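#define _GNU_SOURCE
/*
 * Headers for the names this file uses: unshare()/CLONE_NEWNET (sched.h),
 * uint*_t (stdint.h), memcpy (string.h), __NR_* (sys/syscall.h) and
 * syscall() (unistd.h). The original include directives had lost their
 * arguments and could not compile.
 */
#include <sched.h>
#include <stdint.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/*
 * Replay of two sendmsg() calls on an NETLINK_RDMA socket (RDMA_NLDEV_CMD_SET,
 * then RDMA_NLDEV_CMD_NEWLINK for a "rxe" link named "syz1" on "lo", then the
 * SET message again). Every syscall argument is assembled by raw stores into
 * a scratch region that main() maps at a fixed address, so main() must run
 * the mmap before any helper is called. Offsets follow the 64-bit layouts of
 * struct msghdr, struct iovec, struct nlmsghdr and struct nlattr.
 */

/*
 * First message: 27 bytes of pre-serialised netlink data (an nlmsghdr whose
 * nlmsg_len field says 0x24) sent through a single iovec.
 *
 * @param fd  the NETLINK_RDMA socket created by main()
 * The result of sendmsg() is deliberately not checked: the replay continues
 * regardless of whether the kernel accepted the message.
 */
static void execute1(const int fd)
{
	/* struct msghdr at 0x200000000140 */
	*(uint64_t*)0x200000000140 = 0;               /* msg_name = NULL */
	*(uint32_t*)0x200000000148 = 0;               /* msg_namelen = 0 */
	*(uint64_t*)0x200000000150 = 0x200000000200;  /* msg_iov -> iovec below */

	/* struct iovec at 0x200000000200 pointing at the message bytes */
	*(uint64_t*)0x200000000200 = 0x2000000001c0;  /* iov_base */
	memcpy((void*)0x2000000001c0,
	       "\x24\x00\x00\x00\x1b\x14\x01\x00\x2a\xbd\xd4\x44\xd4\x46\xdf\x25\x08"
	       "\x00\x01\x00\x00\x00\x00\x00\x09\x00\x02",
	       27);
	/*
	 * iov_len is 36 although only 27 bytes were copied: bytes 27..35 are
	 * whatever the scratch mapping holds there (zero-filled by MAP_ANONYMOUS,
	 * and execute2() never writes that range). This mismatch is part of the
	 * recorded sequence and is kept as-is.
	 */
	*(uint64_t*)0x200000000208 = 0x24;            /* iov_len */

	*(uint64_t*)0x200000000158 = 1;               /* msg_iovlen = 1 */
	*(uint64_t*)0x200000000160 = 0;               /* msg_control = NULL */
	*(uint64_t*)0x200000000168 = 0;               /* msg_controllen = 0 */
	*(uint32_t*)0x200000000170 = 0x4040891;       /* msg_flags (as recorded) */

	syscall(__NR_sendmsg, /*fd=*/fd, /*msg=*/0x200000000140ul,
	        /*f=MSG_NOSIGNAL|MSG_EOR|0x100*/ 0x4180ul);
}

/*
 * Second message: an RDMA_NLDEV_CMD_NEWLINK request (nlmsg_type 0x1403) with
 * three attributes — device name "syz1" (type 2), link type "rxe" (type 0x41)
 * and netdev name "lo" (type 0x33) — built field by field, 0x38 bytes total.
 *
 * @param fd  the NETLINK_RDMA socket created by main()
 * As in execute1(), the sendmsg() result is intentionally ignored.
 */
static void execute2(const int fd)
{
	/* struct msghdr at 0x200000000000 */
	*(uint64_t*)0x200000000000 = 0;               /* msg_name = NULL */
	*(uint32_t*)0x200000000008 = 0;               /* msg_namelen = 0 */
	*(uint64_t*)0x200000000010 = 0x200000000140;  /* msg_iov -> iovec below */

	/* struct iovec at 0x200000000140 */
	*(uint64_t*)0x200000000140 = 0x200000000180;  /* iov_base -> nlmsghdr */

	/* struct nlmsghdr at 0x200000000180 */
	*(uint32_t*)0x200000000180 = 0x38;            /* nlmsg_len */
	*(uint16_t*)0x200000000184 = 0x1403;          /* nlmsg_type: RDMA_NLDEV_CMD_NEWLINK */
	*(uint16_t*)0x200000000186 = 1;               /* nlmsg_flags: NLM_F_REQUEST */
	*(uint32_t*)0x200000000188 = 0x70bd2d;        /* nlmsg_seq (as recorded) */
	*(uint32_t*)0x20000000018c = 0x25dffbfb;      /* nlmsg_pid (as recorded) */

	/* attribute 1: RDMA_NLDEV_ATTR_DEV_NAME = "syz1", padded to 4 bytes */
	*(uint16_t*)0x200000000190 = 9;               /* nla_len */
	*(uint16_t*)0x200000000192 = 2;               /* nla_type */
	memcpy((void*)0x200000000194, "syz1\000", 5);

	/* attribute 2: RDMA_NLDEV_ATTR_LINK_TYPE = "rxe" */
	*(uint16_t*)0x20000000019c = 8;               /* nla_len */
	*(uint16_t*)0x20000000019e = 0x41;            /* nla_type */
	memcpy((void*)0x2000000001a0, "rxe\000", 4);

	/* attribute 3: RDMA_NLDEV_ATTR_NDEV_NAME = "lo", fixed 16-byte field */
	*(uint16_t*)0x2000000001a4 = 0x14;            /* nla_len */
	*(uint16_t*)0x2000000001a6 = 0x33;            /* nla_type */
	memcpy((void*)0x2000000001a8,
	       "lo\000\000\000\000\000\000\000\000\000\000\000\000\000\000", 16);

	*(uint64_t*)0x200000000148 = 0x38;            /* iov_len = whole message */
	*(uint64_t*)0x200000000018 = 1;               /* msg_iovlen = 1 */
	*(uint64_t*)0x200000000020 = 0;               /* msg_control = NULL */
	*(uint64_t*)0x200000000028 = 0;               /* msg_controllen = 0 */
	*(uint32_t*)0x200000000030 = 0x4000840;       /* msg_flags (as recorded) */

	syscall(__NR_sendmsg, /*fd=*/fd, /*msg=*/0x200000000000ul,
	        /*f=MSG_NOSIGNAL*/ 0x4000ul);
}

/*
 * Entry point: map the scratch region, move into a fresh network namespace,
 * open the NETLINK_RDMA socket and replay SET, NEWLINK, SET.
 *
 * @return 0 after the three messages were sent, 1 if any setup step failed.
 * Command-line arguments are not used.
 */
int main(int argc, char *argv[])
{
	(void)argc;
	(void)argv;

	/*
	 * The helpers store through absolute addresses inside this region, so a
	 * failed mapping must stop the program here rather than fault later.
	 * The raw syscall() wrapper returns -1 on failure, matching the socket
	 * check below. The region only ever holds syscall argument data, so the
	 * recorded PROT_EXEC bit is not something the helpers rely on.
	 */
	if (syscall(__NR_mmap, /*addr=*/0x200000000000ul, /*len=*/0x1000000ul,
	            /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul,
	            /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul,
	            /*fd=*/(intptr_t)-1, /*offset=*/0ul) == -1) {
		return 1;
	}

	/* Own network namespace so the netlink traffic cannot affect the host's;
	 * fails without the privilege to create one. */
	if (unshare(CLONE_NEWNET)) {
		return 1;
	}

	/* AF_NETLINK (0x10), SOCK_RAW (3), NETLINK_RDMA (0x14) */
	int fd = syscall(__NR_socket, /*domain=*/0x10ul, /*type=*/3ul, /*proto=*/0x14);
	if (fd == -1) {
		return 1;
	}

	execute1(fd);
	execute2(fd);
	execute1(fd);

	close(fd);
	return 0;
}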