Created
January 12, 2016 10:49
-
-
Save dvyukov/0bfc7714a09769ed80c0 to your computer and use it in GitHub Desktop.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| mmap(&(0x7f0000000000)=nil, (0x1e000), 0x3, 0x32, 0xffffffffffffffff, 0x0) | |
| r0 = socket(0xa, 0x1, 0x6) | |
| bind(r0, &(0x7f0000018000)="0a0033d6efe55c65000000000000000000000000000000014d3aa6ff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000", 0x80) | |
| connect(r0, &(0x7f0000017000-0x1c)="0a0033d60e32665600000000000000000000000000000001bffed7fd", 0x1c) | |
| remap_file_pages(&(0x7f0000009000)=nil, (0x1000), 0x4, 0x9, 0x100) | |
| readahead(r0, 0x1, 0xfffffffffffffffc) | |
| setsockopt$sock_int(r0, 0x1, 0x8, &(0x7f0000008000)=0x4, 0x4) | |
| sendto(r0, &(0x7f0000018000-0x7e)="5fb2a8739cb82b9265a174e31e8840f70c985969321a275144c0a933c2bb4a419ce2e504326fab0321f709e8652ab22c1a4a174d8741a646ff386d3c188631378b5f577672974330c62c76f0e2ff680d5da135a3b75667313fe3bed579d46e57577bb8ea7140c8de83605630cd3984732b0f81694c0e74df44912f9fce9d53", 0x7f, 0x8000, &(0x7f0000012000+0x778)="1000", 0x2) | |
| read(r0, &(0x7f0000012000+0x225)=nil, 0x21) | |
| fcntl$getownex(0xffffffffffffffff, 0x10, &(0x7f0000018000)={0x0, 0x0}) | |
| r1 = socket$sctp(0x2, 0x5, 0x84) | |
| setsockopt$ip_msfilter(r1, 0x0, 0x29, &(0x7f0000019000)={0x0, 0x0, 0x0, 0x0, []}, 0x10) | |
| r2 = fcntl$dupfd(r1, 0x406, r0) | |
| ioctl$TIOCGSID(r2, 0x540f, &(0x7f000001c000+0xa18)=<r3=>0x0) | |
| ptrace$getregset(0x4204, r3, 0x2, &(0x7f000001b000+0x8ae)={&(0x7f000001b000)=nil, 0x38}) | |
| r4 = dup(r0) | |
| mmap(&(0x7f000001e000)=nil, (0x1000), 0x3, 0x32, 0xffffffffffffffff, 0x0) | |
| mmap(&(0x7f000001e000)=nil, (0x1000), 0x3, 0x32, 0xffffffffffffffff, 0x0) | |
| pipe2(&(0x7f0000000000+0x891)={<r5=>0x0, <r6=>0x0}, 0x80000) | |
| mmap(&(0x7f000001f000)=nil, (0x1000), 0x3, 0x32, 0xffffffffffffffff, 0x0) | |
| read(r0, &(0x7f000001f000)=nil, 0xf0) | |
| getsockopt$ipv6_int(r0, 0x29, 0x3e, &(0x7f000001d000+0x7b7)=0x0, &(0x7f000001d000+0xc50)=nil) | |
| splice(r0, 0x0, r6, 0x0, 0x3, 0x2) | |
| setsockopt$SCTP_AUTH_ACTIVE_KEY(r4, 0x84, 0x18, &(0x7f0000018000)={0xe, 0x6}, 0x8) | |
| r7 = memfd_create(&(0x7f0000005000-0xf)="2f7b776c616e3173656c696e757800", 0x2) | |
| write$fuse_notify_retrieve(r5, &(0x7f000001d000-0x30)={0x30, 0x2, 0x0, 0xc5, 0x7, 0xffffffffffffffa7, 0x9}, 0x30) | |
