// https://syzkaller.appspot.com/bug?id=72d04c9002935958913af6cac25b42d8f22265f8
// autogenerated by syzkaller (https://github.com/google/syzkaller)
//
// Kernel crash reproducer.  main() maps a fixed scratch region, forks six
// worker processes, and each worker forever forks a short-lived child that
// runs a three-call program from a small thread pool:
//   call 0: socket(0x27, 2, 1)            -> stored in r[0]
//   call 1: bind(r[0], ...)  x65          (issued without waiting, see execute_one)
//   call 2: sendmmsg(r[0], ...) x65
// All syscall arguments are built by writing through integer-cast pointers
// into the region mapped at 0x20000000 by main(); run outside that
// mapping the writes fault.  The hex payloads are fuzzer-found bytes with
// no further meaning.  Error handling is deliberately minimal (exit(1)).

#define _GNU_SOURCE
// NOTE(review): the header names of the 20 #include directives below were
// lost when this page was extracted (the "<...>" part was read as markup),
// so this listing does not preprocess as-is.  The code below needs, at
// least, the headers declaring usleep/sleep/fork/close/write/syscall,
// clock_gettime, the pthread_* API, open() and O_* flags, opendir/readdir,
// kill/waitpid/SIGKILL/__WALL, prctl/PR_SET_PDEATHSIG, va_list, the futex
// constants, the __NR_* syscall numbers, bool and the fixed-width integer
// types.
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include

// Index of this worker process (0..5), assigned by main()'s fork loop.
static unsigned long long procid;

// Sleep for ms milliseconds (thin usleep() wrapper, no EINTR handling).
static void sleep_ms(uint64_t ms)
{
  usleep(ms * 1000);
}

// Monotonic clock in milliseconds.  Terminates the process if
// clock_gettime() fails, as a reproducer has no better option.
static uint64_t current_time_ms(void)
{
  struct timespec ts;
  if (clock_gettime(CLOCK_MONOTONIC, &ts))
    exit(1);
  return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}

// Start a thread running fn(arg) on a 128 KiB stack.  pthread_create() is
// retried up to 100 times while errno reads EAGAIN (50 us between tries);
// any other failure, or exhausting the retries, terminates the process.
// The handle is discarded, so the thread is never joined.
// NOTE(review): pthread_create() reports errors through its return value;
// whether errno also holds EAGAIN here depends on the libc -- confirm if
// the retry ever matters.  pthread_attr_destroy() is only reached on
// success (the attr object leaks on the exit(1) path; harmless here).
static void thread_start(void* (*fn)(void*), void* arg)
{
  pthread_t th;
  pthread_attr_t attr;
  pthread_attr_init(&attr);
  pthread_attr_setstacksize(&attr, 128 << 10);
  int i = 0;
  for (; i < 100; i++) {
    if (pthread_create(&th, &attr, fn, arg) == 0) {
      pthread_attr_destroy(&attr);
      return;
    }
    if (errno == EAGAIN) {
      usleep(50);
      continue;
    }
    break;
  }
  exit(1);
}

// Minimal one-shot event on a futex word: state 0 = clear, 1 = set.
typedef struct {
  int state;
} event_t;

// Put a fresh event into the clear state (plain store, no synchronisation).
static void event_init(event_t* ev)
{
  ev->state = 0;
}

// Clear the event again.  Plain store; in this file it is only called by
// the side that has just observed the event set (see thr / execute_one).
static void event_reset(event_t* ev)
{
  ev->state = 0;
}

// Set the event and wake every futex waiter (up to 1000000).  Setting an
// event that is already set is treated as a logic error and exits.
static void event_set(event_t* ev)
{
  if (ev->state)
    exit(1);
  __atomic_store_n(&ev->state, 1, __ATOMIC_RELEASE);
  syscall(SYS_futex, &ev->state, FUTEX_WAKE | FUTEX_PRIVATE_FLAG, 1000000);
}

// Block until the event is set.  FUTEX_WAIT returns immediately if the
// word is no longer 0, so the acquire load is re-checked on every wakeup.
static void event_wait(event_t* ev)
{
  while (!__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE))
    syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, 0);
}

// Non-blocking probe: non-zero if the event is currently set.
static int event_isset(event_t* ev)
{
  return __atomic_load_n(&ev->state, __ATOMIC_ACQUIRE);
}

// Wait at most timeout milliseconds for the event.  Returns 1 if it became
// set, 0 on timeout.  Each FUTEX_WAIT is given the remaining time as a
// relative timespec; the state is re-checked after every wakeup (spurious
// wakeups and EINTR included), and the deadline is re-evaluated against
// current_time_ms() rather than trusting the futex timeout alone.
static int event_timedwait(event_t* ev, uint64_t timeout)
{
  uint64_t start = current_time_ms();
  uint64_t now = start;
  for (;;) {
    // remain is >= 0 here: the deadline check at the bottom of the loop
    // guarantees now - start <= timeout on every iteration after the first.
    uint64_t remain = timeout - (now - start);
    struct timespec ts;
    ts.tv_sec = remain / 1000;
    ts.tv_nsec = (remain % 1000) * 1000 * 1000;
    syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, &ts);
    if (__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE))
      return 1;
    now = current_time_ms();
    if (now - start > timeout)
      return 0;
  }
}

// printf-style write of a short string to an existing file (O_WRONLY,
// O_CLOEXEC).  The formatted text is silently truncated to 1023 bytes.
// Returns false if open() fails or write() does not write all len bytes;
// in the latter case errno from write() is preserved across close().
static bool write_file(const char* file, const char* what, ...)
{
  char buf[1024];
  va_list args;
  va_start(args, what);
  vsnprintf(buf, sizeof(buf), what, args);
  va_end(args);
  buf[sizeof(buf) - 1] = 0;  // belt-and-braces terminator; vsnprintf already NUL-terminates
  int len = strlen(buf);
  int fd = open(file, O_WRONLY | O_CLOEXEC);
  if (fd == -1)
    return false;
  if (write(fd, buf, len) != len) {
    int err = errno;
    close(fd);
    errno = err;
    return false;
  }
  close(fd);
  return true;
}

// Presumably the descriptor number syzkaller reserves for the initial
// network namespace; nothing in this file references it.
const int kInitNetNsFd = 201;

// Create a socket via the raw syscall.  Despite the name, this variant
// does not switch network namespaces (kInitNetNsFd is unused).  The
// volatile qualifiers follow syzkaller's convention for syscall
// arguments -- presumably to keep the compiler from folding the call.
static long syz_init_net_socket(volatile long domain, volatile long type, volatile long proto)
{
  return syscall(__NR_socket, domain, type, proto);
}

// SIGKILL the test child and its whole process group, then reap it.
// After 100 x 1 ms of WNOHANG polling, every entry under
// /sys/fs/fuse/connections gets a byte written to its "abort" file --
// presumably to unstick a child blocked inside a FUSE request -- and the
// function then blocks in waitpid() until the child is reaped.
// NOTE(review): the byte written is abort[0], i.e. '/'; the write() result
// and any opendir() failure are deliberately ignored.
static void kill_and_wait(int pid, int* status)
{
  kill(-pid, SIGKILL);
  kill(pid, SIGKILL);
  for (int i = 0; i < 100; i++) {
    if (waitpid(-1, status, WNOHANG | __WALL) == pid)
      return;
    usleep(1000);
  }
  DIR* dir = opendir("/sys/fs/fuse/connections");
  if (dir) {
    for (;;) {
      struct dirent* ent = readdir(dir);
      if (!ent)
        break;
      if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
        continue;
      char abort[300];
      snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort", ent->d_name);
      int fd = open(abort, O_WRONLY);
      if (fd == -1) {
        continue;
      }
      if (write(fd, abort, 1) < 0) {
      }
      close(fd);
    }
    closedir(dir);
  } else {
  }
  // Last resort: block until the child is reaped.
  while (waitpid(-1, status, __WALL) != pid) {
  }
}

