// https://syzkaller.appspot.com/bug?id=7aee4547f8bfbd6c7b86331670df496cd7c871d8 // autogenerated by syzkaller (http://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #define BITMASK_LEN(type, bf_len) (type)((1ull << (bf_len)) - 1) #define BITMASK_LEN_OFF(type, bf_off, bf_len) \ (type)(BITMASK_LEN(type, (bf_len)) << (bf_off)) #define STORE_BY_BITMASK(type, addr, val, bf_off, bf_len) \ if ((bf_off) == 0 && (bf_len) == 0) { \ *(type*)(addr) = (type)(val); \ } else { \ type new_val = *(type*)(addr); \ new_val &= ~BITMASK_LEN_OFF(type, (bf_off), (bf_len)); \ new_val |= ((type)(val)&BITMASK_LEN(type, (bf_len))) << (bf_off); \ *(type*)(addr) = new_val; \ } struct csum_inet { uint32_t acc; }; static void csum_inet_init(struct csum_inet* csum) { csum->acc = 0; } static void csum_inet_update(struct csum_inet* csum, const uint8_t* data, size_t length) { if (length == 0) return; size_t i; for (i = 0; i < length - 1; i += 2) csum->acc += *(uint16_t*)&data[i]; if (length & 1) csum->acc += (uint16_t)data[length - 1]; while (csum->acc > 0xffff) csum->acc = (csum->acc & 0xffff) + (csum->acc >> 16); } static uint16_t csum_inet_digest(struct csum_inet* csum) { return ~csum->acc; } long r[1]; void loop() { memset(r, -1, sizeof(r)); memcpy((void*)0x20ae8f92, "\xb1\x00\x48\x5c\xaa\x2a", 6); *(uint8_t*)0x20ae8f98 = 0xaa; *(uint8_t*)0x20ae8f99 = 0xaa; *(uint8_t*)0x20ae8f9a = 0xaa; *(uint8_t*)0x20ae8f9b = 0xaa; *(uint8_t*)0x20ae8f9c = 0; *(uint8_t*)0x20ae8f9d = 0; *(uint16_t*)0x20ae8f9e = htobe16(0x800); STORE_BY_BITMASK(uint8_t, 0x20ae8fa0, 5, 0, 4); STORE_BY_BITMASK(uint8_t, 0x20ae8fa0, 4, 4, 4); STORE_BY_BITMASK(uint8_t, 0x20ae8fa1, 0, 0, 2); STORE_BY_BITMASK(uint8_t, 0x20ae8fa1, 0, 2, 6); *(uint16_t*)0x20ae8fa2 = htobe16(0x1c); *(uint16_t*)0x20ae8fa4 = 0; *(uint16_t*)0x20ae8fa6 = htobe16(0); *(uint8_t*)0x20ae8fa8 = 0; *(uint8_t*)0x20ae8fa9 = 0; *(uint16_t*)0x20ae8faa = 0; *(uint32_t*)0x20ae8fac = htobe32(0); *(uint32_t*)0x20ae8fb0 = htobe32(-1); *(uint8_t*)0x20ae8fb4 = 0; *(uint8_t*)0x20ae8fb5 = 0; *(uint16_t*)0x20ae8fb6 = 0; *(uint32_t*)0x20ae8fb8 = htobe32(0xe0000001); *(uint32_t*)0x203b5000 = 0; *(uint32_t*)0x203b5004 = 1; *(uint32_t*)0x203b5008 = 0; struct csum_inet csum_1; csum_inet_init(&csum_1); csum_inet_update(&csum_1, (const uint8_t*)0x20ae8fb4, 8); *(uint16_t*)0x20ae8fb6 = csum_inet_digest(&csum_1); struct csum_inet csum_2; csum_inet_init(&csum_2); csum_inet_update(&csum_2, (const uint8_t*)0x20ae8fa0, 20); *(uint16_t*)0x20ae8faa = csum_inet_digest(&csum_2); r[0] = syscall(__NR_socket, 0xa, 2, 0x88); *(uint64_t*)0x2000b000 = 0x2000bfe4; *(uint16_t*)0x2000bfe4 = 0xa; *(uint16_t*)0x2000bfe6 = htobe16(0x4e23); *(uint32_t*)0x2000bfe8 = 0; *(uint8_t*)0x2000bfec = 0xfe; *(uint8_t*)0x2000bfed = 0x80; *(uint8_t*)0x2000bfee = 0; *(uint8_t*)0x2000bfef = 0; *(uint8_t*)0x2000bff0 = 0; *(uint8_t*)0x2000bff1 = 0; *(uint8_t*)0x2000bff2 = 0; *(uint8_t*)0x2000bff3 = 0; *(uint8_t*)0x2000bff4 = 0; *(uint8_t*)0x2000bff5 = 0; *(uint8_t*)0x2000bff6 = 0; *(uint8_t*)0x2000bff7 = 0; *(uint8_t*)0x2000bff8 = 0; *(uint8_t*)0x2000bff9 = 0; *(uint8_t*)0x2000bffa = 0; *(uint8_t*)0x2000bffb = 0xbb; *(uint32_t*)0x2000bffc = 0; *(uint32_t*)0x2000b008 = 0x1c; *(uint64_t*)0x2000b010 = 0x20004000; *(uint64_t*)0x2000b018 = 0; *(uint64_t*)0x2000b020 = 0x20000000; *(uint64_t*)0x20000000 = 0x720; *(uint32_t*)0x20000008 = 0x29; *(uint32_t*)0x2000000c = 3; memcpy( (void*)0x20000010, "\xab\xe1\x40\x56\x36\xdf\x81\x0d\x4c\x0b\x20\x57\xd1\x03\xdc\x16\xb0\x83" "\xaa\x6e\xee\x43\xca\x3c\xa6\x9f\x91\x8a\xa5\xf7\x8f\x9b\xbf\x6d\x80\x35" "\x1b\xaf\x82\x94\xf6\x2e\xca\x4f\x35\x1a\x70\x9d\xbf\x2e\xe8\x2a\x4b\x38" "\x4d\x32\x21\x00\x00\x00\x1f\xc5\x91\xb7\x12\x35\xbd\xae\x4c\x84\xfa\x89" "\x51\x3d\xc4\x06\x0f\xad\xdd\x7a\xfb\xf0\x62\xab\xe4\xf8\x70\x5b\xe6\xa7" "\x63\x76\xfa\xc3\x35\xbb\x50\xf1\xd9\x50\x9f\xce\x77\x97\x49\xe2\x2d\x59" "\x34\x50\x0f\xee\x73\x83\xa6\x5d\xb3\x3f\x6d\xc3\x50\x7b\x9f\x42\x30\x15" "\x0d\xe8\xda\xdb\xc3\xe6\xe9\x56