// https://syzkaller.appspot.com/bug?id=0e3c97f1c4112e102c9988afd5eff079350eab7f
// autogenerated by syzkaller (https://github.com/google/syzkaller)

#define _GNU_SOURCE

// NOTE(review): the header name that followed each #include below is missing
// from this listing. The 25 directives are kept exactly as found; the names
// have to be restored before the file will compile.
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include

#ifndef __NR_memfd_create
#define __NR_memfd_create 319
#endif

// Appended to "dummy_udc." and "/dev/loop" below to build per-process device
// names. Nothing in the visible part of the file assigns it.
static unsigned long long procid;

// Sleeps for `ms` milliseconds via usleep().
static void sleep_ms(uint64_t ms)
{
  usleep(ms * 1000);
}

// Returns CLOCK_MONOTONIC time in milliseconds; exits the process with status
// 1 if clock_gettime() fails.
static uint64_t current_time_ms(void)
{
  struct timespec ts;
  if (clock_gettime(CLOCK_MONOTONIC, &ts))
    exit(1);
  return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}

// Formats `what` printf-style and writes the result to the existing file
// `file` (opened O_WRONLY | O_CLOEXEC, never created).
// Returns true only when the whole formatted string was written in a single
// write(). On a short or failed write the errno from write() is preserved
// across close().
static bool write_file(const char* file, const char* what, ...)
{
  char buf[1024];
  va_list args;
  va_start(args, what);
  // Output longer than the buffer is truncated by vsnprintf without any
  // error being reported to the caller.
  vsnprintf(buf, sizeof(buf), what, args);
  va_end(args);
  buf[sizeof(buf) - 1] = 0;
  int len = strlen(buf);
  int fd = open(file, O_WRONLY | O_CLOEXEC);
  if (fd == -1)
    return false;
  if (write(fd, buf, len) != len) {
    int err = errno;
    close(fd);
    errno = err;
    return false;
  }
  close(fd);
  return true;
}

// Upper bound on the raw-gadget fd value accepted by syz_usb_connect_impl().
#define MAX_FDS 30

// Capacity limits of the descriptor index built by parse_usb_descriptor().
#define USB_MAX_IFACE_NUM 4
#define USB_MAX_EP_NUM 32
// Number of slots in the usb_devices table.
#define USB_MAX_FDS 6

// One endpoint: a copy of its descriptor plus the value returned by
// usb_raw_ep_enable() for it (stored by set_interface()).
struct usb_endpoint_index {
  struct usb_endpoint_descriptor desc;
  int handle;
};

// One interface descriptor found in the blob, with a few fields cached and
// the endpoints that followed it.
struct usb_iface_index {
  struct usb_interface_descriptor* iface; // points into the caller's buffer
  uint8_t bInterfaceNumber;
  uint8_t bAlternateSetting;
  uint8_t bInterfaceClass;
  struct usb_endpoint_index eps[USB_MAX_EP_NUM];
  int eps_num;
};

// Parsed view of a device + configuration descriptor blob.
struct usb_device_index {
  struct usb_device_descriptor* dev; // points into the caller's buffer
  struct usb_config_descriptor* config; // points into the caller's buffer
  uint8_t bDeviceClass;
  uint8_t bMaxPower;
  int config_length; // blob length minus sizeof(*dev)
  struct usb_iface_index ifaces[USB_MAX_IFACE_NUM];
  int ifaces_num;
  int iface_cur; // position in ifaces[] of the enabled interface, -1 if none
};

// Table entry tying a raw-gadget fd to its parsed descriptors.
struct usb_info {
  int fd;
  struct usb_device_index index;
};

static struct usb_info usb_devices[USB_MAX_FDS];

// Returns the index registered for `fd`, or NULL when no slot holds that fd.
// NOTE(review): the table has static storage, so slots that were never
// registered hold fd == 0; a lookup for fd 0 therefore matches an unused slot.
static struct usb_device_index* lookup_usb_index(int fd)
{
  for (int i = 0; i < USB_MAX_FDS; i++) {
    // Acquire load pairs with the release store in add_usb_index().
    if (__atomic_load_n(&usb_devices[i].fd, __ATOMIC_ACQUIRE) == fd)
      return &usb_devices[i].index;
  }
  return NULL;
}

