? github.com/google/syzkaller/dashboard/app [no test files] ? github.com/google/syzkaller/dashboard/dashapi [no test files] ? github.com/google/syzkaller/executor [no test files] ok github.com/google/syzkaller/pkg/ast (cached) ? github.com/google/syzkaller/pkg/bisect [no test files] ok github.com/google/syzkaller/pkg/build 2.934s ok github.com/google/syzkaller/pkg/compiler 4.682s ok github.com/google/syzkaller/pkg/config (cached) ? github.com/google/syzkaller/pkg/cover [no test files] --- FAIL: TestGenerate (8.55s) --- FAIL: TestGenerate/linux/amd64 (0.10s) csource_test.go:68: seed=1556071090334189682 --- FAIL: TestGenerate/linux/amd64/34 (3.55s) csource_test.go:116: opts: {Threaded:true Collide:false Repeat:true RepeatTimes:0 Procs:0 Sandbox:none Fault:false FaultCall:0 FaultNth:0 EnableTun:false EnableNetDev:false EnableNetReset:false EnableCgroups:false EnableBinfmtMisc:false EnableCloseFds:false UseTmpDir:true HandleSegv:true Repro:false Trace:false} program: ioctl$LOOP_SET_STATUS(0xffffffffffffffff, 0x4c02, &(0x7f0000000000)={0x0, 0x0, 0x0, 0x0, 0x2800000, 0x2, 0x10, 0x0, "ffc1da952ba3a320aeeece1379968b8e38f411eaec6b0496259bfdfca60bfcaabbea1b0c0b172daefcd6f97e2707b72cf95fc79452d0118d6734ef3c00c3c6b5", "7ccfeaa9087c49877bde39b9cdd4f8984ee20bc56cf035e7883e5dee71d189f6", [0x9, 0x5]}) ioctl$UI_SET_RELBIT(0xffffffffffffffff, 0x40045566, 0x7) setsockopt$EBT_SO_SET_COUNTERS(0xffffffffffffffff, 0x0, 0x81, &(0x7f0000000140)={'filter\x00', 0x0, 0x0, 0x0, [], 0x2, &(0x7f00000000c0)=[{}, {}, {}, {}, {}, {}, {}, {}], 0x0, [{}, {}]}, 0x98) ioctl$IOC_PR_PREEMPT_ABORT(0xffffffffffffffff, 0x401870cc, &(0x7f0000000200)={0x3ee, 0x31, 0x80000000, 0x101}) syz_genetlink_get_family_id$ipvs(&(0x7f0000000240)='IPVS\x00') getsockopt$inet_sctp_SCTP_RESET_STREAMS(0xffffffffffffffff, 0x84, 0x77, &(0x7f0000000280)={0x0, 0xfffffffffffffffd, 0x4, [0xff, 0x5, 0x8, 0x20]}, &(0x7f00000002c0)=0x10) ioctl$EVIOCGABS2F(0xffffffffffffffff, 0x8018456f, &(0x7f0000000300)=""/87) ioprio_set$uid(0x3, 0x0, 0x0) syz_mount_image$vfat(&(0x7f0000000380)='vfat\x00', &(0x7f00000003c0)='./file0\x00', 0xf61f, 0x3, &(0x7f0000000700)=[{&(0x7f0000000400)="885c0e8e129ee281e4fd0e1d58efce8fc772599890fac820a639a1c3deadb1b707892bf50123c651dcfa6e06161e97490907ac31a026c2f0859b37db10e02ef6c1a28566f0f984a2d614c2f22eb4193d4af2119d06c913c5930a83d0791cd20dc7557d5acba0fc5a6af124719fa314ddafd66659fe8a569be0165ad41eec9fe51daa7ef1eeb6578b0e70a922c70038451c5aead2edb5e580cdb90e983b18e049ff376ba6c5a5ebefc6f568214fabd15f5b59f8cd22e59043a5d5cd62cfaa65772e0f50764e205d1a5ece1024cb84b1397fff7c797528c2fee3b22938f54e", 0xde, 0x4b}, {&(0x7f0000000500)="611974b663b94f0b8420acfb97f1eebfa7e14175c35d4d21b933ecbc0dff1367541721d4cdc73c508bac038b126b2c0a8d4f76330257e2ce0b89ed997981594910cce37ba67ec3a658154cb721893024f884102c45f06eb9fd3fce8d622fa0144b0709277a387f0dbb691fa70dfe51bd3e8561aea131e6e08d303d4a1f48cbd75c07867a20bd5fc002d341960ae6ca61d7ef9594c7914e92e3f0286df1e7377f6886cc815f6b43879de2c3b57a9caaa072981a87d6d1c3d632c44362a1fee714ac141f892025a24dd085fffb325c7f0fb26b95e0112acbf458db3a92b29bf7de299287e092cec0df4dff6d6d3fe71faa54", 0xf1, 0x6}, {&(0x7f0000000600)="d1ac32d43e26b3d3eb8ff29cfb32c1a0c2c5476b860515f93d5130b8a48c6567c25d6992a132166b7ffd5d7736bd5dcad60b4b2f69b1de6748e559fb5de26fae2419c7757a17b142a3062d28a475cada47fdf0840bf30643397ae340476cd6b8893b48fddba320cc34f6c065ee4ec266e1240cd7f53994f14c316e7708a1605e951877aebaace1d2a13c937e0790ff75a8ff8ad6da1a11ec7e95a94a58ce6f16c78bff36982dad1c3dd15e9cabe529979beb9d590d18aa270403bea892409939493f672aa674204c76875a0cb68bea002125", 0xd2, 0x3}], 0x10, &(0x7f0000000780)={[{@uni_xlate='uni_xlate=1'}, {@shortname_winnt='shortname=winnt'}, {@utf8='utf8=1'}, {@utf8no='utf8=0'}, {@shortname_win95='shortname=win95'}, {@shortname_win95='shortname=win95'}, {@shortname_win95='shortname=win95'}, {@utf8='utf8=1'}, {@shortname_winnt='shortname=winnt'}], [{@appraise_type='appraise_type=imasig'}, {@appraise='appraise'}, {@euid_gt={'euid>'}}, {@smackfshat={'smackfshat', 0x3d, '*+)'}}]}) ioctl$FLOPPY_FDEJECT(0xffffffffffffffff, 0x25a) syz_emit_ethernet(0x26, &(0x7f0000000000)={@empty, @link_local={0x1, 0x80, 0xc2, 0x0, 0x0, 0xe}, [], {@llc_tr={0x11, {@snap={0xab, 0xaa, '2', "4f5ec5", 0xed7f, "55cabf46e023d4f9e55cc17e890ff8c6"}}}}}, 0x0) syz_execute_func(&(0x7f0000000040)="c4e1a9fc5bb08f899894656f6d98479747804e830c363e65360f750c8b66664a0f3a223d0a000000056692c4c119e28802000000") syz_extract_tcp_res(&(0x7f0000000080), 0x3, 0x2) syz_genetlink_get_family_id$SEG6(&(0x7f00000000c0)='SEG6\x00') syz_init_net_socket$ax25(0x3, 0x7, 0x1) syz_kvm_setup_cpu$arm64(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000fe5000/0x18000)=nil, &(0x7f0000000140)=[{0x0, &(0x7f0000000100)="315f6ff52a34436eb42e30b8ad62fcfb8456bc0d4092342fc90f395798cd462299cc9c337bc7bc5a198cc14cc842060b88c0", 0x32}], 0x1, 0x0, &(0x7f0000000180)=[@featur1={0x1, 0x6}], 0x1) syz_mount_image$bfs(&(0x7f00000001c0)='bfs\x00', &(0x7f0000000200)='./file0\x00', 0xffffffffffff21d8, 0x1, &(0x7f0000000300)=[{&(0x7f0000000240)="b17961e3909ff6624ab03ca4715513ca7cd344b6a1fcae08d2ac66ecec98365d8d07c070d467529ba99e346388c8cd5ac685b3655661f7d4679e76c53f18f12c97e0939e82b86f48024b6322b88d66d4d45ffe3ab742c8d9110435e2c50beea24120064787e5fd49cbb470e9cf6268631eaff31506d20e1ea2cc2859744f41140ba0c5a507ef19a4f65e789d9c9ca258bb9fd5fd0374101ec4e094879d61b4ecf24f80804be4416d391e9f79269d8632d94270e36d1a18a1210acad39b65", 0xbe, 0x7}], 0x2200000, 0x0) syz_open_dev$CDROM_DEV_LINK(&(0x7f0000000340)='/dev/cdrom\x00', 0x2, 0x24040) r0 = syz_open_procfs(0x0, &(0x7f0000000380)='environ\x00') syz_open_pts(r0, 0x420000) syz_read_part_table(0x60, 0x6, &(0x7f00000006c0)=[{&(0x7f00000003c0)="7b4f4befea536d1b520c389edf029ae0435ed89d14f8a41455b16fdfaf31faa92a760993f9bd34a38ab548015c927fbb7be8e5e28f3f45c43f262cdaf534dbfcadbd6752c5ae91e849ec28c0ec4cbf4789a292ed66b9c873d21769dda3c840aaeb32", 0x62, 0x8}, {&(0x7f0000000440)="235572df6e243225c0560d797d60d45f46378fca358264f5002ce4a77bd3dbad37ffc5e03044b15821399c13f9c17d7c4eaea5b55f07e75e35a9c9ec4f0edbc6d54bcce39cef33faad333a53fee727a8", 0x50, 0x9}, {&(0x7f00000004c0)="cb1a4e2bfe1877da08a8e72cd9c577cb2e7b7c11a53287d878eceb0afb2d27ea4811a910bf8f7e745dd92315ad42a5fae4a5d7c9a54e1d8d944fc0fecb38fedce83c4d8537af58781b1fcf88101566dab71eb83365134b9f7923e56e9a1d9f065875be", 0x63, 0x4}, {&(0x7f0000000540)="e09f975d93f7a4aecdc6", 0xa, 0x8}, {&(0x7f0000000580)="8158f560c5dd15b582150b06011f58b2ee26bd77e208357e144bc0b327998cbf74d0e28efcfa51d421256961d22b1ad6979b5442a18e7cd18e15f151b297c179683c5c4169e9c6bd04154c2ac7c14cde6eec583c42d5c9677f805019073f35ffcd20a7b5f817af8331707b983842bc66a0d14d409a86e0ed1812ee9a72fe7f63b1a1b8fcee6db2f0fc1365031c096d4debab26972eaa53ff4b75cacde8c4d70a508ff7756ae1354d8a2f48feb032ed3c2d1f06ceec904f01c2b4b6edf612f976c66d69e27a", 0xc5, 0x61}, {&(0x7f0000000680)="31b174ebbd887e5d33218ef370cef8f241bd55bb", 0x14}]) r1 = syz_usb_connect(0x2, 0x446, &(0x7f0000000780)={0x12, 0x1, 0x7, 0x8a, 0xcf, 0x80, 0x4, 0x4e8, 0x4471, 0x6528, 0x4, 0xffffffff80000001, 0x67, 0x1, [{0x9, 0x2, 0x434, 0x1, 0x4e, 0x8000, 0x40, 0x9, [{0x9, 0x4, 0x6a, 0x1, 0xa, 0xd6, 0xf8, 0x9b, 0x0, [@usb_cdc={[@mdlm={0x15, 0x24, 0x12, 0xfffffffffffffa8c, "776bc3d15ad3efe819ca7db7839afa86"}, @country_functional={0xa, 0x24, 0x7, 0x7, 0xff, [0x3, 0x1]}, @mbim={0xc, 0x24, 0x1b, 0x1, 0x2, 0x80, 0x23c6, 0x81, 0xffffffff}, @network_terminal={0x7, 0x24, 0xa, 0x1, 0x1, 0x7, 0xe3}, @ncm={0x6, 0x24, 0x1a, 0xa2, 0x100}, @mbim_extended={0x8, 0x24, 0x1c, 0x20, 0xb2f3, 0x401}, @mbim={0xc, 0x24, 0x1b, 0x3, 0xfff, 0xff, 0x80000001, 0x101, 0x7}, @header={0x5, 0x24, 0x0, 0x100000001}]}], [{0x7, 0x5, 0x1, 0x13, 0x320, 0x1, 0x0, 0x5, [@generic={0x5e, 0x22, "5f96025f20856ad311a3c3c3e0f0831018d726cd9c159cce185fb394f5d7a83968bc4e9cd247a963729f02f56f838b84d94c16910641fca98dd711ea868a7cb35955291940c4bd17721c46181a822745b100c1633a92e45d8ea21be4"}]}, {0x7, 0x5, 0x5, 0x0, 0xa4d5, 0x4, 0x0, 0x4, [@generic={0x69, 0x5, "ede138d2efb4dcc6cfa7dcea8f6fcac1524b0b19862644355eacb386a89eada8850b3a79ac10bc2d9f622fd3e86cc8d5b6a43bfaae41afea715d7060569556b8f7e04fe5b01f90bd9336ccc07d0f4c42dc1d2a07386581643fccc0740d0f522cdcac3690322f0f"}]}, {0x7, 0x5, 0x8, 0x0, 0x5, 0x0, 0xf8, 0x5}, {0x7, 0x5, 0xfff, 0x0, 0x9, 0xfff, 0x7fff, 0xffffffff, [@generic={0x81, 0x15, "7f481047cd7cdd40d7eb7ceeff10bd0532e2cfd3238463f4597ccb8ed3e6c12b54804afc4abb5b119ac8cc6ab355ebeb18c98cec770dac26a1925a8829bd63b05f6a4ace4d3f788b2d9a8e3bad9ec6b1822029df1fe27c208a411eadf2871fffb00cdcb143e7ba21c8e76ca41a535432937936bd7e57e38cd0038fb480ad0d"}]}, {0x7, 0x5, 0x0, 0x2, 0x1, 0x4, 0x1, 0x4}, {0x7, 0x5, 0x8000, 0x4, 0x3, 0x8, 0x7, 0x6}, {0x7, 0x5, 0x1000, 0x4, 0xdb71, 0x4501, 0x0, 0x86c9, [@generic={0x4a, 0xd, "106fa2e03ebf1d8fee72d34b97aad2375e29b28d004958eb7e0b73163019657a65e1db0cb397583825d28797f6f7671c5c713c6a3b64add1aee18e2996fcd025867a7b33432bcd3f"}, @generic={0x3, 0xe, "f4"}]}, {0x7, 0x5, 0x2, 0x0, 0x1f, 0x0, 0x4, 0x9c30, [@generic={0xe0, 0x0, "c424e8b2f3eae82a0df4482a2321231f4fa26e01f9d657afb33384c88d881ec638ce646d7a1e1185e4de116ba4afc04fd8017e293dd0c4f2ee12916a5aff34b07b686f95a68218cfba8ab2136aacf289f35112568df7cfc9c421a66d5d2365efeedab066020232f82a6eda52796d04d633db4b8287e40ea0f807ce9729bea02c40492916ee3842dda15112925ecf6b6696243946e608fc8f8c2dcc7c84a86605f898359f6d759f9164092ae19ff8db38fecfdd6682f3b671f57a70e625ee73f02d3890438fc8570296ff0858b226ec8964a00f4f986cf4248c0e538011f0"}]}, {0x7, 0x5, 0x200, 0x10, 0x7, 0xffff, 0x2, 0x9, [@generic={0x63, 0xd, "0e02c3684a55bc2ebdd97bd905eb5ba265bf9d70d8e73bcbf97a0cf3f546a3b296c87ec5652b96745ed848d884688293e0fe364788c4dbd0ca2a35309c385c852720bb9858edb052c3f0d5a5ce81eff4f49c2f34bdc56e813b3434948b126c7072"}, @generic={0x52, 0x2, "e321577a39d4a9d6a8fb794d6ea64c4b7ea06eccb02a832e17671b8516988f4d06d32bb0f4dc59963a3c43fe9092b1c4593ac9b2e071fd20a35500530ff0d1a5dfe092c2f545d8c77d6265e3b1c2469d"}]}, {0x7, 0x5, 0x9, 0xf, 0x2, 0x6, 0x3242, 0x8000, [@generic={0x4d, 0x0, "1c9ce7493780aa229b9080920e513226bd8e92222a5f7acd31f0ba2a257292f23b3fcf78cb3bd22f3e5f5f79bb056dba472796efe24cb396d936ec167026bf4f376e7ffe017d389c1f0187"}]}]}]}]}, &(0x7f0000001200)={0xa, &(0x7f0000000c00)={0xa, 0x6, 0x265f, 0x9, 0x3, 0x8, 0x70b, 0x9137}, 0x2b, &(0x7f0000000c40)={0x5, 0xf, 0x2b, 0x2, [@ssp_cap={0x1c, 0x10, 0xa, 0x5, 0x4, 0x9, 0xf000, 0x3, [0xc0, 0xffc00f, 0xff0000, 0xcf]}, @ss_cap={0xa, 0x10, 0x3, 0x2, 0xc, 0x3, 0x5, 0x2}]}, 0x7, [{0xa9, &(0x7f0000000c80)={0xa9, 0x3, 0x0, "57c205cfe2c516604c3b766da575a569644f32fae2f723d8b5f34b4c3eb628e433b278e3646716a9ecb47760211a5adc95d07db7d28cfe9ca090af771a657fdec25ebd50dc881d3a4ecd86588cd446138b60454c32249977d5654c26a643f7858ba786d293322d2486348a5b6c29ccf229f44ff9752ff5416d45abb8542dd250a6f496b1490f7f9886e2550b480023767a10350fe8a463a38a10d1b8ad0f2f9ae230b76ea1"}}, {0x50, &(0x7f0000000d40)={0x50, 0x3, 0x2c0b, "8ca552e1010f56e30b2cdcc1950d64951357cbafef05cde4cb7caceae4ff66b4dedf350b97445860ff9a97b331b8524b9e578e4ba3ef31d91bf2cc54adf486640082a058384cbd2023d05bf6"}}, {0x60, &(0x7f0000000dc0)={0x60, 0x3, 0x420, "88accdfc3e4437b9da65cf46d3f965944cb6a2ff1782dccfcd77aba13901b7d5d4c2cf928e9be5289915a3c6788ad1badcaef131d30d63f56b54e52cd245dd0aac37983de8258ee9a664da270f42d874fc9b004e6d1acffea8084f0a"}}, {0xa4, &(0x7f0000000e40)={0xa4, 0x3, 0x542f, "42156a1cb546dfe99c88d04d0809ecb545f574c195db38b1728ac1245e40f7e972d67e224d37539607afe7e4dfe1e68ba6bdfb0d4d115ae6f5f55f82805c52abcfed9a2335336c492ea23eec145774fc344802c4b42ac01bb4e271ff38451c41dfceae46fe0b00f46ddd5019c585f6169cbdc7173042c41beb7c24059f844306c357627dd233d23240c17428260f219c8b9b3bb08a3594610fe31c92c3ebaa67"}}, {0xee, &(0x7f0000000f00)={0xee, 0x3, 0x0, "bc6de1f6246549ca116671fec263c45ef27e3a578c0c6cf39e2917764e968578d602f8eddc6bb0462e4382e9f3dbfd45c3835e789749f5f3248990c7998f52569903b9d24862b7ecdd8487f1ac30c81893060bb4999a7acc7dc665cd660b7515aec5afd6aa936628983dc31aca5e680284951280bc83c6ec6e53cceee22839f6fd530b4f1f92a1151283e80e770fd1c551b916e67245a22fbe6ea9e10bc893a59d2e2c0880bfc8cd8e774546c3ff705cdaaf40b42de673e6eaa72a59cf374f0f96e9e8a70b664e31ba4b37203cf4f2b7602ec6be8445af76cf06953444aa6c3c8bc43e62f6353aae6ce7"}}, {0xdf, &(0x7f0000001000)={0xdf, 0x3, 0xf4ff, "a3a4df95b04674f0d59840b42f4cad9c896e73c5fb014b5a5d10e301f72102f54def1439d0df4b3c7b6e4ea95e58331836c1180437f78a1710e54ab731294e96456bb653365f1c9ddcbf2faa394ae85ffb37a12e3fe1a9b498f485da760fbe7d2ed00e84e81bc9beab8696985f66ff7149e6511ccc9449429c348221b6e7c666ac7f5535bb27d9a94363730cc9fc20e43b9931b71d41612fe44d7d1f22cf98e85accca3952fba876f81e74acec61fbef5b6fe0a27e2b8878dfb4d1e3b00b74703caf750f6dd08cb06378454f467638110136f05f9c309c9e1a6413"}}, {0xcf, &(0x7f0000001100)={0xcf, 0x3, 0x0, "69a6461b2d22b542892b454e68deaea36327950276c3904191bbc62280ba9de577928d5a3cd4038a17a6bad40f84a0c7b7fb5491e58f76b489c300d0e42f1e9bc2b49006dbcff9a05c1ce3f665fe530f12750b4f6c9d1254acb112c449d4581dd6465b0afb4eec95e3181de972eac2be6c7ad8efc1fb574e66f5c40c492e04f1be234c968d12dcd504de41485705e2e3789b20eb5a198b2270e5881699be8c7eb5d9f046e40b97d822ad5924aed5a3d25dc583783d10cc8441a9378f2874b72d308c5540ae09fabe37a417"}}]}) syz_usb_control_io(r0, &(0x7f0000001740)={0x34, &(0x7f0000001280)={0x40, 0xa, 0xe5, {0xe5, 0x9, "f8ef8355c97fa960e11e03a2d80e4c31eb570ecb7bcae558f6f494c7225eb3681f7ec6535a10dacb58943c6d7fb9c9033b99c5144f7dfe644e50f34592e504ab57cf59d53759f54f893b5dae4420049f829703fb73816a15c3b2863a9ee6fbbb3e5eae03985ae9b88b3b85eaf46fdc3dfb0bed93137c12bc238399bf894512e5a1e2bcc0e83cd702accb8d5884b34273623060e46ef9ff4b4d8e679e012b1f63b1d0f08e1b2511bae6b87365831e4de1e86fecb906d6634b4d53d2f7b16bff369695fa701943e049b2f54e96ba11e7d1fc1b7c23dade8272451b0f89b0fce395daec8c"}}, &(0x7f0000001380)={0x0, 0x3, 0x8b, {0x8b, 0x3, 0x408, "70eecf5ecc37ea63a1ef43111a26e15ad0b25996a1c2879899db3d59956eb26a5e7bdbf208f3b225952406777f6770c78e9e59d7933525da2fbb81d744c6053c318dc57f40a0159803cc44737ddf73b4b36006a7d2b4727934b739c13cdef954a9c0d4e810108d2437832bb9e86469bfc5ead2bdb1f1904fe610494abaf7a227c5e8769a3b1797"}}, &(0x7f0000001440)={0x0, 0x22, 0x235, {[@short=@item_4={0x3, 0x3, 0xa, "fef33e95"}, @long={0x3, 0x7, 0xf, 0xe3, 0x0, "7377870bbd91a0914220e5dfef1777ed47069f430984ec154663f29210aeda665ab38eeb0940d9817a27f58af91dda88cc089dfc3b629f5c66470301d89d49ea42ab83dd8db5a1cfcb94f1c40c36be91ff9540c4506d3403878961a0bddeec28538179f72cb07c792e121cf45a49c638a5ce855a722cc43d484d7982fbdc12bb09c1c56f2f2c3fe81454cc39edfe4afeb8d15f9b2e3d139aeb64dd50d046f25e7064b9676c3bbc6a621a1bc0efa910563a715c9659805400c519ad65aca2c720f5ee417435f38ede7ffc3351f4097da78d4daa62494688c367c3e109e3dde85eb18b13"}, @short=@item_012={0x0, 0x3}, @long={0x9, 0x0, 0xf, 0x96, 0x2, "d6c633415e0b79a5593713a5d0b8abd17d5b47ccfd3f8740e97e72af7be8bb870959cc377350e549ed4d4f0c8869f30d78a4947b5e6c6e96d1c8f529c81ce085afb95fe5381bf08d15e7797f06ab2ae85ae039812f28504734386f661e756d8e40109efb9ba188b480046fafddb66ea68ab21268f0deb2306ad542b9b2f1aba4e8a5bf809635fab979b992720d2b2304a6b9e1218d7f"}, @short=@item_012={0x2, 0x2, 0x1, 'X#'}, @long={0x4, 0x0, 0xf, 0xaa, 0x5, "524aff9a4c8b8278b35007595cba6fec443ba35d4e83af269f520aba720527041a9fa1ae04cc12d210d4271d3f57162fbd0ca3df89cfda354f1f25810d4c75633c39e365209ab1d9da6f53a46bf6996c8c0c50f2142174d01add0133f38ab6e65b4b29fb719335e71a0db7d0fc39327ace58bfc433757fac80921fe9ea206085a7a8cf4af54c71d606eb20899d7d33d0bb33bfe1f4416aa02425cbf8707c49eb5d5cf37e3336a6eb81ca"}]}}, &(0x7f0000001680)={0x0, 0xf, 0x19, {0x5, 0xf, 0x19, 0x1, [@ssp_cap={0x14, 0x10, 0xa, 0x81, 0x2, 0x20, 0xf00, 0x7, [0x0, 0x3fcf]}]}}, &(0x7f00000016c0)={0x0, 0x29, 0xf, {0xf, 0x29, 0x80000000, 0x18, 0x4c48, 0x1ff, "915b5bb0", "9372e9c8"}}, &(0x7f0000001700)={0x0, 0x2a, 0xc, {0xc, 0x2a, 0xa9, 0x19, 0xfffffffffffffffb, 0x4, 0x3, 0x8001, 0x9}}}, &(0x7f0000001ac0)={0x54, &(0x7f0000001780)={0x20, 0x15, 