| // WARNING in netlink_ack (2) |
| // https://syzkaller.appspot.com/bug?id=5dc0ef7e00db7ce7b45a9a3737f61f9b11c559aa |
| // status:fixed |
| // autogenerated by syzkaller (http://github.com/google/syzkaller) |
| |
| #define _GNU_SOURCE |
| #include <endian.h> |
| #include <stdint.h> |
| #include <string.h> |
| #include <sys/syscall.h> |
| #include <unistd.h> |
| |
| long r[1]; |
| void loop() |
| { |
| memset(r, -1, sizeof(r)); |
| syscall(__NR_mmap, 0x20000000, 0xfff000, 3, 0x32, -1, 0); |
| r[0] = syscall(__NR_socket, 0x10, 3, 0); |
| memcpy((void*)0x20f67000, "\x9a\xdc\x01\xce", 4); |
| syscall(__NR_setsockopt, r[0], 0x10e, 0xb, 0x20f67000, 4); |
| *(uint64_t*)0x201dcfc8 = 0x20c19ffd; |
| *(uint32_t*)0x201dcfd0 = 0xc; |
| *(uint64_t*)0x201dcfd8 = 0x2078dfc0; |
| *(uint64_t*)0x201dcfe0 = 4; |
| *(uint64_t*)0x201dcfe8 = 0x20000000; |
| *(uint64_t*)0x201dcff0 = 0; |
| *(uint32_t*)0x201dcff8 = 0x80; |
| *(uint16_t*)0x20c19ffd = 0x10; |
| *(uint16_t*)0x20c19fff = 0; |
| *(uint32_t*)0x20c1a001 = 0; |
| *(uint32_t*)0x20c1a005 = 4; |
| *(uint64_t*)0x2078dfc0 = 0x2046c000; |
| *(uint64_t*)0x2078dfc8 = 0x1b8; |
| *(uint64_t*)0x2078dfd0 = 0x20fc5000; |
| *(uint64_t*)0x2078dfd8 = 0x16c; |
| *(uint64_t*)0x2078dfe0 = 0x20618e90; |
| *(uint64_t*)0x2078dfe8 = 0xc8; |
| *(uint64_t*)0x2078dff0 = 0x20093000; |
| *(uint64_t*)0x2078dff8 = 0xb0; |
| *(uint32_t*)0x2046c000 = 0x9c; |
| *(uint16_t*)0x2046c004 = 0x13; |
| *(uint16_t*)0x2046c006 = 0x201; |
| *(uint32_t*)0x2046c008 = 0x70bd2c; |
| *(uint32_t*)0x2046c00c = 0x25dfdbfd; |
| *(uint16_t*)0x2046c010 = 0xc; |
| *(uint16_t*)0x2046c012 = 2; |
| memcpy((void*)0x2046c018, ".", 2); |
| *(uint16_t*)0x2046c01c = 4; |
| *(uint16_t*)0x2046c01e = 0x74; |
| *(uint16_t*)0x2046c020 = 0xc; |
| *(uint16_t*)0x2046c022 = 0x46; |
| *(uint16_t*)0x2046c024 = 4; |
| *(uint16_t*)0x2046c026 = 0x52; |
| *(uint16_t*)0x2046c028 = 4; |
| *(uint16_t*)0x2046c02a = 0x36; |
| *(uint16_t*)0x2046c02c = 0xc; |
| *(uint16_t*)0x2046c02e = 0x78; |
| *(uint32_t*)0x2046c034 = 0; |
| *(uint16_t*)0x2046c038 = 0x1c; |
| *(uint16_t*)0x2046c03a = 0x52; |
| *(uint16_t*)0x2046c03c = 0xc; |
| *(uint16_t*)0x2046c03e = 0x65; |
| memcpy((void*)0x2046c044, "%%", 3); |
| *(uint16_t*)0x2046c048 = 8; |
| *(uint16_t*)0x2046c04a = 0; |
| *(uint16_t*)0x2046c050 = 4; |
| *(uint16_t*)0x2046c052 = 0x49; |
