// https://syzkaller.appspot.com/bug?id=c7e345ba243bc4476aae52a3354ccbd2a90e344e // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include unsigned long long procid; static __thread int skip_segv; static __thread jmp_buf segv_env; static void segv_handler(int sig, siginfo_t* info, void* ctx) { uintptr_t addr = (uintptr_t)info->si_addr; const uintptr_t prog_start = 1 << 20; const uintptr_t prog_end = 100 << 20; if (__atomic_load_n(&skip_segv, __ATOMIC_RELAXED) && (addr < prog_start || addr > prog_end)) { _longjmp(segv_env, 1); } exit(sig); } static void install_segv_handler(void) { struct sigaction sa; memset(&sa, 0, sizeof(sa)); sa.sa_handler = SIG_IGN; syscall(SYS_rt_sigaction, 0x20, &sa, NULL, 8); syscall(SYS_rt_sigaction, 0x21, &sa, NULL, 8); memset(&sa, 0, sizeof(sa)); sa.sa_sigaction = segv_handler; sa.sa_flags = SA_NODEFER | SA_SIGINFO; sigaction(SIGSEGV, &sa, NULL); sigaction(SIGBUS, &sa, NULL); } #define NONFAILING(...) \ { \ __atomic_fetch_add(&skip_segv, 1, __ATOMIC_SEQ_CST); \ if (_setjmp(segv_env) == 0) { \ __VA_ARGS__; \ } \ __atomic_fetch_sub(&skip_segv, 1, __ATOMIC_SEQ_CST); \ } static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); pthread_attr_setstacksize(&attr, 128 << 10); int i; for (i = 0; i < 100; i++) { if (pthread_create(&th, &attr, fn, arg) == 0) { pthread_attr_destroy(&attr); return; } if (errno == EAGAIN) { usleep(50); continue; } break; } exit(1); } typedef struct { int state; } event_t; static void event_init(event_t* ev) { ev->state = 0; } static void event_reset(event_t* ev) { ev->state = 0; } static void event_set(event_t* ev) { if (ev->state) exit(1); __atomic_store_n(&ev->state, 1, __ATOMIC_RELEASE); syscall(SYS_futex, &ev->state, FUTEX_WAKE | FUTEX_PRIVATE_FLAG); } static void event_wait(event_t* ev) { while (!__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, 0); } static int event_isset(event_t* ev) { return __atomic_load_n(&ev->state, __ATOMIC_ACQUIRE); } static int event_timedwait(event_t* ev, uint64_t timeout) { uint64_t start = current_time_ms(); uint64_t now = start; for (;;) { uint64_t remain = timeout - (now - start); struct timespec ts; ts.tv_sec = remain / 1000; ts.tv_nsec = (remain % 1000) * 1000 * 1000; syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, &ts); if (__atomic_load_n(&ev->state, __ATOMIC_RELAXED)) return 1; now = current_time_ms(); if (now - start > timeout) return 0; } } static bool write_file(const char* file, const char* what, ...) { char buf[1024]; va_list args; va_start(args, what); vsnprintf(buf, sizeof(buf), what, args); va_end(args); buf[sizeof(buf) - 1] = 0; int len = strlen(buf); int fd = open(file, O_WRONLY | O_CLOEXEC); if (fd == -1) return false; if (write(fd, buf, len) != len) { int err = errno; close(fd); errno = err; return false; } close(fd); return true; } #define USB_DEBUG 0 #define USB_MAX_EP_NUM 32 struct usb_device_index { struct usb_device_descriptor* dev; struct usb_config_descriptor* config; unsigned config_length; struct usb_interface_descriptor* iface; struct usb_endpoint_descriptor* eps[USB_MAX_EP_NUM]; unsigned eps_num; }; static bool parse_usb_descriptor(char* buffer, size_t length, struct usb_device_index* index) { if (length < sizeof(*index->dev) + sizeof(*index->config) + sizeof(*index->iface)) return false; index->dev = (struct usb_device_descriptor*)buffer; index->config = (struct usb_config_descriptor*)(buffer + sizeof(*index->dev)); index->config_length = length - sizeof(*index->dev); index->iface = (struct usb_interface_descriptor*)(buffer + sizeof(*index->dev) + sizeof(*index->config)); index->eps_num = 0; size_t offset = 0; while (true) { if (offset + 1 >= length) break; uint8_t desc_length = buffer[offset]; uint8_t desc_type = buffer[offset + 1]; if (desc_length <= 2) break; if (offset + desc_length > length) break; if (desc_type == USB_DT_ENDPOINT) { index->eps[index->eps_num] = (struct usb_endpoint_descriptor*)(buffer + offset); index->eps_num++; } if (index->eps_num == USB_MAX_EP_NUM) break; offset += desc_length; } return true; } enum usb_fuzzer_event_type { USB_FUZZER_EVENT_INVALID, USB_FUZZER_EVENT_CONNECT, USB_FUZZER_EVENT_DISCONNECT, USB_FUZZER_EVENT_SUSPEND, USB_FUZZER_EVENT_RESUME, USB_FUZZER_EVENT_CONTROL, }; struct usb_fuzzer_event { uint32_t type; uint32_t length; char data[0]; }; struct usb_fuzzer_init { uint64_t speed; const char* driver_name; const char* device_name; }; struct usb_fuzzer_ep_io { uint16_t ep; uint16_t flags; uint32_t length; char data[0]; }; #define USB_FUZZER_IOCTL_INIT _IOW('U', 0, struct usb_fuzzer_init) #define USB_FUZZER_IOCTL_RUN _IO('U', 1) #define USB_FUZZER_IOCTL_EVENT_FETCH _IOR('U', 2, struct usb_fuzzer_event) #define USB_FUZZER_IOCTL_EP0_WRITE _IOW('U', 3, struct usb_fuzzer_ep_io) #define USB_FUZZER_IOCTL_EP0_READ _IOWR('U', 4, struct usb_fuzzer_ep_io) #define USB_FUZZER_IOCTL_EP_ENABLE _IOW('U', 5, struct usb_endpoint_descriptor) #define USB_FUZZER_IOCTL_EP_WRITE _IOW('U', 7, struct usb_fuzzer_ep_io) #define USB_FUZZER_IOCTL_EP_READ _IOWR('U', 8, struct usb_fuzzer_ep_io) #define USB_FUZZER_IOCTL_CONFIGURE _IO('U', 9) #define USB_FUZZER_IOCTL_VBUS_DRAW _IOW('U', 10, uint32_t) int usb_fuzzer_open() { return open("/sys/kernel/debug/usb-fuzzer", O_RDWR); } int usb_fuzzer_init(int fd, uint32_t speed, const char* driver, const char* device) { struct usb_fuzzer_init arg; arg.speed = speed; arg.driver_name = driver; arg.device_name = device; return ioctl(fd, USB_FUZZER_IOCTL_INIT, &arg); } int usb_fuzzer_run(int fd) { return ioctl(fd, USB_FUZZER_IOCTL_RUN, 0); } int usb_fuzzer_event_fetch(int fd, struct usb_fuzzer_event* event) { return