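// https://syzkaller.appspot.com/bug?id=4462682cd32aee8ff03a43c8b9be3963743bc506
// autogenerated by syzkaller (http://github.com/google/syzkaller)
//
// Minimal reproducer for the crash tracked at the URL above: map a fixed
// scratch region, open one /dev/sg* device, write a fixed 158-byte
// fuzzer-generated payload to it, then readv() from it.
//
// NOTE(review): the original file had nine `#include` lines whose header
// names were lost in extraction; the list below is reconstructed from the
// identifiers this file actually uses.

#define _GNU_SOURCE
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/*
 * Open a device following syzkaller's "device template" convention.
 *
 * a0 == 0xc or 0xb: open "/dev/char/<a1>:<a2>" or "/dev/block/<a1>:<a2>"
 *   read-write. a1 and a2 are truncated to one byte each, so the formatted
 *   path always fits the 128-byte buffer.
 * otherwise: a0 is a pointer to a NUL-terminated path template; every '#'
 *   in it is replaced, left to right, by the decimal digits of a1 starting
 *   with the least-significant one, and the result is opened with flags a2.
 *
 * Returns the descriptor from open(), or (uintptr_t)-1 on failure (open()'s
 * -1 converted to uintptr_t).
 */
static uintptr_t syz_open_dev(uintptr_t a0, uintptr_t a1, uintptr_t a2)
{
    if (a0 == 0xc || a0 == 0xb) {
        char path[128];
        snprintf(path, sizeof path, "/dev/%s/%d:%d",
                 a0 == 0xc ? "char" : "block", (uint8_t)a1, (uint8_t)a2);
        return open(path, O_RDWR, 0);
    }

    char path[1024];
    /* snprintf always NUL-terminates (size > 0), so no manual terminator
     * is needed; templates longer than 1023 bytes are truncated as before. */
    snprintf(path, sizeof path, "%s", (const char *)a0);
    for (char *hash = strchr(path, '#'); hash; hash = strchr(hash + 1, '#')) {
        *hash = '0' + (char)(a1 % 10);
        a1 /= 10;
    }
    return open(path, a2, 0);
}

/* Descriptor of the opened sg device; stays -1 if syz_open_dev() fails. */
uint64_t r[1] = {0xffffffffffffffff};

/*
 * One iteration of the reproducer. Assumes main() has already mapped the
 * scratch region at 0x20000000; every fixed address below lies inside it.
 * The write/readv return values are deliberately not checked: the
 * reproducer only needs to issue the calls, and a failed open() simply
 * makes them fail with EBADF on descriptor -1.
 */
void loop(void)
{
    /* Template "/dev/sg#" (9 bytes incl. NUL); a1 == 0 fills in "/dev/sg0".
     * 0x8002 is the raw open() flags word the fuzzer emitted: O_RDWR plus a
     * platform-specific bit (presumably O_LARGEFILE on x86-64 — confirm). */
    memcpy((void *)0x200000c0, "/dev/sg#", 9);
    long res = syz_open_dev(0x200000c0, 0, 0x8002);
    if (res != -1)
        r[0] = res;

    /* Fixed 158-byte (0x9e) payload as generated by the fuzzer, copied
     * verbatim into the scratch region and written to the device. */
    memcpy((void *)0x20000100,
           "\xb6\x3d\xb8\x5e\x1e\x8d\x02\x00\x00\x00\x00\x00\x00\x3e\xb0\x01\x1d"
           "\xcc\x60\x6a\xed\x5e\xd2\xbc\x70\x18\xce\xbc\x9b\xc2\xfe\xff\xff\xff"
           "\xff\xff\xff\xff\xe2\x2c\x9b\x16\x00\x96\xaa\x1f\xae\x1a\x19\xc4\x9b"
           "\xdb\x3a\x3f\x7d\x5f\x37\x4e\x29\x35\x68\x8f\x1f\xf3\x3d\x10\xa5\x69"
           "\xf1\x60\x2a\xf3\xad\xb1\x77\xb3\x70\xb7\x8f\x61\x9a\x55\x75\x47\x2b"
           "\x80\x04\x21\x9d\x1b\x7f\x5f\xdd\xc7\xa6\xbf\x4f\x52\x86\x72\x21\x4b"
           "\xc0\xa9\x60\x17\x1b\x29\xcb\xab\x9f\xd3\x7c\x97\x9f\x4f\xbb\x7a\xcb"
           "\xed\xd9\x49\x66\x79\xa9\xe8\x1f\xc1\xfe\x19\xc3\xc0\x39\xf0\xf4\x33"
           "\xf5\x14\x80\x01\xd0\xb2\xf1\x43\x89\x08\xb2\x97\x0b\x4b\x31\xb7\x3c"
           "\x43\xd2\x82\xe3\x6f",
           158);
    syscall(__NR_write, r[0], 0x20000100, 0x9e);

    /* Hand-built single struct iovec at 0x2085dff0:
     * iov_base = 0x20e94000 (inside the scratch mapping), iov_len = 0x3e. */
    *(uint64_t *)0x2085dff0 = 0x20e94000;
    *(uint64_t *)0x2085dff8 = 0x3e;
    syscall(__NR_readv, r[0], 0x2085dff0, 1);
}

/*
 * Map the 16 MiB scratch region at 0x20000000 that loop() writes into.
 * prot 3 = PROT_READ|PROT_WRITE; flags 0x32 = MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS
 * (Linux values). The original ignored the result; if the mapping fails the
 * first memcpy in loop() would fault in userspace, which is easy to mistake
 * for the kernel bug being reproduced, so report and exit instead.
 */
int main(void)
{
    if (syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0) == -1) {
        perror("mmap");
        return 1;
    }
    loop();
    return 0;
}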