// https://syzkaller.appspot.com/bug?id=ffdf2711c935a1b72550b3334420d7a3b168f335
// autogenerated by syzkaller (http://github.com/google/syzkaller)
//
// Generated crash reproducer for the syzkaller bug referenced above: a fixed
// sequence of syscalls (execute_call) is replayed forever (loop), each call
// handed to one of up to 16 worker threads (execute/thr). The visible cases
// include mount, ptrace, capset, setns and execve, so the program is built for
// an isolated kernel test VM rather than a developer machine.
//
// NOTE(review): the header names of the twelve #include lines below were lost
// when this copy was extracted (angle-bracketed text stripped). The file cannot
// be built until they are restored from the original reproducer.
#define _GNU_SOURCE
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
// BITMASK_LEN: mask with the low bf_len bits set, cast to `type`.
// The shift is done in unsigned long long, so bf_len must be < 64 (a shift by
// the full width is undefined behaviour).
#define BITMASK_LEN(type, bf_len) (type)((1ull << (bf_len)) - 1)
// BITMASK_LEN_OFF: the same mask moved up to bit offset bf_off.
#define BITMASK_LEN_OFF(type, bf_off, bf_len) \
  (type)(BITMASK_LEN(type, (bf_len)) << (bf_off))
// STORE_BY_BITMASK: write `val` into the bit-field [bf_off, bf_off+bf_len) of
// the `type` object at `addr`; bf_off == 0 && bf_len == 0 means a whole-object
// store. The expansion is a bare if/else rather than do { } while (0), so an
// `else` written after a use of the macro would bind to the macro's own `if`.
// Not referenced in the part of the file visible here.
#define STORE_BY_BITMASK(type, addr, val, bf_off, bf_len) \
  if ((bf_off) == 0 && (bf_len) == 0) { \
    *(type*)(addr) = (type)(val); \
  } else { \
    type new_val = *(type*)(addr); \
    new_val &= ~BITMASK_LEN_OFF(type, (bf_off), (bf_len)); \
    new_val |= ((type)(val)&BITMASK_LEN(type, (bf_len))) << (bf_off); \
    *(type*)(addr) = new_val; \
  }
// syz_open_dev: open a device node described by the generated arguments.
//   a0 == 0xc / 0xb : open "/dev/char/<a1>:<a2>" / "/dev/block/<a1>:<a2>"
//                     read-write; a1 and a2 are truncated to uint8_t, so the
//                     longest result ("/dev/block/255:255") fits the 128-byte
//                     buffer and sprintf is bounded by construction.
//   otherwise       : a0 is a pointer to a NUL-terminated path template; it is
//                     copied (truncated at 1023 bytes), every '#' is replaced by
//                     the next decimal digit of a1 starting from the least
//                     significant one (leftmost '#' gets a1 % 10), and the
//                     result is opened with a2 as the open(2) flags word.
// Returns the open(2) result: a descriptor, or -1 (errno is not inspected).
static uintptr_t syz_open_dev(uintptr_t a0, uintptr_t a1, uintptr_t a2)
{
  if (a0 == 0xc || a0 == 0xb) {
    char buf[128];
    sprintf(buf, "/dev/%s/%d:%d", a0 == 0xc ? "char" : "block", (uint8_t)a1, (uint8_t)a2);
    return open(buf, O_RDWR, 0);
  } else {
    char buf[1024];
    char* hash;
    // strncpy does not guarantee termination; the explicit NUL below does.
    strncpy(buf, (char*)a0, sizeof(buf));
    buf[sizeof(buf) - 1] = 0;
    while ((hash = strchr(buf, '#'))) {
      *hash = '0' + (char)(a1 % 10);
      a1 /= 10;
    }
    return open(buf, a2, 0);
  }
}
// syz_open_procfs: open an entry below /proc for the current process.
//   a0 == 0  : "/proc/self/<a1>"
//   a0 == -1 : "/proc/thread-self/<a1>"
//   else     : "/proc/self/task/<a0>/<a1>"  (a0 used as an int task id)
// a1 is a pointer to the NUL-terminated entry name. snprintf truncation is not
// checked, so an over-long name silently opens a truncated path.
// Tries O_RDWR first and falls back to O_RDONLY; returns the descriptor or -1.
// Not referenced in the part of the file visible here.
static uintptr_t syz_open_procfs(uintptr_t a0, uintptr_t a1)
{
  char buf[128];
  memset(buf, 0, sizeof(buf));
  if (a0 == 0) {
    snprintf(buf, sizeof(buf), "/proc/self/%s", (char*)a1);
  } else if (a0 == (uintptr_t)-1) {
    snprintf(buf, sizeof(buf), "/proc/thread-self/%s", (char*)a1);
  } else {
    snprintf(buf, sizeof(buf), "/proc/self/task/%d/%s", (int)a0, (char*)a1);
  }
  int fd = open(buf, O_RDWR);
  if (fd == -1)
    fd = open(buf, O_RDONLY);
  return fd;
}
// execute_one and procid are defined outside the visible span.
static void execute_one();
extern unsigned long long procid;
// loop: replay the reproducer program indefinitely; never returns.
void loop()
{
  while (1) {
    execute_one();
  }
}
// One worker thread.
//   created : set once the pthread has been started
//   running : 1 while a call is assigned to / executing on this thread;
//             doubles as the futex word used for the wake/wait handshake
//   call    : index of the call (execute_call case) to run next
struct thread_t {
  int created, running, call;
  pthread_t th;
};
static struct thread_t threads[16];
static void execute_call(int call);
// Number of threads currently executing a call (updated with atomic
// read-modify-write in thr/execute, but read as a plain load in execute).
static int running;
// thr: worker thread body. Blocks on the futex in th->running until execute()
// raises it, runs the assigned call, then lowers the flag and wakes execute().
// The FUTEX_WAKE call passes no explicit `val` (wake count) argument, so the
// kernel receives whatever happens to be in that argument register.
// Never returns.
static void* thr(void* arg)
{
  struct thread_t* th = (struct thread_t*)arg;
  for (;;) {
    while (!__atomic_load_n(&th->running, __ATOMIC_ACQUIRE))
      syscall(SYS_futex, &th->running, FUTEX_WAIT, 0, 0);
    execute_call(th->call);
    __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED);
    __atomic_store_n(&th->running, 0, __ATOMIC_RELEASE);
    syscall(SYS_futex, &th->running, FUTEX_WAKE);
  }
  return 0;
}
// execute: dispatch calls 0..num_calls-1 to the worker pool, in order.
// For each call the first idle thread is picked (threads are created lazily
// with a 128 KiB stack; pthread_create's result is not checked and the attr is
// never destroyed). After waking the thread, execute waits at most 20 ms for
// the call to finish (FUTEX_WAIT with expected value 1 returns at once if the
// flag already dropped back to 0). If some call is still in flight
// (`running` != 0) it sleeps 1 ms, or 10 ms after the last call, and moves on
// -- so calls may overlap across threads by design. If all 16 threads are busy
// the inner loop finishes without a `break` and that call is silently skipped.
// `thread < sizeof(threads) / sizeof(threads[0])` compares int with size_t;
// harmless here since thread is never negative.
// Not called from the visible span (presumably from execute_one).
static void execute(int num_calls)
{
  int call, thread;
  running = 0;
  for (call = 0; call < num_calls; call++) {
    for (thread = 0; thread < sizeof(threads) / sizeof(threads[0]); thread++) {
      struct thread_t* th = &threads[thread];
      if (!th->created) {
        th->created = 1;
        pthread_attr_t attr;
        pthread_attr_init(&attr);
        pthread_attr_setstacksize(&attr, 128 << 10);
        pthread_create(&th->th, &attr, thr, th);
      }
      if (!__atomic_load_n(&th->running, __ATOMIC_ACQUIRE)) {
        th->call = call;
        __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED);
        __atomic_store_n(&th->running, 1, __ATOMIC_RELEASE);
        syscall(SYS_futex, &th->running, FUTEX_WAKE);
        struct timespec ts;
        ts.tv_sec = 0;
        ts.tv_nsec = 20 * 1000 * 1000;
        syscall(SYS_futex, &th->running, FUTEX_WAIT, 1, &ts);
        // plain (non-atomic) read of a counter the workers modify atomically
        if (running)
          usleep((call == num_calls - 1) ? 10000 : 1000);
        break;
      }
    }
  }
}
// Fallback syscall numbers for libc headers that predate these syscalls.
// These are the x86_64 table values; on another architecture the numbers
// from the kernel headers must be used instead.
#ifndef __NR_mlock2
#define __NR_mlock2 325
#endif
#ifndef __NR_renameat2
#define __NR_renameat2 316
#endif
#ifndef __NR_userfaultfd
#define __NR_userfaultfd 323
#endif
// r: results of earlier calls (descriptors, ids, values read back from memory)
// that later calls consume. Entries written by execute_call only when the call
// did not return -1. Initial values: 0xffffffffffffffff (-1) for entries that
// would otherwise hold an invalid descriptor, 0 for entries filled from memory
// the kernel wrote or used as plain ids.
uint64_t r[65] = {
    0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0xffffffffffffffff,
    0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff,
    0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff,
    0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0x0,
    0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0x0,
    0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff,
    0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff,
    0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff,
    0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff,
    0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff,
    0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff,
    0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff,
    0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0x0,
    0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff,
    0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff,
    0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff,
    0xffffffffffffffff};
// execute_call: run the single generated syscall with index `call`.
// Arguments are written to fixed addresses in the 0x20000000.. range before
// each call; no mmap of that range is visible in this span, so it is expected
// to be mapped by a part of the program not shown here (e.g. main) -- confirm.