ioctl(fd, USB_FUZZER_IOCTL_EVENT_FETCH, event); } int usb_fuzzer_ep0_write(int fd, struct usb_fuzzer_ep_io* io) { return ioctl(fd, USB_FUZZER_IOCTL_EP0_WRITE, io); } int usb_fuzzer_ep0_read(int fd, struct usb_fuzzer_ep_io* io) { return ioctl(fd, USB_FUZZER_IOCTL_EP0_READ, io); } int usb_fuzzer_ep_write(int fd, struct usb_fuzzer_ep_io* io) { return ioctl(fd, USB_FUZZER_IOCTL_EP_WRITE, io); } int usb_fuzzer_ep_read(int fd, struct usb_fuzzer_ep_io* io) { return ioctl(fd, USB_FUZZER_IOCTL_EP_READ, io); } int usb_fuzzer_ep_enable(int fd, struct usb_endpoint_descriptor* desc) { return ioctl(fd, USB_FUZZER_IOCTL_EP_ENABLE, desc); } int usb_fuzzer_configure(int fd) { return ioctl(fd, USB_FUZZER_IOCTL_CONFIGURE, 0); } int usb_fuzzer_vbus_draw(int fd, uint32_t power) { return ioctl(fd, USB_FUZZER_IOCTL_VBUS_DRAW, power); } #define USB_MAX_PACKET_SIZE 1024 struct usb_fuzzer_control_event { struct usb_fuzzer_event inner; struct usb_ctrlrequest ctrl; char data[USB_MAX_PACKET_SIZE]; }; struct usb_fuzzer_ep_io_data { struct usb_fuzzer_ep_io inner; char data[USB_MAX_PACKET_SIZE]; }; struct vusb_connect_string_descriptor { uint32_t len; char* str; } __attribute__((packed)); struct vusb_connect_descriptors { uint32_t qual_len; char* qual; uint32_t bos_len; char* bos; uint32_t strs_len; struct vusb_connect_string_descriptor strs[0]; } __attribute__((packed)); static const char* default_string = "syzkaller"; static bool lookup_connect_response(struct vusb_connect_descriptors* descs, struct usb_device_index* index, struct usb_ctrlrequest* ctrl, char** response_data, uint32_t* response_length) { uint8_t str_idx; switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_GET_DESCRIPTOR: switch (ctrl->wValue >> 8) { case USB_DT_DEVICE: *response_data = (char*)index->dev; *response_length = sizeof(*index->dev); return true; case USB_DT_CONFIG: *response_data = (char*)index->config; *response_length = index->config_length; return true; case USB_DT_STRING: str_idx = (uint8_t)ctrl->wValue; if (str_idx >= descs->strs_len) { *response_data = (char*)default_string; *response_length = strlen(default_string); } else { *response_data = descs->strs[str_idx].str; *response_length = descs->strs[str_idx].len; } return true; case USB_DT_BOS: *response_data = descs->bos; *response_length = descs->bos_len; return true; case USB_DT_DEVICE_QUALIFIER: *response_data = descs->qual; *response_length = descs->qual_len; return true; default: exit(1); return false; } break; default: exit(1); return false; } break; default: exit(1); return false; } return false; } static volatile long syz_usb_connect(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { uint64_t speed = a0; uint64_t dev_len = a1; char* dev = (char*)a2; struct vusb_connect_descriptors* descs = (struct vusb_connect_descriptors*)a3; if (!dev) { return -1; } struct usb_device_index index; memset(&index, 0, sizeof(index)); int rv = 0; NONFAILING(rv = parse_usb_descriptor(dev, dev_len, &index)); if (!rv) { return rv; } int fd = usb_fuzzer_open(); if (fd < 0) { return fd; } char device[32]; sprintf(&device[0], "dummy_udc.%llu", procid); rv = usb_fuzzer_init(fd, speed, "dummy_udc", &device[0]); if (rv < 0) { return rv; } rv = usb_fuzzer_run(fd); if (rv < 0) { return rv; } bool done = false; while (!done) { struct usb_fuzzer_control_event event; event.inner.type = 0; event.inner.length = sizeof(event.ctrl); rv = usb_fuzzer_event_fetch(fd, (struct usb_fuzzer_event*)&event); if (rv < 0) { return rv; } if (event.inner.type != USB_FUZZER_EVENT_CONTROL) continue; bool response_found = false; char* response_data = NULL; uint32_t response_length = 0; if (event.ctrl.bRequestType & USB_DIR_IN) { NONFAILING(response_found = lookup_connect_response(descs, &index, &event.ctrl, &response_data, &response_length)); if (!response_found) { return -1; } } else { if ((event.ctrl.bRequestType & USB_TYPE_MASK) != USB_TYPE_STANDARD || event.ctrl.bRequest != USB_REQ_SET_CONFIGURATION) { exit(1); return -1; } done = true; } if (done) { rv = usb_fuzzer_vbus_draw(fd, index.config->bMaxPower); if (rv < 0) { return rv; } rv = usb_fuzzer_configure(fd); if (rv < 0) { return rv; } unsigned ep; for (ep = 0; ep < index.eps_num; ep++) { rv = usb_fuzzer_ep_enable(fd, index.eps[ep]); if (rv < 0) { } else { } } } struct usb_fuzzer_ep_io_data response; response.inner.ep = 0; response.inner.flags = 0; if (response_length > sizeof(response.data)) response_length = 0; if (event.ctrl.wLength < response_length) response_length = event.ctrl.wLength; response.inner.length = response_length; if (response_data) memcpy(&response.data[0], response_data, response_length); else memset(&response.data[0], 0, response_length); if (event.ctrl.bRequestType & USB_DIR_IN) rv = usb_fuzzer_ep0_write(fd, (struct usb_fuzzer_ep_io*)&response); else rv = usb_fuzzer_ep0_read(fd, (struct usb_fuzzer_ep_io*)&response); if (rv < 0) { return rv; } } sleep_ms(200); return fd; } struct vusb_descriptor { uint8_t req_type; uint8_t desc_type; uint32_t len; char data[0]; } __attribute__((packed)); struct vusb_descriptors { uint32_t len; struct vusb_descriptor* generic; struct vusb_descriptor* descs[0]; } __attribute__((packed)); struct vusb_response { uint8_t type; uint8_t req; uint32_t len; char data[0]; } __attribute__((packed)); struct vusb_responses { uint32_t len; struct vusb_response* generic; struct vusb_response* resps[0]; } __attribute__((packed)); static bool lookup_control_response(struct vusb_descriptors* descs, struct vusb_responses* resps, struct usb_ctrlrequest* ctrl, char** response_data, uint32_t* response_length) { int descs_num = (descs->len - offsetof(struct vusb_descriptors, descs)) / sizeof(descs->descs[0]); int resps_num = (resps->len - offsetof(struct vusb_responses, resps)) / sizeof(resps->resps[0]); uint8_t req = ctrl->bRequest; uint8_t req_type = ctrl->bRequestType & USB_TYPE_MASK; uint8_t desc_type = ctrl->wValue >> 8; if (req == USB_REQ_GET_DESCRIPTOR) { int i; for (i = 0; i < descs_num; i++) { struct vusb_descriptor* desc = descs->descs[i]; if (!desc) continue; if (desc->req_type == req_type && desc->desc_type == desc_type) { *response_length = desc->len; if (*response_length != 0) *response_data = &desc->data[0]; else *response_data = NULL; return true; } } if (descs->generic) { *response_data = &descs->generic->data[0]; *response_length = descs->generic->len; return true; } } else { int i; for (i = 0; i < resps_num; i++) { struct vusb_response* resp = resps->resps[i]; if (!resp) continue; if (resp->type == req_type && resp->req == req) { *response_length = resp->len; if (*response_length != 0) *response_data = &resp->data[0]; else *response_data = NULL; return true; } } if (resps->generic) { *response_data = &resps->generic->data[0]; *response_length = resps->generic->len; return true; } } return false; } static volatile long syz_usb_control_io(volatile long a0, volatile long a1, volatile long a2) { int fd = a0; struct vusb_descriptors* descs = (struct vusb_descriptors*)a1; struct vusb_responses* resps = (struct vusb_responses*)a2; struct usb_fuzzer_control_event event; event.inner.type = 0; event.inner.length = USB_MAX_PACKET_SIZE; int rv = usb_fuzzer_event_fetch(fd, (struct usb_fuzzer_event*)&event); if (rv < 0) { return rv; } if (event.inner.type != USB_FUZZER_EVENT_CONTROL) { return -1; } bool response_found = false; char* response_data = NULL; uint32_t response_length = 0; if (event.ctrl.bRequestType & USB_DIR_IN) { NONFAILING(response_found = lookup_control_response(descs, resps, &event.ctrl, &response_data, &response_length)); if (!response_found) { return -1; } } else { response_length = event.ctrl.wLength; } struct usb_fuzzer_ep_io_data response; response.inner.ep = 0; response.inner.flags = 0; if (response_length > sizeof(response.data)) response_length = 0; if (event.ctrl.wLength < response_length) response_length = event.ctrl.wLength; response.inner.length = response_length; if (response_data) memcpy(&response.data[0], response_data, response_length); else memset(&response.data[0], 0, response_length); if (event.ctrl.bRequestType & USB_DIR_IN) { rv = usb_fuzzer_ep0_write(fd, (struct usb_fuzzer_ep_io*)&response); } else { rv = usb_fuzzer_ep0_read(fd, (struct usb_fuzzer_ep_io*)&response); } if (rv < 0) { return rv; } sleep_ms(200); return 0; } static long syz_open_dev(volatile long a0, volatile long a1, volatile long a2) { if (a0 == 0xc || a0 == 0xb) { char buf[128]; sprintf(buf, "/dev/%s/%d:%d", a0 == 0xc ? "char" : "block", (uint8_t)a1, (uint8_t)a2); return open(buf, O_RDWR, 0); } else { char buf[1024]; char* hash; NONFAILING(strncpy(buf, (char*)a0, sizeof(buf) - 1)); buf[sizeof(buf) - 1] = 0; while ((hash = strchr(buf, '#'))) { *hash = '0' + (char)(a1 % 10); a1 /= 10; } return open(buf, a2, 0); } } static void kill_and_wait(int pid, int* status) { kill(-pid, SIGKILL); kill(pid, SIGKILL); int i; for (i = 0; i < 100; i++) { if (waitpid(-1, status, WNOHANG | __WALL) == pid) return; usleep(1000); } DIR* dir = opendir("/sys/fs/fuse/connections"); if (dir) { for (;;) { struct dirent* ent = readdir(dir); if (!ent) break; if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0) continue; char abort[300]; snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort", ent->d_name); int fd = open(abort, O_WRONLY); if (fd == -1) { continue; } if (write(fd, abort, 1) < 0) { } close(fd); } closedir(dir); } else { } while (waitpid(-1, status, __WALL) != pid) { } } static void setup_test() { prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); setpgrp(); write_file("/proc/self/oom_score_adj", "1000"); } struct thread_t { int created, call; event_t ready, done; }; static struct thread_t threads[16]; static void execute_call(int call); static int running; static void* thr(void* arg) { struct thread_t* th = (struct thread_t*)arg; for (;;) { event_wait(&th->ready); event_reset(&th->ready); execute_call(th->call); __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED); event_set(&th->done); } return 0; } static void execute_one(void) { int i, call, thread; int collide = 0; again: for (call = 0; call < 20; call++) { for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) { struct thread_t* th = &threads[thread]; if (!th->created) { th->created = 1; event_init(&th->ready); event_init(&th->done); event_set(&th->done); thread_start(thr, th); } if (!event_isset(&th->done)) continue; event_reset(&th->done); th->call = call; __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED); event_set(&th->ready); if (collide && (call % 2) == 0) break; event_timedwait(&th->done, 45 + (call == 0 ? 2000 : 0) + (call == 1 ? 300 : 0) + (call == 2 ? 300 : 0) + (call == 5 ? 2000 : 0) + (call == 13 ? 2000 : 0) + (call == 14 ? 300 : 0) + (call == 15 ? 300 : 0) + (call == 18 ? 2000 : 0) + (call == 19 ? 