| *(uint16_t*)0x2046c054 = 0xc; |
| *(uint16_t*)0x2046c056 = 0x7d; |
| *(uint32_t*)0x2046c05c = 0; |
| *(uint16_t*)0x2046c060 = 0x20; |
| *(uint16_t*)0x2046c062 = 0x64; |
| *(uint16_t*)0x2046c064 = 4; |
| *(uint16_t*)0x2046c066 = 0x81; |
| *(uint16_t*)0x2046c068 = 0xc; |
| *(uint16_t*)0x2046c06a = 0x1e; |
| *(uint32_t*)0x2046c070 = r[0]; |
| *(uint16_t*)0x2046c074 = 4; |
| *(uint16_t*)0x2046c076 = 0x48; |
| *(uint16_t*)0x2046c078 = 4; |
| *(uint16_t*)0x2046c07a = 0x24; |
| *(uint16_t*)0x2046c07c = 4; |
| *(uint16_t*)0x2046c07e = 0x8c; |
| *(uint16_t*)0x2046c080 = 0x1c; |
| *(uint16_t*)0x2046c082 = 3; |
| *(uint16_t*)0x2046c084 = 0x18; |
| *(uint16_t*)0x2046c086 = 0x95; |
| memcpy((void*)0x2046c08c, |
| "\x76\x62\x6f\x78\x6e\x65\x74\x31\x28\x65\x74\x68\x31\x1c\x00", 15); |
| *(uint32_t*)0x2046c09c = 0x14; |
| *(uint16_t*)0x2046c0a0 = 0x31; |
| *(uint16_t*)0x2046c0a2 = 1; |
| *(uint32_t*)0x2046c0a4 = 0x70bd26; |
| *(uint32_t*)0x2046c0a8 = 0x25dfdbfb; |
| *(uint16_t*)0x2046c0ac = 4; |
| *(uint16_t*)0x2046c0ae = 0x70; |
| *(uint32_t*)0x2046c0b0 = 0x64; |
| *(uint16_t*)0x2046c0b4 = 0x2e; |
| *(uint16_t*)0x2046c0b6 = 0x900; |
| *(uint32_t*)0x2046c0b8 = 0x70bd27; |
| *(uint32_t*)0x2046c0bc = 0x25dfdbfe; |
| *(uint16_t*)0x2046c0c0 = 8; |
| *(uint16_t*)0x2046c0c2 = 0x55; |
| *(uint16_t*)0x2046c0c8 = 0x18; |
| *(uint16_t*)0x2046c0ca = 0x45; |
| *(uint16_t*)0x2046c0cc = 0xc; |
| *(uint16_t*)0x2046c0ce = 0x8f; |
| *(uint32_t*)0x2046c0d4 = 0; |
| *(uint16_t*)0x2046c0d8 = 8; |
| *(uint16_t*)0x2046c0da = 0x30; |
| *(uint16_t*)0x2046c0e0 = 0x1c; |
| *(uint16_t*)0x2046c0e2 = 0x6e; |
| *(uint16_t*)0x2046c0e4 = 0xc; |
| *(uint16_t*)0x2046c0e6 = 0xe; |
| *(uint32_t*)0x2046c0ec = r[0]; |
| *(uint16_t*)0x2046c0f0 = 0xc; |
| *(uint16_t*)0x2046c0f2 = 0x17; |
| *(uint32_t*)0x2046c0f8 = 0; |
| *(uint16_t*)0x2046c0fc = 0x10; |
| *(uint16_t*)0x2046c0fe = 0x50; |
| *(uint64_t*)0x2046c104 = 1; |
| *(uint16_t*)0x2046c10c = 4; |
| *(uint16_t*)0x2046c10e = 0x36; |
| *(uint16_t*)0x2046c110 = 4; |
| *(uint16_t*)0x2046c112 = 0x41; |
| *(uint32_t*)0x2046c114 = 0x78; |
| *(uint16_t*)0x2046c118 = 0x27; |
| *(uint16_t*)0x2046c11a = 0x324; |
| *(uint32_t*)0x2046c11c = 0x70bd2a; |
| *(uint32_t*)0x2046c120 = 0x25dfdbfc; |
| *(uint16_t*)0x2046c124 = 8; |
| *(uint16_t*)0x2046c126 = 0x88; |
| *(uint16_t*)0x2046c128 = 4; |
