// https://syzkaller.appspot.com/bug?id=54f4ce6239e6e0d0d5583488421c6fa3ba7ed6b4 // autogenerated by syzkaller (http://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include static void test(); void loop() { while (1) { test(); } } uint64_t r[1] = {0xffffffffffffffff}; void test() { long res; res = syscall(__NR_socket, 0x10, 3, 6); if (res != -1) r[0] = res; *(uint64_t*)0x20000040 = 0x20000200; *(uint16_t*)0x20000200 = 0x10; *(uint16_t*)0x20000202 = 0; *(uint32_t*)0x20000204 = 0; *(uint32_t*)0x20000208 = 0; *(uint32_t*)0x20000048 = 0xc; *(uint64_t*)0x20000050 = 0x20000080; *(uint64_t*)0x20000080 = 0x20000480; *(uint32_t*)0x20000480 = 0x138; *(uint16_t*)0x20000484 = 0x10; *(uint16_t*)0x20000486 = 1; *(uint32_t*)0x20000488 = 0; *(uint32_t*)0x2000048c = 0; *(uint8_t*)0x20000490 = 0xfe; *(uint8_t*)0x20000491 = 0x80; *(uint8_t*)0x20000492 = 0; *(uint8_t*)0x20000493 = 0; *(uint8_t*)0x20000494 = 0; *(uint8_t*)0x20000495 = 0; *(uint8_t*)0x20000496 = 0; *(uint8_t*)0x20000497 = 0; *(uint8_t*)0x20000498 = 0; *(uint8_t*)0x20000499 = 0; *(uint8_t*)0x2000049a = 0; *(uint8_t*)0x2000049b = 0; *(uint8_t*)0x2000049c = 0; *(uint8_t*)0x2000049d = 0; *(uint8_t*)0x2000049e = 0; *(uint8_t*)0x2000049f = 0xbb; *(uint8_t*)0x200004a0 = 0xfe; *(uint8_t*)0x200004a1 = 0x80; *(uint8_t*)0x200004a2 = 0; *(uint8_t*)0x200004a3 = 0; *(uint8_t*)0x200004a4 = 0; *(uint8_t*)0x200004a5 = 0; *(uint8_t*)0x200004a6 = 0; *(uint8_t*)0x200004a7 = 0; *(uint8_t*)0x200004a8 = 0; *(uint8_t*)0x200004a9 = 0; *(uint8_t*)0x200004aa = 0; *(uint8_t*)0x200004ab = 0; *(uint8_t*)0x200004ac = 0; *(uint8_t*)0x200004ad = 0; *(uint8_t*)0x200004ae = 0; *(uint8_t*)0x200004af = 0xaa; *(uint16_t*)0x200004b0 = htobe16(0); *(uint16_t*)0x200004b2 = htobe16(0); *(uint16_t*)0x200004b4 = htobe16(0); *(uint16_t*)0x200004b6 = htobe16(0); *(uint16_t*)0x200004b8 = 0; *(uint8_t*)0x200004ba = 0; *(uint8_t*)0x200004bb = 0; *(uint8_t*)0x200004bc = 0; *(uint32_t*)0x200004c0 = 0; *(uint32_t*)0x200004c4 = 0; *(uint32_t*)0x200004c8 = htobe32(-1); *(uint32_t*)0x200004d8 = htobe32(0); *(uint8_t*)0x200004dc = 0x6c; *(uint8_t*)0x200004e0 = -1; *(uint8_t*)0x200004e1 = 2; *(uint8_t*)0x200004e2 = 0; *(uint8_t*)0x200004e3 = 0; *(uint8_t*)0x200004e4 = 0; *(uint8_t*)0x200004e5 = 0; *(uint8_t*)0x200004e6 = 0; *(uint8_t*)0x200004e7 = 0; *(uint8_t*)0x200004e8 = 0; *(uint8_t*)0x200004e9 = 0; *(uint8_t*)0x200004ea = 0; *(uint8_t*)0x200004eb = 0; *(uint8_t*)0x200004ec = 0; *(uint8_t*)0x200004ed = 0; *(uint8_t*)0x200004ee = 0; *(uint8_t*)0x200004ef = 1; *(uint64_t*)0x200004f0 = 0; *(uint64_t*)0x200004f8 = 0; *(uint64_t*)0x20000500 = 0; *(uint64_t*)0x20000508 = 0; *(uint64_t*)0x20000510 = 0; *(uint64_t*)0x20000518 = 0; *(uint64_t*)0x20000520 = 0; *(uint64_t*)0x20000528 = 0; *(uint64_t*)0x20000530 = 0; *(uint64_t*)0x20000538 = 0; *(uint64_t*)0x20000540 = 0; *(uint64_t*)0x20000548 = 0; *(uint32_t*)0x20000550 = 0; *(uint32_t*)0x20000554 = 0; *(uint32_t*)0x20000558 = 0; *(uint32_t*)0x2000055c = 0; *(uint32_t*)0x20000560 = 0; *(uint16_t*)0x20000564 = 2; *(uint8_t*)0x20000566 = 0; *(uint8_t*)0x20000567 = 0; *(uint8_t*)0x20000568 = 0; *(uint16_t*)0x20000570 = 0x48; *(uint16_t*)0x20000572 = 3; memcpy((void*)0x20000574, "\x64\x65\x66\x6c\x61\x74\x65\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", 64); *(uint32_t*)0x200005b4 = 0; *(uint64_t*)0x20000088 = 0x138; *(uint64_t*)0x20000058 = 1; *(uint64_t*)0x20000060 = 0; *(uint64_t*)0x20000068 = 0; *(uint32_t*)0x20000070 = 0; syscall(__NR_sendmsg, r[0], 0x20000040, 0); } int main() { syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0); for (;;) { loop(); } }