF_INET6, addr, &in6_addr);
  518. int err = netlink_add_addr(nlmsg, sock, dev, &in6_addr, sizeof(in6_addr));
  519. if (err < 0) {
  520. }
  521. }
  522.  
  523. static void netlink_add_neigh(struct nlmsg* nlmsg, int sock, const char* name,
  524. const void* addr, int addrsize, const void* mac,
  525. int macsize)
  526. {
  527. struct ndmsg hdr;
  528. memset(&hdr, 0, sizeof(hdr));
  529. hdr.ndm_family = addrsize == 4 ? AF_INET : AF_INET6;
  530. hdr.ndm_ifindex = if_nametoindex(name);
  531. hdr.ndm_state = NUD_PERMANENT;
  532. netlink_init(nlmsg, RTM_NEWNEIGH, NLM_F_EXCL | NLM_F_CREATE, &hdr,
  533. sizeof(hdr));
  534. netlink_attr(nlmsg, NDA_DST, addr, addrsize);
  535. netlink_attr(nlmsg, NDA_LLADDR, mac, macsize);
  536. int err = netlink_send(nlmsg, sock);
  537. if (err < 0) {
  538. }
  539. }
  540.  
  541. static struct nlmsg nlmsg;
  542.  
  543. static int tunfd = -1;
  544.  
  545. #define TUN_IFACE "syz_tun"
  546. #define LOCAL_MAC 0xaaaaaaaaaaaa
  547. #define REMOTE_MAC 0xaaaaaaaaaabb
  548. #define LOCAL_IPV4 "172.20.20.170"
  549. #define REMOTE_IPV4 "172.20.20.187"
  550. #define LOCAL_IPV6 "fe80::aa"
  551. #define REMOTE_IPV6 "fe80::bb"
  552.  
  553. #define IFF_NAPI 0x0010
  554.  
  555. static void initialize_tun(void)
  556. {
  557. tunfd = open("/dev/net/tun", O_RDWR | O_NONBLOCK);
  558. if (tunfd == -1) {
  559. printf("tun: can't open /dev/net/tun: please enable CONFIG_TUN=y\n");
  560. printf("otherwise fuzzing or reproducing might not work as intended\n");
  561. return;
  562. }
  563. const int kTunFd = 200;
  564. if (dup2(tunfd, kTunFd) < 0)
  565. exit(1);
  566. close(tunfd);
  567. tunfd = kTunFd;
  568. struct ifreq ifr;
  569. memset(&ifr, 0, sizeof(ifr));
  570. strncpy(ifr.ifr_name, TUN_IFACE, IFNAMSIZ);
  571. ifr.ifr_flags = IFF_TAP | IFF_NO_PI;
  572. if (ioctl(tunfd, TUNSETIFF, (void*)&ifr) < 0) {
  573. exit(1);
  574. }
  575. char sysctl[64];
  576. sprintf(sysctl, "/proc/sys/net/ipv6/conf/%s/accept_dad", TUN_IFACE);
  577. write_file(sysctl, "0");
  578. sprintf(sysctl, "/proc/sys/net/ipv6/conf/%s/router_solicitations", TUN_IFACE);
  579. write_file(sysctl, "0");
  580. int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
  581. if (sock == -1)
  582. exit(1);
  583. netlink_add_addr4(&nlmsg, sock, TUN_IFACE, LOCAL_IPV4);
  584. netlink_add_addr6(&nlmsg, sock, TUN_IFACE, LOCAL_IPV6);
  585. uint64_t macaddr = REMOTE_MAC;
  586. struct in_addr in_addr;
  587. inet_pton(AF_INET, REMOTE_IPV4, &in_addr);
  588. netlink_add_neigh(&nlmsg, sock, TUN_IFACE, &in_addr, sizeof(in_addr),
  589. &macaddr, ETH_ALEN);
  590. struct in6_addr in6_addr;
  591. inet_pton(AF_INET6, REMOTE_IPV6, &in6_addr);
  592. netlink_add_neigh(&nlmsg, sock, TUN_IFACE, &in6_addr, sizeof(in6_addr),
  593. &macaddr, ETH_ALEN);
  594. macaddr = LOCAL_MAC;
  595. netlink_device_change(&nlmsg, sock, TUN_IFACE, true, 0, &macaddr, ETH_ALEN,
  596. NULL);
  597. close(sock);
  598. }
  599.  
  600. #define DEVLINK_FAMILY_NAME "devlink"
  601.  
  602. #define DEVLINK_CMD_PORT_GET 5
  603. #define DEVLINK_ATTR_BUS_NAME 1
  604. #define DEVLINK_ATTR_DEV_NAME 2
  605. #define DEVLINK_ATTR_NETDEV_NAME 7
  606.  
  607. static struct nlmsg nlmsg2;
  608.  
  609. static void initialize_devlink_ports(const char* bus_name, const char* dev_name,
  610. const char* netdev_prefix)
  611. {
  612. struct genlmsghdr genlhdr;
  613. int len, total_len, id, err, offset;
  614. uint16_t netdev_index;
  615. int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC);
  616. if (sock == -1)
  617. exit(1);
  618. int rtsock = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
  619. if (rtsock == -1)
  620. exit(1);
  621. id = netlink_query_family_id(&nlmsg, sock, DEVLINK_FAMILY_NAME, true);
  622. if (id == -1)
  623. goto error;
  624. memset(&genlhdr, 0, sizeof(genlhdr));
  625. genlhdr.cmd = DEVLINK_CMD_PORT_GET;
  626. netlink_init(&nlmsg, id, NLM_F_DUMP, &genlhdr, sizeof(genlhdr));
  627. netlink_attr(&nlmsg, DEVLINK_ATTR_BUS_NAME, bus_name, strlen(bus_name) + 1);
  628. netlink_attr(&nlmsg, DEVLINK_ATTR_DEV_NAME, dev_name, strlen(dev_name) + 1);
  629. err = netlink_send_ext(&nlmsg, sock, id, &total_len, true);
  630. if (err < 0) {
  631. goto error;
  632. }
  633. offset = 0;
  634. netdev_index = 0;
  635. while ((len = netlink_next_msg(&nlmsg, offset, total_len)) != -1) {
  636. struct nlattr* attr = (struct nlattr*)(nlmsg.buf + offset + NLMSG_HDRLEN +
  637. NLMSG_ALIGN(sizeof(genlhdr)));
  638. for (; (char*)attr < nlmsg.buf + offset + len;
  639. attr = (struct nlattr*)((char*)attr + NLMSG_ALIGN(attr->nla_len))) {
  640. if (attr->nla_type == DEVLINK_ATTR_NETDEV_NAME) {
  641. char* port_name;
  642. char netdev_name[IFNAMSIZ];
  643. port_name = (char*)(attr + 1);
  644. snprintf(netdev_name, sizeof(netdev_name), "%s%d", netdev_prefix,
  645. netdev_index);
  646. netlink_device_change(&nlmsg2, rtsock, port_name, true, 0, 0, 0,
  647. netdev_name);
  648. break;
  649. }
  650. }
  651. offset += len;
  652. netdev_index++;
  653. }
  654. error:
  655. close(rtsock);
  656. close(sock);
  657. }
  658.  
  659. #define DEV_IPV4 "172.20.20.%d"
  660. #define DEV_IPV6 "fe80::%02x"
  661. #define DEV_MAC 0x00aaaaaaaaaa
  662.  
  663. static void netdevsim_add(unsigned int addr, unsigned int port_count)
  664. {
  665. char buf[16];
  666. sprintf(buf, "%u %u", addr, port_count);
  667. if (write_file("/sys/bus/netdevsim/new_device", buf)) {
  668. snprintf(buf, sizeof(buf), "netdevsim%d", addr);
  669. initialize_devlink_ports("netdevsim", buf, "netdevsim");
  670. }
  671. }
  672.  
