// https://syzkaller.appspot.com/bug?id=90cd06695bd4650a5228385b4b02f370ef9c219f // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include uint64_t r[3] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff}; int main(void) { syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0); long res = 0; memcpy((void*)0x20000100, "/dev/kvm", 9); res = syscall(__NR_openat, 0xffffffffffffff9c, 0x20000100, 0, 0); if (res != -1) r[0] = res; res = syscall(__NR_ioctl, r[0], 0xae01, 0); if (res != -1) r[1] = res; res = syscall(__NR_ioctl, r[1], 0xae41, 0); if (res != -1) r[2] = res; *(uint32_t*)0x200001c0 = 2; *(uint32_t*)0x200001c4 = 0; *(uint64_t*)0x200001c8 = 0x34; *(uint64_t*)0x200001d0 = 0; *(uint64_t*)0x200001d8 = 0; *(uint64_t*)0x200001e0 = 0; *(uint8_t*)0x200001e8 = 0; *(uint8_t*)0x200001e9 = 0; *(uint8_t*)0x200001ea = 0; *(uint8_t*)0x200001eb = 0; *(uint8_t*)0x200001ec = 0; *(uint8_t*)0x200001ed = 0; *(uint8_t*)0x200001ee = 0; *(uint8_t*)0x200001ef = 0; *(uint8_t*)0x200001f0 = 0; *(uint8_t*)0x200001f1 = 0; *(uint8_t*)0x200001f2 = 0; *(uint8_t*)0x200001f3 = 0; *(uint8_t*)0x200001f4 = 0; *(uint8_t*)0x200001f5 = 0; *(uint8_t*)0x200001f6 = 0; *(uint8_t*)0x200001f7 = 0; *(uint8_t*)0x200001f8 = 0; *(uint8_t*)0x200001f9 = 0; *(uint8_t*)0x200001fa = 0; *(uint8_t*)0x200001fb = 0; *(uint8_t*)0x200001fc = 0; *(uint8_t*)0x200001fd = 0; *(uint8_t*)0x200001fe = 0; *(uint8_t*)0x200001ff = 0; *(uint8_t*)0x20000200 = 0; *(uint8_t*)0x20000201 = 0; *(uint8_t*)0x20000202 = 0; *(uint8_t*)0x20000203 = 0; *(uint8_t*)0x20000204 = 0; *(uint8_t*)0x20000205 = 0; *(uint8_t*)0x20000206 = 0; *(uint8_t*)0x20000207 = 0; *(uint8_t*)0x20000208 = 0; *(uint8_t*)0x20000209 = 0; *(uint8_t*)0x2000020a = 0; *(uint8_t*)0x2000020b = 0; *(uint8_t*)0x2000020c = 0; *(uint8_t*)0x2000020d = 0; *(uint8_t*)0x2000020e = 0; *(uint8_t*)0x2000020f = 0; *(uint8_t*)0x20000210 = 0; *(uint8_t*)0x20000211 = 0; *(uint8_t*)0x20000212 = 0; *(uint8_t*)0x20000213 = 0; *(uint8_t*)0x20000214 = 0; *(uint8_t*)0x20000215 = 0; *(uint8_t*)0x20000216 = 0; *(uint8_t*)0x20000217 = 0; *(uint8_t*)0x20000218 = 0; *(uint8_t*)0x20000219 = 0; *(uint8_t*)0x2000021a = 0; *(uint8_t*)0x2000021b = 0; *(uint8_t*)0x2000021c = 0; *(uint8_t*)0x2000021d = 0; *(uint8_t*)0x2000021e = 0; *(uint8_t*)0x2000021f = 0; *(uint8_t*)0x20000220 = 0; *(uint8_t*)0x20000221 = 0; *(uint8_t*)0x20000222 = 0; *(uint8_t*)0x20000223 = 0; *(uint8_t*)0x20000224 = 0; *(uint8_t*)0x20000225 = 0; *(uint8_t*)0x20000226 = 0; *(uint8_t*)0x20000227 = 0; syscall(__NR_ioctl, r[2], 0xc080aebe, 0x200001c0); *(uint16_t*)0x20000040 = 2; *(uint16_t*)0x20000042 = htobe16(0x4e23); *(uint32_t*)0x20000044 = htobe32(-1); *(uint8_t*)0x20000048 = 0; *(uint8_t*)0x20000049 = 0; *(uint8_t*)0x2000004a = 0; *(uint8_t*)0x2000004b = 0; *(uint8_t*)0x2000004c = 0; *(uint8_t*)0x2000004d = 0; *(uint8_t*)0x2000004e = 0; *(uint8_t*)0x2000004f = 0; syscall(__NR_bind, -1, 0x20000040, 0x10); *(uint32_t*)0x20266ffc = 0; syscall(__NR_setsockopt, -1, 1, 0, 0x20266ffc, 4); memcpy((void*)0x20000640, "/dev/net/tun", 13); syscall(__NR_openat, 0xffffffffffffff9c, 0x20000640, 0, 0); syscall(__NR_ioctl, -1, 0xae01, 0); memcpy((void*)0x20000100, "/dev/kvm", 9); syscall(__NR_openat, 0xffffffffffffff9c, 0x20000100, 0, 0); *(uint64_t*)0x20044000 = 0; *(uint32_t*)0x20044008 = 0x12; *(uint32_t*)0x2004400c = 0; *(uint64_t*)0x20044010 = 0x200001c0; *(uint64_t*)0x20044018 = 0x20000000; syscall(__NR_timer_create, 0, 0x20044000, 0x20000180); return 0; }