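// https://syzkaller.appspot.com/bug?id=016814f413b437ebf8d530b3775e620a892cf584
// autogenerated by syzkaller (https://github.com/google/syzkaller)
//
// Reproducer for the kernel bug reported at the URL above.  Everything before
// loop() is the stock syzkaller harness: fork a child, confine it with fresh
// namespaces, rlimits and a reduced capability set, then replay the recorded
// syscall sequence in loop().  It is meant for a disposable test VM whose
// kernel matches the report; the harness does not try to survive the bug.

#define _GNU_SOURCE

/* NOTE(review): the header names were lost when this listing was extracted
 * (each line survived only as a bare "#include").  The list below is
 * reconstructed from the identifiers the code uses; verify it against the
 * original reproducer. */
#include <endian.h>
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <signal.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/mount.h>
#include <sys/prctl.h>
#include <sys/resource.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <linux/capability.h>

#ifndef __NR_bpf
/* x86_64 syscall number; only used when the libc headers do not define it. */
#define __NR_bpf 321
#endif

/* Mask of bf_len bits starting at bit bf_off.  bf_len must be below 64: a
 * 64-bit shift of 1ull is undefined behaviour (the generated stores below
 * never come close to that). */
#define BITMASK(bf_off, bf_len) (((1ull << (bf_len)) - 1) << (bf_off))

/* Read-modify-write of one bit-field inside the integer of `type` that lives
 * at `addr`.  `htobe` is applied to the value on load and again on store so a
 * big-endian field can be patched in place; the callers in this file pass an
 * empty argument to get host byte order. */
#define STORE_BY_BITMASK(type, htobe, addr, val, bf_off, bf_len)          \
  *(type*)(addr) =                                                        \
      htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) |      \
            (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len))))

/*
 * Format `what` with the trailing arguments and write the result to `file`
 * with a single write(2).  The formatted text is truncated to 1023 bytes.
 * Returns true when the whole string was written; otherwise false with errno
 * describing the failed open() or write() (close() is not allowed to clobber
 * it).
 */
static bool write_file(const char* file, const char* what, ...)
{
  char buf[1024];
  va_list args;

  va_start(args, what);
  vsnprintf(buf, sizeof(buf), what, args);
  va_end(args);
  buf[sizeof(buf) - 1] = 0; /* vsnprintf already terminates; this is belt and braces */
  size_t len = strlen(buf);

  int fd = open(file, O_WRONLY | O_CLOEXEC);
  if (fd == -1)
    return false;

  ssize_t written = write(fd, buf, len);
  if (written < 0 || (size_t)written != len) {
    int saved_errno = errno; /* close() may overwrite errno */
    close(fd);
    errno = saved_errno;
    return false;
  }
  close(fd);
  return true;
}

/* Mount the fusectl filesystem.  Best effort: a failure (for example when
 * FUSE is not available) is deliberately ignored. */
static void setup_common(void)
{
  (void)mount(NULL, "/sys/fs/fuse/connections", "fusectl", 0, NULL);
}

/* Create /dev/binderfs, mount binderfs on it and expose it as ./binderfs.
 * Every step is best effort, e.g. the mount simply fails on a kernel built
 * without binder support. */
static void setup_binderfs(void)
{
  (void)mkdir("/dev/binderfs", 0777);
  (void)mount("binder", "/dev/binderfs", "binder", 0, NULL);
  (void)symlink("/dev/binderfs", "./binderfs");
}

/* Defined further down: replays the recorded syscall sequence. */
static void loop(void);

/*
 * Confine the forked child before it runs loop(): die together with the
 * parent, detach into its own session, cap address space / locked memory /
 * file size / stack / core / fd usage, and move into private mount, IPC,
 * cgroup, UTS and SysV-semaphore namespaces.  The sysctl writes at the end
 * raise the SysV IPC limits inside the fresh IPC namespace.
 *
 * All of this is best effort: unshare() and mount() failures are ignored so
 * the reproducer still runs when it lacks the privilege for a namespace.
 */
static void sandbox_common(void)
{
  prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
  setsid();

  /* Hard and soft limit are set to the same value for each resource. */
  static const struct {
    int resource;
    rlim_t limit;
  } limits[] = {
      {RLIMIT_AS, 200 << 20},      {RLIMIT_MEMLOCK, 32 << 20},
      {RLIMIT_FSIZE, 136 << 20},   {RLIMIT_STACK, 1 << 20},
      {RLIMIT_CORE, 128 << 20},    {RLIMIT_NOFILE, 256},
  };
  for (size_t i = 0; i < sizeof(limits) / sizeof(limits[0]); i++) {
    struct rlimit rlim = {.rlim_cur = limits[i].limit, .rlim_max = limits[i].limit};
    setrlimit(limits[i].resource, &rlim);
  }

  (void)unshare(CLONE_NEWNS);
  /* Make the whole tree private so later mounts stay inside this namespace. */
  (void)mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL);
  (void)unshare(CLONE_NEWIPC);
  /* 0x02000000 is CLONE_NEWCGROUP, kept as a literal in the generated code. */
  (void)unshare(0x02000000);
  (void)unshare(CLONE_NEWUTS);
  (void)unshare(CLONE_SYSVSEM);

  static const struct {
    const char* name;
    const char* value;
  } sysctls[] = {
      {"/proc/sys/kernel/shmmax", "16777216"},
      {"/proc/sys/kernel/shmall", "536870912"},
      {"/proc/sys/kernel/shmmni", "1024"},
      {"/proc/sys/kernel/msgmax", "8192"},
      {"/proc/sys/kernel/msgmni", "1024"},
      {"/proc/sys/kernel/msgmnb", "1024"},
      {"/proc/sys/kernel/sem", "1024 1048576 500 1024"},
  };
  for (size_t i = 0; i < sizeof(sysctls) / sizeof(sysctls[0]); i++)
    write_file(sysctls[i].name, sysctls[i].value);
}

/*
 * Reap children until the sandboxed child `pid` has exited and return its
 * exit status; any other child reaped on the way is discarded.  A negative
 * pid means fork() failed, which is fatal.  A waitpid() error other than
 * EINTR (e.g. ECHILD) is fatal too: the generated code spun forever in that
 * case, since the awaited pid could never show up.
 */
static int wait_for_loop(int pid)
{
  if (pid < 0)
    exit(1);
  int status = 0;
  for (;;) {
    int reaped = waitpid(-1, &status, __WALL);
    if (reaped == pid)
      break;
    if (reaped == -1 && errno != EINTR)
      exit(1);
  }
  return WEXITSTATUS(status);
}

/*
 * Remove CAP_SYS_PTRACE and CAP_SYS_NICE from this process's effective,
 * permitted and inheritable sets (v3 capability ABI; both capabilities sit
 * in the first 32-bit word).  Failure of capget() or capset() is fatal.
 */
static void drop_caps(void)
{
  struct __user_cap_header_struct cap_hdr = {0};
  struct __user_cap_data_struct cap_data[2] = {{0}};
  cap_hdr.version = _LINUX_CAPABILITY_VERSION_3;
  cap_hdr.pid = getpid();
  if (syscall(SYS_capget, &cap_hdr, cap_data))
    exit(1);
  const unsigned drop = (1u << CAP_SYS_PTRACE) | (1u << CAP_SYS_NICE);
  cap_data[0].effective &= ~drop;
  cap_data[0].permitted &= ~drop;
  cap_data[0].inheritable &= ~drop;
  if (syscall(SYS_capset, &cap_hdr, cap_data))
    exit(1);
}

/*
 * "none" sandbox: enter a new PID namespace (best effort), fork, and have the
 * parent wait for the child's exit status.  The child sets up the environment,
 * confines itself, enters a private network namespace, widens the ping group
 * range, mounts binderfs and runs loop().  loop() is not expected to return;
 * if it does the child exits with status 1.
 */
static int do_sandbox_none(void)
{
  (void)unshare(CLONE_NEWPID);
  int pid = fork();
  if (pid != 0)
    return wait_for_loop(pid);

  setup_common();
  sandbox_common();
  drop_caps();
  (void)unshare(CLONE_NEWNET);
  write_file("/proc/sys/net/ipv4/ping_group_range", "0 65535");
  setup_binderfs();
  loop();
  exit(1);
}

/* How long a raw-cloned child lingers before exiting (microseconds). */
#define USLEEP_FORKED_CHILD (3 * 50 * 1000)

/*
 * Finish a raw clone(2) on both sides.  In the parent (ret != 0) the child
 * pid, or -1 on failure, is returned unchanged.  In the child (ret == 0) the
 * process sleeps briefly so the parent can act on it, then exits through the
 * raw exit syscall rather than exit(3) — presumably to keep libc exit
 * handlers and stdio flushing out of the clone.  The trailing loop only
 * satisfies the compiler; the exit syscall does not return.
 */
static long handle_clone_ret(long ret)
{
  if (ret != 0)
    return ret;
  usleep(USLEEP_FORKED_CHILD);
  syscall(__NR_exit, 0);
  for (;;) {
  }
}

/*
 * Thin wrapper around the raw clone syscall used by the replayed program.
 * The child's stack pointer is the 16-byte-aligned top of [stack, stack +
 * stack_len).  CLONE_VM is always stripped from `flags`: with no separate
 * entry function the child must get its own copy of the address space.
 * Returns what handle_clone_ret() returns in the parent; does not return in
 * the child.
 */
static long syz_clone(volatile long flags, volatile long stack,
                      volatile long stack_len, volatile long ptid,
                      volatile long ctid, volatile long tls)
{
  long sp = (stack + stack_len) & ~15;
  long ret = (long)syscall(__NR_clone, flags & ~CLONE_VM,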
sp, ptid, ctid, tls); return handle_clone_ret(ret); } uint64_t r[7] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff}; void loop(void) { intptr_t res = 0; syscall(__NR_bpf, /*cmd=*/0xful, /*arg=*/0ul, /*size=*/0ul); memcpy((void*)0x20000100, "memory.events\000", 14); res = syscall(__NR_openat, /*fd=*/0xffffff9c, /*file=*/0x20000100ul, /*flags=*/0x100002ul, /*mode=*/0ul); if (res != -1) r[0] = res; memcpy((void*)0x20000140, "FREEZING\000", 9); syscall(__NR_write, /*fd=*/-1, /*buf=*/0x20000140ul, /*len=*/9ul); syscall(__NR_perf_event_open, /*attr=*/0ul, /*pid=*/0, /*cpu=*/0xful, /*group=*/r[0], /*flags=*/0xbul); *(uint32_t*)0x20018c00 = 0x18; *(uint32_t*)0x20018c04 = 3; *(uint64_t*)0x20018c08 = 0x20000300; *(uint64_t*)0x20000300 = -1; sprintf((char*)0x20000308, "0x%016llx", (long long)-1); *(uint16_t*)0x2000031a = 0; sprintf((char*)0x2000031c, "%023llo", (long long)-1); *(uint64_t*)0x20018c10 = 0x20000440; memcpy((void*)0x20000440, "syzkaller\000", 10); *(uint32_t*)0x20018c18 = 0x80000000; *(uint32_t*)0x20018c1c = 0xae; *(uint64_t*)0x20018c20 = 0x20000480; *(uint32_t*)0x20018c28 = 0; *(uint32_t*)0x20018c2c = 0; memset((void*)0x20018c30, 0, 16); *(uint32_t*)0x20018c40 = 0; *(uint32_t*)0x20018c44 = 0; *(uint32_t*)0x20018c48 = -1; *(uint32_t*)0x20018c4c = 8; *(uint64_t*)0x20018c50 = 0; *(uint32_t*)0x20018c58 = 0; *(uint32_t*)0x20018c5c = 0x10; *(uint64_t*)0x20018c60 = 0; *(uint32_t*)0x20018c68 = 0; *(uint32_t*)0x20018c6c = 0; *(uint32_t*)0x20018c70 = 0; *(uint32_t*)0x20018c74 = 0; *(uint64_t*)0x20018c78 = 0; *(uint64_t*)0x20018c80 = 0; *(uint32_t*)0x20018c88 = 0x10; *(uint32_t*)0x20018c8c = 0; syscall(__NR_bpf, /*cmd=*/5ul, /*arg=*/0x20018c00ul, /*size=*/0x80ul); *(uint64_t*)0x20001080 = 0x8408; syscall(__NR_ioctl, /*fd=*/-1, /*cmd=*/0x40082404, /*period=*/0x20001080ul); syz_clone(/*flags=*/0x42001000, /*stack=*/0, /*stack_len=*/0, /*parentid=*/0, /*childtid=*/0x20000fc0, 
/*tls=*/0); memcpy((void*)0x20000140, "memory.events\000", 14); syscall(__NR_openat, /*fd=*/0xffffff9c, /*file=*/0x20000140ul, /*flags=*/0x7a05ul, /*mode=*/0x1700ul); syscall(__NR_bpf, /*cmd=*/5ul, /*arg=*/0ul, /*size=*/0ul); *(uint64_t*)0x200000c0 = 0x20000040; memcpy((void*)0x20000040, "f2fs_fallocate\000", 15); *(uint32_t*)0x200000c8 = -1; res = syscall(__NR_bpf, /*cmd=*/0x11ul, /*arg=*/0x200000c0ul, /*size=*/0x10ul); if (res != -1) r[1] = res; *(uint32_t*)0x20000100 = r[1]; *(uint32_t*)0x20000104 = 0; res = syscall(__NR_bpf, /*cmd=*/0xbul, /*arg=*/0x20000100ul, /*size=*/8ul); if (res != -1) r[2] = res; syscall(__NR_write, /*fd=*/r[2], /*buf=*/0x20000500ul, /*len=*/0x20000148ul); syscall(__NR_bpf, /*cmd=*/5ul, /*arg=*/0ul, /*size=*/0ul); *(uint32_t*)0x20000940 = 1; *(uint32_t*)0x20000944 = 0x80; *(uint8_t*)0x20000948 = -1; *(uint8_t*)0x20000949 = 0x11; *(uint8_t*)0x2000094a = 0x80; *(uint8_t*)0x2000094b = 0xe4; *(uint32_t*)0x2000094c = 0; *(uint64_t*)0x20000950 = 0x180000; *(uint64_t*)0x20000958 = 0x1180; *(uint64_t*)0x20000960 = 4; STORE_BY_BITMASK(uint64_t, , 0x20000968, 0, 0, 1); STORE_BY_BITMASK(uint64_t, , 0x20000968, 1, 1, 1); STORE_BY_BITMASK(uint64_t, , 0x20000968, 0, 2, 1); STORE_BY_BITMASK(uint64_t, , 0x20000968, 1, 3, 1); STORE_BY_BITMASK(uint64_t, , 0x20000968, 1, 4, 1); STORE_BY_BITMASK(uint64_t, , 0x20000968, 0, 5, 1); STORE_BY_BITMASK(uint64_t, , 0x20000968, 0, 6, 1); STORE_BY_BITMASK(uint64_t, , 0x20000968, 0, 7, 1); STORE_BY_BITMASK(uint64_t, , 0x20000968, 1, 8, 1); STORE_BY_BITMASK(uint64_t, , 0x20000968, 1, 9, 1); STORE_BY_BITMASK(uint64_t, , 0x20000968, 0, 10, 1); STORE_BY_BITMASK(uint64_t, , 0x20000968, 0, 11, 1); STORE_BY_BITMASK(uint64_t, , 0x20000968, 1, 12, 1); STORE_BY_BITMASK(uint64_t, , 0x20000968, 1, 13, 1); STORE_BY_BITMASK(uint64_t, , 0x20000968, 1, 14, 1); STORE_BY_BITMASK(uint64_t, , 0x20000968, 0, 15, 2); STORE_BY_BITMASK(uint64_t, , 0x20000968, 0, 17, 1); STORE_BY_BITMASK(uint64_t, , 0x20000968, 0, 18, 1); 
STORE_BY_BITMASK(uint64_t, , 0x20000968, 0, 19, 1); STORE_BY_BITMASK(uint64_t, , 0x20000968, 0, 20, 1); STORE_BY_BITMASK(uint64_t, , 0x20000968, 0, 21, 1); STORE_BY_BITMASK(uint64_t, , 0x20000968, 0, 22, 1); STORE_BY_BITMASK(uint64_t, , 0x20000968, 0, 23, 1); STORE_BY_BITMASK(uint64_t, , 0x20000968, 0, 24, 1); STORE_BY_BITMASK(uint64_t, , 0x20000968, 1, 25, 1); STORE_BY_BITMASK(uint64_t, , 0x20000968, 0, 26, 1); STORE_BY_BITMASK(uint64_t, , 0x20000968, 0, 27, 1); STORE_BY_BITMASK(uint64_t, , 0x20000968, 1, 28, 1); STORE_BY_BITMASK(uint64_t, , 0x20000968, 0, 29, 1); STORE_BY_BITMASK(uint64_t, , 0x20000968, 1, 30, 1); STORE_BY_BITMASK(uint64_t, , 0x20000968, 1, 31, 1); STORE_BY_BITMASK(uint64_t, , 0x20000968, 1, 32, 1); STORE_BY_BITMASK(uint64_t, , 0x20000968, 0, 33, 1); STORE_BY_BITMASK(uint64_t, , 0x20000968, 1, 34, 1); STORE_BY_BITMASK(uint64_t, , 0x20000968, 0, 35, 1); STORE_BY_BITMASK(uint64_t, , 0x20000968, 1, 36, 1); STORE_BY_BITMASK(uint64_t, , 0x20000968, 1, 37, 1); STORE_BY_BITMASK(uint64_t, , 0x20000968, 0, 38, 26); *(uint32_t*)0x20000970 = 8; *(uint32_t*)0x20000974 = 4; *(uint64_t*)0x20000978 = 2; *(uint64_t*)0x20000980 = 0x3ff; *(uint64_t*)0x20000988 = 0x10; *(uint64_t*)0x20000990 = 0xe8c8; *(uint32_t*)0x20000998 = 0xd; *(uint32_t*)0x2000099c = 8; *(uint64_t*)0x200009a0 = 0x4d; *(uint32_t*)0x200009a8 = 9; *(uint16_t*)0x200009ac = 0x80; *(uint16_t*)0x200009ae = 0; *(uint32_t*)0x200009b0 = 0x7f; *(uint32_t*)0x200009b4 = 0; *(uint64_t*)0x200009b8 = 0x101; syscall(__NR_perf_event_open, /*attr=*/0x20000940ul, /*pid=*/0, /*cpu=*/3ul, /*group=*/-1, /*flags=*/0xaul); memcpy((void*)0x200004c0, "\002;\345\b\000\000\234\000\000\000\000\000\000", 13); syscall(__NR_ioctl, /*fd=*/-1, /*cmd=*/0x5452, /*filter=*/0x200004c0ul); *(uint32_t*)0x200001c0 = 0; *(uint32_t*)0x200001c4 = 0x80; *(uint8_t*)0x200001c8 = 0x6f; *(uint8_t*)0x200001c9 = 0x9e; *(uint8_t*)0x200001ca = 0xf0; *(uint8_t*)0x200001cb = 0; *(uint32_t*)0x200001cc = 0; *(uint64_t*)0x200001d0 = 0; 
*(uint64_t*)0x200001d8 = 0x2002; *(uint64_t*)0x200001e0 = 0; STORE_BY_BITMASK(uint64_t, , 0x200001e8, 0, 0, 1); STORE_BY_BITMASK(uint64_t, , 0x200001e8, 0, 1, 1); STORE_BY_BITMASK(uint64_t, , 0x200001e8, 1, 2, 1); STORE_BY_BITMASK(uint64_t, , 0x200001e8, 1, 3, 1); STORE_BY_BITMASK(uint64_t, , 0x200001e8, 1, 4, 1); STORE_BY_BITMASK(uint64_t, , 0x200001e8, 0, 5, 1); STORE_BY_BITMASK(uint64_t, , 0x200001e8, 0, 6, 1); STORE_BY_BITMASK(uint64_t, , 0x200001e8, 1, 7, 1); STORE_BY_BITMASK(uint64_t, , 0x200001e8, 0, 8, 1); STORE_BY_BITMASK(uint64_t, , 0x200001e8, 0, 9, 1); STORE_BY_BITMASK(uint64_t, , 0x200001e8, 0, 10, 1); STORE_BY_BITMASK(uint64_t, , 0x200001e8, 0, 11, 1); STORE_BY_BITMASK(uint64_t, , 0x200001e8, 1, 12, 1); STORE_BY_BITMASK(uint64_t, , 0x200001e8, 0, 13, 1); STORE_BY_BITMASK(uint64_t, , 0x200001e8, 1, 14, 1); STORE_BY_BITMASK(uint64_t, , 0x200001e8, 2, 15, 2); STORE_BY_BITMASK(uint64_t, , 0x200001e8, 0, 17, 1); STORE_BY_BITMASK(uint64_t, , 0x200001e8, 0, 18, 1); STORE_BY_BITMASK(uint64_t, , 0x200001e8, 0, 19, 1); STORE_BY_BITMASK(uint64_t, , 0x200001e8, 1, 20, 1); STORE_BY_BITMASK(uint64_t, , 0x200001e8, 1, 21, 1); STORE_BY_BITMASK(uint64_t, , 0x200001e8, 1, 22, 1); STORE_BY_BITMASK(uint64_t, , 0x200001e8, 1, 23, 1); STORE_BY_BITMASK(uint64_t, , 0x200001e8, 1, 24, 1); STORE_BY_BITMASK(uint64_t, , 0x200001e8, 0, 25, 1); STORE_BY_BITMASK(uint64_t, , 0x200001e8, 0, 26, 1); STORE_BY_BITMASK(uint64_t, , 0x200001e8, 0, 27, 1); STORE_BY_BITMASK(uint64_t, , 0x200001e8, 0, 28, 1); STORE_BY_BITMASK(uint64_t, , 0x200001e8, 1, 29, 1); STORE_BY_BITMASK(uint64_t, , 0x200001e8, 0, 30, 1); STORE_BY_BITMASK(uint64_t, , 0x200001e8, 0, 31, 1); STORE_BY_BITMASK(uint64_t, , 0x200001e8, 0, 32, 1); STORE_BY_BITMASK(uint64_t, , 0x200001e8, 0, 33, 1); STORE_BY_BITMASK(uint64_t, , 0x200001e8, 0, 34, 1); STORE_BY_BITMASK(uint64_t, , 0x200001e8, 0, 35, 1); STORE_BY_BITMASK(uint64_t, , 0x200001e8, 1, 36, 1); STORE_BY_BITMASK(uint64_t, , 0x200001e8, 1, 37, 1); 
STORE_BY_BITMASK(uint64_t, , 0x200001e8, 0, 38, 26); *(uint32_t*)0x200001f0 = 0; *(uint32_t*)0x200001f4 = 1; *(uint64_t*)0x200001f8 = 0; *(uint64_t*)0x20000200 = 1; *(uint64_t*)0x20000208 = 0xb00; *(uint64_t*)0x20000210 = 0; *(uint32_t*)0x20000218 = 5; *(uint32_t*)0x2000021c = 0; *(uint64_t*)0x20000220 = 0; *(uint32_t*)0x20000228 = 0xffffffa8; *(uint16_t*)0x2000022c = 8; *(uint16_t*)0x2000022e = 0; *(uint32_t*)0x20000230 = 2; *(uint32_t*)0x20000234 = 0; *(uint64_t*)0x20000238 = 0; syscall(__NR_perf_event_open, /*attr=*/0x200001c0ul, /*pid=*/0, /*cpu=*/0xful, /*group=*/-1, /*flags=*/0ul); syscall(__NR_perf_event_open, /*attr=*/0ul, /*pid=*/0, /*cpu=*/-1, /*group=*/r[1], /*flags=*/8ul); memcpy((void*)0x20000100, "memory.events\000", 14); syscall(__NR_openat, /*fd=*/0xffffff9c, /*file=*/0x20000100ul, /*flags=*/0x100002ul, /*mode=*/0ul); memcpy((void*)0x20001000, "FREEZING\000", 9); syscall(__NR_write, /*fd=*/r[0], /*buf=*/0x20001000ul, /*len=*/9ul); syscall(__NR_bpf, /*cmd=*/0xful, /*arg=*/0ul, /*size=*/0ul); *(uint32_t*)0x20000200 = 0x18; *(uint32_t*)0x20000204 = 4; *(uint64_t*)0x20000208 = 0x200002c0; memcpy((void*)0x200002c0, "\x18\x01\x00\x00\x05\x00\x00\x00\x00\x00\x00\x00\x00\x00\xea\x04\x85" "\x00\x00\x00\x6d\x00\x00\x00\x95", 25); *(uint64_t*)0x20000210 = 0x20000100; memcpy((void*)0x20000100, "GPL\000", 4); *(uint32_t*)0x20000218 = 0; *(uint32_t*)0x2000021c = 0; *(uint64_t*)0x20000220 = 0; *(uint32_t*)0x20000228 = 0; *(uint32_t*)0x2000022c = 0; memset((void*)0x20000230, 0, 16); *(uint32_t*)0x20000240 = 0; *(uint32_t*)0x20000244 = 2; *(uint32_t*)0x20000248 = -1; *(uint32_t*)0x2000024c = 8; *(uint64_t*)0x20000250 = 0; *(uint32_t*)0x20000258 = 0; *(uint32_t*)0x2000025c = 0x10; *(uint64_t*)0x20000260 = 0; *(uint32_t*)0x20000268 = 0; *(uint32_t*)0x2000026c = 0; *(uint32_t*)0x20000270 = 0; *(uint32_t*)0x20000274 = 0; *(uint64_t*)0x20000278 = 0; *(uint64_t*)0x20000280 = 0; *(uint32_t*)0x20000288 = 0x10; *(uint32_t*)0x2000028c = 0; res = syscall(__NR_bpf, /*cmd=*/5ul, 
/*arg=*/0x20000200ul, /*size=*/0x80ul); if (res != -1) r[3] = res; *(uint64_t*)0x20000280 = 0x20000040; memcpy((void*)0x20000040, "sched_switch\000", 13); *(uint32_t*)0x20000288 = r[3]; syscall(__NR_bpf, /*cmd=*/0x11ul, /*arg=*/0x20000280ul, /*size=*/0x10ul); res = syscall(__NR_socketpair, /*domain=*/1ul, /*type=*/1ul, /*proto=*/0, /*fds=*/0x20000000ul); if (res != -1) { r[4] = *(uint32_t*)0x20000000; r[5] = *(uint32_t*)0x20000004; } *(uint64_t*)0x20001580 = 0; *(uint32_t*)0x20001588 = 0; *(uint64_t*)0x20001590 = 0x20001400; *(uint64_t*)0x20001400 = 0x20000080; memcpy((void*)0x20000080, "\x3b\xfd\xd7\x5f\xa5\x71\x78\x52\xd5\x9a\x93\x67\x44\x4a\x21\x30\xe7" "\x2c\xd4\xda\xbc\x88\x54\x53\x2c\xca\x0c\x32\xa5\xb9\xf8\x44\xa4\x61" "\x0c\x75\x25\x65\x0c\xe3\xd3\xb7\x6b\x15\x02\x6d\x93\xe6\xde\xe8\x96" "\x11\x5e\x93\x64\x06\x6a\xa3\xd1\x4e\x33\xef\x73\x2b\x46\x81\x33\x5c" "\x57\x69\x02\x15\x31\x14\xbd\xb9\xc7\x4b\x53\x8a\x71\x11\x5f\xb1\xd1" "\xa6\x3d\x1b\x04\x12\x96\x61\xb2\x9a\xab\x89\xd0\xbe\x99\x9a\x6b\x7c" "\x9b\xea\x75\x5a\xde\xdb\xf3\x05\xa7\x9f\x70\xb7\x1d\x3d\x4c\x98\x57" "\x7b\x49\xdb\x49\x63\xce\x89\xb0\xde\xf5\xe8\x40\xf4\x59\x65\x9c\xb6" "\xf8\x6d\x56\xb0\x69\xa5\xde\x11\xd6\x01\xd3\x48\xff\x88\xca\x6e\x5e" "\x2c\xfe\x40\x17\x68\x80\xb3\x3e\x9e\x8d\xbc\x32\xba\x2e\x6a\x99\xb1" "\xb5\x02\x76\xdc\x4f\x06\x16\x60\x00\xd7\x06\x9a\x3c\xc7\x6f", 185); *(uint64_t*)0x20001408 = 0xb9; *(uint64_t*)0x20001410 = 0x20000180; memcpy((void*)0x20000180, "\x89\x29\x50\xe2\x40\x5e\xe8\x62\x9d\x93\x84\xa9\x1c\x16\xd1\x70\x6a" "\x3e\x61\xf3\x05\x11\x9f\x95\xca\xc0\xf1\x92\x7f\x4c\x20\x5b\x97\x1e" "\xb4\x11\x47\xcb\x1f\x86\x88\x3d\x69\x10\xe6\x8a\xc3\x99\x65\x51\x80" "\x0b\x3e\xc6\x4b\x77\xf8\x44\x4b\x18\x34\x5a\x2c\x8b\x17\x8e\xee\xba" "\x0c\xde\x73\x19\xa5\xa4\x6b\xfe\x7f\x57\x70\xe0\x19\xef\xd9\xd5\x20" "\x69\xed\xcc\xed\x33\xa7\x58\xc4\xe6\x57\xf3\xa7\x92\xdc\x19\x3a\x19" "\x11\xb4\xe8\x2e\xa8\x00\xad\x7a\xfe\x03\xc8\x51\xa8", 115); *(uint64_t*)0x20001418 = 0x73; 
*(uint64_t*)0x20001420 = 0x20000200; memcpy((void*)0x20000200, "\xa6\x8c\xde\x0d\x56\xb1\x70\xdf\x77\x10\xb5\x4f\x17\xd9\xa3\x9c\x4f" "\x98\xf3\x54\x71\x90", 22); *(uint64_t*)0x20001428 = 0x20000216; *(uint64_t*)0x20001430 = 0x20000240; memcpy( (void*)0x20000240, "\x45\xe0\x44\x00\xf2\xb3\x83\x51\x7a\x08\xc3\x97\xdd\x0a\x76\xe6\x7e\xcf" "\xc8\xe7\x45\x73\xc2\x4d\xed\xd3\xa4\x8f\xb6\x24\x18\xc1\x41\x2f\xdc\xd1" "\x5e\x88\x8c\xb0\xf5\xd0\x2e\x77\xbf\xec\xef\xda\x6b\x06\x4c\x0b\xb2\xb6" "\x6a\x9a\x52\x2e\x63\x87\x3d\xde\x02\x33\x05\x10\x25\x5e\xec\x7d\xfa\x1a" "\xf7\x08\xcd\xab\x59\xfb\x71\xec\xa7\x86\xa3\x59\xa2\xc3\xb0\xcb\xad\x35" "\x14\x4e\xc5\xb0\x69\xc5\x3f\x90\xe4\x33\x39\x84\x5d\xc7\xfd\x14\x0c\x55" "\xb0\x14\x9a\xb3\x8e\xb2\x7c\x14\x0f\x37\x4b\xcc\x2c\x95\xb0\xb1\x21\xd1" "\xa9\x30\x2f\x3a\x01\xb8\x88\x24\x3b\x3f\xc0\xd4\x6f\x0d\xe0", 141); *(uint64_t*)0x20001438 = 0x8d; *(uint64_t*)0x20001440 = 0x20000300; memcpy( (void*)0x20000300, "\x87\xfb\x74\xcf\x4d\x67\xad\xbb\xd0\x62\x63\x7f\x51\x4c\x1f\x5e\xb1\x8d" "\x7b\x44\x2e\x64\x57\xa3\x56\xc6\xcb\x1f\x71\xa4\x3d\xfa\xe7\x73\xc8\x48" "\x9c\xce\x51\x45\xf9\x26\x15\xd4\xbd\xb1\x3e\xf5\x4d\x6a\xe9\x0e\xc7\x73" "\x31\x80\xfc\xf5\xad\xf3\xe1\x3f\xdb\x05\xb5\x7b\x74\x8b\xd1\x4e\xda\x04" "\x2a\x97\xfd\xd8\x44\x98\x30\x4a\x50\x4a\x0a\x15\x9b\x97\x2e\x82\x00\xc2" "\xd0\xf5\x36\xa3\x46\x5e\xc4\x98\xed\x12\xb9\x24\xbd\x13\x40\x57\xdf\x36" "\x12\x9d\x3e\xbe\x3d\xd3\xce\x9f\x06\x71\xe5\x27\x81\x43\xe4\xaf\xa3\xd4" "\x3f\x44\x46\x81\xde\x1b\x5f\x97\x25\xfc\xa3\x4f\xa3\x57\xfe\x21\x54\x98" "\x16\x66\xfb\x9d\xc2\x02\xfc\x17\xa0\x19\x9e\xb1\xc2\x5b\xdd\x10\x05\xe5" "\x90\xe8\x47\x83\xee\x98\x94\xc8\x88\x99\x8d\xc2\x5a\x83\xc1\x4a\xee\xe3" "\x1d\x11\x4a\xcf\xa0\xbc\xd2\x35\xd5\x71\xcd\x76\x5f\x4b\x92\x59\xba\x43" "\xe6\xfc\x30\x29\x1d\x8a\x64\x21\x46\xc4\x77\x18\x98\x03\x0b\x73\x6a\xee" "\xe6\xb2\x47\xab\xb0\x78\x4b\x15\x4e\x10\x4e\x7d\xcd\xa4\x01\xf9\xb1\x73" 
"\x6f\xea\x30\xa4\x1a\x41\x53\xfe\x6a\x9a\x52\x5b\xd0\xa3\x48\x75\x71\xf9" "\x14\xf0\x5b\x59\x0e\x24\x23\x41\xad\xe2\x89\xd8\xf5\xb8\x42\xc6\xbe\x4a" "\x93\xc2\x75\x5d\xfd\x47\x17\x4d\xef\x78\x2a\x2f\x8f\x61\xc0\x68\xb5\xa0" "\x12\xf0\x2c\x08\x01\x60\x1e\x86\x0d\xef\x78\x81\x21\xe8\x80\x8c\x01\xfe" "\xd4\xc9\x20\xa3\x69\x8d\x0d\x68\x49\x20\x91\x8c\x95\xb1\x7f\x76\xbb\xcb" "\x4f\x26\x5c\x93\x1d\x8f\x79\x56\x0f\xf8\x11\x4b\x70\xf4\xdd\x67\x91\xe2" "\xed\x70\xcf\xeb\x89\x90\x57\x91\xb8\x8b\xe2\x6e\xfe\x1c\x5c\x66\xb7\xb5" "\x0b\x3d\x2b\xe0\xdb\xc0\x66\xdf\xc3\x16\x18\xf9\x50\x7f\x6f\x34\x0b\x85" "\xa2\xf7\x6a\x6d\xca\xc9\xd6\xcc\xc2\x89\xac\xe5\xe5\xfe\xcd\x25\xaf\xe2" "\x2f\xfa\x45\x1f\x5e\x36\x5a\xb3\x3c\xc9\x85\xf2\xe9\xd7\xf7\xfb\x1b\xe4" "\x79\x47\x40\xa9\x42\x15\xd7\xdb\x14\xb0\xff\xce\xc1\x9e\x5e\x3c\x5a\xe0" "\xd8\x57\x8e\xf3\xb6\x5d\x2a\x7a\x77\xa1\x1e\x39\x0a\x6c\x3a\x6b\x39\x10" "\x61\xc8\x86\xb9\x61\xe3\xc2\xf4\x2d\x62\x04\x7b\xfe\x13\x56\xa4\x4b\x84" "\x0d\x3d\x95\x61\x05\xf4\xc0\xfa\x95\xdb\x08\xc4\x93\x3f\x00\xde\x77\xcd" "\xc0\x57\xc2\x8b\x41\xfe\xcf\xc8\x39\x8c\x44\x2b\xe1\xad\x06\x59\x54\xf6" "\xc9\xdf\xeb\x2f\xd7\x20\x7e\x85\x48\xa0\x0a\x1d\x50\xbd\xf5\x22\xd2\xab" "\xfd\xaf\xd7\x17\x23\x61\x6a\x34\x83\x0f\xbf\xa8\xfc\x81\xe0\xc2\x63\x9c" "\xc1\x2f\x36\x3a\x49\x19\xb7\xa0\x0a\xc8\x18\x9d\xad\x3e\x7e\x54\x12\x2a" "\x2e\xf4\x30\xf6\x23\x65\x8d\x5e\x28\x1c\x9a\x19\x44\x29\x95\xbb\x9b\x0e" "\x3f\x7d\x13\xe3\x01\x6b\x6f\x95\x23\xbe\x19\x6b\xf2\x3b\xbc\xc5\xec\x80" "\x2f\x43\xef\x8b\x65\x1d\x68\x8d\x9d\x5a\x44\xf3\x5c\x98\x47\xe4\xc3\x2b" "\xce\x3e\x9e\xbe\xd2\x32\x6a\xda\xdc\x76\xf0\x6a\x19\x5d\xb3\x2c\x80\xb3" "\x09\x0d\x7c\xd6\x5c\x9d\x85\x18\xba\x4e\x52\x8c\x5e\xb5\xc7\xa1\xc5\x69" "\x5b\x21\x59\x5f\xa8\xa8\x62\x17\x34\xbf\xda\x8a\xfd\xdd\x65\xe1\xf3\x7a" "\x19\x90\x22\x0a\x00\xfa\x9b\xd2\xc2\x2b\x01\x17\xce\xb0\x8a\xe6\xaf\x3c" "\x94\x4c\x2e\xca\x92\x4a\xbf\xdd\xad\x06\x5d\x14\x72\xd0\xc3\xf7\x42\xa4" 
"\x9b\x1e\x78\xc6\x69\x47\x18\x73\x70\x6a\xd1\x57\xd8\x31\xd7\x48\x2b\x77" "\x3f\x07\xb0\x67\x3a\x6c\xe1\xe2\x27\xa7\xa4\xd1\x37\x44\xbf\x45\x94\x34" "\xc0\xab\x1c\x32\x3a\x38\xb1\xa8\x4c\xbf\x1c\xe9\x74\x1f\x2b\x8f\xdc\xc2" "\xe0\x73\xe5\x61\x71\x60\x3d\x03\x5a\xac\xd8\x3e\x71\xd5\x13\x28\x31\xf4" "\xf1\xe8\xbf\x51\x79\x79\xf1\x32\xa3\x3f\xd0\x37\x83\x27\x2e\x9b\x8c\x96" "\xdf\xa4\xe1\xd3\x20\xa5\x8d\x82\xac\xfc\x8d\x3d\x53\xa5\xa5\x2d\xaa\xfe" "\x4d\xc8\xbe\x08\xf4\xad\x53\xe1\x1c\xc2\x13\x74\xb6\xff\x4f\xf5\xea\x2e" "\xcc\x5d\x3f\x7c\x05\x7f\x74\xf0\x09\x8e\x57\xd9\x90\x09\x04\x75\xcd\xaf" "\xfd\xef\x0d\xa9\x17\x65\x3e\xd1\x0f\xb7\x0b\x94\xb7\x2e\x5b\x4d\x95\xcb" "\xea\x0f\xc1\xdd\x25\x79\x63\x5a\xd6\xab\x54\x5b\xa4\xd7\xb6\xd2\xf5\x44" "\x2b\xdb\x78\xbe\xb6\xc8\xed\x62\x94\x2a\x43\x91\x17\x02\x5b\x45\x66\xb4" "\x8d\x9f\x3a\x17\xfd\xf4\x57\x7e\x86\x06\xa4\xbc\x4c\x26\x55\x7e\x58\x31" "\x2f\xd2\xd1\xa5\x41\xeb\xec\x3e\x5a\xe2\x8e\xef\x8b\x2a\xb0\x59\x70\x83" "\x71\x6d\xd1\x28\x89\x33\x55\x70\xee\x78\x39\x53\x0e\xee\x87\x9d\x9b\x13" "\x76\x06\xcd\x4d\xd7\x10\x39\x91\x67\x1b\x44\x64\xbb\x68\x52\x9e\xb1\x9f" "\xb7\xa8\x84\x5e\x34\x91\xbf\xba\xc6\x88\xa8\x7c\xf0\x74\x4f\x42\x9e\xa1" "\x12\x01\x44\x02\x91\x5c\x4c\x1f\x6b\xae\x08\xd6\x89\xd3\xcb\x7d\x64\x1d" "\x7b\xef\xe8\xfc\x74\xa2\x24\x23\x10\xa9\xa3\x67\xa3\x95\x31\xb4\xc8\x6d" "\xa5\xb3\x9d\xf5\x24\xe5\x2f\x33\xff\x9c\x40\xb4\x8c\xb1\x96\xff\xc9\xca" "\x85\x5b\x6e\x69\x8a\xde\x8a\x83\xe5\x2b\x9d\xdc\x50\x31\xff\x09\xe1\x90" "\x7e\x4f\x8b\x0d\x07\xe6\x4e\x1f\xb8\xe4\x27\xf8\x81\x9a\x7b\xe9\x07\xaa" "\x21\x6b\xf8\xe2\xa4\xc7\xcc\x87\xed\x53\xbf\x94\x90\xd4\xcc\x78\x8b\x91" "\xf3\xb9\xf7\x05\xe9\x84\xa7\xe6\x2c\x7a\x49\x5e\x84\x21\xb9\x7c\x39\xdc" "\x95\x4b\x35\x46\x8f\x17\xc6\x68\x23\x34\xf4\xe1\x63\x08\x44\x8f\x45\x7f" "\xae\xff\xff\x6d\x1f\x81\x85\x22\xfa\x44\x1d\x3a\x48\x16\x8b\xdb\x12\xff" "\xeb\xac\xe4\x36\xa3\x91\x5b\x63\x07\x6c\xb6\xa6\x55\x71\x86\x47\xf8\x7e" 
"\xaa\xf3\x13\xb5\xbb\xd4\x30\x42\x1e\xed\x3a\x22\x15\xe4\x39\x60\x0a\x56" "\xea\xc8\xc6\x52\x91\xeb\x10\x33\x26\xa8\x03\x46\x62\xbd\x33\x7a\xb5\x15" "\x77\xd9\x11\x0e\xc7\x15\x1b\xe5\xcc\x9c\x54\xb2\xa3\x08\x91\xac\xac\x5a" "\xd0\x06\xed\x53\x7d\xbe\xb8\xf1\x6e\xec\xbd\xe7\xcf\x4e\x71\x37\x3f\xaf" "\x3c\x36\xb7\x72\xf6\xd7\xea\x93\x46\x87\x5c\x8c\xf1\x04\x9d\x49\xd4\xf8" "\xeb\x01\xb9\x46\xc1\x1e\x8c\x8e\x3a\xb2\x01\x5f\x28\x21\x67\xac\xdd\xcc" "\x77\xff\xf0\x3e\x1b\xe9\x13\x42\x52\xaf\x0a\xbf\xe5\x38\xb4\xd2\x5f\xc4" "\xff\x87\x4b\x52\xb9\xfb\x09\x96\xb5\xf3\x2b\x41\x41\xdb\xd3\x05\x78\xff" "\x46\xe1\x3e\xf6\xc6\x3f\xc1\x62\x0f\x62\xcb\x11\xa3\xdc\xe4\x01\x99\x39" "\x76\xc2\x72\xa5\xf6\x2f\xde\x3f\x2a\x0e\x65\x4d\x19\xe7\xa3\x9d\xcd\xb6" "\x22\xb9\x52\x6d\x2a\x15\xcc\x18\xe6\xf8\x17\xc9\x16\xa0\x07\x75\x35\x3d" "\xd9\xc8\x95\x4e\x66\xd0\x44\x5b\x59\xbb\x0f\x5e\x6e\x3b\x46\x44\x72\x32" "\xf5\x2a\x0e\x39\x8b\x05\x7d\x12\x3e\xf5\x03\xaf\xcb\xd4\x85\x44\xdb\x64" "\x34\xd2\x02\x5b\xfc\x8d\xab\x72\x26\x2a\x4f\xa5\x42\x6a\x03\x06\x1e\x7f" "\x89\x66\xe0\x08\x6f\xf8\xab\x5a\x91\xab\x59\xf1\x9b\x83\x03\x94\xee\x8b" "\xc7\x6d\x6f\xb4\x81\x6b\x8f\x4c\xde\x35\xb7\xeb\x9d\x38\x11\x22\x8d\x51" "\xc5\x48\x28\xf9\x7f\xd1\xe6\x48\x19\x6c\x81\xbc\x73\xed\x56\x24\x9a\x59" "\xf3\x18\x70\x4e\x84\x65\x6a\x6c\xed\xd2\xb8\xc1\xe1\x80\x8d\x1c\xc6\x48" "\x74\x9a\xbc\x64\x31\x31\xe4\x94\xc0\x13\x36\xd4\xa1\x4b\x86\x09\x65\x6f" "\x2c\x97\x2d\xc2\x3c\x5c\x2e\x43\xfe\x40\x11\x9f\xb8\x8b\x5e\xc2\xaa\xde" "\x35\xc0\x36\x46\xe3\x47\x35\x4c\x49\x3d\xe8\xab\x36\x72\xcc\xf9\x4a\xf0" "\xdf\x33\x3c\x66\x78\x29\x91\x29\xd7\x9b\xe0\xee\xc2\x81\xc5\xb3\x85\x8c" "\xe3\x99\x55\x66\xa3\x90\xb6\x74\x63\x5b\x35\x66\x92\xe3\xe9\xc5\x3a\x08" "\x96\x38\xba\x0d\x69\xe7\x72\xb7\xb4\x10\xa5\xae\x03\xde\x12\xe7\xde\x75" "\x5e\xe5\x59\xe1\x70\x7b\x7b\x80\x03\xaa\xbc\x8e\x2c\xe0\x3c\x01\xe3\x18" "\x3f\xf2\xd9\x32\x62\xf6\xd5\xce\xaa\xfe\xcd\xae\x66\xbc\x7c\xb3\x95\x2c" 
"\x5a\x65\x71\xd8\x64\xd5\x02\xf2\x81\xdb\x5a\x22\x86\x95\xba\xdc\xa5\xd0" "\x22\xfd\xb6\xda\x56\xab\x15\xdc\x37\x7d\x1c\x1f\x85\x81\xff\x56\xe2\x8c" "\x2b\x2a\x84\xed\xb6\x29\x54\x7d\x28\x27\x5c\x2e\xd5\x71\x10\x3b\x4c\xa7" "\xcd\xeb\x07\x76\xba\x9f\x9d\xff\xcd\x78\xd2\x1c\x3d\x4c\xaa\x92\x89\xed" "\x19\x96\x72\xf4\xe7\xb9\x12\x06\x8c\x49\xc8\x17\x11\x4c\x37\xd3\x7e\xa0" "\x39\x54\xba\xe8\x7d\x1d\xda\xe3\xda\x2a\xd8\x5f\xeb\x2f\xbb\x73\x5b\x75" "\xa5\x1f\x7b\xee\x5c\x8d\x88\xcc\x7b\xf6\x47\x00\xd1\xa4\x6e\xc6\xb6\x31" "\xae\x22\xac\x7b\x06\x73\x0a\x86\xa2\x6b\xdc\xb9\x92\xe1\xc7\xb5\x01\x42" "\xde\x96\xb1\x4a\x84\x68\xe4\x51\x40\x68\xa3\x08\x96\xfc\x67\x7f\xdd\xef" "\xae\xbb\x12\x5c\x69\x3a\x8d\x46\x04\x69\xc7\xfe\x53\x5f\x84\x47\x81\x94" "\x0f\x66\xd6\xab\xd0\x91\x19\x1c\x31\x22\xd5\x84\xf5\xb0\xf5\xb0\xd4\x43" "\x71\x3d\x7d\x51\x86\x12\x4d\x73\xde\x28\xac\xa3\x0b\x71\x9d\x4a\x55\xe0" "\x9d\x25\x9b\xdd\xbf\x16\x99\x5a\xeb\x10\x00\x88\x08\x90\xaf\xbd\x24\xd4" "\x06\x6b\x03\x98\x98\x5a\x40\x99\x9d\xe2\x2c\xe1\x76\x34\x8e\x1c\x1f\x57" "\xea\xf7\x5b\x92\xa1\xe4\xf1\x48\x2e\x89\xa0\x0a\xc2\xcc\x36\xb2\x0e\x36" "\xaf\x9e\xc3\x10\x59\x9c\x19\xa5\xb1\xd6\xf8\xfa\xdb\xa1\x04\xc5\x8c\x80" "\x1c\x66\x33\x31\x5f\x82\xeb\xfa\x88\xfa\xdd\xd0\xb6\x93\xe2\xf8\x27\xf5" "\x86\xc1\xcc\x55\x38\xe9\x3b\xcf\x10\xf8\x1a\xf6\xdd\x7e\xe7\x27\xdf\x3b" "\x50\x18\xc0\xb4\xe3\x1e\x40\xd0\x40\xa4\x75\x03\xb6\xac\xe4\xd2\x9a\x11" "\x62\xce\x48\x73\x51\x82\x52\x55\xf5\x58\x4a\xff\x7c\xbd\x42\x1f\x85\xc3" "\xd9\xfb\xb3\x78\x4a\xbd\x98\x48\xf1\x60\x28\xb6\x8f\x0d\x32\xed\x8b\xb8" "\x01\x06\xe8\xcc\x4a\xcb\x93\x9f\xf8\x8b\xd3\x99\x76\xd1\x66\xb2\xad\xde" "\xbf\x62\x8b\x3f\xcd\x05\x6d\xa2\xf6\x0e\x1b\x90\xf7\xa3\x27\x02\x95\x49" "\x21\x90\x8e\xbc\xcb\x68\x36\x22\xa1\xf5\x74\xce\xba\x69\x51\xbe\xf5\xe7" "\x51\xc3\x38\xc8\x27\x93\x18\xdc\x28\xe3\x6b\x9f\xc2\xbb\x17\xc3\xad\x08" "\xac\xeb\x00\xfc\x38\x8e\x6d\xb1\x12\xa7\x38\xf8\x6a\x4a\x1e\xb1\x15\x26" 
"\xe1\xb9\xd7\x32\x50\xb3\x26\x28\x5e\xd4\x7c\x43\x98\xd9\x3a\x39\x33\xd9" "\xa7\x84\x24\x9b\x65\xad\x7d\x78\xa1\xf8\x1d\x96\xef\x36\x49\x3e\xd6\x93" "\x04\x5a\x21\x50\xa8\xeb\x43\xce\xcc\x0c\x93\xe7\xd2\x0b\x15\xb3\x9a\x06" "\x46\xb0\x81\xc2\x92\x3b\x81\x63\x65\xb7\xfb\xb4\x16\x83\xa4\x17\x32\xd9" "\x42\xc5\xaa\x12\xfa\xf8\x76\xec\x7f\x03\x6b\xec\xde\x8f\x32\x95\xaf\x6d" "\xac\xff\x38\xd0\x76\xd8\xe0\x62\x60\xfe\xe1\x67\x70\x3b\xb6\x10\x74\x53" "\x74\xa2\x75\x8a\x6b\x88\xe4\x65\xca\x77\xd1\xf3\x10\x5a\xe8\xb6\xb0\x4a" "\x1e\xb5\x09\xfb\x17\x8d\x62\x49\xdb\xbc\x84\xd5\xd1\xd0\x69\x27\x84\x49" "\xa8\x9d\x03\xe4\xa9\xa3\x95\xd8\x17\x0c\x32\x9a\x29\x6c\xfc\x32\x97\x98" "\xcb\x9b\x9f\x10\x78\xd0\x98\xcf\x3f\x98\x9f\xd4\xec\x53\xe0\x13\xfb\xe9" "\x17\xdf\x35\x29\x2d\x44\xfb\x1f\x3d\xa4\xda\x44\x32\xa1\x84\x7d\x47\x21" "\x51\x4a\xde\x8c\xda\x5e\x5c\x0b\x51\x18\x35\x80\xfc\x35\x26\x6a\x97\x0e" "\xbb\xa7\x4f\xae\xda\x56\xd4\xdc\xb5\x6d\xf5\x1f\x96\xad\x23\x74\x52\xce" "\xdb\xd0\xcb\x2b\xee\x11\x27\x13\xc3\xd4\x50\x83\x58\x11\xbf\x3d\xa9\x74" "\x51\x36\xd4\x28\xe1\x48\xfd\x09\x32\xdc\x77\xc8\xd8\xe6\x1a\x16\xc6\x25" "\x24\x1f\xad\x84\x25\xb4\xec\xe3\x94\xee\xdd\x5f\x16\x5b\xd9\x49\x23\xbf" "\xa1\x17\x2b\xe8\xed\xc8\xa4\xfc\xaa\xe5\xf7\x7e\xe8\xcc\x51\x01\x92\xb2" "\x79\x64\xda\x09\xc3\xe8\x4e\xfb\x4b\xc7\x15\x4d\xa1\xa2\x4d\xa8\xb7\xe5" "\x44\xb4\x22\x78\xd2\x57\x46\x87\xec\x76\x14\x3a\xfa\x6c\xf1\x93\xd5\x2a" "\x2a\x7f\x4c\x20\xee\x57\xb6\x05\x6a\x13\x37\xd5\xe4\x08\x11\x7a\x6c\xf1" "\xab\x49\xc8\x98\x0f\x39\x59\x7f\x69\x90\x20\x85\xd3\xe8\xd3\x74\xd4\x4e" "\x6a\xb4\xed\x11\x85\xa2\x6b\xe2\xbc\x72\x81\xe9\xcf\xbb\xeb\x6b\xed\x89" "\x9a\xa1\x92\x4d\x3f\xaa\x06\xd9\x59\x99\xfb\xea\xf2\x33\x74\x94\xe0\xc2" "\xc3\x9e\xef\x5a\x73\xfc\xde\x84\x45\x9a\x9e\xa4\x8d\x4e\x01\x5d\x9e\x5b" "\xb5\x83\x93\x54\x96\x7c\xe0\x2f\x63\x7b\xc8\x67\x8d\x25\x95\xb9\xa9\x18" "\xfc\x36\xb9\x27\xd7\x50\x1f\x0a\xc2\xe3\x47\x1c\xe0\x2b\x5d\xf3\x55\x68" 
"\x9c\x87\xf1\x91\xef\x53\x90\x90\x0a\x41\xde\xec\x29\x98\x4e\x45\xa8\x78" "\xec\xe9\x64\xb0\x00\x9a\xad\x56\x13\x16\xfc\x3b\x30\xce\x1b\x49\x26\x6d" "\x32\xeb\x17\xcd\x30\xf3\xe1\x7e\x1f\x59\x01\x4e\x8c\x51\x89\x40\xdd\x0a" "\x09\x3d\x13\x49\xc1\xa7\xc2\x58\x19\x63\xbb\xe0\xba\x37\x2b\x64\x26\xe8" "\x1c\x33\xc7\x1b\x2e\xc8\x14\x1c\x57\x13\xe5\x2a\x37\xff\xf0\xa4\x17\xa5" "\xb2\x59\xe1\x42\x0d\x9f\xb6\xa7\x31\xf5\xba\xa0\xcc\x49\x42\x21\x94\x78" "\x95\xaa\x8f\xa1\x47\x45\xa9\x86\xa3\x66\xbf\xf9\xd0\xc2\x39\xa1\x9f\x85" "\x37\x24\x97\x56\x5b\x5b\x70\x3d\xa1\x64\x39\x01\x9d\xf5\xf3\xd2\x9f\x42" "\x47\xfb\x52\x88\x54\xc9\x64\x86\x30\xf0\x3e\x9d\xed\xde\x5a\x08\xa4\x77" "\x28\xea\x6a\x4d\x42\xe6\x2e\xff\x6f\xa3\xbd\x40\x23\x25\xe0\xf4\x38\x7b" "\x60\x17\x1c\x37\xc1\x80\xf9\x58\xad\x80\x95\x57\x79\xc8\x99\x51\x7e\x7e" "\xa7\x6e\xed\x00\x59\x8e\x01\x55\x2e\xaa\xf0\x8b\x72\x3d\xaf\x9d\x46\x6e" "\x8c\x57\xaf\x43\xa1\x5a\x46\x52\x8b\x11\x19\xf5\x07\x4a\xa3\xc5\x1f\x77" "\x35\x7e\xbe\x15\x82\x75\xbc\x06\xb8\x96\x40\xd7\xce\x3c\x0a\x03\xaf\x01" "\x41\x8d\x7d\xc6\xae\x8a\x1b\xe8\xab\x08\xc1\x72\x2d\x66\xd1\xe9\x27\x74" "\x80\xb8\xb1\x78\x44\x76\x67\xc0\x24\xf9\xb7\x8f\x8a\x87\x8a\x2d\x7c\xf8" "\xe8\x3e\x51\x04\xf6\x96\x4b\x29\x07\xa9\x89\xab\xaf\xc7\xd7\xd0\xdf\x94" "\x1a\xbf\x3d\x72\x83\xb6\xa1\x1d\x46\xc2\x91\x1a\x42\x18\x2e\xc2\x7a\xb7" "\x85\xd9\x29\x46\xe1\xee\x8e\xf4\x48\x46\xd5\x61\x85\x0d\x2a\x98\xc3\x05" "\xc3\x82\xf3\x6d\x4c\xfc\x9b\x2b\xfd\x3b\x86\xef\x21\xa0\xd1\x87\xad\xca" "\xfb\xec\x82\x68\xc7\xd6\x62\xa3\x4d\xda\x1c\x83\xc4\x96\x70\x97\x74\x31" "\x33\xbc\x8c\x58\x7e\xdf\x24\x9f\x56\x68\xc3\x4d\xdb\x11\x2f\xa4\xeb\x1b" "\xea\x9c\x8f\x6a\x00\x0f\x1f\x34\x42\x8b\x54\x68\x8a\x5e\x21\x4a\x79\x19" "\x86\x8b\x25\xdb\xe9\x30\xe8\x6a\x24\x3e\xcf\x54\xaf\xe0\xb5\x18\xc6\x47" "\xd0\x48\x73\xd2\xcf\x62\xcb\x2a\xb2\x7f\x00\x01\x55\x37\xa4\xfd\x2e\xa3" "\xdc\x87\x77\xab\xdf\x32\x84\x62\x23\x47\x01\x65\x66\xda\x0b\x9c\x40\x6c" 
"\xa8\xc4\x06\x94\xe4\x01\x3a\x53\xfb\xf2\xe8\x03\xd5\x1b\x0b\xbe\x5e\x9d" "\xf5\xfc\x74\xf6\x6b\xe6\x18\x85\x63\x57\xcc\xf8\x03\xc5\x3e\xd0\xe3\xb3" "\xfe\x79\xf6\x9f\x0e\xde\x9b\x56\x5d\x8f\x7a\x8c\xe5\xaa\x8c\xbb\x4e\x8f" "\xa6\x1b\xe3\xfd\x00\xff\xb0\x7e\x45\x06\x54\x98\x92\x5c\x14\xc0\xb3\x11" "\x94\x2d\x4e\xd9\x51\xad\x62\x37\xaa\xdb\x54\x05\xbc\x7b\x2d\x79\xe1\xfd" "\x29\x5b\x7c\x2e\xd8\xef\xa8\x83\xe4\x4c\x86\xa5\x05\x3e\x2f\x42\x1c\x6d" "\x4d\xc0\xc4\x7d\x3a\x05\xd9\x11\xdb\x37\xd6\xef\xdb\x8e\x50\xfb\x3f\x06" "\x13\x9a\xc1\x47\xbc\x71\x62\xc2\x1a\xec\xe7\x9e\xaf\x72\xe9\x77\x9f\x19" "\xeb\x53\x95\xce\xc3\xd1\x5a\x75\x94\xea\x70\xa6\xb3\x73\xd9\x86\x51\xd2" "\x21\x5b\x21\x0f\x03\x7e\xa3\xf8\xa5\x7d\xed\x74\x47\x4f\x6f\xdb\x64\xa0" "\x8b\x56\xaf\x52\x16\x8d\xa7\x0b\x30\xae\xe0\x34\x72\xcd\x8b\xee\x5a\xf0" "\x4c\xad\x73\x03\x00\x4a\x4a\xba\x46\x4b\x99", 3251); *(uint64_t*)0x20001448 = 0xcb3; *(uint64_t*)0x20001598 = 5; *(uint64_t*)0x200015a0 = 0x20001480; *(uint64_t*)0x20001480 = 0x1c; *(uint32_t*)0x20001488 = 0; *(uint32_t*)0x2000148c = 8; *(uint32_t*)0x20001490 = 0; *(uint32_t*)0x20001494 = htobe32(0); *(uint32_t*)0x20001498 = htobe32(0xe0000001); *(uint64_t*)0x200015a8 = 0x20; *(uint32_t*)0x200015b0 = 0; syscall(__NR_sendmsg, /*fd=*/r[4], /*msg=*/0x20001580ul, /*f=*/0ul); *(uint64_t*)0x20001140 = 0; *(uint32_t*)0x20001148 = 0; *(uint64_t*)0x20001150 = 0x20001040; *(uint64_t*)0x20001040 = 0; *(uint64_t*)0x20001048 = 0; *(uint64_t*)0x20001158 = 1; *(uint64_t*)0x20001160 = 0; *(uint64_t*)0x20001168 = 0; *(uint32_t*)0x20001170 = 0; syscall(__NR_recvmsg, /*fd=*/r[5], /*msg=*/0x20001140ul, /*f=*/0x40000100ul, 0); *(uint32_t*)0x20000200 = 0xc; *(uint32_t*)0x20000204 = 0xe; *(uint64_t*)0x20000208 = 0x20001f80; *(uint64_t*)0x20001f80 = -1; *(uint64_t*)0x20000210 = 0; *(uint32_t*)0x20000218 = 0; *(uint32_t*)0x2000021c = 0; *(uint64_t*)0x20000220 = 0; *(uint32_t*)0x20000228 = 0; *(uint32_t*)0x2000022c = 0; memset((void*)0x20000230, 0, 16); *(uint32_t*)0x20000240 = 
0; *(uint32_t*)0x20000244 = 0; *(uint32_t*)0x20000248 = -1; *(uint32_t*)0x2000024c = 8; *(uint64_t*)0x20000250 = 0; *(uint32_t*)0x20000258 = 0; *(uint32_t*)0x2000025c = 0x10; *(uint64_t*)0x20000260 = 0x20000940; *(uint32_t*)0x20000940 = 0x2000; *(uint32_t*)0x20000944 = 0; *(uint32_t*)0x20000948 = 0; *(uint32_t*)0x2000094c = 0; *(uint32_t*)0x20000268 = 0x10; *(uint32_t*)0x2000026c = 0; *(uint32_t*)0x20000270 = -1; *(uint32_t*)0x20000274 = 0; *(uint64_t*)0x20000278 = 0; *(uint64_t*)0x20000280 = 0; *(uint32_t*)0x20000288 = 0x10; *(uint32_t*)0x2000028c = 0; res = syscall(__NR_bpf, /*cmd=*/5ul, /*arg=*/0x20000200ul, /*size=*/0x80ul); if (res != -1) r[6] = res; *(uint32_t*)0x20000080 = 0x1b; *(uint32_t*)0x20000084 = 0; *(uint64_t*)0x20000088 = 0; *(uint64_t*)0x20000090 = 0x20000100; memcpy((void*)0x20000100, "GPL\000", 4); *(uint32_t*)0x20000098 = 0; *(uint32_t*)0x2000009c = 0; *(uint64_t*)0x200000a0 = 0; *(uint32_t*)0x200000a8 = 0; *(uint32_t*)0x200000ac = 0; memset((void*)0x200000b0, 0, 16); *(uint32_t*)0x200000c0 = 0; *(uint32_t*)0x200000c4 = 0; *(uint32_t*)0x200000c8 = -1; *(uint32_t*)0x200000cc = 8; *(uint64_t*)0x200000d0 = 0; *(uint32_t*)0x200000d8 = 0; *(uint32_t*)0x200000dc = 0x10; *(uint64_t*)0x200000e0 = 0; *(uint32_t*)0x200000e8 = 0; *(uint32_t*)0x200000ec = 0; *(uint32_t*)0x200000f0 = r[6]; *(uint32_t*)0x200000f4 = 0; *(uint64_t*)0x200000f8 = 0; *(uint64_t*)0x20000100 = 0; *(uint32_t*)0x20000108 = 0x10; *(uint32_t*)0x2000010c = 0; syscall(__NR_bpf, /*cmd=*/5ul, /*arg=*/0x20000080ul, /*size=*/0x80ul); *(uint32_t*)0x200014c0 = 4; *(uint32_t*)0x200014c4 = 9; *(uint64_t*)0x200014c8 = 0x20001180; *(uint8_t*)0x20001180 = 0x18; STORE_BY_BITMASK(uint8_t, , 0x20001181, 0, 0, 4); STORE_BY_BITMASK(uint8_t, , 0x20001181, 0, 4, 4); *(uint16_t*)0x20001182 = 0; *(uint32_t*)0x20001184 = 0x3ff; *(uint8_t*)0x20001188 = 0; *(uint8_t*)0x20001189 = 0; *(uint16_t*)0x2000118a = 0; *(uint32_t*)0x2000118c = 0x7fffffff; STORE_BY_BITMASK(uint8_t, , 0x20001190, 5, 0, 3); 
STORE_BY_BITMASK(uint8_t, , 0x20001190, 0, 3, 1); STORE_BY_BITMASK(uint8_t, , 0x20001190, 0, 4, 4); STORE_BY_BITMASK(uint8_t, , 0x20001191, 5, 0, 4); STORE_BY_BITMASK(uint8_t, , 0x20001191, 0, 4, 4); *(uint16_t*)0x20001192 = 0x1c; *(uint32_t*)0x20001194 = 0; *(uint8_t*)0x20001198 = 0x18; STORE_BY_BITMASK(uint8_t, , 0x20001199, 8, 0, 4); STORE_BY_BITMASK(uint8_t, , 0x20001199, 6, 4, 4); *(uint16_t*)0x2000119a = 0; *(uint32_t*)0x2000119c = 1; *(uint8_t*)0x200011a0 = 0; *(uint8_t*)0x200011a1 = 0; *(uint16_t*)0x200011a2 = 0; *(uint32_t*)0x200011a4 = 0x1000000; STORE_BY_BITMASK(uint8_t, , 0x200011a8, 5, 0, 3); STORE_BY_BITMASK(uint8_t, , 0x200011a8, 1, 3, 1); STORE_BY_BITMASK(uint8_t, , 0x200011a8, 3, 4, 4); STORE_BY_BITMASK(uint8_t, , 0x200011a9, 1, 0, 4); STORE_BY_BITMASK(uint8_t, , 0x200011a9, 2, 4, 4); *(uint16_t*)0x200011aa = 0; *(uint32_t*)0x200011ac = 4; *(uint8_t*)0x200011b0 = 0x18; STORE_BY_BITMASK(uint8_t, , 0x200011b1, 0, 0, 4); STORE_BY_BITMASK(uint8_t, , 0x200011b1, 3, 4, 4); *(uint16_t*)0x200011b2 = 0; *(uint32_t*)0x200011b4 = 4; *(uint8_t*)0x200011b8 = 0; *(uint8_t*)0x200011b9 = 0; *(uint16_t*)0x200011ba = 0; *(uint32_t*)0x200011bc = 0; *(uint8_t*)0x200011c0 = 0x95; *(uint8_t*)0x200011c1 = 0; *(uint16_t*)0x200011c2 = 0; *(uint32_t*)0x200011c4 = 0; *(uint64_t*)0x200014d0 = 0x20001200; memcpy((void*)0x20001200, "GPL\000", 4); *(uint32_t*)0x200014d8 = 4; *(uint32_t*)0x200014dc = 0xba; *(uint64_t*)0x200014e0 = 0x20001240; *(uint32_t*)0x200014e8 = 0x41100; *(uint32_t*)0x200014ec = 0x3f; memset((void*)0x200014f0, 0, 16); *(uint32_t*)0x20001500 = 0; *(uint32_t*)0x20001504 = 0x2d; *(uint32_t*)0x20001508 = -1; *(uint32_t*)0x2000150c = 8; *(uint64_t*)0x20001510 = 0x20001300; *(uint32_t*)0x20001300 = 8; *(uint32_t*)0x20001304 = 5; *(uint32_t*)0x20001518 = 8; *(uint32_t*)0x2000151c = 0x10; *(uint64_t*)0x20001520 = 0x20001340; *(uint32_t*)0x20001340 = 2; *(uint32_t*)0x20001344 = 5; *(uint32_t*)0x20001348 = 6; *(uint32_t*)0x2000134c = 4; *(uint32_t*)0x20001528 = 0x10; 
/* Tail of a function whose start is outside this view (presumably the
 * syzkaller loop() declared earlier); it finishes filling the bpf_attr at
 * 0x200014c0 and issues the final bpf(2) call. */
*(uint32_t*)0x2000152c = 0;
*(uint32_t*)0x20001530 = -1;
*(uint32_t*)0x20001534 = 0;
*(uint64_t*)0x20001538 = 0;
*(uint64_t*)0x20001540 = 0;
*(uint32_t*)0x20001548 = 0x10;
*(uint32_t*)0x2000154c = 8;
/* cmd 5 is BPF_PROG_LOAD (enum bpf_cmd); size 0x90 is the attr length passed
 * to the kernel. The return value is not checked — a generated reproducer
 * only needs the call sequence to be replayed, not to succeed. */
syscall(__NR_bpf, /*cmd=*/5ul, /*arg=*/0x200014c0ul, /*size=*/0x90ul);
}

/*
 * Entry point of the syzkaller reproducer.
 *
 * Establishes the fixed address window that every raw store above relies on
 * (all `*(uintN_t*)0x2000xxxx = ...` writes target this region), then hands
 * control to do_sandbox_none(), which forks the sandboxed child that runs the
 * syscall program.
 *
 * Returns 0 unconditionally; the child's exit status that do_sandbox_none()
 * returns in the parent (via wait_for_loop) is discarded here.
 */
int main(void)
{
  /* flags 0x32 = MAP_PRIVATE | MAP_FIXED | MAP_ANONYMOUS; prot 0 = PROT_NONE.
   * None of the three mmap return values is checked: if a MAP_FIXED mapping
   * fails, every raw pointer store above dereferences unmapped memory and the
   * process faults rather than reproducing anything. */
  /* PROT_NONE page immediately below the data window. */
  syscall(__NR_mmap, /*addr=*/0x1ffff000ul, /*len=*/0x1000ul, /*prot=*/0ul,
          /*flags=*/0x32ul, /*fd=*/-1, /*offset=*/0ul);
  /* 16 MiB data window at 0x20000000; prot 7 = PROT_READ|PROT_WRITE|PROT_EXEC.
   * All syscall argument structures and the BPF instructions above live here. */
  syscall(__NR_mmap, /*addr=*/0x20000000ul, /*len=*/0x1000000ul, /*prot=*/7ul,
          /*flags=*/0x32ul, /*fd=*/-1, /*offset=*/0ul);
  /* PROT_NONE page immediately past the data window. */
  syscall(__NR_mmap, /*addr=*/0x21000000ul, /*len=*/0x1000ul, /*prot=*/0ul,
          /*flags=*/0x32ul, /*fd=*/-1, /*offset=*/0ul);
  /* Forks into a new PID namespace, drops CAP_SYS_PTRACE/CAP_SYS_NICE in the
   * child and runs loop() there; the parent only waits. Its return value is
   * ignored, so main's exit code says nothing about what the child did. */
  do_sandbox_none();
  return 0;
}