// Per-child setup: die with SIGKILL when the parent goes away, become a
// process-group leader (so kill(-pid) in kill_and_wait reaches any
// grandchildren), and make this process the OOM killer's first pick.
static void setup_test()
{
  prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
  setpgrp();
  write_file("/proc/self/oom_score_adj", "1000");
}

// One worker slot: whether its thread exists, the call index it was last
// handed, and the ready/done event pair used to pass work in and back.
struct thread_t {
  int created, call;
  event_t ready, done;
};

static struct thread_t threads[16];
static void execute_call(int call);
// Number of calls currently executing in worker threads (relaxed atomics).
static int running;

// Worker thread body: wait for "ready", run the requested call, drop the
// running count and signal "done".  Never returns.
static void* thr(void* arg)
{
  struct thread_t* th = (struct thread_t*)arg;
  for (;;) {
    event_wait(&th->ready);
    event_reset(&th->ready);
    execute_call(th->call);
    __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED);
    event_set(&th->done);
  }
  return 0;
}

// Run the three-call program once.  For each call the first worker whose
// "done" event is set is chosen (its thread is created on first use), the
// call index is handed over and "ready" is signalled.  For call 1 the
// dispatcher does not wait -- this is how syzkaller expresses an "async"
// call, so the bind (call 1) may still be in flight when the sendmmsg
// (call 2) is dispatched to another worker.  For the other calls it waits
// up to 50 ms for the worker to finish.  Afterwards it waits up to
// ~100 ms for all in-flight calls to drain.
static void execute_one(void)
{
  int i, call, thread;
  for (call = 0; call < 3; call++) {
    for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) {
      struct thread_t* th = &threads[thread];
      if (!th->created) {
        th->created = 1;
        event_init(&th->ready);
        event_init(&th->done);
        event_set(&th->done);  // a fresh worker counts as idle
        thread_start(thr, th);
      }
      if (!event_isset(&th->done))
        continue;  // busy with an earlier (async) call; try the next slot
      event_reset(&th->done);
      th->call = call;
      __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED);
      event_set(&th->ready);
      if (call == 1)
        break;  // async call: do not wait for completion
      event_timedwait(&th->done, 50);
      break;
    }
  }
  for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++)
    sleep_ms(1);
}

static void execute_one(void);  // redundant forward declaration, kept as generated

#define WAIT_FLAGS __WALL

// Parent-side driver: forever fork a child that runs setup_test() and
// execute_one() and exits.  The parent polls for the child at 1 ms
// intervals and, after 5 s without it exiting, kill_and_wait()s it.
// iter is counted but never read.
static void loop(void)
{
  int iter = 0;
  for (;; iter++) {
    int pid = fork();
    if (pid < 0)
      exit(1);
    if (pid == 0) {
      setup_test();
      execute_one();
      exit(0);
    }
    int status = 0;
    uint64_t start = current_time_ms();
    for (;;) {
      if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
        break;
      sleep_ms(1);
      if (current_time_ms() - start < 5000)
        continue;
      kill_and_wait(pid, &status);
      break;
    }
  }
}

// Resource table: r[0] receives the descriptor returned by call 0 and is
// reused by calls 1 and 2; it stays (uint64_t)-1 until call 0 succeeds.
uint64_t r[1] = {0xffffffffffffffff};

