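// https://syzkaller.appspot.com/bug?id=9fb3db5c567a9fc8b6a07a43ffc768387cae86a0
// autogenerated by syzkaller (http://github.com/google/syzkaller)
//
// Kernel bug reproducer. The header names of the original #include lines were
// lost in extraction; the set below was reconstructed from the functions the
// program actually calls (ioctl, snprintf, open, memcpy, syscall, __NR_*).
// The syscall sequence in execute_one() is reproduced unchanged.

#define _GNU_SOURCE

#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * Open the slave side of the pty whose master fd is a0.
 *
 * a0: master (ptmx) file descriptor.
 * a1: open(2) flags for the slave device.
 * Returns the new fd, or (uintptr_t)-1 if TIOCGPTN or open() fails.
 */
static uintptr_t syz_open_pts(uintptr_t a0, uintptr_t a1)
{
  int ptyno = 0;
  if (ioctl(a0, TIOCGPTN, &ptyno))
    return -1;
  char buf[128];
  /* "/dev/pts/%d" always fits in 128 bytes; snprintf keeps the write bounded regardless. */
  snprintf(buf, sizeof buf, "/dev/pts/%d", ptyno);
  return open(buf, a1, 0);
}

static void execute_one(void);
extern unsigned long long procid;

/* Run the reproducer body forever; never returns. */
void loop(void)
{
  while (1) {
    execute_one();
  }
}

/* Resource fds produced by execute_one(); UINT64_MAX means "not obtained yet". */
uint64_t r[2] = {0xffffffffffffffff, 0xffffffffffffffff};

/*
 * One iteration of the reproducer. Every argument buffer lives in the fixed
 * region that main() maps at 0x20000000; nothing here is heap or stack data.
 * As generated, the later syscalls are issued even when an earlier open
 * failed (r[] then still holds UINT64_MAX).
 */
void execute_one(void)
{
  long res = 0;
  memcpy((void*)0x2088cff6, "/dev/ptmx", 10);
  res = syscall(__NR_openat, 0xffffffffffffff9c, 0x2088cff6, 1, 0);
  if (res != -1)
    r[0] = res;
  /* 36 zeroed bytes used as the argument of the ioctl below. */
  *(uint32_t*)0x203b3fdc = 0;
  *(uint32_t*)0x203b3fe0 = 0;
  *(uint32_t*)0x203b3fe4 = 0;
  *(uint32_t*)0x203b3fe8 = 0;
  *(uint8_t*)0x203b3fec = 0;
  *(uint8_t*)0x203b3fed = 0;
  *(uint8_t*)0x203b3fee = 0;
  *(uint8_t*)0x203b3fef = 0;
  *(uint32_t*)0x203b3ff0 = 0;
  *(uint32_t*)0x203b3ff4 = 0;
  *(uint32_t*)0x203b3ff8 = 0;
  *(uint32_t*)0x203b3ffc = 0;
  /* 0x40045431 is _IOW('T', 0x31, int), i.e. TIOCSPTLCK on x86, on the master. */
  syscall(__NR_ioctl, r[0], 0x40045431, 0x203b3fdc);
  /* 536 bytes of generated data, written to the master below (0x218 == 536). */
  memcpy(
      (void*)0x20000100,
      "\x00\x00\x00\x00\x1e\x00\x11\xd8\x88\x5f\xfd\x74\xc5\xd5\x5f\xa4\x8e\xe1"
      "\x4f\xc9\x27\x56\x1f\xeb\xf3\x8d\xbf\x35\xd4\x6b\x61\x94\xa3\xee\xc0\xcc"
      "\xb9\xe1\x3e\xeb\xef\x73\x3f\x4f\x57\x99\x6e\xf3\x5f\x5f\x25\x07\xa4\x6e"
      "\x7f\x00\x3f\x87\xb9\x19\x9f\x7e\xdb\xb2\x6d\x78\x75\x3e\xda\x64\xd9\x09"
      "\x7b\x03\x3f\xe2\x8e\x71\xd7\x71\x1a\xff\xc8\x76\xdd\x65\xd2\xc5\x01\x00"
      "\x00\x00\x7a\xa3\xc2\xd4\xf4\xaa\x23\xf6\x25\xd0\xc4\xd7\x95\x88\xf2\xb6"
      "\x4c\x58\x42\x38\xca\xcb\x99\xa1\x3d\x8e\x90\x0d\x73\x8e\x7b\xf9\xff\xf3"
      "\x61\x82\xb1\xf1\x3d\x09\xd6\x87\xf7\xdb\x2b\x70\xfa\x8b\x2a\xdc\x23\xaa"
      "\xb8\xcc\x2d\xb3\x34\xd8\x90\x01\x19\x19\x70\x20\xb9\x31\x89\xb4\x32\x55"
      "\x6f\xeb\x62\xcf\xb9\x01\x72\xa3\xba\x46\x36\x93\x2a\x2f\x21\x11\xb9\xd2"
      "\x4b\xa7\xdd\xc2\x3e\xb8\x67\x40\x12\x22\x76\xca\x02\x00\x00\x00\x07\xa9"
      "\x6b\xe1\xa4\x7d\x61\xd5\x62\xa8\xeb\x6b\x38\x31\x9c\x92\x04\xf7\xf0\x93"
      "\xa5\xa1\x8d\xe6\x04\xaf\x7d\x6f\xf8\xfd\x35\xf7\x56\x0d\xbf\x7f\xb4\xc4"
      "\x8e\xee\xd9\x0d\x4c\x86\xb0\xc3\x09\x00\x00\x00\xdf\x5f\xeb\xc0\xfa\xc7"
      "\xe6\xbe\xf8\xf5\xe8\x78\x34\x42\xc5\x41\x0a\xbd\x4e\x42\xb3\x1b\xe9\xc4"
      "\xfb\x54\x44\xf5\x34\xf7\x40\xff\x78\x00\x00\x00\x32\x27\x91\xd7\x76\x15"
      "\xda\x2e\xb8\xb6\x32\x8b\x85\x61\x47\x8c\x47\x7f\x97\x09\x71\x18\xe9\x41"
      "\xf3\x33\x01\x81\x95\x8e\xee\x40\xa8\x97\x71\x31\x57\x50\x6e\xa9\xd2\x49"
      "\x67\x34\x27\x3b\x10\xae\x86\xe9\xe2\x5f\xd3\xec\xd5\x65\xaf\x24\x5a\xd5"
      "\x70\x03\x0c\xa1\xac\xeb\x30\xed\xb3\x1a\xf5\xa0\xaa\x41\x4a\x80\xa5\x97"
      "\x5d\xa7\x67\xe4\x6a\x4b\x9c\x52\x61\x44\x75\x5a\xb7\xce\x82\x1c\x52\x90"
      "\x00\x08\x00\x00\xa0\x6e\x7c\x3f\x97\xbd\x1e\xf3\xd9\x54\x4e\xe6\xfc\x5a"
      "\x16\x2a\xe2\x67\xa8\x2c\x58\x9b\x19\x10\x5f\x6f\x10\x51\x78\x37\x72\x11"
      "\x00\x72\x4b\x39\xc1\xe7\x1b\x24\x6c\x89\x6f\xf1\x80\x92\x3a\x92\x11\xfb"
      "\x54\xe2\x5c\x4f\x81\xa3\x98\x70\x4e\x63\xa5\x68\x6d\x34\x0e\xab\x22\x27"
      "\x2f\x03\x92\x47\xa0\x05\xd1\xf6\x3f\x19\xb4\xe6\x3b\x5a\x13\x92\x10\xb3"
      "\x96\x54\x9e\xc4\xb4\xec\xd4\x9a\x00\x34\x47\x6e\xc8\xfb\xeb\x33\x9a\x3d"
      "\x5d\x9a\x57\x22\xed\x69\x51\x9d\xfe\xf9\xf6\x0c\xc3\xac\x8a\xf7\x3d\x19"
      "\x24\x8a\xc6\x6d\xdf\x3f\x5e\xfc\xfb\xb8\xb4\xfd\x90\xd1\x97\x80\xfd\xb9"
      "\x39\x56\x70\x1b\xd3\x6c\x60\x2b\x68\x1f\x58\x50\x70\x09",
      536);
  syscall(__NR_write, r[0], 0x20000100, 0x218);
  res = syz_open_pts(r[0], 0);
  if (res != -1)
    r[1] = res;
  /* Argument block for the ioctl on the slave: first byte 0x15, rest zero. */
  *(uint32_t*)0x200000c0 = 0x15;
  *(uint32_t*)0x200000c4 = 0;
  *(uint32_t*)0x200000c8 = 0;
  *(uint32_t*)0x200000cc = 0;
  *(uint8_t*)0x200000d0 = 0;
  *(uint8_t*)0x200000d1 = 0;
  *(uint8_t*)0x200000d2 = 0;
  *(uint8_t*)0x200000d3 = 0;
  *(uint32_t*)0x200000d4 = 0;
  *(uint32_t*)0x200000d8 = 0;
  *(uint32_t*)0x200000dc = 0;
  *(uint32_t*)0x200000e0 = 0;
  /* 0x5412 is _IO('T', 0x12), i.e. TIOCSTI on x86, issued on the slave fd. */
  syscall(__NR_ioctl, r[1], 0x5412, 0x200000c0);
}

/*
 * Map the fixed 16 MiB region that execute_one() dereferences, then run the
 * reproducer forever. The mapping is PROT_READ|PROT_WRITE (3) with
 * MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS (0x32); if it fails, the fixed-address
 * stores in execute_one() would fault, so bail out with a message instead.
 */
int main(void)
{
  if (syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0) == -1) {
    perror("mmap");
    return 1;
  }
  for (;;) {
    loop();
  }
}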