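// https://syzkaller.appspot.com/bug?id=7640a984d2f9e78d171819154508d4c350b9b077
// autogenerated by syzkaller (https://github.com/google/syzkaller)
//
// Kernel crash reproducer.  A fixed sequence of eight syscalls (execute_call)
// is replayed from a pool of worker threads: once serially, then a second
// time with "collide" overlap so that neighbouring calls race.  All syscall
// arguments live in a scratch region mapped at a fixed address by main().
// It is meant to run only inside a disposable VM that hosts the kernel under
// test; every local failure (thread creation, clock, mapping) ends the process
// with exit(1).

#define _GNU_SOURCE
// The header names were lost when this page was extracted (the original read
// "#include #include ..."); this is the set the calls below require.
#include <errno.h>
#include <pthread.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <time.h>
#include <unistd.h>

// Sleep for `ms` milliseconds.
static void sleep_ms(uint64_t ms)
{
  usleep(ms * 1000);
}

// Monotonic wall-clock in milliseconds; exits on clock failure.
static uint64_t current_time_ms(void)
{
  struct timespec ts;
  if (clock_gettime(CLOCK_MONOTONIC, &ts))
    exit(1);
  return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}

// Start a detached-by-neglect worker (the handle is never joined) with a
// 128 KiB stack, retrying up to 100 times on EAGAIN; exits on any other
// failure.
static void thread_start(void* (*fn)(void*), void* arg)
{
  pthread_t th;
  pthread_attr_t attr;
  pthread_attr_init(&attr);
  pthread_attr_setstacksize(&attr, 128 << 10);
  for (int attempt = 0; attempt < 100; attempt++) {
    // pthread_create reports failure through its return value and is not
    // required to touch errno, so the retry decision must use `rc`; the
    // original tested errno, which could hold a stale value.
    int rc = pthread_create(&th, &attr, fn, arg);
    if (rc == 0) {
      pthread_attr_destroy(&attr);
      return;
    }
    if (rc == EAGAIN) {
      usleep(50);
      continue;
    }
    break;
  }
  pthread_attr_destroy(&attr);
  exit(1);
}

// Manual-reset event: `state` is 0 (clear) or 1 (set), guarded by `mu`.
typedef struct {
  pthread_mutex_t mu;
  pthread_cond_t cv;
  int state;
} event_t;

// Initialise the mutex/condvar pair; exits if either init fails.
static void event_init(event_t* ev)
{
  if (pthread_mutex_init(&ev->mu, 0))
    exit(1);
  if (pthread_cond_init(&ev->cv, 0))
    exit(1);
  ev->state = 0;
}

// Clear the event.  Deliberately unlocked: callers only reset an event they
// are the sole owner of at that moment (see thr() and loop()).
static void event_reset(event_t* ev)
{
  ev->state = 0;
}

// Set the event and wake all waiters.  Setting an already-set event is a
// protocol violation and aborts the process.
static void event_set(event_t* ev)
{
  pthread_mutex_lock(&ev->mu);
  if (ev->state)
    exit(1);
  ev->state = 1;
  pthread_mutex_unlock(&ev->mu);
  pthread_cond_broadcast(&ev->cv);
}

// Block until the event is set.
static void event_wait(event_t* ev)
{
  pthread_mutex_lock(&ev->mu);
  while (!ev->state)
    pthread_cond_wait(&ev->cv, &ev->mu);
  pthread_mutex_unlock(&ev->mu);
}

// Return the current state under the lock.
static int event_isset(event_t* ev)
{
  pthread_mutex_lock(&ev->mu);
  int res = ev->state;
  pthread_mutex_unlock(&ev->mu);
  return res;
}

// Wait up to `timeout` milliseconds for the event.  Returns the state seen
// on exit (1 = set, 0 = timed out).
static int event_timedwait(event_t* ev, uint64_t timeout)
{
  uint64_t start = current_time_ms();
  uint64_t now = start;
  pthread_mutex_lock(&ev->mu);
  for (;;) {
    if (ev->state)
      break;
    uint64_t remain = timeout - (now - start);
    // pthread_cond_timedwait takes an ABSOLUTE CLOCK_REALTIME deadline.  The
    // original passed the relative remainder (a timestamp shortly after the
    // epoch), so every wait returned ETIMEDOUT at once and the loop busy-spun
    // until the monotonic check below expired.  Build a real deadline.
    struct timespec deadline;
    if (clock_gettime(CLOCK_REALTIME, &deadline))
      exit(1);
    deadline.tv_sec += (time_t)(remain / 1000);
    deadline.tv_nsec += (long)((remain % 1000) * 1000 * 1000);
    if (deadline.tv_nsec >= 1000000000L) {
      deadline.tv_sec += 1;
      deadline.tv_nsec -= 1000000000L;
    }
    pthread_cond_timedwait(&ev->cv, &ev->mu, &deadline);
    now = current_time_ms();
    if (now - start > timeout)
      break;
  }
  int res = ev->state;
  pthread_mutex_unlock(&ev->mu);
  return res;
}

// One worker slot: `ready` hands a call number to the thread, `done` reports
// completion back to loop().
struct thread_t {
  int created, call;
  event_t ready, done;
};

static struct thread_t threads[16];
static void execute_call(int call);
// Number of calls currently executing; touched only through __atomic_*.
static int running;

// Worker body: wait for a call number, run it, signal completion, repeat.
static void* thr(void* arg)
{
  struct thread_t* th = (struct thread_t*)arg;
  for (;;) {
    event_wait(&th->ready);
    event_reset(&th->ready);
    execute_call(th->call);
    __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED);
    event_set(&th->done);
  }
  return 0;
}

// Drive the eight calls twice: pass 0 runs each call and waits up to 50 ms
// for it; pass 1 ("collide") lets even-numbered calls overlap the following
// one by not waiting.  Each pass ends with a bounded drain of `running`.
// Threads are created lazily and persist across both passes.
static void loop(void)
{
  const int nthreads = (int)(sizeof(threads) / sizeof(threads[0]));
  for (int collide = 0; collide < 2; collide++) {
    for (int call = 0; call < 8; call++) {
      for (int thread = 0; thread < nthreads; thread++) {
        struct thread_t* th = &threads[thread];
        if (!th->created) {
          th->created = 1;
          event_init(&th->ready);
          event_init(&th->done);
          event_set(&th->done);
          thread_start(thr, th);
        }
        // Skip workers that are still busy with an earlier call.
        if (!event_isset(&th->done))
          continue;
        event_reset(&th->done);
        th->call = call;
        __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED);
        event_set(&th->ready);
        if (collide && (call % 2) == 0)
          break;
        event_timedwait(&th->done, 50);
        break;
      }
    }
    // Give in-flight calls up to ~100 ms to finish before the next pass.
    for (int i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++)
      sleep_ms(1);
  }
}

// Fallback syscall numbers, used only when the target headers do not define
// them; they were emitted by the generator for its target OS (they look like
// BSD syscall numbers — confirm against the target's <sys/syscall.h>).
#ifndef SYS_fcntl
#define SYS_fcntl 92
#endif
#ifndef SYS_mmap
#define SYS_mmap 197
#endif
#ifndef SYS_open
#define SYS_open 5
#endif
#ifndef SYS_sendmsg
#define SYS_sendmsg 28
#endif

// File descriptors produced by the open calls (cases 1, 2, 5) and consumed
// by the fcntl calls; -1 means "not yet obtained".  With collide, a consumer
// may legitimately see -1.
uint64_t r[3] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff};

// Execute one step of the generated program.  Every 0x2000xxxx address is an
// offset into the scratch mapping created in main(); flag and command values
// are the generator's raw constants (interpretation depends on the target OS).
static void execute_call(int call)
{
  intptr_t res = 0;
  switch (call) {
  case 0:
    // open("./file0", 0x200) -- the result is discarded.
    memcpy((void*)0x20000000, "./file0\000", 8);
    syscall(SYS_open, 0x20000000ul, 0x200ul, 0ul);
    break;
  case 1:
    memcpy((void*)0x20000080, "./file0\000", 8);
    res = syscall(SYS_open, 0x20000080ul, 0x800ul, 0ul);
    if (res != -1)
      r[0] = res;
    break;
  case 2:
    memcpy((void*)0x20000080, "./file0\000", 8);
    res = syscall(SYS_open, 0x20000080ul, 0ul, 0ul);
    if (res != -1)
      r[1] = res;
    break;
  case 3:
    // fcntl(r[1], 9, &struct at 0x20000040).  The struct (two u16, a u64 at
    // +8, a u64 at +16, a u32 at +24) looks like a record lock (struct flock)
    // — confirm the command and layout against the target's <fcntl.h>.
    // Note the buffer at 0x20000040 is also the first iovec base in case 4.
    *(uint16_t*)0x20000040 = 0;
    *(uint16_t*)0x20000042 = 0;
    *(uint64_t*)0x20000048 = 0x802;
    *(uint64_t*)0x20000050 = 0x2000100000001;
    *(uint32_t*)0x20000058 = 0;
    syscall(SYS_fcntl, r[1], 9ul, 0x20000040ul);
    break;
  case 4:
    // sendmsg on fd -1 with a header at 0x200013c0 (presumably a struct
    // msghdr: NULL name with length 10, three iovecs at 0x200011c0 of which
    // the first and third are filled, no control data).  The descriptor is
    // invalid, so only the kernel's argument copy-in is exercised.
    *(uint64_t*)0x200013c0 = 0;
    *(uint32_t*)0x200013c8 = 0xa;
    *(uint64_t*)0x200013d0 = 0x200011c0;
    *(uint64_t*)0x200011c0 = 0x20000040;
    memcpy((void*)0x20000040,
           "\xf5\x7c\x17\x91\x24\xba\xd7\x1e\xba\xb4\x18\x4c\x7c\x92\xb3\x41"
           "\x8b\x20\xa9\x67\x04\x5b\x56\xd5\x59\x54\xa1\x9e\x0a\x19\xde\xc3"
           "\xb1\x5c\xcb\x3f\x54\xd9\xfe\x6b\x1c\x7e\xbb\x72\x0b\x8f\x5c\x79"
           "\x4e\x39\xb6\x32\x6f\x68\x64\x76\x25\xf7\xf2\xb9\xb8\x4e\xd0\x10"
           "\xd5\x0f\x33\x9b\x29\xdb\xf5\x0d\x5f\x41\xbc\xbb\x97\xd3\x10\xc0"
           "\x22\xc4\x9a\x38\xbb\xc4\x27\xb2\x0c\x86\x91\x0c\xf3\x48\x39\xb9"
           "\x86\x72\xd6\x8c\xb8\x32\xa7\xa4\xc1\xe7",
           106);
    *(uint64_t*)0x200011c8 = 0x6a;
    *(uint64_t*)0x200011d0 = 0;
    *(uint64_t*)0x200011d8 = 0;
    *(uint64_t*)0x200011e0 = 0x20000100;
    // 4088 bytes of generator-produced filler for the third iovec.
    memcpy(
        (void*)0x20000100,
        "\x4a\xdf\xc7\xac\x43\xcb\x07\x70\x36\x83\x14\xea\xc8\xc3\xf6\x21\xee"
        "\x88\xae\x0d\x22\xeb\xb3\xbe\x94\x1d\x1d\xee\xb2\xf4\xb6\xb3\x91\xdb"
        "\x92\x38\x81\xac\xfc\xe3\xc0\x74\x83\x8f\x90\xf4\x62\xc3\x94\x28\x59"
        "\x0a\x6c\xd6\xea\x13\x54\x35\x34\x47\xb7\x0b\xf1\x70\x8e\xbf\x86\xc7"
        "\x35\x1e\x98\xd0\xd5\x1d\x67\xa5\x16\x37\xbf\x21\x94\xd2\x82\x08\x17"
        "\x71\x91\x72\x35\x61\xf1\x04\x05\xe0\xa3\xba\x2b\xe9\xf7\x9f\xaa\xa2"
        "\x41\xdf\x6d\x4e\x7b\x1c\x91\x33\x4d\x58\xbc\x43\x05\xff\x68\xc3\x90"
        "\x56\x49\x0e\x3b\x0d\xec\x16\xfe\xd2\xb6\xe1\xae\x07\x27\x2a\x80\x12"
        "\x81\x71\x61\x49\x03\x4b\x6e\x87\x4a\x8e\x5d\x40\x07\x9e\x2f\x18\x1a"
        "\xb5\xa0\xaf\x52\x16\xeb\x9b\xb9\x47\x9e\x25\x6e\x64\xbb\xf9\x4b\xf4"
        "\x35\x66\x25\x56\x96\x59\x9b\x35\x1b\xd1\x7e\xeb\xe0\xa4\x1d\x5f\x8e"
        "\xe3\x18\xdf\xf0\x73\xc2\x6c\x0f\x1f\x92\x24\xf1\x77\x24\xf9\x2e\xc9"
        "\xaa\xf4\x59\x63\xc7\xee\x00\x76\x82\x8d\x7d\x18\xbf\x32\xa3\xd7\xe2"
        "\x57\x3f\x94\xc9\xa1\xfa\xee\x3a\xee\x33\x61\x1e\x6c\x95\x8b\xd8\xea"
        "\x29\x89\xa1\x23\xb7\x63\x10\x31\x85\xdd\x7d\x16\x77\x26\x19\xc4\xcb"
        "\xdb\xd2\x35\x7b\xac\x4d\xad\xf4\xda\x61\x44\xa5\x5a\x93\xad\xb3\x21"
        "\xc3\xdb\x65\xd6\xe7\x6d\xa7\x9d\xbb\x35\xbc\x87\x99\x48\x6b\xe8\x06"
        "\x2f\x1b\x5b\xcc\x18\x6a\xd7\x91\xe6\xb6\x9e\x3f\xff\xf3\x3e\x51\xc1"
        "\x38\x86\x82\xea\xeb\x2e\x95\xe0\x9b\x90\xb7\x74\x76\x50\xfb\x05\xda"
        "\xd0\x0c\xa0\xec\x3e\x82\x05\xfe\x05\xe4\x2b\xe0\xc0\x1c\x38\x98\xb9"
        "\xd0\x31\xa5\x5c\x03\x65\xaa\x44\xe2\x3d\x1b\x33\x9f\xbb\x7e\x78\x1a"
        "\x1c\x51\xe3\x29\x43\x76\x55\xb9\xe4\x5d\xd9\x07\xc0\x40\x8a\x91\xd8"
        "\x6a\xcd\x50\x19\xfe\x21\xbc\x7e\xa8\x91\x30\x04\x8d\x0b\xfb\x2a\xa4"
        "\xfe\xa0\x4e\x83\x51\x8f\xcd\x1a\xd0\xda\xdd\x2c\xe2\xe9\x14\xae\xde"
        "\x3b\xe5\x46\x5e\x03\xc6\x7e\xd1\xcb\x00\xed\x74\x4c\x2c\xb3\x3b\xea"
        "\x9a\x58\x4e\x67\x6d\x54\x01\xde\x4e\x50\x27\xc6\xe8\x8b\xea\x35\xc3"
        "\xc7\x1e\x60\x01\x8b\x2b\xca\x9f\xf7\x92\x22\xdc\x09\x4c\x48\x16\x5a"
        "\xe4\x05\x98\x16\xb9\x60\x3a\xcc\x2a\x33\xee\xed\x94\x84\xd4\xa8\xf6"
        "\x48\x9e\xa5\x70\x4a\x04\x87\x8c\x05\x7d\x8d\x38\x93\x2a\x27\x1f\xee"
        "\x74\x7b\xfa\x6b\xe8\x5c\xaf\x07\x86\x6b\xc5\x14\x5f\xf8\xb6\x35\x40"
        "\xef\x84\xe0\x77\x7c\x0c\x05\xae\x3b\x9f\xbb\x41\xc7\xd3\xf2\x59\x18"
        "\xa5\xda\x3e\x51\xfa\x67\xbf\xb9\x83\x37\xda\x93\xde\x10\xc6\x1c\x1c"
        "\x85\x3a\x01\x5d\xc9\xa1\x26\xf6\x6e\xcb\x0a\xcc\xbb\x34\x72\x46\xde"
        "\x14\x8e\x5c\x17\x87\xb0\x3e\xe7\x52\x09\x7a\x39\x77\xbb\xb7\x66\x03"
        "\xcd\xbf\x17\x8f\xde\x33\x68\x4f\x66\x0d\x67\x44\x2c\xa8\xf8\x9f\xc6"
        "\xc2\x2f\xd7\xa6\x53\x3e\x8b\x15\xe8\x31\xfc\x5d\x2a\x9f\xe4\xe4\xdc"
        "\x85\xd8\xa2\xdb\xdf\x18\x4f\x73\x07\xd9\x5e\x0a\xbb\x4e\xc9\xa1\x64"
        "\xcd\xda\xe5\x01\x46\x31\x28\x4a\x70\x98\xee\xb4\x9a\xf9\xc2\x37\x8e"
        "\xbb\x2b\x41\xd3\xa8\x8e\x16\x1f\x42\x3c\xb9\x89\x0e\xfa\xe2\xe5\x3e"
        "\xf9\x33\xd5\x95\x3b\x5c\x81\x3e\xa8\x90\x61\xa5\x61\x00\x81\xe4\x84"
        "\xfc\xa3\x8a\x5d\x96\xc2\xe8\x13\xa4\x4d\x08\x04\xe6\xde\x9f\xe9\x9d"
        "\xdb\x9e\x5d\x2f\x0b\x28\x7f\xeb\xd5\xed\xfa\xca\x07\xc8\xf9\x39\xb1"
        "\xdf\x59\x51\xae\x59\x47\x6f\xcf\x9e\x60\x55\xb2\x32\x52\x5a\x83\x23"
        "\x47\xfa\x04\x6b\xcc\x9b\x0f\x41\xf4\x55\xb4\x00\x6f\x06\xe6\x1d\xab"
        "\x42\xb7\x26\xef\xff\xa7\x45\x8f\x2a\x34\x96\xa7\xee\x33\xd9\x7a\x35"
        "\xd9\x0f\x35\x41\x09\x0e\xca\x14\xc2\x7f\xb6\xb9\x4a\xc5\x1e\x0c\xcc"
        "\x99\x8a\xb9\xfc\x48\xfa\xf8\xe6\x53\x59\xff\x49\x24\xe0\xb3\xe3\xcd"
        "\xdb\x11\xe9\x5d\xe4\x1e\x59\x37\xdd\x7d\x65\xa4\x3d\xd3\x69\x2a\xe4"
        "\x0a\x86\xb0\x84\xeb\x46\xb9\xe6\x28\x11\xa2\xed\x23\xfa\xc9\x3c\xe7"
        "\xd9\x03\xc8\x4b\x4b\xe9\xce\xab\x7d\xde\xe1\x65\x62\x01\x5c\xdb\x1e"
        "\x67\xde\xf0\x9d\x6c\x5c\x49\xdf\x76\x80\xd2\x33\x20\xff\xdd\x73\x4c"
        "\x13\x6f\x23\xb2\x08\x98\xe4\xe5\xa9\x96\xe5\x1d\x21\x06\x05\xba\xcc"
        "\x4a\x2c\x75\x5d\x11\x9c\x9f\xe8\xbb\x72\xc2\x64\x39\xd6\xaa\x95\xb9"
        "\xce\xa4\x6c\xcc\xb7\xe5\x71\x28\x3d\xae\xe9\xb0\xed\x20\x7b\xac\x22"
        "\xbd\x51\x0b\xdc\x64\x60\x03\x8c\x6f\x3d\x41\x94\x5a\x1b\x9b\xce\x23"
        "\xc0\xfe\x32\xda\x7a\x66\x3c\x41\x5b\xe0\x29\x1b\x76\x92\xa5\xde\xe8"
        "\xe9\xa7\xe7\x6d\x9a\xb1\xf6\x88\xcf\x22\xc6\x23\x21\x37\xc2\xc8\x2c"
        "\x13\x31\x58\x41\x8c\xe4\x2f\x3f\x2b\x60\x7f\xd3\x34\xd4\x18\x12\x37"
        "\xd2\x9b\xd8\xfa\x3f\x89\x4b\xfd\xdb\x9a\x8b\xfa\xb1\xd2\xa1\xde\xd5"
        "\xb3\x15\x15\xd5\x46\xaa\xc7\xf1\x2a\x08\x03\x93\x3c\x54\x4d\x45\x21"
        "\x71\xc1\x89\xf1\xf0\xec\x1c\x92\xbb\xde\x70\x80\x42\x46\x82\x41\xe7"
        "\x89\xdb\xee\x83\x92\x30\xd4\xb2\xa0\xad\xb5\x7a\x81\x68\x26\x1f\x98"
        "\xf7\x63\x29\xb1\x8e\x6b\xd7\x01\x32\x9c\x6f\x59\x2e\x2a\x78\xc9\x9c"
        "\x2d\x15\xde\x14\x91\xd2\x0c\xee\xbc\xb2\x25\x5c\xed\xdc\x78\xd9\x74"
        "\xe9\x92\x12\xb6\x02\x78\x7f\x4d\x10\x50\x30\x90\x61\x9f\xf5\x35\x24"
        "\x44\x89\x0a\x4e\xb6\x10\xfe\x2d\xa3\x33\x13\x21\x54\xe6\xe2\xd4\x57"
        "\x2a\x6d\x8c\x2c\x3c\x27\x9d\x11\xb3\x68\xda\xeb\xd8\xfa\x3e\x2f\x6d"
        "\xb4\xd3\x28\xa7\xe9\xe2\x2b\xc2\xf5\x70\xb2\x01\xa2\x5b\x08\x63\x83"
        "\x6e\x70\x22\xe4\x29\x1c\x68\x5b\x1d\x2d\xb9\xa1\x79\xc7\x33\xc1\x1d"
        "\x69\x0c\x8c\xbe\xd5\x32\x1f\xe8\xe3\xf4\x14\xed\x7d\xac\x38\x0a\x8b"
        "\x56\x25\xa0\x71\xea\xcb\xa5\x30\x35\x67\xdd\x08\x56\x8a\xf2\x41\x21"
        "\x62\x4c\x14\x1b\x0c\x76\xc4\x66\xe1\x3f\xc5\x05\xa0\x4e\x35\x81\xbd"
        "\x01\x38\x1a\xee\x47\xf8\xbb\xb1\xd7\x98\xc3\x2a\xf0\xfc\x1d\xc3\x0f"
        "\x5e\x3c\x7b\xc8\xd9\x7b\x99\xca\x38\xed\x98\x0d\x8f\x5f\x16\xec\xbb"
        "\xc6\xe9\xbb\x1a\x36\xf8\x13\x5a\xf7\xbd\x7f\xc9\xf3\xe5\xa8\x36\x19"
        "\x31\x34\x53\xbe\x66\xa8\x4f\x28\xf1\xac\xed\x88\x90\xdf\xde\xab\xdb"
        "\xe4\x5a\xd4\x2d\x3f\xf9\xf1\x02\x70\x5a\xc7\x0d\x5b\xe1\xa3\xb1\x4d"
        "\x10\x09\xc6\xc4\x71\x8d\xfa\xdc\x7a\x99\xe7\x66\x59\xdb\xba\xd4\x78"
        "\xdf\x67\x33\xc8\x11\xe3\x1e\x09\x53\x8c\x20\x93\xa0\x29\x2f\xe3\x96"
        "\x38\x3d\x57\xd2\x6a\x46\xd3\x7b\xf5\xa3\xcf\xd1\x9e\xa5\x02\x68\xd9"
        "\x1c\x2e\x21\x3d\xea\x98\x20\x6e\x80\xea\xca\x65\x6a\x71\xd4\x36\x3e"
        "\x33\x0e\x9d\xcd\xcd\x6d\xca\x48\xf3\xc1\x40\xe0\xbb\xde\x9f\xde\x1c"
        "\x52\x22\x53\xe0\x85\x3b\x71\xc2\xf1\x66\x4c\xa7\xc6\xe9\xe4\x9c\x14"
        "\x8c\x0d\x0a\x06\x24\x4e\x86\x69\x96\x5f\x9a\x97\x0c\x28\x0c\x8c\x4f"
        "\xca\x28\x57\x4b\xf5\xcc\x09\x8c\x55\xe7\x69\xa1\x7b\x7c\x8f\x7e\x0d"
        "\x06\x37\xb8\x09\x9c\xb6\x97\x81\xea\x40\xcf\x33\x55\x5b\x9d\xd5\x76"
        "\xe7\xa0\x05\x16\xf2\xbc\xfe\xc5\x30\x13\xdb\x29\x1b\xc5\xad\xa5\x49"
        "\xba\x46\x31\xbd\xb1\xf2\x93\xe5\x6d\xe7\xfa\x91\x50\xcc\xc4\x92\x93"
        "\x59\xa1\x21\xd6\x61\x0a\x5d\xf4\x88\x81\x2d\x7d\xf9\x95\x69\xe9\x7a"
        "\xf5\xcf\x64\xb8\x77\xc3\x2b\x87\xea\xb4\x99\xbb\xcb\xe0\x6a\xf3\x51"
        "\x1c\xc9\x75\x2a\x57\x78\x8c\x6e\x75\x92\x8c\xa2\x8a\xf1\x17\x82\xb1"
        "\x7f\x6d\x76\xaf\x9f\x8f\xc3\xc5\xbb\x97\x8a\xd6\x71\x37\xc6\x4c\x45"
        "\x8d\xda\xe2\xa3\x50\x05\x1c\x13\x3a\x33\x23\xf4\x21\x8d\x39\xe5\x3e"
        "\x32\x40\x48\xf1\x24\xf0\x60\x2f\xb0\x93\xac\x1f\x39\xf5\xb3\xb4\x14"
        "\x02\x2b\x64\x0f\x62\x9c\xdd\xcf\xdc\xf5\x6a\xf5\x46\xb5\x3e\x05\x2a"
        "\x40\xff\x2e\x81\xdb\x6e\xd9\x0f\xcf\x43\xe8\xf0\x43\x60\x2e\xf4\x59"
        "\xc6\x38\xc0\xdd\x1b\x5a\x18\x62\xb5\x02\x2b\xb2\xef\x45\x5f\x57\xc9"
        "\x6f\x07\xc0\x3d\x7b\x82\xe7\x4c\xb1\x19\xe0\xd8\xd7\x1f\x08\x50\x6d"
        "\x88\x29\x23\x86\x7c\xf4\x94\x9f\xed\x6a\x30\xe9\xd5\xdc\xc8\xf9\x2e"
        "\xe7\x98\xfc\xc6\xb8\x4a\xaa\x74\x45\x0f\x39\x0e\x80\x9e\x3a\xc2\x8e"
        "\xc8\x49\x75\x68\x9c\x25\x5d\x6b\x2b\x4b\x1c\x8e\xe5\x04\x87\xde\x34"
        "\x1d\x05\x65\x5b\x3c\xb0\xd8\xeb\x68\xcc\x14\x27\x5d\xc2\xe8\xc9\x11"
        "\x9e\x85\xb1\xb9\x7f\xcc\xa8\xd7\xc0\x6e\x42\x48\xdd\xee\xee\x55\x8e"
        "\x2c\xe6\x09\x27\x2d\x63\xf4\x36\x40\x75\x4a\x7e\x00\xc1\xef\xa8\xbc"
        "\xb0\xc2\xfc\x3f\x03\x1a\xab\xd7\xbc\xbb\x42\x4a\xe7\x06\x21\x27\xbe"
        "\xac\x14\xb8\x48\xad\x8c\xb1\xa9\x33\x22\xbe\x24\x12\xf0\x80\xdc\xdd"
        "\x1d\xc1\xf9\xaa\x92\x34\x80\xe3\xf8\x68\xd4\xad\x05\xd6\x05\x32\x8f"
        "\x27\x43\xd4\x58\xef\x64\x95\x63\x14\xf0\x19\x47\xd7\xaa\x52\xb5\x93"
        "\x3e\x49\x8b\xb9\x3b\x14\x30\x0d\x10\x57\xf6\x33\x53\x5e\x08\x02\xbf"
        "\xb9\xcb\x0a\x81\xde\xbd\xfe\xf0\x8e\xc7\x80\x68\xe5\x22\xb0\xce\xeb"
        "\x0c\x15\x86\x5b\xcc\xe1\x66\xd1\xb5\x85\x2c\x84\x26\x7b\x09\xfd\x6b"
        "\xd2\x90\x27\x1f\x2e\xc9\xf6\x69\xee\xae\xee\xc4\xd4\x9d\x34\x5c\x33"
        "\x52\xb7\x3b\x31\x38\xe3\x68\x74\x43\x59\xb4\x79\xc3\xf8\x0c\x24\xc8"
        "\x56\x6a\xe3\x3b\xd7\x62\xe9\x41\x27\x6b\xee\x59\xb8\x3f\x52\xd0\x62"
        "\x50\xa6\x33\x77\x13\x9c\x88\x35\xc9\x1d\x4e\xc6\x21\x12\x33\x9b\x64"
        "\x74\xba\x14\xf1\x6a\x88\x1b\x49\x19\x48\x78\x12\x2b\xae\xbf\x78\xad"
        "\x26\xe8\xb8\xf6\x52\x67\x8b\xc8\xdd\xff\x81\x5b\xc1\xf3\xa2\x54\xac"
        "\xa1\xe8\x4e\x58\x1d\x7c\x90\x93\xc9\x08\xab\x31\x7a\x80\x16\xc9\x4e"
        "\x4d\x0f\x47\xa3\x20\xcb\x74\x6e\xc0\xa5\x0a\x57\xd5\xeb\xf9\xf5\x7a"
        "\xdc\xb2\x4f\x9f\x86\xc8\xfb\x00\x5f\x4d\x01\x99\x48\x28\x18\x3b\x9d"
        "\x89\xba\x4f\x52\x27\x6d\xbc\x26\x53\x4c\x39\x4f\x51\x1e\xbe\x2b\xc3"
        "\x75\x44\x96\xa3\x88\x7d\xbf\x06\x05\xd0\xf7\x35\x0c\xb2\xf6\x97\xcf"
        "\x9a\x1c\x86\x2a\xbe\x6d\x5e\x9b\xa8\xa6\x0d\x1e\x68\x4b\x07\xc3\xe3"
        "\x81\xbb\x29\x41\x3f\xea\xf6\xe5\x30\xd8\x83\xac\xa1\x78\xcc\x28\x17"
        "\x9d\x9c\x3e\x14\x3b\x69\x91\x29\xa2\x79\x41\x71\x28\x23\xc3\xc0\x7a"
        "\x82\xe5\x52\xf5\x35\x78\x79\xc9\xd0\xf9\xba\xd2\x84\xaf\x98\xdb\x26"
        "\x63\x99\x83\xfc\xee\x58\x84\xf0\xc2\xcd\x07\xdd\x03\x94\xf2\xb9\x9c"
        "\xfa\x95\x55\xe3\xb7\xb8\x9f\x68\xa1\xb4\xfb\x33\x52\xaf\x80\xd8\xac"
        "\x39\x6f\xcb\x75\x64\x5b\xd8\x8a\x01\x7d\x3e\xf2\xab\x03\x41\xfd\x48"
        "\xb9\xb7\x9a\x94\xcf\x84\x81\x22\x36\xdb\x20\x02\x5b\xe4\xa3\x62\x32"
        "\xff\x2e\x76\x10\x6c\x7e\x91\xcf\xeb\x08\x22\x78\x07\x20\x40\xb5\x76"
        "\xd2\x4d\xc9\xe4\x34\x52\x78\x5e\xa9\x47\x3c\xd1\xd8\x63\x6f\x9c\x93"
        "\x07\x3f\x4b\x6d\xf9\x7e\x19\x7a\x0e\x3d\x57\x4a\xcb\xc8\xb4\xe0\xcf"
        "\x2f\x88\x35\xff\x72\xfd\x55\x68\xb3\xd1\x59\x18\xb9\xa4\xa4\x9d\x46"
        "\x43\xe2\xaf\x35\x0d\x50\xb4\x4a\x4b\x89\x9f\x38\x3e\x6e\xe7\xc0\xad"
        "\xc4\x87\x26\x95\xaf\xbf\xd7\x7b\x9e\x9a\x0f\x90\x62\x92\x9d\x81\xd7"
        "\xc3\xe6\x25\x7b\x9d\x43\xfb\xa1\x2b\xda\x2a\x6e\x6d\x56\x84\x1a\x67"
        "\x74\x4d\x2f\xfe\x70\x9c\xa5\x1c\xc9\xed\x9a\x09\xd4\x91\x64\xb0\x16"
        "\x9c\x42\xf3\x47\x98\x01\xb6\x3c\x8a\x97\xfb\x9c\x4a\x4e\x54\x2e\xf1"
        "\x47\x75\xf2\x6a\xb7\x8a\x68\xf6\xa6\x20\x81\x3f\x5c\x63\x74\x0c\x2c"
        "\x32\x49\x73\xfa\xcf\x7e\xb4\x78\x2f\xc4\xa1\x00\x1e\x3d\xdb\x0b\x6e"
        "\x06\x33\x8e\x86\x17\xf4\x9d\x8b\xb9\x51\xd6\x98\xef\x45\xa8\x43\x6d"
        "\x5b\xe4\x7c\x7c\x65\xc2\x06\x89\xc7\xc8\xff\x97\x05\x47\x68\x4a\xa8"
        "\x00\x8f\xf8\x6a\xd3\xd0\x00\x77\x12\xf4\x6a\x8e\x72\x9b\x3a\x3a\x14"
        "\xc1\x69\x7d\xdb\xcd\x5a\x8f\x2b\xe8\x0a\x80\xfd\xac\x76\x0e\xc3\xdc"
        "\x06\xb7\xa7\x29\x5b\x4f\xec\x66\x45\xe7\xaa\x0b\x0f\x71\x6a\xff\x2f"
        "\x14\x65\x00\x2b\x95\x98\x02\xb8\x4a\xf4\x05\x8d\x4a\x97\x48\x60\xe3"
        "\x40\xc9\xb7\xb8\x93\x22\x17\x4d\xfc\xde\xa3\x6f\x24\x90\x9e\xa0\xd5"
        "\x76\x70\xb4\x8f\xc6\xad\xf7\xdd\x72\x1a\x61\x20\xa1\x35\xac\xf0\xb8"
        "\x31\x18\xc9\x5d\x6b\x60\x56\x0e\xa7\x05\xa2\xbb\x69\x5f\xd7\x1b\xb0"
        "\xe3\xcb\x17\x79\x52\x5b\x17\xd5\x5c\x7f\x24\x03\xad\xf9\x82\xd9\x2a"
        "\x36\xe0\xd1\x40\xdd\x27\xd2\x02\x2a\x5e\x12\xbc\xb6\x4a\x4a\x93\xd3"
        "\x3e\x4e\xae\x03\x7b\x1e\x9f\xbc\x95\xcd\x2f\xd6\x0f\x56\xa5\xdc\x37"
        "\xe4\x04\xe1\xf9\x07\x1b\xcd\x1f\x9d\xe0\xb7\xe8\x56\xe3\xd9\x08\xd0"
        "\xe2\x10\xb1\xb4\xec\xa3\x58\x8b\x27\x83\x8c\x76\x78\xfd\x9d\xf4\xb5"
        "\xb9\x43\x76\x51\xb7\xb8\x24\xb1\x1f\xbe\x5b\x1f\xc8\x16\xb3\xc6\x33"
        "\x99\xee\x70\xc7\x46\x09\xce\x05\x97\xee\xef\x65\x75\x62\xd3\x7f\x93"
        "\xeb\xc5\x3a\x93\x57\x0f\x2a\xa9\x3e\xb0\xe9\xa5\x33\x0c\xcc\xd2\x01"
        "\xdb\xb9\x80\x25\x22\x73\xe0\x6f\xd5\xcf\x8b\xe3\x19\xc1\x71\xaa\x8a"
        "\x92\xf7\x74\x29\x43\x56\x7d\xa1\xef\xdf\x1c\x81\x2c\x0f\xd9\x4f\x75"
        "\x7d\x52\x93\x1f\x55\x0e\xcc\xb8\x4e\xab\xca\xfa\x80\x91\xc9\x03\xf9"
        "\x54\x7f\x80\x78\x22\x16\x21\x70\x15\xdd\xc2\xd0\x6e\xa9\xf4\x67\xed"
        "\x88\x99\x56\xc2\xf8\x9d\x76\x06\x4c\x3d\xad\xa1\x88\xdf\xed\x2b\x18"
        "\x9c\xdf\x31\x59\x6d\x8e\x56\x6a\xfc\x7c\xb7\x50\xa8\x94\x5c\x14\x04"
        "\x31\x4f\xfa\xb6\x0c\x04\x9f\xa2\xe0\xb4\x18\xaa\xd9\x59\xd0\x41\xc0"
        "\x3c\xb3\x3b\x00\x38\x8b\x63\xb2\xf2\x4b\x68\xd5\xbb\x98\xd6\xe8\x88"
        "\x2e\x75\x9a\x02\x81\x75\xd4\x1e\xf6\x9d\x34\x9a\xd6\xfa\xc2\x67\x0e"
        "\x7d\xaf\x3e\x7b\x87\x19\xf9\xaa\x65\x99\xfb\xa5\xc4\xf6\x95\xb8\x8d"
        "\x52\x58\xc9\xbc\x40\xd2\x69\x6a\x85\x4a\xad\xfe\x06\x98\x8b\xa4\x4e"
        "\x34\x3a\x6d\x94\xca\x60\x34\x87\xc3\x41\x7d\xfd\x2c\x39\x93\x0e\x15"
        "\x21\x96\x5a\xfd\x3d\x8c\xdb\x96\xfa\x0f\x44\x3a\x3a\x00\x24\x32\xa3"
        "\x74\x90\xbe\x15\xeb\xc6\x48\x86\x43\xbc\x40\x33\xe3\xaf\x3c\x2e\x64"
        "\x77\x94\x90\x9b\xa2\x71\x77\x3b\x5c\x1c\x08\x57\xd9\xc3\x91\xd2\xef"
        "\x30\x91\xe2\x03\x81\xf1\x19\xfe\x3b\xa3\x60\xff\x41\x75\xff\x13\x6b"
        "\x02\x92\xf5\x0a\xbc\x1d\x0f\x2a\xbd\x29\xfd\x7c\x2b\x8e\xb3\xdb\x62"
        "\x14\xfb\xee\x1b\x49\xc4\x96\xda\x05\x64\xeb\x48\xb3\x76\x82\xd4\x1e"
        "\xf3\x31\xcb\xc2\xe4\xf6\x0e\xea\xf5\x2a\xb6\x39\x01\xb3\x20\x50\x1b"
        "\xee\xf2\x0b\x3a\xca\xf8\xae\x11\xb6\xbe\x20\x30\x2b\x52\x25\x70\xcc"
        "\xaf\x8f\x23\x1d\x8a\xf8\x34\x7b\x4e\xb5\x87\x56\xa2\x18\xd8\x57\xff"
        "\xe8\x9c\x57\x44\x4e\xd7\x1d\xc9\x05\x37\xb6\xcb\x11\x12\x11\x38\xe1"
        "\x5f\xc0\x7a\xe2\xc0\x8d\x02\x4b\x19\xee\x77\xf4\xb0\x90\x01\xf9\x9d"
        "\x0f\x28\x1a\x80\xe8\xe2\x96\x72\x23\x5d\x4a\x97\xea\x20\x98\x02\x7d"
        "\x21\x31\x2d\xe5\xf7\x86\x03\x1e\xb6\x3e\xfe\x18\xdb\x9f\xb2\x7b\xfa"
        "\x31\x95\xfc\x3a\x59\x2b\x89\x1e\x3b\x04\x39\xd0\x1c\x35\xaa\x24\x7e"
        "\x3a\x4a\x35\x3c\xd7\xa2\xf2\x0b\xa0\x32\x3a\x65\x30\x1e\x62\xe8\x10"
        "\xaf\x8b\x48\x14\x9a\x6d\x1c\x9d\xe7\x9b\x5d\x2e\xe1\xf7\x50\x0c\x61"
        "\x71\x38\x6b\xb7\x7d\x61\x8f\x88\x8f\x7c\xe8\x6e\x70\x1b\xd1\x64\x10"
        "\xcb\x46\x92\xe8\x73\xfd\x83\xff\xd0\x8e\x50\x13\x72\x31\x5d\x40\xa9"
        "\x83\x17\x51\x25\x69\xd1\x48\x87\x92\x01\xf8\x3f\x3c\xde\xa5\x8a\xd9"
        "\x0b\xfe\xb0\x80\xe3\x39\xd9\x70\xe2\x15\xab\x30\xe2\x51\x27\xb4\x00"
        "\x0e\x5a\x1e\x1d\x8e\x48\x94\x88\x27\x5b\x1e\xb3\x35\x6e\x05\x05\x92"
        "\x1a\x38\xac\x0d\xda\xa5\xe4\x5f\xf1\xb8\x2b\x1f\xe2\xa1\xe6\x4a\x1b"
        "\x28\xc1\x37\x63\xb1\xd4\x5b\x84\x4c\xc9\xa9\x4a\x25\xc7\xee\xb4\xa7"
        "\x2a\x18\x9c\x49\xea\xb3\x9e\xe2\x1d\x82\x91\x21\x0c\xe5\xd2\x4b\x93"
        "\x3f\x90\xfe\xf8\xec\x16\xdc\x4d\x3c\xbf\x60\x11\xe9\x99\x8d\x02\x9b"
        "\x55\x66\x3d\x46\x23\x6a\x58\x4a\xd8\xdf\x86\x2c\x48\x64\xa5\x31\x8d"
        "\xf0\x2b\x78\xc9\x8d\x8b\x88\x83\xdd\xe3\xf1\x70\x49\x30\x10\x79\x1b"
        "\xb3\x31\x99\x30\x5d\xab\xb3\x05\x1b\x18\xc4\x37\x1f\x83\x77\x5b\xfa"
        "\x1b\x97\x37\x7a\x23\xa4\x28\x8b\xfe\xa4\x69\x16\xb4\xba\xd0\x0c\xe8"
        "\x88\x88\xff\xf9\xb7\x10\x7b\x32\xb2\x97\x18\x3d\x01\x6b\x2f\x60\x31"
        "\x83\xda\xed\x16\xf0\xef\x4c\xcb\x64\x70\x73\xfa\xa2\xe4\x59\x63\x21"
        "\x9b\x13\x3e\x3b\x60\x02\x42\xd7\x36\xbd\x84\xe5\x5d\x56\x92\x53\x8d"
        "\xd6\x46\x57\x61\x54\xb2\xfc\x65\x83\x52\xe4\xf6\xeb\x1f\x5a\x4c\xec"
        "\x2a\xc4\xf1\xf8\x81\x6f\xa3\x48\xf5\x66\x46\xdd\x66\xcb\xfa\x1a\x80"
        "\x7b\xec\x81\xd7\x6f\x17\xd0\x4e\x1f\x1e\xa6\x47\x74\x76\x4b\x39\x55"
        "\x3a\x3f\x85\x74\xc1\x61\x36\x06\xa9\x75\x24\xc1\x52\x78\xac\x25\xf1"
        "\x8c\xea\xf1\x18\x2c\xd2\x83\xce\x88\x4c\x8e\xc2\x27\xc6\x2d\x1a\xf0"
        "\x59\x63\xbe\xf0\xc9\x1a\xd9\xc7\x0e\x2d\xe6\x8f\x97\x76\x31\x81\xec"
        "\x8c\x9f\xfd\x93\x7f\xb9\x2b\x35\x47\xde\x9c\x99\x7a\xb6\xaa\xf1\x36"
        "\x98\x44\x17\xd7\xed\x4b\xb3\xdf\x58\x1d\x96\xfd\x24\x9e\xdb\xdd\x07"
        "\xb0\x4e\xba\xbc\x21\xea\x92\x07\xdc\xf0\x9a\xc2\x26\xe4\x87\xa8\x4b"
        "\x5f\xec\x40\x43\xab\x0f\xb3\x0c\xc0\x5b\xb4\xa5\x1f\x79\x30\x68\x15"
        "\x84\xff\x15\x6e\xf3\x44\xc4\x89\x37\xfd\x33\x0c\x5e\x3c\x3c\x4b\x44"
        "\x14\x62\x43\x4f\xef\x7e\xdb\xdf\x58\x41\x89\x90\xe7\xae\xa6\x94\xe6"
        "\xf3\x50\x13\x86\x30\xab\xfb\xca\xa4\xd7\xfc\x69\xfe\x50\x12\x15\x5a"
        "\xc0\xa6\x51\x05\x31\x6d\xdc\x8d\x44\xc3\xcf\xfa\x9c\xc2\xe5\x12\x20"
        "\xbe\x86\x25\x06\x05\x68\xe4\xfd\x5c\x65\x69\x10\x0a\xca\xfe\xda\x4b"
        "\x04\x32\x86\x61\x98\xaa\x9a\x2c\xf8\xce\xbf\x02\x07\x8e\x84\x78\x4a"
        "\x14\xda\x65\x0e\xa0\x52\xca\xd7\x05\x36\xce\xde\x28\x81\x1c\x95\xa6"
        "\x17\xb3\xe2\x2d\xfc\xbb\x40\xbf\x7d\xa0\x8b\xc5\x18\xb0\x01\x36\xf1"
        "\x22\x6e\xf8\x22\x0a\xaa\x7d\x01\x6c\x82\x07\xb6\xf7\xff\xbf\x60\xd4"
        "\xc2\x56\xdd\x6c\x10\x1e\x8f\x17\xfd\xf9\x81\x85\x33\x8a\xe4\x63\xa2"
        "\x53\x1c\x73\x81\x95\x14\x41\xf3\xea\x59\xb0\x9e\x8d\x6e\x58\x15\x8e"
        "\xed\xdc\x63\x8f\x7f\x1a\x2e\x4c\xf9\x6c\x6e\x90\x12\xae\xc8\x57\xeb"
        "\xbe\xd5\x26\x90\x95\x78\xf8\x67\x13\xed\x69\x76\xa4\x78\x66\x2a\xd5"
        "\x6f\x72\xb4\xf9\xed\x98\x7c\x95\x31\x7f\xd1\x97\x0b\x7e\xbc\xf8\x6c"
        "\x50\x44\xd6\xe2\x17\x3f\x9d\xc8\x76\xe1\xf5\x2c\xdd\x5e\x91\x94\x82"
        "\xf1\x44\x4b\x31\xfb\xd7\x2f\x95\xad\xa6\xa5\xcf\xcd\xe1\xb1\x93\x19"
        "\xe9\xe0\x83\x62\x37\x9d\x8e\xe9\x51\x25\xb2\xda\x37\x77\xd8\x86\x35"
        "\xf7\xb2\x44\x61\xd2\x80\x9f\xe8\xc5\x2b\x8c\x1c\xd0\x77\xac\x9e\x81"
        "\xfc\xcf\x9e\x4f\x45\x90\xbd\xe4\x64\x31\xd9\x97\xbf\x64\x8e\x59\x39"
        "\xc5\x18\xf0\x2a\xe5\xb8\x99\x24\xf1\xea\xf5\x5d\xea\xc8\x3a\xae\x9f"
        "\xab\x46\x09\x03\xea\xf7\xd9\x2e\x2e\x6d\xdf\x85\xc4\x3c\x64\x2e\x37"
        "\xf6\xb8\x38\xa2\x79\x5c\xe2\xb9\xaf\x6f\x2a\xba\x1d\x9e\xc6\xfe\x9c"
        "\xee\x3c\x66\x64\xb2\x0a\x69\x7e\x92\xd6\x43\xb6\x67\xb0\x80\x15\x4c"
        "\xb7\x93\xe6\x95\xc4\x14\xf8\x42\x2a\xac\x01\xbc\x48\xf2\x9e\x18\x27"
        "\xe1\x6f\x3a\x5d\x93\x7d\xa5\x1f\xe5\xc6\xe5\x28\x52\x0a\x3d\xfa\xc0"
        "\xd7\x05\x2e\x13\x29\x94\x04\xec\x6e\x90\x4d\x0f\x5c\x79\xe2\x46\xb8"
        "\x54\x4f\x82\xf6\xd4\x79\x0b\x2d\x12\x44\xa6\x9c\xc8\x52\x60\x50\x97"
        "\xfd\x90\x25\x59\xf5\xc6\xf8\x94\x17\xf4\x87\xee\x0b\xff\x30\xa0\xc7"
        "\x02\x8e\x23\x46\xae\x3c\xc0\x6c",
        4088);
    *(uint64_t*)0x200011e8 = 0xff8;
    *(uint64_t*)0x200013d8 = 3;
    *(uint64_t*)0x200013e0 = 0;
    *(uint64_t*)0x200013e8 = 0;
    *(uint32_t*)0x200013f0 = 0;
    syscall(SYS_sendmsg, -1, 0x200013c0ul, 8ul);
    break;
  case 5:
    memcpy((void*)0x20000140, "./file0\000", 8);
    res = syscall(SYS_open, 0x20000140ul, 0ul, 0ul);
    if (res != -1)
      r[2] = res;
    break;
  case 6:
    // Same struct shape as case 3, on the descriptor from case 5.
    *(uint16_t*)0x20000180 = 0;
    *(uint16_t*)0x20000182 = 1;
    *(uint64_t*)0x20000188 = 0;
    *(uint64_t*)0x20000190 = 0x2000100000002;
    *(uint32_t*)0x20000198 = 0;
    syscall(SYS_fcntl, r[2], 9ul, 0x20000180ul);
    break;
  case 7:
    // Same struct shape as case 3, on the descriptor from case 1.
    *(uint16_t*)0x200001c0 = 0;
    *(uint16_t*)0x200001c2 = 0;
    *(uint64_t*)0x200001c8 = 0x1000000000000000;
    *(uint64_t*)0x200001d0 = 0x2000100000001;
    *(uint32_t*)0x200001d8 = 0;
    syscall(SYS_fcntl, r[0], 9ul, 0x200001c0ul);
    break;
  default:
    // loop() only hands out 0..7; anything else is a programming error.
    break;
  }
}

int main(void)
{
  // Map the 16 MiB scratch region that every fixed address in execute_call
  // points into.  The flags value 0x1012 is the generator's raw constant
  // (it looks like MAP_PRIVATE|MAP_FIXED|MAP_ANON on the BSDs — confirm
  // against the target's <sys/mman.h>).  The original ignored the result,
  // so a failed mapping surfaced as a SIGSEGV on the first store instead of
  // a clean exit.
  intptr_t res = syscall(SYS_mmap, 0x20000000ul, 0x1000000ul, 3ul, 0x1012ul,
                         -1, 0ul, 0ul);
  if (res == -1)
    exit(1);
  loop();
  return 0;
}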