300 : 0)); break; } } for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++) sleep_ms(1); if (!collide) { collide = 1; goto again; } } static void execute_one(void); #define WAIT_FLAGS __WALL static void loop(void) { int iter; for (iter = 0;; iter++) { int pid = fork(); if (pid < 0) exit(1); if (pid == 0) { setup_test(); execute_one(); exit(0); } int status = 0; uint64_t start = current_time_ms(); for (;;) { if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) break; sleep_ms(1); if (current_time_ms() - start < 5 * 1000) continue; kill_and_wait(pid, &status); break; } } } uint64_t r[5] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff}; void execute_call(int call) { intptr_t res; switch (call) { case 0: NONFAILING(memcpy((void*)0x20000000, "\x12\x01\x00\x00\x00\x00\x00\x20\x6d\x90\xd9\xc3\x40\x00" "\x00\x00\x00\x01\x09\x02\x24\x00\x01\x00\x00\xa0\x00\x09" "\x04\x00\x00\x01\x03\x01\x01\x00\x09\x21\x00\x00\x00\x01" "\x22\x05\x00\x09\x05\x81\x03\x00\xe1\x00\x00\x00", 54)); res = syz_usb_connect(0, 0x36, 0x20000000, 0); if (res != -1) r[0] = res; break; case 1: syz_usb_control_io(r[0], 0, 0); break; case 2: NONFAILING(*(uint32_t*)0x20000500 = 0x34); NONFAILING(*(uint64_t*)0x20000504 = 0); NONFAILING(*(uint64_t*)0x2000050c = 0); NONFAILING(*(uint64_t*)0x20000514 = 0x200002c0); NONFAILING(*(uint8_t*)0x200002c0 = 0); NONFAILING(*(uint8_t*)0x200002c1 = 0x22); NONFAILING(*(uint32_t*)0x200002c2 = 5); NONFAILING(*(uint8_t*)0x200002c6 = 5); NONFAILING(*(uint8_t*)0x200002c7 = 0xf); NONFAILING(*(uint16_t*)0x200002c8 = 5); NONFAILING(*(uint8_t*)0x200002ca = 0); NONFAILING(*(uint64_t*)0x2000051c = 0); NONFAILING(*(uint64_t*)0x20000524 = 0); NONFAILING(*(uint64_t*)0x2000052c = 0); NONFAILING(*(uint32_t*)0x20000700 = 0xcc); NONFAILING(*(uint64_t*)0x20000704 = 0); NONFAILING(*(uint64_t*)0x2000070c = 0); NONFAILING(*(uint64_t*)0x20000714 = 0); NONFAILING(*(uint64_t*)0x2000071c = 0); NONFAILING(*(uint64_t*)0x20000724 = 0); NONFAILING(*(uint64_t*)0x2000072c = 0); NONFAILING(*(uint64_t*)0x20000734 = 0); NONFAILING(*(uint64_t*)0x2000073c = 0); NONFAILING(*(uint64_t*)0x20000744 = 0); NONFAILING(*(uint64_t*)0x2000074c = 0); NONFAILING(*(uint64_t*)0x20000754 = 0); NONFAILING(*(uint64_t*)0x2000075c = 0); NONFAILING(*(uint64_t*)0x20000764 = 0); NONFAILING(*(uint64_t*)0x2000076c = 0); NONFAILING(*(uint64_t*)0x20000774 = 0); NONFAILING(*(uint64_t*)0x2000077c = 0); NONFAILING(*(uint64_t*)0x20000784 = 0); NONFAILING(*(uint64_t*)0x2000078c = 0); NONFAILING(*(uint64_t*)0x20000794 = 0); NONFAILING(*(uint64_t*)0x2000079c = 0); NONFAILING(*(uint64_t*)0x200007a4 = 0); NONFAILING(*(uint64_t*)0x200007ac = 0); NONFAILING(*(uint64_t*)0x200007b4 = 0); NONFAILING(*(uint64_t*)0x200007bc = 0); NONFAILING(*(uint64_t*)0x200007c4 = 0); syz_usb_control_io(r[0], 0x20000500, 0x20000700); break; case 3: NONFAILING(memcpy((void*)0x20000000, "/dev/hidraw#\000", 13)); syz_open_dev(0x20000000, 0, 0); break; case 4: res = syz_open_dev(0, 0, 0); if (res != -1) r[1] = res; break; case 5: NONFAILING(*(uint8_t*)0x20000040 = 0x12); NONFAILING(*(uint8_t*)0x20000041 = 1); NONFAILING(*(uint16_t*)0x20000042 = 0x110); NONFAILING(*(uint8_t*)0x20000044 = 0); NONFAILING(*(uint8_t*)0x20000045 = 0); NONFAILING(*(uint8_t*)0x20000046 = 0); NONFAILING(*(uint8_t*)0x20000047 = 0x10); NONFAILING(*(uint16_t*)0x20000048 = 0x5ac); NONFAILING(*(uint16_t*)0x2000004a = 0x304); NONFAILING(*(uint16_t*)0x2000004c = 0x40); NONFAILING(*(uint8_t*)0x2000004e = 0x44); NONFAILING(*(uint8_t*)0x2000004f = 0); NONFAILING(*(uint8_t*)0x20000050 = -1); NONFAILING(*(uint8_t*)0x20000051 = 1); NONFAILING(*(uint8_t*)0x20000052 = 9); NONFAILING(*(uint8_t*)0x20000053 = 2); NONFAILING(*(uint16_t*)0x20000054 = 0x2d); NONFAILING(*(uint8_t*)0x20000056 = 1); NONFAILING(*(uint8_t*)0x20000057 = 7); NONFAILING(*(uint8_t*)0x20000058 = 2); NONFAILING(*(uint8_t*)0x20000059 = 0xa0); NONFAILING(*(uint8_t*)0x2000005a = 9); NONFAILING(*(uint8_t*)0x2000005b = 9); NONFAILING(*(uint8_t*)0x2000005c = 4); NONFAILING(*(uint8_t*)0x2000005d = 8); NONFAILING(*(uint8_t*)0x2000005e = 4); NONFAILING(*(uint8_t*)0x2000005f = 0x12); NONFAILING(*(uint8_t*)0x20000060 = 3); NONFAILING(*(uint8_t*)0x20000061 = 1); NONFAILING(*(uint8_t*)0x20000062 = 0); NONFAILING(*(uint8_t*)0x20000063 = 0); NONFAILING(*(uint8_t*)0x20000064 = 9); NONFAILING(*(uint8_t*)0x20000065 = 0x21); NONFAILING(*(uint16_t*)0x20000066 = 9); NONFAILING(*(uint8_t*)0x20000068 = 0); NONFAILING(*(uint8_t*)0x20000069 = 1); NONFAILING(*(uint8_t*)0x2000006a = 0x22); NONFAILING(*(uint16_t*)0x2000006b = 0x680); NONFAILING(*(uint8_t*)0x2000006d = 9); NONFAILING(*(uint8_t*)0x2000006e = 5); NONFAILING(*(uint8_t*)0x2000006f = 0x81); NONFAILING(*(uint8_t*)0x20000070 = 3); NONFAILING(*(uint16_t*)0x20000071 = 0xbb6); NONFAILING(*(uint8_t*)0x20000073 = 2); NONFAILING(*(uint8_t*)0x20000074 = 7); NONFAILING(*(uint8_t*)0x20000075 = 0xd4); NONFAILING(*(uint8_t*)0x20000076 = 9); NONFAILING(*(uint8_t*)0x20000077 = 5); NONFAILING(*(uint8_t*)0x20000078 = 2); NONFAILING(*(uint8_t*)0x20000079 = 3); NONFAILING(*(uint16_t*)0x2000007a = 0); NONFAILING(*(uint8_t*)0x2000007c = 7); NONFAILING(*(uint8_t*)0x2000007d = 0); NONFAILING(*(uint8_t*)0x2000007e = 5); NONFAILING(*(uint32_t*)0x20000480 = 0xa); NONFAILING(*(uint64_t*)0x20000484 = 0x20000080); NONFAILING(*(uint8_t*)0x20000080 = 0xa); NONFAILING(*(uint8_t*)0x20000081 = 6); NONFAILING(*(uint16_t*)0x20000082 = 0); NONFAILING(*(uint8_t*)0x20000084 = 6); NONFAILING(*(uint8_t*)0x20000085 = -1); NONFAILING(*(uint8_t*)0x20000086 = 3); NONFAILING(*(uint8_t*)0x20000087 = 0x40); NONFAILING(*(uint8_t*)0x20000088 = 0); NONFAILING(*(uint8_t*)0x20000089 = 0); NONFAILING(*(uint32_t*)0x2000048c = 0xc5); NONFAILING(*(uint64_t*)0x20000490 = 0x200000c0); NONFAILING(*(uint8_t*)0x200000c0 = 5); NONFAILING(*(uint8_t*)0x200000c1 = 0xf); NONFAILING(*(uint16_t*)0x200000c2 = 0xc5); NONFAILING(*(uint8_t*)0x200000c4 = 3); NONFAILING(*(uint8_t*)0x200000c5 = 0xb); NONFAILING(*(uint8_t*)0x200000c6 = 0x10); NONFAILING(*(uint8_t*)0x200000c7 = 1); NONFAILING(*(uint8_t*)0x200000c8 = 