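// https://syzkaller.appspot.com/bug?id=1fd1d44caf96ca464e1c1f19299d1f3e7558f6e5
// autogenerated by syzkaller (http://github.com/google/syzkaller)
//
// Reproducer for the bug report linked above. It replays the recorded
// syscall sequence verbatim: every argument structure is written field by
// field into a fixed-address anonymous mapping, and each call goes through
// syscall(2) with raw numeric arguments rather than libc wrappers. Return
// values land in r[] but are deliberately never checked, so a failing call
// leaves -1 in its slot and the sequence continues, as the generator intends.
//
// Headers restored (the extracted copy had empty #include directives):
//   unistd.h / sys/syscall.h  -> syscall(), __NR_* numbers
//   string.h                  -> memset(), memcpy()
//   stdint.h                  -> uint16_t/uint32_t/uint64_t

#define _GNU_SOURCE
#include <stdint.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Raw syscall results. memset to -1 (all bits set) before the run so any
 * slot that is never written reads as "failed/unused". Only indices
 * 0, 1, 7, 9, 10, 23 and 41 are assigned below. */
long r[42];

/* Replays the recorded sequence once.
 *
 * The scratch mapping is [0x20000000, 0x20f7b000); every absolute address
 * dereferenced or passed to the kernel below lies inside it, so the fixed
 * pointers are only valid if the initial mmap succeeds. */
void loop(void)
{
	memset(r, -1, sizeof(r));

	/* mmap(0x20000000, 0xf7b000, PROT_READ|PROT_WRITE (0x3),
	 *      MAP_PRIVATE|MAP_ANONYMOUS|MAP_FIXED (0x32), fd=-1, off=0) */
	r[0] = syscall(__NR_mmap, 0x20000000ul, 0xf7b000ul, 0x3ul, 0x32ul,
		       0xfffffffffffffffful, 0x0ul);

	/* socket(AF_ALG (0x26), SOCK_SEQPACKET (0x5), 0) -> transform socket */
	r[1] = syscall(__NR_socket, 0x26ul, 0x5ul, 0x0ul);

	/* struct sockaddr_alg at 0x20590fa8 (88 bytes = 0x58):
	 *   +0  salg_family = AF_ALG
	 *   +2  salg_type[14] = "aead"
	 *   +16 salg_feat = 0
	 *   +20 salg_mask = 0
	 *   +24 salg_name[64] = "rfc7539(chacha20,rmd256-generic)" */
	*(uint16_t*)0x20590fa8 = (uint16_t)0x26;
	memcpy((void*)0x20590faa,
	       "\x61\x65\x61\x64\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", 14);
	*(uint32_t*)0x20590fb8 = (uint32_t)0x0;
	*(uint32_t*)0x20590fbc = (uint32_t)0x0;
	memcpy((void*)0x20590fc0,
	       "\x72\x66\x63\x37\x35\x33\x39\x28\x63\x68\x61\x63\x68\x61\x32"
	       "\x30\x2c\x72\x6d\x64\x32\x35\x36\x2d\x67\x65\x6e\x65\x72\x69"
	       "\x63\x29\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
	       "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
	       "\x00\x00\x00\x00", 64);
	/* bind(r[1], &sockaddr_alg, 0x58) */
	r[7] = syscall(__NR_bind, r[1], 0x20590fa8ul, 0x58ul);

	/* 32-byte key at 0x20f73fe0, then
	 * setsockopt(r[1], SOL_ALG (0x117), ALG_SET_KEY (0x1), key, 0x20) */
	memcpy((void*)0x20f73fe0,
	       "\x0a\x07\x75\xb0\xd5\xe3\x83\xe5\xb3\x00"
	       "\x0c\xed\x5c\x54\xdb\xb7\x29\x5d\xf0\xdf"
	       "\x82\x17\xad\x40\x00\x00\xb6\x00\x00\x00"
	       "\x00\xe6", 32);
	r[9] = syscall(__NR_setsockopt, r[1], 0x117ul, 0x1ul, 0x20f73fe0ul, 0x20ul);

	/* accept(r[1], NULL, NULL) -> operation socket used for send/recv */
	r[10] = syscall(__NR_accept, r[1], 0x0ul, 0x0ul);

	/* struct msghdr at 0x20f76fc8 for sendmsg:
	 *   +0  msg_name = NULL
	 *   +8  msg_namelen = 0
	 *   +16 msg_iov = 0x20f79000 (2 entries)
	 *   +24 msg_iovlen = 2
	 *   +32 msg_control = 0x20f73f08
	 *   +40 msg_controllen = 0   (no control data is actually passed)
	 *   +48 msg_flags = 0x40000 (ignored on send) */
	*(uint64_t*)0x20f76fc8 = (uint64_t)0x0;
	*(uint32_t*)0x20f76fd0 = (uint32_t)0x0;
	*(uint64_t*)0x20f76fd8 = (uint64_t)0x20f79000;
	*(uint64_t*)0x20f76fe0 = (uint64_t)0x2;
	*(uint64_t*)0x20f76fe8 = (uint64_t)0x20f73f08;
	*(uint64_t*)0x20f76ff0 = (uint64_t)0x0;
	*(uint32_t*)0x20f76ff8 = (uint32_t)0x40000;
	/* iov[0] = { 0x20240fe2, 0 }, iov[1] = { 0x20f77f1e, 0xe2 } */
	*(uint64_t*)0x20f79000 = (uint64_t)0x20240fe2;
	*(uint64_t*)0x20f79008 = (uint64_t)0x0;
	*(uint64_t*)0x20f79010 = (uint64_t)0x20f77f1e;
	*(uint64_t*)0x20f79018 = (uint64_t)0xe2;
	/* 226 (0xe2) bytes of generated payload for iov[1] */
	memcpy((void*)0x20f77f1e,
	       "\x5b\x29\x51\x33\x76\x7c\x76\xd4\x76\x81\xa1\x6c\x79\xe1\xf9"
	       "\x5a\xb3\x36\x3f\xf3\xdf\xea\x0b\xe0\x37\x1d\x1f\x59\x0a\x23"
	       "\x5b\x7a\xbc\x44\xa7\xf3\xf2\xee\x63\x66\x52\x0f\xd9\x06\x6c"
	       "\x40\xca\xae\x5c\xaf\x13\x5a\x0b\x31\x3f\xf2\xee\x34\xa6\x0f"
	       "\x76\x65\x68\xe3\xe7\x9a\x7e\xf1\x79\x51\xc9\x48\x17\xc2\x67"
	       "\x60\x3f\xc0\xe0\x27\x1f\x13\x4c\xaa\x8d\x44\xe5\x3a\xe7\x60"
	       "\xda\x72\x0d\xb0\xd2\xd6\x27\x71\x8c\xa8\xcb\x04\x2f\x10\xb8"
	       "\x1a\x4e\xf9\xe2\x4e\xfe\xb8\x49\xc5\x54\x72\x8d\x94\x91\xa5"
	       "\x98\x0d\xd4\x2e\x98\x88\xff\x4a\x02\x02\x7c\x9a\x8d\xe2\xa5"
	       "\x40\x18\x2b\xdf\x42\xcb\xc3\x08\xdb\xcc\xc3\x67\xaa\xb5\x28"
	       "\xf5\x02\xa4\xd7\x91\x20\x6e\x67\xbf\xdf\xb1\xcf\x0e\x37\x8c"
	       "\x32\xdd\xe0\x68\x9f\x40\x04\x2b\xc3\x26\x16\x61\x2b\xe6\xe3"
	       "\x66\x1b\x2c\xe4\x11\xcd\x5e\xfb\xb8\x05\x0a\x45\xc5\xaf\x9e"
	       "\x4c\x8f\x8d\x57\x3d\x9f\xca\x3c\x76\x30\x4a\x1a\x14\xec\x39"
	       "\x05\x67\x9d\xd4\x63\x7b\xaf\xfc\x40\x35\x22\xba\xac\x9e\x1a"
	       "\xdb", 226);
	/* sendmsg(r[10], &msghdr, flags=0x7e) -- flag bitmask as generated */
	r[23] = syscall(__NR_sendmsg, r[10], 0x20f76fc8ul, 0x7eul);

	/* struct msghdr at 0x20d63fc8 for recvmsg:
	 *   +0  msg_name = 0x20f76ff0
	 *   +8  msg_namelen = 0x10
	 *   +16 msg_iov = 0x208b4fb0 (5 entries)
	 *   +24 msg_iovlen = 5
	 *   +32 msg_control = 0x204f4000
	 *   +40 msg_controllen = 0
	 *   +48 msg_flags = 0x400 */
	*(uint64_t*)0x20d63fc8 = (uint64_t)0x20f76ff0;
	*(uint32_t*)0x20d63fd0 = (uint32_t)0x10;
	*(uint64_t*)0x20d63fd8 = (uint64_t)0x208b4fb0;
	*(uint64_t*)0x20d63fe0 = (uint64_t)0x5;
	*(uint64_t*)0x20d63fe8 = (uint64_t)0x204f4000;
	*(uint64_t*)0x20d63ff0 = (uint64_t)0x0;
	*(uint32_t*)0x20d63ff8 = (uint32_t)0x400;
	/* Five iovecs; only the last has a non-zero length (0x19 bytes at
	 * 0x20f7a000, which ends inside the mapping). */
	*(uint64_t*)0x208b4fb0 = (uint64_t)0x20583000;
	*(uint64_t*)0x208b4fb8 = (uint64_t)0x0;
	*(uint64_t*)0x208b4fc0 = (uint64_t)0x20042f1b;
	*(uint64_t*)0x208b4fc8 = (uint64_t)0x0;
	*(uint64_t*)0x208b4fd0 = (uint64_t)0x20467f71;
	*(uint64_t*)0x208b4fd8 = (uint64_t)0x0;
	*(uint64_t*)0x208b4fe0 = (uint64_t)0x20f75fc9;
	*(uint64_t*)0x208b4fe8 = (uint64_t)0x0;
	*(uint64_t*)0x208b4ff0 = (uint64_t)0x20f7a000;
	*(uint64_t*)0x208b4ff8 = (uint64_t)0x19;
	/* recvmsg(r[10], &msghdr, flags=0x12163) -- flag bitmask as generated */
	r[41] = syscall(__NR_recvmsg, r[10], 0x20d63fc8ul, 0x12163ul);
}

/* Entry point: run the recorded sequence exactly once. */
int main(void)
{
	loop();
	return 0;
}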