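// https://syzkaller.appspot.com/bug?id=4fb33a0100cc2d174ccf7722d9974bad7870120b
// autogenerated by syzkaller (https://github.com/google/syzkaller)
//
// Reviewer notes (not part of the generated program):
//  * The header names of the eight #include directives were lost when this
//    listing was extracted. They are restored below from the symbols the
//    program uses (htobe16/htobe32 -> endian.h, uint*_t/intptr_t -> stdint.h,
//    memcpy/memset -> string.h, __NR_* -> sys/syscall.h, syscall/write ->
//    unistd.h); stdio.h, stdlib.h and sys/types.h complete syzkaller's usual
//    preamble. Confirm against the original listing if it is available.
//  * The syscall sequence and every store are kept exactly as generated, only
//    re-indented: a reproducer is only useful while its kernel input is
//    byte-identical, so nothing below is "fixed".
//  * Most calls pass fd -1 and are expected to fail with EBADF. The calls that
//    actually reach a kernel subsystem are the two socket(AF_NETLINK,
//    SOCK_DGRAM, 0) calls and the two write()s on those sockets, each of
//    which submits 0xfe33 bytes from the scratch mapping, not just the 17
//    bytes that are explicitly copied there.
#define _GNU_SOURCE
#include <endian.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

// Resource slots filled by successful socket() calls; all-ones means
// "not created", in which case the later write() uses fd 0xffffffffffffffff.
uint64_t r[2] = {0xffffffffffffffff, 0xffffffffffffffff};

int main(void)
{
  // Fixed address layout: one inaccessible (prot=0) page below, 16 MiB of
  // RWX scratch at 0x20000000 that every pointer below refers to, and one
  // inaccessible page above. The anonymous mapping starts zero-filled.
  syscall(__NR_mmap, /*addr=*/0x1ffff000ul, /*len=*/0x1000ul, /*prot=*/0ul,
          /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1,
          /*offset=*/0ul);
  syscall(__NR_mmap, /*addr=*/0x20000000ul, /*len=*/0x1000000ul,
          /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul,
          /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1,
          /*offset=*/0ul);
  syscall(__NR_mmap, /*addr=*/0x21000000ul, /*len=*/0x1000ul, /*prot=*/0ul,
          /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1,
          /*offset=*/0ul);

  // Diagnostic slot syzkaller always emits; unused in this program.
  const char* reason;
  (void)reason;
  intptr_t res = 0;

  // Progress marker for the harness; the result is deliberately ignored.
  if (write(1, "executing program\n", sizeof("executing program\n") - 1)) {
  }

  // First sendmsg. The stores at 0x20000940.. match the 64-bit struct msghdr
  // layout (msg_name, msg_namelen, msg_iov, msg_iovlen, msg_control,
  // msg_controllen, msg_flags); the single iovec at 0x20000180 points at the
  // 55-byte blob copied to 0x20000000. fd is -1, so the kernel should reject
  // the call before reading the message; the stores still persist in the
  // mapping and become part of the later 0xfe33-byte writes.
  *(uint64_t*)0x20000940 = 0;
  *(uint32_t*)0x20000948 = 0;
  *(uint64_t*)0x20000950 = 0x20000180;
  *(uint64_t*)0x20000180 = 0x20000000;
  memcpy((void*)0x20000000,
         "\xd8\x00\x00\x00\x1c\x00\x81\x04\x4e\x81\xf7\x82\xdb\x44\xb9\x04\x0a"
         "\x1d\x08\x03\x0e\x00\x00\x00\xe8\xfe\xa4\xa1\x18\x00\x15\x00\x06\x00"
         "\x14\x26\x03\x60\x0e\x12\x08\x00\x0f\x10\x00\x81\x04\x01\xa8\x00\x16"
         "\x00\x0a\x00\x01",
         55);
  *(uint64_t*)0x20000188 = 0x37;
  *(uint64_t*)0x20000958 = 1;
  *(uint64_t*)0x20000960 = 0;
  *(uint64_t*)0x20000968 = 0;
  *(uint32_t*)0x20000970 = 0x7400;
  syscall(__NR_sendmsg, /*fd=*/-1, /*msg=*/0x20000940ul, /*f=*/0ul);

  // struct sockaddr_in6 at 0x20000000: family 0xa (AF_INET6), port 20000
  // (0x4e20 in network order), flowinfo 0, address ff02::1, scope id 6;
  // addrlen 0x1c is sizeof(struct sockaddr_in6). Again bound to fd -1.
  *(uint16_t*)0x20000000 = 0xa;
  *(uint16_t*)0x20000002 = htobe16(0x4e20);
  *(uint32_t*)0x20000004 = htobe32(0);
  *(uint8_t*)0x20000008 = -1;
  *(uint8_t*)0x20000009 = 2;
  memset((void*)0x2000000a, 0, 13);
  *(uint8_t*)0x20000017 = 1;
  *(uint32_t*)0x20000018 = 6;
  syscall(__NR_bind, /*fd=*/-1, /*addr=*/0x20000000ul, /*addrlen=*/0x1cul);

  // 21-byte prefix overwrites the start of the sockaddr; the write length
  // (0xfe1b) is far larger than the copied data but stays inside the 16 MiB
  // mapping, so no user-space fault. fd -1 -> expected EBADF.
  memcpy((void*)0x20000000,
         "\x8f\xed\xcb\x79\x07\x00\x98\x75\xf3\x75\x38\xe4\x86\xdd\x63\x17\xce"
         "\x62\x03\x00\xfe",
         21);
  syscall(__NR_write, /*fd=*/-1, /*buf=*/0x20000000ul, /*len=*/0xfe1bul);

  // First real socket: domain 0x10 is AF_NETLINK, protocol 0 is NETLINK_ROUTE.
  res = syscall(__NR_socket, /*domain=*/0x10ul, /*type=SOCK_DGRAM*/ 2ul,
                /*proto=*/0);
  if (res != -1)
    r[0] = res;

  // Second msghdr at 0x20000080 with one iovec at 0x20000040 -> 0x20000300.
  // iov_len is 0x84 (132) while only 69 bytes are copied; nothing earlier in
  // main() writes 0x20000345..0x20000384, so the tail is the mapping's
  // zero fill. The first 16 bytes of the blob read as a netlink nlmsghdr
  // (nlmsg_len 0x14, nlmsg_type 0x10, nlmsg_flags 0x1). fd is -1 again.
  *(uint64_t*)0x20000080 = 0;
  *(uint32_t*)0x20000088 = 0;
  *(uint64_t*)0x20000090 = 0x20000040;
  *(uint64_t*)0x20000040 = 0x20000300;
  memcpy((void*)0x20000300,
         "\x14\x00\x00\x00\x10\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
         "\x00\x0a\x5c\x00\x00\x00\x06\x0a\x09\x04\x00\x00\x00\x00\x00\x00\x00\x00"
         "\x02\x00\x00\x00\x09\x00\x02\x00\x73\x79\x7a\x32\x00\x00\x00\x00\x09\x00"
         "\x01\x00\x73\x79\x7a\x30\x00\x00\x00\x00\x30\x00\x04\x80\x2c",
         69);
  *(uint64_t*)0x20000048 = 0x84;
  *(uint64_t*)0x20000098 = 1;
  *(uint64_t*)0x200000a0 = 0;
  *(uint64_t*)0x200000a8 = 0;
  *(uint32_t*)0x200000b0 = 0;
  syscall(__NR_sendmsg, /*fd=*/-1, /*msg=*/0x20000080ul, /*f=*/0ul);

  // First effective kernel input: write() on the NETLINK_ROUTE socket r[0].
  // The 17-byte prefix parses as an nlmsghdr with nlmsg_len 0x3f56,
  // nlmsg_type 0x18 (RTM_NEWROUTE) and nlmsg_flags 0x9c59; the remaining
  // bytes up to 0xfe33 are whatever the mapping holds at this point
  // (residue of the sockaddr, the first blob, the iovec and msghdr stores
  // above, zeros elsewhere). That whole span is the message the kernel sees.
  memcpy((void*)0x20000000,
         "\x56\x3f\x00\x00\x18\x00\x59\x9c\x6d\x0e\xab\x07\x00\x04\x00\x05\x23",
         17);
  syscall(__NR_write, /*fd=*/r[0], /*buf=*/0x20000000ul, /*len=*/0xfe33ul);

  // Null-pointer bind/write on fd -1: expected EBADF, no effect.
  syscall(__NR_bind, /*fd=*/-1, /*addr=*/0ul, /*addrlen=*/0ul);
  syscall(__NR_write, /*fd=*/-1, /*buf=*/0ul, /*len=*/0xfe1bul);

  // Second NETLINK_ROUTE socket, then the same 0xfe33-byte write with the
  // header type changed to 0x19 (RTM_DELROUTE).
  res = syscall(__NR_socket, /*domain=*/0x10ul, /*type=SOCK_DGRAM*/ 2ul,
                /*proto=*/0);
  if (res != -1)
    r[1] = res;
  memcpy((void*)0x20000000,
         "\x56\x3f\x00\x00\x19\x00\x59\x9c\x6d\x0e\xab\x07\x00\x04\x00\x05\x23",
         17);
  syscall(__NR_write, /*fd=*/r[1], /*buf=*/0x20000000ul, /*len=*/0xfe33ul);
  return 0;
}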