dvyukov · January 12, 2016 16:24
diff --git a/gistfile1.txt b/gistfile1.txt
 // autogenerated by syzkaller (http://github.com/google/syzkaller)
 #include <unistd.h>
 #include <sys/syscall.h>
 #include <string.h>
 #include <stdint.h>
 #include <pthread.h>

 long r[58];

 void *thr(void *arg)
 {
 	switch ((long)arg) {
 	case 0:
 		r[0] = syscall(SYS_mmap, 0x20000000ul, 0x39000ul, 0x3ul, 0x32ul, 0xfffffffffffffffful, 0x0ul);
 		break;
 	case 1:
 		r[1] = syscall(SYS_socket, 0x26ul, 0x5ul, 0x0ul, 0, 0, 0);
 		break;
 	case 2:
 		*(uint16_t*)0x2002c02a = (uint16_t)0x26;
 		memcpy((void*)0x2002c02c, "\x73\x6b\x63\x69\x70\x68\x65\x72\x00\x00\x00\x00\x00\x00", 14);
 		*(uint32_t*)0x2002c03a = (uint32_t)0x8;
 		*(uint32_t*)0x2002c03e = (uint32_t)0x800;
 		memcpy((void*)0x2002c042, "\x63\x74\x72\x28\x73\x65\x72\x70\x65\x6e\x74\x29\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", 64);
 		r[7] = syscall(SYS_bind, r[1], 0x2002c02aul, 0x58ul, 0, 0, 0);
 		break;
 	case 3:
 		memcpy((void*)0x200340d3, "\xd4\x4f\x77\x66\x54\xf2\x63\xd1\xbe\x7c\x6b\xac\xa6\x65\xc1\x0f\x2f\xbd\xea\x09\x2f\x44", 22);
 		r[9] = syscall(SYS_setsockopt, r[1], 0x117ul, 0x1ul, 0x200340d3ul, 0x16ul, 0);
 		break;
 	case 4:
 		r[10] = syscall(SYS_accept4, r[1], 0x0ul, 0x20034000ul, 0x80800ul, 0, 0);
 		break;
 	case 5:
 		r[11] = syscall(SYS_dup3, r[10], r[1], 0x80000ul, 0, 0, 0);
 		break;
 	case 6:
 		r[12] = syscall(SYS_fcntl, r[1], 0x4ul, 0x2000ul, 0, 0, 0);
 		break;
 	case 7:
 		r[13] = syscall(SYS_mmap, 0x20039000ul, 0x1000ul, 0x3ul, 0x32ul, 0xfffffffffffffffful, 0x0ul);
 		break;
 	case 8:
 		r[14] = syscall(SYS_mmap, 0x20039000ul, 0x1000ul, 0x3ul, 0x32ul, 0xfffffffffffffffful, 0x0ul);
 		break;
 	case 9:
 		r[15] = syscall(SYS_mmap, 0x20039000ul, 0x1000ul, 0x3ul, 0x32ul, 0xfffffffffffffffful, 0x0ul);
 		break;
 	case 10:
 		r[16] = syscall(SYS_mmap, 0x20039000ul, 0x1000ul, 0x3ul, 0x32ul, 0xfffffffffffffffful, 0x0ul);
 		break;
 	case 11:
 		*(uint64_t*)0x2000bdfc = (uint64_t)0x20039fdc;
 		*(uint32_t*)0x2000be04 = (uint32_t)0x80;
 		*(uint64_t*)0x2000be0c = (uint64_t)0x20035000;
 		*(uint64_t*)0x2000be14 = (uint64_t)0x4;
 		*(uint64_t*)0x2000be1c = (uint64_t)0x20039605;
 		*(uint64_t*)0x2000be24 = (uint64_t)0x8e;
