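// https://syzkaller.appspot.com/bug?id=c7ac769bd7ee15549b8a2be188bcee07d98a5357
// autogenerated by syzkaller (https://github.com/google/syzkaller)
//
// Kernel crash reproducer. The dev_t encoding quoted below (major 99,
// minor 264247 from 0x4086337) and the mmap flag value are OpenBSD's.
// It is a proof-of-concept, not a tool: there is no error checking, the
// mknod(2) of a character device needs root, and "./bus" is left behind
// in the working directory when the program exits. Run it only inside a
// disposable VM that is expected to panic.
//
// The original #include list was garbled in the copy this page was taken
// from; the headers below provide every name the program uses
// (syscall(2), the SYS_* numbers, memcpy, fixed-width integers).

#define _GNU_SOURCE

#include <stdint.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

#define __syscall syscall

// Result slot for the one syscall whose return value is reused later:
// the open(2) of "./bus". It stays -1 if that open fails, in which case
// the final ioctl is issued on an invalid descriptor and fails with
// EBADF instead of reaching the driver.
uint64_t r[1] = {0xffffffffffffffff};

int main(void)
{
  // Fixed 16 MiB scratch mapping at 0x20000000; every syscall argument
  // below is assembled in it at a hard-coded offset.
  // 3 = PROT_READ|PROT_WRITE, 0x1012 = MAP_PRIVATE|MAP_FIXED|MAP_ANON.
  syscall(SYS_mmap, 0x20000000ul, 0x1000000ul, 3ul, 0x1012ul, -1, 0ul);
  intptr_t res = 0;

  // mknod("./bus", S_IFCHR (0x2000), 0x4086337): major = 99, minor = 264247.
  // Requires root. Failure is ignored, like every other call here.
  memcpy((void*)0x20000140, "./bus\000", 6);
  syscall(SYS_mknod, 0x20000140ul, 0x2000ul, 0x4086337);

  // ioctl 0x80104277 on fd -1. The argument at 0x200000c0 is a
  // {count = 6, pointer} pair whose six 8-byte records at 0x20000080 are
  // all zero except one 16-bit field set to 0x210. The descriptor is
  // invalid, so this fails with EBADF; it is kept only to reproduce the
  // exact syscall sequence the fuzzer recorded.
  *(uint32_t*)0x200000c0 = 6;
  *(uint64_t*)0x200000c8 = 0x20000080;
  *(uint16_t*)0x20000080 = 0;
  *(uint8_t*)0x20000082 = 0;
  *(uint8_t*)0x20000083 = 0;
  *(uint32_t*)0x20000084 = 0;
  *(uint16_t*)0x20000088 = 0;
  *(uint8_t*)0x2000008a = 0;
  *(uint8_t*)0x2000008b = 0;
  *(uint32_t*)0x2000008c = 0;
  *(uint16_t*)0x20000090 = 0;
  *(uint8_t*)0x20000092 = 0;
  *(uint8_t*)0x20000093 = 0;
  *(uint32_t*)0x20000094 = 0;
  *(uint16_t*)0x20000098 = 0;
  *(uint8_t*)0x2000009a = 0;
  *(uint8_t*)0x2000009b = 0;
  *(uint32_t*)0x2000009c = 0;
  *(uint16_t*)0x200000a0 = 0;
  *(uint8_t*)0x200000a2 = 0;
  *(uint8_t*)0x200000a3 = 0;
  *(uint32_t*)0x200000a4 = 0;
  *(uint16_t*)0x200000a8 = 0x210;
  *(uint8_t*)0x200000aa = 0;
  *(uint8_t*)0x200000ab = 0;
  *(uint32_t*)0x200000ac = 0;
  syscall(SYS_ioctl, -1, 0x80104277ul, 0x200000c0ul);

  // kevent on fd -1 with two 32-byte change records at 0x20000040 but
  // nchanges = 0 and nevents = 0, so the records are never read by the
  // kernel. Fails with EBADF; again kept for sequence fidelity.
  *(uint32_t*)0x20000040 = -1;
  *(uint16_t*)0x20000048 = 0xfffa;
  *(uint16_t*)0x2000004a = 0;
  *(uint32_t*)0x2000004c = 0;
  *(uint64_t*)0x20000050 = 0;
  *(uint64_t*)0x20000058 = 0x1000;
  *(uint32_t*)0x20000060 = -1;
  *(uint16_t*)0x20000068 = 0;
  *(uint16_t*)0x2000006a = 0;
  *(uint32_t*)0x2000006c = 0x10;
  *(uint64_t*)0x20000070 = 0;
  *(uint64_t*)0x20000078 = 0;
  syscall(SYS_kevent, -1, 0x20000040ul, 0, 0ul, 0, 0ul);

  // open("./bus", 0 /* O_RDONLY */, 0): the only call whose result is
  // kept. This is the descriptor the crashing ioctl below is sent to.
  memcpy((void*)0x20000100, "./bus\000", 6);
  res = syscall(SYS_open, 0x20000100ul, 0ul, 0ul);
  if (res != -1)
    r[0] = res;

  // sendmsg on fd -1, flags 4. msghdr at 0x20000b40: no name, iov at
  // 0x200007c0 with iovlen 7, no control data. iov[0] is the 228-byte
  // (0xe4) fuzzer payload at 0x20000240; iov[1..6] are zero. Invalid fd,
  // so EBADF; the payload bytes are opaque and are reproduced verbatim.
  *(uint64_t*)0x20000b40 = 0;
  *(uint32_t*)0x20000b48 = 0;
  *(uint64_t*)0x20000b50 = 0x200007c0;
  *(uint64_t*)0x200007c0 = 0x20000240;
  memcpy((void*)0x20000240,
         "\x11\x94\x55\xb3\xcd\xbb\xf2\x95\x00\xed\xc4\x5e\xdb\x6e\x0b\xde\x85\xfb"
         "\x58\x1f\xf3\x7d\x7f\xb8\xb6\xad\x95\xe1\x0f\x0f\xde\x22\xcc\x81\x8c\x13"
         "\x79\x76\xa2\x0f\x6f\x9a\xc5\xaa\x43\x0c\x22\x1c\xb4\x87\x09\xf5\x92\x87"
         "\x02\xa3\xa6\x95\x40\x09\xc6\x44\x04\xfe\xa2\xde\x86\x41\x78\x84\x05\x9a"
         "\x4e\xc8\xc2\xd3\x60\x84\xea\x57\xac\xf3\x8c\x28\x5a\xea\x84\x72\xa9\x16"
         "\x13\x5a\x8d\xec\xa7\xe0\x99\x12\x6c\x2b\xa1\xc8\xdb\xfc\xa2\xa4\x1d\x1d"
         "\xf6\x3b\x16\x56\x91\x65\xc1\x64\x98\x49\xd0\x62\xcd\x9a\x50\xff\x6a\x0c"
         "\x38\x7f\xa3\x9f\xba\x0c\x27\xbc\xc2\x77\x7e\x9a\x0a\xdd\x10\xaf\xca\xb7"
         "\x7e\x2c\xb2\xb6\x93\x63\xed\x9b\x29\xe3\xc7\x4e\x94\xc7\xff\xf4\xf0\xd0"
         "\x8b\xca\xa0\xd7\x21\x13\x1c\x9b\xbc\x79\xa3\x58\x09\x21\x59\x6d\xfd\x13"
         "\x33\xb9\x75\xae\x98\x45\x0f\x1a\xed\x38\xf9\x39\x98\xfd\x00\xdf\x8d\x81"
         "\x7b\xfc\x2a\x77\x1d\x94\x47\x2a\xc7\x7b\x0f\x1c\x19\x3d\x30\x88\x7a\x71"
         "\xd9\x9f\xb2\x12\x15\x3a\x40\x9e\x6c\x40\x59\x24",
         228);
  *(uint64_t*)0x200007c8 = 0xe4;
  *(uint64_t*)0x200007d0 = 0;
  *(uint64_t*)0x200007d8 = 0;
  *(uint64_t*)0x200007e0 = 0;
  *(uint64_t*)0x200007e8 = 0;
  *(uint64_t*)0x200007f0 = 0;
  *(uint64_t*)0x200007f8 = 0;
  *(uint64_t*)0x20000800 = 0;
  *(uint64_t*)0x20000808 = 0;
  *(uint64_t*)0x20000810 = 0;
  *(uint64_t*)0x20000818 = 0;
  *(uint64_t*)0x20000820 = 0;
  *(uint64_t*)0x20000828 = 0;
  *(uint64_t*)0x20000b58 = 7;
  *(uint64_t*)0x20000b60 = 0;
  *(uint64_t*)0x20000b68 = 0;
  *(uint32_t*)0x20000b70 = 0;
  syscall(SYS_sendmsg, -1, 0x20000b40ul, 4ul);

  // Second sendmsg on fd -1, flags 0: an all-zero msghdr at 0x20000180
  // except msg_controllen = 0x210 with a NULL msg_control. EBADF.
  *(uint64_t*)0x20000180 = 0;
  *(uint32_t*)0x20000188 = 0;
  *(uint64_t*)0x20000190 = 0;
  *(uint64_t*)0x20000198 = 0;
  *(uint64_t*)0x200001a0 = 0;
  *(uint64_t*)0x200001a8 = 0x210;
  *(uint32_t*)0x200001b0 = 0;
  syscall(SYS_sendmsg, -1, 0x20000180ul, 0ul);

  // The call that reaches the driver: ioctl 0x82907003 on the "./bus"
  // descriptor with a 32-bit argument of 2 (this reuses 0x20000040,
  // overwriting the kevent record above). If open() failed, r[0] is
  // still -1 and this degrades to EBADF.
  *(uint32_t*)0x20000040 = 2;
  syscall(SYS_ioctl, r[0], 0x82907003ul, 0x20000040ul);

  // socket(2 /* AF_INET */, 2 /* SOCK_DGRAM */, 0); the descriptor is
  // never used and is closed implicitly at exit.
  syscall(SYS_socket, 2ul, 2ul, 0);
  return 0;
}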