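// https://syzkaller.appspot.com/bug?id=f9c94b10e49ae0433f27c4838c7e0f0a321606f5
// autogenerated by syzkaller (http://github.com/google/syzkaller)
//
// Reviewer notes:
//  - This is a syzbot C reproducer. The linked report holds the crash trace
//    and fix status; this listing alone does not say which kernel path faults.
//  - Intended use is regression-checking a kernel fix inside a disposable
//    test VM. The first step opens a PF_KEY socket, which requires
//    CAP_NET_ADMIN in the network namespace.
//  - The header names after #include were missing from the listing. The five
//    below are restored from what the code uses: htobe16/htobe32, uintN_t,
//    memcpy, __NR_* and syscall().
//  - Constant names in comments are the Linux x86-64 values, given for
//    orientation only. The literals are unchanged.

#define _GNU_SOURCE

#include <endian.h>
#include <stdint.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* File descriptors produced by the calls below. They stay at (uint64_t)-1 if
 * the creating call fails, so later syscalls then fail on a bad descriptor. */
uint64_t r[4] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff,
                 0xffffffffffffffff};

/*
 * Replays the recorded syscall sequence once.
 *
 * All arguments are built at fixed addresses inside the region that main()
 * maps at 0x20000000. Return values are only checked where a descriptor is
 * captured. Every other call is fire-and-forget, as generated.
 *
 * Sequence:
 *   1. socket(AF_KEY, SOCK_RAW, PF_KEY_V2) + sendmsg of a 0x80-byte PF_KEY
 *      message (IPsec policy update).
 *   2. socket(AF_INET6, SOCK_DGRAM|SOCK_CLOEXEC, IPPROTO_UDPLITE) + bind to
 *      [::]:0x4e23.
 *   3. second AF_INET6 socket, then dup2() of the UDP-Lite socket onto it.
 *   4. sendmsg(..., MSG_MORE) with an empty iovec to [ff02::1]:0x4e23.
 *   5. writev of two bytes on the same (still corked) UDP-Lite socket.
 */
void loop()
{
  long res = 0;

  /* Step 1: PF_KEY socket (0xf = AF_KEY, 3 = SOCK_RAW, 2 = PF_KEY_V2). */
  res = syscall(__NR_socket, 0xf, 3, 2);
  if (res != -1)
    r[0] = res;

  /* struct msghdr at 0x20360000: no name, one iovec at 0x2035d000. */
  *(uint64_t*)0x20360000 = 0;
  *(uint32_t*)0x20360008 = 0;
  *(uint64_t*)0x20360010 = 0x2035d000;
  *(uint64_t*)0x2035d000 = 0x2033c000; /* iov_base -> PF_KEY payload */

  /* sadb_msg header: version 2, type 0xd (SADB_X_SPDUPDATE per
   * linux/pfkeyv2.h), length 0x10 units of 8 bytes = 0x80 bytes. */
  *(uint8_t*)0x2033c000 = 2;
  *(uint8_t*)0x2033c001 = 0xd;
  *(uint8_t*)0x2033c002 = 0;
  *(uint8_t*)0x2033c003 = 0;
  *(uint16_t*)0x2033c004 = 0x10;
  *(uint16_t*)0x2033c006 = 0;
  *(uint32_t*)0x2033c008 = 0;
  *(uint32_t*)0x2033c00c = 0;

  /* Extension: len 3, type 6 (SADB_EXT_ADDRESS_DST), followed by a
   * sockaddr_in for 127.0.0.1 (family 2 = AF_INET). */
  *(uint16_t*)0x2033c010 = 3;
  *(uint16_t*)0x2033c012 = 6;
  *(uint8_t*)0x2033c014 = 0;
  *(uint8_t*)0x2033c015 = 0;
  *(uint16_t*)0x2033c016 = 0;
  *(uint16_t*)0x2033c018 = 2;
  *(uint16_t*)0x2033c01a = htobe16(0);
  *(uint32_t*)0x2033c01c = htobe32(0x7f000001);
  *(uint8_t*)0x2033c020 = 0;
  *(uint8_t*)0x2033c021 = 0;
  *(uint8_t*)0x2033c022 = 0;
  *(uint8_t*)0x2033c023 = 0;
  *(uint8_t*)0x2033c024 = 0;
  *(uint8_t*)0x2033c025 = 0;
  *(uint8_t*)0x2033c026 = 0;
  *(uint8_t*)0x2033c027 = 0;

  /* Extension: len 3, type 5 (SADB_EXT_ADDRESS_SRC), sockaddr_in 0.0.0.0. */
  *(uint16_t*)0x2033c028 = 3;
  *(uint16_t*)0x2033c02a = 5;
  *(uint8_t*)0x2033c02c = 0;
  *(uint8_t*)0x2033c02d = 0;
  *(uint16_t*)0x2033c02e = 0;
  *(uint16_t*)0x2033c030 = 2;
  *(uint16_t*)0x2033c032 = htobe16(0);
  *(uint32_t*)0x2033c034 = htobe32(0);
  *(uint8_t*)0x2033c038 = 0;
  *(uint8_t*)0x2033c039 = 0;
  *(uint8_t*)0x2033c03a = 0;
  *(uint8_t*)0x2033c03b = 0;
  *(uint8_t*)0x2033c03c = 0;
  *(uint8_t*)0x2033c03d = 0;
  *(uint8_t*)0x2033c03e = 0;
  *(uint8_t*)0x2033c03f = 0;

  /* Extension: len 8, type 0x12 (SADB_X_EXT_POLICY); policy type 0,
   * direction 1 (IPSEC_POLICY_DISCARD / IPSEC_DIR_INBOUND in linux/ipsec.h;
   * NOTE(review): confirm against the target kernel's headers). */
  *(uint16_t*)0x2033c040 = 8;
  *(uint16_t*)0x2033c042 = 0x12;
  *(uint16_t*)0x2033c044 = 0;
  *(uint8_t*)0x2033c046 = 1;
  *(uint8_t*)0x2033c047 = 0;
  *(uint32_t*)0x2033c048 = 0;
  *(uint32_t*)0x2033c04c = 0;

  /* Trailing 0x30-byte record inside the policy extension. Read as IPv6
   * addresses, bytes 0x60-0x6f are ff01::1 and 0x70-0x7f are
   * ::ffff:224.0.0.1. Presumably a fuzzer-generated request with two
   * endpoints; verify against the PF_KEY layout before relying on it. */
  *(uint16_t*)0x2033c050 = 0x30;
  *(uint16_t*)0x2033c052 = 0;
  *(uint8_t*)0x2033c054 = 0;
  *(uint8_t*)0x2033c055 = 0;
  *(uint16_t*)0x2033c056 = 0;
  *(uint32_t*)0x2033c058 = 0;
  *(uint32_t*)0x2033c05c = 0;
  *(uint8_t*)0x2033c060 = -1; /* stored as 0xff */
  *(uint8_t*)0x2033c061 = 1;
  *(uint8_t*)0x2033c062 = 0;
  *(uint8_t*)0x2033c063 = 0;
  *(uint8_t*)0x2033c064 = 0;
  *(uint8_t*)0x2033c065 = 0;
  *(uint8_t*)0x2033c066 = 0;
  *(uint8_t*)0x2033c067 = 0;
  *(uint8_t*)0x2033c068 = 0;
  *(uint8_t*)0x2033c069 = 0;
  *(uint8_t*)0x2033c06a = 0;
  *(uint8_t*)0x2033c06b = 0;
  *(uint8_t*)0x2033c06c = 0;
  *(uint8_t*)0x2033c06d = 0;
  *(uint8_t*)0x2033c06e = 0;
  *(uint8_t*)0x2033c06f = 1;
  *(uint8_t*)0x2033c070 = 0;
  *(uint8_t*)0x2033c071 = 0;
  *(uint8_t*)0x2033c072 = 0;
  *(uint8_t*)0x2033c073 = 0;
  *(uint8_t*)0x2033c074 = 0;
  *(uint8_t*)0x2033c075 = 0;
  *(uint8_t*)0x2033c076 = 0;
  *(uint8_t*)0x2033c077 = 0;
  *(uint8_t*)0x2033c078 = 0;
  *(uint8_t*)0x2033c079 = 0;
  *(uint8_t*)0x2033c07a = -1;
  *(uint8_t*)0x2033c07b = -1;
  *(uint32_t*)0x2033c07c = htobe32(0xe0000001);

  /* iov_len = 0x80, msg_iovlen = 1, no control data, msg_flags = 0. */
  *(uint64_t*)0x2035d008 = 0x80;
  *(uint64_t*)0x20360018 = 1;
  *(uint64_t*)0x20360020 = 0;
  *(uint64_t*)0x20360028 = 0;
  *(uint32_t*)0x20360030 = 0;
  syscall(__NR_sendmsg, r[0], 0x20360000, 0);

  /* Step 2: 0xa = AF_INET6, 0x80002 = SOCK_DGRAM | SOCK_CLOEXEC,
   * 0x88 = IPPROTO_UDPLITE. */
  res = syscall(__NR_socket, 0xa, 0x80002, 0x88);
  if (res != -1)
    r[1] = res;

  /* sockaddr_in6 at 0x20000040: [::], port 0x4e23, flowinfo/scope 0. */
  *(uint16_t*)0x20000040 = 0xa;
  *(uint16_t*)0x20000042 = htobe16(0x4e23);
  *(uint32_t*)0x20000044 = 0;
  *(uint8_t*)0x20000048 = 0;
  *(uint8_t*)0x20000049 = 0;
  *(uint8_t*)0x2000004a = 0;
  *(uint8_t*)0x2000004b = 0;
  *(uint8_t*)0x2000004c = 0;
  *(uint8_t*)0x2000004d = 0;
  *(uint8_t*)0x2000004e = 0;
  *(uint8_t*)0x2000004f = 0;
  *(uint8_t*)0x20000050 = 0;
  *(uint8_t*)0x20000051 = 0;
  *(uint8_t*)0x20000052 = 0;
  *(uint8_t*)0x20000053 = 0;
  *(uint8_t*)0x20000054 = 0;
  *(uint8_t*)0x20000055 = 0;
  *(uint8_t*)0x20000056 = 0;
  *(uint8_t*)0x20000057 = 0;
  *(uint32_t*)0x20000058 = 0;
  syscall(__NR_bind, r[1], 0x20000040, 0x1c);

  /* Step 3: a second AF_INET6 socket. The type literal is wider than int;
   * the kernel presumably sees only the low bits, 0x801 =
   * SOCK_STREAM | SOCK_NONBLOCK. */
  res = syscall(__NR_socket, 0xa, 0x8000000000000801, 0);
  if (res != -1)
    r[2] = res;

  /* dup2 replaces r[2] with a duplicate of the UDP-Lite socket, so r[3]
   * (== r[2] on success) and r[1] refer to the same socket. */
  res = syscall(__NR_dup2, r[1], r[2]);
  if (res != -1)
    r[3] = res;

  /* Step 4: msghdr at 0x20000000. msg_name is a sockaddr_in6 for
   * [ff02::1]:0x4e23 placed at 0x205dafe4. */
  *(uint64_t*)0x20000000 = 0x205dafe4;
  *(uint16_t*)0x205dafe4 = 0xa;
  *(uint16_t*)0x205dafe6 = htobe16(0x4e23);
  *(uint32_t*)0x205dafe8 = 0;
  *(uint8_t*)0x205dafec = -1; /* stored as 0xff */
  *(uint8_t*)0x205dafed = 2;
  *(uint8_t*)0x205dafee = 0;
  *(uint8_t*)0x205dafef = 0;
  *(uint8_t*)0x205daff0 = 0;
  *(uint8_t*)0x205daff1 = 0;
  *(uint8_t*)0x205daff2 = 0;
  *(uint8_t*)0x205daff3 = 0;
  *(uint8_t*)0x205daff4 = 0;
  *(uint8_t*)0x205daff5 = 0;
  *(uint8_t*)0x205daff6 = 0;
  *(uint8_t*)0x205daff7 = 0;
  *(uint8_t*)0x205daff8 = 0;
  *(uint8_t*)0x205daff9 = 0;
  *(uint8_t*)0x205daffa = 0;
  *(uint8_t*)0x205daffb = 1;
  *(uint32_t*)0x205daffc = 0;

  /* msg_namelen = 0x1c, msg_iov = 0x20fc8000 with msg_iovlen = 0 (no
   * payload), no control data. Flags 0x8000 = MSG_MORE, so the datagram is
   * left pending on the socket rather than sent. */
  *(uint32_t*)0x20000008 = 0x1c;
  *(uint64_t*)0x20000010 = 0x20fc8000;
  *(uint64_t*)0x20000018 = 0;
  *(uint64_t*)0x20000020 = 0;
  *(uint64_t*)0x20000028 = 0;
  *(uint32_t*)0x20000030 = 0;
  syscall(__NR_sendmsg, r[3], 0x20000000, 0x8000);

  /* Step 5: one iovec (2 bytes at 0x20000080) written to the same socket. */
  *(uint64_t*)0x20000340 = 0x20000080;
  memcpy((void*)0x20000080, "\x7a\xd3", 2);
  *(uint64_t*)0x20000348 = 2;
  syscall(__NR_writev, r[1], 0x20000340, 1);

  /* These stores are not consumed by any call in this listing. Presumably
   * they are arguments for a call the minimizer dropped; kept as generated. */
  *(uint32_t*)0x20ea3000 = 0;
  *(uint32_t*)0x20ea3004 = 0;
  *(uint32_t*)0x20ea3008 = 0;
  *(uint32_t*)0x20ea300c = 0;
  *(uint32_t*)0x20ea3010 = 0;
  *(uint32_t*)0x20ea3014 = 0;
}

/*
 * Maps the 16 MiB scratch region that loop() addresses by absolute pointer
 * (prot 3 = PROT_READ|PROT_WRITE, flags 0x32 =
 * MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS), then runs the sequence once.
 * The mmap result is not checked, as generated; if the mapping fails, the
 * first store in loop() faults.
 */
int main()
{
  syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0);
  loop();
  return 0;
}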