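// https://syzkaller.appspot.com/bug?id=ed37ff7af4f0cc3ebbad64f58ac3fdd223b42e5f
// autogenerated by syzkaller (https://github.com/google/syzkaller)
//
// KVM reproducer. It opens /dev/kvm, creates a VM with an in-kernel irqchip
// and one vCPU, writes 1024 fuzzer-chosen bytes into the vCPU through a
// KVMIO ioctl, then issues KVM_RUN. Its purpose is to trigger a kernel bug,
// so run it only on a disposable test host or nested VM, as a user that can
// open /dev/kvm. The mmap calls below use MAP_FIXED on absolute addresses
// and will silently replace anything already mapped in those ranges.
//
// NOTE(review): the include targets were lost when this page was extracted
// (eight bare "#include" tokens survived). The list below is the standard
// syzkaller reproducer prologue, restored so the file compiles again.

#define _GNU_SOURCE
#include <endian.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

/* Raw ioctl numbers as emitted by syzkaller. The first four are the plain
 * _IO(KVMIO=0xae, nr) commands from <linux/kvm.h>. */
enum {
    IOCTL_KVM_CREATE_VM      = 0xae01,
    IOCTL_KVM_CREATE_VCPU    = 0xae41,
    IOCTL_KVM_CREATE_IRQCHIP = 0xae60,
    IOCTL_KVM_RUN            = 0xae80,
    /* Decodes as _IOW(KVMIO, 0x8f, 1024 bytes). On x86 nr 0x8f is
     * KVM_SET_XSAVE, but that takes a 4096-byte struct kvm_xsave, so the
     * size encoded here does not match; the name is unconfirmed. */
    IOCTL_KVMIO_NR_8F_W1024  = 0x4400ae8f,
};

/* The 1024 bytes the reproducer hands to the vCPU ioctl, exactly as syzkaller
 * produced them. The ioctl number above encodes the same 1024-byte length. */
static const char payload[] =
    "\xb6\x0c\x6a\x79\x19\x53\xef\xdc\x0f\xfe\xb5\xae\xec\xb2\x72\x72\x19\xa6"
    "\xeb\xe6\x40\xee\x38\x29\x93\x1e\x56\xc2\xe5\x67\x82\x01\x1a\x81\xf6\x64"
    "\x00\xe2\x91\x16\x48\x3d\x71\x67\xb4\xca\x7c\xb1\xcb\x78\x56\x1c\x66\xad"
    "\x06\xde\x74\xeb\x8b\x28\x3c\x63\xa7\x32\x69\xc9\x84\xbe\xf0\x0e\xb8\xe4"
    "\x40\x2a\xdc\x31\xaa\x56\xf7\x8e\xd6\xc1\x91\xc8\xc1\x3e\x05\xa8\x50\x80"
    "\xe6\xf1\x40\x8f\xb4\x66\x48\x57\x4d\xf2\x0e\x8d\xe6\x20\xe8\x96\x9b\x23"
    "\x00\x7b\xbb\xb4\x36\x76\xc9\xba\xdb\x2c\xfa\xdf\xbe\x6d\x15\xc3\x23\xad"
    "\x8e\xf0\x57\x3a\xfa\x62\x54\x49\x42\x9b\x1e\xa9\xfe\x44\x3a\x36\x15\x75"
    "\xd3\x59\xc4\xf2\x6a\x65\x30\x41\xff\x83\x24\xfa\xda\x43\xde\xa4\x67\x8b"
    "\x00\xb7\xe1\xd9\xb9\xe9\xea\xc7\x69\xd7\x79\x77\xa2\x0d\x38\xb5\x0a\xa7"
    "\xa5\x32\x01\x94\x4b\xf9\x7b\x92\x16\x8d\xdb\x7f\xe1\x65\xf5\x15\xd3\xb8"
    "\x70\x9a\xd2\x73\x7a\xd4\x70\x1f\xda\x6a\xb8\x56\x8c\xd9\x47\x81\x2d\x28"
    "\xcf\x05\x95\x7e\xf0\xed\xb1\xc2\x72\x44\x61\x4e\xb0\x0f\x86\xe0\xab\x49"
    "\x45\x31\x4b\x13\x37\x55\xf2\x7d\x4d\x36\xe5\x90\x1c\xac\xe2\x20\x0d\x62"
    "\xdf\x8a\xd6\xd0\x7e\x31\x63\xc0\x85\xeb\x4b\x68\x9c\xb0\x77\x37\x1f\xca"
    "\xf7\x36\x2b\xf2\x91\x91\x9a\xc7\x9d\x1f\x3e\xca\xbb\x88\x48\xc7\xe7\xb7"
    "\xb6\x05\x34\x54\x66\x46\x54\xb9\xfb\xdb\x79\x07\x1c\x2c\x5b\x77\xde\x3f"
    "\xcc\x4a\x05\xea\xd5\x18\xef\x17\x89\x46\x75\x58\x35\x70\xe9\x73\xbc\xc8"
    "\xc3\xb6\x26\xaf\x29\x90\x2d\x4c\x5a\xba\xef\xce\x10\x5f\x58\x72\x16\x42"
    "\xae\x03\x52\xdf\x5d\xbd\x95\x82\xa7\x91\xaf\x05\x12\x61\x8b\x84\xbb\x92"
    "\xc8\x12\x79\x8d\xbc\xfb\x3b\xaa\x2b\xc0\x52\xa6\xae\x82\xf6\x6d\xdb\xac"
    "\xe6\xfd\xab\xad\x25\x66\x42\xde\x08\x31\xb5\x7c\x0c\x95\x03\x29\x03\x0a"
    "\x84\xb7\x2a\x3e\x88\x8f\xe0\xfd\x0e\x4f\xfb\xe2\xba\x78\xfe\xa1\x94\xed"
    "\xfe\xca\x7e\xb4\x9d\x7f\x3f\xb8\x60\x9c\x89\x25\x48\xfd\xa4\x60\x61\x71"
    "\x29\x96\xa0\x8d\xe2\x6c\xff\x9f\x99\x98\xeb\xe1\x91\x25\xe0\x2f\x2b\x0d"
    "\x97\xf4\x5b\xd3\x08\x36\x14\xef\x80\x47\x0b\x05\xb9\x79\x92\x5c\x00\x0d"
    "\x2a\x80\x21\x76\x56\x8e\xf3\x22\x4f\x1b\xf0\x93\x03\x7d\x9d\xb3\x99\x27"
    "\xb0\xbd\x32\x10\x5b\xaa\xd5\xb4\xa7\x2c\xed\xb6\xe8\x34\x36\xad\x9b\x60"
    "\x45\x6a\x14\xca\xe5\xd2\xf5\xfd\xb7\xe6\x8e\x32\xca\x6e\x67\xc4\x6f\x4f"
    "\xa6\xc5\xf8\x55\xca\x52\xc3\x47\x5e\xd6\x05\x2d\x0b\x01\x19\x13\x9d\xab"
    "\xc4\x86\xf5\x97\x7b\x5c\x73\x96\x17\xa9\xb2\xbe\xe3\x80\x76\x25\xa9\x2d"
    "\x94\xcb\x3f\x98\x88\xd2\x12\x2e\x51\x96\xeb\x83\x35\x7a\xed\x4b\x40\x3f"
    "\x17\xbc\xbd\xe9\x78\xba\x37\x64\x0f\xd6\x63\xcd\xb2\xa5\xc7\x5c\xfe\xc1"
    "\x5e\xb7\x38\x12\xb1\x08\xc5\xfb\x59\x16\xab\x3a\x85\xa6\xda\x7a\xd9\x71"
    "\xc6\x05\x1e\xbd\x01\x08\x8e\x49\x6f\x07\xf4\xc1\x38\x9a\xec\x53\x4f\xc4"
    "\xad\x4e\xb0\x1e\xd4\x5e\xf5\x3e\xfc\x55\x2c\x22\x24\x52\x89\x40\x98\x3f"
    "\xab\x4c\x62\xa0\x7d\xb9\x16\x85\x01\x1c\xfb\x6f\xdf\xbb\x5a\x81\x81\x8e"
    "\x51\x40\x6d\x2c\xe9\x94\x07\x0d\x4d\xd0\x0c\xc7\x33\x3c\x0c\x96\xaa\xa8"
    "\xf7\x8c\x7b\xd5\x8c\x10\x7c\x5f\xbe\x45\x61\xb1\x1d\x6f\x17\x89\x8d\x59"
    "\xc7\xaa\xc9\x76\x89\xaf\x1b\xc9\x8c\xe7\x35\x34\xbb\xec\x5d\x4d\xda\x16"
    "\xa5\xf5\xc8\x73\x20\x55\xb2\xc7\xa3\x2a\xb3\xa3\xf4\x99\xf6\x11\xb4\x8c"
    "\xbf\x55\x57\x75\x0d\x40\x1f\x54\xd3\x2d\x59\x64\x90\xc4\xed\xc7\x70\x07"
    "\x18\xca\x68\xb0\x40\x57\x0a\x35\xee\xb4\x59\x0f\xb8\xed\x6e\xc9\x0d\xef"
    "\x97\x86\x27\xaf\x41\x8e\x42\x88\xdf\x2d\xb3\xc2\x8e\x33\x64\xcb\x03\xb2"
    "\xbe\xea\xe2\xbc\x53\xd3\xd5\xab\xb7\xb9\x5c\x31\x70\xec\xb6\xf0\xb7\xd1"
    "\xee\xd5\xca\x9e\xf1\xad\xed\x08\x36\xbb\x17\x44\xd2\x82\xc4\x78\xfe\x67"
    "\x12\x5b\xf0\x06\x10\xa1\xe7\x38\xe2\x99\x0f\xfc\xdf\x30\xb5\x81\x8e\x24"
    "\xa0\x32\xbd\x64\xf2\xa3\x79\x95\x67\x1a\x85\x1d\x38\x43\x57\x89\x75\x46"
    "\x8d\x61\x81\xe4\xa3\x84\x7a\x4d\xb9\x3c\x32\x78\xe1\xa2\x71\xb1\x98\x6c"
    "\x0c\x73\x39\x63\x25\x5d\x88\xbd\x90\xd6\x11\x56\xbf\xab\xc6\x6c\x2e\xe4"
    "\x7b\x30\x5f\xd2\x05\x28\x26\xf1\x8b\x51\xb6\xdb\x95\xf8\x6c\xec\xfd\xcb"
    "\x45\x88\x57\x34\x93\x89\xf3\xfd\x98\x47\x64\x9b\x61\xbe\x25\x05\x6a\x84"
    "\x11\xaf\xda\xac\xfb\x5c\xfb\xfa\xf3\x60\x80\x63\x12\xba\xca\x86\x1b\x6a"
    "\x53\x3f\x2b\x9e\x1e\x2b\xdb\x9e\x71\x08\xe3\x79\xd7\x29\xc3\x96\xfd\xd4"
    "\x84\xc9\x03\xf3\x6a\x1b\x1d\x37\x31\x11\x36\x67\x94\x1c\x32\x67\x99\x82"
    "\xb3\x1c\xf4\xad\x27\x7d\xf0\x2d\xeb\xb6\xf1\xa7\x34\x38\x5a\x1f\xd8\x7f"
    "\xa0\x94\x8a\xcd\xa4\x53\x57\xd6\xb9\x1d\xf6\x68\x1b\x57\x2f\x0e";

/* Guard against a mis-transcribed payload: 1024 data bytes plus the
 * terminating NUL that the string literal adds. */
_Static_assert(sizeof payload == 1024 + 1, "payload must be exactly 1024 bytes");

/* Resource slots in syzkaller's convention: r[0] = /dev/kvm fd, r[1] = VM fd,
 * r[2] = vCPU fd. All start at -1 and are only overwritten on success. */
uint64_t r[3] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff};

int main(void)
{
    /* syzkaller's fixed scratch layout: a PROT_NONE guard page on each side of a
     * 16 MiB region at 0x20000000 mapped RWX (prot 7). Flags 0x32 are
     * MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS on x86/arm64. */
    syscall(__NR_mmap, /*addr=*/0x1ffff000ul, /*len=*/0x1000ul, /*prot=*/0ul,
            /*flags=*/0x32ul, /*fd=*/-1, /*offset=*/0ul);
    syscall(__NR_mmap, /*addr=*/0x20000000ul, /*len=*/0x1000000ul, /*prot=*/7ul,
            /*flags=*/0x32ul, /*fd=*/-1, /*offset=*/0ul);
    syscall(__NR_mmap, /*addr=*/0x21000000ul, /*len=*/0x1000ul, /*prot=*/0ul,
            /*flags=*/0x32ul, /*fd=*/-1, /*offset=*/0ul);

    intptr_t res = 0;

    /* The path lives in the scratch region; dirfd is AT_FDCWD (-100), which is
     * irrelevant for an absolute path. Without /dev/kvm the original reproducer
     * would carry on issuing ioctls against fd -1 and "succeed" silently, so
     * report the failure instead. */
    memcpy((void*)0x20000080, "/dev/kvm\000", 9);
    res = syscall(__NR_openat, /*dirfd=*/0xffffffffffffff9cul,
                  /*path=*/0x20000080ul, /*flags=*/0ul, /*mode=*/0ul);
    if (res == -1) {
        perror("openat(/dev/kvm)");
        return 1;
    }
    r[0] = (uint64_t)res;

    res = syscall(__NR_ioctl, /*fd=*/r[0], /*cmd=*/IOCTL_KVM_CREATE_VM, /*type=*/0ul);
    if (res == -1) {
        perror("KVM_CREATE_VM");
        return 1;
    }
    r[1] = (uint64_t)res;

    /* syzkaller emitted this call unchecked; keep that, since the bug may not
     * depend on the irqchip actually existing. */
    syscall(__NR_ioctl, /*fd=*/r[1], /*cmd=*/IOCTL_KVM_CREATE_IRQCHIP, /*arg=*/0ul);

    res = syscall(__NR_ioctl, /*fd=*/r[1], /*cmd=*/IOCTL_KVM_CREATE_VCPU, /*id=*/1ul);
    if (res == -1) {
        perror("KVM_CREATE_VCPU");
        return 1;
    }
    r[2] = (uint64_t)res;

    /* Stage the fuzzer payload in the scratch region and hand it to the vCPU,
     * then run the vCPU. These two results are deliberately not checked: the
     * kernel-side effect, not the return value, is what the reproducer is for. */
    memcpy((void*)0x20000800, payload, sizeof payload - 1);
    syscall(__NR_ioctl, /*fd=*/r[2], /*cmd=*/IOCTL_KVMIO_NR_8F_W1024, /*arg=*/0x20000800ul);
    syscall(__NR_ioctl, /*fd=*/r[2], /*cmd=*/IOCTL_KVM_RUN, /*arg=*/0ul);
    return 0;
}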