// https://syzkaller.appspot.com/bug?id=4710f9eae49ac419af7ea729c9ce8fbabdb7f970
// autogenerated by syzkaller (http://github.com/google/syzkaller)
//
// Shape of this reproducer: a pool of worker threads runs the numbered
// syscalls in execute_call(); execute() hands each call to an idle worker and
// waits only a short, bounded time for it, so a call that blocks inside the
// kernel does not stall the remaining calls (they run concurrently with it).
// All syscall arguments live in one fixed region mapped by main().

#define _GNU_SOURCE
/* NOTE(review): the header names after these #include directives were lost
 * in extraction (probably stripped as angle-bracket markup), so the file does
 * not compile as shown. The code below relies on pthreads, the futex
 * constants, syscall(), memcpy(), usleep() and the <stdint.h> fixed-width
 * types; restore the original syzkaller include list before building. */
#include
#include
#include
#include
#include
#include
#include
#include

/* Per-worker state. `running` is also the futex word: 1 while a call is in
 * flight on this worker, 0 when idle. `call` is the case index passed to
 * execute_call(). `created` marks lazy thread creation in execute(). */
struct thread_t {
  int created, running, call;
  pthread_t th;
};

static struct thread_t threads[16];
static void execute_call(int call);
/* Number of calls currently in flight across all workers. */
static int running;

/* Worker thread body: block on the per-worker futex until execute() sets
 * th->running to 1, run the requested call, then drop the global in-flight
 * count, clear the flag and wake execute(). The loop never exits; the final
 * return only satisfies the non-void signature. */
static void* thr(void* arg)
{
  struct thread_t* th = (struct thread_t*)arg;
  for (;;) {
    while (!__atomic_load_n(&th->running, __ATOMIC_ACQUIRE))
      syscall(SYS_futex, &th->running, FUTEX_WAIT, 0, 0);
    execute_call(th->call);
    __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED);
    __atomic_store_n(&th->running, 0, __ATOMIC_RELEASE);
    syscall(SYS_futex, &th->running, FUTEX_WAKE);
  }
  return 0;
}

/* Dispatch calls 0..num_calls-1, in order, to the worker pool.
 *
 * For each call the first worker whose `running` flag is 0 is chosen; it is
 * created on first use with a 128 KiB stack. The call index is published,
 * the worker is woken, and execute() waits at most 20 ms on the worker's
 * futex for it to finish. If any call is still in flight after that, the
 * dispatcher sleeps briefly (10 ms after the last call, 1 ms otherwise) and
 * then moves on. Consequences worth knowing when triaging:
 *   - a call that blocks in the kernel keeps its worker busy, so later calls
 *     go to other workers and overlap with it;
 *   - if all 16 workers are busy the call is skipped without notice;
 *   - pthread_* and futex return values are not checked.
 */
static void execute(int num_calls)
{
  int call, thread;
  running = 0;
  for (call = 0; call < num_calls; call++) {
    for (thread = 0; thread < sizeof(threads) / sizeof(threads[0]); thread++) {
      struct thread_t* th = &threads[thread];
      if (!th->created) {
        th->created = 1;
        pthread_attr_t attr;
        pthread_attr_init(&attr);
        pthread_attr_setstacksize(&attr, 128 << 10);
        pthread_create(&th->th, &attr, thr, th);
      }
      if (!__atomic_load_n(&th->running, __ATOMIC_ACQUIRE)) {
        th->call = call;
        __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED);
        __atomic_store_n(&th->running, 1, __ATOMIC_RELEASE);
        syscall(SYS_futex, &th->running, FUTEX_WAKE);
        /* Bounded wait: FUTEX_WAIT returns early once the worker stores 0. */
        struct timespec ts;
        ts.tv_sec = 0;
        ts.tv_nsec = 20 * 1000 * 1000;
        syscall(SYS_futex, &th->running, FUTEX_WAIT, 1, &ts);
        if (running)
          usleep((call == num_calls - 1) ? 10000 : 1000);
        break;
      }
    }
  }
}

/* Results of earlier calls reused as arguments by later ones (here: two
 * socket fds). Initialised to all-ones (-1) so that a failed socket() leaves
 * an invalid fd for the calls that consume it. */
uint64_t r[2] = {0xffffffffffffffff, 0xffffffffffffffff};

/* Run one numbered syscall. Every pointer argument is an absolute address in
 * the 16 MiB region that main() maps at 0x20000000; the raw stores below
 * build the argument structures in place before each syscall.