| *(uint16_t*)0x2046c12a = 0x93; |
| *(uint16_t*)0x2046c12c = 8; |
| *(uint16_t*)0x2046c12e = 0x8b; |
| *(uint16_t*)0x2046c134 = 4; |
| *(uint16_t*)0x2046c136 = 0x30; |
| *(uint16_t*)0x2046c138 = 0x44; |
| *(uint16_t*)0x2046c13a = 0x67; |
| *(uint16_t*)0x2046c13c = 0x28; |
| *(uint16_t*)0x2046c13e = 0x4d; |
| memcpy((void*)0x2046c144, "-userppp1vboxnet1ppp1trusted&", 30); |
| *(uint16_t*)0x2046c164 = 0xc; |
| *(uint16_t*)0x2046c166 = 0x3a; |
| *(uint32_t*)0x2046c16c = 7; |
| *(uint16_t*)0x2046c170 = 0xc; |
| *(uint16_t*)0x2046c172 = 0x45; |
| *(uint32_t*)0x2046c178 = 0x3138; |
| *(uint16_t*)0x2046c17c = 4; |
| *(uint16_t*)0x2046c17e = 0x17; |
| *(uint16_t*)0x2046c180 = 0xc; |
| *(uint16_t*)0x2046c182 = 0x18; |
| *(uint32_t*)0x2046c188 = 0x58f; |
| *(uint32_t*)0x2046c18c = 0x2c; |
| *(uint16_t*)0x2046c190 = 0x1c; |
| *(uint16_t*)0x2046c192 = 1; |
| *(uint32_t*)0x2046c194 = 0x70bd26; |
| *(uint32_t*)0x2046c198 = 0x25dfdbfc; |
| *(uint16_t*)0x2046c19c = 0x1c; |
| *(uint16_t*)0x2046c19e = 0x55; |
| *(uint16_t*)0x2046c1a0 = 4; |
| *(uint16_t*)0x2046c1a2 = 0x23; |
| *(uint16_t*)0x2046c1a4 = 0xc; |
| *(uint16_t*)0x2046c1a6 = 0x7c; |
| *(uint32_t*)0x2046c1ac = 0; |
| *(uint16_t*)0x2046c1b0 = 8; |
| *(uint16_t*)0x2046c1b2 = 0x87; |
| *(uint32_t*)0x20fc5000 = 0x20; |
| *(uint16_t*)0x20fc5004 = 0x29; |
| *(uint16_t*)0x20fc5006 = 0x204; |
| *(uint32_t*)0x20fc5008 = 0x70bd25; |
| *(uint32_t*)0x20fc500c = 0x25dfdbfc; |
| *(uint16_t*)0x20fc5010 = 0x10; |
| *(uint16_t*)0x20fc5012 = 0x33; |
| *(uint64_t*)0x20fc5018 = 1; |
| *(uint32_t*)0x20fc5020 = 0x18; |
| *(uint16_t*)0x20fc5024 = 0x33; |
| *(uint16_t*)0x20fc5026 = 0x100; |
| *(uint32_t*)0x20fc5028 = 0x70bd26; |
| *(uint32_t*)0x20fc502c = 0x25dfdbfd; |
| *(uint16_t*)0x20fc5030 = 4; |
| *(uint16_t*)0x20fc5032 = 0x7c; |
| *(uint16_t*)0x20fc5034 = 4; |
| *(uint16_t*)0x20fc5036 = 0x6c; |
| *(uint32_t*)0x20fc5038 = 0x68; |
| *(uint16_t*)0x20fc503c = 0x42; |
| *(uint16_t*)0x20fc503e = 0xc02; |
| *(uint32_t*)0x20fc5040 = 0x70bd27; |
| *(uint32_t*)0x20fc5044 = 0x25dfdbfc; |
| *(uint16_t*)0x20fc5048 = 0x1c; |
| *(uint16_t*)0x20fc504a = 4; |
| *(uint16_t*)0x20fc504c = 4; |
| *(uint16_t*)0x20fc504e = 0x16; |
| *(uint16_t*)0x20fc5050 = 0xc; |
| *(uint16_t*)0x20fc5052 = 0x74; |
| *(uint32_t*)0x20fc5058 = 0; |
| *(uint16_t*)0x20fc505c = 4; |
