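// https://syzkaller.appspot.com/bug?id=44b3aab0203daaff083ef9be19a3040900869a06
// autogenerated by syzkaller (https://github.com/google/syzkaller)
//
// Kernel crash reproducer. It maps a fixed scratch region for syscall
// arguments, creates an io_uring instance with fuzzer-chosen parameters,
// and then calls io_uring_register(IORING_REGISTER_BUFFERS) with one iovec
// and an oversized nr_args. As in every syzkaller repro, syscall results are
// deliberately ignored so the recorded sequence is replayed verbatim.
//
// Run this only inside a disposable VM booted with the kernel under test:
// a successful reproduction is expected to crash or hang that kernel, and it
// gives the program a 16 MiB RWX mapping at a fixed address.
//
// NOTE(review): the copy this file was restored from had lost the header
// names from its eight #include lines. The set below is the standard
// syzkaller reproducer preamble; it covers every symbol used here
// (uint64_t/intptr_t, memset, syscall/__NR_*, write).
#define _GNU_SOURCE

#include <endian.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

// Fallback syscall numbers for libc headers that predate io_uring
// (425/427 are the io_uring numbers in the generic syscall table).
#ifndef __NR_io_uring_register
#define __NR_io_uring_register 427
#endif
#ifndef __NR_io_uring_setup
#define __NR_io_uring_setup 425
#endif

// Resource table: r[0] holds the io_uring fd returned by io_uring_setup,
// or -1 (all ones) if setup failed, in which case io_uring_register below
// is issued on fd -1 and simply fails.
uint64_t r[1] = {0xffffffffffffffff};

int main(void)
{
  // Scratch region for syscall arguments: a 16 MiB RWX anonymous mapping at
  // 0x200000000000, bracketed by two PROT_NONE pages (one below at
  // 0x1ffffffff000, one above at 0x200001000000). Every address dereferenced
  // below lies inside this region.
  syscall(__NR_mmap, /*addr=*/0x1ffffffff000ul, /*len=*/0x1000ul,
          /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul,
          /*fd=*/(intptr_t)-1, /*offset=*/0ul);
  syscall(__NR_mmap, /*addr=*/0x200000000000ul, /*len=*/0x1000000ul,
          /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul,
          /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul,
          /*fd=*/(intptr_t)-1, /*offset=*/0ul);
  syscall(__NR_mmap, /*addr=*/0x200001000000ul, /*len=*/0x1000ul,
          /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul,
          /*fd=*/(intptr_t)-1, /*offset=*/0ul);
  // syzkaller boilerplate; `reason` is never assigned in this program.
  const char* reason;
  (void)reason;
  intptr_t res = 0;
  // Progress marker on stdout; the write result is intentionally ignored.
  if (write(1, "executing program\n", sizeof("executing program\n") - 1)) {
  }

  // Program call 1: a fuzzer-chosen remap over the start of the scratch
  // region (0xff5000 bytes, RW, fd -1, offset 0) with the flag word
  // 0x20000000ec071 (MAP_SYNC|MAP_STACK|MAP_POPULATE|MAP_NORESERVE|
  // MAP_HUGETLB|MAP_FIXED plus unknown bits 0x2000000000061). Its result is
  // ignored; if it fails (e.g. MAP_HUGETLB without hugetlb pages), the
  // original RWX mapping is simply left in place.
  syscall(__NR_mmap, /*addr=*/0x200000000000ul, /*len=*/0xff5000ul,
          /*prot=PROT_WRITE|PROT_READ*/ 3ul,
          /*flags=MAP_SYNC|MAP_STACK|MAP_POPULATE|MAP_NORESERVE|MAP_HUGETLB|MAP_FIXED|0x2000000000061*/
          0x20000000ec071ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul);

  // Program call 2: io_uring_setup(entries=0x5594, params=0x200000000100).
  // struct io_uring_params at 0x200000000100, field by field:
  //   +0x00 sq_entries     = 0            (left as the zero-filled mapping)
  //   +0x04 cq_entries     = 0x10000000
  //   +0x08 flags          = 0x1          (IORING_SETUP_IOPOLL)
  //   +0x0c sq_thread_cpu  = 1
  //   +0x10 sq_thread_idle = 0x21e
  //   +0x14 features       = 0            (left as the zero-filled mapping)
  //   +0x18 wq_fd          = -1           (0xffffffff)
  //   +0x1c resv[3]        = zeroed
  // sq_off/cq_off are output fields and are left untouched. The returned fd
  // (if any) becomes r[0].
  *(uint32_t*)0x200000000104 = 0x10000000;
  *(uint32_t*)0x200000000108 = 1;
  *(uint32_t*)0x20000000010c = 1;
  *(uint32_t*)0x200000000110 = 0x21e;
  *(uint32_t*)0x200000000118 = -1;
  memset((void*)0x20000000011c, 0, 12);
  res = syscall(__NR_io_uring_setup, /*entries=*/0x5594,
                /*params=*/0x200000000100ul);
  if (res != -1)
    r[0] = res;

  // Program call 3: io_uring_register(fd=r[0], opcode=0
  // (IORING_REGISTER_BUFFERS), arg=0x2000000002c0, nr_args=0x100000000000011a).
  // The iovec array at 0x2000000002c0 has one populated entry:
  //   iov_base = 0x200000001700, iov_len = 0x440000 (ends at 0x200000441700,
  //   inside the 16 MiB scratch region).
  // nr_args is passed as a 64-bit value with bit 60 set; the kernel's
  // io_uring_register prototype takes nr_args as an unsigned int, so it
  // presumably sees only the low 32 bits (0x11a = 282 iovecs). Only the
  // first entry was written; the remaining 281 read as zero-filled memory
  // from the anonymous mapping. This is the call the bug report is about.
  *(uint64_t*)0x2000000002c0 = 0x200000001700;
  *(uint64_t*)0x2000000002c8 = 0x440000;
  syscall(__NR_io_uring_register, /*fd=*/r[0], /*opcode=*/0ul,
          /*arg=*/0x2000000002c0ul, /*nr_args=*/0x100000000000011aul);
  return 0;
}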