0xc); NONFAILING(*(uint16_t*)0x200000c9 = 0x10); NONFAILING(*(uint8_t*)0x200000cb = 1); NONFAILING(*(uint8_t*)0x200000cc = 1); NONFAILING(*(uint16_t*)0x200000cd = 8); NONFAILING(*(uint8_t*)0x200000cf = -1); NONFAILING(*(uint8_t*)0x200000d0 = 0xaa); NONFAILING(*(uint8_t*)0x200000d1 = 0x10); NONFAILING(*(uint8_t*)0x200000d2 = 2); NONFAILING(memcpy( (void*)0x200000d3, "\xfc\x46\x69\x7f\x23\xee\x29\x2e\xb8\xbf\x56\xe8\x3b\xce\xc5\xcd\xbe" "\x91\xf9\x1c\x8a\xb3\xde\xe0\xf5\x15\x80\xbd\xad\x5d\xb2\x8b\x44\x13" "\x08\x63\xfd\xd0\x1a\x2f\xf5\xd8\xad\xb1\x50\x19\x93\x96\x38\xfe\x44" "\x15\x08\xc9\x92\xd4\xda\xc0\x89\x35\x81\xa2\x65\x6b\x82\x20\x1b\x8f" "\xbc\x68\x80\x7b\xca\x9f\xc5\xa6\xf1\x68\x68\x2a\x71\x74\x5e\x20\xda" "\x99\x03\x9e\xb3\xad\x60\x4b\xcf\x05\xfd\x44\xb9\x1f\x5f\x33\x33\xcf" "\x1c\xd0\x01\xe3\x4f\xd8\xfa\x3e\x60\xc8\x79\xdd\x8a\xc7\x27\x20\x73" "\x07\x48\x13\x3c\xb5\x53\x40\x64\x6c\x81\x69\x14\x76\xd6\xd5\xb3\xf1" "\xfa\x8b\x83\x92\xd0\x24\x13\x85\x6c\x21\x25\x53\xbd\xbd\x66\xf0\x42" "\xe9\x32\x4d\x45\xef\xed\xb4\x35\x37\xcb\x42\x24\x3a\xf6", 167)); NONFAILING(*(uint8_t*)0x2000017a = 0xb); NONFAILING(*(uint8_t*)0x2000017b = 0x10); NONFAILING(*(uint8_t*)0x2000017c = 1); NONFAILING(*(uint8_t*)0x2000017d = 8); NONFAILING(*(uint16_t*)0x2000017e = 0); NONFAILING(*(uint8_t*)0x20000180 = 2); NONFAILING(*(uint8_t*)0x20000181 = -1); NONFAILING(*(uint16_t*)0x20000182 = 2); NONFAILING(*(uint8_t*)0x20000184 = 0); NONFAILING(*(uint32_t*)0x20000498 = 6); NONFAILING(*(uint32_t*)0x2000049c = 0); NONFAILING(*(uint64_t*)0x200004a0 = 0); NONFAILING(*(uint32_t*)0x200004a8 = 0x6c); NONFAILING(*(uint64_t*)0x200004ac = 0x20000240); NONFAILING(*(uint8_t*)0x20000240 = 0x6c); NONFAILING(*(uint8_t*)0x20000241 = 3); NONFAILING(*(uint16_t*)0x20000242 = 0x444f); NONFAILING(memcpy((void*)0x20000244, "\x2c\x9c\x9d\xae\x91\x9c\xe1\xf1\x49\x53\x25\xf6\xcd\x36" "\x56\x70\xa0\x82\x3a\x8b\x3f\x5e\x40\x48\x6e\x57\x13\x51" "\x3a\x71\x45\xc2\x47\x30\x4d\xd4\x0b\xb7\x67\xd9\x5d\x90" "\x09\x9a\x63\xd1\xf4\x11\x25\xb8\x03\xae\xd5\x58\xab\xb5" "\x0a\x98\x43\xc9\x9a\xec\x7a\x0c\x65\x5d\x7f\x82\xbc\x12" "\x18\x55\x45\x96\xbd\x48\xca\xb9\x1b\xb0\xd9\x00\xf9\xa7" "\x8a\x5f\x7e\x5f\x91\xa4\x37\x07\x9b\xae\xb1\x86\xff\xfd" "\x84\xd1\xa4\x75\xdd\x1e", 104)); NONFAILING(*(uint32_t*)0x200004b4 = 0x92); NONFAILING(*(uint64_t*)0x200004b8 = 0x20000300); NONFAILING(*(uint8_t*)0x20000300 = 0x92); NONFAILING(*(uint8_t*)0x20000301 = 3); NONFAILING(*(uint16_t*)0x20000302 = 0); NONFAILING(memcpy( (void*)0x20000304, "\x6f\xab\x6b\x87\x2a\x40\x75\x79\x5f\xe2\x7f\x87\x1d\xa4\x0b\x28\x28" "\xe7\x7b\x33\x9d\xda\x12\xb5\x80\x66\xb1\x44\x2c\x7c\x95\x48\xbf\xd6" "\x62\x81\x9f\x92\x44\xdf\xb8\x28\xda\x0b\x24\x5c\x66\x56\xbf\x5c\xef" "\xda\xb1\x1d\x99\x7d\x34\x0c\xbc\x63\x4d\x3a\x06\x5c\x58\x8e\x74\xc6" "\xa1\xe7\x7a\x04\xc4\x36\x76\x35\x35\xa4\x13\x26\x70\xe4\x39\xeb\x11" "\x28\x9c\x8a\xef\xd5\x1b\xc6\x53\xe2\x04\x21\x53\x5b\x06\x45\x2e\xd7" "\x9f\xb5\xb3\x37\xfc\x8d\x55\x42\x41\x3b\x72\x10\xac\x24\xaa\xb0\x8d" "\x63\xcf\xe9\x05\x55\x0b\x4c\xb8\xf0\xf2\x9a\x41\xbd\x19\x17\x29\x49" "\xcd\xd3\x97\x6b\x06\xfc", 142)); NONFAILING(*(uint32_t*)0x200004c0 = 4); NONFAILING(*(uint64_t*)0x200004c4 = 0x200003c0); NONFAILING(*(uint8_t*)0x200003c0 = 4); NONFAILING(*(uint8_t*)0x200003c1 = 3); NONFAILING(*(uint16_t*)0x200003c2 = 0x2401); NONFAILING(*(uint32_t*)0x200004cc = 0x3e); NONFAILING(*(uint64_t*)0x200004d0 = 0x20000400); NONFAILING(*(uint8_t*)0x20000400 = 0x3e); NONFAILING(*(uint8_t*)0x20000401 = 3); NONFAILING(*(uint16_t*)0x20000402 = 0x541b); NONFAILING(memcpy((void*)0x20000404, "\x14\x87\xcc\xe8\x81\x59\xd6\x72\x19\x87\xbf\x1e\x40\xdd" "\x77\x59\x97\x10\x27\x71\x83\xc8\x29\x3c\xe5\x25\x9f\x59" "\xed\x5b\x73\x00\x40\x69\x6f\xca\xe0\x89\xaa\xc6\xab\xc7" "\x89\x35\xdf\xcf\xd9\xa6\x58\xda\x79\x12\xf6\xca\xa3\x7b" "\x1d\xa3", 58)); NONFAILING(*(uint32_t*)0x200004d8 = 0x11); NONFAILING(*(uint64_t*)0x200004dc = 0x20000440); NONFAILING(*(uint8_t*)0x20000440 = 0x11); NONFAILING(*(uint8_t*)0x20000441 = 3); NONFAILING(*(uint16_t*)0x20000442 = 0x809); NONFAILING(memcpy((void*)0x20000444, "\x07\x25\x18\x43\x89\xc3\x20\xe3\x34\xfc\xf6\xef\x26", 13)); syz_usb_connect(0, 0x3f, 0x20000040, 0x20000480); break; case 6: syscall(__NR_ioctl, r[1], 0x80044801, 0x200015c0); break; case 7: NONFAILING(memcpy((void*)0x20000040, "/dev/input/event#\000", 18)); res = syz_open_dev(0x20000040, 0, 0); if (res != -1) r[2] = res; break; case 8: syscall(__NR_ioctl, r[2], 0x8000450a, 0xb3dc7000); break; case 9: NONFAILING(memcpy((void*)0x20000040, "/dev/input/event#\000", 18)); syz_open_dev(0x20000040, 0, 0); break; case 10: NONFAILING(memcpy((void*)0x20000000, "/dev/usb/hiddev#\000", 17)); res = syz_open_dev(0x20000000, 0x40, 0); if (res != -1) r[3] = res; break; case 11: syscall(__NR_ioctl, r[3], 0x80044801, 0x20000080); break; case 12: syscall(__NR_ioctl, r[3], 0x8000450a, 0xff); break; case 13: NONFAILING(memcpy((void*)0x20000000, "\x12\x01\x00\x00\x00\x00\x00\x20\x6d\x90\xd9\xc3\x40\x00" "\x00\x00\x00\x01\x09\x02\x24\x00\x01\x00\x00\xa0\x00\x09" "\x04\x00\x00\x01\x03\x01\x01\x00\x09\x21\x00\x00\x00\x01" "\x22\x05\x00\x09\x05\x81\x03\x00\xe1\x00\x00\x00", 54)); res = syz_usb_connect(0, 0x36, 0x20000000, 0); if (res != -1) r[4] = res; break; case 14: syz_usb_control_io(r[4], 0, 0); break; case 15: NONFAILING(*(uint32_t*)0x20000500 = 0x34); NONFAILING(*(uint64_t*)0x20000504 = 0); NONFAILING(*(uint64_t*)0x2000050c = 0); NONFAILING(*(uint64_t*)0x20000514 = 0x200002c0); NONFAILING(*(uint8_t*)0x200002c0 = 0); NONFAILING(*(uint8_t*)0x200002c1 = 0x22); NONFAILING(*(uint32_t*)0x200002c2 = 