\x44\x22\x4e\x69\xd9\xb7\xdd\x46\x4e\x49" "\x3f\xe0\xb1\xb0\x88\xc3\xfd\xde\xd9\xa9\x48\x95\x7c\xdd\x4a\xf4\x2c\x7f" "\x97\x3b\x7d\xe2\xc7\x98\x3b\xd5\x53\x8d\x6d\x65\x6b\x0a\x9f\x83\x40\xf0" "\xbc\xdb\x11\xc6\xe4\x10\xdd\x35\x4a\xf4\x37\x51\xb6\x90\xa0\x62\x46\x45" "\x35\xc9\xcc\xc2\x0e\x62\xa1\xd2\xd8\xe5\xcd\xff\x67\xfc\x02\x48\xb4\x9b" "\x45\x73\xcd\xb2\xd8\x8b\xe7\x07\xb9\x24\x4a\x5b\x50\xac\x63\x26\x6a\x37" "\xf9\x73\xf2\xf6\xbd\x6b\x82\x41\x25\x51\x4e\x2d\x79\x90\xd2\x11\x9c\x89" "\xc2\xf7\x46\x25\xef\x5f\x48\x32\x6e\x45\x63\xa9\x6a\x24\x16\x7f\x08\xa7" "\xc0\x11\x6f\xa9\xeb\x02\x65\xac\x42\x8e\x2a\x7c\x43\x9e\xcf\x8d\x0a\x54" "\x61\xc0\x28\x8b\x0f\xf0\x54\x49\x9b\xfd\xc4\x17\x06\x0c\x70\xbf\x67\x6e" "\xb1\xa8\x63\x71\x79\xfe\x43\x9b\x08\x2e\x8c\x62\xe5\x6a\x1c\xc6\xb2\x9c" "\xe1\x45\xe2\xa1\xeb\x53\x4a\x99\x05\xd0\x65\xfd\x78\xed\xac\x44\xd7\x32" "\x8a\x33\x35\xb9\x0c\x90\xb9\xd9\xde\x27\x64\xbf\xa2\x6f\xf4\x23\x0e\xfc" "\xab\xc7\x54\x3d\x44\xa4\x0a\xc2\xdd\xe3\x11\x2a\x06\xb0\x82\x76\x5d\xa2" "\x90\x83\x2b\x96\x4b\xd4\x0b\x5b\x92\x1f\xec\x3a\xb0\xea\x64\x7e\x7e\x1b" "\xc9\x0c\x4c\x28\x34\xe5\x58\xec\x12\x0c\xb8\xdc\xaf\x38\x3f\x76\x43\x7d" "\x5d\xeb\x4c\x31\x33\x54\x9c\x5c\x7f\x3d\xad\xfe\xe8\xdb\x5b\xa4\x85\xe6" "\x19\x2f\x5c\xa4\xe1\xc3\x3a\x98\x5d\x2e\x2d\x0b\x3f\x91\x76\xaf\x9b\xca" "\x09\xdc\x3c\x09\x7d\x9f\x14\xcb\x1d\xf0\x2d\xe9\x66\x9e\x46\xa3\x70\xf0" "\x7d\x24\xf3\x24\x03\x5f\x89\x81\x0b\xae\x52\xca\x76\x2b\x43\x0d\x89\xb1" "\xb6\x89\x4c\x15\x22\x64\xdc\x96\x44\xbd\x4e\xe9\x45\x9f\x3b\x05\x4a\xc3" "\xa0\x8e\xaf\x0d\x26\xc7\x0d\x78\x7f\xe5\x3a\x3b\xf9\x7f\x4d\x68\x27\x53" "\x02\x55\x3c\x83\x7d\x4d\xd5\xc0\xb4\xa2\x4e\xcb\x48\x50\xc6\xa8\x7e\x8d" "\x6b\x73\x11\x66\xeb\xbf\x9b\x28\xaf\x80\x99\xb0\xe6\x9f\x09\x26\x7a\xb9" "\x2d\xd6\xe6\x05\xd6\x85\x7d\xd9\x4c\x26\xe4\x5c\x44\x8f\x03\x5e\x00\xe5" "\x06\x58\xab\x8f\x76\xed\xaf\x16\x87\x73\x78\xdc\x0a\x15\x8f\x99\xed\x85" "\xdb\xed\x85\xcd\xe1\xaf\xb3\xd2\x30\xce\x62\x20\x1c\x10\xdf