// https://syzkaller.appspot.com/bug?id=bc2bc9da2825a560d04dbe2039655f62599b27d7 // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include unsigned long long procid; static __thread int skip_segv; static __thread jmp_buf segv_env; static void segv_handler(int sig, siginfo_t* info, void* ctx) { uintptr_t addr = (uintptr_t)info->si_addr; const uintptr_t prog_start = 1 << 20; const uintptr_t prog_end = 100 << 20; if (__atomic_load_n(&skip_segv, __ATOMIC_RELAXED) && (addr < prog_start || addr > prog_end)) { _longjmp(segv_env, 1); } exit(sig); } static void install_segv_handler(void) { struct sigaction sa; memset(&sa, 0, sizeof(sa)); sa.sa_handler = SIG_IGN; syscall(SYS_rt_sigaction, 0x20, &sa, NULL, 8); syscall(SYS_rt_sigaction, 0x21, &sa, NULL, 8); memset(&sa, 0, sizeof(sa)); sa.sa_sigaction = segv_handler; sa.sa_flags = SA_NODEFER | SA_SIGINFO; sigaction(SIGSEGV, &sa, NULL); sigaction(SIGBUS, &sa, NULL); } #define NONFAILING(...) \ { \ __atomic_fetch_add(&skip_segv, 1, __ATOMIC_SEQ_CST); \ if (_setjmp(segv_env) == 0) { \ __VA_ARGS__; \ } \ __atomic_fetch_sub(&skip_segv, 1, __ATOMIC_SEQ_CST); \ } static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void use_temporary_dir(void) { char tmpdir_template[] = "./syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) exit(1); if (chmod(tmpdir, 0777)) exit(1); if (chdir(tmpdir)) exit(1); } static bool write_file(const char* file, const char* what, ...) 
{ char buf[1024]; va_list args; va_start(args, what); vsnprintf(buf, sizeof(buf), what, args); va_end(args); buf[sizeof(buf) - 1] = 0; int len = strlen(buf); int fd = open(file, O_WRONLY | O_CLOEXEC); if (fd == -1) return false; if (write(fd, buf, len) != len) { int err = errno; close(fd); errno = err; return false; } close(fd); return true; } struct nlmsg { char* pos; int nesting; struct nlattr* nested[8]; char buf[1024]; }; static struct nlmsg nlmsg; static void netlink_init(struct nlmsg* nlmsg, int typ, int flags, const void* data, int size) { memset(nlmsg, 0, sizeof(*nlmsg)); struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf; hdr->nlmsg_type = typ; hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags; memcpy(hdr + 1, data, size); nlmsg->pos = (char*)(hdr + 1) + NLMSG_ALIGN(size); } static void netlink_attr(struct nlmsg* nlmsg, int typ, const void* data, int size) { struct nlattr* attr = (struct nlattr*)nlmsg->pos; attr->nla_len = sizeof(*attr) + size; attr->nla_type = typ; memcpy(attr + 1, data, size); nlmsg->pos += NLMSG_ALIGN(attr->nla_len); } static int netlink_send_ext(struct nlmsg* nlmsg, int sock, uint16_t reply_type, int* reply_len) { if (nlmsg->pos > nlmsg->buf + sizeof(nlmsg->buf) || nlmsg->nesting) exit(1); struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf; hdr->nlmsg_len = nlmsg->pos - nlmsg->buf; struct sockaddr_nl addr; memset(&addr, 0, sizeof(addr)); addr.nl_family = AF_NETLINK; unsigned n = sendto(sock, nlmsg->buf, hdr->nlmsg_len, 0, (struct sockaddr*)&addr, sizeof(addr)); if (n != hdr->nlmsg_len) exit(1); n = recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0); if (hdr->nlmsg_type == NLMSG_DONE) { *reply_len = 0; return 0; } if (n < sizeof(struct nlmsghdr)) exit(1); if (reply_len && hdr->nlmsg_type == reply_type) { *reply_len = n; return 0; } if (n < sizeof(struct nlmsghdr) + sizeof(struct nlmsgerr)) exit(1); if (hdr->nlmsg_type != NLMSG_ERROR) exit(1); return -((struct nlmsgerr*)(hdr + 1))->error; } static int netlink_send(struct nlmsg* nlmsg, 
int sock) { return netlink_send_ext(nlmsg, sock, 0, NULL); } static int netlink_next_msg(struct nlmsg* nlmsg, unsigned int offset, unsigned int total_len) { struct nlmsghdr* hdr = (struct nlmsghdr*)(nlmsg->buf + offset); if (offset == total_len || offset + hdr->nlmsg_len > total_len) return -1; return hdr->nlmsg_len; } static void netlink_device_change(struct nlmsg* nlmsg, int sock, const char* name, bool up, const char* master, const void* mac, int macsize, const char* new_name) { struct ifinfomsg hdr; memset(&hdr, 0, sizeof(hdr)); if (up) hdr.ifi_flags = hdr.ifi_change = IFF_UP; hdr.ifi_index = if_nametoindex(name); netlink_init(nlmsg, RTM_NEWLINK, 0, &hdr, sizeof(hdr)); if (new_name) netlink_attr(nlmsg, IFLA_IFNAME, new_name, strlen(new_name)); if (master) { int ifindex = if_nametoindex(master); netlink_attr(nlmsg, IFLA_MASTER, &ifindex, sizeof(ifindex)); } if (macsize) netlink_attr(nlmsg, IFLA_ADDRESS, mac, macsize); int err = netlink_send(nlmsg, sock); (void)err; } const int kInitNetNsFd = 239; #define DEVLINK_FAMILY_NAME "devlink" #define DEVLINK_CMD_PORT_GET 5 #define DEVLINK_CMD_RELOAD 37 #define DEVLINK_ATTR_BUS_NAME 1 #define DEVLINK_ATTR_DEV_NAME 2 #define DEVLINK_ATTR_NETDEV_NAME 7 #define DEVLINK_ATTR_NETNS_FD 138 static int netlink_devlink_id_get(struct nlmsg* nlmsg, int sock) { struct genlmsghdr genlhdr; struct nlattr* attr; int err, n; uint16_t id = 0; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = CTRL_CMD_GETFAMILY; netlink_init(nlmsg, GENL_ID_CTRL, 0, &genlhdr, sizeof(genlhdr)); netlink_attr(nlmsg, CTRL_ATTR_FAMILY_NAME, DEVLINK_FAMILY_NAME, strlen(DEVLINK_FAMILY_NAME) + 1); err = netlink_send_ext(nlmsg, sock, GENL_ID_CTRL, &n); if (err) { return -1; } attr = (struct nlattr*)(nlmsg->buf + NLMSG_HDRLEN + NLMSG_ALIGN(sizeof(genlhdr))); for (; (char*)attr < nlmsg->buf + n; attr = (struct nlattr*)((char*)attr + NLMSG_ALIGN(attr->nla_len))) { if (attr->nla_type == CTRL_ATTR_FAMILY_ID) { id = *(uint16_t*)(attr + 1); break; } } if (!id) { return 
-1; } recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0); /* recv ack */ return id; } static void netlink_devlink_netns_move(const char* bus_name, const char* dev_name, int netns_fd) { struct genlmsghdr genlhdr; int sock; int id, err; sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC); if (sock == -1) exit(1); id = netlink_devlink_id_get(&nlmsg, sock); if (id == -1) goto error; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = DEVLINK_CMD_RELOAD; netlink_init(&nlmsg, id, 0, &genlhdr, sizeof(genlhdr)); netlink_attr(&nlmsg, DEVLINK_ATTR_BUS_NAME, bus_name, strlen(bus_name) + 1); netlink_attr(&nlmsg, DEVLINK_ATTR_DEV_NAME, dev_name, strlen(dev_name) + 1); netlink_attr(&nlmsg, DEVLINK_ATTR_NETNS_FD, &netns_fd, sizeof(netns_fd)); err = netlink_send(&nlmsg, sock); if (err) { } error: close(sock); } static struct nlmsg nlmsg2; static void initialize_devlink_ports(const char* bus_name, const char* dev_name, const char* netdev_prefix) { struct genlmsghdr genlhdr; int len, total_len, id, err, offset; uint16_t netdev_index; int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC); if (sock == -1) exit(1); int rtsock = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE); if (rtsock == -1) exit(1); id = netlink_devlink_id_get(&nlmsg, sock); if (id == -1) goto error; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = DEVLINK_CMD_PORT_GET; netlink_init(&nlmsg, id, NLM_F_DUMP, &genlhdr, sizeof(genlhdr)); netlink_attr(&nlmsg, DEVLINK_ATTR_BUS_NAME, bus_name, strlen(bus_name) + 1); netlink_attr(&nlmsg, DEVLINK_ATTR_DEV_NAME, dev_name, strlen(dev_name) + 1); err = netlink_send_ext(&nlmsg, sock, id, &total_len); if (err) { goto error; } offset = 0; netdev_index = 0; while ((len = netlink_next_msg(&nlmsg, offset, total_len)) != -1) { struct nlattr* attr = (struct nlattr*)(nlmsg.buf + offset + NLMSG_HDRLEN + NLMSG_ALIGN(sizeof(genlhdr))); for (; (char*)attr < nlmsg.buf + offset + len; attr = (struct nlattr*)((char*)attr + NLMSG_ALIGN(attr->nla_len))) { if (attr->nla_type == 
DEVLINK_ATTR_NETDEV_NAME) { char* port_name; char netdev_name[IFNAMSIZ]; port_name = (char*)(attr + 1); snprintf(netdev_name, sizeof(netdev_name), "%s%d", netdev_prefix, netdev_index); netlink_device_change(&nlmsg2, rtsock, port_name, true, 0, 0, 0, netdev_name); break; } } offset += len; netdev_index++; } error: close(rtsock); close(sock); } static void initialize_devlink_pci(void) { int netns = open("/proc/self/ns/net", O_RDONLY); if (netns == -1) exit(1); int ret = setns(kInitNetNsFd, 0); if (ret == -1) exit(1); netlink_devlink_netns_move("pci", "0000:00:10.0", netns); ret = setns(netns, 0); if (ret == -1) exit(1); close(netns); initialize_devlink_ports("pci", "0000:00:10.0", "netpci"); } #define MAX_FDS 30 static void setup_common() { if (mount(0, "/sys/fs/fuse/connections", "fusectl", 0, 0)) { } } static void loop(); static void sandbox_common() { prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); setpgrp(); setsid(); int netns = open("/proc/self/ns/net", O_RDONLY); if (netns == -1) exit(1); if (dup2(netns, kInitNetNsFd) < 0) exit(1); close(netns); struct rlimit rlim; rlim.rlim_cur = rlim.rlim_max = (200 << 20); setrlimit(RLIMIT_AS, &rlim); rlim.rlim_cur = rlim.rlim_max = 32 << 20; setrlimit(RLIMIT_MEMLOCK, &rlim); rlim.rlim_cur = rlim.rlim_max = 136 << 20; setrlimit(RLIMIT_FSIZE, &rlim); rlim.rlim_cur = rlim.rlim_max = 1 << 20; setrlimit(RLIMIT_STACK, &rlim); rlim.rlim_cur = rlim.rlim_max = 0; setrlimit(RLIMIT_CORE, &rlim); rlim.rlim_cur = rlim.rlim_max = 256; setrlimit(RLIMIT_NOFILE, &rlim); if (unshare(CLONE_NEWNS)) { } if (unshare(CLONE_NEWIPC)) { } if (unshare(0x02000000)) { } if (unshare(CLONE_NEWUTS)) { } if (unshare(CLONE_SYSVSEM)) { } typedef struct { const char* name; const char* value; } sysctl_t; static const sysctl_t sysctls[] = { {"/proc/sys/kernel/shmmax", "16777216"}, {"/proc/sys/kernel/shmall", "536870912"}, {"/proc/sys/kernel/shmmni", "1024"}, {"/proc/sys/kernel/msgmax", "8192"}, {"/proc/sys/kernel/msgmni", "1024"}, {"/proc/sys/kernel/msgmnb", 
"1024"}, {"/proc/sys/kernel/sem", "1024 1048576 500 1024"}, }; unsigned i; for (i = 0; i < sizeof(sysctls) / sizeof(sysctls[0]); i++) write_file(sysctls[i].name, sysctls[i].value); } int wait_for_loop(int pid) { if (pid < 0) exit(1); int status = 0; while (waitpid(-1, &status, __WALL) != pid) { } return WEXITSTATUS(status); } static void drop_caps(void) { struct __user_cap_header_struct cap_hdr = {}; struct __user_cap_data_struct cap_data[2] = {}; cap_hdr.version = _LINUX_CAPABILITY_VERSION_3; cap_hdr.pid = getpid(); if (syscall(SYS_capget, &cap_hdr, &cap_data)) exit(1); const int drop = (1 << CAP_SYS_PTRACE) | (1 << CAP_SYS_NICE); cap_data[0].effective &= ~drop; cap_data[0].permitted &= ~drop; cap_data[0].inheritable &= ~drop; if (syscall(SYS_capset, &cap_hdr, &cap_data)) exit(1); } static int do_sandbox_none(void) { if (unshare(CLONE_NEWPID)) { } int pid = fork(); if (pid != 0) return wait_for_loop(pid); setup_common(); sandbox_common(); drop_caps(); if (unshare(CLONE_NEWNET)) { } initialize_devlink_pci(); loop(); exit(1); } #define FS_IOC_SETFLAGS _IOW('f', 2, long) static void remove_dir(const char* dir) { DIR* dp; struct dirent* ep; int iter = 0; retry: while (umount2(dir, MNT_DETACH) == 0) { } dp = opendir(dir); if (dp == NULL) { if (errno == EMFILE) { exit(1); } exit(1); } while ((ep = readdir(dp))) { if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0) continue; char filename[FILENAME_MAX]; snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name); while (umount2(filename, MNT_DETACH) == 0) { } struct stat st; if (lstat(filename, &st)) exit(1); if (S_ISDIR(st.st_mode)) { remove_dir(filename); continue; } int i; for (i = 0;; i++) { if (unlink(filename) == 0) break; if (errno == EPERM) { int fd = open(filename, O_RDONLY); if (fd != -1) { long flags = 0; if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) { } close(fd); continue; } } if (errno == EROFS) { break; } if (errno != EBUSY || i > 100) exit(1); if (umount2(filename, MNT_DETACH)) exit(1); } 