0xde, "b64cffff456423beb3dc6688665f86abf2264e1857720da0fb4fe6abc08bfa90285d221c7d0799f03c15f2ba813f9dcd3b1e74927454c1b6f3322dda346c52d0a33c34ac013e348856675ef95cfe66457fbf6403d876a5d3dd7b6fde757ab1061c0f622c094bd863886d433b1f2bbf38c3979bc855ec1b5a712dc9a4af456e97900b697486a477cb089de28230459ecab35c912d159e4fb091eeb87e0a4b90f7aea9fb2b4469ac1e0a64fc6f0327488168143b673ffc9ebdfe4446e90050afa50520b078e766403e613f2f7d38d76b4ee30b970828dea109e2cadc8bd93d"}, &(0x7f0000001880), &(0x7f00000018c0)={0x20, 0xa, 0x1, 0x3}, &(0x7f0000001900), &(0x7f0000001940)={0x20, 0x8, 0x1, 0x400}, &(0x7f0000001980)={0x20, 0x0, 0x4, {0x1, 0x1}}, &(0x7f00000019c0)={0x20, 0x0, 0x8, {0x100, 0x20, [0xf]}}, &(0x7f0000001a00)={0x40, 0x1, 0x3, "2fd325"}, &(0x7f0000001a40)={0x40, 0x9, 0x3, "48be0d"}, &(0x7f0000001a80)={0x20, 0x80, 0x1c, {0x5, 0xffffffffffffffff, 0x1, 0x2, 0x7e, 0x5, 0x3, 0x342c, 0x6, 0x999, 0x3, 0xab}}}) syz_usb_disconnect(r1) syz_usb_ep_write(r1, 0x13, 0xb7, &(0x7f0000001b40)="a6ee5097fbb4d1c836d91b050c931bb399d78d69bd2c77349cffd17f2d7587cd334c9d1c491a3c08041c17b9669bc5eb9b237be3b624cf54b10fa7ba2887328498acfb6f4f0684c2727c01bbf077de2ccb8bf71c59ed47a90710bd0ab235490f93042f67729ecee276c0546f5adba7abde8564fb76a953b43941678a865c1547f56395a0dbe66ca1f17c3efe0c0638826764528ddcad81263320645840cf4f56e1911b37641eca19483c4ddbdf0b44525392da16b15e90") csource_test.go:117: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include unsigned long long procid; static __thread int skip_segv; static __thread jmp_buf segv_env; static void segv_handler(int sig, siginfo_t* info, void* ctx) { uintptr_t addr = (uintptr_t)info->si_addr; const uintptr_t prog_start = 1 << 20; const uintptr_t prog_end = 100 << 20; if (__atomic_load_n(&skip_segv, __ATOMIC_RELAXED) && (addr < prog_start || addr > prog_end)) { _longjmp(segv_env, 1); } exit(sig); } static void install_segv_handler(void) { struct sigaction sa; memset(&sa, 0, sizeof(sa)); sa.sa_handler = SIG_IGN; syscall(SYS_rt_sigaction, 0x20, &sa, NULL, 8); syscall(SYS_rt_sigaction, 0x21, &sa, NULL, 8); memset(&sa, 0, sizeof(sa)); sa.sa_sigaction = segv_handler; sa.sa_flags = SA_NODEFER | SA_SIGINFO; sigaction(SIGSEGV, &sa, NULL); sigaction(SIGBUS, &sa, NULL); } #define NONFAILING(...) { __atomic_fetch_add(&skip_segv, 1, __ATOMIC_SEQ_CST); if (_setjmp(segv_env) == 0) { __VA_ARGS__; } __atomic_fetch_sub(&skip_segv, 1, __ATOMIC_SEQ_CST); } static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void use_temporary_dir(void) { char tmpdir_template[] = "./syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) exit(1); if (chmod(tmpdir, 0777)) exit(1); if (chdir(tmpdir)) exit(1); } static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); pthread_attr_setstacksize(&attr, 128 << 10); int i; for (i = 0; i < 100; i++) { if (pthread_create(&th, &attr, fn, arg) == 0) { pthread_attr_destroy(&attr); return; } if (errno == EAGAIN) { usleep(50); continue; } break; } exit(1); } #define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off)) #define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len)))) typedef struct { int state; } event_t; static void event_init(event_t* ev) { ev->state = 0; } static void event_reset(event_t* ev) { ev->state = 0; } static void event_set(event_t* ev) { if (ev->state) exit(1); __atomic_store_n(&ev->state, 1, __ATOMIC_RELEASE); syscall(SYS_futex, &ev->state, FUTEX_WAKE | FUTEX_PRIVATE_FLAG); } static void event_wait(event_t* ev) { while (!__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, 0); } static int event_isset(event_t* ev) { return __atomic_load_n(&ev->state, __ATOMIC_ACQUIRE); } static int event_timedwait(event_t* ev, uint64_t timeout) { uint64_t start = current_time_ms(); uint64_t now = start; for (;;) { uint64_t remain = timeout - (now - start); struct timespec ts; ts.tv_sec = remain / 1000; ts.tv_nsec = (remain % 1000) * 1000 * 1000; syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, &ts); if (__atomic_load_n(&ev->state, __ATOMIC_RELAXED)) return 1; now = current_time_ms(); if (now - start > timeout) return 0; } } static bool write_file(const char* file, const char* what, ...) { char buf[1024]; va_list args; va_start(args, what); vsnprintf(buf, sizeof(buf), what, args); va_end(args); buf[sizeof(buf) - 1] = 0; int len = strlen(buf); int fd = open(file, O_WRONLY | O_CLOEXEC); if (fd == -1) return false; if (write(fd, buf, len) != len) { int err = errno; close(fd); errno = err; return false; } close(fd); return true; } #define USB_MAX_EP_NUM 32 struct usb_device_index { struct usb_device_descriptor* dev; struct usb_config_descriptor* config; unsigned config_length; struct usb_interface_descriptor* iface; struct usb_endpoint_descriptor* eps[USB_MAX_EP_NUM]; unsigned eps_num; }; static bool parse_usb_descriptor(char* buffer, size_t length, struct usb_device_index* index) { if (length < sizeof(*index->dev) + sizeof(*index->config) + sizeof(*index->iface)) return false; index->dev = (struct usb_device_descriptor*)buffer; index->config = (struct usb_config_descriptor*)(buffer + sizeof(*index->dev)); index->config_length = length - sizeof(*index->dev); index->iface = (struct usb_interface_descriptor*)(buffer + sizeof(*index->dev) + sizeof(*index->config)); index->eps_num = 0; size_t offset = 0; while (true) { if (offset == length) break; if (offset + 1 < length) break; uint8_t length = buffer[offset]; uint8_t type = buffer[offset + 1]; if (type == USB_DT_ENDPOINT) { index->eps[index->eps_num] = (struct usb_endpoint_descriptor*)(buffer + offset); index->eps_num++; } if (index->eps_num == USB_MAX_EP_NUM) break; offset += length; } return true; } enum usb_fuzzer_event_type { USB_FUZZER_EVENT_INVALID, USB_FUZZER_EVENT_CONNECT, USB_FUZZER_EVENT_DISCONNECT, USB_FUZZER_EVENT_SUSPEND, USB_FUZZER_EVENT_RESUME, USB_FUZZER_EVENT_CONTROL, }; struct usb_fuzzer_event { uint32_t type; uint32_t length; char data[0]; }; struct usb_fuzzer_init { uint64_t speed; const char* driver_name; const char* device_name; }; struct usb_fuzzer_ep_io { uint16_t ep; uint16_t flags; uint32_t length; char data[0]; }; #define USB_FUZZER_IOCTL_INIT _IOW('U', 0, struct usb_fuzzer_init) #define USB_FUZZER_IOCTL_RUN _IO('U', 1) #define USB_FUZZER_IOCTL_EP0_READ _IOWR('U', 2, struct usb_fuzzer_event) #define USB_FUZZER_IOCTL_EP0_WRITE _IOW('U', 3, struct usb_fuzzer_ep_io) #define USB_FUZZER_IOCTL_EP_ENABLE _IOW('U', 4, struct usb_endpoint_descriptor) #define USB_FUZZER_IOCTL_EP_WRITE _IOW('U', 6, struct usb_fuzzer_ep_io) #define USB_FUZZER_IOCTL_CONFIGURE _IO('U', 8) #define USB_FUZZER_IOCTL_VBUS_DRAW _IOW('U', 9, uint32_t) int usb_fuzzer_open() { return open("/sys/kernel/debug/usb-fuzzer", O_RDWR); } int usb_fuzzer_init(int fd, uint32_t speed, const char* driver, const char* device) { struct usb_fuzzer_init arg; arg.speed = speed; arg.driver_name = driver; arg.device_name = device; return ioctl(fd, USB_FUZZER_IOCTL_INIT, &arg); } int usb_fuzzer_run(int fd) { return ioctl(fd, USB_FUZZER_IOCTL_RUN, 0); } int usb_fuzzer_ep0_read(int fd, struct usb_fuzzer_event* event) { return ioctl(fd, USB_FUZZER_IOCTL_EP0_READ, event); } int usb_fuzzer_ep0_write(int fd, struct usb_fuzzer_ep_io* io) { return ioctl(fd, USB_FUZZER_IOCTL_EP0_WRITE, io); } int usb_fuzzer_ep_write(int fd, struct usb_fuzzer_ep_io* io) { return ioctl(fd, USB_FUZZER_IOCTL_EP_WRITE, io); } int usb_fuzzer_ep_enable(int fd, struct usb_endpoint_descriptor* desc) { return ioctl(fd, USB_FUZZER_IOCTL_EP_ENABLE, desc); } int usb_fuzzer_configure(int fd) { return ioctl(fd, USB_FUZZER_IOCTL_CONFIGURE, 0); } int usb_fuzzer_vbus_draw(int fd, uint32_t power) { return ioctl(fd, USB_FUZZER_IOCTL_VBUS_DRAW, power); } #define USB_MAX_PACKET_SIZE 1024 struct usb_fuzzer_control_event { struct usb_fuzzer_event inner; struct usb_ctrlrequest ctrl; }; struct usb_fuzzer_ep_io_data { struct usb_fuzzer_ep_io inner; char data[USB_MAX_PACKET_SIZE]; }; struct vusb_connect_string_descriptor { uint32_t len; char* str; } __attribute__((packed)); struct vusb_connect_descriptors { uint32_t qual_len; char* qual; uint32_t bos_len; char* bos; uint32_t strs_len; struct vusb_connect_string_descriptor strs[0]; } __attribute__((packed)); static bool lookup_connect_response(struct vusb_connect_descriptors* descs, struct usb_device_index* index, struct usb_ctrlrequest* ctrl, char** response_data, uint32_t* response_length, bool* done) { uint8_t str_idx; switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_GET_DESCRIPTOR: switch (ctrl->wValue >> 8) { case USB_DT_DEVICE: *response_data = (char*)index->dev; *response_length = sizeof(*index->dev); return true; case USB_DT_CONFIG: *response_data = (char*)index->config; *response_length = index->config_length; return true; case USB_DT_STRING: str_idx = (uint8_t)ctrl->wValue; if (str_idx >= descs->strs_len) return false; *response_data = descs->strs[str_idx].str; *response_length = descs->strs[str_idx].len; return true; case USB_DT_BOS: *response_data = descs->bos; *response_length = descs->bos_len; return true; case USB_DT_DEVICE_QUALIFIER: *response_data = descs->qual; *response_length = descs->qual_len; return true; default: exit(1); return false; } break; case USB_REQ_SET_CONFIGURATION: *response_length = 0; *response_data = NULL; *done = true; return true; default: exit(1); return false; } break; default: exit(1); return false; } return false; } static volatile long syz_usb_connect(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { int64_t speed = a0; int64_t dev_len = a1; char* dev = (char*)a2; struct vusb_connect_descriptors* descs = (struct vusb_connect_descriptors*)a3; if (!dev) return -1; struct usb_device_index index; memset(&index, 0, sizeof(index)); int rv; NONFAILING(rv = parse_usb_descriptor(dev, dev_len, &index)); if (!rv) return -1; int fd = usb_fuzzer_open(); if (fd < 0) return -1; char device[32]; sprintf(&device[0], "dummy_udc.%llu", procid); rv = usb_fuzzer_init(fd, speed, "dummy_udc", &device[0]); if (rv < 0) return -1; rv = usb_fuzzer_run(fd); if (rv < 0) return -1; bool done = false; while (!done) { struct usb_fuzzer_control_event event; event.inner.type = 0; event.inner.length = sizeof(event.ctrl); rv = usb_fuzzer_ep0_read(fd, (struct usb_fuzzer_event*)&event); if (rv < 0) return -1; if (event.inner.type != USB_FUZZER_EVENT_CONTROL) continue; bool response_found; char* response_data = NULL; uint32_t response_length = 0; NONFAILING(response_found = lookup_connect_response(descs, &index, &event.ctrl, &response_data, &response_length, &done)); if (!response_found) return -1; if (done) { int rv = usb_fuzzer_vbus_draw(fd, index.config->bMaxPower); if (rv < 0) return -1; rv = usb_fuzzer_configure(fd); if (rv < 0) return -1; unsigned ep; for (ep = 0; ep < index.eps_num; ep++) { rv = usb_fuzzer_ep_enable(fd, index.eps[ep]); if (rv < 0) exit(1); } } struct usb_fuzzer_ep_io_data response; response.inner.ep = 0; response.inner.flags = 0; if (response_length > sizeof(response.data)) response_length = 0; response.inner.length = response_length; if (response_data) memcpy(&response.data[0], response_data, response_length); if (event.ctrl.wLength < response.inner.length) response.inner.length = event.ctrl.wLength; usb_fuzzer_ep0_write(fd, (struct usb_fuzzer_ep_io*)&response); } sleep_ms(200); return fd; } struct vusb_descriptor { uint8_t req_type; uint8_t desc_type; uint32_t len; char data[0]; } __attribute__((packed)); struct vusb_descriptors { uint32_t len; struct vusb_descriptor* generic; struct vusb_descriptor* descs[0]; } __attribute__((packed)); struct vusb_response { uint8_t type; uint8_t req; uint32_t len; char data[0]; } __attribute__((packed)); struct vusb_responses { uint32_t len; struct vusb_response* generic; struct vusb_response* resps[0]; } __attribute__((packed)); static bool lookup_control_io_response(struct vusb_descriptors* descs, struct vusb_responses* resps, struct usb_ctrlrequest* ctrl, char** response_data, uint32_t* response_length) { int descs_num = (descs->len - offsetof(struct vusb_descriptors, descs)) / sizeof(descs->descs[0]); int resps_num = (resps->len - offsetof(struct vusb_responses, resps)) / sizeof(resps->resps[0]); uint8_t req = ctrl->bRequest; uint8_t req_type = ctrl->bRequestType & USB_TYPE_MASK; uint8_t desc_type = ctrl->wValue >> 8; if (req == USB_REQ_GET_DESCRIPTOR) { int i; for (i = 0; i < descs_num; i++) { struct vusb_descriptor* desc = descs->descs[i]; if (!desc) continue; if (desc->req_type == req_type && desc->desc_type == desc_type) { *response_length = desc->len; if (*response_length != 0) *response_data = &desc->data[0]; else *response_data = NULL; return true; } } if (descs->generic) { *response_data = &descs->generic->data[0]; *response_length = descs->generic->len; return true; } } else { int i; for (i = 0; i < resps_num; i++) { struct vusb_response* resp = resps->resps[i]; if (!resp) continue; if (resp->type == req_type && resp->req == req) { *response_length = resp->len; if (*response_length != 0) *response_data = &resp->data[0]; else *response_data = NULL; return true; } } if (resps->generic) { *response_data = &resps->generic->data[0]; *response_length = resps->generic->len; return true; } } return false; } static volatile long syz_usb_control_io(volatile long a0, volatile long a1, volatile long a2) { int fd = a0; struct vusb_descriptors* descs = (struct vusb_descriptors*)a1; struct vusb_responses* resps = (struct vusb_responses*)a2; struct usb_fuzzer_control_event event; event.inner.type = 0; event.inner.length = sizeof(event.ctrl); int rv = usb_fuzzer_ep0_read(fd, (struct usb_fuzzer_event*)&event); if (rv < 0) return -1; if (event.inner.type != USB_FUZZER_EVENT_CONTROL) return -1; bool response_found; char* response_data = NULL; uint32_t response_length = 0; NONFAILING(response_found = lookup_control_io_response(descs, resps, &event.ctrl, &response_data, &response_length)); if (!response_found) return -1; struct usb_fuzzer_ep_io_data response; response.inner.ep = 0; response.inner.flags = 0; if (response_length > sizeof(response.data)) response_length = 0; response.inner.length = response_length; if (response_data) memcpy(&response.data[0], response_data, response_length); if (event.ctrl.wLength < response.inner.length) response.inner.length = event.ctrl.wLength; usb_fuzzer_ep0_write(fd, (struct usb_fuzzer_ep_io*)&response); return 0; } static volatile long syz_usb_ep_write(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { int fd = a0; uint16_t ep = a1; uint32_t len = a2; char* data = (char*)a3; struct usb_fuzzer_ep_io_data response; response.inner.ep = ep; response.inner.flags = 0; if (len > sizeof(response.data)) len = 0; response.inner.length = len; if (data) memcpy(&response.data[0], data, len); return usb_fuzzer_ep_write(fd, (struct usb_fuzzer_ep_io*)&response); } static volatile long syz_usb_disconnect(volatile long a0) { int fd = a0; int rv = close(fd); sleep_ms(200); return rv; } static long syz_open_dev(volatile long a0, volatile long a1, volatile long a2) { if (a0 == 0xc || a0 == 0xb) { char buf[128]; sprintf(buf, "/dev/%s/%d:%d", a0 == 0xc ? "char" : "block", (uint8_t)a1, (uint8_t)a2); return open(buf, O_RDWR, 0); } else { char buf[1024]; char* hash; NONFAILING(strncpy(buf, (char*)a0, sizeof(buf) - 1)); buf[sizeof(buf) - 1] = 0; while ((hash = strchr(buf, '#'))) { *hash = '0' + (char)(a1 % 10); a1 /= 10; } return open(buf, a2, 0); } } static long syz_open_procfs(volatile long a0, volatile long a1) { char buf[128]; memset(buf, 0, sizeof(buf)); if (a0 == 0) { NONFAILING(snprintf(buf, sizeof(buf), "/proc/self/%s", (char*)a1)); } else if (a0 == -1) { NONFAILING(snprintf(buf, sizeof(buf), "/proc/thread-self/%s", (char*)a1)); } else { NONFAILING(snprintf(buf, sizeof(buf), "/proc/self/task/%d/%s", (int)a0, (char*)a1)); } int fd = open(buf, O_RDWR); if (fd == -1) fd = open(buf, O_RDONLY); return fd; } static long syz_open_pts(volatile long a0, volatile long a1) { int ptyno = 0; if (ioctl(a0, TIOCGPTN, &ptyno)) return -1; char buf[128]; sprintf(buf, "/dev/pts/%d", ptyno); return open(buf, a1, 0); } const int kInitNetNsFd = 239; static long syz_init_net_socket(volatile long domain, volatile long type, volatile long proto) { int netns = open("/proc/self/ns/net", O_RDONLY); if (netns == -1) return netns; if (setns(kInitNetNsFd, 0)) return -1; int sock = syscall(__NR_socket, domain, type, proto); int err = errno; if (setns(netns, 0)) exit(1); close(netns); errno = err; return sock; } static long syz_genetlink_get_family_id(volatile long name) { char buf[512] = {0}; struct nlmsghdr* hdr = (struct nlmsghdr*)buf; struct genlmsghdr* genlhdr = (struct genlmsghdr*)NLMSG_DATA(hdr); struct nlattr* attr = (struct nlattr*)(genlhdr + 1); hdr->nlmsg_len = sizeof(*hdr) + sizeof(*genlhdr) + sizeof(*attr) + GENL_NAMSIZ; hdr->nlmsg_type = GENL_ID_CTRL; hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK; genlhdr->cmd = CTRL_CMD_GETFAMILY; attr->nla_type = CTRL_ATTR_FAMILY_NAME; attr->nla_len = sizeof(*attr) + GENL_NAMSIZ; NONFAILING(strncpy((char*)(attr + 1), (char*)name, GENL_NAMSIZ)); struct iovec iov = {hdr, hdr->nlmsg_len}; struct sockaddr_nl addr = {0}; addr.nl_family = AF_NETLINK; int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC); if (fd == -1) { return -1; } struct msghdr msg = {&addr, sizeof(addr), &iov, 1, NULL, 0, 0}; if (sendmsg(fd, &msg, 0) == -1) { close(fd); return -1; } ssize_t n = recv(fd, buf, sizeof(buf), 0); close(fd); if (n <= 0) { return -1; } if (hdr->nlmsg_type != GENL_ID_CTRL) { return -1; } for (; (char*)attr < buf + n; attr = (struct nlattr*)((char*)attr + NLMSG_ALIGN(attr->nla_len))) { if (attr->nla_type == CTRL_ATTR_FAMILY_ID) return *(uint16_t*)(attr + 1); } return -1; } struct fs_image_segment { void* data; uintptr_t size; uintptr_t offset; }; #define IMAGE_MAX_SEGMENTS 4096 #define IMAGE_MAX_SIZE (129 << 20) #define SYZ_memfd_create 319 static long syz_read_part_table(volatile unsigned long size, volatile unsigned long nsegs, volatile long segments) { char loopname[64], linkname[64]; int loopfd, err = 0, res = -1; unsigned long i, j; struct fs_image_segment* segs = (struct fs_image_segment*)segments; if (nsegs > IMAGE_MAX_SEGMENTS) nsegs = IMAGE_MAX_SEGMENTS; for (i = 0; i < nsegs; i++) { if (segs[i].size > IMAGE_MAX_SIZE) segs[i].size = IMAGE_MAX_SIZE; segs[i].offset %= IMAGE_MAX_SIZE; if (segs[i].offset > IMAGE_MAX_SIZE - segs[i].size) segs[i].offset = IMAGE_MAX_SIZE - segs[i].size; if (size < segs[i].offset + segs[i].offset) size = segs[i].offset + segs[i].offset; } if (size > IMAGE_MAX_SIZE) size = IMAGE_MAX_SIZE; int memfd = syscall(SYZ_memfd_create, "syz_read_part_table", 0); if (memfd == -1) { err = errno; goto error; } if (ftruncate(memfd, size)) { err = errno; goto error_close_memfd; } for (i = 0; i < nsegs; i++) { if (pwrite(memfd, segs[i].data, segs[i].size, segs[i].offset) < 0) { } } snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid); loopfd = open(loopname, O_RDWR); if (loopfd == -1) { err = errno; goto error_close_memfd; } if (ioctl(loopfd, LOOP_SET_FD, memfd)) { if (errno != EBUSY) { err = errno; goto error_close_loop; } ioctl(loopfd, LOOP_CLR_FD, 0); usleep(1000); if (ioctl(loopfd, LOOP_SET_FD, memfd)) { err = errno; goto error_close_loop; } } struct loop_info64 info; if (ioctl(loopfd, LOOP_GET_STATUS64, &info)) { err = errno; goto error_clear_loop; } info.lo_flags |= LO_FLAGS_PARTSCAN; if (ioctl(loopfd, LOOP_SET_STATUS64, &info)) { err = errno; goto error_clear_loop; } res = 0; for (i = 1, j = 0; i < 8; i++) { snprintf(loopname, sizeof(loopname), "/dev/loop%llup%d", procid, (int)i); struct stat statbuf; if (stat(loopname, &statbuf) == 0) { snprintf(linkname, sizeof(linkname), "./file%d", (int)j++); if (symlink(loopname, linkname)) { } } } error_clear_loop: ioctl(loopfd, LOOP_CLR_FD, 0); error_close_loop: close(loopfd); error_close_memfd: close(memfd); error: errno = err; return res; } static long syz_mount_image(volatile long fsarg, volatile long dir, volatile unsigned long size, volatile unsigned long nsegs, volatile long segments, volatile long flags, volatile long optsarg) { char loopname[64], fs[32], opts[256]; int loopfd, err = 0, res = -1; unsigned long i; struct fs_image_segment* segs = (struct fs_image_segment*)segments; if (nsegs > IMAGE_MAX_SEGMENTS) nsegs = IMAGE_MAX_SEGMENTS; for (i = 0; i < nsegs; i++) { if (segs[i].size > IMAGE_MAX_SIZE) segs[i].size = IMAGE_MAX_SIZE; segs[i].offset %= IMAGE_MAX_SIZE; if (segs[i].offset > IMAGE_MAX_SIZE - segs[i].size) segs[i].offset = IMAGE_MAX_SIZE - segs[i].size; if (size < segs[i].offset + segs[i].offset) size = segs[i].offset + segs[i].offset; } if (size > IMAGE_MAX_SIZE) size = IMAGE_MAX_SIZE; int memfd = syscall(SYZ_memfd_create, "syz_mount_image", 0); if (memfd == -1) { err = errno; goto error; } if (ftruncate(memfd, size)) { err = errno; goto error_close_memfd; } for (i = 0; i < nsegs; i++) { if (pwrite(memfd, segs[i].data, segs[i].size, segs[i].offset) < 0) { } } snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid); loopfd = open(loopname, O_RDWR); if (loopfd == -1) { err = errno; goto error_close_memfd; } if (ioctl(loopfd, LOOP_SET_FD, memfd)) { if (errno != EBUSY) { err = errno; goto error_close_loop; } ioctl(loopfd, LOOP_CLR_FD, 0); usleep(1000); if (ioctl(loopfd, LOOP_SET_FD, memfd)) { err = errno; goto error_close_loop; } } mkdir((char*)dir, 0777); memset(fs, 0, sizeof(fs)); NONFAILING(strncpy(fs, (char*)fsarg, sizeof(fs) - 1)); memset(opts, 0, sizeof(opts)); NONFAILING(strncpy(opts, (char*)optsarg, sizeof(opts) - 32)); if (strcmp(fs, "iso9660") == 0) { flags |= MS_RDONLY; } else if (strncmp(fs, "ext", 3) == 0) { if (strstr(opts, "errors=panic") || strstr(opts, "errors=remount-ro") == 0) strcat(opts, ",errors=continue"); } else if (strcmp(fs, "xfs") == 0) { strcat(opts, ",nouuid"); } if (mount(loopname, (char*)dir, fs, flags, opts)) { err = errno; goto error_clear_loop; } res = 0; error_clear_loop: ioctl(loopfd, LOOP_CLR_FD, 0); error_close_loop: close(loopfd); error_close_memfd: close(memfd); error: errno = err; return res; } const char kvm_asm16_cpl3[] = "\x0f\x20\xc0\x66\x83\xc8\x01\x0f\x22\xc0\xb8\xa0\x00\x0f\x00\xd8\xb8\x2b\x00\x8e\xd8\x8e\xc0\x8e\xe0\x8e\xe8\xbc\x00\x01\xc7\x06\x00\x01\x1d\xba\xc7\x06\x02\x01\x23\x00\xc7\x06\x04\x01\x00\x01\xc7\x06\x06\x01\x2b\x00\xcb"; const char kvm_asm32_paged[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0"; const char kvm_asm32_vm86[] = "\x66\xb8\xb8\x00\x0f\x00\xd8\xea\x00\x00\x00\x00\xd0\x00"; const char kvm_asm32_paged_vm86[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\x66\xb8\xb8\x00\x0f\x00\xd8\xea\x00\x00\x00\x00\xd0\x00"; const char kvm_asm64_enable_long[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b\x50\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8"; const char kvm_asm64_init_vm[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b\x50\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8\x48\xc7\xc1\x3a\x00\x00\x00\x0f\x32\x48\x83\xc8\x05\x0f\x30\x0f\x20\xe0\x48\x0d\x00\x20\x00\x00\x0f\x22\xe0\x48\xc7\xc1\x80\x04\x00\x00\x0f\x32\x48\xc7\xc2\x00\x60\x00\x00\x89\x02\x48\xc7\xc2\x00\x70\x00\x00\x89\x02\x48\xc7\xc0\x00\x5f\x00\x00\xf3\x0f\xc7\x30\x48\xc7\xc0\x08\x5f\x00\x00\x66\x0f\xc7\x30\x0f\xc7\x30\x48\xc7\xc1\x81\x04\x00\x00\x0f\x32\x48\x83\xc8\x3f\x48\x21\xd0\x48\xc7\xc2\x00\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x40\x00\x00\x48\xb8\x84\x9e\x99\xf3\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x40\x00\x00\x48\xc7\xc0\x81\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x83\x04\x00\x00\x0f\x32\x48\x0d\xff\x6f\x03\x00\x48\x21\xd0\x48\xc7\xc2\x0c\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x84\x04\x00\x00\x0f\x32\x48\x0d\xff\x17\x00\x00\x48\x21\xd0\x48\xc7\xc2\x12\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x2c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x28\x00\x00\x48\xc7\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x02\x0c\x00\x00\x48\xc7\xc0\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc0\x58\x00\x00\x00\x48\xc7\xc2\x00\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc0\xd8\x00\x00\x00\x48\xc7\xc2\x0c\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x2c\x00\x00\x48\xc7\xc0\x00\x05\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x4c\x00\x00\x48\xc7\xc0\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x12\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x0f\x20\xc0\x48\xc7\xc2\x00\x6c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xd8\x48\xc7\xc2\x02\x6c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xe0\x48\xc7\xc2\x04\x6c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x48\xc7\xc2\x06\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x6c\x00\x00\x48\xc7\xc0\x00\x3a\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x6c\x00\x00\x48\xc7\xc0\x00\x10\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x6c\x00\x00\x48\xc7\xc0\x00\x38\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x6c\x00\x00\x48\x8b\x04\x25\x10\x5f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x00\x00\x00\x48\xc7\xc0\x01\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x00\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x77\x02\x00\x00\x0f\x32\x48\xc1\xe2\x20\x48\x09\xd0\x48\xc7\xc2\x00\x2c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x48\xc7\xc2\x04\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x60\x00\x00\x48\xc7\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x02\x60\x00\x00\x48\xc7\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x1c\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x22\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x08\x00\x00\x48\xc7\xc0\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x08\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x08\x00\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x12\x68\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x68\x00\x00\x48\xc7\xc0\x00\x3a\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x68\x00\x00\x48\xc7\xc0\x00\x10\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x18\x68\x00\x00\x48\xc7\xc0\x00\x38\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x48\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x48\x00\x00\x48\xc7\xc0\xff\x1f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x48\x00\x00\x48\xc7\xc0\xff\x1f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x12\x48\x00\x00\x48\xc7\xc0\xff\x1f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x48\x00\x00\x48\xc7\xc0\x9b\x20\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x18\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1a\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1c\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20\x48\x00\x00\x48\xc7\xc0\x82\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x22\x48\x00\x00\x48\xc7\xc0\x8b\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1c\x68\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x68\x00\x00\x48\xc7\xc0\x00\x91\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20\x68\x00\x00\x48\xc7\xc0\x02\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x28\x00\x00\x48\xc7\xc0\x00\x05\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x0f\x20\xc0\x48\xc7\xc2\x00\x68\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xd8\x48\xc7\xc2\x02\x68\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xe0\x48\xc7\xc2\x04\x68\x00\x00\x48\x89\xc0\x0f\x79\xd0\x48\xc7\xc0\x18\x5f\x00\x00\x48\x8b\x10\x48\xc7\xc0\x20\x5f\x00\x00\x48\x8b\x08\x48\x31\xc0\x0f\x78\xd0\x48\x31\xc8\x0f\x79\xd0\x0f\x01\xc2\x48\xc7\xc2\x00\x44\x00\x00\x0f\x78\xd0\xf4"; const char kvm_asm64_vm_exit[] = "\x48\xc7\xc3\x00\x44\x00\x00\x0f\x78\xda\x48\xc7\xc3\x02\x44\x00\x00\x0f\x78\xd9\x48\xc7\xc0\x00\x64\x00\x00\x0f\x78\xc0\x48\xc7\xc3\x1e\x68\x00\x00\x0f\x78\xdb\xf4"; const char kvm_asm64_cpl3[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b\x50\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8\x48\xc7\xc0\x6b\x00\x00\x00\x8e\xd8\x8e\xc0\x8e\xe0\x8e\xe8\x48\xc7\xc4\x80\x0f\x00\x00\x48\xc7\x04\x24\x1d\xba\x00\x00\x48\xc7\x44\x24\x04\x63\x00\x00\x00\x48\xc7\x44\x24\x08\x80\x0f\x00\x00\x48\xc7\x44\x24\x0c\x6b\x00\x00\x00\xcb"; #define ADDR_TEXT 0x0000 #define ADDR_GDT 0x1000 #define ADDR_LDT 0x1800 #define ADDR_PML4 0x2000 #define ADDR_PDP 0x3000 #define ADDR_PD 0x4000 #define ADDR_STACK0 0x0f80 #define ADDR_VAR_HLT 0x2800 #define ADDR_VAR_SYSRET 0x2808 #define ADDR_VAR_SYSEXIT 0x2810 #define ADDR_VAR_IDT 0x3800 #define ADDR_VAR_TSS64 0x3a00 #define ADDR_VAR_TSS64_CPL3 0x3c00 #define ADDR_VAR_TSS16 0x3d00 #define ADDR_VAR_TSS16_2 0x3e00 #define ADDR_VAR_TSS16_CPL3 0x3f00 #define ADDR_VAR_TSS32 0x4800 #define ADDR_VAR_TSS32_2 0x4a00 #define ADDR_VAR_TSS32_CPL3 0x4c00 #define ADDR_VAR_TSS32_VM86 0x4e00 #define ADDR_VAR_VMXON_PTR 0x5f00 #define ADDR_VAR_VMCS_PTR 0x5f08 #define ADDR_VAR_VMEXIT_PTR 0x5f10 #define ADDR_VAR_VMWRITE_FLD 0x5f18 #define ADDR_VAR_VMWRITE_VAL 0x5f20 #define ADDR_VAR_VMXON 0x6000 #define ADDR_VAR_VMCS 0x7000 #define ADDR_VAR_VMEXIT_CODE 0x9000 #define ADDR_VAR_USER_CODE 0x9100 #define ADDR_VAR_USER_CODE2 0x9120 #define SEL_LDT (1 << 3) #define SEL_CS16 (2 << 3) #define SEL_DS16 (3 << 3) #define SEL_CS16_CPL3 ((4 << 3) + 3) #define SEL_DS16_CPL3 ((5 << 3) + 3) #define SEL_CS32 (6 << 3) #define SEL_DS32 (7 << 3) #define SEL_CS32_CPL3 ((8 << 3) + 3) #define SEL_DS32_CPL3 ((9 << 3) + 3) #define SEL_CS64 (10 << 3) #define SEL_DS64 (11 << 3) #define SEL_CS64_CPL3 ((12 << 3) + 3) #define SEL_DS64_CPL3 ((13 << 3) + 3) #define SEL_CGATE16 (14 << 3) #define SEL_TGATE16 (15 << 3) #define SEL_CGATE32 (16 << 3) #define SEL_TGATE32 (17 << 3) #define SEL_CGATE64 (18 << 3) #define SEL_CGATE64_HI (19 << 3) #define SEL_TSS16 (20 << 3) #define SEL_TSS16_2 (21 << 3) #define SEL_TSS16_CPL3 ((22 << 3) + 3) #define SEL_TSS32 (23 << 3) #define SEL_TSS32_2 (24 << 3) #define SEL_TSS32_CPL3 ((25 << 3) + 3) #define SEL_TSS32_VM86 (26 << 3) #define SEL_TSS64 (27 << 3) #define SEL_TSS64_HI (28 << 3) #define SEL_TSS64_CPL3 ((29 << 3) + 3) #define SEL_TSS64_CPL3_HI (30 << 3) #define MSR_IA32_FEATURE_CONTROL 0x3a #define MSR_IA32_VMX_BASIC 0x480 #define MSR_IA32_SMBASE 0x9e #define MSR_IA32_SYSENTER_CS 0x174 #define MSR_IA32_SYSENTER_ESP 0x175 #define MSR_IA32_SYSENTER_EIP 0x176 #define MSR_IA32_STAR 0xC0000081 #define MSR_IA32_LSTAR 0xC0000082 #define MSR_IA32_VMX_PROCBASED_CTLS2 0x48B #define NEXT_INSN $0xbadc0de #define PREFIX_SIZE 0xba1d #define KVM_SMI _IO(KVMIO, 0xb7) #define CR0_PE 1 #define CR0_MP (1 << 1) #define CR0_EM (1 << 2) #define CR0_TS (1 << 3) #define CR0_ET (1 << 4) #define CR0_NE (1 << 5) #define CR0_WP (1 << 16) #define CR0_AM (1 << 18) #define CR0_NW (1 << 29) #define CR0_CD (1 << 30) #define CR0_PG (1 << 31) #define CR4_VME 1 #define CR4_PVI (1 << 1) #define CR4_TSD (1 << 2) #define CR4_DE (1 << 3) #define CR4_PSE (1 << 4) #define CR4_PAE (1 << 5) #define CR4_MCE (1 << 6) #define CR4_PGE (1 << 7) #define CR4_PCE (1 << 8) #define CR4_OSFXSR (1 << 8) #define CR4_OSXMMEXCPT (1 << 10) #define CR4_UMIP (1 << 11) #define CR4_VMXE (1 << 13) #define CR4_SMXE (1 << 14) #define CR4_FSGSBASE (1 << 16) #define CR4_PCIDE (1 << 17) #define CR4_OSXSAVE (1 << 18) #define CR4_SMEP (1 << 20) #define CR4_SMAP (1 << 21) #define CR4_PKE (1 << 22) #define EFER_SCE 1 #define EFER_LME (1 << 8) #define EFER_LMA (1 << 10) #define EFER_NXE (1 << 11) #define EFER_SVME (1 << 12) #define EFER_LMSLE (1 << 13) #define EFER_FFXSR (1 << 14) #define EFER_TCE (1 << 15) #define PDE32_PRESENT 1 #define PDE32_RW (1 << 1) #define PDE32_USER (1 << 2) #define PDE32_PS (1 << 7) #define PDE64_PRESENT 1 #define PDE64_RW (1 << 1) #define PDE64_USER (1 << 2) #define PDE64_ACCESSED (1 << 5) #define PDE64_DIRTY (1 << 6) #define PDE64_PS (1 << 7) #define PDE64_G (1 << 8) struct