// https://syzkaller.appspot.com/bug?id=4595bc1e3e8359e51a86748af853247f2866d174 // autogenerated by syzkaller (http://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include static void execute_one(); extern unsigned long long procid; void loop() { while (1) { execute_one(); } } struct thread_t { int created, running, call; pthread_t th; }; static struct thread_t threads[16]; static void execute_call(int call); static int running; static int collide; static void* thr(void* arg) { struct thread_t* th = (struct thread_t*)arg; for (;;) { while (!__atomic_load_n(&th->running, __ATOMIC_ACQUIRE)) syscall(SYS_futex, &th->running, FUTEX_WAIT, 0, 0); execute_call(th->call); __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED); __atomic_store_n(&th->running, 0, __ATOMIC_RELEASE); syscall(SYS_futex, &th->running, FUTEX_WAKE); } return 0; } static void execute(int num_calls) { int call, thread; running = 0; for (call = 0; call < num_calls; call++) { for (thread = 0; thread < sizeof(threads) / sizeof(threads[0]); thread++) { struct thread_t* th = &threads[thread]; if (!th->created) { th->created = 1; pthread_attr_t attr; pthread_attr_init(&attr); pthread_attr_setstacksize(&attr, 128 << 10); pthread_create(&th->th, &attr, thr, th); } if (!__atomic_load_n(&th->running, __ATOMIC_ACQUIRE)) { th->call = call; __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED); __atomic_store_n(&th->running, 1, __ATOMIC_RELEASE); syscall(SYS_futex, &th->running, FUTEX_WAKE); if (collide && call % 2) break; struct timespec ts; ts.tv_sec = 0; ts.tv_nsec = 20 * 1000 * 1000; syscall(SYS_futex, &th->running, FUTEX_WAIT, 1, &ts); if (running) usleep((call == num_calls - 1) ? 10000 : 1000); break; } } } } uint64_t r[2] = {0xffffffffffffffff, 0x0}; void execute_call(int call) { long res; switch (call) { case 0: memcpy((void*)0x20002840, "./file1", 8); syscall(__NR_open, 0x20002840, 0x100, 0x10); break; case 1: memcpy((void*)0x20000000, "./file0", 8); res = syscall(__NR_openat, 0xffffff9c, 0x20000000, 0x40, 0x20); if (res != -1) r[0] = res; break; case 2: *(uint64_t*)0x20002480 = 0x20000040; *(uint16_t*)0x20000040 = 1; memcpy((void*)0x20000042, "\x2e\x2f\x66\x69\x6c\x65\x30\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", 108); *(uint32_t*)0x20002488 = 0x6e; *(uint64_t*)0x20002490 = 0x20002400; *(uint64_t*)0x20002400 = 0x200000c0; *(uint64_t*)0x20002408 = 0; *(uint64_t*)0x20002410 = 0x20000100; *(uint64_t*)0x20002418 = 0; *(uint64_t*)0x20002420 = 0x20000200; *(uint64_t*)0x20002428 = 0; *(uint64_t*)0x20002430 = 0x200002c0; *(uint64_t*)0x20002438 = 0; *(uint64_t*)0x20002440 = 0x20000380; *(uint64_t*)0x20002448 = 0; *(uint64_t*)0x20002450 = 0x20001380; *(uint64_t*)0x20002458 = 0; *(uint64_t*)0x20002460 = 0x20002380; *(uint64_t*)0x20002468 = 0; *(uint64_t*)0x20002498 = 7; *(uint64_t*)0x200024a0 = 0; *(uint64_t*)0x200024a8 = 0; *(uint32_t*)0x200024b0 = 0x10; syscall(__NR_sendmsg, r[0], 0x20002480, 0x10); break; case 3: *(uint64_t*)0x20004040 = 0x20003e00; *(uint32_t*)0x20004048 = 0x80; *(uint64_t*)0x20004050 = 0x20003fc0; *(uint64_t*)0x20003fc0 = 0x20003e80; *(uint64_t*)0x20003fc8 = 0xf8; *(uint64_t*)0x20003fd0 = 0x20003f80; *(uint64_t*)0x20003fd8 = 0x28; *(uint64_t*)0x20004058 = 2; *(uint64_t*)0x20004060 = 0x20004000; *(uint64_t*)0x20004068 = 0x15; *(uint32_t*)0x20004070 = 0x7fffffff; res = syscall(__NR_recvmsg, r[0], 0x20004040, 0); if (res != -1) r[1] = *(uint32_t*)0x20003e04; break; case 4: *(uint64_t*)0x20004940 = 0x20002900; *(uint16_t*)0x20002900 = 0x10; *(uint16_t*)0x20002902 = 0; *(uint32_t*)0x20002904 = 0; *(uint32_t*)0x20002908 = 0x1088000; *(uint32_t*)0x20004948 = 0xc; *(uint64_t*)0x20004950 = 0x20004900; *(uint64_t*)0x20004900 = 0x20004080; *(uint32_t*)0x20004080 = 0x868; *(uint16_t*)0x20004084 = 0x25; *(uint16_t*)0x20004086 = 0x600; *(uint32_t*)0x20004088 = 0x70bd29; *(uint32_t*)0x2000408c = 0x25dfdbfb; *(uint8_t*)0x20004090 = 0; *(uint32_t*)0x20004094 = r[1]; *(uint16_t*)0x20004098 = -1; *(uint16_t*)0x2000409a = 0xe; *(uint16_t*)0x2000409c = 0; *(uint16_t*)0x2000409e = -1; *(uint16_t*)0x200040a0 = 6; *(uint16_t*)0x200040a2 = 0xffe0; *(uint16_t*)0x200040a4 = 8; *(uint16_t*)0x200040a6 = 1; memcpy((void*)0x200040a8, "cbq", 4); *(uint16_t*)0x200040ac = 0x834; *(uint16_t*)0x200040ae = 2; *(uint16_t*)0x200040b0 = 0x10; *(uint16_t*)0x200040b2 = 3; *(uint16_t*)0x200040b4 = 1; *(uint16_t*)0x200040b6 = 7; *(uint32_t*)0x200040b8 = 0x8000; *(uint32_t*)0x200040bc = 5; *(uint16_t*)0x200040c0 = 0x404; *(uint16_t*)0x200040c2 = 6; *(uint32_t*)0x200040c4 = 0xe167; *(uint32_t*)0x200040c8 = 9; *(uint32_t*)0x200040cc = 1; *(uint32_t*)0x200040d0 = 7; *(uint32_t*)0x200040d4 = 0xffff8000; *(uint32_t*)0x200040d8 = 0xbd8; *(uint32_t*)0x200040dc = 0x40; *(uint32_t*)0x200040e0 = 8; *(uint32_t*)0x200040e4 = 1; *(uint32_t*)0x200040e8 = 3; *(uint32_t*)0x200040ec = 3; *(uint32_t*)0x200040f0 = 8; *(uint32_t*)0x200040f4 = 6; *(uint32_t*)0x200040f8 = 7; *(uint32_t*)0x200040fc = 0x2a9f5e26; *(uint32_t*)0x20004100 = 0xff; *(uint32_t*)0x20004104 = 0; *(uint32_t*)0x20004108 = 0x6e55; *(uint32_t*)0x2000410c = 0x20; *(uint32_t*)0x20004110 = 0xffffff7f; *(uint32_t*)0x20004114 = 1; *(uint32_t*)0x20004118 = 7; *(uint32_t*)0x2000411c = 0; *(uint32_t*)0x20004120 = 0x3e; *(uint32_t*)0x20004124 = 0; *(uint32_t*)0x20004128 = 0x100; *(uint32_t*)0x2000412c = 0x20; *(uint32_t*)0x20004130 = 0x1000; *(uint32_t*)0x20004134 = 3; *(uint32_t*)0x20004138 = 9; *(uint32_t*)0x2000413c = 0x22c; *(uint32_t*)0x20004140 = 0xffff1eb4; *(uint32_t*)0x20004144 = 0; *(uint32_t*)0x20004148 = 0x10001; *(uint32_t*)0x2000414c = 7; *(uint32_t*)0x20004150 = 4; *(uint32_t*)0x20004154 = 6; *(uint32_t*)0x20004158 = 0x7fffffff; *(uint32_t*)0x2000415c = 7; *(uint32_t*)0x20004160 = 4; *(uint32_t*)0x20004164 = 4; *(uint32_t*)0x20004168 = 8; *(uint32_t*)0x2000416c = 0x8000; *(uint32_t*)0x20004170 = 6; *(uint32_t*)0x20004174 = 0; *(uint32_t*)0x20004178 = 0; *(uint32_t*)0x2000417c = 0; *(uint32_t*)0x20004180 = 3; *(uint32_t*)0x20004184 = 2; *(uint32_t*)0x20004188 = 0; *(uint32_t*)0x2000418c = 0x40; *(uint32_t*)0x20004190 = 5; *(uint32_t*)0x20004194 = 4; *(uint32_t*)0x20004198 = 0x2000; *(uint32_t*)0x2000419c = 1; *(uint32_t*)0x200041a0 = 0x7fff; *(uint32_t*)0x200041a4 = 1; *(uint32_t*)0x200041a8 = 0; *(uint32_t*)0x200041ac = 0x30; *(uint32_t*)0x200041b0 = 0x7f; *(uint32_t*)0x200041b4 = 9; *(uint32_t*)0x200041b8 = 6; *(uint32_t*)0x200041bc = 0xffffff11; *(uint32_t*)0x200041c0 = 4; *(uint32_t*)0x200041c4 = -1; *(uint32_t*)0x200041c8 = 0xd; *(uint32_t*)0x200041cc = 1; *(uint32_t*)0x200041d0 = 2; *(uint32_t*)0x200041d4 = 3; *(uint32_t*)0x200041d8 = 0x10000; *(uint32_t*)0x200041dc = 0x183; *(uint32_t*)0x200041e0 = 0; *(uint32_t*)0x200041e4 = 6; *(uint32_t*)0x200041e8 = 0x40; *(uint32_t*)0x200041ec = 0; *(uint32_t*)0x200041f0 = 0x1239; *(uint32_t*)0x200041f4 = 0x800; *(uint32_t*)0x200041f8 = 0x7ec; *(uint32_t*)0x200041fc = 0x80000001; *(uint32_t*)0x20004200 = 3; *(uint32_t*)0x20004204 = 5; *(uint32_t*)0x20004208 = 0xffffffe0; *(uint32_t*)0x2000420c = 6; *(uint32_t*)0x20004210 = 5; *(uint32_t*)0x20004214 = 4; *(uint32_t*)0x20004218 = 2; *(uint32_t*)0x2000421c = 0x20; *(uint32_t*)0x20004220 = 6; *(uint32_t*)0x20004224 = 5; *(uint32_t*)0x20004228 = 6; *(uint32_t*)0x2000422c = 9; *(uint32_t*)0x20004230 = 0x3f; *(uint32_t*)0x20004234 = 9; *(uint32_t*)0x20004238 = 0; *(uint32_t*)0x2000423c = 6; *(uint32_t*)0x20004240 = 4; *(uint32_t*)0x20004244 = 0xfffffe00; *(uint32_t*)0x20004248 = 0x80000000; *(uint32_t*)0x2000424c = 4; *(uint32_t*)0x20004250 = 0xd1; *(uint32_t*)0x20004254 = 0x401; *(uint32_t*)0x20004258 = 0xff; *(uint32_t*)0x2000425c = 0x3f; *(uint32_t*)0x20004260 = 0x80000001; *(uint32_t*)0x20004264 = 7; *(uint32_t*)0x20004268 = 5; *(uint32_t*)0x2000426c = 0x445; *(uint32_t*)0x20004270 = 3; *(uint32_t*)0x20004274 = 4; *(uint32_t*)0x20004278 = 0x4cc; *(uint32_t*)0x2000427c = 0; *(uint32_t*)0x20004280 = 0x80000000; *(uint32_t*)0x20004284 = 0xfffffe01; *(uint32_t*)0x20004288 = 0x20; *(uint32_t*)0x2000428c = 0xec02; *(uint32_t*)0x20004290 = 0; *(uint32_t*)0x20004294 = 3; *(uint32_t*)0x20004298 = 0x200; *(uint32_t*)0x2000429c = 