  673. #define WG_GENL_NAME "wireguard"
  674. enum wg_cmd {
  675. WG_CMD_GET_DEVICE,
  676. WG_CMD_SET_DEVICE,
  677. };
  678. enum wgdevice_attribute {
  679. WGDEVICE_A_UNSPEC,
  680. WGDEVICE_A_IFINDEX,
  681. WGDEVICE_A_IFNAME,
  682. WGDEVICE_A_PRIVATE_KEY,
  683. WGDEVICE_A_PUBLIC_KEY,
  684. WGDEVICE_A_FLAGS,
  685. WGDEVICE_A_LISTEN_PORT,
  686. WGDEVICE_A_FWMARK,
  687. WGDEVICE_A_PEERS,
  688. };
  689. enum wgpeer_attribute {
  690. WGPEER_A_UNSPEC,
  691. WGPEER_A_PUBLIC_KEY,
  692. WGPEER_A_PRESHARED_KEY,
  693. WGPEER_A_FLAGS,
  694. WGPEER_A_ENDPOINT,
  695. WGPEER_A_PERSISTENT_KEEPALIVE_INTERVAL,
  696. WGPEER_A_LAST_HANDSHAKE_TIME,
  697. WGPEER_A_RX_BYTES,
  698. WGPEER_A_TX_BYTES,
  699. WGPEER_A_ALLOWEDIPS,
  700. WGPEER_A_PROTOCOL_VERSION,
  701. };
  702. enum wgallowedip_attribute {
  703. WGALLOWEDIP_A_UNSPEC,
  704. WGALLOWEDIP_A_FAMILY,
  705. WGALLOWEDIP_A_IPADDR,
  706. WGALLOWEDIP_A_CIDR_MASK,
  707. };
  708.  
  709. static void netlink_wireguard_setup(void)
  710. {
  711. const char ifname_a[] = "wg0";
  712. const char ifname_b[] = "wg1";
  713. const char ifname_c[] = "wg2";
  714. const char private_a[] =
  715. "\xa0\x5c\xa8\x4f\x6c\x9c\x8e\x38\x53\xe2\xfd\x7a\x70\xae\x0f\xb2\x0f\xa1"
  716. "\x52\x60\x0c\xb0\x08\x45\x17\x4f\x08\x07\x6f\x8d\x78\x43";
  717. const char private_b[] =
  718. "\xb0\x80\x73\xe8\xd4\x4e\x91\xe3\xda\x92\x2c\x22\x43\x82\x44\xbb\x88\x5c"
  719. "\x69\xe2\x69\xc8\xe9\xd8\x35\xb1\x14\x29\x3a\x4d\xdc\x6e";
  720. const char private_c[] =
  721. "\xa0\xcb\x87\x9a\x47\xf5\xbc\x64\x4c\x0e\x69\x3f\xa6\xd0\x31\xc7\x4a\x15"
  722. "\x53\xb6\xe9\x01\xb9\xff\x2f\x51\x8c\x78\x04\x2f\xb5\x42";
  723. const char public_a[] =
  724. "\x97\x5c\x9d\x81\xc9\x83\xc8\x20\x9e\xe7\x81\x25\x4b\x89\x9f\x8e\xd9\x25"
  725. "\xae\x9f\x09\x23\xc2\x3c\x62\xf5\x3c\x57\xcd\xbf\x69\x1c";
  726. const char public_b[] =
  727. "\xd1\x73\x28\x99\xf6\x11\xcd\x89\x94\x03\x4d\x7f\x41\x3d\xc9\x57\x63\x0e"
  728. "\x54\x93\xc2\x85\xac\xa4\x00\x65\xcb\x63\x11\xbe\x69\x6b";
  729. const char public_c[] =
  730. "\xf4\x4d\xa3\x67\xa8\x8e\xe6\x56\x4f\x02\x02\x11\x45\x67\x27\x08\x2f\x5c"
  731. "\xeb\xee\x8b\x1b\xf5\xeb\x73\x37\x34\x1b\x45\x9b\x39\x22";
  732. const uint16_t listen_a = 20001;
  733. const uint16_t listen_b = 20002;
  734. const uint16_t listen_c = 20003;
  735. const uint16_t af_inet = AF_INET;
  736. const uint16_t af_inet6 = AF_INET6;
  737. const struct sockaddr_in endpoint_b_v4 = {
  738. .sin_family = AF_INET,
  739. .sin_port = htons(listen_b),
  740. .sin_addr = {htonl(INADDR_LOOPBACK)}};
  741. const struct sockaddr_in endpoint_c_v4 = {
  742. .sin_family = AF_INET,
  743. .sin_port = htons(listen_c),
  744. .sin_addr = {htonl(INADDR_LOOPBACK)}};
  745. struct sockaddr_in6 endpoint_a_v6 = {.sin6_family = AF_INET6,
  746. .sin6_port = htons(listen_a)};
  747. endpoint_a_v6.sin6_addr = in6addr_loopback;
  748. struct sockaddr_in6 endpoint_c_v6 = {.sin6_family = AF_INET6,
  749. .sin6_port = htons(listen_c)};
  750. endpoint_c_v6.sin6_addr = in6addr_loopback;
  751. const struct in_addr first_half_v4 = {0};
  752. const struct in_addr second_half_v4 = {(uint32_t)htonl(128 << 24)};
  753. const struct in6_addr first_half_v6 = {{{0}}};
  754. const struct in6_addr second_half_v6 = {{{0x80}}};
  755. const uint8_t half_cidr = 1;
  756. const uint16_t persistent_keepalives[] = {1, 3, 7, 9, 14, 19};
  757. struct genlmsghdr genlhdr = {.cmd = WG_CMD_SET_DEVICE, .version = 1};
  758. int sock;
  759. int id, err;
  760. sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC);
  761. if (sock == -1) {
  762. return;
  763. }
  764. id = netlink_query_family_id(&nlmsg, sock, WG_GENL_NAME, true);
  765. if (id == -1)
  766. goto error;
  767. netlink_init(&nlmsg, id, 0, &genlhdr, sizeof(genlhdr));
  768. netlink_attr(&nlmsg, WGDEVICE_A_IFNAME, ifname_a, strlen(ifname_a) + 1);
  769. netlink_attr(&nlmsg, WGDEVICE_A_PRIVATE_KEY, private_a, 32);
  770. netlink_attr(&nlmsg, WGDEVICE_A_LISTEN_PORT, &listen_a, 2);
  771. netlink_nest(&nlmsg, NLA_F_NESTED | WGDEVICE_A_PEERS);
  772. netlink_nest(&nlmsg, NLA_F_NESTED | 0);
  773. netlink_attr(&nlmsg, WGPEER_A_PUBLIC_KEY, public_b, 32);
  774. netlink_attr(&nlmsg, WGPEER_A_ENDPOINT, &endpoint_b_v4,
  775. sizeof(endpoint_b_v4));
  776. netlink_attr(&nlmsg, WGPEER_A_PERSISTENT_KEEPALIVE_INTERVAL,
  777. &persistent_keepalives[0], 2);
  778. netlink_nest(&nlmsg, NLA_F_NESTED | WGPEER_A_ALLOWEDIPS);
  779. netlink_nest(&nlmsg, NLA_F_NESTED | 0);
  780. netlink_attr(&nlmsg, WGALLOWEDIP_A_FAMILY, &af_inet, 2);
  781. netlink_attr(&nlmsg, WGALLOWEDIP_A_IPADDR, &first_half_v4,
  782. sizeof(first_half_v4));
  783. netlink_attr(&nlmsg, WGALLOWEDIP_A_CIDR_MASK, &half_cidr, 1);
  784. netlink_done(&nlmsg);
  785. netlink_nest(&nlmsg, NLA_F_NESTED | 0);
  786. netlink_attr(&nlmsg, WGALLOWEDIP_A_FAMILY, &af_inet6, 2);
  787. netlink_attr(&nlmsg, WGALLOWEDIP_A_IPADDR, &first_half_v6,
  788. sizeof(first_half_v6));
  789. netlink_attr(&nlmsg, WGALLOWEDIP_A_CIDR_MASK, &half_cidr, 1);
  790. netlink_done(&nlmsg);
  791. netlink_done(&nlmsg);
  792. netlink_done(&nlmsg);
  793. netlink_nest(&nlmsg, NLA_F_NESTED | 0);
  794. netlink_attr(&nlmsg, WGPEER_A_PUBLIC_KEY, public_c, 32);
  795. netlink_attr(&nlmsg, WGPEER_A_ENDPOINT, &endpoint_c_v6,
  796. sizeof(endpoint_c_v6));
  797. netlink_attr(&nlmsg, WGPEER_A_PERSISTENT_KEEPALIVE_INTERVAL,
  798. &persistent_keepalives[1], 2);
  799. netlink_nest(&nlmsg, NLA_F_NESTED | WGPEER_A_ALLOWEDIPS);
  800. netlink_nest(&nlmsg, NLA_F_NESTED | 0);
  801. netlink_attr(&nlmsg, WGALLOWEDIP_A_FAMILY, &af_inet, 2);
  802. netlink_attr(&nlmsg, WGALLOWEDIP_A_IPADDR, &second_half_v4,
