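// https://syzkaller.appspot.com/bug?id=3c1f47967b7cbd399d3ba3e65f297a29aa1c5f92
// autogenerated by syzkaller (http://github.com/google/syzkaller)
//
// Kernel crash reproducer against the SCSI generic (/dev/sg*) driver. It maps
// a fixed scratch arena, opens /dev/sg0, writes a 0xc0-byte request to it and
// reads the reply back with readv(). The listing this was recovered from had
// lost the targets of its nine #include lines, so the file did not build; the
// set below covers every libc/kernel name the code uses.
//
// Operational caveats for anyone running this:
//  * It is designed to crash a kernel. Run it only in a disposable VM.
//  * It needs permission to open /dev/sg0 (typically root or the `disk`
//    group). If open() fails, r[0] stays -1 and the later write()/readv()
//    simply fail with EBADF -- nothing is reproduced, and nothing reports it.
//  * The mmap() uses MAP_FIXED at 0x20000000: anything already mapped inside
//    that 0xfff000-byte window is silently replaced.
//  * Return values are deliberately unchecked, in syzkaller's style; the
//    reproducer relies on the kernel-side effects, not on the results.
#define _GNU_SOURCE
#include <endian.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

// syzkaller's open-by-pattern helper.
//   a0 == 0xc / 0xb : open /dev/char/<a1>:<a2> or /dev/block/<a1>:<a2> with
//                     O_RDWR; major and minor are truncated to 8 bits.
//   otherwise       : a0 is a NUL-terminated path template. Every '#' is
//                     replaced, left to right, by successive decimal digits of
//                     a1 (least significant digit first), and the result is
//                     opened with flags a2.
// Returns the new fd, or (uintptr_t)-1 when open() fails (the -1 is cast).
static uintptr_t syz_open_dev(uintptr_t a0, uintptr_t a1, uintptr_t a2)
{
  if (a0 == 0xc || a0 == 0xb) {
    char buf[128];
    // Longest possible result is "/dev/block/255:255" (18 chars), so the
    // bounded formatter can never truncate here; it is just the safer idiom.
    snprintf(buf, sizeof(buf), "/dev/%s/%d:%d", a0 == 0xc ? "char" : "block",
             (uint8_t)a1, (uint8_t)a2);
    return open(buf, O_RDWR, 0);
  } else {
    char buf[1024];
    char* hash;
    strncpy(buf, (char*)a0, sizeof(buf));
    buf[sizeof(buf) - 1] = 0; // strncpy does not guarantee termination
    while ((hash = strchr(buf, '#'))) {
      *hash = '0' + (char)(a1 % 10);
      a1 /= 10;
    }
    return open(buf, a2, 0);
  }
}

// Result slots for the syscalls syzkaller recorded; only the open() is kept.
long r[1];

// One execution of the recorded program.
void loop(void)
{
  memset(r, -1, sizeof(r));
  // Scratch arena 0x20000000..0x20fff000. prot 3 = PROT_READ|PROT_WRITE;
  // flags 0x32 = MAP_PRIVATE|MAP_ANONYMOUS|MAP_FIXED on x86 Linux. All later
  // buffers live in this window; each one ends exactly on a page boundary,
  // which is syzkaller's allocation convention.
  syscall(__NR_mmap, 0x20000000, 0xfff000, 3, 0x32, -1, 0);

  // "/dev/sg#" with a1 == 0 becomes "/dev/sg0". Flags 0x806 = O_RDWR |
  // O_NONBLOCK plus bit 0x4, which is not a defined open(2) flag on x86 and
  // is presumably ignored by the kernel.
  memcpy((void*)0x20416ff7, "/dev/sg#", 9);
  r[0] = syz_open_dev(0x20416ff7, 0, 0x806);

  // 0xc0-byte request at 0x20d84f40..0x20d85000, laid out as eight 24-byte
  // records of (u64, u64, u16, u16, u32). The first 32-bit word is 0, i.e.
  // not the 'S' interface_id of sg_io_hdr v3, so this presumably hits the
  // legacy sg_header write path -- TODO confirm against the kernel tree.
  *(uint64_t*)0x20d84f40 = 0;
  *(uint64_t*)0x20d84f48 = 0;
  *(uint16_t*)0x20d84f50 = 3;
  *(uint16_t*)0x20d84f52 = 0xffa6;
  *(uint32_t*)0x20d84f54 = 9;
  *(uint64_t*)0x20d84f58 = 0x77359400;
  *(uint64_t*)0x20d84f60 = 0;
  *(uint16_t*)0x20d84f68 = 0x19;
  *(uint16_t*)0x20d84f6a = 6;
  *(uint32_t*)0x20d84f6c = 4;
  *(uint64_t*)0x20d84f70 = 0;
  *(uint64_t*)0x20d84f78 = 0x2710;
  *(uint16_t*)0x20d84f80 = 0xb28;
  *(uint16_t*)0x20d84f82 = 9;
  *(uint32_t*)0x20d84f84 = 9;
  *(uint64_t*)0x20d84f88 = 0x77359400;
  *(uint64_t*)0x20d84f90 = 0;
  *(uint16_t*)0x20d84f98 = 0x7f;
  *(uint16_t*)0x20d84f9a = 1;
  *(uint32_t*)0x20d84f9c = 0xfff;
  *(uint64_t*)0x20d84fa0 = 0;
  *(uint64_t*)0x20d84fa8 = 0;
  *(uint16_t*)0x20d84fb0 = 0;
  *(uint16_t*)0x20d84fb2 = 5;
  *(uint32_t*)0x20d84fb4 = 7;
  *(uint64_t*)0x20d84fb8 = 0;
  *(uint64_t*)0x20d84fc0 = 0;
  *(uint16_t*)0x20d84fc8 = 0x24c;
  *(uint16_t*)0x20d84fca = 3;
  *(uint32_t*)0x20d84fcc = 0x80000000;
  *(uint64_t*)0x20d84fd0 = 0;
  *(uint64_t*)0x20d84fd8 = 0;
  *(uint16_t*)0x20d84fe0 = 6;
  *(uint16_t*)0x20d84fe2 = 0x13f9;
  *(uint32_t*)0x20d84fe4 = 0x7ff;
  *(uint64_t*)0x20d84fe8 = 0x77359400;
  *(uint64_t*)0x20d84ff0 = 0;
  *(uint16_t*)0x20d84ff8 = 0xc7;
  *(uint16_t*)0x20d84ffa = 9;
  *(uint32_t*)0x20d84ffc = 8;
  syscall(__NR_write, r[0], 0x20d84f40, 0xc0);

  // Reply read back through four iovecs at 0x20529fc0. The first three are
  // zero-length; only the last (base 0x2039cfce, 0x32 bytes, ending on the
  // 0x2039d000 page boundary) can receive data.
  *(uint64_t*)0x20529fc0 = 0x205bcf71;
  *(uint64_t*)0x20529fc8 = 0;
  *(uint64_t*)0x20529fd0 = 0x2009d000;
  *(uint64_t*)0x20529fd8 = 0;
  *(uint64_t*)0x20529fe0 = 0x2007a000;
  *(uint64_t*)0x20529fe8 = 0;
  *(uint64_t*)0x20529ff0 = 0x2039cfce;
  *(uint64_t*)0x20529ff8 = 0x32;
  syscall(__NR_readv, r[0], 0x20529fc0, 4);
}

int main(void)
{
  loop();
  return 0;
}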