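// https://syzkaller.appspot.com/bug?id=4522c4fb3896c243a66d4bda935f828e80899c2c
// autogenerated by syzkaller (http://github.com/google/syzkaller)
//
// Reproducer for a kernel bug reached through the SCSI generic device
// /dev/sg<N>: open the node, writev() two buffers into it, then readv() from
// it. All user memory lives in one fixed anonymous mapping so the run is
// deterministic. The fallback syscall numbers, the __NR_mmap -> __NR_mmap2
// remap and the 32-bit struct iovec layout used below match a 32-bit (i386)
// syscall table, so build and run this for that target.
#define _GNU_SOURCE
// The header names were not preserved in the captured source; the set below
// covers every library name this file uses (snprintf, str*/mem*, open,
// O_RDWR, syscall, __NR_*, fixed-width integer types).
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

// Open a device node the way syzkaller's syz_open_dev() pseudo-syscall does.
//
// Two forms, selected by a0:
//   a0 == 0xc or 0xb: open /dev/char/<a1>:<a2> (0xc) or /dev/block/<a1>:<a2>
//                     (0xb) with O_RDWR; a1 and a2 are truncated to 8 bits.
//   otherwise:        a0 is a pointer to a NUL-terminated path template in
//                     which every '#' is replaced, left to right, by the
//                     successive decimal digits of a1 (least significant
//                     first); the result is opened with flags a2.
// Returns the file descriptor, or (uintptr_t)-1 when open() fails.
static uintptr_t syz_open_dev(uintptr_t a0, uintptr_t a1, uintptr_t a2)
{
  if (a0 == 0xc || a0 == 0xb) {
    char buf[128];
    // Bounded formatting: the longest result ("/dev/block/255:255") is
    // 18 characters, so this never truncates; snprintf keeps that a
    // property of the call rather than of the caller's arithmetic.
    snprintf(buf, sizeof(buf), "/dev/%s/%d:%d", a0 == 0xc ? "char" : "block",
             (uint8_t)a1, (uint8_t)a2);
    return open(buf, O_RDWR, 0);
  }
  char buf[1024];
  // strncpy does not guarantee termination, so the template is copied into
  // a bounded buffer and terminated by hand; an over-long path is truncated.
  strncpy(buf, (const char*)a0, sizeof(buf));
  buf[sizeof(buf) - 1] = 0;
  char* hash;
  while ((hash = strchr(buf, '#'))) {
    *hash = '0' + (char)(a1 % 10);
    a1 /= 10;
  }
  return open(buf, a2, 0);
}

// Fallback syscall numbers for when <sys/syscall.h> does not define them;
// the values are those of the i386 table.
#ifndef __NR_mmap
#define __NR_mmap 192
#endif
#ifndef __NR_writev
#define __NR_writev 146
#endif
#ifndef __NR_readv
#define __NR_readv 145
#endif
// The fixed mapping is created through the 32-bit mmap2 entry point.
#undef __NR_mmap
#define __NR_mmap __NR_mmap2

// Results of the pseudo-syscalls; r[0] holds the /dev/sg file descriptor,
// or -1 if the open failed (memset(-1) below pre-fills it).
long r[1];

// One run of the reproducer. Every pointer below is an absolute address
// inside the fixed mapping made first; that mmap's result is not checked,
// so if it fails the stores that follow fault instead of continuing.
void loop(void)
{
  memset(r, -1, sizeof(r));
  // Map [0x20000000, 0x20fff000): prot 3 = PROT_READ|PROT_WRITE,
  // flags 0x32 = MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS.
  syscall(__NR_mmap, 0x20000000, 0xfff000, 3, 0x32, -1, 0);
  // Open /dev/sg0: '#' takes the only digit of a1 = 0; flags 2 = O_RDWR.
  memcpy((void*)0x20012ff7, "/dev/sg#", 9);
  r[0] = syz_open_dev(0x20012ff7, 0, 2);
  // Two 32-bit struct iovec entries {iov_base, iov_len} at 0x20028fe0:
  // 0x31 (49) bytes from 0x20049fcc and 0xe4 (228) bytes from 0x20049f1c.
  *(uint32_t*)0x20028fe0 = 0x20049fcc;
  *(uint32_t*)0x20028fe4 = 0x31;
  *(uint32_t*)0x20028fe8 = 0x20049f1c;
  *(uint32_t*)0x20028fec = 0xe4;
  // Payload bytes are reproduced exactly as generated; they are opaque here.
  memcpy((void*)0x20049fcc,
         "\xcf\x42\x0e\x6d\x0c\xd5\x50\xe6\x16\xdd\x86\xa7\xda\x4a\x6b\xb8\x30"
         "\x95\x9d\x07\x6d\x1e\xf7\xf6\x7d\x67\x2a\x4c\x43\x3b\x3b\x50\xf0\x84"
         "\xc4\xea\x94\x89\xb7\x1a\x9f\x75\x99\xb0\xec\x91\x04\xb8\x8f",
         49);
  memcpy((void*)0x20049f1c,
         "\xb2\xf2\xb2\x32\x34\xb5\xff\x50\x3d\xf9\xfa\x1a\x4b\x59\x2e\xef\x67"
         "\x3d\xf4\xbd\x57\xae\xdc\x4c\x47\x07\x3f\xa4\x7e\x3d\xcf\xdc\x03\x5a"
         "\x65\x71\x40\xc8\x7f\x3c\xa9\xff\xb5\xec\xa7\x41\x51\x8c\xf9\x3b\xa6"
         "\x14\xca\x6f\x52\x9f\x47\x84\x9f\x82\x30\xad\xbc\xb5\xdd\xb9\x22\xc3"
         "\xc8\xb5\xf9\xde\x20\x09\x6c\xb2\x3d\x24\x3a\x78\x21\xde\x1e\xa2\x3a"
         "\xe6\x92\x3f\x91\xac\xa1\xac\x90\xd6\x22\xd9\x2f\x2d\xc2\x8f\x7e\x4d"
         "\x37\xa7\x74\xfa\x30\x26\xb1\x2f\x60\xf2\x47\x84\x6f\x70\x12\xea\x02"
         "\x01\x9a\x43\x5d\x79\x59\x5c\x7c\xe1\x3b\xd4\x7c\xdf\x52\xf1\x87\x4e"
         "\xa1\x18\xdc\xd0\xf8\x9b\x81\x79\xb9\x7a\xfa\xd2\x1c\xe9\x35\xc2\x11"
         "\xc6\xad\x8b\x0d\xa8\x57\xf8\x60\x70\x75\x0c\xf8\xa0\x50\x18\xdd\x6d"
         "\xda\xf3\x46\x3e\xc2\x86\x49\x34\x6d\x7b\x4d\x43\xd2\x7e\x27\xc0\xaf"
         "\x4f\xf2\x55\x9b\x8e\x8e\xa7\x71\x29\x17\x55\x05\xc2\xdf\x8d\xec\xa2"
         "\xb4\x4a\xda\x0d\x9d\x1d\x39\x36\xe3\x88\x31\x2e\xa9\x86\xc6\x8d\xf3"
         "\x5f\xc8\xef\x0c\xb8\xa6\x36",
         228);
  // writev(fd, iov, 2) with the two entries above.
  syscall(__NR_writev, r[0], 0x20028fe0, 2);
  // One iovec at 0x20346ff0: read up to 0x36 (54) bytes into 0x20477000.
  *(uint32_t*)0x20346ff0 = 0x20477000;
  *(uint32_t*)0x20346ff4 = 0x36;
  syscall(__NR_readv, r[0], 0x20346ff0, 1);
}

int main(void)
{
  loop();
  return 0;
}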