// https://syzkaller.appspot.com/bug?id=70dd44230eac7b3dffba6e85a4222c3fdb954b2c
// autogenerated by syzkaller (https://github.com/google/syzkaller)
//
// Minimised reproducer for the syzkaller bug linked above.  It issues a
// fixed sequence of raw syscalls against /dev/pf and an SCTP socket; the
// sequence itself is the test case, so the call order and the exact
// constants must be kept as they are.  Return values are deliberately
// unchecked except where a descriptor has to be recorded for a later call.
//
// NOTE(review): the header names after each #include were lost when this
// listing was captured (ten bare "#include" lines remain); the file does
// not build until they are restored from the syzkaller-generated original.

#define _GNU_SOURCE
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include

// Resource table: descriptors produced by earlier calls and consumed by
// later ones.  Every slot starts as -1 (all ones) and is overwritten only
// when the producing syscall did not fail, so a failed step leaves the
// consumer operating on an invalid fd rather than on a stale value.
uint64_t r[4] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff,
                 0xffffffffffffffff};

int main(void)
{
  // Back every address used below with one 16 MiB fixed anonymous mapping
  // at 0x20000000 (prot 7 = PROT_READ|PROT_WRITE|PROT_EXEC).  The flag
  // value 0x1012 is platform-specific; /dev/pf and AF 0x1c suggest a
  // FreeBSD target, where it is MAP_FIXED|MAP_PRIVATE|MAP_ANON — confirm.
  syscall(SYS_mmap, 0x20000000ul, 0x1000000ul, 7ul, 0x1012ul, -1, 0ul);
  intptr_t res = 0;
  // r[0]: socket(AF 0x1c (AF_INET6 on FreeBSD — confirm), SOCK_SEQPACKET,
  // IPPROTO_SCTP).
  res = syscall(SYS_socket, 0x1cul, 5ul, 0x84);
  if (res != -1)
    r[0] = res;
  // r[1]: openat(AT_FDCWD, "/dev/pf", O_RDONLY); the path is staged at the
  // start of the mapping.
  memcpy((void*)0x20000000, "/dev/pf\000", 8);
  res = syscall(SYS_openat, 0xffffffffffffff9cul, 0x20000000ul, 0ul, 0ul);
  if (res != -1)
    r[1] = res;
  // ioctl argument staged at 0x20000500: a 1024-byte fuzzer-generated blob,
  // then 32 more bytes at 0x20000900 and typed fields at 0x20000920..0x2000096b,
  // all contiguous.  The byte values carry no meaning beyond being the input
  // the fuzzer happened to use.
  memcpy((void*)0x20000500,
         "\x64\x90\x9c\xdf\x5b\x11\xc6\xef\xc8\xa4\xec\x50\xf4\x37\xd1\x61\x52\x08"
