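// https://syzkaller.appspot.com/bug?id=d204aaca3ac260c553e053c566b529f350ea6454
// autogenerated by syzkaller (http://github.com/google/syzkaller)
//
// Kernel regression reproducer. It opens a procfs entry of the calling
// process and calls syncfs(2) on the resulting descriptor, in an endless
// loop. The crash details are in the syzkaller report linked above.

#define _GNU_SOURCE

// The header names were missing from the published listing (nine bare
// "#include" directives). The headers below are the ones the visible code
// needs: open(), snprintf(), memset()/memcpy(), uintptr_t/uint64_t,
// syscall() and the __NR_* constants.
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * Open a file below /proc for the current process or one of its threads.
 *
 * a0 selects the directory: 0 means /proc/self, (uintptr_t)-1 means
 * /proc/thread-self, and any other value is used as a thread id under
 * /proc/self/task/<tid>.
 * a1 is the address of a NUL-terminated name that is appended to that
 * directory.
 *
 * The file is opened read-write first and read-only if that fails. Returns
 * the descriptor, or -1 converted to uintptr_t when both opens fail.
 */
static uintptr_t syz_open_procfs(uintptr_t a0, uintptr_t a1)
{
    char path[128];
    const char *name = (const char *)a1;

    memset(path, 0, sizeof(path));
    /* snprintf truncates silently; an over-long name just fails to open. */
    if (a0 == 0) {
        snprintf(path, sizeof(path), "/proc/self/%s", name);
    } else if (a0 == (uintptr_t)-1) {
        snprintf(path, sizeof(path), "/proc/thread-self/%s", name);
    } else {
        snprintf(path, sizeof(path), "/proc/self/task/%d/%s", (int)a0, name);
    }

    int fd = open(path, O_RDWR);
    if (fd == -1) {
        fd = open(path, O_RDONLY);
    }
    return fd;
}

static void execute_one(void);

/* Emitted by the generator; nothing in this file references it. */
extern unsigned long long procid;

/* Run the recorded call sequence forever. */
void loop(void)
{
    while (1) {
        execute_one();
    }
}

/* Resource slot for the procfs descriptor; all-ones means "not opened". */
uint64_t r[1] = {0xffffffffffffffff};

/*
 * One iteration of the recorded program: write the fuzzer-generated name
 * into the fixed mapping, open it through syz_open_procfs() and call
 * syncfs() on the descriptor.
 */
static void execute_one(void)
{
    long res = 0;

    /*
     * 206 bytes of fuzzer output. The consumer formats it with "%s", so
     * only the leading "/exe" up to the first NUL is used and the opened
     * path is "/proc/self//exe"; the remaining bytes are never read.
     */
    memcpy((void*)0x20000380,
           "\x2f\x65\x78\x65\x00\x00\x00\x00\x00\xff\x07\x00\x00\xdd\xd9\xf1\x91"
           "\xbe\x10\xee\xbf\x00\x0e\xe9\xff\x07\x00\x00\x00\x00\x00\x00\x54\xfa"
           "\x07\x42\x4a\xde\xe9\x16\xd2\xda\x75\xaf\xe7\x0b\x35\xa0\xfd\x6a\x1f"
           "\x34\x95\x72\xd2\x26\xd7\xa0\x75\xfb\x35\x33\x1c\xe3\x9c\x5a\x35\x68"
           "\x64\x10\x06\xd7\xc0\x20\x6a\x74\xe3\x33\x26\xcb\x16\xa1\x75\x35\x0e"
           "\x73\x0a\xb2\xbc\xe6\x82\xb6\x9d\x60\x3f\xc0\x5e\xad\x7f\xb5\x18\x0d"
           "\xe1\x3a\x74\x15\x5d\x85\x60\xfe\x23\xdf\xbb\xa1\x07\x24\x63\x10\x67"
           "\xf9\x55\xb8\x81\x0f\x34\x02\x05\x3f\x95\xa8\x79\x8b\x0e\x37\x49\xd9"
           "\xc7\x9c\xdd\x5f\x62\x54\x7e\x59\xab\x43\x52\xab\x0a\x38\x27\x38\x46"
           "\x65\xfd\x2c\x16\xea\x53\xe5\xe2\xa1\xdc\x06\x5b\x53\x52\x0b\x9c\xd4"
           "\xeb\x30\xed\xc0\xf7\x0c\xb8\x21\x49\xf8\xff\x5b\x62\x8e\xab\xf1\xa9"
           "\xab\x91\x91\x5a\x78\xb5\xcb\x25\x9f\x4a\x0f\xbf\xab\x4d\xac\xbd\x68"
           "\xf0\x77",
           206);

    res = syz_open_procfs(0, 0x20000380);
    if (res != -1) {
        r[0] = res;
    }

    /* If the open failed, r[0] is still all-ones and syncfs() gets a bad fd. */
    syscall(__NR_syncfs, r[0]);
}

/*
 * Map the fixed 16 MiB data area the recorded program writes into, then
 * loop. prot 3 is PROT_READ|PROT_WRITE and flags 0x32 is
 * MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS (Linux values).
 */
int main(void)
{
    long mapped = syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0);

    /*
     * Without the mapping the memcpy() in execute_one() would fault on an
     * unmapped address, so exit cleanly instead.
     */
    if (mapped == -1) {
        return 1;
    }

    for (;;) {
        loop();
    }
}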