// https://syzkaller.appspot.com/bug?id=725244646b2c69398356d89714346347c1e6cb7b
// autogenerated by syzkaller (http://github.com/google/syzkaller)
//
// Kernel-bug reproducer. It builds one iptables ruleset by hand in a
// fixed-address anonymous mapping and hands it to the kernel with a single
// setsockopt() call. Every store below targets a literal address inside the
// region mapped at the top of loop(); return values are deliberately
// unchecked because the program only has to reach the kernel code path.
// Sizes are self-consistent: 0x60-byte replace header + 0x2b8 bytes of
// entries = the 0x318 optlen passed to setsockopt().
#define _GNU_SOURCE
// NOTE(review): the header names after each #include were lost in extraction.
// Judged by the symbols used they are most likely <endian.h> (htobe32),
// <stdint.h> (uintN_t), <string.h> (memcpy/memset), <sys/syscall.h> (__NR_*)
// and <unistd.h> (syscall) -- confirm against the original reproducer.
#include
#include
#include
#include
#include

// Result slot for the socket descriptor. memset() fills it with 0xff bytes
// (reads as -1) before use, so a slot that is never assigned is an invalid fd.
long r[1];

// Runs the reproducer once: mmap the scratch region, open a socket, write the
// ruleset image into the region, and submit it via setsockopt().
void loop()
{
  memset(r, -1, sizeof(r));
  // Fixed anonymous mapping at 0x20000000, 0x16000 bytes, prot 3
  // (PROT_READ|PROT_WRITE), flags 0x32 (MAP_PRIVATE|MAP_ANONYMOUS|MAP_FIXED).
  // Fresh anonymous pages are zero-filled, which is why some gaps between the
  // explicit stores below are left untouched.
  syscall(__NR_mmap, 0x20000000, 0x16000, 3, 0x32, -1, 0);
  // socket(AF_INET = 2, SOCK_STREAM|SOCK_CLOEXEC = 0x80001, 0)
  r[0] = syscall(__NR_socket, 2, 0x80001, 0);

  // ---- struct ipt_replace header at 0x2000fce8 (0x60 bytes) ----
  // The field order below matches struct ipt_replace: name[32], valid_hooks,
  // num_entries, size, hook_entry[5], underflow[5], num_counters, counters.
  // name[32] = "filter"
  memcpy((void*)0x2000fce8, "\x66\x69\x6c\x74\x65\x72\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00", 32);
  *(uint32_t*)0x2000fd08 = 0xe;   // valid_hooks: bits 1..3 set
  *(uint32_t*)0x2000fd0c = 4;     // num_entries
  *(uint32_t*)0x2000fd10 = 0x2b8; // size of the entry blob that follows the header
  // hook_entry[5]: offsets into the entry blob; -1 marks an unused hook
  *(uint32_t*)0x2000fd14 = -1;
  *(uint32_t*)0x2000fd18 = 0;
  *(uint32_t*)0x2000fd1c = 0;
  *(uint32_t*)0x2000fd20 = 0;
  *(uint32_t*)0x2000fd24 = -1;
  // underflow[5]: same layout as hook_entry
  *(uint32_t*)0x2000fd28 = -1;
  *(uint32_t*)0x2000fd2c = 0;
  *(uint32_t*)0x2000fd30 = 0;
  *(uint32_t*)0x2000fd34 = 0;
  *(uint32_t*)0x2000fd38 = -1;
  *(uint32_t*)0x2000fd3c = 4;          // num_counters
  *(uint64_t*)0x2000fd40 = 0x20012fc0; // counters: user pointer, buffer zeroed at the end

  // ---- entry 1 at 0x2000fd48 (header + 0x60) ----
  // struct ipt_ip (84 bytes) fully zeroed: addresses, masks, interface names,
  // interface masks, proto, flags and invflags all 0.