 		*(uint32_t*)0x2000be2c = (uint32_t)0x7;
 		*(uint64_t*)0x20035000 = (uint64_t)0x20039489;
 		*(uint64_t*)0x20035008 = (uint64_t)0x5a;
 		*(uint64_t*)0x20035010 = (uint64_t)0x20039000;
 		*(uint64_t*)0x20035018 = (uint64_t)0xf;
 		*(uint64_t*)0x20035020 = (uint64_t)0x20034fef;
 		*(uint64_t*)0x20035028 = (uint64_t)0x28;
 		*(uint64_t*)0x20035030 = (uint64_t)0x20012164;
 		*(uint64_t*)0x20035038 = (uint64_t)0xd4;
 		r[32] = syscall(SYS_recvmsg, r[11], 0x2000bdfcul, 0x0ul, 0, 0, 0);
 		break;
 	case 12:
 		*(uint64_t*)0x20038fc8 = (uint64_t)0x2003175e;
 		*(uint32_t*)0x20038fd0 = (uint32_t)0x3;
 		*(uint64_t*)0x20038fd8 = (uint64_t)0x20000000;
 		*(uint64_t*)0x20038fe0 = (uint64_t)0x2;
 		*(uint64_t*)0x20038fe8 = (uint64_t)0x20017fe0;
 		*(uint64_t*)0x20038ff0 = (uint64_t)0x2;
 		*(uint32_t*)0x20038ff8 = (uint32_t)0x1;
 		*(uint16_t*)0x20031761 = (uint16_t)0x1;
 		*(uint8_t*)0x20031763 = (uint8_t)0xfffffffffffffff8;
 		*(uint64_t*)0x20000000 = (uint64_t)0x20032e5a;
 		*(uint64_t*)0x20000008 = (uint64_t)0x7d;
 		*(uint64_t*)0x20000010 = (uint64_t)0x20000000;
 		*(uint64_t*)0x20000018 = (uint64_t)0x0;
 		memcpy((void*)0x20032e5a, "\xe4\x1e\x44\x85\x9f\x85\x21\x40\xa8\x01\xbd\xd9\xda\x6f\x9f\x65\x7a\x1f\xa6\xb9\x0f\x16\xe5\xa0\xd1\x1e\x13\xa3\x52\x95\xb1\x19\x5f\xd2\xd7\xe0\xfa\x89\xfb\xa8\xf9\xa0\x02\x34\x8f\xd5\x32\xb7\x3c\xfe\x82\x5a\xca\x44\x8b\x8d\xd8\x65\x97\xf5\x2f\xb7\x32\xa8\xe6\x0d\xf5\x2d\x79\x0e\xd3\x0b\x18\xa2\xd4\x2e\x73\xa6\x5a\xa0\x09\xf4\x1b\x9e\xb3\x89\x96\xde\xe0\xa8\x48\x52\x9b\x11\xc1\xe3\xf5\x3e\xcb\x49\x56\x66\x1b\xd8\x96\xf7\x2c\x8c\x73\xd1\x21\x00\x6e\xbc\x3b\xc5\x1f\x37\x06\xdb\x2c\xbb\x57\xea\x99", 125);
 		*(uint64_t*)0x20017ff4 = (uint64_t)0x14;
 		*(uint32_t*)0x20017ffc = (uint32_t)0x1;
 		*(uint32_t*)0x20018000 = (uint32_t)0x1;
 		*(uint32_t*)0x20018004 = (uint32_t)0xffffffffffffffff;
 		*(uint64_t*)0x20018024 = (uint64_t)0x14;
 		*(uint32_t*)0x2001802c = (uint32_t)0x1;
 		*(uint32_t*)0x20018030 = (uint32_t)0x1;
 		*(uint32_t*)0x20018034 = r[11];
 		*(uint32_t*)0x20018038 = r[11];
 		*(uint32_t*)0x2001803c = r[11];
 		r[57] = syscall(SYS_sendmmsg, r[11], 0x20038fc8ul, 0x1ul, 0x801ul, 0, 0);
 		break;
 	}
 	return 0;
 }

 int main()
 {
 	long i;
 	pthread_t th[13];

