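// https://syzkaller.appspot.com/bug?id=4595bc1e3e8359e51a86748af853247f2866d174
// autogenerated by syzkaller (http://github.com/google/syzkaller)

// NOTE(review): this listing had been collapsed so that every preprocessor
// directive and definition shared one physical line behind the leading "//".
// The line structure is restored here; the code tokens are unchanged.
//
// NOTE(review): the header names after each #include were lost on the page
// (only the bare directive survived). The two lists below keep the original
// directive counts (32 and 8) and are reconstructed from the identifiers the
// visible code uses -- confirm against the original reproducer.

#define _GNU_SOURCE
#include <arpa/inet.h>
#include <endian.h>
#include <errno.h>
#include <errno.h>
#include <fcntl.h>
#include <linux/futex.h>
#include <linux/if.h>
#include <linux/if_ether.h>
#include <linux/if_tun.h>
#include <linux/ip.h>
#include <linux/net.h>
#include <linux/tcp.h>
#include <net/if_arp.h>
#include <pthread.h>
#include <sched.h>
#include <signal.h>
#include <signal.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/prctl.h>
#include <sys/resource.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/time.h>
#include <sys/uio.h>
#include <sys/wait.h>
#include <unistd.h>

// Terminate the whole process with `status` via the raw exit_group syscall.
// The empty loop after it never finishes, which backs the noreturn attribute.
__attribute__((noreturn)) static void doexit(int status)
{
  volatile unsigned i;
  syscall(__NR_exit_group, status);
  for (i = 0;; i++) {
  }
}

#include <errno.h>
#include <setjmp.h>
#include <signal.h>
#include <stdarg.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

// Exit statuses used by fail(): 69 when errno is ENOMEM or EAGAIN, 67 for
// every other errno value.
const int kFailStatus = 67;
const int kRetryStatus = 69;

// Print a printf-style message plus the errno seen on entry to stderr, then
// exit. errno is saved first because the stdio calls may overwrite it.
static void fail(const char* msg, ...)
{
  int e = errno;
  va_list args;
  va_start(args, msg);
  vfprintf(stderr, msg, args);
  va_end(args);
  fprintf(stderr, " (errno %d)\n", e);
  doexit((e == ENOMEM || e == EAGAIN) ? kRetryStatus : kFailStatus);
}

// Per-thread state shared between NONFAILING() and segv_handler():
// skip_segv is non-zero while a guarded statement runs, segv_env is the
// jump target saved by that guard.
static __thread int skip_segv;
static __thread jmp_buf segv_env;

// SIGSEGV/SIGBUS handler. When a NONFAILING() guard is active and the
// faulting address lies outside the 1 MiB..100 MiB window, jump back into the
// guard so the faulting statement is abandoned; otherwise exit with the
// signal number as status. The 0x2000xxxx addresses this program writes to
// (512 MiB and up) are outside that window.
// NOTE(review): the window presumably covers the program's own image, going
// by the names prog_start/prog_end -- confirm.
static void segv_handler(int sig, siginfo_t* info, void* uctx)
{
  uintptr_t addr = (uintptr_t)info->si_addr;
  const uintptr_t prog_start = 1 << 20;
  const uintptr_t prog_end = 100 << 20;
  if (__atomic_load_n(&skip_segv, __ATOMIC_RELAXED) &&
      (addr < prog_start || addr > prog_end)) {
    _longjmp(segv_env, 1);
  }
  doexit(sig);
}

// Ignore signals 0x20 and 0x21 through the raw rt_sigaction syscall (last
// argument 8 is the signal-set size in bytes), then install segv_handler for
// SIGSEGV and SIGBUS. SA_NODEFER leaves the signal unblocked inside the
// handler, which matters because the handler leaves through _longjmp.
// NOTE(review): 32 and 33 are the signals glibc keeps for its own threading
// code, which is presumably why sigaction() is bypassed -- confirm.
static void install_segv_handler()
{
  struct sigaction sa;
  memset(&sa, 0, sizeof(sa));
  sa.sa_handler = SIG_IGN;
  syscall(SYS_rt_sigaction, 0x20, &sa, NULL, 8);
  syscall(SYS_rt_sigaction, 0x21, &sa, NULL, 8);
  memset(&sa, 0, sizeof(sa));
  sa.sa_sigaction = segv_handler;
  sa.sa_flags = SA_NODEFER | SA_SIGINFO;
  sigaction(SIGSEGV, &sa, NULL);
  sigaction(SIGBUS, &sa, NULL);
}

// Run a statement that may fault. skip_segv is raised for the duration,
// _setjmp() records the return point, and a fault inside __VA_ARGS__ comes
// back through segv_handler so execution continues after the statement.
#define NONFAILING(...)                                                        \
  {                                                                            \
    __atomic_fetch_add(&skip_segv, 1, __ATOMIC_SEQ_CST);                       \
    if (_setjmp(segv_env) == 0) {                                              \
      __VA_ARGS__;                                                             \
    }                                                                          \
    __atomic_fetch_sub(&skip_segv, 1, __ATOMIC_SEQ_CST);                       \
  }

// vsnprintf() that treats both an encoding error (negative return) and
// truncation (return >= size) as fatal, so callers never use a cut-off string.
static void vsnprintf_check(char* str, size_t size, const char* format,
                            va_list args)
{
  int rv;

  rv = vsnprintf(str, size, format, args);
  if (rv < 0)
    fail("tun: snprintf failed");
  if ((size_t)rv >= size)
    fail("tun: string '%s...' doesn't fit into buffer", str);
}

#define COMMAND_MAX_LEN 128
#define PATH_PREFIX                                                            \
  "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin "
#define PATH_PREFIX_LEN (sizeof(PATH_PREFIX) - 1)

// Format a command (at most COMMAND_MAX_LEN bytes including the NUL), prefix
// it with a fixed PATH assignment and hand it to system(). A non-zero result
// is fatal only when `panic` is set; otherwise it is ignored.
//
// The string goes through the shell, so nothing in it is quoted or escaped.
// Every call in initialize_tun() and initialize_netdevices() builds it from
// string literals and compile-time constants only.
static void execute_command(bool panic, const char* format, ...)
{
  va_list args;
  char command[PATH_PREFIX_LEN + COMMAND_MAX_LEN];
  int rv;

  va_start(args, format);
  // The prefix is copied without its NUL; vsnprintf_check() terminates the
  // buffer when it writes the command right after it.
  memcpy(command, PATH_PREFIX, PATH_PREFIX_LEN);
  vsnprintf_check(command + PATH_PREFIX_LEN, COMMAND_MAX_LEN, format, args);
  va_end(args);
  rv = system(command);
  if (rv) {
    if (panic)
      fail("command '%s' failed: %d", &command[0], rv);
  }
}

static int tunfd = -1;
static int tun_frags_enabled;

#define SYZ_TUN_MAX_PACKET_SIZE 1000

#define TUN_IFACE "syz_tun"

#define LOCAL_MAC "aa:aa:aa:aa:aa:aa"
#define REMOTE_MAC "aa:aa:aa:aa:aa:bb"

#define LOCAL_IPV4 "172.20.20.170"
#define REMOTE_IPV4 "172.20.20.187"

#define LOCAL_IPV6 "fe80::aa"
#define REMOTE_IPV6 "fe80::bb"

#define IFF_NAPI 0x0010
#define IFF_NAPI_FRAGS 0x0020

// Create the "syz_tun" TAP interface and configure it with fixed MAC, IPv4
// and IPv6 addresses plus permanent neighbour entries for the remote side.
// If /dev/net/tun cannot be opened the function prints a hint and returns
// with tunfd left at -1; every later failure is fatal.
//
// The commands below change sysctls and interface state with whatever
// privileges the process has. The visible caller, do_sandbox_none(), calls
// unshare(CLONE_NEWNET) first but ignores its result, so on failure these
// changes land in the network namespace the process started in.
static void initialize_tun(void)
{
  tunfd = open("/dev/net/tun", O_RDWR | O_NONBLOCK);
  if (tunfd == -1) {
    printf("tun: can't open /dev/net/tun: please enable CONFIG_TUN=y\n");
    printf("otherwise fuzzing or reproducing might not work as intended\n");
    return;
  }
  // Move the descriptor to a fixed number (252) and drop the original.
  const int kTunFd = 252;
  if (dup2(tunfd, kTunFd) < 0)
    fail("dup2(tunfd, kTunFd) failed");
  close(tunfd);
  tunfd = kTunFd;

  struct ifreq ifr;
  memset(&ifr, 0, sizeof(ifr));
  // ifr was zeroed above and the name is shorter than IFNAMSIZ, so the
  // strncpy() result stays NUL-terminated.
  strncpy(ifr.ifr_name, TUN_IFACE, IFNAMSIZ);
  // Try with the NAPI flags first; retry without them if the ioctl rejects
  // the request.
  ifr.ifr_flags = IFF_TAP | IFF_NO_PI | IFF_NAPI | IFF_NAPI_FRAGS;
  if (ioctl(tunfd, TUNSETIFF, (void*)&ifr) < 0) {
    ifr.ifr_flags = IFF_TAP | IFF_NO_PI;
    if (ioctl(tunfd, TUNSETIFF, (void*)&ifr) < 0)
      fail("tun: ioctl(TUNSETIFF) failed");
  }
  // Read the flags back to record whether IFF_NAPI_FRAGS took effect.
  if (ioctl(tunfd, TUNGETIFF, (void*)&ifr) < 0)
    fail("tun: ioctl(TUNGETIFF) failed");
  tun_frags_enabled = (ifr.ifr_flags & IFF_NAPI_FRAGS) != 0;

  execute_command(1, "sysctl -w net.ipv6.conf.%s.accept_dad=0", TUN_IFACE);

  execute_command(1, "sysctl -w net.ipv6.conf.%s.router_solicitations=0",
                  TUN_IFACE);

  execute_command(1, "ip link set dev %s address %s", TUN_IFACE, LOCAL_MAC);
  execute_command(1, "ip addr add %s/24 dev %s", LOCAL_IPV4, TUN_IFACE);
  execute_command(1, "ip -6 addr add %s/120 dev %s", LOCAL_IPV6, TUN_IFACE);
  execute_command(1, "ip neigh add %s lladdr %s dev %s nud permanent",
                  REMOTE_IPV4, REMOTE_MAC, TUN_IFACE);
  execute_command(1, "ip -6 neigh add %s lladdr %s dev %s nud permanent",
                  REMOTE_IPV6, REMOTE_MAC, TUN_IFACE);
  execute_command(1, "ip link set dev %s up", TUN_IFACE);
}

#define DEV_IPV4 "172.20.20.%d"
#define DEV_IPV6 "fe80::%02hx"
#define DEV_MAC "aa:aa:aa:aa:aa:%02hx"

// Variadic front end for vsnprintf_check(): format into str, fatal on error
// or truncation.
static void snprintf_check(char* str, size_t size, const char* format, ...)
{
  va_list args;

  va_start(args, format);
  vsnprintf_check(str, size, format, args);
  va_end(args);
}

// Create a fixed set of virtual network devices (ip6gretap, bridge, vcan,
// bond, team, veth pairs), enslave veth ends to the bridge/bond/team masters,
// and give every name in devnames[] an IPv4, IPv6 and MAC address derived
// from its index + 10 before bringing it up. All commands run with panic=0,
// so a device type the kernel lacks is skipped rather than fatal.
static void initialize_netdevices(void)
{
  unsigned i;
  const char* devtypes[] = {"ip6gretap", "bridge", "vcan", "bond", "team"};
  const char* devnames[] = {"lo",
                            "sit0",
                            "bridge0",
                            "vcan0",
                            "tunl0",
                            "gre0",
                            "gretap0",
                            "ip_vti0",
                            "ip6_vti0",
                            "ip6tnl0",
                            "ip6gre0",
                            "ip6gretap0",
                            "erspan0",
                            "bond0",
                            "veth0",
                            "veth1",
                            "team0",
                            "veth0_to_bridge",
                            "veth1_to_bridge",
                            "veth0_to_bond",
                            "veth1_to_bond",
                            "veth0_to_team",
                            "veth1_to_team"};
  const char* devmasters[] = {"bridge", "bond", "team"};

  // One device per type, named "<type>0".
  for (i = 0; i < sizeof(devtypes) / (sizeof(devtypes[0])); i++)
    execute_command(0, "ip link add dev %s0 type %s", devtypes[i], devtypes[i]);
  execute_command(0, "ip link add type veth");

  // Two veth pairs per master: the *_slave_N end is attached to the master,
  // the vethN_to_* peer is only brought up.
  for (i = 0; i < sizeof(devmasters) / (sizeof(devmasters[0])); i++) {
    execute_command(
        0, "ip link add name %s_slave_0 type veth peer name veth0_to_%s",
        devmasters[i], devmasters[i]);
    execute_command(
        0, "ip link add name %s_slave_1 type veth peer name veth1_to_%s",
        devmasters[i], devmasters[i]);
    execute_command(0, "ip link set %s_slave_0 master %s0", devmasters[i],
                    devmasters[i]);
    execute_command(0, "ip link set %s_slave_1 master %s0", devmasters[i],
                    devmasters[i]);
    execute_command(0, "ip link set veth0_to_%s up", devmasters[i]);
    execute_command(0, "ip link set veth1_to_%s up", devmasters[i]);
  }
  execute_command(0, "ip link set bridge_slave_0 up");
  execute_command(0, "ip link set bridge_slave_1 up");

  // Address each listed device; addr is reused for the three formats.
  for (i = 0; i < sizeof(devnames) / (sizeof(devnames[0])); i++) {
    char addr[32];
    snprintf_check(addr, sizeof(addr), DEV_IPV4, i + 10);
    execute_command(0, "ip -4 addr add %s/24 dev %s", addr, devnames[i]);
    snprintf_check(addr, sizeof(addr), DEV_IPV6, i + 10);
    execute_command(0, "ip -6 addr add %s/120 dev %s", addr, devnames[i]);
    snprintf_check(addr, sizeof(addr), DEV_MAC, i + 10);
    execute_command(0, "ip link set dev %s address %s", devnames[i], addr);
    execute_command(0, "ip link set dev %s up", devnames[i]);
  }
}

static // storage class of the forward declaration that continues on the next source line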
void loop(); static void sandbox_common() { prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); setpgrp(); setsid(); struct rlimit rlim; rlim.rlim_cur = rlim.rlim_max = 160 << 20; setrlimit(RLIMIT_AS, &rlim); rlim.rlim_cur = rlim.rlim_max = 8 << 20; setrlimit(RLIMIT_MEMLOCK, &rlim); rlim.rlim_cur = rlim.rlim_max = 136 << 20; setrlimit(RLIMIT_FSIZE, &rlim); rlim.rlim_cur = rlim.rlim_max = 1 << 20; setrlimit(RLIMIT_STACK, &rlim); rlim.rlim_cur = rlim.rlim_max = 0; setrlimit(RLIMIT_CORE, &rlim); if (unshare(CLONE_NEWNS)) { } if (unshare(CLONE_NEWIPC)) { } if (unshare(0x02000000)) { } if (unshare(CLONE_NEWUTS)) { } if (unshare(CLONE_SYSVSEM)) { } } static int do_sandbox_none(void) { if (unshare(CLONE_NEWPID)) { } int pid = fork(); if (pid < 0) fail("sandbox fork failed"); if (pid) return pid; sandbox_common(); if (unshare(CLONE_NEWNET)) { } initialize_tun(); initialize_netdevices(); loop(); doexit(1); } struct thread_t { int created, running, call; pthread_t th; }; static struct thread_t threads[16]; static void execute_call(int call); static int running; static int collide; static void* thr(void* arg) { struct thread_t* th = (struct thread_t*)arg; for (;;) { while (!__atomic_load_n(&th->running, __ATOMIC_ACQUIRE)) syscall(SYS_futex, &th->running, FUTEX_WAIT, 0, 0); execute_call(th->call); __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED); __atomic_store_n(&th->running, 0, __ATOMIC_RELEASE); syscall(SYS_futex, &th->running, FUTEX_WAKE); } return 0; } static void execute(int num_calls) { int call, thread; running = 0; for (call = 0; call < num_calls; call++) { for (thread = 0; thread < sizeof(threads) / sizeof(threads[0]); thread++) { struct thread_t* th = &threads[thread]; if (!th->created) { th->created = 1; pthread_attr_t attr; pthread_attr_init(&attr); pthread_attr_setstacksize(&attr, 128 << 10); pthread_create(&th->th, &attr, thr, th); } if (!__atomic_load_n(&th->running, __ATOMIC_ACQUIRE)) { th->call = call; __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED); 
__atomic_store_n(&th->running, 1, __ATOMIC_RELEASE); syscall(SYS_futex, &th->running, FUTEX_WAKE); if (collide && call % 2) break; struct timespec ts; ts.tv_sec = 0; ts.tv_nsec = 20 * 1000 * 1000; syscall(SYS_futex, &th->running, FUTEX_WAIT, 1, &ts); if (running) usleep((call == num_calls - 1) ? 10000 : 1000); break; } } } } uint64_t r[4] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0x0}; void execute_call(int call) { long res; switch (call) { case 0: NONFAILING(memcpy((void*)0x20002840, "./file1", 8)); res = syscall(__NR_open, 0x20002840, 0x100, 0x10); if (res != -1) r[0] = res; break; case 1: res = syscall(__NR_eventfd2, 8, 0x80801); if (res != -1) r[1] = res; break; case 2: NONFAILING(*(uint64_t*)0x20003dc0 = 0x200028c0); NONFAILING(*(uint64_t*)0x200028c0 = 0); NONFAILING(*(uint32_t*)0x200028c8 = 0); NONFAILING(*(uint32_t*)0x200028cc = 0); NONFAILING(*(uint16_t*)0x200028d0 = 0x2cad); NONFAILING(*(uint16_t*)0x200028d2 = 0); NONFAILING(*(uint32_t*)0x200028d4 = r[0]); NONFAILING(*(uint64_t*)0x200028d8 = 0x20002880); NONFAILING(*(uint64_t*)0x200028e0 = 0); NONFAILING(*(uint64_t*)0x200028e8 = 0x10001); NONFAILING(*(uint64_t*)0x200028f0 = 0); NONFAILING(*(uint32_t*)0x200028f8 = 0); NONFAILING(*(uint32_t*)0x200028fc = r[1]); NONFAILING(*(uint64_t*)0x20003dc8 = 0x20002940); NONFAILING(*(uint64_t*)0x20002940 = 0); NONFAILING(*(uint32_t*)0x20002948 = 0); NONFAILING(*(uint32_t*)0x2000294c = 0); NONFAILING(*(uint16_t*)0x20002950 = 0xf); NONFAILING(*(uint16_t*)0x20002952 = 0x48); NONFAILING(*(uint32_t*)0x20002954 = r[1]); NONFAILING(*(uint64_t*)0x20002958 = 0x20003d80); NONFAILING(*(uint64_t*)0x20002960 = 0); NONFAILING(*(uint64_t*)0x20002968 = 0x1000); NONFAILING(*(uint64_t*)0x20002970 = 0); NONFAILING(*(uint32_t*)0x20002978 = 1); NONFAILING(*(uint32_t*)0x2000297c = r[1]); NONFAILING(*(uint64_t*)0x20003dd0 = 0x20002a40); NONFAILING(*(uint64_t*)0x20002a40 = 0); NONFAILING(*(uint32_t*)0x20002a48 = 0); NONFAILING(*(uint32_t*)0x20002a4c = 0); 
NONFAILING(*(uint16_t*)0x20002a50 = 6); NONFAILING(*(uint16_t*)0x20002a52 = 0x5a67); NONFAILING(*(uint32_t*)0x20002a54 = r[1]); NONFAILING(*(uint64_t*)0x20002a58 = 0x20002980); NONFAILING(*(uint64_t*)0x20002a60 = 0); NONFAILING(*(uint64_t*)0x20002a68 = 0x2fe); NONFAILING(*(uint64_t*)0x20002a70 = 0); NONFAILING(*(uint32_t*)0x20002a78 = 0); NONFAILING(*(uint32_t*)0x20002a7c = r[1]); NONFAILING(*(uint64_t*)0x20003dd8 = 0x20002b00); NONFAILING(*(uint64_t*)0x20002b00 = 0); NONFAILING(*(uint32_t*)0x20002b08 = 0); NONFAILING(*(uint32_t*)0x20002b0c = 0); NONFAILING(*(uint16_t*)0x20002b10 = 0xe); NONFAILING(*(uint16_t*)0x20002b12 = 8); NONFAILING(*(uint32_t*)0x20002b14 = r[1]); NONFAILING(*(uint64_t*)0x20002b18 = 0x20002a80); NONFAILING(*(uint64_t*)0x20002b20 = 0); NONFAILING(*(uint64_t*)0x20002b28 = 9); NONFAILING(*(uint64_t*)0x20002b30 = 0); NONFAILING(*(uint32_t*)0x20002b38 = 0); NONFAILING(*(uint32_t*)0x20002b3c = r[1]); NONFAILING(*(uint64_t*)0x20003de0 = 0x20003b40); NONFAILING(*(uint64_t*)0x20003b40 = 0); NONFAILING(*(uint32_t*)0x20003b48 = 0); NONFAILING(*(uint32_t*)0x20003b4c = 0); NONFAILING(*(uint16_t*)0x20003b50 = 7); NONFAILING(*(uint16_t*)0x20003b52 = 5); NONFAILING(*(uint32_t*)0x20003b54 = r[1]); NONFAILING(*(uint64_t*)0x20003b58 = 0x20002b40); NONFAILING(*(uint64_t*)0x20003b60 = 0); NONFAILING(*(uint64_t*)0x20003b68 = 3); NONFAILING(*(uint64_t*)0x20003b70 = 0); NONFAILING(*(uint32_t*)0x20003b78 = 0); NONFAILING(*(uint32_t*)0x20003b7c = r[1]); NONFAILING(*(uint64_t*)0x20003de8 = 0x20003c40); NONFAILING(*(uint64_t*)0x20003c40 = 0); NONFAILING(*(uint32_t*)0x20003c48 = 0); NONFAILING(*(uint32_t*)0x20003c4c = 0); NONFAILING(*(uint16_t*)0x20003c50 = 0xd); NONFAILING(*(uint16_t*)0x20003c52 = 0xfffc); NONFAILING(*(uint32_t*)0x20003c54 = r[0]); NONFAILING(*(uint64_t*)0x20003c58 = 0x20003b80); NONFAILING(*(uint64_t*)0x20003c60 = 0); NONFAILING(*(uint64_t*)0x20003c68 = 0x100000001); NONFAILING(*(uint64_t*)0x20003c70 = 0); NONFAILING(*(uint32_t*)0x20003c78 = 1); 
NONFAILING(*(uint32_t*)0x20003c7c = r[1]); NONFAILING(*(uint64_t*)0x20003df0 = 0x20003d00); NONFAILING(*(uint64_t*)0x20003d00 = 0); NONFAILING(*(uint32_t*)0x20003d08 = 0); NONFAILING(*(uint32_t*)0x20003d0c = 0); NONFAILING(*(uint16_t*)0x20003d10 = 0); NONFAILING(*(uint16_t*)0x20003d12 = 0x20); NONFAILING(*(uint32_t*)0x20003d14 = r[1]); NONFAILING(*(uint64_t*)0x20003d18 = 0x20003c80); NONFAILING(*(uint64_t*)0x20003d20 = 0); NONFAILING(*(uint64_t*)0x20003d28 = 6); NONFAILING(*(uint64_t*)0x20003d30 = 0); NONFAILING(*(uint32_t*)0x20003d38 = 1); NONFAILING(*(uint32_t*)0x20003d3c = r[1]); syscall(__NR_io_submit, 0, 7, 0x20003dc0); break; case 3: NONFAILING(memcpy((void*)0x20000000, "./file0", 8)); res = syscall(__NR_openat, 0xffffff9c, 0x20000000, 0x40, 0x20); if (res != -1) r[2] = res; break; case 4: NONFAILING(*(uint64_t*)0x20002480 = 0x20000040); NONFAILING(*(uint16_t*)0x20000040 = 1); NONFAILING(memcpy((void*)0x20000042, "\x2e\x2f\x66\x69\x6c\x65\x30\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", 108)); NONFAILING(*(uint32_t*)0x20002488 = 0x6e); NONFAILING(*(uint64_t*)0x20002490 = 0x20002400); NONFAILING(*(uint64_t*)0x20002400 = 0x200000c0); NONFAILING(*(uint64_t*)0x20002408 = 0); NONFAILING(*(uint64_t*)0x20002410 = 0x20000100); NONFAILING(*(uint64_t*)0x20002418 = 0); NONFAILING(*(uint64_t*)0x20002420 = 0x20000200); NONFAILING(*(uint64_t*)0x20002428 = 0); NONFAILING(*(uint64_t*)0x20002430 = 0x200002c0); NONFAILING(*(uint64_t*)0x20002438 = 0); NONFAILING(*(uint64_t*)0x20002440 = 0x20000380); NONFAILING(*(uint64_t*)0x20002448 = 0); NONFAILING(*(uint64_t*)0x20002450 = 0x20001380); 
NONFAILING(*(uint64_t*)0x20002458 = 0); NONFAILING(*(uint64_t*)0x20002460 = 0x20002380); NONFAILING(*(uint64_t*)0x20002468 = 0); NONFAILING(*(uint64_t*)0x20002498 = 7); NONFAILING(*(uint64_t*)0x200024a0 = 0); NONFAILING(*(uint64_t*)0x200024a8 = 0); NONFAILING(*(uint32_t*)0x200024b0 = 0x10); syscall(__NR_sendmsg, r[2], 0x20002480, 0x10); break; case 5: NONFAILING(*(uint64_t*)0x20004040 = 0x20003e00); NONFAILING(*(uint32_t*)0x20004048 = 0x80); NONFAILING(*(uint64_t*)0x20004050 = 0x20003fc0); NONFAILING(*(uint64_t*)0x20003fc0 = 0x20003e80); NONFAILING(*(uint64_t*)0x20003fc8 = 0xf8); NONFAILING(*(uint64_t*)0x20003fd0 = 0x20003f80); NONFAILING(*(uint64_t*)0x20003fd8 = 0x28); NONFAILING(*(uint64_t*)0x20004058 = 2); NONFAILING(*(uint64_t*)0x20004060 = 0x20004000); NONFAILING(*(uint64_t*)0x20004068 = 0x15); NONFAILING(*(uint32_t*)0x20004070 = 0x7fffffff); res = syscall(__NR_recvmsg, r[2], 0x20004040, 0); if (res != -1) NONFAILING(r[3] = *(uint32_t*)0x20003e04); break; case 6: NONFAILING(*(uint64_t*)0x20004940 = 0x20002900); NONFAILING(*(uint16_t*)0x20002900 = 0x10); NONFAILING(*(uint16_t*)0x20002902 = 0); NONFAILING(*(uint32_t*)0x20002904 = 0); NONFAILING(*(uint32_t*)0x20002908 = 0x1088000); NONFAILING(*(uint32_t*)0x20004948 = 0xc); NONFAILING(*(uint64_t*)0x20004950 = 0x20004900); NONFAILING(*(uint64_t*)0x20004900 = 0x20004080); NONFAILING(*(uint32_t*)0x20004080 = 0x868); NONFAILING(*(uint16_t*)0x20004084 = 0x25); NONFAILING(*(uint16_t*)0x20004086 = 0x600); NONFAILING(*(uint32_t*)0x20004088 = 0x70bd29); NONFAILING(*(uint32_t*)0x2000408c = 0x25dfdbfb); NONFAILING(*(uint8_t*)0x20004090 = 0); NONFAILING(*(uint32_t*)0x20004094 = r[3]); NONFAILING(*(uint16_t*)0x20004098 = -1); NONFAILING(*(uint16_t*)0x2000409a = 0xe); NONFAILING(*(uint16_t*)0x2000409c = 0); NONFAILING(*(uint16_t*)0x2000409e = -1); NONFAILING(*(uint16_t*)0x200040a0 = 6); NONFAILING(*(uint16_t*)0x200040a2 = 0xffe0); NONFAILING(*(uint16_t*)0x200040a4 = 8); NONFAILING(*(uint16_t*)0x200040a6 = 1); 
NONFAILING(memcpy((void*)0x200040a8, "cbq", 4)); NONFAILING(*(uint16_t*)0x200040ac = 0x834); NONFAILING(*(uint16_t*)0x200040ae = 2); NONFAILING(*(uint16_t*)0x200040b0 = 0x10); NONFAILING(*(uint16_t*)0x200040b2 = 3); NONFAILING(*(uint16_t*)0x200040b4 = 1); NONFAILING(*(uint16_t*)0x200040b6 = 7); NONFAILING(*(uint32_t*)0x200040b8 = 0x8000); NONFAILING(*(uint32_t*)0x200040bc = 5); NONFAILING(*(uint16_t*)0x200040c0 = 0x404); NONFAILING(*(uint16_t*)0x200040c2 = 6); NONFAILING(*(uint32_t*)0x200040c4 = 0xe167); NONFAILING(*(uint32_t*)0x200040c8 = 9); NONFAILING(*(uint32_t*)0x200040cc = 1); NONFAILING(*(uint32_t*)0x200040d0 = 7); NONFAILING(*(uint32_t*)0x200040d4 = 0xffff8000); NONFAILING(*(uint32_t*)0x200040d8 = 0xbd8); NONFAILING(*(uint32_t*)0x200040dc = 0x40); NONFAILING(*(uint32_t*)0x200040e0 = 8); NONFAILING(*(uint32_t*)0x200040e4 = 1); NONFAILING(*(uint32_t*)0x200040e8 = 3); NONFAILING(*(uint32_t*)0x200040ec = 3); NONFAILING(*(uint32_t*)0x200040f0 = 8); NONFAILING(*(uint32_t*)0x200040f4 = 6); NONFAILING(*(uint32_t*)0x200040f8 = 7); NONFAILING(*(uint32_t*)0x200040fc = 0x2a9f5e26); NONFAILING(*(uint32_t*)0x20004100 = 0xff); NONFAILING(*(uint32_t*)0x20004104 = 0); NONFAILING(*(uint32_t*)0x20004108 = 0x6e55); NONFAILING(*(uint32_t*)0x2000410c = 0x20); NONFAILING(*(uint32_t*)0x20004110 = 0xffffff7f); NONFAILING(*(uint32_t*)0x20004114 = 1); NONFAILING(*(uint32_t*)0x20004118 = 7); NONFAILING(*(uint32_t*)0x2000411c = 0); NONFAILING(*(uint32_t*)0x20004120 = 0x3e); NONFAILING(*(uint32_t*)0x20004124 = 0); NONFAILING(*(uint32_t*)0x20004128 = 0x100); NONFAILING(*(uint32_t*)0x2000412c = 0x20); NONFAILING(*(uint32_t*)0x20004130 = 0x1000); NONFAILING(*(uint32_t*)0x20004134 = 3); NONFAILING(*(uint32_t*)0x20004138 = 9); NONFAILING(*(uint32_t*)0x2000413c = 0x22c); NONFAILING(*(uint32_t*)0x20004140 = 0xffff1eb4); NONFAILING(*(uint32_t*)0x20004144 = 0); NONFAILING(*(uint32_t*)0x20004148 = 0x10001); NONFAILING(*(uint32_t*)0x2000414c = 7); NONFAILING(*(uint32_t*)0x20004150 = 4); 
NONFAILING(*(uint32_t*)0x20004154 = 6); NONFAILING(*(uint32_t*)0x20004158 = 0x7fffffff); NONFAILING(*(uint32_t*)0x2000415c = 7); NONFAILING(*(uint32_t*)0x20004160 = 4); NONFAILING(*(uint32_t*)0x20004164 = 4); NONFAILING(*(uint32_t*)0x20004168 = 8); NONFAILING(*(uint32_t*)0x2000416c = 0x8000); NONFAILING(*(uint32_t*)0x20004170 = 6); NONFAILING(*(uint32_t*)0x20004174 = 0); NONFAILING(*(uint32_t*)0x20004178 = 0); NONFAILING(*(uint32_t*)0x2000417c = 0); NONFAILING(*(uint32_t*)0x20004180 = 3); NONFAILING(*(uint32_t*)0x20004184 = 2); NONFAILING(*(uint32_t*)0x20004188 = 0); NONFAILING(*(uint32_t*)0x2000418c = 0x40); NONFAILING(*(uint32_t*)0x20004190 = 5); NONFAILING(*(uint32_t*)0x20004194 = 4); NONFAILING(*(uint32_t*)0x20004198 = 0x2000); NONFAILING(*(uint32_t*)0x2000419c = 1); NONFAILING(*(uint32_t*)0x200041a0 = 0x7fff); NONFAILING(*(uint32_t*)0x200041a4 = 1); NONFAILING(*(uint32_t*)0x200041a8 = 0); NONFAILING(*(uint32_t*)0x200041ac = 0x30); NONFAILING(*(uint32_t*)0x200041b0 = 0x7f); NONFAILING(*(uint32_t*)0x200041b4 = 9); NONFAILING(*(uint32_t*)0x200041b8 = 6); NONFAILING(*(uint32_t*)0x200041bc = 0xffffff11); NONFAILING(*(uint32_t*)0x200041c0 = 4); NONFAILING(*(uint32_t*)0x200041c4 = -1); NONFAILING(*(uint32_t*)0x200041c8 = 0xd); NONFAILING(*(uint32_t*)0x200041cc = 1); NONFAILING(*(uint32_t*)0x200041d0 = 2); NONFAILING(*(uint32_t*)0x200041d4 = 3); NONFAILING(*(uint32_t*)0x200041d8 = 0x10000); NONFAILING(*(uint32_t*)0x200041dc = 0x183); NONFAILING(*(uint32_t*)0x200041e0 = 0); NONFAILING(*(uint32_t*)0x200041e4 = 6); NONFAILING(*(uint32_t*)0x200041e8 = 0x40); NONFAILING(*(uint32_t*)0x200041ec = 0); NONFAILING(*(uint32_t*)0x200041f0 = 0x1239); NONFAILING(*(uint32_t*)0x200041f4 = 0x800); NONFAILING(*(uint32_t*)0x200041f8 = 0x7ec); NONFAILING(*(uint32_t*)0x200041fc = 0x80000001); NONFAILING(*(uint32_t*)0x20004200 = 3); NONFAILING(*(uint32_t*)0x20004204 = 5); NONFAILING(*(uint32_t*)0x20004208 = 0xffffffe0); NONFAILING(*(uint32_t*)0x2000420c = 6); 
NONFAILING(*(uint32_t*)0x20004210 = 5); NONFAILING(*(uint32_t*)0x20004214 = 4); NONFAILING(*(uint32_t*)0x20004218 = 2); NONFAILING(*(uint32_t*)0x2000421c = 0x20); NONFAILING(*(uint32_t*)0x20004220 = 6); NONFAILING(*(uint32_t*)0x20004224 = 5); NONFAILING(*(uint32_t*)0x20004228 = 6); NONFAILING(*(uint32_t*)0x2000422c = 9); NONFAILING(*(uint32_t*)0x20004230 = 0x3f); NONFAILING(*(uint32_t*)0x20004234 = 9); NONFAILING(*(uint32_t*)0x20004238 = 0); NONFAILING(*(uint32_t*)0x2000423c = 6); NONFAILING(*(uint32_t*)0x20004240 = 4); NONFAILING(*(uint32_t*)0x20004244 = 0xfffffe00); NONFAILING(*(uint32_t*)0x20004248 = 0x80000000); NONFAILING(*(uint32_t*)0x2000424c = 4); NONFAILING(*(uint32_t*)0x20004250 = 0xd1); NONFAILING(*(uint32_t*)0x20004254 = 0x401); NONFAILING(*(uint32_t*)0x20004258 = 0xff); NONFAILING(*(uint32_t*)0x2000425c = 0x3f); NONFAILING(*(uint32_t*)0x20004260 = 0x80000001); NONFAILING(*(uint32_t*)0x20004264 = 7); NONFAILING(*(uint32_t*)0x20004268 = 5); NONFAILING(*(uint32_t*)0x2000426c = 0x445); NONFAILING(*(uint32_t*)0x20004270 = 3); NONFAILING(*(uint32_t*)0x20004274 = 4); NONFAILING(*(uint32_t*)0x20004278 = 0x4cc); NONFAILING(*(uint32_t*)0x2000427c = 0); NONFAILING(*(uint32_t*)0x20004280 = 0x80000000); NONFAILING(*(uint32_t*)0x20004284 = 0xfffffe01); NONFAILING(*(uint32_t*)0x20004288 = 0x20); NONFAILING(*(uint32_t*)0x2000428c = 0xec02); NONFAILING(*(uint32_t*)0x20004290 = 0); NONFAILING(*(uint32_t*)0x20004294 = 3); NONFAILING(*(uint32_t*)0x20004298 = 0x200); NONFAILING(*(uint32_t*)0x2000429c = 0xffffff2a); NONFAILING(*(uint32_t*)0x200042a0 = 7); NONFAILING(*(uint32_t*)0x200042a4 = 1); NONFAILING(*(uint32_t*)0x200042a8 = 0); NONFAILING(*(uint32_t*)0x200042ac = 0x10000); NONFAILING(*(uint32_t*)0x200042b0 = 0x20); NONFAILING(*(uint32_t*)0x200042b4 = 5); NONFAILING(*(uint32_t*)0x200042b8 = 0x63bb3f5d); NONFAILING(*(uint32_t*)0x200042bc = 7); NONFAILING(*(uint32_t*)0x200042c0 = 0x8000); NONFAILING(*(uint32_t*)0x200042c4 = 0x72aa7362); NONFAILING(*(uint32_t*)0x200042c8 
= 0x10001); NONFAILING(*(uint32_t*)0x200042cc = 0xca9); NONFAILING(*(uint32_t*)0x200042d0 = 0x80000000); NONFAILING(*(uint32_t*)0x200042d4 = 2); NONFAILING(*(uint32_t*)0x200042d8 = 8); NONFAILING(*(uint32_t*)0x200042dc = 7); NONFAILING(*(uint32_t*)0x200042e0 = 8); NONFAILING(*(uint32_t*)0x200042e4 = 2); NONFAILING(*(uint32_t*)0x200042e8 = 9); NONFAILING(*(uint32_t*)0x200042ec = 6); NONFAILING(*(uint32_t*)0x200042f0 = 6); NONFAILING(*(uint32_t*)0x200042f4 = 3); NONFAILING(*(uint32_t*)0x200042f8 = 0x9379); NONFAILING(*(uint32_t*)0x200042fc = 0x69e); NONFAILING(*(uint32_t*)0x20004300 = 0x728); NONFAILING(*(uint32_t*)0x20004304 = 8); NONFAILING(*(uint32_t*)0x20004308 = 0x400); NONFAILING(*(uint32_t*)0x2000430c = 0x8a); NONFAILING(*(uint32_t*)0x20004310 = 3); NONFAILING(*(uint32_t*)0x20004314 = 6); NONFAILING(*(uint32_t*)0x20004318 = 0xff); NONFAILING(*(uint32_t*)0x2000431c = 0); NONFAILING(*(uint32_t*)0x20004320 = 0x3ff); NONFAILING(*(uint32_t*)0x20004324 = 0x7f); NONFAILING(*(uint32_t*)0x20004328 = 0x101); NONFAILING(*(uint32_t*)0x2000432c = 8); NONFAILING(*(uint32_t*)0x20004330 = 0x200); NONFAILING(*(uint32_t*)0x20004334 = 0); NONFAILING(*(uint32_t*)0x20004338 = 8); NONFAILING(*(uint32_t*)0x2000433c = 0); NONFAILING(*(uint32_t*)0x20004340 = 0); NONFAILING(*(uint32_t*)0x20004344 = 8); NONFAILING(*(uint32_t*)0x20004348 = 0xd50); NONFAILING(*(uint32_t*)0x2000434c = 0x81); NONFAILING(*(uint32_t*)0x20004350 = 0x401); NONFAILING(*(uint32_t*)0x20004354 = 7); NONFAILING(*(uint32_t*)0x20004358 = 1); NONFAILING(*(uint32_t*)0x2000435c = 0x41); NONFAILING(*(uint32_t*)0x20004360 = 0x12); NONFAILING(*(uint32_t*)0x20004364 = 7); NONFAILING(*(uint32_t*)0x20004368 = 2); NONFAILING(*(uint32_t*)0x2000436c = 5); NONFAILING(*(uint32_t*)0x20004370 = 0x80000000); NONFAILING(*(uint32_t*)0x20004374 = 1); NONFAILING(*(uint32_t*)0x20004378 = 0x10000); NONFAILING(*(uint32_t*)0x2000437c = 8); NONFAILING(*(uint32_t*)0x20004380 = 1); NONFAILING(*(uint32_t*)0x20004384 = 0x100); 
NONFAILING(*(uint32_t*)0x20004388 = 8); NONFAILING(*(uint32_t*)0x2000438c = 5); NONFAILING(*(uint32_t*)0x20004390 = 0); NONFAILING(*(uint32_t*)0x20004394 = 0x68d); NONFAILING(*(uint32_t*)0x20004398 = 5); NONFAILING(*(uint32_t*)0x2000439c = 0x800); NONFAILING(*(uint32_t*)0x200043a0 = 3); NONFAILING(*(uint32_t*)0x200043a4 = 3); NONFAILING(*(uint32_t*)0x200043a8 = 7); NONFAILING(*(uint32_t*)0x200043ac = 9); NONFAILING(*(uint32_t*)0x200043b0 = 0x200); NONFAILING(*(uint32_t*)0x200043b4 = 8); NONFAILING(*(uint32_t*)0x200043b8 = 0xffff0000); NONFAILING(*(uint32_t*)0x200043bc = 8); NONFAILING(*(uint32_t*)0x200043c0 = 0); NONFAILING(*(uint32_t*)0x200043c4 = 2); NONFAILING(*(uint32_t*)0x200043c8 = 0xfffffff7); NONFAILING(*(uint32_t*)0x200043cc = 0); NONFAILING(*(uint32_t*)0x200043d0 = 0xffff); NONFAILING(*(uint32_t*)0x200043d4 = 0xfffffffd); NONFAILING(*(uint32_t*)0x200043d8 = 1); NONFAILING(*(uint32_t*)0x200043dc = 0); NONFAILING(*(uint32_t*)0x200043e0 = 0x200); NONFAILING(*(uint32_t*)0x200043e4 = 0x10000); NONFAILING(*(uint32_t*)0x200043e8 = 5); NONFAILING(*(uint32_t*)0x200043ec = 0x401); NONFAILING(*(uint32_t*)0x200043f0 = 8); NONFAILING(*(uint32_t*)0x200043f4 = 0x101); NONFAILING(*(uint32_t*)0x200043f8 = 0); NONFAILING(*(uint32_t*)0x200043fc = 4); NONFAILING(*(uint32_t*)0x20004400 = 0); NONFAILING(*(uint32_t*)0x20004404 = 0xac4); NONFAILING(*(uint32_t*)0x20004408 = 3); NONFAILING(*(uint32_t*)0x2000440c = 9); NONFAILING(*(uint32_t*)0x20004410 = 0xde); NONFAILING(*(uint32_t*)0x20004414 = 0); NONFAILING(*(uint32_t*)0x20004418 = 3); NONFAILING(*(uint32_t*)0x2000441c = 5); NONFAILING(*(uint32_t*)0x20004420 = 1); NONFAILING(*(uint32_t*)0x20004424 = 0x20); NONFAILING(*(uint32_t*)0x20004428 = 0xe47); NONFAILING(*(uint32_t*)0x2000442c = 3); NONFAILING(*(uint32_t*)0x20004430 = 7); NONFAILING(*(uint32_t*)0x20004434 = 0xeb5); NONFAILING(*(uint32_t*)0x20004438 = 0x80); NONFAILING(*(uint32_t*)0x2000443c = 0x100); NONFAILING(*(uint32_t*)0x20004440 = 8); 
NONFAILING(*(uint32_t*)0x20004444 = 0); NONFAILING(*(uint32_t*)0x20004448 = 0xfff); NONFAILING(*(uint32_t*)0x2000444c = 0x101); NONFAILING(*(uint32_t*)0x20004450 = 7); NONFAILING(*(uint32_t*)0x20004454 = 0x7fffffff); NONFAILING(*(uint32_t*)0x20004458 = 0x80e); NONFAILING(*(uint32_t*)0x2000445c = 0); NONFAILING(*(uint32_t*)0x20004460 = 6); NONFAILING(*(uint32_t*)0x20004464 = 8); NONFAILING(*(uint32_t*)0x20004468 = 0x7f); NONFAILING(*(uint32_t*)0x2000446c = 0xffff); NONFAILING(*(uint32_t*)0x20004470 = 4); NONFAILING(*(uint32_t*)0x20004474 = 0xc3b4); NONFAILING(*(uint32_t*)0x20004478 = 0x3572b62); NONFAILING(*(uint32_t*)0x2000447c = 1); NONFAILING(*(uint32_t*)0x20004480 = 0x8001); NONFAILING(*(uint32_t*)0x20004484 = 8); NONFAILING(*(uint32_t*)0x20004488 = 0x400); NONFAILING(*(uint32_t*)0x2000448c = 0x10001); NONFAILING(*(uint32_t*)0x20004490 = 0x3f); NONFAILING(*(uint32_t*)0x20004494 = 0x100); NONFAILING(*(uint32_t*)0x20004498 = 5); NONFAILING(*(uint32_t*)0x2000449c = 3); NONFAILING(*(uint32_t*)0x200044a0 = 2); NONFAILING(*(uint32_t*)0x200044a4 = 8); NONFAILING(*(uint32_t*)0x200044a8 = 2); NONFAILING(*(uint32_t*)0x200044ac = 4); NONFAILING(*(uint32_t*)0x200044b0 = 0x10001); NONFAILING(*(uint32_t*)0x200044b4 = 5); NONFAILING(*(uint32_t*)0x200044b8 = 0x3f); NONFAILING(*(uint32_t*)0x200044bc = 4); NONFAILING(*(uint32_t*)0x200044c0 = 8); NONFAILING(*(uint16_t*)0x200044c4 = 0x404); NONFAILING(*(uint16_t*)0x200044c6 = 6); NONFAILING(*(uint32_t*)0x200044c8 = 0xb7); NONFAILING(*(uint32_t*)0x200044cc = 6); NONFAILING(*(uint32_t*)0x200044d0 = 0x7fffffff); NONFAILING(*(uint32_t*)0x200044d4 = 0x6ac); NONFAILING(*(uint32_t*)0x200044d8 = 0x1ff); NONFAILING(*(uint32_t*)0x200044dc = 5); NONFAILING(*(uint32_t*)0x200044e0 = 0xe6); NONFAILING(*(uint32_t*)0x200044e4 = 0); NONFAILING(*(uint32_t*)0x200044e8 = 6); NONFAILING(*(uint32_t*)0x200044ec = 0); NONFAILING(*(uint32_t*)0x200044f0 = 3); NONFAILING(*(uint32_t*)0x200044f4 = 0x6a3ff2d8); NONFAILING(*(uint32_t*)0x200044f8 = 8); 
NONFAILING(*(uint32_t*)0x200044fc = 6); NONFAILING(*(uint32_t*)0x20004500 = 0x3ff); NONFAILING(*(uint32_t*)0x20004504 = 8); NONFAILING(*(uint32_t*)0x20004508 = 1); NONFAILING(*(uint32_t*)0x2000450c = 6); NONFAILING(*(uint32_t*)0x20004510 = 0xeb10); NONFAILING(*(uint32_t*)0x20004514 = 0x3ff); NONFAILING(*(uint32_t*)0x20004518 = 4); NONFAILING(*(uint32_t*)0x2000451c = 0x401); NONFAILING(*(uint32_t*)0x20004520 = 0x1ff); NONFAILING(*(uint32_t*)0x20004524 = 7); NONFAILING(*(uint32_t*)0x20004528 = 0x80); NONFAILING(*(uint32_t*)0x2000452c = 9); NONFAILING(*(uint32_t*)0x20004530 = -1); NONFAILING(*(uint32_t*)0x20004534 = 0x3f); NONFAILING(*(uint32_t*)0x20004538 = 3); NONFAILING(*(uint32_t*)0x2000453c = 2); NONFAILING(*(uint32_t*)0x20004540 = 0); NONFAILING(*(uint32_t*)0x20004544 = 0x80000001); NONFAILING(*(uint32_t*)0x20004548 = 0x5cb); NONFAILING(*(uint32_t*)0x2000454c = 6); NONFAILING(*(uint32_t*)0x20004550 = 2); NONFAILING(*(uint32_t*)0x20004554 = 0); NONFAILING(*(uint32_t*)0x20004558 = 0x40); NONFAILING(*(uint32_t*)0x2000455c = 0x40); NONFAILING(*(uint32_t*)0x20004560 = 8); NONFAILING(*(uint32_t*)0x20004564 = 2); NONFAILING(*(uint32_t*)0x20004568 = 4); NONFAILING(*(uint32_t*)0x2000456c = 2); NONFAILING(*(uint32_t*)0x20004570 = 0xb5); NONFAILING(*(uint32_t*)0x20004574 = 3); NONFAILING(*(uint32_t*)0x20004578 = 3); NONFAILING(*(uint32_t*)0x2000457c = 5); NONFAILING(*(uint32_t*)0x20004580 = 8); NONFAILING(*(uint32_t*)0x20004584 = 8); NONFAILING(*(uint32_t*)0x20004588 = 3); NONFAILING(*(uint32_t*)0x2000458c = 5); NONFAILING(*(uint32_t*)0x20004590 = 0xf39); NONFAILING(*(uint32_t*)0x20004594 = 7); NONFAILING(*(uint32_t*)0x20004598 = 0x7fff); NONFAILING(*(uint32_t*)0x2000459c = 1); NONFAILING(*(uint32_t*)0x200045a0 = 0); NONFAILING(*(uint32_t*)0x200045a4 = 3); NONFAILING(*(uint32_t*)0x200045a8 = 7); NONFAILING(*(uint32_t*)0x200045ac = 0x9f0); NONFAILING(*(uint32_t*)0x200045b0 = 0x10000); NONFAILING(*(uint32_t*)0x200045b4 = 0x32a25ec5); NONFAILING(*(uint32_t*)0x200045b8 = -1); 
NONFAILING(*(uint32_t*)0x200045bc = 1); NONFAILING(*(uint32_t*)0x200045c0 = 2); NONFAILING(*(uint32_t*)0x200045c4 = 2); NONFAILING(*(uint32_t*)0x200045c8 = 1); NONFAILING(*(uint32_t*)0x200045cc = 0); NONFAILING(*(uint32_t*)0x200045d0 = 0x200); NONFAILING(*(uint32_t*)0x200045d4 = 0); NONFAILING(*(uint32_t*)0x200045d8 = 0x91c); NONFAILING(*(uint32_t*)0x200045dc = 2); NONFAILING(*(uint32_t*)0x200045e0 = 0xfff); NONFAILING(*(uint32_t*)0x200045e4 = 0x8000); NONFAILING(*(uint32_t*)0x200045e8 = 2); NONFAILING(*(uint32_t*)0x200045ec = 3); NONFAILING(*(uint32_t*)0x200045f0 = 2); NONFAILING(*(uint32_t*)0x200045f4 = 3); NONFAILING(*(uint32_t*)0x200045f8 = 0x66a); NONFAILING(*(uint32_t*)0x200045fc = 7); NONFAILING(*(uint32_t*)0x20004600 = 0x8a4); NONFAILING(*(uint32_t*)0x20004604 = 0xf7b); NONFAILING(*(uint32_t*)0x20004608 = 8); NONFAILING(*(uint32_t*)0x2000460c = 5); NONFAILING(*(uint32_t*)0x20004610 = 0x3ff); NONFAILING(*(uint32_t*)0x20004614 = 9); NONFAILING(*(uint32_t*)0x20004618 = 0xf9); NONFAILING(*(uint32_t*)0x2000461c = 8); NONFAILING(*(uint32_t*)0x20004620 = 6); NONFAILING(*(uint32_t*)0x20004624 = 0xd60); NONFAILING(*(uint32_t*)0x20004628 = 0x7fff); NONFAILING(*(uint32_t*)0x2000462c = 5); NONFAILING(*(uint32_t*)0x20004630 = 2); NONFAILING(*(uint32_t*)0x20004634 = 1); NONFAILING(*(uint32_t*)0x20004638 = 0x847c); NONFAILING(*(uint32_t*)0x2000463c = 8); NONFAILING(*(uint32_t*)0x20004640 = 4); NONFAILING(*(uint32_t*)0x20004644 = 0xfd); NONFAILING(*(uint32_t*)0x20004648 = 0x81); NONFAILING(*(uint32_t*)0x2000464c = 0x81); NONFAILING(*(uint32_t*)0x20004650 = 5); NONFAILING(*(uint32_t*)0x20004654 = 0xfffffffd); NONFAILING(*(uint32_t*)0x20004658 = 0x1f); NONFAILING(*(uint32_t*)0x2000465c = 4); NONFAILING(*(uint32_t*)0x20004660 = 0x40); NONFAILING(*(uint32_t*)0x20004664 = 0x57); NONFAILING(*(uint32_t*)0x20004668 = 9); NONFAILING(*(uint32_t*)0x2000466c = 5); NONFAILING(*(uint32_t*)0x20004670 = 7); NONFAILING(*(uint32_t*)0x20004674 = 6); NONFAILING(*(uint32_t*)0x20004678 = 1); 
NONFAILING(*(uint32_t*)0x2000467c = 0x1f); NONFAILING(*(uint32_t*)0x20004680 = 0x3f); NONFAILING(*(uint32_t*)0x20004684 = 0xbad); NONFAILING(*(uint32_t*)0x20004688 = 5); NONFAILING(*(uint32_t*)0x2000468c = 1); NONFAILING(*(uint32_t*)0x20004690 = 4); NONFAILING(*(uint32_t*)0x20004694 = 6); NONFAILING(*(uint32_t*)0x20004698 = 0x1ff); NONFAILING(*(uint32_t*)0x2000469c = 0); NONFAILING(*(uint32_t*)0x200046a0 = 0); NONFAILING(*(uint32_t*)0x200046a4 = 2); NONFAILING(*(uint32_t*)0x200046a8 = 0x7ff); NONFAILING(*(uint32_t*)0x200046ac = 2); NONFAILING(*(uint32_t*)0x200046b0 = 3); NONFAILING(*(uint32_t*)0x200046b4 = 0x8000); NONFAILING(*(uint32_t*)0x200046b8 = 0xfff); NONFAILING(*(uint32_t*)0x200046bc = 1); NONFAILING(*(uint32_t*)0x200046c0 = -1); NONFAILING(*(uint32_t*)0x200046c4 = 0xff); NONFAILING(*(uint32_t*)0x200046c8 = 0xfffffbff); NONFAILING(*(uint32_t*)0x200046cc = 0); NONFAILING(*(uint32_t*)0x200046d0 = 0x80000001); NONFAILING(*(uint32_t*)0x200046d4 = 6); NONFAILING(*(uint32_t*)0x200046d8 = 8); NONFAILING(*(uint32_t*)0x200046dc = 0x100); NONFAILING(*(uint32_t*)0x200046e0 = 0x97); NONFAILING(*(uint32_t*)0x200046e4 = 0xfa4a); NONFAILING(*(uint32_t*)0x200046e8 = 4); NONFAILING(*(uint32_t*)0x200046ec = 7); NONFAILING(*(uint32_t*)0x200046f0 = 7); NONFAILING(*(uint32_t*)0x200046f4 = 0x10000); NONFAILING(*(uint32_t*)0x200046f8 = 0); NONFAILING(*(uint32_t*)0x200046fc = 5); NONFAILING(*(uint32_t*)0x20004700 = 0x7236); NONFAILING(*(uint32_t*)0x20004704 = 3); NONFAILING(*(uint32_t*)0x20004708 = 0xfffffffa); NONFAILING(*(uint32_t*)0x2000470c = 4); NONFAILING(*(uint32_t*)0x20004710 = 7); NONFAILING(*(uint32_t*)0x20004714 = 1); NONFAILING(*(uint32_t*)0x20004718 = 0x401); NONFAILING(*(uint32_t*)0x2000471c = 0x70); NONFAILING(*(uint32_t*)0x20004720 = 0); NONFAILING(*(uint32_t*)0x20004724 = 2); NONFAILING(*(uint32_t*)0x20004728 = 0x5a16); NONFAILING(*(uint32_t*)0x2000472c = 7); NONFAILING(*(uint32_t*)0x20004730 = 0x8000); NONFAILING(*(uint32_t*)0x20004734 = 5); 
NONFAILING(*(uint32_t*)0x20004738 = 8); NONFAILING(*(uint32_t*)0x2000473c = 0); NONFAILING(*(uint32_t*)0x20004740 = 0x72); NONFAILING(*(uint32_t*)0x20004744 = 7); NONFAILING(*(uint32_t*)0x20004748 = 0x8001); NONFAILING(*(uint32_t*)0x2000474c = 8); NONFAILING(*(uint32_t*)0x20004750 = 0x10001); NONFAILING(*(uint32_t*)0x20004754 = 4); NONFAILING(*(uint32_t*)0x20004758 = 8); NONFAILING(*(uint32_t*)0x2000475c = 8); NONFAILING(*(uint32_t*)0x20004760 = 9); NONFAILING(*(uint32_t*)0x20004764 = 5); NONFAILING(*(uint32_t*)0x20004768 = 9); NONFAILING(*(uint32_t*)0x2000476c = 1); NONFAILING(*(uint32_t*)0x20004770 = 0x10000); NONFAILING(*(uint32_t*)0x20004774 = 5); NONFAILING(*(uint32_t*)0x20004778 = 2); NONFAILING(*(uint32_t*)0x2000477c = 0x36); NONFAILING(*(uint32_t*)0x20004780 = 0x100); NONFAILING(*(uint32_t*)0x20004784 = 0x7f); NONFAILING(*(uint32_t*)0x20004788 = 5); NONFAILING(*(uint32_t*)0x2000478c = 0x4734dd74); NONFAILING(*(uint32_t*)0x20004790 = 8); NONFAILING(*(uint32_t*)0x20004794 = 1); NONFAILING(*(uint32_t*)0x20004798 = 0xfffff801); NONFAILING(*(uint32_t*)0x2000479c = 2); NONFAILING(*(uint32_t*)0x200047a0 = 0); NONFAILING(*(uint32_t*)0x200047a4 = 5); NONFAILING(*(uint32_t*)0x200047a8 = 0); NONFAILING(*(uint32_t*)0x200047ac = 0x1ff); NONFAILING(*(uint32_t*)0x200047b0 = -1); NONFAILING(*(uint32_t*)0x200047b4 = 7); NONFAILING(*(uint32_t*)0x200047b8 = 0x80); NONFAILING(*(uint32_t*)0x200047bc = 7); NONFAILING(*(uint32_t*)0x200047c0 = 0x80); NONFAILING(*(uint32_t*)0x200047c4 = 1); NONFAILING(*(uint32_t*)0x200047c8 = 0x80000001); NONFAILING(*(uint32_t*)0x200047cc = 0xc49a); NONFAILING(*(uint32_t*)0x200047d0 = 0); NONFAILING(*(uint32_t*)0x200047d4 = 3); NONFAILING(*(uint32_t*)0x200047d8 = 0x800); NONFAILING(*(uint32_t*)0x200047dc = 6); NONFAILING(*(uint32_t*)0x200047e0 = 5); NONFAILING(*(uint32_t*)0x200047e4 = 3); NONFAILING(*(uint32_t*)0x200047e8 = 0x8eab); NONFAILING(*(uint32_t*)0x200047ec = 0x200); NONFAILING(*(uint32_t*)0x200047f0 = 0x10000); 
NONFAILING(*(uint32_t*)0x200047f4 = 0x1f); NONFAILING(*(uint32_t*)0x200047f8 = 4); NONFAILING(*(uint32_t*)0x200047fc = 9); NONFAILING(*(uint32_t*)0x20004800 = 1); NONFAILING(*(uint32_t*)0x20004804 = 1); NONFAILING(*(uint32_t*)0x20004808 = 0x80000001); NONFAILING(*(uint32_t*)0x2000480c = 0x20); NONFAILING(*(uint32_t*)0x20004810 = 0x6a4); NONFAILING(*(uint32_t*)0x20004814 = 6); NONFAILING(*(uint32_t*)0x20004818 = 6); NONFAILING(*(uint32_t*)0x2000481c = 0x20); NONFAILING(*(uint32_t*)0x20004820 = 1); NONFAILING(*(uint32_t*)0x20004824 = 0xfffffffc); NONFAILING(*(uint32_t*)0x20004828 = 1); NONFAILING(*(uint32_t*)0x2000482c = 7); NONFAILING(*(uint32_t*)0x20004830 = 6); NONFAILING(*(uint32_t*)0x20004834 = 0x8001); NONFAILING(*(uint32_t*)0x20004838 = 9); NONFAILING(*(uint32_t*)0x2000483c = 8); NONFAILING(*(uint32_t*)0x20004840 = 3); NONFAILING(*(uint32_t*)0x20004844 = 0); NONFAILING(*(uint32_t*)0x20004848 = 0x401); NONFAILING(*(uint32_t*)0x2000484c = 1); NONFAILING(*(uint32_t*)0x20004850 = 0x80000000); NONFAILING(*(uint32_t*)0x20004854 = 0); NONFAILING(*(uint32_t*)0x20004858 = 0xff); NONFAILING(*(uint32_t*)0x2000485c = 0xff); NONFAILING(*(uint32_t*)0x20004860 = 4); NONFAILING(*(uint32_t*)0x20004864 = 0); NONFAILING(*(uint32_t*)0x20004868 = 0x4e); NONFAILING(*(uint32_t*)0x2000486c = 8); NONFAILING(*(uint32_t*)0x20004870 = 0x4c); NONFAILING(*(uint32_t*)0x20004874 = 0x10000); NONFAILING(*(uint32_t*)0x20004878 = 9); NONFAILING(*(uint32_t*)0x2000487c = 9); NONFAILING(*(uint32_t*)0x20004880 = 0xfffeffff); NONFAILING(*(uint32_t*)0x20004884 = 7); NONFAILING(*(uint32_t*)0x20004888 = 0x8000); NONFAILING(*(uint32_t*)0x2000488c = 7); NONFAILING(*(uint32_t*)0x20004890 = 0x800); NONFAILING(*(uint32_t*)0x20004894 = 0); NONFAILING(*(uint32_t*)0x20004898 = 4); NONFAILING(*(uint32_t*)0x2000489c = 0xad51); NONFAILING(*(uint32_t*)0x200048a0 = 0x7fffffff); NONFAILING(*(uint32_t*)0x200048a4 = 8); NONFAILING(*(uint32_t*)0x200048a8 = 0xbe); NONFAILING(*(uint32_t*)0x200048ac = 3); 
NONFAILING(*(uint32_t*)0x200048b0 = 0); NONFAILING(*(uint32_t*)0x200048b4 = 7); NONFAILING(*(uint32_t*)0x200048b8 = 3); NONFAILING(*(uint32_t*)0x200048bc = 8); NONFAILING(*(uint32_t*)0x200048c0 = 0x8000); NONFAILING(*(uint32_t*)0x200048c4 = 0); NONFAILING(*(uint16_t*)0x200048c8 = 0x18); NONFAILING(*(uint16_t*)0x200048ca = 1); NONFAILING(*(uint8_t*)0x200048cc = 0x36); NONFAILING(*(uint8_t*)0x200048cd = 1); NONFAILING(*(uint8_t*)0x200048ce = 0x1b); NONFAILING(*(uint8_t*)0x200048cf = 3); NONFAILING(*(uint32_t*)0x200048d0 = 0x6948); NONFAILING(*(uint32_t*)0x200048d4 = 0x7fff); NONFAILING(*(uint32_t*)0x200048d8 = 9); NONFAILING(*(uint32_t*)0x200048dc = 9); NONFAILING(*(uint16_t*)0x200048e0 = 8); NONFAILING(*(uint16_t*)0x200048e2 = 5); NONFAILING(*(uint8_t*)0x200048e4 = 0xfd); NONFAILING(*(uint8_t*)0x200048e5 = 1); NONFAILING(*(uint64_t*)0x20004908 = 0x868); NONFAILING(*(uint64_t*)0x20004958 = 1); NONFAILING(*(uint64_t*)0x20004960 = 0); NONFAILING(*(uint64_t*)0x20004968 = 0); NONFAILING(*(uint32_t*)0x20004970 = 0x48000); syscall(__NR_sendmsg, r[2], 0x20004940, 0x8000); break; case 7: NONFAILING(memcpy((void*)0x200024c0, "./file0", 8)); syscall(__NR_lstat, 0x200024c0, 0x20002500); break; case 8: NONFAILING(memcpy((void*)0x20002580, "./file1", 8)); NONFAILING(*(uint64_t*)0x20002740 = 0x200025c0); NONFAILING(memcpy((void*)0x200025c0, "proc", 5)); NONFAILING(*(uint64_t*)0x20002748 = 0x20002600); NONFAILING(memcpy((void*)0x20002600, ",md5sum", 8)); NONFAILING(*(uint64_t*)0x20002750 = 0x20002640); NONFAILING(memcpy((void*)0x20002640, "trustedprocnodev.*--self", 25)); NONFAILING(*(uint64_t*)0x20002758 = 0x20002680); NONFAILING(memcpy((void*)0x20002680, "!", 2)); NONFAILING(*(uint64_t*)0x20002760 = 0x200026c0); NONFAILING(memcpy((void*)0x200026c0, "^@.vmnet0vmnet1", 16)); NONFAILING(*(uint64_t*)0x20002768 = 0x20002700); NONFAILING(memcpy((void*)0x20002700, "GPLvboxnet1bdev", 16)); NONFAILING(*(uint64_t*)0x20002800 = 0x20002780); NONFAILING(memcpy((void*)0x20002780, ")", 2)); 
NONFAILING(*(uint64_t*)0x20002808 = 0x200027c0); NONFAILING(memcpy((void*)0x200027c0, "vmnet0ppp1-**", 14)); syscall(__NR_execve, 0x20002580, 0x20002740, 0x20002800); break; } }

// Runs the generated call sequence twice: once as-is, then a second time with
// the global `collide` flag set to 1.
// NOTE(review): execute() and `collide` are defined outside this excerpt.
// Presumably 9 is the number of generated calls (the visible switch ends at
// case 8) and the second pass is syzkaller's collide mode, which overlaps
// calls to provoke races -- confirm against execute().
void loop() {
  execute(9);
  // The order matters: the first pass must run before collide is set.
  collide = 1;
  execute(9);
}

// Entry point of the reproducer: sets up the fixed data region, installs the
// fault handler, starts the sandboxed child and waits for it.
//
// Always returns 0 and discards the child's wait status, so a harness cannot
// tell from the exit code whether the kernel issue was triggered; that has to
// be read from the kernel log / console of the test machine.
int main() {
  // Fixed 16 MiB mapping at 0x20000000. With the usual Linux values, prot 3 is
  // PROT_READ|PROT_WRITE and flags 0x32 is MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS
  // (fd -1, offset 0). Every hard-coded 0x2000xxxx pointer in the generated
  // calls lands in this region.
  // NOTE(review): the return value is not checked. If the mapping fails, the
  // NONFAILING() stores fault and are skipped by the handler installed below,
  // so the program keeps running without reproducing anything.
  syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0);
  // SIGSEGV/SIGBUS handler that lets NONFAILING() blocks survive bad accesses.
  install_segv_handler();
  // do_sandbox_none() is defined outside this excerpt; its result is used
  // below as the pid to wait for.
  int pid = do_sandbox_none();
  int status = 0;
  // Retry until waitpid() reports exactly this pid; __WALL waits for children
  // regardless of type. Errors are not distinguished from other return values:
  // a waitpid() that keeps returning something other than pid makes this loop
  // spin.
  while (waitpid(pid, &status, __WALL) != pid) {
  }
  return 0;
}