tss16 { uint16_t prev; uint16_t sp0; uint16_t ss0; uint16_t sp1; uint16_t ss1; uint16_t sp2; uint16_t ss2; uint16_t ip; uint16_t flags; uint16_t ax; uint16_t cx; uint16_t dx; uint16_t bx; uint16_t sp; uint16_t bp; uint16_t si; uint16_t di; uint16_t es; uint16_t cs; uint16_t ss; uint16_t ds; uint16_t ldt; } __attribute__((packed)); struct tss32 { uint16_t prev, prevh; uint32_t sp0; uint16_t ss0, ss0h; uint32_t sp1; uint16_t ss1, ss1h; uint32_t sp2; uint16_t ss2, ss2h; uint32_t cr3; uint32_t ip; uint32_t flags; uint32_t ax; uint32_t cx; uint32_t dx; uint32_t bx; uint32_t sp; uint32_t bp; uint32_t si; uint32_t di; uint16_t es, esh; uint16_t cs, csh; uint16_t ss, ssh; uint16_t ds, dsh; uint16_t fs, fsh; uint16_t gs, gsh; uint16_t ldt, ldth; uint16_t trace; uint16_t io_bitmap; } __attribute__((packed)); struct tss64 { uint32_t reserved0; uint64_t rsp[3]; uint64_t reserved1; uint64_t ist[7]; uint64_t reserved2; uint32_t reserved3; uint32_t io_bitmap; } __attribute__((packed)); static void fill_segment_descriptor(uint64_t* dt, uint64_t* lt, struct kvm_segment* seg) { uint16_t index = seg->selector >> 3; uint64_t limit = seg->g ? seg->limit >> 12 : seg->limit; uint64_t sd = (limit & 0xffff) | (seg->base & 0xffffff) << 16 | (uint64_t)seg->type << 40 | (uint64_t)seg->s << 44 | (uint64_t)seg->dpl << 45 | (uint64_t)seg->present << 47 | (limit & 0xf0000ULL) << 48 | (uint64_t)seg->avl << 52 | (uint64_t)seg->l << 53 | (uint64_t)seg->db << 54 | (uint64_t)seg->g << 55 | (seg->base & 0xff000000ULL) << 56; NONFAILING(dt[index] = sd); NONFAILING(lt[index] = sd); } static void fill_segment_descriptor_dword(uint64_t* dt, uint64_t* lt, struct kvm_segment* seg) { fill_segment_descriptor(dt, lt, seg); uint16_t index = seg->selector >> 3; NONFAILING(dt[index + 1] = 0); NONFAILING(lt[index + 1] = 0); } static void setup_syscall_msrs(int cpufd, uint16_t sel_cs, uint16_t sel_cs_cpl3) { char buf[sizeof(struct kvm_msrs) + 5 * sizeof(struct kvm_msr_entry)]; memset(buf, 0, sizeof(buf)); struct kvm_msrs* msrs = (struct kvm_msrs*)buf; struct kvm_msr_entry* entries = msrs->entries; msrs->nmsrs = 5; entries[0].index = MSR_IA32_SYSENTER_CS; entries[0].data = sel_cs; entries[1].index = MSR_IA32_SYSENTER_ESP; entries[1].data = ADDR_STACK0; entries[2].index = MSR_IA32_SYSENTER_EIP; entries[2].data = ADDR_VAR_SYSEXIT; entries[3].index = MSR_IA32_STAR; entries[3].data = ((uint64_t)sel_cs << 32) | ((uint64_t)sel_cs_cpl3 << 48); entries[4].index = MSR_IA32_LSTAR; entries[4].data = ADDR_VAR_SYSRET; ioctl(cpufd, KVM_SET_MSRS, msrs); } static void setup_32bit_idt(struct kvm_sregs* sregs, char* host_mem, uintptr_t guest_mem) { sregs->idt.base = guest_mem + ADDR_VAR_IDT; sregs->idt.limit = 0x1ff; uint64_t* idt = (uint64_t*)(host_mem + sregs->idt.base); int i; for (i = 0; i < 32; i++) { struct kvm_segment gate; gate.selector = i << 3; switch (i % 6) { case 0: gate.type = 6; gate.base = SEL_CS16; break; case 1: gate.type = 7; gate.base = SEL_CS16; break; case 2: gate.type = 3; gate.base = SEL_TGATE16; break; case 3: gate.type = 14; gate.base = SEL_CS32; break; case 4: gate.type = 15; gate.base = SEL_CS32; break; case 6: gate.type = 11; gate.base = SEL_TGATE32; break; } gate.limit = guest_mem + ADDR_VAR_USER_CODE2; gate.present = 1; gate.dpl = 0; gate.s = 0; gate.g = 0; gate.db = 0; gate.l = 0; gate.avl = 0; fill_segment_descriptor(idt, idt, &gate); } } static void setup_64bit_idt(struct kvm_sregs* sregs, char* host_mem, uintptr_t guest_mem) { sregs->idt.base = guest_mem + ADDR_VAR_IDT; sregs->idt.limit = 0x1ff; uint64_t* idt = (uint64_t*)(host_mem + sregs->idt.base); int i; for (i = 0; i < 32; i++) { struct kvm_segment gate; gate.selector = (i * 2) << 3; gate.type = (i & 1) ? 14 : 15; gate.base = SEL_CS64; gate.limit = guest_mem + ADDR_VAR_USER_CODE2; gate.present = 1; gate.dpl = 0; gate.s = 0; gate.g = 0; gate.db = 0; gate.l = 0; gate.avl = 0; fill_segment_descriptor_dword(idt, idt, &gate); } } struct kvm_text { uintptr_t typ; const void* text; uintptr_t size; }; struct kvm_opt { uint64_t typ; uint64_t val; }; #define KVM_SETUP_PAGING (1 << 0) #define KVM_SETUP_PAE (1 << 1) #define KVM_SETUP_PROTECTED (1 << 2) #define KVM_SETUP_CPL3 (1 << 3) #define KVM_SETUP_VIRT86 (1 << 4) #define KVM_SETUP_SMM (1 << 5) #define KVM_SETUP_VM (1 << 6) static long syz_kvm_setup_cpu(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4, volatile long a5, volatile long a6, volatile long a7) { const int vmfd = a0; const int cpufd = a1; char* const host_mem = (char*)a2; const struct kvm_text* const text_array_ptr = (struct kvm_text*)a3; const uintptr_t text_count = a4; const uintptr_t flags = a5; const struct kvm_opt* const opt_array_ptr = (struct kvm_opt*)a6; uintptr_t opt_count = a7; const uintptr_t page_size = 4 << 10; const uintptr_t ioapic_page = 10; const uintptr_t guest_mem_size = 24 * page_size; const uintptr_t guest_mem = 0; (void)text_count; int text_type = 0; const void* text = 0; uintptr_t text_size = 0; NONFAILING(text_type = text_array_ptr[0].typ); NONFAILING(text = text_array_ptr[0].text); NONFAILING(text_size = text_array_ptr[0].size); uintptr_t i; for (i = 0; i < guest_mem_size / page_size; i++) { struct kvm_userspace_memory_region memreg; memreg.slot = i; memreg.flags = 0; memreg.guest_phys_addr = guest_mem + i * page_size; if (i == ioapic_page) memreg.guest_phys_addr = 0xfec00000; memreg.memory_size = page_size; memreg.userspace_addr = (uintptr_t)host_mem + i * page_size; ioctl(vmfd, KVM_SET_USER_MEMORY_REGION, &memreg); } struct kvm_userspace_memory_region memreg; memreg.slot = 1 + (1 << 16); memreg.flags = 0; memreg.guest_phys_addr = 0x30000; memreg.memory_size = 64 << 10; memreg.userspace_addr = (uintptr_t)host_mem; ioctl(vmfd, KVM_SET_USER_MEMORY_REGION, &memreg); struct kvm_sregs sregs; if (ioctl(cpufd, KVM_GET_SREGS, &sregs)) return -1; struct kvm_regs regs; memset(®s, 0, sizeof(regs)); regs.rip = guest_mem + ADDR_TEXT; regs.rsp = ADDR_STACK0; sregs.gdt.base = guest_mem + ADDR_GDT; sregs.gdt.limit = 256 * sizeof(uint64_t) - 1; uint64_t* gdt = (uint64_t*)(host_mem + sregs.gdt.base); struct kvm_segment seg_ldt; seg_ldt.selector = SEL_LDT; seg_ldt.type = 2; seg_ldt.base = guest_mem + ADDR_LDT; seg_ldt.limit = 256 * sizeof(uint64_t) - 1; seg_ldt.present = 1; seg_ldt.dpl = 0; seg_ldt.s = 0; seg_ldt.g = 0; seg_ldt.db = 1; seg_ldt.l = 0; sregs.ldt = seg_ldt; uint64_t* ldt = (uint64_t*)(host_mem + sregs.ldt.base); struct kvm_segment seg_cs16; seg_cs16.selector = SEL_CS16; seg_cs16.type = 11; seg_cs16.base = 0; seg_cs16.limit = 0xfffff; seg_cs16.present = 1; seg_cs16.dpl = 0; seg_cs16.s = 1; seg_cs16.g = 0; seg_cs16.db = 0; seg_cs16.l = 0; struct kvm_segment seg_ds16 = seg_cs16; seg_ds16.selector = SEL_DS16; seg_ds16.type = 3; struct kvm_segment seg_cs16_cpl3 = seg_cs16; seg_cs16_cpl3.selector = SEL_CS16_CPL3; seg_cs16_cpl3.dpl = 3; struct kvm_segment seg_ds16_cpl3 = seg_ds16; seg_ds16_cpl3.selector = SEL_DS16_CPL3; seg_ds16_cpl3.dpl = 3; struct kvm_segment seg_cs32 = seg_cs16; seg_cs32.selector = SEL_CS32; seg_cs32.db = 1; struct kvm_segment seg_ds32 = seg_ds16; seg_ds32.selector = SEL_DS32; seg_ds32.db = 1; struct kvm_segment seg_cs32_cpl3 = seg_cs32; seg_cs32_cpl3.selector = SEL_CS32_CPL3; seg_cs32_cpl3.dpl = 3; struct kvm_segment seg_ds32_cpl3 = seg_ds32; seg_ds32_cpl3.selector = SEL_DS32_CPL3; seg_ds32_cpl3.dpl = 3; struct kvm_segment seg_cs64 = seg_cs16; seg_cs64.selector = SEL_CS64; seg_cs64.l = 1; struct kvm_segment seg_ds64 = seg_ds32; seg_ds64.selector = SEL_DS64; struct kvm_segment seg_cs64_cpl3 = seg_cs64; seg_cs64_cpl3.selector = SEL_CS64_CPL3; seg_cs64_cpl3.dpl = 3; struct kvm_segment seg_ds64_cpl3 = seg_ds64; seg_ds64_cpl3.selector = SEL_DS64_CPL3; seg_ds64_cpl3.dpl = 3; struct kvm_segment seg_tss32; seg_tss32.selector = SEL_TSS32; seg_tss32.type = 9; seg_tss32.base = ADDR_VAR_TSS32; seg_tss32.limit = 0x1ff; seg_tss32.present = 1; seg_tss32.dpl = 0; seg_tss32.s = 0; seg_tss32.g = 0; seg_tss32.db = 0; seg_tss32.l = 0; struct kvm_segment seg_tss32_2 = seg_tss32; seg_tss32_2.selector = SEL_TSS32_2; seg_tss32_2.base = ADDR_VAR_TSS32_2; struct kvm_segment seg_tss32_cpl3 = seg_tss32; seg_tss32_cpl3.selector = SEL_TSS32_CPL3; seg_tss32_cpl3.base = ADDR_VAR_TSS32_CPL3; struct kvm_segment seg_tss32_vm86 = seg_tss32; seg_tss32_vm86.selector = SEL_TSS32_VM86; seg_tss32_vm86.base = ADDR_VAR_TSS32_VM86; struct kvm_segment seg_tss16 = seg_tss32; seg_tss16.selector = SEL_TSS16; seg_tss16.base = ADDR_VAR_TSS16; seg_tss16.limit = 0xff; seg_tss16.type = 1; struct kvm_segment seg_tss16_2 = seg_tss16; seg_tss16_2.selector = SEL_TSS16_2; seg_tss16_2.base = ADDR_VAR_TSS16_2; seg_tss16_2.dpl = 0; struct kvm_segment seg_tss16_cpl3 = seg_tss16; seg_tss16_cpl3.selector = SEL_TSS16_CPL3; seg_tss16_cpl3.base = ADDR_VAR_TSS16_CPL3; seg_tss16_cpl3.dpl = 3; struct kvm_segment seg_tss64 = seg_tss32; seg_tss64.selector = SEL_TSS64; seg_tss64.base = ADDR_VAR_TSS64; seg_tss64.limit = 0x1ff; struct kvm_segment seg_tss64_cpl3 = seg_tss64; seg_tss64_cpl3.selector = SEL_TSS64_CPL3; seg_tss64_cpl3.base = ADDR_VAR_TSS64_CPL3; seg_tss64_cpl3.dpl = 3; struct kvm_segment seg_cgate16; seg_cgate16.selector = SEL_CGATE16; seg_cgate16.type = 4; seg_cgate16.base = SEL_CS16 | (2 << 16); seg_cgate16.limit = ADDR_VAR_USER_CODE2; seg_cgate16.present = 1; seg_cgate16.dpl = 0; seg_cgate16.s = 0; seg_cgate16.g = 0; seg_cgate16.db = 0; seg_cgate16.l = 0; seg_cgate16.avl = 0; struct kvm_segment seg_tgate16 = seg_cgate16; seg_tgate16.selector = SEL_TGATE16; seg_tgate16.type = 3; seg_cgate16.base = SEL_TSS16_2; seg_tgate16.limit = 0; struct kvm_segment seg_cgate32 = seg_cgate16; seg_cgate32.selector = SEL_CGATE32; seg_cgate32.type = 12; seg_cgate32.base = SEL_CS32 | (2 << 16); struct kvm_segment seg_tgate32 = seg_cgate32; seg_tgate32.selector = SEL_TGATE32; seg_tgate32.type = 11; seg_tgate32.base = SEL_TSS32_2; seg_tgate32.limit = 0; struct kvm_segment seg_cgate64 = seg_cgate16; seg_cgate64.selector = SEL_CGATE64; seg_cgate64.type = 12; seg_cgate64.base = SEL_CS64; int kvmfd = open("/dev/kvm", O_RDWR); char buf[sizeof(struct kvm_cpuid2) + 128 * sizeof(struct kvm_cpuid_entry2)]; memset(buf, 0, sizeof(buf)); struct kvm_cpuid2* cpuid = (struct kvm_cpuid2*)buf; cpuid->nent = 128; ioctl(kvmfd, KVM_GET_SUPPORTED_CPUID, cpuid); ioctl(cpufd, KVM_SET_CPUID2, cpuid); close(kvmfd); const char* text_prefix = 0; int text_prefix_size = 0; char* host_text = host_mem + ADDR_TEXT; if (text_type == 8) { if (flags & KVM_SETUP_SMM) { if (flags & KVM_SETUP_PROTECTED) { sregs.cs = seg_cs16; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16; sregs.cr0 |= CR0_PE; } else { sregs.cs.selector = 0; sregs.cs.base = 0; } NONFAILING(*(host_mem + ADDR_TEXT) = 0xf4); host_text = host_mem + 0x8000; ioctl(cpufd, KVM_SMI, 0); } else if (flags & KVM_SETUP_VIRT86) { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; sregs.cr0 |= CR0_PE; sregs.efer |= EFER_SCE; setup_syscall_msrs(cpufd, SEL_CS32, SEL_CS32_CPL3); setup_32bit_idt(&sregs, host_mem, guest_mem); if (flags & KVM_SETUP_PAGING) { uint64_t pd_addr = guest_mem + ADDR_PD; uint64_t* pd = (uint64_t*)(host_mem + ADDR_PD); NONFAILING(pd[0] = PDE32_PRESENT | PDE32_RW | PDE32_USER | PDE32_PS); sregs.cr3 = pd_addr; sregs.cr4 |= CR4_PSE; text_prefix = kvm_asm32_paged_vm86; text_prefix_size = sizeof(kvm_asm32_paged_vm86) - 1; } else { text_prefix = kvm_asm32_vm86; text_prefix_size = sizeof(kvm_asm32_vm86) - 1; } } else { sregs.cs.selector = 0; sregs.cs.base = 0; } } else if (text_type == 16) { if (flags & KVM_SETUP_CPL3) { sregs.cs = seg_cs16; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16; text_prefix = kvm_asm16_cpl3; text_prefix_size = sizeof(kvm_asm16_cpl3) - 1; } else { sregs.cr0 |= CR0_PE; sregs.cs = seg_cs16; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16; } } else if (text_type == 32) { sregs.cr0 |= CR0_PE; sregs.efer |= EFER_SCE; setup_syscall_msrs(cpufd, SEL_CS32, SEL_CS32_CPL3); setup_32bit_idt(&sregs, host_mem, guest_mem); if (flags & KVM_SETUP_SMM) { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; NONFAILING(*(host_mem + ADDR_TEXT) = 0xf4); host_text = host_mem + 0x8000; ioctl(cpufd, KVM_SMI, 0); } else if (flags & KVM_SETUP_PAGING) { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; uint64_t pd_addr = guest_mem + ADDR_PD; uint64_t* pd = (uint64_t*)(host_mem + ADDR_PD); NONFAILING(pd[0] = PDE32_PRESENT | PDE32_RW | PDE32_USER | PDE32_PS); sregs.cr3 = pd_addr; sregs.cr4 |= CR4_PSE; text_prefix = kvm_asm32_paged; text_prefix_size = sizeof(kvm_asm32_paged) - 1; } else if (flags & KVM_SETUP_CPL3) { sregs.cs = seg_cs32_cpl3; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32_cpl3; } else { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; } } else { sregs.efer |= EFER_LME | EFER_SCE; sregs.cr0 |= CR0_PE; setup_syscall_msrs(cpufd, SEL_CS64, SEL_CS64_CPL3); setup_64bit_idt(&sregs, host_mem, guest_mem); sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; uint64_t pml4_addr = guest_mem + ADDR_PML4; uint64_t* pml4 = (uint64_t*)(host_mem + ADDR_PML4); uint64_t pdpt_addr = guest_mem + ADDR_PDP; uint64_t* pdpt = (uint64_t*)(host_mem + ADDR_PDP); uint64_t pd_addr = guest_mem + ADDR_PD; uint64_t* pd = (uint64_t*)(host_mem + ADDR_PD); NONFAILING(pml4[0] = PDE64_PRESENT | PDE64_RW | PDE64_USER | pdpt_addr); NONFAILING(pdpt[0] = PDE64_PRESENT | PDE64_RW | PDE64_USER | pd_addr); NONFAILING(pd[0] = PDE64_PRESENT | PDE64_RW | PDE64_USER | PDE64_PS); sregs.cr3 = pml4_addr; sregs.cr4 |= CR4_PAE; if (flags & KVM_SETUP_VM) { sregs.cr0 |= CR0_NE; NONFAILING(*((uint64_t*)(host_mem + ADDR_VAR_VMXON_PTR)) = ADDR_VAR_VMXON); NONFAILING(*((uint64_t*)(host_mem + ADDR_VAR_VMCS_PTR)) = ADDR_VAR_VMCS); NONFAILING(memcpy(host_mem + ADDR_VAR_VMEXIT_CODE, kvm_asm64_vm_exit, sizeof(kvm_asm64_vm_exit) - 1)); NONFAILING(*((uint64_t*)(host_mem + ADDR_VAR_VMEXIT_PTR)) = ADDR_VAR_VMEXIT_CODE); text_prefix = kvm_asm64_init_vm; text_prefix_size = sizeof(kvm_asm64_init_vm) - 1; } else if (flags & KVM_SETUP_CPL3) { text_prefix = kvm_asm64_cpl3; text_prefix_size = sizeof(kvm_asm64_cpl3) - 1; } else { text_prefix = kvm_asm64_enable_long; text_prefix_size = sizeof(kvm_asm64_enable_long) - 1; } } struct tss16 tss16; memset(&tss16, 0, sizeof(tss16)); tss16.ss0 = tss16.ss1 = tss16.ss2 = SEL_DS16; tss16.sp0 = tss16.sp1 = tss16.sp2 = ADDR_STACK0; tss16.ip = ADDR_VAR_USER_CODE2; tss16.flags = (1 << 1); tss16.cs = SEL_CS16; tss16.es = tss16.ds = tss16.ss = SEL_DS16; tss16.ldt = SEL_LDT; struct tss16* tss16_addr = (struct tss16*)(host_mem + seg_tss16_2.base); NONFAILING(memcpy(tss16_addr, &tss16, sizeof(tss16))); memset(&tss16, 0, sizeof(tss16)); tss16.ss0 = tss16.ss1 = tss16.ss2 = SEL_DS16; tss16.sp0 = tss16.sp1 = tss16.sp2 = ADDR_STACK0; tss16.ip = ADDR_VAR_USER_CODE2; tss16.flags = (1 << 1); tss16.cs = SEL_CS16_CPL3; tss16.es = tss16.ds = tss16.ss = SEL_DS16_CPL3; tss16.ldt = SEL_LDT; struct tss16* tss16_cpl3_addr = (struct tss16*)(host_mem + seg_tss16_cpl3.base); NONFAILING(memcpy(tss16_cpl3_addr, &tss16, sizeof(tss16))); struct tss32 tss32; memset(&tss32, 0, sizeof(tss32)); tss32.ss0 = tss32.ss1 = tss32.ss2 = SEL_DS32; tss32.sp0 = tss32.sp1 = tss32.sp2 = ADDR_STACK0; tss32.ip = ADDR_VAR_USER_CODE; tss32.flags = (1 << 1) | (1 << 17); tss32.ldt = SEL_LDT; tss32.cr3 = sregs.cr3; tss32.io_bitmap = offsetof(struct tss32, io_bitmap); struct tss32* tss32_addr = (struct tss32*)(host_mem + seg_tss32_vm86.base); NONFAILING(memcpy(tss32_addr, &tss32, sizeof(tss32))); memset(&tss32, 0, sizeof(tss32)); tss32.ss0 = tss32.ss1 = tss32.ss2 = SEL_DS32; tss32.sp0 = tss32.sp1 = tss32.sp2 = ADDR_STACK0; tss32.ip = ADDR_VAR_USER_CODE; tss32.flags = (1 << 1); tss32.cr3 = sregs.cr3; tss32.es = tss32.ds = tss32.ss = tss32.gs = tss32.fs = SEL_DS32; tss32.cs = SEL_CS32; tss32.ldt = SEL_LDT; tss32.cr3 = sregs.cr3; tss32.io_bitmap = offsetof(struct