         "\xf9\xbb\xa2\x95\xfb\x4d\xe1\x6a\xc8\x7a\x9e\xe0\xb7\xdd\xc9\xb9\xe5\xa4"
         "\x4f\x31\xcf\x70\x0a\xbd\xfe\xe5\x13\x5e\xbd\x9d\x15\x8a\x33\x70\xcd\x28"
         "\xf9\xd5\xfe\x25\x94\xfb\xa1\x97\xf2\x79\x6d\x0d\x2b\xd0\xe2\x33\x0c\x68"
         "\x48\x66\xd1\x28\x57\xa2\xda\x2e\x5b\x40\x19\xec\xd1\x99\x9d\xad\x66\xc2"
         "\xb0\x76\x4e\xea\x2e\x4c\xae\xcc\x33\x7d\x36\x64\x0c\x1f\xa1\x3f\x7c\x29"
         "\xca\xca\xea\xed\xb7\xeb\x02\x11\x98\xe3\xf8\x6e\xdd\xeb\xe4\x89\x96\xa5"
         "\x32\xaf\xfe\x44\x38\xb5\xcc\xca\xae\xc6\x49\x21\x6d\xc3\xe4\x0e\x9e\x30"
         "\x1d\xf4\xd1\x84\x8f\x0d\xf4\xf2\x0f\x80\x8f\x07\xc7\xe4\x07\xb5\xc2\xc4"
         "\x75\xe7\x6f\xf0\xbb\xba\x89\x80\xa4\x4f\x4d\xe6\x85\xab\xa3\x70\xe7\xe3"
         "\x6a\x6e\x02\x81\xf9\x3f\x3e\x1d\xe9\xcb\xcb\xc9\x7b\x4f\xfc\x3a\xca\x66"
         "\x66\x04\x7d\x54\xdd\x5d\x44\x53\x12\x50\x3e\x81\x19\x84\x6a\x7b\x16\x42"
         "\x95\x65\xc1\x65\xe0\x4d\x4e\xa0\x97\x4a\x7f\x4d\xa3\x4c\x05\x88\x4c\x43"
         "\xe7\xdc\x9d\x53\xdb\x3d\xc1\x3b\x0d\xe7\x29\xcd\x2e\x1e\x71\x52\x40\x6b"
         "\xbd\xab\x11\x7c\x19\x4a\x24\x25\x37\xef\xe3\x1e\x60\xfb\xbe\xd1\xb6\xd8"
         "\x52\x33\xe9\x23\x47\x37\x94\x81\xe1\x62\xd0\xeb\x88\xa1\xc9\x9e\xa7\xeb"
         "\xb4\x63\x89\xcd\x0e\x96\xe2\x47\x30\xfa\x98\x14\xb0\xf8\xa7\x99\x43\x4d"
         "\x61\x88\xc0\xf8\x53\x7f\x32\xa2\x5b\xf3\x1f\x1a\x66\x97\x16\x7e\x29\x91"
         "\x3e\x1f\x21\x12\x43\x58\xfa\x14\xa4\x2e\x96\x37\x11\x93\x1c\x9b\x41\x9d"
         "\x54\x4e\x44\x2f\x41\xa0\x18\x50\x4d\x22\xb0\xd7\xef\x81\x63\x56\xbb\x37"
         "\x18\xdd\xc8\x73\x65\x6f\xad\xad\xb8\xba\x17\xb3\xc7\xe0\x8d\xdd\xf1\xa6"
         "\x67\x65\x1b\xc0\xdf\x87\x2d\xbe\x8e\xae\x99\x7a\x9d\x33\xd2\x3a\xf5\xc3"
         "\x1e\x26\xc8\xb4\x33\x11\x37\x80\xa5\x35\xb5\xe5\x9b\xbd\x37\x81\xf8\xe1"
         "\x30\xec\xbe\x49\xed\x15\xd8\xfe\xbe\xb4\x61\x39\x3f\x92\x51\x10\x5e\x36"
         "\x0b\xe3\x98\x54\xd4\x40\x72\x93\x9b\x2a\x81\x95\x35\xaa\xe2\xc1\xc0\x0f"
         "\x74\x5b\x37\x63\x66\xb2\x85\x47\x23\xc3\xd6\xc6\xee\x1e\xa2\x30\x18\x39"
         "\xe7\xa0\xcd\x7f\xb9\xb8\x91\x83\x69\x1a\xfb\x6a\xce\x5f\xca\xc9\x79\xc7"
         "\x74\x63\x6e\xef\x2e\x47\xf5\x83\x0f\x21\xec\x06\x2b\x37\x24\xf6\x0d\xbd"
         "\xd6\x97\x25\x39\x14\x2c\x8d\xed\x0e\xf1\x84\x3c\xea\x83\x9d\x69\x91\x95"