// Execute one call of the program.  Every argument structure is written
// field by field through integer-cast pointers into the region mapped at
// 0x20000000 by main().  (Declared static above; this definition inherits
// that linkage.)
void execute_call(int call)
{
  intptr_t res = 0;
  switch (call) {
  case 0:
    // socket(domain 0x27, type 2, protocol 1).  0x27 = 39 appears to be
    // AF_NFC and 2 = SOCK_DGRAM; protocol 1 looks like the NFC LLCP socket
    // protocol -- verify against the kernel's uapi headers.
    res = -1;
    res = syz_init_net_socket(0x27, 2, 1);
    if (res != -1)
      r[0] = res;
    break;
  case 1:
    // Build a 0x60-byte socket address at 0x20000300 and bind r[0] to it
    // 65 times (once, then a 64-iteration loop).  The field layout appears
    // to match sockaddr_nfc_llcp: sa_family 0x27, dev_idx 0, target_idx 0,
    // nfc_protocol 0, dsap 0, ssap 0, a 63-byte service_name and
    // service_name_len 0x16 (22) -- confirm against the uapi header.
    *(uint16_t*)0x20000300 = 0x27;
    *(uint32_t*)0x20000304 = 0;
    *(uint32_t*)0x20000308 = 0;
    *(uint32_t*)0x2000030c = 0;
    *(uint8_t*)0x20000310 = 0;
    *(uint8_t*)0x20000311 = 0;
    memcpy((void*)0x20000312,
           "\x1e\x0e\x15\x69\xe5\xab\xa3\x6a\x54\x83\xb4\xa9\xcb\x9f\x5b\x9c"
           "\xa6\x24\x55\x2c\x2b\xa7\x77\xd7\xaf\x3d\xe4\x14\xcb\xf6\x5c\xe4"
           "\xda\xa3\x6a\x9e\x17\x13\xc2\x7c\xd3\xb2\xbd\x8c\x3c\x95\x72\x2d"
           "\xf7\x18\x13\xeb\x66\xdd\x81\xf9\xc0\xd4\xcd\x6a\x0d\x7f\xec",
           63);
    *(uint64_t*)0x20000358 = 0x16;
    syscall(__NR_bind, r[0], 0x20000300ul, 0x60ul);
    {
      int i;
      for (i = 0; i < 64; i++) {
        syscall(__NR_bind, r[0], 0x20000300ul, 0x60ul);
      }
    }
    break;
  case 2:
    // Build six message records for sendmmsg() starting at 0x20004540,
    // then call sendmmsg(r[0], vec, 6, 0x40 /* MSG_DONTWAIT */) 65 times.
    // Each record is written as: name ptr (u64), namelen (u32), iov ptr
    // (u64), iovlen (u64), control ptr (u64), controllen (u64), flags
    // (u32), i.e. at a 56-byte stride (records at 0x4540, 0x4578, 0x45b0,
    // 0x45e8, 0x4620, 0x4658).
    // NOTE(review): on x86-64 the kernel's struct mmsghdr is 64 bytes, so
    // what the kernel sees for records 1-5 is shifted relative to the
    // fields written here; left exactly as the fuzzer produced it.
    //
    // Record 0: name = the 0x60-byte address at 0x20000040 (sa_family
    // 0x27, dev_idx 1, target_idx 0, nfc_protocol 1, dsap 6, ssap 6,
    // 63-byte service_name, service_name_len 0x14); 3 iovecs at
    // 0x20000240, the first covering the 4096-byte payload at 0x20000380
    // and the other two empty; flags 0x80.
    *(uint64_t*)0x20004540 = 0x20000040;
    *(uint16_t*)0x20000040 = 0x27;
    *(uint32_t*)0x20000044 = 1;
    *(uint32_t*)0x20000048 = 0;
    *(uint32_t*)0x2000004c = 1;
    *(uint8_t*)0x20000050 = 6;
    *(uint8_t*)0x20000051 = 6;
    memcpy((void*)0x20000052,
           "\x00\xf4\x03\xf6\x52\x99\x62\x08\x0c\xf0\xba\xb1\xaa\x2b\xe5\xaf"
           "\x30\x87\x6e\xed\x22\x4f\x22\x7b\x07\x4c\x27\x7a\x7e\x87\x91\xe8"
           "\xe8\xc4\xde\x06\xb2\x2d\x24\x39\x83\x52\x94\xb2\x2c\x52\x52\xde"
           "\xb3\xda\xac\xae\xfb\x3d\x97\x4b\x81\xeb\xfe\xfd\x33\x3f\xa3",
           63);
    *(uint64_t*)0x20000098 = 0x14;
    *(uint32_t*)0x20004548 = 0x60;
    *(uint64_t*)0x20004550 = 0x20000240;
    *(uint64_t*)0x20000240 = 0x20000380;
    // 4096-byte fuzzer payload (first iovec of record 0).
    memcpy(
        (void*)0x20000380,
        "\x4c\x28\xd5\xbd\xad\x60\xdd\x07\xff\xb0\xde\x11\xee\x3e\x00\x78\x33"
        "\x7d\xfb\x2b\x00\xfe\x77\xdc\x47\xa7\x28\xd0\x27\x76\x36\x40\x93\x3e"
        "\x68\x73\x51\x71\x3b\xc4\x0e\x6f\xc3\x72\xb0\xd9\x7b\x42\x4b\x1b\x8e"
        "\xad\x6e\x2c\xba\x25\xbd\xe7\x06\x32\x18\x13\x87\x09\x4d\x4e\x3e\x33"
        "\xd2\x6e\xba\xca\xa5\x09\x31\x76\x6b\x5d\x17\xfa\x3e\x92\x48\x0d\x62"
        "\x20\x3e\x39\x85\x54\xd0\x48\x3b\xe5\x9a\xd6\xd4\xea\x87\xd3\x1d\xd3"
        "\x6b\xee\xd4\x6c\xd3\xaa\x67\xb4\xa6\xbc\x4d\xba\xd1\xb5\xeb\x30\x09"
        "\x14\xfe\xff\x47\xb5\xe7\xcd\xc5\x0a\xb3\xaf\x3a\x5c\xb9\xa7\x94\x03"
        "\x30\xc4\xff\x71\x98\xcb\x5f\x8f\xab\x38\x91\x9b\x4c\x99\xf8\xa4\xef"
        "\x44\x2e\x44\xd3\xb8\xc8\x2f\x95\x7a\x36\x72\x3a\x58\x3e\xa2\xe2\x77"
        "\x70\x6a\xd4\x3b\xa3\xa8\xd9\x14\x83\x47\x9a\xae\xd5\x96\xc0\xf7\x2a"
