// https://syzkaller.appspot.com/bug?id=020b61559d824612ee1c44faf27f164b9e2768e2 // autogenerated by syzkaller (http://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #ifndef __NR_mmap #define __NR_mmap 192 #endif #ifndef __NR_socket #define __NR_socket 359 #endif #ifndef __NR_sendmsg #define __NR_sendmsg 370 #endif #undef __NR_mmap #define __NR_mmap __NR_mmap2 long r[1]; void loop() { memset(r, -1, sizeof(r)); syscall(__NR_mmap, 0x20000000, 0xd51000, 3, 0x32, -1, 0); r[0] = syscall(__NR_socket, 0xf, 3, 2); *(uint32_t*)0x205f5000 = 0; *(uint32_t*)0x205f5004 = 0; *(uint32_t*)0x205f5008 = 0x208feff0; *(uint32_t*)0x205f500c = 1; *(uint32_t*)0x205f5010 = 0; *(uint32_t*)0x205f5014 = 0; *(uint32_t*)0x205f5018 = 0; *(uint32_t*)0x208feff0 = 0x20d4cea8; *(uint32_t*)0x208feff4 = 0x78; *(uint8_t*)0x20d4cea8 = 2; *(uint8_t*)0x20d4cea9 = 3; *(uint8_t*)0x20d4ceaa = 0; *(uint8_t*)0x20d4ceab = 3; *(uint16_t*)0x20d4ceac = 0xf; *(uint16_t*)0x20d4ceae = 0; *(uint32_t*)0x20d4ceb0 = 0x70bd25; *(uint32_t*)0x20d4ceb4 = 0x25dfdbfb; *(uint16_t*)0x20d4ceb8 = 1; *(uint16_t*)0x20d4ceba = 9; *(uint16_t*)0x20d4cebc = 0xfffe; *(uint16_t*)0x20d4cebe = 0; *(uint16_t*)0x20d4cec0 = 5; *(uint16_t*)0x20d4cec2 = 6; *(uint8_t*)0x20d4cec4 = 0; *(uint8_t*)0x20d4cec5 = 0; *(uint16_t*)0x20d4cec6 = 0; *(uint16_t*)0x20d4cec8 = 0xa; *(uint16_t*)0x20d4ceca = htobe16(0x4e20); *(uint32_t*)0x20d4cecc = 0; *(uint8_t*)0x20d4ced0 = 0xfe; *(uint8_t*)0x20d4ced1 = 0x80; *(uint8_t*)0x20d4ced2 = 0; *(uint8_t*)0x20d4ced3 = 0; *(uint8_t*)0x20d4ced4 = 0; *(uint8_t*)0x20d4ced5 = 0; *(uint8_t*)0x20d4ced6 = 0; *(uint8_t*)0x20d4ced7 = 0; *(uint8_t*)0x20d4ced8 = 0; *(uint8_t*)0x20d4ced9 = 0; *(uint8_t*)0x20d4ceda = 0; *(uint8_t*)0x20d4cedb = 0; *(uint8_t*)0x20d4cedc = 0; *(uint8_t*)0x20d4cedd = 0; *(uint8_t*)0x20d4cede = 0; *(uint8_t*)0x20d4cedf = 0xbb; *(uint32_t*)0x20d4cee0 = 0; *(uint16_t*)0x20d4cee8 = 2; *(uint16_t*)0x20d4ceea = 1; *(uint32_t*)0x20d4ceec = htobe32(0x4d2); *(uint8_t*)0x20d4cef0 = 0; *(uint8_t*)0x20d4cef1 = 0; *(uint8_t*)0x20d4cef2 = 0; *(uint8_t*)0x20d4cef3 = 0xb; *(uint32_t*)0x20d4cef4 = 0; *(uint16_t*)0x20d4cef8 = 5; *(uint16_t*)0x20d4cefa = 5; *(uint8_t*)0x20d4cefc = 0; *(uint8_t*)0x20d4cefd = 0; *(uint16_t*)0x20d4cefe = 0; *(uint16_t*)0x20d4cf00 = 0xa; *(uint16_t*)0x20d4cf02 = htobe16(0x4e20); *(uint32_t*)0x20d4cf04 = 0; *(uint8_t*)0x20d4cf08 = 0; *(uint8_t*)0x20d4cf09 = 0; *(uint8_t*)0x20d4cf0a = 0; *(uint8_t*)0x20d4cf0b = 0; *(uint8_t*)0x20d4cf0c = 0; *(uint8_t*)0x20d4cf0d = 0; *(uint8_t*)0x20d4cf0e = 0; *(uint8_t*)0x20d4cf0f = 0; *(uint8_t*)0x20d4cf10 = 0; *(uint8_t*)0x20d4cf11 = 0; *(uint8_t*)0x20d4cf12 = 0; *(uint8_t*)0x20d4cf13 = 0; *(uint8_t*)0x20d4cf14 = 0; *(uint8_t*)0x20d4cf15 = 0; *(uint8_t*)0x20d4cf16 = 0; *(uint8_t*)0x20d4cf17 = 0; *(uint32_t*)0x20d4cf18 = 0; syscall(__NR_sendmsg, r[0], 0x205f5000, 0); } int main() { loop(); return 0; }