// https://syzkaller.appspot.com/bug?id=4ca9a2af9ec07045c7b98a2a8e8e8f28a51b865a
// autogenerated by syzkaller (https://github.com/google/syzkaller)
#define _GNU_SOURCE
#include <endian.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>
static long syz_open_procfs(volatile long a0, volatile long a1)
{
char buf[128];
memset(buf, 0, sizeof(buf));
if (a0 == 0) {
snprintf(buf, sizeof(buf), "/proc/self/%s", (char*)a1);
} else if (a0 == -1) {
snprintf(buf, sizeof(buf), "/proc/thread-self/%s", (char*)a1);
} else {
snprintf(buf, sizeof(buf), "/proc/self/task/%d/%s", (int)a0, (char*)a1);
}
int fd = open(buf, O_RDWR);
if (fd == -1)
fd = open(buf, O_RDONLY);
return fd;
}
uint64_t r[2] = {0xffffffffffffffff, 0xffffffffffffffff};
int main(void)
{
syscall(__NR_mmap, 0x20000000ul, 0x1000000ul, 3ul, 0x32ul, -1, 0ul);
intptr_t res = 0;
memcpy((void*)0x200000c0, "./file1\000", 8);
syscall(__NR_mkdir, 0x200000c0ul, 0ul);
memcpy((void*)0x20000300, "./bus\000", 6);
syscall(__NR_mkdir, 0x20000300ul, 0ul);
memcpy((void*)0x20000280, "./file0\000", 8);
syscall(__NR_mkdir, 0x20000280ul, 0ul);
memcpy((void*)0x20000000, "./bus\000", 6);
memcpy((void*)0x20000080, "overlay\000", 8);
memcpy((void*)0x20000300, "lowerdir=./bus,workdir=./file1,upperdir=./file0",
47);
syscall(__NR_mount, 0x400000ul, 0x20000000ul, 0x20000080ul, 0ul,
0x20000300ul);
memcpy((void*)0x20000140, "./bus\000", 6);
syscall(__NR_chdir, 0x20000140ul);
memcpy((void*)0x20000180, "./file1\000", 8);
syscall(__NR_execve, 0x20000180ul, 0ul, 0ul);
memcpy((void*)0x20000080, "syscall\000", 8);
res = syz_open_procfs(0, 0x20000080);
if (res != -1)
r[0] = res;
memcpy((void*)0x20000040, "./bus\000", 6);
res = syscall(__NR_open, 0x20000040ul, 0x141142ul, 0ul);
if (res != -1)
r[1] = res;
syscall(__NR_sendfile, r[1], r[0], 0ul, 0x209ul);
return 0;
}