// https://syzkaller.appspot.com/bug?id=05b7b1b95ae3cbbce72bbe3d2b2235b169b247f3 // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include uint64_t r[2] = {0xffffffffffffffff, 0x0}; int main(void) { syscall(__NR_mmap, 0x1ffff000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul); syscall(__NR_mmap, 0x20000000ul, 0x1000000ul, 7ul, 0x32ul, -1, 0ul); syscall(__NR_mmap, 0x21000000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul); intptr_t res = 0; memcpy((void*)0x20000100, "/dev/fuse\000", 10); res = syscall(__NR_openat, 0xffffffffffffff9cul, 0x20000100ul, 2ul, 0ul); if (res != -1) r[0] = res; memcpy((void*)0x200001c0, "fd", 2); *(uint8_t*)0x200001c2 = 0x3d; sprintf((char*)0x200001c3, "0x%016llx", (long long)-1); *(uint8_t*)0x200001d5 = 0x2c; memcpy((void*)0x200001d6, "rootmode", 8); *(uint8_t*)0x200001de = 0x3d; sprintf((char*)0x200001df, "%023llo", (long long)0); *(uint8_t*)0x200001f6 = 0x2c; memcpy((void*)0x200001f7, "user_id", 7); *(uint8_t*)0x200001fe = 0x3d; sprintf((char*)0x200001ff, "%020llu", (long long)0xee00); *(uint8_t*)0x20000213 = 0x2c; memcpy((void*)0x20000214, "group_id", 8); *(uint8_t*)0x2000021c = 0x3d; sprintf((char*)0x2000021d, "%020llu", (long long)0xee00); *(uint8_t*)0x20000231 = 0x2c; *(uint8_t*)0x20000232 = 0; syscall(__NR_mount, 0ul, 0ul, 0ul, 0ul, 0x200001c0ul); memcpy((void*)0x20000140, "./file0\000", 8); memcpy((void*)0x20000040, "fuse\000", 5); memcpy((void*)0x20000180, "fd=", 3); sprintf((char*)0x20000183, "%020llu", (long long)r[0]); memcpy((void*)0x20000197, "\x2c\x72\x6f\x6f\x74\x6d\x6f\x64\x65\x3d\x30\x30\x30\x30\x30\x30\x30" "\x30\x30\x30\x30\x30\x61\x30\xfc\x2a\xef\xed\x2e\x2a\xff\x1f\xaa\x63" "\x75\x73\x65\x72\x5f\x69\x64", 41); syscall(__NR_mount, 0x20000000ul, 0x20000140ul, 0x20000040ul, 0ul, 0x20000180ul); res = syscall(__NR_read, r[0], 0x20000240ul, 0x2020ul); if (res != -1) r[1] = *(uint64_t*)0x20000248; *(uint32_t*)0x20002280 = 0x18; *(uint32_t*)0x20002284 = 0x24; *(uint64_t*)0x20002288 = r[1]; *(uint32_t*)0x20002290 = 6; *(uint32_t*)0x20002294 = 0; syscall(__NR_write, r[0], 0x20002280ul, 0x18ul); return 0; }