// Results needed later are saved in r[] (only when the call did not fail).
// The body is long and continues past the end of the visible span.
void execute_call(int call)
{
  long res;
  switch (call) {
  case 0:
    res = syscall(__NR_inotify_init1, 0);
    if (res != -1)
      r[0] = res;
    break;
  case 1:
    syscall(__NR_fcntl, r[0], 8, -1);
    break;
  case 2:
    res = syscall(__NR_fcntl, r[0], 0x10, 0x2045fff8);
    // the value the call stored at 0x2045fffc is read back into r[1]
    if (res != -1)
      r[1] = *(uint32_t*)0x2045fffc;
    break;
  case 3:
    syscall(__NR_ptrace, 0x4206, r[1], 0, 0x100020);
    break;
  case 4:
    memcpy((void*)0x20000100, "/dev/sg#", 9);
    res = syz_open_dev(0x20000100, 0, 0x7ff);
    if (res != -1)
      r[2] = res;
    break;
  case 5:
    *(uint32_t*)0x2012f000 = 0x50;
    *(uint32_t*)0x2012f004 = 0;
    *(uint64_t*)0x2012f008 = 0;
    *(uint32_t*)0x2012f010 = 7;
*(uint32_t*)0x2012f014 = 0x1a; *(uint32_t*)0x2012f018 = 0; *(uint32_t*)0x2012f01c = 0; *(uint16_t*)0x2012f020 = 0; *(uint16_t*)0x2012f022 = 0; *(uint32_t*)0x2012f024 = 0; *(uint32_t*)0x2012f028 = 0; *(uint32_t*)0x2012f02c = 0; *(uint32_t*)0x2012f030 = 0; *(uint32_t*)0x2012f034 = 0; *(uint32_t*)0x2012f038 = 0; *(uint32_t*)0x2012f03c = 0; *(uint32_t*)0x2012f040 = 0; *(uint32_t*)0x2012f044 = 0; *(uint32_t*)0x2012f048 = 0; *(uint32_t*)0x2012f04c = 0; syscall(__NR_write, r[2], 0x2012f000, 0x50); break; case 6: *(uint8_t*)0x20019ffb = 0x73; *(uint8_t*)0x20019ffc = 0x79; *(uint8_t*)0x20019ffd = 0x7a; *(uint8_t*)0x20019ffe = 0x20; *(uint8_t*)0x20019fff = 0; syscall(__NR_keyctl, 1, 0x20019ffb); break; case 7: *(uint8_t*)0x20000000 = 0x73; *(uint8_t*)0x20000001 = 0x79; *(uint8_t*)0x20000002 = 0x7a; *(uint8_t*)0x20000003 = 0x20; *(uint8_t*)0x20000004 = 0; syscall(__NR_keyctl, 1, 0x20000000); break; case 8: memcpy((void*)0x2014a000, "/dev/usbmon#", 13); syz_open_dev(0x2014a000, -1, -1); break; case 9: memcpy((void*)0x20000000, "/dev/autofs", 12); res = syscall(__NR_openat, 0xffffffffffffff9c, 0x20000000, 0, 0); if (res != -1) r[3] = res; break; case 10: *(uint32_t*)0x20000040 = 0; *(uint32_t*)0x20000044 = 0xfffffff9; *(uint16_t*)0x20000048 = 0x30; *(uint32_t*)0x20000080 = 0xc; res = syscall(__NR_getsockopt, 0xffffff9c, 0x84, 0x72, 0x20000040, 0x20000080); if (res != -1) r[4] = *(uint32_t*)0x20000040; break; case 11: *(uint32_t*)0x200000c0 = r[4]; *(uint16_t*)0x200000c4 = 0xa; *(uint16_t*)0x200000c6 = htobe16(0x4e22); *(uint32_t*)0x200000c8 = 0; *(uint8_t*)0x200000cc = 0xfe; *(uint8_t*)0x200000cd = 0x80; *(uint8_t*)0x200000ce = 0; *(uint8_t*)0x200000cf = 0; *(uint8_t*)0x200000d0 = 0; *(uint8_t*)0x200000d1 = 0; *(uint8_t*)0x200000d2 = 0; *(uint8_t*)0x200000d3 = 0; *(uint8_t*)0x200000d4 = 0; *(uint8_t*)0x200000d5 = 0; *(uint8_t*)0x200000d6 = 0; *(uint8_t*)0x200000d7 = 0; *(uint8_t*)0x200000d8 = 0; *(uint8_t*)0x200000d9 = 0; *(uint8_t*)0x200000da = 0; *(uint8_t*)0x200000db = 0xaa; 
*(uint32_t*)0x200000dc = 0xf4d9; *(uint32_t*)0x20000180 = 0x84; syscall(__NR_getsockopt, r[3], 0x84, 6, 0x200000c0, 0x20000180); break; case 12: memcpy((void*)0x2003f154, "./file0", 8); syscall(__NR_mkdirat, -1, 0x2003f154, 0); break; case 13: memcpy((void*)0x204daff8, "./file0", 8); res = syscall(__NR_open, 0x204daff8, 0, 0); if (res != -1) r[5] = res; break; case 14: memcpy((void*)0x208deff8, "./file0", 8); res = syscall(__NR_openat, r[5], 0x208deff8, 0, 0); if (res != -1) r[6] = res; break; case 15: syscall(__NR_getdents, r[5], 0x20000040, 0x89); break; case 16: memcpy((void*)0x20e20000, "./file0", 8); memcpy((void*)0x200e4000, "./file0", 8); memcpy((void*)0x2044fff9, "autofs", 7); syscall(__NR_mount, 0x20e20000, 0x200e4000, 0x2044fff9, 0x1000, 0x206b8000); break; case 17: memcpy((void*)0x2001fff7, "./file0/file0", 14); memcpy((void*)0x2001fff8, "./file0", 8); syscall(__NR_symlinkat, 0x2001fff7, r[6], 0x2001fff8); break; case 18: memcpy((void*)0x20000000, "./file0", 8); memcpy((void*)0x20000100, "./file0/file0/file0/file0", 26); syscall(__NR_renameat2, r[6], 0x20000000, -1, 0x20000100, 0); break; case 19: *(uint32_t*)0x2000b000 = 0x20080522; *(uint32_t*)0x2000b004 = 0; *(uint32_t*)0x2000cfe8 = 0; *(uint32_t*)0x2000cfec = 0; *(uint32_t*)0x2000cff0 = 0; *(uint32_t*)0x2000cff4 = 0; *(uint32_t*)0x2000cff8 = 0; *(uint32_t*)0x2000cffc = 0; syscall(__NR_capset, 0x2000b000, 0x2000cfe8); break; case 20: syscall(__NR_sendto, -1, 0x20000040, 0, 0x11, 0, 0); break; case 21: syscall(__NR_setns, -1, 0); break; case 22: syscall(__NR_inotify_init); break; case 23: syscall(__NR_fcntl, -1, 0xa, 0x2d); break; case 24: syscall(__NR_userfaultfd, 0); break; case 25: memcpy((void*)0x20015000, "/dev/input/mice", 16); res = syz_open_dev(0x20015000, 0, 0x82); if (res != -1) r[7] = res; break; case 26: *(uint32_t*)0x20000200 = 0; *(uint32_t*)0x20000204 = 0; *(uint32_t*)0x20000208 = 0; *(uint32_t*)0x2000020c = 0; *(uint32_t*)0x20000210 = 0; syscall(__NR_getgroups, 5, 0x20000200); break; 
case 27: memcpy((void*)0x20000280, "\x74\x65\x61\x6d\x30\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", 16); *(uint32_t*)0x20000290 = 0; syscall(__NR_ioctl, r[7], 0x8933, 0x20000280); break; case 28: syscall(__NR_prctl, 0xc, 2); break; case 29: syscall(__NR_eventfd, 2); break; case 30: *(uint64_t*)0x20001340 = 0x20000100; *(uint32_t*)0x20001348 = 0x24a; *(uint64_t*)0x20001350 = 0x20000080; *(uint64_t*)0x20001358 = 0; *(uint64_t*)0x20001360 = 0x20001240; *(uint64_t*)0x20001368 = 0xdc; *(uint32_t*)0x20001370 = 5; syscall(__NR_recvmsg, -1, 0x20001340, 0x4000000000000000); break; case 31: res = syscall(__NR_socket, 0x11, 0, 0x300); if (res != -1) r[8] = res; break; case 32: *(uint32_t*)0x20006ffc = 6; syscall(__NR_setsockopt, r[8], 0x107, 0x14, 0x20006ffc, 4); break; case 33: syscall(__NR_socket, 0x11, 2, 0x300); break; case 34: memcpy((void*)0x20000180, "/dev/sequencer", 15); syscall(__NR_openat, 0xffffffffffffff9c, 0x20000180, 0x42, 0); break; case 35: *(uint32_t*)0x20000440 = 0; *(uint32_t*)0x20000480 = 4; syscall(__NR_getsockopt, -1, 0x84, 0xd, 0x20000440, 0x20000480); break; case 36: *(uint32_t*)0x20000380 = 0; *(uint32_t*)0x20000384 = 8; *(uint32_t*)0x200005c0 = 8; syscall(__NR_getsockopt, -1, 0x84, 0x11, 0x20000380, 0x200005c0); break; case 37: *(uint32_t*)0x20000680 = 0; *(uint16_t*)0x20000688 = 2; *(uint16_t*)0x2000068a = htobe16(0x4e21); *(uint32_t*)0x2000068c = htobe32(0x7f000001); *(uint8_t*)0x20000690 = 0; *(uint8_t*)0x20000691 = 0; *(uint8_t*)0x20000692 = 0; *(uint8_t*)0x20000693 = 0; *(uint8_t*)0x20000694 = 0; *(uint8_t*)0x20000695 = 0; *(uint8_t*)0x20000696 = 0; *(uint8_t*)0x20000697 = 0; *(uint16_t*)0x20000708 = 0x904e; *(uint16_t*)0x2000070a = 8; *(uint32_t*)0x20000740 = 0x90; syscall(__NR_getsockopt, -1, 0x84, 0x1f, 0x20000680, 0x20000740); break; case 38: memcpy((void*)0x20000140, "./cgroup.cpu", 13); res = syscall(__NR_openat, 0xffffffffffffff9c, 0x20000140, 0x200002, 0); if (res != -1) r[9] = res; break; case 39: syscall(__NR_fchdir, r[9]); break; 
case 40: res = syscall(__NR_socket, 2, 1, 0); if (res != -1) r[10] = res; break; case 41: *(uint16_t*)0x20000540 = 0x27; *(uint32_t*)0x20000544 = 0; *(uint32_t*)0x20000548 = 2; *(uint32_t*)0x2000054c = 2; *(uint8_t*)0x20000550 = 7; *(uint8_t*)0x20000551 = 6; memcpy((void*)0x20000552, "\x40\x21\xbc\x5c\x62\xa8\xb6\x00\x55\x4f\xd2\x17\xa1\x52\xdb\x8c" "\x5e\x20\x26\x90\xff\x5e\x10\x6c\x7c\x39\x52\xd6\x06\x0c\x48\x1c" "\xf1\x1e\x79\x13\xf8\x83\xdd\xd2\x96\xbf\xa5\x47\x92\x16\xaf\x34" "\x0d\x0d\x68\x91\x0e\x8d\x8a\xdb\x38\x8f\x56\x2a\x8d\x67\x18", 63); *(uint64_t*)0x20000598 = 0x3d; syscall(__NR_connect, -1, 0x20000540, 0x60); break; case 42: memcpy((void*)0x20000000, "\x6c\x6f\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", 16); *(uint16_t*)0x20000010 = 0; syscall(__NR_ioctl, r[10], 0x8914, 0x20000000); break; case 43: memcpy((void*)0x20001d40, "\x6c\x6f\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", 16); *(uint16_t*)0x20001d50 = 0xfff; syscall(__NR_ioctl, r[10], 0x8914, 0x20001d40); break; case 44: memcpy((void*)0x200000c0, "\x73\x65\x63\x75\x72\x69\x74\x79\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00", 32); *(uint32_t*)0x200000e0 = 0; *(uint32_t*)0x200000e4 = 0; *(uint32_t*)0x200000e8 = 0; *(uint32_t*)0x200000ec = 0; *(uint32_t*)0x200000f0 = 0; *(uint32_t*)0x200000f4 = 0; *(uint32_t*)0x200000f8 = 0; *(uint32_t*)0x200000fc = 0; *(uint32_t*)0x20000100 = 0; *(uint32_t*)0x20000104 = 0; *(uint32_t*)0x20000108 = 0; *(uint32_t*)0x2000010c = 0; *(uint32_t*)0x20000110 = 0; *(uint32_t*)0x20000040 = 0x54; syscall(__NR_getsockopt, -1, 0, 0x40, 0x200000c0, 0x20000040); break; case 45: res = syscall(__NR_socket, 2, 5, 0x84); if (res != -1) r[11] = res; break; case 46: *(uint32_t*)0x20000180 = 0; syscall(__NR_setsockopt, r[11], 0x84, 0x21, 0x20000180, 0xfe57); break; case 47: syscall(__NR_socket, 2, 1, 0x84); break; case 48: res = syscall(__NR_socket, 0x10, 3, 0); if (res != -1) r[12] = res; break; case 
49: *(uint32_t*)0x20cecffc = 0; syscall(__NR_setsockopt, r[12], 1, 8, 0x20cecffc, 4); break; case 50: syscall(__NR_write, r[12], 0x2095c000, 0); break; case 51: memcpy((void*)0x20ac3000, "./control", 10); res = syscall(__NR_open, 0x20ac3000, 2, 0); if (res != -1) r[13] = res; break; case 52: memcpy((void*)0x20563000, "./file0", 8); syscall(__NR_openat, r[13], 0x20563000, 0, 0); break; case 53: res = syscall(__NR_socket, 2, 1, 0); if (res != -1) r[14] = res; break; case 54: syscall(__NR_ioctl, r[14], 0x8904, 0x20000100); break; case 55: memcpy((void*)0x20000080, "keyring", 8); *(uint8_t*)0x200000c0 = 0x73; *(uint8_t*)0x200000c1 = 0x79; *(uint8_t*)0x200000c2 = 0x7a; *(uint8_t*)0x200000c3 = 0x21; *(uint8_t*)0x200000c4 = 0; res = syscall(__NR_add_key, 0x20000080, 0x200000c0, 0, 0, 0xfffffff9); if (res != -1) r[15] = res; break; case 56: syscall(__NR_keyctl, 0xf, r[15], 0x701); break; case 57: memcpy((void*)0x20000000, "/selinux/checkreqprot", 22); syscall(__NR_openat, 0xffffffffffffff9c, 0x20000000, 0x200, 0); break; case 58: res = syscall(__NR_socket, 0x18, 0, 4); if (res != -1) r[16] = res; break; case 59: *(uint16_t*)0x20000140 = 0x18; *(uint32_t*)0x20000142 = 1; *(uint32_t*)0x20000146 = 0; *(uint32_t*)0x2000014a = r[16]; *(uint32_t*)0x2000014e = 3; *(uint32_t*)0x20000152 = 1; *(uint32_t*)0x20000156 = 3; *(uint32_t*)0x2000015a = 0; *(uint16_t*)0x2000015e = 0xa; *(uint16_t*)0x20000160 = htobe16(0x4e21); *(uint32_t*)0x20000162 = 0x200; *(uint64_t*)0x20000166 = htobe64(0); *(uint64_t*)0x2000016e = htobe64(1); *(uint32_t*)0x20000176 = 4; syscall(__NR_connect, r[16], 0x20000140, 0x80); break; case 60: memcpy((void*)0x20000000, "/dev/net/tun", 13); res = syz_open_dev(0x20000000, 0, 0); if (res != -1) r[17] = res; break; case 61: memcpy((void*)0x20000040, "\x62\x63\x73\x66\x30\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", 16); *(uint16_t*)0x20000050 = 0x400; syscall(__NR_ioctl, r[17], 0x400454d9, 0x20000040); break; case 62: *(uint32_t*)0x20000080 = 0x20; 