} closedir(dp); int i; for (i = 0;; i++) { if (rmdir(dir) == 0) break; if (i < 100) { if (errno == EPERM) { int fd = open(dir, O_RDONLY); if (fd != -1) { long flags = 0; if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) { } close(fd); continue; } } if (errno == EROFS) { break; } if (errno == EBUSY) { if (umount2(dir, MNT_DETACH)) exit(1); continue; } if (errno == ENOTEMPTY) { if (iter < 100) { iter++; goto retry; } } } exit(1); } } static void kill_and_wait(int pid, int* status) { kill(-pid, SIGKILL); kill(pid, SIGKILL); int i; for (i = 0; i < 100; i++) { if (waitpid(-1, status, WNOHANG | __WALL) == pid) return; usleep(1000); } DIR* dir = opendir("/sys/fs/fuse/connections"); if (dir) { for (;;) { struct dirent* ent = readdir(dir); if (!ent) break; if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0) continue; char abort[300]; snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort", ent->d_name); int fd = open(abort, O_WRONLY); if (fd == -1) { continue; } if (write(fd, abort, 1) < 0) { } close(fd); } closedir(dir); } else { } while (waitpid(-1, status, __WALL) != pid) { } } static void setup_test() { prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); setpgrp(); write_file("/proc/self/oom_score_adj", "1000"); } static void close_fds() { int fd; for (fd = 3; fd < MAX_FDS; fd++) close(fd); } static void execute_one(void); #define WAIT_FLAGS __WALL static void loop(void) { int iter; for (iter = 0;; iter++) { char cwdbuf[32]; sprintf(cwdbuf, "./%d", iter); if (mkdir(cwdbuf, 0777)) exit(1); int pid = fork(); if (pid < 0) exit(1); if (pid == 0) { if (chdir(cwdbuf)) exit(1); setup_test(); execute_one(); close_fds(); exit(0); } int status = 0; uint64_t start = current_time_ms(); for (;;) { if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) break; sleep_ms(1); if (current_time_ms() - start < 5 * 1000) continue; kill_and_wait(pid, &status); break; } remove_dir(cwdbuf); } } #ifndef __NR_statx #define __NR_statx 332 #endif uint64_t r[86] = {0xffffffffffffffff, 
0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff}; void execute_one(void) { intptr_t res = 0; res = syscall(__NR_socket, 1ul, 0x10000000805ul, 0ul); if (res != -1) r[0] = res; NONFAILING(*(uint32_t*)0x20000000 = 0x80); res = syscall(__NR_getsockname, r[0], 0x20000140ul, 0x20000000ul); if (res != -1) NONFAILING(r[1] = *(uint32_t*)0x2000014a); NONFAILING(memcpy((void*)0x20000080, "./file0\000", 8)); res = syscall(__NR_open, 0x20000080ul, 0xa4042ul, 0x11cul); if (res != -1) r[2] = res; res = syscall(__NR_clock_gettime, 0ul, 0x200001c0ul); if (res != -1) { NONFAILING(r[3] = 
*(uint64_t*)0x200001c0); NONFAILING(r[4] = *(uint64_t*)0x200001c8); } NONFAILING(memcpy((void*)0x200000c0, "./file0\000", 8)); NONFAILING(*(uint64_t*)0x20000200 = r[3]); NONFAILING(*(uint64_t*)0x20000208 = r[4] / 1000 + 30000); NONFAILING(*(uint64_t*)0x20000210 = 0); NONFAILING(*(uint64_t*)0x20000218 = 0x2710); syscall(__NR_utimensat, r[2], 0x200000c0ul, 0x20000200ul, 0ul); NONFAILING(memcpy((void*)0x20000180, "memory.events\000", 14)); res = syscall(__NR_openat, 0xffffff9c, 0x20000180ul, 0x26e1ul, 0ul); if (res != -1) r[5] = res; syscall(__NR_close, r[5]); syscall(__NR_close, r[5]); res = syscall(__NR_socket, 1ul, 1ul, 0ul); if (res != -1) r[6] = res; NONFAILING(*(uint16_t*)0x20000280 = 1); NONFAILING(memcpy( (void*)0x20000282, "\351\037q\211Y\036\2223aK\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000", 108)); syscall(__NR_connect, r[6], 0x20000280ul, 0x6eul); NONFAILING(*(uint64_t*)0x20000100 = 0xffff); syscall(__NR_ioctl, -1, 0x40087602ul, 0x20000100ul); res = syscall(__NR_socket, 1ul, 1ul, 0ul); if (res != -1) r[7] = res; NONFAILING(*(uint16_t*)0x20000080 = 1); NONFAILING(memcpy( (void*)0x20000082, "\351\037q\211Y\036\2223aK\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000", 108)); syscall(__NR_bind, r[7], 0x20000080ul, 0x31ul); syscall(__NR_listen, r[7], 
0); syscall(__NR_accept, r[7], 0ul, 0ul); res = syscall(__NR_socket, 1ul, 1ul, 0ul); if (res != -1) r[8] = res; syscall(__NR_listen, r[8], 0); res = syscall(__NR_accept, r[8], 0ul, 0ul); if (res != -1) r[9] = res; syscall(__NR_ioctl, r[9], 0x5411ul, 0x20000040ul); res = syscall(__NR_socket, 1ul, 1ul, 0ul); if (res != -1) r[10] = res; NONFAILING(*(uint16_t*)0x20000080 = 1); NONFAILING(memcpy( (void*)0x20000082, "\351\037q\211Y\036\2223aK\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000", 108)); syscall(__NR_bind, r[10], 0x20000080ul, 0x31ul); syscall(__NR_listen, r[10], 0); res = syscall(__NR_accept, r[10], 0ul, 0ul); if (res != -1) r[11] = res; syscall(__NR_ioctl, r[11], 0x5411ul, 0x20000040ul); res = syscall(__NR_timerfd_create, 0ul, 0ul); if (res != -1) r[12] = res; res = syscall(__NR_fcntl, r[12], 9ul, 0); if (res != -1) r[13] = res; syscall(__NR_fcntl, r[12], 8ul, r[13]); syscall(__NR_setreuid, 0xee00, 0); NONFAILING(memcpy((void*)0x20001f00, "\351\037q\211Y\036\2223aK\000", 11)); syscall(__NR_statx, 0xffffff9c, 0x20001f00ul, 0x2000ul, 0x3d351abfbbc950acul, 0x20001f40ul); res = syscall(__NR_socket, 1ul, 1ul, 0ul); if (res != -1) r[14] = res; NONFAILING(*(uint16_t*)0x20000280 = 1); NONFAILING(memcpy( (void*)0x20000282, "\351\037q\211Y\036\2223aK\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000" 
"\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000", 108)); syscall(__NR_connect, r[14], 0x20000280ul, 0x6eul); res = syscall(__NR_socketpair, 1ul, 5ul, 0, 0x20002300ul); if (res != -1) NONFAILING(r[15] = *(uint32_t*)0x20002304); res = syscall(__NR_socket, 1ul, 1ul, 0ul); if (res != -1) r[16] = res; NONFAILING(*(uint16_t*)0x20000080 = 1); NONFAILING(memcpy( (void*)0x20000082, "\351\037q\211Y\036\2223aK\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000", 108)); syscall(__NR_bind, r[16], 0x20000080ul, 0x31ul); syscall(__NR_listen, r[16], 0); res = syscall(__NR_accept, r[16], 0ul, 0ul); if (res != -1) r[17] = res; syscall(__NR_ioctl, r[17], 0x5411ul, 0x20000040ul); NONFAILING(*(uint64_t*)0x20002400 = 0); NONFAILING(*(uint32_t*)0x20002408 = 0); NONFAILING(*(uint64_t*)0x20002410 = 0x20000240); NONFAILING(*(uint64_t*)0x20000240 = 0); NONFAILING(*(uint64_t*)0x20000248 = 0); NONFAILING(*(uint64_t*)0x20000250 = 0x20000200); NONFAILING(memcpy((void*)0x20000200, "\xba\x62\xbc\x2b\xa0\x5d\x32\xc4\x36" "\x19\x1c\x52\xdd\xd2\x70\x23\x82\xd6" "\xbb\x24\x15\xef\xb7\xa5\x96\x8d\x2c" "\xc3\x6e\x9f\xf7\x3e\x33\x5e\x37\xb2" "\x27\x26\x99\xc1\xb8\x33\x88\xa3\x8b", 45)); NONFAILING(*(uint64_t*)0x20000258 = 0x2d); NONFAILING(*(uint64_t*)0x20002418 = 2); NONFAILING(*(uint64_t*)0x20002420 = 0x20000380); NONFAILING(*(uint64_t*)0x20000380 = 0x24); NONFAILING(*(uint32_t*)0x20000388 = 1); NONFAILING(*(uint32_t*)0x2000038c = 1); NONFAILING(*(uint32_t*)0x20000390 = r[9]); NONFAILING(*(uint32_t*)0x20000394 = r[11]); NONFAILING(*(uint32_t*)0x20000398 = -1); NONFAILING(*(uint32_t*)0x2000039c = -1); NONFAILING(*(uint32_t*)0x200003a0 = 
-1); NONFAILING(*(uint64_t*)0x20002428 = 0x28); NONFAILING(*(uint32_t*)0x20002430 = 4); NONFAILING(*(uint64_t*)0x20002438 = 0x200003c0); NONFAILING(*(uint16_t*)0x200003c0 = 1); NONFAILING(memcpy( (void*)0x200003c2, "\351\037q\211Y\036\2223aK\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000", 108)); NONFAILING(*(uint32_t*)0x20002440 = 0x6e); NONFAILING(*(uint64_t*)0x20002448 = 0x20000900); NONFAILING(*(uint64_t*)0x20000900 = 0x20000440); NONFAILING(memcpy( (void*)0x20000440, "\xac\xa8\x1b\xcf\x0a\xf0\x45\x6e\xd3\x60\x69\x97\xbc\xa7\x01\x4e\xb9\x5d" "\x11\xa9\x40\x0d\xa5\xd5\x7e\x33\x67\xe7\xb0\xe4\xb0\x67\x1d\xc3\xe4\x47" "\xfa\xa5\x19\x53\xf8\xc8\xda\x0d\x6c\x95\xc5\x1e\xfc\x04\x94\x60\xdf\xaa" "\xd5\x3c\x64\x87\xfd\x9a\xee\x07\xa2\x35\x7a\x16\xca\xfb\x20\x99\x6d\x4c" "\x20\x3b\xb7\x21\x9c\xaf\xc2\xda\x53\x86\x45\x0c\x74\x40\xdb\x17\x48\x57" "\x2a\xb7\x64\x8f\xd0\xf6\xb1\xae\xa6\x53\xd1\x13\x18\x6a\xc7\x53\x5d\x24" "\xbe\xc4\x39\xdf\xb0\x0b\x5a\x09\x53\xc0\xe4\x80\x14\x14\x29\xfc\xd5\x36" "\xc1\x72\x5a\x5a\xa7\xc9\xee\xfd\x38\x8f\xa4\x31\xad\x16\x76\xbd\xb6\x89" "\x13\xa5\x21\x85\x57\x64\xee\xe6\x54\xae\xec\xee\x2f\x3c\x4c\xef\xb1\x30" "\xbd\xea\xc4\xca\xd2\x1c\x72\x63\xca\x2f\x16\x93\x79\xa4\xa8\xfb\xbd\x15" "\x24\x29\xb2\x62\x8b\x57\x6a\x38\x1d\xb0\x83\x08\x02\xc5\xc6\x9d\x83\xcc" "\x64\x52\xde\x87\xda\x5b\xa4\x93\xe4\xfe\x4d\x53\x9f\xac\xff\x24\x63\x55" "\x5b\x06\xec\x0f\x4c\xd7\x0c\x84\x9a\x21\x26\x9a\xc4\xf7\x88\x76\x82\xdc" "\x23\x41\xb8\xa3\x92\xe3\x26\xab\xbb\xe2\x0f\xc3\x4f\xb8", 248)); NONFAILING(*(uint64_t*)0x20000908 = 0xf8); NONFAILING(*(uint64_t*)0x20000910 = 0x20000540); NONFAILING(memcpy( 
(void*)0x20000540, "\xa6\xe8\x49\x92\x58\x17\xc5\x2a\x65\x00\xf1\xfa\x3f\x26\x77\x04\xda", 17)); NONFAILING(*(uint64_t*)0x20000918 = 0x11); NONFAILING(*(uint64_t*)0x20000920 = 0x20000580); NONFAILING(memcpy( (void*)0x20000580, "\xfc\x48\xb5\x07\x10\xf1\x99\x2d\x70\x7f\x71\xa8\x53\x63\x90\x6b\x5c\x18" "\xf7\xcd\x90\x44\x12\xd2\x25\x18\x8d\x59\xfa\xb8\x59\xf1\x94\xab\x95\x72" "\x2b\x73\x12\x4b\x7c\x34\xe7\x93\x17\xc5\xe7\x8b\x36\x63\x88\x7a\xb3\x5c" "\x3f\x87\x62\x2c\x90\xd5\x46\x3c\x13\x66\x53\x52\x07\x76\xe2\x1a\xf4\xb6" "\xd2\xd5\x7d\x47\xf1\xd4\x6e\xfb\x9a\x34\xe4\xfa\xa6\xc7\x91\x87\xcf\x91" "\x83\x0b\xd2\xc1\xe5\x6b\x73\x10\x8b\x4b\xb7\x35\xe8\x50\x8f\xb3\xc3\xdc" "\xeb\x48\x40\xdc\xf6\x38\x0f\xb4\x4f\x07\xa8\x75\xdf\xcf\xef\x09\x2d\x8c" "\x13\xe2\x17\xca\x27\x47\xcc\xc4\xef\xe2\xbb\x9d\x40", 139)); NONFAILING(*(uint64_t*)0x20000928 = 0x8b); NONFAILING(*(uint64_t*)0x20000930 = 0); NONFAILING(*(uint64_t*)0x20000938 = 0); NONFAILING(*(uint64_t*)0x20000940 = 0x20000740); NONFAILING(memcpy( (void*)0x20000740, "\x8a\x33\x3f\x15\x03\x99\xd5\xbd\xb4\xf8\x45\x8e\x3b\xb3\x6d\x66\x05\x02" "\xf9\x6b\xbb\xb7\x71\x4c\x89\x37\xf5\xd3\x45\x5d\x4f\x3c\x49\x58\x8e\xd0" "\x49\x80\x0e\x5f\xd9\xfa\xcd\x6f\x94\xf9\xdc\xe5\xda\x66\xcd\x89\xf8\x35" "\x2f\x48\x5d\x2e\x94\x23\x68\x65\x32\x3b\x03\xf6\x55\x61\xd5\x1c\x8a\x70" "\x21\x2c\x30\x8a\x84\xc6\xb0\x2a\xea\x50\x59\x77\x98\x83\x3b\x61\x2d\xb2" "\xdd\x89\x56\xfe\xcb\x1b\x51\xc2\xce", 99)); NONFAILING(*(uint64_t*)0x20000948 = 0x63); NONFAILING(*(uint64_t*)0x20000950 = 0x200007c0); NONFAILING(memcpy( (void*)0x200007c0, "\xb7\xc2\x96\x88\x39\xe9\xd1\x20\x53\x97\xcc\x1f\xf3\xbb\xa2\x84\xea\x5c" "\xdd\x58\x7f\x88\x0c\x82\x3a\x29\x7e\x3f\x50\x24\xe5\xdb\x91\x13\xfc\xc8" "\x78\xbd\x78\xa5\xc0\x82\xc6\xd8\x08\x84\x6e\x02\x4e\x20\x2a\xf4\x3d\x4a" "\xbf\xb9\x3c\xfe\x75\x79\xdd\xa3\x42\xd3\xc1\x25\x4d\xdf\x8c\x66\xb4\x9c" "\xca\xa1\x04\xf8\x47\xfa\xa4\xc9\xc7\xcb\xe1\x83\x38\x36\xd5\x0a\xf0\xbc" 