// Number of slots handed out so far; only ever incremented.
static int usb_devices_num;

// Builds `index` from the descriptor blob `buffer` of `length` bytes.
// Returns false (leaving `index` untouched) when the blob is shorter than a
// device descriptor plus a configuration descriptor.
// The dev/config/iface pointers stored in `index` alias `buffer`; nothing is
// copied except endpoint descriptors, so `buffer` must outlive `index`.
static bool parse_usb_descriptor(const char* buffer, size_t length, struct usb_device_index* index)
{
  if (length < sizeof(*index->dev) + sizeof(*index->config))
    return false;
  memset(index, 0, sizeof(*index));
  index->dev = (struct usb_device_descriptor*)buffer;
  index->config = (struct usb_config_descriptor*)(buffer + sizeof(*index->dev));
  index->bDeviceClass = index->dev->bDeviceClass;
  index->bMaxPower = index->config->bMaxPower;
  index->config_length = length - sizeof(*index->dev);
  index->iface_cur = -1;
  size_t offset = 0;
  // Walk the length-prefixed descriptors starting at the device descriptor.
  while (true) {
    // Need at least the bLength and bDescriptorType bytes.
    if (offset + 1 >= length)
      break;
    uint8_t desc_length = buffer[offset];
    uint8_t desc_type = buffer[offset + 1];
    // A length of 2 or less stops the walk (also guarantees forward progress).
    if (desc_length <= 2)
      break;
    // Stop at a descriptor that claims to extend past the blob.
    if (offset + desc_length > length)
      break;
    // Interfaces beyond USB_MAX_IFACE_NUM are silently ignored.
    if (desc_type == USB_DT_INTERFACE && index->ifaces_num < USB_MAX_IFACE_NUM) {
      struct usb_interface_descriptor* iface = (struct usb_interface_descriptor*)(buffer + offset);
      index->ifaces[index->ifaces_num].iface = iface;
      index->ifaces[index->ifaces_num].bInterfaceNumber = iface->bInterfaceNumber;
      index->ifaces[index->ifaces_num].bAlternateSetting = iface->bAlternateSetting;
      index->ifaces[index->ifaces_num].bInterfaceClass = iface->bInterfaceClass;
      index->ifaces_num++;
    }
    // An endpoint is attached to the most recently recorded interface.
    if (desc_type == USB_DT_ENDPOINT && index->ifaces_num > 0) {
      struct usb_iface_index* iface = &index->ifaces[index->ifaces_num - 1];
      if (iface->eps_num < USB_MAX_EP_NUM) {
        // NOTE(review): this copies sizeof(desc) bytes, not desc_length. The
        // bounds check above only covers desc_length, so a descriptor shorter
        // than the struct at the very end of the blob would be read past
        // `length` - confirm the struct size against the header.
        memcpy(&iface->eps[iface->eps_num].desc, buffer + offset, sizeof(iface->eps[iface->eps_num].desc));
        iface->eps_num++;
      }
    }
    offset += desc_length;
  }
  return true;
}

// Reserves the next table slot, parses `dev` into it and publishes `fd`.
// Returns the slot's index, or NULL when the table is full or parsing fails.
// The slot counter is not rolled back on failure, so a failed call still
// consumes a slot.
static struct usb_device_index* add_usb_index(int fd, const char* dev, size_t dev_len)
{
  int i = __atomic_fetch_add(&usb_devices_num, 1, __ATOMIC_RELAXED);
  if (i >= USB_MAX_FDS)
    return NULL;
  if (!parse_usb_descriptor(dev, dev_len, &usb_devices[i].index))
    return NULL;
  // Release store: the parsed index is written before the fd becomes visible
  // to lookup_usb_index().
  __atomic_store_n(&usb_devices[i].fd, fd, __ATOMIC_RELEASE);
  return &usb_devices[i].index;
}

// Caller-supplied string descriptor: `len` bytes at `str`.
struct vusb_connect_string_descriptor {
  uint32_t len;
  char* str;
} __attribute__((packed));

// Optional caller-supplied responses for qualifier, BOS and string requests.
struct vusb_connect_descriptors {
  uint32_t qual_len;
  char* qual;
  uint32_t bos_len;
  char* bos;
  uint32_t strs_len; // number of entries in strs[]
  struct vusb_connect_string_descriptor strs[0];
} __attribute__((packed));

