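// https://syzkaller.appspot.com/bug?id=8af2597890938b642c3bf44a85859691fb9d5cfa
// autogenerated by syzkaller (http://github.com/google/syzkaller)
//
// Reproducer attached to the syzbot report linked above. This page does not
// name the crash it triggers; take the title and kernel trace from that
// report. The program's own exit status says nothing about whether a kernel
// is affected: none of the socket syscalls are checked, so triage relies on
// the kernel log / console of the test VM, not on the return code.
//
// NOTE(review): the header names after each #include were lost when the page
// was extracted (and the file was collapsed onto a few lines). The names
// below are restored from the identifiers the code uses (syscall, htobe16,
// errno, va_list, vfprintf, mkdtemp, chmod, memset, uintN_t); confirm against
// the original attachment if exact fidelity matters.

#define _GNU_SOURCE

#include <endian.h>
#include <sys/syscall.h>
#include <unistd.h>

// Terminate the whole process via exit_group; the endless loop only exists
// to satisfy the noreturn attribute should the syscall ever come back.
__attribute__((noreturn)) static void doexit(int status)
{
  volatile unsigned i;
  syscall(__NR_exit_group, status);
  for (i = 0;; i++) {
  }
}

#include <errno.h>
#include <stdarg.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>

// Exit codes used by fail(). The names suggest the harness treats 69 as
// "transient, try again" and 67 as a hard failure -- confirm against the
// syzkaller executor if that distinction matters.
const int kFailStatus = 67;
const int kRetryStatus = 69;

// Print a printf-style message plus the errno captured on entry, then exit.
// ENOMEM and EAGAIN map to kRetryStatus, everything else to kFailStatus.
static void fail(const char* msg, ...)
{
  int e = errno; // capture before vfprintf/fprintf can overwrite it
  va_list args;
  va_start(args, msg);
  vfprintf(stderr, msg, args);
  va_end(args);
  fprintf(stderr, " (errno %d)\n", e);
  doexit((e == ENOMEM || e == EAGAIN) ? kRetryStatus : kFailStatus);
}

// Create ./syzkaller.XXXXXX, make it world-accessible (mode 0777) and chdir
// into it, so anything the run creates lands in a scratch directory.
static void use_temporary_dir()
{
  char tmpdir_template[] = "./syzkaller.XXXXXX";
  char* tmpdir = mkdtemp(tmpdir_template);
  if (!tmpdir)
    fail("failed to mkdtemp");
  if (chmod(tmpdir, 0777))
    fail("failed to chmod");
  if (chdir(tmpdir))
    fail("failed to chdir");
}

// Results of the two socket() calls: r[0] is the IPv6 datagram socket,
// r[1] the PPPoX socket. Initialised to -1 (all bits set) by loop().
long r[2];

// Replays the recorded syscall sequence once. All arguments live at fixed
// addresses inside one anonymous mapping at 0x20000000, as syzkaller emits
// them. Numeric constants are kept as generated; the symbolic names in the
// comments are the Linux UAPI values they correspond to.
void loop()
{
  memset(r, -1, sizeof(r));

  // 0xfff000 bytes at 0x20000000, prot 3 = PROT_READ|PROT_WRITE,
  // flags 0x32 = MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS.
  // Every store below targets this region, so a failed mapping would
  // otherwise surface as an unexplained SIGSEGV; report it instead.
  if (syscall(__NR_mmap, 0x20000000, 0xfff000, 3, 0x32, -1, 0) == -1)
    fail("failed to mmap data region");

  // socket(AF_INET6 = 0xa, SOCK_DGRAM = 2, 0)
  r[0] = syscall(__NR_socket, 0xa, 2, 0);

  // First connect(): sockaddr_in6-shaped buffer (0x1c bytes) carrying the
  // IPv4-mapped address ::ffff:172.20.0.170, port 0x4e22, scope id 1.
  static const uint8_t mapped_v4[16] = {0, 0, 0, 0, 0, 0, 0, 0,
                                        0, 0, 0xff, 0xff, 0xac, 0x14, 0, 0xaa};
  *(uint16_t*)0x20e6f000 = 0xa;
  *(uint16_t*)0x20e6f002 = htobe16(0x4e22);
  *(uint32_t*)0x20e6f004 = 0;
  memcpy((void*)0x20e6f008, mapped_v4, sizeof(mapped_v4));
  *(uint32_t*)0x20e6f018 = 1;
  syscall(__NR_connect, r[0], 0x20e6f000, 0x1c);

  // Second connect() on the same socket: address ::1, port 0x4e20,
  // flowinfo 9, scope id 0x5a2.
  *(uint16_t*)0x20e84000 = 0xa;
  *(uint16_t*)0x20e84002 = htobe16(0x4e20);
  *(uint32_t*)0x20e84004 = 9;
  *(uint64_t*)0x20e84008 = htobe64(0);
  *(uint64_t*)0x20e84010 = htobe64(1);
  *(uint32_t*)0x20e84018 = 0x5a2;
  syscall(__NR_connect, r[0], 0x20e84000, 0x1c);

  // socket(AF_PPPOX = 0x18, SOCK_STREAM = 1, PX_PROTO_OL2TP = 1)
  r[1] = syscall(__NR_socket, 0x18, 1, 1);

  // connect() with a 0x2e-byte address; the size and field offsets line up
  // with struct sockaddr_pppol2tpv3 (presumably -- verify against
  // linux/if_pppol2tp.h). The fd field hands the IPv6 UDP socket r[0] to the
  // PPPoX socket, while the embedded peer address is AF_INET (2),
  // port 0x4e21, 224.0.0.2.
  *(uint16_t*)0x205fafd2 = 0x18;
  *(uint32_t*)0x205fafd4 = 1;
  *(uint32_t*)0x205fafd8 = 0;
  *(uint32_t*)0x205fafdc = r[0];
  *(uint16_t*)0x205fafe0 = 2;
  *(uint16_t*)0x205fafe2 = htobe16(0x4e21);
  *(uint32_t*)0x205fafe4 = htobe32(0xe0000002);
  memset((void*)0x205fafe8, 0, 8); // 0x205fafe8..0x205fafef
  *(uint32_t*)0x205faff0 = 4;
  *(uint32_t*)0x205faff4 = 0;
  *(uint32_t*)0x205faff8 = 2;
  *(uint32_t*)0x205faffc = 0;
  syscall(__NR_connect, r[1], 0x205fafd2, 0x2e);

  // msghdr-shaped buffer: name -> 0x209dd000 (12 bytes), one iovec at
  // 0x202ceff0, no control data, msg_flags 0x8820.
  *(uint64_t*)0x2037ffc8 = 0x209dd000;
  *(uint32_t*)0x2037ffd0 = 0xc;
  *(uint64_t*)0x2037ffd8 = 0x202ceff0;
  *(uint64_t*)0x2037ffe0 = 1;
  *(uint64_t*)0x2037ffe8 = 0;
  *(uint64_t*)0x2037fff0 = 0;
  *(uint32_t*)0x2037fff8 = 0x8820;

  // Destination name: family 0x10 (AF_NETLINK), pid 0, groups 2.
  *(uint16_t*)0x209dd000 = 0x10;
  *(uint16_t*)0x209dd002 = 0;
  *(uint32_t*)0x209dd004 = 0;
  *(uint32_t*)0x209dd008 = 2;

  // Single iovec: 0x108 bytes at 0x20e77000.
  *(uint64_t*)0x202ceff0 = 0x20e77000;
  *(uint64_t*)0x202ceff8 = 0x108;

  // Payload. The layout resembles a netlink message (length 0x108, type
  // 0x13, flags 0x224) followed by three 64-byte name fields and 8-byte
  // attributes; the page does not say which syzkaller template produced it,
  // and the bytes are sent on the PPPoX socket rather than a netlink one.
  *(uint32_t*)0x20e77000 = 0x108;
  *(uint16_t*)0x20e77004 = 0x13;
  *(uint16_t*)0x20e77006 = 0x224;
  *(uint32_t*)0x20e77008 = 0x70bd28;
  *(uint32_t*)0x20e7700c = 0x25dfdbfd;

  // 0x20e77010..0x20e770cf (192 bytes): zero everything, then place the
  // NUL-terminated name "ecb-serpent-avx" at the start of the first field.
  // Same bytes as the generated 64-byte memcpy plus 128 single-byte stores.
  memset((void*)0x20e77010, 0, 192);
  memcpy((void*)0x20e77010, "ecb-serpent-avx", sizeof("ecb-serpent-avx"));

  *(uint32_t*)0x20e770d0 = 0x400;
  *(uint32_t*)0x20e770d4 = 0x400;
  *(uint32_t*)0x20e770d8 = 0;
  *(uint32_t*)0x20e770dc = 0;

  // Five attributes starting at 0x20e770e0, each {u16 len = 8, u16 type = 1,
  // u32 value}.
  static const uint32_t attr_values[] = {0xfffffff8, 0x1000, 0x400, 0xc05a,
                                         0x81};
  for (size_t i = 0; i < sizeof(attr_values) / sizeof(attr_values[0]); i++) {
    uintptr_t attr = 0x20e770e0 + 8 * i;
    *(uint16_t*)attr = 8;
    *(uint16_t*)(attr + 2) = 1;
    *(uint32_t*)(attr + 4) = attr_values[i];
  }

  // sendmsg() on the PPPoX socket, flags 0x81 = MSG_OOB|MSG_EOR.
  syscall(__NR_sendmsg, r[1], 0x2037ffc8, 0x81);
}

// Entry point: switch into a scratch directory, run the sequence once.
int main()
{
  use_temporary_dir();
  loop();
  return 0;
}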