// https://syzkaller.appspot.com/bug?id=54f4ce6239e6e0d0d5583488421c6fa3ba7ed6b4
// autogenerated by syzkaller (http://github.com/google/syzkaller)
//
// Syzkaller C reproducer. Each iteration rebuilds one fixed netlink message
// with raw stores into an mmap()ed scratch region and hands it to sendmsg()
// on an AF_NETLINK/NETLINK_XFRM socket; the process never exits. Every
// address below is an absolute offset inside that region, so the store
// order IS the wire layout and must not be reordered or "tidied".
#define _GNU_SOURCE
// NOTE(review): the header names were lost in this copy of the file. The
// code needs htobe16/htobe32, uint*_t, memset/memcpy, __NR_* and syscall(),
// which syzkaller normally pulls from the standard endian/stdint/string/
// sys/syscall/unistd headers -- confirm against the original reproducer.
#include
#include
#include
#include
#include

static void test();

// Runs test() forever; only leaves if the process is killed or the kernel
// crashes, which is the point of a crash reproducer.
void loop() {
  while (1) {
    test();
  }
}

// Syscall results. Only r[0] (the socket fd) is used; memset(-1) at the
// start of each iteration means a failed socket() leaves -1 here rather
// than a stale descriptor from the previous iteration.
long r[1];

