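// https://syzkaller.appspot.com/bug?id=917b10dd8c0dc5bc32027a328405df521f007619
// autogenerated by syzkaller (http://github.com/google/syzkaller)
//
// Fuzzer-generated regression input: one AF_INET socket and one setsockopt()
// call carrying a hand-assembled netfilter table blob. The linked bug report
// is the authority on what the kernel did with it; this file only records the
// input. Run it in a disposable test VM, never on a host you care about.
#define _GNU_SOURCE

// The five #include directives in this copy had lost their header names.
// These are the headers the code below needs: htobe32, fixed-width integers,
// memset/memcpy, the __NR_* numbers, and syscall().
#include <endian.h>
#include <stdint.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

// Fallback syscall numbers for libcs that do not define them. 192/359/366 are
// the i386 numbers, and the blob below stores a pointer in a 32-bit slot, so
// this presumably targets a 32-bit x86 build (-m32) -- TODO confirm.
#ifndef __NR_mmap
#define __NR_mmap 192
#endif
#ifndef __NR_socket
#define __NR_socket 359
#endif
#ifndef __NR_setsockopt
#define __NR_setsockopt 366
#endif
// Always route mmap through mmap2, whatever the header said.
#undef __NR_mmap
#define __NR_mmap __NR_mmap2

// Syscall results; r[0] holds the socket descriptor.
long r[1];

// Builds the option blob at fixed addresses and submits it once.
// No return value is checked: a failed mmap or socket simply makes the later
// steps fail, which is acceptable for a fuzzer reproducer.
void loop()
{
  memset(r, -1, sizeof(r));

  // Fixed scratch mapping: prot 3 = PROT_READ|PROT_WRITE,
  // flags 0x32 = MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS.
  syscall(__NR_mmap, 0x20000000, 0xfff000, 3, 0x32, -1, 0);

  // socket(AF_INET, SOCK_STREAM, 0)
  r[0] = syscall(__NR_socket, 2, 1, 0);

  // NOTE(review): from here on the offsets line up with the 32-bit layout of
  // struct ipt_replace followed by one struct ipt_entry and its target; the
  // field names in the comments are that reading, not something the
  // generated code states.

  // Table name, 32 bytes, NUL padded: "mangle".
  memcpy((void*)0x20178d3e, "\x6d\x61\x6e\x67\x6c\x65\x00\x00\x00\x00\x00\x00"
                            "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
                            "\x00\x00\x00\x00\x00\x00\x00\x00",
         32);
  *(uint32_t*)0x20178d5e = 0;    // valid_hooks
  *(uint32_t*)0x20178d62 = 0;    // num_entries: zero, although size is not
  *(uint32_t*)0x20178d66 = 0x90; // size of the entries area in bytes
  // hook_entry[5]
  *(uint32_t*)0x20178d6a = 0;
  *(uint32_t*)0x20178d6e = 0;
  *(uint32_t*)0x20178d72 = 0;
  *(uint32_t*)0x20178d76 = 0;
  *(uint32_t*)0x20178d7a = 0;
  // underflow[5]
  *(uint32_t*)0x20178d7e = 0;
  *(uint32_t*)0x20178d82 = 0;
  *(uint32_t*)0x20178d86 = 0;
  *(uint32_t*)0x20178d8a = 0;
  *(uint32_t*)0x20178d8e = 0;
  *(uint32_t*)0x20178d92 = 0x10;       // num_counters
  *(uint32_t*)0x20178d96 = 0x20462ff0; // counters pointer (inside the mapping)

  // First and only entry: address match part. Source is 224.0.0.1.
  *(uint32_t*)0x20178d9a = htobe32(0xe0000001);
  *(uint32_t*)0x20178d9e = htobe32(0);
  *(uint32_t*)0x20178da2 = htobe32(0);
  *(uint32_t*)0x20178da6 = htobe32(0);
  // Input interface name: 16 arbitrary bytes, none of them NUL.
  memcpy((void*)0x20178daa,
         "\x46\x18\x1b\x9a\x75\x1e\xa1\x82\x8d\x6d\xcb\xfe\x73\x01\x38\x87",
         16);
  // Output interface name, NUL padded: "ipadp0".
  memcpy((void*)0x20178dba,
         "\x69\x70\x61\x64\x70\x30\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00",
         16);
  // Input interface mask, 16 bytes, all zero.
  *(uint8_t*)0x20178dca = 0;
  *(uint8_t*)0x20178dcb = 0;
  *(uint8_t*)0x20178dcc = 0;
  *(uint8_t*)0x20178dcd = 0;
  *(uint8_t*)0x20178dce = 0;
  *(uint8_t*)0x20178dcf = 0;
  *(uint8_t*)0x20178dd0 = 0;
  *(uint8_t*)0x20178dd1 = 0;
  *(uint8_t*)0x20178dd2 = 0;
  *(uint8_t*)0x20178dd3 = 0;
  *(uint8_t*)0x20178dd4 = 0;
  *(uint8_t*)0x20178dd5 = 0;
  *(uint8_t*)0x20178dd6 = 0;
  *(uint8_t*)0x20178dd7 = 0;
  *(uint8_t*)0x20178dd8 = 0;
  *(uint8_t*)0x20178dd9 = 0;
  // Output interface mask, 16 bytes, all zero.
  *(uint8_t*)0x20178dda = 0;
  *(uint8_t*)0x20178ddb = 0;
  *(uint8_t*)0x20178ddc = 0;
  *(uint8_t*)0x20178ddd = 0;
  *(uint8_t*)0x20178dde = 0;
  *(uint8_t*)0x20178ddf = 0;
  *(uint8_t*)0x20178de0 = 0;
  *(uint8_t*)0x20178de1 = 0;
  *(uint8_t*)0x20178de2 = 0;
  *(uint8_t*)0x20178de3 = 0;
  *(uint8_t*)0x20178de4 = 0;
  *(uint8_t*)0x20178de5 = 0;
  *(uint8_t*)0x20178de6 = 0;
  *(uint8_t*)0x20178de7 = 0;
  *(uint8_t*)0x20178de8 = 0;
  *(uint8_t*)0x20178de9 = 0;
  *(uint16_t*)0x20178dea = 0;    // proto
  *(uint8_t*)0x20178dec = 0;     // flags
  *(uint8_t*)0x20178ded = 0;     // invflags
  *(uint32_t*)0x20178dee = 0;    // nfcache
  *(uint16_t*)0x20178df2 = 0x70; // target_offset: target follows the header
  *(uint16_t*)0x20178df4 = 0x90; // next_offset: equals the declared size
  *(uint32_t*)0x20178df6 = 0;    // comefrom
  *(uint64_t*)0x20178dfa = 0;    // packet counter
  *(uint64_t*)0x20178e02 = 0;    // byte counter

  // Target record: 0x20 bytes long, with a 29-byte name field filled with
  // arbitrary bytes (none is NUL) and revision 3. The receiving code has to
  // treat the name as a bounded buffer, not as a C string.
  *(uint16_t*)0x20178e0a = 0x20;
  memcpy((void*)0x20178e0c, "\x8b\xbf\xc1\xb2\x44\xc5\x6c\x09\x14\x61\x86\x1e"
                            "\x4a\x5e\x93\xc5\x24\x40\x52\x9e\x58\xf3\x47\xc9"
                            "\x3a\x1c\xc0\x7e\x74",
         29);
  *(uint8_t*)0x20178e29 = 3;

  // setsockopt(fd, level 0, optname 0x40, blob, 0xec). Level 0 is the IP
  // level and 0x40 is IPT_SO_SET_REPLACE; 0xec = 0x5c header + 0x90 entries.
  // NOTE(review): table replacement is a privileged netfilter operation, so
  // which users can reach this path depends on the capability and namespace
  // policy of the kernel under test -- confirm for the target configuration.
  syscall(__NR_setsockopt, r[0], 0, 0x40, 0x20178d3e, 0xec);
}

int main()
{
  loop();
  return 0;
}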