"\x88\xa6\x88\x1d\xe5\x8b\xbb\x3c\x35\xd8\xcf\x05\xb9\xfe\x08\x9b\x15\x2f" "\xa4\x41\xd5\x6c\x1b\x96\x0f\x17\x2b\xf7\xa5\xd3\x79\xbd\x7d\xc0\xe3\x40" "\xa0\x6b\x8e\xc2\x32\x39\x23\x83\x58\x53\xea\x67\x07\x25\x22\xa5\x11\xc0" "\xbb\x82\x14\x32\x47\x35\xa0\xb0\x0e\xee\x54\x02\x44\x51\x43\x72\xd2\x92" "\x53\xc9\x04\x7d\xc7\x1a\x01\xd0\xe2\xfb\xdb\x92\x78\x94\x05\x31\xd5\xac" "\xc5\xd5\xd2\x4e\x85\x92\x7f\x93\x5b\xf3\x23\x14\xa8\x06\xf8\x1f\xaa\x21" "\x46\x57\xa8\xcb\x71\x30\xec\xa5\x96\x31\x0c\x44\xc3\x62\x74\x81\xcc\xd4" "\x81\x3f", 218)); NONFAILING(*(uint64_t*)0x20000958 = 0xda); NONFAILING(*(uint64_t*)0x20000960 = 0x200008c0); NONFAILING(memcpy((void*)0x200008c0, "\x13\xc6\x0b\x9c\x82\x9a\x64\xa4\x77\x3e\x5c\x1c\x05\x11" "\x80\x3e\x47\x36\x44\x17\x24\xa4\x06\x27\xd6\x52\x15\x4e" "\x7f\xbb\x6d\x5b\x2b\x38\x7e\xef\xaf\x71\xb9\xfe\x94\xbf" "\x3f\x4e\x5b\xcf\x15\x9f\xb9\x17\xda\xb6\xad\xfa\xa5\x3c" "\x89\xf1\x79", 59)); NONFAILING(*(uint64_t*)0x20000968 = 0x3b); NONFAILING(*(uint64_t*)0x20002450 = 7); NONFAILING(*(uint64_t*)0x20002458 = 0); NONFAILING(*(uint64_t*)0x20002460 = 0); NONFAILING(*(uint32_t*)0x20002468 = 0x3d5934bd); NONFAILING(*(uint64_t*)0x20002470 = 0x20000980); NONFAILING(*(uint16_t*)0x20000980 = 1); NONFAILING(*(uint8_t*)0x20000982 = 0); NONFAILING(*(uint32_t*)0x20000984 = 0x4e24); NONFAILING(*(uint32_t*)0x20002478 = 0x6e); NONFAILING(*(uint64_t*)0x20002480 = 0x20001e80); NONFAILING(*(uint64_t*)0x20001e80 = 0); NONFAILING(*(uint64_t*)0x20001e88 = 0); NONFAILING(*(uint64_t*)0x20001e90 = 0x20001a00); NONFAILING(memcpy( (void*)0x20001a00, "\x94\x56\x4a\x52\xc4\xed\x60\x88\x73\xbb\x89\xc0\x51\x77\xc1\x69\x95\xc1" "\xa2\x2f\x05\x61\xed\x83\x3a\xbc\x62\xc5\x32\x68\xea\x9c\x6e\xac\x5d\x77" "\x65\x88\x37\xb1\xc9\x7a\xec\x17\x92\xc4\xb0\xbb\x1e\xf8\x9d\x45\x3f\x2d" "\x27\x21\x9f\x8f\x75\x17\x1e\x56\xdf\x05\xf0\x9d\x6a\x51\xff\x7e\x61\x99" "\x12\x9a\x88\x22\x50\x59\x14\x9a\xb5\x62\x49\x7d\xb1\x16\x91\x62\xcc\x19" 
"\xc8\xdd\x6e\x53\xed\x8c\xd0\x67\xa6\xbe\xa9\xf0\x64\x5f\xb7\x00\x56\x40" "\xd8\xfc\xbc\xd3\x39\x5b\xc3\x9d\x60\xe3\x29\xe3\x3c\x21\x85\xef", 124)); NONFAILING(*(uint64_t*)0x20001e98 = 0x7c); NONFAILING(*(uint64_t*)0x20001ea0 = 0x20001a80); NONFAILING(memcpy((void*)0x20001a80, "\x7f\xc0\x9b\xf0\x96\x76\xb6\x76\xd5\x18\x74\x3c\x90\x05" "\x3f\xe9\x2b\x14\x2d\xb7\xaf\x04\x09\x13\xc0\x1f\xc3\x9c" "\x1b\xcf\xc7\xc0\xce\x90\xfa\xf5\xd9\x83\x5a\x2e\xb8\xd3" "\x8e\x7d\x9e\x89\xbb\xcf\x29\x80\x6c\xe4\xd2\x12\x50\x57" "\x1b\x5b\x1a\x8f\xc9\x88\xbe\x44\x27\x3e\xe0\xf3\xa6\x95" "\xea\xb3\xda\x18\x5d\x4e", 76)); NONFAILING(*(uint64_t*)0x20001ea8 = 0x4c); NONFAILING(*(uint64_t*)0x20001eb0 = 0x20001b00); NONFAILING(memcpy( (void*)0x20001b00, "\x81\xb4\xce\xbc\x09\x6f\xb3\x4b\xc0\x51\x56\xdb\x3e\x33\x39\x1d\x12\x1e" "\x11\x29\xa9\x4d\xb3\x91\x86\xf2\xf2\xef\x4b\x74\x19\xed\x86\x73\x0a\xf5" "\xf4\xc3\x3c\x98\xde\x07\x39\x94\x1e\xff\x89\x2b\xb7\x89\xa7\x34\x35\x4a" "\x4d\xaf\x51\x5f\xd9\xae\xb8\xec\xd5\xc1\x8b\x9a\x89\x3a\x01\x4d\x90\x27" "\x3e\xc8\x23\xd7\xd4\x0a\xee\xb8\x58\xae\x2a\xe0\x14\x98\xc9\x83\xd7\xde" "\x1d\x3d\x2f\xa5\x0b\xa2\x87\xdf\xc9\xdc\x35\xad\x97\x02\x68\xc4\xbe\xad" "\x21\x3f\x4c\x4f\xf3\xa0\x37\xcf\x15\x67\x6f\xb8\xaa\x54\xec\xfe\xac\xf8" "\xd8\x4d\xe7\xb6\x4e\xe1\xb8\x04\xe8\x87\xdb\x8d\x6d\xce\xe5\x79\xec\x72" "\x90\x77\x43\xf7\x05\x0e\x41\x09\xe8\xa8\xb0\x95\xcf\x2d\x80\x59\x3c\x31" "\x9d\x2a\xe8\xcd\x56\x82\xe0\x0d\x35\x95\x89\x8b\xee\xe9\xd3\xc7\xca\x66" "\x7e\x08\x4b\x2e\x0b\x10\x15\xff\xd4\x24\x1a\x53\x57\x77\xb5\x0d\xcf\x0b" "\x87\xeb\x9e\x82\xec\x68\xe5\x15\x3b\xc3\x37\x69\xd3\x32\x60\xba\x4c\x6b" "\xef\xbb\x12\x15\x48\xb5\x5d\xc7\xc7\x42\xcd\x36\x9b\xda\x9c", 231)); NONFAILING(*(uint64_t*)0x20001eb8 = 0xe7); NONFAILING(*(uint64_t*)0x20001ec0 = 0x20001c00); NONFAILING(memcpy( (void*)0x20001c00, "\x55\x75\x7b\x6c\xc3\xc7\xa3\x33\xbc\xf3\xb4\xab\xc4\x83\xa5\xa5\x22\x36" "\x35\xbf\x7d\x61\x89\xa6\x7a\x55\x9f\x60\xbd\x96\x22\x87\x04\x06\x70\x3c" 
"\x5e\x5e\xfe\x03\x7f\x53\x91\x82\xd4\x8f\x06\xa0\xad\x0f\xb5\xfa\xb7\x53" "\xef\x8b\xd1\x15\xf9\xb6\x72\xf1\x39\xc5\x5f\x3f\x3c\x21\x6b\x10\xe7\x51" "\x39\xf4\x46\x09\x51\xc9\x76\x3b\xd6\x65\x0d\x1f\x6f\xf8\x31\xfd\x39\x27" "\xad\x50\x6e\x94\x94\x83\xd7\x61\xf5\xcb\xef\x33", 102)); NONFAILING(*(uint64_t*)0x20001ec8 = 0x66); NONFAILING(*(uint64_t*)0x20001ed0 = 0x20001c80); NONFAILING(memcpy( (void*)0x20001c80, "\x5e\x9a\x9a\x2a\x59\xb2\x8f\x53\xf7\x68\x1a\xbe\xe5\x6e\xd5\x1b\x18\x7d" "\x6c\x6e\xd6\x94\x09\x01\xdc\x74\x9e\xd2\xc3\xb6\xf6\x55\x06\x71\xad\x37" "\x2b\x2a\xd8\x9d\xa1\xd6\x82\x72\x57\x1b\x0b\x60\x67\x26\x87\x3a\x93\xf3" "\x96\x9d\x53\x58\x58\x78\xd9\xca\x7c\x0c\x98\x33\x7d\xf2\x48\x0f\x4e\x48" "\xf7\x8f\x37\xf0\xad\xdb\x25\x39\xe5\x26\x0b\x6f\x2f\x8d\x23\x65\x12\x5b" "\x02\x95\x6b\xf6\xab\xdd\xfb\xa1\x4d\x55\x8d\x34\xaa\x88\x21\xad\x1c\x4f" "\x9f\xa5\xf2\xc0\x68\xab\xbd\x35\x72\x4f\xab\xa0\x8b\x16\xf3\x7b\xfa\x58" "\x48\x14\x20\x5e\xcf\x8a\xe8\x84\xb0\x1d\x74\x8b\x35\x6f\x50\x5e\xed\xcc" "\x1c\xb0\x12\xd0\xdd\xce\xbc\xd4\xdb\xf3\xb7\x09\x4a\x54\x97\xa9\x74\xf4" "\x44\xcb\x00\x16\x1a\x66\xac\xb5\x54\x68\x7f\x9a\xdd\x8e\x80\x90\x14\x8f" "\xee\x66\xe1\xc6\xa7\x25\x1e\xbd", 188)); NONFAILING(*(uint64_t*)0x20001ed8 = 0xbc); NONFAILING(*(uint64_t*)0x20001ee0 = 0); NONFAILING(*(uint64_t*)0x20001ee8 = 0); NONFAILING(*(uint64_t*)0x20001ef0 = 0x20001dc0); NONFAILING(*(uint64_t*)0x20001ef8 = 0); NONFAILING(*(uint64_t*)0x20002488 = 8); NONFAILING(*(uint64_t*)0x20002490 = 0); NONFAILING(*(uint64_t*)0x20002498 = 0); NONFAILING(*(uint32_t*)0x200024a0 = 0x4000); NONFAILING(*(uint64_t*)0x200024a8 = 0); NONFAILING(*(uint32_t*)0x200024b0 = 0); NONFAILING(*(uint64_t*)0x200024b8 = 0x20002240); NONFAILING(*(uint64_t*)0x20002240 = 0); NONFAILING(*(uint64_t*)0x20002248 = 0); NONFAILING(*(uint64_t*)0x20002250 = 0x200021c0); NONFAILING(memcpy( (void*)0x200021c0, "\x28\xa5\x2f\x56\x97\x93\x0f\x83\x50\x88\x40\x1d\x2e\x4c\x00\x28\xb6\xd8" 
"\x17\x03\x8b\xcb\xb2\x09\xe8\xc6\xee\x34\x79\x19\x70\xca\xd6\x06\x54\x4b" "\x3b\xfc\x59\xf2\xd6\xe3\xd9\xb7\xd9\x35\x34\xfd\x04\x26\x24\x4c\xd3\x0b" "\xac\xb3\xe2\x91\x6e\xe3\x2f\xf7\x76\x50\x08\xdf\x60\xaf\xca\x1d\xf7\x5c" "\xaf\x4b\xd4\x51\xc0\xd9\xbf\x54\x25\xca\x3d\xf9\xd6\x4c\x56\xff\x4f\xd0" "\xaf\xff\xb0\x85\x30\x31\xa5\x33\x83\x25\xf9\xb2\xc3\x75\xea\x8a\xeb\x53" "\x53\x03\xbf\x46\x33\x73\x62\xcf\xbe\xfc\xfa\xeb", 120)); NONFAILING(*(uint64_t*)0x20002258 = 0x78); NONFAILING(*(uint64_t*)0x200024c0 = 2); NONFAILING(*(uint64_t*)0x200024c8 = 0x20002380); NONFAILING(*(uint64_t*)0x20002380 = 0x1c); NONFAILING(*(uint32_t*)0x20002388 = 1); NONFAILING(*(uint32_t*)0x2000238c = 1); NONFAILING(*(uint32_t*)0x20002390 = r[14]); NONFAILING(*(uint32_t*)0x20002394 = -1); NONFAILING(*(uint32_t*)0x20002398 = -1); NONFAILING(*(uint64_t*)0x200023a0 = 0x24); NONFAILING(*(uint32_t*)0x200023a8 = 1); NONFAILING(*(uint32_t*)0x200023ac = 1); NONFAILING(*(uint32_t*)0x200023b0 = r[15]); NONFAILING(*(uint32_t*)0x200023b4 = r[6]); NONFAILING(*(uint32_t*)0x200023b8 = -1); NONFAILING(*(uint32_t*)0x200023bc = r[17]); NONFAILING(*(uint32_t*)0x200023c0 = -1); NONFAILING(*(uint64_t*)0x200024d0 = 0x48); NONFAILING(*(uint32_t*)0x200024d8 = 0x20810); syscall(__NR_sendmmsg, r[7], 0x20002400ul, 4ul, 0x81ul); res = syscall(__NR_socketpair, 1ul, 1ul, 0ul, 0x20000000ul); if (res != -1) NONFAILING(r[18] = *(uint32_t*)0x20000000); NONFAILING(*(uint32_t*)0x20000040 = 0); syscall(__NR_ioctl, r[18], 0x5421ul, 0x20000040ul); NONFAILING(*(uint32_t*)0x20001bc0 = 0xc); res = syscall(__NR_getsockopt, r[18], 1ul, 0x11ul, 0x20001b80ul, 0x20001bc0ul); if (res != -1) NONFAILING(r[19] = *(uint32_t*)0x20001b88); res = syscall(__NR_signalfd4, -1, 0ul, 0ul, 0ul); if (res != -1) r[20] = res; syscall(__NR_close, r[20]); syscall(__NR_ioctl, r[20], 0x5411ul, 0x20000080ul); syscall(__NR_ioctl, -1, 0x5411ul, 0x20000080ul); NONFAILING(*(uint64_t*)0x20000140 = 0); res = syscall(__NR_signalfd4, -1, 0x20000140ul, 8ul, 0ul); if 
(res != -1) r[21] = res; syscall(__NR_close, r[21]); NONFAILING(*(uint64_t*)0x20000140 = 0); res = syscall(__NR_signalfd4, -1, 0x20000140ul, 8ul, 0ul); if (res != -1) r[22] = res; syscall(__NR_close, r[22]); syscall(__NR_ioctl, r[22], 0x5411ul, 0x20000080ul); NONFAILING(*(uint64_t*)0x20000140 = 0); res = syscall(__NR_signalfd4, -1, 0x20000140ul, 8ul, 0ul); if (res != -1) r[23] = res; syscall(__NR_close, r[23]); syscall(__NR_close, -1); syscall(__NR_ioctl, -1, 0x5411ul, 0x20000080ul); NONFAILING(*(uint64_t*)0x20000140 = 0); res = syscall(__NR_signalfd4, -1, 0x20000140ul, 8ul, 0ul); if (res != -1) r[24] = res; syscall(__NR_ioctl, r[24], 0x5411ul, 0x20000080ul); res = syscall(__NR_socket, 2ul, 2ul, 1ul); if (res != -1) r[25] = res; syscall(__NR_socketpair, 1ul, 1ul, 0ul, 0x200000c0ul); syscall(__NR_getpgid, 0); res = syscall(__NR_socket, 1ul, 1ul, 0ul); if (res != -1) r[26] = res; NONFAILING(*(uint16_t*)0x20000280 = 1); NONFAILING(memcpy( (void*)0x20000282, "\351\037q\211Y\036\2223aK\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000", 108)); syscall(__NR_connect, r[26], 0x20000280ul, 0x6eul); NONFAILING(*(uint64_t*)0x20000100 = 0xffff); syscall(__NR_ioctl, -1, 0x40087602ul, 0x20000100ul); NONFAILING(*(uint16_t*)0x20000080 = 1); NONFAILING(memcpy( (void*)0x20000082, "\351\037q\211Y\036\2223aK\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000" 
"\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000", 108)); syscall(__NR_bind, -1, 0x20000080ul, 0x31ul); syscall(__NR_listen, -1, 0); res = syscall(__NR_accept, -1, 0ul, 0ul); if (res != -1) r[27] = res; res = syscall(__NR_socket, 1ul, 1ul, 0ul); if (res != -1) r[28] = res; syscall(__NR_bind, r[28], 0ul, 0ul); syscall(__NR_listen, r[28], 0); res = syscall(__NR_accept, r[28], 0ul, 0ul); if (res != -1) r[29] = res; syscall(__NR_ioctl, r[29], 0x5411ul, 0x20000040ul); NONFAILING(*(uint16_t*)0x20000080 = 1); NONFAILING(memcpy( (void*)0x20000082, "\351\037q\211Y\036\2223aK\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000", 108)); syscall(__NR_bind, -1, 0x20000080ul, 0x31ul); res = syscall(__NR_accept, -1, 0ul, 0ul); if (res != -1) r[30] = res; syscall(__NR_ioctl, r[30], 0x5411ul, 0x20000040ul); res = syscall(__NR_timerfd_create, 0ul, 0ul); if (res != -1) r[31] = res; res = syscall(__NR_fcntl, r[31], 9ul, 0); if (res != -1) r[32] = res; syscall(__NR_fcntl, r[31], 8ul, r[32]); res = syscall(__NR_getuid); if (res != -1) r[33] = res; NONFAILING(memcpy((void*)0x20001f00, "\351\037q\211Y\036\2223aK\000", 11)); res = syscall(__NR_statx, 0xffffff9c, 0x20001f00ul, 0x2000ul, 0x3d351abfbbc950acul, 0x20001f40ul); if (res != -1) NONFAILING(r[34] = *(uint32_t*)0x20001f58); NONFAILING(*(uint16_t*)0x20000280 = 1); NONFAILING(memcpy( (void*)0x20000282, "\351\037q\211Y\036\2223aK\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000" 
