// https://syzkaller.appspot.com/bug?id=f10ee477162a6f234fa4fc7120fa57a4586533c8
// autogenerated by syzkaller (https://github.com/google/syzkaller)
//
// Harness layout (this part of the file): small time helpers, a bitfield
// store macro, a sandbox that confines the reproducer child (rlimits,
// namespaces, dropped capabilities) and a supervisor loop that re-forks the
// test body under a timeout.  The test body, execute_one(), is defined
// further down; it writes syscall arguments to fixed addresses in the
// 0x20000000 region, and the code that maps that region is not in view
// here.  Every privileged setup step (mount, unshare, capset, sysctl
// writes) is best-effort: failures are ignored rather than reported.

#define _GNU_SOURCE
/* NOTE(review): the header names of the following includes were lost when
 * the page was extracted (only the `#include` tokens survived).  They must be
 * restored from the original reproducer before this file compiles. */
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include

/* Fallback for libc headers that predate bpf(2); 321 is the x86_64 number. */
#ifndef __NR_bpf
#define __NR_bpf 321
#endif

/* Sleep for `ms` milliseconds (converted to microseconds for usleep). */
static void sleep_ms(uint64_t ms)
{
  usleep(ms * 1000);
}

/* Monotonic clock in milliseconds, used for the per-iteration timeout in
 * loop().  A failing clock_gettime() is treated as fatal (exit(1)). */
static uint64_t current_time_ms(void)
{
  struct timespec ts;
  if (clock_gettime(CLOCK_MONOTONIC, &ts))
    exit(1);
  return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}

/* Mask covering bf_len bits starting at bit bf_off.  bf_len must stay below
 * 64: (1ull << 64) is undefined behaviour.  The uses in this file go up to
 * 26 bits, so they are in range. */
#define BITMASK(bf_off, bf_len) (((1ull << (bf_len)) - 1) << (bf_off))
/* Read-modify-write of a bitfield at raw address `addr`: clear the masked
 * bits, then OR in `val` shifted into place.  `htobe` names a byte-order
 * conversion macro, or is empty for host order -- every use in this file
 * passes it empty, so htobe(...) reduces to plain parentheses.  The store
 * goes through a `type*` formed from an integer address; the target must be
 * mapped and suitably aligned for `type` (see the file header note). */
#define STORE_BY_BITMASK(type, htobe, addr, val, bf_off, bf_len) \
  *(type*)(addr) = \
      htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | \
            (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len))))

/* Format `what` with the trailing varargs and write the result to `file`
 * with a single write(2).  Returns true on success.  On failure returns
 * false with errno preserved from open()/write() across the close().  The
 * formatted text is silently truncated at sizeof(buf)-1 bytes; all callers
 * in this file pass short literal strings. */
static bool write_file(const char* file, const char* what, ...)
{
  char buf[1024];
  va_list args;
  va_start(args, what);
  vsnprintf(buf, sizeof(buf), what, args);
  va_end(args);
  /* vsnprintf already NUL-terminates; this is a belt-and-braces guard. */
  buf[sizeof(buf) - 1] = 0;
  int len = strlen(buf);
  int fd = open(file, O_WRONLY | O_CLOEXEC);
  if (fd == -1)
    return false;
  if (write(fd, buf, len) != len) {
    /* close() may clobber errno; hand the write error back to the caller. */
    int err = errno;
    close(fd);
    errno = err;
    return false;
  }
  close(fd);
  return true;
}

/* Exclusive upper bound of the fd range close_fds() cleans up after a run. */
#define MAX_FDS 30

/* Best-effort mount of fusectl so kill_and_wait() can abort FUSE connections
 * that keep a child stuck; any failure is ignored. */
static void setup_common()
{
  if (mount(0, "/sys/fs/fuse/connections", "fusectl", 0, 0)) {
    /* ignored */
  }
}

/* Best-effort: create /dev/binderfs, mount binderfs there and expose it as
 * ./binderfs for the test body.  Each step ignores errors independently. */
static void setup_binderfs()
{
  if (mkdir("/dev/binderfs", 0777)) {
    /* ignored */
  }
  if (mount("binder", "/dev/binderfs", "binder", 0, NULL)) {
    /* ignored */
  }
  if (symlink("/dev/binderfs", "./binderfs")) {
    /* ignored */
  }
}

static void loop();

/* Confine the current process before it runs the supervisor loop:
 *  - die with SIGKILL when the parent exits, and start a new session;
 *  - cap address space (200 MiB), locked memory (32 MiB), file size
 *    (136 MiB), stack (1 MiB), core size (128 MiB) and open files (256);
 *  - enter private mount, IPC, cgroup, UTS and SysV-semaphore namespaces
 *    (0x02000000 is CLONE_NEWCGROUP, spelled numerically presumably so that
 *    older headers still compile);
 *  - raise the SysV IPC sysctls listed below via write_file().
 * setrlimit(), unshare(), mount() and the sysctl writes are all unchecked;
 * without the needed privileges the process simply runs less confined. */
static void sandbox_common()
{
  prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
  setsid();
  struct rlimit rlim;
  rlim.rlim_cur = rlim.rlim_max = (200 << 20);
  setrlimit(RLIMIT_AS, &rlim);
  rlim.rlim_cur = rlim.rlim_max = 32 << 20;
  setrlimit(RLIMIT_MEMLOCK, &rlim);
  rlim.rlim_cur = rlim.rlim_max = 136 << 20;
  setrlimit(RLIMIT_FSIZE, &rlim);
  rlim.rlim_cur = rlim.rlim_max = 1 << 20;
  setrlimit(RLIMIT_STACK, &rlim);
  rlim.rlim_cur = rlim.rlim_max = 128 << 20;
  setrlimit(RLIMIT_CORE, &rlim);
  rlim.rlim_cur = rlim.rlim_max = 256;
  setrlimit(RLIMIT_NOFILE, &rlim);
  if (unshare(CLONE_NEWNS)) {
    /* ignored */
  }
  /* Make the whole tree private so mounts below do not leak to the host. */
  if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL)) {
    /* ignored */
  }
  if (unshare(CLONE_NEWIPC)) {
    /* ignored */
  }
  if (unshare(0x02000000)) {
    /* ignored */
  }
  if (unshare(CLONE_NEWUTS)) {
    /* ignored */
  }
  if (unshare(CLONE_SYSVSEM)) {
    /* ignored */
  }
  typedef struct {
    const char* name;
    const char* value;
  } sysctl_t;
  static const sysctl_t sysctls[] = {
      {"/proc/sys/kernel/shmmax", "16777216"},
      {"/proc/sys/kernel/shmall", "536870912"},
      {"/proc/sys/kernel/shmmni", "1024"},
      {"/proc/sys/kernel/msgmax", "8192"},
      {"/proc/sys/kernel/msgmni", "1024"},
      {"/proc/sys/kernel/msgmnb", "1024"},
      {"/proc/sys/kernel/sem", "1024 1048576 500 1024"},
  };
  unsigned i;
  for (i = 0; i < sizeof(sysctls) / sizeof(sysctls[0]); i++)
    write_file(sysctls[i].name, sysctls[i].value);
}

/* Parent side of do_sandbox_none(): reap children (__WALL covers both
 * clone- and fork-style children) until `pid` itself is collected, then
 * return its exit status.  A negative pid means fork() failed: fatal. */
static int wait_for_loop(int pid)
{
  if (pid < 0)
    exit(1);
  int status = 0;
  while (waitpid(-1, &status, __WALL) != pid) {
  }
  return WEXITSTATUS(status);
}

/* Drop CAP_SYS_PTRACE and CAP_SYS_NICE from this process's effective,
 * permitted and inheritable sets.  Only cap_data[0] is edited: both
 * capabilities number below 32 and so live in the first 32-bit word of the
 * v3 capability data.  capget/capset failure is fatal. */
static void drop_caps(void)
{
  struct __user_cap_header_struct cap_hdr = {};
  struct __user_cap_data_struct cap_data[2] = {};
  cap_hdr.version = _LINUX_CAPABILITY_VERSION_3;
  cap_hdr.pid = getpid();
  if (syscall(SYS_capget, &cap_hdr, &cap_data))
    exit(1);
  const int drop = (1 << CAP_SYS_PTRACE) | (1 << CAP_SYS_NICE);
  cap_data[0].effective &= ~drop;
  cap_data[0].permitted &= ~drop;
  cap_data[0].inheritable &= ~drop;
  if (syscall(SYS_capset, &cap_hdr, &cap_data))
    exit(1);
}

