// https://syzkaller.appspot.com/bug?id=7bd6fc42489ba2eb2a9e44977633abd1c2fe0624
// autogenerated by syzkaller (http://github.com/google/syzkaller)
//
// NOTE(review): this is a machine-generated kernel crash reproducer, not an
// application. It replays a fixed syscall program from racing threads with
// fuzzer-chosen (largely invalid) arguments. The "defects" a reviewer would
// normally flag — unchecked returns, a truncated constant, one call's result
// reused as another call's fd, unsynchronised shared state — are the
// reproducer itself and are left byte-for-byte as generated.
//
// NOTE(review): the six #include directives below lost their header names in
// page extraction, so this file does not preprocess as shown. From the
// identifiers used here the translation unit needs at least <pthread.h>
// (pthread_create), <stdint.h> (uintN_t), <stdlib.h> (srand/rand),
// <string.h> (memset), <sys/syscall.h> (syscall, __NR_*) and <unistd.h>
// (getpid, usleep) — confirm against the original file.
#define _GNU_SOURCE
#include
#include
#include
#include
#include
#include

static void test();

// Runs one round of the reproducer after another; never returns, so the
// process only ends when it is killed or the kernel faults.
void loop()
{
    while (1) {
        test();
    }
}

// Result slots for the syscalls, indexed by the fuzzer's slot numbers
// (0, 1, 2, 3, 53, 54, 69, 71 are the ones written below). test() fills every
// slot with -1 before each round. Slots are written by one thread and read by
// others with no synchronisation at all — a plain data race that decides, per
// run, whether a consumer sees a real fd or the -1 sentinel.
long r[72];