syscall(__NR_ioctl, r[17], 0x400454d8, 0x20000080); break; case 63: memcpy((void*)0x20000000, "/dev/pktcdvd/control", 21); res = syscall(__NR_openat, 0xffffffffffffff9c, 0x20000000, 0x100, 0); if (res != -1) r[18] = res; break; case 64: *(uint32_t*)0x20000040 = 0; *(uint16_t*)0x20000044 = 5; *(uint32_t*)0x20000080 = 8; res = syscall(__NR_getsockopt, 0xffffff9c, 0x84, 0x18, 0x20000040, 0x20000080); if (res != -1) r[19] = *(uint32_t*)0x20000040; break; case 65: *(uint32_t*)0x200000c0 = r[19]; *(uint16_t*)0x200000c4 = 2; *(uint16_t*)0x200000c6 = 0; *(uint32_t*)0x200000c8 = 7; *(uint32_t*)0x200000cc = 0xff; *(uint32_t*)0x200000d0 = 9; *(uint32_t*)0x20000100 = 0x14; res = syscall(__NR_getsockopt, r[18], 0x84, 1, 0x200000c0, 0x20000100); if (res != -1) r[20] = *(uint32_t*)0x200000c0; break; case 66: syscall(__NR_prctl, 0xc, 1); break; case 67: syscall(__NR_sched_rr_get_interval, 0, 0x200001c0); break; case 68: *(uint16_t*)0x20000340 = 0; *(uint8_t*)0x20000342 = 0; *(uint32_t*)0x20000344 = 0x4e23; syscall(__NR_recvfrom, r[18], 0x20000240, 0xe8, 0x2000, 0x20000340, 0x6e); break; case 69: syscall(__NR_pread64, -1, 0x200003c0, 0x63, 0xf); break; case 70: memcpy((void*)0x20000440, "systemv!", 9); syscall(__NR_ioctl, -1, 0x41007701, 0x20000440); break; case 71: *(uint16_t*)0x20000500 = 0xa; *(uint16_t*)0x20000502 = htobe16(0x4e23); *(uint32_t*)0x20000504 = 1; *(uint8_t*)0x20000508 = 0xfe; *(uint8_t*)0x20000509 = 0x80; *(uint8_t*)0x2000050a = 0; *(uint8_t*)0x2000050b = 0; *(uint8_t*)0x2000050c = 0; *(uint8_t*)0x2000050d = 0; *(uint8_t*)0x2000050e = 0; *(uint8_t*)0x2000050f = 0; *(uint8_t*)0x20000510 = 0; *(uint8_t*)0x20000511 = 0; *(uint8_t*)0x20000512 = 0; *(uint8_t*)0x20000513 = 0; *(uint8_t*)0x20000514 = 0; *(uint8_t*)0x20000515 = 0; *(uint8_t*)0x20000516 = 0; *(uint8_t*)0x20000517 = 0x1c; *(uint32_t*)0x20000518 = 0xfffffffd; syscall(__NR_sendto, -1, 0x20000480, 0, 0x4000, 0x20000500, 0x1c); break; case 72: *(uint32_t*)0x20000540 = r[20]; *(uint32_t*)0x20000544 = 0x20; 
*(uint32_t*)0x20000580 = 8; res = syscall(__NR_getsockopt, r[18], 0x84, 0x13, 0x20000540, 0x20000580); if (res != -1) r[21] = *(uint32_t*)0x20000540; break; case 73: syscall(__NR_clock_gettime, 3, 0x200005c0); break; case 74: *(uint32_t*)0x20000600 = 6; *(uint32_t*)0x20000640 = 4; syscall(__NR_getsockopt, r[18], 0x103, 3, 0x20000600, 0x20000640); break; case 75: memcpy((void*)0x20000680, "com.apple.system.Security", 26); syscall(__NR_fremovexattr, -1, 0x20000680); break; case 76: *(uint16_t*)0x200006c0 = 0x9a; *(uint16_t*)0x200006c2 = 0; *(uint16_t*)0x200006c4 = 0x20e; *(uint32_t*)0x200006c8 = 0x3f; *(uint32_t*)0x200006cc = 0x8001; *(uint32_t*)0x200006d0 = 9; *(uint32_t*)0x200006d4 = 1; *(uint32_t*)0x200006d8 = 9; *(uint32_t*)0x200006dc = r[21]; syscall(__NR_setsockopt, r[18], 0x84, 0xa, 0x200006c0, 0x20); break; case 77: syscall(__NR_ioctl, r[18], 0x800454d7, 0x20000700); break; case 78: memcpy((void*)0x20000740, "/selinux/user", 14); syscall(__NR_openat, 0xffffffffffffff9c, 0x20000740, 2, 0); break; case 79: *(uint32_t*)0x200007c0 = 4; syscall(__NR_getsockopt, r[18], 1, 0x10, 0x20000780, 0x200007c0); break; case 80: *(uint32_t*)0x20000800 = r[20]; syscall(__NR_setsockopt, r[18], 0x84, 0x78, 0x20000800, 4); break; case 81: *(uint32_t*)0x20000840 = r[21]; *(uint32_t*)0x20000844 = 0; *(uint32_t*)0x200008c0 = 8; syscall(__NR_getsockopt, r[18], 0x84, 0x6d, 0x20000840, 0x200008c0); break; case 82: *(uint32_t*)0x20000940 = 0xc; syscall(__NR_getpeername, r[18], 0x20000900, 0x20000940); break; case 83: memcpy((void*)0x20000980, "./file0", 8); *(uint64_t*)0x20000c00 = 0x200009c0; memcpy((void*)0x200009c0, "/dev/pktcdvd/control", 21); *(uint64_t*)0x20000c08 = 0x20000a00; memcpy((void*)0x20000a00, "com.apple.system.Security", 26); *(uint64_t*)0x20000c10 = 0x20000a40; memcpy((void*)0x20000a40, "/dev/pktcdvd/control", 21); *(uint64_t*)0x20000c18 = 0x20000a80; memcpy((void*)0x20000a80, "com.apple.system.Security", 26); *(uint64_t*)0x20000c20 = 0x20000ac0; 
memcpy((void*)0x20000ac0, "com.apple.system.Security", 26); *(uint64_t*)0x20000c28 = 0x20000b00; memcpy((void*)0x20000b00, "", 1); *(uint64_t*)0x20000c30 = 0x20000b40; memcpy((void*)0x20000b40, "\x5c\xb8\x74\x72\x75\x73\x74\x65\x64\x77\x6c\x61" "\x6e\x30\x75\x73\x65\x72\x5b\x00", 20); *(uint64_t*)0x20000c38 = 0x20000b80; memcpy((void*)0x20000b80, "systemv!", 9); *(uint64_t*)0x20000c40 = 0x20000bc0; memcpy((void*)0x20000bc0, "cpuseteth12[systemnodev^!vmnet0#*ppp1user,", 43); *(uint64_t*)0x20000cc0 = 0x20000c80; memcpy((void*)0x20000c80, ")", 2); syscall(__NR_execve, 0x20000980, 0x20000c00, 0x20000cc0); break; case 84: *(uint16_t*)0x20000d00 = 0xfff8; *(uint64_t*)0x20000d40 = 2; syscall(__NR_getsockopt, r[18], 0x112, 0xd, 0x20000d00, 0x20000d40); break; case 85: *(uint16_t*)0x20000d80 = 0xa; *(uint16_t*)0x20000d82 = htobe16(0x4e22); *(uint32_t*)0x20000d84 = 6; *(uint8_t*)0x20000d88 = 0xfe; *(uint8_t*)0x20000d89 = 0x80; *(uint8_t*)0x20000d8a = 0; *(uint8_t*)0x20000d8b = 0; *(uint8_t*)0x20000d8c = 0; *(uint8_t*)0x20000d8d = 0; *(uint8_t*)0x20000d8e = 0; *(uint8_t*)0x20000d8f = 0; *(uint8_t*)0x20000d90 = 0; *(uint8_t*)0x20000d91 = 0; *(uint8_t*)0x20000d92 = 0; *(uint8_t*)0x20000d93 = 0; *(uint8_t*)0x20000d94 = 0; *(uint8_t*)0x20000d95 = 0; *(uint8_t*)0x20000d96 = 0; *(uint8_t*)0x20000d97 = 0xbb; *(uint32_t*)0x20000d98 = 0x45a; syscall(__NR_setsockopt, r[18], 0x84, 0x6e, 0x20000d80, 0x1c); break; case 86: *(uint32_t*)0x20000e00 = 0xc; syscall(__NR_getsockopt, r[18], 0, 8, 0x20000dc0, 0x20000e00); break; case 87: memcpy((void*)0x20000f40, "./file0", 8); *(uint64_t*)0x20001100 = 0x20000f80; memcpy((void*)0x20000f80, "%", 2); *(uint64_t*)0x20001108 = 0x20000fc0; memcpy((void*)0x20000fc0, "cgroup", 7); *(uint64_t*)0x20001110 = 0x20001000; memcpy((void*)0x20001000, "\xa0\x00", 2); *(uint64_t*)0x20001118 = 0x20001040; memcpy((void*)0x20001040, "", 1); *(uint64_t*)0x20001120 = 0x20001080; memcpy((void*)0x20001080, "com.apple.system.Security", 26); *(uint64_t*)0x20001128 = 
0x200010c0; memcpy((void*)0x200010c0, "", 1); *(uint64_t*)0x20001300 = 0x20001140; memcpy((void*)0x20001140, "com.apple.system.Security", 26); *(uint64_t*)0x20001308 = 0x20001180; memcpy((void*)0x20001180, "", 1); *(uint64_t*)0x20001310 = 0x200011c0; memcpy((void*)0x200011c0, ")", 2); *(uint64_t*)0x20001318 = 0x20001200; memcpy((void*)0x20001200, ",--*vboxnet0[.", 15); *(uint64_t*)0x20001320 = 0x20001240; memcpy((void*)0x20001240, "systemv!", 9); *(uint64_t*)0x20001328 = 0x20001280; memcpy((void*)0x20001280, "mime_typel/em0wlan1user{bdevposix_acl_access/", 46); *(uint64_t*)0x20001330 = 0x200012c0; memcpy((void*)0x200012c0, "", 1); syscall(__NR_execve, 0x20000f40, 0x20001100, 0x20001300); break; case 88: *(uint64_t*)0x20001340 = 0; *(uint64_t*)0x20001348 = 0; *(uint64_t*)0x20001350 = 0; *(uint64_t*)0x20001358 = 0xffff; *(uint64_t*)0x20001360 = 1; *(uint32_t*)0x20001368 = 0; *(uint32_t*)0x2000136c = 0xf; *(uint32_t*)0x20001370 = 2; *(uint32_t*)0x20001374 = 0; memcpy((void*)0x20001378, "\x72\x74\x6d\xb2\xa3\xb9\xf3\xa4\xa5\x48\x4d\x9d\x2f\xb0\x2e\xee" "\xf2\x9b\x64\x10\x90\x4b\x95\x72\x9c\x8b\xf8\x52\xca\xad\x2c\x35" "\x9e\xf5\x96\x6b\x3e\x8e\x4a\xf8\xde\x1a\x95\x85\x75\x0b\x16\xcb" "\xde\x64\x89\x5c\xfe\xb5\x8a\x76\xfb\x7d\xad\x82\xd4\x44\x28\xfd", 64); memcpy((void*)0x200013b8, "\x92\x1e\x8b\xd9\x5c\x43\x15\x51\xe8\x1b\xcb\x5f\xe3\xc5\x8c\x85" "\x0a\x3d\x82\xa0\x92\xb5\x12\xe4\xaa\x97\x5b\x3d\x1c\x81\xe4\xeb" "\x80\x00\x0c\xfb\x3f\xc5\xd8\x74\x01\x02\x84\x54\xa9\xef\xb3\xf6" "\x69\x90\x40\x12\x80\x63\x15\xd8\xf9\x1d\x70\x38\xfc\x12\xf3\xee", 64); memcpy((void*)0x200013f8, "\x57\x24\x24\x36\xa3\x55\x03\x2c\x7e\xf5\x33\x2e" "\x69\x62\xa6\x34\x61\xab\x87\xae\x37\x13\xf0\x99" "\x43\x78\xbb\xb6\x48\x6c\xe1\xa9", 32); *(uint64_t*)0x20001418 = 9; *(uint64_t*)0x20001420 = 5; syscall(__NR_ioctl, r[18], 0x4c04, 0x20001340); break; case 89: *(uint32_t*)0x20001440 = 2; syscall(__NR_setsockopt, r[18], 0x29, 1, 0x20001440, 4); break; case 90: memcpy((void*)0x204cfff3, 
"/dev/snd/seq", 13); res = syz_open_dev(0x204cfff3, 0, 0); if (res != -1) r[22] = res; break; case 91: *(uint8_t*)0x20006fa8 = 0; *(uint8_t*)0x20006fa9 = 0; *(uint32_t*)0x20006fac = -1; *(uint32_t*)0x20006fb0 = 0; *(uint32_t*)0x20006fb4 = 0; *(uint8_t*)0x20006fb8 = 0; *(uint8_t*)0x20006fb9 = 0; *(uint8_t*)0x20006fba = 0; *(uint32_t*)0x20006fbc = 0; *(uint8_t*)0x20006fc0 = 0; *(uint8_t*)0x20006fc1 = 0; *(uint8_t*)0x20006fc2 = 0; *(uint8_t*)0x20006fc3 = 0; *(uint8_t*)0x20006fc4 = 0; *(uint8_t*)0x20006fc5 = 0; *(uint8_t*)0x20006fc6 = 0; *(uint8_t*)0x20006fc7 = 0; *(uint8_t*)0x20006fc8 = 0; *(uint8_t*)0x20006fc9 = 0; *(uint8_t*)0x20006fca = 0; *(uint8_t*)0x20006fcb = 0; *(uint8_t*)0x20006fcc = 0; *(uint8_t*)0x20006fcd = 0; *(uint8_t*)0x20006fce = 0; *(uint8_t*)0x20006fcf = 0; *(uint8_t*)0x20006fd0 = 0; *(uint8_t*)0x20006fd1 = 0; *(uint8_t*)0x20006fd2 = 0; *(uint8_t*)0x20006fd3 = 0; *(uint8_t*)0x20006fd4 = 0; *(uint8_t*)0x20006fd5 = 0; *(uint8_t*)0x20006fd6 = 0; *(uint8_t*)0x20006fd7 = 0; *(uint8_t*)0x20006fd8 = 0; *(uint8_t*)0x20006fd9 = 0; *(uint8_t*)0x20006fda = 0; *(uint8_t*)0x20006fdb = 0; *(uint8_t*)0x20006fdc = 0; *(uint8_t*)0x20006fdd = 0; *(uint8_t*)0x20006fde = 0; *(uint8_t*)0x20006fdf = 0; *(uint8_t*)0x20006fe0 = 0; *(uint8_t*)0x20006fe1 = 0; *(uint8_t*)0x20006fe2 = 0; *(uint8_t*)0x20006fe3 = 0; *(uint8_t*)0x20006fe4 = 0; *(uint8_t*)0x20006fe5 = 0; *(uint8_t*)0x20006fe6 = 0; *(uint8_t*)0x20006fe7 = 0; *(uint8_t*)0x20006fe8 = 0; *(uint8_t*)0x20006fe9 = 0; *(uint8_t*)0x20006fea = 0; *(uint8_t*)0x20006feb = 0; *(uint8_t*)0x20006fec = 0; *(uint8_t*)0x20006fed = 0; *(uint8_t*)0x20006fee = 0; *(uint8_t*)0x20006fef = 0; *(uint8_t*)0x20006ff0 = 0; *(uint8_t*)0x20006ff1 = 0; *(uint8_t*)0x20006ff2 = 0; *(uint8_t*)0x20006ff3 = 0; *(uint8_t*)0x20006ff4 = 0; *(uint8_t*)0x20006ff5 = 0; *(uint8_t*)0x20006ff6 = 0; *(uint8_t*)0x20006ff7 = 0; *(uint8_t*)0x20006ff8 = 0; *(uint8_t*)0x20006ff9 = 0; *(uint8_t*)0x20006ffa = 0; *(uint8_t*)0x20006ffb = 0; *(uint8_t*)0x20006ffc = 0; 
