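// https://syzkaller.appspot.com/bug?id=004b0f7b61d4901cbfecfc33de7996e8cbe0a278
// autogenerated by syzkaller (http://github.com/google/syzkaller)
//
// Reproducer for a kernel crypto (AF_ALG-style) report: it writes a
// sockaddr_alg-shaped name that requests an AEAD transform, an array of six
// empty iovecs and four header-only control messages into a fixed scratch
// mapping, then passes that msghdr to sendmsg() on a freshly created socket.
// Every address below is only valid after the mmap() performed in main().
//
// NOTE(review): the header names were lost in extraction; the five headers
// below cover what the code uses (uint64_t/memcpy/syscall/__NR_*) — confirm
// against the original file.

#define _GNU_SOURCE
#include <stdint.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

// Result slot for the socket() call: stays all-ones (i.e. -1) if socket()
// fails, in which case sendmsg() below is issued on fd -1.
uint64_t r[1] = {0xffffffffffffffff};

// Build the message in the scratch mapping and issue the two syscalls.
// Offsets are annotated assuming the x86-64 layouts of struct msghdr,
// struct iovec and struct cmsghdr — confirm for other architectures.
void loop(void)
{
  long res = 0;

  // socket(domain 0x2b, SOCK_STREAM (1), protocol 0). Note the domain is not
  // the family (0x26) written into msg_name below; this is what the fuzzer
  // produced and is part of the reproduction, so it is kept as-is.
  res = syscall(__NR_socket, 0x2b, 1, 0);
  if (res != -1)
    r[0] = res;

  // struct msghdr at 0x20000680
  //   msg_name -> 0x20000000
  *(uint64_t*)0x20000680 = 0x20000000;

  // msg_name payload, shaped like struct sockaddr_alg:
  //   salg_family = 0x26
  //   salg_type   = "aead" (14 bytes, zero padded)
  //   salg_feat   = 0, salg_mask = 0
  //   salg_name   = "gcm_base(lrw(cast6),sha512-generic)" zero padded to 64
  *(uint16_t*)0x20000000 = 0x26;
  memcpy((void*)0x20000002,
         "\x61\x65\x61\x64\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", 14);
  *(uint32_t*)0x20000010 = 0;
  *(uint32_t*)0x20000014 = 0;
  memcpy((void*)0x20000018,
         "\x67\x63\x6d\x5f\x62\x61\x73\x65\x28\x6c\x72\x77\x28\x63\x61\x73\x74"
         "\x36\x29\x2c\x73\x68\x61\x35\x31\x32\x2d\x67\x65\x6e\x65\x72\x69\x63"
         "\x29\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
         "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00",
         64);

  //   msg_namelen = 0x80
  *(uint32_t*)0x20000688 = 0x80;

  //   msg_iov -> 0x20000340: six struct iovec, each {iov_base, iov_len = 0}
  *(uint64_t*)0x20000690 = 0x20000340;
  *(uint64_t*)0x20000340 = 0x20000080;
  *(uint64_t*)0x20000348 = 0;
  *(uint64_t*)0x20000350 = 0x200000c0;
  *(uint64_t*)0x20000358 = 0;
  *(uint64_t*)0x20000360 = 0x200001c0;
  *(uint64_t*)0x20000368 = 0;
  *(uint64_t*)0x20000370 = 0x20000280;
  *(uint64_t*)0x20000378 = 0;
  *(uint64_t*)0x20000380 = 0x200002c0;
  *(uint64_t*)0x20000388 = 0;
  *(uint64_t*)0x20000390 = 0x20000300;
  *(uint64_t*)0x20000398 = 0;

  //   msg_iovlen = 6
  *(uint64_t*)0x20000698 = 6;

  //   msg_control -> 0x200003c0: four struct cmsghdr, each with cmsg_len 0x10
  //   (header only, no payload). The level/type pairs are fuzzer-chosen
  //   values and are kept verbatim; they are not assumed to be meaningful.
  *(uint64_t*)0x200006a0 = 0x200003c0;
  *(uint64_t*)0x200003c0 = 0x10;
  *(uint32_t*)0x200003c8 = 0x10d;
  *(uint32_t*)0x200003cc = 2;
  *(uint64_t*)0x200003d0 = 0x10;
  *(uint32_t*)0x200003d8 = 0x104;
  *(uint32_t*)0x200003dc = 5;
  *(uint64_t*)0x200003e0 = 0x10;
  *(uint32_t*)0x200003e8 = 0x19f;
  *(uint32_t*)0x200003ec = 1;
  *(uint64_t*)0x200003f0 = 0x10;
  *(uint32_t*)0x200003f8 = 0x109;
  *(uint32_t*)0x200003fc = 2;

  //   msg_controllen = 0x40
  *(uint64_t*)0x200006a8 = 0x40;
  //   msg_flags = 0x810
  *(uint32_t*)0x200006b0 = 0x810;

  // sendmsg(fd, &msghdr, flags). The return value is deliberately ignored:
  // the reproducer only needs the kernel to process the message.
  syscall(__NR_sendmsg, r[0], 0x20000680, 0x20048890);
}

// Entry point: back the fixed window 0x20000000..0x21000000 with anonymous,
// private, read/write memory (prot 3 = READ|WRITE; flags 0x32 =
// FIXED|ANONYMOUS|PRIVATE), then run the reproduction body once.
int main(void)
{
  // Without this mapping every store in loop() faults, so exit non-zero
  // instead of crashing when the kernel refuses the fixed mapping.
  if (syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0) == -1)
    return 1;
  loop();
  return 0;
}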