5); NONFAILING(*(uint8_t*)0x200002c6 = 5); NONFAILING(*(uint8_t*)0x200002c7 = 0xf); NONFAILING(*(uint16_t*)0x200002c8 = 5); NONFAILING(*(uint8_t*)0x200002ca = 0); NONFAILING(*(uint64_t*)0x2000051c = 0); NONFAILING(*(uint64_t*)0x20000524 = 0); NONFAILING(*(uint64_t*)0x2000052c = 0); NONFAILING(*(uint32_t*)0x20000700 = 0xcc); NONFAILING(*(uint64_t*)0x20000704 = 0); NONFAILING(*(uint64_t*)0x2000070c = 0); NONFAILING(*(uint64_t*)0x20000714 = 0); NONFAILING(*(uint64_t*)0x2000071c = 0); NONFAILING(*(uint64_t*)0x20000724 = 0); NONFAILING(*(uint64_t*)0x2000072c = 0); NONFAILING(*(uint64_t*)0x20000734 = 0); NONFAILING(*(uint64_t*)0x2000073c = 0); NONFAILING(*(uint64_t*)0x20000744 = 0); NONFAILING(*(uint64_t*)0x2000074c = 0); NONFAILING(*(uint64_t*)0x20000754 = 0); NONFAILING(*(uint64_t*)0x2000075c = 0); NONFAILING(*(uint64_t*)0x20000764 = 0); NONFAILING(*(uint64_t*)0x2000076c = 0); NONFAILING(*(uint64_t*)0x20000774 = 0); NONFAILING(*(uint64_t*)0x2000077c = 0); NONFAILING(*(uint64_t*)0x20000784 = 0); NONFAILING(*(uint64_t*)0x2000078c = 0); NONFAILING(*(uint64_t*)0x20000794 = 0); NONFAILING(*(uint64_t*)0x2000079c = 0); NONFAILING(*(uint64_t*)0x200007a4 = 0); NONFAILING(*(uint64_t*)0x200007ac = 0); NONFAILING(*(uint64_t*)0x200007b4 = 0); NONFAILING(*(uint64_t*)0x200007bc = 0); NONFAILING(*(uint64_t*)0x200007c4 = 0); syz_usb_control_io(r[4], 0x20000500, 0x20000700); break; case 16: NONFAILING(memcpy((void*)0x20000000, "/dev/hidraw#\000", 13)); syz_open_dev(0x20000000, 0, 0); break; case 17: syz_open_dev(0, 0, 0); break; case 18: NONFAILING(*(uint32_t*)0x20000480 = 0xa); NONFAILING(*(uint64_t*)0x20000484 = 0x20000080); NONFAILING(*(uint8_t*)0x20000080 = 0xa); NONFAILING(*(uint8_t*)0x20000081 = 6); NONFAILING(*(uint16_t*)0x20000082 = 0); NONFAILING(*(uint8_t*)0x20000084 = 6); NONFAILING(*(uint8_t*)0x20000085 = -1); NONFAILING(*(uint8_t*)0x20000086 = 3); NONFAILING(*(uint8_t*)0x20000087 = 0x40); NONFAILING(*(uint8_t*)0x20000088 = 0); NONFAILING(*(uint8_t*)0x20000089 = 0); NONFAILING(*(uint32_t*)0x2000048c = 0xc5); NONFAILING(*(uint64_t*)0x20000490 = 0x200000c0); NONFAILING(*(uint8_t*)0x200000c0 = 5); NONFAILING(*(uint8_t*)0x200000c1 = 0xf); NONFAILING(*(uint16_t*)0x200000c2 = 0xc5); NONFAILING(*(uint8_t*)0x200000c4 = 3); NONFAILING(*(uint8_t*)0x200000c5 = 0xb); NONFAILING(*(uint8_t*)0x200000c6 = 0x10); NONFAILING(*(uint8_t*)0x200000c7 = 1); NONFAILING(*(uint8_t*)0x200000c8 = 0xc); NONFAILING(*(uint16_t*)0x200000c9 = 0x10); NONFAILING(*(uint8_t*)0x200000cb = 1); NONFAILING(*(uint8_t*)0x200000cc = 1); NONFAILING(*(uint16_t*)0x200000cd = 8); NONFAILING(*(uint8_t*)0x200000cf = -1); NONFAILING(*(uint8_t*)0x200000d0 = 0xaa); NONFAILING(*(uint8_t*)0x200000d1 = 0x10); NONFAILING(*(uint8_t*)0x200000d2 = 2); NONFAILING(memcpy( (void*)0x200000d3, "\xfc\x46\x69\x7f\x23\xee\x29\x2e\xb8\xbf\x56\xe8\x3b\xce\xc5\xcd\xbe" "\x91\xf9\x1c\x8a\xb3\xde\xe0\xf5\x15\x80\xbd\xad\x5d\xb2\x8b\x44\x13" "\x08\x63\xfd\xd0\x1a\x2f\xf5\xd8\xad\xb1\x50\x19\x93\x96\x38\xfe\x44" "\x15\x08\xc9\x92\xd4\xda\xc0\x89\x35\x81\xa2\x65\x6b\x82\x20\x1b\x8f" "\xbc\x68\x80\x7b\xca\x9f\xc5\xa6\xf1\x68\x68\x2a\x71\x74\x5e\x20\xda" "\x99\x03\x9e\xb3\xad\x60\x4b\xcf\x05\xfd\x44\xb9\x1f\x5f\x33\x33\xcf" "\x1c\xd0\x01\xe3\x4f\xd8\xfa\x3e\x60\xc8\x79\xdd\x8a\xc7\x27\x20\x73" "\x07\x48\x13\x3c\xb5\x53\x40\x64\x6c\x81\x69\x14\x76\xd6\xd5\xb3\xf1" "\xfa\x8b\x83\x92\xd0\x24\x13\x85\x6c\x21\x25\x53\xbd\xbd\x66\xf0\x42" "\xe9\x32\x4d\x45\xef\xed\xb4\x35\x37\xcb\x42\x24\x3a\xf6", 167)); NONFAILING(*(uint8_t*)0x2000017a = 0xb); NONFAILING(*(uint8_t*)0x2000017b = 0x10); NONFAILING(*(uint8_t*)0x2000017c = 1); NONFAILING(*(uint8_t*)0x2000017d = 8); NONFAILING(*(uint16_t*)0x2000017e = 0); NONFAILING(*(uint8_t*)0x20000180 = 2); NONFAILING(*(uint8_t*)0x20000181 = -1); NONFAILING(*(uint16_t*)0x20000182 = 2); NONFAILING(*(uint8_t*)0x20000184 = 0); NONFAILING(*(uint32_t*)0x20000498 = 6); NONFAILING(*(uint32_t*)0x2000049c = 0x59); NONFAILING(*(uint64_t*)0x200004a0 = 0x200001c0); NONFAILING(*(uint8_t*)0x200001c0 = 0x59); NONFAILING(*(uint8_t*)0x200001c1 = 3); NONFAILING(*(uint16_t*)0x200001c2 = 0x2c01); NONFAILING(memcpy( (void*)0x200001c4, "\xb6\xd3\x79\x09\xa6\x33\x18\x1b\x22\x48\xb8\x17\x46\x41\x24\x4d\xa3" "\x2e\x1a\x18\xe2\x9c\x59\xed\x4b\x77\xf1\x35\x92\xa4\xe0\xc3\x5d\x1b" "\xd8\x2a\xc6\x5a\xab\xab\x7e\xc3\x0d\x20\xae\xf1\xa4\x41\x96\xd5\xc7" "\x9b\x20\xff\x77\xac\xda\x27\x48\x16\xec\xe9\x21\xa2\xae\x09\xd3\x61" "\xf3\xef\xd3\x3b\xad\x8c\xc4\xf7\xc9\x0f\x9f\xb5\x74\x6a\xe6\x20\x4e", 85)); NONFAILING(*(uint32_t*)0x200004a8 = 0x6c); NONFAILING(*(uint64_t*)0x200004ac = 0x20000240); NONFAILING(*(uint8_t*)0x20000240 = 0x6c); NONFAILING(*(uint8_t*)0x20000241 = 3); NONFAILING(*(uint16_t*)0x20000242 = 0x444f); NONFAILING(memcpy((void*)0x20000244, "\x2c\x9c\x9d\xae\x91\x9c\xe1\xf1\x49\x53\x25\xf6\xcd\x36" "\x56\x70\xa0\x82\x3a\x8b\x3f\x5e\x40\x48\x6e\x57\x13\x51" "\x3a\x71\x45\xc2\x47\x30\x4d\xd4\x0b\xb7\x67\xd9\x5d\x90" "\x09\x9a\x63\xd1\xf4\x11\x25\xb8\x03\xae\xd5\x58\xab\xb5" "\x0a\x98\x43\xc9\x9a\xec\x7a\x0c\x65\x5d\x7f\x82\xbc\x12" "\x18\x55\x45\x96\xbd\x48\xca\xb9\x1b\xb0\xd9\x00\xf9\xa7" "\x8a\x5f\x7e\x5f\x91\xa4\x37\x07\x9b\xae\xb1\x86\xff\xfd" "\x84\xd1\xa4\x75\xdd\x1e", 104)); NONFAILING(*(uint32_t*)0x200004b4 = 0x92); NONFAILING(*(uint64_t*)0x200004b8 = 0x20000300); NONFAILING(*(uint8_t*)0x20000300 = 0x92); NONFAILING(*(uint8_t*)0x20000301 = 3); NONFAILING(*(uint16_t*)0x20000302 = 