| recvmmsg(r0, &(0x7f0000013000+0x301)=[{&(0x7f0000013000+0xe63)=nil, 0x8, &(0x7f0000013000+0x407)=[{&(0x7f0000013000)=nil, 0xc1}, {&(0x7f0000014000-0x4d)=nil, 0xa6}, {&(0x7f0000013000+0xdcd)=nil, 0xb8}], 0x3, &(0x7f0000013000)=nil, 0xd9, 0x390}, {&(0x7f0000014000-0x80)=nil, 0x80, &(0x7f0000013000+0x907)=[{&(0x7f0000014000-0xd)=nil, 0x1d}], 0x1, &(0x7f0000014000-0x1000)=nil, 0x1000, 0x2}, {&(0x7f0000014000-0x80)=nil, 0x80, &(0x7f0000013000)=[{&(0x7f0000014000-0x38)=nil, 0xa4}, {&(0x7f0000014000-0x43)=nil, 0x43}], 0x2, &(0x7f0000013000+0xdcc)=nil, 0xe0, 0x7}], 0x3, 0x100) | |
| ioctl$TCSETAF(r7, 0x5404, &(0x7f0000013000-0x11)={0x1169, 0x3, 0x0, 0x7, 0x44, 0x0, 0x777, 0x7, 0x0, 0x12bb}) | |
| ioctl$KDSIGACCEPT(r7, 0x4b4e, 0x1) | |
| pivot_root(&(0x7f0000013000)="2e2f66696c653000", &(0x7f0000013000+0x6ac)="2e2f66696c653000") | |
| */ | |
| // autogenerated by syzkaller (http://github.com/google/syzkaller) | |
| #include <unistd.h> | |
| #include <sys/syscall.h> | |
| #include <string.h> | |
| #include <stdint.h> | |
| #include <pthread.h> | |
| long r[99]; | |
| int main() | |
| { | |
| memset(r, -1, sizeof(r)); | |
| r[0] = syscall(SYS_mmap, 0x20000000ul, 0x1e000ul, 0x3ul, 0x32ul, 0xfffffffffffffffful, 0x0ul); | |
| r[1] = syscall(SYS_socket, 0xaul, 0x1ul, 0x6ul, 0, 0, 0); | |
| memcpy((void*)0x20018000, "\x0a\x00\x33\xd6\xef\xe5\x5c\x65\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x4d\x3a\xa6\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", 128); | |
| r[3] = syscall(SYS_bind, r[1], 0x20018000ul, 0x80ul, 0, 0, 0); | |
| memcpy((void*)0x20016fe4, "\x0a\x00\x33\xd6\x0e\x32\x66\x56\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\xbf\xfe\xd7\xfd", 28); | |
| r[5] = syscall(SYS_connect, r[1], 0x20016fe4ul, 0x1cul, 0, 0, 0); | |
| r[6] = syscall(SYS_remap_file_pages, 0x20009000ul, 0x1000ul, 0x4ul, 0x9ul, 0x100ul, 0); | |
| r[7] = syscall(SYS_readahead, r[1], 0x1ul, 0xfffffffffffffffcul, 0, 0, 0); | |
| *(uint32_t*)0x20008000 = (uint32_t)0x4; | |
| r[9] = syscall(SYS_setsockopt, r[1], 0x1ul, 0x8ul, 0x20008000ul, 0x4ul, 0); | |
| memcpy((void*)0x20017f82, "\x5f\xb2\xa8\x73\x9c\xb8\x2b\x92\x65\xa1\x74\xe3\x1e\x88\x40\xf7\x0c\x98\x59\x69\x32\x1a\x27\x51\x44\xc0\xa9\x33\xc2\xbb\x4a\x41\x9c\xe2\xe5\x04\x32\x6f\xab\x03\x21\xf7\x09\xe8\x65\x2a\xb2\x2c\x1a\x4a\x17\x4d\x87\x41\xa6\x46\xff\x38\x6d\x3c\x18\x86\x31\x37\x8b\x5f\x57\x76\x72\x97\x43\x30\xc6\x2c\x76\xf0\xe2\xff\x68\x0d\x5d\xa1\x35\xa3\xb7\x56\x67\x31\x3f\xe3\xbe\xd5\x79\xd4\x6e\x57\x57\x7b\xb8\xea\x71\x40\xc8\xde\x83\x60\x56\x30\xcd\x39\x84\x73\x2b\x0f\x81\x69\x4c\x0e\x74\xdf\x44\x91\x2f\x9f\xce\x9d\x53", 127); | |
| memcpy((void*)0x20012778, "\x10\x00", 2); | |
| r[12] = syscall(SYS_sendto, r[1], 0x20017f82ul, 0x7ful, 0x8000ul, 0x20012778ul, 0x2ul); | |