  803. sizeof(second_half_v4));
  804. netlink_attr(&nlmsg, WGALLOWEDIP_A_CIDR_MASK, &half_cidr, 1);
  805. netlink_done(&nlmsg);
  806. netlink_nest(&nlmsg, NLA_F_NESTED | 0);
  807. netlink_attr(&nlmsg, WGALLOWEDIP_A_FAMILY, &af_inet6, 2);
  808. netlink_attr(&nlmsg, WGALLOWEDIP_A_IPADDR, &second_half_v6,
  809. sizeof(second_half_v6));
  810. netlink_attr(&nlmsg, WGALLOWEDIP_A_CIDR_MASK, &half_cidr, 1);
  811. netlink_done(&nlmsg);
  812. netlink_done(&nlmsg);
  813. netlink_done(&nlmsg);
  814. netlink_done(&nlmsg);
  815. err = netlink_send(&nlmsg, sock);
  816. if (err < 0) {
  817. }
  818. netlink_init(&nlmsg, id, 0, &genlhdr, sizeof(genlhdr));
  819. netlink_attr(&nlmsg, WGDEVICE_A_IFNAME, ifname_b, strlen(ifname_b) + 1);
  820. netlink_attr(&nlmsg, WGDEVICE_A_PRIVATE_KEY, private_b, 32);
  821. netlink_attr(&nlmsg, WGDEVICE_A_LISTEN_PORT, &listen_b, 2);
  822. netlink_nest(&nlmsg, NLA_F_NESTED | WGDEVICE_A_PEERS);
  823. netlink_nest(&nlmsg, NLA_F_NESTED | 0);
  824. netlink_attr(&nlmsg, WGPEER_A_PUBLIC_KEY, public_a, 32);
  825. netlink_attr(&nlmsg, WGPEER_A_ENDPOINT, &endpoint_a_v6,
  826. sizeof(endpoint_a_v6));
  827. netlink_attr(&nlmsg, WGPEER_A_PERSISTENT_KEEPALIVE_INTERVAL,
  828. &persistent_keepalives[2], 2);
  829. netlink_nest(&nlmsg, NLA_F_NESTED | WGPEER_A_ALLOWEDIPS);
  830. netlink_nest(&nlmsg, NLA_F_NESTED | 0);
  831. netlink_attr(&nlmsg, WGALLOWEDIP_A_FAMILY, &af_inet, 2);
  832. netlink_attr(&nlmsg, WGALLOWEDIP_A_IPADDR, &first_half_v4,
  833. sizeof(first_half_v4));
  834. netlink_attr(&nlmsg, WGALLOWEDIP_A_CIDR_MASK, &half_cidr, 1);
  835. netlink_done(&nlmsg);
  836. netlink_nest(&nlmsg, NLA_F_NESTED | 0);
  837. netlink_attr(&nlmsg, WGALLOWEDIP_A_FAMILY, &af_inet6, 2);
  838. netlink_attr(&nlmsg, WGALLOWEDIP_A_IPADDR, &first_half_v6,
  839. sizeof(first_half_v6));
  840. netlink_attr(&nlmsg, WGALLOWEDIP_A_CIDR_MASK, &half_cidr, 1);
  841. netlink_done(&nlmsg);
  842. netlink_done(&nlmsg);
  843. netlink_done(&nlmsg);
  844. netlink_nest(&nlmsg, NLA_F_NESTED | 0);
  845. netlink_attr(&nlmsg, WGPEER_A_PUBLIC_KEY, public_c, 32);
  846. netlink_attr(&nlmsg, WGPEER_A_ENDPOINT, &endpoint_c_v4,
  847. sizeof(endpoint_c_v4));
  848. netlink_attr(&nlmsg, WGPEER_A_PERSISTENT_KEEPALIVE_INTERVAL,
  849. &persistent_keepalives[3], 2);
  850. netlink_nest(&nlmsg, NLA_F_NESTED | WGPEER_A_ALLOWEDIPS);
  851. netlink_nest(&nlmsg, NLA_F_NESTED | 0);
  852. netlink_attr(&nlmsg, WGALLOWEDIP_A_FAMILY, &af_inet, 2);
  853. netlink_attr(&nlmsg, WGALLOWEDIP_A_IPADDR, &second_half_v4,
  854. sizeof(second_half_v4));
  855. netlink_attr(&nlmsg, WGALLOWEDIP_A_CIDR_MASK, &half_cidr, 1);
  856. netlink_done(&nlmsg);
  857. netlink_nest(&nlmsg, NLA_F_NESTED | 0);
  858. netlink_attr(&nlmsg, WGALLOWEDIP_A_FAMILY, &af_inet6, 2);
  859. netlink_attr(&nlmsg, WGALLOWEDIP_A_IPADDR, &second_half_v6,
  860. sizeof(second_half_v6));
  861. netlink_attr(&nlmsg, WGALLOWEDIP_A_CIDR_MASK, &half_cidr, 1);
  862. netlink_done(&nlmsg);
  863. netlink_done(&nlmsg);
  864. netlink_done(&nlmsg);
  865. netlink_done(&nlmsg);
  866. err = netlink_send(&nlmsg, sock);
  867. if (err < 0) {
  868. }
  869. netlink_init(&nlmsg, id, 0, &genlhdr, sizeof(genlhdr));
  870. netlink_attr(&nlmsg, WGDEVICE_A_IFNAME, ifname_c, strlen(ifname_c) + 1);
  871. netlink_attr(&nlmsg, WGDEVICE_A_PRIVATE_KEY, private_c, 32);
  872. netlink_attr(&nlmsg, WGDEVICE_A_LISTEN_PORT, &listen_c, 2);
  873. netlink_nest(&nlmsg, NLA_F_NESTED | WGDEVICE_A_PEERS);
  874. netlink_nest(&nlmsg, NLA_F_NESTED | 0);
  875. netlink_attr(&nlmsg, WGPEER_A_PUBLIC_KEY, public_a, 32);
  876. netlink_attr(&nlmsg, WGPEER_A_ENDPOINT, &endpoint_a_v6,
  877. sizeof(endpoint_a_v6));
  878. netlink_attr(&nlmsg, WGPEER_A_PERSISTENT_KEEPALIVE_INTERVAL,
  879. &persistent_keepalives[4], 2);
  880. netlink_nest(&nlmsg, NLA_F_NESTED | WGPEER_A_ALLOWEDIPS);
  881. netlink_nest(&nlmsg, NLA_F_NESTED | 0);
  882. netlink_attr(&nlmsg, WGALLOWEDIP_A_FAMILY, &af_inet, 2);
  883. netlink_attr(&nlmsg, WGALLOWEDIP_A_IPADDR, &first_half_v4,
  884. sizeof(first_half_v4));
  885. netlink_attr(&nlmsg, WGALLOWEDIP_A_CIDR_MASK, &half_cidr, 1);
  886. netlink_done(&nlmsg);
  887. netlink_nest(&nlmsg, NLA_F_NESTED | 0);
  888. netlink_attr(&nlmsg, WGALLOWEDIP_A_FAMILY, &af_inet6, 2);
  889. netlink_attr(&nlmsg, WGALLOWEDIP_A_IPADDR, &first_half_v6,
  890. sizeof(first_half_v6));
  891. netlink_attr(&nlmsg, WGALLOWEDIP_A_CIDR_MASK, &half_cidr, 1);
  892. netlink_done(&nlmsg);
  893. netlink_done(&nlmsg);
  894. netlink_done(&nlmsg);
  895. netlink_nest(&nlmsg, NLA_F_NESTED | 0);
  896. netlink_attr(&nlmsg, WGPEER_A_PUBLIC_KEY, public_b, 32);
  897. netlink_attr(&nlmsg, WGPEER_A_ENDPOINT, &endpoint_b_v4,
  898. sizeof(endpoint_b_v4));
  899. netlink_attr(&nlmsg, WGPEER_A_PERSISTENT_KEEPALIVE_INTERVAL,
  900. &persistent_keepalives[5], 2);
  901. netlink_nest(&nlmsg, NLA_F_NESTED | WGPEER_A_ALLOWEDIPS);
  902. netlink_nest(&nlmsg, NLA_F_NESTED | 0);
  903. netlink_attr(&nlmsg, WGALLOWEDIP_A_FAMILY, &af_inet, 2);
  904. netlink_attr(&nlmsg, WGALLOWEDIP_A_IPADDR, &second_half_v4,
  905. sizeof(second_half_v4));
  906. netlink_attr(&nlmsg, WGALLOWEDIP_A_CIDR_MASK, &half_cidr, 1);
  907. netlink_done(&nlmsg);
  908. netlink_nest(&nlmsg, NLA_F_NESTED | 0);
  909. netlink_attr(&nlmsg, WGALLOWEDIP_A_FAMILY, &af_inet6, 2);
  910. netlink_attr(&nlmsg, WGALLOWEDIP_A_IPADDR, &second_half_v6,
  911. sizeof(second_half_v6));
  912. netlink_attr(&nlmsg, WGALLOWEDIP_A_CIDR_MASK, &half_cidr, 1);
  913. netlink_done(&nlmsg);
  914. netlink_done(&nlmsg);
  915. netlink_done(&nlmsg);
  916. netlink_done(&nlmsg);
  917. err = netlink_send(&nlmsg, sock);
  918. if (err < 0) {
  919. }
  920.  