         "\xdf\xe6\xcf\xe7\x92\xaf\x8d\x13\x35\x9d\x82\x07\xbd\xfa\x3c\x41\x06\x3f"
         "\x84\xd8\x12\x29\x80\x72\xce\x3a\x1f\xc1\xd0\xc3\x66\xc8\xd2\x89\x7c\x88"
         "\xbb\xa6\x23\x8e\x2e\x68\x4e\x9b\xf3\xe8\xc2\x8e\x8c\x0e\x99\xb6\x88\xfa"
         "\x92\xeb\xaa\xb5\x49\x69\x76\x50\x67\x5f\x0c\x09\x7e\x75\x73\x84\xdd\x9e"
         "\x74\x6b\x8f\x8a\x26\xf0\x7f\x72\xe0\xde\x5a\x96\xce\xfb\xc7\xad\x73\x77"
         "\xad\x08\x8c\x1d\xf2\x31\x7f\x35\xd7\xea\xb2\x9f\x2b\xa9\x93\x91\x17\x5e"
         "\xa3\x9d\xa1\xe0\x57\x67\x54\x1c\x4c\x76\x66\x9d\x5e\x66\xe5\x97\x50\x97"
         "\x9a\xef\x8c\x7b\xc4\xd8\x5e\xf5\x12\x61\x2e\x5b\xd7\x93\x4f\x9b\x58\x67"
         "\x36\x97\x5b\x11\x9f\x35\xc1\x5f\xe2\x1a\xb4\xb2\x9d\xfe\x4c\x6d\xe5\x8e"
         "\x24\xd3\x10\x8b\x2c\xd7\x35\xbe\xae\x76\xab\x24\x77\x12\xaf\x8d\x7c\x80"
         "\x5d\x0c\x02\x3f\x61\xcf\xb8\xe0\x60\x14\xd3\x18\x54\x4b\x60\x20\x97\x9a"
         "\xac\xc3\x20\x0d\x3f\x2f\xd1\x43\x9d\x69\xd1\xb9\x68\x08\x76\xec\x62\xdb"
         "\xe5\xe4\x04\x95\x67\x16\xa0\x26\x7b\x76\x92\x08\x4b\x19\x5f\x9f\xe4\x5a"
         "\xd6\x6e\xb9\x84\xe3\xfe\xf6\xf5\x2c\xfc\x38\xd1\xe6\x62\xee\x9a\x27\xdf"
         "\xb1\x97\x3e\x7a\xe7\x72\x20\x9a\xd7\x30\x5e\xf6\xd4\xef\xab\xed\x05\x97"
         "\xa8\xd0\xb3\xc9\xb2\x9b\xb0\x0e\xfe\x8a\x4e\x00\x03\xe8\x0b\x3b\x4f\x1a"
         "\x9f\x4a\x93\x97\x29\x51\xaa\x9a\xf6\x39\xb5\x36\x04\x65\x29\x27\x2d\xb2"
         "\xd6\xcb\x28\x53\xf1\xa2\xdb\xd2\xb4\x53\x23\x3f\x2c\xa9\x6b\x29\x62\x74"
         "\xf4\x49\x35\xa0\xd3\xd4\x82\x78\x88\xe7\xa2\xa7\xca\xc9\xb4\x90\xf1\x8d"
         "\xce\x01\xc4\xac\x5b\x72\xa8\x86\xec\x3e\x44\x97\xb6\xac\xc9\xb8\x1e\x0f"
         "\xe4\x08\xf9\x8f\x6b\x5c\x08\x7b\xd2\x49\xd3\x7f\xd5\x66\x03\xb5\x77\xa1"
         "\x28\xfa\xa5\xd4\x97\x39\xf5\x08\x5f\xfc\xb6\x8f\xc4\xc8\x25\x1f\x5f\x38"
         "\x17\x83\x3a\xf6\xe3\xac\x96\x2a\x70\x75\x74\x3b\xf2\x6d\x7b\xf8\xa5\x93"
         "\xf3\x53\x7c\xdb\xc5\xf2\x48\xb1\xc9\xdd\xfa\x24\xb7\x08\x00\xe2\x2d\x8d"
         "\x0d\xfe\xdf\x71\xf6\xc0\x62\x1b\x59\x98\x15\x6a\xad\xc4\x02\x3f\x86\x15"
         "\xfd\x2a\x2d\x15\xc7\x1a\xf2\x28\xaf\x46\xbd\x51\xbb\x3b\x7e\x70\x0b\x3f"
         "\xa7\xc5\x58\x3b\x72\xb9\x87\xdd\x63\xa3\x7d\x92\x2d\xf0\xe0\x31\xbd\xaa"
         "\xfe\x9a\x5b\x8a\x1a\xba\x7b\x02\xd3\xd7\xa8\x74\x58\xc2\xf5\x09",
         1024);
  memcpy((void*)0x20000900,
