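// https://syzkaller.appspot.com/bug?id=004b0f7b61d4901cbfecfc33de7996e8cbe0a278
// autogenerated by syzkaller (http://github.com/google/syzkaller)
//
// Reproducer: open one socket in domain 0x2b and fire a single sendmmsg()
// carrying six messages with deliberately odd sockaddr / iovec / cmsg
// payloads.  Every syscall argument lives in a fixed anonymous mapping at
// 0x20000000 so the kernel sees exactly the addresses spelled out below;
// the raw addresses are therefore part of the reproducer and must not be
// "cleaned up" into stack variables.
//
// The #include list was missing its header names in the archived copy; the
// set below is what the code actually uses (htobe16 -> endian.h, fixed-width
// ints -> stdint.h, memcpy -> string.h, syscall/__NR_* -> unistd.h and
// sys/syscall.h, mmap flags -> sys/mman.h).

#define _GNU_SOURCE

#include <endian.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <unistd.h>

// Fixed arena used by the reproducer: 16 MiB at 0x20000000.
#define ARENA_BASE 0x20000000UL
#define ARENA_SIZE 0x1000000UL

// Result slot for the socket() call.  Stays all-ones (i.e. fd -1) if
// socket() fails; sendmmsg() is still issued in that case, as syzkaller
// generated it, and simply fails with EBADF.
uint64_t r[1] = {0xffffffffffffffff};

// Typed stores into the fixed arena.  These only keep the long list of
// writes readable; they are byte-for-byte the same as the original casts.
static inline void put8(uintptr_t addr, uint8_t v) { *(uint8_t*)addr = v; }
static inline void put16(uintptr_t addr, uint16_t v) { *(uint16_t*)addr = v; }
static inline void put32(uintptr_t addr, uint32_t v) { *(uint32_t*)addr = v; }
static inline void put64(uintptr_t addr, uint64_t v) { *(uint64_t*)addr = v; }

// Build the six struct mmsghdr entries at 0x20004680 (stride 0x40 on
// x86-64: msghdr 0x38 + msg_len 4 + pad) and issue the sendmmsg().
// Requires main() to have mapped the arena first; see main().
void loop(void) {
  long res = syscall(__NR_socket, 0x2b, 1, 0); // domain 0x2b, type 1 (SOCK_STREAM)
  if (res != -1)
    r[0] = res;

  // --- mmsghdr[0] @ 0x20004680 -------------------------------------------
  // msg_name: 16-byte sockaddr with sa_family 0x1d (looks like AF_CAN on
  // Linux — confirm against <linux/socket.h>), msg_namelen 0x80 (overlong).
  put64(0x20004680, 0x20000040);
  put16(0x20000040, 0x1d);
  put32(0x20000044, 0);
  put32(0x20000048, 0);
  put32(0x2000004c, 0);
  put32(0x20004688, 0x80);
  // msg_iov: 5 iovecs, every iov_len 0 (the buffers themselves are never
  // written; the mapping is anonymous, so they read as zeros).
  put64(0x20004690, 0x20002240);
  put64(0x20002240, 0x200000c0);
  put64(0x20002248, 0);
  put64(0x20002250, 0x200010c0);
  put64(0x20002258, 0);
  put64(0x20002260, 0x20001140);
  put64(0x20002268, 0);
  put64(0x20002270, 0x20002140);
  put64(0x20002278, 0);
  put64(0x20002280, 0x20002180);
  put64(0x20002288, 0);
  put64(0x20004698, 5);
  // msg_control: four 16-byte cmsghdrs (cmsg_len 0x10 = header only, no
  // data) with assorted level/type pairs; msg_controllen 0x40.
  put64(0x200046a0, 0x200022c0);
  put64(0x200022c0, 0x10);
  put32(0x200022c8, 0x10b);
  put32(0x200022cc, 0x1f);
  put64(0x200022d0, 0x10);
  put32(0x200022d8, 0x187);
  put32(0x200022dc, 0x1b);
  put64(0x200022e0, 0x10);
  put32(0x200022e8, 0x115);
  put32(0x200022ec, 4);
  put64(0x200022f0, 0x10);
  put32(0x200022f8, 0x13f);
  put32(0x200022fc, 0x7ff);
  put64(0x200046a8, 0x40);
  put32(0x200046b0, 0x20000000); // msg_flags
  put32(0x200046b8, 0x9e4);      // msg_len (output field, pre-seeded)

  // --- mmsghdr[1] @ 0x200046c0 -------------------------------------------
  // No name; 3 zero-length iovecs; control pointer set but controllen 0.
  put64(0x200046c0, 0);
  put32(0x200046c8, 0);
  put64(0x200046d0, 0x20002700);
  put64(0x20002700, 0x20002540);
  put64(0x20002708, 0);
  put64(0x20002710, 0x200025c0);
  put64(0x20002718, 0);
  put64(0x20002720, 0x20002600);
  put64(0x20002728, 0);
  put64(0x200046d8, 3);
  put64(0x200046e0, 0x20002740);
  put64(0x200046e8, 0);
  put32(0x200046f0, 0x40000);
  put32(0x200046f8, 0);

  // --- mmsghdr[2] @ 0x20004700 -------------------------------------------
  // msg_name: sa_family 0x1f (looks like AF_BLUETOOTH) followed by a
  // 6-byte address c3:06:08:12:03:9b and a trailing zero byte.
  put64(0x20004700, 0x20002940);
  put16(0x20002940, 0x1f);
  put8(0x20002942, 0xc3);
  put8(0x20002943, 6);
  put8(0x20002944, 8);
  put8(0x20002945, 0x12);
  put8(0x20002946, 3);
  put8(0x20002947, 0x9b);
  put8(0x20002948, 0);
  put32(0x20004708, 0x80);
  // 2 zero-length iovecs.
  put64(0x20004710, 0x20002b00);
  put64(0x20002b00, 0x200029c0);
  put64(0x20002b08, 0);
  put64(0x20002b10, 0x20002a00);
  put64(0x20002b18, 0);
  put64(0x20004718, 2);
  // Five header-only cmsgs (0x50 bytes).  Two use cmsg_level 0x3a with
  // out-of-range cmsg_type values (0xfff, 0xfffffff8).
  put64(0x20004720, 0x20002b40);
  put64(0x20002b40, 0x10);
  put32(0x20002b48, 0x118);
  put32(0x20002b4c, 7);
  put64(0x20002b50, 0x10);
  put32(0x20002b58, 0x3a);
  put32(0x20002b5c, 0xfff);
  put64(0x20002b60, 0x10);
  put32(0x20002b68, 0x10e);
  put32(0x20002b6c, 9);
  put64(0x20002b70, 0x10);
  put32(0x20002b78, 0x3a);
  put32(0x20002b7c, 0xfffffff8);
  put64(0x20002b80, 0x10);
  put32(0x20002b88, 0x105);
  put32(0x20002b8c, 2);
  put64(0x20004728, 0x50);
  put32(0x20004730, 0x10);
  put32(0x20004738, 4);

  // --- mmsghdr[3] @ 0x20004740 -------------------------------------------
  // msg_name: sa_family 0x11 (looks like AF_PACKET), protocol htobe16(0x17),
  // ifindex 0, hatype 1, then an 8-byte hardware address 7f:06:00:...
  put64(0x20004740, 0x20003fc0);
  put16(0x20003fc0, 0x11);
  put16(0x20003fc2, htobe16(0x17));
  put32(0x20003fc4, 0);
  put16(0x20003fc8, 1);
  put8(0x20003fca, 0x7f);
  put8(0x20003fcb, 6);
  put8(0x20003fcc, 0);
  put8(0x20003fcd, 0);
  put8(0x20003fce, 0);
  put8(0x20003fcf, 0);
  put8(0x20003fd0, 0);
  put8(0x20003fd1, 0);
  put8(0x20003fd2, 0);
  put8(0x20003fd3, 0);
  put32(0x20004748, 0x80);
  // iov pointer set but iovlen 0; three header-only cmsgs (0x30 bytes),
  // the first with cmsg_level 0.
  put64(0x20004750, 0x20004040);
  put64(0x20004758, 0);
  put64(0x20004760, 0x20004080);
  put64(0x20004080, 0x10);
  put32(0x20004088, 0);
  put32(0x2000408c, 5);
  put64(0x20004090, 0x10);
  put32(0x20004098, 0x112);
  put32(0x2000409c, 0);
  put64(0x200040a0, 0x10);
  put32(0x200040a8, 0x10a);
  put32(0x200040ac, 4);
  put64(0x20004768, 0x30);
  put32(0x20004770, 0x4008000);
  put32(0x20004778, 9);

  // --- mmsghdr[4] @ 0x20004780 -------------------------------------------
  // msg_name: AF_INET (2), port htobe16(0x4e20) = 20000, addr 172.20.20.187,
  // 8 bytes of sin_zero.
  put64(0x20004780, 0x200041c0);
  put16(0x200041c0, 2);
  put16(0x200041c2, htobe16(0x4e20));
  put8(0x200041c4, 0xac);
  put8(0x200041c5, 0x14);
  put8(0x200041c6, 0x14);
  put8(0x200041c7, 0xbb);
  put8(0x200041c8, 0);
  put8(0x200041c9, 0);
  put8(0x200041ca, 0);
  put8(0x200041cb, 0);
  put8(0x200041cc, 0);
  put8(0x200041cd, 0);
  put8(0x200041ce, 0);
  put8(0x200041cf, 0);
  put32(0x20004788, 0x80);
  // 3 zero-length iovecs; no control data.
  put64(0x20004790, 0x200043c0);
  put64(0x200043c0, 0x20004240);
  put64(0x200043c8, 0);
  put64(0x200043d0, 0x20004280);
  put64(0x200043d8, 0);
  put64(0x200043e0, 0x20004380);
  put64(0x200043e8, 0);
  put64(0x20004798, 3);
  put64(0x200047a0, 0);
  put64(0x200047a8, 0);
  put32(0x200047b0, 1);
  put32(0x200047b8, 0);

  // --- mmsghdr[5] @ 0x200047c0 -------------------------------------------
  // msg_name: sa_family 0x27 (looks like AF_NFC); three u32 fields, two
  // bytes (the second is 0xff — written as -1 in the generated code), then
  // a 63-byte opaque blob and a u64 0x1b at +0x58.
  put64(0x200047c0, 0x20004400);
  put16(0x20004400, 0x27);
  put32(0x20004404, 1);
  put32(0x20004408, 1);
  put32(0x2000440c, 3);
  put8(0x20004410, 7);
  put8(0x20004411, 0xff);
  memcpy((void*)0x20004412,
         "\xc3\x4c\x34\x51\x5d\x3e\xa0\x4a\x51\xb5\x5a\x47\x6c\xb6\x2b\xd9\xce"
         "\x8f\xc9\x63\x53\x97\x42\x98\x9d\xef\x19\xba\x2f\xcf\x00\x14\x0b\xef"
         "\x84\x4f\xfd\x51\xbc\x5b\xd4\xe3\x66\xfc\x48\x65\x52\x1f\x6c\xb4\x8b"
         "\x74\xfa\x07\xe8\xe1\x4c\x44\xc8\x4a\x19\x5b\x03",
         63);
  put64(0x20004458, 0x1b);
  put32(0x200047c8, 0x80);
  // 1 zero-length iovec; two header-only cmsgs (0x20 bytes).
  put64(0x200047d0, 0x20004500);
  put64(0x20004500, 0x20004480);
  put64(0x20004508, 0);
  put64(0x200047d8, 1);
  put64(0x200047e0, 0x20004540);
  put64(0x20004540, 0x10);
  put32(0x20004548, 0x108);
  put32(0x2000454c, 4);
  put64(0x20004550, 0x10);
  put32(0x20004558, 0x109);
  put32(0x2000455c, 0x8001);
  put64(0x200047e8, 0x20);
  put32(0x200047f0, 0x8000);
  put32(0x200047f8, 6);

  // Six messages; flags 0x20008014 are deliberately unusual.
  syscall(__NR_sendmmsg, r[0], 0x20004680, 6, 0x20008014);
}

// Map the fixed arena, then run the reproducer once.
// Returns 1 if the mapping cannot be established: without it every store in
// loop() would fault, and a SIGSEGV here would be mistaken for the kernel
// bug being reproduced.  The original code did not check this.
int main(void) {
  long m = syscall(__NR_mmap, ARENA_BASE, ARENA_SIZE, PROT_READ | PROT_WRITE,
                   MAP_FIXED | MAP_ANONYMOUS | MAP_PRIVATE, -1, 0);
  if (m == -1) {
    perror("mmap(0x20000000)");
    return 1;
  }
  loop();
  return 0;
}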