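// https://syzkaller.appspot.com/bug?id=fa551e80818a9ef8f55c0c90cdacad1fcf141496
// autogenerated by syzkaller (http://github.com/google/syzkaller)
//
// Reproducer for the syzkaller report linked above. It maps one fixed
// region of user memory, writes raw socket structures into it at the exact
// addresses the fuzzer recorded, binds a socket, and issues a single
// sendmsg(). Every structure is written through absolute pointers (some of
// them unaligned, e.g. the iovec array at 0x20982fdf) because the byte
// layout handed to the kernel *is* the test input; do not "fix" alignment
// or field order without re-checking the report.

#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

// One result slot per syscall the generator emitted. Only r[0] (mmap),
// r[1] (socket), r[13] (bind) and r[71] (sendmsg) are assigned here; the
// rest stay at -1 from the memset in loop().
long r[72];

// Write a 16-byte struct sockaddr_in image at `at`: sa_family, sin_port,
// sin_addr, then the 8-byte sin_zero pad. Port and address are stored with
// the raw values the generator emitted, i.e. already in the byte order the
// kernel reads them in on a little-endian host.
static void put_sockaddr_in(uintptr_t at, uint16_t family, uint16_t port, uint32_t addr)
{
    *(uint16_t *)at = family;
    *(uint16_t *)(at + 2) = port;
    *(uint32_t *)(at + 4) = addr;
    memset((void *)(at + 8), 0, 8);   // sin_zero: replaces eight single-byte zero stores
}

// Write a struct cmsghdr (cmsg_len at +0, cmsg_level at +8, cmsg_type at +12)
// at `at`. Payload bytes, when any, are placed by the caller at `at + 16`.
static void put_cmsghdr(uintptr_t at, uint64_t len, uint32_t level, uint32_t type)
{
    *(uint64_t *)at = len;
    *(uint32_t *)(at + 8) = level;
    *(uint32_t *)(at + 12) = type;
}

// Run the recorded syscall sequence once. Bails out (with a message on
// stderr) if the fixed mapping or the socket cannot be created, since every
// later store targets that mapping and would otherwise fault.
void loop(void)
{
    memset(r, -1, sizeof r);

    // 16 MiB - 4 KiB, PROT_READ|PROT_WRITE (3), MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS (0x32),
    // fd -1: the anonymous region all absolute addresses below fall into.
    r[0] = syscall(__NR_mmap, 0x20000000ul, 0xfff000ul, 0x3ul, 0x32ul, 0xfffffffffffffffful, 0x0ul);
    if (r[0] == -1) {
        perror("mmap");
        return;
    }

    // Domain 0x40000000015: the kernel takes `family` as an int, so only the
    // low bits (0x15 = 21, AF_RDS) matter; type 5 is SOCK_SEQPACKET.
    r[1] = syscall(__NR_socket, 0x40000000015ul, 0x5ul, 0x0ul);
    if (r[1] == -1) {
        perror("socket");
        return;
    }

    // Local address: AF_INET (2), port bytes 4e 20 (20000 in network order),
    // address bytes 7f 00 00 01 (127.0.0.1). Length 0x10 = sizeof(struct sockaddr_in).
    put_sockaddr_in(0x208a5ff0, 0x2, 0x204e, 0x100007f);
    r[13] = syscall(__NR_bind, r[1], 0x208a5ff0ul, 0x10ul);

    // struct msghdr image at 0x2048cfe4 (only 4-byte aligned), with the
    // x86-64 layout: name, namelen + 4-byte pad, iov, iovlen, control,
    // controllen, flags.
    *(uint64_t *)0x2048cfe4 = 0x20477000;   // msg_name -> destination sockaddr_in below
    *(uint32_t *)0x2048cfec = 0x10;         // msg_namelen
    *(uint64_t *)0x2048cff4 = 0x20982fdf;   // msg_iov -> ten iovecs below
    *(uint64_t *)0x2048cffc = 0xa;          // msg_iovlen = 10
    *(uint64_t *)0x2048d004 = 0x20c07000;   // msg_control -> six cmsgs below
    *(uint64_t *)0x2048d00c = 0xd0;         // msg_controllen = 208, the cmsg lengths summed
    *(uint32_t *)0x2048d014 = 0x4;          // msg_flags

    // Destination: AF_INET, port bytes 4e 21 (20001), address bytes
    // e0 00 00 01 (224.0.0.1).
    put_sockaddr_in(0x20477000, 0x2, 0x214e, 0x10000e0);

    // Ten struct iovec entries, 16 bytes apart starting at 0x20982fdf; every
    // iov_len is 0, only the iov_base values differ. All bases point into
    // the fixed mapping.
    static const uint64_t iov_base[10] = {
        0x20885f46, 0x20a1b000, 0x20b4c000, 0x20ebef3a, 0x20f4b000,
        0x2004f000, 0x209e2f26, 0x20ca7000, 0x204ae000, 0x20989ff6,
    };
    for (size_t i = 0; i < 10; i++) {
        uintptr_t at = 0x20982fdf + 16 * i;
        *(uint64_t *)at = iov_base[i];
        *(uint64_t *)(at + 8) = 0;
    }

    // Control messages, back to back from 0x20c07000 (0x10+0x10+0x10+0x80+0x10+0x10 = 0xd0).
    // Level 1 is SOL_SOCKET and 0x114 (276) is SOL_RDS; levels 0x11f, 0x13f
    // and 0x13b do not match a documented SOL_* value and look like fuzzed input.
    put_cmsghdr(0x20c07000, 0x10, 0x1, 0x4);
    put_cmsghdr(0x20c07010, 0x10, 0x1, 0x4);
    put_cmsghdr(0x20c07020, 0x10, 0x11f, 0x1);
    // cmsg_len 0x80 with a 111-byte payload: the recorded bytes are opaque
    // fuzzer output and are reproduced verbatim.
    put_cmsghdr(0x20c07030, 0x80, 0x114, 0x8);
    memcpy((void *)0x20c07040,
           "\x29\xbb\xfa\xdc\x77\xe6\xe6\xd7\x81\x02\x56\xbd\x99\xa2\x2c"
           "\xce\xe4\x52\x0f\xb7\xd5\x7d\x09\x7e\xf0\xdc\xca\xa0\xad\x74"
           "\x18\x3d\xa1\x27\x25\x35\x82\x3b\xa4\x41\xd5\xa4\xfd\x01\xf8"
           "\x22\x43\x7a\xa0\x46\xe7\x38\x14\x5a\xee\xdc\xf6\x57\xa3\xe1"
           "\xb5\x83\xeb\x57\xb4\x97\x34\x99\x96\xa1\x16\xb3\xc7\x64\x84"
           "\x06\xbc\xf2\x27\xc7\x3b\x46\x48\x52\x42\xb6\x2b\x56\x5d\x4a"
           "\x61\xd9\x39\x95\x94\xbb\x5b\xb7\x4a\x3f\x30\x2a\xb1\xa0\xdd"
           "\x63\x27\x53\x94\xa3\xd5",
           111);
    put_cmsghdr(0x20c070b0, 0x10, 0x13f, 0x5);
    put_cmsghdr(0x20c070c0, 0x10, 0x13b, 0xf4b);

    // Flags 0x40 = MSG_DONTWAIT. This is the call the report is about.
    r[71] = syscall(__NR_sendmsg, r[1], 0x2048cfe4ul, 0x40ul);
}

int main(void)
{
    loop();
    return 0;
}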