\xb8\x44\xe3" "\x23\x58\x3f\xd7\x3e\x55\x10\xde\x94\x95\xef\x8e\xaa\x0e\x2e\x90\xb2\xbe" "\x60\xb5\x9b\x3d\x51\xfa\x34\xd3\x40\xca\x2f\x5d\x18\x2d\xda\x89\x45\x79" "\xa5\x27\xf2\xc6\x9d\x9b\x34\x0a\x02\xf3\x85\xde\x57\x39\x6c\xd1\xe2\xfe" "\x9c\x00\xe0\x5b\xc3\x5e\x5e\xf2\x94\xa4\x71\x0d\x96\x0a\x1a\x74\x3e\x4e" "\x24\x20\xf7\x59\xdc\xae\xdd\x17\x4d\x0c\xb8\x66\xe4\x11\x74\xe2\x9e\x91" "\x5f\xd5\xd8\xf3\x7f\xfc\x73\x58\x5b\x84\x7b\x8a\x88\x61\x5b\x4f\x7f\xea" "\x33\x42\x27\xbc\x1c\xa9\xcd\xcd\x1a\xb4\x0d\x4d\x05\x3b\xd1\x40\x79\x0a" "\x8a\x59\x46\xc2\x46\x41\x8d\xdd\x17\x67\xc8\x5a\xf7\x91\xaa\x28\xdc\xcb" "\xd0\x87\x8f\x8f\x32\x94\xaa\x9f\x42\x26\x8a\x71\x3c\xe5\x24\xc2\x82\x02" "\x9e\x85\x99\xf4\x1b\x1c\x73\x91\xd1\xad\xfb\xbf\xd6\xf6\x17\x0a\x46\x32" "\x78\x05\x89\x4c\x49\x73\xd5\x34\xde\x75\x22\xfa\xe7\x84\x95\x14\x12\xd4" "\x0a\x20\x60\x44\x59\xdf\x66\x53\xbb\x9e\x70\x63\x1c\xde\x23\xb3\x52\xe1" "\xb2\x61\xc1\xe7\xfa\x30\x61\x26\x32\xe0\xff\xb6\x5d\xde\xd0\x37\x86\xc1" "\xca\x82\x27\x2b\xaa\xf9\xbc\xf0\x7e\x81\x27\x23\xfc\x3b\xd3\x51\x3b\x7f" "\xf9\x35\xb8\x4a\x32\xe8\x77\x4b\xd4\xca\x52\x39\x76\x23\x31\x8c\xba\xcb" "\xbb\xaa\x8f\x66\xe6\x6a\x54\x82\xf3\xe0\x6b\x9f\xea\x51\x4f\xd3\x9a\x3d" "\x81\x06\x08\xfb\xb3\x60\x54\x58\x06\xa5\x93\xa7\x38\xe1\x06\x7b\x9e\x53" "\x87\x89\x14\xae\x56\x7e\x28\x83\x05\x51\xd1\xb5\x90\x66\x23\x39\xda\x58" "\x25\x2d\x97\xa2\xd0\x45\x59\x3c\x4c\x0a\x36\x6b\xd6\xfc\x40\xcb\xc3\x26" "\x05\xf7\x27\x03\x47\x5c\x18\x7e\x1e\xd1\x3b\x5b\x08\x63\x2d\x39\x4e\xb9" "\x87\xa9\x53\x3c\xb9\xea\x1d\x86\xac\xf5\xcf\xb8\x27\x0b\x0d\xb3\xf8\xa6" "\x23\x8b\x45\xc5\x61\x13\xf6\xcc\x94\x32\x4b\x98\xcf\xd7\x59\x52\x64\x06" "\x26\xd1\xf7\x9c\x66\xff\x9e\xf6\x7a\xcc\x54\x5a\xe4\x26\x45\x44\xc3\xdd" "\x7c\x78\x28\x4f\xc5\x3d\x8e\x1b\x6f\x06\x43\xc7\x0d\xa4\xa1\x98\x8a\x06" "\x86\xbc\x9b\xfb\xb4\xc7\xff\x5a\xae\xea\x41\x6d\x77\x04\x9b\x13\x00\x94" "\xa9\x5a\xfd\x95\xf5\xb6\x36\xaf\x11\x1c\xd7\x4e\x66\xa0\x1f\xdb\xa9\x98" "\x74\x9c\x56\