// https://syzkaller.appspot.com/bug?id=56cf4647f2fcfab696676adc5c54ad870dfd605d // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include static unsigned long long procid; static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); pthread_attr_setstacksize(&attr, 128 << 10); int i = 0; for (; i < 100; i++) { if (pthread_create(&th, &attr, fn, arg) == 0) { pthread_attr_destroy(&attr); return; } if (errno == EAGAIN) { usleep(50); continue; } break; } exit(1); } typedef struct { int state; } event_t; static void event_init(event_t* ev) { ev->state = 0; } static void event_reset(event_t* ev) { ev->state = 0; } static void event_set(event_t* ev) { if (ev->state) exit(1); __atomic_store_n(&ev->state, 1, __ATOMIC_RELEASE); syscall(SYS_futex, &ev->state, FUTEX_WAKE | FUTEX_PRIVATE_FLAG, 1000000); } static void event_wait(event_t* ev) { while (!__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, 0); } static int event_isset(event_t* ev) { return __atomic_load_n(&ev->state, __ATOMIC_ACQUIRE); } static int event_timedwait(event_t* ev, uint64_t timeout) { uint64_t start = current_time_ms(); uint64_t now = start; for (;;) { uint64_t remain = timeout - (now - start); struct timespec ts; ts.tv_sec = remain / 1000; ts.tv_nsec = (remain % 1000) * 1000 * 1000; syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, &ts); if (__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) return 1; now = current_time_ms(); if (now - start > timeout) return 0; } } static bool write_file(const char* file, const char* what, ...) { char buf[1024]; va_list args; va_start(args, what); vsnprintf(buf, sizeof(buf), what, args); va_end(args); buf[sizeof(buf) - 1] = 0; int len = strlen(buf); int fd = open(file, O_WRONLY | O_CLOEXEC); if (fd == -1) return false; if (write(fd, buf, len) != len) { int err = errno; close(fd); errno = err; return false; } close(fd); return true; } #define MAX_FDS 30 #define USB_MAX_IFACE_NUM 4 #define USB_MAX_EP_NUM 32 #define USB_MAX_FDS 6 struct usb_endpoint_index { struct usb_endpoint_descriptor desc; int handle; }; struct usb_iface_index { struct usb_interface_descriptor* iface; uint8_t bInterfaceNumber; uint8_t bAlternateSetting; uint8_t bInterfaceClass; struct usb_endpoint_index eps[USB_MAX_EP_NUM]; int eps_num; }; struct usb_device_index { struct usb_device_descriptor* dev; struct usb_config_descriptor* config; uint8_t bDeviceClass; uint8_t bMaxPower; int config_length; struct usb_iface_index ifaces[USB_MAX_IFACE_NUM]; int ifaces_num; int iface_cur; }; struct usb_info { int fd; struct usb_device_index index; }; static struct usb_info usb_devices[USB_MAX_FDS]; static int usb_devices_num; static bool parse_usb_descriptor(const char* buffer, size_t length, struct usb_device_index* index) { if (length < sizeof(*index->dev) + sizeof(*index->config)) return false; memset(index, 0, sizeof(*index)); index->dev = (struct usb_device_descriptor*)buffer; index->config = (struct usb_config_descriptor*)(buffer + sizeof(*index->dev)); index->bDeviceClass = index->dev->bDeviceClass; index->bMaxPower = index->config->bMaxPower; index->config_length = length - sizeof(*index->dev); index->iface_cur = -1; size_t offset = 0; while (true) { if (offset + 1 >= length) break; uint8_t desc_length = buffer[offset]; uint8_t desc_type = buffer[offset + 1]; if (desc_length <= 2) break; if (offset + desc_length > length) break; if (desc_type == USB_DT_INTERFACE && index->ifaces_num < USB_MAX_IFACE_NUM) { struct usb_interface_descriptor* iface = (struct usb_interface_descriptor*)(buffer + offset); index->ifaces[index->ifaces_num].iface = iface; index->ifaces[index->ifaces_num].bInterfaceNumber = iface->bInterfaceNumber; index->ifaces[index->ifaces_num].bAlternateSetting = iface->bAlternateSetting; index->ifaces[index->ifaces_num].bInterfaceClass = iface->bInterfaceClass; index->ifaces_num++; } if (desc_type == USB_DT_ENDPOINT && index->ifaces_num > 0) { struct usb_iface_index* iface = &index->ifaces[index->ifaces_num - 1]; if (iface->eps_num < USB_MAX_EP_NUM) { memcpy(&iface->eps[iface->eps_num].desc, buffer + offset, sizeof(iface->eps[iface->eps_num].desc)); iface->eps_num++; } } offset += desc_length; } return true; } static struct usb_device_index* add_usb_index(int fd, const char* dev, size_t dev_len) { int i = __atomic_fetch_add(&usb_devices_num, 1, __ATOMIC_RELAXED); if (i >= USB_MAX_FDS) return NULL; if (!parse_usb_descriptor(dev, dev_len, &usb_devices[i].index)) return NULL; __atomic_store_n(&usb_devices[i].fd, fd, __ATOMIC_RELEASE); return &usb_devices[i].index; } static struct