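// https://syzkaller.appspot.com/bug?id=244acf6996ae0b9122ac763d3099922258c9bd43
// autogenerated by syzkaller (https://github.com/google/syzkaller)
//
// Kernel-bug reproducer. It replays one fixed syscall sequence against an
// AF_INET/SOCK_DGRAM socket: bind to a multicast address, enable SO_ZEROCOPY,
// send an empty datagram, then sendmmsg() a 1537-byte payload with the
// MSG_ZEROCOPY bit set, then writev() one byte. Replaying it on an affected
// kernel is expected to crash that kernel; that is the file's purpose.
//
// Review notes:
//  - The eight #include directives had lost their header names (the angle
//    brackets were stripped on extraction); they are restored here to the set
//    syzkaller's C template emits and that this code actually uses (endian.h
//    for htobe16/htobe32, string.h for memcpy/memset, sys/syscall.h and
//    unistd.h for syscall()/__NR_*, stdint.h for the fixed-width types).
//  - No return value except socket()'s is checked. That is deliberate in
//    syzkaller output: the sequence must replay even when individual calls
//    fail, so a failing mmap/bind/setsockopt is silently ignored.
//  - All arguments live in a 16 MiB arena mapped at the fixed address
//    0x20000000 (guard pages below and above); struct fields are written as
//    raw stores at fixed offsets rather than through struct types.

#define _GNU_SOURCE

#include <endian.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

/* Resource table. r[0] receives the socket fd; it starts at -1 so that, if
 * socket() fails, every later syscall is issued on an invalid descriptor. */
uint64_t r[1] = {0xffffffffffffffff};

/* Width-named stores into the fixed-address arena. They do exactly what the
 * generator's `*(uintN_t*)addr = v` casts do; the names only make the width
 * of each field visible in main(). */
static void put16(uintptr_t at, uint16_t v) { *(uint16_t *)at = v; }
static void put32(uintptr_t at, uint32_t v) { *(uint32_t *)at = v; }
static void put64(uintptr_t at, uint64_t v) { *(uint64_t *)at = v; }

/* Datagram body handed to sendmmsg(). Opaque fuzzer output (it contains
 * embedded NUL bytes, so it must be measured with sizeof, never strlen). */
static const char payload[] =
    "\x13\x1a\x26\x95\xc1\x88\x89\x91\x05\x84\xa0\xf4\xa8\x32\xba\xd5\x50\x53"
    "\x92\x25\x4e\x7e\x24\xb0\x06\x5f\xca\x5f\xe0\xf1\xf4\xac\x47\xf4\xe5\x95"
    "\x50\x37\xc4\xef\x3e\x90\x69\x54\x2a\xcd\xf2\x82\x1a\xfc\x53\xe9\x1a\xec"
    "\x7d\xe3\x06\x0e\xf5\xe6\xc2\x3b\x14\xb8\x5b\x6c\x5c\xf0\x54\x11\x03\x02"
    "\x7d\x37\x28\xb2\x8f\xd3\x26\x2b\xbc\xc0\x7b\xe1\x29\xe4\xec\x11\x4d\xa2"
    "\xcf\x91\x0b\x7e\x5f\xc2\xf2\x44\x16\xb9\x8a\xd4\x0e\x56\xfe\x2a\xca\x76"
    "\x3d\xec\x0a\x47\x56\xd7\x83\xfe\xec\x71\x07\x97\xa9\xae\xfa\x9e\x3e\x99"
    "\xaf\x1f\x12\xea\x71\x7b\x33\x20\x05\x14\x3c\x1e\x86\x9b\xd3\xaf\xcb\x8e"
    "\x55\xdd\x54\x5d\x48\xc5\xaf\xb3\xae\x0b\x63\xf6\x52\xc0\x78\xa9\xeb\x2f"
    "\x64\x00\x18\xd6\x0a\xbb\x7d\xdb\x42\x5c\x41\x63\x38\xb1\x58\xf5\x0e\x56"
    "\xb8\x53\xa1\x48\x28\x82\xd0\x58\x2d\x5a\xd0\xc0\xca\xc4\x60\xdf\xc2\xbc"
    "\xc7\xba\x99\x14\x6f\x45\x46\xad\x8e\x11\x16\x2d\x81\xf0\xac\x48\x9f\xfd"
    "\xeb\x9b\xf9\xd7\x2a\x95\x62\xde\xf3\x51\x40\x78\x51\xdc\xf8\x8c\x6d\xc3"
    "\x1e\x45\x7e\x0a\x19\x1f\xac\x5d\xde\xcf\x58\x89\x98\x53\x16\x55\x8e\x3d"
    "\x48\x63\xee\x39\x36\xe5\x28\x5c\x56\x9f\x7d\x68\xd5\x60\xb3\x9b\x3b\x57"
    "\x90\x25\x5d\x97\x48\x84\x10\x90\x2b\x6d\x96\x4d\x62\xb2\xb2\x09\xe3\xa6"
    "\x42\xfa\x8b\x25\x4e\xe2\x7c\xd1\x4a\xca\xce\xd9\x17\x00\xc0\x62\x1d\x1c"
    "\x02\x25\x55\x4a\xe9\xa2\xd5\x13\x0c\xf2\xe7\x95\x04\x15\x43\x4d\x3d\x98"
    "\x1e\x5f\xbe\x17\x16\xbb\xec\x9e\xdf\x7d\x29\x73\xee\x5b\x63\xcc\x3c\x8a"
    "\xf3\x6c\xfa\xe9\x14\xd8\x75\x03\xa3\xa5\x13\xe1\x28\x46\x60\xea\x7d\xba"
    "\xd3\xb1\x60\x56\x2d\x9a\x75\xc3\xb6\x7e\x12\x4e\x41\x57\xb1\xa7\xd8\xcc"
    "\x49\xb3\x2b\x4e\xee\x55\x52\xa1\x8c\xe9\xe8\xda\x0f\x34\x7e\x56\x66\x8e"
    "\x20\x9a\x3e\x43\x50\x32\x23\xfc\x0f\xc5\xae\xc4\xae\xf9\x2b\x83\xef\x5c"
    "\x3b\xb4\xb9\x87\xb1\xa1\x6d\x6a\xf3\x5c\x92\x97\xb1\xdd\xb4\x53\x0e\xa9"
    "\x34\x28\xc2\x81\x48\x16\x85\xc2\x9f\x22\xbe\x3f\x5c\xaa\x39\x33\xfe\x3c"
    "\xd9\x1d\xcd\xcd\x01\xbd\x48\x10\x48\x67\x27\xc9\x37\xf1\xbd\x44\x42\xc1"
    "\x04\x26\x57\x01\x97\x74\x08\x84\x67\x81\xd2\x27\x22\xd2\x65\xd1\xd0\xf1"
    "\x4a\x86\xc0\x07\xbb\x10\xe9\x03\xb7\x1c\x7d\x23\x00\x1e\x18\x48\x5a\x5f"
    "\x07\x58\xcd\x57\xa0\xc8\x4b\x1b\x77\x91\xcc\x70\x9d\xa0\xc0\x95\xf0\xdd"
    "\xa3\x1c\xd4\xa4\x63\xf5\x65\xc9\x46\x8c\x2b\x37\x7c\x50\x2b\x26\x22\xed"
    "\x36\xbf\x60\xf2\x72\x7e\x16\xf6\x22\x32\x9b\x45\xf5\xbe\xec\x9c\xf7\x9b"
    "\x13\xe0\xeb\x61\x1e\xba\x80\x5f\x4c\xe0\xbb\xf8\x94\x58\xbf\x5f\xe0\x71"
    "\x09\x36\x73\x86\x67\x98\x00\x4e\xb4\x7d\xf5\x77\x1c\x3b\x77\x75\x8b\xf3"
    "\x6b\x58\x74\x80\xd2\xef\x4a\xcb\x4c\xfc\x5a\x21\x5a\x3c\x8e\x15\xf0\x24"
    "\x54\xc5\x1b\xf8\xf0\x9b\xde\xbd\x0a\x2f\xd9\xf3\xf8\xa5\x06\x77\xc4\x85"
    "\x9b\x83\x19\x9e\x11\x40\x48\x22\x47\xbd\xb7\x9b\x13\x63\x85\x06\x47\xf0"
    "\x37\x42\x20\x73\x80\x1d\xd1\x09\x51\xa5\x8b\xa7\xd5\x66\xbe\x15\x43\x73"
    "\x3d\x28\xc9\x34\x53\x9a\xaf\xac\x22\x78\x0e\x13\xc8\x2c\xfc\xd6\xac\xba"
    "\x57\x16\x88\xf7\x75\x35\x69\xda\x86\x5a\x7b\x41\xff\x61\x28\xbd\x5b\x13"
    "\x16\x01\xee\x4a\xe1\x4c\x56\x56\x6d\x84\xec\x6a\x98\xfc\x2c\x67\xf2\x8f"
    "\x0a\x82\x3b\xc5\x8e\xd5\x65\xab\x6b\x43\xaf\x87\x01\xd6\xe8\x4a\xdb\x2f"
    "\xc0\x76\xe2\x09\x3a\x93\x1f\x1d\x0f\xdb\x33\x32\x10\x28\x05\x77\x2f\xad"
    "\x96\x7f\xa4\xf9\x91\x24\xfd\x0d\xd1\x62\xad\xa2\x4b\xe1\x24\x18\xf5\x22"
    "\x04\xd8\x3a\x4a\xb5\x0e\xba\xd8\x7a\xa4\x11\x85\xe7\x84\xc4\x3f\xe8\xe8"
    "\x17\xc0\x35\xd0\x77\xa4\x64\x2e\xb9\xc5\xa9\x08\x48\xf3\xf2\x16\x64\x9b"
    "\x6c\x68\x9a\xc4\xd0\x77\x1f\xf3\x6e\xc3\x3f\xc2\x30\x87\xe1\xef\x96\x16"
    "\x31\x59\x7a\x06\x31\x2c\xda\x6f\x96\x78\xec\xba\xa3\xd9\x3d\x12\x62\xd8"
    "\x7f\x8d\xcf\xe8\x06\xcb\x0f\xff\xec\x17\xa3\x42\xbb\x3e\xda\x0b\x74\xad"
    "\x5a\xb3\x50\xc2\xf8\xf1\xe8\xa7\x4f\xfe\x67\x87\x54\xeb\x47\xb7\xd3\xd6"
    "\x9a\x00\xb5\x80\x32\xb1\x46\x53\x4d\x90\xc7\xee\xd6\x1c\xed\x84\xca\x54"
    "\x59\x40\x56\xe5\x4e\xe8\x77\x28\x40\x08\x84\x65\xd9\xba\xc1\x68\xae\x6e"
    "\xa9\x1d\x03\x43\x34\x08\x09\x85\x33\x14\x56\x8e\x3d\xa9\x07\x94\x7d\xd5"
    "\xd1\x2f\x12\x1c\xa6\xf3\xa8\x41\xf5\x12\x79\x5e\x02\x01\x7f\xc2\x15\x11"
    "\xae\x22\xbe\xfa\xbb\x9c\xd9\x9e\x7b\xc9\xc5\x03\x15\x4e\xf2\x5f\xb8\x56"
    "\x58\xd1\xd7\xcd\x7f\x01\x98\x22\xa4\x08\xfd\x46\x50\x35\x1d\xc3\x4a\x1a"
    "\xbc\x44\x31\x97\x6b\x24\xa0\x9e\x09\xe3\x01\xd2\xd1\xcf\x21\x40\x19\x38"
    "\x7d\xfe\x2c\xd0\x3b\x91\xce\xe9\x8d\x4b\xa1\xff\x38\x6f\xe7\xc9\xb0\xb6"
    "\x18\x9d\x18\x8a\xdc\x37\x90\x43\x02\xb2\x60\xdf\x0b\xe1\xcb\x0d\x63\x6c"
    "\x2f\x7a\xe4\xa3\xfa\xf9\x89\x12\xb9\xf4\x0c\x79\xe0\xea\xa3\xb4\x52\xc5"
    "\xfc\x30\xf9\x60\x28\x5d\x99\xaf\x95\x22\x72\xfc\x87\xad\x2f\x9f\xf5\x89"
    "\x8b\x6d\x1f\xd3\xea\x6d\xec\xf3\x4a\x84\xc5\x3e\xb4\x8a\x48\xf1\x8f\x9c"
    "\xff\x7f\x1a\xe9\x76\xf8\x2a\x32\x4a\xf2\xb8\xf1\xd8\xf3\x13\x70\x30\xdd"
    "\xdb\xae\xf4\xf6\x1e\x9b\x59\xa4\x6b\xcf\x94\xdc\xf5\x46\x5e\x8f\xe2\x3e"
    "\x00\xda\x76\xa1\x40\x7c\xf9\x75\x42\x14\xce\x72\xeb\x9e\x47\xb5\xdd\xb9"
    "\x35\xea\xcd\xbc\x33\x51\xc5\x27\x70\x32\xef\x44\x2c\xdb\xce\xc2\x7e\x0c"
    "\x3e\x4a\xb4\xa6\x21\x11\xdd\xe2\x40\x37\x88\x20\x7a\x8e\x9b\x4d\x40\x28"
    "\x01\xae\xbd\x5d\x9a\xf9\xbb\x51\x44\x80\xfa\xbe\x08\xc2\xe7\xb1\x2a\xd9"
    "\x83\xc8\xa1\x1d\x2c\x6c\x3e\x01\x2f\x36\x57\xe6\x36\xce\x24\x1e\xfa\x70"
    "\x5d\xf3\xcf\xb9\x52\x97\xed\xb4\x41\xdf\x15\x3f\x4f\x60\x87\x2e\xed\x03"
    "\x9f\x01\x78\xa0\x8e\x8e\x68\x92\x64\x1d\x29\xec\xf8\x35\x88\x71\xa8\x9e"
    "\xe1\x1b\x23\x0d\xe9\xbc\x3e\x41\x8a\x5f\xb3\x4c\x57\x3e\xfb\x9b\x03\x74"
    "\xdb\xc9\xe5\xa0\x76\x3a\xe3\x04\xbd\xcb\xc0\x39\x05\xf8\x15\xc1\x66\x5d"
    "\xfe\x19\x91\x9e\xf8\x94\xcb\xdb\x99\xb9\x01\x5d\xc5\x76\xe0\xf9\x2c\xac"
    "\x5a\xba\xc3\x9c\xff\xd0\x0e\x93\xf5\xb6\x79\xab\x84\x16\xfb\x1b\xb0\x31"
    "\x8a\xb8\x70\x68\x74\xa8\xe7\x29\x34\x82\xf9\x70\x51\x32\x73\x69\xb7\x69"
    "\x33\x14\xa6\x9a\x48\x53\x06\xfa\x96\xf1\x6a\x79\x32\x5c\xbe\x59\x83\xd9"
    "\x15\x8c\xa9\xd0\xe2\xc8\x8c\xc2\xda\x4e\x4a\x3f\x15\xbc\xca\x13\x3d\xc8"
    "\x7f\xeb\xb6\x55\x52\x05\x7c\x05\x20\x1d\xe3\x54\xb8\xac\x9d\x2a\x17\xd5"
    "\x33\x47\x6c\xba\x9f\x20\xa9\x88\x6f\xeb\x8c\xa7\xb0\x3a\xdb\x86\x62\x18"
    "\x2d\xfc\xad\xa4\xad\x0c\x7e\x63\xd8\xa7\x17\x07\x48\x21\x9e\xa7\xe2\x00"
    "\xee\x58\x7c\xd5\xc3\xa0\x60\xc4\xeb\x1a\xf5\xa3\x0f\x07\xae\x49\x76\xa1"
    "\x18\x4f\x28\xed\xc6\x60\x9f\x55\x37\x96\x5d\xb8\x2d\x55\x72\x58\x84\xe0"
    "\xa3\x13\x81\xd3\xc6\x09\xa5\x81\x57\x86\xb8\x03\x0d\xf1\xe7\xec\x4e\x57"
    "\xd0\x40\xc4\xab\x84\x97\xa7\x28\xb4\xdb\x38\x0c\x34\x6f\x80\xa6\x46\xd5"
    "\x17\x64\x2c\xdf\x0a\xfd\x05\x67\x48\x2a\xfb\x12\x8c\xd2\x09\xfc\x79\xbd"
    "\x7a\xb2\x23\x14\x30\x7a\x9c";

/* The generator passed the length 1537 to memcpy(); pin it to the literal so
 * an edit to the data cannot silently desynchronise the two. */
enum { PAYLOAD_LEN = 1537 };
_Static_assert(sizeof payload == PAYLOAD_LEN + 1, "payload literal is not 1537 bytes");

int main(void)
{
	/* Arena: a PROT_NONE guard page, 16 MiB of RWX scratch at 0x20000000,
	 * and a PROT_NONE guard page above it. flags 0x32 are
	 * MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS on Linux. Results are not checked
	 * (syzkaller idiom). */
	syscall(__NR_mmap, 0x1ffff000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul);
	syscall(__NR_mmap, 0x20000000ul, 0x1000000ul, 7ul, 0x32ul, -1, 0ul);
	syscall(__NR_mmap, 0x21000000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul);

	/* socket(AF_INET=2, SOCK_DGRAM=1, 0). Only this call's result is kept;
	 * on failure r[0] stays -1 and the remaining calls run on a bad fd. */
	intptr_t fd = syscall(__NR_socket, 2ul, 1ul, 0);
	if (fd != -1)
		r[0] = fd;

	/* struct sockaddr_in at 0x200000c0: family AF_INET, port 0x4e20 (20000),
	 * address 0xe0000002 (224.0.0.2, a multicast group). bind() with len 16. */
	put16(0x200000c0, 2);
	put16(0x200000c2, htobe16(0x4e20));
	put32(0x200000c4, htobe32(0xe0000002));
	syscall(__NR_bind, r[0], 0x200000c0ul, 0x10ul);

	/* setsockopt(fd, SOL_SOCKET=1, optname 0x3c (60 = SO_ZEROCOPY), &1, 4). */
	put32(0x20000000, 1);
	syscall(__NR_setsockopt, r[0], 1, 0x3c, 0x20000000ul, 4ul);

	/* struct sockaddr_in at 0x20000080: AF_INET, port 20000, address 0.0.0.0.
	 * sendto() with a NULL, zero-length buffer and flags 0x20020001 (the low
	 * bit is MSG_OOB; the remaining bits are left as the generator chose). */
	put16(0x20000080, 2);
	put16(0x20000082, htobe16(0x4e20));
	put32(0x20000084, htobe32(0));
	syscall(__NR_sendto, r[0], 0ul, 0ul, 0x20020001ul, 0x20000080ul, 0x10ul);

	/* struct mmsghdr at 0x200006c0 (64-bit layout — offsets assume that):
	 *   +0x00 msg_name       = NULL
	 *   +0x08 msg_namelen    = 0
	 *   +0x10 msg_iov        = 0x20000680 (one iovec)
	 *   +0x18 msg_iovlen     = 1
	 *   +0x20 msg_control    = NULL
	 *   +0x28 msg_controllen = 0
	 *   +0x30 msg_flags      = 0
	 *   +0x38 msg_len        = 0
	 * The iovec points at the 1537-byte payload copied to 0x20000fc0. */
	put64(0x200006c0, 0);
	put32(0x200006c8, 0);
	put64(0x200006d0, 0x20000680);
	put64(0x20000680, 0x20000fc0);
	memcpy((void *)0x20000fc0, payload, sizeof payload - 1);
	put64(0x20000688, 0x601); /* iov_len = 1537 */
	put64(0x200006d8, 1);
	put64(0x200006e0, 0);
	put64(0x200006e8, 0);
	put32(0x200006f0, 0);
	put32(0x200006f8, 0);
	/* sendmmsg(fd, &mmsg, 1, flags 0x60cd814): bit 0x4000000 is MSG_ZEROCOPY,
	 * which pairs with the SO_ZEROCOPY option above; other bits not decoded. */
	syscall(__NR_sendmmsg, r[0], 0x200006c0ul, 1ul, 0x60cd814ul);

	/* iovec at 0x20000200: one byte 'z' (122) at 0x20001e80. writev(fd, iov, 1). */
	put64(0x20000200, 0x20001e80);
	memset((void *)0x20001e80, 122, 1);
	put64(0x20000208, 1);
	syscall(__NR_writev, r[0], 0x20000200ul, 1ul);

	return 0;
}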