        "\xf4\xcc\x73\x0d\x8c\x6e\xf6\xa5\x76\xbf\xfb\x9f\x2e\x6c\x34\x8a\xcf"
        "\x8c\x5f\x8c\x7c\x10\xfa\x59\x14\x81\x66\x75\x6b\x9b\xc9\xcb\xd8\x22"
        "\x6e\xf4\x67\x55\xe6\x86\xb5\xe9\x75\x86\x6b\xb6\xe4\xe1\xb2\x78\xad"
        "\x18\x4e\xcb\x6b\x5f\xee\xa6\x41\x02\x5b\xb6\x43\xa0\x13\x8d\x6f\xab"
        "\x10\xa3\xcb\x14\xa4\x85\xd6\x71\x73\x22\x88\xf6\xf8\xb5\xab\x0a\x69"
        "\xc4\x29\xa4\x27\xe2\xf6\x64\x5b\xf7\xa3\xb8\x12\x3c\xfb\xbf\x37\x15"
        "\x2a\xb9\xf3\xd3\x3d\x37\x38\xb8\x93\x17\x09\xcc\x54\x58\x30\x16\x0b"
        "\x61\x01\xf6\x1b\x72\xef\xb9\x8a\xe9\x38\x20\x10\x70\x31\x4e\x66\xff"
        "\xac\x3a\x07\xbf\xbe\xf7\xa8\xb3\xab\xd4\x4f\x70\x14\x28\xac\x97\x68"
        "\x43\x5c\xcc\x87\xc8\x2b\xa4\xd8\x6c\x68\x12\x8a\x8b\xef\x12\x1b\x7b"
        "\x12\xbd\x62\xcc\xa8\xf4\x53\x27\x01\xd2\x56\xad\x5f\x77\xbd\x28\xd4"
        "\x28\x51\x59\x06\x83\xc7\x71\x23\x58\x7c\x74\x68\x38\x8b\x76\x8d\x34"
        "\x39\x35\x06\x08\xe8\xb6\xc9\x37\x65\x7b\x97\xad\x46\xe8\xa7\x8b\x51"
        "\xa6\xee\xe5\x74\xc8\xfc\x82\x01\xbf\x1e\xb9\x7c\x7b\x3d\xb0\x2c\xfb"
        "\x09\x79\x4a\xbe\x65\xc6\x04\x48\xa8\x4b\x2d\x2d\x56\xfa\x4a\x06\x47"
        "\xaa\x45\x4c\x2e\x75\x6c\x9d\x19\x65\xd5\x8d\xbd\x7c\x3d\x9b\xe4\x60"
        "\x92\x4e\xcd\xab\xa5\x20\x92\xa7\x41\xb5\x75\x66\x2d\xbd\x30\x06\xa9"
        "\x6b\x03\xe0\x40\x51\x95\x48\xa5\x85\xce\xd9\xc9\x8d\xe0\x04\x7b\x7c"
        "\xd7\xd2\x45\xc2\x3f\xa9\xc7\x2a\x27\x56\xe2\xca\x6f\xd2\x87\x03\x8c"
        "\xee\x75\xf9\x1a\x3b\x8b\x86\xa1\xa9\x64\x5f\xaa\x44\x65\x18\x8f\x29"
        "\x00\x0f\xa1\x60\x14\x98\x88\xcd\xc3\x0d\x84\x91\x02\xe9\x6f\x5d\xb4"
        "\x94\xaa\xd8\xd4\xae\x50\xe4\x86\xaa\x1a\x1e\xc0\x5e\x64\x75\x3e\xbe"
        "\xa7\x13\xa1\xb7\xb2\x44\xea\x66\xdd\xcc\x9b\x5b\x60\x06\x85\x82\x68"
        "\xe9\x14\xdb\xa2\xca\x6e\x2c\x50\xd6\x6b\x23\x1e\x0e\xa4\x71\xf2\x28"
        "\xc8\xb8\x35\x33\x03\xf5\x0c\xd8\x3e\x21\x87\xf2\xbc\x3d\xfd\x69\x45"
        "\xc8\x21\x63\xcc\x37\xa6\x3d\x92\x17\x6c\xe0\x46\x08\x87\x1a\x13\x19"
        "\xf3\xef\x04\x0a\xf5\x78\x1b\xca\x5e\x41\x66\x94\x16\xd3\xc9\x2e\x63"
        "\x99\x36\xc0\x1d\x78\x33\xa0\xed\x66\xa4\x98\x02\x16\xa7\xb8\x31\xb3"
        "\xf2\x20\x3b\x39\x21\xfb\x3d\xd2\x84\xb3\xb9\xcb\x80\xb4\xa3\x72\x30"
        "\x5a\xd8\x65\x50\xd1\xdf\xf7\xc1\x94\x08\x2b\x1b\x9d\xb9\x77\x35\x81"
        "\xcc\x51\xb4\x2f\x59\x3c\x9a\xee\xcf\x7c\x69\x01\x98\x45\xcf\xb6\xd9"
        "\xf1\x12\xfa\xf2\xea\xc2\x26\x6e\xcf\x51\x05\x97\xd2\x7b\x3d\xe2\x99"
        "\x47\x5f\x14\xd7\x5f\x55\x5b\xee\x61\xe8\x4a\x79\x96\xf2\xbd\xa2\x9e"
        "\x74\xca\x93\x8b\x79\xe2\x30\x94\x3e\x7d\x73\xc9\x0e\xbb\x24\xd8\x33"
        "\x44\x07\x67\xc0\xf9\xb2\xe4\x20\x69\xc9\x38\x5a\x3a\xda\xa7\xc3\xa7"
        "\x35\xc8\x8a\x7c\x62\xd5\x3a\x5b\x38\x69\x5b\x89\x9e\x11\xd8\x25\x1c"
        "\x98\xf7\xb4\x18\x20\x10\x38\xb7\x39\xf8\x97\x54\x1d\x61\x75\xec\x6d"
        "\xae\xed\xbe\x59\x3b\x24\xbc\x7f\x50\x76\xf2\x41\x2e\x52\xcc\xcb\x25"
        "\x45\x5c\xfc\x17\x3e\x1d\xfb\xcf\x48\x8f\x45\x48\x73\xaf\xd1\xf0\xe2"
        "\x56\x90\x55\xdd\xfe\x81\xb2\xcd\x64\x63\xda\xcf\x2f\xb1\x70\x86\x96"
        "\xae\x9f\x29\xa8\x55\x8c\xeb\x05\x8e\xea\x2b\xf1\xb6\xe6\xe2\x25\x4b"
        "\x3b\x2d\x7c\x5b\x6f\xf0\xb8\x79\x8e\xd7\xa3\xf6\x70\xc1\x7a\xee\x51"
        "\x51\x2c\xa7\x97\x21\xfe\x44\x6f\x23\x8e\x57\x71\xf6\x17\xca\xe5\xa1"
        "\x52\x52\xc1\xaa\x55\x98\x43\x11\x1f\xb5\x0a\x97\xaf\x50\xae\x77\xef"
        "\xaa\x9b\xd4\xe7\x0d\x70\x6c\x51\xfa\x31\x4a\x21\x0f\xdc\x81\x2a\x3a"
        "\x5c\xff\xb0\xd1\xb9\xe4\x6a\x83\xb0\xa7\x23\xa7\x2d\x5a\x1c\x43\xde"
        "\x75\x20\x79\xb5\x02\xaf\xe9\xfa\x65\x8d\xa4\x3d\x29\xe9\x9e\xd5\x39"
        "\xa0\x63\x36\x52\x6f\x5e\x2b\x5f\xfa\x45\xdf\x3a\xd0\x07\x82\x45\xca"
        "\x4f\x10\x97\x79\x52\xf6\x02\xa1\xd7\x08\x74\x9b\x1f\x85\xd7\x32\x6a"
        "\x9b\xf7\xcc\x52\xaa\x32\x5f\xac\xd2\xef\xaa\x6e\xd2\x87\x06\xe2\x3d"
        "\xfa\x48\x50\x10\x0b\x26\xdf\x3a\x1a\xb3\xd0\x80\x05\x80\x26\xd5\x38"
        "\x13\xd3\xe1\xf0\x52\xef\x93\xb6\x99\xd3\x4e\xbc\x1c\xed\xde\x84\xcb"
        "\x3c\x2a\x9e\xf5\xcd\x95\x76\x66\x75\x6a\xff\x40\xc0\x21\x42\xb5\x3d"
        "\x03\xf7\x93\x44\x28\x15\xee\x49\x5f\x54\xf1\x6e\x19\x01\x97\x8e\x0a"
        "\xce\x0c\x87\x23\x6d\x20\xe8\x6a\xa1\xcf\x92\xd2\x37\xe9\xa8\xec\x2b"
        "\x6d\xdc\x32\xff\x42\x5d\x2b\xf7\x32\x7c\xf3\x04\xcf\x3e\x53\xd1\x9b"
        "\x2e\x37\x6c\xed\xb5\xda\x1d\xed\xee\xfd\x47\xdf\x86\x61\xbf\xb7\xd4"
