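// https://syzkaller.appspot.com/bug?id=70dd44230eac7b3dffba6e85a4222c3fdb954b2c
// autogenerated by syzkaller (https://github.com/google/syzkaller)
//
// Crash reproducer.  It maps a fixed scratch region and then replays a short
// sequence of raw syscalls (socket, openat /dev/pf, ioctl, dup2, getsockopt,
// openat, ioctl) with the exact argument bytes the fuzzer recorded.  Apart
// from the initial mmap nothing is checked for success: a reproducer keeps
// going on -1 results on purpose, because the kernel's reaction to this exact
// sequence is the thing being reproduced.
//
// NOTE(review): the header names were lost from this listing; the set below
// is what the code visibly needs (memcpy, uint*_t/intptr_t, syscall, SYS_*).
// The constants (0x1000 as an anonymous-mapping flag, 'D'-group ioctls on
// /dev/pf, protocol 0x84) point at a BSD pf target rather than Linux —
// confirm against the syzkaller bug page before running it anywhere else.
#define _GNU_SOURCE
#include <stdint.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

// Results of earlier calls (file descriptors) consumed by later ones.  All
// bits set means "not obtained"; a failed call leaves its slot untouched, so
// the dependent call then runs with an invalid fd, which is intended.
uint64_t r[4] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff,
                 0xffffffffffffffff};

int main(void)
{
  // Scratch memory at a fixed address; every later pointer argument lives in
  // it.  prot 7 = PROT_READ|PROT_WRITE|PROT_EXEC; flags 0x1012 =
  // MAP_FIXED(0x10)|MAP_PRIVATE(0x02)|0x1000, where 0x1000 is MAP_ANON on the
  // BSDs (Linux's MAP_ANONYMOUS is 0x20, so on Linux this call fails with
  // EBADF on the -1 fd).  The original left the result unchecked and faulted
  // on the first memcpy below when the mapping was refused; exit instead.
  if (syscall(SYS_mmap, 0x20000000ul, 0x1000000ul, 7ul, 0x1012ul, -1, 0ul) == -1) {
    return 1;
  }
  intptr_t res = 0;

  // socket(0x1c, 5, 0x84).  0x84 = 132 is IPPROTO_SCTP's protocol number;
  // 0x1c and 5 are the domain and type in the target's numbering (presumably
  // AF_INET6 and SOCK_SEQPACKET on FreeBSD — confirm).
  res = syscall(SYS_socket, 0x1cul, 5ul, 0x84);
  if (res != -1)
    r[0] = res;

  // openat(AT_FDCWD, "/dev/pf", 0 /* O_RDONLY */, 0).
  // 0xffffffffffffff9c is -100, the usual AT_FDCWD value.
  memcpy((void*)0x20000000, "/dev/pf\000", 8);
  res = syscall(SYS_openat, 0xffffffffffffff9cul, 0x20000000ul, 0ul, 0ul);
  if (res != -1)
    r[1] = res;

  // Argument block for the first ioctl: 1024 bytes, then 32 bytes, then a few
  // scalar fields from +0x420 on.  The request code 0xc4504440 decodes, with
  // the BSD ioctl encoding (dir | len<<16 | group<<8 | num), as
  // _IOWR('D', 64, 0x450 bytes).  0x450 = 1104 is the size of FreeBSD's
  // struct pfioc_table (a pfr_table of anchor[1024] + name[32] + u32 flags +
  // u8 fback, then a buffer pointer and eight ints), which matches this
  // layout; that would make it DIOCRGETTSTATS — confirm against pfvar.h.
  memcpy(
      (void*)0x20000500,
      "\x84\x60\x98\x28\x3c\x26\xa8\x66\x2a\x1d\xb3\x03\x0e\xd3\xc4\x5e\x77\x4b"
      "\x4a\x32\x26\xb6\x63\x72\x94\x2b\xd1\xe6\xce\x16\xbe\xe0\x74\xc6\xc5\x79"
      "\xc1\x9c\x8a\x28\xa2\xe2\x79\xed\xb6\x21\xdc\x64\xd3\xb2\xb4\x10\x01\xd8"
      "\x21\x1b\xd4\xdc\x07\x7b\xba\x4d\x89\xbc\x3f\x1e\xfe\x41\xea\x3d\x52\x07"
      "\x63\xa9\xbd\xfa\x72\xe4\x3a\xbb\x67\xc9\x4d\x32\x21\x52\x76\x11\x6a\x27"
      "\x20\x7e\x69\x0c\x16\xf6\x9d\x59\x17\xd0\x04\x8c\x94\xf8\xdc\x5c\x90\x64"
      "\xb1\xfd\x72\xcd\x30\x77\x32\x3f\x5e\xa1\x14\x71\x95\xca\x3c\x4c\x25\xca"
      "\x19\x60\xc7\x9a\x2e\xc4\xf5\x67\x88\xf0\xbf\xd7\x02\x1b\xa2\x99\x5f\x4a"
      "\xc6\x4d\x3b\x14\x9c\x74\xc8\xa0\x4c\xfd\xb6\x80\x7b\xf5\x61\xb6\x1b\xcd"
      "\xfb\xcf\xae\xb4\xea\xbb\xd9\x95\x3c\xf6\x2c\xc6\xcb\xae\x08\xc0\xee\xdc"
      "\x2d\xbc\x71\xd9\x3b\x71\x14\xfd\x5b\x89\x01\x07\x28\x53\xaf\x47\xf8\xae"
      "\x38\x5c\x49\xa5\x3b\xdc\x81\xc3\x10\x79\xca\x39\xb9\x0d\xca\x4a\x17\x7c"
      "\x77\x0e\x7b\x8a\xef\x54\xc6\x2a\xe4\x36\xd0\xc5\x5d\x01\xf5\x5f\xf6\x39"
      "\xb4\x30\x42\x50\x45\x79\x09\x15\x20\xbd\x2b\xae\x4b\x5e\xed\x10\xe5\x8a"
      "\x08\xcd\xbe\x79\x23\x24\xd4\x5d\xac\x8a\xce\xd0\x95\x8b\x77\x2f\x8a\x54"
      "\x42\x25\x52\x3f\x72\xa7\x5a\x62\x0b\x3b\xd9\x44\x80\x2c\xa3\xb0\x08\x8b"
      "\x02\xe4\x00\x14\x4d\x48\xaf\xdf\x58\x73\xf3\x40\x15\xb5\xd8\x03\x06\x76"
      "\x33\x7d\x3d\x3b\xd6\xaf\xff\xfd\x64\x00\x1d\x61\xb5\x7f\x96\x8c\x1e\xaf"
      "\x30\xb1\x60\x6e\xb5\x21\x09\x8b\x45\x44\xdb\x54\x52\xb3\x4b\xef\xdc\x3b"
      "\x7f\xa9\xf6\xec\x7e\x3e\x6d\xb2\x6d\x33\x5a\x43\x16\xf5\x45\xa4\x86\x7f"
      "\x98\x3e\x0f\x05\x37\xb1\xa8\x62\x93\x2e\x9e\xb0\xe8\x90\xa6\xdf\xb7\x8f"
      "\x6b\x84\x16\x69\x28\x41\x9b\x10\xf8\xe4\x2e\x6c\x66\xbc\x4d\xbf\x48\xd1"
      "\xf2\x49\x4e\xfe\x5e\xce\xa9\xc6\x34\xf9\x70\xee\x2b\x36\x10\x15\xe3\xfe"
      "\x54\xec\x86\x4f\xe0\x1d\x5f\x24\x23\xf1\x90\x35\x45\x2e\x56\x23\xea\xc1"
      "\x8a\x90\xdf\x6d\x07\x0d\xec\xa8\xe6\x4c\xa1\xa7\xe0\xed\x63\xe8\xa8\xc5"
      "\x40\xdd\x6d\x77\x5b\x1d\x91\x4f\x32\x6b\xfc\x36\xda\xa4\x77\x0b\x2c\xc1"
      "\x14\xab\xa6\x61\xb7\x84\x4c\xc0\xdc\xb5\xc9\x46\x48\xda\x3b\xa4\x11\x26"
      "\x4e\xcc\xef\x32\xd2\x4f\x04\x8c\xb7\xcb\x2a\x08\x3e\xcf\x85\xf2\x47\x4a"
      "\x0f\xa9\xe0\x5d\x9e\x09\xa5\xe4\x20\x42\xad\xec\x38\xad\x1c\x34\x78\xf1"
      "\xe8\xdd\xfc\x5a\xfb\xac\x73\x2e\x33\x83\xa6\xfa\xe4\xb3\x74\xe8\xc3\x9c"
      "\x44\xff\x2f\x63\xd9\xdc\x5a\x49\x62\xa4\xf7\xfb\xc1\x92\x96\x8f\x95\x25"
      "\xa0\x8d\x0c\x71\xde\x70\xb1\x3d\xd9\x26\x3f\x73\x51\x5a\xfd\xab\xbe\xea"
      "\xd0\xe2\x13\xd3\x71\x75\x06\xbf\xc6\xc6\x3b\x27\x03\xac\x40\xe5\x83\x84"
      "\x14\x70\xaa\xd5\x93\x36\x68\xd2\x61\xb3\x1b\xe9\x2d\x5f\xb5\xea\xdb\x88"
      "\x15\x85\xa2\xa9\xc7\xa9\xef\x8d\x12\x32\x10\xe5\x7f\xa4\x75\x3c\xab\xa9"
      "\x16\x1a\xaa\x6a\x24\xdd\x1b\xf5\x92\x1c\x29\x59\xa7\x60\x4d\x73\xb9\x48"
      "\xc2\x31\x7c\x21\xa5\xf2\xcd\xfb\xf4\x50\x21\xfa\xbd\x4f\x87\x3a\x98\x55"
      "\x3a\x03\x1f\x7c\x06\x8e\x1c\x5c\x0f\x94\x03\x86\x00\xd3\x98\xe8\x30\x83"
      "\xf9\x1e\xb9\xbc\xb6\xd3\x82\x01\x70\xd6\x36\x8d\x18\xb0\xb4\xaf\x3b\x6c"
      "\x1a\x87\x1a\xa2\x61\xe4\xfa\x9c\x06\xc9\x04\x76\xb1\x53\xa4\x52\xbb\x93"
      "\x5f\xdb\x05\x9e\x7e\x82\xe9\xf1\xe7\xcd\x9b\x57\x35\x16\x96\xa1\x3f\xa6"
      "\xcf\x21\x28\x9c\x9b\x65\x38\xba\x9f\xef\x5a\x3b\xff\x8f\x93\x83\xef\xd8"
      "\x18\xda\xc6\x9a\xc9\xa5\xb3\x4e\x44\x66\x42\xd3\x98\x26\xd7\xec\x83\x6f"
      "\xae\x21\xe0\x4b\xa0\x0d\x24\x6a\xb7\xad\xa4\x0f\x1e\xdb\xa8\xaa\x86\x58"
      "\xa6\x8c\xef\x43\x67\xfd\x62\x23\xff\x23\x76\x2c\x31\xdf\x57\x2e\x59\xb0"
      "\xc5\x44\x5f\x55\x79\xfa\x9d\x93\xe9\x25\x93\x79\x21\x6e\x09\x3c\x1d\x86"
      "\xe3\x5c\x4f\x84\xc3\xdc\x36\x3c\x72\xa7\x9c\xd0\x5f\xf4\xa3\x93\xaa\x42"
      "\x24\xc7\xff\xf0\x9f\x3f\x82\xbc\xd4\xf3\xd0\xac\x50\x44\xf5\xc1\x25\x63"
      "\x0a\x57\xe1\xc0\xfb\x78\xa6\x29\xc2\xe0\x02\xec\x07\x5d\x0e\x80\x9e\x27"
      "\x92\x36\xeb\x21\xc1\x7b\xee\x48\xd5\x92\x3e\x1a\xbe\x13\xc9\x7f\xb8\xc3"
      "\x85\x5b\x88\x6f\x8e\x9e\xab\x39\x93\xf4\xf8\x98\x92\x5c\xd6\xe4\x9b\x24"
      "\x22\xb8\x46\x27\x32\x9a\x83\x5b\x72\x63\x88\x12\xff\x51\xab\x1d\xbe\x3d"
      "\x5c\xa2\xe0\x7f\x47\xfa\xd0\x59\x41\x68\x4c\xec\xcf\x83\x30\xf7\xbf\x17"
      "\x27\x9e\x35\x67\x52\x13\xff\xcc\xc9\xc7\xa6\xf7\x55\xce\xcb\x28\xb5\xeb"
      "\x60\xe3\xce\xad\xb6\xb8\x52\x4a\x74\xa1\x7b\xbd\x59\x6f\xfb\xc7\xbc\xcc"
      "\x94\x56\xa4\x57\xbf\x33\x0b\xe4\x3e\x36\xb0\x30\x9f\x8e\xa1\x84\x14\xf5"
      "\x70\xe8\x6d\x03\x1b\x98\x8b\xc6\x9b\x49\xcf\x83\xed\xaf\x28\x85",
      1024);
  // +0x400: 32-byte field (the table name slot, if the pfioc_table reading
  // above is right — note it is not NUL-terminated).
  memcpy((void*)0x20000900,
         "\x4e\xfd\x3c\xcb\x57\xd0\x0f\xd4\x09\x72\x2f\x27\xcd\x64\x78\x93\xdf"
         "\xfa\x70\x17\x94\x6d\x82\xf3\x80\xfa\x87\x52\x60\x73\xe4\xec",
         32);
  *(uint32_t*)0x20000920 = 9;
  *(uint8_t*)0x20000924 = 4;
  // +0x428: a user pointer into the same scratch mapping (a 0x400-byte gap
  // below the argument block, zero-filled by the mapping).
  *(uint64_t*)0x20000928 = 0x20000100;
  *(uint64_t*)0x20000930 = 2;
  *(uint64_t*)0x20000938 = 8;
  *(uint64_t*)0x20000940 = 0x101;
  *(uint64_t*)0x20000948 = 0x852;
  // The four stores from +0x450 on lie past the 0x450 bytes the request code
  // declares, so the kernel does not copy them in; presumably padding from the
  // fuzzer's description rather than part of the triggering input — confirm.
  *(uint64_t*)0x20000950 = 9;
  *(uint64_t*)0x20000958 = 0x20;
  *(uint64_t*)0x20000960 = 0x8001;
  *(uint32_t*)0x20000968 = -1; // stores 0xffffffff
  syscall(SYS_ioctl, r[1], 0xc4504440ul, 0x20000500ul);

  // dup2(sock, pffd): closes the /dev/pf descriptor r[1] and makes that fd
  // number refer to the socket.  dup2 returns its second argument on success,
  // so r[2] is the same number as r[1] — the getsockopt below therefore talks
  // to the socket, not to pf.
  res = syscall(SYS_dup2, r[0], r[1]);
  if (res != -1)
    r[2] = res;

  // getsockopt(r[2], 0x84, 0x8004, optval=0x20000080, optlen=0x200000c0).
  // optval is 12 zeroed bytes and *optlen = 0x10.  Level 0x84 = 132
  // (IPPROTO_SCTP's number); optname 0x8004 is target-specific — look it up in
  // the target's sctp.h rather than guessing.
  *(uint32_t*)0x20000080 = 0;
  *(uint64_t*)0x20000088 = 0;
  *(uint32_t*)0x200000c0 = 0x10;
  syscall(SYS_getsockopt, r[2], 0x84, 0x8004, 0x20000080ul, 0x200000c0ul);

  // Second openat(AT_FDCWD, "/dev/pf", 2 /* O_RDWR */, 0).  The path bytes are
  // rewritten (same contents) before the call.
  memcpy((void*)0x20000000, "/dev/pf\000", 8);
  res = syscall(SYS_openat, 0xffffffffffffff9cul, 0x20000000ul, 2ul, 0ul);
  if (res != -1)
    r[3] = res;

  // Request 0xcbe0441a decodes as _IOWR('D', 26, 0xbe0 = 3040 bytes).  Its
  // argument pointer is the getsockopt optlen slot, so the struct starts with
  // whatever getsockopt left at 0x200000c0 and otherwise consists of the
  // mapping's zero fill plus the earlier writes it overlaps (the 0x20000100
  // pointer target and the 0x20000500 block both fall inside
  // 0x200000c0..0x20000ca0).  This is the last call before exit; the crash the
  // bug page reports is presumably reached here — confirm from the report.
  syscall(SYS_ioctl, r[3], 0xcbe0441aul, 0x200000c0ul);
  return 0;
}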