"\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000", 108)); syscall(__NR_connect, -1, 0x20000280ul, 0x6eul); NONFAILING(memcpy((void*)0x20002280, "/dev/urandom\000", 13)); res = syscall(__NR_openat, 0xffffffffffffff9cul, 0x20002280ul, 0x3183b1a56d9fea87ul, 0ul); if (res != -1) r[35] = res; syscall(__NR_socketpair, 1ul, 5ul, 0, 0ul); res = syscall(__NR_socket, 1ul, 1ul, 0ul); if (res != -1) r[36] = res; NONFAILING(*(uint16_t*)0x20000080 = 1); NONFAILING(memcpy( (void*)0x20000082, "\351\037q\211Y\036\2223aK\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000", 108)); syscall(__NR_bind, r[36], 0x20000080ul, 0x31ul); syscall(__NR_listen, r[36], 0); res = syscall(__NR_accept, r[36], 0ul, 0ul); if (res != -1) r[37] = res; syscall(__NR_ioctl, r[37], 0x5411ul, 0x20000040ul); NONFAILING(*(uint64_t*)0x20002400 = 0); NONFAILING(*(uint32_t*)0x20002408 = 0); NONFAILING(*(uint64_t*)0x20002410 = 0x20000240); NONFAILING(*(uint64_t*)0x20000240 = 0x200001c0); NONFAILING(memcpy((void*)0x200001c0, "\x3a\xe9\x9c\xff\x5d\x8c\x69\x1b\xc3" "\xd5\xd2\x14\x5d\x0d\xba\xdf\x7c\xbb" "\x1a\x03\x52\xff\x23\xf5\x34\x26\x65" "\xd8\x4d\x71\x2f\x8e\x87\x19\x6d", 35)); NONFAILING(*(uint64_t*)0x20000248 = 0x23); NONFAILING(*(uint64_t*)0x20000250 = 0x20000200); NONFAILING(*(uint64_t*)0x20000258 = 0); NONFAILING(*(uint64_t*)0x20002418 = 2); NONFAILING(*(uint64_t*)0x20002420 = 0); NONFAILING(*(uint64_t*)0x20002428 = 0); 
NONFAILING(*(uint32_t*)0x20002430 = 4); NONFAILING(*(uint64_t*)0x20002438 = 0x200003c0); NONFAILING(*(uint16_t*)0x200003c0 = 1); NONFAILING(memcpy( (void*)0x200003c2, "\351\037q\211Y\036\2223aK\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000", 108)); NONFAILING(*(uint32_t*)0x20002440 = 0x6e); NONFAILING(*(uint64_t*)0x20002448 = 0x20000900); NONFAILING(*(uint64_t*)0x20000900 = 0x20000440); NONFAILING(memcpy( (void*)0x20000440, "\xac\xa8\x1b\xcf\x0a\xf0\x45\x6e\xd3\x60\x69\x97\xbc\xa7\x01\x4e\xb9\x5d" "\x11\xa9\x40\x0d\xa5\xd5\x7e\x33\x67\xe7\xb0\xe4\xb0\x67\x1d\xc3\xe4\x47" "\xfa\xa5\x19\x53\xf8\xc8\xda\x0d\x6c\x95\xc5\x1e\xfc\x04\x94\x60\xdf\xaa" "\xd5\x3c\x64\x87\xfd\x9a\xee\x07\xa2\x35\x7a\x16\xca\xfb\x20\x99\x6d\x4c" "\x20\x3b\xb7\x21\x9c\xaf\xc2\xda\x53\x86\x45\x0c\x74\x40\xdb\x17\x48\x57" "\x2a\xb7\x64\x8f\xd0\xf6\xb1\xae\xa6\x53\xd1\x13\x18\x6a\xc7\x53\x5d\x24" "\xbe\xc4\x39\xdf\xb0\x0b\x5a\x09\x53\xc0\xe4\x80\x14\x14\x29\xfc\xd5\x36" "\xc1\x72\x5a\x5a\xa7\xc9\xee\xfd\x38\x8f\xa4\x31\xad\x16\x76\xbd\xb6\x89" "\x13\xa5\x21\x85\x57\x64\xee\xe6\x54\xae\xec\xee\x2f\x3c\x4c\xef\xb1\x30" "\xbd\xea\xc4\xca\xd2\x1c\x72\x63\xca\x2f\x16\x93\x79\xa4\xa8\xfb\xbd\x15" "\x24\x29\xb2\x62\x8b\x57\x6a\x38\x1d\xb0\x83\x08\x02\xc5\xc6\x9d\x83\xcc" "\x64\x52\xde\x87\xda\x5b\xa4\x93\xe4\xfe\x4d\x53\x9f\xac\xff\x24\x63\x55" "\x5b\x06\xec\x0f\x4c\xd7\x0c\x84\x9a\x21\x26\x9a\xc4\xf7\x88\x76\x82\xdc" "\x23\x41\xb8\xa3\x92\xe3\x26\xab\xbb\xe2\x0f\xc3\x4f\xb8", 248)); NONFAILING(*(uint64_t*)0x20000908 = 0xf8); NONFAILING(*(uint64_t*)0x20000910 = 0x20000540); NONFAILING(memcpy( (void*)0x20000540, 
"\xa6\xe8\x49\x92\x58\x17\xc5\x2a\x65\x00\xf1\xfa\x3f\x26\x77\x04\xda", 17)); NONFAILING(*(uint64_t*)0x20000918 = 0x11); NONFAILING(*(uint64_t*)0x20000920 = 0x20000580); NONFAILING(memcpy( (void*)0x20000580, "\xfc\x48\xb5\x07\x10\xf1\x99\x2d\x70\x7f\x71\xa8\x53\x63\x90\x6b\x5c\x18" "\xf7\xcd\x90\x44\x12\xd2\x25\x18\x8d\x59\xfa\xb8\x59\xf1\x94\xab\x95\x72" "\x2b\x73\x12\x4b\x7c\x34\xe7\x93\x17\xc5\xe7\x8b\x36\x63\x88\x7a\xb3\x5c" "\x3f\x87\x62\x2c\x90\xd5\x46\x3c\x13\x66\x53\x52\x07\x76\xe2\x1a\xf4\xb6" "\xd2\xd5\x7d\x47\xf1\xd4\x6e\xfb\x9a\x34\xe4\xfa\xa6\xc7\x91\x87\xcf\x91" "\x83\x0b\xd2\xc1\xe5\x6b\x73\x10\x8b\x4b\xb7\x35\xe8\x50\x8f\xb3\xc3\xdc" "\xeb\x48\x40\xdc\xf6\x38\x0f\xb4\x4f\x07\xa8\x75\xdf\xcf\xef\x09\x2d\x8c" "\x13\xe2\x17\xca\x27\x47\xcc\xc4\xef\xe2\xbb\x9d\x40", 139)); NONFAILING(*(uint64_t*)0x20000928 = 0x8b); NONFAILING(*(uint64_t*)0x20000930 = 0); NONFAILING(*(uint64_t*)0x20000938 = 0); NONFAILING(*(uint64_t*)0x20000940 = 0x20000740); NONFAILING(memcpy( (void*)0x20000740, "\x8a\x33\x3f\x15\x03\x99\xd5\xbd\xb4\xf8\x45\x8e\x3b\xb3\x6d\x66\x05\x02" "\xf9\x6b\xbb\xb7\x71\x4c\x89\x37\xf5\xd3\x45\x5d\x4f\x3c\x49\x58\x8e\xd0" "\x49\x80\x0e\x5f\xd9\xfa\xcd\x6f\x94\xf9\xdc\xe5\xda\x66\xcd\x89\xf8\x35" "\x2f\x48\x5d\x2e\x94\x23\x68\x65\x32\x3b\x03\xf6\x55\x61\xd5\x1c\x8a\x70" "\x21\x2c\x30\x8a\x84\xc6\xb0\x2a\xea\x50\x59\x77\x98\x83\x3b\x61\x2d\xb2" "\xdd\x89\x56\xfe\xcb\x1b\x51\xc2\xce", 99)); NONFAILING(*(uint64_t*)0x20000948 = 0x63); NONFAILING(*(uint64_t*)0x20000950 = 0x200007c0); NONFAILING(memcpy( (void*)0x200007c0, "\xb7\xc2\x96\x88\x39\xe9\xd1\x20\x53\x97\xcc\x1f\xf3\xbb\xa2\x84\xea\x5c" "\xdd\x58\x7f\x88\x0c\x82\x3a\x29\x7e\x3f\x50\x24\xe5\xdb\x91\x13\xfc\xc8" "\x78\xbd\x78\xa5\xc0\x82\xc6\xd8\x08\x84\x6e\x02\x4e\x20\x2a\xf4\x3d\x4a" "\xbf\xb9\x3c\xfe\x75\x79\xdd\xa3\x42\xd3\xc1\x25\x4d\xdf\x8c\x66\xb4\x9c" "\xca\xa1\x04\xf8\x47\xfa\xa4\xc9\xc7\xcb\xe1\x83\x38\x36\xd5\x0a\xf0\xbc" 
"\x88\xa6\x88\x1d\xe5\x8b\xbb\x3c\x35\xd8\xcf\x05\xb9\xfe\x08\x9b\x15\x2f" "\xa4\x41\xd5\x6c\x1b\x96\x0f\x17\x2b\xf7\xa5\xd3\x79\xbd\x7d\xc0\xe3\x40" "\xa0\x6b\x8e\xc2\x32\x39\x23\x83\x58\x53\xea\x67\x07\x25\x22\xa5\x11\xc0" "\xbb\x82\x14\x32\x47\x35\xa0\xb0\x0e\xee\x54\x02\x44\x51\x43\x72\xd2\x92" "\x53\xc9\x04\x7d\xc7\x1a\x01\xd0\xe2\xfb\xdb\x92\x78\x94\x05\x31\xd5\xac" "\xc5\xd5\xd2\x4e\x85\x92\x7f\x93\x5b\xf3\x23\x14\xa8\x06\xf8\x1f\xaa\x21" "\x46\x57\xa8\xcb\x71\x30\xec\xa5\x96\x31\x0c\x44\xc3\x62\x74\x81\xcc\xd4" "\x81\x3f", 218)); NONFAILING(*(uint64_t*)0x20000958 = 0xda); NONFAILING(*(uint64_t*)0x20000960 = 0); NONFAILING(*(uint64_t*)0x20000968 = 0); NONFAILING(*(uint64_t*)0x20002450 = 7); NONFAILING(*(uint64_t*)0x20002458 = 0); NONFAILING(*(uint64_t*)0x20002460 = 0); NONFAILING(*(uint32_t*)0x20002468 = 0x3d5934bd); NONFAILING(*(uint64_t*)0x20002470 = 0x20000980); NONFAILING(*(uint16_t*)0x20000980 = 1); NONFAILING(*(uint8_t*)0x20000982 = 0); NONFAILING(*(uint32_t*)0x20000984 = 0x4e24); NONFAILING(*(uint32_t*)0x20002478 = 0x6e); NONFAILING(*(uint64_t*)0x20002480 = 0); NONFAILING(*(uint64_t*)0x20002488 = 0); NONFAILING(*(uint64_t*)0x20002490 = 0x20002040); NONFAILING(*(uint64_t*)0x20002040 = 0x1c); NONFAILING(*(uint32_t*)0x20002048 = 1); NONFAILING(*(uint32_t*)0x2000204c = 2); NONFAILING(*(uint32_t*)0x20002050 = r[32]); NONFAILING(*(uint32_t*)0x20002054 = r[33]); NONFAILING(*(uint32_t*)0x20002058 = r[34]); NONFAILING(*(uint64_t*)0x20002498 = 0x20); NONFAILING(*(uint32_t*)0x200024a0 = 0x4000); NONFAILING(*(uint64_t*)0x200024a8 = 0x20002080); NONFAILING(*(uint16_t*)0x20002080 = 1); NONFAILING(memcpy((void*)0x20002082, ".\000\000\000\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000\000\000" 
"\000\000\000\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000", 108)); NONFAILING(*(uint32_t*)0x200024b0 = 0x6e); NONFAILING(*(uint64_t*)0x200024b8 = 0x20002240); NONFAILING(*(uint64_t*)0x20002240 = 0x20002100); NONFAILING(memcpy( (void*)0x20002100, "\xa2\xbb\x99\x46\xee\x23\x03\x6e\xca\xed\xc1\x43\x02\x69\xcf\x9e\xab\xdd" "\x27\x45\xb7\xd2\x9d\xc5\xa1\xcd\x17\x75\xd4\x7a\x71\x55\x4a\x27\x07\x23" "\x75\x2f\x4a\xa2\x85\x73\xf4\x16\x8f\x32\x60\x58\x5a\xb1\xe4\x13\x3b\x73" "\xfb\x26\x4e\x30\x47\xcf\xdc\x48\x92\xde\xb0\xdd\x61\xcb\xa4\x45\xab\xf2" "\x50\x04\x8a\x7e\x88\x1f\xe5\x46\x78\x2a\xfa\xdc\x76\x3c\x48\x46\xa6\xfc" "\x37\x15\x34\xf7\x37\x0b\xf3\x4a\xad\x27\x1f\x53\xdd\x4c\x32\x33\x5e\x5c" "\x99\x0e\x32\x88\xd9\x6e\x8e\x0e\x06\xcd\xba\xbe\x3b\x4b\x82\x51\xa3\x1b" "\x53\x59\x15\x1e\xfd\x84\x63\x03\xb2\xe7\x94\xe9", 138)); NONFAILING(*(uint64_t*)0x20002248 = 0x8a); NONFAILING(*(uint64_t*)0x20002250 = 0x200021c0); NONFAILING(memcpy( (void*)0x200021c0, "\x28\xa5\x2f\x56\x97\x93\x0f\x83\x50\x88\x40\x1d\x2e\x4c\x00\x28\xb6\xd8" "\x17\x03\x8b\xcb\xb2\x09\xe8\xc6\xee\x34\x79\x19\x70\xca\xd6\x06\x54\x4b" "\x3b\xfc\x59\xf2\xd6\xe3\xd9\xb7\xd9\x35\x34\xfd\x04\x26\x24\x4c\xd3\x0b" "\xac\xb3\xe2\x91\x6e\xe3\x2f\xf7\x76\x50\x08\xdf\x60\xaf\xca\x1d\xf7\x5c" "\xaf\x4b\xd4\x51\xc0\xd9\xbf\x54\x25\xca\x3d\xf9\xd6\x4c\x56\xff\x4f\xd0" "\xaf\xff\xb0\x85\x30\x31\xa5\x33\x83\x25\xf9\xb2\xc3\x75\xea\x8a\xeb\x53" "\x53\x03\xbf\x46\x33\x73\x62\xcf\xbe\xfc\xfa\xeb", 120)); NONFAILING(*(uint64_t*)0x20002258 = 0x78); NONFAILING(*(uint64_t*)0x200024c0 = 2); NONFAILING(*(uint64_t*)0x200024c8 = 0x20002540); NONFAILING(memcpy( (void*)0x20002540, "\x1c\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00", 16)); NONFAILING(*(uint32_t*)0x20002550 = -1); NONFAILING(*(uint32_t*)0x20002554 = r[35]); NONFAILING(*(uint32_t*)0x20002558 = -1); NONFAILING(memcpy( (void*)0x2000255c, 
"\x00\x00\x00\x00\x24\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x01\x00" "\x37\xb0\x57\x4a\x9f\xdc\x45\x46\x1d\xab\x3d\xcf\x01\x20\x0a\x19\x84\xf3" "\x11\x9d\xea\x87\x79\x54\x8d\x21\xee\xb8\xab\x5b\x7c\xb0\x69\xbc\xa7\x40" "\x88\x03\x6c\x32\xfa\x53\x64\xe1\xde\x32\x39\x77\xa2\x7f\x06\xb9\x1c\xa1" "\x10\x0c\xed\x6a\xcf\x4b\x2c\xfb\x92\x7c\x54\xab\x9e\x63\x57\x34\x38\xa8" "\x05\xc6\xcc\x1a\x1a\x62\x6b\xee\xbd\xd7\x24\xf3\x2b\xc1\x0d\x91\xbd\x75" "\x75\xec\x40\xdd\x99\xa4\x13\xd2\xc7\x66\x25\x54\x1b\xb5\x85\x58\xa7\x6a" "\xf6\x9e\xf0\x1b\x5d\x29\xb1\x3d\xde\x5b\x97\xc0\xae\x7d\x47\xf9\x00\x73" "\x97\xb1\x9e\x5a\x0f\x67\x85\xb7\xb4\xee\x7b\x56\xba\x87\xd4\x1d\xc2\x20" "\x36\x59\x93\x95\xff\xa7\x09\x59\x8e\x9e\xdf\x54\xb8\x20\x5f\x40\x8a\xf2" "\x6b\x55\xb2\x19\x85\x17\x5f\x50\x78\x0f\x14\x87\x50\x33\x11\x68\xb2\x22" "\xd3\x71\xe1\xbb\xc2\xed\xae\xf5\x1c\xbf\xa2\xc2\x46\x64\x91\x24\xbd\xf4" "\x64\x14\x22\x32\x3a\xeb\xca\xff\xa6\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x92\x48\x07\x58\x73\x73\x7d\xbf\xa1\x06\x2d\x81\x0d\xdc\xd5\x0b" "\x58\xed\x23\x96\x63\xd2\x0c\xa0\xbf\x8d\xa8\x73\x32\x20\x68\x31\xee\x05" "\x55\xd2\x36\x8b\xf9\x4c\x33\x42\x0f\x72\x2f\xed\xa9\xb4\x6c\x4e\xa4\xa6" "\xd4\x08\x01\xda\xa7\x5c\x9f\xb5\xc2\x5b\x20\x49\x61\x0c\xcd\x23\x72\xf6" "\xec\xd4\x38\x10\x57\xb0\x9c\x78\xf1\xbd\xd8\xc9\xc1\xab\x2e\x09\x9c\xe6" "\x4c\x4a\x4d\x1c\x2e\xcb\x45\x88\xe3\x70\x13\x55\x08\x3c\x6b", 339)); NONFAILING(*(uint32_t*)0x200026af = -1); NONFAILING(*(uint32_t*)0x200026b3 = r[26]); NONFAILING(*(uint32_t*)0x200026b7 = -1); NONFAILING(*(uint32_t*)0x200026bb = r[37]); NONFAILING(*(uint32_t*)0x200026bf = -1); NONFAILING(memcpy((void*)0x200026c3, "\000\000\000\000", 4)); NONFAILING(*(uint64_t*)0x200024d0 = 0x187); NONFAILING(*(uint32_t*)0x200024d8 = 0x20810); syscall(__NR_sendmmsg, -1, 0x20002400ul, 4ul, 0x81ul); res = syscall(__NR_socket, 1ul, 1ul, 0ul); if (res != -1) r[38] = res; syscall(__NR_socket, 1ul, 1ul, 0ul); syscall(__NR_ioctl, r[38], 0x40087602ul, 0ul); res = 