/* The "none" sandbox: no user namespace or uid change, just the confinement
 * in sandbox_common() plus dropped capabilities.  unshare(CLONE_NEWPID)
 * only affects children created afterwards, so the fork()ed child becomes
 * PID 1 of a fresh PID namespace while the parent stays outside and merely
 * waits for it.  The child then enters a new network namespace, widens
 * ping_group_range (presumably so unprivileged ICMP sockets work), sets up
 * binderfs and runs loop(), which is not expected to return; exit(1) is a
 * backstop.  Returns the child's exit status (parent path only). */
static int do_sandbox_none(void)
{
  if (unshare(CLONE_NEWPID)) {
    /* ignored */
  }
  int pid = fork();
  if (pid != 0)
    return wait_for_loop(pid);
  setup_common();
  sandbox_common();
  drop_caps();
  if (unshare(CLONE_NEWNET)) {
    /* ignored */
  }
  write_file("/proc/sys/net/ipv4/ping_group_range", "0 65535");
  setup_binderfs();
  loop();
  exit(1);
}

/* Forcefully end a test child that overran its time budget.  Kills the
 * child's whole process group and the child itself, then polls for about
 * 100 ms for it to become reapable.  If it is still around, every FUSE
 * connection under fusectl is aborted -- the expected cause of an
 * unkillable child is a request blocked on a FUSE server that no longer
 * exists -- and the function then blocks until `pid` is reaped.  The
 * `abort` buffer holds a path; write(fd, abort, 1) sends one arbitrary
 * byte, which appears to be enough since the fusectl abort file acts on any
 * write.  *status receives the child's wait status. */
static void kill_and_wait(int pid, int* status)
{
  kill(-pid, SIGKILL);
  kill(pid, SIGKILL);
  for (int i = 0; i < 100; i++) {
    if (waitpid(-1, status, WNOHANG | __WALL) == pid)
      return;
    usleep(1000);
  }
  DIR* dir = opendir("/sys/fs/fuse/connections");
  if (dir) {
    for (;;) {
      struct dirent* ent = readdir(dir);
      if (!ent)
        break;
      if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
        continue;
      char abort[300];
      snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort",
               ent->d_name);
      int fd = open(abort, O_WRONLY);
      if (fd == -1) {
        continue;
      }
      if (write(fd, abort, 1) < 0) {
        /* ignored */
      }
      close(fd);
    }
    closedir(dir);
  } else {
    /* fusectl not mounted or not readable: nothing to abort. */
  }
  while (waitpid(-1, status, __WALL) != pid) {
  }
}

/* Per-iteration child setup: die with the supervisor, become a process group
 * leader (so kill(-pid) in kill_and_wait() reaches descendants) and make
 * this process the preferred OOM victim (oom_score_adj 1000). */
static void setup_test()
{
  prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
  setpgrp();
  write_file("/proc/self/oom_score_adj", "1000");
}

/* Close fds 3 .. MAX_FDS-1 after a test run; the harness assumes the test
 * body never opens beyond that range. */
static void close_fds()
{
  for (int fd = 3; fd < MAX_FDS; fd++)
    close(fd);
}

static void execute_one(void);

