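// https://syzkaller.appspot.com/bug?id=47ffd53c1f3612fc8749ef9acb1cec7e79afce0c
// autogenerated by syzkaller (https://github.com/google/syzkaller)
//
// Kernel-fuzzer reproducer: maps a fixed scratch region, opens /dev/pf,
// issues one sendmsg() on an invalid descriptor and then one ioctl() on the
// pf descriptor. The statement order and every constant are kept exactly as
// generated so the program still reproduces the report linked above.

#define _GNU_SOURCE

// NOTE(review): the page carried ten `#include` directives whose header names
// were lost in extraction. Only the headers the visible code needs are
// restored here (fixed-width integer types, memcpy, SYS_* numbers, syscall());
// the remaining six could not be recovered from the page.
#include <stdint.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

#define __syscall syscall

// Resource table: r[0] holds the /dev/pf descriptor once openat() succeeds and
// stays at the all-ones sentinel (-1 as an fd) otherwise.
uint64_t r[1] = {0xffffffffffffffff};

int main(void)
{
  // Scratch arena at the fixed address 0x20000000 (16 MiB, prot 3). Every
  // pointer below is a hard-coded address inside it. The result is not
  // checked, so a failed mapping faults on the first store.
  // NOTE(review): flags 0x1012 and the seven-argument form look like a BSD
  // mmap (private | fixed | anonymous plus a pad argument) - confirm against
  // the target's headers.
  syscall(SYS_mmap, 0x20000000ul, 0x1000000ul, 3ul, 0x1012ul, -1, 0ul, 0ul);
  intptr_t res = 0;

  // Open the packet-filter control device. 0xffffffffffffff9c is -100 as a
  // 64-bit value (presumably AT_FDCWD); flags 2 is presumably O_RDWR.
  // NOTE(review): /dev/pf is normally reachable only by privileged users -
  // confirm the device-node permissions on the target to judge who can reach
  // this ioctl path.
  memcpy((void*)0x20000200, "/dev/pf\000", 8);
  res = syscall(SYS_openat, 0xffffffffffffff9cul, 0x20000200ul, 2ul, 0ul);
  if (res != -1)
    r[0] = res;

  // Message header record at 0x20000840 with one iovec at 0x20000080 that
  // points at the 187-byte (0xbb) blob at 0x20000280.
  // NOTE(review): the field mapping (name, namelen, iov, iovlen, control,
  // controllen, flags) is inferred from the offsets - confirm against the
  // target's struct msghdr.
  *(uint64_t*)0x20000840 = 0;
  *(uint32_t*)0x20000848 = 0;
  *(uint64_t*)0x20000850 = 0x20000080;
  *(uint64_t*)0x20000080 = 0x20000280;
  memcpy((void*)0x20000280,
         "\x04\x00\x00\x00\x32\xda\x2e\xdb\x09\x7f\x27\x41\x85\x5f\xd2\x88\xfd"
         "\x96\xe3\xdf\x95\x3d\x89\x10\xa0\x8e\x31\xd9\x04\x75\x85\xbb\x7b\x78"
         "\x00\x00\x00\x00\x00\x00\x00\x03\x22\x0b\xe6\x22\x45\xc2\xb9\x78\x47"
         "\x85\xf0\x8b\x2b\x70\x82\x37\xc7\x75\xfd\x4f\x8e\x9c\x13\x04\xd3\x53"
         "\x97\x72\x23\x56\xed\xc1\x57\xb0\x32\x6b\xdf\x84\xe5\x89\xd5\x8a\xbd"
         "\x35\xd0\x49\x25\x3c\xbd\x68\x91\x41\x2d\xd2\x9f\xa6\x1e\xf7\x23\x08"
         "\x00\x00\x00\x00\x00\x00\x00\x5f\x89\x13\xe9\x4d\x29\x75\x68\x83\x95"
         "\xab\xea\x28\x8b\xb6\x2c\x21\xbc\x46\x91\xfd\x24\xc1\x71\x6d\x5f\xc0"
         "\x95\x42\xa0\x33\x7b\x01\xde\x42\xe8\x00\x08\x00\x00\xe8\xb8\x0b\x57"
         "\xa3\x91\x6a\xab\xff\x1d\x5b\x1b\x7f\xc3\xab\x17\x55\x59\x76\x69\x37"
         "\xe7\xaf\x95\x1e\x50\x43\xe3\xf8\xd2\x60\xb8\xfe\x04\x75\xe8\x0b\x18",
         187);
  *(uint64_t*)0x20000088 = 0xbb;
  *(uint64_t*)0x20000858 = 1;
  *(uint64_t*)0x20000860 = 0;
  *(uint64_t*)0x20000868 = 0;
  *(uint32_t*)0x20000870 = 0;

  // The descriptor argument is -1, so this call is expected to fail before
  // the payload is consumed; it is kept because the fuzzer emitted it.
  syscall(SYS_sendmsg, -1, 0x20000840ul, 0ul);

  // The ioctl under test. Only the first 32-bit word of the argument is
  // written (to 0) here; nothing else in this program stores to the rest of
  // the argument buffer.
  // NOTE(review): under the BSD ioctl encoding 0xc1084425 decodes as
  // read/write, group 'D', command 0x25, argument size 0x108 bytes - map it
  // to the named pf request in the target kernel's pf header when triaging.
  // If openat() failed, r[0] is still the sentinel and this call is made on
  // an invalid descriptor.
  *(uint32_t*)0x20000240 = 0;
  syscall(SYS_ioctl, r[0], 0xc1084425ul, 0x20000240ul);
  return 0;
}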