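// https://syzkaller.appspot.com/bug?id=020b61559d824612ee1c44faf27f164b9e2768e2
// autogenerated by syzkaller (http://github.com/google/syzkaller)
//
// Reviewer notes:
//  - The page extraction collapsed the file onto two lines and dropped the
//    header names from the five #include directives. They are restored below
//    from the names the code uses (htobe16/htobe32, uintN_t, memset, syscall,
//    __NR_*).
//  - The fallback syscall numbers, the __NR_mmap2 redirect and the 32-bit
//    pointer fields inside the message header suggest a 32-bit x86 build
//    (e.g. -m32) -- confirm against the linked report.
//  - Field names in the comments are inferred from offsets and sizes, using
//    the layouts of a 32-bit struct msghdr/iovec and <linux/pfkeyv2.h>. The
//    generated source carries no names, so verify them against the headers.
//  - Setup failures now end the program with exit status 1. Status 0 therefore
//    means the message was submitted, not that the kernel handled it safely.
//    Any kernel-side fault would appear in the kernel log, not here.

#define _GNU_SOURCE

#include <endian.h>
#include <stdint.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef __NR_sendmsg
#define __NR_sendmsg 370
#endif
#ifndef __NR_mmap
#define __NR_mmap 192
#endif
#ifndef __NR_socket
#define __NR_socket 359
#endif
#undef __NR_mmap
#define __NR_mmap __NR_mmap2

/* Resource table written by the generated program; r[0] holds the socket fd. */
long r[1];

/*
 * Replays the recorded syscall sequence once: map a fixed scratch region,
 * open a socket(0xf, 3, 2), lay out a message header, one iovec and a
 * 0x78-byte payload at fixed addresses, then submit it with sendmsg().
 *
 * Exits the process with status 1 if the mapping or the socket cannot be
 * created, so a run that never reached sendmsg() is distinguishable from one
 * that did.
 */
void loop()
{
  memset(r, -1, sizeof(r));

  /* prot 3, flags 0x32, fd -1: a fixed anonymous read/write mapping.
   * Every store below targets this region, so without it the stores would
   * fault in userspace before the kernel ever sees the message. */
  if (syscall(__NR_mmap, 0x20000000, 0xf65000, 3, 0x32, -1, 0) == -1)
    _exit(1);

  /* Family 0xf, type 3, protocol 2 (presumably AF_KEY / SOCK_RAW /
   * PF_KEY_V2 -- confirm). Creating this socket usually needs network-admin
   * privilege; without a valid fd sendmsg() would only return an error. */
  r[0] = syscall(__NR_socket, 0xf, 3, 2);
  if (r[0] == -1)
    _exit(1);

  /* Message header at 0x205f5000 (32-bit layout). */
  *(uint32_t*)0x205f5000 = 0;          /* msg_name */
  *(uint32_t*)0x205f5004 = 0;          /* msg_namelen */
  *(uint32_t*)0x205f5008 = 0x208feff0; /* msg_iov */
  *(uint32_t*)0x205f500c = 1;          /* msg_iovlen */
  *(uint32_t*)0x205f5010 = 0;          /* msg_control */
  *(uint32_t*)0x205f5014 = 0;          /* msg_controllen */
  *(uint32_t*)0x205f5018 = 0;          /* msg_flags */

  /* Single iovec: payload base and length. */
  *(uint32_t*)0x208feff0 = 0x203c8000;
  *(uint32_t*)0x208feff4 = 0x78;

  /* Payload base header (16 bytes). The length field 0xf counts 8-byte
   * units, i.e. 0x78 bytes, matching the iovec length above. */
  *(uint8_t*)0x203c8000 = 2;            /* version */
  *(uint8_t*)0x203c8001 = 3;            /* message type */
  *(uint8_t*)0x203c8002 = 0;            /* errno */
  *(uint8_t*)0x203c8003 = 2;            /* SA type */
  *(uint16_t*)0x203c8004 = 0xf;         /* total length, 8-byte units */
  *(uint16_t*)0x203c8006 = 0;           /* reserved */
  *(uint32_t*)0x203c8008 = 0x70bd25;    /* sequence */
  *(uint32_t*)0x203c800c = 0x25dfdbfb;  /* pid */

  /* Extension at +0x10: length 1 unit, type 8.
   * NOTE(review): a one-unit extension is header-only, yet the bits field is
   * 0xfffc. A parser has to reject that mismatch. Whether this is the field
   * behind the linked report cannot be determined from this file. */
  *(uint16_t*)0x203c8010 = 1;
  *(uint16_t*)0x203c8012 = 8;
  *(uint16_t*)0x203c8014 = 0xfffc;
  *(uint16_t*)0x203c8016 = 0;

  /* Extension at +0x18: length 5 units, type 6, followed by a socket
   * address with family 0xa. */
  *(uint16_t*)0x203c8018 = 5;
  *(uint16_t*)0x203c801a = 6;
  *(uint8_t*)0x203c801c = 0;            /* proto */
  *(uint8_t*)0x203c801d = 0;            /* prefix length */
  *(uint16_t*)0x203c801e = 0;           /* reserved */
  *(uint16_t*)0x203c8020 = 0xa;         /* address family */
  *(uint16_t*)0x203c8022 = htobe16(0x4e20); /* port */
  *(uint32_t*)0x203c8024 = 0x20000000;  /* flowinfo */
  memset((void*)0x203c8028, 0, 16);     /* 16 address bytes, all zero */
  *(uint32_t*)0x203c8038 = 0;           /* scope id */

  /* Extension at +0x40: length 2 units, type 1. */
  *(uint16_t*)0x203c8040 = 2;
  *(uint16_t*)0x203c8042 = 1;
  *(uint32_t*)0x203c8044 = htobe32(0x4d2); /* spi */
  *(uint8_t*)0x203c8048 = 0;            /* replay */
  *(uint8_t*)0x203c8049 = 6;            /* state */
  *(uint8_t*)0x203c804a = 0xfb;         /* auth algorithm id */
  *(uint8_t*)0x203c804b = 0;            /* encrypt algorithm id */
  *(uint32_t*)0x203c804c = 0;           /* flags */

  /* Extension at +0x50: length 5 units, type 5, followed by a socket
   * address with family 0xa. */
  *(uint16_t*)0x203c8050 = 5;
  *(uint16_t*)0x203c8052 = 5;
  *(uint8_t*)0x203c8054 = 0;            /* proto */
  *(uint8_t*)0x203c8055 = 0;            /* prefix length */
  *(uint16_t*)0x203c8056 = 0;           /* reserved */
  *(uint16_t*)0x203c8058 = 0xa;         /* address family */
  *(uint16_t*)0x203c805a = htobe16(0x4e20); /* port */
  *(uint32_t*)0x203c805c = 0;           /* flowinfo */
  memset((void*)0x203c8060, 0, 16);     /* 16 address bytes, all zero */
  *(uint32_t*)0x203c8070 = 0xfffffffc;  /* scope id */

  /* Submit the message. The return value is ignored, as in the generated
   * program. */
  syscall(__NR_sendmsg, r[0], 0x205f5000, 0);
}

int main()
{
  loop();
  return 0;
}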