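// https://syzkaller.appspot.com/bug?id=ddc3986bb6db996b17477fe5662ba038e7dfd57c
// autogenerated by syzkaller (https://github.com/google/syzkaller)
//
// Kernel-bug reproducer. It maps a fixed scratch region, opens a UDP socket,
// loads a tiny BPF program, and then attaches both to a second socket via
// ioctl, twice. Every syscall is issued raw (no libc wrappers) and its result
// is ignored except where a file descriptor is captured into r[], so the
// sequence runs to completion whether or not earlier calls succeeded. Meant
// to be run against the kernel under test, not on a production host.
//
// NOTE(review): the header names after each #include were lost when this
// page was extracted. The eight below are the standard set syzkaller emits
// for this reproducer shape (htobe16/htobe32 need <endian.h> + _GNU_SOURCE,
// syscall() needs <unistd.h>/<sys/syscall.h>) — confirm against the original.

#define _GNU_SOURCE

#include <endian.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

#ifndef __NR_bpf
#define __NR_bpf 321
#endif

// Captured results: r[0] = UDP socket fd, r[1] = loaded BPF program fd,
// r[2] = second socket fd. -1 means the corresponding call failed and the
// later calls that use it will be handed an invalid descriptor on purpose.
uint64_t r[3] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff};

int main(void)
{
	// Fixed-address scratch memory so the syscall argument pointers below are
	// stable. The middle mapping is the RW data area (prot 7 = RWX); the two
	// 4 KiB mappings either side have prot 0 and act as guard pages.
	syscall(__NR_mmap, 0x1ffff000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul);
	syscall(__NR_mmap, 0x20000000ul, 0x1000000ul, 7ul, 0x32ul, -1, 0ul);
	syscall(__NR_mmap, 0x21000000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul);

	intptr_t res = 0;

	// socket(AF_INET=2, SOCK_DGRAM=1, 0)
	res = syscall(__NR_socket, 2ul, 1ul, 0);
	if (res != -1)
		r[0] = res;

	// bind() to a sockaddr_in: family 2, port 0x4e20 (20000), address
	// 0xe0000002 (224.0.0.2, a multicast address).
	*(uint16_t*)0x20e5b000 = 2;
	*(uint16_t*)0x20e5b002 = htobe16(0x4e20);
	*(uint32_t*)0x20e5b004 = htobe32(0xe0000002);
	syscall(__NR_bind, r[0], 0x20e5b000ul, 0x10ul);

	// connect() to 0.0.0.0:20000 (same family/port, wildcard address).
	*(uint16_t*)0x200001c0 = 2;
	*(uint16_t*)0x200001c2 = htobe16(0x4e20);
	*(uint32_t*)0x200001c4 = htobe32(0);
	syscall(__NR_connect, r[0], 0x200001c0ul, 0x10ul);

	// bpf(cmd 5 = BPF_PROG_LOAD, attr @0x20000100, size 0x48).
	// The writes below lay out the prog-load part of union bpf_attr:
	//   +0x00 prog_type = 1, +0x04 insn_cnt = 3, +0x08 insns -> 0x200024c0,
	//   +0x10 license -> "syzkaller", +0x18 log_level = 4, +0x1c log_size,
	//   +0x20 log_buf -> 0x20000040, then kern_version / prog_flags /
	//   prog_name (16 zero bytes @0x30) and the trailing fd/BTF fields.
	// Field names beyond log_buf are inferred from the offsets — verify
	// against the uapi header for the target kernel.
	*(uint32_t*)0x20000100 = 1;
	*(uint32_t*)0x20000104 = 3;
	*(uint64_t*)0x20000108 = 0x200024c0;
	// 337 bytes of fuzzer-generated data. With insn_cnt = 3 the kernel should
	// only read the first 24 bytes (three 8-byte insns: an lddw pair and an
	// exit); the rest is whatever syzkaller happened to generate.
	memcpy(
	    (void*)0x200024c0,
	    "\x18\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x20\x00\x95\x00"
	    "\x2b\x4e\x00\x00\x00\x00\xa4\x72\xe2\xc5\x21\x58\xa4\x83\x3f\xb9\x6f\x88"
	    "\x4d\xbf\x9a\x7a\x01\xe3\x17\x80\xe9\xe3\xcd\x7f\x89\xd8\xf0\x0f\x5f\x1a"
	    "\x7d\x62\xd3\xec\x2a\x10\xef\x9e\xeb\x7c\x62\xec\x77\x7c\xf3\x95\x58\x94"
	    "\x33\x89\x84\x05\x52\x25\x58\x1b\xe4\xcd\x5f\x23\x8e\x99\xb3\x60\xd8\xd9"
	    "\x50\x70\xec\xba\x32\x6e\xbe\x9b\xd8\x65\x0a\x15\x73\xbe\x0a\xba\x07\xc7"
	    "\x8a\xe6\x68\x9c\x3c\xd5\x83\x20\x7c\xf0\x6f\x03\x4b\xa3\x1f\xce\x89\x43"
	    "\x87\xbf\x66\xc2\x98\x83\xea\xb6\x7b\x8e\xa7\x71\x47\x07\xd8\xf2\xff\x37"
	    "\x19\x35\xbc\x19\x5e\xab\x20\x7e\x88\xc2\x9e\x77\x5f\x1e\x61\xd2\xeb\x9d"
	    "\xbb\xe0\xe9\xca\xeb\xbe\x71\x26\xfe\x01\xc5\xbc\x77\x8c\x72\x66\xe3\x54"
	    "\x47\xa4\x42\xf3\x8e\x47\x66\x3c\x84\xc6\xa3\x7e\xa3\xdd\x54\x06\x2e\x1c"
	    "\x47\x6c\xde\xec\x6f\x59\x74\xfa\xad\x1a\x67\xee\xb3\x5b\x68\xf3\xcf\xed"
	    "\x52\xc2\xda\x64\xca\xe8\xdb\xf6\xf3\xe6\xab\x02\xbd\x69\x78\x18\xe5\x05"
	    "\x85\x48\x30\x5d\x88\x2c\x2e\x0d\x06\x9e\x00\xc5\xac\x7f\xb8\x8a\x38\xa3"
	    "\x42\x38\x5b\x2a\x8c\x31\xd9\x42\xe9\x62\xe6\xd3\x84\x74\x90\x98\xea\x29"
	    "\x31\x6f\xc4\x1d\x4e\x10\xce\x7e\x82\x0e\x9f\x7a\x50\x63\x70\xd2\xcb\xb1"
	    "\xe4\xa9\x3a\xf8\x57\x84\x7a\xc9\x83\x13\x45\x0c\x02\x69\x88\x2d\x6c\x89"
	    "\xb9\x18\x4c\xba\x72\x43\xcf\xd1\x4f\xc8\xb5\x3a\x3b\x83\x56\xc7\x09\x4f"
	    "\x33\x62\xaf\x08\x80\xda\xb0\x2d\xdc\x7f\x88\x46\x7c",
	    337);
	*(uint64_t*)0x20000110 = 0x202bf000;
	memcpy((void*)0x202bf000, "syzkaller\000", 10);
	*(uint32_t*)0x20000118 = 4;
	*(uint32_t*)0x2000011c = 0x436;
	*(uint64_t*)0x20000120 = 0x20000040;
	*(uint32_t*)0x20000128 = 0;
	*(uint32_t*)0x2000012c = 0;
	memset((void*)0x20000130, 0, 16);
	*(uint32_t*)0x20000140 = 0;
	*(uint32_t*)0x20000144 = 0;
	*(uint32_t*)0x20000148 = -1;
	*(uint32_t*)0x2000014c = 8;
	// Two pointer fields both aim at the same 16-byte scratch area at
	// 0x20000000, which is zeroed twice below; the second pass is redundant
	// but harmless and is kept to match the generated sequence exactly.
	*(uint64_t*)0x20000150 = 0x20000000;
	*(uint32_t*)0x20000000 = 0;
	*(uint32_t*)0x20000004 = 0;
	*(uint32_t*)0x20000158 = 0;
	*(uint32_t*)0x2000015c = 0x10;
	*(uint64_t*)0x20000160 = 0x20000000;
	*(uint32_t*)0x20000000 = 0;
	*(uint32_t*)0x20000004 = 0;
	*(uint32_t*)0x20000008 = 0;
	*(uint32_t*)0x2000000c = 0;
	*(uint32_t*)0x20000168 = 0;
	*(uint32_t*)0x2000016c = 0;
	*(uint32_t*)0x20000170 = -1;
	*(uint32_t*)0x20000174 = 0;
	*(uint64_t*)0x20000178 = 0;
	res = syscall(__NR_bpf, 5ul, 0x20000100ul, 0x48ul);
	if (res != -1)
		r[1] = res;

	// socket(0x29, 0x1000000000002, 0): family 0x29 is AF_KCM on Linux;
	// the type argument is SOCK_DGRAM (2) with junk in the high bits, which
	// the kernel masks or rejects depending on version.
	res = syscall(__NR_socket, 0x29ul, 0x1000000000002ul, 0);
	if (res != -1)
		r[2] = res;

	// ioctl(r[2], 0x89e0, {fd = r[0], bpf_fd = r[1]}) issued twice.
	// 0x89e0 is SIOCPROTOPRIVATE, which KCM uses as SIOCKCMATTACH, so this
	// presumably attaches the UDP socket plus the BPF program to the KCM
	// socket; the repeated attach of the same pair is the interesting part.
	// The 8-byte argument is rebuilt before each call as in the original.
	*(uint32_t*)0x20000180 = r[0];
	*(uint32_t*)0x20000184 = r[1];
	syscall(__NR_ioctl, r[2], 0x89e0, 0x20000180ul);
	*(uint32_t*)0x20000180 = r[0];
	*(uint32_t*)0x20000184 = r[1];
	syscall(__NR_ioctl, r[2], 0x89e0, 0x20000180ul);

	return 0;
}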