  921. error:
  922. close(sock);
  923. }
  924. static void initialize_netdevices(void)
  925. {
  926. char netdevsim[16];
  927. sprintf(netdevsim, "netdevsim%d", (int)procid);
  928. struct {
  929. const char* type;
  930. const char* dev;
  931. } devtypes[] = {
  932. {"ip6gretap", "ip6gretap0"}, {"bridge", "bridge0"},
  933. {"vcan", "vcan0"}, {"bond", "bond0"},
  934. {"team", "team0"}, {"dummy", "dummy0"},
  935. {"nlmon", "nlmon0"}, {"caif", "caif0"},
  936. {"batadv", "batadv0"}, {"vxcan", "vxcan1"},
  937. {"netdevsim", netdevsim}, {"veth", 0},
  938. {"xfrm", "xfrm0"}, {"wireguard", "wg0"},
  939. {"wireguard", "wg1"}, {"wireguard", "wg2"},
  940. };
  941. const char* devmasters[] = {"bridge", "bond", "team", "batadv"};
  942. struct {
  943. const char* name;
  944. int macsize;
  945. bool noipv6;
  946. } devices[] = {
  947. {"lo", ETH_ALEN},
  948. {"sit0", 0},
  949. {"bridge0", ETH_ALEN},
  950. {"vcan0", 0, true},
  951. {"tunl0", 0},
  952. {"gre0", 0},
  953. {"gretap0", ETH_ALEN},
  954. {"ip_vti0", 0},
  955. {"ip6_vti0", 0},
  956. {"ip6tnl0", 0},
  957. {"ip6gre0", 0},
  958. {"ip6gretap0", ETH_ALEN},
  959. {"erspan0", ETH_ALEN},
  960. {"bond0", ETH_ALEN},
  961. {"veth0", ETH_ALEN},
  962. {"veth1", ETH_ALEN},
  963. {"team0", ETH_ALEN},
  964. {"veth0_to_bridge", ETH_ALEN},
  965. {"veth1_to_bridge", ETH_ALEN},
  966. {"veth0_to_bond", ETH_ALEN},
  967. {"veth1_to_bond", ETH_ALEN},
  968. {"veth0_to_team", ETH_ALEN},
  969. {"veth1_to_team", ETH_ALEN},
  970. {"veth0_to_hsr", ETH_ALEN},
  971. {"veth1_to_hsr", ETH_ALEN},
  972. {"hsr0", 0},
  973. {"dummy0", ETH_ALEN},
  974. {"nlmon0", 0},
  975. {"vxcan0", 0, true},
  976. {"vxcan1", 0, true},
  977. {"caif0", ETH_ALEN},
  978. {"batadv0", ETH_ALEN},
  979. {netdevsim, ETH_ALEN},
  980. {"xfrm0", ETH_ALEN},
  981. {"veth0_virt_wifi", ETH_ALEN},
  982. {"veth1_virt_wifi", ETH_ALEN},
  983. {"virt_wifi0", ETH_ALEN},
  984. {"veth0_vlan", ETH_ALEN},
  985. {"veth1_vlan", ETH_ALEN},
  986. {"vlan0", ETH_ALEN},
  987. {"vlan1", ETH_ALEN},
  988. {"macvlan0", ETH_ALEN},
  989. {"macvlan1", ETH_ALEN},
  990. {"ipvlan0", ETH_ALEN},
  991. {"ipvlan1", ETH_ALEN},
  992. {"veth0_macvtap", ETH_ALEN},
  993. {"veth1_macvtap", ETH_ALEN},
  994. {"macvtap0", ETH_ALEN},
  995. {"macsec0", ETH_ALEN},
  996. {"veth0_to_batadv", ETH_ALEN},
  997. {"veth1_to_batadv", ETH_ALEN},
  998. {"batadv_slave_0", ETH_ALEN},
  999. {"batadv_slave_1", ETH_ALEN},
  1000. {"geneve0", ETH_ALEN},
  1001. {"geneve1", ETH_ALEN},
  1002. {"wg0", 0},
  1003. {"wg1", 0},
  1004. {"wg2", 0},
  1005. };
  1006. int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
  1007. if (sock == -1)
  1008. exit(1);
  1009. unsigned i;
  1010. for (i = 0; i < sizeof(devtypes) / sizeof(devtypes[0]); i++)
  1011. netlink_add_device(&nlmsg, sock, devtypes[i].type, devtypes[i].dev);
  1012. for (i = 0; i < sizeof(devmasters) / (sizeof(devmasters[0])); i++) {
  1013. char master[32], slave0[32], veth0[32], slave1[32], veth1[32];
  1014. sprintf(slave0, "%s_slave_0", devmasters[i]);
  1015. sprintf(veth0, "veth0_to_%s", devmasters[i]);
  1016. netlink_add_veth(&nlmsg, sock, slave0, veth0);
  1017. sprintf(slave1, "%s_slave_1", devmasters[i]);
  1018. sprintf(veth1, "veth1_to_%s", devmasters[i]);
  1019. netlink_add_veth(&nlmsg, sock, slave1, veth1);
  1020. sprintf(master, "%s0", devmasters[i]);
  1021. netlink_device_change(&nlmsg, sock, slave0, false, master, 0, 0, NULL);
  1022. netlink_device_change(&nlmsg, sock, slave1, false, master, 0, 0, NULL);
  1023. }
  1024. netlink_device_change(&nlmsg, sock, "bridge_slave_0", true, 0, 0, 0, NULL);
  1025. netlink_device_change(&nlmsg, sock, "bridge_slave_1", true, 0, 0, 0, NULL);
  1026. netlink_add_veth(&nlmsg, sock, "hsr_slave_0", "veth0_to_hsr");
  1027. netlink_add_veth(&nlmsg, sock, "hsr_slave_1", "veth1_to_hsr");
  1028. netlink_add_hsr(&nlmsg, sock, "hsr0", "hsr_slave_0", "hsr_slave_1");
  1029. netlink_device_change(&nlmsg, sock, "hsr_slave_0", true, 0, 0, 0, NULL);
  1030. netlink_device_change(&nlmsg, sock, "hsr_slave_1", true, 0, 0, 0, NULL);
  1031. netlink_add_veth(&nlmsg, sock, "veth0_virt_wifi", "veth1_virt_wifi");
  1032. netlink_add_linked(&nlmsg, sock, "virt_wifi", "virt_wifi0",
  1033. "veth1_virt_wifi");
  1034. netlink_add_veth(&nlmsg, sock, "veth0_vlan", "veth1_vlan");
  1035. netlink_add_vlan(&nlmsg, sock, "vlan0", "veth0_vlan", 0, htons(ETH_P_8021Q));
  1036. netlink_add_vlan(&nlmsg, sock, "vlan1", "veth0_vlan", 1, htons(ETH_P_8021AD));
  1037. netlink_add_macvlan(&nlmsg, sock, "macvlan0", "veth1_vlan");
  1038. netlink_add_macvlan(&nlmsg, sock, "macvlan1", "veth1_vlan");
  1039. netlink_add_ipvlan(&nlmsg, sock, "ipvlan0", "veth0_vlan", IPVLAN_MODE_L2, 0);
  1040. netlink_add_ipvlan(&nlmsg, sock, "ipvlan1", "veth0_vlan", IPVLAN_MODE_L3S,
  1041. IPVLAN_F_VEPA);
  1042. netlink_add_veth(&nlmsg, sock, "veth0_macvtap", "veth1_macvtap");
