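// https://syzkaller.appspot.com/bug?id=f1834e1735946170a8a3a4c85edb978e94bada81
// autogenerated by syzkaller (http://github.com/google/syzkaller)
//
// Reproducer for a Linux kernel crypto-userspace (AF_ALG) report.  It binds an
// "aead" socket to "gcm(aes)", installs a 24-byte key, accepts an operation
// socket and drives exactly one sendmsg()/recvmsg() pair on it with a fixed,
// fuzzer-chosen buffer layout.  Every user-space buffer lives inside the single
// fixed mapping at 0x20000000 created by the first mmap(); the raw addresses
// below are offsets into that region and must not be changed.  The syscall
// sequence is the reproducer itself: it is kept byte-for-byte, only the
// layout and comments were added.  Run only on a disposable test kernel.
#define _GNU_SOURCE
// NOTE(review): the header names were stripped by the page's extraction; these
// four are the ones the code needs (uintN_t, memcpy/memset, __NR_*, syscall()).
#include <stdint.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

// Return value of each syscall, indexed in program order.  Slots that are never
// assigned keep the -1 written by memset() at the top of loop().
long r[56];

// Executes the reproducer once.  No return value: the outcome is whatever the
// kernel does in response (on an affected kernel, the report linked above).
void loop(void)
{
  memset(r, -1, sizeof(r));
  // Scratch mapping 0x20000000..0x20fff000: PROT_READ|PROT_WRITE (0x3),
  // MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS (0x32), no fd, offset 0.
  r[0] = syscall(__NR_mmap, 0x20000000ul, 0xfff000ul, 0x3ul, 0x32ul,
                 0xfffffffffffffffful, 0x0ul);
  // AF_ALG (0x26), SOCK_SEQPACKET (0x5).  r[1] is closed at once and a second
  // socket is created as r[3]; the bind() below still names r[1], which only
  // does something useful because the kernel presumably reuses the same
  // descriptor number for r[3].
  r[1] = syscall(__NR_socket, 0x26ul, 0x5ul, 0x0ul);
  r[2] = syscall(__NR_close, r[1]);
  r[3] = syscall(__NR_socket, 0x26ul, 0x5ul, 0x0ul);
  // struct sockaddr_alg at 0x20d60000 (0x58 bytes):
  //   salg_family = AF_ALG, salg_type = "aead", salg_feat = 0,
  //   salg_mask = 2 (the 64-bit literal is truncated by the uint32_t cast),
  //   salg_name = "gcm(aes)".
  *(uint16_t*)0x20d60000 = (uint16_t)0x26;
  memcpy((void*)0x20d60002,
         "\x61\x65\x61\x64\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", 14);
  *(uint32_t*)0x20d60010 = (uint32_t)0x0;
  *(uint32_t*)0x20d60014 = (uint32_t)0x400000000002;
  memcpy((void*)0x20d60018,
         "\x67\x63\x6d\x28\x61\x65\x73\x29\x00\x00\x00\x00\x00\x00\x00"
         "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
         "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
         "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
         "\x00\x00\x00\x00", 64);
  r[9] = syscall(__NR_bind, r[1], 0x20d60000ul, 0x58ul);
  // setsockopt(SOL_ALG (0x117), ALG_SET_KEY (1)) with a fixed 24-byte
  // (AES-192-sized) key; the bytes are a fuzzer constant, not a secret.
  memcpy((void*)0x20174000,
         "\xea\x35\x00\x00\x00\x05\xae\x00\x00\x01"
         "\x01\x92\xa5\x54\xc5\xbe\xef\x12\x00\x53"
         "\x4c\x90\xbb\xc0", 24);
  r[11] = syscall(__NR_setsockopt, r[3], 0x117ul, 0x1ul, 0x20174000ul, 0x18ul);
  // Two accept() calls on the bound socket: the first (no address) yields the
  // operation socket r[12] used below; the second passes addr/addrlen (0x1c).
  r[12] = syscall(__NR_accept, r[1], 0x0ul, 0x0ul);
  *(uint32_t*)0x20a53000 = (uint32_t)0x1c;
  r[14] = syscall(__NR_accept, r[1], 0x20506fe4ul, 0x20a53000ul);
  // struct msghdr for sendmsg at 0x20e5b000 (x86_64 layout):
  //   msg_name = NULL, msg_namelen = 0, msg_iov = 0x20643fd0, msg_iovlen = 2,
  //   msg_control = 0x2069afd0, msg_controllen = 0x30, msg_flags = 0x20004003.
  *(uint64_t*)0x20e5b000 = (uint64_t)0x0;
  *(uint32_t*)0x20e5b008 = (uint32_t)0x0;
  *(uint64_t*)0x20e5b010 = (uint64_t)0x20643fd0;
  *(uint64_t*)0x20e5b018 = (uint64_t)0x2;
  *(uint64_t*)0x20e5b020 = (uint64_t)0x2069afd0;
  *(uint64_t*)0x20e5b028 = (uint64_t)0x30;
  *(uint32_t*)0x20e5b030 = (uint32_t)0x20004003;
  // iov[0] = {0x20577000, 0} (empty), iov[1] = {0x20f8af64, 0x9c} (156 bytes).
  *(uint64_t*)0x20643fd0 = (uint64_t)0x20577000;
  *(uint64_t*)0x20643fd8 = (uint64_t)0x0;
  *(uint64_t*)0x20643fe0 = (uint64_t)0x20f8af64;
  *(uint64_t*)0x20643fe8 = (uint64_t)0x9c;
  memcpy((void*)0x20f8af64,
         "\x73\x73\x7d\xdd\xb0\x6b\xc3\xac\xe4\xf1\xfc\x86\xdc\x84\x24"
         "\xad\x46\xe5\x4d\xc2\xf4\xa9\xe9\xcd\x2b\xcb\xaf\x15\xcf\x7b"
         "\x72\x6e\xcf\x05\x38\x80\xd1\x81\x5d\x5e\x68\x9b\x5f\xfd\x05"
         "\xbe\xd3\x5f\xe4\x11\xc1\x6b\x4c\xf7\xf7\x04\x16\x65\x08\xdd"
         "\x21\xf7\x54\x16\x10\x12\xb1\x3e\xd5\x60\xa5\x2b\xdd\x0b\xf0"
         "\xc9\xcc\x23\x43\x30\x7a\x8b\xbd\x7f\xbc\x93\xa9\x90\xf9\xda"
         "\x87\x4d\x1c\x52\x6d\xcb\xe0\x55\x02\xb8\x26\xc0\x51\xc0\x1f"
         "\xcf\xda\xe1\xec\x0b\x48\x70\xa3\xd2\x05\x8d\x77\x8d\x85\x6e"
         "\xfb\x5b\x13\x85\x18\x12\xe3\x3e\x55\xb2\x3f\x34\xae\x15\x74"
         "\x64\x95\x69\x25\x61\xb8\xac\xd7\x46\x34\x0d\xfd\x05\x8a\x64"
         "\x6b\xda\x09\x37\x91\x7a", 156);
  // Two control messages of cmsg_len 0x18 each, both SOL_ALG / ALG_SET_OP (3):
  // the first carries op 0 (ALG_OP_DECRYPT), the second op 1 (ALG_OP_ENCRYPT).
  // No ALG_SET_IV message is sent, so the request carries no IV.
  *(uint64_t*)0x2069afd0 = (uint64_t)0x18;
  *(uint32_t*)0x2069afd8 = (uint32_t)0x117;
  *(uint32_t*)0x2069afdc = (uint32_t)0x3;
  *(uint32_t*)0x2069afe0 = (uint32_t)0x0;
  *(uint64_t*)0x2069afe8 = (uint64_t)0x18;
  *(uint32_t*)0x2069aff0 = (uint32_t)0x117;
  *(uint32_t*)0x2069aff4 = (uint32_t)0x3;
  *(uint32_t*)0x2069aff8 = (uint32_t)0x1;
  // sendmsg() on the operation socket with MSG_EOR (0x80).
  r[35] = syscall(__NR_sendmsg, r[12], 0x20e5b000ul, 0x80ul);
  // struct msghdr for recvmsg at 0x20b2f000:
  //   msg_name = 0x208e8000, msg_namelen = 0x10, msg_iov = 0x20030fa0,
  //   msg_iovlen = 6, msg_control = 0x20590000, msg_controllen = 0,
  //   msg_flags = 0x36d.
  *(uint64_t*)0x20b2f000 = (uint64_t)0x208e8000;
  *(uint32_t*)0x20b2f008 = (uint32_t)0x10;
  *(uint64_t*)0x20b2f010 = (uint64_t)0x20030fa0;
  *(uint64_t*)0x20b2f018 = (uint64_t)0x6;
  *(uint64_t*)0x20b2f020 = (uint64_t)0x20590000;
  *(uint64_t*)0x20b2f028 = (uint64_t)0x0;
  *(uint32_t*)0x20b2f030 = (uint32_t)0x36d;
  // Six iovecs: the first five are zero-length, only the last one
  // ({0x20588f73, 0x8d}) provides 141 bytes of output space.
  *(uint64_t*)0x20030fa0 = (uint64_t)0x2039d000;
  *(uint64_t*)0x20030fa8 = (uint64_t)0x0;
  *(uint64_t*)0x20030fb0 = (uint64_t)0x20425000;
  *(uint64_t*)0x20030fb8 = (uint64_t)0x0;
  *(uint64_t*)0x20030fc0 = (uint64_t)0x2034df41;
  *(uint64_t*)0x20030fc8 = (uint64_t)0x0;
  *(uint64_t*)0x20030fd0 = (uint64_t)0x2009f000;
  *(uint64_t*)0x20030fd8 = (uint64_t)0x0;
  *(uint64_t*)0x20030fe0 = (uint64_t)0x200cd000;
  *(uint64_t*)0x20030fe8 = (uint64_t)0x0;
  *(uint64_t*)0x20030ff0 = (uint64_t)0x20588f73;
  *(uint64_t*)0x20030ff8 = (uint64_t)0x8d;
  // recvmsg() with MSG_DONTWAIT (0x40): this is the call that completes the
  // AEAD operation set up above.
  r[55] = syscall(__NR_recvmsg, r[12], 0x20b2f000ul, 0x40ul);
}

// Entry point: runs the reproducer once and exits 0 regardless of outcome.
int main(void)
{
  loop();
  return 0;
}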