// Thread body. arg (0..8) selects which step of the program this thread runs.
// Each step is executed twice per round by two different threads (see test()),
// and later steps consume r[0]/r[2] whether or not the producing step has run.
void* thr(void* arg)
{
    switch ((long)arg) {
    case 0:
        // prctl with option 0x15 and no further arguments; whatever it returns
        // is later used as an fd (steps 1 and 8) and as payload (step 4).
        r[0] = syscall(__NR_prctl, 0x15ul);
        break;
    case 1:
        // Maps the fixed 0x20000000..0x20fff000 region that every raw store
        // below writes into (0xfff000 bytes, prot 0x3, flags 0x32, fd = r[0]).
        // If this step has not completed before a store in steps 4 or 6 runs,
        // that store hits unmapped memory and the thread faults.
        r[1] = syscall(__NR_mmap, 0x20000000ul, 0xfff000ul, 0x3ul, 0x32ul, r[0], 0x0ul);
        break;
    case 2:
        // socket(domain 0xa, type 0x2, protocol 0) — the fd the rest of the
        // program operates on; -1 (from memset) if this has not run yet.
        r[2] = syscall(__NR_socket, 0xaul, 0x2ul, 0x0ul);
        break;
    case 3:
        // Zero-length write on the socket; the buffer pointer is never read.
        r[3] = syscall(__NR_write, r[2], 0x20013f1aul, 0x0ul);
        break;
    case 4:
        // Builds a 0xe8-byte option blob at 0x20000f18 (ending exactly at the
        // 0x20001000 page boundary) and passes it to setsockopt(level 0x29,
        // optname 0x23). The blob's byte values are fuzzer output; only the
        // two r[0] copies at +0x30/+0x34 depend on runtime state (long -> u32
        // truncation is implicit there).
        *(uint32_t*)0x20000f18 = (uint32_t)0x10000e0;
        *(uint8_t*)0x20000f28 = (uint8_t)0xac;
        *(uint8_t*)0x20000f29 = (uint8_t)0x14;
        *(uint8_t*)0x20000f2a = (uint8_t)0x0;
        *(uint8_t*)0x20000f2b = (uint8_t)0xbb;
        *(uint16_t*)0x20000f38 = (uint16_t)0x204e;
        *(uint16_t*)0x20000f3a = (uint16_t)0x0;
        *(uint16_t*)0x20000f3c = (uint16_t)0x204e;
        *(uint16_t*)0x20000f3e = (uint16_t)0x0;
        *(uint16_t*)0x20000f40 = (uint16_t)0xa;
        *(uint8_t*)0x20000f42 = (uint8_t)0x0;
        *(uint8_t*)0x20000f43 = (uint8_t)0x0;
        *(uint8_t*)0x20000f44 = (uint8_t)0x0;
        *(uint32_t*)0x20000f48 = r[0];
        *(uint32_t*)0x20000f4c = r[0];
        *(uint64_t*)0x20000f50 = (uint64_t)0x0;
        *(uint64_t*)0x20000f58 = (uint64_t)0x0;
        *(uint64_t*)0x20000f60 = (uint64_t)0x0;
        *(uint64_t*)0x20000f68 = (uint64_t)0x0;
        *(uint64_t*)0x20000f70 = (uint64_t)0x0;
        *(uint64_t*)0x20000f78 = (uint64_t)0x0;
        *(uint64_t*)0x20000f80 = (uint64_t)0x0;
        *(uint64_t*)0x20000f88 = (uint64_t)0x0;
        *(uint64_t*)0x20000f90 = (uint64_t)0x0;
        *(uint64_t*)0x20000f98 = (uint64_t)0x0;
        *(uint64_t*)0x20000fa0 = (uint64_t)0x0;
        *(uint64_t*)0x20000fa8 = (uint64_t)0x0;
        *(uint32_t*)0x20000fb0 = (uint32_t)0x0;
        *(uint32_t*)0x20000fb4 = (uint32_t)0x0;
        *(uint8_t*)0x20000fb8 = (uint8_t)0x1;
        *(uint8_t*)0x20000fb9 = (uint8_t)0x0;
        *(uint8_t*)0x20000fba = (uint8_t)0x0;
        *(uint8_t*)0x20000fbb = (uint8_t)0x2;
        *(uint64_t*)0x20000fc0 = (uint64_t)0x0;
        *(uint64_t*)0x20000fc8 = (uint64_t)0x100000000000000;
        *(uint32_t*)0x20000fd0 = (uint32_t)0x4;
        // The constant does not fit a uint8_t; the cast keeps only the low
        // byte (0x01). Compilers warn here — intentional fuzzer output.
        *(uint8_t*)0x20000fd4 = (uint8_t)0x100000000000001;
        *(uint16_t*)0x20000fd8 = (uint16_t)0x0;
        *(uint8_t*)0x20000fdc = (uint8_t)0xac;
        *(uint8_t*)0x20000fdd = (uint8_t)0x14;
        *(uint8_t*)0x20000fde = (uint8_t)0x0;
        *(uint8_t*)0x20000fdf = (uint8_t)0xbb;
        *(uint32_t*)0x20000fec = (uint32_t)0x21a9336f;
        *(uint8_t*)0x20000ff0 = (uint8_t)0x0;
        *(uint8_t*)0x20000ff1 = (uint8_t)0x0;
        *(uint8_t*)0x20000ff2 = (uint8_t)0xfd;
        *(uint32_t*)0x20000ff4 = (uint32_t)0x0;
        *(uint32_t*)0x20000ff8 = (uint32_t)0x3;
        *(uint32_t*)0x20000ffc = (uint32_t)0x401;
        r[53] = syscall(__NR_setsockopt, r[2], 0x29ul, 0x23ul, 0x20000f18ul, 0xe8ul);
        break;
    case 5:
        // fcntl(r[2], cmd 0x406, arg r[2]); the duplicated fd, if any, is
        // stored but never used again.
        r[54] = syscall(__NR_fcntl, r[2], 0x406ul, r[2]);
        break;
    case 6:
        // 16-byte sockaddr at 0x20ef8000 (inside the step-1 mapping): family 2,
        // port bytes 0x224e, address bytes 0xac.0x14.0x00.0xaa, zero padding —
        // then connect() with it. Note the family here (2) differs from the
        // socket's domain (0xa); that mismatch is part of the program.
        *(uint16_t*)0x20ef8000 = (uint16_t)0x2;
        *(uint16_t*)0x20ef8002 = (uint16_t)0x224e;
        *(uint8_t*)0x20ef8004 = (uint8_t)0xac;
        *(uint8_t*)0x20ef8005 = (uint8_t)0x14;
        *(uint8_t*)0x20ef8006 = (uint8_t)0x0;
        *(uint8_t*)0x20ef8007 = (uint8_t)0xaa;
        *(uint8_t*)0x20ef8008 = (uint8_t)0x0;
        *(uint8_t*)0x20ef8009 = (uint8_t)0x0;
        *(uint8_t*)0x20ef800a = (uint8_t)0x0;
        *(uint8_t*)0x20ef800b = (uint8_t)0x0;
        *(uint8_t*)0x20ef800c = (uint8_t)0x0;
        *(uint8_t*)0x20ef800d = (uint8_t)0x0;
        *(uint8_t*)0x20ef800e = (uint8_t)0x0;
        *(uint8_t*)0x20ef800f = (uint8_t)0x0;
        r[69] = syscall(__NR_connect, r[2], 0x20ef8000ul, 0x10ul);
        break;
    case 7:
        // Empty step: the corresponding program slot was elided by the fuzzer.
        break;
    case 8:
        // listen() on r[0] — the prctl result, not a socket. Deliberate.
        r[71] = syscall(__NR_listen, r[0], 0xb0ul);
        break;
    }
    return 0;
}

// One round: reset the slots, then start 18 threads — steps 0..8 once with a
// random sleep after each, and steps 0..8 again with a random sleep after
// roughly half of them — so every syscall pair races with a fresh
// interleaving each round. Threads are neither joined nor detached, and
// pthread_create's return is ignored; once thread creation starts failing the
// loop simply keeps spinning. The random seed is the pid, so a given process
// replays the same delay sequence.
void test()
{
    long i;
    pthread_t th[18];
    memset(r, -1, sizeof(r));
    srand(getpid());
    for (i = 0; i < 9; i++) {
        pthread_create(&th[i], 0, thr, (void*)i);
        usleep(rand() % 10000);
    }
    for (i = 0; i < 9; i++) {
        pthread_create(&th[9 + i], 0, thr, (void*)i);
        if (rand() % 2)
            usleep(rand() % 10000);
    }
    usleep(rand() % 100000);
}

// Entry point; loop() never returns, so the return statement is unreachable.
int main()
{
    loop();
    return 0;
}