syscall(__NR_socket, 1ul, 1ul, 0ul); if (res != -1) r[39] = res; syscall(__NR_listen, r[39], 0); syscall(__NR_accept, r[39], 0ul, 0ul); res = syscall(__NR_socket, 1ul, 1ul, 0ul); if (res != -1) r[40] = res; NONFAILING(*(uint16_t*)0x20000080 = 1); NONFAILING(memcpy( (void*)0x20000082, "\351\037q\211Y\036\2223aK\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000", 108)); syscall(__NR_bind, r[40], 0x20000080ul, 0x31ul); syscall(__NR_listen, r[40], 0); res = syscall(__NR_accept, r[40], 0ul, 0ul); if (res != -1) r[41] = res; syscall(__NR_ioctl, r[41], 0x5411ul, 0x20000040ul); res = syscall(__NR_socket, 1ul, 1ul, 0ul); if (res != -1) r[42] = res; syscall(__NR_listen, r[42], 0); res = syscall(__NR_accept, r[42], 0ul, 0ul); if (res != -1) r[43] = res; syscall(__NR_ioctl, r[43], 0x5411ul, 0x20000040ul); res = syscall(__NR_timerfd_create, 0ul, 0ul); if (res != -1) r[44] = res; syscall(__NR_fcntl, r[44], 9ul, 0); res = syscall(__NR_getuid); if (res != -1) r[45] = res; syscall(__NR_setreuid, 0xee00, r[45]); res = syscall(__NR_statx, 0xffffff9c, 0ul, 0x2000ul, 0x3d351abfbbc950acul, 0x20001f40ul); if (res != -1) NONFAILING(r[46] = *(uint32_t*)0x20001f58); NONFAILING(*(uint16_t*)0x20000280 = 1); NONFAILING(memcpy( (void*)0x20000282, "\351\037q\211Y\036\2223aK\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000" 
"\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000", 108)); syscall(__NR_connect, -1, 0x20000280ul, 0x6eul); NONFAILING(memcpy((void*)0x20002280, "/dev/urandom\000", 13)); syscall(__NR_openat, 0xffffffffffffff9cul, 0x20002280ul, 0x3183b1a56d9fea87ul, 0ul); syscall(__NR_socketpair, 1ul, 5ul, 0, 0ul); res = syscall(__NR_socket, 1ul, 1ul, 0ul); if (res != -1) r[47] = res; NONFAILING(*(uint16_t*)0x20000080 = 1); NONFAILING(memcpy( (void*)0x20000082, "\351\037q\211Y\036\2223aK\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000", 108)); syscall(__NR_bind, r[47], 0x20000080ul, 0x31ul); syscall(__NR_listen, r[47], 0); syscall(__NR_ioctl, -1, 0x5411ul, 0x20000040ul); syscall(__NR_sendmmsg, r[39], 0ul, 0ul, 0x81ul); res = syscall(__NR_fcntl, r[1], 0x10ul, 0x20001c00ul); if (res != -1) NONFAILING(r[48] = *(uint32_t*)0x20001c04); res = syscall(__NR_socket, 1ul, 1ul, 0ul); if (res != -1) r[49] = res; res = syscall(__NR_socket, 1ul, 1ul, 0ul); if (res != -1) r[50] = res; NONFAILING(*(uint16_t*)0x20000280 = 1); NONFAILING(memcpy( (void*)0x20000282, "\351\037q\211Y\036\2223aK\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000", 108)); syscall(__NR_connect, r[50], 0x20000280ul, 0x6eul); NONFAILING(*(uint64_t*)0x20000100 = 0xffff); syscall(__NR_ioctl, r[49], 0x40087602ul, 
0x20000100ul); res = syscall(__NR_socket, 1ul, 1ul, 0ul); if (res != -1) r[51] = res; syscall(__NR_listen, r[51], 0); syscall(__NR_accept, r[51], 0ul, 0ul); res = syscall(__NR_socket, 1ul, 1ul, 0ul); if (res != -1) r[52] = res; NONFAILING(*(uint16_t*)0x20000080 = 1); NONFAILING(memcpy( (void*)0x20000082, "\351\037q\211Y\036\2223aK\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000", 108)); syscall(__NR_bind, r[52], 0x20000080ul, 0x31ul); syscall(__NR_listen, r[52], 0); res = syscall(__NR_accept, r[52], 0ul, 0ul); if (res != -1) r[53] = res; syscall(__NR_ioctl, r[53], 0x5411ul, 0x20000040ul); res = syscall(__NR_socket, 1ul, 1ul, 0ul); if (res != -1) r[54] = res; syscall(__NR_listen, r[54], 0); res = syscall(__NR_accept, r[54], 0ul, 0ul); if (res != -1) r[55] = res; syscall(__NR_ioctl, r[55], 0x5411ul, 0x20000040ul); res = syscall(__NR_timerfd_create, 0ul, 0ul); if (res != -1) r[56] = res; res = syscall(__NR_fcntl, r[56], 9ul, 0); if (res != -1) r[57] = res; syscall(__NR_fcntl, r[56], 8ul, r[57]); res = syscall(__NR_getuid); if (res != -1) r[58] = res; syscall(__NR_setreuid, 0xee00, r[58]); NONFAILING(memcpy((void*)0x20001f00, "\351\037q\211Y\036\2223aK\000", 11)); syscall(__NR_statx, 0xffffff9c, 0x20001f00ul, 0x2000ul, 0x3d351abfbbc950acul, 0x20001f40ul); NONFAILING(*(uint16_t*)0x20000280 = 1); NONFAILING(memcpy( (void*)0x20000282, "\351\037q\211Y\036\2223aK\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000" 
"\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000", 108)); syscall(__NR_connect, -1, 0x20000280ul, 0x6eul); syscall(__NR_socketpair, 1ul, 5ul, 0, 0x20002300ul); res = syscall(__NR_socket, 1ul, 1ul, 0ul); if (res != -1) r[59] = res; syscall(__NR_bind, r[59], 0ul, 0ul); syscall(__NR_listen, r[59], 0); res = syscall(__NR_accept, r[59], 0ul, 0ul); if (res != -1) r[60] = res; syscall(__NR_ioctl, r[60], 0x5411ul, 0x20000040ul); syscall(__NR_sendmmsg, r[51], 0ul, 0ul, 0x81ul); res = syscall(__NR_socket, 1ul, 1ul, 0ul); if (res != -1) r[61] = res; res = syscall(__NR_socket, 1ul, 1ul, 0ul); if (res != -1) r[62] = res; syscall(__NR_connect, r[62], 0ul, 0ul); syscall(__NR_ioctl, r[61], 0x40087602ul, 0ul); res = syscall(__NR_socket, 1ul, 1ul, 0ul); if (res != -1) r[63] = res; NONFAILING(*(uint16_t*)0x20000080 = 1); NONFAILING(memcpy( (void*)0x20000082, "\351\037q\211Y\036\2223aK\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000", 108)); syscall(__NR_bind, r[63], 0x20000080ul, 0x31ul); syscall(__NR_listen, r[63], 0); syscall(__NR_accept, r[63], 0ul, 0ul); res = syscall(__NR_socket, 1ul, 1ul, 0ul); if (res != -1) r[64] = res; NONFAILING(*(uint16_t*)0x20000080 = 1); NONFAILING(memcpy( (void*)0x20000082, "\351\037q\211Y\036\2223aK\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000" 
"\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000", 108)); syscall(__NR_bind, r[64], 0x20000080ul, 0x31ul); syscall(__NR_listen, r[64], 0); res = syscall(__NR_accept, r[64], 0ul, 0ul); if (res != -1) r[65] = res; syscall(__NR_ioctl, r[65], 0x5411ul, 0x20000040ul); NONFAILING(*(uint16_t*)0x20000080 = 1); NONFAILING(memcpy( (void*)0x20000082, "\351\037q\211Y\036\2223aK\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000", 108)); syscall(__NR_bind, -1, 0x20000080ul, 0x31ul); syscall(__NR_listen, -1, 0); res = syscall(__NR_accept, -1, 0ul, 0ul); if (res != -1) r[66] = res; syscall(__NR_ioctl, r[66], 0x5411ul, 0x20000040ul); res = syscall(__NR_timerfd_create, 0ul, 0ul); if (res != -1) r[67] = res; res = syscall(__NR_fcntl, r[67], 9ul, 0); if (res != -1) r[68] = res; syscall(__NR_fcntl, r[67], 8ul, r[68]); res = syscall(__NR_getuid); if (res != -1) r[69] = res; syscall(__NR_setreuid, 0xee00, r[69]); NONFAILING(*(uint16_t*)0x20000280 = 1); NONFAILING(memcpy( (void*)0x20000282, "\351\037q\211Y\036\2223aK\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000", 108)); syscall(__NR_connect, -1, 0x20000280ul, 0x6eul); 
NONFAILING(memcpy((void*)0x20002280, "/dev/urandom\000", 13)); syscall(__NR_openat, 0xffffffffffffff9cul, 0x20002280ul, 0x3183b1a56d9fea87ul, 0ul); syscall(__NR_socketpair, 1ul, 5ul, 0, 0x20002300ul); res = syscall(__NR_socket, 1ul, 1ul, 0ul); if (res != -1) r[70] = res; NONFAILING(*(uint16_t*)0x20000080 = 1); NONFAILING(memcpy( (void*)0x20000082, "\351\037q\211Y\036\2223aK\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000", 108)); syscall(__NR_bind, r[70], 0x20000080ul, 0x31ul); syscall(__NR_listen, r[70], 0); res = syscall(__NR_accept, r[70], 0ul, 0ul); if (res != -1) r[71] = res; syscall(__NR_ioctl, r[71], 0x5411ul, 0x20000040ul); res = syscall(__NR_socket, 1ul, 1ul, 0ul); if (res != -1) r[72] = res; res = syscall(__NR_socket, 1ul, 1ul, 0ul); if (res != -1) r[73] = res; syscall(__NR_connect, r[73], 0ul, 0ul); NONFAILING(*(uint64_t*)0x20000100 = 0xffff); syscall(__NR_ioctl, r[72], 0x40087602ul, 0x20000100ul); res = syscall(__NR_socket, 1ul, 1ul, 0ul); if (res != -1) r[74] = res; NONFAILING(*(uint16_t*)0x20000080 = 1); NONFAILING(memcpy( (void*)0x20000082, "\351\037q\211Y\036\2223aK\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000", 108)); syscall(__NR_bind, r[74], 0x20000080ul, 0x31ul); syscall(__NR_listen, r[74], 0); syscall(__NR_accept, r[74], 0ul, 0ul); res = 
syscall(__NR_socket, 1ul, 1ul, 0ul); if (res != -1) r[75] = res; syscall(__NR_bind, r[75], 0ul, 0ul); syscall(__NR_listen, r[75], 0); res = syscall(__NR_accept, r[75], 0ul, 0ul); if (res != -1) r[76] = res; syscall(__NR_ioctl, r[76], 0x5411ul, 0x20000040ul); res = syscall(__NR_socket, 1ul, 1ul, 0ul); if (res != -1) r[77] = res; syscall(__NR_listen, r[77], 0); res = syscall(__NR_accept, r[77], 0ul, 0ul); if (res != -1) r[78] = res; syscall(__NR_ioctl, r[78], 0x5411ul, 0ul); res = syscall(__NR_timerfd_create, 0ul, 0ul); if (res != -1) r[79] = res; syscall(__NR_fcntl, r[79], 8ul, 0); res = syscall(__NR_getuid); if (res != -1) r[80] = res; syscall(__NR_setreuid, 0xee00, r[80]); NONFAILING(memcpy((void*)0x20001f00, "\351\037q\211Y\036\2223aK\000", 11)); res = syscall(__NR_statx, 0xffffff9c, 0x20001f00ul, 0x2000ul, 0x3d351abfbbc950acul, 0x20001f40ul); if (res != -1) NONFAILING(r[81] = *(uint32_t*)0x20001f58); syscall(__NR_socket, 1ul, 1ul, 0ul); NONFAILING(memcpy((void*)0x20002280, "/dev/urandom\000", 13)); syscall(__NR_openat, 0xffffffffffffff9cul, 0x20002280ul, 0x3183b1a56d9fea87ul, 0ul); syscall(__NR_socketpair, 1ul, 5ul, 0, 0ul); res = syscall(__NR_socket, 1ul, 1ul, 0ul); if (res != -1) r[82] = res; NONFAILING(*(uint16_t*)0x20000080 = 1); NONFAILING(memcpy( (void*)0x20000082, "\351\037q\211Y\036\2223aK\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000", 108)); syscall(__NR_bind, r[82], 0x20000080ul, 0x31ul); res = syscall(__NR_accept, r[82], 0ul, 0ul); if (res != -1) r[83] = res; syscall(__NR_ioctl, r[83], 0x5411ul, 0x20000040ul); NONFAILING(*(uint64_t*)0x20002400 = 0x20000140); NONFAILING(*(uint16_t*)0x20000140 = 
1); NONFAILING(memcpy((void*)0x20000142, "\351\037q\211Y\036\2223aK/../" "file0\000\000\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000", 108)); NONFAILING(*(uint32_t*)0x20002408 = 0x6e); NONFAILING(*(uint64_t*)0x20002410 = 0x20000240); NONFAILING(*(uint64_t*)0x20000240 = 0x200001c0); NONFAILING(memcpy((void*)0x200001c0, "\x3a\xe9\x9c\xff\x5d\x8c\x69\x1b\xc3" "\xd5\xd2\x14\x5d\x0d\xba\xdf\x7c\xbb" "\x1a\x03\x52\xff\x23\xf5\x34\x26\x65" "\xd8\x4d\x71\x2f\x8e\x87\x19\x6d", 35)); NONFAILING(*(uint64_t*)0x20000248 = 0x23); NONFAILING(*(uint64_t*)0x20000250 = 0x20000200); NONFAILING(*(uint64_t*)0x20000258 = 0); NONFAILING(*(uint64_t*)0x20002418 = 2); NONFAILING(*(uint64_t*)0x20002420 = 0x20000380); NONFAILING(*(uint64_t*)0x20000380 = 0x24); NONFAILING(*(uint32_t*)0x20000388 = 1); NONFAILING(*(uint32_t*)0x2000038c = 1); NONFAILING(*(uint32_t*)0x20000390 = r[76]); NONFAILING(*(uint32_t*)0x20000394 = r[78]); NONFAILING(*(uint32_t*)0x20000398 = r[72]); NONFAILING(*(uint32_t*)0x2000039c = -1); NONFAILING(*(uint32_t*)0x200003a0 = -1); NONFAILING(*(uint64_t*)0x20002428 = 0x28); NONFAILING(*(uint32_t*)0x20002430 = 4); NONFAILING(*(uint64_t*)0x20002438 = 0x200003c0); NONFAILING(*(uint16_t*)0x200003c0 = 1); NONFAILING(memcpy( (void*)0x200003c2, "\351\037q\211Y\036\2223aK\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000" 
