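// https://syzkaller.appspot.com/bug?id=de6519e18a472f06a6b530c84c3be8a29c554900
// autogenerated by syzkaller (http://github.com/google/syzkaller)
//
// Kernel crash reproducer for the syzkaller bug linked above. It has the usual
// syzkaller C-repro shape: one fixed read/write mapping at 0x20000000 holds
// every syscall argument structure, each built with raw typed stores at
// absolute addresses, and syscall results land in r[] (-1 when a call was
// skipped or failed). The four #include lines had lost their header names in
// extraction; they are restored from what the code actually uses:
// memset/memcpy (<string.h>), syscall (<unistd.h>, needs _GNU_SOURCE),
// __NR_* numbers (<sys/syscall.h>) and the uintN_t stores (<stdint.h>).

#define _GNU_SOURCE
#include <stdint.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

// bpf(2) number for x86-64; only used when the libc headers predate it.
#ifndef __NR_bpf
#define __NR_bpf 321
#endif

// Syscall results, indexed by the generator's slot numbers (gaps are normal:
// slots between used ones belonged to arguments the generator folded away).
long r[177];

// One pass of the reproducer's syscall program. All effects are in the kernel
// (and in r[]); the function itself returns nothing.
void loop(void)
{
    // Every long becomes -1, the "not produced" marker used by the checks below.
    memset(r, -1, sizeof(r));

    // mmap(0x20000000, 0xfff000, prot 0x3 = PROT_READ|PROT_WRITE,
    //      flags 0x32 = MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS on x86-64, -1, 0).
    // Every store below targets this mapping; if it is missing they would
    // fault, so fail explicitly instead of dying with SIGSEGV.
    r[0] = syscall(__NR_mmap, 0x20000000ul, 0xfff000ul, 0x3ul, 0x32ul,
                   0xfffffffffffffffful, 0x0ul);
    if (r[0] == -1)
        _exit(1);

    // socketpair(domain 1 = AF_UNIX, type 5 = SOCK_SEQPACKET, 0, fds at
    // 0x2000dff8). The two ends go to r[2]/r[3]; they stay -1 on failure and
    // are still used below, exactly as generated.
    r[1] = syscall(__NR_socketpair, 0x1ul, 0x5ul, 0x0ul, 0x2000dff8ul);
    if (r[1] != -1)
        r[2] = *(uint32_t*)0x2000dff8;
    if (r[1] != -1)
        r[3] = *(uint32_t*)0x2000dffc;

    // bpf_attr for BPF_PROG_LOAD at 0x20b4cfd0 (0x30 bytes): prog_type 1,
    // insn_cnt 2, insns, license, log_level 1, log_size 0x80, log_buf,
    // kern_version 0, prog_flags 0 — field meanings inferred from the
    // struct layout, not stated by the generator.
    *(uint32_t*)0x20b4cfd0 = (uint32_t)0x1;
    *(uint32_t*)0x20b4cfd4 = (uint32_t)0x2;
    *(uint64_t*)0x20b4cfd8 = (uint64_t)0x20ef3000;
    *(uint64_t*)0x20b4cfe0 = (uint64_t)0x20b4d000;
    *(uint32_t*)0x20b4cfe8 = (uint32_t)0x1;
    *(uint32_t*)0x20b4cfec = (uint32_t)0x80;
    *(uint64_t*)0x20b4cff0 = (uint64_t)0x2000a000;
    *(uint32_t*)0x20b4cff8 = (uint32_t)0x0;
    *(uint32_t*)0x20b4cffc = (uint32_t)0x0;

    // Two 8-byte BPF instructions at 0x20ef3000. The (uint8_t) casts keep only
    // the low byte of the generator's constants (0xb7, then 0x95); the wider
    // literals are left as generated so this stays identical to the report.
    *(uint8_t*)0x20ef3000 = (uint8_t)0x8db7;
    *(uint8_t*)0x20ef3001 = (uint8_t)0x0;
    *(uint16_t*)0x20ef3002 = (uint16_t)0x0;
    *(uint32_t*)0x20ef3004 = (uint32_t)0x0;
    *(uint8_t*)0x20ef3008 = (uint8_t)0xd395;
    *(uint8_t*)0x20ef3009 = (uint8_t)0x0;
    *(uint16_t*)0x20ef300a = (uint16_t)0x0;
    *(uint32_t*)0x20ef300c = (uint32_t)0x0;

    // License string "syseO" (NUL-terminated) referenced by the bpf_attr.
    memcpy((void*)0x20b4d000, "\x73\x79\x73\x65\x4f\x00", 6);

    // bpf(cmd 5 = BPF_PROG_LOAD, attr, 0x30) -> program fd (or -1) in r[22].
    r[22] = syscall(__NR_bpf, 0x5ul, 0x20b4cfd0ul, 0x30ul);

    // socket(domain 0x29 = 41, type 5, 0) -> r[23]. 41 is AF_KCM on Linux,
    // which matches the 0x89e0 ioctl below (SIOCKCMATTACH takes a
    // {sock fd, bpf fd} pair) — inferred from the constants, verify against
    // the kernel headers in use.
    r[23] = syscall(__NR_socket, 0x29ul, 0x5ul, 0x0ul);
    *(uint32_t*)0x20760ff8 = r[2];
    *(uint32_t*)0x20760ffc = r[22];
    r[26] = syscall(__NR_ioctl, r[23], 0x89e0ul, 0x20760ff8ul);

    // Five message headers for sendmmsg at 0x20c7b000, written at a 56-byte
    // stride (name, namelen, iov, iovlen, control, controllen, flags).
    // NOTE(review): the kernel's struct mmsghdr carries a trailing msg_len and
    // is 64 bytes on x86-64, so what the kernel reads is offset from what is
    // written here for entries 2..5; that mismatch is part of the generated
    // input and is deliberately not "fixed".
    *(uint64_t*)0x20c7b000 = (uint64_t)0x2086b000;
    *(uint32_t*)0x20c7b008 = (uint32_t)0xa;
    *(uint64_t*)0x20c7b010 = (uint64_t)0x209c7fa0;
    *(uint64_t*)0x20c7b018 = (uint64_t)0x6;
    *(uint64_t*)0x20c7b020 = (uint64_t)0x20f45f50;
    *(uint64_t*)0x20c7b028 = (uint64_t)0x5;
    *(uint32_t*)0x20c7b030 = (uint32_t)0x20008054;
    *(uint64_t*)0x20c7b038 = (uint64_t)0x2073fff8;
    *(uint32_t*)0x20c7b040 = (uint32_t)0x8;
    *(uint64_t*)0x20c7b048 = (uint64_t)0x205dafe0;
    *(uint64_t*)0x20c7b050 = (uint64_t)0x2;
    *(uint64_t*)0x20c7b058 = (uint64_t)0x20000000;
    *(uint64_t*)0x20c7b060 = (uint64_t)0x0;
    *(uint32_t*)0x20c7b068 = (uint32_t)0x4000;
    *(uint64_t*)0x20c7b070 = (uint64_t)0x20c58ff6;
    *(uint32_t*)0x20c7b078 = (uint32_t)0xa;
    *(uint64_t*)0x20c7b080 = (uint64_t)0x20fbaf90;
    *(uint64_t*)0x20c7b088 = (uint64_t)0x7;
    *(uint64_t*)0x20c7b090 = (uint64_t)0x200b7fc0;
    *(uint64_t*)0x20c7b098 = (uint64_t)0x2;
    *(uint32_t*)0x20c7b0a0 = (uint32_t)0xc080;
    *(uint64_t*)0x20c7b0a8 = (uint64_t)0x20cd0ff8;
    *(uint32_t*)0x20c7b0b0 = (uint32_t)0x8;
    *(uint64_t*)0x20c7b0b8 = (uint64_t)0x2057ffc0;
    *(uint64_t*)0x20c7b0c0 = (uint64_t)0x4;
    *(uint64_t*)0x20c7b0c8 = (uint64_t)0x20000000;
    *(uint64_t*)0x20c7b0d0 = (uint64_t)0x0;
    *(uint32_t*)0x20c7b0d8 = (uint32_t)0x84;
    *(uint64_t*)0x20c7b0e0 = (uint64_t)0x200d9ff6;
    *(uint32_t*)0x20c7b0e8 = (uint32_t)0xa;
    *(uint64_t*)0x20c7b0f0 = (uint64_t)0x20b96fe0;
    *(uint64_t*)0x20c7b0f8 = (uint64_t)0x2;
    *(uint64_t*)0x20c7b100 = (uint64_t)0x209e3fc0;
    *(uint64_t*)0x20c7b108 = (uint64_t)0x2;
    *(uint32_t*)0x20c7b110 = (uint32_t)0x1;

    // Message 1: AF_UNIX (family 1) address "./file0", a 6-entry iovec array,
    // and an ancillary buffer holding SOL_SOCKET (level 1) cmsgs — the first
    // (len 0x30, type 1 = SCM_RIGHTS) passes the pair ends, the BPF fd and the
    // r[23] socket as file descriptors; the others (type 2) are credentials.
    *(uint16_t*)0x2086b000 = (uint16_t)0x1;
    memcpy((void*)0x2086b002, "\x2e\x2f\x66\x69\x6c\x65\x30\x00", 8);
    *(uint64_t*)0x209c7fa0 = (uint64_t)0x20b08000;
    *(uint64_t*)0x209c7fa8 = (uint64_t)0x0;
    *(uint64_t*)0x209c7fb0 = (uint64_t)0x20739000;
    *(uint64_t*)0x209c7fb8 = (uint64_t)0x0;
    *(uint64_t*)0x209c7fc0 = (uint64_t)0x203cef67;
    *(uint64_t*)0x209c7fc8 = (uint64_t)0x0;
    *(uint64_t*)0x209c7fd0 = (uint64_t)0x20484000;
    *(uint64_t*)0x209c7fd8 = (uint64_t)0x0;
    *(uint64_t*)0x209c7fe0 = (uint64_t)0x207fa000;
    *(uint64_t*)0x209c7fe8 = (uint64_t)0x0;
    *(uint64_t*)0x209c7ff0 = (uint64_t)0x20b53f7a;
    *(uint64_t*)0x209c7ff8 = (uint64_t)0x0;
    *(uint64_t*)0x20f45f50 = (uint64_t)0x30;
    *(uint32_t*)0x20f45f58 = (uint32_t)0x1;
    *(uint32_t*)0x20f45f5c = (uint32_t)0x1;
    *(uint32_t*)0x20f45f60 = r[3];
    *(uint32_t*)0x20f45f64 = r[22];
    *(uint32_t*)0x20f45f68 = r[23];
    *(uint32_t*)0x20f45f6c = r[23];
    *(uint32_t*)0x20f45f70 = r[2];
    *(uint32_t*)0x20f45f74 = r[2];
    *(uint32_t*)0x20f45f78 = r[3];
    *(uint64_t*)0x20f45f80 = (uint64_t)0x20;
    *(uint32_t*)0x20f45f88 = (uint32_t)0x1;
    *(uint32_t*)0x20f45f8c = (uint32_t)0x2;
    *(uint32_t*)0x20f45f90 = (uint32_t)0x0;
    *(uint32_t*)0x20f45f94 = (uint32_t)0x0;
    *(uint32_t*)0x20f45f98 = (uint32_t)0x0;
    *(uint64_t*)0x20f45fa0 = (uint64_t)0x20;
    *(uint32_t*)0x20f45fa8 = (uint32_t)0x1;
    *(uint32_t*)0x20f45fac = (uint32_t)0x1;
    *(uint32_t*)0x20f45fb0 = r[22];
    *(uint32_t*)0x20f45fb4 = r[23];
    *(uint32_t*)0x20f45fb8 = r[23];
    *(uint32_t*)0x20f45fbc = r[3];
    *(uint64_t*)0x20f45fc0 = (uint64_t)0x20;
    *(uint32_t*)0x20f45fc8 = (uint32_t)0x1;
    *(uint32_t*)0x20f45fcc = (uint32_t)0x1;
    *(uint32_t*)0x20f45fd0 = r[2];
    *(uint32_t*)0x20f45fd4 = r[3];
    *(uint32_t*)0x20f45fd8 = r[23];
    // Truncates to 0xffffff9c (-100), which is not a valid descriptor.
    *(uint32_t*)0x20f45fdc = (uint32_t)0xffffffffffffff9c;
    *(uint64_t*)0x20f45fe0 = (uint64_t)0x20;
    *(uint32_t*)0x20f45fe8 = (uint32_t)0x1;
    *(uint32_t*)0x20f45fec = (uint32_t)0x2;
    *(uint32_t*)0x20f45ff0 = (uint32_t)0x0;
    *(uint32_t*)0x20f45ff4 = (uint32_t)0x0;
    *(uint32_t*)0x20f45ff8 = (uint32_t)0x0;

    // Message 2: 8-byte address (family 1, port-like field 0x4e22) and a
    // 2-entry iovec.
    *(uint16_t*)0x2073fff8 = (uint16_t)0x1;
    *(uint8_t*)0x2073fffa = (uint8_t)0x0;
    *(uint32_t*)0x2073fffc = (uint32_t)0x4e22;
    *(uint64_t*)0x205dafe0 = (uint64_t)0x2071df35;
    *(uint64_t*)0x205dafe8 = (uint64_t)0x0;
    *(uint64_t*)0x205daff0 = (uint64_t)0x20dd8fde;
    *(uint64_t*)0x205daff8 = (uint64_t)0x0;

    // Message 3: AF_UNIX "./file0" again, a 7-entry iovec, and a 2-cmsg
    // credentials-only ancillary buffer.
    *(uint16_t*)0x20c58ff6 = (uint16_t)0x1;
    memcpy((void*)0x20c58ff8, "\x2e\x2f\x66\x69\x6c\x65\x30\x00", 8);
    *(uint64_t*)0x20fbaf90 = (uint64_t)0x20bcbfec;
    *(uint64_t*)0x20fbaf98 = (uint64_t)0x0;
    *(uint64_t*)0x20fbafa0 = (uint64_t)0x20243f2d;
    *(uint64_t*)0x20fbafa8 = (uint64_t)0x0;
    *(uint64_t*)0x20fbafb0 = (uint64_t)0x208aef49;
    *(uint64_t*)0x20fbafb8 = (uint64_t)0x0;
    *(uint64_t*)0x20fbafc0 = (uint64_t)0x20e53000;
    *(uint64_t*)0x20fbafc8 = (uint64_t)0x0;
    *(uint64_t*)0x20fbafd0 = (uint64_t)0x202fd000;
    *(uint64_t*)0x20fbafd8 = (uint64_t)0x0;
    *(uint64_t*)0x20fbafe0 = (uint64_t)0x203a9000;
    *(uint64_t*)0x20fbafe8 = (uint64_t)0x0;
    *(uint64_t*)0x20fbaff0 = (uint64_t)0x20847000;
    *(uint64_t*)0x20fbaff8 = (uint64_t)0x0;
    *(uint64_t*)0x200b7fc0 = (uint64_t)0x20;
    *(uint32_t*)0x200b7fc8 = (uint32_t)0x1;
    *(uint32_t*)0x200b7fcc = (uint32_t)0x2;
    *(uint32_t*)0x200b7fd0 = (uint32_t)0x0;
    *(uint32_t*)0x200b7fd4 = (uint32_t)0x0;
    *(uint32_t*)0x200b7fd8 = (uint32_t)0x0;
    *(uint64_t*)0x200b7fe0 = (uint64_t)0x20;
    *(uint32_t*)0x200b7fe8 = (uint32_t)0x1;
    *(uint32_t*)0x200b7fec = (uint32_t)0x2;
    *(uint32_t*)0x200b7ff0 = (uint32_t)0x0;
    *(uint32_t*)0x200b7ff4 = (uint32_t)0x0;
    *(uint32_t*)0x200b7ff8 = (uint32_t)0x0;

    // Message 4: 8-byte address with family 0 and a 4-entry iovec.
    *(uint16_t*)0x20cd0ff8 = (uint16_t)0x0;
    *(uint8_t*)0x20cd0ffa = (uint8_t)0x0;
    *(uint32_t*)0x20cd0ffc = (uint32_t)0x4e22;
    *(uint64_t*)0x2057ffc0 = (uint64_t)0x20751f84;
    *(uint64_t*)0x2057ffc8 = (uint64_t)0x0;
    *(uint64_t*)0x2057ffd0 = (uint64_t)0x20e34000;
    *(uint64_t*)0x2057ffd8 = (uint64_t)0x0;
    *(uint64_t*)0x2057ffe0 = (uint64_t)0x20d9d000;
    *(uint64_t*)0x2057ffe8 = (uint64_t)0x0;
    *(uint64_t*)0x2057fff0 = (uint64_t)0x20dc7f19;
    *(uint64_t*)0x2057fff8 = (uint64_t)0x0;

    // Message 5: AF_UNIX "./file0", a 2-entry iovec, and an ancillary buffer
    // with one SCM_RIGHTS cmsg (r[2], r[23], r[3]) plus one credentials cmsg.
    *(uint16_t*)0x200d9ff6 = (uint16_t)0x1;
    memcpy((void*)0x200d9ff8, "\x2e\x2f\x66\x69\x6c\x65\x30\x00", 8);
    *(uint64_t*)0x20b96fe0 = (uint64_t)0x20995fe5;
    *(uint64_t*)0x20b96fe8 = (uint64_t)0x0;
    *(uint64_t*)0x20b96ff0 = (uint64_t)0x2074e000;
    *(uint64_t*)0x20b96ff8 = (uint64_t)0x0;
    *(uint64_t*)0x209e3fc0 = (uint64_t)0x20;
    *(uint32_t*)0x209e3fc8 = (uint32_t)0x1;
    *(uint32_t*)0x209e3fcc = (uint32_t)0x1;
    *(uint32_t*)0x209e3fd0 = r[2];
    *(uint32_t*)0x209e3fd4 = r[23];
    *(uint32_t*)0x209e3fd8 = r[3];
    *(uint64_t*)0x209e3fe0 = (uint64_t)0x20;
    *(uint32_t*)0x209e3fe8 = (uint32_t)0x1;
    *(uint32_t*)0x209e3fec = (uint32_t)0x2;
    *(uint32_t*)0x209e3ff0 = (uint32_t)0x0;
    *(uint32_t*)0x209e3ff4 = (uint32_t)0x0;
    *(uint32_t*)0x209e3ff8 = (uint32_t)0x0;

    // sendmmsg(r[3], headers, 5, flags 0x20008010) on one end of the pair; the
    // crash, if it reproduces, is triggered in the kernel by this call or the
    // fd-passing it carries, not by anything in this process.
    r[176] = syscall(__NR_sendmmsg, r[3], 0x20c7b000ul, 0x5ul, 0x20008010ul);
}

// Runs the syscall program once and exits; the exit status does not reflect
// whether the bug reproduced (that shows up as a kernel report, not here).
int main(void)
{
    loop();
    return 0;
}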