  *(uint8_t*)0x2000fd48 = 0; *(uint8_t*)0x2000fd49 = 0; *(uint8_t*)0x2000fd4a = 0; *(uint8_t*)0x2000fd4b = 0;
  *(uint8_t*)0x2000fd4c = 0; *(uint8_t*)0x2000fd4d = 0; *(uint8_t*)0x2000fd4e = 0; *(uint8_t*)0x2000fd4f = 0;
  *(uint8_t*)0x2000fd50 = 0; *(uint8_t*)0x2000fd51 = 0; *(uint8_t*)0x2000fd52 = 0; *(uint8_t*)0x2000fd53 = 0;
  *(uint8_t*)0x2000fd54 = 0; *(uint8_t*)0x2000fd55 = 0; *(uint8_t*)0x2000fd56 = 0; *(uint8_t*)0x2000fd57 = 0;
  *(uint8_t*)0x2000fd58 = 0; *(uint8_t*)0x2000fd59 = 0; *(uint8_t*)0x2000fd5a = 0; *(uint8_t*)0x2000fd5b = 0;
  *(uint8_t*)0x2000fd5c = 0; *(uint8_t*)0x2000fd5d = 0; *(uint8_t*)0x2000fd5e = 0; *(uint8_t*)0x2000fd5f = 0;
  *(uint8_t*)0x2000fd60 = 0; *(uint8_t*)0x2000fd61 = 0; *(uint8_t*)0x2000fd62 = 0; *(uint8_t*)0x2000fd63 = 0;
  *(uint8_t*)0x2000fd64 = 0; *(uint8_t*)0x2000fd65 = 0; *(uint8_t*)0x2000fd66 = 0; *(uint8_t*)0x2000fd67 = 0;
  *(uint8_t*)0x2000fd68 = 0; *(uint8_t*)0x2000fd69 = 0; *(uint8_t*)0x2000fd6a = 0; *(uint8_t*)0x2000fd6b = 0;
  *(uint8_t*)0x2000fd6c = 0; *(uint8_t*)0x2000fd6d = 0; *(uint8_t*)0x2000fd6e = 0; *(uint8_t*)0x2000fd6f = 0;
  *(uint8_t*)0x2000fd70 = 0; *(uint8_t*)0x2000fd71 = 0; *(uint8_t*)0x2000fd72 = 0; *(uint8_t*)0x2000fd73 = 0;
  *(uint8_t*)0x2000fd74 = 0; *(uint8_t*)0x2000fd75 = 0; *(uint8_t*)0x2000fd76 = 0; *(uint8_t*)0x2000fd77 = 0;
  *(uint8_t*)0x2000fd78 = 0; *(uint8_t*)0x2000fd79 = 0; *(uint8_t*)0x2000fd7a = 0; *(uint8_t*)0x2000fd7b = 0;
  *(uint8_t*)0x2000fd7c = 0; *(uint8_t*)0x2000fd7d = 0; *(uint8_t*)0x2000fd7e = 0; *(uint8_t*)0x2000fd7f = 0;
  *(uint8_t*)0x2000fd80 = 0; *(uint8_t*)0x2000fd81 = 0; *(uint8_t*)0x2000fd82 = 0; *(uint8_t*)0x2000fd83 = 0;
  *(uint8_t*)0x2000fd84 = 0; *(uint8_t*)0x2000fd85 = 0; *(uint8_t*)0x2000fd86 = 0; *(uint8_t*)0x2000fd87 = 0;
  *(uint8_t*)0x2000fd88 = 0; *(uint8_t*)0x2000fd89 = 0; *(uint8_t*)0x2000fd8a = 0; *(uint8_t*)0x2000fd8b = 0;
  *(uint8_t*)0x2000fd8c = 0; *(uint8_t*)0x2000fd8d = 0; *(uint8_t*)0x2000fd8e = 0; *(uint8_t*)0x2000fd8f = 0;
  *(uint8_t*)0x2000fd90 = 0; *(uint8_t*)0x2000fd91 = 0; *(uint8_t*)0x2000fd92 = 0; *(uint8_t*)0x2000fd93 = 0;
  *(uint8_t*)0x2000fd94 = 0; *(uint8_t*)0x2000fd95 = 0; *(uint8_t*)0x2000fd96 = 0; *(uint8_t*)0x2000fd97 = 0;
  *(uint8_t*)0x2000fd98 = 0; *(uint8_t*)0x2000fd99 = 0; *(uint8_t*)0x2000fd9a = 0; *(uint8_t*)0x2000fd9b = 0;
  *(uint32_t*)0x2000fd9c = 0;    // nfcache
  *(uint16_t*)0x2000fda0 = 0x70; // target_offset: target starts right after the entry header
