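// https://syzkaller.appspot.com/bug?id=6edcae717dd29099e4fc8d59c00c2ed14241d0ee
// autogenerated by syzkaller (https://github.com/google/syzkaller)
//
// Reproducer shape: three fixed anonymous mappings are created, one character
// device is opened by major:minor, a request block is written at a fixed
// address inside the middle mapping, and a single ioctl is issued on the fd.
// All addresses and values are the fuzzer's chosen input; nothing here is
// parameterised, so it should be run only in the disposable VM used for
// kernel crash triage, as with any syzkaller reproducer.

#define _GNU_SOURCE

#include <endian.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

/* Fallback syscall numbers when the libc headers do not provide them; these
 * values are the asm-generic table (used by e.g. arm64/riscv), so on an
 * architecture with its own numbering <sys/syscall.h> must win. */
#ifndef __NR_ioctl
#define __NR_ioctl 29
#endif
#ifndef __NR_mmap
#define __NR_mmap 222
#endif

/*
 * syzkaller's syz_open_dev() pseudo-syscall.
 *
 * a0 == 0xc or 0xb: open "/dev/char/<a1>:<a2>" or "/dev/block/<a1>:<a2>"
 *   (major:minor, each truncated to 8 bits) with O_RDWR.
 * otherwise: a0 is a path template; every '#' is replaced, left to right,
 *   by successive decimal digits of a1 (least significant first), and the
 *   result is opened with flags a2.
 *
 * Returns the fd from open(), or -1 on failure (errno as set by open()).
 */
static long syz_open_dev(volatile long a0, volatile long a1, volatile long a2)
{
  if (a0 == 0xc || a0 == 0xb) {
    char buf[128];
    /* Bounded formatting; the longest expansion, "/dev/block/255:255", fits. */
    snprintf(buf, sizeof buf, "/dev/%s/%d:%d",
             a0 == 0xc ? "char" : "block", (uint8_t)a1, (uint8_t)a2);
    return open(buf, O_RDWR, 0);
  }

  char buf[1024];
  /* strncpy does not guarantee a terminator, hence the explicit NUL. */
  strncpy(buf, (char *)a0, sizeof(buf) - 1);
  buf[sizeof(buf) - 1] = 0;
  char *hash;
  while ((hash = strchr(buf, '#'))) {
    *hash = '0' + (char)(a1 % 10);
    a1 /= 10;
  }
  return open(buf, a2, 0);
}

/* Result slot: r[0] holds the fd returned by syz_open_dev, or all-ones
 * (-1 when passed as a long) if the open failed, in which case the ioctl
 * below is issued on an invalid fd and is expected to fail with EBADF. */
uint64_t r[1] = {0xffffffffffffffff};

int main(void)
{
  /* Fixed mappings, flags 0x32 = MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS:
   * a no-access guard page below, 16 MiB of prot 7 (read/write/exec) data,
   * and a guard page above. Every raw address used below lies in the
   * middle mapping; the return values are deliberately not checked, as in
   * the generated original. */
  syscall(__NR_mmap, 0x1ffff000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul);
  syscall(__NR_mmap, 0x20000000ul, 0x1000000ul, 7ul, 0x32ul, -1, 0ul);
  syscall(__NR_mmap, 0x21000000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul);

  /* Character device major 4, minor 0x14 (20). */
  intptr_t res = syz_open_dev(0xc, 4, 0x14);
  if (res != -1)
    r[0] = res;

  /* Request block at 0x20000000: five 32-bit fields followed by an
   * 8-byte-aligned pointer at +0x18 to the 1024-byte payload copied in
   * below. The layout (op, flags, width, height, charcount, data) is
   * consistent with struct console_font_op, the argument of KDFONTOP;
   * op 5, height 0x563e and charcount 0 are the fuzzer-chosen values —
   * see the bug URL in the header for what they trigger. */
  *(uint32_t *)0x20000000 = 5;
  *(uint32_t *)0x20000004 = 0;
  *(uint32_t *)0x20000008 = 0;
  *(uint32_t *)0x2000000c = 0x563e;
  *(uint32_t *)0x20000010 = 0;
  *(uint64_t *)0x20000018 = 0x20000540;
  memcpy(
      (void *)0x20000540,
      "\xc0\xb5\x3c\x84\xd1\x20\x95\xe7\x35\x93\x7e\x38\x1e\x56\xd0\x26\x79\x3c"
      "\xbe\xed\xff\xfd\xdc\x65\xbb\x77\x26\x8c\x74\x0b\x73\x4c\x57\x51\x96\x33"
      "\x88\x5b\x12\x73\xad\x9b\x53\x60\x12\x24\xda\x3d\xb6\x6e\x47\x50\xd3\x5c"
      "\x5d\x35\xda\xad\xdb\x6d\xb6\x55\x12\x5e\x5b\x61\x30\x53\x93\x75\xa3\x32"
      "\x3d\xa2\xcc\xd3\xc0\x55\x52\x27\x80\x43\xf8\xa6\x9f\x48\x2b\x34\x5c\x66"
      "\x0f\x4b\xed\x71\xfb\x05\xc5\x62\x03\x03\xcf\xb7\xd8\xee\xc1\x93\xd4\x22"
      "\xc7\x5b\x49\x9e\xd3\x1b\xf3\xa6\x87\xa8\x7a\xe3\x27\xb8\x8f\x37\x00\x0a"
      "\x54\xc5\x5d\x48\x0b\xbc\xe8\xfd\x0c\xa5\x17\x58\x6a\x44\xbe\x67\x83\x2d"
      "\x24\x78\xe7\x59\x00\x36\x78\x93\x01\x17\x04\xd3\xbc\x02\x15\xf8\x36\xd0"
      "\x2c\x39\xb6\x4f\xb5\xe0\xe0\x45\xef\xa3\xed\x8e\x1b\x73\xa1\x9c\xf0\xba"
      "\xc9\x2d\x41\xf6\xf0\x25\xab\x11\x06\x3d\x0e\xe3\x0c\x16\xcd\xc2\xfe\xe4"
      "\x55\xe2\xb2\xf6\x83\x11\x60\xfa\xac\xd9\x2e\x7e\xc1\x16\x6d\x62\xca\x9c"
      "\x1c\x01\xc6\xc8\x4b\x3c\x45\xfe\x43\x56\xb2\xb1\xf0\xc2\x87\xbb\x56\xdf"
      "\xc6\xd6\xaf\xce\x79\x8d\x31\xe8\x65\x49\x75\xbe\xd4\x42\x07\x8f\x7d\xa8"
      "\x38\xeb\x84\x25\xbd\x4d\xf1\x6c\xb0\xb5\xa8\x20\x43\x6e\xb7\xb6\x04\x62"
      "\xf3\xa3\x0c\x37\x31\xee\x90\xa1\x42\x27\x3f\x2c\x54\x8a\x44\x27\x2a\x0d"
      "\x8a\x07\x5a\xb6\xd4\x77\x26\x43\xd2\x5e\x2e\xf7\x54\x89\x91\xa0\xbd\xff"
      "\x56\xa4\xd1\x09\xc4\x2e\x8c\xfa\xb2\xde\x32\x72\x89\xc2\x17\x42\xfb\x7b"
      "\x47\x1a\xec\x94\xd1\xb4\x61\xd7\x1f\xc5\x45\x7c\x21\x86\x05\xc9\xb6\x01"
      "\xf1\x3e\x28\xd5\x52\xf7\x57\x97\xad\x3e\x71\x5a\x33\x9f\x80\xec\x68\xdd"
      "\xc0\xce\x53\xe1\x42\x52\x16\xcb\x3a\x94\xe3\xe7\x65\x16\x6a\x3a\x37\x2d"
      "\xee\x62\x85\xa6\x6e\x25\xc1\x5f\xc4\xcc\x1f\x5c\x7d\x50\xeb\x07\x24\xbb"
      "\xf0\xe7\x53\x07\xc2\xa8\x68\x05\x65\x8a\xf2\x1a\x45\x28\xe8\xa0\x47\x46"
      "\xd0\xab\x2c\xad\x6c\x71\x53\x22\x7b\xac\x73\xa9\x91\x54\x66\xe6\xdb\xea"
      "\x3c\xd6\x09\xc2\xe7\xda\x8e\xdd\x78\x5a\xdb\x04\xd5\x4b\x4d\x10\x07\xc7"
      "\x32\x4f\xdf\x59\x05\x4f\xd2\x32\x17\xa5\x0c\x80\x7f\xb1\x55\x2c\xc4\x9f"
      "\xbe\xc0\xd3\x64\x7c\xeb\xd5\x3c\xac\x53\x0d\x7c\x62\xae\x5c\xbf\x92\x0a"
      "\x4c\x76\xb6\xd1\xda\x57\xc8\x15\xc6\xe5\x32\x01\x89\xbc\x4e\xfe\x61\x2f"
      "\x25\x64\xcc\x09\xd2\xff\xc2\x64\x60\x62\x0e\x15\x03\x60\x3d\xa5\x11\xb3"
      "\x5c\xb5\x35\x74\x15\xb6\xfa\xaf\x1f\x8f\xcd\x5a\x50\x92\x97\x93\xcf\x11"
      "\xdf\x92\xee\x5a\xfa\xbf\x19\xff\x1e\x5f\x42\x98\xf7\x35\xb3\xf5\x14\xd8"
      "\xfc\xe1\xb4\x05\xe2\xd5\x33\xde\xda\xc3\x94\x01\xf3\x1f\xe0\x4c\xcc\xb0"
      "\x20\xa9\xc2\xf5\x6d\x34\x6c\xe3\x50\x2f\x4e\x91\x58\x0c\x36\x6f\x39\x6c"
      "\xd8\xe2\x70\xbe\x76\xa0\xa7\x7d\x79\x51\x98\x16\x7c\x05\x31\x5e\x0a\xd7"
      "\xea\x4b\xe9\x27\xd2\xa7\x0e\x70\x4e\x28\xbe\x26\x7a\x30\x48\x32\x9d\x5c"
      "\x52\x23\x55\xe7\x5b\xc7\xec\xb5\x9f\x6d\x1d\xd0\xc8\x6b\x43\x78\x8a\x18"
      "\xd5\x8b\x8e\x00\x87\x5f\xe3\x25\x94\x08\xb0\x97\x29\x7d\x91\x58\xfd\xc7"
      "\x74\xdb\x11\x03\x46\xae\x68\xf3\xfb\xfb\x7a\x09\xbc\x30\xbd\x12\xfb\xa9"
      "\xf6\x9a\x6e\x50\xee\x24\x54\x0c\xb9\x7f\x57\xd7\x12\x83\xf5\x7e\xc5\x61"
      "\xec\xa0\x4d\x40\xd9\xd9\x79\xbf\xc9\x4f\x71\x4d\x7c\xa2\x5f\x1e\xea\x20"
      "\x2b\xfa\x6e\xba\xf7\x5a\x3c\x2c\x08\x62\x6a\x18\xaf\x60\x46\xdd\xf9\x61"
      "\xe8\xad\x9c\xcb\x65\xeb\xbd\xe6\x30\x94\xa4\x2f\x80\x31\xf4\x4a\x08\x5c"
      "\xf6\x0b\x9d\x4d\x8d\xbb\xa4\x96\x59\xde\x0d\xfc\xb6\x5f\x3b\x3f\x0b\x03"
      "\xde\x42\x74\x15\x08\xba\x98\xed\x73\x63\x01\x51\x1c\xd7\x43\x45\x56\x2e"
      "\xcb\xbc\xc5\x62\xf2\x43\x57\x21\xcc\xc7\x71\x1e\x74\x22\x3c\x02\x88\x1b"
      "\xa5\x2f\x0c\x8b\x6c\x1d\xd9\xbc\xd6\x87\x62\xe9\xfb\x5e\x9a\xbe\xfd\xff"
      "\x32\x5a\xd6\x3f\x38\x66\xb6\xd2\x98\xbb\x9a\x31\xa2\x5b\xd8\xa2\xee\x5a"
      "\xda\xfd\x98\x85\xf2\x37\xb3\x42\x76\x74\x73\xcd\xd7\x87\x7c\xdd\x31\xf3"
      "\xbc\x2b\xd9\x89\x97\x18\xde\xb9\x0f\x5e\x33\x7d\xb3\x8c\xb9\x88\x3d\x63"
      "\x4c\x9b\x78\x2d\x72\x28\x53\x26\x31\x52\x98\x79\x36\x49\x2d\xd4\xe6\x1c"
      "\xaa\xc3\xa0\x25\x82\x83\xdf\xb0\x51\x7e\x56\x5d\x6d\x74\x74\x99\x75\x07"
      "\xa6\x16\x12\x88\x69\xc0\x73\x10\x22\xfb\x67\x8f\x84\xf7\xb2\x15\x12\x63"
      "\x0c\x5f\x9e\x94\xa0\x56\x80\x67\x35\x6e\xbc\xb1\xfd\x6c\x47\xe5\x05\x0f"
      "\x09\x53\x41\xa3\xd8\xdf\xaa\x22\xc4\xd4\xf8\x22\x5c\x18\xa6\x65\x64\x37"
      "\xd1\xdc\x2d\x26\x35\x30\x27\x3f\xef\xe4\xfa\x00\x7d\x5f\xb0\x02\x48\xce"
      "\x44\xab\x80\x70\xc7\x8e\x16\x75\xaa\x28\x34\x2c\x1e\x5a\xff\x03\x67\x08"
      "\x85\x62\x67\x4e\x38\x8f\xe6\xab\x13\xa5\x87\x78\xda\x74\xda\xac",
      1024);

  /* 0x4b72 matches the value of KDFONTOP (console font operations) on
   * Linux. The fd is whatever syz_open_dev returned, or -1 if it failed;
   * the return value is not checked, as in the generated original. */
  syscall(__NR_ioctl, r[0], 0x4b72, 0x20000000ul);
  return 0;
}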