#define WAIT_FLAGS __WALL

/* Supervisor loop: fork one child per iteration, run setup_test() and
 * execute_one() in it, then wait for it under a time limit and fall back to
 * kill_and_wait() when it overruns.  `iter` is only a counter here.  The
 * body of this function continues past the end of this block. */
static void loop(void)
{
  int iter = 0;
  for (;; iter++) {
    int pid = fork();
    if (pid < 0)
      exit(1);
    if (pid == 0) {
      setup_test();
      execute_one();
      close_fds();
      exit(0);
    }
    int status = 0;
    uint64_t start =
current_time_ms(); for (;;) { if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) break; sleep_ms(1); if (current_time_ms() - start < 5000) continue; kill_and_wait(pid, &status); break; } } } uint64_t r[12] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff}; void execute_one(void) { intptr_t res = 0; *(uint32_t*)0x20000180 = 1; *(uint32_t*)0x20000184 = 0x80; *(uint8_t*)0x20000188 = 0; *(uint8_t*)0x20000189 = 0; *(uint8_t*)0x2000018a = 0; *(uint8_t*)0x2000018b = 0; *(uint32_t*)0x2000018c = 0; *(uint64_t*)0x20000190 = 0x1ff; *(uint64_t*)0x20000198 = 0; *(uint64_t*)0x200001a0 = 0; STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 0, 1); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 1, 1); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 2, 1); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 3, 1); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 4, 1); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 5, 1); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 6, 1); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 7, 1); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 8, 1); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 9, 1); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 10, 1); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 11, 1); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 12, 1); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 13, 1); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 14, 1); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 15, 2); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 17, 1); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 18, 1); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 19, 1); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 20, 1); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 21, 1); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 22, 1); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 23, 1); STORE_BY_BITMASK(uint64_t, , 
0x200001a8, 0, 24, 1); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 25, 1); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 26, 1); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 27, 1); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 28, 1); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 29, 1); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 30, 1); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 31, 1); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 32, 1); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 33, 1); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 34, 1); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 35, 1); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 36, 1); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 37, 1); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 38, 26); *(uint32_t*)0x200001b0 = 0; *(uint32_t*)0x200001b4 = 0; *(uint64_t*)0x200001b8 = 0x20000640; *(uint64_t*)0x200001c0 = 0; *(uint64_t*)0x200001c8 = 0; *(uint64_t*)0x200001d0 = 0; *(uint32_t*)0x200001d8 = 0; *(uint32_t*)0x200001dc = 0; *(uint64_t*)0x200001e0 = 0; *(uint32_t*)0x200001e8 = 0; *(uint16_t*)0x200001ec = 0; *(uint16_t*)0x200001ee = 0; *(uint32_t*)0x200001f0 = 0; *(uint32_t*)0x200001f4 = 0; *(uint64_t*)0x200001f8 = 0; syscall(__NR_perf_event_open, /*attr=*/0x20000180ul, /*pid=*/0, /*cpu=*/0xbffffffffffffffful, /*group=*/-1, /*flags=*/0ul); *(uint32_t*)0x20000200 = 0x18; *(uint32_t*)0x20000204 = 4; *(uint64_t*)0x20000208 = 0x200002c0; memcpy((void*)0x200002c0, "\x18\x01\x00\x00\x05\x00\x00\x00\x00\x00\x00\x00\x00\x00\xea\x04\x85" "\x00\x00\x00\x6d\x00\x00\x00\x95", 25); *(uint64_t*)0x20000210 = 0x20000100; memcpy((void*)0x20000100, "GPL\000", 4); *(uint32_t*)0x20000218 = 0; *(uint32_t*)0x2000021c = 0; *(uint64_t*)0x20000220 = 0; *(uint32_t*)0x20000228 = 0; *(uint32_t*)0x2000022c = 0; memset((void*)0x20000230, 0, 16); *(uint32_t*)0x20000240 = 0; *(uint32_t*)0x20000244 = 2; *(uint32_t*)0x20000248 = -1; *(uint32_t*)0x2000024c = 8; *(uint64_t*)0x20000250 = 0; *(uint32_t*)0x20000258 = 0; *(uint32_t*)0x2000025c = 0x10; 
*(uint64_t*)0x20000260 = 0; *(uint32_t*)0x20000268 = 0; *(uint32_t*)0x2000026c = 0; *(uint32_t*)0x20000270 = 0; *(uint32_t*)0x20000274 = 0; *(uint64_t*)0x20000278 = 0; *(uint64_t*)0x20000280 = 0; *(uint32_t*)0x20000288 = 0x10; *(uint32_t*)0x2000028c = 0; res = syscall(__NR_bpf, /*cmd=*/5ul, /*arg=*/0x20000200ul, /*size=*/0x80ul); if (res != -1) r[0] = res; *(uint64_t*)0x20000280 = 0x20000040; memcpy((void*)0x20000040, "sched_switch\000", 13); *(uint32_t*)0x20000288 = r[0]; syscall(__NR_bpf, /*cmd=*/0x11ul, /*arg=*/0x20000280ul, /*size=*/0x10ul); *(uint64_t*)0x200003c0 = 0x20000240; memcpy((void*)0x20000240, "rpcgss_upcall_result\000", 21); *(uint32_t*)0x200003c8 = r[0]; syscall(__NR_bpf, /*cmd=*/0x11ul, /*arg=*/0x200003c0ul, /*size=*/0x10ul); syscall(__NR_perf_event_open, /*attr=*/0ul, /*pid=*/0, /*cpu=*/0ul, /*group=*/-1, /*flags=*/0ul); syscall(__NR_perf_event_open, /*attr=*/0ul, /*pid=*/0, /*cpu=*/0xfffefffffffffffful, /*group=*/-1, /*flags=*/0ul); syscall(__NR_ioctl, /*fd=*/-1, /*cmd=*/0x4030582a, /*period=*/0ul); memcpy((void*)0x20000140, "memory.events\000", 14); res = syscall(__NR_openat, /*fd=*/0xffffff9c, /*file=*/0x20000140ul, /*flags=*/0x7a05ul, /*mode=*/0x1700ul); if (res != -1) r[1] = res; *(uint64_t*)0x20000ac0 = 0; *(uint32_t*)0x20000ac8 = 0; *(uint32_t*)0x20000acc = 0; *(uint32_t*)0x20000ad0 = 0; res = syscall(__NR_bpf, /*cmd=*/7ul, /*arg=*/0x20000ac0ul, /*size=*/0x18ul); if (res != -1) r[2] = res; syscall(__NR_openat, /*fd=*/0xffffff9c, /*file=*/0ul, /*flags=*/0x26e1ul, /*mode=*/0ul); memcpy((void*)0x20000640, "blkio.throttle.io_serviced\000", 27); res = syscall(__NR_openat, /*fd=*/-1, /*file=*/0x20000640ul, /*flags=*/0ul, /*mode=*/0ul); if (res != -1) r[3] = res; res = syscall(__NR_openat, /*fd=*/0xffffff9c, /*file=*/0ul, /*flags=*/0x26e1ul, /*mode=*/0ul); if (res != -1) r[4] = res; res = syscall(__NR_bpf, /*cmd=*/0x12ul, /*arg=*/0ul, /*size=*/0ul); if (res != -1) r[5] = res; *(uint32_t*)0x20000180 = 1; *(uint32_t*)0x20000184 = 0x80; 