0xffffff2a; *(uint32_t*)0x200042a0 = 7; *(uint32_t*)0x200042a4 = 1; *(uint32_t*)0x200042a8 = 0; *(uint32_t*)0x200042ac = 0x10000; *(uint32_t*)0x200042b0 = 0x20; *(uint32_t*)0x200042b4 = 5; *(uint32_t*)0x200042b8 = 0x63bb3f5d; *(uint32_t*)0x200042bc = 7; *(uint32_t*)0x200042c0 = 0x8000; *(uint32_t*)0x200042c4 = 0x72aa7362; *(uint32_t*)0x200042c8 = 0x10001; *(uint32_t*)0x200042cc = 0xca9; *(uint32_t*)0x200042d0 = 0x80000000; *(uint32_t*)0x200042d4 = 2; *(uint32_t*)0x200042d8 = 8; *(uint32_t*)0x200042dc = 7; *(uint32_t*)0x200042e0 = 8; *(uint32_t*)0x200042e4 = 2; *(uint32_t*)0x200042e8 = 9; *(uint32_t*)0x200042ec = 6; *(uint32_t*)0x200042f0 = 6; *(uint32_t*)0x200042f4 = 3; *(uint32_t*)0x200042f8 = 0x9379; *(uint32_t*)0x200042fc = 0x69e; *(uint32_t*)0x20004300 = 0x728; *(uint32_t*)0x20004304 = 8; *(uint32_t*)0x20004308 = 0x400; *(uint32_t*)0x2000430c = 0x8a; *(uint32_t*)0x20004310 = 3; *(uint32_t*)0x20004314 = 6; *(uint32_t*)0x20004318 = 0xff; *(uint32_t*)0x2000431c = 0; *(uint32_t*)0x20004320 = 0x3ff; *(uint32_t*)0x20004324 = 0x7f; *(uint32_t*)0x20004328 = 0x101; *(uint32_t*)0x2000432c = 8; *(uint32_t*)0x20004330 = 0x200; *(uint32_t*)0x20004334 = 0; *(uint32_t*)0x20004338 = 8; *(uint32_t*)0x2000433c = 0; *(uint32_t*)0x20004340 = 0; *(uint32_t*)0x20004344 = 8; *(uint32_t*)0x20004348 = 0xd50; *(uint32_t*)0x2000434c = 0x81; *(uint32_t*)0x20004350 = 0x401; *(uint32_t*)0x20004354 = 7; *(uint32_t*)0x20004358 = 1; *(uint32_t*)0x2000435c = 0x41; *(uint32_t*)0x20004360 = 0x12; *(uint32_t*)0x20004364 = 7; *(uint32_t*)0x20004368 = 2; *(uint32_t*)0x2000436c = 5; *(uint32_t*)0x20004370 = 0x80000000; *(uint32_t*)0x20004374 = 1; *(uint32_t*)0x20004378 = 0x10000; *(uint32_t*)0x2000437c = 8; *(uint32_t*)0x20004380 = 1; *(uint32_t*)0x20004384 = 0x100; *(uint32_t*)0x20004388 = 8; *(uint32_t*)0x2000438c = 5; *(uint32_t*)0x20004390 = 0; *(uint32_t*)0x20004394 = 0x68d; *(uint32_t*)0x20004398 = 5; *(uint32_t*)0x2000439c = 0x800; *(uint32_t*)0x200043a0 = 3; *(uint32_t*)0x200043a4 = 3; *(uint32_t*)0x200043a8 = 7; *(uint32_t*)0x200043ac = 9; *(uint32_t*)0x200043b0 = 0x200; *(uint32_t*)0x200043b4 = 8; *(uint32_t*)0x200043b8 = 0xffff0000; *(uint32_t*)0x200043bc = 8; *(uint32_t*)0x200043c0 = 0; *(uint32_t*)0x200043c4 = 2; *(uint32_t*)0x200043c8 = 0xfffffff7; *(uint32_t*)0x200043cc = 0; *(uint32_t*)0x200043d0 = 0xffff; *(uint32_t*)0x200043d4 = 0xfffffffd; *(uint32_t*)0x200043d8 = 1; *(uint32_t*)0x200043dc = 0; *(uint32_t*)0x200043e0 = 0x200; *(uint32_t*)0x200043e4 = 0x10000; *(uint32_t*)0x200043e8 = 5; *(uint32_t*)0x200043ec = 0x401; *(uint32_t*)0x200043f0 = 8; *(uint32_t*)0x200043f4 = 0x101; *(uint32_t*)0x200043f8 = 0; *(uint32_t*)0x200043fc = 4; *(uint32_t*)0x20004400 = 0; *(uint32_t*)0x20004404 = 0xac4; *(uint32_t*)0x20004408 = 3; *(uint32_t*)0x2000440c = 9; *(uint32_t*)0x20004410 = 0xde; *(uint32_t*)0x20004414 = 0; *(uint32_t*)0x20004418 = 3; *(uint32_t*)0x2000441c = 5; *(uint32_t*)0x20004420 = 1; *(uint32_t*)0x20004424 = 0x20; *(uint32_t*)0x20004428 = 0xe47; *(uint32_t*)0x2000442c = 3; *(uint32_t*)0x20004430 = 7; *(uint32_t*)0x20004434 = 0xeb5; *(uint32_t*)0x20004438 = 0x80; *(uint32_t*)0x2000443c = 0x100; *(uint32_t*)0x20004440 = 8; *(uint32_t*)0x20004444 = 0; *(uint32_t*)0x20004448 = 0xfff; *(uint32_t*)0x2000444c = 0x101; *(uint32_t*)0x20004450 = 7; *(uint32_t*)0x20004454 = 0x7fffffff; *(uint32_t*)0x20004458 = 0x80e; *(uint32_t*)0x2000445c = 0; *(uint32_t*)0x20004460 = 6; *(uint32_t*)0x20004464 = 8; *(uint32_t*)0x20004468 = 0x7f; *(uint32_t*)0x2000446c = 0xffff; *(uint32_t*)0x20004470 = 4; *(uint32_t*)0x20004474 = 0xc3b4; *(uint32_t*)0x20004478 = 0x3572b62; *(uint32_t*)0x2000447c = 1; *(uint32_t*)0x20004480 = 0x8001; *(uint32_t*)0x20004484 = 8; *(uint32_t*)0x20004488 = 0x400; *(uint32_t*)0x2000448c = 0x10001; *(uint32_t*)0x20004490 = 0x3f; *(uint32_t*)0x20004494 = 0x100; *(uint32_t*)0x20004498 = 5; *(uint32_t*)0x2000449c = 3; *(uint32_t*)0x200044a0 = 2; *(uint32_t*)0x200044a4 = 8; *(uint32_t*)0x200044a8 = 2; *(uint32_t*)0x200044ac = 4; *(uint32_t*)0x200044b0 = 0x10001; *(uint32_t*)0x200044b4 = 5; *(uint32_t*)0x200044b8 = 0x3f; *(uint32_t*)0x200044bc = 4; *(uint32_t*)0x200044c0 = 8; *(uint16_t*)0x200044c4 = 0x404; *(uint16_t*)0x200044c6 = 6; *(uint32_t*)0x200044c8 = 0xb7; *(uint32_t*)0x200044cc = 6; *(uint32_t*)0x200044d0 = 0x7fffffff; *(uint32_t*)0x200044d4 = 0x6ac; *(uint32_t*)0x200044d8 = 0x1ff; *(uint32_t*)0x200044dc = 5; *(uint32_t*)0x200044e0 = 0xe6; *(uint32_t*)0x200044e4 = 0; *(uint32_t*)0x200044e8 = 6; *(uint32_t*)0x200044ec = 0; *(uint32_t*)0x200044f0 = 3; *(uint32_t*)0x200044f4 = 0x6a3ff2d8; *(uint32_t*)0x200044f8 = 8; *(uint32_t*)0x200044fc = 6; *(uint32_t*)0x20004500 = 0x3ff; *(uint32_t*)0x20004504 = 8; *(uint32_t*)0x20004508 = 1; *(uint32_t*)0x2000450c = 6; *(uint32_t*)0x20004510 = 0xeb10; *(uint32_t*)0x20004514 = 0x3ff; *(uint32_t*)0x20004518 = 4; *(uint32_t*)0x2000451c = 0x401; *(uint32_t*)0x20004520 = 0x1ff; *(uint32_t*)0x20004524 = 7; *(uint32_t*)0x20004528 = 0x80; *(uint32_t*)0x2000452c = 9; *(uint32_t*)0x20004530 = -1; *(uint32_t*)0x20004534 = 0x3f; *(uint32_t*)0x20004538 = 3; *(uint32_t*)0x2000453c = 2; *(uint32_t*)0x20004540 = 0; *(uint32_t*)0x20004544 = 0x80000001; *(uint32_t*)0x20004548 = 0x5cb; *(uint32_t*)0x2000454c = 6; *(uint32_t*)0x20004550 = 2; *(uint32_t*)0x20004554 = 0; *(uint32_t*)0x20004558 = 0x40; *(uint32_t*)0x2000455c = 0x40; *(uint32_t*)0x20004560 = 8; *(uint32_t*)0x20004564 = 