  *(uint16_t*)0x2000fda2 = 0x98; // next_offset: entry 2 begins at 0x2000fde0
  *(uint32_t*)0x2000fda4 = 0;    // comefrom
  *(uint64_t*)0x2000fda8 = 0;    // counters.pcnt
  *(uint64_t*)0x2000fdb0 = 0;    // counters.bcnt
  // entry 1 target at 0x2000fdb8: xt_entry_target with an all-zero name,
  // i.e. the standard target, 0x28 bytes including the verdict
  *(uint16_t*)0x2000fdb8 = 0x28; // target_size
  memcpy((void*)0x2000fdba, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00", 29); // name[29]
  *(uint8_t*)0x2000fdd7 = 0;             // revision
  *(uint32_t*)0x2000fdd8 = 0xfffffffe;   // verdict: -2 (standard-target encoding of NF_ACCEPT)

  // ---- entry 2 at 0x2000fde0 ----
  // src 172.20.0.187, dst 255.255.255.255, both masks 0
  *(uint8_t*)0x2000fde0 = 0xac;
  *(uint8_t*)0x2000fde1 = 0x14;
  *(uint8_t*)0x2000fde2 = 0;
  *(uint8_t*)0x2000fde3 = 0xbb;
  *(uint32_t*)0x2000fde4 = htobe32(-1);
  *(uint32_t*)0x2000fde8 = htobe32(0);
  *(uint32_t*)0x2000fdec = htobe32(0);
  // iniface[16]: 16 arbitrary (non-printable) bytes
  memcpy((void*)0x2000fdf0, "\x3d\xad\x40\xf8\xc2\x6e\xa3\x56\xcb\xa4\x97\x36\xe0\x9f\x6d\x7f", 16);
  // outiface[16] = "syz" (remaining bytes rely on the zero-filled mapping)
  *(uint8_t*)0x2000fe00 = 0x73;
  *(uint8_t*)0x2000fe01 = 0x79;
  *(uint8_t*)0x2000fe02 = 0x7a;
  *(uint8_t*)0x2000fe03 = 0;
  *(uint8_t*)0x2000fe04 = 0;
  // iniface_mask[16] and outiface_mask[16]: all zero
  *(uint8_t*)0x2000fe10 = 0; *(uint8_t*)0x2000fe11 = 0; *(uint8_t*)0x2000fe12 = 0; *(uint8_t*)0x2000fe13 = 0;
  *(uint8_t*)0x2000fe14 = 0; *(uint8_t*)0x2000fe15 = 0; *(uint8_t*)0x2000fe16 = 0; *(uint8_t*)0x2000fe17 = 0;
  *(uint8_t*)0x2000fe18 = 0; *(uint8_t*)0x2000fe19 = 0; *(uint8_t*)0x2000fe1a = 0; *(uint8_t*)0x2000fe1b = 0;
  *(uint8_t*)0x2000fe1c = 0; *(uint8_t*)0x2000fe1d = 0; *(uint8_t*)0x2000fe1e = 0; *(uint8_t*)0x2000fe1f = 0;
  *(uint8_t*)0x2000fe20 = 0; *(uint8_t*)0x2000fe21 = 0; *(uint8_t*)0x2000fe22 = 0; *(uint8_t*)0x2000fe23 = 0;
  *(uint8_t*)0x2000fe24 = 0; *(uint8_t*)0x2000fe25 = 0; *(uint8_t*)0x2000fe26 = 0; *(uint8_t*)0x2000fe27 = 0;
  *(uint8_t*)0x2000fe28 = 0; *(uint8_t*)0x2000fe29 = 0; *(uint8_t*)0x2000fe2a = 0; *(uint8_t*)0x2000fe2b = 0;
  *(uint8_t*)0x2000fe2c = 0; *(uint8_t*)0x2000fe2d = 0; *(uint8_t*)0x2000fe2e = 0; *(uint8_t*)0x2000fe2f = 0;
  *(uint16_t*)0x2000fe30 = 0;    // proto
  *(uint8_t*)0x2000fe32 = 2;     // flags
  *(uint8_t*)0x2000fe33 = 0;     // invflags
  *(uint32_t*)0x2000fe34 = 0;    // nfcache