*(uint8_t*)0x20000188 = 0; *(uint8_t*)0x20000189 = 0; *(uint8_t*)0x2000018a = 0; *(uint8_t*)0x2000018b = 0; *(uint32_t*)0x2000018c = 0; *(uint64_t*)0x20000190 = 0x1ff; *(uint64_t*)0x20000198 = 0; *(uint64_t*)0x200001a0 = 0; STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 0, 1); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 1, 1); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 2, 1); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 3, 1); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 4, 1); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 5, 1); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 6, 1); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 7, 1); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 8, 1); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 9, 1); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 10, 1); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 11, 1); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 12, 1); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 13, 1); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 14, 1); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 15, 2); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 17, 1); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 18, 1); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 19, 1); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 20, 1); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 21, 1); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 22, 1); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 23, 1); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 24, 1); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 25, 1); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 26, 1); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 27, 1); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 28, 1); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 29, 1); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 30, 1); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 31, 1); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 32, 1); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 33, 1); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 34, 1); 
STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 35, 1); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 36, 1); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 37, 1); STORE_BY_BITMASK(uint64_t, , 0x200001a8, 0, 38, 26); *(uint32_t*)0x200001b0 = 0; *(uint32_t*)0x200001b4 = 0; *(uint64_t*)0x200001b8 = 1; *(uint64_t*)0x200001c0 = 0; *(uint64_t*)0x200001c8 = 0; *(uint64_t*)0x200001d0 = 0; *(uint32_t*)0x200001d8 = 0; *(uint32_t*)0x200001dc = 0; *(uint64_t*)0x200001e0 = 0; *(uint32_t*)0x200001e8 = 0; *(uint16_t*)0x200001ec = 0; *(uint16_t*)0x200001ee = 0; *(uint32_t*)0x200001f0 = 0; *(uint32_t*)0x200001f4 = 0; *(uint64_t*)0x200001f8 = 0; syscall(__NR_perf_event_open, /*attr=*/0x20000180ul, /*pid=*/0, /*cpu=*/0xbffffffffffffffful, /*group=*/-1, /*flags=*/0ul); *(uint32_t*)0x200054c0 = 0xe; *(uint32_t*)0x200054c4 = 0x16; *(uint64_t*)0x200054c8 = 0x20000200; memcpy( (void*)0x20000200, "\x61\x15\x74\x00\x00\x00\x00\x00\x61\x13\x38\x00\x00\x00\x00\x00\xbf\xa0" "\x00\x00\x00\x00\x00\x00\x07\x00\x00\x00\x08\x00\x00\x00\x2d\x03\x01\x00" "\x00\x00\x00\x00\x95\x00\x69\x00\x00\x00\x00\x00\x69\x16\x00\x00\x00\x00" "\x00\x00\xbf\x67\x00\x00\x00\x00\x00\x00\x35\x06\x07\x00\x0f\xff\x07\x20" "\x67\x06\x00\x00\x02\x00\x00\x00\x15\x03\x00\x00\x0e\xe6\x00\x60\xbf\x05" "\x00\x00\x00\x00\x00\x00\x0f\x65\x00\x00\x00\x00\x00\x00\x65\x07\xf9\xff" "\x01\x00\x00\x00\x07\x07\x00\x00\x4d\xdf\xff\xff\x1e\x75\x00\x00\x00\x00" "\x00\x00\xbf\x54\x00\x00\x00\x00\x00\x00\x07\x04\x00\x00\x04\x00\xf9\xff" "\xad\x43\x01\x00\x00\x00\x00\x00\x95\x00\x00\x00\x00\x00\x00\x00\x15\x00" "\x00\x00\x00\x00\x00\x00\x95\x00\x00\x00\x00\x00\x00\x00\x32\xed\x3c\x12" "\xdc\x8c\x27\xdf\x8e\xcf\x26\x4e\x0f\x84\xf9\xf1\x7d\x3c\x30\xe3\x2f\x17" "\x54\x55\x8f\x22\x78\xaf\x6d\x71\xd7\x9a\x5e\x12\x81\x4c\xb1\xd8\xa5\xd4" "\x60\x1d\x29\x5c\x45\xa6\xa0\xb9\xbd\xb7\xdd\x39\x97\x03\xca\xc4\xf6\xf3" "\xbe\x4b\x36\x92\x89\xaa\x68\x12\xb8\xe0\x07\xe7\x33\xa9\xa4\xf1\xb0\xaf" 
"\x3d\xda\x82\xee\x45\xa0\x10\xfb\x94\xfe\x9d\xe5\x7b\x9d\x8a\x81\x42\x61" "\xbd\xb9\x4a\x05\x00\x00\x00\xc6\xc6\x0b\xf7\x0d\x74\x2a\x81\x76\x2b\xab" "\x83\x95\xfa\x64\x81\x0b\x5b\x40\xd8\x93\xea\x8f\xe0\x18\x54\x73\xd5\x1b" "\x54\x6c\xad\x3f\x1d\x5a\xb2\xaf\x27\x54\x6e\x7c\x95\x5c\xce\xfa\x1f\x6a" "\xb6\x89\xb5\x55\x20\x2d\xa2\xe0\xec\x28\x71\xb4\xa7\xe6\x58\x36\x42\x9a" "\x52\x7d\xc4\x7e\xbe\x84\xa4\x23\xb6\xc8\xd3\x45\xdc\x8d\xa3\x08\x5b\x0a" "\xb7\x1c\xa1\xb9\x01\x62\x7b\x56\x2e\xff\x4a\xe7\x60\x02\xd4\x51\x9a\xf6" "\x19\xe3\xcc\xa4\xd6\x9e\x0d\xee\x5e\xb1\x06\x77\x4a\x8f\x3e\x69\x16\xdf" "\x0a\x5c\x1b\xf2\xb2\xbb\x71\xa6\x29\x36\x19\x97\xa7\x5f\xd5\x52\xbd\xc2" "\x06\x43\x8b\x8e\xf4\x90\x1f\xd0\x3c\x29\xdf\xda\x44\x22\x1b\x23\x5c\x8a" "\xc8\x6d\x8a\x29\x7d\xff\x04\x45\xa1\x5f\x21\xdc\xe4\x31\xe5\x67\x23\x88" "\x8f\xb1\x26\xa1\x63\xf1\x6f\x92\x0a\xe2\xfb\x49\x40\x59\xbb\xa8\xe3\xb6" "\x80\x32\x4a\x18\x80\x76\xeb\x68\x5d\x57\xc4\xe9\xb2\xad\x9b\xc1\x14\x2b" "\xa7\xcb\xeb\xe1\x74\xab\xa2\x10\xd7\x39\xa0\x18\xf9\xbb\xec\x63\x22\x2d" "\x20\xce\xca\xc4\xd0\x37\x23\xf1\xc9\x32\xb3\xa6\xaa\x57\xd2\x00\x00\x00" "\x9f\x0f\x53\xac\xbb\x40\xb4\xf8\xe2\x73\x82\x70\xb3\x15\x62\xed\x83\x8b" "\x9d\xf9\x77\x87\xf6\x96\x64\x9a\x46\x2e\x7e\xe4\xbc\xf8\xb0\x7a\x10\xd6" "\x73\x51\x54\xbe\xb4\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x40\x00\xbc\x00\xf6\x74\x62\x97\x09\xe7\xe7\x8f\x4d\xdc\x21\x1b\xc3\xeb" "\xe6\xbd\x9d\x42\xca\x01\x40\xa7\xaf\xaa\xb4\x31\x76\xe6\x5e\xc1\x11\x8d" "\x50\xd1\xf3\x47\x2f\x44\x45\xd2\x53\x88\x7a\x5a\xd1\x03\x64\x9a\xfa\x17" "\x69\x08\x84\xf8\x00\x03\x1e\x03\xa6\x51\xbb\x96\x58\x9a\x7e\x2e\x50\x9b" "\xcc\x1d\x16\x13\x47\x62\x3c\xb5\xe7\xac\x46\x29\xc8\xab\x04\x87\x1b\xc4" "\x72\x87\xcd\x31\xcc\x43\xea\x0f\xfb\x56\x7b\x40\x40\x7d\x00\x00\x00\x21" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x5f\x37\xd8\x70\x3f\x37\xca\x36\x4a" "\x60\x1a\xe8\x99\xa5\x67\x15\xa0\xa6\x2a\x34\xc6\xc9\x4c\xce\x69\x94\x52" 
"\x16\x29\xab\x02\x8a\xcf\xc1\xd9\x26\xa0\xf6\xa5\x48\x0a\x55\xc2\x2f\xe3" "\xa5\xac\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xc1" "\xeb\x2d\x91\xfb\x79\xea\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\xe4\x00\x7b\xe5\x11\xfe\x32\xfb\xc9\x0e\x23\x64\xa5\x5e\x9b\xb6\x6a" "\xd2\xd0\x0f\xea\x25\x94\xe1\x90\xde\xae\x46\xe2\x6c\x59\x6f\x84\xeb\xa9" "\x00\x00\x00\x00\x00\x00\x00\x00\xff\xfb\x00\x00\x00\x00\x82\xfb\x0d\x3c" "\xc3\xaa\x39\xee\x4b\x13\x86\xba\xb5\x61\xcd\xa8\x86\xfa\x64\x29\x94\xca" "\xcd\x47\x3b\x54\x3c\xcb\x5f\x0d\x7b\x63\x92\x4f\x17\xc6\x7b\x13\x63\x1d" "\x22\xa1\x1d\xc3\xc6\x93\x96\x28\x95\x49\x6d\x4f\x6e\x9c\xc5\x4d\xb6\xc7" "\x20\x5a\x6b\x06\x8f\xff\x49\x6d\x2d\xa7\xd6\x32\x7f\x31\xd7\xc8\xcc\x5d" "\x32\x5c\x53\x79\xb0\x36\x3c\xe8\xbd\x1f\x61\xb0\x07\xe1\xff\x5f\x1b\xe1" "\x96\x9a\x1b\xa7\x91\xad\x46\xd8\x00\x00\x00\x00\xc7\xf2\x6a\x03\x37\x30" "\x2f\x3b\x41\xea\xe5\x98\x09\xfd\x05\xd1\x2f\x61\x06\xf1\x17\xb0\x62\xdf" "\x67\xd3\xa6\x47\x32\x65\xdd\x14\x10\xee\xa6\x82\x08\xa3\xf2\x6b\x29\x89" "\xb8\x32\xd8\xb3\x4a\x34\xa4\xf0\x8b\x34\xb3\x04\x20\x65\xac\xaa\x10\x85" "\x6e\x85\x8d\x27\xad\xee\x7d\xaf\x32\x90\x3d\x3f\xc7\x87\x00\xd4\x29\xa2" "\xd4\xc8\xb6\xd8\x03\xeb\x83\xee\xcf\xe4\xc7\xff\x9e\x6a\xb5\xa5\x2e\x83" "\xd0\x89\xda\xd7\xa8\x71\x0e\x02\x54\xf1\xb1\x1c\xce\xd7\xa4\x3c\x8d\xa0" "\xc4\x4d\x2e\xbf\x2f\x3f\x2b\x87\xbe\x4d\x14\x58\x07\x7c\x22\x53\xb0\xc7" "\xc7\xa0\xa9\xfd\xd6\x3b\xf9\x10\xdc\x20\xe5\xcb\x2a\x88\xe5\x9f\xeb\xc4" "\x7f\x12\x12\xa2\x1f\x63\x1d\xba\xa7\x4f\x22\xba\xd0\x50\xe9\x85\x6b\x48" "\xae\x3a\x03\xa4\x97\xc3\x77\x58\x53\x76\x50\xfe\x6d\xb8\x9d\xa3\xc4\x1f" "\xdc\x3d\x78\xe0\x46\xf6\x16\x0e\x17\x41\x29\x9e\x8d\xc2\x99\x06\x87\x0e" "\x64\x31\xed\x1e\xab\x5d\x06\x7a\x18\x3f\x06\x4b\x06\x0a\x8e\xc1\x27\x25" "\xd4\x2e\x3a\x74\x86\x3d\x66\xbe\xe9\x66\xb1\x57\x4f\x8e\x01\xb3\xf3\x4a" "\x26\x7f\xf0\xaf\xa1\xe1\xc7\x58\xa0\x07\x9b\x74\x70\x67\x31\x2e\x98\x15" 