 *
 * Call sequence as generated:
 *   0: socket(0x10, 2, 6)   -> r[0]  (AF_NETLINK, SOCK_DGRAM, protocol 6)
 *   1: socket(0xa, 3, 0x3c) -> r[1]  (AF_INET6, SOCK_RAW, protocol 60)
 *   2: recvmmsg(r[0], 10 x mmsghdr, flags 0x40000000, timeout {2e9 s, 0})
 *   3: setsockopt(r[1], level 0x29, optname 0x22, optval, optlen 0x2e)
 *   4: sendmsg(r[0], one 16-byte iovec, flags 0)
 * Under execute()'s 20 ms wait, call 2 may still be pending inside the
 * kernel when calls 3 and 4 are issued from other workers. */
void execute_call(int call)
{
  long res;
  switch (call) {
  case 0:
    res = syscall(__NR_socket, 0x10, 2, 6);
    if (res != -1)
      r[0] = res;
    break;
  case 1:
    res = syscall(__NR_socket, 0xa, 3, 0x3c);
    if (res != -1)
      r[1] = res;
    break;
  case 2:
    /* Ten 64-byte mmsghdr entries starting at 0x20005040. Per entry the
     * stores are, in order: msg_name, msg_namelen, msg_iov, msg_iovlen,
     * msg_control, msg_controllen, msg_flags, msg_len; each iovec array is
     * filled as {iov_base, iov_len} pairs right after its msg_iov pointer. */
    *(uint64_t*)0x20005040 = 0x20000000;
    *(uint32_t*)0x20005048 = 0x80;
    *(uint64_t*)0x20005050 = 0x200000c0;
    *(uint64_t*)0x200000c0 = 0x20000080;
    *(uint64_t*)0x200000c8 = 0x39;
    *(uint64_t*)0x200000d0 = 0x20000140;
    *(uint64_t*)0x200000d8 = 0x46;
    *(uint64_t*)0x200000e0 = 0x200001c0;
    *(uint64_t*)0x200000e8 = 0x1000;
    *(uint64_t*)0x20005058 = 3;
    *(uint64_t*)0x20005060 = 0;
    *(uint64_t*)0x20005068 = 0;
    *(uint32_t*)0x20005070 = 0x57d;
    *(uint32_t*)0x20005078 = 0xd7e;
    *(uint64_t*)0x20005080 = 0;
    *(uint32_t*)0x20005088 = 0;
    *(uint64_t*)0x20005090 = 0x20001280;
    *(uint64_t*)0x20001280 = 0x200011c0;
    *(uint64_t*)0x20001288 = 0xb6;
    *(uint64_t*)0x20005098 = 1;
    *(uint64_t*)0x200050a0 = 0x200012c0;
    *(uint64_t*)0x200050a8 = 0x94;
    *(uint32_t*)0x200050b0 = 3;
    *(uint32_t*)0x200050b8 = 7;
    *(uint64_t*)0x200050c0 = 0x20001380;
    *(uint32_t*)0x200050c8 = 0x80;
    *(uint64_t*)0x200050d0 = 0x20001640;
    *(uint64_t*)0x20001640 = 0x20001400;
    *(uint64_t*)0x20001648 = 0xdf;
    *(uint64_t*)0x20001650 = 0x20001500;
    *(uint64_t*)0x20001658 = 0x97;
    *(uint64_t*)0x20001660 = 0x200015c0;
    *(uint64_t*)0x20001668 = 0x56;
    *(uint64_t*)0x200050d8 = 3;
    *(uint64_t*)0x200050e0 = 0x20001680;
    *(uint64_t*)0x200050e8 = 0x7c;
    *(uint32_t*)0x200050f0 = 0x3ff;
    *(uint32_t*)0x200050f8 = 4;
    *(uint64_t*)0x20005100 = 0x20001700;
    *(uint32_t*)0x20005108 = 0x80;
    *(uint64_t*)0x20005110 = 0x200019c0;
    *(uint64_t*)0x200019c0 = 0x20001780;
    *(uint64_t*)0x200019c8 = 0x32;
    *(uint64_t*)0x200019d0 = 0x200017c0;
    *(uint64_t*)0x200019d8 = 0x4c;
    *(uint64_t*)0x200019e0 = 0x20001840;
    *(uint64_t*)0x200019e8 = 0xd1;
    *(uint64_t*)0x200019f0 = 0x20001940;
    *(uint64_t*)0x200019f8 = 0x60;
    *(uint64_t*)0x20005118 = 4;
    *(uint64_t*)0x20005120 = 0x20001a00;
    *(uint64_t*)0x20005128 = 0x93;
    *(uint32_t*)0x20005130 = 2;
    *(uint32_t*)0x20005138 = 0x81;
    *(uint64_t*)0x20005140 = 0;
    *(uint32_t*)0x20005148 = 0;
    *(uint64_t*)0x20005150 = 0x20001b80;
    *(uint64_t*)0x20001b80 = 0x20001ac0;
    *(uint64_t*)0x20001b88 = 0xa8;
    *(uint64_t*)0x20005158 = 1;
    *(uint64_t*)0x20005160 = 0;
    *(uint64_t*)0x20005168 = 0;
    *(uint32_t*)0x20005170 = 0xb8f8;
    *(uint32_t*)0x20005178 = 9;
    *(uint64_t*)0x20005180 = 0;
