? github.com/google/syzkaller/dashboard/dashapi [no test files] ok github.com/google/syzkaller/dashboard/app (cached) ? github.com/google/syzkaller/pkg/debugtracer [no test files] ? github.com/google/syzkaller/pkg/gce [no test files] ? github.com/google/syzkaller/pkg/gcs [no test files] ? github.com/google/syzkaller/pkg/hash [no test files] ? github.com/google/syzkaller/pkg/html/pages [no test files] ? github.com/google/syzkaller/pkg/ifuzz/iset [no test files] ? github.com/google/syzkaller/pkg/ifuzz/powerpc [no test files] ? github.com/google/syzkaller/pkg/ifuzz/powerpc/generated [no test files] ? github.com/google/syzkaller/pkg/ifuzz/x86 [no test files] ? github.com/google/syzkaller/pkg/ifuzz/x86/gen [no test files] ? github.com/google/syzkaller/pkg/ifuzz/x86/generated [no test files] ? github.com/google/syzkaller/pkg/ipc/ipcconfig [no test files] ? github.com/google/syzkaller/pkg/kcidb [no test files] ? github.com/google/syzkaller/pkg/rpctype [no test files] ? github.com/google/syzkaller/pkg/signal [no test files] ? github.com/google/syzkaller/pkg/testutil [no test files] ? github.com/google/syzkaller/pkg/tools [no test files] ? github.com/google/syzkaller/sys [no test files] ? github.com/google/syzkaller/sys/akaros [no test files] ? github.com/google/syzkaller/sys/akaros/gen [no test files] ? github.com/google/syzkaller/sys/darwin [no test files] ? github.com/google/syzkaller/sys/darwin/gen [no test files] ? github.com/google/syzkaller/sys/freebsd [no test files] ? github.com/google/syzkaller/sys/freebsd/gen [no test files] ? github.com/google/syzkaller/sys/fuchsia [no test files] ? github.com/google/syzkaller/sys/fuchsia/fidlgen [no test files] ? github.com/google/syzkaller/sys/fuchsia/gen [no test files] ? github.com/google/syzkaller/sys/fuchsia/layout [no test files] ? github.com/google/syzkaller/sys/linux/gen [no test files] ? github.com/google/syzkaller/sys/netbsd/gen [no test files] ? github.com/google/syzkaller/sys/openbsd/gen [no test files] ? 
github.com/google/syzkaller/sys/syz-extract [no test files] ? github.com/google/syzkaller/sys/syz-sysgen [no test files] ? github.com/google/syzkaller/sys/targets [no test files] ? github.com/google/syzkaller/sys/test/gen [no test files] ? github.com/google/syzkaller/sys/test [no test files] ? github.com/google/syzkaller/sys/trusty [no test files] ? github.com/google/syzkaller/sys/trusty/gen [no test files] ? github.com/google/syzkaller/sys/windows [no test files] ? github.com/google/syzkaller/sys/windows/gen [no test files] ? github.com/google/syzkaller/syz-runner [no test files] ? github.com/google/syzkaller/tools/syz-benchcmp [no test files] ? github.com/google/syzkaller/tools/syz-bisect [no test files] ? github.com/google/syzkaller/tools/syz-build [no test files] ? github.com/google/syzkaller/tools/syz-check [no test files] ? github.com/google/syzkaller/tools/syz-cover [no test files] ? github.com/google/syzkaller/tools/syz-crush [no test files] ? github.com/google/syzkaller/tools/syz-db [no test files] ? github.com/google/syzkaller/tools/syz-execprog [no test files] ? github.com/google/syzkaller/tools/syz-expand [no test files] ? github.com/google/syzkaller/tools/syz-fillreports [no test files] ? github.com/google/syzkaller/tools/syz-fmt [no test files] ? github.com/google/syzkaller/tools/syz-hubtool [no test files] ? github.com/google/syzkaller/tools/syz-imagegen [no test files] ? github.com/google/syzkaller/tools/syz-kcidb [no test files] ? github.com/google/syzkaller/tools/syz-lore [no test files] ? github.com/google/syzkaller/tools/syz-make [no test files] ? github.com/google/syzkaller/tools/syz-minconfig [no test files] ? github.com/google/syzkaller/tools/syz-mutate [no test files] ? github.com/google/syzkaller/tools/syz-prog2c [no test files] ? github.com/google/syzkaller/tools/syz-query-subsystems [no test files] ? github.com/google/syzkaller/tools/syz-reporter [no test files] ? github.com/google/syzkaller/tools/syz-repro [no test files] ? 
github.com/google/syzkaller/tools/syz-reprolist [no test files] ? github.com/google/syzkaller/tools/syz-runtest [no test files] ? github.com/google/syzkaller/tools/syz-showprio [no test files] ? github.com/google/syzkaller/tools/syz-stress [no test files] ? github.com/google/syzkaller/tools/syz-symbolize [no test files] ? github.com/google/syzkaller/tools/syz-testbed [no test files] ? github.com/google/syzkaller/tools/syz-testbuild [no test files] ? github.com/google/syzkaller/tools/syz-trace2syz [no test files] ? github.com/google/syzkaller/tools/syz-tty [no test files] ? github.com/google/syzkaller/tools/syz-upgrade [no test files] ? github.com/google/syzkaller/tools/syz-usbgen [no test files] ? github.com/google/syzkaller/vm/adb [no test files] ? github.com/google/syzkaller/vm/bhyve [no test files] ? github.com/google/syzkaller/vm/cuttlefish [no test files] ? github.com/google/syzkaller/vm/gce [no test files] ? github.com/google/syzkaller/vm/gvisor [no test files] ? github.com/google/syzkaller/vm/kvm [no test files] ? github.com/google/syzkaller/vm/odroid [no test files] ? github.com/google/syzkaller/vm/proxyapp/mocks [no test files] ? github.com/google/syzkaller/vm/proxyapp/proxyrpc [no test files] ? github.com/google/syzkaller/vm/qemu [no test files] ? github.com/google/syzkaller/vm/starnix [no test files] ? github.com/google/syzkaller/vm/vmm [no test files] ? 
github.com/google/syzkaller/vm/vmware [no test files] ok github.com/google/syzkaller/executor 5.481s ok github.com/google/syzkaller/pkg/asset (cached) ok github.com/google/syzkaller/pkg/ast 0.562s ok github.com/google/syzkaller/pkg/auth (cached) ok github.com/google/syzkaller/pkg/bisect (cached) ok github.com/google/syzkaller/pkg/build (cached) ok github.com/google/syzkaller/pkg/compiler 1.781s ok github.com/google/syzkaller/pkg/config (cached) --- FAIL: TestReportGenerator (0.76s) --- FAIL: TestReportGenerator/netbsd-amd64 (0.00s) --- FAIL: TestReportGenerator/netbsd-amd64/good (0.00s) report_test.go:205: failed to start /syzkaller/shared/netbsd/tools/bin/x86_64--netbsd-g++ [/syzkaller/shared/netbsd/tools/bin/x86_64--netbsd-g++ -c -fpie -w -x c -o /tmp/TestReportGeneratornetbsd-amd64good903418629/001/kcov.o /tmp/TestReportGeneratornetbsd-amd64good903418629/001/kcov.c -DASLR_BASE -m64 --sysroot /syzkaller/shared/netbsd/dest/ -O2 -pthread -Wall -Werror -Wparentheses -Wframe-larger-than=16384]: fork/exec /syzkaller/shared/netbsd/tools/bin/x86_64--netbsd-g++: exec format error --- FAIL: TestReportGenerator/netbsd-amd64/no-coverage (0.01s) report_test.go:205: failed to start /syzkaller/shared/netbsd/tools/bin/x86_64--netbsd-g++ [/syzkaller/shared/netbsd/tools/bin/x86_64--netbsd-g++ -c -fpie -w -x c -o /tmp/TestReportGeneratornetbsd-amd64no-coverage2798280797/001/kcov.o /tmp/TestReportGeneratornetbsd-amd64no-coverage2798280797/001/kcov.c -DASLR_BASE -m64 --sysroot /syzkaller/shared/netbsd/dest/ -O2 -pthread -Wall -Werror -Wparentheses -Wframe-larger-than=16384]: fork/exec /syzkaller/shared/netbsd/tools/bin/x86_64--netbsd-g++: exec format error --- FAIL: TestReportGenerator/netbsd-amd64/no-pcs (0.01s) report_test.go:205: failed to start /syzkaller/shared/netbsd/tools/bin/x86_64--netbsd-g++ [/syzkaller/shared/netbsd/tools/bin/x86_64--netbsd-g++ -c -fpie -w -x c -o /tmp/TestReportGeneratornetbsd-amd64no-pcs1078149964/001/kcov.o 
/tmp/TestReportGeneratornetbsd-amd64no-pcs1078149964/001/kcov.c -DASLR_BASE -m64 --sysroot /syzkaller/shared/netbsd/dest/ -O2 -pthread -Wall -Werror -Wparentheses -Wframe-larger-than=16384]: fork/exec /syzkaller/shared/netbsd/tools/bin/x86_64--netbsd-g++: exec format error --- FAIL: TestReportGenerator/netbsd-amd64/bad-pcs (0.01s) report_test.go:205: failed to start /syzkaller/shared/netbsd/tools/bin/x86_64--netbsd-g++ [/syzkaller/shared/netbsd/tools/bin/x86_64--netbsd-g++ -c -fpie -w -x c -o /tmp/TestReportGeneratornetbsd-amd64bad-pcs1300603310/001/kcov.o /tmp/TestReportGeneratornetbsd-amd64bad-pcs1300603310/001/kcov.c -DASLR_BASE -m64 --sysroot /syzkaller/shared/netbsd/dest/ -O2 -pthread -Wall -Werror -Wparentheses -Wframe-larger-than=16384]: fork/exec /syzkaller/shared/netbsd/tools/bin/x86_64--netbsd-g++: exec format error --- FAIL: TestReportGenerator/netbsd-amd64/no-debug-info (0.02s) report_test.go:205: failed to start /syzkaller/shared/netbsd/tools/bin/x86_64--netbsd-g++ [/syzkaller/shared/netbsd/tools/bin/x86_64--netbsd-g++ -c -fpie -w -x c -o /tmp/TestReportGeneratornetbsd-amd64no-debug-info1535905202/001/kcov.o /tmp/TestReportGeneratornetbsd-amd64no-debug-info1535905202/001/kcov.c -DASLR_BASE -m64 --sysroot /syzkaller/shared/netbsd/dest/ -O2 -pthread -Wall -Werror -Wparentheses -Wframe-larger-than=16384]: fork/exec /syzkaller/shared/netbsd/tools/bin/x86_64--netbsd-g++: exec format error FAIL FAIL github.com/google/syzkaller/pkg/cover 1.158s ok github.com/google/syzkaller/pkg/cover/backend (cached) --- FAIL: TestGenerate (1.58s) --- FAIL: TestGenerate/netbsd/amd64 (0.02s) testutil.go:33: seed=1684181988843553332 testutil.go:33: seed=1684181988864441450 --- FAIL: TestGenerate/netbsd/amd64/single_syz_emit_ethernet (0.18s) csource_test.go:150: opts: {Threaded:false Repeat:false RepeatTimes:0 Procs:0 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false 
DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false UseTmpDir:false HandleSegv:false Repro:false Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}} program: syz_emit_ethernet(0x21, &(0x7f0000000000)="437d572f6f1aa5d41a51cabf7b39099732f92b232f8dfad8b7776099a378d03e34") csource_test.go:151: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #ifndef SYS_mmap #define SYS_mmap 197 #endif int main(void) { syscall(SYS_mmap, 0x20000000ul, 0x1000000ul, 3ul, 0x1012ul, -1, 0ul, 0ul); return 0; } compiler invocation: /syzkaller/shared/netbsd/tools/bin/x86_64--netbsd-g++ [-o /tmp/syz-executor889389380 -DGOOS_netbsd=1 -DGOARCH_amd64=1 -DHOSTGOOS_linux=1 -x c - -m64 --sysroot /syzkaller/shared/netbsd/dest/ -O2 -pthread -Wall -Werror -Wparentheses -Wframe-larger-than=16384] --- FAIL: TestGenerate/netbsd/amd64/single_syz_execute_func (0.16s) csource_test.go:150: opts: {Threaded:false Repeat:false RepeatTimes:0 Procs:0 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false UseTmpDir:false HandleSegv:false Repro:false Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}} program: syz_execute_func(&(0x7f0000000000)="26263e66440f72e4efc402c0f3d740de6804450f421ec42135596100c403097d309342dae90f1865f946dc7bd38f0878a6d50c") csource_test.go:151: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #ifndef SYS_mmap #define SYS_mmap 197 #endif static long syz_execute_func(volatile long text) { ((void 
(*)(void))(text))(); return 0; } int main(void) { syscall(SYS_mmap, 0x20000000ul, 0x1000000ul, 3ul, 0x1012ul, -1, 0ul, 0ul); memcpy((void*)0x20000000, "\x26\x26\x3e\x66\x44\x0f\x72\xe4\xef\xc4\x02\xc0\xf3\xd7\x40\xde\x68\x04\x45\x0f\x42\x1e\xc4\x21\x35\x59\x61\x00\xc4\x03\x09\x7d\x30\x93\x42\xda\xe9\x0f\x18\x65\xf9\x46\xdc\x7b\xd3\x8f\x08\x78\xa6\xd5\x0c", 51); syz_execute_func(0x20000000); return 0; } compiler invocation: /syzkaller/shared/netbsd/tools/bin/x86_64--netbsd-g++ [-o /tmp/syz-executor739989412 -DGOOS_netbsd=1 -DGOARCH_amd64=1 -DHOSTGOOS_linux=1 -x c - -m64 --sysroot /syzkaller/shared/netbsd/dest/ -O2 -pthread -Wall -Werror -Wparentheses -Wframe-larger-than=16384] --- FAIL: TestGenerate/netbsd/amd64/single_syz_extract_tcp_res (0.19s) csource_test.go:150: opts: {Threaded:false Repeat:false RepeatTimes:0 Procs:0 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false UseTmpDir:false HandleSegv:false Repro:false Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}} program: syz_extract_tcp_res(&(0x7f0000000000), 0x9dc, 0xff) csource_test.go:151: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #ifndef SYS_mmap #define SYS_mmap 197 #endif int main(void) { syscall(SYS_mmap, 0x20000000ul, 0x1000000ul, 3ul, 0x1012ul, -1, 0ul, 0ul); return 0; } compiler invocation: /syzkaller/shared/netbsd/tools/bin/x86_64--netbsd-g++ [-o /tmp/syz-executor2345387082 -DGOOS_netbsd=1 -DGOARCH_amd64=1 -DHOSTGOOS_linux=1 -x c - -m64 --sysroot /syzkaller/shared/netbsd/dest/ -O2 -pthread -Wall -Werror -Wparentheses -Wframe-larger-than=16384] --- FAIL: TestGenerate/netbsd/amd64/single_syz_usb_connect (0.20s) 
csource_test.go:150: opts: {Threaded:false Repeat:false RepeatTimes:0 Procs:0 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false UseTmpDir:false HandleSegv:false Repro:false Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}} program: syz_usb_connect(0x4, 0x526, &(0x7f0000000000)={{0x12, 0x1, 0x200, 0x0, 0x0, 0x0, 0x8, 0x0, 0x0, 0x0, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x514, 0x2, 0x7f, 0x4, 0x80, 0x68, [{{0x9, 0x4, 0x7f, 0x7, 0xf, 0x0, 0x0, 0x0, 0x6, [], [{{0x9, 0x5, 0x4, 0x10, 0x400, 0x6, 0x1, 0x7, [@generic={0xce, 0x21, "652dc4a0214887c93a5b8551829efa217882899ced9790f81cd25c10affb6b72510db76ff4903ed4eb69d2332793d9bee4f5ff99efa070a842cc8eb10a3933062e4ed7d9890abefe63f18839f34bd697dbfff3ee57bf8b1b1d22a55aa49c391c5b82145ef79ea03579760ce261368408818bb1e46dd2416533895780b0a68c6216dec2ffcf0e39ee76719bef6829c80350e6ddb785ee586cb2fa94d0826badd3c0a2499e0577576c1c04f1a4694ca99787465359bfeda46920d2551a14f661e9587ab28ade55ded1639ac51f"}, @generic={0x8d, 0xa, "4ef618a6bb22c5d422b941d76c531a9c102538f032665e73ba92ad5460e81a6259178b41814e22b2f2dd4deb65aeba07ec1a9c566e71cd0fc4f2e5051a1168d7deb051c7a3177e5333fb7aa5509fbff8048c8c809fad1d06a8523db9a1017f0199c46387c9e3e61a2d7d0da87397118798e6b58f42a96f60c012894b300237ddad33eac3a5b2a337d5b840"}]}}, {{0x9, 0x5, 0xb, 0x10, 0x10, 0x3, 0x1, 0x7f}}, {{0x9, 0x5, 0x5, 0x2, 0x200, 0x5, 0xf7, 0x3}}, {{0x9, 0x5, 0xa, 0x0, 0x40, 0xfa, 0x0, 0x5}}, {{0x9, 0x5, 0x0, 0x1, 0x200, 0x1, 0x5, 0xfd, [@uac_iso={0x7, 0x25, 0x1, 0x80, 0x81, 0xbe4}]}}, {{0x9, 0x5, 0x8, 0x0, 0x20, 0x7, 0x4, 0x80, [@uac_iso={0x7, 0x25, 0x1, 0x0, 0x1, 0x5}]}}, {{0x9, 0x5, 0xd, 0x4, 0x200, 0x8, 0xff, 0x8, [@uac_iso={0x7, 0x25, 0x1, 0x83, 0x0, 0x6}]}}, {{0x9, 0x5, 0x3, 0x1, 0xff3ca924a6802f0f, 0xe1, 0x78, 0x80, [@uac_iso={0x7, 0x25, 0x1, 0x82, 0x2, 0x1}, 
@generic={0xd7, 0xf, "534308433563a2497053dbe77cd9e8befb2348da762f15c69d7055377ad39719e62ad40947fbc66a6cad60f2c9d2a95601740818eb5d7ea4e0c5250d9bd049cbffe337f7c4d9f46ea3d3069a1e264617b853a4b9f09e9fdba5f83427aadad0e13549d1283b88a7ec1c6effee72b7edb9a490dbeb1cc99f30844c989725374e0766335348a8a7ea7a67c8cf88c7398498dac8d29bc496e188ac655b0d1ff82c852c6ba76d22f26cd9656b61759efcf52aa1163e1c4082313bba4191a431f289547b3b3ed27a6b6e3ce39c006a98cea3108fc54f240b"}]}}, {{0x9, 0x5, 0x6, 0x0, 0x400, 0xc2, 0x7d, 0x2}}, {{0x9, 0x5, 0xe, 0x4, 0x20, 0x0, 0x1f}}, {{0x9, 0x5, 0xd, 0x10, 0x200, 0x7, 0xab, 0x7, [@uac_iso={0x7, 0x25, 0x1, 0x81, 0x2, 0x731}, @uac_iso={0x7, 0x25, 0x1, 0x0, 0x5}]}}, {{0x9, 0x5, 0x2, 0x3, 0x40, 0x7, 0x8, 0x3f}}, {{0x9, 0x5, 0x0, 0x0, 0x20, 0x6, 0x5, 0x3}}, {{0x9, 0x5, 0x6, 0x0, 0x200, 0x7, 0x80, 0xa1, [@uac_iso={0x7, 0x25, 0x1, 0x82, 0x6, 0x8080}, @generic={0xf1, 0x10, "52aacfee5b0c7abb59e186e4105f45d01d0b9116ed1931adb3c9d1e3e0607abfdf393bd4a8391969bc03e71064f99c9f80792faf7e16aca60fa19abc2442f4717abf8cb13d56bccb38f137f60dce1cfedf3d44cb5867dfda666f15e4ddcaace8ca8eb2eb5580092a879977c385e8e3b107a5e17df95d4f2f7bfd28241262a029b9887ecf13d0625eeba43cff6f39bf35034ed443c408508b4e4e9942afad9cba9a1e334cb70ee6fe809425961bcbc28a03e4ee332b7bf4067f99a308069fea4260bdf2065f625d089ecbba1765e956028b1ed30b5fa524d7b3c59c350ddc0833ba455e41e6117891ec134435215576"}]}}, {{0x9, 0x5, 0x3, 0x10, 0x3ff, 0x4, 0x7f, 0x4}}]}}, {{0x9, 0x4, 0x8, 0x4, 0x7, 0x0, 0x0, 0x0, 0x81, [@uac_as={[@format_type_i_discrete={0x11, 0x24, 0x2, 0x1, 0x5, 0x1, 0x7, 0x1, "87a65ec614127ed51e"}, @as_header={0x7, 0x24, 0x1, 0x49, 0x1, 0x1001}]}], [{{0x9, 0x5, 0x0, 0x0, 0x3ff, 0xfe, 0xd6, 0x7}}, {{0x9, 0x5, 0xf, 0x10, 0x10, 0x0, 0x9}}, {{0x9, 0x5, 0xc, 0x8, 0x40, 0x2, 0xea, 0x81, [@uac_iso={0x7, 0x25, 0x1, 0x3, 0x3f, 0x40}, @uac_iso={0x7, 0x25, 0x1, 0x81, 0x1, 0x3}]}}, {{0x9, 0x5, 0xc, 0x0, 0x400, 0x0, 0x3, 0x2, [@generic={0x72, 0x31, 
"80075b78ddc52e8795b0c462eae7e15f19e5c399e09ae459012cf0b89ead8aafb0ffad2e581547bd7b652ba32dc92645e49a10ff3e99fb9ac4e93718f499c280fb9c565c855788a82b504c0e99144ca233afc084718fda37257e79a849b2e7d25e8f7b969ae799e91a7ca8ed139767ec"}]}}, {{0x9, 0x5, 0xd, 0x0, 0x40, 0xf8, 0x40, 0x20, [@uac_iso={0x7, 0x25, 0x1, 0x80, 0x0, 0x20}, @generic={0x39, 0x21, "3bffba8de1dacbbcfae22023b81f1717772678810f406b8b5c3a13bee3f99d5c238e1b4df3648451a26b32673bd52c803819c7fdc7c915"}]}}, {{0x9, 0x5, 0x6, 0x4, 0x3ff, 0x6, 0x9, 0x1}}, {{0x9, 0x5, 0x1, 0x0, 0x200, 0x6, 0x0, 0x94, [@uac_iso={0x7, 0x25, 0x1, 0x80, 0x7c, 0x1}]}}]}}]}}]}}, &(0x7f0000000940)={0xa, &(0x7f0000000540)={0xa, 0x6, 0x310, 0x8, 0x7f, 0x4, 0x20, 0x5a}, 0x29, &(0x7f0000000580)={0x5, 0xf, 0x29, 0x4, [@ptm_cap={0x3}, @ss_cap={0xa, 0x10, 0x3, 0x2, 0x8, 0x0, 0x7, 0x4}, @ptm_cap={0x3}, @ss_container_id={0x14, 0x10, 0x4, 0x0, "79eb16ec3c3b00282919ec5dabf41e0b"}]}, 0x6, [{0xd6, &(0x7f00000005c0)=@string={0xd6, 0x3, "28dc0f3e2d2cbf02ca36a4e5d1b0f0ddfe55cacac8c4fba9cf77e2d4a69759c8f73083b5f491c1aa8d6d6b23333df0e868fec3daa788c8563e11fb66a376aaad37c0ea818a9b065a9a5ab9d563ac6a59b05edfdbffbad7cd0ec0c4b96fee18b13451b465b19eeb4b060da21335d15884cdf799af63a14069f3392f03c8ec50adbd67aff0509ca458ac811aff470193e646741336b23aefaa8774ac86cf83ebc1d8563cc6b2186d821b387e80b2bf920759c14bab6d5b898305e8e92953a4e0e3ea2f265945ad798b654c24abb6efb8af3de0839c"}}, {0x4, &(0x7f00000006c0)=@lang_id={0x4, 0x3, 0x404}}, {0xd6, &(0x7f0000000700)=@string={0xd6, 0x3, "dcb5606fb81916b204abe301666b981cb5a37c2d011dbbb0220859df5d8626ec7bd4fbc2ee0224769f8ee08bdf8be98d235eb0843b8e7a3a581616d9d8949234626dd98cf049426c445bb64a4163222df3af91199d329d7ed541f45aed1250a820f2eafb7a2fedd7325d19955612ce92a1164a6770e2c6502a80aa0cf14034509be6c5680d6775dafd4afac614478937b1c43d8db3203e7fc516c20784335989789ce46ebf28e5b181d47f96691786cf494b198a3d0b9d9008ddfe248632af3d6912c6ad2cfeb001b9c04e86764762207b35102b"}}, {0xb3, &(0x7f0000000800)=@string={0xb3, 0x3, 
"344540a5883c73f2b8d66e36144a9fcce70bd6cf4b0feeee92711e25192232dfd3aaef70525466fc4f8d13ef20e2f01a7a70611854c4c0aaa792a586ac4c66ce00610c7bd282ab3465bb4f09518e46f974a933eade5645c8c2a0b0a2112c42a10cb98f1f1f5d613f1f65fdc0143f14581894070baf90adb17824c5b2eaae40c6971122352ec0b162643548a9aa27dbb26fbbdf71d94e8ba9481c03e8d8dae2f53e42072988afd5ba7d2688949da1c81a60"}}, {0x27, &(0x7f00000008c0)=@string={0x27, 0x3, "114ef1b19030d1621ea9752dce6daba0512fe247f38144e1e90d3382e63ac12341f2765fbf"}}, {0x4, &(0x7f0000000900)=@lang_id={0x4, 0x3, 0x1c09}}]}) csource_test.go:151: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #ifndef SYS_mmap #define SYS_mmap 197 #endif static unsigned long long procid; static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } struct usb_endpoint_descriptor { uint8_t bLength; uint8_t bDescriptorType; uint8_t bEndpointAddress; uint8_t bmAttributes; uint16_t wMaxPacketSize; uint8_t bInterval; uint8_t bRefresh; uint8_t bSynchAddress; } __attribute__((packed)); struct usb_device_descriptor { uint8_t bLength; uint8_t bDescriptorType; uint16_t bcdUSB; uint8_t bDeviceClass; uint8_t bDeviceSubClass; uint8_t bDeviceProtocol; uint8_t bMaxPacketSize0; uint16_t idVendor; uint16_t idProduct; uint16_t bcdDevice; uint8_t iManufacturer; uint8_t iProduct; uint8_t iSerialNumber; uint8_t bNumConfigurations; } __attribute__((packed)); struct usb_config_descriptor { uint8_t bLength; uint8_t bDescriptorType; uint16_t wTotalLength; uint8_t bNumInterfaces; uint8_t bConfigurationValue; uint8_t iConfiguration; uint8_t bmAttributes; uint8_t bMaxPower; } __attribute__((packed)); struct usb_interface_descriptor { uint8_t bLength; uint8_t bDescriptorType; uint8_t bInterfaceNumber; uint8_t bAlternateSetting; uint8_t bNumEndpoints; uint8_t bInterfaceClass; uint8_t bInterfaceSubClass; uint8_t 
bInterfaceProtocol; uint8_t iInterface; } __attribute__((packed)); struct usb_ctrlrequest { uint8_t bRequestType; uint8_t bRequest; uint16_t wValue; uint16_t wIndex; uint16_t wLength; } __attribute__((packed)); struct usb_qualifier_descriptor { uint8_t bLength; uint8_t bDescriptorType; uint16_t bcdUSB; uint8_t bDeviceClass; uint8_t bDeviceSubClass; uint8_t bDeviceProtocol; uint8_t bMaxPacketSize0; uint8_t bNumConfigurations; uint8_t bRESERVED; } __attribute__((packed)); #define USB_TYPE_MASK (0x03 << 5) #define USB_TYPE_STANDARD (0x00 << 5) #define USB_TYPE_CLASS (0x01 << 5) #define USB_TYPE_VENDOR (0x02 << 5) #define USB_TYPE_RESERVED (0x03 << 5) #define USB_DT_DEVICE 0x01 #define USB_DT_CONFIG 0x02 #define USB_DT_STRING 0x03 #define USB_DT_INTERFACE 0x04 #define USB_DT_ENDPOINT 0x05 #define USB_DT_DEVICE_QUALIFIER 0x06 #define USB_DT_OTHER_SPEED_CONFIG 0x07 #define USB_DT_INTERFACE_POWER 0x08 #define USB_DT_OTG 0x09 #define USB_DT_DEBUG 0x0a #define USB_DT_INTERFACE_ASSOCIATION 0x0b #define USB_DT_SECURITY 0x0c #define USB_DT_KEY 0x0d #define USB_DT_ENCRYPTION_TYPE 0x0e #define USB_DT_BOS 0x0f #define USB_DT_DEVICE_CAPABILITY 0x10 #define USB_DT_WIRELESS_ENDPOINT_COMP 0x11 #define USB_DT_WIRE_ADAPTER 0x21 #define USB_DT_RPIPE 0x22 #define USB_DT_CS_RADIO_CONTROL 0x23 #define USB_DT_PIPE_USAGE 0x24 #define USB_DT_SS_ENDPOINT_COMP 0x30 #define USB_DT_SSP_ISOC_ENDPOINT_COMP 0x31 #define USB_REQ_GET_STATUS 0x00 #define USB_REQ_CLEAR_FEATURE 0x01 #define USB_REQ_SET_FEATURE 0x03 #define USB_REQ_SET_ADDRESS 0x05 #define USB_REQ_GET_DESCRIPTOR 0x06 #define USB_REQ_SET_DESCRIPTOR 0x07 #define USB_REQ_GET_CONFIGURATION 0x08 #define USB_REQ_SET_CONFIGURATION 0x09 #define USB_REQ_GET_INTERFACE 0x0A #define USB_REQ_SET_INTERFACE 0x0B #define USB_REQ_SYNCH_FRAME 0x0C #define USB_REQ_SET_SEL 0x30 #define USB_REQ_SET_ISOCH_DELAY 0x31 #define USB_REQ_SET_ENCRYPTION 0x0D #define USB_REQ_GET_ENCRYPTION 0x0E #define USB_REQ_RPIPE_ABORT 0x0E #define USB_REQ_SET_HANDSHAKE 0x0F 
#define USB_REQ_RPIPE_RESET 0x0F #define USB_REQ_GET_HANDSHAKE 0x10 #define USB_REQ_SET_CONNECTION 0x11 #define USB_REQ_SET_SECURITY_DATA 0x12 #define USB_REQ_GET_SECURITY_DATA 0x13 #define USB_REQ_SET_WUSB_DATA 0x14 #define USB_REQ_LOOPBACK_DATA_WRITE 0x15 #define USB_REQ_LOOPBACK_DATA_READ 0x16 #define USB_REQ_SET_INTERFACE_DS 0x17 #define USB_REQ_GET_PARTNER_PDO 20 #define USB_REQ_GET_BATTERY_STATUS 21 #define USB_REQ_SET_PDO 22 #define USB_REQ_GET_VDM 23 #define USB_REQ_SEND_VDM 24 #define USB_MAX_IFACE_NUM 4 #define USB_MAX_EP_NUM 32 #define USB_MAX_FDS 6 struct usb_endpoint_index { struct usb_endpoint_descriptor desc; int handle; }; struct usb_iface_index { struct usb_interface_descriptor* iface; uint8_t bInterfaceNumber; uint8_t bAlternateSetting; uint8_t bInterfaceClass; struct usb_endpoint_index eps[USB_MAX_EP_NUM]; int eps_num; }; struct usb_device_index { struct usb_device_descriptor* dev; struct usb_config_descriptor* config; uint8_t bDeviceClass; uint8_t bMaxPower; int config_length; struct usb_iface_index ifaces[USB_MAX_IFACE_NUM]; int ifaces_num; int iface_cur; }; struct usb_info { int fd; struct usb_device_index index; }; static struct usb_info usb_devices[USB_MAX_FDS]; static struct usb_device_index* lookup_usb_index(int fd) { for (int i = 0; i < USB_MAX_FDS; i++) { if (__atomic_load_n(&usb_devices[i].fd, __ATOMIC_ACQUIRE) == fd) return &usb_devices[i].index; } return NULL; } static int usb_devices_num; static bool parse_usb_descriptor(const char* buffer, size_t length, struct usb_device_index* index) { if (length < sizeof(*index->dev) + sizeof(*index->config)) return false; memset(index, 0, sizeof(*index)); index->dev = (struct usb_device_descriptor*)buffer; index->config = (struct usb_config_descriptor*)(buffer + sizeof(*index->dev)); index->bDeviceClass = index->dev->bDeviceClass; index->bMaxPower = index->config->bMaxPower; index->config_length = length - sizeof(*index->dev); index->iface_cur = -1; size_t offset = 0; while (true) { if (offset + 
1 >= length) break; uint8_t desc_length = buffer[offset]; uint8_t desc_type = buffer[offset + 1]; if (desc_length <= 2) break; if (offset + desc_length > length) break; if (desc_type == USB_DT_INTERFACE && index->ifaces_num < USB_MAX_IFACE_NUM) { struct usb_interface_descriptor* iface = (struct usb_interface_descriptor*)(buffer + offset); index->ifaces[index->ifaces_num].iface = iface; index->ifaces[index->ifaces_num].bInterfaceNumber = iface->bInterfaceNumber; index->ifaces[index->ifaces_num].bAlternateSetting = iface->bAlternateSetting; index->ifaces[index->ifaces_num].bInterfaceClass = iface->bInterfaceClass; index->ifaces_num++; } if (desc_type == USB_DT_ENDPOINT && index->ifaces_num > 0) { struct usb_iface_index* iface = &index->ifaces[index->ifaces_num - 1]; if (iface->eps_num < USB_MAX_EP_NUM) { memcpy(&iface->eps[iface->eps_num].desc, buffer + offset, sizeof(iface->eps[iface->eps_num].desc)); iface->eps_num++; } } offset += desc_length; } return true; } static struct usb_device_index* add_usb_index(int fd, const char* dev, size_t dev_len) { int i = __atomic_fetch_add(&usb_devices_num, 1, __ATOMIC_RELAXED); if (i >= USB_MAX_FDS) return NULL; if (!parse_usb_descriptor(dev, dev_len, &usb_devices[i].index)) return NULL; __atomic_store_n(&usb_devices[i].fd, fd, __ATOMIC_RELEASE); return &usb_devices[i].index; } struct vusb_connect_string_descriptor { uint32_t len; char* str; } __attribute__((packed)); struct vusb_connect_descriptors { uint32_t qual_len; char* qual; uint32_t bos_len; char* bos; uint32_t strs_len; struct vusb_connect_string_descriptor strs[0]; } __attribute__((packed)); static const char default_string[] = { 8, USB_DT_STRING, 's', 0, 'y', 0, 'z', 0 }; static const char default_lang_id[] = { 4, USB_DT_STRING, 0x09, 0x04 }; static bool lookup_connect_response_in(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, struct usb_qualifier_descriptor* qual, char** response_data, uint32_t* response_length) { struct 
usb_device_index* index = lookup_usb_index(fd); uint8_t str_idx; if (!index) return false; switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_GET_DESCRIPTOR: switch (ctrl->wValue >> 8) { case USB_DT_DEVICE: *response_data = (char*)index->dev; *response_length = sizeof(*index->dev); return true; case USB_DT_CONFIG: *response_data = (char*)index->config; *response_length = index->config_length; return true; case USB_DT_STRING: str_idx = (uint8_t)ctrl->wValue; if (descs && str_idx < descs->strs_len) { *response_data = descs->strs[str_idx].str; *response_length = descs->strs[str_idx].len; return true; } if (str_idx == 0) { *response_data = (char*)&default_lang_id[0]; *response_length = default_lang_id[0]; return true; } *response_data = (char*)&default_string[0]; *response_length = default_string[0]; return true; case USB_DT_BOS: *response_data = descs->bos; *response_length = descs->bos_len; return true; case USB_DT_DEVICE_QUALIFIER: if (!descs->qual) { qual->bLength = sizeof(*qual); qual->bDescriptorType = USB_DT_DEVICE_QUALIFIER; qual->bcdUSB = index->dev->bcdUSB; qual->bDeviceClass = index->dev->bDeviceClass; qual->bDeviceSubClass = index->dev->bDeviceSubClass; qual->bDeviceProtocol = index->dev->bDeviceProtocol; qual->bMaxPacketSize0 = index->dev->bMaxPacketSize0; qual->bNumConfigurations = index->dev->bNumConfigurations; qual->bRESERVED = 0; *response_data = (char*)qual; *response_length = sizeof(*qual); return true; } *response_data = descs->qual; *response_length = descs->qual_len; return true; default: break; } break; default: break; } break; default: break; } return false; } typedef bool (*lookup_connect_out_response_t)(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done); static bool lookup_connect_response_out_generic(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done) { switch (ctrl->bRequestType & 
USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_SET_CONFIGURATION: *done = true; return true; default: break; } break; } return false; } static int vhci_open(void) { char path[1024]; snprintf(path, sizeof(path), "/dev/vhci%llu", procid); return open(path, O_RDWR); } static int vhci_setport(int fd, u_int port) { struct vhci_ioc_set_port args; args.port = port; return ioctl(fd, VHCI_IOC_SET_PORT, &args); } static int vhci_usb_attach(int fd) { return ioctl(fd, VHCI_IOC_USB_ATTACH, NULL); } static int vhci_usb_recv(int fd, void* buf, size_t size) { uint8_t* ptr = (uint8_t*)buf; while (1) { ssize_t done = read(fd, ptr, size); if (done < 0) return -1; if ((size_t)done == size) return 0; size -= done; ptr += done; } } static int vhci_usb_send(int fd, void* buf, size_t size) { uint8_t* ptr = (uint8_t*)buf; while (1) { ssize_t done = write(fd, ptr, size); if (done <= 0) return -1; if ((size_t)done == size) return 0; size -= done; ptr += done; } } static volatile long syz_usb_connect_impl(int fd, uint64_t speed, uint64_t dev_len, const char* dev, const struct vusb_connect_descriptors* descs, lookup_connect_out_response_t lookup_connect_response_out) { struct usb_device_index* index = add_usb_index(fd, dev, dev_len); if (!index) { return -1; } if (vhci_setport(fd, 1)) exit(1); if (vhci_usb_attach(fd)) { return -1; } bool done = false; while (!done) { vhci_request_t req; if (vhci_usb_recv(fd, &req, sizeof(req))) { return -1; } if (req.type != VHCI_REQ_CTRL) { return -1; } char* response_data = NULL; uint32_t response_length = 0; struct usb_qualifier_descriptor qual; char data[4096]; if (req.u.ctrl.bmRequestType & UE_DIR_IN) { if (!lookup_connect_response_in(fd, descs, (const struct usb_ctrlrequest*)&req.u.ctrl, &qual, &response_data, &response_length)) { return -1; } } else { if (!lookup_connect_response_out(fd, descs, (const struct usb_ctrlrequest*)&req.u.ctrl, &done)) { return -1; } response_data = NULL; response_length = 
UGETW(req.u.ctrl.wLength); } if ((req.u.ctrl.bmRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD && req.u.ctrl.bRequest == USB_REQ_SET_CONFIGURATION) { } if (response_length > sizeof(data)) response_length = 0; if ((uint32_t)UGETW(req.u.ctrl.wLength) < response_length) response_length = UGETW(req.u.ctrl.wLength); if (response_data) memcpy(data, response_data, response_length); else memset(data, 0, response_length); int rv = 0; if (req.u.ctrl.bmRequestType & UE_DIR_IN) { if (response_length > 0) { vhci_response_t res; res.size = response_length; rv = vhci_usb_send(fd, &res, sizeof(res)); if (rv == 0) rv = vhci_usb_send(fd, data, response_length); } } else { rv = vhci_usb_recv(fd, data, response_length); } if (rv < 0) { return -1; } } sleep_ms(200); return fd; } static volatile long syz_usb_connect(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { uint64_t speed = a0; uint64_t dev_len = a1; const char* dev = (const char*)a2; const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3; if (!dev) { return -1; } int fd = vhci_open(); if (fd < 0) exit(1); long res = syz_usb_connect_impl(fd, speed, dev_len, dev, descs, &lookup_connect_response_out_generic); close(fd); return res; } int main(void) { syscall(SYS_mmap, 0x20000000ul, 0x1000000ul, 3ul, 0x1012ul, -1, 0ul, 0ul); *(uint8_t*)0x20000000 = 0x12; *(uint8_t*)0x20000001 = 1; *(uint16_t*)0x20000002 = 0x200; *(uint8_t*)0x20000004 = 0; *(uint8_t*)0x20000005 = 0; *(uint8_t*)0x20000006 = 0; *(uint8_t*)0x20000007 = 8; *(uint16_t*)0x20000008 = 0; *(uint16_t*)0x2000000a = 0; *(uint16_t*)0x2000000c = 0; *(uint8_t*)0x2000000e = 1; *(uint8_t*)0x2000000f = 2; *(uint8_t*)0x20000010 = 3; *(uint8_t*)0x20000011 = 1; *(uint8_t*)0x20000012 = 9; *(uint8_t*)0x20000013 = 2; *(uint16_t*)0x20000014 = 0x514; *(uint8_t*)0x20000016 = 2; *(uint8_t*)0x20000017 = 0x7f; *(uint8_t*)0x20000018 = 4; *(uint8_t*)0x20000019 = 0x80; *(uint8_t*)0x2000001a = 0x68; *(uint8_t*)0x2000001b = 9; 
*(uint8_t*)0x2000001c = 4; *(uint8_t*)0x2000001d = 0x7f; *(uint8_t*)0x2000001e = 7; *(uint8_t*)0x2000001f = 0xf; *(uint8_t*)0x20000020 = 0; *(uint8_t*)0x20000021 = 0; *(uint8_t*)0x20000022 = 0; *(uint8_t*)0x20000023 = 6; *(uint8_t*)0x20000024 = 9; *(uint8_t*)0x20000025 = 5; *(uint8_t*)0x20000026 = 4; *(uint8_t*)0x20000027 = 0x10; *(uint16_t*)0x20000028 = 0x400; *(uint8_t*)0x2000002a = 6; *(uint8_t*)0x2000002b = 1; *(uint8_t*)0x2000002c = 7; *(uint8_t*)0x2000002d = 0xce; *(uint8_t*)0x2000002e = 0x21; memcpy((void*)0x2000002f, "\x65\x2d\xc4\xa0\x21\x48\x87\xc9\x3a\x5b\x85\x51\x82\x9e\xfa\x21\x78\x82\x89\x9c\xed\x97\x90\xf8\x1c\xd2\x5c\x10\xaf\xfb\x6b\x72\x51\x0d\xb7\x6f\xf4\x90\x3e\xd4\xeb\x69\xd2\x33\x27\x93\xd9\xbe\xe4\xf5\xff\x99\xef\xa0\x70\xa8\x42\xcc\x8e\xb1\x0a\x39\x33\x06\x2e\x4e\xd7\xd9\x89\x0a\xbe\xfe\x63\xf1\x88\x39\xf3\x4b\xd6\x97\xdb\xff\xf3\xee\x57\xbf\x8b\x1b\x1d\x22\xa5\x5a\xa4\x9c\x39\x1c\x5b\x82\x14\x5e\xf7\x9e\xa0\x35\x79\x76\x0c\xe2\x61\x36\x84\x08\x81\x8b\xb1\xe4\x6d\xd2\x41\x65\x33\x89\x57\x80\xb0\xa6\x8c\x62\x16\xde\xc2\xff\xcf\x0e\x39\xee\x76\x71\x9b\xef\x68\x29\xc8\x03\x50\xe6\xdd\xb7\x85\xee\x58\x6c\xb2\xfa\x94\xd0\x82\x6b\xad\xd3\xc0\xa2\x49\x9e\x05\x77\x57\x6c\x1c\x04\xf1\xa4\x69\x4c\xa9\x97\x87\x46\x53\x59\xbf\xed\xa4\x69\x20\xd2\x55\x1a\x14\xf6\x61\xe9\x58\x7a\xb2\x8a\xde\x55\xde\xd1\x63\x9a\xc5\x1f", 204); *(uint8_t*)0x200000fb = 0x8d; *(uint8_t*)0x200000fc = 0xa; memcpy((void*)0x200000fd, 
"\x4e\xf6\x18\xa6\xbb\x22\xc5\xd4\x22\xb9\x41\xd7\x6c\x53\x1a\x9c\x10\x25\x38\xf0\x32\x66\x5e\x73\xba\x92\xad\x54\x60\xe8\x1a\x62\x59\x17\x8b\x41\x81\x4e\x22\xb2\xf2\xdd\x4d\xeb\x65\xae\xba\x07\xec\x1a\x9c\x56\x6e\x71\xcd\x0f\xc4\xf2\xe5\x05\x1a\x11\x68\xd7\xde\xb0\x51\xc7\xa3\x17\x7e\x53\x33\xfb\x7a\xa5\x50\x9f\xbf\xf8\x04\x8c\x8c\x80\x9f\xad\x1d\x06\xa8\x52\x3d\xb9\xa1\x01\x7f\x01\x99\xc4\x63\x87\xc9\xe3\xe6\x1a\x2d\x7d\x0d\xa8\x73\x97\x11\x87\x98\xe6\xb5\x8f\x42\xa9\x6f\x60\xc0\x12\x89\x4b\x30\x02\x37\xdd\xad\x33\xea\xc3\xa5\xb2\xa3\x37\xd5\xb8\x40", 139); *(uint8_t*)0x20000188 = 9; *(uint8_t*)0x20000189 = 5; *(uint8_t*)0x2000018a = 0xb; *(uint8_t*)0x2000018b = 0x10; *(uint16_t*)0x2000018c = 0x10; *(uint8_t*)0x2000018e = 3; *(uint8_t*)0x2000018f = 1; *(uint8_t*)0x20000190 = 0x7f; *(uint8_t*)0x20000191 = 9; *(uint8_t*)0x20000192 = 5; *(uint8_t*)0x20000193 = 5; *(uint8_t*)0x20000194 = 2; *(uint16_t*)0x20000195 = 0x200; *(uint8_t*)0x20000197 = 5; *(uint8_t*)0x20000198 = 0xf7; *(uint8_t*)0x20000199 = 3; *(uint8_t*)0x2000019a = 9; *(uint8_t*)0x2000019b = 5; *(uint8_t*)0x2000019c = 0xa; *(uint8_t*)0x2000019d = 0; *(uint16_t*)0x2000019e = 0x40; *(uint8_t*)0x200001a0 = 0xfa; *(uint8_t*)0x200001a1 = 0; *(uint8_t*)0x200001a2 = 5; *(uint8_t*)0x200001a3 = 9; *(uint8_t*)0x200001a4 = 5; *(uint8_t*)0x200001a5 = 0; *(uint8_t*)0x200001a6 = 1; *(uint16_t*)0x200001a7 = 0x200; *(uint8_t*)0x200001a9 = 1; *(uint8_t*)0x200001aa = 5; *(uint8_t*)0x200001ab = 0xfd; *(uint8_t*)0x200001ac = 7; *(uint8_t*)0x200001ad = 0x25; *(uint8_t*)0x200001ae = 1; *(uint8_t*)0x200001af = 0x80; *(uint8_t*)0x200001b0 = 0x81; *(uint16_t*)0x200001b1 = 0xbe4; *(uint8_t*)0x200001b3 = 9; *(uint8_t*)0x200001b4 = 5; *(uint8_t*)0x200001b5 = 8; *(uint8_t*)0x200001b6 = 0; *(uint16_t*)0x200001b7 = 0x20; *(uint8_t*)0x200001b9 = 7; *(uint8_t*)0x200001ba = 4; *(uint8_t*)0x200001bb = 0x80; *(uint8_t*)0x200001bc = 7; *(uint8_t*)0x200001bd = 0x25; *(uint8_t*)0x200001be = 1; *(uint8_t*)0x200001bf = 0; *(uint8_t*)0x200001c0 
= 1; *(uint16_t*)0x200001c1 = 5; *(uint8_t*)0x200001c3 = 9; *(uint8_t*)0x200001c4 = 5; *(uint8_t*)0x200001c5 = 0xd; *(uint8_t*)0x200001c6 = 4; *(uint16_t*)0x200001c7 = 0x200; *(uint8_t*)0x200001c9 = 8; *(uint8_t*)0x200001ca = -1; *(uint8_t*)0x200001cb = 8; *(uint8_t*)0x200001cc = 7; *(uint8_t*)0x200001cd = 0x25; *(uint8_t*)0x200001ce = 1; *(uint8_t*)0x200001cf = 0x83; *(uint8_t*)0x200001d0 = 0; *(uint16_t*)0x200001d1 = 6; *(uint8_t*)0x200001d3 = 9; *(uint8_t*)0x200001d4 = 5; *(uint8_t*)0x200001d5 = 3; *(uint8_t*)0x200001d6 = 1; *(uint16_t*)0x200001d7 = 0x2f0f; *(uint8_t*)0x200001d9 = 0xe1; *(uint8_t*)0x200001da = 0x78; *(uint8_t*)0x200001db = 0x80; *(uint8_t*)0x200001dc = 7; *(uint8_t*)0x200001dd = 0x25; *(uint8_t*)0x200001de = 1; *(uint8_t*)0x200001df = 0x82; *(uint8_t*)0x200001e0 = 2; *(uint16_t*)0x200001e1 = 1; *(uint8_t*)0x200001e3 = 0xd7; *(uint8_t*)0x200001e4 = 0xf; memcpy((void*)0x200001e5, "\x53\x43\x08\x43\x35\x63\xa2\x49\x70\x53\xdb\xe7\x7c\xd9\xe8\xbe\xfb\x23\x48\xda\x76\x2f\x15\xc6\x9d\x70\x55\x37\x7a\xd3\x97\x19\xe6\x2a\xd4\x09\x47\xfb\xc6\x6a\x6c\xad\x60\xf2\xc9\xd2\xa9\x56\x01\x74\x08\x18\xeb\x5d\x7e\xa4\xe0\xc5\x25\x0d\x9b\xd0\x49\xcb\xff\xe3\x37\xf7\xc4\xd9\xf4\x6e\xa3\xd3\x06\x9a\x1e\x26\x46\x17\xb8\x53\xa4\xb9\xf0\x9e\x9f\xdb\xa5\xf8\x34\x27\xaa\xda\xd0\xe1\x35\x49\xd1\x28\x3b\x88\xa7\xec\x1c\x6e\xff\xee\x72\xb7\xed\xb9\xa4\x90\xdb\xeb\x1c\xc9\x9f\x30\x84\x4c\x98\x97\x25\x37\x4e\x07\x66\x33\x53\x48\xa8\xa7\xea\x7a\x67\xc8\xcf\x88\xc7\x39\x84\x98\xda\xc8\xd2\x9b\xc4\x96\xe1\x88\xac\x65\x5b\x0d\x1f\xf8\x2c\x85\x2c\x6b\xa7\x6d\x22\xf2\x6c\xd9\x65\x6b\x61\x75\x9e\xfc\xf5\x2a\xa1\x16\x3e\x1c\x40\x82\x31\x3b\xba\x41\x91\xa4\x31\xf2\x89\x54\x7b\x3b\x3e\xd2\x7a\x6b\x6e\x3c\xe3\x9c\x00\x6a\x98\xce\xa3\x10\x8f\xc5\x4f\x24\x0b", 213); *(uint8_t*)0x200002ba = 9; *(uint8_t*)0x200002bb = 5; *(uint8_t*)0x200002bc = 6; *(uint8_t*)0x200002bd = 0; *(uint16_t*)0x200002be = 0x400; *(uint8_t*)0x200002c0 = 0xc2; *(uint8_t*)0x200002c1 = 0x7d; *(uint8_t*)0x200002c2 = 2; 
*(uint8_t*)0x200002c3 = 9; *(uint8_t*)0x200002c4 = 5; *(uint8_t*)0x200002c5 = 0xe; *(uint8_t*)0x200002c6 = 4; *(uint16_t*)0x200002c7 = 0x20; *(uint8_t*)0x200002c9 = 0; *(uint8_t*)0x200002ca = 0x1f; *(uint8_t*)0x200002cb = 0; *(uint8_t*)0x200002cc = 9; *(uint8_t*)0x200002cd = 5; *(uint8_t*)0x200002ce = 0xd; *(uint8_t*)0x200002cf = 0x10; *(uint16_t*)0x200002d0 = 0x200; *(uint8_t*)0x200002d2 = 7; *(uint8_t*)0x200002d3 = 0xab; *(uint8_t*)0x200002d4 = 7; *(uint8_t*)0x200002d5 = 7; *(uint8_t*)0x200002d6 = 0x25; *(uint8_t*)0x200002d7 = 1; *(uint8_t*)0x200002d8 = 0x81; *(uint8_t*)0x200002d9 = 2; *(uint16_t*)0x200002da = 0x731; *(uint8_t*)0x200002dc = 7; *(uint8_t*)0x200002dd = 0x25; *(uint8_t*)0x200002de = 1; *(uint8_t*)0x200002df = 0; *(uint8_t*)0x200002e0 = 5; *(uint16_t*)0x200002e1 = 0; *(uint8_t*)0x200002e3 = 9; *(uint8_t*)0x200002e4 = 5; *(uint8_t*)0x200002e5 = 2; *(uint8_t*)0x200002e6 = 3; *(uint16_t*)0x200002e7 = 0x40; *(uint8_t*)0x200002e9 = 7; *(uint8_t*)0x200002ea = 8; *(uint8_t*)0x200002eb = 0x3f; *(uint8_t*)0x200002ec = 9; *(uint8_t*)0x200002ed = 5; *(uint8_t*)0x200002ee = 0; *(uint8_t*)0x200002ef = 0; *(uint16_t*)0x200002f0 = 0x20; *(uint8_t*)0x200002f2 = 6; *(uint8_t*)0x200002f3 = 5; *(uint8_t*)0x200002f4 = 3; *(uint8_t*)0x200002f5 = 9; *(uint8_t*)0x200002f6 = 5; *(uint8_t*)0x200002f7 = 6; *(uint8_t*)0x200002f8 = 0; *(uint16_t*)0x200002f9 = 0x200; *(uint8_t*)0x200002fb = 7; *(uint8_t*)0x200002fc = 0x80; *(uint8_t*)0x200002fd = 0xa1; *(uint8_t*)0x200002fe = 7; *(uint8_t*)0x200002ff = 0x25; *(uint8_t*)0x20000300 = 1; *(uint8_t*)0x20000301 = 0x82; *(uint8_t*)0x20000302 = 6; *(uint16_t*)0x20000303 = 0x8080; *(uint8_t*)0x20000305 = 0xf1; *(uint8_t*)0x20000306 = 0x10; memcpy((void*)0x20000307, 
"\x52\xaa\xcf\xee\x5b\x0c\x7a\xbb\x59\xe1\x86\xe4\x10\x5f\x45\xd0\x1d\x0b\x91\x16\xed\x19\x31\xad\xb3\xc9\xd1\xe3\xe0\x60\x7a\xbf\xdf\x39\x3b\xd4\xa8\x39\x19\x69\xbc\x03\xe7\x10\x64\xf9\x9c\x9f\x80\x79\x2f\xaf\x7e\x16\xac\xa6\x0f\xa1\x9a\xbc\x24\x42\xf4\x71\x7a\xbf\x8c\xb1\x3d\x56\xbc\xcb\x38\xf1\x37\xf6\x0d\xce\x1c\xfe\xdf\x3d\x44\xcb\x58\x67\xdf\xda\x66\x6f\x15\xe4\xdd\xca\xac\xe8\xca\x8e\xb2\xeb\x55\x80\x09\x2a\x87\x99\x77\xc3\x85\xe8\xe3\xb1\x07\xa5\xe1\x7d\xf9\x5d\x4f\x2f\x7b\xfd\x28\x24\x12\x62\xa0\x29\xb9\x88\x7e\xcf\x13\xd0\x62\x5e\xeb\xa4\x3c\xff\x6f\x39\xbf\x35\x03\x4e\xd4\x43\xc4\x08\x50\x8b\x4e\x4e\x99\x42\xaf\xad\x9c\xba\x9a\x1e\x33\x4c\xb7\x0e\xe6\xfe\x80\x94\x25\x96\x1b\xcb\xc2\x8a\x03\xe4\xee\x33\x2b\x7b\xf4\x06\x7f\x99\xa3\x08\x06\x9f\xea\x42\x60\xbd\xf2\x06\x5f\x62\x5d\x08\x9e\xcb\xba\x17\x65\xe9\x56\x02\x8b\x1e\xd3\x0b\x5f\xa5\x24\xd7\xb3\xc5\x9c\x35\x0d\xdc\x08\x33\xba\x45\x5e\x41\xe6\x11\x78\x91\xec\x13\x44\x35\x21\x55\x76", 239); *(uint8_t*)0x200003f6 = 9; *(uint8_t*)0x200003f7 = 5; *(uint8_t*)0x200003f8 = 3; *(uint8_t*)0x200003f9 = 0x10; *(uint16_t*)0x200003fa = 0x3ff; *(uint8_t*)0x200003fc = 4; *(uint8_t*)0x200003fd = 0x7f; *(uint8_t*)0x200003fe = 4; *(uint8_t*)0x200003ff = 9; *(uint8_t*)0x20000400 = 4; *(uint8_t*)0x20000401 = 8; *(uint8_t*)0x20000402 = 4; *(uint8_t*)0x20000403 = 7; *(uint8_t*)0x20000404 = 0; *(uint8_t*)0x20000405 = 0; *(uint8_t*)0x20000406 = 0; *(uint8_t*)0x20000407 = 0x81; *(uint8_t*)0x20000408 = 0x11; *(uint8_t*)0x20000409 = 0x24; *(uint8_t*)0x2000040a = 2; *(uint8_t*)0x2000040b = 1; *(uint8_t*)0x2000040c = 5; *(uint8_t*)0x2000040d = 1; *(uint8_t*)0x2000040e = 7; *(uint8_t*)0x2000040f = 1; memcpy((void*)0x20000410, "\x87\xa6\x5e\xc6\x14\x12\x7e\xd5\x1e", 9); *(uint8_t*)0x20000419 = 7; *(uint8_t*)0x2000041a = 0x24; *(uint8_t*)0x2000041b = 1; *(uint8_t*)0x2000041c = 0x49; *(uint8_t*)0x2000041d = 1; *(uint16_t*)0x2000041e = 0x1001; *(uint8_t*)0x20000420 = 9; *(uint8_t*)0x20000421 = 5; *(uint8_t*)0x20000422 = 0; 
*(uint8_t*)0x20000423 = 0; *(uint16_t*)0x20000424 = 0x3ff; *(uint8_t*)0x20000426 = 0xfe; *(uint8_t*)0x20000427 = 0xd6; *(uint8_t*)0x20000428 = 7; *(uint8_t*)0x20000429 = 9; *(uint8_t*)0x2000042a = 5; *(uint8_t*)0x2000042b = 0xf; *(uint8_t*)0x2000042c = 0x10; *(uint16_t*)0x2000042d = 0x10; *(uint8_t*)0x2000042f = 0; *(uint8_t*)0x20000430 = 9; *(uint8_t*)0x20000431 = 0; *(uint8_t*)0x20000432 = 9; *(uint8_t*)0x20000433 = 5; *(uint8_t*)0x20000434 = 0xc; *(uint8_t*)0x20000435 = 8; *(uint16_t*)0x20000436 = 0x40; *(uint8_t*)0x20000438 = 2; *(uint8_t*)0x20000439 = 0xea; *(uint8_t*)0x2000043a = 0x81; *(uint8_t*)0x2000043b = 7; *(uint8_t*)0x2000043c = 0x25; *(uint8_t*)0x2000043d = 1; *(uint8_t*)0x2000043e = 3; *(uint8_t*)0x2000043f = 0x3f; *(uint16_t*)0x20000440 = 0x40; *(uint8_t*)0x20000442 = 7; *(uint8_t*)0x20000443 = 0x25; *(uint8_t*)0x20000444 = 1; *(uint8_t*)0x20000445 = 0x81; *(uint8_t*)0x20000446 = 1; *(uint16_t*)0x20000447 = 3; *(uint8_t*)0x20000449 = 9; *(uint8_t*)0x2000044a = 5; *(uint8_t*)0x2000044b = 0xc; *(uint8_t*)0x2000044c = 0; *(uint16_t*)0x2000044d = 0x400; *(uint8_t*)0x2000044f = 0; *(uint8_t*)0x20000450 = 3; *(uint8_t*)0x20000451 = 2; *(uint8_t*)0x20000452 = 0x72; *(uint8_t*)0x20000453 = 0x31; memcpy((void*)0x20000454, "\x80\x07\x5b\x78\xdd\xc5\x2e\x87\x95\xb0\xc4\x62\xea\xe7\xe1\x5f\x19\xe5\xc3\x99\xe0\x9a\xe4\x59\x01\x2c\xf0\xb8\x9e\xad\x8a\xaf\xb0\xff\xad\x2e\x58\x15\x47\xbd\x7b\x65\x2b\xa3\x2d\xc9\x26\x45\xe4\x9a\x10\xff\x3e\x99\xfb\x9a\xc4\xe9\x37\x18\xf4\x99\xc2\x80\xfb\x9c\x56\x5c\x85\x57\x88\xa8\x2b\x50\x4c\x0e\x99\x14\x4c\xa2\x33\xaf\xc0\x84\x71\x8f\xda\x37\x25\x7e\x79\xa8\x49\xb2\xe7\xd2\x5e\x8f\x7b\x96\x9a\xe7\x99\xe9\x1a\x7c\xa8\xed\x13\x97\x67\xec", 112); *(uint8_t*)0x200004c4 = 9; *(uint8_t*)0x200004c5 = 5; *(uint8_t*)0x200004c6 = 0xd; *(uint8_t*)0x200004c7 = 0; *(uint16_t*)0x200004c8 = 0x40; *(uint8_t*)0x200004ca = 0xf8; *(uint8_t*)0x200004cb = 0x40; *(uint8_t*)0x200004cc = 0x20; *(uint8_t*)0x200004cd = 7; *(uint8_t*)0x200004ce = 0x25; 
*(uint8_t*)0x200004cf = 1; *(uint8_t*)0x200004d0 = 0x80; *(uint8_t*)0x200004d1 = 0; *(uint16_t*)0x200004d2 = 0x20; *(uint8_t*)0x200004d4 = 0x39; *(uint8_t*)0x200004d5 = 0x21; memcpy((void*)0x200004d6, "\x3b\xff\xba\x8d\xe1\xda\xcb\xbc\xfa\xe2\x20\x23\xb8\x1f\x17\x17\x77\x26\x78\x81\x0f\x40\x6b\x8b\x5c\x3a\x13\xbe\xe3\xf9\x9d\x5c\x23\x8e\x1b\x4d\xf3\x64\x84\x51\xa2\x6b\x32\x67\x3b\xd5\x2c\x80\x38\x19\xc7\xfd\xc7\xc9\x15", 55); *(uint8_t*)0x2000050d = 9; *(uint8_t*)0x2000050e = 5; *(uint8_t*)0x2000050f = 6; *(uint8_t*)0x20000510 = 4; *(uint16_t*)0x20000511 = 0x3ff; *(uint8_t*)0x20000513 = 6; *(uint8_t*)0x20000514 = 9; *(uint8_t*)0x20000515 = 1; *(uint8_t*)0x20000516 = 9; *(uint8_t*)0x20000517 = 5; *(uint8_t*)0x20000518 = 1; *(uint8_t*)0x20000519 = 0; *(uint16_t*)0x2000051a = 0x200; *(uint8_t*)0x2000051c = 6; *(uint8_t*)0x2000051d = 0; *(uint8_t*)0x2000051e = 0x94; *(uint8_t*)0x2000051f = 7; *(uint8_t*)0x20000520 = 0x25; *(uint8_t*)0x20000521 = 1; *(uint8_t*)0x20000522 = 0x80; *(uint8_t*)0x20000523 = 0x7c; *(uint16_t*)0x20000524 = 1; *(uint32_t*)0x20000940 = 0xa; *(uint64_t*)0x20000944 = 0x20000540; *(uint8_t*)0x20000540 = 0xa; *(uint8_t*)0x20000541 = 6; *(uint16_t*)0x20000542 = 0x310; *(uint8_t*)0x20000544 = 8; *(uint8_t*)0x20000545 = 0x7f; *(uint8_t*)0x20000546 = 4; *(uint8_t*)0x20000547 = 0x20; *(uint8_t*)0x20000548 = 0x5a; *(uint8_t*)0x20000549 = 0; *(uint32_t*)0x2000094c = 0x29; *(uint64_t*)0x20000950 = 0x20000580; *(uint8_t*)0x20000580 = 5; *(uint8_t*)0x20000581 = 0xf; *(uint16_t*)0x20000582 = 0x29; *(uint8_t*)0x20000584 = 4; *(uint8_t*)0x20000585 = 3; *(uint8_t*)0x20000586 = 0x10; *(uint8_t*)0x20000587 = 0xb; *(uint8_t*)0x20000588 = 0xa; *(uint8_t*)0x20000589 = 0x10; *(uint8_t*)0x2000058a = 3; *(uint8_t*)0x2000058b = 2; *(uint16_t*)0x2000058c = 8; *(uint8_t*)0x2000058e = 0; *(uint8_t*)0x2000058f = 7; *(uint16_t*)0x20000590 = 4; *(uint8_t*)0x20000592 = 3; *(uint8_t*)0x20000593 = 0x10; *(uint8_t*)0x20000594 = 0xb; *(uint8_t*)0x20000595 = 0x14; 
*(uint8_t*)0x20000596 = 0x10; *(uint8_t*)0x20000597 = 4; *(uint8_t*)0x20000598 = 0; memcpy((void*)0x20000599, "\x79\xeb\x16\xec\x3c\x3b\x00\x28\x29\x19\xec\x5d\xab\xf4\x1e\x0b", 16); *(uint32_t*)0x20000958 = 6; *(uint32_t*)0x2000095c = 0xd6; *(uint64_t*)0x20000960 = 0x200005c0; *(uint8_t*)0x200005c0 = 0xd6; *(uint8_t*)0x200005c1 = 3; memcpy((void*)0x200005c2, "\x28\xdc\x0f\x3e\x2d\x2c\xbf\x02\xca\x36\xa4\xe5\xd1\xb0\xf0\xdd\xfe\x55\xca\xca\xc8\xc4\xfb\xa9\xcf\x77\xe2\xd4\xa6\x97\x59\xc8\xf7\x30\x83\xb5\xf4\x91\xc1\xaa\x8d\x6d\x6b\x23\x33\x3d\xf0\xe8\x68\xfe\xc3\xda\xa7\x88\xc8\x56\x3e\x11\xfb\x66\xa3\x76\xaa\xad\x37\xc0\xea\x81\x8a\x9b\x06\x5a\x9a\x5a\xb9\xd5\x63\xac\x6a\x59\xb0\x5e\xdf\xdb\xff\xba\xd7\xcd\x0e\xc0\xc4\xb9\x6f\xee\x18\xb1\x34\x51\xb4\x65\xb1\x9e\xeb\x4b\x06\x0d\xa2\x13\x35\xd1\x58\x84\xcd\xf7\x99\xaf\x63\xa1\x40\x69\xf3\x39\x2f\x03\xc8\xec\x50\xad\xbd\x67\xaf\xf0\x50\x9c\xa4\x58\xac\x81\x1a\xff\x47\x01\x93\xe6\x46\x74\x13\x36\xb2\x3a\xef\xaa\x87\x74\xac\x86\xcf\x83\xeb\xc1\xd8\x56\x3c\xc6\xb2\x18\x6d\x82\x1b\x38\x7e\x80\xb2\xbf\x92\x07\x59\xc1\x4b\xab\x6d\x5b\x89\x83\x05\xe8\xe9\x29\x53\xa4\xe0\xe3\xea\x2f\x26\x59\x45\xad\x79\x8b\x65\x4c\x24\xab\xb6\xef\xb8\xaf\x3d\xe0\x83\x9c", 212); *(uint32_t*)0x20000968 = 4; *(uint64_t*)0x2000096c = 0x200006c0; *(uint8_t*)0x200006c0 = 4; *(uint8_t*)0x200006c1 = 3; *(uint16_t*)0x200006c2 = 0x404; *(uint32_t*)0x20000974 = 0xd6; *(uint64_t*)0x20000978 = 0x20000700; *(uint8_t*)0x20000700 = 0xd6; *(uint8_t*)0x20000701 = 3; memcpy((void*)0x20000702, 
"\xdc\xb5\x60\x6f\xb8\x19\x16\xb2\x04\xab\xe3\x01\x66\x6b\x98\x1c\xb5\xa3\x7c\x2d\x01\x1d\xbb\xb0\x22\x08\x59\xdf\x5d\x86\x26\xec\x7b\xd4\xfb\xc2\xee\x02\x24\x76\x9f\x8e\xe0\x8b\xdf\x8b\xe9\x8d\x23\x5e\xb0\x84\x3b\x8e\x7a\x3a\x58\x16\x16\xd9\xd8\x94\x92\x34\x62\x6d\xd9\x8c\xf0\x49\x42\x6c\x44\x5b\xb6\x4a\x41\x63\x22\x2d\xf3\xaf\x91\x19\x9d\x32\x9d\x7e\xd5\x41\xf4\x5a\xed\x12\x50\xa8\x20\xf2\xea\xfb\x7a\x2f\xed\xd7\x32\x5d\x19\x95\x56\x12\xce\x92\xa1\x16\x4a\x67\x70\xe2\xc6\x50\x2a\x80\xaa\x0c\xf1\x40\x34\x50\x9b\xe6\xc5\x68\x0d\x67\x75\xda\xfd\x4a\xfa\xc6\x14\x47\x89\x37\xb1\xc4\x3d\x8d\xb3\x20\x3e\x7f\xc5\x16\xc2\x07\x84\x33\x59\x89\x78\x9c\xe4\x6e\xbf\x28\xe5\xb1\x81\xd4\x7f\x96\x69\x17\x86\xcf\x49\x4b\x19\x8a\x3d\x0b\x9d\x90\x08\xdd\xfe\x24\x86\x32\xaf\x3d\x69\x12\xc6\xad\x2c\xfe\xb0\x01\xb9\xc0\x4e\x86\x76\x47\x62\x20\x7b\x35\x10\x2b", 212); *(uint32_t*)0x20000980 = 0xb3; *(uint64_t*)0x20000984 = 0x20000800; *(uint8_t*)0x20000800 = 0xb3; *(uint8_t*)0x20000801 = 3; memcpy((void*)0x20000802, "\x34\x45\x40\xa5\x88\x3c\x73\xf2\xb8\xd6\x6e\x36\x14\x4a\x9f\xcc\xe7\x0b\xd6\xcf\x4b\x0f\xee\xee\x92\x71\x1e\x25\x19\x22\x32\xdf\xd3\xaa\xef\x70\x52\x54\x66\xfc\x4f\x8d\x13\xef\x20\xe2\xf0\x1a\x7a\x70\x61\x18\x54\xc4\xc0\xaa\xa7\x92\xa5\x86\xac\x4c\x66\xce\x00\x61\x0c\x7b\xd2\x82\xab\x34\x65\xbb\x4f\x09\x51\x8e\x46\xf9\x74\xa9\x33\xea\xde\x56\x45\xc8\xc2\xa0\xb0\xa2\x11\x2c\x42\xa1\x0c\xb9\x8f\x1f\x1f\x5d\x61\x3f\x1f\x65\xfd\xc0\x14\x3f\x14\x58\x18\x94\x07\x0b\xaf\x90\xad\xb1\x78\x24\xc5\xb2\xea\xae\x40\xc6\x97\x11\x22\x35\x2e\xc0\xb1\x62\x64\x35\x48\xa9\xaa\x27\xdb\xb2\x6f\xbb\xdf\x71\xd9\x4e\x8b\xa9\x48\x1c\x03\xe8\xd8\xda\xe2\xf5\x3e\x42\x07\x29\x88\xaf\xd5\xba\x7d\x26\x88\x94\x9d\xa1\xc8\x1a\x60", 177); *(uint32_t*)0x2000098c = 0x27; *(uint64_t*)0x20000990 = 0x200008c0; *(uint8_t*)0x200008c0 = 0x27; *(uint8_t*)0x200008c1 = 3; memcpy((void*)0x200008c2, 
"\x11\x4e\xf1\xb1\x90\x30\xd1\x62\x1e\xa9\x75\x2d\xce\x6d\xab\xa0\x51\x2f\xe2\x47\xf3\x81\x44\xe1\xe9\x0d\x33\x82\xe6\x3a\xc1\x23\x41\xf2\x76\x5f\xbf", 37); *(uint32_t*)0x20000998 = 4; *(uint64_t*)0x2000099c = 0x20000900; *(uint8_t*)0x20000900 = 4; *(uint8_t*)0x20000901 = 3; *(uint16_t*)0x20000902 = 0x1c09; syz_usb_connect(4, 0x526, 0x20000000, 0x20000940); return 0; } compiler invocation: /syzkaller/shared/netbsd/tools/bin/x86_64--netbsd-g++ [-o /tmp/syz-executor2929141479 -DGOOS_netbsd=1 -DGOARCH_amd64=1 -DHOSTGOOS_linux=1 -x c - -m64 --sysroot /syzkaller/shared/netbsd/dest/ -O2 -pthread -Wall -Werror -Wparentheses -Wframe-larger-than=16384] --- FAIL: TestGenerate/netbsd/amd64/single_syz_usb_disconnect (0.20s) csource_test.go:150: opts: {Threaded:false Repeat:false RepeatTimes:0 Procs:0 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false UseTmpDir:false HandleSegv:false Repro:false Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}} program: r0 = syz_usb_connect(0x5, 0xc57, &(0x7f0000000000)={{0x12, 0x1, 0x250, 0x0, 0x0, 0x0, 0x8, 0x0, 0x0, 0x0, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0xc45, 0x4, 0x3f, 0x1, 0x20, 0x83, [{{0x9, 0x4, 0x7, 0x7, 0xb, 0x0, 0x0, 0x0, 0x7f, [@uac_as={[@format_type_i_continuous={0xc, 0x24, 0x2, 0x1, 0x7f, 0x3, 0x8, 0x9, "2a0f", "26f6"}, @format_type_i_continuous={0xa, 0x24, 0x2, 0x1, 0x0, 0x3, 0x7, 0x80, "db", ']'}]}], [{{0x9, 0x5, 0x0, 0x0, 0x10, 0x9, 0x6, 0xc0, [@uac_iso={0x7, 0x25, 0x1, 0x81, 0x40, 0x6}]}}, {{0x9, 0x5, 0x80, 0x0, 0x10, 0x0, 0x3b, 0x6, [@uac_iso={0x7, 0x25, 0x1, 0x80, 0x3, 0x9}]}}, {{0x9, 0x5, 0xe, 0x8, 0x200, 0x9, 0xf8, 0x1, [@uac_iso={0x7, 0x25, 0x1, 0x1, 0x81, 0x800}]}}, {{0x9, 0x5, 0x8, 0x0, 0x10, 0x1f, 0x2, 0x7, [@uac_iso={0x7, 0x25, 0x1, 0x2, 0x5, 0x7}]}}, {{0x9, 0x5, 0x8, 0x4, 0x40, 0xa1, 0x8, 
0x7f, [@generic={0xc1, 0x6, "e6af4f4d721d90c2762cc94dc6159d3e93bcbbbbaa2c1a8647cdd203c747246afbae5742db64e77b0704a7f957b82c1e957dadcba1160e1318826a8b53dda1b79975d45d2c339322ddb1695507b9507fa3c2ca14f5b76e8a2b2e6bb34db6144a0f787fdb0f2e9b89f4ab54bd8c3f39f7bcdd8e8b0155ac1c334ff0872a65e941f07455f29968c37557243013743845acb41d880ba2ed308c88b3043e8b82f49df3413bf83609a58f4dfa7526e6e1ff494616138c50e05ab2c9e51561dc1151"}, @generic={0x2b, 0x10, "431fa3449c9c644e2a45cdd129a04461d16c416a48f6d9ad45f0d1cbf32086dce178046112d4dc081c"}]}}, {{0x9, 0x5, 0x80, 0x4e076ee4fb7f9f15, 0x600, 0x3f, 0x4, 0x6, [@uac_iso={0x7, 0x25, 0x1, 0x40, 0x20, 0x8000}, @generic={0x2a, 0x21, "d91fbd9c4bbcef40946236bfd1bb97ad106656e7ba5229030d0385cfd29361cc78fd14139dd42145"}]}}, {{0x9, 0x5, 0x0, 0x10, 0x3ff, 0x0, 0x7f, 0x9, [@uac_iso={0x7, 0x25, 0x1, 0x1, 0x3, 0x6}]}}, {{0x9, 0x5, 0x0, 0x10, 0x3ff, 0x7f, 0x8, 0x9, [@generic={0xf1, 0x30, "1a8a6e6f09eb96de81760047970f0f77b8965ae767014456eb2bfea464c4791197e3d2f2151b198375d69a88be01d94bf9a7421ed40f13bbcb08650c3d1e85d28bef05abfba42f2f63a144d59387f344d14296d37079c38f82907feeded34ca3e460e3ddd082bb7c519a76c6c928b1dc5247401eec386cbe47836a1f8b9fae81a5e341b624447dd4f96734ab8c9da5191497a510ee49a743a949918d7c73a05aeee48d71922299eb3f51ebdafac2ec22946250b470eafcb7f00e193c7da87ae406f713d456dc77fd77b9579a71fe06dc59d974f2f3040cff4fee487d5c4664c1af9c830e637f12764bbb5a48446eee"}]}}, {{0x9, 0x5, 0xf, 0xc, 0x20, 0x80, 0xaf, 0x1, [@uac_iso={0x7, 0x25, 0x1, 0x2, 0x1, 0x2}]}}, {{0x9, 0x5, 0x1, 0x0, 0x8, 0x20, 0x2, 0x2, [@generic={0x71, 0x5, "1baa9b7f94b19d499d568e246b93e22d95bcff2d14bf6626fc74c65819b6e8a10b97fada7d96a8128a2da3b4b42130b0105d6ba2a12bbf232e29a68fa8d66f515b9d9175d5f904ffb0e3c2109ba01ef275d5058f974fdae5f1979ec4daf15f9153e9600362a92dc84d65263f89bf1a"}, @uac_iso={0x7, 0x25, 0x1, 0x80, 0x7, 0x3}]}}, {{0x9, 0x5, 0xf, 0x3, 0x20, 0x40, 0x7, 0x3, [@uac_iso={0x7, 0x25, 0x1, 0x2, 0x81, 0xfe}]}}]}}, {{0x9, 0x4, 0x0, 0x4, 0x4, 0x0, 0x0, 0x0, 0x5, [@uac_control={{0xa, 0x24, 0x1, 
0x2, 0x4}, [@selector_unit={0x7, 0x24, 0x5, 0x1, 0x2, "0147"}, @selector_unit={0x7, 0x24, 0x5, 0x2, 0xfd, "f8e3"}, @extension_unit={0xc, 0x24, 0x8, 0x1, 0x9c6, 0x0, "2b215316ef"}, @input_terminal={0xc, 0x24, 0x2, 0x4, 0x204, 0x6, 0x5, 0x995d, 0xc, 0x6}]}], [{{0x9, 0x5, 0x3, 0x10, 0x20, 0xff, 0x80, 0x6, [@uac_iso={0x7, 0x25, 0x1, 0x3, 0xff, 0x8001}]}}, {{0x9, 0x5, 0x6, 0x0, 0x448, 0xff, 0x3f, 0x76, [@generic={0x6f, 0x11, "da23cb30d23b24966ce614d1ee6450361dfca9305ac76d5b4099b84d25f04ec079b74c3a059613b7460f272b6868fb63b848e4bf13ba31c09382bdbf307cfa8cdf59407d48ed2d3b2a06a6623d03b61514b87e6dab90d3783b78acf78dd2142615997dfb54adb9bc2f6f6753bf"}]}}, {{0x9, 0x5, 0xb, 0x3, 0x200, 0x5, 0x1, 0x9, [@generic={0xe4, 0x8, "f0ea4afa7a842cc9d1dc5a8e5d0436f02fbbbb1c2dec2814398b263bd0b1e2b3704ed17ac7ae74ce761455b56acc0798ded8834824b9c5ef8eaa57a1291f2f052da647f2c3c0b4e04349f4b55246a46ed78ff3a4f003262a488aa7ed0b4fed8056ade65d9e9f23001dfbe3167de2407c8de62193b897a867a1ae2641164c133fbd128f6c77b490d69ecdc3343379f82ded105139d6cfea5e50935c430c902b35c7e5376d9d7a274c07cfc77bd3d5c82178b1a9e880922f7b89e4e2e663b4a10e6b435c4c3f590e7c0960df11f753c2650777409c9762d40ebd98daac279fce95f431"}, @uac_iso={0x7, 0x25, 0x1, 0x0, 0x1, 0x2}]}}, {{0x9, 0x5, 0x5, 0x0, 0x10, 0x2, 0x5, 0x4, [@generic={0x88, 0x21, "a23f902a86412cf81979197a0896009c1eb18fc5bc5f867e8088da0a16f3d0c7e566ad5a004c7982e84811cb3a32865c01755cd2e340186b34e0e4ef94a8a3a96202ff71d7f02f122bf1bd617286331dbcef6262b569a9f7b04358ea35ed8185b889c8598ff156851da7751e597a1093581cdbd1aac360049d0fcab8267c7b43214295dc35ec"}]}}]}}, {{0x9, 0x4, 0x80, 0xff, 0x4, 0x0, 0x0, 0x0, 0x80, [@hid_hid={0x9, 0x21, 0x8000, 0x5, 0x1, {0x22, 0xcc8}}, @cdc_ncm={{0xb, 0x24, 0x6, 0x0, 0x1, "09985bde97c2"}, {0x5, 0x24, 0x0, 0x2b5}, {0xd, 0x24, 0xf, 0x1, 0x9a01, 0x3, 0x1f, 0x7f}, {0x6, 0x24, 0x1a, 0x7, 0x30}, [@mdlm_detail={0xe1, 0x24, 0x13, 0x5, 
"07f24d4e3bd8a4c5a2467a7b6076d0402d1bb967b5c9ddb83d221414401f2f1296765c43ba584d21f7197c44c5dcfc986ab74fba69293fcc61173df9a74d4ef3dfeb47acfef5b9a35888708408557fdb5f74c1717485bd905d760de15ecee60eea4e9b9b6ca9e32b3214981d1a4582bd2099a9bbf89a0d3e33259789345ea1f09ad71e6a9f3dafbd04f1d9c98dabe5018d78db5cbe8c15f7e723da5a75f5e486e0fb1b8abfd5ed097cd2797d94b09330c5da2129df240e361aa939bb54f445adac0133c03c3dee271fe46f1d55d4ceb2dedd0de83400d6aa7a6ddb14a5"}]}], [{{0x9, 0x5, 0x4, 0x0, 0x200, 0x92, 0x20, 0x1f, [@generic={0xae, 0x23, "ff52f22cfcc4a1aaf65ed96100c9579cb7b6bdf608e083d8b76cd890efc8254da48ae0dcf1aa08722181aacd2b8ec39049a4edc719b199cfc2f058f3e7ac9276e4da511a844b2be714c2f73ff9e526bef19ee0d031d14190042dea36561214b416e8179ea206fbd8e76117804f37b91e38a8e7929a169da2208cd3136971a15e47683f7f9f1a727d6f6c2acc5e7b6b149982a0450944fe6e90d596351b85bfc08c87ced852ec8666b246f966"}]}}, {{0x9, 0x5, 0x80, 0x0, 0x10, 0x4, 0x1, 0x1, [@generic={0x5a, 0x7, "5918c0d1e34474bb649f86d95b58500a7695b3e0670a41048712e653aa310196964548cd3b61282f2929c8d9af8bdc14f534773cf8b4587acba0ac802bf87217b24e97aed0c4be03e7111fdaebf632dccde2ab99a3ad1b7d"}]}}, {{0x9, 0x5, 0xc, 0x0, 0x20, 0x0, 0x7f, 0x3f, [@generic={0x51, 0x4, "3648c9fe065c350750ebe53d811cb4458d35becb8394e55a4b924711d13248a39e0bdcf26c530a2bb3e3252aeb7dd773c40990063f30c163d660f3993a8a4423cdd39be12aa87f7c794768c0704e58"}, @generic={0x83, 0xc, "10c912997e4aef4957a78f0a7c50e9fddcbab0ba6d759d9594029ce12ad96964570395b6b19429170f6e5341f0a7218d5d95341c7aec043c2590b204c8171db1aaadd21fa0662dffb4b716dd206e7dd6bac27f37e90ef2e26e34f0d6839fc21a46b9f5d9c359efa2fbd96a01222b4e2075b3094dc0794daeb4ec35af06d96e7b1d"}]}}, {{0x9, 0x5, 0x1, 0x3, 0x10, 0x1, 0x1, 0xff, [@uac_iso={0x7, 0x25, 0x1, 0xc0, 0x1f, 0xfff9}]}}]}}, {{0x9, 0x4, 0x6, 0x1, 0x8, 0x0, 0x0, 0x0, 0x0, [@uac_as={[@as_header={0x7, 0x24, 0x1, 0x80, 0x9, 0x1}, @format_type_ii_discrete={0xc, 0x24, 0x2, 0x2, 0x0, 0x25, 0xd1, "82688e"}, @format_type_i_continuous={0xa, 0x24, 0x2, 0x1, 0x80, 0x4, 0xf9, 0x7, "a2", "e4"}, 
@format_type_ii_discrete={0xc, 0x24, 0x2, 0x2, 0x8, 0x7d, 0x3f, "58e6a1"}]}], [{{0x9, 0x5, 0xf, 0x8, 0x20, 0x0, 0x3, 0x80, [@uac_iso={0x7, 0x25, 0x1, 0x82, 0x6, 0xfffb}]}}, {{0x9, 0x5, 0x9, 0x8, 0x3ff, 0x7f, 0x7, 0x0, [@uac_iso={0x7, 0x25, 0x1, 0x0, 0x6, 0x8}, @generic={0xd4, 0x24, "62391b1fe2fa93b5dc5ffec94df0cfd9a7fa764674e7ebb2b4211be43809b778b6a1b7747c689ee8d9b7007a9b0ad632b1b6b9dce6f679131039d14ff7ef5f1551422fbfb474995f50dcf18314eeade2b09937ad1c87166a9ff6a9f30ecf291c74d0f4d8c4ab47adb0746f933b8308e07420a600e2ee5bc2fa4a9324d25f623b7360828c0a531df1dc32d7631a74dfc722db3f894af811217f9155c92ccd88298b9fbf540aaa44f42853a51910d962b55b87c59b5bae88a5797737b6ab2c6d99610c58cf1151e4ac7a11184eef545106f1bc"}]}}, {{0x9, 0x5, 0xd, 0x10, 0x200, 0x8, 0xf0, 0x1, [@generic={0xd, 0x5, "0d5b7bb2b0aaa2462af825"}, @uac_iso={0x7, 0x25, 0x1, 0x81, 0xff, 0x83}]}}, {{0x9, 0x5, 0x7, 0x10, 0x3ff, 0x2, 0x9, 0x1, [@generic={0xe3, 0x7, "7a0c5781a1e0408843c7a9b1ecb1452cb73bb70261af4965234f0684887d0b16ebbc01588cece081982edd39289b1e922c448904c82afda46b69f7d94f8c0a6baa026a88356d28416e39418f18c606ddaf5c6b9d9cad58f5db2bbfa35d4a8a6990e1e91473e5185391ab377026d5bfc55fbfc6ee655990dc45fcc5630484e8a4a9671768a2783b7236254d6443d7c949d95121026d0461b245c6f706deed088efb46013a1e185e483445abd460c0e0c271617a4281a54d9d65bacf88d7d6f19c4671f01ed508c9b5f2329a7d8ce406cdf6c828018ff18269e0b46711cfd77623a9"}]}}, {{0x9, 0x5, 0x3, 0xa, 0x200, 0x8, 0xff, 0xff, [@uac_iso={0x7, 0x25, 0x1, 0x80, 0x20, 0x3}]}}, {{0x9, 0x5, 0x80, 0x4, 0x400, 0x49, 0x3, 0x1, [@generic={0xf5, 0x30, 
"52a07c7d996e3f77395e9957e05af5c69124f5caee799fdb09cad9a153f681388517f754b3698e0c6260d454e5f6c9978a0a06749edac82318c804a6d7242be88798c3d963ec0c5f44958788d7a35a55542d6e13dfa0dcc4ccb9a6be28b92c92d8f35722b9af6d277401ced45fff8034cd1ca66e6ad54a67ad3f1d85e45e9c8df8f4f996984c4080611e9f33de993cd5de47acd47ca00ad15935066e038c371b281dcbde4c57da919c2f5eaac7154f0ee6b6aff6512b40965dfe33ff51daa9a503096076e6c734ff437e24ac907fb3d391dfb7b74f5001694497246d1dc30d9c70265c6afd2a9dcbc91997bf52c57a526b2aee"}, @generic={0x44, 0x1, "09d53dc7fb22bf037ac17492d3a29e90a3ad1df4bff3aa221e5edaf6823fe20f85082587ad024927577a37dec32b0f4f611e5f0d6df48770844194ea263a409afdef"}]}}, {{0x9, 0x5, 0xc, 0x1, 0x3ff, 0x1e, 0x3, 0x9, [@uac_iso={0x7, 0x25, 0x1, 0x1, 0x6, 0x6}]}}, {{0x9, 0x5, 0x2, 0x3, 0x10, 0x5, 0x4, 0x1, [@uac_iso={0x7, 0x25, 0x1, 0x1, 0x1}]}}]}}]}}]}}, &(0x7f0000000f00)={0xa, &(0x7f0000000c80)={0xa, 0x6, 0x110, 0x9, 0x4, 0x81, 0x20, 0x1f}, 0x19, &(0x7f0000000cc0)={0x5, 0xf, 0x19, 0x1, [@ss_container_id={0x14, 0x10, 0x4, 0x46, "d7c16f61f8309b9fc9a6512c870ad542"}]}, 0x6, [{0x4, &(0x7f0000000d00)=@lang_id={0x4, 0x3, 0x1407}}, {0x4, &(0x7f0000000d40)=@lang_id={0x4, 0x3, 0x809}}, {0x4, &(0x7f0000000d80)=@lang_id={0x4, 0x3, 0x1809}}, {0x4, &(0x7f0000000dc0)=@lang_id={0x4, 0x3, 0x448}}, {0x4, &(0x7f0000000e00)=@lang_id={0x4, 0x3, 0xc09}}, {0xb7, &(0x7f0000000e40)=@string={0xb7, 0x3, "4493e6b7e881cccecb38c739792afd4db839a8c6ea636bd34a60f544debaad817eb1cb5294633bbd5345055f4dabe9e65e5a43a5d74468635f4842818ff90923abd58a955fd1b60619294991d749ef7ce512b097419c3a7c314959a4c821968bc74396978bc085ec4fc814c0a9cc3a2c5a78c9e376676fba67870367d932de05fa43a4122da889b9845f139f82c92db0fa8aeba9d56b16bc3396de655fa70057ec73b64fe9fa08a8e6901eca5868197a4635b58ade"}}]}) syz_usb_disconnect(r0) csource_test.go:151: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include 
#include #include #include #include #ifndef SYS_mmap #define SYS_mmap 197 #endif static unsigned long long procid; static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } struct usb_endpoint_descriptor { uint8_t bLength; uint8_t bDescriptorType; uint8_t bEndpointAddress; uint8_t bmAttributes; uint16_t wMaxPacketSize; uint8_t bInterval; uint8_t bRefresh; uint8_t bSynchAddress; } __attribute__((packed)); struct usb_device_descriptor { uint8_t bLength; uint8_t bDescriptorType; uint16_t bcdUSB; uint8_t bDeviceClass; uint8_t bDeviceSubClass; uint8_t bDeviceProtocol; uint8_t bMaxPacketSize0; uint16_t idVendor; uint16_t idProduct; uint16_t bcdDevice; uint8_t iManufacturer; uint8_t iProduct; uint8_t iSerialNumber; uint8_t bNumConfigurations; } __attribute__((packed)); struct usb_config_descriptor { uint8_t bLength; uint8_t bDescriptorType; uint16_t wTotalLength; uint8_t bNumInterfaces; uint8_t bConfigurationValue; uint8_t iConfiguration; uint8_t bmAttributes; uint8_t bMaxPower; } __attribute__((packed)); struct usb_interface_descriptor { uint8_t bLength; uint8_t bDescriptorType; uint8_t bInterfaceNumber; uint8_t bAlternateSetting; uint8_t bNumEndpoints; uint8_t bInterfaceClass; uint8_t bInterfaceSubClass; uint8_t bInterfaceProtocol; uint8_t iInterface; } __attribute__((packed)); struct usb_ctrlrequest { uint8_t bRequestType; uint8_t bRequest; uint16_t wValue; uint16_t wIndex; uint16_t wLength; } __attribute__((packed)); struct usb_qualifier_descriptor { uint8_t bLength; uint8_t bDescriptorType; uint16_t bcdUSB; uint8_t bDeviceClass; uint8_t bDeviceSubClass; uint8_t bDeviceProtocol; uint8_t bMaxPacketSize0; uint8_t bNumConfigurations; uint8_t bRESERVED; } __attribute__((packed)); #define USB_TYPE_MASK (0x03 << 5) #define USB_TYPE_STANDARD (0x00 << 5) #define USB_TYPE_CLASS (0x01 << 5) #define USB_TYPE_VENDOR (0x02 << 5) #define USB_TYPE_RESERVED (0x03 << 5) #define USB_DT_DEVICE 0x01 #define USB_DT_CONFIG 0x02 #define USB_DT_STRING 0x03 #define USB_DT_INTERFACE 0x04 
#define USB_DT_ENDPOINT 0x05
#define USB_DT_DEVICE_QUALIFIER 0x06
#define USB_DT_OTHER_SPEED_CONFIG 0x07
#define USB_DT_INTERFACE_POWER 0x08
#define USB_DT_OTG 0x09
#define USB_DT_DEBUG 0x0a
#define USB_DT_INTERFACE_ASSOCIATION 0x0b
#define USB_DT_SECURITY 0x0c
#define USB_DT_KEY 0x0d
#define USB_DT_ENCRYPTION_TYPE 0x0e
#define USB_DT_BOS 0x0f
#define USB_DT_DEVICE_CAPABILITY 0x10
#define USB_DT_WIRELESS_ENDPOINT_COMP 0x11
#define USB_DT_WIRE_ADAPTER 0x21
#define USB_DT_RPIPE 0x22
#define USB_DT_CS_RADIO_CONTROL 0x23
#define USB_DT_PIPE_USAGE 0x24
#define USB_DT_SS_ENDPOINT_COMP 0x30
#define USB_DT_SSP_ISOC_ENDPOINT_COMP 0x31

// bRequest codes. Several names share a value (0x0E, 0x0F), and the last five
// are written in decimal, so 20..23 coincide numerically with 0x14..0x17.
// Only GET_DESCRIPTOR and SET_CONFIGURATION are acted on in the code below.
#define USB_REQ_GET_STATUS 0x00
#define USB_REQ_CLEAR_FEATURE 0x01
#define USB_REQ_SET_FEATURE 0x03
#define USB_REQ_SET_ADDRESS 0x05
#define USB_REQ_GET_DESCRIPTOR 0x06
#define USB_REQ_SET_DESCRIPTOR 0x07
#define USB_REQ_GET_CONFIGURATION 0x08
#define USB_REQ_SET_CONFIGURATION 0x09
#define USB_REQ_GET_INTERFACE 0x0A
#define USB_REQ_SET_INTERFACE 0x0B
#define USB_REQ_SYNCH_FRAME 0x0C
#define USB_REQ_SET_SEL 0x30
#define USB_REQ_SET_ISOCH_DELAY 0x31
#define USB_REQ_SET_ENCRYPTION 0x0D
#define USB_REQ_GET_ENCRYPTION 0x0E
#define USB_REQ_RPIPE_ABORT 0x0E
#define USB_REQ_SET_HANDSHAKE 0x0F
#define USB_REQ_RPIPE_RESET 0x0F
#define USB_REQ_GET_HANDSHAKE 0x10
#define USB_REQ_SET_CONNECTION 0x11
#define USB_REQ_SET_SECURITY_DATA 0x12
#define USB_REQ_GET_SECURITY_DATA 0x13
#define USB_REQ_SET_WUSB_DATA 0x14
#define USB_REQ_LOOPBACK_DATA_WRITE 0x15
#define USB_REQ_LOOPBACK_DATA_READ 0x16
#define USB_REQ_SET_INTERFACE_DS 0x17
#define USB_REQ_GET_PARTNER_PDO 20
#define USB_REQ_GET_BATTERY_STATUS 21
#define USB_REQ_SET_PDO 22
#define USB_REQ_GET_VDM 23
#define USB_REQ_SEND_VDM 24

// Fixed capacities of the index tables below; descriptors beyond these limits
// are skipped by parse_usb_descriptor() rather than stored.
#define USB_MAX_IFACE_NUM 4
#define USB_MAX_EP_NUM 32
#define USB_MAX_FDS 6

// One endpoint: a by-value copy of its descriptor plus a handle.
// (handle is not written anywhere in the code visible here.)
struct usb_endpoint_index {
	struct usb_endpoint_descriptor desc;
	int handle;
};

// One interface: a pointer into the caller's descriptor buffer, cached copies
// of three of its fields, and the endpoints that followed it in the buffer.
struct usb_iface_index {
	struct usb_interface_descriptor* iface;
	uint8_t bInterfaceNumber;
	uint8_t bAlternateSetting;
	uint8_t bInterfaceClass;
	struct usb_endpoint_index eps[USB_MAX_EP_NUM];
	int eps_num;
};

// Parsed view of one emulated device. dev, config and every ifaces[].iface
// point into the buffer handed to parse_usb_descriptor(); nothing is copied
// except the endpoint descriptors, so that buffer must outlive the index.
struct usb_device_index {
	struct usb_device_descriptor* dev;
	struct usb_config_descriptor* config;
	uint8_t bDeviceClass;
	uint8_t bMaxPower;
	int config_length;
	struct usb_iface_index ifaces[USB_MAX_IFACE_NUM];
	int ifaces_num;
	int iface_cur;
};

// Table slot tying a file descriptor to its parsed device index.
struct usb_info {
	int fd;
	struct usb_device_index index;
};

// Static storage, so every slot starts zeroed (fd == 0, index all zero).
static struct usb_info usb_devices[USB_MAX_FDS];

// Returns the index registered for fd, or NULL if no slot holds that fd.
// The acquire load pairs with the release store in add_usb_index(), so a slot
// whose fd matches has a fully written index.
// NOTE(review): unused slots hold fd == 0, so a lookup for descriptor 0 would
// match an unpopulated slot whose dev/config pointers are NULL; presumably the
// fd from open() is never 0 here, but that is not checked.
static struct usb_device_index* lookup_usb_index(int fd)
{
	for (int i = 0; i < USB_MAX_FDS; i++) {
		if (__atomic_load_n(&usb_devices[i].fd, __ATOMIC_ACQUIRE) == fd)
			return &usb_devices[i].index;
	}
	return NULL;
}

// Number of slots handed out so far; only ever incremented (add_usb_index).
static int usb_devices_num;

// Builds *index from a raw blob laid out as a device descriptor immediately
// followed by a configuration descriptor and its sub-descriptors.
// Returns false only when length cannot hold both fixed headers; a malformed
// descriptor chain just ends the walk early and still returns true.
static bool parse_usb_descriptor(const char* buffer, size_t length, struct usb_device_index* index)
{
	if (length < sizeof(*index->dev) + sizeof(*index->config))
		return false;
	memset(index, 0, sizeof(*index));
	// Alias the caller's buffer; no copy is made.
	index->dev = (struct usb_device_descriptor*)buffer;
	index->config = (struct usb_config_descriptor*)(buffer + sizeof(*index->dev));
	index->bDeviceClass = index->dev->bDeviceClass;
	index->bMaxPower = index->config->bMaxPower;
	// Everything after the device descriptor is served as the configuration.
	index->config_length = length - sizeof(*index->dev);
	index->iface_cur = -1;
	// The walk starts at offset 0, i.e. on the device descriptor itself, and
	// advances by each descriptor's own length byte.
	size_t offset = 0;
	while (true) {
		// Need at least the length and type bytes.
		if (offset + 1 >= length)
			break;
		uint8_t desc_length = buffer[offset];
		uint8_t desc_type = buffer[offset + 1];
		// A length of 0..2 would stall or carry no payload; stop.
		if (desc_length <= 2)
			break;
		// The descriptor's declared extent must fit in the buffer.
		if (offset + desc_length > length)
			break;
		if (desc_type == USB_DT_INTERFACE && index->ifaces_num < USB_MAX_IFACE_NUM) {
			// NOTE(review): the fields read below sit at struct offsets 2, 3 and 5,
			// but only desc_length (>= 3) bytes were bounds-checked above, so a
			// short interface descriptor at the end of the buffer can be read past
			// length.
			struct usb_interface_descriptor* iface = (struct usb_interface_descriptor*)(buffer + offset);
			index->ifaces[index->ifaces_num].iface = iface;
			index->ifaces[index->ifaces_num].bInterfaceNumber = iface->bInterfaceNumber;
			index->ifaces[index->ifaces_num].bAlternateSetting = iface->bAlternateSetting;
			index->ifaces[index->ifaces_num].bInterfaceClass = iface->bInterfaceClass;
			index->ifaces_num++;
		}
		// Endpoints are attached to the most recently seen interface.
		if (desc_type == USB_DT_ENDPOINT && index->ifaces_num > 0) {
			struct usb_iface_index* iface = &index->ifaces[index->ifaces_num - 1];
			if (iface->eps_num < USB_MAX_EP_NUM) {
				// NOTE(review): copies sizeof(desc) bytes regardless of desc_length;
				// when desc_length is smaller than the struct and the descriptor is
				// the last thing in the buffer, this reads beyond buffer + length.
				// A guard comparing desc_length (or the remaining bytes) with
				// sizeof(desc) before the copy would close that over-read.
				memcpy(&iface->eps[iface->eps_num].desc, buffer + offset, sizeof(iface->eps[iface->eps_num].desc));
				iface->eps_num++;
			}
		}
		offset += desc_length;
	}
	return true;
}

// Claims the next free table slot for fd and parses dev into it.
// Returns the slot's index, or NULL when the table is full or parsing fails.
// The counter is bumped before either check, so a full table or a failed parse
// still consumes a slot number; slots are never released in the visible code.
// fd is published with release ordering only after the index is complete.
static struct usb_device_index* add_usb_index(int fd, const char* dev, size_t dev_len)
{
	int i = __atomic_fetch_add(&usb_devices_num, 1, __ATOMIC_RELAXED);
	if (i >= USB_MAX_FDS)
		return NULL;
	if (!parse_usb_descriptor(dev, dev_len, &usb_devices[i].index))
		return NULL;
	__atomic_store_n(&usb_devices[i].fd, fd, __ATOMIC_RELEASE);
	return &usb_devices[i].index;
}

// Caller-supplied string descriptor: length plus pointer to its bytes.
struct vusb_connect_string_descriptor {
	uint32_t len;
	char* str;
} __attribute__((packed));

// Optional caller-supplied descriptors (qualifier, BOS, strings). Every
// pointer and length in here comes from the caller and is used as-is.
struct vusb_connect_descriptors {
	uint32_t qual_len;
	char* qual;
	uint32_t bos_len;
	char* bos;
	uint32_t strs_len;
	struct vusb_connect_string_descriptor strs[0];
} __attribute__((packed));

// Fallback string descriptor: 8 bytes, type STRING, then 's','y','z' each
// followed by a zero byte.
static const char default_string[] = { 8, USB_DT_STRING, 's', 0, 'y', 0, 'z', 0 };

// Fallback descriptor for string index 0: 4 bytes, type STRING, 0x09 0x04.
static const char default_lang_id[] = { 4, USB_DT_STRING, 0x09, 0x04 };

// Chooses the reply for a device-to-host control request during enumeration.
// Only standard GET_DESCRIPTOR is answered; the descriptor type is the high
// byte of wValue. On success sets *response_data / *response_length and
// returns true; any other request, or an unknown fd, returns false.
// qual is caller-provided scratch space for a synthesized qualifier descriptor.
static bool lookup_connect_response_in(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, struct usb_qualifier_descriptor* qual, char** response_data, uint32_t* response_length)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	uint8_t str_idx;
	if (!index)
		return false;
	switch (ctrl->bRequestType & USB_TYPE_MASK) {
	case USB_TYPE_STANDARD:
		switch (ctrl->bRequest) {
		case USB_REQ_GET_DESCRIPTOR:
			switch (ctrl->wValue >> 8) {
			case USB_DT_DEVICE:
				*response_data = (char*)index->dev;
				*response_length = sizeof(*index->dev);
				return true;
			case USB_DT_CONFIG:
				*response_data = (char*)index->config;
				*response_length = index->config_length;
				return true;
			case USB_DT_STRING:
				// Low byte of wValue is the string index.
				str_idx = (uint8_t)ctrl->wValue;
				// Caller-supplied strings win when present and in range.
				if (descs && str_idx < descs->strs_len) {
					*response_data = descs->strs[str_idx].str;
					*response_length = descs->strs[str_idx].len;
					return true;
				}
				if (str_idx == 0) {
					*response_data = (char*)&default_lang_id[0];
					*response_length = default_lang_id[0];
					return true;
				}
				*response_data = (char*)&default_string[0];
				*response_length = default_string[0];
				return true;
			case USB_DT_BOS:
				// NOTE(review): descs is dereferenced without the NULL check the
				// STRING case applies, and the visible caller only rejects a NULL
				// dev, not a NULL descs. Confirm whether a crash here is tolerated
				// or whether this case should return false when descs is NULL.
				*response_data = descs->bos;
				*response_length = descs->bos_len;
				return true;
			case USB_DT_DEVICE_QUALIFIER:
				// NOTE(review): same unchecked descs dereference as the BOS case.
				if (!descs->qual) {
					// No qualifier supplied: synthesize one from the device descriptor.
					qual->bLength = sizeof(*qual);
					qual->bDescriptorType = USB_DT_DEVICE_QUALIFIER;
					qual->bcdUSB = index->dev->bcdUSB;
					qual->bDeviceClass = index->dev->bDeviceClass;
					qual->bDeviceSubClass = index->dev->bDeviceSubClass;
					qual->bDeviceProtocol = index->dev->bDeviceProtocol;
					qual->bMaxPacketSize0 = index->dev->bMaxPacketSize0;
					qual->bNumConfigurations = index->dev->bNumConfigurations;
					qual->bRESERVED = 0;
					*response_data = (char*)qual;
					*response_length = sizeof(*qual);
					return true;
				}
				*response_data = descs->qual;
				*response_length = descs->qual_len;
				return true;
			default:
				break;
			}
			break;
		default:
			break;
		}
		break;
	default:
		break;
	}
	return false;
}

// Handler type for host-to-device control requests during enumeration.
// Returns true if the request is accepted; sets *done to end the connect loop.
typedef bool (*lookup_connect_out_response_t)(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done);

// Default OUT handler: accepts only standard SET_CONFIGURATION and marks
// enumeration as finished; every other request is rejected. fd and descs are
// unused.
static bool lookup_connect_response_out_generic(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done)
{
	switch (ctrl->bRequestType & USB_TYPE_MASK) {
	case USB_TYPE_STANDARD:
		switch (ctrl->bRequest) {
		case USB_REQ_SET_CONFIGURATION:
			*done = true;
			return true;
		default:
			break;
		}
		break;
	}
	return false;
}

// The vhci_* types and macros used from here on (struct vhci_ioc_set_port,
// VHCI_IOC_*, vhci_request_t, vhci_response_t, VHCI_REQ_CTRL, UGETW,
// UE_DIR_IN) are not defined in this listing; presumably they come from the
// system headers whose names are missing from the #include lines.

// Opens this process's vhci device node ("/dev/vhci" + procid) read-write.
// Returns the descriptor from open(), i.e. negative on failure.
static int vhci_open(void)
{
	char path[1024];
	snprintf(path, sizeof(path), "/dev/vhci%llu", procid);
	return open(path, O_RDWR);
}

// Issues VHCI_IOC_SET_PORT with the given port; returns the ioctl result.
static int vhci_setport(int fd, u_int port)
{
	struct vhci_ioc_set_port args;
	args.port = port;
	return ioctl(fd, VHCI_IOC_SET_PORT, &args);
}

// Issues VHCI_IOC_USB_ATTACH with no argument; returns the ioctl result.
static int vhci_usb_attach(int fd)
{
	return ioctl(fd, VHCI_IOC_USB_ATTACH, NULL);
}

// Reads exactly size bytes from fd into buf, looping over short reads.
// Returns 0 on success, -1 if read() fails.
// NOTE(review): a read() that returns 0 while size > 0 is not treated as an
// error (unlike vhci_usb_send, which rejects <= 0), so this loop would spin if
// the device kept returning 0.
static int vhci_usb_recv(int fd, void* buf, size_t size)
{
	uint8_t* ptr = (uint8_t*)buf;
	while (1) {
		ssize_t done = read(fd, ptr, size);
		if (done < 0)
			return -1;
		if ((size_t)done == size)
			return 0;
		size -= done;
		ptr += done;
	}
}

// Writes exactly size bytes from buf to fd, looping over short writes.
// Returns 0 on success, -1 if write() returns zero or fails.
static int vhci_usb_send(int fd, void* buf, size_t size)
{
	uint8_t* ptr = (uint8_t*)buf;
	while (1) {
		ssize_t done = write(fd, ptr, size);
		if (done <= 0)
			return -1;
		if ((size_t)done == size)
			return 0;
		size -= done;
		ptr += done;
	}
}

// Registers the descriptor blob for fd, attaches the virtual device on port 1
// and answers control requests until the OUT handler reports completion.
// Returns fd on success and -1 on any failure, except that a failing
// vhci_setport() terminates the process with exit(1). speed is unused.
static volatile long syz_usb_connect_impl(int fd, uint64_t speed, uint64_t dev_len, const char* dev, const struct vusb_connect_descriptors* descs, lookup_connect_out_response_t lookup_connect_response_out)
{
	struct usb_device_index* index = add_usb_index(fd, dev, dev_len);
	if (!index) {
		return -1;
	}
	if (vhci_setport(fd, 1))
		exit(1);
	if (vhci_usb_attach(fd)) {
		return -1;
	}
	bool done = false;
	while (!done) {
		vhci_request_t req;
		if (vhci_usb_recv(fd, &req, sizeof(req))) {
			return -1;
		}
		// Only control requests are expected while connecting.
		if (req.type != VHCI_REQ_CTRL) {
			return -1;
		}
		char* response_data = NULL;
		uint32_t response_length = 0;
		struct usb_qualifier_descriptor qual;
		// Staging buffer for the reply (IN) or the incoming payload (OUT).
		char data[4096];
		if (req.u.ctrl.bmRequestType & UE_DIR_IN) {
			// The request is reinterpreted as struct usb_ctrlrequest by cast;
			// assumes both layouts match - TODO confirm against the vhci header.
			if (!lookup_connect_response_in(fd, descs, (const struct usb_ctrlrequest*)&req.u.ctrl, &qual, &response_data, &response_length)) {
				return -1;
			}
		} else {
			if (!lookup_connect_response_out(fd, descs, (const struct usb_ctrlrequest*)&req.u.ctrl, &done)) {
				return -1;
			}
			response_data = NULL;
			response_length = UGETW(req.u.ctrl.wLength);
		}
		// Intentionally empty in this generated program.
		if ((req.u.ctrl.bmRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD && req.u.ctrl.bRequest == USB_REQ_SET_CONFIGURATION) {
		}
		// Bound every copy below by sizeof(data): an oversized length (which may
		// come from caller-supplied descriptors) is dropped to 0, not truncated.
		if (response_length > sizeof(data))
			response_length = 0;
		// Never transfer more than the host asked for.
		if ((uint32_t)UGETW(req.u.ctrl.wLength) < response_length)
			response_length = UGETW(req.u.ctrl.wLength);
		if (response_data)
			memcpy(data, response_data, response_length);
		else
			memset(data, 0, response_length);
		int rv = 0;
		if (req.u.ctrl.bmRequestType & UE_DIR_IN) {
			// A zero-length reply sends nothing at all, not even the size header.
			if (response_length > 0) {
				vhci_response_t res;
				res.size = response_length;
				rv = vhci_usb_send(fd, &res, sizeof(res));
				if (rv == 0)
					rv = vhci_usb_send(fd, data, response_length);
			}
		} else {
			// Consume the OUT payload into the staging buffer.
			rv = vhci_usb_recv(fd, data, response_length);
		}
		if (rv < 0) {
			return -1;
		}
	}
	sleep_ms(200);
	return fd;
}

// Storage-class specifier of syz_usb_connect, whose declaration continues on
// the next line of the listing.
static
volatile long syz_usb_connect(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { uint64_t speed = a0; uint64_t dev_len = a1; const char* dev = (const char*)a2; const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3; if (!dev) { return -1; } int fd = vhci_open(); if (fd < 0) exit(1); long res = syz_usb_connect_impl(fd, speed, dev_len, dev, descs, &lookup_connect_response_out_generic); close(fd); return res; } static volatile long syz_usb_disconnect(volatile long a0) { int fd = a0; int rv = close(fd); sleep_ms(200); return rv; } uint64_t r[1] = {0xffffffffffffffff}; int main(void) { syscall(SYS_mmap, 0x20000000ul, 0x1000000ul, 3ul, 0x1012ul, -1, 0ul, 0ul); intptr_t res = 0; *(uint8_t*)0x20000000 = 0x12; *(uint8_t*)0x20000001 = 1; *(uint16_t*)0x20000002 = 0x250; *(uint8_t*)0x20000004 = 0; *(uint8_t*)0x20000005 = 0; *(uint8_t*)0x20000006 = 0; *(uint8_t*)0x20000007 = 8; *(uint16_t*)0x20000008 = 0; *(uint16_t*)0x2000000a = 0; *(uint16_t*)0x2000000c = 0; *(uint8_t*)0x2000000e = 1; *(uint8_t*)0x2000000f = 2; *(uint8_t*)0x20000010 = 3; *(uint8_t*)0x20000011 = 1; *(uint8_t*)0x20000012 = 9; *(uint8_t*)0x20000013 = 2; *(uint16_t*)0x20000014 = 0xc45; *(uint8_t*)0x20000016 = 4; *(uint8_t*)0x20000017 = 0x3f; *(uint8_t*)0x20000018 = 1; *(uint8_t*)0x20000019 = 0x20; *(uint8_t*)0x2000001a = 0x83; *(uint8_t*)0x2000001b = 9; *(uint8_t*)0x2000001c = 4; *(uint8_t*)0x2000001d = 7; *(uint8_t*)0x2000001e = 7; *(uint8_t*)0x2000001f = 0xb; *(uint8_t*)0x20000020 = 0; *(uint8_t*)0x20000021 = 0; *(uint8_t*)0x20000022 = 0; *(uint8_t*)0x20000023 = 0x7f; *(uint8_t*)0x20000024 = 0xc; *(uint8_t*)0x20000025 = 0x24; *(uint8_t*)0x20000026 = 2; *(uint8_t*)0x20000027 = 1; *(uint8_t*)0x20000028 = 0x7f; *(uint8_t*)0x20000029 = 3; *(uint8_t*)0x2000002a = 8; *(uint8_t*)0x2000002b = 9; memcpy((void*)0x2000002c, "\x2a\x0f", 2); memcpy((void*)0x2000002e, "\x26\xf6", 2); *(uint8_t*)0x20000030 = 0xa; *(uint8_t*)0x20000031 = 0x24; *(uint8_t*)0x20000032 = 2; 
*(uint8_t*)0x20000033 = 1; *(uint8_t*)0x20000034 = 0; *(uint8_t*)0x20000035 = 3; *(uint8_t*)0x20000036 = 7; *(uint8_t*)0x20000037 = 0x80; memset((void*)0x20000038, 219, 1); memset((void*)0x20000039, 93, 1); *(uint8_t*)0x2000003a = 9; *(uint8_t*)0x2000003b = 5; *(uint8_t*)0x2000003c = 0; *(uint8_t*)0x2000003d = 0; *(uint16_t*)0x2000003e = 0x10; *(uint8_t*)0x20000040 = 9; *(uint8_t*)0x20000041 = 6; *(uint8_t*)0x20000042 = 0xc0; *(uint8_t*)0x20000043 = 7; *(uint8_t*)0x20000044 = 0x25; *(uint8_t*)0x20000045 = 1; *(uint8_t*)0x20000046 = 0x81; *(uint8_t*)0x20000047 = 0x40; *(uint16_t*)0x20000048 = 6; *(uint8_t*)0x2000004a = 9; *(uint8_t*)0x2000004b = 5; *(uint8_t*)0x2000004c = 0x80; *(uint8_t*)0x2000004d = 0; *(uint16_t*)0x2000004e = 0x10; *(uint8_t*)0x20000050 = 0; *(uint8_t*)0x20000051 = 0x3b; *(uint8_t*)0x20000052 = 6; *(uint8_t*)0x20000053 = 7; *(uint8_t*)0x20000054 = 0x25; *(uint8_t*)0x20000055 = 1; *(uint8_t*)0x20000056 = 0x80; *(uint8_t*)0x20000057 = 3; *(uint16_t*)0x20000058 = 9; *(uint8_t*)0x2000005a = 9; *(uint8_t*)0x2000005b = 5; *(uint8_t*)0x2000005c = 0xe; *(uint8_t*)0x2000005d = 8; *(uint16_t*)0x2000005e = 0x200; *(uint8_t*)0x20000060 = 9; *(uint8_t*)0x20000061 = 0xf8; *(uint8_t*)0x20000062 = 1; *(uint8_t*)0x20000063 = 7; *(uint8_t*)0x20000064 = 0x25; *(uint8_t*)0x20000065 = 1; *(uint8_t*)0x20000066 = 1; *(uint8_t*)0x20000067 = 0x81; *(uint16_t*)0x20000068 = 0x800; *(uint8_t*)0x2000006a = 9; *(uint8_t*)0x2000006b = 5; *(uint8_t*)0x2000006c = 8; *(uint8_t*)0x2000006d = 0; *(uint16_t*)0x2000006e = 0x10; *(uint8_t*)0x20000070 = 0x1f; *(uint8_t*)0x20000071 = 2; *(uint8_t*)0x20000072 = 7; *(uint8_t*)0x20000073 = 7; *(uint8_t*)0x20000074 = 0x25; *(uint8_t*)0x20000075 = 1; *(uint8_t*)0x20000076 = 2; *(uint8_t*)0x20000077 = 5; *(uint16_t*)0x20000078 = 7; *(uint8_t*)0x2000007a = 9; *(uint8_t*)0x2000007b = 5; *(uint8_t*)0x2000007c = 8; *(uint8_t*)0x2000007d = 4; *(uint16_t*)0x2000007e = 0x40; *(uint8_t*)0x20000080 = 0xa1; *(uint8_t*)0x20000081 = 8; 
*(uint8_t*)0x20000082 = 0x7f; *(uint8_t*)0x20000083 = 0xc1; *(uint8_t*)0x20000084 = 6; memcpy((void*)0x20000085, "\xe6\xaf\x4f\x4d\x72\x1d\x90\xc2\x76\x2c\xc9\x4d\xc6\x15\x9d\x3e\x93\xbc\xbb\xbb\xaa\x2c\x1a\x86\x47\xcd\xd2\x03\xc7\x47\x24\x6a\xfb\xae\x57\x42\xdb\x64\xe7\x7b\x07\x04\xa7\xf9\x57\xb8\x2c\x1e\x95\x7d\xad\xcb\xa1\x16\x0e\x13\x18\x82\x6a\x8b\x53\xdd\xa1\xb7\x99\x75\xd4\x5d\x2c\x33\x93\x22\xdd\xb1\x69\x55\x07\xb9\x50\x7f\xa3\xc2\xca\x14\xf5\xb7\x6e\x8a\x2b\x2e\x6b\xb3\x4d\xb6\x14\x4a\x0f\x78\x7f\xdb\x0f\x2e\x9b\x89\xf4\xab\x54\xbd\x8c\x3f\x39\xf7\xbc\xdd\x8e\x8b\x01\x55\xac\x1c\x33\x4f\xf0\x87\x2a\x65\xe9\x41\xf0\x74\x55\xf2\x99\x68\xc3\x75\x57\x24\x30\x13\x74\x38\x45\xac\xb4\x1d\x88\x0b\xa2\xed\x30\x8c\x88\xb3\x04\x3e\x8b\x82\xf4\x9d\xf3\x41\x3b\xf8\x36\x09\xa5\x8f\x4d\xfa\x75\x26\xe6\xe1\xff\x49\x46\x16\x13\x8c\x50\xe0\x5a\xb2\xc9\xe5\x15\x61\xdc\x11\x51", 191); *(uint8_t*)0x20000144 = 0x2b; *(uint8_t*)0x20000145 = 0x10; memcpy((void*)0x20000146, "\x43\x1f\xa3\x44\x9c\x9c\x64\x4e\x2a\x45\xcd\xd1\x29\xa0\x44\x61\xd1\x6c\x41\x6a\x48\xf6\xd9\xad\x45\xf0\xd1\xcb\xf3\x20\x86\xdc\xe1\x78\x04\x61\x12\xd4\xdc\x08\x1c", 41); *(uint8_t*)0x2000016f = 9; *(uint8_t*)0x20000170 = 5; *(uint8_t*)0x20000171 = 0x80; *(uint8_t*)0x20000172 = 0x15; *(uint16_t*)0x20000173 = 0x600; *(uint8_t*)0x20000175 = 0x3f; *(uint8_t*)0x20000176 = 4; *(uint8_t*)0x20000177 = 6; *(uint8_t*)0x20000178 = 7; *(uint8_t*)0x20000179 = 0x25; *(uint8_t*)0x2000017a = 1; *(uint8_t*)0x2000017b = 0x40; *(uint8_t*)0x2000017c = 0x20; *(uint16_t*)0x2000017d = 0x8000; *(uint8_t*)0x2000017f = 0x2a; *(uint8_t*)0x20000180 = 0x21; memcpy((void*)0x20000181, "\xd9\x1f\xbd\x9c\x4b\xbc\xef\x40\x94\x62\x36\xbf\xd1\xbb\x97\xad\x10\x66\x56\xe7\xba\x52\x29\x03\x0d\x03\x85\xcf\xd2\x93\x61\xcc\x78\xfd\x14\x13\x9d\xd4\x21\x45", 40); *(uint8_t*)0x200001a9 = 9; *(uint8_t*)0x200001aa = 5; *(uint8_t*)0x200001ab = 0; *(uint8_t*)0x200001ac = 0x10; *(uint16_t*)0x200001ad = 0x3ff; *(uint8_t*)0x200001af = 0; *(uint8_t*)0x200001b0 
= 0x7f; *(uint8_t*)0x200001b1 = 9; *(uint8_t*)0x200001b2 = 7; *(uint8_t*)0x200001b3 = 0x25; *(uint8_t*)0x200001b4 = 1; *(uint8_t*)0x200001b5 = 1; *(uint8_t*)0x200001b6 = 3; *(uint16_t*)0x200001b7 = 6; *(uint8_t*)0x200001b9 = 9; *(uint8_t*)0x200001ba = 5; *(uint8_t*)0x200001bb = 0; *(uint8_t*)0x200001bc = 0x10; *(uint16_t*)0x200001bd = 0x3ff; *(uint8_t*)0x200001bf = 0x7f; *(uint8_t*)0x200001c0 = 8; *(uint8_t*)0x200001c1 = 9; *(uint8_t*)0x200001c2 = 0xf1; *(uint8_t*)0x200001c3 = 0x30; memcpy((void*)0x200001c4, "\x1a\x8a\x6e\x6f\x09\xeb\x96\xde\x81\x76\x00\x47\x97\x0f\x0f\x77\xb8\x96\x5a\xe7\x67\x01\x44\x56\xeb\x2b\xfe\xa4\x64\xc4\x79\x11\x97\xe3\xd2\xf2\x15\x1b\x19\x83\x75\xd6\x9a\x88\xbe\x01\xd9\x4b\xf9\xa7\x42\x1e\xd4\x0f\x13\xbb\xcb\x08\x65\x0c\x3d\x1e\x85\xd2\x8b\xef\x05\xab\xfb\xa4\x2f\x2f\x63\xa1\x44\xd5\x93\x87\xf3\x44\xd1\x42\x96\xd3\x70\x79\xc3\x8f\x82\x90\x7f\xee\xde\xd3\x4c\xa3\xe4\x60\xe3\xdd\xd0\x82\xbb\x7c\x51\x9a\x76\xc6\xc9\x28\xb1\xdc\x52\x47\x40\x1e\xec\x38\x6c\xbe\x47\x83\x6a\x1f\x8b\x9f\xae\x81\xa5\xe3\x41\xb6\x24\x44\x7d\xd4\xf9\x67\x34\xab\x8c\x9d\xa5\x19\x14\x97\xa5\x10\xee\x49\xa7\x43\xa9\x49\x91\x8d\x7c\x73\xa0\x5a\xee\xe4\x8d\x71\x92\x22\x99\xeb\x3f\x51\xeb\xda\xfa\xc2\xec\x22\x94\x62\x50\xb4\x70\xea\xfc\xb7\xf0\x0e\x19\x3c\x7d\xa8\x7a\xe4\x06\xf7\x13\xd4\x56\xdc\x77\xfd\x77\xb9\x57\x9a\x71\xfe\x06\xdc\x59\xd9\x74\xf2\xf3\x04\x0c\xff\x4f\xee\x48\x7d\x5c\x46\x64\xc1\xaf\x9c\x83\x0e\x63\x7f\x12\x76\x4b\xbb\x5a\x48\x44\x6e\xee", 239); *(uint8_t*)0x200002b3 = 9; *(uint8_t*)0x200002b4 = 5; *(uint8_t*)0x200002b5 = 0xf; *(uint8_t*)0x200002b6 = 0xc; *(uint16_t*)0x200002b7 = 0x20; *(uint8_t*)0x200002b9 = 0x80; *(uint8_t*)0x200002ba = 0xaf; *(uint8_t*)0x200002bb = 1; *(uint8_t*)0x200002bc = 7; *(uint8_t*)0x200002bd = 0x25; *(uint8_t*)0x200002be = 1; *(uint8_t*)0x200002bf = 2; *(uint8_t*)0x200002c0 = 1; *(uint16_t*)0x200002c1 = 2; *(uint8_t*)0x200002c3 = 9; *(uint8_t*)0x200002c4 = 5; *(uint8_t*)0x200002c5 = 1; *(uint8_t*)0x200002c6 = 0; 
*(uint16_t*)0x200002c7 = 8; *(uint8_t*)0x200002c9 = 0x20; *(uint8_t*)0x200002ca = 2; *(uint8_t*)0x200002cb = 2; *(uint8_t*)0x200002cc = 0x71; *(uint8_t*)0x200002cd = 5; memcpy((void*)0x200002ce, "\x1b\xaa\x9b\x7f\x94\xb1\x9d\x49\x9d\x56\x8e\x24\x6b\x93\xe2\x2d\x95\xbc\xff\x2d\x14\xbf\x66\x26\xfc\x74\xc6\x58\x19\xb6\xe8\xa1\x0b\x97\xfa\xda\x7d\x96\xa8\x12\x8a\x2d\xa3\xb4\xb4\x21\x30\xb0\x10\x5d\x6b\xa2\xa1\x2b\xbf\x23\x2e\x29\xa6\x8f\xa8\xd6\x6f\x51\x5b\x9d\x91\x75\xd5\xf9\x04\xff\xb0\xe3\xc2\x10\x9b\xa0\x1e\xf2\x75\xd5\x05\x8f\x97\x4f\xda\xe5\xf1\x97\x9e\xc4\xda\xf1\x5f\x91\x53\xe9\x60\x03\x62\xa9\x2d\xc8\x4d\x65\x26\x3f\x89\xbf\x1a", 111); *(uint8_t*)0x2000033d = 7; *(uint8_t*)0x2000033e = 0x25; *(uint8_t*)0x2000033f = 1; *(uint8_t*)0x20000340 = 0x80; *(uint8_t*)0x20000341 = 7; *(uint16_t*)0x20000342 = 3; *(uint8_t*)0x20000344 = 9; *(uint8_t*)0x20000345 = 5; *(uint8_t*)0x20000346 = 0xf; *(uint8_t*)0x20000347 = 3; *(uint16_t*)0x20000348 = 0x20; *(uint8_t*)0x2000034a = 0x40; *(uint8_t*)0x2000034b = 7; *(uint8_t*)0x2000034c = 3; *(uint8_t*)0x2000034d = 7; *(uint8_t*)0x2000034e = 0x25; *(uint8_t*)0x2000034f = 1; *(uint8_t*)0x20000350 = 2; *(uint8_t*)0x20000351 = 0x81; *(uint16_t*)0x20000352 = 0xfe; *(uint8_t*)0x20000354 = 9; *(uint8_t*)0x20000355 = 4; *(uint8_t*)0x20000356 = 0; *(uint8_t*)0x20000357 = 4; *(uint8_t*)0x20000358 = 4; *(uint8_t*)0x20000359 = 0; *(uint8_t*)0x2000035a = 0; *(uint8_t*)0x2000035b = 0; *(uint8_t*)0x2000035c = 5; *(uint8_t*)0x2000035d = 0xa; *(uint8_t*)0x2000035e = 0x24; *(uint8_t*)0x2000035f = 1; *(uint16_t*)0x20000360 = 2; *(uint8_t*)0x20000362 = 4; *(uint8_t*)0x20000363 = 2; *(uint8_t*)0x20000364 = 1; *(uint8_t*)0x20000365 = 2; *(uint8_t*)0x20000366 = 7; *(uint8_t*)0x20000367 = 0x24; *(uint8_t*)0x20000368 = 5; *(uint8_t*)0x20000369 = 1; *(uint8_t*)0x2000036a = 2; memcpy((void*)0x2000036b, "\x01\x47", 2); *(uint8_t*)0x2000036d = 7; *(uint8_t*)0x2000036e = 0x24; *(uint8_t*)0x2000036f = 5; *(uint8_t*)0x20000370 = 2; *(uint8_t*)0x20000371 = 
0xfd; memcpy((void*)0x20000372, "\xf8\xe3", 2); *(uint8_t*)0x20000374 = 0xc; *(uint8_t*)0x20000375 = 0x24; *(uint8_t*)0x20000376 = 8; *(uint8_t*)0x20000377 = 1; *(uint16_t*)0x20000378 = 0x9c6; *(uint8_t*)0x2000037a = 0; memcpy((void*)0x2000037b, "\x2b\x21\x53\x16\xef", 5); *(uint8_t*)0x20000380 = 0xc; *(uint8_t*)0x20000381 = 0x24; *(uint8_t*)0x20000382 = 2; *(uint8_t*)0x20000383 = 4; *(uint16_t*)0x20000384 = 0x204; *(uint8_t*)0x20000386 = 6; *(uint8_t*)0x20000387 = 5; *(uint16_t*)0x20000388 = 0x995d; *(uint8_t*)0x2000038a = 0xc; *(uint8_t*)0x2000038b = 6; *(uint8_t*)0x2000038c = 9; *(uint8_t*)0x2000038d = 5; *(uint8_t*)0x2000038e = 3; *(uint8_t*)0x2000038f = 0x10; *(uint16_t*)0x20000390 = 0x20; *(uint8_t*)0x20000392 = -1; *(uint8_t*)0x20000393 = 0x80; *(uint8_t*)0x20000394 = 6; *(uint8_t*)0x20000395 = 7; *(uint8_t*)0x20000396 = 0x25; *(uint8_t*)0x20000397 = 1; *(uint8_t*)0x20000398 = 3; *(uint8_t*)0x20000399 = -1; *(uint16_t*)0x2000039a = 0x8001; *(uint8_t*)0x2000039c = 9; *(uint8_t*)0x2000039d = 5; *(uint8_t*)0x2000039e = 6; *(uint8_t*)0x2000039f = 0; *(uint16_t*)0x200003a0 = 0x448; *(uint8_t*)0x200003a2 = -1; *(uint8_t*)0x200003a3 = 0x3f; *(uint8_t*)0x200003a4 = 0x76; *(uint8_t*)0x200003a5 = 0x6f; *(uint8_t*)0x200003a6 = 0x11; memcpy((void*)0x200003a7, "\xda\x23\xcb\x30\xd2\x3b\x24\x96\x6c\xe6\x14\xd1\xee\x64\x50\x36\x1d\xfc\xa9\x30\x5a\xc7\x6d\x5b\x40\x99\xb8\x4d\x25\xf0\x4e\xc0\x79\xb7\x4c\x3a\x05\x96\x13\xb7\x46\x0f\x27\x2b\x68\x68\xfb\x63\xb8\x48\xe4\xbf\x13\xba\x31\xc0\x93\x82\xbd\xbf\x30\x7c\xfa\x8c\xdf\x59\x40\x7d\x48\xed\x2d\x3b\x2a\x06\xa6\x62\x3d\x03\xb6\x15\x14\xb8\x7e\x6d\xab\x90\xd3\x78\x3b\x78\xac\xf7\x8d\xd2\x14\x26\x15\x99\x7d\xfb\x54\xad\xb9\xbc\x2f\x6f\x67\x53\xbf", 109); *(uint8_t*)0x20000414 = 9; *(uint8_t*)0x20000415 = 5; *(uint8_t*)0x20000416 = 0xb; *(uint8_t*)0x20000417 = 3; *(uint16_t*)0x20000418 = 0x200; *(uint8_t*)0x2000041a = 5; *(uint8_t*)0x2000041b = 1; *(uint8_t*)0x2000041c = 9; *(uint8_t*)0x2000041d = 0xe4; *(uint8_t*)0x2000041e = 
8; memcpy((void*)0x2000041f, "\xf0\xea\x4a\xfa\x7a\x84\x2c\xc9\xd1\xdc\x5a\x8e\x5d\x04\x36\xf0\x2f\xbb\xbb\x1c\x2d\xec\x28\x14\x39\x8b\x26\x3b\xd0\xb1\xe2\xb3\x70\x4e\xd1\x7a\xc7\xae\x74\xce\x76\x14\x55\xb5\x6a\xcc\x07\x98\xde\xd8\x83\x48\x24\xb9\xc5\xef\x8e\xaa\x57\xa1\x29\x1f\x2f\x05\x2d\xa6\x47\xf2\xc3\xc0\xb4\xe0\x43\x49\xf4\xb5\x52\x46\xa4\x6e\xd7\x8f\xf3\xa4\xf0\x03\x26\x2a\x48\x8a\xa7\xed\x0b\x4f\xed\x80\x56\xad\xe6\x5d\x9e\x9f\x23\x00\x1d\xfb\xe3\x16\x7d\xe2\x40\x7c\x8d\xe6\x21\x93\xb8\x97\xa8\x67\xa1\xae\x26\x41\x16\x4c\x13\x3f\xbd\x12\x8f\x6c\x77\xb4\x90\xd6\x9e\xcd\xc3\x34\x33\x79\xf8\x2d\xed\x10\x51\x39\xd6\xcf\xea\x5e\x50\x93\x5c\x43\x0c\x90\x2b\x35\xc7\xe5\x37\x6d\x9d\x7a\x27\x4c\x07\xcf\xc7\x7b\xd3\xd5\xc8\x21\x78\xb1\xa9\xe8\x80\x92\x2f\x7b\x89\xe4\xe2\xe6\x63\xb4\xa1\x0e\x6b\x43\x5c\x4c\x3f\x59\x0e\x7c\x09\x60\xdf\x11\xf7\x53\xc2\x65\x07\x77\x40\x9c\x97\x62\xd4\x0e\xbd\x98\xda\xac\x27\x9f\xce\x95\xf4\x31", 226); *(uint8_t*)0x20000501 = 7; *(uint8_t*)0x20000502 = 0x25; *(uint8_t*)0x20000503 = 1; *(uint8_t*)0x20000504 = 0; *(uint8_t*)0x20000505 = 1; *(uint16_t*)0x20000506 = 2; *(uint8_t*)0x20000508 = 9; *(uint8_t*)0x20000509 = 5; *(uint8_t*)0x2000050a = 5; *(uint8_t*)0x2000050b = 0; *(uint16_t*)0x2000050c = 0x10; *(uint8_t*)0x2000050e = 2; *(uint8_t*)0x2000050f = 5; *(uint8_t*)0x20000510 = 4; *(uint8_t*)0x20000511 = 0x88; *(uint8_t*)0x20000512 = 0x21; memcpy((void*)0x20000513, "\xa2\x3f\x90\x2a\x86\x41\x2c\xf8\x19\x79\x19\x7a\x08\x96\x00\x9c\x1e\xb1\x8f\xc5\xbc\x5f\x86\x7e\x80\x88\xda\x0a\x16\xf3\xd0\xc7\xe5\x66\xad\x5a\x00\x4c\x79\x82\xe8\x48\x11\xcb\x3a\x32\x86\x5c\x01\x75\x5c\xd2\xe3\x40\x18\x6b\x34\xe0\xe4\xef\x94\xa8\xa3\xa9\x62\x02\xff\x71\xd7\xf0\x2f\x12\x2b\xf1\xbd\x61\x72\x86\x33\x1d\xbc\xef\x62\x62\xb5\x69\xa9\xf7\xb0\x43\x58\xea\x35\xed\x81\x85\xb8\x89\xc8\x59\x8f\xf1\x56\x85\x1d\xa7\x75\x1e\x59\x7a\x10\x93\x58\x1c\xdb\xd1\xaa\xc3\x60\x04\x9d\x0f\xca\xb8\x26\x7c\x7b\x43\x21\x42\x95\xdc\x35\xec", 134); *(uint8_t*)0x20000599 = 9; 
*(uint8_t*)0x2000059a = 4; *(uint8_t*)0x2000059b = 0x80; *(uint8_t*)0x2000059c = -1; *(uint8_t*)0x2000059d = 4; *(uint8_t*)0x2000059e = 0; *(uint8_t*)0x2000059f = 0; *(uint8_t*)0x200005a0 = 0; *(uint8_t*)0x200005a1 = 0x80; *(uint8_t*)0x200005a2 = 9; *(uint8_t*)0x200005a3 = 0x21; *(uint16_t*)0x200005a4 = 0x8000; *(uint8_t*)0x200005a6 = 5; *(uint8_t*)0x200005a7 = 1; *(uint8_t*)0x200005a8 = 0x22; *(uint16_t*)0x200005a9 = 0xcc8; *(uint8_t*)0x200005ab = 0xb; *(uint8_t*)0x200005ac = 0x24; *(uint8_t*)0x200005ad = 6; *(uint8_t*)0x200005ae = 0; *(uint8_t*)0x200005af = 1; memcpy((void*)0x200005b0, "\x09\x98\x5b\xde\x97\xc2", 6); *(uint8_t*)0x200005b6 = 5; *(uint8_t*)0x200005b7 = 0x24; *(uint8_t*)0x200005b8 = 0; *(uint16_t*)0x200005b9 = 0x2b5; *(uint8_t*)0x200005bb = 0xd; *(uint8_t*)0x200005bc = 0x24; *(uint8_t*)0x200005bd = 0xf; *(uint8_t*)0x200005be = 1; *(uint32_t*)0x200005bf = 0x9a01; *(uint16_t*)0x200005c3 = 3; *(uint16_t*)0x200005c5 = 0x1f; *(uint8_t*)0x200005c7 = 0x7f; *(uint8_t*)0x200005c8 = 6; *(uint8_t*)0x200005c9 = 0x24; *(uint8_t*)0x200005ca = 0x1a; *(uint16_t*)0x200005cb = 7; *(uint8_t*)0x200005cd = 0x30; *(uint8_t*)0x200005ce = 0xe1; *(uint8_t*)0x200005cf = 0x24; *(uint8_t*)0x200005d0 = 0x13; *(uint8_t*)0x200005d1 = 5; memcpy((void*)0x200005d2, 
"\x07\xf2\x4d\x4e\x3b\xd8\xa4\xc5\xa2\x46\x7a\x7b\x60\x76\xd0\x40\x2d\x1b\xb9\x67\xb5\xc9\xdd\xb8\x3d\x22\x14\x14\x40\x1f\x2f\x12\x96\x76\x5c\x43\xba\x58\x4d\x21\xf7\x19\x7c\x44\xc5\xdc\xfc\x98\x6a\xb7\x4f\xba\x69\x29\x3f\xcc\x61\x17\x3d\xf9\xa7\x4d\x4e\xf3\xdf\xeb\x47\xac\xfe\xf5\xb9\xa3\x58\x88\x70\x84\x08\x55\x7f\xdb\x5f\x74\xc1\x71\x74\x85\xbd\x90\x5d\x76\x0d\xe1\x5e\xce\xe6\x0e\xea\x4e\x9b\x9b\x6c\xa9\xe3\x2b\x32\x14\x98\x1d\x1a\x45\x82\xbd\x20\x99\xa9\xbb\xf8\x9a\x0d\x3e\x33\x25\x97\x89\x34\x5e\xa1\xf0\x9a\xd7\x1e\x6a\x9f\x3d\xaf\xbd\x04\xf1\xd9\xc9\x8d\xab\xe5\x01\x8d\x78\xdb\x5c\xbe\x8c\x15\xf7\xe7\x23\xda\x5a\x75\xf5\xe4\x86\xe0\xfb\x1b\x8a\xbf\xd5\xed\x09\x7c\xd2\x79\x7d\x94\xb0\x93\x30\xc5\xda\x21\x29\xdf\x24\x0e\x36\x1a\xa9\x39\xbb\x54\xf4\x45\xad\xac\x01\x33\xc0\x3c\x3d\xee\x27\x1f\xe4\x6f\x1d\x55\xd4\xce\xb2\xde\xdd\x0d\xe8\x34\x00\xd6\xaa\x7a\x6d\xdb\x14\xa5", 221); *(uint8_t*)0x200006af = 9; *(uint8_t*)0x200006b0 = 5; *(uint8_t*)0x200006b1 = 4; *(uint8_t*)0x200006b2 = 0; *(uint16_t*)0x200006b3 = 0x200; *(uint8_t*)0x200006b5 = 0x92; *(uint8_t*)0x200006b6 = 0x20; *(uint8_t*)0x200006b7 = 0x1f; *(uint8_t*)0x200006b8 = 0xae; *(uint8_t*)0x200006b9 = 0x23; memcpy((void*)0x200006ba, "\xff\x52\xf2\x2c\xfc\xc4\xa1\xaa\xf6\x5e\xd9\x61\x00\xc9\x57\x9c\xb7\xb6\xbd\xf6\x08\xe0\x83\xd8\xb7\x6c\xd8\x90\xef\xc8\x25\x4d\xa4\x8a\xe0\xdc\xf1\xaa\x08\x72\x21\x81\xaa\xcd\x2b\x8e\xc3\x90\x49\xa4\xed\xc7\x19\xb1\x99\xcf\xc2\xf0\x58\xf3\xe7\xac\x92\x76\xe4\xda\x51\x1a\x84\x4b\x2b\xe7\x14\xc2\xf7\x3f\xf9\xe5\x26\xbe\xf1\x9e\xe0\xd0\x31\xd1\x41\x90\x04\x2d\xea\x36\x56\x12\x14\xb4\x16\xe8\x17\x9e\xa2\x06\xfb\xd8\xe7\x61\x17\x80\x4f\x37\xb9\x1e\x38\xa8\xe7\x92\x9a\x16\x9d\xa2\x20\x8c\xd3\x13\x69\x71\xa1\x5e\x47\x68\x3f\x7f\x9f\x1a\x72\x7d\x6f\x6c\x2a\xcc\x5e\x7b\x6b\x14\x99\x82\xa0\x45\x09\x44\xfe\x6e\x90\xd5\x96\x35\x1b\x85\xbf\xc0\x8c\x87\xce\xd8\x52\xec\x86\x66\xb2\x46\xf9\x66", 172); *(uint8_t*)0x20000766 = 9; *(uint8_t*)0x20000767 = 5; *(uint8_t*)0x20000768 = 0x80; 
*(uint8_t*)0x20000769 = 0; *(uint16_t*)0x2000076a = 0x10; *(uint8_t*)0x2000076c = 4; *(uint8_t*)0x2000076d = 1; *(uint8_t*)0x2000076e = 1; *(uint8_t*)0x2000076f = 0x5a; *(uint8_t*)0x20000770 = 7; memcpy((void*)0x20000771, "\x59\x18\xc0\xd1\xe3\x44\x74\xbb\x64\x9f\x86\xd9\x5b\x58\x50\x0a\x76\x95\xb3\xe0\x67\x0a\x41\x04\x87\x12\xe6\x53\xaa\x31\x01\x96\x96\x45\x48\xcd\x3b\x61\x28\x2f\x29\x29\xc8\xd9\xaf\x8b\xdc\x14\xf5\x34\x77\x3c\xf8\xb4\x58\x7a\xcb\xa0\xac\x80\x2b\xf8\x72\x17\xb2\x4e\x97\xae\xd0\xc4\xbe\x03\xe7\x11\x1f\xda\xeb\xf6\x32\xdc\xcd\xe2\xab\x99\xa3\xad\x1b\x7d", 88); *(uint8_t*)0x200007c9 = 9; *(uint8_t*)0x200007ca = 5; *(uint8_t*)0x200007cb = 0xc; *(uint8_t*)0x200007cc = 0; *(uint16_t*)0x200007cd = 0x20; *(uint8_t*)0x200007cf = 0; *(uint8_t*)0x200007d0 = 0x7f; *(uint8_t*)0x200007d1 = 0x3f; *(uint8_t*)0x200007d2 = 0x51; *(uint8_t*)0x200007d3 = 4; memcpy((void*)0x200007d4, "\x36\x48\xc9\xfe\x06\x5c\x35\x07\x50\xeb\xe5\x3d\x81\x1c\xb4\x45\x8d\x35\xbe\xcb\x83\x94\xe5\x5a\x4b\x92\x47\x11\xd1\x32\x48\xa3\x9e\x0b\xdc\xf2\x6c\x53\x0a\x2b\xb3\xe3\x25\x2a\xeb\x7d\xd7\x73\xc4\x09\x90\x06\x3f\x30\xc1\x63\xd6\x60\xf3\x99\x3a\x8a\x44\x23\xcd\xd3\x9b\xe1\x2a\xa8\x7f\x7c\x79\x47\x68\xc0\x70\x4e\x58", 79); *(uint8_t*)0x20000823 = 0x83; *(uint8_t*)0x20000824 = 0xc; memcpy((void*)0x20000825, "\x10\xc9\x12\x99\x7e\x4a\xef\x49\x57\xa7\x8f\x0a\x7c\x50\xe9\xfd\xdc\xba\xb0\xba\x6d\x75\x9d\x95\x94\x02\x9c\xe1\x2a\xd9\x69\x64\x57\x03\x95\xb6\xb1\x94\x29\x17\x0f\x6e\x53\x41\xf0\xa7\x21\x8d\x5d\x95\x34\x1c\x7a\xec\x04\x3c\x25\x90\xb2\x04\xc8\x17\x1d\xb1\xaa\xad\xd2\x1f\xa0\x66\x2d\xff\xb4\xb7\x16\xdd\x20\x6e\x7d\xd6\xba\xc2\x7f\x37\xe9\x0e\xf2\xe2\x6e\x34\xf0\xd6\x83\x9f\xc2\x1a\x46\xb9\xf5\xd9\xc3\x59\xef\xa2\xfb\xd9\x6a\x01\x22\x2b\x4e\x20\x75\xb3\x09\x4d\xc0\x79\x4d\xae\xb4\xec\x35\xaf\x06\xd9\x6e\x7b\x1d", 129); *(uint8_t*)0x200008a6 = 9; *(uint8_t*)0x200008a7 = 5; *(uint8_t*)0x200008a8 = 1; *(uint8_t*)0x200008a9 = 3; *(uint16_t*)0x200008aa = 0x10; *(uint8_t*)0x200008ac = 1; 
*(uint8_t*)0x200008ad = 1; *(uint8_t*)0x200008ae = -1; *(uint8_t*)0x200008af = 7; *(uint8_t*)0x200008b0 = 0x25; *(uint8_t*)0x200008b1 = 1; *(uint8_t*)0x200008b2 = 0xc0; *(uint8_t*)0x200008b3 = 0x1f; *(uint16_t*)0x200008b4 = 0xfff9; *(uint8_t*)0x200008b6 = 9; *(uint8_t*)0x200008b7 = 4; *(uint8_t*)0x200008b8 = 6; *(uint8_t*)0x200008b9 = 1; *(uint8_t*)0x200008ba = 8; *(uint8_t*)0x200008bb = 0; *(uint8_t*)0x200008bc = 0; *(uint8_t*)0x200008bd = 0; *(uint8_t*)0x200008be = 0; *(uint8_t*)0x200008bf = 7; *(uint8_t*)0x200008c0 = 0x24; *(uint8_t*)0x200008c1 = 1; *(uint8_t*)0x200008c2 = 0x80; *(uint8_t*)0x200008c3 = 9; *(uint16_t*)0x200008c4 = 1; *(uint8_t*)0x200008c6 = 0xc; *(uint8_t*)0x200008c7 = 0x24; *(uint8_t*)0x200008c8 = 2; *(uint8_t*)0x200008c9 = 2; *(uint16_t*)0x200008ca = 0; *(uint16_t*)0x200008cc = 0x25; *(uint8_t*)0x200008ce = 0xd1; memcpy((void*)0x200008cf, "\x82\x68\x8e", 3); *(uint8_t*)0x200008d2 = 0xa; *(uint8_t*)0x200008d3 = 0x24; *(uint8_t*)0x200008d4 = 2; *(uint8_t*)0x200008d5 = 1; *(uint8_t*)0x200008d6 = 0x80; *(uint8_t*)0x200008d7 = 4; *(uint8_t*)0x200008d8 = 0xf9; *(uint8_t*)0x200008d9 = 7; memset((void*)0x200008da, 162, 1); memset((void*)0x200008db, 228, 1); *(uint8_t*)0x200008dc = 0xc; *(uint8_t*)0x200008dd = 0x24; *(uint8_t*)0x200008de = 2; *(uint8_t*)0x200008df = 2; *(uint16_t*)0x200008e0 = 8; *(uint16_t*)0x200008e2 = 0x7d; *(uint8_t*)0x200008e4 = 0x3f; memcpy((void*)0x200008e5, "\x58\xe6\xa1", 3); *(uint8_t*)0x200008e8 = 9; *(uint8_t*)0x200008e9 = 5; *(uint8_t*)0x200008ea = 0xf; *(uint8_t*)0x200008eb = 8; *(uint16_t*)0x200008ec = 0x20; *(uint8_t*)0x200008ee = 0; *(uint8_t*)0x200008ef = 3; *(uint8_t*)0x200008f0 = 0x80; *(uint8_t*)0x200008f1 = 7; *(uint8_t*)0x200008f2 = 0x25; *(uint8_t*)0x200008f3 = 1; *(uint8_t*)0x200008f4 = 0x82; *(uint8_t*)0x200008f5 = 6; *(uint16_t*)0x200008f6 = 0xfffb; *(uint8_t*)0x200008f8 = 9; *(uint8_t*)0x200008f9 = 5; *(uint8_t*)0x200008fa = 9; *(uint8_t*)0x200008fb = 8; *(uint16_t*)0x200008fc = 0x3ff; *(uint8_t*)0x200008fe = 
0x7f; *(uint8_t*)0x200008ff = 7; *(uint8_t*)0x20000900 = 0; *(uint8_t*)0x20000901 = 7; *(uint8_t*)0x20000902 = 0x25; *(uint8_t*)0x20000903 = 1; *(uint8_t*)0x20000904 = 0; *(uint8_t*)0x20000905 = 6; *(uint16_t*)0x20000906 = 8; *(uint8_t*)0x20000908 = 0xd4; *(uint8_t*)0x20000909 = 0x24; memcpy((void*)0x2000090a, "\x62\x39\x1b\x1f\xe2\xfa\x93\xb5\xdc\x5f\xfe\xc9\x4d\xf0\xcf\xd9\xa7\xfa\x76\x46\x74\xe7\xeb\xb2\xb4\x21\x1b\xe4\x38\x09\xb7\x78\xb6\xa1\xb7\x74\x7c\x68\x9e\xe8\xd9\xb7\x00\x7a\x9b\x0a\xd6\x32\xb1\xb6\xb9\xdc\xe6\xf6\x79\x13\x10\x39\xd1\x4f\xf7\xef\x5f\x15\x51\x42\x2f\xbf\xb4\x74\x99\x5f\x50\xdc\xf1\x83\x14\xee\xad\xe2\xb0\x99\x37\xad\x1c\x87\x16\x6a\x9f\xf6\xa9\xf3\x0e\xcf\x29\x1c\x74\xd0\xf4\xd8\xc4\xab\x47\xad\xb0\x74\x6f\x93\x3b\x83\x08\xe0\x74\x20\xa6\x00\xe2\xee\x5b\xc2\xfa\x4a\x93\x24\xd2\x5f\x62\x3b\x73\x60\x82\x8c\x0a\x53\x1d\xf1\xdc\x32\xd7\x63\x1a\x74\xdf\xc7\x22\xdb\x3f\x89\x4a\xf8\x11\x21\x7f\x91\x55\xc9\x2c\xcd\x88\x29\x8b\x9f\xbf\x54\x0a\xaa\x44\xf4\x28\x53\xa5\x19\x10\xd9\x62\xb5\x5b\x87\xc5\x9b\x5b\xae\x88\xa5\x79\x77\x37\xb6\xab\x2c\x6d\x99\x61\x0c\x58\xcf\x11\x51\xe4\xac\x7a\x11\x18\x4e\xef\x54\x51\x06\xf1\xbc", 210); *(uint8_t*)0x200009dc = 9; *(uint8_t*)0x200009dd = 5; *(uint8_t*)0x200009de = 0xd; *(uint8_t*)0x200009df = 0x10; *(uint16_t*)0x200009e0 = 0x200; *(uint8_t*)0x200009e2 = 8; *(uint8_t*)0x200009e3 = 0xf0; *(uint8_t*)0x200009e4 = 1; *(uint8_t*)0x200009e5 = 0xd; *(uint8_t*)0x200009e6 = 5; memcpy((void*)0x200009e7, "\x0d\x5b\x7b\xb2\xb0\xaa\xa2\x46\x2a\xf8\x25", 11); *(uint8_t*)0x200009f2 = 7; *(uint8_t*)0x200009f3 = 0x25; *(uint8_t*)0x200009f4 = 1; *(uint8_t*)0x200009f5 = 0x81; *(uint8_t*)0x200009f6 = -1; *(uint16_t*)0x200009f7 = 0x83; *(uint8_t*)0x200009f9 = 9; *(uint8_t*)0x200009fa = 5; *(uint8_t*)0x200009fb = 7; *(uint8_t*)0x200009fc = 0x10; *(uint16_t*)0x200009fd = 0x3ff; *(uint8_t*)0x200009ff = 2; *(uint8_t*)0x20000a00 = 9; *(uint8_t*)0x20000a01 = 1; *(uint8_t*)0x20000a02 = 0xe3; *(uint8_t*)0x20000a03 = 7; 
memcpy((void*)0x20000a04, "\x7a\x0c\x57\x81\xa1\xe0\x40\x88\x43\xc7\xa9\xb1\xec\xb1\x45\x2c\xb7\x3b\xb7\x02\x61\xaf\x49\x65\x23\x4f\x06\x84\x88\x7d\x0b\x16\xeb\xbc\x01\x58\x8c\xec\xe0\x81\x98\x2e\xdd\x39\x28\x9b\x1e\x92\x2c\x44\x89\x04\xc8\x2a\xfd\xa4\x6b\x69\xf7\xd9\x4f\x8c\x0a\x6b\xaa\x02\x6a\x88\x35\x6d\x28\x41\x6e\x39\x41\x8f\x18\xc6\x06\xdd\xaf\x5c\x6b\x9d\x9c\xad\x58\xf5\xdb\x2b\xbf\xa3\x5d\x4a\x8a\x69\x90\xe1\xe9\x14\x73\xe5\x18\x53\x91\xab\x37\x70\x26\xd5\xbf\xc5\x5f\xbf\xc6\xee\x65\x59\x90\xdc\x45\xfc\xc5\x63\x04\x84\xe8\xa4\xa9\x67\x17\x68\xa2\x78\x3b\x72\x36\x25\x4d\x64\x43\xd7\xc9\x49\xd9\x51\x21\x02\x6d\x04\x61\xb2\x45\xc6\xf7\x06\xde\xed\x08\x8e\xfb\x46\x01\x3a\x1e\x18\x5e\x48\x34\x45\xab\xd4\x60\xc0\xe0\xc2\x71\x61\x7a\x42\x81\xa5\x4d\x9d\x65\xba\xcf\x88\xd7\xd6\xf1\x9c\x46\x71\xf0\x1e\xd5\x08\xc9\xb5\xf2\x32\x9a\x7d\x8c\xe4\x06\xcd\xf6\xc8\x28\x01\x8f\xf1\x82\x69\xe0\xb4\x67\x11\xcf\xd7\x76\x23\xa9", 225); *(uint8_t*)0x20000ae5 = 9; *(uint8_t*)0x20000ae6 = 5; *(uint8_t*)0x20000ae7 = 3; *(uint8_t*)0x20000ae8 = 0xa; *(uint16_t*)0x20000ae9 = 0x200; *(uint8_t*)0x20000aeb = 8; *(uint8_t*)0x20000aec = -1; *(uint8_t*)0x20000aed = -1; *(uint8_t*)0x20000aee = 7; *(uint8_t*)0x20000aef = 0x25; *(uint8_t*)0x20000af0 = 1; *(uint8_t*)0x20000af1 = 0x80; *(uint8_t*)0x20000af2 = 0x20; *(uint16_t*)0x20000af3 = 3; *(uint8_t*)0x20000af5 = 9; *(uint8_t*)0x20000af6 = 5; *(uint8_t*)0x20000af7 = 0x80; *(uint8_t*)0x20000af8 = 4; *(uint16_t*)0x20000af9 = 0x400; *(uint8_t*)0x20000afb = 0x49; *(uint8_t*)0x20000afc = 3; *(uint8_t*)0x20000afd = 1; *(uint8_t*)0x20000afe = 0xf5; *(uint8_t*)0x20000aff = 0x30; memcpy((void*)0x20000b00, 
"\x52\xa0\x7c\x7d\x99\x6e\x3f\x77\x39\x5e\x99\x57\xe0\x5a\xf5\xc6\x91\x24\xf5\xca\xee\x79\x9f\xdb\x09\xca\xd9\xa1\x53\xf6\x81\x38\x85\x17\xf7\x54\xb3\x69\x8e\x0c\x62\x60\xd4\x54\xe5\xf6\xc9\x97\x8a\x0a\x06\x74\x9e\xda\xc8\x23\x18\xc8\x04\xa6\xd7\x24\x2b\xe8\x87\x98\xc3\xd9\x63\xec\x0c\x5f\x44\x95\x87\x88\xd7\xa3\x5a\x55\x54\x2d\x6e\x13\xdf\xa0\xdc\xc4\xcc\xb9\xa6\xbe\x28\xb9\x2c\x92\xd8\xf3\x57\x22\xb9\xaf\x6d\x27\x74\x01\xce\xd4\x5f\xff\x80\x34\xcd\x1c\xa6\x6e\x6a\xd5\x4a\x67\xad\x3f\x1d\x85\xe4\x5e\x9c\x8d\xf8\xf4\xf9\x96\x98\x4c\x40\x80\x61\x1e\x9f\x33\xde\x99\x3c\xd5\xde\x47\xac\xd4\x7c\xa0\x0a\xd1\x59\x35\x06\x6e\x03\x8c\x37\x1b\x28\x1d\xcb\xde\x4c\x57\xda\x91\x9c\x2f\x5e\xaa\xc7\x15\x4f\x0e\xe6\xb6\xaf\xf6\x51\x2b\x40\x96\x5d\xfe\x33\xff\x51\xda\xa9\xa5\x03\x09\x60\x76\xe6\xc7\x34\xff\x43\x7e\x24\xac\x90\x7f\xb3\xd3\x91\xdf\xb7\xb7\x4f\x50\x01\x69\x44\x97\x24\x6d\x1d\xc3\x0d\x9c\x70\x26\x5c\x6a\xfd\x2a\x9d\xcb\xc9\x19\x97\xbf\x52\xc5\x7a\x52\x6b\x2a\xee", 243); *(uint8_t*)0x20000bf3 = 0x44; *(uint8_t*)0x20000bf4 = 1; memcpy((void*)0x20000bf5, "\x09\xd5\x3d\xc7\xfb\x22\xbf\x03\x7a\xc1\x74\x92\xd3\xa2\x9e\x90\xa3\xad\x1d\xf4\xbf\xf3\xaa\x22\x1e\x5e\xda\xf6\x82\x3f\xe2\x0f\x85\x08\x25\x87\xad\x02\x49\x27\x57\x7a\x37\xde\xc3\x2b\x0f\x4f\x61\x1e\x5f\x0d\x6d\xf4\x87\x70\x84\x41\x94\xea\x26\x3a\x40\x9a\xfd\xef", 66); *(uint8_t*)0x20000c37 = 9; *(uint8_t*)0x20000c38 = 5; *(uint8_t*)0x20000c39 = 0xc; *(uint8_t*)0x20000c3a = 1; *(uint16_t*)0x20000c3b = 0x3ff; *(uint8_t*)0x20000c3d = 0x1e; *(uint8_t*)0x20000c3e = 3; *(uint8_t*)0x20000c3f = 9; *(uint8_t*)0x20000c40 = 7; *(uint8_t*)0x20000c41 = 0x25; *(uint8_t*)0x20000c42 = 1; *(uint8_t*)0x20000c43 = 1; *(uint8_t*)0x20000c44 = 6; *(uint16_t*)0x20000c45 = 6; *(uint8_t*)0x20000c47 = 9; *(uint8_t*)0x20000c48 = 5; *(uint8_t*)0x20000c49 = 2; *(uint8_t*)0x20000c4a = 3; *(uint16_t*)0x20000c4b = 0x10; *(uint8_t*)0x20000c4d = 5; *(uint8_t*)0x20000c4e = 4; *(uint8_t*)0x20000c4f = 1; *(uint8_t*)0x20000c50 = 7; *(uint8_t*)0x20000c51 
= 0x25; *(uint8_t*)0x20000c52 = 1; *(uint8_t*)0x20000c53 = 1; *(uint8_t*)0x20000c54 = 1; *(uint16_t*)0x20000c55 = 0; *(uint32_t*)0x20000f00 = 0xa; *(uint64_t*)0x20000f04 = 0x20000c80; *(uint8_t*)0x20000c80 = 0xa; *(uint8_t*)0x20000c81 = 6; *(uint16_t*)0x20000c82 = 0x110; *(uint8_t*)0x20000c84 = 9; *(uint8_t*)0x20000c85 = 4; *(uint8_t*)0x20000c86 = 0x81; *(uint8_t*)0x20000c87 = 0x20; *(uint8_t*)0x20000c88 = 0x1f; *(uint8_t*)0x20000c89 = 0; *(uint32_t*)0x20000f0c = 0x19; *(uint64_t*)0x20000f10 = 0x20000cc0; *(uint8_t*)0x20000cc0 = 5; *(uint8_t*)0x20000cc1 = 0xf; *(uint16_t*)0x20000cc2 = 0x19; *(uint8_t*)0x20000cc4 = 1; *(uint8_t*)0x20000cc5 = 0x14; *(uint8_t*)0x20000cc6 = 0x10; *(uint8_t*)0x20000cc7 = 4; *(uint8_t*)0x20000cc8 = 0x46; memcpy((void*)0x20000cc9, "\xd7\xc1\x6f\x61\xf8\x30\x9b\x9f\xc9\xa6\x51\x2c\x87\x0a\xd5\x42", 16); *(uint32_t*)0x20000f18 = 6; *(uint32_t*)0x20000f1c = 4; *(uint64_t*)0x20000f20 = 0x20000d00; *(uint8_t*)0x20000d00 = 4; *(uint8_t*)0x20000d01 = 3; *(uint16_t*)0x20000d02 = 0x1407; *(uint32_t*)0x20000f28 = 4; *(uint64_t*)0x20000f2c = 0x20000d40; *(uint8_t*)0x20000d40 = 4; *(uint8_t*)0x20000d41 = 3; *(uint16_t*)0x20000d42 = 0x809; *(uint32_t*)0x20000f34 = 4; *(uint64_t*)0x20000f38 = 0x20000d80; *(uint8_t*)0x20000d80 = 4; *(uint8_t*)0x20000d81 = 3; *(uint16_t*)0x20000d82 = 0x1809; *(uint32_t*)0x20000f40 = 4; *(uint64_t*)0x20000f44 = 0x20000dc0; *(uint8_t*)0x20000dc0 = 4; *(uint8_t*)0x20000dc1 = 3; *(uint16_t*)0x20000dc2 = 0x448; *(uint32_t*)0x20000f4c = 4; *(uint64_t*)0x20000f50 = 0x20000e00; *(uint8_t*)0x20000e00 = 4; *(uint8_t*)0x20000e01 = 3; *(uint16_t*)0x20000e02 = 0xc09; *(uint32_t*)0x20000f58 = 0xb7; *(uint64_t*)0x20000f5c = 0x20000e40; *(uint8_t*)0x20000e40 = 0xb7; *(uint8_t*)0x20000e41 = 3; memcpy((void*)0x20000e42, 
"\x44\x93\xe6\xb7\xe8\x81\xcc\xce\xcb\x38\xc7\x39\x79\x2a\xfd\x4d\xb8\x39\xa8\xc6\xea\x63\x6b\xd3\x4a\x60\xf5\x44\xde\xba\xad\x81\x7e\xb1\xcb\x52\x94\x63\x3b\xbd\x53\x45\x05\x5f\x4d\xab\xe9\xe6\x5e\x5a\x43\xa5\xd7\x44\x68\x63\x5f\x48\x42\x81\x8f\xf9\x09\x23\xab\xd5\x8a\x95\x5f\xd1\xb6\x06\x19\x29\x49\x91\xd7\x49\xef\x7c\xe5\x12\xb0\x97\x41\x9c\x3a\x7c\x31\x49\x59\xa4\xc8\x21\x96\x8b\xc7\x43\x96\x97\x8b\xc0\x85\xec\x4f\xc8\x14\xc0\xa9\xcc\x3a\x2c\x5a\x78\xc9\xe3\x76\x67\x6f\xba\x67\x87\x03\x67\xd9\x32\xde\x05\xfa\x43\xa4\x12\x2d\xa8\x89\xb9\x84\x5f\x13\x9f\x82\xc9\x2d\xb0\xfa\x8a\xeb\xa9\xd5\x6b\x16\xbc\x33\x96\xde\x65\x5f\xa7\x00\x57\xec\x73\xb6\x4f\xe9\xfa\x08\xa8\xe6\x90\x1e\xca\x58\x68\x19\x7a\x46\x35\xb5\x8a\xde", 181); res = -1; res = syz_usb_connect(5, 0xc57, 0x20000000, 0x20000f00); if (res != -1) r[0] = res; syz_usb_disconnect(r[0]); return 0; } compiler invocation: /syzkaller/shared/netbsd/tools/bin/x86_64--netbsd-g++ [-o /tmp/syz-executor2061724795 -DGOOS_netbsd=1 -DGOARCH_amd64=1 -DHOSTGOOS_linux=1 -x c - -m64 --sysroot /syzkaller/shared/netbsd/dest/ -O2 -pthread -Wall -Werror -Wparentheses -Wframe-larger-than=16384] --- FAIL: TestGenerate/netbsd/amd64/2 (0.18s) csource_test.go:150: opts: {Threaded:true Repeat:false RepeatTimes:0 Procs:0 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false UseTmpDir:true HandleSegv:false Repro:false Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}} program: __stat50(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) (fail_nth: 1) compat_50___msgctl13$IPC_SET(0x0, 0x1, &(0x7f0000000200)={{0x5a3e, 0x0, r1, 0xffffffffffffffff, 0xffffffffffffffff, 0x20, 0x400}, 0x9, 0x62e81dc5, 0x81, 0x5, 0x4, 0x8, 0x9, &(0x7f0000000100)={0x0, 0x20e1, 0xfffd, 0x1}, 
&(0x7f00000001c0)={&(0x7f0000000180)={&(0x7f0000000140)={0x0, 0x7ff, 0x9, 0x1}, 0x8000000000000000, 0x6, 0x8}, 0x8, 0x5, 0x20}, 0x400}) (async) chown(&(0x7f0000000280)='./file0\x00', r0, 0x0) (rerun: 4) compat_14___semctl$GETALL(0x0, 0x0, 0x6, &(0x7f00000002c0)) compat_14___semctl$SETVAL(0xffffffffffffffff, 0x0, 0x8, &(0x7f0000000380)=@buf=&(0x7f0000000340)={{r0, r1, 0x80, 0x5a3, 0x100, 0x1, 0x4897}, 0x7fff, 0x7, 0x0, &(0x7f0000000300)={0x800, 0x7, 0x2, 0x9}}) semctl$GETNCNT(0xffffffffffffffff, 0x4, 0x3, &(0x7f00000003c0)=""/4) r2 = semget$private(0x0, 0x3, 0x2) compat_14___semctl$GETNCNT(r2, 0x0, 0x3) semop(r2, &(0x7f0000000400)=[{0x4, 0x7, 0x2000}, {0x4, 0x1f, 0x800}, {0x1, 0x7, 0x400}], 0x3) compat_14___semctl$IPC_STAT(r2, 0x0, 0x2, &(0x7f0000000440)) syz_emit_ethernet(0x8, &(0x7f0000000000)="03d03df5c2dcc049") syz_execute_func(&(0x7f0000000040)="c421c16d149fc462baf76fed2666450f3800813be70eb16640253633f0408182a0bc302200800000c48281926cd992660f4f99c0f800003626660f124e32f26e660f382ab500000080") syz_extract_tcp_res(&(0x7f00000000c0), 0xfffffffa, 0x8000) syz_usb_connect(0x5, 0x77e, &(0x7f0000000100)={{0x12, 0x1, 0x300, 0x0, 0x0, 0x0, 0xbf, 0x0, 0x0, 0x0, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x76c, 0x3, 0x7, 0x17, 0x30, 0x3d, [{{0x9, 0x4, 0x8e, 0x0, 0x0, 0x0, 0x0, 0x0, 0x62, [@uac_as={[@format_type_ii_discrete={0x12, 0x24, 0x2, 0x2, 0x1f, 0x7, 0x7f, "11c06824606e6e241d"}]}]}}, {{0x9, 0x4, 0x0, 0x3f, 0xd, 0x0, 0x0, 0x0, 0x1f, [@generic={0xe0, 0xa, "b71aa8dbef28ec508e40e57e0f21e51ceb5eacb80bb3f7ed35e29bad265b99dbbcbb655b87cbc776843703a876dc2dd2216c56771dd13f2cae3eae772586cacf7cdb24a918924ba342e5a84cb77541172a5b4100bcd721c00bcc1d590d5bae2e602b8a29aa649516b39d745c546613730dec4957df6dc6591993b9027afe3eb2172a49b3b589f5322cc76fd421d8b9acaf9f326c835214aa33da004adaae6689efebb028a649b7edc82333f89fd100b6da5d60c3e1349bd30d2cff8ae56ccbed46e09f6662c6b2c2e7cbd887fbc447db5d6887eb1cc1378ed310ec7d004c"}, @cdc_ncm={{0xb, 0x24, 0x6, 0x0, 0x1, "4b66fafbc9e4"}, {0x5, 0x24, 0x0, 0x6}, {0xd, 
0x24, 0xf, 0x1, 0x80000000, 0x4}, {0x6, 0x24, 0x1a, 0xfffa, 0x12}, [@obex={0x5, 0x24, 0x15, 0x5}, @mdlm={0x15, 0x24, 0x12, 0x5}, @dmm={0x7, 0x24, 0x14, 0x4}, @mdlm_detail={0xe5, 0x24, 0x13, 0x7, "8f0d5f90cf98b479fae069bfd83c7e4ef5afe012495f0ee23062fe5f81be0ef82ff410318f82c5300ba5a5ad175dacf741e1d1956b8bb156e5b546644c1750916d0381b49c7bd160323bde2ff8c1379a319c3add3fbd86aa169749f6108844bd19644cafebba5d70989e95144300d6b508edd1662f759828aad78d18d710553cb7f5df43b7b560bb4f4869de9ebe5e126356507d10f2c8d9b83f661fbf0bd5131ce9c059b60e620da0f7516ad6d70c75de7dd4b37d9c379134e6036df428e1f541dbee9f58a4a374ff6cb6ae0468f49c616418a2760066457439952bb5b93f4f33"}, @mdlm={0x15, 0x24, 0x12, 0xec}]}], [{{0x9, 0x5, 0xf, 0x1d, 0x10, 0x0, 0x80, 0x74}}, {{0x9, 0x5, 0x2, 0x3, 0x10, 0x9f, 0x7d, 0xff, [@generic={0x52, 0xe, "ecf4ce492b20b2d508a9180c01192d8e124f6e790aedfc35213b1d14c68c63686631f697532da005bc5013d62c6d5c18b5c5c4f2263b42b582b7333b47373cdf666159745a6a53d518a4ae7c51abaaa8"}, @generic={0x15, 0x23, "dc333ea4d2d7351ec6d273b68ce3d5d1e2c2cf"}]}}, {{0x9, 0x5, 0xb, 0x0, 0x10, 0x4, 0x9, 0x0, [@uac_iso={0x7, 0x25, 0x1, 0x0, 0x5, 0xfffc}, @generic={0x35, 0x2, "59a66019fb9adfb5950997712b8b3c1cb4c4a0abbf8ea41dd4dd5936bde7fbe23ff642c176c355ef4728022f3d7d833860fbcf"}]}}, {{0x9, 0x5, 0x0, 0x10, 0x8, 0x1, 0x1}}, {{0x9, 0x5, 0x1, 0x2, 0x0, 0x0, 0x9, 0x6, [@uac_iso={0x7, 0x25, 0x1, 0x3, 0x9, 0x9f36}, @uac_iso={0x7, 0x25, 0x1, 0x3, 0x9, 0x3}]}}, {{0x9, 0x5, 0xc, 0x10, 0x200, 0x15, 0x2, 0x0, [@generic={0x5b, 0x23, "1925294e2c16954f8313825e71ea536e7077d7130cee3a802cb3c8005ef6d9211068286c7a4c20cb87fd2cdc5aeedb171fd67ddc74c3f029aab0bfa9a63e5de5a53579666cef0fb7c876efc0a5d3382c346e1f9a78b7356c22"}]}}, {{0x9, 0x5, 0xb, 0x0, 0x40, 0x18, 0x3f, 0x8}}, {{0x9, 0x5, 0xd, 0x1, 0x0, 0x9, 0xff, 0x3, [@generic={0xdc, 0x23, 
"ccd53fc81156a91ff426eb001fbf43c8551fda170ed36a97eba7a32c3115ec5e9a8182734012aa12ddcc6e93d85eaafbda4ab1cff6bcb2afecd8aa8c58b27a75e5a4ddc50cc673edc82ff13115eb8f50ddd1ed2695337ca85b88264db59eb1304216a301d42f2902d5c06b17592bb21d2af1d092f5d7373aefdb907ffc8179abd68b11ef10be844e03816806f045f0a5ef3ba0ac5bd843a46fa3b72b862de1728647adc3f3bbcd53ce881e6b5a6c6ec797d32cc13918e3da4b3ea20dd6893c2c7ca47aa51bee047a361feff716cef3dae50b6ca72a2b764fa4cf"}, @uac_iso={0x7, 0x25, 0x1, 0x80, 0x5, 0x3f}]}}, {{0x9, 0x5, 0x1, 0x2, 0x20, 0xb9, 0x86, 0x40, [@generic={0x84, 0x8, "ab514debe16aea41f067e846f8939c5d4f6fce3a7d25eaee2c0651f92fe24417bdf9256f3f9b583492b2e4fe6b2b4bad9c1f4a8b26d74c60aeda9478a64876891b3a75ffce4001853b93bd0fd8a165a7fa83fbc6b95aed880f02224f1222b150b746981a4b55288f564d8d6af643c0fd291571d70cc56024dd73e500c5efe9bc9b72"}, @uac_iso={0x7, 0x25, 0x1, 0x1, 0x0, 0x9}]}}, {{0x9, 0x5, 0x5, 0x2, 0x10, 0xf9, 0xd8, 0xf9}}, {{0x9, 0x5, 0x3, 0xc, 0x8, 0x81, 0x0, 0x3f}}, {{0x9, 0x5, 0xd, 0x0, 0x252d10ce716ea2f3, 0xbe, 0x6, 0x7, [@uac_iso={0x7, 0x25, 0x1, 0x81, 0x2, 0x2}]}}, {{0x9, 0x5, 0x8, 0x3a51d77e4fce6a1c, 0x20, 0x4, 0x8, 0x9, [@uac_iso={0x7, 0x25, 0x1, 0x81, 0xff, 0xffe0}, @generic={0xf2, 0x31, "2fb2b9747b651ae66e5d861f9efc61bdd19495f163625975e7bae800ee004867b5a813b7b9dbc55eb0b751b8d758e9cba4a3b4f6830e5f85df740efcf290c77df212ee62fc94cc504b1e5422ffbf9f87ed05b4e762feed6535fd702825631db7636c869c9f1299320d98e1cf740a94e226af5608a799e1c999ee2b4ab5146f852ed9874065fb37c285811c77789df8a1798c2670419747679338a3299349ae3ec49eedcb39256d551a4ffba9595167c1779a7247b94aebc5792e53fbc94c066c16fe77020492e0a308d5ba5fdec952c4095b7563347be3f2ab70873375e6116c394003cc0c5cdbdcb004f96c6c4ff235"}]}}]}}, {{0x9, 0x4, 0x3, 0x6, 0x5, 0x0, 0x0, 0x0, 0xc8, [@uac_as={[@as_header={0x7, 0x24, 0x1, 0x0, 0x3, 0x4}, @format_type_i_discrete={0xf, 0x24, 0x2, 0x1, 0x81, 0x2, 0x1, 0x1, "b3d2feb3920056"}]}], [{{0x9, 0x5, 0x6, 0x4, 0x400, 0x0, 0x6, 0x3, [@generic={0x11, 0x4, "39a66425220fb1a99e556b2dfb1838"}]}}, {{0x9, 0x5, 0xa, 
0x4, 0x50, 0x79, 0x9, 0xff, [@uac_iso={0x7, 0x25, 0x1, 0x1, 0x9, 0x7}]}}, {{0x9, 0x5, 0x2, 0x10, 0x10, 0x0, 0xe5, 0x1, [@generic={0xc, 0x8, "6271ead39e76c55f403f"}, @generic={0x1d, 0x22, "93f92077e6f8fb302785e13e57cc86fc2a7a97621a1cd78498cc60"}]}}, {{0x9, 0x5, 0xa, 0x0, 0x10, 0xfb, 0x70, 0x9, [@generic={0xa5, 0xc5f45b4d7fc4460a, "aa016effd795b21fece55d47621811ef08e6eaf7a4f3fbf70f9191eec875bd45ba572cf2ef7f10f3a505ff71ef3ef1a42a7349f198cc1e7524a30e948c6334e706023fcaecc3cf51d8cc354dffdec9e33058456186dfe0453f8fb8ce8770fff3a35e7bc7be1982bc0fdb248b776f995d492694172d25affd8607f000dbea29d9b57de7bc89d328a63c5e9f3430aa094d1f14e2ea84446260097323f8483641d5308b57"}]}}, {{0x9, 0x5, 0x8c, 0x8, 0x40, 0x4, 0x5, 0x3}}]}}]}}]}}, &(0x7f0000000d40)={0xa, &(0x7f0000000880)={0xa, 0x6, 0x250, 0x1, 0x8, 0xcf, 0x20, 0x6}, 0xa7, &(0x7f00000008c0)={0x5, 0xf, 0xa7, 0x6, [@ssp_cap={0x18, 0x10, 0xa, 0x8, 0x3, 0x9, 0xf, 0x0, [0xffc030, 0xc030, 0x3f30]}, @ss_container_id={0x14, 0x10, 0x4, 0xfe, "edcaa525c23e27c47ce42420c044bb79"}, @ptm_cap={0x3}, @ptm_cap={0x3}, @ext_cap={0x7, 0x10, 0x2, 0x1c, 0x6, 0x0, 0x8}, @generic={0x69, 0x10, 0x1, "f0917a409f20823fe21e124dc671ac8313beb328f263a5967548b9ffe8bd38ca2b5638e90e09b00ad4000d975c28f280602443968fb75443f4833a05f936ed00b575a11e1181f19f62f7010a8559d4422269ba17c569a5d2ca580210a2811923216ff38f6c21"}]}, 0x9, [{0x2e, &(0x7f0000000980)=@string={0x2e, 0x3, "c0ca326abb6f9f4be8fde5ec0fda56568a3aee017d4851f5e177f27c6723cc4b66148d068a4fc215c3412242"}}, {0x4, &(0x7f00000009c0)=@lang_id={0x4, 0x3, 0x140a}}, {0x101, &(0x7f0000000a00)=@string={0x101, 0x3, "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"}}, {0x4, &(0x7f0000000b40)=@lang_id={0x4, 0x3, 0x804}}, {0x4, &(0x7f0000000b80)=@lang_id={0x4, 0x3, 0x400a}}, {0x4, &(0x7f0000000bc0)=@lang_id={0x4, 0x3, 0x42b}}, {0x4, &(0x7f0000000c00)=@lang_id={0x4, 0x3, 0x3009}}, {0xa5, &(0x7f0000000c40)=@string={0xa5, 0x3, 
"84389b092a5b3d06bfd89509d072a73f111a14aa4619785c4fe2448520d344b0309136ab091e792a36d6c3addbe839a59d0372bdb54265ba32c2fa75175518bee640f7a15dd0112606ec278989fea051f6a69b9753675b81fe2e64ebe334568e086b24704be9db1fa5645a8af526ed97a90c027a2b4f90ed9c2af5e9ba528431c93fea752e8d8489d4ef977f5a3ac6c8dbacfc145fdb5f7bca681b6f3bd764d06cbe0b"}}, {0x4, &(0x7f0000000d00)=@lang_id={0x4, 0x3, 0x44d}}]}) r3 = syz_usb_connect$cdc_ncm(0x1, 0x8f, &(0x7f0000000e00)={{0x12, 0x1, 0x310, 0x2, 0x0, 0x0, 0x20, 0x525, 0xa4a1, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x7d, 0x2, 0x1, 0x1, 0x1d0, 0x0, {{0x9, 0x4, 0x0, 0x0, 0x1, 0x2, 0xd, 0x0, 0x0, {{0x5}, {0x5, 0x24, 0x0, 0x81}, {0xd, 0x24, 0xf, 0x1, 0x3fffc000, 0xba60, 0x1, 0x1}, {0x6, 0x24, 0x1a, 0x1}, [@mbim={0xc, 0x24, 0x1b, 0x1b7, 0x50f, 0x6, 0x5b, 0x81, 0x9}, @mdlm={0x15, 0x24, 0x12, 0x5f}]}, {{0x9, 0x5, 0x81, 0x3, 0x10, 0x1, 0x6, 0x2}}}, {}, {0x9, 0x4, 0x1, 0x1, 0x2, 0x2, 0xd, 0x0, 0x0, "", {{{0x9, 0x5, 0x82, 0x2, 0x8, 0xcc, 0x6, 0x9b}}, {{0x9, 0x5, 0x3, 0x2, 0x400, 0x1, 0x6, 0x1}}}}}}}]}}, &(0x7f0000001300)={0xa, &(0x7f0000000ec0)={0xa, 0x6, 0x200, 0x0, 0x1, 0x13, 0x8, 0xff}, 0xff, &(0x7f0000000f00)={0x5, 0xf, 0xff, 0x6, [@ptm_cap={0x3}, @ss_container_id={0x14, 0x10, 0x4, 0x1, "433e988ee5f358ef3f4e653faf4ee765"}, @generic={0xa, 0x10, 0xb, "d374d6ca9cfdff"}, @generic={0xe, 0x10, 0xb, "e4e12848c1c9e1ace27001"}, @ssp_cap={0x1c, 0x10, 0xa, 0x40, 0x4, 0x4, 0xf0f, 0x8000, [0xff0000, 0xc0, 0xff003f, 0xc00f]}, @generic={0xaf, 0x10, 0x1, "cbabda0f979afcbd15737d315ab69ac532bda02642debca33a83185a92738f4d04cec695223d9f52b803ad72644bd3df5774949b6ed6377cdf5da5b1d8200de161f5b0f610c78f5c79a00db86492ecdf464204c009a9474a05f0f6351819703f383eca0f29a01e52f7b0b1f921ef92c3e630287707e0617fe8cf2672ef1dee5e7c5f8a37415f54b241f0b93ae6f3402e17b6fec466b83827f4e42c57af90ea0b735a10b5cc4a9ed14461cb3c"}]}, 0x9, [{0x4, &(0x7f0000001000)=@lang_id={0x4, 0x3, 0x807}}, {0x4, &(0x7f0000001040)=@lang_id={0x4, 0x3, 0x44c}}, {0x46, &(0x7f0000001080)=@string={0x46, 0x3, 
"d34169f972886d91885fb4e663d3b95efcbdf2ac7fb6a48b8f5d44f490a6d5db2086fa938c10f7751b90c3993bbfad670a7f80d35886c2cc30291ab2ce67011d1b0d6cf4"}}, {0x4, &(0x7f0000001100)=@lang_id={0x4, 0x3, 0x40a}}, {0x36, &(0x7f0000001140)=@string={0x36, 0x3, "064cab2cae36ef5623749bcb7993b310c0f700e526dda0223a1e4b6f160079c7b1cdb2a8b043ea8325ecc0eed64d543981a396b7"}}, {0x5, &(0x7f0000001180)=@string={0x5, 0x3, 'Ka\x00'}}, {0x4, &(0x7f00000011c0)=@lang_id={0x4, 0x3, 0x500a}}, {0x4, &(0x7f0000001200)=@lang_id={0x4, 0x3, 0x4ff}}, {0x8f, &(0x7f0000001240)=@string={0x8f, 0x3, "37cc0c18f2d09bfc3aa76989d36d449db57ff95c9d3d3cb0402d8235dc712201eea4c3182ff76cbdbbe5315c116827a35fa27a3904c66396503f48370555f62791c61546e4121aa688c1c7c57d955aedd9eec2b307d4e587e1aed08679b2728acd321bc4f83ee268d8149d81bbc128c58e178cd17d2b8136b834c1e9b1d7d3d137ae9b4c27e6b1ba93df07e852"}}]}) syz_usb_disconnect(r3) csource_test.go:151: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #ifndef SYS___stat50 #define SYS___stat50 439 #endif #ifndef SYS_chown #define SYS_chown 16 #endif #ifndef SYS_compat_14___semctl #define SYS_compat_14___semctl 220 #endif #ifndef SYS_compat_50___msgctl13 #define SYS_compat_50___msgctl13 302 #endif #ifndef SYS_mmap #define SYS_mmap 197 #endif #ifndef SYS_semctl #define SYS_semctl 442 #endif #ifndef SYS_semget #define SYS_semget 221 #endif #ifndef SYS_semop #define SYS_semop 222 #endif static unsigned long long procid; static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void use_temporary_dir(void) { char tmpdir_template[] = "./syzkaller.XXXXXX"; char* 
tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) exit(1); if (chmod(tmpdir, 0777)) exit(1); if (chdir(tmpdir)) exit(1); } static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); pthread_attr_setstacksize(&attr, 128 << 10); int i = 0; for (; i < 100; i++) { if (pthread_create(&th, &attr, fn, arg) == 0) { pthread_attr_destroy(&attr); return; } if (errno == EAGAIN) { usleep(50); continue; } break; } exit(1); } typedef struct { pthread_mutex_t mu; pthread_cond_t cv; int state; } event_t; static void event_init(event_t* ev) { if (pthread_mutex_init(&ev->mu, 0)) exit(1); if (pthread_cond_init(&ev->cv, 0)) exit(1); ev->state = 0; } static void event_reset(event_t* ev) { ev->state = 0; } static void event_set(event_t* ev) { pthread_mutex_lock(&ev->mu); if (ev->state) exit(1); ev->state = 1; pthread_mutex_unlock(&ev->mu); pthread_cond_broadcast(&ev->cv); } static void event_wait(event_t* ev) { pthread_mutex_lock(&ev->mu); while (!ev->state) pthread_cond_wait(&ev->cv, &ev->mu); pthread_mutex_unlock(&ev->mu); } static int event_isset(event_t* ev) { pthread_mutex_lock(&ev->mu); int res = ev->state; pthread_mutex_unlock(&ev->mu); return res; } static int event_timedwait(event_t* ev, uint64_t timeout) { uint64_t start = current_time_ms(); uint64_t now = start; pthread_mutex_lock(&ev->mu); for (;;) { if (ev->state) break; uint64_t remain = timeout - (now - start); struct timespec ts; ts.tv_sec = remain / 1000; ts.tv_nsec = (remain % 1000) * 1000 * 1000; pthread_cond_timedwait(&ev->cv, &ev->mu, &ts); now = current_time_ms(); if (now - start > timeout) break; } int res = ev->state; pthread_mutex_unlock(&ev->mu); return res; } #define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off)) #define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len)))) struct usb_endpoint_descriptor 
{ uint8_t bLength; uint8_t bDescriptorType; uint8_t bEndpointAddress; uint8_t bmAttributes; uint16_t wMaxPacketSize; uint8_t bInterval; uint8_t bRefresh; uint8_t bSynchAddress; } __attribute__((packed)); struct usb_device_descriptor { uint8_t bLength; uint8_t bDescriptorType; uint16_t bcdUSB; uint8_t bDeviceClass; uint8_t bDeviceSubClass; uint8_t bDeviceProtocol; uint8_t bMaxPacketSize0; uint16_t idVendor; uint16_t idProduct; uint16_t bcdDevice; uint8_t iManufacturer; uint8_t iProduct; uint8_t iSerialNumber; uint8_t bNumConfigurations; } __attribute__((packed)); struct usb_config_descriptor { uint8_t bLength; uint8_t bDescriptorType; uint16_t wTotalLength; uint8_t bNumInterfaces; uint8_t bConfigurationValue; uint8_t iConfiguration; uint8_t bmAttributes; uint8_t bMaxPower; } __attribute__((packed)); struct usb_interface_descriptor { uint8_t bLength; uint8_t bDescriptorType; uint8_t bInterfaceNumber; uint8_t bAlternateSetting; uint8_t bNumEndpoints; uint8_t bInterfaceClass; uint8_t bInterfaceSubClass; uint8_t bInterfaceProtocol; uint8_t iInterface; } __attribute__((packed)); struct usb_ctrlrequest { uint8_t bRequestType; uint8_t bRequest; uint16_t wValue; uint16_t wIndex; uint16_t wLength; } __attribute__((packed)); struct usb_qualifier_descriptor { uint8_t bLength; uint8_t bDescriptorType; uint16_t bcdUSB; uint8_t bDeviceClass; uint8_t bDeviceSubClass; uint8_t bDeviceProtocol; uint8_t bMaxPacketSize0; uint8_t bNumConfigurations; uint8_t bRESERVED; } __attribute__((packed)); #define USB_TYPE_MASK (0x03 << 5) #define USB_TYPE_STANDARD (0x00 << 5) #define USB_TYPE_CLASS (0x01 << 5) #define USB_TYPE_VENDOR (0x02 << 5) #define USB_TYPE_RESERVED (0x03 << 5) #define USB_DT_DEVICE 0x01 #define USB_DT_CONFIG 0x02 #define USB_DT_STRING 0x03 #define USB_DT_INTERFACE 0x04 #define USB_DT_ENDPOINT 0x05 #define USB_DT_DEVICE_QUALIFIER 0x06 #define USB_DT_OTHER_SPEED_CONFIG 0x07 #define USB_DT_INTERFACE_POWER 0x08 #define USB_DT_OTG 0x09 #define USB_DT_DEBUG 0x0a #define 
USB_DT_INTERFACE_ASSOCIATION 0x0b #define USB_DT_SECURITY 0x0c #define USB_DT_KEY 0x0d #define USB_DT_ENCRYPTION_TYPE 0x0e #define USB_DT_BOS 0x0f #define USB_DT_DEVICE_CAPABILITY 0x10 #define USB_DT_WIRELESS_ENDPOINT_COMP 0x11 #define USB_DT_WIRE_ADAPTER 0x21 #define USB_DT_RPIPE 0x22 #define USB_DT_CS_RADIO_CONTROL 0x23 #define USB_DT_PIPE_USAGE 0x24 #define USB_DT_SS_ENDPOINT_COMP 0x30 #define USB_DT_SSP_ISOC_ENDPOINT_COMP 0x31 #define USB_REQ_GET_STATUS 0x00 #define USB_REQ_CLEAR_FEATURE 0x01 #define USB_REQ_SET_FEATURE 0x03 #define USB_REQ_SET_ADDRESS 0x05 #define USB_REQ_GET_DESCRIPTOR 0x06 #define USB_REQ_SET_DESCRIPTOR 0x07 #define USB_REQ_GET_CONFIGURATION 0x08 #define USB_REQ_SET_CONFIGURATION 0x09 #define USB_REQ_GET_INTERFACE 0x0A #define USB_REQ_SET_INTERFACE 0x0B #define USB_REQ_SYNCH_FRAME 0x0C #define USB_REQ_SET_SEL 0x30 #define USB_REQ_SET_ISOCH_DELAY 0x31 #define USB_REQ_SET_ENCRYPTION 0x0D #define USB_REQ_GET_ENCRYPTION 0x0E #define USB_REQ_RPIPE_ABORT 0x0E #define USB_REQ_SET_HANDSHAKE 0x0F #define USB_REQ_RPIPE_RESET 0x0F #define USB_REQ_GET_HANDSHAKE 0x10 #define USB_REQ_SET_CONNECTION 0x11 #define USB_REQ_SET_SECURITY_DATA 0x12 #define USB_REQ_GET_SECURITY_DATA 0x13 #define USB_REQ_SET_WUSB_DATA 0x14 #define USB_REQ_LOOPBACK_DATA_WRITE 0x15 #define USB_REQ_LOOPBACK_DATA_READ 0x16 #define USB_REQ_SET_INTERFACE_DS 0x17 #define USB_REQ_GET_PARTNER_PDO 20 #define USB_REQ_GET_BATTERY_STATUS 21 #define USB_REQ_SET_PDO 22 #define USB_REQ_GET_VDM 23 #define USB_REQ_SEND_VDM 24 #define USB_MAX_IFACE_NUM 4 #define USB_MAX_EP_NUM 32 #define USB_MAX_FDS 6 struct usb_endpoint_index { struct usb_endpoint_descriptor desc; int handle; }; struct usb_iface_index { struct usb_interface_descriptor* iface; uint8_t bInterfaceNumber; uint8_t bAlternateSetting; uint8_t bInterfaceClass; struct usb_endpoint_index eps[USB_MAX_EP_NUM]; int eps_num; }; struct usb_device_index { struct usb_device_descriptor* dev; struct usb_config_descriptor* config; uint8_t 
bDeviceClass; uint8_t bMaxPower; int config_length; struct usb_iface_index ifaces[USB_MAX_IFACE_NUM]; int ifaces_num; int iface_cur; }; struct usb_info { int fd; struct usb_device_index index; }; static struct usb_info usb_devices[USB_MAX_FDS]; static struct usb_device_index* lookup_usb_index(int fd) { for (int i = 0; i < USB_MAX_FDS; i++) { if (__atomic_load_n(&usb_devices[i].fd, __ATOMIC_ACQUIRE) == fd) return &usb_devices[i].index; } return NULL; } static int usb_devices_num; static bool parse_usb_descriptor(const char* buffer, size_t length, struct usb_device_index* index) { if (length < sizeof(*index->dev) + sizeof(*index->config)) return false; memset(index, 0, sizeof(*index)); index->dev = (struct usb_device_descriptor*)buffer; index->config = (struct usb_config_descriptor*)(buffer + sizeof(*index->dev)); index->bDeviceClass = index->dev->bDeviceClass; index->bMaxPower = index->config->bMaxPower; index->config_length = length - sizeof(*index->dev); index->iface_cur = -1; size_t offset = 0; while (true) { if (offset + 1 >= length) break; uint8_t desc_length = buffer[offset]; uint8_t desc_type = buffer[offset + 1]; if (desc_length <= 2) break; if (offset + desc_length > length) break; if (desc_type == USB_DT_INTERFACE && index->ifaces_num < USB_MAX_IFACE_NUM) { struct usb_interface_descriptor* iface = (struct usb_interface_descriptor*)(buffer + offset); index->ifaces[index->ifaces_num].iface = iface; index->ifaces[index->ifaces_num].bInterfaceNumber = iface->bInterfaceNumber; index->ifaces[index->ifaces_num].bAlternateSetting = iface->bAlternateSetting; index->ifaces[index->ifaces_num].bInterfaceClass = iface->bInterfaceClass; index->ifaces_num++; } if (desc_type == USB_DT_ENDPOINT && index->ifaces_num > 0) { struct usb_iface_index* iface = &index->ifaces[index->ifaces_num - 1]; if (iface->eps_num < USB_MAX_EP_NUM) { memcpy(&iface->eps[iface->eps_num].desc, buffer + offset, sizeof(iface->eps[iface->eps_num].desc)); iface->eps_num++; } } offset += desc_length; 
} return true; } static struct usb_device_index* add_usb_index(int fd, const char* dev, size_t dev_len) { int i = __atomic_fetch_add(&usb_devices_num, 1, __ATOMIC_RELAXED); if (i >= USB_MAX_FDS) return NULL; if (!parse_usb_descriptor(dev, dev_len, &usb_devices[i].index)) return NULL; __atomic_store_n(&usb_devices[i].fd, fd, __ATOMIC_RELEASE); return &usb_devices[i].index; } struct vusb_connect_string_descriptor { uint32_t len; char* str; } __attribute__((packed)); struct vusb_connect_descriptors { uint32_t qual_len; char* qual; uint32_t bos_len; char* bos; uint32_t strs_len; struct vusb_connect_string_descriptor strs[0]; } __attribute__((packed)); static const char default_string[] = { 8, USB_DT_STRING, 's', 0, 'y', 0, 'z', 0 }; static const char default_lang_id[] = { 4, USB_DT_STRING, 0x09, 0x04 }; static bool lookup_connect_response_in(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, struct usb_qualifier_descriptor* qual, char** response_data, uint32_t* response_length) { struct usb_device_index* index = lookup_usb_index(fd); uint8_t str_idx; if (!index) return false; switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_GET_DESCRIPTOR: switch (ctrl->wValue >> 8) { case USB_DT_DEVICE: *response_data = (char*)index->dev; *response_length = sizeof(*index->dev); return true; case USB_DT_CONFIG: *response_data = (char*)index->config; *response_length = index->config_length; return true; case USB_DT_STRING: str_idx = (uint8_t)ctrl->wValue; if (descs && str_idx < descs->strs_len) { *response_data = descs->strs[str_idx].str; *response_length = descs->strs[str_idx].len; return true; } if (str_idx == 0) { *response_data = (char*)&default_lang_id[0]; *response_length = default_lang_id[0]; return true; } *response_data = (char*)&default_string[0]; *response_length = default_string[0]; return true; case USB_DT_BOS: *response_data = descs->bos; *response_length = descs->bos_len; 
return true; case USB_DT_DEVICE_QUALIFIER: if (!descs->qual) { qual->bLength = sizeof(*qual); qual->bDescriptorType = USB_DT_DEVICE_QUALIFIER; qual->bcdUSB = index->dev->bcdUSB; qual->bDeviceClass = index->dev->bDeviceClass; qual->bDeviceSubClass = index->dev->bDeviceSubClass; qual->bDeviceProtocol = index->dev->bDeviceProtocol; qual->bMaxPacketSize0 = index->dev->bMaxPacketSize0; qual->bNumConfigurations = index->dev->bNumConfigurations; qual->bRESERVED = 0; *response_data = (char*)qual; *response_length = sizeof(*qual); return true; } *response_data = descs->qual; *response_length = descs->qual_len; return true; default: break; } break; default: break; } break; default: break; } return false; } typedef bool (*lookup_connect_out_response_t)(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done); static bool lookup_connect_response_out_generic(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done) { switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_SET_CONFIGURATION: *done = true; return true; default: break; } break; } return false; } static int vhci_open(void) { char path[1024]; snprintf(path, sizeof(path), "/dev/vhci%llu", procid); return open(path, O_RDWR); } static int vhci_setport(int fd, u_int port) { struct vhci_ioc_set_port args; args.port = port; return ioctl(fd, VHCI_IOC_SET_PORT, &args); } static int vhci_usb_attach(int fd) { return ioctl(fd, VHCI_IOC_USB_ATTACH, NULL); } static int vhci_usb_recv(int fd, void* buf, size_t size) { uint8_t* ptr = (uint8_t*)buf; while (1) { ssize_t done = read(fd, ptr, size); if (done < 0) return -1; if ((size_t)done == size) return 0; size -= done; ptr += done; } } static int vhci_usb_send(int fd, void* buf, size_t size) { uint8_t* ptr = (uint8_t*)buf; while (1) { ssize_t done = write(fd, ptr, size); if (done <= 0) return -1; if ((size_t)done == size) return 0; size -= 
done; ptr += done; } } static volatile long syz_usb_connect_impl(int fd, uint64_t speed, uint64_t dev_len, const char* dev, const struct vusb_connect_descriptors* descs, lookup_connect_out_response_t lookup_connect_response_out) { struct usb_device_index* index = add_usb_index(fd, dev, dev_len); if (!index) { return -1; } if (vhci_setport(fd, 1)) exit(1); if (vhci_usb_attach(fd)) { return -1; } bool done = false; while (!done) { vhci_request_t req; if (vhci_usb_recv(fd, &req, sizeof(req))) { return -1; } if (req.type != VHCI_REQ_CTRL) { return -1; } char* response_data = NULL; uint32_t response_length = 0; struct usb_qualifier_descriptor qual; char data[4096]; if (req.u.ctrl.bmRequestType & UE_DIR_IN) { if (!lookup_connect_response_in(fd, descs, (const struct usb_ctrlrequest*)&req.u.ctrl, &qual, &response_data, &response_length)) { return -1; } } else { if (!lookup_connect_response_out(fd, descs, (const struct usb_ctrlrequest*)&req.u.ctrl, &done)) { return -1; } response_data = NULL; response_length = UGETW(req.u.ctrl.wLength); } if ((req.u.ctrl.bmRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD && req.u.ctrl.bRequest == USB_REQ_SET_CONFIGURATION) { } if (response_length > sizeof(data)) response_length = 0; if ((uint32_t)UGETW(req.u.ctrl.wLength) < response_length) response_length = UGETW(req.u.ctrl.wLength); if (response_data) memcpy(data, response_data, response_length); else memset(data, 0, response_length); int rv = 0; if (req.u.ctrl.bmRequestType & UE_DIR_IN) { if (response_length > 0) { vhci_response_t res; res.size = response_length; rv = vhci_usb_send(fd, &res, sizeof(res)); if (rv == 0) rv = vhci_usb_send(fd, data, response_length); } } else { rv = vhci_usb_recv(fd, data, response_length); } if (rv < 0) { return -1; } } sleep_ms(200); return fd; } static volatile long syz_usb_connect(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { uint64_t speed = a0; uint64_t dev_len = a1; const char* dev = (const char*)a2; const struct 
vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3; if (!dev) { return -1; } int fd = vhci_open(); if (fd < 0) exit(1); long res = syz_usb_connect_impl(fd, speed, dev_len, dev, descs, &lookup_connect_response_out_generic); close(fd); return res; } static volatile long syz_usb_disconnect(volatile long a0) { int fd = a0; int rv = close(fd); sleep_ms(200); return rv; } static void setup_fault(void) { if (chmod("/dev/fault", 0666)) exit(1); } static int inject_fault(int nth) { struct fault_ioc_enable en; int fd; fd = open("/dev/fault", O_RDWR); if (fd == -1) exit(1); en.scope = FAULT_SCOPE_LWP; en.mode = 0; en.nth = nth + 1; if (ioctl(fd, FAULT_IOC_ENABLE, &en) != 0) exit(1); return fd; } static void sandbox_common() { struct rlimit rlim; rlim.rlim_cur = rlim.rlim_max = 8 << 20; setrlimit(RLIMIT_MEMLOCK, &rlim); rlim.rlim_cur = rlim.rlim_max = 1 << 20; setrlimit(RLIMIT_FSIZE, &rlim); rlim.rlim_cur = rlim.rlim_max = 1 << 20; setrlimit(RLIMIT_STACK, &rlim); rlim.rlim_cur = rlim.rlim_max = 0; setrlimit(RLIMIT_CORE, &rlim); rlim.rlim_cur = rlim.rlim_max = 256; setrlimit(RLIMIT_NOFILE, &rlim); } static void loop(); static int do_sandbox_none(void) { sandbox_common(); loop(); return 0; } static long syz_execute_func(volatile long text) { ((void (*)(void))(text))(); return 0; } struct thread_t { int created, call; event_t ready, done; }; static struct thread_t threads[16]; static void execute_call(int call); static int running; static void* thr(void* arg) { struct thread_t* th = (struct thread_t*)arg; for (;;) { event_wait(&th->ready); event_reset(&th->ready); execute_call(th->call); __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED); event_set(&th->done); } return 0; } static void loop(void) { int i, call, thread; for (call = 0; call < 14; call++) { for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) { struct thread_t* th = &threads[thread]; if (!th->created) { th->created = 1; event_init(&th->ready); 
event_init(&th->done); event_set(&th->done); thread_start(thr, th); } if (!event_isset(&th->done)) continue; event_reset(&th->done); th->call = call; __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED); event_set(&th->ready); if (call == 1) break; event_timedwait(&th->done, 50 + (call == 11 ? 3000 : 0) + (call == 12 ? 3000 : 0) + (call == 13 ? 300 : 0)); break; } } for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++) sleep_ms(1); } uint64_t r[4] = {0x0, 0x0, 0x0, 0xffffffffffffffff}; void execute_call(int call) { intptr_t res = 0; switch (call) { case 0: memcpy((void*)0x20000000, "./file0\000", 8); inject_fault(1); res = syscall(SYS___stat50, 0x20000000ul, 0x20000040ul); if (res != -1) { r[0] = *(uint32_t*)0x2000005c; r[1] = *(uint32_t*)0x20000060; } break; case 1: *(uint32_t*)0x20000200 = 0x5a3e; *(uint32_t*)0x20000204 = 0; *(uint32_t*)0x20000208 = r[1]; *(uint32_t*)0x2000020c = -1; *(uint32_t*)0x20000210 = -1; *(uint32_t*)0x20000214 = 0x20; *(uint16_t*)0x20000218 = 0x400; *(uint16_t*)0x2000021a = 0; *(uint64_t*)0x20000220 = 0; *(uint64_t*)0x20000228 = 0; *(uint64_t*)0x20000230 = 9; *(uint64_t*)0x20000238 = 0x62e81dc5; *(uint32_t*)0x20000240 = 0x81; *(uint32_t*)0x20000244 = 5; *(uint64_t*)0x20000248 = 4; *(uint64_t*)0x20000250 = 8; *(uint64_t*)0x20000258 = 9; *(uint64_t*)0x20000260 = 0x20000100; *(uint64_t*)0x20000100 = 0; *(uint64_t*)0x20000108 = 0x20e1; *(uint16_t*)0x20000110 = 0xfffd; *(uint16_t*)0x20000112 = 1; *(uint64_t*)0x20000268 = 0x200001c0; *(uint64_t*)0x200001c0 = 0x20000180; *(uint64_t*)0x20000180 = 0x20000140; *(uint64_t*)0x20000140 = 0; *(uint64_t*)0x20000148 = 0x7ff; *(uint16_t*)0x20000150 = 9; *(uint16_t*)0x20000152 = 1; *(uint64_t*)0x20000188 = 0x8000000000000000; *(uint16_t*)0x20000190 = 6; *(uint16_t*)0x20000192 = 8; *(uint64_t*)0x200001c8 = 8; *(uint16_t*)0x200001d0 = 5; *(uint16_t*)0x200001d2 = 0x20; *(uint64_t*)0x20000270 = 0x400; syscall(SYS_compat_50___msgctl13, 0, 1ul, 0x20000200ul); break; case 2: 
memcpy((void*)0x20000280, "./file0\000", 8); syscall(SYS_chown, 0x20000280ul, r[0], 0); { int i; for(i = 0; i < 4; i++) { syscall(SYS_chown, 0x20000280ul, r[0], 0); } } break; case 3: syscall(SYS_compat_14___semctl, 0, 0ul, 6ul, 0x200002c0ul); break; case 4: *(uint64_t*)0x20000380 = 0x20000340; *(uint32_t*)0x20000340 = r[0]; *(uint32_t*)0x20000344 = r[1]; *(uint32_t*)0x20000348 = 0x80; *(uint32_t*)0x2000034c = 0x5a3; *(uint32_t*)0x20000350 = 0x100; *(uint16_t*)0x20000354 = 1; *(uint64_t*)0x20000358 = 0x4897; *(uint16_t*)0x20000360 = 0x7fff; *(uint64_t*)0x20000368 = 7; *(uint64_t*)0x20000370 = 0; *(uint64_t*)0x20000378 = 0x20000300; *(uint16_t*)0x20000300 = 0x800; *(uint32_t*)0x20000304 = 7; *(uint16_t*)0x20000308 = 2; *(uint16_t*)0x2000030a = 9; syscall(SYS_compat_14___semctl, -1, 0ul, 8ul, 0x20000380ul); break; case 5: syscall(SYS_semctl, -1, 4ul, 3ul, 0x200003c0ul); break; case 6: res = syscall(SYS_semget, 0ul, 3ul, 2ul); if (res != -1) r[2] = res; break; case 7: syscall(SYS_compat_14___semctl, r[2], 0ul, 3ul, 0); break; case 8: *(uint16_t*)0x20000400 = 4; *(uint16_t*)0x20000402 = 7; *(uint16_t*)0x20000404 = 0x2000; *(uint16_t*)0x20000406 = 4; *(uint16_t*)0x20000408 = 0x1f; *(uint16_t*)0x2000040a = 0x800; *(uint16_t*)0x2000040c = 1; *(uint16_t*)0x2000040e = 7; *(uint16_t*)0x20000410 = 0x400; syscall(SYS_semop, r[2], 0x20000400ul, 3ul); break; case 9: syscall(SYS_compat_14___semctl, r[2], 0ul, 2ul, 0x20000440ul); break; case 10: memcpy((void*)0x20000040, "\xc4\x21\xc1\x6d\x14\x9f\xc4\x62\xba\xf7\x6f\xed\x26\x66\x45\x0f\x38\x00\x81\x3b\xe7\x0e\xb1\x66\x40\x25\x36\x33\xf0\x40\x81\x82\xa0\xbc\x30\x22\x00\x80\x00\x00\xc4\x82\x81\x92\x6c\xd9\x92\x66\x0f\x4f\x99\xc0\xf8\x00\x00\x36\x26\x66\x0f\x12\x4e\x32\xf2\x6e\x66\x0f\x38\x2a\xb5\x00\x00\x00\x80", 73); syz_execute_func(0x20000040); break; case 11: *(uint8_t*)0x20000100 = 0x12; *(uint8_t*)0x20000101 = 1; *(uint16_t*)0x20000102 = 0x300; *(uint8_t*)0x20000104 = 0; *(uint8_t*)0x20000105 = 0; *(uint8_t*)0x20000106 = 0; 
*(uint8_t*)0x20000107 = 0xbf; *(uint16_t*)0x20000108 = 0; *(uint16_t*)0x2000010a = 0; *(uint16_t*)0x2000010c = 0; *(uint8_t*)0x2000010e = 1; *(uint8_t*)0x2000010f = 2; *(uint8_t*)0x20000110 = 3; *(uint8_t*)0x20000111 = 1; *(uint8_t*)0x20000112 = 9; *(uint8_t*)0x20000113 = 2; *(uint16_t*)0x20000114 = 0x76c; *(uint8_t*)0x20000116 = 3; *(uint8_t*)0x20000117 = 7; *(uint8_t*)0x20000118 = 0x17; *(uint8_t*)0x20000119 = 0x30; *(uint8_t*)0x2000011a = 0x3d; *(uint8_t*)0x2000011b = 9; *(uint8_t*)0x2000011c = 4; *(uint8_t*)0x2000011d = 0x8e; *(uint8_t*)0x2000011e = 0; *(uint8_t*)0x2000011f = 0; *(uint8_t*)0x20000120 = 0; *(uint8_t*)0x20000121 = 0; *(uint8_t*)0x20000122 = 0; *(uint8_t*)0x20000123 = 0x62; *(uint8_t*)0x20000124 = 0x12; *(uint8_t*)0x20000125 = 0x24; *(uint8_t*)0x20000126 = 2; *(uint8_t*)0x20000127 = 2; *(uint16_t*)0x20000128 = 0x1f; *(uint16_t*)0x2000012a = 7; *(uint8_t*)0x2000012c = 0x7f; memcpy((void*)0x2000012d, "\x11\xc0\x68\x24\x60\x6e\x6e\x24\x1d", 9); *(uint8_t*)0x20000136 = 9; *(uint8_t*)0x20000137 = 4; *(uint8_t*)0x20000138 = 0; *(uint8_t*)0x20000139 = 0x3f; *(uint8_t*)0x2000013a = 0xd; *(uint8_t*)0x2000013b = 0; *(uint8_t*)0x2000013c = 0; *(uint8_t*)0x2000013d = 0; *(uint8_t*)0x2000013e = 0x1f; *(uint8_t*)0x2000013f = 0xe0; *(uint8_t*)0x20000140 = 0xa; memcpy((void*)0x20000141, 
"\xb7\x1a\xa8\xdb\xef\x28\xec\x50\x8e\x40\xe5\x7e\x0f\x21\xe5\x1c\xeb\x5e\xac\xb8\x0b\xb3\xf7\xed\x35\xe2\x9b\xad\x26\x5b\x99\xdb\xbc\xbb\x65\x5b\x87\xcb\xc7\x76\x84\x37\x03\xa8\x76\xdc\x2d\xd2\x21\x6c\x56\x77\x1d\xd1\x3f\x2c\xae\x3e\xae\x77\x25\x86\xca\xcf\x7c\xdb\x24\xa9\x18\x92\x4b\xa3\x42\xe5\xa8\x4c\xb7\x75\x41\x17\x2a\x5b\x41\x00\xbc\xd7\x21\xc0\x0b\xcc\x1d\x59\x0d\x5b\xae\x2e\x60\x2b\x8a\x29\xaa\x64\x95\x16\xb3\x9d\x74\x5c\x54\x66\x13\x73\x0d\xec\x49\x57\xdf\x6d\xc6\x59\x19\x93\xb9\x02\x7a\xfe\x3e\xb2\x17\x2a\x49\xb3\xb5\x89\xf5\x32\x2c\xc7\x6f\xd4\x21\xd8\xb9\xac\xaf\x9f\x32\x6c\x83\x52\x14\xaa\x33\xda\x00\x4a\xda\xae\x66\x89\xef\xeb\xb0\x28\xa6\x49\xb7\xed\xc8\x23\x33\xf8\x9f\xd1\x00\xb6\xda\x5d\x60\xc3\xe1\x34\x9b\xd3\x0d\x2c\xff\x8a\xe5\x6c\xcb\xed\x46\xe0\x9f\x66\x62\xc6\xb2\xc2\xe7\xcb\xd8\x87\xfb\xc4\x47\xdb\x5d\x68\x87\xeb\x1c\xc1\x37\x8e\xd3\x10\xec\x7d\x00\x4c", 222); *(uint8_t*)0x2000021f = 0xb; *(uint8_t*)0x20000220 = 0x24; *(uint8_t*)0x20000221 = 6; *(uint8_t*)0x20000222 = 0; *(uint8_t*)0x20000223 = 1; memcpy((void*)0x20000224, "\x4b\x66\xfa\xfb\xc9\xe4", 6); *(uint8_t*)0x2000022a = 5; *(uint8_t*)0x2000022b = 0x24; *(uint8_t*)0x2000022c = 0; *(uint16_t*)0x2000022d = 6; *(uint8_t*)0x2000022f = 0xd; *(uint8_t*)0x20000230 = 0x24; *(uint8_t*)0x20000231 = 0xf; *(uint8_t*)0x20000232 = 1; *(uint32_t*)0x20000233 = 0x80000000; *(uint16_t*)0x20000237 = 4; *(uint16_t*)0x20000239 = 0; *(uint8_t*)0x2000023b = 0; *(uint8_t*)0x2000023c = 6; *(uint8_t*)0x2000023d = 0x24; *(uint8_t*)0x2000023e = 0x1a; *(uint16_t*)0x2000023f = 0xfffa; *(uint8_t*)0x20000241 = 0x12; *(uint8_t*)0x20000242 = 5; *(uint8_t*)0x20000243 = 0x24; *(uint8_t*)0x20000244 = 0x15; *(uint16_t*)0x20000245 = 5; *(uint8_t*)0x20000247 = 0x15; *(uint8_t*)0x20000248 = 0x24; *(uint8_t*)0x20000249 = 0x12; *(uint16_t*)0x2000024a = 5; *(uint64_t*)0x2000024c = 0x14f5e048ba817a3; *(uint64_t*)0x20000254 = 0x2a397ecbffc007a6; *(uint8_t*)0x2000025c = 7; *(uint8_t*)0x2000025d = 0x24; *(uint8_t*)0x2000025e = 
0x14; *(uint16_t*)0x2000025f = 4; *(uint16_t*)0x20000261 = 0; *(uint8_t*)0x20000263 = 0xe5; *(uint8_t*)0x20000264 = 0x24; *(uint8_t*)0x20000265 = 0x13; *(uint8_t*)0x20000266 = 7; memcpy((void*)0x20000267, "\x8f\x0d\x5f\x90\xcf\x98\xb4\x79\xfa\xe0\x69\xbf\xd8\x3c\x7e\x4e\xf5\xaf\xe0\x12\x49\x5f\x0e\xe2\x30\x62\xfe\x5f\x81\xbe\x0e\xf8\x2f\xf4\x10\x31\x8f\x82\xc5\x30\x0b\xa5\xa5\xad\x17\x5d\xac\xf7\x41\xe1\xd1\x95\x6b\x8b\xb1\x56\xe5\xb5\x46\x64\x4c\x17\x50\x91\x6d\x03\x81\xb4\x9c\x7b\xd1\x60\x32\x3b\xde\x2f\xf8\xc1\x37\x9a\x31\x9c\x3a\xdd\x3f\xbd\x86\xaa\x16\x97\x49\xf6\x10\x88\x44\xbd\x19\x64\x4c\xaf\xeb\xba\x5d\x70\x98\x9e\x95\x14\x43\x00\xd6\xb5\x08\xed\xd1\x66\x2f\x75\x98\x28\xaa\xd7\x8d\x18\xd7\x10\x55\x3c\xb7\xf5\xdf\x43\xb7\xb5\x60\xbb\x4f\x48\x69\xde\x9e\xbe\x5e\x12\x63\x56\x50\x7d\x10\xf2\xc8\xd9\xb8\x3f\x66\x1f\xbf\x0b\xd5\x13\x1c\xe9\xc0\x59\xb6\x0e\x62\x0d\xa0\xf7\x51\x6a\xd6\xd7\x0c\x75\xde\x7d\xd4\xb3\x7d\x9c\x37\x91\x34\xe6\x03\x6d\xf4\x28\xe1\xf5\x41\xdb\xee\x9f\x58\xa4\xa3\x74\xff\x6c\xb6\xae\x04\x68\xf4\x9c\x61\x64\x18\xa2\x76\x00\x66\x45\x74\x39\x95\x2b\xb5\xb9\x3f\x4f\x33", 225); *(uint8_t*)0x20000348 = 0x15; *(uint8_t*)0x20000349 = 0x24; *(uint8_t*)0x2000034a = 0x12; *(uint16_t*)0x2000034b = 0xec; *(uint64_t*)0x2000034d = 0x14f5e048ba817a3; *(uint64_t*)0x20000355 = 0x2a397ecbffc007a6; *(uint8_t*)0x2000035d = 9; *(uint8_t*)0x2000035e = 5; *(uint8_t*)0x2000035f = 0xf; *(uint8_t*)0x20000360 = 0x1d; *(uint16_t*)0x20000361 = 0x10; *(uint8_t*)0x20000363 = 0; *(uint8_t*)0x20000364 = 0x80; *(uint8_t*)0x20000365 = 0x74; *(uint8_t*)0x20000366 = 9; *(uint8_t*)0x20000367 = 5; *(uint8_t*)0x20000368 = 2; *(uint8_t*)0x20000369 = 3; *(uint16_t*)0x2000036a = 0x10; *(uint8_t*)0x2000036c = 0x9f; *(uint8_t*)0x2000036d = 0x7d; *(uint8_t*)0x2000036e = -1; *(uint8_t*)0x2000036f = 0x52; *(uint8_t*)0x20000370 = 0xe; memcpy((void*)0x20000371, 
"\xec\xf4\xce\x49\x2b\x20\xb2\xd5\x08\xa9\x18\x0c\x01\x19\x2d\x8e\x12\x4f\x6e\x79\x0a\xed\xfc\x35\x21\x3b\x1d\x14\xc6\x8c\x63\x68\x66\x31\xf6\x97\x53\x2d\xa0\x05\xbc\x50\x13\xd6\x2c\x6d\x5c\x18\xb5\xc5\xc4\xf2\x26\x3b\x42\xb5\x82\xb7\x33\x3b\x47\x37\x3c\xdf\x66\x61\x59\x74\x5a\x6a\x53\xd5\x18\xa4\xae\x7c\x51\xab\xaa\xa8", 80); *(uint8_t*)0x200003c1 = 0x15; *(uint8_t*)0x200003c2 = 0x23; memcpy((void*)0x200003c3, "\xdc\x33\x3e\xa4\xd2\xd7\x35\x1e\xc6\xd2\x73\xb6\x8c\xe3\xd5\xd1\xe2\xc2\xcf", 19); *(uint8_t*)0x200003d6 = 9; *(uint8_t*)0x200003d7 = 5; *(uint8_t*)0x200003d8 = 0xb; *(uint8_t*)0x200003d9 = 0; *(uint16_t*)0x200003da = 0x10; *(uint8_t*)0x200003dc = 4; *(uint8_t*)0x200003dd = 9; *(uint8_t*)0x200003de = 0; *(uint8_t*)0x200003df = 7; *(uint8_t*)0x200003e0 = 0x25; *(uint8_t*)0x200003e1 = 1; *(uint8_t*)0x200003e2 = 0; *(uint8_t*)0x200003e3 = 5; *(uint16_t*)0x200003e4 = 0xfffc; *(uint8_t*)0x200003e6 = 0x35; *(uint8_t*)0x200003e7 = 2; memcpy((void*)0x200003e8, "\x59\xa6\x60\x19\xfb\x9a\xdf\xb5\x95\x09\x97\x71\x2b\x8b\x3c\x1c\xb4\xc4\xa0\xab\xbf\x8e\xa4\x1d\xd4\xdd\x59\x36\xbd\xe7\xfb\xe2\x3f\xf6\x42\xc1\x76\xc3\x55\xef\x47\x28\x02\x2f\x3d\x7d\x83\x38\x60\xfb\xcf", 51); *(uint8_t*)0x2000041b = 9; *(uint8_t*)0x2000041c = 5; *(uint8_t*)0x2000041d = 0; *(uint8_t*)0x2000041e = 0x10; *(uint16_t*)0x2000041f = 8; *(uint8_t*)0x20000421 = 1; *(uint8_t*)0x20000422 = 1; *(uint8_t*)0x20000423 = 0; *(uint8_t*)0x20000424 = 9; *(uint8_t*)0x20000425 = 5; *(uint8_t*)0x20000426 = 1; *(uint8_t*)0x20000427 = 2; *(uint16_t*)0x20000428 = 0; *(uint8_t*)0x2000042a = 0; *(uint8_t*)0x2000042b = 9; *(uint8_t*)0x2000042c = 6; *(uint8_t*)0x2000042d = 7; *(uint8_t*)0x2000042e = 0x25; *(uint8_t*)0x2000042f = 1; *(uint8_t*)0x20000430 = 3; *(uint8_t*)0x20000431 = 9; *(uint16_t*)0x20000432 = 0x9f36; *(uint8_t*)0x20000434 = 7; *(uint8_t*)0x20000435 = 0x25; *(uint8_t*)0x20000436 = 1; *(uint8_t*)0x20000437 = 3; *(uint8_t*)0x20000438 = 9; *(uint16_t*)0x20000439 = 3; *(uint8_t*)0x2000043b = 9; 
*(uint8_t*)0x2000043c = 5; *(uint8_t*)0x2000043d = 0xc; *(uint8_t*)0x2000043e = 0x10; *(uint16_t*)0x2000043f = 0x200; *(uint8_t*)0x20000441 = 0x15; *(uint8_t*)0x20000442 = 2; *(uint8_t*)0x20000443 = 0; *(uint8_t*)0x20000444 = 0x5b; *(uint8_t*)0x20000445 = 0x23; memcpy((void*)0x20000446, "\x19\x25\x29\x4e\x2c\x16\x95\x4f\x83\x13\x82\x5e\x71\xea\x53\x6e\x70\x77\xd7\x13\x0c\xee\x3a\x80\x2c\xb3\xc8\x00\x5e\xf6\xd9\x21\x10\x68\x28\x6c\x7a\x4c\x20\xcb\x87\xfd\x2c\xdc\x5a\xee\xdb\x17\x1f\xd6\x7d\xdc\x74\xc3\xf0\x29\xaa\xb0\xbf\xa9\xa6\x3e\x5d\xe5\xa5\x35\x79\x66\x6c\xef\x0f\xb7\xc8\x76\xef\xc0\xa5\xd3\x38\x2c\x34\x6e\x1f\x9a\x78\xb7\x35\x6c\x22", 89); *(uint8_t*)0x2000049f = 9; *(uint8_t*)0x200004a0 = 5; *(uint8_t*)0x200004a1 = 0xb; *(uint8_t*)0x200004a2 = 0; *(uint16_t*)0x200004a3 = 0x40; *(uint8_t*)0x200004a5 = 0x18; *(uint8_t*)0x200004a6 = 0x3f; *(uint8_t*)0x200004a7 = 8; *(uint8_t*)0x200004a8 = 9; *(uint8_t*)0x200004a9 = 5; *(uint8_t*)0x200004aa = 0xd; *(uint8_t*)0x200004ab = 1; *(uint16_t*)0x200004ac = 0; *(uint8_t*)0x200004ae = 9; *(uint8_t*)0x200004af = -1; *(uint8_t*)0x200004b0 = 3; *(uint8_t*)0x200004b1 = 0xdc; *(uint8_t*)0x200004b2 = 0x23; memcpy((void*)0x200004b3, 
"\xcc\xd5\x3f\xc8\x11\x56\xa9\x1f\xf4\x26\xeb\x00\x1f\xbf\x43\xc8\x55\x1f\xda\x17\x0e\xd3\x6a\x97\xeb\xa7\xa3\x2c\x31\x15\xec\x5e\x9a\x81\x82\x73\x40\x12\xaa\x12\xdd\xcc\x6e\x93\xd8\x5e\xaa\xfb\xda\x4a\xb1\xcf\xf6\xbc\xb2\xaf\xec\xd8\xaa\x8c\x58\xb2\x7a\x75\xe5\xa4\xdd\xc5\x0c\xc6\x73\xed\xc8\x2f\xf1\x31\x15\xeb\x8f\x50\xdd\xd1\xed\x26\x95\x33\x7c\xa8\x5b\x88\x26\x4d\xb5\x9e\xb1\x30\x42\x16\xa3\x01\xd4\x2f\x29\x02\xd5\xc0\x6b\x17\x59\x2b\xb2\x1d\x2a\xf1\xd0\x92\xf5\xd7\x37\x3a\xef\xdb\x90\x7f\xfc\x81\x79\xab\xd6\x8b\x11\xef\x10\xbe\x84\x4e\x03\x81\x68\x06\xf0\x45\xf0\xa5\xef\x3b\xa0\xac\x5b\xd8\x43\xa4\x6f\xa3\xb7\x2b\x86\x2d\xe1\x72\x86\x47\xad\xc3\xf3\xbb\xcd\x53\xce\x88\x1e\x6b\x5a\x6c\x6e\xc7\x97\xd3\x2c\xc1\x39\x18\xe3\xda\x4b\x3e\xa2\x0d\xd6\x89\x3c\x2c\x7c\xa4\x7a\xa5\x1b\xee\x04\x7a\x36\x1f\xef\xf7\x16\xce\xf3\xda\xe5\x0b\x6c\xa7\x2a\x2b\x76\x4f\xa4\xcf", 218); *(uint8_t*)0x2000058d = 7; *(uint8_t*)0x2000058e = 0x25; *(uint8_t*)0x2000058f = 1; *(uint8_t*)0x20000590 = 0x80; *(uint8_t*)0x20000591 = 5; *(uint16_t*)0x20000592 = 0x3f; *(uint8_t*)0x20000594 = 9; *(uint8_t*)0x20000595 = 5; *(uint8_t*)0x20000596 = 1; *(uint8_t*)0x20000597 = 2; *(uint16_t*)0x20000598 = 0x20; *(uint8_t*)0x2000059a = 0xb9; *(uint8_t*)0x2000059b = 0x86; *(uint8_t*)0x2000059c = 0x40; *(uint8_t*)0x2000059d = 0x84; *(uint8_t*)0x2000059e = 8; memcpy((void*)0x2000059f, "\xab\x51\x4d\xeb\xe1\x6a\xea\x41\xf0\x67\xe8\x46\xf8\x93\x9c\x5d\x4f\x6f\xce\x3a\x7d\x25\xea\xee\x2c\x06\x51\xf9\x2f\xe2\x44\x17\xbd\xf9\x25\x6f\x3f\x9b\x58\x34\x92\xb2\xe4\xfe\x6b\x2b\x4b\xad\x9c\x1f\x4a\x8b\x26\xd7\x4c\x60\xae\xda\x94\x78\xa6\x48\x76\x89\x1b\x3a\x75\xff\xce\x40\x01\x85\x3b\x93\xbd\x0f\xd8\xa1\x65\xa7\xfa\x83\xfb\xc6\xb9\x5a\xed\x88\x0f\x02\x22\x4f\x12\x22\xb1\x50\xb7\x46\x98\x1a\x4b\x55\x28\x8f\x56\x4d\x8d\x6a\xf6\x43\xc0\xfd\x29\x15\x71\xd7\x0c\xc5\x60\x24\xdd\x73\xe5\x00\xc5\xef\xe9\xbc\x9b\x72", 130); *(uint8_t*)0x20000621 = 7; *(uint8_t*)0x20000622 = 0x25; *(uint8_t*)0x20000623 = 1; 
*(uint8_t*)0x20000624 = 1; *(uint8_t*)0x20000625 = 0; *(uint16_t*)0x20000626 = 9; *(uint8_t*)0x20000628 = 9; *(uint8_t*)0x20000629 = 5; *(uint8_t*)0x2000062a = 5; *(uint8_t*)0x2000062b = 2; *(uint16_t*)0x2000062c = 0x10; *(uint8_t*)0x2000062e = 0xf9; *(uint8_t*)0x2000062f = 0xd8; *(uint8_t*)0x20000630 = 0xf9; *(uint8_t*)0x20000631 = 9; *(uint8_t*)0x20000632 = 5; *(uint8_t*)0x20000633 = 3; *(uint8_t*)0x20000634 = 0xc; *(uint16_t*)0x20000635 = 8; *(uint8_t*)0x20000637 = 0x81; *(uint8_t*)0x20000638 = 0; *(uint8_t*)0x20000639 = 0x3f; *(uint8_t*)0x2000063a = 9; *(uint8_t*)0x2000063b = 5; *(uint8_t*)0x2000063c = 0xd; *(uint8_t*)0x2000063d = 0; *(uint16_t*)0x2000063e = 0xa2f3; *(uint8_t*)0x20000640 = 0xbe; *(uint8_t*)0x20000641 = 6; *(uint8_t*)0x20000642 = 7; *(uint8_t*)0x20000643 = 7; *(uint8_t*)0x20000644 = 0x25; *(uint8_t*)0x20000645 = 1; *(uint8_t*)0x20000646 = 0x81; *(uint8_t*)0x20000647 = 2; *(uint16_t*)0x20000648 = 2; *(uint8_t*)0x2000064a = 9; *(uint8_t*)0x2000064b = 5; *(uint8_t*)0x2000064c = 8; *(uint8_t*)0x2000064d = 0x1c; *(uint16_t*)0x2000064e = 0x20; *(uint8_t*)0x20000650 = 4; *(uint8_t*)0x20000651 = 8; *(uint8_t*)0x20000652 = 9; *(uint8_t*)0x20000653 = 7; *(uint8_t*)0x20000654 = 0x25; *(uint8_t*)0x20000655 = 1; *(uint8_t*)0x20000656 = 0x81; *(uint8_t*)0x20000657 = -1; *(uint16_t*)0x20000658 = 0xffe0; *(uint8_t*)0x2000065a = 0xf2; *(uint8_t*)0x2000065b = 0x31; memcpy((void*)0x2000065c, 
"\x2f\xb2\xb9\x74\x7b\x65\x1a\xe6\x6e\x5d\x86\x1f\x9e\xfc\x61\xbd\xd1\x94\x95\xf1\x63\x62\x59\x75\xe7\xba\xe8\x00\xee\x00\x48\x67\xb5\xa8\x13\xb7\xb9\xdb\xc5\x5e\xb0\xb7\x51\xb8\xd7\x58\xe9\xcb\xa4\xa3\xb4\xf6\x83\x0e\x5f\x85\xdf\x74\x0e\xfc\xf2\x90\xc7\x7d\xf2\x12\xee\x62\xfc\x94\xcc\x50\x4b\x1e\x54\x22\xff\xbf\x9f\x87\xed\x05\xb4\xe7\x62\xfe\xed\x65\x35\xfd\x70\x28\x25\x63\x1d\xb7\x63\x6c\x86\x9c\x9f\x12\x99\x32\x0d\x98\xe1\xcf\x74\x0a\x94\xe2\x26\xaf\x56\x08\xa7\x99\xe1\xc9\x99\xee\x2b\x4a\xb5\x14\x6f\x85\x2e\xd9\x87\x40\x65\xfb\x37\xc2\x85\x81\x1c\x77\x78\x9d\xf8\xa1\x79\x8c\x26\x70\x41\x97\x47\x67\x93\x38\xa3\x29\x93\x49\xae\x3e\xc4\x9e\xed\xcb\x39\x25\x6d\x55\x1a\x4f\xfb\xa9\x59\x51\x67\xc1\x77\x9a\x72\x47\xb9\x4a\xeb\xc5\x79\x2e\x53\xfb\xc9\x4c\x06\x6c\x16\xfe\x77\x02\x04\x92\xe0\xa3\x08\xd5\xba\x5f\xde\xc9\x52\xc4\x09\x5b\x75\x63\x34\x7b\xe3\xf2\xab\x70\x87\x33\x75\xe6\x11\x6c\x39\x40\x03\xcc\x0c\x5c\xdb\xdc\xb0\x04\xf9\x6c\x6c\x4f\xf2\x35", 240); *(uint8_t*)0x2000074c = 9; *(uint8_t*)0x2000074d = 4; *(uint8_t*)0x2000074e = 3; *(uint8_t*)0x2000074f = 6; *(uint8_t*)0x20000750 = 5; *(uint8_t*)0x20000751 = 0; *(uint8_t*)0x20000752 = 0; *(uint8_t*)0x20000753 = 0; *(uint8_t*)0x20000754 = 0xc8; *(uint8_t*)0x20000755 = 7; *(uint8_t*)0x20000756 = 0x24; *(uint8_t*)0x20000757 = 1; *(uint8_t*)0x20000758 = 0; *(uint8_t*)0x20000759 = 3; *(uint16_t*)0x2000075a = 4; *(uint8_t*)0x2000075c = 0xf; *(uint8_t*)0x2000075d = 0x24; *(uint8_t*)0x2000075e = 2; *(uint8_t*)0x2000075f = 1; *(uint8_t*)0x20000760 = 0x81; *(uint8_t*)0x20000761 = 2; *(uint8_t*)0x20000762 = 1; *(uint8_t*)0x20000763 = 1; memcpy((void*)0x20000764, "\xb3\xd2\xfe\xb3\x92\x00\x56", 7); *(uint8_t*)0x2000076b = 9; *(uint8_t*)0x2000076c = 5; *(uint8_t*)0x2000076d = 6; *(uint8_t*)0x2000076e = 4; *(uint16_t*)0x2000076f = 0x400; *(uint8_t*)0x20000771 = 0; *(uint8_t*)0x20000772 = 6; *(uint8_t*)0x20000773 = 3; *(uint8_t*)0x20000774 = 0x11; *(uint8_t*)0x20000775 = 4; memcpy((void*)0x20000776, 
"\x39\xa6\x64\x25\x22\x0f\xb1\xa9\x9e\x55\x6b\x2d\xfb\x18\x38", 15); *(uint8_t*)0x20000785 = 9; *(uint8_t*)0x20000786 = 5; *(uint8_t*)0x20000787 = 0xa; *(uint8_t*)0x20000788 = 4; *(uint16_t*)0x20000789 = 0x50; *(uint8_t*)0x2000078b = 0x79; *(uint8_t*)0x2000078c = 9; *(uint8_t*)0x2000078d = -1; *(uint8_t*)0x2000078e = 7; *(uint8_t*)0x2000078f = 0x25; *(uint8_t*)0x20000790 = 1; *(uint8_t*)0x20000791 = 1; *(uint8_t*)0x20000792 = 9; *(uint16_t*)0x20000793 = 7; *(uint8_t*)0x20000795 = 9; *(uint8_t*)0x20000796 = 5; *(uint8_t*)0x20000797 = 2; *(uint8_t*)0x20000798 = 0x10; *(uint16_t*)0x20000799 = 0x10; *(uint8_t*)0x2000079b = 0; *(uint8_t*)0x2000079c = 0xe5; *(uint8_t*)0x2000079d = 1; *(uint8_t*)0x2000079e = 0xc; *(uint8_t*)0x2000079f = 8; memcpy((void*)0x200007a0, "\x62\x71\xea\xd3\x9e\x76\xc5\x5f\x40\x3f", 10); *(uint8_t*)0x200007aa = 0x1d; *(uint8_t*)0x200007ab = 0x22; memcpy((void*)0x200007ac, "\x93\xf9\x20\x77\xe6\xf8\xfb\x30\x27\x85\xe1\x3e\x57\xcc\x86\xfc\x2a\x7a\x97\x62\x1a\x1c\xd7\x84\x98\xcc\x60", 27); *(uint8_t*)0x200007c7 = 9; *(uint8_t*)0x200007c8 = 5; *(uint8_t*)0x200007c9 = 0xa; *(uint8_t*)0x200007ca = 0; *(uint16_t*)0x200007cb = 0x10; *(uint8_t*)0x200007cd = 0xfb; *(uint8_t*)0x200007ce = 0x70; *(uint8_t*)0x200007cf = 9; *(uint8_t*)0x200007d0 = 0xa5; *(uint8_t*)0x200007d1 = 0xa; memcpy((void*)0x200007d2, "\xaa\x01\x6e\xff\xd7\x95\xb2\x1f\xec\xe5\x5d\x47\x62\x18\x11\xef\x08\xe6\xea\xf7\xa4\xf3\xfb\xf7\x0f\x91\x91\xee\xc8\x75\xbd\x45\xba\x57\x2c\xf2\xef\x7f\x10\xf3\xa5\x05\xff\x71\xef\x3e\xf1\xa4\x2a\x73\x49\xf1\x98\xcc\x1e\x75\x24\xa3\x0e\x94\x8c\x63\x34\xe7\x06\x02\x3f\xca\xec\xc3\xcf\x51\xd8\xcc\x35\x4d\xff\xde\xc9\xe3\x30\x58\x45\x61\x86\xdf\xe0\x45\x3f\x8f\xb8\xce\x87\x70\xff\xf3\xa3\x5e\x7b\xc7\xbe\x19\x82\xbc\x0f\xdb\x24\x8b\x77\x6f\x99\x5d\x49\x26\x94\x17\x2d\x25\xaf\xfd\x86\x07\xf0\x00\xdb\xea\x29\xd9\xb5\x7d\xe7\xbc\x89\xd3\x28\xa6\x3c\x5e\x9f\x34\x30\xaa\x09\x4d\x1f\x14\xe2\xea\x84\x44\x62\x60\x09\x73\x23\xf8\x48\x36\x41\xd5\x30\x8b\x57", 163); 
*(uint8_t*)0x20000875 = 9; *(uint8_t*)0x20000876 = 5; *(uint8_t*)0x20000877 = 0x8c; *(uint8_t*)0x20000878 = 8; *(uint16_t*)0x20000879 = 0x40; *(uint8_t*)0x2000087b = 4; *(uint8_t*)0x2000087c = 5; *(uint8_t*)0x2000087d = 3; *(uint32_t*)0x20000d40 = 0xa; *(uint64_t*)0x20000d44 = 0x20000880; *(uint8_t*)0x20000880 = 0xa; *(uint8_t*)0x20000881 = 6; *(uint16_t*)0x20000882 = 0x250; *(uint8_t*)0x20000884 = 1; *(uint8_t*)0x20000885 = 8; *(uint8_t*)0x20000886 = 0xcf; *(uint8_t*)0x20000887 = 0x20; *(uint8_t*)0x20000888 = 6; *(uint8_t*)0x20000889 = 0; *(uint32_t*)0x20000d4c = 0xa7; *(uint64_t*)0x20000d50 = 0x200008c0; *(uint8_t*)0x200008c0 = 5; *(uint8_t*)0x200008c1 = 0xf; *(uint16_t*)0x200008c2 = 0xa7; *(uint8_t*)0x200008c4 = 6; *(uint8_t*)0x200008c5 = 0x18; *(uint8_t*)0x200008c6 = 0x10; *(uint8_t*)0x200008c7 = 0xa; *(uint8_t*)0x200008c8 = 8; STORE_BY_BITMASK(uint32_t, , 0x200008c9, 3, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x200008c9, 9, 5, 27); *(uint16_t*)0x200008cd = 0xf; *(uint16_t*)0x200008cf = 0; *(uint32_t*)0x200008d1 = 0xffc030; *(uint32_t*)0x200008d5 = 0xc030; *(uint32_t*)0x200008d9 = 0x3f30; *(uint8_t*)0x200008dd = 0x14; *(uint8_t*)0x200008de = 0x10; *(uint8_t*)0x200008df = 4; *(uint8_t*)0x200008e0 = 0xfe; memcpy((void*)0x200008e1, "\xed\xca\xa5\x25\xc2\x3e\x27\xc4\x7c\xe4\x24\x20\xc0\x44\xbb\x79", 16); *(uint8_t*)0x200008f1 = 3; *(uint8_t*)0x200008f2 = 0x10; *(uint8_t*)0x200008f3 = 0xb; *(uint8_t*)0x200008f4 = 3; *(uint8_t*)0x200008f5 = 0x10; *(uint8_t*)0x200008f6 = 0xb; *(uint8_t*)0x200008f7 = 7; *(uint8_t*)0x200008f8 = 0x10; *(uint8_t*)0x200008f9 = 2; STORE_BY_BITMASK(uint32_t, , 0x200008fa, 0x1c, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x200008fb, 6, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x200008fb, 0, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x200008fc, 8, 0, 16); *(uint8_t*)0x200008fe = 0x69; *(uint8_t*)0x200008ff = 0x10; *(uint8_t*)0x20000900 = 1; memcpy((void*)0x20000901, 
"\xf0\x91\x7a\x40\x9f\x20\x82\x3f\xe2\x1e\x12\x4d\xc6\x71\xac\x83\x13\xbe\xb3\x28\xf2\x63\xa5\x96\x75\x48\xb9\xff\xe8\xbd\x38\xca\x2b\x56\x38\xe9\x0e\x09\xb0\x0a\xd4\x00\x0d\x97\x5c\x28\xf2\x80\x60\x24\x43\x96\x8f\xb7\x54\x43\xf4\x83\x3a\x05\xf9\x36\xed\x00\xb5\x75\xa1\x1e\x11\x81\xf1\x9f\x62\xf7\x01\x0a\x85\x59\xd4\x42\x22\x69\xba\x17\xc5\x69\xa5\xd2\xca\x58\x02\x10\xa2\x81\x19\x23\x21\x6f\xf3\x8f\x6c\x21", 102); *(uint32_t*)0x20000d58 = 9; *(uint32_t*)0x20000d5c = 0x2e; *(uint64_t*)0x20000d60 = 0x20000980; *(uint8_t*)0x20000980 = 0x2e; *(uint8_t*)0x20000981 = 3; memcpy((void*)0x20000982, "\xc0\xca\x32\x6a\xbb\x6f\x9f\x4b\xe8\xfd\xe5\xec\x0f\xda\x56\x56\x8a\x3a\xee\x01\x7d\x48\x51\xf5\xe1\x77\xf2\x7c\x67\x23\xcc\x4b\x66\x14\x8d\x06\x8a\x4f\xc2\x15\xc3\x41\x22\x42", 44); *(uint32_t*)0x20000d68 = 4; *(uint64_t*)0x20000d6c = 0x200009c0; *(uint8_t*)0x200009c0 = 4; *(uint8_t*)0x200009c1 = 3; *(uint16_t*)0x200009c2 = 0x140a; *(uint32_t*)0x20000d74 = 0x101; *(uint64_t*)0x20000d78 = 0x20000a00; *(uint8_t*)0x20000a00 = 1; *(uint8_t*)0x20000a01 = 3; memcpy((void*)0x20000a02, 
"\xb5\x44\xe4\xb1\x0f\x95\xe3\x90\x3d\xd7\xa1\xb4\xfc\xaa\xde\x5c\x41\x43\xd9\x0f\x68\xfc\xf3\xf0\xd8\x32\x82\xc3\x24\xf0\xd4\xa7\xe6\x5f\x27\x80\x3e\x19\xd9\x56\x78\xa8\x8d\xa9\xf9\x9c\x40\x3c\xb3\x26\x52\x70\xa9\x96\x4d\xcd\x75\x9f\xf7\x27\xed\x3c\xdb\x42\x7b\x2a\xc3\xc5\xf7\x1d\xde\xb5\xea\x16\xa0\x37\x7a\x0e\xd2\x2e\x54\xa2\x4a\x8a\xe1\x47\x51\x37\x62\x01\x42\x60\x56\x82\xbe\x28\x12\x97\xff\x87\xf2\x08\x1a\xda\x23\x29\x52\x0e\x8e\x87\x82\x80\x43\xb6\x5d\x66\x3c\x96\x0e\x10\x01\xcd\xd6\x65\x51\x89\x12\x30\xa3\x67\xe3\x07\xd0\x0a\xbe\x3a\x52\xcc\x07\x33\x5d\x6d\x39\xea\xc4\x4c\x43\xf1\xb7\x0c\x13\xca\xfa\x5b\x2c\x7a\xca\x4c\x95\x72\x43\x75\x59\x9a\x85\x9c\x39\xe4\xc0\xe4\xda\x7b\x2c\x90\x6e\x43\x28\x8f\x11\x74\x94\xfe\xdd\xbe\xc0\x23\x07\x16\xe3\x1e\x46\xf5\x31\x87\x5f\xc7\xef\xf8\x5e\x6f\x2f\x36\x51\x7f\xa0\x2a\x11\x6f\xce\x7a\x95\xfb\xa5\xfa\x3d\xff\x69\x7c\xe8\x71\x6f\xc8\x5a\xa4\xd0\xf6\xf2\x4b\x04\x01\xf2\xc4\xdb\x9a\xec\x9a\xf7\x75\xa0\x41\x99\x2c\x23\x4d\x23\x07\xbf\xda\x12\x24\x84\xcc\x46\x0e\x90", 255); *(uint32_t*)0x20000d80 = 4; *(uint64_t*)0x20000d84 = 0x20000b40; *(uint8_t*)0x20000b40 = 4; *(uint8_t*)0x20000b41 = 3; *(uint16_t*)0x20000b42 = 0x804; *(uint32_t*)0x20000d8c = 4; *(uint64_t*)0x20000d90 = 0x20000b80; *(uint8_t*)0x20000b80 = 4; *(uint8_t*)0x20000b81 = 3; *(uint16_t*)0x20000b82 = 0x400a; *(uint32_t*)0x20000d98 = 4; *(uint64_t*)0x20000d9c = 0x20000bc0; *(uint8_t*)0x20000bc0 = 4; *(uint8_t*)0x20000bc1 = 3; *(uint16_t*)0x20000bc2 = 0x42b; *(uint32_t*)0x20000da4 = 4; *(uint64_t*)0x20000da8 = 0x20000c00; *(uint8_t*)0x20000c00 = 4; *(uint8_t*)0x20000c01 = 3; *(uint16_t*)0x20000c02 = 0x3009; *(uint32_t*)0x20000db0 = 0xa5; *(uint64_t*)0x20000db4 = 0x20000c40; *(uint8_t*)0x20000c40 = 0xa5; *(uint8_t*)0x20000c41 = 3; memcpy((void*)0x20000c42, 
"\x84\x38\x9b\x09\x2a\x5b\x3d\x06\xbf\xd8\x95\x09\xd0\x72\xa7\x3f\x11\x1a\x14\xaa\x46\x19\x78\x5c\x4f\xe2\x44\x85\x20\xd3\x44\xb0\x30\x91\x36\xab\x09\x1e\x79\x2a\x36\xd6\xc3\xad\xdb\xe8\x39\xa5\x9d\x03\x72\xbd\xb5\x42\x65\xba\x32\xc2\xfa\x75\x17\x55\x18\xbe\xe6\x40\xf7\xa1\x5d\xd0\x11\x26\x06\xec\x27\x89\x89\xfe\xa0\x51\xf6\xa6\x9b\x97\x53\x67\x5b\x81\xfe\x2e\x64\xeb\xe3\x34\x56\x8e\x08\x6b\x24\x70\x4b\xe9\xdb\x1f\xa5\x64\x5a\x8a\xf5\x26\xed\x97\xa9\x0c\x02\x7a\x2b\x4f\x90\xed\x9c\x2a\xf5\xe9\xba\x52\x84\x31\xc9\x3f\xea\x75\x2e\x8d\x84\x89\xd4\xef\x97\x7f\x5a\x3a\xc6\xc8\xdb\xac\xfc\x14\x5f\xdb\x5f\x7b\xca\x68\x1b\x6f\x3b\xd7\x64\xd0\x6c\xbe\x0b", 163); *(uint32_t*)0x20000dbc = 4; *(uint64_t*)0x20000dc0 = 0x20000d00; *(uint8_t*)0x20000d00 = 4; *(uint8_t*)0x20000d01 = 3; *(uint16_t*)0x20000d02 = 0x44d; syz_usb_connect(5, 0x77e, 0x20000100, 0x20000d40); break; case 12: *(uint8_t*)0x20000e00 = 0x12; *(uint8_t*)0x20000e01 = 1; *(uint16_t*)0x20000e02 = 0x310; *(uint8_t*)0x20000e04 = 2; *(uint8_t*)0x20000e05 = 0; *(uint8_t*)0x20000e06 = 0; *(uint8_t*)0x20000e07 = 0x20; *(uint16_t*)0x20000e08 = 0x525; *(uint16_t*)0x20000e0a = 0xa4a1; *(uint16_t*)0x20000e0c = 0x40; *(uint8_t*)0x20000e0e = 1; *(uint8_t*)0x20000e0f = 2; *(uint8_t*)0x20000e10 = 3; *(uint8_t*)0x20000e11 = 1; *(uint8_t*)0x20000e12 = 9; *(uint8_t*)0x20000e13 = 2; *(uint16_t*)0x20000e14 = 0x7d; *(uint8_t*)0x20000e16 = 2; *(uint8_t*)0x20000e17 = 1; *(uint8_t*)0x20000e18 = 1; *(uint8_t*)0x20000e19 = 0xd0; *(uint8_t*)0x20000e1a = 0; *(uint8_t*)0x20000e1b = 9; *(uint8_t*)0x20000e1c = 4; *(uint8_t*)0x20000e1d = 0; *(uint8_t*)0x20000e1e = 0; *(uint8_t*)0x20000e1f = 1; *(uint8_t*)0x20000e20 = 2; *(uint8_t*)0x20000e21 = 0xd; *(uint8_t*)0x20000e22 = 0; *(uint8_t*)0x20000e23 = 0; *(uint8_t*)0x20000e24 = 5; *(uint8_t*)0x20000e25 = 0x24; *(uint8_t*)0x20000e26 = 6; *(uint8_t*)0x20000e27 = 0; *(uint8_t*)0x20000e28 = 1; *(uint8_t*)0x20000e29 = 5; *(uint8_t*)0x20000e2a = 0x24; *(uint8_t*)0x20000e2b = 0; *(uint16_t*)0x20000e2c = 
0x81; *(uint8_t*)0x20000e2e = 0xd; *(uint8_t*)0x20000e2f = 0x24; *(uint8_t*)0x20000e30 = 0xf; *(uint8_t*)0x20000e31 = 1; *(uint32_t*)0x20000e32 = 0x3fffc000; *(uint16_t*)0x20000e36 = 0xba60; *(uint16_t*)0x20000e38 = 1; *(uint8_t*)0x20000e3a = 1; *(uint8_t*)0x20000e3b = 6; *(uint8_t*)0x20000e3c = 0x24; *(uint8_t*)0x20000e3d = 0x1a; *(uint16_t*)0x20000e3e = 1; *(uint8_t*)0x20000e40 = 0; *(uint8_t*)0x20000e41 = 0xc; *(uint8_t*)0x20000e42 = 0x24; *(uint8_t*)0x20000e43 = 0x1b; *(uint16_t*)0x20000e44 = 0x1b7; *(uint16_t*)0x20000e46 = 0x50f; *(uint8_t*)0x20000e48 = 6; *(uint8_t*)0x20000e49 = 0x5b; *(uint16_t*)0x20000e4a = 0x81; *(uint8_t*)0x20000e4c = 9; *(uint8_t*)0x20000e4d = 0x15; *(uint8_t*)0x20000e4e = 0x24; *(uint8_t*)0x20000e4f = 0x12; *(uint16_t*)0x20000e50 = 0x5f; *(uint64_t*)0x20000e52 = 0x14f5e048ba817a3; *(uint64_t*)0x20000e5a = 0x2a397ecbffc007a6; *(uint8_t*)0x20000e62 = 9; *(uint8_t*)0x20000e63 = 5; *(uint8_t*)0x20000e64 = 0x81; *(uint8_t*)0x20000e65 = 3; *(uint16_t*)0x20000e66 = 0x10; *(uint8_t*)0x20000e68 = 1; *(uint8_t*)0x20000e69 = 6; *(uint8_t*)0x20000e6a = 2; *(uint8_t*)0x20000e6b = 9; *(uint8_t*)0x20000e6c = 4; *(uint8_t*)0x20000e6d = 1; *(uint8_t*)0x20000e6e = 0; *(uint8_t*)0x20000e6f = 0; *(uint8_t*)0x20000e70 = 2; *(uint8_t*)0x20000e71 = 0xd; *(uint8_t*)0x20000e72 = 0; *(uint8_t*)0x20000e73 = 0; *(uint8_t*)0x20000e74 = 9; *(uint8_t*)0x20000e75 = 4; *(uint8_t*)0x20000e76 = 1; *(uint8_t*)0x20000e77 = 1; *(uint8_t*)0x20000e78 = 2; *(uint8_t*)0x20000e79 = 2; *(uint8_t*)0x20000e7a = 0xd; *(uint8_t*)0x20000e7b = 0; *(uint8_t*)0x20000e7c = 0; *(uint8_t*)0x20000e7d = 9; *(uint8_t*)0x20000e7e = 5; *(uint8_t*)0x20000e7f = 0x82; *(uint8_t*)0x20000e80 = 2; *(uint16_t*)0x20000e81 = 8; *(uint8_t*)0x20000e83 = 0xcc; *(uint8_t*)0x20000e84 = 6; *(uint8_t*)0x20000e85 = 0x9b; *(uint8_t*)0x20000e86 = 9; *(uint8_t*)0x20000e87 = 5; *(uint8_t*)0x20000e88 = 3; *(uint8_t*)0x20000e89 = 2; *(uint16_t*)0x20000e8a = 0x400; *(uint8_t*)0x20000e8c = 1; *(uint8_t*)0x20000e8d = 6; 
*(uint8_t*)0x20000e8e = 1; *(uint32_t*)0x20001300 = 0xa; *(uint64_t*)0x20001304 = 0x20000ec0; *(uint8_t*)0x20000ec0 = 0xa; *(uint8_t*)0x20000ec1 = 6; *(uint16_t*)0x20000ec2 = 0x200; *(uint8_t*)0x20000ec4 = 0; *(uint8_t*)0x20000ec5 = 1; *(uint8_t*)0x20000ec6 = 0x13; *(uint8_t*)0x20000ec7 = 8; *(uint8_t*)0x20000ec8 = -1; *(uint8_t*)0x20000ec9 = 0; *(uint32_t*)0x2000130c = 0xff; *(uint64_t*)0x20001310 = 0x20000f00; *(uint8_t*)0x20000f00 = 5; *(uint8_t*)0x20000f01 = 0xf; *(uint16_t*)0x20000f02 = 0xff; *(uint8_t*)0x20000f04 = 6; *(uint8_t*)0x20000f05 = 3; *(uint8_t*)0x20000f06 = 0x10; *(uint8_t*)0x20000f07 = 0xb; *(uint8_t*)0x20000f08 = 0x14; *(uint8_t*)0x20000f09 = 0x10; *(uint8_t*)0x20000f0a = 4; *(uint8_t*)0x20000f0b = 1; memcpy((void*)0x20000f0c, "\x43\x3e\x98\x8e\xe5\xf3\x58\xef\x3f\x4e\x65\x3f\xaf\x4e\xe7\x65", 16); *(uint8_t*)0x20000f1c = 0xa; *(uint8_t*)0x20000f1d = 0x10; *(uint8_t*)0x20000f1e = 0xb; memcpy((void*)0x20000f1f, "\xd3\x74\xd6\xca\x9c\xfd\xff", 7); *(uint8_t*)0x20000f26 = 0xe; *(uint8_t*)0x20000f27 = 0x10; *(uint8_t*)0x20000f28 = 0xb; memcpy((void*)0x20000f29, "\xe4\xe1\x28\x48\xc1\xc9\xe1\xac\xe2\x70\x01", 11); *(uint8_t*)0x20000f34 = 0x1c; *(uint8_t*)0x20000f35 = 0x10; *(uint8_t*)0x20000f36 = 0xa; *(uint8_t*)0x20000f37 = 0x40; STORE_BY_BITMASK(uint32_t, , 0x20000f38, 4, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x20000f38, 4, 5, 27); *(uint16_t*)0x20000f3c = 0xf0f; *(uint16_t*)0x20000f3e = 0x8000; *(uint32_t*)0x20000f40 = 0xff0000; *(uint32_t*)0x20000f44 = 0xc0; *(uint32_t*)0x20000f48 = 0xff003f; *(uint32_t*)0x20000f4c = 0xc00f; *(uint8_t*)0x20000f50 = 0xaf; *(uint8_t*)0x20000f51 = 0x10; *(uint8_t*)0x20000f52 = 1; memcpy((void*)0x20000f53, 
"\xcb\xab\xda\x0f\x97\x9a\xfc\xbd\x15\x73\x7d\x31\x5a\xb6\x9a\xc5\x32\xbd\xa0\x26\x42\xde\xbc\xa3\x3a\x83\x18\x5a\x92\x73\x8f\x4d\x04\xce\xc6\x95\x22\x3d\x9f\x52\xb8\x03\xad\x72\x64\x4b\xd3\xdf\x57\x74\x94\x9b\x6e\xd6\x37\x7c\xdf\x5d\xa5\xb1\xd8\x20\x0d\xe1\x61\xf5\xb0\xf6\x10\xc7\x8f\x5c\x79\xa0\x0d\xb8\x64\x92\xec\xdf\x46\x42\x04\xc0\x09\xa9\x47\x4a\x05\xf0\xf6\x35\x18\x19\x70\x3f\x38\x3e\xca\x0f\x29\xa0\x1e\x52\xf7\xb0\xb1\xf9\x21\xef\x92\xc3\xe6\x30\x28\x77\x07\xe0\x61\x7f\xe8\xcf\x26\x72\xef\x1d\xee\x5e\x7c\x5f\x8a\x37\x41\x5f\x54\xb2\x41\xf0\xb9\x3a\xe6\xf3\x40\x2e\x17\xb6\xfe\xc4\x66\xb8\x38\x27\xf4\xe4\x2c\x57\xaf\x90\xea\x0b\x73\x5a\x10\xb5\xcc\x4a\x9e\xd1\x44\x61\xcb\x3c", 172); *(uint32_t*)0x20001318 = 9; *(uint32_t*)0x2000131c = 4; *(uint64_t*)0x20001320 = 0x20001000; *(uint8_t*)0x20001000 = 4; *(uint8_t*)0x20001001 = 3; *(uint16_t*)0x20001002 = 0x807; *(uint32_t*)0x20001328 = 4; *(uint64_t*)0x2000132c = 0x20001040; *(uint8_t*)0x20001040 = 4; *(uint8_t*)0x20001041 = 3; *(uint16_t*)0x20001042 = 0x44c; *(uint32_t*)0x20001334 = 0x46; *(uint64_t*)0x20001338 = 0x20001080; *(uint8_t*)0x20001080 = 0x46; *(uint8_t*)0x20001081 = 3; memcpy((void*)0x20001082, "\xd3\x41\x69\xf9\x72\x88\x6d\x91\x88\x5f\xb4\xe6\x63\xd3\xb9\x5e\xfc\xbd\xf2\xac\x7f\xb6\xa4\x8b\x8f\x5d\x44\xf4\x90\xa6\xd5\xdb\x20\x86\xfa\x93\x8c\x10\xf7\x75\x1b\x90\xc3\x99\x3b\xbf\xad\x67\x0a\x7f\x80\xd3\x58\x86\xc2\xcc\x30\x29\x1a\xb2\xce\x67\x01\x1d\x1b\x0d\x6c\xf4", 68); *(uint32_t*)0x20001340 = 4; *(uint64_t*)0x20001344 = 0x20001100; *(uint8_t*)0x20001100 = 4; *(uint8_t*)0x20001101 = 3; *(uint16_t*)0x20001102 = 0x40a; *(uint32_t*)0x2000134c = 0x36; *(uint64_t*)0x20001350 = 0x20001140; *(uint8_t*)0x20001140 = 0x36; *(uint8_t*)0x20001141 = 3; memcpy((void*)0x20001142, "\x06\x4c\xab\x2c\xae\x36\xef\x56\x23\x74\x9b\xcb\x79\x93\xb3\x10\xc0\xf7\x00\xe5\x26\xdd\xa0\x22\x3a\x1e\x4b\x6f\x16\x00\x79\xc7\xb1\xcd\xb2\xa8\xb0\x43\xea\x83\x25\xec\xc0\xee\xd6\x4d\x54\x39\x81\xa3\x96\xb7", 52); 
*(uint32_t*)0x20001358 = 5; *(uint64_t*)0x2000135c = 0x20001180; *(uint8_t*)0x20001180 = 5; *(uint8_t*)0x20001181 = 3; memcpy((void*)0x20001182, "Ka\000", 3); *(uint32_t*)0x20001364 = 4; *(uint64_t*)0x20001368 = 0x200011c0; *(uint8_t*)0x200011c0 = 4; *(uint8_t*)0x200011c1 = 3; *(uint16_t*)0x200011c2 = 0x500a; *(uint32_t*)0x20001370 = 4; *(uint64_t*)0x20001374 = 0x20001200; *(uint8_t*)0x20001200 = 4; *(uint8_t*)0x20001201 = 3; *(uint16_t*)0x20001202 = 0x4ff; *(uint32_t*)0x2000137c = 0x8f; *(uint64_t*)0x20001380 = 0x20001240; *(uint8_t*)0x20001240 = 0x8f; *(uint8_t*)0x20001241 = 3; memcpy((void*)0x20001242, "\x37\xcc\x0c\x18\xf2\xd0\x9b\xfc\x3a\xa7\x69\x89\xd3\x6d\x44\x9d\xb5\x7f\xf9\x5c\x9d\x3d\x3c\xb0\x40\x2d\x82\x35\xdc\x71\x22\x01\xee\xa4\xc3\x18\x2f\xf7\x6c\xbd\xbb\xe5\x31\x5c\x11\x68\x27\xa3\x5f\xa2\x7a\x39\x04\xc6\x63\x96\x50\x3f\x48\x37\x05\x55\xf6\x27\x91\xc6\x15\x46\xe4\x12\x1a\xa6\x88\xc1\xc7\xc5\x7d\x95\x5a\xed\xd9\xee\xc2\xb3\x07\xd4\xe5\x87\xe1\xae\xd0\x86\x79\xb2\x72\x8a\xcd\x32\x1b\xc4\xf8\x3e\xe2\x68\xd8\x14\x9d\x81\xbb\xc1\x28\xc5\x8e\x17\x8c\xd1\x7d\x2b\x81\x36\xb8\x34\xc1\xe9\xb1\xd7\xd3\xd1\x37\xae\x9b\x4c\x27\xe6\xb1\xba\x93\xdf\x07\xe8\x52", 141); res = -1; res = syz_usb_connect(1, 0x8f, 0x20000e00, 0x20001300); if (res != -1) r[3] = res; break; case 13: syz_usb_disconnect(r[3]); break; } } int main(void) { syscall(SYS_mmap, 0x20000000ul, 0x1000000ul, 3ul, 0x1012ul, -1, 0ul, 0ul); setup_fault(); use_temporary_dir(); do_sandbox_none(); return 0; } compiler invocation: /syzkaller/shared/netbsd/tools/bin/x86_64--netbsd-g++ [-o /tmp/syz-executor3876327066 -DGOOS_netbsd=1 -DGOARCH_amd64=1 -DHOSTGOOS_linux=1 -x c - -m64 --sysroot /syzkaller/shared/netbsd/dest/ -O2 -pthread -Wall -Werror -Wparentheses -Wframe-larger-than=16384] --- FAIL: TestGenerate/netbsd/amd64/0 (0.21s) csource_test.go:150: opts: {Threaded:false Repeat:true RepeatTimes:0 Procs:0 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false 
Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false UseTmpDir:true HandleSegv:false Repro:false Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}} program: __stat50(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) (fail_nth: 1) compat_50___msgctl13$IPC_SET(0x0, 0x1, &(0x7f0000000200)={{0x5a3e, 0x0, r1, 0xffffffffffffffff, 0xffffffffffffffff, 0x20, 0x400}, 0x9, 0x62e81dc5, 0x81, 0x5, 0x4, 0x8, 0x9, &(0x7f0000000100)={0x0, 0x20e1, 0xfffd, 0x1}, &(0x7f00000001c0)={&(0x7f0000000180)={&(0x7f0000000140)={0x0, 0x7ff, 0x9, 0x1}, 0x8000000000000000, 0x6, 0x8}, 0x8, 0x5, 0x20}, 0x400}) (async) chown(&(0x7f0000000280)='./file0\x00', r0, 0x0) (rerun: 4) compat_14___semctl$GETALL(0x0, 0x0, 0x6, &(0x7f00000002c0)) compat_14___semctl$SETVAL(0xffffffffffffffff, 0x0, 0x8, &(0x7f0000000380)=@buf=&(0x7f0000000340)={{r0, r1, 0x80, 0x5a3, 0x100, 0x1, 0x4897}, 0x7fff, 0x7, 0x0, &(0x7f0000000300)={0x800, 0x7, 0x2, 0x9}}) semctl$GETNCNT(0xffffffffffffffff, 0x4, 0x3, &(0x7f00000003c0)=""/4) r2 = semget$private(0x0, 0x3, 0x2) compat_14___semctl$GETNCNT(r2, 0x0, 0x3) semop(r2, &(0x7f0000000400)=[{0x4, 0x7, 0x2000}, {0x4, 0x1f, 0x800}, {0x1, 0x7, 0x400}], 0x3) compat_14___semctl$IPC_STAT(r2, 0x0, 0x2, &(0x7f0000000440)) syz_emit_ethernet(0x8, &(0x7f0000000000)="03d03df5c2dcc049") syz_execute_func(&(0x7f0000000040)="c421c16d149fc462baf76fed2666450f3800813be70eb16640253633f0408182a0bc302200800000c48281926cd992660f4f99c0f800003626660f124e32f26e660f382ab500000080") syz_extract_tcp_res(&(0x7f00000000c0), 0xfffffffa, 0x8000) syz_usb_connect(0x5, 0x77e, &(0x7f0000000100)={{0x12, 0x1, 0x300, 0x0, 0x0, 0x0, 0xbf, 0x0, 0x0, 0x0, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x76c, 0x3, 0x7, 0x17, 0x30, 0x3d, [{{0x9, 0x4, 0x8e, 0x0, 0x0, 0x0, 0x0, 0x0, 0x62, [@uac_as={[@format_type_ii_discrete={0x12, 0x24, 0x2, 0x2, 0x1f, 0x7, 0x7f, 
"11c06824606e6e241d"}]}]}}, {{0x9, 0x4, 0x0, 0x3f, 0xd, 0x0, 0x0, 0x0, 0x1f, [@generic={0xe0, 0xa, "b71aa8dbef28ec508e40e57e0f21e51ceb5eacb80bb3f7ed35e29bad265b99dbbcbb655b87cbc776843703a876dc2dd2216c56771dd13f2cae3eae772586cacf7cdb24a918924ba342e5a84cb77541172a5b4100bcd721c00bcc1d590d5bae2e602b8a29aa649516b39d745c546613730dec4957df6dc6591993b9027afe3eb2172a49b3b589f5322cc76fd421d8b9acaf9f326c835214aa33da004adaae6689efebb028a649b7edc82333f89fd100b6da5d60c3e1349bd30d2cff8ae56ccbed46e09f6662c6b2c2e7cbd887fbc447db5d6887eb1cc1378ed310ec7d004c"}, @cdc_ncm={{0xb, 0x24, 0x6, 0x0, 0x1, "4b66fafbc9e4"}, {0x5, 0x24, 0x0, 0x6}, {0xd, 0x24, 0xf, 0x1, 0x80000000, 0x4}, {0x6, 0x24, 0x1a, 0xfffa, 0x12}, [@obex={0x5, 0x24, 0x15, 0x5}, @mdlm={0x15, 0x24, 0x12, 0x5}, @dmm={0x7, 0x24, 0x14, 0x4}, @mdlm_detail={0xe5, 0x24, 0x13, 0x7, "8f0d5f90cf98b479fae069bfd83c7e4ef5afe012495f0ee23062fe5f81be0ef82ff410318f82c5300ba5a5ad175dacf741e1d1956b8bb156e5b546644c1750916d0381b49c7bd160323bde2ff8c1379a319c3add3fbd86aa169749f6108844bd19644cafebba5d70989e95144300d6b508edd1662f759828aad78d18d710553cb7f5df43b7b560bb4f4869de9ebe5e126356507d10f2c8d9b83f661fbf0bd5131ce9c059b60e620da0f7516ad6d70c75de7dd4b37d9c379134e6036df428e1f541dbee9f58a4a374ff6cb6ae0468f49c616418a2760066457439952bb5b93f4f33"}, @mdlm={0x15, 0x24, 0x12, 0xec}]}], [{{0x9, 0x5, 0xf, 0x1d, 0x10, 0x0, 0x80, 0x74}}, {{0x9, 0x5, 0x2, 0x3, 0x10, 0x9f, 0x7d, 0xff, [@generic={0x52, 0xe, "ecf4ce492b20b2d508a9180c01192d8e124f6e790aedfc35213b1d14c68c63686631f697532da005bc5013d62c6d5c18b5c5c4f2263b42b582b7333b47373cdf666159745a6a53d518a4ae7c51abaaa8"}, @generic={0x15, 0x23, "dc333ea4d2d7351ec6d273b68ce3d5d1e2c2cf"}]}}, {{0x9, 0x5, 0xb, 0x0, 0x10, 0x4, 0x9, 0x0, [@uac_iso={0x7, 0x25, 0x1, 0x0, 0x5, 0xfffc}, @generic={0x35, 0x2, "59a66019fb9adfb5950997712b8b3c1cb4c4a0abbf8ea41dd4dd5936bde7fbe23ff642c176c355ef4728022f3d7d833860fbcf"}]}}, {{0x9, 0x5, 0x0, 0x10, 0x8, 0x1, 0x1}}, {{0x9, 0x5, 0x1, 0x2, 0x0, 0x0, 0x9, 0x6, [@uac_iso={0x7, 0x25, 0x1, 0x3, 
0x9, 0x9f36}, @uac_iso={0x7, 0x25, 0x1, 0x3, 0x9, 0x3}]}}, {{0x9, 0x5, 0xc, 0x10, 0x200, 0x15, 0x2, 0x0, [@generic={0x5b, 0x23, "1925294e2c16954f8313825e71ea536e7077d7130cee3a802cb3c8005ef6d9211068286c7a4c20cb87fd2cdc5aeedb171fd67ddc74c3f029aab0bfa9a63e5de5a53579666cef0fb7c876efc0a5d3382c346e1f9a78b7356c22"}]}}, {{0x9, 0x5, 0xb, 0x0, 0x40, 0x18, 0x3f, 0x8}}, {{0x9, 0x5, 0xd, 0x1, 0x0, 0x9, 0xff, 0x3, [@generic={0xdc, 0x23, "ccd53fc81156a91ff426eb001fbf43c8551fda170ed36a97eba7a32c3115ec5e9a8182734012aa12ddcc6e93d85eaafbda4ab1cff6bcb2afecd8aa8c58b27a75e5a4ddc50cc673edc82ff13115eb8f50ddd1ed2695337ca85b88264db59eb1304216a301d42f2902d5c06b17592bb21d2af1d092f5d7373aefdb907ffc8179abd68b11ef10be844e03816806f045f0a5ef3ba0ac5bd843a46fa3b72b862de1728647adc3f3bbcd53ce881e6b5a6c6ec797d32cc13918e3da4b3ea20dd6893c2c7ca47aa51bee047a361feff716cef3dae50b6ca72a2b764fa4cf"}, @uac_iso={0x7, 0x25, 0x1, 0x80, 0x5, 0x3f}]}}, {{0x9, 0x5, 0x1, 0x2, 0x20, 0xb9, 0x86, 0x40, [@generic={0x84, 0x8, "ab514debe16aea41f067e846f8939c5d4f6fce3a7d25eaee2c0651f92fe24417bdf9256f3f9b583492b2e4fe6b2b4bad9c1f4a8b26d74c60aeda9478a64876891b3a75ffce4001853b93bd0fd8a165a7fa83fbc6b95aed880f02224f1222b150b746981a4b55288f564d8d6af643c0fd291571d70cc56024dd73e500c5efe9bc9b72"}, @uac_iso={0x7, 0x25, 0x1, 0x1, 0x0, 0x9}]}}, {{0x9, 0x5, 0x5, 0x2, 0x10, 0xf9, 0xd8, 0xf9}}, {{0x9, 0x5, 0x3, 0xc, 0x8, 0x81, 0x0, 0x3f}}, {{0x9, 0x5, 0xd, 0x0, 0x252d10ce716ea2f3, 0xbe, 0x6, 0x7, [@uac_iso={0x7, 0x25, 0x1, 0x81, 0x2, 0x2}]}}, {{0x9, 0x5, 0x8, 0x3a51d77e4fce6a1c, 0x20, 0x4, 0x8, 0x9, [@uac_iso={0x7, 0x25, 0x1, 0x81, 0xff, 0xffe0}, @generic={0xf2, 0x31, 
"2fb2b9747b651ae66e5d861f9efc61bdd19495f163625975e7bae800ee004867b5a813b7b9dbc55eb0b751b8d758e9cba4a3b4f6830e5f85df740efcf290c77df212ee62fc94cc504b1e5422ffbf9f87ed05b4e762feed6535fd702825631db7636c869c9f1299320d98e1cf740a94e226af5608a799e1c999ee2b4ab5146f852ed9874065fb37c285811c77789df8a1798c2670419747679338a3299349ae3ec49eedcb39256d551a4ffba9595167c1779a7247b94aebc5792e53fbc94c066c16fe77020492e0a308d5ba5fdec952c4095b7563347be3f2ab70873375e6116c394003cc0c5cdbdcb004f96c6c4ff235"}]}}]}}, {{0x9, 0x4, 0x3, 0x6, 0x5, 0x0, 0x0, 0x0, 0xc8, [@uac_as={[@as_header={0x7, 0x24, 0x1, 0x0, 0x3, 0x4}, @format_type_i_discrete={0xf, 0x24, 0x2, 0x1, 0x81, 0x2, 0x1, 0x1, "b3d2feb3920056"}]}], [{{0x9, 0x5, 0x6, 0x4, 0x400, 0x0, 0x6, 0x3, [@generic={0x11, 0x4, "39a66425220fb1a99e556b2dfb1838"}]}}, {{0x9, 0x5, 0xa, 0x4, 0x50, 0x79, 0x9, 0xff, [@uac_iso={0x7, 0x25, 0x1, 0x1, 0x9, 0x7}]}}, {{0x9, 0x5, 0x2, 0x10, 0x10, 0x0, 0xe5, 0x1, [@generic={0xc, 0x8, "6271ead39e76c55f403f"}, @generic={0x1d, 0x22, "93f92077e6f8fb302785e13e57cc86fc2a7a97621a1cd78498cc60"}]}}, {{0x9, 0x5, 0xa, 0x0, 0x10, 0xfb, 0x70, 0x9, [@generic={0xa5, 0xc5f45b4d7fc4460a, "aa016effd795b21fece55d47621811ef08e6eaf7a4f3fbf70f9191eec875bd45ba572cf2ef7f10f3a505ff71ef3ef1a42a7349f198cc1e7524a30e948c6334e706023fcaecc3cf51d8cc354dffdec9e33058456186dfe0453f8fb8ce8770fff3a35e7bc7be1982bc0fdb248b776f995d492694172d25affd8607f000dbea29d9b57de7bc89d328a63c5e9f3430aa094d1f14e2ea84446260097323f8483641d5308b57"}]}}, {{0x9, 0x5, 0x8c, 0x8, 0x40, 0x4, 0x5, 0x3}}]}}]}}]}}, &(0x7f0000000d40)={0xa, &(0x7f0000000880)={0xa, 0x6, 0x250, 0x1, 0x8, 0xcf, 0x20, 0x6}, 0xa7, &(0x7f00000008c0)={0x5, 0xf, 0xa7, 0x6, [@ssp_cap={0x18, 0x10, 0xa, 0x8, 0x3, 0x9, 0xf, 0x0, [0xffc030, 0xc030, 0x3f30]}, @ss_container_id={0x14, 0x10, 0x4, 0xfe, "edcaa525c23e27c47ce42420c044bb79"}, @ptm_cap={0x3}, @ptm_cap={0x3}, @ext_cap={0x7, 0x10, 0x2, 0x1c, 0x6, 0x0, 0x8}, @generic={0x69, 0x10, 0x1, 
"f0917a409f20823fe21e124dc671ac8313beb328f263a5967548b9ffe8bd38ca2b5638e90e09b00ad4000d975c28f280602443968fb75443f4833a05f936ed00b575a11e1181f19f62f7010a8559d4422269ba17c569a5d2ca580210a2811923216ff38f6c21"}]}, 0x9, [{0x2e, &(0x7f0000000980)=@string={0x2e, 0x3, "c0ca326abb6f9f4be8fde5ec0fda56568a3aee017d4851f5e177f27c6723cc4b66148d068a4fc215c3412242"}}, {0x4, &(0x7f00000009c0)=@lang_id={0x4, 0x3, 0x140a}}, {0x101, &(0x7f0000000a00)=@string={0x101, 0x3, "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"}}, {0x4, &(0x7f0000000b40)=@lang_id={0x4, 0x3, 0x804}}, {0x4, &(0x7f0000000b80)=@lang_id={0x4, 0x3, 0x400a}}, {0x4, &(0x7f0000000bc0)=@lang_id={0x4, 0x3, 0x42b}}, {0x4, &(0x7f0000000c00)=@lang_id={0x4, 0x3, 0x3009}}, {0xa5, &(0x7f0000000c40)=@string={0xa5, 0x3, "84389b092a5b3d06bfd89509d072a73f111a14aa4619785c4fe2448520d344b0309136ab091e792a36d6c3addbe839a59d0372bdb54265ba32c2fa75175518bee640f7a15dd0112606ec278989fea051f6a69b9753675b81fe2e64ebe334568e086b24704be9db1fa5645a8af526ed97a90c027a2b4f90ed9c2af5e9ba528431c93fea752e8d8489d4ef977f5a3ac6c8dbacfc145fdb5f7bca681b6f3bd764d06cbe0b"}}, {0x4, &(0x7f0000000d00)=@lang_id={0x4, 0x3, 0x44d}}]}) r3 = syz_usb_connect$cdc_ncm(0x1, 0x8f, &(0x7f0000000e00)={{0x12, 0x1, 0x310, 0x2, 0x0, 0x0, 0x20, 0x525, 0xa4a1, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x7d, 0x2, 0x1, 0x1, 0x1d0, 0x0, {{0x9, 0x4, 0x0, 0x0, 0x1, 0x2, 0xd, 0x0, 0x0, {{0x5}, {0x5, 0x24, 0x0, 0x81}, {0xd, 0x24, 0xf, 0x1, 0x3fffc000, 0xba60, 0x1, 0x1}, {0x6, 0x24, 0x1a, 0x1}, [@mbim={0xc, 0x24, 0x1b, 0x1b7, 0x50f, 0x6, 0x5b, 0x81, 0x9}, @mdlm={0x15, 0x24, 0x12, 0x5f}]}, {{0x9, 0x5, 0x81, 0x3, 0x10, 0x1, 0x6, 0x2}}}, {}, {0x9, 0x4, 0x1, 0x1, 0x2, 0x2, 0xd, 0x0, 0x0, "", {{{0x9, 0x5, 0x82, 0x2, 0x8, 0xcc, 0x6, 0x9b}}, {{0x9, 0x5, 0x3, 0x2, 0x400, 0x1, 0x6, 0x1}}}}}}}]}}, &(0x7f0000001300)={0xa, &(0x7f0000000ec0)={0xa, 0x6, 0x200, 0x0, 0x1, 0x13, 0x8, 0xff}, 0xff, &(0x7f0000000f00)={0x5, 0xf, 0xff, 0x6, [@ptm_cap={0x3}, @ss_container_id={0x14, 0x10, 0x4, 0x1, 
"433e988ee5f358ef3f4e653faf4ee765"}, @generic={0xa, 0x10, 0xb, "d374d6ca9cfdff"}, @generic={0xe, 0x10, 0xb, "e4e12848c1c9e1ace27001"}, @ssp_cap={0x1c, 0x10, 0xa, 0x40, 0x4, 0x4, 0xf0f, 0x8000, [0xff0000, 0xc0, 0xff003f, 0xc00f]}, @generic={0xaf, 0x10, 0x1, "cbabda0f979afcbd15737d315ab69ac532bda02642debca33a83185a92738f4d04cec695223d9f52b803ad72644bd3df5774949b6ed6377cdf5da5b1d8200de161f5b0f610c78f5c79a00db86492ecdf464204c009a9474a05f0f6351819703f383eca0f29a01e52f7b0b1f921ef92c3e630287707e0617fe8cf2672ef1dee5e7c5f8a37415f54b241f0b93ae6f3402e17b6fec466b83827f4e42c57af90ea0b735a10b5cc4a9ed14461cb3c"}]}, 0x9, [{0x4, &(0x7f0000001000)=@lang_id={0x4, 0x3, 0x807}}, {0x4, &(0x7f0000001040)=@lang_id={0x4, 0x3, 0x44c}}, {0x46, &(0x7f0000001080)=@string={0x46, 0x3, "d34169f972886d91885fb4e663d3b95efcbdf2ac7fb6a48b8f5d44f490a6d5db2086fa938c10f7751b90c3993bbfad670a7f80d35886c2cc30291ab2ce67011d1b0d6cf4"}}, {0x4, &(0x7f0000001100)=@lang_id={0x4, 0x3, 0x40a}}, {0x36, &(0x7f0000001140)=@string={0x36, 0x3, "064cab2cae36ef5623749bcb7993b310c0f700e526dda0223a1e4b6f160079c7b1cdb2a8b043ea8325ecc0eed64d543981a396b7"}}, {0x5, &(0x7f0000001180)=@string={0x5, 0x3, 'Ka\x00'}}, {0x4, &(0x7f00000011c0)=@lang_id={0x4, 0x3, 0x500a}}, {0x4, &(0x7f0000001200)=@lang_id={0x4, 0x3, 0x4ff}}, {0x8f, &(0x7f0000001240)=@string={0x8f, 0x3, "37cc0c18f2d09bfc3aa76989d36d449db57ff95c9d3d3cb0402d8235dc712201eea4c3182ff76cbdbbe5315c116827a35fa27a3904c66396503f48370555f62791c61546e4121aa688c1c7c57d955aedd9eec2b307d4e587e1aed08679b2728acd321bc4f83ee268d8149d81bbc128c58e178cd17d2b8136b834c1e9b1d7d3d137ae9b4c27e6b1ba93df07e852"}}]}) syz_usb_disconnect(r3) csource_test.go:151: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #ifndef 
SYS___stat50 #define SYS___stat50 439 #endif #ifndef SYS_chown #define SYS_chown 16 #endif #ifndef SYS_compat_14___semctl #define SYS_compat_14___semctl 220 #endif #ifndef SYS_compat_50___msgctl13 #define SYS_compat_50___msgctl13 302 #endif #ifndef SYS_mmap #define SYS_mmap 197 #endif #ifndef SYS_semctl #define SYS_semctl 442 #endif #ifndef SYS_semget #define SYS_semget 221 #endif #ifndef SYS_semop #define SYS_semop 222 #endif static unsigned long long procid; static void kill_and_wait(int pid, int* status) { kill(pid, SIGKILL); while (waitpid(-1, status, 0) != pid) { } } static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void use_temporary_dir(void) { char tmpdir_template[] = "./syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) exit(1); if (chmod(tmpdir, 0777)) exit(1); if (chdir(tmpdir)) exit(1); } static void __attribute__((noinline)) remove_dir(const char* dir) { DIR* dp = opendir(dir); if (dp == NULL) { if (errno == EACCES) { if (rmdir(dir)) exit(1); return; } exit(1); } struct dirent* ep = 0; while ((ep = readdir(dp))) { if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0) continue; char filename[FILENAME_MAX]; snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name); struct stat st; if (lstat(filename, &st)) exit(1); if (S_ISDIR(st.st_mode)) { remove_dir(filename); continue; } if (unlink(filename)) { exit(1); } } closedir(dp); while (rmdir(dir)) { exit(1); } } #define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off)) #define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len)))) struct usb_endpoint_descriptor { uint8_t bLength; uint8_t bDescriptorType; uint8_t bEndpointAddress; 
uint8_t bmAttributes; uint16_t wMaxPacketSize; uint8_t bInterval; uint8_t bRefresh; uint8_t bSynchAddress; } __attribute__((packed)); struct usb_device_descriptor { uint8_t bLength; uint8_t bDescriptorType; uint16_t bcdUSB; uint8_t bDeviceClass; uint8_t bDeviceSubClass; uint8_t bDeviceProtocol; uint8_t bMaxPacketSize0; uint16_t idVendor; uint16_t idProduct; uint16_t bcdDevice; uint8_t iManufacturer; uint8_t iProduct; uint8_t iSerialNumber; uint8_t bNumConfigurations; } __attribute__((packed)); struct usb_config_descriptor { uint8_t bLength; uint8_t bDescriptorType; uint16_t wTotalLength; uint8_t bNumInterfaces; uint8_t bConfigurationValue; uint8_t iConfiguration; uint8_t bmAttributes; uint8_t bMaxPower; } __attribute__((packed)); struct usb_interface_descriptor { uint8_t bLength; uint8_t bDescriptorType; uint8_t bInterfaceNumber; uint8_t bAlternateSetting; uint8_t bNumEndpoints; uint8_t bInterfaceClass; uint8_t bInterfaceSubClass; uint8_t bInterfaceProtocol; uint8_t iInterface; } __attribute__((packed)); struct usb_ctrlrequest { uint8_t bRequestType; uint8_t bRequest; uint16_t wValue; uint16_t wIndex; uint16_t wLength; } __attribute__((packed)); struct usb_qualifier_descriptor { uint8_t bLength; uint8_t bDescriptorType; uint16_t bcdUSB; uint8_t bDeviceClass; uint8_t bDeviceSubClass; uint8_t bDeviceProtocol; uint8_t bMaxPacketSize0; uint8_t bNumConfigurations; uint8_t bRESERVED; } __attribute__((packed)); #define USB_TYPE_MASK (0x03 << 5) #define USB_TYPE_STANDARD (0x00 << 5) #define USB_TYPE_CLASS (0x01 << 5) #define USB_TYPE_VENDOR (0x02 << 5) #define USB_TYPE_RESERVED (0x03 << 5) #define USB_DT_DEVICE 0x01 #define USB_DT_CONFIG 0x02 #define USB_DT_STRING 0x03 #define USB_DT_INTERFACE 0x04 #define USB_DT_ENDPOINT 0x05 #define USB_DT_DEVICE_QUALIFIER 0x06 #define USB_DT_OTHER_SPEED_CONFIG 0x07 #define USB_DT_INTERFACE_POWER 0x08 #define USB_DT_OTG 0x09 #define USB_DT_DEBUG 0x0a #define USB_DT_INTERFACE_ASSOCIATION 0x0b #define USB_DT_SECURITY 0x0c #define 
USB_DT_KEY 0x0d #define USB_DT_ENCRYPTION_TYPE 0x0e #define USB_DT_BOS 0x0f #define USB_DT_DEVICE_CAPABILITY 0x10 #define USB_DT_WIRELESS_ENDPOINT_COMP 0x11 #define USB_DT_WIRE_ADAPTER 0x21 #define USB_DT_RPIPE 0x22 #define USB_DT_CS_RADIO_CONTROL 0x23 #define USB_DT_PIPE_USAGE 0x24 #define USB_DT_SS_ENDPOINT_COMP 0x30 #define USB_DT_SSP_ISOC_ENDPOINT_COMP 0x31 #define USB_REQ_GET_STATUS 0x00 #define USB_REQ_CLEAR_FEATURE 0x01 #define USB_REQ_SET_FEATURE 0x03 #define USB_REQ_SET_ADDRESS 0x05 #define USB_REQ_GET_DESCRIPTOR 0x06 #define USB_REQ_SET_DESCRIPTOR 0x07 #define USB_REQ_GET_CONFIGURATION 0x08 #define USB_REQ_SET_CONFIGURATION 0x09 #define USB_REQ_GET_INTERFACE 0x0A #define USB_REQ_SET_INTERFACE 0x0B #define USB_REQ_SYNCH_FRAME 0x0C #define USB_REQ_SET_SEL 0x30 #define USB_REQ_SET_ISOCH_DELAY 0x31 #define USB_REQ_SET_ENCRYPTION 0x0D #define USB_REQ_GET_ENCRYPTION 0x0E #define USB_REQ_RPIPE_ABORT 0x0E #define USB_REQ_SET_HANDSHAKE 0x0F #define USB_REQ_RPIPE_RESET 0x0F #define USB_REQ_GET_HANDSHAKE 0x10 #define USB_REQ_SET_CONNECTION 0x11 #define USB_REQ_SET_SECURITY_DATA 0x12 #define USB_REQ_GET_SECURITY_DATA 0x13 #define USB_REQ_SET_WUSB_DATA 0x14 #define USB_REQ_LOOPBACK_DATA_WRITE 0x15 #define USB_REQ_LOOPBACK_DATA_READ 0x16 #define USB_REQ_SET_INTERFACE_DS 0x17 #define USB_REQ_GET_PARTNER_PDO 20 #define USB_REQ_GET_BATTERY_STATUS 21 #define USB_REQ_SET_PDO 22 #define USB_REQ_GET_VDM 23 #define USB_REQ_SEND_VDM 24 #define USB_MAX_IFACE_NUM 4 #define USB_MAX_EP_NUM 32 #define USB_MAX_FDS 6 struct usb_endpoint_index { struct usb_endpoint_descriptor desc; int handle; }; struct usb_iface_index { struct usb_interface_descriptor* iface; uint8_t bInterfaceNumber; uint8_t bAlternateSetting; uint8_t bInterfaceClass; struct usb_endpoint_index eps[USB_MAX_EP_NUM]; int eps_num; }; struct usb_device_index { struct usb_device_descriptor* dev; struct usb_config_descriptor* config; uint8_t bDeviceClass; uint8_t bMaxPower; int config_length; struct usb_iface_index 
ifaces[USB_MAX_IFACE_NUM]; int ifaces_num; int iface_cur; }; struct usb_info { int fd; struct usb_device_index index; }; static struct usb_info usb_devices[USB_MAX_FDS]; static struct usb_device_index* lookup_usb_index(int fd) { for (int i = 0; i < USB_MAX_FDS; i++) { if (__atomic_load_n(&usb_devices[i].fd, __ATOMIC_ACQUIRE) == fd) return &usb_devices[i].index; } return NULL; } static int usb_devices_num; static bool parse_usb_descriptor(const char* buffer, size_t length, struct usb_device_index* index) { if (length < sizeof(*index->dev) + sizeof(*index->config)) return false; memset(index, 0, sizeof(*index)); index->dev = (struct usb_device_descriptor*)buffer; index->config = (struct usb_config_descriptor*)(buffer + sizeof(*index->dev)); index->bDeviceClass = index->dev->bDeviceClass; index->bMaxPower = index->config->bMaxPower; index->config_length = length - sizeof(*index->dev); index->iface_cur = -1; size_t offset = 0; while (true) { if (offset + 1 >= length) break; uint8_t desc_length = buffer[offset]; uint8_t desc_type = buffer[offset + 1]; if (desc_length <= 2) break; if (offset + desc_length > length) break; if (desc_type == USB_DT_INTERFACE && index->ifaces_num < USB_MAX_IFACE_NUM) { struct usb_interface_descriptor* iface = (struct usb_interface_descriptor*)(buffer + offset); index->ifaces[index->ifaces_num].iface = iface; index->ifaces[index->ifaces_num].bInterfaceNumber = iface->bInterfaceNumber; index->ifaces[index->ifaces_num].bAlternateSetting = iface->bAlternateSetting; index->ifaces[index->ifaces_num].bInterfaceClass = iface->bInterfaceClass; index->ifaces_num++; } if (desc_type == USB_DT_ENDPOINT && index->ifaces_num > 0) { struct usb_iface_index* iface = &index->ifaces[index->ifaces_num - 1]; if (iface->eps_num < USB_MAX_EP_NUM) { memcpy(&iface->eps[iface->eps_num].desc, buffer + offset, sizeof(iface->eps[iface->eps_num].desc)); iface->eps_num++; } } offset += desc_length; } return true; } static struct usb_device_index* add_usb_index(int fd, 
const char* dev, size_t dev_len) { int i = __atomic_fetch_add(&usb_devices_num, 1, __ATOMIC_RELAXED); if (i >= USB_MAX_FDS) return NULL; if (!parse_usb_descriptor(dev, dev_len, &usb_devices[i].index)) return NULL; __atomic_store_n(&usb_devices[i].fd, fd, __ATOMIC_RELEASE); return &usb_devices[i].index; } struct vusb_connect_string_descriptor { uint32_t len; char* str; } __attribute__((packed)); struct vusb_connect_descriptors { uint32_t qual_len; char* qual; uint32_t bos_len; char* bos; uint32_t strs_len; struct vusb_connect_string_descriptor strs[0]; } __attribute__((packed)); static const char default_string[] = { 8, USB_DT_STRING, 's', 0, 'y', 0, 'z', 0 }; static const char default_lang_id[] = { 4, USB_DT_STRING, 0x09, 0x04 }; static bool lookup_connect_response_in(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, struct usb_qualifier_descriptor* qual, char** response_data, uint32_t* response_length) { struct usb_device_index* index = lookup_usb_index(fd); uint8_t str_idx; if (!index) return false; switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_GET_DESCRIPTOR: switch (ctrl->wValue >> 8) { case USB_DT_DEVICE: *response_data = (char*)index->dev; *response_length = sizeof(*index->dev); return true; case USB_DT_CONFIG: *response_data = (char*)index->config; *response_length = index->config_length; return true; case USB_DT_STRING: str_idx = (uint8_t)ctrl->wValue; if (descs && str_idx < descs->strs_len) { *response_data = descs->strs[str_idx].str; *response_length = descs->strs[str_idx].len; return true; } if (str_idx == 0) { *response_data = (char*)&default_lang_id[0]; *response_length = default_lang_id[0]; return true; } *response_data = (char*)&default_string[0]; *response_length = default_string[0]; return true; case USB_DT_BOS: *response_data = descs->bos; *response_length = descs->bos_len; return true; case USB_DT_DEVICE_QUALIFIER: if (!descs->qual) { 
qual->bLength = sizeof(*qual); qual->bDescriptorType = USB_DT_DEVICE_QUALIFIER; qual->bcdUSB = index->dev->bcdUSB; qual->bDeviceClass = index->dev->bDeviceClass; qual->bDeviceSubClass = index->dev->bDeviceSubClass; qual->bDeviceProtocol = index->dev->bDeviceProtocol; qual->bMaxPacketSize0 = index->dev->bMaxPacketSize0; qual->bNumConfigurations = index->dev->bNumConfigurations; qual->bRESERVED = 0; *response_data = (char*)qual; *response_length = sizeof(*qual); return true; } *response_data = descs->qual; *response_length = descs->qual_len; return true; default: break; } break; default: break; } break; default: break; } return false; } typedef bool (*lookup_connect_out_response_t)(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done); static bool lookup_connect_response_out_generic(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done) { switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_SET_CONFIGURATION: *done = true; return true; default: break; } break; } return false; } static int vhci_open(void) { char path[1024]; snprintf(path, sizeof(path), "/dev/vhci%llu", procid); return open(path, O_RDWR); } static int vhci_setport(int fd, u_int port) { struct vhci_ioc_set_port args; args.port = port; return ioctl(fd, VHCI_IOC_SET_PORT, &args); } static int vhci_usb_attach(int fd) { return ioctl(fd, VHCI_IOC_USB_ATTACH, NULL); } static int vhci_usb_recv(int fd, void* buf, size_t size) { uint8_t* ptr = (uint8_t*)buf; while (1) { ssize_t done = read(fd, ptr, size); if (done < 0) return -1; if ((size_t)done == size) return 0; size -= done; ptr += done; } } static int vhci_usb_send(int fd, void* buf, size_t size) { uint8_t* ptr = (uint8_t*)buf; while (1) { ssize_t done = write(fd, ptr, size); if (done <= 0) return -1; if ((size_t)done == size) return 0; size -= done; ptr += done; } } static volatile long 
syz_usb_connect_impl(int fd, uint64_t speed, uint64_t dev_len, const char* dev, const struct vusb_connect_descriptors* descs, lookup_connect_out_response_t lookup_connect_response_out) { struct usb_device_index* index = add_usb_index(fd, dev, dev_len); if (!index) { return -1; } if (vhci_setport(fd, 1)) exit(1); if (vhci_usb_attach(fd)) { return -1; } bool done = false; while (!done) { vhci_request_t req; if (vhci_usb_recv(fd, &req, sizeof(req))) { return -1; } if (req.type != VHCI_REQ_CTRL) { return -1; } char* response_data = NULL; uint32_t response_length = 0; struct usb_qualifier_descriptor qual; char data[4096]; if (req.u.ctrl.bmRequestType & UE_DIR_IN) { if (!lookup_connect_response_in(fd, descs, (const struct usb_ctrlrequest*)&req.u.ctrl, &qual, &response_data, &response_length)) { return -1; } } else { if (!lookup_connect_response_out(fd, descs, (const struct usb_ctrlrequest*)&req.u.ctrl, &done)) { return -1; } response_data = NULL; response_length = UGETW(req.u.ctrl.wLength); } if ((req.u.ctrl.bmRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD && req.u.ctrl.bRequest == USB_REQ_SET_CONFIGURATION) { } if (response_length > sizeof(data)) response_length = 0; if ((uint32_t)UGETW(req.u.ctrl.wLength) < response_length) response_length = UGETW(req.u.ctrl.wLength); if (response_data) memcpy(data, response_data, response_length); else memset(data, 0, response_length); int rv = 0; if (req.u.ctrl.bmRequestType & UE_DIR_IN) { if (response_length > 0) { vhci_response_t res; res.size = response_length; rv = vhci_usb_send(fd, &res, sizeof(res)); if (rv == 0) rv = vhci_usb_send(fd, data, response_length); } } else { rv = vhci_usb_recv(fd, data, response_length); } if (rv < 0) { return -1; } } sleep_ms(200); return fd; } static volatile long syz_usb_connect(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { uint64_t speed = a0; uint64_t dev_len = a1; const char* dev = (const char*)a2; const struct vusb_connect_descriptors* descs = (const struct 
vusb_connect_descriptors*)a3; if (!dev) { return -1; } int fd = vhci_open(); if (fd < 0) exit(1); long res = syz_usb_connect_impl(fd, speed, dev_len, dev, descs, &lookup_connect_response_out_generic); close(fd); return res; } static volatile long syz_usb_disconnect(volatile long a0) { int fd = a0; int rv = close(fd); sleep_ms(200); return rv; } static void setup_fault(void) { if (chmod("/dev/fault", 0666)) exit(1); } static int inject_fault(int nth) { struct fault_ioc_enable en; int fd; fd = open("/dev/fault", O_RDWR); if (fd == -1) exit(1); en.scope = FAULT_SCOPE_LWP; en.mode = 0; en.nth = nth + 1; if (ioctl(fd, FAULT_IOC_ENABLE, &en) != 0) exit(1); return fd; } static void sandbox_common() { if (setsid() == -1) exit(1); struct rlimit rlim; rlim.rlim_cur = rlim.rlim_max = 8 << 20; setrlimit(RLIMIT_MEMLOCK, &rlim); rlim.rlim_cur = rlim.rlim_max = 1 << 20; setrlimit(RLIMIT_FSIZE, &rlim); rlim.rlim_cur = rlim.rlim_max = 1 << 20; setrlimit(RLIMIT_STACK, &rlim); rlim.rlim_cur = rlim.rlim_max = 0; setrlimit(RLIMIT_CORE, &rlim); rlim.rlim_cur = rlim.rlim_max = 256; setrlimit(RLIMIT_NOFILE, &rlim); } static void loop(); static int do_sandbox_none(void) { sandbox_common(); loop(); return 0; } static long syz_execute_func(volatile long text) { ((void (*)(void))(text))(); return 0; } static void execute_one(void); #define WAIT_FLAGS 0 static void loop(void) { int iter = 0; for (;; iter++) { char cwdbuf[32]; sprintf(cwdbuf, "./%d", iter); if (mkdir(cwdbuf, 0777)) exit(1); int pid = fork(); if (pid < 0) exit(1); if (pid == 0) { if (chdir(cwdbuf)) exit(1); execute_one(); exit(0); } int status = 0; uint64_t start = current_time_ms(); for (;;) { if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) break; sleep_ms(1); if (current_time_ms() - start < 5000) continue; kill_and_wait(pid, &status); break; } remove_dir(cwdbuf); } } uint64_t r[4] = {0x0, 0x0, 0x0, 0xffffffffffffffff}; void execute_one(void) { intptr_t res = 0; memcpy((void*)0x20000000, "./file0\000", 8); 
inject_fault(1); res = syscall(SYS___stat50, 0x20000000ul, 0x20000040ul); if (res != -1) { r[0] = *(uint32_t*)0x2000005c; r[1] = *(uint32_t*)0x20000060; } *(uint32_t*)0x20000200 = 0x5a3e; *(uint32_t*)0x20000204 = 0; *(uint32_t*)0x20000208 = r[1]; *(uint32_t*)0x2000020c = -1; *(uint32_t*)0x20000210 = -1; *(uint32_t*)0x20000214 = 0x20; *(uint16_t*)0x20000218 = 0x400; *(uint16_t*)0x2000021a = 0; *(uint64_t*)0x20000220 = 0; *(uint64_t*)0x20000228 = 0; *(uint64_t*)0x20000230 = 9; *(uint64_t*)0x20000238 = 0x62e81dc5; *(uint32_t*)0x20000240 = 0x81; *(uint32_t*)0x20000244 = 5; *(uint64_t*)0x20000248 = 4; *(uint64_t*)0x20000250 = 8; *(uint64_t*)0x20000258 = 9; *(uint64_t*)0x20000260 = 0x20000100; *(uint64_t*)0x20000100 = 0; *(uint64_t*)0x20000108 = 0x20e1; *(uint16_t*)0x20000110 = 0xfffd; *(uint16_t*)0x20000112 = 1; *(uint64_t*)0x20000268 = 0x200001c0; *(uint64_t*)0x200001c0 = 0x20000180; *(uint64_t*)0x20000180 = 0x20000140; *(uint64_t*)0x20000140 = 0; *(uint64_t*)0x20000148 = 0x7ff; *(uint16_t*)0x20000150 = 9; *(uint16_t*)0x20000152 = 1; *(uint64_t*)0x20000188 = 0x8000000000000000; *(uint16_t*)0x20000190 = 6; *(uint16_t*)0x20000192 = 8; *(uint64_t*)0x200001c8 = 8; *(uint16_t*)0x200001d0 = 5; *(uint16_t*)0x200001d2 = 0x20; *(uint64_t*)0x20000270 = 0x400; syscall(SYS_compat_50___msgctl13, 0, 1ul, 0x20000200ul); memcpy((void*)0x20000280, "./file0\000", 8); syscall(SYS_chown, 0x20000280ul, r[0], 0); { int i; for(i = 0; i < 4; i++) { syscall(SYS_chown, 0x20000280ul, r[0], 0); } } syscall(SYS_compat_14___semctl, 0, 0ul, 6ul, 0x200002c0ul); *(uint64_t*)0x20000380 = 0x20000340; *(uint32_t*)0x20000340 = r[0]; *(uint32_t*)0x20000344 = r[1]; *(uint32_t*)0x20000348 = 0x80; *(uint32_t*)0x2000034c = 0x5a3; *(uint32_t*)0x20000350 = 0x100; *(uint16_t*)0x20000354 = 1; *(uint64_t*)0x20000358 = 0x4897; *(uint16_t*)0x20000360 = 0x7fff; *(uint64_t*)0x20000368 = 7; *(uint64_t*)0x20000370 = 0; *(uint64_t*)0x20000378 = 0x20000300; *(uint16_t*)0x20000300 = 0x800; *(uint32_t*)0x20000304 = 7; 
*(uint16_t*)0x20000308 = 2; *(uint16_t*)0x2000030a = 9; syscall(SYS_compat_14___semctl, -1, 0ul, 8ul, 0x20000380ul); syscall(SYS_semctl, -1, 4ul, 3ul, 0x200003c0ul); res = syscall(SYS_semget, 0ul, 3ul, 2ul); if (res != -1) r[2] = res; syscall(SYS_compat_14___semctl, r[2], 0ul, 3ul, 0); *(uint16_t*)0x20000400 = 4; *(uint16_t*)0x20000402 = 7; *(uint16_t*)0x20000404 = 0x2000; *(uint16_t*)0x20000406 = 4; *(uint16_t*)0x20000408 = 0x1f; *(uint16_t*)0x2000040a = 0x800; *(uint16_t*)0x2000040c = 1; *(uint16_t*)0x2000040e = 7; *(uint16_t*)0x20000410 = 0x400; syscall(SYS_semop, r[2], 0x20000400ul, 3ul); syscall(SYS_compat_14___semctl, r[2], 0ul, 2ul, 0x20000440ul); memcpy((void*)0x20000040, "\xc4\x21\xc1\x6d\x14\x9f\xc4\x62\xba\xf7\x6f\xed\x26\x66\x45\x0f\x38\x00\x81\x3b\xe7\x0e\xb1\x66\x40\x25\x36\x33\xf0\x40\x81\x82\xa0\xbc\x30\x22\x00\x80\x00\x00\xc4\x82\x81\x92\x6c\xd9\x92\x66\x0f\x4f\x99\xc0\xf8\x00\x00\x36\x26\x66\x0f\x12\x4e\x32\xf2\x6e\x66\x0f\x38\x2a\xb5\x00\x00\x00\x80", 73); syz_execute_func(0x20000040); *(uint8_t*)0x20000100 = 0x12; *(uint8_t*)0x20000101 = 1; *(uint16_t*)0x20000102 = 0x300; *(uint8_t*)0x20000104 = 0; *(uint8_t*)0x20000105 = 0; *(uint8_t*)0x20000106 = 0; *(uint8_t*)0x20000107 = 0xbf; *(uint16_t*)0x20000108 = 0; *(uint16_t*)0x2000010a = 0; *(uint16_t*)0x2000010c = 0; *(uint8_t*)0x2000010e = 1; *(uint8_t*)0x2000010f = 2; *(uint8_t*)0x20000110 = 3; *(uint8_t*)0x20000111 = 1; *(uint8_t*)0x20000112 = 9; *(uint8_t*)0x20000113 = 2; *(uint16_t*)0x20000114 = 0x76c; *(uint8_t*)0x20000116 = 3; *(uint8_t*)0x20000117 = 7; *(uint8_t*)0x20000118 = 0x17; *(uint8_t*)0x20000119 = 0x30; *(uint8_t*)0x2000011a = 0x3d; *(uint8_t*)0x2000011b = 9; *(uint8_t*)0x2000011c = 4; *(uint8_t*)0x2000011d = 0x8e; *(uint8_t*)0x2000011e = 0; *(uint8_t*)0x2000011f = 0; *(uint8_t*)0x20000120 = 0; *(uint8_t*)0x20000121 = 0; *(uint8_t*)0x20000122 = 0; *(uint8_t*)0x20000123 = 0x62; *(uint8_t*)0x20000124 = 0x12; *(uint8_t*)0x20000125 = 0x24; *(uint8_t*)0x20000126 = 2; *(uint8_t*)0x20000127 
= 2; *(uint16_t*)0x20000128 = 0x1f; *(uint16_t*)0x2000012a = 7; *(uint8_t*)0x2000012c = 0x7f; memcpy((void*)0x2000012d, "\x11\xc0\x68\x24\x60\x6e\x6e\x24\x1d", 9); *(uint8_t*)0x20000136 = 9; *(uint8_t*)0x20000137 = 4; *(uint8_t*)0x20000138 = 0; *(uint8_t*)0x20000139 = 0x3f; *(uint8_t*)0x2000013a = 0xd; *(uint8_t*)0x2000013b = 0; *(uint8_t*)0x2000013c = 0; *(uint8_t*)0x2000013d = 0; *(uint8_t*)0x2000013e = 0x1f; *(uint8_t*)0x2000013f = 0xe0; *(uint8_t*)0x20000140 = 0xa; memcpy((void*)0x20000141, "\xb7\x1a\xa8\xdb\xef\x28\xec\x50\x8e\x40\xe5\x7e\x0f\x21\xe5\x1c\xeb\x5e\xac\xb8\x0b\xb3\xf7\xed\x35\xe2\x9b\xad\x26\x5b\x99\xdb\xbc\xbb\x65\x5b\x87\xcb\xc7\x76\x84\x37\x03\xa8\x76\xdc\x2d\xd2\x21\x6c\x56\x77\x1d\xd1\x3f\x2c\xae\x3e\xae\x77\x25\x86\xca\xcf\x7c\xdb\x24\xa9\x18\x92\x4b\xa3\x42\xe5\xa8\x4c\xb7\x75\x41\x17\x2a\x5b\x41\x00\xbc\xd7\x21\xc0\x0b\xcc\x1d\x59\x0d\x5b\xae\x2e\x60\x2b\x8a\x29\xaa\x64\x95\x16\xb3\x9d\x74\x5c\x54\x66\x13\x73\x0d\xec\x49\x57\xdf\x6d\xc6\x59\x19\x93\xb9\x02\x7a\xfe\x3e\xb2\x17\x2a\x49\xb3\xb5\x89\xf5\x32\x2c\xc7\x6f\xd4\x21\xd8\xb9\xac\xaf\x9f\x32\x6c\x83\x52\x14\xaa\x33\xda\x00\x4a\xda\xae\x66\x89\xef\xeb\xb0\x28\xa6\x49\xb7\xed\xc8\x23\x33\xf8\x9f\xd1\x00\xb6\xda\x5d\x60\xc3\xe1\x34\x9b\xd3\x0d\x2c\xff\x8a\xe5\x6c\xcb\xed\x46\xe0\x9f\x66\x62\xc6\xb2\xc2\xe7\xcb\xd8\x87\xfb\xc4\x47\xdb\x5d\x68\x87\xeb\x1c\xc1\x37\x8e\xd3\x10\xec\x7d\x00\x4c", 222); *(uint8_t*)0x2000021f = 0xb; *(uint8_t*)0x20000220 = 0x24; *(uint8_t*)0x20000221 = 6; *(uint8_t*)0x20000222 = 0; *(uint8_t*)0x20000223 = 1; memcpy((void*)0x20000224, "\x4b\x66\xfa\xfb\xc9\xe4", 6); *(uint8_t*)0x2000022a = 5; *(uint8_t*)0x2000022b = 0x24; *(uint8_t*)0x2000022c = 0; *(uint16_t*)0x2000022d = 6; *(uint8_t*)0x2000022f = 0xd; *(uint8_t*)0x20000230 = 0x24; *(uint8_t*)0x20000231 = 0xf; *(uint8_t*)0x20000232 = 1; *(uint32_t*)0x20000233 = 0x80000000; *(uint16_t*)0x20000237 = 4; *(uint16_t*)0x20000239 = 0; *(uint8_t*)0x2000023b = 0; *(uint8_t*)0x2000023c = 6; *(uint8_t*)0x2000023d = 0x24; 
*(uint8_t*)0x2000023e = 0x1a; *(uint16_t*)0x2000023f = 0xfffa; *(uint8_t*)0x20000241 = 0x12; *(uint8_t*)0x20000242 = 5; *(uint8_t*)0x20000243 = 0x24; *(uint8_t*)0x20000244 = 0x15; *(uint16_t*)0x20000245 = 5; *(uint8_t*)0x20000247 = 0x15; *(uint8_t*)0x20000248 = 0x24; *(uint8_t*)0x20000249 = 0x12; *(uint16_t*)0x2000024a = 5; *(uint64_t*)0x2000024c = 0x14f5e048ba817a3; *(uint64_t*)0x20000254 = 0x2a397ecbffc007a6; *(uint8_t*)0x2000025c = 7; *(uint8_t*)0x2000025d = 0x24; *(uint8_t*)0x2000025e = 0x14; *(uint16_t*)0x2000025f = 4; *(uint16_t*)0x20000261 = 0; *(uint8_t*)0x20000263 = 0xe5; *(uint8_t*)0x20000264 = 0x24; *(uint8_t*)0x20000265 = 0x13; *(uint8_t*)0x20000266 = 7; memcpy((void*)0x20000267, "\x8f\x0d\x5f\x90\xcf\x98\xb4\x79\xfa\xe0\x69\xbf\xd8\x3c\x7e\x4e\xf5\xaf\xe0\x12\x49\x5f\x0e\xe2\x30\x62\xfe\x5f\x81\xbe\x0e\xf8\x2f\xf4\x10\x31\x8f\x82\xc5\x30\x0b\xa5\xa5\xad\x17\x5d\xac\xf7\x41\xe1\xd1\x95\x6b\x8b\xb1\x56\xe5\xb5\x46\x64\x4c\x17\x50\x91\x6d\x03\x81\xb4\x9c\x7b\xd1\x60\x32\x3b\xde\x2f\xf8\xc1\x37\x9a\x31\x9c\x3a\xdd\x3f\xbd\x86\xaa\x16\x97\x49\xf6\x10\x88\x44\xbd\x19\x64\x4c\xaf\xeb\xba\x5d\x70\x98\x9e\x95\x14\x43\x00\xd6\xb5\x08\xed\xd1\x66\x2f\x75\x98\x28\xaa\xd7\x8d\x18\xd7\x10\x55\x3c\xb7\xf5\xdf\x43\xb7\xb5\x60\xbb\x4f\x48\x69\xde\x9e\xbe\x5e\x12\x63\x56\x50\x7d\x10\xf2\xc8\xd9\xb8\x3f\x66\x1f\xbf\x0b\xd5\x13\x1c\xe9\xc0\x59\xb6\x0e\x62\x0d\xa0\xf7\x51\x6a\xd6\xd7\x0c\x75\xde\x7d\xd4\xb3\x7d\x9c\x37\x91\x34\xe6\x03\x6d\xf4\x28\xe1\xf5\x41\xdb\xee\x9f\x58\xa4\xa3\x74\xff\x6c\xb6\xae\x04\x68\xf4\x9c\x61\x64\x18\xa2\x76\x00\x66\x45\x74\x39\x95\x2b\xb5\xb9\x3f\x4f\x33", 225); *(uint8_t*)0x20000348 = 0x15; *(uint8_t*)0x20000349 = 0x24; *(uint8_t*)0x2000034a = 0x12; *(uint16_t*)0x2000034b = 0xec; *(uint64_t*)0x2000034d = 0x14f5e048ba817a3; *(uint64_t*)0x20000355 = 0x2a397ecbffc007a6; *(uint8_t*)0x2000035d = 9; *(uint8_t*)0x2000035e = 5; *(uint8_t*)0x2000035f = 0xf; *(uint8_t*)0x20000360 = 0x1d; *(uint16_t*)0x20000361 = 0x10; *(uint8_t*)0x20000363 = 0; 
*(uint8_t*)0x20000364 = 0x80; *(uint8_t*)0x20000365 = 0x74; *(uint8_t*)0x20000366 = 9; *(uint8_t*)0x20000367 = 5; *(uint8_t*)0x20000368 = 2; *(uint8_t*)0x20000369 = 3; *(uint16_t*)0x2000036a = 0x10; *(uint8_t*)0x2000036c = 0x9f; *(uint8_t*)0x2000036d = 0x7d; *(uint8_t*)0x2000036e = -1; *(uint8_t*)0x2000036f = 0x52; *(uint8_t*)0x20000370 = 0xe; memcpy((void*)0x20000371, "\xec\xf4\xce\x49\x2b\x20\xb2\xd5\x08\xa9\x18\x0c\x01\x19\x2d\x8e\x12\x4f\x6e\x79\x0a\xed\xfc\x35\x21\x3b\x1d\x14\xc6\x8c\x63\x68\x66\x31\xf6\x97\x53\x2d\xa0\x05\xbc\x50\x13\xd6\x2c\x6d\x5c\x18\xb5\xc5\xc4\xf2\x26\x3b\x42\xb5\x82\xb7\x33\x3b\x47\x37\x3c\xdf\x66\x61\x59\x74\x5a\x6a\x53\xd5\x18\xa4\xae\x7c\x51\xab\xaa\xa8", 80); *(uint8_t*)0x200003c1 = 0x15; *(uint8_t*)0x200003c2 = 0x23; memcpy((void*)0x200003c3, "\xdc\x33\x3e\xa4\xd2\xd7\x35\x1e\xc6\xd2\x73\xb6\x8c\xe3\xd5\xd1\xe2\xc2\xcf", 19); *(uint8_t*)0x200003d6 = 9; *(uint8_t*)0x200003d7 = 5; *(uint8_t*)0x200003d8 = 0xb; *(uint8_t*)0x200003d9 = 0; *(uint16_t*)0x200003da = 0x10; *(uint8_t*)0x200003dc = 4; *(uint8_t*)0x200003dd = 9; *(uint8_t*)0x200003de = 0; *(uint8_t*)0x200003df = 7; *(uint8_t*)0x200003e0 = 0x25; *(uint8_t*)0x200003e1 = 1; *(uint8_t*)0x200003e2 = 0; *(uint8_t*)0x200003e3 = 5; *(uint16_t*)0x200003e4 = 0xfffc; *(uint8_t*)0x200003e6 = 0x35; *(uint8_t*)0x200003e7 = 2; memcpy((void*)0x200003e8, "\x59\xa6\x60\x19\xfb\x9a\xdf\xb5\x95\x09\x97\x71\x2b\x8b\x3c\x1c\xb4\xc4\xa0\xab\xbf\x8e\xa4\x1d\xd4\xdd\x59\x36\xbd\xe7\xfb\xe2\x3f\xf6\x42\xc1\x76\xc3\x55\xef\x47\x28\x02\x2f\x3d\x7d\x83\x38\x60\xfb\xcf", 51); *(uint8_t*)0x2000041b = 9; *(uint8_t*)0x2000041c = 5; *(uint8_t*)0x2000041d = 0; *(uint8_t*)0x2000041e = 0x10; *(uint16_t*)0x2000041f = 8; *(uint8_t*)0x20000421 = 1; *(uint8_t*)0x20000422 = 1; *(uint8_t*)0x20000423 = 0; *(uint8_t*)0x20000424 = 9; *(uint8_t*)0x20000425 = 5; *(uint8_t*)0x20000426 = 1; *(uint8_t*)0x20000427 = 2; *(uint16_t*)0x20000428 = 0; *(uint8_t*)0x2000042a = 0; *(uint8_t*)0x2000042b = 9; *(uint8_t*)0x2000042c = 6; 
*(uint8_t*)0x2000042d = 7; *(uint8_t*)0x2000042e = 0x25; *(uint8_t*)0x2000042f = 1; *(uint8_t*)0x20000430 = 3; *(uint8_t*)0x20000431 = 9; *(uint16_t*)0x20000432 = 0x9f36; *(uint8_t*)0x20000434 = 7; *(uint8_t*)0x20000435 = 0x25; *(uint8_t*)0x20000436 = 1; *(uint8_t*)0x20000437 = 3; *(uint8_t*)0x20000438 = 9; *(uint16_t*)0x20000439 = 3; *(uint8_t*)0x2000043b = 9; *(uint8_t*)0x2000043c = 5; *(uint8_t*)0x2000043d = 0xc; *(uint8_t*)0x2000043e = 0x10; *(uint16_t*)0x2000043f = 0x200; *(uint8_t*)0x20000441 = 0x15; *(uint8_t*)0x20000442 = 2; *(uint8_t*)0x20000443 = 0; *(uint8_t*)0x20000444 = 0x5b; *(uint8_t*)0x20000445 = 0x23; memcpy((void*)0x20000446, "\x19\x25\x29\x4e\x2c\x16\x95\x4f\x83\x13\x82\x5e\x71\xea\x53\x6e\x70\x77\xd7\x13\x0c\xee\x3a\x80\x2c\xb3\xc8\x00\x5e\xf6\xd9\x21\x10\x68\x28\x6c\x7a\x4c\x20\xcb\x87\xfd\x2c\xdc\x5a\xee\xdb\x17\x1f\xd6\x7d\xdc\x74\xc3\xf0\x29\xaa\xb0\xbf\xa9\xa6\x3e\x5d\xe5\xa5\x35\x79\x66\x6c\xef\x0f\xb7\xc8\x76\xef\xc0\xa5\xd3\x38\x2c\x34\x6e\x1f\x9a\x78\xb7\x35\x6c\x22", 89); *(uint8_t*)0x2000049f = 9; *(uint8_t*)0x200004a0 = 5; *(uint8_t*)0x200004a1 = 0xb; *(uint8_t*)0x200004a2 = 0; *(uint16_t*)0x200004a3 = 0x40; *(uint8_t*)0x200004a5 = 0x18; *(uint8_t*)0x200004a6 = 0x3f; *(uint8_t*)0x200004a7 = 8; *(uint8_t*)0x200004a8 = 9; *(uint8_t*)0x200004a9 = 5; *(uint8_t*)0x200004aa = 0xd; *(uint8_t*)0x200004ab = 1; *(uint16_t*)0x200004ac = 0; *(uint8_t*)0x200004ae = 9; *(uint8_t*)0x200004af = -1; *(uint8_t*)0x200004b0 = 3; *(uint8_t*)0x200004b1 = 0xdc; *(uint8_t*)0x200004b2 = 0x23; memcpy((void*)0x200004b3, 
"\xcc\xd5\x3f\xc8\x11\x56\xa9\x1f\xf4\x26\xeb\x00\x1f\xbf\x43\xc8\x55\x1f\xda\x17\x0e\xd3\x6a\x97\xeb\xa7\xa3\x2c\x31\x15\xec\x5e\x9a\x81\x82\x73\x40\x12\xaa\x12\xdd\xcc\x6e\x93\xd8\x5e\xaa\xfb\xda\x4a\xb1\xcf\xf6\xbc\xb2\xaf\xec\xd8\xaa\x8c\x58\xb2\x7a\x75\xe5\xa4\xdd\xc5\x0c\xc6\x73\xed\xc8\x2f\xf1\x31\x15\xeb\x8f\x50\xdd\xd1\xed\x26\x95\x33\x7c\xa8\x5b\x88\x26\x4d\xb5\x9e\xb1\x30\x42\x16\xa3\x01\xd4\x2f\x29\x02\xd5\xc0\x6b\x17\x59\x2b\xb2\x1d\x2a\xf1\xd0\x92\xf5\xd7\x37\x3a\xef\xdb\x90\x7f\xfc\x81\x79\xab\xd6\x8b\x11\xef\x10\xbe\x84\x4e\x03\x81\x68\x06\xf0\x45\xf0\xa5\xef\x3b\xa0\xac\x5b\xd8\x43\xa4\x6f\xa3\xb7\x2b\x86\x2d\xe1\x72\x86\x47\xad\xc3\xf3\xbb\xcd\x53\xce\x88\x1e\x6b\x5a\x6c\x6e\xc7\x97\xd3\x2c\xc1\x39\x18\xe3\xda\x4b\x3e\xa2\x0d\xd6\x89\x3c\x2c\x7c\xa4\x7a\xa5\x1b\xee\x04\x7a\x36\x1f\xef\xf7\x16\xce\xf3\xda\xe5\x0b\x6c\xa7\x2a\x2b\x76\x4f\xa4\xcf", 218); *(uint8_t*)0x2000058d = 7; *(uint8_t*)0x2000058e = 0x25; *(uint8_t*)0x2000058f = 1; *(uint8_t*)0x20000590 = 0x80; *(uint8_t*)0x20000591 = 5; *(uint16_t*)0x20000592 = 0x3f; *(uint8_t*)0x20000594 = 9; *(uint8_t*)0x20000595 = 5; *(uint8_t*)0x20000596 = 1; *(uint8_t*)0x20000597 = 2; *(uint16_t*)0x20000598 = 0x20; *(uint8_t*)0x2000059a = 0xb9; *(uint8_t*)0x2000059b = 0x86; *(uint8_t*)0x2000059c = 0x40; *(uint8_t*)0x2000059d = 0x84; *(uint8_t*)0x2000059e = 8; memcpy((void*)0x2000059f, "\xab\x51\x4d\xeb\xe1\x6a\xea\x41\xf0\x67\xe8\x46\xf8\x93\x9c\x5d\x4f\x6f\xce\x3a\x7d\x25\xea\xee\x2c\x06\x51\xf9\x2f\xe2\x44\x17\xbd\xf9\x25\x6f\x3f\x9b\x58\x34\x92\xb2\xe4\xfe\x6b\x2b\x4b\xad\x9c\x1f\x4a\x8b\x26\xd7\x4c\x60\xae\xda\x94\x78\xa6\x48\x76\x89\x1b\x3a\x75\xff\xce\x40\x01\x85\x3b\x93\xbd\x0f\xd8\xa1\x65\xa7\xfa\x83\xfb\xc6\xb9\x5a\xed\x88\x0f\x02\x22\x4f\x12\x22\xb1\x50\xb7\x46\x98\x1a\x4b\x55\x28\x8f\x56\x4d\x8d\x6a\xf6\x43\xc0\xfd\x29\x15\x71\xd7\x0c\xc5\x60\x24\xdd\x73\xe5\x00\xc5\xef\xe9\xbc\x9b\x72", 130); *(uint8_t*)0x20000621 = 7; *(uint8_t*)0x20000622 = 0x25; *(uint8_t*)0x20000623 = 1; 
*(uint8_t*)0x20000624 = 1; *(uint8_t*)0x20000625 = 0; *(uint16_t*)0x20000626 = 9; *(uint8_t*)0x20000628 = 9; *(uint8_t*)0x20000629 = 5; *(uint8_t*)0x2000062a = 5; *(uint8_t*)0x2000062b = 2; *(uint16_t*)0x2000062c = 0x10; *(uint8_t*)0x2000062e = 0xf9; *(uint8_t*)0x2000062f = 0xd8; *(uint8_t*)0x20000630 = 0xf9; *(uint8_t*)0x20000631 = 9; *(uint8_t*)0x20000632 = 5; *(uint8_t*)0x20000633 = 3; *(uint8_t*)0x20000634 = 0xc; *(uint16_t*)0x20000635 = 8; *(uint8_t*)0x20000637 = 0x81; *(uint8_t*)0x20000638 = 0; *(uint8_t*)0x20000639 = 0x3f; *(uint8_t*)0x2000063a = 9; *(uint8_t*)0x2000063b = 5; *(uint8_t*)0x2000063c = 0xd; *(uint8_t*)0x2000063d = 0; *(uint16_t*)0x2000063e = 0xa2f3; *(uint8_t*)0x20000640 = 0xbe; *(uint8_t*)0x20000641 = 6; *(uint8_t*)0x20000642 = 7; *(uint8_t*)0x20000643 = 7; *(uint8_t*)0x20000644 = 0x25; *(uint8_t*)0x20000645 = 1; *(uint8_t*)0x20000646 = 0x81; *(uint8_t*)0x20000647 = 2; *(uint16_t*)0x20000648 = 2; *(uint8_t*)0x2000064a = 9; *(uint8_t*)0x2000064b = 5; *(uint8_t*)0x2000064c = 8; *(uint8_t*)0x2000064d = 0x1c; *(uint16_t*)0x2000064e = 0x20; *(uint8_t*)0x20000650 = 4; *(uint8_t*)0x20000651 = 8; *(uint8_t*)0x20000652 = 9; *(uint8_t*)0x20000653 = 7; *(uint8_t*)0x20000654 = 0x25; *(uint8_t*)0x20000655 = 1; *(uint8_t*)0x20000656 = 0x81; *(uint8_t*)0x20000657 = -1; *(uint16_t*)0x20000658 = 0xffe0; *(uint8_t*)0x2000065a = 0xf2; *(uint8_t*)0x2000065b = 0x31; memcpy((void*)0x2000065c, 
"\x2f\xb2\xb9\x74\x7b\x65\x1a\xe6\x6e\x5d\x86\x1f\x9e\xfc\x61\xbd\xd1\x94\x95\xf1\x63\x62\x59\x75\xe7\xba\xe8\x00\xee\x00\x48\x67\xb5\xa8\x13\xb7\xb9\xdb\xc5\x5e\xb0\xb7\x51\xb8\xd7\x58\xe9\xcb\xa4\xa3\xb4\xf6\x83\x0e\x5f\x85\xdf\x74\x0e\xfc\xf2\x90\xc7\x7d\xf2\x12\xee\x62\xfc\x94\xcc\x50\x4b\x1e\x54\x22\xff\xbf\x9f\x87\xed\x05\xb4\xe7\x62\xfe\xed\x65\x35\xfd\x70\x28\x25\x63\x1d\xb7\x63\x6c\x86\x9c\x9f\x12\x99\x32\x0d\x98\xe1\xcf\x74\x0a\x94\xe2\x26\xaf\x56\x08\xa7\x99\xe1\xc9\x99\xee\x2b\x4a\xb5\x14\x6f\x85\x2e\xd9\x87\x40\x65\xfb\x37\xc2\x85\x81\x1c\x77\x78\x9d\xf8\xa1\x79\x8c\x26\x70\x41\x97\x47\x67\x93\x38\xa3\x29\x93\x49\xae\x3e\xc4\x9e\xed\xcb\x39\x25\x6d\x55\x1a\x4f\xfb\xa9\x59\x51\x67\xc1\x77\x9a\x72\x47\xb9\x4a\xeb\xc5\x79\x2e\x53\xfb\xc9\x4c\x06\x6c\x16\xfe\x77\x02\x04\x92\xe0\xa3\x08\xd5\xba\x5f\xde\xc9\x52\xc4\x09\x5b\x75\x63\x34\x7b\xe3\xf2\xab\x70\x87\x33\x75\xe6\x11\x6c\x39\x40\x03\xcc\x0c\x5c\xdb\xdc\xb0\x04\xf9\x6c\x6c\x4f\xf2\x35", 240); *(uint8_t*)0x2000074c = 9; *(uint8_t*)0x2000074d = 4; *(uint8_t*)0x2000074e = 3; *(uint8_t*)0x2000074f = 6; *(uint8_t*)0x20000750 = 5; *(uint8_t*)0x20000751 = 0; *(uint8_t*)0x20000752 = 0; *(uint8_t*)0x20000753 = 0; *(uint8_t*)0x20000754 = 0xc8; *(uint8_t*)0x20000755 = 7; *(uint8_t*)0x20000756 = 0x24; *(uint8_t*)0x20000757 = 1; *(uint8_t*)0x20000758 = 0; *(uint8_t*)0x20000759 = 3; *(uint16_t*)0x2000075a = 4; *(uint8_t*)0x2000075c = 0xf; *(uint8_t*)0x2000075d = 0x24; *(uint8_t*)0x2000075e = 2; *(uint8_t*)0x2000075f = 1; *(uint8_t*)0x20000760 = 0x81; *(uint8_t*)0x20000761 = 2; *(uint8_t*)0x20000762 = 1; *(uint8_t*)0x20000763 = 1; memcpy((void*)0x20000764, "\xb3\xd2\xfe\xb3\x92\x00\x56", 7); *(uint8_t*)0x2000076b = 9; *(uint8_t*)0x2000076c = 5; *(uint8_t*)0x2000076d = 6; *(uint8_t*)0x2000076e = 4; *(uint16_t*)0x2000076f = 0x400; *(uint8_t*)0x20000771 = 0; *(uint8_t*)0x20000772 = 6; *(uint8_t*)0x20000773 = 3; *(uint8_t*)0x20000774 = 0x11; *(uint8_t*)0x20000775 = 4; memcpy((void*)0x20000776, 
"\x39\xa6\x64\x25\x22\x0f\xb1\xa9\x9e\x55\x6b\x2d\xfb\x18\x38", 15); *(uint8_t*)0x20000785 = 9; *(uint8_t*)0x20000786 = 5; *(uint8_t*)0x20000787 = 0xa; *(uint8_t*)0x20000788 = 4; *(uint16_t*)0x20000789 = 0x50; *(uint8_t*)0x2000078b = 0x79; *(uint8_t*)0x2000078c = 9; *(uint8_t*)0x2000078d = -1; *(uint8_t*)0x2000078e = 7; *(uint8_t*)0x2000078f = 0x25; *(uint8_t*)0x20000790 = 1; *(uint8_t*)0x20000791 = 1; *(uint8_t*)0x20000792 = 9; *(uint16_t*)0x20000793 = 7; *(uint8_t*)0x20000795 = 9; *(uint8_t*)0x20000796 = 5; *(uint8_t*)0x20000797 = 2; *(uint8_t*)0x20000798 = 0x10; *(uint16_t*)0x20000799 = 0x10; *(uint8_t*)0x2000079b = 0; *(uint8_t*)0x2000079c = 0xe5; *(uint8_t*)0x2000079d = 1; *(uint8_t*)0x2000079e = 0xc; *(uint8_t*)0x2000079f = 8; memcpy((void*)0x200007a0, "\x62\x71\xea\xd3\x9e\x76\xc5\x5f\x40\x3f", 10); *(uint8_t*)0x200007aa = 0x1d; *(uint8_t*)0x200007ab = 0x22; memcpy((void*)0x200007ac, "\x93\xf9\x20\x77\xe6\xf8\xfb\x30\x27\x85\xe1\x3e\x57\xcc\x86\xfc\x2a\x7a\x97\x62\x1a\x1c\xd7\x84\x98\xcc\x60", 27); *(uint8_t*)0x200007c7 = 9; *(uint8_t*)0x200007c8 = 5; *(uint8_t*)0x200007c9 = 0xa; *(uint8_t*)0x200007ca = 0; *(uint16_t*)0x200007cb = 0x10; *(uint8_t*)0x200007cd = 0xfb; *(uint8_t*)0x200007ce = 0x70; *(uint8_t*)0x200007cf = 9; *(uint8_t*)0x200007d0 = 0xa5; *(uint8_t*)0x200007d1 = 0xa; memcpy((void*)0x200007d2, "\xaa\x01\x6e\xff\xd7\x95\xb2\x1f\xec\xe5\x5d\x47\x62\x18\x11\xef\x08\xe6\xea\xf7\xa4\xf3\xfb\xf7\x0f\x91\x91\xee\xc8\x75\xbd\x45\xba\x57\x2c\xf2\xef\x7f\x10\xf3\xa5\x05\xff\x71\xef\x3e\xf1\xa4\x2a\x73\x49\xf1\x98\xcc\x1e\x75\x24\xa3\x0e\x94\x8c\x63\x34\xe7\x06\x02\x3f\xca\xec\xc3\xcf\x51\xd8\xcc\x35\x4d\xff\xde\xc9\xe3\x30\x58\x45\x61\x86\xdf\xe0\x45\x3f\x8f\xb8\xce\x87\x70\xff\xf3\xa3\x5e\x7b\xc7\xbe\x19\x82\xbc\x0f\xdb\x24\x8b\x77\x6f\x99\x5d\x49\x26\x94\x17\x2d\x25\xaf\xfd\x86\x07\xf0\x00\xdb\xea\x29\xd9\xb5\x7d\xe7\xbc\x89\xd3\x28\xa6\x3c\x5e\x9f\x34\x30\xaa\x09\x4d\x1f\x14\xe2\xea\x84\x44\x62\x60\x09\x73\x23\xf8\x48\x36\x41\xd5\x30\x8b\x57", 163); 
*(uint8_t*)0x20000875 = 9; *(uint8_t*)0x20000876 = 5; *(uint8_t*)0x20000877 = 0x8c; *(uint8_t*)0x20000878 = 8; *(uint16_t*)0x20000879 = 0x40; *(uint8_t*)0x2000087b = 4; *(uint8_t*)0x2000087c = 5; *(uint8_t*)0x2000087d = 3; *(uint32_t*)0x20000d40 = 0xa; *(uint64_t*)0x20000d44 = 0x20000880; *(uint8_t*)0x20000880 = 0xa; *(uint8_t*)0x20000881 = 6; *(uint16_t*)0x20000882 = 0x250; *(uint8_t*)0x20000884 = 1; *(uint8_t*)0x20000885 = 8; *(uint8_t*)0x20000886 = 0xcf; *(uint8_t*)0x20000887 = 0x20; *(uint8_t*)0x20000888 = 6; *(uint8_t*)0x20000889 = 0; *(uint32_t*)0x20000d4c = 0xa7; *(uint64_t*)0x20000d50 = 0x200008c0; *(uint8_t*)0x200008c0 = 5; *(uint8_t*)0x200008c1 = 0xf; *(uint16_t*)0x200008c2 = 0xa7; *(uint8_t*)0x200008c4 = 6; *(uint8_t*)0x200008c5 = 0x18; *(uint8_t*)0x200008c6 = 0x10; *(uint8_t*)0x200008c7 = 0xa; *(uint8_t*)0x200008c8 = 8; STORE_BY_BITMASK(uint32_t, , 0x200008c9, 3, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x200008c9, 9, 5, 27); *(uint16_t*)0x200008cd = 0xf; *(uint16_t*)0x200008cf = 0; *(uint32_t*)0x200008d1 = 0xffc030; *(uint32_t*)0x200008d5 = 0xc030; *(uint32_t*)0x200008d9 = 0x3f30; *(uint8_t*)0x200008dd = 0x14; *(uint8_t*)0x200008de = 0x10; *(uint8_t*)0x200008df = 4; *(uint8_t*)0x200008e0 = 0xfe; memcpy((void*)0x200008e1, "\xed\xca\xa5\x25\xc2\x3e\x27\xc4\x7c\xe4\x24\x20\xc0\x44\xbb\x79", 16); *(uint8_t*)0x200008f1 = 3; *(uint8_t*)0x200008f2 = 0x10; *(uint8_t*)0x200008f3 = 0xb; *(uint8_t*)0x200008f4 = 3; *(uint8_t*)0x200008f5 = 0x10; *(uint8_t*)0x200008f6 = 0xb; *(uint8_t*)0x200008f7 = 7; *(uint8_t*)0x200008f8 = 0x10; *(uint8_t*)0x200008f9 = 2; STORE_BY_BITMASK(uint32_t, , 0x200008fa, 0x1c, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x200008fb, 6, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x200008fb, 0, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x200008fc, 8, 0, 16); *(uint8_t*)0x200008fe = 0x69; *(uint8_t*)0x200008ff = 0x10; *(uint8_t*)0x20000900 = 1; memcpy((void*)0x20000901, 
"\xf0\x91\x7a\x40\x9f\x20\x82\x3f\xe2\x1e\x12\x4d\xc6\x71\xac\x83\x13\xbe\xb3\x28\xf2\x63\xa5\x96\x75\x48\xb9\xff\xe8\xbd\x38\xca\x2b\x56\x38\xe9\x0e\x09\xb0\x0a\xd4\x00\x0d\x97\x5c\x28\xf2\x80\x60\x24\x43\x96\x8f\xb7\x54\x43\xf4\x83\x3a\x05\xf9\x36\xed\x00\xb5\x75\xa1\x1e\x11\x81\xf1\x9f\x62\xf7\x01\x0a\x85\x59\xd4\x42\x22\x69\xba\x17\xc5\x69\xa5\xd2\xca\x58\x02\x10\xa2\x81\x19\x23\x21\x6f\xf3\x8f\x6c\x21", 102); *(uint32_t*)0x20000d58 = 9; *(uint32_t*)0x20000d5c = 0x2e; *(uint64_t*)0x20000d60 = 0x20000980; *(uint8_t*)0x20000980 = 0x2e; *(uint8_t*)0x20000981 = 3; memcpy((void*)0x20000982, "\xc0\xca\x32\x6a\xbb\x6f\x9f\x4b\xe8\xfd\xe5\xec\x0f\xda\x56\x56\x8a\x3a\xee\x01\x7d\x48\x51\xf5\xe1\x77\xf2\x7c\x67\x23\xcc\x4b\x66\x14\x8d\x06\x8a\x4f\xc2\x15\xc3\x41\x22\x42", 44); *(uint32_t*)0x20000d68 = 4; *(uint64_t*)0x20000d6c = 0x200009c0; *(uint8_t*)0x200009c0 = 4; *(uint8_t*)0x200009c1 = 3; *(uint16_t*)0x200009c2 = 0x140a; *(uint32_t*)0x20000d74 = 0x101; *(uint64_t*)0x20000d78 = 0x20000a00; *(uint8_t*)0x20000a00 = 1; *(uint8_t*)0x20000a01 = 3; memcpy((void*)0x20000a02, 
"\xb5\x44\xe4\xb1\x0f\x95\xe3\x90\x3d\xd7\xa1\xb4\xfc\xaa\xde\x5c\x41\x43\xd9\x0f\x68\xfc\xf3\xf0\xd8\x32\x82\xc3\x24\xf0\xd4\xa7\xe6\x5f\x27\x80\x3e\x19\xd9\x56\x78\xa8\x8d\xa9\xf9\x9c\x40\x3c\xb3\x26\x52\x70\xa9\x96\x4d\xcd\x75\x9f\xf7\x27\xed\x3c\xdb\x42\x7b\x2a\xc3\xc5\xf7\x1d\xde\xb5\xea\x16\xa0\x37\x7a\x0e\xd2\x2e\x54\xa2\x4a\x8a\xe1\x47\x51\x37\x62\x01\x42\x60\x56\x82\xbe\x28\x12\x97\xff\x87\xf2\x08\x1a\xda\x23\x29\x52\x0e\x8e\x87\x82\x80\x43\xb6\x5d\x66\x3c\x96\x0e\x10\x01\xcd\xd6\x65\x51\x89\x12\x30\xa3\x67\xe3\x07\xd0\x0a\xbe\x3a\x52\xcc\x07\x33\x5d\x6d\x39\xea\xc4\x4c\x43\xf1\xb7\x0c\x13\xca\xfa\x5b\x2c\x7a\xca\x4c\x95\x72\x43\x75\x59\x9a\x85\x9c\x39\xe4\xc0\xe4\xda\x7b\x2c\x90\x6e\x43\x28\x8f\x11\x74\x94\xfe\xdd\xbe\xc0\x23\x07\x16\xe3\x1e\x46\xf5\x31\x87\x5f\xc7\xef\xf8\x5e\x6f\x2f\x36\x51\x7f\xa0\x2a\x11\x6f\xce\x7a\x95\xfb\xa5\xfa\x3d\xff\x69\x7c\xe8\x71\x6f\xc8\x5a\xa4\xd0\xf6\xf2\x4b\x04\x01\xf2\xc4\xdb\x9a\xec\x9a\xf7\x75\xa0\x41\x99\x2c\x23\x4d\x23\x07\xbf\xda\x12\x24\x84\xcc\x46\x0e\x90", 255); *(uint32_t*)0x20000d80 = 4; *(uint64_t*)0x20000d84 = 0x20000b40; *(uint8_t*)0x20000b40 = 4; *(uint8_t*)0x20000b41 = 3; *(uint16_t*)0x20000b42 = 0x804; *(uint32_t*)0x20000d8c = 4; *(uint64_t*)0x20000d90 = 0x20000b80; *(uint8_t*)0x20000b80 = 4; *(uint8_t*)0x20000b81 = 3; *(uint16_t*)0x20000b82 = 0x400a; *(uint32_t*)0x20000d98 = 4; *(uint64_t*)0x20000d9c = 0x20000bc0; *(uint8_t*)0x20000bc0 = 4; *(uint8_t*)0x20000bc1 = 3; *(uint16_t*)0x20000bc2 = 0x42b; *(uint32_t*)0x20000da4 = 4; *(uint64_t*)0x20000da8 = 0x20000c00; *(uint8_t*)0x20000c00 = 4; *(uint8_t*)0x20000c01 = 3; *(uint16_t*)0x20000c02 = 0x3009; *(uint32_t*)0x20000db0 = 0xa5; *(uint64_t*)0x20000db4 = 0x20000c40; *(uint8_t*)0x20000c40 = 0xa5; *(uint8_t*)0x20000c41 = 3; memcpy((void*)0x20000c42, 
"\x84\x38\x9b\x09\x2a\x5b\x3d\x06\xbf\xd8\x95\x09\xd0\x72\xa7\x3f\x11\x1a\x14\xaa\x46\x19\x78\x5c\x4f\xe2\x44\x85\x20\xd3\x44\xb0\x30\x91\x36\xab\x09\x1e\x79\x2a\x36\xd6\xc3\xad\xdb\xe8\x39\xa5\x9d\x03\x72\xbd\xb5\x42\x65\xba\x32\xc2\xfa\x75\x17\x55\x18\xbe\xe6\x40\xf7\xa1\x5d\xd0\x11\x26\x06\xec\x27\x89\x89\xfe\xa0\x51\xf6\xa6\x9b\x97\x53\x67\x5b\x81\xfe\x2e\x64\xeb\xe3\x34\x56\x8e\x08\x6b\x24\x70\x4b\xe9\xdb\x1f\xa5\x64\x5a\x8a\xf5\x26\xed\x97\xa9\x0c\x02\x7a\x2b\x4f\x90\xed\x9c\x2a\xf5\xe9\xba\x52\x84\x31\xc9\x3f\xea\x75\x2e\x8d\x84\x89\xd4\xef\x97\x7f\x5a\x3a\xc6\xc8\xdb\xac\xfc\x14\x5f\xdb\x5f\x7b\xca\x68\x1b\x6f\x3b\xd7\x64\xd0\x6c\xbe\x0b", 163); *(uint32_t*)0x20000dbc = 4; *(uint64_t*)0x20000dc0 = 0x20000d00; *(uint8_t*)0x20000d00 = 4; *(uint8_t*)0x20000d01 = 3; *(uint16_t*)0x20000d02 = 0x44d; syz_usb_connect(5, 0x77e, 0x20000100, 0x20000d40); *(uint8_t*)0x20000e00 = 0x12; *(uint8_t*)0x20000e01 = 1; *(uint16_t*)0x20000e02 = 0x310; *(uint8_t*)0x20000e04 = 2; *(uint8_t*)0x20000e05 = 0; *(uint8_t*)0x20000e06 = 0; *(uint8_t*)0x20000e07 = 0x20; *(uint16_t*)0x20000e08 = 0x525; *(uint16_t*)0x20000e0a = 0xa4a1; *(uint16_t*)0x20000e0c = 0x40; *(uint8_t*)0x20000e0e = 1; *(uint8_t*)0x20000e0f = 2; *(uint8_t*)0x20000e10 = 3; *(uint8_t*)0x20000e11 = 1; *(uint8_t*)0x20000e12 = 9; *(uint8_t*)0x20000e13 = 2; *(uint16_t*)0x20000e14 = 0x7d; *(uint8_t*)0x20000e16 = 2; *(uint8_t*)0x20000e17 = 1; *(uint8_t*)0x20000e18 = 1; *(uint8_t*)0x20000e19 = 0xd0; *(uint8_t*)0x20000e1a = 0; *(uint8_t*)0x20000e1b = 9; *(uint8_t*)0x20000e1c = 4; *(uint8_t*)0x20000e1d = 0; *(uint8_t*)0x20000e1e = 0; *(uint8_t*)0x20000e1f = 1; *(uint8_t*)0x20000e20 = 2; *(uint8_t*)0x20000e21 = 0xd; *(uint8_t*)0x20000e22 = 0; *(uint8_t*)0x20000e23 = 0; *(uint8_t*)0x20000e24 = 5; *(uint8_t*)0x20000e25 = 0x24; *(uint8_t*)0x20000e26 = 6; *(uint8_t*)0x20000e27 = 0; *(uint8_t*)0x20000e28 = 1; *(uint8_t*)0x20000e29 = 5; *(uint8_t*)0x20000e2a = 0x24; *(uint8_t*)0x20000e2b = 0; *(uint16_t*)0x20000e2c = 0x81; 
*(uint8_t*)0x20000e2e = 0xd; *(uint8_t*)0x20000e2f = 0x24; *(uint8_t*)0x20000e30 = 0xf; *(uint8_t*)0x20000e31 = 1; *(uint32_t*)0x20000e32 = 0x3fffc000; *(uint16_t*)0x20000e36 = 0xba60; *(uint16_t*)0x20000e38 = 1; *(uint8_t*)0x20000e3a = 1; *(uint8_t*)0x20000e3b = 6; *(uint8_t*)0x20000e3c = 0x24; *(uint8_t*)0x20000e3d = 0x1a; *(uint16_t*)0x20000e3e = 1; *(uint8_t*)0x20000e40 = 0; *(uint8_t*)0x20000e41 = 0xc; *(uint8_t*)0x20000e42 = 0x24; *(uint8_t*)0x20000e43 = 0x1b; *(uint16_t*)0x20000e44 = 0x1b7; *(uint16_t*)0x20000e46 = 0x50f; *(uint8_t*)0x20000e48 = 6; *(uint8_t*)0x20000e49 = 0x5b; *(uint16_t*)0x20000e4a = 0x81; *(uint8_t*)0x20000e4c = 9; *(uint8_t*)0x20000e4d = 0x15; *(uint8_t*)0x20000e4e = 0x24; *(uint8_t*)0x20000e4f = 0x12; *(uint16_t*)0x20000e50 = 0x5f; *(uint64_t*)0x20000e52 = 0x14f5e048ba817a3; *(uint64_t*)0x20000e5a = 0x2a397ecbffc007a6; *(uint8_t*)0x20000e62 = 9; *(uint8_t*)0x20000e63 = 5; *(uint8_t*)0x20000e64 = 0x81; *(uint8_t*)0x20000e65 = 3; *(uint16_t*)0x20000e66 = 0x10; *(uint8_t*)0x20000e68 = 1; *(uint8_t*)0x20000e69 = 6; *(uint8_t*)0x20000e6a = 2; *(uint8_t*)0x20000e6b = 9; *(uint8_t*)0x20000e6c = 4; *(uint8_t*)0x20000e6d = 1; *(uint8_t*)0x20000e6e = 0; *(uint8_t*)0x20000e6f = 0; *(uint8_t*)0x20000e70 = 2; *(uint8_t*)0x20000e71 = 0xd; *(uint8_t*)0x20000e72 = 0; *(uint8_t*)0x20000e73 = 0; *(uint8_t*)0x20000e74 = 9; *(uint8_t*)0x20000e75 = 4; *(uint8_t*)0x20000e76 = 1; *(uint8_t*)0x20000e77 = 1; *(uint8_t*)0x20000e78 = 2; *(uint8_t*)0x20000e79 = 2; *(uint8_t*)0x20000e7a = 0xd; *(uint8_t*)0x20000e7b = 0; *(uint8_t*)0x20000e7c = 0; *(uint8_t*)0x20000e7d = 9; *(uint8_t*)0x20000e7e = 5; *(uint8_t*)0x20000e7f = 0x82; *(uint8_t*)0x20000e80 = 2; *(uint16_t*)0x20000e81 = 8; *(uint8_t*)0x20000e83 = 0xcc; *(uint8_t*)0x20000e84 = 6; *(uint8_t*)0x20000e85 = 0x9b; *(uint8_t*)0x20000e86 = 9; *(uint8_t*)0x20000e87 = 5; *(uint8_t*)0x20000e88 = 3; *(uint8_t*)0x20000e89 = 2; *(uint16_t*)0x20000e8a = 0x400; *(uint8_t*)0x20000e8c = 1; *(uint8_t*)0x20000e8d = 6; 
*(uint8_t*)0x20000e8e = 1; *(uint32_t*)0x20001300 = 0xa; *(uint64_t*)0x20001304 = 0x20000ec0; *(uint8_t*)0x20000ec0 = 0xa; *(uint8_t*)0x20000ec1 = 6; *(uint16_t*)0x20000ec2 = 0x200; *(uint8_t*)0x20000ec4 = 0; *(uint8_t*)0x20000ec5 = 1; *(uint8_t*)0x20000ec6 = 0x13; *(uint8_t*)0x20000ec7 = 8; *(uint8_t*)0x20000ec8 = -1; *(uint8_t*)0x20000ec9 = 0; *(uint32_t*)0x2000130c = 0xff; *(uint64_t*)0x20001310 = 0x20000f00; *(uint8_t*)0x20000f00 = 5; *(uint8_t*)0x20000f01 = 0xf; *(uint16_t*)0x20000f02 = 0xff; *(uint8_t*)0x20000f04 = 6; *(uint8_t*)0x20000f05 = 3; *(uint8_t*)0x20000f06 = 0x10; *(uint8_t*)0x20000f07 = 0xb; *(uint8_t*)0x20000f08 = 0x14; *(uint8_t*)0x20000f09 = 0x10; *(uint8_t*)0x20000f0a = 4; *(uint8_t*)0x20000f0b = 1; memcpy((void*)0x20000f0c, "\x43\x3e\x98\x8e\xe5\xf3\x58\xef\x3f\x4e\x65\x3f\xaf\x4e\xe7\x65", 16); *(uint8_t*)0x20000f1c = 0xa; *(uint8_t*)0x20000f1d = 0x10; *(uint8_t*)0x20000f1e = 0xb; memcpy((void*)0x20000f1f, "\xd3\x74\xd6\xca\x9c\xfd\xff", 7); *(uint8_t*)0x20000f26 = 0xe; *(uint8_t*)0x20000f27 = 0x10; *(uint8_t*)0x20000f28 = 0xb; memcpy((void*)0x20000f29, "\xe4\xe1\x28\x48\xc1\xc9\xe1\xac\xe2\x70\x01", 11); *(uint8_t*)0x20000f34 = 0x1c; *(uint8_t*)0x20000f35 = 0x10; *(uint8_t*)0x20000f36 = 0xa; *(uint8_t*)0x20000f37 = 0x40; STORE_BY_BITMASK(uint32_t, , 0x20000f38, 4, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x20000f38, 4, 5, 27); *(uint16_t*)0x20000f3c = 0xf0f; *(uint16_t*)0x20000f3e = 0x8000; *(uint32_t*)0x20000f40 = 0xff0000; *(uint32_t*)0x20000f44 = 0xc0; *(uint32_t*)0x20000f48 = 0xff003f; *(uint32_t*)0x20000f4c = 0xc00f; *(uint8_t*)0x20000f50 = 0xaf; *(uint8_t*)0x20000f51 = 0x10; *(uint8_t*)0x20000f52 = 1; memcpy((void*)0x20000f53, 
"\xcb\xab\xda\x0f\x97\x9a\xfc\xbd\x15\x73\x7d\x31\x5a\xb6\x9a\xc5\x32\xbd\xa0\x26\x42\xde\xbc\xa3\x3a\x83\x18\x5a\x92\x73\x8f\x4d\x04\xce\xc6\x95\x22\x3d\x9f\x52\xb8\x03\xad\x72\x64\x4b\xd3\xdf\x57\x74\x94\x9b\x6e\xd6\x37\x7c\xdf\x5d\xa5\xb1\xd8\x20\x0d\xe1\x61\xf5\xb0\xf6\x10\xc7\x8f\x5c\x79\xa0\x0d\xb8\x64\x92\xec\xdf\x46\x42\x04\xc0\x09\xa9\x47\x4a\x05\xf0\xf6\x35\x18\x19\x70\x3f\x38\x3e\xca\x0f\x29\xa0\x1e\x52\xf7\xb0\xb1\xf9\x21\xef\x92\xc3\xe6\x30\x28\x77\x07\xe0\x61\x7f\xe8\xcf\x26\x72\xef\x1d\xee\x5e\x7c\x5f\x8a\x37\x41\x5f\x54\xb2\x41\xf0\xb9\x3a\xe6\xf3\x40\x2e\x17\xb6\xfe\xc4\x66\xb8\x38\x27\xf4\xe4\x2c\x57\xaf\x90\xea\x0b\x73\x5a\x10\xb5\xcc\x4a\x9e\xd1\x44\x61\xcb\x3c", 172); *(uint32_t*)0x20001318 = 9; *(uint32_t*)0x2000131c = 4; *(uint64_t*)0x20001320 = 0x20001000; *(uint8_t*)0x20001000 = 4; *(uint8_t*)0x20001001 = 3; *(uint16_t*)0x20001002 = 0x807; *(uint32_t*)0x20001328 = 4; *(uint64_t*)0x2000132c = 0x20001040; *(uint8_t*)0x20001040 = 4; *(uint8_t*)0x20001041 = 3; *(uint16_t*)0x20001042 = 0x44c; *(uint32_t*)0x20001334 = 0x46; *(uint64_t*)0x20001338 = 0x20001080; *(uint8_t*)0x20001080 = 0x46; *(uint8_t*)0x20001081 = 3; memcpy((void*)0x20001082, "\xd3\x41\x69\xf9\x72\x88\x6d\x91\x88\x5f\xb4\xe6\x63\xd3\xb9\x5e\xfc\xbd\xf2\xac\x7f\xb6\xa4\x8b\x8f\x5d\x44\xf4\x90\xa6\xd5\xdb\x20\x86\xfa\x93\x8c\x10\xf7\x75\x1b\x90\xc3\x99\x3b\xbf\xad\x67\x0a\x7f\x80\xd3\x58\x86\xc2\xcc\x30\x29\x1a\xb2\xce\x67\x01\x1d\x1b\x0d\x6c\xf4", 68); *(uint32_t*)0x20001340 = 4; *(uint64_t*)0x20001344 = 0x20001100; *(uint8_t*)0x20001100 = 4; *(uint8_t*)0x20001101 = 3; *(uint16_t*)0x20001102 = 0x40a; *(uint32_t*)0x2000134c = 0x36; *(uint64_t*)0x20001350 = 0x20001140; *(uint8_t*)0x20001140 = 0x36; *(uint8_t*)0x20001141 = 3; memcpy((void*)0x20001142, "\x06\x4c\xab\x2c\xae\x36\xef\x56\x23\x74\x9b\xcb\x79\x93\xb3\x10\xc0\xf7\x00\xe5\x26\xdd\xa0\x22\x3a\x1e\x4b\x6f\x16\x00\x79\xc7\xb1\xcd\xb2\xa8\xb0\x43\xea\x83\x25\xec\xc0\xee\xd6\x4d\x54\x39\x81\xa3\x96\xb7", 52); 
*(uint32_t*)0x20001358 = 5; *(uint64_t*)0x2000135c = 0x20001180; *(uint8_t*)0x20001180 = 5; *(uint8_t*)0x20001181 = 3; memcpy((void*)0x20001182, "Ka\000", 3); *(uint32_t*)0x20001364 = 4; *(uint64_t*)0x20001368 = 0x200011c0; *(uint8_t*)0x200011c0 = 4; *(uint8_t*)0x200011c1 = 3; *(uint16_t*)0x200011c2 = 0x500a; *(uint32_t*)0x20001370 = 4; *(uint64_t*)0x20001374 = 0x20001200; *(uint8_t*)0x20001200 = 4; *(uint8_t*)0x20001201 = 3; *(uint16_t*)0x20001202 = 0x4ff; *(uint32_t*)0x2000137c = 0x8f; *(uint64_t*)0x20001380 = 0x20001240; *(uint8_t*)0x20001240 = 0x8f; *(uint8_t*)0x20001241 = 3; memcpy((void*)0x20001242, "\x37\xcc\x0c\x18\xf2\xd0\x9b\xfc\x3a\xa7\x69\x89\xd3\x6d\x44\x9d\xb5\x7f\xf9\x5c\x9d\x3d\x3c\xb0\x40\x2d\x82\x35\xdc\x71\x22\x01\xee\xa4\xc3\x18\x2f\xf7\x6c\xbd\xbb\xe5\x31\x5c\x11\x68\x27\xa3\x5f\xa2\x7a\x39\x04\xc6\x63\x96\x50\x3f\x48\x37\x05\x55\xf6\x27\x91\xc6\x15\x46\xe4\x12\x1a\xa6\x88\xc1\xc7\xc5\x7d\x95\x5a\xed\xd9\xee\xc2\xb3\x07\xd4\xe5\x87\xe1\xae\xd0\x86\x79\xb2\x72\x8a\xcd\x32\x1b\xc4\xf8\x3e\xe2\x68\xd8\x14\x9d\x81\xbb\xc1\x28\xc5\x8e\x17\x8c\xd1\x7d\x2b\x81\x36\xb8\x34\xc1\xe9\xb1\xd7\xd3\xd1\x37\xae\x9b\x4c\x27\xe6\xb1\xba\x93\xdf\x07\xe8\x52", 141); res = -1; res = syz_usb_connect(1, 0x8f, 0x20000e00, 0x20001300); if (res != -1) r[3] = res; syz_usb_disconnect(r[3]); } int main(void) { syscall(SYS_mmap, 0x20000000ul, 0x1000000ul, 3ul, 0x1012ul, -1, 0ul, 0ul); setup_fault(); use_temporary_dir(); do_sandbox_none(); return 0; } compiler invocation: /syzkaller/shared/netbsd/tools/bin/x86_64--netbsd-g++ [-o /tmp/syz-executor1656244022 -DGOOS_netbsd=1 -DGOARCH_amd64=1 -DHOSTGOOS_linux=1 -x c - -m64 --sysroot /syzkaller/shared/netbsd/dest/ -O2 -pthread -Wall -Werror -Wparentheses -Wframe-larger-than=16384] --- FAIL: TestGenerate/netbsd/amd64/4 (0.21s) csource_test.go:150: opts: {Threaded:true Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false 
CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false UseTmpDir:true HandleSegv:false Repro:false Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}} program: __stat50(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) (fail_nth: 1) compat_50___msgctl13$IPC_SET(0x0, 0x1, &(0x7f0000000200)={{0x5a3e, 0x0, r1, 0xffffffffffffffff, 0xffffffffffffffff, 0x20, 0x400}, 0x9, 0x62e81dc5, 0x81, 0x5, 0x4, 0x8, 0x9, &(0x7f0000000100)={0x0, 0x20e1, 0xfffd, 0x1}, &(0x7f00000001c0)={&(0x7f0000000180)={&(0x7f0000000140)={0x0, 0x7ff, 0x9, 0x1}, 0x8000000000000000, 0x6, 0x8}, 0x8, 0x5, 0x20}, 0x400}) (async) chown(&(0x7f0000000280)='./file0\x00', r0, 0x0) (rerun: 4) compat_14___semctl$GETALL(0x0, 0x0, 0x6, &(0x7f00000002c0)) compat_14___semctl$SETVAL(0xffffffffffffffff, 0x0, 0x8, &(0x7f0000000380)=@buf=&(0x7f0000000340)={{r0, r1, 0x80, 0x5a3, 0x100, 0x1, 0x4897}, 0x7fff, 0x7, 0x0, &(0x7f0000000300)={0x800, 0x7, 0x2, 0x9}}) semctl$GETNCNT(0xffffffffffffffff, 0x4, 0x3, &(0x7f00000003c0)=""/4) r2 = semget$private(0x0, 0x3, 0x2) compat_14___semctl$GETNCNT(r2, 0x0, 0x3) semop(r2, &(0x7f0000000400)=[{0x4, 0x7, 0x2000}, {0x4, 0x1f, 0x800}, {0x1, 0x7, 0x400}], 0x3) compat_14___semctl$IPC_STAT(r2, 0x0, 0x2, &(0x7f0000000440)) syz_emit_ethernet(0x8, &(0x7f0000000000)="03d03df5c2dcc049") syz_execute_func(&(0x7f0000000040)="c421c16d149fc462baf76fed2666450f3800813be70eb16640253633f0408182a0bc302200800000c48281926cd992660f4f99c0f800003626660f124e32f26e660f382ab500000080") syz_extract_tcp_res(&(0x7f00000000c0), 0xfffffffa, 0x8000) syz_usb_connect(0x5, 0x77e, &(0x7f0000000100)={{0x12, 0x1, 0x300, 0x0, 0x0, 0x0, 0xbf, 0x0, 0x0, 0x0, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x76c, 0x3, 0x7, 0x17, 0x30, 0x3d, [{{0x9, 0x4, 0x8e, 0x0, 0x0, 0x0, 0x0, 0x0, 0x62, [@uac_as={[@format_type_ii_discrete={0x12, 0x24, 0x2, 0x2, 0x1f, 0x7, 0x7f, "11c06824606e6e241d"}]}]}}, {{0x9, 0x4, 0x0, 0x3f, 
0xd, 0x0, 0x0, 0x0, 0x1f, [@generic={0xe0, 0xa, "b71aa8dbef28ec508e40e57e0f21e51ceb5eacb80bb3f7ed35e29bad265b99dbbcbb655b87cbc776843703a876dc2dd2216c56771dd13f2cae3eae772586cacf7cdb24a918924ba342e5a84cb77541172a5b4100bcd721c00bcc1d590d5bae2e602b8a29aa649516b39d745c546613730dec4957df6dc6591993b9027afe3eb2172a49b3b589f5322cc76fd421d8b9acaf9f326c835214aa33da004adaae6689efebb028a649b7edc82333f89fd100b6da5d60c3e1349bd30d2cff8ae56ccbed46e09f6662c6b2c2e7cbd887fbc447db5d6887eb1cc1378ed310ec7d004c"}, @cdc_ncm={{0xb, 0x24, 0x6, 0x0, 0x1, "4b66fafbc9e4"}, {0x5, 0x24, 0x0, 0x6}, {0xd, 0x24, 0xf, 0x1, 0x80000000, 0x4}, {0x6, 0x24, 0x1a, 0xfffa, 0x12}, [@obex={0x5, 0x24, 0x15, 0x5}, @mdlm={0x15, 0x24, 0x12, 0x5}, @dmm={0x7, 0x24, 0x14, 0x4}, @mdlm_detail={0xe5, 0x24, 0x13, 0x7, "8f0d5f90cf98b479fae069bfd83c7e4ef5afe012495f0ee23062fe5f81be0ef82ff410318f82c5300ba5a5ad175dacf741e1d1956b8bb156e5b546644c1750916d0381b49c7bd160323bde2ff8c1379a319c3add3fbd86aa169749f6108844bd19644cafebba5d70989e95144300d6b508edd1662f759828aad78d18d710553cb7f5df43b7b560bb4f4869de9ebe5e126356507d10f2c8d9b83f661fbf0bd5131ce9c059b60e620da0f7516ad6d70c75de7dd4b37d9c379134e6036df428e1f541dbee9f58a4a374ff6cb6ae0468f49c616418a2760066457439952bb5b93f4f33"}, @mdlm={0x15, 0x24, 0x12, 0xec}]}], [{{0x9, 0x5, 0xf, 0x1d, 0x10, 0x0, 0x80, 0x74}}, {{0x9, 0x5, 0x2, 0x3, 0x10, 0x9f, 0x7d, 0xff, [@generic={0x52, 0xe, "ecf4ce492b20b2d508a9180c01192d8e124f6e790aedfc35213b1d14c68c63686631f697532da005bc5013d62c6d5c18b5c5c4f2263b42b582b7333b47373cdf666159745a6a53d518a4ae7c51abaaa8"}, @generic={0x15, 0x23, "dc333ea4d2d7351ec6d273b68ce3d5d1e2c2cf"}]}}, {{0x9, 0x5, 0xb, 0x0, 0x10, 0x4, 0x9, 0x0, [@uac_iso={0x7, 0x25, 0x1, 0x0, 0x5, 0xfffc}, @generic={0x35, 0x2, "59a66019fb9adfb5950997712b8b3c1cb4c4a0abbf8ea41dd4dd5936bde7fbe23ff642c176c355ef4728022f3d7d833860fbcf"}]}}, {{0x9, 0x5, 0x0, 0x10, 0x8, 0x1, 0x1}}, {{0x9, 0x5, 0x1, 0x2, 0x0, 0x0, 0x9, 0x6, [@uac_iso={0x7, 0x25, 0x1, 0x3, 0x9, 0x9f36}, @uac_iso={0x7, 0x25, 0x1, 0x3, 0x9, 
0x3}]}}, {{0x9, 0x5, 0xc, 0x10, 0x200, 0x15, 0x2, 0x0, [@generic={0x5b, 0x23, "1925294e2c16954f8313825e71ea536e7077d7130cee3a802cb3c8005ef6d9211068286c7a4c20cb87fd2cdc5aeedb171fd67ddc74c3f029aab0bfa9a63e5de5a53579666cef0fb7c876efc0a5d3382c346e1f9a78b7356c22"}]}}, {{0x9, 0x5, 0xb, 0x0, 0x40, 0x18, 0x3f, 0x8}}, {{0x9, 0x5, 0xd, 0x1, 0x0, 0x9, 0xff, 0x3, [@generic={0xdc, 0x23, "ccd53fc81156a91ff426eb001fbf43c8551fda170ed36a97eba7a32c3115ec5e9a8182734012aa12ddcc6e93d85eaafbda4ab1cff6bcb2afecd8aa8c58b27a75e5a4ddc50cc673edc82ff13115eb8f50ddd1ed2695337ca85b88264db59eb1304216a301d42f2902d5c06b17592bb21d2af1d092f5d7373aefdb907ffc8179abd68b11ef10be844e03816806f045f0a5ef3ba0ac5bd843a46fa3b72b862de1728647adc3f3bbcd53ce881e6b5a6c6ec797d32cc13918e3da4b3ea20dd6893c2c7ca47aa51bee047a361feff716cef3dae50b6ca72a2b764fa4cf"}, @uac_iso={0x7, 0x25, 0x1, 0x80, 0x5, 0x3f}]}}, {{0x9, 0x5, 0x1, 0x2, 0x20, 0xb9, 0x86, 0x40, [@generic={0x84, 0x8, "ab514debe16aea41f067e846f8939c5d4f6fce3a7d25eaee2c0651f92fe24417bdf9256f3f9b583492b2e4fe6b2b4bad9c1f4a8b26d74c60aeda9478a64876891b3a75ffce4001853b93bd0fd8a165a7fa83fbc6b95aed880f02224f1222b150b746981a4b55288f564d8d6af643c0fd291571d70cc56024dd73e500c5efe9bc9b72"}, @uac_iso={0x7, 0x25, 0x1, 0x1, 0x0, 0x9}]}}, {{0x9, 0x5, 0x5, 0x2, 0x10, 0xf9, 0xd8, 0xf9}}, {{0x9, 0x5, 0x3, 0xc, 0x8, 0x81, 0x0, 0x3f}}, {{0x9, 0x5, 0xd, 0x0, 0x252d10ce716ea2f3, 0xbe, 0x6, 0x7, [@uac_iso={0x7, 0x25, 0x1, 0x81, 0x2, 0x2}]}}, {{0x9, 0x5, 0x8, 0x3a51d77e4fce6a1c, 0x20, 0x4, 0x8, 0x9, [@uac_iso={0x7, 0x25, 0x1, 0x81, 0xff, 0xffe0}, @generic={0xf2, 0x31, 
"2fb2b9747b651ae66e5d861f9efc61bdd19495f163625975e7bae800ee004867b5a813b7b9dbc55eb0b751b8d758e9cba4a3b4f6830e5f85df740efcf290c77df212ee62fc94cc504b1e5422ffbf9f87ed05b4e762feed6535fd702825631db7636c869c9f1299320d98e1cf740a94e226af5608a799e1c999ee2b4ab5146f852ed9874065fb37c285811c77789df8a1798c2670419747679338a3299349ae3ec49eedcb39256d551a4ffba9595167c1779a7247b94aebc5792e53fbc94c066c16fe77020492e0a308d5ba5fdec952c4095b7563347be3f2ab70873375e6116c394003cc0c5cdbdcb004f96c6c4ff235"}]}}]}}, {{0x9, 0x4, 0x3, 0x6, 0x5, 0x0, 0x0, 0x0, 0xc8, [@uac_as={[@as_header={0x7, 0x24, 0x1, 0x0, 0x3, 0x4}, @format_type_i_discrete={0xf, 0x24, 0x2, 0x1, 0x81, 0x2, 0x1, 0x1, "b3d2feb3920056"}]}], [{{0x9, 0x5, 0x6, 0x4, 0x400, 0x0, 0x6, 0x3, [@generic={0x11, 0x4, "39a66425220fb1a99e556b2dfb1838"}]}}, {{0x9, 0x5, 0xa, 0x4, 0x50, 0x79, 0x9, 0xff, [@uac_iso={0x7, 0x25, 0x1, 0x1, 0x9, 0x7}]}}, {{0x9, 0x5, 0x2, 0x10, 0x10, 0x0, 0xe5, 0x1, [@generic={0xc, 0x8, "6271ead39e76c55f403f"}, @generic={0x1d, 0x22, "93f92077e6f8fb302785e13e57cc86fc2a7a97621a1cd78498cc60"}]}}, {{0x9, 0x5, 0xa, 0x0, 0x10, 0xfb, 0x70, 0x9, [@generic={0xa5, 0xc5f45b4d7fc4460a, "aa016effd795b21fece55d47621811ef08e6eaf7a4f3fbf70f9191eec875bd45ba572cf2ef7f10f3a505ff71ef3ef1a42a7349f198cc1e7524a30e948c6334e706023fcaecc3cf51d8cc354dffdec9e33058456186dfe0453f8fb8ce8770fff3a35e7bc7be1982bc0fdb248b776f995d492694172d25affd8607f000dbea29d9b57de7bc89d328a63c5e9f3430aa094d1f14e2ea84446260097323f8483641d5308b57"}]}}, {{0x9, 0x5, 0x8c, 0x8, 0x40, 0x4, 0x5, 0x3}}]}}]}}]}}, &(0x7f0000000d40)={0xa, &(0x7f0000000880)={0xa, 0x6, 0x250, 0x1, 0x8, 0xcf, 0x20, 0x6}, 0xa7, &(0x7f00000008c0)={0x5, 0xf, 0xa7, 0x6, [@ssp_cap={0x18, 0x10, 0xa, 0x8, 0x3, 0x9, 0xf, 0x0, [0xffc030, 0xc030, 0x3f30]}, @ss_container_id={0x14, 0x10, 0x4, 0xfe, "edcaa525c23e27c47ce42420c044bb79"}, @ptm_cap={0x3}, @ptm_cap={0x3}, @ext_cap={0x7, 0x10, 0x2, 0x1c, 0x6, 0x0, 0x8}, @generic={0x69, 0x10, 0x1, 
"f0917a409f20823fe21e124dc671ac8313beb328f263a5967548b9ffe8bd38ca2b5638e90e09b00ad4000d975c28f280602443968fb75443f4833a05f936ed00b575a11e1181f19f62f7010a8559d4422269ba17c569a5d2ca580210a2811923216ff38f6c21"}]}, 0x9, [{0x2e, &(0x7f0000000980)=@string={0x2e, 0x3, "c0ca326abb6f9f4be8fde5ec0fda56568a3aee017d4851f5e177f27c6723cc4b66148d068a4fc215c3412242"}}, {0x4, &(0x7f00000009c0)=@lang_id={0x4, 0x3, 0x140a}}, {0x101, &(0x7f0000000a00)=@string={0x101, 0x3, "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"}}, {0x4, &(0x7f0000000b40)=@lang_id={0x4, 0x3, 0x804}}, {0x4, &(0x7f0000000b80)=@lang_id={0x4, 0x3, 0x400a}}, {0x4, &(0x7f0000000bc0)=@lang_id={0x4, 0x3, 0x42b}}, {0x4, &(0x7f0000000c00)=@lang_id={0x4, 0x3, 0x3009}}, {0xa5, &(0x7f0000000c40)=@string={0xa5, 0x3, "84389b092a5b3d06bfd89509d072a73f111a14aa4619785c4fe2448520d344b0309136ab091e792a36d6c3addbe839a59d0372bdb54265ba32c2fa75175518bee640f7a15dd0112606ec278989fea051f6a69b9753675b81fe2e64ebe334568e086b24704be9db1fa5645a8af526ed97a90c027a2b4f90ed9c2af5e9ba528431c93fea752e8d8489d4ef977f5a3ac6c8dbacfc145fdb5f7bca681b6f3bd764d06cbe0b"}}, {0x4, &(0x7f0000000d00)=@lang_id={0x4, 0x3, 0x44d}}]}) r3 = syz_usb_connect$cdc_ncm(0x1, 0x8f, &(0x7f0000000e00)={{0x12, 0x1, 0x310, 0x2, 0x0, 0x0, 0x20, 0x525, 0xa4a1, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x7d, 0x2, 0x1, 0x1, 0x1d0, 0x0, {{0x9, 0x4, 0x0, 0x0, 0x1, 0x2, 0xd, 0x0, 0x0, {{0x5}, {0x5, 0x24, 0x0, 0x81}, {0xd, 0x24, 0xf, 0x1, 0x3fffc000, 0xba60, 0x1, 0x1}, {0x6, 0x24, 0x1a, 0x1}, [@mbim={0xc, 0x24, 0x1b, 0x1b7, 0x50f, 0x6, 0x5b, 0x81, 0x9}, @mdlm={0x15, 0x24, 0x12, 0x5f}]}, {{0x9, 0x5, 0x81, 0x3, 0x10, 0x1, 0x6, 0x2}}}, {}, {0x9, 0x4, 0x1, 0x1, 0x2, 0x2, 0xd, 0x0, 0x0, "", {{{0x9, 0x5, 0x82, 0x2, 0x8, 0xcc, 0x6, 0x9b}}, {{0x9, 0x5, 0x3, 0x2, 0x400, 0x1, 0x6, 0x1}}}}}}}]}}, &(0x7f0000001300)={0xa, &(0x7f0000000ec0)={0xa, 0x6, 0x200, 0x0, 0x1, 0x13, 0x8, 0xff}, 0xff, &(0x7f0000000f00)={0x5, 0xf, 0xff, 0x6, [@ptm_cap={0x3}, @ss_container_id={0x14, 0x10, 0x4, 0x1, 
"433e988ee5f358ef3f4e653faf4ee765"}, @generic={0xa, 0x10, 0xb, "d374d6ca9cfdff"}, @generic={0xe, 0x10, 0xb, "e4e12848c1c9e1ace27001"}, @ssp_cap={0x1c, 0x10, 0xa, 0x40, 0x4, 0x4, 0xf0f, 0x8000, [0xff0000, 0xc0, 0xff003f, 0xc00f]}, @generic={0xaf, 0x10, 0x1, "cbabda0f979afcbd15737d315ab69ac532bda02642debca33a83185a92738f4d04cec695223d9f52b803ad72644bd3df5774949b6ed6377cdf5da5b1d8200de161f5b0f610c78f5c79a00db86492ecdf464204c009a9474a05f0f6351819703f383eca0f29a01e52f7b0b1f921ef92c3e630287707e0617fe8cf2672ef1dee5e7c5f8a37415f54b241f0b93ae6f3402e17b6fec466b83827f4e42c57af90ea0b735a10b5cc4a9ed14461cb3c"}]}, 0x9, [{0x4, &(0x7f0000001000)=@lang_id={0x4, 0x3, 0x807}}, {0x4, &(0x7f0000001040)=@lang_id={0x4, 0x3, 0x44c}}, {0x46, &(0x7f0000001080)=@string={0x46, 0x3, "d34169f972886d91885fb4e663d3b95efcbdf2ac7fb6a48b8f5d44f490a6d5db2086fa938c10f7751b90c3993bbfad670a7f80d35886c2cc30291ab2ce67011d1b0d6cf4"}}, {0x4, &(0x7f0000001100)=@lang_id={0x4, 0x3, 0x40a}}, {0x36, &(0x7f0000001140)=@string={0x36, 0x3, "064cab2cae36ef5623749bcb7993b310c0f700e526dda0223a1e4b6f160079c7b1cdb2a8b043ea8325ecc0eed64d543981a396b7"}}, {0x5, &(0x7f0000001180)=@string={0x5, 0x3, 'Ka\x00'}}, {0x4, &(0x7f00000011c0)=@lang_id={0x4, 0x3, 0x500a}}, {0x4, &(0x7f0000001200)=@lang_id={0x4, 0x3, 0x4ff}}, {0x8f, &(0x7f0000001240)=@string={0x8f, 0x3, "37cc0c18f2d09bfc3aa76989d36d449db57ff95c9d3d3cb0402d8235dc712201eea4c3182ff76cbdbbe5315c116827a35fa27a3904c66396503f48370555f62791c61546e4121aa688c1c7c57d955aedd9eec2b307d4e587e1aed08679b2728acd321bc4f83ee268d8149d81bbc128c58e178cd17d2b8136b834c1e9b1d7d3d137ae9b4c27e6b1ba93df07e852"}}]}) syz_usb_disconnect(r3) csource_test.go:151: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include 
// Fallback syscall numbers, used only when the system headers included above
// do not already define them.
#ifndef SYS___stat50
#define SYS___stat50 439
#endif
#ifndef SYS_chown
#define SYS_chown 16
#endif
#ifndef SYS_compat_14___semctl
#define SYS_compat_14___semctl 220
#endif
#ifndef SYS_compat_50___msgctl13
#define SYS_compat_50___msgctl13 302
#endif
#ifndef SYS_mmap
#define SYS_mmap 197
#endif
#ifndef SYS_semctl
#define SYS_semctl 442
#endif
#ifndef SYS_semget
#define SYS_semget 221
#endif
#ifndef SYS_semop
#define SYS_semop 222
#endif

// Process index; vhci_open() formats it into the "/dev/vhci%llu" device path.
static unsigned long long procid;

// kill_and_wait sends SIGKILL to pid and then reaps children until the one
// returned by waitpid() is pid. The exit status of the last reaped child is
// left in *status.
static void kill_and_wait(int pid, int* status)
{
	kill(pid, SIGKILL);
	// waitpid(-1, ...) reaps any child; keep going until it is the one we killed.
	while (waitpid(-1, status, 0) != pid) {
	}
}

// sleep_ms suspends the caller for ms milliseconds via usleep().
static void sleep_ms(uint64_t ms)
{
	usleep(ms * 1000);
}

// current_time_ms returns CLOCK_MONOTONIC in milliseconds.
// Exits with status 1 if the clock cannot be read.
static uint64_t current_time_ms(void)
{
	struct timespec ts;
	if (clock_gettime(CLOCK_MONOTONIC, &ts))
		exit(1);
	return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}

// use_temporary_dir creates a fresh "./syzkaller.XXXXXX" directory with
// mkdtemp(), opens its permissions to 0777 and makes it the working directory.
// Any failure terminates the process with status 1.
static void use_temporary_dir(void)
{
	char tmpdir_template[] = "./syzkaller.XXXXXX";
	char* tmpdir = mkdtemp(tmpdir_template);
	if (!tmpdir)
		exit(1);
	// NOTE(review): 0777 makes the directory writable by every local user;
	// presumably acceptable only because this runs on a disposable test machine - confirm.
	if (chmod(tmpdir, 0777))
		exit(1);
	if (chdir(tmpdir))
		exit(1);
}

// remove_dir recursively deletes dir and everything below it.
// Entries are classified with lstat(), so a symbolic link to a directory is
// unlinked rather than descended into. Any unexpected failure exits with status 1.
static void __attribute__((noinline)) remove_dir(const char* dir)
{
	DIR* dp = opendir(dir);
	if (dp == NULL) {
		// An unreadable directory is still given one rmdir() attempt.
		if (errno == EACCES) {
			if (rmdir(dir))
				exit(1);
			return;
		}
		exit(1);
	}
	struct dirent* ep = 0;
	while ((ep = readdir(dp))) {
		if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0)
			continue;
		char filename[FILENAME_MAX];
		// NOTE(review): the snprintf() result is not checked, so an over-long
		// path would be truncated and the lstat()/unlink() below would act on
		// the truncated name - confirm this cannot matter for the test dirs.
		snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name);
		struct stat st;
		if (lstat(filename, &st))
			exit(1);
		if (S_ISDIR(st.st_mode)) {
			remove_dir(filename);
			continue;
		}
		if (unlink(filename)) {
			exit(1);
		}
	}
	closedir(dp);
	// The body exits on the first failure, so this loop runs rmdir() once.
	while (rmdir(dir)) {
		exit(1);
	}
}

// thread_start launches fn(arg) on a new thread with a 128 KiB stack,
// retrying up to 100 times. The thread handle is discarded, so the thread is
// never joined from here. Exits with status 1 if no thread could be created.
static void thread_start(void* (*fn)(void*), void* arg)
{
	pthread_t th;
	pthread_attr_t attr;
	pthread_attr_init(&attr);
	pthread_attr_setstacksize(&attr, 128 << 10);
	int i = 0;
	for (; i < 100; i++) {
		if (pthread_create(&th, &attr, fn, arg) == 0) {
			pthread_attr_destroy(&attr);
			return;
		}
		// NOTE(review): pthread_create() reports failure through its return
		// value and is not specified to set errno, so this test may read a
		// stale errno and skip the intended retry - confirm.
		if (errno == EAGAIN) {
			usleep(50);
			continue;
		}
		break;
	}
	exit(1);
}

// event_t is a one-shot flag guarded by a mutex and signalled through a
// condition variable.
typedef struct {
	pthread_mutex_t mu;
	pthread_cond_t cv;
	int state; // 0 = not set, 1 = set
} event_t;

// event_init prepares ev in the "not set" state; exits on initialisation failure.
static void event_init(event_t* ev)
{
	if (pthread_mutex_init(&ev->mu, 0))
		exit(1);
	if (pthread_cond_init(&ev->cv, 0))
		exit(1);
	ev->state = 0;
}

// event_reset clears the flag. It writes state without taking ev->mu.
static void event_reset(event_t* ev)
{
	ev->state = 0;
}

// event_set raises the flag and wakes all waiters.
// Setting an event that is already set is treated as fatal (exit 1).
static void event_set(event_t* ev)
{
	pthread_mutex_lock(&ev->mu);
	if (ev->state)
		exit(1);
	ev->state = 1;
	pthread_mutex_unlock(&ev->mu);
	pthread_cond_broadcast(&ev->cv);
}

// event_wait blocks until the flag is set.
static void event_wait(event_t* ev)
{
	pthread_mutex_lock(&ev->mu);
	// Loop guards against wakeups that arrive while state is still 0.
	while (!ev->state)
		pthread_cond_wait(&ev->cv, &ev->mu);
	pthread_mutex_unlock(&ev->mu);
}

// event_isset returns the current flag value, read under the mutex.
static int event_isset(event_t* ev)
{
	pthread_mutex_lock(&ev->mu);
	int res = ev->state;
	pthread_mutex_unlock(&ev->mu);
	return res;
}

// event_timedwait waits until the flag is set or about timeout milliseconds
// have passed, and returns the flag value observed at that point.
static int event_timedwait(event_t* ev, uint64_t timeout)
{
	uint64_t start = current_time_ms();
	uint64_t now = start;
	pthread_mutex_lock(&ev->mu);
	for (;;) {
		if (ev->state)
			break;
		uint64_t remain = timeout - (now - start);
		struct timespec ts;
		ts.tv_sec = remain / 1000;
		ts.tv_nsec = (remain % 1000) * 1000 * 1000;
		// NOTE(review): ts holds the remaining duration, while POSIX
		// pthread_cond_timedwait() expects an absolute deadline; the call
		// presumably times out at once, leaving this loop to poll until
		// `timeout` ms have elapsed - confirm.
		pthread_cond_timedwait(&ev->cv, &ev->mu, &ts);
		now = current_time_ms();
		if (now - start > timeout)
			break;
	}
	int res = ev->state;
	pthread_mutex_unlock(&ev->mu);
	return res;
}

// BITMASK builds a mask of bf_len one-bits starting at bit bf_off.
#define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off))
// STORE_BY_BITMASK rewrites one bitfield inside *(type*)addr: the stored word
// is passed through htobe, the field bits are cleared, (val << bf_off) is
// masked in, and the result is passed through htobe again before the store.
#define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len))))

// Packed USB descriptor layouts. parse_usb_descriptor() overlays them directly
// on the raw descriptor bytes supplied to syz_usb_connect(), so field order
// and packing must not change.
struct usb_endpoint_descriptor {
	uint8_t bLength;
	uint8_t bDescriptorType;
	uint8_t bEndpointAddress;
	uint8_t bmAttributes;
	uint16_t wMaxPacketSize;
	uint8_t bInterval;
	uint8_t bRefresh;
	uint8_t bSynchAddress;
} __attribute__((packed));

struct usb_device_descriptor {
	uint8_t bLength;
	uint8_t bDescriptorType;
	uint16_t bcdUSB;
	uint8_t bDeviceClass;
	uint8_t bDeviceSubClass;
	uint8_t bDeviceProtocol;
	uint8_t bMaxPacketSize0;
	uint16_t idVendor;
	uint16_t idProduct;
	uint16_t bcdDevice;
	uint8_t iManufacturer;
	uint8_t iProduct;
	uint8_t iSerialNumber;
	uint8_t bNumConfigurations;
} __attribute__((packed));

struct usb_config_descriptor {
	uint8_t bLength;
	uint8_t bDescriptorType;
	uint16_t wTotalLength;
	uint8_t bNumInterfaces;
	uint8_t bConfigurationValue;
	uint8_t iConfiguration;
	uint8_t bmAttributes;
	uint8_t bMaxPower;
} __attribute__((packed));

struct usb_interface_descriptor {
	uint8_t bLength;
	uint8_t bDescriptorType;
	uint8_t bInterfaceNumber;
	uint8_t bAlternateSetting;
	uint8_t bNumEndpoints;
	uint8_t bInterfaceClass;
	uint8_t bInterfaceSubClass;
	uint8_t bInterfaceProtocol;
	uint8_t iInterface;
} __attribute__((packed));

// Control request header; the connect handlers switch on bRequestType,
// bRequest and the high byte of wValue.
struct usb_ctrlrequest {
	uint8_t bRequestType;
	uint8_t bRequest;
	uint16_t wValue;
	uint16_t wIndex;
	uint16_t wLength;
} __attribute__((packed));

struct usb_qualifier_descriptor {
	uint8_t bLength;
	uint8_t bDescriptorType;
	uint16_t bcdUSB;
	uint8_t bDeviceClass;
	uint8_t bDeviceSubClass;
	uint8_t bDeviceProtocol;
	uint8_t bMaxPacketSize0;
	uint8_t bNumConfigurations;
	uint8_t bRESERVED;
} __attribute__((packed));

// Request-type field: bits 5-6 of bRequestType.
#define USB_TYPE_MASK (0x03 << 5)
#define USB_TYPE_STANDARD (0x00 << 5)
#define USB_TYPE_CLASS (0x01 << 5)
#define USB_TYPE_VENDOR (0x02 << 5)
#define USB_TYPE_RESERVED (0x03 << 5)

// Descriptor type codes (compared against bDescriptorType and wValue >> 8).
#define USB_DT_DEVICE 0x01
#define USB_DT_CONFIG 0x02
#define USB_DT_STRING 0x03
#define USB_DT_INTERFACE 0x04
#define USB_DT_ENDPOINT 0x05
#define USB_DT_DEVICE_QUALIFIER 0x06
#define USB_DT_OTHER_SPEED_CONFIG 0x07
#define USB_DT_INTERFACE_POWER 0x08
#define USB_DT_OTG 0x09
#define USB_DT_DEBUG 0x0a
#define USB_DT_INTERFACE_ASSOCIATION 0x0b
#define USB_DT_SECURITY 0x0c
#define USB_DT_KEY 0x0d
#define USB_DT_ENCRYPTION_TYPE 0x0e
#define USB_DT_BOS 0x0f
#define USB_DT_DEVICE_CAPABILITY 0x10
#define USB_DT_WIRELESS_ENDPOINT_COMP 0x11
#define USB_DT_WIRE_ADAPTER 0x21
#define USB_DT_RPIPE 0x22
#define USB_DT_CS_RADIO_CONTROL 0x23
#define USB_DT_PIPE_USAGE 0x24
#define USB_DT_SS_ENDPOINT_COMP 0x30
#define USB_DT_SSP_ISOC_ENDPOINT_COMP 0x31

// Request codes (compared against bRequest). Several names share a value.
#define USB_REQ_GET_STATUS 0x00
#define USB_REQ_CLEAR_FEATURE 0x01
#define USB_REQ_SET_FEATURE 0x03
#define USB_REQ_SET_ADDRESS 0x05
#define USB_REQ_GET_DESCRIPTOR 0x06
#define USB_REQ_SET_DESCRIPTOR 0x07
#define USB_REQ_GET_CONFIGURATION 0x08
#define USB_REQ_SET_CONFIGURATION 0x09
#define USB_REQ_GET_INTERFACE 0x0A
#define USB_REQ_SET_INTERFACE 0x0B
#define USB_REQ_SYNCH_FRAME 0x0C
#define USB_REQ_SET_SEL 0x30
#define USB_REQ_SET_ISOCH_DELAY 0x31
#define USB_REQ_SET_ENCRYPTION 0x0D
#define USB_REQ_GET_ENCRYPTION 0x0E
#define USB_REQ_RPIPE_ABORT 0x0E
#define USB_REQ_SET_HANDSHAKE 0x0F
#define USB_REQ_RPIPE_RESET 0x0F
#define USB_REQ_GET_HANDSHAKE 0x10
#define USB_REQ_SET_CONNECTION 0x11
#define USB_REQ_SET_SECURITY_DATA 0x12
#define USB_REQ_GET_SECURITY_DATA 0x13
#define USB_REQ_SET_WUSB_DATA 0x14
#define USB_REQ_LOOPBACK_DATA_WRITE 0x15
#define USB_REQ_LOOPBACK_DATA_READ 0x16
#define USB_REQ_SET_INTERFACE_DS 0x17
#define USB_REQ_GET_PARTNER_PDO 20
#define USB_REQ_GET_BATTERY_STATUS 21
#define USB_REQ_SET_PDO 22
#define USB_REQ_GET_VDM 23
#define USB_REQ_SEND_VDM 24

// Capacity limits of the fixed-size index tables below; the parser checks
// them before every insert.
#define USB_MAX_IFACE_NUM 4
#define USB_MAX_EP_NUM 32
#define USB_MAX_FDS 6

// One endpoint: a copy of its descriptor plus a handle slot.
struct usb_endpoint_index {
	struct usb_endpoint_descriptor desc;
	int handle;
};

// One interface: a pointer into the caller's descriptor buffer, the fields
// cached from it, and the endpoints that followed it in the buffer.
struct usb_iface_index {
	struct usb_interface_descriptor* iface;
	uint8_t bInterfaceNumber;
	uint8_t bAlternateSetting;
	uint8_t bInterfaceClass;
	struct usb_endpoint_index eps[USB_MAX_EP_NUM];
	int eps_num;
};

// Parsed view of one emulated device. dev and config point into the buffer
// handed to parse_usb_descriptor(); they are not copies, so that buffer has to
// stay valid for as long as the index is used.
struct usb_device_index {
	struct usb_device_descriptor* dev;
	struct usb_config_descriptor* config;
	uint8_t bDeviceClass;
	uint8_t bMaxPower;
	int config_length;
	struct usb_iface_index ifaces[USB_MAX_IFACE_NUM];
	int ifaces_num;
	int iface_cur;
};

// Table slot that binds a file descriptor to its parsed device index.
struct usb_info {
	int fd;
	struct usb_device_index index;
};

static struct usb_info usb_devices[USB_MAX_FDS];

// lookup_usb_index returns the index registered for fd, or NULL if none.
// The acquire load pairs with the release store of fd in add_usb_index(), so
// an index is only handed out after it has been fully populated.
static struct usb_device_index* lookup_usb_index(int fd)
{
	for (int i = 0; i < USB_MAX_FDS; i++) {
		// Zero-initialised slots hold fd 0, so a lookup for descriptor 0
		// would match an unused slot.
		if (__atomic_load_n(&usb_devices[i].fd, __ATOMIC_ACQUIRE) == fd)
			return &usb_devices[i].index;
	}
	return NULL;
}

// Slot counter for usb_devices; add_usb_index() increments it atomically and
// rejects values at or above USB_MAX_FDS.
static int usb_devices_num;
static bool parse_usb_descriptor(const char* buffer, size_t length, struct usb_device_index* index) { if (length < sizeof(*index->dev) + sizeof(*index->config)) return false; memset(index, 0, sizeof(*index)); index->dev = (struct usb_device_descriptor*)buffer; index->config = (struct usb_config_descriptor*)(buffer + sizeof(*index->dev)); index->bDeviceClass = index->dev->bDeviceClass; index->bMaxPower = index->config->bMaxPower; index->config_length = length - sizeof(*index->dev); index->iface_cur = -1; size_t offset = 0; while (true) { if (offset + 1 >= length) break; uint8_t desc_length = buffer[offset]; uint8_t desc_type = buffer[offset + 1]; if (desc_length <= 2) break; if (offset + desc_length > length) break; if (desc_type == USB_DT_INTERFACE && index->ifaces_num < USB_MAX_IFACE_NUM) { struct usb_interface_descriptor* iface = (struct usb_interface_descriptor*)(buffer + offset); index->ifaces[index->ifaces_num].iface = iface; index->ifaces[index->ifaces_num].bInterfaceNumber = iface->bInterfaceNumber; index->ifaces[index->ifaces_num].bAlternateSetting = iface->bAlternateSetting; index->ifaces[index->ifaces_num].bInterfaceClass = iface->bInterfaceClass; index->ifaces_num++; } if (desc_type == USB_DT_ENDPOINT && index->ifaces_num > 0) { struct usb_iface_index* iface = &index->ifaces[index->ifaces_num - 1]; if (iface->eps_num < USB_MAX_EP_NUM) { memcpy(&iface->eps[iface->eps_num].desc, buffer + offset, sizeof(iface->eps[iface->eps_num].desc)); iface->eps_num++; } } offset += desc_length; } return true; } static struct usb_device_index* add_usb_index(int fd, const char* dev, size_t dev_len) { int i = __atomic_fetch_add(&usb_devices_num, 1, __ATOMIC_RELAXED); if (i >= USB_MAX_FDS) return NULL; if (!parse_usb_descriptor(dev, dev_len, &usb_devices[i].index)) return NULL; __atomic_store_n(&usb_devices[i].fd, fd, __ATOMIC_RELEASE); return &usb_devices[i].index; } struct vusb_connect_string_descriptor { uint32_t len; char* str; } __attribute__((packed)); struct 
vusb_connect_descriptors { uint32_t qual_len; char* qual; uint32_t bos_len; char* bos; uint32_t strs_len; struct vusb_connect_string_descriptor strs[0]; } __attribute__((packed)); static const char default_string[] = { 8, USB_DT_STRING, 's', 0, 'y', 0, 'z', 0 }; static const char default_lang_id[] = { 4, USB_DT_STRING, 0x09, 0x04 }; static bool lookup_connect_response_in(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, struct usb_qualifier_descriptor* qual, char** response_data, uint32_t* response_length) { struct usb_device_index* index = lookup_usb_index(fd); uint8_t str_idx; if (!index) return false; switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_GET_DESCRIPTOR: switch (ctrl->wValue >> 8) { case USB_DT_DEVICE: *response_data = (char*)index->dev; *response_length = sizeof(*index->dev); return true; case USB_DT_CONFIG: *response_data = (char*)index->config; *response_length = index->config_length; return true; case USB_DT_STRING: str_idx = (uint8_t)ctrl->wValue; if (descs && str_idx < descs->strs_len) { *response_data = descs->strs[str_idx].str; *response_length = descs->strs[str_idx].len; return true; } if (str_idx == 0) { *response_data = (char*)&default_lang_id[0]; *response_length = default_lang_id[0]; return true; } *response_data = (char*)&default_string[0]; *response_length = default_string[0]; return true; case USB_DT_BOS: *response_data = descs->bos; *response_length = descs->bos_len; return true; case USB_DT_DEVICE_QUALIFIER: if (!descs->qual) { qual->bLength = sizeof(*qual); qual->bDescriptorType = USB_DT_DEVICE_QUALIFIER; qual->bcdUSB = index->dev->bcdUSB; qual->bDeviceClass = index->dev->bDeviceClass; qual->bDeviceSubClass = index->dev->bDeviceSubClass; qual->bDeviceProtocol = index->dev->bDeviceProtocol; qual->bMaxPacketSize0 = index->dev->bMaxPacketSize0; qual->bNumConfigurations = index->dev->bNumConfigurations; qual->bRESERVED = 0; *response_data 
= (char*)qual; *response_length = sizeof(*qual); return true; } *response_data = descs->qual; *response_length = descs->qual_len; return true; default: break; } break; default: break; } break; default: break; } return false; } typedef bool (*lookup_connect_out_response_t)(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done); static bool lookup_connect_response_out_generic(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done) { switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_SET_CONFIGURATION: *done = true; return true; default: break; } break; } return false; } static int vhci_open(void) { char path[1024]; snprintf(path, sizeof(path), "/dev/vhci%llu", procid); return open(path, O_RDWR); } static int vhci_setport(int fd, u_int port) { struct vhci_ioc_set_port args; args.port = port; return ioctl(fd, VHCI_IOC_SET_PORT, &args); } static int vhci_usb_attach(int fd) { return ioctl(fd, VHCI_IOC_USB_ATTACH, NULL); } static int vhci_usb_recv(int fd, void* buf, size_t size) { uint8_t* ptr = (uint8_t*)buf; while (1) { ssize_t done = read(fd, ptr, size); if (done < 0) return -1; if ((size_t)done == size) return 0; size -= done; ptr += done; } } static int vhci_usb_send(int fd, void* buf, size_t size) { uint8_t* ptr = (uint8_t*)buf; while (1) { ssize_t done = write(fd, ptr, size); if (done <= 0) return -1; if ((size_t)done == size) return 0; size -= done; ptr += done; } } static volatile long syz_usb_connect_impl(int fd, uint64_t speed, uint64_t dev_len, const char* dev, const struct vusb_connect_descriptors* descs, lookup_connect_out_response_t lookup_connect_response_out) { struct usb_device_index* index = add_usb_index(fd, dev, dev_len); if (!index) { return -1; } if (vhci_setport(fd, 1)) exit(1); if (vhci_usb_attach(fd)) { return -1; } bool done = false; while (!done) { vhci_request_t req; if (vhci_usb_recv(fd, &req, 
sizeof(req))) { return -1; } if (req.type != VHCI_REQ_CTRL) { return -1; } char* response_data = NULL; uint32_t response_length = 0; struct usb_qualifier_descriptor qual; char data[4096]; if (req.u.ctrl.bmRequestType & UE_DIR_IN) { if (!lookup_connect_response_in(fd, descs, (const struct usb_ctrlrequest*)&req.u.ctrl, &qual, &response_data, &response_length)) { return -1; } } else { if (!lookup_connect_response_out(fd, descs, (const struct usb_ctrlrequest*)&req.u.ctrl, &done)) { return -1; } response_data = NULL; response_length = UGETW(req.u.ctrl.wLength); } if ((req.u.ctrl.bmRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD && req.u.ctrl.bRequest == USB_REQ_SET_CONFIGURATION) { } if (response_length > sizeof(data)) response_length = 0; if ((uint32_t)UGETW(req.u.ctrl.wLength) < response_length) response_length = UGETW(req.u.ctrl.wLength); if (response_data) memcpy(data, response_data, response_length); else memset(data, 0, response_length); int rv = 0; if (req.u.ctrl.bmRequestType & UE_DIR_IN) { if (response_length > 0) { vhci_response_t res; res.size = response_length; rv = vhci_usb_send(fd, &res, sizeof(res)); if (rv == 0) rv = vhci_usb_send(fd, data, response_length); } } else { rv = vhci_usb_recv(fd, data, response_length); } if (rv < 0) { return -1; } } sleep_ms(200); return fd; } static volatile long syz_usb_connect(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { uint64_t speed = a0; uint64_t dev_len = a1; const char* dev = (const char*)a2; const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3; if (!dev) { return -1; } int fd = vhci_open(); if (fd < 0) exit(1); long res = syz_usb_connect_impl(fd, speed, dev_len, dev, descs, &lookup_connect_response_out_generic); close(fd); return res; } static volatile long syz_usb_disconnect(volatile long a0) { int fd = a0; int rv = close(fd); sleep_ms(200); return rv; } static void setup_fault(void) { if (chmod("/dev/fault", 0666)) exit(1); } static int 
inject_fault(int nth) { struct fault_ioc_enable en; int fd; fd = open("/dev/fault", O_RDWR); if (fd == -1) exit(1); en.scope = FAULT_SCOPE_LWP; en.mode = 0; en.nth = nth + 1; if (ioctl(fd, FAULT_IOC_ENABLE, &en) != 0) exit(1); return fd; } static void sandbox_common() { struct rlimit rlim; rlim.rlim_cur = rlim.rlim_max = 8 << 20; setrlimit(RLIMIT_MEMLOCK, &rlim); rlim.rlim_cur = rlim.rlim_max = 1 << 20; setrlimit(RLIMIT_FSIZE, &rlim); rlim.rlim_cur = rlim.rlim_max = 1 << 20; setrlimit(RLIMIT_STACK, &rlim); rlim.rlim_cur = rlim.rlim_max = 0; setrlimit(RLIMIT_CORE, &rlim); rlim.rlim_cur = rlim.rlim_max = 256; setrlimit(RLIMIT_NOFILE, &rlim); } static void loop(); static int do_sandbox_none(void) { sandbox_common(); loop(); return 0; } static long syz_execute_func(volatile long text) { ((void (*)(void))(text))(); return 0; } struct thread_t { int created, call; event_t ready, done; }; static struct thread_t threads[16]; static void execute_call(int call); static int running; static void* thr(void* arg) { struct thread_t* th = (struct thread_t*)arg; for (;;) { event_wait(&th->ready); event_reset(&th->ready); execute_call(th->call); __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED); event_set(&th->done); } return 0; } static void execute_one(void) { int i, call, thread; for (call = 0; call < 14; call++) { for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) { struct thread_t* th = &threads[thread]; if (!th->created) { th->created = 1; event_init(&th->ready); event_init(&th->done); event_set(&th->done); thread_start(thr, th); } if (!event_isset(&th->done)) continue; event_reset(&th->done); th->call = call; __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED); event_set(&th->ready); if (call == 1) break; event_timedwait(&th->done, 50 + (call == 11 ? 3000 : 0) + (call == 12 ? 3000 : 0) + (call == 13 ? 
300 : 0)); break; } } for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++) sleep_ms(1); } static void execute_one(void); #define WAIT_FLAGS 0 static void loop(void) { int iter = 0; for (;; iter++) { char cwdbuf[32]; sprintf(cwdbuf, "./%d", iter); if (mkdir(cwdbuf, 0777)) exit(1); int pid = fork(); if (pid < 0) exit(1); if (pid == 0) { if (chdir(cwdbuf)) exit(1); execute_one(); exit(0); } int status = 0; uint64_t start = current_time_ms(); for (;;) { if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) break; sleep_ms(1); if (current_time_ms() - start < 5000) continue; kill_and_wait(pid, &status); break; } remove_dir(cwdbuf); } } uint64_t r[4] = {0x0, 0x0, 0x0, 0xffffffffffffffff}; void execute_call(int call) { intptr_t res = 0; switch (call) { case 0: memcpy((void*)0x20000000, "./file0\000", 8); inject_fault(1); res = syscall(SYS___stat50, 0x20000000ul, 0x20000040ul); if (res != -1) { r[0] = *(uint32_t*)0x2000005c; r[1] = *(uint32_t*)0x20000060; } break; case 1: *(uint32_t*)0x20000200 = 0x5a3e; *(uint32_t*)0x20000204 = 0; *(uint32_t*)0x20000208 = r[1]; *(uint32_t*)0x2000020c = -1; *(uint32_t*)0x20000210 = -1; *(uint32_t*)0x20000214 = 0x20; *(uint16_t*)0x20000218 = 0x400; *(uint16_t*)0x2000021a = 0; *(uint64_t*)0x20000220 = 0; *(uint64_t*)0x20000228 = 0; *(uint64_t*)0x20000230 = 9; *(uint64_t*)0x20000238 = 0x62e81dc5; *(uint32_t*)0x20000240 = 0x81; *(uint32_t*)0x20000244 = 5; *(uint64_t*)0x20000248 = 4; *(uint64_t*)0x20000250 = 8; *(uint64_t*)0x20000258 = 9; *(uint64_t*)0x20000260 = 0x20000100; *(uint64_t*)0x20000100 = 0; *(uint64_t*)0x20000108 = 0x20e1; *(uint16_t*)0x20000110 = 0xfffd; *(uint16_t*)0x20000112 = 1; *(uint64_t*)0x20000268 = 0x200001c0; *(uint64_t*)0x200001c0 = 0x20000180; *(uint64_t*)0x20000180 = 0x20000140; *(uint64_t*)0x20000140 = 0; *(uint64_t*)0x20000148 = 0x7ff; *(uint16_t*)0x20000150 = 9; *(uint16_t*)0x20000152 = 1; *(uint64_t*)0x20000188 = 0x8000000000000000; *(uint16_t*)0x20000190 = 6; *(uint16_t*)0x20000192 = 8; 
*(uint64_t*)0x200001c8 = 8; *(uint16_t*)0x200001d0 = 5; *(uint16_t*)0x200001d2 = 0x20; *(uint64_t*)0x20000270 = 0x400; syscall(SYS_compat_50___msgctl13, 0, 1ul, 0x20000200ul); break; case 2: memcpy((void*)0x20000280, "./file0\000", 8); syscall(SYS_chown, 0x20000280ul, r[0], 0); { int i; for(i = 0; i < 4; i++) { syscall(SYS_chown, 0x20000280ul, r[0], 0); } } break; case 3: syscall(SYS_compat_14___semctl, 0, 0ul, 6ul, 0x200002c0ul); break; case 4: *(uint64_t*)0x20000380 = 0x20000340; *(uint32_t*)0x20000340 = r[0]; *(uint32_t*)0x20000344 = r[1]; *(uint32_t*)0x20000348 = 0x80; *(uint32_t*)0x2000034c = 0x5a3; *(uint32_t*)0x20000350 = 0x100; *(uint16_t*)0x20000354 = 1; *(uint64_t*)0x20000358 = 0x4897; *(uint16_t*)0x20000360 = 0x7fff; *(uint64_t*)0x20000368 = 7; *(uint64_t*)0x20000370 = 0; *(uint64_t*)0x20000378 = 0x20000300; *(uint16_t*)0x20000300 = 0x800; *(uint32_t*)0x20000304 = 7; *(uint16_t*)0x20000308 = 2; *(uint16_t*)0x2000030a = 9; syscall(SYS_compat_14___semctl, -1, 0ul, 8ul, 0x20000380ul); break; case 5: syscall(SYS_semctl, -1, 4ul, 3ul, 0x200003c0ul); break; case 6: res = syscall(SYS_semget, 0ul, 3ul, 2ul); if (res != -1) r[2] = res; break; case 7: syscall(SYS_compat_14___semctl, r[2], 0ul, 3ul, 0); break; case 8: *(uint16_t*)0x20000400 = 4; *(uint16_t*)0x20000402 = 7; *(uint16_t*)0x20000404 = 0x2000; *(uint16_t*)0x20000406 = 4; *(uint16_t*)0x20000408 = 0x1f; *(uint16_t*)0x2000040a = 0x800; *(uint16_t*)0x2000040c = 1; *(uint16_t*)0x2000040e = 7; *(uint16_t*)0x20000410 = 0x400; syscall(SYS_semop, r[2], 0x20000400ul, 3ul); break; case 9: syscall(SYS_compat_14___semctl, r[2], 0ul, 2ul, 0x20000440ul); break; case 10: memcpy((void*)0x20000040, "\xc4\x21\xc1\x6d\x14\x9f\xc4\x62\xba\xf7\x6f\xed\x26\x66\x45\x0f\x38\x00\x81\x3b\xe7\x0e\xb1\x66\x40\x25\x36\x33\xf0\x40\x81\x82\xa0\xbc\x30\x22\x00\x80\x00\x00\xc4\x82\x81\x92\x6c\xd9\x92\x66\x0f\x4f\x99\xc0\xf8\x00\x00\x36\x26\x66\x0f\x12\x4e\x32\xf2\x6e\x66\x0f\x38\x2a\xb5\x00\x00\x00\x80", 73); 
syz_execute_func(0x20000040); break; case 11: *(uint8_t*)0x20000100 = 0x12; *(uint8_t*)0x20000101 = 1; *(uint16_t*)0x20000102 = 0x300; *(uint8_t*)0x20000104 = 0; *(uint8_t*)0x20000105 = 0; *(uint8_t*)0x20000106 = 0; *(uint8_t*)0x20000107 = 0xbf; *(uint16_t*)0x20000108 = 0; *(uint16_t*)0x2000010a = 0; *(uint16_t*)0x2000010c = 0; *(uint8_t*)0x2000010e = 1; *(uint8_t*)0x2000010f = 2; *(uint8_t*)0x20000110 = 3; *(uint8_t*)0x20000111 = 1; *(uint8_t*)0x20000112 = 9; *(uint8_t*)0x20000113 = 2; *(uint16_t*)0x20000114 = 0x76c; *(uint8_t*)0x20000116 = 3; *(uint8_t*)0x20000117 = 7; *(uint8_t*)0x20000118 = 0x17; *(uint8_t*)0x20000119 = 0x30; *(uint8_t*)0x2000011a = 0x3d; *(uint8_t*)0x2000011b = 9; *(uint8_t*)0x2000011c = 4; *(uint8_t*)0x2000011d = 0x8e; *(uint8_t*)0x2000011e = 0; *(uint8_t*)0x2000011f = 0; *(uint8_t*)0x20000120 = 0; *(uint8_t*)0x20000121 = 0; *(uint8_t*)0x20000122 = 0; *(uint8_t*)0x20000123 = 0x62; *(uint8_t*)0x20000124 = 0x12; *(uint8_t*)0x20000125 = 0x24; *(uint8_t*)0x20000126 = 2; *(uint8_t*)0x20000127 = 2; *(uint16_t*)0x20000128 = 0x1f; *(uint16_t*)0x2000012a = 7; *(uint8_t*)0x2000012c = 0x7f; memcpy((void*)0x2000012d, "\x11\xc0\x68\x24\x60\x6e\x6e\x24\x1d", 9); *(uint8_t*)0x20000136 = 9; *(uint8_t*)0x20000137 = 4; *(uint8_t*)0x20000138 = 0; *(uint8_t*)0x20000139 = 0x3f; *(uint8_t*)0x2000013a = 0xd; *(uint8_t*)0x2000013b = 0; *(uint8_t*)0x2000013c = 0; *(uint8_t*)0x2000013d = 0; *(uint8_t*)0x2000013e = 0x1f; *(uint8_t*)0x2000013f = 0xe0; *(uint8_t*)0x20000140 = 0xa; memcpy((void*)0x20000141, 
"\xb7\x1a\xa8\xdb\xef\x28\xec\x50\x8e\x40\xe5\x7e\x0f\x21\xe5\x1c\xeb\x5e\xac\xb8\x0b\xb3\xf7\xed\x35\xe2\x9b\xad\x26\x5b\x99\xdb\xbc\xbb\x65\x5b\x87\xcb\xc7\x76\x84\x37\x03\xa8\x76\xdc\x2d\xd2\x21\x6c\x56\x77\x1d\xd1\x3f\x2c\xae\x3e\xae\x77\x25\x86\xca\xcf\x7c\xdb\x24\xa9\x18\x92\x4b\xa3\x42\xe5\xa8\x4c\xb7\x75\x41\x17\x2a\x5b\x41\x00\xbc\xd7\x21\xc0\x0b\xcc\x1d\x59\x0d\x5b\xae\x2e\x60\x2b\x8a\x29\xaa\x64\x95\x16\xb3\x9d\x74\x5c\x54\x66\x13\x73\x0d\xec\x49\x57\xdf\x6d\xc6\x59\x19\x93\xb9\x02\x7a\xfe\x3e\xb2\x17\x2a\x49\xb3\xb5\x89\xf5\x32\x2c\xc7\x6f\xd4\x21\xd8\xb9\xac\xaf\x9f\x32\x6c\x83\x52\x14\xaa\x33\xda\x00\x4a\xda\xae\x66\x89\xef\xeb\xb0\x28\xa6\x49\xb7\xed\xc8\x23\x33\xf8\x9f\xd1\x00\xb6\xda\x5d\x60\xc3\xe1\x34\x9b\xd3\x0d\x2c\xff\x8a\xe5\x6c\xcb\xed\x46\xe0\x9f\x66\x62\xc6\xb2\xc2\xe7\xcb\xd8\x87\xfb\xc4\x47\xdb\x5d\x68\x87\xeb\x1c\xc1\x37\x8e\xd3\x10\xec\x7d\x00\x4c", 222); *(uint8_t*)0x2000021f = 0xb; *(uint8_t*)0x20000220 = 0x24; *(uint8_t*)0x20000221 = 6; *(uint8_t*)0x20000222 = 0; *(uint8_t*)0x20000223 = 1; memcpy((void*)0x20000224, "\x4b\x66\xfa\xfb\xc9\xe4", 6); *(uint8_t*)0x2000022a = 5; *(uint8_t*)0x2000022b = 0x24; *(uint8_t*)0x2000022c = 0; *(uint16_t*)0x2000022d = 6; *(uint8_t*)0x2000022f = 0xd; *(uint8_t*)0x20000230 = 0x24; *(uint8_t*)0x20000231 = 0xf; *(uint8_t*)0x20000232 = 1; *(uint32_t*)0x20000233 = 0x80000000; *(uint16_t*)0x20000237 = 4; *(uint16_t*)0x20000239 = 0; *(uint8_t*)0x2000023b = 0; *(uint8_t*)0x2000023c = 6; *(uint8_t*)0x2000023d = 0x24; *(uint8_t*)0x2000023e = 0x1a; *(uint16_t*)0x2000023f = 0xfffa; *(uint8_t*)0x20000241 = 0x12; *(uint8_t*)0x20000242 = 5; *(uint8_t*)0x20000243 = 0x24; *(uint8_t*)0x20000244 = 0x15; *(uint16_t*)0x20000245 = 5; *(uint8_t*)0x20000247 = 0x15; *(uint8_t*)0x20000248 = 0x24; *(uint8_t*)0x20000249 = 0x12; *(uint16_t*)0x2000024a = 5; *(uint64_t*)0x2000024c = 0x14f5e048ba817a3; *(uint64_t*)0x20000254 = 0x2a397ecbffc007a6; *(uint8_t*)0x2000025c = 7; *(uint8_t*)0x2000025d = 0x24; *(uint8_t*)0x2000025e = 
0x14; *(uint16_t*)0x2000025f = 4; *(uint16_t*)0x20000261 = 0; *(uint8_t*)0x20000263 = 0xe5; *(uint8_t*)0x20000264 = 0x24; *(uint8_t*)0x20000265 = 0x13; *(uint8_t*)0x20000266 = 7; memcpy((void*)0x20000267, "\x8f\x0d\x5f\x90\xcf\x98\xb4\x79\xfa\xe0\x69\xbf\xd8\x3c\x7e\x4e\xf5\xaf\xe0\x12\x49\x5f\x0e\xe2\x30\x62\xfe\x5f\x81\xbe\x0e\xf8\x2f\xf4\x10\x31\x8f\x82\xc5\x30\x0b\xa5\xa5\xad\x17\x5d\xac\xf7\x41\xe1\xd1\x95\x6b\x8b\xb1\x56\xe5\xb5\x46\x64\x4c\x17\x50\x91\x6d\x03\x81\xb4\x9c\x7b\xd1\x60\x32\x3b\xde\x2f\xf8\xc1\x37\x9a\x31\x9c\x3a\xdd\x3f\xbd\x86\xaa\x16\x97\x49\xf6\x10\x88\x44\xbd\x19\x64\x4c\xaf\xeb\xba\x5d\x70\x98\x9e\x95\x14\x43\x00\xd6\xb5\x08\xed\xd1\x66\x2f\x75\x98\x28\xaa\xd7\x8d\x18\xd7\x10\x55\x3c\xb7\xf5\xdf\x43\xb7\xb5\x60\xbb\x4f\x48\x69\xde\x9e\xbe\x5e\x12\x63\x56\x50\x7d\x10\xf2\xc8\xd9\xb8\x3f\x66\x1f\xbf\x0b\xd5\x13\x1c\xe9\xc0\x59\xb6\x0e\x62\x0d\xa0\xf7\x51\x6a\xd6\xd7\x0c\x75\xde\x7d\xd4\xb3\x7d\x9c\x37\x91\x34\xe6\x03\x6d\xf4\x28\xe1\xf5\x41\xdb\xee\x9f\x58\xa4\xa3\x74\xff\x6c\xb6\xae\x04\x68\xf4\x9c\x61\x64\x18\xa2\x76\x00\x66\x45\x74\x39\x95\x2b\xb5\xb9\x3f\x4f\x33", 225); *(uint8_t*)0x20000348 = 0x15; *(uint8_t*)0x20000349 = 0x24; *(uint8_t*)0x2000034a = 0x12; *(uint16_t*)0x2000034b = 0xec; *(uint64_t*)0x2000034d = 0x14f5e048ba817a3; *(uint64_t*)0x20000355 = 0x2a397ecbffc007a6; *(uint8_t*)0x2000035d = 9; *(uint8_t*)0x2000035e = 5; *(uint8_t*)0x2000035f = 0xf; *(uint8_t*)0x20000360 = 0x1d; *(uint16_t*)0x20000361 = 0x10; *(uint8_t*)0x20000363 = 0; *(uint8_t*)0x20000364 = 0x80; *(uint8_t*)0x20000365 = 0x74; *(uint8_t*)0x20000366 = 9; *(uint8_t*)0x20000367 = 5; *(uint8_t*)0x20000368 = 2; *(uint8_t*)0x20000369 = 3; *(uint16_t*)0x2000036a = 0x10; *(uint8_t*)0x2000036c = 0x9f; *(uint8_t*)0x2000036d = 0x7d; *(uint8_t*)0x2000036e = -1; *(uint8_t*)0x2000036f = 0x52; *(uint8_t*)0x20000370 = 0xe; memcpy((void*)0x20000371, 
"\xec\xf4\xce\x49\x2b\x20\xb2\xd5\x08\xa9\x18\x0c\x01\x19\x2d\x8e\x12\x4f\x6e\x79\x0a\xed\xfc\x35\x21\x3b\x1d\x14\xc6\x8c\x63\x68\x66\x31\xf6\x97\x53\x2d\xa0\x05\xbc\x50\x13\xd6\x2c\x6d\x5c\x18\xb5\xc5\xc4\xf2\x26\x3b\x42\xb5\x82\xb7\x33\x3b\x47\x37\x3c\xdf\x66\x61\x59\x74\x5a\x6a\x53\xd5\x18\xa4\xae\x7c\x51\xab\xaa\xa8", 80); *(uint8_t*)0x200003c1 = 0x15; *(uint8_t*)0x200003c2 = 0x23; memcpy((void*)0x200003c3, "\xdc\x33\x3e\xa4\xd2\xd7\x35\x1e\xc6\xd2\x73\xb6\x8c\xe3\xd5\xd1\xe2\xc2\xcf", 19); *(uint8_t*)0x200003d6 = 9; *(uint8_t*)0x200003d7 = 5; *(uint8_t*)0x200003d8 = 0xb; *(uint8_t*)0x200003d9 = 0; *(uint16_t*)0x200003da = 0x10; *(uint8_t*)0x200003dc = 4; *(uint8_t*)0x200003dd = 9; *(uint8_t*)0x200003de = 0; *(uint8_t*)0x200003df = 7; *(uint8_t*)0x200003e0 = 0x25; *(uint8_t*)0x200003e1 = 1; *(uint8_t*)0x200003e2 = 0; *(uint8_t*)0x200003e3 = 5; *(uint16_t*)0x200003e4 = 0xfffc; *(uint8_t*)0x200003e6 = 0x35; *(uint8_t*)0x200003e7 = 2; memcpy((void*)0x200003e8, "\x59\xa6\x60\x19\xfb\x9a\xdf\xb5\x95\x09\x97\x71\x2b\x8b\x3c\x1c\xb4\xc4\xa0\xab\xbf\x8e\xa4\x1d\xd4\xdd\x59\x36\xbd\xe7\xfb\xe2\x3f\xf6\x42\xc1\x76\xc3\x55\xef\x47\x28\x02\x2f\x3d\x7d\x83\x38\x60\xfb\xcf", 51); *(uint8_t*)0x2000041b = 9; *(uint8_t*)0x2000041c = 5; *(uint8_t*)0x2000041d = 0; *(uint8_t*)0x2000041e = 0x10; *(uint16_t*)0x2000041f = 8; *(uint8_t*)0x20000421 = 1; *(uint8_t*)0x20000422 = 1; *(uint8_t*)0x20000423 = 0; *(uint8_t*)0x20000424 = 9; *(uint8_t*)0x20000425 = 5; *(uint8_t*)0x20000426 = 1; *(uint8_t*)0x20000427 = 2; *(uint16_t*)0x20000428 = 0; *(uint8_t*)0x2000042a = 0; *(uint8_t*)0x2000042b = 9; *(uint8_t*)0x2000042c = 6; *(uint8_t*)0x2000042d = 7; *(uint8_t*)0x2000042e = 0x25; *(uint8_t*)0x2000042f = 1; *(uint8_t*)0x20000430 = 3; *(uint8_t*)0x20000431 = 9; *(uint16_t*)0x20000432 = 0x9f36; *(uint8_t*)0x20000434 = 7; *(uint8_t*)0x20000435 = 0x25; *(uint8_t*)0x20000436 = 1; *(uint8_t*)0x20000437 = 3; *(uint8_t*)0x20000438 = 9; *(uint16_t*)0x20000439 = 3; *(uint8_t*)0x2000043b = 9; 
*(uint8_t*)0x2000043c = 5; *(uint8_t*)0x2000043d = 0xc; *(uint8_t*)0x2000043e = 0x10; *(uint16_t*)0x2000043f = 0x200; *(uint8_t*)0x20000441 = 0x15; *(uint8_t*)0x20000442 = 2; *(uint8_t*)0x20000443 = 0; *(uint8_t*)0x20000444 = 0x5b; *(uint8_t*)0x20000445 = 0x23; memcpy((void*)0x20000446, "\x19\x25\x29\x4e\x2c\x16\x95\x4f\x83\x13\x82\x5e\x71\xea\x53\x6e\x70\x77\xd7\x13\x0c\xee\x3a\x80\x2c\xb3\xc8\x00\x5e\xf6\xd9\x21\x10\x68\x28\x6c\x7a\x4c\x20\xcb\x87\xfd\x2c\xdc\x5a\xee\xdb\x17\x1f\xd6\x7d\xdc\x74\xc3\xf0\x29\xaa\xb0\xbf\xa9\xa6\x3e\x5d\xe5\xa5\x35\x79\x66\x6c\xef\x0f\xb7\xc8\x76\xef\xc0\xa5\xd3\x38\x2c\x34\x6e\x1f\x9a\x78\xb7\x35\x6c\x22", 89); *(uint8_t*)0x2000049f = 9; *(uint8_t*)0x200004a0 = 5; *(uint8_t*)0x200004a1 = 0xb; *(uint8_t*)0x200004a2 = 0; *(uint16_t*)0x200004a3 = 0x40; *(uint8_t*)0x200004a5 = 0x18; *(uint8_t*)0x200004a6 = 0x3f; *(uint8_t*)0x200004a7 = 8; *(uint8_t*)0x200004a8 = 9; *(uint8_t*)0x200004a9 = 5; *(uint8_t*)0x200004aa = 0xd; *(uint8_t*)0x200004ab = 1; *(uint16_t*)0x200004ac = 0; *(uint8_t*)0x200004ae = 9; *(uint8_t*)0x200004af = -1; *(uint8_t*)0x200004b0 = 3; *(uint8_t*)0x200004b1 = 0xdc; *(uint8_t*)0x200004b2 = 0x23; memcpy((void*)0x200004b3, 
"\xcc\xd5\x3f\xc8\x11\x56\xa9\x1f\xf4\x26\xeb\x00\x1f\xbf\x43\xc8\x55\x1f\xda\x17\x0e\xd3\x6a\x97\xeb\xa7\xa3\x2c\x31\x15\xec\x5e\x9a\x81\x82\x73\x40\x12\xaa\x12\xdd\xcc\x6e\x93\xd8\x5e\xaa\xfb\xda\x4a\xb1\xcf\xf6\xbc\xb2\xaf\xec\xd8\xaa\x8c\x58\xb2\x7a\x75\xe5\xa4\xdd\xc5\x0c\xc6\x73\xed\xc8\x2f\xf1\x31\x15\xeb\x8f\x50\xdd\xd1\xed\x26\x95\x33\x7c\xa8\x5b\x88\x26\x4d\xb5\x9e\xb1\x30\x42\x16\xa3\x01\xd4\x2f\x29\x02\xd5\xc0\x6b\x17\x59\x2b\xb2\x1d\x2a\xf1\xd0\x92\xf5\xd7\x37\x3a\xef\xdb\x90\x7f\xfc\x81\x79\xab\xd6\x8b\x11\xef\x10\xbe\x84\x4e\x03\x81\x68\x06\xf0\x45\xf0\xa5\xef\x3b\xa0\xac\x5b\xd8\x43\xa4\x6f\xa3\xb7\x2b\x86\x2d\xe1\x72\x86\x47\xad\xc3\xf3\xbb\xcd\x53\xce\x88\x1e\x6b\x5a\x6c\x6e\xc7\x97\xd3\x2c\xc1\x39\x18\xe3\xda\x4b\x3e\xa2\x0d\xd6\x89\x3c\x2c\x7c\xa4\x7a\xa5\x1b\xee\x04\x7a\x36\x1f\xef\xf7\x16\xce\xf3\xda\xe5\x0b\x6c\xa7\x2a\x2b\x76\x4f\xa4\xcf", 218); *(uint8_t*)0x2000058d = 7; *(uint8_t*)0x2000058e = 0x25; *(uint8_t*)0x2000058f = 1; *(uint8_t*)0x20000590 = 0x80; *(uint8_t*)0x20000591 = 5; *(uint16_t*)0x20000592 = 0x3f; *(uint8_t*)0x20000594 = 9; *(uint8_t*)0x20000595 = 5; *(uint8_t*)0x20000596 = 1; *(uint8_t*)0x20000597 = 2; *(uint16_t*)0x20000598 = 0x20; *(uint8_t*)0x2000059a = 0xb9; *(uint8_t*)0x2000059b = 0x86; *(uint8_t*)0x2000059c = 0x40; *(uint8_t*)0x2000059d = 0x84; *(uint8_t*)0x2000059e = 8; memcpy((void*)0x2000059f, "\xab\x51\x4d\xeb\xe1\x6a\xea\x41\xf0\x67\xe8\x46\xf8\x93\x9c\x5d\x4f\x6f\xce\x3a\x7d\x25\xea\xee\x2c\x06\x51\xf9\x2f\xe2\x44\x17\xbd\xf9\x25\x6f\x3f\x9b\x58\x34\x92\xb2\xe4\xfe\x6b\x2b\x4b\xad\x9c\x1f\x4a\x8b\x26\xd7\x4c\x60\xae\xda\x94\x78\xa6\x48\x76\x89\x1b\x3a\x75\xff\xce\x40\x01\x85\x3b\x93\xbd\x0f\xd8\xa1\x65\xa7\xfa\x83\xfb\xc6\xb9\x5a\xed\x88\x0f\x02\x22\x4f\x12\x22\xb1\x50\xb7\x46\x98\x1a\x4b\x55\x28\x8f\x56\x4d\x8d\x6a\xf6\x43\xc0\xfd\x29\x15\x71\xd7\x0c\xc5\x60\x24\xdd\x73\xe5\x00\xc5\xef\xe9\xbc\x9b\x72", 130); *(uint8_t*)0x20000621 = 7; *(uint8_t*)0x20000622 = 0x25; *(uint8_t*)0x20000623 = 1; 
*(uint8_t*)0x20000624 = 1; *(uint8_t*)0x20000625 = 0; *(uint16_t*)0x20000626 = 9; *(uint8_t*)0x20000628 = 9; *(uint8_t*)0x20000629 = 5; *(uint8_t*)0x2000062a = 5; *(uint8_t*)0x2000062b = 2; *(uint16_t*)0x2000062c = 0x10; *(uint8_t*)0x2000062e = 0xf9; *(uint8_t*)0x2000062f = 0xd8; *(uint8_t*)0x20000630 = 0xf9; *(uint8_t*)0x20000631 = 9; *(uint8_t*)0x20000632 = 5; *(uint8_t*)0x20000633 = 3; *(uint8_t*)0x20000634 = 0xc; *(uint16_t*)0x20000635 = 8; *(uint8_t*)0x20000637 = 0x81; *(uint8_t*)0x20000638 = 0; *(uint8_t*)0x20000639 = 0x3f; *(uint8_t*)0x2000063a = 9; *(uint8_t*)0x2000063b = 5; *(uint8_t*)0x2000063c = 0xd; *(uint8_t*)0x2000063d = 0; *(uint16_t*)0x2000063e = 0xa2f3; *(uint8_t*)0x20000640 = 0xbe; *(uint8_t*)0x20000641 = 6; *(uint8_t*)0x20000642 = 7; *(uint8_t*)0x20000643 = 7; *(uint8_t*)0x20000644 = 0x25; *(uint8_t*)0x20000645 = 1; *(uint8_t*)0x20000646 = 0x81; *(uint8_t*)0x20000647 = 2; *(uint16_t*)0x20000648 = 2; *(uint8_t*)0x2000064a = 9; *(uint8_t*)0x2000064b = 5; *(uint8_t*)0x2000064c = 8; *(uint8_t*)0x2000064d = 0x1c; *(uint16_t*)0x2000064e = 0x20; *(uint8_t*)0x20000650 = 4; *(uint8_t*)0x20000651 = 8; *(uint8_t*)0x20000652 = 9; *(uint8_t*)0x20000653 = 7; *(uint8_t*)0x20000654 = 0x25; *(uint8_t*)0x20000655 = 1; *(uint8_t*)0x20000656 = 0x81; *(uint8_t*)0x20000657 = -1; *(uint16_t*)0x20000658 = 0xffe0; *(uint8_t*)0x2000065a = 0xf2; *(uint8_t*)0x2000065b = 0x31; memcpy((void*)0x2000065c, 
"\x2f\xb2\xb9\x74\x7b\x65\x1a\xe6\x6e\x5d\x86\x1f\x9e\xfc\x61\xbd\xd1\x94\x95\xf1\x63\x62\x59\x75\xe7\xba\xe8\x00\xee\x00\x48\x67\xb5\xa8\x13\xb7\xb9\xdb\xc5\x5e\xb0\xb7\x51\xb8\xd7\x58\xe9\xcb\xa4\xa3\xb4\xf6\x83\x0e\x5f\x85\xdf\x74\x0e\xfc\xf2\x90\xc7\x7d\xf2\x12\xee\x62\xfc\x94\xcc\x50\x4b\x1e\x54\x22\xff\xbf\x9f\x87\xed\x05\xb4\xe7\x62\xfe\xed\x65\x35\xfd\x70\x28\x25\x63\x1d\xb7\x63\x6c\x86\x9c\x9f\x12\x99\x32\x0d\x98\xe1\xcf\x74\x0a\x94\xe2\x26\xaf\x56\x08\xa7\x99\xe1\xc9\x99\xee\x2b\x4a\xb5\x14\x6f\x85\x2e\xd9\x87\x40\x65\xfb\x37\xc2\x85\x81\x1c\x77\x78\x9d\xf8\xa1\x79\x8c\x26\x70\x41\x97\x47\x67\x93\x38\xa3\x29\x93\x49\xae\x3e\xc4\x9e\xed\xcb\x39\x25\x6d\x55\x1a\x4f\xfb\xa9\x59\x51\x67\xc1\x77\x9a\x72\x47\xb9\x4a\xeb\xc5\x79\x2e\x53\xfb\xc9\x4c\x06\x6c\x16\xfe\x77\x02\x04\x92\xe0\xa3\x08\xd5\xba\x5f\xde\xc9\x52\xc4\x09\x5b\x75\x63\x34\x7b\xe3\xf2\xab\x70\x87\x33\x75\xe6\x11\x6c\x39\x40\x03\xcc\x0c\x5c\xdb\xdc\xb0\x04\xf9\x6c\x6c\x4f\xf2\x35", 240); *(uint8_t*)0x2000074c = 9; *(uint8_t*)0x2000074d = 4; *(uint8_t*)0x2000074e = 3; *(uint8_t*)0x2000074f = 6; *(uint8_t*)0x20000750 = 5; *(uint8_t*)0x20000751 = 0; *(uint8_t*)0x20000752 = 0; *(uint8_t*)0x20000753 = 0; *(uint8_t*)0x20000754 = 0xc8; *(uint8_t*)0x20000755 = 7; *(uint8_t*)0x20000756 = 0x24; *(uint8_t*)0x20000757 = 1; *(uint8_t*)0x20000758 = 0; *(uint8_t*)0x20000759 = 3; *(uint16_t*)0x2000075a = 4; *(uint8_t*)0x2000075c = 0xf; *(uint8_t*)0x2000075d = 0x24; *(uint8_t*)0x2000075e = 2; *(uint8_t*)0x2000075f = 1; *(uint8_t*)0x20000760 = 0x81; *(uint8_t*)0x20000761 = 2; *(uint8_t*)0x20000762 = 1; *(uint8_t*)0x20000763 = 1; memcpy((void*)0x20000764, "\xb3\xd2\xfe\xb3\x92\x00\x56", 7); *(uint8_t*)0x2000076b = 9; *(uint8_t*)0x2000076c = 5; *(uint8_t*)0x2000076d = 6; *(uint8_t*)0x2000076e = 4; *(uint16_t*)0x2000076f = 0x400; *(uint8_t*)0x20000771 = 0; *(uint8_t*)0x20000772 = 6; *(uint8_t*)0x20000773 = 3; *(uint8_t*)0x20000774 = 0x11; *(uint8_t*)0x20000775 = 4; memcpy((void*)0x20000776, 
"\x39\xa6\x64\x25\x22\x0f\xb1\xa9\x9e\x55\x6b\x2d\xfb\x18\x38", 15); *(uint8_t*)0x20000785 = 9; *(uint8_t*)0x20000786 = 5; *(uint8_t*)0x20000787 = 0xa; *(uint8_t*)0x20000788 = 4; *(uint16_t*)0x20000789 = 0x50; *(uint8_t*)0x2000078b = 0x79; *(uint8_t*)0x2000078c = 9; *(uint8_t*)0x2000078d = -1; *(uint8_t*)0x2000078e = 7; *(uint8_t*)0x2000078f = 0x25; *(uint8_t*)0x20000790 = 1; *(uint8_t*)0x20000791 = 1; *(uint8_t*)0x20000792 = 9; *(uint16_t*)0x20000793 = 7; *(uint8_t*)0x20000795 = 9; *(uint8_t*)0x20000796 = 5; *(uint8_t*)0x20000797 = 2; *(uint8_t*)0x20000798 = 0x10; *(uint16_t*)0x20000799 = 0x10; *(uint8_t*)0x2000079b = 0; *(uint8_t*)0x2000079c = 0xe5; *(uint8_t*)0x2000079d = 1; *(uint8_t*)0x2000079e = 0xc; *(uint8_t*)0x2000079f = 8; memcpy((void*)0x200007a0, "\x62\x71\xea\xd3\x9e\x76\xc5\x5f\x40\x3f", 10); *(uint8_t*)0x200007aa = 0x1d; *(uint8_t*)0x200007ab = 0x22; memcpy((void*)0x200007ac, "\x93\xf9\x20\x77\xe6\xf8\xfb\x30\x27\x85\xe1\x3e\x57\xcc\x86\xfc\x2a\x7a\x97\x62\x1a\x1c\xd7\x84\x98\xcc\x60", 27); *(uint8_t*)0x200007c7 = 9; *(uint8_t*)0x200007c8 = 5; *(uint8_t*)0x200007c9 = 0xa; *(uint8_t*)0x200007ca = 0; *(uint16_t*)0x200007cb = 0x10; *(uint8_t*)0x200007cd = 0xfb; *(uint8_t*)0x200007ce = 0x70; *(uint8_t*)0x200007cf = 9; *(uint8_t*)0x200007d0 = 0xa5; *(uint8_t*)0x200007d1 = 0xa; memcpy((void*)0x200007d2, "\xaa\x01\x6e\xff\xd7\x95\xb2\x1f\xec\xe5\x5d\x47\x62\x18\x11\xef\x08\xe6\xea\xf7\xa4\xf3\xfb\xf7\x0f\x91\x91\xee\xc8\x75\xbd\x45\xba\x57\x2c\xf2\xef\x7f\x10\xf3\xa5\x05\xff\x71\xef\x3e\xf1\xa4\x2a\x73\x49\xf1\x98\xcc\x1e\x75\x24\xa3\x0e\x94\x8c\x63\x34\xe7\x06\x02\x3f\xca\xec\xc3\xcf\x51\xd8\xcc\x35\x4d\xff\xde\xc9\xe3\x30\x58\x45\x61\x86\xdf\xe0\x45\x3f\x8f\xb8\xce\x87\x70\xff\xf3\xa3\x5e\x7b\xc7\xbe\x19\x82\xbc\x0f\xdb\x24\x8b\x77\x6f\x99\x5d\x49\x26\x94\x17\x2d\x25\xaf\xfd\x86\x07\xf0\x00\xdb\xea\x29\xd9\xb5\x7d\xe7\xbc\x89\xd3\x28\xa6\x3c\x5e\x9f\x34\x30\xaa\x09\x4d\x1f\x14\xe2\xea\x84\x44\x62\x60\x09\x73\x23\xf8\x48\x36\x41\xd5\x30\x8b\x57", 163); 
*(uint8_t*)0x20000875 = 9; *(uint8_t*)0x20000876 = 5; *(uint8_t*)0x20000877 = 0x8c; *(uint8_t*)0x20000878 = 8; *(uint16_t*)0x20000879 = 0x40; *(uint8_t*)0x2000087b = 4; *(uint8_t*)0x2000087c = 5; *(uint8_t*)0x2000087d = 3; *(uint32_t*)0x20000d40 = 0xa; *(uint64_t*)0x20000d44 = 0x20000880; *(uint8_t*)0x20000880 = 0xa; *(uint8_t*)0x20000881 = 6; *(uint16_t*)0x20000882 = 0x250; *(uint8_t*)0x20000884 = 1; *(uint8_t*)0x20000885 = 8; *(uint8_t*)0x20000886 = 0xcf; *(uint8_t*)0x20000887 = 0x20; *(uint8_t*)0x20000888 = 6; *(uint8_t*)0x20000889 = 0; *(uint32_t*)0x20000d4c = 0xa7; *(uint64_t*)0x20000d50 = 0x200008c0; *(uint8_t*)0x200008c0 = 5; *(uint8_t*)0x200008c1 = 0xf; *(uint16_t*)0x200008c2 = 0xa7; *(uint8_t*)0x200008c4 = 6; *(uint8_t*)0x200008c5 = 0x18; *(uint8_t*)0x200008c6 = 0x10; *(uint8_t*)0x200008c7 = 0xa; *(uint8_t*)0x200008c8 = 8; STORE_BY_BITMASK(uint32_t, , 0x200008c9, 3, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x200008c9, 9, 5, 27); *(uint16_t*)0x200008cd = 0xf; *(uint16_t*)0x200008cf = 0; *(uint32_t*)0x200008d1 = 0xffc030; *(uint32_t*)0x200008d5 = 0xc030; *(uint32_t*)0x200008d9 = 0x3f30; *(uint8_t*)0x200008dd = 0x14; *(uint8_t*)0x200008de = 0x10; *(uint8_t*)0x200008df = 4; *(uint8_t*)0x200008e0 = 0xfe; memcpy((void*)0x200008e1, "\xed\xca\xa5\x25\xc2\x3e\x27\xc4\x7c\xe4\x24\x20\xc0\x44\xbb\x79", 16); *(uint8_t*)0x200008f1 = 3; *(uint8_t*)0x200008f2 = 0x10; *(uint8_t*)0x200008f3 = 0xb; *(uint8_t*)0x200008f4 = 3; *(uint8_t*)0x200008f5 = 0x10; *(uint8_t*)0x200008f6 = 0xb; *(uint8_t*)0x200008f7 = 7; *(uint8_t*)0x200008f8 = 0x10; *(uint8_t*)0x200008f9 = 2; STORE_BY_BITMASK(uint32_t, , 0x200008fa, 0x1c, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x200008fb, 6, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x200008fb, 0, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x200008fc, 8, 0, 16); *(uint8_t*)0x200008fe = 0x69; *(uint8_t*)0x200008ff = 0x10; *(uint8_t*)0x20000900 = 1; memcpy((void*)0x20000901, 
"\xf0\x91\x7a\x40\x9f\x20\x82\x3f\xe2\x1e\x12\x4d\xc6\x71\xac\x83\x13\xbe\xb3\x28\xf2\x63\xa5\x96\x75\x48\xb9\xff\xe8\xbd\x38\xca\x2b\x56\x38\xe9\x0e\x09\xb0\x0a\xd4\x00\x0d\x97\x5c\x28\xf2\x80\x60\x24\x43\x96\x8f\xb7\x54\x43\xf4\x83\x3a\x05\xf9\x36\xed\x00\xb5\x75\xa1\x1e\x11\x81\xf1\x9f\x62\xf7\x01\x0a\x85\x59\xd4\x42\x22\x69\xba\x17\xc5\x69\xa5\xd2\xca\x58\x02\x10\xa2\x81\x19\x23\x21\x6f\xf3\x8f\x6c\x21", 102); *(uint32_t*)0x20000d58 = 9; *(uint32_t*)0x20000d5c = 0x2e; *(uint64_t*)0x20000d60 = 0x20000980; *(uint8_t*)0x20000980 = 0x2e; *(uint8_t*)0x20000981 = 3; memcpy((void*)0x20000982, "\xc0\xca\x32\x6a\xbb\x6f\x9f\x4b\xe8\xfd\xe5\xec\x0f\xda\x56\x56\x8a\x3a\xee\x01\x7d\x48\x51\xf5\xe1\x77\xf2\x7c\x67\x23\xcc\x4b\x66\x14\x8d\x06\x8a\x4f\xc2\x15\xc3\x41\x22\x42", 44); *(uint32_t*)0x20000d68 = 4; *(uint64_t*)0x20000d6c = 0x200009c0; *(uint8_t*)0x200009c0 = 4; *(uint8_t*)0x200009c1 = 3; *(uint16_t*)0x200009c2 = 0x140a; *(uint32_t*)0x20000d74 = 0x101; *(uint64_t*)0x20000d78 = 0x20000a00; *(uint8_t*)0x20000a00 = 1; *(uint8_t*)0x20000a01 = 3; memcpy((void*)0x20000a02, 
"\xb5\x44\xe4\xb1\x0f\x95\xe3\x90\x3d\xd7\xa1\xb4\xfc\xaa\xde\x5c\x41\x43\xd9\x0f\x68\xfc\xf3\xf0\xd8\x32\x82\xc3\x24\xf0\xd4\xa7\xe6\x5f\x27\x80\x3e\x19\xd9\x56\x78\xa8\x8d\xa9\xf9\x9c\x40\x3c\xb3\x26\x52\x70\xa9\x96\x4d\xcd\x75\x9f\xf7\x27\xed\x3c\xdb\x42\x7b\x2a\xc3\xc5\xf7\x1d\xde\xb5\xea\x16\xa0\x37\x7a\x0e\xd2\x2e\x54\xa2\x4a\x8a\xe1\x47\x51\x37\x62\x01\x42\x60\x56\x82\xbe\x28\x12\x97\xff\x87\xf2\x08\x1a\xda\x23\x29\x52\x0e\x8e\x87\x82\x80\x43\xb6\x5d\x66\x3c\x96\x0e\x10\x01\xcd\xd6\x65\x51\x89\x12\x30\xa3\x67\xe3\x07\xd0\x0a\xbe\x3a\x52\xcc\x07\x33\x5d\x6d\x39\xea\xc4\x4c\x43\xf1\xb7\x0c\x13\xca\xfa\x5b\x2c\x7a\xca\x4c\x95\x72\x43\x75\x59\x9a\x85\x9c\x39\xe4\xc0\xe4\xda\x7b\x2c\x90\x6e\x43\x28\x8f\x11\x74\x94\xfe\xdd\xbe\xc0\x23\x07\x16\xe3\x1e\x46\xf5\x31\x87\x5f\xc7\xef\xf8\x5e\x6f\x2f\x36\x51\x7f\xa0\x2a\x11\x6f\xce\x7a\x95\xfb\xa5\xfa\x3d\xff\x69\x7c\xe8\x71\x6f\xc8\x5a\xa4\xd0\xf6\xf2\x4b\x04\x01\xf2\xc4\xdb\x9a\xec\x9a\xf7\x75\xa0\x41\x99\x2c\x23\x4d\x23\x07\xbf\xda\x12\x24\x84\xcc\x46\x0e\x90", 255); *(uint32_t*)0x20000d80 = 4; *(uint64_t*)0x20000d84 = 0x20000b40; *(uint8_t*)0x20000b40 = 4; *(uint8_t*)0x20000b41 = 3; *(uint16_t*)0x20000b42 = 0x804; *(uint32_t*)0x20000d8c = 4; *(uint64_t*)0x20000d90 = 0x20000b80; *(uint8_t*)0x20000b80 = 4; *(uint8_t*)0x20000b81 = 3; *(uint16_t*)0x20000b82 = 0x400a; *(uint32_t*)0x20000d98 = 4; *(uint64_t*)0x20000d9c = 0x20000bc0; *(uint8_t*)0x20000bc0 = 4; *(uint8_t*)0x20000bc1 = 3; *(uint16_t*)0x20000bc2 = 0x42b; *(uint32_t*)0x20000da4 = 4; *(uint64_t*)0x20000da8 = 0x20000c00; *(uint8_t*)0x20000c00 = 4; *(uint8_t*)0x20000c01 = 3; *(uint16_t*)0x20000c02 = 0x3009; *(uint32_t*)0x20000db0 = 0xa5; *(uint64_t*)0x20000db4 = 0x20000c40; *(uint8_t*)0x20000c40 = 0xa5; *(uint8_t*)0x20000c41 = 3; memcpy((void*)0x20000c42, 
"\x84\x38\x9b\x09\x2a\x5b\x3d\x06\xbf\xd8\x95\x09\xd0\x72\xa7\x3f\x11\x1a\x14\xaa\x46\x19\x78\x5c\x4f\xe2\x44\x85\x20\xd3\x44\xb0\x30\x91\x36\xab\x09\x1e\x79\x2a\x36\xd6\xc3\xad\xdb\xe8\x39\xa5\x9d\x03\x72\xbd\xb5\x42\x65\xba\x32\xc2\xfa\x75\x17\x55\x18\xbe\xe6\x40\xf7\xa1\x5d\xd0\x11\x26\x06\xec\x27\x89\x89\xfe\xa0\x51\xf6\xa6\x9b\x97\x53\x67\x5b\x81\xfe\x2e\x64\xeb\xe3\x34\x56\x8e\x08\x6b\x24\x70\x4b\xe9\xdb\x1f\xa5\x64\x5a\x8a\xf5\x26\xed\x97\xa9\x0c\x02\x7a\x2b\x4f\x90\xed\x9c\x2a\xf5\xe9\xba\x52\x84\x31\xc9\x3f\xea\x75\x2e\x8d\x84\x89\xd4\xef\x97\x7f\x5a\x3a\xc6\xc8\xdb\xac\xfc\x14\x5f\xdb\x5f\x7b\xca\x68\x1b\x6f\x3b\xd7\x64\xd0\x6c\xbe\x0b", 163); *(uint32_t*)0x20000dbc = 4; *(uint64_t*)0x20000dc0 = 0x20000d00; *(uint8_t*)0x20000d00 = 4; *(uint8_t*)0x20000d01 = 3; *(uint16_t*)0x20000d02 = 0x44d; syz_usb_connect(5, 0x77e, 0x20000100, 0x20000d40); break; case 12: *(uint8_t*)0x20000e00 = 0x12; *(uint8_t*)0x20000e01 = 1; *(uint16_t*)0x20000e02 = 0x310; *(uint8_t*)0x20000e04 = 2; *(uint8_t*)0x20000e05 = 0; *(uint8_t*)0x20000e06 = 0; *(uint8_t*)0x20000e07 = 0x20; *(uint16_t*)0x20000e08 = 0x525; *(uint16_t*)0x20000e0a = 0xa4a1; *(uint16_t*)0x20000e0c = 0x40; *(uint8_t*)0x20000e0e = 1; *(uint8_t*)0x20000e0f = 2; *(uint8_t*)0x20000e10 = 3; *(uint8_t*)0x20000e11 = 1; *(uint8_t*)0x20000e12 = 9; *(uint8_t*)0x20000e13 = 2; *(uint16_t*)0x20000e14 = 0x7d; *(uint8_t*)0x20000e16 = 2; *(uint8_t*)0x20000e17 = 1; *(uint8_t*)0x20000e18 = 1; *(uint8_t*)0x20000e19 = 0xd0; *(uint8_t*)0x20000e1a = 0; *(uint8_t*)0x20000e1b = 9; *(uint8_t*)0x20000e1c = 4; *(uint8_t*)0x20000e1d = 0; *(uint8_t*)0x20000e1e = 0; *(uint8_t*)0x20000e1f = 1; *(uint8_t*)0x20000e20 = 2; *(uint8_t*)0x20000e21 = 0xd; *(uint8_t*)0x20000e22 = 0; *(uint8_t*)0x20000e23 = 0; *(uint8_t*)0x20000e24 = 5; *(uint8_t*)0x20000e25 = 0x24; *(uint8_t*)0x20000e26 = 6; *(uint8_t*)0x20000e27 = 0; *(uint8_t*)0x20000e28 = 1; *(uint8_t*)0x20000e29 = 5; *(uint8_t*)0x20000e2a = 0x24; *(uint8_t*)0x20000e2b = 0; *(uint16_t*)0x20000e2c = 
0x81; *(uint8_t*)0x20000e2e = 0xd; *(uint8_t*)0x20000e2f = 0x24; *(uint8_t*)0x20000e30 = 0xf; *(uint8_t*)0x20000e31 = 1; *(uint32_t*)0x20000e32 = 0x3fffc000; *(uint16_t*)0x20000e36 = 0xba60; *(uint16_t*)0x20000e38 = 1; *(uint8_t*)0x20000e3a = 1; *(uint8_t*)0x20000e3b = 6; *(uint8_t*)0x20000e3c = 0x24; *(uint8_t*)0x20000e3d = 0x1a; *(uint16_t*)0x20000e3e = 1; *(uint8_t*)0x20000e40 = 0; *(uint8_t*)0x20000e41 = 0xc; *(uint8_t*)0x20000e42 = 0x24; *(uint8_t*)0x20000e43 = 0x1b; *(uint16_t*)0x20000e44 = 0x1b7; *(uint16_t*)0x20000e46 = 0x50f; *(uint8_t*)0x20000e48 = 6; *(uint8_t*)0x20000e49 = 0x5b; *(uint16_t*)0x20000e4a = 0x81; *(uint8_t*)0x20000e4c = 9; *(uint8_t*)0x20000e4d = 0x15; *(uint8_t*)0x20000e4e = 0x24; *(uint8_t*)0x20000e4f = 0x12; *(uint16_t*)0x20000e50 = 0x5f; *(uint64_t*)0x20000e52 = 0x14f5e048ba817a3; *(uint64_t*)0x20000e5a = 0x2a397ecbffc007a6; *(uint8_t*)0x20000e62 = 9; *(uint8_t*)0x20000e63 = 5; *(uint8_t*)0x20000e64 = 0x81; *(uint8_t*)0x20000e65 = 3; *(uint16_t*)0x20000e66 = 0x10; *(uint8_t*)0x20000e68 = 1; *(uint8_t*)0x20000e69 = 6; *(uint8_t*)0x20000e6a = 2; *(uint8_t*)0x20000e6b = 9; *(uint8_t*)0x20000e6c = 4; *(uint8_t*)0x20000e6d = 1; *(uint8_t*)0x20000e6e = 0; *(uint8_t*)0x20000e6f = 0; *(uint8_t*)0x20000e70 = 2; *(uint8_t*)0x20000e71 = 0xd; *(uint8_t*)0x20000e72 = 0; *(uint8_t*)0x20000e73 = 0; *(uint8_t*)0x20000e74 = 9; *(uint8_t*)0x20000e75 = 4; *(uint8_t*)0x20000e76 = 1; *(uint8_t*)0x20000e77 = 1; *(uint8_t*)0x20000e78 = 2; *(uint8_t*)0x20000e79 = 2; *(uint8_t*)0x20000e7a = 0xd; *(uint8_t*)0x20000e7b = 0; *(uint8_t*)0x20000e7c = 0; *(uint8_t*)0x20000e7d = 9; *(uint8_t*)0x20000e7e = 5; *(uint8_t*)0x20000e7f = 0x82; *(uint8_t*)0x20000e80 = 2; *(uint16_t*)0x20000e81 = 8; *(uint8_t*)0x20000e83 = 0xcc; *(uint8_t*)0x20000e84 = 6; *(uint8_t*)0x20000e85 = 0x9b; *(uint8_t*)0x20000e86 = 9; *(uint8_t*)0x20000e87 = 5; *(uint8_t*)0x20000e88 = 3; *(uint8_t*)0x20000e89 = 2; *(uint16_t*)0x20000e8a = 0x400; *(uint8_t*)0x20000e8c = 1; *(uint8_t*)0x20000e8d = 6; 
*(uint8_t*)0x20000e8e = 1; *(uint32_t*)0x20001300 = 0xa; *(uint64_t*)0x20001304 = 0x20000ec0; *(uint8_t*)0x20000ec0 = 0xa; *(uint8_t*)0x20000ec1 = 6; *(uint16_t*)0x20000ec2 = 0x200; *(uint8_t*)0x20000ec4 = 0; *(uint8_t*)0x20000ec5 = 1; *(uint8_t*)0x20000ec6 = 0x13; *(uint8_t*)0x20000ec7 = 8; *(uint8_t*)0x20000ec8 = -1; *(uint8_t*)0x20000ec9 = 0; *(uint32_t*)0x2000130c = 0xff; *(uint64_t*)0x20001310 = 0x20000f00; *(uint8_t*)0x20000f00 = 5; *(uint8_t*)0x20000f01 = 0xf; *(uint16_t*)0x20000f02 = 0xff; *(uint8_t*)0x20000f04 = 6; *(uint8_t*)0x20000f05 = 3; *(uint8_t*)0x20000f06 = 0x10; *(uint8_t*)0x20000f07 = 0xb; *(uint8_t*)0x20000f08 = 0x14; *(uint8_t*)0x20000f09 = 0x10; *(uint8_t*)0x20000f0a = 4; *(uint8_t*)0x20000f0b = 1; memcpy((void*)0x20000f0c, "\x43\x3e\x98\x8e\xe5\xf3\x58\xef\x3f\x4e\x65\x3f\xaf\x4e\xe7\x65", 16); *(uint8_t*)0x20000f1c = 0xa; *(uint8_t*)0x20000f1d = 0x10; *(uint8_t*)0x20000f1e = 0xb; memcpy((void*)0x20000f1f, "\xd3\x74\xd6\xca\x9c\xfd\xff", 7); *(uint8_t*)0x20000f26 = 0xe; *(uint8_t*)0x20000f27 = 0x10; *(uint8_t*)0x20000f28 = 0xb; memcpy((void*)0x20000f29, "\xe4\xe1\x28\x48\xc1\xc9\xe1\xac\xe2\x70\x01", 11); *(uint8_t*)0x20000f34 = 0x1c; *(uint8_t*)0x20000f35 = 0x10; *(uint8_t*)0x20000f36 = 0xa; *(uint8_t*)0x20000f37 = 0x40; STORE_BY_BITMASK(uint32_t, , 0x20000f38, 4, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x20000f38, 4, 5, 27); *(uint16_t*)0x20000f3c = 0xf0f; *(uint16_t*)0x20000f3e = 0x8000; *(uint32_t*)0x20000f40 = 0xff0000; *(uint32_t*)0x20000f44 = 0xc0; *(uint32_t*)0x20000f48 = 0xff003f; *(uint32_t*)0x20000f4c = 0xc00f; *(uint8_t*)0x20000f50 = 0xaf; *(uint8_t*)0x20000f51 = 0x10; *(uint8_t*)0x20000f52 = 1; memcpy((void*)0x20000f53, 
"\xcb\xab\xda\x0f\x97\x9a\xfc\xbd\x15\x73\x7d\x31\x5a\xb6\x9a\xc5\x32\xbd\xa0\x26\x42\xde\xbc\xa3\x3a\x83\x18\x5a\x92\x73\x8f\x4d\x04\xce\xc6\x95\x22\x3d\x9f\x52\xb8\x03\xad\x72\x64\x4b\xd3\xdf\x57\x74\x94\x9b\x6e\xd6\x37\x7c\xdf\x5d\xa5\xb1\xd8\x20\x0d\xe1\x61\xf5\xb0\xf6\x10\xc7\x8f\x5c\x79\xa0\x0d\xb8\x64\x92\xec\xdf\x46\x42\x04\xc0\x09\xa9\x47\x4a\x05\xf0\xf6\x35\x18\x19\x70\x3f\x38\x3e\xca\x0f\x29\xa0\x1e\x52\xf7\xb0\xb1\xf9\x21\xef\x92\xc3\xe6\x30\x28\x77\x07\xe0\x61\x7f\xe8\xcf\x26\x72\xef\x1d\xee\x5e\x7c\x5f\x8a\x37\x41\x5f\x54\xb2\x41\xf0\xb9\x3a\xe6\xf3\x40\x2e\x17\xb6\xfe\xc4\x66\xb8\x38\x27\xf4\xe4\x2c\x57\xaf\x90\xea\x0b\x73\x5a\x10\xb5\xcc\x4a\x9e\xd1\x44\x61\xcb\x3c", 172); *(uint32_t*)0x20001318 = 9; *(uint32_t*)0x2000131c = 4; *(uint64_t*)0x20001320 = 0x20001000; *(uint8_t*)0x20001000 = 4; *(uint8_t*)0x20001001 = 3; *(uint16_t*)0x20001002 = 0x807; *(uint32_t*)0x20001328 = 4; *(uint64_t*)0x2000132c = 0x20001040; *(uint8_t*)0x20001040 = 4; *(uint8_t*)0x20001041 = 3; *(uint16_t*)0x20001042 = 0x44c; *(uint32_t*)0x20001334 = 0x46; *(uint64_t*)0x20001338 = 0x20001080; *(uint8_t*)0x20001080 = 0x46; *(uint8_t*)0x20001081 = 3; memcpy((void*)0x20001082, "\xd3\x41\x69\xf9\x72\x88\x6d\x91\x88\x5f\xb4\xe6\x63\xd3\xb9\x5e\xfc\xbd\xf2\xac\x7f\xb6\xa4\x8b\x8f\x5d\x44\xf4\x90\xa6\xd5\xdb\x20\x86\xfa\x93\x8c\x10\xf7\x75\x1b\x90\xc3\x99\x3b\xbf\xad\x67\x0a\x7f\x80\xd3\x58\x86\xc2\xcc\x30\x29\x1a\xb2\xce\x67\x01\x1d\x1b\x0d\x6c\xf4", 68); *(uint32_t*)0x20001340 = 4; *(uint64_t*)0x20001344 = 0x20001100; *(uint8_t*)0x20001100 = 4; *(uint8_t*)0x20001101 = 3; *(uint16_t*)0x20001102 = 0x40a; *(uint32_t*)0x2000134c = 0x36; *(uint64_t*)0x20001350 = 0x20001140; *(uint8_t*)0x20001140 = 0x36; *(uint8_t*)0x20001141 = 3; memcpy((void*)0x20001142, "\x06\x4c\xab\x2c\xae\x36\xef\x56\x23\x74\x9b\xcb\x79\x93\xb3\x10\xc0\xf7\x00\xe5\x26\xdd\xa0\x22\x3a\x1e\x4b\x6f\x16\x00\x79\xc7\xb1\xcd\xb2\xa8\xb0\x43\xea\x83\x25\xec\xc0\xee\xd6\x4d\x54\x39\x81\xa3\x96\xb7", 52); 
*(uint32_t*)0x20001358 = 5; *(uint64_t*)0x2000135c = 0x20001180; *(uint8_t*)0x20001180 = 5; *(uint8_t*)0x20001181 = 3; memcpy((void*)0x20001182, "Ka\000", 3); *(uint32_t*)0x20001364 = 4; *(uint64_t*)0x20001368 = 0x200011c0; *(uint8_t*)0x200011c0 = 4; *(uint8_t*)0x200011c1 = 3; *(uint16_t*)0x200011c2 = 0x500a; *(uint32_t*)0x20001370 = 4; *(uint64_t*)0x20001374 = 0x20001200; *(uint8_t*)0x20001200 = 4; *(uint8_t*)0x20001201 = 3; *(uint16_t*)0x20001202 = 0x4ff; *(uint32_t*)0x2000137c = 0x8f; *(uint64_t*)0x20001380 = 0x20001240; *(uint8_t*)0x20001240 = 0x8f; *(uint8_t*)0x20001241 = 3; memcpy((void*)0x20001242, "\x37\xcc\x0c\x18\xf2\xd0\x9b\xfc\x3a\xa7\x69\x89\xd3\x6d\x44\x9d\xb5\x7f\xf9\x5c\x9d\x3d\x3c\xb0\x40\x2d\x82\x35\xdc\x71\x22\x01\xee\xa4\xc3\x18\x2f\xf7\x6c\xbd\xbb\xe5\x31\x5c\x11\x68\x27\xa3\x5f\xa2\x7a\x39\x04\xc6\x63\x96\x50\x3f\x48\x37\x05\x55\xf6\x27\x91\xc6\x15\x46\xe4\x12\x1a\xa6\x88\xc1\xc7\xc5\x7d\x95\x5a\xed\xd9\xee\xc2\xb3\x07\xd4\xe5\x87\xe1\xae\xd0\x86\x79\xb2\x72\x8a\xcd\x32\x1b\xc4\xf8\x3e\xe2\x68\xd8\x14\x9d\x81\xbb\xc1\x28\xc5\x8e\x17\x8c\xd1\x7d\x2b\x81\x36\xb8\x34\xc1\xe9\xb1\xd7\xd3\xd1\x37\xae\x9b\x4c\x27\xe6\xb1\xba\x93\xdf\x07\xe8\x52", 141); res = -1; res = syz_usb_connect(1, 0x8f, 0x20000e00, 0x20001300); if (res != -1) r[3] = res; break; case 13: syz_usb_disconnect(r[3]); break; } } int main(void) { syscall(SYS_mmap, 0x20000000ul, 0x1000000ul, 3ul, 0x1012ul, -1, 0ul, 0ul); setup_fault(); use_temporary_dir(); do_sandbox_none(); return 0; } compiler invocation: /syzkaller/shared/netbsd/tools/bin/x86_64--netbsd-g++ [-o /tmp/syz-executor1703147534 -DGOOS_netbsd=1 -DGOARCH_amd64=1 -DHOSTGOOS_linux=1 -x c - -m64 --sysroot /syzkaller/shared/netbsd/dest/ -O2 -pthread -Wall -Werror -Wparentheses -Wframe-larger-than=16384] --- FAIL: TestGenerate/netbsd/amd64/12 (0.22s) csource_test.go:150: opts: {Threaded:true Repeat:true RepeatTimes:0 Procs:0 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false 
Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false UseTmpDir:false HandleSegv:false Repro:false Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}} program: __stat50(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) (fail_nth: 1) compat_50___msgctl13$IPC_SET(0x0, 0x1, &(0x7f0000000200)={{0x5a3e, 0x0, r1, 0xffffffffffffffff, 0xffffffffffffffff, 0x20, 0x400}, 0x9, 0x62e81dc5, 0x81, 0x5, 0x4, 0x8, 0x9, &(0x7f0000000100)={0x0, 0x20e1, 0xfffd, 0x1}, &(0x7f00000001c0)={&(0x7f0000000180)={&(0x7f0000000140)={0x0, 0x7ff, 0x9, 0x1}, 0x8000000000000000, 0x6, 0x8}, 0x8, 0x5, 0x20}, 0x400}) (async) chown(&(0x7f0000000280)='./file0\x00', r0, 0x0) (rerun: 4) compat_14___semctl$GETALL(0x0, 0x0, 0x6, &(0x7f00000002c0)) compat_14___semctl$SETVAL(0xffffffffffffffff, 0x0, 0x8, &(0x7f0000000380)=@buf=&(0x7f0000000340)={{r0, r1, 0x80, 0x5a3, 0x100, 0x1, 0x4897}, 0x7fff, 0x7, 0x0, &(0x7f0000000300)={0x800, 0x7, 0x2, 0x9}}) semctl$GETNCNT(0xffffffffffffffff, 0x4, 0x3, &(0x7f00000003c0)=""/4) r2 = semget$private(0x0, 0x3, 0x2) compat_14___semctl$GETNCNT(r2, 0x0, 0x3) semop(r2, &(0x7f0000000400)=[{0x4, 0x7, 0x2000}, {0x4, 0x1f, 0x800}, {0x1, 0x7, 0x400}], 0x3) compat_14___semctl$IPC_STAT(r2, 0x0, 0x2, &(0x7f0000000440)) syz_emit_ethernet(0x8, &(0x7f0000000000)="03d03df5c2dcc049") syz_execute_func(&(0x7f0000000040)="c421c16d149fc462baf76fed2666450f3800813be70eb16640253633f0408182a0bc302200800000c48281926cd992660f4f99c0f800003626660f124e32f26e660f382ab500000080") syz_extract_tcp_res(&(0x7f00000000c0), 0xfffffffa, 0x8000) syz_usb_connect(0x5, 0x77e, &(0x7f0000000100)={{0x12, 0x1, 0x300, 0x0, 0x0, 0x0, 0xbf, 0x0, 0x0, 0x0, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x76c, 0x3, 0x7, 0x17, 0x30, 0x3d, [{{0x9, 0x4, 0x8e, 0x0, 0x0, 0x0, 0x0, 0x0, 0x62, [@uac_as={[@format_type_ii_discrete={0x12, 0x24, 0x2, 0x2, 0x1f, 0x7, 0x7f, 
"11c06824606e6e241d"}]}]}}, {{0x9, 0x4, 0x0, 0x3f, 0xd, 0x0, 0x0, 0x0, 0x1f, [@generic={0xe0, 0xa, "b71aa8dbef28ec508e40e57e0f21e51ceb5eacb80bb3f7ed35e29bad265b99dbbcbb655b87cbc776843703a876dc2dd2216c56771dd13f2cae3eae772586cacf7cdb24a918924ba342e5a84cb77541172a5b4100bcd721c00bcc1d590d5bae2e602b8a29aa649516b39d745c546613730dec4957df6dc6591993b9027afe3eb2172a49b3b589f5322cc76fd421d8b9acaf9f326c835214aa33da004adaae6689efebb028a649b7edc82333f89fd100b6da5d60c3e1349bd30d2cff8ae56ccbed46e09f6662c6b2c2e7cbd887fbc447db5d6887eb1cc1378ed310ec7d004c"}, @cdc_ncm={{0xb, 0x24, 0x6, 0x0, 0x1, "4b66fafbc9e4"}, {0x5, 0x24, 0x0, 0x6}, {0xd, 0x24, 0xf, 0x1, 0x80000000, 0x4}, {0x6, 0x24, 0x1a, 0xfffa, 0x12}, [@obex={0x5, 0x24, 0x15, 0x5}, @mdlm={0x15, 0x24, 0x12, 0x5}, @dmm={0x7, 0x24, 0x14, 0x4}, @mdlm_detail={0xe5, 0x24, 0x13, 0x7, "8f0d5f90cf98b479fae069bfd83c7e4ef5afe012495f0ee23062fe5f81be0ef82ff410318f82c5300ba5a5ad175dacf741e1d1956b8bb156e5b546644c1750916d0381b49c7bd160323bde2ff8c1379a319c3add3fbd86aa169749f6108844bd19644cafebba5d70989e95144300d6b508edd1662f759828aad78d18d710553cb7f5df43b7b560bb4f4869de9ebe5e126356507d10f2c8d9b83f661fbf0bd5131ce9c059b60e620da0f7516ad6d70c75de7dd4b37d9c379134e6036df428e1f541dbee9f58a4a374ff6cb6ae0468f49c616418a2760066457439952bb5b93f4f33"}, @mdlm={0x15, 0x24, 0x12, 0xec}]}], [{{0x9, 0x5, 0xf, 0x1d, 0x10, 0x0, 0x80, 0x74}}, {{0x9, 0x5, 0x2, 0x3, 0x10, 0x9f, 0x7d, 0xff, [@generic={0x52, 0xe, "ecf4ce492b20b2d508a9180c01192d8e124f6e790aedfc35213b1d14c68c63686631f697532da005bc5013d62c6d5c18b5c5c4f2263b42b582b7333b47373cdf666159745a6a53d518a4ae7c51abaaa8"}, @generic={0x15, 0x23, "dc333ea4d2d7351ec6d273b68ce3d5d1e2c2cf"}]}}, {{0x9, 0x5, 0xb, 0x0, 0x10, 0x4, 0x9, 0x0, [@uac_iso={0x7, 0x25, 0x1, 0x0, 0x5, 0xfffc}, @generic={0x35, 0x2, "59a66019fb9adfb5950997712b8b3c1cb4c4a0abbf8ea41dd4dd5936bde7fbe23ff642c176c355ef4728022f3d7d833860fbcf"}]}}, {{0x9, 0x5, 0x0, 0x10, 0x8, 0x1, 0x1}}, {{0x9, 0x5, 0x1, 0x2, 0x0, 0x0, 0x9, 0x6, [@uac_iso={0x7, 0x25, 0x1, 0x3, 
0x9, 0x9f36}, @uac_iso={0x7, 0x25, 0x1, 0x3, 0x9, 0x3}]}}, {{0x9, 0x5, 0xc, 0x10, 0x200, 0x15, 0x2, 0x0, [@generic={0x5b, 0x23, "1925294e2c16954f8313825e71ea536e7077d7130cee3a802cb3c8005ef6d9211068286c7a4c20cb87fd2cdc5aeedb171fd67ddc74c3f029aab0bfa9a63e5de5a53579666cef0fb7c876efc0a5d3382c346e1f9a78b7356c22"}]}}, {{0x9, 0x5, 0xb, 0x0, 0x40, 0x18, 0x3f, 0x8}}, {{0x9, 0x5, 0xd, 0x1, 0x0, 0x9, 0xff, 0x3, [@generic={0xdc, 0x23, "ccd53fc81156a91ff426eb001fbf43c8551fda170ed36a97eba7a32c3115ec5e9a8182734012aa12ddcc6e93d85eaafbda4ab1cff6bcb2afecd8aa8c58b27a75e5a4ddc50cc673edc82ff13115eb8f50ddd1ed2695337ca85b88264db59eb1304216a301d42f2902d5c06b17592bb21d2af1d092f5d7373aefdb907ffc8179abd68b11ef10be844e03816806f045f0a5ef3ba0ac5bd843a46fa3b72b862de1728647adc3f3bbcd53ce881e6b5a6c6ec797d32cc13918e3da4b3ea20dd6893c2c7ca47aa51bee047a361feff716cef3dae50b6ca72a2b764fa4cf"}, @uac_iso={0x7, 0x25, 0x1, 0x80, 0x5, 0x3f}]}}, {{0x9, 0x5, 0x1, 0x2, 0x20, 0xb9, 0x86, 0x40, [@generic={0x84, 0x8, "ab514debe16aea41f067e846f8939c5d4f6fce3a7d25eaee2c0651f92fe24417bdf9256f3f9b583492b2e4fe6b2b4bad9c1f4a8b26d74c60aeda9478a64876891b3a75ffce4001853b93bd0fd8a165a7fa83fbc6b95aed880f02224f1222b150b746981a4b55288f564d8d6af643c0fd291571d70cc56024dd73e500c5efe9bc9b72"}, @uac_iso={0x7, 0x25, 0x1, 0x1, 0x0, 0x9}]}}, {{0x9, 0x5, 0x5, 0x2, 0x10, 0xf9, 0xd8, 0xf9}}, {{0x9, 0x5, 0x3, 0xc, 0x8, 0x81, 0x0, 0x3f}}, {{0x9, 0x5, 0xd, 0x0, 0x252d10ce716ea2f3, 0xbe, 0x6, 0x7, [@uac_iso={0x7, 0x25, 0x1, 0x81, 0x2, 0x2}]}}, {{0x9, 0x5, 0x8, 0x3a51d77e4fce6a1c, 0x20, 0x4, 0x8, 0x9, [@uac_iso={0x7, 0x25, 0x1, 0x81, 0xff, 0xffe0}, @generic={0xf2, 0x31, 
"2fb2b9747b651ae66e5d861f9efc61bdd19495f163625975e7bae800ee004867b5a813b7b9dbc55eb0b751b8d758e9cba4a3b4f6830e5f85df740efcf290c77df212ee62fc94cc504b1e5422ffbf9f87ed05b4e762feed6535fd702825631db7636c869c9f1299320d98e1cf740a94e226af5608a799e1c999ee2b4ab5146f852ed9874065fb37c285811c77789df8a1798c2670419747679338a3299349ae3ec49eedcb39256d551a4ffba9595167c1779a7247b94aebc5792e53fbc94c066c16fe77020492e0a308d5ba5fdec952c4095b7563347be3f2ab70873375e6116c394003cc0c5cdbdcb004f96c6c4ff235"}]}}]}}, {{0x9, 0x4, 0x3, 0x6, 0x5, 0x0, 0x0, 0x0, 0xc8, [@uac_as={[@as_header={0x7, 0x24, 0x1, 0x0, 0x3, 0x4}, @format_type_i_discrete={0xf, 0x24, 0x2, 0x1, 0x81, 0x2, 0x1, 0x1, "b3d2feb3920056"}]}], [{{0x9, 0x5, 0x6, 0x4, 0x400, 0x0, 0x6, 0x3, [@generic={0x11, 0x4, "39a66425220fb1a99e556b2dfb1838"}]}}, {{0x9, 0x5, 0xa, 0x4, 0x50, 0x79, 0x9, 0xff, [@uac_iso={0x7, 0x25, 0x1, 0x1, 0x9, 0x7}]}}, {{0x9, 0x5, 0x2, 0x10, 0x10, 0x0, 0xe5, 0x1, [@generic={0xc, 0x8, "6271ead39e76c55f403f"}, @generic={0x1d, 0x22, "93f92077e6f8fb302785e13e57cc86fc2a7a97621a1cd78498cc60"}]}}, {{0x9, 0x5, 0xa, 0x0, 0x10, 0xfb, 0x70, 0x9, [@generic={0xa5, 0xc5f45b4d7fc4460a, "aa016effd795b21fece55d47621811ef08e6eaf7a4f3fbf70f9191eec875bd45ba572cf2ef7f10f3a505ff71ef3ef1a42a7349f198cc1e7524a30e948c6334e706023fcaecc3cf51d8cc354dffdec9e33058456186dfe0453f8fb8ce8770fff3a35e7bc7be1982bc0fdb248b776f995d492694172d25affd8607f000dbea29d9b57de7bc89d328a63c5e9f3430aa094d1f14e2ea84446260097323f8483641d5308b57"}]}}, {{0x9, 0x5, 0x8c, 0x8, 0x40, 0x4, 0x5, 0x3}}]}}]}}]}}, &(0x7f0000000d40)={0xa, &(0x7f0000000880)={0xa, 0x6, 0x250, 0x1, 0x8, 0xcf, 0x20, 0x6}, 0xa7, &(0x7f00000008c0)={0x5, 0xf, 0xa7, 0x6, [@ssp_cap={0x18, 0x10, 0xa, 0x8, 0x3, 0x9, 0xf, 0x0, [0xffc030, 0xc030, 0x3f30]}, @ss_container_id={0x14, 0x10, 0x4, 0xfe, "edcaa525c23e27c47ce42420c044bb79"}, @ptm_cap={0x3}, @ptm_cap={0x3}, @ext_cap={0x7, 0x10, 0x2, 0x1c, 0x6, 0x0, 0x8}, @generic={0x69, 0x10, 0x1, 
"f0917a409f20823fe21e124dc671ac8313beb328f263a5967548b9ffe8bd38ca2b5638e90e09b00ad4000d975c28f280602443968fb75443f4833a05f936ed00b575a11e1181f19f62f7010a8559d4422269ba17c569a5d2ca580210a2811923216ff38f6c21"}]}, 0x9, [{0x2e, &(0x7f0000000980)=@string={0x2e, 0x3, "c0ca326abb6f9f4be8fde5ec0fda56568a3aee017d4851f5e177f27c6723cc4b66148d068a4fc215c3412242"}}, {0x4, &(0x7f00000009c0)=@lang_id={0x4, 0x3, 0x140a}}, {0x101, &(0x7f0000000a00)=@string={0x101, 0x3, "b544e4b10f95e3903dd7a1b4fcaade5c4143d90f68fcf3f0d83282c324f0d4a7e65f27803e19d95678a88da9f99c403cb3265270a9964dcd759ff727ed3cdb427b2ac3c5f71ddeb5ea16a0377a0ed22e54a24a8ae1475137620142605682be281297ff87f2081ada2329520e8e87828043b65d663c960e1001cdd66551891230a367e307d00abe3a52cc07335d6d39eac44c43f1b70c13cafa5b2c7aca4c95724375599a859c39e4c0e4da7b2c906e43288f117494feddbec0230716e31e46f531875fc7eff85e6f2f36517fa02a116fce7a95fba5fa3dff697ce8716fc85aa4d0f6f24b0401f2c4db9aec9af775a041992c234d2307bfda122484cc460e90"}}, {0x4, &(0x7f0000000b40)=@lang_id={0x4, 0x3, 0x804}}, {0x4, &(0x7f0000000b80)=@lang_id={0x4, 0x3, 0x400a}}, {0x4, &(0x7f0000000bc0)=@lang_id={0x4, 0x3, 0x42b}}, {0x4, &(0x7f0000000c00)=@lang_id={0x4, 0x3, 0x3009}}, {0xa5, &(0x7f0000000c40)=@string={0xa5, 0x3, "84389b092a5b3d06bfd89509d072a73f111a14aa4619785c4fe2448520d344b0309136ab091e792a36d6c3addbe839a59d0372bdb54265ba32c2fa75175518bee640f7a15dd0112606ec278989fea051f6a69b9753675b81fe2e64ebe334568e086b24704be9db1fa5645a8af526ed97a90c027a2b4f90ed9c2af5e9ba528431c93fea752e8d8489d4ef977f5a3ac6c8dbacfc145fdb5f7bca681b6f3bd764d06cbe0b"}}, {0x4, &(0x7f0000000d00)=@lang_id={0x4, 0x3, 0x44d}}]}) r3 = syz_usb_connect$cdc_ncm(0x1, 0x8f, &(0x7f0000000e00)={{0x12, 0x1, 0x310, 0x2, 0x0, 0x0, 0x20, 0x525, 0xa4a1, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x7d, 0x2, 0x1, 0x1, 0x1d0, 0x0, {{0x9, 0x4, 0x0, 0x0, 0x1, 0x2, 0xd, 0x0, 0x0, {{0x5}, {0x5, 0x24, 0x0, 0x81}, {0xd, 0x24, 0xf, 0x1, 0x3fffc000, 0xba60, 0x1, 0x1}, {0x6, 0x24, 0x1a, 0x1}, [@mbim={0xc, 0x24, 0x1b, 0x1b7, 0x50f, 
0x6, 0x5b, 0x81, 0x9}, @mdlm={0x15, 0x24, 0x12, 0x5f}]}, {{0x9, 0x5, 0x81, 0x3, 0x10, 0x1, 0x6, 0x2}}}, {}, {0x9, 0x4, 0x1, 0x1, 0x2, 0x2, 0xd, 0x0, 0x0, "", {{{0x9, 0x5, 0x82, 0x2, 0x8, 0xcc, 0x6, 0x9b}}, {{0x9, 0x5, 0x3, 0x2, 0x400, 0x1, 0x6, 0x1}}}}}}}]}}, &(0x7f0000001300)={0xa, &(0x7f0000000ec0)={0xa, 0x6, 0x200, 0x0, 0x1, 0x13, 0x8, 0xff}, 0xff, &(0x7f0000000f00)={0x5, 0xf, 0xff, 0x6, [@ptm_cap={0x3}, @ss_container_id={0x14, 0x10, 0x4, 0x1, "433e988ee5f358ef3f4e653faf4ee765"}, @generic={0xa, 0x10, 0xb, "d374d6ca9cfdff"}, @generic={0xe, 0x10, 0xb, "e4e12848c1c9e1ace27001"}, @ssp_cap={0x1c, 0x10, 0xa, 0x40, 0x4, 0x4, 0xf0f, 0x8000, [0xff0000, 0xc0, 0xff003f, 0xc00f]}, @generic={0xaf, 0x10, 0x1, "cbabda0f979afcbd15737d315ab69ac532bda02642debca33a83185a92738f4d04cec695223d9f52b803ad72644bd3df5774949b6ed6377cdf5da5b1d8200de161f5b0f610c78f5c79a00db86492ecdf464204c009a9474a05f0f6351819703f383eca0f29a01e52f7b0b1f921ef92c3e630287707e0617fe8cf2672ef1dee5e7c5f8a37415f54b241f0b93ae6f3402e17b6fec466b83827f4e42c57af90ea0b735a10b5cc4a9ed14461cb3c"}]}, 0x9, [{0x4, &(0x7f0000001000)=@lang_id={0x4, 0x3, 0x807}}, {0x4, &(0x7f0000001040)=@lang_id={0x4, 0x3, 0x44c}}, {0x46, &(0x7f0000001080)=@string={0x46, 0x3, "d34169f972886d91885fb4e663d3b95efcbdf2ac7fb6a48b8f5d44f490a6d5db2086fa938c10f7751b90c3993bbfad670a7f80d35886c2cc30291ab2ce67011d1b0d6cf4"}}, {0x4, &(0x7f0000001100)=@lang_id={0x4, 0x3, 0x40a}}, {0x36, &(0x7f0000001140)=@string={0x36, 0x3, "064cab2cae36ef5623749bcb7993b310c0f700e526dda0223a1e4b6f160079c7b1cdb2a8b043ea8325ecc0eed64d543981a396b7"}}, {0x5, &(0x7f0000001180)=@string={0x5, 0x3, 'Ka\x00'}}, {0x4, &(0x7f00000011c0)=@lang_id={0x4, 0x3, 0x500a}}, {0x4, &(0x7f0000001200)=@lang_id={0x4, 0x3, 0x4ff}}, {0x8f, &(0x7f0000001240)=@string={0x8f, 0x3, 
"37cc0c18f2d09bfc3aa76989d36d449db57ff95c9d3d3cb0402d8235dc712201eea4c3182ff76cbdbbe5315c116827a35fa27a3904c66396503f48370555f62791c61546e4121aa688c1c7c57d955aedd9eec2b307d4e587e1aed08679b2728acd321bc4f83ee268d8149d81bbc128c58e178cd17d2b8136b834c1e9b1d7d3d137ae9b4c27e6b1ba93df07e852"}}]}) syz_usb_disconnect(r3) csource_test.go:151: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #ifndef SYS___stat50 #define SYS___stat50 439 #endif #ifndef SYS_chown #define SYS_chown 16 #endif #ifndef SYS_compat_14___semctl #define SYS_compat_14___semctl 220 #endif #ifndef SYS_compat_50___msgctl13 #define SYS_compat_50___msgctl13 302 #endif #ifndef SYS_mmap #define SYS_mmap 197 #endif #ifndef SYS_semctl #define SYS_semctl 442 #endif #ifndef SYS_semget #define SYS_semget 221 #endif #ifndef SYS_semop #define SYS_semop 222 #endif static unsigned long long procid; static void kill_and_wait(int pid, int* status) { kill(pid, SIGKILL); while (waitpid(-1, status, 0) != pid) { } } static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); pthread_attr_setstacksize(&attr, 128 << 10); int i = 0; for (; i < 100; i++) { if (pthread_create(&th, &attr, fn, arg) == 0) { pthread_attr_destroy(&attr); return; } if (errno == EAGAIN) { usleep(50); continue; } break; } exit(1); } typedef struct { pthread_mutex_t mu; pthread_cond_t cv; int state; } event_t; static void event_init(event_t* ev) { if (pthread_mutex_init(&ev->mu, 0)) exit(1); 
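// Tail of event_init(); its signature and mutex setup sit just before this span.
	if (pthread_cond_init(&ev->cv, 0))
		exit(1);
	ev->state = 0;
}

// Clears the event flag. No lock is taken here.
static void event_reset(event_t* ev)
{
	ev->state = 0;
}

// Marks the event as signalled and wakes every waiter.
// Exits the process if the event was already set.
static void event_set(event_t* ev)
{
	pthread_mutex_lock(&ev->mu);
	if (ev->state)
		exit(1);
	ev->state = 1;
	pthread_mutex_unlock(&ev->mu);
	pthread_cond_broadcast(&ev->cv);
}

// Blocks until the event is signalled.
static void event_wait(event_t* ev)
{
	pthread_mutex_lock(&ev->mu);
	while (!ev->state)
		pthread_cond_wait(&ev->cv, &ev->mu);
	pthread_mutex_unlock(&ev->mu);
}

// Returns the current event flag, read under the mutex.
static int event_isset(event_t* ev)
{
	pthread_mutex_lock(&ev->mu);
	int res = ev->state;
	pthread_mutex_unlock(&ev->mu);
	return res;
}

// Waits up to `timeout` milliseconds for the event and returns its final state.
// NOTE(review): pthread_cond_timedwait() expects an absolute deadline, but `ts`
// holds the remaining interval. As written the wait presumably returns at once
// and the loop polls until `timeout` has elapsed. Left as generated so the
// harness timing is unchanged.
static int event_timedwait(event_t* ev, uint64_t timeout)
{
	uint64_t start = current_time_ms();
	uint64_t now = start;
	pthread_mutex_lock(&ev->mu);
	for (;;) {
		if (ev->state)
			break;
		uint64_t remain = timeout - (now - start);
		struct timespec ts;
		ts.tv_sec = remain / 1000;
		ts.tv_nsec = (remain % 1000) * 1000 * 1000;
		pthread_cond_timedwait(&ev->cv, &ev->mu, &ts);
		now = current_time_ms();
		if (now - start > timeout)
			break;
	}
	int res = ev->state;
	pthread_mutex_unlock(&ev->mu);
	return res;
}

#define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off))
#define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len))))

// Packed USB descriptor layouts used by the emulated-device code below.
struct usb_endpoint_descriptor {
	uint8_t bLength;
	uint8_t bDescriptorType;
	uint8_t bEndpointAddress;
	uint8_t bmAttributes;
	uint16_t wMaxPacketSize;
	uint8_t bInterval;
	uint8_t bRefresh;
	uint8_t bSynchAddress;
} __attribute__((packed));

struct usb_device_descriptor {
	uint8_t bLength;
	uint8_t bDescriptorType;
	uint16_t bcdUSB;
	uint8_t bDeviceClass;
	uint8_t bDeviceSubClass;
	uint8_t bDeviceProtocol;
	uint8_t bMaxPacketSize0;
	uint16_t idVendor;
	uint16_t idProduct;
	uint16_t bcdDevice;
	uint8_t iManufacturer;
	uint8_t iProduct;
	uint8_t iSerialNumber;
	uint8_t bNumConfigurations;
} __attribute__((packed));

struct usb_config_descriptor {
	uint8_t bLength;
	uint8_t bDescriptorType;
	uint16_t wTotalLength;
	uint8_t bNumInterfaces;
	uint8_t bConfigurationValue;
	uint8_t iConfiguration;
	uint8_t bmAttributes;
	uint8_t bMaxPower;
} __attribute__((packed));

struct usb_interface_descriptor {
	uint8_t bLength;
	uint8_t bDescriptorType;
	uint8_t bInterfaceNumber;
	uint8_t bAlternateSetting;
	uint8_t bNumEndpoints;
	uint8_t bInterfaceClass;
	uint8_t bInterfaceSubClass;
	uint8_t bInterfaceProtocol;
	uint8_t iInterface;
} __attribute__((packed));

struct usb_ctrlrequest {
	uint8_t bRequestType;
	uint8_t bRequest;
	uint16_t wValue;
	uint16_t wIndex;
	uint16_t wLength;
} __attribute__((packed));

struct usb_qualifier_descriptor {
	uint8_t bLength;
	uint8_t bDescriptorType;
	uint16_t bcdUSB;
	uint8_t bDeviceClass;
	uint8_t bDeviceSubClass;
	uint8_t bDeviceProtocol;
	uint8_t bMaxPacketSize0;
	uint8_t bNumConfigurations;
	uint8_t bRESERVED;
} __attribute__((packed));

#define USB_TYPE_MASK (0x03 << 5)
#define USB_TYPE_STANDARD (0x00 << 5)
#define USB_TYPE_CLASS (0x01 << 5)
#define USB_TYPE_VENDOR (0x02 << 5)
#define USB_TYPE_RESERVED (0x03 << 5)
#define USB_DT_DEVICE 0x01
#define USB_DT_CONFIG 0x02
#define USB_DT_STRING 0x03
#define USB_DT_INTERFACE 0x04
#define USB_DT_ENDPOINT 0x05
#define USB_DT_DEVICE_QUALIFIER 0x06
#define USB_DT_OTHER_SPEED_CONFIG 0x07
#define USB_DT_INTERFACE_POWER 0x08
#define USB_DT_OTG 0x09
#define USB_DT_DEBUG 0x0a
#define USB_DT_INTERFACE_ASSOCIATION 0x0b
#define USB_DT_SECURITY 0x0c
#define USB_DT_KEY 0x0d
#define USB_DT_ENCRYPTION_TYPE 0x0e
#define USB_DT_BOS 0x0f
#define USB_DT_DEVICE_CAPABILITY 0x10
#define USB_DT_WIRELESS_ENDPOINT_COMP 0x11
#define USB_DT_WIRE_ADAPTER 0x21
#define USB_DT_RPIPE 0x22
#define USB_DT_CS_RADIO_CONTROL 0x23
#define USB_DT_PIPE_USAGE 0x24
#define USB_DT_SS_ENDPOINT_COMP 0x30
#define USB_DT_SSP_ISOC_ENDPOINT_COMP 0x31
#define USB_REQ_GET_STATUS 0x00
#define USB_REQ_CLEAR_FEATURE 0x01
#define USB_REQ_SET_FEATURE 0x03
#define USB_REQ_SET_ADDRESS 0x05
#define USB_REQ_GET_DESCRIPTOR 0x06
#define USB_REQ_SET_DESCRIPTOR 0x07
#define USB_REQ_GET_CONFIGURATION 0x08
#define USB_REQ_SET_CONFIGURATION 0x09
#define USB_REQ_GET_INTERFACE 0x0A
#define USB_REQ_SET_INTERFACE 0x0B
#define USB_REQ_SYNCH_FRAME 0x0C
#define USB_REQ_SET_SEL 0x30
#define USB_REQ_SET_ISOCH_DELAY 0x31
#define USB_REQ_SET_ENCRYPTION 0x0D
#define USB_REQ_GET_ENCRYPTION 0x0E
#define USB_REQ_RPIPE_ABORT 0x0E
#define USB_REQ_SET_HANDSHAKE 0x0F
#define USB_REQ_RPIPE_RESET 0x0F
#define USB_REQ_GET_HANDSHAKE 0x10
#define USB_REQ_SET_CONNECTION 0x11
#define USB_REQ_SET_SECURITY_DATA 0x12
#define USB_REQ_GET_SECURITY_DATA 0x13
#define USB_REQ_SET_WUSB_DATA 0x14
#define USB_REQ_LOOPBACK_DATA_WRITE 0x15
#define USB_REQ_LOOPBACK_DATA_READ 0x16
#define USB_REQ_SET_INTERFACE_DS 0x17
#define USB_REQ_GET_PARTNER_PDO 20
#define USB_REQ_GET_BATTERY_STATUS 21
#define USB_REQ_SET_PDO 22
#define USB_REQ_GET_VDM 23
#define USB_REQ_SEND_VDM 24
#define USB_MAX_IFACE_NUM 4
#define USB_MAX_EP_NUM 32
#define USB_MAX_FDS 6

// Per-endpoint copy of the descriptor plus a handle slot.
struct usb_endpoint_index {
	struct usb_endpoint_descriptor desc;
	int handle;
};

// Per-interface index: pointer into the caller's descriptor buffer plus cached fields.
struct usb_iface_index {
	struct usb_interface_descriptor* iface;
	uint8_t bInterfaceNumber;
	uint8_t bAlternateSetting;
	uint8_t bInterfaceClass;
	struct usb_endpoint_index eps[USB_MAX_EP_NUM];
	int eps_num;
};

// Parsed view of one emulated device. `dev` and `config` point into the
// caller's descriptor buffer, they are not copies.
struct usb_device_index {
	struct usb_device_descriptor* dev;
	struct usb_config_descriptor* config;
	uint8_t bDeviceClass;
	uint8_t bMaxPower;
	int config_length;
	struct usb_iface_index ifaces[USB_MAX_IFACE_NUM];
	int ifaces_num;
	int iface_cur;
};

struct usb_info {
	int fd;
	struct usb_device_index index;
};

static struct usb_info usb_devices[USB_MAX_FDS];

// Returns the index registered for `fd`, or NULL if no slot holds that fd.
static struct usb_device_index* lookup_usb_index(int fd)
{
	for (int i = 0; i < USB_MAX_FDS; i++) {
		if (__atomic_load_n(&usb_devices[i].fd, __ATOMIC_ACQUIRE) == fd)
			return &usb_devices[i].index;
	}
	return NULL;
}

static int usb_devices_num;

// Walks the descriptor blob in `buffer` (`length` bytes) and fills `index`
// with the device/config pointers and up to USB_MAX_IFACE_NUM interfaces,
// each with up to USB_MAX_EP_NUM endpoints.
// Returns false when the blob is too short to hold a device plus a config
// descriptor. The walk stops at the first descriptor whose length is <= 2 or
// which would run past `length`.
static bool parse_usb_descriptor(const char* buffer, size_t length, struct usb_device_index* index)
{
	if (length < sizeof(*index->dev) + sizeof(*index->config))
		return false;
	memset(index, 0, sizeof(*index));
	index->dev = (struct usb_device_descriptor*)buffer;
	index->config = (struct usb_config_descriptor*)(buffer + sizeof(*index->dev));
	index->bDeviceClass = index->dev->bDeviceClass;
	index->bMaxPower = index->config->bMaxPower;
	index->config_length = length - sizeof(*index->dev);
	index->iface_cur = -1;
	size_t offset = 0;
	while (true) {
		if (offset + 1 >= length)
			break;
		uint8_t desc_length = buffer[offset];
		uint8_t desc_type = buffer[offset + 1];
		if (desc_length <= 2)
			break;
		if (offset + desc_length > length)
			break;
		// Bytes left in the blob from this descriptor on; at least 2 here.
		size_t avail = length - offset;
		// bLength comes from the blob and may be smaller than the struct, so
		// an interface is indexed only when the whole struct lies inside the blob.
		if (desc_type == USB_DT_INTERFACE && index->ifaces_num < USB_MAX_IFACE_NUM &&
		    avail >= sizeof(struct usb_interface_descriptor)) {
			struct usb_interface_descriptor* iface = (struct usb_interface_descriptor*)(buffer + offset);
			index->ifaces[index->ifaces_num].iface = iface;
			index->ifaces[index->ifaces_num].bInterfaceNumber = iface->bInterfaceNumber;
			index->ifaces[index->ifaces_num].bAlternateSetting = iface->bAlternateSetting;
			index->ifaces[index->ifaces_num].bInterfaceClass = iface->bInterfaceClass;
			index->ifaces_num++;
		}
		if (desc_type == USB_DT_ENDPOINT && index->ifaces_num > 0) {
			struct usb_iface_index* iface = &index->ifaces[index->ifaces_num - 1];
			if (iface->eps_num < USB_MAX_EP_NUM) {
				// Never copy past the end of the blob. Bytes that are not
				// copied stay zero from the memset above.
				size_t copy_len = sizeof(iface->eps[iface->eps_num].desc);
				if (copy_len > avail)
					copy_len = avail;
				memcpy(&iface->eps[iface->eps_num].desc, buffer + offset, copy_len);
				iface->eps_num++;
			}
		}
		offset += desc_length;
	}
	return true;
}

// Claims the next free slot in usb_devices, parses `dev` into it and publishes `fd`.
// Returns NULL when all USB_MAX_FDS slots are used or the descriptor blob is rejected.
static struct usb_device_index* add_usb_index(int fd, const char* dev, size_t dev_len)
{
	int i = __atomic_fetch_add(&usb_devices_num, 1, __ATOMIC_RELAXED);
	if (i >= USB_MAX_FDS)
		return NULL;
	if (!parse_usb_descriptor(dev, dev_len, &usb_devices[i].index))
		return NULL;
	// Release store pairs with the acquire load in lookup_usb_index().
	__atomic_store_n(&usb_devices[i].fd, fd, __ATOMIC_RELEASE);
	return &usb_devices[i].index;
}

struct vusb_connect_string_descriptor {
	uint32_t len;
	char* str;
} __attribute__((packed));

struct vusb_connect_descriptors {
	uint32_t qual_len;
	char* qual;
	uint32_t bos_len;
	char* bos;
	uint32_t strs_len;
	struct vusb_connect_string_descriptor strs[0];
} __attribute__((packed));

static const char default_string[] = {
    8, USB_DT_STRING,
    's', 0, 'y', 0, 'z', 0
};

static const char default_lang_id[] = {
    4, USB_DT_STRING,
    0x09, 0x04
};

// Picks the reply for a device-to-host control request during enumeration.
// On success stores the reply buffer and its length through `response_data` /
// `response_length` and returns true; returns false for any request it does
// not handle. `qual` is scratch storage for a synthesized device-qualifier
// descriptor. `descs` may be NULL: string requests then fall back to the
// built-in defaults, a BOS request is refused and the qualifier is synthesized.
static bool lookup_connect_response_in(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, struct usb_qualifier_descriptor* qual, char** response_data, uint32_t* response_length)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	uint8_t str_idx;
	if (!index)
		return false;
	switch (ctrl->bRequestType & USB_TYPE_MASK) {
	case USB_TYPE_STANDARD:
		switch (ctrl->bRequest) {
		case USB_REQ_GET_DESCRIPTOR:
			switch (ctrl->wValue >> 8) {
			case USB_DT_DEVICE:
				*response_data = (char*)index->dev;
				*response_length = sizeof(*index->dev);
				return true;
			case USB_DT_CONFIG:
				*response_data = (char*)index->config;
				*response_length = index->config_length;
				return true;
			case USB_DT_STRING:
				str_idx = (uint8_t)ctrl->wValue;
				if (descs && str_idx < descs->strs_len) {
					*response_data = descs->strs[str_idx].str;
					*response_length = descs->strs[str_idx].len;
					return true;
				}
				if (str_idx == 0) {
					*response_data = (char*)&default_lang_id[0];
					*response_length = default_lang_id[0];
					return true;
				}
				*response_data = (char*)&default_string[0];
				*response_length = default_string[0];
				return true;
			case USB_DT_BOS:
				// descs is optional (the string case above checks it), so
				// refuse the request instead of dereferencing NULL.
				if (!descs)
					return false;
				*response_data = descs->bos;
				*response_length = descs->bos_len;
				return true;
			case USB_DT_DEVICE_QUALIFIER:
				// No caller-supplied qualifier (or no descs at all): build
				// one from the device descriptor.
				if (!descs || !descs->qual) {
					qual->bLength = sizeof(*qual);
					qual->bDescriptorType = USB_DT_DEVICE_QUALIFIER;
					qual->bcdUSB = index->dev->bcdUSB;
					qual->bDeviceClass = index->dev->bDeviceClass;
					qual->bDeviceSubClass = index->dev->bDeviceSubClass;
					qual->bDeviceProtocol = index->dev->bDeviceProtocol;
					qual->bMaxPacketSize0 = index->dev->bMaxPacketSize0;
					qual->bNumConfigurations = index->dev->bNumConfigurations;
					qual->bRESERVED = 0;
					*response_data = (char*)qual;
					*response_length = sizeof(*qual);
					return true;
				}
				*response_data = descs->qual;
				*response_length = descs->qual_len;
				return true;
			default:
				break;
			}
			break;
		default:
			break;
		}
		break;
	default:
		break;
	}
	return false;
}

typedef bool (*lookup_connect_out_response_t)(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done);

// Handles host-to-device control requests during enumeration.
// Only a standard SET_CONFIGURATION is accepted; it sets *done to true.
static bool lookup_connect_response_out_generic(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done)
{
	switch (ctrl->bRequestType & USB_TYPE_MASK) {
	case USB_TYPE_STANDARD:
		switch (ctrl->bRequest) {
		case USB_REQ_SET_CONFIGURATION:
			*done = true;
			return true;
		default:
			break;
		}
		break;
	}
	return false;
}

// Opens /dev/vhci<procid> read/write and returns the descriptor (or -1).
static int vhci_open(void)
{
	char path[1024];
	snprintf(path, sizeof(path), "/dev/vhci%llu", procid);
	return open(path, O_RDWR);
}

// Selects `port` on the vhci device via VHCI_IOC_SET_PORT.
static int vhci_setport(int fd, u_int port)
{
	struct vhci_ioc_set_port args;
	args.port = port;
	return ioctl(fd, VHCI_IOC_SET_PORT, &args);
}

// Issues VHCI_IOC_USB_ATTACH on the vhci device.
static int vhci_usb_attach(int fd)
{
	return ioctl(fd, VHCI_IOC_USB_ATTACH, NULL);
}

// Reads exactly `size` bytes from `fd` into `buf`; returns 0 on success, -1 on a read error.
// NOTE(review): a 0-byte read is retried rather than treated as end of input,
// unlike vhci_usb_send() which fails on <= 0. Presumably this polls until the
// device has a request queued; confirm against the vhci driver.
static int vhci_usb_recv(int fd, void* buf, size_t size)
{
	uint8_t* ptr = (uint8_t*)buf;
	while (1) {
		ssize_t done = read(fd, ptr, size);
		if (done < 0)
			return -1;
		if ((size_t)done == size)
			return 0;
		size -= done;
		ptr += done;
	}
}

// Writes exactly `size` bytes from `buf` to `fd`; returns 0 on success, -1 if a write returns <= 0.
static int vhci_usb_send(int fd, void* buf, size_t size)
{
	uint8_t* ptr = (uint8_t*)buf;
	while (1) {
		ssize_t done = write(fd, ptr, size);
		if (done <= 0)
			return -1;
		if ((size_t)done == size)
			return 0;
		size -= done;
		ptr += done;
	}
}

// Registers the descriptor blob for `fd`, attaches the virtual device and
// answers control requests until the OUT handler reports completion.
// Returns `fd` on success and -1 on failure. `speed` is not used in this body.
static volatile long syz_usb_connect_impl(int fd, uint64_t speed, uint64_t dev_len, const char* dev, const struct vusb_connect_descriptors* descs, lookup_connect_out_response_t lookup_connect_response_out)
{
	struct usb_device_index* index = add_usb_index(fd, dev, dev_len);
	if (!index) {
		return -1;
	}
	if (vhci_setport(fd, 1))
		exit(1);
	if (vhci_usb_attach(fd)) {
		return -1;
	}
	bool done = false;
	while (!done) {
		vhci_request_t req;
		if (vhci_usb_recv(fd, &req, sizeof(req))) {
			return -1;
		}
		if (req.type != VHCI_REQ_CTRL) {
			return -1;
		}
		char* response_data = NULL;
		uint32_t response_length = 0;
		struct usb_qualifier_descriptor qual;
		char data[4096];
		if (req.u.ctrl.bmRequestType & UE_DIR_IN) {
			if (!lookup_connect_response_in(fd, descs, (const struct usb_ctrlrequest*)&req.u.ctrl, &qual, &response_data, &response_length)) {
				return -1;
			}
		} else {
			if (!lookup_connect_response_out(fd, descs, (const struct usb_ctrlrequest*)&req.u.ctrl, &done)) {
				return -1;
			}
			response_data = NULL;
			response_length = UGETW(req.u.ctrl.wLength);
		}
		if ((req.u.ctrl.bmRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD && req.u.ctrl.bRequest == USB_REQ_SET_CONFIGURATION) {
		}
		// Both clamps keep the copy below inside data[]: an oversized reply
		// becomes empty, and a reply never exceeds the wLength the host asked for.
		if (response_length > sizeof(data))
			response_length = 0;
		if ((uint32_t)UGETW(req.u.ctrl.wLength) < response_length)
			response_length = UGETW(req.u.ctrl.wLength);
		if (response_data)
			memcpy(data, response_data, response_length);
		else
			memset(data, 0, response_length);
		int rv = 0;
		if (req.u.ctrl.bmRequestType & UE_DIR_IN) {
			if (response_length > 0) {
				vhci_response_t res;
				res.size = response_length;
				rv = vhci_usb_send(fd, &res, sizeof(res));
				if (rv == 0)
					rv = vhci_usb_send(fd, data, response_length);
			}
		} else {
			rv = vhci_usb_recv(fd, data, response_length);
		}
		if (rv < 0) {
			return -1;
		}
	}
	sleep_ms(200);
	return fd;
}

// Pseudo-syscall entry: a0 = speed, a1 = descriptor length, a2 = descriptor
// blob, a3 = optional extra descriptors. Opens the vhci device, runs the
// connect handshake, closes the device and returns the handshake result.
static volatile long syz_usb_connect(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	uint64_t speed = a0;
	uint64_t dev_len = a1;
	const char* dev = (const char*)a2;
	const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3;
	if (!dev) {
		return -1;
	}
	int fd = vhci_open();
	if (fd < 0)
		exit(1);
	long res = syz_usb_connect_impl(fd, speed, dev_len, dev, descs, &lookup_connect_response_out_generic);
	close(fd);
	return res;
}

// Pseudo-syscall entry: closes the descriptor in a0, waits 200 ms and returns close()'s result.
static volatile long syz_usb_disconnect(volatile long a0)
{
	int fd = a0;
	int rv = close(fd);
	sleep_ms(200);
	return rv;
}

// Sets /dev/fault to mode 0666, i.e. readable and writable by every local user.
// Exits on failure.
static void setup_fault(void)
{
	if (chmod("/dev/fault", 0666))
		exit(1);
}

// Enables fault injection at LWP scope with nth = `nth` + 1.
// Returns the open /dev/fault descriptor; this function does not close it.
static int inject_fault(int nth)
{
	struct fault_ioc_enable en;
	int fd;
	fd = open("/dev/fault", O_RDWR);
	if (fd == -1)
		exit(1);
	en.scope = FAULT_SCOPE_LWP;
	en.mode = 0;
	en.nth = nth + 1;
	if (ioctl(fd, FAULT_IOC_ENABLE, &en) != 0)
		exit(1);
	return fd;
}

// Applies resource limits: 8 MiB locked memory, 1 MiB file size, 1 MiB stack,
// no core dumps, 256 open files. setrlimit() results are not checked.
static void sandbox_common()
{
	struct rlimit rlim;
	rlim.rlim_cur = rlim.rlim_max = 8 << 20;
	setrlimit(RLIMIT_MEMLOCK, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 1 << 20;
	setrlimit(RLIMIT_FSIZE, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 1 << 20;
	setrlimit(RLIMIT_STACK, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 0;
	setrlimit(RLIMIT_CORE, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 256;
	setrlimit(RLIMIT_NOFILE, &rlim);
}

static void loop();

// "none" sandbox: only the resource limits above, then the main loop.
static int do_sandbox_none(void)
{
	sandbox_common();
	loop();
	return 0;
}

// Jumps to the address in `text`, treating the bytes stored there as machine code.
static long syz_execute_func(volatile long text)
{
	((void (*)(void))(text))();
	return 0;
}

struct thread_t {
	int created, call;
	event_t ready, done;
};

static struct thread_t threads[16];
static void execute_call(int call);
static int running;

// Worker thread body: waits for `ready`, runs the assigned call, decrements
// `running` and signals `done`, forever.
static void* thr(void* arg)
{
	struct thread_t* th = (struct thread_t*)arg;
	for (;;) {
		event_wait(&th->ready);
		event_reset(&th->ready);
		execute_call(th->call);
		__atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED);
		event_set(&th->done);
	}
	return 0;
}

// Head of execute_one(); the statement below and the rest of the body continue
// past this span, so the code is kept exactly as generated.
static void execute_one(void)
{
	int i, call, thread;
	for (call = 0; call < 14; call++) {
		for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) {
			struct thread_t* th = &threads[thread];
			if (!th->created) {
				th->created = 1;
				event_init(&th->ready);
				event_init(&th->done);
				event_set(&th->done);
				thread_start(thr, th);
			}
			if (!event_isset(&th->done))
				continue;
			event_reset(&th->done);
			th->call = call;
			__atomic_fetch_add(&running, 1, __ATOMIC_RELAXED);
			event_set(&th->ready);
			if (call == 1)
				break;
			event_timedwait(&th->done, 50 + (call == 11 ? 3000 : 0) + (call == 12 ? 3000 : 0) + (call == 13 ?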
300 : 0)); break; } } for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++) sleep_ms(1); } static void execute_one(void); #define WAIT_FLAGS 0 static void loop(void) { int iter = 0; for (;; iter++) { int pid = fork(); if (pid < 0) exit(1); if (pid == 0) { execute_one(); exit(0); } int status = 0; uint64_t start = current_time_ms(); for (;;) { if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) break; sleep_ms(1); if (current_time_ms() - start < 5000) continue; kill_and_wait(pid, &status); break; } } } uint64_t r[4] = {0x0, 0x0, 0x0, 0xffffffffffffffff}; void execute_call(int call) { intptr_t res = 0; switch (call) { case 0: memcpy((void*)0x20000000, "./file0\000", 8); inject_fault(1); res = syscall(SYS___stat50, 0x20000000ul, 0x20000040ul); if (res != -1) { r[0] = *(uint32_t*)0x2000005c; r[1] = *(uint32_t*)0x20000060; } break; case 1: *(uint32_t*)0x20000200 = 0x5a3e; *(uint32_t*)0x20000204 = 0; *(uint32_t*)0x20000208 = r[1]; *(uint32_t*)0x2000020c = -1; *(uint32_t*)0x20000210 = -1; *(uint32_t*)0x20000214 = 0x20; *(uint16_t*)0x20000218 = 0x400; *(uint16_t*)0x2000021a = 0; *(uint64_t*)0x20000220 = 0; *(uint64_t*)0x20000228 = 0; *(uint64_t*)0x20000230 = 9; *(uint64_t*)0x20000238 = 0x62e81dc5; *(uint32_t*)0x20000240 = 0x81; *(uint32_t*)0x20000244 = 5; *(uint64_t*)0x20000248 = 4; *(uint64_t*)0x20000250 = 8; *(uint64_t*)0x20000258 = 9; *(uint64_t*)0x20000260 = 0x20000100; *(uint64_t*)0x20000100 = 0; *(uint64_t*)0x20000108 = 0x20e1; *(uint16_t*)0x20000110 = 0xfffd; *(uint16_t*)0x20000112 = 1; *(uint64_t*)0x20000268 = 0x200001c0; *(uint64_t*)0x200001c0 = 0x20000180; *(uint64_t*)0x20000180 = 0x20000140; *(uint64_t*)0x20000140 = 0; *(uint64_t*)0x20000148 = 0x7ff; *(uint16_t*)0x20000150 = 9; *(uint16_t*)0x20000152 = 1; *(uint64_t*)0x20000188 = 0x8000000000000000; *(uint16_t*)0x20000190 = 6; *(uint16_t*)0x20000192 = 8; *(uint64_t*)0x200001c8 = 8; *(uint16_t*)0x200001d0 = 5; *(uint16_t*)0x200001d2 = 0x20; *(uint64_t*)0x20000270 = 0x400; 
syscall(SYS_compat_50___msgctl13, 0, 1ul, 0x20000200ul); break; case 2: memcpy((void*)0x20000280, "./file0\000", 8); syscall(SYS_chown, 0x20000280ul, r[0], 0); { int i; for(i = 0; i < 4; i++) { syscall(SYS_chown, 0x20000280ul, r[0], 0); } } break; case 3: syscall(SYS_compat_14___semctl, 0, 0ul, 6ul, 0x200002c0ul); break; case 4: *(uint64_t*)0x20000380 = 0x20000340; *(uint32_t*)0x20000340 = r[0]; *(uint32_t*)0x20000344 = r[1]; *(uint32_t*)0x20000348 = 0x80; *(uint32_t*)0x2000034c = 0x5a3; *(uint32_t*)0x20000350 = 0x100; *(uint16_t*)0x20000354 = 1; *(uint64_t*)0x20000358 = 0x4897; *(uint16_t*)0x20000360 = 0x7fff; *(uint64_t*)0x20000368 = 7; *(uint64_t*)0x20000370 = 0; *(uint64_t*)0x20000378 = 0x20000300; *(uint16_t*)0x20000300 = 0x800; *(uint32_t*)0x20000304 = 7; *(uint16_t*)0x20000308 = 2; *(uint16_t*)0x2000030a = 9; syscall(SYS_compat_14___semctl, -1, 0ul, 8ul, 0x20000380ul); break; case 5: syscall(SYS_semctl, -1, 4ul, 3ul, 0x200003c0ul); break; case 6: res = syscall(SYS_semget, 0ul, 3ul, 2ul); if (res != -1) r[2] = res; break; case 7: syscall(SYS_compat_14___semctl, r[2], 0ul, 3ul, 0); break; case 8: *(uint16_t*)0x20000400 = 4; *(uint16_t*)0x20000402 = 7; *(uint16_t*)0x20000404 = 0x2000; *(uint16_t*)0x20000406 = 4; *(uint16_t*)0x20000408 = 0x1f; *(uint16_t*)0x2000040a = 0x800; *(uint16_t*)0x2000040c = 1; *(uint16_t*)0x2000040e = 7; *(uint16_t*)0x20000410 = 0x400; syscall(SYS_semop, r[2], 0x20000400ul, 3ul); break; case 9: syscall(SYS_compat_14___semctl, r[2], 0ul, 2ul, 0x20000440ul); break; case 10: memcpy((void*)0x20000040, "\xc4\x21\xc1\x6d\x14\x9f\xc4\x62\xba\xf7\x6f\xed\x26\x66\x45\x0f\x38\x00\x81\x3b\xe7\x0e\xb1\x66\x40\x25\x36\x33\xf0\x40\x81\x82\xa0\xbc\x30\x22\x00\x80\x00\x00\xc4\x82\x81\x92\x6c\xd9\x92\x66\x0f\x4f\x99\xc0\xf8\x00\x00\x36\x26\x66\x0f\x12\x4e\x32\xf2\x6e\x66\x0f\x38\x2a\xb5\x00\x00\x00\x80", 73); syz_execute_func(0x20000040); break; case 11: *(uint8_t*)0x20000100 = 0x12; *(uint8_t*)0x20000101 = 1; *(uint16_t*)0x20000102 = 0x300; 
*(uint8_t*)0x20000104 = 0; *(uint8_t*)0x20000105 = 0; *(uint8_t*)0x20000106 = 0; *(uint8_t*)0x20000107 = 0xbf; *(uint16_t*)0x20000108 = 0; *(uint16_t*)0x2000010a = 0; *(uint16_t*)0x2000010c = 0; *(uint8_t*)0x2000010e = 1; *(uint8_t*)0x2000010f = 2; *(uint8_t*)0x20000110 = 3; *(uint8_t*)0x20000111 = 1; *(uint8_t*)0x20000112 = 9; *(uint8_t*)0x20000113 = 2; *(uint16_t*)0x20000114 = 0x76c; *(uint8_t*)0x20000116 = 3; *(uint8_t*)0x20000117 = 7; *(uint8_t*)0x20000118 = 0x17; *(uint8_t*)0x20000119 = 0x30; *(uint8_t*)0x2000011a = 0x3d; *(uint8_t*)0x2000011b = 9; *(uint8_t*)0x2000011c = 4; *(uint8_t*)0x2000011d = 0x8e; *(uint8_t*)0x2000011e = 0; *(uint8_t*)0x2000011f = 0; *(uint8_t*)0x20000120 = 0; *(uint8_t*)0x20000121 = 0; *(uint8_t*)0x20000122 = 0; *(uint8_t*)0x20000123 = 0x62; *(uint8_t*)0x20000124 = 0x12; *(uint8_t*)0x20000125 = 0x24; *(uint8_t*)0x20000126 = 2; *(uint8_t*)0x20000127 = 2; *(uint16_t*)0x20000128 = 0x1f; *(uint16_t*)0x2000012a = 7; *(uint8_t*)0x2000012c = 0x7f; memcpy((void*)0x2000012d, "\x11\xc0\x68\x24\x60\x6e\x6e\x24\x1d", 9); *(uint8_t*)0x20000136 = 9; *(uint8_t*)0x20000137 = 4; *(uint8_t*)0x20000138 = 0; *(uint8_t*)0x20000139 = 0x3f; *(uint8_t*)0x2000013a = 0xd; *(uint8_t*)0x2000013b = 0; *(uint8_t*)0x2000013c = 0; *(uint8_t*)0x2000013d = 0; *(uint8_t*)0x2000013e = 0x1f; *(uint8_t*)0x2000013f = 0xe0; *(uint8_t*)0x20000140 = 0xa; memcpy((void*)0x20000141, 
"\xb7\x1a\xa8\xdb\xef\x28\xec\x50\x8e\x40\xe5\x7e\x0f\x21\xe5\x1c\xeb\x5e\xac\xb8\x0b\xb3\xf7\xed\x35\xe2\x9b\xad\x26\x5b\x99\xdb\xbc\xbb\x65\x5b\x87\xcb\xc7\x76\x84\x37\x03\xa8\x76\xdc\x2d\xd2\x21\x6c\x56\x77\x1d\xd1\x3f\x2c\xae\x3e\xae\x77\x25\x86\xca\xcf\x7c\xdb\x24\xa9\x18\x92\x4b\xa3\x42\xe5\xa8\x4c\xb7\x75\x41\x17\x2a\x5b\x41\x00\xbc\xd7\x21\xc0\x0b\xcc\x1d\x59\x0d\x5b\xae\x2e\x60\x2b\x8a\x29\xaa\x64\x95\x16\xb3\x9d\x74\x5c\x54\x66\x13\x73\x0d\xec\x49\x57\xdf\x6d\xc6\x59\x19\x93\xb9\x02\x7a\xfe\x3e\xb2\x17\x2a\x49\xb3\xb5\x89\xf5\x32\x2c\xc7\x6f\xd4\x21\xd8\xb9\xac\xaf\x9f\x32\x6c\x83\x52\x14\xaa\x33\xda\x00\x4a\xda\xae\x66\x89\xef\xeb\xb0\x28\xa6\x49\xb7\xed\xc8\x23\x33\xf8\x9f\xd1\x00\xb6\xda\x5d\x60\xc3\xe1\x34\x9b\xd3\x0d\x2c\xff\x8a\xe5\x6c\xcb\xed\x46\xe0\x9f\x66\x62\xc6\xb2\xc2\xe7\xcb\xd8\x87\xfb\xc4\x47\xdb\x5d\x68\x87\xeb\x1c\xc1\x37\x8e\xd3\x10\xec\x7d\x00\x4c", 222); *(uint8_t*)0x2000021f = 0xb; *(uint8_t*)0x20000220 = 0x24; *(uint8_t*)0x20000221 = 6; *(uint8_t*)0x20000222 = 0; *(uint8_t*)0x20000223 = 1; memcpy((void*)0x20000224, "\x4b\x66\xfa\xfb\xc9\xe4", 6); *(uint8_t*)0x2000022a = 5; *(uint8_t*)0x2000022b = 0x24; *(uint8_t*)0x2000022c = 0; *(uint16_t*)0x2000022d = 6; *(uint8_t*)0x2000022f = 0xd; *(uint8_t*)0x20000230 = 0x24; *(uint8_t*)0x20000231 = 0xf; *(uint8_t*)0x20000232 = 1; *(uint32_t*)0x20000233 = 0x80000000; *(uint16_t*)0x20000237 = 4; *(uint16_t*)0x20000239 = 0; *(uint8_t*)0x2000023b = 0; *(uint8_t*)0x2000023c = 6; *(uint8_t*)0x2000023d = 0x24; *(uint8_t*)0x2000023e = 0x1a; *(uint16_t*)0x2000023f = 0xfffa; *(uint8_t*)0x20000241 = 0x12; *(uint8_t*)0x20000242 = 5; *(uint8_t*)0x20000243 = 0x24; *(uint8_t*)0x20000244 = 0x15; *(uint16_t*)0x20000245 = 5; *(uint8_t*)0x20000247 = 0x15; *(uint8_t*)0x20000248 = 0x24; *(uint8_t*)0x20000249 = 0x12; *(uint16_t*)0x2000024a = 5; *(uint64_t*)0x2000024c = 0x14f5e048ba817a3; *(uint64_t*)0x20000254 = 0x2a397ecbffc007a6; *(uint8_t*)0x2000025c = 7; *(uint8_t*)0x2000025d = 0x24; *(uint8_t*)0x2000025e = 
0x14; *(uint16_t*)0x2000025f = 4; *(uint16_t*)0x20000261 = 0; *(uint8_t*)0x20000263 = 0xe5; *(uint8_t*)0x20000264 = 0x24; *(uint8_t*)0x20000265 = 0x13; *(uint8_t*)0x20000266 = 7; memcpy((void*)0x20000267, "\x8f\x0d\x5f\x90\xcf\x98\xb4\x79\xfa\xe0\x69\xbf\xd8\x3c\x7e\x4e\xf5\xaf\xe0\x12\x49\x5f\x0e\xe2\x30\x62\xfe\x5f\x81\xbe\x0e\xf8\x2f\xf4\x10\x31\x8f\x82\xc5\x30\x0b\xa5\xa5\xad\x17\x5d\xac\xf7\x41\xe1\xd1\x95\x6b\x8b\xb1\x56\xe5\xb5\x46\x64\x4c\x17\x50\x91\x6d\x03\x81\xb4\x9c\x7b\xd1\x60\x32\x3b\xde\x2f\xf8\xc1\x37\x9a\x31\x9c\x3a\xdd\x3f\xbd\x86\xaa\x16\x97\x49\xf6\x10\x88\x44\xbd\x19\x64\x4c\xaf\xeb\xba\x5d\x70\x98\x9e\x95\x14\x43\x00\xd6\xb5\x08\xed\xd1\x66\x2f\x75\x98\x28\xaa\xd7\x8d\x18\xd7\x10\x55\x3c\xb7\xf5\xdf\x43\xb7\xb5\x60\xbb\x4f\x48\x69\xde\x9e\xbe\x5e\x12\x63\x56\x50\x7d\x10\xf2\xc8\xd9\xb8\x3f\x66\x1f\xbf\x0b\xd5\x13\x1c\xe9\xc0\x59\xb6\x0e\x62\x0d\xa0\xf7\x51\x6a\xd6\xd7\x0c\x75\xde\x7d\xd4\xb3\x7d\x9c\x37\x91\x34\xe6\x03\x6d\xf4\x28\xe1\xf5\x41\xdb\xee\x9f\x58\xa4\xa3\x74\xff\x6c\xb6\xae\x04\x68\xf4\x9c\x61\x64\x18\xa2\x76\x00\x66\x45\x74\x39\x95\x2b\xb5\xb9\x3f\x4f\x33", 225); *(uint8_t*)0x20000348 = 0x15; *(uint8_t*)0x20000349 = 0x24; *(uint8_t*)0x2000034a = 0x12; *(uint16_t*)0x2000034b = 0xec; *(uint64_t*)0x2000034d = 0x14f5e048ba817a3; *(uint64_t*)0x20000355 = 0x2a397ecbffc007a6; *(uint8_t*)0x2000035d = 9; *(uint8_t*)0x2000035e = 5; *(uint8_t*)0x2000035f = 0xf; *(uint8_t*)0x20000360 = 0x1d; *(uint16_t*)0x20000361 = 0x10; *(uint8_t*)0x20000363 = 0; *(uint8_t*)0x20000364 = 0x80; *(uint8_t*)0x20000365 = 0x74; *(uint8_t*)0x20000366 = 9; *(uint8_t*)0x20000367 = 5; *(uint8_t*)0x20000368 = 2; *(uint8_t*)0x20000369 = 3; *(uint16_t*)0x2000036a = 0x10; *(uint8_t*)0x2000036c = 0x9f; *(uint8_t*)0x2000036d = 0x7d; *(uint8_t*)0x2000036e = -1; *(uint8_t*)0x2000036f = 0x52; *(uint8_t*)0x20000370 = 0xe; memcpy((void*)0x20000371, 
"\xec\xf4\xce\x49\x2b\x20\xb2\xd5\x08\xa9\x18\x0c\x01\x19\x2d\x8e\x12\x4f\x6e\x79\x0a\xed\xfc\x35\x21\x3b\x1d\x14\xc6\x8c\x63\x68\x66\x31\xf6\x97\x53\x2d\xa0\x05\xbc\x50\x13\xd6\x2c\x6d\x5c\x18\xb5\xc5\xc4\xf2\x26\x3b\x42\xb5\x82\xb7\x33\x3b\x47\x37\x3c\xdf\x66\x61\x59\x74\x5a\x6a\x53\xd5\x18\xa4\xae\x7c\x51\xab\xaa\xa8", 80); *(uint8_t*)0x200003c1 = 0x15; *(uint8_t*)0x200003c2 = 0x23; memcpy((void*)0x200003c3, "\xdc\x33\x3e\xa4\xd2\xd7\x35\x1e\xc6\xd2\x73\xb6\x8c\xe3\xd5\xd1\xe2\xc2\xcf", 19); *(uint8_t*)0x200003d6 = 9; *(uint8_t*)0x200003d7 = 5; *(uint8_t*)0x200003d8 = 0xb; *(uint8_t*)0x200003d9 = 0; *(uint16_t*)0x200003da = 0x10; *(uint8_t*)0x200003dc = 4; *(uint8_t*)0x200003dd = 9; *(uint8_t*)0x200003de = 0; *(uint8_t*)0x200003df = 7; *(uint8_t*)0x200003e0 = 0x25; *(uint8_t*)0x200003e1 = 1; *(uint8_t*)0x200003e2 = 0; *(uint8_t*)0x200003e3 = 5; *(uint16_t*)0x200003e4 = 0xfffc; *(uint8_t*)0x200003e6 = 0x35; *(uint8_t*)0x200003e7 = 2; memcpy((void*)0x200003e8, "\x59\xa6\x60\x19\xfb\x9a\xdf\xb5\x95\x09\x97\x71\x2b\x8b\x3c\x1c\xb4\xc4\xa0\xab\xbf\x8e\xa4\x1d\xd4\xdd\x59\x36\xbd\xe7\xfb\xe2\x3f\xf6\x42\xc1\x76\xc3\x55\xef\x47\x28\x02\x2f\x3d\x7d\x83\x38\x60\xfb\xcf", 51); *(uint8_t*)0x2000041b = 9; *(uint8_t*)0x2000041c = 5; *(uint8_t*)0x2000041d = 0; *(uint8_t*)0x2000041e = 0x10; *(uint16_t*)0x2000041f = 8; *(uint8_t*)0x20000421 = 1; *(uint8_t*)0x20000422 = 1; *(uint8_t*)0x20000423 = 0; *(uint8_t*)0x20000424 = 9; *(uint8_t*)0x20000425 = 5; *(uint8_t*)0x20000426 = 1; *(uint8_t*)0x20000427 = 2; *(uint16_t*)0x20000428 = 0; *(uint8_t*)0x2000042a = 0; *(uint8_t*)0x2000042b = 9; *(uint8_t*)0x2000042c = 6; *(uint8_t*)0x2000042d = 7; *(uint8_t*)0x2000042e = 0x25; *(uint8_t*)0x2000042f = 1; *(uint8_t*)0x20000430 = 3; *(uint8_t*)0x20000431 = 9; *(uint16_t*)0x20000432 = 0x9f36; *(uint8_t*)0x20000434 = 7; *(uint8_t*)0x20000435 = 0x25; *(uint8_t*)0x20000436 = 1; *(uint8_t*)0x20000437 = 3; *(uint8_t*)0x20000438 = 9; *(uint16_t*)0x20000439 = 3; *(uint8_t*)0x2000043b = 9; 
*(uint8_t*)0x2000043c = 5; *(uint8_t*)0x2000043d = 0xc; *(uint8_t*)0x2000043e = 0x10; *(uint16_t*)0x2000043f = 0x200; *(uint8_t*)0x20000441 = 0x15; *(uint8_t*)0x20000442 = 2; *(uint8_t*)0x20000443 = 0; *(uint8_t*)0x20000444 = 0x5b; *(uint8_t*)0x20000445 = 0x23; memcpy((void*)0x20000446, "\x19\x25\x29\x4e\x2c\x16\x95\x4f\x83\x13\x82\x5e\x71\xea\x53\x6e\x70\x77\xd7\x13\x0c\xee\x3a\x80\x2c\xb3\xc8\x00\x5e\xf6\xd9\x21\x10\x68\x28\x6c\x7a\x4c\x20\xcb\x87\xfd\x2c\xdc\x5a\xee\xdb\x17\x1f\xd6\x7d\xdc\x74\xc3\xf0\x29\xaa\xb0\xbf\xa9\xa6\x3e\x5d\xe5\xa5\x35\x79\x66\x6c\xef\x0f\xb7\xc8\x76\xef\xc0\xa5\xd3\x38\x2c\x34\x6e\x1f\x9a\x78\xb7\x35\x6c\x22", 89); *(uint8_t*)0x2000049f = 9; *(uint8_t*)0x200004a0 = 5; *(uint8_t*)0x200004a1 = 0xb; *(uint8_t*)0x200004a2 = 0; *(uint16_t*)0x200004a3 = 0x40; *(uint8_t*)0x200004a5 = 0x18; *(uint8_t*)0x200004a6 = 0x3f; *(uint8_t*)0x200004a7 = 8; *(uint8_t*)0x200004a8 = 9; *(uint8_t*)0x200004a9 = 5; *(uint8_t*)0x200004aa = 0xd; *(uint8_t*)0x200004ab = 1; *(uint16_t*)0x200004ac = 0; *(uint8_t*)0x200004ae = 9; *(uint8_t*)0x200004af = -1; *(uint8_t*)0x200004b0 = 3; *(uint8_t*)0x200004b1 = 0xdc; *(uint8_t*)0x200004b2 = 0x23; memcpy((void*)0x200004b3, 
"\xcc\xd5\x3f\xc8\x11\x56\xa9\x1f\xf4\x26\xeb\x00\x1f\xbf\x43\xc8\x55\x1f\xda\x17\x0e\xd3\x6a\x97\xeb\xa7\xa3\x2c\x31\x15\xec\x5e\x9a\x81\x82\x73\x40\x12\xaa\x12\xdd\xcc\x6e\x93\xd8\x5e\xaa\xfb\xda\x4a\xb1\xcf\xf6\xbc\xb2\xaf\xec\xd8\xaa\x8c\x58\xb2\x7a\x75\xe5\xa4\xdd\xc5\x0c\xc6\x73\xed\xc8\x2f\xf1\x31\x15\xeb\x8f\x50\xdd\xd1\xed\x26\x95\x33\x7c\xa8\x5b\x88\x26\x4d\xb5\x9e\xb1\x30\x42\x16\xa3\x01\xd4\x2f\x29\x02\xd5\xc0\x6b\x17\x59\x2b\xb2\x1d\x2a\xf1\xd0\x92\xf5\xd7\x37\x3a\xef\xdb\x90\x7f\xfc\x81\x79\xab\xd6\x8b\x11\xef\x10\xbe\x84\x4e\x03\x81\x68\x06\xf0\x45\xf0\xa5\xef\x3b\xa0\xac\x5b\xd8\x43\xa4\x6f\xa3\xb7\x2b\x86\x2d\xe1\x72\x86\x47\xad\xc3\xf3\xbb\xcd\x53\xce\x88\x1e\x6b\x5a\x6c\x6e\xc7\x97\xd3\x2c\xc1\x39\x18\xe3\xda\x4b\x3e\xa2\x0d\xd6\x89\x3c\x2c\x7c\xa4\x7a\xa5\x1b\xee\x04\x7a\x36\x1f\xef\xf7\x16\xce\xf3\xda\xe5\x0b\x6c\xa7\x2a\x2b\x76\x4f\xa4\xcf", 218); *(uint8_t*)0x2000058d = 7; *(uint8_t*)0x2000058e = 0x25; *(uint8_t*)0x2000058f = 1; *(uint8_t*)0x20000590 = 0x80; *(uint8_t*)0x20000591 = 5; *(uint16_t*)0x20000592 = 0x3f; *(uint8_t*)0x20000594 = 9; *(uint8_t*)0x20000595 = 5; *(uint8_t*)0x20000596 = 1; *(uint8_t*)0x20000597 = 2; *(uint16_t*)0x20000598 = 0x20; *(uint8_t*)0x2000059a = 0xb9; *(uint8_t*)0x2000059b = 0x86; *(uint8_t*)0x2000059c = 0x40; *(uint8_t*)0x2000059d = 0x84; *(uint8_t*)0x2000059e = 8; memcpy((void*)0x2000059f, "\xab\x51\x4d\xeb\xe1\x6a\xea\x41\xf0\x67\xe8\x46\xf8\x93\x9c\x5d\x4f\x6f\xce\x3a\x7d\x25\xea\xee\x2c\x06\x51\xf9\x2f\xe2\x44\x17\xbd\xf9\x25\x6f\x3f\x9b\x58\x34\x92\xb2\xe4\xfe\x6b\x2b\x4b\xad\x9c\x1f\x4a\x8b\x26\xd7\x4c\x60\xae\xda\x94\x78\xa6\x48\x76\x89\x1b\x3a\x75\xff\xce\x40\x01\x85\x3b\x93\xbd\x0f\xd8\xa1\x65\xa7\xfa\x83\xfb\xc6\xb9\x5a\xed\x88\x0f\x02\x22\x4f\x12\x22\xb1\x50\xb7\x46\x98\x1a\x4b\x55\x28\x8f\x56\x4d\x8d\x6a\xf6\x43\xc0\xfd\x29\x15\x71\xd7\x0c\xc5\x60\x24\xdd\x73\xe5\x00\xc5\xef\xe9\xbc\x9b\x72", 130); *(uint8_t*)0x20000621 = 7; *(uint8_t*)0x20000622 = 0x25; *(uint8_t*)0x20000623 = 1; 
*(uint8_t*)0x20000624 = 1; *(uint8_t*)0x20000625 = 0; *(uint16_t*)0x20000626 = 9; *(uint8_t*)0x20000628 = 9; *(uint8_t*)0x20000629 = 5; *(uint8_t*)0x2000062a = 5; *(uint8_t*)0x2000062b = 2; *(uint16_t*)0x2000062c = 0x10; *(uint8_t*)0x2000062e = 0xf9; *(uint8_t*)0x2000062f = 0xd8; *(uint8_t*)0x20000630 = 0xf9; *(uint8_t*)0x20000631 = 9; *(uint8_t*)0x20000632 = 5; *(uint8_t*)0x20000633 = 3; *(uint8_t*)0x20000634 = 0xc; *(uint16_t*)0x20000635 = 8; *(uint8_t*)0x20000637 = 0x81; *(uint8_t*)0x20000638 = 0; *(uint8_t*)0x20000639 = 0x3f; *(uint8_t*)0x2000063a = 9; *(uint8_t*)0x2000063b = 5; *(uint8_t*)0x2000063c = 0xd; *(uint8_t*)0x2000063d = 0; *(uint16_t*)0x2000063e = 0xa2f3; *(uint8_t*)0x20000640 = 0xbe; *(uint8_t*)0x20000641 = 6; *(uint8_t*)0x20000642 = 7; *(uint8_t*)0x20000643 = 7; *(uint8_t*)0x20000644 = 0x25; *(uint8_t*)0x20000645 = 1; *(uint8_t*)0x20000646 = 0x81; *(uint8_t*)0x20000647 = 2; *(uint16_t*)0x20000648 = 2; *(uint8_t*)0x2000064a = 9; *(uint8_t*)0x2000064b = 5; *(uint8_t*)0x2000064c = 8; *(uint8_t*)0x2000064d = 0x1c; *(uint16_t*)0x2000064e = 0x20; *(uint8_t*)0x20000650 = 4; *(uint8_t*)0x20000651 = 8; *(uint8_t*)0x20000652 = 9; *(uint8_t*)0x20000653 = 7; *(uint8_t*)0x20000654 = 0x25; *(uint8_t*)0x20000655 = 1; *(uint8_t*)0x20000656 = 0x81; *(uint8_t*)0x20000657 = -1; *(uint16_t*)0x20000658 = 0xffe0; *(uint8_t*)0x2000065a = 0xf2; *(uint8_t*)0x2000065b = 0x31; memcpy((void*)0x2000065c, 
"\x2f\xb2\xb9\x74\x7b\x65\x1a\xe6\x6e\x5d\x86\x1f\x9e\xfc\x61\xbd\xd1\x94\x95\xf1\x63\x62\x59\x75\xe7\xba\xe8\x00\xee\x00\x48\x67\xb5\xa8\x13\xb7\xb9\xdb\xc5\x5e\xb0\xb7\x51\xb8\xd7\x58\xe9\xcb\xa4\xa3\xb4\xf6\x83\x0e\x5f\x85\xdf\x74\x0e\xfc\xf2\x90\xc7\x7d\xf2\x12\xee\x62\xfc\x94\xcc\x50\x4b\x1e\x54\x22\xff\xbf\x9f\x87\xed\x05\xb4\xe7\x62\xfe\xed\x65\x35\xfd\x70\x28\x25\x63\x1d\xb7\x63\x6c\x86\x9c\x9f\x12\x99\x32\x0d\x98\xe1\xcf\x74\x0a\x94\xe2\x26\xaf\x56\x08\xa7\x99\xe1\xc9\x99\xee\x2b\x4a\xb5\x14\x6f\x85\x2e\xd9\x87\x40\x65\xfb\x37\xc2\x85\x81\x1c\x77\x78\x9d\xf8\xa1\x79\x8c\x26\x70\x41\x97\x47\x67\x93\x38\xa3\x29\x93\x49\xae\x3e\xc4\x9e\xed\xcb\x39\x25\x6d\x55\x1a\x4f\xfb\xa9\x59\x51\x67\xc1\x77\x9a\x72\x47\xb9\x4a\xeb\xc5\x79\x2e\x53\xfb\xc9\x4c\x06\x6c\x16\xfe\x77\x02\x04\x92\xe0\xa3\x08\xd5\xba\x5f\xde\xc9\x52\xc4\x09\x5b\x75\x63\x34\x7b\xe3\xf2\xab\x70\x87\x33\x75\xe6\x11\x6c\x39\x40\x03\xcc\x0c\x5c\xdb\xdc\xb0\x04\xf9\x6c\x6c\x4f\xf2\x35", 240); *(uint8_t*)0x2000074c = 9; *(uint8_t*)0x2000074d = 4; *(uint8_t*)0x2000074e = 3; *(uint8_t*)0x2000074f = 6; *(uint8_t*)0x20000750 = 5; *(uint8_t*)0x20000751 = 0; *(uint8_t*)0x20000752 = 0; *(uint8_t*)0x20000753 = 0; *(uint8_t*)0x20000754 = 0xc8; *(uint8_t*)0x20000755 = 7; *(uint8_t*)0x20000756 = 0x24; *(uint8_t*)0x20000757 = 1; *(uint8_t*)0x20000758 = 0; *(uint8_t*)0x20000759 = 3; *(uint16_t*)0x2000075a = 4; *(uint8_t*)0x2000075c = 0xf; *(uint8_t*)0x2000075d = 0x24; *(uint8_t*)0x2000075e = 2; *(uint8_t*)0x2000075f = 1; *(uint8_t*)0x20000760 = 0x81; *(uint8_t*)0x20000761 = 2; *(uint8_t*)0x20000762 = 1; *(uint8_t*)0x20000763 = 1; memcpy((void*)0x20000764, "\xb3\xd2\xfe\xb3\x92\x00\x56", 7); *(uint8_t*)0x2000076b = 9; *(uint8_t*)0x2000076c = 5; *(uint8_t*)0x2000076d = 6; *(uint8_t*)0x2000076e = 4; *(uint16_t*)0x2000076f = 0x400; *(uint8_t*)0x20000771 = 0; *(uint8_t*)0x20000772 = 6; *(uint8_t*)0x20000773 = 3; *(uint8_t*)0x20000774 = 0x11; *(uint8_t*)0x20000775 = 4; memcpy((void*)0x20000776, 
"\x39\xa6\x64\x25\x22\x0f\xb1\xa9\x9e\x55\x6b\x2d\xfb\x18\x38", 15); *(uint8_t*)0x20000785 = 9; *(uint8_t*)0x20000786 = 5; *(uint8_t*)0x20000787 = 0xa; *(uint8_t*)0x20000788 = 4; *(uint16_t*)0x20000789 = 0x50; *(uint8_t*)0x2000078b = 0x79; *(uint8_t*)0x2000078c = 9; *(uint8_t*)0x2000078d = -1; *(uint8_t*)0x2000078e = 7; *(uint8_t*)0x2000078f = 0x25; *(uint8_t*)0x20000790 = 1; *(uint8_t*)0x20000791 = 1; *(uint8_t*)0x20000792 = 9; *(uint16_t*)0x20000793 = 7; *(uint8_t*)0x20000795 = 9; *(uint8_t*)0x20000796 = 5; *(uint8_t*)0x20000797 = 2; *(uint8_t*)0x20000798 = 0x10; *(uint16_t*)0x20000799 = 0x10; *(uint8_t*)0x2000079b = 0; *(uint8_t*)0x2000079c = 0xe5; *(uint8_t*)0x2000079d = 1; *(uint8_t*)0x2000079e = 0xc; *(uint8_t*)0x2000079f = 8; memcpy((void*)0x200007a0, "\x62\x71\xea\xd3\x9e\x76\xc5\x5f\x40\x3f", 10); *(uint8_t*)0x200007aa = 0x1d; *(uint8_t*)0x200007ab = 0x22; memcpy((void*)0x200007ac, "\x93\xf9\x20\x77\xe6\xf8\xfb\x30\x27\x85\xe1\x3e\x57\xcc\x86\xfc\x2a\x7a\x97\x62\x1a\x1c\xd7\x84\x98\xcc\x60", 27); *(uint8_t*)0x200007c7 = 9; *(uint8_t*)0x200007c8 = 5; *(uint8_t*)0x200007c9 = 0xa; *(uint8_t*)0x200007ca = 0; *(uint16_t*)0x200007cb = 0x10; *(uint8_t*)0x200007cd = 0xfb; *(uint8_t*)0x200007ce = 0x70; *(uint8_t*)0x200007cf = 9; *(uint8_t*)0x200007d0 = 0xa5; *(uint8_t*)0x200007d1 = 0xa; memcpy((void*)0x200007d2, "\xaa\x01\x6e\xff\xd7\x95\xb2\x1f\xec\xe5\x5d\x47\x62\x18\x11\xef\x08\xe6\xea\xf7\xa4\xf3\xfb\xf7\x0f\x91\x91\xee\xc8\x75\xbd\x45\xba\x57\x2c\xf2\xef\x7f\x10\xf3\xa5\x05\xff\x71\xef\x3e\xf1\xa4\x2a\x73\x49\xf1\x98\xcc\x1e\x75\x24\xa3\x0e\x94\x8c\x63\x34\xe7\x06\x02\x3f\xca\xec\xc3\xcf\x51\xd8\xcc\x35\x4d\xff\xde\xc9\xe3\x30\x58\x45\x61\x86\xdf\xe0\x45\x3f\x8f\xb8\xce\x87\x70\xff\xf3\xa3\x5e\x7b\xc7\xbe\x19\x82\xbc\x0f\xdb\x24\x8b\x77\x6f\x99\x5d\x49\x26\x94\x17\x2d\x25\xaf\xfd\x86\x07\xf0\x00\xdb\xea\x29\xd9\xb5\x7d\xe7\xbc\x89\xd3\x28\xa6\x3c\x5e\x9f\x34\x30\xaa\x09\x4d\x1f\x14\xe2\xea\x84\x44\x62\x60\x09\x73\x23\xf8\x48\x36\x41\xd5\x30\x8b\x57", 163); 
*(uint8_t*)0x20000875 = 9; *(uint8_t*)0x20000876 = 5; *(uint8_t*)0x20000877 = 0x8c; *(uint8_t*)0x20000878 = 8; *(uint16_t*)0x20000879 = 0x40; *(uint8_t*)0x2000087b = 4; *(uint8_t*)0x2000087c = 5; *(uint8_t*)0x2000087d = 3; *(uint32_t*)0x20000d40 = 0xa; *(uint64_t*)0x20000d44 = 0x20000880; *(uint8_t*)0x20000880 = 0xa; *(uint8_t*)0x20000881 = 6; *(uint16_t*)0x20000882 = 0x250; *(uint8_t*)0x20000884 = 1; *(uint8_t*)0x20000885 = 8; *(uint8_t*)0x20000886 = 0xcf; *(uint8_t*)0x20000887 = 0x20; *(uint8_t*)0x20000888 = 6; *(uint8_t*)0x20000889 = 0; *(uint32_t*)0x20000d4c = 0xa7; *(uint64_t*)0x20000d50 = 0x200008c0; *(uint8_t*)0x200008c0 = 5; *(uint8_t*)0x200008c1 = 0xf; *(uint16_t*)0x200008c2 = 0xa7; *(uint8_t*)0x200008c4 = 6; *(uint8_t*)0x200008c5 = 0x18; *(uint8_t*)0x200008c6 = 0x10; *(uint8_t*)0x200008c7 = 0xa; *(uint8_t*)0x200008c8 = 8; STORE_BY_BITMASK(uint32_t, , 0x200008c9, 3, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x200008c9, 9, 5, 27); *(uint16_t*)0x200008cd = 0xf; *(uint16_t*)0x200008cf = 0; *(uint32_t*)0x200008d1 = 0xffc030; *(uint32_t*)0x200008d5 = 0xc030; *(uint32_t*)0x200008d9 = 0x3f30; *(uint8_t*)0x200008dd = 0x14; *(uint8_t*)0x200008de = 0x10; *(uint8_t*)0x200008df = 4; *(uint8_t*)0x200008e0 = 0xfe; memcpy((void*)0x200008e1, "\xed\xca\xa5\x25\xc2\x3e\x27\xc4\x7c\xe4\x24\x20\xc0\x44\xbb\x79", 16); *(uint8_t*)0x200008f1 = 3; *(uint8_t*)0x200008f2 = 0x10; *(uint8_t*)0x200008f3 = 0xb; *(uint8_t*)0x200008f4 = 3; *(uint8_t*)0x200008f5 = 0x10; *(uint8_t*)0x200008f6 = 0xb; *(uint8_t*)0x200008f7 = 7; *(uint8_t*)0x200008f8 = 0x10; *(uint8_t*)0x200008f9 = 2; STORE_BY_BITMASK(uint32_t, , 0x200008fa, 0x1c, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x200008fb, 6, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x200008fb, 0, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x200008fc, 8, 0, 16); *(uint8_t*)0x200008fe = 0x69; *(uint8_t*)0x200008ff = 0x10; *(uint8_t*)0x20000900 = 1; memcpy((void*)0x20000901, 
"\xf0\x91\x7a\x40\x9f\x20\x82\x3f\xe2\x1e\x12\x4d\xc6\x71\xac\x83\x13\xbe\xb3\x28\xf2\x63\xa5\x96\x75\x48\xb9\xff\xe8\xbd\x38\xca\x2b\x56\x38\xe9\x0e\x09\xb0\x0a\xd4\x00\x0d\x97\x5c\x28\xf2\x80\x60\x24\x43\x96\x8f\xb7\x54\x43\xf4\x83\x3a\x05\xf9\x36\xed\x00\xb5\x75\xa1\x1e\x11\x81\xf1\x9f\x62\xf7\x01\x0a\x85\x59\xd4\x42\x22\x69\xba\x17\xc5\x69\xa5\xd2\xca\x58\x02\x10\xa2\x81\x19\x23\x21\x6f\xf3\x8f\x6c\x21", 102); *(uint32_t*)0x20000d58 = 9; *(uint32_t*)0x20000d5c = 0x2e; *(uint64_t*)0x20000d60 = 0x20000980; *(uint8_t*)0x20000980 = 0x2e; *(uint8_t*)0x20000981 = 3; memcpy((void*)0x20000982, "\xc0\xca\x32\x6a\xbb\x6f\x9f\x4b\xe8\xfd\xe5\xec\x0f\xda\x56\x56\x8a\x3a\xee\x01\x7d\x48\x51\xf5\xe1\x77\xf2\x7c\x67\x23\xcc\x4b\x66\x14\x8d\x06\x8a\x4f\xc2\x15\xc3\x41\x22\x42", 44); *(uint32_t*)0x20000d68 = 4; *(uint64_t*)0x20000d6c = 0x200009c0; *(uint8_t*)0x200009c0 = 4; *(uint8_t*)0x200009c1 = 3; *(uint16_t*)0x200009c2 = 0x140a; *(uint32_t*)0x20000d74 = 0x101; *(uint64_t*)0x20000d78 = 0x20000a00; *(uint8_t*)0x20000a00 = 1; *(uint8_t*)0x20000a01 = 3; memcpy((void*)0x20000a02, 
"\xb5\x44\xe4\xb1\x0f\x95\xe3\x90\x3d\xd7\xa1\xb4\xfc\xaa\xde\x5c\x41\x43\xd9\x0f\x68\xfc\xf3\xf0\xd8\x32\x82\xc3\x24\xf0\xd4\xa7\xe6\x5f\x27\x80\x3e\x19\xd9\x56\x78\xa8\x8d\xa9\xf9\x9c\x40\x3c\xb3\x26\x52\x70\xa9\x96\x4d\xcd\x75\x9f\xf7\x27\xed\x3c\xdb\x42\x7b\x2a\xc3\xc5\xf7\x1d\xde\xb5\xea\x16\xa0\x37\x7a\x0e\xd2\x2e\x54\xa2\x4a\x8a\xe1\x47\x51\x37\x62\x01\x42\x60\x56\x82\xbe\x28\x12\x97\xff\x87\xf2\x08\x1a\xda\x23\x29\x52\x0e\x8e\x87\x82\x80\x43\xb6\x5d\x66\x3c\x96\x0e\x10\x01\xcd\xd6\x65\x51\x89\x12\x30\xa3\x67\xe3\x07\xd0\x0a\xbe\x3a\x52\xcc\x07\x33\x5d\x6d\x39\xea\xc4\x4c\x43\xf1\xb7\x0c\x13\xca\xfa\x5b\x2c\x7a\xca\x4c\x95\x72\x43\x75\x59\x9a\x85\x9c\x39\xe4\xc0\xe4\xda\x7b\x2c\x90\x6e\x43\x28\x8f\x11\x74\x94\xfe\xdd\xbe\xc0\x23\x07\x16\xe3\x1e\x46\xf5\x31\x87\x5f\xc7\xef\xf8\x5e\x6f\x2f\x36\x51\x7f\xa0\x2a\x11\x6f\xce\x7a\x95\xfb\xa5\xfa\x3d\xff\x69\x7c\xe8\x71\x6f\xc8\x5a\xa4\xd0\xf6\xf2\x4b\x04\x01\xf2\xc4\xdb\x9a\xec\x9a\xf7\x75\xa0\x41\x99\x2c\x23\x4d\x23\x07\xbf\xda\x12\x24\x84\xcc\x46\x0e\x90", 255); *(uint32_t*)0x20000d80 = 4; *(uint64_t*)0x20000d84 = 0x20000b40; *(uint8_t*)0x20000b40 = 4; *(uint8_t*)0x20000b41 = 3; *(uint16_t*)0x20000b42 = 0x804; *(uint32_t*)0x20000d8c = 4; *(uint64_t*)0x20000d90 = 0x20000b80; *(uint8_t*)0x20000b80 = 4; *(uint8_t*)0x20000b81 = 3; *(uint16_t*)0x20000b82 = 0x400a; *(uint32_t*)0x20000d98 = 4; *(uint64_t*)0x20000d9c = 0x20000bc0; *(uint8_t*)0x20000bc0 = 4; *(uint8_t*)0x20000bc1 = 3; *(uint16_t*)0x20000bc2 = 0x42b; *(uint32_t*)0x20000da4 = 4; *(uint64_t*)0x20000da8 = 0x20000c00; *(uint8_t*)0x20000c00 = 4; *(uint8_t*)0x20000c01 = 3; *(uint16_t*)0x20000c02 = 0x3009; *(uint32_t*)0x20000db0 = 0xa5; *(uint64_t*)0x20000db4 = 0x20000c40; *(uint8_t*)0x20000c40 = 0xa5; *(uint8_t*)0x20000c41 = 3; memcpy((void*)0x20000c42, 
"\x84\x38\x9b\x09\x2a\x5b\x3d\x06\xbf\xd8\x95\x09\xd0\x72\xa7\x3f\x11\x1a\x14\xaa\x46\x19\x78\x5c\x4f\xe2\x44\x85\x20\xd3\x44\xb0\x30\x91\x36\xab\x09\x1e\x79\x2a\x36\xd6\xc3\xad\xdb\xe8\x39\xa5\x9d\x03\x72\xbd\xb5\x42\x65\xba\x32\xc2\xfa\x75\x17\x55\x18\xbe\xe6\x40\xf7\xa1\x5d\xd0\x11\x26\x06\xec\x27\x89\x89\xfe\xa0\x51\xf6\xa6\x9b\x97\x53\x67\x5b\x81\xfe\x2e\x64\xeb\xe3\x34\x56\x8e\x08\x6b\x24\x70\x4b\xe9\xdb\x1f\xa5\x64\x5a\x8a\xf5\x26\xed\x97\xa9\x0c\x02\x7a\x2b\x4f\x90\xed\x9c\x2a\xf5\xe9\xba\x52\x84\x31\xc9\x3f\xea\x75\x2e\x8d\x84\x89\xd4\xef\x97\x7f\x5a\x3a\xc6\xc8\xdb\xac\xfc\x14\x5f\xdb\x5f\x7b\xca\x68\x1b\x6f\x3b\xd7\x64\xd0\x6c\xbe\x0b", 163); *(uint32_t*)0x20000dbc = 4; *(uint64_t*)0x20000dc0 = 0x20000d00; *(uint8_t*)0x20000d00 = 4; *(uint8_t*)0x20000d01 = 3; *(uint16_t*)0x20000d02 = 0x44d; syz_usb_connect(5, 0x77e, 0x20000100, 0x20000d40); break; case 12: *(uint8_t*)0x20000e00 = 0x12; *(uint8_t*)0x20000e01 = 1; *(uint16_t*)0x20000e02 = 0x310; *(uint8_t*)0x20000e04 = 2; *(uint8_t*)0x20000e05 = 0; *(uint8_t*)0x20000e06 = 0; *(uint8_t*)0x20000e07 = 0x20; *(uint16_t*)0x20000e08 = 0x525; *(uint16_t*)0x20000e0a = 0xa4a1; *(uint16_t*)0x20000e0c = 0x40; *(uint8_t*)0x20000e0e = 1; *(uint8_t*)0x20000e0f = 2; *(uint8_t*)0x20000e10 = 3; *(uint8_t*)0x20000e11 = 1; *(uint8_t*)0x20000e12 = 9; *(uint8_t*)0x20000e13 = 2; *(uint16_t*)0x20000e14 = 0x7d; *(uint8_t*)0x20000e16 = 2; *(uint8_t*)0x20000e17 = 1; *(uint8_t*)0x20000e18 = 1; *(uint8_t*)0x20000e19 = 0xd0; *(uint8_t*)0x20000e1a = 0; *(uint8_t*)0x20000e1b = 9; *(uint8_t*)0x20000e1c = 4; *(uint8_t*)0x20000e1d = 0; *(uint8_t*)0x20000e1e = 0; *(uint8_t*)0x20000e1f = 1; *(uint8_t*)0x20000e20 = 2; *(uint8_t*)0x20000e21 = 0xd; *(uint8_t*)0x20000e22 = 0; *(uint8_t*)0x20000e23 = 0; *(uint8_t*)0x20000e24 = 5; *(uint8_t*)0x20000e25 = 0x24; *(uint8_t*)0x20000e26 = 6; *(uint8_t*)0x20000e27 = 0; *(uint8_t*)0x20000e28 = 1; *(uint8_t*)0x20000e29 = 5; *(uint8_t*)0x20000e2a = 0x24; *(uint8_t*)0x20000e2b = 0; *(uint16_t*)0x20000e2c = 
0x81; *(uint8_t*)0x20000e2e = 0xd; *(uint8_t*)0x20000e2f = 0x24; *(uint8_t*)0x20000e30 = 0xf; *(uint8_t*)0x20000e31 = 1; *(uint32_t*)0x20000e32 = 0x3fffc000; *(uint16_t*)0x20000e36 = 0xba60; *(uint16_t*)0x20000e38 = 1; *(uint8_t*)0x20000e3a = 1; *(uint8_t*)0x20000e3b = 6; *(uint8_t*)0x20000e3c = 0x24; *(uint8_t*)0x20000e3d = 0x1a; *(uint16_t*)0x20000e3e = 1; *(uint8_t*)0x20000e40 = 0; *(uint8_t*)0x20000e41 = 0xc; *(uint8_t*)0x20000e42 = 0x24; *(uint8_t*)0x20000e43 = 0x1b; *(uint16_t*)0x20000e44 = 0x1b7; *(uint16_t*)0x20000e46 = 0x50f; *(uint8_t*)0x20000e48 = 6; *(uint8_t*)0x20000e49 = 0x5b; *(uint16_t*)0x20000e4a = 0x81; *(uint8_t*)0x20000e4c = 9; *(uint8_t*)0x20000e4d = 0x15; *(uint8_t*)0x20000e4e = 0x24; *(uint8_t*)0x20000e4f = 0x12; *(uint16_t*)0x20000e50 = 0x5f; *(uint64_t*)0x20000e52 = 0x14f5e048ba817a3; *(uint64_t*)0x20000e5a = 0x2a397ecbffc007a6; *(uint8_t*)0x20000e62 = 9; *(uint8_t*)0x20000e63 = 5; *(uint8_t*)0x20000e64 = 0x81; *(uint8_t*)0x20000e65 = 3; *(uint16_t*)0x20000e66 = 0x10; *(uint8_t*)0x20000e68 = 1; *(uint8_t*)0x20000e69 = 6; *(uint8_t*)0x20000e6a = 2; *(uint8_t*)0x20000e6b = 9; *(uint8_t*)0x20000e6c = 4; *(uint8_t*)0x20000e6d = 1; *(uint8_t*)0x20000e6e = 0; *(uint8_t*)0x20000e6f = 0; *(uint8_t*)0x20000e70 = 2; *(uint8_t*)0x20000e71 = 0xd; *(uint8_t*)0x20000e72 = 0; *(uint8_t*)0x20000e73 = 0; *(uint8_t*)0x20000e74 = 9; *(uint8_t*)0x20000e75 = 4; *(uint8_t*)0x20000e76 = 1; *(uint8_t*)0x20000e77 = 1; *(uint8_t*)0x20000e78 = 2; *(uint8_t*)0x20000e79 = 2; *(uint8_t*)0x20000e7a = 0xd; *(uint8_t*)0x20000e7b = 0; *(uint8_t*)0x20000e7c = 0; *(uint8_t*)0x20000e7d = 9; *(uint8_t*)0x20000e7e = 5; *(uint8_t*)0x20000e7f = 0x82; *(uint8_t*)0x20000e80 = 2; *(uint16_t*)0x20000e81 = 8; *(uint8_t*)0x20000e83 = 0xcc; *(uint8_t*)0x20000e84 = 6; *(uint8_t*)0x20000e85 = 0x9b; *(uint8_t*)0x20000e86 = 9; *(uint8_t*)0x20000e87 = 5; *(uint8_t*)0x20000e88 = 3; *(uint8_t*)0x20000e89 = 2; *(uint16_t*)0x20000e8a = 0x400; *(uint8_t*)0x20000e8c = 1; *(uint8_t*)0x20000e8d = 6; 
*(uint8_t*)0x20000e8e = 1; *(uint32_t*)0x20001300 = 0xa; *(uint64_t*)0x20001304 = 0x20000ec0; *(uint8_t*)0x20000ec0 = 0xa; *(uint8_t*)0x20000ec1 = 6; *(uint16_t*)0x20000ec2 = 0x200; *(uint8_t*)0x20000ec4 = 0; *(uint8_t*)0x20000ec5 = 1; *(uint8_t*)0x20000ec6 = 0x13; *(uint8_t*)0x20000ec7 = 8; *(uint8_t*)0x20000ec8 = -1; *(uint8_t*)0x20000ec9 = 0; *(uint32_t*)0x2000130c = 0xff; *(uint64_t*)0x20001310 = 0x20000f00; *(uint8_t*)0x20000f00 = 5; *(uint8_t*)0x20000f01 = 0xf; *(uint16_t*)0x20000f02 = 0xff; *(uint8_t*)0x20000f04 = 6; *(uint8_t*)0x20000f05 = 3; *(uint8_t*)0x20000f06 = 0x10; *(uint8_t*)0x20000f07 = 0xb; *(uint8_t*)0x20000f08 = 0x14; *(uint8_t*)0x20000f09 = 0x10; *(uint8_t*)0x20000f0a = 4; *(uint8_t*)0x20000f0b = 1; memcpy((void*)0x20000f0c, "\x43\x3e\x98\x8e\xe5\xf3\x58\xef\x3f\x4e\x65\x3f\xaf\x4e\xe7\x65", 16); *(uint8_t*)0x20000f1c = 0xa; *(uint8_t*)0x20000f1d = 0x10; *(uint8_t*)0x20000f1e = 0xb; memcpy((void*)0x20000f1f, "\xd3\x74\xd6\xca\x9c\xfd\xff", 7); *(uint8_t*)0x20000f26 = 0xe; *(uint8_t*)0x20000f27 = 0x10; *(uint8_t*)0x20000f28 = 0xb; memcpy((void*)0x20000f29, "\xe4\xe1\x28\x48\xc1\xc9\xe1\xac\xe2\x70\x01", 11); *(uint8_t*)0x20000f34 = 0x1c; *(uint8_t*)0x20000f35 = 0x10; *(uint8_t*)0x20000f36 = 0xa; *(uint8_t*)0x20000f37 = 0x40; STORE_BY_BITMASK(uint32_t, , 0x20000f38, 4, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x20000f38, 4, 5, 27); *(uint16_t*)0x20000f3c = 0xf0f; *(uint16_t*)0x20000f3e = 0x8000; *(uint32_t*)0x20000f40 = 0xff0000; *(uint32_t*)0x20000f44 = 0xc0; *(uint32_t*)0x20000f48 = 0xff003f; *(uint32_t*)0x20000f4c = 0xc00f; *(uint8_t*)0x20000f50 = 0xaf; *(uint8_t*)0x20000f51 = 0x10; *(uint8_t*)0x20000f52 = 1; memcpy((void*)0x20000f53, 
"\xcb\xab\xda\x0f\x97\x9a\xfc\xbd\x15\x73\x7d\x31\x5a\xb6\x9a\xc5\x32\xbd\xa0\x26\x42\xde\xbc\xa3\x3a\x83\x18\x5a\x92\x73\x8f\x4d\x04\xce\xc6\x95\x22\x3d\x9f\x52\xb8\x03\xad\x72\x64\x4b\xd3\xdf\x57\x74\x94\x9b\x6e\xd6\x37\x7c\xdf\x5d\xa5\xb1\xd8\x20\x0d\xe1\x61\xf5\xb0\xf6\x10\xc7\x8f\x5c\x79\xa0\x0d\xb8\x64\x92\xec\xdf\x46\x42\x04\xc0\x09\xa9\x47\x4a\x05\xf0\xf6\x35\x18\x19\x70\x3f\x38\x3e\xca\x0f\x29\xa0\x1e\x52\xf7\xb0\xb1\xf9\x21\xef\x92\xc3\xe6\x30\x28\x77\x07\xe0\x61\x7f\xe8\xcf\x26\x72\xef\x1d\xee\x5e\x7c\x5f\x8a\x37\x41\x5f\x54\xb2\x41\xf0\xb9\x3a\xe6\xf3\x40\x2e\x17\xb6\xfe\xc4\x66\xb8\x38\x27\xf4\xe4\x2c\x57\xaf\x90\xea\x0b\x73\x5a\x10\xb5\xcc\x4a\x9e\xd1\x44\x61\xcb\x3c", 172); *(uint32_t*)0x20001318 = 9; *(uint32_t*)0x2000131c = 4; *(uint64_t*)0x20001320 = 0x20001000; *(uint8_t*)0x20001000 = 4; *(uint8_t*)0x20001001 = 3; *(uint16_t*)0x20001002 = 0x807; *(uint32_t*)0x20001328 = 4; *(uint64_t*)0x2000132c = 0x20001040; *(uint8_t*)0x20001040 = 4; *(uint8_t*)0x20001041 = 3; *(uint16_t*)0x20001042 = 0x44c; *(uint32_t*)0x20001334 = 0x46; *(uint64_t*)0x20001338 = 0x20001080; *(uint8_t*)0x20001080 = 0x46; *(uint8_t*)0x20001081 = 3; memcpy((void*)0x20001082, "\xd3\x41\x69\xf9\x72\x88\x6d\x91\x88\x5f\xb4\xe6\x63\xd3\xb9\x5e\xfc\xbd\xf2\xac\x7f\xb6\xa4\x8b\x8f\x5d\x44\xf4\x90\xa6\xd5\xdb\x20\x86\xfa\x93\x8c\x10\xf7\x75\x1b\x90\xc3\x99\x3b\xbf\xad\x67\x0a\x7f\x80\xd3\x58\x86\xc2\xcc\x30\x29\x1a\xb2\xce\x67\x01\x1d\x1b\x0d\x6c\xf4", 68); *(uint32_t*)0x20001340 = 4; *(uint64_t*)0x20001344 = 0x20001100; *(uint8_t*)0x20001100 = 4; *(uint8_t*)0x20001101 = 3; *(uint16_t*)0x20001102 = 0x40a; *(uint32_t*)0x2000134c = 0x36; *(uint64_t*)0x20001350 = 0x20001140; *(uint8_t*)0x20001140 = 0x36; *(uint8_t*)0x20001141 = 3; memcpy((void*)0x20001142, "\x06\x4c\xab\x2c\xae\x36\xef\x56\x23\x74\x9b\xcb\x79\x93\xb3\x10\xc0\xf7\x00\xe5\x26\xdd\xa0\x22\x3a\x1e\x4b\x6f\x16\x00\x79\xc7\xb1\xcd\xb2\xa8\xb0\x43\xea\x83\x25\xec\xc0\xee\xd6\x4d\x54\x39\x81\xa3\x96\xb7", 52); 
*(uint32_t*)0x20001358 = 5; *(uint64_t*)0x2000135c = 0x20001180; *(uint8_t*)0x20001180 = 5; *(uint8_t*)0x20001181 = 3; memcpy((void*)0x20001182, "Ka\000", 3); *(uint32_t*)0x20001364 = 4; *(uint64_t*)0x20001368 = 0x200011c0; *(uint8_t*)0x200011c0 = 4; *(uint8_t*)0x200011c1 = 3; *(uint16_t*)0x200011c2 = 0x500a; *(uint32_t*)0x20001370 = 4; *(uint64_t*)0x20001374 = 0x20001200; *(uint8_t*)0x20001200 = 4; *(uint8_t*)0x20001201 = 3; *(uint16_t*)0x20001202 = 0x4ff; *(uint32_t*)0x2000137c = 0x8f; *(uint64_t*)0x20001380 = 0x20001240; *(uint8_t*)0x20001240 = 0x8f; *(uint8_t*)0x20001241 = 3; memcpy((void*)0x20001242, "\x37\xcc\x0c\x18\xf2\xd0\x9b\xfc\x3a\xa7\x69\x89\xd3\x6d\x44\x9d\xb5\x7f\xf9\x5c\x9d\x3d\x3c\xb0\x40\x2d\x82\x35\xdc\x71\x22\x01\xee\xa4\xc3\x18\x2f\xf7\x6c\xbd\xbb\xe5\x31\x5c\x11\x68\x27\xa3\x5f\xa2\x7a\x39\x04\xc6\x63\x96\x50\x3f\x48\x37\x05\x55\xf6\x27\x91\xc6\x15\x46\xe4\x12\x1a\xa6\x88\xc1\xc7\xc5\x7d\x95\x5a\xed\xd9\xee\xc2\xb3\x07\xd4\xe5\x87\xe1\xae\xd0\x86\x79\xb2\x72\x8a\xcd\x32\x1b\xc4\xf8\x3e\xe2\x68\xd8\x14\x9d\x81\xbb\xc1\x28\xc5\x8e\x17\x8c\xd1\x7d\x2b\x81\x36\xb8\x34\xc1\xe9\xb1\xd7\xd3\xd1\x37\xae\x9b\x4c\x27\xe6\xb1\xba\x93\xdf\x07\xe8\x52", 141); res = -1; res = syz_usb_connect(1, 0x8f, 0x20000e00, 0x20001300); if (res != -1) r[3] = res; break; case 13: syz_usb_disconnect(r[3]); break; } } int main(void) { syscall(SYS_mmap, 0x20000000ul, 0x1000000ul, 3ul, 0x1012ul, -1, 0ul, 0ul); setup_fault(); do_sandbox_none(); return 0; } compiler invocation: /syzkaller/shared/netbsd/tools/bin/x86_64--netbsd-g++ [-o /tmp/syz-executor2049687571 -DGOOS_netbsd=1 -DGOARCH_amd64=1 -DHOSTGOOS_linux=1 -x c - -m64 --sysroot /syzkaller/shared/netbsd/dest/ -O2 -pthread -Wall -Werror -Wparentheses -Wframe-larger-than=16384] --- FAIL: TestGenerate/netbsd/amd64/5 (0.20s) csource_test.go:150: opts: {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false 
BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false UseTmpDir:true HandleSegv:false Repro:false Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}} program: __stat50(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) (fail_nth: 1) compat_50___msgctl13$IPC_SET(0x0, 0x1, &(0x7f0000000200)={{0x5a3e, 0x0, r1, 0xffffffffffffffff, 0xffffffffffffffff, 0x20, 0x400}, 0x9, 0x62e81dc5, 0x81, 0x5, 0x4, 0x8, 0x9, &(0x7f0000000100)={0x0, 0x20e1, 0xfffd, 0x1}, &(0x7f00000001c0)={&(0x7f0000000180)={&(0x7f0000000140)={0x0, 0x7ff, 0x9, 0x1}, 0x8000000000000000, 0x6, 0x8}, 0x8, 0x5, 0x20}, 0x400}) (async) chown(&(0x7f0000000280)='./file0\x00', r0, 0x0) (rerun: 4) compat_14___semctl$GETALL(0x0, 0x0, 0x6, &(0x7f00000002c0)) compat_14___semctl$SETVAL(0xffffffffffffffff, 0x0, 0x8, &(0x7f0000000380)=@buf=&(0x7f0000000340)={{r0, r1, 0x80, 0x5a3, 0x100, 0x1, 0x4897}, 0x7fff, 0x7, 0x0, &(0x7f0000000300)={0x800, 0x7, 0x2, 0x9}}) semctl$GETNCNT(0xffffffffffffffff, 0x4, 0x3, &(0x7f00000003c0)=""/4) r2 = semget$private(0x0, 0x3, 0x2) compat_14___semctl$GETNCNT(r2, 0x0, 0x3) semop(r2, &(0x7f0000000400)=[{0x4, 0x7, 0x2000}, {0x4, 0x1f, 0x800}, {0x1, 0x7, 0x400}], 0x3) compat_14___semctl$IPC_STAT(r2, 0x0, 0x2, &(0x7f0000000440)) syz_emit_ethernet(0x8, &(0x7f0000000000)="03d03df5c2dcc049") syz_execute_func(&(0x7f0000000040)="c421c16d149fc462baf76fed2666450f3800813be70eb16640253633f0408182a0bc302200800000c48281926cd992660f4f99c0f800003626660f124e32f26e660f382ab500000080") syz_extract_tcp_res(&(0x7f00000000c0), 0xfffffffa, 0x8000) syz_usb_connect(0x5, 0x77e, &(0x7f0000000100)={{0x12, 0x1, 0x300, 0x0, 0x0, 0x0, 0xbf, 0x0, 0x0, 0x0, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x76c, 0x3, 0x7, 0x17, 0x30, 0x3d, [{{0x9, 0x4, 0x8e, 0x0, 0x0, 0x0, 0x0, 0x0, 0x62, [@uac_as={[@format_type_ii_discrete={0x12, 0x24, 0x2, 0x2, 0x1f, 0x7, 0x7f, "11c06824606e6e241d"}]}]}}, 
{{0x9, 0x4, 0x0, 0x3f, 0xd, 0x0, 0x0, 0x0, 0x1f, [@generic={0xe0, 0xa, "b71aa8dbef28ec508e40e57e0f21e51ceb5eacb80bb3f7ed35e29bad265b99dbbcbb655b87cbc776843703a876dc2dd2216c56771dd13f2cae3eae772586cacf7cdb24a918924ba342e5a84cb77541172a5b4100bcd721c00bcc1d590d5bae2e602b8a29aa649516b39d745c546613730dec4957df6dc6591993b9027afe3eb2172a49b3b589f5322cc76fd421d8b9acaf9f326c835214aa33da004adaae6689efebb028a649b7edc82333f89fd100b6da5d60c3e1349bd30d2cff8ae56ccbed46e09f6662c6b2c2e7cbd887fbc447db5d6887eb1cc1378ed310ec7d004c"}, @cdc_ncm={{0xb, 0x24, 0x6, 0x0, 0x1, "4b66fafbc9e4"}, {0x5, 0x24, 0x0, 0x6}, {0xd, 0x24, 0xf, 0x1, 0x80000000, 0x4}, {0x6, 0x24, 0x1a, 0xfffa, 0x12}, [@obex={0x5, 0x24, 0x15, 0x5}, @mdlm={0x15, 0x24, 0x12, 0x5}, @dmm={0x7, 0x24, 0x14, 0x4}, @mdlm_detail={0xe5, 0x24, 0x13, 0x7, "8f0d5f90cf98b479fae069bfd83c7e4ef5afe012495f0ee23062fe5f81be0ef82ff410318f82c5300ba5a5ad175dacf741e1d1956b8bb156e5b546644c1750916d0381b49c7bd160323bde2ff8c1379a319c3add3fbd86aa169749f6108844bd19644cafebba5d70989e95144300d6b508edd1662f759828aad78d18d710553cb7f5df43b7b560bb4f4869de9ebe5e126356507d10f2c8d9b83f661fbf0bd5131ce9c059b60e620da0f7516ad6d70c75de7dd4b37d9c379134e6036df428e1f541dbee9f58a4a374ff6cb6ae0468f49c616418a2760066457439952bb5b93f4f33"}, @mdlm={0x15, 0x24, 0x12, 0xec}]}], [{{0x9, 0x5, 0xf, 0x1d, 0x10, 0x0, 0x80, 0x74}}, {{0x9, 0x5, 0x2, 0x3, 0x10, 0x9f, 0x7d, 0xff, [@generic={0x52, 0xe, "ecf4ce492b20b2d508a9180c01192d8e124f6e790aedfc35213b1d14c68c63686631f697532da005bc5013d62c6d5c18b5c5c4f2263b42b582b7333b47373cdf666159745a6a53d518a4ae7c51abaaa8"}, @generic={0x15, 0x23, "dc333ea4d2d7351ec6d273b68ce3d5d1e2c2cf"}]}}, {{0x9, 0x5, 0xb, 0x0, 0x10, 0x4, 0x9, 0x0, [@uac_iso={0x7, 0x25, 0x1, 0x0, 0x5, 0xfffc}, @generic={0x35, 0x2, "59a66019fb9adfb5950997712b8b3c1cb4c4a0abbf8ea41dd4dd5936bde7fbe23ff642c176c355ef4728022f3d7d833860fbcf"}]}}, {{0x9, 0x5, 0x0, 0x10, 0x8, 0x1, 0x1}}, {{0x9, 0x5, 0x1, 0x2, 0x0, 0x0, 0x9, 0x6, [@uac_iso={0x7, 0x25, 0x1, 0x3, 0x9, 0x9f36}, 
@uac_iso={0x7, 0x25, 0x1, 0x3, 0x9, 0x3}]}}, {{0x9, 0x5, 0xc, 0x10, 0x200, 0x15, 0x2, 0x0, [@generic={0x5b, 0x23, "1925294e2c16954f8313825e71ea536e7077d7130cee3a802cb3c8005ef6d9211068286c7a4c20cb87fd2cdc5aeedb171fd67ddc74c3f029aab0bfa9a63e5de5a53579666cef0fb7c876efc0a5d3382c346e1f9a78b7356c22"}]}}, {{0x9, 0x5, 0xb, 0x0, 0x40, 0x18, 0x3f, 0x8}}, {{0x9, 0x5, 0xd, 0x1, 0x0, 0x9, 0xff, 0x3, [@generic={0xdc, 0x23, "ccd53fc81156a91ff426eb001fbf43c8551fda170ed36a97eba7a32c3115ec5e9a8182734012aa12ddcc6e93d85eaafbda4ab1cff6bcb2afecd8aa8c58b27a75e5a4ddc50cc673edc82ff13115eb8f50ddd1ed2695337ca85b88264db59eb1304216a301d42f2902d5c06b17592bb21d2af1d092f5d7373aefdb907ffc8179abd68b11ef10be844e03816806f045f0a5ef3ba0ac5bd843a46fa3b72b862de1728647adc3f3bbcd53ce881e6b5a6c6ec797d32cc13918e3da4b3ea20dd6893c2c7ca47aa51bee047a361feff716cef3dae50b6ca72a2b764fa4cf"}, @uac_iso={0x7, 0x25, 0x1, 0x80, 0x5, 0x3f}]}}, {{0x9, 0x5, 0x1, 0x2, 0x20, 0xb9, 0x86, 0x40, [@generic={0x84, 0x8, "ab514debe16aea41f067e846f8939c5d4f6fce3a7d25eaee2c0651f92fe24417bdf9256f3f9b583492b2e4fe6b2b4bad9c1f4a8b26d74c60aeda9478a64876891b3a75ffce4001853b93bd0fd8a165a7fa83fbc6b95aed880f02224f1222b150b746981a4b55288f564d8d6af643c0fd291571d70cc56024dd73e500c5efe9bc9b72"}, @uac_iso={0x7, 0x25, 0x1, 0x1, 0x0, 0x9}]}}, {{0x9, 0x5, 0x5, 0x2, 0x10, 0xf9, 0xd8, 0xf9}}, {{0x9, 0x5, 0x3, 0xc, 0x8, 0x81, 0x0, 0x3f}}, {{0x9, 0x5, 0xd, 0x0, 0x252d10ce716ea2f3, 0xbe, 0x6, 0x7, [@uac_iso={0x7, 0x25, 0x1, 0x81, 0x2, 0x2}]}}, {{0x9, 0x5, 0x8, 0x3a51d77e4fce6a1c, 0x20, 0x4, 0x8, 0x9, [@uac_iso={0x7, 0x25, 0x1, 0x81, 0xff, 0xffe0}, @generic={0xf2, 0x31, 
"2fb2b9747b651ae66e5d861f9efc61bdd19495f163625975e7bae800ee004867b5a813b7b9dbc55eb0b751b8d758e9cba4a3b4f6830e5f85df740efcf290c77df212ee62fc94cc504b1e5422ffbf9f87ed05b4e762feed6535fd702825631db7636c869c9f1299320d98e1cf740a94e226af5608a799e1c999ee2b4ab5146f852ed9874065fb37c285811c77789df8a1798c2670419747679338a3299349ae3ec49eedcb39256d551a4ffba9595167c1779a7247b94aebc5792e53fbc94c066c16fe77020492e0a308d5ba5fdec952c4095b7563347be3f2ab70873375e6116c394003cc0c5cdbdcb004f96c6c4ff235"}]}}]}}, {{0x9, 0x4, 0x3, 0x6, 0x5, 0x0, 0x0, 0x0, 0xc8, [@uac_as={[@as_header={0x7, 0x24, 0x1, 0x0, 0x3, 0x4}, @format_type_i_discrete={0xf, 0x24, 0x2, 0x1, 0x81, 0x2, 0x1, 0x1, "b3d2feb3920056"}]}], [{{0x9, 0x5, 0x6, 0x4, 0x400, 0x0, 0x6, 0x3, [@generic={0x11, 0x4, "39a66425220fb1a99e556b2dfb1838"}]}}, {{0x9, 0x5, 0xa, 0x4, 0x50, 0x79, 0x9, 0xff, [@uac_iso={0x7, 0x25, 0x1, 0x1, 0x9, 0x7}]}}, {{0x9, 0x5, 0x2, 0x10, 0x10, 0x0, 0xe5, 0x1, [@generic={0xc, 0x8, "6271ead39e76c55f403f"}, @generic={0x1d, 0x22, "93f92077e6f8fb302785e13e57cc86fc2a7a97621a1cd78498cc60"}]}}, {{0x9, 0x5, 0xa, 0x0, 0x10, 0xfb, 0x70, 0x9, [@generic={0xa5, 0xc5f45b4d7fc4460a, "aa016effd795b21fece55d47621811ef08e6eaf7a4f3fbf70f9191eec875bd45ba572cf2ef7f10f3a505ff71ef3ef1a42a7349f198cc1e7524a30e948c6334e706023fcaecc3cf51d8cc354dffdec9e33058456186dfe0453f8fb8ce8770fff3a35e7bc7be1982bc0fdb248b776f995d492694172d25affd8607f000dbea29d9b57de7bc89d328a63c5e9f3430aa094d1f14e2ea84446260097323f8483641d5308b57"}]}}, {{0x9, 0x5, 0x8c, 0x8, 0x40, 0x4, 0x5, 0x3}}]}}]}}]}}, &(0x7f0000000d40)={0xa, &(0x7f0000000880)={0xa, 0x6, 0x250, 0x1, 0x8, 0xcf, 0x20, 0x6}, 0xa7, &(0x7f00000008c0)={0x5, 0xf, 0xa7, 0x6, [@ssp_cap={0x18, 0x10, 0xa, 0x8, 0x3, 0x9, 0xf, 0x0, [0xffc030, 0xc030, 0x3f30]}, @ss_container_id={0x14, 0x10, 0x4, 0xfe, "edcaa525c23e27c47ce42420c044bb79"}, @ptm_cap={0x3}, @ptm_cap={0x3}, @ext_cap={0x7, 0x10, 0x2, 0x1c, 0x6, 0x0, 0x8}, @generic={0x69, 0x10, 0x1, 
"f0917a409f20823fe21e124dc671ac8313beb328f263a5967548b9ffe8bd38ca2b5638e90e09b00ad4000d975c28f280602443968fb75443f4833a05f936ed00b575a11e1181f19f62f7010a8559d4422269ba17c569a5d2ca580210a2811923216ff38f6c21"}]}, 0x9, [{0x2e, &(0x7f0000000980)=@string={0x2e, 0x3, "c0ca326abb6f9f4be8fde5ec0fda56568a3aee017d4851f5e177f27c6723cc4b66148d068a4fc215c3412242"}}, {0x4, &(0x7f00000009c0)=@lang_id={0x4, 0x3, 0x140a}}, {0x101, &(0x7f0000000a00)=@string={0x101, 0x3, "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"}}, {0x4, &(0x7f0000000b40)=@lang_id={0x4, 0x3, 0x804}}, {0x4, &(0x7f0000000b80)=@lang_id={0x4, 0x3, 0x400a}}, {0x4, &(0x7f0000000bc0)=@lang_id={0x4, 0x3, 0x42b}}, {0x4, &(0x7f0000000c00)=@lang_id={0x4, 0x3, 0x3009}}, {0xa5, &(0x7f0000000c40)=@string={0xa5, 0x3, "84389b092a5b3d06bfd89509d072a73f111a14aa4619785c4fe2448520d344b0309136ab091e792a36d6c3addbe839a59d0372bdb54265ba32c2fa75175518bee640f7a15dd0112606ec278989fea051f6a69b9753675b81fe2e64ebe334568e086b24704be9db1fa5645a8af526ed97a90c027a2b4f90ed9c2af5e9ba528431c93fea752e8d8489d4ef977f5a3ac6c8dbacfc145fdb5f7bca681b6f3bd764d06cbe0b"}}, {0x4, &(0x7f0000000d00)=@lang_id={0x4, 0x3, 0x44d}}]}) r3 = syz_usb_connect$cdc_ncm(0x1, 0x8f, &(0x7f0000000e00)={{0x12, 0x1, 0x310, 0x2, 0x0, 0x0, 0x20, 0x525, 0xa4a1, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x7d, 0x2, 0x1, 0x1, 0x1d0, 0x0, {{0x9, 0x4, 0x0, 0x0, 0x1, 0x2, 0xd, 0x0, 0x0, {{0x5}, {0x5, 0x24, 0x0, 0x81}, {0xd, 0x24, 0xf, 0x1, 0x3fffc000, 0xba60, 0x1, 0x1}, {0x6, 0x24, 0x1a, 0x1}, [@mbim={0xc, 0x24, 0x1b, 0x1b7, 0x50f, 0x6, 0x5b, 0x81, 0x9}, @mdlm={0x15, 0x24, 0x12, 0x5f}]}, {{0x9, 0x5, 0x81, 0x3, 0x10, 0x1, 0x6, 0x2}}}, {}, {0x9, 0x4, 0x1, 0x1, 0x2, 0x2, 0xd, 0x0, 0x0, "", {{{0x9, 0x5, 0x82, 0x2, 0x8, 0xcc, 0x6, 0x9b}}, {{0x9, 0x5, 0x3, 0x2, 0x400, 0x1, 0x6, 0x1}}}}}}}]}}, &(0x7f0000001300)={0xa, &(0x7f0000000ec0)={0xa, 0x6, 0x200, 0x0, 0x1, 0x13, 0x8, 0xff}, 0xff, &(0x7f0000000f00)={0x5, 0xf, 0xff, 0x6, [@ptm_cap={0x3}, @ss_container_id={0x14, 0x10, 0x4, 0x1, 
"433e988ee5f358ef3f4e653faf4ee765"}, @generic={0xa, 0x10, 0xb, "d374d6ca9cfdff"}, @generic={0xe, 0x10, 0xb, "e4e12848c1c9e1ace27001"}, @ssp_cap={0x1c, 0x10, 0xa, 0x40, 0x4, 0x4, 0xf0f, 0x8000, [0xff0000, 0xc0, 0xff003f, 0xc00f]}, @generic={0xaf, 0x10, 0x1, "cbabda0f979afcbd15737d315ab69ac532bda02642debca33a83185a92738f4d04cec695223d9f52b803ad72644bd3df5774949b6ed6377cdf5da5b1d8200de161f5b0f610c78f5c79a00db86492ecdf464204c009a9474a05f0f6351819703f383eca0f29a01e52f7b0b1f921ef92c3e630287707e0617fe8cf2672ef1dee5e7c5f8a37415f54b241f0b93ae6f3402e17b6fec466b83827f4e42c57af90ea0b735a10b5cc4a9ed14461cb3c"}]}, 0x9, [{0x4, &(0x7f0000001000)=@lang_id={0x4, 0x3, 0x807}}, {0x4, &(0x7f0000001040)=@lang_id={0x4, 0x3, 0x44c}}, {0x46, &(0x7f0000001080)=@string={0x46, 0x3, "d34169f972886d91885fb4e663d3b95efcbdf2ac7fb6a48b8f5d44f490a6d5db2086fa938c10f7751b90c3993bbfad670a7f80d35886c2cc30291ab2ce67011d1b0d6cf4"}}, {0x4, &(0x7f0000001100)=@lang_id={0x4, 0x3, 0x40a}}, {0x36, &(0x7f0000001140)=@string={0x36, 0x3, "064cab2cae36ef5623749bcb7993b310c0f700e526dda0223a1e4b6f160079c7b1cdb2a8b043ea8325ecc0eed64d543981a396b7"}}, {0x5, &(0x7f0000001180)=@string={0x5, 0x3, 'Ka\x00'}}, {0x4, &(0x7f00000011c0)=@lang_id={0x4, 0x3, 0x500a}}, {0x4, &(0x7f0000001200)=@lang_id={0x4, 0x3, 0x4ff}}, {0x8f, &(0x7f0000001240)=@string={0x8f, 0x3, "37cc0c18f2d09bfc3aa76989d36d449db57ff95c9d3d3cb0402d8235dc712201eea4c3182ff76cbdbbe5315c116827a35fa27a3904c66396503f48370555f62791c61546e4121aa688c1c7c57d955aedd9eec2b307d4e587e1aed08679b2728acd321bc4f83ee268d8149d81bbc128c58e178cd17d2b8136b834c1e9b1d7d3d137ae9b4c27e6b1ba93df07e852"}}]}) syz_usb_disconnect(r3) csource_test.go:151: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include 
// Fallback syscall numbers: each is defined only if the system headers did
// not already provide it.
#ifndef SYS___stat50
#define SYS___stat50 439
#endif
#ifndef SYS_chown
#define SYS_chown 16
#endif
#ifndef SYS_compat_14___semctl
#define SYS_compat_14___semctl 220
#endif
#ifndef SYS_compat_50___msgctl13
#define SYS_compat_50___msgctl13 302
#endif
#ifndef SYS_mmap
#define SYS_mmap 197
#endif
#ifndef SYS_semctl
#define SYS_semctl 442
#endif
#ifndef SYS_semget
#define SYS_semget 221
#endif
#ifndef SYS_semop
#define SYS_semop 222
#endif

// Formatted into the "/dev/vhci%llu" path by vhci_open() later in the listing.
// Nothing in this part of the program assigns it, so it keeps its static
// zero value here.
static unsigned long long procid;

// Sends SIGKILL to pid, then reaps children with waitpid(-1, ...) until the
// child that was reaped is pid. The last wait status is left in *status.
static void kill_and_wait(int pid, int* status)
{
	kill(pid, SIGKILL);
	while (waitpid(-1, status, 0) != pid) {
	}
}

// Sleeps for ms milliseconds (usleep takes microseconds).
static void sleep_ms(uint64_t ms)
{
	usleep(ms * 1000);
}

// Returns the CLOCK_MONOTONIC time in milliseconds; exits with status 1 if
// clock_gettime fails.
static uint64_t current_time_ms(void)
{
	struct timespec ts;
	if (clock_gettime(CLOCK_MONOTONIC, &ts))
		exit(1);
	return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}

// Creates a scratch directory from the template "./syzkaller.XXXXXX" under
// the current directory and makes it the working directory. Any failure
// exits the process with status 1.
static void use_temporary_dir(void)
{
	char tmpdir_template[] = "./syzkaller.XXXXXX";
	char* tmpdir = mkdtemp(tmpdir_template);
	if (!tmpdir)
		exit(1);
	// NOTE(review): mode 0777 leaves the scratch directory world-writable;
	// that is only reasonable on a disposable test machine.
	if (chmod(tmpdir, 0777))
		exit(1);
	if (chdir(tmpdir))
		exit(1);
}

// Recursively deletes dir and everything below it. Entries are classified
// with lstat(), so a symlink is unlinked rather than followed. Every
// unexpected failure exits the process with status 1.
static void __attribute__((noinline)) remove_dir(const char* dir)
{
	DIR* dp = opendir(dir);
	if (dp == NULL) {
		// An unreadable directory is still removed if rmdir() accepts it.
		if (errno == EACCES) {
			if (rmdir(dir))
				exit(1);
			return;
		}
		exit(1);
	}
	struct dirent* ep = 0;
	while ((ep = readdir(dp))) {
		if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0)
			continue;
		char filename[FILENAME_MAX];
		// The snprintf result is not checked: an over-long path is truncated
		// and the truncated name is what lstat() sees next.
		snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name);
		struct stat st;
		if (lstat(filename, &st))
			exit(1);
		if (S_ISDIR(st.st_mode)) {
			remove_dir(filename);
			continue;
		}
		if (unlink(filename)) {
			exit(1);
		}
	}
	closedir(dp);
	// The loop body exits on the first failure, so this acts as a single
	// checked rmdir().
	while (rmdir(dir)) {
		exit(1);
	}
}

// Starts fn(arg) on a new thread with a 128 KiB stack (128 << 10 bytes).
// Makes up to 100 attempts; if none succeeds the process exits with status 1.
// The thread handle is not kept, so the caller cannot join the thread.
static void thread_start(void* (*fn)(void*), void* arg)
{
	pthread_t th;
	pthread_attr_t attr;
	pthread_attr_init(&attr);
	pthread_attr_setstacksize(&attr, 128 << 10);
	int i = 0;
	for (; i < 100; i++) {
		if (pthread_create(&th, &attr, fn, arg) == 0) {
			pthread_attr_destroy(&attr);
			return;
		}
		// NOTE(review): pthread_create reports errors through its return
		// value and is not required to set errno, so this EAGAIN test may
		// never trigger the retry path. Confirm against the generator.
		if (errno == EAGAIN) {
			usleep(50);
			continue;
		}
		break;
	}
	exit(1);
}

// A one-bit event: state is 0 (clear) or 1 (set), guarded by mu and
// signalled through cv.
typedef struct {
	pthread_mutex_t mu;
	pthread_cond_t cv;
	int state;
} event_t;

// Initialises the mutex and condition variable with default attributes and
// clears the event; exits with status 1 if either init fails.
static void event_init(event_t* ev)
{
	if (pthread_mutex_init(&ev->mu, 0))
		exit(1);
	if (pthread_cond_init(&ev->cv, 0))
		exit(1);
	ev->state = 0;
}

// Clears the event. Note that state is written without taking mu.
static void event_reset(event_t* ev)
{
	ev->state = 0;
}

// Sets the event and wakes all waiters. Setting an event that is already
// set is treated as a fatal error (exit(1)).
static void event_set(event_t* ev)
{
	pthread_mutex_lock(&ev->mu);
	if (ev->state)
		exit(1);
	ev->state = 1;
	pthread_mutex_unlock(&ev->mu);
	pthread_cond_broadcast(&ev->cv);
}

// Blocks until the event is set.
static void event_wait(event_t* ev)
{
	pthread_mutex_lock(&ev->mu);
	while (!ev->state)
		pthread_cond_wait(&ev->cv, &ev->mu);
	pthread_mutex_unlock(&ev->mu);
}

// Returns the current state (non-zero when set), read under mu.
static int event_isset(event_t* ev)
{
	pthread_mutex_lock(&ev->mu);
	int res = ev->state;
	pthread_mutex_unlock(&ev->mu);
	return res;
}

// Waits for the event for at most timeout milliseconds and returns the state
// observed when the wait ends (non-zero if the event was set).
static int event_timedwait(event_t* ev, uint64_t timeout)
{
	uint64_t start = current_time_ms();
	uint64_t now = start;
	pthread_mutex_lock(&ev->mu);
	for (;;) {
		if (ev->state)
			break;
		uint64_t remain = timeout - (now - start);
		struct timespec ts;
		ts.tv_sec = remain / 1000;
		ts.tv_nsec = (remain % 1000) * 1000 * 1000;
		// NOTE(review): pthread_cond_timedwait expects an absolute deadline,
		// but ts holds the remaining duration. The call therefore probably
		// times out at once and this loop polls until the check below
		// fires. Confirm whether that is intended.
		pthread_cond_timedwait(&ev->cv, &ev->mu, &ts);
		now = current_time_ms();
		if (now - start > timeout)
			break;
	}
	int res = ev->state;
	pthread_mutex_unlock(&ev->mu);
	return res;
}

// BITMASK builds a mask of bf_len one-bits starting at bit bf_off.
// STORE_BY_BITMASK replaces only those bits of *(type*)addr with val, passing
// the value through htobe both when loading and when storing.
#define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off))
#define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len))))

// Packed (no padding) layouts for the USB descriptors and the control
// request header that the emulated-device code below parses and answers.
struct usb_endpoint_descriptor {
	uint8_t bLength;
	uint8_t bDescriptorType;
	uint8_t bEndpointAddress;
	uint8_t bmAttributes;
	uint16_t wMaxPacketSize;
	uint8_t bInterval;
	uint8_t bRefresh;
	uint8_t bSynchAddress;
} __attribute__((packed));

struct usb_device_descriptor {
	uint8_t bLength;
	uint8_t bDescriptorType;
	uint16_t bcdUSB;
	uint8_t bDeviceClass;
	uint8_t bDeviceSubClass;
	uint8_t bDeviceProtocol;
	uint8_t bMaxPacketSize0;
	uint16_t idVendor;
	uint16_t idProduct;
	uint16_t bcdDevice;
	uint8_t iManufacturer;
	uint8_t iProduct;
	uint8_t iSerialNumber;
	uint8_t bNumConfigurations;
} __attribute__((packed));

struct usb_config_descriptor {
	uint8_t bLength;
	uint8_t bDescriptorType;
	uint16_t wTotalLength;
	uint8_t bNumInterfaces;
	uint8_t bConfigurationValue;
	uint8_t iConfiguration;
	uint8_t bmAttributes;
	uint8_t bMaxPower;
} __attribute__((packed));

struct usb_interface_descriptor {
	uint8_t bLength;
	uint8_t bDescriptorType;
	uint8_t bInterfaceNumber;
	uint8_t bAlternateSetting;
	uint8_t bNumEndpoints;
	uint8_t bInterfaceClass;
	uint8_t bInterfaceSubClass;
	uint8_t bInterfaceProtocol;
	uint8_t iInterface;
} __attribute__((packed));

struct usb_ctrlrequest {
	uint8_t bRequestType;
	uint8_t bRequest;
	uint16_t wValue;
	uint16_t wIndex;
	uint16_t wLength;
} __attribute__((packed));

struct usb_qualifier_descriptor {
	uint8_t bLength;
	uint8_t bDescriptorType;
	uint16_t bcdUSB;
	uint8_t bDeviceClass;
	uint8_t bDeviceSubClass;
	uint8_t bDeviceProtocol;
	uint8_t bMaxPacketSize0;
	uint8_t bNumConfigurations;
	uint8_t bRESERVED;
} __attribute__((packed));

// Request-type field: bits 5-6 of bRequestType, selected with USB_TYPE_MASK.
#define USB_TYPE_MASK (0x03 << 5)
#define USB_TYPE_STANDARD (0x00 << 5)
#define USB_TYPE_CLASS (0x01 << 5)
#define USB_TYPE_VENDOR (0x02 << 5)
#define USB_TYPE_RESERVED (0x03 << 5)

// Descriptor type codes. The parser below compares them with the second byte
// of each descriptor, and the GET_DESCRIPTOR handler with the high byte of
// wValue.
#define USB_DT_DEVICE 0x01
#define USB_DT_CONFIG 0x02
#define USB_DT_STRING 0x03
#define USB_DT_INTERFACE 0x04
#define USB_DT_ENDPOINT 0x05
#define USB_DT_DEVICE_QUALIFIER 0x06
#define USB_DT_OTHER_SPEED_CONFIG 0x07
#define USB_DT_INTERFACE_POWER 0x08
#define USB_DT_OTG 0x09
#define USB_DT_DEBUG 0x0a
#define USB_DT_INTERFACE_ASSOCIATION 0x0b
#define USB_DT_SECURITY 0x0c
#define USB_DT_KEY 0x0d
#define USB_DT_ENCRYPTION_TYPE 0x0e
#define USB_DT_BOS 0x0f
#define USB_DT_DEVICE_CAPABILITY 0x10
#define USB_DT_WIRELESS_ENDPOINT_COMP 0x11
#define USB_DT_WIRE_ADAPTER 0x21
#define USB_DT_RPIPE 0x22
#define USB_DT_CS_RADIO_CONTROL 0x23
#define USB_DT_PIPE_USAGE 0x24
#define USB_DT_SS_ENDPOINT_COMP 0x30
#define USB_DT_SSP_ISOC_ENDPOINT_COMP 0x31

// Request codes (bRequest). Several names share one value: 0x0E and 0x0F are
// each defined twice, and the decimal values 20-24 at the end equal
// 0x14-0x18, overlapping the three preceding entries that cover 0x14-0x17.
#define USB_REQ_GET_STATUS 0x00
#define USB_REQ_CLEAR_FEATURE 0x01
#define USB_REQ_SET_FEATURE 0x03
#define USB_REQ_SET_ADDRESS 0x05
#define USB_REQ_GET_DESCRIPTOR 0x06
#define USB_REQ_SET_DESCRIPTOR 0x07
#define USB_REQ_GET_CONFIGURATION 0x08
#define USB_REQ_SET_CONFIGURATION 0x09
#define USB_REQ_GET_INTERFACE 0x0A
#define USB_REQ_SET_INTERFACE 0x0B
#define USB_REQ_SYNCH_FRAME 0x0C
#define USB_REQ_SET_SEL 0x30
#define USB_REQ_SET_ISOCH_DELAY 0x31
#define USB_REQ_SET_ENCRYPTION 0x0D
#define USB_REQ_GET_ENCRYPTION 0x0E
#define USB_REQ_RPIPE_ABORT 0x0E
#define USB_REQ_SET_HANDSHAKE 0x0F
#define USB_REQ_RPIPE_RESET 0x0F
#define USB_REQ_GET_HANDSHAKE 0x10
#define USB_REQ_SET_CONNECTION 0x11
#define USB_REQ_SET_SECURITY_DATA 0x12
#define USB_REQ_GET_SECURITY_DATA 0x13
#define USB_REQ_SET_WUSB_DATA 0x14
#define USB_REQ_LOOPBACK_DATA_WRITE 0x15
#define USB_REQ_LOOPBACK_DATA_READ 0x16
#define USB_REQ_SET_INTERFACE_DS 0x17
#define USB_REQ_GET_PARTNER_PDO 20
#define USB_REQ_GET_BATTERY_STATUS 21
#define USB_REQ_SET_PDO 22
#define USB_REQ_GET_VDM 23
#define USB_REQ_SEND_VDM 24

// Capacity limits of the per-device index tables below.
#define USB_MAX_IFACE_NUM 4
#define USB_MAX_EP_NUM 32
#define USB_MAX_FDS 6

// One endpoint: a copy of its descriptor plus a handle.
struct usb_endpoint_index {
	struct usb_endpoint_descriptor desc;
	int handle;
};

// One interface: a pointer to its descriptor, copies of three of its fields,
// and up to USB_MAX_EP_NUM endpoints (eps_num of them in use).
struct usb_iface_index {
	struct usb_interface_descriptor* iface;
	uint8_t bInterfaceNumber;
	uint8_t bAlternateSetting;
	uint8_t bInterfaceClass;
	struct usb_endpoint_index eps[USB_MAX_EP_NUM];
	int eps_num;
};

// Index over one device's descriptor blob. dev and config are pointers to
// descriptors held elsewhere rather than copies.
struct usb_device_index {
	struct usb_device_descriptor* dev;
	struct usb_config_descriptor* config;
	uint8_t bDeviceClass;
	uint8_t bMaxPower;
	int config_length;
	struct usb_iface_index ifaces[USB_MAX_IFACE_NUM];
	int ifaces_num;
	int iface_cur;
};

// Associates a file descriptor with the index of the device attached to it.
struct usb_info {
	int fd;
	struct usb_device_index index;
};

// Fixed-size table of emulated devices; static storage, so zero-initialised.
static struct usb_info usb_devices[USB_MAX_FDS];

// Returns the index registered for fd, or NULL when no slot matches. Slots
// are scanned linearly and each fd is read with an acquire load.
// NOTE(review): unused slots still hold fd 0, so a lookup for fd 0 would
// match a slot that was never populated.
static struct usb_device_index* lookup_usb_index(int fd)
{
	for (int i = 0; i < USB_MAX_FDS; i++) {
		if (__atomic_load_n(&usb_devices[i].fd, __ATOMIC_ACQUIRE) == fd)
			return &usb_devices[i].index;
	}
	return NULL;
}

// Slot counter for usb_devices, incremented atomically by add_usb_index()
// later in the listing.
static int usb_devices_num;
static bool parse_usb_descriptor(const char* buffer, size_t length, struct usb_device_index* index) { if (length < sizeof(*index->dev) + sizeof(*index->config)) return false; memset(index, 0, sizeof(*index)); index->dev = (struct usb_device_descriptor*)buffer; index->config = (struct usb_config_descriptor*)(buffer + sizeof(*index->dev)); index->bDeviceClass = index->dev->bDeviceClass; index->bMaxPower = index->config->bMaxPower; index->config_length = length - sizeof(*index->dev); index->iface_cur = -1; size_t offset = 0; while (true) { if (offset + 1 >= length) break; uint8_t desc_length = buffer[offset]; uint8_t desc_type = buffer[offset + 1]; if (desc_length <= 2) break; if (offset + desc_length > length) break; if (desc_type == USB_DT_INTERFACE && index->ifaces_num < USB_MAX_IFACE_NUM) { struct usb_interface_descriptor* iface = (struct usb_interface_descriptor*)(buffer + offset); index->ifaces[index->ifaces_num].iface = iface; index->ifaces[index->ifaces_num].bInterfaceNumber = iface->bInterfaceNumber; index->ifaces[index->ifaces_num].bAlternateSetting = iface->bAlternateSetting; index->ifaces[index->ifaces_num].bInterfaceClass = iface->bInterfaceClass; index->ifaces_num++; } if (desc_type == USB_DT_ENDPOINT && index->ifaces_num > 0) { struct usb_iface_index* iface = &index->ifaces[index->ifaces_num - 1]; if (iface->eps_num < USB_MAX_EP_NUM) { memcpy(&iface->eps[iface->eps_num].desc, buffer + offset, sizeof(iface->eps[iface->eps_num].desc)); iface->eps_num++; } } offset += desc_length; } return true; } static struct usb_device_index* add_usb_index(int fd, const char* dev, size_t dev_len) { int i = __atomic_fetch_add(&usb_devices_num, 1, __ATOMIC_RELAXED); if (i >= USB_MAX_FDS) return NULL; if (!parse_usb_descriptor(dev, dev_len, &usb_devices[i].index)) return NULL; __atomic_store_n(&usb_devices[i].fd, fd, __ATOMIC_RELEASE); return &usb_devices[i].index; } struct vusb_connect_string_descriptor { uint32_t len; char* str; } __attribute__((packed)); struct 
vusb_connect_descriptors { uint32_t qual_len; char* qual; uint32_t bos_len; char* bos; uint32_t strs_len; struct vusb_connect_string_descriptor strs[0]; } __attribute__((packed)); static const char default_string[] = { 8, USB_DT_STRING, 's', 0, 'y', 0, 'z', 0 }; static const char default_lang_id[] = { 4, USB_DT_STRING, 0x09, 0x04 }; static bool lookup_connect_response_in(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, struct usb_qualifier_descriptor* qual, char** response_data, uint32_t* response_length) { struct usb_device_index* index = lookup_usb_index(fd); uint8_t str_idx; if (!index) return false; switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_GET_DESCRIPTOR: switch (ctrl->wValue >> 8) { case USB_DT_DEVICE: *response_data = (char*)index->dev; *response_length = sizeof(*index->dev); return true; case USB_DT_CONFIG: *response_data = (char*)index->config; *response_length = index->config_length; return true; case USB_DT_STRING: str_idx = (uint8_t)ctrl->wValue; if (descs && str_idx < descs->strs_len) { *response_data = descs->strs[str_idx].str; *response_length = descs->strs[str_idx].len; return true; } if (str_idx == 0) { *response_data = (char*)&default_lang_id[0]; *response_length = default_lang_id[0]; return true; } *response_data = (char*)&default_string[0]; *response_length = default_string[0]; return true; case USB_DT_BOS: *response_data = descs->bos; *response_length = descs->bos_len; return true; case USB_DT_DEVICE_QUALIFIER: if (!descs->qual) { qual->bLength = sizeof(*qual); qual->bDescriptorType = USB_DT_DEVICE_QUALIFIER; qual->bcdUSB = index->dev->bcdUSB; qual->bDeviceClass = index->dev->bDeviceClass; qual->bDeviceSubClass = index->dev->bDeviceSubClass; qual->bDeviceProtocol = index->dev->bDeviceProtocol; qual->bMaxPacketSize0 = index->dev->bMaxPacketSize0; qual->bNumConfigurations = index->dev->bNumConfigurations; qual->bRESERVED = 0; *response_data 
= (char*)qual; *response_length = sizeof(*qual); return true; } *response_data = descs->qual; *response_length = descs->qual_len; return true; default: break; } break; default: break; } break; default: break; } return false; } typedef bool (*lookup_connect_out_response_t)(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done); static bool lookup_connect_response_out_generic(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done) { switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_SET_CONFIGURATION: *done = true; return true; default: break; } break; } return false; } static int vhci_open(void) { char path[1024]; snprintf(path, sizeof(path), "/dev/vhci%llu", procid); return open(path, O_RDWR); } static int vhci_setport(int fd, u_int port) { struct vhci_ioc_set_port args; args.port = port; return ioctl(fd, VHCI_IOC_SET_PORT, &args); } static int vhci_usb_attach(int fd) { return ioctl(fd, VHCI_IOC_USB_ATTACH, NULL); } static int vhci_usb_recv(int fd, void* buf, size_t size) { uint8_t* ptr = (uint8_t*)buf; while (1) { ssize_t done = read(fd, ptr, size); if (done < 0) return -1; if ((size_t)done == size) return 0; size -= done; ptr += done; } } static int vhci_usb_send(int fd, void* buf, size_t size) { uint8_t* ptr = (uint8_t*)buf; while (1) { ssize_t done = write(fd, ptr, size); if (done <= 0) return -1; if ((size_t)done == size) return 0; size -= done; ptr += done; } } static volatile long syz_usb_connect_impl(int fd, uint64_t speed, uint64_t dev_len, const char* dev, const struct vusb_connect_descriptors* descs, lookup_connect_out_response_t lookup_connect_response_out) { struct usb_device_index* index = add_usb_index(fd, dev, dev_len); if (!index) { return -1; } if (vhci_setport(fd, 1)) exit(1); if (vhci_usb_attach(fd)) { return -1; } bool done = false; while (!done) { vhci_request_t req; if (vhci_usb_recv(fd, &req, 
sizeof(req))) { return -1; } if (req.type != VHCI_REQ_CTRL) { return -1; } char* response_data = NULL; uint32_t response_length = 0; struct usb_qualifier_descriptor qual; char data[4096]; if (req.u.ctrl.bmRequestType & UE_DIR_IN) { if (!lookup_connect_response_in(fd, descs, (const struct usb_ctrlrequest*)&req.u.ctrl, &qual, &response_data, &response_length)) { return -1; } } else { if (!lookup_connect_response_out(fd, descs, (const struct usb_ctrlrequest*)&req.u.ctrl, &done)) { return -1; } response_data = NULL; response_length = UGETW(req.u.ctrl.wLength); } if ((req.u.ctrl.bmRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD && req.u.ctrl.bRequest == USB_REQ_SET_CONFIGURATION) { } if (response_length > sizeof(data)) response_length = 0; if ((uint32_t)UGETW(req.u.ctrl.wLength) < response_length) response_length = UGETW(req.u.ctrl.wLength); if (response_data) memcpy(data, response_data, response_length); else memset(data, 0, response_length); int rv = 0; if (req.u.ctrl.bmRequestType & UE_DIR_IN) { if (response_length > 0) { vhci_response_t res; res.size = response_length; rv = vhci_usb_send(fd, &res, sizeof(res)); if (rv == 0) rv = vhci_usb_send(fd, data, response_length); } } else { rv = vhci_usb_recv(fd, data, response_length); } if (rv < 0) { return -1; } } sleep_ms(200); return fd; } static volatile long syz_usb_connect(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { uint64_t speed = a0; uint64_t dev_len = a1; const char* dev = (const char*)a2; const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3; if (!dev) { return -1; } int fd = vhci_open(); if (fd < 0) exit(1); long res = syz_usb_connect_impl(fd, speed, dev_len, dev, descs, &lookup_connect_response_out_generic); close(fd); return res; } static volatile long syz_usb_disconnect(volatile long a0) { int fd = a0; int rv = close(fd); sleep_ms(200); return rv; } static void setup_fault(void) { if (chmod("/dev/fault", 0666)) exit(1); } static int 
inject_fault(int nth) { struct fault_ioc_enable en; int fd; fd = open("/dev/fault", O_RDWR); if (fd == -1) exit(1); en.scope = FAULT_SCOPE_LWP; en.mode = 0; en.nth = nth + 1; if (ioctl(fd, FAULT_IOC_ENABLE, &en) != 0) exit(1); return fd; } static void sandbox_common() { struct rlimit rlim; rlim.rlim_cur = rlim.rlim_max = 8 << 20; setrlimit(RLIMIT_MEMLOCK, &rlim); rlim.rlim_cur = rlim.rlim_max = 1 << 20; setrlimit(RLIMIT_FSIZE, &rlim); rlim.rlim_cur = rlim.rlim_max = 1 << 20; setrlimit(RLIMIT_STACK, &rlim); rlim.rlim_cur = rlim.rlim_max = 0; setrlimit(RLIMIT_CORE, &rlim); rlim.rlim_cur = rlim.rlim_max = 256; setrlimit(RLIMIT_NOFILE, &rlim); } static void loop(); static int do_sandbox_none(void) { sandbox_common(); loop(); return 0; } static long syz_execute_func(volatile long text) { ((void (*)(void))(text))(); return 0; } struct thread_t { int created, call; event_t ready, done; }; static struct thread_t threads[16]; static void execute_call(int call); static int running; static void* thr(void* arg) { struct thread_t* th = (struct thread_t*)arg; for (;;) { event_wait(&th->ready); event_reset(&th->ready); execute_call(th->call); __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED); event_set(&th->done); } return 0; } static void execute_one(void) { int i, call, thread; for (call = 0; call < 14; call++) { for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) { struct thread_t* th = &threads[thread]; if (!th->created) { th->created = 1; event_init(&th->ready); event_init(&th->done); event_set(&th->done); thread_start(thr, th); } if (!event_isset(&th->done)) continue; event_reset(&th->done); th->call = call; __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED); event_set(&th->ready); if (call == 1) break; event_timedwait(&th->done, 50 + (call == 11 ? 3000 : 0) + (call == 12 ? 3000 : 0) + (call == 13 ? 
300 : 0)); break; } } for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++) sleep_ms(1); } static void execute_one(void); #define WAIT_FLAGS 0 static void loop(void) { int iter = 0; for (;; iter++) { char cwdbuf[32]; sprintf(cwdbuf, "./%d", iter); if (mkdir(cwdbuf, 0777)) exit(1); int pid = fork(); if (pid < 0) exit(1); if (pid == 0) { if (chdir(cwdbuf)) exit(1); execute_one(); exit(0); } int status = 0; uint64_t start = current_time_ms(); for (;;) { if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) break; sleep_ms(1); if (current_time_ms() - start < 5000) continue; kill_and_wait(pid, &status); break; } remove_dir(cwdbuf); } } uint64_t r[4] = {0x0, 0x0, 0x0, 0xffffffffffffffff}; void execute_call(int call) { intptr_t res = 0; switch (call) { case 0: memcpy((void*)0x20000000, "./file0\000", 8); inject_fault(1); res = syscall(SYS___stat50, 0x20000000ul, 0x20000040ul); if (res != -1) { r[0] = *(uint32_t*)0x2000005c; r[1] = *(uint32_t*)0x20000060; } break; case 1: *(uint32_t*)0x20000200 = 0x5a3e; *(uint32_t*)0x20000204 = 0; *(uint32_t*)0x20000208 = r[1]; *(uint32_t*)0x2000020c = -1; *(uint32_t*)0x20000210 = -1; *(uint32_t*)0x20000214 = 0x20; *(uint16_t*)0x20000218 = 0x400; *(uint16_t*)0x2000021a = 0; *(uint64_t*)0x20000220 = 0; *(uint64_t*)0x20000228 = 0; *(uint64_t*)0x20000230 = 9; *(uint64_t*)0x20000238 = 0x62e81dc5; *(uint32_t*)0x20000240 = 0x81; *(uint32_t*)0x20000244 = 5; *(uint64_t*)0x20000248 = 4; *(uint64_t*)0x20000250 = 8; *(uint64_t*)0x20000258 = 9; *(uint64_t*)0x20000260 = 0x20000100; *(uint64_t*)0x20000100 = 0; *(uint64_t*)0x20000108 = 0x20e1; *(uint16_t*)0x20000110 = 0xfffd; *(uint16_t*)0x20000112 = 1; *(uint64_t*)0x20000268 = 0x200001c0; *(uint64_t*)0x200001c0 = 0x20000180; *(uint64_t*)0x20000180 = 0x20000140; *(uint64_t*)0x20000140 = 0; *(uint64_t*)0x20000148 = 0x7ff; *(uint16_t*)0x20000150 = 9; *(uint16_t*)0x20000152 = 1; *(uint64_t*)0x20000188 = 0x8000000000000000; *(uint16_t*)0x20000190 = 6; *(uint16_t*)0x20000192 = 8; 
*(uint64_t*)0x200001c8 = 8; *(uint16_t*)0x200001d0 = 5; *(uint16_t*)0x200001d2 = 0x20; *(uint64_t*)0x20000270 = 0x400; syscall(SYS_compat_50___msgctl13, 0, 1ul, 0x20000200ul); break; case 2: memcpy((void*)0x20000280, "./file0\000", 8); syscall(SYS_chown, 0x20000280ul, r[0], 0); { int i; for(i = 0; i < 4; i++) { syscall(SYS_chown, 0x20000280ul, r[0], 0); } } break; case 3: syscall(SYS_compat_14___semctl, 0, 0ul, 6ul, 0x200002c0ul); break; case 4: *(uint64_t*)0x20000380 = 0x20000340; *(uint32_t*)0x20000340 = r[0]; *(uint32_t*)0x20000344 = r[1]; *(uint32_t*)0x20000348 = 0x80; *(uint32_t*)0x2000034c = 0x5a3; *(uint32_t*)0x20000350 = 0x100; *(uint16_t*)0x20000354 = 1; *(uint64_t*)0x20000358 = 0x4897; *(uint16_t*)0x20000360 = 0x7fff; *(uint64_t*)0x20000368 = 7; *(uint64_t*)0x20000370 = 0; *(uint64_t*)0x20000378 = 0x20000300; *(uint16_t*)0x20000300 = 0x800; *(uint32_t*)0x20000304 = 7; *(uint16_t*)0x20000308 = 2; *(uint16_t*)0x2000030a = 9; syscall(SYS_compat_14___semctl, -1, 0ul, 8ul, 0x20000380ul); break; case 5: syscall(SYS_semctl, -1, 4ul, 3ul, 0x200003c0ul); break; case 6: res = syscall(SYS_semget, 0ul, 3ul, 2ul); if (res != -1) r[2] = res; break; case 7: syscall(SYS_compat_14___semctl, r[2], 0ul, 3ul, 0); break; case 8: *(uint16_t*)0x20000400 = 4; *(uint16_t*)0x20000402 = 7; *(uint16_t*)0x20000404 = 0x2000; *(uint16_t*)0x20000406 = 4; *(uint16_t*)0x20000408 = 0x1f; *(uint16_t*)0x2000040a = 0x800; *(uint16_t*)0x2000040c = 1; *(uint16_t*)0x2000040e = 7; *(uint16_t*)0x20000410 = 0x400; syscall(SYS_semop, r[2], 0x20000400ul, 3ul); break; case 9: syscall(SYS_compat_14___semctl, r[2], 0ul, 2ul, 0x20000440ul); break; case 10: memcpy((void*)0x20000040, "\xc4\x21\xc1\x6d\x14\x9f\xc4\x62\xba\xf7\x6f\xed\x26\x66\x45\x0f\x38\x00\x81\x3b\xe7\x0e\xb1\x66\x40\x25\x36\x33\xf0\x40\x81\x82\xa0\xbc\x30\x22\x00\x80\x00\x00\xc4\x82\x81\x92\x6c\xd9\x92\x66\x0f\x4f\x99\xc0\xf8\x00\x00\x36\x26\x66\x0f\x12\x4e\x32\xf2\x6e\x66\x0f\x38\x2a\xb5\x00\x00\x00\x80", 73); 
syz_execute_func(0x20000040); break; case 11: *(uint8_t*)0x20000100 = 0x12; *(uint8_t*)0x20000101 = 1; *(uint16_t*)0x20000102 = 0x300; *(uint8_t*)0x20000104 = 0; *(uint8_t*)0x20000105 = 0; *(uint8_t*)0x20000106 = 0; *(uint8_t*)0x20000107 = 0xbf; *(uint16_t*)0x20000108 = 0; *(uint16_t*)0x2000010a = 0; *(uint16_t*)0x2000010c = 0; *(uint8_t*)0x2000010e = 1; *(uint8_t*)0x2000010f = 2; *(uint8_t*)0x20000110 = 3; *(uint8_t*)0x20000111 = 1; *(uint8_t*)0x20000112 = 9; *(uint8_t*)0x20000113 = 2; *(uint16_t*)0x20000114 = 0x76c; *(uint8_t*)0x20000116 = 3; *(uint8_t*)0x20000117 = 7; *(uint8_t*)0x20000118 = 0x17; *(uint8_t*)0x20000119 = 0x30; *(uint8_t*)0x2000011a = 0x3d; *(uint8_t*)0x2000011b = 9; *(uint8_t*)0x2000011c = 4; *(uint8_t*)0x2000011d = 0x8e; *(uint8_t*)0x2000011e = 0; *(uint8_t*)0x2000011f = 0; *(uint8_t*)0x20000120 = 0; *(uint8_t*)0x20000121 = 0; *(uint8_t*)0x20000122 = 0; *(uint8_t*)0x20000123 = 0x62; *(uint8_t*)0x20000124 = 0x12; *(uint8_t*)0x20000125 = 0x24; *(uint8_t*)0x20000126 = 2; *(uint8_t*)0x20000127 = 2; *(uint16_t*)0x20000128 = 0x1f; *(uint16_t*)0x2000012a = 7; *(uint8_t*)0x2000012c = 0x7f; memcpy((void*)0x2000012d, "\x11\xc0\x68\x24\x60\x6e\x6e\x24\x1d", 9); *(uint8_t*)0x20000136 = 9; *(uint8_t*)0x20000137 = 4; *(uint8_t*)0x20000138 = 0; *(uint8_t*)0x20000139 = 0x3f; *(uint8_t*)0x2000013a = 0xd; *(uint8_t*)0x2000013b = 0; *(uint8_t*)0x2000013c = 0; *(uint8_t*)0x2000013d = 0; *(uint8_t*)0x2000013e = 0x1f; *(uint8_t*)0x2000013f = 0xe0; *(uint8_t*)0x20000140 = 0xa; memcpy((void*)0x20000141, 
"\xb7\x1a\xa8\xdb\xef\x28\xec\x50\x8e\x40\xe5\x7e\x0f\x21\xe5\x1c\xeb\x5e\xac\xb8\x0b\xb3\xf7\xed\x35\xe2\x9b\xad\x26\x5b\x99\xdb\xbc\xbb\x65\x5b\x87\xcb\xc7\x76\x84\x37\x03\xa8\x76\xdc\x2d\xd2\x21\x6c\x56\x77\x1d\xd1\x3f\x2c\xae\x3e\xae\x77\x25\x86\xca\xcf\x7c\xdb\x24\xa9\x18\x92\x4b\xa3\x42\xe5\xa8\x4c\xb7\x75\x41\x17\x2a\x5b\x41\x00\xbc\xd7\x21\xc0\x0b\xcc\x1d\x59\x0d\x5b\xae\x2e\x60\x2b\x8a\x29\xaa\x64\x95\x16\xb3\x9d\x74\x5c\x54\x66\x13\x73\x0d\xec\x49\x57\xdf\x6d\xc6\x59\x19\x93\xb9\x02\x7a\xfe\x3e\xb2\x17\x2a\x49\xb3\xb5\x89\xf5\x32\x2c\xc7\x6f\xd4\x21\xd8\xb9\xac\xaf\x9f\x32\x6c\x83\x52\x14\xaa\x33\xda\x00\x4a\xda\xae\x66\x89\xef\xeb\xb0\x28\xa6\x49\xb7\xed\xc8\x23\x33\xf8\x9f\xd1\x00\xb6\xda\x5d\x60\xc3\xe1\x34\x9b\xd3\x0d\x2c\xff\x8a\xe5\x6c\xcb\xed\x46\xe0\x9f\x66\x62\xc6\xb2\xc2\xe7\xcb\xd8\x87\xfb\xc4\x47\xdb\x5d\x68\x87\xeb\x1c\xc1\x37\x8e\xd3\x10\xec\x7d\x00\x4c", 222); *(uint8_t*)0x2000021f = 0xb; *(uint8_t*)0x20000220 = 0x24; *(uint8_t*)0x20000221 = 6; *(uint8_t*)0x20000222 = 0; *(uint8_t*)0x20000223 = 1; memcpy((void*)0x20000224, "\x4b\x66\xfa\xfb\xc9\xe4", 6); *(uint8_t*)0x2000022a = 5; *(uint8_t*)0x2000022b = 0x24; *(uint8_t*)0x2000022c = 0; *(uint16_t*)0x2000022d = 6; *(uint8_t*)0x2000022f = 0xd; *(uint8_t*)0x20000230 = 0x24; *(uint8_t*)0x20000231 = 0xf; *(uint8_t*)0x20000232 = 1; *(uint32_t*)0x20000233 = 0x80000000; *(uint16_t*)0x20000237 = 4; *(uint16_t*)0x20000239 = 0; *(uint8_t*)0x2000023b = 0; *(uint8_t*)0x2000023c = 6; *(uint8_t*)0x2000023d = 0x24; *(uint8_t*)0x2000023e = 0x1a; *(uint16_t*)0x2000023f = 0xfffa; *(uint8_t*)0x20000241 = 0x12; *(uint8_t*)0x20000242 = 5; *(uint8_t*)0x20000243 = 0x24; *(uint8_t*)0x20000244 = 0x15; *(uint16_t*)0x20000245 = 5; *(uint8_t*)0x20000247 = 0x15; *(uint8_t*)0x20000248 = 0x24; *(uint8_t*)0x20000249 = 0x12; *(uint16_t*)0x2000024a = 5; *(uint64_t*)0x2000024c = 0x14f5e048ba817a3; *(uint64_t*)0x20000254 = 0x2a397ecbffc007a6; *(uint8_t*)0x2000025c = 7; *(uint8_t*)0x2000025d = 0x24; *(uint8_t*)0x2000025e = 
0x14; *(uint16_t*)0x2000025f = 4; *(uint16_t*)0x20000261 = 0; *(uint8_t*)0x20000263 = 0xe5; *(uint8_t*)0x20000264 = 0x24; *(uint8_t*)0x20000265 = 0x13; *(uint8_t*)0x20000266 = 7; memcpy((void*)0x20000267, "\x8f\x0d\x5f\x90\xcf\x98\xb4\x79\xfa\xe0\x69\xbf\xd8\x3c\x7e\x4e\xf5\xaf\xe0\x12\x49\x5f\x0e\xe2\x30\x62\xfe\x5f\x81\xbe\x0e\xf8\x2f\xf4\x10\x31\x8f\x82\xc5\x30\x0b\xa5\xa5\xad\x17\x5d\xac\xf7\x41\xe1\xd1\x95\x6b\x8b\xb1\x56\xe5\xb5\x46\x64\x4c\x17\x50\x91\x6d\x03\x81\xb4\x9c\x7b\xd1\x60\x32\x3b\xde\x2f\xf8\xc1\x37\x9a\x31\x9c\x3a\xdd\x3f\xbd\x86\xaa\x16\x97\x49\xf6\x10\x88\x44\xbd\x19\x64\x4c\xaf\xeb\xba\x5d\x70\x98\x9e\x95\x14\x43\x00\xd6\xb5\x08\xed\xd1\x66\x2f\x75\x98\x28\xaa\xd7\x8d\x18\xd7\x10\x55\x3c\xb7\xf5\xdf\x43\xb7\xb5\x60\xbb\x4f\x48\x69\xde\x9e\xbe\x5e\x12\x63\x56\x50\x7d\x10\xf2\xc8\xd9\xb8\x3f\x66\x1f\xbf\x0b\xd5\x13\x1c\xe9\xc0\x59\xb6\x0e\x62\x0d\xa0\xf7\x51\x6a\xd6\xd7\x0c\x75\xde\x7d\xd4\xb3\x7d\x9c\x37\x91\x34\xe6\x03\x6d\xf4\x28\xe1\xf5\x41\xdb\xee\x9f\x58\xa4\xa3\x74\xff\x6c\xb6\xae\x04\x68\xf4\x9c\x61\x64\x18\xa2\x76\x00\x66\x45\x74\x39\x95\x2b\xb5\xb9\x3f\x4f\x33", 225); *(uint8_t*)0x20000348 = 0x15; *(uint8_t*)0x20000349 = 0x24; *(uint8_t*)0x2000034a = 0x12; *(uint16_t*)0x2000034b = 0xec; *(uint64_t*)0x2000034d = 0x14f5e048ba817a3; *(uint64_t*)0x20000355 = 0x2a397ecbffc007a6; *(uint8_t*)0x2000035d = 9; *(uint8_t*)0x2000035e = 5; *(uint8_t*)0x2000035f = 0xf; *(uint8_t*)0x20000360 = 0x1d; *(uint16_t*)0x20000361 = 0x10; *(uint8_t*)0x20000363 = 0; *(uint8_t*)0x20000364 = 0x80; *(uint8_t*)0x20000365 = 0x74; *(uint8_t*)0x20000366 = 9; *(uint8_t*)0x20000367 = 5; *(uint8_t*)0x20000368 = 2; *(uint8_t*)0x20000369 = 3; *(uint16_t*)0x2000036a = 0x10; *(uint8_t*)0x2000036c = 0x9f; *(uint8_t*)0x2000036d = 0x7d; *(uint8_t*)0x2000036e = -1; *(uint8_t*)0x2000036f = 0x52; *(uint8_t*)0x20000370 = 0xe; memcpy((void*)0x20000371, 
"\xec\xf4\xce\x49\x2b\x20\xb2\xd5\x08\xa9\x18\x0c\x01\x19\x2d\x8e\x12\x4f\x6e\x79\x0a\xed\xfc\x35\x21\x3b\x1d\x14\xc6\x8c\x63\x68\x66\x31\xf6\x97\x53\x2d\xa0\x05\xbc\x50\x13\xd6\x2c\x6d\x5c\x18\xb5\xc5\xc4\xf2\x26\x3b\x42\xb5\x82\xb7\x33\x3b\x47\x37\x3c\xdf\x66\x61\x59\x74\x5a\x6a\x53\xd5\x18\xa4\xae\x7c\x51\xab\xaa\xa8", 80); *(uint8_t*)0x200003c1 = 0x15; *(uint8_t*)0x200003c2 = 0x23; memcpy((void*)0x200003c3, "\xdc\x33\x3e\xa4\xd2\xd7\x35\x1e\xc6\xd2\x73\xb6\x8c\xe3\xd5\xd1\xe2\xc2\xcf", 19); *(uint8_t*)0x200003d6 = 9; *(uint8_t*)0x200003d7 = 5; *(uint8_t*)0x200003d8 = 0xb; *(uint8_t*)0x200003d9 = 0; *(uint16_t*)0x200003da = 0x10; *(uint8_t*)0x200003dc = 4; *(uint8_t*)0x200003dd = 9; *(uint8_t*)0x200003de = 0; *(uint8_t*)0x200003df = 7; *(uint8_t*)0x200003e0 = 0x25; *(uint8_t*)0x200003e1 = 1; *(uint8_t*)0x200003e2 = 0; *(uint8_t*)0x200003e3 = 5; *(uint16_t*)0x200003e4 = 0xfffc; *(uint8_t*)0x200003e6 = 0x35; *(uint8_t*)0x200003e7 = 2; memcpy((void*)0x200003e8, "\x59\xa6\x60\x19\xfb\x9a\xdf\xb5\x95\x09\x97\x71\x2b\x8b\x3c\x1c\xb4\xc4\xa0\xab\xbf\x8e\xa4\x1d\xd4\xdd\x59\x36\xbd\xe7\xfb\xe2\x3f\xf6\x42\xc1\x76\xc3\x55\xef\x47\x28\x02\x2f\x3d\x7d\x83\x38\x60\xfb\xcf", 51); *(uint8_t*)0x2000041b = 9; *(uint8_t*)0x2000041c = 5; *(uint8_t*)0x2000041d = 0; *(uint8_t*)0x2000041e = 0x10; *(uint16_t*)0x2000041f = 8; *(uint8_t*)0x20000421 = 1; *(uint8_t*)0x20000422 = 1; *(uint8_t*)0x20000423 = 0; *(uint8_t*)0x20000424 = 9; *(uint8_t*)0x20000425 = 5; *(uint8_t*)0x20000426 = 1; *(uint8_t*)0x20000427 = 2; *(uint16_t*)0x20000428 = 0; *(uint8_t*)0x2000042a = 0; *(uint8_t*)0x2000042b = 9; *(uint8_t*)0x2000042c = 6; *(uint8_t*)0x2000042d = 7; *(uint8_t*)0x2000042e = 0x25; *(uint8_t*)0x2000042f = 1; *(uint8_t*)0x20000430 = 3; *(uint8_t*)0x20000431 = 9; *(uint16_t*)0x20000432 = 0x9f36; *(uint8_t*)0x20000434 = 7; *(uint8_t*)0x20000435 = 0x25; *(uint8_t*)0x20000436 = 1; *(uint8_t*)0x20000437 = 3; *(uint8_t*)0x20000438 = 9; *(uint16_t*)0x20000439 = 3; *(uint8_t*)0x2000043b = 9; 
*(uint8_t*)0x2000043c = 5; *(uint8_t*)0x2000043d = 0xc; *(uint8_t*)0x2000043e = 0x10; *(uint16_t*)0x2000043f = 0x200; *(uint8_t*)0x20000441 = 0x15; *(uint8_t*)0x20000442 = 2; *(uint8_t*)0x20000443 = 0; *(uint8_t*)0x20000444 = 0x5b; *(uint8_t*)0x20000445 = 0x23; memcpy((void*)0x20000446, "\x19\x25\x29\x4e\x2c\x16\x95\x4f\x83\x13\x82\x5e\x71\xea\x53\x6e\x70\x77\xd7\x13\x0c\xee\x3a\x80\x2c\xb3\xc8\x00\x5e\xf6\xd9\x21\x10\x68\x28\x6c\x7a\x4c\x20\xcb\x87\xfd\x2c\xdc\x5a\xee\xdb\x17\x1f\xd6\x7d\xdc\x74\xc3\xf0\x29\xaa\xb0\xbf\xa9\xa6\x3e\x5d\xe5\xa5\x35\x79\x66\x6c\xef\x0f\xb7\xc8\x76\xef\xc0\xa5\xd3\x38\x2c\x34\x6e\x1f\x9a\x78\xb7\x35\x6c\x22", 89); *(uint8_t*)0x2000049f = 9; *(uint8_t*)0x200004a0 = 5; *(uint8_t*)0x200004a1 = 0xb; *(uint8_t*)0x200004a2 = 0; *(uint16_t*)0x200004a3 = 0x40; *(uint8_t*)0x200004a5 = 0x18; *(uint8_t*)0x200004a6 = 0x3f; *(uint8_t*)0x200004a7 = 8; *(uint8_t*)0x200004a8 = 9; *(uint8_t*)0x200004a9 = 5; *(uint8_t*)0x200004aa = 0xd; *(uint8_t*)0x200004ab = 1; *(uint16_t*)0x200004ac = 0; *(uint8_t*)0x200004ae = 9; *(uint8_t*)0x200004af = -1; *(uint8_t*)0x200004b0 = 3; *(uint8_t*)0x200004b1 = 0xdc; *(uint8_t*)0x200004b2 = 0x23; memcpy((void*)0x200004b3, 
"\xcc\xd5\x3f\xc8\x11\x56\xa9\x1f\xf4\x26\xeb\x00\x1f\xbf\x43\xc8\x55\x1f\xda\x17\x0e\xd3\x6a\x97\xeb\xa7\xa3\x2c\x31\x15\xec\x5e\x9a\x81\x82\x73\x40\x12\xaa\x12\xdd\xcc\x6e\x93\xd8\x5e\xaa\xfb\xda\x4a\xb1\xcf\xf6\xbc\xb2\xaf\xec\xd8\xaa\x8c\x58\xb2\x7a\x75\xe5\xa4\xdd\xc5\x0c\xc6\x73\xed\xc8\x2f\xf1\x31\x15\xeb\x8f\x50\xdd\xd1\xed\x26\x95\x33\x7c\xa8\x5b\x88\x26\x4d\xb5\x9e\xb1\x30\x42\x16\xa3\x01\xd4\x2f\x29\x02\xd5\xc0\x6b\x17\x59\x2b\xb2\x1d\x2a\xf1\xd0\x92\xf5\xd7\x37\x3a\xef\xdb\x90\x7f\xfc\x81\x79\xab\xd6\x8b\x11\xef\x10\xbe\x84\x4e\x03\x81\x68\x06\xf0\x45\xf0\xa5\xef\x3b\xa0\xac\x5b\xd8\x43\xa4\x6f\xa3\xb7\x2b\x86\x2d\xe1\x72\x86\x47\xad\xc3\xf3\xbb\xcd\x53\xce\x88\x1e\x6b\x5a\x6c\x6e\xc7\x97\xd3\x2c\xc1\x39\x18\xe3\xda\x4b\x3e\xa2\x0d\xd6\x89\x3c\x2c\x7c\xa4\x7a\xa5\x1b\xee\x04\x7a\x36\x1f\xef\xf7\x16\xce\xf3\xda\xe5\x0b\x6c\xa7\x2a\x2b\x76\x4f\xa4\xcf", 218); *(uint8_t*)0x2000058d = 7; *(uint8_t*)0x2000058e = 0x25; *(uint8_t*)0x2000058f = 1; *(uint8_t*)0x20000590 = 0x80; *(uint8_t*)0x20000591 = 5; *(uint16_t*)0x20000592 = 0x3f; *(uint8_t*)0x20000594 = 9; *(uint8_t*)0x20000595 = 5; *(uint8_t*)0x20000596 = 1; *(uint8_t*)0x20000597 = 2; *(uint16_t*)0x20000598 = 0x20; *(uint8_t*)0x2000059a = 0xb9; *(uint8_t*)0x2000059b = 0x86; *(uint8_t*)0x2000059c = 0x40; *(uint8_t*)0x2000059d = 0x84; *(uint8_t*)0x2000059e = 8; memcpy((void*)0x2000059f, "\xab\x51\x4d\xeb\xe1\x6a\xea\x41\xf0\x67\xe8\x46\xf8\x93\x9c\x5d\x4f\x6f\xce\x3a\x7d\x25\xea\xee\x2c\x06\x51\xf9\x2f\xe2\x44\x17\xbd\xf9\x25\x6f\x3f\x9b\x58\x34\x92\xb2\xe4\xfe\x6b\x2b\x4b\xad\x9c\x1f\x4a\x8b\x26\xd7\x4c\x60\xae\xda\x94\x78\xa6\x48\x76\x89\x1b\x3a\x75\xff\xce\x40\x01\x85\x3b\x93\xbd\x0f\xd8\xa1\x65\xa7\xfa\x83\xfb\xc6\xb9\x5a\xed\x88\x0f\x02\x22\x4f\x12\x22\xb1\x50\xb7\x46\x98\x1a\x4b\x55\x28\x8f\x56\x4d\x8d\x6a\xf6\x43\xc0\xfd\x29\x15\x71\xd7\x0c\xc5\x60\x24\xdd\x73\xe5\x00\xc5\xef\xe9\xbc\x9b\x72", 130); *(uint8_t*)0x20000621 = 7; *(uint8_t*)0x20000622 = 0x25; *(uint8_t*)0x20000623 = 1; 
*(uint8_t*)0x20000624 = 1; *(uint8_t*)0x20000625 = 0; *(uint16_t*)0x20000626 = 9; *(uint8_t*)0x20000628 = 9; *(uint8_t*)0x20000629 = 5; *(uint8_t*)0x2000062a = 5; *(uint8_t*)0x2000062b = 2; *(uint16_t*)0x2000062c = 0x10; *(uint8_t*)0x2000062e = 0xf9; *(uint8_t*)0x2000062f = 0xd8; *(uint8_t*)0x20000630 = 0xf9; *(uint8_t*)0x20000631 = 9; *(uint8_t*)0x20000632 = 5; *(uint8_t*)0x20000633 = 3; *(uint8_t*)0x20000634 = 0xc; *(uint16_t*)0x20000635 = 8; *(uint8_t*)0x20000637 = 0x81; *(uint8_t*)0x20000638 = 0; *(uint8_t*)0x20000639 = 0x3f; *(uint8_t*)0x2000063a = 9; *(uint8_t*)0x2000063b = 5; *(uint8_t*)0x2000063c = 0xd; *(uint8_t*)0x2000063d = 0; *(uint16_t*)0x2000063e = 0xa2f3; *(uint8_t*)0x20000640 = 0xbe; *(uint8_t*)0x20000641 = 6; *(uint8_t*)0x20000642 = 7; *(uint8_t*)0x20000643 = 7; *(uint8_t*)0x20000644 = 0x25; *(uint8_t*)0x20000645 = 1; *(uint8_t*)0x20000646 = 0x81; *(uint8_t*)0x20000647 = 2; *(uint16_t*)0x20000648 = 2; *(uint8_t*)0x2000064a = 9; *(uint8_t*)0x2000064b = 5; *(uint8_t*)0x2000064c = 8; *(uint8_t*)0x2000064d = 0x1c; *(uint16_t*)0x2000064e = 0x20; *(uint8_t*)0x20000650 = 4; *(uint8_t*)0x20000651 = 8; *(uint8_t*)0x20000652 = 9; *(uint8_t*)0x20000653 = 7; *(uint8_t*)0x20000654 = 0x25; *(uint8_t*)0x20000655 = 1; *(uint8_t*)0x20000656 = 0x81; *(uint8_t*)0x20000657 = -1; *(uint16_t*)0x20000658 = 0xffe0; *(uint8_t*)0x2000065a = 0xf2; *(uint8_t*)0x2000065b = 0x31; memcpy((void*)0x2000065c, 
"\x2f\xb2\xb9\x74\x7b\x65\x1a\xe6\x6e\x5d\x86\x1f\x9e\xfc\x61\xbd\xd1\x94\x95\xf1\x63\x62\x59\x75\xe7\xba\xe8\x00\xee\x00\x48\x67\xb5\xa8\x13\xb7\xb9\xdb\xc5\x5e\xb0\xb7\x51\xb8\xd7\x58\xe9\xcb\xa4\xa3\xb4\xf6\x83\x0e\x5f\x85\xdf\x74\x0e\xfc\xf2\x90\xc7\x7d\xf2\x12\xee\x62\xfc\x94\xcc\x50\x4b\x1e\x54\x22\xff\xbf\x9f\x87\xed\x05\xb4\xe7\x62\xfe\xed\x65\x35\xfd\x70\x28\x25\x63\x1d\xb7\x63\x6c\x86\x9c\x9f\x12\x99\x32\x0d\x98\xe1\xcf\x74\x0a\x94\xe2\x26\xaf\x56\x08\xa7\x99\xe1\xc9\x99\xee\x2b\x4a\xb5\x14\x6f\x85\x2e\xd9\x87\x40\x65\xfb\x37\xc2\x85\x81\x1c\x77\x78\x9d\xf8\xa1\x79\x8c\x26\x70\x41\x97\x47\x67\x93\x38\xa3\x29\x93\x49\xae\x3e\xc4\x9e\xed\xcb\x39\x25\x6d\x55\x1a\x4f\xfb\xa9\x59\x51\x67\xc1\x77\x9a\x72\x47\xb9\x4a\xeb\xc5\x79\x2e\x53\xfb\xc9\x4c\x06\x6c\x16\xfe\x77\x02\x04\x92\xe0\xa3\x08\xd5\xba\x5f\xde\xc9\x52\xc4\x09\x5b\x75\x63\x34\x7b\xe3\xf2\xab\x70\x87\x33\x75\xe6\x11\x6c\x39\x40\x03\xcc\x0c\x5c\xdb\xdc\xb0\x04\xf9\x6c\x6c\x4f\xf2\x35", 240); *(uint8_t*)0x2000074c = 9; *(uint8_t*)0x2000074d = 4; *(uint8_t*)0x2000074e = 3; *(uint8_t*)0x2000074f = 6; *(uint8_t*)0x20000750 = 5; *(uint8_t*)0x20000751 = 0; *(uint8_t*)0x20000752 = 0; *(uint8_t*)0x20000753 = 0; *(uint8_t*)0x20000754 = 0xc8; *(uint8_t*)0x20000755 = 7; *(uint8_t*)0x20000756 = 0x24; *(uint8_t*)0x20000757 = 1; *(uint8_t*)0x20000758 = 0; *(uint8_t*)0x20000759 = 3; *(uint16_t*)0x2000075a = 4; *(uint8_t*)0x2000075c = 0xf; *(uint8_t*)0x2000075d = 0x24; *(uint8_t*)0x2000075e = 2; *(uint8_t*)0x2000075f = 1; *(uint8_t*)0x20000760 = 0x81; *(uint8_t*)0x20000761 = 2; *(uint8_t*)0x20000762 = 1; *(uint8_t*)0x20000763 = 1; memcpy((void*)0x20000764, "\xb3\xd2\xfe\xb3\x92\x00\x56", 7); *(uint8_t*)0x2000076b = 9; *(uint8_t*)0x2000076c = 5; *(uint8_t*)0x2000076d = 6; *(uint8_t*)0x2000076e = 4; *(uint16_t*)0x2000076f = 0x400; *(uint8_t*)0x20000771 = 0; *(uint8_t*)0x20000772 = 6; *(uint8_t*)0x20000773 = 3; *(uint8_t*)0x20000774 = 0x11; *(uint8_t*)0x20000775 = 4; memcpy((void*)0x20000776, 
"\x39\xa6\x64\x25\x22\x0f\xb1\xa9\x9e\x55\x6b\x2d\xfb\x18\x38", 15); *(uint8_t*)0x20000785 = 9; *(uint8_t*)0x20000786 = 5; *(uint8_t*)0x20000787 = 0xa; *(uint8_t*)0x20000788 = 4; *(uint16_t*)0x20000789 = 0x50; *(uint8_t*)0x2000078b = 0x79; *(uint8_t*)0x2000078c = 9; *(uint8_t*)0x2000078d = -1; *(uint8_t*)0x2000078e = 7; *(uint8_t*)0x2000078f = 0x25; *(uint8_t*)0x20000790 = 1; *(uint8_t*)0x20000791 = 1; *(uint8_t*)0x20000792 = 9; *(uint16_t*)0x20000793 = 7; *(uint8_t*)0x20000795 = 9; *(uint8_t*)0x20000796 = 5; *(uint8_t*)0x20000797 = 2; *(uint8_t*)0x20000798 = 0x10; *(uint16_t*)0x20000799 = 0x10; *(uint8_t*)0x2000079b = 0; *(uint8_t*)0x2000079c = 0xe5; *(uint8_t*)0x2000079d = 1; *(uint8_t*)0x2000079e = 0xc; *(uint8_t*)0x2000079f = 8; memcpy((void*)0x200007a0, "\x62\x71\xea\xd3\x9e\x76\xc5\x5f\x40\x3f", 10); *(uint8_t*)0x200007aa = 0x1d; *(uint8_t*)0x200007ab = 0x22; memcpy((void*)0x200007ac, "\x93\xf9\x20\x77\xe6\xf8\xfb\x30\x27\x85\xe1\x3e\x57\xcc\x86\xfc\x2a\x7a\x97\x62\x1a\x1c\xd7\x84\x98\xcc\x60", 27); *(uint8_t*)0x200007c7 = 9; *(uint8_t*)0x200007c8 = 5; *(uint8_t*)0x200007c9 = 0xa; *(uint8_t*)0x200007ca = 0; *(uint16_t*)0x200007cb = 0x10; *(uint8_t*)0x200007cd = 0xfb; *(uint8_t*)0x200007ce = 0x70; *(uint8_t*)0x200007cf = 9; *(uint8_t*)0x200007d0 = 0xa5; *(uint8_t*)0x200007d1 = 0xa; memcpy((void*)0x200007d2, "\xaa\x01\x6e\xff\xd7\x95\xb2\x1f\xec\xe5\x5d\x47\x62\x18\x11\xef\x08\xe6\xea\xf7\xa4\xf3\xfb\xf7\x0f\x91\x91\xee\xc8\x75\xbd\x45\xba\x57\x2c\xf2\xef\x7f\x10\xf3\xa5\x05\xff\x71\xef\x3e\xf1\xa4\x2a\x73\x49\xf1\x98\xcc\x1e\x75\x24\xa3\x0e\x94\x8c\x63\x34\xe7\x06\x02\x3f\xca\xec\xc3\xcf\x51\xd8\xcc\x35\x4d\xff\xde\xc9\xe3\x30\x58\x45\x61\x86\xdf\xe0\x45\x3f\x8f\xb8\xce\x87\x70\xff\xf3\xa3\x5e\x7b\xc7\xbe\x19\x82\xbc\x0f\xdb\x24\x8b\x77\x6f\x99\x5d\x49\x26\x94\x17\x2d\x25\xaf\xfd\x86\x07\xf0\x00\xdb\xea\x29\xd9\xb5\x7d\xe7\xbc\x89\xd3\x28\xa6\x3c\x5e\x9f\x34\x30\xaa\x09\x4d\x1f\x14\xe2\xea\x84\x44\x62\x60\x09\x73\x23\xf8\x48\x36\x41\xd5\x30\x8b\x57", 163); 
*(uint8_t*)0x20000875 = 9; *(uint8_t*)0x20000876 = 5; *(uint8_t*)0x20000877 = 0x8c; *(uint8_t*)0x20000878 = 8; *(uint16_t*)0x20000879 = 0x40; *(uint8_t*)0x2000087b = 4; *(uint8_t*)0x2000087c = 5; *(uint8_t*)0x2000087d = 3; *(uint32_t*)0x20000d40 = 0xa; *(uint64_t*)0x20000d44 = 0x20000880; *(uint8_t*)0x20000880 = 0xa; *(uint8_t*)0x20000881 = 6; *(uint16_t*)0x20000882 = 0x250; *(uint8_t*)0x20000884 = 1; *(uint8_t*)0x20000885 = 8; *(uint8_t*)0x20000886 = 0xcf; *(uint8_t*)0x20000887 = 0x20; *(uint8_t*)0x20000888 = 6; *(uint8_t*)0x20000889 = 0; *(uint32_t*)0x20000d4c = 0xa7; *(uint64_t*)0x20000d50 = 0x200008c0; *(uint8_t*)0x200008c0 = 5; *(uint8_t*)0x200008c1 = 0xf; *(uint16_t*)0x200008c2 = 0xa7; *(uint8_t*)0x200008c4 = 6; *(uint8_t*)0x200008c5 = 0x18; *(uint8_t*)0x200008c6 = 0x10; *(uint8_t*)0x200008c7 = 0xa; *(uint8_t*)0x200008c8 = 8; STORE_BY_BITMASK(uint32_t, , 0x200008c9, 3, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x200008c9, 9, 5, 27); *(uint16_t*)0x200008cd = 0xf; *(uint16_t*)0x200008cf = 0; *(uint32_t*)0x200008d1 = 0xffc030; *(uint32_t*)0x200008d5 = 0xc030; *(uint32_t*)0x200008d9 = 0x3f30; *(uint8_t*)0x200008dd = 0x14; *(uint8_t*)0x200008de = 0x10; *(uint8_t*)0x200008df = 4; *(uint8_t*)0x200008e0 = 0xfe; memcpy((void*)0x200008e1, "\xed\xca\xa5\x25\xc2\x3e\x27\xc4\x7c\xe4\x24\x20\xc0\x44\xbb\x79", 16); *(uint8_t*)0x200008f1 = 3; *(uint8_t*)0x200008f2 = 0x10; *(uint8_t*)0x200008f3 = 0xb; *(uint8_t*)0x200008f4 = 3; *(uint8_t*)0x200008f5 = 0x10; *(uint8_t*)0x200008f6 = 0xb; *(uint8_t*)0x200008f7 = 7; *(uint8_t*)0x200008f8 = 0x10; *(uint8_t*)0x200008f9 = 2; STORE_BY_BITMASK(uint32_t, , 0x200008fa, 0x1c, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x200008fb, 6, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x200008fb, 0, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x200008fc, 8, 0, 16); *(uint8_t*)0x200008fe = 0x69; *(uint8_t*)0x200008ff = 0x10; *(uint8_t*)0x20000900 = 1; memcpy((void*)0x20000901, 
"\xf0\x91\x7a\x40\x9f\x20\x82\x3f\xe2\x1e\x12\x4d\xc6\x71\xac\x83\x13\xbe\xb3\x28\xf2\x63\xa5\x96\x75\x48\xb9\xff\xe8\xbd\x38\xca\x2b\x56\x38\xe9\x0e\x09\xb0\x0a\xd4\x00\x0d\x97\x5c\x28\xf2\x80\x60\x24\x43\x96\x8f\xb7\x54\x43\xf4\x83\x3a\x05\xf9\x36\xed\x00\xb5\x75\xa1\x1e\x11\x81\xf1\x9f\x62\xf7\x01\x0a\x85\x59\xd4\x42\x22\x69\xba\x17\xc5\x69\xa5\xd2\xca\x58\x02\x10\xa2\x81\x19\x23\x21\x6f\xf3\x8f\x6c\x21", 102); *(uint32_t*)0x20000d58 = 9; *(uint32_t*)0x20000d5c = 0x2e; *(uint64_t*)0x20000d60 = 0x20000980; *(uint8_t*)0x20000980 = 0x2e; *(uint8_t*)0x20000981 = 3; memcpy((void*)0x20000982, "\xc0\xca\x32\x6a\xbb\x6f\x9f\x4b\xe8\xfd\xe5\xec\x0f\xda\x56\x56\x8a\x3a\xee\x01\x7d\x48\x51\xf5\xe1\x77\xf2\x7c\x67\x23\xcc\x4b\x66\x14\x8d\x06\x8a\x4f\xc2\x15\xc3\x41\x22\x42", 44); *(uint32_t*)0x20000d68 = 4; *(uint64_t*)0x20000d6c = 0x200009c0; *(uint8_t*)0x200009c0 = 4; *(uint8_t*)0x200009c1 = 3; *(uint16_t*)0x200009c2 = 0x140a; *(uint32_t*)0x20000d74 = 0x101; *(uint64_t*)0x20000d78 = 0x20000a00; *(uint8_t*)0x20000a00 = 1; *(uint8_t*)0x20000a01 = 3; memcpy((void*)0x20000a02, 
"\xb5\x44\xe4\xb1\x0f\x95\xe3\x90\x3d\xd7\xa1\xb4\xfc\xaa\xde\x5c\x41\x43\xd9\x0f\x68\xfc\xf3\xf0\xd8\x32\x82\xc3\x24\xf0\xd4\xa7\xe6\x5f\x27\x80\x3e\x19\xd9\x56\x78\xa8\x8d\xa9\xf9\x9c\x40\x3c\xb3\x26\x52\x70\xa9\x96\x4d\xcd\x75\x9f\xf7\x27\xed\x3c\xdb\x42\x7b\x2a\xc3\xc5\xf7\x1d\xde\xb5\xea\x16\xa0\x37\x7a\x0e\xd2\x2e\x54\xa2\x4a\x8a\xe1\x47\x51\x37\x62\x01\x42\x60\x56\x82\xbe\x28\x12\x97\xff\x87\xf2\x08\x1a\xda\x23\x29\x52\x0e\x8e\x87\x82\x80\x43\xb6\x5d\x66\x3c\x96\x0e\x10\x01\xcd\xd6\x65\x51\x89\x12\x30\xa3\x67\xe3\x07\xd0\x0a\xbe\x3a\x52\xcc\x07\x33\x5d\x6d\x39\xea\xc4\x4c\x43\xf1\xb7\x0c\x13\xca\xfa\x5b\x2c\x7a\xca\x4c\x95\x72\x43\x75\x59\x9a\x85\x9c\x39\xe4\xc0\xe4\xda\x7b\x2c\x90\x6e\x43\x28\x8f\x11\x74\x94\xfe\xdd\xbe\xc0\x23\x07\x16\xe3\x1e\x46\xf5\x31\x87\x5f\xc7\xef\xf8\x5e\x6f\x2f\x36\x51\x7f\xa0\x2a\x11\x6f\xce\x7a\x95\xfb\xa5\xfa\x3d\xff\x69\x7c\xe8\x71\x6f\xc8\x5a\xa4\xd0\xf6\xf2\x4b\x04\x01\xf2\xc4\xdb\x9a\xec\x9a\xf7\x75\xa0\x41\x99\x2c\x23\x4d\x23\x07\xbf\xda\x12\x24\x84\xcc\x46\x0e\x90", 255); *(uint32_t*)0x20000d80 = 4; *(uint64_t*)0x20000d84 = 0x20000b40; *(uint8_t*)0x20000b40 = 4; *(uint8_t*)0x20000b41 = 3; *(uint16_t*)0x20000b42 = 0x804; *(uint32_t*)0x20000d8c = 4; *(uint64_t*)0x20000d90 = 0x20000b80; *(uint8_t*)0x20000b80 = 4; *(uint8_t*)0x20000b81 = 3; *(uint16_t*)0x20000b82 = 0x400a; *(uint32_t*)0x20000d98 = 4; *(uint64_t*)0x20000d9c = 0x20000bc0; *(uint8_t*)0x20000bc0 = 4; *(uint8_t*)0x20000bc1 = 3; *(uint16_t*)0x20000bc2 = 0x42b; *(uint32_t*)0x20000da4 = 4; *(uint64_t*)0x20000da8 = 0x20000c00; *(uint8_t*)0x20000c00 = 4; *(uint8_t*)0x20000c01 = 3; *(uint16_t*)0x20000c02 = 0x3009; *(uint32_t*)0x20000db0 = 0xa5; *(uint64_t*)0x20000db4 = 0x20000c40; *(uint8_t*)0x20000c40 = 0xa5; *(uint8_t*)0x20000c41 = 3; memcpy((void*)0x20000c42, 
"\x84\x38\x9b\x09\x2a\x5b\x3d\x06\xbf\xd8\x95\x09\xd0\x72\xa7\x3f\x11\x1a\x14\xaa\x46\x19\x78\x5c\x4f\xe2\x44\x85\x20\xd3\x44\xb0\x30\x91\x36\xab\x09\x1e\x79\x2a\x36\xd6\xc3\xad\xdb\xe8\x39\xa5\x9d\x03\x72\xbd\xb5\x42\x65\xba\x32\xc2\xfa\x75\x17\x55\x18\xbe\xe6\x40\xf7\xa1\x5d\xd0\x11\x26\x06\xec\x27\x89\x89\xfe\xa0\x51\xf6\xa6\x9b\x97\x53\x67\x5b\x81\xfe\x2e\x64\xeb\xe3\x34\x56\x8e\x08\x6b\x24\x70\x4b\xe9\xdb\x1f\xa5\x64\x5a\x8a\xf5\x26\xed\x97\xa9\x0c\x02\x7a\x2b\x4f\x90\xed\x9c\x2a\xf5\xe9\xba\x52\x84\x31\xc9\x3f\xea\x75\x2e\x8d\x84\x89\xd4\xef\x97\x7f\x5a\x3a\xc6\xc8\xdb\xac\xfc\x14\x5f\xdb\x5f\x7b\xca\x68\x1b\x6f\x3b\xd7\x64\xd0\x6c\xbe\x0b", 163); *(uint32_t*)0x20000dbc = 4; *(uint64_t*)0x20000dc0 = 0x20000d00; *(uint8_t*)0x20000d00 = 4; *(uint8_t*)0x20000d01 = 3; *(uint16_t*)0x20000d02 = 0x44d; syz_usb_connect(5, 0x77e, 0x20000100, 0x20000d40); break; case 12: *(uint8_t*)0x20000e00 = 0x12; *(uint8_t*)0x20000e01 = 1; *(uint16_t*)0x20000e02 = 0x310; *(uint8_t*)0x20000e04 = 2; *(uint8_t*)0x20000e05 = 0; *(uint8_t*)0x20000e06 = 0; *(uint8_t*)0x20000e07 = 0x20; *(uint16_t*)0x20000e08 = 0x525; *(uint16_t*)0x20000e0a = 0xa4a1; *(uint16_t*)0x20000e0c = 0x40; *(uint8_t*)0x20000e0e = 1; *(uint8_t*)0x20000e0f = 2; *(uint8_t*)0x20000e10 = 3; *(uint8_t*)0x20000e11 = 1; *(uint8_t*)0x20000e12 = 9; *(uint8_t*)0x20000e13 = 2; *(uint16_t*)0x20000e14 = 0x7d; *(uint8_t*)0x20000e16 = 2; *(uint8_t*)0x20000e17 = 1; *(uint8_t*)0x20000e18 = 1; *(uint8_t*)0x20000e19 = 0xd0; *(uint8_t*)0x20000e1a = 0; *(uint8_t*)0x20000e1b = 9; *(uint8_t*)0x20000e1c = 4; *(uint8_t*)0x20000e1d = 0; *(uint8_t*)0x20000e1e = 0; *(uint8_t*)0x20000e1f = 1; *(uint8_t*)0x20000e20 = 2; *(uint8_t*)0x20000e21 = 0xd; *(uint8_t*)0x20000e22 = 0; *(uint8_t*)0x20000e23 = 0; *(uint8_t*)0x20000e24 = 5; *(uint8_t*)0x20000e25 = 0x24; *(uint8_t*)0x20000e26 = 6; *(uint8_t*)0x20000e27 = 0; *(uint8_t*)0x20000e28 = 1; *(uint8_t*)0x20000e29 = 5; *(uint8_t*)0x20000e2a = 0x24; *(uint8_t*)0x20000e2b = 0; *(uint16_t*)0x20000e2c = 
0x81; *(uint8_t*)0x20000e2e = 0xd; *(uint8_t*)0x20000e2f = 0x24; *(uint8_t*)0x20000e30 = 0xf; *(uint8_t*)0x20000e31 = 1; *(uint32_t*)0x20000e32 = 0x3fffc000; *(uint16_t*)0x20000e36 = 0xba60; *(uint16_t*)0x20000e38 = 1; *(uint8_t*)0x20000e3a = 1; *(uint8_t*)0x20000e3b = 6; *(uint8_t*)0x20000e3c = 0x24; *(uint8_t*)0x20000e3d = 0x1a; *(uint16_t*)0x20000e3e = 1; *(uint8_t*)0x20000e40 = 0; *(uint8_t*)0x20000e41 = 0xc; *(uint8_t*)0x20000e42 = 0x24; *(uint8_t*)0x20000e43 = 0x1b; *(uint16_t*)0x20000e44 = 0x1b7; *(uint16_t*)0x20000e46 = 0x50f; *(uint8_t*)0x20000e48 = 6; *(uint8_t*)0x20000e49 = 0x5b; *(uint16_t*)0x20000e4a = 0x81; *(uint8_t*)0x20000e4c = 9; *(uint8_t*)0x20000e4d = 0x15; *(uint8_t*)0x20000e4e = 0x24; *(uint8_t*)0x20000e4f = 0x12; *(uint16_t*)0x20000e50 = 0x5f; *(uint64_t*)0x20000e52 = 0x14f5e048ba817a3; *(uint64_t*)0x20000e5a = 0x2a397ecbffc007a6; *(uint8_t*)0x20000e62 = 9; *(uint8_t*)0x20000e63 = 5; *(uint8_t*)0x20000e64 = 0x81; *(uint8_t*)0x20000e65 = 3; *(uint16_t*)0x20000e66 = 0x10; *(uint8_t*)0x20000e68 = 1; *(uint8_t*)0x20000e69 = 6; *(uint8_t*)0x20000e6a = 2; *(uint8_t*)0x20000e6b = 9; *(uint8_t*)0x20000e6c = 4; *(uint8_t*)0x20000e6d = 1; *(uint8_t*)0x20000e6e = 0; *(uint8_t*)0x20000e6f = 0; *(uint8_t*)0x20000e70 = 2; *(uint8_t*)0x20000e71 = 0xd; *(uint8_t*)0x20000e72 = 0; *(uint8_t*)0x20000e73 = 0; *(uint8_t*)0x20000e74 = 9; *(uint8_t*)0x20000e75 = 4; *(uint8_t*)0x20000e76 = 1; *(uint8_t*)0x20000e77 = 1; *(uint8_t*)0x20000e78 = 2; *(uint8_t*)0x20000e79 = 2; *(uint8_t*)0x20000e7a = 0xd; *(uint8_t*)0x20000e7b = 0; *(uint8_t*)0x20000e7c = 0; *(uint8_t*)0x20000e7d = 9; *(uint8_t*)0x20000e7e = 5; *(uint8_t*)0x20000e7f = 0x82; *(uint8_t*)0x20000e80 = 2; *(uint16_t*)0x20000e81 = 8; *(uint8_t*)0x20000e83 = 0xcc; *(uint8_t*)0x20000e84 = 6; *(uint8_t*)0x20000e85 = 0x9b; *(uint8_t*)0x20000e86 = 9; *(uint8_t*)0x20000e87 = 5; *(uint8_t*)0x20000e88 = 3; *(uint8_t*)0x20000e89 = 2; *(uint16_t*)0x20000e8a = 0x400; *(uint8_t*)0x20000e8c = 1; *(uint8_t*)0x20000e8d = 6; 
*(uint8_t*)0x20000e8e = 1; *(uint32_t*)0x20001300 = 0xa; *(uint64_t*)0x20001304 = 0x20000ec0; *(uint8_t*)0x20000ec0 = 0xa; *(uint8_t*)0x20000ec1 = 6; *(uint16_t*)0x20000ec2 = 0x200; *(uint8_t*)0x20000ec4 = 0; *(uint8_t*)0x20000ec5 = 1; *(uint8_t*)0x20000ec6 = 0x13; *(uint8_t*)0x20000ec7 = 8; *(uint8_t*)0x20000ec8 = -1; *(uint8_t*)0x20000ec9 = 0; *(uint32_t*)0x2000130c = 0xff; *(uint64_t*)0x20001310 = 0x20000f00; *(uint8_t*)0x20000f00 = 5; *(uint8_t*)0x20000f01 = 0xf; *(uint16_t*)0x20000f02 = 0xff; *(uint8_t*)0x20000f04 = 6; *(uint8_t*)0x20000f05 = 3; *(uint8_t*)0x20000f06 = 0x10; *(uint8_t*)0x20000f07 = 0xb; *(uint8_t*)0x20000f08 = 0x14; *(uint8_t*)0x20000f09 = 0x10; *(uint8_t*)0x20000f0a = 4; *(uint8_t*)0x20000f0b = 1; memcpy((void*)0x20000f0c, "\x43\x3e\x98\x8e\xe5\xf3\x58\xef\x3f\x4e\x65\x3f\xaf\x4e\xe7\x65", 16); *(uint8_t*)0x20000f1c = 0xa; *(uint8_t*)0x20000f1d = 0x10; *(uint8_t*)0x20000f1e = 0xb; memcpy((void*)0x20000f1f, "\xd3\x74\xd6\xca\x9c\xfd\xff", 7); *(uint8_t*)0x20000f26 = 0xe; *(uint8_t*)0x20000f27 = 0x10; *(uint8_t*)0x20000f28 = 0xb; memcpy((void*)0x20000f29, "\xe4\xe1\x28\x48\xc1\xc9\xe1\xac\xe2\x70\x01", 11); *(uint8_t*)0x20000f34 = 0x1c; *(uint8_t*)0x20000f35 = 0x10; *(uint8_t*)0x20000f36 = 0xa; *(uint8_t*)0x20000f37 = 0x40; STORE_BY_BITMASK(uint32_t, , 0x20000f38, 4, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x20000f38, 4, 5, 27); *(uint16_t*)0x20000f3c = 0xf0f; *(uint16_t*)0x20000f3e = 0x8000; *(uint32_t*)0x20000f40 = 0xff0000; *(uint32_t*)0x20000f44 = 0xc0; *(uint32_t*)0x20000f48 = 0xff003f; *(uint32_t*)0x20000f4c = 0xc00f; *(uint8_t*)0x20000f50 = 0xaf; *(uint8_t*)0x20000f51 = 0x10; *(uint8_t*)0x20000f52 = 1; memcpy((void*)0x20000f53, 
"\xcb\xab\xda\x0f\x97\x9a\xfc\xbd\x15\x73\x7d\x31\x5a\xb6\x9a\xc5\x32\xbd\xa0\x26\x42\xde\xbc\xa3\x3a\x83\x18\x5a\x92\x73\x8f\x4d\x04\xce\xc6\x95\x22\x3d\x9f\x52\xb8\x03\xad\x72\x64\x4b\xd3\xdf\x57\x74\x94\x9b\x6e\xd6\x37\x7c\xdf\x5d\xa5\xb1\xd8\x20\x0d\xe1\x61\xf5\xb0\xf6\x10\xc7\x8f\x5c\x79\xa0\x0d\xb8\x64\x92\xec\xdf\x46\x42\x04\xc0\x09\xa9\x47\x4a\x05\xf0\xf6\x35\x18\x19\x70\x3f\x38\x3e\xca\x0f\x29\xa0\x1e\x52\xf7\xb0\xb1\xf9\x21\xef\x92\xc3\xe6\x30\x28\x77\x07\xe0\x61\x7f\xe8\xcf\x26\x72\xef\x1d\xee\x5e\x7c\x5f\x8a\x37\x41\x5f\x54\xb2\x41\xf0\xb9\x3a\xe6\xf3\x40\x2e\x17\xb6\xfe\xc4\x66\xb8\x38\x27\xf4\xe4\x2c\x57\xaf\x90\xea\x0b\x73\x5a\x10\xb5\xcc\x4a\x9e\xd1\x44\x61\xcb\x3c", 172); *(uint32_t*)0x20001318 = 9; *(uint32_t*)0x2000131c = 4; *(uint64_t*)0x20001320 = 0x20001000; *(uint8_t*)0x20001000 = 4; *(uint8_t*)0x20001001 = 3; *(uint16_t*)0x20001002 = 0x807; *(uint32_t*)0x20001328 = 4; *(uint64_t*)0x2000132c = 0x20001040; *(uint8_t*)0x20001040 = 4; *(uint8_t*)0x20001041 = 3; *(uint16_t*)0x20001042 = 0x44c; *(uint32_t*)0x20001334 = 0x46; *(uint64_t*)0x20001338 = 0x20001080; *(uint8_t*)0x20001080 = 0x46; *(uint8_t*)0x20001081 = 3; memcpy((void*)0x20001082, "\xd3\x41\x69\xf9\x72\x88\x6d\x91\x88\x5f\xb4\xe6\x63\xd3\xb9\x5e\xfc\xbd\xf2\xac\x7f\xb6\xa4\x8b\x8f\x5d\x44\xf4\x90\xa6\xd5\xdb\x20\x86\xfa\x93\x8c\x10\xf7\x75\x1b\x90\xc3\x99\x3b\xbf\xad\x67\x0a\x7f\x80\xd3\x58\x86\xc2\xcc\x30\x29\x1a\xb2\xce\x67\x01\x1d\x1b\x0d\x6c\xf4", 68); *(uint32_t*)0x20001340 = 4; *(uint64_t*)0x20001344 = 0x20001100; *(uint8_t*)0x20001100 = 4; *(uint8_t*)0x20001101 = 3; *(uint16_t*)0x20001102 = 0x40a; *(uint32_t*)0x2000134c = 0x36; *(uint64_t*)0x20001350 = 0x20001140; *(uint8_t*)0x20001140 = 0x36; *(uint8_t*)0x20001141 = 3; memcpy((void*)0x20001142, "\x06\x4c\xab\x2c\xae\x36\xef\x56\x23\x74\x9b\xcb\x79\x93\xb3\x10\xc0\xf7\x00\xe5\x26\xdd\xa0\x22\x3a\x1e\x4b\x6f\x16\x00\x79\xc7\xb1\xcd\xb2\xa8\xb0\x43\xea\x83\x25\xec\xc0\xee\xd6\x4d\x54\x39\x81\xa3\x96\xb7", 52); 
*(uint32_t*)0x20001358 = 5; *(uint64_t*)0x2000135c = 0x20001180; *(uint8_t*)0x20001180 = 5; *(uint8_t*)0x20001181 = 3; memcpy((void*)0x20001182, "Ka\000", 3); *(uint32_t*)0x20001364 = 4; *(uint64_t*)0x20001368 = 0x200011c0; *(uint8_t*)0x200011c0 = 4; *(uint8_t*)0x200011c1 = 3; *(uint16_t*)0x200011c2 = 0x500a; *(uint32_t*)0x20001370 = 4; *(uint64_t*)0x20001374 = 0x20001200; *(uint8_t*)0x20001200 = 4; *(uint8_t*)0x20001201 = 3; *(uint16_t*)0x20001202 = 0x4ff; *(uint32_t*)0x2000137c = 0x8f; *(uint64_t*)0x20001380 = 0x20001240; *(uint8_t*)0x20001240 = 0x8f; *(uint8_t*)0x20001241 = 3; memcpy((void*)0x20001242, "\x37\xcc\x0c\x18\xf2\xd0\x9b\xfc\x3a\xa7\x69\x89\xd3\x6d\x44\x9d\xb5\x7f\xf9\x5c\x9d\x3d\x3c\xb0\x40\x2d\x82\x35\xdc\x71\x22\x01\xee\xa4\xc3\x18\x2f\xf7\x6c\xbd\xbb\xe5\x31\x5c\x11\x68\x27\xa3\x5f\xa2\x7a\x39\x04\xc6\x63\x96\x50\x3f\x48\x37\x05\x55\xf6\x27\x91\xc6\x15\x46\xe4\x12\x1a\xa6\x88\xc1\xc7\xc5\x7d\x95\x5a\xed\xd9\xee\xc2\xb3\x07\xd4\xe5\x87\xe1\xae\xd0\x86\x79\xb2\x72\x8a\xcd\x32\x1b\xc4\xf8\x3e\xe2\x68\xd8\x14\x9d\x81\xbb\xc1\x28\xc5\x8e\x17\x8c\xd1\x7d\x2b\x81\x36\xb8\x34\xc1\xe9\xb1\xd7\xd3\xd1\x37\xae\x9b\x4c\x27\xe6\xb1\xba\x93\xdf\x07\xe8\x52", 141); res = -1; res = syz_usb_connect(1, 0x8f, 0x20000e00, 0x20001300); if (res != -1) r[3] = res; break; case 13: syz_usb_disconnect(r[3]); break; } } int main(void) { syscall(SYS_mmap, 0x20000000ul, 0x1000000ul, 3ul, 0x1012ul, -1, 0ul, 0ul); setup_fault(); for (procid = 0; procid < 4; procid++) { if (fork() == 0) { use_temporary_dir(); do_sandbox_none(); } } sleep(1000000); return 0; } compiler invocation: /syzkaller/shared/netbsd/tools/bin/x86_64--netbsd-g++ [-o /tmp/syz-executor851826285 -DGOOS_netbsd=1 -DGOARCH_amd64=1 -DHOSTGOOS_linux=1 -x c - -m64 --sysroot /syzkaller/shared/netbsd/dest/ -O2 -pthread -Wall -Werror -Wparentheses -Wframe-larger-than=16384] --- FAIL: TestGenerate/netbsd/amd64/3 (0.20s) csource_test.go:148: --- FAIL: TestGenerate/netbsd/amd64/1 (0.20s) csource_test.go:148: --- FAIL: 
TestGenerate/netbsd/amd64/16 (0.21s) csource_test.go:148: --- FAIL: TestGenerate/netbsd/amd64/10 (0.23s) csource_test.go:148: --- FAIL: TestGenerate/netbsd/amd64/15 (0.24s) csource_test.go:148: --- FAIL: TestGenerate/netbsd/amd64/7 (0.22s) csource_test.go:148: --- FAIL: TestGenerate/netbsd/amd64/9 (0.24s) csource_test.go:148: --- FAIL: TestGenerate/netbsd/amd64/14 (0.25s) csource_test.go:148: --- FAIL: TestGenerate/netbsd/amd64/11 (0.23s) csource_test.go:148: --- FAIL: TestGenerate/netbsd/amd64/6 (0.23s) csource_test.go:148: --- FAIL: TestGenerate/netbsd/amd64/8 (0.26s) csource_test.go:148: FAIL FAIL github.com/google/syzkaller/pkg/csource 2.928s ok github.com/google/syzkaller/pkg/db (cached) ok github.com/google/syzkaller/pkg/email (cached) ok github.com/google/syzkaller/pkg/email/lore (cached) ok github.com/google/syzkaller/pkg/host (cached) ok github.com/google/syzkaller/pkg/html (cached) ok github.com/google/syzkaller/pkg/ifuzz (cached) ok github.com/google/syzkaller/pkg/image (cached) ok github.com/google/syzkaller/pkg/instance (cached) ok github.com/google/syzkaller/pkg/ipc (cached) ok github.com/google/syzkaller/pkg/kconfig 0.380s ok github.com/google/syzkaller/pkg/kd (cached) ok github.com/google/syzkaller/pkg/log (cached) ok github.com/google/syzkaller/pkg/mgrconfig (cached) ok github.com/google/syzkaller/pkg/osutil (cached) ok github.com/google/syzkaller/pkg/report (cached) ok github.com/google/syzkaller/pkg/repro (cached) ok github.com/google/syzkaller/pkg/runtest (cached) ok github.com/google/syzkaller/pkg/serializer (cached) ok github.com/google/syzkaller/pkg/stats (cached) ok github.com/google/syzkaller/pkg/subsystem (cached) ok github.com/google/syzkaller/pkg/subsystem/linux (cached) ok github.com/google/syzkaller/pkg/subsystem/lists (cached) ok github.com/google/syzkaller/pkg/symbolizer (cached) ok github.com/google/syzkaller/pkg/tool (cached) ok github.com/google/syzkaller/pkg/vcs (cached) ok github.com/google/syzkaller/prog (cached) ok 
github.com/google/syzkaller/prog/test (cached) ok github.com/google/syzkaller/sys/linux (cached) ok github.com/google/syzkaller/sys/netbsd (cached) ok github.com/google/syzkaller/sys/openbsd (cached) ok github.com/google/syzkaller/syz-ci (cached) ok github.com/google/syzkaller/syz-fuzzer (cached) ok github.com/google/syzkaller/syz-hub (cached) ok github.com/google/syzkaller/syz-hub/state (cached) ok github.com/google/syzkaller/syz-manager (cached) ok github.com/google/syzkaller/syz-verifier (cached) ok github.com/google/syzkaller/tools/syz-kconf (cached) ok github.com/google/syzkaller/tools/syz-linter (cached) ok github.com/google/syzkaller/tools/syz-trace2syz/parser (cached) ok github.com/google/syzkaller/tools/syz-trace2syz/proggen (cached) ok github.com/google/syzkaller/vm (cached) ok github.com/google/syzkaller/vm/isolated (cached) ok github.com/google/syzkaller/vm/proxyapp (cached) ok github.com/google/syzkaller/vm/vmimpl (cached) FAIL