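// https://syzkaller.appspot.com/bug?id=29bd73ed27734a53a46318ed8921a0087df8f5fd
// autogenerated by syzkaller (http://github.com/google/syzkaller)
//
// Kernel regression reproducer: it replays one fixed syscall sequence forever.
// The sequence touches three sockets:
//   r[0]  AF_INET  TCP socket, used as the client side
//   r[1]  AF_INET6 TCP socket, bound, put into listen state, then given the
//         "tls" upper-layer protocol
//   r[2]  AF_NETLINK raw socket that receives one 38-byte message
// The page does not say which kernel path faults; the linked report holds the
// crash log. For triage, the notable ordering is that TCP_ULP is set on a
// socket that is already listening, and that a fast-open sendto() then targets
// that listener's port.
//
// The header names on the five #include lines were lost when the page was
// extracted. They are restored here from the identifiers the code uses
// (htobe16/htobe32, uintN_t, memset/memcpy, __NR_*, syscall).

#define _GNU_SOURCE

#include <endian.h>
#include <stdint.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

static void test();

// Run the sequence until the process is killed or the kernel under test stops.
void loop()
{
  while (1) {
    test();
  }
}

// Results of the three socket() calls; reset to -1 at the start of each pass.
long r[3];

// One pass of the reproducer. No return value is checked: a failing call
// simply lets the remaining calls run with whatever r[] holds.
void test()
{
  memset(r, -1, sizeof(r));

  // Fixed scratch region [0x20000000, 0x20fff000): prot 3 = READ|WRITE,
  // flags 0x32 = MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS. Every raw pointer
  // written below lies inside this mapping.
  syscall(__NR_mmap, 0x20000000, 0xfff000, 3, 0x32, -1, 0);

  r[0] = syscall(__NR_socket, 2, 1, 0);   // AF_INET,  SOCK_STREAM
  r[1] = syscall(__NR_socket, 0xa, 1, 0); // AF_INET6, SOCK_STREAM

  // struct sockaddr_in6 at 0x20c9c000: family AF_INET6, port 0x4e22 (20002),
  // flowinfo 0, address :: (16 zero bytes), scope id 0.
  *(uint16_t*)0x20c9c000 = 0xa;
  *(uint16_t*)0x20c9c002 = htobe16(0x4e22);
  *(uint32_t*)0x20c9c004 = 0;
  *(uint8_t*)0x20c9c008 = 0;
  *(uint8_t*)0x20c9c009 = 0;
  *(uint8_t*)0x20c9c00a = 0;
  *(uint8_t*)0x20c9c00b = 0;
  *(uint8_t*)0x20c9c00c = 0;
  *(uint8_t*)0x20c9c00d = 0;
  *(uint8_t*)0x20c9c00e = 0;
  *(uint8_t*)0x20c9c00f = 0;
  *(uint8_t*)0x20c9c010 = 0;
  *(uint8_t*)0x20c9c011 = 0;
  *(uint8_t*)0x20c9c012 = 0;
  *(uint8_t*)0x20c9c013 = 0;
  *(uint8_t*)0x20c9c014 = 0;
  *(uint8_t*)0x20c9c015 = 0;
  *(uint8_t*)0x20c9c016 = 0;
  *(uint8_t*)0x20c9c017 = 0;
  *(uint32_t*)0x20c9c018 = 0;
  syscall(__NR_bind, r[1], 0x20c9c000, 0x1c);
  syscall(__NR_listen, r[1], 0);

  // Level 6 is IPPROTO_TCP and option 0x1f is TCP_ULP; the value is the
  // 4-byte string "tls" including its NUL. The socket is already listening
  // when the ULP is attached.
  memcpy((void*)0x20042ffc, "tls", 4);
  syscall(__NR_setsockopt, r[1], 6, 0x1f, 0x20042ffc, 4);

  // struct sockaddr_in at 0x200b0000: family AF_INET, port 20002,
  // address 0.0.0.0, followed by 8 bytes of zero padding.
  *(uint16_t*)0x200b0000 = 2;
  *(uint16_t*)0x200b0002 = htobe16(0x4e22);
  *(uint32_t*)0x200b0004 = htobe32(0);
  *(uint8_t*)0x200b0008 = 0;
  *(uint8_t*)0x200b0009 = 0;
  *(uint8_t*)0x200b000a = 0;
  *(uint8_t*)0x200b000b = 0;
  *(uint8_t*)0x200b000c = 0;
  *(uint8_t*)0x200b000d = 0;
  *(uint8_t*)0x200b000e = 0;
  *(uint8_t*)0x200b000f = 0;

  // Zero-length sendto() on the unconnected client socket. Flags 0x20008045
  // include MSG_FASTOPEN (0x20000000), so this call also starts a connection
  // to port 20002, the port the listener above is bound to.
  syscall(__NR_sendto, r[0], 0x2087a000, 0, 0x20008045, 0x200b0000, 0x10);

  // AF_NETLINK (0x10), SOCK_RAW (3), protocol 0.
  r[2] = syscall(__NR_socket, 0x10, 3, 0);

  // 38-byte netlink payload, kept byte-for-byte as generated. Read as a
  // little-endian nlmsghdr, the first fields are nlmsg_len 0x26 and
  // nlmsg_type 0x13.
  memcpy((void*)0x20203000,
         "\x26\x00\x00\x00\x13\x00\x47\xf1\x07\x01\xc1\xb0"
         "\x0e\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00"
         "\x09\xef\x18\xff\xff\x00\xf1\x32\x05\x00\x14\x00"
         "\x6e\x35",
         38);
  syscall(__NR_write, r[2], 0x20203000, 0x26);
}

int main()
{
  for (;;) {
    loop();
  }
}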