 	memset(r, -1, sizeof(r));
 	for (i = 0; i < 13; i++) {
 		pthread_create(&th[i], 0, thr, (void*)i);
 		usleep(10000);
 	}
 	for (i = 0; i < 13; i++) {
 		pthread_create(&th[i], 0, thr, (void*)i);
 		if (i%2==0)
 			usleep(10000);
 	}
 	usleep(100000);
 	return 0;
 }
	// autogenerated by syzkaller (http://github.com/google/syzkaller)
	#include <unistd.h>
	#include <sys/syscall.h>
	#include <string.h>
	#include <stdint.h>
	#include <pthread.h>

	long r[58];

	void thr(void arg)
	{
	switch ((long)arg) {
	case 0:
	r[0] = syscall(SYS_mmap, 0x20000000ul, 0x39000ul, 0x3ul, 0x32ul, 0xfffffffffffffffful, 0x0ul);
	break;
	case 1:
	r[1] = syscall(SYS_socket, 0x26ul, 0x5ul, 0x0ul, 0, 0, 0);
	break;
	case 2:
	(uint16_t)0x2002c02a = (uint16_t)0x26;
	memcpy((void*)0x2002c02c, "\x73\x6b\x63\x69\x70\x68\x65\x72\x00\x00\x00\x00\x00\x00", 14);
	(uint32_t)0x2002c03a = (uint32_t)0x8;
	(uint32_t)0x2002c03e = (uint32_t)0x800;
	memcpy((void*)0x2002c042, "\x63\x74\x72\x28\x73\x65\x72\x70\x65\x6e\x74\x29\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", 64);
	r[7] = syscall(SYS_bind, r[1], 0x2002c02aul, 0x58ul, 0, 0, 0);
	break;
	case 3:
	memcpy((void*)0x200340d3, "\xd4\x4f\x77\x66\x54\xf2\x63\xd1\xbe\x7c\x6b\xac\xa6\x65\xc1\x0f\x2f\xbd\xea\x09\x2f\x44", 22);
	r[9] = syscall(SYS_setsockopt, r[1], 0x117ul, 0x1ul, 0x200340d3ul, 0x16ul, 0);
	break;
	case 4:
	r[10] = syscall(SYS_accept4, r[1], 0x0ul, 0x20034000ul, 0x80800ul, 0, 0);
	break;
	case 5:
	r[11] = syscall(SYS_dup3, r[10], r[1], 0x80000ul, 0, 0, 0);
	break;
	case 6:
	r[12] = syscall(SYS_fcntl, r[1], 0x4ul, 0x2000ul, 0, 0, 0);
	break;
	case 7:
	r[13] = syscall(SYS_mmap, 0x20039000ul, 0x1000ul, 0x3ul, 0x32ul, 0xfffffffffffffffful, 0x0ul);
	break;
	case 8:
	r[14] = syscall(SYS_mmap, 0x20039000ul, 0x1000ul, 0x3ul, 0x32ul, 0xfffffffffffffffful, 0x0ul);
	break;
	case 9:
	r[15] = syscall(SYS_mmap, 0x20039000ul, 0x1000ul, 0x3ul, 0x32ul, 0xfffffffffffffffful, 0x0ul);
	break;
	case 10:
	r[16] = syscall(SYS_mmap, 0x20039000ul, 0x1000ul, 0x3ul, 0x32ul, 0xfffffffffffffffful, 0x0ul);
	break;
	case 11:
	(uint64_t)0x2000bdfc = (uint64_t)0x20039fdc;
	(uint32_t)0x2000be04 = (uint32_t)0x80;
	(uint64_t)0x2000be0c = (uint64_t)0x20035000;
	(uint64_t)0x2000be14 = (uint64_t)0x4;
	(uint64_t)0x2000be1c = (uint64_t)0x20039605;
	(uint64_t)0x2000be24 = (uint64_t)0x8e;
