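// https://syzkaller.appspot.com/bug?id=5101796504d79279e2e581005061b0976559feb0
// autogenerated by syzkaller (https://github.com/google/syzkaller)
//
// Kernel crash reproducer driven entirely through the bpf(2) syscall:
//   1. BPF_PROG_LOAD of a 14-instruction program (prog_type 4) whose only
//      helper call is helper #50 with a 192-byte length delta, then
//   2. BPF_PROG_TEST_RUN of that program 0x8001 times on a 14-byte Ethernet
//      header (ethertype 0x86dd, no payload) with test-run flags = 4.
// The pair is re-run in a fresh forked child forever; each child is killed
// after 5 s. This is a DoS-class crash reproducer, not an exploit: run it
// only on a disposable test kernel. Loading the program presumably needs
// CAP_BPF/CAP_SYS_ADMIN (or unprivileged BPF enabled) -- confirm on target.
//
// Reviewer changes relative to the generated original: the header names,
// lost in extraction, are restored from the identifiers the code uses; the
// scratch region is mapped RW instead of RWX (nothing is ever executed from
// it); mmap failures abort instead of faulting on the first store; the final
// reap loop no longer spins forever on ECHILD. Every bpf(2) argument --
// including the unusual attr sizes -- is kept byte-for-byte.
#define _GNU_SOURCE
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

#ifndef __NR_bpf
#define __NR_bpf 321 /* x86_64 value; other arches get it from the headers */
#endif

/* Fixed scratch region that holds every syscall argument. The addresses
 * below are baked into the reproducer (syzkaller convention), so the mapping
 * must land exactly here; both neighbours are PROT_NONE guard pages. */
#define SCRATCH_BASE 0x200000000000ul
#define SCRATCH_SIZE 0x1000000ul
#define GUARD_LO (SCRATCH_BASE - 0x1000ul)
#define GUARD_HI (SCRATCH_BASE + SCRATCH_SIZE)

/* Sleep for ms milliseconds (only ever called with small values). */
static void sleep_ms(uint64_t ms)
{
	usleep(ms * 1000);
}

/* Monotonic clock in milliseconds; exits if the clock is unavailable. */
static uint64_t current_time_ms(void)
{
	struct timespec ts;
	if (clock_gettime(CLOCK_MONOTONIC, &ts))
		exit(1);
	return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}

/* printf-style write of a short string into an existing file (procfs/sysfs
 * knobs). Returns false, with errno set, if the file cannot be opened or the
 * write is short. The formatted text is truncated at 1023 bytes. */
__attribute__((format(printf, 2, 3)))
static bool write_file(const char* file, const char* what, ...)
{
	char buf[1024];
	va_list args;
	va_start(args, what);
	vsnprintf(buf, sizeof(buf), what, args);
	va_end(args);
	buf[sizeof(buf) - 1] = 0;
	size_t len = strlen(buf);
	int fd = open(file, O_WRONLY | O_CLOEXEC);
	if (fd == -1)
		return false;
	if (write(fd, buf, len) != (ssize_t)len) {
		int err = errno;
		close(fd);
		errno = err; /* do not let close() clobber the write error */
		return false;
	}
	close(fd);
	return true;
}

/* Kill the test child together with its process group and reap it. If it
 * has not died within ~100 ms it may be blocked in a FUSE request, so every
 * FUSE connection is aborted through sysfs before waiting again. */
static void kill_and_wait(int pid, int* status)
{
	kill(-pid, SIGKILL);
	kill(pid, SIGKILL);
	for (int i = 0; i < 100; i++) {
		if (waitpid(-1, status, WNOHANG | __WALL) == pid)
			return;
		usleep(1000);
	}
	DIR* dir = opendir("/sys/fs/fuse/connections");
	if (dir) {
		struct dirent* ent;
		while ((ent = readdir(dir)) != NULL) {
			if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
				continue;
			char abort[300];
			snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort",
			         ent->d_name);
			int fd = open(abort, O_WRONLY);
			if (fd == -1)
				continue;
			/* One byte is written; the generated code uses the path buffer
			 * itself as the source (presumably the content is irrelevant to
			 * the abort trigger). Best effort: failures are ignored. */
			if (write(fd, abort, 1) < 0) {
			}
			close(fd);
		}
		closedir(dir);
	}
	for (;;) {
		int reaped = waitpid(-1, status, __WALL);
		if (reaped == pid)
			return;
		/* ECHILD means there is nothing left to reap; the original spun
		 * here forever. Any other error (EINTR) is retried. */
		if (reaped == -1 && errno != EINTR)
			return;
	}
}

/* Child-side setup: die with the parent, own a process group (so
 * kill(-pid) reaches grandchildren) and be the OOM killer's first pick. */
static void setup_test(void)
{
	prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
	setpgrp();
	write_file("/proc/self/oom_score_adj", "1000");
}

static void execute_one(void);

/* Fork-and-run forever: each iteration runs execute_one() in a fresh child
 * and gives it 5 s before killing it. Never returns. */
static void loop(void)
{
	for (;;) {
		int pid = fork();
		if (pid < 0)
			exit(1);
		if (pid == 0) {
			setup_test();
			execute_one();
			exit(0);
		}
		int status = 0;
		uint64_t start = current_time_ms();
		for (;;) {
			sleep_ms(10);
			if (waitpid(-1, &status, WNOHANG | __WALL) == pid)
				break;
			if (current_time_ms() - start < 5000)
				continue;
			kill_and_wait(pid, &status);
			break;
		}
	}
}

/* r[0]: fd returned by BPF_PROG_LOAD, or all-ones if the load failed.
 * Global so the second syscall can consume it (syzkaller resource slot). */
uint64_t r[1] = {0xffffffffffffffff};

/* Typed stores into the fixed scratch region. */
static void put32(uintptr_t addr, uint32_t v)
{
	*(uint32_t*)addr = v;
}

static void put64(uintptr_t addr, uint64_t v)
{
	*(uint64_t*)addr = v;
}

/* One iteration of the reproducer: load the BPF program, then test-run it.
 * Both bpf(2) calls use exactly the arguments syzkaller recorded and their
 * results are not checked, matching the fuzzer: a failed load leaves r[0]
 * as all-ones and the test run then simply fails on the bad fd. */
static void execute_one(void)
{
	intptr_t res = 0;
	if (write(1, "executing program\n", sizeof("executing program\n") - 1) < 0) {
		/* progress marker only; ignore failures */
	}

	/* --- bpf(cmd=5 BPF_PROG_LOAD, attr @0x200000000200, size=0x25) ---
	 * Field names follow the syzkaller description; offsets are relative to
	 * the attr base:
	 *   +0x00 type               = 4  (BPF_PROG_TYPE_SCHED_ACT in current
	 *                                  uapi headers -- confirm on target)
	 *   +0x04 ninsn              = 0xe
	 *   +0x08 insns              -> 0x2000000015c0 (1258-byte blob below)
	 *   +0x10 license            -> "GPL"
	 *   +0x18 loglev             = 0
	 *   +0x1c logsize            = 0
	 *   +0x20 log                = NULL
	 *   +0x28 kern_version       = 0x41000
	 *   +0x2c flags              = 0
	 *   +0x30 prog_name          = 16 zero bytes
	 *   +0x40 prog_ifindex       = 0
	 *   +0x44 expected_attach_type = 0
	 *   +0x48 btf_fd             = -1 (no BTF)
	 *   +0x4c func_info_rec_size = 8
	 *   +0x50 func_info          -> {insn_off=4, type_id=0} @0x200000000000
	 *   +0x58 func_info_cnt      = 8
	 *   +0x5c line_info_rec_size = 0x10
	 *   +0x60 line_info          -> 16 zero bytes @0x200000000100
	 *   +0x68 line_info_cnt      = 0x10
	 *   +0x6c attach_btf_id      = 0
	 *   +0x70 attach_prog_fd     = -1
	 *   +0x74 core_relo_cnt      = 0
	 *   +0x78 fd_array           = NULL
	 *   +0x80 core_relos         = NULL
	 *   +0x88 core_relo_rec_size = 0x10
	 *   +0x8c log_true_size      = 0
	 *   +0x90 prog_token_fd/pad  = 0
	 * NOTE(review): size=0x25 (37 bytes) is what syzkaller passed and is kept
	 * verbatim because it is part of the reproducer. Presumably only those
	 * 37 bytes (type .. the start of log) reach the kernel and the fields
	 * after them are treated as zero -- confirm in kernel/bpf/syscall.c
	 * before attributing any effect to btf_fd/func_info/line_info.
	 *
	 * insns: ninsn=0xe, so only the first 112 bytes of the 1258-byte blob
	 * are instructions; the rest is fuzzer filler kept for fidelity.
	 * Decoded (eBPF):
	 *    0: r2 = 0xc0                     (192-byte length delta)
	 *    1: r3 = r10
	 *    2: r3 += -512
	 *    3: *(u64*)(r10 - 16) = 0x23
	 *    4: r4 = *(u64*)(r10 - 16)        (r4 = 0x23)
	 *    5: r6 = -1
	 *    6: if r4 > r6 goto 12            (unsigned compare; not taken)
	 *    7: if r4 s> 0x01010001 goto 12   (not taken)
	 *    8: w4 -= 0x11                    (r4 = 0x12)
	 *    9: r3 = 0
	 *   10: *(u16*)(r10 - 512) = 0
	 *   11: call 50                       (bpf_skb_adjust_room in current
	 *                                     uapi: skb=r1, len_diff=192, mode=0,
	 *                                     flags=0x12 -- confirm on target)
	 *   12: r0 = 1
	 *   13: exit
	 */
	const uintptr_t attr = 0x200000000200;
	put32(attr + 0x00, 4);                 /* type */
	put32(attr + 0x04, 0xe);               /* ninsn */
	put64(attr + 0x08, 0x2000000015c0);    /* insns */
	memcpy(
	    (void*)0x2000000015c0,
	    "\xb7\x02\x00\x00\xc0\x00\x00\x00\xbf\xa3\x00\x00\x00\x00\x00\x00\x07\x03"
	    "\x00\x00\x00\xfe\xff\xff\x7a\x0a\xf0\xff\x23\x00\x00\x00\x79\xa4\xf0\xff"
	    "\x00\x00\x00\x00\xb7\x06\x00\x00\xff\xff\xff\xff\x2d\x64\x05\x00\x00\x00"
	    "\x00\x00\x65\x04\x04\x00\x01\x00\x01\x01\x14\x04\x00\x00\x11\x00\x00\x00"
	    "\xb7\x03\x00\x00\x00\x00\x00\x00\x6a\x0a\x00\xfe\x00\x00\x00\x00\x85\x00"
	    "\x00\x00\x32\x00\x00\x00\xb7\x00\x00\x00\x01\x00\x00\x00\x95\x00\x00\x00"
	    "\x00\x00\x00\x00\x75\xcd\xc4\xb5\x7b\x0c\x65\x75\x2a\x3a\xd5\x00\x00\x00"
	    "\x7d\xdd\x00\x00\xcb\x45\x00\x63\xde\xdb\xa7\x67\xad\xe5\x1f\x7f\x1f\x66"
	    "\xac\xd1\x91\x00\x00\x20\x00\x00\x00\x00\x00\x00\x00\xff\x7f\x00\x00\xb5"
	    "\x2f\x17\xce\xe1\x9d\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\xcb\x04"
	    "\xfc\xbb\x4e\x4d\x0b\x9b\xaf\xe3\xba\x43\x13\x51\xa5\x8a\x88\x5b\xa9\x91"
	    "\x8d\x37\xb0\x56\xb9\xbb\xd1\x1b\x6b\x9f\x6c\xf7\xdb\x6d\x57\x46\x20\x26"
	    "\x00\x00\x00\x00\x00\x00\x80\x62\xd7\x7e\x85\xce\xf4\xa2\xab\x93\x8f\x65"
	    "\xaa\xc3\x3c\x4d\x62\x0d\xe2\xc9\xb7\xdc\x10\xd7\xd3\x13\xf9\xf5\x76\x06"
	    "\xb8\x3b\x99\x4f\xc4\x05\x1a\xde\x12\xf4\x1d\xef\xf6\xdf\x6a\x93\x6b\x4e"
	    "\xc3\x82\x7c\x73\x9b\xb3\x9a\xad\x16\xcc\x75\xfe\x36\x92\x58\x67\x3b\x5d"
	    "\xf1\x1c\xc2\xaf\xb5\x36\x11\xcc\x32\xa7\x90\xbc\x0b\x80\xe8\x0e\xae\x8f"
	    "\x5e\x64\xbe\x2c\x9d\x2d\x29\xdb\x3d\x36\xdd\x0c\xf8\xf7\x9a\x01\x5c\x7b"
	    "\xd3\xf1\x5a\xa6\xaa\xdb\xea\xb2\xa0\x16\x85\x10\x8e\x61\xaa\x00\x00\x00"
	    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xc6\x7c\x6c\x6a\x06\xe8\x28\xe5"
	    "\x21\x6f\x60\x1b\x19\xdb\x1a\xf1\xb5\xd3\x56\xd0\xf0\x62\x13\x7d\x86\x6d"
	    "\x11\xbe\x4b\xa3\xf0\x15\x1f\xdb\xbd\x4e\x97\xd6\x2e\xcc\x64\x5e\x14\x3a"
	    "\x60\xf1\x08\x00\x00\x00\x00\x00\x00\x00\x82\x61\x51\xe3\xb4\x2b\xca\xe9"
	    "\x52\x39\xef\x5c\xa2\xa7\x30\xa0\x0c\x87\xc4\x93\xdb\x03\x00\xe6\x3f\xda"
	    "\x97\xa2\x96\x82\x00\x00\x00\x00\x01\x00\x00\x00\xee\xcc\x95\x2a\x3f\xd2"
	    "\xc4\x6f\x3c\x1c\xde\x71\xa1\x9d\x1a\x29\x82\x49\x2a\x21\x0e\x00\xd2\xbf"
	    "\xea\x3b\x8d\x18\x8d\xf2\xef\xf8\xd5\x6a\xaa\xe7\xd3\x2a\x2e\x18\x00\x22"
	    "\x53\x73\x95\x01\x9f\x02\xec\x4b\x85\xf6\xaa\xd7\xfa\xca\x08\x8d\xe9\xb2"
	    "\x67\x97\xa8\x44\x6b\x16\xc2\x8d\x85\xf2\x25\x99\x2d\xbd\xd5\xbb\x01\xba"
	    "\x51\x50\x89\x51\xc7\xa7\xd6\xca\x09\x16\xc3\xa1\x29\x12\x71\x56\x49\xc2"
	    "\xb1\xc7\x19\x2a\x42\x51\xb5\x9d\x37\x8d\x3f\x00\x00\x00\x00\x00\x00\x00"
	    "\x66\x5c\x8b\x7e\x89\xed\xdf\xc3\x78\x3f\x6c\x91\x29\xa7\xc5\xf8\xee\x5f"
	    "\x50\x57\x9e\x2f\x63\x8f\x7e\xb1\x2f\x63\xbe\x72\xa3\xd8\x1a\xb3\x24\xd6"
	    "\xe4\x17\xb1\xc2\xcb\xfd\xca\xda\x0a\x16\xe3\x17\x90\xe2\x6c\xf1\x95\x88"
	    "\xa7\xe0\x49\x6e\xe2\x78\x22\x24\xcf\x30\xf8\x10\xda\x86\xcf\x1a\x32\x04"
	    "\xf4\xc9\x40\x4f\x5d\x73\x21\xa4\xfe\xfc\x4d\x1c\x91\x39\xca\x4b\x65\xb9"
	    "\x99\x09\x95\x00\x00\x00\x6b\x42\x07\x7c\xa6\x0f\xde\xcb\x27\x17\xe2\x1f"
	    "\x8f\x18\x7b\x18\x66\x10\x8b\x6e\x8c\x71\xe2\x60\x32\x17\x60\x66\x37\xec"
	    "\xe1\xfa\x89\x91\x7e\x13\x1f\x40\x34\xa8\x38\x3e\x99\xc3\x56\x8f\xd0\x42"
	    "\x01\xb3\x7c\xd9\x2c\xa6\xeb\xf9\x4a\x2d\x83\x10\xf7\x03\x27\x75\xcf\xd7"
	    "\x56\x52\xf8\x7b\x03\x9d\x54\x30\xb3\xc6\x64\x3e\x91\x46\xd2\x47\x8c\xe3"
	    "\x13\x44\xb5\x54\xac\xa7\x67\x00\x00\x00\x00\x00\x00\x00\x10\xc6\x56\x08"
	    "\xfd\xa6\xed\x5d\x08\xe7\xa7\x96\x04\x2a\xa1\x27\xd8\x74\x10\x57\x87\xd0"
	    "\x34\x7a\xa3\x78\x01\xfa\xff\x5b\x90\x50\x80\x3a\x19\xff\x62\x05\xaa\x5c"
	    "\x26\x3e\x40\x7a\x2f\x7d\xe5\x6f\x7a\x00\x00\xe0\x94\xfa\x4e\x3f\x05\x52"
	    "\x8c\xaa\xb5\xa4\x30\xc0\x8d\xd8\x10\xbc\x97\x20\x4b\x76\x7d\xd9\x69\x72"
	    "\x1a\x26\xaa\x74\x00\x00\x00\x00\x00\xbc\x43\x3f\xe2\xd0\xa6\xef\x2a\x8a"
	    "\x91\xcd\x3c\xb3\x05\xaa\x80\xda\xde\xf8\xb0\xca\xca\x78\x00\x00\x00\x00"
	    "\x00\x00\x00\x00\x86\x3e\x21\xdb\x41\x5a\x22\x2b\xb1\xa7\xab\x94\xbf\xe4"
	    "\xa7\x41\x57\xd7\x94\xf9\xd0\x43\x0c\x2c\x0e\xb5\x63\x35\x05\x59\x82\x98"
	    "\x65\xa3\xdd\x08\xfb\x31\xbd\x08\x01\xe0\x9a\xa3\xee\x45\xe6\x1a\x56\xfc"
	    "\x83\x07\x64\x51\xcf\xf7\x63\x2e\x49\xa4\x1e\xad\xb5\x04\x4a\x0d\x5f\x73"
	    "\xd6\x93\x21\x61\xae\x5e\x9c\xe2\x18\xa3\x5c\xd8\xe7\xb7\x47\x88\x7b\x1a"
	    "\x74\x79\x89\x82\xd0\xb4\x92\xc3\xf0\xff\x53\x18\x9d\x80\x73\x3e\xb0\x4f"
	    "\x81\x24\x87\x7b\x64\x8f\xf4\x38\xf7\xd6\x6c\x7e\xfc\xc0\x9a\x8f\x33\x30"
	    "\xb6\xc2\x2d\x14\xe8\x0d\xb8\xe5\x60\x8b\xde\xab\x93\x88\xb7\x58\xa1\x5f"
	    "\x4c\xe7\x03\x90\xc2\x14\xbc\x68\x38\x79\x8f\x5b\x9b\x0b\x50\x0d\x4e\x8b"
	    "\x51\x74\xf3\x29\xb8\x50\x1c\x6f\xeb\x7a\x69\x82\xbc\xea\x74\xa0\xf2\xce"
	    "\xd7\xfa\x20\x59\x23\x4a\x8d\x10\xb7\xf0\x59\x71\x51\xd5\xc9\x06\x7d\x57"
	    "\xd8\x5f\x4a\xe9\x33\xea\xf5\x17\x4b\xa1\x22\xf3\xf7\x02\xef\x86\x95\x57"
	    "\x8d\x3c\x08\x56\x2c\x9f\xc1\x85\xf0\xf6\x5d\x11\xb4\xc5\x8a\xe5\x25\x00"
	    "\xcb\xe9\x9c\xde\x37\x58\xa5\xcb\xe6\x09\x3d\xd3\x28\xac\x82\x0e\x2d\xe3"
	    "\x09\xd2\x5a\x32\x46\x47\xaa\xdf\xfc\xec\xf0\xf3\xbb\xae\xda\x7a\xf4\x43"
	    "\x6d\x9f\xfb\xce\x1b\x24\x0a\x2f\x5e\x34\x6e\xba\x88\x12\xe6\x32\x9e\x01"
	    "\xb0\x87\xbd\xe7\xda\x4a\x64\x48\xf4\x78\x10\x2e\x90\xc8\x13\x4f\x53\x1d"
	    "\xe0\x8d\x4c\xf4\xf6\xf3\x5b\x15\xa2\x02\x54\x4c\x0c\xed\x0c\x17\x15\xfd"
	    "\x3a\x90\x09\x9f\x78\x5a\x13\xa2\x41\x2b\xed\xba\x29\x81\xdd\x22\xbd\x9d"
	    "\x73\x6c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
	    "\xeb\x6f\xec\x8d\x7d\x2f\x77\xf4\xd4\x70\xa9\xca\xa5\xb1\xbf\xc0\x0c\xd1"
	    "\xd4\x08\x30\xac\x35\xf2\x29\xf8\xff\xe1\xc0\x2a\x63\xd3\xc2\xd9",
	    1258);
	put64(attr + 0x10, 0x200000000340);    /* license */
	memcpy((void*)0x200000000340, "GPL\000", 4);
	put32(attr + 0x18, 0);                 /* loglev */
	put32(attr + 0x1c, 0);                 /* logsize */
	put64(attr + 0x20, 0);                 /* log */
	put32(attr + 0x28, 0x41000);           /* kern_version */
	put32(attr + 0x2c, 0);                 /* flags */
	memset((void*)(attr + 0x30), 0, 16);   /* prog_name */
	put32(attr + 0x40, 0);                 /* prog_ifindex */
	put32(attr + 0x44, 0);                 /* expected_attach_type */
	put32(attr + 0x48, 0xffffffffu);       /* btf_fd = -1 */
	put32(attr + 0x4c, 8);                 /* func_info_rec_size */
	put64(attr + 0x50, 0x200000000000);    /* func_info */
	put32(0x200000000000, 4);              /*   insn_off */
	put32(0x200000000004, 0);              /*   type_id */
	put32(attr + 0x58, 8);                 /* func_info_cnt */
	put32(attr + 0x5c, 0x10);              /* line_info_rec_size */
	put64(attr + 0x60, 0x200000000100);    /* line_info */
	put32(0x200000000100, 0);              /*   insn_off */
	put32(0x200000000104, 0);              /*   file_name_off */
	put32(0x200000000108, 0);              /*   line_off */
	put32(0x20000000010c, 0);              /*   line_col */
	put32(attr + 0x68, 0x10);              /* line_info_cnt */
	put32(attr + 0x6c, 0);                 /* attach_btf_id */
	put32(attr + 0x70, 0xffffffffu);       /* attach_prog_fd = -1 */
	put32(attr + 0x74, 0);                 /* core_relo_cnt */
	put64(attr + 0x78, 0);                 /* fd_array */
	put64(attr + 0x80, 0);                 /* core_relos */
	put32(attr + 0x88, 0x10);              /* core_relo_rec_size */
	put32(attr + 0x8c, 0);                 /* log_true_size */
	put32(attr + 0x90, 0);                 /* prog_token_fd / pad */
	res = syscall(__NR_bpf, /*cmd=*/5ul, /*arg=*/attr, /*size=*/0x25ul);
	if (res != -1)
		r[0] = res;

	/* --- bpf(cmd=0xa BPF_PROG_TEST_RUN, attr @0x200000000080, size=0x50) ---
	 *   +0x00 prog          = r[0] (fd from the load above)
	 *   +0x04 retval        = 0x702   (an output field; the value written
	 *                                  is presumably irrelevant)
	 *   +0x08 insizedata    = 14
	 *   +0x0c outsizedata   = 0
	 *   +0x10 indata        -> 14-byte Ethernet header: dst e4:60:33:44:70:b8,
	 *                          src d4:80:eb:20:c1:52, ethertype 0x86dd (IPv6),
	 *                          no payload
	 *   +0x18 outdata       = NULL
	 *   +0x20 repeat        = 0x8001 (32769 runs)
	 *   +0x24 dur           = 0
	 *   +0x28 insizectx     = 0
	 *   +0x2c outsizectx    = 0
	 *   +0x30 inctx         = NULL
	 *   +0x38 outctx        = NULL
	 *   +0x40 flags         = 4      (BPF_F_TEST_SKB_CHECKSUM_COMPLETE in
	 *                                 current uapi -- confirm on target)
	 *   +0x44 cpu           = 0
	 *   +0x48 batch_size    = 0
	 * Bytes +0x4c..+0x4f are never written and stay zero from the fresh
	 * anonymous mapping, as in the generated original. */
	const uintptr_t targ = 0x200000000080;
	put32(targ + 0x00, (uint32_t)r[0]);    /* prog */
	put32(targ + 0x04, 0x702);             /* retval */
	put32(targ + 0x08, 0xe);               /* insizedata */
	put32(targ + 0x0c, 0);                 /* outsizedata */
	put64(targ + 0x10, 0x200000000540);    /* indata */
	memcpy((void*)0x200000000540,
	       "\xe4\x60\x33\x44\x70\xb8\xd4\x80\xeb\x20\xc1\x52\x86\xdd", 14);
	put64(targ + 0x18, 0);                 /* outdata */
	put32(targ + 0x20, 0x8001);            /* repeat */
	put32(targ + 0x24, 0);                 /* dur */
	put32(targ + 0x28, 0);                 /* insizectx */
	put32(targ + 0x2c, 0);                 /* outsizectx */
	put64(targ + 0x30, 0);                 /* inctx */
	put64(targ + 0x38, 0);                 /* outctx */
	put32(targ + 0x40, 4);                 /* flags */
	put32(targ + 0x44, 0);                 /* cpu */
	put32(targ + 0x48, 0);                 /* batch_size */
	syscall(__NR_bpf, /*cmd=*/0xaul, /*arg=*/targ, /*size=*/0x50ul);
}

/* Map len bytes of anonymous private memory at exactly addr, or exit.
 * Without MAP_FIXED the fixed addresses used by execute_one() would be
 * wild pointers; without the check a failed mmap turns into a SIGSEGV on
 * the first store, which is easy to mistake for the kernel bug. */
static void map_fixed_or_die(unsigned long addr, unsigned long len, int prot)
{
	void* p = mmap((void*)addr, len, prot, MAP_FIXED | MAP_ANONYMOUS | MAP_PRIVATE,
	               -1, 0);
	if (p == MAP_FAILED) {
		perror("mmap");
		exit(1);
	}
}

/* Set up the scratch region (guard page | 16 MiB RW | guard page) and run
 * the reproducer loop forever. */
int main(void)
{
	map_fixed_or_die(GUARD_LO, 0x1000ul, PROT_NONE);
	/* The generated original mapped this RWX (prot=7). Nothing is ever
	 * executed from the region -- it only holds syscall argument data -- so
	 * PROT_EXEC is dropped; this does not change what the kernel bug sees. */
	map_fixed_or_die(SCRATCH_BASE, SCRATCH_SIZE, PROT_READ | PROT_WRITE);
	map_fixed_or_die(GUARD_HI, 0x1000ul, PROT_NONE);
	loop();
	return 0;
}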