"\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000", 108)); NONFAILING(*(uint32_t*)0x20002440 = 0x6e); NONFAILING(*(uint64_t*)0x20002448 = 0x20000900); NONFAILING(*(uint64_t*)0x20000900 = 0); NONFAILING(*(uint64_t*)0x20000908 = 0); NONFAILING(*(uint64_t*)0x20000910 = 0x20000540); NONFAILING(*(uint64_t*)0x20000918 = 0); NONFAILING(*(uint64_t*)0x20000920 = 0x20000580); NONFAILING(memcpy( (void*)0x20000580, "\xfc\x48\xb5\x07\x10\xf1\x99\x2d\x70\x7f\x71\xa8\x53\x63\x90\x6b\x5c\x18" "\xf7\xcd\x90\x44\x12\xd2\x25\x18\x8d\x59\xfa\xb8\x59\xf1\x94\xab\x95\x72" "\x2b\x73\x12\x4b\x7c\x34\xe7\x93\x17\xc5\xe7\x8b\x36\x63\x88\x7a\xb3\x5c" "\x3f\x87\x62\x2c\x90\xd5\x46\x3c\x13\x66\x53\x52\x07\x76\xe2\x1a\xf4\xb6" "\xd2\xd5\x7d\x47\xf1\xd4\x6e\xfb\x9a\x34\xe4\xfa\xa6\xc7\x91\x87\xcf\x91" "\x83\x0b\xd2\xc1\xe5\x6b\x73\x10\x8b\x4b\xb7\x35\xe8\x50\x8f\xb3\xc3\xdc" "\xeb\x48\x40\xdc\xf6\x38\x0f\xb4\x4f\x07\xa8\x75\xdf\xcf\xef\x09\x2d\x8c" "\x13\xe2\x17\xca\x27\x47\xcc\xc4\xef\xe2\xbb\x9d\x40", 139)); NONFAILING(*(uint64_t*)0x20000928 = 0x8b); NONFAILING(*(uint64_t*)0x20000930 = 0); NONFAILING(*(uint64_t*)0x20000938 = 0); NONFAILING(*(uint64_t*)0x20000940 = 0x20000740); NONFAILING(memcpy( (void*)0x20000740, "\x8a\x33\x3f\x15\x03\x99\xd5\xbd\xb4\xf8\x45\x8e\x3b\xb3\x6d\x66\x05\x02" "\xf9\x6b\xbb\xb7\x71\x4c\x89\x37\xf5\xd3\x45\x5d\x4f\x3c\x49\x58\x8e\xd0" "\x49\x80\x0e\x5f\xd9\xfa\xcd\x6f\x94\xf9\xdc\xe5\xda\x66\xcd\x89\xf8\x35" "\x2f\x48\x5d\x2e\x94\x23\x68\x65\x32\x3b\x03\xf6\x55\x61\xd5\x1c\x8a\x70" "\x21\x2c\x30\x8a\x84\xc6\xb0\x2a\xea\x50\x59\x77\x98\x83\x3b\x61\x2d\xb2" "\xdd\x89\x56\xfe\xcb\x1b\x51\xc2\xce", 99)); NONFAILING(*(uint64_t*)0x20000948 = 0x63); NONFAILING(*(uint64_t*)0x20000950 = 0x200007c0); NONFAILING(*(uint64_t*)0x20000958 = 0); NONFAILING(*(uint64_t*)0x20000960 = 0x200008c0); NONFAILING(memcpy((void*)0x200008c0, "\x13\xc6\x0b\x9c\x82\x9a\x64\xa4\x77\x3e\x5c\x1c\x05\x11" "\x80\x3e\x47\x36\x44\x17\x24\xa4\x06\x27\xd6\x52\x15\x4e" 
"\x7f\xbb\x6d\x5b\x2b\x38\x7e\xef\xaf\x71\xb9\xfe\x94\xbf" "\x3f\x4e\x5b\xcf\x15\x9f\xb9\x17\xda\xb6\xad\xfa\xa5\x3c" "\x89\xf1\x79", 59)); NONFAILING(*(uint64_t*)0x20000968 = 0x3b); NONFAILING(*(uint64_t*)0x20002450 = 7); NONFAILING(*(uint64_t*)0x20002458 = 0); NONFAILING(*(uint64_t*)0x20002460 = 0); NONFAILING(*(uint32_t*)0x20002468 = 0x3d5934bd); NONFAILING(*(uint64_t*)0x20002470 = 0x20000980); NONFAILING(*(uint16_t*)0x20000980 = 1); NONFAILING(*(uint8_t*)0x20000982 = 0); NONFAILING(*(uint32_t*)0x20000984 = 0x4e24); NONFAILING(*(uint32_t*)0x20002478 = 0x6e); NONFAILING(*(uint64_t*)0x20002480 = 0x20001e80); NONFAILING(*(uint64_t*)0x20001e80 = 0); NONFAILING(*(uint64_t*)0x20001e88 = 0); NONFAILING(*(uint64_t*)0x20001e90 = 0x20001a00); NONFAILING(memcpy( (void*)0x20001a00, "\x94\x56\x4a\x52\xc4\xed\x60\x88\x73\xbb\x89\xc0\x51\x77\xc1\x69\x95\xc1" "\xa2\x2f\x05\x61\xed\x83\x3a\xbc\x62\xc5\x32\x68\xea\x9c\x6e\xac\x5d\x77" "\x65\x88\x37\xb1\xc9\x7a\xec\x17\x92\xc4\xb0\xbb\x1e\xf8\x9d\x45\x3f\x2d" "\x27\x21\x9f\x8f\x75\x17\x1e\x56\xdf\x05\xf0\x9d\x6a\x51\xff\x7e\x61\x99" "\x12\x9a\x88\x22\x50\x59\x14\x9a\xb5\x62\x49\x7d\xb1\x16\x91\x62\xcc\x19" "\xc8\xdd\x6e\x53\xed\x8c\xd0\x67\xa6\xbe\xa9\xf0\x64\x5f\xb7\x00\x56\x40" "\xd8\xfc\xbc\xd3\x39\x5b\xc3\x9d\x60\xe3\x29\xe3\x3c\x21\x85\xef", 124)); NONFAILING(*(uint64_t*)0x20001e98 = 0x7c); NONFAILING(*(uint64_t*)0x20001ea0 = 0x20001a80); NONFAILING(memcpy((void*)0x20001a80, "\x7f\xc0\x9b\xf0\x96\x76\xb6\x76\xd5\x18\x74\x3c\x90\x05" "\x3f\xe9\x2b\x14\x2d\xb7\xaf\x04\x09\x13\xc0\x1f\xc3\x9c" "\x1b\xcf\xc7\xc0\xce\x90\xfa\xf5\xd9\x83\x5a\x2e\xb8\xd3" "\x8e\x7d\x9e\x89\xbb\xcf\x29\x80\x6c\xe4\xd2\x12\x50\x57" "\x1b\x5b\x1a\x8f\xc9\x88\xbe\x44\x27\x3e\xe0\xf3\xa6\x95" "\xea\xb3\xda\x18\x5d\x4e", 76)); NONFAILING(*(uint64_t*)0x20001ea8 = 0x4c); NONFAILING(*(uint64_t*)0x20001eb0 = 0); NONFAILING(*(uint64_t*)0x20001eb8 = 0); NONFAILING(*(uint64_t*)0x20001ec0 = 0x20001c00); NONFAILING(memcpy( (void*)0x20001c00, 
"\x55\x75\x7b\x6c\xc3\xc7\xa3\x33\xbc\xf3\xb4\xab\xc4\x83\xa5\xa5\x22\x36" "\x35\xbf\x7d\x61\x89\xa6\x7a\x55\x9f\x60\xbd\x96\x22\x87\x04\x06\x70\x3c" "\x5e\x5e\xfe\x03\x7f\x53\x91\x82\xd4\x8f\x06\xa0\xad\x0f\xb5\xfa\xb7\x53" "\xef\x8b\xd1\x15\xf9\xb6\x72\xf1\x39\xc5\x5f\x3f\x3c\x21\x6b\x10\xe7\x51" "\x39\xf4\x46\x09\x51\xc9\x76\x3b\xd6\x65\x0d\x1f\x6f\xf8\x31\xfd\x39\x27" "\xad\x50\x6e\x94\x94\x83\xd7\x61\xf5\xcb\xef\x33", 102)); NONFAILING(*(uint64_t*)0x20001ec8 = 0x66); NONFAILING(*(uint64_t*)0x20001ed0 = 0x20001c80); NONFAILING(memcpy( (void*)0x20001c80, "\x5e\x9a\x9a\x2a\x59\xb2\x8f\x53\xf7\x68\x1a\xbe\xe5\x6e\xd5\x1b\x18\x7d" "\x6c\x6e\xd6\x94\x09\x01\xdc\x74\x9e\xd2\xc3\xb6\xf6\x55\x06\x71\xad\x37" "\x2b\x2a\xd8\x9d\xa1\xd6\x82\x72\x57\x1b\x0b\x60\x67\x26\x87\x3a\x93\xf3" "\x96\x9d\x53\x58\x58\x78\xd9\xca\x7c\x0c\x98\x33\x7d\xf2\x48\x0f\x4e\x48" "\xf7\x8f\x37\xf0\xad\xdb\x25\x39\xe5\x26\x0b\x6f\x2f\x8d\x23\x65\x12\x5b" "\x02\x95\x6b\xf6\xab\xdd\xfb\xa1\x4d\x55\x8d\x34\xaa\x88\x21\xad\x1c\x4f" "\x9f\xa5\xf2\xc0\x68\xab\xbd\x35\x72\x4f\xab\xa0\x8b\x16\xf3\x7b\xfa\x58" "\x48\x14\x20\x5e\xcf\x8a\xe8\x84\xb0\x1d\x74\x8b\x35\x6f\x50\x5e\xed\xcc" "\x1c\xb0\x12\xd0\xdd\xce\xbc\xd4\xdb\xf3\xb7\x09\x4a\x54\x97\xa9\x74\xf4" "\x44\xcb\x00\x16\x1a\x66\xac\xb5\x54\x68\x7f\x9a\xdd\x8e\x80\x90\x14\x8f" "\xee\x66\xe1\xc6\xa7\x25\x1e\xbd", 188)); NONFAILING(*(uint64_t*)0x20001ed8 = 0xbc); NONFAILING(*(uint64_t*)0x20001ee0 = 0x20001d40); NONFAILING(memcpy((void*)0x20001d40, "\x42\x6b\xeb\x15\x17\x33\x6c\x3b\xfb\x41\x96\x75\x7b\x48" "\x89\x12\x30\x36\x02\x96\x8c\xe8\x4f\x25\x64\x4a\x2b\x85" "\xc1\x78\x21\x80\x85\xc7\xef\x7d\x10\xa1\xa9\x0d\x53\xdd" "\xde\xc6\xdc\x3b\x3a\x68\xbe\x1d\xc7\x59\x59\xa9\xe5\xd1" "\x56\x66\x2f\x95\xdd\xb3\x1f\x70\xdd\x2d\xce\x43\x3b\x22", 70)); NONFAILING(*(uint64_t*)0x20001ee8 = 0x46); NONFAILING(*(uint64_t*)0x20001ef0 = 0x20001dc0); NONFAILING(memcpy( (void*)0x20001dc0, "\x71\xe7\x20\x8b\xc5\xce\x4d\xe5\xea\xaa\x09\x6a\x91\x2a\xa2\x38\xd0\x04" 
"\x7f\xfe\xc4\x65\x31\xfe\xf5\xc9\x87\xf8\x4d\x50\x8e\x8b\x58\x36\xc1\xeb" "\x4a\xc9\xae\x46\x16\x33\x64\x6c\xbc\xa1\x60\xae\x29\xe0\xc2\x3f\x95\xb1" "\x73\x37\x8c\xf2\xcd\x45\x56\x3f\x2d\x19\x04\x74\x53\xb6\x0e\xe6\xc3\xa4" "\x30\x11\x33\x26\x1d\x01\x7e\xef\x49\x5c\x06\x06\x4d\x7d\xef\x8e\x47\x0d" "\xaa\x60\x95\xb8\x67\xa4\x1c\x4a\xc0\x87\x13\xa8\x39\x4f\xbd\x52\xf3\x57" "\xaa\x61\xf9\x6b\x43\x3f\xdd\xc1\xd6\xcf\x1a\x76\xe0\xc7\x3b\xa9\x4c\x83" "\xef\x41\x63\xb0\xa7\x29\xcd\x25\x47\x56\x65\x75\xf2\x7f\x03\xee\x77\xa8" "\xff\xc8\xa1\xe4\xd1\x2a\xf2\x1b\xb9\x86\x7e\x52\xa4\x08\x73\x11\x46\x7c" "\xf2\xc2\x92\x41\x4a\xc7\xac\x0d\x4b\xb0\xf0\x37\xa3\x3e\x3c\x47", 178)); NONFAILING(*(uint64_t*)0x20001ef8 = 0xb2); NONFAILING(*(uint64_t*)0x20002488 = 8); NONFAILING(*(uint64_t*)0x20002490 = 0x20002040); NONFAILING(*(uint64_t*)0x20002040 = 0x1c); NONFAILING(*(uint32_t*)0x20002048 = 1); NONFAILING(*(uint32_t*)0x2000204c = 2); NONFAILING(*(uint32_t*)0x20002050 = 0); NONFAILING(*(uint32_t*)0x20002054 = r[80]); NONFAILING(*(uint32_t*)0x20002058 = r[81]); NONFAILING(*(uint64_t*)0x20002498 = 0x20); NONFAILING(*(uint32_t*)0x200024a0 = 0x4000); NONFAILING(*(uint64_t*)0x200024a8 = 0); NONFAILING(*(uint32_t*)0x200024b0 = 0); NONFAILING(*(uint64_t*)0x200024b8 = 0x20002240); NONFAILING(*(uint64_t*)0x20002240 = 0x20002100); NONFAILING(memcpy( (void*)0x20002100, "\xa2\xbb\x99\x46\xee\x23\x03\x6e\xca\xed\xc1\x43\x02\x69\xcf\x9e\xab\xdd" "\x27\x45\xb7\xd2\x9d\xc5\xa1\xcd\x17\x75\xd4\x7a\x71\x55\x4a\x27\x07\x23" "\x75\x2f\x4a\xa2\x85\x73\xf4\x16\x8f\x32\x60\x58\x5a\xb1\xe4\x13\x3b\x73" "\xfb\x26\x4e\x30\x47\xcf\xdc\x48\x92\xde\xb0\xdd\x61\xcb\xa4\x45\xab\xf2" "\x50\x04\x8a\x7e\x88\x1f\xe5\x46\x78\x2a\xfa\xdc\x76\x3c\x48\x46\xa6\xfc" "\x37\x15\x34\xf7\x37\x0b\xf3\x4a\xad\x27\x1f\x53\xdd\x4c\x32\x33\x5e\x5c" "\x99\x0e\x32\x88\xd9\x6e\x8e\x0e\x06\xcd\xba\xbe\x3b\x4b\x82\x51\xa3\x1b" "\x53\x59\x15\x1e\xfd\x84\x63\x03\xb2\xe7\x94\xe9", 138)); NONFAILING(*(uint64_t*)0x20002248 = 0x8a); 
NONFAILING(*(uint64_t*)0x20002250 = 0); NONFAILING(*(uint64_t*)0x20002258 = 0); NONFAILING(*(uint64_t*)0x200024c0 = 2); NONFAILING(*(uint64_t*)0x200024c8 = 0); NONFAILING(*(uint64_t*)0x200024d0 = 0); NONFAILING(*(uint32_t*)0x200024d8 = 0x20810); syscall(__NR_sendmmsg, r[74], 0x20002400ul, 4ul, 0x81ul); NONFAILING(*(uint32_t*)0x20002340 = 0xc); syscall(__NR_getsockopt, r[27], 1ul, 0x11ul, 0x200022c0ul, 0x20002340ul); NONFAILING(*(uint64_t*)0x20001d40 = 0x20000240); NONFAILING(*(uint16_t*)0x20000240 = 0); NONFAILING(memcpy( (void*)0x20000242, "./" "file0\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000" "\000\000\000\000\000\000\000\000\000\000\000\000\000", 108)); NONFAILING(*(uint32_t*)0x20001d48 = 0x6e); NONFAILING(*(uint64_t*)0x20001d50 = 0x20001580); NONFAILING(*(uint64_t*)0x20001580 = 0x200002c0); NONFAILING(memcpy((void*)0x200002c0, "\xa1\x4f\xb3\x31\xcf\x84\x7c\xb5\x3e\xac\x65\xd2\xc6\x36" "\xf3\xa7\x2f\x40\x96\xb4\xeb\x6e\xac\xa4\xb1\xae\x52\x53" "\x8b\x27\x3a\xce\x32\x59\x02\x0d\x79\x53\x4f\x0b", 40)); NONFAILING(*(uint64_t*)0x20001588 = 0x28); NONFAILING(*(uint64_t*)0x20001590 = 0x20000300); NONFAILING(memcpy( (void*)0x20000300, "\xc1\xe6\x3a\xde\x42\x9c\xd6\x60\xbf\x32\xd5\x02\x37\x17\x4f\x73\xcf\x6d" "\x5d\xb6\xe0\x2b\x2e\x15\xc6\x2e\xe7\x36\xa0\x89\x96\xcd\x5c\x44\xd1\xe5" "\x05\xb2\x40\xa2\x44\xa3\xc8\x1a\x27\xbf\x85\x8a\x02\x80\x0e\xa2\x48\x09" "\x9c\xe9\xa7\xbb\xf5\x41\x4a\x0b\x69\xcf\xc5\x65\x1a\x81\xac\xe9\xfe\xb6" "\x54\x6d\x48\xfb\xdb\xeb\x01\x42\x91\xd6\xbf\xfa\x8c\x79\xc4\xd5\x4e\xf5" "\x03\x92\x2b\xe3\xb0\xa9\xe7\x0a\xdd\x0e\x64\x73\x79\x4a\x6f\x94\x97\x75" "\x95\xaf\x2c\x1d\xd2\x9a\xbe\xa2\x91\xdb\xa7\x82\xdf\xb7\x08\x73\x76\x04" 
"\xd5\x40\xb2\x93\x31", 131)); NONFAILING(*(uint64_t*)0x20001598 = 0x83); NONFAILING(*(uint64_t*)0x200015a0 = 0x200003c0); NONFAILING(*(uint64_t*)0x200015a8 = 0); NONFAILING(*(uint64_t*)0x200015b0 = 0x20000400); NONFAILING(memcpy( (void*)0x20000400, "\xa0\x03\x1e\x47\x04\xef\xfe\xca\xd9\x55\xdd\x7f\x5f\x61\x61\xb8\x53\x30" "\x2e\x48\xbb\xd8\x12\x42\xf6\xc6\xd9\x88\x57\x33\x94\x0b\xab\x63\xfd\xec" "\xd0\xa4\x51\xad\x23\xba\x01\x8c\x7a\x6b\x91\xeb\x6c\x49\x3a\x5c\xce\xbe" "\xca\xde\x40\xae\xc4\x5b\xce\xdc\x80\x83\xbc\x49\xa0\x6b\xbc\xda\xac\xd6" "\x40\x18\xec\x00\x56\xb9\xb2\xc9\xb3\xbe\x34\x3c\x3a\x9d\xaf\xb8\x71\x5b" "\x40\x76\xe6\x7c\xb1\xce\xa0\xab\x3d\xc4\x5c\x66\xd3\xbb\xbe\xcf\xf9\x78" "\xdf\xe9\xca\x78\x02\x97\xe4\x12\xa5\x0c\x76\xa1\x99\x02\x7c\xfc\xfc\xa5" "\xa9\x6f\x21\x87\x62\x0a\x30\x2f\xd6\x4b\x77\x1a", 138)); NONFAILING(*(uint64_t*)0x200015b8 = 0x8a); NONFAILING(*(uint64_t*)0x200015c0 = 0x200004c0); NONFAILING(memcpy( (void*)0x200004c0, "\x2c\x50\x78\xf3\x52\x63\xe5\x7c\x8f\xe4\xb1\x2a\x6b\xa2\x6e\x87\x97\xa7" "\x54\x6c\x0b\xcd\x56\x6b\x6d\x79\x7f\xd5\xe7\x8c\xd9\x8b\x2b\x02\xfa\xe1" "\x94\x8a\x69\x80\xbe\x5e\x50\x03\x36\xea\x69\xbc\x33\xc7\x6b\xfd\x38\xa1" "\xbe\x83\x85\x9a\x53\x34\x21\xb0\xf0\x94\x48\x10\xfe\xaf\x3d\x35\xa0\x97" "\x56\x88\x1b\x22\xd6\xea\xa1\x12\x5d\x6f\x5e\x9b\x37\xd2\x54\xeb\xc7\xed" "\x86\xb5\xf4\x5a\x65\xe2\x76\x6c\x64\xe6\x82\x69\x15\xc5\x43\x2a\x4e\x13" "\xeb\xa8\x9c\x86\x87\xe3\xfe\x90\x4b\xc0\xac\x95\x5f\x27\x55\x02\x2c\x47" "\x8c\x00\x59\x0d\xf0\x65\x6e\x8e\x37\xde\x16\x4c\x8a\xb2\x39\x5b\x1a\xc7" "\x90\x3e\xfe\x30\x77\x9c\x0e\x17\x61\x57\x68\x02\xa1\x6e\x57\x7e\xcb\xa4" "\x40\xcf\xaa\xc5\xb8\x6e\xe8\xfd\x5d\xc4\xbd\x79\x7e\x25\x05\x55\x94\xfa" "\x5d\xc6\x77\xe5\xed\xcc\x6e\x62\x7d\x11\x8f\x06\x1c\x5a\xdd\x9e\xfa\xf0" "\x75\x80\x23\x80\xb5\xda\x83\x2b\xb6\x51\x71\xfa\x2a\x84\xa1\xc6\x15\x8b" "\xd1\xb6\x87\x21\x60\x3f\xe3\x67\xd4\xf0\x6b\xe0\xc9\xd7\xa5\xe7\x73\xf5" 
