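// https://syzkaller.appspot.com/bug?id=bcaff554170b1e402c645b3d24be70770b2aa64a
// autogenerated by syzkaller (http://github.com/google/syzkaller)
//
// Reproducer for the syzkaller bug above: main() maps a fixed 16 MiB region,
// loop() hand-assembles one netlink message inside it and sends it once.
// Every structure is written field-by-field at a fixed address using 32-bit
// layouts, and the raw syscall numbers 192/359/370 are the i386 numbers, so
// this file is only meaningful when built and run as an i386 binary.
// The struct/field names in the comments below are inferred from the offsets
// and sizes (which add up exactly); the generator itself does not state them.

#define _GNU_SOURCE
// The original listing's #include names were lost when the page was flattened;
// the headers below provide every symbol this file uses (uint*_t,
// memset/memcpy, perror, the __NR_* constants and syscall()).
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef __NR_mmap
#define __NR_mmap 192
#endif
#ifndef __NR_socket
#define __NR_socket 359
#endif
#ifndef __NR_sendmsg
#define __NR_sendmsg 370
#endif
// On i386 the six-argument mmap is __NR_mmap2 (offset counted in pages; it
// is zero here, so the call is unchanged). Builds that lack __NR_mmap2 fail
// to compile here, which is the intended signal that the arch is wrong.
#undef __NR_mmap
#define __NR_mmap __NR_mmap2

// Result slot for the one syscall whose return value is reused (the socket).
long r[1];

// Builds the message in the pre-mapped region and sends it on a fresh socket.
// Precondition: [0x20000000, 0x21000000) is mapped read/write (main() does
// this); every store below targets that region and faults otherwise.
void loop() {
  memset(r, -1, sizeof(r));
  // socket(0x10, 3, 0x10): on Linux 0x10 is AF_NETLINK and also
  // NETLINK_GENERIC, 3 is SOCK_RAW. If this fails r[0] stays -1 and the
  // sendmsg below simply fails with EBADF, which is harmless.
  r[0] = syscall(__NR_socket, 0x10, 3, 0x10);

  // struct msghdr at 0x204b5fc8 (32-bit layout: seven 4-byte fields).
  *(uint32_t*)0x204b5fc8 = 0x20c61ff4;  // msg_name -> sockaddr_nl below
  // struct sockaddr_nl at 0x20c61ff4: nl_family, nl_pad, nl_pid, nl_groups.
  *(uint16_t*)0x20c61ff4 = 0x10;
  *(uint16_t*)0x20c61ff6 = 0x4000;
  *(uint32_t*)0x20c61ff8 = 0;
  *(uint32_t*)0x20c61ffc = 0x2000000;
  *(uint32_t*)0x204b5fcc = 0xc;         // msg_namelen (12 == sizeof sockaddr_nl)
  *(uint32_t*)0x204b5fd0 = 0x20813ff2;  // msg_iov -> single iovec below
  // struct iovec at 0x20813ff2: iov_base 0x20000000, iov_len 0xb4 (180 bytes).
  *(uint32_t*)0x20813ff2 = 0x20000000;
  // Message at 0x20000000: 16-byte nlmsghdr, 4-byte genlmsghdr, then one
  // attribute whose length 0xa0 is a 4-byte nlattr header plus the 156 bytes
  // copied below. 16 + 4 + 160 == 0xb4, matching nlmsg_len and iov_len.
  *(uint32_t*)0x20000000 = 0xb4;   // nlmsg_len
  *(uint16_t*)0x20000004 = 0x1e;   // nlmsg_type
  *(uint16_t*)0x20000006 = 0x829;  // nlmsg_flags
  *(uint32_t*)0x20000008 = 0;      // nlmsg_seq
  *(uint32_t*)0x2000000c = 0;      // nlmsg_pid
  *(uint8_t*)0x20000010 = 4;       // genl cmd
  *(uint8_t*)0x20000011 = 0;       // genl version
  *(uint16_t*)0x20000012 = 0;      // genl reserved
  *(uint16_t*)0x20000014 = 0xa0;   // nla_len
  *(uint16_t*)0x20000016 = 0x11;   // nla_type
  // Attribute payload as captured by the fuzzer; reproduced byte-for-byte.
  memcpy((void*)0x20000018,
         "\xd7\x4a\x51\xe1\x4a\x99\xb2\xd3\x49\x3c\x85\x25\x9a\xb3\x42\xda\x59"
         "\x0d\x75\x27\xb3\xad\x63\x2f\x15\x47\xca\xe8\xb0\xb8\xa7\x6c\x87\xc2"
         "\x18\x1c\x63\xe5\x18\xcc\x66\x2f\x9f\x10\xb2\x02\xf1\xb7\x94\x71\x9a"
         "\x22\xef\xd5\xaf\x86\xf3\x51\xbf\x22\x81\xee\x92\x47\x1b\x62\xa3\x65"
         "\x98\xbf\x46\xc6\x62\x2b\xfd\xef\x30\x43\x63\xd7\x7e\xba\xe0\x4f\xc7"
         "\x98\xd4\xb0\x12\xe5\xe2\xa3\xc8\x99\xcd\x01\x87\xd6\x91\xde\xa8\x3a"
         "\x55\x8f\xdf\xd2\x56\x3d\xdb\x46\x15\xd6\x60\xb4\x9f\x09\x00\x39\xa1"
         "\xf8\x36\x05\x9c\x78\xb7\x69\xaa\xdd\x05\xde\x55\x0a\xbe\x37\xb5\xec"
         "\x27\x0c\xc7\x51\x87\xb9\x9e\xc4\x3c\x04\xd2\xfa\xab\x74\x8b\xea\x5e"
         "\xcf\xd9\x96",
         156);
  *(uint32_t*)0x20813ff6 = 0xb4;  // iov_len
  *(uint32_t*)0x204b5fd4 = 1;     // msg_iovlen
  *(uint32_t*)0x204b5fd8 = 0;     // msg_control
  *(uint32_t*)0x204b5fdc = 0;     // msg_controllen
  *(uint32_t*)0x204b5fe0 = 0;     // msg_flags
  syscall(__NR_sendmsg, r[0], 0x204b5fc8, 0);
}

// Maps the fixed region loop() writes into, then runs the reproducer once.
// Returns 0 after the send attempt, 1 if the region could not be mapped.
int main(void) {
  // mmap(0x20000000, 16 MiB, PROT_READ|PROT_WRITE (3),
  //      MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS (0x32), -1, 0).
  // MAP_FIXED silently replaces anything already mapped at that address.
  // The original ignored the result; if the mapping fails, the first store
  // in loop() faults and the crash would be mistaken for the bug under test.
  if (syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0) == -1) {
    perror("mmap");
    return 1;
  }
  loop();
  return 0;
}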