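// https://syzkaller.appspot.com/bug?id=0d259373da8be7356652213543e1efc254a5abf0
// autogenerated by syzkaller (http://github.com/google/syzkaller)
//
// Reproducer for a KVM issue reachable from an unprivileged process that can
// open /dev/kvm: it creates a VM and one VCPU, then hands the VCPU a
// fuzzer-generated register state through a single ioctl. Meant to be run
// only inside a disposable test VM; a successful run triggers the kernel bug
// referenced above.
//
// The header names of the four #include directives were lost when this file
// was captured; they are restored here from the names the code actually uses
// (memset/memcpy, syscall, __NR_*, uintN_t).

#define _GNU_SOURCE
#include <stdint.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

// Raw syscall results: r[0] = /dev/kvm fd, r[1] = VM fd, r[2] = VCPU fd.
// Pre-set to -1 so a failed step leaves an invalid fd behind. As generated,
// nothing is checked: if a step fails the following ioctls are issued on -1
// and fail with EBADF instead of aborting the program.
long r[3];

// Runs the reproducer once.  Every address used below lies inside the fixed
// anonymous mapping at 0x20000000 created by the first syscall; that mapping
// is syzkaller's standard scratch area for the data its programs pass to the
// kernel.
void loop(void)
{
    memset(r, -1, sizeof(r));

    // mmap(0x20000000, 0xfff000, PROT_READ|PROT_WRITE,
    //      MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0)
    syscall(__NR_mmap, 0x20000000ul, 0xfff000ul, 0x3ul, 0x32ul,
            0xfffffffffffffffful, 0x0ul);

    // Path string placed near the top of the mapping (9 bytes incl. NUL);
    // 0x20fcbff7 + 9 == 0x20fcc000, still inside the 0xfff000-byte map.
    memcpy((void*)0x20fcbff7, "/dev/kvm", 9);

    // openat(AT_FDCWD, "/dev/kvm", O_RDONLY, 0)
    r[0] = syscall(__NR_openat, 0xffffffffffffff9cul, 0x20fcbff7ul, 0x0ul,
                   0x0ul);
    // 0xae01 = KVM_CREATE_VM (type 0), 0xae41 = KVM_CREATE_VCPU (vcpu id 0).
    r[1] = syscall(__NR_ioctl, r[0], 0xae01ul, 0x0ul);
    r[2] = syscall(__NR_ioctl, r[1], 0xae41ul, 0x0ul);

    // Build the 0x138-byte ioctl argument at 0x20c2a000.  The store widths
    // and offsets follow struct kvm_sregs: eight 24-byte kvm_segment entries
    // (base u64, limit u32, selector u16, then ten u8 flag/padding bytes),
    // two 16-byte kvm_dtable entries (base u64, limit u16, padding u16[3]),
    // seven u64 control registers and a u64 interrupt_bitmap[4].
    //
    // Many u8 stores are given constants wider than a byte. The cast
    // truncates them (well-defined for unsigned targets, but -Woverflow
    // warns); the values are kept exactly as generated so the reproducer
    // stays faithful to the fuzzer input that hit the bug.

    // segment 0 (cs)
    *(uint64_t*)0x20c2a000 = (uint64_t)0x107002;
    *(uint32_t*)0x20c2a008 = (uint32_t)0x1000;
    *(uint16_t*)0x20c2a00c = (uint16_t)0x0;
    *(uint8_t*)0x20c2a00e = (uint8_t)0x80;
    *(uint8_t*)0x20c2a00f = (uint8_t)0xf319;
    *(uint8_t*)0x20c2a010 = (uint8_t)0x2;
    *(uint8_t*)0x20c2a011 = (uint8_t)0x100000000;
    *(uint8_t*)0x20c2a012 = (uint8_t)0x6;
    *(uint8_t*)0x20c2a013 = (uint8_t)0x5;
    *(uint8_t*)0x20c2a014 = (uint8_t)0xfffffffffffffbff;
    *(uint8_t*)0x20c2a015 = (uint8_t)0xb5f;
    *(uint8_t*)0x20c2a016 = (uint8_t)0x401;
    *(uint8_t*)0x20c2a017 = (uint8_t)0x0;

    // segment 1 (ds)
    *(uint64_t*)0x20c2a018 = (uint64_t)0x15000;
    *(uint32_t*)0x20c2a020 = (uint32_t)0x5000;
    *(uint16_t*)0x20c2a024 = (uint16_t)0xd;
    *(uint8_t*)0x20c2a026 = (uint8_t)0x1;
    *(uint8_t*)0x20c2a027 = (uint8_t)0xb2;
    *(uint8_t*)0x20c2a028 = (uint8_t)0x2;
    *(uint8_t*)0x20c2a029 = (uint8_t)0x38;
    *(uint8_t*)0x20c2a02a = (uint8_t)0x0;
    *(uint8_t*)0x20c2a02b = (uint8_t)0x8001;
    *(uint8_t*)0x20c2a02c = (uint8_t)0x1;
    *(uint8_t*)0x20c2a02d = (uint8_t)0x6;
    *(uint8_t*)0x20c2a02e = (uint8_t)0x80;
    *(uint8_t*)0x20c2a02f = (uint8_t)0x0;

    // segment 2 (es)
    *(uint64_t*)0x20c2a030 = (uint64_t)0x1;
    *(uint32_t*)0x20c2a038 = (uint32_t)0x102001;
    *(uint16_t*)0x20c2a03c = (uint16_t)0x4;
    *(uint8_t*)0x20c2a03e = (uint8_t)0x1;
    *(uint8_t*)0x20c2a03f = (uint8_t)0x1;
    *(uint8_t*)0x20c2a040 = (uint8_t)0x3;
    *(uint8_t*)0x20c2a041 = (uint8_t)0x8;
    *(uint8_t*)0x20c2a042 = (uint8_t)0x0;
    *(uint8_t*)0x20c2a043 = (uint8_t)0x6;
    *(uint8_t*)0x20c2a044 = (uint8_t)0xa3d9;
    *(uint8_t*)0x20c2a045 = (uint8_t)0x8;
    *(uint8_t*)0x20c2a046 = (uint8_t)0x6;
    *(uint8_t*)0x20c2a047 = (uint8_t)0x0;

    // segment 3 (fs)
    *(uint64_t*)0x20c2a048 = (uint64_t)0x4;
    *(uint32_t*)0x20c2a050 = (uint32_t)0x1;
    *(uint16_t*)0x20c2a054 = (uint16_t)0x19;
    *(uint8_t*)0x20c2a056 = (uint8_t)0x5f5;
    *(uint8_t*)0x20c2a057 = (uint8_t)0xd7;
    *(uint8_t*)0x20c2a058 = (uint8_t)0x7fff;
    *(uint8_t*)0x20c2a059 = (uint8_t)0x2;
    *(uint8_t*)0x20c2a05a = (uint8_t)0x4ab;
    *(uint8_t*)0x20c2a05b = (uint8_t)0x3;
    *(uint8_t*)0x20c2a05c = (uint8_t)0xd024;
    *(uint8_t*)0x20c2a05d = (uint8_t)0x3000000000000;
    *(uint8_t*)0x20c2a05e = (uint8_t)0x57;
    *(uint8_t*)0x20c2a05f = (uint8_t)0x0;

    // segment 4 (gs)
    *(uint64_t*)0x20c2a060 = (uint64_t)0x11000;
    *(uint32_t*)0x20c2a068 = (uint32_t)0x100001;
    *(uint16_t*)0x20c2a06c = (uint16_t)0xb;
    *(uint8_t*)0x20c2a06e = (uint8_t)0x0;
    *(uint8_t*)0x20c2a06f = (uint8_t)0x1000;
    *(uint8_t*)0x20c2a070 = (uint8_t)0xffffffffffffff01;
    *(uint8_t*)0x20c2a071 = (uint8_t)0xa7c5;
    *(uint8_t*)0x20c2a072 = (uint8_t)0x3;
    *(uint8_t*)0x20c2a073 = (uint8_t)0x2b;
    *(uint8_t*)0x20c2a074 = (uint8_t)0x7;
    *(uint8_t*)0x20c2a075 = (uint8_t)0x80;
    *(uint8_t*)0x20c2a076 = (uint8_t)0x2;
    *(uint8_t*)0x20c2a077 = (uint8_t)0x0;

    // segment 5 (ss)
    *(uint64_t*)0x20c2a078 = (uint64_t)0x10003;
    *(uint32_t*)0x20c2a080 = (uint32_t)0x7000;
    *(uint16_t*)0x20c2a084 = (uint16_t)0xc;
    *(uint8_t*)0x20c2a086 = (uint8_t)0x7;
    *(uint8_t*)0x20c2a087 = (uint8_t)0x81;
    *(uint8_t*)0x20c2a088 = (uint8_t)0x7f;
    *(uint8_t*)0x20c2a089 = (uint8_t)0xff;
    *(uint8_t*)0x20c2a08a = (uint8_t)0x18000;
    *(uint8_t*)0x20c2a08b = (uint8_t)0xfffffffffffff801;
    *(uint8_t*)0x20c2a08c = (uint8_t)0x770a796d;
    *(uint8_t*)0x20c2a08d = (uint8_t)0x80;
    *(uint8_t*)0x20c2a08e = (uint8_t)0x0;
    *(uint8_t*)0x20c2a08f = (uint8_t)0x0;

    // segment 6 (tr)
    *(uint64_t*)0x20c2a090 = (uint64_t)0x0;
    *(uint32_t*)0x20c2a098 = (uint32_t)0x5000;
    *(uint16_t*)0x20c2a09c = (uint16_t)0x4;
    *(uint8_t*)0x20c2a09e = (uint8_t)0x9;
    *(uint8_t*)0x20c2a09f = (uint8_t)0x9;
    *(uint8_t*)0x20c2a0a0 = (uint8_t)0x6;
    *(uint8_t*)0x20c2a0a1 = (uint8_t)0x5;
    *(uint8_t*)0x20c2a0a2 = (uint8_t)0x3ae;
    *(uint8_t*)0x20c2a0a3 = (uint8_t)0x6;
    *(uint8_t*)0x20c2a0a4 = (uint8_t)0x566a;
    *(uint8_t*)0x20c2a0a5 = (uint8_t)0x312f7907;
    *(uint8_t*)0x20c2a0a6 = (uint8_t)0xff;
    *(uint8_t*)0x20c2a0a7 = (uint8_t)0x0;

    // segment 7 (ldt)
    *(uint64_t*)0x20c2a0a8 = (uint64_t)0x10000;
    *(uint32_t*)0x20c2a0b0 = (uint32_t)0x1f000;
    *(uint16_t*)0x20c2a0b4 = (uint16_t)0xd;
    *(uint8_t*)0x20c2a0b6 = (uint8_t)0x1;
    *(uint8_t*)0x20c2a0b7 = (uint8_t)0xbbf1;
    *(uint8_t*)0x20c2a0b8 = (uint8_t)0x60;
    *(uint8_t*)0x20c2a0b9 = (uint8_t)0x70000000;
    *(uint8_t*)0x20c2a0ba = (uint8_t)0x8;
    *(uint8_t*)0x20c2a0bb = (uint8_t)0x4;
    *(uint8_t*)0x20c2a0bc = (uint8_t)0x7;
    *(uint8_t*)0x20c2a0bd = (uint8_t)0x0;
    *(uint8_t*)0x20c2a0be = (uint8_t)0x7fffffff;
    *(uint8_t*)0x20c2a0bf = (uint8_t)0x0;

    // descriptor tables (gdt, idt)
    *(uint64_t*)0x20c2a0c0 = (uint64_t)0xd000;
    *(uint16_t*)0x20c2a0c8 = (uint16_t)0x2;
    *(uint16_t*)0x20c2a0ca = (uint16_t)0x0;
    *(uint16_t*)0x20c2a0cc = (uint16_t)0x0;
    *(uint16_t*)0x20c2a0ce = (uint16_t)0x0;
    *(uint64_t*)0x20c2a0d0 = (uint64_t)0x0;
    *(uint16_t*)0x20c2a0d8 = (uint16_t)0x101004;
    *(uint16_t*)0x20c2a0da = (uint16_t)0x0;
    *(uint16_t*)0x20c2a0dc = (uint16_t)0x0;
    *(uint16_t*)0x20c2a0de = (uint16_t)0x0;

    // control registers: cr0, cr2, cr3, cr4, cr8, efer, apic_base
    *(uint64_t*)0x20c2a0e0 = (uint64_t)0x0;
    *(uint64_t*)0x20c2a0e8 = (uint64_t)0x0;
    *(uint64_t*)0x20c2a0f0 = (uint64_t)0x0;
    *(uint64_t*)0x20c2a0f8 = (uint64_t)0x4020;
    *(uint64_t*)0x20c2a100 = (uint64_t)0x3;
    *(uint64_t*)0x20c2a108 = (uint64_t)0x100;
    *(uint64_t*)0x20c2a110 = (uint64_t)0x0;

    // interrupt_bitmap[4]
    *(uint64_t*)0x20c2a118 = (uint64_t)0xffffffffffffff80;
    *(uint64_t*)0x20c2a120 = (uint64_t)0x4;
    *(uint64_t*)0x20c2a128 = (uint64_t)0x8;
    *(uint64_t*)0x20c2a130 = (uint64_t)0xd9;

    // 0x4138ae84 decodes as _IOW(KVMIO, 0x84, 0x138 bytes), i.e.
    // KVM_SET_SREGS on the VCPU fd.  The struct above is deliberately
    // inconsistent (e.g. cr0 == 0 with EFER bit 0x100 set); whatever the
    // kernel does with it, this ioctl is the input-validation boundary the
    // bug report is about.
    syscall(__NR_ioctl, r[2], 0x4138ae84ul, 0x20c2a000ul);
}

int main(void)
{
    loop();
    return 0;
}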