*(uint8_t*)0x20006ffd = 0; *(uint8_t*)0x20006ffe = 0; *(uint8_t*)0x20006fff = 0; syscall(__NR_ioctl, r[22], 0xc058534f, 0x20006fa8); break; case 92: memcpy((void*)0x20000000, "/dev/sequencer", 15); res = syscall(__NR_openat, 0xffffffffffffff9c, 0x20000000, 0x84000, 0); if (res != -1) r[23] = res; break; case 93: syscall(__NR_ioctl, r[23], 0x8903, 0x20000440); break; case 94: *(uint32_t*)0x20000480 = 0x1000; *(uint64_t*)0x200004c0 = 4; syscall(__NR_getsockopt, r[23], 0x112, 7, 0x20000480, 0x200004c0); break; case 95: res = syscall(__NR_socket, 0xa, 1, 0); if (res != -1) r[24] = res; break; case 96: syscall(__NR_socket, 0xa, 3, 0x3a); break; case 97: syscall(__NR_setns, r[24], 0xc000000); break; case 98: *(uint32_t*)0x20494000 = 4; syscall(__NR_getsockopt, r[24], 1, 0x2c, 0x2047a000, 0x20494000); break; case 99: res = syscall(__NR_socket, 2, 2, 0); if (res != -1) r[25] = res; break; case 100: memcpy((void*)0x20000100, "\x74\x75\x6e\x6c\x30\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", 16); *(uint16_t*)0x20000110 = 2; *(uint16_t*)0x20000112 = htobe16(0x4e20); *(uint32_t*)0x20000114 = htobe32(0x7f000001); *(uint8_t*)0x20000118 = 0; *(uint8_t*)0x20000119 = 0; *(uint8_t*)0x2000011a = 0; *(uint8_t*)0x2000011b = 0; *(uint8_t*)0x2000011c = 0; *(uint8_t*)0x2000011d = 0; *(uint8_t*)0x2000011e = 0; *(uint8_t*)0x2000011f = 0; syscall(__NR_ioctl, r[25], 0x891a, 0x20000100); break; case 101: *(uint64_t*)0x20000400 = 0x20000080; *(uint16_t*)0x20000080 = 0x26; memcpy((void*)0x20000082, "\x72\x6e\x67\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", 14); *(uint32_t*)0x20000090 = 0; *(uint32_t*)0x20000094 = 0; memcpy((void*)0x20000098, "\x6a\x69\x74\x74\x65\x72\x65\x6e\x74\x72\x6f\x70\x79\x5f\x72\x6e" "\x67\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", 64); *(uint32_t*)0x20000408 = 0x80; *(uint64_t*)0x20000410 = 0x200003c0; 
*(uint64_t*)0x200003c0 = 0x20000100; *(uint64_t*)0x200003c8 = 0; *(uint64_t*)0x20000418 = 1; *(uint64_t*)0x20000420 = 0; *(uint64_t*)0x20000428 = 0; *(uint32_t*)0x20000430 = 0x40; syscall(__NR_sendmsg, -1, 0x20000400, 0); break; case 102: syscall(__NR_socket, 0x10, 3, 0); break; case 103: res = syscall(__NR_socket, 0x11, 2, 0x300); if (res != -1) r[26] = res; break; case 104: *(uint32_t*)0x20006ffc = 6; syscall(__NR_setsockopt, r[26], 0x107, 0x14, 0x20006ffc, 4); break; case 105: *(uint16_t*)0x20008000 = 0xa; *(uint16_t*)0x20008002 = htobe16(0x4e20); *(uint32_t*)0x20008004 = 4; *(uint8_t*)0x20008008 = -1; *(uint8_t*)0x20008009 = 2; *(uint8_t*)0x2000800a = 0; *(uint8_t*)0x2000800b = 0; *(uint8_t*)0x2000800c = 0; *(uint8_t*)0x2000800d = 0; *(uint8_t*)0x2000800e = 0; *(uint8_t*)0x2000800f = 0; *(uint8_t*)0x20008010 = 0; *(uint8_t*)0x20008011 = 0; *(uint8_t*)0x20008012 = 0; *(uint8_t*)0x20008013 = 0; *(uint8_t*)0x20008014 = 0; *(uint8_t*)0x20008015 = 0; *(uint8_t*)0x20008016 = 0; *(uint8_t*)0x20008017 = 1; *(uint32_t*)0x20008018 = 0; syscall(__NR_sendto, r[26], 0x20010000, 0, 0, 0x20008000, 0x1c); break; case 106: res = syscall(__NR_socket, 0x18, 1, 1); if (res != -1) r[27] = res; break; case 107: syscall(__NR_ioctl, -1, 0x540b, 0); break; case 108: memcpy((void*)0x20000080, "/dev/input/mice", 16); res = syz_open_dev(0x20000080, 0, 0); if (res != -1) r[28] = res; break; case 109: syscall(__NR_ioctl, r[28], 0x80605414, 0x20000500); break; case 110: *(uint16_t*)0x20e71000 = 0x18; *(uint32_t*)0x20e71002 = 1; *(uint32_t*)0x20e71006 = 0; *(uint32_t*)0x20e7100a = -1; *(uint16_t*)0x20e7100e = 2; *(uint16_t*)0x20e71010 = 0; *(uint16_t*)0x20e71012 = 0; *(uint16_t*)0x20e71014 = 0; *(uint16_t*)0x20e71016 = 0xa; *(uint16_t*)0x20e71018 = htobe16(0x4e20); *(uint32_t*)0x20e7101a = 0; *(uint8_t*)0x20e7101e = -1; *(uint8_t*)0x20e7101f = 1; *(uint8_t*)0x20e71020 = 0; *(uint8_t*)0x20e71021 = 0; *(uint8_t*)0x20e71022 = 0; *(uint8_t*)0x20e71023 = 0; *(uint8_t*)0x20e71024 = 0; 
*(uint8_t*)0x20e71025 = 0; *(uint8_t*)0x20e71026 = 0; *(uint8_t*)0x20e71027 = 0; *(uint8_t*)0x20e71028 = 0; *(uint8_t*)0x20e71029 = 0; *(uint8_t*)0x20e7102a = 0; *(uint8_t*)0x20e7102b = 0; *(uint8_t*)0x20e7102c = 0; *(uint8_t*)0x20e7102d = 1; *(uint32_t*)0x20e7102e = 0; syscall(__NR_connect, r[27], 0x20e71000, 0x2e6); break; case 111: memcpy((void*)0x20efa000, "./file0", 8); syscall(__NR_mkdir, 0x20efa000, 0); break; case 112: memcpy((void*)0x20000340, "/selinux/avc/cache_threshold", 29); syscall(__NR_openat, 0xffffffffffffff9c, 0x20000340, 2, 0); break; case 113: memcpy((void*)0x20000000, "./file0/file0", 14); res = syscall(__NR_creat, 0x20000000, 0); if (res != -1) r[29] = res; break; case 114: memcpy((void*)0x200003c0, "./file0/file0", 14); memcpy((void*)0x20000400, "./file0/file0", 14); memcpy((void*)0x20000440, "qnx6", 5); syscall(__NR_mount, 0x200003c0, 0x20000400, 0x20000440, 0x811, 0x20000480); break; case 115: memcpy((void*)0x20000140, "./file0/file0", 14); memcpy((void*)0x20000100, "./file0", 8); memcpy((void*)0x200000c0, "v7", 3); syscall(__NR_mount, 0x20000140, 0x20000100, 0x200000c0, 0x2000, 0x20000040); break; case 116: syscall(__NR_socketpair, 0xa, 0x80001, 1, 0x200028c0); break; case 117: syscall(__NR_ioctl, r[29], 0x80044584, 0x20000180); break; case 118: syscall(__NR_getpriority, 2, 0); break; case 119: syscall(__NR_setregid, 0, 0); break; case 120: memcpy((void*)0x20000040, "threaded", 9); syscall(__NR_write, r[29], 0x20000040, 9); break; case 121: memcpy((void*)0x20000000, "/selinux/mls", 13); syscall(__NR_openat, 0xffffffffffffff9c, 0x20000000, 0, 0); break; case 122: memcpy((void*)0x20000100, "./cgroup.cpu", 13); res = syscall(__NR_openat, 0xffffffffffffff9c, 0x20000100, 0x200002, 0); if (res != -1) r[30] = res; break; case 123: memcpy((void*)0x20000040, "/dev/sg#", 9); res = syz_open_dev(0x20000040, 0x6120, 0x101000); if (res != -1) r[31] = res; break; case 124: syscall(__NR_fcntl, r[30], 0x40b, 0x20000180); break; case 125: 
syscall(__NR_write, r[31], 0x20000280, 0); break; case 126: syscall(__NR_fchdir, r[30]); break; case 127: memcpy((void*)0x20000700, "./bus", 6); res = syscall(__NR_creat, 0x20000700, 0); if (res != -1) r[32] = res; break; case 128: syscall(__NR_ioctl, r[31], 0x5462, 0x20000080); break; case 129: syscall(__NR_ftruncate, -1, 0x80003); break; case 130: *(uint64_t*)0x20d83ff8 = 0; syscall(__NR_sendfile, r[32], -1, 0x20d83ff8, 0x8000fffffffe); break; case 131: syscall(__NR_ioctl, r[31], 0x80084503, 0x20000200); break; case 132: res = syscall(__NR_socket, 0x10, 3, 6); if (res != -1) r[33] = res; break; case 133: *(uint64_t*)0x200000c0 = 0x20000040; *(uint16_t*)0x20000040 = 0x10; *(uint16_t*)0x20000042 = 0; *(uint32_t*)0x20000044 = 0; *(uint32_t*)0x20000048 = 0; *(uint32_t*)0x200000c8 = 0xc; *(uint64_t*)0x200000d0 = 0x20000080; *(uint64_t*)0x20000080 = 0x200001c0; *(uint32_t*)0x200001c0 = 0; *(uint64_t*)0x20000088 = 3; *(uint64_t*)0x200000d8 = 1; *(uint64_t*)0x200000e0 = 0; *(uint64_t*)0x200000e8 = 0; *(uint32_t*)0x200000f0 = 0; syscall(__NR_sendmsg, r[33], 0x200000c0, 0); break; case 134: memcpy((void*)0x20000000, "/dev/vga_arbiter", 17); res = syscall(__NR_openat, 0xffffffffffffff9c, 0x20000000, 0xd0240, 0); if (res != -1) r[34] = res; break; case 135: memcpy((void*)0x20000100, "\x62\x63\x73\x68\x30\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", 16); *(uint16_t*)0x20000110 = 4; *(uint16_t*)0x20000112 = htobe16(8); *(uint32_t*)0x20000114 = htobe32(8); memcpy((void*)0x20000118, "\xa9\xde\x17\x69\x15\x2f", 6); *(uint8_t*)0x2000011e = 3; *(uint8_t*)0x2000011f = 0; syscall(__NR_ioctl, r[34], 0x8915, 0x20000100); break; case 136: *(uint64_t*)0x200066c0 = 0; *(uint32_t*)0x200066c8 = 0; *(uint64_t*)0x200066d0 = 0x20001a80; *(uint64_t*)0x20001a80 = 0x200019c0; *(uint64_t*)0x20001a88 = 0; *(uint64_t*)0x200066d8 = 1; *(uint64_t*)0x200066e0 = 0x20001b40; *(uint64_t*)0x200066e8 = 0; *(uint32_t*)0x200066f0 = 0; *(uint32_t*)0x200066f8 = 0; *(uint64_t*)0x20006700 = 0x20002540; 
*(uint16_t*)0x20002540 = 0; memcpy((void*)0x20002542, "\x2e\x2f\x66\x69\x6c\x65\x30\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", 108); *(uint32_t*)0x20006708 = 0x80; *(uint64_t*)0x20006710 = 0x20003980; *(uint64_t*)0x20006718 = 0; *(uint64_t*)0x20006720 = 0x20003a00; *(uint64_t*)0x20006728 = 0; *(uint32_t*)0x20006730 = 0; *(uint32_t*)0x20006738 = 0; syscall(__NR_sendmmsg, -1, 0x200066c0, 2, 0); break; case 137: *(uint32_t*)0x20000040 = 0; *(uint32_t*)0x20000044 = 0xd61; *(uint32_t*)0x20000048 = 0xffff6633; *(uint32_t*)0x2000004c = 1; *(uint32_t*)0x20000050 = 7; *(uint32_t*)0x20000054 = 0x29b; syscall(__NR_ioctl, -1, 0x401845e0, 0x20000040); break; case 138: memcpy((void*)0x20000000, "./file0", 8); res = syscall(__NR_creat, 0x20000000, 8); if (res != -1) r[35] = res; break; case 139: res = syscall(__NR_socket, 0x11, 3, 0x300); if (res != -1) r[36] = res; break; case 140: *(uint16_t*)0x20000040 = 0x28; *(uint16_t*)0x20000042 = 0; *(uint32_t*)0x20000044 = 0; *(uint32_t*)0x20000048 = -1; *(uint32_t*)0x2000004c = 0; res = syscall(__NR_accept4, -1, 0x20000040, 0x10, 0x800); if (res != -1) r[37] = res; break; case 141: memcpy((void*)0x200000c0, "./file0", 8); res = syscall(__NR_creat, 0x200000c0, 0x11); if (res != -1) r[38] = res; break; case 142: *(uint32_t*)0x20000100 = r[35]; *(uint16_t*)0x20000104 = 0x2000; *(uint16_t*)0x20000106 = 0; *(uint32_t*)0x20000108 = r[36]; *(uint16_t*)0x2000010c = 8; *(uint16_t*)0x2000010e = 0; *(uint32_t*)0x20000110 = r[37]; *(uint16_t*)0x20000114 = 0x1000; *(uint16_t*)0x20000116 = 0; *(uint32_t*)0x20000118 = r[38]; *(uint16_t*)0x2000011c = 0x6088; 