tss32, io_bitmap); struct tss32* tss32_cpl3_addr = (struct tss32*)(host_mem + seg_tss32_2.base); NONFAILING(memcpy(tss32_cpl3_addr, &tss32, sizeof(tss32))); struct tss64 tss64; memset(&tss64, 0, sizeof(tss64)); tss64.rsp[0] = ADDR_STACK0; tss64.rsp[1] = ADDR_STACK0; tss64.rsp[2] = ADDR_STACK0; tss64.io_bitmap = offsetof(struct tss64, io_bitmap); struct tss64* tss64_addr = (struct tss64*)(host_mem + seg_tss64.base); NONFAILING(memcpy(tss64_addr, &tss64, sizeof(tss64))); memset(&tss64, 0, sizeof(tss64)); tss64.rsp[0] = ADDR_STACK0; tss64.rsp[1] = ADDR_STACK0; tss64.rsp[2] = ADDR_STACK0; tss64.io_bitmap = offsetof(struct tss64, io_bitmap); struct tss64* tss64_cpl3_addr = (struct tss64*)(host_mem + seg_tss64_cpl3.base); NONFAILING(memcpy(tss64_cpl3_addr, &tss64, sizeof(tss64))); if (text_size > 1000) text_size = 1000; if (text_prefix) { NONFAILING(memcpy(host_text, text_prefix, text_prefix_size)); void* patch = 0; NONFAILING(patch = memmem(host_text, text_prefix_size, "\xde\xc0\xad\x0b", 4)); if (patch) NONFAILING(*((uint32_t*)patch) = guest_mem + ADDR_TEXT + ((char*)patch - host_text) + 6); uint16_t magic = PREFIX_SIZE; patch = 0; NONFAILING(patch = memmem(host_text, text_prefix_size, &magic, sizeof(magic))); if (patch) NONFAILING(*((uint16_t*)patch) = guest_mem + ADDR_TEXT + text_prefix_size); } NONFAILING(memcpy((void*)(host_text + text_prefix_size), text, text_size)); NONFAILING(*(host_text + text_prefix_size + text_size) = 0xf4); NONFAILING(memcpy(host_mem + ADDR_VAR_USER_CODE, text, text_size)); NONFAILING(*(host_mem + ADDR_VAR_USER_CODE + text_size) = 0xf4); NONFAILING(*(host_mem + ADDR_VAR_HLT) = 0xf4); NONFAILING(memcpy(host_mem + ADDR_VAR_SYSRET, "\x0f\x07\xf4", 3)); NONFAILING(memcpy(host_mem + ADDR_VAR_SYSEXIT, "\x0f\x35\xf4", 3)); NONFAILING(*(uint64_t*)(host_mem + ADDR_VAR_VMWRITE_FLD) = 0); NONFAILING(*(uint64_t*)(host_mem + ADDR_VAR_VMWRITE_VAL) = 0); if (opt_count > 2) opt_count = 2; for (i = 0; i < opt_count; i++) { uint64_t typ = 0; uint64_t val = 0; NONFAILING(typ = opt_array_ptr[i].typ); NONFAILING(val = opt_array_ptr[i].val); switch (typ % 9) { case 0: sregs.cr0 ^= val & (CR0_MP | CR0_EM | CR0_ET | CR0_NE | CR0_WP | CR0_AM | CR0_NW | CR0_CD); break; case 1: sregs.cr4 ^= val & (CR4_VME | CR4_PVI | CR4_TSD | CR4_DE | CR4_MCE | CR4_PGE | CR4_PCE | CR4_OSFXSR | CR4_OSXMMEXCPT | CR4_UMIP | CR4_VMXE | CR4_SMXE | CR4_FSGSBASE | CR4_PCIDE | CR4_OSXSAVE | CR4_SMEP | CR4_SMAP | CR4_PKE); break; case 2: sregs.efer ^= val & (EFER_SCE | EFER_NXE | EFER_SVME | EFER_LMSLE | EFER_FFXSR | EFER_TCE); break; case 3: val &= ((1 << 8) | (1 << 9) | (1 << 10) | (1 << 12) | (1 << 13) | (1 << 14) | (1 << 15) | (1 << 18) | (1 << 19) | (1 << 20) | (1 << 21)); regs.rflags ^= val; NONFAILING(tss16_addr->flags ^= val); NONFAILING(tss16_cpl3_addr->flags ^= val); NONFAILING(tss32_addr->flags ^= val); NONFAILING(tss32_cpl3_addr->flags ^= val); break; case 4: seg_cs16.type = val & 0xf; seg_cs32.type = val & 0xf; seg_cs64.type = val & 0xf; break; case 5: seg_cs16_cpl3.type = val & 0xf; seg_cs32_cpl3.type = val & 0xf; seg_cs64_cpl3.type = val & 0xf; break; case 6: seg_ds16.type = val & 0xf; seg_ds32.type = val & 0xf; seg_ds64.type = val & 0xf; break; case 7: seg_ds16_cpl3.type = val & 0xf; seg_ds32_cpl3.type = val & 0xf; seg_ds64_cpl3.type = val & 0xf; break; case 8: NONFAILING(*(uint64_t*)(host_mem + ADDR_VAR_VMWRITE_FLD) = (val & 0xffff)); NONFAILING(*(uint64_t*)(host_mem + ADDR_VAR_VMWRITE_VAL) = (val >> 16)); break; default: exit(1); } } regs.rflags |= 2; fill_segment_descriptor(gdt, ldt, &seg_ldt); fill_segment_descriptor(gdt, ldt, &seg_cs16); fill_segment_descriptor(gdt, ldt, &seg_ds16); fill_segment_descriptor(gdt, ldt, &seg_cs16_cpl3); fill_segment_descriptor(gdt, ldt, &seg_ds16_cpl3); fill_segment_descriptor(gdt, ldt, &seg_cs32); fill_segment_descriptor(gdt, ldt, &seg_ds32); fill_segment_descriptor(gdt, ldt, &seg_cs32_cpl3); fill_segment_descriptor(gdt, ldt, &seg_ds32_cpl3); fill_segment_descriptor(gdt, ldt, &seg_cs64); fill_segment_descriptor(gdt, ldt, &seg_ds64); fill_segment_descriptor(gdt, ldt, &seg_cs64_cpl3); fill_segment_descriptor(gdt, ldt, &seg_ds64_cpl3); fill_segment_descriptor(gdt, ldt, &seg_tss32); fill_segment_descriptor(gdt, ldt, &seg_tss32_2); fill_segment_descriptor(gdt, ldt, &seg_tss32_cpl3); fill_segment_descriptor(gdt, ldt, &seg_tss32_vm86); fill_segment_descriptor(gdt, ldt, &seg_tss16); fill_segment_descriptor(gdt, ldt, &seg_tss16_2); fill_segment_descriptor(gdt, ldt, &seg_tss16_cpl3); fill_segment_descriptor_dword(gdt, ldt, &seg_tss64); fill_segment_descriptor_dword(gdt, ldt, &seg_tss64_cpl3); fill_segment_descriptor(gdt, ldt, &seg_cgate16); fill_segment_descriptor(gdt, ldt, &seg_tgate16); fill_segment_descriptor(gdt, ldt, &seg_cgate32); fill_segment_descriptor(gdt, ldt, &seg_tgate32); fill_segment_descriptor_dword(gdt, ldt, &seg_cgate64); if (ioctl(cpufd, KVM_SET_SREGS, &sregs)) return -1; if (ioctl(cpufd, KVM_SET_REGS, ®s)) return -1; return 0; } static void setup_common() { if (mount(0, "/sys/fs/fuse/connections", "fusectl", 0, 0)) { } } static void loop(); static void sandbox_common() { prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); setpgrp(); setsid(); int netns = open("/proc/self/ns/net", O_RDONLY); if (netns == -1) exit(1); if (dup2(netns, kInitNetNsFd) < 0) exit(1); close(netns); struct rlimit rlim; rlim.rlim_cur = rlim.rlim_max = (200 << 20); setrlimit(RLIMIT_AS, &rlim); rlim.rlim_cur = rlim.rlim_max = 32 << 20; setrlimit(RLIMIT_MEMLOCK, &rlim); rlim.rlim_cur = rlim.rlim_max = 136 << 20; setrlimit(RLIMIT_FSIZE, &rlim); rlim.rlim_cur = rlim.rlim_max = 1 << 20; setrlimit(RLIMIT_STACK, &rlim); rlim.rlim_cur = rlim.rlim_max = 0; setrlimit(RLIMIT_CORE, &rlim); rlim.rlim_cur = rlim.rlim_max = 256; setrlimit(RLIMIT_NOFILE, &rlim); if (unshare(CLONE_NEWNS)) { } if (unshare(CLONE_NEWIPC)) { } if (unshare(0x02000000)) { } if (unshare(CLONE_NEWUTS)) { } if (unshare(CLONE_SYSVSEM)) { } typedef struct { const char* name; const char* value; } sysctl_t; static const sysctl_t sysctls[] = { {"/proc/sys/kernel/shmmax", "16777216"}, {"/proc/sys/kernel/shmall", "536870912"}, {"/proc/sys/kernel/shmmni", "1024"}, {"/proc/sys/kernel/msgmax", "8192"}, {"/proc/sys/kernel/msgmni", "1024"}, {"/proc/sys/kernel/msgmnb", "1024"}, {"/proc/sys/kernel/sem", "1024 1048576 500 1024"}, }; unsigned i; for (i = 0; i < sizeof(sysctls) / sizeof(sysctls[0]); i++) write_file(sysctls[i].name, sysctls[i].value); } int wait_for_loop(int pid) { if (pid < 0) exit(1); int status = 0; while (waitpid(-1, &status, __WALL) != pid) { } return WEXITSTATUS(status); } static int do_sandbox_none(void) { if (unshare(CLONE_NEWPID)) { } int pid = fork(); if (pid != 0) return wait_for_loop(pid); setup_common(); sandbox_common(); if (unshare(CLONE_NEWNET)) { } loop(); exit(1); } #define FS_IOC_SETFLAGS _IOW('f', 2, long) static void remove_dir(const char* dir) { DIR* dp; struct dirent* ep; int iter = 0; retry: while (umount2(dir, MNT_DETACH) == 0) { } dp = opendir(dir); if (dp == NULL) { if (errno == EMFILE) { exit(1); } exit(1); } while ((ep = readdir(dp))) { if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0) continue; char filename[FILENAME_MAX]; snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name); while (umount2(filename, MNT_DETACH) == 0) { } struct stat st; if (lstat(filename, &st)) exit(1); if (S_ISDIR(st.st_mode)) { remove_dir(filename); continue; } int i; for (i = 0;; i++) { if (unlink(filename) == 0) break; if (errno == EPERM) { int fd = open(filename, O_RDONLY); if (fd != -1) { long flags = 0; if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) close(fd); continue; } } if (errno == EROFS) { break; } if (errno != EBUSY || i > 100) exit(1); if (umount2(filename, MNT_DETACH)) exit(1); } } closedir(dp); int i; for (i = 0;; i++) { if (rmdir(dir) == 0) break; if (i < 100) { if (errno == EPERM) { int fd = open(dir, O_RDONLY); if (fd != -1) { long flags = 0; if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) close(fd); continue; } } if (errno == EROFS) { break; } if (errno == EBUSY) { if (umount2(dir, MNT_DETACH)) exit(1); continue; } if (errno == ENOTEMPTY) { if (iter < 100) { iter++; goto retry; } } } exit(1); } } static void kill_and_wait(int pid, int* status) { kill(-pid, SIGKILL); kill(pid, SIGKILL); int i; for (i = 0; i < 100; i++) { if (waitpid(-1, status, WNOHANG | __WALL) == pid) return; usleep(1000); } DIR* dir = opendir("/sys/fs/fuse/connections"); if (dir) { for (;;) { struct dirent* ent = readdir(dir); if (!ent) break; if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0) continue; char abort[300]; snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort", ent->d_name); int fd = open(abort, O_WRONLY); if (fd == -1) { continue; } if (write(fd, abort, 1) < 0) { } close(fd); } closedir(dir); } else { } while (waitpid(-1, status, __WALL) != pid) { } } #define SYZ_HAVE_RESET_LOOP 1 static void reset_loop() { char buf[64]; snprintf(buf, sizeof(buf), "/dev/loop%llu", procid); int loopfd = open(buf, O_RDWR); if (loopfd != -1) { ioctl(loopfd, LOOP_CLR_FD, 0); close(loopfd); } } #define SYZ_HAVE_SETUP_TEST 1 static void setup_test() { prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); setpgrp(); write_file("/proc/self/oom_score_adj", "1000"); } static long syz_execute_func(volatile long text) { volatile long p[8] = {0}; (void)p; asm volatile("" ::"r"(0l), "r"(1l), "r"(2l), "r"(3l), "r"(4l), "r"(5l), "r"(6l), "r"(7l), "r"(8l), "r"(9l), "r"(10l), "r"(11l), "r"(12l), "r"(13l)); NONFAILING(((void (*)(void))(text))()); return 0; } struct thread_t { int created, call; event_t ready, done; }; static struct thread_t threads[16]; static void execute_call(int call); static int running; static void* thr(void* arg) { struct thread_t* th = (struct thread_t*)arg; for (;;) { event_wait(&th->ready); event_reset(&th->ready); execute_call(th->call); __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED); event_set(&th->done); } return 0; } static void execute_one(void) { int i, call, thread; for (call = 0; call < 25; call++) { for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) { struct thread_t* th = &threads[thread]; if (!th->created) { th->created = 1; event_init(&th->ready); event_init(&th->done); event_set(&th->done); thread_start(thr, th); } if (!event_isset(&th->done)) continue; event_reset(&th->done); th->call = call; __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED); event_set(&th->ready); event_timedwait(&th->done, 45); break; } } for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++) sleep_ms(1); } static void execute_one(void); #define WAIT_FLAGS __WALL static void loop(void) { int iter; for (iter = 0;; iter++) { char cwdbuf[32]; sprintf(cwdbuf, "./%d", iter); if (mkdir(cwdbuf, 0777)) exit(1); reset_loop(); int pid = fork(); if (pid < 0) exit(1); if (pid == 0) { if (chdir(cwdbuf)) exit(1); setup_test(); execute_one(); exit(0); } int status = 0; uint64_t start = current_time_ms(); for (;;) { if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) break; sleep_ms(1); if (current_time_ms() - start < 5 * 1000) continue; kill_and_wait(pid, &status); break; } remove_dir(cwdbuf); } } uint64_t r[2] = {0xffffffffffffffff, 0xffffffffffffffff}; void execute_call(int call) { long res; switch (call) { case 0: NONFAILING(*(uint32_t*)0x20000000 = 0); NONFAILING(*(uint32_t*)0x20000004 = 0); NONFAILING(*(uint32_t*)0x20000008 = 0); NONFAILING(*(uint32_t*)0x2000000c = 0); NONFAILING(*(uint32_t*)0x20000010 = 0x2800000); NONFAILING(*(uint32_t*)0x20000014 = 2); NONFAILING(*(uint32_t*)0x20000018 = 0x10); NONFAILING(*(uint32_t*)0x2000001c = 0); NONFAILING(memcpy((void*)0x20000020, "\xff\xc1\xda\x95\x2b\xa3\xa3\x20\xae\xee\xce\x13\x79\x96\x8b\x8e\x38\xf4\x11\xea\xec\x6b\x04\x96\x25\x9b\xfd\xfc\xa6\x0b\xfc\xaa\xbb\xea\x1b\x0c\x0b\x17\x2d\xae\xfc\xd6\xf9\x7e\x27\x07\xb7\x2c\xf9\x5f\xc7\x94\x52\xd0\x11\x8d\x67\x34\xef\x3c\x00\xc3\xc6\xb5", 64)); NONFAILING(memcpy((void*)0x20000060, "\x7c\xcf\xea\xa9\x08\x7c\x49\x87\x7b\xde\x39\xb9\xcd\xd4\xf8\x98\x4e\xe2\x0b\xc5\x6c\xf0\x35\xe7\x88\x3e\x5d\xee\x71\xd1\x89\xf6", 32)); NONFAILING(*(uint64_t*)0x20000080 = 9); NONFAILING(*(uint64_t*)0x20000088 = 5); NONFAILING(*(uint32_t*)0x20000090 = 0); syscall(__NR_ioctl, -1, 0x4c02, 0x20000000); break; case 1: syscall(__NR_ioctl, -1, 0x40045566, 7); break; case 2: NONFAILING(memcpy((void*)0x20000140, "filter\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000", 32)); NONFAILING(*(uint32_t*)0x20000160 = 0); NONFAILING(*(uint32_t*)0x20000164 = 0); NONFAILING(*(uint32_t*)0x20000168 = 0); NONFAILING(*(uint64_t*)0x20000170 = 0); NONFAILING(*(uint64_t*)0x20000178 = 0); NONFAILING(*(uint64_t*)0x20000180 = 0); NONFAILING(*(uint64_t*)0x20000188 = 0); NONFAILING(*(uint64_t*)0x20000190 = 0); NONFAILING(*(uint64_t*)0x20000198 = 0); NONFAILING(*(uint32_t*)0x200001a0 = 2); NONFAILING(*(uint64_t*)0x200001a8 = 0x200000c0); NONFAILING(*(uint64_t*)0x200001b0 = 0); NONFAILING(*(uint64_t*)0x200001b8 = 0); NONFAILING(*(uint64_t*)0x200001c0 = 0); NONFAILING(*(uint64_t*)0x200001c8 = 0); NONFAILING(*(uint64_t*)0x200001d0 = 0); syscall(__NR_setsockopt, -1, 0, 0x81, 0x20000140, 0x98); break; case 3: NONFAILING(*(uint64_t*)0x20000200 = 0x3ee); NONFAILING(*(uint64_t*)0x20000208 = 0x31); NONFAILING(*(uint32_t*)0x20000210 = 0x80000000); NONFAILING(*(uint32_t*)0x20000214 = 0x101); syscall(__NR_ioctl, -1, 0x401870cc, 0x20000200); break; case 4: NONFAILING(memcpy((void*)0x20000240, "IPVS\000", 5)); syz_genetlink_get_family_id(0x20000240); break; case 5: NONFAILING(*(uint32_t*)0x20000280 = 0); NONFAILING(*(uint16_t*)0x20000284 = 0xfffd); NONFAILING(*(uint16_t*)0x20000286 = 4); NONFAILING(*(uint16_t*)0x20000288 = 0xff); NONFAILING(*(uint16_t*)0x2000028a = 5); NONFAILING(*(uint16_t*)0x2000028c = 8); NONFAILING(*(uint16_t*)0x2000028e = 0x20); NONFAILING(*(uint32_t*)0x200002c0 = 0x10); syscall(__NR_getsockopt, -1, 0x84, 0x77, 0x20000280, 0x200002c0); break; case 6: syscall(__NR_ioctl, -1, 0x8018456f, 0x20000300); break; case 7: syscall(__NR_ioprio_set, 3, 0, 0); break; case 8: NONFAILING(memcpy((void*)0x20000380, "vfat\000", 5)); NONFAILING(memcpy((void*)0x200003c0, "./file0\000", 8)); NONFAILING(*(uint64_t*)0x20000700 = 0x20000400); NONFAILING(memcpy((void*)0x20000400, "\x88\x5c\x0e\x8e\x12\x9e\xe2\x81\xe4\xfd\x0e\x1d\x58\xef\xce\x8f\xc7\x72\x59\x98\x90\xfa\xc8\x20\xa6\x39\xa1\xc3\xde\xad\xb1\xb7\x07\x89\x2b\xf5\x01\x23\xc6\x51\xdc\xfa\x6e\x06\x16\x1e\x97\x49\x09\x07\xac\x31\xa0\x26\xc2\xf0\x85\x9b\x37\xdb\x10\xe0\x2e\xf6\xc1\xa2\x85\x66\xf0\xf9\x84\xa2\xd6\x14\xc2\xf2\x2e\xb4\x19\x3d\x4a\xf2\x11\x9d\x06\xc9\x13\xc5\x93\x0a\x83\xd0\x79\x1c\xd2\x0d\xc7\x55\x7d\x5a\xcb\xa0\xfc\x5a\x6a\xf1\x24\x71\x9f\xa3\x14\xdd\xaf\xd6\x66\x59\xfe\x8a\x56\x9b\xe0\x16\x5a\xd4\x1e\xec\x9f\xe5\x1d\xaa\x7e\xf1\xee\xb6\x57\x8b\x0e\x70\xa9\x22\xc7\x00\x38\x45\x1c\x5a\xea\xd2\xed\xb5\xe5\x80\xcd\xb9\x0e\x98\x3b\x18\xe0\x49\xff\x37\x6b\xa6\xc5\xa5\xeb\xef\xc6\xf5\x68\x21\x4f\xab\xd1\x5f\x5b\x59\xf8\xcd\x22\xe5\x90\x43\xa5\xd5\xcd\x62\xcf\xaa\x65\x77\x2e\x0f\x50\x76\x4e\x20\x5d\x1a\x5e\xce\x10\x24\xcb\x84\xb1\x39\x7f\xff\x7c\x79\x75\x28\xc2\xfe\xe3\xb2\x29\x38\xf5\x4e", 222)); NONFAILING(*(uint64_t*)0x20000708 = 0xde); NONFAILING(*(uint64_t*)0x20000710 = 0x4b); NONFAILING(*(uint64_t*)0x20000718 = 0x20000500); NONFAILING(memcpy((void*)0x20000500, "\x61\x19\x74\xb6\x63\xb9\x4f\x0b\x84\x20\xac\xfb\x97\xf1\xee\xbf\xa7\xe1\x41\x75\xc3\x5d\x4d\x21\xb9\x33\xec\xbc\x0d\xff\x13\x67\x54\x17\x21\xd4\xcd\xc7\x3c\x50\x8b\xac\x03\x8b\x12\x6b\x2c\x0a\x8d\x4f\x76\x33\x02\x57\xe2\xce\x0b\x89\xed\x99\x79\x81\x59\x49\x10\xcc\xe3\x7b\xa6\x7e\xc3\xa6\x58\x15\x4c\xb7\x21\x89\x30\x24\xf8\x84\x10\x2c\x45\xf0\x6e\xb9\xfd\x3f\xce\x8d\x62\x2f\xa0\x14\x4b\x07\x09\x27\x7a\x38\x7f\x0d\xbb\x69\x1f\xa7\x0d\xfe\x51\xbd\x3e\x85\x61\xae\xa1\x31\xe6\xe0\x8d\x30\x3d\x4a\x1f\x48\xcb\xd7\x5c\x07\x86\x7a\x20\xbd\x5f\xc0\x02\xd3\x41\x96\x0a\xe6\xca\x61\xd7\xef\x95\x94\xc7\x91\x4e\x92\xe3\xf0\x28\x6d\xf1\xe7\x37\x7f\x68\x86\xcc\x81\x5f\x6b\x43\x87\x9d\xe2\xc3\xb5\x7a\x9c\xaa\xa0\x72\x98\x1a\x87\xd6\xd1\xc3\xd6\x32\xc4\x43\x62\xa1\xfe\xe7\x14\xac\x14\x1f\x89\x20\x25\xa2\x4d\xd0\x85\xff\xfb\x32\x5c\x7f\x0f\xb2\x6b\x95\xe0\x11\x2a\xcb\xf4\x58\xdb\x3a\x92\xb2\x9b\xf7\xde\x29\x92\x87\xe0\x92\xce\xc0\xdf\x4d\xff\x6d\x6d\x3f\xe7\x1f\xaa\x54", 