2; *(uint32_t*)0x20004568 = 4; *(uint32_t*)0x2000456c = 2; *(uint32_t*)0x20004570 = 0xb5; *(uint32_t*)0x20004574 = 3; *(uint32_t*)0x20004578 = 3; *(uint32_t*)0x2000457c = 5; *(uint32_t*)0x20004580 = 8; *(uint32_t*)0x20004584 = 8; *(uint32_t*)0x20004588 = 3; *(uint32_t*)0x2000458c = 5; *(uint32_t*)0x20004590 = 0xf39; *(uint32_t*)0x20004594 = 7; *(uint32_t*)0x20004598 = 0x7fff; *(uint32_t*)0x2000459c = 1; *(uint32_t*)0x200045a0 = 0; *(uint32_t*)0x200045a4 = 3; *(uint32_t*)0x200045a8 = 7; *(uint32_t*)0x200045ac = 0x9f0; *(uint32_t*)0x200045b0 = 0x10000; *(uint32_t*)0x200045b4 = 0x32a25ec5; *(uint32_t*)0x200045b8 = -1; *(uint32_t*)0x200045bc = 1; *(uint32_t*)0x200045c0 = 2; *(uint32_t*)0x200045c4 = 2; *(uint32_t*)0x200045c8 = 1; *(uint32_t*)0x200045cc = 0; *(uint32_t*)0x200045d0 = 0x200; *(uint32_t*)0x200045d4 = 0; *(uint32_t*)0x200045d8 = 0x91c; *(uint32_t*)0x200045dc = 2; *(uint32_t*)0x200045e0 = 0xfff; *(uint32_t*)0x200045e4 = 0x8000; *(uint32_t*)0x200045e8 = 2; *(uint32_t*)0x200045ec = 3; *(uint32_t*)0x200045f0 = 2; *(uint32_t*)0x200045f4 = 3; *(uint32_t*)0x200045f8 = 0x66a; *(uint32_t*)0x200045fc = 7; *(uint32_t*)0x20004600 = 0x8a4; *(uint32_t*)0x20004604 = 0xf7b; *(uint32_t*)0x20004608 = 8; *(uint32_t*)0x2000460c = 5; *(uint32_t*)0x20004610 = 0x3ff; *(uint32_t*)0x20004614 = 9; *(uint32_t*)0x20004618 = 0xf9; *(uint32_t*)0x2000461c = 8; *(uint32_t*)0x20004620 = 6; *(uint32_t*)0x20004624 = 0xd60; *(uint32_t*)0x20004628 = 0x7fff; *(uint32_t*)0x2000462c = 5; *(uint32_t*)0x20004630 = 2; *(uint32_t*)0x20004634 = 1; *(uint32_t*)0x20004638 = 0x847c; *(uint32_t*)0x2000463c = 8; *(uint32_t*)0x20004640 = 4; *(uint32_t*)0x20004644 = 0xfd; *(uint32_t*)0x20004648 = 0x81; *(uint32_t*)0x2000464c = 0x81; *(uint32_t*)0x20004650 = 5; *(uint32_t*)0x20004654 = 0xfffffffd; *(uint32_t*)0x20004658 = 0x1f; *(uint32_t*)0x2000465c = 4; *(uint32_t*)0x20004660 = 0x40; *(uint32_t*)0x20004664 = 0x57; *(uint32_t*)0x20004668 = 9; *(uint32_t*)0x2000466c = 5; *(uint32_t*)0x20004670 = 7; *(uint32_t*)0x20004674 = 6; *(uint32_t*)0x20004678 = 1; *(uint32_t*)0x2000467c = 0x1f; *(uint32_t*)0x20004680 = 0x3f; *(uint32_t*)0x20004684 = 0xbad; *(uint32_t*)0x20004688 = 5; *(uint32_t*)0x2000468c = 1; *(uint32_t*)0x20004690 = 4; *(uint32_t*)0x20004694 = 6; *(uint32_t*)0x20004698 = 0x1ff; *(uint32_t*)0x2000469c = 0; *(uint32_t*)0x200046a0 = 0; *(uint32_t*)0x200046a4 = 2; *(uint32_t*)0x200046a8 = 0x7ff; *(uint32_t*)0x200046ac = 2; *(uint32_t*)0x200046b0 = 3; *(uint32_t*)0x200046b4 = 0x8000; *(uint32_t*)0x200046b8 = 0xfff; *(uint32_t*)0x200046bc = 1; *(uint32_t*)0x200046c0 = -1; *(uint32_t*)0x200046c4 = 0xff; *(uint32_t*)0x200046c8 = 0xfffffbff; *(uint32_t*)0x200046cc = 0; *(uint32_t*)0x200046d0 = 