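// https://syzkaller.appspot.com/bug?id=9494ed733ec3b0f2d792a0190271b65cd768ec22
// autogenerated by syzkaller (https://github.com/google/syzkaller)
//
// Reproducer: one AF_INET/SOCK_STREAM socket is put into TCP_REPAIR mode,
// "connected" to 127.0.0.1 (no handshake happens in repair mode), taken out
// of repair mode, and then hit with a write() followed by a sendmmsg() that
// carries MSG_ZEROCOPY and a deliberately oversized iov_len. Every argument
// is built in a fixed, pre-mapped scratch region so the syscall arguments
// are byte-identical on every run; keep the raw stores rather than
// "tidying" them into structs, or the reproduction may silently change.
//
// NOTE(review): the header names were stripped from the #include lines in
// the archived copy; the eight headers below are syzkaller's standard set for
// this template (it needs syscall(), write(), memcpy/memset, htobe16/htobe32
// and the fixed-width integer types).

#define _GNU_SOURCE

#include <endian.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

// Resource table: r[0] holds the socket fd. It is pre-set to -1 so that if
// socket() fails, every later call is still issued (with an invalid fd)
// instead of the program aborting.
uint64_t r[1] = {0xffffffffffffffff};

int main(void)
{
  // Scratch region: a guard page below, 16 MiB of RWX scratch at
  // 0x200000000000, and a guard page above. All pointer arguments below
  // point into the middle mapping.
  syscall(__NR_mmap, /*addr=*/0x1ffffffff000ul, /*len=*/0x1000ul,
          /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul,
          /*fd=*/(intptr_t)-1, /*offset=*/0ul);
  syscall(__NR_mmap, /*addr=*/0x200000000000ul, /*len=*/0x1000000ul,
          /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul,
          /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul,
          /*fd=*/(intptr_t)-1, /*offset=*/0ul);
  syscall(__NR_mmap, /*addr=*/0x200001000000ul, /*len=*/0x1000ul,
          /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul,
          /*fd=*/(intptr_t)-1, /*offset=*/0ul);
  const char* reason;
  (void)reason;
  intptr_t res = 0;
  // Marker line on stdout so the harness can tell the program started.
  if (write(1, "executing program\n", sizeof("executing program\n") - 1)) {
  }

  // socket(AF_INET, SOCK_STREAM, 0)
  res = syscall(__NR_socket, /*domain=*/2ul, /*type=*/1ul, /*proto=*/0);
  if (res != -1)
    r[0] = res;

  // setsockopt(fd, SOL_SOCKET, SO_ZEROCOPY, &1, 0xfff0): the optlen is far
  // larger than sizeof(int) on purpose (fuzzer-chosen); the kernel only
  // consumes the leading int.
  *(uint32_t*)0x200000000040 = 1;
  syscall(__NR_setsockopt, /*fd=*/r[0], /*level=*/1,
          /*optname=SO_ZEROCOPY*/ 0x3c, /*optval=*/0x200000000040ul,
          /*optlen=*/0xfff0ul);

  // setsockopt(fd, IPPROTO_TCP, TCP_REPAIR, &1, 4): level 6 is IPPROTO_TCP
  // and optname 0x13 (19) is TCP_REPAIR; value 1 switches repair mode on.
  *(uint32_t*)0x2000000000c0 = 1;
  syscall(__NR_setsockopt, /*fd=*/r[0], /*level=*/6, /*optname=*/0x13,
          /*optval=*/0x2000000000c0ul, /*optlen=*/4ul);

  // connect(fd, {AF_INET, port 0, 127.0.0.1}, 16). In repair mode this does
  // not perform a handshake; it just moves the socket to the connected state.
  *(uint16_t*)0x200000000080 = 2;
  *(uint16_t*)0x200000000082 = htobe16(0);
  *(uint32_t*)0x200000000084 = htobe32(0x7f000001);
  syscall(__NR_connect, /*fd=*/r[0], /*addr=*/0x200000000080ul,
          /*addrlen=*/0x10ul);

  // setsockopt(fd, IPPROTO_TCP, TCP_REPAIR, &-1, 4): -1 is
  // TCP_REPAIR_OFF_NO_WP in the Linux UAPI (leave repair mode without
  // sending a window probe).
  *(uint32_t*)0x2000000001c0 = -1;
  syscall(__NR_setsockopt, /*fd=*/r[0], /*level=*/6, /*optname=*/0x13,
          /*optval=*/0x2000000001c0ul, /*optlen=*/4ul);

  // write(fd, buf, 0x46b): the buffer was never written by this program, so
  // it is whatever the anonymous mapping holds (zero-filled).
  syscall(__NR_write, /*fd=*/r[0], /*data=*/0x2000000014c0ul, /*len=*/0x46bul);

  // sendmmsg() argument: an array of 4 struct mmsghdr (64 bytes each) at
  // 0x200000000f40. Field layout per entry: msg_name(+0), msg_namelen(+8),
  // msg_iov(+16), msg_iovlen(+24), msg_control(+32), msg_controllen(+40),
  // msg_flags(+48), msg_len(+56).

  // mmsg[0]: 5 iovecs at 0x200000000500.
  *(uint64_t*)0x200000000f40 = 0;
  *(uint32_t*)0x200000000f48 = 0;
  *(uint64_t*)0x200000000f50 = 0x200000000500;
  *(uint64_t*)0x200000000500 = 0x2000000006c0;
  memset((void*)0x2000000006c0, 237, 1);
  *(uint64_t*)0x200000000508 = 1;
  *(uint64_t*)0x200000000510 = 0x200000000200;
  memset((void*)0x200000000200, 181, 1);
  *(uint64_t*)0x200000000518 = 1;
  *(uint64_t*)0x200000000520 = 0x200000000580;
  memcpy((void*)0x200000000580,
         "\x08\x41\x4e\x55\x3e\xb6\xd3\xb6\xe1\xf8\x13\x77\xe5\xc0\x6d\x4c\xf4"
         "\x3b\xa7\x43\xc1\x99\x58\x05\x88\xe0\xd0\xd8\xe6\x1f\x57\x92\xef\xb7"
         "\x76\x3f\x91\x50\x3f\x8a\xb4\x41\xf2\x12\xd7\xb0\xce\xd9\xfc\xc7\xdd"
         "\x1d\xe8\x9d\x6d\xb9\x0d\x05\x6f\x6b\x7d\xa5\xdf\xd1\x17\x58\xbf\x20"
         "\x70\x78\x81\x27\x35\x06\xbd\xf4\x0e\x9f\x94\x9a\xd6\xa0\x15\xe5\xdb"
         "\x13\x18\x1b\xb4\x2b\x02\xeb\x2b\x38\x38\x9a\xcd\x6e\xef\x2a\x0e\x70"
         "\x0c\x31\xf1\xb7\x21\x55\x3e\x89\x7c\x29\x4b\x26\x38\x0e\xbb\x8c\xf4"
         "\xc9\x52\xbd\xc3\xa5\x7c\x4b\x2b\xe2\x8c\x85\xd1\x86\x56\x16\x9c\xcc"
         "\x00\xb5\xbc\x7f\x09\x3a\xa4\x9c\x13\xf1\xa5\x3e\xfb\xa2\x9e\xbf\x42"
         "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00",
         163);
  *(uint64_t*)0x200000000528 = 0xa3;
  *(uint64_t*)0x200000000530 = 0x200000000140;
  memset((void*)0x200000000140, 85, 1);
  *(uint64_t*)0x200000000538 = 1;
  *(uint64_t*)0x200000000540 = 0x200000000180;
  memset((void*)0x200000000180, 128, 1);
  // Deliberately bogus iov_len (~4 GiB) on a 1-byte buffer: this extends far
  // past the 16 MiB mapping, so the kernel's copy will fault part-way. This
  // is the fuzzer-chosen condition, not a typo.
  *(uint64_t*)0x200000000548 = 0xfffffddf;
  *(uint64_t*)0x200000000f58 = 5;
  *(uint64_t*)0x200000000f60 = 0;
  *(uint64_t*)0x200000000f68 = 0;
  *(uint32_t*)0x200000000f70 = 0;
  *(uint32_t*)0x200000000f78 = 0;

  // mmsg[1]: 5 one-byte iovecs at 0x200000000900.
  *(uint64_t*)0x200000000f80 = 0;
  *(uint32_t*)0x200000000f88 = 0;
  *(uint64_t*)0x200000000f90 = 0x200000000900;
  *(uint64_t*)0x200000000900 = 0x200000000100;
  memset((void*)0x200000000100, 241, 1);
  *(uint64_t*)0x200000000908 = 1;
  *(uint64_t*)0x200000000910 = 0x200000000c80;
  memset((void*)0x200000000c80, 97, 1);
  *(uint64_t*)0x200000000918 = 1;
  *(uint64_t*)0x200000000920 = 0x200000000b40;
  memset((void*)0x200000000b40, 77, 1);
  *(uint64_t*)0x200000000928 = 1;
  *(uint64_t*)0x200000000930 = 0x200000000d80;
  memset((void*)0x200000000d80, 111, 1);
  *(uint64_t*)0x200000000938 = 1;
  *(uint64_t*)0x200000000940 = 0x200000000e80;
  memset((void*)0x200000000e80, 234, 1);
  *(uint64_t*)0x200000000948 = 1;
  *(uint64_t*)0x200000000f98 = 5;
  *(uint64_t*)0x200000000fa0 = 0;
  *(uint64_t*)0x200000000fa8 = 0;
  *(uint32_t*)0x200000000fb0 = 0;
  // msg_len is an output field for sendmmsg; the fuzzer still seeds it.
  *(uint32_t*)0x200000000fb8 = 0x70040000;

  // mmsg[2]: 4 one-byte iovecs at 0x2000000002c0.
  *(uint64_t*)0x200000000fc0 = 0;
  *(uint32_t*)0x200000000fc8 = 0;
  *(uint64_t*)0x200000000fd0 = 0x2000000002c0;
  *(uint64_t*)0x2000000002c0 = 0x200000000380;
  memset((void*)0x200000000380, 187, 1);
  *(uint64_t*)0x2000000002c8 = 1;
  *(uint64_t*)0x2000000002d0 = 0x2000000007c0;
  memset((void*)0x2000000007c0, 161, 1);
  *(uint64_t*)0x2000000002d8 = 1;
  *(uint64_t*)0x2000000002e0 = 0x200000000000;
  memset((void*)0x200000000000, 115, 1);
  *(uint64_t*)0x2000000002e8 = 1;
  *(uint64_t*)0x2000000002f0 = 0x2000000009c0;
  memset((void*)0x2000000009c0, 92, 1);
  *(uint64_t*)0x2000000002f8 = 1;
  *(uint64_t*)0x200000000fd8 = 4;
  *(uint64_t*)0x200000000fe0 = 0;
  *(uint64_t*)0x200000000fe8 = 0;
  *(uint32_t*)0x200000000ff0 = 0;
  *(uint32_t*)0x200000000ff8 = 0;

  // mmsg[3]: 3 iovecs at 0x200000000dc0 (1, 69 and 1 bytes).
  *(uint64_t*)0x200000001000 = 0;
  *(uint32_t*)0x200000001008 = 0;
  *(uint64_t*)0x200000001010 = 0x200000000dc0;
  *(uint64_t*)0x200000000dc0 = 0x200000000440;
  memset((void*)0x200000000440, 136, 1);
  *(uint64_t*)0x200000000dc8 = 1;
  *(uint64_t*)0x200000000dd0 = 0x200000000240;
  memcpy((void*)0x200000000240,
         "\xe5\xfd\xa9\x4c\x09\xdb\x54\xb7\x55\x6d\x59\x7a\x09\x0f\x53\x7f\x24\xf4"
         "\x58\x0b\x9b\x7a\x84\xa8\x02\xd7\x8b\xa2\xd4\x26\x94\x61\x18\x0c\x4c\x81"
         "\x35\x90\xa6\xf2\x86\x68\x14\x6b\x3c\x4f\x57\x73\xda\x19\x8e\x17\x99\x6c"
         "\xa0\x25\xe5\xc2\x97\x60\xc5\xa3\xa3\xf7\x8d\x5a\xf9\x2f\x33",
         69);
  *(uint64_t*)0x200000000dd8 = 0x45;
  *(uint64_t*)0x200000000de0 = 0x200000001040;
  memset((void*)0x200000001040, 150, 1);
  *(uint64_t*)0x200000000de8 = 1;
  *(uint64_t*)0x200000001018 = 3;
  *(uint64_t*)0x200000001020 = 0;
  *(uint64_t*)0x200000001028 = 0;
  *(uint32_t*)0x200000001030 = 0;
  *(uint32_t*)0x200000001038 = 0;

  // sendmmsg(fd, mmsg, 4, flags). 0x4048841 decomposes as
  // MSG_OOB(0x1)|MSG_DONTWAIT(0x40)|MSG_CONFIRM(0x800)|MSG_MORE(0x8000)|
  // MSG_BATCH(0x40000)|MSG_ZEROCOPY(0x4000000). MSG_ZEROCOPY is what makes
  // the earlier SO_ZEROCOPY option matter; the oversized iov in mmsg[0] is
  // the likely trigger, but the crash itself is only described at the
  // bug URL above.
  syscall(__NR_sendmmsg, /*fd=*/r[0], /*mmsg=*/0x200000000f40ul,
          /*vlen=*/4ul,
          /*f=MSG_ZEROCOPY|MSG_BATCH|MSG_OOB|MSG_MORE|MSG_DONTWAIT|MSG_CONFIRM*/
          0x4048841ul);
  return 0;
}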