*(uint16_t*)0x2000011e = 0; syscall(__NR_poll, 0x20000100, 4, 0x1e); break; case 143: memcpy((void*)0x20000080, "/dev/snd/seq", 13); res = syz_open_dev(0x20000080, 0, 0); if (res != -1) r[39] = res; break; case 144: *(uint8_t*)0x20000140 = 0; *(uint8_t*)0x20000141 = 1; *(uint8_t*)0x20000142 = 0xf; *(uint8_t*)0x20000143 = 1; *(uint32_t*)0x20000144 = 0; *(uint32_t*)0x20000148 = 0; *(uint8_t*)0x2000014c = 0; *(uint8_t*)0x2000014d = 0; *(uint8_t*)0x2000014e = 0; *(uint8_t*)0x2000014f = 0; *(uint8_t*)0x20000150 = 0; *(uint8_t*)0x20000151 = 0; *(uint8_t*)0x20000152 = 0; *(uint8_t*)0x20000153 = 0; *(uint8_t*)0x20000154 = 0; *(uint8_t*)0x20000155 = 0; *(uint8_t*)0x20000156 = 0; *(uint8_t*)0x20000157 = 0; *(uint8_t*)0x20000158 = 0; *(uint8_t*)0x20000159 = 0; *(uint8_t*)0x2000015a = 0; *(uint8_t*)0x2000015b = 0; *(uint8_t*)0x2000015c = 0; *(uint8_t*)0x2000015d = 0; *(uint8_t*)0x2000015e = 0; *(uint8_t*)0x2000015f = 0; *(uint8_t*)0x20000160 = 0; *(uint8_t*)0x20000161 = 0; *(uint8_t*)0x20000162 = 0; *(uint8_t*)0x20000163 = 0; *(uint8_t*)0x20000164 = 0; *(uint8_t*)0x20000165 = 0; *(uint8_t*)0x20000166 = 0; *(uint8_t*)0x20000167 = 0; *(uint8_t*)0x20000168 = 0; *(uint8_t*)0x20000169 = 0; *(uint8_t*)0x2000016a = 0; *(uint8_t*)0x2000016b = 0; *(uint8_t*)0x2000016c = 0; *(uint8_t*)0x2000016d = 0; *(uint8_t*)0x2000016e = 0; *(uint8_t*)0x2000016f = 0; *(uint8_t*)0x20000170 = 0; *(uint8_t*)0x20000171 = 0; *(uint8_t*)0x20000172 = 0; *(uint8_t*)0x20000173 = 0; *(uint8_t*)0x20000174 = 0; *(uint8_t*)0x20000175 = 0; *(uint8_t*)0x20000176 = 0; *(uint8_t*)0x20000177 = 0; *(uint8_t*)0x20000178 = 0; *(uint8_t*)0x20000179 = 0; *(uint8_t*)0x2000017a = 0; *(uint8_t*)0x2000017b = 0; *(uint8_t*)0x2000017c = 0; *(uint8_t*)0x2000017d = 0; *(uint8_t*)0x2000017e = 0; *(uint8_t*)0x2000017f = 0; *(uint8_t*)0x20000180 = 0; *(uint8_t*)0x20000181 = 0; *(uint8_t*)0x20000182 = 0; *(uint8_t*)0x20000183 = 0; *(uint8_t*)0x20000184 = 0; *(uint8_t*)0x20000185 = 0; *(uint8_t*)0x20000186 = 0; *(uint8_t*)0x20000187 = 
0; *(uint8_t*)0x20000188 = 0; *(uint8_t*)0x20000189 = 0; *(uint8_t*)0x2000018a = 0; *(uint8_t*)0x2000018b = 0; *(uint8_t*)0x2000018c = 0; *(uint8_t*)0x2000018d = 0; *(uint8_t*)0x2000018e = 0; *(uint8_t*)0x2000018f = 0; syscall(__NR_ioctl, r[39], 0xc0505350, 0x20000140); break; case 145: *(uint64_t*)0x2078b000 = 0xfffffffffffffffa; syscall(__NR_rt_sigprocmask, 0, 0x2078b000, 0, 8); break; case 146: *(uint64_t*)0x20533fa0 = 0; *(uint32_t*)0x20533fa8 = 0x21; *(uint32_t*)0x20533fac = 4; *(uint32_t*)0x20533fb0 = 0; syscall(__NR_timer_create, 7, 0x20533fa0, 0x20bbdffc); break; case 147: *(uint64_t*)0x20000080 = 0; *(uint64_t*)0x20000088 = 0; *(uint64_t*)0x20000090 = 0; *(uint64_t*)0x20000098 = 0; *(uint64_t*)0x200000a0 = 0; *(uint64_t*)0x200000a8 = 0; *(uint64_t*)0x200000b0 = 0; *(uint64_t*)0x200000b8 = 0; *(uint64_t*)0x20000fc0 = 0; *(uint64_t*)0x20000fc8 = 0; *(uint64_t*)0x20000fd0 = 0; *(uint64_t*)0x20000fd8 = 0; *(uint64_t*)0x20000fe0 = 0; *(uint64_t*)0x20000fe8 = 0; *(uint64_t*)0x20000ff0 = 0; *(uint64_t*)0x20000ff8 = 0; *(uint64_t*)0x20013fc0 = 0; *(uint64_t*)0x20013fc8 = 0; *(uint64_t*)0x20013fd0 = 0; *(uint64_t*)0x20013fd8 = 0; *(uint64_t*)0x20013fe0 = 0; *(uint64_t*)0x20013fe8 = 0; *(uint64_t*)0x20013ff0 = 0; *(uint64_t*)0x20013ff8 = 0; *(uint64_t*)0x20000000 = 0; *(uint64_t*)0x20000008 = 0x989680; *(uint64_t*)0x20000ff0 = 0x20000040; *(uint64_t*)0x20000040 = 0; *(uint64_t*)0x20000ff8 = 8; syscall(__NR_pselect6, 0x40, 0x20000080, 0x20000fc0, 0x20013fc0, 0x20000000, 0x20000ff0); break; case 148: memcpy((void*)0x200002c0, "/dev/urandom", 13); syz_open_dev(0x200002c0, 0, 0x400400); break; case 149: syscall(__NR_dup2, 0xffffff9c, 0xffffff9c); break; case 150: syscall(__NR_socket, 0x10, 3, 0x15); break; case 151: syscall(__NR_socketpair, 2, 2, 1, 0x20000300); break; case 152: syscall(__NR_socketpair, 1, 3, 0, 0x20000340); break; case 153: syscall(__NR_timerfd_create, 0, 0x80000); break; case 154: res = syscall(__NR_socketpair, 0xa, 3, 0x3a, 0x20000380); if (res != 
-1) r[40] = *(uint32_t*)0x20000384; break; case 155: syscall(__NR_close, r[40]); break; case 156: res = syscall(__NR_socket, 0xa, 1, 0); if (res != -1) r[41] = res; break; case 157: *(uint32_t*)0x20000940 = 1; *(uint32_t*)0x20000944 = 0xde; syscall(__NR_setsockopt, r[41], 1, 0xd, 0x20000940, 8); break; case 158: *(uint16_t*)0x20000300 = 0xa; *(uint16_t*)0x20000302 = htobe16(0); *(uint32_t*)0x20000304 = 0; *(uint64_t*)0x20000308 = htobe64(0); *(uint64_t*)0x20000310 = htobe64(1); *(uint32_t*)0x20000318 = 0; *(uint16_t*)0x20000380 = 0; *(uint16_t*)0x20000382 = 6; *(uint32_t*)0x20000384 = 0; memcpy((void*)0x20000388, "\x37\xb5\xe9\xef\x25\x3b\x4a\x17\x81\x4c\x1b\x38\xc9\xb8\x1a\x56" "\xa3\x97\xda\x8b\xcd\xab\xdd\x0e\x93\x83\xbc\xf6\x22\xda\x24\xec" "\xb5\xf4\xff\x8b\x35\x3a\x40\xeb\x80\x32\xa5\xb6\x4a\x6f\xe5\x07" "\x3a\x33\x4e\xeb\x3b\x30\xa3\x54\x76\x0c\xc0\xb9\xd1\x4f\x33\x63" "\x18\x0e\x01\x22\x2d\xb4\xb1\x30\xca\x85\xa3\x73\x74\x0d\x1e\x60", 80); syscall(__NR_setsockopt, r[41], 6, 0xe, 0x20000300, 0xd8); break; case 159: memcpy((void*)0x20000000, "/proc/self/net/pfkey", 21); res = syscall(__NR_openat, 0xffffffffffffff9c, 0x20000000, 0x20100, 0); if (res != -1) r[42] = res; break; case 160: *(uint32_t*)0x200000c0 = 0x14; syscall(__NR_getsockopt, r[42], 6, 0x1d, 0x20000040, 0x200000c0); break; case 161: *(uint16_t*)0x204b5ff0 = 1; *(uint64_t*)0x204b5ff8 = 0x20acbff8; *(uint16_t*)0x20acbff8 = 6; *(uint8_t*)0x20acbffa = 0; *(uint8_t*)0x20acbffb = 0; *(uint32_t*)0x20acbffc = 6; syscall(__NR_setsockopt, r[41], 1, 0x1a, 0x204b5ff0, 0x10); break; case 162: *(uint32_t*)0x20000080 = 0; *(uint32_t*)0x20000084 = 0; syscall(__NR_setsockopt, -1, 0x84, 0x11, 0x20000080, 8); break; case 163: *(uint16_t*)0x20000880 = 0xa; *(uint16_t*)0x20000882 = htobe16(0x4e22); *(uint32_t*)0x20000884 = 0; *(uint8_t*)0x20000888 = 0; *(uint8_t*)0x20000889 = 0; *(uint8_t*)0x2000088a = 0; *(uint8_t*)0x2000088b = 0; *(uint8_t*)0x2000088c = 0; *(uint8_t*)0x2000088d = 0; *(uint8_t*)0x2000088e = 0; 
*(uint8_t*)0x2000088f = 0; *(uint8_t*)0x20000890 = 0; *(uint8_t*)0x20000891 = 0; *(uint8_t*)0x20000892 = 0; *(uint8_t*)0x20000893 = 0; *(uint8_t*)0x20000894 = 0; *(uint8_t*)0x20000895 = 0; *(uint8_t*)0x20000896 = 0; *(uint8_t*)0x20000897 = 0; *(uint32_t*)0x20000898 = 0; syscall(__NR_bind, r[41], 0x20000880, 0xff67); break; case 164: res = syscall(__NR_socketpair, 0, 0, 0, 0x20000540); if (res != -1) r[43] = *(uint32_t*)0x20000544; break; case 165: *(uint64_t*)0x20000680 = 0; *(uint64_t*)0x20000688 = 0; *(uint64_t*)0x20000690 = 0; *(uint64_t*)0x20000698 = 0; syscall(__NR_ioctl, -1, 0xc0206434, 0x20000680); break; case 166: *(uint64_t*)0x200006c0 = 0; *(uint64_t*)0x200006c8 = 0; syscall(__NR_ioctl, -1, 0xc0106438, 0x200006c0); break; case 167: *(uint32_t*)0x20000200 = 0; syscall(__NR_setsockopt, -1, 0x84, 0x21, 0x20000200, 4); break; case 168: *(uint16_t*)0x20000100 = 0xa; *(uint16_t*)0x20000102 = htobe16(0); *(uint32_t*)0x20000104 = 0; *(uint8_t*)0x20000108 = -1; *(uint8_t*)0x20000109 = 2; *(uint8_t*)0x2000010a = 0; *(uint8_t*)0x2000010b = 0; *(uint8_t*)0x2000010c = 0; *(uint8_t*)0x2000010d = 0; *(uint8_t*)0x2000010e = 0; *(uint8_t*)0x2000010f = 0; *(uint8_t*)0x20000110 = 0; *(uint8_t*)0x20000111 = 0; *(uint8_t*)0x20000112 = 0; *(uint8_t*)0x20000113 = 0; *(uint8_t*)0x20000114 = 0; *(uint8_t*)0x20000115 = 0; *(uint8_t*)0x20000116 = 0; *(uint8_t*)0x20000117 = 1; *(uint32_t*)0x20000118 = 0; *(uint16_t*)0x2000011c = 0xa; *(uint16_t*)0x2000011e = htobe16(0); *(uint32_t*)0x20000120 = 0; *(uint8_t*)0x20000124 = -1; *(uint8_t*)0x20000125 = 2; *(uint8_t*)0x20000126 = 0; *(uint8_t*)0x20000127 = 0; *(uint8_t*)0x20000128 = 0; *(uint8_t*)0x20000129 = 0; *(uint8_t*)0x2000012a = 0; *(uint8_t*)0x2000012b = 0; *(uint8_t*)0x2000012c = 0; *(uint8_t*)0x2000012d = 0; *(uint8_t*)0x2000012e = 0; *(uint8_t*)0x2000012f = 0; *(uint8_t*)0x20000130 = 0; *(uint8_t*)0x20000131 = 0; *(uint8_t*)0x20000132 = 0; *(uint8_t*)0x20000133 = 1; *(uint32_t*)0x20000134 = 0; *(uint16_t*)0x20000138 = 0; 
*(uint32_t*)0x2000013c = 0; *(uint32_t*)0x20000140 = 0; *(uint32_t*)0x20000144 = 0; *(uint32_t*)0x20000148 = 0; *(uint32_t*)0x2000014c = 0; *(uint32_t*)0x20000150 = 0; *(uint32_t*)0x20000154 = 0; *(uint32_t*)0x20000158 = 0; syscall(__NR_setsockopt, -1, 0x29, 0xd3, 0x20000100, 0x5c); break; case 169: *(uint16_t*)0x2072e000 = 0xa; *(uint16_t*)0x2072e002 = htobe16(0x4e22); *(uint32_t*)0x2072e004 = 0; *(uint64_t*)0x2072e008 = htobe64(0); *(uint64_t*)0x2072e010 = htobe64(1); *(uint32_t*)0x2072e018 = 0; syscall(__NR_sendto, r[41], 0x202a0b14, 0, 0x200408d4, 0x2072e000, 0x1c); break; case 170: memcpy((void*)0x20000240, "\x48\x4c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00", 29); *(uint8_t*)0x2000025d = 0; *(uint32_t*)0x20000280 = 0x1e; syscall(__NR_getsockopt, r[43], 0, 0x63, 0x20000240, 0x20000280); break; case 171: *(uint16_t*)0x20ad9000 = 0x11; *(uint16_t*)0x20ad9002 = htobe16(0); *(uint32_t*)0x20ad9004 = 0; *(uint16_t*)0x20ad9008 = 1; *(uint8_t*)0x20ad900a = 0; *(uint8_t*)0x20ad900b = 6; *(uint8_t*)0x20ad900c = 0xaa; *(uint8_t*)0x20ad900d = 0xaa; *(uint8_t*)0x20ad900e = 0xaa; *(uint8_t*)0x20ad900f = 0xaa; *(uint8_t*)0x20ad9010 = 0; *(uint8_t*)0x20ad9011 = 0; *(uint8_t*)0x20ad9012 = 0; *(uint8_t*)0x20ad9013 = 0; syscall(__NR_sendto, r[41], 0x2092d000, 0, 1, 0x20ad9000, 0x80); break; case 172: syscall(__NR_close, r[41]); break; case 173: memcpy((void*)0x20000080, "net/ip_vs", 10); res = syz_open_procfs(0, 0x20000080); if (res != -1) r[44] = res; break; case 174: *(uint64_t*)0x20000000 = 0x20000280; *(uint64_t*)0x20000008 = 0xb3; syscall(__NR_preadv, r[44], 0x20000000, 1, 0); break; case 175: *(uint16_t*)0x20000040 = 1; *(uint16_t*)0x20000042 = 8; *(uint8_t*)0x20000044 = 0xaa; *(uint8_t*)0x20000045 = 0xaa; *(uint8_t*)0x20000046 = 0xaa; *(uint8_t*)0x20000047 = 0xaa; *(uint8_t*)0x20000048 = 0xaa; *(uint8_t*)0x20000049 = 0xaa; *(uint8_t*)0x2000004a = 0xaa; *(uint8_t*)0x2000004b = 0xaa; 