  *(uint16_t*)0x2000fe38 = 0xc8; // target_offset: one match (0x58 bytes) sits between header and target
  *(uint16_t*)0x2000fe3a = 0xf0; // next_offset: entry 3 begins at 0x2000fed0
  *(uint32_t*)0x2000fe3c = 0;    // comefrom
  *(uint64_t*)0x2000fe40 = 0;    // counters.pcnt
  *(uint64_t*)0x2000fe48 = 0;    // counters.bcnt
  // entry 2 match at 0x2000fe50: xt_entry_match "hashlimit", revision 1
  *(uint16_t*)0x2000fe50 = 0x58; // match_size
  memcpy((void*)0x2000fe52, "\x68\x61\x73\x68\x6c\x69\x6d\x69\x74\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00", 29); // name[29] = "hashlimit"
  *(uint8_t*)0x2000fe6f = 1;     // revision
  // match data; layout appears to follow xt_hashlimit_mtinfo1:
  // name[16] (note the leading NUL byte before "\x01\x36gretap0")
  memcpy((void*)0x2000fe70, "\x00\x01\x36\x67\x72\x65\x74\x61\x70\x30\x00\x00\x00\x00\x00\x00", 16);
  *(uint32_t*)0x2000fe80 = 0;          // cfg.mode
  *(uint32_t*)0x2000fe84 = 0;          // cfg.avg
  *(uint32_t*)0x2000fe88 = 9;          // cfg.burst
  *(uint32_t*)0x2000fe8c = 0;          // cfg.size
  *(uint32_t*)0x2000fe90 = 0;          // cfg.max
  *(uint32_t*)0x2000fe94 = 0x800002;   // cfg.gc_interval
  *(uint32_t*)0x2000fe98 = 0xffffffd5; // cfg.expire
  *(uint8_t*)0x2000fe9c = 0;           // cfg.srcmask
  *(uint8_t*)0x2000fe9d = 0;           // cfg.dstmask
  *(uint64_t*)0x2000fea0 = 0;          // hinfo: kernel-owned pointer slot, zero from userspace
  // entry 2 target at 0x2000fea8: "CLASSIFY", revision 0
  *(uint16_t*)0x2000fea8 = 0x28; // target_size
  memcpy((void*)0x2000feaa, "\x43\x4c\x41\x53\x53\x49\x46\x59\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00", 29); // name[29] = "CLASSIFY"
  *(uint8_t*)0x2000fec7 = 0;       // revision
  *(uint32_t*)0x2000fec8 = 0xff44; // target data: priority

  // ---- entry 3 at 0x2000fed0 ----
  // src 172.20.0.0, dst 224.0.0.1, both masks 0
  *(uint8_t*)0x2000fed0 = 0xac;
  *(uint8_t*)0x2000fed1 = 0x14;
  *(uint8_t*)0x2000fed2 = 0;
  *(uint8_t*)0x2000fed3 = 0;
  *(uint32_t*)0x2000fed4 = htobe32(0xe0000001);
  *(uint32_t*)0x2000fed8 = htobe32(0);
  *(uint32_t*)0x2000fedc = htobe32(0);
  // iniface[16] = "teql0"
  memcpy((void*)0x2000fee0, "\x74\x65\x71\x6c\x30\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", 16);
  // outiface[16] = "syz"
  *(uint8_t*)0x2000fef0 = 0x73;
  *(uint8_t*)0x2000fef1 = 0x79;
  *(uint8_t*)0x2000fef2 = 0x7a;
  *(uint8_t*)0x2000fef3 = 0;
  *(uint8_t*)0x2000fef4 = 0;