241)); NONFAILING(*(uint64_t*)0x20000720 = 0xf1); NONFAILING(*(uint64_t*)0x20000728 = 6); NONFAILING(*(uint64_t*)0x20000730 = 0x20000600); NONFAILING(memcpy((void*)0x20000600, "\xd1\xac\x32\xd4\x3e\x26\xb3\xd3\xeb\x8f\xf2\x9c\xfb\x32\xc1\xa0\xc2\xc5\x47\x6b\x86\x05\x15\xf9\x3d\x51\x30\xb8\xa4\x8c\x65\x67\xc2\x5d\x69\x92\xa1\x32\x16\x6b\x7f\xfd\x5d\x77\x36\xbd\x5d\xca\xd6\x0b\x4b\x2f\x69\xb1\xde\x67\x48\xe5\x59\xfb\x5d\xe2\x6f\xae\x24\x19\xc7\x75\x7a\x17\xb1\x42\xa3\x06\x2d\x28\xa4\x75\xca\xda\x47\xfd\xf0\x84\x0b\xf3\x06\x43\x39\x7a\xe3\x40\x47\x6c\xd6\xb8\x89\x3b\x48\xfd\xdb\xa3\x20\xcc\x34\xf6\xc0\x65\xee\x4e\xc2\x66\xe1\x24\x0c\xd7\xf5\x39\x94\xf1\x4c\x31\x6e\x77\x08\xa1\x60\x5e\x95\x18\x77\xae\xba\xac\xe1\xd2\xa1\x3c\x93\x7e\x07\x90\xff\x75\xa8\xff\x8a\xd6\xda\x1a\x11\xec\x7e\x95\xa9\x4a\x58\xce\x6f\x16\xc7\x8b\xff\x36\x98\x2d\xad\x1c\x3d\xd1\x5e\x9c\xab\xe5\x29\x97\x9b\xeb\x9d\x59\x0d\x18\xaa\x27\x04\x03\xbe\xa8\x92\x40\x99\x39\x49\x3f\x67\x2a\xa6\x74\x20\x4c\x76\x87\x5a\x0c\xb6\x8b\xea\x00\x21\x25", 210)); NONFAILING(*(uint64_t*)0x20000738 = 0xd2); NONFAILING(*(uint64_t*)0x20000740 = 3); NONFAILING(memcpy((void*)0x20000780, "uni_xlate=1", 11)); NONFAILING(*(uint8_t*)0x2000078b = 0x2c); NONFAILING(memcpy((void*)0x2000078c, "shortname=winnt", 15)); NONFAILING(*(uint8_t*)0x2000079b = 0x2c); NONFAILING(memcpy((void*)0x2000079c, "utf8=1", 6)); NONFAILING(*(uint8_t*)0x200007a2 = 0x2c); NONFAILING(memcpy((void*)0x200007a3, "utf8=0", 6)); NONFAILING(*(uint8_t*)0x200007a9 = 0x2c); NONFAILING(memcpy((void*)0x200007aa, "shortname=win95", 15)); NONFAILING(*(uint8_t*)0x200007b9 = 0x2c); NONFAILING(memcpy((void*)0x200007ba, "shortname=win95", 15)); NONFAILING(*(uint8_t*)0x200007c9 = 0x2c); NONFAILING(memcpy((void*)0x200007ca, "shortname=win95", 15)); NONFAILING(*(uint8_t*)0x200007d9 = 0x2c); NONFAILING(memcpy((void*)0x200007da, "utf8=1", 6)); NONFAILING(*(uint8_t*)0x200007e0 = 0x2c); NONFAILING(memcpy((void*)0x200007e1, "shortname=winnt", 15)); NONFAILING(*(uint8_t*)0x200007f0 = 0x2c); NONFAILING(memcpy((void*)0x200007f1, "appraise_type=imasig", 20)); NONFAILING(*(uint8_t*)0x20000805 = 0x2c); NONFAILING(memcpy((void*)0x20000806, "appraise", 8)); NONFAILING(*(uint8_t*)0x2000080e = 0x2c); NONFAILING(memcpy((void*)0x2000080f, "euid>", 5)); NONFAILING(sprintf((char*)0x20000814, "%020llu", (long long)0)); NONFAILING(*(uint8_t*)0x20000828 = 0x2c); NONFAILING(memcpy((void*)0x20000829, "smackfshat", 10)); NONFAILING(*(uint8_t*)0x20000833 = 0x3d); NONFAILING(memcpy((void*)0x20000834, "*+)", 3)); NONFAILING(*(uint8_t*)0x20000837 = 0x2c); NONFAILING(*(uint8_t*)0x20000838 = 0); syz_mount_image(0x20000380, 0x200003c0, 0xf61f, 3, 0x20000700, 0x10, 0x20000780); break; case 9: syscall(__NR_ioctl, -1, 0x25a, 0); break; case 10: NONFAILING(*(uint8_t*)0x20000000 = 0); NONFAILING(*(uint8_t*)0x20000001 = 0); NONFAILING(*(uint8_t*)0x20000002 = 0); NONFAILING(*(uint8_t*)0x20000003 = 0); NONFAILING(*(uint8_t*)0x20000004 = 0); NONFAILING(*(uint8_t*)0x20000005 = 0); NONFAILING(*(uint8_t*)0x20000006 = 1); NONFAILING(*(uint8_t*)0x20000007 = 0x80); NONFAILING(*(uint8_t*)0x20000008 = 0xc2); NONFAILING(*(uint8_t*)0x20000009 = 0); NONFAILING(*(uint8_t*)0x2000000a = 0); NONFAILING(*(uint8_t*)0x2000000b = 0xe); NONFAILING(*(uint16_t*)0x2000000c = htobe16(0x11)); NONFAILING(*(uint8_t*)0x2000000e = 0xab); NONFAILING(*(uint8_t*)0x2000000f = 0xaa); NONFAILING(memcpy((void*)0x20000010, "2", 1)); NONFAILING(memcpy((void*)0x20000011, "\x4f\x5e\xc5", 3)); NONFAILING(*(uint16_t*)0x20000014 = htobe16(0xed7f)); NONFAILING(memcpy((void*)0x20000016, "\x55\xca\xbf\x46\xe0\x23\xd4\xf9\xe5\x5c\xc1\x7e\x89\x0f\xf8\xc6", 16)); break; case 11: NONFAILING(memcpy((void*)0x20000040, "\xc4\xe1\xa9\xfc\x5b\xb0\x8f\x89\x98\x94\x65\x6f\x6d\x98\x47\x97\x47\x80\x4e\x83\x0c\x36\x3e\x65\x36\x0f\x75\x0c\x8b\x66\x66\x4a\x0f\x3a\x22\x3d\x0a\x00\x00\x00\x05\x66\x92\xc4\xc1\x19\xe2\x88\x02\x00\x00\x00", 52)); syz_execute_func(0x20000040); break; case 12: break; case 13: NONFAILING(memcpy((void*)0x200000c0, "SEG6\000", 5)); syz_genetlink_get_family_id(0x200000c0); break; case 14: syz_init_net_socket(3, 7, 1); break; case 15: NONFAILING(*(uint64_t*)0x20000140 = 0); NONFAILING(*(uint64_t*)0x20000148 = 0x20000100); NONFAILING(memcpy((void*)0x20000100, "\x31\x5f\x6f\xf5\x2a\x34\x43\x6e\xb4\x2e\x30\xb8\xad\x62\xfc\xfb\x84\x56\xbc\x0d\x40\x92\x34\x2f\xc9\x0f\x39\x57\x98\xcd\x46\x22\x99\xcc\x9c\x33\x7b\xc7\xbc\x5a\x19\x8c\xc1\x4c\xc8\x42\x06\x0b\x88\xc0", 50)); NONFAILING(*(uint64_t*)0x20000150 = 0x32); NONFAILING(*(uint64_t*)0x20000180 = 1); NONFAILING(*(uint64_t*)0x20000188 = 6); syz_kvm_setup_cpu(-1, -1, 0x20fe5000, 0x20000140, 1, 0, 0x20000180, 1); break; case 16: NONFAILING(memcpy((void*)0x200001c0, "bfs\000", 4)); NONFAILING(memcpy((void*)0x20000200, "./file0\000", 8)); NONFAILING(*(uint64_t*)0x20000300 = 0x20000240); NONFAILING(memcpy((void*)0x20000240, "\xb1\x79\x61\xe3\x90\x9f\xf6\x62\x4a\xb0\x3c\xa4\x71\x55\x13\xca\x7c\xd3\x44\xb6\xa1\xfc\xae\x08\xd2\xac\x66\xec\xec\x98\x36\x5d\x8d\x07\xc0\x70\xd4\x67\x52\x9b\xa9\x9e\x34\x63\x88\xc8\xcd\x5a\xc6\x85\xb3\x65\x56\x61\xf7\xd4\x67\x9e\x76\xc5\x3f\x18\xf1\x2c\x97\xe0\x93\x9e\x82\xb8\x6f\x48\x02\x4b\x63\x22\xb8\x8d\x66\xd4\xd4\x5f\xfe\x3a\xb7\x42\xc8\xd9\x11\x04\x35\xe2\xc5\x0b\xee\xa2\x41\x20\x06\x47\x87\xe5\xfd\x49\xcb\xb4\x70\xe9\xcf\x62\x68\x63\x1e\xaf\xf3\x15\x06\xd2\x0e\x1e\xa2\xcc\x28\x59\x74\x4f\x41\x14\x0b\xa0\xc5\xa5\x07\xef\x19\xa4\xf6\x5e\x78\x9d\x9c\x9c\xa2\x58\xbb\x9f\xd5\xfd\x03\x74\x10\x1e\xc4\xe0\x94\x87\x9d\x61\xb4\xec\xf2\x4f\x80\x80\x4b\xe4\x41\x6d\x39\x1e\x9f\x79\x26\x9d\x86\x32\xd9\x42\x70\xe3\x6d\x1a\x18\xa1\x21\x0a\xca\xd3\x9b\x65", 190)); NONFAILING(*(uint64_t*)0x20000308 = 0xbe); NONFAILING(*(uint64_t*)0x20000310 = 7); syz_mount_image(0x200001c0, 0x20000200, 0xffffffffffff21d8, 1, 0x20000300, 0x2200000, 0); break; case 17: NONFAILING(memcpy((void*)0x20000340, "/dev/cdrom\000", 11)); syz_open_dev(0x20000340, 2, 0x24040); break; case 18: NONFAILING(memcpy((void*)0x20000380, "environ\000", 8)); res = syz_open_procfs(0, 0x20000380); if (res != -1) r[0] = res; break; case 19: syz_open_pts(r[0], 0x420000); break; case 20: NONFAILING(*(uint64_t*)0x200006c0 = 0x200003c0); NONFAILING(memcpy((void*)0x200003c0, "\x7b\x4f\x4b\xef\xea\x53\x6d\x1b\x52\x0c\x38\x9e\xdf\x02\x9a\xe0\x43\x5e\xd8\x9d\x14\xf8\xa4\x14\x55\xb1\x6f\xdf\xaf\x31\xfa\xa9\x2a\x76\x09\x93\xf9\xbd\x34\xa3\x8a\xb5\x48\x01\x5c\x92\x7f\xbb\x7b\xe8\xe5\xe2\x8f\x3f\x45\xc4\x3f\x26\x2c\xda\xf5\x34\xdb\xfc\xad\xbd\x67\x52\xc5\xae\x91\xe8\x49\xec\x28\xc0\xec\x4c\xbf\x47\x89\xa2\x92\xed\x66\xb9\xc8\x73\xd2\x17\x69\xdd\xa3\xc8\x40\xaa\xeb\x32", 98)); NONFAILING(*(uint64_t*)0x200006c8 = 0x62); NONFAILING(*(uint64_t*)0x200006d0 = 8); NONFAILING(*(uint64_t*)0x200006d8 = 0x20000440); NONFAILING(memcpy((void*)0x20000440, "\x23\x55\x72\xdf\x6e\x24\x32\x25\xc0\x56\x0d\x79\x7d\x60\xd4\x5f\x46\x37\x8f\xca\x35\x82\x64\xf5\x00\x2c\xe4\xa7\x7b\xd3\xdb\xad\x37\xff\xc5\xe0\x30\x44\xb1\x58\x21\x39\x9c\x13\xf9\xc1\x7d\x7c\x4e\xae\xa5\xb5\x5f\x07\xe7\x5e\x35\xa9\xc9\xec\x4f\x0e\xdb\xc6\xd5\x4b\xcc\xe3\x9c\xef\x33\xfa\xad\x33\x3a\x53\xfe\xe7\x27\xa8", 80)); NONFAILING(*(uint64_t*)0x200006e0 = 0x50); NONFAILING(*(uint64_t*)0x200006e8 = 9); NONFAILING(*(uint64_t*)0x200006f0 = 0x200004c0); NONFAILING(memcpy((void*)0x200004c0, "\xcb\x1a\x4e\x2b\xfe\x18\x77\xda\x08\xa8\xe7\x2c\xd9\xc5\x77\xcb\x2e\x7b\x7c\x11\xa5\x32\x87\xd8\x78\xec\xeb\x0a\xfb\x2d\x27\xea\x48\x11\xa9\x10\xbf\x8f\x7e\x74\x5d\xd9\x23\x15\xad\x42\xa5\xfa\xe4\xa5\xd7\xc9\xa5\x4e\x1d\x8d\x94\x4f\xc0\xfe\xcb\x38\xfe\xdc\xe8\x3c\x4d\x85\x37\xaf\x58\x78\x1b\x1f\xcf\x88\x10\x15\x66\xda\xb7\x1e\xb8\x33\x65\x13\x4b\x9f\x79\x23\xe5\x6e\x9a\x1d\x9f\x06\x58\x75\xbe", 99)); NONFAILING(*(uint64_t*)0x200006f8 = 0x63); NONFAILING(*(uint64_t*)0x20000700 = 4); NONFAILING(*(uint64_t*)0x20000708 = 0x20000540); NONFAILING(memcpy((void*)0x20000540, "\xe0\x9f\x97\x5d\x93\xf7\xa4\xae\xcd\xc6", 10)); NONFAILING(*(uint64_t*)0x20000710 = 0xa); NONFAILING(*(uint64_t*)0x20000718 = 8); NONFAILING(*(uint64_t*)0x20000720 = 0x20000580); NONFAILING(memcpy((void*)0x20000580, "\x81\x58\xf5\x60\xc5\xdd\x15\xb5\x82\x15\x0b\x06\x01\x1f\x58\xb2\xee\x26\xbd\x77\xe2\x08\x35\x7e\x14\x4b\xc0\xb3\x27\x99\x8c\xbf\x74\xd0\xe2\x8e\xfc\xfa\x51\xd4\x21\x25\x69\x61\xd2\x2b\x1a\xd6\x97\x9b\x54\x42\xa1\x8e\x7c\xd1\x8e\x15\xf1\x51\xb2\x97\xc1\x79\x68\x3c\x5c\x41\x69\xe9\xc6\xbd\x04\x15\x4c\x2a\xc7\xc1\x4c\xde\x6e\xec\x58\x3c\x42\xd5\xc9\x67\x7f\x80\x50\x19\x07\x3f\x35\xff\xcd\x20\xa7\xb5\xf8\x17\xaf\x83\x31\x70\x7b\x98\x38\x42\xbc\x66\xa0\xd1\x4d\x40\x9a\x86\xe0\xed\x18\x12\xee\x9a\x72\xfe\x7f\x63\xb1\xa1\xb8\xfc\xee\x6d\xb2\xf0\xfc\x13\x65\x03\x1c\x09\x6d\x4d\xeb\xab\x26\x97\x2e\xaa\x53\xff\x4b\x75\xca\xcd\xe8\xc4\xd7\x0a\x50\x8f\xf7\x75\x6a\xe1\x35\x4d\x8a\x2f\x48\xfe\xb0\x32\xed\x3c\x2d\x1f\x06\xce\xec\x90\x4f\x01\xc2\xb4\xb6\xed\xf6\x12\xf9\x76\xc6\x6d\x69\xe2\x7a", 197)); NONFAILING(*(uint64_t*)0x20000728 = 0xc5); NONFAILING(*(uint64_t*)0x20000730 = 0x61); NONFAILING(*(uint64_t*)0x20000738 = 0x20000680); NONFAILING(memcpy((void*)0x20000680, "\x31\xb1\x74\xeb\xbd\x88\x7e\x5d\x33\x21\x8e\xf3\x70\xce\xf8\xf2\x41\xbd\x55\xbb", 20)); NONFAILING(*(uint64_t*)0x20000740 = 0x14); NONFAILING(*(uint64_t*)0x20000748 = 0); syz_read_part_table(0x60, 6, 0x200006c0); break; case 21: NONFAILING(*(uint8_t*)0x20000780 = 0x12); NONFAILING(*(uint8_t*)0x20000781 = 1); NONFAILING(*(uint16_t*)0x20000782 = 7); NONFAILING(*(uint8_t*)0x20000784 = 0x8a); NONFAILING(*(uint8_t*)0x20000785 = 0xcf); NONFAILING(*(uint8_t*)0x20000786 = 0x80); NONFAILING(*(uint8_t*)0x20000787 = 4); NONFAILING(*(uint16_t*)0x20000788 = 0x4e8); NONFAILING(*(uint16_t*)0x2000078a = 0x4471); NONFAILING(*(uint16_t*)0x2000078c = 0x6528); NONFAILING(*(uint8_t*)0x2000078e = 4); NONFAILING(*(uint8_t*)0x2000078f = 1); NONFAILING(*(uint8_t*)0x20000790 = 0x67); NONFAILING(*(uint8_t*)0x20000791 = 1); NONFAILING(*(uint8_t*)0x20000792 = 9); NONFAILING(*(uint8_t*)0x20000793 = 2); NONFAILING(*(uint16_t*)0x20000794 = 0x434); NONFAILING(*(uint8_t*)0x20000796 = 1); NONFAILING(*(uint8_t*)0x20000797 = 0x4e); NONFAILING(*(uint8_t*)0x20000798 = 0); NONFAILING(*(uint8_t*)0x20000799 = 0x40); NONFAILING(*(uint8_t*)0x2000079a = 9); NONFAILING(*(uint8_t*)0x2000079b = 9); NONFAILING(*(uint8_t*)0x2000079c = 4); NONFAILING(*(uint8_t*)0x2000079d = 0x6a); NONFAILING(*(uint8_t*)0x2000079e = 1); NONFAILING(*(uint8_t*)0x2000079f = 0xa); NONFAILING(*(uint8_t*)0x200007a0 = 0xd6); NONFAILING(*(uint8_t*)0x200007a1 = 0xf8); NONFAILING(*(uint8_t*)0x200007a2 = 0x9b); NONFAILING(*(uint8_t*)0x200007a3 = 0); NONFAILING(*(uint8_t*)0x200007a4 = 0x15); NONFAILING(*(uint8_t*)0x200007a5 = 0x24); NONFAILING(*(uint8_t*)0x200007a6 = 0x12); NONFAILING(*(uint16_t*)0x200007a7 = 0xfa8c); NONFAILING(memcpy((void*)0x200007a9, "\x77\x6b\xc3\xd1\x5a\xd3\xef\xe8\x19\xca\x7d\xb7\x83\x9a\xfa\x86", 16)); NONFAILING(*(uint8_t*)0x200007b9 = 0xa); NONFAILING(*(uint8_t*)0x200007ba = 0x24); NONFAILING(*(uint8_t*)0x200007bb = 7); NONFAILING(*(uint8_t*)0x200007bc = 7); NONFAILING(*(uint16_t*)0x200007bd = 0xff); NONFAILING(*(uint16_t*)0x200007bf = 3); NONFAILING(*(uint16_t*)0x200007c1 = 1); NONFAILING(*(uint8_t*)0x200007c3 = 0xc); NONFAILING(*(uint8_t*)0x200007c4 = 0x24); NONFAILING(*(uint8_t*)0x200007c5 = 0x1b); NONFAILING(*(uint16_t*)0x200007c6 = 1); NONFAILING(*(uint16_t*)0x200007c8 = 2); NONFAILING(*(uint8_t*)0x200007ca = 0x80); NONFAILING(*(uint8_t*)0x200007cb = 0xc6); NONFAILING(*(uint16_t*)0x200007cc = 0x81); NONFAILING(*(uint8_t*)0x200007ce = -1); NONFAILING(*(uint8_t*)0x200007cf = 7); NONFAILING(*(uint8_t*)0x200007d0 = 0x24); NONFAILING(*(uint8_t*)0x200007d1 = 0xa); NONFAILING(*(uint8_t*)0x200007d2 = 1); NONFAILING(*(uint8_t*)0x200007d3 = 1); NONFAILING(*(uint8_t*)0x200007d4 = 7); NONFAILING(*(uint8_t*)0x200007d5 = 0xe3); NONFAILING(*(uint8_t*)0x200007d6 = 6); NONFAILING(*(uint8_t*)0x200007d7 = 0x24); NONFAILING(*(uint8_t*)0x200007d8 = 0x1a); NONFAILING(*(uint16_t*)0x200007d9 = 0xa2); NONFAILING(*(uint8_t*)0x200007db = 0); NONFAILING(*(uint8_t*)0x200007dc = 8); NONFAILING(*(uint8_t*)0x200007dd = 0x24); NONFAILING(*(uint8_t*)0x200007de = 0x1c); NONFAILING(*(uint16_t*)0x200007df = 0x20); NONFAILING(*(uint8_t*)0x200007e1 = 0xf3); NONFAILING(*(uint16_t*)0x200007e2 = 0x401); NONFAILING(*(uint8_t*)0x200007e4 = 0xc); NONFAILING(*(uint8_t*)0x200007e5 = 0x24); NONFAILING(*(uint8_t*)0x200007e6 = 0x1b); NONFAILING(*(uint16_t*)0x200007e7 = 3); NONFAILING(*(uint16_t*)0x200007e9 = 0xfff); NONFAILING(*(uint8_t*)0x200007eb = -1); NONFAILING(*(uint8_t*)0x200007ec = 1); NONFAILING(*(uint16_t*)0x200007ed = 0x101); NONFAILING(*(uint8_t*)0x200007ef = 7); NONFAILING(*(uint8_t*)0x200007f0 = 5); NONFAILING(*(uint8_t*)0x200007f1 = 0x24); NONFAILING(*(uint8_t*)0x200007f2 = 0); NONFAILING(*(uint16_t*)0x200007f3 = 1); NONFAILING(*(uint8_t*)0x200007f5 = 7); NONFAILING(*(uint8_t*)0x200007f6 = 5); NONFAILING(*(uint8_t*)0x200007f7 = 1); NONFAILING(*(uint8_t*)0x200007f8 = 0x13); NONFAILING(*(uint16_t*)0x200007f9 = 0x320); NONFAILING(*(uint8_t*)0x200007fb = 1); NONFAILING(*(uint8_t*)0x200007fc = 0); NONFAILING(*(uint8_t*)0x200007fd = 5); NONFAILING(*(uint8_t*)0x200007fe = 0x5e); NONFAILING(*(uint8_t*)0x200007ff = 0x22); NONFAILING(memcpy((void*)0x20000800, "\x5f\x96\x02\x5f\x20\x85\x6a\xd3\x11\xa3\xc3\xc3\xe0\xf0\x83\x10\x18\xd7\x26\xcd\x9c\x15\x9c\xce\x18\x5f\xb3\x94\xf5\xd7\xa8\x39\x68\xbc\x4e\x9c\xd2\x47\xa9\x63\x72\x9f\x02\xf5\x6f\x83\x8b\x84\xd9\x4c\x16\x91\x06\x41\xfc\xa9\x8d\xd7\x11\xea\x86\x8a\x7c\xb3\x59\x55\x29\x19\x40\xc4\xbd\x17\x72\x1c\x46\x18\x1a\x82\x27\x45\xb1\x00\xc1\x63\x3a\x92\xe4\x5d\x8e\xa2\x1b\xe4", 92)); NONFAILING(*(uint8_t*)0x2000085c = 7); NONFAILING(*(uint8_t*)0x2000085d = 5); NONFAILING(*(uint8_t*)0x2000085e = 5); NONFAILING(*(uint8_t*)0x2000085f = 0); NONFAILING(*(uint16_t*)0x20000860 = 0xa4d5); NONFAILING(*(uint8_t*)0x20000862 = 4); NONFAILING(*(uint8_t*)0x20000863 = 0); NONFAILING(*(uint8_t*)0x20000864 = 4); NONFAILING(*(uint8_t*)0x20000865 = 0x69); NONFAILING(*(uint8_t*)0x20000866 = 5); NONFAILING(memcpy((void*)0x20000867, "\xed\xe1\x38\xd2\xef\xb4\xdc\xc6\xcf\xa7\xdc\xea\x8f\x6f\xca\xc1\x52\x4b\x0b\x19\x86\x26\x44\x35\x5e\xac\xb3\x86\xa8\x9e\xad\xa8\x85\x0b\x3a\x79\xac\x10\xbc\x2d\x9f\x62\x2f\xd3\xe8\x6c\xc8\xd5\xb6\xa4\x3b\xfa\xae\x41\xaf\xea\x71\x5d\x70\x60\x56\x95\x56\xb8\xf7\xe0\x4f\xe5\xb0\x1f\x90\xbd\x93\x36\xcc\xc0\x7d\x0f\x4c\x42\xdc\x1d\x2a\x07\x38\x65\x81\x64\x3f\xcc\xc0\x74\x0d\x0f\x52\x2c\xdc\xac\x36\x90\x32\x2f\x0f", 103)); NONFAILING(*(uint8_t*)0x200008ce = 7); NONFAILING(*(uint8_t*)0x200008cf = 5); NONFAILING(*(uint8_t*)0x200008d0 = 8); NONFAILING(*(uint8_t*)0x200008d1 = 0); NONFAILING(*(uint16_t*)0x200008d2 = 5); NONFAILING(*(uint8_t*)0x200008d4 = 0); NONFAILING(*(uint8_t*)0x200008d5 = 0xf8); NONFAILING(*(uint8_t*)0x200008d6 = 5); NONFAILING(*(uint8_t*)0x200008d7 = 7); NONFAILING(*(uint8_t*)0x200008d8 = 5); NONFAILING(*(uint8_t*)0x200008d9 = -1); NONFAILING(*(uint8_t*)0x200008da = 0); NONFAILING(*(uint16_t*)0x200008db = 9); NONFAILING(*(uint8_t*)0x200008dd = -1); NONFAILING(*(uint8_t*)0x200008de = -1); NONFAILING(*(uint8_t*)0x200008df = -1); NONFAILING(*(uint8_t*)0x200008e0 = 0x81); NONFAILING(*(uint8_t*)0x200008e1 = 