// https://syzkaller.appspot.com/bug?id=e6d1ed219bd92dd9b3e653eda032852996a9b457 // autogenerated by syzkaller (http://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include static uintptr_t syz_open_procfs(uintptr_t a0, uintptr_t a1) { char buf[128]; memset(buf, 0, sizeof(buf)); if (a0 == 0) { snprintf(buf, sizeof(buf), "/proc/self/%s", (char*)a1); } else if (a0 == (uintptr_t)-1) { snprintf(buf, sizeof(buf), "/proc/thread-self/%s", (char*)a1); } else { snprintf(buf, sizeof(buf), "/proc/self/task/%d/%s", (int)a0, (char*)a1); } int fd = open(buf, O_RDWR); if (fd == -1) fd = open(buf, O_RDONLY); return fd; } uint64_t r[1] = {0xffffffffffffffff}; void loop() { long res = 0; memcpy((void*)0x20000080, "\x2f\x65\x78\x65\x00\x00\x00\x00\x00\x04\x09\x00" "\x4b\xdd\xd9\xde\x91\xbe\x10\xee\xbf\x00\x0e\xe9" "\xa9\x0f\x79\x80\x58\x43\x9e\xd5\x54\xfa\x07\x42" "\x4a\xde\xe9\x01\xd2\xdb\x75\xaf\x1f\x02\x00\xf5" "\xab\x26\xd7\xa0\x71\xfb\x35\x33\x1c\xe3\x9c\x5a", 60); syz_open_procfs(0, 0x20000080); memcpy((void*)0x20000040, "fd/3", 5); res = syz_open_procfs(0, 0x20000040); if (res != -1) r[0] = res; syscall(__NR_ftruncate, r[0], 0xf17e); syscall(__NR_io_submit, 0, 0x1ffffffffffffc2c, 0x20000000); *(uint64_t*)0x200078c0 = 0x20001f80; *(uint32_t*)0x200078c8 = 0x80; *(uint64_t*)0x200078d0 = 0x20002040; *(uint64_t*)0x20002040 = 0x20002000; *(uint64_t*)0x20002048 = 0x40; *(uint64_t*)0x200078d8 = 1; *(uint64_t*)0x200078e0 = 0x20002080; *(uint64_t*)0x200078e8 = 0x9a; *(uint32_t*)0x200078f0 = 0x1ff; *(uint32_t*)0x200078f8 = 0xe8; *(uint64_t*)0x20007900 = 0; *(uint32_t*)0x20007908 = 0; *(uint64_t*)0x20007910 = 0x20002540; *(uint64_t*)0x20002540 = 0x20002140; *(uint64_t*)0x20002548 = 0x63; *(uint64_t*)0x20002550 = 0x200021c0; *(uint64_t*)0x20002558 = 0x7e; *(uint64_t*)0x20002560 = 0x20002240; *(uint64_t*)0x20002568 = 0x96; *(uint64_t*)0x20002570 = 0x20002300; *(uint64_t*)0x20002578 = 0x4b; *(uint64_t*)0x20002580 = 0x20002380; *(uint64_t*)0x20002588 = 0x25; *(uint64_t*)0x20002590 = 0x200023c0; *(uint64_t*)0x20002598 = 0x75; *(uint64_t*)0x200025a0 = 0x20002440; *(uint64_t*)0x200025a8 = 0x61; *(uint64_t*)0x200025b0 = 0x200024c0; *(uint64_t*)0x200025b8 = 0x44; *(uint64_t*)0x20007918 = 8; *(uint64_t*)0x20007920 = 0; *(uint64_t*)0x20007928 = 0; *(uint32_t*)0x20007930 = 5; *(uint32_t*)0x20007938 = 0; *(uint64_t*)0x20007940 = 0x200025c0; *(uint32_t*)0x20007948 = 0x80; *(uint64_t*)0x20007950 = 0x20004a40; *(uint64_t*)0x20004a40 = 0x20002640; *(uint64_t*)0x20004a48 = 0xd7; *(uint64_t*)0x20004a50 = 0x20002740; *(uint64_t*)0x20004a58 = 0x1000; *(uint64_t*)0x20004a60 = 0x20003740; *(uint64_t*)0x20004a68 = 0x3e; *(uint64_t*)0x20004a70 = 0x20003780; *(uint64_t*)0x20004a78 = 0x95; *(uint64_t*)0x20004a80 = 0x20003840; *(uint64_t*)0x20004a88 = 0x87; *(uint64_t*)0x20004a90 = 0x20003900; *(uint64_t*)0x20004a98 = 0x1000; *(uint64_t*)0x20004aa0 = 0x20004900; *(uint64_t*)0x20004aa8 = 0x12; *(uint64_t*)0x20004ab0 = 0x20004940; *(uint64_t*)0x20004ab8 = 0xdf; *(uint64_t*)0x20007958 = 8; *(uint64_t*)0x20007960 = 