  1. #define _GNU_SOURCE
  2.  
  3. #include <endian.h>
  4. #include <stdint.h>
  5. #include <stdio.h>
  6. #include <stdlib.h>
  7. #include <string.h>
  8. #include <sys/syscall.h>
  9. #include <sys/types.h>
  10. #include <unistd.h>
  11.  
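/*
 * Fallback syscall number for toolchains whose <sys/syscall.h> predates
 * memfd_secret(2); 447 is the number in both the x86-64 and the asm-generic
 * tables.
 */
#ifndef __NR_memfd_secret
#define __NR_memfd_secret 447
#endif

/*
 * Mask covering bf_len contiguous bits starting at bit bf_off of a 64-bit
 * value. A bf_len of 64 or more selects an all-ones mask explicitly, since
 * 1ull << 64 would be undefined; the `& 63` on the other branch only keeps
 * that dead branch free of an over-wide constant shift. bf_off must still be
 * below 64.
 */
#define BITMASK(bf_off, bf_len) \
	(((bf_len) >= 64 ? ~0ull : ((1ull << ((bf_len) & 63)) - 1)) << (bf_off))

/*
 * Read-modify-write one bitfield of the `type` object at `addr`: clear the
 * bf_len bits at bf_off, then OR in `val` shifted into place (excess bits of
 * val are masked off). `htobe` is applied around the load and the store so a
 * big-endian field can be edited in place; pass it empty (as main() does) for
 * native byte order, in which case htobe(x) expands to just (x).
 */
#define STORE_BY_BITMASK(type, htobe, addr, val, bf_off, bf_len) \
	*(type*)(addr) = \
	htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | \
	(((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len))))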
  21.  
/*
 * Copy n bytes between two caller-supplied addresses, each adjusted by a
 * 32-bit byte offset, and hand back the destination start as a long.
 *
 * Every parameter travels as a volatile long so the same signature can carry
 * raw pointers and plain integers:
 *   a0  destination base address
 *   a1  byte offset added to a0 (truncated to 32 bits)
 *   a2  source base address
 *   a3  byte offset added to a2 (truncated to 32 bits)
 *   a4  number of bytes to copy
 *
 * Returns (long)(a0 + a1), i.e. memcpy()'s own return value. No bounds or
 * overlap checking of any kind: both ranges are the caller's responsibility.
 */
static long syz_memcpy_off(volatile long a0, volatile long a1, volatile long a2,
                           volatile long a3, volatile long a4)
{
	unsigned char *to = (unsigned char *)a0 + (uint32_t)a1;
	const unsigned char *from = (const unsigned char *)a2 + (uint32_t)a3;
	size_t count = (size_t)a4;

	void *done = memcpy(to, from, count);
	return (long)done;
}
  32.  
/*
 * Syscall results handed from one call in main() to the next:
 *   r[0]  fd returned by memfd_secret(), or the -1 initialiser if that call
 *         failed; the following ftruncate() and both MAP_SHARED mmap()s are
 *         then issued against fd -1
 *   r[1]  address of the first MAP_SHARED mapping of that fd, or the 0
 *         initialiser if that mmap() failed; main() passes it straight to
 *         syz_memcpy_off() without checking
 */
uint64_t r[2] = {0xffffffffffffffff, 0x0};
  34.  
/*
 * Entry point. Reads like a syzkaller-generated reproducer: every buffer and
 * mapping sits at a fixed address inside the 16 MiB region mapped at
 * 0x20000000, syscalls are issued through syscall(2) with literal numbers,
 * and results flow between calls via r[]. The sequence is:
 *   1. map the scratch region, with a PROT_NONE page on either side of it;
 *   2. assemble a perf_event_attr at 0x20000d80 and open it (fd discarded);
 *   3. memfd_secret(0) -> r[0], then ftruncate that fd to 6 bytes;
 *   4. MAP_SHARED-map 3 pages of the fd at 0x20ffc000 -> r[1] and write
 *      4 zero bytes at the start of that mapping;
 *   5. map the same fd once more, MAP_SHARED, at 0x20ae4000.
 * Nothing is unmapped or closed; the process simply returns 0. Every return
 * value except memfd_secret's and the first shared mmap's is ignored.
 */
int main(void)
{
	/* Guard page just below the scratch region: prot 0 (PROT_NONE). */
	syscall(__NR_mmap, /*addr=*/0x1ffff000ul, /*len=*/0x1000ul, /*prot=*/0ul,
	/*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1,
	/*offset=*/0ul);
	/* 16 MiB RWX scratch region; every fixed address used below lies in it. */
	syscall(__NR_mmap, /*addr=*/0x20000000ul, /*len=*/0x1000000ul,
	/*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul,
	/*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1,
	/*offset=*/0ul);
	/* Guard page just above the scratch region. */
	syscall(__NR_mmap, /*addr=*/0x21000000ul, /*len=*/0x1000ul, /*prot=*/0ul,
	/*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1,
	/*offset=*/0ul);
	intptr_t res = 0;
	/*
	 * perf_event_attr written field by field at 0x20000d80 (offsets below are
	 * relative to that base; field names follow the perf_event_attr layout,
	 * confirm against the kernel's <linux/perf_event.h> if they matter):
	 *   +0x00 type = 0, +0x04 size = 0x80,
	 *   +0x08..+0x0f config, stored as four bytes plus a u32, all zero,
	 *   +0x10 sample_period = 0, +0x18 sample_type = 0, +0x20 read_format = 8.
	 */
	*(uint32_t*)0x20000d80 = 0;
	*(uint32_t*)0x20000d84 = 0x80;
	*(uint8_t*)0x20000d88 = 0;
	*(uint8_t*)0x20000d89 = 0;
	*(uint8_t*)0x20000d8a = 0;
	*(uint8_t*)0x20000d8b = 0;
	*(uint32_t*)0x20000d8c = 0;
	*(uint64_t*)0x20000d90 = 0;
	*(uint64_t*)0x20000d98 = 0;
	*(uint64_t*)0x20000da0 = 8;
	/*
	 * +0x28: the 64-bit flag bitfield, one store per field in declaration
	 * order. The fields set to 1 are bits 4, 5, 8, 9, 13, 19, 20, 28, 30, 32
	 * and 34; every other bit, including the 26-bit reserved tail at 38..63,
	 * is cleared.
	 */
	STORE_BY_BITMASK(uint64_t, , 0x20000da8, 0, 0, 1);
	STORE_BY_BITMASK(uint64_t, , 0x20000da8, 0, 1, 1);
	STORE_BY_BITMASK(uint64_t, , 0x20000da8, 0, 2, 1);
	STORE_BY_BITMASK(uint64_t, , 0x20000da8, 0, 3, 1);
	STORE_BY_BITMASK(uint64_t, , 0x20000da8, 1, 4, 1);
	STORE_BY_BITMASK(uint64_t, , 0x20000da8, 1, 5, 1);
	STORE_BY_BITMASK(uint64_t, , 0x20000da8, 0, 6, 1);
	STORE_BY_BITMASK(uint64_t, , 0x20000da8, 0, 7, 1);
	STORE_BY_BITMASK(uint64_t, , 0x20000da8, 1, 8, 1);
	STORE_BY_BITMASK(uint64_t, , 0x20000da8, 1, 9, 1);
	STORE_BY_BITMASK(uint64_t, , 0x20000da8, 0, 10, 1);
	STORE_BY_BITMASK(uint64_t, , 0x20000da8, 0, 11, 1);
	STORE_BY_BITMASK(uint64_t, , 0x20000da8, 0, 12, 1);
	STORE_BY_BITMASK(uint64_t, , 0x20000da8, 1, 13, 1);
	STORE_BY_BITMASK(uint64_t, , 0x20000da8, 0, 14, 1);
	STORE_BY_BITMASK(uint64_t, , 0x20000da8, 0, 15, 2);
	STORE_BY_BITMASK(uint64_t, , 0x20000da8, 0, 17, 1);
	STORE_BY_BITMASK(uint64_t, , 0x20000da8, 0, 18, 1);
	STORE_BY_BITMASK(uint64_t, , 0x20000da8, 1, 19, 1);
	STORE_BY_BITMASK(uint64_t, , 0x20000da8, 1, 20, 1);
	STORE_BY_BITMASK(uint64_t, , 0x20000da8, 0, 21, 1);
	STORE_BY_BITMASK(uint64_t, , 0x20000da8, 0, 22, 1);
	STORE_BY_BITMASK(uint64_t, , 0x20000da8, 0, 23, 1);
	STORE_BY_BITMASK(uint64_t, , 0x20000da8, 0, 24, 1);
	STORE_BY_BITMASK(uint64_t, , 0x20000da8, 0, 25, 1);
	STORE_BY_BITMASK(uint64_t, , 0x20000da8, 0, 26, 1);
	STORE_BY_BITMASK(uint64_t, , 0x20000da8, 0, 27, 1);
	STORE_BY_BITMASK(uint64_t, , 0x20000da8, 1, 28, 1);
	STORE_BY_BITMASK(uint64_t, , 0x20000da8, 0, 29, 1);
	STORE_BY_BITMASK(uint64_t, , 0x20000da8, 1, 30, 1);
	STORE_BY_BITMASK(uint64_t, , 0x20000da8, 0, 31, 1);
	STORE_BY_BITMASK(uint64_t, , 0x20000da8, 1, 32, 1);
	STORE_BY_BITMASK(uint64_t, , 0x20000da8, 0, 33, 1);
	STORE_BY_BITMASK(uint64_t, , 0x20000da8, 1, 34, 1);
	STORE_BY_BITMASK(uint64_t, , 0x20000da8, 0, 35, 1);
	STORE_BY_BITMASK(uint64_t, , 0x20000da8, 0, 36, 1);
	STORE_BY_BITMASK(uint64_t, , 0x20000da8, 0, 37, 1);
	STORE_BY_BITMASK(uint64_t, , 0x20000da8, 0, 38, 26);
	/*
	 * +0x30..+0x7f: the remaining attr fields, all zero except the u16 at
	 * +0x6c, which is 0x46e (sample_max_stack in the current layout — confirm).
	 */
	*(uint32_t*)0x20000db0 = 0;
	*(uint32_t*)0x20000db4 = 0;
	*(uint64_t*)0x20000db8 = 0;
	*(uint64_t*)0x20000dc0 = 0;
	*(uint64_t*)0x20000dc8 = 0;
	*(uint64_t*)0x20000dd0 = 0;
	*(uint32_t*)0x20000dd8 = 0;
	*(uint32_t*)0x20000ddc = 0;
	*(uint64_t*)0x20000de0 = 0;
	*(uint32_t*)0x20000de8 = 0;
	*(uint16_t*)0x20000dec = 0x46e;
	*(uint16_t*)0x20000dee = 0;
	*(uint32_t*)0x20000df0 = 0;
	*(uint32_t*)0x20000df4 = 0;
	*(uint64_t*)0x20000df8 = 0;
	/* pid -1, cpu 0: a per-CPU event. The returned fd is not kept anywhere. */
	syscall(__NR_perf_event_open, /*attr=*/0x20000d80ul, /*fd=*/-1, /*cpu=*/0ul,
	/*group=*/-1, /*flags=*/0ul);
	/*
	 * memfd_secret(0). On failure (kernel without secretmem, or it disabled)
	 * r[0] keeps its -1 initialiser and the three calls below run on fd -1.
	 */
	res = syscall(__NR_memfd_secret, /*flags=*/0ul);
	if (res != -1)
	r[0] = res;
	/* File is 6 bytes long, so only its first page has backing. */
	syscall(__NR_ftruncate, /*fd=*/r[0], /*len=*/6ul);
	/*
	 * First shared mapping of the secret fd: 3 pages at a fixed address,
	 * i.e. two pages past the 6-byte EOF. The call's own comment flags
	 * 0x800000 in prot as a bit with no PROT_ name.
	 */
	res = syscall(
	__NR_mmap, /*addr=*/0x20ffc000ul, /*len=*/0x3000ul,
	/*prot=PROT_GROWSUP|PROT_SEM|PROT_WRITE|PROT_READ|0x800000*/ 0x280000bul,
	/*flags=MAP_NORESERVE|MAP_FIXED|MAP_SHARED*/ 0x4011ul, /*fd=*/r[0],
	/*offset=*/0ul);
	if (res != -1)
	r[1] = res;
	/*
	 * Copy 4 zero bytes from scratch memory to offset 0 of the mapping: the
	 * first touch of the secret pages. If the mmap above failed, r[1] is still
	 * 0 and this copy writes to address 0.
	 */
	*(uint32_t*)0x20000040 = 0;
	syz_memcpy_off(/*ring_ptr=*/r[1], /*flag_off=*/0, /*src=*/0x20000040,
	/*src_off=*/0, /*nbytes=*/4);
	/*
	 * Second shared mapping of the same fd at another fixed address, one
	 * page, write-only prot (no PROT_READ). Result ignored.
	 */
	syscall(__NR_mmap, /*addr=*/0x20ae4000ul, /*len=*/0x1000ul,
	/*prot=PROT_GROWSUP|PROT_GROWSDOWN|PROT_SEM|PROT_WRITE*/ 0x300000aul,
	/*flags=MAP_FIXED|MAP_SHARED*/ 0x11ul, /*fd=*/r[0], /*offset=*/0ul);
	return 0;
}
  132.  