0x15); NONFAILING(memcpy((void*)0x200008e2, "\x7f\x48\x10\x47\xcd\x7c\xdd\x40\xd7\xeb\x7c\xee\xff\x10\xbd\x05\x32\xe2\xcf\xd3\x23\x84\x63\xf4\x59\x7c\xcb\x8e\xd3\xe6\xc1\x2b\x54\x80\x4a\xfc\x4a\xbb\x5b\x11\x9a\xc8\xcc\x6a\xb3\x55\xeb\xeb\x18\xc9\x8c\xec\x77\x0d\xac\x26\xa1\x92\x5a\x88\x29\xbd\x63\xb0\x5f\x6a\x4a\xce\x4d\x3f\x78\x8b\x2d\x9a\x8e\x3b\xad\x9e\xc6\xb1\x82\x20\x29\xdf\x1f\xe2\x7c\x20\x8a\x41\x1e\xad\xf2\x87\x1f\xff\xb0\x0c\xdc\xb1\x43\xe7\xba\x21\xc8\xe7\x6c\xa4\x1a\x53\x54\x32\x93\x79\x36\xbd\x7e\x57\xe3\x8c\xd0\x03\x8f\xb4\x80\xad\x0d", 127)); NONFAILING(*(uint8_t*)0x20000961 = 7); NONFAILING(*(uint8_t*)0x20000962 = 5); NONFAILING(*(uint8_t*)0x20000963 = 0); NONFAILING(*(uint8_t*)0x20000964 = 2); NONFAILING(*(uint16_t*)0x20000965 = 1); NONFAILING(*(uint8_t*)0x20000967 = 4); NONFAILING(*(uint8_t*)0x20000968 = 1); NONFAILING(*(uint8_t*)0x20000969 = 4); NONFAILING(*(uint8_t*)0x2000096a = 7); NONFAILING(*(uint8_t*)0x2000096b = 5); NONFAILING(*(uint8_t*)0x2000096c = 0); NONFAILING(*(uint8_t*)0x2000096d = 4); NONFAILING(*(uint16_t*)0x2000096e = 3); NONFAILING(*(uint8_t*)0x20000970 = 8); NONFAILING(*(uint8_t*)0x20000971 = 7); NONFAILING(*(uint8_t*)0x20000972 = 6); NONFAILING(*(uint8_t*)0x20000973 = 7); NONFAILING(*(uint8_t*)0x20000974 = 5); NONFAILING(*(uint8_t*)0x20000975 = 0); NONFAILING(*(uint8_t*)0x20000976 = 4); NONFAILING(*(uint16_t*)0x20000977 = 0xdb71); NONFAILING(*(uint8_t*)0x20000979 = 1); NONFAILING(*(uint8_t*)0x2000097a = 0); NONFAILING(*(uint8_t*)0x2000097b = 0xc9); NONFAILING(*(uint8_t*)0x2000097c = 0x4a); NONFAILING(*(uint8_t*)0x2000097d = 0xd); NONFAILING(memcpy((void*)0x2000097e, "\x10\x6f\xa2\xe0\x3e\xbf\x1d\x8f\xee\x72\xd3\x4b\x97\xaa\xd2\x37\x5e\x29\xb2\x8d\x00\x49\x58\xeb\x7e\x0b\x73\x16\x30\x19\x65\x7a\x65\xe1\xdb\x0c\xb3\x97\x58\x38\x25\xd2\x87\x97\xf6\xf7\x67\x1c\x5c\x71\x3c\x6a\x3b\x64\xad\xd1\xae\xe1\x8e\x29\x96\xfc\xd0\x25\x86\x7a\x7b\x33\x43\x2b\xcd\x3f", 72)); NONFAILING(*(uint8_t*)0x200009c6 = 3); NONFAILING(*(uint8_t*)0x200009c7 = 0xe); NONFAILING(memcpy((void*)0x200009c8, "\xf4", 1)); NONFAILING(*(uint8_t*)0x200009c9 = 7); NONFAILING(*(uint8_t*)0x200009ca = 5); NONFAILING(*(uint8_t*)0x200009cb = 2); NONFAILING(*(uint8_t*)0x200009cc = 0); NONFAILING(*(uint16_t*)0x200009cd = 0x1f); NONFAILING(*(uint8_t*)0x200009cf = 0); NONFAILING(*(uint8_t*)0x200009d0 = 4); NONFAILING(*(uint8_t*)0x200009d1 = 0x30); NONFAILING(*(uint8_t*)0x200009d2 = 0xe0); NONFAILING(*(uint8_t*)0x200009d3 = 0); NONFAILING(memcpy((void*)0x200009d4, "\xc4\x24\xe8\xb2\xf3\xea\xe8\x2a\x0d\xf4\x48\x2a\x23\x21\x23\x1f\x4f\xa2\x6e\x01\xf9\xd6\x57\xaf\xb3\x33\x84\xc8\x8d\x88\x1e\xc6\x38\xce\x64\x6d\x7a\x1e\x11\x85\xe4\xde\x11\x6b\xa4\xaf\xc0\x4f\xd8\x01\x7e\x29\x3d\xd0\xc4\xf2\xee\x12\x91\x6a\x5a\xff\x34\xb0\x7b\x68\x6f\x95\xa6\x82\x18\xcf\xba\x8a\xb2\x13\x6a\xac\xf2\x89\xf3\x51\x12\x56\x8d\xf7\xcf\xc9\xc4\x21\xa6\x6d\x5d\x23\x65\xef\xee\xda\xb0\x66\x02\x02\x32\xf8\x2a\x6e\xda\x52\x79\x6d\x04\xd6\x33\xdb\x4b\x82\x87\xe4\x0e\xa0\xf8\x07\xce\x97\x29\xbe\xa0\x2c\x40\x49\x29\x16\xee\x38\x42\xdd\xa1\x51\x12\x92\x5e\xcf\x6b\x66\x96\x24\x39\x46\xe6\x08\xfc\x8f\x8c\x2d\xcc\x7c\x84\xa8\x66\x05\xf8\x98\x35\x9f\x6d\x75\x9f\x91\x64\x09\x2a\xe1\x9f\xf8\xdb\x38\xfe\xcf\xdd\x66\x82\xf3\xb6\x71\xf5\x7a\x70\xe6\x25\xee\x73\xf0\x2d\x38\x90\x43\x8f\xc8\x57\x02\x96\xff\x08\x58\xb2\x26\xec\x89\x64\xa0\x0f\x4f\x98\x6c\xf4\x24\x8c\x0e\x53\x80\x11\xf0", 222)); NONFAILING(*(uint8_t*)0x20000ab2 = 7); NONFAILING(*(uint8_t*)0x20000ab3 = 5); NONFAILING(*(uint8_t*)0x20000ab4 = 0); NONFAILING(*(uint8_t*)0x20000ab5 = 0x10); NONFAILING(*(uint16_t*)0x20000ab6 = 7); NONFAILING(*(uint8_t*)0x20000ab8 = -1); NONFAILING(*(uint8_t*)0x20000ab9 = 2); NONFAILING(*(uint8_t*)0x20000aba = 9); NONFAILING(*(uint8_t*)0x20000abb = 0x63); NONFAILING(*(uint8_t*)0x20000abc = 0xd); NONFAILING(memcpy((void*)0x20000abd, "\x0e\x02\xc3\x68\x4a\x55\xbc\x2e\xbd\xd9\x7b\xd9\x05\xeb\x5b\xa2\x65\xbf\x9d\x70\xd8\xe7\x3b\xcb\xf9\x7a\x0c\xf3\xf5\x46\xa3\xb2\x96\xc8\x7e\xc5\x65\x2b\x96\x74\x5e\xd8\x48\xd8\x84\x68\x82\x93\xe0\xfe\x36\x47\x88\xc4\xdb\xd0\xca\x2a\x35\x30\x9c\x38\x5c\x85\x27\x20\xbb\x98\x58\xed\xb0\x52\xc3\xf0\xd5\xa5\xce\x81\xef\xf4\xf4\x9c\x2f\x34\xbd\xc5\x6e\x81\x3b\x34\x34\x94\x8b\x12\x6c\x70\x72", 97)); NONFAILING(*(uint8_t*)0x20000b1e = 0x52); NONFAILING(*(uint8_t*)0x20000b1f = 2); NONFAILING(memcpy((void*)0x20000b20, "\xe3\x21\x57\x7a\x39\xd4\xa9\xd6\xa8\xfb\x79\x4d\x6e\xa6\x4c\x4b\x7e\xa0\x6e\xcc\xb0\x2a\x83\x2e\x17\x67\x1b\x85\x16\x98\x8f\x4d\x06\xd3\x2b\xb0\xf4\xdc\x59\x96\x3a\x3c\x43\xfe\x90\x92\xb1\xc4\x59\x3a\xc9\xb2\xe0\x71\xfd\x20\xa3\x55\x00\x53\x0f\xf0\xd1\xa5\xdf\xe0\x92\xc2\xf5\x45\xd8\xc7\x7d\x62\x65\xe3\xb1\xc2\x46\x9d", 80)); NONFAILING(*(uint8_t*)0x20000b70 = 7); NONFAILING(*(uint8_t*)0x20000b71 = 5); NONFAILING(*(uint8_t*)0x20000b72 = 9); NONFAILING(*(uint8_t*)0x20000b73 = 0xf); NONFAILING(*(uint16_t*)0x20000b74 = 2); NONFAILING(*(uint8_t*)0x20000b76 = 6); NONFAILING(*(uint8_t*)0x20000b77 = 0x42); NONFAILING(*(uint8_t*)0x20000b78 = 0); NONFAILING(*(uint8_t*)0x20000b79 = 0x4d); NONFAILING(*(uint8_t*)0x20000b7a = 0); NONFAILING(memcpy((void*)0x20000b7b, "\x1c\x9c\xe7\x49\x37\x80\xaa\x22\x9b\x90\x80\x92\x0e\x51\x32\x26\xbd\x8e\x92\x22\x2a\x5f\x7a\xcd\x31\xf0\xba\x2a\x25\x72\x92\xf2\x3b\x3f\xcf\x78\xcb\x3b\xd2\x2f\x3e\x5f\x5f\x79\xbb\x05\x6d\xba\x47\x27\x96\xef\xe2\x4c\xb3\x96\xd9\x36\xec\x16\x70\x26\xbf\x4f\x37\x6e\x7f\xfe\x01\x7d\x38\x9c\x1f\x01\x87", 75)); NONFAILING(*(uint32_t*)0x20001200 = 0xa); NONFAILING(*(uint64_t*)0x20001204 = 0x20000c00); NONFAILING(*(uint8_t*)0x20000c00 = 0xa); NONFAILING(*(uint8_t*)0x20000c01 = 6); NONFAILING(*(uint16_t*)0x20000c02 = 0x265f); NONFAILING(*(uint8_t*)0x20000c04 = 9); NONFAILING(*(uint8_t*)0x20000c05 = 3); NONFAILING(*(uint8_t*)0x20000c06 = 8); NONFAILING(*(uint8_t*)0x20000c07 = 0xb); NONFAILING(*(uint8_t*)0x20000c08 = 0x37); NONFAILING(*(uint8_t*)0x20000c09 = 0); NONFAILING(*(uint32_t*)0x2000120c = 0x2b); NONFAILING(*(uint64_t*)0x20001210 = 0x20000c40); NONFAILING(*(uint8_t*)0x20000c40 = 5); NONFAILING(*(uint8_t*)0x20000c41 = 0xf); NONFAILING(*(uint16_t*)0x20000c42 = 0x2b); NONFAILING(*(uint8_t*)0x20000c44 = 2); NONFAILING(*(uint8_t*)0x20000c45 = 0x1c); NONFAILING(*(uint8_t*)0x20000c46 = 0x10); NONFAILING(*(uint8_t*)0x20000c47 = 0xa); NONFAILING(*(uint8_t*)0x20000c48 = 5); NONFAILING(STORE_BY_BITMASK(uint32_t, , 0x20000c49, 4, 0, 5)); NONFAILING(STORE_BY_BITMASK(uint32_t, , 0x20000c49, 9, 5, 27)); NONFAILING(*(uint16_t*)0x20000c4d = 0xf000); NONFAILING(*(uint16_t*)0x20000c4f = 3); NONFAILING(*(uint32_t*)0x20000c51 = 0xc0); NONFAILING(*(uint32_t*)0x20000c55 = 0xffc00f); NONFAILING(*(uint32_t*)0x20000c59 = 0xff0000); NONFAILING(*(uint32_t*)0x20000c5d = 0xcf); NONFAILING(*(uint8_t*)0x20000c61 = 0xa); NONFAILING(*(uint8_t*)0x20000c62 = 0x10); NONFAILING(*(uint8_t*)0x20000c63 = 3); NONFAILING(*(uint8_t*)0x20000c64 = 2); NONFAILING(*(uint16_t*)0x20000c65 = 0xc); NONFAILING(*(uint8_t*)0x20000c67 = 3); NONFAILING(*(uint8_t*)0x20000c68 = 5); NONFAILING(*(uint16_t*)0x20000c69 = 2); NONFAILING(*(uint32_t*)0x20001218 = 7); NONFAILING(*(uint32_t*)0x2000121c = 0xa9); NONFAILING(*(uint64_t*)0x20001220 = 0x20000c80); NONFAILING(*(uint8_t*)0x20000c80 = 0xa9); NONFAILING(*(uint8_t*)0x20000c81 = 3); NONFAILING(*(uint16_t*)0x20000c82 = 0); NONFAILING(memcpy((void*)0x20000c84, "\x57\xc2\x05\xcf\xe2\xc5\x16\x60\x4c\x3b\x76\x6d\xa5\x75\xa5\x69\x64\x4f\x32\xfa\xe2\xf7\x23\xd8\xb5\xf3\x4b\x4c\x3e\xb6\x28\xe4\x33\xb2\x78\xe3\x64\x67\x16\xa9\xec\xb4\x77\x60\x21\x1a\x5a\xdc\x95\xd0\x7d\xb7\xd2\x8c\xfe\x9c\xa0\x90\xaf\x77\x1a\x65\x7f\xde\xc2\x5e\xbd\x50\xdc\x88\x1d\x3a\x4e\xcd\x86\x58\x8c\xd4\x46\x13\x8b\x60\x45\x4c\x32\x24\x99\x77\xd5\x65\x4c\x26\xa6\x43\xf7\x85\x8b\xa7\x86\xd2\x93\x32\x2d\x24\x86\x34\x8a\x5b\x6c\x29\xcc\xf2\x29\xf4\x4f\xf9\x75\x2f\xf5\x41\x6d\x45\xab\xb8\x54\x2d\xd2\x50\xa6\xf4\x96\xb1\x49\x0f\x7f\x98\x86\xe2\x55\x0b\x48\x00\x23\x76\x7a\x10\x35\x0f\xe8\xa4\x63\xa3\x8a\x10\xd1\xb8\xad\x0f\x2f\x9a\xe2\x30\xb7\x6e\xa1", 165)); NONFAILING(*(uint32_t*)0x20001228 = 0x50); NONFAILING(*(uint64_t*)0x2000122c = 0x20000d40); NONFAILING(*(uint8_t*)0x20000d40 = 0x50); NONFAILING(*(uint8_t*)0x20000d41 = 3); NONFAILING(*(uint16_t*)0x20000d42 = 0x2c0b); NONFAILING(memcpy((void*)0x20000d44, "\x8c\xa5\x52\xe1\x01\x0f\x56\xe3\x0b\x2c\xdc\xc1\x95\x0d\x64\x95\x13\x57\xcb\xaf\xef\x05\xcd\xe4\xcb\x7c\xac\xea\xe4\xff\x66\xb4\xde\xdf\x35\x0b\x97\x44\x58\x60\xff\x9a\x97\xb3\x31\xb8\x52\x4b\x9e\x57\x8e\x4b\xa3\xef\x31\xd9\x1b\xf2\xcc\x54\xad\xf4\x86\x64\x00\x82\xa0\x58\x38\x4c\xbd\x20\x23\xd0\x5b\xf6", 76)); NONFAILING(*(uint32_t*)0x20001234 = 0x60); NONFAILING(*(uint64_t*)0x20001238 = 0x20000dc0); NONFAILING(*(uint8_t*)0x20000dc0 = 0x60); NONFAILING(*(uint8_t*)0x20000dc1 = 3); NONFAILING(*(uint16_t*)0x20000dc2 = 0x420); NONFAILING(memcpy((void*)0x20000dc4, "\x88\xac\xcd\xfc\x3e\x44\x37\xb9\xda\x65\xcf\x46\xd3\xf9\x65\x94\x4c\xb6\xa2\xff\x17\x82\xdc\xcf\xcd\x77\xab\xa1\x39\x01\xb7\xd5\xd4\xc2\xcf\x92\x8e\x9b\xe5\x28\x99\x15\xa3\xc6\x78\x8a\xd1\xba\xdc\xae\xf1\x31\xd3\x0d\x63\xf5\x6b\x54\xe5\x2c\xd2\x45\xdd\x0a\xac\x37\x98\x3d\xe8\x25\x8e\xe9\xa6\x64\xda\x27\x0f\x42\xd8\x74\xfc\x9b\x00\x4e\x6d\x1a\xcf\xfe\xa8\x08\x4f\x0a", 92)); NONFAILING(*(uint32_t*)0x20001240 = 0xa4); NONFAILING(*(uint64_t*)0x20001244 = 0x20000e40); NONFAILING(*(uint8_t*)0x20000e40 = 0xa4); NONFAILING(*(uint8_t*)0x20000e41 = 3); NONFAILING(*(uint16_t*)0x20000e42 = 0x542f); NONFAILING(memcpy((void*)0x20000e44, "\x42\x15\x6a\x1c\xb5\x46\xdf\xe9\x9c\x88\xd0\x4d\x08\x09\xec\xb5\x45\xf5\x74\xc1\x95\xdb\x38\xb1\x72\x8a\xc1\x24\x5e\x40\xf7\xe9\x72\xd6\x7e\x22\x4d\x37\x53\x96\x07\xaf\xe7\xe4\xdf\xe1\xe6\x8b\xa6\xbd\xfb\x0d\x4d\x11\x5a\xe6\xf5\xf5\x5f\x82\x80\x5c\x52\xab\xcf\xed\x9a\x23\x35\x33\x6c\x49\x2e\xa2\x3e\xec\x14\x57\x74\xfc\x34\x48\x02\xc4\xb4\x2a\xc0\x1b\xb4\xe2\x71\xff\x38\x45\x1c\x41\xdf\xce\xae\x46\xfe\x0b\x00\xf4\x6d\xdd\x50\x19\xc5\x85\xf6\x16\x9c\xbd\xc7\x17\x30\x42\xc4\x1b\xeb\x7c\x24\x05\x9f\x84\x43\x06\xc3\x57\x62\x7d\xd2\x33\xd2\x32\x40\xc1\x74\x28\x26\x0f\x21\x9c\x8b\x9b\x3b\xb0\x8a\x35\x94\x61\x0f\xe3\x1c\x92\xc3\xeb\xaa\x67", 160)); NONFAILING(*(uint32_t*)0x2000124c = 0xee); NONFAILING(*(uint64_t*)0x20001250 = 0x20000f00); NONFAILING(*(uint8_t*)0x20000f00 = 0xee); NONFAILING(*(uint8_t*)0x20000f01 = 3); NONFAILING(*(uint16_t*)0x20000f02 = 0); NONFAILING(memcpy((void*)0x20000f04, "\xbc\x6d\xe1\xf6\x24\x65\x49\xca\x11\x66\x71\xfe\xc2\x63\xc4\x5e\xf2\x7e\x3a\x57\x8c\x0c\x6c\xf3\x9e\x29\x17\x76\x4e\x96\x85\x78\xd6\x02\xf8\xed\xdc\x6b\xb0\x46\x2e\x43\x82\xe9\xf3\xdb\xfd\x45\xc3\x83\x5e\x78\x97\x49\xf5\xf3\x24\x89\x90\xc7\x99\x8f\x52\x56\x99\x03\xb9\xd2\x48\x62\xb7\xec\xdd\x84\x87\xf1\xac\x30\xc8\x18\x93\x06\x0b\xb4\x99\x9a\x7a\xcc\x7d\xc6\x65\xcd\x66\x0b\x75\x15\xae\xc5\xaf\xd6\xaa\x93\x66\x28\x98\x3d\xc3\x1a\xca\x5e\x68\x02\x84\x95\x12\x80\xbc\x83\xc6\xec\x6e\x53\xcc\xee\xe2\x28\x39\xf6\xfd\x53\x0b\x4f\x1f\x92\xa1\x15\x12\x83\xe8\x0e\x77\x0f\xd1\xc5\x51\xb9\x16\xe6\x72\x45\xa2\x2f\xbe\x6e\xa9\xe1\x0b\xc8\x93\xa5\x9d\x2e\x2c\x08\x80\xbf\xc8\xcd\x8e\x77\x45\x46\xc3\xff\x70\x5c\xda\xaf\x40\xb4\x2d\xe6\x73\xe6\xea\xa7\x2a\x59\xcf\x37\x4f\x0f\x96\xe9\xe8\xa7\x0b\x66\x4e\x31\xba\x4b\x37\x20\x3c\xf4\xf2\xb7\x60\x2e\xc6\xbe\x84\x45\xaf\x76\xcf\x06\x95\x34\x44\xaa\x6c\x3c\x8b\xc4\x3e\x62\xf6\x35\x3a\xae\x6c\xe7", 234)); NONFAILING(*(uint32_t*)0x20001258 = 0xdf); NONFAILING(*(uint64_t*)0x2000125c = 0x20001000); NONFAILING(*(uint8_t*)0x20001000 = 0xdf); NONFAILING(*(uint8_t*)0x20001001 = 3); NONFAILING(*(uint16_t*)0x20001002 = 0xf4ff); NONFAILING(memcpy((void*)0x20001004, "\xa3\xa4\xdf\x95\xb0\x46\x74\xf0\xd5\x98\x40\xb4\x2f\x4c\xad\x9c\x89\x6e\x73\xc5\xfb\x01\x4b\x5a\x5d\x10\xe3\x01\xf7\x21\x02\xf5\x4d\xef\x14\x39\xd0\xdf\x4b\x3c\x7b\x6e\x4e\xa9\x5e\x58\x33\x18\x36\xc1\x18\x04\x37\xf7\x8a\x17\x10\xe5\x4a\xb7\x31\x29\x4e\x96\x45\x6b\xb6\x53\x36\x5f\x1c\x9d\xdc\xbf\x2f\xaa\x39\x4a\xe8\x5f\xfb\x37\xa1\x2e\x3f\xe1\xa9\xb4\x98\xf4\x85\xda\x76\x0f\xbe\x7d\x2e\xd0\x0e\x84\xe8\x1b\xc9\xbe\xab\x86\x96\x98\x5f\x66\xff\x71\x49\xe6\x51\x1c\xcc\x94\x49\x42\x9c\x34\x82\x21\xb6\xe7\xc6\x66\xac\x7f\x55\x35\xbb\x27\xd9\xa9\x43\x63\x73\x0c\xc9\xfc\x20\xe4\x3b\x99\x31\xb7\x1d\x41\x61\x2f\xe4\x4d\x7d\x1f\x22\xcf\x98\xe8\x5a\xcc\xca\x39\x52\xfb\xa8\x76\xf8\x1e\x74\xac\xec\x61\xfb\xef\x5b\x6f\xe0\xa2\x7e\x2b\x88\x78\xdf\xb4\xd1\xe3\xb0\x0b\x74\x70\x3c\xaf\x75\x0f\x6d\xd0\x8c\xb0\x63\x78\x45\x4f\x46\x76\x38\x11\x01\x36\xf0\x5f\x9c\x30\x9c\x9e\x1a\x64\x13", 219)); NONFAILING(*(uint32_t*)0x20001264 = 0xcf); NONFAILING(*(uint64_t*)0x20001268 = 0x20001100); NONFAILING(*(uint8_t*)0x20001100 = 0xcf); NONFAILING(*(uint8_t*)0x20001101 = 3); NONFAILING(*(uint16_t*)0x20001102 = 0); NONFAILING(memcpy((void*)0x20001104, "\x69\xa6\x46\x1b\x2d\x22\xb5\x42\x89\x2b\x45\x4e\x68\xde\xae\xa3\x63\x27\x95\x02\x76\xc3\x90\x41\x91\xbb\xc6\x22\x80\xba\x9d\xe5\x77\x92\x8d\x5a\x3c\xd4\x03\x8a\x17\xa6\xba\xd4\x0f\x84\xa0\xc7\xb7\xfb\x54\x91\xe5\x8f\x76\xb4\x89\xc3\x00\xd0\xe4\x2f\x1e\x9b\xc2\xb4\x90\x06\xdb\xcf\xf9\xa0\x5c\x1c\xe3\xf6\x65\xfe\x53\x0f\x12\x75\x0b\x4f\x6c\x9d\x12\x54\xac\xb1\x12\xc4\x49\xd4\x58\x1d\xd6\x46\x5b\x0a\xfb\x4e\xec\x95\xe3\x18\x1d\xe9\x72\xea\xc2\xbe\x6c\x7a\xd8\xef\xc1\xfb\x57\x4e\x66\xf5\xc4\x0c\x49\x2e\x04\xf1\xbe\x23\x4c\x96\x8d\x12\xdc\xd5\x04\xde\x41\x48\x57\x05\xe2\xe3\x78\x9b\x20\xeb\x5a\x19\x8b\x22\x70\xe5\x88\x16\x99\xbe\x8c\x7e\xb5\xd9\xf0\x46\xe4\x0b\x97\xd8\x22\xad\x59\x24\xae\xd5\xa3\xd2\x5d\xc5\x83\x78\x3d\x10\xcc\x84\x41\xa9\x37\x8f\x28\x74\xb7\x2d\x30\x8c\x55\x40\xae\x09\xfa\xbe\x37\xa4\x17", 203)); res = syz_usb_connect(2, 0x446, 0x20000780, 0x20001200); if (res != -1) r[1] = res; break; case 22: NONFAILING(*(uint32_t*)0x20001740 = 0x34); NONFAILING(*(uint64_t*)0x20001744 = 0x20001280); NONFAILING(*(uint8_t*)0x20001280 = 0x40); NONFAILING(*(uint8_t*)0x20001281 = 0xa); NONFAILING(*(uint32_t*)0x20001282 = 0xe5); NONFAILING(*(uint8_t*)0x20001286 = 0xe5); NONFAILING(*(uint8_t*)0x20001287 = 9); NONFAILING(memcpy((void*)0x20001288, "\xf8\xef\x83\x55\xc9\x7f\xa9\x60\xe1\x1e\x03\xa2\xd8\x0e\x4c\x31\xeb\x57\x0e\xcb\x7b\xca\xe5\x58\xf6\xf4\x94\xc7\x22\x5e\xb3\x68\x1f\x7e\xc6\x53\x5a\x10\xda\xcb\x58\x94\x3c\x6d\x7f\xb9\xc9\x03\x3b\x99\xc5\x14\x4f\x7d\xfe\x64\x4e\x50\xf3\x45\x92\xe5\x04\xab\x57\xcf\x59\xd5\x37\x59\xf5\x4f\x89\x3b\x5d\xae\x44\x20\x04\x9f\x82\x97\x03\xfb\x73\x81\x6a\x15\xc3\xb2\x86\x3a\x9e\xe6\xfb\xbb\x3e\x5e\xae\x03\x98\x5a\xe9\xb8\x8b\x3b\x85\xea\xf4\x6f\xdc\x3d\xfb\x0b\xed\x93\x13\x7c\x12\xbc\x23\x83\x99\xbf\x89\x45\x12\xe5\xa1\xe2\xbc\xc0\xe8\x3c\xd7\x02\xac\xcb\x8d\x58\x84\xb3\x42\x73\x62\x30\x60\xe4\x6e\xf9\xff\x4b\x4d\x8e\x67\x9e\x01\x2b\x1f\x63\xb1\xd0\xf0\x8e\x1b\x25\x11\xba\xe6\xb8\x73\x65\x83\x1e\x4d\xe1\xe8\x6f\xec\xb9\x06\xd6\x63\x4b\x4d\x53\xd2\xf7\xb1\x6b\xff\x36\x96\x95\xfa\x70\x19\x43\xe0\x49\xb2\xf5\x4e\x96\xba\x11\xe7\xd1\xfc\x1b\x7c\x23\xda\xde\x82\x72\x45\x1b\x0f\x89\xb0\xfc\xe3\x95\xda\xec\x8c", 227)); NONFAILING(*(uint64_t*)0x2000174c = 0x20001380); NONFAILING(*(uint8_t*)0x20001380 = 0); NONFAILING(*(uint8_t*)0x20001381 = 3); NONFAILING(*(uint32_t*)0x20001382 = 0x8b); NONFAILING(*(uint8_t*)0x20001386 = 0x8b); NONFAILING(*(uint8_t*)0x20001387 = 3); NONFAILING(*(uint16_t*)0x20001388 = 0x408); NONFAILING(memcpy((void*)0x2000138a, "\x70\xee\xcf\x5e\xcc\x37\xea\x63\xa1\xef\x43\x11\x1a\x26\xe1\x5a\xd0\xb2\x59\x96\xa1\xc2\x87\x98\x99\xdb\x3d\x59\x95\x6e\xb2\x6a\x5e\x7b\xdb\xf2\x08\xf3\xb2\x25\x95\x24\x06\x77\x7f\x67\x70\xc7\x8e\x9e\x59\xd7\x93\x35\x25\xda\x2f\xbb\x81\xd7\x44\xc6\x05\x3c\x31\x8d\xc5\x7f\x40\xa0\x15\x98\x03\xcc\x44\x73\x7d\xdf\x73\xb4\xb3\x60\x06\xa7\xd2\xb4\x72\x79\x34\xb7\x39\xc1\x3c\xde\xf9\x54\xa9\xc0\xd4\xe8\x10\x10\x8d\x24\x37\x83\x2b\xb9\xe8\x64\x69\xbf\xc5\xea\xd2\xbd\xb1\xf1\x90\x4f\xe6\x10\x49\x4a\xba\xf7\xa2\x27\xc5\xe8\x76\x9a\x3b\x17\x97", 135)); NONFAILING(*(uint64_t*)0x20001754 = 0x20001440); NONFAILING(*(uint8_t*)0x20001440 = 0); NONFAILING(*(uint8_t*)0x20001441 = 0x22); NONFAILING(*(uint32_t*)0x20001442 = 