*(uint8_t*)0x2000004c = 0xaa; *(uint8_t*)0x2000004d = 0xaa; *(uint8_t*)0x2000004e = 0xaa; *(uint8_t*)0x2000004f = 0xbb; *(uint8_t*)0x20000050 = -1; *(uint8_t*)0x20000051 = -1; *(uint8_t*)0x20000052 = -1; *(uint8_t*)0x20000053 = -1; *(uint8_t*)0x20000054 = -1; *(uint8_t*)0x20000055 = -1; *(uint8_t*)0x20000056 = 0xaa; *(uint8_t*)0x20000057 = 0xaa; *(uint8_t*)0x20000058 = 0xaa; *(uint8_t*)0x20000059 = 0xaa; *(uint8_t*)0x2000005a = 0xaa; *(uint8_t*)0x2000005b = 0xbb; *(uint8_t*)0x2000005c = 0; *(uint8_t*)0x2000005d = 0; *(uint8_t*)0x2000005e = 0; *(uint8_t*)0x2000005f = 0; *(uint8_t*)0x20000060 = 0; *(uint8_t*)0x20000061 = 0; *(uint8_t*)0x20000062 = 0; *(uint8_t*)0x20000063 = 0; *(uint8_t*)0x20000064 = 0; *(uint8_t*)0x20000065 = 0; *(uint8_t*)0x20000066 = 0; *(uint8_t*)0x20000067 = 0; *(uint8_t*)0x20000068 = -1; *(uint8_t*)0x20000069 = -1; *(uint8_t*)0x2000006a = -1; *(uint8_t*)0x2000006b = -1; *(uint8_t*)0x2000006c = -1; *(uint8_t*)0x2000006d = -1; *(uint8_t*)0x2000006e = -1; *(uint8_t*)0x2000006f = -1; *(uint8_t*)0x20000070 = -1; *(uint8_t*)0x20000071 = -1; *(uint8_t*)0x20000072 = -1; *(uint8_t*)0x20000073 = -1; syscall(__NR_ioctl, r[44], 0x400454d1, 0x20000040); break; case 176: syscall(__NR_ioctl, r[44], 0x4b65, 0x1000000000002); break; case 177: memcpy((void*)0x20000100, "/dev/sg#", 9); res = syz_open_dev(0x20000100, 0, 2); if (res != -1) r[45] = res; break; case 178: syscall(__NR_munlock, 0x20ffa000, 0x4000); break; case 179: syscall(__NR_write, r[45], 0x20000000, 0); break; case 180: syscall(__NR_mlock2, 0x20ffb000, 0x3000, 0); break; case 181: *(uint64_t*)0x2085dff0 = 0x20e94000; *(uint64_t*)0x2085dff8 = 0x10024; syscall(__NR_readv, r[45], 0x2085dff0, 0x146); break; case 182: res = syscall(__NR_socket, 2, 2, 0); if (res != -1) r[46] = res; break; case 183: memcpy((void*)0x20000100, "\x74\x75\x6e\x6c\x30\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", 16); *(uint16_t*)0x20000110 = 2; *(uint16_t*)0x20000112 = htobe16(0x4e20); *(uint32_t*)0x20000114 = 
htobe32(0x7f000001); *(uint8_t*)0x20000118 = 0; *(uint8_t*)0x20000119 = 0; *(uint8_t*)0x2000011a = 0; *(uint8_t*)0x2000011b = 0; *(uint8_t*)0x2000011c = 0; *(uint8_t*)0x2000011d = 0; *(uint8_t*)0x2000011e = 0; *(uint8_t*)0x2000011f = 0; syscall(__NR_ioctl, r[46], 0x891a, 0x20000100); break; case 184: *(uint64_t*)0x20000400 = 0x20000080; *(uint16_t*)0x20000080 = 0x26; memcpy((void*)0x20000082, "\x72\x6e\x67\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", 14); *(uint32_t*)0x20000090 = 0; *(uint32_t*)0x20000094 = 0; memcpy((void*)0x20000098, "\x6a\x69\x74\x74\x65\x72\x65\x6e\x74\x72\x6f\x70\x79\x5f\x72\x6e" "\x67\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", 64); *(uint32_t*)0x20000408 = 0x80; *(uint64_t*)0x20000410 = 0x200003c0; *(uint64_t*)0x200003c0 = 0x20000100; *(uint64_t*)0x200003c8 = 0; *(uint64_t*)0x20000418 = 1; *(uint64_t*)0x20000420 = 0; *(uint64_t*)0x20000428 = 0; *(uint32_t*)0x20000430 = 0x40; syscall(__NR_sendmsg, -1, 0x20000400, 0); break; case 185: syscall(__NR_socket, 0x10, 3, 0); break; case 186: memcpy((void*)0x200001c0, "\x73\x79\x7a\x5f\x74\x75\x6e\x00\x00\x00\x00\x00\x00\x00\x00\x00", 16); *(uint32_t*)0x200001d0 = 0; syscall(__NR_ioctl, -1, 0x8933, 0x200001c0); break; case 187: res = syscall(__NR_socket, 0x11, 2, 0x300); if (res != -1) r[47] = res; break; case 188: *(uint32_t*)0x20006ffc = 6; syscall(__NR_setsockopt, r[47], 0x107, 0x14, 0x20006ffc, 4); break; case 189: *(uint16_t*)0x20008000 = 0xa; *(uint16_t*)0x20008002 = htobe16(0x4e20); *(uint32_t*)0x20008004 = 4; *(uint8_t*)0x20008008 = -1; *(uint8_t*)0x20008009 = 2; *(uint8_t*)0x2000800a = 0; *(uint8_t*)0x2000800b = 0; *(uint8_t*)0x2000800c = 0; *(uint8_t*)0x2000800d = 0; *(uint8_t*)0x2000800e = 0; *(uint8_t*)0x2000800f = 0; *(uint8_t*)0x20008010 = 0; *(uint8_t*)0x20008011 = 0; *(uint8_t*)0x20008012 = 0; *(uint8_t*)0x20008013 = 0; 
*(uint8_t*)0x20008014 = 0; *(uint8_t*)0x20008015 = 0; *(uint8_t*)0x20008016 = 0; *(uint8_t*)0x20008017 = 1; *(uint32_t*)0x20008018 = 0; syscall(__NR_sendto, r[47], 0x20010000, 0, 0, 0x20008000, 0x1c); break; case 190: res = syscall(__NR_socket, 0xa, 2, 0); if (res != -1) r[48] = res; break; case 191: *(uint16_t*)0x20000040 = 0xa; *(uint16_t*)0x20000042 = htobe16(0x4e20); *(uint32_t*)0x20000044 = 0x9688; *(uint8_t*)0x20000048 = -1; *(uint8_t*)0x20000049 = 1; *(uint8_t*)0x2000004a = 0; *(uint8_t*)0x2000004b = 0; *(uint8_t*)0x2000004c = 0; *(uint8_t*)0x2000004d = 0; *(uint8_t*)0x2000004e = 0; *(uint8_t*)0x2000004f = 0; *(uint8_t*)0x20000050 = 0; *(uint8_t*)0x20000051 = 0; *(uint8_t*)0x20000052 = 0; *(uint8_t*)0x20000053 = 0; *(uint8_t*)0x20000054 = 0; *(uint8_t*)0x20000055 = 0; *(uint8_t*)0x20000056 = 0; *(uint8_t*)0x20000057 = 1; *(uint32_t*)0x20000058 = 0; syscall(__NR_connect, r[48], 0x20000040, 0x1c); break; case 192: *(uint64_t*)0x20007e00 = 0; *(uint32_t*)0x20007e08 = 0; *(uint64_t*)0x20007e10 = 0x20000380; *(uint64_t*)0x20007e18 = 0; *(uint64_t*)0x20007e20 = 0x200003c0; *(uint64_t*)0x20007e28 = 0; *(uint32_t*)0x20007e30 = 0; *(uint32_t*)0x20007e38 = 0; *(uint64_t*)0x20007e40 = 0x200004c0; *(uint16_t*)0x200004c0 = 0xa; *(uint16_t*)0x200004c2 = htobe16(0x4e22); *(uint32_t*)0x200004c4 = 0; *(uint8_t*)0x200004c8 = -1; *(uint8_t*)0x200004c9 = 2; *(uint8_t*)0x200004ca = 0; *(uint8_t*)0x200004cb = 0; *(uint8_t*)0x200004cc = 0; *(uint8_t*)0x200004cd = 0; *(uint8_t*)0x200004ce = 0; *(uint8_t*)0x200004cf = 0; *(uint8_t*)0x200004d0 = 0; *(uint8_t*)0x200004d1 = 0; *(uint8_t*)0x200004d2 = 0; *(uint8_t*)0x200004d3 = 0; *(uint8_t*)0x200004d4 = 0; *(uint8_t*)0x200004d5 = 0; *(uint8_t*)0x200004d6 = 0; *(uint8_t*)0x200004d7 = 1; *(uint32_t*)0x200004d8 = 0; *(uint32_t*)0x20007e48 = 0x80; *(uint64_t*)0x20007e50 = 0x20000680; *(uint64_t*)0x20007e58 = 0; *(uint64_t*)0x20007e60 = 0x20000080; *(uint64_t*)0x20007e68 = 0; *(uint32_t*)0x20007e70 = 0; *(uint32_t*)0x20007e78 = 0; 
syscall(__NR_sendmmsg, r[48], 0x20007e00, 2, 0); break; case 193: memcpy((void*)0x20000000, "/selinux/checkreqprot", 22); res = syscall(__NR_openat, 0xffffffffffffff9c, 0x20000000, 0, 0); if (res != -1) r[49] = res; break; case 194: *(uint64_t*)0x200001c0 = 0; *(uint32_t*)0x200001c8 = 0x19; *(uint32_t*)0x200001cc = 4; *(uint32_t*)0x200001d0 = -1; res = syscall(__NR_timer_create, 0, 0x200001c0, 0x20000300); if (res != -1) r[50] = *(uint32_t*)0x20000300; break; case 195: *(uint64_t*)0x20000340 = 0; *(uint64_t*)0x20000348 = 0; *(uint64_t*)0x20000350 = 0; *(uint64_t*)0x20000358 = 0; syscall(__NR_timer_settime, r[50], 0, 0x20000340, 0x200003c0); break; case 196: *(uint32_t*)0x20000240 = 0x14; res = syscall(__NR_accept4, -1, 0x20000200, 0x20000240, 0x80800); if (res != -1) r[51] = *(uint32_t*)0x20000204; break; case 197: *(uint16_t*)0x20000280 = 0x11; *(uint16_t*)0x20000282 = htobe16(2); *(uint32_t*)0x20000284 = r[51]; *(uint16_t*)0x20000288 = 1; *(uint8_t*)0x2000028a = 4; *(uint8_t*)0x2000028b = 6; *(uint8_t*)0x2000028c = 0xaa; *(uint8_t*)0x2000028d = 0xaa; *(uint8_t*)0x2000028e = 0xaa; *(uint8_t*)0x2000028f = 0xaa; *(uint8_t*)0x20000290 = 0xaa; *(uint8_t*)0x20000291 = 0x13; *(uint8_t*)0x20000292 = 0; *(uint8_t*)0x20000293 = 0; syscall(__NR_recvfrom, r[49], 0x200000c0, 0xf0, 0x40000120, 0x20000280, 0x14); break; case 198: *(uint32_t*)0x200002c0 = 4; syscall(__NR_getsockopt, r[49], 0x84, 0x1c, 0x20000380, 0x200002c0); break; case 199: res = syscall(__NR_pipe2, 0x20edeff8, 0); if (res != -1) { r[52] = *(uint32_t*)0x20edeff8; r[53] = *(uint32_t*)0x20edeffc; } break; case 200: syscall(__NR_mmap, 0x20011000, 0x3000, 1, 0x32, -1, 0); break; case 201: memcpy((void*)0x20000000, "./file0", 8); memcpy((void*)0x20000040, "./file0", 8); syscall(__NR_symlink, 0x20000000, 0x20000040); break; case 202: res = syscall(__NR_userfaultfd, 0); if (res != -1) r[54] = res; break; case 203: *(uint64_t*)0x20bc8000 = 0xaa; *(uint64_t*)0x20bc8008 = 0; *(uint64_t*)0x20bc8010 = 0; 
syscall(__NR_ioctl, r[54], 0xc018aa3f, 0x20bc8000); break; case 204: *(uint8_t*)0x20011fd2 = 0; *(uint8_t*)0x20011fd3 = 0; *(uint8_t*)0x20011fd4 = 0; *(uint8_t*)0x20011fd5 = 0; *(uint64_t*)0x20011fda = 0; *(uint64_t*)0x20011fe2 = 0; *(uint8_t*)0x20011fea = 0; *(uint8_t*)0x20011feb = 0; *(uint8_t*)0x20011fec = 0; *(uint8_t*)0x20011fed = 0; *(uint64_t*)0x20011ff2 = 0x77359400; *(uint64_t*)0x20011ffa = 0; syscall(__NR_write, r[53], 0x20011fd2, 0x1c); break; case 205: syscall(__NR_fcntl, r[52], 0x408, 0); break; case 206: res = syscall(__NR_socket, 0xa, 0x80002, 0x88); if (res != -1) r[55] = res; break; case 207: *(uint32_t*)0x200004c0 = 0; syscall(__NR_setsockopt, -1, 0x84, 0x77, 0x200004c0, 2); break; case 208: *(uint16_t*)0x2001b000 = 0xa; *(uint16_t*)0x2001b002 = htobe16(0); *(uint32_t*)0x2001b004 = 0; *(uint8_t*)0x2001b008 = 0; *(uint8_t*)0x2001b009 = 0; *(uint8_t*)0x2001b00a = 0; *(uint8_t*)0x2001b00b = 0; *(uint8_t*)0x2001b00c = 0; *(uint8_t*)0x2001b00d = 0; *(uint8_t*)0x2001b00e = 0; *(uint8_t*)0x2001b00f = 0; *(uint8_t*)0x2001b010 = 0; *(uint8_t*)0x2001b011 = 0; *(uint8_t*)0x2001b012 = 0; *(uint8_t*)0x2001b013 = 0; *(uint8_t*)0x2001b014 = 0; *(uint8_t*)0x2001b015 = 0; *(uint8_t*)0x2001b016 = 0; *(uint8_t*)0x2001b017 = 0; *(uint32_t*)0x2001b018 = 0; syscall(__NR_sendto, -1, 0x20b0cf6e, 0xffed, 0, 0x2001b000, 0x1c); break; case 209: res = syscall(__NR_dup2, -1, r[55]); if (res != -1) r[56] = res; break; case 210: syscall(__NR_ioctl, -1, 0x641f); break; case 211: res = syscall(__NR_gettid); if (res != -1) r[57] = res; break; case 212: *(uint32_t*)0x20000340 = 0; *(uint16_t*)0x20000344 = 0; *(uint16_t*)0x20000346 = 5; *(uint16_t*)0x20000348 = 9; *(uint16_t*)0x2000034a = 8; *(uint16_t*)0x2000034c = 0; *(uint16_t*)0x2000034e = 4; *(uint16_t*)0x20000350 = 0x3f; syscall(__NR_setsockopt, -1, 0x84, 0x77, 0x20000340, 0x12); break; case 213: *(uint16_t*)0x20000b80 = r[55]; *(uint64_t*)0x20000b82 = 0x200005c0; *(uint64_t*)0x200005c0 = 0; *(uint64_t*)0x200005c8 = r[55]; 