"\xc8\x17\xe6\xbf\x32\x5e\xb8\x76\xce\xc9\x4b\xf2\x67\x88\x55\x4d\xe6\xfc" "\x5a\x12\x71\x5e\x1c\x60\x92\x38\xea\x11\x9c\xb0\x0f\x70\xc0\xf2\x83\x57" "\xb6\xb1\x67\x0c\x8e\x65\x24\x14\xda\x97\x4d\xd6\x19\x41\x24\x94\x43\xbe" "\x3b\xc8\x77\xd8\xe9\xc1\x0b\x02\xd0\x3f\x3f\xb5\xc9\x8e\xbc\x1a\x21\xe0" "\xee\x69\x8d\x39\x3c\x18\xd3\x11\xe9\x78\x3e\x04\x1c\xc3\xbf\x40\x41\xbf" "\x4d\x43\x67\x78\x07\x46\x81\x8e\x12\x64\x4d\xc7\xf5\x07\x42\xd3\xb1\x74" "\x4c\xf0\x0b\x25\xf6\x79\xd9\xb7\x15\xcf\x28\x23\x9e\x46\xd1\xd7\x5b\xea" "\xb9\x23\x32\x57\x9a\xfa\x0d\xa5\x85\xbb\x10\x2d\x00\xa9\x28\x9a\x4f\x45" "\xab\x5c\xb5\x34\xb1\x38\x70\x2f\x9e\xf4\xd1\x96\xcc\x16\x64\x25\x8d\x6f" "\x84\xd8\x30\x8a\xb7\xad\x7a\x38\x60\x4a\x79\x39\x21\xa7\x23\x4a\xac\xc5" "\xd4\xde\x9c\xdf\x33\x02\xc3\xa3\x7f\xbe\xc0\x48\x61\x46\x10\x06\xe2\xd1" "\xc8\x3a\x38\xd8\x45\x3f\x74\xe5\x8b\xba\x97\x1b\x66\x4e\x55\x25\xa7\xe5" "\x0c\x9d\x6e\xd4\xcb\x4c\x25\x9f\x5f\xa0\x9d\xff\xb3\x54\xf1\xa7\xfb\xe1" "\xbd\x42\xf4\x65\x7e\xee\x5a\x0b\xb7\x02\x8a\x18\xb2\x29\x4e\x5b\xb2\xe9" "\x81\xed\x9d\x13\xac\x4d\xfa\xe8\x96\x17\xfc\xe0\x9c\xce\xdd\xb6\xa7\x49" "\x39\x21\x18\x83\x18\x72\x39\x9e\xf0\xa4\xe3\x18\x04\xa7\xc0\x26\x52\x33" "\x8d\x95\xc0\xb6\xe0\x4e\xdf\x9f\x1d\xdb\xd9\x55\xce\x76\x5d\xe6\xb1\xd8" "\xdf\x83\xad\x70\x64\x30\xc0\x4d\x99\x60\x4e\x78\x46\x06\x47\x75\x82\x9a" "\x7a\xc0\x70\x0a\x69\x22\x16\xad\x1e\x71\xd6\x8c\xfd\x0f\xaf\x41\x6d\xa6" "\xe5\x99\xe3\x86\x4e\x9f\xdf\x48\x8e\x75\xaa\xeb\xf4\x3a\x01\xc2\x6c\x2e" "\x62\xc9\x22\x58\x74\x97\x4e\x52\xbe\x9c\x22\x8f\xc5\x7a\x17\x6e\xfb\x94" "\x37\x97\xf1\xdb\xd4\xbc\x50\x61\x1b\x48\x3f\xad\x77\x7c\x90\xaa\x14\x27" "\x43\xc8\x64\x38\xf9\x19\xe4\x74\x85\x38\xa8\x7f\x9c\xa5\xb8\x69\x2a\xe6" "\xf8\x9f\x49\xe1\x46\x1f\xf1\xe5\x00\xdb\x2d\xd6\x96\x90\x1a\x51\xb0\xb8" "\x59\xaf\x20\x75\x6c\x78\x9a\xb5\x5d\xb8\x6e\x01\xe1\xcf\xc1\x3c\xca\xf9" "\x34\x4d\xd8\x31\x4e\xfb\x7a\x6a\xd4\x18\x8e\x47\xac\x47\xfe\x55\xa1\x75" 
"\xe8\x59\x3d\x2d\x20\xba\x41\x5a\x04\xb7\x0f\xda\xce\x83\xc3\x02\xd4\xdc" "\x08\xa6\x75\x58\x5d\x1a\x6a\x2b\x74\x7b\xa2\x8b\xe7\x29\x00\x0c\x61\xe1" "\x0c\x69\x6f\xf5\x20\x0a\xb1\x09\xa0\x94\x66\xd2\xc9\x1b\x56\xb1\x5a\xc5" "\xf7\xc0\x00\xe3\x45\x06\x15\x4e\xbc\x52\x67\x61\xbb\x3c\xb0\x47\x94\x96" "\x25\x90\x46\x96\xe5\xd5\xfd\x97\x97\x3f\xf3\x84\x9e\x40\xde\x7b\x8c\xae" "\xf2\xc0\x95\x0b\xa7\x4f\xbd\xfd\xa8\xbc\x3e\x17\xcc\x4e\xd5\xf2\xf7\x13" "\xc0\x34\x04\x96\xd5\x1f\x6a\x8f\xb4\x61\x13\xaf\xeb\x20\x2e\xce\x27\xa7" "\xb4\x66\x01\x4f\xb0\xdb\xea\x33\xf9\xbb\x95\x91\x67\x9f\xa3\xe4\xce\xe1" "\xa0\x25\x1d\xb3\x63\x2e\x78\xb6\x28\x34\x95\x75\x71\x05\xfe\x66\x99\x1d" "\x22\xff\x66\x4c\xda\xbe\x08\x83\x08\x0f\x45\x42\xf3\xd8\x41\x2d\x87\xa6" "\xd3\x1f\xa8\x12\x2e\x3e\xb2\xee\xfe\x74\xf5\x5e\x06\x7a\x76\xee\x55\x79" "\x6b\x1f\x2a\x14\x07\xa4\xee\xc3\xa7\xa0\x8e\xa6\x19\x97\xe9\x29\xde\xf4" "\x82\xfe\xf8\xe2\x17\x87\xe6\x63\xe2\xb1\x25\x41\x9b\x7a\x1a\xfd\x08\x22" "\x98\x31\x46\x6c\x13\x6d\x3c\x62\x7f\xdc\x89\x0f\x2c\xba\xf1\xec\xf5\xb8" "\xb5\xa4\xb0\x4a\x1d\x00\x55\xec\x42\x4b\x42\x2f\x02\x47\x6a\xde\x9f\x98" "\x50\xae\x1b\x6d\x14\x4e\x5b\x21\x64\x6a\xf4\x53\xfc\xbb\x36\x84\xb8\x75" "\x3a\x45\x0c\xa7\x9b\x47\xef\x29\x30\xce\x50\x01\xea\x27\x64\x17\xb3\xb7" "\xba\xdb\x1a\x6c\xb4\xe8\x2e\x41\xb2\xd4\x53\x4c\x59\x3a\xb0\x66\xfa\x89" "\xb3\x1e\x68\x76\x7f\xc1\x2c\xa6\x4c\x26\x54\x9e\x23\x30\x9c\xf4\x14\xf5" "\x86\x08\x7c\xb1\x4b\xde\xb1\x4b\x24\x52\xbd\x3e\x24\x00\x21\x0c\x15\xaa" "\xc8\xb2\x4e\x52\x60\x32\x0b\x5a\xa3\xae\xa4\xa3\x9d\xfc\x59\xc0\xb3\x54" "\xe0\x52\x1e\x78\x37\x8e\xae\x88\x49\xb8\xea\x66\x4b\x95\x9d\x89\x34\xda" "\x1b\x21\x90\x4b\x7d\xfe\x30\x4d\xaa\xc8\xea\xa1\x05\xce\xb2\x7f\x23\xbc" "\x56\x07\x7f\x91\xca\x00\xcb\x67\xd6\x39\xdc\x7a\x67\x23\x0a\x31\xbc\xde" "\xb4\x78\xbd\x3f\xdb\x40\xa1\xa9\x35\x66\x6a\xb9\xe7\x24\xc5\xa1\x48\xa6" "\x5d\x47\xf3\x6d\x7f\xf7\x8a\x75\x44\xf9\x64\x80\x0e\x70\x1e\x76\x84\xdf" 
"\x11\x6b\x27\x89\x91\x01\xa0\x05\xb3\x9d\x05\x15\x47\x73\x40\xfc\x1d\x38" "\xc9\xbd\x3c\x10\x73\xa2\xcd\x0c\xc2\xe8\x26\x4e\xdf\x87\x0a\xbd\xd3\x8e" "\x94\x57\x74\x57\xce\x68\xfb\xd9\xe7\x53\xd0\x7a\x71\xc0\xa6\x1e\x96\xc6" "\xa9\x45\x1a\xd0\xec\xef\xf7\x95\x7d\xe6\x97\x56\x73\x85\xf7\x67\x80\x64" "\xf7\x83\x0c\xd5\xe7\xc3\xed\xb0\xf3\x13\x8b\x8e\x51\xec\xf3\x46\x9c\x7d" "\xa3\xaa\x5a\x3b\x20\x39\x7d\x31\xd8\x09\x7b\xe1\x86\xaa\xb1\x0a\x9c\xd0" "\x8f\x4d\x6c\x17\x93\x88\x6d\x95\xb8\xf0\x7d\x7d\xce\x88\x9a\x31\x6c\xfe" "\x61\x74\xf4\x87\x36\xf7\xbd\x2b\x08\x2a\xfc\xed\x9c\x3c\xf7\x61\x5e\xbc" "\xaf\x56\x4f\x8b\xc0\x8b\x8b\x1a\x61\x74\x4e\xf9\x2f\xc6\xe4\x9a\x59\x7f" "\x27\x7f\xd5\x3c\x2e\xf1\xdd\x48\x5b\x0b\x66\x04\x90\xb0\x0d\x0d\xf1\x7a" "\xcb\x65\x5d\x80\xe6\x84\x4a\x01\xa9\x05\x39\xa4\x7e\xe1\x27\x4c\x78\xe2" "\x8f\x49\x28\xd7\x74\xf8\xac\x39\x3a\xe0\x94\x3f\x5e\x0f\x32\x4c\x65\x98" "\x55\x21\x53\xed\x46\x73\x15\x68\x41\xaa\xe2\x63\xe8\xcf\x3b\xfd\x2f\xb1" "\x81\x79\xdc\x5c\x35\xfc\x57\xa7\x8e\x77\x9b\x2c\x79\x2b\xee\xeb\xba\x9b" "\xc1\xb3\x35\x11\xa9\x07\x1c\x6b\x18\xb8\x43\x6b\xa1\x18\xe6\x10\xbf\xcf" "\x52\x6e\x13\x0a\x27\xbd\x1b\xf8\xa1\x43\xe9\x81\x7f\xa5\x3a\x64\x26\xa3" "\x2b\x96\xee\xf1\xf1\xd2\x86\xe4\xa8\xcc\x72\x5b\x06\x48\x4d\x46\xd4\xe5" "\x7b\xdc\x12\x9c\x67\xba\x99\xc1\x41\x3d\x06\x6e\xf9\xa4\x9a\x19\xd2\xd5" "\x5d\x48\xb4\xa7\xb9\x10\x2f\xf3\x69\x6d\x83\xd3\x5f\x02\x76\x9e\x99\xff" "\x0b\x6e\x27\x9e\x24\x9b\x7b\x00\x5a\xd6\xda\xd1\x07\x0d\x8c\x49\xce\x0a" "\xcd\x83\xe1\x86\x5b\x80\x7c\xbb\xb4\x98\x2e\xe1\x2b\x13\x13\xcd\x16\xc4" "\x78\xd9\x33\x0f\x2a\xf5\x26\xc0\x43\x5f\x82\xae\xa9\x33\x21\x7e\xd2\xb8" "\x32\xc1\xeb\xa3\xc0\x36\xb7\x39\x3f\x28\x09\xa8\xc3\x4c\x9c\xb7\xaa\x0b" "\xaf\xb9\xde\x13\xc0\x44\xdf\xbd\x47\xc1\x9e\x1a\xea\x89\x3e\x3b\x6d\x7f" "\xe1\x48\xa8\x58\x4e\x25\x3e\x18\x18\x41\x5f\x0f\xc2\x20\xe0\xaa\x1c\xc1" "\xf6\x1f\xbc\x7e\x3a\xb0\xcd\x3f\xbf\xfb\x67\xa4\x8e\xed\xc2\xe7\x58\xa6" 
"\x0d\xa5\x88\xdc\x70\x7d\x76\x98\x28\x49\x2d\x4f\xd6\x1b\x47\xda\xc0\x7e" "\x2a\x16\xe4\x7a\x73\x11\x2c\x6b\x73\x37\x75\x56\x54\xaa\x16\x36\x21\x9b" "\x2f\x3a\x0c\x25\x28\x80\x00\xd3\xf8\xb1\x68\x42\xcb\x7b\x7f\x97\xa3\x25" "\x7a\x69\x23\x0a\x6c\x1f\x78\xf5\x9c\xb9\xf4\x4c\x93\x5f\x8d\x31\x63\x64" "\x0e\xef\x1c\xfd\x36\xfd\xac\x2c\x8b\xce\x78\xc4\x00\x3f\x88\xfe\x36\x05" "\x64\xf2\x0a\x01\xd0\xca\x6c\x59\xf6\x91\x16\x64\xaa\x27\xd3\xc3\x88\x28" "\x86\x76\x8e\xb0\x42\x7d\x56\x4e\xdf\x5f\x63\x8a\xe3\x63\xb6\xed\x11\x19" "\x11\x5c\x4a\xa1\x41\x18\x28\xc8\x80\x4d\x6a\xee\x4d\x95\x3e\x87\x8c\x07" "\xa0\x39\x04\xbe\x0b\x2d\xb4\x6b\x0e\xbc\xfc\x78\x0e\xa4\x8f\x44\x1e\xff" "\xec\x9c\x16\x8f\x6c\x07\xd5\x3a\x08\x87\x78\x87\x27\xc3\x39\xa0\x6a\xe1" "\x35\x12\x9e\x5f\x2c\x03\x8a\x9b\xb5\xcd\xde\xd9\x25\x2b\xf3\xc3\x04\x0e" "\x6e\xca\x4d\xb0\xa8\x83\xf9\x34\xbc\xae\xa0\xbf\x8d\x00\x2b\xd0\x21\x83" "\x7b\x97\xbc\xa2\xcc\x69\xa1\x11\x30\xd2\x03\xe3\x3e\x42\xc4\x45\xc4\x5f" "\x75\xeb\xb1\xba\x51\x23\x39\xd5\xcf\xef\x23\xb5\x12\xef\x5d\x2f\x38\x73" "\x32\x8a\x56\xae\x10\x3a\xfb\x08\x38\x68\x71\x2b\xfa\xc8\x19\x83\x75\xf8" "\xde\x16\xd1\x16\xcf\x84\xc9\x0c\xb9\x6e\xfa\x86\x05\xdd\xa5\x26\xa6\x08" "\x66\x4b\x98\x8c\x8b\x32\x74\xa3\xd7\x10\x05\xcc\xb7\x9c\xd6\x29\xe7\x44" "\x28\xfe\xe4\x8b\x46\x72\x29\xb8\x30\x0d\xe0\xe9\x2c\x33\xa7\x29\xfc\x65" "\x1c\xee\x26\x24\x6e\x5d\xaf\xea\x01\x9f\x41\x15\x9b\x83\x95\xbb\x37\x02" "\x29\x10\x9d\x49\xd0\xb0\x3c\x95\x0c\xdf\x78\xf1\x66\xce\xe6\x54\x2d\xcf" "\x72\x4c\x6d\xa5\x9d\xed\x65\xb8\x99\xa7\x56\x26\x43\x97\xde\x86\x84\x09" "\xbf\xe0\xd0\x14\xed\x29\xdd\xbb\xa8\x44\x3a\x9a\xfa\x24\x3d\x19\x75\x60" "\xf4\x2e\x85\x29\x15\x8e\x0d\xe3\x31\x0f\xd8\x3f\x1d\xbd\x5d\x60\xa0\x66" "\x44\xa8\x00\x41\x7d\xed\x3f\x8b\xd3\xef\xd0\x35\x5f\x28\x0e\xfc\x95\x81" "\x17\xa4\xe4\x94\x68\x89\xeb\x72\x4f\x23\x80\xdc\x6d\xf4\x63\x39\x60\xa0" "\x5b\x04\xa3\x77\x50\xa4\xce\x26\xa8\x24\xb5\x88\xa2\x3b\x22\xda\xd3\xad" 
"\xd3\x33\x02\xd8\x37\xd1\x83\x08\x85\x6f\xd2\x56\xae\xab\x2e\xb5\x9f\x50" "\x6b\x9d\x83\xd5\x6e\x96\x74\xd4\x76\x2e\x5b\xff\xdd\xd1\x67\x20\xc9\x1f" "\xc5\x41\x1b\x29\x83\xe0\x9b\x7d\x37\x4c\xa2\xe6\xb4\x9b\x8e\x45\xfe\x87" "\x24\x5e\x34\x75\xe9\xd9\x5c\xb9\x6d\x1d\x87\x0b\x20\xa4\xed\xe6\x6c\xd9" "\xb9\x2c\x31\x1d\x3e\xdb\xbe\x92\xd1\x65\xc4\x64\x7a\xa9\x3f\xe4\xf0\x65" "\x6a\x86\xc5\xad\x0d\x37\xa6\x76\xbb\xb3\xde\x44\x90\xe7\x15\x5f\xf4\x24" "\x4f\x25\x5c\x40\x40\x43\x9b\x08\x93\x0a\x62\x4d\xce\xd6\x09\xe8\xb1\xe1" "\xda\xc9\xa5\xdb\xe9\x8d\xc8\xfd\x4a\x71\xd1\x59\x46\x4f\xba\x24\x5f\x05" "\x38\xad\x9b\x52\x59\xcb\x98\xa6\xcb\x84\x70\xcd\x5d\xa3\x07\x4a\x48\x59" "\x65\x59\x3b\xe5\x84\xe2\xfc\xf1\x98\x7b\xee\xba\x43\x86\x61\x4f\xbc\x06" "\x07\x84\xdc\xb8\x91\x38\x56\xb9\xa5\x5c\x53\x4b\x69\xb5\x03\x1e\x2f\xa9" "\x39\xee\x55\x90\xe7\x79\x75\xa8\xed\x9b\x14\x94\x73\xe7\x2f\x39\xba\x93" "\x5d\x4c\x92\xd0\x76\x78\x06\x7d\x2d\xc7\x89\x0a\xf4\x34\x28\x6a\x29\xde" "\xc7\x02\xda\x0e\x36\xfb\xf8\x13\xb0\xbf\x36\xd8\x4c\x07\x53\xfb\xa4\xa6" "\xb6\xb6\xee\x3a\x63\x07\x01\x33\x08\x84\x13\xb9\x3e\xc6\xe4\xed\xdd\x64" "\xf2\xfc\x75\x54\x81\x6c\xc6\x85\x66\xc2\x8f\x12\x77\x73\x90\xb2\x69\x3a" "\xe2\x54\xbb\x79\x59\x80\x4d\x7c\x3a\x03\x19\x94\x2e\x47\x9c\xf4\x60\xd3" "\x27\x9e\x5a\xcd\xc8\x94\xb0\xab\xa3\xd4\x1e\xa2\x2e\xd8\xf8\x52\xfb\xbb" "\x49\x89\x23\xda\x2c\x12\x4f\x0e\x04\x50\x7c\x72\x2c\xf5\xd5\x6d\x54\x95" "\x69\x66\x0e\x76\xdb\xd1\xdd\xcb\xdc\xea\x62\xf3\xe9\x3f\xfb\x36\x4c\x0c" "\x4d\x92\x77\x9b\x59\xc9\x91\x4c\x7a\x6b\xbb\x80\x12\x53\x2f\x42\xa2\x67" "\x83\x2e\xfa\x1f\x14\x80\xf6\x52\x32\xf8\x37\xcb\x7d\x94\xd7\x25\x85\x19" "\x22\xad\xea\x12\x31\x17\x06\xe3\x56\xe2\x80\xbf\x69\xaf\x6f\x17\x66\x89" "\xa9\x29\x12\xf2\x1c\x95\xd8\x5f\xa8\x3d\xcc\x72\x8c\xd7\x19\xf6\x2f\x93" "\x7d\xbc\xfd\x3c\x6a\x40\xb2\x3b\x7f\xd2\x1b\x7f\xbf\x16\xb9\x27\x12\xa7" "\xc2\xe6\xbf\x37\x91\xbc\xa1\xbe\x6b\xfe\xe3\xa1\xc1\x6f\x39\x90\xd9\x72" 