x16\xce\xb2\x0e\xcf\x0b\xa9\x60\x45\x4f\x27\xed\x69\xf3\x46" "\x17\x2e\x78\xf7\x1e\x0f\xd0\x3f\xd0\x9c\x2c\x7d\xa4\xa0\x44\x0d\xeb\xf6" "\xfe\x93\x39\x49\x68\x62\x66\xa3\x78\x09\x58\xa5\xd5\x29\x79\x38\xbe\x51" "\x9e\x11\x3f\xad\xd7\x07\x15\x7b\x39\x3d\xf3\x52\x58\xbe\xad\x87\x8a\x1d" "\x4b\x55\xf3\x6b\x2b\x29\x16\xcc\x0a\x5d\xa8\x6d\x99\x98\x75\xd1\x57\x26" "\x58\x18\x16\xcd\x2d\xed\x58\xf7\xf0\x58\xb6\x06\x8a\x9a\x00\xe3\x70\x7c" "\x69\x4e\x69\x0f\xfc\x8c\x8b\x60\x94\xb8\x1c\xf3\xd7\xad\xa2\x15\x34\x04" "\xe8\x8e\x2a\x56\xfb\xfa\xc3\xed\x55\x38\xf5\x90\xed\x59\xc3\x16\xd4\x7e" "\x20\xd3\x04\x99\x8d\x17\x92\xf2\x6b\x46\x0f\xd1\x90\x9b\x11\xa4\xa0\x7f" "\x33\x82\x8d\xc7\x73\x83\x9a\xd1\x17\xf8\x10\xf1\x6e\x75\xe0\x19\xd1\xaa" "\x4f\x2d\xb1\x26\x7e\xcb\xa3\xb8\x4d\x63\x9e\x77\x30\xe8\x98\xaf\x32\x1d" "\xb1\xc2\xf9\xbb\x76\x69\xa9\xfc\x09\xb8\x6b\xb9\x1b\x79\x7a\xdc\x80\x21" "\xf2\xa0\xf5\xca\x84\xe0\xb6\xaa\x4e\x02\xfe\x0e\x97\xa3\x9d\xe6\x97\x21" "\x94\xfd\x5f\xe2\x41\x16\x85\x3c\x29\x5b\xaa\x2e\xd5\x74\xaf\x9e\xc1\xb7" "\xbd\xcd\x62\xc4\x0e\x0b\xe3\xfa\xf2\x08\xf0\x8a\x27\x62\xa8\xac\x62\x65" "\x1d\x37\x76\x8b\x03\x1f\x70\xc6\x43\xb9\xf8\xe7\x75\x30\xcd\xdf\xb7\x1f" "\xfd\x9e\xe5\x5a\x55\x02\x69\x5a\xf5\xf5\x02\x52\x9f\xca\x02\x3d\x95\x5f" "\x2a\x5f\x88\xd0\x40\x35\x08\x3f\x59\x7e\xae\xbe\x3c\xd1\xaa\x5f\x76\xc2" "\xac\x93\x85\x7c\x86\x62\xa8\xbf\x8b\xaa\x8f\x4c\x12\xfe\x73\xb8\x02\x06" "\x67\xf0\x70\x07\xf4\x64\xce\x47\x08\x3a\x7f\x5c\x3e\x5b\xcf\x5b\x80\x6f" "\x01\xb8\x4d\x8b\xf8\x16\x84\x8a\xcb\x28\x2e\x76\x19\x80\x89\xb2\xc5\xaa" "\xdc\x2d\x6c\xe8\xd0\x91\x33\xf8\xc7\x5f\xb2\xd0\x37\x15\x28\x8f\xf7\xd5" "\xfd\xab\x4f\xbd\x58\x7d\x8f\x72\x1e\xf5\x7a\x0f\x04\xb1\x3a\x7d\xc0\xa9" "\x81\x28\x00\x14\xb4\x6f\x39\x78\x68\xe2\xc5\x06\x84\x91\xd7\x99\x96\xc4" "\x05\xf5\xd7\x3a\x27\x21\x6f\xab\x65\xa0\x4d\xb6\x4b\x97\x7a\x83\x23\x36" "\x98\xfa\x2e\x55\x7f\x83\xdb\x0f\x31\xc7\xf2\x27\xbb\xc3\xa4\xc8\x8b\x69" "\xf4\x8c\x59\xfd\xcd\x2f\x26\x4c\x66\xea\