// Fallback string descriptor ("syz" as 16-bit characters) and fallback answer
// for string index 0; byte 0 of each is its own length.
static const char default_string[] = {8, USB_DT_STRING, 's', 0, 'y', 0, 'z', 0};

static const char default_lang_id[] = {4, USB_DT_STRING, 0x09, 0x04};

// Chooses the reply to a device-to-host control request during enumeration.
// Only standard GET_DESCRIPTOR is answered: device, config, string, BOS and
// device qualifier. On success sets *response_data / *response_length and
// returns true; returns false for an unknown fd or any other request, and the
// caller then stalls endpoint 0.
// `qual` is caller-provided scratch space used when a qualifier has to be
// synthesised from the device descriptor.
// NOTE(review): `descs` is dereferenced without a NULL check in the
// USB_DT_BOS and USB_DT_DEVICE_QUALIFIER cases, while the USB_DT_STRING case
// explicitly allows for a NULL `descs`. With descs == NULL either request
// faults in this process.
// NOTE(review): the lengths returned here (config_length, strs[].len, bos_len,
// qual_len) are taken from the caller as given; the only bound applied later
// is the clamp in syz_usb_connect_impl().
static bool lookup_connect_response_in(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, struct usb_qualifier_descriptor* qual, char** response_data, uint32_t* response_length)
{
  struct usb_device_index* index = lookup_usb_index(fd);
  uint8_t str_idx;
  if (!index)
    return false;
  switch (ctrl->bRequestType & USB_TYPE_MASK) {
  case USB_TYPE_STANDARD:
    switch (ctrl->bRequest) {
    case USB_REQ_GET_DESCRIPTOR:
      // High byte of wValue selects the descriptor type.
      switch (ctrl->wValue >> 8) {
      case USB_DT_DEVICE:
        *response_data = (char*)index->dev;
        *response_length = sizeof(*index->dev);
        return true;
      case USB_DT_CONFIG:
        *response_data = (char*)index->config;
        *response_length = index->config_length;
        return true;
      case USB_DT_STRING:
        // Low byte of wValue is the string index.
        str_idx = (uint8_t)ctrl->wValue;
        if (descs && str_idx < descs->strs_len) {
          *response_data = descs->strs[str_idx].str;
          *response_length = descs->strs[str_idx].len;
          return true;
        }
        if (str_idx == 0) {
          *response_data = (char*)&default_lang_id[0];
          *response_length = default_lang_id[0];
          return true;
        }
        *response_data = (char*)&default_string[0];
        *response_length = default_string[0];
        return true;
      case USB_DT_BOS:
        *response_data = descs->bos;
        *response_length = descs->bos_len;
        return true;
      case USB_DT_DEVICE_QUALIFIER:
        if (!descs->qual) {
          // No qualifier supplied: build one from the device descriptor.
          qual->bLength = sizeof(*qual);
          qual->bDescriptorType = USB_DT_DEVICE_QUALIFIER;
          qual->bcdUSB = index->dev->bcdUSB;
          qual->bDeviceClass = index->dev->bDeviceClass;
          qual->bDeviceSubClass = index->dev->bDeviceSubClass;
          qual->bDeviceProtocol = index->dev->bDeviceProtocol;
          qual->bMaxPacketSize0 = index->dev->bMaxPacketSize0;
          qual->bNumConfigurations = index->dev->bNumConfigurations;
          qual->bRESERVED = 0;
          *response_data = (char*)qual;
          *response_length = sizeof(*qual);
          return true;
        }
        *response_data = descs->qual;
        *response_length = descs->qual_len;
        return true;
      default:
        break;
      }
      break;
    default:
      break;
    }
    break;
  default:
    break;
  }
  return false;
}

// Handler type for host-to-device control requests during enumeration.
// Returns true to accept the request; sets *done to end the enumeration loop.
typedef bool (*lookup_connect_out_response_t)(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done);

// Accepts only standard SET_CONFIGURATION, which also sets *done. `fd` and
// `descs` are unused.
static bool lookup_connect_response_out_generic(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done)
{
  switch (ctrl->bRequestType & USB_TYPE_MASK) {
  case USB_TYPE_STANDARD:
    switch (ctrl->bRequest) {
    case USB_REQ_SET_CONFIGURATION:
      *done = true;
      return true;
    default:
      break;
    }
    break;
  }
  return false;
}