usb_device_index* lookup_usb_index(int fd) { for (int i = 0; i < USB_MAX_FDS; i++) { if (__atomic_load_n(&usb_devices[i].fd, __ATOMIC_ACQUIRE) == fd) return &usb_devices[i].index; } return NULL; } struct vusb_connect_string_descriptor { uint32_t len; char* str; } __attribute__((packed)); struct vusb_connect_descriptors { uint32_t qual_len; char* qual; uint32_t bos_len; char* bos; uint32_t strs_len; struct vusb_connect_string_descriptor strs[0]; } __attribute__((packed)); static const char default_string[] = {8, USB_DT_STRING, 's', 0, 'y', 0, 'z', 0}; static const char default_lang_id[] = {4, USB_DT_STRING, 0x09, 0x04}; static bool lookup_connect_response_in(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, struct usb_qualifier_descriptor* qual, char** response_data, uint32_t* response_length) { struct usb_device_index* index = lookup_usb_index(fd); uint8_t str_idx; if (!index) return false; switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_GET_DESCRIPTOR: switch (ctrl->wValue >> 8) { case USB_DT_DEVICE: *response_data = (char*)index->dev; *response_length = sizeof(*index->dev); return true; case USB_DT_CONFIG: *response_data = (char*)index->config; *response_length = index->config_length; return true; case USB_DT_STRING: str_idx = (uint8_t)ctrl->wValue; if (descs && str_idx < descs->strs_len) { *response_data = descs->strs[str_idx].str; *response_length = descs->strs[str_idx].len; return true; } if (str_idx == 0) { *response_data = (char*)&default_lang_id[0]; *response_length = default_lang_id[0]; return true; } *response_data = (char*)&default_string[0]; *response_length = default_string[0]; return true; case USB_DT_BOS: *response_data = descs->bos; *response_length = descs->bos_len; return true; case USB_DT_DEVICE_QUALIFIER: if (!descs->qual) { qual->bLength = sizeof(*qual); qual->bDescriptorType = USB_DT_DEVICE_QUALIFIER; qual->bcdUSB = index->dev->bcdUSB; qual->bDeviceClass = index->dev->bDeviceClass; qual->bDeviceSubClass = index->dev->bDeviceSubClass; qual->bDeviceProtocol = index->dev->bDeviceProtocol; qual->bMaxPacketSize0 = index->dev->bMaxPacketSize0; qual->bNumConfigurations = index->dev->bNumConfigurations; qual->bRESERVED = 0; *response_data = (char*)qual; *response_length = sizeof(*qual); return true; } *response_data = descs->qual; *response_length = descs->qual_len; return true; default: break; } break; default: break; } break; default: break; } return false; } typedef bool (*lookup_connect_out_response_t)( int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done); static bool lookup_connect_response_out_generic( int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done) { switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_SET_CONFIGURATION: *done = true; return true; default: break; } break; } return false; } #define UDC_NAME_LENGTH_MAX 128 struct usb_raw_init { __u8 driver_name[UDC_NAME_LENGTH_MAX]; __u8 device_name[UDC_NAME_LENGTH_MAX]; __u8 speed; }; enum usb_raw_event_type { USB_RAW_EVENT_INVALID = 0, USB_RAW_EVENT_CONNECT = 1, USB_RAW_EVENT_CONTROL = 2, }; struct usb_raw_event { __u32 type; __u32 length; __u8 data[0]; }; struct usb_raw_ep_io { __u16 ep; __u16 flags; __u32 length; __u8 data[0]; }; #define USB_RAW_EPS_NUM_MAX 30 #define USB_RAW_EP_NAME_MAX 16 #define USB_RAW_EP_ADDR_ANY 0xff struct usb_raw_ep_caps { __u32 type_control : 1; __u32 type_iso : 1; __u32 type_bulk : 1; __u32 type_int : 1; __u32 dir_in : 1; __u32 dir_out : 1; }; struct usb_raw_ep_limits { __u16 maxpacket_limit; __u16 max_streams; __u32 reserved; }; struct usb_raw_ep_info { __u8 name[USB_RAW_EP_NAME_MAX]; __u32 addr; struct usb_raw_ep_caps caps; struct usb_raw_ep_limits limits; }; struct usb_raw_eps_info { struct usb_raw_ep_info eps[USB_RAW_EPS_NUM_MAX]; }; #define USB_RAW_IOCTL_INIT _IOW('U', 0, struct usb_raw_init) #define USB_RAW_IOCTL_RUN _IO('U', 1) #define USB_RAW_IOCTL_EVENT_FETCH _IOR('U', 2, struct usb_raw_event) #define USB_RAW_IOCTL_EP0_WRITE _IOW('U', 3, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP0_READ _IOWR('U', 4, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP_ENABLE _IOW('U', 5, struct usb_endpoint_descriptor) #define USB_RAW_IOCTL_EP_DISABLE _IOW('U', 6, __u32) #define USB_RAW_IOCTL_EP_WRITE _IOW('U', 7, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP_READ _IOWR('U', 8, struct usb_raw_ep_io) #define USB_RAW_IOCTL_CONFIGURE _IO('U', 9) #define USB_RAW_IOCTL_VBUS_DRAW _IOW('U', 10, __u32) #define USB_RAW_IOCTL_EPS_INFO _IOR('U', 11, struct usb_raw_eps_info) #define USB_RAW_IOCTL_EP0_STALL _IO('U', 12) #define USB_RAW_IOCTL_EP_SET_HALT _IOW('U', 13, __u32) #define USB_RAW_IOCTL_EP_CLEAR_HALT _IOW('U', 14, __u32) #define USB_RAW_IOCTL_EP_SET_WEDGE _IOW('U', 15, __u32) static int usb_raw_open() { return open("/dev/raw-gadget", O_RDWR); } static int usb_raw_init(int fd, uint32_t speed, const char* driver, const char* device) { struct usb_raw_init arg; strncpy((char*)&arg.driver_name[0], driver, sizeof(arg.driver_name)); strncpy((char*)&arg.device_name[0], device, sizeof(arg.device_name)); arg.speed = speed; return ioctl(fd, USB_RAW_IOCTL_INIT, &arg); } static int usb_raw_run(int fd) { return ioctl(fd, USB_RAW_IOCTL_RUN, 0); } static int usb_raw_event_fetch(int fd, struct usb_raw_event* event) { return ioctl(fd, USB_RAW_IOCTL_EVENT_FETCH, event); } static int usb_raw_ep0_write(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP0_WRITE, io); } static int usb_raw_ep0_read(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP0_READ, io); } static int usb_raw_ep_enable(int fd, struct usb_endpoint_descriptor* desc) { return ioctl(fd, USB_RAW_IOCTL_EP_ENABLE, desc); } static int usb_raw_ep_disable(int fd, int ep) { return ioctl(fd, USB_RAW_IOCTL_EP_DISABLE, ep); } static int usb_raw_configure(int fd) { return ioctl(fd, USB_RAW_IOCTL_CONFIGURE, 0); } static int usb_raw_vbus_draw(int fd, uint32_t power) { return ioctl(fd, USB_RAW_IOCTL_VBUS_DRAW, power); } static int usb_raw_ep0_stall(int fd) { return ioctl(fd, USB_RAW_IOCTL_EP0_STALL, 0); } static void set_interface(int fd, int n) { struct usb_device_index* index = lookup_usb_index(fd); if (!index) return; if (index->iface_cur >= 0 && index->iface_cur < index->ifaces_num) { for (int ep = 0; ep < index->ifaces[index->iface_cur].eps_num; ep++) { int rv = usb_raw_ep_disable( fd, index->ifaces[index->iface_cur].eps[ep].handle); if (rv < 0) { } else { } } } if (n >= 0 && n < index->ifaces_num) { for (int ep = 0; ep < index->ifaces[n].eps_num; ep++) { int rv = usb_raw_ep_enable(fd, &index->ifaces[n].eps[ep].desc); if (rv < 0) { } else { index->ifaces[n].eps[ep].handle = rv; } } index->iface_cur = n; } } static int configure_device(int fd) { struct usb_device_index* index = lookup_usb_index(fd); if (!index) return -1; int rv = usb_raw_vbus_draw(fd, index->bMaxPower); if (rv < 0) { return rv; } rv = usb_raw_configure(fd); if (rv < 0) { return rv; } set_interface(fd, 0); return 0; } #define USB_MAX_PACKET_SIZE 4096 struct usb_raw_control_event { struct usb_raw_event inner; struct usb_ctrlrequest ctrl; char data[USB_MAX_PACKET_SIZE]; }; struct usb_raw_ep_io_data { struct usb_raw_ep_io inner; char data[USB_MAX_PACKET_SIZE]; }; static volatile long syz_usb_connect_impl(uint64_t speed, uint64_t dev_len, const char* dev, const struct vusb_connect_descriptors* descs, lookup_connect_out_response_t lookup_connect_response_out) { if (!dev) { return -1; } int fd = usb_raw_open(); if (fd < 0) { return fd; } if (fd >= MAX_FDS) { close(fd); return -1; } struct usb_device_index* index = add_usb_index(fd, dev, dev_len); if (!index) { return -1; } char device[32]; sprintf(&device[0], "dummy_udc.%llu", procid); int rv = usb_raw_init(fd, speed, "dummy_udc", &device[0]); if (rv < 0) { return rv; } rv = usb_raw_run(fd); if (rv < 0) { return rv; } bool done = false; while (!done) { struct usb_raw_control_event event; event.inner.type = 0; event.inner.length = sizeof(event.ctrl); rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event); if (rv < 0) { return rv; } if (event.inner.type != USB_RAW_EVENT_CONTROL) continue; char* response_data = NULL; uint32_t response_length = 0; struct usb_qualifier_descriptor qual; if (event.ctrl.bRequestType & USB_DIR_IN) { if (!lookup_connect_response_in(fd, descs, &event.ctrl, &qual, &response_data, &response_length)) { usb_raw_ep0_stall(fd); continue; } } else { if (!lookup_connect_response_out(fd, descs, &event.ctrl, &done)) { usb_raw_ep0_stall(fd); continue; } response_data = NULL; response_length = event.ctrl.wLength; } if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD && event.ctrl.bRequest == USB_REQ_SET_CONFIGURATION) { rv = configure_device(fd); if (rv < 0) { return rv; } } struct usb_raw_ep_io_data response; response.inner.ep = 0; response.inner.flags = 0; if (response_length > sizeof(response.data)) response_length = 0; if (event.ctrl.wLength < response_length) response_length = event.ctrl.wLength; response.inner.length = response_length; if (response_data) memcpy(&response.data[0], response_data, response_length); else memset(&response.data[0], 0, response_length); if (event.ctrl.bRequestType & USB_DIR_IN) { rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response); } else { rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response); } if (rv < 0) { return rv; } } sleep_ms(200); return fd; } static volatile long syz_usb_connect(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { uint64_t speed = a0; uint64_t dev_len = a1; const char* dev = (const char*)a2; const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3; return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_generic); } static long syz_open_dev(volatile long a0, volatile long a1, volatile long a2) { if (a0 == 0xc || a0 == 0xb) { char buf[128]; sprintf(buf, "/dev/%s/%d:%d", a0 == 0xc ? "char" : "block", (uint8_t)a1, (uint8_t)a2); return open(buf, O_RDWR, 0); } else { char buf[1024]; char* hash; strncpy(buf, (char*)a0, sizeof(buf) - 1); buf[sizeof(buf) - 1] = 0; while ((hash = strchr(buf, '#'))) { *hash = '0' + (char)(a1 % 10); a1 /= 10; } return open(buf, a2, 0); } } static void kill_and_wait(int pid, int* status) { kill(-pid, SIGKILL); kill(pid, SIGKILL); for (int i = 0; i < 100; i++) { if (waitpid(-1, status, WNOHANG | __WALL) == pid) return; usleep(1000); } DIR* dir = opendir("/sys/fs/fuse/connections"); if (dir) { for (;;) { struct dirent* ent = readdir(dir); if (!ent) break; if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0) continue; char abort[300]; snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort", ent->d_name); int fd = open(abort, O_WRONLY); if (fd == -1) { continue; } if (write(fd, abort, 1) < 0) { } close(fd); } closedir(dir); } else { } while (waitpid(-1, status, __WALL) != pid) { } } static void setup_test() { prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); setpgrp(); write_file("/proc/self/oom_score_adj", "1000"); } static void setup_sysctl() { char mypid[32]; snprintf(mypid, sizeof(mypid), "%d", getpid()); struct { const char* name; const char* data; } files[] = { {"/sys/kernel/debug/x86/nmi_longest_ns", "10000000000"}, {"/proc/sys/kernel/hung_task_check_interval_secs", "20"}, {"/proc/sys/net/core/bpf_jit_kallsyms", "1"}, {"/proc/sys/net/core/bpf_jit_harden", "0"}, {"/proc/sys/kernel/kptr_restrict", "0"}, {"/proc/sys/kernel/softlockup_all_cpu_backtrace", "1"}, {"/proc/sys/fs/mount-max", "100"}, {"/proc/sys/vm/oom_dump_tasks", "0"}, {"/proc/sys/debug/exception-trace", "0"}, {"/proc/sys/kernel/printk", "7 4 1 3"}, {"/proc/sys/kernel/keys/gc_delay", "1"}, {"/proc/sys/vm/oom_kill_allocating_task", "1"}, {"/proc/sys/kernel/ctrl-alt-del", "0"}, {"/proc/sys/kernel/cad_pid", mypid}, }; for (size_t i = 0; i < sizeof(files) / sizeof(files[0]); i++) { if (!write_file(files[i].name, files[i].data)) printf("write to %s failed: %s\n", files[i].name, strerror(errno)); } } struct thread_t { int created, call; event_t ready, done; }; static struct thread_t threads[16]; static void execute_call(int call); static int running; static void* thr(void* arg) { struct thread_t* th = (struct thread_t*)arg; for (;;) { event_wait(&th->ready); event_reset(&th->ready); execute_call(th->call); __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED); event_set(&th->done); } return 0; } static void execute_one(void) { int i, call, thread; for (call = 0; call < 5; call++) { for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) { struct thread_t* th = &threads[thread]; if (!th->created) { th->created = 1; event_init(&th->ready); event_init(&th->done); event_set(&th->done); thread_start(thr, th); } if (!event_isset(&th->done)) continue; event_reset(&th->done); th->call = call; __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED); event_set(&th->ready); event_timedwait(&th->done, 50 + (call == 2 ? 3000 : 0)); break; } } for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++) sleep_ms(1); } static void execute_one(void); #define WAIT_FLAGS __WALL static void loop(void) { int iter = 0; for (;; iter++) { int pid = fork(); if (pid < 0) exit(1); if (pid == 0) { setup_test(); execute_one(); exit(0); } int status = 0; uint64_t start = current_time_ms(); for (;;) { if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) break; sleep_ms(1); if (current_time_ms() - start < 5000) continue; kill_and_wait(pid, &status); break; } } } uint64_t r[1] = {0xffffffffffffffff}; void execute_call(int call) { intptr_t res = 0; switch (call) { case 0: memcpy((void*)0x20000000, "/dev/usbmon#\000", 13); res = -1; res = syz_open_dev(0x20000000, 0, 0x1a02); if (res != -1) r[0] = res; break; case 1: syscall(__NR_mmap, 0x20000000ul, 0x800000ul, 0x1800003ul, 0x11ul, r[0], 0ul); break; case 2: memcpy( (void*)0x20000040, "\x12\x01\x00\x00\x00\x00\x18\x10\x5e\x04\xda\x07\x00\x00\x00\x00\x00" "\x01\x09\x02\x24\x00\x01\x00\x00\x00\x00\x09\x04\x00\x00\x09\x03\x00" "\x00\x00\x09\x21\x00\x00\x00\x01\x22\x22\x00\x09\x05\x81\x03\x08", 50); syz_usb_connect(0, 0x36, 0x20000040, 0); break; case 3: *(uint32_t*)0x20001940 = r[0]; *(uint64_t*)0x20001948 = 0; *(uint64_t*)0x20001950 = 2; *(uint64_t*)0x20001958 = 0x78; *(uint64_t*)0x20001960 = 0x200018c0; *(uint64_t*)0x200018c0 = 1; *(uint64_t*)0x200018c8 = 6; *(uint64_t*)0x200018d0 = 0x200; *(uint64_t*)0x200018d8 = 2; *(uint64_t*)0x200018e0 = 4; *(uint64_t*)0x200018e8 = 0x8b58; *(uint64_t*)0x200018f0 = 9; *(uint64_t*)0x200018f8 = 5; *(uint64_t*)0x20001900 = 8; *(uint64_t*)0x20001908 = 0x4c; *(uint64_t*)0x20001910 = 0x100; *(uint64_t*)0x20001918 = 0x100000000; *(uint64_t*)0x20001920 = 3; *(uint64_t*)0x20001928 = 1; *(uint64_t*)0x20001930 = 5; memcpy( (void*)0x20001978, "\x48\xc4\x3a\xea\x3a\x62\xa4\xc6\x0c\x02\x7a\x91\xbf\x05\x09\xe4\xc1" "\xaa\xe5\xb0\xa6\x06\xd3\x57\xc3\x42\xc3\x24\x56\x5d\xba\x3b\x40\x89" "\xd7\xda\xf2\x7f\x27\x53\xa5\x06\xf4\x3d\x74\x4c\x24\xdc\x0f\xf8\x8c" "\x74\xa0\xdb\x47\x4b\x9f\xce\x5e\xc7\xe4\x56\x43\xcf\x25\x07\x71\x7f" "\xb2\x3e\x2d\x73\xf7\xc8\x2d\x72\x40\x59\x2f\x67\xcc\xd5\x5c\xfd\xd7" "\x2a\x69\x78\xf5\x2f\xc3\x94\x09\x46\xe2\xfa\x7c\x22\x48\xb9\x41\xa5" "\xa0\x1f\xc7\x22\x7a\x9c\x43\x81\xe7\xc9\x2c\xcf\x69\x06\x2e\xf9\x9b" "\x18\x47\xab\xdb\xe3\x6c\x25\x39\x3a\xb3\xfc\xc3\x7f\x23\x4f\x63\x3a" "\xa3\x96\xba\xe3\x23\x8b\x4a\xe2\xd0\xfa\xe0\x20\x47\x36\xec\xde\x52" "\x24\x77\xf7\xbf\xb6\x37\x58\x72\xf1\x05\x4d\x4d\x74\x53\x6f\x38\x8d" "\x04\x5f\x85\x05\x62\x75\xe4\x51\xb5\x91\xff\xc4\x2c\x4e\x25\xc9\xeb" "\xa7\xc8\xc7\x6a\x41\x00\x6b\x83\x7e\xa3\x91\xff\xa3\xac\x8f\xa5\xce" "\xa7\x29\x54\xd1\x29\x25\x87\xd7\x79\xbb\x81\x6f\x63\xac\x7d\x1f\x76" "\x93\x7d\xdb\x03\x42\x3e\x72\x29\x43\xb7\x3f\x47\xbc\x3d\x3a\x11\x69" "\x0f\xd4\x0d\xfd\x8b\xb3\xe6\x7a\xcc\x37\xdf\xca\x70\xc5\xa7\x03\x74" "\x62\xf2\x81\x5b\xd0\xa2\x81\xae\x93\x56\x05\x11\x6f\x24\xd9\x4f\xbb" "\xcb\x8f\xa7\x88\x3c\xf2\x58\xc5\x5d\x25\xcb\x0a\x51\x87\xff\x09\xf0" "\x19\xb8\xe7\x05\xf0\x1d\x0f\x1a\x41\x21\xfd\xc0\x8e\xd2\x26\x64\xbc" "\xf8\x67\x6e\x13\x36\x00\x54\xd4\x68\x24\xa2\xef\x27\x1c\x94\x83\x5f" "\xc4\x47\xee\x03\xaa\x19\x6c\x0b\x9d\xec\xf4\xb7\x21\x6e\x6f\xd8\xd9" "\x5e\x1f\x78\x23\xc2\x31\x48\x28\xfc\x8c\x38\x3c\x52\x35\xd3\x38\xbc" "\xc0\x91\xb0\x47\xd7\x2d\xc4\xba\xd2\xc8\x3c\x86\x70\x43\xac\xba\xa4" "\xf7\x55\x4d\x20\x85\x4b\xc8\x6d\x49\x39\x39\xb5\x72\x8a\x2e\xa7\xc6" "\x00\x7a\xc3\xdf\x54\xbb\x4a\x2b\xcd\x69\x26\xce\xcc\x91\xa6\x72\x18" "\xbb\x56\x68\x38\x32\xe0\x41\x86\xb8\x30\x98\x1c\x56\xd8\x1e\xea\x11" "\xaa\xac\x6d\x7c\xd3\xbc\x33\x65\x8f\xe1\x0c\x6e\x97\x76\x17\xf8\x4f" "\xf0\x12\x9d\xbe\x04\xdb\x1f\x4e\x01\xef\xe3\x17\x00\xcb\x59\x3a\x68" "\xf0\x07\xc1\xb1\xf2\x49\x28\xea\xed\xbd\xca\xdd\x6f\xbb\xb9\x2e\xf6" "\xce\x11\x15\xfb\x2a\x50\xd9\x90\x61\x28\x10\xb2\x1b\xe6\x92\x5a\x56" "\x27\x20\xf5\x4b\x94\xcd\x23\x9e\x99\x2a\x7e\x72\x14\x13\x1d\x12\xd1" "\xcc\x14\x66\x3e\xf1\x92\xb9\xfa\x6c\x2a\xa4\x82\xbf\x48\xe2\x79\x7f" "\x4b\x6b\x65\x30\xa0\x56\x80\xa8\x3d\xb0\x9c\x44\xf6\x8f\x46\xbf\x94" "\xee\xa6\x48\x44\xa1\xa9\x2a\x80\x92\xc1\x0c\x6f\x1b\x07\x84\x1c\x40" "\x41\xb5\xd8\x42\x7d\xb2\xd7\xc7\xe4\x1d\x50\x8a\xda\xf4\xb6\x0e\x4a" "\x54\xbf\x97\xbb\x52\x93\x19\x40\xe6\x98\xec\xe8\x90\x58\xc6\x82\xb0" "\x75\x27\xbe\x0b\xa2\x8d\x4c\xfa\xef\x4d\x53\x4b\x00\xe5\xa8\x59\x12" "\x3b\x02\xe6\x84\x25\x3c\xc3\x08\x2e\x05\x71\xfa\xe7\x38\xe6\x79\x3e" "\x90\x18\x54\xf3\x0b\xfc\x83\x21\x75\x0d\x09\xc6\x5d\x4a\x35\x2b\xe1" "\xf7\x9d\x5b\x42\x5d\xf9\x98\xed\x4a\x59\x31\xc6\x2a\x12\x66\x76\xf3" "\x65\xcf\xd8\x8b\xc3\xab\xff\x19\x51\xd4\xda\xa6\x80\x0a\xbe\x1a\x6a" "\xe1\xe8\xc8\xa8\x91\x62\x48\x0d\x5c\x15\x2e\x70\x47\xbf\x51\x14\x1a" "\xd4\x3e\xb5\xb3\x5e\xce\x39\x55\xae\x49\x23\xb2\x0f\xb6\x3d\x39\x73" "\xec\x33\x94\x84\x87\x31\xaa\x89\x55\x2f\xe9\x7e\x2f\x48\x76\x34\x1e" "\xd4\x16\x40\xfc\x64\xef\x0c\xa7\x0d\x3c\x21\x05\x81\x05\x75\x9c\x52" "\x82\x19\xf4\xe5\xf5\x0a\x70\x20\xc6\x4d\x06\x62\xd7\x93\xde\x52\x10" "\x8d\x7f\x92\xe6\x50\xe1\x1b\x98\xf2\x09\x62\x0b\x76\x73\x99\x23\x74" "\x46\xb1\x66\x1b\xd0\xf0\x56\xe5\x49\x92\xf3\x8f\x2a\x87\x10\x4d\xbb" "\x80\xb6\xef\xe3\xd3\x31\x56\x23\x55\xcd\x55\x6a\xec\x1f\xe3\x17\xe9" "\xb9\x75\x7d\xc2\x00\x22\x18\x8d\x2c\x10\xe1\x82\x03\x98\xe3\x87\x5e" "\x7f\xb3\xdf\x1c\xfa\xbd\xf9\x93\x04\x1f\x2f\xba\x9a\xae\x01\xb3\x99" "\xfe\x3b\x3a\x64\xf3\x32\x5d\x8a\x05\x8d\x9b\x61\x4b\x83\xda\x22\x53" "\x52\xf7\xd5\x51\x62\xa8\x9f\xbb\x1f\xc9\x9c\x0e\x16\x90\x8d\