    *(uint32_t*)0x20005188 = 0;
    *(uint64_t*)0x20005190 = 0x20001fc0;
    *(uint64_t*)0x20001fc0 = 0x20001bc0;
    *(uint64_t*)0x20001fc8 = 0xeb;
    *(uint64_t*)0x20001fd0 = 0x20001cc0;
    *(uint64_t*)0x20001fd8 = 0xc3;
    *(uint64_t*)0x20001fe0 = 0x20001dc0;
    *(uint64_t*)0x20001fe8 = 0xb6;
    *(uint64_t*)0x20001ff0 = 0x20001e80;
    *(uint64_t*)0x20001ff8 = 0x45;
    *(uint64_t*)0x20002000 = 0x20001f00;
    *(uint64_t*)0x20002008 = 0x4c;
    *(uint64_t*)0x20005198 = 5;
    *(uint64_t*)0x200051a0 = 0x20002040;
    *(uint64_t*)0x200051a8 = 0xf3;
    *(uint32_t*)0x200051b0 = 4;
    *(uint32_t*)0x200051b8 = 4;
    *(uint64_t*)0x200051c0 = 0x20002140;
    *(uint32_t*)0x200051c8 = 0x80;
    *(uint64_t*)0x200051d0 = 0x20003280;
    *(uint64_t*)0x20003280 = 0x200021c0;
    *(uint64_t*)0x20003288 = 0x1000;
    *(uint64_t*)0x20003290 = 0x200031c0;
    *(uint64_t*)0x20003298 = 0x11;
    *(uint64_t*)0x200032a0 = 0x20003200;
    *(uint64_t*)0x200032a8 = 0x7c;
    *(uint64_t*)0x200051d8 = 3;
    *(uint64_t*)0x200051e0 = 0;
    *(uint64_t*)0x200051e8 = 0;
    *(uint32_t*)0x200051f0 = 2;
    *(uint32_t*)0x200051f8 = 0xfffffff8;
    *(uint64_t*)0x20005200 = 0x200032c0;
    *(uint32_t*)0x20005208 = 0x80;
    *(uint64_t*)0x20005210 = 0x20004480;
    *(uint64_t*)0x20004480 = 0x20003340;
    *(uint64_t*)0x20004488 = 0x2e;
    *(uint64_t*)0x20004490 = 0x20003380;
    *(uint64_t*)0x20004498 = 0x1000;
    *(uint64_t*)0x200044a0 = 0x20004380;
    *(uint64_t*)0x200044a8 = 0x37;
    *(uint64_t*)0x200044b0 = 0x200043c0;
    *(uint64_t*)0x200044b8 = 0xbc;
    *(uint64_t*)0x20005218 = 4;
    *(uint64_t*)0x20005220 = 0x200044c0;
    *(uint64_t*)0x20005228 = 0x7c;
    *(uint32_t*)0x20005230 = 0x7f;
    *(uint32_t*)0x20005238 = 3;
    *(uint64_t*)0x20005240 = 0x20004540;
    *(uint32_t*)0x20005248 = 0x80;
    *(uint64_t*)0x20005250 = 0x20004640;
    *(uint64_t*)0x20004640 = 0x200045c0;
    *(uint64_t*)0x20004648 = 0x76;
    *(uint64_t*)0x20005258 = 1;
    *(uint64_t*)0x20005260 = 0x20004680;
    *(uint64_t*)0x20005268 = 0x53;
    *(uint32_t*)0x20005270 = 3;
    *(uint32_t*)0x20005278 = 0x7509;
    *(uint64_t*)0x20005280 = 0x20004700;
    *(uint32_t*)0x20005288 = 0x80;
    *(uint64_t*)0x20005290 = 0x20004d40;
    *(uint64_t*)0x20004d40 = 0x20004780;
    *(uint64_t*)0x20004d48 = 0x81;
    *(uint64_t*)0x20004d50 = 0x20004840;
    *(uint64_t*)0x20004d58 = 0x7d;
    *(uint64_t*)0x20004d60 = 0x200048c0;
    *(uint64_t*)0x20004d68 = 0x2f;
    *(uint64_t*)0x20004d70 = 0x20004900;
    *(uint64_t*)0x20004d78 = 0x9a;
    *(uint64_t*)0x20004d80 = 0x200049c0;
    *(uint64_t*)0x20004d88 = 0x46;
    *(uint64_t*)0x20004d90 = 0x20004a40;
    *(uint64_t*)0x20004d98 = 0x40;
    *(uint64_t*)0x20004da0 = 0x20004a80;
    *(uint64_t*)0x20004da8 = 0x6b;
    *(uint64_t*)0x20004db0 = 0x20004b00;
    *(uint64_t*)0x20004db8 = 0xb7;
    *(uint64_t*)0x20004dc0 = 0x20004bc0;
    *(uint64_t*)0x20004dc8 = 0x7d;
    *(uint64_t*)0x20004dd0 = 0x20004c40;
    *(uint64_t*)0x20004dd8 = 0xc9;
    *(uint64_t*)0x20005298 = 0xa;
    *(uint64_t*)0x200052a0 = 0x20004e00;
    *(uint64_t*)0x200052a8 = 0x38;
    *(uint32_t*)0x200052b0 = 0x7f;
    *(uint32_t*)0x200052b8 = 2;
    /* struct timespec timeout: tv_sec = 0x77359400 (2e9), tv_nsec = 0, i.e.
     * effectively no timeout, so this call can block for a long time. */
    *(uint64_t*)0x20004e40 = 0x77359400;
    *(uint64_t*)0x20004e48 = 0;
    syscall(__NR_recvmmsg, r[0], 0x20005040, 0xa, 0x40000000, 0x20004e40);
    break;
