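// https://syzkaller.appspot.com/bug?id=4522c4fb3896c243a66d4bda935f828e80899c2c
// autogenerated by syzkaller (http://github.com/google/syzkaller)
//
// Reproducer layout (reformatted from the generated one-line form):
//   1. map a fixed, anonymous, writable region at 0x20000000;
//   2. open "/dev/sg#" through syz_open_dev(), which substitutes the '#';
//   3. fill a 0x22c-byte buffer at 0x20438000 and write() it to that fd;
//   4. readv() once from the same fd with a single iovec at 0x20bb7000.
// Return values are deliberately not checked: the program is meant to
// replay the syscall sequence exactly, not to stop on the first failure.
//
// The header names were lost when this page was extracted; the list below
// is reconstructed from the symbols the code actually uses (open/O_RDWR,
// snprintf, str*/mem*, syscall/__NR_*, htobe16/htobe32, uintN_t).

#define _GNU_SOURCE
#include <endian.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

// Mask of the low bf_len bits, in the given integer type.
#define BITMASK_LEN(type, bf_len) (type)((1ull << (bf_len)) - 1)
// The same mask shifted up to bit position bf_off.
#define BITMASK_LEN_OFF(type, bf_off, bf_len) \
  (type)(BITMASK_LEN(type, (bf_len)) << (bf_off))
// Store val into the bitfield [bf_off, bf_off+bf_len) of the object at addr.
// bf_off == bf_len == 0 means "whole object". val is truncated to bf_len
// bits before being merged, so e.g. 0x7ff into a 1-bit field stores 1.
// Wrapped in do/while(0) so the if/else cannot pair with an outer `else`.
#define STORE_BY_BITMASK(type, addr, val, bf_off, bf_len)                 \
  do {                                                                    \
    if ((bf_off) == 0 && (bf_len) == 0) {                                 \
      *(type*)(addr) = (type)(val);                                       \
    } else {                                                              \
      type sbm_cur = *(type*)(addr);                                      \
      sbm_cur &= ~BITMASK_LEN_OFF(type, (bf_off), (bf_len));              \
      sbm_cur |= ((type)(val)&BITMASK_LEN(type, (bf_len))) << (bf_off);   \
      *(type*)(addr) = sbm_cur;                                           \
    }                                                                     \
  } while (0)

// Open a device node.
//   a0 == 0xc / 0xb: open /dev/char/<a1>:<a2> or /dev/block/<a1>:<a2>
//                    read-write (major/minor truncated to 8 bits).
//   otherwise:       a0 is a pointer to a NUL-terminated template; every
//                    '#' is replaced by a decimal digit of a1 (least
//                    significant first) and the path is opened with flags a2.
// Returns the open(2) result widened to uintptr_t, so -1 comes back as
// UINTPTR_MAX; the caller stores it in a long, which restores -1.
static uintptr_t syz_open_dev(uintptr_t a0, uintptr_t a1, uintptr_t a2)
{
  if (a0 == 0xc || a0 == 0xb) {
    char buf[128];
    // Longest possible result is "/dev/block/255:255", well inside buf;
    // snprintf keeps the bound explicit anyway.
    snprintf(buf, sizeof(buf), "/dev/%s/%d:%d",
             a0 == 0xc ? "char" : "block", (uint8_t)a1, (uint8_t)a2);
    return open(buf, O_RDWR, 0);
  } else {
    char buf[1024];
    char* hash;
    // strncpy may leave buf unterminated on an overlong source, hence the
    // explicit terminator on the next line.
    strncpy(buf, (char*)a0, sizeof(buf));
    buf[sizeof(buf) - 1] = 0;
    while ((hash = strchr(buf, '#'))) {
      *hash = '0' + (char)(a1 % 10);
      a1 /= 10;
    }
    return open(buf, (int)a2, 0);
  }
}

// Fallback syscall numbers; these values match the i386 table, and the
// __NR_mmap2 redirect below only resolves on 32-bit targets.
#ifndef __NR_readv
#define __NR_readv 145
#endif
#ifndef __NR_mmap
#define __NR_mmap 192
#endif
#ifndef __NR_write
#define __NR_write 4
#endif
#undef __NR_mmap
#define __NR_mmap __NR_mmap2

// Result slots for syscalls whose return value later calls need (r[0] = fd).
long r[1];

// Replay the recorded syscall sequence once.
// The multi-byte stores below are unaligned (e.g. 0x20438061, 0x20438093,
// 0x204380a9); that matches the generated code and assumes an x86 target.
// Runs of byte-wise zero stores from the original have been collapsed into
// memset() calls covering exactly the same address ranges.
void loop(void)
{
  memset(r, -1, sizeof(r));
  // 0xfff000 bytes at 0x20000000, PROT_READ|PROT_WRITE,
  // MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS (0x32 on Linux/x86).
  syscall(__NR_mmap, 0x20000000, 0xfff000, 3, 0x32, -1, 0);
  memcpy((void*)0x20005000, "/dev/sg#", 9);
  // Template "/dev/sg#" with a1 == 0 opens /dev/sg0; 0x8002 are the open flags.
  r[0] = syz_open_dev(0x20005000, 0, 0x8002);

  // ---- 0x22c-byte payload at 0x20438000, written to r[0] below ----
  *(uint8_t*)0x20438000 = 3;
  *(uint8_t*)0x20438001 = 3;
  *(uint16_t*)0x20438002 = 5;
  *(uint16_t*)0x20438004 = 7;
  *(uint16_t*)0x20438006 = 0x81;
  *(uint16_t*)0x20438008 = 6;
  STORE_BY_BITMASK(uint8_t, 0x2043800a, 0, 0, 4);
  STORE_BY_BITMASK(uint8_t, 0x2043800a, 6, 4, 4);
  memcpy((void*)0x2043800b, "\x96\x14\x4e", 3);
  *(uint16_t*)0x2043800e = htobe16(0x1fa);
  *(uint8_t*)0x20438010 = -1;
  *(uint8_t*)0x20438011 = 8;
  memset((void*)0x20438012, 0, 16); /* 0x20438012..0x20438021 */
  *(uint8_t*)0x20438022 = -1;
  *(uint8_t*)0x20438023 = 2;
  memset((void*)0x20438024, 0, 13); /* 0x20438024..0x20438030 */
  *(uint8_t*)0x20438031 = 1;
  *(uint8_t*)0x20438032 = 0x5c;
  *(uint8_t*)0x20438033 = 0;
  *(uint8_t*)0x20438034 = -1;
  STORE_BY_BITMASK(uint8_t, 0x20438035, 0, 0, 1);
  STORE_BY_BITMASK(uint8_t, 0x20438035, 0, 1, 2);
  STORE_BY_BITMASK(uint8_t, 0x20438035, 2, 3, 5);
  *(uint32_t*)0x20438036 = 0x67;
  *(uint8_t*)0x2043803a = 0x2c;
  *(uint8_t*)0x2043803b = 1;
  memset((void*)0x2043803c, 0, 6); /* 0x2043803c..0x20438041 */
  *(uint8_t*)0x20438042 = 1;
  *(uint8_t*)0x20438043 = 8;
  memset((void*)0x20438044, 0, 8); /* 0x20438044..0x2043804b */
  // 0x2043804c..0x20438051 are never written by the generated program.
  *(uint8_t*)0x20438052 = 0x7f;
  *(uint8_t*)0x20438053 = 4;
  memset((void*)0x20438054, 0, 6); /* 0x20438054..0x20438059 */
  *(uint8_t*)0x2043805a = 5;
  *(uint8_t*)0x2043805b = 0;
  *(uint8_t*)0x2043805c = 0;
  *(uint8_t*)0x2043805d = 1;
  *(uint8_t*)0x2043805e = 0;
  *(uint8_t*)0x2043805f = 5;
  *(uint8_t*)0x20438060 = 2;
  *(uint16_t*)0x20438061 = htobe16(0xbe);
  *(uint8_t*)0x20438063 = 4;
  *(uint8_t*)0x20438064 = 1;
  *(uint8_t*)0x20438065 = 5;
  *(uint8_t*)0x20438066 = 4;
  *(uint8_t*)0x20438067 = 1;
  *(uint8_t*)0x20438068 = 0x13;
  *(uint8_t*)0x20438069 = 0xc9;
  *(uint8_t*)0x2043806a = 0x10;
  memset((void*)0x2043806b, 0, 10); /* 0x2043806b..0x20438074 */
  *(uint8_t*)0x20438075 = -1;
  *(uint8_t*)0x20438076 = -1;
  *(uint8_t*)0x20438077 = 0xac;
  *(uint8_t*)0x20438078 = 0x14;
  *(uint8_t*)0x20438079 = 0;
  *(uint8_t*)0x2043807a = 0xbb;
  *(uint8_t*)0x2043807b = 1;
  *(uint8_t*)0x2043807c = 2;
  memset((void*)0x2043807d, 0, 8); /* 0x2043807d..0x20438084 */
  *(uint8_t*)0x20438085 = 0xc9;
  *(uint8_t*)0x20438086 = 0x10;
  memset((void*)0x20438087, 0, 10); /* 0x20438087..0x20438090 */
  *(uint8_t*)0x20438091 = -1;
  *(uint8_t*)0x20438092 = -1;
  *(uint32_t*)0x20438093 = htobe32(0xe0000001);
  *(uint8_t*)0x20438097 = 4;
  *(uint8_t*)0x20438098 = 0xb;
  memset((void*)0x20438099, 0, 6); /* 0x20438099..0x2043809e */
  *(uint8_t*)0x2043809f = 7;
  *(uint8_t*)0x204380a0 = 0x58;
  *(uint32_t*)0x204380a1 = htobe32(0x8000);
  *(uint8_t*)0x204380a5 = 0x14;
  *(uint8_t*)0x204380a6 = 6;
  *(uint16_t*)0x204380a7 = 2;
  *(uint64_t*)0x204380a9 = 8;
  *(uint64_t*)0x204380b1 = 1;
  *(uint64_t*)0x204380b9 = 0x800;
  *(uint64_t*)0x204380c1 = 3;
  *(uint64_t*)0x204380c9 = 0x7f;
  *(uint64_t*)0x204380d1 = 0x8000;
  *(uint64_t*)0x204380d9 = 3;
  *(uint64_t*)0x204380e1 = 0;
  *(uint64_t*)0x204380e9 = 0x7fffffff;
  *(uint64_t*)0x204380f1 = 0x100;
  *(uint8_t*)0x204380ff = 0x3a;
  *(uint8_t*)0x20438100 = 0x12;
  *(uint8_t*)0x20438101 = 3;
  *(uint8_t*)0x20438102 = 4;
  *(uint32_t*)0x20438103 = 0;
  *(uint8_t*)0x20438107 = 0xfe;
  *(uint8_t*)0x20438108 = 0x80;
  memset((void*)0x20438109, 0, 13); /* 0x20438109..0x20438115 */
  *(uint8_t*)0x20438116 = 0xaa;
  memset((void*)0x20438117, 0, 10); /* 0x20438117..0x20438120 */
  *(uint8_t*)0x20438121 = -1;
  *(uint8_t*)0x20438122 = -1;
  *(uint32_t*)0x20438123 = htobe32(9);
  *(uint8_t*)0x20438127 = 0xfe;
  *(uint8_t*)0x20438128 = 0x80;
  memset((void*)0x20438129, 0, 13); /* 0x20438129..0x20438135 */
  *(uint8_t*)0x20438136 = 0xbb;
  memset((void*)0x20438137, 0, 10); /* 0x20438137..0x20438140 */
  *(uint8_t*)0x20438141 = -1;
  *(uint8_t*)0x20438142 = -1;
  *(uint32_t*)0x20438143 = htobe32(0);
  memset((void*)0x20438147, 0, 10); /* 0x20438147..0x20438150 */
  *(uint8_t*)0x20438151 = -1;
  *(uint8_t*)0x20438152 = -1;
  *(uint32_t*)0x20438153 = htobe32(0x7f000001);
  *(uint8_t*)0x20438157 = 0xfe;
  *(uint8_t*)0x20438158 = 0x80;
  memset((void*)0x20438159, 0, 13); /* 0x20438159..0x20438165 */
  *(uint8_t*)0x20438166 = 0x12;
  *(uint8_t*)0x20438167 = 0xfe;
  *(uint8_t*)0x20438168 = 0x80;
  memset((void*)0x20438169, 0, 13); /* 0x20438169..0x20438175 */
  *(uint8_t*)0x20438176 = 0xaa;
  *(uint8_t*)0x20438177 = -1;
  *(uint8_t*)0x20438178 = 2;
  memset((void*)0x20438179, 0, 13); /* 0x20438179..0x20438185 */
  *(uint8_t*)0x20438186 = 1;
  *(uint8_t*)0x20438187 = 0xfe;
  *(uint8_t*)0x20438188 = 0x80;
  memset((void*)0x20438189, 0, 13); /* 0x20438189..0x20438195 */
  *(uint8_t*)0x20438196 = 0xc;
  *(uint8_t*)0x20438197 = 1;
  *(uint8_t*)0x20438198 = 6;
  memset((void*)0x20438199, 0, 7); /* 0x20438199..0x2043819f */
  *(uint8_t*)0x204381a0 = 1;
  *(uint8_t*)0x204381a1 = 0;
  *(uint8_t*)0x204381a2 = 4;
  *(uint8_t*)0x204381a3 = 1;
  *(uint8_t*)0x204381a4 = 7;
  *(uint8_t*)0x204381a5 = 4;
  *(uint8_t*)0x204381a6 = 1;
  *(uint8_t*)0x204381a7 = 0;
  *(uint8_t*)0x204381a8 = 0xc2;
  *(uint8_t*)0x204381a9 = 4;
  *(uint32_t*)0x204381aa = htobe32(0);
  *(uint8_t*)0x204381ae = 5;
  *(uint8_t*)0x204381af = 2;
  *(uint16_t*)0x204381b0 = htobe16(0xfd3f);
  *(uint8_t*)0x204381b2 = 5;
  *(uint8_t*)0x204381b3 = 2;
  *(uint16_t*)0x204381b4 = htobe16(-1);
  *(uint8_t*)0x204381b6 = 1;
  *(uint8_t*)0x204381b7 = 3;
  *(uint8_t*)0x204381b8 = 0;
  *(uint8_t*)0x204381b9 = 0;
  *(uint8_t*)0x204381ba = 0;
  *(uint8_t*)0x204381bb = 0xc9;
  *(uint8_t*)0x204381bc = 0x10;
  *(uint8_t*)0x204381bd = 0xfe;
  *(uint8_t*)0x204381be = 0x80;
  memset((void*)0x204381bf, 0, 13); /* 0x204381bf..0x204381cb */
  *(uint8_t*)0x204381cc = 0xaa;
  *(uint8_t*)0x204381cd = 4;
  *(uint8_t*)0x204381ce = 1;
  *(uint8_t*)0x204381cf = 0;
  *(uint8_t*)0x204381d0 = 0x3c;
  memset((void*)0x204381d1, 0, 7); /* 0x204381d1..0x204381d7 */
  *(uint8_t*)0x204381d8 = 0xc2;
  *(uint8_t*)0x204381d9 = 4;
  *(uint32_t*)0x204381da = htobe32(0x80000001);
  *(uint8_t*)0x204381de = 0x3a;
  *(uint8_t*)0x204381df = 6;
  *(uint8_t*)0x204381e0 = 2;
  *(uint8_t*)0x204381e1 = 1;
  *(uint32_t*)0x204381e2 = 0;
  *(uint8_t*)0x204381e6 = -1;
  *(uint8_t*)0x204381e7 = 1;
  memset((void*)0x204381e8, 0, 13); /* 0x204381e8..0x204381f4 */
  *(uint8_t*)0x204381f5 = 1;
  *(uint8_t*)0x204381f6 = -1;
  *(uint8_t*)0x204381f7 = 2;
  memset((void*)0x204381f8, 0, 13); /* 0x204381f8..0x20438204 */
  *(uint8_t*)0x20438205 = 1;
  *(uint8_t*)0x20438206 = 0xfe;
  *(uint8_t*)0x20438207 = 0x80;
  memset((void*)0x20438208, 0, 13); /* 0x20438208..0x20438214 */
  *(uint8_t*)0x20438215 = 0xbb;
  STORE_BY_BITMASK(uint16_t, 0x20438216, 0, 0, 1);
  STORE_BY_BITMASK(uint16_t, 0x20438216, 0, 1, 1);
  STORE_BY_BITMASK(uint16_t, 0x20438216, 1, 2, 1);
  STORE_BY_BITMASK(uint16_t, 0x20438216, 0, 3, 1);
  STORE_BY_BITMASK(uint16_t, 0x20438216, 0, 4, 4);
  STORE_BY_BITMASK(uint16_t, 0x20438216, -1, 8, 1);
  STORE_BY_BITMASK(uint16_t, 0x20438216, 0, 9, 4);
  STORE_BY_BITMASK(uint16_t, 0x20438216, 1, 13, 3);
  *(uint16_t*)0x20438218 = htobe16(0x880b);
  *(uint16_t*)0x2043821a = htobe16(0);
  *(uint16_t*)0x2043821c = htobe16(1);
  *(uint16_t*)0x2043821e = htobe16(4);
  *(uint16_t*)0x20438220 = htobe16(8);
  // Note: 0x3f into a 1-bit field stores only its low bit (1).
  STORE_BY_BITMASK(uint16_t, 0x20438222, 0x3f, 0, 1);
  STORE_BY_BITMASK(uint16_t, 0x20438222, 0, 1, 1);
  STORE_BY_BITMASK(uint16_t, 0x20438222, 0, 2, 1);
  STORE_BY_BITMASK(uint16_t, 0x20438222, 0, 3, 1);
  STORE_BY_BITMASK(uint16_t, 0x20438222, 0, 4, 9);
  STORE_BY_BITMASK(uint16_t, 0x20438222, 0, 13, 3);
  *(uint16_t*)0x20438224 = htobe16(0x800);
  *(uint16_t*)0x20438226 = htobe16(1);
  STORE_BY_BITMASK(uint16_t, 0x20438228, -1, 0, 1);
  STORE_BY_BITMASK(uint16_t, 0x20438228, 0, 1, 1);
  STORE_BY_BITMASK(uint16_t, 0x20438228, 0x7ff, 2, 1);
  STORE_BY_BITMASK(uint16_t, 0x20438228, 0xef, 3, 1);
  STORE_BY_BITMASK(uint16_t, 0x20438228, 0, 4, 9);
  STORE_BY_BITMASK(uint16_t, 0x20438228, 0, 13, 3);
  *(uint16_t*)0x2043822a = htobe16(0x86dd);

  // Hand the 0x22c-byte buffer to the device; r[0] may be -1 if the open
  // failed, in which case the kernel simply rejects the call.
  syscall(__NR_write, r[0], 0x20438000, 0x22c);

  // One struct iovec at 0x20bb7000 (32-bit layout: base, then len):
  // base 0x20f93fcb lies inside the fixed mapping, len 0x3e.
  *(uint32_t*)0x20bb7000 = 0x20f93fcb;
  *(uint32_t*)0x20bb7004 = 0x3e;
  syscall(__NR_readv, r[0], 0x20bb7000, 1);
}

int main(void)
{
  loop();
  return 0;
}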