"\x7b\xde\x94\x3a\x8e\x96\xa5\x83\xfd\x0b\x64\x24\x9e\x3e\xa5\x11\x30\xff" "\xea\xf6\x29\x6a\x2b\x0b\xc1\xdd\x46\xec\xd1\x5a\x97\xfb\x56\x61\xda\xc5" "\x58\x8e\x96\x61\xa9\x31\x34\x7a\x92\xd7\x9a\x35\xc8\xf5\xb8\x1c\x1c\x40" "\x25\x82\x61\x5e\xfa\x29\xd4\x5d\x2b\x3f\x4d\x7d\xe4\x07\xe7\xc3\xf0\xfa" "\x7b\xeb\x47\x24\x0b\x4e\x93\x9e\x29\x24\xe5\x06\x28\xd4\xbb\x77\xb4\x0d" "\xa0\xa8\xc5\xb5\x43\x8c\xaf\xb9\xa8\x5c\x79\xd0\x84\x30\x39\x13\xdb\x05" "\x7e\x4b\x46\x77\xc2\xdb\xaa\x36\x88\x14\xe4\x04\x74\x79\xa6\xd2\x4f\x48" "\xf6\xca\xe1\xf1\xad\xd8\x62\xcf\x4e\x71\xe9\xd8\xfd\x50\xa5\x2e\xce\x0d" "\x3e\xd7\x9d\xee\xd6\xe0\xcc\x89\x7c\x0b\x81\x7c\x3a\xcd\x90\x6c\x14\x69" "\xcd\xc0\xe1\xc3\xc0\xd2\x9a\x36\x9a\xf9\x6c\x43\x8a\x80\xc1\x2e\x7d\xb3" "\x22\x3d\xe4\xbb\x7a\x9c\x05\xc9\x1c\x85\x98\x31\x80\x5c\x2a\xb2\x0a\xc1" "\xfe\xe2\xd3\x90\xcb\x71\x1d\x52\xbb\xf3\xc9\xc2\xbb\x3a\xeb\x9b\xcd\xae" "\xf3\x25\x1c\x7a\x8f\xd6\x56\x96\x3f\x18\x43\x99\xa3\x36\xf8\x52\x85\x26" "\x2e\xd6\x09\x38\x6f\xdc\x81\xfb\x28\xc8\x9b\x74\xf7\x6b\xa4\x1c\x57\xf9" "\x6a\xad\xb0\x55\xf0\x21\x85\x5f\x92\xaa\xa6\x1d\xe0\xbd\x6b\x67\x4a\x23" "\x1d\xa2\x70\xc6\x4f\x65\x94\xd4\xe6\x5f\xa8\x5d\x10\x9c\xd2\x3a\x91\xfe" "\xdd\xc9\xa5\xb6\x7b\x9a\x37\x89\xae\xc9\x27\x8f\x46\x37\xb4\xd2\xe1\xdb" "\x44\xd7\xb7\xf0\x0a\x85\x1c\xec\xb7\x95\xca\x4f\xdd\xa1\xb9\xa4\xad\x4a" "\x54\x73\xfa\xcb\xde\xb5\xaa\x64\xdf\xd8\x7c\x5b\xe9\x86\x6b\x39\x98\xcf" "\x3d\x65\xa2\x69\x87\x5c\xb9\x7f\x36\xc3\xd8\xe4\xb8\x43\x52\xba\xa4\x31" "\xf0\xbb\x8b\xce\x70\x4f\xbf\x37\xc0\xd7\x23\xd2\x3b\x41\xd2\x5f\x3f\x70" "\x0e\xd4\x18\x2f\x0b\x7c\x4f\x0e\xe2\xfd\x32\x2d\xba\x9b\xba\x63\xb3\x09" "\xd9\x51\x7c\xfe\x4f\xf5\xaa\xec\x9f\x47\xbd\x2b\xd5\xdc\xd5\x73\xa4\x26" "\x9a\x94\x92\xa4\x99\x2d\x01\x4d\x54\x5c\x3c\xe6\x46\x63\xd0\xf6\x47\xe9" "\xec\x62\xe6\x08\xc4\xfa\x58\xef\x1a\x37\x2b\xfa\xcd\x93\xe2\xe5\x4e\x8a" "\xc2\x2e\x5e\xc6\x11\x02\x5d\xa9\x75\xfe\x1b\x18\x41\xe1\xba\xa3\x36\x56" 
"\xc4\x59\xd0\x02\x32\x50\x02\xf7\x67\xf3\xbf\x10\x88\x32\x29\xc9\xb1\xc7" "\x6c\xab\x7a\xcf\x0f\x7e\x6d\x78\x15\x52\xcd\x8b\x25\x90\x2b\x1a\xd1\x51" "\x1b\x17\x73\xa8\x41\xc5\xb8\x82\x30\xb1\x3d\xcb\x2f\x1f\xa2\xf1\x8a\xb9" "\x9c\x4e\x4c\x9d\xa6\xe8\x20\x6e\xb6\x5d\x84\x17\xc4\xc9\xcb\xcb\xcf\x9d" "\x7e\x50\x06\x74\x85\xf0\x85\xb9\x15\x04\xec\x4c\xe9\x51\x86\x23\x8f\xee" "\xcf\x69\x5e\x86\x06\x72\x29\x07\x71\x50\x7f\xdd\x5d\xa4\x4c\x43\x73\x1e" "\x13\x94\x17\xc4\xa9\xd2\x6f\xc9\x9c\xd5\x14\xca\x3d\x8c\x36\x9d\xd9\x4a" "\x61\x4f\x08\xc0\x71\xdd\x6d\xa0\x24\xe4\xf4\xb9\x4b\xf8\x39\x7d\xc0\xf9" "\xd0\x3d\x52\x3a\x70\x06\x8e\x26\x9a\x5e\x91\x67\xc2\xc2\xdb\xe1\xad\x7e" "\xc5\x66\x0e\x36\xa7\x5d\x29\x07\x4a\x16\x99\x9b\x9c\x7b\x61\xd2\xa2\x7c" "\x90\x73\xea\xa1\xab\xb3\x64\xd3\x72\x08\x2a\xfe\x3e\x58\xaf\x1c\xfa\xb5" "\x8d\x88\x67\x05\x91\xc9\x7c\x34\xfc\x92\xb0\x8f\x41\x39\x17\x1c\x00\xe0" "\xc2\x38\xc4\xc4\xb9\x77\xaa\xc2\x01\xbc\xc5\x08\x6a\xdc\x8e\x0b\x18\x13" "\x82\xf6\xa3\x94\xbe\x5f\xd8\x49\x2b\x92\x02\xf5\x3c\xa9\x46\x13\x0a\xa5" "\xc0\xf8\xc0\x4b\x43\x43\xca\x86\x7c\x04\x7b\xc5\x47\x11\xe2\x22\xd3\x67" "\x7c\x99\x25\x13\xcb\xb9\xdb\x30\xa0\xa8\x25\x35\x00\xfe\xe7\x26\x21\xff" "\xaa\x7d\x50\xe9\xb6\xfb\x4b\x4a\x4c\xfe\xe5\x2a\xbb\x9a\x4c\x07\x54\xec" "\xed\x6c\x88\xb5\x10\xdf\xec\xcc\x45\x7a\xb0\xad\x64\x5f\x08\x14\xdb\x1d" "\x8e\x90\x82\xb9\xd4\xe4\xce\x26\x44\x4a\x20\xc1\x1e\x83\xfa\x98\x5a\x96" "\x3c\xed\xf0\x3a\x44\xd0\x37\x41\x2b\x71\x55\xe3\xb2\xdf\x71\x05\xcc\x16" "\xf9\xe6\x85\x0f\x82\xa1\x1f\xa9\xa8\x22\x59\xf6\x77\xad\xb3\x67\xdd\xbc" "\x1f\xf5\x19\x3c\x5c\xb3\x38\xa1\x3d\x14\xe5\xf4\xcf\x7e\x77\xed\xe1\x27" "\xbe\x5e\xaa\xf4\xfa\xaf\xde\x52\x9b\xd9\x07\x6e\x08\x12\x5b\xbb\xbe\x89" "\xe3\x55\xce\xb6\x9d\xfa\x97\x81\xa3\x60\x60\x2b\x5d\x6e\x30\x68\x79\x56" "\x7b\xe5\x07\x73\x30\x36\xc6\xee\x94\xdd\xda\x2c\xf2\xdd\x72\x53\x6c\x6b" "\x57\xbe\x69\x48\x09\xb5\xf1\x89\x55\x1d\x78\x20\x53\x7f\x71\x39\x23\x8e" 
"\xd1\xa5\x1a\x6c\x61\xe3\x60\x7a\x50\xe8\x6d\x94\x61\xed\xf5\xe4\xa2\x9e" "\x78\xb9\x60\xf8\xfb\x9d\xa9\x71\xba\xfd\x7c\xa6\xee\xb5\xc3\xf5\xaa\xff" "\x5a\xd8\x4a\x43\xcd\xc6\x67\xfa\xa0\xab\xa8\x6a\x03\x10\xca\x55\xd8\x51" "\x8f\x5a\xb3\xa3\xf6\xf2\x79\xfd\xdf\x85\xea\x30\x0d\x54\x16\xc4\x10\x31" "\x18\x7e\x54\x1c\xe1\xe2\x3f\xa0\x95\xb0\xa3\x45\xce\xc0\xca\x92\xa3\x81" "\x53\x23\x4d\xfe\xda\x8c\xcf\xfd\x5e\x1b\x41\x93\xe8\xd1\x8c\xa2\xa3\x11" "\x02\xad\xdc\x07\xa3\xb3\xb0\xdd\x73\xcf\xb1\x94\x04\x73\xdb\xc3\x25\x1a" "\x17\x39\xc6\x03\x8e\x9e\xd1\x15\xc6\x88\xca\x7b\xa1\xe5\x1a\xef\x86\x2c" "\xe8\x5c\x8d\xa4\xe1\xaf\x4a\xcd\x03\x60\x0a\xdc\x39\xc1\x8e\x2d\xae\x81" "\x84\x3a\x8f\x0f\x38\x52\x9a\xa8\x32\x4b\xc4\x7a\x73\x75\x0d\xeb\x56\xf5" "\x2c\x96\x3e\x50\xa6\x57\x07\x8b\xd2\xda\x93\xc8\xce\x81\x42\x1c\x1c\x1e" "\xd6\x02\x95\x75\xbc\x2f\x0c\xbf\x78\xaa\x1d\x6a\x77\x85\xbf\x0f\x86\xe1" "\xac\x44\x43\xf8\x59\xba\x03\x87\x4c\x1e\xa4\x32\x4f\x2f\x95\xbb\xf5\x37" "\xda\xa2\x5e\xed\x35\x87\x51\x8d\xdb\x12\x32\x07\xfc\xed\xc0\x09\xa1\x1c" "\x26\xdb\x34\xf4\x94\x7d\x12\x47\x41\x27\x26\x2e\x68\xd9\x6f\x5b\x40\xe3" "\x17\x90\x2e\xf6\x8a\x0e\x25\xad\xdb\x99\xf7\x10\xe2\x3e\xd2\xb4\x27\x66" "\xea\x30\xc4\x13\x18\xf2\x5f\xbe\x5f\x84\x52\x68\x7c\x42\x0d\xfd\xec\x6b" "\x53\xd4\x07\xa5\xee\xe3\xdf\x6a\x42\xc8\xcc\x43\x28\x39\xde\xed\xb2\x76" "\x08\x3c\x25\x01\x63\xde\xa1\x34\x4a\x29\x1a\xda\x3a\x77\xb9\x75\x59\xa7" "\x8e\x8d\x65\x14\x10\x04\xac\x23\x1b\x56\xbd\x96\x91\x65\x7d\x93\x84\x83" "\x0a\x4e\x43\x54\xe0\x12\x07\x45\x69\x5e\x08\x77\x2e\xc4\x8a\x8b\x66\x4b" "\x01\x7c\x5a\x2d\x40\xde\xfc\xe0\x5d\xf7\xf1\x7e\x74\x72\x8c\xc4\xbf\x1e" "\x06\xf0\xa1\x93\x3d\x42\xc8\xd6\xaf\xb3\x38\x9a\xf0\x46\x15\xc7\xf8\xe6" "\xa8\x61\x5c\x88\x04\xb3\xd9\xe1\xae\x31\xf3\x24\x5f\xb5\x5a\x89\xab\x45" "\x28\xf9\xcb\xd0\x38\x74\x39\xf4\xed\xe7\xaf\x87\x38\xb1\xe6\xfc\x2b\x1e" "\xca\x42\xc2\x71\x10\xef\xfd\x0b\xb6\x0f\x9f\xae\xf7\x21\x58\x51\x3a\x16" 
"\x01\xea\x44\x1b\x4d\xb6\x36\xda\xb2\x06\x57\xd3\x40\x5a\x58\x67\xbf\x04" "\xdf\xbe\x22\xd8\xb6\x98\xdc\x0c\x99\x74\x8c\x18\x35\x9e\x19\xd5\x3e\x18" "\x5d\x15\xe0\x83\xc4\xb8\xe3\xad\x35\x05\xf4\xb8\xce\x52\xfd\x15\x29\x1d" "\xbc\xd9\xbe\x64\xf0\x19\xe8\x64\xfc\x89\x35\x23\x4e\xe5\x8d\x12\xce\x69" "\x0b\x1f\x35\xb2\x6a\x35\x64\x92\x21\x81\x68\x9a\x23\xdb\x65\xb0\xf5\x70" "\xaf\xbe\xe7\x8d\x91\x24\x3f\x75\x61\x8f\x26\xd8\xdb\xce\x4d\x84\xb6\x3d" "\x33\xb2\x5a\xe7\xb1\xe1\xd1\xe0\xc1\x51", 4096)); NONFAILING(*(uint64_t*)0x200015c8 = 0x1000); NONFAILING(*(uint64_t*)0x200015d0 = 0x200014c0); NONFAILING(memcpy((void*)0x200014c0, "\x23\x02\x91\x81\xe8\xa2\xa3\xff\x5e\x5a\x9d\x21\xb6\x5e" "\x13\x6d\x6e\xb7\xec\x7f\x54\xe3\x1a\x59\xb9\x22\xde\x75" "\xd3\xa9\x72\xf1\xa1\x07\xbe\xf5\x36\x4f\xf2\x5e\x79\x30" "\x2d\xf4\xc5\x4c\xc0\xfb\xce\xc8\xcb", 51)); NONFAILING(*(uint64_t*)0x200015d8 = 0x33); NONFAILING(*(uint64_t*)0x200015e0 = 0x20001500); NONFAILING(memcpy((void*)0x20001500, "\x63\x4f\x79\x07\x58\x52\xcd\x45\xa2\x28\x03\x98\x43\xef" "\xc7\x36\x36\x49\x80\xd9\x27\x15\x82\xb7\x38\x1c\xe6\x75" "\x8b\xc3\x4b\x96\xde\x9a\xc0\xe4\x50\x18\x44\x63\xf7\xaa" "\x38\x86\x3e\x11\x00\xce\xd3\x73\xa4\x74\x51\xb3\x47\x48" "\xad\xb4\x35\x16\x7b\x42\x87\x15\x0d\x64\x21\x46\xc6\x96" "\x91\xf9\xb1\x35\x14\xb8\x8a\xb0\xdb\xfc\x3e\x12\x73\x05" "\x15\x63\xd9\xce\xdc\x2a\xb6\xe7\xbe", 93)); NONFAILING(*(uint64_t*)0x200015e8 = 0x5d); NONFAILING(*(uint64_t*)0x20001d58 = 7); NONFAILING(*(uint64_t*)0x20001d60 = 0x20001c40); NONFAILING(*(uint64_t*)0x20001c40 = 0x18); NONFAILING(*(uint32_t*)0x20001c48 = 1); NONFAILING(*(uint32_t*)0x20001c4c = 1); NONFAILING(*(uint32_t*)0x20001c50 = r[0]); NONFAILING(*(uint32_t*)0x20001c54 = -1); NONFAILING(*(uint64_t*)0x20001c58 = 0x1c); NONFAILING(*(uint32_t*)0x20001c60 = 1); NONFAILING(*(uint32_t*)0x20001c64 = 2); NONFAILING(*(uint32_t*)0x20001c68 = 0); NONFAILING(*(uint32_t*)0x20001c6c = 0); NONFAILING(*(uint32_t*)0x20001c70 = r[19]); 
NONFAILING(*(uint64_t*)0x20001c78 = 0x2c); NONFAILING(*(uint32_t*)0x20001c80 = 1); NONFAILING(*(uint32_t*)0x20001c84 = 1); NONFAILING(*(uint32_t*)0x20001c88 = r[20]); NONFAILING(*(uint32_t*)0x20001c8c = -1); NONFAILING(*(uint32_t*)0x20001c90 = -1); NONFAILING(*(uint32_t*)0x20001c94 = r[1]); NONFAILING(*(uint32_t*)0x20001c98 = r[21]); NONFAILING(*(uint32_t*)0x20001c9c = r[22]); NONFAILING(*(uint32_t*)0x20001ca0 = r[23]); NONFAILING(*(uint64_t*)0x20001ca8 = 0x20); NONFAILING(*(uint32_t*)0x20001cb0 = 1); NONFAILING(*(uint32_t*)0x20001cb4 = 1); NONFAILING(*(uint32_t*)0x20001cb8 = r[1]); NONFAILING(*(uint32_t*)0x20001cbc = -1); NONFAILING(*(uint32_t*)0x20001cc0 = r[24]); NONFAILING(*(uint32_t*)0x20001cc4 = r[25]); NONFAILING(*(uint64_t*)0x20001cc8 = 0x1c); NONFAILING(*(uint32_t*)0x20001cd0 = 1); NONFAILING(*(uint32_t*)0x20001cd4 = 2); NONFAILING(*(uint32_t*)0x20001cd8 = 0); NONFAILING(*(uint32_t*)0x20001cdc = r[33]); NONFAILING(*(uint32_t*)0x20001ce0 = r[46]); NONFAILING(*(uint64_t*)0x20001ce8 = 0x1c); NONFAILING(*(uint32_t*)0x20001cf0 = 1); NONFAILING(*(uint32_t*)0x20001cf4 = 2); NONFAILING(*(uint32_t*)0x20001cf8 = r[48]); NONFAILING(*(uint32_t*)0x20001cfc = r[58]); NONFAILING(*(uint32_t*)0x20001d00 = 0); NONFAILING(*(uint64_t*)0x20001d68 = 0xc8); NONFAILING(*(uint32_t*)0x20001d70 = 0x90); syscall(__NR_sendmsg, r[5], 0x20001d40ul, 0x24008801ul); syscall(__NR_close, r[1]); syscall(__NR_socket, 2ul, 2ul, 0ul); res = syscall(__NR_socketpair, 1ul, 5ul, 0ul, 0x20000000ul); if (res != -1) NONFAILING(r[84] = *(uint32_t*)0x20000004); NONFAILING(*(uint64_t*)0x20003b40 = 0x20002d80); NONFAILING(*(uint32_t*)0x20003b48 = 0xd35cac87); NONFAILING(*(uint64_t*)0x20003b50 = 0); NONFAILING(*(uint64_t*)0x20003b58 = 0x46); NONFAILING(*(uint64_t*)0x20003b60 = 0); NONFAILING(*(uint64_t*)0x20003b68 = 0); NONFAILING(*(uint32_t*)0x20003b70 = 0); NONFAILING(*(uint32_t*)0x20003b78 = 0); res = syscall(__NR_recvmmsg, r[84], 0x20003b40ul, 0ul, 0ul, 0ul); if (res != -1) NONFAILING(r[85] = 
*(uint32_t*)0x20002d8a); NONFAILING(*(uint32_t*)0x20000100 = 0xc); syscall(__NR_getsockopt, r[85], 0ul, 8ul, 0x20000040ul, 0x20000100ul); }

/*
 * Reproducer entry point.
 *
 * 1. Maps 0x1000000 bytes (16 MiB) at the fixed address 0x20000000 with
 *    prot 3 and flags 0x32; on Linux these are PROT_READ|PROT_WRITE and
 *    MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS. The hard-coded 0x2000xxxx
 *    addresses visible in the generated code fall inside this region.
 *    The result of the mmap call is not checked.
 * 2. Installs the SIGSEGV/SIGBUS handler that NONFAILING() relies on.
 * 3. Forks four times, once per procid value 0..3. Each child sees the
 *    procid value current at fork time, switches into a freshly created
 *    temporary directory and calls do_sandbox_none().
 * 4. The parent then sleeps for 1000000 seconds; it does not wait for or
 *    reap the children.
 *
 * NOTE(review): do_sandbox_none() is defined elsewhere in this file. If it
 * can return, the child carries on with the remaining loop iterations and
 * forks again; confirm that it does not return.
 */
int main(void)
{
  /* Fixed scratch mapping backing the generated program's data. */
  syscall(__NR_mmap, 0x20000000ul, 0x1000000ul, 3ul, 0x32ul, -1, 0);
  install_segv_handler();

  procid = 0;
  while (procid < 4) {
    /* A failed fork() (-1) is treated like the parent branch. */
    const int in_child = (fork() == 0);
    if (in_child) {
      use_temporary_dir();
      do_sandbox_none();
    }
    procid++;
  }

  /* Keep the parent alive while the children run. */
  sleep(1000000);
  return 0;
}