// Local definitions of the structures and ioctl numbers used with
// /dev/raw-gadget. Presumably these mirror the kernel's raw-gadget UAPI
// header - verify against the target kernel.
#define UDC_NAME_LENGTH_MAX 128

struct usb_raw_init {
  __u8 driver_name[UDC_NAME_LENGTH_MAX];
  __u8 device_name[UDC_NAME_LENGTH_MAX];
  __u8 speed;
};

enum usb_raw_event_type {
  USB_RAW_EVENT_INVALID = 0,
  USB_RAW_EVENT_CONNECT = 1,
  USB_RAW_EVENT_CONTROL = 2,
};

struct usb_raw_event {
  __u32 type;
  __u32 length;
  __u8 data[0];
};

struct usb_raw_ep_io {
  __u16 ep;
  __u16 flags;
  __u32 length;
  __u8 data[0];
};

#define USB_RAW_EPS_NUM_MAX 30
#define USB_RAW_EP_NAME_MAX 16
#define USB_RAW_EP_ADDR_ANY 0xff

struct usb_raw_ep_caps {
  __u32 type_control : 1;
  __u32 type_iso : 1;
  __u32 type_bulk : 1;
  __u32 type_int : 1;
  __u32 dir_in : 1;
  __u32 dir_out : 1;
};

struct usb_raw_ep_limits {
  __u16 maxpacket_limit;
  __u16 max_streams;
  __u32 reserved;
};

struct usb_raw_ep_info {
  __u8 name[USB_RAW_EP_NAME_MAX];
  __u32 addr;
  struct usb_raw_ep_caps caps;
  struct usb_raw_ep_limits limits;
};

struct usb_raw_eps_info {
  struct usb_raw_ep_info eps[USB_RAW_EPS_NUM_MAX];
};

#define USB_RAW_IOCTL_INIT _IOW('U', 0, struct usb_raw_init)
#define USB_RAW_IOCTL_RUN _IO('U', 1)
#define USB_RAW_IOCTL_EVENT_FETCH _IOR('U', 2, struct usb_raw_event)
#define USB_RAW_IOCTL_EP0_WRITE _IOW('U', 3, struct usb_raw_ep_io)
#define USB_RAW_IOCTL_EP0_READ _IOWR('U', 4, struct usb_raw_ep_io)
#define USB_RAW_IOCTL_EP_ENABLE _IOW('U', 5, struct usb_endpoint_descriptor)
#define USB_RAW_IOCTL_EP_DISABLE _IOW('U', 6, __u32)
#define USB_RAW_IOCTL_EP_WRITE _IOW('U', 7, struct usb_raw_ep_io)
#define USB_RAW_IOCTL_EP_READ _IOWR('U', 8, struct usb_raw_ep_io)
#define USB_RAW_IOCTL_CONFIGURE _IO('U', 9)
#define USB_RAW_IOCTL_VBUS_DRAW _IOW('U', 10, __u32)
#define USB_RAW_IOCTL_EPS_INFO _IOR('U', 11, struct usb_raw_eps_info)
#define USB_RAW_IOCTL_EP0_STALL _IO('U', 12)
#define USB_RAW_IOCTL_EP_SET_HALT _IOW('U', 13, __u32)
#define USB_RAW_IOCTL_EP_CLEAR_HALT _IOW('U', 14, __u32)
#define USB_RAW_IOCTL_EP_SET_WEDGE _IOW('U', 15, __u32)

// Thin wrappers: each issues exactly one open()/ioctl() on the raw-gadget fd
// and returns its result unchanged.