  // iniface_mask[16] and outiface_mask[16]: all zero
  *(uint8_t*)0x2000ff00 = 0; *(uint8_t*)0x2000ff01 = 0; *(uint8_t*)0x2000ff02 = 0; *(uint8_t*)0x2000ff03 = 0;
  *(uint8_t*)0x2000ff04 = 0; *(uint8_t*)0x2000ff05 = 0; *(uint8_t*)0x2000ff06 = 0; *(uint8_t*)0x2000ff07 = 0;
  *(uint8_t*)0x2000ff08 = 0; *(uint8_t*)0x2000ff09 = 0; *(uint8_t*)0x2000ff0a = 0; *(uint8_t*)0x2000ff0b = 0;
  *(uint8_t*)0x2000ff0c = 0; *(uint8_t*)0x2000ff0d = 0; *(uint8_t*)0x2000ff0e = 0; *(uint8_t*)0x2000ff0f = 0;
  *(uint8_t*)0x2000ff10 = 0; *(uint8_t*)0x2000ff11 = 0; *(uint8_t*)0x2000ff12 = 0; *(uint8_t*)0x2000ff13 = 0;
  *(uint8_t*)0x2000ff14 = 0; *(uint8_t*)0x2000ff15 = 0; *(uint8_t*)0x2000ff16 = 0; *(uint8_t*)0x2000ff17 = 0;
  *(uint8_t*)0x2000ff18 = 0; *(uint8_t*)0x2000ff19 = 0; *(uint8_t*)0x2000ff1a = 0; *(uint8_t*)0x2000ff1b = 0;
  *(uint8_t*)0x2000ff1c = 0; *(uint8_t*)0x2000ff1d = 0; *(uint8_t*)0x2000ff1e = 0; *(uint8_t*)0x2000ff1f = 0;
  *(uint16_t*)0x2000ff20 = 0;    // proto
  *(uint8_t*)0x2000ff22 = 0;     // flags
  *(uint8_t*)0x2000ff23 = 0;     // invflags
  *(uint32_t*)0x2000ff24 = 0;    // nfcache
  *(uint16_t*)0x2000ff28 = 0x70; // target_offset: no matches
  *(uint16_t*)0x2000ff2a = 0x98; // next_offset: entry 4 begins at 0x2000ff68
  *(uint32_t*)0x2000ff2c = 0;    // comefrom
  *(uint64_t*)0x2000ff30 = 0;    // counters.pcnt
  *(uint64_t*)0x2000ff38 = 0;    // counters.bcnt
  // entry 3 target at 0x2000ff40: "REJECT", revision 0
  *(uint16_t*)0x2000ff40 = 0x28; // target_size
  memcpy((void*)0x2000ff42, "\x52\x45\x4a\x45\x43\x54\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00", 29); // name[29] = "REJECT"
  *(uint8_t*)0x2000ff5f = 0;  // revision
  *(uint32_t*)0x2000ff60 = 0; // target data: ipt_reject_info.with = 0 (IPT_ICMP_NET_UNREACHABLE)

  // ---- entry 4 at 0x2000ff68 (last; ends exactly at 0x20010000) ----
  // src 224.0.0.1, dst 127.0.0.1, both masks 0
  *(uint32_t*)0x2000ff68 = htobe32(0xe0000001);
  *(uint32_t*)0x2000ff6c = htobe32(0x7f000001);
  *(uint32_t*)0x2000ff70 = htobe32(0);
  *(uint32_t*)0x2000ff74 = htobe32(0);
  // iniface[16] = "ifb0"
  memcpy((void*)0x2000ff78, "\x69\x66\x62\x30\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", 16);
  // outiface[16] = "syz"
  *(uint8_t*)0x2000ff88 = 0x73;
  *(uint8_t*)0x2000ff89 = 0x79;
  *(uint8_t*)0x2000ff8a = 0x7a;
  *(uint8_t*)0x2000ff8b = 0;
  *(uint8_t*)0x2000ff8c = 0;
  // iniface_mask[16] and outiface_mask[16]: all zero
  *(uint8_t*)0x2000ff98 = 0; *(uint8_t*)0x2000ff99 = 0; *(uint8_t*)0x2000ff9a = 0; *(uint8_t*)0x2000ff9b = 0;
