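// https://syzkaller.appspot.com/bug?id=566325c29e627765e4f5d223163e5c15191f0f46
// autogenerated by syzkaller (http://github.com/google/syzkaller)

// _GNU_SOURCE has to be defined before the first glibc header is pulled in,
// otherwise htobe16() (endian.h) and syscall() (unistd.h) are not declared.
#define _GNU_SOURCE

// NOTE(review): the extracted copy of this file had the header names stripped
// from its five #include lines. They were restored from the identifiers the
// program uses: htobe16 -> endian.h, uint*_t -> stdint.h, memcpy -> string.h,
// __NR_* -> sys/syscall.h, syscall -> unistd.h.
#include <endian.h>
#include <stdint.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

// Mask with the low bf_len bits set, in the given integer type.
#define BITMASK_LEN(type, bf_len) (type)((1ull << (bf_len)) - 1)
// The same mask moved up to bit position bf_off.
#define BITMASK_LEN_OFF(type, bf_off, bf_len) \
  (type)(BITMASK_LEN(type, (bf_len)) << (bf_off))
// Write val into the bf_len-bit field starting at bit bf_off of *addr.
// (bf_off, bf_len) == (0, 0) means "overwrite the whole object".
// Wrapped in do { } while (0) so a use is exactly one statement and the
// embedded if/else can never bind to an else of the caller.
#define STORE_BY_BITMASK(type, addr, val, bf_off, bf_len)               \
  do {                                                                  \
    if ((bf_off) == 0 && (bf_len) == 0) {                               \
      *(type*)(addr) = (type)(val);                                     \
    } else {                                                            \
      type new_val = *(type*)(addr);                                    \
      new_val &= ~BITMASK_LEN_OFF(type, (bf_off), (bf_len));            \
      new_val |= ((type)(val)&BITMASK_LEN(type, (bf_len))) << (bf_off); \
      *(type*)(addr) = new_val;                                         \
    }                                                                   \
  } while (0)

// Resource table used by the replayed program: r[0] holds the socket fd
// returned by socket(), or stays all-ones (-1) when that call fails, in which
// case the connect()/sendmsg() calls below are expected to fail as well.
uint64_t r[1] = {0xffffffffffffffff};

// Replay the syscall sequence syzkaller recorded. Every pointer argument is a
// fixed address inside the anonymous region main() maps at 0x20000000, so
// this must only be called after that mapping exists.
void loop(void)
{
  long res = 0;

  // socket(domain 0xa = AF_INET6, type 2 = SOCK_DGRAM, protocol 0)
  res = syscall(__NR_socket, 0xa, 2, 0);
  if (res != -1)
    r[0] = res;

  // struct sockaddr_in6 at 0x200000c0, 0x1c = 28 bytes: family 0xa, port
  // 0x4e20 in network byte order, flowinfo 0, 16-byte address all zero,
  // scope_id 0.
  *(uint16_t*)0x200000c0 = 0xa;
  *(uint16_t*)0x200000c2 = htobe16(0x4e20);
  *(uint32_t*)0x200000c4 = 0;
  *(uint8_t*)0x200000c8 = 0;
  *(uint8_t*)0x200000c9 = 0;
  *(uint8_t*)0x200000ca = 0;
  *(uint8_t*)0x200000cb = 0;
  *(uint8_t*)0x200000cc = 0;
  *(uint8_t*)0x200000cd = 0;
  *(uint8_t*)0x200000ce = 0;
  *(uint8_t*)0x200000cf = 0;
  *(uint8_t*)0x200000d0 = 0;
  *(uint8_t*)0x200000d1 = 0;
  *(uint8_t*)0x200000d2 = 0;
  *(uint8_t*)0x200000d3 = 0;
  *(uint8_t*)0x200000d4 = 0;
  *(uint8_t*)0x200000d5 = 0;
  *(uint8_t*)0x200000d6 = 0;
  *(uint8_t*)0x200000d7 = 0;
  *(uint32_t*)0x200000d8 = 0;
  syscall(__NR_connect, r[0], 0x200000c0, 0x1c);

  // First struct msghdr at 0x20000080 (x86-64 layout): msg_name NULL,
  // msg_namelen 0, msg_iov 0x20000040 with msg_iovlen 0 (no payload),
  // msg_control 0x20002000 with msg_controllen 0, msg_flags 0.
  // sendmsg flags 0x8000 is MSG_MORE on Linux.
  *(uint64_t*)0x20000080 = 0;
  *(uint32_t*)0x20000088 = 0;
  *(uint64_t*)0x20000090 = 0x20000040;
  *(uint64_t*)0x20000098 = 0;
  *(uint64_t*)0x200000a0 = 0x20002000;
  *(uint64_t*)0x200000a8 = 0;
  *(uint32_t*)0x200000b0 = 0;
  syscall(__NR_sendmsg, r[0], 0x20000080, 0x8000);

  // Second struct msghdr at 0x20000180: one struct iovec at 0x20002ff0 whose
  // base is the 2-byte payload "\xbc\xe5" stored at 0x20000040 and whose
  // length is 2; msg_control 0x2000ae80 with msg_controllen 0; flags 0.
  *(uint64_t*)0x20000180 = 0;
  *(uint32_t*)0x20000188 = 0;
  *(uint64_t*)0x20000190 = 0x20002ff0;
  *(uint64_t*)0x20002ff0 = 0x20000040;
  memcpy((void*)0x20000040, "\xbc\xe5", 2);
  *(uint64_t*)0x20002ff8 = 2;
  *(uint64_t*)0x20000198 = 1;
  *(uint64_t*)0x200001a0 = 0x2000ae80;
  *(uint64_t*)0x200001a8 = 0;
  *(uint32_t*)0x200001b0 = 0;
  syscall(__NR_sendmsg, r[0], 0x20000180, 0);

  // The remaining stores are laid out like an Ethernet frame (two 6-byte
  // MACs, ethertype 0x9100, two VLAN tags, ethertype 0xd, a 64-byte blob)
  // followed by six u32 values, but no syscall in this reproducer is handed
  // any of these addresses afterwards. They look like a leftover from
  // syzkaller's minimisation and have no observable effect beyond the writes
  // themselves; they are kept so the replay matches the recorded program.
  *(uint8_t*)0x20000240 = 0xaa;
  *(uint8_t*)0x20000241 = 0xaa;
  *(uint8_t*)0x20000242 = 0xaa;
  *(uint8_t*)0x20000243 = 0xaa;
  *(uint8_t*)0x20000244 = 0xaa;
  *(uint8_t*)0x20000245 = 0x13;
  *(uint8_t*)0x20000246 = 1;
  *(uint8_t*)0x20000247 = 0x80;
  *(uint8_t*)0x20000248 = 0xc2;
  *(uint8_t*)0x20000249 = 0;
  *(uint8_t*)0x2000024a = 0;
  *(uint8_t*)0x2000024b = 3;
  *(uint16_t*)0x2000024c = htobe16(0x9100);
  STORE_BY_BITMASK(uint16_t, 0x2000024e, 9, 0, 3);
  STORE_BY_BITMASK(uint16_t, 0x2000024e, 0, 3, 1);
  STORE_BY_BITMASK(uint16_t, 0x2000024e, 4, 4, 12);
  *(uint16_t*)0x20000250 = htobe16(0x8100);
  STORE_BY_BITMASK(uint16_t, 0x20000252, 0x8e, 0, 3);
  STORE_BY_BITMASK(uint16_t, 0x20000252, 0x40, 3, 1);
  STORE_BY_BITMASK(uint16_t, 0x20000252, 0, 4, 12);
  *(uint16_t*)0x20000254 = htobe16(0xd);
  STORE_BY_BITMASK(uint32_t, 0x20000256, 2, 0, 29);
  STORE_BY_BITMASK(uint32_t, 0x20000256, 5, 29, 1);
  STORE_BY_BITMASK(uint32_t, 0x20000256, 8, 30, 1);
  STORE_BY_BITMASK(uint32_t, 0x20000256, 5, 31, 1);
  *(uint8_t*)0x2000025a = 0x16;
  *(uint8_t*)0x2000025b = 2;
  *(uint8_t*)0x2000025c = 0;
  *(uint8_t*)0x2000025d = 0;
  memcpy((void*)0x2000025e,
         "\xa5\x71\x0b\xe6\xd1\x8f\xb1\xe3\x77\x57\xf5\x04\x93\xe8\x07\x23\x67"
         "\xbc\x00\x92\xeb\x64\x9d\xd1\xa3\xa6\x4d\x5e\xb3\x03\xf1\xd2\x08\xc6"
         "\xab\x29\xe3\x1b\x31\x20\xe5\x79\x6c\x16\x04\x86\xae\x03\x32\xef\x10"
         "\xbe\x48\x76\x89\xdd\xa0\xf5\x4b\x60\x56\xc8\xdd\xbb",
         64);
  *(uint32_t*)0x200002c0 = 1;
  *(uint32_t*)0x200002c4 = 2;
  *(uint32_t*)0x200002c8 = 0x65e;
  *(uint32_t*)0x200002cc = 0xf66;
  *(uint32_t*)0x200002d0 = 0x417;
  *(uint32_t*)0x200002d4 = 0x3ae;
}

// Map the fixed 16 MiB scratch region the reproducer writes into, then replay
// the recorded program. Returns 0 after the replay, 1 if the mapping could
// not be created.
int main(void)
{
  // mmap(addr 0x20000000, len 0x1000000, prot 3 = PROT_READ|PROT_WRITE,
  //      flags 0x32 = MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, fd -1, off 0).
  // The original reproducer ignored the result; if this mapping fails every
  // fixed-address store in loop() would fault, so bail out instead.
  if (syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0) == -1)
    return 1;
  loop();
  return 0;
}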