  case 3:
    /* Option value for the setsockopt below, assembled at 0x2001bc78. Only
     * the first 0x2e bytes are passed as optlen; the generator nevertheless
     * fills a much larger template (several fixed-size records separated by
     * byte-wise zero fills) beyond that length. */
    memcpy((void*)0x2001bc78, "\x05\x00\x00\x00\x02\x00\x02\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x18\x00\x00\x00\x03\x03\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00", 32);
    *(uint32_t*)0x2001bc98 = 9;
    *(uint32_t*)0x2001bc9c = 3;
    *(uint32_t*)0x2001bca0 = 0xffffff22;
    *(uint32_t*)0x2001bca4 = 0;
    *(uint32_t*)0x2001bca8 = -1;
    *(uint32_t*)0x2001bcac = -1;
    *(uint32_t*)0x2001bcb0 = 0x120;
    *(uint32_t*)0x2001bcb4 = -1;
    *(uint32_t*)0x2001bcb8 = 0x258;
    *(uint32_t*)0x2001bcbc = -1;
    *(uint32_t*)0x2001bcc0 = -1;
    *(uint32_t*)0x2001bcc4 = 0x258;
    *(uint32_t*)0x2001bcc8 = -1;
    *(uint32_t*)0x2001bccc = 3;
    *(uint64_t*)0x2001bcd0 = 0x2002cfd0;
    /* Byte-wise zero fill of 0x2001bcd8..0x2001bd5f. */
    *(uint8_t*)0x2001bcd8 = 0;
    *(uint8_t*)0x2001bcd9 = 0;
    *(uint8_t*)0x2001bcda = 0;
    *(uint8_t*)0x2001bcdb = 0;
    *(uint8_t*)0x2001bcdc = 0;
    *(uint8_t*)0x2001bcdd = 0;
    *(uint8_t*)0x2001bcde = 0;
    *(uint8_t*)0x2001bcdf = 0;
    *(uint8_t*)0x2001bce0 = 0;
    *(uint8_t*)0x2001bce1 = 0;
    *(uint8_t*)0x2001bce2 = 0;
    *(uint8_t*)0x2001bce3 = 0;
    *(uint8_t*)0x2001bce4 = 0;
    *(uint8_t*)0x2001bce5 = 0;
    *(uint8_t*)0x2001bce6 = 0;
    *(uint8_t*)0x2001bce7 = 0;
    *(uint8_t*)0x2001bce8 = 0;
    *(uint8_t*)0x2001bce9 = 0;
    *(uint8_t*)0x2001bcea = 0;
    *(uint8_t*)0x2001bceb = 0;
    *(uint8_t*)0x2001bcec = 0;
    *(uint8_t*)0x2001bced = 0;
    *(uint8_t*)0x2001bcee = 0;
    *(uint8_t*)0x2001bcef = 0;
    *(uint8_t*)0x2001bcf0 = 0;
    *(uint8_t*)0x2001bcf1 = 0;
    *(uint8_t*)0x2001bcf2 = 0;
    *(uint8_t*)0x2001bcf3 = 0;
    *(uint8_t*)0x2001bcf4 = 0;
    *(uint8_t*)0x2001bcf5 = 0;
    *(uint8_t*)0x2001bcf6 = 0;
    *(uint8_t*)0x2001bcf7 = 0;
    *(uint8_t*)0x2001bcf8 = 0;
    *(uint8_t*)0x2001bcf9 = 0;
    *(uint8_t*)0x2001bcfa = 0;
    *(uint8_t*)0x2001bcfb = 0;
    *(uint8_t*)0x2001bcfc = 0;
    *(uint8_t*)0x2001bcfd = 0;
    *(uint8_t*)0x2001bcfe = 0;
    *(uint8_t*)0x2001bcff = 0;
    *(uint8_t*)0x2001bd00 = 0;
    *(uint8_t*)0x2001bd01 = 0;
    *(uint8_t*)0x2001bd02 = 0;
    *(uint8_t*)0x2001bd03 = 0;
    *(uint8_t*)0x2001bd04 = 0;
    *(uint8_t*)0x2001bd05 = 0;
    *(uint8_t*)0x2001bd06 = 0;
    *(uint8_t*)0x2001bd07 = 0;
    *(uint8_t*)0x2001bd08 = 0;
    *(uint8_t*)0x2001bd09 = 0;
    *(uint8_t*)0x2001bd0a = 0;
    *(uint8_t*)0x2001bd0b = 0;
    *(uint8_t*)0x2001bd0c = 0;
    *(uint8_t*)0x2001bd0d = 0;
    *(uint8_t*)0x2001bd0e = 0;
    *(uint8_t*)0x2001bd0f = 0;
    *(uint8_t*)0x2001bd10 = 0;
    *(uint8_t*)0x2001bd11 = 0;
    *(uint8_t*)0x2001bd12 = 0;
    *(uint8_t*)0x2001bd13 = 0;
    *(uint8_t*)0x2001bd14 = 0;
    *(uint8_t*)0x2001bd15 = 0;
    *(uint8_t*)0x2001bd16 = 0;
    *(uint8_t*)0x2001bd17 = 0;
    *(uint8_t*)0x2001bd18 = 0;
    *(uint8_t*)0x2001bd19 = 0;
    *(uint8_t*)0x2001bd1a = 0;
    *(uint8_t*)0x2001bd1b = 0;
    *(uint8_t*)0x2001bd1c = 0;
    *(uint8_t*)0x2001bd1d = 0;
    *(uint8_t*)0x2001bd1e = 0;
    *(uint8_t*)0x2001bd1f = 0;
    *(uint8_t*)0x2001bd20 = 0;
    *(uint8_t*)0x2001bd21 = 0;
    *(uint8_t*)0x2001bd22 = 0;
    *(uint8_t*)0x2001bd23 = 0;
    *(uint8_t*)0x2001bd24 = 0;
