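// https://syzkaller.appspot.com/bug?id=4522c4fb3896c243a66d4bda935f828e80899c2c
// autogenerated by syzkaller (http://github.com/google/syzkaller)
//
// Reproducer for the syzkaller bug linked above. It maps a fixed region of
// user memory, opens the first SCSI generic device node (/dev/sg0), writes
// one 211-byte fuzzer-generated record to it and then issues a single
// readv(). Syscall results are deliberately left unchecked: the program is a
// stimulus for the kernel under test, not a robust client, and replays the
// exact sequence the fuzzer recorded.
//
// The header names in this listing were lost during extraction; the set
// below is reconstructed from the identifiers the file actually uses
// (open/O_RDWR, the <stdint.h> types, snprintf, str*/mem*, syscall and the
// __NR_* numbers).
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

// syzkaller pseudo-syscall: open a device node.
//
// a0 == 0xc or 0xb: open "/dev/char/<a1>:<a2>" or "/dev/block/<a1>:<a2>"
//   read-write; a1 and a2 are truncated to single bytes (major:minor).
// otherwise: a0 is a pointer to a NUL-terminated path template; every '#'
//   is replaced, left to right, by successive decimal digits of a1 (least
//   significant digit first), and a2 is passed through as the open() flags.
//
// Returns the descriptor from open(), or (uintptr_t)-1 when open() fails.
static uintptr_t syz_open_dev(uintptr_t a0, uintptr_t a1, uintptr_t a2)
{
	if (a0 == 0xc || a0 == 0xb) {
		char buf[128];
		// Bounded format: the longest possible result is
		// "/dev/block/255:255", far below sizeof(buf).
		snprintf(buf, sizeof(buf), "/dev/%s/%d:%d",
			 a0 == 0xc ? "char" : "block", (uint8_t)a1, (uint8_t)a2);
		return open(buf, O_RDWR, 0);
	}

	char buf[1024];
	char *hash;
	// strncpy() does not guarantee termination on truncation, so the
	// last byte is forced to NUL before the template is scanned.
	strncpy(buf, (char *)a0, sizeof(buf));
	buf[sizeof(buf) - 1] = 0;
	while ((hash = strchr(buf, '#'))) {
		*hash = '0' + (char)(a1 % 10);
		a1 /= 10;
	}
	return open(buf, a2, 0);
}

// Result slot for the single syz_open_dev() call; all bits set (-1) until
// the call has been made.
long r[1];

// Replays the recorded syscall sequence once.
void loop(void)
{
	memset(r, -1, sizeof(r));

	// Fixed-address anonymous mapping, 0xfff000 bytes at 0x20000000:
	// prot 3 == PROT_READ|PROT_WRITE,
	// flags 0x32 == MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE.
	// Every buffer used below lives inside this region.
	syscall(__NR_mmap, 0x20000000, 0xfff000, 3, 0x32, -1, 0);

	// Path template "/dev/sg#" (9 bytes including the NUL). With a1 == 0
	// the '#' becomes '0', so this opens /dev/sg0 with flags 2 (O_RDWR).
	memcpy((void *)0x20000000, "/dev/sg#", 9);
	r[0] = syz_open_dev(0x20000000, 0, 2);

	// 211 bytes of fuzzer-generated data, written to the sg descriptor
	// in one write() (0xd3 == 211, matching the memcpy length).
	memcpy((void *)0x202b7000,
	       "\x06\xe2\x45\xf1\xdc\x92\xc0\x59\x84\x2f\x08\xba\xd1\x97\x25\xff\x31"
	       "\x0e\x27\xcc\x00\x11\x02\xb2\xf5\x20\x34\x6d\x72\xe6\xdd\xaf\x30\x7a"
	       "\x18\x2b\xdb\x2b\xf6\x77\x3b\x69\x7c\x67\x88\xef\x2a\x7e\xa6\x37\x62"
	       "\x32\x08\x5e\x13\x66\xf1\xcc\x63\x54\xc3\x63\x4f\x86\xd3\xd3\xc0\xe0"
	       "\x7e\x5f\x9f\xd4\xfe\xb0\xf4\xa3\x92\xa0\x6e\xa6\x92\xa4\xa4\x2e\x2b"
	       "\x90\x5f\x9b\xfa\xbb\xd9\xc9\x5d\x9b\x2b\x4e\x6e\x4a\x80\xf7\xd1\x96"
	       "\x59\x2c\x22\x56\xd3\xf6\x30\x24\x89\xcf\xb0\x72\x85\x51\xc9\x2a\xa3"
	       "\x7a\x28\x19\xa9\xf2\x16\x92\x8c\x63\xfa\x7f\x27\x7c\x3c\x9e\x24\x28"
	       "\xa3\x69\x77\x05\x85\xff\x58\xec\xaa\xcb\xce\xe7\x6e\xfe\x80\x64\x4c"
	       "\x50\x95\xed\xb7\xde\x3d\x67\x91\xbb\x7d\x7e\x9b\x7e\xa7\x6c\xbf\x05"
	       "\x64\x0a\x28\xf5\xb1\x5d\xc0\x7d\x6f\x19\x56\x19\x0f\xf5\x0b\xe0\xea"
	       "\x8d\xc8\x0c\x6f\xd3\xd1\x27\x24\x21\xb2\x86\x40\x45\x37\xcd\x7b\x83"
	       "\x4b\x1c\xa5\x9a\x33\xb8\x78",
	       211);
	syscall(__NR_write, r[0], 0x202b7000, 0xd3);

	// One-entry iovec at 0x204bb000: iov_base 0x203d4000, iov_len 0xa5
	// (165 bytes), then a single readv() on the same descriptor.
	*(uint64_t *)0x204bb000 = 0x203d4000;
	*(uint64_t *)0x204bb008 = 0xa5;
	syscall(__NR_readv, r[0], 0x204bb000, 1);
}

int main(void)
{
	loop();
	return 0;
}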