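// https://syzkaller.appspot.com/bug?id=bddba6ce33aa2286aed84ee50a7281d2d3f910f4
// autogenerated by syzkaller (http://github.com/google/syzkaller)
//
// Review notes (added; everything else is the generated reproducer):
//  - The header names had been stripped from the six #include lines in the
//    copy this file came from, so it did not compile.  They are restored
//    from what the code actually uses: pthread_create (pthread.h),
//    uint8_t..uint64_t (stdint.h), srand/rand (stdlib.h), memcpy/memset
//    (string.h), syscall/__NR_* (sys/syscall.h), fork/usleep/sleep/getpid
//    (unistd.h).
//  - Nothing else is "cleaned up" on purpose.  The fixed addresses, raw
//    syscall numbers and truncating casts such as (uint8_t)0xdce9 or
//    (uint32_t)0xfffffffffffff1ff are the reproducer: they determine the
//    exact bytes the kernel sees.  A compiler will warn on the truncations;
//    that is expected.
//  - This program is a kernel crash reproducer.  It forks 8 workers that
//    issue the syscalls below forever and never exits on its own.  Run it
//    only inside a disposable VM booted with the kernel under test.

#define _GNU_SOURCE
#include <pthread.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

static void test();

/* Worker body: repeat one fuzzing iteration forever.  Never returns. */
void loop()
{
  while (1) {
    test();
  }
}

/* Syscall results, indexed by the generator's program position.  test()
 * resets every slot to -1 before an iteration, so a consumer thread that
 * wins the race against its producer (bind/close use r[156], write uses
 * r[161]) passes an invalid descriptor instead of a stale one. */
long r[164];

/* Thread entry.  `arg` selects which one of the 11 generated syscalls this
 * thread performs; test() starts every case twice, so each call also races
 * against its own twin in the same process.
 *
 * All scratch data lives in the region 0x20000000..0x20fff000 that case 0
 * maps (PROT 0x3, flags 0x32 = MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE on
 * Linux/x86).  There is no synchronization with case 0: if a writer thread
 * runs before the mapping exists it faults, the whole forked worker dies
 * and main() does not restart it.  The random usleep() in test() makes this
 * unlikely, not impossible. */
void* thr(void* arg)
{
  switch ((long)arg) {
  case 0:
    /* Map the fixed scratch region every other case writes into. */
    r[0] = syscall(__NR_mmap, 0x20000000ul, 0xfff000ul, 0x3ul, 0x32ul,
                   0xfffffffffffffffful, 0x0ul);
    break;
  case 1:
    /* Fill a 0x78-byte attribute block (size field = 0x78) and open a
     * perf event for the calling task on any CPU (pid 0, cpu -1). */
    *(uint32_t*)0x20e26f88 = (uint32_t)0x2;
    *(uint32_t*)0x20e26f8c = (uint32_t)0x78;
    *(uint8_t*)0x20e26f90 = (uint8_t)0xdce9;
    *(uint8_t*)0x20e26f91 = (uint8_t)0x0;
    *(uint8_t*)0x20e26f92 = (uint8_t)0x0;
    *(uint8_t*)0x20e26f93 = (uint8_t)0x0;
    *(uint32_t*)0x20e26f94 = (uint32_t)0x0;
    *(uint64_t*)0x20e26f98 = (uint64_t)0x0;
    *(uint64_t*)0x20e26fa0 = (uint64_t)0x0;
    *(uint64_t*)0x20e26fa8 = (uint64_t)0x0;
    *(uint8_t*)0x20e26fb0 = (uint8_t)0xfe;
    *(uint8_t*)0x20e26fb1 = (uint8_t)0x0;
    *(uint8_t*)0x20e26fb2 = (uint8_t)0x0;
    *(uint8_t*)0x20e26fb3 = (uint8_t)0x0;
    *(uint32_t*)0x20e26fb4 = (uint32_t)0x0;
    *(uint32_t*)0x20e26fb8 = (uint32_t)0x0;
    *(uint32_t*)0x20e26fbc = (uint32_t)0x0;
    *(uint64_t*)0x20e26fc0 = (uint64_t)0x0;
    *(uint64_t*)0x20e26fc8 = (uint64_t)0x0;
    *(uint64_t*)0x20e26fd0 = (uint64_t)0x0;
    *(uint64_t*)0x20e26fd8 = (uint64_t)0x0;
    *(uint64_t*)0x20e26fe0 = (uint64_t)0x0;
    *(uint32_t*)0x20e26fe8 = (uint32_t)0x0;
    *(uint64_t*)0x20e26ff0 = (uint64_t)0x0;
    *(uint32_t*)0x20e26ff8 = (uint32_t)0x0;
    *(uint16_t*)0x20e26ffc = (uint16_t)0x0;
    *(uint16_t*)0x20e26ffe = (uint16_t)0x0;
    r[28] = syscall(__NR_perf_event_open, 0x20e26f88ul, 0x0ul,
                    0xfffffffffffffffful, 0xfffffffffffffffful, 0x0ul);
    break;
  case 2:
    /* Build four message headers at 0x20317000 (each pointing at a name,
     * an iovec array and a control buffer elsewhere in the region) and
     * hand them to sendmmsg() on fd -1.  The descriptor is deliberately
     * invalid; whatever the kernel does before rejecting it is the test. */
    *(uint64_t*)0x20317000 = (uint64_t)0x2001afa0;
    *(uint32_t*)0x20317008 = (uint32_t)0x60;
    *(uint64_t*)0x20317010 = (uint64_t)0x2084c000;
    *(uint64_t*)0x20317018 = (uint64_t)0x4;
    *(uint64_t*)0x20317020 = (uint64_t)0x20bc1000;
    *(uint64_t*)0x20317028 = (uint64_t)0x10;
    *(uint32_t*)0x20317030 = (uint32_t)0x10;
    *(uint64_t*)0x20317038 = (uint64_t)0x209e8000;
    *(uint32_t*)0x20317040 = (uint32_t)0x60;
    *(uint64_t*)0x20317048 = (uint64_t)0x20a12000;
    *(uint64_t*)0x20317050 = (uint64_t)0x2;
    *(uint64_t*)0x20317058 = (uint64_t)0x208d1ef8;
    *(uint64_t*)0x20317060 = (uint64_t)0x10;
    *(uint32_t*)0x20317068 = (uint32_t)0x8000;
    *(uint64_t*)0x20317070 = (uint64_t)0x20eccfa0;
    *(uint32_t*)0x20317078 = (uint32_t)0x60;
    *(uint64_t*)0x20317080 = (uint64_t)0x20093000;
    *(uint64_t*)0x20317088 = (uint64_t)0x2;
    *(uint64_t*)0x20317090 = (uint64_t)0x200bc000;
    *(uint64_t*)0x20317098 = (uint64_t)0x10;
    *(uint32_t*)0x203170a0 = (uint32_t)0x804;
    *(uint64_t*)0x203170a8 = (uint64_t)0x20005fa0;
    *(uint32_t*)0x203170b0 = (uint32_t)0x60;
    *(uint64_t*)0x203170b8 = (uint64_t)0x20f60000;
    *(uint64_t*)0x203170c0 = (uint64_t)0x2;
    *(uint64_t*)0x203170c8 = (uint64_t)0x203eff18;
    *(uint64_t*)0x203170d0 = (uint64_t)0x10;
    *(uint32_t*)0x203170d8 = (uint32_t)0x20000010;
    /* Message 0: name (family 0x27), iovecs, control data. */
    *(uint16_t*)0x2001afa0 = (uint16_t)0x27;
    *(uint32_t*)0x2001afa4 = (uint32_t)0xffff;
    *(uint32_t*)0x2001afa8 = (uint32_t)0x0;
    *(uint32_t*)0x2001afac = (uint32_t)0x4;
    *(uint8_t*)0x2001afb0 = (uint8_t)0x8;
    *(uint8_t*)0x2001afb1 = (uint8_t)0xffffffff00000000;
    memcpy((void*)0x2001afb2,
           "\x96\x29\xc6\x00\x3a\x64\x08\xba\x9f\x6a\xc4\x62\xd0\xc9"
           "\x3c\x3b\x81\x3b\x2f\xb3\x8d\x00\x9c\x13\x2c\xf0\x8b\x8a"
           "\xf6\xc7\xd3\x80\x4f\xa4\xa3\x02\x1f\xe1\xa7\xc4\x01\x30"
           "\x11\x60\x57\xc2\x0c\x5c\x79\xec\x3e\x19\x33\x7c\x67\xe8"
           "\xe5\xa4\x29\x62\xcf\x7c\xd1",
           63);
    *(uint64_t*)0x2001aff8 = (uint64_t)0x91;
    *(uint64_t*)0x2084c000 = (uint64_t)0x206d2000;
    *(uint64_t*)0x2084c008 = (uint64_t)0x0;
    *(uint64_t*)0x2084c010 = (uint64_t)0x206c9000;
    *(uint64_t*)0x2084c018 = (uint64_t)0x0;
    *(uint64_t*)0x2084c020 = (uint64_t)0x20f51000;
    *(uint64_t*)0x2084c028 = (uint64_t)0x0;
    *(uint64_t*)0x2084c030 = (uint64_t)0x20c28fff;
    *(uint64_t*)0x2084c038 = (uint64_t)0x0;
    *(uint64_t*)0x20bc1000 = (uint64_t)0x10;
    *(uint32_t*)0x20bc1008 = (uint32_t)0x117;
    *(uint32_t*)0x20bc100c = (uint32_t)0x0;
    /* Message 1. */
    *(uint16_t*)0x209e8000 = (uint16_t)0x27;
    *(uint32_t*)0x209e8004 = (uint32_t)0x5;
    *(uint32_t*)0x209e8008 = (uint32_t)0xb986;
    *(uint32_t*)0x209e800c = (uint32_t)0x3;
    *(uint8_t*)0x209e8010 = (uint8_t)0x400;
    *(uint8_t*)0x209e8011 = (uint8_t)0x400;
    memcpy((void*)0x209e8012,
           "\xb6\x4f\xae\xc2\xb9\x18\xd0\xaf\x99\xb9\x9e\xbc\x0c\xe7"
           "\x61\xae\x27\xba\x36\x23\x72\x59\x21\xff\x29\xa1\xa1\xab"
           "\xe3\xb9\xe5\xb0\x61\xdc\xbc\xbb\x6b\x1e\xec\x13\xe1\x39"
           "\x12\xe0\x44\xb0\x10\x80\x0d\x9f\xc2\xb5\x56\x2e\xeb\xd0"
           "\x31\xeb\xf2\x5a\xbd\xab\x7f",
           63);
    *(uint64_t*)0x209e8058 = (uint64_t)0xdd;
    *(uint64_t*)0x20a12000 = (uint64_t)0x208b7f4b;
    *(uint64_t*)0x20a12008 = (uint64_t)0x0;
    *(uint64_t*)0x20a12010 = (uint64_t)0x20c4dff2;
    *(uint64_t*)0x20a12018 = (uint64_t)0x0;
    *(uint64_t*)0x208d1ef8 = (uint64_t)0x10;
    *(uint32_t*)0x208d1f00 = (uint32_t)0x10d;
    *(uint32_t*)0x208d1f04 = (uint32_t)0x3f;
    /* Message 2. */
    *(uint16_t*)0x20eccfa0 = (uint16_t)0x27;
    *(uint32_t*)0x20eccfa4 = (uint32_t)0x0;
    *(uint32_t*)0x20eccfa8 = (uint32_t)0xfffffffffffff1ff;
    *(uint32_t*)0x20eccfac = (uint32_t)0x7;
    *(uint8_t*)0x20eccfb0 = (uint8_t)0x2;
    *(uint8_t*)0x20eccfb1 = (uint8_t)0x9;
    memcpy((void*)0x20eccfb2,
           "\x94\x70\x9b\xb5\xaa\x71\xec\xd4\xdc\x82\xf6\xb2\xb3\x7d"
           "\x8d\x25\x6b\x20\x66\xfb\x1b\xc8\xc4\xdd\x24\x6b\x0b\x6f"
           "\x6c\x90\xb6\x13\x56\xa3\x77\xce\xb1\x52\x3b\xac\xb4\xea"
           "\x55\x79\x6a\xab\xf0\x2d\xe8\xb9\x87\x6d\x6d\xed\x88\x85"
           "\x13\x9e\x78\x0f\x34\xe7\x5a",
           63);
    *(uint64_t*)0x20eccff8 = (uint64_t)0x9;
    *(uint64_t*)0x20093000 = (uint64_t)0x20fb7000;
    *(uint64_t*)0x20093008 = (uint64_t)0x0;
    *(uint64_t*)0x20093010 = (uint64_t)0x200f5f6b;
    *(uint64_t*)0x20093018 = (uint64_t)0x0;
    *(uint64_t*)0x200bc000 = (uint64_t)0x10;
    *(uint32_t*)0x200bc008 = (uint32_t)0x18f;
    *(uint32_t*)0x200bc00c = (uint32_t)0xb6d9;
    /* Message 3. */
    *(uint16_t*)0x20005fa0 = (uint16_t)0x27;
    *(uint32_t*)0x20005fa4 = (uint32_t)0x3;
    *(uint32_t*)0x20005fa8 = (uint32_t)0x1;
    *(uint32_t*)0x20005fac = (uint32_t)0x4;
    *(uint8_t*)0x20005fb0 = (uint8_t)0x0;
    *(uint8_t*)0x20005fb1 = (uint8_t)0x2;
    memcpy((void*)0x20005fb2,
           "\xf4\xc8\x25\x2e\x5e\x8d\x95\x6b\x01\xe3\xba\x6b\xfc\xa7"
           "\x5a\x30\x0e\xd8\xa5\x44\x4f\x79\xc1\x94\x36\xad\x7f\x16"
           "\x6d\x6f\x42\xae\xa1\x00\xc8\x7a\x10\xc5\xff\x67\xb3\xaa"
           "\x8e\xdc\xaa\xc5\x48\x0d\x42\x1f\xae\xc8\x4c\x09\x33\x65"
           "\x3c\x1d\xa9\x74\x32\x3c\xca",
           63);
    *(uint64_t*)0x20005ff8 = (uint64_t)0x3;
    *(uint64_t*)0x20f60000 = (uint64_t)0x204a3000;
    *(uint64_t*)0x20f60008 = (uint64_t)0x0;
    *(uint64_t*)0x20f60010 = (uint64_t)0x20f97000;
    *(uint64_t*)0x20f60018 = (uint64_t)0x0;
    *(uint64_t*)0x203eff18 = (uint64_t)0x10;
    *(uint32_t*)0x203eff20 = (uint32_t)0x100;
    *(uint32_t*)0x203eff24 = (uint32_t)0x7;
    r[121] = syscall(__NR_sendmmsg, 0xfffffffffffffffful, 0x20317000ul,
                     0x4ul, 0x1ul);
    break;
  case 3:
    /* Second perf event, this time with cpu = 0xffffffff passed as a
     * zero-extended 32-bit value rather than -1 (the two differ on the
     * kernel side; keep as generated). */
    *(uint32_t*)0x20e7af88 = (uint32_t)0x1;
    *(uint32_t*)0x20e7af8c = (uint32_t)0x78;
    *(uint8_t*)0x20e7af90 = (uint8_t)0x0;
    *(uint8_t*)0x20e7af91 = (uint8_t)0x0;
    *(uint8_t*)0x20e7af92 = (uint8_t)0x0;
    *(uint8_t*)0x20e7af93 = (uint8_t)0x0;
    *(uint32_t*)0x20e7af94 = (uint32_t)0x0;
    *(uint64_t*)0x20e7af98 = (uint64_t)0x6;
    *(uint64_t*)0x20e7afa0 = (uint64_t)0x0;
    *(uint64_t*)0x20e7afa8 = (uint64_t)0x0;
    *(uint8_t*)0x20e7afb0 = (uint8_t)0xd34;
    *(uint8_t*)0x20e7afb1 = (uint8_t)0x0;
    *(uint8_t*)0x20e7afb2 = (uint8_t)0x0;
    *(uint8_t*)0x20e7afb3 = (uint8_t)0x0;
    *(uint32_t*)0x20e7afb4 = (uint32_t)0x0;
    *(uint32_t*)0x20e7afb8 = (uint32_t)0x0;
    *(uint32_t*)0x20e7afbc = (uint32_t)0x0;
    *(uint64_t*)0x20e7afc0 = (uint64_t)0x0;
    *(uint64_t*)0x20e7afc8 = (uint64_t)0x0;
    *(uint64_t*)0x20e7afd0 = (uint64_t)0x0;
    *(uint64_t*)0x20e7afd8 = (uint64_t)0x0;
    *(uint64_t*)0x20e7afe0 = (uint64_t)0x0;
    *(uint32_t*)0x20e7afe8 = (uint32_t)0x7;
    *(uint64_t*)0x20e7aff0 = (uint64_t)0x7;
    *(uint32_t*)0x20e7aff8 = (uint32_t)0x0;
    *(uint16_t*)0x20e7affc = (uint16_t)0x0;
    *(uint16_t*)0x20e7affe = (uint16_t)0x0;
    r[149] = syscall(__NR_perf_event_open, 0x20e7af88ul, 0x0ul,
                     0xfffffffful, 0xfffffffffffffffful, 0x0ul);
    break;
  case 4:
    /* getsockopt(fd -1, level 0x84, optname 0x18) with an 8-byte optlen
     * whose buffer sits at the very end of a page (0x20afeffc). */
    *(uint32_t*)0x20cf9000 = (uint32_t)0x0;
    *(uint16_t*)0x20cf9004 = (uint16_t)0x80000000;
    *(uint32_t*)0x20afeffc = (uint32_t)0x8;
    r[153] = syscall(__NR_getsockopt, 0xfffffffffffffffful, 0x84ul, 0x18ul,
                     0x20cf9000ul, 0x20afeffcul);
    break;
  case 5:
    /* openat(AT_FDCWD = -100, "/dev/vga_arbiter", 0x100, 0).  The string
     * is written as raw bytes (17 incl. the NUL) exactly as generated. */
    memcpy((void*)0x20000000,
           "\x2f\x64\x65\x76\x2f\x76\x67\x61\x5f\x61"
           "\x72\x62\x69\x74\x65\x72\x00",
           17);
    r[155] = syscall(__NR_openat, 0xffffffffffffff9cul, 0x20000000ul,
                     0x100ul, 0x0ul);
    break;
  case 6:
    /* socket(family 0x1e, type 0x2, proto 0); result feeds cases 7/8. */
    r[156] = syscall(__NR_socket, 0x1eul, 0x2ul, 0x0ul);
    break;
  case 7:
    /* bind() the case-6 socket to a 0x80-byte address whose family field
     * is also 0x1e and whose remaining 126 bytes are fuzzer-chosen. */
    *(uint16_t*)0x20afb000 = (uint16_t)0x1e;
    memcpy((void*)0x20afb002,
           "\x01\x03\x00\x00\x00\x00\x00\xb9\x00\x00\x00\x00\x47\x00"
           "\x00\x00\x00\xa9\x79\xf3\x21\xb3\x0c\x7b\xc8\x79\x04\x05"
           "\xc7\xba\xd6\x2e\x0a\x63\xa6\x32\xed\x49\x38\xd3\x6d\x73"
           "\xfb\x8f\x84\x01\xa3\xff\x59\x82\x9a\x2b\x0a\xfe\x7c\xe4"
           "\x3a\x4b\x24\x70\xa0\xc5\x21\x66\x69\xca\x02\x1f\x6f\x65"
           "\xdc\xf1\x60\xe7\xe5\x8f\x35\x8c\x00\x02\xf0\x00\x01\x58"
           "\xd1\x9b\xcb\x31\x51\xd2\x4a\xce\xf1\xf1\x62\x2c\xa5\xbd"
           "\xb9\xc8\xea\x31\x00\x00\x77\xae\xb8\x1c\x90\x00\x1d\x6d"
           "\x7c\x98\x04\x00\x00\x00\x00\xf7\x0d\xc1\x36\xcb\x18\x4a",
           126);
    r[159] = syscall(__NR_bind, r[156], 0x20afb000ul, 0x80ul);
    break;
  case 8:
    /* close() races with the bind() above and with its own twin thread. */
    r[160] = syscall(__NR_close, r[156]);
    break;
  case 9:
    /* socket(family 0x10, type 0x2, proto 0x10); result feeds case 10. */
    r[161] = syscall(__NR_socket, 0x10ul, 0x2ul, 0x10ul);
    break;
  case 10:
    /* write() a 34-byte fuzzer-chosen message to the case-9 socket. */
    memcpy((void*)0x20fdb000,
           "\x1c\x00\x00\x00\x1f\x00\x07\x20\x27\x01"
           "\x00\x08\x1d\x00\x00\x00\x01\x00\x00\x00"
           "\x00\x00\x00\x00\x06\x00\xf7\x00\x00\x02"
           "\x00\x19\xfa\x97",
           34);
    r[163] = syscall(__NR_write, r[161], 0x20fdb000ul, 0x22ul);
    break;
  }
  return 0;
}

/* One iteration: reset the result table, start each of the 11 cases on its
 * own thread with a random stagger, then start all 11 again so every call
 * races its twin.  Threads are never joined and pthread_create's return is
 * ignored (generator style); if thread creation starts failing, later
 * iterations silently run fewer cases. */
void test()
{
  long i;
  pthread_t th[22];
  memset(r, -1, sizeof(r));
  srand(getpid());
  for (i = 0; i < 11; i++) {
    pthread_create(&th[i], 0, thr, (void*)i);
    usleep(rand() % 10000);
  }
  for (i = 0; i < 11; i++) {
    pthread_create(&th[11 + i], 0, thr, (void*)i);
    if (rand() % 2)
      usleep(rand() % 10000);
  }
  usleep(rand() % 100000);
}

/* Fork 8 independent workers (a worker that crashes, e.g. on an unmapped
 * scratch address, is not replaced) and park the parent for ~11.5 days.
 * Kill the process group to stop it. */
int main()
{
  int i;
  for (i = 0; i < 8; i++) {
    if (fork() == 0) {
      loop();
      return 0;
    }
  }
  sleep(1000000);
  return 0;
}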