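// https://syzkaller.appspot.com/bug?id=54d5e15dd8f74815b88db2d0a90f0ad289436ba0
// autogenerated by syzkaller (https://github.com/google/syzkaller)

#define _GNU_SOURCE

/*
 * NOTE(review): the original include directives were lost when this file was
 * extracted (they survived only as bare "#include" tokens). The list below is
 * reconstructed from the identifiers this file actually uses: kill/SIGKILL,
 * waitpid/WNOHANG, fork/usleep/syscall, SYS_* numbers, clock_gettime/
 * CLOCK_MONOTONIC, uint64_t, exit, memcpy and errno.
 */
#include <sys/types.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <errno.h>
#include <signal.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <unistd.h>

/*
 * Send SIGKILL to `pid` and block until it has been reaped.
 *
 * The wait uses -1 so any other child that exits in the meantime is reaped
 * as well; `*status` ends up holding the status of the last reaped child,
 * which is `pid` on the normal path. A waitpid() failure other than EINTR
 * (typically ECHILD: nothing left to wait for) ends the loop instead of
 * spinning forever, which the original unconditional loop would do.
 */
static void kill_and_wait(int pid, int *status)
{
  kill(pid, SIGKILL);
  for (;;) {
    int reaped = waitpid(-1, status, 0);
    if (reaped == pid)
      break;
    if (reaped == -1 && errno != EINTR)
      break;
  }
}

/* Sleep for `ms` milliseconds (thin wrapper over usleep). */
static void sleep_ms(uint64_t ms)
{
  usleep(ms * 1000);
}

/*
 * Milliseconds on the monotonic clock, used only for measuring elapsed time.
 * Exits the process if clock_gettime() fails, as the harness cannot continue
 * without a timer.
 */
static uint64_t current_time_ms(void)
{
  struct timespec ts;
  if (clock_gettime(CLOCK_MONOTONIC, &ts))
    exit(1);
  return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}

#define __syscall syscall

static void execute_one(void);

#define WAIT_FLAGS 0

/*
 * Fork/exec driver: run execute_one() in a fresh child forever, giving each
 * child at most 5 seconds before it is killed and reaped.
 *
 * fork() failure terminates the harness. A waitpid() failure other than EINTR
 * ends the per-child wait early (there is nothing left to wait for) and the
 * outer loop moves on to the next iteration instead of stalling until the
 * timeout and then blocking in kill_and_wait().
 */
static void loop(void)
{
  int iter;
  for (iter = 0;; iter++) {
    int pid = fork();
    if (pid < 0)
      exit(1);
    if (pid == 0) {
      execute_one();
      exit(0);
    }
    int status = 0;
    uint64_t start = current_time_ms();
    for (;;) {
      int reaped = waitpid(-1, &status, WNOHANG | WAIT_FLAGS);
      if (reaped == pid)
        break;
      if (reaped == -1 && errno != EINTR)
        break;
      sleep_ms(1);
      /* 5 s budget per child; after that it is forcibly killed. */
      if (current_time_ms() - start < 5 * 1000)
        continue;
      kill_and_wait(pid, &status);
      break;
    }
  }
}

/* Result slot for the socket() call; -1 (all bits set) marks "no fd". */
uint64_t r[1] = {0xffffffffffffffff};

/*
 * The reproducer body, run once per child.
 *
 * 1. socket(2, 3, 0): by the usual BSD numbering this is AF_INET/SOCK_RAW;
 *    the descriptor is kept in r[0] only when the call succeeded.
 * 2. A 2048-byte fuzzer-generated blob is copied to 0x200000c0, inside the
 *    region main() maps at 0x20000000. The blob is opaque data; its length
 *    matches the 0x800 optlen passed on the next line.
 * 3. setsockopt(r[0], 0, 1, blob, 0x800): level/option numbers are as
 *    emitted by syzkaller (on OpenBSD presumably IPPROTO_IP / IP_OPTIONS —
 *    confirm against the target headers).
 * 4. pledge(NULL, NULL), which per pledge(2) leaves the current promises
 *    unchanged, and an openat() with a NULL path and the flags as generated.
 * Return values of steps 3–4 are intentionally ignored; the harness only
 * cares about the kernel's reaction to the sequence.
 */
static void execute_one(void)
{
  long res = 0;
  res = syscall(SYS_socket, 2, 3, 0);
  if (res != -1)
    r[0] = res;
  memcpy(
      (void *)0x200000c0,
      "\xd9\xb6\x65\x5b\xf6\xc9\xfc\x9d\x61\x95\xfe\xbc\x43\x2c\x7d\xd8\xfd\x14"
      "\x2d\x3e\x9e\x98\xf5\x8f\x05\xec\x46\xd0\x29\x12\xfc\x5b\xb5\x47\x78\x3d"
      "\x5b\x0e\x84\x02\xe1\x03\xd8\xd7\x65\x59\x14\x6b\xb6\x53\x52\xb8\x80\x69"
      "\xd5\xcf\xe3\x3d\x28\x66\xa5\x9c\x2c\xb1\xa0\xe7\x4b\x3b\x27\xcb\x08\x9d"
      "\x8a\x4e\x07\x09\x78\x3d\x2e\xf1\xb1\x8e\x00\xee\x34\x10\x2b\x96\x3e\xf3"
      "\x98\x67\x4f\x17\x81\x9b\x66\x03\xdc\x4c\x1f\x91\x15\x37\xe1\x31\x3c\x0e"
      "\x6a\x93\x09\xef\xa7\xb6\xd5\xf0\x8a\x04\x76\x83\xc9\xfb\xb9\xad\xbe\xcd"
      "\x06\x81\xf0\x8d\x09\x59\xe9\xb6\xbf\x13\x79\xd1\x39\x8a\x46\x5f\x20\x16"
      "\x1f\x5e\x96\xe6\x8a\xbd\xf4\x3b\x60\x2a\x6f\x90\xb8\xfa\xa4\x31\x83\x40"
      "\x97\xd6\x7d\xa7\x34\x9b\x3f\xad\x43\x4e\xea\x6b\x69\xfc\x95\x0a\x34\xf5"
      "\xb3\x5f\x39\xea\x11\x0c\xdd\x61\xbc\x93\xd0\x2b\x62\xdf\xbc\x99\x49\x95"
      "\x2e\x69\x34\xcd\x92\x9d\xde\x6e\xe6\xe6\x41\xee\x7f\x4f\x37\x1b\x60\xa6"
      "\x16\xb6\xa1\x1c\xd8\x59\x81\xd0\xc0\x64\x5a\x6d\x60\x0f\x47\x3d\xf7\xe0"
      "\xfd\xfb\x7b\x62\x1c\x18\xbf\x1e\xfe\x1d\xc3\xc7\x88\xc2\xbe\x59\x63\x6a"
      "\x59\xa9\x02\x1d\x91\xba\xaa\x27\xa9\x53\xb5\x96\x19\xaf\x26\x22\x19\xf1"
      "\x24\xc8\xf6\x22\x01\x02\x9b\xf8\x9f\x7a\xba\x82\x56\xa4\x0e\x62\x66\x6b"
      "\x32\x2f\x42\xd8\x73\x48\x80\x54\x40\xaf\x9c\x06\xce\x48\x50\xcc\x6e\xe7"
      "\x43\xa2\x6e\x20\xd3\xf2\xad\x3f\xef\x2d\x08\xa5\x43\x12\xae\xa8\x74\x62"
      "\x05\x4c\x0f\x8d\x2a\x0c\xf9\xe2\x88\x68\xbc\x55\x52\xd3\xc0\xcc\x27\x97"
      "\x79\xb2\x06\x34\x6e\xfa\xe9\x99\xbc\x28\x9a\x13\x2a\xd5\x87\xb3\x10\x7c"
      "\x05\x61\xb8\x48\xaf\xb1\xc2\x01\xe2\x10\xa7\x87\x26\x6a\xc6\x04\xd1\x2a"
      "\xa0\x42\xb2\x15\x1f\x7b\xfb\x85\xdd\x9e\x54\x19\x0b\x27\x9d\x91\xa4\x9e"
      "\x79\x3b\x9a\x22\x45\x7f\x53\x9b\x66\x29\x4c\xe7\x7b\x73\xe0\xa4\x82\xdb"
      "\x4f\x5e\x42\xfd\xcf\xd2\xa7\x86\xde\x33\xed\x07\x67\x97\x98\xb0\xbb\x18"
      "\x80\x0f\x1d\xef\x75\xa3\xc6\xe0\x48\x45\xe7\x10\xf6\xef\xed\xee\x98\xcb"
      "\xeb\xbe\x0c\x99\xfd\x6a\xa3\xa5\x7f\xc5\xfc\xbe\x81\xda\xfe\xf0\xd6\x9b"
      "\x54\x4f\xec\x5a\xe0\x84\x61\x97\xca\x38\x23\x2f\xe8\x3d\x9c\x5e\x8b\xe3"
      "\x24\xfd\x5c\x28\xdc\x18\xf8\xdc\x6c\xd2\xd0\xca\x95\xaa\x86\x44\xbc\x2b"
      "\x4d\x51\x10\x80\xa3\xec\xe3\xf1\x2b\xc8\x12\x09\x1d\x68\x83\xa0\x2f\xb9"
      "\xa5\x1e\xf7\xf1\x15\xa4\xe7\x30\x90\x29\x32\xa4\xf1\x00\x3c\x6e\x4c\xae"
      "\x68\x19\xe9\x84\x0c\x96\x54\xe4\x44\x56\x7b\x31\xa2\x18\x93\x29\xa1\xa9"
      "\xb0\xf2\xfe\xaa\xbb\x7c\xf3\xbd\xb0\xe5\x7c\xae\x66\xf7\x04\xa7\x42\x18"
      "\xc2\xe8\xa4\x18\xdf\xec\x0f\x1c\x23\x35\x76\xf5\x16\x05\x08\x6c\xc4\xb5"
      "\xc9\x20\xbe\x4f\x2c\x15\x9c\x81\x3f\x7d\x39\x5f\x61\x96\x0c\xb8\x2e\xb6"
      "\x95\x24\x35\xdb\x47\x04\xf1\xb2\x27\x66\x71\xb9\x3c\xc8\x52\xc8\x6e\x7c"
      "\x43\x15\x68\x4c\x31\xe2\x5a\xab\x0d\x77\x49\x5a\x4e\x02\x96\xaa\x6d\xa7"
      "\x07\xaa\x02\x06\x9c\xc7\x80\xd5\xcf\x4e\x3e\x5d\x08\x2a\xe9\xef\x65\xc5"
      "\xf7\x49\x3b\xa6\xec\x3a\x0a\x90\xba\x7b\x67\x6e\xc7\xd7\x36\x82\x7d\x58"
      "\xe1\xb0\xcc\x01\xec\x42\xeb\x03\xe2\xd2\x1d\x1d\x27\x85\x6f\xb6\xae\x1a"
      "\x4c\x21\x1c\x5c\x5b\x3d\x81\x8a\xdb\xa7\x12\x85\x53\x52\xa3\xff\xdf\x95"
      "\xa5\x6d\xbc\x76\xc3\x82\x1c\xc7\x65\x5c\x53\x3d\x93\x03\x3f\x71\x68\x07"
      "\x49\xbf\x52\x13\x63\x66\x2c\x1a\x0e\xa7\xf6\xeb\x4f\x42\x8d\x7e\x24\x27"
      "\x1b\x80\x1f\x85\x27\xcb\xb9\x94\x13\x9c\x0d\xef\x12\x68\xa0\x12\x51\xbb"
      "\xdf\xfb\xd8\x91\xa0\xfa\xec\x0c\xe8\x78\xfb\x5f\xbd\xc6\x69\x57\x53\x95"
      "\xac\x0c\x1a\x62\xb1\xc7\x1d\x77\x84\xa3\xc9\xda\xbf\x60\x0d\x26\xce\xcf"
      "\x0b\x2a\x1d\x4f\x00\x2b\x73\x8c\xe5\x8b\xff\xa5\xfd\x92\xe7\x44\x34\x6c"
      "\x82\x23\x7a\x71\x56\x58\x17\x1c\x8c\x3b\xfb\xa8\xc5\x7a\xaa\xe1\x5a\x21"
      "\xc0\x02\x37\xc0\x06\x67\xdf\x67\xaf\xcd\x76\x86\x9f\xcf\x9e\x18\x23\x9a"
      "\x27\x6e\xdc\x72\x74\x74\xe5\x46\xc5\xc2\xa4\x59\x6f\x5e\x27\x58\xb8\x0e"
      "\xbb\xc9\xae\x35\x9e\xf0\x5e\x9d\xa8\x00\x15\x8e\xd1\xa3\xe8\x7e\xa0\xc6"
      "\x10\xef\xd1\x83\xc4\x05\x52\x00\x2a\xab\x78\x7c\x5f\x8c\xfd\xbc\x22\x69"
      "\x9c\x1b\xe7\xf7\xd8\x0a\xac\xdf\xd9\x2f\x7e\x44\xb1\x43\xa9\x17\xb8\x14"
      "\xfb\x5e\xa8\x80\xb1\xf7\xfb\x3f\x0d\xca\x5d\xe2\x13\xe1\x21\xcd\x0c\xa5"
      "\x7d\x66\xf1\x9e\xd8\x67\x15\x16\x18\x73\xb7\xf3\x4e\x23\x7e\xdf\xce\x1e"
      "\x67\x70\x1c\x2f\x32\xc3\xe4\x82\xa8\x47\x8f\xad\xd2\xb2\xc8\x06\x67\xc3"
      "\x7b\xdb\x1b\x82\x0c\x11\x8f\xcf\xaa\xb9\x58\x09\xfb\xcd\x78\x2d\x26\x85"
      "\xf0\xbc\xa3\xb0\xe9\x9f\xfb\xde\xda\x0c\xbe\x91\x83\x46\x49\x92\x40\x5d"
      "\x50\xcb\xae\xfa\xb3\x0c\x8c\x8e\x62\x52\x45\xcf\xb5\x8e\xfe\x30\x57\x16"
      "\xb5\x18\x9b\x27\x40\xc0\xa1\x96\xea\xda\xfb\x81\x43\xe6\x1e\xca\x60\x67"
      "\xc1\xf6\x3b\x2b\xd2\x17\x20\x32\xa2\x1c\x68\x5b\x3f\x1d\x29\xab\xbb\xee"
      "\xaa\x2f\x67\xd6\x63\x41\x7e\xe9\x69\x0f\xea\x71\x6f\x24\xa2\x5a\xbb\xc3"
      "\x5d\x2c\x48\xee\xf5\x4b\x3b\xec\x02\x9e\x60\x48\x66\x48\xfa\xd6\xfa\x4d"
      "\xce\x3d\x13\xeb\xca\x49\xca\x23\xd0\x63\x08\xde\x86\x1b\xa4\x96\xc1\xb3"
      "\xbd\x0b\xca\xb7\x97\x0f\x16\x65\x74\x21\xb5\x12\x71\x0c\x73\x59\xe2\x34"
      "\xee\x0c\xf2\xff\x20\x2a\x66\x41\x08\xf2\xc7\x4a\xa9\xc5\x80\xcf\x4d\xa4"
      "\xfa\x94\x83\xc1\xd4\x4e\x32\x2a\xfc\x57\xa8\x6d\xc3\x3a\x64\x03\xa5\xdc"
      "\xa9\x32\x86\xc0\x50\x5d\xec\xee\x0f\xb4\x4c\x9d\xe5\x47\x65\x70\x92\xd6"
      "\x2d\x54\x95\x3b\xdc\xe2\xe0\x13\x8d\x07\xf7\x3c\x81\xf2\x06\x49\xbc\x69"
      "\xd1\xfd\x57\xa4\xcd\x63\x57\x14\x30\x67\xde\x87\xf0\xfa\x08\xb7\x6f\xb0"
      "\xc1\x28\xca\x74\xe8\x65\x8a\x80\xc5\x7b\x2d\x15\xef\x97\x57\xd4\xb9\x64"
      "\xcd\xe8\x99\x4a\x2a\x59\xe0\x14\x3b\x78\xbe\x0f\x7f\x50\x53\x36\x73\x65"
      "\x67\x30\x16\xab\x37\x0a\x1f\xb0\x76\x31\x61\x58\x65\xa0\x42\x50\x48\x36"
      "\xd4\x2c\x60\x33\x9e\xcc\x17\xda\x92\xfc\x45\x11\x6c\x92\xf1\xd1\xea\x59"
      "\x6e\xd9\xa0\x90\xc0\xae\xac\x94\x12\x45\x96\xca\x6f\xa1\xee\xff\x5c\xe1"
      "\x4c\x7d\x2e\x26\x53\x8e\x69\x65\x1a\x60\xa4\x0a\x24\xb2\x1b\x91\x30\x8d"
      "\x12\xe8\x08\xb9\xd7\x5d\xc2\xb3\x84\x0c\x67\x8d\x37\x06\xf1\x8e\xa9\xca"
      "\x25\x74\x58\x70\xc8\x56\xde\x08\xb3\xdb\xff\x54\x59\x3f\x44\x3f\xd9\x9a"
      "\xd1\xe7\x5a\xb6\xb5\x0e\x4b\x88\x10\x33\x7b\x24\xf8\xb5\xea\xa1\x7e\x55"
      "\x5e\xde\x2b\x41\xaf\x93\x92\x57\x70\x24\x8b\x42\xf0\xc1\x3c\x8f\x5b\x73"
      "\x85\x55\xc1\xd4\x98\xf2\xa5\x1e\xbd\x4d\x85\x3c\x5e\x4a\x6d\x23\x36\xd7"
      "\x28\x65\xc0\x87\xcf\x7e\x69\x9a\xc9\xdd\x0c\x57\x79\x68\x70\xfa\xfb\x6b"
      "\x6b\x85\x43\x58\x00\xfc\x46\xef\x2d\x8a\x07\x33\x4e\x74\x0c\xc1\xba\xd9"
      "\xe4\x78\x1d\xf2\x17\x39\x94\x4c\x40\x07\x6b\x46\x15\xb2\x06\x2f\x27\xa5"
      "\x39\x1b\x06\x7a\xfd\x6c\x33\x9f\x07\x3f\x92\xd0\x2d\xef\x76\xc1\x7e\xcd"
      "\xbc\xc2\xb0\xec\xd4\x42\xf0\x48\xf2\x87\x3d\xe8\xe4\xc9\x30\xd6\x8e\x30"
      "\xde\x65\x44\xa6\x18\x18\x8f\xdb\x9c\x8a\x2b\xf3\x8c\xba\x6e\x28\xd0\x05"
      "\x2e\x6e\xa4\x75\xfb\x73\x8d\x4b\xeb\x40\x7d\x83\xd6\xde\xbf\x56\x3e\x1a"
      "\xb8\x5d\x4c\xed\x9f\x18\x27\xed\xef\x96\xba\x60\x1a\xad\x81\x89\xc1\x23"
      "\x95\xcf\xdb\x17\x20\x30\x3d\x92\x60\x75\x9a\x79\x08\x11\xa5\x8a\x23\xfb"
      "\x10\xec\xb1\xf6\x37\x86\x30\x4e\x5b\xe1\x92\x41\xe5\x95\xc6\xc7\x62\x04"
      "\x30\x2c\x6b\xed\xf4\xc7\x4b\x5a\xa4\x0b\x45\xc4\x69\xb8\x59\xe5\x01\xa5"
      "\x9b\x36\x59\x88\xc7\x9e\x40\x7e\xe4\xdc\x39\x0b\xf1\xb5\x6c\xf5\x67\x84"
      "\xff\x7a\x31\xbc\xc1\x56\x38\xf9\xf5\x69\x53\x70\x9a\x3c\x1b\x33\xe1\xbc"
      "\xb8\x9e\x88\x00\xfa\x93\x9d\xee\xb1\xbb\x03\x2c\x12\x36\x72\x57\x97\xa0"
      "\xd0\xda\x5d\xee\x65\xac\x45\x08\x17\x47\x78\x78\x11\xe2\x69\xa7\x39\x63"
      "\x6e\x72\xc3\x2a\x03\x20\xd0\x36\xc7\x64\x70\xc4\x2b\xda\x94\x8c\x54\x3b"
      "\x44\xc5\x8e\x3c\xe8\x4b\x36\x87\x18\xea\x86\xee\x3d\xc4\x3e\x19\x2b\xa4"
      "\xd1\xd1\x3e\x58\x99\xd2\x04\x89\x46\x08\xa6\x23\x3c\x59\x53\x08\xb2\x27"
      "\x5a\x8d\xe6\x42\x0e\xce\xc5\xa7\x32\xb3\x6e\x55\xe3\x8d\x65\xb1\xb0\x4a"
      "\x10\xb1\xf8\xb9\x19\x58\x5a\x98\x7d\x55\x4c\x97\x63\xe6\x1a\x6b\x89\x81"
      "\x34\x7a\x1f\xee\x19\x90\x44\xfd\x5f\xf4\x4b\x2f\x61\x59\x48\x22\xf5\x4b"
      "\x0a\xb0\x18\xbc\x76\x9b\xb1\x7c\x65\x94\x94\xa8\xa9\x4f\x81\x2d\x83\x8c"
      "\xba\x95\x2f\xe8\xc5\x2b\x74\x8f\x13\x2f\xa4\x5f\x46\x7c\x89\xe4\x22\x6a"
      "\xee\x4b\xa3\x5b\x4a\x08\x2d\x0f\xc7\x95\x67\x19\xd9\x67\x62\xa2\x5c\xcf"
      "\xe4\x04\x0f\x4c\x65\x6f\x06\xb6\xd7\x83\x85\xcf\x47\xfa\x71\xfb\x40\xfe"
      "\xd2\x82\xb5\xa7\x5d\xcc\x45\x59\x67\x8d\xaa\xec\x42\x1a\xf1\xca\xec\xf7"
      "\xb1\x18\x80\x2d\x32\x9f\x99\x34\x30\x31\x50\xcf\x36\xa7\xe4\x92\x46\x2c"
      "\xa3\x14\x19\x12\xbf\xc7\x86\x30\xf7\x26\xf9\x52\x4b\x9f\xed\xc8\x63\x6e"
      "\xc2\x4a\x22\xd3\xff\x2c\x0b\x1f\x45\xb8\x80\xe2\x48\x15\x14\x1a\xf0\x49"
      "\xb5\x5a\x53\x54\xe6\xc4\x7c\x9c\xb3\x37\x97\xc1\x12\x9e\xed\x6a\x53\x32"
      "\xfe\x17\x6b\x22\x4e\xc3\x7e\x5d\x60\x14\x75\xa0\xfe\x42\xab\x85\x91\x4a"
      "\x9a\x9f\xc4\x55\xf8\x09\x60\xe0\x01\x21\x28\x96\x40\xe5\xcd\x69\x06\xed"
      "\xad\xbd\xfb\x41\xf5\xca\x9b\x8a\x93\x41\x18\xa2\x7c\x2b\x79\xfd\x2d\xeb"
      "\xfb\x57\x45\x17\xdb\x6b\x7f\x6d\x18\x32\xca\x69\x8b\x97",
      2048);
  syscall(SYS_setsockopt, r[0], 0, 1, 0x200000c0, 0x800);
  syscall(SYS_pledge, 0, 0);
  syscall(SYS_openat, -1, 0, 0x402, 0);
}

/*
 * Entry point: back the fixed address range the payload writes to, then run
 * the fork/exec driver. The mapping is 16 MiB at 0x20000000 with the
 * prot/flags values syzkaller emitted (0x200000c0 lies inside it). If the
 * mapping fails the child's memcpy in execute_one() would fault on every
 * iteration, so exit instead of looping on an unbacked address.
 */
int main(void)
{
  if (syscall(SYS_mmap, 0x20000000, 0x1000000, 3, 0x1012, -1, 0, 0) == -1)
    exit(1);
  loop();
  return 0;
}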