// Opens /dev/raw-gadget read-write.
static int usb_raw_open()
{
  return open("/dev/raw-gadget", O_RDWR);
}

// Issues USB_RAW_IOCTL_INIT with the given driver name, device name and speed.
// strncpy() zero-pads short names, so both name arrays are fully written, but
// a name of UDC_NAME_LENGTH_MAX characters or more is left without a NUL
// terminator. `speed` is narrowed to __u8.
static int usb_raw_init(int fd, uint32_t speed, const char* driver, const char* device)
{
  struct usb_raw_init arg;
  strncpy((char*)&arg.driver_name[0], driver, sizeof(arg.driver_name));
  strncpy((char*)&arg.device_name[0], device, sizeof(arg.device_name));
  arg.speed = speed;
  return ioctl(fd, USB_RAW_IOCTL_INIT, &arg);
}

static int usb_raw_run(int fd)
{
  return ioctl(fd, USB_RAW_IOCTL_RUN, 0);
}

static int usb_raw_configure(int fd)
{
  return ioctl(fd, USB_RAW_IOCTL_CONFIGURE, 0);
}

// `power` is passed by value as the ioctl argument, not through a pointer.
static int usb_raw_vbus_draw(int fd, uint32_t power)
{
  return ioctl(fd, USB_RAW_IOCTL_VBUS_DRAW, power);
}

static int usb_raw_ep0_write(int fd, struct usb_raw_ep_io* io)
{
  return ioctl(fd, USB_RAW_IOCTL_EP0_WRITE, io);
}

static int usb_raw_ep0_read(int fd, struct usb_raw_ep_io* io)
{
  return ioctl(fd, USB_RAW_IOCTL_EP0_READ, io);
}

static int usb_raw_event_fetch(int fd, struct usb_raw_event* event)
{
  return ioctl(fd, USB_RAW_IOCTL_EVENT_FETCH, event);
}

static int usb_raw_ep_enable(int fd, struct usb_endpoint_descriptor* desc)
{
  return ioctl(fd, USB_RAW_IOCTL_EP_ENABLE, desc);
}

// `ep` is passed by value as the ioctl argument.
static int usb_raw_ep_disable(int fd, int ep)
{
  return ioctl(fd, USB_RAW_IOCTL_EP_DISABLE, ep);
}

static int usb_raw_ep0_stall(int fd)
{
  return ioctl(fd, USB_RAW_IOCTL_EP0_STALL, 0);
}

// Size of the payload buffers in the two wrapper structs below.
#define USB_MAX_PACKET_SIZE 4096

// usb_raw_event header followed by room for a control request and payload.
struct usb_raw_control_event {
  struct usb_raw_event inner;
  struct usb_ctrlrequest ctrl;
  char data[USB_MAX_PACKET_SIZE];
};

// usb_raw_ep_io header followed by a fixed-size payload buffer.
struct usb_raw_ep_io_data {
  struct usb_raw_ep_io inner;
  char data[USB_MAX_PACKET_SIZE];
};

// Disables the endpoints of the currently enabled interface (if any), then
// enables the endpoints of ifaces[n] and records n as current.
// `n` is a position in the parsed ifaces[] array, not a bInterfaceNumber.
// Does nothing for an unknown fd; an out-of-range n only performs the disable
// step. Failures of the individual ioctls are ignored.
static void set_interface(int fd, int n)
{
  struct usb_device_index* index = lookup_usb_index(fd);
  if (!index)
    return;
  if (index->iface_cur >= 0 && index->iface_cur < index->ifaces_num) {
    for (int ep = 0; ep < index->ifaces[index->iface_cur].eps_num; ep++) {
      int rv = usb_raw_ep_disable(fd, index->ifaces[index->iface_cur].eps[ep].handle);
      // Both outcomes are deliberately left unhandled.
      if (rv < 0) {
      } else {
      }
    }
  }
  if (n >= 0 && n < index->ifaces_num) {
    for (int ep = 0; ep < index->ifaces[n].eps_num; ep++) {
      int rv = usb_raw_ep_enable(fd, &index->ifaces[n].eps[ep].desc);
      if (rv < 0) {
      } else {
        // Keep the returned value; it is what gets passed to the disable call.
        index->ifaces[n].eps[ep].handle = rv;
      }
    }
    index->iface_cur = n;
  }
}

// Issues VBUS_DRAW with the cached bMaxPower, then CONFIGURE, then enables
// the first parsed interface. Returns -1 for an unknown fd, the failing
// ioctl's result on error, 0 otherwise.
static int configure_device(int fd)
{
  struct usb_device_index* index = lookup_usb_index(fd);
  if (!index)
    return -1;
  int rv = usb_raw_vbus_draw(fd, index->bMaxPower);
  if (rv < 0) {
    return rv;
  }
  rv = usb_raw_configure(fd);
  if (rv < 0) {
    return rv;
  }
  set_interface(fd, 0);
  return 0;
}