"\xa2\x1c\xb3\xf1\xf8\x15\x0d\x99\x9d\x78\x85\x4c\xa4\xd3\x11\x6d\xbc\x7e" "\x2b\xf2\x40\x2a\x75\xfd\x7a\x55\x73\x33\x60\x04\x08\x4d\x9d\x87\xb2\x7f" "\x8a\x5d\x91\x21\x7b\x72\x8f\x13\xe3\xee\x20\xe6\x9e\x0f\xfb\x27\x80\xb1" "\xa7\xaf\x13\x7f\xf7\xb4\xff\x13\x96\x04\xfa\xf0\x45\x3b\xed\xf0\xc5\xd7" "\x44\xb5\x27\xc4\xdf\xa1\x08\xcb\xb8\x82\x02\xee\xb8\x1f\x42\x8a\x5b\x3c" "\x29\x98\x48\x64\x9e\x1a\x57\xff\x52\xf6\x57\xa6\x74\x63\xd7\xdb\xf8\x5a" "\xe9\x32\x34\xc2\xcc\x17\xdc\x4a\x5d\xfa\xcb\xa8\xde\xd5\xde\x82\x06\xc8" "\x12\x43\x9a\xb1\x29\xae\x81\x88\x37\xee\x15\x62\x07\x89\xc5\x24\xb3\xba" "\xf4\x9a\x0b\xe9\xbb\x7d\x95\x8d\x5e\x87\xc6\xc0\x9b\xf7\x1a\x89\x4b\xad" "\x62\x93\x47\x82\xcc\x30\x8e\x93\x6d\x76\x37\xe0\x7c\x4a\x2b\x3b\xc8\x7b" "\x0d\xa8\x00\x00\xd9\xef\x41\x8c\xf1\x9e\x7a\x8c\xf8\xff\xff\xff\xce\x91" "\x79\x8a\xdc\x2d\xca\x87\xdd\xd9\xd0\x64\xe0\x81\x38\x34\x09\xed\x29\x12" "\xc8\x11\xc6\x00\xf0\x32\x12\xa5\x33\x1c\x2a\x4e\xad\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x8d\x44\x96\xdc\x86\x2f\xcd\xb0\xee\x67\xfd\xd0\x06" "\xd4\xe4\x66\xe8\xb3\x2b\x3a\xfd\xae\xce\xe9\x86\x2e\xdf\x61\xcd\x0d\xd2" "\x4f\xf2\xdb\xa5\x62\xc5\xae\x5c\x05\x33\x55\xab\xb7\x62\xef\x2a\x5e\xe5" "\xf2\x85\xe3\x33\xb5\x22\xca\x09\xaf\x62\x6c\x6e\x4a\xd1\xc6\x85\x16\x53" "\x88\x00\x00\x15\xde\x7f\x20\x77\xcd\x6d\x96\xa8\xa6\x87\xc9\x7e\x7d\x1d" "\x5c\xc2\x5f\xfe\xbc\x53\xb2\xef\x9d\x57\xcf\x5d\x99\x5b\xad\x3d\xe6\xf5" "\x55\xe9\x61\x6d\x0e\x7c\x25\x82\x05\x66\x8d\xcf\xb3\x5c\x35\x50\xef\x80" "\xe0\xa7\x04\xa7\xd9\xdc\x23\xe1\x74\x2d\xc9\xe7\xd7\xd8\xc3\xb3\xcb\xa2" "\x22\x9c\xd1\xc0\xd8\x04\x69\x81\x78\x94\x93\xb2\x6c\x61\x1c\x40\xb8\x61" "\x57\xd7\xc3\x83\x14\x4b\xff\x71\x15\xf4\x40\xe0\x59\xbd\xfb\x73\x9d\x7c" "\x28\x5d\x6c\x20\x48\xc2\x29\xd1\xfd\x67\x79\x1b\xff\x7f\xa7\x58\xb9\x53" "\xb4\x1c\xf0\x77\x02\x87\x16\xa4\x11\xaf\xef\x49\xf5\x1d\x49\x0f\x09\xce" "\x07\x81\xf2\xd1\x76\x95\x51\xbb\x8f\x88\x2d\xfe\x8d\x14\x91\x14\x26\x66" 
"\xde\x72\xb2\x30\x35\x63\x76\xb6\x0a\xbc\x0b\x74\x94\xa6\x83\xec\xf9\x64" "\x63\xe8\x97\x44\xea\x22\x8a\xc1\x7f\x7a\xc5\xa0\x6b\x10\x3e\xa8\xc7\x8d" "\x82\xd4\x8d\x77\x00\xb6\x61\x35\x72\x24\xb8\x47\xa6\xad\xce\xd0\x4d\x87" "\xe0\xf4\x01\x9c\xae\x06\x5b\x48\xbe\x01\x95\x6d\x7c\x27\x9e\x82\x32\xe7" "\xf7\xe7\xb4\xb0\xc7\xc7\x40\xcb\x79\x20\x82\x3c\x26\xad\x3e\xc9\x7d\xb1" "\xe0\x9c\x34\x7d\xb2\x20\x85\x1d\x1e\x28\x0e\xa6\xbc\xe4\x0c\x16\x19\x3a" "\x89\x71\x9b\x74\xbe\x94\x56\xaf\xef\x6b\x6b\x56\xee\x88\xb8\x78\x40\x4a" "\x30\x8b\x4e\x94\x71\xe1\x1b\xc2\x50\xc3\x6c\x15\x4c\x20\xc8\x53\x33\x76" "\xe3\x47\xc8\x90\x20\xb7\xef\x95\x99\xea\x49\xee\x6d\x3b\x9b\x35\x5a\xd9" "\xfb\xda\x34\x62\x5d\x24\x31\x68\xd7\x88\xbf\x9a\x68\x1b\x09\xaa\x85\xe0" "\xda\x7d\x76\xf2\xcd\x02\x9e\xe3\xdf\x5d\x3a\x00\xf9\xd7\x0b\x5b\x2d\xe3" "\xf1\x0a\x4d\xc3\x2b\xae\x40\x39\x01\xba\x76\x0c\xd9\xc9\xb5\xfe\x62\x58" "\x27\xed\xae\x4e\x7c\x19\xdc\x6c\x2f\xe7\x01\x79\x7d\xf4\x73\x24\xca\xd9" "\x2d\x8e\xa6\x22\x70\xf8\x9d\x04\x14\x1e\x89\xbe\xe3\xc3\x61\x1a\x99\x6d" "\x9d\x9d\xb0\x05\x08\xad\xc9\x3d\x7b\xb2\x1d\xfe\x11\x74\xab\x2f\x31\xd0" "\x75\xe3\x0e\xe0\x7e\x16\xd2\x8a\xaa\x70\xa3\x5c\x55\x37\x0a\x3a\xf3\x15" "\xcf\x25\xa6\xcc\xe2\xca\xe3\xd6\xc7\x59\x06\x29\x0d\x55\xa2\xa2\x44\x7b" "\xb5\x71\xd6\x99\x15\x22\x13\x6e\xd0\x13\xb8\xf6\xf4\xcf\x0a\x91\x93\x1f" "\x0a\x7d\x88\xd4\xe6\x97\x29\xa7\x7a\x6e\x76\x43\x3c\x1a\x06\x68\x67\x7f" "\x8c\x76\x83\xf7\x79\xd3\x30\x1d\xb1\xf4\x3b\xd7\xdd\x0b\x30\x10\x98\xf5" "\x22\x43\x7e\xc5\xff\x0c\x35\x89\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00", 2038); *(uint64_t*)0x200054d0 = 0x20000100; memcpy((void*)0x20000100, "GPL\000", 4); *(uint32_t*)0x200054d8 = 0; *(uint32_t*)0x200054dc = 0; *(uint64_t*)0x200054e0 = 0; *(uint32_t*)0x200054e8 = 0; *(uint32_t*)0x200054ec = 0; memset((void*)0x200054f0, 0, 16); *(uint32_t*)0x20005500 = 0; *(uint32_t*)0x20005504 = 0; *(uint32_t*)0x20005508 = -1; *(uint32_t*)0x2000550c = 8; *(uint64_t*)0x20005510 = 0; 
*(uint32_t*)0x20005518 = 0; *(uint32_t*)0x2000551c = 0x10; *(uint64_t*)0x20005520 = 0; *(uint32_t*)0x20005528 = 0; *(uint32_t*)0x2000552c = 0; *(uint32_t*)0x20005530 = -1; *(uint32_t*)0x20005534 = 0; *(uint64_t*)0x20005538 = 0; *(uint64_t*)0x20005540 = 0; *(uint32_t*)0x20005548 = 0x10; *(uint32_t*)0x2000554c = 0; syscall(__NR_bpf, /*cmd=*/5ul, /*arg=*/0x200054c0ul, /*size=*/0x48ul); *(uint32_t*)0x20000800 = 9; *(uint32_t*)0x20000804 = 5; *(uint64_t*)0x20000808 = 0x20000300; *(uint8_t*)0x20000300 = 0x18; STORE_BY_BITMASK(uint8_t, , 0x20000301, 0, 0, 4); STORE_BY_BITMASK(uint8_t, , 0x20000301, 0, 4, 4); *(uint16_t*)0x20000302 = 0; *(uint32_t*)0x20000304 = 7; *(uint8_t*)0x20000308 = 0; *(uint8_t*)0x20000309 = 0; *(uint16_t*)0x2000030a = 0; *(uint32_t*)0x2000030c = 8; *(uint8_t*)0x20000310 = 0x18; STORE_BY_BITMASK(uint8_t, , 0x20000311, 8, 0, 4); STORE_BY_BITMASK(uint8_t, , 0x20000311, 4, 4, 4); *(uint16_t*)0x20000312 = 0; *(uint32_t*)0x20000314 = 4; *(uint8_t*)0x20000318 = 0; *(uint8_t*)0x20000319 = 0; *(uint16_t*)0x2000031a = 0; *(uint32_t*)0x2000031c = 0; *(uint8_t*)0x20000320 = 0x95; *(uint8_t*)0x20000321 = 0; *(uint16_t*)0x20000322 = 0; *(uint32_t*)0x20000324 = 0; *(uint64_t*)0x20000810 = 0x20000340; memcpy((void*)0x20000340, "GPL\000", 4); *(uint32_t*)0x20000818 = 0x101; *(uint32_t*)0x2000081c = 0xcf; *(uint64_t*)0x20000820 = 0x20000700; *(uint32_t*)0x20000828 = 0x41100; *(uint32_t*)0x2000082c = 0xb; memset((void*)0x20000830, 0, 16); *(uint32_t*)0x20000840 = 0; *(uint32_t*)0x20000844 = 0x1f; *(uint32_t*)0x20000848 = -1; *(uint32_t*)0x2000084c = 8; *(uint64_t*)0x20000850 = 0x200004c0; *(uint32_t*)0x200004c0 = 8; *(uint32_t*)0x200004c4 = 5; *(uint32_t*)0x20000858 = 8; *(uint32_t*)0x2000085c = 0x10; *(uint64_t*)0x20000860 = 0x20000640; *(uint32_t*)0x20000640 = 1; *(uint32_t*)0x20000644 = 4; *(uint32_t*)0x20000648 = 0x320; *(uint32_t*)0x2000064c = 0xe; *(uint32_t*)0x20000868 = 0x10; *(uint32_t*)0x2000086c = -1; *(uint32_t*)0x20000870 = -1; *(uint32_t*)0x20000874 = 0; 