  1043. netlink_add_linked(&nlmsg, sock, "macvtap", "macvtap0", "veth0_macvtap");
  1044. netlink_add_linked(&nlmsg, sock, "macsec", "macsec0", "veth1_macvtap");
  1045. char addr[32];
  1046. sprintf(addr, DEV_IPV4, 14 + 10);
  1047. struct in_addr geneve_addr4;
  1048. if (inet_pton(AF_INET, addr, &geneve_addr4) <= 0)
  1049. exit(1);
  1050. struct in6_addr geneve_addr6;
  1051. if (inet_pton(AF_INET6, "fc00::01", &geneve_addr6) <= 0)
  1052. exit(1);
  1053. netlink_add_geneve(&nlmsg, sock, "geneve0", 0, &geneve_addr4, 0);
  1054. netlink_add_geneve(&nlmsg, sock, "geneve1", 1, 0, &geneve_addr6);
  1055. netdevsim_add((int)procid, 4);
  1056. netlink_wireguard_setup();
  1057. for (i = 0; i < sizeof(devices) / (sizeof(devices[0])); i++) {
  1058. char addr[32];
  1059. sprintf(addr, DEV_IPV4, i + 10);
  1060. netlink_add_addr4(&nlmsg, sock, devices[i].name, addr);
  1061. if (!devices[i].noipv6) {
  1062. sprintf(addr, DEV_IPV6, i + 10);
  1063. netlink_add_addr6(&nlmsg, sock, devices[i].name, addr);
  1064. }
  1065. uint64_t macaddr = DEV_MAC + ((i + 10ull) << 40);
  1066. netlink_device_change(&nlmsg, sock, devices[i].name, true, 0, &macaddr,
  1067. devices[i].macsize, NULL);
  1068. }
  1069. close(sock);
  1070. }
  1071. static void initialize_netdevices_init(void)
  1072. {
  1073. int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
  1074. if (sock == -1)
  1075. exit(1);
  1076. struct {
  1077. const char* type;
  1078. int macsize;
  1079. bool noipv6;
  1080. bool noup;
  1081. } devtypes[] = {
  1082. {"nr", 7, true},
  1083. {"rose", 5, true, true},
  1084. };
  1085. unsigned i;
  1086. for (i = 0; i < sizeof(devtypes) / sizeof(devtypes[0]); i++) {
  1087. char dev[32], addr[32];
  1088. sprintf(dev, "%s%d", devtypes[i].type, (int)procid);
  1089. sprintf(addr, "172.30.%d.%d", i, (int)procid + 1);
  1090. netlink_add_addr4(&nlmsg, sock, dev, addr);
  1091. if (!devtypes[i].noipv6) {
  1092. sprintf(addr, "fe88::%02x:%02x", i, (int)procid + 1);
  1093. netlink_add_addr6(&nlmsg, sock, dev, addr);
  1094. }
  1095. int macsize = devtypes[i].macsize;
  1096. uint64_t macaddr = 0xbbbbbb +
  1097. ((unsigned long long)i << (8 * (macsize - 2))) +
  1098. (procid << (8 * (macsize - 1)));
  1099. netlink_device_change(&nlmsg, sock, dev, !devtypes[i].noup, 0, &macaddr,
  1100. macsize, NULL);
  1101. }
  1102. close(sock);
  1103. }
  1104.  
  1105. static int read_tun(char* data, int size)
  1106. {
  1107. if (tunfd < 0)
  1108. return -1;
  1109. int rv = read(tunfd, data, size);
  1110. if (rv < 0) {
  1111. if (errno == EAGAIN || errno == EBADFD)
  1112. return -1;
  1113. exit(1);
  1114. }
  1115. return rv;
  1116. }
  1117.  
  1118. static void flush_tun()
  1119. {
  1120. char data[1000];
  1121. while (read_tun(&data[0], sizeof(data)) != -1) {
  1122. }
  1123. }
  1124.  
  1125. #define MAX_FDS 30
  1126.  
  1127. #define MAX_FUNC_NUM 2
  1128. #define MAX_DEVICE_NUM 8
  1129. union usbg_function_attr {
  1130. int default_attr;
  1131. struct usbg_f_midi_attrs midi_attr;
  1132. struct usbg_f_ms_attrs ms_attr;
  1133. struct usbg_f_net_attrs net_attr;
  1134. struct usbg_f_printer_attrs printer_attr;
  1135. struct usbg_f_loopback_attrs loopback_attr;
  1136. struct usbg_f_hid_attrs hid_attr;
  1137. };
  1138. struct usbg_func_config {
  1139. usbg_function_type f_type;
  1140. union usbg_function_attr f_attrs;
  1141. };
  1142.  
  1143. struct usb_gadget_device {
  1144. struct usbg_gadget_attrs* g_attrs;
  1145. struct usbg_config_attrs* c_attrs;
  1146. int func_num;
  1147. struct usbg_func_config func_conf[MAX_FUNC_NUM];
  1148. };
  1149.  
  1150. struct usb_gadget_device usb_device[MAX_DEVICE_NUM];
  1151. struct usbg_gadget_strs g_strs = {.manufacturer = (char*)"Foo Inc.",
  1152. .product = (char*)"Bar Gadget",
  1153. .serial = (char*)"12345678"};
  1154.  
  1155. struct usbg_config_strs c_strs = {.configuration = (char*)"1xMIDI"};
  1156.  
  1157. static int remove_gadget(usbg_gadget* g)
  1158. {
  1159. int usbg_ret;
  1160. usbg_udc* u;
  1161. /* Check if gadget is enabled */
  1162. u = usbg_get_gadget_udc(g);
  1163. /* If gadget is enable we have to disable it first */
  1164. if (u) {
  1165. usbg_ret = usbg_disable_gadget(g);
  1166. if (usbg_ret != USBG_SUCCESS) {
  1167. fprintf(stderr, "Error on disable gadget udc\n");
  1168. fprintf(stderr, "Error: %s : %s\n", usbg_error_name((usbg_error)usbg_ret),
  1169. usbg_strerror((usbg_error)usbg_ret));
  1170. goto out;
  1171. }
  1172. }
  1173. /* Remove gadget with USBG_RM_RECURSE flag to remove
  1174. * also its configurations, functions and strings */
  1175. usbg_ret = usbg_rm_gadget(g, USBG_RM_RECURSE);
  1176. if (usbg_ret != USBG_SUCCESS) {
  1177. fprintf(stderr, "Error on gadget remove\n");
  1178. fprintf(stderr, "Error: %s : %s\n", usbg_error_name((usbg_error)usbg_ret),
  1179. usbg_strerror((usbg_error)usbg_ret));
  1180. }
  1181.  