xc7\xcc\xde\x70\xb1\x43\x7c\xc2" "\x38\x99\xa0\x11\x72\x30\x26\x8d\x44\xe3\xe3\x9d\xbc\x86\xb7\xeb\xdf\x56" "\xd0\xb5\xa8\x40\xf3\x2e\x9a\x68\x22\x92\xf0\x22\x02\xcd\xb9\x1a\x3a\x11" "\xb2\xb7\x84\x51\xff\xae\x5d\xdd\xe3\x3c\x4c\x56\x0e\x17\x5c\x1e\xff\x0e" "\xac\x00\x5c\x97\x03\xcb\xe5\xe8\x45\xb6\x0a\x07\x96\x74\x60\x9e\x80\x92" "\x1d\x45\x3b\x6d\xa5\x28\x22\x63\xa6\x0a\xf3\x7f\xfb\x89\x0f\x3a\xc6\xb7" "\x05\x94\xba\xd8\x4a\xc9\x3d\xb8\x3a\xa4\x52\x59\x13\x57\x19\x39\x67\x9f" "\x15\xac\x71\xbe\xb0\x5d\xcb\xed\x02\xc7\x9a\x35\x43\x04\xe8\x68\x15\x41" "\x6a\x11\xd6\x72\x9a\xd0\x4d\x44\x8b\xbb\xb1\xfc\x80\x97\x8b\xb7\x53\xee" "\x6a\x50\xaf\xd2\x55\x79\x08\x9d\xb7\xc9\x97\xb7\x1e\x2d\x0a\x53\xc9\xf1" "\x14\x2c\x4e\x55\x37\xc5\x8d\xa6\xbb\xac\x31\x86\xb0\x50\xe1\x77\xc3\x00" "\x96\x0c\x50\x37\xe9\x43\x0f\xb1\x3b\x3d\xf9\xa8\x12\xc5\x65\xf8\x00\x00" "\x00\x00\x00\x00\x1c\x24\x82\x4e\x08\xae\x49\xbf\x08\x1e\x1e\x9b\x5f\x04" "\x87\xef\xbc\xf5\x4d\x8d\x40\xb2\xbb\x62\x8f\xd5\x1d\xb7\x04\xb5\xa6\x76" "\x10", 1801); *(uint64_t*)0x2000b028 = 0x720; *(uint32_t*)0x2000b030 = 0; syscall(__NR_sendmsg, r[0], 0x2000b000, 0x2000c000); *(uint64_t*)0x20001f00 = 0; *(uint32_t*)0x20001f08 = 0; *(uint64_t*)0x20001f10 = 0x20000280; *(uint64_t*)0x20000280 = 0x20000000; *(uint64_t*)0x20000288 = 0; *(uint64_t*)0x20000290 = 0x20000080; *(uint64_t*)0x20000298 = 0; *(uint64_t*)0x200002a0 = 0x200000c0; *(uint64_t*)0x200002a8 = 0; *(uint64_t*)0x200002b0 = 0x20000180; memcpy((void*)0x20000180, "\xfb\x1c\x16\xb9\xf7\x88\x68\x34\x7e\x76\xef\x63\x61\x6c\x74\x05\x63" "\x38\x31\xd9\x7c\x29\x51\xdd\x5c\x6f\xc4\xd9\x45\x03\x14\xe1\xb9\xbe" "\x21\x4a\x03\x24\x1f\x47\x31\x5e\xb5\x6e\x44\x83\x76\x1a\x49\x9a\xf3" "\xee\x30\xab\x8b\x86\xaf\x7c\x19\x48\x39\xe6\xb2\x65\x2d\xa3\x98\x8b" "\x45\xce\xe8\x66\x12\x84\xd8\x81\x05\xf7\xbc\xee\xbb\x54\xb3\x4f\x3e" "\xce\xe5\x47\x49\x18\x43\x6a\x14\xa6\x0a\x4b\x16\x29\x83\x55\xa1\x9a" "\xe5\x5f\x17\xeb\xda\xbc\xe6\xd2\x1f\x57\x56\x11\x5c\xc0\xac\xd1