*(uint64_t*)0x20000878 = 0; *(uint64_t*)0x20000880 = 0; *(uint32_t*)0x20000888 = 0x10; *(uint32_t*)0x2000088c = 0; syscall(__NR_bpf, /*cmd=*/5ul, /*arg=*/0x20000800ul, /*size=*/0x80ul); *(uint32_t*)0x200000c0 = 0xb; *(uint32_t*)0x200000c4 = 5; *(uint32_t*)0x200000c8 = 0x10001; *(uint32_t*)0x200000cc = 8; *(uint32_t*)0x200000d0 = 1; *(uint32_t*)0x200000d4 = -1; *(uint32_t*)0x200000d8 = 0; memset((void*)0x200000dc, 0, 16); *(uint32_t*)0x200000ec = 0; *(uint32_t*)0x200000f0 = -1; *(uint32_t*)0x200000f4 = 0; *(uint32_t*)0x200000f8 = 0; *(uint32_t*)0x200000fc = 0; *(uint64_t*)0x20000100 = 0; res = syscall(__NR_bpf, /*cmd=*/0ul, /*arg=*/0x200000c0ul, /*size=*/0x48ul); if (res != -1) r[6] = res; *(uint32_t*)0x20000000 = r[6]; *(uint64_t*)0x20000008 = 0; *(uint64_t*)0x20000010 = 0; *(uint64_t*)0x20000018 = 0; syscall(__NR_bpf, /*cmd=*/3ul, /*arg=*/0x20000000ul, /*size=*/0x20ul); *(uint32_t*)0x200004c0 = 2; *(uint32_t*)0x200004c4 = 4; *(uint32_t*)0x200004c8 = 4; *(uint32_t*)0x200004cc = 8; *(uint32_t*)0x200004d0 = 0; *(uint32_t*)0x200004d4 = -1; *(uint32_t*)0x200004d8 = 0; memset((void*)0x200004dc, 0, 16); *(uint32_t*)0x200004ec = 0; *(uint32_t*)0x200004f0 = -1; *(uint32_t*)0x200004f4 = 0; *(uint32_t*)0x200004f8 = 0; *(uint32_t*)0x200004fc = 0; *(uint64_t*)0x20000500 = 0; res = syscall(__NR_bpf, /*cmd=*/0ul, /*arg=*/0x200004c0ul, /*size=*/0x48ul); if (res != -1) r[7] = res; *(uint32_t*)0x20000040 = 0xc; *(uint32_t*)0x20000044 = 4; *(uint32_t*)0x20000048 = 4; *(uint32_t*)0x2000004c = 9; *(uint32_t*)0x20000050 = 0; *(uint32_t*)0x20000054 = r[7]; *(uint32_t*)0x20000058 = 1; memset((void*)0x2000005c, 0, 16); *(uint32_t*)0x2000006c = 0; *(uint32_t*)0x20000070 = -1; *(uint32_t*)0x20000074 = 0; *(uint32_t*)0x20000078 = 0; *(uint32_t*)0x2000007c = 0; *(uint64_t*)0x20000080 = 0; res = syscall(__NR_bpf, /*cmd=*/0ul, /*arg=*/0x20000040ul, /*size=*/0x48ul); if (res != -1) r[8] = res; *(uint32_t*)0x200003c0 = r[8]; *(uint64_t*)0x200003c8 = 0x20000300; *(uint64_t*)0x200003d0 = 
0x20000000; *(uint64_t*)0x200003d8 = 0; syscall(__NR_bpf, /*cmd=*/2ul, /*arg=*/0x200003c0ul, /*size=*/0x20ul); *(uint32_t*)0x20000400 = 0x1e; *(uint32_t*)0x20000404 = 7; *(uint32_t*)0x20000408 = 0x5c7; *(uint32_t*)0x2000040c = 9; *(uint32_t*)0x20000410 = 0x314; *(uint32_t*)0x20000414 = -1; *(uint32_t*)0x20000418 = 2; memset((void*)0x2000041c, 0, 16); *(uint32_t*)0x2000042c = 0; *(uint32_t*)0x20000430 = -1; *(uint32_t*)0x20000434 = 5; *(uint32_t*)0x20000438 = 4; *(uint32_t*)0x2000043c = 3; *(uint64_t*)0x20000440 = 0xb; res = syscall(__NR_bpf, /*cmd=*/0ul, /*arg=*/0x20000400ul, /*size=*/0x48ul); if (res != -1) r[9] = res; *(uint32_t*)0x20000500 = 0x11; *(uint32_t*)0x20000504 = 8; *(uint64_t*)0x20000508 = 0x20000100; *(uint8_t*)0x20000100 = 0x18; STORE_BY_BITMASK(uint8_t, , 0x20000101, 5, 0, 4); STORE_BY_BITMASK(uint8_t, , 0x20000101, 3, 4, 4); *(uint16_t*)0x20000102 = 0; *(uint32_t*)0x20000104 = 4; *(uint8_t*)0x20000108 = 0; *(uint8_t*)0x20000109 = 0; *(uint16_t*)0x2000010a = 0; *(uint32_t*)0x2000010c = 0; *(uint8_t*)0x20000110 = 0x18; STORE_BY_BITMASK(uint8_t, , 0x20000111, 0, 0, 4); STORE_BY_BITMASK(uint8_t, , 0x20000111, 2, 4, 4); *(uint16_t*)0x20000112 = 0; *(uint32_t*)0x20000114 = -1; *(uint8_t*)0x20000118 = 0; *(uint8_t*)0x20000119 = 0; *(uint16_t*)0x2000011a = 0; *(uint32_t*)0x2000011c = 0x3c7; *(uint8_t*)0x20000120 = 0x18; STORE_BY_BITMASK(uint8_t, , 0x20000121, 6, 0, 4); STORE_BY_BITMASK(uint8_t, , 0x20000121, 3, 4, 4); *(uint16_t*)0x20000122 = 0; *(uint32_t*)0x20000124 = 4; *(uint8_t*)0x20000128 = 0; *(uint8_t*)0x20000129 = 0; *(uint16_t*)0x2000012a = 0; *(uint32_t*)0x2000012c = 0; *(uint8_t*)0x20000130 = 0x18; STORE_BY_BITMASK(uint8_t, , 0x20000131, 9, 0, 4); STORE_BY_BITMASK(uint8_t, , 0x20000131, 3, 4, 4); *(uint16_t*)0x20000132 = 0; *(uint32_t*)0x20000134 = 2; *(uint8_t*)0x20000138 = 0; *(uint8_t*)0x20000139 = 0; *(uint16_t*)0x2000013a = 0; *(uint32_t*)0x2000013c = 0; *(uint64_t*)0x20000510 = 0x20000140; memcpy((void*)0x20000140, "GPL\000", 4); 
*(uint32_t*)0x20000518 = 1; *(uint32_t*)0x2000051c = 0x86; *(uint64_t*)0x20000520 = 0x200001c0; *(uint32_t*)0x20000528 = 0x40f00; *(uint32_t*)0x2000052c = 0; memset((void*)0x20000530, 0, 16); *(uint32_t*)0x20000540 = 0; *(uint32_t*)0x20000544 = 0; *(uint32_t*)0x20000548 = -1; *(uint32_t*)0x2000054c = 8; *(uint64_t*)0x20000550 = 0; *(uint32_t*)0x20000558 = 0; *(uint32_t*)0x2000055c = 0x10; *(uint64_t*)0x20000560 = 0x20000340; *(uint32_t*)0x20000340 = 5; *(uint32_t*)0x20000344 = 0; *(uint32_t*)0x20000348 = 3; *(uint32_t*)0x2000034c = 0xe6; *(uint32_t*)0x20000568 = 0x10; *(uint32_t*)0x2000056c = 0; *(uint32_t*)0x20000570 = 0; *(uint32_t*)0x20000574 = 0; *(uint64_t*)0x20000578 = 0x20000480; *(uint32_t*)0x20000480 = r[6]; *(uint32_t*)0x20000484 = -1; *(uint32_t*)0x20000488 = -1; *(uint32_t*)0x2000048c = -1; *(uint32_t*)0x20000490 = -1; *(uint32_t*)0x20000494 = -1; *(uint32_t*)0x20000498 = r[8]; *(uint32_t*)0x2000049c = -1; *(uint32_t*)0x200004a0 = r[9]; *(uint64_t*)0x20000580 = 0; *(uint32_t*)0x20000588 = 0x10; *(uint32_t*)0x2000058c = 0; syscall(__NR_bpf, /*cmd=*/5ul, /*arg=*/0x20000500ul, /*size=*/0x90ul); *(uint32_t*)0x20000d40 = 0x1b; *(uint32_t*)0x20000d44 = 0; *(uint32_t*)0x20000d48 = 0; *(uint32_t*)0x20000d4c = 0xffff7fff; *(uint32_t*)0x20000d50 = 0; *(uint32_t*)0x20000d54 = r[4]; *(uint32_t*)0x20000d58 = 0x7fff; memset((void*)0x20000d5c, 0, 16); *(uint32_t*)0x20000d6c = 0; *(uint32_t*)0x20000d70 = r[5]; *(uint32_t*)0x20000d74 = 2; *(uint32_t*)0x20000d78 = 3; *(uint32_t*)0x20000d7c = 2; *(uint64_t*)0x20000d80 = 0; res = syscall(__NR_bpf, /*cmd=*/0ul, /*arg=*/0x20000d40ul, /*size=*/0x48ul); if (res != -1) r[10] = res; res = syscall(__NR_openat, /*fd=*/0xffffff9c, /*file=*/0ul, /*flags=*/0x100002ul, /*mode=*/0ul); if (res != -1) r[11] = res; *(uint64_t*)0x20000040 = 0x18a; syscall(__NR_ioctl, /*fd=*/r[11], /*cmd=*/0xc020660b, /*period=*/0x20000040ul); *(uint32_t*)0x20001100 = r[11]; *(uint64_t*)0x20001108 = 0x20001080; *(uint32_t*)0x20001080 = 0; 
*(uint64_t*)0x20001110 = 0x200010c0; memcpy((void*)0x200010c0, "%pK \000", 8); *(uint64_t*)0x20001118 = 0; syscall(__NR_bpf, /*cmd=*/2ul, /*arg=*/0x20001100ul, /*size=*/0x20ul); *(uint32_t*)0x20000e00 = 0x18; *(uint32_t*)0x20000e04 = 0x25; *(uint64_t*)0x20000e08 = 0x20000b00; *(uint8_t*)0x20000b00 = 0x18; STORE_BY_BITMASK(uint8_t, , 0x20000b01, 0, 0, 4); STORE_BY_BITMASK(uint8_t, , 0x20000b01, 0, 4, 4); *(uint16_t*)0x20000b02 = 0; *(uint32_t*)0x20000b04 = 8; *(uint8_t*)0x20000b08 = 0; *(uint8_t*)0x20000b09 = 0; *(uint16_t*)0x20000b0a = 0; *(uint32_t*)0x20000b0c = 7; *(uint8_t*)0x20000b10 = 0x18; STORE_BY_BITMASK(uint8_t, , 0x20000b11, 1, 0, 4); STORE_BY_BITMASK(uint8_t, , 0x20000b11, 1, 4, 4); *(uint16_t*)0x20000b12 = 0; *(uint32_t*)0x20000b14 = r[2]; *(uint8_t*)0x20000b18 = 0; *(uint8_t*)0x20000b19 = 0; *(uint16_t*)0x20000b1a = 0; *(uint32_t*)0x20000b1c = 0; STORE_BY_BITMASK(uint8_t, , 0x20000b20, 7, 0, 3); STORE_BY_BITMASK(uint8_t, , 0x20000b20, 0, 3, 1); STORE_BY_BITMASK(uint8_t, , 0x20000b20, 0xb, 4, 4); STORE_BY_BITMASK(uint8_t, , 0x20000b21, 2, 0, 4); STORE_BY_BITMASK(uint8_t, , 0x20000b21, 0, 4, 4); *(uint16_t*)0x20000b22 = 0; *(uint32_t*)0x20000b24 = 0x14; STORE_BY_BITMASK(uint8_t, , 0x20000b28, 7, 0, 3); STORE_BY_BITMASK(uint8_t, , 0x20000b28, 0, 3, 1); STORE_BY_BITMASK(uint8_t, , 0x20000b28, 0xb, 4, 4); STORE_BY_BITMASK(uint8_t, , 0x20000b29, 3, 0, 4); STORE_BY_BITMASK(uint8_t, , 0x20000b29, 0, 4, 4); *(uint16_t*)0x20000b2a = 0; *(uint32_t*)0x20000b2c = 0; *(uint8_t*)0x20000b30 = 0x85; *(uint8_t*)0x20000b31 = 0; *(uint16_t*)0x20000b32 = 0; *(uint32_t*)0x20000b34 = 0x83; STORE_BY_BITMASK(uint8_t, , 0x20000b38, 7, 0, 3); STORE_BY_BITMASK(uint8_t, , 0x20000b38, 1, 3, 1); STORE_BY_BITMASK(uint8_t, , 0x20000b38, 0xb, 4, 4); STORE_BY_BITMASK(uint8_t, , 0x20000b39, 9, 0, 4); STORE_BY_BITMASK(uint8_t, , 0x20000b39, 0, 4, 4); *(uint16_t*)0x20000b3a = 0; *(uint32_t*)0x20000b3c = 0; STORE_BY_BITMASK(uint8_t, , 0x20000b40, 5, 0, 3); STORE_BY_BITMASK(uint8_t, , 