        "\x9b\x1f\xb3\x27\x75\x8e\xb0\x17\xde\x03\x15\x62\x9d\x83\x63\x32\xa0"
        "\x95\x3b\x92\x84\x64\xbc\x59\xa5\x75\xa8\x11\xbf\x5b\x0b\xf3\x6c\xaf"
        "\x0f\x7f\xa3\x97\x15\x79\xb7\x51\xb6\x91\xa7\x33\x60\x67\x85\xe2\x7b"
        "\xe4\xb6\x73\x13\x08\x95\x62\x29\x8f\xf8\x9a\x8f\xea\x30\x40\x4d\x62"
        "\xe1\x99\x92\xc7\x3e\x99\x2a\x72\x0a\xcb\xba\x3d\x9a\x1c\x5e\x26\x38"
        "\x56\x90\xea\xd7\xf7\x68\x44\xff\xce\x2e\xbc\x08\xd7\x60\xaa\xbb\x4e"
        "\x6c\x41\x51\x9c\xf7\x07\x61\x41\x06\xb2\x76\x93\x2d\xf1\x43\xbb\x66"
        "\xc6\x8d\xe3\x1b\x2d\x0c\xc1\x83\x56\x7a\x7a\xa4\xf6\xf7\xeb\x28\x03"
        "\x49\x92\xb8\x61\x5b\xd5\x4d\xfc\x66\x49\x25\x2b\x3b\x24\x3c\x36\x3b"
        "\x79\x95\x37\x20\x8c\x74\x28\x78\x80\xea\x6a\xaa\x72\x18\x7a\x19\xc0"
        "\xfa\x3a\x42\xb1\x41\x57\x86\x65\x32\xd6\xb6\xe7\x03\x7c\x02\xb6\xe3"
        "\x20\x97\x18\x00\xde\x17\x0e\x0d\x59\x32\x0d\x9d\xb4\x8b\xb4\xcd\x2f"
        "\x20\x33\x8b\xd2\xc1\x9b\xde\xfd\x05\x83\x2c\x25\xb3\x21\x68\x58\x87"
        "\xbd\xb3\x2d\xf0\xed\xa6\x7a\x23\x44\x48\x92\x39\x07\xff\x73\x25\x4e"
        "\x01\xa7\x38\x6a\x68\x9e\xe7\xca\x08\x0b\xa2\x0f\x9c\xc7\xf2\x6b\xf1"
        "\xab\x67\xee\xa6\xe6\x4c\x2f\x3a\x4f\x64\xea\xb5\x8e\x73\x20\x18\xf2"
        "\xf9\x58\x9f\x03\x9d\x67\xcf\xdf\x69\xaa\xcf\x3a\xa7\xfa\x80\x7a\x70"
        "\xbe\x90\x0b\xdb\x13\xa9\x05\xcd\x54\x47\x98\xf3\x16\xeb\x60\xd0\x6a"
        "\x31\xc1\x4d\x08\xfa\xf0\x48\xe6\x03\x26\x17\x3e\xe2\x00\x90\x2e\x37"
        "\x07\xcf\xbb\x01\xfd\x33\x87\x19\x0f\x71\x1e\xe6\xcb\x17\xad\x9b\xbd"
        "\x53\x99\x13\x20\x9f\xe2\x90\x9a\x33\x85\xb9\x0b\x8f\xc6\xc4\xf6\x48"
        "\x37\x9b\x00\x0e\x66\x4e\xda\x3a\x17\x98\x13\x5d\x5b\x2a\x21\x54\x11"
        "\xe7\xb0\x53\x70\x51\x02\x9f\x10\x91\xb5\x2a\x65\x3d\xc8\xc5\x2a\xc9"
        "\xd6\x33\xdf\xdd\x4c\x77\x2e\xd0\x60\xd7\xa4\xb5\x01\xf6\xa8\xbd\xe1"
        "\xe7\xb4\x15\x68\x08\x7f\x7c\x7b\x56\x82\x8d\x03\xa0\x5b\x9e\xf1\x38"
        "\xeb\x62\x90\x9c\xad\x31\xb2\x52\x62\x1e\xbf\xa4\x4b\xd5\x4e\xcd\x88"
        "\x1f\x26\x99\x3c\xf6\x21\x92\x57\x6c\xb4\x1c\x81\x37\x14\x13\x7b\x09"
        "\xda\x23\x39\xef\x08\x52\xb2\x2e\x93\x30\x65\x77\x39\xac\x57\x06\x77"
        "\x61\x7f\xe0\x5e\xc1\x6c\x0a\xb0\x85\x0b\x66\x69\x1f\xfb\x71\x79\x63"
        "\xae\x9c\xed\x48\xa4\xbd\x26\x80\xa3\x6b\x1e\xcb\x4d\xda\xe1\x63\x77"
        "\x3e\x94\x5e\xd2\x3e\xb6\x5a\x03\xb7\xe7\x8f\x6d\x4c\xc7\x65\xe8\x38"
        "\x86\x22\xcd\x63\x11\xe5\x8d\xef\x5b\x91\x1a\x28\xb8\x85\x07\x64\x41"
        "\x07\xe8\xa1\xfe\x58\x8e\xd6\xe8\xe1\x01\x39\xd9\x09\xb4\x81\xa4\xe8"
        "\x91\xa6\xfb\xac\xab\xa6\x7c\x3c\xb6\xfd\x34\xc4\x61\xf3\x1d\x60\x13"
        "\xc7\x5c\xb8\x7f\x85\xed\xf5\x17\x25\x56\xf7\xb3\x6c\x19\x6c\x7e\xe4"
        "\x12\x25\xbd\xaa\xff\x45\x13\x0d\x7a\xcf\x29\xf3\x82\xea\xcb\xd5\x11"
        "\x4b\x04\xb0\xf1\x24\xb5\x45\x2e\x1e\x97\xb8\x5a\xa0\xcb\x59\x49\x5b"
        "\x05\x91\x41\x76\xb6\x78\x0e\x35\x45\x0a\x05\xc3\x6d\xdb\xce\xb8\x69"
        "\x8a\x9f\x02\x09\x01\xf9\x36\xff\x78\x17\x97\xa6\x4a\xf4\x3c\xd9\x33"
        "\x5f\x39\x5c\x6e\xd6\xe7\x07\x18\x01\xa0\x24\x07\x96\x9b\x88\x70\xfb"
        "\x7b\x12\x26\x20\x34\xc3\xbc\x17\x98\xb4\xa9\xc6\x59\x31\x45\x75\xe8"
        "\xa1\x2f\x62\x5e\xcb\x69\x3a\x89\xb2\x0d\xda\x0e\x11\x8c\x27\xeb\xc4"
        "\x90\x81\x67\xa0\xee\x6c\xb4\xc0\x48\xaf\x70\x82\x47\xc5\xf8\x2f\xa8"
        "\x15\x9b\xa6\x8f\x6a\x83\xf7\xa9\x26\x7e\x59\x68\xc0\xcb\x64\xb9\x62"
        "\x4d\xae\x7c\x46\xa8\xe7\x97\x45\xd5\xc1\x41\xa2\xe2\xb5\x32\x91\x05"
        "\xd8\xd6\x15\x6e\x32\x0f\x67\x98\x98\x1e\x85\xdf\xc6\x87\x1c\x92\xa5"
        "\xcf\xc5\xfa\x90\xa9\xf5\x9e\x5e\x7f\xb9\x9d\x73\x8d\xe4\xdf\x65\xc7"
        "\x4f\x95\x2f\x26\x96\x1e\x82\x41\x7a\x0f\x5f\x49\x48\xec\x11\xda\x26"
        "\xdc\xe6\xe5\xa7\x82\x84\xb3\x89\x09\x4a\x59\xc1\x97\xbc\xe2\x72\x91"
        "\x8e\x0b\xc9\x40\xf5\x3e\xe0\x84\x3c\x29\x22\x82\xc5\x08\x2c\x88\xc8"
        "\xb1\xae\x26\xc1\x8a\x27\xfd\x91\xdf\x17\xc1\xe8\x5f\xd3\x08\x13\x64"
        "\x31\x42\x5f\x0c\x0e\xea\xfb\xa2\x81\x9a\xe8\x1b\xec\xda\x8a\xcf\x72"
        "\x78\x1b\xe4\x1a\x9b\xf3\xf0\xed\x29\x9e\x12\x29\x19\x31\xd6\x34\x5d"
        "\x04\x0a\x5e\x95\xbd\x4f\x6b\x25\x21\xa6\xdb\x6f\xf4\x2e\x28\xd6\xb3"
        "\x5a\xd3\x86\x05\x2f\x19\x37\x18\x00\x09\x46\xcf\xad\x19\xb0\x3e\xd7"
        "\x67\xe6\x53\x6c\xe0\xf4\xcd\xd2\x30\xae\x3c\xe2\x5a\x30\xaf\xa9\x0f"
