// autogenerated by syzkaller (http://github.com/google/syzkaller) #ifndef __NR_sendmmsg #define __NR_sendmmsg 307 #endif #ifndef __NR_mmap #define __NR_mmap 9 #endif #ifndef __NR_socket #define __NR_socket 41 #endif #ifndef __NR_ioctl #define __NR_ioctl 16 #endif #ifndef __NR_connect #define __NR_connect 42 #endif #define _GNU_SOURCE #include #include #include #include static void test(); void loop() { while (1) { test(); } } long r[81]; void test() { memset(r, -1, sizeof(r)); r[0] = syscall(__NR_mmap, 0x20000000ul, 0xfff000ul, 0x3ul, 0x32ul, 0xfffffffffffffffful, 0x0ul); r[1] = syscall(__NR_socket, 0xaul, 0x3ul, 0x6ul); memcpy((void*)0x20334000, "\x73\x69\x74\x30\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00", 16); *(uint16_t*)0x20334010 = (uint16_t)0x2; r[4] = syscall(__NR_ioctl, r[1], 0x8914ul, 0x20334000ul); r[5] = syscall(__NR_socket, 0x2ul, 0x806ul, 0x0ul); memcpy((void*)0x20dc4000, "\x6c\x6f\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00", 16); *(uint64_t*)0x20dc4010 = (uint64_t)0x0; *(uint64_t*)0x20dc4018 = (uint64_t)0xffffffffffffffff; *(uint16_t*)0x20dc4020 = (uint16_t)0x2; *(uint8_t*)0x20dc4022 = (uint8_t)0x40; *(uint8_t*)0x20dc4023 = (uint8_t)0x2ed5; *(uint8_t*)0x20dc4024 = (uint8_t)0x8; r[13] = syscall(__NR_ioctl, r[5], 0x8922ul, 0x20dc4000ul); r[14] = syscall(__NR_socket, 0xaul, 0x8000000080803ul, 0x200000000fful); *(uint16_t*)0x20ffcfe4 = (uint16_t)0xa; *(uint16_t*)0x20ffcfe6 = (uint16_t)0x204e; *(uint32_t*)0x20ffcfe8 = (uint32_t)0xfffffffffffffffd; *(uint64_t*)0x20ffcfec = (uint64_t)0x0; *(uint64_t*)0x20ffcff4 = (uint64_t)0x100000000000000; *(uint32_t*)0x20ffcffc = (uint32_t)0xfffffffffffffffd; r[21] = syscall(__NR_connect, r[14], 0x20ffcfe4ul, 0x1cul); *(uint64_t*)0x20fe2f40 = (uint64_t)0x0; *(uint32_t*)0x20fe2f48 = (uint32_t)0x0; *(uint64_t*)0x20fe2f50 = (uint64_t)0x20736f70; *(uint64_t*)0x20fe2f58 = (uint64_t)0x3; *(uint64_t*)0x20fe2f60 = (uint64_t)0x20ff3000; *(uint64_t*)0x20fe2f68 = (uint64_t)0x0; *(uint32_t*)0x20fe2f70 = (uint32_t)0x1; *(uint32_t*)0x20fe2f78 = (uint32_t)0x0; *(uint64_t*)0x20fe2f80 = (uint64_t)0x0; *(uint32_t*)0x20fe2f88 = (uint32_t)0x0; *(uint64_t*)0x20fe2f90 = (uint64_t)0x20642000; *(uint64_t*)0x20fe2f98 = (uint64_t)0x2; *(uint64_t*)0x20fe2fa0 = (uint64_t)0x20acee40; *(uint64_t*)0x20fe2fa8 = (uint64_t)0x4; *(uint32_t*)0x20fe2fb0 = (uint32_t)0x4010; *(uint32_t*)0x20fe2fb8 = (uint32_t)0x5; *(uint64_t*)0x20fe2fc0 = (uint64_t)0x0; *(uint32_t*)0x20fe2fc8 = (uint32_t)0x0; *(uint64_t*)0x20fe2fd0 = (uint64_t)0x20ff4797; *(uint64_t*)0x20fe2fd8 = (uint64_t)0x0; *(uint64_t*)0x20fe2fe0 = (uint64_t)0x20f51000; *(uint64_t*)0x20fe2fe8 = (uint64_t)0x1; *(uint32_t*)0x20fe2ff0 = (uint32_t)0x20008000; *(uint32_t*)0x20fe2ff8 = (uint32_t)0x2; *(uint64_t*)0x20736f70 = (uint64_t)0x20a4ff16; *(uint64_t*)0x20736f78 = (uint64_t)0x19; *(uint64_t*)0x20736f80 = (uint64_t)0x20869fff; *(uint64_t*)0x20736f88 = (uint64_t)0x1; *(uint64_t*)0x20736f90 = (uint64_t)0x20b69000; *(uint64_t*)0x20736f98 = (uint64_t)0xe; memcpy((void*)0x20a4ff16, "\x8c\x57\x08\xbb\x94\x12\x40\xba\x9d\x13\xee\x30\xb0\x8c\x4e" "\xb2\x05\xae\x96\x02\xd5\x06\x29\x55\xff", 25); memcpy((void*)0x20869fff, "\xa5", 1); memcpy((void*)0x20b69000, "\xdf\x4b\x85\xcb\x5d\x5f\xd7\xe2\x50\x05\xb2\x5c\xc5\x0e", 14); *(uint64_t*)0x20642000 = (uint64_t)0x20aa4000; *(uint64_t*)0x20642008 = (uint64_t)0x19; *(uint64_t*)0x20642010 = (uint64_t)0x20ff3000; *(uint64_t*)0x20642018 = (uint64_t)0xa6; memcpy((void*)0x20aa4000, "\x01\x45\x00\x00\x00\x1f\x2c\x03\x1d\xd8\xcd\xbd\xce\x3a\x39" "\xbd\x46\x4e\x0f\xcf\x4c\xdc\x18\x8e\x8a", 25); memcpy((void*)0x20ff3000, "\x56\xbe\xdf\x98\x31\x01\xe9\x03\xbb\x60\xd0\xf4\x57\xa4\x4d" "\x46\x07\xb5\xf0\xb2\x5b\xd6\x67\x44\xf9\xd1\x5f\x57\x48\xca" "\x8e\xd5\x8b\x3d\x08\xe8\x46\x23\x86\x5b\xcd\xa5\xdd\xaf\x53" "\x80\x09\xae\xda\xc0\x0f\xdf\x62\xcd\xdb\x0a\xe7\x3f\xe9\x60" "\xc7\x3b\xc4\x5b\xf0\x5c\x09\xad\x36\x31\xbc\x7a\x82\x0a\xb4" "\x8b\x2b\x2a\xc0\x55\x88\xac\xd3\x31\x55\x54\x73\x9c\xa3\x91" "\xff\xe2\x58\xd3\xb6\x7a\x24\xd4\x0f\x09\x69\xca\x49\x7a\xe3" "\xb6\x48\x45\xc9\x9e\x6d\xba\xd7\x2a\x9c\x04\xcb\xea\x26\xe9" "\x19\xa2\x74\xde\x70\x28\xe7\x3f\xfb\x4b\xf9\x79\xd5\x9f\xe5" "\xcf\xa9\x05\xac\xf0\x90\x0f\xa3\x40\x52\x40\x0b\x95\x4f\x43" "\xd5\x44\x5c\x78\xeb\xc4\x2e\x91\x0f\x2a\x6f\xc2\xa4\xe9\xe6" "\x12", 166); *(uint64_t*)0x20acee40 = (uint64_t)0x10; *(uint32_t*)0x20acee48 = (uint32_t)0x88; *(uint32_t*)0x20acee4c = (uint32_t)0x800000006; *(uint64_t*)0x20acee50 = (uint64_t)0x10; *(uint32_t*)0x20acee58 = (uint32_t)0x108; *(uint32_t*)0x20acee5c = (uint32_t)0x9; *(uint64_t*)0x20acee60 = (uint64_t)0x10; *(uint32_t*)0x20acee68 = (uint32_t)0x11f; *(uint32_t*)0x20acee6c = (uint32_t)0x6; *(uint64_t*)0x20acee70 = (uint64_t)0x10; *(uint32_t*)0x20acee78 = (uint32_t)0x10f; *(uint32_t*)0x20acee7c = (uint32_t)0x10001; *(uint64_t*)0x20f51000 = (uint64_t)0x10; *(uint32_t*)0x20f51008 = (uint32_t)0x1; *(uint32_t*)0x20f5100c = (uint32_t)0x7; r[76] = syscall(__NR_sendmmsg, r[14], 0x20fe2f40ul, 0x3ul, 0xc0ul); r[77] = syscall(__NR_socket, 0xaul, 0x3ul, 0x6ul); memcpy((void*)0x20334000, "\x73\x69\x74\x30\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00", 16); *(uint16_t*)0x20334010 = (uint16_t)0x1; r[80] = syscall(__NR_ioctl, r[77], 0x8914ul, 0x20334000ul); } int main() { int i; for (i = 0; i < 8; i++) { if (fork() == 0) { loop(); return 0; } } sleep(1000000); return 0; }