| *(uint16_t*)0x20fc505e = 0x86; |
| *(uint16_t*)0x20fc5060 = 4; |
| *(uint16_t*)0x20fc5062 = 0x38; |
| *(uint16_t*)0x20fc5064 = 0x3c; |
| *(uint16_t*)0x20fc5066 = 0x59; |
| *(uint16_t*)0x20fc5068 = 0xc; |
| *(uint16_t*)0x20fc506a = 0x4f; |
| *(uint32_t*)0x20fc5070 = r[0]; |
| *(uint16_t*)0x20fc5074 = 8; |
| *(uint16_t*)0x20fc5076 = 0x15; |
| *(uint16_t*)0x20fc507c = 4; |
| *(uint16_t*)0x20fc507e = 0x73; |
| *(uint16_t*)0x20fc5080 = 4; |
| *(uint16_t*)0x20fc5082 = 0x35; |
| *(uint16_t*)0x20fc5084 = 0xc; |
| *(uint16_t*)0x20fc5086 = 0x53; |
| *(uint32_t*)0x20fc508c = 0; |
| *(uint16_t*)0x20fc5090 = 0x10; |
| *(uint16_t*)0x20fc5092 = 0x4c; |
| *(uint64_t*)0x20fc5098 = 8; |
| *(uint32_t*)0x20fc50a0 = 0x10; |
| *(uint16_t*)0x20fc50a4 = 0x16; |
| *(uint16_t*)0x20fc50a6 = 0x600; |
| *(uint32_t*)0x20fc50a8 = 0x70bd2b; |
| *(uint32_t*)0x20fc50ac = 0x25dfdbfd; |
| *(uint32_t*)0x20fc50b0 = 0x20; |
| *(uint16_t*)0x20fc50b4 = 0x15; |
| *(uint16_t*)0x20fc50b6 = 0x2d; |
| *(uint32_t*)0x20fc50b8 = 0x70bd25; |
| *(uint32_t*)0x20fc50bc = 0x25dfdbfe; |
| *(uint16_t*)0x20fc50c0 = 4; |
| *(uint16_t*)0x20fc50c2 = 0x32; |
| *(uint16_t*)0x20fc50c4 = 0xc; |
| *(uint16_t*)0x20fc50c6 = 0x80; |
| *(uint32_t*)0x20fc50cc = r[0]; |
| *(uint32_t*)0x20fc50d0 = 0x14; |
| *(uint16_t*)0x20fc50d4 = 0x3a; |
| *(uint16_t*)0x20fc50d6 = 0x100; |
| *(uint32_t*)0x20fc50d8 = 0x70bd26; |
| *(uint32_t*)0x20fc50dc = 0x25dfdbfb; |
| *(uint16_t*)0x20fc50e0 = 4; |
| *(uint16_t*)0x20fc50e2 = 0x1d; |
| *(uint32_t*)0x20fc50e4 = 0x34; |
| *(uint16_t*)0x20fc50e8 = 0x2b; |
| *(uint16_t*)0x20fc50ea = 0x210; |
| *(uint32_t*)0x20fc50ec = 0x70bd28; |
| *(uint32_t*)0x20fc50f0 = 0x25dfdbfd; |
| *(uint16_t*)0x20fc50f4 = 8; |
| *(uint16_t*)0x20fc50f6 = 0x35; |
| *(uint16_t*)0x20fc50f8 = 4; |
| *(uint16_t*)0x20fc50fa = 0x3e; |
| *(uint16_t*)0x20fc50fc = 0xc; |
| *(uint16_t*)0x20fc50fe = 0; |
| *(uint32_t*)0x20fc5104 = 0; |
| *(uint16_t*)0x20fc5108 = 0xc; |
| *(uint16_t*)0x20fc510a = 0x6c; |
| memcpy((void*)0x20fc5110, "", 1); |
| *(uint16_t*)0x20fc5114 = 4; |
| *(uint16_t*)0x20fc5116 = 0x82; |
| *(uint32_t*)0x20fc5118 = 0x54; |
| *(uint16_t*)0x20fc511c = 0x38; |
| *(uint16_t*)0x20fc511e = 0x400; |
| *(uint32_t*)0x20fc5120 = 0x70bd2a; |
| *(uint32_t*)0x20fc5124 = 0x25dfdbfb; |
| *(uint16_t*)0x20fc5128 = 0xc; |
| *(uint16_t*)0x20fc512a = 0x85; |
