// https://syzkaller.appspot.com/bug?id=1557fb40b5ed0a1ed2ba18268e04da194674d770
// autogenerated by syzkaller (http://github.com/google/syzkaller)
//
// Syzkaller reproducer harness. This part of the file is the generic runtime
// that every generated reproducer carries: exit/fail helpers, the bit-field
// store macro, a ones'-complement checksum helper, scratch-directory setup,
// a device-open helper, recursive cleanup of the scratch tree, the
// fork-per-iteration driver and the thread pool that dispatches the
// syscalls. The syscall program itself (execute_call) follows further down.
//
// NOTE(review): the header names after each #include below were lost when
// this listing was extracted; they must be restored from the original
// reproducer before this file can be built.

#define _GNU_SOURCE

#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include

// Terminates the whole process (all threads) with the given exit status.
// The spin loop after the syscall only exists so the function can carry
// the noreturn attribute; control never reaches it unless exit_group fails.
__attribute__((noreturn)) static void doexit(int status)
{
  volatile unsigned i;
  syscall(__NR_exit_group, status);
  for (i = 0;; i++) {
  }
}

#include
#include
#include
#include
#include
#include
#include

// Exit statuses reported to the syzkaller manager: 67 = hard failure of
// the harness, 69 = transient failure that is worth retrying.
const int kFailStatus = 67;
const int kRetryStatus = 69;

// Prints a printf-style message plus the errno captured on entry to stderr,
// then exits. ENOMEM/EAGAIN are treated as transient (kRetryStatus); any
// other errno yields kFailStatus.
// msg is used directly as a format string; every call site in this file
// passes a string literal, and callers must keep doing so.
static void fail(const char* msg, ...)
{
  int e = errno; // capture before vfprintf/fprintf can clobber it
  va_list args;
  va_start(args, msg);
  vfprintf(stderr, msg, args);
  va_end(args);
  fprintf(stderr, " (errno %d)\n", e);
  doexit((e == ENOMEM || e == EAGAIN) ? kRetryStatus : kFailStatus);
}

// Same reporting as fail(), but always exits with kRetryStatus. Used by the
// cleanup code, where a failure is never attributed to the test program.
static void exitf(const char* msg, ...)
{
  int e = errno;
  va_list args;
  va_start(args, msg);
  vfprintf(stderr, msg, args);
  va_end(args);
  fprintf(stderr, " (errno %d)\n", e);
  doexit(kRetryStatus);
}

// BITMASK_LEN(type, n): a `type` value with the low n bits set.
// Shifting 1ull by 64 or more is undefined behaviour, so bf_len must stay
// below 64; the callers in this file use widths of at most 35.
#define BITMASK_LEN(type, bf_len) (type)((1ull << (bf_len)) - 1)

// BITMASK_LEN_OFF(type, off, n): the same mask shifted up by off bits.
#define BITMASK_LEN_OFF(type, bf_off, bf_len) \
  (type)(BITMASK_LEN(type, (bf_len)) << (bf_off))

// STORE_BY_BITMASK(type, addr, val, off, n): writes the low n bits of val
// into bits [off, off+n) of the `type` object at addr, leaving the other
// bits untouched. The special case off == 0 && n == 0 means "store the
// whole value". Used below to assemble packed kernel ABI structs
// (e.g. perf_event_attr) field by field.
// Note that the expansion is a bare if/else rather than do { } while (0):
// the `;` after each use is an empty statement, so the macro must not be
// used as the un-braced body of an `if` that is followed by an `else`.
#define STORE_BY_BITMASK(type, addr, val, bf_off, bf_len) \
  if ((bf_off) == 0 && (bf_len) == 0) { \
    *(type*)(addr) = (type)(val); \
  } else { \
    type new_val = *(type*)(addr); \
    new_val &= ~BITMASK_LEN_OFF(type, (bf_off), (bf_len)); \
    new_val |= ((type)(val)&BITMASK_LEN(type, (bf_len))) << (bf_off); \
    *(type*)(addr) = new_val; \
  }

// Running ones'-complement sum (the IP/TCP/UDP/ICMP checksum). `acc` is
// kept folded to 16 bits after every update.
struct csum_inet {
  uint32_t acc;
};

// Resets the accumulator so a new checksum can be computed.
static void csum_inet_init(struct csum_inet* csum)
{
  csum->acc = 0;
}

// Adds `length` bytes at `data` to the running sum and folds the carries.
// 16-bit words are loaded through a cast pointer in host byte order; the
// trailing odd byte, if any, is added as a bare 16-bit value, which lines
// up with those word loads only on little-endian hosts — TODO confirm the
// intended targets. Note that the cast load is an unaligned/aliasing
// access as far as ISO C is concerned; it is relied on here as in the
// rest of syzkaller's runtime.
static void csum_inet_update(struct csum_inet* csum, const uint8_t* data, size_t length)
{
  if (length == 0)
    return;
  size_t i;
  for (i = 0; i < length - 1; i += 2)
    csum->acc += *(uint16_t*)&data[i];
  if (length & 1)
    csum->acc += (uint16_t)data[length - 1];
  // end-around carry: fold everything above bit 15 back into the low word
  while (csum->acc > 0xffff)
    csum->acc = (csum->acc & 0xffff) + (csum->acc >> 16);
}

// Returns the finished checksum: the complement of the folded sum,
// truncated to 16 bits by the return type.
static uint16_t csum_inet_digest(struct csum_inet* csum)
{
  return ~csum->acc;
}

// Monotonic clock in milliseconds; used for the per-iteration timeout in
// loop(). Exits through fail() if the clock cannot be read.
static uint64_t current_time_ms()
{
  struct timespec ts;
  if (clock_gettime(CLOCK_MONOTONIC, &ts))
    fail("clock_gettime failed");
  return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}

// Creates ./syzkaller.XXXXXX in the current directory, makes it
// world-writable (0777) and chdirs into it. The scratch tree that loop()
// builds per iteration lives under this directory.
static void use_temporary_dir()
{
  char tmpdir_template[] = "./syzkaller.XXXXXX";
  char* tmpdir = mkdtemp(tmpdir_template);
  if (!tmpdir)
    fail("failed to mkdtemp");
  if (chmod(tmpdir, 0777))
    fail("failed to chmod");
  if (chdir(tmpdir))
    fail("failed to chdir");
}

// syzkaller's open-device pseudo-syscall.
//   a0 == 0xc / 0xb: open /dev/char/MAJ:MIN or /dev/block/MAJ:MIN read-write,
//                    with a1/a2 as major/minor, each truncated to 8 bits
//                    (the formatted path is at most 18 bytes, so buf[128]
//                    cannot overflow).
//   otherwise:       a0 is a pointer to a path template; every '#' in it is
//                    replaced by the next decimal digit of a1, least
//                    significant digit first (so "/dev/loop#" with a1 == 0
//                    becomes "/dev/loop0"), and a2 is passed to open() as
//                    the flags. The template is copied with a 1023-byte
//                    bound and explicitly NUL-terminated.
// Returns the open() result (an fd, or -1 on failure).
static uintptr_t syz_open_dev(uintptr_t a0, uintptr_t a1, uintptr_t a2)
{
  if (a0 == 0xc || a0 == 0xb) {
    char buf[128];
    sprintf(buf, "/dev/%s/%d:%d", a0 == 0xc ? "char" : "block", (uint8_t)a1, (uint8_t)a2);
    return open(buf, O_RDWR, 0);
  } else {
    char buf[1024];
    char* hash;
    strncpy(buf, (char*)a0, sizeof(buf) - 1);
    buf[sizeof(buf) - 1] = 0; // strncpy does not guarantee termination
    while ((hash = strchr(buf, '#'))) {
      *hash = '0' + (char)(a1 % 10);
      a1 /= 10;
    }
    return open(buf, a2, 0);
  }
}

// Recursively tears down the per-iteration scratch directory: lazily
// unmounts anything mounted on `dir` or its entries (umount2 MNT_DETACH,
// repeated until it fails), unlinks every entry, then rmdir()s `dir`.
// Entries are examined with lstat(), so symlinks are unlinked rather than
// followed; only real directories are descended into.
// Retry policy: unlink() retries on EBUSY (after another detach) up to
// about 100 times, rmdir() retries on EBUSY up to 100 times, and an
// ENOTEMPTY rmdir() restarts the whole scan (goto retry) up to 100 times.
// EROFS on either call is tolerated and the entry is left in place.
// Any other failure exits the process via exitf(); the DIR handle is not
// closed on those paths, which is fine because the process is ending.
// Note the snprintf() building each child path does not check for
// truncation; a path longer than FILENAME_MAX would be silently cut and
// would then name a different (or nonexistent) entry.
static void remove_dir(const char* dir)
{
  DIR* dp;
  struct dirent* ep;
  int iter = 0;
retry:
  while (umount2(dir, MNT_DETACH) == 0) {
  }
  dp = opendir(dir);
  if (dp == NULL) {
    if (errno == EMFILE) {
      exitf("opendir(%s) failed due to NOFILE, exiting", dir);
    }
    exitf("opendir(%s) failed", dir);
  }
  while ((ep = readdir(dp))) {
    if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0)
      continue;
    char filename[FILENAME_MAX];
    snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name);
    while (umount2(filename, MNT_DETACH) == 0) {
    }
    struct stat st;
    if (lstat(filename, &st))
      exitf("lstat(%s) failed", filename);
    if (S_ISDIR(st.st_mode)) {
      remove_dir(filename);
      continue;
    }
    int i;
    for (i = 0;; i++) {
      if (unlink(filename) == 0)
        break;
      if (errno == EROFS) {
        break;
      }
      if (errno != EBUSY || i > 100)
        exitf("unlink(%s) failed", filename);
      if (umount2(filename, MNT_DETACH))
        exitf("umount(%s) failed", filename);
    }
  }
  closedir(dp);
  int i;
  for (i = 0;; i++) {
    if (rmdir(dir) == 0)
      break;
    if (i < 100) {
      if (errno == EROFS) {
        break;
      }
      if (errno == EBUSY) {
        if (umount2(dir, MNT_DETACH))
          exitf("umount(%s) failed", dir);
        continue;
      }
      if (errno == ENOTEMPTY) {
        if (iter < 100) {
          iter++;
          goto retry;
        }
      }
    }
    exitf("rmdir(%s) failed", dir);
  }
}

// execute_one() runs the generated syscall program once; it is defined
// later in the file (outside this excerpt). procid is defined further down
// as well.
static void execute_one();
extern unsigned long long procid;

// Top-level driver: forever, create ./<iter>, fork a child that runs the
// program inside it, wait for the child with a 5 s timeout, then tear the
// directory down.
// Child side: PR_SET_PDEATHSIG makes the kernel SIGKILL the child if this
// parent dies, and setpgrp() puts it in its own process group so the parent
// can kill the child and everything it spawned with kill(-pid). After the
// program runs the child closes fds 3..29 (a fixed range, not every open
// fd) and exits 0.
// Parent side: polls waitpid(-1, ..., WNOHANG) every 1 ms; results for
// other children are ignored, the loop only ends when `pid` is reaped. Once
// 5 s have elapsed the whole group and the pid are SIGKILLed and the parent
// blocks until the child is reaped.
// The "clone failed" message is historical; the harness uses fork() here.
static void loop()
{
  int iter;
  for (iter = 0;; iter++) {
    char cwdbuf[32]; // "./" + a decimal int always fits
    sprintf(cwdbuf, "./%d", iter);
    if (mkdir(cwdbuf, 0777))
      fail("failed to mkdir");
    int pid = fork();
    if (pid < 0)
      fail("clone failed");
    if (pid == 0) {
      prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
      setpgrp();
      if (chdir(cwdbuf))
        fail("failed to chdir");
      execute_one();
      int fd;
      for (fd = 3; fd < 30; fd++)
        close(fd);
      doexit(0);
    }
    int status = 0;
    uint64_t start = current_time_ms();
    for (;;) {
      int res = waitpid(-1, &status, __WALL | WNOHANG);
      if (res == pid) {
        break;
      }
      usleep(1000);
      if (current_time_ms() - start < 5 * 1000)
        continue;
      kill(-pid, SIGKILL);
      kill(pid, SIGKILL);
      while (waitpid(-1, &status, __WALL) != pid) {
      }
      break;
    }
    remove_dir(cwdbuf);
  }
}

// One worker slot of the dispatch pool.
//   created: the pthread for this slot has been (attempted to be) started
//   running: 1 while a call is assigned to the slot; used as a futex word
//   call:    index of the call the worker should execute
struct thread_t {
  int created, running, call;
  pthread_t th;
};

static struct thread_t threads[16];
// Defined further down as the generated program; declared static here, so
// the later definition without `static` keeps internal linkage.
static void execute_call(int call);
// Number of calls currently handed to workers and not yet finished. Not to
// be confused with the per-slot thread_t::running flag.
static int running;
// When nonzero, every odd-numbered call is dispatched without waiting for
// the previous one, so consecutive calls race each other.
static int collide;

// Worker body. Blocks on the slot's `running` word via FUTEX_WAIT until
// execute() sets it, runs the assigned call, then decrements the global
// `running`, clears the slot and wakes any FUTEX_WAIT in execute().
// Note the FUTEX_WAKE calls (here and in execute()) pass no wake-count
// argument, unlike the FUTEX_WAIT calls which pass all five; whatever the
// third argument register happens to hold is used as the count.
static void* thr(void* arg)
{
  struct thread_t* th = (struct thread_t*)arg;
  for (;;) {
    while (!__atomic_load_n(&th->running, __ATOMIC_ACQUIRE))
      syscall(SYS_futex, &th->running, FUTEX_WAIT, 0, 0);
    execute_call(th->call);
    __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED);
    __atomic_store_n(&th->running, 0, __ATOMIC_RELEASE);
    syscall(SYS_futex, &th->running, FUTEX_WAKE);
  }
  return 0;
}

// Dispatches calls 0..num_calls-1 to the worker pool. For each call the
// first idle slot is taken; its thread is created lazily with a 128 KiB
// stack. The handoff, the optional wait (up to 20 ms, skipped for odd calls
// in collide mode) and the settle-down sleep are in the remainder of this
// function, which continues past this excerpt.
// Review notes on what is visible here:
//  - pthread_create()'s result is ignored and th->created is set before the
//    call, so if creation fails the slot is still treated as a live worker;
//    a call handed to it would then never complete and the global `running`
//    would stay incremented for the rest of this execute() — TODO confirm
//    whether that is acceptable for a one-shot reproducer.
//  - `thread < sizeof(threads) / sizeof(threads[0])` compares an int with a
//    size_t; harmless because `thread` starts at 0 and only grows, but it
//    trips -Wsign-compare.
static void execute(int num_calls)
{
  int call, thread;
  running = 0;
  for (call = 0; call < num_calls; call++) {
    for (thread = 0; thread < sizeof(threads) / sizeof(threads[0]); thread++) {
      struct thread_t* th = &threads[thread];
      if (!th->created) {
        th->created = 1;
        pthread_attr_t attr;
        pthread_attr_init(&attr);
        pthread_attr_setstacksize(&attr, 128 << 10);
        pthread_create(&th->th, &attr, thr, th);
      }
      if (!__atomic_load_n(&th->running, __ATOMIC_ACQUIRE)) {
th->call = call; __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED); __atomic_store_n(&th->running, 1, __ATOMIC_RELEASE); syscall(SYS_futex, &th->running, FUTEX_WAKE); if (collide && call % 2) break; struct timespec ts; ts.tv_sec = 0; ts.tv_nsec = 20 * 1000 * 1000; syscall(SYS_futex, &th->running, FUTEX_WAIT, 1, &ts); if (__atomic_load_n(&running, __ATOMIC_RELAXED)) usleep((call == num_calls - 1) ? 10000 : 1000); break; } } } } #ifndef __NR_memfd_create #define __NR_memfd_create 319 #endif #ifndef __NR_bpf #define __NR_bpf 321 #endif uint64_t r[24] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff}; unsigned long long procid; void execute_call(int call) { long res; switch (call) { case 0: memcpy((void*)0x20000040, "/dev/uinput", 12); res = syscall(__NR_openat, 0xffffffffffffff9c, 0x20000040, 0, 0); if (res != -1) r[0] = res; break; case 1: syscall(__NR_mprotect, 0x20000000, 0x600000, 0xa); break; case 2: syscall(__NR_ioctl, r[0], 0x8004552d, 0x20000180); break; case 3: memcpy((void*)0x20000000, "/dev/snd/seq", 13); syz_open_dev(0x20000000, 0, 0); break; case 4: *(uint64_t*)0x20000080 = 0; syscall(__NR_ioctl, -1, 0x4008af00, 0x20000080); break; case 5: res = syscall(__NR_epoll_create, 1); if (res != -1) r[1] = res; break; case 6: res = syscall(__NR_dup3, -1, -1, 0x80000); if (res != -1) r[2] = res; break; case 7: syscall(__NR_socket, 0x1d, 2, 2); break; case 8: *(uint32_t*)0x20000000 = 0x101; syscall(__NR_ioctl, r[2], 0x5416, 0x20000000); break; case 9: *(uint32_t*)0x200000c0 = 0; *(uint64_t*)0x200000c4 = 0; syscall(__NR_epoll_ctl, -1, 1, -1, 0x200000c0); break; case 10: 
syscall(__NR_socket, 0xa, 1, 0); break; case 11: syscall(__NR_ioctl, -1, 0x8912, 0x20000300); break; case 12: *(uint32_t*)0x20000100 = -1; *(uint32_t*)0x20000104 = 0; *(uint32_t*)0x20000108 = 1; *(uint32_t*)0x2000010c = 7; *(uint64_t*)0x20000110 = 0x20000040; *(uint32_t*)0x20000118 = 2; syscall(__NR_bpf, 0x10, 0x20000100, 0x20); break; case 13: *(uint32_t*)0x2000d000 = 0; *(uint64_t*)0x2000d004 = 0; syscall(__NR_epoll_ctl, r[1], 1, -1, 0x2000d000); break; case 14: *(uint32_t*)0x20000180 = 2; *(uint32_t*)0x20000184 = 0x70; *(uint8_t*)0x20000188 = 0xe5; *(uint8_t*)0x20000189 = 0; *(uint8_t*)0x2000018a = 0; *(uint8_t*)0x2000018b = 0; *(uint32_t*)0x2000018c = 0; *(uint64_t*)0x20000190 = 0; *(uint64_t*)0x20000198 = 0; *(uint64_t*)0x200001a0 = 0; STORE_BY_BITMASK(uint64_t, 0x200001a8, 0, 0, 1); STORE_BY_BITMASK(uint64_t, 0x200001a8, 0, 1, 1); STORE_BY_BITMASK(uint64_t, 0x200001a8, 0, 2, 1); STORE_BY_BITMASK(uint64_t, 0x200001a8, 0, 3, 1); STORE_BY_BITMASK(uint64_t, 0x200001a8, 0, 4, 1); STORE_BY_BITMASK(uint64_t, 0x200001a8, 0x1f, 5, 1); STORE_BY_BITMASK(uint64_t, 0x200001a8, 5, 6, 1); STORE_BY_BITMASK(uint64_t, 0x200001a8, 0, 7, 1); STORE_BY_BITMASK(uint64_t, 0x200001a8, 0, 8, 1); STORE_BY_BITMASK(uint64_t, 0x200001a8, 0, 9, 1); STORE_BY_BITMASK(uint64_t, 0x200001a8, 0, 10, 1); STORE_BY_BITMASK(uint64_t, 0x200001a8, 6, 11, 1); STORE_BY_BITMASK(uint64_t, 0x200001a8, 0, 12, 1); STORE_BY_BITMASK(uint64_t, 0x200001a8, 0, 13, 1); STORE_BY_BITMASK(uint64_t, 0x200001a8, 0, 14, 1); STORE_BY_BITMASK(uint64_t, 0x200001a8, 0, 15, 2); STORE_BY_BITMASK(uint64_t, 0x200001a8, 0, 17, 1); STORE_BY_BITMASK(uint64_t, 0x200001a8, 0, 18, 1); STORE_BY_BITMASK(uint64_t, 0x200001a8, 0, 19, 1); STORE_BY_BITMASK(uint64_t, 0x200001a8, 0, 20, 1); STORE_BY_BITMASK(uint64_t, 0x200001a8, 0, 21, 1); STORE_BY_BITMASK(uint64_t, 0x200001a8, 0, 22, 1); STORE_BY_BITMASK(uint64_t, 0x200001a8, 0, 23, 1); STORE_BY_BITMASK(uint64_t, 0x200001a8, 1, 24, 1); STORE_BY_BITMASK(uint64_t, 0x200001a8, 0, 25, 1); 
STORE_BY_BITMASK(uint64_t, 0x200001a8, 0, 26, 1); STORE_BY_BITMASK(uint64_t, 0x200001a8, 0, 27, 1); STORE_BY_BITMASK(uint64_t, 0x200001a8, 0, 28, 1); STORE_BY_BITMASK(uint64_t, 0x200001a8, 0, 29, 35); *(uint32_t*)0x200001b0 = 0; *(uint32_t*)0x200001b4 = 0; *(uint64_t*)0x200001b8 = 0x80000001; *(uint64_t*)0x200001c0 = 0; *(uint64_t*)0x200001c8 = 0; *(uint64_t*)0x200001d0 = 0; *(uint32_t*)0x200001d8 = 0; *(uint32_t*)0x200001dc = 0; *(uint64_t*)0x200001e0 = 0; *(uint32_t*)0x200001e8 = 0; *(uint16_t*)0x200001ec = 0; *(uint16_t*)0x200001ee = 0; syscall(__NR_perf_event_open, 0x20000180, 0, 0, -1, 0); break; case 15: *(uint32_t*)0x20000280 = 8; *(uint16_t*)0x20000284 = 2; *(uint16_t*)0x20000286 = 1; *(uint16_t*)0x20000288 = 0x1f; *(uint16_t*)0x2000028a = 6; *(uint16_t*)0x2000028c = 8; *(uint16_t*)0x2000028e = 4; *(uint16_t*)0x20000290 = 0xefbb; *(uint16_t*)0x20000292 = 2; *(uint32_t*)0x200002c0 = 0x14; syscall(__NR_getsockopt, r[2], 0x84, 0x16, 0x20000280, 0x200002c0); break; case 16: memcpy((void*)0x20000200, "/dev/loop#", 11); res = syz_open_dev(0x20000200, 0, 0x82); if (res != -1) r[3] = res; break; case 17: memcpy((void*)0x20000140, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x76" "\x8e\x05\xf7\xc1\x55\xad\x7d\xc6\x94\x7c\x57\x3e\x5a\x69\x24\x4e" "\x76\x38\x2c\x0a\xa6\x3d\x57\x5e\xa3\x59\x7f\x8b\x17\x28\x27\x7e" "\xf7\x6b\x30\x54\x4d\x7b\xa9\x2d\xcf\x97\x8f\x1f\x81\xdc\x1b\x7f" "\x8f\x7b\x34\x51\xda\xda\x02\xec\xb4\xf1\xdd\xcc\x8b\x52\x41\xda" "\x89\x45\x66\x6e\x00\x73\xc2\x5a\x62\x87\xc6\x4d\xbe\xa3\x7a", 95); res = syscall(__NR_memfd_create, 0x20000140, 0); if (res != -1) r[4] = res; break; case 18: *(uint64_t*)0x20000340 = 0x20000080; *(uint64_t*)0x20000348 = 0; syscall(__NR_pwritev, r[4], 0x20000340, 1, 0x81806); break; case 19: *(uint32_t*)0x20000380 = 7; *(uint8_t*)0x20000384 = 0x33; *(uint16_t*)0x20000385 = 2; syscall(__NR_write, r[3], 0x20000380, 7); break; case 20: syscall(__NR_socket, 0xa, 0, 0); break; case 21: memcpy((void*)0x20000040, 
"./cgroup", 9); res = syscall(__NR_openat, 0xffffffffffffff9c, 0x20000040, 0x200002, 0); if (res != -1) r[5] = res; break; case 22: memcpy((void*)0x20000180, "memory.high", 12); res = syscall(__NR_openat, r[5], 0x20000180, 2, 0); if (res != -1) r[6] = res; break; case 23: sprintf((char*)0x20000000, "0x%016llx", (long long)0); syscall(__NR_write, r[6], 0x20000000, 0); break; case 24: syscall(__NR_ioctl, r[3], 0x4c00, r[4]); break; case 25: *(uint64_t*)0x20000240 = 0x300; syscall(__NR_sendfile, r[3], r[3], 0x20000240, 0x20000102000007); break; case 26: res = syscall(__NR_socket, 0xa, 0x1000000000002, 0); if (res != -1) r[7] = res; break; case 27: syscall(__NR_ioctl, r[7], 0x8912, 0x20000280); break; case 28: *(uint8_t*)0x20000200 = 0xaa; *(uint8_t*)0x20000201 = 0xaa; *(uint8_t*)0x20000202 = 0xaa; *(uint8_t*)0x20000203 = 0xaa; *(uint8_t*)0x20000204 = 0xaa; *(uint8_t*)0x20000205 = 0xaa; memcpy((void*)0x20000206, "\xa2\x9a\xb0\x89\x3f\xde", 6); *(uint16_t*)0x2000020c = htobe16(0x86dd); STORE_BY_BITMASK(uint8_t, 0x2000020e, 0, 0, 4); STORE_BY_BITMASK(uint8_t, 0x2000020e, 6, 4, 4); memcpy((void*)0x2000020f, "?:T", 3); *(uint16_t*)0x20000212 = htobe16(0x14); *(uint8_t*)0x20000214 = 0x2f; *(uint8_t*)0x20000215 = 0; *(uint8_t*)0x20000216 = 0xfe; *(uint8_t*)0x20000217 = 0x80; *(uint8_t*)0x20000218 = 0; *(uint8_t*)0x20000219 = 0; *(uint8_t*)0x2000021a = 0; *(uint8_t*)0x2000021b = 0; *(uint8_t*)0x2000021c = 0; *(uint8_t*)0x2000021d = 0; *(uint8_t*)0x2000021e = 0; *(uint8_t*)0x2000021f = 0; *(uint8_t*)0x20000220 = 0; *(uint8_t*)0x20000221 = 0; *(uint8_t*)0x20000222 = 0; *(uint8_t*)0x20000223 = 0; *(uint8_t*)0x20000224 = 0; *(uint8_t*)0x20000225 = 0xbb; *(uint8_t*)0x20000226 = -1; *(uint8_t*)0x20000227 = 2; *(uint8_t*)0x20000228 = 0; *(uint8_t*)0x20000229 = 0; *(uint8_t*)0x2000022a = 0; *(uint8_t*)0x2000022b = 0; *(uint8_t*)0x2000022c = 0; *(uint8_t*)0x2000022d = 0; *(uint8_t*)0x2000022e = 0; *(uint8_t*)0x2000022f = 0; *(uint8_t*)0x20000230 = 0; *(uint8_t*)0x20000231 = 0; 
*(uint8_t*)0x20000232 = 0; *(uint8_t*)0x20000233 = 0; *(uint8_t*)0x20000234 = 0; *(uint8_t*)0x20000235 = 1; *(uint16_t*)0x20000236 = htobe16(0); *(uint16_t*)0x20000238 = htobe16(0x883e); *(uint32_t*)0x2000023a = 0x41424344; *(uint32_t*)0x2000023e = 0x41424344; STORE_BY_BITMASK(uint8_t, 0x20000242, 0, 0, 1); STORE_BY_BITMASK(uint8_t, 0x20000242, 0, 1, 3); STORE_BY_BITMASK(uint8_t, 0x20000242, 5, 4, 4); *(uint8_t*)0x20000243 = 0; *(uint16_t*)0x20000244 = htobe16(0); *(uint16_t*)0x20000246 = htobe16(0); *(uint16_t*)0x20000248 = htobe16(0); *(uint32_t*)0x200004c0 = 0; *(uint32_t*)0x200004c4 = 0; *(uint32_t*)0x200004c8 = 0; *(uint32_t*)0x200004cc = 0; *(uint32_t*)0x200004d0 = 0; *(uint32_t*)0x200004d4 = 0; struct csum_inet csum_1; csum_inet_init(&csum_1); csum_inet_update(&csum_1, (const uint8_t*)0x20000216, 16); csum_inet_update(&csum_1, (const uint8_t*)0x20000226, 16); uint32_t csum_1_chunk_2 = 0x14000000; csum_inet_update(&csum_1, (const uint8_t*)&csum_1_chunk_2, 4); uint32_t csum_1_chunk_3 = 0x6000000; csum_inet_update(&csum_1, (const uint8_t*)&csum_1_chunk_3, 4); csum_inet_update(&csum_1, (const uint8_t*)0x20000236, 20); *(uint16_t*)0x20000246 = csum_inet_digest(&csum_1); break; case 29: *(uint64_t*)0x20008f40 = 0x20000000; *(uint16_t*)0x20000000 = 0x26; memcpy((void*)0x20000002, "\x61\x65\x61\x64\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", 14); *(uint32_t*)0x20000010 = 0; *(uint32_t*)0x20000014 = 0; memcpy((void*)0x20000018, "\x6d\x6f\x72\x75\x73\x36\x34\x30\x2d\x67\x65\x6e\x65\x72\x69\x63" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", 64); *(uint32_t*)0x20008f48 = 0x80; *(uint64_t*)0x20008f50 = 0x200001c0; *(uint64_t*)0x200001c0 = 0x20000500; *(uint64_t*)0x200001c8 = 0; *(uint64_t*)0x200001d0 = 0x20000080; memcpy((void*)0x20000080, "\xee\xe2\xd9\xc5\x2c\xa8\x59\x77\xf8\xe7\xd6\x8a" 
"\xbc\xfc\x43\xa2\x7b\xda\x49\xd7\xaa\x10", 22); *(uint64_t*)0x200001d8 = 0x16; *(uint64_t*)0x200001e0 = 0x200000c0; *(uint64_t*)0x200001e8 = 0; *(uint64_t*)0x20008f58 = 3; *(uint64_t*)0x20008f60 = 0x20001500; *(uint64_t*)0x20001500 = 0x80; *(uint32_t*)0x20001508 = 0x11e; *(uint32_t*)0x2000150c = 2; memcpy((void*)0x20001510, "\x8d\x5d\xfe\x72\xaa\x59\x56\xdf\xb7\xa7\x32\xf3\x32\xa7\x3e\xf6" "\x11\x7a\x8b\x88\xf7\x9d\x96\x42\x84\x52\x01\x12\xfe\xc9\xff\x31" "\xfc\xfc\xc6\x68\xf2\x8d\x1f\x52\x54\xad\xac\xed\x72\x40\xb0\xda" "\xe8\xbc\x01\xf0\xaa\x20\x7d\xb7\xa0\xa5\xc5\x97\x1e\x15\xc5\x8e" "\x31\xc5\x8a\x43\x4a\x3a\x0c\x12\x6b\x89\x54\xf3\x99\x0c\x3b\xb5" "\x9b\x80\x30\x60\x84\xb5\x10\x35\x2f\xe3\xfa\x0d\x29\xd4\xc5\x5f" "\x37\x2f\x08\xda\x60\x32\xbc\x0c\x74\x24\xa4", 107); *(uint64_t*)0x20001580 = 0x10; *(uint32_t*)0x20001588 = 0x11d; *(uint32_t*)0x2000158c = 6; *(uint64_t*)0x20001590 = 0x10; *(uint32_t*)0x20001598 = 0x10d; *(uint32_t*)0x2000159c = 4; *(uint64_t*)0x200015a0 = 0x10; *(uint32_t*)0x200015a8 = 0x10d; *(uint32_t*)0x200015ac = 0xea0a; *(uint64_t*)0x200015b0 = 0x10; *(uint32_t*)0x200015b8 = 0x117; *(uint32_t*)0x200015bc = 0x80000000; *(uint64_t*)0x200015c0 = 0x10; *(uint32_t*)0x200015c8 = 0x119; *(uint32_t*)0x200015cc = 7; *(uint64_t*)0x200015d0 = 0x10; *(uint32_t*)0x200015d8 = 0x13a; *(uint32_t*)0x200015dc = 1; *(uint64_t*)0x200015e0 = 0x10; *(uint32_t*)0x200015e8 = 0x19f; *(uint32_t*)0x200015ec = 0; *(uint64_t*)0x200015f0 = 0x10; *(uint32_t*)0x200015f8 = 0x102; *(uint32_t*)0x200015fc = 0x3bcb; *(uint64_t*)0x20001600 = 0x10; *(uint32_t*)0x20001608 = 0; *(uint32_t*)0x2000160c = 0x7a; *(uint64_t*)0x20008f68 = 0x110; *(uint32_t*)0x20008f70 = 0x10; *(uint32_t*)0x20008f78 = 7; *(uint64_t*)0x20008f80 = 0x200002c0; *(uint16_t*)0x200002c0 = 0x19; memcpy((void*)0x200002c2, "\x81\x32\xff\xec\x7d\x1a\x5e\xb8\xfa\x6d\x10\xfd\x3d\x13\x67\x36" "\x28\xc2\xeb\x97\x69\x31\x8c\xe7\xe4\x42\x3b\x6d\x6c\x03\x24\xa6" 
"\xa4\x7c\x9e\x69\x53\x9e\xb4\xdf\xbc\x56\x0f\xdf\x6e\xca\x64\x6a" "\x1d\xcd\x60\xf8\xca\xd0\x5b\x6d\xd4\x65\x85\x53\xaf\x77\x8a\x1e" "\xd6\xa7\x0a\xee\x72\x25\x9f\xb6\xe1\x3d\xf4\x3e\x61\xae\x94\xbc" "\x72\x98\x54\xe7\x22\xbb\x6c\x3a\x4d\x85\xac\xdc\x10\x75\xad\x77" "\xaf\x7a\x82\xaf\x9f\x78\x06\x08\xdf\x0a\x8a\xc0\x4b\x93\x82\x2f" "\x44\xc6\x61\x19\x30\x65\xc7\x9a\x6c\x6b\x13\x8b\xf4\xd3", 126); *(uint32_t*)0x20008f88 = 0x80; *(uint64_t*)0x20008f90 = 0x20000480; *(uint64_t*)0x20000480 = 0x20000340; *(uint64_t*)0x20000488 = 0; *(uint64_t*)0x20000490 = 0x20001bc0; *(uint64_t*)0x20000498 = 0; *(uint64_t*)0x200004a0 = 0x20001cc0; *(uint64_t*)0x200004a8 = 0; *(uint64_t*)0x200004b0 = 0x20000440; *(uint64_t*)0x200004b8 = 0; *(uint64_t*)0x20008f98 = 4; *(uint64_t*)0x20008fa0 = 0x20001dc0; *(uint64_t*)0x20001dc0 = 0x10; *(uint32_t*)0x20001dc8 = 0x110; *(uint32_t*)0x20001dcc = 0x7fffffff; *(uint64_t*)0x20001dd0 = 0x10; *(uint32_t*)0x20001dd8 = 0x10b; *(uint32_t*)0x20001ddc = 4; *(uint64_t*)0x20001de0 = 0x18; *(uint32_t*)0x20001de8 = 0x108; *(uint32_t*)0x20001dec = 0x7d7; memcpy((void*)0x20001df0, "\xb1\x40\x86\x63\x16\x88\xd1\x3d", 8); *(uint64_t*)0x20001df8 = 0x10; *(uint32_t*)0x20001e00 = 0x7627d7f7; *(uint32_t*)0x20001e04 = 0x1ff; *(uint64_t*)0x20001e08 = 0x10; *(uint32_t*)0x20001e10 = 0x112; *(uint32_t*)0x20001e14 = 9; *(uint64_t*)0x20008fa8 = 0x58; *(uint32_t*)0x20008fb0 = 0x40; *(uint32_t*)0x20008fb8 = 0x20; *(uint64_t*)0x20008fc0 = 0x20002180; *(uint16_t*)0x20002180 = 0; memcpy((void*)0x20002182, "\x2e\x2f\x66\x69\x6c\x65\x30\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", 108); 
*(uint32_t*)0x20008fc8 = 0x80; *(uint64_t*)0x20008fd0 = 0x200024c0; *(uint64_t*)0x200024c0 = 0x20002200; *(uint64_t*)0x200024c8 = 0; *(uint64_t*)0x200024d0 = 0x20002300; *(uint64_t*)0x200024d8 = 0; *(uint64_t*)0x200024e0 = 0x20002400; *(uint64_t*)0x200024e8 = 0; *(uint64_t*)0x20008fd8 = 3; *(uint64_t*)0x20008fe0 = 0x20002500; *(uint64_t*)0x20002500 = 0x10; *(uint32_t*)0x20002508 = 0x10b; *(uint32_t*)0x2000250c = 2; *(uint64_t*)0x20002510 = 0x10; *(uint32_t*)0x20002518 = 0x39; *(uint32_t*)0x2000251c = 0; *(uint64_t*)0x20008fe8 = 0x20; *(uint32_t*)0x20008ff0 = 0x44; *(uint32_t*)0x20008ff8 = 8; *(uint64_t*)0x20009000 = 0x20002640; *(uint16_t*)0x20002640 = 0x18; *(uint32_t*)0x20002642 = 2; *(uint16_t*)0x20002646 = htobe16(3); *(uint8_t*)0x2000264a = 0xac; *(uint8_t*)0x2000264b = 0x14; *(uint8_t*)0x2000264c = 0x14; *(uint8_t*)0x2000264d = 0x11; *(uint32_t*)0x20009008 = 0x80; *(uint64_t*)0x20009010 = 0x20004840; *(uint64_t*)0x20004840 = 0x200026c0; *(uint64_t*)0x20004848 = 0; *(uint64_t*)0x20004850 = 0x200027c0; *(uint64_t*)0x20004858 = 0; *(uint64_t*)0x20004860 = 0x200037c0; *(uint64_t*)0x20004868 = 0; *(uint64_t*)0x20004870 = 0x200047c0; *(uint64_t*)0x20004878 = 0; *(uint64_t*)0x20009018 = 4; *(uint64_t*)0x20009020 = 0x20004880; *(uint64_t*)0x20004880 = 0x10; *(uint32_t*)0x20004888 = 0x11f; *(uint32_t*)0x2000488c = 2; *(uint64_t*)0x20004890 = 0x10; *(uint32_t*)0x20004898 = 0x115; *(uint32_t*)0x2000489c = 0x400; *(uint64_t*)0x200048a0 = 0x10; *(uint32_t*)0x200048a8 = 0x101; *(uint32_t*)0x200048ac = 4; *(uint64_t*)0x200048b0 = 0x60; *(uint32_t*)0x200048b8 = 0x116; *(uint32_t*)0x200048bc = 0xfffff3cc; memcpy((void*)0x200048c0, "\x52\x22\xf6\x86\xf4\x69\xb1\xea\xf6\x4f\xac\x87\xff\x9d\x45\x73" "\x91\x56\x38\x6f\xbd\x61\xf4\x70\xad\xd5\xa4\xa5\xcc\x4a\x44\x16" "\x42\x37\x14\x03\x2d\x96\x94\xbe\x86\xb3\xd3\xa0\x2b\x66\x71\x8d" "\x41\x63\x04\x35\x9b\x18\x6f\xf7\xe4\x58\x52\x66\xc1\x4a\x5e\x95" "\x7c\x1f\xb2\xf5\xd4\xd3\xae\xe7\x02\x2d\x59\xa7\xe2\x2d\x85\xe4", 80); 
*(uint64_t*)0x20004910 = 0x10; *(uint32_t*)0x20004918 = 0x1ff; *(uint32_t*)0x2000491c = 0x7fff; *(uint64_t*)0x20004920 = 0x10; *(uint32_t*)0x20004928 = 0x117; *(uint32_t*)0x2000492c = 5; *(uint64_t*)0x20009028 = 0xb0; *(uint32_t*)0x20009030 = 0x4000000; *(uint32_t*)0x20009038 = 0xf092; *(uint64_t*)0x20009040 = 0x20004c00; *(uint16_t*)0x20004c00 = 0x1a; *(uint16_t*)0x20004c02 = 0x32f; *(uint8_t*)0x20004c04 = 0; *(uint8_t*)0x20004c05 = 4; *(uint8_t*)0x20004c06 = 0; *(uint8_t*)0x20004c07 = 8; *(uint8_t*)0x20004c08 = 0xaa; *(uint8_t*)0x20004c09 = 0xaa; *(uint8_t*)0x20004c0a = 0xaa; *(uint8_t*)0x20004c0b = 0xaa; *(uint8_t*)0x20004c0c = 0xaa; *(uint8_t*)0x20004c0d = 0xbb; *(uint32_t*)0x20009048 = 0x80; *(uint64_t*)0x20009050 = 0x20004ec0; *(uint64_t*)0x20004ec0 = 0x20004c80; *(uint64_t*)0x20004ec8 = 0; *(uint64_t*)0x20004ed0 = 0x20004d00; *(uint64_t*)0x20004ed8 = 0; *(uint64_t*)0x20004ee0 = 0x20004dc0; memcpy((void*)0x20004dc0, "\x9e\x5e\xb9\x5c\xa5\x87\xe5\x85\xe5\xad\x71\x9d\x20\x18\xf1\x51" "\x12\x54\x4d\xa2\x06\x74\x1f\xd7\xf5\x79\x6b\x58\x24\x41\x9b\xea" "\xc1\x48\x83\x68\xac\x3d\x6f\xb3\x47\x3e\x3e\x81\x6c\x26\x92\x04" "\xeb\x39\x5f\x2b\x41\xb8\x8d\xf7\xd8\xa5\x58\x90\x9f\x2b\x48\x71" "\xf1\x54\x0f\xf8\xdf\xda\xe4\x97\x34\x5e\xb1\x71\xbe\x7e\x8c\x55" "\x02\xb8\x66\x84\x72\x1a\x73\xb3\xaf\x6c\x85\x6c\x75\xed\x4a\x0a" "\x1b\x78\x4e\x89\x10\x38\x11\xfc\x6f\x36\xdb\xc7\xa9\x5b\xb7\xfb" "\x1d\x87\x81\x39\x01\xcf\xb8\x01\x4e\x18\xaa\xaa\x80\x05\xe4\xbb" "\xef\xfe\x94\x49\xc1\x3f\xfa\x96\xe5\xf0\x4a\xe2\x94\x04\x8d\x00" "\x0b\xe3\x2f\x0f\xec\x06\x5e\xec\x4f\x7b\xa0\x78\x75\x96\xe7\x74" "\xbb\x80\x04\x2d\x58\xb5\x34\x97\x5e\x6e\xb6\xaa\xad\x1a\x06\xc9" "\x16\x21\xda\xb9\xf0\x86\xb1\xdb\xc5\x5b\x65\x16\xaf\x15\xb7\x1a" "\x50\x47\xcc\x8e\x13\xbd\x3e\xb9\xb1\xb6\xb8\x0c\xc0\x50\x1e\x6c" "\x8a\x6c\x16\x1b\xd4\x01\x00\xad\x06", 217); *(uint64_t*)0x20004ee8 = 0xd9; *(uint64_t*)0x20009058 = 3; *(uint64_t*)0x20009060 = 0x20004f00; *(uint64_t*)0x20004f00 = 0x10; 
*(uint32_t*)0x20004f08 = 0xff; *(uint32_t*)0x20004f0c = 0x40; *(uint64_t*)0x20009068 = 0x10; *(uint32_t*)0x20009070 = 0x200000c0; *(uint32_t*)0x20009078 = 0; *(uint64_t*)0x20009080 = 0x20004f80; *(uint16_t*)0x20004f80 = 0; memcpy((void*)0x20004f82, "\x2e\x2f\x66\x69\x6c\x65\x30\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", 108); *(uint32_t*)0x20009088 = 0x80; *(uint64_t*)0x20009090 = 0x20005280; *(uint64_t*)0x20005280 = 0x20005000; memcpy((void*)0x20005000, "\x32\x53\x63\xf1\x81\x4e\x7c\x9e\x6f\x23\xc2\x33" "\x52\x2b\x95\xcc\xa1\xce\x7c\xa8\xca\x32\x73\xdb" "\x8d\x50\xb8\x4a\xdd\x7c\x22\xe1\x49\xc0\xd4\xd4" "\xc9\xe2\x7f\xc9\x4c\x4e\x50\x8b\xdd\xa1\xf9\xd9" "\xa8\xff\x47\x8d", 52); *(uint64_t*)0x20005288 = 0x34; *(uint64_t*)0x20005290 = 0x20005040; *(uint64_t*)0x20005298 = 0; *(uint64_t*)0x200052a0 = 0x20005080; *(uint64_t*)0x200052a8 = 0; *(uint64_t*)0x200052b0 = 0x20005100; *(uint64_t*)0x200052b8 = 0; *(uint64_t*)0x200052c0 = 0x20005180; *(uint64_t*)0x200052c8 = 0; *(uint64_t*)0x20009098 = 5; *(uint64_t*)0x200090a0 = 0x20005300; *(uint64_t*)0x20005300 = 0x10; *(uint32_t*)0x20005308 = 0x18f; *(uint32_t*)0x2000530c = 7; *(uint64_t*)0x20005310 = 0x78; *(uint32_t*)0x20005318 = 0x11; *(uint32_t*)0x2000531c = 7; memcpy((void*)0x20005320, "\x69\x89\xc6\x52\x2d\x45\xdd\x93\xa1\xdc\x20\xd5\xc6\x58\xf1\x70" "\x03\x4d\xd4\xd7\x8a\xc1\xb5\xbd\x0a\x19\x30\x09\x95\x10\xfb\x84" "\x48\xae\xcb\xa0\x6f\x1c\x32\xf1\xa4\x0f\xd1\x13\xdd\xaa\x75\x73" "\xeb\x8c\xe7\x31\x2d\x57\x65\x6f\xa7\x0d\x44\x00\xb3\x0e\x94\x59" "\x7f\x90\x0b\x28\x1c\xd9\xfd\xd6\x2d\x69\x24\x05\x94\xfa\x3a\xb8" 
"\x1a\x7e\x19\x27\x1e\x97\xc5\x5b\xe3\x4f\xab\x70\xd0\x4c\x7a\xfa" "\xb0\xde\x18\xc0", 100); *(uint64_t*)0x20005388 = 0x10; *(uint32_t*)0x20005390 = 0x88; *(uint32_t*)0x20005394 = 4; *(uint64_t*)0x200090a8 = 0x98; *(uint32_t*)0x200090b0 = 0x8004; *(uint32_t*)0x200090b8 = 2; *(uint64_t*)0x200090c0 = 0; *(uint32_t*)0x200090c8 = 0; *(uint64_t*)0x200090d0 = 0x20007700; *(uint64_t*)0x20007700 = 0x200054c0; *(uint64_t*)0x20007708 = 0; *(uint64_t*)0x20007710 = 0x20005500; *(uint64_t*)0x20007718 = 0; *(uint64_t*)0x20007720 = 0x20006500; *(uint64_t*)0x20007728 = 0; *(uint64_t*)0x20007730 = 0x200065c0; *(uint64_t*)0x20007738 = 0; *(uint64_t*)0x20007740 = 0x20006600; *(uint64_t*)0x20007748 = 0; *(uint64_t*)0x20007750 = 0x20006700; *(uint64_t*)0x20007758 = 0; *(uint64_t*)0x200090d8 = 6; *(uint64_t*)0x200090e0 = 0x20007780; *(uint64_t*)0x20007780 = 0x10; *(uint32_t*)0x20007788 = 0x112; *(uint32_t*)0x2000778c = 6; *(uint64_t*)0x200090e8 = 0x10; *(uint32_t*)0x200090f0 = 0x90; *(uint32_t*)0x200090f8 = 0x800; *(uint64_t*)0x20009100 = 0x20007880; *(uint16_t*)0x20007880 = 0x1f; *(uint16_t*)0x20007882 = 0xdb0; *(uint8_t*)0x20007884 = 0xfa; *(uint8_t*)0x20007885 = 0x58; *(uint8_t*)0x20007886 = 8; *(uint8_t*)0x20007887 = 5; *(uint8_t*)0x20007888 = 0x7f; *(uint8_t*)0x20007889 = 0x3f; *(uint16_t*)0x2000788a = 0xff; *(uint8_t*)0x2000788c = 0x20; *(uint32_t*)0x20009108 = 0x80; *(uint64_t*)0x20009110 = 0x20007c40; *(uint64_t*)0x20007c40 = 0x20007900; *(uint64_t*)0x20007c48 = 0; *(uint64_t*)0x20007c50 = 0x20007a00; *(uint64_t*)0x20007c58 = 0; *(uint64_t*)0x20007c60 = 0x20007b00; *(uint64_t*)0x20007c68 = 0; *(uint64_t*)0x20007c70 = 0x20007b40; *(uint64_t*)0x20007c78 = 0; *(uint64_t*)0x20009118 = 4; *(uint64_t*)0x20009120 = 0x20007c80; *(uint64_t*)0x20007c80 = 0x10; *(uint32_t*)0x20007c88 = 0x105; *(uint32_t*)0x20007c8c = 0x20; *(uint64_t*)0x20007c90 = 0x10; *(uint32_t*)0x20007c98 = 0x1ff; *(uint32_t*)0x20007c9c = 5; *(uint64_t*)0x20007ca0 = 0x28; *(uint32_t*)0x20007ca8 = 0; 
*(uint32_t*)0x20007cac = 8; memcpy((void*)0x20007cb0, "\xeb\x53\x42\x47\xb2\xed\x84\x67\x36\xe3\x94\xdf" "\x21\x3a\xac\xef\xf4\x0b\xc2", 19); *(uint64_t*)0x20007cc8 = 0xa0; *(uint32_t*)0x20007cd0 = 0x1ff; *(uint32_t*)0x20007cd4 = 6; memcpy((void*)0x20007cd8, "\x56\xfc\xd3\x27\xfc\xde\x93\x56\xe8\xa6\x51\x3c\x71\xaa\xed\x46" "\x94\x3d\x1f\xb2\x9a\x36\xbf\xe6\x37\xfc\xe0\x15\xcc\x46\x48\x4c" "\x03\x39\xb7\x71\xf4\x91\xb9\x8b\xfe\xf4\xfd\x91\xa1\x4b\x4b\xba" "\xda\xa0\xdd\x1b\xca\x64\x83\x0b\x0c\x9c\xdc\x25\xc5\x2f\x62\xe2" "\x49\x08\x7e\x6d\x3b\x30\xa8\xb4\x9c\x42\x24\xaa\x93\x11\xb2\x01" "\xf4\xa1\x9d\x80\x92\x5f\x02\x5c\xf4\xe5\x5d\xa3\xf3\x39\x6d\x30" "\x1c\xcf\x88\xe5\x2e\x72\x91\x9c\xea\x97\x47\xdc\x38\x4e\x25\x77" "\xfd\xc0\x86\x2e\x86\x92\xf0\xb6\xcb\x22\x6a\x09\xb2\xa3\x44\x78" "\x6f\x5b\x37\xd2\xa5\xb2\x05\xfb\x7b\x32\x7d\x7e\xd8\xab", 142); *(uint64_t*)0x20007d68 = 0x10; *(uint32_t*)0x20007d70 = 0x107; *(uint32_t*)0x20007d74 = 4; *(uint64_t*)0x20007d78 = 0xd8; *(uint32_t*)0x20007d80 = 0x11; *(uint32_t*)0x20007d84 = 9; memcpy((void*)0x20007d88, "\x9e\xa2\xb7\xd4\xff\x52\x6e\x8e\x8d\x90\x08\xa2\x98\x12\x11\x93" "\x97\x8f\x3a\x29\x73\x36\xa0\xc3\x20\xca\xbc\x64\x1b\xaa\xc0\x15" "\x5f\xb0\xbb\xba\xb7\xca\x85\x8d\xe6\xee\x30\x0e\x08\x96\x71\x5c" "\x26\x7d\x17\x19\xd9\x77\x5c\xbe\x14\x6a\x6e\xbe\x51\xff\xa5\x6b" "\x34\x91\x06\x91\x82\xca\xe7\xf4\xec\xd5\x78\x04\x03\xec\x28\x79" "\x94\xd4\x34\x6f\x0a\x79\x9c\x3a\xe0\xa6\xd4\xad\x00\x97\xff\x2c" "\x6f\xa2\xc2\x3d\x47\x35\xf0\x34\xb8\x48\xd5\x5d\xf9\xa4\xfe\x4b" "\x8a\xc5\x36\x83\x87\x48\x64\x8d\xca\xab\x33\xa8\x5a\x66\xc2\xde" "\xe3\xe6\x20\x00\x81\xa9\x44\xde\xba\x33\x7d\xee\xb4\xc1\x03\x29" "\xd0\xe6\x79\x65\xbe\x38\x0b\x55\x09\xcc\xf8\x39\x1e\xad\x6a\xb3" "\x35\x54\x22\x53\x83\x55\x26\x3c\x9e\x82\xde\x48\x85\xd1\x34\xe6" "\xab\x52\x8d\x76\x55\xe9\x1a\xd5\x64\xf0\xa5\x39\x22\x2a\x2e\xca" "\x7a\x08\xd0", 195); *(uint64_t*)0x20009128 = 0x1d0; *(uint32_t*)0x20009130 = 0x40; *(uint32_t*)0x20009138 = 1; 
syscall(__NR_sendmmsg, r[7], 0x20008f40, 8, 0x10); break; case 30: res = syscall(__NR_getpgrp, -1); if (res != -1) r[8] = res; break; case 31: memcpy((void*)0x20000180, "/dev/vcs", 9); syscall(__NR_openat, 0xffffffffffffff9c, 0x20000180, 2, 0); break; case 32: *(uint64_t*)0x20000240 = 0x20000200; memcpy((void*)0x20000200, "cpuacct.usage_sys", 18); *(uint32_t*)0x20000248 = 0xffffff9c; syscall(__NR_bpf, 0x11, 0x20000240, 0x10); break; case 33: memcpy((void*)0x20000280, "/dev/autofs", 12); syscall(__NR_openat, 0xffffffffffffff9c, 0x20000280, 0x402000, 0); break; case 34: memcpy((void*)0x20000300, "/dev/hwrng", 11); syscall(__NR_openat, 0xffffffffffffff9c, 0x20000300, 0, 0); break; case 35: res = syscall(__NR_pipe, 0x20000380); if (res != -1) r[9] = *(uint32_t*)0x20000384; break; case 36: memcpy((void*)0x200003c0, "cpuacct.usage_percpu_user", 26); res = syscall(__NR_openat, r[9], 0x200003c0, 0, 0); if (res != -1) r[10] = res; break; case 37: *(uint32_t*)0x200000c0 = 7; *(uint32_t*)0x200000c4 = 0x70; *(uint8_t*)0x200000c8 = 0x64; *(uint8_t*)0x200000c9 = -1; *(uint8_t*)0x200000ca = 0x14; *(uint8_t*)0x200000cb = 3; *(uint32_t*)0x200000cc = 0; *(uint64_t*)0x200000d0 = 0x200; *(uint64_t*)0x200000d8 = 0x40; *(uint64_t*)0x200000e0 = 4; STORE_BY_BITMASK(uint64_t, 0x200000e8, 0x2c, 0, 1); STORE_BY_BITMASK(uint64_t, 0x200000e8, 1, 1, 1); STORE_BY_BITMASK(uint64_t, 0x200000e8, 0x1f, 2, 1); STORE_BY_BITMASK(uint64_t, 0x200000e8, 0x7818, 3, 1); STORE_BY_BITMASK(uint64_t, 0x200000e8, 2, 4, 1); STORE_BY_BITMASK(uint64_t, 0x200000e8, 0, 5, 1); STORE_BY_BITMASK(uint64_t, 0x200000e8, 0x4d, 6, 1); STORE_BY_BITMASK(uint64_t, 0x200000e8, 0x7fffffff, 7, 1); STORE_BY_BITMASK(uint64_t, 0x200000e8, 3, 8, 1); STORE_BY_BITMASK(uint64_t, 0x200000e8, 4, 9, 1); STORE_BY_BITMASK(uint64_t, 0x200000e8, 9, 10, 1); STORE_BY_BITMASK(uint64_t, 0x200000e8, 5, 11, 1); STORE_BY_BITMASK(uint64_t, 0x200000e8, 0, 12, 1); STORE_BY_BITMASK(uint64_t, 0x200000e8, 0xff, 13, 1); STORE_BY_BITMASK(uint64_t, 0x200000e8, 
0x10ae, 14, 1); STORE_BY_BITMASK(uint64_t, 0x200000e8, 0x855b, 15, 2); STORE_BY_BITMASK(uint64_t, 0x200000e8, 0, 17, 1); STORE_BY_BITMASK(uint64_t, 0x200000e8, 0x1f, 18, 1); STORE_BY_BITMASK(uint64_t, 0x200000e8, 5, 19, 1); STORE_BY_BITMASK(uint64_t, 0x200000e8, 8, 20, 1); STORE_BY_BITMASK(uint64_t, 0x200000e8, 2, 21, 1); STORE_BY_BITMASK(uint64_t, 0x200000e8, 0, 22, 1); STORE_BY_BITMASK(uint64_t, 0x200000e8, 0, 23, 1); STORE_BY_BITMASK(uint64_t, 0x200000e8, 0x200, 24, 1); STORE_BY_BITMASK(uint64_t, 0x200000e8, 5, 25, 1); STORE_BY_BITMASK(uint64_t, 0x200000e8, 8, 26, 1); STORE_BY_BITMASK(uint64_t, 0x200000e8, 0xbc, 27, 1); STORE_BY_BITMASK(uint64_t, 0x200000e8, 1, 28, 1); STORE_BY_BITMASK(uint64_t, 0x200000e8, 0, 29, 35); *(uint32_t*)0x200000f0 = 2; *(uint32_t*)0x200000f4 = 2; *(uint64_t*)0x200000f8 = 0x20000000; *(uint64_t*)0x20000100 = 3; *(uint64_t*)0x20000108 = 0x400; *(uint64_t*)0x20000110 = 1; *(uint32_t*)0x20000118 = 0; *(uint32_t*)0x2000011c = 6; *(uint64_t*)0x20000120 = 0xe04; *(uint32_t*)0x20000128 = 0xffff; *(uint16_t*)0x2000012c = 0xbd1; *(uint16_t*)0x2000012e = 0; syscall(__NR_perf_event_open, 0x200000c0, r[8], 5, r[10], 0xa); break; case 38: memcpy((void*)0x20000080, "/dev/net/tun", 13); res = syscall(__NR_openat, 0xffffffffffffff9c, 0x20000080, 0, 0); if (res != -1) r[11] = res; break; case 39: memcpy((void*)0x200001c0, "\x00\x00\xbd\x68\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x84", 16); *(uint16_t*)0x200001d0 = 2; syscall(__NR_ioctl, r[11], 0x400454ca, 0x200001c0); break; case 40: res = syscall(__NR_socket, 0x11, 3, 0x300); if (res != -1) r[12] = res; break; case 41: res = syscall(__NR_dup2, r[12], r[11]); if (res != -1) r[13] = res; break; case 42: *(uint32_t*)0x20000040 = 0; syscall(__NR_setsockopt, r[13], 6, 0x37, 0x20000040, 0x2da); break; case 43: res = syscall(__NR_socket, 0xa, 5, 0); if (res != -1) r[14] = res; break; case 44: syscall(__NR_ioctl, r[14], 0x40049409, r[14]); break; case 45: *(uint32_t*)0x20d10ffc = 3; 
syscall(__NR_setsockopt, r[14], 0, 0xf, 0x20d10ffc, 4); break; case 46: *(uint16_t*)0x20000200 = 2; *(uint16_t*)0x20000202 = htobe16(0); *(uint32_t*)0x20000204 = htobe32(0); *(uint8_t*)0x20000208 = 0; *(uint8_t*)0x20000209 = 0; *(uint8_t*)0x2000020a = 0; *(uint8_t*)0x2000020b = 0; *(uint8_t*)0x2000020c = 0; *(uint8_t*)0x2000020d = 0; *(uint8_t*)0x2000020e = 0; *(uint8_t*)0x2000020f = 0; *(uint16_t*)0x20000210 = 2; *(uint16_t*)0x20000212 = htobe16(0); *(uint32_t*)0x20000214 = htobe32(0x7f000001); *(uint8_t*)0x20000218 = 0; *(uint8_t*)0x20000219 = 0; *(uint8_t*)0x2000021a = 0; *(uint8_t*)0x2000021b = 0; *(uint8_t*)0x2000021c = 0; *(uint8_t*)0x2000021d = 0; *(uint8_t*)0x2000021e = 0; *(uint8_t*)0x2000021f = 0; syscall(__NR_setsockopt, r[14], 0x84, 0x64, 0x20000200, 0x20); break; case 47: res = syscall(__NR_socket, 0xa, 1, 0); if (res != -1) r[15] = res; break; case 48: *(uint32_t*)0x20000040 = 9; syscall(__NR_setsockopt, r[15], 6, 0x19, 0x20000040, 4); break; case 49: *(uint16_t*)0x20000280 = 0xa; *(uint16_t*)0x20000282 = htobe16(0); *(uint32_t*)0x20000284 = 0; *(uint64_t*)0x20000288 = htobe64(0); *(uint64_t*)0x20000290 = htobe64(1); *(uint32_t*)0x20000298 = 0; *(uint16_t*)0x20000300 = 0; *(uint16_t*)0x20000302 = 4; *(uint32_t*)0x20000304 = 0; memcpy((void*)0x20000308, "\xbb\x3e\x3c\x09\xb4\x9a\x97\xd5\xc8\xa1\x5f\x5e\xd7\x55\x68\x9b" "\x13\x69\x8a\x6f\x0e\x57\x99\x27\x96\xf6\x5e\xd1\x5c\xc1\x79\x71" "\x14\x61\xf1\x61\x6c\xa2\xa4\xeb\x03\xe9\x2e\x99\xfc\xa3\xbc\x38" "\x54\x9a\xa1\xc6\x84\xed\x47\x75\xb9\x9d\x7f\x1d\x49\x89\x3b\x8d" "\xd3\x23\xec\x53\x7e\x8b\xa6\x67\x2c\xe3\x3e\xde\xdb\xa8\xbf\x7d", 80); syscall(__NR_setsockopt, r[15], 6, 0xe, 0x20000280, 0xd8); break; case 50: *(uint32_t*)0x200000c0 = 1; syscall(__NR_setsockopt, r[15], 6, 0x13, 0x200000c0, 0x151); break; case 51: *(uint16_t*)0x20000140 = 0xa; *(uint16_t*)0x20000142 = htobe16(0); *(uint32_t*)0x20000144 = 0; *(uint8_t*)0x20000148 = 0; *(uint8_t*)0x20000149 = 0; *(uint8_t*)0x2000014a = 0; 
*(uint8_t*)0x2000014b = 0; *(uint8_t*)0x2000014c = 0; *(uint8_t*)0x2000014d = 0; *(uint8_t*)0x2000014e = 0; *(uint8_t*)0x2000014f = 0; *(uint8_t*)0x20000150 = 0; *(uint8_t*)0x20000151 = 0; *(uint8_t*)0x20000152 = -1; *(uint8_t*)0x20000153 = -1; *(uint8_t*)0x20000154 = 0xac; *(uint8_t*)0x20000155 = 0x14; *(uint8_t*)0x20000156 = 0x14; *(uint8_t*)0x20000157 = 0x17; *(uint32_t*)0x20000158 = 0; syscall(__NR_connect, r[15], 0x20000140, 0x1c); break; case 52: memcpy((void*)0x20000180, "\x76\x63\x61\x6e\x30\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", 16); syscall(__NR_ioctl, r[15], 0x89a1, 0x20000180); break; case 53: *(uint32_t*)0x20000240 = 2; syscall(__NR_setsockopt, r[15], 0x29, 1, 0x20000240, 4); break; case 54: memcpy((void*)0x20000080, "tls", 4); syscall(__NR_setsockopt, r[15], 6, 0x1f, 0x20000080, 0x152); break; case 55: *(uint16_t*)0x20000100 = 0x303; *(uint16_t*)0x20000102 = 0x33; syscall(__NR_setsockopt, r[15], 0x11a, 1, 0x20000100, 0x28); break; case 56: *(uint16_t*)0x20000000 = 0xa; *(uint16_t*)0x20000002 = htobe16(0); *(uint32_t*)0x20000004 = 0; *(uint8_t*)0x20000008 = 0xfe; *(uint8_t*)0x20000009 = 0x80; *(uint8_t*)0x2000000a = 0; *(uint8_t*)0x2000000b = 0; *(uint8_t*)0x2000000c = 0; *(uint8_t*)0x2000000d = 0; *(uint8_t*)0x2000000e = 0; *(uint8_t*)0x2000000f = 0; *(uint8_t*)0x20000010 = 0; *(uint8_t*)0x20000011 = 0; *(uint8_t*)0x20000012 = 0; *(uint8_t*)0x20000013 = 0; *(uint8_t*)0x20000014 = 0; *(uint8_t*)0x20000015 = 0; *(uint8_t*)0x20000016 = 0; *(uint8_t*)0x20000017 = 0xbb; *(uint32_t*)0x20000018 = 0; syscall(__NR_sendto, r[15], 0x200005c0, 0xfffffdef, 0x40, 0x20000000, 0x1c); break; case 57: res = syscall(__NR_timerfd_create, 0, 0); if (res != -1) r[16] = res; break; case 58: syscall(__NR_clock_gettime, 0, 0x20000000); break; case 59: syscall(__NR_unshare, 0x2000400); break; case 60: res = syscall(__NR_clock_gettime, 0, 0x200000c0); if (res != -1) { r[17] = *(uint64_t*)0x200000c0; r[18] = *(uint64_t*)0x200000c8; } break; case 61: *(uint64_t*)0x20000140 
= r[17]; *(uint64_t*)0x20000148 = r[18] + 10000000; *(uint64_t*)0x20000150 = 0x77359400; *(uint64_t*)0x20000158 = 0; syscall(__NR_timerfd_settime, r[16], 0x4000000000000203, 0x20000140, 0x20000100); break; case 62: syscall(__NR_ioctl, r[16], 0x2289, 0x20000080); break; case 63: memcpy((void*)0x20000180, "/dev/cuse", 10); res = syscall(__NR_openat, 0xffffffffffffff9c, 0x20000180, 0x40000, 0); if (res != -1) r[19] = res; break; case 64: *(uint32_t*)0x20000200 = 0; *(uint16_t*)0x20000204 = 0x18; *(uint16_t*)0x20000206 = 0xfa00; *(uint64_t*)0x20000208 = 1; *(uint64_t*)0x20000210 = 0x200001c0; *(uint16_t*)0x20000218 = 0x13f; *(uint8_t*)0x2000021a = 8; *(uint8_t*)0x2000021b = 0; *(uint8_t*)0x2000021c = 0; *(uint8_t*)0x2000021d = 0; *(uint8_t*)0x2000021e = 0; *(uint8_t*)0x2000021f = 0; res = syscall(__NR_write, -1, 0x20000200, 0x20); if (res != -1) r[20] = *(uint32_t*)0x200001c0; break; case 65: *(uint32_t*)0x20000240 = 7; *(uint16_t*)0x20000244 = 8; *(uint16_t*)0x20000246 = 0xfa00; *(uint32_t*)0x20000248 = r[20]; *(uint32_t*)0x2000024c = 8; syscall(__NR_write, r[19], 0x20000240, 0x10); break; case 66: syscall(__NR_timerfd_gettime, r[16], 0x20000040); break; case 67: res = syscall(__NR_socket, 0xc, 0x12, 0); if (res != -1) r[21] = res; break; case 68: memcpy((void*)0x20001440, "\x73\x65\x63\x75\x72\x69\x74\x79\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00", 32); *(uint32_t*)0x20001460 = 0; *(uint32_t*)0x20001464 = 0; *(uint32_t*)0x20001468 = 0; *(uint32_t*)0x2000146c = 0; *(uint32_t*)0x20001470 = 0; *(uint32_t*)0x20001474 = 0; *(uint32_t*)0x20001478 = 0; *(uint32_t*)0x2000147c = 0; *(uint32_t*)0x20001480 = 0; *(uint32_t*)0x20001484 = 0; *(uint32_t*)0x20001488 = 0; *(uint32_t*)0x2000148c = 0; *(uint32_t*)0x20001490 = 0; *(uint32_t*)0x200014c0 = 0x54; syscall(__NR_getsockopt, r[21], 0, 0x40, 0x20001440, 0x200014c0); break; case 69: *(uint16_t*)0x20000100 = 0x26; memcpy((void*)0x20000102, 
"\x72\x6e\x67\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", 14); *(uint32_t*)0x20000110 = 0; *(uint32_t*)0x20000114 = 0; memcpy((void*)0x20000118, "\x64\x72\x62\x67\x5f\x70\x72\x5f\x73\x68\x61\x35\x31\x32\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", 64); syscall(__NR_bind, -1, 0x20000100, 0x58); break; case 70: memcpy((void*)0x20000240, "\xc6\x26\x26\x2c\x85\x23\xbf\x01\x2c\xf6\x6f", 11); syscall(__NR_ioctl, -1, 0x8912, 0x20000240); break; case 71: *(uint64_t*)0x200000c0 = 0; syscall(__NR_sendfile, -1, -1, 0x200000c0, 0x4000000000000003); break; case 72: syscall(__NR_setsockopt, -1, 0x117, 1, 0x20000080, 0); break; case 73: syscall(__NR_unshare, 0x400); break; case 74: res = syscall(__NR_socket, 0xa, 1, 0x84); if (res != -1) r[22] = res; break; case 75: memcpy((void*)0x20e33fe0, "X", 1); *(uint16_t*)0x2005ffe4 = 0xa; *(uint16_t*)0x2005ffe6 = htobe16(0x4e23); *(uint32_t*)0x2005ffe8 = 0; *(uint64_t*)0x2005ffec = htobe64(0); *(uint64_t*)0x2005fff4 = htobe64(1); *(uint32_t*)0x2005fffc = 0; syscall(__NR_sendto, r[22], 0x20e33fe0, 1, 0, 0x2005ffe4, 0x1c); break; case 76: syscall(__NR_ioctl, -1, 0x80044100, 0x20001f64); break; case 77: syscall(__NR_listen, -1, 0); break; case 78: memcpy((void*)0x200001c0, "/dev/admmidi#", 14); syz_open_dev(0x200001c0, 1, 0x800); break; case 79: memcpy((void*)0x20000080, "/dev/ppp", 9); res = syscall(__NR_openat, 0xffffffffffffff9c, 0x20000080, 0x2801, 0); if (res != -1) r[23] = res; break; case 80: *(uint16_t*)0x20000140 = 2; *(uint16_t*)0x20000142 = htobe16(0x4e20); *(uint8_t*)0x20000144 = 0xac; *(uint8_t*)0x20000145 = 0x14; *(uint8_t*)0x20000146 = 0x14; *(uint8_t*)0x20000147 = 0x16; *(uint8_t*)0x20000148 = 0; *(uint8_t*)0x20000149 = 0; *(uint8_t*)0x2000014a = 0; *(uint8_t*)0x2000014b = 0; *(uint8_t*)0x2000014c = 0; *(uint8_t*)0x2000014d = 0; *(uint8_t*)0x2000014e = 0; 
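/* Tail of execute()'s per-call switch. The function header, the r[]
 * resource table and cases 0-79 are above this chunk and are left as
 * generated. Every store below goes through a raw pointer into the fixed
 * 0x20000000 region that main() maps; the literal -1 file descriptors are
 * part of the generated program (presumably a resource that was never
 * created), so those calls just fail with EBADF and are kept to preserve
 * the reproducer's call sequence and timing. */
*(uint8_t*)0x2000014f = 0;
*(uint16_t*)0x20000150 = 7;
*(uint8_t*)0x20000152 = 0xaa;
*(uint8_t*)0x20000153 = 0xaa;
*(uint8_t*)0x20000154 = 0xaa;
*(uint8_t*)0x20000155 = 0xaa;
*(uint8_t*)0x20000156 = 0xaa;
*(uint8_t*)0x20000157 = 0xbb;
*(uint32_t*)0x20000160 = 0x20;
*(uint16_t*)0x20000164 = 2;
*(uint16_t*)0x20000166 = htobe16(0x4e23);
*(uint32_t*)0x20000168 = htobe32(0x7f000001);
*(uint8_t*)0x2000016c = 0;
*(uint8_t*)0x2000016d = 0;
*(uint8_t*)0x2000016e = 0;
*(uint8_t*)0x2000016f = 0;
*(uint8_t*)0x20000170 = 0;
*(uint8_t*)0x20000171 = 0;
*(uint8_t*)0x20000172 = 0;
*(uint8_t*)0x20000173 = 0;
/* "ipddp0" followed by NUL padding to 16 bytes. */
memcpy((void*)0x20000174, "\x69\x70\x64\x64\x70\x30\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", 16);
syscall(__NR_ioctl, r[23], 0x8955, 0x20000140);
break;
case 81:
  /* mkdirat() relative to the cwd: 0xffffff9c is AT_FDCWD (-100) as a 32-bit value. */
  memcpy((void*)0x20000500, "./file0/file0", 14);
  syscall(__NR_mkdirat, 0xffffff9c, 0x20000500, 0);
  break;
case 82:
  *(uint64_t*)0x200000c0 = 0;
  *(uint64_t*)0x200000c8 = 0;
  *(uint64_t*)0x200000d0 = 0;
  syscall(__NR_ioctl, -1, 0x8941, 0x200000c0);
  break;
case 83:
  syscall(__NR_read, -1, 0x20000180, 0xff4e);
  break;
case 84:
  syscall(__NR_read, -1, 0x20000280, 1);
  break;
case 85:
  /* syz_open_dev() (above) substitutes the '#' with the digit 9. */
  memcpy((void*)0x20000080, "/dev/usbmon#", 13);
  syz_open_dev(0x20000080, 9, 0x103800);
  break;
case 86:
  /* Re-maps three pages inside the data region with PROT_EXEC (4) only,
   * MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE (0x32). */
  syscall(__NR_mmap, 0x20011000, 0x3000, 4, 0x32, -1, 0);
  break;
case 87:
  syscall(__NR_fcntl, -1, 0x406, -1);
  break;
case 88:
  /* The two memcpy()s build the single NUL-terminated name "os2.wlan1]@". */
  memcpy((void*)0x20000240, "./file0", 8);
  memcpy((void*)0x20000280, "os2.", 4);
  memcpy((void*)0x20000284, "wlan1]@", 8);
  syscall(__NR_getxattr, 0x20000240, 0x20000280, 0x200002c0, 0x84);
  break;
case 89:
  syscall(__NR_close, -1);
  break;
case 90:
  syscall(__NR_rt_sigpending, 0x200002c0, 8);
  break;
}
}

/* Runs the 91-call program twice: once plainly, then again with the
 * file-level `collide` flag set. execute() and `collide` are defined
 * above this chunk; presumably the second pass lets execute() issue the
 * calls concurrently to widen race windows -- confirm in execute(). */
void execute_one()
{
  execute(91);
  collide = 1;
  execute(91);
}

/*
 * Entry point of the syzkaller reproducer.
 *
 * Maps the fixed 16 MiB data region at 0x20000000 that every case above
 * writes through raw pointers, then forks 8 workers that each loop
 * forever: return to the starting cwd, create a fresh temporary dir
 * (use_temporary_dir(), above) and run loop(). The parent only sleeps;
 * nothing here ever exits normally.
 *
 * Run this only in a disposable VM. It is meant to crash the kernel, it
 * never terminates on its own, and the cases above open device nodes,
 * create sockets/interfaces and unshare namespaces without cleaning up.
 *
 * Failures of the setup calls are reported through fail() (above), which
 * exits with the retry status on ENOMEM/EAGAIN and the fail status
 * otherwise, so a host-side problem is not mistaken for the kernel bug.
 */
int main()
{
  /* PROT_READ|PROT_WRITE (3), MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE (0x32).
   * If this fails (e.g. the address is already occupied), the first store
   * to 0x2000xxxx would SIGSEGV in user space, which looks nothing like
   * the kernel crash being reproduced -- so check the raw return value. */
  long mapped = syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0);
  if (mapped == -1)
    fail("mmap of the 0x20000000 data region failed");

  /* Each worker chdir()s back here before making its own temp dir. */
  char* cwd = get_current_dir_name();
  if (!cwd)
    fail("get_current_dir_name failed");

  /* `procid` is a file-level variable read by the cases above; it is
   * inherited by each child at the value it had when that child forked. */
  for (procid = 0; procid < 8; procid++) {
    pid_t pid = fork();
    if (pid == -1)
      fail("fork failed"); /* EAGAIN maps to the retry status */
    if (pid == 0) {
      for (;;) {
        if (chdir(cwd))
          fail("failed to chdir");
        use_temporary_dir();
        loop();
      }
    }
  }

  /* Parent: keep the process group alive while the workers run. */
  sleep(1000000);
  return 0;
}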