0); NONFAILING(memcpy( (void*)0x20000304, "\x6f\xab\x6b\x87\x2a\x40\x75\x79\x5f\xe2\x7f\x87\x1d\xa4\x0b\x28\x28" "\xe7\x7b\x33\x9d\xda\x12\xb5\x80\x66\xb1\x44\x2c\x7c\x95\x48\xbf\xd6" "\x62\x81\x9f\x92\x44\xdf\xb8\x28\xda\x0b\x24\x5c\x66\x56\xbf\x5c\xef" "\xda\xb1\x1d\x99\x7d\x34\x0c\xbc\x63\x4d\x3a\x06\x5c\x58\x8e\x74\xc6" "\xa1\xe7\x7a\x04\xc4\x36\x76\x35\x35\xa4\x13\x26\x70\xe4\x39\xeb\x11" "\x28\x9c\x8a\xef\xd5\x1b\xc6\x53\xe2\x04\x21\x53\x5b\x06\x45\x2e\xd7" "\x9f\xb5\xb3\x37\xfc\x8d\x55\x42\x41\x3b\x72\x10\xac\x24\xaa\xb0\x8d" "\x63\xcf\xe9\x05\x55\x0b\x4c\xb8\xf0\xf2\x9a\x41\xbd\x19\x17\x29\x49" "\xcd\xd3\x97\x6b\x06\xfc", 142)); NONFAILING(*(uint32_t*)0x200004c0 = 0x2e); NONFAILING(*(uint64_t*)0x200004c4 = 0x200003c0); NONFAILING(*(uint8_t*)0x200003c0 = 0x2e); NONFAILING(*(uint8_t*)0x200003c1 = 3); NONFAILING(*(uint16_t*)0x200003c2 = 0x2401); NONFAILING(memcpy((void*)0x200003c4, "\x84\xd0\x41\xe7\x80\xd4\x04\x27\xee" "\xfd\xd8\x02\xb8\x77\xfe\x7a\xeb\x58" "\xaf\xfd\xbf\x97\x49\x54\xd4\x11\xf4" "\xf9\x42\x35\xc1\x0d\x8e\xc2\x0a\x4d" "\xef\xca\x5d\xd2\x57\x93", 42)); NONFAILING(*(uint32_t*)0x200004cc = 0); NONFAILING(*(uint64_t*)0x200004d0 = 0); NONFAILING(*(uint32_t*)0x200004d8 = 0x11); NONFAILING(*(uint64_t*)0x200004dc = 0x20000440); NONFAILING(*(uint8_t*)0x20000440 = 0x11); NONFAILING(*(uint8_t*)0x20000441 = 3); NONFAILING(*(uint16_t*)0x20000442 = 0x809); NONFAILING(memcpy((void*)0x20000444, "\x07\x25\x18\x43\x89\xc3\x20\xe3\x34\xfc\xf6\xef\x26", 13)); syz_usb_connect(5, 0, 0, 0x20000480); break; case 19: NONFAILING(*(uint32_t*)0x20000b80 = 0x34); NONFAILING(*(uint64_t*)0x20000b84 = 0x200005c0); NONFAILING(*(uint8_t*)0x200005c0 = 0x60); NONFAILING(*(uint8_t*)0x200005c1 = 0); NONFAILING(*(uint32_t*)0x200005c2 = 0x7e); NONFAILING(*(uint8_t*)0x200005c6 = 0x7e); NONFAILING(*(uint8_t*)0x200005c7 = 0x2f); NONFAILING(memcpy((void*)0x200005c8, "\xd5\x44\x76\xe2\x79\xdc\x8a\x50\xfd\x1e\x25\x28\x5c\x4a" "\x43\xd8\x60\x98\xb0\x1b\x00\x4a\x06\x73\x16\xb8\x66\xa7" "\xcb\xc7\xff\xce\xdc\x23\xed\xf4\xd1\x70\x95\xe3\x76\x41" "\xaf\xfb\xe4\x3c\xd4\x96\x73\xec\x90\x32\xef\x00\xec\xb3" "\x8e\x4f\xb4\x99\x42\xd7\x43\xf5\xce\xb2\xeb\x59\xc9\x1d" "\x2d\xf1\x72\x66\xef\x0e\x95\x5d\x57\xc1\xd8\x06\x31\xd9" "\xc3\x1a\x42\xf4\xd3\x97\x1f\x15\xa8\x34\xd9\x02\xa4\x63" "\x89\xa5\x6e\xef\x41\x0a\xad\x7f\xdc\x2a\xce\x3e\xc1\x99" "\x09\x5b\x0e\x75\x7b\xbc\xbb\xbc\x07\x62\x36\x11", 124)); NONFAILING(*(uint64_t*)0x20000b8c = 0); NONFAILING(*(uint64_t*)0x20000b94 = 0x20000900); NONFAILING(*(uint8_t*)0x20000900 = 0); NONFAILING(*(uint8_t*)0x20000901 = 0xf); NONFAILING(*(uint32_t*)0x20000902 = 0xe3); NONFAILING(*(uint8_t*)0x20000906 = 5); NONFAILING(*(uint8_t*)0x20000907 = 0xf); NONFAILING(*(uint16_t*)0x20000908 = 0xe3); NONFAILING(*(uint8_t*)0x2000090a = 3); NONFAILING(*(uint8_t*)0x2000090b = 0xa); NONFAILING(*(uint8_t*)0x2000090c = 0x10); NONFAILING(*(uint8_t*)0x2000090d = 3); NONFAILING(*(uint8_t*)0x2000090e = 2); NONFAILING(*(uint16_t*)0x2000090f = 0); NONFAILING(*(uint8_t*)0x20000911 = 8); NONFAILING(*(uint8_t*)0x20000912 = -1); NONFAILING(*(uint16_t*)0x20000913 = 2); NONFAILING(*(uint8_t*)0x20000915 = 0xa); NONFAILING(*(uint8_t*)0x20000916 = 0x10); NONFAILING(*(uint8_t*)0x20000917 = 3); NONFAILING(*(uint8_t*)0x20000918 = 2); NONFAILING(*(uint16_t*)0x20000919 = 0xc); NONFAILING(*(uint8_t*)0x2000091b = 0); NONFAILING(*(uint8_t*)0x2000091c = 9); NONFAILING(*(uint16_t*)0x2000091d = 5); NONFAILING(*(uint8_t*)0x2000091f = 0xca); NONFAILING(*(uint8_t*)0x20000920 = 0x10); NONFAILING(*(uint8_t*)0x20000921 = 3); NONFAILING(memcpy( (void*)0x20000922, "\x59\x8f\x73\x44\x4d\x56\x65\x6f\xce\xc5\x0f\xfb\xdb\xb1\x32\xa4\xdc" "\x49\x13\x28\xc2\xb8\x89\x5e\xcc\x30\xf8\xf9\x42\xc6\x94\xc9\xc1\x8c" "\x63\xaf\x3b\xc1\x5c\xc4\x6a\x16\x8b\x46\xe1\xe3\xb9\x02\x5c\xb9\xa4" "\x0e\xf3\x17\x75\x71\x3e\x38\xf9\x38\x45\xdc\x65\x66\xf4\x63\x80\xba" "\xc1\x9e\x30\xbf\x42\x02\x5d\x19\xc5\xe3\xc3\x51\x91\x57\x80\xd0\xa9" "\x04\x77\x0b\x74\x47\x4e\xf9\x20\x84\x7b\x0d\x70\x03\x9f\xb5\x8a\x8e" "\x9f\xbc\x08\x98\xdf\x82\xfd\x06\xf1\x06\x80\x09\x18\x8a\xbe\x2f\x5e" "\xf6\xcf\x00\x59\xc1\xb5\x46\x64\xc9\xc7\xfc\x96\x79\x61\xa3\x78\x27" "\xd4\x17\x6f\x50\xee\xf6\x10\xb7\x7c\xf4\x94\xc2\xb9\x25\x17\x09\xe6" "\x0f\xaf\xd2\xba\x9b\x95\x2f\x81\xa1\x3b\x99\x5b\x55\x4b\x48\x44\x4c" "\x40\x8d\xeb\x71\x7d\xca\xb5\x74\xf4\x95\x85\x43\x7d\x5d\x7f\xc0\xa6" "\x23\x30\xd2\xd6\xe4\x94\x82\x35\x2f\x3e\xd9\xf2", 199)); NONFAILING(*(uint64_t*)0x20000b9c = 0); NONFAILING(*(uint64_t*)0x20000ba4 = 0x20000680); NONFAILING(*(uint8_t*)0x20000680 = 0x20); NONFAILING(*(uint8_t*)0x20000681 = 0x29); NONFAILING(*(uint32_t*)0x20000682 = 0xf); NONFAILING(*(uint8_t*)0x20000686 = 0xf); NONFAILING(*(uint8_t*)0x20000687 = 0x29); NONFAILING(*(uint8_t*)0x20000688 = 0x46); NONFAILING(*(uint16_t*)0x20000689 = 0); NONFAILING(*(uint8_t*)0x2000068b = 1); NONFAILING(*(uint8_t*)0x2000068c = 8); NONFAILING(memcpy((void*)0x2000068d, "\x76\xd5\xf5\x61", 4)); NONFAILING(memcpy((void*)0x20000691, "T=H\v", 4)); NONFAILING(*(uint64_t*)0x20000bac = 0x200006c0); NONFAILING(*(uint8_t*)0x200006c0 = 0x20); NONFAILING(*(uint8_t*)0x200006c1 = 0x2a); NONFAILING(*(uint32_t*)0x200006c2 = 0xc); NONFAILING(*(uint8_t*)0x200006c6 = 0xc); NONFAILING(*(uint8_t*)0x200006c7 = 0x2a); NONFAILING(*(uint8_t*)0x200006c8 = 0x4a); NONFAILING(*(uint16_t*)0x200006c9 = 4); NONFAILING(*(uint8_t*)0x200006cb = 0x40); NONFAILING(*(uint8_t*)0x200006cc = 0); NONFAILING(*(uint8_t*)0x200006cd = 2); NONFAILING(*(uint16_t*)0x200006ce = 5); NONFAILING(*(uint16_t*)0x200006d0 = 0xf4); NONFAILING(*(uint32_t*)0x200014c0 = 0xcc); NONFAILING(*(uint64_t*)0x200014c4 = 0x20000bc0); NONFAILING(*(uint8_t*)0x20000bc0 = 0x40); NONFAILING(*(uint8_t*)0x20000bc1 = 0xe); NONFAILING(*(uint32_t*)0x20000bc2 = 0); NONFAILING(*(uint64_t*)0x200014cc = 