        "\xde\x0c\xac\x5a\xa6\xee\xcf\x4c\xdd\x5d\xab\xf2\xfd\xf5\x31\x54\xdc"
        "\x37\x7c\x6a\x79\xf7\xdf\xc6\x95\xb3\xd4\x61\xec\xf6\xc1\xdf\x97\x3c"
        "\xc7\x2f\x91\xf9\x55\x19\xd2\xf2\x88\x0e\xda\x39\x59\x7b\xa4\xd6\x7c"
        "\x20\x43\x6c\x07\x66\x0f\x38\xf9\x9f\xce\x3b\x3b\x50\x74\xe1\xcd\xc2"
        "\xe1\xca\x2a\xd2\xc9\x35\xea\x38\xa0\x73\xb2\x7a\x8d\x45\x45\xcf\x3e"
        "\x37\x8a\x28\x78\x8c\xf2\xb3\xb2\x6e\xe6\xeb\x0d\xfe\xec\x20\x59\x89"
        "\xc6\x62\x1c\x66\x45\xc5\x76\xd6\x73\x92\x35\xa7\x4d\xb1\x1d\xcf\x6e"
        "\x1a\x02\xc3\xc3\x57\xfb\x95\xbb\xee\xd2\x16\xd7\xaa\xc8\xcd\x6f\x9c"
        "\x92\xe7\x97\x6a\xb2\xe8\xee\xd3\x85\x7b\xc3\xbd\x6f\x34\xaa\x2a\x17"
        "\x4f\xb5\x8b\x6d\xab\x14\x09\x2d\x5f\x1d\x8d\x99\xc1\x59\x67\xff\xc6"
        "\x7f\x0c\xb2\xdd\xa8\x1a\x95\x49\x59\x45\x00\xfa\x6f\x81\xa1\x6b\x24"
        "\x49\xbe\x31\xbb\x9e\x28\x12\xb4\x28\x88\xfe\x29\x23\xd4\x7c\x88\x27"
        "\x01\x4f\x04\xc5\x1c\xd5\xcd\xf9\xa1\xab\x42\xfa\xba\xbf\x2c\x82\xe0"
        "\x03\x81\x47\x15\x92\xf1\x13\xcc\x19\x3e\x06\xee\x37\x51\xe7\xa7\x5b"
        "\xa1\x4f\xeb\xab\x5c\x27\xcc\xa4\x32\x6c\x87\x2a\xe2\xd3\xd7\x5a\x3d"
        "\x1d\x7b\xf4\xce\x3c\x09\xe7\x4f\xbd\xfc\x84\x4d\x2d\x5f\xe1\xa0\xcd"
        "\xc4\x24\x3b\xcb\xf1\x5e\x48\x70\x17\x37\xa6\x06\xf7\x8f\x36\xa7\x0a"
        "\x54\x46\xb2\xaf\x84\xfc\xa3\x33\x70\x82\x8d\xcb\x76\x95\xc4\xe9\x99"
        "\x36\xfd\x2f\x0a\x11\xed\xbf\x1c\xe6\xc5\xe7\x0e\x99\x93\xd8\x12\xac"
        "\x63\x27\x5c\x6e\xa7\x8b\x16\xcf\x94\x28\x3f\x37\xb7\x62\x9b\x02\x01"
        "\x85\x9e\xe1\xc2\x87\x73\xfc\x44\x6a\xe6\xe9\x9b\x1c\xbc\xa8\xa4\x9b"
        "\xa8\x71\x14\xdb\x85\x67\x00\xc5\x3f\x95\xd1\xb0\x9e\x7f\x54\xc0\x48"
        "\xf6\x7b\x22\x64\x16\xb5\x48\xbe\x9b\x6b\xc1\xde\xbc\xe9\x57\xac\x3a"
        "\xf2\x11\xac\xe9\x41\xb1\x64\x56\x87\x52\x8b\x78\x24\x59\x45\x13\x18"
        "\x83\x2a\x2d\x6c\x2b\xf4\x8a\xd0\x88\xb8\x0c\xc9\x95\x46\x49\x18\x5c"
        "\x26\xb6\x4d\x24\x8b\x30\xf3\xcf\xb4\x7b\xb0\x32\x68\x86\x53\xf8\xa8"
        "\xbb\x1e\x6a\x31\x97\x46\x8d\x23\x2e\x38\xaa\xc7\x4a\x04\xb1\xc7\x02"
        "\x43\xcc\x00\xac\xcb\xfd\x72\x5b\xa1\x39\x63\x25\x06\x09\xb9\x23\x0a"
        "\xac\xb5\xd8\x0e\x0f\x76\x96\x64\xb6\x83\x1d\xd4\x89\xc6\x89\x6c\x78"
        "\x1e\xe3\x05\x83\x3e\xb5\x74\xd8\xd5\x45\xc6\xcf\xa0\xe6\x78\xa9\x32"
        "\x83\x9e\xe1\xca\xc3\x1e\x0f\x2b\x78\x3a\x7f\xeb\x5b\x24\x32\xe3\x69"
        "\x28\x18\x1d\x75\x69\x24\x25\xd4\x2a\x47\xcc\xf7\xc6\x49\x43\xfc\x3c"
        "\xc1\xb4\x11\x64\x6a\x04\x87\x61\xa1\xee\x6c\x03\x0b\x02\xed\xcc\x65"
        "\x5a\xbf\x6b\xd3\x56\x5f\x6b\x98\x62\x99\x58\x40\x25\x49\x1b\xc9\x18"
        "\xb2\x6d\x15\x2f\x13\x57\xbd\x6d\x36\x97\x03\xbe\x75\x7f\xe6\x45\xf3"
        "\xa1\x31\xfa\x8d\x1d\xe4\x6d\x71\xff\x43\xd1\x4f\x16\xc4\x0f\xf5\xa8"
        "\xf0\x54\xea\xbf\x1f\x32\x65\xfa\x39\x9b\x3b\xc5\xd2\x98\x26\x22\x9b"
        "\x7b\x6e\x06\xc8\xaf\xe7\x53\xf7\x86\x1f\x2d\x0e\x77\xce\x11\x4e\x16"
        "\x61\xc8\x6d\xab\x72\xf1\xef\xa1\x39\x3f\x41\x3d\xfe\x00\x56\x5e\x13"
        "\x49\x2b\x0b\x4c\xb8\x7d\xec\xb5\xcb\x69\x20\x4e\x5a\xef\x83\x17\xdc"
        "\x4e\x6d\x63\xce\xe0\xde\x6f\x18\x16\xce\x88\x4b\x00\x20\x6f\xc2\xa5"
        "\x4e\xda\x69\xbc\x0a\x76\x3e\xf1\xbc\xd4\xd5\x39\xf9\xca\xa3\xba\x3d"
        "\x6e\x32\xf4\xde\xc3\xcc\xee\xda\xd4\x4b\x08\x19\xe1\x4c\xc8\x74\x1e"
        "\xfe\xd8\x88\xee\x7f\xe2\xd5\x1c\x24\x6e\xa9\xff\xb7\xed\xa1\x24\xd6"
        "\xf3\x9a\x89\x5d\x89\xd2\x33\x06\x98\x61\xae\x34\x23\x3e\x52\xf6\x18"
        "\x8c\x28\x10\x64\xa1\xcb\x4e\x35\x32\x3d\x44\x8d\x4e\xac\x98\x56\x52"
        "\x4c\x18\xe8\x3a\x0f\xc3\x18\x7e\xac\x19\xa6\xa4\x35\x1a\x56\xee\x82"
        "\x92\x3a\xcd\x45\xfe\x68\x4d\x49\xa8\xa6\xd0\xf4\xf8\x15\x4e\x08\x18"
        "\x11\x8f\xae\xb2\x0f\xad\xfe\x42\x21\xce\x71\x4c\x07\x8c\x49\x02\x5f"
        "\x57\x6d\x8c\x84\x11\x5d\x4d\xa3\xe9\x4a\x41\xb4\xe2\x74\x34\xc7\x25"
        "\x40\x7e\x11\x47\x9c\x9a\x82\x9f\x40\x0d\xf1\x41\xdb\xf0\x73\xb5\x81"
        "\xfc\x88\x81\xb7\x8a\xa1\x31\x9b\xd0\xe1\xe4\x9f\x14\x3a\xff\xdb\xe7"
        "\x07\x39\xc4\x02\xf7\xc6\x39\x5d\x89\x70\x43\x45\x19\x19\x4b\xd6\xa6"
        "\x97\x1f\xa2\x77\x4a\x3d\xb3\xca\x8c\x4a\x08\xc6\x44\x74\xfe\x1b\x5f"
        "\x04\x21\xe5\x54\x70\x5a\xff\x88\x35\x11\x52\xee\xa1\x26\x5d\xc4\x06"
        "\x9e\x60\xfa\x9f\x74\xf8\xb4\xa4\x18\x66\x6b\x22\xd3\xf8\xd1\x46\x9e"
        "\x4f\x4a\xb1\xcd\xb5\xc9\x7a\x8c\xd4\xbf\x72\x23\xf3\x71\x35\x4a\x47"
