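// https://syzkaller.appspot.com/bug?id=7b765435e0b3227e40a8aab0cca847af63ca637a
// autogenerated by syzkaller (http://github.com/google/syzkaller)
//
// Harness part of the reproducer: process-exit helpers, a snapshot/restore of
// the netfilter tables (iptables, ip6tables, arptables, ebtables) of the
// current network namespace, recursive work-directory cleanup, and the
// fork-per-iteration loop that runs test().
//
// NOTE(review): every #include in this listing had lost its header name (only
// the bare directives survived, in groups of 20, 7 and 2). The headers below
// are reconstructed from the identifiers the code uses; they are not a copy of
// the original list, and the middle group is folded into the first one.

#define _GNU_SOURCE

#include <dirent.h>
#include <endian.h>
#include <errno.h>
#include <fcntl.h>
#include <netinet/in.h>
#include <signal.h>
#include <stdarg.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

// Terminates the whole thread group with `status` via a raw exit_group
// syscall. The empty loop after the syscall only backs up the noreturn
// attribute should the syscall ever return.
__attribute__((noreturn)) static void doexit(int status)
{
  volatile unsigned i;
  syscall(__NR_exit_group, status);
  for (i = 0;; i++) {
  }
}

// Exit statuses used by fail() and exitf().
const int kFailStatus = 67;
const int kRetryStatus = 69;

// Prints a printf-style message followed by the errno value seen on entry,
// then exits. ENOMEM and EAGAIN exit with kRetryStatus, everything else with
// kFailStatus.
static void fail(const char* msg, ...)
{
  // Captured first: the stdio calls below may overwrite errno.
  int e = errno;
  va_list args;
  va_start(args, msg);
  vfprintf(stderr, msg, args);
  va_end(args);
  fprintf(stderr, " (errno %d)\n", e);
  doexit((e == ENOMEM || e == EAGAIN) ? kRetryStatus : kFailStatus);
}

// Same output as fail(), but always exits with kRetryStatus.
static void exitf(const char* msg, ...)
{
  int e = errno;
  va_list args;
  va_start(args, msg);
  vfprintf(stderr, msg, args);
  va_end(args);
  fprintf(stderr, " (errno %d)\n", e);
  doexit(kRetryStatus);
}

// Mask of the low `bf_len` bits, cast to `type`.
#define BITMASK_LEN(type, bf_len) (type)((1ull << (bf_len)) - 1)

// The same mask shifted up to bit offset `bf_off`.
#define BITMASK_LEN_OFF(type, bf_off, bf_len) \
  (type)(BITMASK_LEN(type, (bf_len)) << (bf_off))

// Stores `val` into the bitfield [bf_off, bf_off + bf_len) of the `type`
// object at `addr`, leaving the other bits untouched; bf_off == bf_len == 0
// means a plain full-width store. The expansion is a bare if/else, not a
// do { } while (0) block, so it is only safe where a full statement is allowed.
#define STORE_BY_BITMASK(type, addr, val, bf_off, bf_len)               \
  if ((bf_off) == 0 && (bf_len) == 0) {                                 \
    *(type*)(addr) = (type)(val);                                       \
  } else {                                                              \
    type new_val = *(type*)(addr);                                      \
    new_val &= ~BITMASK_LEN_OFF(type, (bf_off), (bf_len));              \
    new_val |= ((type)(val)&BITMASK_LEN(type, (bf_len))) << (bf_off);   \
    *(type*)(addr) = new_val;                                           \
  }

// Returns CLOCK_MONOTONIC time in milliseconds; exits through fail() if the
// clock cannot be read.
static uint64_t current_time_ms()
{
  struct timespec ts;

  if (clock_gettime(CLOCK_MONOTONIC, &ts))
    fail("clock_gettime failed");
  return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}

// Creates a fresh ./syzkaller.XXXXXX directory, makes it mode 0777 and changes
// into it. Any failing step exits through fail().
static void use_temporary_dir()
{
  char tmpdir_template[] = "./syzkaller.XXXXXX";
  char* tmpdir = mkdtemp(tmpdir_template);
  if (!tmpdir)
    fail("failed to mkdtemp");
  if (chmod(tmpdir, 0777))
    fail("failed to chmod");
  if (chdir(tmpdir))
    fail("failed to chdir");
}

// Opens a device node and returns the result of open().
//
// a0 == 0xc or 0xb: opens /dev/char/<a1>:<a2> or /dev/block/<a1>:<a2>, with a1
// and a2 truncated to 8 bits, O_RDWR.
// Otherwise a0 is used as a pointer to a path template: every '#' is replaced
// by successive decimal digits of a1 (least significant first) and the result
// is opened with flags a2.
static uintptr_t syz_open_dev(uintptr_t a0, uintptr_t a1, uintptr_t a2)
{
  if (a0 == 0xc || a0 == 0xb) {
    char buf[128];
    // Bounded formatting; the longest possible result is far below 128 bytes.
    snprintf(buf, sizeof(buf), "/dev/%s/%d:%d", a0 == 0xc ? "char" : "block",
             (uint8_t)a1, (uint8_t)a2);
    return open(buf, O_RDWR, 0);
  } else {
    char buf[1024];
    char* hash;
    // strncpy does not terminate on truncation, hence the explicit NUL.
    strncpy(buf, (char*)a0, sizeof(buf));
    buf[sizeof(buf) - 1] = 0;
    while ((hash = strchr(buf, '#'))) {
      *hash = '0' + (char)(a1 % 10);
      a1 /= 10;
    }
    return open(buf, a2, 0);
  }
}

// Upper bounds for one snapshotted table: bytes of rule blob and number of
// entries (which is also the capacity of the counters scratch arrays below).
#define XT_TABLE_SIZE 1536
#define XT_MAX_ENTRIES 10

// Local copies of the sockopt argument layouts, with the variable-length
// entry table replaced by a fixed XT_TABLE_SIZE buffer.
struct xt_counters {
  uint64_t pcnt, bcnt;
};

struct ipt_getinfo {
  char name[32];
  unsigned int valid_hooks;
  unsigned int hook_entry[5];
  unsigned int underflow[5];
  unsigned int num_entries;
  unsigned int size;
};

struct ipt_get_entries {
  char name[32];
  unsigned int size;
  void* entrytable[XT_TABLE_SIZE / sizeof(void*)];
};

struct ipt_replace {
  char name[32];
  unsigned int valid_hooks;
  unsigned int num_entries;
  unsigned int size;
  unsigned int hook_entry[5];
  unsigned int underflow[5];
  unsigned int num_counters;
  struct xt_counters* counters;
  char entrytable[XT_TABLE_SIZE];
};

// One snapshotted table: its name, the info read at checkpoint time and a
// ready-to-send replace request that restores it.
struct ipt_table_desc {
  const char* name;
  struct ipt_getinfo info;
  struct ipt_replace replace;
};

static struct ipt_table_desc ipv4_tables[] = {
    {.name = "filter"}, {.name = "nat"},      {.name = "mangle"},
    {.name = "raw"},    {.name = "security"},
};

static struct ipt_table_desc ipv6_tables[] = {
    {.name = "filter"}, {.name = "nat"},      {.name = "mangle"},
    {.name = "raw"},    {.name = "security"},
};

// IPT_SO_SET_REPLACE and IPT_SO_GET_INFO share the value 64: one is passed to
// setsockopt(), the other to getsockopt().
#define IPT_BASE_CTL 64
#define IPT_SO_SET_REPLACE (IPT_BASE_CTL)
#define IPT_SO_GET_INFO (IPT_BASE_CTL)
#define IPT_SO_GET_ENTRIES (IPT_BASE_CTL + 1)

// arptables variants of the structures above (3 hooks instead of 5).
struct arpt_getinfo {
  char name[32];
  unsigned int valid_hooks;
  unsigned int hook_entry[3];
  unsigned int underflow[3];
  unsigned int num_entries;
  unsigned int size;
};

struct arpt_get_entries {
  char name[32];
  unsigned int size;
  void* entrytable[XT_TABLE_SIZE / sizeof(void*)];
};

struct arpt_replace {
  char name[32];
  unsigned int valid_hooks;
  unsigned int num_entries;
  unsigned int size;
  unsigned int hook_entry[3];
  unsigned int underflow[3];
  unsigned int num_counters;
  struct xt_counters* counters;
  char entrytable[XT_TABLE_SIZE];
};

struct arpt_table_desc {
  const char* name;
  struct arpt_getinfo info;
  struct arpt_replace replace;
};

static struct arpt_table_desc arpt_tables[] = {
    {.name = "filter"},
};

#define ARPT_BASE_CTL 96
#define ARPT_SO_SET_REPLACE (ARPT_BASE_CTL)
#define ARPT_SO_GET_INFO (ARPT_BASE_CTL)
#define ARPT_SO_GET_ENTRIES (ARPT_BASE_CTL + 1)

// Snapshots the given iptables/ip6tables tables into `tables`.
//
// tables/num_tables: descriptors to fill.
// family: socket family used for the control socket (AF_INET or AF_INET6).
// level: sockopt level (SOL_IP or SOL_IPV6).
//
// A table whose GET_INFO fails with EPERM, ENOENT or ENOPROTOOPT is skipped and
// keeps valid_hooks == 0, which reset_iptables() treats as "not snapshotted".
// Any other failure, or a table larger than the local buffers, exits through
// fail().
static void checkpoint_iptables(struct ipt_table_desc* tables, int num_tables,
                                int family, int level)
{
  struct ipt_get_entries entries;
  socklen_t optlen;
  int fd, i;

  fd = socket(family, SOCK_STREAM, IPPROTO_TCP);
  if (fd == -1)
    fail("socket(%d, SOCK_STREAM, IPPROTO_TCP)", family);
  for (i = 0; i < num_tables; i++) {
    struct ipt_table_desc* table = &tables[i];
    // Names come from the static arrays above and fit the 32-byte fields.
    strcpy(table->info.name, table->name);
    strcpy(table->replace.name, table->name);
    optlen = sizeof(table->info);
    if (getsockopt(fd, level, IPT_SO_GET_INFO, &table->info, &optlen)) {
      switch (errno) {
      case EPERM:
      case ENOENT:
      case ENOPROTOOPT:
        continue;
      }
      fail("getsockopt(IPT_SO_GET_INFO)");
    }
    // Both limits are checked before the reported sizes are used as copy
    // lengths below.
    if (table->info.size > sizeof(table->replace.entrytable))
      fail("table size is too large: %u", table->info.size);
    if (table->info.num_entries > XT_MAX_ENTRIES)
      fail("too many counters: %u", table->info.num_entries);
    memset(&entries, 0, sizeof(entries));
    strcpy(entries.name, table->name);
    entries.size = table->info.size;
    optlen = sizeof(entries) - sizeof(entries.entrytable) + table->info.size;
    if (getsockopt(fd, level, IPT_SO_GET_ENTRIES, &entries, &optlen))
      fail("getsockopt(IPT_SO_GET_ENTRIES)");
    table->replace.valid_hooks = table->info.valid_hooks;
    table->replace.num_entries = table->info.num_entries;
    table->replace.size = table->info.size;
    memcpy(table->replace.hook_entry, table->info.hook_entry,
           sizeof(table->replace.hook_entry));
    memcpy(table->replace.underflow, table->info.underflow,
           sizeof(table->replace.underflow));
    memcpy(table->replace.entrytable, entries.entrytable, table->info.size);
  }
  close(fd);
}

// Restores every snapshotted table that differs from its snapshot.
//
// A table is left alone when both its info block and its entry blob are
// byte-identical to what checkpoint_iptables() stored; otherwise the stored
// replace request is sent with IPT_SO_SET_REPLACE. Parameters are the same as
// for checkpoint_iptables(). Failures exit through fail().
static void reset_iptables(struct ipt_table_desc* tables, int num_tables,
                           int family, int level)
{
  struct xt_counters counters[XT_MAX_ENTRIES];
  struct ipt_get_entries entries;
  struct ipt_getinfo info;
  socklen_t optlen;
  int fd, i;

  fd = socket(family, SOCK_STREAM, IPPROTO_TCP);
  if (fd == -1)
    fail("socket(%d, SOCK_STREAM, IPPROTO_TCP)", family);
  for (i = 0; i < num_tables; i++) {
    struct ipt_table_desc* table = &tables[i];
    // valid_hooks == 0: the table was skipped at checkpoint time.
    if (table->info.valid_hooks == 0)
      continue;
    memset(&info, 0, sizeof(info));
    strcpy(info.name, table->name);
    optlen = sizeof(info);
    if (getsockopt(fd, level, IPT_SO_GET_INFO, &info, &optlen))
      fail("getsockopt(IPT_SO_GET_INFO)");
    if (memcmp(&table->info, &info, sizeof(table->info)) == 0) {
      memset(&entries, 0, sizeof(entries));
      strcpy(entries.name, table->name);
      entries.size = table->info.size;
      optlen = sizeof(entries) - sizeof(entries.entrytable) + entries.size;
      if (getsockopt(fd, level, IPT_SO_GET_ENTRIES, &entries, &optlen))
        fail("getsockopt(IPT_SO_GET_ENTRIES)");
      if (memcmp(table->replace.entrytable, entries.entrytable,
                 table->info.size) == 0)
        continue;
    }
    // num_counters is taken from the table that is live now, i.e. the one the
    // test program may have installed, and `counters` holds XT_MAX_ENTRIES
    // records. The kernel is expected to write num_counters records back
    // through replace.counters (not visible in this file), so an unbounded
    // value would overrun the stack array. Same limit and message as at
    // checkpoint time.
    if (info.num_entries > XT_MAX_ENTRIES)
      fail("too many counters: %u", info.num_entries);
    table->replace.num_counters = info.num_entries;
    table->replace.counters = counters;
    optlen = sizeof(table->replace) - sizeof(table->replace.entrytable) +
             table->replace.size;
    if (setsockopt(fd, level, IPT_SO_SET_REPLACE, &table->replace, optlen))
      fail("setsockopt(IPT_SO_SET_REPLACE)");
  }
  close(fd);
}

// arptables counterpart of checkpoint_iptables(): snapshots every entry of
// arpt_tables over an AF_INET socket at level SOL_IP, with the same skip and
// size rules.
static void checkpoint_arptables(void)
{
  struct arpt_get_entries entries;
  socklen_t optlen;
  unsigned i;
  int fd;

  fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
  if (fd == -1)
    fail("socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)");
  for (i = 0; i < sizeof(arpt_tables) / sizeof(arpt_tables[0]); i++) {
    struct arpt_table_desc* table = &arpt_tables[i];
    strcpy(table->info.name, table->name);
    strcpy(table->replace.name, table->name);
    optlen = sizeof(table->info);
    if (getsockopt(fd, SOL_IP, ARPT_SO_GET_INFO, &table->info, &optlen)) {
      switch (errno) {
      case EPERM:
      case ENOENT:
      case ENOPROTOOPT:
        continue;
      }
      fail("getsockopt(ARPT_SO_GET_INFO)");
    }
    if (table->info.size > sizeof(table->replace.entrytable))
      fail("table size is too large: %u", table->info.size);
    if (table->info.num_entries > XT_MAX_ENTRIES)
      fail("too many counters: %u", table->info.num_entries);
    memset(&entries, 0, sizeof(entries));
    strcpy(entries.name, table->name);
    entries.size = table->info.size;
    optlen = sizeof(entries) - sizeof(entries.entrytable) + table->info.size;
    if (getsockopt(fd, SOL_IP, ARPT_SO_GET_ENTRIES, &entries, &optlen))
      fail("getsockopt(ARPT_SO_GET_ENTRIES)");
    table->replace.valid_hooks = table->info.valid_hooks;
    table->replace.num_entries = table->info.num_entries;
    table->replace.size = table->info.size;
    memcpy(table->replace.hook_entry, table->info.hook_entry,
           sizeof(table->replace.hook_entry));
    memcpy(table->replace.underflow, table->info.underflow,
           sizeof(table->replace.underflow));
    memcpy(table->replace.entrytable, entries.entrytable, table->info.size);
  }
  close(fd);
}

// arptables counterpart of reset_iptables(): restores every snapshotted entry
// of arpt_tables that no longer matches its snapshot.
static void reset_arptables()
{
  struct xt_counters counters[XT_MAX_ENTRIES];
  struct arpt_get_entries entries;
  struct arpt_getinfo info;
  socklen_t optlen;
  unsigned i;
  int fd;

  fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
  if (fd == -1)
    fail("socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)");
  for (i = 0; i < sizeof(arpt_tables) / sizeof(arpt_tables[0]); i++) {
    struct arpt_table_desc* table = &arpt_tables[i];
    if (table->info.valid_hooks == 0)
      continue;
    memset(&info, 0, sizeof(info));
    strcpy(info.name, table->name);
    optlen = sizeof(info);
    if (getsockopt(fd, SOL_IP, ARPT_SO_GET_INFO, &info, &optlen))
      fail("getsockopt(ARPT_SO_GET_INFO)");
    if (memcmp(&table->info, &info, sizeof(table->info)) == 0) {
      memset(&entries, 0, sizeof(entries));
      strcpy(entries.name, table->name);
      entries.size = table->info.size;
      optlen = sizeof(entries) - sizeof(entries.entrytable) + entries.size;
      if (getsockopt(fd, SOL_IP, ARPT_SO_GET_ENTRIES, &entries, &optlen))
        fail("getsockopt(ARPT_SO_GET_ENTRIES)");
      if (memcmp(table->replace.entrytable, entries.entrytable,
                 table->info.size) == 0)
        continue;
    }
    // Same bound as in reset_iptables(): the live table's entry count must fit
    // the XT_MAX_ENTRIES-sized scratch array handed to the kernel.
    if (info.num_entries > XT_MAX_ENTRIES)
      fail("too many counters: %u", info.num_entries);
    table->replace.num_counters = info.num_entries;
    table->replace.counters = counters;
    optlen = sizeof(table->replace) - sizeof(table->replace.entrytable) +
             table->replace.size;
    if (setsockopt(fd, SOL_IP, ARPT_SO_SET_REPLACE, &table->replace, optlen))
      fail("setsockopt(ARPT_SO_SET_REPLACE)");
  }
  close(fd);
}

// Reconstructed header names (see the note at the top of the file): they
// provide struct ebt_replace, struct ebt_entries, the EBT_SO_* options and
// NF_BR_NUMHOOKS used below.
#include <linux/if.h>
#include <linux/netfilter_bridge/ebtables.h>

// One snapshotted ebtables table: the replace header plus a local buffer for
// its entries.
struct ebt_table_desc {
  const char* name;
  struct ebt_replace replace;
  char entrytable[XT_TABLE_SIZE];
};

static struct ebt_table_desc ebt_tables[] = {
    {.name = "filter"}, {.name = "nat"}, {.name = "broute"},
};

// Snapshots the initial state of every table in ebt_tables using
// EBT_SO_GET_INIT_INFO and EBT_SO_GET_INIT_ENTRIES. Tables that answer EPERM,
// ENOENT or ENOPROTOOPT are skipped; other failures, or an entry blob larger
// than XT_TABLE_SIZE, exit through fail().
static void checkpoint_ebtables(void)
{
  socklen_t optlen;
  unsigned i;
  int fd;

  fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
  if (fd == -1)
    fail("socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)");
  for (i = 0; i < sizeof(ebt_tables) / sizeof(ebt_tables[0]); i++) {
    struct ebt_table_desc* table = &ebt_tables[i];
    strcpy(table->replace.name, table->name);
    optlen = sizeof(table->replace);
    if (getsockopt(fd, SOL_IP, EBT_SO_GET_INIT_INFO, &table->replace,
                   &optlen)) {
      switch (errno) {
      case EPERM:
      case ENOENT:
      case ENOPROTOOPT:
        continue;
      }
      fail("getsockopt(EBT_SO_GET_INIT_INFO)");
    }
    // Checked before entries_size is used as the length of the next request.
    if (table->replace.entries_size > sizeof(table->entrytable))
      fail("table size is too large: %u", table->replace.entries_size);
    table->replace.num_counters = 0;
    table->replace.entries = table->entrytable;
    optlen = sizeof(table->replace) + table->replace.entries_size;
    if (getsockopt(fd, SOL_IP, EBT_SO_GET_INIT_ENTRIES, &table->replace,
                   &optlen))
      fail("getsockopt(EBT_SO_GET_INIT_ENTRIES)");
  }
  close(fd);
}

// Restores every snapshotted ebtables table that differs from its snapshot by
// sending the stored request with EBT_SO_SET_ENTRIES. Failures exit through
// fail().
static void reset_ebtables()
{
  struct ebt_replace replace;
  char entrytable[XT_TABLE_SIZE];
  socklen_t optlen;
  unsigned i, j, h;
  int fd;

  fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
  if (fd == -1)
    fail("socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)");
  for (i = 0; i < sizeof(ebt_tables) / sizeof(ebt_tables[0]); i++) {
    struct ebt_table_desc* table = &ebt_tables[i];
    // valid_hooks == 0: the table was skipped at checkpoint time.
    if (table->replace.valid_hooks == 0)
      continue;
    memset(&replace, 0, sizeof(replace));
    strcpy(replace.name, table->name);
    optlen = sizeof(replace);
    if (getsockopt(fd, SOL_IP, EBT_SO_GET_INFO, &replace, &optlen))
      fail("getsockopt(EBT_SO_GET_INFO)");
    replace.num_counters = 0;
    // hook_entry is cleared in the snapshot before the comparison and rebuilt
    // further down, just before the table is written back.
    for (h = 0; h < NF_BR_NUMHOOKS; h++)
      table->replace.hook_entry[h] = 0;
    // NOTE(review): this compares whole structs, including the `entries`
    // pointer that checkpoint_ebtables() set to table->entrytable; whether
    // EBT_SO_GET_INFO can ever return a matching value is not visible here.
    // A match implies replace.entries_size equals the snapshot's size, which
    // was bounded by XT_TABLE_SIZE at checkpoint time.
    if (memcmp(&table->replace, &replace, sizeof(table->replace)) == 0) {
      memset(&entrytable, 0, sizeof(entrytable));
      replace.entries = entrytable;
      optlen = sizeof(replace) + replace.entries_size;
      if (getsockopt(fd, SOL_IP, EBT_SO_GET_ENTRIES, &replace, &optlen))
        fail("getsockopt(EBT_SO_GET_ENTRIES)");
      if (memcmp(table->entrytable, entrytable, replace.entries_size) == 0)
        continue;
    }
    // Point each valid hook at consecutive struct ebt_entries slots at the
    // start of the stored entry blob.
    for (j = 0, h = 0; h < NF_BR_NUMHOOKS; h++) {
      if (table->replace.valid_hooks & (1 << h)) {
        table->replace.hook_entry[h] =
            (struct ebt_entries*)table->entrytable + j;
        j++;
      }
    }
    optlen = sizeof(table->replace) + table->replace.entries_size;
    if (setsockopt(fd, SOL_IP, EBT_SO_SET_ENTRIES, &table->replace, optlen))
      fail("setsockopt(EBT_SO_SET_ENTRIES)");
  }
  close(fd);
}

// Snapshots ebtables, arptables, iptables and ip6tables, in that order.
static void checkpoint_net_namespace(void)
{
  checkpoint_ebtables();
  checkpoint_arptables();
  checkpoint_iptables(ipv4_tables, sizeof(ipv4_tables) / sizeof(ipv4_tables[0]),
                      AF_INET, SOL_IP);
  checkpoint_iptables(ipv6_tables, sizeof(ipv6_tables) / sizeof(ipv6_tables[0]),
                      AF_INET6, SOL_IPV6);
}

// Restores the four table families from the snapshot, in the same order.
static void reset_net_namespace(void)
{
  reset_ebtables();
  reset_arptables();
  reset_iptables(ipv4_tables, sizeof(ipv4_tables) / sizeof(ipv4_tables[0]),
                 AF_INET, SOL_IP);
  reset_iptables(ipv6_tables, sizeof(ipv6_tables) / sizeof(ipv6_tables[0]),
                 AF_INET6, SOL_IPV6);
}

// Recursively deletes `dir` and everything below it.
//
// Entries are classified with lstat(), so a symbolic link to a directory is
// unlinked rather than descended into. EBUSY on unlink/rmdir is answered with
// a lazy unmount (MNT_DETACH) and a retry; EROFS ends the attempt for that
// entry without error; ENOTEMPTY on the final rmdir restarts the whole scan,
// up to 100 times. Every other failure exits through exitf().
static void remove_dir(const char* dir)
{
  DIR* dp;
  struct dirent* ep;
  int iter = 0;
retry:
  dp = opendir(dir);
  if (dp == NULL) {
    if (errno == EMFILE) {
      exitf("opendir(%s) failed due to NOFILE, exiting", dir);
    }
    exitf("opendir(%s) failed", dir);
  }
  while ((ep = readdir(dp))) {
    if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0)
      continue;
    char filename[FILENAME_MAX];
    snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name);
    struct stat st;
    if (lstat(filename, &st))
      exitf("lstat(%s) failed", filename);
    if (S_ISDIR(st.st_mode)) {
      remove_dir(filename);
      continue;
    }
    int i;
    for (i = 0;; i++) {
      if (unlink(filename) == 0)
        break;
      if (errno == EROFS) {
        break;
      }
      if (errno != EBUSY || i > 100)
        exitf("unlink(%s) failed", filename);
      // EBUSY: something is mounted on the file; detach it and try again.
      if (umount2(filename, MNT_DETACH))
        exitf("umount(%s) failed", filename);
    }
  }
  closedir(dp);
  int i;
  for (i = 0;; i++) {
    if (rmdir(dir) == 0)
      break;
    if (i < 100) {
      if (errno == EROFS) {
        break;
      }
      if (errno == EBUSY) {
        if (umount2(dir, MNT_DETACH))
          exitf("umount(%s) failed", dir);
        continue;
      }
      if (errno == ENOTEMPTY) {
        // New entries appeared since the scan; rescan from the top.
        if (iter < 100) {
          iter++;
          goto retry;
        }
      }
    }
    exitf("rmdir(%s) failed", dir);
  }
}

static void test();

// Runs test() forever, one forked child per iteration.
//
// Each child gets its own ./<iter> working directory, its own process group
// and a SIGKILL on parent death. The parent polls for the child once per
// millisecond and, after 5 seconds, kills the child's process group and the
// child itself. After every iteration the working directory is removed and
// the netfilter tables are restored from the snapshot taken at the start.
void loop()
{
  int iter;
  checkpoint_net_namespace();
  for (iter = 0;; iter++) {
    char cwdbuf[256];
    snprintf(cwdbuf, sizeof(cwdbuf), "./%d", iter);
    if (mkdir(cwdbuf, 0777))
      fail("failed to mkdir");
    int pid = fork();
    if (pid < 0)
      fail("loop fork failed");
    if (pid == 0) {
      prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
      // Own process group, so that kill(-pid, ...) below also reaches
      // anything the child spawns.
      setpgrp();
      if (chdir(cwdbuf))
        fail("failed to chdir");
      test();
      doexit(0);
    }
    int status = 0;
    uint64_t start = current_time_ms();
    for (;;) {
      int res = waitpid(-1, &status, __WALL | WNOHANG);
      if (res == pid)
        break;
      usleep(1000);
      if (current_time_ms() - start > 5 * 1000) {
        kill(-pid, SIGKILL);
        kill(pid, SIGKILL);
        // Reap until the direct child itself has been collected.
        while (waitpid(-1, &status, __WALL) != pid) {
        }
        break;
      }
    }
    remove_dir(cwdbuf);
    reset_net_namespace();
  }
}

// Fallback syscall numbers, used only when the system headers do not define
// them.
#ifndef __NR_openat
#define __NR_openat 295
#endif
#ifndef __NR_epoll_ctl
#define __NR_epoll_ctl 255
#endif
#ifndef __NR_sendmsg
#define __NR_sendmsg 370
#endif
#ifndef __NR_poll
#define __NR_poll 168
#endif
#ifndef __NR_mount
#define __NR_mount 21
#endif
#ifndef __NR_execveat
#define __NR_execveat 358
#endif
#ifndef __NR_mmap
#define __NR_mmap 192
#endif
#ifndef __NR_socket
#define __NR_socket 359
#endif
#ifndef __NR_bind
#define __NR_bind 361
#endif
#ifndef __NR_sendto
#define __NR_sendto 369
#endif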
#ifndef __NR_connect #define __NR_connect 362 #endif #ifndef __NR_accept4 #define __NR_accept4 364 #endif #ifndef __NR_setsockopt #define __NR_setsockopt 366 #endif #ifndef __NR_ioctl #define __NR_ioctl 54 #endif #ifndef __NR_getsockopt #define __NR_getsockopt 365 #endif #ifndef __NR_readv #define __NR_readv 145 #endif #ifndef __NR_socketpair #define __NR_socketpair 360 #endif #ifndef __NR_dup #define __NR_dup 41 #endif #ifndef __NR_dup3 #define __NR_dup3 330 #endif #ifndef __NR_epoll_create1 #define __NR_epoll_create1 329 #endif #ifndef __NR_perf_event_open #define __NR_perf_event_open 336 #endif #ifndef __NR_mkdir #define __NR_mkdir 39 #endif #ifndef __NR_ftruncate #define __NR_ftruncate 93 #endif #undef __NR_mmap #define __NR_mmap __NR_mmap2 long r[20]; void test() { memset(r, -1, sizeof(r)); r[0] = syscall(__NR_socket, 0x15, 5, 0); *(uint32_t*)0x206dbffc = 0; syscall(__NR_setsockopt, r[0], 1, 8, 0x206dbffc, 4); r[1] = syscall(__NR_dup3, r[0], r[0], 0x80000); syscall(__NR_ioctl, r[1], 0x7709, 0); *(uint16_t*)0x208a5ff0 = 2; *(uint16_t*)0x208a5ff2 = htobe16(0x4e20); *(uint32_t*)0x208a5ff4 = htobe32(0x7f000001); *(uint8_t*)0x208a5ff8 = 0; *(uint8_t*)0x208a5ff9 = 0; *(uint8_t*)0x208a5ffa = 0; *(uint8_t*)0x208a5ffb = 0; *(uint8_t*)0x208a5ffc = 0; *(uint8_t*)0x208a5ffd = 0; *(uint8_t*)0x208a5ffe = 0; *(uint8_t*)0x208a5fff = 0; syscall(__NR_bind, r[0], 0x208a5ff0, 0x10); memcpy( (void*)0x20f7db7f, "\xba\x67\x13\x68\xd1\x01\x00\x00\x00\x49\x00\x00\x00\x01\x00\x00\x00\x01" "\x8b\xe4\x9e\x93\x01\x44\x28\x65\x31\x99\x97\xd0\xef\xdb\x2f\x54\xb6\xa1" "\x0c\x73\x27\x75\x74\x82\xbf\xce\x94\x5c\x2a\x91\xfb\x8d\xfa\xfc\x1d\x3f" "\x56\xbc\x54\x3a\xb8\x73\x21\xe1\x2c\xca\x08\xa7\x44\xa2\xd1\x28\xb0\x06" "\x34\xbc\x88\x21\x51\xd3\x68\x09\x22\x9a\x96\xbc\x34\x37\xef\x15\x94\x89" "\x38\x4a\xde\x07\x7b\xa2\x95\xea\xc2\x88\x2d\xbf\xd3\x78\x1d\xd4\xd4\xe6" "\x09\xc4\x26\x28\xdb\xb7\x09\xb3\xeb\x1f\xa0\x30\x00\x90\x45\xdd\x98\xb9" 
"\xe6\xd7\x7b\x6c\xec\x9c\xeb\x68\x55\x95\xd4\x39\x95\xe0\xf0\x4c\x32\x26" "\x09\x43\xad\xd7\x98\x31\xe6\x61\xc6\xa3\x51\xde\xdc\x8b\x9d\x22\x0f\xbf" "\x9f\xb6\xe4\x4f\xb6\xa6\x29\xce\x9a\x82\x02\x51\x24\xfe\xc9\xf3\xee\x75" "\x1f\x7d\xa0\xcd\x7e\x79\x9b\xe8\x8d\xdb\xda\xc2\x0b\x48\xe8\x90\xff\x81" "\xd7\xfa\x28\xc2\xd0\x17\xd7\x93\x2f\x25\x69\x03\x87\x40\x46\x1a\xcc\xd4" "\x58\x2f\x57\x6e\x4f\xdb\x61\x50\xa3\x39\x9f\x82\x66\xbc\x19\xeb\x94\x36" "\x48\xad\x1a\xd8\x14\x20\xed\x6c\x38\x24\x36\xe4\x74\x39\x0c\x89\x95\xe8" "\x29\xe4\xf9\xdf\x43\xee\xd8\x5a\x60\xb9\xee\x25\x4e\x31\xeb\x62\x90\x08" "\x57\xfa\x13\x4e\x76\xcc\x64\x88\x03\x34\xad\xbf\xf0\x69\xa2\xe5\xe6\x47" "\xd2\xed\x36\xa9\x6b\x23\x83\x4b\x6f\x6c\xa6\xb8\x11\x3b\xaf\x4c\xf3\x03" "\x47\xfb\xb7\xff\xc3\x0a\xea\x99\x87\x2c\xc0\xdb\xa0\x3b\x07\xd3\x34\x7b" "\x2d\x25\x7e\xdb\xe2\x73\x3c\x26\xb7\x33\x7a\x79\x96\x2d\x8c\xe8\x54\x69" "\xe3\xbc\xbe\x0e\x4a\x48\xa6\xae\x69\xd1\x3f\x2d\x4b\x51\x55\xb3\x90\xef" "\x67\xaa\x71\x4b\x82\xb6\x31\x3e\xe2\x77\xcb\x89\x86\xec\xa5\xdb\x2e\x97" "\xcb\x1a\xe2\x24\x3b\xba\x80\x27\x4f\x61\x4e\xce\x52\x1b\xae\xf4\x43\x39" "\x4b\x4c\x16\x1c\xb9\xae\x92\x6e\x21\x89\x25\x78\xb4\x9c\xfd\x6e\xfe\x1c" "\xb1\x57\x21\x48\xc1\x0d\x92\x21\x8e\xd7\x3e\xc1\x16\xa1\x8d\xe8\x0a\xc4" "\x2d\x27\x26\xa4\x52\x3a\x76\x4f\xc6\xdc\x35\x6c\x5f\xbb\xf9\xd2\xc9\x47" "\xae\x3b\xc9\xa3\xdc\x76\x09\x9f\x32\x57\xc8\xd5\x95\x28\x76\x15\x1b\x03" "\x26\xd8\xcb\x1d\x56\x83\xee\x4a\xb5\xde\xd9\xa3\x4c\x00\xac\x1b\x03\xf3" "\x46\x27\xec\x18\xa7\xc2\xe9\x2c\x87\xb7\x89\x65\x49\xcf\xab\x5e\xb5\x5f" "\xa8\x5a\x97\x09\x94\xbd\x4b\x22\xb5\xf0\xd0\x45\xe2\x41\x25\x6d\x06\xf4" "\x85\xa4\x7b\x4a\x55\xed\x38\x9b\xc1\x73\x45\x41\x23\x2c\xd4\x19\x08\xb5" "\xcf\xa4\xb8\xfc\xfc\xaf\xce\x50\x0a\x0c\x7a\xe9\x97\x67\x71\x3a\x98\xe7" "\x92\x7a\xa6\x9f\x6c\xcd\x7d\xae\xa6\x2f\x19\xce\xb8\x25\x59\xf4\x18\x99" "\xc9\xa9\xae\xe9\x91\x13\xe7\xe6\x4b\x5f\x8b\x98\x24\xbe\x9f\xdb\xfa\x4d" 
"\xd4\x99\x56\x73\xd8\x82\xbb\x4d\xae\xb6\x44\x13\xb3\x34\xe1\x14\x96\x5d" "\x2b\xa3\xce\xa8\x05\x1e\x69\x25\x08\x70\x1b\x94\x00\xcb\x12\xea\xe4\x57" "\xf8\xb8\x54\x99\x44\x09\x1b\x72\x91\x60\x93\x99\x18\xd8\xfc\xae\x61\x1a" "\x48\xed\x66\x5f\x77\x0d\xb6\x37\x48\x7a\x23\x6d\xa1\xa5\x8b\xa7\x56\x66" "\x68\x65\x1a\x77\x17\x1f\xc4\xfe\x50\x64\x96\xd1\x90\x59\x34\x3d\xbe\x4f" "\x42\x66\x25\xd3\xf2\xb7\x05\xf5\x45\x81\x37\x23\x61\x77\x0b\xf5\xa9\x09" "\x8a\x9f\xaf\xef\xaf\x54\x64\x26\xb2\x94\x23\x9a\xc3\x3e\x31\x86\xe4\xd5" "\x8a\xd2\xfa\x99\x5a\x6a\xd4\xdc\x07\x4e\x7c\xca\x11\xae\xad\x10\x95\x63" "\xb2\x07\x6c\x7c\x6e\x9f\x57\xec\x63\xdf\x96\x08\x04\xe2\xe7\xf9\xd8\x44" "\x4d\xe9\x55\x0c\xca\x3d\xf7\x83\x4d\x86\x4e\x97\x77\x29\x1c\x2e\x1f\x62" "\x05\xde\x2e\x43\xdc\x99\x5a\xb8\xbb\x15\x15\xa3\x65\xef\xc2\x83\x0f\xa3" "\xe7\xa1\xdd\x13\x7f\x55\x0d\x60\x35\x21\x2b\xc1\xf5\x1c\x3b\x4c\xee\xa4" "\x30\xdf\x49\xff\xc9\x21\x00\x84\xef\x15\x6a\xd7\xe0\xd2\x19\xef\xd6\xc1" "\x16\x69\x37\x35\xb4\x45\x21\xd3\x89\x96\x9a\x3a\x65\x61\x7c\xd2\xfd\x6e" "\x14\x06\x06\x01\xce\xe4\xcd\x05\x4c\xf3\x6f\xe0\x48\xb5\x7d\x1d\x9e\xe3" "\xca\xd2\xa7\x35\x52\x44\x99\x26\xb4\xa6\xb0\x3f\xbe\x9c\x0e\xc6\x83\x57" "\xe1\xfb\xe5\x2e\xd7\x7b\x67\xf5\x87\x0c\x0a\xef\xb7\xee\x82\x36\x74\x7e" "\x0d\x67\xa2\x67\x25\xfb\x51\x55\x44\xcb\xbe\x84\x64\xda\x94\xcf\xd8\xc0" "\xb9\x4b\xb4\xe5\x1a\x26\x3b\x17\x49\xbd\x0a\x7c\xf6\x51\x93\x1f\x80\x6d" "\x1b\x92\x8d\x1f\x99\x94\xf1\xad\x4d\x50\xe6\xa5\xcd\x7a\x8e\x4e\x68\x7f" "\x85\x64\xfd\xac\xc8\x64\x01\x3d\x09\x5b\xa9\xd5\x70\x9e\xce\xd3\xc2\x8e" "\xab\xda\x47\x6d\x17\x7a\x78\x36\x40\x0a\x01\xe0\x2b\xee\xd5\xa6\x63\x6d" "\x40\x64\xfd\xda\x34\x49\x67\xad\x86\x82\xd1\x4b\x87\xc7\x17\x27\xcb\x66" "\xbe\x27\xd1\xd3\x91\x91\xf4\x22\x3c\x54\x5b\x62\xfb\x5d\x60\x26\x2b\xa8" "\x07\x6a\x65\xdb\xc1\x94\xce\xe1\xdf\x84\x6c\x58\x4b\x7b\xbe\x9d\xce\x6e" "\x68\x95\xb2\xcb\xbb\x64\xb0\x3b\x55\x54\x8b\x84\x5c\xc3\xde\x2f\x93\x9e" 
"\xf9\x18\x42\x1a\xf9\xa5\xe9\x15\x7e\x83\x76\x51\x24\x52\x99\xc0\x39\x92" "\xd0\xdd\xee\x06\xbd\x22\xa3\x15\x22\xac\xa0\xf3\x09\xb1\xfe\xcc\xeb\xc0" "\xb1\xc0\xed\x9d\x21\xc1\x9b\xfd\x15\xcd\x31\x3f\xf6\x43\x94\xfd\x6a\x10" "\x90\x48\x90\xc9\xf6\xd6\x46\xb0\x26\xf2\x72\x53\xe8\xf5\x84\xc3\xff\xd2" "\x0a\xd6\x7e\x8b\x62\xed\x76\x76\x70\x6d\x40\xbc\x5c\x80\xe3\x76\x98\x0b" "\x81", 1153); *(uint16_t*)0x2069affb = 2; *(uint16_t*)0x2069affd = htobe16(0x4e20); *(uint32_t*)0x2069afff = htobe32(0x7f000001); *(uint8_t*)0x2069b003 = 0; *(uint8_t*)0x2069b004 = 0; *(uint8_t*)0x2069b005 = 0; *(uint8_t*)0x2069b006 = 0; *(uint8_t*)0x2069b007 = 0; *(uint8_t*)0x2069b008 = 0; *(uint8_t*)0x2069b009 = 0; *(uint8_t*)0x2069b00a = 0; syscall(__NR_sendto, r[0], 0x20f7db7f, 0x481, 0, 0x2069affb, 0x10); *(uint8_t*)0x20000000 = 6; syscall(__NR_setsockopt, r[0], 0x84, 0x15, 0x20000000, 1); *(uint16_t*)0x20000040 = 2; *(uint16_t*)0x20000042 = htobe16(0x4e22); *(uint8_t*)0x20000044 = 0xac; *(uint8_t*)0x20000045 = 0x14; *(uint8_t*)0x20000046 = 0; *(uint8_t*)0x20000047 = 0xaa; *(uint8_t*)0x20000048 = 0; *(uint8_t*)0x20000049 = 0; *(uint8_t*)0x2000004a = 0; *(uint8_t*)0x2000004b = 0; *(uint8_t*)0x2000004c = 0; *(uint8_t*)0x2000004d = 0; *(uint8_t*)0x2000004e = 0; *(uint8_t*)0x2000004f = 0; syscall(__NR_bind, r[0], 0x20000040, 0x10); *(uint32_t*)0x20000000 = 0; *(uint32_t*)0x20000004 = 5; *(uint32_t*)0x20000040 = 8; if (syscall(__NR_getsockopt, r[0], 0x84, 0x75, 0x20000000, 0x20000040) != -1) r[2] = *(uint32_t*)0x20000000; *(uint32_t*)0x20000080 = r[2]; *(uint16_t*)0x20000084 = 0xbb; *(uint16_t*)0x20000086 = 0x597a; syscall(__NR_setsockopt, r[0], 0x84, 0x7c, 0x20000080, 8); memcpy((void*)0x200000c0, "./file0", 8); r[3] = syscall(__NR_openat, 0xffffff9c, 0x200000c0, 0x80, 0); *(uint32_t*)0x20000100 = 4; *(uint32_t*)0x20000104 = 0; *(uint32_t*)0x20000108 = 0x40000001; *(uint32_t*)0x2000010c = 0xfffffff8; *(uint32_t*)0x20000110 = 0x4b5; *(uint32_t*)0x20000114 = 0xff; *(uint32_t*)0x20000118 = 6; 
*(uint32_t*)0x2000011c = 0; *(uint32_t*)0x20000120 = 0xc0000001; *(uint32_t*)0x20000124 = 5; *(uint32_t*)0x20000128 = 0x100; *(uint32_t*)0x2000012c = 0xbdf; *(uint32_t*)0x20000130 = 0x3f; *(uint32_t*)0x20000134 = 0; *(uint32_t*)0x20000138 = 0xc000000f; *(uint32_t*)0x2000013c = 5; *(uint32_t*)0x20000140 = 6; *(uint32_t*)0x20000144 = 0x8001; *(uint32_t*)0x20000148 = 3; *(uint32_t*)0x2000014c = 0; *(uint32_t*)0x20000150 = 0xc0000019; *(uint32_t*)0x20000154 = 0; *(uint32_t*)0x20000158 = 4; *(uint32_t*)0x2000015c = 0x800; *(uint32_t*)0x20000160 = 2; *(uint32_t*)0x20000164 = 0; syscall(__NR_ioctl, r[3], 0x4008ae8a, 0x20000100); r[4] = syscall(__NR_epoll_create1, 0x80000); *(uint32_t*)0x20f24000 = 0; *(uint64_t*)0x20f24004 = 0; syscall(__NR_epoll_ctl, r[4], 1, r[0], 0x20f24000); *(uint32_t*)0x207af000 = 0x20dd0fe6; *(uint32_t*)0x207af004 = 0x1a; syscall(__NR_readv, r[0], 0x207af000, 1); memcpy((void*)0x20000040, "/dev/autofs", 12); syscall(__NR_openat, 0xffffff9c, 0x20000040, 0x101100, 0); *(uint32_t*)0x20000040 = 0; *(uint32_t*)0x20000044 = 0; *(uint32_t*)0x20000048 = 0; *(uint32_t*)0x2000004c = 0; *(uint32_t*)0x20000050 = 8; *(uint32_t*)0x20000054 = 6; *(uint32_t*)0x20000058 = 0x16; *(uint32_t*)0x2000005c = 0x10; memcpy((void*)0x20000060, "\x48\xaa\xeb\x46\x47\x66\x97\xe0\xda\x05\x3a\x1e\x15\x57\x08\x10\x42" "\x0c\x0e\x07\x4d\x47\xe4\xe1\x35\xff\xef\x18\x67\xeb\xdc\xc1\x58\xd5" "\x72\x87\x48\x82\xf5\x5f\x1d\x47\x91\xe2\xe9\x34\x2f\x1d\xcd\x0c\x63" "\xd6\xb9\x8e\x7d\x07\x45\x78\x6f\x56\x31\x0b\x8d\x4c", 64); memcpy((void*)0x200000a0, "\x54\x80\x0f\x47\x0a\x86\xbc\x85\x10\xf3\xec\x37" "\x6e\x46\xd3\x16\x26\xd0\xce\xae\xcf\x98\x74\xc1" "\x5c\x32\x20\x67\x65\xab\x9e\xe9", 32); *(uint32_t*)0x200000c0 = 8; *(uint32_t*)0x200000c4 = 6; *(uint32_t*)0x200000c8 = 0; syscall(__NR_ioctl, -1, 0x4c02, 0x20000040); *(uint32_t*)0x20000080 = 0xb; syscall(__NR_getsockopt, -1, 0x84, 0xb, 0x20000040, 0x20000080); syscall(__NR_socket, 0x18, 1, 1); r[5] = syscall(__NR_socket, 2, 2, 0); 
*(uint32_t*)0x2025c000 = 2; *(uint32_t*)0x2025c004 = 0x78; *(uint8_t*)0x2025c008 = 0xe3; *(uint8_t*)0x2025c009 = 0; *(uint8_t*)0x2025c00a = 0; *(uint8_t*)0x2025c00b = 0; *(uint32_t*)0x2025c00c = 0; *(uint64_t*)0x2025c010 = 0; *(uint64_t*)0x2025c018 = 0; *(uint64_t*)0x2025c020 = 0; STORE_BY_BITMASK(uint64_t, 0x2025c028, 0, 0, 1); STORE_BY_BITMASK(uint64_t, 0x2025c028, 0, 1, 1); STORE_BY_BITMASK(uint64_t, 0x2025c028, 0, 2, 1); STORE_BY_BITMASK(uint64_t, 0x2025c028, 0, 3, 1); STORE_BY_BITMASK(uint64_t, 0x2025c028, 0, 4, 1); STORE_BY_BITMASK(uint64_t, 0x2025c028, 0x10000003, 5, 1); STORE_BY_BITMASK(uint64_t, 0x2025c028, 0, 6, 1); STORE_BY_BITMASK(uint64_t, 0x2025c028, 0, 7, 1); STORE_BY_BITMASK(uint64_t, 0x2025c028, 0, 8, 1); STORE_BY_BITMASK(uint64_t, 0x2025c028, 0, 9, 1); STORE_BY_BITMASK(uint64_t, 0x2025c028, 0, 10, 1); STORE_BY_BITMASK(uint64_t, 0x2025c028, 0, 11, 1); STORE_BY_BITMASK(uint64_t, 0x2025c028, 0, 12, 1); STORE_BY_BITMASK(uint64_t, 0x2025c028, 0, 13, 1); STORE_BY_BITMASK(uint64_t, 0x2025c028, 0, 14, 1); STORE_BY_BITMASK(uint64_t, 0x2025c028, 0, 15, 2); STORE_BY_BITMASK(uint64_t, 0x2025c028, 0, 17, 1); STORE_BY_BITMASK(uint64_t, 0x2025c028, 0, 18, 1); STORE_BY_BITMASK(uint64_t, 0x2025c028, 0, 19, 1); STORE_BY_BITMASK(uint64_t, 0x2025c028, 0, 20, 1); STORE_BY_BITMASK(uint64_t, 0x2025c028, 0, 21, 1); STORE_BY_BITMASK(uint64_t, 0x2025c028, 0, 22, 1); STORE_BY_BITMASK(uint64_t, 0x2025c028, 0, 23, 1); STORE_BY_BITMASK(uint64_t, 0x2025c028, 0x80000000000, 24, 1); STORE_BY_BITMASK(uint64_t, 0x2025c028, 0, 25, 1); STORE_BY_BITMASK(uint64_t, 0x2025c028, 0, 26, 1); STORE_BY_BITMASK(uint64_t, 0x2025c028, 0, 27, 1); STORE_BY_BITMASK(uint64_t, 0x2025c028, 0, 28, 1); STORE_BY_BITMASK(uint64_t, 0x2025c028, 0, 29, 35); *(uint32_t*)0x2025c030 = 0; *(uint32_t*)0x2025c034 = 0; *(uint64_t*)0x2025c038 = 0xffffffff; *(uint64_t*)0x2025c040 = 4; *(uint64_t*)0x2025c048 = 0; *(uint64_t*)0x2025c050 = 0; *(uint64_t*)0x2025c058 = 0; *(uint32_t*)0x2025c060 = 0; *(uint64_t*)0x2025c068 
= 0; *(uint32_t*)0x2025c070 = 0; *(uint16_t*)0x2025c074 = 0; *(uint16_t*)0x2025c076 = 0; syscall(__NR_perf_event_open, 0x2025c000, 0, -1, -1, 0); *(uint16_t*)0x20e92000 = 0x18; *(uint32_t*)0x20e92002 = 1; *(uint32_t*)0x20e92006 = 0; *(uint32_t*)0x20e9200a = r[5]; *(uint16_t*)0x20e9200e = 2; *(uint16_t*)0x20e92010 = htobe16(0x4e21); *(uint8_t*)0x20e92012 = 0xac; *(uint8_t*)0x20e92013 = 0x14; *(uint8_t*)0x20e92014 = 0; *(uint8_t*)0x20e92015 = 0xbb; *(uint8_t*)0x20e92016 = 0; *(uint8_t*)0x20e92017 = 0; *(uint8_t*)0x20e92018 = 0; *(uint8_t*)0x20e92019 = 0; *(uint8_t*)0x20e9201a = 0; *(uint8_t*)0x20e9201b = 0; *(uint8_t*)0x20e9201c = 0; *(uint8_t*)0x20e9201d = 0; *(uint32_t*)0x20e9201e = 2; *(uint32_t*)0x20e92022 = 0; *(uint32_t*)0x20e92026 = 4; *(uint32_t*)0x20e9202a = 0; syscall(__NR_connect, -1, 0x20e92000, 0x2e); syscall(__NR_mmap, 0x200d8000, 0x3000, 1, 0x11, -1, 0x57); r[6] = syscall(__NR_socket, 0x1d, 2, 2); *(uint32_t*)0x20001fc8 = 0x20010000; *(uint16_t*)0x20010000 = 0x1d; *(uint32_t*)0x20010004 = 0; *(uint32_t*)0x20010008 = 0; *(uint32_t*)0x2001000c = 0; *(uint32_t*)0x20001fcc = 0xb; *(uint32_t*)0x20001fd0 = 0x20017ff0; *(uint32_t*)0x20017ff0 = 0x20007000; STORE_BY_BITMASK(uint32_t, 0x20007000, 1, 0, 29); STORE_BY_BITMASK(uint32_t, 0x20007000, 0, 29, 1); STORE_BY_BITMASK(uint32_t, 0x20007000, 0, 30, 1); STORE_BY_BITMASK(uint32_t, 0x20007000, 0, 31, 1); *(uint8_t*)0x20007004 = 0x23; *(uint8_t*)0x20007005 = 0; *(uint8_t*)0x20007006 = 0; *(uint8_t*)0x20007007 = 0; memcpy((void*)0x20007008, "\x03\x27\xe1\x9a\x2b\x01\x00\x00\x00\x00\x00\x00\x00\xf9\x03\x00\x08" "\x99\x00\x39\x96\x6a\x7d\x5c\xb2\xbd\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x07\x49\x6e\x68\x66\x85\x6b\x76\xb5\x01\x00\x00\x00\x00\x00\x00" "\x00\x00\x06\x00\x00\x00\x01\x18\xfa\x1e\xfd\x9b\x0b", 64); *(uint32_t*)0x20017ff4 = 0x48; *(uint32_t*)0x20001fd4 = 1; *(uint32_t*)0x20001fd8 = 0; *(uint32_t*)0x20001fdc = 0; *(uint32_t*)0x20001fe0 = 0; syscall(__NR_sendmsg, r[6], 0x20001fc8, 0); 
*(uint32_t*)0x20000040 = 0x10; syscall(__NR_accept4, r[6], 0x20000000, 0x20000040, 0x80800); *(uint32_t*)0x20004fc0 = 9; *(uint32_t*)0x20004fc4 = 0xffffff9c; *(uint32_t*)0x20004fc8 = 0; syscall(__NR_ioctl, -1, 0xc00caee0, 0x20004fc0); r[7] = syscall(__NR_socket, 2, 0x80001, 0); memcpy((void*)0x20000080, "\x6e\x61\x74\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00", 32); *(uint32_t*)0x200000a0 = 0x1b; *(uint32_t*)0x200000a4 = 5; *(uint32_t*)0x200000a8 = 0x3e0; *(uint32_t*)0x200000ac = 0x16c; *(uint32_t*)0x200000b0 = 0xa4; *(uint32_t*)0x200000b4 = -1; *(uint32_t*)0x200000b8 = 0x16c; *(uint32_t*)0x200000bc = 0x16c; *(uint32_t*)0x200000c0 = 0x34c; *(uint32_t*)0x200000c4 = 0x34c; *(uint32_t*)0x200000c8 = -1; *(uint32_t*)0x200000cc = 0x34c; *(uint32_t*)0x200000d0 = 0x34c; *(uint32_t*)0x200000d4 = 5; *(uint32_t*)0x200000d8 = 0x20000000; *(uint8_t*)0x200000dc = 0; *(uint8_t*)0x200000dd = 0; *(uint8_t*)0x200000de = 0; *(uint8_t*)0x200000df = 0; *(uint8_t*)0x200000e0 = 0; *(uint8_t*)0x200000e1 = 0; *(uint8_t*)0x200000e2 = 0; *(uint8_t*)0x200000e3 = 0; *(uint8_t*)0x200000e4 = 0; *(uint8_t*)0x200000e5 = 0; *(uint8_t*)0x200000e6 = 0; *(uint8_t*)0x200000e7 = 0; *(uint8_t*)0x200000e8 = 0; *(uint8_t*)0x200000e9 = 0; *(uint8_t*)0x200000ea = 0; *(uint8_t*)0x200000eb = 0; *(uint8_t*)0x200000ec = 0; *(uint8_t*)0x200000ed = 0; *(uint8_t*)0x200000ee = 0; *(uint8_t*)0x200000ef = 0; *(uint8_t*)0x200000f0 = 0; *(uint8_t*)0x200000f1 = 0; *(uint8_t*)0x200000f2 = 0; *(uint8_t*)0x200000f3 = 0; *(uint8_t*)0x200000f4 = 0; *(uint8_t*)0x200000f5 = 0; *(uint8_t*)0x200000f6 = 0; *(uint8_t*)0x200000f7 = 0; *(uint8_t*)0x200000f8 = 0; *(uint8_t*)0x200000f9 = 0; *(uint8_t*)0x200000fa = 0; *(uint8_t*)0x200000fb = 0; *(uint8_t*)0x200000fc = 0; *(uint8_t*)0x200000fd = 0; *(uint8_t*)0x200000fe = 0; *(uint8_t*)0x200000ff = 0; *(uint8_t*)0x20000100 = 0; *(uint8_t*)0x20000101 = 0; *(uint8_t*)0x20000102 = 0; *(uint8_t*)0x20000103 = 0; 
*(uint8_t*)0x20000104 = 0; *(uint8_t*)0x20000105 = 0; *(uint8_t*)0x20000106 = 0; *(uint8_t*)0x20000107 = 0; *(uint8_t*)0x20000108 = 0; *(uint8_t*)0x20000109 = 0; *(uint8_t*)0x2000010a = 0; *(uint8_t*)0x2000010b = 0; *(uint8_t*)0x2000010c = 0; *(uint8_t*)0x2000010d = 0; *(uint8_t*)0x2000010e = 0; *(uint8_t*)0x2000010f = 0; *(uint8_t*)0x20000110 = 0; *(uint8_t*)0x20000111 = 0; *(uint8_t*)0x20000112 = 0; *(uint8_t*)0x20000113 = 0; *(uint8_t*)0x20000114 = 0; *(uint8_t*)0x20000115 = 0; *(uint8_t*)0x20000116 = 0; *(uint8_t*)0x20000117 = 0; *(uint8_t*)0x20000118 = 0; *(uint8_t*)0x20000119 = 0; *(uint8_t*)0x2000011a = 0; *(uint8_t*)0x2000011b = 0; *(uint8_t*)0x2000011c = 0; *(uint8_t*)0x2000011d = 0; *(uint8_t*)0x2000011e = 0; *(uint8_t*)0x2000011f = 0; *(uint8_t*)0x20000120 = 0; *(uint8_t*)0x20000121 = 0; *(uint8_t*)0x20000122 = 0; *(uint8_t*)0x20000123 = 0; *(uint8_t*)0x20000124 = 0; *(uint8_t*)0x20000125 = 0; *(uint8_t*)0x20000126 = 0; *(uint8_t*)0x20000127 = 0; *(uint8_t*)0x20000128 = 0; *(uint8_t*)0x20000129 = 0; *(uint8_t*)0x2000012a = 0; *(uint8_t*)0x2000012b = 0; *(uint8_t*)0x2000012c = 0; *(uint8_t*)0x2000012d = 0; *(uint8_t*)0x2000012e = 0; *(uint8_t*)0x2000012f = 0; *(uint32_t*)0x20000130 = 0; *(uint16_t*)0x20000134 = 0x70; *(uint16_t*)0x20000136 = 0xa4; *(uint32_t*)0x20000138 = 0; *(uint64_t*)0x2000013c = 0; *(uint64_t*)0x20000144 = 0; *(uint16_t*)0x2000014c = 0x34; memcpy((void*)0x2000014e, "\x53\x4e\x41\x54\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00", 29); *(uint8_t*)0x2000016b = 0; *(uint32_t*)0x2000016c = 1; *(uint32_t*)0x20000170 = 0; *(uint32_t*)0x20000174 = htobe32(0xe0000001); *(uint32_t*)0x20000178 = htobe32(0xe0000001); *(uint16_t*)0x2000017c = 0; *(uint16_t*)0x2000017e = 0; *(uint8_t*)0x20000180 = 0; *(uint8_t*)0x20000181 = 0; *(uint8_t*)0x20000182 = 0; *(uint8_t*)0x20000183 = 0; *(uint8_t*)0x20000184 = 0; *(uint8_t*)0x20000185 = 0; *(uint8_t*)0x20000186 = 0; *(uint8_t*)0x20000187 = 0; 
*(uint8_t*)0x20000188 = 0; *(uint8_t*)0x20000189 = 0; *(uint8_t*)0x2000018a = 0; *(uint8_t*)0x2000018b = 0; *(uint8_t*)0x2000018c = 0; *(uint8_t*)0x2000018d = 0; *(uint8_t*)0x2000018e = 0; *(uint8_t*)0x2000018f = 0; *(uint8_t*)0x20000190 = 0; *(uint8_t*)0x20000191 = 0; *(uint8_t*)0x20000192 = 0; *(uint8_t*)0x20000193 = 0; *(uint8_t*)0x20000194 = 0; *(uint8_t*)0x20000195 = 0; *(uint8_t*)0x20000196 = 0; *(uint8_t*)0x20000197 = 0; *(uint8_t*)0x20000198 = 0; *(uint8_t*)0x20000199 = 0; *(uint8_t*)0x2000019a = 0; *(uint8_t*)0x2000019b = 0; *(uint8_t*)0x2000019c = 0; *(uint8_t*)0x2000019d = 0; *(uint8_t*)0x2000019e = 0; *(uint8_t*)0x2000019f = 0; *(uint8_t*)0x200001a0 = 0; *(uint8_t*)0x200001a1 = 0; *(uint8_t*)0x200001a2 = 0; *(uint8_t*)0x200001a3 = 0; *(uint8_t*)0x200001a4 = 0; *(uint8_t*)0x200001a5 = 0; *(uint8_t*)0x200001a6 = 0; *(uint8_t*)0x200001a7 = 0; *(uint8_t*)0x200001a8 = 0; *(uint8_t*)0x200001a9 = 0; *(uint8_t*)0x200001aa = 0; *(uint8_t*)0x200001ab = 0; *(uint8_t*)0x200001ac = 0; *(uint8_t*)0x200001ad = 0; *(uint8_t*)0x200001ae = 0; *(uint8_t*)0x200001af = 0; *(uint8_t*)0x200001b0 = 0; *(uint8_t*)0x200001b1 = 0; *(uint8_t*)0x200001b2 = 0; *(uint8_t*)0x200001b3 = 0; *(uint8_t*)0x200001b4 = 0; *(uint8_t*)0x200001b5 = 0; *(uint8_t*)0x200001b6 = 0; *(uint8_t*)0x200001b7 = 0; *(uint8_t*)0x200001b8 = 0; *(uint8_t*)0x200001b9 = 0; *(uint8_t*)0x200001ba = 0; *(uint8_t*)0x200001bb = 0; *(uint8_t*)0x200001bc = 0; *(uint8_t*)0x200001bd = 0; *(uint8_t*)0x200001be = 0; *(uint8_t*)0x200001bf = 0; *(uint8_t*)0x200001c0 = 0; *(uint8_t*)0x200001c1 = 0; *(uint8_t*)0x200001c2 = 0; *(uint8_t*)0x200001c3 = 0; *(uint8_t*)0x200001c4 = 0; *(uint8_t*)0x200001c5 = 0; *(uint8_t*)0x200001c6 = 0; *(uint8_t*)0x200001c7 = 0; *(uint8_t*)0x200001c8 = 0; *(uint8_t*)0x200001c9 = 0; *(uint8_t*)0x200001ca = 0; *(uint8_t*)0x200001cb = 0; *(uint8_t*)0x200001cc = 0; *(uint8_t*)0x200001cd = 0; *(uint8_t*)0x200001ce = 0; *(uint8_t*)0x200001cf = 0; *(uint8_t*)0x200001d0 = 0; *(uint8_t*)0x200001d1 = 0; 
*(uint8_t*)0x200001d2 = 0; *(uint8_t*)0x200001d3 = 0; *(uint32_t*)0x200001d4 = 0; *(uint16_t*)0x200001d8 = 0x94; *(uint16_t*)0x200001da = 0xc8; *(uint32_t*)0x200001dc = 0; *(uint64_t*)0x200001e0 = 0; *(uint64_t*)0x200001e8 = 0; *(uint16_t*)0x200001f0 = 0x24; memcpy((void*)0x200001f2, "\x73\x6f\x63\x6b\x65\x74\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00", 29); *(uint8_t*)0x2000020f = 1; *(uint8_t*)0x20000210 = 0; *(uint16_t*)0x20000214 = 0x34; memcpy((void*)0x20000216, "\x44\x4e\x41\x54\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00", 29); *(uint8_t*)0x20000233 = 0; *(uint32_t*)0x20000234 = 1; *(uint32_t*)0x20000238 = 0; *(uint32_t*)0x2000023c = htobe32(0xe0000001); *(uint8_t*)0x20000240 = 0xac; *(uint8_t*)0x20000241 = 0x14; *(uint8_t*)0x20000242 = 0; *(uint8_t*)0x20000243 = 0; *(uint16_t*)0x20000244 = 0; *(uint16_t*)0x20000246 = 0; *(uint32_t*)0x20000248 = htobe32(0xe0000001); *(uint8_t*)0x2000024c = 0xac; *(uint8_t*)0x2000024d = 0x14; *(uint8_t*)0x2000024e = 0; *(uint8_t*)0x2000024f = 0xbb; *(uint32_t*)0x20000250 = htobe32(0); *(uint32_t*)0x20000254 = htobe32(0); *(uint8_t*)0x20000258 = 0x73; *(uint8_t*)0x20000259 = 0x79; *(uint8_t*)0x2000025a = 0x7a; *(uint8_t*)0x2000025b = 0; *(uint8_t*)0x2000025c = 0; memcpy((void*)0x20000268, "\xd6\xf8\x1f\xdf\x62\xda\x82\xea\xb0\x14\xf9\x72\x65\xd0\xca\x68", 16); *(uint8_t*)0x20000278 = 0; *(uint8_t*)0x20000279 = 0; *(uint8_t*)0x2000027a = 0; *(uint8_t*)0x2000027b = 0; *(uint8_t*)0x2000027c = 0; *(uint8_t*)0x2000027d = 0; *(uint8_t*)0x2000027e = 0; *(uint8_t*)0x2000027f = 0; *(uint8_t*)0x20000280 = 0; *(uint8_t*)0x20000281 = 0; *(uint8_t*)0x20000282 = 0; *(uint8_t*)0x20000283 = 0; *(uint8_t*)0x20000284 = 0; *(uint8_t*)0x20000285 = 0; *(uint8_t*)0x20000286 = 0; *(uint8_t*)0x20000287 = 0; *(uint8_t*)0x20000288 = -1; *(uint8_t*)0x20000289 = 0; *(uint8_t*)0x2000028a = 0; *(uint8_t*)0x2000028b = 0; *(uint8_t*)0x2000028c 
= 0; *(uint8_t*)0x2000028d = 0; *(uint8_t*)0x2000028e = 0; *(uint8_t*)0x2000028f = 0; *(uint8_t*)0x20000290 = 0; *(uint8_t*)0x20000291 = 0; *(uint8_t*)0x20000292 = 0; *(uint8_t*)0x20000293 = 0; *(uint8_t*)0x20000294 = 0; *(uint8_t*)0x20000295 = 0; *(uint8_t*)0x20000296 = 0; *(uint8_t*)0x20000297 = 0; *(uint16_t*)0x20000298 = 0; *(uint8_t*)0x2000029a = 0; *(uint8_t*)0x2000029b = 0; *(uint32_t*)0x2000029c = 0; *(uint16_t*)0x200002a0 = 0x94; *(uint16_t*)0x200002a2 = 0xc8; *(uint32_t*)0x200002a4 = 0; *(uint64_t*)0x200002a8 = 0; *(uint64_t*)0x200002b0 = 0; *(uint16_t*)0x200002b8 = 0x24; memcpy((void*)0x200002ba, "\x73\x65\x74\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00", 29); *(uint8_t*)0x200002d7 = 1; *(uint16_t*)0x200002d8 = 0; *(uint8_t*)0x200002da = 0; *(uint8_t*)0x200002db = 0; *(uint16_t*)0x200002dc = 0x34; memcpy((void*)0x200002de, "\x4e\x45\x54\x4d\x41\x50\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00", 29); *(uint8_t*)0x200002fb = 0; *(uint32_t*)0x200002fc = 1; *(uint32_t*)0x20000300 = 0; *(uint32_t*)0x20000304 = htobe32(0); *(uint32_t*)0x20000308 = htobe32(0); *(uint16_t*)0x2000030c = 0; *(uint16_t*)0x2000030e = 0; *(uint8_t*)0x20000310 = 0; *(uint8_t*)0x20000311 = 0; *(uint8_t*)0x20000312 = 0; *(uint8_t*)0x20000313 = 0; *(uint8_t*)0x20000314 = 0; *(uint8_t*)0x20000315 = 0; *(uint8_t*)0x20000316 = 0; *(uint8_t*)0x20000317 = 0; *(uint8_t*)0x20000318 = 0; *(uint8_t*)0x20000319 = 0; *(uint8_t*)0x2000031a = 0; *(uint8_t*)0x2000031b = 0; *(uint8_t*)0x2000031c = 0; *(uint8_t*)0x2000031d = 0; *(uint8_t*)0x2000031e = 0; *(uint8_t*)0x2000031f = 0; *(uint8_t*)0x20000320 = 0; *(uint8_t*)0x20000321 = 0; *(uint8_t*)0x20000322 = 0; *(uint8_t*)0x20000323 = 0; *(uint8_t*)0x20000324 = 0; *(uint8_t*)0x20000325 = 0; *(uint8_t*)0x20000326 = 0; *(uint8_t*)0x20000327 = 0; *(uint8_t*)0x20000328 = 0; *(uint8_t*)0x20000329 = 0; *(uint8_t*)0x2000032a = 0; 
*(uint8_t*)0x2000032b = 0; *(uint8_t*)0x2000032c = 0; *(uint8_t*)0x2000032d = 0; *(uint8_t*)0x2000032e = 0; *(uint8_t*)0x2000032f = 0; *(uint8_t*)0x20000330 = 0; *(uint8_t*)0x20000331 = 0; *(uint8_t*)0x20000332 = 0; *(uint8_t*)0x20000333 = 0; *(uint8_t*)0x20000334 = 0; *(uint8_t*)0x20000335 = 0; *(uint8_t*)0x20000336 = 0; *(uint8_t*)0x20000337 = 0; *(uint8_t*)0x20000338 = 0; *(uint8_t*)0x20000339 = 0; *(uint8_t*)0x2000033a = 0; *(uint8_t*)0x2000033b = 0; *(uint8_t*)0x2000033c = 0; *(uint8_t*)0x2000033d = 0; *(uint8_t*)0x2000033e = 0; *(uint8_t*)0x2000033f = 0; *(uint8_t*)0x20000340 = 0; *(uint8_t*)0x20000341 = 0; *(uint8_t*)0x20000342 = 0; *(uint8_t*)0x20000343 = 0; *(uint8_t*)0x20000344 = 0; *(uint8_t*)0x20000345 = 0; *(uint8_t*)0x20000346 = 0; *(uint8_t*)0x20000347 = 0; *(uint8_t*)0x20000348 = 0; *(uint8_t*)0x20000349 = 0; *(uint8_t*)0x2000034a = 0; *(uint8_t*)0x2000034b = 0; *(uint8_t*)0x2000034c = 0; *(uint8_t*)0x2000034d = 0; *(uint8_t*)0x2000034e = 0; *(uint8_t*)0x2000034f = 0; *(uint8_t*)0x20000350 = 0; *(uint8_t*)0x20000351 = 0; *(uint8_t*)0x20000352 = 0; *(uint8_t*)0x20000353 = 0; *(uint8_t*)0x20000354 = 0; *(uint8_t*)0x20000355 = 0; *(uint8_t*)0x20000356 = 0; *(uint8_t*)0x20000357 = 0; *(uint8_t*)0x20000358 = 0; *(uint8_t*)0x20000359 = 0; *(uint8_t*)0x2000035a = 0; *(uint8_t*)0x2000035b = 0; *(uint8_t*)0x2000035c = 0; *(uint8_t*)0x2000035d = 0; *(uint8_t*)0x2000035e = 0; *(uint8_t*)0x2000035f = 0; *(uint8_t*)0x20000360 = 0; *(uint8_t*)0x20000361 = 0; *(uint8_t*)0x20000362 = 0; *(uint8_t*)0x20000363 = 0; *(uint32_t*)0x20000364 = 0; *(uint16_t*)0x20000368 = 0xe4; *(uint16_t*)0x2000036a = 0x118; *(uint32_t*)0x2000036c = 0; *(uint64_t*)0x20000370 = 0; *(uint64_t*)0x20000378 = 0; *(uint16_t*)0x20000380 = 0x24; memcpy((void*)0x20000382, "\x69\x63\x6d\x70\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00", 29); *(uint8_t*)0x2000039f = 0; *(uint8_t*)0x200003a0 = 0; *(uint8_t*)0x200003a1 = 0; 
*(uint8_t*)0x200003a2 = 0; *(uint8_t*)0x200003a3 = 0; *(uint16_t*)0x200003a4 = 0x50; memcpy((void*)0x200003a6, "\x6f\x73\x66\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00", 29); *(uint8_t*)0x200003c3 = 0; memcpy((void*)0x200003c4, "\x73\x79\x7a\x30\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00", 32); *(uint32_t*)0x200003e4 = 0; *(uint32_t*)0x200003e8 = 0; *(uint32_t*)0x200003ec = 0; *(uint32_t*)0x200003f0 = 0; *(uint16_t*)0x200003f4 = 0x34; memcpy((void*)0x200003f6, "\x53\x4e\x41\x54\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00", 29); *(uint8_t*)0x20000413 = 0; *(uint32_t*)0x20000414 = 1; *(uint32_t*)0x20000418 = 0; *(uint32_t*)0x2000041c = htobe32(0xe0000002); *(uint32_t*)0x20000420 = htobe32(-1); *(uint16_t*)0x20000424 = 0; *(uint16_t*)0x20000426 = 0; *(uint8_t*)0x20000428 = 0; *(uint8_t*)0x20000429 = 0; *(uint8_t*)0x2000042a = 0; *(uint8_t*)0x2000042b = 0; *(uint8_t*)0x2000042c = 0; *(uint8_t*)0x2000042d = 0; *(uint8_t*)0x2000042e = 0; *(uint8_t*)0x2000042f = 0; *(uint8_t*)0x20000430 = 0; *(uint8_t*)0x20000431 = 0; *(uint8_t*)0x20000432 = 0; *(uint8_t*)0x20000433 = 0; *(uint8_t*)0x20000434 = 0; *(uint8_t*)0x20000435 = 0; *(uint8_t*)0x20000436 = 0; *(uint8_t*)0x20000437 = 0; *(uint8_t*)0x20000438 = 0; *(uint8_t*)0x20000439 = 0; *(uint8_t*)0x2000043a = 0; *(uint8_t*)0x2000043b = 0; *(uint8_t*)0x2000043c = 0; *(uint8_t*)0x2000043d = 0; *(uint8_t*)0x2000043e = 0; *(uint8_t*)0x2000043f = 0; *(uint8_t*)0x20000440 = 0; *(uint8_t*)0x20000441 = 0; *(uint8_t*)0x20000442 = 0; *(uint8_t*)0x20000443 = 0; *(uint8_t*)0x20000444 = 0; *(uint8_t*)0x20000445 = 0; *(uint8_t*)0x20000446 = 0; *(uint8_t*)0x20000447 = 0; *(uint8_t*)0x20000448 = 0; *(uint8_t*)0x20000449 = 0; *(uint8_t*)0x2000044a = 0; *(uint8_t*)0x2000044b = 0; *(uint8_t*)0x2000044c = 0; *(uint8_t*)0x2000044d = 0; 
*(uint8_t*)0x2000044e = 0; *(uint8_t*)0x2000044f = 0; *(uint8_t*)0x20000450 = 0; *(uint8_t*)0x20000451 = 0; *(uint8_t*)0x20000452 = 0; *(uint8_t*)0x20000453 = 0; *(uint8_t*)0x20000454 = 0; *(uint8_t*)0x20000455 = 0; *(uint8_t*)0x20000456 = 0; *(uint8_t*)0x20000457 = 0; *(uint8_t*)0x20000458 = 0; *(uint8_t*)0x20000459 = 0; *(uint8_t*)0x2000045a = 0; *(uint8_t*)0x2000045b = 0; *(uint8_t*)0x2000045c = 0; *(uint8_t*)0x2000045d = 0; *(uint8_t*)0x2000045e = 0; *(uint8_t*)0x2000045f = 0; *(uint8_t*)0x20000460 = 0; *(uint8_t*)0x20000461 = 0; *(uint8_t*)0x20000462 = 0; *(uint8_t*)0x20000463 = 0; *(uint8_t*)0x20000464 = 0; *(uint8_t*)0x20000465 = 0; *(uint8_t*)0x20000466 = 0; *(uint8_t*)0x20000467 = 0; *(uint8_t*)0x20000468 = 0; *(uint8_t*)0x20000469 = 0; *(uint8_t*)0x2000046a = 0; *(uint8_t*)0x2000046b = 0; *(uint8_t*)0x2000046c = 0; *(uint8_t*)0x2000046d = 0; *(uint8_t*)0x2000046e = 0; *(uint8_t*)0x2000046f = 0; *(uint8_t*)0x20000470 = 0; *(uint8_t*)0x20000471 = 0; *(uint8_t*)0x20000472 = 0; *(uint8_t*)0x20000473 = 0; *(uint8_t*)0x20000474 = 0; *(uint8_t*)0x20000475 = 0; *(uint8_t*)0x20000476 = 0; *(uint8_t*)0x20000477 = 0; *(uint8_t*)0x20000478 = 0; *(uint8_t*)0x20000479 = 0; *(uint8_t*)0x2000047a = 0; *(uint8_t*)0x2000047b = 0; *(uint32_t*)0x2000047c = 0; *(uint16_t*)0x20000480 = 0x70; *(uint16_t*)0x20000482 = 0x94; *(uint32_t*)0x20000484 = 0; *(uint64_t*)0x20000488 = 0; *(uint64_t*)0x20000490 = 0; *(uint16_t*)0x20000498 = 0x24; memcpy((void*)0x2000049a, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00", 29); *(uint8_t*)0x200004b7 = 0; *(uint32_t*)0x200004b8 = 0xfffffffe; syscall(__NR_setsockopt, r[7], 0, 0x40, 0x20000080, 0x43c); *(uint32_t*)0x2001d000 = 2; *(uint32_t*)0x2001d004 = 0x78; *(uint8_t*)0x2001d008 = 0xe2; *(uint8_t*)0x2001d009 = 0; *(uint8_t*)0x2001d00a = 0; *(uint8_t*)0x2001d00b = 0; *(uint32_t*)0x2001d00c = 0; *(uint64_t*)0x2001d010 = 0; *(uint64_t*)0x2001d018 = 0; 
*(uint64_t*)0x2001d020 = 0; STORE_BY_BITMASK(uint64_t, 0x2001d028, 0, 0, 1); STORE_BY_BITMASK(uint64_t, 0x2001d028, 0, 1, 1); STORE_BY_BITMASK(uint64_t, 0x2001d028, 0, 2, 1); STORE_BY_BITMASK(uint64_t, 0x2001d028, 0, 3, 1); STORE_BY_BITMASK(uint64_t, 0x2001d028, 0, 4, 1); STORE_BY_BITMASK(uint64_t, 0x2001d028, 0xff, 5, 1); STORE_BY_BITMASK(uint64_t, 0x2001d028, 0, 6, 1); STORE_BY_BITMASK(uint64_t, 0x2001d028, 0, 7, 1); STORE_BY_BITMASK(uint64_t, 0x2001d028, 0, 8, 1); STORE_BY_BITMASK(uint64_t, 0x2001d028, 0, 9, 1); STORE_BY_BITMASK(uint64_t, 0x2001d028, 0, 10, 1); STORE_BY_BITMASK(uint64_t, 0x2001d028, 0, 11, 1); STORE_BY_BITMASK(uint64_t, 0x2001d028, 0, 12, 1); STORE_BY_BITMASK(uint64_t, 0x2001d028, 0, 13, 1); STORE_BY_BITMASK(uint64_t, 0x2001d028, 0, 14, 1); STORE_BY_BITMASK(uint64_t, 0x2001d028, 0, 15, 2); STORE_BY_BITMASK(uint64_t, 0x2001d028, 0, 17, 1); STORE_BY_BITMASK(uint64_t, 0x2001d028, 0, 18, 1); STORE_BY_BITMASK(uint64_t, 0x2001d028, 0, 19, 1); STORE_BY_BITMASK(uint64_t, 0x2001d028, 0, 20, 1); STORE_BY_BITMASK(uint64_t, 0x2001d028, 0, 21, 1); STORE_BY_BITMASK(uint64_t, 0x2001d028, 0, 22, 1); STORE_BY_BITMASK(uint64_t, 0x2001d028, 0, 23, 1); STORE_BY_BITMASK(uint64_t, 0x2001d028, 0, 24, 1); STORE_BY_BITMASK(uint64_t, 0x2001d028, 0, 25, 1); STORE_BY_BITMASK(uint64_t, 0x2001d028, 0, 26, 1); STORE_BY_BITMASK(uint64_t, 0x2001d028, 0, 27, 1); STORE_BY_BITMASK(uint64_t, 0x2001d028, 0, 28, 1); STORE_BY_BITMASK(uint64_t, 0x2001d028, 0, 29, 35); *(uint32_t*)0x2001d030 = 0; *(uint32_t*)0x2001d034 = 0; *(uint64_t*)0x2001d038 = 0x20000000; *(uint64_t*)0x2001d040 = 0; *(uint64_t*)0x2001d048 = 0; *(uint64_t*)0x2001d050 = 0; *(uint64_t*)0x2001d058 = 0; *(uint32_t*)0x2001d060 = 0; *(uint64_t*)0x2001d068 = 0; *(uint32_t*)0x2001d070 = 0; *(uint16_t*)0x2001d074 = 0; *(uint16_t*)0x2001d076 = 0; syscall(__NR_perf_event_open, 0x2001d000, 0, 0, -1, 0); *(uint8_t*)0x20000100 = 0x58; *(uint8_t*)0x20000101 = 4; *(uint8_t*)0x20000102 = 0; *(uint8_t*)0x20000103 = 0; 
*(uint32_t*)0x20000104 = 0xfffffffb; *(uint8_t*)0x20000108 = 4; *(uint8_t*)0x20000109 = 8; *(uint8_t*)0x2000010a = 0xe7; *(uint8_t*)0x2000010b = -1; *(uint8_t*)0x2000010c = 0; *(uint8_t*)0x2000010d = 0x40; *(uint8_t*)0x2000010e = 1; *(uint8_t*)0x2000010f = 0; *(uint32_t*)0x20000110 = 0x7fffffff; *(uint32_t*)0x20000114 = 7; *(uint8_t*)0x20000118 = 0x7f; *(uint8_t*)0x20000119 = 4; *(uint8_t*)0x2000011a = 0x94; *(uint8_t*)0x2000011b = 5; syscall(__NR_ioctl, -1, 0x4040aea0, 0x20000100); *(uint32_t*)0x20000100 = 0x10001; *(uint32_t*)0x20000104 = 0; *(uint64_t*)0x20000108 = 9; *(uint64_t*)0x20000110 = 0x3e0000000; *(uint64_t*)0x20000118 = -1; *(uint64_t*)0x20000120 = 9; *(uint64_t*)0x20000128 = 0x1ff; *(uint64_t*)0x20000130 = 0x40; *(uint64_t*)0x20000138 = 6; *(uint64_t*)0x20000140 = 0xcc; syscall(__NR_ioctl, -1, 0x4048ae9b, 0x20000100); *(uint32_t*)0x20000180 = 6; *(uint32_t*)0x20000184 = 0x200000c0; syscall(__NR_ioctl, -1, 0xc0086426, 0x20000180); memcpy((void*)0x20000040, "/dev/dmmidi#", 13); syz_open_dev(0x20000040, 1, 0x40040); r[8] = syscall(__NR_socket, 0x10, 3, 0); if (syscall(__NR_socketpair, 0x11, 3, 0x300, 0x20000000) != -1) r[9] = *(uint32_t*)0x20000000; *(uint32_t*)0x20000000 = 0xb24; syscall(__NR_setsockopt, r[8], 1, 1, 0x20000000, 4); memcpy((void*)0x20000040, "\x4c\x63\xd7\x01\xcd\xe6\x7b\xf3\x9c\xd6\xfa\x04" "\xbe\x9b\xaf\xbe\xa0\x64\x0c\x4f\x9d\x49\x53\x6f" "\xa2\xb7\x86\x95", 28); *(uint16_t*)0x20000080 = 0x27; *(uint32_t*)0x20000084 = 4; *(uint32_t*)0x20000088 = 7; *(uint32_t*)0x2000008c = 0; *(uint8_t*)0x20000090 = 0x8b; *(uint8_t*)0x20000091 = 8; memcpy((void*)0x20000092, "\x5c\x42\x02\xac\x71\x82\x09\xd4\x6e\xe0\xe8\x34\xe3\xb4\x70\x4f\x8c" "\x7a\x28\x2d\x6c\xcf\xb0\x27\xb6\x3b\x76\x90\x4b\xf0\xb7\xc4\x68\xc4" "\x5c\x0f\x60\xc5\x3d\xff\x09\x33\x69\x5d\xfc\x65\x6b\x22\xdd\xd7\x9e" "\xfd\x95\x0f\x31\x80\x94\x46\xd4\x0c\x9b\x8e\xf9", 63); *(uint32_t*)0x200000d4 = 0xed5; syscall(__NR_sendto, r[9], 0x20000040, 0x1c, 0x10, 0x20000080, 0x58); if 
(syscall(__NR_socketpair, 4, 0x801, 0xcb, 0x20000000) != -1) { r[10] = *(uint32_t*)0x20000000; r[11] = *(uint32_t*)0x20000004; } *(uint32_t*)0x20000040 = 0; syscall(__NR_ioctl, r[10], 0x40044591, 0x20000040); *(uint8_t*)0x20e02000 = 0x73; *(uint8_t*)0x20e02001 = 0x79; *(uint8_t*)0x20e02002 = 0x7a; *(uint8_t*)0x20e02003 = 0; *(uint8_t*)0x20e02004 = 0; *(uint32_t*)0x20e02010 = 0; *(uint8_t*)0x20e02014 = 0; *(uint8_t*)0x20e02015 = 0; *(uint8_t*)0x20e02016 = 0; *(uint8_t*)0x20e02017 = 0; *(uint8_t*)0x20e02018 = 0; *(uint8_t*)0x20e02019 = 0; *(uint8_t*)0x20e0201a = 0; *(uint8_t*)0x20e0201b = 0; *(uint8_t*)0x20e0201c = 0; *(uint8_t*)0x20e0201d = 0; *(uint8_t*)0x20e0201e = 0; *(uint8_t*)0x20e0201f = 0; *(uint8_t*)0x20e02020 = 0; *(uint8_t*)0x20e02021 = 0; *(uint8_t*)0x20e02022 = 0; *(uint8_t*)0x20e02023 = 0; *(uint8_t*)0x20e02024 = 0; *(uint8_t*)0x20e02025 = 0; *(uint8_t*)0x20e02026 = 0; *(uint8_t*)0x20e02027 = 0; if (syscall(__NR_ioctl, -1, 0x8933, 0x20e02000) != -1) r[12] = *(uint32_t*)0x20e02010; *(uint8_t*)0x20000080 = 0x73; *(uint8_t*)0x20000081 = 0x79; *(uint8_t*)0x20000082 = 0x7a; *(uint8_t*)0x20000083 = 0x30; *(uint8_t*)0x20000084 = 0; *(uint16_t*)0x20000090 = 2; syscall(__NR_ioctl, r[10], 0x8924, 0x20000080); *(uint32_t*)0x209e7000 = 0x2077a000; *(uint16_t*)0x2077a000 = 0x10; *(uint16_t*)0x2077a002 = 0; *(uint32_t*)0x2077a004 = 0; *(uint32_t*)0x2077a008 = 0x4400000; *(uint32_t*)0x209e7004 = 0xc; *(uint32_t*)0x209e7008 = 0x209ceff0; *(uint32_t*)0x209ceff0 = 0x20000080; *(uint32_t*)0x20000080 = 0x24; *(uint16_t*)0x20000084 = 0x1c; *(uint16_t*)0x20000086 = 0x211; *(uint32_t*)0x20000088 = 0; *(uint32_t*)0x2000008c = 0; *(uint8_t*)0x20000090 = 2; *(uint8_t*)0x20000091 = 0; *(uint16_t*)0x20000092 = 0; *(uint32_t*)0x20000094 = r[12]; *(uint16_t*)0x20000098 = 0; *(uint8_t*)0x2000009a = 0; *(uint8_t*)0x2000009b = 0; *(uint16_t*)0x2000009c = 8; *(uint16_t*)0x2000009e = 1; *(uint32_t*)0x200000a0 = htobe32(0x7f000001); *(uint32_t*)0x209ceff4 = 0x24; *(uint32_t*)0x209e700c = 
1; *(uint32_t*)0x209e7010 = 0; *(uint32_t*)0x209e7014 = 0; *(uint32_t*)0x209e7018 = 0; syscall(__NR_sendmsg, r[11], 0x209e7000, 0); memcpy((void*)0x20000180, "/dev/hwrng", 11); r[13] = syscall(__NR_openat, 0xffffff9c, 0x20000180, 0x80, 0); *(uint32_t*)0x200010c0 = 0; syscall(__NR_setsockopt, r[11], 0x103, 1, 0x200010c0, 4); *(uint32_t*)0x20000140 = 0x20000040; *(uint16_t*)0x20000040 = 0x1d; *(uint32_t*)0x20000044 = r[12]; *(uint32_t*)0x20000048 = 0; *(uint32_t*)0x2000004c = 0; *(uint32_t*)0x20000144 = 0x10; *(uint32_t*)0x20000148 = 0x20000100; *(uint32_t*)0x20000100 = 0x20000080; *(uint32_t*)0x20000080 = 5; *(uint32_t*)0x20000084 = 0x100; *(uint32_t*)0x20000088 = 0x9ca; *(uint32_t*)0x2000008c = 0x77359400; *(uint32_t*)0x20000090 = 0; *(uint32_t*)0x20000094 = 0; *(uint32_t*)0x20000098 = 0; STORE_BY_BITMASK(uint32_t, 0x2000009c, 2, 0, 29); STORE_BY_BITMASK(uint32_t, 0x2000009c, 5, 29, 1); STORE_BY_BITMASK(uint32_t, 0x2000009c, 5, 30, 1); STORE_BY_BITMASK(uint32_t, 0x2000009c, 6, 31, 1); *(uint32_t*)0x200000a0 = 1; STORE_BY_BITMASK(uint32_t, 0x200000a4, 3, 0, 29); STORE_BY_BITMASK(uint32_t, 0x200000a4, 1, 29, 1); STORE_BY_BITMASK(uint32_t, 0x200000a4, 5, 30, 1); STORE_BY_BITMASK(uint32_t, 0x200000a4, 1, 31, 1); *(uint8_t*)0x200000a8 = 6; *(uint8_t*)0x200000a9 = 2; *(uint8_t*)0x200000aa = 0; *(uint8_t*)0x200000ab = 0; memcpy((void*)0x200000ac, "\xcb\x9f\xfb\xa0\xd7\x64\x26\x09\x42\x4d\x8d\x04\x9a\xdd\x3f\x55\x56" "\xa4\x48\x40\x46\x69\xc7\x2d\xe4\x5d\xe0\x0b\xa2\x70\x7c\xad\x77\xab" "\xfb\xad\x37\xa4\x42\x8f\xcc\x0e\xfc\xd7\x6c\x16\xf0\x00\x62\x01\xf8" "\x88\xdd\x92\xc4\xdb\xdb\xad\x5c\x2d\x63\x1a\x38\x33", 64); *(uint32_t*)0x20000104 = 0x6c; *(uint32_t*)0x2000014c = 1; *(uint32_t*)0x20000150 = 0; *(uint32_t*)0x20000154 = 0; *(uint32_t*)0x20000158 = 0x20000001; syscall(__NR_sendmsg, r[13], 0x20000140, 0x40); memcpy((void*)0x20001140, "/dev/snd/pcmC#D#c", 18); syz_open_dev(0x20001140, 0x1f914add, 0x42600); memcpy((void*)0x203c6ff1, "/dev/vhost-net", 15); r[14] = 
syscall(__NR_openat, 0xffffff9c, 0x203c6ff1, 2, 0); *(uint64_t*)0x20c97ff8 = 0; syscall(__NR_ioctl, r[14], 0xaf01, 0x20c97ff8); *(uint32_t*)0x20fd3000 = 6; *(uint32_t*)0x20fd3004 = 0; *(uint64_t*)0x20fd3008 = 0; *(uint64_t*)0x20fd3010 = 0xa6; *(uint64_t*)0x20fd3018 = 0x2042af5a; *(uint64_t*)0x20fd3020 = 0; *(uint64_t*)0x20fd3028 = 0; *(uint64_t*)0x20fd3030 = 0xcf; *(uint64_t*)0x20fd3038 = 0x201a2000; *(uint64_t*)0x20fd3040 = 0; *(uint64_t*)0x20fd3048 = 0; *(uint64_t*)0x20fd3050 = 0x5d3490f7f8629b88; *(uint64_t*)0x20fd3058 = 0x203c9fec; *(uint64_t*)0x20fd3060 = 0; *(uint64_t*)0x20fd3068 = 0; *(uint64_t*)0x20fd3070 = 0x15; *(uint64_t*)0x20fd3078 = 0x20384000; *(uint64_t*)0x20fd3080 = 0; *(uint64_t*)0x20fd3088 = 0; *(uint64_t*)0x20fd3090 = 0xc2; *(uint64_t*)0x20fd3098 = 0x2051e000; *(uint64_t*)0x20fd30a0 = 0; *(uint64_t*)0x20fd30a8 = 0; *(uint64_t*)0x20fd30b0 = 5; *(uint64_t*)0x20fd30b8 = 0x20421000; *(uint64_t*)0x20fd30c0 = 0; syscall(__NR_ioctl, r[14], 0x4008af03, 0x20fd3000); *(uint32_t*)0x20d7c000 = 0; *(uint32_t*)0x20d7c004 = -1; syscall(__NR_ioctl, r[14], 0x4008af30, 0x20d7c000); r[15] = syscall(__NR_dup, r[14]); memcpy((void*)0x20000040, "\x66\x69\x6c\x74\x65\x72\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00", 32); *(uint32_t*)0x20000060 = 7; *(uint32_t*)0x20000064 = 4; *(uint32_t*)0x20000068 = 0x3e8; *(uint32_t*)0x2000006c = 0; *(uint32_t*)0x20000070 = 0x1f4; *(uint32_t*)0x20000074 = 0x1f4; *(uint32_t*)0x20000078 = 0x304; *(uint32_t*)0x2000007c = 0x304; *(uint32_t*)0x20000080 = 0x304; *(uint32_t*)0x20000084 = 4; *(uint32_t*)0x20000088 = 0x20000000; *(uint8_t*)0x2000008c = 0xac; *(uint8_t*)0x2000008d = 0x14; *(uint8_t*)0x2000008e = 0; *(uint8_t*)0x2000008f = 0xaa; *(uint8_t*)0x20000090 = 0xac; *(uint8_t*)0x20000091 = 0x14; *(uint8_t*)0x20000092 = 0; *(uint8_t*)0x20000093 = 0xaa; *(uint32_t*)0x20000094 = htobe32(0xffffff00); *(uint32_t*)0x20000098 = htobe32(-1); *(uint8_t*)0x2000009c = 0; 
*(uint8_t*)0x2000009d = 0; *(uint8_t*)0x2000009e = 0; *(uint8_t*)0x2000009f = 0; *(uint8_t*)0x200000a0 = 0; *(uint8_t*)0x200000a1 = 0; *(uint8_t*)0x200000a2 = 0; *(uint8_t*)0x200000a3 = 0; *(uint8_t*)0x200000a4 = 0; *(uint8_t*)0x200000a5 = 0; *(uint8_t*)0x200000a6 = 0; *(uint8_t*)0x200000a7 = 0; *(uint8_t*)0x200000a8 = 0; *(uint8_t*)0x200000a9 = 0; *(uint8_t*)0x200000aa = 0; *(uint8_t*)0x200000ab = 0; *(uint8_t*)0x200000ac = -1; *(uint8_t*)0x200000ad = 0; *(uint8_t*)0x200000ae = -1; *(uint8_t*)0x200000af = 0; *(uint8_t*)0x200000b0 = -1; *(uint8_t*)0x200000b1 = 0; *(uint8_t*)0x200000b2 = 0; *(uint8_t*)0x200000b3 = 0; *(uint8_t*)0x200000b4 = 0; *(uint8_t*)0x200000b5 = 0; *(uint8_t*)0x200000b6 = 0; *(uint8_t*)0x200000b7 = 0; *(uint8_t*)0x200000b8 = 0; *(uint8_t*)0x200000b9 = 0; *(uint8_t*)0x200000ba = 0; *(uint8_t*)0x200000bb = 0; *(uint8_t*)0x200000bc = 0; *(uint8_t*)0x200000bd = 0; *(uint8_t*)0x200000be = 0; *(uint8_t*)0x200000bf = 0; *(uint8_t*)0x200000c0 = 0; *(uint8_t*)0x200000c1 = 0; *(uint8_t*)0x200000c2 = 0; *(uint8_t*)0x200000c3 = 0; *(uint8_t*)0x200000c4 = 0; *(uint8_t*)0x200000c5 = 0; *(uint8_t*)0x200000c6 = 0; *(uint8_t*)0x200000c7 = 0; *(uint8_t*)0x200000c8 = 0; *(uint8_t*)0x200000c9 = 0; *(uint8_t*)0x200000ca = 0; *(uint8_t*)0x200000cb = 0; *(uint8_t*)0x200000cc = -1; *(uint8_t*)0x200000cd = 0; *(uint8_t*)0x200000ce = -1; *(uint8_t*)0x200000cf = -1; *(uint8_t*)0x200000d0 = -1; *(uint8_t*)0x200000d1 = 0; *(uint8_t*)0x200000d2 = 0; *(uint8_t*)0x200000d3 = 0; *(uint8_t*)0x200000d4 = 0; *(uint8_t*)0x200000d5 = 0; *(uint8_t*)0x200000d6 = 0; *(uint8_t*)0x200000d7 = 0; *(uint8_t*)0x200000d8 = 0; *(uint8_t*)0x200000d9 = 0; *(uint8_t*)0x200000da = 0; *(uint8_t*)0x200000db = 0; *(uint16_t*)0x200000dc = htobe16(0xfff8); *(uint16_t*)0x200000de = htobe16(0x1ff); *(uint16_t*)0x200000e0 = htobe16(7); *(uint16_t*)0x200000e2 = htobe16(6); *(uint16_t*)0x200000e4 = htobe16(0xf001); *(uint16_t*)0x200000e6 = htobe16(1); *(uint8_t*)0x200000e8 = 0x73; *(uint8_t*)0x200000e9 = 
0x79; *(uint8_t*)0x200000ea = 0x7a; *(uint8_t*)0x200000eb = 0x30; *(uint8_t*)0x200000ec = 0; memcpy((void*)0x200000f8, "\x51\xde\x7d\xcc\xda\xc9\xb3\xea\xa4\x16\xd0\x67\x04\xf7\x48\xa7", 16); *(uint8_t*)0x20000108 = 0x64; *(uint8_t*)0x20000109 = 0; *(uint8_t*)0x2000010a = 0; *(uint8_t*)0x2000010b = 0; *(uint8_t*)0x2000010c = 0; *(uint8_t*)0x2000010d = 0; *(uint8_t*)0x2000010e = 0; *(uint8_t*)0x2000010f = 0; *(uint8_t*)0x20000110 = 0; *(uint8_t*)0x20000111 = 0; *(uint8_t*)0x20000112 = 0; *(uint8_t*)0x20000113 = 0; *(uint8_t*)0x20000114 = 0; *(uint8_t*)0x20000115 = 0; *(uint8_t*)0x20000116 = 0; *(uint8_t*)0x20000117 = 0; *(uint8_t*)0x20000118 = 0; *(uint8_t*)0x20000119 = 0; *(uint8_t*)0x2000011a = 0; *(uint8_t*)0x2000011b = 0; *(uint8_t*)0x2000011c = 0; *(uint8_t*)0x2000011d = 0; *(uint8_t*)0x2000011e = 0; *(uint8_t*)0x2000011f = 0; *(uint8_t*)0x20000120 = 0; *(uint8_t*)0x20000121 = 0; *(uint8_t*)0x20000122 = 0; *(uint8_t*)0x20000123 = 0; *(uint8_t*)0x20000124 = 0; *(uint8_t*)0x20000125 = 0; *(uint8_t*)0x20000126 = 0; *(uint8_t*)0x20000127 = 0; *(uint8_t*)0x20000128 = 0; *(uint16_t*)0x2000012a = 0x20; *(uint16_t*)0x20000130 = 0xc0; *(uint16_t*)0x20000132 = 0xe4; *(uint32_t*)0x20000134 = 0; *(uint64_t*)0x2000013c = 0; *(uint64_t*)0x20000144 = 0; *(uint16_t*)0x2000014c = 0x24; memcpy((void*)0x2000014e, "\x4e\x46\x51\x55\x45\x55\x45\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00", 29); *(uint8_t*)0x2000016b = 1; *(uint16_t*)0x2000016c = 3; *(uint16_t*)0x2000016e = 4; *(uint8_t*)0x20000170 = 0; *(uint8_t*)0x20000171 = 0; *(uint8_t*)0x20000172 = 0; *(uint8_t*)0x20000173 = 0; *(uint8_t*)0x20000174 = 0; *(uint8_t*)0x20000175 = 0; *(uint8_t*)0x20000176 = 0; *(uint8_t*)0x20000177 = 0; *(uint8_t*)0x20000178 = 0; *(uint8_t*)0x20000179 = 0; *(uint8_t*)0x2000017a = 0; *(uint8_t*)0x2000017b = 0; *(uint8_t*)0x2000017c = 0; *(uint8_t*)0x2000017d = 0; *(uint8_t*)0x2000017e = 0; *(uint8_t*)0x2000017f = 0; *(uint8_t*)0x20000180 = 0; 
*(uint8_t*)0x20000181 = 0; *(uint8_t*)0x20000182 = 0; *(uint8_t*)0x20000183 = 0; *(uint8_t*)0x20000184 = 0; *(uint8_t*)0x20000185 = 0; *(uint8_t*)0x20000186 = 0; *(uint8_t*)0x20000187 = 0; *(uint8_t*)0x20000188 = 0; *(uint8_t*)0x20000189 = 0; *(uint8_t*)0x2000018a = 0; *(uint8_t*)0x2000018b = 0; *(uint8_t*)0x2000018c = 0; *(uint8_t*)0x2000018d = 0; *(uint8_t*)0x2000018e = 0; *(uint8_t*)0x2000018f = 0; *(uint8_t*)0x20000190 = 0; *(uint8_t*)0x20000191 = 0; *(uint8_t*)0x20000192 = 0; *(uint8_t*)0x20000193 = 0; *(uint8_t*)0x20000194 = 0; *(uint8_t*)0x20000195 = 0; *(uint8_t*)0x20000196 = 0; *(uint8_t*)0x20000197 = 0; *(uint8_t*)0x20000198 = 0; *(uint8_t*)0x20000199 = 0; *(uint8_t*)0x2000019a = 0; *(uint8_t*)0x2000019b = 0; *(uint8_t*)0x2000019c = 0; *(uint8_t*)0x2000019d = 0; *(uint8_t*)0x2000019e = 0; *(uint8_t*)0x2000019f = 0; *(uint8_t*)0x200001a0 = 0; *(uint8_t*)0x200001a1 = 0; *(uint8_t*)0x200001a2 = 0; *(uint8_t*)0x200001a3 = 0; *(uint8_t*)0x200001a4 = 0; *(uint8_t*)0x200001a5 = 0; *(uint8_t*)0x200001a6 = 0; *(uint8_t*)0x200001a7 = 0; *(uint8_t*)0x200001a8 = 0; *(uint8_t*)0x200001a9 = 0; *(uint8_t*)0x200001aa = 0; *(uint8_t*)0x200001ab = 0; *(uint8_t*)0x200001ac = 0; *(uint8_t*)0x200001ad = 0; *(uint8_t*)0x200001ae = 0; *(uint8_t*)0x200001af = 0; *(uint8_t*)0x200001b0 = 0; *(uint8_t*)0x200001b1 = 0; *(uint8_t*)0x200001b2 = 0; *(uint8_t*)0x200001b3 = 0; *(uint8_t*)0x200001b4 = 0; *(uint8_t*)0x200001b5 = 0; *(uint8_t*)0x200001b6 = 0; *(uint8_t*)0x200001b7 = 0; *(uint8_t*)0x200001b8 = 0; *(uint8_t*)0x200001b9 = 0; *(uint8_t*)0x200001ba = 0; *(uint8_t*)0x200001bb = 0; *(uint8_t*)0x200001bc = 0; *(uint8_t*)0x200001bd = 0; *(uint8_t*)0x200001be = 0; *(uint8_t*)0x200001bf = 0; *(uint8_t*)0x200001c0 = 0; *(uint8_t*)0x200001c1 = 0; *(uint8_t*)0x200001c2 = 0; *(uint8_t*)0x200001c3 = 0; *(uint8_t*)0x200001c4 = 0; *(uint8_t*)0x200001c5 = 0; *(uint8_t*)0x200001c6 = 0; *(uint8_t*)0x200001c7 = 0; *(uint8_t*)0x200001c8 = 0; *(uint8_t*)0x200001c9 = 0; *(uint8_t*)0x200001ca = 0; 
*(uint8_t*)0x200001cb = 0; *(uint8_t*)0x200001cc = 0; *(uint8_t*)0x200001cd = 0; *(uint8_t*)0x200001ce = 0; *(uint8_t*)0x200001cf = 0; *(uint8_t*)0x200001d0 = 0; *(uint8_t*)0x200001d1 = 0; *(uint8_t*)0x200001d2 = 0; *(uint8_t*)0x200001d3 = 0; *(uint8_t*)0x200001d4 = 0; *(uint8_t*)0x200001d5 = 0; *(uint8_t*)0x200001d6 = 0; *(uint8_t*)0x200001d7 = 0; *(uint8_t*)0x200001d8 = 0; *(uint8_t*)0x200001d9 = 0; *(uint8_t*)0x200001da = 0; *(uint8_t*)0x200001db = 0; *(uint8_t*)0x200001dc = 0; *(uint8_t*)0x200001dd = 0; *(uint8_t*)0x200001de = 0; *(uint8_t*)0x200001df = 0; *(uint8_t*)0x200001e0 = 0; *(uint8_t*)0x200001e1 = 0; *(uint8_t*)0x200001e2 = 0; *(uint8_t*)0x200001e3 = 0; *(uint8_t*)0x200001e4 = 0; *(uint8_t*)0x200001e5 = 0; *(uint8_t*)0x200001e6 = 0; *(uint8_t*)0x200001e7 = 0; *(uint8_t*)0x200001e8 = 0; *(uint8_t*)0x200001e9 = 0; *(uint8_t*)0x200001ea = 0; *(uint8_t*)0x200001eb = 0; *(uint8_t*)0x200001ec = 0; *(uint8_t*)0x200001ed = 0; *(uint8_t*)0x200001ee = 0; *(uint8_t*)0x200001ef = 0; *(uint8_t*)0x200001f0 = 0; *(uint8_t*)0x200001f1 = 0; *(uint8_t*)0x200001f2 = 0; *(uint8_t*)0x200001f3 = 0; *(uint8_t*)0x200001f4 = 0; *(uint8_t*)0x200001f5 = 0; *(uint8_t*)0x200001f6 = 0; *(uint8_t*)0x200001f7 = 0; *(uint8_t*)0x200001f8 = 0; *(uint8_t*)0x200001f9 = 0; *(uint8_t*)0x200001fa = 0; *(uint8_t*)0x200001fb = 0; *(uint8_t*)0x200001fc = 0; *(uint8_t*)0x200001fd = 0; *(uint8_t*)0x200001fe = 0; *(uint8_t*)0x200001ff = 0; *(uint8_t*)0x20000200 = 0; *(uint8_t*)0x20000201 = 0; *(uint8_t*)0x20000202 = 0; *(uint8_t*)0x20000203 = 0; *(uint8_t*)0x20000204 = 0; *(uint8_t*)0x20000205 = 0; *(uint8_t*)0x20000206 = 0; *(uint8_t*)0x20000207 = 0; *(uint8_t*)0x20000208 = 0; *(uint8_t*)0x20000209 = 0; *(uint8_t*)0x2000020a = 0; *(uint8_t*)0x2000020b = 0; *(uint8_t*)0x2000020c = 0; *(uint8_t*)0x2000020d = 0; *(uint8_t*)0x2000020e = 0; *(uint8_t*)0x2000020f = 0; *(uint8_t*)0x20000210 = 0; *(uint8_t*)0x20000211 = 0; *(uint8_t*)0x20000212 = 0; *(uint8_t*)0x20000213 = 0; *(uint16_t*)0x20000214 = 
0xc0; *(uint16_t*)0x20000216 = 0x110; *(uint32_t*)0x20000218 = 0; *(uint64_t*)0x20000220 = 0; *(uint64_t*)0x20000228 = 0; *(uint16_t*)0x20000230 = 0x50; memcpy((void*)0x20000232, "\x6d\x61\x6e\x67\x6c\x65\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00", 29); *(uint8_t*)0x2000024f = 0; *(uint8_t*)0x20000250 = 0; *(uint8_t*)0x20000251 = 0; *(uint8_t*)0x20000252 = 0; *(uint8_t*)0x20000253 = 0; *(uint8_t*)0x20000254 = 0; *(uint8_t*)0x20000255 = 0; *(uint8_t*)0x20000260 = 0; *(uint8_t*)0x20000261 = 0; *(uint8_t*)0x20000262 = 0; *(uint8_t*)0x20000263 = 0; *(uint8_t*)0x20000264 = 0; *(uint8_t*)0x20000265 = 0; *(uint8_t*)0x20000266 = 0; *(uint8_t*)0x20000267 = 0; *(uint8_t*)0x20000268 = 0; *(uint8_t*)0x20000269 = 0; *(uint8_t*)0x2000026a = 0; *(uint8_t*)0x2000026b = 0; *(uint8_t*)0x2000026c = 0; *(uint8_t*)0x2000026d = 0; *(uint8_t*)0x2000026e = 0; *(uint8_t*)0x2000026f = 0; *(uint32_t*)0x20000270 = htobe32(0); *(uint8_t*)0x20000274 = 0xac; *(uint8_t*)0x20000275 = 0x14; *(uint8_t*)0x20000276 = 0; *(uint8_t*)0x20000277 = 0xe; *(uint8_t*)0x20000278 = 2; *(uint32_t*)0x2000027c = 0; *(uint8_t*)0x20000280 = 0; *(uint8_t*)0x20000281 = 0; *(uint8_t*)0x20000282 = 0; *(uint8_t*)0x20000283 = 0; *(uint8_t*)0x20000284 = 0; *(uint8_t*)0x20000285 = 0; *(uint8_t*)0x20000286 = 0; *(uint8_t*)0x20000287 = 0; *(uint8_t*)0x20000288 = 0; *(uint8_t*)0x20000289 = 0; *(uint8_t*)0x2000028a = 0; *(uint8_t*)0x2000028b = 0; *(uint8_t*)0x2000028c = 0; *(uint8_t*)0x2000028d = 0; *(uint8_t*)0x2000028e = 0; *(uint8_t*)0x2000028f = 0; *(uint8_t*)0x20000290 = 0; *(uint8_t*)0x20000291 = 0; *(uint8_t*)0x20000292 = 0; *(uint8_t*)0x20000293 = 0; *(uint8_t*)0x20000294 = 0; *(uint8_t*)0x20000295 = 0; *(uint8_t*)0x20000296 = 0; *(uint8_t*)0x20000297 = 0; *(uint8_t*)0x20000298 = 0; *(uint8_t*)0x20000299 = 0; *(uint8_t*)0x2000029a = 0; *(uint8_t*)0x2000029b = 0; *(uint8_t*)0x2000029c = 0; *(uint8_t*)0x2000029d = 0; *(uint8_t*)0x2000029e = 0; *(uint8_t*)0x2000029f = 
0; *(uint8_t*)0x200002a0 = 0; *(uint8_t*)0x200002a1 = 0; *(uint8_t*)0x200002a2 = 0; *(uint8_t*)0x200002a3 = 0; *(uint8_t*)0x200002a4 = 0; *(uint8_t*)0x200002a5 = 0; *(uint8_t*)0x200002a6 = 0; *(uint8_t*)0x200002a7 = 0; *(uint8_t*)0x200002a8 = 0; *(uint8_t*)0x200002a9 = 0; *(uint8_t*)0x200002aa = 0; *(uint8_t*)0x200002ab = 0; *(uint8_t*)0x200002ac = 0; *(uint8_t*)0x200002ad = 0; *(uint8_t*)0x200002ae = 0; *(uint8_t*)0x200002af = 0; *(uint8_t*)0x200002b0 = 0; *(uint8_t*)0x200002b1 = 0; *(uint8_t*)0x200002b2 = 0; *(uint8_t*)0x200002b3 = 0; *(uint8_t*)0x200002b4 = 0; *(uint8_t*)0x200002b5 = 0; *(uint8_t*)0x200002b6 = 0; *(uint8_t*)0x200002b7 = 0; *(uint8_t*)0x200002b8 = 0; *(uint8_t*)0x200002b9 = 0; *(uint8_t*)0x200002ba = 0; *(uint8_t*)0x200002bb = 0; *(uint8_t*)0x200002bc = 0; *(uint8_t*)0x200002bd = 0; *(uint8_t*)0x200002be = 0; *(uint8_t*)0x200002bf = 0; *(uint8_t*)0x200002c0 = 0; *(uint8_t*)0x200002c1 = 0; *(uint8_t*)0x200002c2 = 0; *(uint8_t*)0x200002c3 = 0; *(uint8_t*)0x200002c4 = 0; *(uint8_t*)0x200002c5 = 0; *(uint8_t*)0x200002c6 = 0; *(uint8_t*)0x200002c7 = 0; *(uint8_t*)0x200002c8 = 0; *(uint8_t*)0x200002c9 = 0; *(uint8_t*)0x200002ca = 0; *(uint8_t*)0x200002cb = 0; *(uint8_t*)0x200002cc = 0; *(uint8_t*)0x200002cd = 0; *(uint8_t*)0x200002ce = 0; *(uint8_t*)0x200002cf = 0; *(uint8_t*)0x200002d0 = 0; *(uint8_t*)0x200002d1 = 0; *(uint8_t*)0x200002d2 = 0; *(uint8_t*)0x200002d3 = 0; *(uint8_t*)0x200002d4 = 0; *(uint8_t*)0x200002d5 = 0; *(uint8_t*)0x200002d6 = 0; *(uint8_t*)0x200002d7 = 0; *(uint8_t*)0x200002d8 = 0; *(uint8_t*)0x200002d9 = 0; *(uint8_t*)0x200002da = 0; *(uint8_t*)0x200002db = 0; *(uint8_t*)0x200002dc = 0; *(uint8_t*)0x200002dd = 0; *(uint8_t*)0x200002de = 0; *(uint8_t*)0x200002df = 0; *(uint8_t*)0x200002e0 = 0; *(uint8_t*)0x200002e1 = 0; *(uint8_t*)0x200002e2 = 0; *(uint8_t*)0x200002e3 = 0; *(uint8_t*)0x200002e4 = 0; *(uint8_t*)0x200002e5 = 0; *(uint8_t*)0x200002e6 = 0; *(uint8_t*)0x200002e7 = 0; *(uint8_t*)0x200002e8 = 0; *(uint8_t*)0x200002e9 = 
0; *(uint8_t*)0x200002ea = 0; *(uint8_t*)0x200002eb = 0; *(uint8_t*)0x200002ec = 0; *(uint8_t*)0x200002ed = 0; *(uint8_t*)0x200002ee = 0; *(uint8_t*)0x200002ef = 0; *(uint8_t*)0x200002f0 = 0; *(uint8_t*)0x200002f1 = 0; *(uint8_t*)0x200002f2 = 0; *(uint8_t*)0x200002f3 = 0; *(uint8_t*)0x200002f4 = 0; *(uint8_t*)0x200002f5 = 0; *(uint8_t*)0x200002f6 = 0; *(uint8_t*)0x200002f7 = 0; *(uint8_t*)0x200002f8 = 0; *(uint8_t*)0x200002f9 = 0; *(uint8_t*)0x200002fa = 0; *(uint8_t*)0x200002fb = 0; *(uint8_t*)0x200002fc = 0; *(uint8_t*)0x200002fd = 0; *(uint8_t*)0x200002fe = 0; *(uint8_t*)0x200002ff = 0; *(uint8_t*)0x20000300 = 0; *(uint8_t*)0x20000301 = 0; *(uint8_t*)0x20000302 = 0; *(uint8_t*)0x20000303 = 0; *(uint8_t*)0x20000304 = 0; *(uint8_t*)0x20000305 = 0; *(uint8_t*)0x20000306 = 0; *(uint8_t*)0x20000307 = 0; *(uint8_t*)0x20000308 = 0; *(uint8_t*)0x20000309 = 0; *(uint8_t*)0x2000030a = 0; *(uint8_t*)0x2000030b = 0; *(uint8_t*)0x2000030c = 0; *(uint8_t*)0x2000030d = 0; *(uint8_t*)0x2000030e = 0; *(uint8_t*)0x2000030f = 0; *(uint8_t*)0x20000310 = 0; *(uint8_t*)0x20000311 = 0; *(uint8_t*)0x20000312 = 0; *(uint8_t*)0x20000313 = 0; *(uint8_t*)0x20000314 = 0; *(uint8_t*)0x20000315 = 0; *(uint8_t*)0x20000316 = 0; *(uint8_t*)0x20000317 = 0; *(uint8_t*)0x20000318 = 0; *(uint8_t*)0x20000319 = 0; *(uint8_t*)0x2000031a = 0; *(uint8_t*)0x2000031b = 0; *(uint8_t*)0x2000031c = 0; *(uint8_t*)0x2000031d = 0; *(uint8_t*)0x2000031e = 0; *(uint8_t*)0x2000031f = 0; *(uint8_t*)0x20000320 = 0; *(uint8_t*)0x20000321 = 0; *(uint8_t*)0x20000322 = 0; *(uint8_t*)0x20000323 = 0; *(uint16_t*)0x20000324 = 0xc0; *(uint16_t*)0x20000326 = 0x110; *(uint32_t*)0x20000328 = 0; *(uint64_t*)0x20000330 = 0; *(uint64_t*)0x20000338 = 0; *(uint16_t*)0x20000340 = 0x50; memcpy((void*)0x20000342, "\x6d\x61\x6e\x67\x6c\x65\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00", 29); *(uint8_t*)0x2000035f = 0; *(uint8_t*)0x20000360 = 0; *(uint8_t*)0x20000361 = 0; 
*(uint8_t*)0x20000362 = 0; *(uint8_t*)0x20000363 = 0; *(uint8_t*)0x20000364 = 0; *(uint8_t*)0x20000365 = 0; *(uint8_t*)0x20000366 = 0; *(uint8_t*)0x20000367 = 0; *(uint8_t*)0x20000368 = 0; *(uint8_t*)0x20000369 = 0; *(uint8_t*)0x2000036a = 0; *(uint8_t*)0x2000036b = 0; *(uint8_t*)0x2000036c = 0; *(uint8_t*)0x2000036d = 0; *(uint8_t*)0x2000036e = 0; *(uint8_t*)0x2000036f = 0; *(uint8_t*)0x20000370 = 0xaa; *(uint8_t*)0x20000371 = 0xaa; *(uint8_t*)0x20000372 = 0xaa; *(uint8_t*)0x20000373 = 0xaa; *(uint8_t*)0x20000374 = 0; *(uint8_t*)0x20000375 = 0xaa; *(uint32_t*)0x20000380 = htobe32(0xe0000002); *(uint8_t*)0x20000384 = 0xac; *(uint8_t*)0x20000385 = 0x14; *(uint8_t*)0x20000386 = 0; *(uint8_t*)0x20000387 = 0xf; *(uint8_t*)0x20000388 = 0xf; *(uint32_t*)0x2000038c = 1; *(uint8_t*)0x20000390 = 0; *(uint8_t*)0x20000391 = 0; *(uint8_t*)0x20000392 = 0; *(uint8_t*)0x20000393 = 0; *(uint8_t*)0x20000394 = 0; *(uint8_t*)0x20000395 = 0; *(uint8_t*)0x20000396 = 0; *(uint8_t*)0x20000397 = 0; *(uint8_t*)0x20000398 = 0; *(uint8_t*)0x20000399 = 0; *(uint8_t*)0x2000039a = 0; *(uint8_t*)0x2000039b = 0; *(uint8_t*)0x2000039c = 0; *(uint8_t*)0x2000039d = 0; *(uint8_t*)0x2000039e = 0; *(uint8_t*)0x2000039f = 0; *(uint8_t*)0x200003a0 = 0; *(uint8_t*)0x200003a1 = 0; *(uint8_t*)0x200003a2 = 0; *(uint8_t*)0x200003a3 = 0; *(uint8_t*)0x200003a4 = 0; *(uint8_t*)0x200003a5 = 0; *(uint8_t*)0x200003a6 = 0; *(uint8_t*)0x200003a7 = 0; *(uint8_t*)0x200003a8 = 0; *(uint8_t*)0x200003a9 = 0; *(uint8_t*)0x200003aa = 0; *(uint8_t*)0x200003ab = 0; *(uint8_t*)0x200003ac = 0; *(uint8_t*)0x200003ad = 0; *(uint8_t*)0x200003ae = 0; *(uint8_t*)0x200003af = 0; *(uint8_t*)0x200003b0 = 0; *(uint8_t*)0x200003b1 = 0; *(uint8_t*)0x200003b2 = 0; *(uint8_t*)0x200003b3 = 0; *(uint8_t*)0x200003b4 = 0; *(uint8_t*)0x200003b5 = 0; *(uint8_t*)0x200003b6 = 0; *(uint8_t*)0x200003b7 = 0; *(uint8_t*)0x200003b8 = 0; *(uint8_t*)0x200003b9 = 0; *(uint8_t*)0x200003ba = 0; *(uint8_t*)0x200003bb = 0; *(uint8_t*)0x200003bc = 0; 
*(uint8_t*)0x200003bd = 0; *(uint8_t*)0x200003be = 0; *(uint8_t*)0x200003bf = 0; *(uint8_t*)0x200003c0 = 0; *(uint8_t*)0x200003c1 = 0; *(uint8_t*)0x200003c2 = 0; *(uint8_t*)0x200003c3 = 0; *(uint8_t*)0x200003c4 = 0; *(uint8_t*)0x200003c5 = 0; *(uint8_t*)0x200003c6 = 0; *(uint8_t*)0x200003c7 = 0; *(uint8_t*)0x200003c8 = 0; *(uint8_t*)0x200003c9 = 0; *(uint8_t*)0x200003ca = 0; *(uint8_t*)0x200003cb = 0; *(uint8_t*)0x200003cc = 0; *(uint8_t*)0x200003cd = 0; *(uint8_t*)0x200003ce = 0; *(uint8_t*)0x200003cf = 0; *(uint8_t*)0x200003d0 = 0; *(uint8_t*)0x200003d1 = 0; *(uint8_t*)0x200003d2 = 0; *(uint8_t*)0x200003d3 = 0; *(uint8_t*)0x200003d4 = 0; *(uint8_t*)0x200003d5 = 0; *(uint8_t*)0x200003d6 = 0; *(uint8_t*)0x200003d7 = 0; *(uint8_t*)0x200003d8 = 0; *(uint8_t*)0x200003d9 = 0; *(uint8_t*)0x200003da = 0; *(uint8_t*)0x200003db = 0; *(uint8_t*)0x200003dc = 0; *(uint8_t*)0x200003dd = 0; *(uint8_t*)0x200003de = 0; *(uint8_t*)0x200003df = 0; *(uint8_t*)0x200003e0 = 0; *(uint8_t*)0x200003e1 = 0; *(uint8_t*)0x200003e2 = 0; *(uint8_t*)0x200003e3 = 0; *(uint8_t*)0x200003e4 = 0; *(uint8_t*)0x200003e5 = 0; *(uint8_t*)0x200003e6 = 0; *(uint8_t*)0x200003e7 = 0; *(uint8_t*)0x200003e8 = 0; *(uint8_t*)0x200003e9 = 0; *(uint8_t*)0x200003ea = 0; *(uint8_t*)0x200003eb = 0; *(uint8_t*)0x200003ec = 0; *(uint8_t*)0x200003ed = 0; *(uint8_t*)0x200003ee = 0; *(uint8_t*)0x200003ef = 0; *(uint8_t*)0x200003f0 = 0; *(uint8_t*)0x200003f1 = 0; *(uint8_t*)0x200003f2 = 0; *(uint8_t*)0x200003f3 = 0; *(uint8_t*)0x200003f4 = 0; *(uint8_t*)0x200003f5 = 0; *(uint8_t*)0x200003f6 = 0; *(uint8_t*)0x200003f7 = 0; *(uint8_t*)0x200003f8 = 0; *(uint8_t*)0x200003f9 = 0; *(uint8_t*)0x200003fa = 0; *(uint8_t*)0x200003fb = 0; *(uint8_t*)0x200003fc = 0; *(uint8_t*)0x200003fd = 0; *(uint8_t*)0x200003fe = 0; *(uint8_t*)0x200003ff = 0; *(uint8_t*)0x20000400 = 0; *(uint8_t*)0x20000401 = 0; *(uint8_t*)0x20000402 = 0; *(uint8_t*)0x20000403 = 0; *(uint8_t*)0x20000404 = 0; *(uint8_t*)0x20000405 = 0; *(uint8_t*)0x20000406 = 0; 
*(uint8_t*)0x20000407 = 0; *(uint8_t*)0x20000408 = 0; *(uint8_t*)0x20000409 = 0; *(uint8_t*)0x2000040a = 0; *(uint8_t*)0x2000040b = 0; *(uint8_t*)0x2000040c = 0; *(uint8_t*)0x2000040d = 0; *(uint8_t*)0x2000040e = 0; *(uint8_t*)0x2000040f = 0; *(uint8_t*)0x20000410 = 0; *(uint8_t*)0x20000411 = 0; *(uint8_t*)0x20000412 = 0; *(uint8_t*)0x20000413 = 0; *(uint8_t*)0x20000414 = 0; *(uint8_t*)0x20000415 = 0; *(uint8_t*)0x20000416 = 0; *(uint8_t*)0x20000417 = 0; *(uint8_t*)0x20000418 = 0; *(uint8_t*)0x20000419 = 0; *(uint8_t*)0x2000041a = 0; *(uint8_t*)0x2000041b = 0; *(uint8_t*)0x2000041c = 0; *(uint8_t*)0x2000041d = 0; *(uint8_t*)0x2000041e = 0; *(uint8_t*)0x2000041f = 0; *(uint8_t*)0x20000420 = 0; *(uint8_t*)0x20000421 = 0; *(uint8_t*)0x20000422 = 0; *(uint8_t*)0x20000423 = 0; *(uint8_t*)0x20000424 = 0; *(uint8_t*)0x20000425 = 0; *(uint8_t*)0x20000426 = 0; *(uint8_t*)0x20000427 = 0; *(uint8_t*)0x20000428 = 0; *(uint8_t*)0x20000429 = 0; *(uint8_t*)0x2000042a = 0; *(uint8_t*)0x2000042b = 0; *(uint8_t*)0x2000042c = 0; *(uint8_t*)0x2000042d = 0; *(uint8_t*)0x2000042e = 0; *(uint8_t*)0x2000042f = 0; *(uint8_t*)0x20000430 = 0; *(uint8_t*)0x20000431 = 0; *(uint8_t*)0x20000432 = 0; *(uint8_t*)0x20000433 = 0; *(uint16_t*)0x20000434 = 0xc0; *(uint16_t*)0x20000436 = 0xe4; *(uint32_t*)0x20000438 = 0; *(uint64_t*)0x20000440 = 0; *(uint64_t*)0x20000448 = 0; *(uint16_t*)0x20000450 = 0x24; memcpy((void*)0x20000452, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00", 29); *(uint8_t*)0x2000046f = 0; *(uint32_t*)0x20000470 = 0xfffffffe; syscall(__NR_setsockopt, r[15], 0, 0x60, 0x20000040, 0x434); memcpy((void*)0x20000240, "/dev/qat_adf_ctl", 17); r[16] = syscall(__NR_openat, 0xffffff9c, 0x20000240, 0xfe, 0); *(uint32_t*)0x20000040 = 2; syscall(__NR_ioctl, r[16], 0x400454da, 0x20000040); syscall(__NR_epoll_create1, 0x80000); memcpy((void*)0x20000080, "/dev/qat_adf_ctl", 17); syscall(__NR_ioctl, r[16], 0x40042406, 
0x20000080); memcpy((void*)0x20632000, "./file0", 8); syscall(__NR_mkdir, 0x20632000, 0); memcpy((void*)0x2087a000, "./file0", 8); memcpy((void*)0x20014ff8, "./file0", 8); memcpy((void*)0x20014000, "proc", 5); memcpy((void*)0x20000000, "j", 1); syscall(__NR_mount, 0x2087a000, 0x20014ff8, 0x20014000, 0, 0x20000000); memcpy((void*)0x20fd5000, "./file0", 8); *(uint32_t*)0x20000000 = 0x20fd5000; memcpy((void*)0x20fd5000, "\x6e\x65\x74\x2f\x0c\x00\x00\x00\x00\x00\x04\x00\x00", 13); syscall(__NR_execveat, -1, 0x20fd5000, 0x20393fc8, 0x20000000, 0); memcpy((void*)0x20000000, "/dev/admmidi#", 14); r[17] = syz_open_dev(0x20000000, 0x20, 0x400000); r[18] = syscall(__NR_socket, 0x1a, 3, 0); *(uint16_t*)0x20000080 = 0x28; *(uint16_t*)0x20000082 = 0; *(uint32_t*)0x20000084 = 0xfffffffd; *(uint32_t*)0x20000088 = -1; *(uint32_t*)0x2000008c = 0; r[19] = syscall(__NR_accept4, 0xffffff9c, 0x20000080, 0x10, 0x7ff); *(uint32_t*)0x20000100 = r[17]; *(uint16_t*)0x20000104 = 0x200; *(uint16_t*)0x20000106 = 0; *(uint32_t*)0x20000108 = -1; *(uint16_t*)0x2000010c = 0x80; *(uint16_t*)0x2000010e = 0; *(uint32_t*)0x20000110 = r[18]; *(uint16_t*)0x20000114 = 8; *(uint16_t*)0x20000116 = 0; *(uint32_t*)0x20000118 = r[19]; *(uint16_t*)0x2000011c = 0x1000; *(uint16_t*)0x2000011e = 0; *(uint32_t*)0x20000120 = -1; *(uint16_t*)0x20000124 = 4; *(uint16_t*)0x20000126 = 0; syscall(__NR_poll, 0x20000100, 5, 0x200); *(uint32_t*)0x2000a000 = 2; *(uint32_t*)0x2000a004 = 0x78; *(uint8_t*)0x2000a008 = 0; *(uint8_t*)0x2000a009 = 0; *(uint8_t*)0x2000a00a = 0; *(uint8_t*)0x2000a00b = 0; *(uint32_t*)0x2000a00c = 0; *(uint64_t*)0x2000a010 = 0; *(uint64_t*)0x2000a018 = 0; *(uint64_t*)0x2000a020 = 0; STORE_BY_BITMASK(uint64_t, 0x2000a028, 0, 0, 1); STORE_BY_BITMASK(uint64_t, 0x2000a028, 0, 1, 1); STORE_BY_BITMASK(uint64_t, 0x2000a028, 0, 2, 1); STORE_BY_BITMASK(uint64_t, 0x2000a028, 0, 3, 1); STORE_BY_BITMASK(uint64_t, 0x2000a028, 0, 4, 1); STORE_BY_BITMASK(uint64_t, 0x2000a028, 0, 5, 1); STORE_BY_BITMASK(uint64_t, 
0x2000a028, 0, 6, 1); STORE_BY_BITMASK(uint64_t, 0x2000a028, 0, 7, 1); STORE_BY_BITMASK(uint64_t, 0x2000a028, 0, 8, 1); STORE_BY_BITMASK(uint64_t, 0x2000a028, 0, 9, 1); STORE_BY_BITMASK(uint64_t, 0x2000a028, 0, 10, 1); STORE_BY_BITMASK(uint64_t, 0x2000a028, 0, 11, 1); STORE_BY_BITMASK(uint64_t, 0x2000a028, 0, 12, 1); STORE_BY_BITMASK(uint64_t, 0x2000a028, 0, 13, 1); STORE_BY_BITMASK(uint64_t, 0x2000a028, 0, 14, 1); STORE_BY_BITMASK(uint64_t, 0x2000a028, 0, 15, 2); STORE_BY_BITMASK(uint64_t, 0x2000a028, 0, 17, 1); STORE_BY_BITMASK(uint64_t, 0x2000a028, 0, 18, 1); STORE_BY_BITMASK(uint64_t, 0x2000a028, 0, 19, 1); STORE_BY_BITMASK(uint64_t, 0x2000a028, 0, 20, 1); STORE_BY_BITMASK(uint64_t, 0x2000a028, 0, 21, 1); STORE_BY_BITMASK(uint64_t, 0x2000a028, 0, 22, 1); STORE_BY_BITMASK(uint64_t, 0x2000a028, 0, 23, 1); STORE_BY_BITMASK(uint64_t, 0x2000a028, 0, 24, 1); STORE_BY_BITMASK(uint64_t, 0x2000a028, 0, 25, 1); STORE_BY_BITMASK(uint64_t, 0x2000a028, 0, 26, 1); STORE_BY_BITMASK(uint64_t, 0x2000a028, 0, 27, 1); STORE_BY_BITMASK(uint64_t, 0x2000a028, 0, 28, 1); STORE_BY_BITMASK(uint64_t, 0x2000a028, 0, 29, 35); *(uint32_t*)0x2000a030 = 0; *(uint32_t*)0x2000a034 = 0xfffffffc; *(uint64_t*)0x2000a038 = -1; *(uint64_t*)0x2000a040 = 0; *(uint64_t*)0x2000a048 = 0x200000400; *(uint64_t*)0x2000a050 = 4; *(uint64_t*)0x2000a058 = 0; *(uint32_t*)0x2000a060 = 0; *(uint64_t*)0x2000a068 = 0; *(uint32_t*)0x2000a070 = 0; *(uint16_t*)0x2000a074 = 0; *(uint16_t*)0x2000a076 = 0; syscall(__NR_perf_event_open, 0x2000a000, 0, 0, -1, 0); memcpy((void*)0x20935000, "./file0", 8); syscall(__NR_mkdir, 0x20935000, 0); *(uint32_t*)0x20d2af88 = 2; *(uint32_t*)0x20d2af8c = 0x78; *(uint8_t*)0x20d2af90 = 0xe2; *(uint8_t*)0x20d2af91 = 0; *(uint8_t*)0x20d2af92 = 0; *(uint8_t*)0x20d2af93 = 0; *(uint32_t*)0x20d2af94 = 0; *(uint64_t*)0x20d2af98 = 0; *(uint64_t*)0x20d2afa0 = 0; *(uint64_t*)0x20d2afa8 = 0; STORE_BY_BITMASK(uint64_t, 0x20d2afb0, 0, 0, 1); STORE_BY_BITMASK(uint64_t, 0x20d2afb0, 0, 1, 1); 
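STORE_BY_BITMASK(uint64_t, 0x20d2afb0, 0, 2, 1); STORE_BY_BITMASK(uint64_t, 0x20d2afb0, 0, 3, 1); STORE_BY_BITMASK(uint64_t, 0x20d2afb0, 0, 4, 1); STORE_BY_BITMASK(uint64_t, 0x20d2afb0, 0xff, 5, 1); STORE_BY_BITMASK(uint64_t, 0x20d2afb0, 0, 6, 1); STORE_BY_BITMASK(uint64_t, 0x20d2afb0, 0, 7, 1); STORE_BY_BITMASK(uint64_t, 0x20d2afb0, 0, 8, 1); STORE_BY_BITMASK(uint64_t, 0x20d2afb0, 0, 9, 1); STORE_BY_BITMASK(uint64_t, 0x20d2afb0, 0, 10, 1); STORE_BY_BITMASK(uint64_t, 0x20d2afb0, 0, 11, 1); STORE_BY_BITMASK(uint64_t, 0x20d2afb0, 0, 12, 1); STORE_BY_BITMASK(uint64_t, 0x20d2afb0, 0, 13, 1); STORE_BY_BITMASK(uint64_t, 0x20d2afb0, 0, 14, 1); STORE_BY_BITMASK(uint64_t, 0x20d2afb0, 0, 15, 2); STORE_BY_BITMASK(uint64_t, 0x20d2afb0, 0, 17, 1); STORE_BY_BITMASK(uint64_t, 0x20d2afb0, 0, 18, 1); STORE_BY_BITMASK(uint64_t, 0x20d2afb0, 0, 19, 1); STORE_BY_BITMASK(uint64_t, 0x20d2afb0, 0, 20, 1); STORE_BY_BITMASK(uint64_t, 0x20d2afb0, 0, 21, 1); STORE_BY_BITMASK(uint64_t, 0x20d2afb0, 0, 22, 1); STORE_BY_BITMASK(uint64_t, 0x20d2afb0, 0, 23, 1); STORE_BY_BITMASK(uint64_t, 0x20d2afb0, 0, 24, 1); STORE_BY_BITMASK(uint64_t, 0x20d2afb0, 0, 25, 1); STORE_BY_BITMASK(uint64_t, 0x20d2afb0, 0, 26, 1); STORE_BY_BITMASK(uint64_t, 0x20d2afb0, 0, 27, 1); STORE_BY_BITMASK(uint64_t, 0x20d2afb0, 0, 28, 1); STORE_BY_BITMASK(uint64_t, 0x20d2afb0, 0, 29, 35); *(uint32_t*)0x20d2afb8 = 0; *(uint32_t*)0x20d2afbc = 0; *(uint64_t*)0x20d2afc0 = 0x20000000; *(uint64_t*)0x20d2afc8 = 0; *(uint64_t*)0x20d2afd0 = 0; *(uint64_t*)0x20d2afd8 = 0; *(uint64_t*)0x20d2afe0 = 0; *(uint32_t*)0x20d2afe8 = 0; *(uint64_t*)0x20d2aff0 = 0; *(uint32_t*)0x20d2aff8 = 0; *(uint16_t*)0x20d2affc = 0; *(uint16_t*)0x20d2affe = 0; syscall(__NR_perf_event_open, 0x20d2af88, 0, 0, -1, 0); *(uint32_t*)0x20000080 = 4; syscall(__NR_getsockopt, -1, 0x101, 7, 0x20000040, 0x20000080); syscall(__NR_ftruncate, -1, 0); }

/*
 * Reproducer entry point.
 *
 * Maps the fixed 16 MiB scratch region starting at 0x20000000 that loop()
 * fills through hard-coded addresses, remembers the starting working
 * directory, and then calls loop() forever. Every iteration first returns to
 * the starting directory and lets use_temporary_dir() create and enter a new
 * ./syzkaller.XXXXXX directory.
 *
 * main() does not remove those directories, so they accumulate under the
 * starting directory for as long as the program runs. The only way out of
 * main() is fail(), which terminates the process.
 */
int main()
{
  /*
   * prot 3 is PROT_READ|PROT_WRITE; flags 0x32 decode as
   * MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS with the x86 Linux values.
   * Without the mapping the first store in loop() would fault with no
   * diagnostic, so report the failure through fail() like the other
   * helpers in this file do.
   */
  if (syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0) == -1)
    fail("failed to mmap scratch region");

  /* get_current_dir_name() returns NULL on error; never pass that to chdir(). */
  char* cwd = get_current_dir_name();
  if (!cwd)
    fail("failed to get current directory");

  for (;;) {
    /* Go back to the starting directory so temporary directories do not nest. */
    if (chdir(cwd))
      fail("failed to chdir");
    use_temporary_dir();
    loop();
  }
}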