// Emulates a USB device through /dev/raw-gadget on UDC "dummy_udc.<procid>"
// and answers control requests until an OUT handler sets `done`.
//   speed   - passed to usb_raw_init()
//   dev_len - length of the descriptor blob at `dev`
//   dev     - device descriptor immediately followed by the configuration
//             descriptors; must stay valid, the index points into it
//   descs   - optional extra descriptors, forwarded to the lookup helpers
//   lookup_connect_response_out - handler for host-to-device requests
// Returns the raw-gadget fd on success, a negative value on failure.
// NOTE(review): apart from the fd >= MAX_FDS case, every failure path after
// usb_raw_open() returns without closing `fd`.
static volatile long syz_usb_connect_impl(uint64_t speed, uint64_t dev_len, const char* dev, const struct vusb_connect_descriptors* descs, lookup_connect_out_response_t lookup_connect_response_out)
{
  if (!dev) {
    return -1;
  }
  int fd = usb_raw_open();
  if (fd < 0) {
    return fd;
  }
  if (fd >= MAX_FDS) {
    close(fd);
    return -1;
  }
  struct usb_device_index* index = add_usb_index(fd, dev, dev_len);
  if (!index) {
    return -1;
  }
  char device[32];
  // "dummy_udc." (10 chars) plus at most 20 decimal digits and the NUL fit in
  // the 32-byte buffer.
  sprintf(&device[0], "dummy_udc.%llu", procid);
  int rv = usb_raw_init(fd, speed, "dummy_udc", &device[0]);
  if (rv < 0) {
    return rv;
  }
  rv = usb_raw_run(fd);
  if (rv < 0) {
    return rv;
  }
  bool done = false;
  while (!done) {
    struct usb_raw_control_event event;
    event.inner.type = 0;
    // Offer only the control-request part of the buffer to the fetch ioctl.
    event.inner.length = sizeof(event.ctrl);
    rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event);
    if (rv < 0) {
      return rv;
    }
    // Everything except control events is ignored.
    if (event.inner.type != USB_RAW_EVENT_CONTROL)
      continue;
    char* response_data = NULL;
    uint32_t response_length = 0;
    struct usb_qualifier_descriptor qual;
    if (event.ctrl.bRequestType & USB_DIR_IN) {
      if (!lookup_connect_response_in(fd, descs, &event.ctrl, &qual, &response_data, &response_length)) {
        usb_raw_ep0_stall(fd);
        continue;
      }
    } else {
      if (!lookup_connect_response_out(fd, descs, &event.ctrl, &done)) {
        usb_raw_ep0_stall(fd);
        continue;
      }
      // Host-to-device: nothing to send, read wLength bytes from the host.
      response_data = NULL;
      response_length = event.ctrl.wLength;
    }
    // SET_CONFIGURATION is acted on before the control transfer is completed.
    if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD && event.ctrl.bRequest == USB_REQ_SET_CONFIGURATION) {
      rv = configure_device(fd);
      if (rv < 0) {
        return rv;
      }
    }
    struct usb_raw_ep_io_data response;
    response.inner.ep = 0;
    response.inner.flags = 0;
    // A length that does not fit the local buffer is replaced by 0 rather
    // than truncated; the result is then capped at the host's wLength.
    if (response_length > sizeof(response.data))
      response_length = 0;
    if (event.ctrl.wLength < response_length)
      response_length = event.ctrl.wLength;
    response.inner.length = response_length;
    if (response_data)
      memcpy(&response.data[0], response_data, response_length);
    else
      memset(&response.data[0], 0, response_length);
    if (event.ctrl.bRequestType & USB_DIR_IN) {
      rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response);
    } else {
      rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response);
    }
    if (rv < 0) {
      return rv;
    }
  }
  // Fixed 200 ms pause after enumeration before the fd is handed back.
  sleep_ms(200);
  return fd;
}

