// https://syzkaller.appspot.com/bug?id=a74718ca902617e6aa7327aa008b25844eccf2d3 // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #define __syscall syscall static uintptr_t syz_open_pts(void) { int master, slave; if (openpty(&master, &slave, NULL, NULL, NULL) == -1) return -1; if (dup2(master, master + 100) != -1) close(master); return slave; } uint64_t r[1] = {0xffffffffffffffff}; int main(void) { syscall(SYS_mmap, 0x20000000ul, 0x1000000ul, 3ul, 0x1012ul, -1, 0ul, 0ul); intptr_t res = 0; res = syz_open_pts(); if (res != -1) r[0] = res; syscall(SYS_mknod, 0ul, 4ul, 0x701); syscall(SYS_close, r[0]); syz_open_pts(); *(uint64_t*)0x200009c0 = 0x20000800; memcpy((void*)0x20000800, "\x02\x39\xbd\x9a\x7f\x65\x95\x09\x42\x9b\xf2\xb1\x02\x85\x46\xd8\x66" "\x4e\x15\x0f\x4a\xc2\xf8\xaf\x0b\x5c\xf0\xf8\x59\xe9\x01\xcc\xcd\x66" "\x04\x13\x20\x58\x2d\xf8\xe0\x02\x03\xbd\x62\xbe\x9a\x3e\x4a\x00\x81" "\x56\x00\x56\xe8\xf8\x12\xa9\xdc\x8d\xc6\x7b\x53\x6e\x6d\x26\x09\xe7" "\x2f\x34\x89\x8b\xbb\xa6\x88\xa8\x99\xe4\xc1\x73\x9e\x24\x42\x9a\xad" "\xfd\xce\x00\x6f\xb8\x77\x26\x20\x1b\xd5\xb9\xd8\xcc\x81\x72\xdb\xa4" "\x09\xba\x8a\xe8\x5a\xf0\x52\xce\x46\xac\x0d\x21\x94\xa5\x97\x31\xf6" "\x39\x12\xce\xe3\x52\x36\x5a\x0b\xac\x83\xa3\x7e\xe3\xc7\x68\x18\x6a" "\x30\xb9\xa7\x73\xfc\xba\xe5\xa6\xa4\x20\xf3\x9e\x94\xc4\x2d\x1f\x33" "\xb3\x28\x6d\x16\xa1\xe9\xc7\x1d\x7b\x62\xa5\x65\xbc\xb9\xda\x8e\x81" "\x43\x41\x35\xad\xd0\xcf\x24\x84\x66\x09\xe2\x23\x5b\x61\x66\x6e\x9c" "\x3b\x34\x3a\x37\xc3\xf7\xa1\x1a\xee\x6e\x48\x32\x4b\x3e\x6c\x0f\x25" "\xcc\xd2\x14\x2e\x76\x57\x2b\xc0\x62\x60\x17\xb3\xde\xea\xd5\xdc\xa1", 221); *(uint64_t*)0x200009c8 = 0xfe53; syscall(SYS_writev, r[0], 0x200009c0ul, 1ul); return 0; }