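// https://syzkaller.appspot.com/bug?id=159d03c53cb4c57b1a3b2f29373271bc2536b4df
// autogenerated by syzkaller (http://github.com/google/syzkaller)
//
// Reproducer for the bug linked above.  It drives the AF_ALG AEAD interface
// with the algorithm name "rfc7539(ctr-serpent-sse2,wp384)": bind, set a
// 32-byte key, accept an operation socket, then one sendmsg/recvmsg pair.
//
// Every syscall argument lives in one fixed anonymous mapping at 0x20000000
// (set up at the top of loop()).  The hard-coded addresses below are offsets
// into that mapping, and the kernel structures (sockaddr_alg, msghdr, iovec)
// are written field by field at raw addresses, so the values must stay exactly
// as generated.  Return values are deliberately unchecked, as in every
// syzkaller reproducer: the same syscall sequence is issued regardless of
// intermediate failures.
//
// The include targets were missing from the listing; the headers below are
// the ones the code actually needs (memset/memcpy, syscall/__NR_*, uintN_t).

#define _GNU_SOURCE
#include <stdint.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

// r[0]: the AF_ALG listening socket; r[1]: the operation socket from accept().
long r[2];

// Issue the full syscall sequence once.
void loop()
{
  memset(r, -1, sizeof(r));
  // 0xfff000 bytes at 0x20000000; prot 0x3 = PROT_READ|PROT_WRITE,
  // flags 0x32 = MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, fd = -1.
  syscall(__NR_mmap, 0x20000000, 0xfff000, 0x3, 0x32, 0xffffffff, 0x0);
  // socket(AF_ALG /* 0x26 */, SOCK_SEQPACKET /* 0x5 */, 0)
  r[0] = syscall(__NR_socket, 0x26, 0x5, 0x0);
  // struct sockaddr_alg at 0x20e1d000 (0x58 = 88 bytes):
  //   +0x00 salg_family = AF_ALG
  //   +0x02 salg_type   = "aead" (14 bytes, NUL padded)
  //   +0x10 salg_feat   = 0
  //   +0x14 salg_mask   = 0
  //   +0x18 salg_name   = "rfc7539(ctr-serpent-sse2,wp384)" (64 bytes, NUL padded)
  *(uint16_t*)0x20e1d000 = 0x26;
  memcpy((void*)0x20e1d002,
         "\x61\x65\x61\x64\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", 14);
  *(uint32_t*)0x20e1d010 = 0x0;
  *(uint32_t*)0x20e1d014 = 0x0;
  memcpy((void*)0x20e1d018,
         "\x72\x66\x63\x37\x35\x33\x39\x28\x63\x74\x72\x2d\x73\x65\x72"
         "\x70\x65\x6e\x74\x2d\x73\x73\x65\x32\x2c\x77\x70\x33\x38\x34"
         "\x29\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
         "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
         "\x00\x00\x00\x00", 64);
  syscall(__NR_bind, r[0], 0x20e1d000, 0x58);
  // 32-byte key material at 0x20b00000, then
  // setsockopt(fd, SOL_ALG /* 0x117 */, ALG_SET_KEY /* 0x1 */, key, 0x20).
  memcpy((void*)0x20b00000,
         "\x0a\x07\x75\xb0\xf8\xe3\x83\xf4\xb3\xb6"
         "\x20\xcc\x5c\x54\xdb\xb7\x29\x5d\xf0\xdf"
         "\x82\x17\xad\x40\x00\x00\x00\x00\x00\x00"
         "\x00\xe6", 32);
  syscall(__NR_setsockopt, r[0], 0x117, 0x1, 0x20b00000, 0x20);
  // accept() on an AF_ALG socket yields the operation socket used below.
  r[1] = syscall(__NR_accept, r[0], 0x0, 0x0);
  // struct msghdr at 0x201a9000 (x86-64 field offsets):
  //   +0x00 msg_name       = NULL
  //   +0x08 msg_namelen    = 0
  //   +0x10 msg_iov        = 0x20ab7000 (one iovec)
  //   +0x18 msg_iovlen     = 1
  //   +0x20 msg_control    = 0x20505000
  //   +0x28 msg_controllen = 0
  //   +0x30 msg_flags      = 0
  *(uint64_t*)0x201a9000 = 0x0;
  *(uint32_t*)0x201a9008 = 0x0;
  *(uint64_t*)0x201a9010 = 0x20ab7000;
  *(uint64_t*)0x201a9018 = 0x1;
  *(uint64_t*)0x201a9020 = 0x20505000;
  *(uint64_t*)0x201a9028 = 0x0;
  *(uint32_t*)0x201a9030 = 0x0;
  // iovec at 0x20ab7000: iov_base = 0x2030c000, iov_len = 16 (data below).
  *(uint64_t*)0x20ab7000 = 0x2030c000;
  *(uint64_t*)0x20ab7008 = 0x10;
  memcpy((void*)0x2030c000,
         "\xc3\x5f\x77\x4c\xda\x95\xf7\x8b\xf4\xc6"
         "\x55\x70\x22\x28\xd1\x8b", 16);
  syscall(__NR_sendmsg, r[1], 0x201a9000, 0x0);
  // Second msghdr at 0x2022efc8 for recvmsg (same layout as above):
  //   msg_name = 0x20f6eff0 (msg_namelen 0x10), one iovec at 0x20892fb0
  //   pointing at 0xb0 bytes at 0x208a8f50, msg_control = 0x208adfba with
  //   msg_controllen 0x46.  None of those buffers is written before the
  //   call; they hold whatever the zero-filled anonymous mapping contains.
  *(uint64_t*)0x2022efc8 = 0x20f6eff0;
  *(uint32_t*)0x2022efd0 = 0x10;
  *(uint64_t*)0x2022efd8 = 0x20892fb0;
  *(uint64_t*)0x2022efe0 = 0x1;
  *(uint64_t*)0x2022efe8 = 0x208adfba;
  *(uint64_t*)0x2022eff0 = 0x46;
  *(uint32_t*)0x2022eff8 = 0x0;
  *(uint64_t*)0x20892fb0 = 0x208a8f50;
  *(uint64_t*)0x20892fb8 = 0xb0;
  syscall(__NR_recvmsg, r[1], 0x2022efc8, 0x0);
}

int main(void)
{
  loop();
  return 0;
}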