*(uint64_t*)0x200005d0 = -1; *(uint64_t*)0x200005d8 = 0; *(uint64_t*)0x200005e0 = 0x20000540; *(uint16_t*)0x20000540 = -1; *(uint32_t*)0x20000542 = -1; *(uint16_t*)0x20000546 = -1; *(uint64_t*)0x20000548 = 0; *(uint64_t*)0x20000550 = -1; *(uint64_t*)0x20000558 = 0; *(uint64_t*)0x20000b8a = 0x20000a00; *(uint64_t*)0x20000a00 = 0x20000600; *(uint64_t*)0x20000600 = 0; *(uint32_t*)0x20000608 = -1; *(uint64_t*)0x2000060c = 0; *(uint16_t*)0x20000614 = -1; *(uint16_t*)0x20000a08 = -1; *(uint64_t*)0x20000a0a = -1; *(uint32_t*)0x20000a12 = -1; *(uint64_t*)0x20000a16 = 0x20000780; *(uint16_t*)0x20000a1e = -1; *(uint64_t*)0x20000a20 = 0; *(uint64_t*)0x20000a28 = 0x20000840; *(uint32_t*)0x20000840 = r[57]; *(uint64_t*)0x20000844 = 0; *(uint16_t*)0x2000084c = -1; *(uint32_t*)0x2000084e = -1; *(uint16_t*)0x20000852 = r[57]; *(uint16_t*)0x20000854 = r[56]; *(uint64_t*)0x20000856 = 0; *(uint64_t*)0x2000085e = -1; *(uint64_t*)0x20000866 = -1; *(uint64_t*)0x20000a30 = 0x20000bc0; *(uint64_t*)0x20000bc0 = 0; *(uint16_t*)0x20000bc8 = -1; *(uint64_t*)0x20000bca = -1; *(uint16_t*)0x20000bd2 = -1; *(uint32_t*)0x20000bd4 = r[57]; *(uint64_t*)0x20000bd8 = -1; *(uint64_t*)0x20000be0 = -1; *(uint64_t*)0x20000b92 = 0x20000b00; *(uint64_t*)0x20000b00 = -1; *(uint64_t*)0x20000b08 = -1; *(uint64_t*)0x20000b10 = -1; *(uint64_t*)0x20000b18 = 0x20000a40; *(uint64_t*)0x20000a40 = -1; *(uint64_t*)0x20000a48 = -1; *(uint16_t*)0x20000a50 = -1; *(uint16_t*)0x20000a52 = -1; *(uint16_t*)0x20000a54 = -1; syscall(__NR_ioctl, -1, 0xc008240a, 0x20000b80); break; case 214: *(uint8_t*)0x20000380 = -1; *(uint8_t*)0x20000381 = 1; *(uint8_t*)0x20000382 = 0; *(uint8_t*)0x20000383 = 0; *(uint8_t*)0x20000384 = 0; *(uint8_t*)0x20000385 = 0; *(uint8_t*)0x20000386 = 0; *(uint8_t*)0x20000387 = 0; *(uint8_t*)0x20000388 = 0; *(uint8_t*)0x20000389 = 0; *(uint8_t*)0x2000038a = 0; *(uint8_t*)0x2000038b = 0; *(uint8_t*)0x2000038c = 0; *(uint8_t*)0x2000038d = 0; *(uint8_t*)0x2000038e = 0; *(uint8_t*)0x2000038f = 1; 
*(uint32_t*)0x20000390 = 0; *(uint8_t*)0x20000394 = 0; *(uint8_t*)0x20000395 = 2; *(uint16_t*)0x20000396 = 1; *(uint16_t*)0x20000398 = -1; *(uint16_t*)0x2000039a = -1; *(uint32_t*)0x2000039c = 9; syscall(__NR_setsockopt, -1, 0x29, 0x20, 0x20000380, 0x20); break; case 215: res = syscall(__NR_socket, 2, 0x4000000000000001, 0); if (res != -1) r[58] = res; break; case 216: *(uint8_t*)0x200006c0 = 0xac; *(uint8_t*)0x200006c1 = 0x14; *(uint8_t*)0x200006c2 = 0x14; *(uint8_t*)0x200006c3 = 0xbb; *(uint32_t*)0x200006d0 = htobe32(0); *(uint16_t*)0x200006e0 = htobe16(0); *(uint16_t*)0x200006e2 = htobe16(0); *(uint16_t*)0x200006e4 = htobe16(0); *(uint16_t*)0x200006e6 = htobe16(0); *(uint16_t*)0x200006e8 = 2; *(uint8_t*)0x200006ea = 0x20; *(uint8_t*)0x200006eb = 0; *(uint8_t*)0x200006ec = 0; *(uint32_t*)0x200006f0 = 0; *(uint32_t*)0x200006f4 = 0; *(uint64_t*)0x200006f8 = 0; *(uint64_t*)0x20000700 = 0; *(uint64_t*)0x20000708 = 0; *(uint64_t*)0x20000710 = 0; *(uint64_t*)0x20000718 = 0; *(uint64_t*)0x20000720 = 0; *(uint64_t*)0x20000728 = 0; *(uint64_t*)0x20000730 = 0; *(uint64_t*)0x20000738 = 0; *(uint64_t*)0x20000740 = 0; *(uint64_t*)0x20000748 = 0; *(uint64_t*)0x20000750 = 0; *(uint32_t*)0x20000758 = 0; *(uint32_t*)0x2000075c = 0; *(uint8_t*)0x20000760 = 1; *(uint8_t*)0x20000761 = 0; *(uint8_t*)0x20000762 = 0; *(uint8_t*)0x20000763 = 0; *(uint8_t*)0x20000768 = 0; *(uint8_t*)0x20000769 = 0; *(uint8_t*)0x2000076a = 0; *(uint8_t*)0x2000076b = 0; *(uint8_t*)0x2000076c = 0; *(uint8_t*)0x2000076d = 0; *(uint8_t*)0x2000076e = 0; *(uint8_t*)0x2000076f = 0; *(uint8_t*)0x20000770 = 0; *(uint8_t*)0x20000771 = 0; *(uint8_t*)0x20000772 = -1; *(uint8_t*)0x20000773 = -1; *(uint32_t*)0x20000774 = htobe32(0xe0000002); *(uint32_t*)0x20000778 = htobe32(0); *(uint8_t*)0x2000077c = -1; *(uint16_t*)0x20000780 = 0; *(uint8_t*)0x20000784 = 0; *(uint8_t*)0x20000785 = 0; *(uint8_t*)0x20000786 = 0; *(uint8_t*)0x20000787 = 0; *(uint8_t*)0x20000788 = 0; *(uint8_t*)0x20000789 = 0; *(uint8_t*)0x2000078a = 0; 
*(uint8_t*)0x2000078b = 0; *(uint8_t*)0x2000078c = 0; *(uint8_t*)0x2000078d = 0; *(uint8_t*)0x2000078e = -1; *(uint8_t*)0x2000078f = -1; *(uint32_t*)0x20000790 = htobe32(0x7f000001); *(uint32_t*)0x20000794 = 0; *(uint8_t*)0x20000798 = 0; *(uint8_t*)0x20000799 = 0; *(uint8_t*)0x2000079a = 0; *(uint32_t*)0x2000079c = 0; *(uint32_t*)0x200007a0 = 0; *(uint32_t*)0x200007a4 = 0; syscall(__NR_setsockopt, r[58], 0, 0x11, 0x200006c0, 0xe8); break; case 217: *(uint16_t*)0x20deaff0 = 2; *(uint16_t*)0x20deaff2 = htobe16(0); *(uint8_t*)0x20deaff4 = 0xac; *(uint8_t*)0x20deaff5 = 0x14; *(uint8_t*)0x20deaff6 = 0x14; *(uint8_t*)0x20deaff7 = 0xbb; *(uint8_t*)0x20deaff8 = 0; *(uint8_t*)0x20deaff9 = 0; *(uint8_t*)0x20deaffa = 0; *(uint8_t*)0x20deaffb = 0; *(uint8_t*)0x20deaffc = 0; *(uint8_t*)0x20deaffd = 0; *(uint8_t*)0x20deaffe = 0; *(uint8_t*)0x20deafff = 0; syscall(__NR_sendto, r[58], 0x20000000, 0, 0x20000000, 0x20deaff0, 0x10); break; case 218: res = syscall(__NR_pipe, 0x20000000); if (res != -1) r[59] = *(uint32_t*)0x20000004; break; case 219: memcpy((void*)0x20000040, "cgroup.type", 12); syscall(__NR_openat, r[59], 0x20000040, 2, 0); break; case 220: *(uint8_t*)0x200001c0 = -1; *(uint8_t*)0x200001c1 = 2; *(uint8_t*)0x200001c2 = 0; *(uint8_t*)0x200001c3 = 0; *(uint8_t*)0x200001c4 = 0; *(uint8_t*)0x200001c5 = 0; *(uint8_t*)0x200001c6 = 0; *(uint8_t*)0x200001c7 = 0; *(uint8_t*)0x200001c8 = 0; *(uint8_t*)0x200001c9 = 0; *(uint8_t*)0x200001ca = 0; *(uint8_t*)0x200001cb = 0; *(uint8_t*)0x200001cc = 0; *(uint8_t*)0x200001cd = 0; *(uint8_t*)0x200001ce = 0; *(uint8_t*)0x200001cf = 1; *(uint32_t*)0x200001d0 = 0xb; *(uint32_t*)0x200001d4 = 0; syscall(__NR_ioctl, -1, 0x8936, 0x200001c0); break; case 221: syscall(__NR_socket, 0x10, 3, 0); break; case 222: *(uint32_t*)0x20006ffc = 6; syscall(__NR_setsockopt, -1, 0x107, 0x14, 0x20006ffc, 4); break; case 223: syscall(__NR_ioctl, -1, 0x400454cd, 0x304); break; case 224: *(uint32_t*)0x200000c0 = 0x14; syscall(__NR_getsockname, -1, 0x20000080, 
0x200000c0); break; case 225: *(uint32_t*)0x2003cff4 = 0; *(uint64_t*)0x2003cff8 = 0; syscall(__NR_epoll_ctl, -1, 3, -1, 0x2003cff4); break; case 226: memcpy((void*)0x2038b000, "user", 5); *(uint8_t*)0x2057f000 = 0x73; *(uint8_t*)0x2057f001 = 0x79; *(uint8_t*)0x2057f002 = 0x7a; *(uint8_t*)0x2057f003 = 0; *(uint8_t*)0x2057f004 = 0; res = syscall(__NR_add_key, 0x2038b000, 0x2057f000, 0x20d6c000, 0, 0); if (res != -1) r[60] = res; break; case 227: syscall(__NR_keyctl, 0x11, r[60], 0); break; case 228: *(uint32_t*)0x20581ff8 = 0x19980330; *(uint32_t*)0x20581ffc = 0; *(uint32_t*)0x20000240 = 0; *(uint32_t*)0x20000244 = 0; *(uint32_t*)0x20000248 = 0; *(uint32_t*)0x2000024c = 0; *(uint32_t*)0x20000250 = 0; *(uint32_t*)0x20000254 = 0; syscall(__NR_capset, 0x20581ff8, 0x20000240); break; case 229: syscall(__NR_socket, 0xa, 1, 0); break; case 230: memcpy((void*)0x20000300, "\x2e\x2f\x63\x67\x7e\x65\x74\x00\x7e\x82\x50\x09\x8a\xb8\x61\x9a" "\x20\xb6\xa5\x69\xd6\xdb\x7c\xf8\x74\x8b\x35\xdf\x56\xae\x50\x1a" "\x4d\xb0\x06\xaf\x4a\x0d\x7d\x0b\xc9\xa0\xd9\x88\x79\xb2\x99\xfb" "\x2b\xca\x43\xe4\xea\x72\xe5\x7d\x6e\x47\x09\x6c\x3c\x4a\x3f\x0f" "\xd0\xe5\xb4\x22\xda\x31\xc2\x23\x1e\x98\x5f\x02\x9d\xf2\x29\x61" "\xc9\xe1\x34\x71\x0f\xaa\xd3\x0f\x92\x92\x46\xf5\x39\x29\x96\xfe" "\x93\x89\x38\xf7\x97\x03\x49\x78\xec\x84\x62\xdf\x91\xd8\xbe\xae" "\xd2\x90\x9b\x3c\xb9\x44\x15\x6d\xd5\xd6\xb8\x06\x43\x73\x53\x3b" "\x7b\x62", 130); syscall(__NR_openat, 0xffffffffffffff9c, 0x20000300, 0x200002, 0); break; case 231: *(uint8_t*)0x20000000 = 0; memcpy((void*)0x20000001, "io", 2); *(uint8_t*)0x20000003 = 0x20; *(uint8_t*)0x20000004 = 0; memcpy((void*)0x20000005, "memor", 6); *(uint8_t*)0x2000000b = 0x20; *(uint8_t*)0x2000000c = 0; memcpy((void*)0x2000000d, "memory", 6); *(uint8_t*)0x20000013 = 0x20; *(uint8_t*)0x20000014 = 0; memcpy((void*)0x20000015, "pids", 4); *(uint8_t*)0x20000019 = 0x20; syscall(__NR_write, -1, 0x20000000, 0xfffffe70); break; case 232: memcpy((void*)0x20784fef, 
"/dev/vga_arbiter", 17); res = syscall(__NR_openat, 0xffffffffffffff9c, 0x20784fef, 0, 0); if (res != -1) r[61] = res; break; case 233: syscall(__NR_read, r[61], 0x20000000, 0x86); break; case 234: syscall(__NR_getpgid, 0); break; case 235: syscall(__NR_gettid); break; case 236: *(uint16_t*)0x20000240 = 6; *(uint64_t*)0x20000248 = 0x20000200; *(uint16_t*)0x20000200 = 3; *(uint16_t*)0x20000202 = 9; *(uint16_t*)0x20000204 = 8; *(uint16_t*)0x20000206 = 0; *(uint16_t*)0x20000208 = 3; *(uint16_t*)0x2000020a = 5; *(uint16_t*)0x2000020c = 1; *(uint16_t*)0x2000020e = 0; *(uint16_t*)0x20000210 = 2; *(uint16_t*)0x20000212 = 0xaf; *(uint16_t*)0x20000214 = 8; *(uint16_t*)0x20000216 = 8; syscall(__NR_ioctl, r[61], 0x4b67, 0x20000240); break; case 237: res = syscall(__NR_socket, 0xa, 2, 0x33); if (res != -1) r[62] = res; break; case 238: *(uint32_t*)0x20000080 = 0; syscall(__NR_setsockopt, r[62], 1, 0xc, 0x20000080, 4); break; case 239: *(uint32_t*)0x20000000 = 2; syscall(__NR_setsockopt, r[62], 0x29, 1, 0x20000000, 4); break; case 240: syscall(__NR_socket, 0x11, 2, 0x300); break; case 241: *(uint64_t*)0x20000400 = 0x20000080; *(uint16_t*)0x20000080 = 0x26; memcpy((void*)0x20000082, "\x72\x6e\x67\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", 14); *(uint32_t*)0x20000090 = 0; *(uint32_t*)0x20000094 = 0; memcpy((void*)0x20000098, "\x6a\x69\x74\x74\x65\x72\x65\x6e\x74\x72\x6f\x70\x79\x5f\x72\x6e" "\x67\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", 64); *(uint32_t*)0x20000408 = 0x80; *(uint64_t*)0x20000410 = 0x200003c0; *(uint64_t*)0x200003c0 = 0x20000100; *(uint64_t*)0x200003c8 = 0; *(uint64_t*)0x20000418 = 1; *(uint64_t*)0x20000420 = 0; *(uint64_t*)0x20000428 = 0; *(uint32_t*)0x20000430 = 0x40; syscall(__NR_sendmsg, -1, 0x20000400, 0); break; case 242: *(uint16_t*)0x20008000 = 0xa; *(uint16_t*)0x20008002 = htobe16(0x4e20); 