x30\x96" "\x04\x93\xc8\x43\xa9\xf1\x47\x15\x8f\x2d\x0f\x62\x14\x9f\x20\xeb\x6a" "\x5c\x9f\x32\x96\x14\x08\xbc\x11\xf4\x9b\x72\xc5\xbe\xc5\xb9\x49\x62" "\xe2\x4c\x71\xc4\x66\x00\xe9\xbf\x09\xde\xdd\x90\x8b\x71\x00\x69\x20" "\x0c\xd2\xda\x76\x78\xb8\x62\x20\x87\xc0\xac\xb4\x05\xa0\x83\xe1\xdd" "\x9b\x2a\x11\xc5\x35\xca\x9e\x9a\x43\x30\x4d\xea\x30\xd8\x70\x98\xeb" "\x47\x98\xf9\x87\x7b\x9b\x54\xa9\x98\x5a\x03\xc7\xaa\x64\x04\x5e\xbf" "\xbe\xb4\xa1\xdd\xbd\xc1\xe7\x1d\x14\x83\xd7\xaf\x7f\xaa\x0c\x55\x89" "\xda\x1e\x41\x0d\x66\x8b\xbd\xd8\x39\xb4\xaf\x39\xc0\xd8\x6e\xae\xce" "\x33\xc3\xa0\xac\x16\x8e\x27\xc6\xf9\xe5\x37\x18\x0c\x83\x00\x5a\x25" "\xcd\xc0\xe4\x22\xc8\x5d\x50\xb3\x0e\x09\x01\xb2\xfc\x88\x10\x57\x28" "\x50\x66\x00\x67\x0a\xb3\x08\x57\xb0\xa3\xcd\x5c\x80\x31\x49\xc1\x40" "\x04\xa8\xa1\xdc\xa1\x9e\x0f\xc5\xde\x0e\xfb\x4c\x39\xfe\x34\xdf\x42" "\x3a\x93\x06\xde\xea\x10\xd5\x34\x74\xbf\x6b\x37\xaa\x23\x8e\x2e\x1b" "\x2b\xa2\x52\x78\x46\x78\x2f\x0e\xa7\x22\x32\x01\x87\xaf\x15\x3f\xa5" "\x2c\xb7\x35\xa6\x8f\x97\xb5\x1d\xd2\xe8\x07\x1b\xac\xb7\xe8\x0b\xc2" "\xa9\xd3\x9f\x13\x02\xfe\xed\x95\x4a\x65\x89\x31\xfd\xbd\xd8\xd2\xd2" "\x3f\x2e\x14\x5b\x04\xb6\x61\x63\x1c\x14\x4a\x4f\xa3\xc9\x78\x62\x69" "\x1d\x33\x66\x17\xb4\x65\x93\x97\x05\xab\xa9\xbd\x19\x7e\x5d\x75\x9b" "\xf5\xfc\x8c\x58\x5c\x53\xe9\x7a\x18\xd0\x61\x8d\x06\xb2\x2f\x0c\x0c" "\xae\x58\xcc\xca\xc3\xcb\x04\x63\x06\x30\x1a\xbf\xef\x07\x86\x07\x07" "\x1a\x5f\x32\x40\xca\xa6\xc5\x85\xd3\x2a\xaa\x8c\x7a\x48\x2c\x64\xa3" "\xe7\xca\xba\x6e\x95\x84\x61\xb2\xf4\xce\x86\xe5\xbe\x47\xc0\x46\xbc" "\xb8\x57\xa2\xeb\x37\xee\x88\x12\x30\x7a\xfa\xca\x14\x4f\x83\x97\x19" "\x34\xd9\x38\x93\xe1\x40\x32\x3e\xe3\xf8\xce\x19\x1b\xa9\xa1\x16\x3f" "\x30\x7b\xd0\xfc\xc1\x44\xfe\x6e\x86\x4a\xf9\x51\xed\x4b\x39\xb4\xb9" "\xf4\x06\x16\x93\x6b\xeb\x0f\x5f\x6a\x4c\x43\x75\x9e\x2f\x1c\x95\xdf" "\x59\xfb\xf0\x55\x96\xf3\x32\x37\x9f\x26\xd7\xeb\x30\x96\x72\x46\x26" "\x2f\x11\x50\xae\x19\xc2\xa3\x91\xcb\x54\xab\x4e\xce\x52\xf2\x19\xd5" "\x4c\xaa\xb3\xcd\x2c\xf1\x73\xac\xc7\x52\x11\x7c\xc4\x29\xb5\x74\x7f" "\xfd\x47\x3a\x44\x81\xa9\x84\xa5\x81\x40\x46\xa7\x47\x38\x15\x30\x0f" "\x95\x83\x9c\x7f\x38\x83\x27\xdf\xa5\xe3\x36\xc2\x9c\x63\xa6\xcc\xdf" "\xf4\x00\xf6\xf5\xe0\x58\x69\xda\xb5\x2e\x7d\x73\xea\x73\x3b\x9a\xd2" "\xf4\x57\xbc\x41\x6b\xe6\x39\x64\xfb\x00\x9b\xa8\xce\x57\xa8\x94\x5d" "\x26\x17\xc7\x6b\x37\xe3\x1f\x2d\x45\x06\x5e\x42\xbb\x54\xb8\xc2\x69" "\xcd\x53\x86\x91\xe5\xf8\xb4\x34\xfd\xf3\xf3\xb4\xe0\xfd\x88\x81\x6f" "\xb4\x4d\x14\xeb\x93\x60\xda\x1a\xf4\x93\x61\xb0\xc3\x83\xd0\xc9\xb1" "\xf8\x61\x74\xc2\x6e\xd9\x08\xd9\x25\xf3\x15\x14\xe8\x1a\x7b\xc3\x78" "\xac\xa4\xdb\xaf\x0a\x08\x4a\x1f\x77\xad\x17\xe8\xc7\x0a\xb9\x84\xac" "\xbc\xa2\x16\xab\xca\x15\x7f\x13\x84\x30\xe3\x1a\xd6\xe6\x2a\xf9\x0f" "\xd2\x97\xfa\xc0\x53\x8e\xf4\x37\xde\x67\xda\xab\xb5\x45\xba\x66\x4b" "\x0a\xce\x16\x14\x2c\x0f\x2f\x2f\x47\xf7\xe2\xe4\x98\x86\x45\xc1\x2f" "\x54\x48\xb0\xae\xed\x6f\xb3\xba\xc3\x6e\xab\x02\x34\x53\xd1\xfa\x52" "\xa1\x41\x19\x04\xd9\x6e\xa3\xb2\xe2\xab\x7c\x61\xc6\x4f\xd8\x7f\xac" "\xb2\xed\xea\x8a\x62\xc8\xfc\x64\x69\x39\x02\x79\x81\x91\xf2\x9e\x30" "\x64\x74\x71\xac\xb2\x63\x0a\x80\x2f\xc8\xad\x37\x49\x85\x0e\xd8\x3d" "\xdd\x4d\xfa\x49\x4d\x83\x5c\x80\x2e\x92\x98\x6e\xf8\xae\x39\x7d\x3b" "\xc3\x9e\xda\x4d\x22\x06\xdf\xa8\x10\xef\xa4\x76\xc7\x45\x04\x82\x6e" "\x7d\x03\xc5\xd5\x03\xdc\xa5\xa3\xd8\xea\x0d\xbf\xad\x7d\x79\x1a\x85" "\xe3\xca\x8b\x31\x00\xd6\x1d\xe3\x87\x89\x2f\xb7\xd4\x71\xa9\x21\xdb" "\xd5\x56\x25\x6e\x8d\x6a\xe4\xa6\xdc\x5b\x46\x04\x6f\x73\x8a\x5e\x51" "\x01\x82\x70\x59\x7a\xed\x14\x61\xeb\xe6\xfe\xb5\x5e\xb3\x9d\x9c\x83" "\x6e\xa2\xe3\x5e\x51\x1c\x91\xd7\xd8\xcc\x66\x33\xef\xf2\x97\x2b\xce" "\x67\x5a\xc4\x91\xd6\xb8\x29\xac\xa2\x9d\x56\x7f\x31\x1c\x80\x93\x77" "\xde\x3f\x3b\xe1\x5a\xb3\xc5\x64\x9d\xd5\x23\xb2\xde\xc3\x97\x11\xe1" "\xff\xa5\x1c\x2f\x7c\x2c\xa3\x85\xc6\xb4\x3d\xef\xc9\x2f\xb2\xf5\xbc" "\xdb\xd6\xfb\x00\xf0\x6e\x4e\xe4\x3f\x64\x6e\xe1\xc5\x14\x78\xfa\x31" "\xf2\xcf\x54\xe9\x3e\xd6\x9c\xaa\x78\x74\x5b\x86\xcc\x63\x41\xb4\x56" "\xb4\xb5\xfb\xa4\x7d\x74\x54\x72\x01\x84\xb4\x67\xbb\x8b\xf5\xbd\x32" "\x41\x29\x53\x49\x7e\xd3\x38\xb7\x01\x65\x42\x95\x96\x9f\x87\x6b\x61" "\xed\xe4\x2c\xce\x82\x31\xe1\x17\x0d\x0a\x50\x41\xa9\xfc\x62\xef\x60" "\x74\x62\xe3\xf7\xf7\xab\xb5\xf7\xcc\x69\x7c\x66\x2b\x50\x9b\xa1\x43" "\x29\xed\xad\x64\x96\x90\xf8\xfb\xb0\x4a\x28\x78\xc8\xf3\x9f\x8f\x14" "\x2f\xf5\xd5\x79\x73\xfa\xf1\x10\x3e\x82\x35\xcb\xa6\xd8\x95\xb3\x9b" "\x30\x21\x94\x90\x29\xaf\x2a\x73\xf5\xcb\x03\xe2\x0c\x57\x31\x47\x46" "\x76\x56\x