// https://syzkaller.appspot.com/bug?id=54f4ce6239e6e0d0d5583488421c6fa3ba7ed6b4 // autogenerated by syzkaller (http://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include static void execute_one(); extern unsigned long long procid; void loop() { while (1) { execute_one(); } } uint64_t r[1] = {0xffffffffffffffff}; void execute_one() { long res = 0; res = syscall(__NR_socket, 0x10, 3, 6); if (res != -1) r[0] = res; *(uint64_t*)0x200000c0 = 0x20000040; *(uint16_t*)0x20000040 = 0x10; *(uint16_t*)0x20000042 = 0; *(uint32_t*)0x20000044 = 0; *(uint32_t*)0x20000048 = 0; *(uint32_t*)0x200000c8 = 0xc; *(uint64_t*)0x200000d0 = 0x20000000; *(uint64_t*)0x20000000 = 0x20000340; *(uint32_t*)0x20000340 = 0x140; *(uint16_t*)0x20000344 = 0x10; *(uint16_t*)0x20000346 = 1; *(uint32_t*)0x20000348 = 0; *(uint32_t*)0x2000034c = 0; *(uint8_t*)0x20000350 = 0xfe; *(uint8_t*)0x20000351 = 0x80; *(uint8_t*)0x20000352 = 0; *(uint8_t*)0x20000353 = 0; *(uint8_t*)0x20000354 = 0; *(uint8_t*)0x20000355 = 0; *(uint8_t*)0x20000356 = 0; *(uint8_t*)0x20000357 = 0; *(uint8_t*)0x20000358 = 0; *(uint8_t*)0x20000359 = 0; *(uint8_t*)0x2000035a = 0; *(uint8_t*)0x2000035b = 0; *(uint8_t*)0x2000035c = 0; *(uint8_t*)0x2000035d = 0; *(uint8_t*)0x2000035e = 0; *(uint8_t*)0x2000035f = 0xbb; *(uint8_t*)0x20000360 = 0xfe; *(uint8_t*)0x20000361 = 0x80; *(uint8_t*)0x20000362 = 0; *(uint8_t*)0x20000363 = 0; *(uint8_t*)0x20000364 = 0; *(uint8_t*)0x20000365 = 0; *(uint8_t*)0x20000366 = 0; *(uint8_t*)0x20000367 = 0; *(uint8_t*)0x20000368 = 0; *(uint8_t*)0x20000369 = 0; *(uint8_t*)0x2000036a = 0; *(uint8_t*)0x2000036b = 0; *(uint8_t*)0x2000036c = 0; *(uint8_t*)0x2000036d = 0; *(uint8_t*)0x2000036e = 0; *(uint8_t*)0x2000036f = 0xaa; *(uint16_t*)0x20000370 = htobe16(0); *(uint16_t*)0x20000372 = htobe16(0); *(uint16_t*)0x20000374 = htobe16(0); *(uint16_t*)0x20000376 = htobe16(0); *(uint16_t*)0x20000378 = 0; *(uint8_t*)0x2000037a = 0; *(uint8_t*)0x2000037b = 0; *(uint8_t*)0x2000037c = 0; *(uint32_t*)0x20000380 = 0; *(uint32_t*)0x20000384 = 0; *(uint32_t*)0x20000388 = htobe32(-1); *(uint32_t*)0x20000398 = htobe32(0); *(uint8_t*)0x2000039c = 0x6c; *(uint8_t*)0x200003a0 = -1; *(uint8_t*)0x200003a1 = 2; *(uint8_t*)0x200003a2 = 0; *(uint8_t*)0x200003a3 = 0; *(uint8_t*)0x200003a4 = 0; *(uint8_t*)0x200003a5 = 0; *(uint8_t*)0x200003a6 = 0; *(uint8_t*)0x200003a7 = 0; *(uint8_t*)0x200003a8 = 0; *(uint8_t*)0x200003a9 = 0; *(uint8_t*)0x200003aa = 0; *(uint8_t*)0x200003ab = 0; *(uint8_t*)0x200003ac = 0; *(uint8_t*)0x200003ad = 0; *(uint8_t*)0x200003ae = 0; *(uint8_t*)0x200003af = 1; *(uint64_t*)0x200003b0 = 0; *(uint64_t*)0x200003b8 = 0; *(uint64_t*)0x200003c0 = 0; *(uint64_t*)0x200003c8 = 0; *(uint64_t*)0x200003d0 = 0; *(uint64_t*)0x200003d8 = 0; *(uint64_t*)0x200003e0 = 0; *(uint64_t*)0x200003e8 = 0; *(uint64_t*)0x200003f0 = 0; *(uint64_t*)0x200003f8 = 0; *(uint64_t*)0x20000400 = 0; *(uint64_t*)0x20000408 = 0; *(uint32_t*)0x20000410 = 0; *(uint32_t*)0x20000414 = 0; *(uint32_t*)0x20000418 = 0; *(uint32_t*)0x2000041c = 0; *(uint32_t*)0x20000420 = 0; *(uint16_t*)0x20000424 = 2; *(uint8_t*)0x20000426 = 0; *(uint8_t*)0x20000427 = 0; *(uint8_t*)0x20000428 = 0; *(uint16_t*)0x20000430 = 8; *(uint16_t*)0x20000432 = 0x1d; *(uint32_t*)0x20000434 = 0; *(uint16_t*)0x20000438 = 0x48; *(uint16_t*)0x2000043a = 3; memcpy((void*)0x2000043c, "\x64\x65\x66\x6c\x61\x74\x65\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", 64); *(uint32_t*)0x2000047c = 0; *(uint64_t*)0x20000008 = 0x140; *(uint64_t*)0x200000d8 = 1; *(uint64_t*)0x200000e0 = 0; *(uint64_t*)0x200000e8 = 0; *(uint32_t*)0x200000f0 = 0; syscall(__NR_sendmsg, r[0], 0x200000c0, 0); } int main() { syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0); for (;;) { loop(); } }