*(uint32_t*)0x20008004 = 4; *(uint8_t*)0x20008008 = -1; *(uint8_t*)0x20008009 = 2; *(uint8_t*)0x2000800a = 0; *(uint8_t*)0x2000800b = 0; *(uint8_t*)0x2000800c = 0; *(uint8_t*)0x2000800d = 0; *(uint8_t*)0x2000800e = 0; *(uint8_t*)0x2000800f = 0; *(uint8_t*)0x20008010 = 0; *(uint8_t*)0x20008011 = 0; *(uint8_t*)0x20008012 = 0; *(uint8_t*)0x20008013 = 0; *(uint8_t*)0x20008014 = 0; *(uint8_t*)0x20008015 = 0; *(uint8_t*)0x20008016 = 0; *(uint8_t*)0x20008017 = 1; *(uint32_t*)0x20008018 = 0; syscall(__NR_sendto, -1, 0x20010000, 0, 0, 0x20008000, 0x1c); break; case 243: memcpy((void*)0x200000c0, "\x69\x66\x62\x30\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", 16); *(uint16_t*)0x200000d0 = 0x4012; syscall(__NR_ioctl, -1, 0x400454ca, 0x200000c0); break; case 244: *(uint32_t*)0x2001d000 = 2; *(uint32_t*)0x2001d004 = 0x70; *(uint8_t*)0x2001d008 = 6; *(uint8_t*)0x2001d009 = 1; *(uint8_t*)0x2001d00a = 0; *(uint8_t*)0x2001d00b = 0; *(uint32_t*)0x2001d00c = 0; *(uint64_t*)0x2001d010 = 0; *(uint64_t*)0x2001d018 = 0; *(uint64_t*)0x2001d020 = 0; STORE_BY_BITMASK(uint64_t, 0x2001d028, 0, 0, 1); STORE_BY_BITMASK(uint64_t, 0x2001d028, 0, 1, 1); STORE_BY_BITMASK(uint64_t, 0x2001d028, 0, 2, 1); STORE_BY_BITMASK(uint64_t, 0x2001d028, 0, 3, 1); STORE_BY_BITMASK(uint64_t, 0x2001d028, 0, 4, 1); STORE_BY_BITMASK(uint64_t, 0x2001d028, -1, 5, 1); STORE_BY_BITMASK(uint64_t, 0x2001d028, 0, 6, 1); STORE_BY_BITMASK(uint64_t, 0x2001d028, 0, 7, 1); STORE_BY_BITMASK(uint64_t, 0x2001d028, 0, 8, 1); STORE_BY_BITMASK(uint64_t, 0x2001d028, 0, 9, 1); STORE_BY_BITMASK(uint64_t, 0x2001d028, 0, 10, 1); STORE_BY_BITMASK(uint64_t, 0x2001d028, 0, 11, 1); STORE_BY_BITMASK(uint64_t, 0x2001d028, 0, 12, 1); STORE_BY_BITMASK(uint64_t, 0x2001d028, 0, 13, 1); STORE_BY_BITMASK(uint64_t, 0x2001d028, 0, 14, 1); STORE_BY_BITMASK(uint64_t, 0x2001d028, 0, 15, 2); STORE_BY_BITMASK(uint64_t, 0x2001d028, 0, 17, 1); STORE_BY_BITMASK(uint64_t, 0x2001d028, 0, 18, 1); STORE_BY_BITMASK(uint64_t, 0x2001d028, 0, 19, 1); 
STORE_BY_BITMASK(uint64_t, 0x2001d028, 0, 20, 1); STORE_BY_BITMASK(uint64_t, 0x2001d028, 0, 21, 1); STORE_BY_BITMASK(uint64_t, 0x2001d028, 0, 22, 1); STORE_BY_BITMASK(uint64_t, 0x2001d028, 0, 23, 1); STORE_BY_BITMASK(uint64_t, 0x2001d028, 0, 24, 1); STORE_BY_BITMASK(uint64_t, 0x2001d028, 0, 25, 1); STORE_BY_BITMASK(uint64_t, 0x2001d028, 0, 26, 1); STORE_BY_BITMASK(uint64_t, 0x2001d028, 0, 27, 1); STORE_BY_BITMASK(uint64_t, 0x2001d028, 0, 28, 1); STORE_BY_BITMASK(uint64_t, 0x2001d028, 0, 29, 35); *(uint32_t*)0x2001d030 = 0; *(uint32_t*)0x2001d034 = 0; *(uint64_t*)0x2001d038 = 0x20000000; *(uint64_t*)0x2001d040 = 0; *(uint64_t*)0x2001d048 = 0; *(uint64_t*)0x2001d050 = 0; *(uint32_t*)0x2001d058 = 0; *(uint32_t*)0x2001d05c = 0; *(uint64_t*)0x2001d060 = 0; *(uint32_t*)0x2001d068 = 0; *(uint16_t*)0x2001d06c = 0; *(uint16_t*)0x2001d06e = 0; syscall(__NR_perf_event_open, 0x2001d000, 0, 0, -1, 0); break; case 245: break; case 246: res = syscall(__NR_socket, 0x11, 0x100000802, 0); if (res != -1) r[63] = res; break; case 247: memcpy((void*)0x20000140, "/dev/net/tun", 13); res = syz_open_dev(0x20000140, 0, 2); if (res != -1) r[64] = res; break; case 248: memcpy((void*)0x20000040, "\x69\x66\x62\x30\x00\xfa\xff\xff\xff\xff\xff\xff\xff\x00\x00\x00", 16); *(uint16_t*)0x20000050 = 0xca9b; syscall(__NR_ioctl, r[64], 0x400454ca, 0x20000040); break; case 249: memcpy((void*)0x20000000, "\x69\x66\x62\x30\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", 16); *(uint16_t*)0x20000010 = 0xa201; syscall(__NR_ioctl, r[63], 0x8914, 0x20000000); break; case 250: *(uint32_t*)0x2025c000 = 2; *(uint32_t*)0x2025c004 = 0x70; *(uint8_t*)0x2025c008 = 0xe6; *(uint8_t*)0x2025c009 = 0; *(uint8_t*)0x2025c00a = 0; *(uint8_t*)0x2025c00b = 0; *(uint32_t*)0x2025c00c = 0; *(uint64_t*)0x2025c010 = 0; *(uint64_t*)0x2025c018 = 0; *(uint64_t*)0x2025c020 = 0; STORE_BY_BITMASK(uint64_t, 0x2025c028, 0, 0, 1); STORE_BY_BITMASK(uint64_t, 0x2025c028, 0, 1, 1); STORE_BY_BITMASK(uint64_t, 0x2025c028, 0, 2, 1); 
STORE_BY_BITMASK(uint64_t, 0x2025c028, 0, 3, 1); STORE_BY_BITMASK(uint64_t, 0x2025c028, 0, 4, 1); STORE_BY_BITMASK(uint64_t, 0x2025c028, 0xffff7fffffffffff, 5, 1); STORE_BY_BITMASK(uint64_t, 0x2025c028, 0, 6, 1); STORE_BY_BITMASK(uint64_t, 0x2025c028, 0, 7, 1); STORE_BY_BITMASK(uint64_t, 0x2025c028, 0, 8, 1); STORE_BY_BITMASK(uint64_t, 0x2025c028, 0, 9, 1); STORE_BY_BITMASK(uint64_t, 0x2025c028, 0, 10, 1); STORE_BY_BITMASK(uint64_t, 0x2025c028, 0, 11, 1); STORE_BY_BITMASK(uint64_t, 0x2025c028, 0, 12, 1); STORE_BY_BITMASK(uint64_t, 0x2025c028, 0, 13, 1); STORE_BY_BITMASK(uint64_t, 0x2025c028, 0, 14, 1); STORE_BY_BITMASK(uint64_t, 0x2025c028, 0, 15, 2); STORE_BY_BITMASK(uint64_t, 0x2025c028, 0, 17, 1); STORE_BY_BITMASK(uint64_t, 0x2025c028, 0, 18, 1); STORE_BY_BITMASK(uint64_t, 0x2025c028, 0, 19, 1); STORE_BY_BITMASK(uint64_t, 0x2025c028, 0, 20, 1); STORE_BY_BITMASK(uint64_t, 0x2025c028, 0, 21, 1); STORE_BY_BITMASK(uint64_t, 0x2025c028, 0, 22, 1); STORE_BY_BITMASK(uint64_t, 0x2025c028, 0, 23, 1); STORE_BY_BITMASK(uint64_t, 0x2025c028, 0, 24, 1); STORE_BY_BITMASK(uint64_t, 0x2025c028, 0, 25, 1); STORE_BY_BITMASK(uint64_t, 0x2025c028, 0, 26, 1); STORE_BY_BITMASK(uint64_t, 0x2025c028, 0, 27, 1); STORE_BY_BITMASK(uint64_t, 0x2025c028, 0, 28, 1); STORE_BY_BITMASK(uint64_t, 0x2025c028, 0, 29, 35); *(uint32_t*)0x2025c030 = 0; *(uint32_t*)0x2025c034 = 0; *(uint64_t*)0x2025c038 = 0x20000000; *(uint64_t*)0x2025c040 = 0; *(uint64_t*)0x2025c048 = 0; *(uint64_t*)0x2025c050 = 0; *(uint32_t*)0x2025c058 = 0; *(uint32_t*)0x2025c05c = 0; *(uint64_t*)0x2025c060 = 0; *(uint32_t*)0x2025c068 = 0; *(uint16_t*)0x2025c06c = 0; *(uint16_t*)0x2025c06e = 0; syscall(__NR_perf_event_open, 0x2025c000, 0, 0, -1, 0); break; case 251: memcpy((void*)0x200000c0, "user", 5); *(uint8_t*)0x20000100 = 0x73; *(uint8_t*)0x20000101 = 0x79; *(uint8_t*)0x20000102 = 0x7a; *(uint8_t*)0x20000103 = 0; *(uint8_t*)0x20000104 = 0; syscall(__NR_add_key, 0x200000c0, 0x20000100, 0x20000140, 0, 0xfffffffb); break; case 
252:
    // Cases 252-263 are the tail of the generated syscall program. The
    // enclosing switch (presumably execute_call(), prototyped above) and the
    // `case` keyword for 252 start before this chunk, so this span begins
    // mid-statement. Every argument is a literal; the 0x20000000-range
    // addresses point into the region that main() maps below, and fd -1
    // means the call is issued against an invalid descriptor on purpose.
    syscall(__NR_ioctl, -1, 0x80404518, 0x200004c0);
    break;
  case 253:
    syscall(__NR_ioctl, -1, 0x40046207, 0);
    break;
  case 254:
    // syz_open_dev() (defined above) replaces each '#' in the path with a
    // decimal digit taken from its second argument, then open()s the result
    // with flags 0x42442. The returned fd is discarded here.
    memcpy((void*)0x20308000, "/dev/loop#", 11);
    syz_open_dev(0x20308000, 0x200000000, 0x42442);
    break;
  case 255:
    syscall(__NR_socket, 0, 0, 0);
    break;
  case 256:
    syscall(__NR_getpid);
    break;
  case 257:
    // One-element iovec at 0x20f50f90 {base = 0x20000040, len = 0}; the
    // write targets fd -1, so the call itself is expected to fail.
    *(uint64_t*)0x20f50f90 = 0x20000040;
    *(uint64_t*)0x20f50f98 = 0;
    syscall(__NR_pwritev, -1, 0x20f50f90, 1, 0x81006);
    break;
  case 258:
    // Builds a sockaddr_in6 at 0x20000500: family 0xa (AF_INET6), port
    // 0x4e22 in network byte order, flowinfo 0, address ff02::1, scope id 0.
    // Length 0x1c (28) matches sizeof(struct sockaddr_in6).
    *(uint16_t*)0x20000500 = 0xa;
    *(uint16_t*)0x20000502 = htobe16(0x4e22);
    *(uint32_t*)0x20000504 = 0;
    *(uint8_t*)0x20000508 = -1;
    *(uint8_t*)0x20000509 = 2;
    *(uint8_t*)0x2000050a = 0;
    *(uint8_t*)0x2000050b = 0;
    *(uint8_t*)0x2000050c = 0;
    *(uint8_t*)0x2000050d = 0;
    *(uint8_t*)0x2000050e = 0;
    *(uint8_t*)0x2000050f = 0;
    *(uint8_t*)0x20000510 = 0;
    *(uint8_t*)0x20000511 = 0;
    *(uint8_t*)0x20000512 = 0;
    *(uint8_t*)0x20000513 = 0;
    *(uint8_t*)0x20000514 = 0;
    *(uint8_t*)0x20000515 = 0;
    *(uint8_t*)0x20000516 = 0;
    *(uint8_t*)0x20000517 = 1;
    *(uint32_t*)0x20000518 = 0;
    syscall(__NR_bind, -1, 0x20000500, 0x1c);
    break;
  case 259:
    // 4-byte option value 0xfe at level 6, option 2, on fd -1.
    *(uint32_t*)0x20000680 = 0xfe;
    syscall(__NR_setsockopt, -1, 6, 2, 0x20000680, 4);
    break;
  case 260:
    // sockaddr_in6 at 0x2031e000: family 0xa (AF_INET6), port 0x4e22
    // big-endian, flowinfo 0, address ::1 (written as two big-endian
    // 64-bit halves), scope id 0x100000. Zero-length payload, flags
    // 0x20000004, fd -1.
    *(uint16_t*)0x2031e000 = 0xa;
    *(uint16_t*)0x2031e002 = htobe16(0x4e22);
    *(uint32_t*)0x2031e004 = 0;
    *(uint64_t*)0x2031e008 = htobe64(0);
    *(uint64_t*)0x2031e010 = htobe64(1);
    *(uint32_t*)0x2031e018 = 0x100000;
    syscall(__NR_sendto, -1, 0x200000c0, 0, 0x20000004, 0x2031e000, 0x1c);
    break;
  case 261:
    syscall(__NR_ioctl, -1, 0x4c00, -1);
    break;
  case 262:
    syscall(__NR_fchown, -1, 0, 0);
    break;
  case 263:
    // offset pointer at 0x20000080 holds 0; both descriptors are -1.
    *(uint64_t*)0x20000080 = 0;
    syscall(__NR_sendfile, -1, -1, 0x20000080, 0x102000004);
    break;
  }
}

// One pass over the generated program: hands all 264 calls to execute(),
// which is defined outside this chunk. loop() (defined above) calls this
// in an unconditional while(1), so the process never leaves it on its own.
void execute_one() { execute(264); }

// Entry point. Maps the fixed 16 MiB (0x1000000) scratch region at
// 0x20000000 that every fixed-address store in the cases above writes into.
// On Linux, prot 3 reads as PROT_READ|PROT_WRITE and flags 0x32 as
// MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS; fd -1 / offset 0 go with
// MAP_ANONYMOUS. The mmap result is not checked: if the mapping fails, the
// first fixed-address store in execute_call() would fault rather than the
// program reporting an error. Since loop() does not return, the for(;;)
// only matters if that ever changes.
int main() {
  syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0);
  for (;;) {
    loop();
  }
}