	(uint32_t)0x2000be2c = (uint32_t)0x7;
	(uint64_t)0x20035000 = (uint64_t)0x20039489;
	(uint64_t)0x20035008 = (uint64_t)0x5a;
	(uint64_t)0x20035010 = (uint64_t)0x20039000;
	(uint64_t)0x20035018 = (uint64_t)0xf;
	(uint64_t)0x20035020 = (uint64_t)0x20034fef;
	(uint64_t)0x20035028 = (uint64_t)0x28;
	(uint64_t)0x20035030 = (uint64_t)0x20012164;
	(uint64_t)0x20035038 = (uint64_t)0xd4;
	r[32] = syscall(SYS_recvmsg, r[11], 0x2000bdfcul, 0x0ul, 0, 0, 0);
	break;
	case 12:
	(uint64_t)0x20038fc8 = (uint64_t)0x2003175e;
	(uint32_t)0x20038fd0 = (uint32_t)0x3;
	(uint64_t)0x20038fd8 = (uint64_t)0x20000000;
	(uint64_t)0x20038fe0 = (uint64_t)0x2;
	(uint64_t)0x20038fe8 = (uint64_t)0x20017fe0;
	(uint64_t)0x20038ff0 = (uint64_t)0x2;
	(uint32_t)0x20038ff8 = (uint32_t)0x1;
	(uint16_t)0x20031761 = (uint16_t)0x1;
	(uint8_t)0x20031763 = (uint8_t)0xfffffffffffffff8;
	(uint64_t)0x20000000 = (uint64_t)0x20032e5a;
	(uint64_t)0x20000008 = (uint64_t)0x7d;
	(uint64_t)0x20000010 = (uint64_t)0x20000000;
	(uint64_t)0x20000018 = (uint64_t)0x0;
	memcpy((void*)0x20032e5a, "\xe4\x1e\x44\x85\x9f\x85\x21\x40\xa8\x01\xbd\xd9\xda\x6f\x9f\x65\x7a\x1f\xa6\xb9\x0f\x16\xe5\xa0\xd1\x1e\x13\xa3\x52\x95\xb1\x19\x5f\xd2\xd7\xe0\xfa\x89\xfb\xa8\xf9\xa0\x02\x34\x8f\xd5\x32\xb7\x3c\xfe\x82\x5a\xca\x44\x8b\x8d\xd8\x65\x97\xf5\x2f\xb7\x32\xa8\xe6\x0d\xf5\x2d\x79\x0e\xd3\x0b\x18\xa2\xd4\x2e\x73\xa6\x5a\xa0\x09\xf4\x1b\x9e\xb3\x89\x96\xde\xe0\xa8\x48\x52\x9b\x11\xc1\xe3\xf5\x3e\xcb\x49\x56\x66\x1b\xd8\x96\xf7\x2c\x8c\x73\xd1\x21\x00\x6e\xbc\x3b\xc5\x1f\x37\x06\xdb\x2c\xbb\x57\xea\x99", 125);
	(uint64_t)0x20017ff4 = (uint64_t)0x14;
	(uint32_t)0x20017ffc = (uint32_t)0x1;
	(uint32_t)0x20018000 = (uint32_t)0x1;
	(uint32_t)0x20018004 = (uint32_t)0xffffffffffffffff;
	(uint64_t)0x20018024 = (uint64_t)0x14;
	(uint32_t)0x2001802c = (uint32_t)0x1;
	(uint32_t)0x20018030 = (uint32_t)0x1;
	(uint32_t)0x20018034 = r[11];
	(uint32_t)0x20018038 = r[11];
	(uint32_t)0x2001803c = r[11];
	r[57] = syscall(SYS_sendmmsg, r[11], 0x20038fc8ul, 0x1ul, 0x801ul, 0, 0);
	break;
	}
	return 0;
	}

	int main()
	{
	long i;
	pthread_t th[13];

	memset(r, -1, sizeof(r));
	for (i = 0; i < 13; i++) {
	pthread_create(&th[i], 0, thr, (void*)i);
	usleep(10000);
	}
	for (i = 0; i < 13; i++) {
	pthread_create(&th[i], 0, thr, (void*)i);
	if (i%2==0)
	usleep(10000);
	}
	usleep(100000);
	return 0;
	}