    *(uint8_t*)0x2001bd25 = 0;
    *(uint8_t*)0x2001bd26 = 0;
    *(uint8_t*)0x2001bd27 = 0;
    *(uint8_t*)0x2001bd28 = 0;
    *(uint8_t*)0x2001bd29 = 0;
    *(uint8_t*)0x2001bd2a = 0;
    *(uint8_t*)0x2001bd2b = 0;
    *(uint8_t*)0x2001bd2c = 0;
    *(uint8_t*)0x2001bd2d = 0;
    *(uint8_t*)0x2001bd2e = 0;
    *(uint8_t*)0x2001bd2f = 0;
    *(uint8_t*)0x2001bd30 = 0;
    *(uint8_t*)0x2001bd31 = 0;
    *(uint8_t*)0x2001bd32 = 0;
    *(uint8_t*)0x2001bd33 = 0;
    *(uint8_t*)0x2001bd34 = 0;
    *(uint8_t*)0x2001bd35 = 0;
    *(uint8_t*)0x2001bd36 = 0;
    *(uint8_t*)0x2001bd37 = 0;
    *(uint8_t*)0x2001bd38 = 0;
    *(uint8_t*)0x2001bd39 = 0;
    *(uint8_t*)0x2001bd3a = 0;
    *(uint8_t*)0x2001bd3b = 0;
    *(uint8_t*)0x2001bd3c = 0;
    *(uint8_t*)0x2001bd3d = 0;
    *(uint8_t*)0x2001bd3e = 0;
    *(uint8_t*)0x2001bd3f = 0;
    *(uint8_t*)0x2001bd40 = 0;
    *(uint8_t*)0x2001bd41 = 0;
    *(uint8_t*)0x2001bd42 = 0;
    *(uint8_t*)0x2001bd43 = 0;
    *(uint8_t*)0x2001bd44 = 0;
    *(uint8_t*)0x2001bd45 = 0;
    *(uint8_t*)0x2001bd46 = 0;
    *(uint8_t*)0x2001bd47 = 0;
    *(uint8_t*)0x2001bd48 = 0;
    *(uint8_t*)0x2001bd49 = 0;
    *(uint8_t*)0x2001bd4a = 0;
    *(uint8_t*)0x2001bd4b = 0;
    *(uint8_t*)0x2001bd4c = 0;
    *(uint8_t*)0x2001bd4d = 0;
    *(uint8_t*)0x2001bd4e = 0;
    *(uint8_t*)0x2001bd4f = 0;
    *(uint8_t*)0x2001bd50 = 0;
    *(uint8_t*)0x2001bd51 = 0;
    *(uint8_t*)0x2001bd52 = 0;
    *(uint8_t*)0x2001bd53 = 0;
    *(uint8_t*)0x2001bd54 = 0;
    *(uint8_t*)0x2001bd55 = 0;
    *(uint8_t*)0x2001bd56 = 0;
    *(uint8_t*)0x2001bd57 = 0;
    *(uint8_t*)0x2001bd58 = 0;
    *(uint8_t*)0x2001bd59 = 0;
    *(uint8_t*)0x2001bd5a = 0;
    *(uint8_t*)0x2001bd5b = 0;
    *(uint8_t*)0x2001bd5c = 0;
    *(uint8_t*)0x2001bd5d = 0;
    *(uint8_t*)0x2001bd5e = 0;
    *(uint8_t*)0x2001bd5f = 0;
    /* Record at 0x2001bd80: header fields, a 29-byte name ("NFQUEUE"), a
     * revision byte, three u16 fields, then a second zero fill. */
    *(uint32_t*)0x2001bd80 = 0;
    *(uint16_t*)0x2001bd84 = 0xa8;
    *(uint16_t*)0x2001bd86 = 0x52;
    *(uint32_t*)0x2001bd88 = 0;
    *(uint64_t*)0x2001bd90 = 0;
    *(uint64_t*)0x2001bd98 = 0;
    *(uint16_t*)0x2001bda0 = 0x28;
    memcpy((void*)0x2001bda2, "\x4e\x46\x51\x55\x45\x55\x45\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00", 29);
    *(uint8_t*)0x2001bdbf = 2;
    *(uint16_t*)0x2001bdc0 = 0;
    *(uint16_t*)0x2001bdc2 = 0;
    *(uint16_t*)0x2001bdc4 = 0;
    /* Byte-wise zero fill of 0x2001bdc8..0x2001be4f. */
    *(uint8_t*)0x2001bdc8 = 0;
    *(uint8_t*)0x2001bdc9 = 0;
    *(uint8_t*)0x2001bdca = 0;
    *(uint8_t*)0x2001bdcb = 0;
    *(uint8_t*)0x2001bdcc = 0;
    *(uint8_t*)0x2001bdcd = 0;
    *(uint8_t*)0x2001bdce = 0;
    *(uint8_t*)0x2001bdcf = 0;
    *(uint8_t*)0x2001bdd0 = 0;
    *(uint8_t*)0x2001bdd1 = 0;
    *(uint8_t*)0x2001bdd2 = 0;
    *(uint8_t*)0x2001bdd3 = 0;
    *(uint8_t*)0x2001bdd4 = 0;
    *(uint8_t*)0x2001bdd5 = 0;
    *(uint8_t*)0x2001bdd6 = 0;
    *(uint8_t*)0x2001bdd7 = 0;
    *(uint8_t*)0x2001bdd8 = 0;
    *(uint8_t*)0x2001bdd9 = 0;
    *(uint8_t*)0x2001bdda = 0;
    *(uint8_t*)0x2001bddb = 0;
    *(uint8_t*)0x2001bddc = 0;
    *(uint8_t*)0x2001bddd = 0;
    *(uint8_t*)0x2001bdde = 0;
    *(uint8_t*)0x2001bddf = 0;
    *(uint8_t*)0x2001bde0 = 0;
    *(uint8_t*)0x2001bde1 = 0;
    *(uint8_t*)0x2001bde2 = 0;
    *(uint8_t*)0x2001bde3 = 0;
    *(uint8_t*)0x2001bde4 = 0;
    *(uint8_t*)0x2001bde5 = 0;
    *(uint8_t*)0x2001bde6 = 0;