76\x53\x84\x11\x53\xe1\x0c\x3d\xfe\xaf\xb5\x1b\xab\xed\xa3" "\x84\x5a\xfb\xa7\xaf\xd3\x11\x2c\xdf\xf2\x8b\x56\x9a\xf2\x0f\x0a\x97" "\xd4\x28\x61\x16\x3c\xb0\xaf\xb0\xc4\x91\xb2\xdd\xaa\x5e\xaa\x92\x7c" "\xdc\xd8\x7d\x99\x8c\xce\x8f\x7c\x4b\x13\x67\x39\x28\x46\xaf\xd9\x96" "\xb4\xa0\xbe\xc0\x91\x72\x60\xf7\x03\x4b\x32\xb3\xa5\x48\xe3\xec\xcb" "\x5b\xfe\x6c\x81\xe7\xb9\xf6\x80\xb9\x55\x97\x8c\x80\x31\x49\x29\xf7" "\xd9\xb3\xda\x19\x22\x6f\xe0\x83\x83\x4f\x35\xad\xa4\x17\x43\x9e\x88" "\x1d\xb5\xf1\xef\x93\x52\x1e\x11\x68\x0f\x2e\x1f\xda\x27\x88\x3a\x68" "\x0a\xfb\xa8\x7a\xdd\x54\xeb\x85\xc4\xf4\x37\xd4\x33\x71\x3e\xf0\xbe" "\x5e\xff\xd5\x73\x52\x94\x5c\x1b\x7d\xba\x09\x60\x24\x5d\xa1\xa1\x88" "\x47\xc1\x3d\xd7\x7a\x62\xee\x0f\x9d\x2c\x5e\x52\x68\x2e\x99\x47\xbf" "\xf0\xe2\x1b\x0a\x35\x5c\xdc\x96\x5c\xc7\x71\x9b\x4c\x78\x12\x77\x1c" "\x70\xa3\x92\x2a\xef\xda\x90\x4d\x7d\x11\x2a\xac\xbb\x74\x00\x4a\x8f" "\xb3\xdc\xa7\x71\xd2\x41\x93\x2c\x4e\x81\x45\x7a\x19\x09\x0c\xa3\x68" "\x82\xd2\xa7\xb7\x25\xef\x5c\xb7\x5f\x17\x02\xe2\x7d\x93\xc3\x1f\x15" "\x63\x2d\x85\xfe\xc9\x2b\x28\xab\x05\xe8\x69\x33\x46\x80\xc8\xde\xf9" "\xaa\x81\xd7\xa6\x1b\x31\x48\x9c\x66\x1a\x16\x3c\x8c\x02\x15\xf5\x3b" "\x26\xe1\xda\x29\x39\x47\x42\x09\xdb\x19\x6f\xc6\x19\x38\xcd\x5c\x2c" "\x9d\xb4\xd1\x72\x05\xe1\x27\x76\xf5\xc9\x14\x20\x5b\xad\x23\x7f\x96" "\x59\x81\x7b\x56\x83\x9a\x8d\x3c\xfa\xc4\x2e\xed\x1c\xf2\xd2\xe1\xda" "\x6d\xd1\x83\x46\x4a\xc1\x2a\x34\x68\xad\x6c\x0d\x89\xfb\x6d\x51\x7a" "\x35\x40\xa4\x49\xdd\x2e\xbd\x65\xf3\x44\xb4\xe8\x8d\x02\xa2\xa2\xa3" "\xe4\xee\x14\xc5\xff\x21\x25\x3f\x37\x20\xeb\xb9\x1b\x47\xfb\xa2\xf0" "\xa5\xae\x8d\xc9\xbc\xfa\x86\x0e\x04\xff\x3a\xfc\x87\x34\xec\x19\x11" "\x20\x34\xa7\x4a\x17\x33\xd3\x1c\xa1\x45\x87\xaf\xb2\x72\xad\x20\x4b" "\x71\x24\x63\x72\x48\x75\x47\x3a\xdf\x14\xcc\xea\x5f\xc9\x79\xd1\x1d" "\xb4\xea\x47\x04\x8b\xb7\x51\xb8\x3f\x50\x21\x1b\x2d\x3e\x29\x99\x38" "\x2d\x3e\xc7\x5a\x6f\xa3\x3e\xa2\xaa\xd5\xc2\xa2\x8e\x1b\xcd\xfc\xb5" "\xf3\x0c\x4d\x0a\x9e\x4a\x61\x5d\xb1\xbf\xc5\x80\x60\x71\x6f\xa5\xc7" "\x03\x07\x4f\xa9\xf5\x86\xa9\x4e\xb8\x44\x3f\x77\xbc\x43\x5c\x56\x22" "\x3c\xbb\x89\xa9\x1d\x68\x85\xf2\x57\xe7\x83\x64\xcf\x62\xbf\x92\xa2" "\x46\x45\x44\x92\x08\x19\x6d\xd2\xa8\x68\xd8\xca\xa8\xa9\x63\xc0\xd6" "\xa5\x5f\x78\xa3\x0f\x97\x98\x74\xec\x02\xbc\x5a\x65\x7a\xb0\x79\x8c" "\xcc\x1f\xdc\x8b\x74\x61\xbf\x0a\xfd\x7a\xa8\x83\xf5\x0e\x0d\x46\xd0" "\x27\x8f\xc4\x10\xf5\x3b\xac\xcd\x4f\x8b\x7c\xaf\x51\x7c\x42\xb4\xa8" "\x45\x83\xf5\x70\x21\x87\x7d\x99\x94\x2b\x0c\x74\x64\x73\x68\x26\x65" "\xec\xc0\xb3\x90\x84\x48\x70\xdf\x50\x14\x9b\x10\x92\xe4\xf7\x14\x01" "\x4e\x46\x6c\x84\x3b\x68\x84\x57\x58\x03\x4e\x4c\xbd\xb6\x64\xb8\xdf" "\x54\x94\x9e\xd9\x57\xb2\xfe\xcf\x9d\xe1\xb2\x68\x95\xf3\xc4\x94\x2f" "\xbe\x35\x2a\xd8\xdd\x24\x33\xae\x55\xb4\xd9\xd1\xb1\x27\xf3\xac\xab" "\x84\x81\x2c\xab\x96\x4a\xe7\x79\x64\x84\x31\x52\x0a\xb0\xdf\x2f\x08" "\x05\x68\xa4\x1c\xc8\xdf\x01\xc8\x6c\x28\x3e\xc3\xc4\x13\xa4\x93\xf4" "\x8d\x95\x6d\xca\x54\xc1\x64\xf6\xcf\x82\xef\xa9\x38\xe2\x2f\x19\x2d" "\x8b\x4b\x50\x2f\x69\x9e\xc3\x18\xc9\x33\x0f\x2b\xac\x89\xc3\x47\xd9" "\x0a\xde\x91\x11\xff\xd5\x1e\x94\xcf\xef\xaf\x84\xdf\x5f\x46\xe3\xf7" "\x5c\x60\x23\xcc\x63\xfe\xe7\xcd\xab\x59\xe5\xc7\xbe\x7e\x81\x34\xd0" "\x84\x2b\xca\x27\xd5\x7c\xba\xed\x20\xf1\x2f\x42\x54\xb1\x7d\xca\xc7" "\xfe\x23\xdb\xa1\x5a\x79\xb5\xb9\x4a\xbb\xdf\xf4\x3a\x4b\x3c\x8d\xaf" "\xb0\x36\xad\xf6\xb5\x39\x43\x53\xe8\xed\x4c\x4b\x0d\x42\x22\x21\x4c" "\xcd\x5f\x4c\x2b\x0d\xba\xdc\xd9\x13\x0a\x1e\x11\x05\xc8\xb6\xc5\x6c" "\xc0\x83\x47\x23\x27\xf7\x1d\x2a\x60\x13\xaa\x91\x13\x7e\x01\x40\x7d" "\xd4\x6d\x2f\xfa\x59\x8b\xbb\xc3\x1a\x5c\x0a\x05\x1e\xe5\x4a\x0f\x41" "\x97\x35\x5d\x1a\xab\x9a\x84\xfd\xe2\x65\x0a\xd6\x37\x73\xbe\x21\x4e" "\x48\x90\x50\x48\x9d\xab\x2f\x9e\x8f\x25\x60\x7a\xe9\x71\x87\xd7\xbd" "\xc0\x7b\x0a\x94\xa2\x6b\xd2\x59\x7d\xc1\x61\x49\xc1\x16\x6e\x1a\x17" "\xc9\x4c\x72\x24\x9d\x0b\x11\x4f\xa0\x27\x96\xb3\x3e\x83\xab\x3a\xf6" "\x6c\xae\xb5\x95\x58\x03\x58\x71\x75\xd2\xd6\xab\x88\x4b\x55\x29\x0c" "\x36\xc2\xcd\x98\x60\x7d\xc8\x8f\xca\x0e\xcb\xe2\xa8\xb2\x27\x6a\x92" "\x15\xb3\xd4\xa5\xea\x40\x7a\x80\x3d\xcb\x25\xdf\x4f\xe6\x70\xf9\xd5" "\x28\x11\x59\x55\x2f\xa4\x9b\x4a\x4d\xb5\x4d\x21\x4b\xe1\x31\x0e\x5f" "\x0d\xdd\xfa\x33\x56\x86\x85\xd1\x07\x7c\x0f\xfb\xf5\x03\xc3\xb9\x2b" "\x6c\xa4\x9a\x02\xe1\x30\xe9\x46\x96\x25\x2b\x03\x7c\xa8\xc5\x85\xbf" "\x87\xd6\xe4\x09\x78\xf6\x97\xe7\x2b\x4a\x8b\x67\x6f\x93\x78\xd8\x3a" "\x6b\x3d\xc5\x86\x76\x1c\x1b\x43\xd5\x18\xb7\x95\xe8\x46\x99\x47\x2c" "\xf9\x11\x94\x5e\xb5\x7b\xba\