         "\xbc\x58\x94\x22\x1b\xbd\x23\x90\x48\x06\x8a\x33\x44\xb5\x7f\xb6\xc2"
         "\xdb\x9a\x73\x4d\xc1\xbf\x10\x1d\x1d\x03\x5c\x98\x3f\xd2\x52",
         32);
  *(uint32_t*)0x20000920 = 4;
  *(uint8_t*)0x20000924 = 3;
  // Pointer-sized field aimed back into the mapping; nothing in this program
  // writes to 0x20000100, so it refers to untouched (zero-filled) anonymous
  // memory.
  *(uint64_t*)0x20000928 = 0x20000100;
  *(uint64_t*)0x20000930 = 2;
  *(uint64_t*)0x20000938 = 0;
  *(uint64_t*)0x20000940 = 3;
  *(uint64_t*)0x20000948 = 0x8001;
  *(uint64_t*)0x20000950 = 4;
  *(uint64_t*)0x20000958 = 0x401;
  *(uint64_t*)0x20000960 = 0xfff;
  *(uint32_t*)0x20000968 = 1;
  // The fd is the literal -1, so this ioctl fails with EBADF before its
  // argument is consumed; the staged structure above is not read by the
  // kernel on this path.  Under the BSD _IOC encoding 0xc4504445 decodes to
  // _IOWR('D', 0x45, 0x450), group 'D' being pf's DIOC* family — confirm
  // against the target's headers.
  syscall(SYS_ioctl, -1, 0xc4504445ul, 0x20000500ul);
  // r[2]: dup2(socket, pf_fd) closes the /dev/pf descriptor r[1] and makes
  // that same number refer to the SCTP socket, so r[2] is the socket.
  res = syscall(SYS_dup2, r[0], r[1]);
  if (res != -1)
    r[2] = res;
  // getsockopt(r[2], IPPROTO_SCTP, 0x8004, optval=0x20000080, optlen=0x200000c0)
  // with optval zeroed and *optlen = 0x10.  The optname is left undecoded;
  // SCTP option numbers are platform-specific.
  *(uint32_t*)0x20000080 = 0;
  *(uint64_t*)0x20000088 = 0;
  *(uint32_t*)0x200000c0 = 0x10;
  syscall(SYS_getsockopt, r[2], 0x84, 0x8004, 0x20000080ul, 0x200000c0ul);
  // r[3]: a second openat(AT_FDCWD, "/dev/pf", O_RDWR) on the same staged path.
  memcpy((void*)0x20000000, "/dev/pf\000", 8);
  res = syscall(SYS_openat, 0xffffffffffffff9cul, 0x20000000ul, 2ul, 0ul);
  if (res != -1)
    r[3] = res;
  // The pf ioctl that exercises the bug.  Its argument pointer is the 4-byte
  // optlen slot from the getsockopt above, not a structure sized for the
  // command: under the BSD encoding 0xcbe0441a decodes to _IOWR('D', 0x1a,
  // 0xbe0), so the kernel copy-in would read about 3 KiB from 0x200000c0,
  // spanning the fuzzer blob at 0x20000500 and otherwise untouched mapping
  // memory — confirm against the target's pf ioctl definitions.
  syscall(SYS_ioctl, r[3], 0xcbe0441aul, 0x200000c0ul);
  return 0;
}