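// https://syzkaller.appspot.com/bug?id=2c595167294aa449aaa72ecf3cac3357318b4ccb
// autogenerated by syzkaller (http://github.com/google/syzkaller)
//
// Reproducer for the syzkaller report linked above.  The program maps a
// fixed scratch region, creates an IPv6 datagram socket and an AF_PPPOX
// socket, connects both, and issues one sendto() on the PPPOX socket with
// fuzzer-chosen arguments.  Every constant below is fuzzer input and is kept
// verbatim; the comments only name what the bytes appear to be so that the
// kernel path being exercised is easier to read off.  Raw syscall() is used
// throughout (no libc wrappers) so that the exact argument values reach the
// kernel.
//
// The original listing had its #include targets stripped; these five are the
// headers the code needs (memset/memcpy, syscall/__NR_*, htobe16/htobe32,
// fixed-width integer types).

#define _GNU_SOURCE
#include <endian.h>
#include <stdint.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

// Mask of the low bf_len bits of `type`.
#define BITMASK_LEN(type, bf_len) (type)((1ull << (bf_len)) - 1)
// Mask of bf_len bits starting at bit bf_off of `type`.
#define BITMASK_LEN_OFF(type, bf_off, bf_len) \
  (type)(BITMASK_LEN(type, (bf_len)) << (bf_off))
// Store `val` into the bit-field [bf_off, bf_off+bf_len) of the `type`
// object at `addr`, leaving the other bits untouched.  bf_off == bf_len == 0
// means "store the whole object".  Wrapped in do/while(0) so the macro is a
// single statement wherever it is used.
#define STORE_BY_BITMASK(type, addr, val, bf_off, bf_len)                   \
  do {                                                                      \
    if ((bf_off) == 0 && (bf_len) == 0) {                                   \
      *(type*)(addr) = (type)(val);                                         \
    } else {                                                                \
      type new_val = *(type*)(addr);                                        \
      new_val &= ~BITMASK_LEN_OFF(type, (bf_off), (bf_len));                \
      new_val |= ((type)(val)&BITMASK_LEN(type, (bf_len))) << (bf_off);     \
      *(type*)(addr) = new_val;                                             \
    }                                                                       \
  } while (0)

// File descriptors produced by the program: r[0] is the IPv6 datagram
// socket, r[1] is the PPPOX socket.  -1 until the socket() calls run.
long r[2];

// Run the reproducer once.  Return values of the network syscalls are
// deliberately ignored, as in the generated original: the kernel reaction to
// the call sequence is the point, not its success.  Only the mmap() is
// checked, because every following store goes to a fixed address inside that
// mapping and would fault rather than reproduce anything if the mapping is
// missing.
void loop(void)
{
  memset(r, -1, sizeof(r));

  // Scratch region at a fixed address: 0xe73000 bytes, PROT_READ|PROT_WRITE
  // (3), MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS (0x32).  Anonymous memory, so
  // every byte not written below reads as zero.
  if (syscall(__NR_mmap, 0x20000000, 0xe73000, 3, 0x32, -1, 0) == -1) {
    static const char msg[] = "reproducer: mmap of scratch region failed\n";
    (void)write(2, msg, sizeof msg - 1);
    return;
  }

  // socket(AF_INET6 /* 0xa */, SOCK_DGRAM /* 2 */, 0)
  r[0] = syscall(__NR_socket, 0xa, 2, 0);
  // socket(AF_PPPOX /* 0x18 */, SOCK_STREAM /* 1 */, 1)
  // NOTE(review): protocol 1 looks like PX_PROTO_OL2TP — confirm against the
  // kernel's if_pppox.h before relying on it.
  r[1] = syscall(__NR_socket, 0x18, 1, 1);

  // 0x2e (46) bytes at 0x205fafd2: sa_family 0x18, sa_protocol 1, then what
  // appears to be a pppol2tpv3 address (pid 0, fd = r[0], an IPv4
  // sockaddr_in with port 0x4e21 and address 0xe0000002, tunnel/session ids
  // 4/0/2/0).  The IPv6 socket r[0] is handed to the PPPOX socket by fd here.
  *(uint16_t*)0x205fafd2 = 0x18;
  *(uint32_t*)0x205fafd4 = 1;
  *(uint32_t*)0x205fafd8 = 0;
  *(uint32_t*)0x205fafdc = r[0];
  *(uint16_t*)0x205fafe0 = 2;
  *(uint16_t*)0x205fafe2 = htobe16(0x4e21);
  *(uint32_t*)0x205fafe4 = htobe32(0xe0000002);
  *(uint8_t*)0x205fafe8 = 0;
  *(uint8_t*)0x205fafe9 = 0;
  *(uint8_t*)0x205fafea = 0;
  *(uint8_t*)0x205fafeb = 0;
  *(uint8_t*)0x205fafec = 0;
  *(uint8_t*)0x205fafed = 0;
  *(uint8_t*)0x205fafee = 0;
  *(uint8_t*)0x205fafef = 0;
  *(uint32_t*)0x205faff0 = 4;
  *(uint32_t*)0x205faff4 = 0;
  *(uint32_t*)0x205faff8 = 2;
  *(uint32_t*)0x205faffc = 0;
  syscall(__NR_connect, r[1], 0x205fafd2, 0x2e);

  // 0x1c (28) bytes at 0x20e72fe4: a sockaddr_in6 — family 0xa, port 0x4e21,
  // flowinfo 0xff, address ::ffff:0.0.0.0 (ten zero bytes, ff ff, then a
  // zero word), scope_id 2.
  *(uint16_t*)0x20e72fe4 = 0xa;
  *(uint16_t*)0x20e72fe6 = htobe16(0x4e21);
  *(uint32_t*)0x20e72fe8 = 0xff;
  *(uint8_t*)0x20e72fec = 0;
  *(uint8_t*)0x20e72fed = 0;
  *(uint8_t*)0x20e72fee = 0;
  *(uint8_t*)0x20e72fef = 0;
  *(uint8_t*)0x20e72ff0 = 0;
  *(uint8_t*)0x20e72ff1 = 0;
  *(uint8_t*)0x20e72ff2 = 0;
  *(uint8_t*)0x20e72ff3 = 0;
  *(uint8_t*)0x20e72ff4 = 0;
  *(uint8_t*)0x20e72ff5 = 0;
  *(uint8_t*)0x20e72ff6 = -1;
  *(uint8_t*)0x20e72ff7 = -1;
  *(uint32_t*)0x20e72ff8 = htobe32(0);
  *(uint32_t*)0x20e72ffc = 2;
  syscall(__NR_connect, r[0], 0x20e72fe4, 0x1c);

  // 0x10 (16) bytes at 0x2064eff0: a 16-byte sockaddr with family 4, used as
  // the destination of the sendto() below.  The message buffer is 0x20de7000
  // with length 0, and the flags word is an arbitrary 64-bit fuzzer value.
  *(uint16_t*)0x2064eff0 = 4;
  *(uint16_t*)0x2064eff2 = htobe16(0);
  *(uint32_t*)0x2064eff4 = htobe32(0x800);
  memcpy((void*)0x2064eff8, "\x86\x46\x2e\xb9\x66\xdc", 6);
  *(uint8_t*)0x2064effe = 8;
  *(uint8_t*)0x2064efff = 0;
  syscall(__NR_sendto, r[1], 0x20de7000, 0, 0xc3fe68eda9554f8b, 0x2064eff0,
          0x10);

  // Everything from here on is written into the mapping but never passed to
  // a syscall in this program, so it does not influence the kernel; it is
  // kept because the generator emitted it.  The bytes at 0x20000fbe look like
  // an Ethernet frame (broadcast destination, 802.1Q tag 0x8100, inner
  // ethertype 0x806), with the tag control field assembled bit-field by
  // bit-field.
  *(uint8_t*)0x20000fbe = -1;
  *(uint8_t*)0x20000fbf = -1;
  *(uint8_t*)0x20000fc0 = -1;
  *(uint8_t*)0x20000fc1 = -1;
  *(uint8_t*)0x20000fc2 = -1;
  *(uint8_t*)0x20000fc3 = -1;
  *(uint8_t*)0x20000fc4 = 0xaa;
  *(uint8_t*)0x20000fc5 = 0xaa;
  *(uint8_t*)0x20000fc6 = 0xaa;
  *(uint8_t*)0x20000fc7 = 0xaa;
  *(uint8_t*)0x20000fc8 = 0;
  *(uint8_t*)0x20000fc9 = 0xf;
  *(uint16_t*)0x20000fca = htobe16(0x8100);
  STORE_BY_BITMASK(uint16_t, 0x20000fcc, 4, 0, 3);
  STORE_BY_BITMASK(uint16_t, 0x20000fcc, 9, 3, 1);
  STORE_BY_BITMASK(uint16_t, 0x20000fcc, 0xbd, 4, 12);
  *(uint16_t*)0x20000fce = htobe16(0x806);
  *(uint16_t*)0x20000fd0 = htobe16(0);
  *(uint16_t*)0x20000fd2 = htobe16(0x9200);
  *(uint8_t*)0x20000fd4 = 6;
  *(uint8_t*)0x20000fd5 = 0;
  *(uint16_t*)0x20000fd6 = htobe16(0xa);
  *(uint8_t*)0x20000fd8 = 0xaa;
  *(uint8_t*)0x20000fd9 = 0xaa;
  *(uint8_t*)0x20000fda = 0xaa;
  *(uint8_t*)0x20000fdb = 0xaa;
  *(uint8_t*)0x20000fdc = 0;
  *(uint8_t*)0x20000fdd = 0xa;
  *(uint8_t*)0x20000fde = 0xaa;
  *(uint8_t*)0x20000fdf = 0xaa;
  *(uint8_t*)0x20000fe0 = 0xaa;
  *(uint8_t*)0x20000fe1 = 0xaa;
  *(uint8_t*)0x20000fe2 = 0;
  *(uint8_t*)0x20000fe3 = 0xaa;
  memcpy((void*)0x20000fe4,
         "\xe5\x42\xbf\x4c\xa4\xe5\x19\xbe\x7e\xf7\x9a\xb4\x82\x6f\x03\x9b",
         16);

  // Six 32-bit words at 0x20013000, likewise unreferenced by any call.
  *(uint32_t*)0x20013000 = 0;
  *(uint32_t*)0x20013004 = 4;
  *(uint32_t*)0x20013008 = 0xd13;
  *(uint32_t*)0x2001300c = 0x54f;
  *(uint32_t*)0x20013010 = 0xb83;
  *(uint32_t*)0x20013014 = 0x7f5;
}

// Entry point: run the sequence once.  The exit status carries no
// information; a successful reproduction shows up in the kernel log, not
// here.
int main(void)
{
  loop();
  return 0;
}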