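// https://syzkaller.appspot.com/bug?id=c7ac769bd7ee15549b8a2be188bcee07d98a5357
// autogenerated by syzkaller (https://github.com/google/syzkaller)
//
// Reproducer layout: a small pthread harness (thread_start / event_*) runs the
// seven system calls in execute_call() on worker threads, one call per
// iteration of loop(). Every syscall argument lives in a fixed region that
// main() maps at 0x20000000, which is why raw addresses are hard-coded below.
// The use of SYS_* names (rather than __NR_*) suggests a BSD-family target;
// the ioctl numbers and mmap flags are kept verbatim and are not decoded here.
//
// NOTE(review): the #include list was lost when this page was extracted (the
// original shows thirteen bare "#include" tokens). The headers below are
// reconstructed from the symbols the file actually uses; they are not the
// generator's literal list.
#define _GNU_SOURCE
#include <errno.h>
#include <pthread.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <time.h>
#include <unistd.h>

// Sleep for `ms` milliseconds.
static void sleep_ms(uint64_t ms)
{
	usleep(ms * 1000);
}

// Monotonic clock in milliseconds; exits the process if the clock is
// unavailable (the harness has no other error channel).
static uint64_t current_time_ms(void)
{
	struct timespec ts;
	if (clock_gettime(CLOCK_MONOTONIC, &ts))
		exit(1);
	return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}

// Start a detached-by-neglect worker thread with a 128 KiB stack.
// pthread_create is retried up to 100 times when it fails with EAGAIN
// (50 us apart); any other failure, or exhausting the retries, exits.
// The thread handle is deliberately dropped: workers are never joined.
static void thread_start(void* (*fn)(void*), void* arg)
{
	pthread_t th;
	pthread_attr_t attr;
	pthread_attr_init(&attr);
	pthread_attr_setstacksize(&attr, 128 << 10);
	int i = 0;
	for (; i < 100; i++) {
		if (pthread_create(&th, &attr, fn, arg) == 0) {
			pthread_attr_destroy(&attr);
			return;
		}
		if (errno == EAGAIN) {
			usleep(50);
			continue;
		}
		break;
	}
	exit(1);
}

// Minimal one-shot event: `state` flips 0 -> 1 on set and is cleared by reset.
typedef struct {
	pthread_mutex_t mu;
	pthread_cond_t cv;
	int state;
} event_t;

// Initialise the mutex/condvar pair; exits on failure.
static void event_init(event_t* ev)
{
	if (pthread_mutex_init(&ev->mu, 0))
		exit(1);
	if (pthread_cond_init(&ev->cv, 0))
		exit(1);
	ev->state = 0;
}

// Clear the event. Done without the mutex, as generated: callers only reset
// an event they have just observed set and that no other thread will set
// again until they hand work back (see thr / loop).
static void event_reset(event_t* ev)
{
	ev->state = 0;
}

// Set the event and wake all waiters. Setting an already-set event is treated
// as a harness invariant violation and exits.
static void event_set(event_t* ev)
{
	pthread_mutex_lock(&ev->mu);
	if (ev->state)
		exit(1);
	ev->state = 1;
	pthread_mutex_unlock(&ev->mu);
	pthread_cond_broadcast(&ev->cv);
}

// Block until the event is set.
static void event_wait(event_t* ev)
{
	pthread_mutex_lock(&ev->mu);
	while (!ev->state)
		pthread_cond_wait(&ev->cv, &ev->mu);
	pthread_mutex_unlock(&ev->mu);
}

// Non-blocking read of the event state under the mutex.
static int event_isset(event_t* ev)
{
	pthread_mutex_lock(&ev->mu);
	int res = ev->state;
	pthread_mutex_unlock(&ev->mu);
	return res;
}

// Wait up to `timeout` ms for the event; returns the final state (1 = set).
//
// NOTE(review): `ts` is built as a *relative* interval, but
// pthread_cond_timedwait() expects an *absolute* time on the condvar's clock
// (CLOCK_REALTIME here, since no condattr was set). An absolute time of a few
// milliseconds after the epoch has long passed, so each timedwait returns at
// once and the loop effectively polls current_time_ms() until `timeout`
// elapses. Behaviour is kept exactly as generated so the reproducer's timing
// is unchanged; a proper fix would add `remain` to a CLOCK_REALTIME reading.
static int event_timedwait(event_t* ev, uint64_t timeout)
{
	uint64_t start = current_time_ms();
	uint64_t now = start;
	pthread_mutex_lock(&ev->mu);
	for (;;) {
		if (ev->state)
			break;
		// Loop invariant: now - start <= timeout, so this cannot underflow.
		uint64_t remain = timeout - (now - start);
		struct timespec ts;
		ts.tv_sec = remain / 1000;
		ts.tv_nsec = (remain % 1000) * 1000 * 1000;
		pthread_cond_timedwait(&ev->cv, &ev->mu, &ts);
		now = current_time_ms();
		if (now - start > timeout)
			break;
	}
	int res = ev->state;
	pthread_mutex_unlock(&ev->mu);
	return res;
}

// Per-worker slot: `ready` is set by loop() to hand over `call`, `done` is
// set by the worker when the call has returned (and initially, so that a
// freshly created worker counts as idle).
struct thread_t {
	int created, call;
	event_t ready, done;
};

static struct thread_t threads[16];
static void execute_call(int call);
// Number of calls currently executing on worker threads; only ever touched
// through __atomic_* builtins.
static int running;

// Worker body: wait for a call, run it, report completion, repeat forever.
static void* thr(void* arg)
{
	struct thread_t* th = (struct thread_t*)arg;
	for (;;) {
		event_wait(&th->ready);
		event_reset(&th->ready);
		execute_call(th->call);
		__atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED);
		event_set(&th->done);
	}
	return 0;
}

// Dispatch calls 0..6 in order. For each call the first idle worker (creating
// workers lazily) receives it; loop() then waits at most 50 ms for that call
// to finish before moving on, so a call that blocks leaves its worker busy and
// later calls go to other workers. If all 16 workers are busy the call is
// silently skipped (the inner loop runs out without a `break`). Finally, wait
// up to ~100 ms for any still-running calls before returning.
static void loop(void)
{
	int i, call, thread;
	for (call = 0; call < 7; call++) {
		for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) {
			struct thread_t* th = &threads[thread];
			if (!th->created) {
				th->created = 1;
				event_init(&th->ready);
				event_init(&th->done);
				event_set(&th->done);
				thread_start(thr, th);
			}
			if (!event_isset(&th->done))
				continue;
			event_reset(&th->done);
			th->call = call;
			__atomic_fetch_add(&running, 1, __ATOMIC_RELAXED);
			event_set(&th->ready);
			event_timedwait(&th->done, 50);
			break;
		}
	}
	for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++)
		sleep_ms(1);
}

// Result slot shared between calls: call 2 stores the descriptor it opened
// here (if any) and call 6 passes it to ioctl. Starts as an invalid fd.
uint64_t r[1] = {0xffffffffffffffff};

// Execute one of the seven generated system calls. All pointer arguments are
// raw addresses inside the region mapped by main(); the argument buffers are
// filled in immediately before each call, exactly as the generator emitted.
// Calls 1, 3, 4 and 5 pass descriptor -1; only call 6 uses the fd from call 2.
static void execute_call(int call)
{
	intptr_t res = 0;
	switch (call) {
	case 0:
		// mknod("./bus", mode 0x2000, dev 0x4086334)
		memcpy((void*)0x200001c0, "./bus\000", 6);
		syscall(SYS_mknod, 0x200001c0ul, 0x2000ul, 0x4086334); /* major = 99, minor = 264244 */
		break;
	case 1:
		// ioctl(-1, 0x80104277, buf): a 0x10-byte header at 0x200000c0
		// pointing at a 0x30-byte, mostly-zero table at 0x20000080 whose
		// last record carries 0x210 at offset 0x28.
		*(uint32_t*)0x200000c0 = 6;
		*(uint64_t*)0x200000c8 = 0x20000080;
		*(uint16_t*)0x20000080 = 0;
		*(uint8_t*)0x20000082 = 0;
		*(uint8_t*)0x20000083 = 0;
		*(uint32_t*)0x20000084 = 0;
		*(uint16_t*)0x20000088 = 0;
		*(uint8_t*)0x2000008a = 0;
		*(uint8_t*)0x2000008b = 0;
		*(uint32_t*)0x2000008c = 0;
		*(uint16_t*)0x20000090 = 0;
		*(uint8_t*)0x20000092 = 0;
		*(uint8_t*)0x20000093 = 0;
		*(uint32_t*)0x20000094 = 0;
		*(uint16_t*)0x20000098 = 0;
		*(uint8_t*)0x2000009a = 0;
		*(uint8_t*)0x2000009b = 0;
		*(uint32_t*)0x2000009c = 0;
		*(uint16_t*)0x200000a0 = 0;
		*(uint8_t*)0x200000a2 = 0;
		*(uint8_t*)0x200000a3 = 0;
		*(uint32_t*)0x200000a4 = 0;
		*(uint16_t*)0x200000a8 = 0x210;
		*(uint8_t*)0x200000aa = 0;
		*(uint8_t*)0x200000ab = 0;
		*(uint32_t*)0x200000ac = 0;
		syscall(SYS_ioctl, -1, 0x80104277ul, 0x200000c0ul);
		break;
	case 2:
		// open("./bus", 0, 0); remember the descriptor on success.
		memcpy((void*)0x20000000, "./bus\000", 6);
		res = syscall(SYS_open, 0x20000000ul, 0ul, 0ul);
		if (res != -1)
			r[0] = res;
		break;
	case 3:
		// writev(-1, iov, 6): iov[0] = {0x20000200, 0x1000} holding the
		// 4096-byte blob below; iov[1..5] are zero-length/NULL.
		*(uint64_t*)0x20001480 = 0x20000200;
		memcpy((void*)0x20000200,
		       "\x9c\xe2\xab\x17\xbf\x69\x1a\xd5\x25\x85\xb5\xa1\x55\xce\x3a\xa1\xef"
		       "\x0b\x1e\x64\x59\x1a\x1b\xe9\xb3\x93\xea\x92\x2f\xa4\x2e\xaa\x71\x98"
		       "\xfd\xd6\x7a\xc9\xa8\xa7\x15\xf9\xac\xda\x87\x86\xd5\xde\x7a\xcc\x06"
		       "\xf8\x32\x58\x06\xc7\x13\x16\x30\x85\x23\x70\xf9\xd1\xaf\x3e\x97\x21"
		       "\x7f\xdb\x66\xd7\xf4\x9d\xb7\x31\xff\x8d\xfd\x87\x87\x74\x7e\x20\x7e"
		       "\x93\x71\x06\x8d\xd3\xc6\xdc\x44\x43\xaa\xb8\x65\xb1\x92\xae\x0f\x37"
		       "\xc1\x5b\x7f\x67\xf2\x38\x65\x3f\x21\x33\x03\x04\x59\xbc\x7e\x1b\x62"
		       "\x2e\xe8\x76\x0b\xde\x4a\xa5\x45\xfc\x3e\x6d\xb9\xbe\x82\x2a\x66\x7e"
		       "\x91\x38\x51\xd9\x7c\x94\xfc\xea\x45\x43\xd8\x53\x0e\x86\x6d\xe9\xac"
		       "\xe1\x44\xd3\x02\xac\x06\x8c\xd3\x18\x29\x3c\x69\x74\x89\xcc\x2f\x78"
		       "\xc9\x22\x68\xde\x98\xa5\x31\x36\xf6\xbf\x0c\xb5\x93\xb3\x6f\x5b\x0c"
		       "\xd6\x33\x30\x90\x7b\x0e\x4f\x06\x32\x80\x0f\x4d\x0e\xaf\x5a\xb3\x7e"
		       "\xb6\x69\x5b\xf4\x26\x4c\x4e\x63\x30\x4a\x6a\x6e\x49\x93\xf1\x45\x0b"
		       "\x84\x55\x51\x59\xdd\xf6\x10\x46\x97\x8e\x89\x32\xfd\xca\x26\x8b\x58"
		       "\x89\x37\x8f\x06\x54\x84\x59\xd2\x15\x81\xa1\x0a\x53\xba\x91\x0e\xaa"
		       "\x77\x19\xa1\x8d\xd2\x10\x0f\x32\xff\x4f\xec\x27\xd8\x61\xd7\x98\x86"
		       "\x97\x07\x9e\x8e\x0f\x25\xb8\xce\xa0\x71\xc9\xb0\x1f\x7b\xef\xd3\x53"
		       "\xcb\x2b\x68\x3e\x95\x51\xb6\x8a\x72\x18\x98\xa3\x49\x42\x96\xb0\x4b"
		       "\xcf\x42\x8c\xb9\xc8\x2f\xab\xbb\x17\x48\xf9\xe9\xfb\x7f\x85\x13\x20"
		       "\x5a\x2f\xa7\xa0\x46\x48\x59\x18\x23\xa5\x98\x29\x5f\x6f\xf5\x1e\xd0"
		       "\x74\xad\x9b\x16\x02\x12\x84\x12\x63\xc0\xf1\x6d\x7a\xc8\xef\x70\x71"
		       "\x54\xde\xb1\x07\xbd\x8f\xc1\x8f\x83\xa1\x21\x93\x81\x50\x0d\x69\x52"
		       "\x95\x15\xe0\xdc\x68\xdd\xd7\x0d\x62\xf6\x2f\x30\x3f\x02\x5b\x8f\x6a"
		       "\x00\x4f\xbe\x71\x60\x10\xe3\x41\x2b\xcf\x07\x45\x88\x16\x47\x2a\xfc"
		       "\x4e\x28\x0c\x92\x74\x5a\xc1\x79\x02\x43\xf6\x05\x8d\x2d\xcf\x3f\x61"
		       "\x4c\x53\x2f\x2b\xef\xfb\xe4\x4b\x06\x2c\x2d\x96\x3e\x10\xfc\xcb\x8e"
		       "\xb3\x58\x4c\x89\xe2\x95\xbf\x02\x3f\x58\x89\x3d\x24\xde\xba\xa9\x88"
		       "\x1c\x9b\x3c\xc6\x2e\x68\x5b\xdd\x8a\x1b\xbe\xbd\xa7\x36\x4a\xa6\xc7"
		       "\x2b\x47\x17\x0c\x64\xf3\xb4\x98\x4d\xa8\xe8\x7c\xec\xdd\xae\xef\x72"
		       "\xce\xd2\xd1\x97\xe1\x06\x96\xde\x51\xcc\x61\x10\xc9\x60\x5a\x15\x55"
		       "\xc4\x20\x1b\xa5\x3d\xf0\xa6\x24\x81\xb4\x75\x15\xe9\xd9\xbd\x8e\xcd"
		       "\x5a\x06\xa3\x3d\x67\x18\x31\xca\xb8\xcf\x04\x4e\x5b\xe0\x6a\xa3\xb6"
		       "\xc6\x3f\x99\x08\x76\xde\x80\xc5\x19\x7a\x19\x38\xb6\x95\x38\x92\x3c"
		       "\x18\x3c\x9a\x83\x81\xbf\x71\xc7\x2b\x52\x10\xcf\x0d\x1b\x80\x95\xbb"
		       "\xd3\xb0\xcc\xe5\x94\xf2\x14\x54\x3b\xcc\xc3\xc3\x8d\x7c\xe4\xbe\xda"
		       "\xc4\xb3\x69\xff\x2d\xb5\xb3\x53\x2e\x35\xe3\x1b\xc6\x41\x1b\x0d\xde"
		       "\x3a\x8e\x82\xc1\x9c\xb7\xb3\xda\xe0\x9e\x61\xe1\x79\x98\x2d\x49\x8a"
		       "\x8d\x3e\x91\x45\xf1\x50\xbf\x65\xbd\x2d\x13\xb9\x90\x57\xca\xd6\x12"
		       "\xf9\xab\x0f\x8c\xb6\xf0\x63\xac\xec\xdd\xc2\x36\x29\x71\x5a\x62\x56"
		       "\x7e\x16\x7f\x44\x94\xd1\x09\xb5\xf1\x69\x67\x29\xc5\x64\x7d\x1e\x1f"
		       "\x99\x05\x5a\x0c\x20\x71\xe2\x48\xed\x81\x63\x75\x99\xfe\x34\x5c\x12"
		       "\x28\x29\x97\x73\xd6\xa7\x61\x95\xde\xb5\x3c\x64\x58\x99\x8f\x63\xbd"
		       "\xc7\x19\x98\x6e\xbd\xe6\x99\x18\xbe\xbe\x74\xeb\x6b\x0c\x55\xc6\x88"
		       "\xd2\xc2\xe1\x38\x04\x9b\x22\x1a\x5f\xb4\x81\x3c\x4f\xdf\x88\x24\x23"
		       "\x5c\x28\x32\x5d\x50\x3c\x47\xc2\x1f\xba\x92\x94\x5d\x31\xb0\xb1\x9b"
		       "\x78\x5b\xa6\xea\xc0\x1e\x70\x0b\x68\x1e\xfb\xda\xd9\xec\xc8\x39\xae"
		       "\xfb\xf5\x57\x12\x65\x49\xa6\x39\xd7\xf0\x0f\x82\xeb\x1c\x09\x4e\x0a"
		       "\xdc\xa9\x0d\xd5\xbd\x76\x65\x3f\x7a\x12\x83\x83\x05\xc4\x3b\x5f\xc9"
		       "\x02\x14\xa2\xca\x52\xe1\x4d\xca\x59\x0a\xc0\x25\xbd\x0b\xe7\x91\x6f"
		       "\x32\x28\x83\x32\x12\x0a\xf1\x6f\x91\x52\xde\x68\x59\x45\xaa\x87\xe9"
		       "\x40\x2c\x83\xe2\x67\x36\xfc\x68\x0f\xcc\xda\x6e\x3b\xa7\x1e\x71\x91"
		       "\xea\xd3\xe5\x69\x4f\x1a\xdc\x8c\xb5\x05\xce\x69\xb2\xcd\xdf\xaa\x1c"
		       "\x03\xf3\x5d\x23\x32\x65\x68\xd2\x55\xd0\x72\xb5\xad\xa4\x01\x6c\xde"
		       "\xdb\x44\xc9\x04\x5e\x8a\xf3\x08\xa8\x54\xde\x5e\x89\xd3\xe3\x84\x9e"
		       "\x42\xa5\x67\x27\xd4\xb0\xda\x5f\x2b\x72\xf0\xe2\x91\x58\x19\xfa\xa8"
		       "\x9f\xd7\x2f\xa2\xea\x2d\xfb\x68\x24\xe7\x87\x38\x9d\x72\x00\x93\x20"
		       "\x31\x1e\x18\xbe\xcc\x11\xdf\x5d\x11\xdc\xf1\xd4\xca\x77\xb0\x3b\x1a"
		       "\xa2\xe9\xb9\x1a\x14\xf7\x3a\xe2\xe5\xeb\x1f\x8f\xfa\x6d\x7a\x6b\xcc"
		       "\x9b\x9e\x26\xfa\x64\xec\x17\xd8\x1b\x19\x4d\xdf\xeb\xbb\xcb\xc6\x26"
		       "\x98\xb6\x03\x0c\x08\x0c\xe0\xab\x30\xa6\xdf\x7e\x8b\x77\xec\x1a\x98"
		       "\x7e\x1d\xa1\x35\xa0\x46\x42\xd4\xf0\xee\xf9\xf4\xe1\xb1\x61\xdc\xa0"
		       "\x97\x5d\xa7\xad\x17\xed\xb5\xae\x1b\x64\xe9\x8a\x8e\x32\x39\x52\x1c"
		       "\x43\xba\xf7\x96\x6a\xee\x87\xca\x18\x92\x9a\x98\x9e\x87\x59\xcf\x7c"
		       "\x73\x37\x87\x98\xf1\x7b\x34\x0d\x76\xc4\xb9\x4b\xae\x4d\xdc\x48\xc3"
		       "\xbc\xb6\xad\xf0\x73\x3b\x5d\x39\xa7\x07\xfa\x32\xf3\x8f\xdc\x7f\x73"
		       "\x75\xc9\x07\xd5\xfe\x74\x1b\xbb\xcf\xec\x67\x33\x2d\x7a\x61\x50\xc4"
		       "\xda\xe6\x50\x04\x96\xdc\x4b\xe6\x41\xcd\x5b\xa8\xc9\x41\x4a\x5b\xd9"
		       "\xaa\x1c\x9e\x9e\x38\x54\x68\x38\x6c\x1f\xa8\x84\x30\xf2\x67\xe8\x20"
		       "\xfb\x84\xb8\x76\x9d\x4c\x9e\x1e\x68\x8e\x62\xae\xcd\xe9\x3f\x84\xed"
		       "\x9d\x4d\x0b\xf5\x57\x6e\x5a\x01\x23\x29\xe9\x9a\x32\x3a\xa0\xc9\x18"
		       "\x90\x56\xf9\xa2\xf3\x98\x73\x67\xdc\x10\x31\xcb\xa6\x44\xc2\x18\x28"
		       "\x5e\x53\x2b\x5d\xd8\xcd\x48\xc1\xaa\x3f\xf4\x66\x72\x2c\xf4\xc2\x30"
		       "\xd8\xe4\xf9\xf8\x5c\x2e\xf3\x58\xf6\x3e\x26\x7c\x62\x09\x08\xf5\x2d"
		       "\x6a\x62\x4e\x77\x48\x27\xb1\xcb\x3a\xb0\xc1\x32\x88\xa5\x7d\x07\x22"
		       "\xbc\xff\x4b\x12\xd7\x26\x22\x40\x4a\x75\x7b\xa4\x5d\x01\x3a\x10\x5b"
		       "\xf7\xa2\x6b\xf5\x75\x70\x35\xa5\x10\xae\xc5\xfe\x18\x91\xd2\xf8\x3a"
		       "\x09\x60\x66\x8f\xb6\x03\xbc\xdb\xd3\x24\x4b\x0c\x1c\x0a\x48\xd4\xb2"
		       "\x47\xf9\xf2\x85\x63\x54\x52\x0d\x48\xaa\xc8\xa7\x51\xa7\xca\xa7\x0f"
		       "\x03\xdc\xd3\xb5\x55\xdf\xd9\xf3\xd6\x6d\x58\x22\x6a\x60\x68\x92\xd4"
		       "\x18\x95\x52\xe6\x4c\x73\xb8\x83\xec\xfe\xe8\xdc\xa7\xd7\x7f\x39\x98"
		       "\x00\x03\x79\xcd\xaa\x06\xcf\xbb\x6b\x57\xb8\x96\xab\x4f\x35\xc7\x40"
		       "\x91\xe5\xd4\x70\xf3\xfa\x4e\xf4\xa7\x98\x25\x16\x2e\x22\xd1\x73\xb6"
		       "\x0d\x80\x20\x27\xf5\xa6\x5e\x36\x03\x4a\x1b\x66\x84\x72\x4f\x20\x19"
		       "\x50\x10\x5c\x18\xb0\xbc\xd7\x6d\xfd\xa8\x7e\x71\x87\x45\x94\x32\x3b"
		       "\x01\x48\x4e\x11\x81\x5e\x71\x5b\x2a\x4f\x20\xd1\xe1\xf6\x6d\x71\x97"
		       "\xf8\x8e\xbc\x9c\x47\x35\xd7\xb3\x47\xce\xb0\xd3\xda\x5e\xbd\x83\x30"
		       "\x4e\x8d\xbe\x09\x6f\xce\x07\xae\x0e\xfa\x82\xc2\xb6\x7a\x2a\x2b\x68"
		       "\x42\x3a\xdf\xe0\x62\xa7\x36\xfa\x8e\x8a\xea\x11\x6a\x65\x89\x18\xf4"
		       "\x95\x41\xb6\x4e\xc9\xce\xe3\xa0\xfd\xf7\xaa\x04\x57\xa6\xd2\x0d\x54"
		       "\xb7\x5e\x6b\xf7\xcb\x26\x86\x3a\x9f\x1e\x34\x60\x74\x2d\x0c\xa4\xdc"
		       "\xd2\x97\x5e\x77\x85\xc8\x09\xb4\x99\x63\x70\x23\x44\x35\x30\xdd\xfa"
		       "\x88\xf2\x0b\x90\xdc\xfd\xa8\xd3\x18\x10\x42\xe6\x2f\x36\xa9\x90\xc5"
		       "\x4c\xe9\xbe\x78\x6c\xa8\xd8\x86\x52\x83\x60\x66\xaf\x05\xc4\x62\xe9"
		       "\xa9\x81\xdc\xd8\x70\x82\xe3\x4c\x7b\xc3\x16\x95\x42\xf0\xce\xc5\x0b"
		       "\xfb\x1a\xb5\xee\xcf\xa2\xbe\xc5\xae\xa2\x33\x7e\xbb\x21\x64\x75\x9a"
		       "\xe0\xf8\x41\x82\x8d\x2c\xf1\x44\xfb\xd9\x18\x80\x5b\xc5\x78\xb4\xda"
		       "\xdf\x43\xd7\x69\xbc\xa4\xfa\xb0\x6c\xcc\x33\x59\x2e\x08\xf6\xe3\xde"
		       "\x2e\x46\x94\xef\xd4\xdc\x84\xdd\x27\xe0\xea\x42\x59\xe9\x19\x68\xde"
		       "\xa4\x95\x4a\x38\xb9\x8f\x3e\xfd\xbd\x5c\x1a\x98\xd9\xbb\xfa\xe7\x12"
		       "\x94\x85\x1d\xd2\xdd\x6a\x07\x86\xba\xda\xf0\x42\x2d\x3d\xf2\x85\xa6"
		       "\x76\x5f\x82\xf5\x19\x7c\x91\x65\xeb\x06\xce\x93\x47\xaa\xfd\x42\x70"
		       "\x0b\x13\x49\x8c\x89\xaf\x69\x05\x2e\xa8\x1f\x74\xae\xc1\xaf\xc2\x19"
		       "\x0d\x99\x73\x00\xd6\xcb\x76\xd0\xf0\x59\x55\x5b\x6d\xd2\x19\xc8\x64"
		       "\xbc\xab\x73\x4c\xff\x0a\x2b\x67\xed\xf6\x72\x0a\x0c\xee\x1e\x00\xb6"
		       "\x41\x33\x60\x1e\xdd\x2b\x7d\xb1\x8a\x3c\x7c\x98\xa1\xa5\xb2\xc7\x65"
		       "\xc3\x12\x60\x8f\x20\xb5\xc1\xb8\x75\x3f\xe8\x4c\xf0\xca\x27\xaf\x97"
		       "\x75\x46\xfe\x3a\x87\xb6\x94\xb0\xf8\x5c\x7c\x99\x81\x97\x61\x8d\xb6"
		       "\xc8\xd0\xb3\xb5\xd0\xd1\x63\x1b\xff\x0d\xd2\x72\xbf\x13\x2f\xa2\xed"
		       "\xf3\x3f\x41\xb4\xb7\x92\x24\x3a\x8f\x5b\x79\x8e\xd0\x11\x54\x3b\xaa"
		       "\x10\x5a\x4d\x16\x88\x32\xb4\x6b\xf1\xf8\xca\x39\x51\x41\x3b\xe1\x9d"
		       "\x31\x1e\x5b\xff\x64\x4a\x47\x1b\xc6\xe9\xb3\x8f\x76\x5d\x8d\x59\xeb"
		       "\x0b\x16\x9e\x51\x30\x53\x2a\x0a\xd5\xce\xd2\x53\x8a\xbc\x2c\x07\x6b"
		       "\xdd\x9b\x1f\xaa\x8e\x08\xb0\x16\xbb\xb5\xa1\xe5\xa0\x27\xfb\x7b\x46"
		       "\x32\x80\x53\xdc\x9a\x9d\x83\xd6\x84\xf2\x87\xf9\x45\x36\xbc\xce\xbd"
		       "\xbd\x7e\x88\x21\xa6\x12\xb2\xa9\x5d\x26\xee\xef\xb0\x6f\x0d\xe1\x34"
		       "\x85\x4d\x08\x0a\xd0\xc5\x46\xae\x5d\x3a\x14\x89\x42\x31\xb7\xc0\x2f"
		       "\xac\x45\x1b\xed\x4c\xd2\x12\x3d\xb4\x21\xce\x0e\x24\x2c\x7e\x6e\x35"
		       "\x6a\x5a\x08\xf0\x24\xaf\xc5\x97\x27\xff\x1c\xd5\x82\x2e\xe1\xd6\xb7"
		       "\xc0\x6b\xd0\x76\x4a\xf2\x31\xfa\x43\x3f\x7a\x6e\xac\x7d\x2f\x31\x79"
		       "\x20\x93\x19\x71\xf4\x7e\x7c\xb2\xac\x81\x28\xad\x0c\x54\x3d\x30\x81"
		       "\x14\xb2\x8f\x8a\x6d\xfd\xfc\x5f\xa7\xf7\xae\x13\x90\x30\x61\x4f\x0f"
		       "\x9b\x9b\xc5\xa7\x5e\xd0\x89\x9b\x17\x32\xc2\x18\x9b\x7e\x89\x30\x1e"
		       "\x66\x7c\xf4\x0d\x35\x0a\x79\x4a\x2a\x23\x88\xe4\xdb\xbc\x77\x41\xf0"
		       "\x5d\xff\xcb\x42\x40\xba\xe2\xcd\x81\x88\x25\xc7\x07\x01\xca\x7e\x6b"
		       "\xbc\xd6\xdf\x3f\xab\x61\x96\x7c\xe1\x62\x69\xcd\x46\x2f\x7c\x4b\x07"
		       "\xd1\x97\x95\xec\x35\xbd\x92\x29\x99\xfe\x9d\xa6\x0b\xe9\xa0\xb2\x66"
		       "\x66\x3b\xd3\xf4\x62\xd5\x6e\x8b\x51\xf7\xc6\xad\x17\x68\x69\x1d\x36"
		       "\xe8\xb4\xe9\xb6\x61\x72\x39\x59\x41\x7e\x5e\x97\x9f\x73\x7a\xa4\x74"
		       "\x13\xb6\x22\x72\x2e\xee\x6e\x5f\x1c\x7f\x17\x8a\x8f\x22\x03\xd4\xeb"
		       "\xc8\x15\xcd\xcf\xa0\xb1\x32\xc6\xc7\x53\xb8\x92\xf5\x60\xec\xab\x9d"
		       "\x60\x7b\x43\x36\xc4\xda\x91\x6d\xcb\xc1\x9b\x89\xcf\xa9\xb0\x90\x6e"
		       "\x60\x77\x91\x04\xe3\xe9\x46\xa2\x73\xd6\xee\xee\x68\x86\x09\x21\x7c"
		       "\xd4\xa6\xf6\x88\xba\x80\x2b\x40\x45\xaa\x04\xac\x3c\x6a\xc1\x6e\x42"
		       "\x12\xef\x37\x2f\xd1\x0e\xf1\x1f\x81\x40\x68\xfa\x7a\x17\x79\x1a\x90"
		       "\x47\xff\x68\x8d\xd3\x65\x8a\x0b\xb6\x3d\x26\x8c\x03\x31\x9a\x01\x0e"
		       "\xe3\x27\x19\xd3\x4b\xe5\xc0\xaa\xf0\x9f\x07\xce\x24\x6b\xd7\x32\x4a"
		       "\xfd\xa6\x17\x7a\x91\x3c\x90\x43\x0a\xa5\x39\x1e\x1e\xa3\x7a\xee\xd8"
		       "\xbe\x04\xa0\xf4\x4f\x7d\x44\x37\x5d\xc6\xf4\xdc\x25\x35\xf1\x89\x06"
		       "\xea\xdc\x4d\xe5\x66\x8b\x66\xe6\x1d\x43\xeb\xec\xa0\x87\x30\xc3\x41"
		       "\xfb\x88\x66\xb8\x38\xb3\xc4\xef\xbc\xa0\x88\xdb\x08\x3b\x62\xe8\x5b"
		       "\x96\x3a\x87\x69\x7c\x27\xf9\x38\x21\x93\x2a\xce\x90\x58\x8f\x0c\x6b"
		       "\xbd\x92\x50\x0a\x2c\x1d\x0a\x82\xf3\xc0\xad\x35\x1c\x51\xe7\xdb\x3a"
		       "\x1c\xfb\xeb\xcc\x51\xde\x6e\xf0\x23\xb2\x84\x7d\x76\xe8\x1c\x1e\xed"
		       "\x08\x4c\xd0\xe8\xc3\x34\xe5\xf8\x6d\x70\x20\x4c\x8a\xdf\xb5\x2e\x5b"
		       "\x06\x38\xf0\xb2\xcd\xa7\x7c\x3f\x71\x70\xbb\xc2\x9b\xea\x6f\x1a\x5d"
		       "\x1e\x7d\x81\xbe\xc8\x6a\xea\x84\x08\x02\x34\x56\xc4\x14\xbb\xeb\x10"
		       "\xe8\xa7\x97\x09\x1f\x77\x69\x07\xcb\x58\x1b\x87\x94\xe6\x48\x01\xc1"
		       "\xc1\x8a\x81\x66\xd2\xb6\x3c\xd1\x5e\x9f\xde\x59\xcc\x04\xa5\xb3\xaf"
		       "\x84\x85\xbd\xb1\x3d\x5b\x65\xcb\x68\x41\x25\x4a\xdf\xbd\xbe\x9e\x08"
		       "\xe0\x96\xc6\xbc\x22\x58\x08\x36\x56\x3d\x0f\x25\xb8\xf8\x9f\x9b\xc0"
		       "\xa3\xf9\xa8\xc6\xb3\xc1\x54\x3b\x7a\xc4\x1e\x5b\x12\x50\x39\xa5\xd2"
		       "\xd4\x29\xd6\x77\x0d\x5f\x6e\x03\xdb\xa7\x5f\x37\x7b\x69\x87\xc4\x7f"
		       "\x1c\x10\xe3\xcc\x9b\x5f\x4b\xb5\x70\x89\x13\x6f\x89\x78\xab\x6b\x12"
		       "\x87\x83\x9c\xc7\xf3\x6b\x53\xc7\x66\x3e\x9d\xac\x9d\x91\x05\x68\xd4"
		       "\xf8\x1b\xd7\x91\x24\xe0\xfa\x12\x63\x4c\x75\x64\x0d\x34\xa0\xa1\xb8"
		       "\xbf\x77\x3b\x12\x3a\x61\x60\xd1\x44\xf9\xd1\x0a\xf0\xba\xca\xec\x56"
		       "\x59\x93\x99\x2f\x60\x2a\x3b\x8a\x69\x83\xe2\x39\x69\x2b\x1e\x36\x6a"
		       "\x3c\x46\x2e\x68\x3d\xef\x35\xa5\x00\x7d\xf1\xcc\x9b\x99\x46\xf4\x10"
		       "\x45\x95\x45\x15\xef\xd9\xc3\x4a\xad\x9a\xf4\x75\xda\x75\xb4\x5e\x5f"
		       "\xa7\xea\x1a\x51\x71\xe9\xfb\xec\xfa\x37\xef\x8c\x08\x61\xbe\xf5\xd9"
		       "\xbd\x9d\xb4\xd2\x15\x36\x74\xc2\x6e\xee\xbb\xc2\x94\x32\x7f\x5c\x4f"
		       "\x1a\xb0\xa6\x1a\xbd\x65\x11\xf6\x6d\xa8\xb5\x9a\xbd\xff\xe7\xb0\x4e"
		       "\xe5\x57\x33\xe8\x00\xe6\x25\x80\x6f\x34\x75\x52\x6f\x48\xcf\xff\x63"
		       "\x34\xfa\xe4\xc2\xe5\x31\x4d\xdc\x45\xd8\x44\x52\x6d\x82\x26\x18\xe2"
		       "\x9e\xf3\xe5\xd9\x31\x55\xe5\xf5\xee\x6b\x15\x11\x13\xf5\x8a\x8e\x3e"
		       "\xba\x12\x5c\x8e\x0f\xda\xeb\xfd\x96\x42\xe9\xad\x85\x34\x3b\xd6\x5f"
		       "\x9a\x34\x67\x74\x88\x4f\x4a\x24\xe5\x2a\x55\x8d\xbb\x89\xe2\x3e\x89"
		       "\xbb\x1a\xcc\x4a\x4d\xfc\x4e\xd7\x89\xe5\xc8\xdc\x0b\x22\x5f\x0f\x7f"
		       "\xff\x47\x51\x29\x76\x9f\x0c\x88\x20\x31\xf7\x56\x81\x79\xb0\xdb\x3c"
		       "\x21\x79\xa2\x1d\x08\x5c\x66\xcd\xde\xdf\x59\x2e\xf3\x9c\xfa\x92\x3b"
		       "\x3a\x83\x26\x8d\xcf\x4b\x6d\xfd\x43\xfe\x4d\x83\x47\x35\x4e\x74\xed"
		       "\x9e\x7f\x21\x2b\xb1\x41\x30\x84\x3d\x1b\x2c\x1b\x08\x96\xd2\x45\x7e"
		       "\x93\xe9\xd7\xa3\xd4\x9a\x49\x59\x2d\xe3\x71\xbb\xf7\x6e\xcb\x12\x86"
		       "\xe7\x81\x7e\x8c\x2e\x32\xcb\x5b\xda\xf2\x07\xf7\xb6\x77\xe6\x2b\x5b"
		       "\x9b\xab\x7b\x63\x59\xda\xc6\x63\xd1\xdd\x5e\x35\x70\x63\xdb\x6d\x97"
		       "\x12\x6c\xda\xd7\xf2\xf9\xc4\x03\x28\x5c\x1f\x4b\x22\x42\xe9\x27\x71"
		       "\x01\xb7\xd6\xd6\x65\x3f\x05\x05\x1b\xfd\xfa\x27\x7f\x27\x83\x8a\x88"
		       "\x6c\x24\x33\x9a\xdb\x6a\x9a\x2d\x48\x55\x83\xf0\xb7\xb8\xeb\xb3\x01"
		       "\x2d\x54\x47\x56\x9b\x85\x64\x9b\x69\x8c\x53\x63\x5a\xbc\x18\xb7\xc2"
		       "\x97\x19\xf3\x51\x33\x06\x7d\xd7\xbb\xfa\x06\xa0\x58\xa5\x73\xd8\xe5"
		       "\x89\x1a\x32\x56\x4a\xec\x18\x81\xdf\x5e\x85\x72\x2f\x90\x77\x49\x56"
		       "\xa8\xa4\x97\x65\x91\x43\x31\xb0\x12\x52\x2e\xf9\x96\x2d\xcb\x45\xf6"
		       "\xd6\x03\x3b\x33\xcc\xa3\xd6\xdf\x0a\x2e\x2c\x16\x4e\x45\x0b\x49\x10"
		       "\x3f\xf8\xeb\x2a\xea\x2b\x55\x1a\xdb\x2f\x99\x77\x60\x90\xdf\x11\x4d"
		       "\xda\x65\x13\xb9\x6a\x9c\xea\xec\x45\xde\xcf\x00\x36\x18\x40\x6c\xfd"
		       "\x95\x29\xb0\xf8\x5b\x17\x81\x1f\xc6\x7e\x7a\x19\xd1\xec\x45\xc0\x46"
		       "\xfd\x8e\xbf\xa1\x52\xee\xa6\x7f\x4e\x7d\xa3\x20\x58\x71\x0b\xc5\x82"
		       "\x4d\x0d\x82\xfd\xd3\x11\x79\xab\xee\xc4\xe0\xab\x37\x18\x79\x9e\xe0"
		       "\xde\xde\x9f\x47\x2c\xe8\x09\xd3\xd2\xd9\x4e\x84\x43\x7b\x0a\x93\x06"
		       "\xf2\x3b\x48\xe4\xca\xcc\xde\x69\xed\xdf\x5b\xdb\xf0\xd2\x4f\x78\x50"
		       "\x3b\x95\xbd\xdf\xaf\xce\x3f\xd4\x98\x72\x7f\x17\xf5\xe7\x9e\xee\xa8"
		       "\xf8\x73\x3d\x1f\xd0\xc3\x04\xb4\xbe\xf2\x48\x76\xa4\xb6\xdc\x18\x88"
		       "\x9c\x3c\x41\x3f\x5a\x48\x79\x6f\x31\x39\x34\x64\x63\xc6\x56\xeb\xc8"
		       "\x77\xa2\xca\x34\x18\xcc\x37\x36\xc6\x8e\x49\x94\x35\x4c\xfe\x00\xa3"
		       "\xda\xf1\x9e\xf5\xf0\x8f\xfa\x3e\x10\x1d\xea\xb2\x0b\x45\xd7\x6a\x28"
		       "\xac\x93\x06\xed\x89\x23\x92\x86\x39\x7a\xf0\xe0\x5d\xf6\x5a\x45\xee"
		       "\x1c\xfe\xdd\xa0\x44\x06\xaf\xac\xb4\x5f\xba\xd5\x8d\xe0\x37\x92\x06"
		       "\xbc\xba\x9a\x04\x0d\x46\xde\xee\xb0\xfa\x02\x7d\xdf\xed\x60\xb4\x46"
		       "\xdd\xfb\x84\xab\x68\x42\xf5\x46\x28\xd9\x2d\x8f\x4b\x49\x2a\xce\x2e"
		       "\x42\x8c\xd5\x30\x02\x2e\x7e\xc3\x9c\x01\x47\x7b\x16\x54\x75\xb9\x42"
		       "\xa3\xc0\x5b\x02\x25\x80\xad\xfd\xe2\xd0\x6d\x0d\xba\x49\x74\xce\x7c"
		       "\xd8\x81\x26\x47\x3b\x45\xc5\x07\x53\x01\x54\xd9\xb4\x05\x54\xb9\x48"
		       "\x96\x48\xb3\xa5\xcb\xa7\x7b\x62\x09\x31\xbb\x2d\xdb\x72\x3d\x55\x12"
		       "\x7e\x9b\xe4\x0c\xe2\x9c\xed\x84\xcd\x4e\xd4\x5f\xab\x7e\x69\xa2\x15"
		       "\x80\xeb\x66\xbf\x79\x24\x3f\x8b\x4c\x82\xb4\x8b\xa5\xbc\x1e\x28\x9b"
		       "\x62\x59\x08\x26\xc4\x24\xfb\xd1\x05\xe7\x72\x97\x15\x74\xf9\xdc\x47"
		       "\x9c\xa9\x93\x01\xdd\xfd\x52\x86\x09\xe6\xe6\x6c\xb5\x74\x09\xca\xa0"
		       "\xea\x28\xf8\x7a\x3a\xfd\xde\x0c\x4a\x91\x38\xc7\x09\x8e\x8d\x80\xed"
		       "\x23\xe6\x96\x6f\x23\xcb\x03\x71\xdd\xfd\x4b\xbb\x4c\xe5\x44\xe2\x1a"
		       "\xfa\x43\xfe\xa4\x26\x1f\xc4\xee\xad\xad\xba\xa4\x2f\xe0\xc8\x61\x5a"
		       "\x7d\xa1\x54\x70\xd2\x4f\xc4\x6b\xa1\xec\x8a\x81\xc4\x77\x1f\xae\x5d"
		       "\x22\x70\x97\x2e\x4a\xa9\x6f\xb5\xc9\x22\xa2\x62\xe1\x14\xcc\x31\xab"
		       "\x2e\x22\x03\xf8\x9e\x3f\x2d\x2e\xd3\x37\xe9\x43\x41\xb2\x13\xd1\x6d"
		       "\x71\x57\xe8\xe2\x59\x91\x36\x95\xa7\x9b\xae\x03\xab\x33\x35\xb6\x50"
		       "\xcc\x41\x96\xee\x37\xbc\xa5\x50\x03\x41\x91\xf0\x27\x65\x3d\x7b\x01"
		       "\x34\xbf\x64\x90\x2b\x09\xce\xd6\x68\x0f\xda\x2d\x04\x30\x86\xcc\x03"
		       "\x2f\xbb\x41\x3a\x60\xaa\xf2\xdd\x8d\x59\x19\xc4\xb6\x5f\xe0\xda\x5f"
		       "\xbf\x09\x31\x39\x99\x69\x3e\x5b\x34\x1f\x47\x4a\xb0\xb7\x41\x87\x86"
		       "\xec\x6d\x27\xbe\xd3\xf8\xbe\xca\xa8\x14\x7a\xcc\x6c\xd4\x5e\x67\x3f"
		       "\x3e\xd4\xb5\xc0\x3b\x7b\x14\x4e\x15\xad\x60\x22\x3a\x11\x92\x22\x0d"
		       "\xb1\x6a\xd7\xac\x9e\x49\x24\x75\xa3\x8d\xef\xb2\x20\xce\x6c\x16\x84"
		       "\xb3\xe3\x78\xcf\xa4\x3e\x3d\xcc\xbe\x4b\xa7\xb9\x95\xa4\x34\x9a\x2f"
		       "\x35\x42\x28\xe1\x7f\x81\x1d\xaa\xf8\x15\xab\x68\xba\xc3\xf7\x07\x9d"
		       "\xb1\x63\xd3\xe6\x3f\x1b\xa9\x15\x24\xc4\x30\x18\xa5\xe8\x2d\xd5\xad"
		       "\xd6\x2c\xb9\x68\x48\x71\x50\x46\xed\xe8\x90\x51\xae\x87\x2d\x28\xad"
		       "\xe6\xd8\xac\xeb\x84\x82\xfb\xb5\xc0\xfc\x25\x0b\xe0\xc4\x9e\xa7\x11"
		       "\x29\xbd\x75\xed\xe2\x52\x66\xb9\x52\x3f\xda\x32\x7a\x38\xb5\x3e\x7f"
		       "\x20\x26\x24\x55\x21\x92\x1f\x14\x6b\xa5\x3b\x2a\xfe\x1e\x56\x0b\x8b"
		       "\xf3\xa7\x91\x35\x32\xd3\xa3\x91\xf5\x2a\x22\xb1\xbb\xe4\x7c\x47\xe9"
		       "\x3a\xa8\x8d\xaf\x71\xa3\x25\x6c\xe2\xa5\x9c\x51\xde\x9c\xd2\x2a\xa7"
		       "\xdf\xc7\x7f\xa7\x0b\x21\x6f\xb0\x95\xda\xac\xba\x9c\xba\x6b\x2b\x04"
		       "\x25\xc6\x46\x9d\x0a\x1c\xe9\x2c\xcd\xc3\x54\xc9\x4a\x02\x0e\x27\x11"
		       "\x09\xde\x68\xf5\x99\x1b\x80\x80\xbd\xc4\xeb\x1f\x80\x71\xf9\xe5\xe7"
		       "\xa6\x9e\xf7\xe2\x33\x9b\xe6\x1e\x49\x94\xd4\x8d\x27\xab\x3c\xec\xf0"
		       "\xc8\xe2\xb4\x50\x98\x00\x88\x09\x14\xd2\xe2\xa8\x0f\xf8\xa9\x8f\x6a"
		       "\x6e\xbc\x97\x51\xc2\x83\xf7\x2a\xa2\x8b\x66\xa3\xc5\xfb\x6c\x94\x47"
		       "\x8d\x5f\x67\xba\x7c\x0b\x57\xdf\xbf\x18\x5b\x6b\x8a\xa1\xf5\xb4\x52"
		       "\xc9\x78\xeb\xcc\xd0\xf8\x18\xf1\xd2\x12\x04\xf0\x50\xdd\x58\xd9\x66"
		       "\xd6\xb1\xa4\x31\x12\x3a\xae\xf9\x1d\x35\x6b\xbe\xe6\x55\xa7\x03\xea"
		       "\x3a\x9e\xe7\xa1\x35\x13\x7a\x54\x94\x8e\x66\x46\x99\x91\x4f\xed\x4f"
		       "\xd1\x15\xb8\x06\xeb\xfd\xfd\xf5\x03\x0b\x11\x2b\xb4\x08\x90\x53",
		       4096);
		*(uint64_t*)0x20001488 = 0x1000;
		*(uint64_t*)0x20001490 = 0;
		*(uint64_t*)0x20001498 = 0;
		*(uint64_t*)0x200014a0 = 0;
		*(uint64_t*)0x200014a8 = 0;
		*(uint64_t*)0x200014b0 = 0;
		*(uint64_t*)0x200014b8 = 0;
		*(uint64_t*)0x200014c0 = 0;
		*(uint64_t*)0x200014c8 = 0;
		*(uint64_t*)0x200014d0 = 0;
		*(uint64_t*)0x200014d8 = 0;
		syscall(SYS_writev, -1, 0x20001480ul, 6ul);
		break;
	case 4:
		// sendmsg(-1, msg, 0): an all-zero msghdr at 0x20000180 except for
		// the 0x210 stored at offset 0x28.
		*(uint64_t*)0x20000180 = 0;
		*(uint32_t*)0x20000188 = 0;
		*(uint64_t*)0x20000190 = 0;
		*(uint64_t*)0x20000198 = 0;
		*(uint64_t*)0x200001a0 = 0;
		*(uint64_t*)0x200001a8 = 0x210;
		*(uint32_t*)0x200001b0 = 0;
		syscall(SYS_sendmsg, -1, 0x20000180ul, 0ul);
		break;
	case 5:
		// write(-1, 9 opaque bytes, 9)
		memcpy((void*)0x20000040, "\x34\xcf\x36\x2b\x3c\xe9\xc9\x3d\x7f", 9);
		syscall(SYS_write, -1, 0x20000040ul, 9ul);
		break;
	case 6:
		// ioctl(r[0], 0x82907003, &one) on the descriptor from call 2.
		*(uint32_t*)0x20000040 = 1;
		syscall(SYS_ioctl, r[0], 0x82907003ul, 0x20000040ul);
		break;
	default:
		// Unreachable: loop() only dispatches 0..6.
		break;
	}
}

// Map the 16 MiB argument region at the fixed address 0x20000000 (prot 3,
// flags 0x1012; these numeric values are target-specific and kept as emitted)
// and run the generated program once.
int main(void)
{
	syscall(SYS_mmap, 0x20000000ul, 0x1000000ul, 3ul, 0x1012ul, -1, 0ul);
	loop();
	return 0;
}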