  1182. out:
  1183. return usbg_ret;
  1184. }
  1185. static volatile long syz_detach_gadget_impl(int uid)
  1186. {
  1187. int usbg_ret;
  1188. int ret = -1;
  1189. usbg_state* s;
  1190. usbg_gadget* g;
  1191. const char* g_name;
  1192. char g_name_target[10];
  1193. sprintf(g_name_target, "g%d", uid);
  1194. usbg_ret = usbg_init("/sys/kernel/config", &s);
  1195. if (usbg_ret != USBG_SUCCESS) {
  1196. fprintf(stderr, "Error on USB state init\n");
  1197. fprintf(stderr, "Error: %s : %s\n", usbg_error_name((usbg_error)usbg_ret),
  1198. usbg_strerror((usbg_error)usbg_ret));
  1199. goto out1;
  1200. }
  1201. g = usbg_get_first_gadget(s);
  1202. while (g != NULL) {
  1203. /* Get current gadget attrs to be compared */
  1204. g_name = usbg_get_gadget_name(g);
  1205. /* Compare name with given values and remove if suitable */
  1206. if (strcmp(g_name, g_name_target) == 0) {
  1207. usbg_gadget* g_next = usbg_get_next_gadget(g);
  1208. usbg_ret = remove_gadget(g);
  1209. if (usbg_ret != USBG_SUCCESS)
  1210. goto out2;
  1211. g = g_next;
  1212. } else {
  1213. g = usbg_get_next_gadget(g);
  1214. }
  1215. }
  1216. usleep(500000);
  1217. ret = 0;
  1218.  
  1219. out2:
  1220. usbg_cleanup(s);
  1221. out1:
  1222. return ret;
  1223. }
  1224.  
  1225. static volatile long syz_attach_gadget_impl(struct usb_gadget_device* dev,
  1226. int uid)
  1227. {
  1228. syz_detach_gadget_impl(uid);
  1229. usbg_state* s;
  1230. usbg_gadget* g;
  1231. usbg_config* c;
  1232. usbg_function* f[MAX_FUNC_NUM];
  1233. usbg_udc* u;
  1234. int ret = -1;
  1235. int usbg_ret;
  1236. char g_name[10];
  1237. sprintf(g_name, "g%d", uid);
  1238. usbg_ret = usbg_init("/sys/kernel/config", &s);
  1239. if (usbg_ret != USBG_SUCCESS) {
  1240. fprintf(stderr, "Error on usbg init\n");
  1241. fprintf(stderr, "Error: %s : %s\n", usbg_error_name((usbg_error)usbg_ret),
  1242. usbg_strerror((usbg_error)usbg_ret));
  1243. goto out1;
  1244. }
  1245. usbg_ret = usbg_create_gadget(s, g_name, dev->g_attrs, &g_strs, &g);
  1246. if (usbg_ret != USBG_SUCCESS) {
  1247. fprintf(stderr, "Error on creating gadget\n");
  1248. fprintf(stderr, "Error: %s : %s\n", usbg_error_name((usbg_error)usbg_ret),
  1249. usbg_strerror((usbg_error)usbg_ret));
  1250. goto out2;
  1251. }
  1252. for (int i = 0; i < dev->func_num; i++) {
  1253. char f_name[10];
  1254. sprintf(f_name, "func%d", i);
  1255. if (dev->func_conf[i].f_attrs.default_attr == 0xffff)
  1256. usbg_ret = usbg_create_function(g, dev->func_conf[i].f_type,
  1257. (char*)f_name, NULL, &f[i]);
  1258. else
  1259. usbg_ret =
  1260. usbg_create_function(g, dev->func_conf[i].f_type, (char*)f_name,
  1261. &(dev->func_conf[i].f_attrs), &f[i]);
  1262. if (usbg_ret != USBG_SUCCESS) {
  1263. fprintf(stderr, "Error on creating gadget func\n");
  1264. fprintf(stderr, "Error: %s : %s\n", usbg_error_name((usbg_error)usbg_ret),
  1265. usbg_strerror((usbg_error)usbg_ret));
  1266. goto out2;
  1267. }
  1268. }
  1269. usbg_ret = usbg_create_config(g, 1, "The only one config", dev->c_attrs,
  1270. &c_strs, &c);
  1271. if (usbg_ret != USBG_SUCCESS) {
  1272. fprintf(stderr, "Error on creating gadget config\n");
  1273. fprintf(stderr, "Error: %s : %s\n", usbg_error_name((usbg_error)usbg_ret),
  1274. usbg_strerror((usbg_error)usbg_ret));
  1275. goto out2;
  1276. }
  1277. for (int i = 0; i < dev->func_num; i++) {
  1278. char f_name[10];
  1279. sprintf(f_name, "f_name.%d", i);
  1280. usbg_ret = usbg_add_config_function(c, (char*)f_name, f[i]);
  1281. if (usbg_ret != USBG_SUCCESS) {
  1282. fprintf(stderr, "Error on adding func to config\n");
  1283. fprintf(stderr, "Error: %s : %s\n", usbg_error_name((usbg_error)usbg_ret),
  1284. usbg_strerror((usbg_error)usbg_ret));
  1285. goto out2;
  1286. }
  1287. }
  1288. u = usbg_get_first_udc(s);
  1289. if (uid > 0) {
  1290. for (int i = 0; i < uid; i++) {
  1291. u = usbg_get_next_udc(u);
  1292. }
  1293. }
  1294. usbg_ret = usbg_enable_gadget(g, u);
  1295. if (usbg_ret != USBG_SUCCESS) {
  1296. fprintf(stderr, "Error on enabling udc\n");
  1297. fprintf(stderr, "Error: %s : %s\n", usbg_error_name((usbg_error)usbg_ret),
  1298. usbg_strerror((usbg_error)usbg_ret));
  1299. goto out2;
  1300. }
  1301. ret = 0;
  1302.  
  1303. out2:
  1304. usbg_cleanup(s);
  1305.  
  1306. out1:
  1307. return ret;
  1308. }
  1309.  
  1310. static void parse_dev_descriptors(const char* buffer,
  1311. struct usb_gadget_device* dev)
  1312. {
  1313. printf("begin to parse...\n");
  1314. memset(dev, 0, sizeof(*dev));
  1315. dev->g_attrs = (struct usbg_gadget_attrs*)buffer;
  1316. dev->c_attrs =
  1317. (struct usbg_config_attrs*)(buffer + sizeof(struct usbg_gadget_attrs));
  1318. dev->func_num = *(int*)(buffer + sizeof(struct usbg_gadget_attrs) +
  1319. sizeof(struct usbg_config_attrs) + sizeof(int16_t));
  1320. int start_attr = sizeof(struct usbg_gadget_attrs) +
  1321. sizeof(struct usbg_config_attrs) + sizeof(int16_t) +
  1322. 2 * sizeof(int32_t);
  1323. int conf_size = 40;
  1324. for (int i = 0; i < dev->func_num; i++) {
  1325. dev->func_conf[i] =
  1326. *(struct usbg_func_config*)(buffer + start_attr + i * conf_size);
  1327. if (dev->func_conf[i].f_type == USBG_F_HID) {
  1328. struct usbg_f_hid_attrs* hid_attr = &(dev->func_conf[i].f_attrs.hid_attr);
  1329. struct usbg_f_hid_report_desc* report_desc = &(hid_attr->report_desc);
  1330. report_desc->len = strlen(report_desc->desc);
  1331. conf_size = 48;
  1332. }
  1333. }
  1334. }
  1335.  
  1336. static volatile long syz_attach_gadget(volatile long a0, volatile long a1)
  1337. {
  1338. const char* dev = (const char*)a0;
  1339. uint64_t uid = a1;
  1340. parse_dev_descriptors(dev, &usb_device[uid]);
  1341. return syz_attach_gadget_impl(&usb_device[uid], uid);
  1342. }
  1343.  
  1344. static void setup_common()
  1345. {
  1346. if (mount(0, "/sys/fs/fuse/connections", "fusectl", 0, 0)) {
  1347. }
  1348. }
  1349.  