    *(uint8_t*)0x2001bde7 = 0;
    *(uint8_t*)0x2001bde8 = 0;
    *(uint8_t*)0x2001bde9 = 0;
    *(uint8_t*)0x2001bdea = 0;
    *(uint8_t*)0x2001bdeb = 0;
    *(uint8_t*)0x2001bdec = 0;
    *(uint8_t*)0x2001bded = 0;
    *(uint8_t*)0x2001bdee = 0;
    *(uint8_t*)0x2001bdef = 0;
    *(uint8_t*)0x2001bdf0 = 0;
    *(uint8_t*)0x2001bdf1 = 0;
    *(uint8_t*)0x2001bdf2 = 0;
    *(uint8_t*)0x2001bdf3 = 0;
    *(uint8_t*)0x2001bdf4 = 0;
    *(uint8_t*)0x2001bdf5 = 0;
    *(uint8_t*)0x2001bdf6 = 0;
    *(uint8_t*)0x2001bdf7 = 0;
    *(uint8_t*)0x2001bdf8 = 0;
    *(uint8_t*)0x2001bdf9 = 0;
    *(uint8_t*)0x2001bdfa = 0;
    *(uint8_t*)0x2001bdfb = 0;
    *(uint8_t*)0x2001bdfc = 0;
    *(uint8_t*)0x2001bdfd = 0;
    *(uint8_t*)0x2001bdfe = 0;
    *(uint8_t*)0x2001bdff = 0;
    *(uint8_t*)0x2001be00 = 0;
    *(uint8_t*)0x2001be01 = 0;
    *(uint8_t*)0x2001be02 = 0;
    *(uint8_t*)0x2001be03 = 0;
    *(uint8_t*)0x2001be04 = 0;
    *(uint8_t*)0x2001be05 = 0;
    *(uint8_t*)0x2001be06 = 0;
    *(uint8_t*)0x2001be07 = 0;
    *(uint8_t*)0x2001be08 = 0;
    *(uint8_t*)0x2001be09 = 0;
    *(uint8_t*)0x2001be0a = 0;
    *(uint8_t*)0x2001be0b = 0;
    *(uint8_t*)0x2001be0c = 0;
    *(uint8_t*)0x2001be0d = 0;
    *(uint8_t*)0x2001be0e = 0;
    *(uint8_t*)0x2001be0f = 0;
    *(uint8_t*)0x2001be10 = 0;
    *(uint8_t*)0x2001be11 = 0;
    *(uint8_t*)0x2001be12 = 0;
    *(uint8_t*)0x2001be13 = 0;
    *(uint8_t*)0x2001be14 = 0;
    *(uint8_t*)0x2001be15 = 0;
    *(uint8_t*)0x2001be16 = 0;
    *(uint8_t*)0x2001be17 = 0;
    *(uint8_t*)0x2001be18 = 0;
    *(uint8_t*)0x2001be19 = 0;
    *(uint8_t*)0x2001be1a = 0;
    *(uint8_t*)0x2001be1b = 0;
    *(uint8_t*)0x2001be1c = 0;
    *(uint8_t*)0x2001be1d = 0;
    *(uint8_t*)0x2001be1e = 0;
    *(uint8_t*)0x2001be1f = 0;
    *(uint8_t*)0x2001be20 = 0;
    *(uint8_t*)0x2001be21 = 0;
    *(uint8_t*)0x2001be22 = 0;
    *(uint8_t*)0x2001be23 = 0;
    *(uint8_t*)0x2001be24 = 0;
    *(uint8_t*)0x2001be25 = 0;
    *(uint8_t*)0x2001be26 = 0;
    *(uint8_t*)0x2001be27 = 0;
    *(uint8_t*)0x2001be28 = 0;
    *(uint8_t*)0x2001be29 = 0;
    *(uint8_t*)0x2001be2a = 0;
    *(uint8_t*)0x2001be2b = 0;
    *(uint8_t*)0x2001be2c = 0;
    *(uint8_t*)0x2001be2d = 0;
    *(uint8_t*)0x2001be2e = 0;
    *(uint8_t*)0x2001be2f = 0;
    *(uint8_t*)0x2001be30 = 0;
    *(uint8_t*)0x2001be31 = 0;
    *(uint8_t*)0x2001be32 = 0;
    *(uint8_t*)0x2001be33 = 0;
    *(uint8_t*)0x2001be34 = 0;
    *(uint8_t*)0x2001be35 = 0;
    *(uint8_t*)0x2001be36 = 0;
    *(uint8_t*)0x2001be37 = 0;
    *(uint8_t*)0x2001be38 = 0;
    *(uint8_t*)0x2001be39 = 0;
    *(uint8_t*)0x2001be3a = 0;
    *(uint8_t*)0x2001be3b = 0;
    *(uint8_t*)0x2001be3c = 0;
    *(uint8_t*)0x2001be3d = 0;
    *(uint8_t*)0x2001be3e = 0;
    *(uint8_t*)0x2001be3f = 0;
    *(uint8_t*)0x2001be40 = 0;
    *(uint8_t*)0x2001be41 = 0;
    *(uint8_t*)0x2001be42 = 0;
    *(uint8_t*)0x2001be43 = 0;
    *(uint8_t*)0x2001be44 = 0;
    *(uint8_t*)0x2001be45 = 0;
    *(uint8_t*)0x2001be46 = 0;
    *(uint8_t*)0x2001be47 = 0;
    *(uint8_t*)0x2001be48 = 0;
    *(uint8_t*)0x2001be49 = 0;
    *(uint8_t*)0x2001be4a = 0;
    *(uint8_t*)0x2001be4b = 0;
    *(uint8_t*)0x2001be4c = 0;
    *(uint8_t*)0x2001be4d = 0;
    *(uint8_t*)0x2001be4e = 0;
    *(uint8_t*)0x2001be4f = 0;
    /* Record at 0x2001be70: same header shape, name "CT", then two 16/32-byte
     * name strings ("snmp", "syz1") and a third zero fill. */
    *(uint32_t*)0x2001be70 = 0;
    *(uint16_t*)0x2001be74 = 0xa8;
