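// https://syzkaller.appspot.com/bug?id=7bd6fc42489ba2eb2a9e44977633abd1c2fe0624
// autogenerated by syzkaller (http://github.com/google/syzkaller)
//
// Kernel crash reproducer. It maps a fixed anonymous region, opens one
// AF_INET raw socket, feeds it a 0xe8-byte option blob through
// setsockopt(), then sends a single 64-byte datagram. Every structure is
// written field-by-field at absolute addresses inside the mapped region,
// so the statement order matters and nothing may be stored before the
// mapping exists. Run it only inside a disposable kernel VM, e.g. when
// confirming a bug or validating a fix; the syscall-number fallbacks are
// i386 table values, so this is meant to be built as a 32-bit x86 binary.
#define _GNU_SOURCE
#include <unistd.h>       // syscall()
#include <sys/syscall.h>  // __NR_* where the libc headers supply them
#include <string.h>       // memset(), memcpy()
#include <stdint.h>       // uint8_t, uint16_t, uint32_t, uint64_t

// Fallback syscall numbers (i386 table) for toolchains whose headers lack them.
#ifndef __NR_setsockopt
#define __NR_setsockopt 366
#endif
#ifndef __NR_sendto
#define __NR_sendto 369
#endif
#ifndef __NR_mmap
#define __NR_mmap 90
#endif
#ifndef __NR_socket
#define __NR_socket 359
#endif
// On i386 the generator always goes through mmap2 (offset in pages); the
// legacy mmap number above is only kept so the #ifndef chain is uniform.
#undef __NR_mmap
#define __NR_mmap __NR_mmap2

// Raw return value of every syscall, filled with -1 by loop() before use.
// Indices follow the generator's program numbering, which is why only
// r[0], r[1], r[75] and r[88] are ever assigned.
long r[89];

// Executes the reproducer program once. Returns early if the fixed mapping
// cannot be created, because every store below targets addresses inside it
// and would otherwise fault in the reproducer instead of reaching the kernel
// code path under test.
void loop(void)
{
  memset(r, -1, sizeof(r));

  // mmap(0x20000000, 0xfff000, PROT_READ|PROT_WRITE (0x3),
  //      MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS (0x32), fd=-1, offset=0).
  // All absolute addresses used below fall inside [0x20000000, 0x20fff000).
  r[0] = syscall(__NR_mmap, 0x20000000ul, 0xfff000ul, 0x3ul, 0x32ul,
                 0xfffffffffffffffful, 0x0ul);
  if (r[0] == -1) {
    return;
  }

  // socket(2 /* AF_INET */, 3 /* SOCK_RAW */, 1 /* IPPROTO_ICMP */).
  // A failed socket() leaves r[1] == -1 and the later calls fail with EBADF,
  // which is harmless, so it is not special-cased.
  r[1] = syscall(__NR_socket, 0x2ul, 0x3ul, 0x1ul);

  // 0xe8-byte option value for setsockopt(r[1], 0, 0x11, ...), assembled in
  // place at 0x20614f18. With an AF_INET socket, level 0 is SOL_IP and
  // optname 0x11 is IP_XFRM_POLICY; the layout (an IPv4 destination
  // 0x100007f, i.e. 127.0.0.1 in network byte order, followed by
  // fe80::...-looking 16-byte addresses, two 0x204e port fields and a
  // family value of 0xa) is consistent with an xfrm user policy whose
  // selector mixes address families — NOTE(review): confirm the field
  // names against include/uapi/linux/xfrm.h before relying on them.
  *(uint32_t*)0x20614f18 = (uint32_t)0x100007f;
  *(uint8_t*)0x20614f28 = (uint8_t)0xfe;
  *(uint8_t*)0x20614f29 = (uint8_t)0x80;
  *(uint8_t*)0x20614f2a = (uint8_t)0x0;
  *(uint8_t*)0x20614f2b = (uint8_t)0x0;
  *(uint8_t*)0x20614f2c = (uint8_t)0x0;
  *(uint8_t*)0x20614f2d = (uint8_t)0x0;
  *(uint8_t*)0x20614f2e = (uint8_t)0x0;
  *(uint8_t*)0x20614f2f = (uint8_t)0x0;
  *(uint8_t*)0x20614f30 = (uint8_t)0x0;
  *(uint8_t*)0x20614f31 = (uint8_t)0x0;
  *(uint8_t*)0x20614f32 = (uint8_t)0x0;
  *(uint8_t*)0x20614f33 = (uint8_t)0x0;
  *(uint8_t*)0x20614f34 = (uint8_t)0x0;
  *(uint8_t*)0x20614f35 = (uint8_t)0x0;
  *(uint8_t*)0x20614f36 = (uint8_t)0x0;
  *(uint8_t*)0x20614f37 = (uint8_t)0xbb;
  *(uint16_t*)0x20614f38 = (uint16_t)0x204e;
  *(uint16_t*)0x20614f3a = (uint16_t)0x0;
  *(uint16_t*)0x20614f3c = (uint16_t)0x204e;
  *(uint16_t*)0x20614f3e = (uint16_t)0x0;
  *(uint16_t*)0x20614f40 = (uint16_t)0x2;
  *(uint8_t*)0x20614f42 = (uint8_t)0x0;
  *(uint8_t*)0x20614f43 = (uint8_t)0x0;
  *(uint8_t*)0x20614f44 = (uint8_t)0x0;
  *(uint32_t*)0x20614f48 = (uint32_t)0x0;
  *(uint32_t*)0x20614f4c = (uint32_t)0x0;
  *(uint64_t*)0x20614f50 = (uint64_t)0x0;
  *(uint64_t*)0x20614f58 = (uint64_t)0x0;
  *(uint64_t*)0x20614f60 = (uint64_t)0x0;
  *(uint64_t*)0x20614f68 = (uint64_t)0x0;
  *(uint64_t*)0x20614f70 = (uint64_t)0x0;
  *(uint64_t*)0x20614f78 = (uint64_t)0x0;
  *(uint64_t*)0x20614f80 = (uint64_t)0x0;
  *(uint64_t*)0x20614f88 = (uint64_t)0x0;
  *(uint64_t*)0x20614f90 = (uint64_t)0x0;
  *(uint64_t*)0x20614f98 = (uint64_t)0x0;
  *(uint64_t*)0x20614fa0 = (uint64_t)0x0;
  *(uint64_t*)0x20614fa8 = (uint64_t)0x0;
  *(uint32_t*)0x20614fb0 = (uint32_t)0x0;
  *(uint32_t*)0x20614fb4 = (uint32_t)0x0;
  *(uint8_t*)0x20614fb8 = (uint8_t)0x1;
  *(uint8_t*)0x20614fb9 = (uint8_t)0x0;
  *(uint8_t*)0x20614fba = (uint8_t)0x0;
  *(uint8_t*)0x20614fbb = (uint8_t)0x0;
  *(uint8_t*)0x20614fc0 = (uint8_t)0xfe;
  *(uint8_t*)0x20614fc1 = (uint8_t)0x80;
  *(uint8_t*)0x20614fc2 = (uint8_t)0x0;
  *(uint8_t*)0x20614fc3 = (uint8_t)0x0;
  *(uint8_t*)0x20614fc4 = (uint8_t)0x0;
  *(uint8_t*)0x20614fc5 = (uint8_t)0x0;
  *(uint8_t*)0x20614fc6 = (uint8_t)0x0;
  *(uint8_t*)0x20614fc7 = (uint8_t)0x0;
  *(uint8_t*)0x20614fc8 = (uint8_t)0x0;
  *(uint8_t*)0x20614fc9 = (uint8_t)0x0;
  *(uint8_t*)0x20614fca = (uint8_t)0x0;
  *(uint8_t*)0x20614fcb = (uint8_t)0x0;
  *(uint8_t*)0x20614fcc = (uint8_t)0x0;
  *(uint8_t*)0x20614fcd = (uint8_t)0x0;
  *(uint8_t*)0x20614fce = (uint8_t)0x0;
  *(uint8_t*)0x20614fcf = (uint8_t)0xaa;
  *(uint32_t*)0x20614fd0 = (uint32_t)0x0;
  *(uint8_t*)0x20614fd4 = (uint8_t)0x0;
  *(uint16_t*)0x20614fd8 = (uint16_t)0xa;
  // The two 8-byte stores below are not 8-byte aligned; that is fine on x86
  // but would trap on a strict-alignment target.
  *(uint64_t*)0x20614fdc = (uint64_t)0x0;
  *(uint64_t*)0x20614fe4 = (uint64_t)0x100000000000000;
  *(uint32_t*)0x20614fec = (uint32_t)0x0;
  *(uint8_t*)0x20614ff0 = (uint8_t)0x0;
  *(uint8_t*)0x20614ff1 = (uint8_t)0x0;
  *(uint8_t*)0x20614ff2 = (uint8_t)0x0;
  *(uint32_t*)0x20614ff4 = (uint32_t)0x6;
  *(uint32_t*)0x20614ff8 = (uint32_t)0x0;
  *(uint32_t*)0x20614ffc = (uint32_t)0x1;
  r[75] = syscall(__NR_setsockopt, r[1], 0x0ul, 0x11ul, 0x20614f18ul, 0xe8ul);

  // 64 bytes of fuzzer-chosen payload at 0x20fdbfc0; it carries no structure
  // the kernel is expected to parse beyond the raw-socket header handling.
  memcpy((void*)0x20fdbfc0,
         "\x81\x61\x97\xb6\x16\x57\x4d\x1d\xef\x9a\xa8\x94\x6e\xe3\x21"
         "\xcd\xf3\x77\xf4\xff\x49\xaa\x38\xb9\xe2\x5b\xa7\x2c\xf4\xf5"
         "\x70\xd8\xf8\xb6\x3f\x6f\x05\x2a\x7c\xf3\x98\xe4\xe8\xb3\xa4"
         "\x40\x57\xc6\x03\x84\x04\x5a\x65\xce\x52\x2f\x81\x64\x46\xf2"
         "\x65\x05\x54\x08",
         64);

  // 16-byte sockaddr_in at 0x20fdbff0: sin_family = 2 (AF_INET),
  // sin_port bytes 0x4e 0x21 (20001 in network order), sin_addr = 0,
  // zero padding.
  *(uint16_t*)0x20fdbff0 = (uint16_t)0x2;
  *(uint16_t*)0x20fdbff2 = (uint16_t)0x214e;
  *(uint32_t*)0x20fdbff4 = (uint32_t)0x0;
  *(uint8_t*)0x20fdbff8 = (uint8_t)0x0;
  *(uint8_t*)0x20fdbff9 = (uint8_t)0x0;
  *(uint8_t*)0x20fdbffa = (uint8_t)0x0;
  *(uint8_t*)0x20fdbffb = (uint8_t)0x0;
  *(uint8_t*)0x20fdbffc = (uint8_t)0x0;
  *(uint8_t*)0x20fdbffd = (uint8_t)0x0;
  *(uint8_t*)0x20fdbffe = (uint8_t)0x0;
  *(uint8_t*)0x20fdbfff = (uint8_t)0x0;
  // sendto(r[1], payload, 64, 0x80 /* MSG_EOR */, &sockaddr, 16).
  r[88] = syscall(__NR_sendto, r[1], 0x20fdbfc0ul, 0x40ul, 0x80ul, 0x20fdbff0ul, 0x10ul);
}

// Entry point: runs the reproducer program exactly once and exits 0; the
// interesting outcome is the kernel-side crash report, not the exit code.
int main(void)
{
  loop();
  return 0;
}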