0x20000c00); NONFAILING(*(uint8_t*)0x20000c00 = 0); NONFAILING(*(uint8_t*)0x20000c01 = 0xa); NONFAILING(*(uint32_t*)0x20000c02 = 1); NONFAILING(*(uint8_t*)0x20000c06 = 0); NONFAILING(*(uint64_t*)0x200014d4 = 0x20000c40); NONFAILING(*(uint8_t*)0x20000c40 = 0); NONFAILING(*(uint8_t*)0x20000c41 = 8); NONFAILING(*(uint32_t*)0x20000c42 = 1); NONFAILING(*(uint8_t*)0x20000c46 = 0x40); NONFAILING(*(uint64_t*)0x200014dc = 0x20000c80); NONFAILING(memcpy((void*)0x20000c80, "\000\000\000\000\000\000\000\b", 8)); NONFAILING(*(uint64_t*)0x200014e4 = 0x20000cc0); NONFAILING(*(uint8_t*)0x20000cc0 = 0x20); NONFAILING(*(uint8_t*)0x20000cc1 = 0x82); NONFAILING(*(uint32_t*)0x20000cc2 = 1); NONFAILING(memcpy((void*)0x20000cc6, "\xc5", 1)); NONFAILING(*(uint64_t*)0x200014ec = 0x20000d00); NONFAILING(*(uint8_t*)0x20000d00 = 0x20); NONFAILING(*(uint8_t*)0x20000d01 = 0x83); NONFAILING(*(uint32_t*)0x20000d02 = 2); NONFAILING(memcpy((void*)0x20000d06, "\xa6\xaa", 2)); NONFAILING(*(uint64_t*)0x200014f4 = 0); NONFAILING(*(uint64_t*)0x200014fc = 0x20000d80); NONFAILING(*(uint8_t*)0x20000d80 = 0x20); NONFAILING(*(uint8_t*)0x20000d81 = 0x85); NONFAILING(*(uint32_t*)0x20000d82 = 3); NONFAILING(memcpy((void*)0x20000d86, "\xbd\xa1\x00", 3)); NONFAILING(*(uint64_t*)0x20001504 = 0x20000dc0); NONFAILING(*(uint8_t*)0x20000dc0 = 0x20); NONFAILING(*(uint8_t*)0x20000dc1 = 0); NONFAILING(*(uint32_t*)0x20000dc2 = 0); NONFAILING(*(uint64_t*)0x2000150c = 0); NONFAILING(*(uint64_t*)0x20001514 = 0x20001100); NONFAILING(*(uint8_t*)0x20001100 = 0x20); NONFAILING(*(uint8_t*)0x20001101 = 0); NONFAILING(*(uint32_t*)0x20001102 = 1); NONFAILING(*(uint8_t*)0x20001106 = 1); NONFAILING(*(uint64_t*)0x2000151c = 0x20001140); NONFAILING(*(uint8_t*)0x20001140 = 0x20); NONFAILING(*(uint8_t*)0x20001141 = 0); NONFAILING(*(uint32_t*)0x20001142 = 4); NONFAILING(*(uint16_t*)0x20001146 = 2); NONFAILING(*(uint16_t*)0x20001148 = 1); NONFAILING(*(uint64_t*)0x20001524 = 0x20001180); NONFAILING(*(uint8_t*)0x20001180 = 0x20); NONFAILING(*(uint8_t*)0x20001181 = 0); NONFAILING(*(uint32_t*)0x20001182 = 8); NONFAILING(*(uint16_t*)0x20001186 = 0x82); NONFAILING(*(uint16_t*)0x20001188 = 0x20); NONFAILING(*(uint32_t*)0x2000118a = 0xff00); NONFAILING(*(uint64_t*)0x2000152c = 0x200011c0); NONFAILING(*(uint8_t*)0x200011c0 = 0x20); NONFAILING(*(uint8_t*)0x200011c1 = 0x80); NONFAILING(*(uint32_t*)0x200011c2 = 0x1c); NONFAILING(*(uint16_t*)0x200011c6 = 3); NONFAILING(*(uint16_t*)0x200011c8 = 5); NONFAILING(*(uint32_t*)0x200011ca = 0xbf); NONFAILING(*(uint16_t*)0x200011ce = 0x7376); NONFAILING(*(uint16_t*)0x200011d0 = 0xba0b); NONFAILING(*(uint16_t*)0x200011d2 = 5); NONFAILING(*(uint16_t*)0x200011d4 = 0); NONFAILING(*(uint32_t*)0x200011d6 = 0x10000); NONFAILING(*(uint16_t*)0x200011da = 0x3f5); NONFAILING(*(uint16_t*)0x200011dc = 3); NONFAILING(*(uint16_t*)0x200011de = 0xd9e3); NONFAILING(*(uint16_t*)0x200011e0 = 0x81e); NONFAILING(*(uint64_t*)0x20001534 = 0); NONFAILING(*(uint64_t*)0x2000153c = 0); NONFAILING(*(uint64_t*)0x20001544 = 0x20001280); NONFAILING(*(uint8_t*)0x20001280 = 0x40); NONFAILING(*(uint8_t*)0x20001281 = 0xb); NONFAILING(*(uint32_t*)0x20001282 = 2); NONFAILING(memcpy((void*)0x20001286, "\x11\x7f", 2)); NONFAILING(*(uint64_t*)0x2000154c = 0x200012c0); NONFAILING(*(uint8_t*)0x200012c0 = 0x40); NONFAILING(*(uint8_t*)0x200012c1 = 0xf); NONFAILING(*(uint32_t*)0x200012c2 = 2); NONFAILING(*(uint16_t*)0x200012c6 = 0xf0); NONFAILING(*(uint64_t*)0x20001554 = 0x20001300); NONFAILING(*(uint8_t*)0x20001300 = 0x40); NONFAILING(*(uint8_t*)0x20001301 = 0x13); NONFAILING(*(uint32_t*)0x20001302 = 6); NONFAILING(*(uint8_t*)0x20001306 = 0xaa); NONFAILING(*(uint8_t*)0x20001307 = 0xaa); NONFAILING(*(uint8_t*)0x20001308 = 0xaa); NONFAILING(*(uint8_t*)0x20001309 = 0xaa); NONFAILING(*(uint8_t*)0x2000130a = 0xaa); NONFAILING(*(uint8_t*)0x2000130b = 0xbb); NONFAILING(*(uint64_t*)0x2000155c = 0x20001340); NONFAILING(*(uint8_t*)0x20001340 = 0x40); NONFAILING(*(uint8_t*)0x20001341 = 0x17); NONFAILING(*(uint32_t*)0x20001342 = 6); NONFAILING(*(uint8_t*)0x20001346 = 0xaa); NONFAILING(*(uint8_t*)0x20001347 = 0xaa); NONFAILING(*(uint8_t*)0x20001348 = 0xaa); NONFAILING(*(uint8_t*)0x20001349 = 0xaa); NONFAILING(*(uint8_t*)0x2000134a = 0xaa); NONFAILING(*(uint8_t*)0x2000134b = 0xbb); NONFAILING(*(uint64_t*)0x20001564 = 0x20001380); NONFAILING(*(uint8_t*)0x20001380 = 0x40); NONFAILING(*(uint8_t*)0x20001381 = 0x19); NONFAILING(*(uint32_t*)0x20001382 = 2); NONFAILING(memcpy((void*)0x20001386, "\x4a\xc3", 2)); NONFAILING(*(uint64_t*)0x2000156c = 0x200013c0); NONFAILING(*(uint8_t*)0x200013c0 = 0x40); NONFAILING(*(uint8_t*)0x200013c1 = 0x1a); NONFAILING(*(uint32_t*)0x200013c2 = 2); NONFAILING(*(uint16_t*)0x200013c6 = 0xac); NONFAILING(*(uint64_t*)0x20001574 = 0x20001400); NONFAILING(*(uint8_t*)0x20001400 = 0x40); NONFAILING(*(uint8_t*)0x20001401 = 0x1c); NONFAILING(*(uint32_t*)0x20001402 = 1); NONFAILING(*(uint8_t*)0x20001406 = 0x40); NONFAILING(*(uint64_t*)0x2000157c = 0x20001440); NONFAILING(*(uint8_t*)0x20001440 = 0x40); NONFAILING(*(uint8_t*)0x20001441 = 0x1e); NONFAILING(*(uint32_t*)0x20001442 = 1); NONFAILING(*(uint8_t*)0x20001446 = 1); NONFAILING(*(uint64_t*)0x20001584 = 0x20001480); NONFAILING(*(uint8_t*)0x20001480 = 0x40); NONFAILING(*(uint8_t*)0x20001481 = 0x21); NONFAILING(*(uint32_t*)0x20001482 = 1); NONFAILING(*(uint8_t*)0x20001486 = -1); syz_usb_control_io(r[4], 0x20000b80, 0x200014c0); break; } } int main(void) { syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0); install_segv_handler(); for (procid = 0; procid < 6; procid++) { if (fork() == 0) { loop(); } } sleep(1000000); return 0; }