0x235); NONFAILING(STORE_BY_BITMASK(uint8_t, , 0x20001446, 3, 0, 2)); NONFAILING(STORE_BY_BITMASK(uint8_t, , 0x20001446, 3, 2, 2)); NONFAILING(STORE_BY_BITMASK(uint8_t, , 0x20001446, 0xa, 4, 4)); NONFAILING(memcpy((void*)0x20001447, "\xfe\xf3\x3e\x95", 4)); NONFAILING(STORE_BY_BITMASK(uint8_t, , 0x2000144b, 3, 0, 2)); NONFAILING(STORE_BY_BITMASK(uint8_t, , 0x2000144b, 7, 2, 2)); NONFAILING(STORE_BY_BITMASK(uint8_t, , 0x2000144b, 0xf, 4, 4)); NONFAILING(*(uint8_t*)0x2000144c = 0xe3); NONFAILING(*(uint8_t*)0x2000144d = 0); NONFAILING(memcpy((void*)0x2000144e, "\x73\x77\x87\x0b\xbd\x91\xa0\x91\x42\x20\xe5\xdf\xef\x17\x77\xed\x47\x06\x9f\x43\x09\x84\xec\x15\x46\x63\xf2\x92\x10\xae\xda\x66\x5a\xb3\x8e\xeb\x09\x40\xd9\x81\x7a\x27\xf5\x8a\xf9\x1d\xda\x88\xcc\x08\x9d\xfc\x3b\x62\x9f\x5c\x66\x47\x03\x01\xd8\x9d\x49\xea\x42\xab\x83\xdd\x8d\xb5\xa1\xcf\xcb\x94\xf1\xc4\x0c\x36\xbe\x91\xff\x95\x40\xc4\x50\x6d\x34\x03\x87\x89\x61\xa0\xbd\xde\xec\x28\x53\x81\x79\xf7\x2c\xb0\x7c\x79\x2e\x12\x1c\xf4\x5a\x49\xc6\x38\xa5\xce\x85\x5a\x72\x2c\xc4\x3d\x48\x4d\x79\x82\xfb\xdc\x12\xbb\x09\xc1\xc5\x6f\x2f\x2c\x3f\xe8\x14\x54\xcc\x39\xed\xfe\x4a\xfe\xb8\xd1\x5f\x9b\x2e\x3d\x13\x9a\xeb\x64\xdd\x50\xd0\x46\xf2\x5e\x70\x64\xb9\x67\x6c\x3b\xbc\x6a\x62\x1a\x1b\xc0\xef\xa9\x10\x56\x3a\x71\x5c\x96\x59\x80\x54\x00\xc5\x19\xad\x65\xac\xa2\xc7\x20\xf5\xee\x41\x74\x35\xf3\x8e\xde\x7f\xfc\x33\x51\xf4\x09\x7d\xa7\x8d\x4d\xaa\x62\x49\x46\x88\xc3\x67\xc3\xe1\x09\xe3\xdd\xe8\x5e\xb1\x8b\x13", 227)); NONFAILING(STORE_BY_BITMASK(uint8_t, , 0x20001531, 0, 0, 2)); NONFAILING(STORE_BY_BITMASK(uint8_t, , 0x20001531, 3, 2, 2)); NONFAILING(STORE_BY_BITMASK(uint8_t, , 0x20001531, 0, 4, 4)); NONFAILING(STORE_BY_BITMASK(uint8_t, , 0x20001532, 9, 0, 2)); NONFAILING(STORE_BY_BITMASK(uint8_t, , 0x20001532, 0, 2, 2)); NONFAILING(STORE_BY_BITMASK(uint8_t, , 0x20001532, 0xf, 4, 4)); NONFAILING(*(uint8_t*)0x20001533 = 0x96); NONFAILING(*(uint8_t*)0x20001534 = 2); NONFAILING(memcpy((void*)0x20001535, "\xd6\xc6\x33\x41\x5e\x0b\x79\xa5\x59\x37\x13\xa5\xd0\xb8\xab\xd1\x7d\x5b\x47\xcc\xfd\x3f\x87\x40\xe9\x7e\x72\xaf\x7b\xe8\xbb\x87\x09\x59\xcc\x37\x73\x50\xe5\x49\xed\x4d\x4f\x0c\x88\x69\xf3\x0d\x78\xa4\x94\x7b\x5e\x6c\x6e\x96\xd1\xc8\xf5\x29\xc8\x1c\xe0\x85\xaf\xb9\x5f\xe5\x38\x1b\xf0\x8d\x15\xe7\x79\x7f\x06\xab\x2a\xe8\x5a\xe0\x39\x81\x2f\x28\x50\x47\x34\x38\x6f\x66\x1e\x75\x6d\x8e\x40\x10\x9e\xfb\x9b\xa1\x88\xb4\x80\x04\x6f\xaf\xdd\xb6\x6e\xa6\x8a\xb2\x12\x68\xf0\xde\xb2\x30\x6a\xd5\x42\xb9\xb2\xf1\xab\xa4\xe8\xa5\xbf\x80\x96\x35\xfa\xb9\x79\xb9\x92\x72\x0d\x2b\x23\x04\xa6\xb9\xe1\x21\x8d\x7f", 150)); NONFAILING(STORE_BY_BITMASK(uint8_t, , 0x200015cb, 2, 0, 2)); NONFAILING(STORE_BY_BITMASK(uint8_t, , 0x200015cb, 2, 2, 2)); NONFAILING(STORE_BY_BITMASK(uint8_t, , 0x200015cb, 1, 4, 4)); NONFAILING(memcpy((void*)0x200015cc, "X#", 2)); NONFAILING(STORE_BY_BITMASK(uint8_t, , 0x200015ce, 4, 0, 2)); NONFAILING(STORE_BY_BITMASK(uint8_t, , 0x200015ce, 0, 2, 2)); NONFAILING(STORE_BY_BITMASK(uint8_t, , 0x200015ce, 0xf, 4, 4)); NONFAILING(*(uint8_t*)0x200015cf = 0xaa); NONFAILING(*(uint8_t*)0x200015d0 = 5); NONFAILING(memcpy((void*)0x200015d1, "\x52\x4a\xff\x9a\x4c\x8b\x82\x78\xb3\x50\x07\x59\x5c\xba\x6f\xec\x44\x3b\xa3\x5d\x4e\x83\xaf\x26\x9f\x52\x0a\xba\x72\x05\x27\x04\x1a\x9f\xa1\xae\x04\xcc\x12\xd2\x10\xd4\x27\x1d\x3f\x57\x16\x2f\xbd\x0c\xa3\xdf\x89\xcf\xda\x35\x4f\x1f\x25\x81\x0d\x4c\x75\x63\x3c\x39\xe3\x65\x20\x9a\xb1\xd9\xda\x6f\x53\xa4\x6b\xf6\x99\x6c\x8c\x0c\x50\xf2\x14\x21\x74\xd0\x1a\xdd\x01\x33\xf3\x8a\xb6\xe6\x5b\x4b\x29\xfb\x71\x93\x35\xe7\x1a\x0d\xb7\xd0\xfc\x39\x32\x7a\xce\x58\xbf\xc4\x33\x75\x7f\xac\x80\x92\x1f\xe9\xea\x20\x60\x85\xa7\xa8\xcf\x4a\xf5\x4c\x71\xd6\x06\xeb\x20\x89\x9d\x7d\x33\xd0\xbb\x33\xbf\xe1\xf4\x41\x6a\xa0\x24\x25\xcb\xf8\x70\x7c\x49\xeb\x5d\x5c\xf3\x7e\x33\x36\xa6\xeb\x81\xca", 170)); NONFAILING(*(uint64_t*)0x2000175c = 0x20001680); NONFAILING(*(uint8_t*)0x20001680 = 0); NONFAILING(*(uint8_t*)0x20001681 = 0xf); NONFAILING(*(uint32_t*)0x20001682 = 0x19); NONFAILING(*(uint8_t*)0x20001686 = 5); NONFAILING(*(uint8_t*)0x20001687 = 0xf); NONFAILING(*(uint16_t*)0x20001688 = 0x19); NONFAILING(*(uint8_t*)0x2000168a = 1); NONFAILING(*(uint8_t*)0x2000168b = 0x14); NONFAILING(*(uint8_t*)0x2000168c = 0x10); NONFAILING(*(uint8_t*)0x2000168d = 0xa); NONFAILING(*(uint8_t*)0x2000168e = 0x81); NONFAILING(STORE_BY_BITMASK(uint32_t, , 0x2000168f, 2, 0, 5)); NONFAILING(STORE_BY_BITMASK(uint32_t, , 0x2000168f, 0x20, 5, 27)); NONFAILING(*(uint16_t*)0x20001693 = 0xf00); NONFAILING(*(uint16_t*)0x20001695 = 7); NONFAILING(*(uint32_t*)0x20001697 = 0); NONFAILING(*(uint32_t*)0x2000169b = 0x3fcf); NONFAILING(*(uint64_t*)0x20001764 = 0x200016c0); NONFAILING(*(uint8_t*)0x200016c0 = 0); NONFAILING(*(uint8_t*)0x200016c1 = 0x29); NONFAILING(*(uint32_t*)0x200016c2 = 0xf); NONFAILING(*(uint8_t*)0x200016c6 = 0xf); NONFAILING(*(uint8_t*)0x200016c7 = 0x29); NONFAILING(*(uint8_t*)0x200016c8 = 0); NONFAILING(*(uint16_t*)0x200016c9 = 0x18); NONFAILING(*(uint8_t*)0x200016cb = 0x48); NONFAILING(*(uint8_t*)0x200016cc = -1); NONFAILING(memcpy((void*)0x200016cd, "\x91\x5b\x5b\xb0", 4)); NONFAILING(memcpy((void*)0x200016d1, "\x93\x72\xe9\xc8", 4)); NONFAILING(*(uint64_t*)0x2000176c = 0x20001700); NONFAILING(*(uint8_t*)0x20001700 = 0); NONFAILING(*(uint8_t*)0x20001701 = 0x2a); NONFAILING(*(uint32_t*)0x20001702 = 0xc); NONFAILING(*(uint8_t*)0x20001706 = 0xc); NONFAILING(*(uint8_t*)0x20001707 = 0x2a); NONFAILING(*(uint8_t*)0x20001708 = 0xa9); NONFAILING(*(uint16_t*)0x20001709 = 0x19); NONFAILING(*(uint8_t*)0x2000170b = 0xfb); NONFAILING(*(uint8_t*)0x2000170c = 4); NONFAILING(*(uint8_t*)0x2000170d = 3); NONFAILING(*(uint16_t*)0x2000170e = 0x8001); NONFAILING(*(uint16_t*)0x20001710 = 9); NONFAILING(*(uint32_t*)0x20001ac0 = 0x54); NONFAILING(*(uint64_t*)0x20001ac4 = 0x20001780); NONFAILING(*(uint8_t*)0x20001780 = 0x20); NONFAILING(*(uint8_t*)0x20001781 = 0x15); NONFAILING(*(uint32_t*)0x20001782 = 0xde); NONFAILING(memcpy((void*)0x20001786, "\xb6\x4c\xff\xff\x45\x64\x23\xbe\xb3\xdc\x66\x88\x66\x5f\x86\xab\xf2\x26\x4e\x18\x57\x72\x0d\xa0\xfb\x4f\xe6\xab\xc0\x8b\xfa\x90\x28\x5d\x22\x1c\x7d\x07\x99\xf0\x3c\x15\xf2\xba\x81\x3f\x9d\xcd\x3b\x1e\x74\x92\x74\x54\xc1\xb6\xf3\x32\x2d\xda\x34\x6c\x52\xd0\xa3\x3c\x34\xac\x01\x3e\x34\x88\x56\x67\x5e\xf9\x5c\xfe\x66\x45\x7f\xbf\x64\x03\xd8\x76\xa5\xd3\xdd\x7b\x6f\xde\x75\x7a\xb1\x06\x1c\x0f\x62\x2c\x09\x4b\xd8\x63\x88\x6d\x43\x3b\x1f\x2b\xbf\x38\xc3\x97\x9b\xc8\x55\xec\x1b\x5a\x71\x2d\xc9\xa4\xaf\x45\x6e\x97\x90\x0b\x69\x74\x86\xa4\x77\xcb\x08\x9d\xe2\x82\x30\x45\x9e\xca\xb3\x5c\x91\x2d\x15\x9e\x4f\xb0\x91\xee\xb8\x7e\x0a\x4b\x90\xf7\xae\xa9\xfb\x2b\x44\x69\xac\x1e\x0a\x64\xfc\x6f\x03\x27\x48\x81\x68\x14\x3b\x67\x3f\xfc\x9e\xbd\xfe\x44\x46\xe9\x00\x50\xaf\xa5\x05\x20\xb0\x78\xe7\x66\x40\x3e\x61\x3f\x2f\x7d\x38\xd7\x6b\x4e\xe3\x0b\x97\x08\x28\xde\xa1\x09\xe2\xca\xdc\x8b\xd9\x3d", 222)); NONFAILING(*(uint64_t*)0x20001acc = 0x20001880); NONFAILING(*(uint8_t*)0x20001880 = 0); NONFAILING(*(uint8_t*)0x20001881 = 0xb); NONFAILING(*(uint32_t*)0x20001882 = 0); NONFAILING(*(uint64_t*)0x20001ad4 = 0x200018c0); NONFAILING(*(uint8_t*)0x200018c0 = 0x20); NONFAILING(*(uint8_t*)0x200018c1 = 0xa); NONFAILING(*(uint32_t*)0x200018c2 = 1); NONFAILING(*(uint8_t*)0x200018c6 = 3); NONFAILING(*(uint64_t*)0x20001adc = 0x20001900); NONFAILING(*(uint8_t*)0x20001900 = 0); NONFAILING(*(uint8_t*)0x20001901 = 9); NONFAILING(*(uint32_t*)0x20001902 = 0); NONFAILING(*(uint64_t*)0x20001ae4 = 0x20001940); NONFAILING(*(uint8_t*)0x20001940 = 0x20); NONFAILING(*(uint8_t*)0x20001941 = 8); NONFAILING(*(uint32_t*)0x20001942 = 1); NONFAILING(*(uint8_t*)0x20001946 = 0); NONFAILING(*(uint64_t*)0x20001aec = 0x20001980); NONFAILING(*(uint8_t*)0x20001980 = 0x20); NONFAILING(*(uint8_t*)0x20001981 = 0); NONFAILING(*(uint32_t*)0x20001982 = 4); NONFAILING(*(uint16_t*)0x20001986 = 1); NONFAILING(*(uint16_t*)0x20001988 = 1); NONFAILING(*(uint64_t*)0x20001af4 = 0x200019c0); NONFAILING(*(uint8_t*)0x200019c0 = 0x20); NONFAILING(*(uint8_t*)0x200019c1 = 0); NONFAILING(*(uint32_t*)0x200019c2 = 8); NONFAILING(*(uint16_t*)0x200019c6 = 0x100); NONFAILING(*(uint16_t*)0x200019c8 = 0x20); NONFAILING(*(uint32_t*)0x200019ca = 0xf); NONFAILING(*(uint64_t*)0x20001afc = 0x20001a00); NONFAILING(*(uint8_t*)0x20001a00 = 0x40); NONFAILING(*(uint8_t*)0x20001a01 = 1); NONFAILING(*(uint32_t*)0x20001a02 = 3); NONFAILING(memcpy((void*)0x20001a06, "\x2f\xd3\x25", 3)); NONFAILING(*(uint64_t*)0x20001b04 = 0x20001a40); NONFAILING(*(uint8_t*)0x20001a40 = 0x40); NONFAILING(*(uint8_t*)0x20001a41 = 9); NONFAILING(*(uint32_t*)0x20001a42 = 3); NONFAILING(memcpy((void*)0x20001a46, "\x48\xbe\x0d", 3)); NONFAILING(*(uint64_t*)0x20001b0c = 0x20001a80); NONFAILING(*(uint8_t*)0x20001a80 = 0x20); NONFAILING(*(uint8_t*)0x20001a81 = 0x80); NONFAILING(*(uint32_t*)0x20001a82 = 0x1c); NONFAILING(*(uint16_t*)0x20001a86 = 5); NONFAILING(*(uint16_t*)0x20001a88 = -1); NONFAILING(*(uint32_t*)0x20001a8a = 1); NONFAILING(*(uint16_t*)0x20001a8e = 2); NONFAILING(*(uint16_t*)0x20001a90 = 0x7e); NONFAILING(*(uint16_t*)0x20001a92 = 5); NONFAILING(*(uint16_t*)0x20001a94 = 3); NONFAILING(*(uint32_t*)0x20001a96 = 0x342c); NONFAILING(*(uint16_t*)0x20001a9a = 6); NONFAILING(*(uint16_t*)0x20001a9c = 0x999); NONFAILING(*(uint16_t*)0x20001a9e = 3); NONFAILING(*(uint16_t*)0x20001aa0 = 0xab); syz_usb_control_io(r[0], 0x20001740, 0x20001ac0); break; case 23: syz_usb_disconnect(r[1]); break; case 24: NONFAILING(memcpy((void*)0x20001b40, "\xa6\xee\x50\x97\xfb\xb4\xd1\xc8\x36\xd9\x1b\x05\x0c\x93\x1b\xb3\x99\xd7\x8d\x69\xbd\x2c\x77\x34\x9c\xff\xd1\x7f\x2d\x75\x87\xcd\x33\x4c\x9d\x1c\x49\x1a\x3c\x08\x04\x1c\x17\xb9\x66\x9b\xc5\xeb\x9b\x23\x7b\xe3\xb6\x24\xcf\x54\xb1\x0f\xa7\xba\x28\x87\x32\x84\x98\xac\xfb\x6f\x4f\x06\x84\xc2\x72\x7c\x01\xbb\xf0\x77\xde\x2c\xcb\x8b\xf7\x1c\x59\xed\x47\xa9\x07\x10\xbd\x0a\xb2\x35\x49\x0f\x93\x04\x2f\x67\x72\x9e\xce\xe2\x76\xc0\x54\x6f\x5a\xdb\xa7\xab\xde\x85\x64\xfb\x76\xa9\x53\xb4\x39\x41\x67\x8a\x86\x5c\x15\x47\xf5\x63\x95\xa0\xdb\xe6\x6c\xa1\xf1\x7c\x3e\xfe\x0c\x06\x38\x82\x67\x64\x52\x8d\xdc\xad\x81\x26\x33\x20\x64\x58\x40\xcf\x4f\x56\xe1\x91\x1b\x37\x64\x1e\xca\x19\x48\x3c\x4d\xdb\xdf\x0b\x44\x52\x53\x92\xda\x16\xb1\x5e\x90", 183)); syz_usb_ep_write(r[1], 0x13, 0xb7, 0x20001b40); break; } } int main(void) { syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0); install_segv_handler(); use_temporary_dir(); do_sandbox_none(); return 0; } : In function ‘syz_usb_control_io.constprop’: :565:6: error: ‘response_found’ may be used uninitialized in this function [-Werror=maybe-uninitialized] cc1: all warnings being treated as errors compiler invocation: gcc [-o /tmp/syz-executor187089520 -DGOOS_linux=1 -DGOARCH_amd64=1 -DHOSTGOOS_linux=1 -x c - -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=8192 -m64 -static] FAIL FAIL github.com/google/syzkaller/pkg/csource 17.810s ok github.com/google/syzkaller/pkg/db (cached) ok github.com/google/syzkaller/pkg/email 0.398s ? github.com/google/syzkaller/pkg/gce [no test files] ? github.com/google/syzkaller/pkg/gcs [no test files] ? github.com/google/syzkaller/pkg/hash [no test files] ok github.com/google/syzkaller/pkg/host 9.616s ? github.com/google/syzkaller/pkg/html [no test files] ok github.com/google/syzkaller/pkg/ifuzz (cached) ? github.com/google/syzkaller/pkg/ifuzz/gen [no test files] ? github.com/google/syzkaller/pkg/ifuzz/generated [no test files] ok github.com/google/syzkaller/pkg/instance 3.747s ok github.com/google/syzkaller/pkg/ipc 20.061s ? github.com/google/syzkaller/pkg/ipc/ipcconfig [no test files] ok github.com/google/syzkaller/pkg/kd (cached) ok github.com/google/syzkaller/pkg/log (cached) ok github.com/google/syzkaller/pkg/mgrconfig 1.753s ok github.com/google/syzkaller/pkg/osutil (cached) ok github.com/google/syzkaller/pkg/report 5.453s ok github.com/google/syzkaller/pkg/repro 3.408s ? github.com/google/syzkaller/pkg/rpctype [no test files] ok github.com/google/syzkaller/pkg/runtest 26.072s ok github.com/google/syzkaller/pkg/serializer (cached) ? github.com/google/syzkaller/pkg/signal [no test files] ok github.com/google/syzkaller/pkg/symbolizer 0.338s ok github.com/google/syzkaller/pkg/vcs 10.556s ok github.com/google/syzkaller/prog 7.342s ok github.com/google/syzkaller/prog/test 6.187s ? github.com/google/syzkaller/sys [no test files] ? github.com/google/syzkaller/sys/akaros [no test files] ? github.com/google/syzkaller/sys/akaros/gen [no test files] ? github.com/google/syzkaller/sys/freebsd [no test files] ? github.com/google/syzkaller/sys/freebsd/gen [no test files] ? github.com/google/syzkaller/sys/fuchsia [no test files] ? github.com/google/syzkaller/sys/fuchsia/fidlgen [no test files] ? github.com/google/syzkaller/sys/fuchsia/gen [no test files] ok github.com/google/syzkaller/sys/linux 1.300s ? github.com/google/syzkaller/sys/linux/gen [no test files] ? github.com/google/syzkaller/sys/netbsd [no test files] ? github.com/google/syzkaller/sys/netbsd/gen [no test files] ok github.com/google/syzkaller/sys/openbsd 0.158s ? github.com/google/syzkaller/sys/openbsd/gen [no test files] ? github.com/google/syzkaller/sys/syz-extract [no test files] ? github.com/google/syzkaller/sys/syz-sysgen [no test files] ? github.com/google/syzkaller/sys/targets [no test files] ? github.com/google/syzkaller/sys/test [no test files] ? github.com/google/syzkaller/sys/test/gen [no test files] ? github.com/google/syzkaller/sys/trusty [no test files] ? github.com/google/syzkaller/sys/trusty/gen [no test files] ? github.com/google/syzkaller/sys/windows [no test files] ? github.com/google/syzkaller/sys/windows/gen [no test files] ok github.com/google/syzkaller/syz-ci 3.944s ? github.com/google/syzkaller/syz-fuzzer [no test files] ok github.com/google/syzkaller/syz-hub 0.249s ok github.com/google/syzkaller/syz-hub/state 0.339s ? github.com/google/syzkaller/syz-manager [no test files] ? github.com/google/syzkaller/tools/syz-benchcmp [no test files] ? github.com/google/syzkaller/tools/syz-bisect [no test files] ? github.com/google/syzkaller/tools/syz-cover [no test files] ? github.com/google/syzkaller/tools/syz-crush [no test files] ? github.com/google/syzkaller/tools/syz-db [no test files] ? github.com/google/syzkaller/tools/syz-env [no test files] ? github.com/google/syzkaller/tools/syz-execprog [no test files] ? github.com/google/syzkaller/tools/syz-fmt [no test files] ? github.com/google/syzkaller/tools/syz-imagegen [no test files] ? github.com/google/syzkaller/tools/syz-mutate [no test files] ? github.com/google/syzkaller/tools/syz-prog2c [no test files] ? github.com/google/syzkaller/tools/syz-repro [no test files] ? github.com/google/syzkaller/tools/syz-runtest [no test files] ? github.com/google/syzkaller/tools/syz-stress [no test files] ? github.com/google/syzkaller/tools/syz-symbolize [no test files] ? github.com/google/syzkaller/tools/syz-testbuild [no test files] ? github.com/google/syzkaller/tools/syz-trace2syz [no test files] ok github.com/google/syzkaller/tools/syz-trace2syz/parser 1.610s ok github.com/google/syzkaller/tools/syz-trace2syz/proggen 3.932s ? github.com/google/syzkaller/tools/syz-tty [no test files] ? github.com/google/syzkaller/tools/syz-upgrade [no test files] ? github.com/google/syzkaller/tools/syz-usbgen [no test files] ok github.com/google/syzkaller/vm 11.718s ? github.com/google/syzkaller/vm/adb [no test files] ? github.com/google/syzkaller/vm/gce [no test files] ? github.com/google/syzkaller/vm/gvisor [no test files] ? github.com/google/syzkaller/vm/isolated [no test files] ? github.com/google/syzkaller/vm/kvm [no test files] ? github.com/google/syzkaller/vm/odroid [no test files] ? github.com/google/syzkaller/vm/qemu [no test files] ok github.com/google/syzkaller/vm/vmimpl (cached) ? github.com/google/syzkaller/vm/vmm [no test files]