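// https://syzkaller.appspot.com/bug?id=8fc4ac2bd63ac049e7a369676b65f047f65d7736
// autogenerated by syzkaller (https://github.com/google/syzkaller)
//
// Kernel-bug reproducer. Sequence: open /dev/kvm, KVM_CREATE_VM, KVM_CREATE_VCPU,
// then one VM ioctl (request 0x400caed0, labelled KVM_SET_IRQCHIP by syzkaller)
// with a fixed 224-byte payload built at a fixed address.
//
// Operational caveats for anyone re-running this:
//  * It is meant to crash or corrupt the kernel it runs on. Run it only inside a
//    disposable VM/host; /dev/kvm normally requires root or the "kvm" group.
//  * No syscall result is checked (syzkaller style). If the open or CREATE_VM
//    fails, r[] stays -1 and the later ioctls just return EBADF -- the program
//    still prints "executing program" and exits 0. A clean exit is therefore NOT
//    evidence that the kernel is fixed; check dmesg / that /dev/kvm was usable.
//  * NOTE(review): 0x400caed0 decodes as _IOW, type 0xae (KVMIO), nr 0xd0,
//    size 0xc. That does not look like the x86 KVM_SET_IRQCHIP encoding (which
//    carries a 0x200-byte struct); nr 0xd0 with a 12-byte payload looks like
//    KVM_XEN_HVM_EVTCHN_SEND, in which case the kernel would only read the first
//    12 bytes (port=1, vcpu=0, priority=0xffffffff) and the ioapic layout below
//    is just syzkaller's label. Confirm against the target kernel's
//    include/uapi/linux/kvm.h before treating the struct annotation as fact.
//
// NOTE(review): the include targets were lost in the original listing; the set
// below is syzkaller's standard header set and covers every name used here.
#define _GNU_SOURCE
#include <endian.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

// Resources produced by earlier calls: r[0] = /dev/kvm fd, r[1] = VM fd.
// Pre-set to -1 so a failed step is visible as an invalid fd downstream.
static uint64_t r[2] = {0xffffffffffffffff, 0xffffffffffffffff};

// Fixed addresses inside the RWX scratch mapping syzkaller sets up in main().
static const uintptr_t KVM_PATH_ADDR = 0x200000000080ul;   // "/dev/kvm\0"
static const uintptr_t IRQCHIP_ARG_ADDR = 0x200000000980ul; // ioctl payload

// Redirection-table entries of the payload as {vector, f0, f1, destid}.
// Each entry occupies 8 bytes: vector, f0, f1, four reserved zero bytes, destid.
// Values are the exact bytes syzkaller recorded; do not "fix" them.
static const uint8_t redir[24][4] = {
    {0x98, 0x5d, 0x7f, 0x7f}, {0x41, 0x08, 0x81, 0x03},
    {0x0f, 0x05, 0x02, 0x13}, {0x03, 0x3e, 0x08, 0x8f},
    {0x03, 0x7f, 0x91, 0x0a}, {0x0f, 0xe3, 0x00, 0xac},
    {0x03, 0x08, 0x06, 0x08}, {0x01, 0xfa, 0x06, 0x67},
    {0x02, 0x07, 0x02, 0x08}, {0x08, 0x04, 0x43, 0x9f},
    {0x0f, 0x08, 0x06, 0x03}, {0x02, 0x4c, 0x03, 0x0a},
    {0x07, 0x06, 0x02, 0xa6}, {0x08, 0x00, 0x08, 0x09},
    {0x02, 0x4c, 0xa2, 0x01}, {0x08, 0x5e, 0x04, 0x03},
    {0x05, 0xa0, 0x47, 0x06}, {0x07, 0x03, 0x02, 0xa7},
    {0x04, 0x00, 0x07, 0x07}, {0x5e, 0x0a, 0x0b, 0x03},
    {0x7f, 0x06, 0xca, 0x04}, {0x93, 0x44, 0x09, 0x10},
    {0x02, 0x08, 0x00, 0xfc}, {0x06, 0x0c, 0xc6, 0x08},
};

// Native-endian stores via memcpy: same bytes as the original casted stores,
// without the strict-aliasing question mark.
static void put32(uint8_t *at, uint32_t v) { memcpy(at, &v, sizeof v); }
static void put64(uint8_t *at, uint64_t v) { memcpy(at, &v, sizeof v); }

// Builds the 224-byte ioctl argument at IRQCHIP_ARG_ADDR, byte-for-byte as the
// original reproducer did. Layout (syzkaller's annotation): kvm_irqchip
// { chip_id, pad, kvm_ioapic_state { base, ioregs, id, irr, pad, redir[24] } }.
static void build_irqchip_payload(void)
{
    uint8_t *p = (uint8_t *)IRQCHIP_ARG_ADDR;
    put32(p + 0x00, 1);          // chip_id = 1 (labelled IOAPIC)
    put32(p + 0x04, 0);          // pad
    put64(p + 0x08, 0xffffffff); // base
    put32(p + 0x10, 0x296d);     // ioregs
    put32(p + 0x14, 4);          // id
    put32(p + 0x18, 6);          // irr
    put32(p + 0x1c, 0);          // pad
    for (size_t i = 0; i < 24; i++) {
        uint8_t *e = p + 0x20 + 8 * i; // first entry at 0x2000000009a0
        e[0] = redir[i][0];
        e[1] = redir[i][1];
        e[2] = redir[i][2];
        memset(e + 3, 0, 4);           // reserved
        e[7] = redir[i][3];
    }
}

int main(void)
{
    // syzkaller's standard scratch layout: guard page below, 16 MiB RWX
    // region at 0x200000000000, guard page above. flags 0x32 =
    // MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE; prot 7 = PROT_READ|WRITE|EXEC.
    syscall(__NR_mmap, 0x1ffffffff000ul, 0x1000ul, 0ul, 0x32ul, (intptr_t)-1, 0ul);
    syscall(__NR_mmap, 0x200000000000ul, 0x1000000ul, 7ul, 0x32ul, (intptr_t)-1, 0ul);
    syscall(__NR_mmap, 0x200001000000ul, 0x1000ul, 0ul, 0x32ul, (intptr_t)-1, 0ul);

    // Progress marker for the harness; a failed write changes nothing.
    static const char banner[] = "executing program\n";
    if (write(1, banner, sizeof banner - 1) < 0) {
        // best-effort only
    }

    intptr_t res = 0;

    // openat$kvm: AT_FDCWD (0xffffffffffffff9c), flags 0xe8381 =
    // O_WRONLY|O_EXCL|O_NOCTTY|O_TRUNC|O_LARGEFILE|O_NOFOLLOW|O_NOATIME|O_CLOEXEC.
    memcpy((void *)KVM_PATH_ADDR, "/dev/kvm", 9);
    res = syscall(__NR_openat, 0xffffffffffffff9cul, KVM_PATH_ADDR, 0xe8381, 0);
    if (res != -1)
        r[0] = res;

    // ioctl$KVM_CREATE_VM (0xae01), type 0 -> VM fd.
    res = syscall(__NR_ioctl, r[0], 0xae01, 0ul);
    if (res != -1)
        r[1] = res;

    // ioctl$KVM_CREATE_VCPU (0xae41), id 0. The vCPU fd is never used again.
    syscall(__NR_ioctl, r[1], 0xae41, 0ul);

    // The triggering call: VM ioctl 0x400caed0 with the fixed payload (see the
    // header note on what the kernel most likely parses from it).
    build_irqchip_payload();
    syscall(__NR_ioctl, r[1], 0x400caed0, IRQCHIP_ARG_ADDR);
    return 0;
}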