    *(uint16_t*)0x2001be76 = 0x110;
    *(uint32_t*)0x2001be78 = 0;
    *(uint64_t*)0x2001be80 = 0;
    *(uint64_t*)0x2001be88 = 0;
    *(uint16_t*)0x2001be90 = 4;
    memcpy((void*)0x2001be92, "\x43\x54\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00", 29);
    *(uint8_t*)0x2001beaf = 2;
    *(uint16_t*)0x2001beb0 = 0;
    *(uint16_t*)0x2001beb2 = 0;
    *(uint32_t*)0x2001beb4 = 0;
    *(uint32_t*)0x2001beb8 = 0;
    memcpy((void*)0x2001bebc, "\x73\x6e\x6d\x70\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", 16);
    memcpy((void*)0x2001becc, "\x73\x79\x7a\x31\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00", 32);
    *(uint64_t*)0x2001bef0 = 0;
    /* Byte-wise zero fill of 0x2001bef8..0x2001bf7f. */
    *(uint8_t*)0x2001bef8 = 0;
    *(uint8_t*)0x2001bef9 = 0;
    *(uint8_t*)0x2001befa = 0;
    *(uint8_t*)0x2001befb = 0;
    *(uint8_t*)0x2001befc = 0;
    *(uint8_t*)0x2001befd = 0;
    *(uint8_t*)0x2001befe = 0;
    *(uint8_t*)0x2001beff = 0;
    *(uint8_t*)0x2001bf00 = 0;
    *(uint8_t*)0x2001bf01 = 0;
    *(uint8_t*)0x2001bf02 = 0;
    *(uint8_t*)0x2001bf03 = 0;
    *(uint8_t*)0x2001bf04 = 0;
    *(uint8_t*)0x2001bf05 = 0;
    *(uint8_t*)0x2001bf06 = 0;
    *(uint8_t*)0x2001bf07 = 0;
    *(uint8_t*)0x2001bf08 = 0;
    *(uint8_t*)0x2001bf09 = 0;
    *(uint8_t*)0x2001bf0a = 0;
    *(uint8_t*)0x2001bf0b = 0;
    *(uint8_t*)0x2001bf0c = 0;
    *(uint8_t*)0x2001bf0d = 0;
    *(uint8_t*)0x2001bf0e = 0;
    *(uint8_t*)0x2001bf0f = 0;
    *(uint8_t*)0x2001bf10 = 0;
    *(uint8_t*)0x2001bf11 = 0;
    *(uint8_t*)0x2001bf12 = 0;
    *(uint8_t*)0x2001bf13 = 0;
    *(uint8_t*)0x2001bf14 = 0;
    *(uint8_t*)0x2001bf15 = 0;
    *(uint8_t*)0x2001bf16 = 0;
    *(uint8_t*)0x2001bf17 = 0;
    *(uint8_t*)0x2001bf18 = 0;
    *(uint8_t*)0x2001bf19 = 0;
    *(uint8_t*)0x2001bf1a = 0;
    *(uint8_t*)0x2001bf1b = 0;
    *(uint8_t*)0x2001bf1c = 0;
    *(uint8_t*)0x2001bf1d = 0;
    *(uint8_t*)0x2001bf1e = 0;
    *(uint8_t*)0x2001bf1f = 0;
    *(uint8_t*)0x2001bf20 = 0;
    *(uint8_t*)0x2001bf21 = 0;
    *(uint8_t*)0x2001bf22 = 0;
    *(uint8_t*)0x2001bf23 = 0;
    *(uint8_t*)0x2001bf24 = 0;
    *(uint8_t*)0x2001bf25 = 0;
    *(uint8_t*)0x2001bf26 = 0;
    *(uint8_t*)0x2001bf27 = 0;
    *(uint8_t*)0x2001bf28 = 0;
    *(uint8_t*)0x2001bf29 = 0;
    *(uint8_t*)0x2001bf2a = 0;
    *(uint8_t*)0x2001bf2b = 0;
    *(uint8_t*)0x2001bf2c = 0;
    *(uint8_t*)0x2001bf2d = 0;
    *(uint8_t*)0x2001bf2e = 0;
    *(uint8_t*)0x2001bf2f = 0;
    *(uint8_t*)0x2001bf30 = 0;
    *(uint8_t*)0x2001bf31 = 0;
    *(uint8_t*)0x2001bf32 = 0;
    *(uint8_t*)0x2001bf33 = 0;
    *(uint8_t*)0x2001bf34 = 0;
    *(uint8_t*)0x2001bf35 = 0;
    *(uint8_t*)0x2001bf36 = 0;
    *(uint8_t*)0x2001bf37 = 0;
    *(uint8_t*)0x2001bf38 = 0;
    *(uint8_t*)0x2001bf39 = 0;
    *(uint8_t*)0x2001bf3a = 0;
    *(uint8_t*)0x2001bf3b = 0;
    *(uint8_t*)0x2001bf3c = 0;
    *(uint8_t*)0x2001bf3d = 0;
    *(uint8_t*)0x2001bf3e = 0;
    *(uint8_t*)0x2001bf3f = 0;
    *(uint8_t*)0x2001bf40 = 0;
    *(uint8_t*)0x2001bf41 = 0;
    *(uint8_t*)0x2001bf42 = 0;
    *(uint8_t*)0x2001bf43 = 0;
    *(uint8_t*)0x2001bf44 = 0;
    *(uint8_t*)0x2001bf45 = 0;
    *(uint8_t*)0x2001bf46 = 0;
    *(uint8_t*)0x2001bf47 = 0;
    *(uint8_t*)0x2001bf48 = 0;
    *(uint8_t*)0x2001bf49 = 0;
    *(uint8_t*)0x2001bf4a = 0;
    *(uint8_t*)0x2001bf4b = 0;
    *(uint8_t*)0x2001bf4c = 0;
    *(uint8_t*)0x2001bf4d = 0;
    *(uint8_t*)0x2001bf4e = 0;
    *(uint8_t*)0x2001bf4f = 0;