0x20000b40, 0, 3, 1); STORE_BY_BITMASK(uint8_t, , 0x20000b40, 5, 4, 4); STORE_BY_BITMASK(uint8_t, , 0x20000b41, 9, 0, 4); STORE_BY_BITMASK(uint8_t, , 0x20000b41, 0, 4, 4); *(uint16_t*)0x20000b42 = 1; *(uint32_t*)0x20000b44 = 0; *(uint8_t*)0x20000b48 = 0x95; *(uint8_t*)0x20000b49 = 0; *(uint16_t*)0x20000b4a = 0; *(uint32_t*)0x20000b4c = 0; *(uint8_t*)0x20000b50 = 0x18; STORE_BY_BITMASK(uint8_t, , 0x20000b51, 1, 0, 4); STORE_BY_BITMASK(uint8_t, , 0x20000b51, 1, 4, 4); *(uint16_t*)0x20000b52 = 0; *(uint32_t*)0x20000b54 = -1; *(uint8_t*)0x20000b58 = 0; *(uint8_t*)0x20000b59 = 0; *(uint16_t*)0x20000b5a = 0; *(uint32_t*)0x20000b5c = 0; STORE_BY_BITMASK(uint8_t, , 0x20000b60, 7, 0, 3); STORE_BY_BITMASK(uint8_t, , 0x20000b60, 0, 3, 1); STORE_BY_BITMASK(uint8_t, , 0x20000b60, 0xb, 4, 4); STORE_BY_BITMASK(uint8_t, , 0x20000b61, 2, 0, 4); STORE_BY_BITMASK(uint8_t, , 0x20000b61, 0, 4, 4); *(uint16_t*)0x20000b62 = 0; *(uint32_t*)0x20000b64 = 0; *(uint8_t*)0x20000b68 = 0x85; *(uint8_t*)0x20000b69 = 0; *(uint16_t*)0x20000b6a = 0; *(uint32_t*)0x20000b6c = 0x86; *(uint8_t*)0x20000b70 = 0x18; STORE_BY_BITMASK(uint8_t, , 0x20000b71, 2, 0, 4); STORE_BY_BITMASK(uint8_t, , 0x20000b71, 1, 4, 4); *(uint16_t*)0x20000b72 = 0; *(uint32_t*)0x20000b74 = -1; *(uint8_t*)0x20000b78 = 0; *(uint8_t*)0x20000b79 = 0; *(uint16_t*)0x20000b7a = 0; *(uint32_t*)0x20000b7c = 0; STORE_BY_BITMASK(uint8_t, , 0x20000b80, 7, 0, 3); STORE_BY_BITMASK(uint8_t, , 0x20000b80, 0, 3, 1); STORE_BY_BITMASK(uint8_t, , 0x20000b80, 0xb, 4, 4); STORE_BY_BITMASK(uint8_t, , 0x20000b81, 3, 0, 4); STORE_BY_BITMASK(uint8_t, , 0x20000b81, 0, 4, 4); *(uint16_t*)0x20000b82 = 0; *(uint32_t*)0x20000b84 = 0; *(uint8_t*)0x20000b88 = 0x85; *(uint8_t*)0x20000b89 = 0; *(uint16_t*)0x20000b8a = 0; *(uint32_t*)0x20000b8c = 0xc; STORE_BY_BITMASK(uint8_t, , 0x20000b90, 7, 0, 3); STORE_BY_BITMASK(uint8_t, , 0x20000b90, 0, 3, 1); STORE_BY_BITMASK(uint8_t, , 0x20000b90, 0xb, 4, 4); STORE_BY_BITMASK(uint8_t, , 0x20000b91, 0, 0, 4); 
STORE_BY_BITMASK(uint8_t, , 0x20000b91, 0, 4, 4); *(uint16_t*)0x20000b92 = 0; *(uint32_t*)0x20000b94 = 0; *(uint8_t*)0x20000b98 = 0x18; STORE_BY_BITMASK(uint8_t, , 0x20000b99, 0, 0, 4); STORE_BY_BITMASK(uint8_t, , 0x20000b99, 0, 4, 4); *(uint16_t*)0x20000b9a = 0; *(uint32_t*)0x20000b9c = 0x800; *(uint8_t*)0x20000ba0 = 0; *(uint8_t*)0x20000ba1 = 0; *(uint16_t*)0x20000ba2 = 0; *(uint32_t*)0x20000ba4 = 6; *(uint8_t*)0x20000ba8 = 0x85; *(uint8_t*)0x20000ba9 = 0; *(uint16_t*)0x20000baa = 0; *(uint32_t*)0x20000bac = 0x88; *(uint8_t*)0x20000bb0 = 0x18; STORE_BY_BITMASK(uint8_t, , 0x20000bb1, 0xb, 0, 4); STORE_BY_BITMASK(uint8_t, , 0x20000bb1, 1, 4, 4); *(uint16_t*)0x20000bb2 = 0; *(uint32_t*)0x20000bb4 = r[3]; *(uint8_t*)0x20000bb8 = 0; *(uint8_t*)0x20000bb9 = 0; *(uint16_t*)0x20000bba = 0; *(uint32_t*)0x20000bbc = 0; *(uint8_t*)0x20000bc0 = 0x18; STORE_BY_BITMASK(uint8_t, , 0x20000bc1, 6, 0, 4); STORE_BY_BITMASK(uint8_t, , 0x20000bc1, 5, 4, 4); *(uint16_t*)0x20000bc2 = 0; *(uint32_t*)0x20000bc4 = 0x10; *(uint8_t*)0x20000bc8 = 0; *(uint8_t*)0x20000bc9 = 0; *(uint16_t*)0x20000bca = 0; *(uint32_t*)0x20000bcc = 0; STORE_BY_BITMASK(uint8_t, , 0x20000bd0, 5, 0, 3); STORE_BY_BITMASK(uint8_t, , 0x20000bd0, 0, 3, 1); STORE_BY_BITMASK(uint8_t, , 0x20000bd0, 0xa, 4, 4); STORE_BY_BITMASK(uint8_t, , 0x20000bd1, 3, 0, 4); STORE_BY_BITMASK(uint8_t, , 0x20000bd1, 2, 4, 4); *(uint16_t*)0x20000bd2 = 0x42; *(uint32_t*)0x20000bd4 = 1; *(uint8_t*)0x20000bd8 = 0x18; STORE_BY_BITMASK(uint8_t, , 0x20000bd9, 8, 0, 4); STORE_BY_BITMASK(uint8_t, , 0x20000bd9, 5, 4, 4); *(uint16_t*)0x20000bda = 0; *(uint32_t*)0x20000bdc = 5; *(uint8_t*)0x20000be0 = 0; *(uint8_t*)0x20000be1 = 0; *(uint16_t*)0x20000be2 = 0; *(uint32_t*)0x20000be4 = 0; *(uint8_t*)0x20000be8 = 0x18; STORE_BY_BITMASK(uint8_t, , 0x20000be9, 0xb, 0, 4); STORE_BY_BITMASK(uint8_t, , 0x20000be9, 2, 4, 4); *(uint16_t*)0x20000bea = 0; *(uint32_t*)0x20000bec = r[3]; *(uint8_t*)0x20000bf0 = 0; *(uint8_t*)0x20000bf1 = 0; *(uint16_t*)0x20000bf2 = 
0; *(uint32_t*)0x20000bf4 = 0x100; STORE_BY_BITMASK(uint8_t, , 0x20000bf8, 3, 0, 3); STORE_BY_BITMASK(uint8_t, , 0x20000bf8, 2, 3, 2); STORE_BY_BITMASK(uint8_t, , 0x20000bf8, 9, 5, 3); STORE_BY_BITMASK(uint8_t, , 0x20000bf9, 4, 0, 4); STORE_BY_BITMASK(uint8_t, , 0x20000bf9, 2, 4, 4); *(uint16_t*)0x20000bfa = 0xfff8; *(uint32_t*)0x20000bfc = 0xffffffef; STORE_BY_BITMASK(uint8_t, , 0x20000c00, 7, 0, 3); STORE_BY_BITMASK(uint8_t, , 0x20000c00, 1, 3, 1); STORE_BY_BITMASK(uint8_t, , 0x20000c00, 0xb, 4, 4); STORE_BY_BITMASK(uint8_t, , 0x20000c01, 1, 0, 4); STORE_BY_BITMASK(uint8_t, , 0x20000c01, 9, 4, 4); *(uint16_t*)0x20000c02 = 0; *(uint32_t*)0x20000c04 = 0; STORE_BY_BITMASK(uint8_t, , 0x20000c08, 7, 0, 3); STORE_BY_BITMASK(uint8_t, , 0x20000c08, 0, 3, 1); STORE_BY_BITMASK(uint8_t, , 0x20000c08, 0xb, 4, 4); STORE_BY_BITMASK(uint8_t, , 0x20000c09, 2, 0, 4); STORE_BY_BITMASK(uint8_t, , 0x20000c09, 0, 4, 4); *(uint16_t*)0x20000c0a = 0; *(uint32_t*)0x20000c0c = 0; *(uint8_t*)0x20000c10 = 0x85; *(uint8_t*)0x20000c11 = 0; *(uint16_t*)0x20000c12 = 0; *(uint32_t*)0x20000c14 = 0; STORE_BY_BITMASK(uint8_t, , 0x20000c18, 7, 0, 3); STORE_BY_BITMASK(uint8_t, , 0x20000c18, 0, 3, 1); STORE_BY_BITMASK(uint8_t, , 0x20000c18, 0xb, 4, 4); STORE_BY_BITMASK(uint8_t, , 0x20000c19, 0, 0, 4); STORE_BY_BITMASK(uint8_t, , 0x20000c19, 0, 4, 4); *(uint16_t*)0x20000c1a = 0; *(uint32_t*)0x20000c1c = 0; *(uint8_t*)0x20000c20 = 0x95; *(uint8_t*)0x20000c21 = 0; *(uint16_t*)0x20000c22 = 0; *(uint32_t*)0x20000c24 = 0; *(uint64_t*)0x20000e10 = 0x200000c0; memcpy((void*)0x200000c0, "syzkaller\000", 10); *(uint32_t*)0x20000e18 = 8; *(uint32_t*)0x20000e1c = 0xdd; *(uint64_t*)0x20000e20 = 0x20000c40; *(uint32_t*)0x20000e28 = 0x40f00; *(uint32_t*)0x20000e2c = 8; memset((void*)0x20000e30, 0, 16); *(uint32_t*)0x20000e40 = 0; *(uint32_t*)0x20000e44 = 0; *(uint32_t*)0x20000e48 = -1; *(uint32_t*)0x20000e4c = 8; *(uint64_t*)0x20000e50 = 0x20000a00; *(uint32_t*)0x20000a00 = 3; *(uint32_t*)0x20000a04 = 5; 
*(uint32_t*)0x20000e58 = 8; *(uint32_t*)0x20000e5c = 0x10; *(uint64_t*)0x20000e60 = 0x20000a40; *(uint32_t*)0x20000a40 = 0; *(uint32_t*)0x20000a44 = 0xd; *(uint32_t*)0x20000a48 = 0x8a7; *(uint32_t*)0x20000a4c = 0x454; *(uint32_t*)0x20000e68 = 0x10; *(uint32_t*)0x20000e6c = 0; *(uint32_t*)0x20000e70 = 0; *(uint32_t*)0x20000e74 = 1; *(uint64_t*)0x20000e78 = 0x20000a80; *(uint32_t*)0x20000a80 = r[1]; *(uint32_t*)0x20000a84 = r[4]; *(uint32_t*)0x20000a88 = r[10]; *(uint32_t*)0x20000a8c = r[1]; *(uint32_t*)0x20000a90 = r[2]; *(uint32_t*)0x20000a94 = r[1]; *(uint32_t*)0x20000a98 = r[11]; *(uint64_t*)0x20000e80 = 0x20000dc0; *(uint32_t*)0x20000dc0 = 4; *(uint32_t*)0x20000dc4 = 3; *(uint32_t*)0x20000dc8 = 3; *(uint32_t*)0x20000dcc = 0xc; *(uint32_t*)0x20000e88 = 0x10; *(uint32_t*)0x20000e8c = 0xfffffffe; syscall(__NR_bpf, /*cmd=*/5ul, /*arg=*/0x20000e00ul, /*size=*/0x90ul); }

