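// https://syzkaller.appspot.com/bug?id=de6519e18a472f06a6b530c84c3be8a29c554900
// autogenerated by syzkaller (http://github.com/google/syzkaller)
//
// Review notes on this copy:
//  - This is a syzkaller crash reproducer for the kernel bug linked above: it
//    issues raw syscalls whose argument structures are laid out by hand in a
//    fixed-address scratch mapping. Run it only inside a disposable VM; on an
//    affected kernel the intended outcome is a kernel crash, not a clean exit.
//  - The four #include lines had lost their header names in this copy; they
//    are restored from what the code actually uses (uint*_t, memset/memcpy,
//    syscall(), the __NR_* numbers).
//  - The __NR_bpf fallback now follows <sys/syscall.h>, so it only applies when
//    the libc headers lack the number instead of unconditionally pinning the
//    x86_64 value (which would collide with the header on other arches).
//  - mmap() of the scratch arena is checked: the original dereferenced the
//    fixed addresses regardless, so a failed mmap surfaced as a SIGSEGV in the
//    reproducer itself rather than as a diagnosable setup error.

#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef __NR_bpf
#define __NR_bpf 321 /* x86_64 value; used only when the headers lack it */
#endif

/* Scratch arena; every fixed address used below lies in [0x20000000, 0x20fff000). */
#define ARENA_BASE 0x20000000ul
#define ARENA_SIZE 0xfff000ul

/* Syscall results in syzkaller's numbering (r[i] is the i-th call's return
 * value, or a value copied out of the arena); slots never written stay -1. */
long r[68];

/* One struct bpf_insn (8 bytes): code, dst/src register nibbles, off, imm. */
static void put_insn(uintptr_t at, uint8_t code, uint8_t regs, uint16_t off, uint32_t imm)
{
    *(uint8_t*)(at + 0) = code;
    *(uint8_t*)(at + 1) = regs;
    *(uint16_t*)(at + 2) = off;
    *(uint32_t*)(at + 4) = imm;
}

/* One struct iovec (16 bytes): iov_base, iov_len. */
static void put_iov(uintptr_t at, uint64_t base, uint64_t len)
{
    *(uint64_t*)(at + 0) = base;
    *(uint64_t*)(at + 8) = len;
}

/* One 16-byte cmsghdr with no payload: cmsg_len = 0x10, cmsg_level, cmsg_type. */
static void put_cmsg(uintptr_t at, uint32_t level, uint32_t type)
{
    *(uint64_t*)(at + 0) = 0x10;
    *(uint32_t*)(at + 8) = level;
    *(uint32_t*)(at + 12) = type;
}

/* Runs the reproducer's syscall sequence once. All constants are kept exactly
 * as generated; only the mmap check and the layout/comments are new. */
void loop(void)
{
    memset(r, -1, sizeof(r));

    /* 1. Scratch arena: PROT_READ|PROT_WRITE (0x3),
     *    MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS (0x32), fd -1, offset 0.
     *    MAP_FIXED silently replaces anything already mapped in that range. */
    r[0] = syscall(__NR_mmap, ARENA_BASE, ARENA_SIZE, 0x3ul, 0x32ul,
                   0xfffffffffffffffful, 0x0ul);
    if (r[0] == -1) {
        /* Every store below targets this mapping; bail out instead of faulting. */
        perror("mmap(0x20000000) failed; cannot set up the reproducer");
        return;
    }

    /* 2. socketpair(domain 1, type 1, 0, sv) with sv at 0x20042000 -- on Linux
     *    that is an AF_UNIX/SOCK_STREAM pair. The fds are only read back when
     *    the call succeeded, as in the generated code. */
    r[1] = syscall(__NR_socketpair, 0x1ul, 0x1ul, 0x0ul, 0x20042000ul);
    if (r[1] != -1) {
        r[2] = *(uint32_t*)0x20042000;
        r[3] = *(uint32_t*)0x20042004;
    }

    /* 3. bpf(cmd 5 = BPF_PROG_LOAD, attr, 0x30). The 48 bytes at 0x20b4cfd0
     *    are laid out like the BPF_PROG_LOAD member of union bpf_attr. */
    *(uint32_t*)0x20b4cfd0 = 0x1;          /* prog_type (1: socket filter) */
    *(uint32_t*)0x20b4cfd4 = 0x2;          /* insn_cnt */
    *(uint64_t*)0x20b4cfd8 = 0x20ef3000;   /* insns */
    *(uint64_t*)0x20b4cfe0 = 0x20b4d000;   /* license */
    *(uint32_t*)0x20b4cfe8 = 0x1;          /* log_level */
    *(uint32_t*)0x20b4cfec = 0x80;         /* log_size */
    *(uint64_t*)0x20b4cff0 = 0x2000a000;   /* log_buf (inside the arena) */
    *(uint32_t*)0x20b4cff8 = 0x0;          /* kern_version */
    *(uint32_t*)0x20b4cffc = 0x0;          /* prog_flags */
    /* Two instructions. The generator emitted (uint8_t)0x8db7 and
     * (uint8_t)0xd395, which truncate to opcodes 0xb7 and 0x95; by the eBPF
     * encoding those look like "r0 = 0" followed by "exit" -- a trivial,
     * verifier-friendly program. */
    put_insn(0x20ef3000, 0xb7, 0x0, 0x0, 0x0);
    put_insn(0x20ef3008, 0x95, 0x0, 0x0, 0x0);
    /* License string "syseO\0": arbitrary, not a GPL-family string. */
    memcpy((void*)0x20b4d000, "\x73\x79\x73\x65\x4f\x00", 6);
    r[22] = syscall(__NR_bpf, 0x5ul, 0x20b4cfd0ul, 0x30ul);

    /* 4. socket(family 41, type 5, 0) -- on Linux these are AF_KCM and
     *    SOCK_SEQPACKET -- then ioctl 0x89e0 (presumably SIOCKCMATTACH) with a
     *    { fd, bpf_fd } pair: one end of the unix socketpair plus the program
     *    loaded above. If bpf() failed, bpf_fd is -1 and the attach is
     *    expected to fail as well; the sequence continues regardless. */
    r[23] = syscall(__NR_socket, 0x29ul, 0x5ul, 0x0ul);
    *(uint32_t*)0x20d73000 = r[3];
    *(uint32_t*)0x20d73004 = r[22];
    r[26] = syscall(__NR_ioctl, r[23], 0x89e0ul, 0x20d73000ul);

    /* 5. sendmsg on the other socketpair end. The struct msghdr at 0x203a3000
     *    follows the x86_64 layout: name, namelen, iov, iovlen, control,
     *    controllen, flags. */
    *(uint64_t*)0x203a3000 = 0x20000000;   /* msg_name (ignored: namelen 0) */
    *(uint32_t*)0x203a3008 = 0x0;          /* msg_namelen */
    *(uint64_t*)0x203a3010 = 0x204baf90;   /* msg_iov */
    *(uint64_t*)0x203a3018 = 0x7;          /* msg_iovlen */
    *(uint64_t*)0x203a3020 = 0x201e6000;   /* msg_control */
    *(uint64_t*)0x203a3028 = 0x6;          /* msg_controllen */
    *(uint32_t*)0x203a3030 = 0x20000000;   /* msg_flags */
    /* Seven iovecs; only the last one carries data (153 bytes at 0x20a18f67,
     * which ends exactly at 0x20a19000, still inside the arena). */
    put_iov(0x204baf90, 0x201c4f9d, 0x0);
    put_iov(0x204bafa0, 0x205b5fb5, 0x0);
    put_iov(0x204bafb0, 0x2058df52, 0x0);
    put_iov(0x204bafc0, 0x20e8b000, 0x0);
    put_iov(0x204bafd0, 0x2044c000, 0x0);
    put_iov(0x204bafe0, 0x20ec3f13, 0x0);
    put_iov(0x204baff0, 0x20a18f67, 0x99);
    memcpy((void*)0x20a18f67,
           "\x56\x21\xef\x60\x32\xcb\x7f\xd7\x9b\xee\x63\xa7\x66\x65\xfd"
           "\xd9\xe5\xaa\x3e\x2b\x6b\x58\xde\x16\x10\x2e\x34\x53\xb4\x17"
           "\x5a\x23\xd6\x4e\xff\xca\x1c\x64\x33\xf8\x62\x49\xf7\x39\x3d"
           "\x37\x9c\x0f\xf9\x13\x69\x76\xba\xe0\x6d\x4b\x47\x4b\xc0\x87"
           "\x75\x85\xbc\xd9\x78\x54\xe9\x51\x0d\x37\x37\xc7\x44\x4f\x73"
           "\x5e\xfe\x89\x25\x84\xee\x2a\xc8\xe7\x81\x4f\x98\x2a\x23\x11"
           "\x71\x1c\xce\x8b\x18\xdd\x8b\xe5\xaa\xa9\xa4\x43\xc3\xc8\x9d"
           "\xc8\xc2\xc3\xbb\x8c\x89\x18\xa5\x18\xbd\x4a\x6a\x7d\x0e\xea"
           "\x9f\x5c\x6c\x48\x30\xa2\x72\x0a\x13\xbb\xe6\x8b\xf6\xfb\x6f"
           "\xf8\xd3\xac\x30\x2d\x6d\xb7\x9a\x64\x7e\xa0\xcc\x4d\xee\x68"
           "\xa8\xc8\xc2",
           153);
    /* Six cmsg headers are written, but msg_controllen above is only 6 bytes
     * (less than one 16-byte header), so the kernel sees at most a truncated
     * first header. Kept exactly as generated -- the odd length may be part
     * of what triggers the bug. */
    put_cmsg(0x201e6000, 0x11d, 0x3);
    put_cmsg(0x201e6010, 0x117, 0x6);
    put_cmsg(0x201e6020, 0x117, 0x7);
    put_cmsg(0x201e6030, 0x103, 0x7);
    put_cmsg(0x201e6040, 0x117, 0x1);
    put_cmsg(0x201e6050, 0x10a, 0x401);
    r[67] = syscall(__NR_sendmsg, r[2], 0x203a3000ul, 0x8080ul);
}

int main(void)
{
    loop();
    return 0;
}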