| r[13] = syscall(SYS_read, r[1], 0x20012225ul, 0x21ul, 0, 0, 0); | |
| r[14] = syscall(SYS_fcntl, 0xfffffffffffffffful, 0x10ul, 0x20018000ul, 0, 0, 0); | |
| r[15] = syscall(SYS_socket, 0x2ul, 0x5ul, 0x84ul, 0, 0, 0); | |
| *(uint32_t*)0x20019000 = (uint32_t)0x0; | |
| *(uint32_t*)0x20019004 = (uint32_t)0x0; | |
| *(uint32_t*)0x20019008 = (uint32_t)0x0; | |
| *(uint32_t*)0x2001900c = (uint32_t)0x0; | |
| r[20] = syscall(SYS_setsockopt, r[15], 0x0ul, 0x29ul, 0x20019000ul, 0x10ul, 0); | |
| r[21] = syscall(SYS_fcntl, r[15], 0x406ul, r[1], 0, 0, 0); | |
| r[22] = syscall(SYS_ioctl, r[21], 0x540ful, 0x2001ca18ul, 0, 0, 0); | |
| if (r[22] != -1) | |
| r[23] = *(uint32_t*)0x2001ca18; | |
| *(uint64_t*)0x2001b8ae = (uint64_t)0x2001b000; | |
| *(uint64_t*)0x2001b8b6 = (uint64_t)0x38; | |
| r[26] = syscall(SYS_ptrace, 0x4204ul, r[23], 0x2ul, 0x2001b8aeul, 0, 0); | |
| r[27] = syscall(SYS_dup, r[1], 0, 0, 0, 0, 0); | |
| r[28] = syscall(SYS_mmap, 0x2001e000ul, 0x1000ul, 0x3ul, 0x32ul, 0xfffffffffffffffful, 0x0ul); | |
| r[29] = syscall(SYS_mmap, 0x2001e000ul, 0x1000ul, 0x3ul, 0x32ul, 0xfffffffffffffffful, 0x0ul); | |
| r[30] = syscall(SYS_pipe2, 0x20000891ul, 0x80000ul, 0, 0, 0, 0); | |
| if (r[30] != -1) | |
| r[31] = *(uint32_t*)0x20000891; | |
| if (r[30] != -1) | |
| r[32] = *(uint32_t*)0x20000895; | |
| r[33] = syscall(SYS_mmap, 0x2001f000ul, 0x1000ul, 0x3ul, 0x32ul, 0xfffffffffffffffful, 0x0ul); | |
| r[34] = syscall(SYS_read, r[1], 0x2001f000ul, 0xf0ul, 0, 0, 0); | |
| r[35] = syscall(SYS_getsockopt, r[1], 0x29ul, 0x3eul, 0x2001d7b7ul, 0x2001dc50ul, 0); | |
| r[36] = syscall(SYS_splice, r[1], 0x0ul, r[32], 0x0ul, 0x3ul, 0x2ul); | |
| *(uint32_t*)0x20018000 = (uint32_t)0xe; | |
| *(uint16_t*)0x20018004 = (uint16_t)0x6; | |
| r[39] = syscall(SYS_setsockopt, r[27], 0x84ul, 0x18ul, 0x20018000ul, 0x8ul, 0); | |
| memcpy((void*)0x20004ff1, "\x2f\x7b\x77\x6c\x61\x6e\x31\x73\x65\x6c\x69\x6e\x75\x78\x00", 15); | |
| r[41] = syscall(SYS_memfd_create, 0x20004ff1ul, 0x2ul, 0, 0, 0, 0); | |
| *(uint32_t*)0x2001cfd0 = (uint32_t)0x30; | |
| *(uint32_t*)0x2001cfd4 = (uint32_t)0x2; | |
| *(uint64_t*)0x2001cfd8 = (uint64_t)0x0; | |
| *(uint64_t*)0x2001cfe0 = (uint64_t)0xc5; | |
| *(uint64_t*)0x2001cfe8 = (uint64_t)0x7; | |
| *(uint64_t*)0x2001cff0 = (uint64_t)0xffffffffffffffa7; | |
| *(uint32_t*)0x2001cff8 = (uint32_t)0x9; | |
| r[49] = syscall(SYS_write, r[31], 0x2001cfd0ul, 0x30ul, 0, 0, 0); | |
| *(uint64_t*)0x20013301 = (uint64_t)0x20013e63; | |
