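// https://syzkaller.appspot.com/bug?id=e4ef56b03491445f0a1cca5af5c308cf08bc7ac1
// autogenerated by syzkaller (https://github.com/google/syzkaller)
//
// Syzkaller crash reproducer: a fixed sequence of raw syscalls replayed
// against a kernel to reproduce the bug linked above. As is usual for these
// programs, syscall results are deliberately ignored; only the descriptors
// stored in r[] feed later calls. All argument buffers live in the MAP_FIXED
// scratch region mapped at 0x200000000000 by the prologue, so every
// pointer-cast store below assumes that mapping succeeded.
//
// NOTE(review): the header names were lost in extraction; the eight includes
// are restored from the standard syzkaller reproducer prologue and from what
// the code uses (htobe16/htobe32, memcpy, syscall, write, __NR_*).

#define _GNU_SOURCE

#include <endian.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

// Resources captured from earlier calls: r[0] = /dev/nullb0 fd, r[1] = rtc fd,
// r[2] = RDS socket. Each slot keeps its all-ones initial value (-1 as a
// 64-bit pattern) when the producing call fails, and that value is then
// passed on unchanged.
uint64_t r[3] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff};

int main(void)
{
  // Prologue: guard page below, 16 MiB RWX scratch region, guard page above.
  syscall(__NR_mmap, /*addr=*/0x1ffffffff000ul, /*len=*/0x1000ul, /*prot=*/0ul,
          /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul,
          /*fd=*/(intptr_t)-1, /*offset=*/0ul);
  syscall(__NR_mmap, /*addr=*/0x200000000000ul, /*len=*/0x1000000ul,
          /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul,
          /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul,
          /*fd=*/(intptr_t)-1, /*offset=*/0ul);
  syscall(__NR_mmap, /*addr=*/0x200001000000ul, /*len=*/0x1000ul, /*prot=*/0ul,
          /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul,
          /*fd=*/(intptr_t)-1, /*offset=*/0ul);
  intptr_t res = 0;
  // Progress marker; the empty if-body only silences warn_unused_result.
  if (write(1, "executing program\n", sizeof("executing program\n") - 1)) {
  }
  // openat$nullb arguments: [
  //   fd: const = 0xffffffffffffff9c (8 bytes)
  //   file: ptr[in, buffer] {
  //     buffer: {2f 64 65 76 2f 6e 75 6c 6c 62 30 00} (length 0xc)
  //   }
  //   flags: open_flags = 0xa4242 (4 bytes)
  //   mode: const = 0x0 (2 bytes)
  // ] returns fd_block
  memcpy((void*)0x200000000000, "/dev/nullb0\000", 12);
  res = syscall(__NR_openat, /*fd=*/0xffffffffffffff9cul,
                /*file=*/0x200000000000ul,
                /*flags=O_TRUNC|O_NOFOLLOW|O_DIRECT|O_CREAT|O_CLOEXEC|0x2*/ 0xa4242,
                /*mode=*/0);
  if (res != -1)
    r[0] = res;
  // mmap arguments: [
  //   addr: VMA[0xb36000]
  //   len: len = 0xb36000 (8 bytes)
  //   prot: mmap_prot = 0x2000007 (8 bytes)
  //   flags: mmap_flags = 0x38011 (8 bytes)
  //   fd: fd (resource)
  //   offset: intptr = 0x0 (8 bytes)
  // ]
  // Maps the block device over the start of the scratch region (MAP_FIXED);
  // if the openat above failed, r[0] is still -1 and this call fails, leaving
  // the anonymous mapping in place for the later stores.
  syscall(__NR_mmap, /*addr=*/0x200000000000ul, /*len=*/0xb36000ul,
          /*prot=PROT_GROWSUP|PROT_WRITE|PROT_READ|PROT_EXEC*/ 0x2000007ul,
          /*flags=MAP_STACK|MAP_POPULATE|MAP_NONBLOCK|MAP_FIXED|0x1*/ 0x38011ul,
          /*fd=*/r[0], /*offset=*/0ul);
  // madvise arguments: [
  //   addr: VMA[0xc00000]
  //   len: len = 0xc00000 (8 bytes)
  //   advice: madvise_flags = 0xe (8 bytes)
  // ]
  syscall(__NR_madvise, /*addr=*/0x200000000000ul, /*len=*/0xc00000ul,
          /*advice=MADV_HUGEPAGE*/ 0xeul);
  // openat$sndtimer arguments: [
  //   fd: const = 0xffffffffffffff9c (8 bytes)
  //   file: nil
  //   flags: open_flags = 0x0 (4 bytes)
  // ] returns fd_sndtimer
  syscall(__NR_openat, /*fd=*/0xffffffffffffff9cul, /*file=*/0ul, /*flags=*/0,
          0);
  // migrate_pages arguments: [
  //   pid: pid (resource)
  //   maxnode: intptr = 0x5 (8 bytes)
  //   old: nil
  //   new: nil
  // ]
  syscall(__NR_migrate_pages, /*pid=*/0, /*maxnode=*/5ul, /*old=*/0ul,
          /*new=*/0ul);
  // openat$binderfs arguments: [
  //   fd: const = 0xffffffffffffff9c (8 bytes)
  //   file: ptr[in, buffer] {
  //     buffer: {2e 2f 62 69 6e 64 65 72 66 73 2f 62 69 6e 64 65 72 31 00}
  //     (length 0x13)
  //   }
  //   flags: binder_open_flags = 0x0 (4 bytes)
  //   mode: const = 0x0 (2 bytes)
  // ] returns fd_binder
  memcpy((void*)0x200000000000, "./binderfs/binder1\000", 19);
  syscall(__NR_openat, /*fd=*/0xffffffffffffff9cul, /*file=*/0x200000000000ul,
          /*flags=*/0, /*mode=*/0);
  // openat$rtc arguments: [
  //   fd: const = 0xffffffffffffff9c (8 bytes)
  //   file: nil
  //   flags: open_flags = 0x0 (4 bytes)
  //   mode: const = 0x0 (2 bytes)
  // ] returns fd_rtc
  res = syscall(__NR_openat, /*fd=*/0xffffffffffffff9cul, /*file=*/0ul,
                /*flags=*/0, /*mode=*/0);
  if (res != -1)
    r[1] = res;
  // ioctl$RTC_PIE_OFF arguments: [
  //   fd: fd_rtc (resource)
  //   cmd: const = 0x7006 (4 bytes)
  // ]
  syscall(__NR_ioctl, /*fd=*/r[1], /*cmd=*/0x7006, 0);
  // socket$nl_route arguments: [
  //   domain: const = 0x10 (8 bytes)
  //   type: const = 0x3 (8 bytes)
  //   proto: const = 0x0 (4 bytes)
  // ] returns sock_nl_route
  syscall(__NR_socket, /*domain=*/0x10ul, /*type=*/3ul, /*proto=*/0);
  // socket$rds arguments: [
  //   domain: const = 0x15 (8 bytes)
  //   type: const = 0x5 (8 bytes)
  //   proto: const = 0x0 (4 bytes)
  // ] returns sock_rds
  res = syscall(__NR_socket, /*domain=*/0x15ul, /*type=*/5ul, /*proto=*/0);
  if (res != -1)
    r[2] = res;
  // bind$rds arguments: [
  //   fd: sock_rds (resource)
  //   addr: ptr[in, sockaddr_in] {
  //     sockaddr_in {
  //       family: const = 0x2 (2 bytes)
  //       port: int16be = 0x0 (2 bytes)
  //       addr: union ipv4_addr {
  //         loopback: const = 0x7f000001 (4 bytes)
  //       }
  //       pad = 0x0 (8 bytes)
  //     }
  //   }
  //   addrlen: len = 0x10 (8 bytes)
  // ]
  *(uint16_t*)0x200000000840 = 2;
  *(uint16_t*)0x200000000842 = htobe16(0);
  *(uint32_t*)0x200000000844 = htobe32(0x7f000001);
  syscall(__NR_bind, /*fd=*/r[2], /*addr=*/0x200000000840ul,
          /*addrlen=*/0x10ul);
  // sendmsg$rds arguments: [
  //   fd: sock_rds (resource)
  //   msg: ptr[in, msghdr_rds] {
  //     msghdr_rds {
  //       addr: ptr[in, sockaddr_in] {
  //         sockaddr_in {
  //           family: const = 0x2 (2 bytes)
  //           port: int16be = 0x0 (2 bytes)
  //           addr: union ipv4_addr {
  //             remote: ipv4_addr_t[const[187, int8]] {
  //               a0: const = 0xac (1 bytes)
  //               a1: const = 0x14 (1 bytes)
  //               a2: const = 0x14 (1 bytes)
  //               a3: const = 0xbb (1 bytes)
  //             }
  //           }
  //           pad = 0x0 (8 bytes)
  //         }
  //       }
  //       addrlen: len = 0x10 (4 bytes)
  //       pad = 0x0 (4 bytes)
  //       vec: nil
  //       vlen: len = 0x0 (8 bytes)
  //       ctrl: ptr[in, array[cmsghdr_rds]] {
  //         array[cmsghdr_rds] {
  //           union cmsghdr_rds {
  //             mask_cswp: cmsghdr_rds_t[RDS_CMSG_MASKED_ATOMIC_CSWP,
  //                                      rds_atomic_args] {
  //               cmsg_len: len = 0x58 (8 bytes)
  //               cmsg_level: const = 0x114 (4 bytes)
  //               cmsg_type: const = 0x9 (4 bytes)
  //               data: rds_atomic_args {
  //                 cookie: rds_rdma_cookie_t {
  //                   key: int32 = 0x4 (4 bytes)
  //                   off: int32 = 0x4 (4 bytes)
  //                 }
  //                 local_addr: ptr[in, int64] {
  //                   int64 = 0x4a78 (8 bytes)
  //                 }
  //                 remote_addr: nil
  //                 arg1: int64 = 0x7ff (8 bytes)
  //                 arg2: int64 = 0x9 (8 bytes)
  //                 mask1: int64 = 0x81 (8 bytes)
  //                 mask2: int64 = 0x2 (8 bytes)
  //                 flags: rds_rdma_flags = 0x4 (8 bytes)
  //                 user_token: int64 = 0x8001 (8 bytes)
  //               }
  //             }
  //           }
  //           union cmsghdr_rds {
  //             mask_fadd: cmsghdr_rds_t[RDS_CMSG_MASKED_ATOMIC_FADD,
  //                                      rds_atomic_args] {
  //               cmsg_len: len = 0x58 (8 bytes)
  //               cmsg_level: const = 0x114 (4 bytes)
  //               cmsg_type: const = 0x8 (4 bytes)
  //               data: rds_atomic_args {
  //                 cookie: rds_rdma_cookie_t {
  //                   key: int32 = 0x0 (4 bytes)
  //                   off: int32 = 0x6 (4 bytes)
  //                 }
  //                 local_addr: nil
  //                 remote_addr: nil
  //                 arg1: int64 = 0x4 (8 bytes)
  //                 arg2: int64 = 0x0 (8 bytes)
  //                 mask1: int64 = 0x0 (8 bytes)
  //                 mask2: int64 = 0x0 (8 bytes)
  //                 flags: rds_rdma_flags = 0xf9 (8 bytes)
  //                 user_token: int64 = 0x0 (8 bytes)
  //               }
  //             }
  //           }
  //         }
  //       }
  //       ctrllen: bytesize = 0xb0 (8 bytes)
  //       f: send_flags = 0x0 (4 bytes)
  //       pad = 0x0 (4 bytes)
  //     }
  //   }
  //   f: send_flags = 0x0 (8 bytes)
  // ]
  // msghdr at 0x...4c0: msg_name -> sockaddr_in at 0x...740
  *(uint64_t*)0x2000000004c0 = 0x200000000740;
  *(uint16_t*)0x200000000740 = 2;
  *(uint16_t*)0x200000000742 = htobe16(0);
  *(uint8_t*)0x200000000744 = 0xac;
  *(uint8_t*)0x200000000745 = 0x14;
  *(uint8_t*)0x200000000746 = 0x14;
  *(uint8_t*)0x200000000747 = 0xbb;
  *(uint32_t*)0x2000000004c8 = 0x10;             // msg_namelen
  *(uint64_t*)0x2000000004d0 = 0;                // msg_iov = NULL
  *(uint64_t*)0x2000000004d8 = 0;                // msg_iovlen = 0
  *(uint64_t*)0x2000000004e0 = 0x2000000005c0;   // msg_control -> cmsg array
  // First cmsg (0x58 bytes): level 0x114, type 9, rds_atomic_args payload.
  *(uint64_t*)0x2000000005c0 = 0x58;
  *(uint32_t*)0x2000000005c8 = 0x114;
  *(uint32_t*)0x2000000005cc = 9;
  *(uint32_t*)0x2000000005d0 = 4;
  *(uint32_t*)0x2000000005d4 = 4;
  *(uint64_t*)0x2000000005d8 = 0x200000000440;   // local_addr -> int64 below
  *(uint64_t*)0x200000000440 = 0x4a78;
  *(uint64_t*)0x2000000005e0 = 0;
  *(uint64_t*)0x2000000005e8 = 0x7ff;
  *(uint64_t*)0x2000000005f0 = 9;
  *(uint64_t*)0x2000000005f8 = 0x81;
  *(uint64_t*)0x200000000600 = 2;
  *(uint64_t*)0x200000000608 = 4;
  *(uint64_t*)0x200000000610 = 0x8001;
  // Second cmsg (0x58 bytes): level 0x114, type 8, rds_atomic_args payload.
  *(uint64_t*)0x200000000618 = 0x58;
  *(uint32_t*)0x200000000620 = 0x114;
  *(uint32_t*)0x200000000624 = 8;
  *(uint32_t*)0x200000000628 = 0;
  *(uint32_t*)0x20000000062c = 6;
  *(uint64_t*)0x200000000630 = 0;
  *(uint64_t*)0x200000000638 = 0;
  *(uint64_t*)0x200000000640 = 4;
  *(uint64_t*)0x200000000648 = 0;
  *(uint64_t*)0x200000000650 = 0;
  *(uint64_t*)0x200000000658 = 0;
  *(uint64_t*)0x200000000660 = 0xf9;
  *(uint64_t*)0x200000000668 = 0;
  *(uint64_t*)0x2000000004e8 = 0xb0;             // msg_controllen
  *(uint32_t*)0x2000000004f0 = 0;                // msg_flags
  syscall(__NR_sendmsg, /*fd=*/r[2], /*msg=*/0x2000000004c0ul, /*f=*/0ul);
  return 0;
}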