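// https://syzkaller.appspot.com/bug?id=83aa676a823eeb2855ab831541b2c8175904c281
// autogenerated by syzkaller (https://github.com/google/syzkaller)
//
// Reproducer for the KVM report linked above. The program, in order:
//   1. maps syzkaller's fixed scratch layout (a 16 MiB RWX area bracketed by
//      two prot-0 pages),
//   2. opens /dev/kvm and issues KVM_CREATE_VM, KVM_CREATE_IRQCHIP and
//      KVM_CREATE_VCPU,
//   3. loads 1024 bytes of fuzzer-generated register contents with
//      KVM_SET_LAPIC,
//   4. issues KVM_RUN on that vCPU.
// Every step is best-effort, as in all syzkaller output: a failed step leaves
// its fd slot at -1 and the later ioctls fail with EBADF instead of acting on
// a stray descriptor. Running it requires access to /dev/kvm on an x86 host
// with KVM enabled; the symptom to expect is described in the linked report.
//
// NOTE(review): the header names were lost when this page was extracted. The
// set below covers every symbol the program uses (syscall and __NR_*, memcpy,
// write, perror, uint64_t/intptr_t/uintptr_t); confirm against the original
// file if it carried further includes.
#define _GNU_SOURCE

#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

// Descriptors obtained at runtime: [0] /dev/kvm, [1] the VM, [2] the vCPU.
// 0xffffffffffffffff (-1 once truncated to int) marks "not obtained".
uint64_t r[3] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff};

// Raw `regs` contents of the kvm_lapic_state handed to KVM_SET_LAPIC
// (0x400 bytes, exactly as the fuzzer produced them — they are not a valid
// APIC register file and must stay byte-for-byte identical to reproduce).
static const char kvm_lapic_regs[1024] =
    "\xb6\x0c\x6a\x79\x19\x53\xef\xdc\x0f\xfe\xb5\xae\xec\xb2\x72\x72\x19\xa6"
    "\xeb\xe6\x40\xee\x38\x29\x93\x1e\x56\xc2\xe5\x67\x82\x01\x1a\x81\xf6\x64"
    "\x00\xe2\x91\x16\x48\x3d\x71\x67\xb4\xca\x7c\xb1\xcb\x78\x56\x1c\x66\xad"
    "\x06\xde\x74\xeb\x8b\x28\x3c\x63\xa7\x32\x69\xc9\x84\xbe\xf0\x0e\xb8\xe4"
    "\x40\x2a\xdc\x31\xaa\x56\xf7\x8e\xd6\xc1\x91\xc8\xc1\x3e\x05\xa8\x50\x80"
    "\xe6\xf1\x40\x8f\xb4\x66\x48\x57\x4d\xf2\x0e\x8d\xe6\x20\xe8\x96\x9b\x23"
    "\x00\x7b\xbb\xb4\x36\x76\xc9\xba\xdb\x2c\xfa\xdf\xbe\x6d\x15\xc3\x23\xad"
    "\x8e\xf0\x57\x3a\xfa\x62\x54\x49\x42\x9b\x1e\xa9\xfe\x44\x3a\x36\x15\x75"
    "\xd3\x59\xc4\xf2\x6a\x65\x30\x41\xff\x83\x24\xfa\xda\x43\xde\xa4\x67\x8b"
    "\x00\xb7\xe1\xd9\xb9\xe9\xea\xc7\x69\xd7\x79\x77\xa2\x0d\x38\xb5\x0a\xa7"
    "\xa5\x32\x01\x94\x4b\xf9\x7b\x92\x16\x8d\xdb\x7f\xe1\x65\xf5\x15\xd3\xb8"
    "\x70\x9a\xd2\x73\x7a\xd4\x70\x1f\xda\x6a\xb8\x56\x8c\xd9\x47\x81\x2d\x28"
    "\xcf\x05\x95\x7e\xf0\xed\xb1\xc2\x72\x44\x61\x4e\xb0\x0f\x86\xe0\xab\x49"
    "\x45\x31\x4b\x13\x37\x55\xf2\x7d\x4d\x36\xe5\x90\x1c\xac\xe2\x20\x0d\x62"
    "\xdf\x8a\xd6\xd0\x7e\x31\x63\xc0\x85\xeb\x4b\x68\x9c\xb0\x77\x37\x1f\xca"
    "\xf7\x36\x2b\xf2\x91\x91\x9a\xc7\x9d\x1f\x3e\xca\xbb\x88\x48\xc7\xe7\xb7"
    "\xb6\x05\x34\x54\x66\x46\x54\xb9\xfb\xdb\x79\x07\x1c\x2c\x5b\x77\xde\x3f"
    "\xcc\x4a\x05\xea\xd5\x18\xef\x17\x89\x46\x75\x58\x35\x70\xe9\x73\xbc\xc8"
    "\xc3\xb6\x26\xaf\x29\x90\x2d\x4c\x5a\xba\xef\xce\x10\x5f\x58\x72\x16\x42"
    "\xae\x03\x52\xdf\x5d\xbd\x95\x82\xa7\x91\xaf\x05\x12\x61\x8b\x84\xbb\x92"
    "\xc8\x12\x79\x8d\xbc\xfb\x3b\xaa\x2b\xc0\x52\xa6\xae\x82\xf6\x6d\xdb\xac"
    "\xe6\xfd\xab\xad\x25\x66\x42\xde\x08\x31\xb5\x7c\x0c\x95\x03\x29\x03\x0a"
    "\x84\xb7\x2a\x3e\x88\x8f\xe0\xfd\x0e\x4f\xfb\xe2\xba\x78\xfe\xa1\x94\xed"
    "\xfe\xca\x7e\xb4\x9d\x7f\x3f\xb8\x60\x9c\x89\x25\x48\xfd\xa4\x60\x61\x71"
    "\x29\x96\xa0\x8d\xe2\x6c\xff\x9f\x99\x98\xeb\xe1\x91\x25\xe0\x2f\x2b\x0d"
    "\x97\xf4\x5b\xd3\x08\x36\x14\xef\x80\x47\x0b\x05\xb9\x79\x92\x5c\x00\x0d"
    "\x2a\x80\x21\x76\x56\x8e\xf3\x22\x4f\x1b\xf0\x93\x03\x7d\x9d\xb3\x99\x27"
    "\xb0\xbd\x32\x10\x5b\xaa\xd5\xb4\xa7\x2c\xed\xb6\xe8\x34\x36\xad\x9b\x60"
    "\x45\x6a\x14\xca\xe5\xd2\xf5\xfd\xb7\xe6\x8e\x32\xca\x6e\x67\xc4\x6f\x4f"
    "\xa6\xc5\xf8\x55\xca\x52\xc3\x47\x5e\xd6\x05\x2d\x0b\x01\x19\x13\x9d\xab"
    "\xc4\x86\xf5\x97\x7b\x5c\x73\x96\x17\xa9\xb2\xbe\xe3\x80\x76\x25\xa9\x2d"
    "\x94\xcb\x3f\x98\x88\xd2\x12\x2e\x51\x96\xeb\x83\x35\x7a\xed\x4b\x40\x3f"
    "\x17\xbc\xbd\xe9\x78\xba\x37\x64\x0f\xd6\x63\xcd\xb2\xa5\xc7\x5c\xfe\xc1"
    "\x5e\xb7\x38\x12\xb1\x08\xc5\xfb\x59\x16\xab\x3a\x85\xa6\xda\x7a\xd9\x71"
    "\xc6\x05\x1e\xbd\x01\x08\x8e\x49\x6f\x07\xf4\xc1\x38\x9a\xec\x53\x4f\xc4"
    "\xad\x4e\xb0\x1e\xd4\x5e\xf5\x3e\xfc\x55\x2c\x22\x24\x52\x89\x40\x98\x3f"
    "\xab\x4c\x62\xa0\x7d\xb9\x16\x85\x01\x1c\xfb\x6f\xdf\xbb\x5a\x81\x81\x8e"
    "\x51\x40\x6d\x2c\xe9\x94\x07\x0d\x4d\xd0\x0c\xc7\x33\x3c\x0c\x96\xaa\xa8"
    "\xf7\x8c\x7b\xd5\x8c\x10\x7c\x5f\xbe\x45\x61\xb1\x1d\x6f\x17\x89\x8d\x59"
    "\xc7\xaa\xc9\x76\x89\xaf\x1b\xc9\x8c\xe7\x35\x34\xbb\xec\x5d\x4d\xda\x16"
    "\xa5\xf5\xc8\x73\x20\x55\xb2\xc7\xa3\x2a\xb3\xa3\xf4\x99\xf6\x11\xb4\x8c"
    "\xbf\x55\x57\x75\x0d\x40\x1f\x54\xd3\x2d\x59\x64\x90\xc4\xed\xc7\x70\x07"
    "\x18\xca\x68\xb0\x40\x57\x0a\x35\xee\xb4\x59\x0f\xb8\xed\x6e\xc9\x0d\xef"
    "\x97\x86\x27\xaf\x41\x8e\x42\x88\xdf\x2d\xb3\xc2\x8e\x33\x64\xcb\x03\xb2"
    "\xbe\xea\xe2\xbc\x53\xd3\xd5\xab\xb7\xb9\x5c\x31\x70\xec\xb6\xf0\xb7\xd1"
    "\xee\xd5\xca\x9e\xf1\xad\xed\x08\x36\xbb\x17\x44\xd2\x82\xc4\x78\xfe\x67"
    "\x12\x5b\xf0\x06\x10\xa1\xe7\x38\xe2\x99\x0f\xfc\xdf\x30\xb5\x81\x8e\x24"
    "\xa0\x32\xbd\x64\xf2\xa3\x79\x95\x67\x1a\x85\x1d\x38\x43\x57\x89\x75\x46"
    "\x8d\x61\x81\xe4\xa3\x84\x7a\x4d\xb9\x3c\x32\x78\xe1\xa2\x71\xb1\x98\x6c"
    "\x0c\x73\x39\x63\x25\x5d\x88\xbd\x90\xd6\x11\x56\xbf\xab\xc6\x6c\x2e\xe4"
    "\x7b\x30\x5f\xd2\x05\x28\x26\xf1\x8b\x51\xb6\xdb\x95\xf8\x6c\xec\xfd\xcb"
    "\x45\x88\x57\x34\x93\x89\xf3\xfd\x98\x47\x64\x9b\x61\xbe\x25\x05\x6a\x84"
    "\x11\xaf\xda\xac\xfb\x5c\xfb\xfa\xf3\x60\x80\x63\x12\xba\xca\x86\x1b\x6a"
    "\x53\x3f\x2b\x9e\x1e\x2b\xdb\x9e\x71\x08\xe3\x79\xd7\x29\xc3\x96\xfd\xd4"
    "\x84\xc9\x03\xf3\x6a\x1b\x1d\x37\x31\x11\x36\x67\x94\x1c\x32\x67\x99\x82"
    "\xb3\x1c\xf4\xad\x27\x7d\xf0\x2d\xeb\xb6\xf1\xa7\x34\x38\x5a\x1f\xd8\x7f"
    "\xa0\x94\x8a\xcd\xa4\x53\x57\xd6\xb9\x1d\xf6\x68\x1b\x57\x2f\x0e";

int main(void)
{
    // Syzkaller's fixed address layout: one prot-0 page below, the 16 MiB
    // scratch area at 0x200000000000 that holds every syscall buffer
    // (prot 7 = RWX), one prot-0 page above. flags 0x32 =
    // MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE. Results are not checked: if the
    // mapping fails, the memcpy calls below fault and the run aborts early.
    syscall(__NR_mmap, /*addr=*/0x1ffffffff000ul, /*len=*/0x1000ul, /*prot=*/0ul,
            /*flags=*/0x32ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul);
    syscall(__NR_mmap, /*addr=*/0x200000000000ul, /*len=*/0x1000000ul, /*prot=*/7ul,
            /*flags=*/0x32ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul);
    syscall(__NR_mmap, /*addr=*/0x200001000000ul, /*len=*/0x1000ul, /*prot=*/0ul,
            /*flags=*/0x32ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul);

    // Progress marker syzkaller prints before each program so console output
    // lines up with the harness; the empty body only silences
    // warn_unused_result on write().
    if (write(1, "executing program\n", sizeof("executing program\n") - 1)) {
    }

    // Scratch-area slots used by this program (offsets inside the RWX mapping).
    uintptr_t path_buf = 0x200000000080ul;  // "/dev/kvm\0", 9 bytes
    uintptr_t lapic_buf = 0x200000000800ul; // kvm_lapic_state, 1024 bytes

    // openat(AT_FDCWD, "/dev/kvm", 0, 0); AT_FDCWD (-100) is passed as the
    // 64-bit value 0xffffffffffffff9c. Failure is reported but, as in the
    // generated original, the run continues and the later ioctls get EBADF.
    memcpy((void *)path_buf, "/dev/kvm\000", 9);
    intptr_t res = syscall(__NR_openat, /*fd=*/0xffffffffffffff9cul,
                           /*file=*/path_buf, /*flags=*/0, /*mode=*/0);
    if (res != -1) {
        r[0] = res;
    } else {
        perror("openat(/dev/kvm)");
    }

    // KVM_CREATE_VM (0xae01), type 0 -> VM fd.
    res = syscall(__NR_ioctl, /*fd=*/r[0], /*cmd=*/0xae01, /*type=*/0ul);
    if (res != -1) {
        r[1] = res;
    }

    // KVM_CREATE_IRQCHIP (0xae60) on the VM — presumably so the vCPU created
    // next owns an in-kernel LAPIC for KVM_SET_LAPIC to load into.
    syscall(__NR_ioctl, /*fd=*/r[1], /*cmd=*/0xae60, 0);

    // KVM_CREATE_VCPU (0xae41) with id 1 -> vCPU fd.
    res = syscall(__NR_ioctl, /*fd=*/r[1], /*cmd=*/0xae41, /*id=*/1ul);
    if (res != -1) {
        r[2] = res;
    }

    // KVM_SET_LAPIC (0x4400ae8f; the 0x0400 size field of the ioctl number
    // matches the 1024-byte buffer). The register file is raw fuzzer output;
    // how the kernel handles it on the following KVM_RUN is presumably what
    // the linked report is about, so the bytes must not be altered.
    memcpy((void *)lapic_buf, kvm_lapic_regs, sizeof kvm_lapic_regs);
    syscall(__NR_ioctl, /*fd=*/r[2], /*cmd=*/0x4400ae8f, /*arg=*/lapic_buf);

    // KVM_RUN (0xae80) with arg 0.
    syscall(__NR_ioctl, /*fd=*/r[2], /*cmd=*/0xae80, /*arg=*/0ul);
    return 0;
}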