| *(uint32_t*)0x20fc5130 = 0; |
| *(uint16_t*)0x20fc5134 = 0xc; |
| *(uint16_t*)0x20fc5136 = 0x45; |
| *(uint32_t*)0x20fc513c = 0; |
| *(uint16_t*)0x20fc5140 = 0x18; |
| *(uint16_t*)0x20fc5142 = 0x48; |
| *(uint16_t*)0x20fc5144 = 4; |
| *(uint16_t*)0x20fc5146 = 0x2e; |
| *(uint16_t*)0x20fc5148 = 0x10; |
| *(uint16_t*)0x20fc514a = 0x8f; |
| *(uint64_t*)0x20fc5150 = 5; |
| *(uint16_t*)0x20fc5158 = 4; |
| *(uint16_t*)0x20fc515a = 0x72; |
| *(uint16_t*)0x20fc515c = 0x10; |
| *(uint16_t*)0x20fc515e = 0x93; |
| *(uint16_t*)0x20fc5160 = 0xc; |
| *(uint16_t*)0x20fc5162 = 0x60; |
| *(uint32_t*)0x20fc5168 = r[0]; |
| *(uint32_t*)0x20618e90 = 0x14; |
| *(uint16_t*)0x20618e94 = 0x1d; |
| *(uint16_t*)0x20618e96 = 0x401; |
| *(uint32_t*)0x20618e98 = 0x70bd25; |
| *(uint32_t*)0x20618e9c = 0x25dfdbfc; |
| *(uint16_t*)0x20618ea0 = 4; |
| *(uint16_t*)0x20618ea2 = 0x6a; |
| *(uint32_t*)0x20618ea4 = 0x4c; |
| *(uint16_t*)0x20618ea8 = 0x3f; |
| *(uint16_t*)0x20618eaa = 0xd08; |
| *(uint32_t*)0x20618eac = 0x70bd26; |
| *(uint32_t*)0x20618eb0 = 0x25dfdbfb; |
| *(uint16_t*)0x20618eb4 = 0x20; |
| *(uint16_t*)0x20618eb6 = 0x74; |
| *(uint16_t*)0x20618eb8 = 4; |
| *(uint16_t*)0x20618eba = 0x32; |
| *(uint16_t*)0x20618ebc = 0xc; |
| *(uint16_t*)0x20618ebe = 0x14; |
| *(uint32_t*)0x20618ec4 = 0; |
| *(uint16_t*)0x20618ec8 = 0xc; |
| *(uint16_t*)0x20618eca = 0x90; |
| *(uint32_t*)0x20618ed0 = r[0]; |
| *(uint16_t*)0x20618ed4 = 4; |
| *(uint16_t*)0x20618ed6 = 0x21; |
| *(uint16_t*)0x20618ed8 = 4; |
| *(uint16_t*)0x20618eda = 0x39; |
| *(uint16_t*)0x20618edc = 0xc; |
| *(uint16_t*)0x20618ede = 0x6a; |
| *(uint32_t*)0x20618ee4 = 0; |
| *(uint16_t*)0x20618ee8 = 8; |
| *(uint16_t*)0x20618eea = 0x1b; |
| *(uint32_t*)0x20618ef0 = 0x1c; |
| *(uint16_t*)0x20618ef4 = 0x2d; |
| *(uint16_t*)0x20618ef6 = 0x800; |
| *(uint32_t*)0x20618ef8 = 0x70bd2c; |
| *(uint32_t*)0x20618efc = 0x25dfdbfb; |
| *(uint16_t*)0x20618f00 = 0xc; |
| *(uint16_t*)0x20618f02 = 0x6f; |
| *(uint32_t*)0x20618f08 = 0; |
| *(uint32_t*)0x20618f0c = 0x2c; |
| *(uint16_t*)0x20618f10 = 0x2c; |
| *(uint16_t*)0x20618f12 = 0x100; |
| *(uint32_t*)0x20618f14 = 0x70bd25; |
| *(uint32_t*)0x20618f18 = 0x25dfdbfe; |
| *(uint16_t*)0x20618f1c = 0x10; |
| *(uint16_t*)0x20618f1e = 0x62; |
| *(uint64_t*)0x20618f24 = 4; |
| *(uint16_t*)0x20618f2c = 0xc; |