0x20004ac0; *(uint64_t*)0x20007968 = 0x1000; *(uint32_t*)0x20007970 = 1; *(uint32_t*)0x20007978 = 0x10000; *(uint64_t*)0x20007980 = 0x20005ac0; *(uint32_t*)0x20007988 = 0x80; *(uint64_t*)0x20007990 = 0x20005cc0; *(uint64_t*)0x20005cc0 = 0x20005b40; *(uint64_t*)0x20005cc8 = 1; *(uint64_t*)0x20005cd0 = 0x20005b80; *(uint64_t*)0x20005cd8 = 0xd; *(uint64_t*)0x20005ce0 = 0x20005bc0; *(uint64_t*)0x20005ce8 = 0xfd; *(uint64_t*)0x20007998 = 3; *(uint64_t*)0x200079a0 = 0x20005d00; *(uint64_t*)0x200079a8 = 0x24; *(uint32_t*)0x200079b0 = 0xff; *(uint32_t*)0x200079b8 = 0x6922; *(uint64_t*)0x200079c0 = 0x20005d40; *(uint32_t*)0x200079c8 = 0x80; *(uint64_t*)0x200079d0 = 0x20005f80; *(uint64_t*)0x20005f80 = 0x20005dc0; *(uint64_t*)0x20005f88 = 0x94; *(uint64_t*)0x20005f90 = 0x20005e80; *(uint64_t*)0x20005f98 = 0xf0; *(uint64_t*)0x200079d8 = 2; *(uint64_t*)0x200079e0 = 0x20005fc0; *(uint64_t*)0x200079e8 = 0x62; *(uint32_t*)0x200079f0 = 8; *(uint32_t*)0x200079f8 = 7; *(uint64_t*)0x20007a00 = 0x20006040; *(uint32_t*)0x20007a08 = 0x80; *(uint64_t*)0x20007a10 = 0x20006240; *(uint64_t*)0x20006240 = 0x200060c0; *(uint64_t*)0x20006248 = 0x9c; *(uint64_t*)0x20006250 = 0x20006180; *(uint64_t*)0x20006258 = 0xa6; *(uint64_t*)0x20007a18 = 2; *(uint64_t*)0x20007a20 = 0x20006280; *(uint64_t*)0x20007a28 = 0x4a; *(uint32_t*)0x20007a30 = 0; *(uint32_t*)0x20007a38 = 9; *(uint64_t*)0x20007a40 = 0x20006300; *(uint32_t*)0x20007a48 = 0x80; *(uint64_t*)0x20007a50 = 0x20006440; *(uint64_t*)0x20006440 = 0x20006380; *(uint64_t*)0x20006448 = 0x8e; *(uint64_t*)0x20007a58 = 1; *(uint64_t*)0x20007a60 = 0x20006480; *(uint64_t*)0x20007a68 = 1; *(uint32_t*)0x20007a70 = 0x283; *(uint32_t*)0x20007a78 = 0xe5; *(uint64_t*)0x20007a80 = 0x200064c0; *(uint32_t*)0x20007a88 = 0x80; *(uint64_t*)0x20007a90 = 0x20007640; *(uint64_t*)0x20007640 = 0x20006540; *(uint64_t*)0x20007648 = 0x40; *(uint64_t*)0x20007650 = 0x20006580; *(uint64_t*)0x20007658 = 0x1000; *(uint64_t*)0x20007660 = 0x20007580; *(uint64_t*)0x20007668 = 0xa0; *(uint64_t*)0x20007a98 = 3; *(uint64_t*)0x20007aa0 = 0x20007680; *(uint64_t*)0x20007aa8 = 0x8b; *(uint32_t*)0x20007ab0 = 1; *(uint32_t*)0x20007ab8 = 0; *(uint64_t*)0x20007ac0 = 0x20007740; *(uint32_t*)0x20007ac8 = 0x80; *(uint64_t*)0x20007ad0 = 0x20007800; *(uint64_t*)0x20007800 = 0x200077c0; *(uint64_t*)0x20007808 = 0x3e; *(uint64_t*)0x20007ad8 = 1; *(uint64_t*)0x20007ae0 = 0x20007840; *(uint64_t*)0x20007ae8 = 0x6a; *(uint32_t*)0x20007af0 = 0x101; *(uint32_t*)0x20007af8 = 0x3b9; *(uint64_t*)0x20007b00 = 0x77359400; *(uint64_t*)0x20007b08 = 0; syscall(__NR_recvmmsg, -1, 0x200078c0, 9, 0x100, 0x20007b00); *(uint16_t*)0x20fd6000 = 0; *(uint16_t*)0x20fd6002 = 0; *(uint16_t*)0x20fd6004 = 0; *(uint16_t*)0x20fd6006 = 0; *(uint8_t*)0x20fd6008 = 0; *(uint8_t*)0x20fd6009 = 0; *(uint8_t*)0x20fd600a = 0; *(uint8_t*)0x20fd600b = 0; *(uint32_t*)0x20fd600c = 0; *(uint8_t*)0x20fd6010 = 0; syscall(__NR_ioctl, -1, 0x5402, 0x20fd6000); } int main() { syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0); loop(); return 0; }