0x80000001; *(uint32_t*)0x200046d4 = 6; *(uint32_t*)0x200046d8 = 8; *(uint32_t*)0x200046dc = 0x100; *(uint32_t*)0x200046e0 = 0x97; *(uint32_t*)0x200046e4 = 0xfa4a; *(uint32_t*)0x200046e8 = 4; *(uint32_t*)0x200046ec = 7; *(uint32_t*)0x200046f0 = 7; *(uint32_t*)0x200046f4 = 0x10000; *(uint32_t*)0x200046f8 = 0; *(uint32_t*)0x200046fc = 5; *(uint32_t*)0x20004700 = 0x7236; *(uint32_t*)0x20004704 = 3; *(uint32_t*)0x20004708 = 0xfffffffa; *(uint32_t*)0x2000470c = 4; *(uint32_t*)0x20004710 = 7; *(uint32_t*)0x20004714 = 1; *(uint32_t*)0x20004718 = 0x401; *(uint32_t*)0x2000471c = 0x70; *(uint32_t*)0x20004720 = 0; *(uint32_t*)0x20004724 = 2; *(uint32_t*)0x20004728 = 0x5a16; *(uint32_t*)0x2000472c = 7; *(uint32_t*)0x20004730 = 0x8000; *(uint32_t*)0x20004734 = 5; *(uint32_t*)0x20004738 = 8; *(uint32_t*)0x2000473c = 0; *(uint32_t*)0x20004740 = 0x72; *(uint32_t*)0x20004744 = 7; *(uint32_t*)0x20004748 = 0x8001; *(uint32_t*)0x2000474c = 8; *(uint32_t*)0x20004750 = 0x10001; *(uint32_t*)0x20004754 = 4; *(uint32_t*)0x20004758 = 8; *(uint32_t*)0x2000475c = 8; *(uint32_t*)0x20004760 = 9; *(uint32_t*)0x20004764 = 5; *(uint32_t*)0x20004768 = 9; *(uint32_t*)0x2000476c = 1; *(uint32_t*)0x20004770 = 0x10000; *(uint32_t*)0x20004774 = 5; *(uint32_t*)0x20004778 = 2; *(uint32_t*)0x2000477c = 0x36; *(uint32_t*)0x20004780 = 0x100; *(uint32_t*)0x20004784 = 0x7f; *(uint32_t*)0x20004788 = 5; *(uint32_t*)0x2000478c = 0x4734dd74; *(uint32_t*)0x20004790 = 8; *(uint32_t*)0x20004794 = 1; *(uint32_t*)0x20004798 = 0xfffff801; *(uint32_t*)0x2000479c = 2; *(uint32_t*)0x200047a0 = 0; *(uint32_t*)0x200047a4 = 5; *(uint32_t*)0x200047a8 = 0; *(uint32_t*)0x200047ac = 0x1ff; *(uint32_t*)0x200047b0 = -1; *(uint32_t*)0x200047b4 = 7; *(uint32_t*)0x200047b8 = 0x80; *(uint32_t*)0x200047bc = 7; *(uint32_t*)0x200047c0 = 0x80; *(uint32_t*)0x200047c4 = 1; *(uint32_t*)0x200047c8 = 0x80000001; *(uint32_t*)0x200047cc = 0xc49a; *(uint32_t*)0x200047d0 = 0; *(uint32_t*)0x200047d4 = 3; *(uint32_t*)0x200047d8 = 0x800; *(uint32_t*)0x200047dc = 6; *(uint32_t*)0x200047e0 = 5; *(uint32_t*)0x200047e4 = 3; *(uint32_t*)0x200047e8 = 0x8eab; *(uint32_t*)0x200047ec = 0x200; *(uint32_t*)0x200047f0 = 0x10000; *(uint32_t*)0x200047f4 = 0x1f; *(uint32_t*)0x200047f8 = 4; *(uint32_t*)0x200047fc = 9; *(uint32_t*)0x20004800 = 1; *(uint32_t*)0x20004804 = 1; *(uint32_t*)0x20004808 = 0x80000001; *(uint32_t*)0x2000480c = 0x20; *(uint32_t*)0x20004810 = 0x6a4; *(uint32_t*)0x20004814 = 6; *(uint32_t*)0x20004818 = 6; *(uint32_t*)0x2000481c = 0x20; *(uint32_t*)0x20004820 = 1; *(uint32_t*)0x20004824 = 0xfffffffc; *(uint32_t*)0x20004828 = 1; *(uint32_t*)0x2000482c = 7; *(uint32_t*)0x20004830 = 6; *(uint32_t*)0x20004834 = 0x8001; *(uint32_t*)0x20004838 = 9; *(uint32_t*)0x2000483c = 8; *(uint32_t*)0x20004840 = 3; *(uint32_t*)0x20004844 = 0; *(uint32_t*)0x20004848 = 0x401; *(uint32_t*)0x2000484c = 1; *(uint32_t*)0x20004850 = 0x80000000; *(uint32_t*)0x20004854 = 0; *(uint32_t*)0x20004858 = 0xff; *(uint32_t*)0x2000485c = 0xff; *(uint32_t*)0x20004860 = 4; *(uint32_t*)0x20004864 = 0; *(uint32_t*)0x20004868 = 0x4e; *(uint32_t*)0x2000486c = 8; *(uint32_t*)0x20004870 = 0x4c; *(uint32_t*)0x20004874 = 0x10000; *(uint32_t*)0x20004878 = 9; *(uint32_t*)0x2000487c = 9; *(uint32_t*)0x20004880 = 0xfffeffff; *(uint32_t*)0x20004884 = 7; *(uint32_t*)0x20004888 = 0x8000; *(uint32_t*)0x2000488c = 7; *(uint32_t*)0x20004890 = 0x800; *(uint32_t*)0x20004894 = 0; *(uint32_t*)0x20004898 = 4; *(uint32_t*)0x2000489c = 0xad51; *(uint32_t*)0x200048a0 = 0x7fffffff; *(uint32_t*)0x200048a4 = 8; *(uint32_t*)0x200048a8 = 0xbe; *(uint32_t*)0x200048ac = 3; *(uint32_t*)0x200048b0 = 0; *(uint32_t*)0x200048b4 = 7; *(uint32_t*)0x200048b8 = 3; *(uint32_t*)0x200048bc = 8; *(uint32_t*)0x200048c0 = 0x8000; *(uint32_t*)0x200048c4 = 0; *(uint16_t*)0x200048c8 = 0x18; *(uint16_t*)0x200048ca = 1; *(uint8_t*)0x200048cc = 0x36; *(uint8_t*)0x200048cd = 1; *(uint8_t*)0x200048ce = 0x1b; *(uint8_t*)0x200048cf = 3; *(uint32_t*)0x200048d0 = 0x6948; *(uint32_t*)0x200048d4 = 0x7fff; *(uint32_t*)0x200048d8 = 9; *(uint32_t*)0x200048dc = 9; *(uint16_t*)0x200048e0 = 8; *(uint16_t*)0x200048e2 = 5; *(uint8_t*)0x200048e4 = 0xfd; *(uint8_t*)0x200048e5 = 1; *(uint64_t*)0x20004908 = 0x868; *(uint64_t*)0x20004958 = 1; *(uint64_t*)0x20004960 = 0; *(uint64_t*)0x20004968 = 0; *(uint32_t*)0x20004970 = 0x48000; syscall(__NR_sendmsg, r[0], 0x20004940, 0x8000); break; case 5: memcpy((void*)0x200024c0, "./file0", 8); syscall(__NR_lstat, 0x200024c0, 0x20002500); break; case 6: memcpy((void*)0x20002580, "./file1", 8); *(uint64_t*)0x20002740 = 0x200025c0; memcpy((void*)0x200025c0, "proc", 5); *(uint64_t*)0x20002748 = 0x20002600; memcpy((void*)0x20002600, ",md5sum", 8); *(uint64_t*)0x20002750 = 0x20002640; memcpy((void*)0x20002640, "trustedprocnodev.*--self", 25); *(uint64_t*)0x20002758 = 0x20002680; memcpy((void*)0x20002680, "!", 2); *(uint64_t*)0x20002760 = 0x200026c0; memcpy((void*)0x200026c0, "^@.vmnet0vmnet1", 16); *(uint64_t*)0x20002768 = 0x20002700; memcpy((void*)0x20002700, "GPLvboxnet1bdev", 16); *(uint64_t*)0x20002800 = 0x20002780; memcpy((void*)0x20002780, ")", 2); *(uint64_t*)0x20002808 = 0x200027c0; memcpy((void*)0x200027c0, "vmnet0ppp1-**", 14); syscall(__NR_execve, 0x20002580, 0x20002740, 0x20002800); break; } } void execute_one() { execute(7); collide = 1; execute(7); } int main() { syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0); for (;;) { loop(); } }