        "\x0d\x4f\x9f\xa9\x51\xdc\x26\xdd\x71\x10\x95\x1d\x2f\x74\xed\x08\xd1"
        "\xf3\xb6\xf0\x90\x49\x85\xab\xab\xc3\x2c\xf8\x43\x0b\xf3\xf9\xb2\xb6"
        "\xcf\x62\x2f\x0f\x41\x0a\x5b\xf9\x76\x69\x82\xc1\x82\xe1\x1a\x0d\x50"
        "\xca\x7e\x6b\x12\x15\x96\x9b\xc9\x4c\xe2\x7a\x0a\x5b\xda\x8c\x76\x81"
        "\x49\x7f\xf7\xc4\xe0\x51\xfe\xb7\xbc\x85\x36\xed\x49\x6c\x17\xc9\xed"
        "\x99\xd9\x3c\x16\x73\xba\x8b\x62\x83\x5e\xe0\xa8\xe7\x01\x1a\x03\xba"
        "\x80\x04\x96\x6e\x7f\x61\x8d\x53\x53\x62\xc9\xda\xa0\xae\xee\x5c\x17"
        "\x8e\xa8\xf4\x65\x36\x2c\x81\x87\x08\xaa\x3a\xe9\x6b\xeb\x92\xcc\x41"
        "\x14\xcb\x46\x62\xca\xd8\x2c\xed\x89\x62\xf3\x73\x37\x81\x56\xff\x8a"
        "\x44\x4f\xa9\x8a\x82\x1c\x86\xde\xc4\x73\xf1\x5b\x69\xf4\x0d\xe9\x1e"
        "\xa5\x22\x5c\xab\xfe\x56\x98\xf8\xe4\x13\xdd\x21\x61\xc8\x4b\x63\x45"
        "\xeb\x8f\x9b\x66\xf0\x63\xca\x44\x5f\x77\x3c\xa9\xa0\xd9\x85\x1e\x2d"
        "\x05\x03\xb7\x05\x10\xa2\x7d\xd9\x14\xa8\x14\x21\x79\xb2\x8a\x2d\x2f"
        "\xb7\xc1\x8e\x1c\xeb\x74\x18\x75\x08\x1b\x57\x45\x8f\xd3\x20\xeb\xe1"
        "\xea\x0b\xd1\xfa\xe3\x46\x47\xcb\x68\x28\x5c\x13\x12\x28\xe3\x90\x66"
        "\xd1\xb5\x45\xeb\x69\xf0\x8f\x4d\x25\xfb\xe1\x0e\x9f\x62\x78\xfd\xfa"
        "\x2f\x60\x47\x26\xc8\x7f\xeb\x9e\xab\x83\x5e\xac\x7f\xf8\xe2\x98\x7b"
        "\xc2\xe2\x57\x29\xcf\x8b\xc3\xaa\xab\x19\x8a\x0b\x8c\x36\xfe\x45\x6a"
        "\x33\xbc\x18\xfa\x79\x61\x59\xb5\xe9\xfa\x80\x5e\x10\xf0\x45\xe8\xee"
        "\x2f\x3a\x96\x82\xe0\x9d\xe1\x9c\xea\xbc\xa4\x1f\x59\x35\x44\x48\x80"
        "\xf8\x88\x71\xb4\x99\xb5\x8b\xf7\x82\x5f\x40\x73\x5b\x7b\x61\xf5\x8d"
        "\xba\x87\xb4\x10\x62\x7c\xd3\x6d\xaf\x4b\xd3\xff\xa6\xc0\x89\x09\x82"
        "\x9c\x55\x21\xba\xdd\x29\x60\x44\x41\xf4\x87\x9f\xce\x3b\x38\x4b\xe6"
        "\xea\xc2\xae\x8d\xc6\xe4\x61\xa5\xc6\x5a\xa1\x53\x75\x93\xfb\xf6\x6e"
        "\x0d\x63\x01\x78\xa0\x0f\x65\x7b\x99\x22\xb8\x45\xbf\x50\x6a\x90\x0e"
        "\x4e\x5c\xce\x56\xa3\x28\xc1\xbc\xf9\x1a\x61\x74\xed\xa4\xc1\x53\xe7"
        "\x86\xf3\x6b\x05\x51\xcf\x4a\x91\x0d\x32\x1c\xf5\x33\xf0\x77\xfe\x72"
        "\xf2\xea\xd1\xbc\x34\x61\xb0\xd1\xd1\xa8\x7a\x9b\x00\x0d\x66\x09\x2f"
        "\x8a\x52\xa7\xa1\x50\x51\x57\x60\x4e\x49\x70\x3a\x61\xf7\xc4\xd2\xca"
        "\xca\x3a\x61\xce\x2a\xdd\xb6\xf4\x65\x7c\xd1\xd8\x42\x18\x54\xd8\x75"
        "\x82\x1c\xa7\xa1\xdb\xc8\xe6\x5b\x05\x68\x03\x44\x1b\x4b\xed\xe5\x88"
        "\x2d\x0b\x12\xcf\x5b\xad\x35\xa8\x66\x70\xd2\x88\xa6\xbe\x04\xf0\x47"
        "\x38\xe2\x2b\xd4\x71\xd0\x45\x30\x13\xa9\x9f\xbe\xb1\xa0\xdd\x36\x08"
        "\xd5\xc2\x6a\x8c\x3b\x22\x7a\x65\xd1\x09\xde\x91\xa9\xec\x31\x9e\xba"
        "\x63\xe8\x61\x30\x61\xe4\x84\x2c\xae\xba\x41\x1f\xae\x5a\xa1\x12\x9d"
        "\xb7\xa9\xc6\x6b\x41\x53\xc1\xd4\x0e\x1f\x07\xec\x2c\xa9\xd4\xed\x9a"
        "\x5d\x1f\x65\xe2\xc5\x2f\xd3\xbb\x6b\x6f\x67\x11\x66\x11\x6b\xf1\x3f"
        "\x13\x65\x32\x77\x3c\x5a\xbf\xdf\x61\xa8\xfd\x89\xcf\x09\xef\x99\x4a"
        "\x8d\xf8\x4f\x98\x24\x5f\xeb\xe3\x26\x5c\x02\xd7\x6a\x4d\xa6\x4a\x61"
        "\x7c\x86\x8c\xfa\x6f\x40\xef\xbc\x7f\x52\xd1\x22\x9c\xf5\x8b\xc0\xd6"
        "\xc0\x0c\x1a\xbe\xfe\xd6\xfc\xae\xe8\xb0\xeb\xa5\xdf\x99\x8c\x80\x03"
        "\xc8\xd9\xbf\x51\xb4\x84\xd1\xa9\xbd\x13\x1d\x1c\xf4\xf2\x3a\x2f\xd2"
        "\x49\x13\x46\xbe\x68\x1a\xa9\xeb\x3f\xfb\x8f\x33\x84\xdb\xe5\xdc\x35"
        "\x9f\x74\x72\xd9\x67\x6f\x4a\x1b\xbd\x63\x75\xbc\xb0\xcc\x53\xc9\xd4"
        "\x07\xb7\x40\x30\x03\x44\xc5\x8f\xe1\xa4\x48\xfa\x7e\xb0\xa1\x4e\x54"
        "\xe7\x50\x18\x25\x42\x1c\x38\x20\xe8\x73\x65\xef\x7d\x64\x75\x00\xd7"
        "\xcc\x1a\x14\x8b\xb5\xb8\xe9\x47\x24\x51\xcb\x48\x30\xaa\xe6\x53\xd5"
        "\xeb\xf7\x4f\x71\x46\x97\x56\xd6\x82\xeb\x8e\xff\x8d\xaa\x75\x0a\x01"
        "\xea\xb5\xbb\x40\x7c\x85\xf2\xbf\xe2\x9d\xd7\xce\x75\x72\x2e\xfa\x22"
        "\x7d\xee\x37\x73\xa8\x93\x68\x09\x38\xf1\xf5\xbf\x7c\xb5\xbd\x2b\x82"
        "\x00\xaa\xb3\xc9\x58\xbe\xf8\x96\x55\x91\x4b\xa7\xf1\x64\xa0\x8d\x7c"
        "\x8d\x46\xf6\xeb\x67\x23\x61\x60\x36\x86\x1c\x01\x1b\x8d\xf0\xfa\xb5"
        "\x19\x48\xbd\x11\x66\x23\xdc\x52\xb3\x4e\x07\xe3\xd3\x48\x69\x95\xc1"
        "\xcb\xd6\x10\xde\x91\xc7\x65\x4b\x15\x60\xed\x68\xbd\x8b\x22\xea\x13"
        "\xac\xe6\xae\x38\x92\xa5\xbe\xfb\xd3\x6b\x45\xf0\x06\xa4\xe3\x28\x2b"
        "\xff\x5d\x22\x76\xb6\x14\x60\x49\xf2\xc3\x9a\x52\x1b\x25\x66\x3f\x5a"