\xee" "\x9b\xa9\x39\x37\x2b\x6e\x8d\xcb\xf8\xac\xb6\x7d\x1c\x7a\xe5\x8d\x41" "\xdf\x8f\xc0\xa8\x25\x59\xc9\x01\xf7\x5c\x1f\xe7\x9f\x23\x04\x39\xdc" "\x53\x2e\xf5\x69\x26\xb4\x2d\x56\x53\x14\x20\xa6\x48\x63\x3e\xd5\x8b" "\x34\xec\xff\xdc\x61\xa4\x1c\xfb\x52\x09\xdf\xe3\xed\x96\x82\xf0\x69" "\xd7\xe6\x4a\x1c\xa4\x56\xdd\x98\x45\x84\x32\x1a\xeb\xdc\x04\x2f\x6e" "\x9f\xc3", 206); *(uint64_t*)0x200002b8 = 0xce; *(uint64_t*)0x20001f18 = 4; *(uint64_t*)0x20001f20 = 0x200002c0; *(uint64_t*)0x200002c0 = 0x10; *(uint32_t*)0x200002c8 = 0x10a; *(uint32_t*)0x200002cc = 2; *(uint64_t*)0x20001f28 = 0x10; *(uint32_t*)0x20001f30 = 0x4044050; *(uint32_t*)0x20001f38 = 0xf2; *(uint64_t*)0x20001f40 = 0x20000380; *(uint16_t*)0x20000380 = 0x18; *(uint32_t*)0x20000382 = 1; *(uint32_t*)0x20000386 = 0; *(uint32_t*)0x2000038a = r[0]; *(uint32_t*)0x2000038e = 4; *(uint32_t*)0x20000392 = 3; *(uint32_t*)0x20000396 = 1; *(uint32_t*)0x2000039a = 3; *(uint16_t*)0x2000039e = 0xa; *(uint16_t*)0x200003a0 = htobe16(0x4e21); *(uint32_t*)0x200003a2 = 0x1e; *(uint8_t*)0x200003a6 = 0; *(uint8_t*)0x200003a7 = 0; *(uint8_t*)0x200003a8 = 0; *(uint8_t*)0x200003a9 = 0; *(uint8_t*)0x200003aa = 0; *(uint8_t*)0x200003ab = 0; *(uint8_t*)0x200003ac = 0; *(uint8_t*)0x200003ad = 0; *(uint8_t*)0x200003ae = 0; *(uint8_t*)0x200003af = 0; *(uint8_t*)0x200003b0 = 0; *(uint8_t*)0x200003b1 = 0; *(uint8_t*)0x200003b2 = 0; *(uint8_t*)0x200003b3 = 0; *(uint8_t*)0x200003b4 = 0; *(uint8_t*)0x200003b5 = 0; *(uint32_t*)0x200003b6 = 7; *(uint32_t*)0x20001f48 = 0x3a; *(uint64_t*)0x20001f50 = 0x20000580; *(uint64_t*)0x20000580 = 0x200003c0; *(uint64_t*)0x20000588 = 0; *(uint64_t*)0x20000590 = 0x200004c0; *(uint64_t*)0x20000598 = 0; *(uint64_t*)0x200005a0 = 0x20000500; *(uint64_t*)0x200005a8 = 0; *(uint64_t*)0x20001f58 = 3; *(uint64_t*)0x20001f60 = 0x200005c0; *(uint64_t*)0x200005c0 = 0x10; *(uint32_t*)0x200005c8 = 0x10c; *(uint32_t*)0x200005cc = 1; *(uint64_t*)0x200005d0 = 0x10; *(uint32_t*)0x200005d8 = 