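// https://syzkaller.appspot.com/bug?id=f3812564c77c99ff09c57ba2b1485a899d8858a1
// autogenerated by syzkaller (https://github.com/google/syzkaller)
//
// Crash reproducer.  main() maps a fixed scratch region, then loop() forks a
// fresh child on every iteration; the child runs execute_one() exactly once
// (socket -> setsockopt -> sendto -> setsockopt) while the parent enforces a
// per-child timeout and reaps it.
//
// NOTE(review): the SYS_* syscall names, the raw mmap flag word 0x1012 and the
// length-prefixed 16-byte socket address suggest a BSD target rather than
// Linux; the numeric option values below are only meaningful against that
// platform's headers — confirm before reading anything into them.

#define _GNU_SOURCE

// NOTE(review): the header names did not survive extraction of this listing
// (14 bare "#include" lines).  The set below is derived from the identifiers
// the program actually uses; it is not the generator's original list.
#include <errno.h>
#include <signal.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>
#if defined(__FreeBSD__) || defined(__NetBSD__) || defined(__OpenBSD__)
#include <sys/endian.h> /* htobe16 / htobe32 */
#else
#include <endian.h>
#endif

/*
 * Forcibly terminate the child `pid` and reap it into *status.
 *
 * Waits for this specific pid (the original waited on -1, which would also
 * reap unrelated children) and stops if waitpid() reports an error other
 * than EINTR — e.g. ECHILD when the child was already reaped — instead of
 * spinning forever.  *status is left untouched in that case.
 */
static void kill_and_wait(int pid, int *status)
{
	kill(pid, SIGKILL);
	for (;;) {
		pid_t reaped = waitpid(pid, status, 0);
		if (reaped == pid)
			return;
		if (reaped == -1 && errno != EINTR)
			return; /* nothing left to wait for */
	}
}

/* Sleep for `ms` milliseconds (best effort; an interrupted usleep is not retried). */
static void sleep_ms(uint64_t ms)
{
	usleep(ms * 1000);
}

/* Monotonic clock reading in milliseconds; a failing clock_gettime() aborts the run. */
static uint64_t current_time_ms(void)
{
	struct timespec ts;
	if (clock_gettime(CLOCK_MONOTONIC, &ts))
		exit(1);
	return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}

static void execute_one(void);

#define WAIT_FLAGS 0

enum {
	CHILD_TIMEOUT_MS = 5 * 1000, /* kill a child that is still alive after this long */
	POLL_INTERVAL_MS = 1,        /* how often the parent polls waitpid() */
};

/*
 * Run execute_one() in a fresh child process, forever.
 *
 * Each child gets a copy-on-write copy of the region mapped in main(), so
 * state written by one iteration never leaks into the next.  The parent
 * polls for the child's exit and kills it once CHILD_TIMEOUT_MS has passed.
 */
static void loop(void)
{
	for (;;) {
		pid_t pid = fork();
		if (pid < 0)
			exit(1);
		if (pid == 0) {
			execute_one();
			exit(0);
		}
		int status = 0;
		uint64_t start = current_time_ms();
		for (;;) {
			/* Poll for this child only; -1 would also reap unrelated children. */
			if (waitpid(pid, &status, WNOHANG | WAIT_FLAGS) == pid)
				break;
			sleep_ms(POLL_INTERVAL_MS);
			if (current_time_ms() - start < CHILD_TIMEOUT_MS)
				continue;
			kill_and_wait(pid, &status);
			break;
		}
	}
}

/* Resource slot for the socket fd; the all-ones sentinel means "not created". */
uint64_t r[1] = {0xffffffffffffffff};

/* 32-byte, zero-padded name passed as the first setsockopt() argument block. */
static const char tcp_func_name[32] = "bbr";

/*
 * 1381 bytes handed to sendto().  Opaque generator output; kept byte-for-byte.
 * The sendto() length (0x598 = 1432) is larger than this, so the trailing 51
 * bytes come from the zero-filled mapping — as in the generated original.
 */
static const uint8_t send_payload[] =
    "\xc5\xa1\x17\x12\xc6\xaa\x49\xd2\xea\x0b\xdd\x69\xdb\x49\x1a\xec\x90\xe0"
    "\xce\xfd\x5b\x9f\x1f\xd3\x2d\x13\xac\xa4\x03\x24\x4f\x7b\x3e\xc6\x35\x93"
    "\xb7\x45\xed\x86\xce\x69\x7d\x3b\x04\xb8\x2d\xa4\x8c\x69\x80\xf6\xa0\xd4"
    "\xe5\xb2\x56\xfe\x1e\x98\xb9\xf1\x79\xa5\xf1\x8f\xcf\x93\xa6\x2f\x4a\x65"
    "\x47\x56\xcb\x0f\xd0\x4e\x46\x7e\x65\x34\x3f\x78\x11\x2a\x97\x98\x0c\xf8"
    "\xae\x6d\x61\xde\x4f\xb2\x80\x6f\x1f\xe0\xb4\xfb\xe7\xa9\xa5\x11\x21\x7a"
    "\xbe\x52\x2c\xfc\x8f\x44\xee\xfa\x4d\xfb\x5e\xa0\x79\xd5\x85\x7f\x52\xad"
    "\x0b\xcc\x65\xa7\x56\x79\xf3\x67\xbd\x7a\x42\xf8\x4a\xac\x56\x71\xf4\x06"
    "\x72\x9d\x86\xfa\xda\xe6\x9b\xa3\x38\x80\x78\xdf\x47\x39\xb2\x8f\xda\xbc"
    "\xe7\x09\x37\xa9\x19\x7a\x7d\xb9\xc7\xd9\xb1\x13\x43\x06\x01\x18\x85\x97"
    "\x72\xd7\x62\x7b\xa1\xba\xa1\x6e\xfc\x96\xd1\x52\x3c\x2f\x5e\xd7\x9c\xfb"
    "\xdc\x2b\x45\x99\xf0\x88\xbe\x08\x41\x96\x0d\xb9\xc1\xa2\x53\xc1\x23\x85"
    "\x6c\xf4\xf0\x75\x7b\x10\x80\x05\x33\xd1\x37\x7f\x01\x1d\xbd\x56\x78\xb1"
    "\x63\x8e\xc7\x12\x47\xb1\xad\x3d\x91\x0a\x3b\xcf\x32\x84\xbd\x9d\x1a\x1d"
    "\x81\x8e\x58\x89\x99\xf7\x24\x01\x1f\x87\xad\x3e\xc1\xd5\x52\x0f\x3b\xb5"
    "\x60\xfd\xc3\x8d\xd0\x16\x36\x61\xb7\x7f\x00\xdc\xa8\x6e\xfb\x2c\x0c\x04"
    "\xfd\x52\x31\x88\xc2\xe2\x71\x49\x39\x9c\x56\xbc\xee\xbd\x95\x5f\x5f\xe9"
    "\x0e\x20\x2d\x30\xaa\x83\x15\xc3\xa5\xd2\xc8\x5e\xce\x44\xb0\xf9\xaf\xa0"
    "\x6f\x44\x34\x1d\xc5\xc3\x11\xe9\x5a\x80\x9b\xb1\x1f\x16\x53\xca\xbe\x4c"
    "\xb1\x08\x8f\x36\x59\xf0\x07\x3a\x99\x5d\x4a\xf9\xc0\x82\x95\xce\xdc\x87"
    "\x4f\x66\xce\xe0\x17\x47\xeb\x34\x35\x6a\x32\x77\x46\xd8\xd2\x04\x9c\x96"
    "\x3d\x3c\xa0\x9a\x77\xbb\x80\x10\x71\x8c\x80\x3e\xef\x72\x69\x9a\xcd\xbf"
    "\xc5\xe1\xd9\x57\x03\x70\xd4\xeb\x9d\x2b\x1e\x37\x1c\xb3\xc4\xcf\xc0\x64"
    "\x26\x67\x4f\x96\x1b\x57\xef\xda\xb8\x2b\xe1\xa4\x1b\x75\x4b\xf0\x11\x28"
    "\x81\xd3\x7e\xb2\xcc\x9d\xd8\x00\x76\xb5\x5d\x61\x4e\xca\xda\x96\x2b\xf4"
    "\x7d\x90\x22\xf5\xe5\x84\x30\x98\xdb\xfb\xe0\x9b\x31\x29\x12\x2f\x0a\x87"
    "\xe1\x69\x2b\xe1\x8d\x14\xc4\x38\xc9\x76\x34\xb0\x3f\x7e\x34\xde\xd6\x9a"
    "\xb2\x73\x8e\x71\x3f\x38\xf0\xd6\x32\x6b\xc4\x70\xf4\x77\x20\xd6\xa3\xe5"
    "\x30\x2b\xa4\x12\xe6\x81\x16\x69\xfb\x95\x6b\x42\x44\x96\x41\xa4\x45\x48"
    "\x6a\xae\x1b\xe7\x00\x75\xcc\xe1\x1c\x3b\x5f\x75\xca\xb1\x46\x23\x4a\xe8"
    "\xfe\xaf\x42\xdf\x8a\x69\xe5\xd1\x7b\x45\x1d\xa9\xca\xaa\xaa\xf9\x16\xed"
    "\xd8\x76\x1f\xad\xf6\x17\xea\x6c\x42\xb8\x18\x11\x53\x39\x3c\x2c\x55\x19"
    "\x30\xc6\x5e\x8d\xc1\xad\x23\x06\x0c\x2a\x70\xe0\x61\x58\xed\xbf\xfa\x4f"
    "\x40\xb4\xd1\x82\xa4\x82\xf5\xae\xf9\xa1\xca\x7f\x05\x60\x52\x36\x28\x1a"
    "\x75\x07\x1e\x9c\x13\x6d\x9f\x34\x39\x21\x27\x29\x3e\x19\xf7\x1c\x21\xb5"
    "\xa2\x09\x9b\xfb\x0a\xd1\x05\x66\xc2\x2a\xfa\x6b\xfd\xe9\xbc\x33\x5e\xa1"
    "\x6e\x1a\xd1\x41\xf5\xcd\x3e\x03\x25\x00\x06\x11\x60\x66\xf1\x45\x71\x88"
    "\x32\x86\xb0\x3e\x87\xcb\xe6\xd2\x04\x7b\x1b\xe8\x90\x65\x8e\xe8\xc2\x94"
    "\x1d\x07\xe3\x8c\x9c\x8e\x0e\x2c\x82\x86\x73\xc4\x23\x8f\x12\x7d\x54\x9b"
    "\xa3\x91\x98\xa1\xb3\x32\xad\xb3\x47\x7d\x11\x98\x2f\x1b\xb4\x7b\xc7\x69"
    "\xda\x1a\xee\xcb\x8c\x81\x96\x5f\x59\xb5\x17\x2d\xa9\xec\x68\x96\xd0\x69"
    "\xa9\xfd\xef\x9e\xe4\x6e\xda\xd7\xc1\x1b\xaa\xbd\x7d\xa6\x4d\xc5\x78\x0f"
    "\xc4\x72\x3d\xea\xf4\x06\x51\x86\x72\xa2\x66\x0c\x27\xab\x79\x2c\x20\x39"
    "\x50\x21\x9f\xf7\x04\x56\x26\x2a\x87\x17\x81\x81\x2d\xde\x1a\xa7\x11\xe3"
    "\x5e\xe6\xb6\x66\x44\xec\x39\x3c\xa4\x2a\xb8\xb9\x36\x3c\xa1\x0f\x4b\x36"
    "\xab\x08\xf1\x40\x46\x4f\x99\x4c\x0c\x39\x92\x9f\xca\x89\x9e\xbb\x20\x25"
    "\x0a\x96\xf2\x0c\x47\x56\x2c\xf7\x35\xa8\xc2\xba\x69\x7c\x9f\x1a\x4c\x83"
    "\xdd\x02\x57\xc2\xd0\x9a\x5c\xf4\x31\xe1\xa3\x26\x48\xf1\x6f\xb9\xe1\x87"
    "\xb6\x1f\x51\x60\x3c\x7e\xc0\x66\x57\x48\xbd\x35\x57\x2b\x7d\xc8\xee\x22"
    "\x4d\x5e\x7c\x2d\x86\x1f\x78\xbc\xdb\x9a\x61\x46\x26\x24\x7c\x6f\xa2\xba"
    "\xfe\x93\xfe\xdc\xa6\xf1\xb7\xf9\x8f\x9b\xc6\x21\x14\x09\x8c\x2a\x1a\x67"
    "\xb6\x73\x64\x13\xec\x99\xa0\xc3\x12\xee\xfd\xd5\xa1\x76\x56\x95\x84\xb6"
    "\x09\x82\x71\x8d\x07\x4b\xef\xa7\xe1\x3a\x9d\xc2\xc7\xcd\xf0\x20\x9c\xe7"
    "\xd8\xca\xcf\xb7\x65\x2d\x85\x5d\x11\xa4\xfb\x5e\x0e\xc2\x2b\xf2\x70\x29"
    "\xc4\x40\xcf\xd8\xfb\xca\x19\xfa\x0b\x80\xb7\xe3\x14\x4f\xd4\xd0\xb5\x2c"
    "\x36\x47\x7a\x4b\xa6\x6f\x09\x7b\xf4\xff\xfa\x27\x74\xdc\x0f\x83\x44\x6c"
    "\x06\xa5\x55\x47\x29\x0d\xd6\x00\x21\x9e\xa7\x82\x80\xd0\x25\xcd\x3c\x69"
    "\x1c\x68\xea\x7d\x9d\x1f\x8f\x10\x7b\x9c\x77\x83\xcb\xe8\xdf\xa5\x5e\x46"
    "\xc9\xf9\x3a\xc6\xd6\xfc\x59\x53\x21\x00\xc0\xb3\x0c\xff\x12\x4f\xd4\x00"
    "\x2c\x41\x7b\x39\xe2\x97\x02\x75\x15\x4c\x6c\xaf\xb1\x9a\x22\x62\x1d\x2e"
    "\x24\x10\x6f\x75\x7f\x26\xf0\x85\xcd\xce\x2a\xe3\xd3\x44\x13\x58\xfb\xdd"
    "\xf3\x10\xfc\x3c\x01\xb7\x7c\x3b\xcd\x4c\xce\xd8\x8e\xf3\xe6\x0e\x8f\x86"
    "\x9c\x62\xed\xd9\x98\xc2\x05\x15\x30\x9d\x98\x77\x29\x0e\xd5\x63\xd8\x6f"
    "\x2e\xad\x69\xd3\x5b\xb1\xd5\x07\x30\x07\x8a\xa1\x31\xbb\xe5\x9a\x0b\x07"
    "\x32\xd4\xf3\xc8\xa4\x99\xd6\x50\xc9\x22\xb5\xf1\x87\x3a\xbc\x45\xd1\x72"
    "\x87\x8c\x27\x40\x4b\x17\xed\xf9\x2a\xf3\x25\xe4\xb4\xf7\xe7\x73\x96\x4e"
    "\xd8\x3d\x6d\xc3\x9e\xd4\xf3\x4d\xf2\x8e\x82\x0d\x3d\x3e\x89\x72\xf8\xfb"
    "\x17\x7a\x64\x03\x24\x3c\x0c\x0c\xac\x42\xdd\x09\x55\x13\xc9\xe6\x69\x04"
    "\x8d\x3b\x1c\x12\xeb\xf6\xe1\xa3\x47\x7d\x79\x33\x59\x9e\x68\xa9\xbe\x36"
    "\xc3\x75\x90\x87\x6a\xca\x43\xf9\xb3\xd6\x2e\x69\x21\x25\xfe\xe6\x91\xc9"
    "\x9e\xf3\x30\x5c\x48\x80\x5d\x07\xd5\xfb\xc1\x65\x87\x2d\xad\x25\x1b\x97"
    "\x4e\x2b\x3e\x0a\x20\x70\x2f\xba\x73\x65\xe9\xe4\x33\xc4\x89\x63\x5d\xc1"
    "\x5b\x4b\x95\x9f\xef\x5d\x42\xc1\xae\xa1\x8e\xcf\x38\x1b\x15\x63\x8a\x93"
    "\xd8\x0c\xf9\x10\x76\x4c\x5e\x05\x17\x0e\xce\xe8\x6a\x9b\xcd\xfa\xca\x9e"
    "\xd1\x6a\x5f\x85\xf7\x93\x66\x8b\x84\x6b\x0b\xe6\xb5\x15\xad\xa0\x39\x07"
    "\xd1\xf7\x06\xe5\x2b\x1a\x32\xfd\xcc\x3e\x4a\x46\xdd\xee\x55\x11\x2f\x07"
    "\x5e\x4c\x63\x65\xb3\x63\x49\x28\x62\xf6\x68\xee\x86";

/*
 * One run of the generated program.
 *
 * Every buffer lives inside the fixed region mapped by main(); the addresses
 * are the ones the generator emitted.  Apart from the socket fd, syscall
 * results are deliberately ignored, as in the generated original: the goal is
 * to drive the kernel path, not to act on errors.  If socket() fails, r[0]
 * keeps its sentinel and the remaining calls are issued against an invalid fd.
 */
void execute_one(void)
{
	// socket(domain 2, type 1, protocol 0); 2/1 are AF_INET/SOCK_STREAM on
	// every platform this could plausibly target.
	intptr_t res = syscall(SYS_socket, 2ul, 1ul, 0);
	if (res != -1)
		r[0] = res;

	// setsockopt(fd, level 6 (IPPROTO_TCP), optname 0x2000, optval, 0x24):
	// optval is the 32-byte zero-padded name "bbr" followed by a zero uint32.
	// The meaning of 0x2000 is platform-specific — see the note at the top.
	memcpy((void *)0x20000080, tcp_func_name, sizeof tcp_func_name);
	*(uint32_t *)0x200000a0 = 0;
	syscall(SYS_setsockopt, r[0], 6, 0x2000, 0x20000080ul, 0x24ul);

	memcpy((void *)0x20000700, send_payload, sizeof send_payload - 1);

	// 16-byte destination address at 0x20000000: length byte 0x10, family 2,
	// big-endian port 0x4e23, all-ones address, 8 zero bytes.  The leading
	// length byte matches a BSD sockaddr_in (sin_len/sin_family) layout.
	*(uint8_t *)0x20000000 = 0x10;
	*(uint8_t *)0x20000001 = 2;
	*(uint16_t *)0x20000002 = htobe16(0x4e23);
	*(uint32_t *)0x20000004 = htobe32(UINT32_MAX);
	memset((void *)0x20000008, 0, 8);

	// sendto(fd, buf, 0x598, flags 0x180, addr, 0x10).  Flags are raw
	// generator output; 0x598 exceeds the payload (see send_payload).
	syscall(SYS_sendto, r[0], 0x20000700ul, 0x598ul, 0x180ul, 0x20000000ul, 0x10ul);

	// setsockopt(fd, level 6, optname 0x401, optval, 0x14): optval is an
	// all-ones uint32 followed by 16 opaque bytes.
	*(uint32_t *)0x20000140 = UINT32_MAX;
	memcpy((void *)0x20000144,
	       "\x3b\xcd\x2a\x69\x8c\xea\x8e\xba\x03\xda\xa9\x55\x00\x00\xeb\x77", 16);
	syscall(SYS_setsockopt, r[0], 6, 0x401, 0x20000140ul, 0x14ul);
}

/*
 * Map the 16 MiB scratch region at 0x20000000 that execute_one() writes to,
 * then run the fork loop forever.
 *
 * prot 7 is PROT_READ|PROT_WRITE|PROT_EXEC; the flag word 0x1012 is raw
 * generator output whose decoding is platform-specific (MAP_FIXED|MAP_PRIVATE
 * plus an anonymous-mapping bit on the presumed BSD target).  The original
 * never checked the mapping; without it every store in execute_one() faults,
 * so a failed mmap now terminates the reproducer instead of forking crashing
 * children indefinitely.
 */
int main(void)
{
	if (syscall(SYS_mmap, 0x20000000ul, 0x1000000ul, 7ul, 0x1012ul, -1, 0ul) == -1)
		exit(1);
	loop();
	return 0;
}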