| *(uint16_t*)0x20618f2e = 0x15; |
| *(uint32_t*)0x20618f34 = 0; |
| *(uint32_t*)0x20618f38 = 0x20; |
| *(uint16_t*)0x20618f3c = 0x33; |
| *(uint16_t*)0x20618f3e = 0x12; |
| *(uint32_t*)0x20618f40 = 0x70bd2c; |
| *(uint32_t*)0x20618f44 = 0x25dfdbfc; |
| *(uint16_t*)0x20618f48 = 0xc; |
| *(uint16_t*)0x20618f4a = 0x37; |
| *(uint32_t*)0x20618f50 = 0x7fff; |
| *(uint16_t*)0x20618f54 = 4; |
| *(uint16_t*)0x20618f56 = 0x92; |
| *(uint32_t*)0x20093000 = 0x20; |
| *(uint16_t*)0x20093004 = 0x12; |
| *(uint16_t*)0x20093006 = 4; |
| *(uint32_t*)0x20093008 = 0x70bd2b; |
| *(uint32_t*)0x2009300c = 0x25dfdbfe; |
| *(uint16_t*)0x20093010 = 4; |
| *(uint16_t*)0x20093012 = 0xb; |
| *(uint16_t*)0x20093014 = 4; |
| *(uint16_t*)0x20093016 = 4; |
| *(uint16_t*)0x20093018 = 4; |
| *(uint16_t*)0x2009301a = 0x28; |
| *(uint16_t*)0x2009301c = 4; |
| *(uint16_t*)0x2009301e = 0x93; |
| *(uint32_t*)0x20093020 = 0x7c; |
| *(uint16_t*)0x20093024 = 0x3b; |
| *(uint16_t*)0x20093026 = 0xd08; |
| *(uint32_t*)0x20093028 = 0x70bd28; |
| *(uint32_t*)0x2009302c = 0x25dfdbfc; |
| *(uint16_t*)0x20093030 = 0x10; |
| *(uint16_t*)0x20093032 = 9; |
| *(uint64_t*)0x20093038 = 0xffffffffffffffc0; |
| *(uint16_t*)0x20093040 = 8; |
| *(uint16_t*)0x20093042 = 1; |
| *(uint16_t*)0x20093048 = 0xc; |
| *(uint16_t*)0x2009304a = 0x78; |
| *(uint32_t*)0x20093050 = 0; |
| *(uint16_t*)0x20093054 = 0xc; |
| *(uint16_t*)0x20093056 = 0x42; |
| memcpy((void*)0x2009305c, "", 1); |
| *(uint16_t*)0x20093060 = 0x18; |
| *(uint16_t*)0x20093062 = 0x69; |
| *(uint16_t*)0x20093064 = 4; |
| *(uint16_t*)0x20093066 = 0x5b; |
| *(uint16_t*)0x20093068 = 0xc; |
| *(uint16_t*)0x2009306a = 0x12; |
| *(uint32_t*)0x20093070 = 0; |
| *(uint16_t*)0x20093074 = 4; |
| *(uint16_t*)0x20093076 = 0x3a; |
| *(uint16_t*)0x20093078 = 0x1c; |
| *(uint16_t*)0x2009307a = 0x7b; |
| memcpy((void*)0x20093080, "!em0self}selinux", 17); |
| *(uint16_t*)0x20093094 = 8; |
| *(uint16_t*)0x20093096 = 9; |
| *(uint32_t*)0x2009309c = 0x14; |
| *(uint16_t*)0x200930a0 = 0x2d; |
| *(uint16_t*)0x200930a2 = 0x200; |
| *(uint32_t*)0x200930a4 = 0x70bd29; |
| *(uint32_t*)0x200930a8 = 0x25dfdbfd; |
| *(uint16_t*)0x200930ac = 4; |
| *(uint16_t*)0x200930ae = 0x90; |
| syscall(__NR_sendmsg, r[0], 0x201dcfc8, 0x8800); |
| } |
| |
| int main() |
| { |
| loop(); |
| return 0; |
| } |