0x1ff; *(uint32_t*)0x200005dc = 5; *(uint64_t*)0x200005e0 = 0x10; *(uint32_t*)0x200005e8 = 0x3a; *(uint32_t*)0x200005ec = 0xffffffb4; *(uint64_t*)0x200005f0 = 0x10; *(uint32_t*)0x200005f8 = 0x11f; *(uint32_t*)0x200005fc = 0; *(uint64_t*)0x20000600 = 0x10; *(uint32_t*)0x20000608 = 0x29; *(uint32_t*)0x2000060c = 0x85; *(uint64_t*)0x20001f68 = 0x50; *(uint32_t*)0x20001f70 = 0x20000040; *(uint32_t*)0x20001f78 = 7; *(uint64_t*)0x20001f80 = 0x20001780; *(uint16_t*)0x20001780 = 4; *(uint16_t*)0x20001782 = htobe16(3); *(uint32_t*)0x20001784 = htobe32(8); memcpy((void*)0x20001788, "\xab\x05\x60\x2e\xe2\x01", 6); *(uint8_t*)0x2000178e = 1; *(uint8_t*)0x2000178f = 0; *(uint32_t*)0x20001f88 = 0x10; *(uint64_t*)0x20001f90 = 0x20001b40; *(uint64_t*)0x20001b40 = 0x200017c0; *(uint64_t*)0x20001b48 = 0; *(uint64_t*)0x20001b50 = 0x20001880; *(uint64_t*)0x20001b58 = 0; *(uint64_t*)0x20001b60 = 0x20001900; *(uint64_t*)0x20001b68 = 0; *(uint64_t*)0x20001b70 = 0x200019c0; *(uint64_t*)0x20001b78 = 0; *(uint64_t*)0x20001b80 = 0x20001a00; *(uint64_t*)0x20001b88 = 0; *(uint64_t*)0x20001b90 = 0x20001ac0; *(uint64_t*)0x20001b98 = 0; *(uint64_t*)0x20001f98 = 6; *(uint64_t*)0x20001fa0 = 0x20001bc0; *(uint64_t*)0x20001bc0 = 0x10; *(uint32_t*)0x20001bc8 = 0x119; *(uint32_t*)0x20001bcc = 5; *(uint64_t*)0x20001bd0 = 0x10; *(uint32_t*)0x20001bd8 = 0x11e; *(uint32_t*)0x20001bdc = 1; *(uint64_t*)0x20001be0 = 0x10; *(uint32_t*)0x20001be8 = 0x1ff; *(uint32_t*)0x20001bec = 0xffffff65; *(uint64_t*)0x20001bf0 = 0x10; *(uint32_t*)0x20001bf8 = 0x10e; *(uint32_t*)0x20001bfc = 0; *(uint64_t*)0x20001c00 = 0x10; *(uint32_t*)0x20001c08 = 0x10d; *(uint32_t*)0x20001c0c = 9; *(uint64_t*)0x20001c10 = 0x10; *(uint32_t*)0x20001c18 = 0x18a; *(uint32_t*)0x20001c1c = 0x370; *(uint64_t*)0x20001fa8 = 0x60; *(uint32_t*)0x20001fb0 = 0x40; *(uint32_t*)0x20001fb8 = 1; syscall(__NR_sendmmsg, r[0], 0x20001f00, 3, 0x20000080); } int main() { syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0); loop(); return 0; }