  1350. static void setup_binderfs()
  1351. {
  1352. if (mkdir("/dev/binderfs", 0777)) {
  1353. }
  1354. if (mount("binder", "/dev/binderfs", "binder", 0, NULL)) {
  1355. }
  1356. }
  1357.  
  1358. static void loop();
  1359.  
  1360. static void sandbox_common()
  1361. {
  1362. prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
  1363. setsid();
  1364. struct rlimit rlim;
  1365. rlim.rlim_cur = rlim.rlim_max = (200 << 20);
  1366. setrlimit(RLIMIT_AS, &rlim);
  1367. rlim.rlim_cur = rlim.rlim_max = 32 << 20;
  1368. setrlimit(RLIMIT_MEMLOCK, &rlim);
  1369. rlim.rlim_cur = rlim.rlim_max = 136 << 20;
  1370. setrlimit(RLIMIT_FSIZE, &rlim);
  1371. rlim.rlim_cur = rlim.rlim_max = 1 << 20;
  1372. setrlimit(RLIMIT_STACK, &rlim);
  1373. rlim.rlim_cur = rlim.rlim_max = 0;
  1374. setrlimit(RLIMIT_CORE, &rlim);
  1375. rlim.rlim_cur = rlim.rlim_max = 256;
  1376. setrlimit(RLIMIT_NOFILE, &rlim);
  1377. if (unshare(CLONE_NEWNS)) {
  1378. }
  1379. if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL)) {
  1380. }
  1381. if (unshare(CLONE_NEWIPC)) {
  1382. }
  1383. if (unshare(0x02000000)) {
  1384. }
  1385. if (unshare(CLONE_NEWUTS)) {
  1386. }
  1387. if (unshare(CLONE_SYSVSEM)) {
  1388. }
  1389. typedef struct {
  1390. const char* name;
  1391. const char* value;
  1392. } sysctl_t;
  1393. static const sysctl_t sysctls[] = {
  1394. {"/proc/sys/kernel/shmmax", "16777216"},
  1395. {"/proc/sys/kernel/shmall", "536870912"},
  1396. {"/proc/sys/kernel/shmmni", "1024"},
  1397. {"/proc/sys/kernel/msgmax", "8192"},
  1398. {"/proc/sys/kernel/msgmni", "1024"},
  1399. {"/proc/sys/kernel/msgmnb", "1024"},
  1400. {"/proc/sys/kernel/sem", "1024 1048576 500 1024"},
  1401. };
  1402. unsigned i;
  1403. for (i = 0; i < sizeof(sysctls) / sizeof(sysctls[0]); i++)
  1404. write_file(sysctls[i].name, sysctls[i].value);
  1405. }
  1406.  
  1407. static int wait_for_loop(int pid)
  1408. {
  1409. if (pid < 0)
  1410. exit(1);
  1411. int status = 0;
  1412. while (waitpid(-1, &status, __WALL) != pid) {
  1413. }
  1414. return WEXITSTATUS(status);
  1415. }
  1416.  
  1417. static void drop_caps(void)
  1418. {
  1419. struct __user_cap_header_struct cap_hdr = {};
  1420. struct __user_cap_data_struct cap_data[2] = {};
  1421. cap_hdr.version = _LINUX_CAPABILITY_VERSION_3;
  1422. cap_hdr.pid = getpid();
  1423. if (syscall(SYS_capget, &cap_hdr, &cap_data))
  1424. exit(1);
  1425. const int drop = (1 << CAP_SYS_PTRACE) | (1 << CAP_SYS_NICE);
  1426. cap_data[0].effective &= ~drop;
  1427. cap_data[0].permitted &= ~drop;
  1428. cap_data[0].inheritable &= ~drop;
  1429. if (syscall(SYS_capset, &cap_hdr, &cap_data))
  1430. exit(1);
  1431. }
  1432.  
  1433. static int do_sandbox_none(void)
  1434. {
  1435. if (unshare(CLONE_NEWPID)) {
  1436. }
  1437. int pid = fork();
  1438. if (pid != 0)
  1439. return wait_for_loop(pid);
  1440. setup_common();
  1441. sandbox_common();
  1442. drop_caps();
  1443. initialize_netdevices_init();
  1444. if (unshare(CLONE_NEWNET)) {
  1445. }
  1446. write_file("/proc/sys/net/ipv4/ping_group_range", "0 65535");
  1447. initialize_tun();
  1448. initialize_netdevices();
  1449. setup_binderfs();
  1450. loop();
  1451. exit(1);
  1452. }
  1453.  
  1454. #define FS_IOC_SETFLAGS _IOW('f', 2, long)
  1455. static void remove_dir(const char* dir)
  1456. {
  1457. int iter = 0;
  1458. DIR* dp = 0;
  1459. retry:
  1460. while (umount2(dir, MNT_DETACH | UMOUNT_NOFOLLOW) == 0) {
  1461. }
  1462. dp = opendir(dir);
  1463. if (dp == NULL) {
  1464. if (errno == EMFILE) {
  1465. exit(1);
  1466. }
  1467. exit(1);
  1468. }
  1469. struct dirent* ep = 0;
  1470. while ((ep = readdir(dp))) {
  1471. if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0)
  1472. continue;
  1473. char filename[FILENAME_MAX];
  1474. snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name);
  1475. while (umount2(filename, MNT_DETACH | UMOUNT_NOFOLLOW) == 0) {
  1476. }
  1477. struct stat st;
  1478. if (lstat(filename, &st))
  1479. exit(1);
  1480. if (S_ISDIR(st.st_mode)) {
  1481. remove_dir(filename);
  1482. continue;
  1483. }
  1484. int i;
  1485. for (i = 0;; i++) {
  1486. if (unlink(filename) == 0)
  1487. break;
  1488. if (errno == EPERM) {
  1489. int fd = open(filename, O_RDONLY);
  1490. if (fd != -1) {
  1491. long flags = 0;
  1492. if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) {
  1493. }
  1494. close(fd);
  1495. continue;
  1496. }
  1497. }
  1498. if (errno == EROFS) {
  1499. break;
  1500. }
  1501. if (errno != EBUSY || i > 100)
  1502. exit(1);
  1503. if (umount2(filename, MNT_DETACH | UMOUNT_NOFOLLOW))
  1504. exit(1);
  1505. }
  1506. }
  1507. closedir(dp);
  1508. for (int i = 0;; i++) {
  1509. if (rmdir(dir) == 0)
  1510. break;
  1511. if (i < 100) {
  1512. if (errno == EPERM) {
  1513. int fd = open(dir, O_RDONLY);
  1514. if (fd != -1) {
  1515. long flags = 0;
  1516. if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) {
  1517. }
  1518. close(fd);
  1519. continue;
  1520. }
  1521. }
  1522. if (errno == EROFS) {
  1523. break;
  1524. }
  1525. if (errno == EBUSY) {
  1526. if (umount2(dir, MNT_DETACH | UMOUNT_NOFOLLOW))
  1527. exit(1);
  1528. continue;
  1529. }
  1530. if (errno == ENOTEMPTY) {
  1531. if (iter < 100) {
  1532. iter++;
  1533. goto retry;
  1534. }
  1535. }
  1536. }
  1537. exit(1);
  1538. }
  1539. }
  1540.  
  1541. static void kill_and_wait(int pid, int* status)
  1542. {
  1543. kill(-pid, SIGKILL);
  1544. kill(pid, SIGKILL);
  1545. for (int i = 0; i < 100; i++) {
  1546. if (waitpid(-1, status, WNOHANG | __WALL) == pid)
  1547. return;
  1548. usleep(1000);
  1549. }
  1550. DIR* dir = opendir("/sys/fs/fuse/connections");
  1551. if (dir) {
  1552. for (;;) {
  1553. struct dirent* ent = readdir(dir);
  1554. if (!ent)
  1555. break;
  1556. if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
  1557. continue;
  1558. char abort[300];
  1559. snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort",
  1560. ent->d_name);
  1561. int fd = open(abort, O_WRONLY);
  1562. if (fd == -1) {
  1563. continue;
  1564. }
  1565. if (write(fd, abort, 1) < 0) {
  1566. }
  1567. close(fd);
  1568. }
  1569. closedir(dir);
  1570. } else {
  1571. }
  1572. while (waitpid(-1, status, __WALL) != pid) {
  1573. }
  1574. }
  1575.  
