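// https://syzkaller.appspot.com/bug?id=4f5b71612ca24f1c814f1413a8022656c4cae691
// autogenerated by syzkaller (http://github.com/google/syzkaller)
//
// Kernel crash reproducer attached to the bug report above.  It replays one
// fixed sequence of raw syscalls; the interesting part for a reader is the
// exact byte sequence and ordering, which is why nothing below is checked,
// looped or abstracted.  Two properties matter when reading it:
//
//   * Every store goes to a hard-coded address inside the single anonymous
//     mapping created by the first syscall.  If that mmap() fails the program
//     simply faults; it is only meaningful inside the syzkaller test VM.
//   * The fallback syscall numbers and the hand-built iovec/msghdr layouts
//     (4-byte fields) are the i386 ABI.  For another architecture the
//     reproducer has to be regenerated, not edited.
//
// The extraction of this page had stripped the header names from the five
// #include lines; they are restored here from what the code actually uses
// (htobe16/htobe64, uint*_t, memset/memcpy, syscall/__NR_*).
#define _GNU_SOURCE
#include <endian.h>       // htobe16, htobe64
#include <stdint.h>       // uint16_t, uint32_t, uint64_t
#include <string.h>       // memset, memcpy
#include <sys/syscall.h>  // __NR_* numbers
#include <unistd.h>       // syscall()

// Fallback syscall numbers (i386 values) for headers that do not define them.
#ifndef __NR_setsockopt
#define __NR_setsockopt 366
#endif
#ifndef __NR_sendto
#define __NR_sendto 369
#endif
#ifndef __NR_sendmsg
#define __NR_sendmsg 370
#endif
#ifndef __NR_mmap
#define __NR_mmap 192
#endif
#ifndef __NR_socket
#define __NR_socket 359
#endif
#ifndef __NR_writev
#define __NR_writev 146
#endif

// i386 has no 6-argument mmap syscall; route the call through mmap2.  mmap2
// takes its offset in pages, which does not matter here since the offset is 0.
#undef __NR_mmap
#define __NR_mmap __NR_mmap2

// Resource table filled in by loop(): r[0] and r[1] receive the two socket
// descriptors (or -1 when the socket() call fails; the values are used anyway).
long r[2];

/*
 * Replay the reproducer once.
 *
 * No return value and no error handling: each syscall result is ignored except
 * for the two socket descriptors stored in r[].  All pointer arguments are
 * absolute addresses in the [0x20000000, 0x20fff000) range mapped first.
 */
void loop()
{
    // Mark every resource as "not created" before the replay starts.
    memset(r, -1, sizeof(r));

    // One fixed, anonymous, read/write mapping that every later store targets:
    // prot 3 = PROT_READ|PROT_WRITE, flags 0x32 = MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS,
    // fd -1, offset 0 (constant decode per the Linux uapi headers; confirm on the target).
    syscall(__NR_mmap, 0x20000000, 0xfff000, 3, 0x32, -1, 0);

    // r[0]: socket(0x10, 3, 0).  On Linux that is AF_NETLINK / SOCK_RAW with
    // protocol 0 (NETLINK_ROUTE) -- decoded from public headers, not from this file.
    r[0] = syscall(__NR_socket, 0x10, 3, 0);

    // One 32-bit iovec at 0x2097fff0: iov_base = 0x200f0000, iov_len = 0x3b (59),
    // matching the 59-byte raw netlink message copied below.
    *(uint32_t*)0x2097fff0 = 0x200f0000;
    *(uint32_t*)0x2097fff4 = 0x3b;
    memcpy((void*)0x200f0000,
           "\x34\x00\x00\x00\x13\x00\x19\x47\x04\x00\xff\x00"
           "\x00\x09\x00\xff\xef\xff\xdf\xe6\x01\x00\x00\x00"
           "\x2b\x78\xff\xff\xff\xec\x80\x05\x11\x00\x01\x00"
           "\x00\x00\xf2\xff\xfe\x00\x00\x00\x03\x11\x00\x01"
           "\x00\x18\xe9\x07\x00\x00\x00\x00\x00\x6f\xcb",
           59);
    // writev(r[0], iov, 1): hand the netlink message to the kernel.
    syscall(__NR_writev, r[0], 0x2097fff0, 1);

    // r[1]: socket(0xa, 2, 0) -- AF_INET6 / SOCK_DGRAM (UDP over IPv6).
    r[1] = syscall(__NR_socket, 0xa, 2, 0);

    // setsockopt(r[1], 0x29, 0x18, &val, 4) with val = 0x7ff.  Level 41 is
    // SOL_IPV6 and optname 24 is IPV6_MTU in the Linux uapi headers (decode
    // from headers; verify against the kernel under test).
    *(uint32_t*)0x20d01000 = 0x7ff;
    syscall(__NR_setsockopt, r[1], 0x29, 0x18, 0x20d01000, 4);

    // 2043-byte datagram payload; the sendto() below sends exactly 0x7fb = 2043 bytes.
    memcpy(
        (void*)0x20adb000,
        "\x51\xe2\x51\x57\x88\x51\xf7\x41\x82\xa7\x4b\x89\xb2\x7d\xf4\x27\xae\xef"
        "\x44\x96\x6d\x20\x2e\x41\x38\xb5\xa1\x8e\x75\xa0\x42\x4e\x7f\xe9\x3b\x0d"
        "\x32\xc7\xab\xba\x87\xb6\x5f\x97\xab\xa1\xc2\x6a\x06\xb6\xd9\x4c\x4a\xef"
        "\xd8\xfd\xca\x10\xe7\x44\x39\x10\x62\xc8\xe6\x02\x72\x1c\x20\x05\x16\x08"
        "\xd9\xaa\x6d\xac\xf6\x1e\x1e\xb3\x31\xa4\xda\xad\x40\x2b\x98\x85\x59\x9d"
        "\x56\x13\x0f\x71\x49\xfb\x11\x11\xfa\x11\x6e\x94\x32\x4d\x58\x5a\x05\x69"
        "\xfb\xd3\x11\xda\xd5\x4c\xb4\xe3\x2f\xf7\xf0\x22\x16\x84\x4e\xf4\x2e\xeb"
        "\x66\xc3\xd5\x26\xc8\x78\xd5\x13\x5a\xd1\xc9\x26\x22\x39\x33\x9c\x18\x88"
        "\x5e\x2a\x0a\x95\x85\x4d\x6c\xde\x3d\xd2\xfe\xea\xa5\x02\x16\xaf\x6c\x57"
        "\x60\x92\x34\x13\xaf\x81\x19\x9a\x65\xa6\x33\x2b\x02\xec\x7b\xbf\x79\xd5"
        "\x57\xc0\x33\xcb\xe0\x32\xfd\xc4\x4f\x66\xa5\xc5\x9c\xc4\xa3\xc5\xd2\x18"
        "\xf5\x89\x6b\x35\x9d\x1e\xfd\x60\xba\xf9\x8d\xf6\x39\x65\x67\x47\x8f\x7b"
        "\x81\x7c\xe6\xe1\x1d\x59\xa7\xde\xf4\x52\xa0\xe1\xd0\x60\x7f\x57\xf6\x26"
        "\xa5\xb8\xd4\x76\x63\x6e\xf1\xee\x76\x30\x75\x24\xcf\x9a\xe4\x9b\xe4\xdb"
        "\x0a\xb2\xc8\xea\x0c\x5e\xbd\x1e\x80\xfe\xd6\x32\x15\x5e\x14\xda\x1f\x73"
        "\x24\xd9\x7b\xc6\x1a\x3c\x1e\xdc\x44\x31\xee\x8a\x6c\xaa\x2e\xd9\xf8\x5c"
        "\xea\x5a\x2a\x9b\x26\x36\x30\xc7\xd6\xfc\x35\xdd\xa6\x00\x2d\xa5\x71\xa2"
        "\xe5\x19\x17\xe7\xc1\x01\x9d\x8c\xe2\x1a\x60\x81\x47\xe4\x08\xcc\x4c\x7c"
        "\x5f\x44\x4f\xab\x93\x1b\xda\x86\xd9\x77\xd7\xc9\xcc\xef\xd8\x81\xe5\xef"
        "\x05\xb2\x87\xf4\x1e\xea\x52\x68\x62\x88\x58\x81\xc2\xcd\xc6\x87\xdf\xf0"
        "\x2b\xa9\xb7\x0a\x9b\x08\x73\x4a\xc4\xd6\x2c\x7f\x34\x46\x5c\x34\xaa\x9e"
        "\x9f\x13\x6c\x7f\x79\x6d\x9e\xea\x41\xaa\x37\xf6\x18\x30\x50\x83\x38\xbb"
        "\x1f\x88\x70\x89\x07\x05\x67\xa1\xdd\x96\xcd\x70\x0e\x7a\x09\x8d\xab\xed"
        "\xb6\x0f\x31\xac\xd1\x7d\x48\x7b\xc8\xbe\x1a\x31\x01\xd2\xb5\xac\x17\x15"
        "\x00\x37\x93\x59\x6c\x6d\xaa\x93\xa2\x7f\x4a\xdb\x4d\x6f\xbe\xa5\x66\x9c"
        "\x24\xc2\x06\xc9\x44\x31\x7e\xa1\x8a\x2c\x76\x24\x57\xf1\xbc\x94\x5f\xec"
        "\x8f\x84\x96\x41\xd4\x4e\x7e\x2a\x24\xfa\xee\xe2\x8f\x3f\x26\x63\x95\xfe"
        "\x18\xb0\xdc\xe2\x0c\x1f\x64\xe8\x89\x6c\x8f\xf0\xe4\xa4\x4a\x11\x6f\xb3"
        "\x24\x62\x47\x1a\x0f\xcd\xe1\x43\xe5\x51\x72\x3d\x57\x33\x97\x22\x76\x56"
        "\x73\xb4\x16\x3d\x66\xf4\x73\xac\x10\xf9\x88\xcb\x25\xc8\x90\x74\xfc\xb1"
        "\xbb\xa2\x0c\x41\xbd\xdd\x9c\xa5\xcd\x2f\x10\x66\x32\xf9\x88\x4a\x47\x86"
        "\x6d\x28\x4b\x4e\xfc\x6b\xb1\xaa\x74\xed\x48\xd4\xa6\x53\x57\x95\xf0\x87"
        "\x3a\x99\x90\x7e\xbc\x22\xbe\x23\x37\x36\x4c\xf9\xac\xc0\x63\xe3\x2f\x7d"
        "\x2e\xbd\xfa\xd6\x4d\x04\xaa\x40\x5d\x2d\xbd\xee\x11\x28\xab\x1e\x47\x61"
        "\xd2\xdd\x30\x88\x5a\xd3\x7d\xd1\x68\x47\x8f\x10\x78\x9d\x17\x2f\xee\xf4"
        "\xc8\x17\xa5\xcd\x37\x2c\xaa\xde\x57\xf2\x33\x00\xe4\x5f\x47\xe0\x01\xe3"
        "\xea\x09\x36\x4a\xb4\x2e\xe9\x80\x24\x77\x36\x8b\x99\x10\xf4\xe2\x40\x37"
        "\xc8\x71\xcb\x82\x51\x56\x8c\x79\x22\x87\xa6\xf4\x9f\xa6\x1b\x7c\x26\x00"
        "\xac\xca\xa0\xe7\xb4\x0c\x59\x12\xa9\xe1\x00\x22\x5c\x70\x44\x11\x44\xff"
        "\xa8\x29\x27\xfa\x48\x02\xed\x9e\xbb\x03\xee\xa8\xe9\x45\xaf\x5f\x49\x93"
        "\xf2\x1a\x7f\x53\xba\xf7\xec\x5b\xb6\xcc\x96\xb9\x17\xdd\xe8\x2c\x18\x84"
        "\x0c\x35\x00\xe9\x56\x5f\x68\xf6\x87\xb1\xc7\x3d\x83\x4c\x0d\x99\xd4\xac"
        "\xb0\x02\xdc\x56\x82\xdb\xcd\xb1\x21\x7a\x98\xf6\xc3\xef\x83\x18\xb7\xfa"
        "\x93\x89\x4e\x8a\x09\x7b\x45\x11\xba\x5c\x03\x5e\x27\xc9\xfe\x8b\xfe\x77"
        "\x54\x74\x1a\xc2\x1b\xbc\x03\x03\xb8\x16\x72\xe3\x11\x7e\x55\x90\xfe\x2d"
        "\x92\xf9\x12\x75\x9b\x99\x37\xf6\x42\x04\xec\x5c\xaa\x92\xe2\x18\xda\xa5"
        "\xa3\xef\x64\x61\x7b\xeb\x30\xcc\xcb\x31\x01\x6b\x13\xed\x8d\x7b\xca\xbb"
        "\x03\xe1\x76\xb1\xc9\x06\xa3\x8c\xbd\xa3\xbf\x1c\x12\x56\xab\x74\xab\x6f"
        "\x42\xed\x9b\xaf\xbb\xd0\x09\x62\x63\xbe\x1a\x7d\xa1\xe1\xc8\x8d\xee\xc5"
        "\x5a\x65\x3d\x17\x0e\x1e\x13\xc7\x7d\xac\xaa\x60\xa3\x7a\x6b\xa2\x38\x3e"
        "\x66\x1e\xbc\x9f\x13\xdb\xaa\xde\x2d\xd8\x84\xc9\x95\x18\x19\xfb\x46\x08"
        "\xe1\x9e\x70\xcd\x24\x96\xcc\xfb\x12\xf2\x4c\x71\xf4\x96\xcf\xe9\xbc\x88"
        "\xfe\x1b\xbe\xa1\xe9\xa2\x4b\x1d\x46\x64\xfb\x07\x76\xac\xa6\x26\x9b\x39"
        "\x67\x79\x68\x0e\x52\xf8\x68\x77\xd9\x20\x99\x88\xd1\x2c\xcb\x13\x7b\xe0"
        "\x1a\xb7\x49\x6d\x00\x54\x7a\x7d\x48\x49\xd3\x65\xa1\x8d\xbb\x55\xc4\x29"
        "\xcd\xe8\x7d\x33\xc4\xb7\x4a\xd2\x27\x3c\xdf\xee\x88\xb5\x41\x88\x66\xef"
        "\x32\x7f\x25\xe9\xcb\xcd\x5a\x64\xd9\x71\x84\x33\x9f\x7e\x4c\xb5\xf8\xde"
        "\x17\x1d\x27\x79\xc0\xf6\x88\x84\xae\x83\x5e\x39\x8f\x98\x2d\x57\x49\xf0"
        "\x85\x62\x8d\x36\x08\x98\x66\x56\xea\x04\xb7\x21\xf8\x28\x20\x2e\x93\x42"
        "\xbd\x7d\x19\xdf\xa0\x91\xe7\x72\xae\xbf\x97\x18\x03\x01\x67\xa8\xc0\x29"
        "\xdf\x7c\x58\xb7\xf4\x00\x58\x2b\xd9\x5e\x5a\xd8\x02\x05\x0d\x87\x75\xef"
        "\x37\x3e\x8e\x2c\x5b\xf3\x52\x5f\x90\x7a\xdd\x3b\xe4\x26\xcd\x5a\x07\x9c"
        "\x49\xab\xff\xe9\x33\xe9\xee\x21\x3a\x3b\xaf\x34\xf9\x32\xd1\x29\x93\x12"
        "\x69\x1e\x1c\x53\xe6\x24\x7a\xe0\x98\x9a\xd6\x60\x70\xd5\x1f\xad\x22\x85"
        "\x6a\x8b\x6b\x28\x95\x4e\x7d\x41\x18\x9b\x11\xc5\x32\x17\x89\xee\xc8\x67"
        "\x0d\xe9\xe8\xdb\x0b\x04\x73\xba\x2e\x02\x73\x1e\x60\xbe\x63\x26\x97\xd6"
        "\x1e\x05\x2c\x18\xd4\xbc\xc6\xd1\x57\x2f\xdf\x42\x6f\x7b\x2f\xee\x6c\x1d"
        "\xee\x66\xc8\x5c\x49\x7b\x90\xfa\xca\xf6\x3b\x8e\xc5\xcd\xe4\xa7\x34\x00"
        "\xf9\x18\x0b\xcf\xc0\xf8\x1e\xca\x95\x80\xa7\xc8\x14\x62\xa0\x77\xf9\x03"
        "\x40\x26\xbf\x72\xaa\x7c\x6d\xe4\xb3\xc1\x5d\x4a\x2d\xbd\x6f\xd7\xd8\x70"
        "\x84\xae\xa9\xf2\x5f\xb4\xbf\x5e\xc8\x3e\xb5\x68\x74\xa7\x60\x53\x37\x92"
        "\xdf\xf2\x69\x54\x07\xcc\xdd\x6a\x73\x75\xe0\x00\x72\x30\xfd\x3f\x65\x01"
        "\xc1\x52\xf1\xc1\xff\x27\x9b\x1d\x67\xcc\x95\xf2\x82\x07\x62\xb7\x92\x76"
        "\x59\x36\x8e\x41\x65\x7b\xde\xf2\xdd\x15\xb6\x34\x98\xa9\x3b\x78\x7b\xdb"
        "\x26\x80\x9d\x73\x4a\xaf\x98\xb8\x6f\xcf\x9f\xc6\x43\xa3\x4d\x03\xeb\xbe"
        "\x07\x28\x20\x66\x2d\x20\xf4\x77\x4d\x66\xc5\xae\x0a\x0a\xda\xde\x5b\x8f"
        "\x62\x42\xa0\x59\xb9\x26\x22\x1e\xe3\xd6\x77\x48\x74\x71\xc4\x32\xb0\xd6"
        "\xd6\x4d\xad\x03\x07\x03\x47\x5b\xb3\xec\xac\x39\xb2\x04\xa8\x14\xf5\xec"
        "\xe5\x96\x16\x21\x35\x8e\x36\xf8\xa2\xcf\x71\x96\xc7\x69\x59\x82\x4b\xbb"
        "\x47\x5a\x7c\xad\x8f\x57\x85\x3f\xe0\x5f\x59\xf3\x41\xb5\xb4\x96\x79\x04"
        "\xda\xf8\x33\xd9\x1a\xe9\x46\x1e\xf1\x00\x36\xf8\xbe\x77\x00\xd6\x6f\x2d"
        "\x2c\x3a\x63\xdb\xa8\xeb\x35\xe7\x12\x72\x46\x02\x9e\x22\x2f\x0b\x2a\xeb"
        "\xbe\x76\x7f\x51\x25\xe2\xd9\xea\x5d\x59\x87\xb9\xbb\x96\xf3\x03\xe4\xf3"
        "\xc6\x47\xc7\x76\xc5\xb6\x30\x64\x72\x89\x6d\xce\xbe\x0d\xe6\xd0\x01\xb4"
        "\x53\xa4\xe2\x6d\xfe\x43\x3b\x40\x95\x86\xe0\xfa\xca\x3e\xe8\x9e\x8b\x93"
        "\x6e\xa4\x6b\x97\xa0\xf6\x63\x54\x4a\x8f\x47\x84\xc6\xb4\x84\x33\x49\x49"
        "\xf5\x83\xb0\x25\x57\x64\x5c\x7d\x78\x84\x91\x0e\xaf\x48\x79\xda\x3f\x4f"
        "\x37\xce\x78\x9b\x72\x8a\x49\xd0\x54\x67\x30\xe2\xad\xb0\xa9\xcb\x74\x62"
        "\x0b\x0c\xf3\xa2\x80\x61\xa6\x07\x08\x9a\x47\xa2\x3e\x83\x1c\x16\xdd\x00"
        "\x2f\xc6\xad\x4e\xbd\x7c\x62\xd2\x65\xda\x40\xd6\xbf\xd1\x45\x69\x8d\x18"
        "\xd1\x45\x22\xe1\x9a\xa5\x99\xcd\x9e\x41\x2c\x46\x44\xdc\xcb\x31\x84\x9b"
        "\xd5\xe3\x14\x11\xc6\xff\x92\x49\xbe\x50\x76\x2c\xc6\xfd\xaa\x01\xa7\xcd"
        "\xcb\x16\x2d\xc0\x51\x65\x24\x00\x2b\x68\x8a\x46\x2f\x69\xb6\xcc\xe3\x48"
        "\xa6\xdc\x5e\x93\x56\xae\x39\x38\x90\x9e\xa0\x62\xf9\x50\x12\x20\x21\x4e"
        "\x83\xa4\xe6\x21\xb8\xd6\x85\x92\x5c\x92\xc7\x56\x4e\x91\x32\xcf\xe1\x0f"
        "\x8a\xcb\x64\x6b\x73\x11\x14\xff\x10\x14\x79\xf9\x9d\x70\xa4\xbd\x60\x33"
        "\xbf\x5e\x4e\x66\x75\x12\x0f\xa2\x1d\x06\x10\xa6\x85\xaf\x21\xba\x76\x16"
        "\x2f\xa5\xcc\x57\x10\x56\xb2\x95\xb8\xf9\x98\x7f\xde\xf1\x45\x26\xbe\x89"
        "\x51\x62\x34\xde\xe2\xd9\x3b\xf7\xce\xba\x53\x3a\xf0\x7b\xb7\xa6\xe9\xf1"
        "\xd5\x75\x6f\x81\xa7\x55\x8b\x5e\x02\x9e\x66\x2c\x5d\xfe\x00\xf6\x57\xbd"
        "\x5a\x51\x65\xc6\xd4\x4b\xd9\x0f\x71\x93\x42\xb7\xac\x36\xeb\x8f\x10\xcd"
        "\xae\xda\x44\xc0\x79\xec\xb3\x1d\x32\x41\x25\xac\x84\x8a\x27\xba\x17\x3a"
        "\xd3\x5d\x1a\xcd\x4e\x20\x63\x87\xec\xea\x47\x4d\x6a\x70\x08\x6d\x22\x54"
        "\x48\xe2\x47\xbf\xcd\x51\xec\xae\x1f\x15\xdf\xe1\x0a\xcc\x50\xe7\x75\x7c"
        "\xca\x9c\x5e\xf8\x05\x62\xb6\x32\x24\xc3\x25\x9d\x6d\x1f\xc9\x28\x26\x4d"
        "\x35\x6b\x83\x45\xba\x03\xe1\x0c\xd6\x97\x0c\x03\x43\xee\x98\x35\x9d\xcb"
        "\x59\x20\xb8\x3c\xb0\xaa\x03\x48\x07\xf4\x00\x50\xc6\xcf\x63\x54\x3e\x10"
        "\x7d\x85\xbf\xa8\x2c\xe4\xf5\xe9\x0f\x60\x78\xa7\x43\xb0\xc7\xcc\xdd\x00"
        "\x7c\x7c\x01\x15\xab\xfd\x5a\x9a\x52\x87\x3b\x7b\x5d\xa7\x8a\x1a\xb7\x40"
        "\x40\x16\xc5\xd0\x0a\xab\xcf\xc3\xe1\x60\x70\xb8\x22\x2a\x99\xef\xeb\xeb"
        "\xf6\x04\x2e\x6d\xa1\xdb\xb3\xe7\x82\xd8\x31\xc0\xeb\x4f\x46\x4b\x82\xab"
        "\xc0\xa8\x8f\x72\x4a\xfb\x9f\x28\x17\xb8\xb7\x12\xf2\xf5\x3d\x9b\xd0\x56"
        "\x49\xad\x0e\xd2\x75\x3d\xed\xd8\xc0\x0c\x18\x03\xb4\xe0\xda\x5b\x9e\xd5"
        "\x7e\x43\xc9\x32\xc1\x8e\xd1\x24\x8e",
        2043);

    // Destination sockaddr_in6 built field by field at 0x20efbfe4 (28 bytes,
    // which is the 0x1c passed as addrlen): family 0xa (AF_INET6), port
    // htobe16(0x4e23), flowinfo 0x7ff, address ::1 (two big-endian 64-bit
    // halves 0 and 1), scope_id 0.
    *(uint16_t*)0x20efbfe4 = 0xa;
    *(uint16_t*)0x20efbfe6 = htobe16(0x4e23);
    *(uint32_t*)0x20efbfe8 = 0x7ff;
    *(uint64_t*)0x20efbfec = htobe64(0);
    *(uint64_t*)0x20efbff4 = htobe64(1);
    *(uint32_t*)0x20efbffc = 0;
    // sendto(r[1], payload, 2043, flags 0x8044, &sin6, 28).  0x8044 reads as
    // MSG_NOSIGNAL|MSG_DONTWAIT|MSG_DONTROUTE per the uapi headers (confirm).
    syscall(__NR_sendto, r[1], 0x20adb000, 0x7fb, 0x8044, 0x20efbfe4, 0x1c);

    // setsockopt(r[1], 0x11, 0x65, &val, 4) with val = 0xf24.  Level 17 is
    // SOL_UDP; optname 101 is UDP_NO_CHECK6_TX in the uapi headers (confirm).
    *(uint32_t*)0x204e2ffc = 0xf24;
    syscall(__NR_setsockopt, r[1], 0x11, 0x65, 0x204e2ffc, 4);

    // 32-bit struct msghdr at 0x205bc000, seven 4-byte fields in order:
    //   msg_name       = 0x20e2b000   msg_namelen    = 0x80 (128)
    //   msg_iov        = 0x20f8bfd0   msg_iovlen     = 0    (iov array never read)
    //   msg_control    = 0x207c7000   msg_controllen = 0
    //   msg_flags      = 0
    *(uint32_t*)0x205bc000 = 0x20e2b000;
    *(uint32_t*)0x205bc004 = 0x80;
    *(uint32_t*)0x205bc008 = 0x20f8bfd0;
    *(uint32_t*)0x205bc00c = 0;
    *(uint32_t*)0x205bc010 = 0x207c7000;
    *(uint32_t*)0x205bc014 = 0;
    *(uint32_t*)0x205bc018 = 0;
    // msg_name: a 2-byte family of 0 (AF_UNSPEC) followed by 126 bytes of
    // address data, 128 bytes total to match msg_namelen.
    *(uint16_t*)0x20e2b000 = 0;
    memcpy((void*)0x20e2b002,
           "\xda\xf8\xff\xff\xff\xff\xff\xff\xff\x31\x7a\x53\x32\xb0\xcf\xb6\x1b"
           "\x34\x0e\x63\xf8\xab\x69\x18\x22\xe9\x01\xe7\xff\x4a\xc8\x15\xf9\x50"
           "\x59\xfc\x0d\x82\xc5\x7f\x84\x46\x86\xfb\xbf\x26\x8f\x3d\x6b\x53\xef"
           "\xc1\xcb\x2b\xa3\x00\x01\x18\x6a\x68\x50\x67\x76\xe9\xeb\xa5\xeb\xd0"
           "\x39\x01\x00\x00\x00\xff\xff\xd6\xff\xec\x35\x12\x0e\xc6\x4f\xa7\x33"
           "\xc1\xc9\x82\x76\xb2\x6e\xae\xce\x29\x00\x72\x7e\x34\x02\x81\x4d\xc2"
           "\x56\xce\xae\xcb\x2c\x80\xff\x58\x91\x1d\xbf\xf9\x00\x00\x00\x00\xff"
           "\x01\x00\x02\x00\x00\xb4\x56",
           126);
    // sendmsg(r[1], &msghdr, 0): the final call of the sequence.
    syscall(__NR_sendmsg, r[1], 0x205bc000, 0);
}

// Entry point: run the replay exactly once and exit 0 regardless of outcome.
int main(void)
{
    loop();
    return 0;
}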