        "\x8c\x4b\x03\x9d\x1e\x3e\x49\x58\x29\x4a\xa6\x79\x60\x66\x4d\x9d\xe3"
        "\x7f\x9c\x47\x6f\x9c\x88\x83\x77\x69\x47\x1d\xa0\xb8\x4a\x14\xf5\x0c"
        "\xfc\xa9\x58\x88\xb2\xef\xba\x78\x26\x78\x47\x75\x1e\x47\x89\x72\xa2"
        "\x19\x00\x19\x38\x34\x08\xc2\xc0\xae\xb8\x5a\xe4\xc9\x13\xcd\xcc",
        4096);
    *(uint64_t*)0x20000248 = 0x1000;  // iovec[0].iov_len
    *(uint64_t*)0x20000250 = 0;       // iovec[1], iovec[2]: empty
    *(uint64_t*)0x20000258 = 0;
    *(uint64_t*)0x20000260 = 0;
    *(uint64_t*)0x20000268 = 0;
    *(uint64_t*)0x20004558 = 3;       // iovlen
    *(uint64_t*)0x20004560 = 0;       // control / controllen
    *(uint64_t*)0x20004568 = 0;
    *(uint32_t*)0x20004570 = 0x80;    // flags
    // Record 1: everything zero except flags 0x40000.
    *(uint64_t*)0x20004578 = 0;
    *(uint32_t*)0x20004580 = 0;
    *(uint64_t*)0x20004588 = 0;
    *(uint64_t*)0x20004590 = 0;
    *(uint64_t*)0x20004598 = 0;
    *(uint64_t*)0x200045a0 = 0;
    *(uint32_t*)0x200045a8 = 0x40000;
    // Record 2: no name; 5 iovecs at 0x20001a00, the first pointing at
    // 0x20001640 with length 0 and the rest zero; flags 0x4000045.
    *(uint64_t*)0x200045b0 = 0;
    *(uint32_t*)0x200045b8 = 0;
    *(uint64_t*)0x200045c0 = 0x20001a00;
    *(uint64_t*)0x20001a00 = 0x20001640;
    *(uint64_t*)0x20001a08 = 0;
    *(uint64_t*)0x20001a10 = 0;
    *(uint64_t*)0x20001a18 = 0;
    *(uint64_t*)0x20001a20 = 0;
    *(uint64_t*)0x20001a28 = 0;
    *(uint64_t*)0x20001a30 = 0;
    *(uint64_t*)0x20001a38 = 0;
    *(uint64_t*)0x20001a40 = 0;
    *(uint64_t*)0x20001a48 = 0;
    *(uint64_t*)0x200045c8 = 5;
    *(uint64_t*)0x200045d0 = 0;
    *(uint64_t*)0x200045d8 = 0;
    *(uint32_t*)0x200045e0 = 0x4000045;
    // Record 3: name = a second 0x60-byte address at 0x20002ac0 (sa_family
    // 0x27, dev_idx 0, target_idx 2, nfc_protocol 2, dsap 4, ssap 0x3f,
    // 63-byte service_name, service_name_len 0xa); no iovecs; flags 0x4050.
    *(uint64_t*)0x200045e8 = 0x20002ac0;
    *(uint16_t*)0x20002ac0 = 0x27;
    *(uint32_t*)0x20002ac4 = 0;
    *(uint32_t*)0x20002ac8 = 2;
    *(uint32_t*)0x20002acc = 2;
    *(uint8_t*)0x20002ad0 = 4;
    *(uint8_t*)0x20002ad1 = 0x3f;
    memcpy((void*)0x20002ad2,
           "\xc5\x7b\xa7\xe1\x82\x61\x09\xd4\x9d\x7f\x81\x1b\x9a\xe8\x2f\x8a"
           "\xea\x44\x14\x05\xa8\xcb\x33\xaa\x79\x39\x49\xc9\x0b\x9a\xe5\x3a"
           "\xcf\x3a\xca\x77\x25\x1f\x5c\x80\x76\x43\xdd\xc4\x9d\x23\x7e\xf0"
           "\xdd\xda\x53\x67\x3f\x66\xcb\x93\xf4\x25\xac\xa0\x34\x27\x27",
           63);
    *(uint64_t*)0x20002b18 = 0xa;
    *(uint32_t*)0x200045f0 = 0x60;
    *(uint64_t*)0x200045f8 = 0;
    *(uint64_t*)0x20004600 = 0;
    *(uint64_t*)0x20004608 = 0;
    *(uint64_t*)0x20004610 = 0;
    *(uint32_t*)0x20004618 = 0x4050;
    // Record 4: all zero except flags 0x4000.
    *(uint64_t*)0x20004620 = 0;
    *(uint32_t*)0x20004628 = 0;
    *(uint64_t*)0x20004630 = 0;
    *(uint64_t*)0x20004638 = 0;
    *(uint64_t*)0x20004640 = 0;
    *(uint64_t*)0x20004648 = 0;
    *(uint32_t*)0x20004650 = 0x4000;
    // Record 5: all zero except flags 0x8000.
    *(uint64_t*)0x20004658 = 0;
    *(uint32_t*)0x20004660 = 0;
    *(uint64_t*)0x20004668 = 0;
    *(uint64_t*)0x20004670 = 0;
    *(uint64_t*)0x20004678 = 0;
    *(uint64_t*)0x20004680 = 0;
    *(uint32_t*)0x20004688 = 0x8000;
    // sendmmsg(fd, vec, vlen = 6, flags = 0x40), 65 times in total.
    syscall(__NR_sendmmsg, r[0], 0x20004540ul, 6ul, 0x40ul);
    {
      int i;
      for (i = 0; i < 64; i++) {
        syscall(__NR_sendmmsg, r[0], 0x20004540ul, 6ul, 0x40ul);
      }
    }
    break;
  }
}

// Map the scratch region every pointer above refers to, fork the worker
// processes and park the parent.  The two 4 KiB mappings around the region
// use prot 0 (PROT_NONE) as guard pages; the 16 MiB region at 0x20000000
// is prot 7 (read/write/exec).  0x32 is MAP_PRIVATE | MAP_FIXED |
// MAP_ANONYMOUS.  Each of the six children runs loop(), which never
// returns; the parent sleeps for ~11.5 days, keeping the children alive
// via PR_SET_PDEATHSIG.  mmap() results are not checked.
int main(void)
{
  syscall(__NR_mmap, 0x1ffff000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul);
  syscall(__NR_mmap, 0x20000000ul, 0x1000000ul, 7ul, 0x32ul, -1, 0ul);
  syscall(__NR_mmap, 0x21000000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul);
  for (procid = 0; procid < 6; procid++) {
    if (fork() == 0) {
      loop();
    }
  }
  sleep(1000000);
  return 0;
}