| *(uint32_t*)0x20013309 = (uint32_t)0x8; | |
| *(uint64_t*)0x20013311 = (uint64_t)0x20013407; | |
| *(uint64_t*)0x20013319 = (uint64_t)0x3; | |
| *(uint64_t*)0x20013321 = (uint64_t)0x20013000; | |
| *(uint64_t*)0x20013329 = (uint64_t)0xd9; | |
| *(uint32_t*)0x20013331 = (uint32_t)0x390; | |
| *(uint64_t*)0x20013339 = (uint64_t)0x20013f80; | |
| *(uint32_t*)0x20013341 = (uint32_t)0x80; | |
| *(uint64_t*)0x20013349 = (uint64_t)0x20013907; | |
| *(uint64_t*)0x20013351 = (uint64_t)0x1; | |
| *(uint64_t*)0x20013359 = (uint64_t)0x20013000; | |
| *(uint64_t*)0x20013361 = (uint64_t)0x1000; | |
| *(uint32_t*)0x20013369 = (uint32_t)0x2; | |
| *(uint64_t*)0x20013371 = (uint64_t)0x20013f80; | |
| *(uint32_t*)0x20013379 = (uint32_t)0x80; | |
| *(uint64_t*)0x20013381 = (uint64_t)0x20013000; | |
| *(uint64_t*)0x20013389 = (uint64_t)0x2; | |
| *(uint64_t*)0x20013391 = (uint64_t)0x20013dcc; | |
| *(uint64_t*)0x20013399 = (uint64_t)0xe0; | |
| *(uint32_t*)0x200133a1 = (uint32_t)0x7; | |
| *(uint64_t*)0x20013407 = (uint64_t)0x20013000; | |
| *(uint64_t*)0x2001340f = (uint64_t)0xc1; | |
| *(uint64_t*)0x20013417 = (uint64_t)0x20013fb3; | |
| *(uint64_t*)0x2001341f = (uint64_t)0xa6; | |
| *(uint64_t*)0x20013427 = (uint64_t)0x20013dcd; | |
| *(uint64_t*)0x2001342f = (uint64_t)0xb8; | |
| *(uint64_t*)0x20013907 = (uint64_t)0x20013ff3; | |
| *(uint64_t*)0x2001390f = (uint64_t)0x1d; | |
| *(uint64_t*)0x20013000 = (uint64_t)0x20013fc8; | |
| *(uint64_t*)0x20013008 = (uint64_t)0xa4; | |
| *(uint64_t*)0x20013010 = (uint64_t)0x20013fbd; | |
| *(uint64_t*)0x20013018 = (uint64_t)0x43; | |
| r[83] = syscall(SYS_recvmmsg, r[1], 0x20013301ul, 0x3ul, 0x100ul, 0, 0); | |
| *(uint16_t*)0x20012fef = (uint16_t)0x1169; | |
| *(uint16_t*)0x20012ff1 = (uint16_t)0x3; | |
| *(uint16_t*)0x20012ff3 = (uint16_t)0x0; | |
| *(uint16_t*)0x20012ff5 = (uint16_t)0x7; | |
| *(uint8_t*)0x20012ff7 = (uint8_t)0x44; | |
| *(uint8_t*)0x20012ff8 = (uint8_t)0x0; | |
| *(uint8_t*)0x20012ff9 = (uint8_t)0x777; | |
| *(uint8_t*)0x20012ffa = (uint8_t)0x7; | |
| *(uint32_t*)0x20012ffb = (uint32_t)0x0; | |
| *(uint8_t*)0x20012fff = (uint8_t)0x12bb; | |
| r[94] = syscall(SYS_ioctl, r[41], 0x5404ul, 0x20012feful, 0, 0, 0); | |
| r[95] = syscall(SYS_ioctl, r[41], 0x4b4eul, 0x1ul, 0, 0, 0); | |
| memcpy((void*)0x20013000, "\x2e\x2f\x66\x69\x6c\x65\x30\x00", 8); | |
| memcpy((void*)0x200136ac, "\x2e\x2f\x66\x69\x6c\x65\x30\x00", 8); | |
| r[98] = syscall(SYS_pivot_root, 0x20013000ul, 0x200136acul, 0, 0, 0, 0); | |
| return 0; | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment