// https://syzkaller.appspot.com/bug?id=d38ed0177151ca71af235c613ab4897461cf9ff3
// autogenerated by syzkaller (https://github.com/google/syzkaller)
//
// Kernel-bug reproducer. It maps a fixed 16 MiB scratch region at 0x20000000,
// builds every syscall argument by hand at fixed offsets inside that region,
// and then issues a short sequence of socket syscalls on one TCP socket.
// Return values are deliberately not checked: the program is meant to be
// replayed verbatim, not to be robust. The statement order matters — each
// raw store must land before the syscall that reads it.
//
// NOTE(review): the targets of the eight #include directives were lost when
// this page was extracted (the angle-bracketed names are missing), so the
// listing does not compile as shown.
#define _GNU_SOURCE
#include
#include
#include
#include
#include
#include
#include
#include

// Fallback syscall numbers, used only when the libc headers do not provide
// them. They match the i386 table, and the mmap -> mmap2 remap below also
// implies a 32-bit target — confirm against the kernel's syscall table for
// the architecture the reproducer is run on.
#ifndef __NR_connect
#define __NR_connect 362
#endif
#ifndef __NR_mmap
#define __NR_mmap 192
#endif
#ifndef __NR_sendmsg
#define __NR_sendmsg 370
#endif
#ifndef __NR_sendto
#define __NR_sendto 369
#endif
#ifndef __NR_setsockopt
#define __NR_setsockopt 366
#endif
#ifndef __NR_socket
#define __NR_socket 359
#endif
// On 32-bit the plain mmap entry is the legacy variant; use mmap2 instead.
#undef __NR_mmap
#define __NR_mmap __NR_mmap2

// Resource table: r[0] is the socket fd. All-ones is the "not created yet"
// sentinel; it is only overwritten when socket() did not return -1.
uint64_t r[1] = {0xffffffffffffffff};

int main()
{
  // Scratch arena: 16 MiB at 0x20000000, prot 3 (PROT_READ|PROT_WRITE),
  // flags 0x32 (MAP_PRIVATE|MAP_ANONYMOUS|MAP_FIXED). Every raw pointer
  // below points into this range; the result is not checked, so if the
  // mapping fails the stores below simply fault.
  syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0);
  long res = 0;
  // socket(2 = AF_INET, 1 = SOCK_STREAM, 0)
  res = syscall(__NR_socket, 2, 1, 0);
  if (res != -1)
    r[0] = res;
  // setsockopt(fd, level 6 = IPPROTO_TCP/SOL_TCP, optname 0x13, &1, 4).
  // NOTE(review): 0x13 and 0x14 on SOL_TCP read as TCP_REPAIR and
  // TCP_REPAIR_QUEUE in the Linux uapi — confirm against <linux/tcp.h>.
  *(uint32_t*)0x20d06000 = 1;
  syscall(__NR_setsockopt, (long)r[0], 6, 0x13, 0x20d06000, 4);
  // Second option: only 4 bytes are initialised but optlen is 0x240; the
  // remainder comes from the zero-filled anonymous mapping.
  *(uint32_t*)0x200000c0 = 1;
  syscall(__NR_setsockopt, (long)r[0], 6, 0x14, 0x200000c0, 0x240);
  // sockaddr_in at 0x20000200: sin_family 2 (AF_INET), sin_port 0,
  // sin_addr bytes ac.14.14.bb (172.20.20.187), then 8 bytes of zero
  // padding; connect() is given addrlen 0x10 (16).
  *(uint16_t*)0x20000200 = 2;
  *(uint16_t*)0x20000202 = htobe16(0);
  *(uint8_t*)0x20000204 = 0xac;
  *(uint8_t*)0x20000205 = 0x14;
  *(uint8_t*)0x20000206 = 0x14;
  *(uint8_t*)0x20000207 = 0xbb;
  *(uint8_t*)0x20000208 = 0;
  *(uint8_t*)0x20000209 = 0;
  *(uint8_t*)0x2000020a = 0;
  *(uint8_t*)0x2000020b = 0;
  *(uint8_t*)0x2000020c = 0;
  *(uint8_t*)0x2000020d = 0;
  *(uint8_t*)0x2000020e = 0;
  *(uint8_t*)0x2000020f = 0;
  syscall(__NR_connect, (long)r[0], 0x20000200, 0x10);
  // struct msghdr at 0x20001000, written field by field with 4-byte slots
  // (consistent with the 32-bit layout): msg_name @+0, msg_namelen @+4,
  // msg_iov @+8, msg_iovlen @+0xc, msg_control @+0x10, msg_controllen @+0x14,
  // msg_flags @+0x18.
  // msg_name -> 0x20000140: only 12 bytes are zeroed here, but msg_namelen
  // is 0x80 (128), so the kernel reads further into the zero-filled mapping.
  *(uint32_t*)0x20001000 = 0x20000140;
  *(uint16_t*)0x20000140 = 0;
  *(uint16_t*)0x20000142 = 0;
  *(uint32_t*)0x20000144 = 0;
  *(uint32_t*)0x20000148 = 0;
  *(uint32_t*)0x20001004 = 0x80;
  // msg_iov -> two 8-byte iovecs at 0x200001c0:
  //   iov[0] = { base 0x20000a00, len 0xe8 (232 bytes of fuzzer payload) }
  //   iov[1] = { base 0x20000b00, len 0 }
  *(uint32_t*)0x20001008 = 0x200001c0;
  *(uint32_t*)0x200001c0 = 0x20000a00;
  // Opaque 232-byte payload chosen by the fuzzer; no structure is implied.
  memcpy((void*)0x20000a00,
         "\x87\xb3\x95\x5e\x60\xd8\x47\x37\x57\xe2\xf3\xb1\xfb\xfe\x0a\xbf\x8e"
         "\xea\x82\x5f\x08\xd5\x44\xaa\xab\x2a\x6b\x61\xb6\xf8\x77\xe2\x1d\x86"
         "\x18\x1c\xd0\x5d\x8f\xfe\x4c\x9f\x9f\xaa\xf6\x5b\xc0\x60\x28\x97\x4a"
         "\xe6\x45\xc2\x2c\xaa\x53\x30\xe7\x35\xd1\x98\x27\x95\xa0\x21\xef\x5a"
         "\xb6\x37\x3b\xac\xea\xfa\x59\xfd\x1e\x04\x51\x73\x61\x75\x0b\x3f\x37"
         "\x88\x19\x12\x78\x2c\x5f\x7e\x2d\xee\xac\x49\xcf\x07\x31\x8f\x3b\x6b"
         "\x76\xcd\xf0\xaa\x32\xa3\x94\x55\x42\x4b\x5e\x97\x48\x99\xf8\xb5\xfa"
         "\xec\x50\x63\xc2\x14\x40\xf9\x78\x21\x1b\x61\x98\x82\xd6\xb8\xc4\x40"
         "\xf2\x43\xc7\xa1\x9b\x3a\xde\xf5\xf9\xf3\x29\x62\x0b\x32\xd1\x76\x32"
         "\x92\x4e\x10\x59\x30\x1d\x5c\x3e\x23\xdb\xe6\xc2\x53\x07\x06\x59\xe6"
         "\x42\x03\x2b\xf6\x95\xfc\x41\x26\x56\xe7\xf5\x0e\xec\xad\x72\x33\x8f"
         "\x21\xd5\x52\x9c\xf3\xe5\xff\x73\x89\xce\xee\xd8\x8b\x9d\x84\x49\x89"
         "\x0b\x08\xe7\x57\xc4\xaf\xb7\xf8\x58\xad\xf7\x2a\xe3\xc5\x66\x7d\xca"
         "\xd9\x34\xa1\x30\x55\x2d\x42\xe5\x30\xdd\xf2",
         232);
  *(uint32_t*)0x200001c4 = 0xe8;
  *(uint32_t*)0x200001c8 = 0x20000b00;
  *(uint32_t*)0x200001cc = 0;
  *(uint32_t*)0x2000100c = 2;
  // msg_control -> 0x20000b80: nine back-to-back cmsg headers, each
  // (cmsg_len 0xc, cmsg_level, cmsg_type) with no payload. 9 * 12 = 0x6c,
  // which is the msg_controllen stored below. The level/type values are
  // fuzzer-chosen and are not decoded here.
  *(uint32_t*)0x20001010 = 0x20000b80;
  *(uint32_t*)0x20000b80 = 0xc;
  *(uint32_t*)0x20000b84 = 0;
  *(uint32_t*)0x20000b88 = 5;
  *(uint32_t*)0x20000b8c = 0xc;
  *(uint32_t*)0x20000b90 = 0;
  *(uint32_t*)0x20000b94 = 0xe5;
  *(uint32_t*)0x20000b98 = 0xc;
  *(uint32_t*)0x20000b9c = 0x117;
  *(uint32_t*)0x20000ba0 = 1;
  *(uint32_t*)0x20000ba4 = 0xc;
  *(uint32_t*)0x20000ba8 = 0x10b;
  *(uint32_t*)0x20000bac = 0xff;
  *(uint32_t*)0x20000bb0 = 0xc;
  *(uint32_t*)0x20000bb4 = 0x11f;
  *(uint32_t*)0x20000bb8 = 0;
  *(uint32_t*)0x20000bbc = 0xc;
  *(uint32_t*)0x20000bc0 = 0x117;
  *(uint32_t*)0x20000bc4 = 0x893a;
  *(uint32_t*)0x20000bc8 = 0xc;
  *(uint32_t*)0x20000bcc = 0x1ff;
  *(uint32_t*)0x20000bd0 = 3;
  *(uint32_t*)0x20000bd4 = 0xc;
  *(uint32_t*)0x20000bd8 = 0;
  *(uint32_t*)0x20000bdc = 5;
  *(uint32_t*)0x20000be0 = 0xc;
  *(uint32_t*)0x20000be4 = 0x115;
  *(uint32_t*)0x20000be8 = 4;
  *(uint32_t*)0x20001014 = 0x6c;
  *(uint32_t*)0x20001018 = 0;
  // sendmsg(fd, &msghdr, flags 0x40000). NOTE(review): the flag bit is not
  // decoded here — check it against MSG_* in <sys/socket.h>.
  syscall(__NR_sendmsg, (long)r[0], 0x20001000, 0x40000);
  // sendto(fd, buf 0x20000100 (never written; zero-filled mapping),
  // len 0xffffff1f, flags 0, dest_addr NULL, addrlen 0xfffffe55).
  // The oversized len/addrlen and NULL address are fuzzer-chosen; the call
  // relies entirely on the kernel's argument validation.
  syscall(__NR_sendto, (long)r[0], 0x20000100, 0xffffff1f, 0, 0, 0xfffffe55);
  return 0;
}