    *(uint8_t*)0x2001bf50 = 0;
    *(uint8_t*)0x2001bf51 = 0;
    *(uint8_t*)0x2001bf52 = 0;
    *(uint8_t*)0x2001bf53 = 0;
    *(uint8_t*)0x2001bf54 = 0;
    *(uint8_t*)0x2001bf55 = 0;
    *(uint8_t*)0x2001bf56 = 0;
    *(uint8_t*)0x2001bf57 = 0;
    *(uint8_t*)0x2001bf58 = 0;
    *(uint8_t*)0x2001bf59 = 0;
    *(uint8_t*)0x2001bf5a = 0;
    *(uint8_t*)0x2001bf5b = 0;
    *(uint8_t*)0x2001bf5c = 0;
    *(uint8_t*)0x2001bf5d = 0;
    *(uint8_t*)0x2001bf5e = 0;
    *(uint8_t*)0x2001bf5f = 0;
    *(uint8_t*)0x2001bf60 = 0;
    *(uint8_t*)0x2001bf61 = 0;
    *(uint8_t*)0x2001bf62 = 0;
    *(uint8_t*)0x2001bf63 = 0;
    *(uint8_t*)0x2001bf64 = 0;
    *(uint8_t*)0x2001bf65 = 0;
    *(uint8_t*)0x2001bf66 = 0;
    *(uint8_t*)0x2001bf67 = 0;
    *(uint8_t*)0x2001bf68 = 0;
    *(uint8_t*)0x2001bf69 = 0;
    *(uint8_t*)0x2001bf6a = 0;
    *(uint8_t*)0x2001bf6b = 0;
    *(uint8_t*)0x2001bf6c = 0;
    *(uint8_t*)0x2001bf6d = 0;
    *(uint8_t*)0x2001bf6e = 0;
    *(uint8_t*)0x2001bf6f = 0;
    *(uint8_t*)0x2001bf70 = 0;
    *(uint8_t*)0x2001bf71 = 0;
    *(uint8_t*)0x2001bf72 = 0;
    *(uint8_t*)0x2001bf73 = 0;
    *(uint8_t*)0x2001bf74 = 0;
    *(uint8_t*)0x2001bf75 = 0;
    *(uint8_t*)0x2001bf76 = 0;
    *(uint8_t*)0x2001bf77 = 0;
    *(uint8_t*)0x2001bf78 = 0;
    *(uint8_t*)0x2001bf79 = 0;
    *(uint8_t*)0x2001bf7a = 0;
    *(uint8_t*)0x2001bf7b = 0;
    *(uint8_t*)0x2001bf7c = 0;
    *(uint8_t*)0x2001bf7d = 0;
    *(uint8_t*)0x2001bf7e = 0;
    *(uint8_t*)0x2001bf7f = 0;
    /* Trailing record at 0x2001bf80 with an all-zero 29-byte name. */
    *(uint32_t*)0x2001bf80 = 0;
    *(uint16_t*)0x2001bf84 = 0xa8;
    *(uint16_t*)0x2001bf86 = 0xd0;
    *(uint32_t*)0x2001bf88 = 0;
    *(uint64_t*)0x2001bf90 = 0;
    *(uint64_t*)0x2001bf98 = 0;
    *(uint16_t*)0x2001bfa0 = 0x28;
    memcpy((void*)0x2001bfa2, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00", 29);
    *(uint8_t*)0x2001bfbf = 0;
    *(uint32_t*)0x2001bfc0 = 0xfffffffe;
    /* level 0x29 = IPPROTO_IPV6, optname 0x22 = IPV6_IPSEC_POLICY on Linux;
     * issued on the raw AF_INET6 socket from call 1. */
    syscall(__NR_setsockopt, r[1], 0x29, 0x22, 0x2001bc78, 0x2e);
    break;
  case 4:
    /* struct msghdr at 0x20006000: no name, one iovec of 16 bytes at
     * 0x20005000, msg_control pointer set but msg_controllen 0, flags 0.
     * The 16-byte payload has the shape of a netlink header (nlmsg_len 0x10,
     * nlmsg_type 0x15, flags 0xdd61, then seq/pid), sent on the netlink
     * socket from call 0. */
    *(uint64_t*)0x20006000 = 0;
    *(uint32_t*)0x20006008 = 0;
    *(uint64_t*)0x20006010 = 0x20006ff0;
    *(uint64_t*)0x20006ff0 = 0x20005000;
    memcpy((void*)0x20005000, "\x10\x00\x00\x00\x15\x00\x61\xdd\x18\xc8\x4c\x16\x29\x0c\x72\x9b", 16);
    *(uint64_t*)0x20006ff8 = 0x10;
    *(uint64_t*)0x20006018 = 1;
    *(uint64_t*)0x20006020 = 0x20001f88;
    *(uint64_t*)0x20006028 = 0;
    *(uint32_t*)0x20006030 = 0;
    syscall(__NR_sendmsg, r[0], 0x20006000, 0);
    break;
  }
}

/* Harness entry point: run the five-call sequence once. */
void loop()
{
  execute(5);
}

/* Map the fixed 16 MiB scratch region every address above points into
 * (prot 3 = PROT_READ|PROT_WRITE; flags 0x32 = MAP_PRIVATE|MAP_FIXED|
 * MAP_ANONYMOUS on Linux/x86), then run the sequence. The mmap result is
 * not checked; if the mapping fails, every store in execute_call() faults. */
int main()
{
  syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0);
  loop();
  return 0;
}