// One iteration: map the scratch region, open the netlink socket, lay out
// struct msghdr / struct sockaddr_nl / struct iovec / the netlink message,
// then sendmsg(). No return value is checked and the socket is never
// closed, so descriptors accumulate until the fd limit is hit; after that
// socket() presumably fails and sendmsg() is called with fd -1 (EBADF).
void test() {
  memset(r, -1, sizeof(r));
  // mmap(0x20000000, 0xfff000, PROT_READ|PROT_WRITE (3),
  //      MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS (0x32), -1, 0)
  // MAP_FIXED on an anonymous mapping replaces the previous iteration's
  // pages with fresh zeroed ones, so any byte not stored below reads as 0.
  syscall(__NR_mmap, 0x20000000, 0xfff000, 3, 0x32, -1, 0);
  // socket(AF_NETLINK = 0x10, SOCK_RAW = 3, NETLINK_XFRM = 6)
  r[0] = syscall(__NR_socket, 0x10, 3, 6);
  // struct msghdr at 0x2000b000 (x86-64 layout): msg_name, msg_namelen,
  // msg_iov, msg_iovlen = 1, msg_control = NULL, msg_controllen = 0,
  // msg_flags = 0.
  *(uint64_t*)0x2000b000 = 0x2000f000;
  *(uint32_t*)0x2000b008 = 0xc;
  *(uint64_t*)0x2000b010 = 0x205a6ff0;
  *(uint64_t*)0x2000b018 = 1;
  *(uint64_t*)0x2000b020 = 0;
  *(uint64_t*)0x2000b028 = 0;
  *(uint32_t*)0x2000b030 = 0;
  // struct sockaddr_nl (12 bytes) at 0x2000f000: nl_family = AF_NETLINK,
  // nl_pad = 0, nl_pid = 0 (kernel), nl_groups = 0.
  *(uint16_t*)0x2000f000 = 0x10;
  *(uint16_t*)0x2000f002 = 0;
  *(uint32_t*)0x2000f004 = 0;
  *(uint32_t*)0x2000f008 = 0;
  // struct iovec at 0x205a6ff0: one buffer, 0x138 (312) bytes at 0x207a0000.
  *(uint64_t*)0x205a6ff0 = 0x207a0000;
  *(uint64_t*)0x205a6ff8 = 0x138;
  // struct nlmsghdr at 0x207a0000: nlmsg_len = 0x138, nlmsg_type = 0x10
  // (on NETLINK_XFRM this is XFRM_MSG_NEWSA -- verify), nlmsg_flags = 0x713
  // (fuzzer-chosen; NLM_F_REQUEST is set), nlmsg_seq = 0, nlmsg_pid = 0.
  *(uint32_t*)0x207a0000 = 0x138;
  *(uint16_t*)0x207a0004 = 0x10;
  *(uint16_t*)0x207a0006 = 0x713;
  *(uint32_t*)0x207a0008 = 0;
  *(uint32_t*)0x207a000c = 0;
  // Payload at 0x207a0010. Its size (0x128 bytes) and offsets are consistent
  // with struct xfrm_usersa_info followed by one nlattr; the field names
  // below are that interpretation, not something the page states.
  // sel.daddr: 16-byte address fe80::aa.
  *(uint8_t*)0x207a0010 = 0xfe;
  *(uint8_t*)0x207a0011 = 0x80;
  *(uint8_t*)0x207a0012 = 0;
  *(uint8_t*)0x207a0013 = 0;
  *(uint8_t*)0x207a0014 = 0;
  *(uint8_t*)0x207a0015 = 0;
  *(uint8_t*)0x207a0016 = 0;
  *(uint8_t*)0x207a0017 = 0;
  *(uint8_t*)0x207a0018 = 0;
  *(uint8_t*)0x207a0019 = 0;
  *(uint8_t*)0x207a001a = 0;
  *(uint8_t*)0x207a001b = 0;
  *(uint8_t*)0x207a001c = 0;
  *(uint8_t*)0x207a001d = 0;
  *(uint8_t*)0x207a001e = 0;
  *(uint8_t*)0x207a001f = 0xaa;
  // sel.saddr: only the first 4 bytes are set, big-endian 0xe0000002
  // (224.0.0.2 if read as IPv4); the remaining 12 bytes stay 0.
  *(uint32_t*)0x207a0020 = htobe32(0xe0000002);
  // sel.dport / dport_mask / sport / sport_mask / family / prefixlen_d /
  // prefixlen_s / proto / ifindex / user -- all zero. Note the selector
  // family (0x207a0038) is 0 while the SA family further down is AF_INET6.
  *(uint16_t*)0x207a0030 = 0;
  *(uint16_t*)0x207a0032 = htobe16(0);
  *(uint16_t*)0x207a0034 = 0;
  *(uint16_t*)0x207a0036 = htobe16(0);
  *(uint16_t*)0x207a0038 = 0;
  *(uint8_t*)0x207a003a = 0;
  *(uint8_t*)0x207a003b = 0;
  *(uint8_t*)0x207a003c = 0;
  *(uint32_t*)0x207a0040 = 0;
  *(uint32_t*)0x207a0044 = 0;
  // id.daddr (first 4 bytes) = 0, id.spi = 0, id.proto = 0x6c
  // (108 = IPPROTO_COMP, i.e. IPComp).
  *(uint32_t*)0x207a0048 = htobe32(0);
  *(uint32_t*)0x207a0058 = 0;
  *(uint8_t*)0x207a005c = 0x6c;
  // saddr: 16-byte address fe80::bb.
  *(uint8_t*)0x207a0060 = 0xfe;
  *(uint8_t*)0x207a0061 = 0x80;
  *(uint8_t*)0x207a0062 = 0;
  *(uint8_t*)0x207a0063 = 0;
  *(uint8_t*)0x207a0064 = 0;
  *(uint8_t*)0x207a0065 = 0;
  *(uint8_t*)0x207a0066 = 0;
  *(uint8_t*)0x207a0067 = 0;
  *(uint8_t*)0x207a0068 = 0;
  *(uint8_t*)0x207a0069 = 0;
  *(uint8_t*)0x207a006a = 0;
  *(uint8_t*)0x207a006b = 0;
  *(uint8_t*)0x207a006c = 0;
  *(uint8_t*)0x207a006d = 0;
  *(uint8_t*)0x207a006e = 0;
  *(uint8_t*)0x207a006f = 0xbb;
  // Lifetime config (8 x u64) and current lifetime (4 x u64): all zero.
  *(uint64_t*)0x207a0070 = 0;
  *(uint64_t*)0x207a0078 = 0;
  *(uint64_t*)0x207a0080 = 0;
  *(uint64_t*)0x207a0088 = 0;
  *(uint64_t*)0x207a0090 = 0;
  *(uint64_t*)0x207a0098 = 0;
  *(uint64_t*)0x207a00a0 = 0;
  *(uint64_t*)0x207a00a8 = 0;
  *(uint64_t*)0x207a00b0 = 0;
  *(uint64_t*)0x207a00b8 = 0;
  *(uint64_t*)0x207a00c0 = 0;
  *(uint64_t*)0x207a00c8 = 0;
  // stats (3 x u32), seq, reqid: zero. family = 0xa (AF_INET6);
  // mode = 0, replay_window = 0, flags = 0.
  *(uint32_t*)0x207a00d0 = 0;
  *(uint32_t*)0x207a00d4 = 0;
  *(uint32_t*)0x207a00d8 = 0;
  *(uint32_t*)0x207a00dc = 0;
  *(uint32_t*)0x207a00e0 = 0;
  *(uint16_t*)0x207a00e4 = 0xa;
  *(uint8_t*)0x207a00e6 = 0;
  *(uint8_t*)0x207a00e7 = 0;
  *(uint8_t*)0x207a00e8 = 0;
  // struct nlattr at 0x207a00f0: nla_len = 0x48 (72), nla_type = 3
  // (XFRMA_ALG_COMP -- verify). Its 68-byte payload matches struct
  // xfrm_algo: a 64-byte alg_name then a u32 alg_key_len.
  *(uint16_t*)0x207a00f0 = 0x48;
  *(uint16_t*)0x207a00f2 = 3;
  // alg_name = "deflate\0" padded with zeros, except for a stray
  // 0xf1 0xff 0xff 0xff well past the terminator (fuzzer noise, but it is
  // part of the 64 bytes the kernel receives).
  memcpy((void*)0x207a00f4, "\x64\x65\x66\x6c\x61\x74\x65\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\xf1\xff\xff\xff\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", 64);
  // alg_key_len = 0 -> no key bytes follow; 0x207a0134 + 4 == 0x207a0138,
  // which matches nlmsg_len / iov_len above.
  *(uint32_t*)0x207a0134 = 0;
  // sendmsg(fd, &msghdr, flags = 0); result ignored.
  syscall(__NR_sendmsg, r[0], 0x2000b000, 0);
}

// Entry point: loop() never returns, so the outer for(;;) is only reached
// if loop() is changed to exit.
int main() {
  for (;;) {
    loop();
  }
}