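// https://syzkaller.appspot.com/bug?id=130cae4a4387fae6614fccf5eed180400ea30948
// autogenerated by syzkaller (https://github.com/google/syzkaller)
//
// Kernel-bug reproducer. Its purpose is to make the Linux kernel misbehave, so
// treat it as hostile to the host it runs on:
//   * run it only inside a disposable VM, never on a machine you care about;
//   * loop() is unbounded: it forks a fresh child every iteration and never
//     returns, so the process must be killed externally;
//   * kill_and_wait() writes to /sys/fs/fuse/connections/*/abort, which aborts
//     every FUSE connection visible to the process, not just its own;
//   * setup_test() sets oom_score_adj=1000, making each child the preferred
//     OOM-killer victim;
//   * the bpf(2) and rtnetlink calls in execute_one() presumably need
//     CAP_SYS_ADMIN / CAP_NET_ADMIN (or relaxed sysctls) on the target kernel;
//     every syscall failure is deliberately ignored.
//
// The #include list was lost when this listing was extracted (18 bare
// "#include" tokens survived); the headers below were reconstructed from the
// identifiers this file actually uses.
#define _GNU_SOURCE

#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

/* Sleep for `ms` milliseconds. Thin wrapper over usleep(); EINTR is not retried. */
static void sleep_ms(uint64_t ms)
{
  usleep(ms * 1000);
}

/*
 * CLOCK_MONOTONIC in milliseconds; only used for the per-child timeout in
 * loop(). Terminates the process if the clock is unavailable, since the
 * reproducer cannot bound child lifetime without it.
 */
static uint64_t current_time_ms(void)
{
  struct timespec ts;
  if (clock_gettime(CLOCK_MONOTONIC, &ts))
    exit(1);
  return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}

/* Mask covering `bf_len` bits starting at bit `bf_off` (bf_len must be < 64). */
#define BITMASK(bf_off, bf_len) (((1ull << (bf_len)) - 1) << (bf_off))

/*
 * Read-modify-write the bit-field [bf_off, bf_off+bf_len) of the `type`-sized
 * word at `addr` with `val`.
 *
 * `htobe` is an optional byte-swap macro applied on both load and store so
 * that big-endian wire fields can be patched in place; every caller in this
 * file passes it empty (no swap). `addr` is evaluated more than once, so it
 * must be side-effect free.
 *
 * NOTE(review): execute_one() applies this to a uint16_t at the odd address
 * 0x20000023. That is a misaligned access and is only safe on targets that
 * tolerate it (the x86 this reproducer was generated for).
 */
#define STORE_BY_BITMASK(type, htobe, addr, val, bf_off, bf_len)          \
  *(type*)(addr) =                                                        \
      htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) |       \
            (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len))))

/*
 * printf-style write of a short string into an already existing file.
 *
 * `file`: path opened O_WRONLY|O_CLOEXEC (never created or truncated).
 * `what`: printf format; the rendered text is capped at 1023 bytes.
 * Returns true only if the whole rendered string was written by a single
 * write(2); otherwise false, with errno reflecting the open()/write() error
 * (errno is preserved across the close()).
 */
static bool write_file(const char* file, const char* what, ...)
{
  char buf[1024];
  va_list args;

  va_start(args, what);
  vsnprintf(buf, sizeof(buf), what, args);
  va_end(args);
  buf[sizeof(buf) - 1] = 0; /* belt and braces; vsnprintf already terminates */

  int len = strlen(buf);
  int fd = open(file, O_WRONLY | O_CLOEXEC);
  if (fd == -1)
    return false;

  if (write(fd, buf, len) != len) {
    int saved_errno = errno; /* close() may clobber errno */
    close(fd);
    errno = saved_errno;
    return false;
  }

  close(fd);
  return true;
}

/*
 * SIGKILL the test child `pid` (plus its process group, see setpgrp() in
 * setup_test()) and reap it, storing the wait status in `*status`.
 *
 * After ~100 ms of polling without the child becoming reapable, every
 * /sys/fs/fuse/connections/<id>/abort is written to. Presumably this is for
 * children blocked inside a FUSE request, which SIGKILL alone cannot wake;
 * note that it tears down ALL FUSE connections on the system. Any write of
 * any byte triggers the abort -- the byte written here is simply the first
 * character of the path buffer. Finally we block until `pid` is reaped; any
 * other child reaped by the waitpid(-1, ...) calls along the way is
 * silently discarded. The final loop can hang forever if the child never
 * becomes reapable.
 */
static void kill_and_wait(int pid, int* status)
{
  kill(-pid, SIGKILL);
  kill(pid, SIGKILL);

  for (int i = 0; i < 100; i++) {
    if (waitpid(-1, status, WNOHANG | __WALL) == pid)
      return;
    usleep(1000);
  }

  DIR* dir = opendir("/sys/fs/fuse/connections");
  if (dir) {
    struct dirent* ent;
    while ((ent = readdir(dir)) != NULL) {
      if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
        continue;
      char abort[300];
      snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort",
               ent->d_name);
      int fd = open(abort, O_WRONLY);
      if (fd == -1)
        continue;
      if (write(fd, abort, 1) < 0) {
        /* best effort: nothing useful to do if the abort write fails */
      }
      close(fd);
    }
    closedir(dir);
  }

  while (waitpid(-1, status, __WALL) != pid) {
  }
}

/*
 * Per-child setup, run in the forked child right before execute_one():
 *  - PR_SET_PDEATHSIG: die with SIGKILL if the parent goes away;
 *  - setpgrp(): own process group, so kill(-pid) in kill_and_wait() also
 *    reaches anything the test itself forks;
 *  - oom_score_adj=1000: be the first thing the OOM killer picks.
 * The write_file() result is intentionally ignored.
 */
static void setup_test(void)
{
  prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
  setpgrp();
  write_file("/proc/self/oom_score_adj", "1000");
}

static void execute_one(void);

#define WAIT_FLAGS __WALL

/*
 * Run execute_one() in a fresh child, forever. Each child gets up to 5 s
 * (polled every 1 ms); on timeout it is killed and reaped via
 * kill_and_wait(). A fork() failure terminates the whole reproducer.
 * Never returns.
 */
static void loop(void)
{
  for (;;) {
    int pid = fork();
    if (pid < 0)
      exit(1);
    if (pid == 0) {
      setup_test();
      execute_one();
      exit(0);
    }

    int status = 0;
    uint64_t start = current_time_ms();
    for (;;) {
      if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
        break;
      sleep_ms(1);
      if (current_time_ms() - start < 5 * 1000)
        continue;
      kill_and_wait(pid, &status);
      break;
    }
  }
}

/* 321 is the x86-64 syscall number; other architectures need their own. */
#ifndef __NR_bpf
#define __NR_bpf 321
#endif

/*
 * Resource table filled by execute_one():
 *   r[0] -- fd of the first bpf program load, r[1] -- the netlink socket,
 *   r[2] -- fd of the second bpf program load.
 * Initialised to -1 (all ones) meaning "not obtained"; each slot is only
 * overwritten on success, so a failed syscall leaves -1 to be passed to the
 * later calls that consume it.
 */
uint64_t r[3] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff};

/*
 * One iteration of the reproducer (runs in a forked child). Every syscall
 * argument is built by poking raw bytes into the fixed RWX scratch mapping at
 * 0x20000000 that main() creates; field offsets are literal and the layout is
 * little-endian. Return values are ignored apart from the three descriptors
 * saved in r[].
 *
 * Sequence: load a bpf program (cmd 5) -> test-run it (cmd 0xa) -> open a
 * netlink socket -> load a second, 3-instruction bpf program (cmd 5) ->
 * sendmsg() one rtnetlink message that references the second program's fd.
 *
 * NOTE(review): the constant/field names in the comments below are decoded
 * from the Linux uapi layouts (union bpf_attr, struct bpf_insn, struct
 * nlmsghdr / ifinfomsg / nlattr, IFLA_*). Verify them against the target
 * kernel's headers before relying on them; the code itself only uses the
 * raw numbers.
 */
static void execute_one(void)
{
  intptr_t res = 0;

  /* --- 1. bpf(cmd=5 [BPF_PROG_LOAD], attr=0x20000200, size=0x48) --- */
  *(uint32_t*)0x20000200 = 0xc;        /* prog_type 0xc [BPF_PROG_TYPE_LWT_XMIT] */
  *(uint32_t*)0x20000204 = 0xe;        /* insn_cnt = 14 -> only 112 bytes of insns */
  *(uint64_t*)0x20000208 = 0x20000580; /* insns */
  /*
   * 1855 bytes are copied, but with insn_cnt=14 only the first 112 bytes are
   * instructions; the remainder is fuzzer residue that this call never reads.
   * NOTE(review): decoded by hand, the 14 insns set up r2/r3/r4 from a stack
   * slot, do two bounds checks, call helper 0x0d, set r0=0 and exit --
   * confirm with bpftool/llvm-objdump rather than trusting this note.
   */
  memcpy(
      (void*)0x20000580,
      "\xb7\x02\x00\x00\x01\x00\x00\x00\xbf\xa3\x00\x00\x00\x00\x00\x00\x07\x03"
      "\x00\x00\x00\xfe\xff\xff\x7a\x0a\xf0\xff\xf8\xff\xff\xff\x79\xa4\xf0\xff"
      "\x00\x00\x00\x00\xb7\x06\x00\x00\xff\xff\xff\xff\x2d\x64\x05\x00\x00\x00"
      "\x00\x00\x65\x04\x04\x00\x01\x00\x00\x00\x04\x04\x00\x00\x01\x00\x7d\x60"
      "\xb7\x03\x00\x00\x01\x00\x00\x00\x6a\x0a\x00\xfe\x00\x00\x00\x00\x85\x00"
      "\x00\x00\x0d\x00\x00\x00\xb7\x00\x00\x00\x00\x00\x00\x00\x95\x00\x00\x00"
      "\x00\x00\x00\x00\x49\x6c\x06\x00\x7f\xb4\x78\x28\x37\xf8\xc8\x90\x3a\x43"
      "\x1c\xa7\x11\xfc\xd0\xcd\xf2\x14\x6e\xc5\x61\x75\x03\x79\x58\xe2\x71\xf6"
      "\x0d\x25\xb7\x93\x7f\x02\x00\x05\x00\x5a\x07\x6d\x83\x92\x3d\xd2\x9c\x03"
      "\x40\x55\xb6\x7d\xaf\xe6\xc8\xdc\x3d\x5d\x78\x7a\x74\xa0\x09\x1f\xf1\x10"
      "\x02\x6e\x67\x62\x6d\x2e\xfe\x31\xab\x7e\xa0\xc3\x4f\x17\xe3\xad\x6e\xa4"
      "\x06\x62\x20\x03\xb5\x38\xdf\xd8\xe0\x12\xe7\x95\x78\xe5\x1b\xc7\x30\x99"
      "\xe9\x0f\x45\x2d\x7c\xbd\xb9\xcd\x38\xbd\xb2\xca\x8e\xeb\x07\x00\xab\x3a"
      "\x14\x81\x7a\xc6\x1e\x4d\xd1\x11\x83\xa1\x34\x77\xbf\x7e\x06\x0e\x36\x70"
      "\xef\x0e\x78\x9f\x65\xf1\x32\x8d\x67\x04\x90\x2c\xbe\x7b\xc0\x4b\x82\xd2"
      "\x78\x9c\xb1\x32\xb8\x66\x7c\x21\x47\x66\x19\xf2\x8d\x99\x61\xb6\x3e\x1a"
      "\x64\x2a\x00\x00\x00\x00\x00\x00\x00\xf6\xc2\xa6\x60\xa1\x7e\x3c\x18\x4b"
      "\x75\x1c\x51\x16\x0f\xbc\xbb\xf3\x5b\x1e\x7b\xe6\x14\x8b\xa5\x32\xe6\x08"
      "\x3b\xe8\x93\x58\xb2\xd0\x24\x21\x79\x7e\xea\x09\xc3\x46\xdf\xeb\xd3\x1a"
      "\x08\xb3\x28\x08\xb8\x02\x00\x00\x00\x00\x00\x00\x00\xb1\xa1\x3f\x3d\xd0"
      "\x41\xe0\x2a\xe7\x11\x13\x61\x0e\x10\xd8\x58\xe8\x32\x7a\xf0\x1f\xb6\xc8"
      "\x6a\xda\xc1\x22\x33\xf9\xa1\xfb\x9c\x2a\xec\x00\xb4\xee\xa0\xc6\xe9\x57"
      "\x67\xd4\x2b\x4e\x54\x86\x1d\x02\x27\xdb\xfd\x2e\x6d\x7f\x71\x5a\x7f\x3d"
      "\xea\xdd\x02\x00\x00\x00\x00\x00\x00\x00\x37\x67\xd2\xe2\x4f\x29\x6e\xa0"
      "\x18\x2b\xab\xc1\x8c\xae\x2e\xd4\xb4\x39\x0a\xf9\xa9\xce\xaf\xd0\x7e\xd0"
      "\x0b\x00\x00\x00\x2c\xab\x15\x4a\xd0\x29\xa1\x19\xca\x3c\x97\x27\x80\x87"
      "\x00\x14\x60\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x36\x2d"
      "\xfa\x83\x2b\xdf\xf1\x90\xad\xc5\xf9\xd5\x55\xca\x2c\x46\x61\x08\x11\xa4"
      "\xe7\x8e\x94\xd6\xa1\x33\x53\x9b\x4e\x39\xa1\x37\xe8\x79\x79\x3c\xe5\x77"
      "\x7f\xca\x90\x37\x68\xbf\x93\x14\x72\xd4\xab\x6b\x17\x03\x08\x7d\x22\xb5"
      "\x95\x00\x00\x00\x00\x01\x00\x00\x00\xcb\x8b\xea\x23\x9e\xdc\xb5\x0e\x90"
      "\xa6\x60\x37\x5a\xcf\x43\xaa\x14\x99\x8f\x3c\x67\x45\x91\x69\xeb\xb5\xf3"
      "\x66\x78\x95\x4f\xc6\x28\xef\x23\xcb\x78\xbe\x38\x34\x4e\x12\xd5\x0e\xa4"
      "\x9c\x5e\xef\x21\x9d\x29\x99\x9b\xa9\xb6\x01\x7e\x05\x06\xe8\xe6\xdb\xd7"
      "\xe8\x31\x04\xdd\x0d\x3c\x7c\x90\xbd\x3c\xf0\x70\xd5\xc3\x7f\x74\x75\x5c"
      "\x2c\x0f\xac\x82\x3e\x4c\x83\xd7\x8b\xfe\xbb\x64\xdb\xeb\x16\xb2\x9f\x92"
      "\x45\x71\x92\x3d\x3b\xff\xa8\x0a\x42\x3c\xce\xaf\xa2\x43\x86\x11\x08\x97"
      "\xe1\x47\xb7\xb8\x78\xdf\x1b\xa7\xd8\x87\xd0\x2e\x48\xab\xda\xaa\xa2\xde"
      "\xd6\xd4\x21\xa9\x7c\x3b\x5a\x00\xcc\x01\x4b\x01\x71\xe5\x35\x69\x9e\x9b"
      "\xe0\x7d\x62\x46\xde\x8d\xe2\xc5\x7b\xc1\xda\x71\x94\x2d\xf9\x87\xae\x3e"
      "\xec\x9e\x1f\x4b\xd5\xc8\xbe\x85\xb1\x9f\xcd\x90\x46\x09\x9c\x2c\x24\x60"
      "\x3e\xce\x05\xcf\xd0\xbc\x45\x45\xd9\xc6\x9b\xfc\xdb\x84\xcd\x2d\x8c\x33"
      "\x4e\x24\x0c\xd2\x64\xb4\xfb\x4f\x79\x13\x06\x3f\xb8\xf8\x0b\xb3\xc1\xbe"
      "\xc6\x38\xd8\x30\x04\x79\xf9\xde\x30\xcf\xab\x01\x4c\x23\x7d\xce\x13\x48"
      "\x53\x52\x06\xf7\xb0\x60\xbc\x32\x0a\xa9\x92\x68\x39\x2d\x8b\x8b\x95\xfb"
      "\xfb\xec\x94\xcc\xf3\xfd\x7f\x85\xc1\xab\x56\x01\x85\xcb\xe9\xe3\x4b\xe1"
      "\xdc\x42\xcb\x20\xf1\x77\x85\xd2\x3d\x20\x1e\xe7\x3f\x3d\x6b\xd0\xa2\xf3"
      "\x22\x5d\x68\x4e\x34\x5d\xa1\x68\xfb\x46\x85\xcf\xd2\xc8\xa5\xf9\x35\xe0"
      "\x1b\xe6\x43\x71\xb4\x00\x3c\x68\x9e\xbc\x54\x03\xa4\xe8\x75\x10\xff\x60"
      "\xd1\x4b\x31\x9a\x0a\x31\xc1\x22\x46\xb5\x5d\x19\xd7\x88\x23\xf4\x37\x72"
      "\xce\xcd\x4a\xa4\xf2\x47\xde\x6c\x40\x4b\x93\x1b\x19\x8f\xa3\xf9\x7d\x66"
      "\xe5\x45\xdc\x74\x6b\x1d\xf5\xfc\xef\x67\x35\xfc\x6f\xa0\xfb\x09\x68\xd2"
      "\x79\x6a\x17\xa6\x47\x48\x60\x6a\xfd\x7e\x8c\x4c\xe0\x1a\x77\x43\x31\x3c"
      "\xd1\xcd\x3a\x7e\x52\x64\x9a\xda\xbc\xb2\x77\x81\xd7\x0b\x36\x93\xdd\xb6"
      "\xb2\xe4\x03\x7a\x9e\x74\xde\xa8\xb4\x30\x91\x1e\x24\xe5\x8f\xe7\x99\x96"
      "\x2b\xac\xd3\x87\x70\xf7\x9c\xe5\x33\xdc\x9f\x28\xa8\xdc\x1b\xa1\x2d\x05"
      "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xbc\x6b\x3c\xe8\xf5\xce"
      "\xdf\xaa\xe8\x2e\x3d\xff\xf6\xe4\x9e\x2c\x5c\xf2\x53\xbd\x42\x36\xbf\xd1"
      "\xd4\xfd\xeb\xd3\x6f\x54\x15\xec\x99\xa7\x44\x47\xcb\x66\xa4\xef\xf7\x99"
      "\xf2\xc8\x4b\x93\xed\x70\xa8\xf7\xa2\x1f\x39\xc9\x6c\x8a\xec\x13\xd1\x67"
      "\x9b\xc5\xb5\xa9\x9f\x34\x0b\x81\xc5\x68\x4b\xce\x12\xc0\x76\x9b\x77\x4e"
      "\x35\x5f\x2c\x44\xb0\x43\xb2\x2f\xe3\x9a\x7f\x00\x05\x25\x3b\x9b\x66\x4c"
      "\x8a\x0f\x9c\x9b\x31\xea\x2b\x47\xa2\xeb\xdc\xd8\xaf\x3d\xa0\x0f\xf9\xc4"
      "\x51\x68\xb2\x5b\xac\x84\xef\xc5\xa7\x98\x42\x57\xa2\x24\x15\x36\xb2\xd3"
      "\x88\x48\x0c\x0b\xe2\x7b\x55\xb5\x03\xb2\xb9\x87\xb9\x4b\x03\x05\xd6\x38"
      "\xd8\xd8\x83\x28\x4f\xf9\x93\xb0\x4c\xd0\xc0\x10\x2c\x27\x69\xe3\xd8\x83"
      "\x90\xb8\x13\x8d\xc2\xf4\xd5\x52\xfd\x6b\x26\x3b\x4b\xde\xe8\x15\x99\x43"
      "\xad\x51\xf0\x80\x2f\x62\x15\xaf\x90\x38\xff\x59\x66\x26\x32\xa0\x79\xbc"
      "\xd4\x5a\x54\xcd\xa9\xe8\x00\x16\xa9\xb9\xab\x9c\xa5\xb1\x49\x6a\xc5\xe9"
      "\x00\x12\x92\xf4\x56\xbb\x48\x5a\x48\xb7\x29\x1a\x2d\x75\xce\x48\x37\x0c"
      "\x70\x8b\x0d\xe2\x0a\x4b\x50\xd3\x82\xdc\xc2\xb6\x12\xf5\xd2\xe0\x5f\x5a"
      "\x08\x7a\x40\xbc\x56\x83\xb1\x98\x3d\x4d\x27\x5c\x56\xaf\x5d\x7c\xe8\x80"
      "\x21\x23\x3d\x95\x94\x16\x84\xe4\x55\x25\x46\x3c\x59\xc3\x1e\x47\x32\xaa"
      "\x03\x31\x60\x4c\x6f\xa3\x7c\x90\xe0\xf5\x97\x35\xbb\x44\x45\x88\x2d\x93"
      "\xbe\x36\xab\x75\xe1\x90\x5f\x7e\x9d\xa0\xe6\xa7\x3f\xc4\x23\x97\x2c\x7c"
      "\x11\x0b\x50\x7f\x9e\x78\xdc\x84\x24\x12\x56\x3a\x85\xde\x05\x91\xe0\xba"
      "\x2d\xa5\x66\x71\x5b\x6e\xa0\x0c\x2a\xfc\x19\xc2\x00\x51\x78\x84\xee\xe5"
      "\x27\xde\xa9\x12\x0d\xc7\x98\xf4\x28\xb2\x14\xf2\x12\xcb\xf3\xaa\x58\x4b"
      "\xf5\xcb\xc9\x5a\x4a\x51\xb2\x81\x90\x87\x9f\xaa\xa2\xff\xf7\x11\xcf\xfb"
      "\x4c\xba\xa6\x17\xa6\xfe\xa6\x63\x68\xfa\x97\xd9\xb0\x04\xa8\xaa\xbd\xb4"
      "\x2c\xfd\xdf\xb5\xb5\xdf\xf8\x20\x98\x37\x02\xac\x2d\xf2\x2d\xb3\xb1\x9a"
      "\x11\x27\x13\x1d\x1c\x55\x14\x6e\x6f\xe8\x35\x46\x00\x56\x06\xc8\xca\xb8"
      "\xd9\x04\x88\xbf\x95\x97\x86\x33\xee\xcb\xd4\x29\x88\x31\x66\xfe\xb6\x5d"
      "\x4d\x96\x68\x9a\x5e\xe4\x56\xcc\x13\xb3\x75\x1f\x04\x4c\xec\xdb\xde\xbc"
      "\x64\xa2\x46\x1a\xee\x63\xf2\x63\xbf\x43\x08\x57\x00\x00\x00\x00\x00\x00"
      "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
      "\x1a\x04\xf6\xe6\xe2\xb2\x38\x4e\x91\x2d\x2e\x56\x00\xc2\x99\x7c\x04\xdc"
      "\x2d\x52\x80\x08\x51\x5a\xa0\xc7\xdd\x60\xf8\x32\x1f\xff\x1a\x25\xd3\x94"
      "\xe1\x35\x33\x85\xa2\x05\x45\xec\xbe\x8a\x5d\xbc\x92\x37\x2a\xcf\x15\x0b"
      "\x49\x12\x23\xf5\x3d\xfa\x44\x4d\xc1\x76\xcb\xad\x99\xb2\x4a\x5b\x51\x48"
      "\x6b\x1b\xb7\xee\x41\x56\x18\xd5\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
      "\x00\x00\x00\x00\x2a\x61\xfb\xa0\x62\xd6\xd1\x6b\x9d\x3d\x5a\x1b\x26\x41"
      "\x94\x06\x75\xa8\x4a\x53\xb1\x00\x00\xa9\xb8\xb2\xb6\x44\xc6\xaa\x17\xaa"
      "\x0e\x47\x94\x4a\xb7\xe9\x4f\x94\x81\xc6\x03\xc1\xe2\x63\x9b\xc8\x4a\x92"
      "\xb1\xc9\x32\x68\xa6\x79\x5a\xb0\x9c\xee\x16\xca\x0c\x79\x59\xe3\x8f\x74"
      "\xcb\xe0\xe4\x02\x77\x47\x85\x40\x27\xab\x45\xb2\x29\x5d\x9c\xd4\xa6\x12"
      "\x8b\x35\x00\xc2\x38\xa1\xd2\x20\xf0\x32\x0e\xdc\xcf\x8f\xc8\x13\x57\xd2"
      "\xf1\x03\xf9\x15\xe4\x19\x91\x75\xe7\x67\x97\x8d\x99\xac\x07\x90\x7e\x4b"
      "\xea\xf9\xfc\xac\x62\xea\x39\xcc\x15\x9f\x81\xb5\xff\x8a\x2e\xb7\x16\x17"
      "\x76\xae\xd9\x69\x26\xef\x4f\xd7\xed\x19\x16\xa4\x02\xeb\xdb\x2b\x1f\xbd"
      "\x88\xc7\x4f\x94\x4d\xba\x80\xef\x7d\xf8\xfd\xce\xfb\xb9\xb2\x2a\x48\x92"
      "\xe3\xdd\x99\x01\x7b\x13\x70\xc2\x7e\x37\xd3\xd9\x1d\xff\xba\x5a\x92\x39"
      "\xf2\x8d\x54\xf2\x3c\x2b\x8f\xdb\xd0\xc8\x55\xdf\xc6\xab\xe4\x15\xdc\x57"
      "\x67",
      1855);
  /* license: "syzkaller" -- not a GPL-compatible string, so GPL-only helpers
   * would presumably be refused for this program. */
  *(uint64_t*)0x20000210 = 0x20000340;
  memcpy((void*)0x20000340, "syzkaller\000", 10);
  *(uint32_t*)0x20000218 = 0; /* log_level */
  *(uint32_t*)0x2000021c = 0; /* log_size */
  *(uint64_t*)0x20000220 = 0; /* log_buf */
  *(uint32_t*)0x20000228 = 0; /* kern_version */
  *(uint32_t*)0x2000022c = 0; /* prog_flags */
  *(uint8_t*)0x20000230 = 0;  /* prog_name[16], all zero */
  *(uint8_t*)0x20000231 = 0;
  *(uint8_t*)0x20000232 = 0;
  *(uint8_t*)0x20000233 = 0;
  *(uint8_t*)0x20000234 = 0;
  *(uint8_t*)0x20000235 = 0;
  *(uint8_t*)0x20000236 = 0;
  *(uint8_t*)0x20000237 = 0;
  *(uint8_t*)0x20000238 = 0;
  *(uint8_t*)0x20000239 = 0;
  *(uint8_t*)0x2000023a = 0;
  *(uint8_t*)0x2000023b = 0;
  *(uint8_t*)0x2000023c = 0;
  *(uint8_t*)0x2000023d = 0;
  *(uint8_t*)0x2000023e = 0;
  *(uint8_t*)0x2000023f = 0;
  *(uint32_t*)0x20000240 = 0; /* prog_ifindex */
  *(uint32_t*)0x20000244 = 0; /* expected_attach_type */
  /*
   * Everything from 0x20000248 onwards lies past the 0x48-byte size passed
   * to bpf(2) below (0x20000200 + 0x48 == 0x20000248), so the kernel never
   * reads these stores for this call; they are kept for fidelity with the
   * generated reproducer.
   */
  *(uint32_t*)0x20000248 = -1;
  *(uint32_t*)0x2000024c = 8;
  *(uint64_t*)0x20000250 = 0x20000000;
  *(uint32_t*)0x20000000 = 0;
  *(uint32_t*)0x20000004 = 0;
  *(uint32_t*)0x20000258 = 0;
  *(uint32_t*)0x2000025c = 0x10;
  *(uint64_t*)0x20000260 = 0x20000000;
  *(uint32_t*)0x20000000 = 0;
  *(uint32_t*)0x20000004 = 0;
  *(uint32_t*)0x20000008 = 0;
  *(uint32_t*)0x2000000c = 0;
  *(uint32_t*)0x20000268 = 0;
  *(uint32_t*)0x2000026c = 0;
  *(uint32_t*)0x20000270 = -1;
  res = syscall(__NR_bpf, 5ul, 0x20000200ul, 0x48ul);
  if (res != -1)
    r[0] = res;

  /* --- 2. bpf(cmd=0xa [BPF_PROG_TEST_RUN], attr=0x20000080, size=0x28) --- */
  *(uint32_t*)0x20000080 = r[0];        /* test.prog_fd (-1 if the load failed) */
  *(uint32_t*)0x20000084 = 0x2a0;       /* test.retval (output field, preset) */
  *(uint32_t*)0x20000088 = 0xe;         /* test.data_size_in = 14 */
  *(uint32_t*)0x2000008c = 0xd;         /* test.data_size_out = 13 */
  *(uint64_t*)0x20000090 = 0x20000500;  /* test.data_in */
  /* 66 bytes are copied but data_size_in only declares 14 of them. */
  memcpy((void*)0x20000500,
         "\xb9\xff\x03\x00\x60\x0d\x69\x8c\xb8\x9e\x14\xf0\x05\x05\x1f\xff\xff"
         "\xff\x00\x00\x40\x00\x63\x2f\x77\xfb\x05\x14\x14\x0e\xe9\x34\xa0\xa6"
         "\x62\x07\x9f\x4b\x4d\x2f\x87\xe5\xfe\xca\x6a\xab\x84\x50\x13\xf2\x32"
         "\x5f\x1a\x39\x01\x01\x08\x03\x8d\xa1\x92\x44\x25\x18\x1a\xa5",
         66);
  *(uint64_t*)0x20000098 = 0;           /* test.data_out = NULL */
  *(uint32_t*)0x200000a0 = 0x100;       /* test.repeat = 256 */
  *(uint32_t*)0x200000a4 = 0x60000000;  /* test.duration (output field, preset) */
  /* 0x200000a8.. is past the 0x28-byte size passed below: dead for this call. */
  *(uint32_t*)0x200000a8 = 0xb20c;
  *(uint32_t*)0x200000ac = 0xfffffe09;
  *(uint64_t*)0x200000b0 = 0x20000000;
  *(uint64_t*)0x200000b8 = 0x20000000;
  syscall(__NR_bpf, 0xaul, 0x20000080ul, 0x28ul);

  /* --- 3. socket(0x10 [AF_NETLINK], 3 [SOCK_RAW], 0 [NETLINK_ROUTE]) --- */
  res = syscall(__NR_socket, 0x10ul, 3ul, 0);
  if (res != -1)
    r[1] = res;

  /* --- 4. bpf(cmd=5 [BPF_PROG_LOAD], attr=0x20000180, size=0x70) --- */
  *(uint32_t*)0x20000180 = 6;          /* prog_type 6 [BPF_PROG_TYPE_XDP] */
  *(uint32_t*)0x20000184 = 4;          /* insn_cnt = 4 (ld_imm64 counts as 2) */
  *(uint64_t*)0x20000188 = 0x20000200; /* insns -- reuses the first attr's memory */
  /* insn 0/1: opcode 0x18 [BPF_LD|BPF_DW|BPF_IMM], dst=r2, src=0, imm64=0 */
  *(uint8_t*)0x20000200 = 0x18;
  STORE_BY_BITMASK(uint8_t, , 0x20000201, 2, 0, 4); /* dst_reg = 2 */
  STORE_BY_BITMASK(uint8_t, , 0x20000201, 0, 4, 4); /* src_reg = 0 */
  *(uint16_t*)0x20000202 = 0;
  *(uint32_t*)0x20000204 = 0;
  *(uint8_t*)0x20000208 = 0;
  *(uint8_t*)0x20000209 = 0;
  *(uint16_t*)0x2000020a = 0;
  *(uint32_t*)0x2000020c = 0;
  /* insn 2: opcode 0x85 [BPF_JMP|BPF_CALL], imm = 0x2c (helper 44) */
  *(uint8_t*)0x20000210 = 0x85;
  *(uint8_t*)0x20000211 = 0;
  *(uint16_t*)0x20000212 = 0;
  *(uint32_t*)0x20000214 = 0x2c;
  /* insn 3: opcode 0x95 [BPF_JMP|BPF_EXIT] */
  *(uint8_t*)0x20000218 = 0x95;
  *(uint8_t*)0x20000219 = 0;
  *(uint16_t*)0x2000021a = 0;
  *(uint32_t*)0x2000021c = 0;
  *(uint64_t*)0x20000190 = 0x200000c0; /* license = "GPL" */
  memcpy((void*)0x200000c0, "GPL\000", 4);
  *(uint32_t*)0x20000198 = 4;          /* log_level */
  *(uint32_t*)0x2000019c = 0x1000;     /* log_size */
  *(uint64_t*)0x200001a0 = 0x2062b000; /* log_buf, inside the 16 MiB scratch map */
  *(uint32_t*)0x200001a8 = 0;          /* kern_version */
  *(uint32_t*)0x200001ac = 0;          /* prog_flags */
  *(uint8_t*)0x200001b0 = 0;           /* prog_name[16], all zero */
  *(uint8_t*)0x200001b1 = 0;
  *(uint8_t*)0x200001b2 = 0;
  *(uint8_t*)0x200001b3 = 0;
  *(uint8_t*)0x200001b4 = 0;
  *(uint8_t*)0x200001b5 = 0;
  *(uint8_t*)0x200001b6 = 0;
  *(uint8_t*)0x200001b7 = 0;
  *(uint8_t*)0x200001b8 = 0;
  *(uint8_t*)0x200001b9 = 0;
  *(uint8_t*)0x200001ba = 0;
  *(uint8_t*)0x200001bb = 0;
  *(uint8_t*)0x200001bc = 0;
  *(uint8_t*)0x200001bd = 0;
  *(uint8_t*)0x200001be = 0;
  *(uint8_t*)0x200001bf = 0;
  *(uint32_t*)0x200001c0 = 0;          /* prog_ifindex */
  *(uint32_t*)0x200001c4 = 0;          /* expected_attach_type */
  *(uint32_t*)0x200001c8 = -1;         /* prog_btf_fd */
  *(uint32_t*)0x200001cc = 8;          /* func_info_rec_size */
  *(uint64_t*)0x200001d0 = 0;          /* func_info */
  *(uint32_t*)0x200001d8 = 0;          /* func_info_cnt */
  *(uint32_t*)0x200001dc = 0x10;       /* line_info_rec_size */
  *(uint64_t*)0x200001e0 = 0;          /* line_info */
  *(uint32_t*)0x200001e8 = 0;          /* line_info_cnt */
  *(uint32_t*)0x200001ec = 0;          /* attach_btf_id */
  *(uint32_t*)0x200001f0 = -1;         /* past the 0x70-byte size: dead store */
  res = syscall(__NR_bpf, 5ul, 0x20000180ul, 0x70ul);
  if (res != -1)
    r[2] = res;

  /* --- 5. sendmsg(r[1], msghdr@0x20000140, 0) --- */
  *(uint64_t*)0x20000140 = 0;          /* msg_name */
  *(uint32_t*)0x20000148 = 0;          /* msg_namelen */
  *(uint64_t*)0x20000150 = 0x20000080; /* msg_iov */
  *(uint64_t*)0x20000080 = 0x20000000; /* iov[0].iov_base */
  /* nlmsghdr */
  *(uint32_t*)0x20000000 = 0x34;       /* nlmsg_len = 52 */
  *(uint16_t*)0x20000004 = 0x10;       /* nlmsg_type 0x10 [RTM_NEWLINK] */
  *(uint16_t*)0x20000006 = 0x801;      /* nlmsg_flags [NLM_F_REQUEST|NLM_F_APPEND] */
  *(uint32_t*)0x20000008 = 0;          /* nlmsg_seq */
  *(uint32_t*)0x2000000c = 0;          /* nlmsg_pid */
  /* ifinfomsg: family 0, type 0, ifindex 0, flags 0, change 0 */
  *(uint8_t*)0x20000010 = 0;
  *(uint8_t*)0x20000011 = 0;
  *(uint16_t*)0x20000012 = 0;
  *(uint32_t*)0x20000014 = 0;
  *(uint32_t*)0x20000018 = 0;
  *(uint32_t*)0x2000001c = 0;
  /* nlattr: len 0xc, type 0x2b [IFLA_XDP] with bit 15 [NLA_F_NESTED] set.
   * The two uint16_t stores at the odd address 0x20000023 set bits 6/7 of
   * that byte, i.e. bits 14/15 of the little-endian nla_type at 0x22. */
  *(uint16_t*)0x20000020 = 0xc;
  STORE_BY_BITMASK(uint16_t, , 0x20000022, 0x2b, 0, 14);
  STORE_BY_BITMASK(uint16_t, , 0x20000023, 0, 6, 1);
  STORE_BY_BITMASK(uint16_t, , 0x20000023, 1, 7, 1);
  /* nested nlattr: len 8, type 1 [IFLA_XDP_FD], value = second program's fd */
  *(uint16_t*)0x20000024 = 8;
  *(uint16_t*)0x20000026 = 1;
  *(uint32_t*)0x20000028 = r[2];
  /* nlattr: len 8, type 0x1b [IFLA_GROUP], value 0. With ifindex 0 this
   * presumably makes the kernel apply the change to every interface in
   * group 0 -- i.e. one message attaches the XDP program everywhere. */
  *(uint16_t*)0x2000002c = 8;
  *(uint16_t*)0x2000002e = 0x1b;
  *(uint32_t*)0x20000030 = 0;
  *(uint64_t*)0x20000088 = 0x34;       /* iov[0].iov_len */
  *(uint64_t*)0x20000158 = 1;          /* msg_iovlen */
  *(uint64_t*)0x20000160 = 0;          /* msg_control */
  *(uint64_t*)0x20000168 = 0;          /* msg_controllen */
  *(uint32_t*)0x20000170 = 0;          /* msg_flags */
  syscall(__NR_sendmsg, r[1], 0x20000140ul, 0ul);
}

/*
 * Entry point. Creates the fixed scratch area that execute_one() pokes into:
 * a 16 MiB RWX mapping at 0x20000000 (prot 7) flanked by two inaccessible
 * guard pages (prot 0) at 0x1ffff000 and 0x21000000. Flags 0x32 are, on
 * x86-64 Linux, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS -- confirm for other
 * targets. mmap failures are not checked; a failed fixed mapping would make
 * the raw stores in execute_one() fault. Then runs loop(), which never
 * returns, so the `return 0` is unreachable in practice.
 */
int main(void)
{
  syscall(__NR_mmap, 0x1ffff000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul);
  syscall(__NR_mmap, 0x20000000ul, 0x1000000ul, 7ul, 0x32ul, -1, 0ul);
  syscall(__NR_mmap, 0x21000000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul);
  loop();
  return 0;
}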