  *(uint8_t*)0x2000ff9c = 0; *(uint8_t*)0x2000ff9d = 0; *(uint8_t*)0x2000ff9e = 0; *(uint8_t*)0x2000ff9f = 0;
  *(uint8_t*)0x2000ffa0 = 0; *(uint8_t*)0x2000ffa1 = 0; *(uint8_t*)0x2000ffa2 = 0; *(uint8_t*)0x2000ffa3 = 0;
  *(uint8_t*)0x2000ffa4 = 0; *(uint8_t*)0x2000ffa5 = 0; *(uint8_t*)0x2000ffa6 = 0; *(uint8_t*)0x2000ffa7 = 0;
  *(uint8_t*)0x2000ffa8 = 0; *(uint8_t*)0x2000ffa9 = 0; *(uint8_t*)0x2000ffaa = 0; *(uint8_t*)0x2000ffab = 0;
  *(uint8_t*)0x2000ffac = 0; *(uint8_t*)0x2000ffad = 0; *(uint8_t*)0x2000ffae = 0; *(uint8_t*)0x2000ffaf = 0;
  *(uint8_t*)0x2000ffb0 = 0; *(uint8_t*)0x2000ffb1 = 0; *(uint8_t*)0x2000ffb2 = 0; *(uint8_t*)0x2000ffb3 = 0;
  *(uint8_t*)0x2000ffb4 = 0; *(uint8_t*)0x2000ffb5 = 0; *(uint8_t*)0x2000ffb6 = 0; *(uint8_t*)0x2000ffb7 = 0;
  *(uint16_t*)0x2000ffb8 = 0;    // proto
  *(uint8_t*)0x2000ffba = 0;     // flags
  *(uint8_t*)0x2000ffbb = 0;     // invflags
  *(uint32_t*)0x2000ffbc = 0;    // nfcache
  *(uint16_t*)0x2000ffc0 = 0x70; // target_offset: no matches
  *(uint16_t*)0x2000ffc2 = 0x98; // next_offset: 0x2000ff68 + 0x98 = end of the 0x2b8-byte blob
  *(uint32_t*)0x2000ffc4 = 0;    // comefrom
  *(uint64_t*)0x2000ffc8 = 0;    // counters.pcnt
  *(uint64_t*)0x2000ffd0 = 0;    // counters.bcnt
  // entry 4 target at 0x2000ffd8: "REJECT", revision 0
  *(uint16_t*)0x2000ffd8 = 0x28; // target_size
  memcpy((void*)0x2000ffda, "\x52\x45\x4a\x45\x43\x54\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00", 29); // name[29] = "REJECT"
  *(uint8_t*)0x2000fff7 = 0;  // revision
  *(uint32_t*)0x2000fff8 = 0; // target data: ipt_reject_info.with = 0

  // ---- counters buffer at 0x20012fc0 (pointed to by ipt_replace.counters) ----
  // num_counters = 4 entries of 16 bytes each, all zero.
  *(uint64_t*)0x20012fc0 = 0;
  *(uint64_t*)0x20012fc8 = 0;
  *(uint64_t*)0x20012fd0 = 0;
  *(uint64_t*)0x20012fd8 = 0;
  *(uint64_t*)0x20012fe0 = 0;
  *(uint64_t*)0x20012fe8 = 0;
  *(uint64_t*)0x20012ff0 = 0;
  *(uint64_t*)0x20012ff8 = 0;

  // setsockopt(fd, level 0 = IPPROTO_IP, optname 0x40 = IPT_SO_SET_REPLACE,
  // optval = the ipt_replace image, optlen 0x318). This optname replaces the
  // whole table and is a privileged operation (CAP_NET_ADMIN in the socket's
  // network namespace); the result is not checked.
  syscall(__NR_setsockopt, r[0], 0, 0x40, 0x2000fce8, 0x318);
}

// Entry point: run the reproducer a single time and exit.
int main()
{
  loop();
  return 0;
}