/*
 * Entry point of the syzkaller-generated reproducer.
 *
 * Sets up the fixed-address scratch region that the syscall sequence above
 * writes its arguments into (all the raw stores target 0x2000xxxx addresses),
 * then hands control to do_sandbox_none(), which is defined elsewhere in this
 * file (presumably it forks and runs the syscall sequence under the
 * sandbox_common() limits — confirm against its definition).
 *
 * The mmap() results are not checked: if any of the fixed mappings fails, the
 * later raw pointer stores fault instead of reporting an error.  That is the
 * usual shape of a generated reproducer, not a robustness guarantee.
 *
 * Returns 0 unconditionally.
 */
int main(void)
{
    /*
     * Guard page just below the scratch region: prot=0 (PROT_NONE), one page.
     * flags 0x32 is MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS on x86-64 (the
     * __NR_bpf 321 fallback above indicates that target).
     */
    syscall(__NR_mmap, /*addr=*/0x1ffff000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=*/0x32ul, /*fd=*/-1, /*offset=*/0ul);
    /*
     * 16 MiB scratch region at 0x20000000 with prot=7
     * (PROT_READ|PROT_WRITE|PROT_EXEC).  RWX is wider than the program needs
     * (it only reads and writes syscall argument buffers here); the generator
     * maps it this way for uniformity.
     */
    syscall(__NR_mmap, /*addr=*/0x20000000ul, /*len=*/0x1000000ul, /*prot=*/7ul, /*flags=*/0x32ul, /*fd=*/-1, /*offset=*/0ul);
    /*
     * Guard page immediately past the end of the scratch region
     * (0x20000000 + 0x1000000 == 0x21000000), again PROT_NONE, so an
     * out-of-range store into the argument area faults rather than
     * silently corrupting neighbouring memory.
     */
    syscall(__NR_mmap, /*addr=*/0x21000000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=*/0x32ul, /*fd=*/-1, /*offset=*/0ul);
    /* Run the reproducer body; see the definition earlier in this file. */
    do_sandbox_none();
    return 0;
}