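// https://syzkaller.appspot.com/bug?id=ddfaf1d75a1db3b0ed9dfa5bb615a2d50dd8f1da
// autogenerated by syzkaller (https://github.com/google/syzkaller)
//
// Harness half of a syzkaller reproducer: a millisecond monotonic clock, a
// thread spawner and a futex-backed one-shot event that the caller uses to
// hand work to worker threads and wait for it with a deadline.
//
// NOTE(review): the copy under review had every `#include` directive with its
// header name stripped, so the file could not compile. The headers below are
// restored from the identifiers this file actually uses (usleep,
// clock_gettime, pthread_*, SYS_futex/FUTEX_*, va_list, open/O_*, opendir,
// waitpid/__WALL, prctl, htobe32, ...); confirm against the original
// reproducer download if the exact list matters.

#define _GNU_SOURCE

#include <dirent.h>
#include <endian.h>
#include <errno.h>
#include <fcntl.h>
#include <pthread.h>
#include <signal.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

#include <linux/futex.h>

// Sleep for `ms` milliseconds (only ever called with small values here; usleep
// takes a useconds_t, so very large inputs would be truncated).
static void sleep_ms(uint64_t ms) { usleep(ms * 1000); }

// Milliseconds on the monotonic clock. Exits the process if the clock cannot
// be read, because every timeout in this harness depends on it.
static uint64_t current_time_ms(void) {
  struct timespec ts;
  if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1);
  return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}

// Start a detached-by-neglect worker thread running fn(arg) on a 128 KiB
// stack. Transient EAGAIN (thread/resource limit) is retried up to 100 times
// with a short pause; any other failure, or exhausting the retries, aborts the
// process, since the reproducer cannot make progress without its workers.
//
// Fix: pthread_create reports its error through the return value, not errno,
// so the retry decision is made on that value rather than on a stale errno.
static void thread_start(void* (*fn)(void*), void* arg) {
  pthread_t th;
  pthread_attr_t attr;
  pthread_attr_init(&attr);
  pthread_attr_setstacksize(&attr, 128 << 10);
  int i;
  for (i = 0; i < 100; i++) {
    int rc = pthread_create(&th, &attr, fn, arg);
    if (rc == 0) {
      pthread_attr_destroy(&attr);
      return;
    }
    if (rc == EAGAIN) {
      usleep(50);
      continue;
    }
    break;
  }
  pthread_attr_destroy(&attr);
  exit(1);
}

// One-shot event: state is 0 (clear) or 1 (set); waiters block on a private
// futex over the state word.
typedef struct {
  int state;
} event_t;

static void event_init(event_t* ev) { ev->state = 0; }

// Clear the event. Not atomic by design: callers reset only when no thread can
// be waiting on it (see the ready/done handshake in the caller).
static void event_reset(event_t* ev) { ev->state = 0; }

// Set the event and wake every futex waiter. Setting an already-set event is
// treated as a harness bug and terminates the process.
static void event_set(event_t* ev) {
  if (ev->state) exit(1);
  __atomic_store_n(&ev->state, 1, __ATOMIC_RELEASE);
  syscall(SYS_futex, &ev->state, FUTEX_WAKE | FUTEX_PRIVATE_FLAG, 1000000);
}

// Block until the event is set. The futex wait returns immediately if the
// state word is no longer 0, so a set that races the check is not missed.
static void event_wait(event_t* ev) {
  while (!__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE))
    syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, 0);
}

// Non-blocking probe: nonzero if the event is currently set.
static int event_isset(event_t* ev) {
  return __atomic_load_n(&ev->state, __ATOMIC_ACQUIRE);
}

// Wait up to `timeout` ms for the event. Returns 1 if it became set, 0 on
// timeout. Each futex wait uses the remaining budget; the `now - start >
// timeout` check at the bottom guarantees `remain` never underflows on the
// next iteration.
static int event_timedwait(event_t* ev, uint64_t timeout) {
  uint64_t start = current_time_ms();
  uint64_t now = start;
  for (;;) {
    uint64_t remain = timeout - (now - start);
    struct timespec ts;
    ts.tv_sec = remain / 1000;
    ts.tv_nsec = (remain % 1000) * 1000 * 1000;
    syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, &ts);
    if (__atomic_load_n(&ev->state, __ATOMIC_RELAXED)) return 1;
    now = current_time_ms();
    if (now - start > timeout) return 0;
  }
}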
// Format `what` with the trailing arguments and write the result to `file`
// in one write(2). Returns false (with errno preserved from the failing call)
// if the file cannot be opened or the write is short; the formatted text is
// truncated to 1023 bytes.
static bool write_file(const char* file, const char* what, ...) {
  char buf[1024];
  va_list args;
  va_start(args, what);
  vsnprintf(buf, sizeof(buf), what, args);
  va_end(args);
  buf[sizeof(buf) - 1] = 0;
  int len = strlen(buf);
  int fd = open(file, O_WRONLY | O_CLOEXEC);
  if (fd == -1) return false;
  if (write(fd, buf, len) != len) {
    int err = errno;
    close(fd);
    errno = err;
    return false;
  }
  close(fd);
  return true;
}

// SIGKILL the test child's whole process group and then the child itself, and
// reap it. If it has not exited after ~100 ms, every FUSE connection under
// /sys/fs/fuse/connections is aborted (a child stuck in a FUSE request would
// otherwise never die), then the reaper blocks until the child is collected.
static void kill_and_wait(int pid, int* status) {
  kill(-pid, SIGKILL);
  kill(pid, SIGKILL);
  int i;
  for (i = 0; i < 100; i++) {
    if (waitpid(-1, status, WNOHANG | __WALL) == pid) return;
    usleep(1000);
  }
  DIR* dir = opendir("/sys/fs/fuse/connections");
  if (dir) {
    for (;;) {
      struct dirent* ent = readdir(dir);
      if (!ent) break;
      if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0) continue;
      // NOTE: this local shadows abort(3) from <stdlib.h>; harmless here.
      char abort[300];
      snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort", ent->d_name);
      int fd = open(abort, O_WRONLY);
      if (fd == -1) {
        continue;
      }
      // Any single byte written to the abort file triggers the abort; the
      // first byte of the path string is used as that byte. Failure is ignored
      // on purpose (best effort).
      if (write(fd, abort, 1) < 0) {
      }
      close(fd);
    }
    closedir(dir);
  } else {
  }
  // Blocking reap: assumes the child is now certain to exit.
  while (waitpid(-1, status, __WALL) != pid) {
  }
}

// Per-child setup: die with the parent, become a process-group leader so
// kill_and_wait() can kill the whole group, and raise oom_score_adj to its
// maximum so the OOM killer prefers this child over the harness.
static void setup_test() {
  prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
  setpgrp();
  write_file("/proc/self/oom_score_adj", "1000");
}

// Worker-thread slot: `ready` is set by the dispatcher to hand over `call`,
// `done` is set by the worker when execute_call() returns.
struct thread_t {
  int created, call;
  event_t ready, done;
};

static struct thread_t threads[16];
// NOTE: declared static here but defined below without `static`; the
// definition inherits internal linkage from this prior declaration (C11
// 6.2.2p5), so it still compiles.
static void execute_call(int call);
// Number of calls currently executing on worker threads.
static int running;

// Worker loop: wait for a call, run it, mark it finished. Never returns.
static void* thr(void* arg) {
  struct thread_t* th = (struct thread_t*)arg;
  for (;;) {
    event_wait(&th->ready);
    event_reset(&th->ready);
    execute_call(th->call);
    __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED);
    event_set(&th->done);
  }
  return 0;
}

// Dispatch calls 0..8 in order, each to the first idle worker thread, and
// wait at most 45 ms for it. A call that takes longer stays running on its
// thread while the next call is handed to another thread, so slow calls
// overlap with later ones (that concurrency is part of the reproducer). At
// the end, wait up to ~100 ms for all in-flight calls to drain.
static void execute_one(void) {
  int i, call, thread;
  for (call = 0; call < 9; call++) {
    for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) {
      struct thread_t* th = &threads[thread];
      if (!th->created) {
        th->created = 1;
        event_init(&th->ready);
        event_init(&th->done);
        event_set(&th->done);
        thread_start(thr, th);
      }
      if (!event_isset(&th->done)) continue;
      event_reset(&th->done);
      th->call = call;
      __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED);
      event_set(&th->ready);
      event_timedwait(&th->done, 45);
      break;
    }
  }
  for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++) sleep_ms(1);
}

// Redundant re-declaration after the definition (generator artifact).
static void execute_one(void);
#define WAIT_FLAGS __WALL

// Forever: fork a child that runs one iteration of the program, wait up to
// 5 s for it, then kill it if it is still alive. Never returns.
static void loop(void) {
  int iter;
  for (iter = 0;; iter++) {
    int pid = fork();
    if (pid < 0) exit(1);
    if (pid == 0) {
      setup_test();
      execute_one();
      exit(0);
    }
    int status = 0;
    uint64_t start = current_time_ms();
    for (;;) {
      if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) break;
      sleep_ms(1);
      if (current_time_ms() - start < 5 * 1000) continue;
      kill_and_wait(pid, &status);
      break;
    }
  }
}

// Results shared between calls: r[0] = AF_INET6 socket (call 0),
// r[1]/r[2] = pipe read/write ends (call 2), r[3] = AF_INET socket (call 3).
// -1 means "not yet produced".
uint64_t r[4] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff};

// Execute syscall number `call` of the reproducer. All argument memory lives
// in the fixed region mapped at 0x20000000 by main(); the buffers are filled
// by raw stores because the generator does not know the struct layouts.
void execute_call(int call) {
  intptr_t res;
  switch (call) {
  case 0:
    // socket(AF_INET6 (0xa), SOCK_DGRAM (2), 0)
    res = syscall(__NR_socket, 0xaul, 2ul, 0);
    if (res != -1) r[0] = res;
    break;
  case 1:
    // Builds a 1000-byte (0x3e8) buffer at 0x20000c80 and passes it to
    // setsockopt(r[0], 0x29, 0x40, ...). 0x29 is IPPROTO_IPV6 and the table
    // name "filter", the target names TEE/REJECT/AUDIT and the match name
    // "hl" below match an ip6tables rule-set replace (IP6T_SO_SET_REPLACE is
    // 64 = 0x40) - confirm the layout against
    // uapi/linux/netfilter_ipv6/ip6_tables.h before relying on it.
    //
    // Replace header: name, valid_hooks=0xe, num_entries=4, size=0x388,
    // hook_entry[5], underflow[5], num_counters=4, counters=NULL. The offsets
    // are internally consistent: entries start at +0x60, next_offset values
    // 0xf0/0xd0/0xf8/0xd0 chain four entries whose starts (0, 0xf0, 0x1c0,
    // 0x2b8) match hook_entry/underflow and whose end is 0x388.
    memcpy((void*)0x20000c80, "filter\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000", 32);
    *(uint32_t*)0x20000ca0 = 0xe;
    *(uint32_t*)0x20000ca4 = 4;
    *(uint32_t*)0x20000ca8 = 0x388;
    *(uint32_t*)0x20000cac = 0x1c0;
    *(uint32_t*)0x20000cb0 = 0x1c0;
    *(uint32_t*)0x20000cb4 = 0x1c0;
    *(uint32_t*)0x20000cb8 = 0;
    *(uint32_t*)0x20000cbc = 0;
    *(uint32_t*)0x20000cc0 = 0x2b8;
    *(uint32_t*)0x20000cc4 = 0x2b8;
    *(uint32_t*)0x20000cc8 = 0x2b8;
    *(uint32_t*)0x20000ccc = 0x2b8;
    *(uint32_t*)0x20000cd0 = 0x2b8;
    *(uint32_t*)0x20000cd4 = 4;
    *(uint64_t*)0x20000cd8 = 0;
    // Entry 1 (offset 0, next_offset 0xf0): zero src, dst fe80::, interfaces
    // "vlan0"/"ip6gre0", target at +0xa8 named "TEE" (size 0x48, revision 1)
    // followed by its gateway address and oif "ip6erspan0".
    *(uint8_t*)0x20000ce0 = 0;
    *(uint8_t*)0x20000ce1 = 0;
    *(uint8_t*)0x20000ce2 = 0;
    *(uint8_t*)0x20000ce3 = 0;
    *(uint8_t*)0x20000ce4 = 0;
    *(uint8_t*)0x20000ce5 = 0;
    *(uint8_t*)0x20000ce6 = 0;
    *(uint8_t*)0x20000ce7 = 0;
    *(uint8_t*)0x20000ce8 = 0;
    *(uint8_t*)0x20000ce9 = 0;
    *(uint8_t*)0x20000cea = 0;
    *(uint8_t*)0x20000ceb = 0;
    *(uint8_t*)0x20000cec = 0;
    *(uint8_t*)0x20000ced = 0;
    *(uint8_t*)0x20000cee = 0;
    *(uint8_t*)0x20000cef = 0;
    *(uint8_t*)0x20000cf0 = 0xfe;
    *(uint8_t*)0x20000cf1 = 0x80;
    *(uint8_t*)0x20000cf2 = 0;
    *(uint8_t*)0x20000cf3 = 0;
    *(uint8_t*)0x20000cf4 = 0;
    *(uint8_t*)0x20000cf5 = 0;
    *(uint8_t*)0x20000cf6 = 0;
    *(uint8_t*)0x20000cf7 = 0;
    *(uint8_t*)0x20000cf8 = 0;
    *(uint8_t*)0x20000cf9 = 0;
    *(uint8_t*)0x20000cfa = 0;
    *(uint8_t*)0x20000cfb = 0;
    *(uint8_t*)0x20000cfc = 0;
    *(uint8_t*)0x20000cfd = 0;
    *(uint8_t*)0x20000cfe = 0;
    *(uint8_t*)0x20000cff = 0;
    *(uint32_t*)0x20000d00 = htobe32(0);
    *(uint32_t*)0x20000d04 = htobe32(0);
    *(uint32_t*)0x20000d08 = htobe32(0);
    *(uint32_t*)0x20000d0c = htobe32(0);
    *(uint32_t*)0x20000d10 = htobe32(0);
    *(uint32_t*)0x20000d14 = htobe32(0);
    *(uint32_t*)0x20000d18 = htobe32(0);
    *(uint32_t*)0x20000d1c = htobe32(0);
    memcpy((void*)0x20000d20, "vlan0\000\000\000\000\000\000\000\000\000\000\000", 16);
    memcpy((void*)0x20000d30, "ip6gre0\000\000\000\000\000\000\000\000\000", 16);
    *(uint8_t*)0x20000d40 = 0;
    *(uint8_t*)0x20000d50 = 0;
    *(uint16_t*)0x20000d60 = 0;
    *(uint8_t*)0x20000d62 = 0;
    *(uint8_t*)0x20000d63 = 0;
    *(uint8_t*)0x20000d64 = 0;
    *(uint32_t*)0x20000d68 = 0;
    *(uint16_t*)0x20000d6c = 0xa8;
    *(uint16_t*)0x20000d6e = 0xf0;
    *(uint32_t*)0x20000d70 = 0;
    *(uint64_t*)0x20000d78 = 0;
    *(uint64_t*)0x20000d80 = 0;
    *(uint16_t*)0x20000d88 = 0x48;
    memcpy((void*)0x20000d8a, "TEE\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000", 29);
    *(uint8_t*)0x20000da7 = 1;
    *(uint8_t*)0x20000da8 = -1;
    *(uint8_t*)0x20000da9 = 1;
    *(uint8_t*)0x20000daa = 0;
    *(uint8_t*)0x20000dab = 0;
    *(uint8_t*)0x20000dac = 0;
    *(uint8_t*)0x20000dad = 0;
    *(uint8_t*)0x20000dae = 0;
    *(uint8_t*)0x20000daf = 0;
    *(uint8_t*)0x20000db0 = 0;
    *(uint8_t*)0x20000db1 = 0;
    *(uint8_t*)0x20000db2 = 0;
    *(uint8_t*)0x20000db3 = 0;
    *(uint8_t*)0x20000db4 = 0;
    *(uint8_t*)0x20000db5 = 0;
    *(uint8_t*)0x20000db6 = 0;
    *(uint8_t*)0x20000db7 = 1;
    memcpy((void*)0x20000db8, "ip6erspan0\000\000\000\000\000\000", 16);
    *(uint64_t*)0x20000dc8 = 0;
    // Entry 2 (offset 0xf0, next_offset 0xd0): src starts ff02, outiface
    // "team_slave_0", target "REJECT" (size 0x28, revision 0).
    *(uint8_t*)0x20000dd0 = -1;
    *(uint8_t*)0x20000dd1 = 2;
    *(uint8_t*)0x20000dd2 = 0;
    *(uint8_t*)0x20000dd3 = 0;
    *(uint8_t*)0x20000dd4 = 0;
    *(uint8_t*)0x20000dd5 = 0;
    *(uint8_t*)0x20000dd6 = 0;
    *(uint8_t*)0x20000dd7 = 0;
    *(uint8_t*)0x20000dd8 = 0;
    *(uint8_t*)0x20000dd9 = 0;
    *(uint8_t*)0x20000dda = 0;
    *(uint8_t*)0x20000ddb = 0;
    *(uint8_t*)0x20000ddc = 0;
    *(uint8_t*)0x20000ddd = 0;
    *(uint8_t*)0x20000dde = 0;
    *(uint8_t*)0x20000ddf = 1;
    *(uint8_t*)0x20000de0 = 0;
    *(uint8_t*)0x20000de1 = 0;
    *(uint8_t*)0x20000de2 = 0;
    *(uint8_t*)0x20000de3 = 0;
    *(uint8_t*)0x20000de4 = 0;
    *(uint8_t*)0x20000de5 = 0;
    *(uint8_t*)0x20000de6 = 0;
    *(uint8_t*)0x20000de7 = 0;
    *(uint8_t*)0x20000de8 = 0;
    *(uint8_t*)0x20000de9 = 0;
    *(uint8_t*)0x20000dea = 0;
    *(uint8_t*)0x20000deb = 0;
    *(uint8_t*)0x20000dec = 0;
    *(uint8_t*)0x20000ded = 0;
    *(uint8_t*)0x20000dee = 0;
    *(uint8_t*)0x20000def = 0;
    *(uint32_t*)0x20000df0 = htobe32(0);
    *(uint32_t*)0x20000df4 = htobe32(0);
    *(uint32_t*)0x20000df8 = htobe32(0);
    *(uint32_t*)0x20000dfc = htobe32(0);
    *(uint32_t*)0x20000e00 = htobe32(0);
    *(uint32_t*)0x20000e04 = htobe32(0);
    *(uint32_t*)0x20000e08 = htobe32(0);
    *(uint32_t*)0x20000e0c = htobe32(0);
    memcpy((void*)0x20000e10, "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000", 16);
    memcpy((void*)0x20000e20, "team_slave_0\000\000\000\000", 16);
    *(uint8_t*)0x20000e30 = 0;
    *(uint8_t*)0x20000e40 = 0;
    *(uint16_t*)0x20000e50 = 0;
    *(uint8_t*)0x20000e52 = 0;
    *(uint8_t*)0x20000e53 = 0;
    *(uint8_t*)0x20000e54 = 2;
    *(uint32_t*)0x20000e58 = 0;
    *(uint16_t*)0x20000e5c = 0xa8;
    *(uint16_t*)0x20000e5e = 0xd0;
    *(uint32_t*)0x20000e60 = 0;
    *(uint64_t*)0x20000e68 = 0;
    *(uint64_t*)0x20000e70 = 0;
    *(uint16_t*)0x20000e78 = 0x28;
    memcpy((void*)0x20000e7a, "REJECT\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000" "\000", 29);
    *(uint8_t*)0x20000e97 = 0;
    *(uint32_t*)0x20000e98 = 0;
    // Entry 3 (offset 0x1c0, next_offset 0xf8): all-zero IPv6 header part,
    // target_offset 0xd0, one match named "hl" (size 0x28) then a target
    // named "AUDIT" (size 0x28).
    *(uint8_t*)0x20000ea0 = 0;
    *(uint8_t*)0x20000ea1 = 0;
    *(uint8_t*)0x20000ea2 = 0;
    *(uint8_t*)0x20000ea3 = 0;
    *(uint8_t*)0x20000ea4 = 0;
    *(uint8_t*)0x20000ea5 = 0;
    *(uint8_t*)0x20000ea6 = 0;
    *(uint8_t*)0x20000ea7 = 0;
    *(uint8_t*)0x20000ea8 = 0;
    *(uint8_t*)0x20000ea9 = 0;
    *(uint8_t*)0x20000eaa = 0;
    *(uint8_t*)0x20000eab = 0;
    *(uint8_t*)0x20000eac = 0;
    *(uint8_t*)0x20000ead = 0;
    *(uint8_t*)0x20000eae = 0;
    *(uint8_t*)0x20000eaf = 0;
    *(uint8_t*)0x20000eb0 = 0;
    *(uint8_t*)0x20000eb1 = 0;
    *(uint8_t*)0x20000eb2 = 0;
    *(uint8_t*)0x20000eb3 = 0;
    *(uint8_t*)0x20000eb4 = 0;
    *(uint8_t*)0x20000eb5 = 0;
    *(uint8_t*)0x20000eb6 = 0;
    *(uint8_t*)0x20000eb7 = 0;
    *(uint8_t*)0x20000eb8 = 0;
    *(uint8_t*)0x20000eb9 = 0;
    *(uint8_t*)0x20000eba = 0;
    *(uint8_t*)0x20000ebb = 0;
    *(uint8_t*)0x20000ebc = 0;
    *(uint8_t*)0x20000ebd = 0;
    *(uint8_t*)0x20000ebe = 0;
    *(uint8_t*)0x20000ebf = 0;
    *(uint8_t*)0x20000ec0 = 0;
    *(uint8_t*)0x20000ec1 = 0;
    *(uint8_t*)0x20000ec2 = 0;
    *(uint8_t*)0x20000ec3 = 0;
    *(uint8_t*)0x20000ec4 = 0;
    *(uint8_t*)0x20000ec5 = 0;
    *(uint8_t*)0x20000ec6 = 0;
    *(uint8_t*)0x20000ec7 = 0;
    *(uint8_t*)0x20000ec8 = 0;
    *(uint8_t*)0x20000ec9 = 0;
    *(uint8_t*)0x20000eca = 0;
    *(uint8_t*)0x20000ecb = 0;
    *(uint8_t*)0x20000ecc = 0;
    *(uint8_t*)0x20000ecd = 0;
    *(uint8_t*)0x20000ece = 0;
    *(uint8_t*)0x20000ecf = 0;
    *(uint8_t*)0x20000ed0 = 0;
    *(uint8_t*)0x20000ed1 = 0;
    *(uint8_t*)0x20000ed2 = 0;
    *(uint8_t*)0x20000ed3 = 0;
    *(uint8_t*)0x20000ed4 = 0;
    *(uint8_t*)0x20000ed5 = 0;
    *(uint8_t*)0x20000ed6 = 0;
    *(uint8_t*)0x20000ed7 = 0;
    *(uint8_t*)0x20000ed8 = 0;
    *(uint8_t*)0x20000ed9 = 0;
    *(uint8_t*)0x20000eda = 0;
    *(uint8_t*)0x20000edb = 0;
    *(uint8_t*)0x20000edc = 0;
    *(uint8_t*)0x20000edd = 0;
    *(uint8_t*)0x20000ede = 0;
    *(uint8_t*)0x20000edf = 0;
    *(uint8_t*)0x20000ee0 = 0;
    *(uint8_t*)0x20000ee1 = 0;
    *(uint8_t*)0x20000ee2 = 0;
    *(uint8_t*)0x20000ee3 = 0;
    *(uint8_t*)0x20000ee4 = 0;
    *(uint8_t*)0x20000ee5 = 0;
    *(uint8_t*)0x20000ee6 = 0;
    *(uint8_t*)0x20000ee7 = 0;
    *(uint8_t*)0x20000ee8 = 0;
    *(uint8_t*)0x20000ee9 = 0;
    *(uint8_t*)0x20000eea = 0;
    *(uint8_t*)0x20000eeb = 0;
    *(uint8_t*)0x20000eec = 0;
    *(uint8_t*)0x20000eed = 0;
    *(uint8_t*)0x20000eee = 0;
    *(uint8_t*)0x20000eef = 0;
    *(uint8_t*)0x20000ef0 = 0;
    *(uint8_t*)0x20000ef1 = 0;
    *(uint8_t*)0x20000ef2 = 0;
    *(uint8_t*)0x20000ef3 = 0;
    *(uint8_t*)0x20000ef4 = 0;
    *(uint8_t*)0x20000ef5 = 0;
    *(uint8_t*)0x20000ef6 = 0;
    *(uint8_t*)0x20000ef7 = 0;
    *(uint8_t*)0x20000ef8 = 0;
    *(uint8_t*)0x20000ef9 = 0;
    *(uint8_t*)0x20000efa = 0;
    *(uint8_t*)0x20000efb = 0;
    *(uint8_t*)0x20000efc = 0;
    *(uint8_t*)0x20000efd = 0;
    *(uint8_t*)0x20000efe = 0;
    *(uint8_t*)0x20000eff = 0;
    *(uint8_t*)0x20000f00 = 0;
    *(uint8_t*)0x20000f01 = 0;
    *(uint8_t*)0x20000f02 = 0;
    *(uint8_t*)0x20000f03 = 0;
    *(uint8_t*)0x20000f04 = 0;
    *(uint8_t*)0x20000f05 = 0;
    *(uint8_t*)0x20000f06 = 0;
    *(uint8_t*)0x20000f07 = 0;
    *(uint8_t*)0x20000f08 = 0;
    *(uint8_t*)0x20000f09 = 0;
    *(uint8_t*)0x20000f0a = 0;
    *(uint8_t*)0x20000f0b = 0;
    *(uint8_t*)0x20000f0c = 0;
    *(uint8_t*)0x20000f0d = 0;
    *(uint8_t*)0x20000f0e = 0;
    *(uint8_t*)0x20000f0f = 0;
    *(uint8_t*)0x20000f10 = 0;
    *(uint8_t*)0x20000f11 = 0;
    *(uint8_t*)0x20000f12 = 0;
    *(uint8_t*)0x20000f13 = 0;
    *(uint8_t*)0x20000f14 = 0;
    *(uint8_t*)0x20000f15 = 0;
    *(uint8_t*)0x20000f16 = 0;
    *(uint8_t*)0x20000f17 = 0;
    *(uint8_t*)0x20000f18 = 0;
    *(uint8_t*)0x20000f19 = 0;
    *(uint8_t*)0x20000f1a = 0;
    *(uint8_t*)0x20000f1b = 0;
    *(uint8_t*)0x20000f1c = 0;
    *(uint8_t*)0x20000f1d = 0;
    *(uint8_t*)0x20000f1e = 0;
    *(uint8_t*)0x20000f1f = 0;
    *(uint8_t*)0x20000f20 = 0;
    *(uint8_t*)0x20000f21 = 0;
    *(uint8_t*)0x20000f22 = 0;
    *(uint8_t*)0x20000f23 = 0;
    *(uint8_t*)0x20000f24 = 0;
    *(uint8_t*)0x20000f25 = 0;
    *(uint8_t*)0x20000f26 = 0;
    *(uint8_t*)0x20000f27 = 0;
    *(uint32_t*)0x20000f28 = 0;
    *(uint16_t*)0x20000f2c = 0xd0;
    *(uint16_t*)0x20000f2e = 0xf8;
    *(uint32_t*)0x20000f30 = 0;
    *(uint64_t*)0x20000f38 = 0;
    *(uint64_t*)0x20000f40 = 0;
    *(uint16_t*)0x20000f48 = 0x28;
    memcpy((void*)0x20000f4a, "hl\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000", 29);
    *(uint8_t*)0x20000f67 = 0;
    *(uint8_t*)0x20000f68 = 0;
    *(uint8_t*)0x20000f69 = 0;
    *(uint16_t*)0x20000f70 = 0x28;
    memcpy((void*)0x20000f72, "AUDIT\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000" "\000\000", 29);
    *(uint8_t*)0x20000f8f = 0;
    *(uint8_t*)0x20000f90 = 0;
    // Entry 4 (offset 0x2b8, next_offset 0xd0): all-zero header, target with
    // an empty name (size 0x28) and a trailing 0xfffffffe (-2), i.e. a
    // standard-target verdict; -2 corresponds to ACCEPT (-NF_ACCEPT-1) -
    // verify against the kernel's verdict encoding.
    *(uint8_t*)0x20000f98 = 0;
    *(uint8_t*)0x20000f99 = 0;
    *(uint8_t*)0x20000f9a = 0;
    *(uint8_t*)0x20000f9b = 0;
    *(uint8_t*)0x20000f9c = 0;
    *(uint8_t*)0x20000f9d = 0;
    *(uint8_t*)0x20000f9e = 0;
    *(uint8_t*)0x20000f9f = 0;
    *(uint8_t*)0x20000fa0 = 0;
    *(uint8_t*)0x20000fa1 = 0;
    *(uint8_t*)0x20000fa2 = 0;
    *(uint8_t*)0x20000fa3 = 0;
    *(uint8_t*)0x20000fa4 = 0;
    *(uint8_t*)0x20000fa5 = 0;
    *(uint8_t*)0x20000fa6 = 0;
    *(uint8_t*)0x20000fa7 = 0;
    *(uint8_t*)0x20000fa8 = 0;
    *(uint8_t*)0x20000fa9 = 0;
    *(uint8_t*)0x20000faa = 0;
    *(uint8_t*)0x20000fab = 0;
    *(uint8_t*)0x20000fac = 0;
    *(uint8_t*)0x20000fad = 0;
    *(uint8_t*)0x20000fae = 0;
    *(uint8_t*)0x20000faf = 0;
    *(uint8_t*)0x20000fb0 = 0;
    *(uint8_t*)0x20000fb1 = 0;
    *(uint8_t*)0x20000fb2 = 0;
    *(uint8_t*)0x20000fb3 = 0;
    *(uint8_t*)0x20000fb4 = 0;
    *(uint8_t*)0x20000fb5 = 0;
    *(uint8_t*)0x20000fb6 = 0;
    *(uint8_t*)0x20000fb7 = 0;
    *(uint8_t*)0x20000fb8 = 0;
    *(uint8_t*)0x20000fb9 = 0;
    *(uint8_t*)0x20000fba = 0;
    *(uint8_t*)0x20000fbb = 0;
    *(uint8_t*)0x20000fbc = 0;
    *(uint8_t*)0x20000fbd = 0;
    *(uint8_t*)0x20000fbe = 0;
    *(uint8_t*)0x20000fbf = 0;
    *(uint8_t*)0x20000fc0 = 0;
    *(uint8_t*)0x20000fc1 = 0;
    *(uint8_t*)0x20000fc2 = 0;
    *(uint8_t*)0x20000fc3 = 0;
    *(uint8_t*)0x20000fc4 = 0;
    *(uint8_t*)0x20000fc5 = 0;
    *(uint8_t*)0x20000fc6 = 0;
    *(uint8_t*)0x20000fc7 = 0;
    *(uint8_t*)0x20000fc8 = 0;
    *(uint8_t*)0x20000fc9 = 0;
    *(uint8_t*)0x20000fca = 0;
    *(uint8_t*)0x20000fcb = 0;
    *(uint8_t*)0x20000fcc = 0;
    *(uint8_t*)0x20000fcd = 0;
    *(uint8_t*)0x20000fce = 0;
    *(uint8_t*)0x20000fcf = 0;
    *(uint8_t*)0x20000fd0 = 0;
    *(uint8_t*)0x20000fd1 = 0;
    *(uint8_t*)0x20000fd2 = 0;
    *(uint8_t*)0x20000fd3 = 0;
    *(uint8_t*)0x20000fd4 = 0;
    *(uint8_t*)0x20000fd5 = 0;
    *(uint8_t*)0x20000fd6 = 0;
    *(uint8_t*)0x20000fd7 = 0;
    *(uint8_t*)0x20000fd8 = 0;
    *(uint8_t*)0x20000fd9 = 0;
    *(uint8_t*)0x20000fda = 0;
    *(uint8_t*)0x20000fdb = 0;
    *(uint8_t*)0x20000fdc = 0;
    *(uint8_t*)0x20000fdd = 0;
    *(uint8_t*)0x20000fde = 0;
    *(uint8_t*)0x20000fdf = 0;
    *(uint8_t*)0x20000fe0 = 0;
    *(uint8_t*)0x20000fe1 = 0;
    *(uint8_t*)0x20000fe2 = 0;
    *(uint8_t*)0x20000fe3 = 0;
    *(uint8_t*)0x20000fe4 = 0;
    *(uint8_t*)0x20000fe5 = 0;
    *(uint8_t*)0x20000fe6 = 0;
    *(uint8_t*)0x20000fe7 = 0;
    *(uint8_t*)0x20000fe8 = 0;
    *(uint8_t*)0x20000fe9 = 0;
    *(uint8_t*)0x20000fea = 0;
    *(uint8_t*)0x20000feb = 0;
    *(uint8_t*)0x20000fec = 0;
    *(uint8_t*)0x20000fed = 0;
    *(uint8_t*)0x20000fee = 0;
    *(uint8_t*)0x20000fef = 0;
    *(uint8_t*)0x20000ff0 = 0;
    *(uint8_t*)0x20000ff1 = 0;
    *(uint8_t*)0x20000ff2 = 0;
    *(uint8_t*)0x20000ff3 = 0;
    *(uint8_t*)0x20000ff4 = 0;
    *(uint8_t*)0x20000ff5 = 0;
    *(uint8_t*)0x20000ff6 = 0;
    *(uint8_t*)0x20000ff7 = 0;
    *(uint8_t*)0x20000ff8 = 0;
    *(uint8_t*)0x20000ff9 = 0;
    *(uint8_t*)0x20000ffa = 0;
    *(uint8_t*)0x20000ffb = 0;
    *(uint8_t*)0x20000ffc = 0;
    *(uint8_t*)0x20000ffd = 0;
    *(uint8_t*)0x20000ffe = 0;
    *(uint8_t*)0x20000fff = 0;
    *(uint8_t*)0x20001000 = 0;
    *(uint8_t*)0x20001001 = 0;
    *(uint8_t*)0x20001002 = 0;
    *(uint8_t*)0x20001003 = 0;
    *(uint8_t*)0x20001004 = 0;
    *(uint8_t*)0x20001005 = 0;
    *(uint8_t*)0x20001006 = 0;
    *(uint8_t*)0x20001007 = 0;
    *(uint8_t*)0x20001008 = 0;
    *(uint8_t*)0x20001009 = 0;
    *(uint8_t*)0x2000100a = 0;
    *(uint8_t*)0x2000100b = 0;
    *(uint8_t*)0x2000100c = 0;
    *(uint8_t*)0x2000100d = 0;
    *(uint8_t*)0x2000100e = 0;
    *(uint8_t*)0x2000100f = 0;
    *(uint8_t*)0x20001010 = 0;
    *(uint8_t*)0x20001011 = 0;
    *(uint8_t*)0x20001012 = 0;
    *(uint8_t*)0x20001013 = 0;
    *(uint8_t*)0x20001014 = 0;
    *(uint8_t*)0x20001015 = 0;
    *(uint8_t*)0x20001016 = 0;
    *(uint8_t*)0x20001017 = 0;
    *(uint8_t*)0x20001018 = 0;
    *(uint8_t*)0x20001019 = 0;
    *(uint8_t*)0x2000101a = 0;
    *(uint8_t*)0x2000101b = 0;
    *(uint8_t*)0x2000101c = 0;
    *(uint8_t*)0x2000101d = 0;
    *(uint8_t*)0x2000101e = 0;
    *(uint8_t*)0x2000101f = 0;
    *(uint32_t*)0x20001020 = 0;
    *(uint16_t*)0x20001024 = 0xa8;
    *(uint16_t*)0x20001026 = 0xd0;
    *(uint32_t*)0x20001028 = 0;
    *(uint64_t*)0x20001030 = 0;
    *(uint64_t*)0x20001038 = 0;
    *(uint16_t*)0x20001040 = 0x28;
    memcpy((void*)0x20001042, "\000\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000", 29);
    *(uint8_t*)0x2000105f = 0;
    *(uint32_t*)0x20001060 = 0xfffffffe;
    // The optlen 0x3e8 (1000) equals the 0x60-byte header plus size 0x388.
    syscall(__NR_setsockopt, r[0], 0x29ul, 0x40ul, 0x20000c80ul, 0x3e8ul);
    break;
  case 2:
    // pipe(fds): r[1] = read end, r[2] = write end.
    res = syscall(__NR_pipe, 0x20000040ul);
    if (res != -1) {
      r[1] = *(uint32_t*)0x20000040;
      r[2] = *(uint32_t*)0x20000044;
    }
    break;
  case 3:
    // socket(AF_INET (2), SOCK_DGRAM (2), 0)
    res = syscall(__NR_socket, 2ul, 2ul, 0ul);
    if (res != -1) r[3] = res;
    break;
  case 4:
    // Closes the AF_INET socket; call 8 below still uses r[3] as its output
    // fd, so unless call 4 outlives its 45 ms budget that splice targets a
    // closed descriptor (or one reused by a later open).
    syscall(__NR_close, r[3]);
    break;
  case 5:
    // struct msghdr at 0x20000300: msg_name=NULL/0, one iovec at 0x200002c0
    // pointing at the 87-byte blob below with iov_len=1, no control data.
    // sendmsg() is issued on fd -1 and therefore can only fail (EBADF); the
    // side effect that matters is that the blob now sits at 0x20000000,
    // which calls 6 uses as its write(2) source.
    *(uint64_t*)0x20000300 = 0;
    *(uint32_t*)0x20000308 = 0;
    *(uint64_t*)0x20000310 = 0x200002c0;
    *(uint64_t*)0x200002c0 = 0x20000000;
    memcpy((void*)0x20000000, "\x60\x00\x00\x00\x30\x00\x3d\xfa\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x4c\x00\x01\x00\x48\x00\x01\x00\x07\x00\x01\x00" "\x78\x74\x00\x00\x38\x00\x02\x80\x2a\x00\x06\x00\x26\x00\x00\x00" "\x6e\x67\x6c\x65\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x47\x3c\x02\xef\x00\x03\x00\x00\x00\x00" "\x00\x00\x00\x00\x08\x00\x02", 87);
    *(uint64_t*)0x200002c8 = 1;
    *(uint64_t*)0x20000318 = 1;
    *(uint64_t*)0x20000320 = 0;
    *(uint64_t*)0x20000328 = 0;
    *(uint32_t*)0x20000330 = 0;
    syscall(__NR_sendmsg, -1, 0x20000300ul, 0ul);
    break;
  case 6:
    // write(pipe write end, 0x20000000, 0xfffffecc): the length far exceeds
    // the 16 MiB mapping, so this fills the pipe from the mapped region until
    // it blocks or faults; on a full pipe it can exceed the 45 ms budget and
    // keep running while later calls are dispatched.
    syscall(__NR_write, r[2], 0x20000000ul, 0xfffffeccul);
    break;
  case 7:
    // socket(AF_NETLINK (0x10), SOCK_RAW (3), 0); result discarded.
    syscall(__NR_socket, 0x10ul, 3ul, 0ul);
    break;
  case 8:
    // splice(pipe read end -> r[3], 0x4ffe0 bytes, flags 0).
    syscall(__NR_splice, r[1], 0ul, r[3], 0ul, 0x4ffe0ul, 0ul);
    break;
  }
}

// Map the fixed 16 MiB scratch region every call addresses
// (PROT_READ|PROT_WRITE = 3, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS = 0x32),
// then run the fork/execute loop forever.
int main(void) {
  syscall(__NR_mmap, 0x20000000ul, 0x1000000ul, 3ul, 0x32ul, -1, 0);
  loop();
  return 0;
}