// https://syzkaller.appspot.com/bug?id=7329638ab83b70fc8fab07e14c4b2fcdc73af21d // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include static long syz_open_dev(volatile long a0, volatile long a1, volatile long a2) { if (a0 == 0xc || a0 == 0xb) { char buf[128]; sprintf(buf, "/dev/%s/%d:%d", a0 == 0xc ? "char" : "block", (uint8_t)a1, (uint8_t)a2); return open(buf, O_RDWR, 0); } else { char buf[1024]; char* hash; strncpy(buf, (char*)a0, sizeof(buf) - 1); buf[sizeof(buf) - 1] = 0; while ((hash = strchr(buf, '#'))) { *hash = '0' + (char)(a1 % 10); a1 /= 10; } return open(buf, a2, 0); } } #ifndef __NR_ioctl #define __NR_ioctl 54 #endif #ifndef __NR_mmap #define __NR_mmap 192 #endif #ifndef __NR_openat #define __NR_openat 295 #endif #ifndef __NR_write #define __NR_write 4 #endif #undef __NR_mmap #define __NR_mmap __NR_mmap2 uint64_t r[2] = {0xffffffffffffffff, 0xffffffffffffffff}; int main(void) { syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0); intptr_t res = 0; memcpy((void*)0x20000180, "/dev/fb0\000", 9); res = syscall(__NR_openat, 0xffffff9c, 0x20000180, 0, 0); if (res != -1) r[0] = res; *(uint32_t*)0x20000000 = 0; *(uint32_t*)0x20000004 = 0; *(uint32_t*)0x20000008 = 0; *(uint32_t*)0x2000000c = 0; *(uint32_t*)0x20000010 = 0; *(uint32_t*)0x20000014 = 0; *(uint32_t*)0x20000018 = 4; *(uint32_t*)0x2000001c = 2; *(uint32_t*)0x20000020 = 0; *(uint32_t*)0x20000024 = 0; *(uint32_t*)0x20000028 = 0; *(uint32_t*)0x2000002c = 0; *(uint32_t*)0x20000030 = 0; *(uint32_t*)0x20000034 = 0; *(uint32_t*)0x20000038 = 0; *(uint32_t*)0x2000003c = 0; *(uint32_t*)0x20000040 = 0; *(uint32_t*)0x20000044 = 0; *(uint32_t*)0x20000048 = 0; *(uint32_t*)0x2000004c = 0; *(uint32_t*)0x20000050 = 0; *(uint32_t*)0x20000054 = 0; *(uint32_t*)0x20000058 = 0; *(uint32_t*)0x2000005c = 0; *(uint32_t*)0x20000060 = 0; *(uint32_t*)0x20000064 = 0; *(uint32_t*)0x20000068 = 0; *(uint32_t*)0x2000006c = 0; *(uint32_t*)0x20000070 = 0; *(uint32_t*)0x20000074 = 0; *(uint32_t*)0x20000078 = 0; *(uint32_t*)0x2000007c = 0; *(uint32_t*)0x20000080 = 0; *(uint32_t*)0x20000084 = 0; *(uint32_t*)0x20000088 = 0; *(uint32_t*)0x2000008c = 0; *(uint32_t*)0x20000090 = 0; *(uint32_t*)0x20000094 = 0; *(uint32_t*)0x20000098 = 0; *(uint32_t*)0x2000009c = 0; syscall(__NR_ioctl, (intptr_t)r[0], 0x4601, 0x20000000); res = syz_open_dev(0xc, 4, 0x15); if (res != -1) r[1] = res; *(uint8_t*)0x20000140 = 0xe; *(uint8_t*)0x20000141 = 0x9b; *(uint8_t*)0x20000142 = 0x41; *(uint8_t*)0x20000143 = 0x9b; *(uint8_t*)0x20000144 = 0; *(uint8_t*)0x20000145 = 0; *(uint8_t*)0x20000146 = 0x50; *(uint8_t*)0x20000147 = 0; *(uint64_t*)0x20000148 = 0; *(uint16_t*)0x20000150 = 0; *(uint16_t*)0x20000152 = 0; *(uint32_t*)0x20000154 = 0; *(uint64_t*)0x20000158 = 0; *(uint64_t*)0x20000160 = 0x40; *(uint64_t*)0x20000168 = 0; *(uint32_t*)0x20000170 = 0; *(uint16_t*)0x20000174 = 0; *(uint16_t*)0x20000176 = 0x38; *(uint16_t*)0x20000178 = 0; *(uint16_t*)0x2000017a = 0; *(uint16_t*)0x2000017c = 0; *(uint16_t*)0x2000017e = 0; *(uint32_t*)0x20000180 = 0; *(uint32_t*)0x20000184 = 0; *(uint64_t*)0x20000188 = 0; *(uint64_t*)0x20000190 = 0; *(uint64_t*)0x20000198 = 0; *(uint64_t*)0x200001a0 = 0; *(uint64_t*)0x200001a8 = 0; *(uint64_t*)0x200001b0 = 0; syscall(__NR_write, (intptr_t)r[1], 0x20000140, 0x78); return 0; }