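// https://syzkaller.appspot.com/bug?id=371873989564922b25b65a0c8bebb3e702ebe24a
// autogenerated by syzkaller (https://github.com/google/syzkaller)
//
// Review notes (added; the generated code itself is left token-for-token as
// syzkaller emitted it, only re-indented and commented):
//  - The listing this was recovered from had the targets of all 18 #include
//    directives stripped. They are restored below from the symbols the file
//    uses (opendir/readdir, errno, open/O_*, kill/SIGKILL, va_list, bool,
//    uint*_t, vsnprintf/snprintf, exit, memcpy/strlen, prctl, syscall,
//    waitpid/__WALL, clock_gettime, usleep/fork) and match the standard
//    syzkaller C-reproducer prologue; verify against the original if exactness
//    matters.
//  - Structure: main() maps a fixed scratch region, forks 5 worker processes,
//    and each worker forks a child that runs execute_one() once, killing it
//    after 5 s and forking again, forever. execute_one() is the actual repro:
//    one sendmsg() on an invalid fd, a bpf map create, two bpf program loads
//    and two raw-tracepoint opens, all driven through raw memory at fixed
//    addresses.
//  - Defensive reading: the bpf(2) operations below are privileged (bpf /
//    perfmon capabilities or CAP_SYS_ADMIN), so this is expected to run as
//    root on a test kernel; it is a crash reproducer, not a privilege escalation.
//    Nothing here checks the return values of mmap or the syscalls — if the
//    fixed mapping fails, the raw stores fault.

#define _GNU_SOURCE

#include <dirent.h>
#include <endian.h>
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

// Fallback syscall number for bpf(2) when the libc headers do not define it.
// 321 is the x86_64 value; on other architectures the headers must supply it.
#ifndef __NR_bpf
#define __NR_bpf 321
#endif

// Index (0..4) of the worker process forked from main(). Set by main() before
// each fork; not read anywhere else in this file.
static unsigned long long procid;

// Sleep for ms milliseconds (usleep takes microseconds).
static void sleep_ms(uint64_t ms)
{
  usleep(ms * 1000);
}

// Monotonic clock in milliseconds. Exits the process if the clock is
// unavailable — there is no sensible way to continue the timeout loop without it.
static uint64_t current_time_ms(void)
{
  struct timespec ts;
  if (clock_gettime(CLOCK_MONOTONIC, &ts))
    exit(1);
  return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}

// Mask of bf_len bits starting at bit bf_off.
#define BITMASK(bf_off, bf_len) (((1ull << (bf_len)) - 1) << (bf_off))
// Read-modify-write of a bitfield inside the integer of type `type` stored at
// addr: `htobe` is an endianness conversion applied on load and store (it is
// passed empty everywhere below, so host byte order), the field is cleared and
// val is ORed in. Used to assemble the opcode / dst:src nibbles of BPF
// instructions byte by byte.
#define STORE_BY_BITMASK(type, htobe, addr, val, bf_off, bf_len)       \
  *(type*)(addr) =                                                     \
      htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) |  \
            (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len))))

// Formats `what` (printf-style, at most 1023 bytes) and writes it to `file`
// with a single write(2). Returns false if the file cannot be opened or the
// write is short/failed; errno from the failed write survives the close().
static bool write_file(const char* file, const char* what, ...)
{
  char buf[1024];
  va_list args;
  va_start(args, what);
  vsnprintf(buf, sizeof(buf), what, args);
  va_end(args);
  buf[sizeof(buf) - 1] = 0;
  int len = strlen(buf);
  int fd = open(file, O_WRONLY | O_CLOEXEC);
  if (fd == -1)
    return false;
  if (write(fd, buf, len) != len) {
    int err = errno;
    close(fd);
    errno = err;
    return false;
  }
  close(fd);
  return true;
}

// Kills the test child (its whole process group, then the pid itself) and
// reaps it. Polls waitpid for ~100 ms; if the child still has not been reaped,
// writes to every /sys/fs/fuse/connections/*/abort file (any byte works; the
// path buffer itself is used as the byte source) — presumably so a FUSE
// server left inside the killed group cannot keep the child from exiting —
// then blocks until waitpid returns pid. Note waitpid(-1, ...) reaps whichever
// child exits first, so statuses of other children are consumed and discarded.
static void kill_and_wait(int pid, int* status)
{
  kill(-pid, SIGKILL);
  kill(pid, SIGKILL);
  for (int i = 0; i < 100; i++) {
    if (waitpid(-1, status, WNOHANG | __WALL) == pid)
      return;
    usleep(1000);
  }
  DIR* dir = opendir("/sys/fs/fuse/connections");
  if (dir) {
    for (;;) {
      struct dirent* ent = readdir(dir);
      if (!ent)
        break;
      if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
        continue;
      char abort[300];
      snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort", ent->d_name);
      int fd = open(abort, O_WRONLY);
      if (fd == -1) {
        continue;
      }
      // Best-effort: a failed abort write is deliberately ignored.
      if (write(fd, abort, 1) < 0) {
      }
      close(fd);
    }
    closedir(dir);
  } else {
  }
  while (waitpid(-1, status, __WALL) != pid) {
  }
}

// Runs in the forked test child before execute_one():
//  - PR_SET_PDEATHSIG: the child is SIGKILLed if its parent (the worker) dies;
//  - setpgrp(): own process group, so kill(-pid) in kill_and_wait() reaches
//    anything the child forks;
//  - oom_score_adj=1000: the OOM killer prefers this child over the harness.
// The write_file() result is ignored (best-effort).
static void setup_test()
{
  prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
  setpgrp();
  write_file("/proc/self/oom_score_adj", "1000");
}

static void execute_one(void);
#define WAIT_FLAGS __WALL

// Worker body: forever, fork a child that runs execute_one() once, wait for it
// with a 5000 ms timeout, and kill it via kill_and_wait() if it overruns.
// Never returns. `iter` is counted but never read (generator artifact).
static void loop(void)
{
  int iter = 0;
  for (;; iter++) {
    int pid = fork();
    if (pid < 0)
      exit(1);
    if (pid == 0) {
      setup_test();
      execute_one();
      exit(0);
    }
    int status = 0;
    uint64_t start = current_time_ms();
    for (;;) {
      if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
        break;
      sleep_ms(1);
      if (current_time_ms() - start < 5000)
        continue;
      kill_and_wait(pid, &status);
      break;
    }
  }
}

// Resources created by execute_one(): r[0] = bpf map fd, r[1] = bpf program fd.
// All-ones means "not created"; later steps pass that value through unchanged.
uint64_t r[2] = {0xffffffffffffffff, 0xffffffffffffffff};

// The reproducer proper. All syscall arguments live in the fixed scratch
// region mapped by main() (0x20000000..0x21000000); the same scratch buffers
// are reused between steps (e.g. 0x200009c0 holds the sendmsg payload and is
// then overwritten with the map-create attr). Field names in the comments
// follow the struct msghdr / union bpf_attr layouts as known from the Linux
// UAPI; offsets match those layouts on x86_64.
void execute_one(void)
{
  intptr_t res = 0;
  // Step 1: sendmsg(-1, msg, 0) with one 2643-byte iovec. The fd is invalid,
  // so this is expected to fail (EBADF); the payload is opaque fuzzer data.
  *(uint64_t*)0x20000800 = 0;           // msg_name
  *(uint32_t*)0x20000808 = 0;           // msg_namelen
  *(uint64_t*)0x20000810 = 0x20000700;  // msg_iov
  *(uint64_t*)0x20000700 = 0x200009c0;  // iov[0].iov_base
  memcpy(
      (void*)0x200009c0,
      "\xec\x66\x31\x89\xd3\x34\x8b\xf1\x3f\x87\x2a\x46\x83\x52\xb7\x24\x82\xb5"
      "\xb2\xb3\x64\xa2\x9c\x6f\x0f\x2c\x4e\x74\x1b\xf6\x45\x7d\x14\x18\x45\x5e"
      "\x15\x72\x53\x23\x16\x81\xa3\x88\x9f\x39\xb3\xda\x6b\x60\xdb\xe4\x04\xcb"
      "\x9a\x14\x5d\x0d\x49\xcf\xd1\x66\x8a\x32\xb9\x6f\xf3\x02\x97\x57\x48\x99"
      "\x3a\x8a\x53\x41\x44\xd2\x11\xc6\x81\xff\x3d\x91\xff\xa4\x36\xd4\x0b\x9a"
      "\xfe\x64\x8e\xc8\xbd\xe2\xf7\x55\x3f\xb5\xd3\xf3\xb8\x42\x38\x73\x90\x3a"
      "\xbd\x02\x42\x84\xbf\xd0\x15\x11\xc1\x49\xb6\x10\x18\x51\xf7\xaa\xe4\x67"
      "\x5d\xf7\x6e\x7d\x32\xd7\xb9\x16\x59\xe4\xad\xcc\x14\xdd\xff\xf8\xa2\xb4"
      "\x9d\x13\x93\xde\x72\xb9\xd9\x70\xee\x7f\x45\xa7\x55\xc1\xd9\xf7\xb4\xd4"
      "\x3e\x37\xe1\x7d\x6e\xaf\xf5\xfe\x35\x2d\x50\x7e\xb0\x42\x4a\xb9\x37\x98"
      "\x0a\xe8\xfa\xe8\xa9\x06\x2b\x65\x1a\x53\xb6\x54\x37\x33\xe2\x59\xee\x30"
      "\x83\xa3\x08\xa7\x8a\xc5\x0f\x09\x72\x62\x9b\x74\xe6\xaa\xde\xfe\xdf\x23"
      "\x52\xd0\x24\xd8\xf2\x7d\x4b\xc8\x70\x34\x93\xb0\x8b\xbe\x75\xe3\x4e\xe5"
      "\x79\x6d\x0d\x27\x5c\xae\x3d\x3c\x0e\xba\x17\x9e\x14\x5f\xee\xe0\xc8\xac"
      "\xc9\x8a\xf7\x88\x8a\x37\x4d\xbe\x70\x5e\x05\x8f\xc5\x65\xe4\x06\x77\x89"
      "\x0a\x39\xe6\x99\x9a\xe4\x72\x02\xa9\x23\x78\x03\xe9\xee\xe3\x0f\x36\x87"
      "\x25\xca\x85\x71\xa8\xf6\xa8\xba\x39\x69\x05\xf4\xf0\x23\xa6\x0a\xcb\x64"
      "\x4b\xab\x6b\x0b\x89\x64\xaa\x51\x4c\x37\xf2\x35\x09\xc6\x85\x64\x8d\x6a"
      "\xdb\x0e\x23\x0a\xca\x69\x0c\x91\xe6\x64\xbc\x49\xfa\x30\xae\x42\xa2\xc7"
      "\x1a\xbc\x75\x17\x18\x1d\x41\x57\xef\x99\x66\x28\xb3\x62\x4f\x36\x75\x19"
      "\x97\x03\x66\xac\xca\x85\xd3\x99\xe2\xc7\x70\x39\x30\xe2\xab\xd4\xbd\xba"
      "\xc0\x76\x23\x0a\xd1\x63\x68\xcc\xb3\x50\x35\x7d\x57\x62\x6e\xa4\x7a\x15"
      "\xf0\xfa\x16\xbd\x5e\xfa\x82\x33\xfa\x3e\xa1\x18\x3d\xa7\x30\x20\x4a\x45"
      "\x5a\x67\x3c\x78\x3c\x10\xa2\x64\x11\xc5\xde\x81\x66\x99\xf7\xaf\x34\x01"
      "\xb9\xf3\x85\x92\xa4\xcd\x9f\x3f\x0b\x7d\xe1\x8c\xd6\x9f\x83\x1e\xee\x87"
      "\xa3\xd2\xed\xb6\x4e\xcf\x51\x7d\x20\x1f\x32\xf8\x6b\x80\xfc\xd3\x28\x73"
      "\x30\xf2\x86\x46\x52\x60\x37\x05\x27\xe6\x11\x6d\xf0\x65\x10\x01\x40\x55"
      "\x63\x62\x2e\x14\xaf\x71\x5f\x6c\x3d\xd1\x0e\x19\x86\xe3\xb9\x5e\xbf\x61"
      "\x8f\xf4\x2b\xdd\x7a\x74\xf0\xd0\xcc\x2c\xc8\xda\xb1\x04\x8e\xb5\xfd\xbf"
      "\xb7\x2c\xb1\x6f\x9e\x2a\x19\x6b\x51\x27\x20\xcb\xfb\xb4\x69\x6f\x29\x12"
      "\x00\xa1\x53\xc3\x83\xcc\x44\x10\x91\xc6\x26\x49\xa8\x8e\xf1\x73\xa4\x2e"
      "\xce\xd9\x3a\x37\x4e\x4f\x0a\x07\x82\x44\xe5\x6c\x14\xb3\xc4\xcc\x96\x25"
      "\xb3\xe9\xe1\x85\x38\x39\xec\xb0\x0d\x6c\xfc\x2d\x23\x98\x63\x49\x35\xae"
      "\xdd\x9a\x54\x5e\x4b\x13\x89\x5a\x3b\x8b\x05\xc8\xfc\xa9\xaf\x2b\xba\x82"
      "\x76\x2d\xb8\x5a\x44\x9f\x5d\x9c\x6f\xf8\x7b\x72\x4f\x19\xdc\x18\x05\xec"
      "\xa5\x84\x45\xe6\x77\x82\xa3\x0f\x03\xe7\xb1\x27\x26\x85\xab\x83\x06\xc2"
      "\x55\x60\x43\x60\xb0\xd6\xe5\x3c\xc4\x43\xb0\xb8\x1b\xcf\x92\xb4\x70\xb8"
      "\x73\x4b\x7b\x7b\x2c\xcf\x2d\x51\xfc\x1a\x8b\x43\xd8\xdb\xa2\x90\xe8\x75"
      "\xf3\x5b\x0b\xdb\x66\x79\x0a\x3b\xb4\xd8\x39\x1c\x5f\xdd\xe5\xf4\x61\xb5"
      "\x92\x2c\x56\xf8\xa8\x58\x86\x5c\x0f\xd8\xb3\x9c\xb7\x9e\x8e\x18\x23\x42"
      "\xef\x03\x98\x64\x1c\xa3\xc7\x66\x20\x48\x27\x05\x87\x8f\xf0\xd9\xfe\x2e"
      "\xaa\xe1\x8a\x8a\xd7\x33\x13\x66\x3e\x36\xfe\xca\x9b\xae\x81\x83\x44\x82"
      "\xbb\x19\xc6\x51\xe2\x73\xbc\x04\x33\x39\x63\xf2\xa6\x4d\x51\x67\x61\x28"
      "\x0d\xb4\x5f\xc4\x21\x7b\x5c\x2a\xb7\x3a\x8a\x04\xc5\xd2\xc2\xac\xed\x37"
      "\xbb\x28\x25\xd1\x7f\x68\xc4\xd6\x5d\xfc\xc5\x40\x57\xa4\x6f\x04\x5b\xf4"
      "\x35\x39\x1b\x73\x04\xee\x37\x69\x77\x22\x0e\x71\xe9\x79\x19\xcd\x67\xe3"
      "\xf0\xf0\xf6\x3e\x0d\xce\xe8\xd9\x0d\x80\xea\xd1\x2a\x5e\xda\x22\xdb\x21"
      "\x7b\xd3\x62\xc1\xa4\xf9\x24\x4c\x99\xda\x91\xd6\x18\xc6\xb7\x1b\x21\xed"
      "\x80\x82\x6d\x4d\xf9\x5a\xee\x10\x78\x6e\x61\xb3\x14\x10\x02\xe3\x42\x49"
      "\x0f\x2d\x84\x20\x51\x30\x5d\x2e\x8d\x41\xac\xa5\x80\xa1\x3c\xd4\x8a\x85"
      "\x0e\xad\xa7\xdf\xee\x4b\xda\x67\xa5\x49\x1a\xcf\x4c\xfd\xd3\x91\x91\x35"
      "\xe7\xb1\x13\xa1\x97\x35\x95\xb9\x9d\x6b\xa1\x52\xae\x8c\xc6\x3f\xd9\x5c"
      "\x1d\x7d\x4a\x59\xb0\x38\xc4\x26\xff\xdb\x94\x9f\xe1\xa6\x00\x4d\xf2\xbb"
      "\xae\x2a\xcc\xe3\xf5\x72\x04\x19\xdc\x59\x72\x29\xf2\xd1\x20\xc6\x89\xb0"
      "\x7a\x34\x4e\x75\xf4\xc6\x31\xd8\x3b\x31\x30\xcc\x92\x74\x12\xda\xa9\x60"
      "\x7c\x8c\x0f\xa2\x54\xcd\xe2\x73\x06\x36\x0a\x9a\x5d\x18\xff\x9d\x4d\x4e"
      "\xd3\x81\x62\xa5\x20\x2b\xa2\x14\xdb\x44\x86\x88\x7b\x58\x31\xd7\x27\xbd"
      "\x93\xe6\xe7\xcd\xdf\xa4\xd3\x48\x0c\xb3\xb4\x68\x3b\x1d\xe5\x2b\xdf\xf5"
      "\x34\x01\x67\x19\x32\x40\x51\xf8\x1b\xdf\x49\xa5\xc1\x2d\xd7\xb3\x89\x10"
      "\x7b\x3e\xb5\xdc\x48\x58\xca\xeb\xe8\xc0\xa9\x86\x6f\xf6\x32\xde\xeb\xc1"
      "\x64\x92\xf9\x5d\x20\x2c\xe0\xf4\x54\x47\x6a\xb7\x78\x71\xd3\x18\x8e\xc8"
      "\x3f\xc7\x4f\x2e\xc1\x05\x58\x93\xb2\xa1\x38\xcc\xe2\x7a\xc5\x55\x3c\x54"
      "\x96\xcb\xf1\x47\x00\x2a\x9c\x55\xfd\xb2\x02\x96\x9a\x48\x02\xca\x35\x56"
      "\x45\x3a\x58\xd2\xaa\x8e\x19\xf4\x0e\x57\x7f\xa2\x80\x62\x54\x68\xd3\x85"
      "\xaf\x86\x59\xa0\xf3\xab\x69\xfa\xbf\x4f\xa1\x32\x6f\x7a\x7e\xba\xd9\x8a"
      "\x23\x95\x8c\x91\xf2\x8c\x4b\x03\xff\x9f\x34\x3b\x6e\xcd\xb8\x2e\x82\x0b"
      "\xcb\x7d\xe6\xf5\x1d\x0f\xcf\xbb\xce\xf9\x02\xd2\x1a\x7e\xed\x03\xea\x12"
      "\x53\x63\xb7\x58\x08\x50\x22\xad\xe2\x74\x51\xba\x5e\x0a\xcd\x9a\x00\x44"
      "\xec\x50\x57\x1d\x23\x48\x55\x44\x8b\xe1\x32\xe1\x45\x17\xae\x38\xb7\x98"
      "\x48\x2c\xc0\x7e\x1c\x00\x9c\x1a\x4c\xdd\x5c\x42\xf3\x86\x2d\xd6\xd4\xc3"
      "\xb1\x8f\x9c\x41\xd0\xbf\x5b\x70\x9d\x74\x28\x77\xef\x7e\xe6\xd9\x93\x2c"
      "\x6d\x7a\x9f\xd0\x9b\xed\xe9\xf8\x06\x45\xa5\xc4\xb9\x7a\xe4\x87\x34\x98"
      "\x51\x31\xf9\x48\xbf\x20\xe9\x3f\x82\xb9\x3d\x6e\x69\x47\x94\x91\x15\x8d"
      "\x83\x65\x52\x44\xd9\x1b\xb5\xe9\xdf\xdf\x10\x3e\x22\x38\xa9\x5a\x92\xf3"
      "\x57\x50\x76\x9b\x87\xdc\xe1\xd0\xe8\xba\xc4\xe6\xee\x54\x67\xf9\x80\x0a"
      "\x12\xfe\x27\xa2\xc8\xf7\x27\xbb\xda\x61\x78\x99\xca\x26\xd1\x3e\xc3\xb6"
      "\x8b\x4a\xcd\x72\x00\xb3\x20\x68\x52\xaa\xfb\x13\xc9\x46\x81\x41\x3e\xe7"
      "\xd0\x98\x7f\x4d\x06\x7b\x4b\xc5\xfc\x5e\x01\xeb\xe9\xbd\xbf\xc0\x19\x82"
      "\x32\xf9\x2d\xa3\x37\x1d\x12\x02\x33\x88\xf8\x6a\x4b\xb4\xdb\x9b\xd5\x59"
      "\x57\x0a\xef\x27\xa9\x68\x12\xdd\x25\x83\xc7\x27\x32\x92\x22\x66\xb9\x8c"
      "\x89\xc2\x64\x31\x15\x77\x62\x1c\xeb\x26\x25\xda\xc0\xaf\x0f\xd0\x8f\x5c"
      "\x27\xa6\x58\x64\x57\x77\xcb\x36\xd6\x87\xd6\xf0\xe6\x83\x55\x87\xcb\xe6"
      "\x5e\xd9\x22\xcb\xd1\x19\x0b\x1d\x60\x25\x90\x24\xbe\x61\xe7\xe3\x2b\x1e"
      "\xcb\x5e\x72\x79\x91\x03\xc3\xa3\xea\x91\x19\x16\x67\x41\x8f\xed\xf7\x9d"
      "\x83\x92\x00\xee\x75\xda\x4d\x68\xfd\x6f\xac\xdd\x12\x43\xf3\x07\x27\xc4"
      "\x0c\x6a\x7c\x4f\xfa\x3d\x93\x7f\x4c\x21\xb0\x76\xd1\x46\xf4\x39\xd8\x96"
      "\x12\x58\x52\x6d\x56\x33\x6f\x7d\x94\xe9\x45\xf9\x00\x53\xef\x86\x5d\xd9"
      "\xf9\x39\xb1\x2d\x8b\x6b\x72\xb1\xf2\x0a\x05\x0b\x69\xb8\xa3\xb8\xbc\x88"
      "\x58\x47\x66\xbf\x97\x83\x11\x6c\x8f\xc8\xc4\x88\x3f\x8d\xca\x31\xdb\xfd"
      "\x27\x75\x67\x5d\x86\x81\x36\xe5\xf5\xe1\x6e\x35\x08\x98\x67\x50\xfa\x88"
      "\x25\x23\x1f\xed\x43\xae\x2b\x44\x4f\x59\x92\x01\x1f\x0b\x80\xb1\xf3\xb0"
      "\xe3\x97\xff\x98\xfe\x81\xda\x3b\xd0\x05\x93\x32\x9f\x30\x14\x31\x5f\xb4"
      "\x82\x8f\xdf\xec\x77\xc8\xf3\xc8\xa9\x22\x78\x86\x6f\x7d\x29\x9f\x9a\x08"
      "\x18\xe3\x6d\x1b\xba\xd6\x29\xa6\x13\x45\xe0\x1e\x49\x5d\xfc\x44\x12\xfc"
      "\xc8\xb6\x4e\xac\x52\x59\xde\x21\xda\xe5\xf5\xb3\x4c\x06\xee\x81\xc0\xe4"
      "\x6b\x12\x20\x3b\x63\x9c\xfe\xf7\xf1\x28\x71\x28\x7a\xbc\xa6\xb2\xf7\x0f"
      "\xfa\x2c\xb2\x25\x58\x5b\xfb\xf2\xc0\xcd\x01\x0b\xdd\x1b\x2b\x3f\x56\x00"
      "\x16\xe4\xdb\x6c\x30\xa2\x6e\x51\x7b\x60\x86\x33\xaa\x40\xab\x18\x02\xda"
      "\x8e\x94\x18\x8b\xad\x14\xab\x00\x7e\x41\x5e\xc4\x1c\x3d\xab\xf4\xd2\x81"
      "\x7a\x43\xa0\x82\x31\x35\x29\xe4\xa8\x05\x96\x80\x7b\x78\x5a\xf9\x39\x11"
      "\x17\xf7\x80\xdb\x63\x7f\x22\x14\xbb\x80\x82\x37\x33\x03\xda\x88\x9f\xfd"
      "\x89\xfa\x43\xf4\xcc\xa4\x27\xb4\x3e\x3c\x17\x94\x2d\x31\x4a\x57\x71\x12"
      "\xcf\xb3\x1e\x84\x1a\xe4\x0f\xd1\x82\x20\xe9\xaa\xa2\x4e\x38\x29\x36\xc0"
      "\xb8\x59\xa3\xa4\x25\xc2\x01\x8b\x09\x3e\x42\x64\x8b\x75\x17\xdc\xce\x9a"
      "\xf1\x36\x6d\xc5\xea\x8f\xd5\x75\x00\x1c\xbe\x88\x0d\xdb\xb0\xa7\x68\x03"
      "\x3e\xe3\x80\x2c\x68\xc4\xb2\xfc\x29\x0f\xcb\x84\xf1\xe3\x33\x18\x54\x3f"
      "\xd2\xdd\xf0\x65\x50\x3c\x07\x67\xc8\x6f\xcd\xe6\x93\x17\x97\xf2\x75\xee"
      "\x4c\x14\x9d\x61\x6f\xf0\x2a\x9a\x01\x9c\x22\x3c\x16\xcf\xd6\xe6\x18\xb0"
      "\x7c\x7b\xd8\x00\x9d\x32\x01\xa9\x2b\x91\xa0\x94\x4f\xf2\x1d\x71\xff\xc5"
      "\x3c\x39\xb7\xa3\x18\xc6\x45\x1d\x80\xb0\x5f\x9d\x9c\x81\xfd\x1a\x78\xef"
      "\x35\xe1\x4c\xbe\xbc\x1b\x4e\x2d\xe2\x80\x39\x30\x10\x42\xc0\xfa\x09\xad"
      "\x2e\x43\xd5\xf7\x8a\xb4\x10\x42\x18\xba\xb2\xda\x50\x34\x05\x0b\xbf\x62"
      "\x5c\x68\x03\x49\x6d\xd3\xd7\x7b\x57\x4a\xed\x51\xba\xdd\x3e\x99\x67\x54"
      "\x80\x14\xb8\xb3\x18\xdf\xb2\xe0\xa6\xce\x66\x37\xce\xe7\x86\x80\x6e\xc0"
      "\x6b\x35\x9d\x65\x69\xc6\x5d\xf2\xe5\x38\xb4\x38\x62\xbe\x27\xd4\xdd\xb2"
      "\x71\x04\x47\xed\x7e\x56\xcb\x4a\x02\x77\x9c\x87\x67\xe1\x10\x56\xcf\xac"
      "\xa1\xab\x1a\xea\x20\xd4\x19\x8a\x05\x0e\x98\x69\x5a\xe3\xf2\xa0\xaa\xdb"
      "\x5b\x34\xb6\xb9\x45\x37\x9b\x81\x25\x9e\xbe\x7a\xbe\x6d\x3c\xa2\x3c\xae"
      "\x04\x84\x29\xb6\xc8\x50\x81\x37\x06\xf5\x92\x31\x03\x4f\xce\x07\xc4\x11"
      "\x19\x61\x19\x3d\x58\x1e\x3b\xbb\xd6\xc9\xaf\xd8\xb3\xd1\xe0\x60\x48\x07"
      "\xdb\xd8\x80\xd2\xcc\xc5\x26\x68\x18\xa1\x82\x87\xe8\xc4\xbd\xa3\x11\xbe"
      "\x83\xc6\xf1\xc5\xe7\xf5\x71\xb9\xf5\xab\x1f\x84\xf8\x25\x2d\xf9\xd6\x2f"
      "\x75\x86\x5a\xdc\xdd\x61\xea\xaf\x7d\xf4\xcb\xdd\x99\x4a\xb1\x7d\x2d\x5d"
      "\x68\x4f\x95\x71\x5d\x46\x36\xa6\xcb\x69\xfa\x26\x19\xc6\xb7\x6e\xe0\x60"
      "\x20\x2a\x0a\x8c\x93\x4a\xa5\x37\xd2\xc5\xcf\x73\x61\x42\x34\x9b\x19\xfb"
      "\x9b\x53\x2b\x05\xe6\xdf\xf0\x5c\x4c\x63\x5f\x41\x34\xbc\xc0\xef\x2e\x38"
      "\xc3\xfd\x75\xd8\x66\x4d\x7d\xfa\x31\x39\xe1\xb2\xc2\xcb\xbd\xbe\x4f\xc0"
      "\xe2\xe8\x08\x70\xad\xe3\x68\xb7\x30\xd4\xc0\x69\x46\xb6\x08\x08\x89\x91"
      "\xf3\x46\x76\x5a\xfa\xad\x67\x65\xe5\xa1\x62\x67\xb2\xd2\x49\xee\x22\xea"
      "\x1c\x6c\xb8\x5d\x5d\x0f\x8e\xe4\x82\x04\xa5\xdc\x48\xae\x64\x15\xe3\x80"
      "\x2f\xd8\xa4\x31\xd2\x49\xf9\x5c\x72\xf6\x89\x59\x78\xb3\x6c\x42\x4e\x40"
      "\xf8\x3d\xfe\x1d\x0c\xa0\x1d\xca\x14\xc4\xa3\x08\xe9\x26\xfe\x72\x6e\xa0"
      "\xb4\x56\xdc\xd9\x76\x14\x7e\x61\x74\x46\x75\xf8\x1f\x38\xbd\x5e\xf0\x6e"
      "\xd7\x66\x92\xac\x8a\xc0\x37\x44\xc8\xdc\x31\x3f\x06\xaa\x28\x83\x2a\x32"
      "\x86\xe6\x26\xd5\xe2\x9c\x74\x8c\x21\x16\x44\x75\xc7\x39\xd3\xf6\xc6\xad"
      "\x04\x6f\xbb\x1a\x14\x98\x67\xfa\xf7\x70\xc0\x89\xb3\x51\x3a\x06\x49\xd7"
      "\x87\x20\x8f\x06\xe7\xdb\x6f\x8a\x44\xa9\xe3\x2c\x6b\xd8\xdd\x9c\xca\x53"
      "\xbc\xd8\xba\x7e\xc4\x9d\x40\x68\xd7\x01\x8b\x4c\x8f\xbd\x13\x07\x0f\x9b"
      "\x0d\x02\xd3\x68\x6b\x54\xf9\x6a\x21\xe7\x4e\x34\x6c\x38\x0a\x99\xf2\x1f"
      "\x33\x92\x5d\x4a\x39\xd5\x10\x84\x2e\xd8\x4f\x26\x05\xa1\x50\x51\xa7\x84"
      "\xd8\x21\x63\x64\xc2\xf8\xec\x79\xf7\x88\x4e\xc1\x51\xac\x56\xd1\x1e\x30"
      "\xe0\x58\xd2\xc4\x99\x98\x14\x7c\x1d\x54\xe0\x4a\xea\x5d\x2e\x9b\xcc\x5b"
      "\xf0\x51\x69\x0d\x7a\xa9\x05\xfd\xd6\x85\x28\x30\x9a\xfd\xa3\xfd\x59\x20"
      "\xce\xcf\xae\x73\xf6\xd5\xf8\x96\x2e\x64\x7f\x5e\x90\x97\x48\xff\x91\x05"
      "\x09\x71\x18\xfe\xec\xf2\x8d\x6d\x51\x4e\xde\x8c\xb2\xd4\x20\x1d\xa6\xef"
      "\xc9\xf3\xc2\x48\x93\x57\x0b\x22\x7d\xfe\x67\x31\x58\xe6\xc1\x7b\xfc\xd9"
      "\x16\x25\xbc\x4f\x87\xeb\x6f\xc6\x7e\x5b\x64\x7b\x18\x23\x1d",
      2643);
  *(uint64_t*)0x20000708 = 0xa53;  // iov[0].iov_len = 2643
  *(uint64_t*)0x20000818 = 1;      // msg_iovlen
  *(uint64_t*)0x20000820 = 0;      // msg_control
  *(uint64_t*)0x20000828 = 0;      // msg_controllen
  *(uint32_t*)0x20000830 = 0;      // msg_flags
  syscall(__NR_sendmsg, /*fd=*/-1, /*msg=*/0x20000800ul, /*f=*/0ul);

  // Step 2: bpf(cmd 0 = BPF_MAP_CREATE). Overwrites the start of the payload
  // buffer above with a 0x48-byte bpf_attr: map_type 0x12 (SOCKHASH in the
  // UAPI numbering), key_size 4, value_size 8, max_entries 8, no flags,
  // inner_map_fd -1, empty name, btf_fd -1, remaining fields zero.
  // The resulting map fd (if any) goes to r[0].
  *(uint32_t*)0x200009c0 = 0x12;  // map_type
  *(uint32_t*)0x200009c4 = 4;     // key_size
  *(uint32_t*)0x200009c8 = 8;     // value_size
  *(uint32_t*)0x200009cc = 8;     // max_entries
  *(uint32_t*)0x200009d0 = 0;     // map_flags
  *(uint32_t*)0x200009d4 = -1;    // inner_map_fd
  *(uint32_t*)0x200009d8 = 0;     // numa_node
  memset((void*)0x200009dc, 0, 16);  // map_name
  *(uint32_t*)0x200009ec = 0;     // map_ifindex
  *(uint32_t*)0x200009f0 = -1;    // btf_fd
  *(uint32_t*)0x200009f4 = 0;
  *(uint32_t*)0x200009f8 = 0;
  *(uint32_t*)0x200009fc = 0;
  *(uint64_t*)0x20000a00 = 0;
  res = syscall(__NR_bpf, /*cmd=*/0ul, /*arg=*/0x200009c0ul, /*size=*/0x48ul);
  if (res != -1)
    r[0] = res;

  // Step 3: bpf(cmd 5 = BPF_PROG_LOAD) with prog_type 0 and no license.
  // The 12 instructions (insn_cnt 0xc) are assembled at 0x20000440, 8 bytes
  // each: opcode byte, dst/src register nibbles (via STORE_BY_BITMASK), 16-bit
  // offset, 32-bit immediate. As a sketch they decode to: two 64-bit immediate
  // loads (the second with src_reg=1, i.e. a pseudo map-fd load of r[0]), a
  // store of a zeroed 8-byte key at r10-8, r2 pointed at that key, r3=8, r4=0,
  // a call to helper #3, and exit. With prog_type 0 this load is expected to
  // fail; its result is discarded.
  *(uint32_t*)0x200000c0 = 0;            // prog_type
  *(uint32_t*)0x200000c4 = 0xc;          // insn_cnt
  *(uint64_t*)0x200000c8 = 0x20000440;   // insns
  // insn 0: opcode 0x18 (64-bit immediate load), dst r0, imm 0 (two slots)
  *(uint8_t*)0x20000440 = 0x18;
  STORE_BY_BITMASK(uint8_t, , 0x20000441, 0, 0, 4);
  STORE_BY_BITMASK(uint8_t, , 0x20000441, 0, 4, 4);
  *(uint16_t*)0x20000442 = 0;
  *(uint32_t*)0x20000444 = 0;
  *(uint8_t*)0x20000448 = 0;
  *(uint8_t*)0x20000449 = 0;
  *(uint16_t*)0x2000044a = 0;
  *(uint32_t*)0x2000044c = 0;
  // insn 2: opcode 0x18, dst r1, src 1 (pseudo map fd), imm = map fd r[0]
  *(uint8_t*)0x20000450 = 0x18;
  STORE_BY_BITMASK(uint8_t, , 0x20000451, 1, 0, 4);
  STORE_BY_BITMASK(uint8_t, , 0x20000451, 1, 4, 4);
  *(uint16_t*)0x20000452 = 0;
  *(uint32_t*)0x20000454 = r[0];
  *(uint8_t*)0x20000458 = 0;
  *(uint8_t*)0x20000459 = 0;
  *(uint16_t*)0x2000045a = 0;
  *(uint32_t*)0x2000045c = 0;
  // insn 4: ALU64 mov imm, r8 = 0
  STORE_BY_BITMASK(uint8_t, , 0x20000460, 7, 0, 3);
  STORE_BY_BITMASK(uint8_t, , 0x20000460, 0, 3, 1);
  STORE_BY_BITMASK(uint8_t, , 0x20000460, 0xb, 4, 4);
  STORE_BY_BITMASK(uint8_t, , 0x20000461, 8, 0, 4);
  STORE_BY_BITMASK(uint8_t, , 0x20000461, 0, 4, 4);
  *(uint16_t*)0x20000462 = 0;
  *(uint32_t*)0x20000464 = 0;
  // insn 5: STX mem DW, [r10 - 8] = r8
  STORE_BY_BITMASK(uint8_t, , 0x20000468, 3, 0, 3);
  STORE_BY_BITMASK(uint8_t, , 0x20000468, 3, 3, 2);
  STORE_BY_BITMASK(uint8_t, , 0x20000468, 3, 5, 3);
  STORE_BY_BITMASK(uint8_t, , 0x20000469, 0xa, 0, 4);
  STORE_BY_BITMASK(uint8_t, , 0x20000469, 8, 4, 4);
  *(uint16_t*)0x2000046a = 0xfff8;
  *(uint32_t*)0x2000046c = 0;
  // insn 6: ALU64 mov reg, r2 = r10
  STORE_BY_BITMASK(uint8_t, , 0x20000470, 7, 0, 3);
  STORE_BY_BITMASK(uint8_t, , 0x20000470, 1, 3, 1);
  STORE_BY_BITMASK(uint8_t, , 0x20000470, 0xb, 4, 4);
  STORE_BY_BITMASK(uint8_t, , 0x20000471, 2, 0, 4);
  STORE_BY_BITMASK(uint8_t, , 0x20000471, 0xa, 4, 4);
  *(uint16_t*)0x20000472 = 0;
  *(uint32_t*)0x20000474 = 0;
  // insn 7: ALU64 add imm, r2 += -8
  STORE_BY_BITMASK(uint8_t, , 0x20000478, 7, 0, 3);
  STORE_BY_BITMASK(uint8_t, , 0x20000478, 0, 3, 1);
  STORE_BY_BITMASK(uint8_t, , 0x20000478, 0, 4, 4);
  STORE_BY_BITMASK(uint8_t, , 0x20000479, 2, 0, 4);
  STORE_BY_BITMASK(uint8_t, , 0x20000479, 0, 4, 4);
  *(uint16_t*)0x2000047a = 0;
  *(uint32_t*)0x2000047c = 0xfffffff8;
  // insn 8: ALU64 mov imm, r3 = 8
  STORE_BY_BITMASK(uint8_t, , 0x20000480, 7, 0, 3);
  STORE_BY_BITMASK(uint8_t, , 0x20000480, 0, 3, 1);
  STORE_BY_BITMASK(uint8_t, , 0x20000480, 0xb, 4, 4);
  STORE_BY_BITMASK(uint8_t, , 0x20000481, 3, 0, 4);
  STORE_BY_BITMASK(uint8_t, , 0x20000481, 0, 4, 4);
  *(uint16_t*)0x20000482 = 0;
  *(uint32_t*)0x20000484 = 8;
  // insn 9: ALU64 mov imm, r4 = 0
  STORE_BY_BITMASK(uint8_t, , 0x20000488, 7, 0, 3);
  STORE_BY_BITMASK(uint8_t, , 0x20000488, 0, 3, 1);
  STORE_BY_BITMASK(uint8_t, , 0x20000488, 0xb, 4, 4);
  STORE_BY_BITMASK(uint8_t, , 0x20000489, 4, 0, 4);
  STORE_BY_BITMASK(uint8_t, , 0x20000489, 0, 4, 4);
  *(uint16_t*)0x2000048a = 0;
  *(uint32_t*)0x2000048c = 0;
  // insn 10: opcode 0x85 (call), helper #3
  *(uint8_t*)0x20000490 = 0x85;
  *(uint8_t*)0x20000491 = 0;
  *(uint16_t*)0x20000492 = 0;
  *(uint32_t*)0x20000494 = 3;
  // insn 11: opcode 0x95 (exit)
  *(uint8_t*)0x20000498 = 0x95;
  *(uint8_t*)0x20000499 = 0;
  *(uint16_t*)0x2000049a = 0;
  *(uint32_t*)0x2000049c = 0;
  // Remaining bpf_attr fields: license NULL, no log buffer, no kern_version,
  // no flags, empty prog_name, prog_btf_fd -1, and all func_info / line_info /
  // attach / core_relo fields zero.
  *(uint64_t*)0x200000d0 = 0;  // license
  *(uint32_t*)0x200000d8 = 0;
  *(uint32_t*)0x200000dc = 0;
  *(uint64_t*)0x200000e0 = 0;
  *(uint32_t*)0x200000e8 = 0;
  *(uint32_t*)0x200000ec = 0;
  memset((void*)0x200000f0, 0, 16);  // prog_name
  *(uint32_t*)0x20000100 = 0;
  *(uint32_t*)0x20000104 = 0;
  *(uint32_t*)0x20000108 = -1;  // prog_btf_fd
  *(uint32_t*)0x2000010c = 0;
  *(uint64_t*)0x20000110 = 0;
  *(uint32_t*)0x20000118 = 0;
  *(uint32_t*)0x2000011c = 0;
  *(uint64_t*)0x20000120 = 0;
  *(uint32_t*)0x20000128 = 0;
  *(uint32_t*)0x2000012c = 0;
  *(uint32_t*)0x20000130 = 0;
  *(uint32_t*)0x20000134 = 0;
  *(uint64_t*)0x20000138 = 0;
  *(uint64_t*)0x20000140 = 0;
  *(uint32_t*)0x20000148 = 0;
  *(uint32_t*)0x2000014c = 0;
  syscall(__NR_bpf, /*cmd=*/5ul, /*arg=*/0x200000c0ul, /*size=*/0x90ul);

  // Step 4: the same program loaded again with prog_type 0x11 (RAW_TRACEPOINT
  // in the UAPI numbering) and license "GPL"; the instructions at 0x20000440
  // are reused unchanged. The program fd (if any) goes to r[1].
  *(uint32_t*)0x200000c0 = 0x11;         // prog_type
  *(uint32_t*)0x200000c4 = 0xc;          // insn_cnt
  *(uint64_t*)0x200000c8 = 0x20000440;   // insns
  *(uint64_t*)0x200000d0 = 0x20000240;   // license
  memcpy((void*)0x20000240, "GPL\000", 4);
  *(uint32_t*)0x200000d8 = 0;
  *(uint32_t*)0x200000dc = 0;
  *(uint64_t*)0x200000e0 = 0;
  *(uint32_t*)0x200000e8 = 0;
  *(uint32_t*)0x200000ec = 0;
  memset((void*)0x200000f0, 0, 16);
  *(uint32_t*)0x20000100 = 0;
  *(uint32_t*)0x20000104 = 0;
  *(uint32_t*)0x20000108 = -1;
  *(uint32_t*)0x2000010c = 0;
  *(uint64_t*)0x20000110 = 0;
  *(uint32_t*)0x20000118 = 0;
  *(uint32_t*)0x2000011c = 0;
  *(uint64_t*)0x20000120 = 0;
  *(uint32_t*)0x20000128 = 0;
  *(uint32_t*)0x2000012c = 0;
  *(uint32_t*)0x20000130 = 0;
  *(uint32_t*)0x20000134 = 0;
  *(uint64_t*)0x20000138 = 0;
  *(uint64_t*)0x20000140 = 0;
  *(uint32_t*)0x20000148 = 0;
  *(uint32_t*)0x2000014c = 0;
  res = syscall(__NR_bpf, /*cmd=*/5ul, /*arg=*/0x200000c0ul, /*size=*/0x90ul);
  if (res != -1)
    r[1] = res;

  // Step 5: bpf(cmd 0x11 = BPF_RAW_TRACEPOINT_OPEN) attaching the program to
  // the raw tracepoint named "console" (attr: name pointer, prog_fd = r[1];
  // r[1] is truncated to 32 bits here, so an unset r[1] becomes 0xffffffff).
  // Then the same command once more with a NULL attr and size 0.
  *(uint64_t*)0x20000940 = 0x20000640;  // name
  memcpy((void*)0x20000640, "console\000", 8);
  *(uint32_t*)0x20000948 = r[1];        // prog_fd
  syscall(__NR_bpf, /*cmd=*/0x11ul, /*arg=*/0x20000940ul, /*size=*/0x10ul);
  syscall(__NR_bpf, /*cmd=*/0x11ul, /*arg=*/0ul, /*size=*/0ul);
}

// Entry point. Maps the fixed scratch region used by execute_one() — a 16 MiB
// RWX area at 0x20000000 with an inaccessible (PROT_NONE) page on each side —
// then forks 5 workers that run loop() forever, and parks itself in sleep().
// mmap results are not checked; if the fixed mappings fail, the raw stores in
// execute_one() fault. A failed fork() (-1) is silently skipped.
int main(void)
{
  syscall(__NR_mmap, /*addr=*/0x1ffff000ul, /*len=*/0x1000ul, /*prot=*/0ul,
          /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1, /*offset=*/0ul);
  syscall(__NR_mmap, /*addr=*/0x20000000ul, /*len=*/0x1000000ul,
          /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul,
          /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1, /*offset=*/0ul);
  syscall(__NR_mmap, /*addr=*/0x21000000ul, /*len=*/0x1000ul, /*prot=*/0ul,
          /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1, /*offset=*/0ul);
  for (procid = 0; procid < 5; procid++) {
    if (fork() == 0) {
      loop();
    }
  }
  sleep(1000000);
  return 0;
}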