xa4\xc4\x58\x92\x13\x4e\x15\x91\xcb\x16" "\xd2\x76\xae\x04\x6f\x4c\x31\x99\x1c\x70\x60\x41\x4e\xc0\x51\x5f\xe3" "\xd4\x45\x75\x9e\x0a\xaa\x5b\xec\x8c\x20\xa5\x4d\xd8\x58\xc3\x94\x49" "\x97\x42\x40\xd7\x63\x31\x55\x63\x6d\x7e\x1c\xe0\xab\x7d\x5d\xee\x1e" "\xd9\x2f\xa9\x4a\x1c\x67\xf5\xea\x77\x92\xdf\x96\xa3\x57\x50\x49\x96" "\xb0\x08\x9a\x4e\xc3\x45\x2f\x24\xac\x9d\x6c\x31\xa2\x78\x36\x97\xcc" "\xf9\x6d\x48\x5a\x1f\x1e\x1b\x24\xd6\xbf\x75\x0a\x8e\x45\x0b\xdf\x3c" "\x9e\x46\xe5\x06\x50\xa9\x80\x75\xc3\x09\x4d\xfb\x9f\xff\x36\x3c\xbe" "\x3f\xdd\x8d\x05\xa9\xf4\x13\xea\x55\x6c\xe7\xd7\xf9\xcf\xb8\xd9\x65" "\x75\xbb\x1a\x26\x9c\xae\xc9\x86\x45\x2f\xc6\xaa\x36\x3c\x50\x00\xc1" "\x45\x13\x82\x72\x87\x9c\xa8\x10\x74\x01\x5f\x55\x9e\x84\x11\x49\xd6" "\xf9\x5b\xbf\xae\x0a\x08\x75\x4c\x72\x40\x62\xf9\xa5\xcc\x0d\xdc\xa4" "\xa9\xf4\x56\x5f\xb8\x88\xd9\x90\x81\xe7\xac\x17\x00\x5d\xa8\xdf\x81" "\x0b\x6e\x6c\x06\x2b\x1f\xf3\xad\x5a\x3b\xb8\x1f\x91\x11\x16\x8f\xda" "\x80\xec\xcc\xb4\x8c\x68\xa0\xd0\xca\x5b\x63\xb9\xf3\xbb\xe3\xa7\x42" "\xd8\x2f\x55\x8f\xba\x86\x47\xc8\xcd\x99\x5f\x91\x9f\xc6\xd8\xab\x46" "\x02\x18\xa5\x63\x4e\x65\xff\x9a\x04\x0b\x3b\x89\x70\xae\x38\x5d\x2f" "\x15\xba\x43\x5a\x5e\x55\x14\xf0\x17\x9e\xa4\x30\xc6\x7a\x8b\x79\x34" "\x5f\x8e\x33\x96\x90\x39\xed\xb0\x9e\x0a\xeb\x6d\x4c\xfb\x34\x64\xee" "\xc2\x4c\xfb\x8a\x92\x42\x26\x8f\xaf\xa9\x0c\xcc\x91\xe2\x2b\x54\xa4" "\x58\x1c\x83\x92\x37\x69\xb2\x02\x2c\x99\xb3\x2b\x64\x03\xa3\x7b\x56" "\x50\x8d\xe2\xae\x58\xe2\x57\x34\xed\x62\x63\xd8\xf1\x25\xc0\x59\xbf" "\xc3\x16\x97\xa9\x6d\xca\xb0\x2f\xa2\xd8\x00\xf3\xde\xfc\x74\x06\x39" "\xc7\x59\x0a\x00\x63\x5b\xaf\x9f\x5a\x0e\x18\x8f\x92\xd4\x5d\x51\xe7" "\x59\xc4\xda\x6f\x6b\xb4\xca\x4a\x5e\x13\x8e\x36\x20\x8a\x1f\x00\x77" "\x10\xa4\x59\xaa\x4b\xfd\x29\xb2\xf8\xcd\x06\x84\x6a\xb1\x47\xe4\xa3" "\x2d\x17\x6d\xff\x33\xe8\xe5\x6a\x26\xe2\x1c\x76\x1f\xea\xf7\x36\xe6" "\xe2\x0a\xab\x60\xd6\xa0\xbb\xb4\xd0\x1e\x7a\x59\x66\x53\x82\xa2\x35" "\xa8\x01\x65\xcc\x32\x8e\x34\x61\xdb\xd7\x10\xb8\x4e\xc3\x2b\x41\x3f" "\xfe\xd4\xfe\x37\x15\xf6\x01\x9c\x5f\x81\xa5\x4b\x34\x44\xe5\xbb\x79" "\x1a\xfb\x6d\x0a\x7f\xb2\x47\xef\xb7\x3a\x54\x39\xe1\x04\x15\x38\xd6" "\xe6\x73\x79\xa2\x45\x07\xa7\x93\xa9\xfe\xa7\xbf\x9f\x7d\xc1\x0b\x02" "\xcc\x87\xe9\xad\xdf\x5e\x61\xf5\x9e\xc7\xc4\x67\xf6\x14\x49\x3a\x3e" "\x5f\xfe\x00\xda\x7f\x89\x58\x90\x99\xdc\x24\x64\xb8\x9d\x5e\x95\xf2" "\x2a\xf6\x76\x5f\xe0\x1b\xa1\x5c\x43\x17\xe2\x25\xd8\x89\xc1\xbb\xdb" "\x0b\xde\x90\xd1\xa3\x4a\xd8\x0e\xd6\x48\xf0\x38\xc5\xa2\x76\x89\x0a" "\x1f\x12\xc1\x48\xea\xc9\x7c\x01\x17\xbd\x65\xca\xfe\xdb\xb1\xa8\xea" "\xa3\x82\x27\xff\x1f\xb9\x23\xa5\xf5\x3f\xc1\x46\xad\x37\x9a\x5e\x64" "\x6a\x1f\x03\x24\xc9\x13\x17\x88\x88\x65\x6c\x49\x8a\x20\x3c\x4c\x69" "\x6a\x1c\xbc\x78\x7e\x80\x3c\x5b\x1c\xb8\xfc\x37\x68\xc2\x7e\xa7\x6e" "\x4f\x4e\xae\x52\x02\x4a\x4a\x6e\xa1\xae\x5d\x25\xe6\x29\x24\x6e\xc3" "\xbd\x3f\xc9\x05\x48\xb8\x2f\xcb\x2b\x2e\x65\xd3\x7d\xd8\xfa\xa1\x04" "\xc1\x49\x3c\x44\xbf\xa9\xf2\x74\xaf\x32\xc2\x58\x15\x65\xd0\xfd\x86" "\x90\x62\x80\x6e\x69\x24\x9c\x5b\xb4\x06\x5a\x39\x98\x43\xe1\x88\x4c" "\x29\xbb\xec\xba\x39\x19\x66\x2d\x30\x93\xb0\x75\x2d\x09\xdd\x52\xde" "\xee\xc7\x5a\x44\x66\xdb\xa0\x37\xd8\xb0\x82\x67\x90\x48\xc6\x57\x42" "\x16\xc3\x0b\xe1\x0b\xde\x07\xe6\x74\xc8\x83\x2b\x33\x3c\xc3\xc4\x42" "\xdf\x5b\xc0\xec\xe3\xa7\x01\x4d\x60\xb7\xdb\x4c\x68\x94\xd4\x21\xc3" "\x8a\xa6\x17\x6a\x94\x8b\x76\x61\x53\x46\xa6\x46\x72\x65\x80\x50\x65" "\x5d\x53\xab\x5b\x16\x37\xa9\xe9\xa1\xb0\x6c\xfe\xe5\xa4\x6a\x12\x22" "\x5a\xca\xc7\x41\xba\x44\xd4\x94\x18\x26\xbf\x25\xfd\x07\xde\x50\x75" "\x62\x53\xa7\x5d\x6a\x03\xdc\x78\xd5\xae\xf4\x37\x3a\xde\x48\xd9\xd7" "\x6f\x1f\xad\xc5\x53\x25\x53\xec\xb0\x4f\x1a\x94\xdf\xb8\x1f\x0b\x07" "\x3f\xb7\x73\x3e\x9d\xc3\xe9\xea\x1f\x81\xb8\xf5\xa6\x3b\x6a\x31\xef" "\x9e\x57\xcf\xa1\x2e\xb5\x80\x63\x84\xbc\xca\x5b\x0c\xd6\x1c\xc7\xde" "\xac\x91\xac\x6b\x21\x8a\x4c\xcd\x3d\x47\x0c\xa1\x8f\x85\x45\x10\xdf" "\xd7\x01\x51\xda\xec\xb5\x76\xae\x71\x45\x29\xb4\x76\x74\x0b\xd3\xc6" "\xa6\x14\x74\xb6\x68\xac\x90\x20\xf1\xeb\x88", 4040); syscall(__NR_ioctl, -1, 0x50009417, 0x20001940ul); break; case 4: syscall(__NR_ioctl, r[0], 0x9208, 6ul); break; } } int main(void) { syscall(__NR_mmap, 0x1ffff000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul); syscall(__NR_mmap, 0x20000000ul, 0x1000000ul, 7ul, 0x32ul, -1, 0ul); syscall(__NR_mmap, 0x21000000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul); setup_sysctl(); for (procid = 0; procid < 6; procid++) { if (fork() == 0) { loop(); } } sleep(1000000); return 0; }