  1576. static void setup_test()
  1577. {
  1578. prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
  1579. setpgrp();
  1580. write_file("/proc/self/oom_score_adj", "1000");
  1581. flush_tun();
  1582. if (symlink("/dev/binderfs", "./binderfs")) {
  1583. }
  1584. }
  1585.  
  1586. static void close_fds()
  1587. {
  1588. for (int fd = 3; fd < MAX_FDS; fd++)
  1589. close(fd);
  1590. }
  1591.  
  1592. #define NL802154_CMD_SET_SHORT_ADDR 11
  1593. #define NL802154_ATTR_IFINDEX 3
  1594. #define NL802154_ATTR_SHORT_ADDR 10
  1595.  
  1596. static void setup_802154()
  1597. {
  1598. int sock_route = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
  1599. if (sock_route == -1)
  1600. exit(1);
  1601. int sock_generic = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC);
  1602. if (sock_generic < 0)
  1603. exit(1);
  1604. int nl802154_family_id =
  1605. netlink_query_family_id(&nlmsg, sock_generic, "nl802154", true);
  1606. for (int i = 0; i < 2; i++) {
  1607. char devname[] = "wpan0";
  1608. devname[strlen(devname) - 1] += i;
  1609. uint64_t hwaddr = 0xaaaaaaaaaaaa0002 + (i << 8);
  1610. uint16_t shortaddr = 0xaaa0 + i;
  1611. int ifindex = if_nametoindex(devname);
  1612. struct genlmsghdr genlhdr;
  1613. memset(&genlhdr, 0, sizeof(genlhdr));
  1614. genlhdr.cmd = NL802154_CMD_SET_SHORT_ADDR;
  1615. netlink_init(&nlmsg, nl802154_family_id, 0, &genlhdr, sizeof(genlhdr));
  1616. netlink_attr(&nlmsg, NL802154_ATTR_IFINDEX, &ifindex, sizeof(ifindex));
  1617. netlink_attr(&nlmsg, NL802154_ATTR_SHORT_ADDR, &shortaddr,
  1618. sizeof(shortaddr));
  1619. int err = netlink_send(&nlmsg, sock_generic);
  1620. if (err < 0) {
  1621. }
  1622. netlink_device_change(&nlmsg, sock_route, devname, true, 0, &hwaddr,
  1623. sizeof(hwaddr), 0);
  1624. if (i == 0) {
  1625. netlink_add_device_impl(&nlmsg, "lowpan", "lowpan0");
  1626. netlink_done(&nlmsg);
  1627. netlink_attr(&nlmsg, IFLA_LINK, &ifindex, sizeof(ifindex));
  1628. int err = netlink_send(&nlmsg, sock_route);
  1629. if (err < 0) {
  1630. }
  1631. }
  1632. }
  1633. close(sock_route);
  1634. close(sock_generic);
  1635. }
  1636.  
  1637. struct thread_t {
  1638. int created, call;
  1639. event_t ready, done;
  1640. };
  1641.  
  1642. static struct thread_t threads[16];
  1643. static void execute_call(int call);
  1644. static int running;
  1645.  
  1646. static void* thr(void* arg)
  1647. {
  1648. struct thread_t* th = (struct thread_t*)arg;
  1649. for (;;) {
  1650. event_wait(&th->ready);
  1651. event_reset(&th->ready);
  1652. execute_call(th->call);
  1653. __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED);
  1654. event_set(&th->done);
  1655. }
  1656. return 0;
  1657. }
  1658.  
  1659. static void execute_one(void)
  1660. {
  1661. int i, call, thread;
  1662. for (call = 0; call < 5; call++) {
  1663. for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0]));
  1664. thread++) {
  1665. struct thread_t* th = &threads[thread];
  1666. if (!th->created) {
  1667. th->created = 1;
  1668. event_init(&th->ready);
  1669. event_init(&th->done);
  1670. event_set(&th->done);
  1671. thread_start(thr, th);
  1672. }
  1673. if (!event_isset(&th->done))
  1674. continue;
  1675. event_reset(&th->done);
  1676. th->call = call;
  1677. __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED);
  1678. event_set(&th->ready);
  1679. event_timedwait(&th->done, 50);
  1680. break;
  1681. }
  1682. }
  1683. for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++)
  1684. sleep_ms(1);
  1685. close_fds();
  1686. }
  1687.  
  1688. static void execute_one(void);
  1689.  
  1690. #define WAIT_FLAGS __WALL
  1691.  
  1692. static void loop(void)
  1693. {
  1694. int iter = 0;
  1695. for (;; iter++) {
  1696. char cwdbuf[32];
  1697. sprintf(cwdbuf, "./%d", iter);
  1698. if (mkdir(cwdbuf, 0777))
  1699. exit(1);
  1700. int pid = fork();
  1701. if (pid < 0)
  1702. exit(1);
  1703. if (pid == 0) {
  1704. if (chdir(cwdbuf))
  1705. exit(1);
  1706. setup_test();
  1707. execute_one();
  1708. exit(0);
  1709. }
  1710. int status = 0;
  1711. uint64_t start = current_time_ms();
  1712. for (;;) {
  1713. if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
  1714. break;
  1715. sleep_ms(1);
  1716. if (current_time_ms() - start < 5000)
  1717. continue;
  1718. kill_and_wait(pid, &status);
  1719. break;
  1720. }
  1721. remove_dir(cwdbuf);
  1722. }
  1723. }
  1724.  
  1725. void execute_call(int call)
  1726. {
  1727. switch (call) {
  1728. case 0:
  1729. syscall(__NR_pwritev2, -1, 0ul, 0ul, 0xdfc, 7, 0x1aul);
  1730. break;
  1731. case 1:
  1732. syscall(__NR_ioctl, -1, 0xc4089434, 0ul);
  1733. break;
  1734. case 2:
  1735. syscall(__NR_ioctl, -1, 0xc018937c, 0ul);
  1736. break;
  1737. case 3:
  1738. syscall(__NR_ioctl, -1, 0x6628, 0);
  1739. break;
  1740. case 4:
  1741. *(uint16_t*)0x20002880 = 0x110;
  1742. *(uint8_t*)0x20002882 = 0;
  1743. *(uint8_t*)0x20002883 = 0;
  1744. *(uint8_t*)0x20002884 = 0;
  1745. *(uint8_t*)0x20002885 = 0;
  1746. *(uint16_t*)0x20002886 = 0x114f;
  1747. *(uint16_t*)0x20002888 = 0x68a2;
  1748. *(uint16_t*)0x2000288a = 0;
  1749. *(uint8_t*)0x2000288c = 0x80;
  1750. *(uint8_t*)0x2000288d = 0x8a;
  1751. *(uint32_t*)0x20002890 = 2;
  1752. *(uint8_t*)0x20002898 = 0xb;
  1753. *(uint32_t*)0x200028a0 = 0xffff;
  1754. *(uint8_t*)0x200028c0 = 8;
  1755. *(uint32_t*)0x200028c8 = 0xffff;
  1756. syz_attach_gadget(0x20002880, 2);
  1757. break;
  1758. }
  1759. }
  1760. int main(void)
  1761. {
  1762. syscall(__NR_mmap, 0x1ffff000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul);
  1763. syscall(__NR_mmap, 0x20000000ul, 0x1000000ul, 7ul, 0x32ul, -1, 0ul);
  1764. syscall(__NR_mmap, 0x21000000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul);
  1765. setup_802154();
  1766. for (procid = 0; procid < 8; procid++) {
  1767. if (fork() == 0) {
  1768. use_temporary_dir();
  1769. do_sandbox_none();
  1770. }
  1771. }
  1772. sleep(1000000);
  1773. return 0;
  1774. }
  1775.  
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!