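// https://syzkaller.appspot.com/bug?id=d6e4dd59a9b708895738b9cc59e6bdcb3a43ff14
// autogenerated by syzkaller (https://github.com/google/syzkaller)

/*
 * Kernel-fuzzer reproducer that drives the host KVM ioctl interface.
 *
 * Sequence, as visible in main():
 *   1. map a fixed 16 MiB scratch area at 0x20000000;
 *   2. open /dev/kvm, create a VM and one vCPU;
 *   3. KVM_SET_VCPU_EVENTS on the vCPU with out-of-range event fields;
 *   4. KVM_SET_USER_MEMORY_REGION: 8 KiB of guest memory at guest physical 0;
 *   5. KVM_SET_SREGS with paging and long mode enabled while all segment
 *      descriptors are zero;
 *   6. KVM_RUN.
 *
 * Return values after the fd-producing calls are deliberately ignored: the
 * generated program keeps going so that the syscall sequence stays fixed.
 * The only precondition visible here is being able to open /dev/kvm, so
 * permissions on that device node are the relevant exposure control.
 * The kernel-side symptom is described in the bug report linked above; it
 * cannot be derived from this file.
 */

#define _GNU_SOURCE

/*
 * NOTE(review): the page lists nine #include directives whose header names
 * were lost in extraction. The headers below are the ones the code in this
 * file actually needs; the remaining two could not be recovered.
 */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * Create a fresh "./syzkaller.XXXXXX" directory, make it mode 0777 and
 * chdir() into it. Any failure terminates the process with exit status 1.
 */
static void use_temporary_dir(void)
{
    char tmpdir_template[] = "./syzkaller.XXXXXX";
    char* tmpdir = mkdtemp(tmpdir_template);
    if (!tmpdir)
        exit(1);
    if (chmod(tmpdir, 0777))
        exit(1);
    if (chdir(tmpdir))
        exit(1);
}

/* Fallback syscall number for toolchains whose headers predate getrandom(2);
 * 318 is the x86-64 number. */
#ifndef __NR_getrandom
#define __NR_getrandom 318
#endif

/*
 * Resources produced by earlier calls: r[0] = /dev/kvm fd, r[1] = VM fd,
 * r[2] = vCPU fd. They start as all-ones (-1), so if a creating call fails
 * the later ioctls are issued on an invalid descriptor.
 */
uint64_t r[3] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff};

int main(void)
{
    /* Scratch area for every argument struct below: 0x1000000 bytes at
     * 0x20000000, prot 3 (PROT_READ|PROT_WRITE), flags 0x32
     * (MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS). */
    syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0);
    use_temporary_dir();
    long res = 0;

    /* getrandom() with flags 2 (GRND_RANDOM) and a length far larger than
     * the mapping; the result is ignored. How many bytes are written from
     * 0x20000140 onward depends on the kernel. */
    syscall(__NR_getrandom, 0x20000140, 0xfffffffffffffc68, 2);

    /* openat(AT_FDCWD, "/dev/kvm", 0, 0); 0xffffffffffffff9c is -100. */
    memcpy((void*)0x20000080, "/dev/kvm", 9);
    res = syscall(__NR_openat, 0xffffffffffffff9c, 0x20000080, 0, 0);
    if (res != -1)
        r[0] = res;

    /* 0xae01 = KVM_CREATE_VM */
    res = syscall(__NR_ioctl, r[0], 0xae01, 0);
    if (res != -1)
        r[1] = res;

    /* 0xae41 = KVM_CREATE_VCPU, vCPU id 0 */
    res = syscall(__NR_ioctl, r[1], 0xae41, 0);
    if (res != -1)
        r[2] = res;

    /*
     * struct kvm_vcpu_events at 0x20000000 (64 bytes per the ioctl number).
     * Field names follow the x86 uapi layout. Several "boolean" bytes carry
     * values other than 0/1, which is the kind of input the kernel has to
     * validate. Bytes 0x1c..0x3f are never written by this program.
     */
    *(uint8_t*)0x20000000 = 5;     /* exception.injected */
    *(uint8_t*)0x20000001 = 7;     /* exception.nr */
    *(uint8_t*)0x20000002 = 0x40;  /* exception.has_error_code */
    *(uint8_t*)0x20000003 = 0;     /* exception.pad / pending */
    *(uint32_t*)0x20000004 = 0;    /* exception.error_code */
    *(uint8_t*)0x20000008 = 0;     /* interrupt.injected */
    *(uint8_t*)0x20000009 = 0;     /* interrupt.nr */
    *(uint8_t*)0x2000000a = 0x92;  /* interrupt.soft */
    *(uint8_t*)0x2000000b = 5;     /* interrupt.shadow */
    *(uint8_t*)0x2000000c = 1;     /* nmi.injected */
    *(uint8_t*)0x2000000d = -1;    /* nmi.pending (stored as 0xff) */
    *(uint8_t*)0x2000000e = 0;     /* nmi.masked */
    *(uint8_t*)0x2000000f = 0;     /* nmi.pad */
    *(uint32_t*)0x20000010 = 0xef; /* sipi_vector */
    *(uint32_t*)0x20000014 = 0;    /* flags */
    *(uint8_t*)0x20000018 = 0;     /* smi.smm */
    *(uint8_t*)0x20000019 = 0;     /* smi.pending */
    *(uint8_t*)0x2000001a = 0;     /* smi.smm_inside_nmi */
    *(uint8_t*)0x2000001b = 0;     /* smi.latched_init */
    /* 0x4040aea0 = KVM_SET_VCPU_EVENTS */
    syscall(__NR_ioctl, r[2], 0x4040aea0, 0x20000000);

    /* struct kvm_userspace_memory_region at 0x20000040: the last 0x2000
     * bytes of the scratch mapping back guest physical address 0. */
    *(uint32_t*)0x20000040 = 0;          /* slot */
    *(uint32_t*)0x20000044 = 0;          /* flags */
    *(uint64_t*)0x20000048 = 0;          /* guest_phys_addr */
    *(uint64_t*)0x20000050 = 0x2000;     /* memory_size */
    *(uint64_t*)0x20000058 = 0x20ffe000; /* userspace_addr */
    /* 0x4020ae46 = KVM_SET_USER_MEMORY_REGION */
    syscall(__NR_ioctl, r[1], 0x4020ae46, 0x20000040);

    /*
     * struct kvm_sregs at 0x200003c0 (0x138 bytes per the ioctl number).
     * The generated code stored zero into every field one by one, covering
     * all 0x138 bytes; only cr0, cr4 and efer are non-zero. A single memset
     * followed by those three stores leaves the same memory contents.
     * Layout: eight 24-byte segment descriptors (0x3c0..0x47f), gdt and idt
     * (0x480..0x49f), then cr0, cr2, cr3, cr4, cr8, efer, apic_base and a
     * four-word interrupt bitmap.
     */
    memset((void*)0x200003c0, 0, 0x138);
    *(uint64_t*)0x200004a0 = 0x8005001f; /* cr0: PG|AM|WP|ET|TS|EM|MP|PE */
    *(uint64_t*)0x200004b8 = 0x28;       /* cr4: PAE|DE */
    *(uint64_t*)0x200004c8 = 0x6500;     /* efer: bits 8 (LME), 10 (LMA), 13, 14 */
    /* 0x4138ae84 = KVM_SET_SREGS. Long mode is requested through EFER while
     * every segment descriptor, CS included, is all-zero. */
    syscall(__NR_ioctl, r[2], 0x4138ae84, 0x200003c0);

    /* 0xae80 = KVM_RUN: enter the guest with the state set up above. */
    syscall(__NR_ioctl, r[2], 0xae80, 0);
    return 0;
}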