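// https://syzkaller.appspot.com/bug?id=1eb05f269bdabb964ee6a568e95a681c65e1eaec
// autogenerated by syzkaller (https://github.com/google/syzkaller)
//
// Crash reproducer: a fixed sequence of raw syscalls replayed against the
// kernel under test. As a program it is deliberately "wrong" -- descriptor
// numbers are reused after close(), address lengths do not match the address
// they describe, no return value except the descriptor captures is checked.
// Do not tidy the sequence: those oddities are the input that reproduces the
// report. Run it only inside a disposable VM; it maps 16 MiB at a fixed
// address and can leave the kernel wedged.
//
// NOTE(review): the original include list was lost in extraction (the
// directives survived without their header names). The headers below are the
// ones the visible code needs: stdint.h (uint64_t, intptr_t), string.h
// (memcpy), unistd.h (syscall) and sys/syscall.h (SYS_* numbers).
#define _GNU_SOURCE
#include <stdint.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

// Fallback syscall numbers, used only when the build host's sys/syscall.h
// does not already define the name. They are the numbers the generator
// emitted for the target kernel (they look like NetBSD's table -- e.g. openat
// 468, socket 394 -- but confirm against the target); on any other OS these
// fallbacks would be wrong, which is why the guards prefer the host's values.
#ifndef SYS_accept
#define SYS_accept 30
#endif
#ifndef SYS_bind
#define SYS_bind 104
#endif
#ifndef SYS_close
#define SYS_close 6
#endif
#ifndef SYS_connect
#define SYS_connect 98
#endif
#ifndef SYS_dup2
#define SYS_dup2 90
#endif
#ifndef SYS_listen
#define SYS_listen 106
#endif
#ifndef SYS_mkdir
#define SYS_mkdir 136
#endif
#ifndef SYS_mmap
#define SYS_mmap 197
#endif
#ifndef SYS_openat
#define SYS_openat 468
#endif
#ifndef SYS_socket
#define SYS_socket 394
#endif

// Captured syscall results, in the order they were produced. A slot stays at
// -1 until the corresponding call returns something other than -1, so a
// failed call leaves the slot at -1 and later calls use -1 as a descriptor.
uint64_t r[4] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff,
                 0xffffffffffffffff};

int main(void)
{
    // Back the fixed address range every argument below lives in.
    // 3 and 0x1012 are the prot/flags words as emitted for the target
    // (presumably read|write and anonymous|private|fixed -- confirm); the
    // seventh argument is an extra pad slot the target's mmap entry takes.
    syscall(SYS_mmap, 0x20000000, 0x1000000, 3, 0x1012, -1, 0, 0);
    intptr_t res = 0;

    // Create and open a directory, then close it again. r[0] keeps the now
    // stale descriptor number; accept() further down uses it, so on a kernel
    // that hands out the lowest free number it aliases whatever the next
    // socket() call receives. 0xffffff9c is -100 as a 32-bit value,
    // presumably the target's AT_FDCWD -- confirm.
    memcpy((void*)0x20000180, "./file1\000", 8);
    syscall(SYS_mkdir, 0x20000180, 0);
    memcpy((void*)0x20000040, "./file1\000", 8);
    res = syscall(SYS_openat, 0xffffff9c, 0x20000040, 0, 0);
    if (res != -1)
        r[0] = res;
    syscall(SYS_close, r[0]);

    // Two sockets of domain 1 / type 1 (the generator's encoding of a local
    // stream socket; check the target's AF_*/SOCK_* values before relying on
    // that reading).
    res = syscall(SYS_socket, 1, 1, 0);
    if (res != -1)
        r[1] = res;
    res = syscall(SYS_socket, 1, 1, 0);
    if (res != -1)
        r[2] = res;

    // The address is a 16-bit family word (1) followed by the same 11 path
    // bytes, terminating NUL included, of non-ASCII data. It is written three
    // times because each call gets its own copy, and each call passes a
    // different address length: 0xc for bind, 0x6e for the first connect and
    // 0xd for the second. The mismatches are fuzzer input, not a bug to fix.
    *(uint16_t*)0x20003000 = 1;
    memcpy((void*)0x20003002, "\351\037q\211Y\036\2223aK\000", 11);
    syscall(SYS_bind, r[2], 0x20003000, 0xc);
    syscall(SYS_listen, r[2], 0);

    *(uint16_t*)0x20000280 = 1;
    memcpy((void*)0x20000282, "\351\037q\211Y\036\2223aK\000", 11);
    syscall(SYS_connect, r[1], 0x20000280, 0x6e);

    // dup2 silently closes r[1] (the connecting end) and turns its number
    // into a second handle on the listening socket r[2].
    syscall(SYS_dup2, r[2], r[1]);

    // accept() on the stale r[0] number (see above); then connect() on
    // whatever descriptor that produced (or -1); then a final accept() on the
    // listener. Nothing is checked -- the process exits with whatever state
    // the kernel has been left in.
    res = syscall(SYS_accept, r[0], 0, 0);
    if (res != -1)
        r[3] = res;
    *(uint16_t*)0x20000000 = 1;
    memcpy((void*)0x20000002, "\351\037q\211Y\036\2223aK\000", 11);
    syscall(SYS_connect, r[3], 0x20000000, 0xd);
    syscall(SYS_accept, r[2], 0, 0);
    return 0;
}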