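// https://syzkaller.appspot.com/bug?id=ff834988a0e05a23199aa0230d9afa4b010c69d2
// autogenerated by syzkaller (https://github.com/google/syzkaller)

// Overview of the part of the listing restored here:
//  - small helpers (sleep_ms, current_time_ms, write_file);
//  - a DEFLATE decoder derived from zlib's puff.{c,h};
//  - puff_zlib_to_file / setup_loop_device, which inflate an embedded image
//    into a memfd and bind it to /dev/loop<procid>;
//  - syz_mount_image, which mounts that loop device;
//  - loop(), which forks one child per iteration, runs execute_one() in it
//    and kills the child if it has not exited after 5000 ms.
// The line structure was rebuilt from a collapsed page: every "//" comment
// is back on its own line so it no longer comments out the code after it.

#define _GNU_SOURCE

// NOTE(review): the page lost the operand of all 24 #include directives.
// The names below are reconstructed from the identifiers this listing uses
// and from the usual layout of syzkaller C reproducers; confirm them against
// the original file.
#include <dirent.h>
#include <endian.h>
#include <errno.h>
#include <fcntl.h>
#include <setjmp.h>
#include <signal.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/mman.h>
#include <sys/mount.h>
#include <sys/prctl.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

#include <linux/loop.h>

#ifndef __NR_memfd_create
#define __NR_memfd_create 319
#endif

// Index of this executor process; selects the loop device /dev/loop<procid>.
static unsigned long long procid;

// Sleep for `ms` milliseconds (usleep takes microseconds).
static void sleep_ms(uint64_t ms)
{
  usleep(ms * 1000);
}

// Monotonic time in milliseconds. Exits with status 1 if the clock cannot be
// read, so callers never see a bogus timestamp.
static uint64_t current_time_ms(void)
{
  struct timespec ts;
  if (clock_gettime(CLOCK_MONOTONIC, &ts))
    exit(1);
  return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}

// Format `what` (printf-style) into a 1024-byte buffer and write it to an
// already existing `file` with a single write().
// Returns true on success; false if open() fails or the write is short, with
// errno preserved across the close(). Output longer than the buffer is
// truncated by vsnprintf.
static bool write_file(const char* file, const char* what, ...)
{
  char buf[1024];
  va_list args;
  va_start(args, what);
  vsnprintf(buf, sizeof(buf), what, args);
  va_end(args);
  buf[sizeof(buf) - 1] = 0;
  int len = strlen(buf);
  int fd = open(file, O_WRONLY | O_CLOEXEC);
  if (fd == -1)
    return false;
  if (write(fd, buf, len) != len) {
    int err = errno;
    close(fd);
    errno = err;
    return false;
  }
  close(fd);
  return true;
}

//% This code is derived from puff.{c,h}, found in the zlib development. The
//% original files come with the following copyright notice:
//% Copyright (C) 2002-2013 Mark Adler, all rights reserved
//% version 2.3, 21 Jan 2013
//% This software is provided 'as-is', without any express or implied
//% warranty. In no event will the author be held liable for any damages
//% arising from the use of this software.
//% Permission is granted to anyone to use this software for any purpose,
//% including commercial applications, and to alter it and redistribute it
//% freely, subject to the following restrictions:
//% 1. The origin of this software must not be misrepresented; you must not
//% claim that you wrote the original software. If you use this software
//% in a product, an acknowledgment in the product documentation would be
//% appreciated but is not required.
//% 2. Altered source versions must be plainly marked as such, and must not be
//% misrepresented as being the original software.
//% 3. This notice may not be removed or altered from any source distribution.
//% Mark Adler madler@alumni.caltech.edu
//% BEGIN CODE DERIVED FROM puff.{c,h}

#define MAXBITS 15
#define MAXLCODES 286
#define MAXDCODES 30
#define MAXCODES (MAXLCODES + MAXDCODES)
#define FIXLCODES 288

// Decoder state shared by all puff_* routines.
struct puff_state {
  unsigned char* out; // output buffer
  unsigned long outlen; // capacity of `out` in bytes
  unsigned long outcnt; // bytes produced so far
  const unsigned char* in; // compressed input
  unsigned long inlen; // length of `in` in bytes
  unsigned long incnt; // bytes consumed so far
  int bitbuf; // bits already read from `in` but not yet used
  int bitcnt; // number of valid bits in bitbuf
  jmp_buf env; // longjmp target taken when the input runs out
};

// Return the next `need` bits of the input, least significant bit first,
// pulling whole bytes into the bit buffer as required.
// Does not return when the input is exhausted: it longjmps to s->env.
static int puff_bits(struct puff_state* s, int need)
{
  long val = s->bitbuf;
  while (s->bitcnt < need) {
    if (s->incnt == s->inlen)
      longjmp(s->env, 1);
    val |= (long)(s->in[s->incnt++]) << s->bitcnt;
    s->bitcnt += 8;
  }
  s->bitbuf = (int)(val >> need);
  s->bitcnt -= need;
  return (int)(val & ((1L << need) - 1));
}

// Process a stored (uncompressed) block.
// Returns 0 on success, 2 if the header or payload runs past the input,
// -2 if the length and its one's complement disagree, 1 if the payload does
// not fit in the output.
// Both bounds are checked before the copy loop, so the loop itself never
// leaves either buffer.
static int puff_stored(struct puff_state* s)
{
  // Stored blocks start on a byte boundary: drop leftover bits.
  s->bitbuf = 0;
  s->bitcnt = 0;
  if (s->incnt + 4 > s->inlen)
    return 2;
  unsigned len = s->in[s->incnt++];
  len |= s->in[s->incnt++] << 8;
  if (s->in[s->incnt++] != (~len & 0xff) ||
      s->in[s->incnt++] != ((~len >> 8) & 0xff))
    return -2;
  if (s->incnt + len > s->inlen)
    return 2;
  if (s->outcnt + len > s->outlen)
    return 1;
  for (; len--; s->outcnt++, s->incnt++) {
    // Only nonzero bytes are stored; a zero byte just advances outcnt.
    // This is correct only if the output buffer starts out zeroed, which
    // holds for the fresh anonymous mapping puff_zlib_to_file passes in.
    if (s->in[s->incnt])
      s->out[s->outcnt] = s->in[s->incnt];
  }
  return 0;
}

// Canonical Huffman table: count[len] is the number of codes of each bit
// length, symbol[] lists the symbols ordered by code.
struct puff_huffman {
  short* count;
  short* symbol;
};

// Decode one symbol from the input using table `h`.
// Returns the symbol (>= 0), or -10 if no code of up to MAXBITS bits matches.
// Does not return when the input is exhausted: it longjmps to s->env.
static int puff_decode(struct puff_state* s, const struct puff_huffman* h)
{
  int first = 0;
  int index = 0;
  int bitbuf = s->bitbuf;
  int left = s->bitcnt;
  int code = first = index = 0;
  int len = 1;
  short* next = h->count + 1;
  while (1) {
    while (left--) {
      code |= bitbuf & 1;
      bitbuf >>= 1;
      int count = *next++;
      if (code - count < first) {
        // Code of length `len` found: commit the consumed bits.
        s->bitbuf = bitbuf;
        s->bitcnt = (s->bitcnt - len) & 7;
        return h->symbol[index + (code - first)];
      }
      index += count;
      first += count;
      first <<= 1;
      code <<= 1;
      len++;
    }
    left = (MAXBITS + 1) - len;
    if (left == 0)
      break;
    if (s->incnt == s->inlen)
      longjmp(s->env, 1);
    bitbuf = s->in[s->incnt++];
    if (left > 8)
      left = 8;
  }
  return -10;
}

// Build table `h` from `n` code lengths.
// Returns 0 for a complete code (or when every length is zero), a negative
// value for an over-subscribed code and a positive value for an incomplete
// one.
// length[] values index h->count[], which callers size MAXBITS + 1; the
// callers in this file only pass lengths of at most MAXBITS (3-bit fields,
// symbols below 16, or the fixed 5/7/8/9 lengths).
static int puff_construct(struct puff_huffman* h, const short* length, int n)
{
  int len;
  for (len = 0; len <= MAXBITS; len++)
    h->count[len] = 0;
  int symbol;
  for (symbol = 0; symbol < n; symbol++)
    (h->count[length[symbol]])++;
  if (h->count[0] == n)
    return 0;
  // `left` tracks how many codes of the current length are still unassigned.
  int left = 1;
  for (len = 1; len <= MAXBITS; len++) {
    left <<= 1;
    left -= h->count[len];
    if (left < 0)
      return left;
  }
  short offs[MAXBITS + 1];
  offs[1] = 0;
  for (len = 1; len < MAXBITS; len++)
    offs[len + 1] = offs[len] + h->count[len];
  for (symbol = 0; symbol < n; symbol++)
    if (length[symbol] != 0)
      h->symbol[offs[length[symbol]]++] = symbol;
  return left;
}

// Decode literal/length and distance codes until the end-of-block symbol
// (256).
// Returns 0 at end of block, 1 if the output is full, -10 for an invalid
// length symbol, -11 for a distance that reaches before the start of the
// output, or a negative value passed up from puff_decode.
// NOTE(review): the distance symbol is used to index dists[]/dext[] without
// an explicit "< 30" check; it relies on distcode holding at most MAXDCODES
// symbols, which both callers in this file arrange.
static int puff_codes(struct puff_state* s,
                      const struct puff_huffman* lencode,
                      const struct puff_huffman* distcode)
{
  static const short lens[29] = {3, 4, 5, 6, 7, 8, 9, 10, 11, 13,
                                 15, 17, 19, 23, 27, 31, 35, 43, 51, 59,
                                 67, 83, 99, 115, 131, 163, 195, 227, 258};
  static const short lext[29] = {0, 0, 0, 0, 0, 0, 0, 0, 1, 1,
                                 1, 1, 2, 2, 2, 2, 3, 3, 3, 3,
                                 4, 4, 4, 4, 5, 5, 5, 5, 0};
  static const short dists[30] = {
      1, 2, 3, 4, 5, 7, 9, 13, 17, 25,
      33, 49, 65, 97, 129, 193, 257, 385, 513, 769,
      1025, 1537, 2049, 3073, 4097, 6145, 8193, 12289, 16385, 24577};
  static const short dext[30] = {0, 0, 0, 0, 1, 1, 2, 2, 3, 3,
                                 4, 4, 5, 5, 6, 6, 7, 7, 8, 8,
                                 9, 9, 10, 10, 11, 11, 12, 12, 13, 13};
  int symbol;
  do {
    symbol = puff_decode(s, lencode);
    if (symbol < 0)
      return symbol;
    if (symbol < 256) {
      // Literal byte. Zero literals are skipped, as in puff_stored.
      if (s->outcnt == s->outlen)
        return 1;
      if (symbol)
        s->out[s->outcnt] = symbol;
      s->outcnt++;
    } else if (symbol > 256) {
      // Length/distance pair.
      symbol -= 257;
      if (symbol >= 29)
        return -10;
      int len = lens[symbol] + puff_bits(s, lext[symbol]);
      symbol = puff_decode(s, distcode);
      if (symbol < 0)
        return symbol;
      unsigned dist = dists[symbol] + puff_bits(s, dext[symbol]);
      if (dist > s->outcnt)
        return -11;
      if (s->outcnt + len > s->outlen)
        return 1;
      while (len--) {
        if (dist <= s->outcnt && s->out[s->outcnt - dist])
          s->out[s->outcnt] = s->out[s->outcnt - dist];
        s->outcnt++;
      }
    }
  } while (symbol != 256);
  return 0;
}

// Decode a block that uses the fixed Huffman codes. The tables are built on
// the first call and kept in static storage for later calls.
static int puff_fixed(struct puff_state* s)
{
  static int virgin = 1;
  static short lencnt[MAXBITS + 1], lensym[FIXLCODES];
  static short distcnt[MAXBITS + 1], distsym[MAXDCODES];
  static struct puff_huffman lencode, distcode;
  if (virgin) {
    lencode.count = lencnt;
    lencode.symbol = lensym;
    distcode.count = distcnt;
    distcode.symbol = distsym;
    short lengths[FIXLCODES];
    int symbol;
    for (symbol = 0; symbol < 144; symbol++)
      lengths[symbol] = 8;
    for (; symbol < 256; symbol++)
      lengths[symbol] = 9;
    for (; symbol < 280; symbol++)
      lengths[symbol] = 7;
    for (; symbol < FIXLCODES; symbol++)
      lengths[symbol] = 8;
    puff_construct(&lencode, lengths, FIXLCODES);
    for (symbol = 0; symbol < MAXDCODES; symbol++)
      lengths[symbol] = 5;
    puff_construct(&distcode, lengths, MAXDCODES);
    virgin = 0;
  }
  return puff_codes(s, &lencode, &distcode);
}

// Decode a block that carries its own Huffman codes.
// Returns the result of puff_codes, or: -3 too many length/distance codes,
// -4 code-length code not complete, -5 repeat with no previous length,
// -6 repeat runs past the declared number of lengths, -7 / -8 invalid
// literal-length / distance code, -9 no end-of-block code.
static int puff_dynamic(struct puff_state* s)
{
  static const short order[19] = {16, 17, 18, 0, 8, 7, 9, 6, 10, 5,
                                  11, 4, 12, 3, 13, 2, 14, 1, 15};
  int nlen = puff_bits(s, 5) + 257;
  int ndist = puff_bits(s, 5) + 1;
  // A 4-bit field plus 4 is at most 19, the size of order[].
  int ncode = puff_bits(s, 4) + 4;
  // Reject counts that would overrun lengths[] and the symbol tables below.
  if (nlen > MAXLCODES || ndist > MAXDCODES)
    return -3;
  short lengths[MAXCODES];
  int index;
  for (index = 0; index < ncode; index++)
    lengths[order[index]] = puff_bits(s, 3);
  for (; index < 19; index++)
    lengths[order[index]] = 0;
  short lencnt[MAXBITS + 1], lensym[MAXLCODES];
  struct puff_huffman lencode = {lencnt, lensym};
  int err = puff_construct(&lencode, lengths, 19);
  if (err != 0)
    return -4;
  index = 0;
  while (index < nlen + ndist) {
    int symbol;
    int len;
    symbol = puff_decode(s, &lencode);
    if (symbol < 0)
      return symbol;
    if (symbol < 16)
      lengths[index++] = symbol;
    else {
      // Symbols 16..18 encode a run; `symbol` is reused as the run length.
      len = 0;
      if (symbol == 16) {
        if (index == 0)
          return -5;
        len = lengths[index - 1];
        symbol = 3 + puff_bits(s, 2);
      } else if (symbol == 17)
        symbol = 3 + puff_bits(s, 3);
      else
        symbol = 11 + puff_bits(s, 7);
      // Bound the run before writing it into lengths[].
      if (index + symbol > nlen + ndist)
        return -6;
      while (symbol--)
        lengths[index++] = len;
    }
  }
  if (lengths[256] == 0)
    return -9;
  err = puff_construct(&lencode, lengths, nlen);
  if (err && (err < 0 || nlen != lencode.count[0] + lencode.count[1]))
    return -7;
  short distcnt[MAXBITS + 1], distsym[MAXDCODES];
  struct puff_huffman distcode = {distcnt, distsym};
  err = puff_construct(&distcode, lengths + nlen, ndist);
  if (err && (err < 0 || ndist != distcode.count[0] + distcode.count[1]))
    return -8;
  return puff_codes(s, &lencode, &distcode);
}

// Inflate a raw DEFLATE stream.
// dest/destlen: output buffer and, on entry, its capacity; on return
// *destlen holds the number of bytes produced, also on failure.
// source/sourcelen: compressed input.
// Returns 0 on success, 2 if the input ended early (reported through the
// setjmp/longjmp path), 1 if the output is full, -1 for block type 3, or the
// negative code of the block decoder that failed.
static int puff(unsigned char* dest, unsigned long* destlen,
                const unsigned char* source, unsigned long sourcelen)
{
  struct puff_state s = {
      .out = dest,
      .outlen = *destlen,
      .outcnt = 0,
      .in = source,
      .inlen = sourcelen,
      .incnt = 0,
      .bitbuf = 0,
      .bitcnt = 0,
  };
  int err;
  if (setjmp(s.env) != 0)
    err = 2;
  else {
    int last;
    do {
      last = puff_bits(&s, 1);
      int type = puff_bits(&s, 2);
      err = type == 0 ? puff_stored(&s)
                      : (type == 1 ? puff_fixed(&s)
                                   : (type == 2 ? puff_dynamic(&s) : -1));
      if (err != 0)
        break;
    } while (!last);
  }
  *destlen = s.outcnt;
  return err;
}

//% END CODE DERIVED FROM puff.{c,h}

#define ZLIB_HEADER_WIDTH 2

// Inflate a zlib stream into a temporary mapping and write the result to
// dest_fd.
// The 2-byte zlib header is skipped without being inspected and nothing here
// reads the trailing checksum. Input shorter than the header writes nothing
// and returns 0.
// Returns 0 on success and -1 on failure. When puff fails, errno is set to
// -err, so a positive puff code (1 or 2) yields a negative errno value.
static int puff_zlib_to_file(const unsigned char* source,
                             unsigned long sourcelen, int dest_fd)
{
  if (sourcelen < ZLIB_HEADER_WIDTH)
    return 0;
  source += ZLIB_HEADER_WIDTH;
  sourcelen -= ZLIB_HEADER_WIDTH;
  // Upper bound on the inflated image: 132 MiB.
  const unsigned long max_destlen = 132 << 20;
  // A fresh anonymous mapping reads as zeros, which the zero-skipping copy
  // loops in the decoder depend on.
  void* ret = mmap(0, max_destlen, PROT_WRITE | PROT_READ,
                   MAP_PRIVATE | MAP_ANON, -1, 0);
  if (ret == MAP_FAILED)
    return -1;
  unsigned char* dest = (unsigned char*)ret;
  unsigned long destlen = max_destlen;
  int err = puff(dest, &destlen, source, sourcelen);
  if (err) {
    munmap(dest, max_destlen);
    errno = -err;
    return -1;
  }
  // A short write counts as failure; there is no retry loop.
  if (write(dest_fd, dest, destlen) != (ssize_t)destlen) {
    munmap(dest, max_destlen);
    return -1;
  }
  return munmap(dest, max_destlen);
}

// Inflate `data` (`size` bytes, zlib format) into a memfd named "syzkaller"
// and attach it to the loop device `loopname`.
// If LOOP_SET_FD fails with EBUSY, the device's current backing file is
// cleared and the attach is retried once after 1 ms.
// On success returns 0, stores the open loop fd in *loopfd_p (the caller
// closes it) and closes the memfd. On failure returns -1 with errno set to
// the error of the step that failed, and closes whatever was opened.
static int setup_loop_device(unsigned char* data, unsigned long size,
                             const char* loopname, int* loopfd_p)
{
  int err = 0, loopfd = -1;
  int memfd = syscall(__NR_memfd_create, "syzkaller", 0);
  if (memfd == -1) {
    err = errno;
    goto error;
  }
  if (puff_zlib_to_file(data, size, memfd)) {
    err = errno;
    goto error_close_memfd;
  }
  loopfd = open(loopname, O_RDWR);
  if (loopfd == -1) {
    err = errno;
    goto error_close_memfd;
  }
  if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
    if (errno != EBUSY) {
      err = errno;
      goto error_close_loop;
    }
    ioctl(loopfd, LOOP_CLR_FD, 0);
    usleep(1000);
    if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
      err = errno;
      goto error_close_loop;
    }
  }
  close(memfd);
  *loopfd_p = loopfd;
  return 0;

error_close_loop:
  close(loopfd);
error_close_memfd:
  close(memfd);
error:
  errno = err;
  return -1;
}

// Best-effort detach of the backing file from `loopname`; every failure is
// ignored.
static void reset_loop_device(const char* loopname)
{
  int loopfd = open(loopname, O_RDWR);
  if (loopfd == -1) {
    return;
  }
  if (ioctl(loopfd, LOOP_CLR_FD, 0)) {
  }
  close(loopfd);
}

// Mount a filesystem image.
// The arguments arrive as integers and are cast to pointers: fsarg is the
// filesystem type string, dir the mount point, optsarg the mount options,
// image the compressed image of `size` bytes. With size == 0 no loop device
// is set up and mount() receives a NULL source.
// Returns a file descriptor for the mounted directory, or -1 with errno set.
// If change_dir is set and chdir() fails, -1 is returned and the directory
// fd opened just before is not closed.
static long syz_mount_image(volatile long fsarg, volatile long dir,
                            volatile long flags, volatile long optsarg,
                            volatile long change_dir,
                            volatile unsigned long size, volatile long image)
{
  unsigned char* data = (unsigned char*)image;
  int res = -1, err = 0, need_loop_device = !!size;
  char* mount_opts = (char*)optsarg;
  char* target = (char*)dir;
  char* fs = (char*)fsarg;
  char* source = NULL;
  char loopname[64];
  if (need_loop_device) {
    int loopfd;
    memset(loopname, 0, sizeof(loopname));
    snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid);
    if (setup_loop_device(data, size, loopname, &loopfd) == -1)
      return -1;
    close(loopfd);
    source = loopname;
  }
  mkdir(target, 0777);
  // opts is zeroed and at most sizeof(opts) - 32 bytes are copied in, so the
  // string stays NUL-terminated and 32 bytes remain for the single suffix
  // that one of the strcat() calls below may append.
  char opts[256];
  memset(opts, 0, sizeof(opts));
  if (strlen(mount_opts) > (sizeof(opts) - 32)) {
  }
  strncpy(opts, mount_opts, sizeof(opts) - 32);
  // Per-filesystem adjustments of flags and options. Presumably these keep a
  // damaged image from taking the filesystem's own panic path; the code only
  // shows the rewriting itself.
  if (strcmp(fs, "iso9660") == 0) {
    flags |= MS_RDONLY;
  } else if (strncmp(fs, "ext", 3) == 0) {
    bool has_remount_ro = false;
    char* remount_ro_start = strstr(opts, "errors=remount-ro");
    if (remount_ro_start != NULL) {
      // Count the option only if it is a whole comma-separated item.
      char after = *(remount_ro_start + strlen("errors=remount-ro"));
      char before = remount_ro_start == opts ? '\0' : *(remount_ro_start - 1);
      has_remount_ro = ((before == '\0' || before == ',') &&
                        (after == '\0' || after == ','));
    }
    if (strstr(opts, "errors=panic") || !has_remount_ro)
      strcat(opts, ",errors=continue");
  } else if (strcmp(fs, "xfs") == 0) {
    strcat(opts, ",nouuid");
  } else if (strncmp(fs, "gfs2", 4) == 0 &&
             (strstr(opts, "errors=panic") || strstr(opts, "debug"))) {
    strcat(opts, ",errors=withdraw");
  }
  res = mount(source, target, fs, flags, opts);
  if (res == -1) {
    err = errno;
    goto error_clear_loop;
  }
  res = open(target, O_RDONLY | O_DIRECTORY);
  if (res == -1) {
    err = errno;
    goto error_clear_loop;
  }
  if (change_dir) {
    res = chdir(target);
    if (res == -1) {
      err = errno;
    }
  }

  // Reached on success as well (fall-through): the loop device is cleared on
  // every path once it has been set up.
error_clear_loop:
  if (need_loop_device)
    reset_loop_device(loopname);
  errno = err;
  return res;
}

// Kill the child `pid` and its process group, then reap it.
// After SIGKILL the child is polled for up to 100 * 1 ms. If it still has
// not been reaped, one byte is written to the abort file of every entry
// under /sys/fs/fuse/connections, and the function then blocks in waitpid()
// until `pid` is collected.
static void kill_and_wait(int pid, int* status)
{
  kill(-pid, SIGKILL);
  kill(pid, SIGKILL);
  for (int i = 0; i < 100; i++) {
    if (waitpid(-1, status, WNOHANG | __WALL) == pid)
      return;
    usleep(1000);
  }
  DIR* dir = opendir("/sys/fs/fuse/connections");
  if (dir) {
    for (;;) {
      struct dirent* ent = readdir(dir);
      if (!ent)
        break;
      if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
        continue;
      char abort[300];
      snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort",
               ent->d_name);
      int fd = open(abort, O_WRONLY);
      if (fd == -1) {
        continue;
      }
      if (write(fd, abort, 1) < 0) {
      }
      close(fd);
    }
    closedir(dir);
  } else {
  }
  while (waitpid(-1, status, __WALL) != pid) {
  }
}

// Detach whatever is bound to /dev/loop<procid>; run before each iteration.
static void reset_loop()
{
  char buf[64];
  snprintf(buf, sizeof(buf), "/dev/loop%llu", procid);
  int loopfd = open(buf, O_RDWR);
  if (loopfd != -1) {
    ioctl(loopfd, LOOP_CLR_FD, 0);
    close(loopfd);
  }
}

// Per-child setup: the child receives SIGKILL when its parent dies, becomes
// leader of its own process group (which kill(-pid, ...) in kill_and_wait
// targets), and sets oom_score_adj to 1000 so the OOM killer picks it first.
static void setup_test()
{
  prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
  setpgrp();
  write_file("/proc/self/oom_score_adj", "1000");
}

static void execute_one(void);

#define WAIT_FLAGS __WALL

// Run execute_one() forever, one forked child per iteration. The parent
// polls every 10 ms and kills the child once 5000 ms have passed.
static void loop(void)
{
  int iter = 0;
  for (;; iter++) {
    reset_loop();
    int pid = fork();
    if (pid < 0)
      exit(1);
    if (pid == 0) {
      setup_test();
      execute_one();
      exit(0);
    }
    int status = 0;
    uint64_t start = current_time_ms();
    for (;;) {
      sleep_ms(10);
      if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
        break;
      if (current_time_ms() - start < 5000)
        continue;
      kill_and_wait(pid, &status);
      break;
    }
  }
}

uint64_t r[1] = {0xffffffffffffffff};

// execute_one continues past the end of this block; only line breaks were
// restored in the part shown here.
void execute_one(void)
{
  intptr_t res = 0;
  if (write(1, "executing program\n", sizeof("executing program\n") - 1)) {
  }
  // syz_mount_image$udf arguments: [
  // fs: ptr[in, buffer] {
  // buffer: {75 64 66 00} (length 0x4)
  // }
  // dir: ptr[in, buffer] {
  // buffer: {2e 2f 66 69 6c 65 31 00} (length 0x8)
  // }
  // flags: mount_flags = 0x0 (8 bytes)
  // opts: ptr[inout, array[ANYUNION]] {
  // array[ANYUNION] {
  // union ANYUNION {
  // ANYBLOB: buffer: {00 08 9a af c7 27 34 6c 3e 0d 87 28 52 5a 26 41
  // b3 b3 16 21 73 0c 58 dc f8 e0 ca 2e 67 67 a4 5a 97 87 76 e9 d2 c6
  // 89 fe ab 83 a1 60 d0 0a 77 ae 51 12 cd 4e 71 41 ca d3 33 d7 cb b6
  // 9d c6 b3 14 60 9d 38 27 05 9c 11 06 6b a0 b4 b9 5c 12 d2 d9 ff 9c
  // 88 96 d9 e2 47 bd 55 f9 ff 57 8a 14 e0 e9 d0 ca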
07 69 33 96 b0 0d // 2e f4 4a db 48 58 47 5a 07 d5 e8 fa 3e f5 b3 06 fe 8a 5d 1c d2 d8 // e0 6e 7f 88 22 6e ce 09 2c 6a ab f8 87 0e 14 01 24 d5 a4 86 70 51 // 3e 0c 41 9c 99 b7 c5 10 59 59 e7 a5 35 f1 26 94 63 4c f2 72 49 0e // 00 00} (length 0xac) // } // } // } // chdir: int8 = 0x81 (1 bytes) // size: len = 0x4ac (8 bytes) // img: ptr[in, buffer] { // buffer: (compressed buffer with length 0x4ac) // } // ] // returns fd_dir memcpy((void*)0x200000000040, "udf\000", 4); memcpy((void*)0x200000000500, "./file1\000", 8); memcpy( (void*)0x200000000180, "\x00\x08\x9a\xaf\xc7\x27\x34\x6c\x3e\x0d\x87\x28\x52\x5a\x26\x41\xb3\xb3" "\x16\x21\x73\x0c\x58\xdc\xf8\xe0\xca\x2e\x67\x67\xa4\x5a\x97\x87\x76\xe9" "\xd2\xc6\x89\xfe\xab\x83\xa1\x60\xd0\x0a\x77\xae\x51\x12\xcd\x4e\x71\x41" "\xca\xd3\x33\xd7\xcb\xb6\x9d\xc6\xb3\x14\x60\x9d\x38\x27\x05\x9c\x11\x06" "\x6b\xa0\xb4\xb9\x5c\x12\xd2\xd9\xff\x9c\x88\x96\xd9\xe2\x47\xbd\x55\xf9" "\xff\x57\x8a\x14\xe0\xe9\xd0\xca\x07\x69\x33\x96\xb0\x0d\x2e\xf4\x4a\xdb" "\x48\x58\x47\x5a\x07\xd5\xe8\xfa\x3e\xf5\xb3\x06\xfe\x8a\x5d\x1c\xd2\xd8" "\xe0\x6e\x7f\x88\x22\x6e\xce\x09\x2c\x6a\xab\xf8\x87\x0e\x14\x01\x24\xd5" "\xa4\x86\x70\x51\x3e\x0c\x41\x9c\x99\xb7\xc5\x10\x59\x59\xe7\xa5\x35\xf1" "\x26\x94\x63\x4c\xf2\x72\x49\x0e\x00\x00", 172); memcpy( (void*)0x2000000011c0, "\x78\x9c\xec\xdb\x4b\x6c\x1b\x55\x17\xc0\xf1\x73\x3c\xb6\xeb\xb8\xf9\x3e" "\xdc\x07\x69\x8b\xaa\x62\x09\x24\x42\x4b\xdb\x24\x2e\x69\xab\x20\xa1\x3c" "\x88\x40\x6a\x1b\x48\x1a\x10\x15\x0f\x85\xd8\x09\x26\x4e\x1c\xc5\x29\x24" "\x55\x4b\xbb\x04\x76\x2c\xba\x64\xc9\x96\x05\x2b\xc4\x16\x55\x62\x89\x58" "\xa0\x20\xd4\x5d\xe9\x86\x8d\x57\x94\x1d\xe8\x8e\xe7\x65\xd7\x49\xec\x26" "\xf1\x34\xf5\xff\x57\xb5\x77\x1e\xc7\xee\xbd\xf7\xcc\xcc\xbd\xd7\x89\x05" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x88\x0c\xbd\x36\xd8\xd3\xab" 
"\x61\xd7\x02\x00\x00\xb4\xd2\xa5\x89\xf1\x9e\x0c\xe3\x3f\x00\x00\x6d\xe5" "\x32\xeb\x7f\x00\x00\x80\x76\xa2\x62\xc9\x1f\xa2\x72\x72\xae\xac\x17\xed" "\xfd\x8a\xc4\x85\xfc\xc2\xd5\x95\xc9\x91\xd1\xfa\x2f\xeb\x50\x51\x89\x88" "\x65\xc7\x9b\xbf\x89\xde\xbe\xcc\x99\x97\xfb\xcf\x9e\x73\xcb\x8d\x5f\xbf" "\xdd\x8e\xc8\xd8\xc4\xe5\xc1\xf4\x70\x71\x7e\x71\x29\x57\x2a\xe5\xb2\xe9" "\xc9\x85\xfc\x74\x31\x9b\x6b\xf8\x1d\xb6\xfa\xfa\x5a\xc7\xed\x0e\x48\xcf" "\xcf\x5d\xcd\xce\xcc\x94\xd2\x7d\xa7\x32\x55\xa7\x57\x52\xf7\xf7\xec\xed" "\x4a\x0d\xf4\xbf\x3f\x1c\x77\x63\x27\x47\x46\x47\x27\x02\x31\xd1\xd8\x23" "\xff\xef\x0f\x59\x6f\x86\x1f\x17\x4b\x5e\x14\x95\x4f\x7e\xf8\x4e\x2f\x89" "\x48\x44\xb6\xde\x17\x9b\x5c\x3b\x3b\xad\xc3\x6e\xc4\x71\xbb\x11\x93\x23" "\xa3\x76\x43\x0a\xf9\xa9\x85\x65\x73\x52\x23\x4e\x54\xa4\xba\x4f\xe2\x6e" "\x1f\xb5\x20\x17\x5b\x12\x11\x31\xf5\xd2\xf8\xf6\xac\xd9\x62\x62\xc9\x8f" "\xa2\x32\x74\xba\xac\x63\x22\x62\xb9\xfd\x70\xc2\xfe\x60\xb8\xa1\xfa\x84" "\x21\x6a\x96\xae\x22\xd2\x2d\xbb\x20\x67\x8f\xb1\x3d\x62\xc9\x87\xa2\x72" "\xe7\x74\x4a\xde\x74\xfa\xd5\xce\x7f\x5c\xe4\x7a\xd8\x95\xc3\x8e\x8b\x3a" "\xf7\x7f\x51\xcb\xfa\x96\xfd\x3c\x30\xf7\x93\x79\x6c\x5e\x78\x3b\xfd\xc6" "\xc2\x4c\x31\x10\xab\x11\xe7\x8e\x6a\x66\x7c\xa8\x73\x0f\x86\x3e\x3e\xb4" "\xd2\x63\xfe\x6c\x4a\x88\x25\x63\xf6\x1d\x5f\xd6\xf1\xb0\x2b\x83\x96\xeb" "\x10\x4b\xe6\x45\x25\xfe\xf5\xa7\xf6\xbc\x42\xec\x79\xe9\x53\x03\x67\x8f" "\x3d\x7b\x3e\x38\xc3\x38\xb4\xc9\xfb\x98\xd8\x53\xce\xcd\xd5\xc8\x98\x1c" "\x73\xa6\x0e\x1a\x31\x7f\x1e\xa1\xda\xd8\x16\x09\xb5\xe4\x4f\x51\x79\xf0" "\x7b\xc2\xde\xef\x76\x72\xc3\x4f\x04\xda\x84\x5a\x52\x10\x95\x7f\x6e\x94" "\x55\x6b\xd6\xa5\x56\x60\x7d\xef\xd9\xed\x6b\xc3\x9d\xad\x7f\x47\x62\xb8" "\xb8\xb8\xba\x94\x9f\xfd\x78\xb9\xee\xf9\x64\x62\xf0\xa3\xd2\xf2\xd2\xd4" "\x74\xfd\xd3\x95\xb5\xab\x15\x3c\xb2\xd9\x3a\xb6\x56\xa4\xb9\x25\x59\x52" "\x2b\x2b\xbe\x2f\x3e\x2b\x7b\xaf\x73\xd6\x00\xff\xab\xec\xf9\xb5\xf9\xf6" 
"\xba\x7f\x2d\x74\xd7\x94\xae\xe0\xf5\xd3\xc8\x76\xc3\xcf\x99\x26\xe6\x51" "\xa6\x4e\xaa\x96\xdc\x13\x95\x99\x0f\x0e\x57\xc6\x19\x49\x36\xdd\x37\xed" "\xc0\xe4\x7f\x54\x54\x4a\xe5\x5f\xd4\xcd\xb4\x93\xff\x68\x65\x2f\x90\xff" "\x57\xfc\xfe\x4b\x68\x75\xe9\xb1\x73\xfb\xff\xca\xe7\x5a\xee\x5c\xe2\xc8" "\x95\x83\xeb\x1d\xdf\x89\xfc\x9b\x3a\x99\xfc\xbf\x2b\x2a\x43\x7f\x1f\x76" "\x3e\xd3\xa8\xe4\xdf\xaa\x89\x35\x71\x5d\xa2\xf2\xde\xed\xa3\x4e\x5c\x24" "\x6e\xe2\xa2\x6e\x73\x2a\xef\x38\x93\x2f\xe4\x7a\x4c\xec\xbf\xa2\xb2\xff" "\x67\x37\x56\xec\xd8\xa4\x13\x7b\xc0\x8f\xed\x35\xb1\x25\x51\xf9\xf2\x4e" "\x75\xec\x5e\x27\xf6\xa0\x1f\xdb\x67\x62\xd7\x44\xe5\xee\x6f\xf5\x63\x9f" "\xf6\x63\x33\x26\x76\xd5\xe4\xeb\x6e\xda\x8d\x4d\x9a\xd8\x63\x4e\x6c\x97" "\x1f\x7b\x6a\xba\x58\xc8\x6e\xd6\xad\x26\xff\x7d\xa2\xf2\xce\xcd\xd7\xd5" "\x6d\xf3\xba\xf9\x0f\xdc\xff\xb7\x6a\x4a\xcf\x43\x39\xdf\x78\x7b\xbb\xf2" "\x9f\x0a\x1c\xbb\xe5\xe4\xf5\x8a\x93\xff\xe8\x26\xf9\xff\x4a\x54\x56\xff" "\x3a\xea\xb6\xdb\xee\x7b\xf7\xb2\xda\x67\xff\xeb\xe7\xdf\xcc\x95\xbf\xbf" "\x5d\x1d\xeb\x4e\x46\xf7\xfb\xb1\xbd\x8d\x36\x2b\x6c\x26\xff\xfb\x44\xe5" "\xfe\xab\x6b\x5e\x9b\x9d\xb6\x39\xbb\x7e\x86\x82\xf9\x7f\x26\x5a\x5d\x7a" "\xfd\x1a\x52\xfe\xf7\x05\x8e\xa5\x9c\x7a\xc5\x9b\xec\x8b\x76\x54\x5a\xbd" "\x36\x37\x55\x28\xe4\x96\xd8\x60\x83\x0d\x36\xbc\x8d\xb0\x9f\x4c\x68\x05" "\x33\xfe\x8f\x9b\x51\xbd\xdf\x52\x77\x1e\xe3\x8c\xff\x9d\x95\x3d\x7f\xc6" "\xf4\xe0\x73\x7f\xfc\x1f\xa8\x29\x3d\x21\x8d\xff\xfb\x03\xc7\x06\x9c\x59" "\x4b\x2c\x2a\x92\x58\x9e\x5f\x8c\x1d\x12\x49\x94\x56\xaf\x9d\xcc\xcf\x4f" "\xcd\xe6\x66\x73\x0b\x99\x33\xfd\x3d\x7d\xe7\xcf\xf4\x64\xce\xc5\xe2\xee" "\xe4\xce\xdf\x6a\xb8\xef\x9e\x04\x26\xff\x27\x44\xe5\xc6\x4f\xbf\x7a\xeb" "\x98\xea\xf9\x5f\xfd\xf9\x7f\xb2\xa6\xf4\x84\x94\xff\x03\xc1\x36\x55\xcd" "\x6b\x1a\xee\x8a\xb6\x64\xf2\xdf\x29\x2a\xfd\xf7\xd6\xbc\xf5\xe6\x46\xf3" "\x7f\x77\xfd\xdf\xfd\x5c\x75\xe9\xdd\x7f\x21\xe5\xff\x60\xe0\x58\xca\xa9" 
"\x57\x67\x93\x7d\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\xbb\x49\x52\x2d\x79\x5e\x54\x56\xc6\x5f\x52\xf7\x3b\x44\x8d\xfc\xfe\x5f" "\xb6\xa6\xf4\x84\xf4\xfb\x5f\x5d\x81\x63\xd9\xed\xff\x5e\x83\xfb\xd5\xa8" "\xaa\x53\x8d\x56\x1d\x00\x00\x00\x00\x00\x00\x00\x00\xa0\x95\x22\x62\xc9" "\x37\xa2\xf2\x82\x94\xf5\xa6\x39\xd0\x29\x72\x31\x58\xe2\x89\xf6\x5f\x00" "\x00\x00\xff\xff\x5e\xae\x42\x17", 1196); syz_mount_image(/*fs=*/0x200000000040, /*dir=*/0x200000000500, /*flags=*/0, /*opts=*/0x200000000180, /*chdir=*/0x81, /*size=*/0x4ac, /*img=*/0x2000000011c0); // openat arguments: [ // fd: fd_dir (resource) // file: ptr[in, buffer] { // buffer: {2e 2f 66 69 6c 65 31 00} (length 0x8) // } // flags: open_flags = 0x42 (4 bytes) // mode: open_mode = 0x0 (2 bytes) // ] // returns fd memcpy((void*)0x200000000440, "./file1\000", 8); res = syscall(__NR_openat, /*fd=*/0xffffff9c, /*file=*/0x200000000440ul, /*flags=O_CREAT|O_RDWR*/ 0x42, /*mode=*/0); if (res != -1) r[0] = res; // write$UHID_INPUT arguments: [ // fd: fd_uhid (resource) // data: ptr[in, uhid_req[UHID_INPUT, uhid_input_req]] { // uhid_req[UHID_INPUT, uhid_input_req] { // type: const = 0x8 (4 bytes) // data: uhid_input_req { // data: buffer: {da 10 f6 f6 46 82 2d 5e 89 83 29 4a 2c 8b 24 17 d3 // fb b9 d3 b4 c0 f9 6d 0d 3e 90 1b 02 9b 63 14 9e a4 68 21 6f 59 94 // dd 0a 3f bf bb b3 22 ec c6 3a 2b 22 c2 6f e1 df 61 a2 07 01 d6 19 // 42 2f 62 d9 f2 15 08 61 f2 45 b3 3a b4 f7 d9 9d 97 51 3a 9d 3b 74 // 3d 3c 55 60 9b df c0 fa 4e 50 72 d6 bc d0 77 73 ce f7 5c 7b 7f ab // e2 15 8f 60 28 63 e0 b8 b8 b6 5f 1b d2 bd 24 ca a2 7a e5 0e 0a 9d // a4 60 60 0f 62 16 6f 71 df 9c 96 d9 c6 9e 5f d6 d3 59 06 de b9 dd // c6 47 9f eb bc ed b1 e0 d0 c4 cd fd e4 24 43 22 9e 89 1e 29 25 53 // 2a 94 2b 53 f1 d4 c1 e3 f5 1d 45 a6 75 0b 4d 6f ec a6 34 a0 95 84 // c9 5a 05 85 4a 9a b1 d7 ce 2b 16 d2 c9 ff a7 9b 2b 25 22 b5 a6 8a // 44 dd f6 09 8d 10 70 0a cc 14 d4 41 68 83 ed 22 43 8d 60 71 bc e7 // 31 f8 2c 0f fb 3a 28 16 08 b9 
24 5e a2 f0 0f 90 06 b5 da f2 b4 e8 // ee 79 7f 9f 96 2b 4b 6e 50 45 b9 b0 dd 8b 72 fc 28 6e c9 ff 8a 5e // aa 4d 33 2e 73 fb b7 7a e8 da 9b 9e cd ea 44 80 68 10 57 bb 34 50 // 60 2f 8f 9f 7e a6 de a3 04 89 02 78 6c a9 a7 78 7c a3 cf ec f6 56 // 64 f4 4b ac 99 67 56 13 e8 7b 8c db ed 22 12 57 41 6b ec c0 ab 91 // 40 ff d7 7e 87 69 5f 51 b0 31 e5 15 0d 32 dd 50 21 00 ee b1 7d 21 // e2 d6 1c e0 29 cb 82 98 3a 1f 81 e7 68 bb e1 79 73 62 53 50 bd a0 // f6 a9 70 f7 0a 2c 25 d3 a3 87 23 5e fb e0 7c da 7a f9 80 62 92 b8 // bf a3 aa 1e 18 30 58 c8 79 89 af 5d 85 29 97 2e bb de d1 29 f6 a0 // 22 87 5d 6d 64 2b a1 3e a1 92 e5 cf 9b fa 7a c3 aa 4c 2d 4c d6 a0 // bf 19 0c 7a c5 3b 37 c9 56 d2 12 63 c3 f1 0e e9 7a 12 3f 32 10 71 // ae 27 b5 d2 c3 da 69 ab 1a 63 75 a3 b3 82 c3 f4 fe 74 c3 0b 51 f5 // e0 a6 92 af f9 98 73 8c 60 17 16 74 f3 f3 8c 41 d9 c6 9f 3f 7c 5f // e4 03 a4 ed 2b 42 d9 90 8d 4a 3c e5 09 51 4f ef 57 52 40 80 e0 9c // e4 5c c6 ba ae 7d 72 e9 6b cc 79 bc 2f 22 d9 02 73 b5 be af 5f f1 // df e0 93 bb 25 2a df 49 26 a9 d0 99 5f b7 2d 08 ee 3c 6c 56 07 22 // b5 1a 44 ae 4a f5 c1 36 21 d3 08 0f 8f f3 96 27 13 ae 55 9d d2 e4 // 69 94 85 a0 f5 70 e9 f5 be cb 23 ef 51 83 22 32 05 70 2b 53 23 4b // c3 f8 52 bd 64 03 4f 21 8a 03 45 75 75 06 d5 c1 58 f5 d3 a4 d3 2f // f6 0d 9b 36 d1 34 30 1e 43 fe ab 47 10 4c 5b 88 ad 95 9d 2c bf ee // 26 30 15 2e f1 5a ff 2a 09 fa 41 e6 92 55 6d ae 29 14 69 70 58 d4 // 7a 0a 05 78 ae 49 9c c4 97 7f 02 dc 18 46 41 30 9e ca f5 c5 88 53 // b0 d9 df 7d 0a 52 16 78 1a a5 28 17 17 6a 9c 97 d8 b8 e8 81 d5 a2 // 8d a4 c2 41 b1 9e 09 e3 ca b4 06 6e af 89 22 09 97 d6 50 27 83 84 // 47 90 f1 e2 98 07 2e f0 7f fe cf b7 02 24 2c 9e df 52 ec d7 57 e8 // 11 d1 e8 4f d1 ec ae 69 06 18 a3 3a 72 f5 9d df 16 d8 e5 ed bc d8 // 7c 65 c1 20 52 e7 1b 0b c2 07 12 6c 45 f2 5b 68 f3 f8 dc ea c6 fc // 36 ad 44 dc 39 ab d1 a3 7f 3f 51 4f a3 57 22 0c 59 21 e3 f9 b0 67 // 70 52 66 90 2c 7c e6 0d d8 90 0c f8 96 39 6f 41 d6 b8 ff 53 7d e0 // 39 50 d7 f1 39 c8 99 fb 52 
33 93 0f fe 9f bd 1c 24 31 c6 db 6a 3a // 5e bd d1 d2 5b 6f d4 8b 5b 1a b4 87 0d c4 32 df c1 08 aa 23 18 7a // 90 d8 3a c4 9e 7a 1d 4f d3 c6 fa 92 8c 36 29 7b ca dc 66 01 5a f8 // c8 e8 64 9a b8 af 84 01 5a 12 f0 c0 bf 31 59 d7 a9 91 64 a0 38 43 // 87 52 c3 36 46 47 c1 79 d4 68 bb 82 99 90 1f b9 a5 c0 4a 85 75 53 // 66 c2 18 07 85 d7 3f fc b6 04 29 9c 1e 01 fc 86 6f 24 d2 4e ea bb // f2 c0 f5 d4 98 65 5b 4f 9c 0e 07 55 f9 71 41 b4 02 e2 e5 5f 37 28 // 13 d1 67 1c 00 e8 56 3f 62 18 b9 e7 83 ba 8e 8c 5d e4 2a 70 f5 a4 // b6 12 6e 7b 4c 66 9b 02 35 3e 1e be ef 91 06 bb e3 cc 53 db 03 c8 // c7 af 42 d9 c9 f3 d6 37 eb bb 98 d2 92 00 0f d1 dd 86 e2 7b 17 60 // 56 d0 0c a6 7b a0 de c5 70 fa b9 96 d2 19 51 64 53 78 d8 c5 dc 04 // 6f 39 80 4c 15 70 3a 89 2e 10 91 e2 f0 10 80 8a fb 04 d2 e6 89 24 // 83 ab 26 e0 09 4e 43 d5 33 79 d0 b8 8d 1e 25 5f b6 01 b0 06 f9 69 // 6b 37 d9 53 53 a0 dd dd f0 1c 6c 31 c3 3a 50 67 47 81 44 94 d1 34 // 6e 03 78 21 bf d7 2b 07 b6 fd 2e 41 e6 54 94 61 fd 1d bc bb c8 ae // 09 31 8a 5a d0 fd 29 6d a7 1e 85 36 7f 22 44 09 a1 4f 83 da b6 7e // fd 7d c6 fb 14 86 d2 3e b3 b2 a6 e6 82 0a 3f 14 37 39 6c 0b a4 23 // 94 64 2f 1b c7 20 46 cd 49 39 67 ec 37 7c e4 db 32 87 38 5a bb 61 // ff a7 cd 80 71 2e d6 97 51 8f ec b5 c2 bf 95 70 7d 8d 68 07 7f 02 // 6c 83 9b 95 38 52 0d 61 3c 7d 42 bf f0 7a f2 5b b7 10 61 56 ac 1a // 39 91 69 76 2a 6b a1 94 6e ac d8 f6 cf fd 40 7a 80 3f 91 34 37 09 // 37 2f d2 fb 36 ef 72 dc 80 b0 30 17 7c 57 98 99 78 9c 5a a2 b6 5c // b4 15 40 8d 0f 04 85 af 36 a6 f8 90 2b c2 30 d0 a8 08 01 e7 87 51 // 18 21 1b 56 9d 05 64 bc 56 5b 10 d8 34 26 41 22 d8 00 fc 40 4c f7 // 28 24 c5 6d f9 6f c5 9f fc 68 98 e3 b8 85 b4 04 f6 85 61 ec c3 50 // 26 37 cb fc f4 0c 6f ec 61 48 21 a0 4f 8a 4e 22 b9 29 c7 3e d4 42 // 7a a2 b7 ea d9 67 a0 2a 55 52 fc 29 89 30 29 91 98 e3 7a 14 4f bf // e5 a1 5a 94 57 2b fc 9f 66 09 85 08 3a 09 4d 01 5f e1 e6 1e 31 d1 // 55 d8 19 9f ef 40 f7 da af c4 58 30 35 72 44 a4 11 0f 22 7a 72 de // 24 f4 9b 45 fe 9f ea 66 
2b 3e 87 48 95 57 f8 81 92 e8 b4 84 3c 0a // 43 de 6d be be 62 d5 85 3d 65 a9 27 79 3a 16 3a 31 09 3f 70 b7 1d // d2 86 31 3d bf c1 df 29 94 d0 23 d3 d8 bf a5 d0 97 83 c4 03 39 c5 // e3 ae de 50 a1 81 0f 52 da 84 16 de ca 90 2e ba 9c f4 83 18 f2 85 // 01 69 16 9e 40 8d bb a6 2e 09 7d bc b6 29 b0 68 b0 19 15 8c 66 18 // 65 a0 ee 71 0d 9c 56 b8 3f 9a 74 78 b6 22 d6 ed cb 36 8f 4f cf 8d // db e9 b8 2b c3 90 74 e5 35 42 92 11 fa 54 17 d2 37 a3 c2 ab db 69 // 65 5f e1 c8 92 03 fb 30 c3 7c ff c8 36 c0 1f 08 79 c5 5c 6f 1b a3 // 41 4d d6 88 85 70 be a1 d6 08 b3 e3 5c 4b dc 7b 93 dc e8 00 65 c0 // 84 07 b9 8b 43 19 a2 28 bb 52 67 93 ef 48 a0 20 76 6b c2 36 b2 b8 // 40 bb 74 88 f3 fa 9f 4a c3 b7 87 e3 b8 da d6 23 7f 70 57 c8 dd 6d // 82 1e b9 ed ff 0c 7d e8 d3 06 de 12 09 5b 77 d0 2e 02 64 35 0e 26 // 8f b1 d5 d5 4a 72 e1 b9 5f 69 88 6c 79 6c a2 63 88 eb 16 b3 4f 4c // 54 26 c2 79 3c 49 e5 39 28 ff 9a 36 6d c8 94 60 e0 0e 62 d2 95 20 // 58 9b 71 b1 2c 84 7a 59 6c 55 60 e8 bb bc 3e a5 24 a9 57 f5 11 8c // 72 4c b7 1a 8d 04 17 70 fe 4f b9 82 74 36 e5 3e 6d a2 a5 5d ac 13 // ca 95 a6 d3 71 68 f3 24 0d 3a c4 d2 00 40 34 89 27 a0 37 53 53 07 // b9 9c 1e 73 d9 ab fd e4 a5 cd a7 6e 74 79 1f f1 4d 78 ec 82 d9 f3 // a0 18 ac bc b1 81 aa 86 9d 3c 3f 64 45 fd 22 dd 5c 60 ae 33 a5 69 // 00 f0 c8 06 a0 02 26 5b a9 f7 94 18 d1 c9 32 cd 2b fa 6c 72 a4 b7 // 71 4f 1f f5 1d f4 09 93 3f 9b ef 8c e5 39 86 fe 2e e6 0d 38 92 92 // f1 d5 0b be 9f 19 d0 0d c8 86 ef 41 dd 5b 3b be 7e 59 57 cb 4f 46 // a4 b1 f9 aa 91 04 59 8b b8 3d fb c1 7f 1c 1f 64 b8 bc 27 4c 82 b5 // 42 6f 07 37 f6 0c cd d3 f2 e3 0b 7d 3d 26 43 49 e4 c8 12 4d ff 6b // a3 99 70 7e 8d b2 58 c7 4f 57 f0 aa 18 c5 15 98 a4 38 d0 28 96 cf // be 9e 8c 11 1b 40 44 e7 2f ce 3b 12 38 21 ea 40 ce 7f 2a 97 d5 d4 // d1 1a 68 1b 17 b0 d3 f5 01 3f b9 a2 83 81 5d 94 f8 5b 95 57 c2 6b // 80 96 d6 5a 1c 9b 99 22 9b 95 c6 29 f8 b2 f8 b3 b5 fc ef a4 e8 a0 // 75 6d 86 02 f9 9d de 3f fb 7e 1a e2 dd b4 47 61 e3 cb 9c 99 58 3d // a6 de b1 a0 da 4e 8e 
85 11 f9 0d d5 90 ab 32 2f 22 65 8f 86 97 09 // 49 42 c5 26 37 92 52 71 76 64 1c e6 82 94 2f 88 d7 3f bd 4e b7 20 // 82 39 bb 26 f1 dc ee 42 5d 84 08 ba 8b a1 6c 3d fa ea 84 4f bf 00 // d2 b0 8a e2 23 1c da 55 d0 86 dc 86 0d 82 94 f7 05 4d 38 45 45 24 // d4 fb 76 e4 09 e3 25 5e c9 80 24 db 4c 7a 02 89 38 8c 16 63 26 13 // 9e cd cf 79 ae 6f 9d 86 e9 66 5d d4 14 f7 64 3b 53 4a 41 f6 f1 43 // 99 1f 2d ee 7d 46 54 fb 7b 9f df 22 db 37 59 a4 5b 78 54 c9 1e 14 // 2e f6 2c 40 13 ef c9 92 48 8c 99 d6 3e 11 ba 12 53 93 71 92 d2 d4 // 18 7c 2c 93 81 71 49 0c 3a 81 d5 3f c9 5c fb b9 70 23 c9 db 5d fb // d9 72 23 87 59 01 ba 54 44 29 e2 45 88 9a ce 8d e2 01 4b 37 8b 56 // 87 3c a6 02 b6 0d 28 f0 6e e5 cc e5 80 ab 4d 6f f8 e6 08 a8 e2 58 // 1b 80 1f 2f 69 91 07 70 8b 8b 20 d6 4f 4e c4 a1 b8 38 c7 ff 1c 05 // b3 e1 97 50 93 31 f9 38 4c 09 b0 46 c0 32 e9 ff 36 3d 7d 88 2e fd // 00 92 17 de 21 ce 2c bc b2 a0 38 d6 b2 aa de 0a 8b 04 69 34 56 80 // e4 e9 0b 4c 75 a3 8d 24 c2 27 97 68 3a bb 72 94 15 cf ed fb df 98 // db 30 0f fa 2b b9 d9 e7 a0 0a 03 dd ea dc b9 f8 c8 aa 32 d9 6b b3 // 50 3c 66 7a c6 57 37 93 9c c0 7d 50 d7 a9 fc d2 1b 7b 02 cf 61 ea // b7 41 ee 7e 89 39 40 82 73 4c 01 75 e2 af 60 66 8c 8a 68 83 2f be // ee f8 54 25 14 73 c4 1d 3d 06 91 d1 a5 ee 96 74 f1 98 93 e8 b5 1a // d3 48 31 40 b2 da c8 4d fa 3c 2f bf d3 05 c4 d5 51 e7 a5 6a e3 07 // 98 aa 53 30 ef ac 50 50 2d 70 47 7b d9 25 23 42 b7 cc 85 2f cb 82 // 99 f7 7a f0 3f e9 3f 15 b7 01 bf a6 3c 9c 71 c1 8c 3a 35 af 18 7b // 7e d9 0a 20 27 8e 80 6f 1e 9a 89 a6 6d 5a a6 98 6f fb 98 25 ac d0 // 02 3d 19 10 ab 1d 41 86 91 ec a8 b6 fe 28 30 94 82 a7 cc 65 be 7e // 1d 00 b4 f0 5a b2 3f ea 84 de 79 6d 24 64 4b 62 53 64 b9 84 3c c1 // 71 a3 a2 b9 bf db 1c 27 59 96 ea d9 49 a2 64 03 16 cf 3c d2 f9 4e // 3f a5 33 84 b7 61 e7 0c 7d d3 8d f4 ec ea 10 13 26 bc c4 76 a7 35 // 3a 8c 76 f2 83 34 5c c2 63 78 ca 67 38 d1 97 8a 87 7a 59 92 63 fc // d6 c6 ce 59 55 64 08 8d 18 df c3 fe 84 10 9a fc b9 d4 53 d0 c1 4e // 0e 19 b8 9d 10 32 
58 39 29 75 90 a5 9e 0b 72 fc a9 65 29 ef b7 40 // 33 68 21 18 2c d5 c0 29 a8 73 48 14 25 e7 23 4e ff 61 23 6b 26 76 // 75 72 fb ff 1b 28 e0 bb 68 0c 8e 76 65 86 d5 3e 32 03 1f 55 1e 9d // 86 e9 b0 9d 61 a8 f4 1c 93 ae 0d 7a 43 8e 7a 20 c9 db df e5 02 c2 // 8b 80 16 cc c4 e9 6b 1f cd da ee 6b 33 d9 08 6d 04 35 48 14 a2 b8 // 3b 50 e4 67 72 8f 53 74 f3 d2 a3 29 34 56 84 ad b0 32 89 53 39 b5 // e7 40 6f ad 0c 52 38 00 63 74 d0 ec e4 c3 99 6e 19 12 5e f2 c3 38 // a9 06 d3 4c 03 c8 1e 2e a1 e6 db 11 ec 34 25 63 72 de df 34 c2 68 // 8d 2d a7 dc fe 88 12 1e c3 bc db 2d 10 47 17 c2 29 0f a4 12 ca b7 // 88 31 e8 96 7b 89 41 f2 35 47 4e 16 dc d3 e1 07 3b e6 65 95 65 78 // 76 31 ea 75 0a 89 17 60 6e 02 8c 93 f8 36 16 f4 13 f7 a9 c3 9f 84 // db 47 d1 48 ad 42 91 9a 3a 53 4e fc 56 56 f7 1f 6c 3a ad ef ba 37 // b1 d2 d3 6c 7f 31 da 4d 53 77 4d 0f 1e f4 1b 63 85 9f 18 1d c9 61 // 32 09 65 e3 20 9c 84 cc 0f 20 64 00 b0 08 05 d0 24 d4 2c 21 fb c6 // f2 27 2c ea 3e dc 64 ef 20 a7 4c 67 b2 6c 64 47 35 2f 64 c5 0a 02 // 47 53 8f 09 ac 1c 27 39 18 88 b8 12 87 19 ea e2 9a 1c e8 4e fd b7 // da 7c 95 ac 8a 3f 4b 8e 4d f4 04 45 8a b3 e2 bf 44 e1 4e b2 88 71 // df 99 3e a9 23 de 89 93 50 cf 39 99 82 46 d7 85 b4 a6 ad 6b 76 2e // 92 b4 6d 83 37 4e 28 8a 9c 8d ab 52 b4 a5 fd 8b 30 53 20 20 3c 12 // 33 e1 e9 f2 37 81 34 7b 05 2e 36 9f ce 9d bf 99 1f e1 cf 1b 27 a4 // 35 e4 0a ae 7b 50 f6 4e a3 c3 dd c0 57 7c 62 1d 3e ea 4b 5b 9d 2f // e1 a1 69 96 6a 4a ab 39 b2 20 56 95 66 7e c7 5b 02 e0 64 8f 9c 6d // bf 8a be 3a 0f 96 2a e7 1f 42 96 a8 f4 27 89 cc 51 c8 b4 cc 7d 7d // 14 8f 61 37 5b f4 26 f3 e8 94 cc 0d 09 1e e6 34 53 f9 2e 6a 23 af // ec e1 f8 b5 dd 12 f3 d1 06 ee a4 cd ba bf d6 0d d1 0b d8 35 1c 9b // c8 a9 57 71 8a 29 31 f0 1d f7 7f 0d 19 5b 28 fa bf 92 54 c1 c3 14 // 80 cf 37 5c a5 c3 ab 83 40 4b ba 90 e6 14 a3 32 48 76 0b 54 f5 cb // 4b 27 45 b9 3f fe c1 c4 d7 9a 23 50 58 ba 35 e0 d7 28 ba 10 4b b1 // 8e 7a 87 39 28 5a 4b a6 1c 04 6b 4d ec be a8 6c a6 79 c9 c5 6f 33 // 26 2b d3 6a c8 
72 01 88 d3 02 05 65 20 98 51 84 92 6c f7 1a 55 eb // 53 66 fb 1a 2c 83 aa a8 32 b2 09 8b 21 bd 37 d8 28 fe 35 9f 6f 48 // 54 0a 06 74 e1 9b 41 06 ed 13 c7 eb b5 c3 02 4a 47 c9 18 a1 be 9b // 78 ad 05 53 ba d8 88 2b d9 7d f8 ac 66 b7 a1 da b6 16 52 31 34 4b // 4f 05 46 73 40 d0 09 4d 61 6a f4 a2 4b 52 8b 1b e7 bf 73 8e 95 ca // f2 97 47 e6 a4 fe fd b6 7f 1e 7d 81 72 b8 9c fd 33 23 0a b5 d7 96 // 0e 65 dd 3e fc da 30 ef 5b f4 c3 24 a0 e9 22 cd cf e7 1d de 2b cc // db c1 61 64 40 46 2d 4d bf 90 f4 c3 6c 65 43 dc 68 81 78 e6 bf f0 // 06 25 23 ad de ba 3d 58 82 2e 3e bc ea 00 5a 1b 66 27 80 97 6d 87 // 5d b5 8d b7 c9 6b b5 d6 0b 29 93 d7 e0 80 0b 7d cb ee 8e 4c 2a 20 // 68 f2 2e 9f cc 02 74 61 06 f9 17 00 f1 f1 d0 95 30 56 cb fd 9e ac // 32 83 f0 f5 1d d6 74 d1 50 a6 98 51 9a 5b 64 b0 8a 3d a0 f0 19 fc // de 0c 6d 57 81 cf 95 94 07 52 4d cf 30 ba 9a 2d 72 12 df 69 55 41 // 3f 9d eb 45 d8 5c 61 8b 1a b7 2b 05 1c 73 d6 39 b2 df ce 31 c4 39 // 46 f0 eb b0 17 20 81 0a 65 3c 59 03 2b bc 17 d7 b3 78 53 12 7a 02 // b7 06 90 d2 7c fa 61 03 7d c7 60 8e c5 9a 71 c7 d5 fc 5c 81 40 b7 // 86 db 74 39 5d 29 b6 e9 f1 fc 70 bd a2 d3 84 76 d0 99 b8 1c 2d e8 // df 36 6e 9b 64 70 1a c6 1e 13 b8 84 f8 d8 e0 e7 a9 b7 9f b1 fc 78 // e7 d3 9d 01 c0 ca 4f f6 77 de 80 05 e2 32 be 3a 9e d7 45 b9 73 44 // ac ff 8d 27 63 7f fb 6a b7 26 1d fe 93 21 e7 97 e3 29 db a0 fc 1f // 85 9a 71 cf ff 3f 41 c1 d0 6b b5 c0 1b 9e 45 fb 92 91 c4 69 a4 09 // 43 f1 c4 5a 4f 09 63 bf 50 12 81 0b 34 de fa 17 0e 67 1e b9 ca c9 // 15 d8 8a d5 0c 74 80 7e 19 97 5d 52 4e b9 e4 6d 16 e3 0c 0a d1 f7 // df 75 62 eb 15 a2 0b 6f b7 0a b8 0c 91 e6 7f cb 43 da d0 c9 41 b8 // 52 e4 be a4 98 c9 ea d9 8f 33 cd 30 6b 01 9e cc f0 ad 16 f8 52 71 // 06 54 bd 58 27 82 9c 9d b7 4b f2 e1 11 24 84 a6 45 5a b5 ed ca f3 // 0d f9 8a 0b 99 03 12 9c 62 00 01 37 61 a5 9a 09 43 8d 97 a4 aa 48 // c1 83 24 a0 36 fb 7f 20 7c 81 cb 00 06 a2 26 35 6e 46 39 61 16 98 // 9d 76 2d f6 95 ae 06 d2 24 7e f5 c9 24 b0 8f b2 03 1e 80 1a 66 d4 // 85 8d 01 f2 
56 f0 f5 56 e7 15 d6 dd e4 b8 7b 21 3a ff ae f9 8b e6 // ec a7 d3 5f 7a a2 fc 44 41} (length 0x1000) size: len = 0x1000 (2 // bytes) // } // } // } // len: len = 0x1006 (8 bytes) // ] *(uint32_t*)0x200000001600 = 8; memcpy( (void*)0x200000001604, "\xda\x10\xf6\xf6\x46\x82\x2d\x5e\x89\x83\x29\x4a\x2c\x8b\x24\x17\xd3\xfb" "\xb9\xd3\xb4\xc0\xf9\x6d\x0d\x3e\x90\x1b\x02\x9b\x63\x14\x9e\xa4\x68\x21" "\x6f\x59\x94\xdd\x0a\x3f\xbf\xbb\xb3\x22\xec\xc6\x3a\x2b\x22\xc2\x6f\xe1" "\xdf\x61\xa2\x07\x01\xd6\x19\x42\x2f\x62\xd9\xf2\x15\x08\x61\xf2\x45\xb3" "\x3a\xb4\xf7\xd9\x9d\x97\x51\x3a\x9d\x3b\x74\x3d\x3c\x55\x60\x9b\xdf\xc0" "\xfa\x4e\x50\x72\xd6\xbc\xd0\x77\x73\xce\xf7\x5c\x7b\x7f\xab\xe2\x15\x8f" "\x60\x28\x63\xe0\xb8\xb8\xb6\x5f\x1b\xd2\xbd\x24\xca\xa2\x7a\xe5\x0e\x0a" "\x9d\xa4\x60\x60\x0f\x62\x16\x6f\x71\xdf\x9c\x96\xd9\xc6\x9e\x5f\xd6\xd3" "\x59\x06\xde\xb9\xdd\xc6\x47\x9f\xeb\xbc\xed\xb1\xe0\xd0\xc4\xcd\xfd\xe4" "\x24\x43\x22\x9e\x89\x1e\x29\x25\x53\x2a\x94\x2b\x53\xf1\xd4\xc1\xe3\xf5" "\x1d\x45\xa6\x75\x0b\x4d\x6f\xec\xa6\x34\xa0\x95\x84\xc9\x5a\x05\x85\x4a" "\x9a\xb1\xd7\xce\x2b\x16\xd2\xc9\xff\xa7\x9b\x2b\x25\x22\xb5\xa6\x8a\x44" "\xdd\xf6\x09\x8d\x10\x70\x0a\xcc\x14\xd4\x41\x68\x83\xed\x22\x43\x8d\x60" "\x71\xbc\xe7\x31\xf8\x2c\x0f\xfb\x3a\x28\x16\x08\xb9\x24\x5e\xa2\xf0\x0f" "\x90\x06\xb5\xda\xf2\xb4\xe8\xee\x79\x7f\x9f\x96\x2b\x4b\x6e\x50\x45\xb9" "\xb0\xdd\x8b\x72\xfc\x28\x6e\xc9\xff\x8a\x5e\xaa\x4d\x33\x2e\x73\xfb\xb7" "\x7a\xe8\xda\x9b\x9e\xcd\xea\x44\x80\x68\x10\x57\xbb\x34\x50\x60\x2f\x8f" "\x9f\x7e\xa6\xde\xa3\x04\x89\x02\x78\x6c\xa9\xa7\x78\x7c\xa3\xcf\xec\xf6" "\x56\x64\xf4\x4b\xac\x99\x67\x56\x13\xe8\x7b\x8c\xdb\xed\x22\x12\x57\x41" "\x6b\xec\xc0\xab\x91\x40\xff\xd7\x7e\x87\x69\x5f\x51\xb0\x31\xe5\x15\x0d" "\x32\xdd\x50\x21\x00\xee\xb1\x7d\x21\xe2\xd6\x1c\xe0\x29\xcb\x82\x98\x3a" "\x1f\x81\xe7\x68\xbb\xe1\x79\x73\x62\x53\x50\xbd\xa0\xf6\xa9\x70\xf7\x0a" "\x2c\x25\xd3\xa3\x87\x23\x5e\xfb\xe0\x7c\xda\x7a\xf9\x80\x62\x92\xb8\xbf" 
"\xa3\xaa\x1e\x18\x30\x58\xc8\x79\x89\xaf\x5d\x85\x29\x97\x2e\xbb\xde\xd1" "\x29\xf6\xa0\x22\x87\x5d\x6d\x64\x2b\xa1\x3e\xa1\x92\xe5\xcf\x9b\xfa\x7a" "\xc3\xaa\x4c\x2d\x4c\xd6\xa0\xbf\x19\x0c\x7a\xc5\x3b\x37\xc9\x56\xd2\x12" "\x63\xc3\xf1\x0e\xe9\x7a\x12\x3f\x32\x10\x71\xae\x27\xb5\xd2\xc3\xda\x69" "\xab\x1a\x63\x75\xa3\xb3\x82\xc3\xf4\xfe\x74\xc3\x0b\x51\xf5\xe0\xa6\x92" "\xaf\xf9\x98\x73\x8c\x60\x17\x16\x74\xf3\xf3\x8c\x41\xd9\xc6\x9f\x3f\x7c" "\x5f\xe4\x03\xa4\xed\x2b\x42\xd9\x90\x8d\x4a\x3c\xe5\x09\x51\x4f\xef\x57" "\x52\x40\x80\xe0\x9c\xe4\x5c\xc6\xba\xae\x7d\x72\xe9\x6b\xcc\x79\xbc\x2f" "\x22\xd9\x02\x73\xb5\xbe\xaf\x5f\xf1\xdf\xe0\x93\xbb\x25\x2a\xdf\x49\x26" "\xa9\xd0\x99\x5f\xb7\x2d\x08\xee\x3c\x6c\x56\x07\x22\xb5\x1a\x44\xae\x4a" "\xf5\xc1\x36\x21\xd3\x08\x0f\x8f\xf3\x96\x27\x13\xae\x55\x9d\xd2\xe4\x69" "\x94\x85\xa0\xf5\x70\xe9\xf5\xbe\xcb\x23\xef\x51\x83\x22\x32\x05\x70\x2b" "\x53\x23\x4b\xc3\xf8\x52\xbd\x64\x03\x4f\x21\x8a\x03\x45\x75\x75\x06\xd5" "\xc1\x58\xf5\xd3\xa4\xd3\x2f\xf6\x0d\x9b\x36\xd1\x34\x30\x1e\x43\xfe\xab" "\x47\x10\x4c\x5b\x88\xad\x95\x9d\x2c\xbf\xee\x26\x30\x15\x2e\xf1\x5a\xff" "\x2a\x09\xfa\x41\xe6\x92\x55\x6d\xae\x29\x14\x69\x70\x58\xd4\x7a\x0a\x05" "\x78\xae\x49\x9c\xc4\x97\x7f\x02\xdc\x18\x46\x41\x30\x9e\xca\xf5\xc5\x88" "\x53\xb0\xd9\xdf\x7d\x0a\x52\x16\x78\x1a\xa5\x28\x17\x17\x6a\x9c\x97\xd8" "\xb8\xe8\x81\xd5\xa2\x8d\xa4\xc2\x41\xb1\x9e\x09\xe3\xca\xb4\x06\x6e\xaf" "\x89\x22\x09\x97\xd6\x50\x27\x83\x84\x47\x90\xf1\xe2\x98\x07\x2e\xf0\x7f" "\xfe\xcf\xb7\x02\x24\x2c\x9e\xdf\x52\xec\xd7\x57\xe8\x11\xd1\xe8\x4f\xd1" "\xec\xae\x69\x06\x18\xa3\x3a\x72\xf5\x9d\xdf\x16\xd8\xe5\xed\xbc\xd8\x7c" "\x65\xc1\x20\x52\xe7\x1b\x0b\xc2\x07\x12\x6c\x45\xf2\x5b\x68\xf3\xf8\xdc" "\xea\xc6\xfc\x36\xad\x44\xdc\x39\xab\xd1\xa3\x7f\x3f\x51\x4f\xa3\x57\x22" "\x0c\x59\x21\xe3\xf9\xb0\x67\x70\x52\x66\x90\x2c\x7c\xe6\x0d\xd8\x90\x0c" "\xf8\x96\x39\x6f\x41\xd6\xb8\xff\x53\x7d\xe0\x39\x50\xd7\xf1\x39\xc8\x99" 
"\xfb\x52\x33\x93\x0f\xfe\x9f\xbd\x1c\x24\x31\xc6\xdb\x6a\x3a\x5e\xbd\xd1" "\xd2\x5b\x6f\xd4\x8b\x5b\x1a\xb4\x87\x0d\xc4\x32\xdf\xc1\x08\xaa\x23\x18" "\x7a\x90\xd8\x3a\xc4\x9e\x7a\x1d\x4f\xd3\xc6\xfa\x92\x8c\x36\x29\x7b\xca" "\xdc\x66\x01\x5a\xf8\xc8\xe8\x64\x9a\xb8\xaf\x84\x01\x5a\x12\xf0\xc0\xbf" "\x31\x59\xd7\xa9\x91\x64\xa0\x38\x43\x87\x52\xc3\x36\x46\x47\xc1\x79\xd4" "\x68\xbb\x82\x99\x90\x1f\xb9\xa5\xc0\x4a\x85\x75\x53\x66\xc2\x18\x07\x85" "\xd7\x3f\xfc\xb6\x04\x29\x9c\x1e\x01\xfc\x86\x6f\x24\xd2\x4e\xea\xbb\xf2" "\xc0\xf5\xd4\x98\x65\x5b\x4f\x9c\x0e\x07\x55\xf9\x71\x41\xb4\x02\xe2\xe5" "\x5f\x37\x28\x13\xd1\x67\x1c\x00\xe8\x56\x3f\x62\x18\xb9\xe7\x83\xba\x8e" "\x8c\x5d\xe4\x2a\x70\xf5\xa4\xb6\x12\x6e\x7b\x4c\x66\x9b\x02\x35\x3e\x1e" "\xbe\xef\x91\x06\xbb\xe3\xcc\x53\xdb\x03\xc8\xc7\xaf\x42\xd9\xc9\xf3\xd6" "\x37\xeb\xbb\x98\xd2\x92\x00\x0f\xd1\xdd\x86\xe2\x7b\x17\x60\x56\xd0\x0c" "\xa6\x7b\xa0\xde\xc5\x70\xfa\xb9\x96\xd2\x19\x51\x64\x53\x78\xd8\xc5\xdc" "\x04\x6f\x39\x80\x4c\x15\x70\x3a\x89\x2e\x10\x91\xe2\xf0\x10\x80\x8a\xfb" "\x04\xd2\xe6\x89\x24\x83\xab\x26\xe0\x09\x4e\x43\xd5\x33\x79\xd0\xb8\x8d" "\x1e\x25\x5f\xb6\x01\xb0\x06\xf9\x69\x6b\x37\xd9\x53\x53\xa0\xdd\xdd\xf0" "\x1c\x6c\x31\xc3\x3a\x50\x67\x47\x81\x44\x94\xd1\x34\x6e\x03\x78\x21\xbf" "\xd7\x2b\x07\xb6\xfd\x2e\x41\xe6\x54\x94\x61\xfd\x1d\xbc\xbb\xc8\xae\x09" "\x31\x8a\x5a\xd0\xfd\x29\x6d\xa7\x1e\x85\x36\x7f\x22\x44\x09\xa1\x4f\x83" "\xda\xb6\x7e\xfd\x7d\xc6\xfb\x14\x86\xd2\x3e\xb3\xb2\xa6\xe6\x82\x0a\x3f" "\x14\x37\x39\x6c\x0b\xa4\x23\x94\x64\x2f\x1b\xc7\x20\x46\xcd\x49\x39\x67" "\xec\x37\x7c\xe4\xdb\x32\x87\x38\x5a\xbb\x61\xff\xa7\xcd\x80\x71\x2e\xd6" "\x97\x51\x8f\xec\xb5\xc2\xbf\x95\x70\x7d\x8d\x68\x07\x7f\x02\x6c\x83\x9b" "\x95\x38\x52\x0d\x61\x3c\x7d\x42\xbf\xf0\x7a\xf2\x5b\xb7\x10\x61\x56\xac" "\x1a\x39\x91\x69\x76\x2a\x6b\xa1\x94\x6e\xac\xd8\xf6\xcf\xfd\x40\x7a\x80" "\x3f\x91\x34\x37\x09\x37\x2f\xd2\xfb\x36\xef\x72\xdc\x80\xb0\x30\x17\x7c" 
"\x57\x98\x99\x78\x9c\x5a\xa2\xb6\x5c\xb4\x15\x40\x8d\x0f\x04\x85\xaf\x36" "\xa6\xf8\x90\x2b\xc2\x30\xd0\xa8\x08\x01\xe7\x87\x51\x18\x21\x1b\x56\x9d" "\x05\x64\xbc\x56\x5b\x10\xd8\x34\x26\x41\x22\xd8\x00\xfc\x40\x4c\xf7\x28" "\x24\xc5\x6d\xf9\x6f\xc5\x9f\xfc\x68\x98\xe3\xb8\x85\xb4\x04\xf6\x85\x61" "\xec\xc3\x50\x26\x37\xcb\xfc\xf4\x0c\x6f\xec\x61\x48\x21\xa0\x4f\x8a\x4e" "\x22\xb9\x29\xc7\x3e\xd4\x42\x7a\xa2\xb7\xea\xd9\x67\xa0\x2a\x55\x52\xfc" "\x29\x89\x30\x29\x91\x98\xe3\x7a\x14\x4f\xbf\xe5\xa1\x5a\x94\x57\x2b\xfc" "\x9f\x66\x09\x85\x08\x3a\x09\x4d\x01\x5f\xe1\xe6\x1e\x31\xd1\x55\xd8\x19" "\x9f\xef\x40\xf7\xda\xaf\xc4\x58\x30\x35\x72\x44\xa4\x11\x0f\x22\x7a\x72" "\xde\x24\xf4\x9b\x45\xfe\x9f\xea\x66\x2b\x3e\x87\x48\x95\x57\xf8\x81\x92" "\xe8\xb4\x84\x3c\x0a\x43\xde\x6d\xbe\xbe\x62\xd5\x85\x3d\x65\xa9\x27\x79" "\x3a\x16\x3a\x31\x09\x3f\x70\xb7\x1d\xd2\x86\x31\x3d\xbf\xc1\xdf\x29\x94" "\xd0\x23\xd3\xd8\xbf\xa5\xd0\x97\x83\xc4\x03\x39\xc5\xe3\xae\xde\x50\xa1" "\x81\x0f\x52\xda\x84\x16\xde\xca\x90\x2e\xba\x9c\xf4\x83\x18\xf2\x85\x01" "\x69\x16\x9e\x40\x8d\xbb\xa6\x2e\x09\x7d\xbc\xb6\x29\xb0\x68\xb0\x19\x15" "\x8c\x66\x18\x65\xa0\xee\x71\x0d\x9c\x56\xb8\x3f\x9a\x74\x78\xb6\x22\xd6" "\xed\xcb\x36\x8f\x4f\xcf\x8d\xdb\xe9\xb8\x2b\xc3\x90\x74\xe5\x35\x42\x92" "\x11\xfa\x54\x17\xd2\x37\xa3\xc2\xab\xdb\x69\x65\x5f\xe1\xc8\x92\x03\xfb" "\x30\xc3\x7c\xff\xc8\x36\xc0\x1f\x08\x79\xc5\x5c\x6f\x1b\xa3\x41\x4d\xd6" "\x88\x85\x70\xbe\xa1\xd6\x08\xb3\xe3\x5c\x4b\xdc\x7b\x93\xdc\xe8\x00\x65" "\xc0\x84\x07\xb9\x8b\x43\x19\xa2\x28\xbb\x52\x67\x93\xef\x48\xa0\x20\x76" "\x6b\xc2\x36\xb2\xb8\x40\xbb\x74\x88\xf3\xfa\x9f\x4a\xc3\xb7\x87\xe3\xb8" "\xda\xd6\x23\x7f\x70\x57\xc8\xdd\x6d\x82\x1e\xb9\xed\xff\x0c\x7d\xe8\xd3" "\x06\xde\x12\x09\x5b\x77\xd0\x2e\x02\x64\x35\x0e\x26\x8f\xb1\xd5\xd5\x4a" "\x72\xe1\xb9\x5f\x69\x88\x6c\x79\x6c\xa2\x63\x88\xeb\x16\xb3\x4f\x4c\x54" "\x26\xc2\x79\x3c\x49\xe5\x39\x28\xff\x9a\x36\x6d\xc8\x94\x60\xe0\x0e\x62" 
"\xd2\x95\x20\x58\x9b\x71\xb1\x2c\x84\x7a\x59\x6c\x55\x60\xe8\xbb\xbc\x3e" "\xa5\x24\xa9\x57\xf5\x11\x8c\x72\x4c\xb7\x1a\x8d\x04\x17\x70\xfe\x4f\xb9" "\x82\x74\x36\xe5\x3e\x6d\xa2\xa5\x5d\xac\x13\xca\x95\xa6\xd3\x71\x68\xf3" "\x24\x0d\x3a\xc4\xd2\x00\x40\x34\x89\x27\xa0\x37\x53\x53\x07\xb9\x9c\x1e" "\x73\xd9\xab\xfd\xe4\xa5\xcd\xa7\x6e\x74\x79\x1f\xf1\x4d\x78\xec\x82\xd9" "\xf3\xa0\x18\xac\xbc\xb1\x81\xaa\x86\x9d\x3c\x3f\x64\x45\xfd\x22\xdd\x5c" "\x60\xae\x33\xa5\x69\x00\xf0\xc8\x06\xa0\x02\x26\x5b\xa9\xf7\x94\x18\xd1" "\xc9\x32\xcd\x2b\xfa\x6c\x72\xa4\xb7\x71\x4f\x1f\xf5\x1d\xf4\x09\x93\x3f" "\x9b\xef\x8c\xe5\x39\x86\xfe\x2e\xe6\x0d\x38\x92\x92\xf1\xd5\x0b\xbe\x9f" "\x19\xd0\x0d\xc8\x86\xef\x41\xdd\x5b\x3b\xbe\x7e\x59\x57\xcb\x4f\x46\xa4" "\xb1\xf9\xaa\x91\x04\x59\x8b\xb8\x3d\xfb\xc1\x7f\x1c\x1f\x64\xb8\xbc\x27" "\x4c\x82\xb5\x42\x6f\x07\x37\xf6\x0c\xcd\xd3\xf2\xe3\x0b\x7d\x3d\x26\x43" "\x49\xe4\xc8\x12\x4d\xff\x6b\xa3\x99\x70\x7e\x8d\xb2\x58\xc7\x4f\x57\xf0" "\xaa\x18\xc5\x15\x98\xa4\x38\xd0\x28\x96\xcf\xbe\x9e\x8c\x11\x1b\x40\x44" "\xe7\x2f\xce\x3b\x12\x38\x21\xea\x40\xce\x7f\x2a\x97\xd5\xd4\xd1\x1a\x68" "\x1b\x17\xb0\xd3\xf5\x01\x3f\xb9\xa2\x83\x81\x5d\x94\xf8\x5b\x95\x57\xc2" "\x6b\x80\x96\xd6\x5a\x1c\x9b\x99\x22\x9b\x95\xc6\x29\xf8\xb2\xf8\xb3\xb5" "\xfc\xef\xa4\xe8\xa0\x75\x6d\x86\x02\xf9\x9d\xde\x3f\xfb\x7e\x1a\xe2\xdd" "\xb4\x47\x61\xe3\xcb\x9c\x99\x58\x3d\xa6\xde\xb1\xa0\xda\x4e\x8e\x85\x11" "\xf9\x0d\xd5\x90\xab\x32\x2f\x22\x65\x8f\x86\x97\x09\x49\x42\xc5\x26\x37" "\x92\x52\x71\x76\x64\x1c\xe6\x82\x94\x2f\x88\xd7\x3f\xbd\x4e\xb7\x20\x82" "\x39\xbb\x26\xf1\xdc\xee\x42\x5d\x84\x08\xba\x8b\xa1\x6c\x3d\xfa\xea\x84" "\x4f\xbf\x00\xd2\xb0\x8a\xe2\x23\x1c\xda\x55\xd0\x86\xdc\x86\x0d\x82\x94" "\xf7\x05\x4d\x38\x45\x45\x24\xd4\xfb\x76\xe4\x09\xe3\x25\x5e\xc9\x80\x24" "\xdb\x4c\x7a\x02\x89\x38\x8c\x16\x63\x26\x13\x9e\xcd\xcf\x79\xae\x6f\x9d" "\x86\xe9\x66\x5d\xd4\x14\xf7\x64\x3b\x53\x4a\x41\xf6\xf1\x43\x99\x1f\x2d" 
"\xee\x7d\x46\x54\xfb\x7b\x9f\xdf\x22\xdb\x37\x59\xa4\x5b\x78\x54\xc9\x1e" "\x14\x2e\xf6\x2c\x40\x13\xef\xc9\x92\x48\x8c\x99\xd6\x3e\x11\xba\x12\x53" "\x93\x71\x92\xd2\xd4\x18\x7c\x2c\x93\x81\x71\x49\x0c\x3a\x81\xd5\x3f\xc9" "\x5c\xfb\xb9\x70\x23\xc9\xdb\x5d\xfb\xd9\x72\x23\x87\x59\x01\xba\x54\x44" "\x29\xe2\x45\x88\x9a\xce\x8d\xe2\x01\x4b\x37\x8b\x56\x87\x3c\xa6\x02\xb6" "\x0d\x28\xf0\x6e\xe5\xcc\xe5\x80\xab\x4d\x6f\xf8\xe6\x08\xa8\xe2\x58\x1b" "\x80\x1f\x2f\x69\x91\x07\x70\x8b\x8b\x20\xd6\x4f\x4e\xc4\xa1\xb8\x38\xc7" "\xff\x1c\x05\xb3\xe1\x97\x50\x93\x31\xf9\x38\x4c\x09\xb0\x46\xc0\x32\xe9" "\xff\x36\x3d\x7d\x88\x2e\xfd\x00\x92\x17\xde\x21\xce\x2c\xbc\xb2\xa0\x38" "\xd6\xb2\xaa\xde\x0a\x8b\x04\x69\x34\x56\x80\xe4\xe9\x0b\x4c\x75\xa3\x8d" "\x24\xc2\x27\x97\x68\x3a\xbb\x72\x94\x15\xcf\xed\xfb\xdf\x98\xdb\x30\x0f" "\xfa\x2b\xb9\xd9\xe7\xa0\x0a\x03\xdd\xea\xdc\xb9\xf8\xc8\xaa\x32\xd9\x6b" "\xb3\x50\x3c\x66\x7a\xc6\x57\x37\x93\x9c\xc0\x7d\x50\xd7\xa9\xfc\xd2\x1b" "\x7b\x02\xcf\x61\xea\xb7\x41\xee\x7e\x89\x39\x40\x82\x73\x4c\x01\x75\xe2" "\xaf\x60\x66\x8c\x8a\x68\x83\x2f\xbe\xee\xf8\x54\x25\x14\x73\xc4\x1d\x3d" "\x06\x91\xd1\xa5\xee\x96\x74\xf1\x98\x93\xe8\xb5\x1a\xd3\x48\x31\x40\xb2" "\xda\xc8\x4d\xfa\x3c\x2f\xbf\xd3\x05\xc4\xd5\x51\xe7\xa5\x6a\xe3\x07\x98" "\xaa\x53\x30\xef\xac\x50\x50\x2d\x70\x47\x7b\xd9\x25\x23\x42\xb7\xcc\x85" "\x2f\xcb\x82\x99\xf7\x7a\xf0\x3f\xe9\x3f\x15\xb7\x01\xbf\xa6\x3c\x9c\x71" "\xc1\x8c\x3a\x35\xaf\x18\x7b\x7e\xd9\x0a\x20\x27\x8e\x80\x6f\x1e\x9a\x89" "\xa6\x6d\x5a\xa6\x98\x6f\xfb\x98\x25\xac\xd0\x02\x3d\x19\x10\xab\x1d\x41" "\x86\x91\xec\xa8\xb6\xfe\x28\x30\x94\x82\xa7\xcc\x65\xbe\x7e\x1d\x00\xb4" "\xf0\x5a\xb2\x3f\xea\x84\xde\x79\x6d\x24\x64\x4b\x62\x53\x64\xb9\x84\x3c" "\xc1\x71\xa3\xa2\xb9\xbf\xdb\x1c\x27\x59\x96\xea\xd9\x49\xa2\x64\x03\x16" "\xcf\x3c\xd2\xf9\x4e\x3f\xa5\x33\x84\xb7\x61\xe7\x0c\x7d\xd3\x8d\xf4\xec" "\xea\x10\x13\x26\xbc\xc4\x76\xa7\x35\x3a\x8c\x76\xf2\x83\x34\x5c\xc2\x63" 
"\x78\xca\x67\x38\xd1\x97\x8a\x87\x7a\x59\x92\x63\xfc\xd6\xc6\xce\x59\x55" "\x64\x08\x8d\x18\xdf\xc3\xfe\x84\x10\x9a\xfc\xb9\xd4\x53\xd0\xc1\x4e\x0e" "\x19\xb8\x9d\x10\x32\x58\x39\x29\x75\x90\xa5\x9e\x0b\x72\xfc\xa9\x65\x29" "\xef\xb7\x40\x33\x68\x21\x18\x2c\xd5\xc0\x29\xa8\x73\x48\x14\x25\xe7\x23" "\x4e\xff\x61\x23\x6b\x26\x76\x75\x72\xfb\xff\x1b\x28\xe0\xbb\x68\x0c\x8e" "\x76\x65\x86\xd5\x3e\x32\x03\x1f\x55\x1e\x9d\x86\xe9\xb0\x9d\x61\xa8\xf4" "\x1c\x93\xae\x0d\x7a\x43\x8e\x7a\x20\xc9\xdb\xdf\xe5\x02\xc2\x8b\x80\x16" "\xcc\xc4\xe9\x6b\x1f\xcd\xda\xee\x6b\x33\xd9\x08\x6d\x04\x35\x48\x14\xa2" "\xb8\x3b\x50\xe4\x67\x72\x8f\x53\x74\xf3\xd2\xa3\x29\x34\x56\x84\xad\xb0" "\x32\x89\x53\x39\xb5\xe7\x40\x6f\xad\x0c\x52\x38\x00\x63\x74\xd0\xec\xe4" "\xc3\x99\x6e\x19\x12\x5e\xf2\xc3\x38\xa9\x06\xd3\x4c\x03\xc8\x1e\x2e\xa1" "\xe6\xdb\x11\xec\x34\x25\x63\x72\xde\xdf\x34\xc2\x68\x8d\x2d\xa7\xdc\xfe" "\x88\x12\x1e\xc3\xbc\xdb\x2d\x10\x47\x17\xc2\x29\x0f\xa4\x12\xca\xb7\x88" "\x31\xe8\x96\x7b\x89\x41\xf2\x35\x47\x4e\x16\xdc\xd3\xe1\x07\x3b\xe6\x65" "\x95\x65\x78\x76\x31\xea\x75\x0a\x89\x17\x60\x6e\x02\x8c\x93\xf8\x36\x16" "\xf4\x13\xf7\xa9\xc3\x9f\x84\xdb\x47\xd1\x48\xad\x42\x91\x9a\x3a\x53\x4e" "\xfc\x56\x56\xf7\x1f\x6c\x3a\xad\xef\xba\x37\xb1\xd2\xd3\x6c\x7f\x31\xda" "\x4d\x53\x77\x4d\x0f\x1e\xf4\x1b\x63\x85\x9f\x18\x1d\xc9\x61\x32\x09\x65" "\xe3\x20\x9c\x84\xcc\x0f\x20\x64\x00\xb0\x08\x05\xd0\x24\xd4\x2c\x21\xfb" "\xc6\xf2\x27\x2c\xea\x3e\xdc\x64\xef\x20\xa7\x4c\x67\xb2\x6c\x64\x47\x35" "\x2f\x64\xc5\x0a\x02\x47\x53\x8f\x09\xac\x1c\x27\x39\x18\x88\xb8\x12\x87" "\x19\xea\xe2\x9a\x1c\xe8\x4e\xfd\xb7\xda\x7c\x95\xac\x8a\x3f\x4b\x8e\x4d" "\xf4\x04\x45\x8a\xb3\xe2\xbf\x44\xe1\x4e\xb2\x88\x71\xdf\x99\x3e\xa9\x23" "\xde\x89\x93\x50\xcf\x39\x99\x82\x46\xd7\x85\xb4\xa6\xad\x6b\x76\x2e\x92" "\xb4\x6d\x83\x37\x4e\x28\x8a\x9c\x8d\xab\x52\xb4\xa5\xfd\x8b\x30\x53\x20" "\x20\x3c\x12\x33\xe1\xe9\xf2\x37\x81\x34\x7b\x05\x2e\x36\x9f\xce\x9d\xbf" 
"\x99\x1f\xe1\xcf\x1b\x27\xa4\x35\xe4\x0a\xae\x7b\x50\xf6\x4e\xa3\xc3\xdd" "\xc0\x57\x7c\x62\x1d\x3e\xea\x4b\x5b\x9d\x2f\xe1\xa1\x69\x96\x6a\x4a\xab" "\x39\xb2\x20\x56\x95\x66\x7e\xc7\x5b\x02\xe0\x64\x8f\x9c\x6d\xbf\x8a\xbe" "\x3a\x0f\x96\x2a\xe7\x1f\x42\x96\xa8\xf4\x27\x89\xcc\x51\xc8\xb4\xcc\x7d" "\x7d\x14\x8f\x61\x37\x5b\xf4\x26\xf3\xe8\x94\xcc\x0d\x09\x1e\xe6\x34\x53" "\xf9\x2e\x6a\x23\xaf\xec\xe1\xf8\xb5\xdd\x12\xf3\xd1\x06\xee\xa4\xcd\xba" "\xbf\xd6\x0d\xd1\x0b\xd8\x35\x1c\x9b\xc8\xa9\x57\x71\x8a\x29\x31\xf0\x1d" "\xf7\x7f\x0d\x19\x5b\x28\xfa\xbf\x92\x54\xc1\xc3\x14\x80\xcf\x37\x5c\xa5" "\xc3\xab\x83\x40\x4b\xba\x90\xe6\x14\xa3\x32\x48\x76\x0b\x54\xf5\xcb\x4b" "\x27\x45\xb9\x3f\xfe\xc1\xc4\xd7\x9a\x23\x50\x58\xba\x35\xe0\xd7\x28\xba" "\x10\x4b\xb1\x8e\x7a\x87\x39\x28\x5a\x4b\xa6\x1c\x04\x6b\x4d\xec\xbe\xa8" "\x6c\xa6\x79\xc9\xc5\x6f\x33\x26\x2b\xd3\x6a\xc8\x72\x01\x88\xd3\x02\x05" "\x65\x20\x98\x51\x84\x92\x6c\xf7\x1a\x55\xeb\x53\x66\xfb\x1a\x2c\x83\xaa" "\xa8\x32\xb2\x09\x8b\x21\xbd\x37\xd8\x28\xfe\x35\x9f\x6f\x48\x54\x0a\x06" "\x74\xe1\x9b\x41\x06\xed\x13\xc7\xeb\xb5\xc3\x02\x4a\x47\xc9\x18\xa1\xbe" "\x9b\x78\xad\x05\x53\xba\xd8\x88\x2b\xd9\x7d\xf8\xac\x66\xb7\xa1\xda\xb6" "\x16\x52\x31\x34\x4b\x4f\x05\x46\x73\x40\xd0\x09\x4d\x61\x6a\xf4\xa2\x4b" "\x52\x8b\x1b\xe7\xbf\x73\x8e\x95\xca\xf2\x97\x47\xe6\xa4\xfe\xfd\xb6\x7f" "\x1e\x7d\x81\x72\xb8\x9c\xfd\x33\x23\x0a\xb5\xd7\x96\x0e\x65\xdd\x3e\xfc" "\xda\x30\xef\x5b\xf4\xc3\x24\xa0\xe9\x22\xcd\xcf\xe7\x1d\xde\x2b\xcc\xdb" "\xc1\x61\x64\x40\x46\x2d\x4d\xbf\x90\xf4\xc3\x6c\x65\x43\xdc\x68\x81\x78" "\xe6\xbf\xf0\x06\x25\x23\xad\xde\xba\x3d\x58\x82\x2e\x3e\xbc\xea\x00\x5a" "\x1b\x66\x27\x80\x97\x6d\x87\x5d\xb5\x8d\xb7\xc9\x6b\xb5\xd6\x0b\x29\x93" "\xd7\xe0\x80\x0b\x7d\xcb\xee\x8e\x4c\x2a\x20\x68\xf2\x2e\x9f\xcc\x02\x74" "\x61\x06\xf9\x17\x00\xf1\xf1\xd0\x95\x30\x56\xcb\xfd\x9e\xac\x32\x83\xf0" "\xf5\x1d\xd6\x74\xd1\x50\xa6\x98\x51\x9a\x5b\x64\xb0\x8a\x3d\xa0\xf0\x19" 
"\xfc\xde\x0c\x6d\x57\x81\xcf\x95\x94\x07\x52\x4d\xcf\x30\xba\x9a\x2d\x72" "\x12\xdf\x69\x55\x41\x3f\x9d\xeb\x45\xd8\x5c\x61\x8b\x1a\xb7\x2b\x05\x1c" "\x73\xd6\x39\xb2\xdf\xce\x31\xc4\x39\x46\xf0\xeb\xb0\x17\x20\x81\x0a\x65" "\x3c\x59\x03\x2b\xbc\x17\xd7\xb3\x78\x53\x12\x7a\x02\xb7\x06\x90\xd2\x7c" "\xfa\x61\x03\x7d\xc7\x60\x8e\xc5\x9a\x71\xc7\xd5\xfc\x5c\x81\x40\xb7\x86" "\xdb\x74\x39\x5d\x29\xb6\xe9\xf1\xfc\x70\xbd\xa2\xd3\x84\x76\xd0\x99\xb8" "\x1c\x2d\xe8\xdf\x36\x6e\x9b\x64\x70\x1a\xc6\x1e\x13\xb8\x84\xf8\xd8\xe0" "\xe7\xa9\xb7\x9f\xb1\xfc\x78\xe7\xd3\x9d\x01\xc0\xca\x4f\xf6\x77\xde\x80" "\x05\xe2\x32\xbe\x3a\x9e\xd7\x45\xb9\x73\x44\xac\xff\x8d\x27\x63\x7f\xfb" "\x6a\xb7\x26\x1d\xfe\x93\x21\xe7\x97\xe3\x29\xdb\xa0\xfc\x1f\x85\x9a\x71" "\xcf\xff\x3f\x41\xc1\xd0\x6b\xb5\xc0\x1b\x9e\x45\xfb\x92\x91\xc4\x69\xa4" "\x09\x43\xf1\xc4\x5a\x4f\x09\x63\xbf\x50\x12\x81\x0b\x34\xde\xfa\x17\x0e" "\x67\x1e\xb9\xca\xc9\x15\xd8\x8a\xd5\x0c\x74\x80\x7e\x19\x97\x5d\x52\x4e" "\xb9\xe4\x6d\x16\xe3\x0c\x0a\xd1\xf7\xdf\x75\x62\xeb\x15\xa2\x0b\x6f\xb7" "\x0a\xb8\x0c\x91\xe6\x7f\xcb\x43\xda\xd0\xc9\x41\xb8\x52\xe4\xbe\xa4\x98" "\xc9\xea\xd9\x8f\x33\xcd\x30\x6b\x01\x9e\xcc\xf0\xad\x16\xf8\x52\x71\x06" "\x54\xbd\x58\x27\x82\x9c\x9d\xb7\x4b\xf2\xe1\x11\x24\x84\xa6\x45\x5a\xb5" "\xed\xca\xf3\x0d\xf9\x8a\x0b\x99\x03\x12\x9c\x62\x00\x01\x37\x61\xa5\x9a" "\x09\x43\x8d\x97\xa4\xaa\x48\xc1\x83\x24\xa0\x36\xfb\x7f\x20\x7c\x81\xcb" "\x00\x06\xa2\x26\x35\x6e\x46\x39\x61\x16\x98\x9d\x76\x2d\xf6\x95\xae\x06" "\xd2\x24\x7e\xf5\xc9\x24\xb0\x8f\xb2\x03\x1e\x80\x1a\x66\xd4\x85\x8d\x01" "\xf2\x56\xf0\xf5\x56\xe7\x15\xd6\xdd\xe4\xb8\x7b\x21\x3a\xff\xae\xf9\x8b" "\xe6\xec\xa7\xd3\x5f\x7a\xa2\xfc\x44\x41", 4096); *(uint16_t*)0x200000002604 = 0x1000; syscall(__NR_write, /*fd=*/r[0], /*data=*/0x200000001600ul, /*len=*/0x1006ul); }

// Entry point of the reproducer: maps the fixed-address memory that the
// generated code stores into (e.g. 0x200000001600, 0x200000002604), then
// hands control to loop().
//
// Address-space layout set up here, all MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE:
//   0x1ffffffff000  0x1000 bytes     prot 0 (no access)
//   0x200000000000  0x1000000 bytes  prot 7 (read/write/exec)
//   0x200001000000  0x1000 bytes     prot 0 (no access)
// The two no-access pages sit directly below and directly above the data
// area, so an access that runs off either end of it faults.
//
// NOTE(review): none of the mmap results are checked. If a mapping fails, the
// later stores to hard-coded addresses fault instead of reporting the cause.
// NOTE(review): the data area is writable and executable at the same time.
//
// Returns 0 once loop() returns; loop() is defined elsewhere in the file.
int main(void)
{
  // Inaccessible page immediately below the data area.
  syscall(__NR_mmap, /*addr=*/0x1ffffffff000ul, /*len=*/0x1000ul,
          /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul,
          /*fd=*/(intptr_t)-1, /*offset=*/0ul);
  // 16 MiB data area holding the buffers whose addresses are hard-coded in
  // the generated calls. MAP_FIXED replaces anything already mapped there.
  syscall(__NR_mmap, /*addr=*/0x200000000000ul, /*len=*/0x1000000ul,
          /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul,
          /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul,
          /*fd=*/(intptr_t)-1, /*offset=*/0ul);
  // Inaccessible page immediately above the data area.
  syscall(__NR_mmap, /*addr=*/0x200001000000ul, /*len=*/0x1000ul,
          /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul,
          /*fd=*/(intptr_t)-1, /*offset=*/0ul);
  // `reason` is never assigned or read here; the cast to void only silences
  // the unused-variable warning.
  const char* reason;
  (void)reason;
  loop();
  return 0;
}