// Pseudo-syscall entry point: a0 = speed, a1 = dev_len, a2 = pointer to the
// descriptor blob, a3 = pointer to struct vusb_connect_descriptors (may be 0).
// Uses the generic OUT handler. The casts trust the caller's raw values.
static volatile long syz_usb_connect(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
  uint64_t speed = a0;
  uint64_t dev_len = a1;
  const char* dev = (const char*)a2;
  const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3;
  return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_generic);
}

//% This code is derived from puff.{c,h}, found in the zlib development.
The //% original files come with the following copyright notice: //% Copyright (C) 2002-2013 Mark Adler, all rights reserved //% version 2.3, 21 Jan 2013 //% This software is provided 'as-is', without any express or implied //% warranty. In no event will the author be held liable for any damages //% arising from the use of this software. //% Permission is granted to anyone to use this software for any purpose, //% including commercial applications, and to alter it and redistribute it //% freely, subject to the following restrictions: //% 1. The origin of this software must not be misrepresented; you must not //% claim that you wrote the original software. If you use this software //% in a product, an acknowledgment in the product documentation would be //% appreciated but is not required. //% 2. Altered source versions must be plainly marked as such, and must not be //% misrepresented as being the original software. //% 3. This notice may not be removed or altered from any source distribution. 
//% Mark Adler madler@alumni.caltech.edu

//% BEGIN CODE DERIVED FROM puff.{c,h}

// Limits used to size the Huffman tables below.
#define MAXBITS 15
#define MAXLCODES 286
#define MAXDCODES 30
#define MAXCODES (MAXLCODES + MAXDCODES)
#define FIXLCODES 288

// Decoder state: output and input buffers with their cursors, a bit buffer,
// and the jump target used when the input runs out.
struct puff_state {
  unsigned char* out;
  unsigned long outlen;
  unsigned long outcnt;
  const unsigned char* in;
  unsigned long inlen;
  unsigned long incnt;
  int bitbuf;
  int bitcnt;
  jmp_buf env;
};

// Returns the next `need` bits of input, least significant bit first,
// refilling the bit buffer one byte at a time. Does not return when the input
// is exhausted: it longjmp()s to s->env instead.
static int puff_bits(struct puff_state* s, int need)
{
  long val = s->bitbuf;
  while (s->bitcnt < need) {
    if (s->incnt == s->inlen)
      longjmp(s->env, 1);
    val |= (long)(s->in[s->incnt++]) << s->bitcnt;
    s->bitcnt += 8;
  }
  s->bitbuf = (int)(val >> need);
  s->bitcnt -= need;
  return (int)(val & ((1L << need) - 1));
}

// Handles a stored (uncompressed) block.
// Returns 0 on success, 2 if the input is too short, -2 if the length and its
// one's complement disagree, 1 if the output buffer is too small.
static int puff_stored(struct puff_state* s)
{
  // Drop any bits left over from the block header.
  s->bitbuf = 0;
  s->bitcnt = 0;
  if (s->incnt + 4 > s->inlen)
    return 2;
  unsigned len = s->in[s->incnt++];
  len |= s->in[s->incnt++] << 8;
  if (s->in[s->incnt++] != (~len & 0xff) || s->in[s->incnt++] != ((~len >> 8) & 0xff))
    return -2;
  if (s->incnt + len > s->inlen)
    return 2;
  if (s->outcnt + len > s->outlen)
    return 1;
  for (; len--; s->outcnt++, s->incnt++) {
    // Zero bytes are skipped, not stored: the output is presumably expected
    // to start out zero-filled (the caller in this file passes a fresh
    // anonymous mapping).
    if (s->in[s->incnt])
      s->out[s->outcnt] = s->in[s->incnt];
  }
  return 0;
}

// Huffman table: count[len] = number of codes of each bit length, symbol[] =
// symbols ordered by code.
struct puff_huffman {
  short* count;
  short* symbol;
};

// Decodes one symbol using table `h`, consuming input one bit at a time.
// Returns the symbol, or -10 if no code matched within MAXBITS bits.
// longjmp()s to s->env when the input runs out.
static int puff_decode(struct puff_state* s, const struct puff_huffman* h)
{
  int first = 0;
  int index = 0;
  int bitbuf = s->bitbuf;
  int left = s->bitcnt;
  int code = first = index = 0;
  int len = 1;
  short* next = h->count + 1;
  while (1) {
    while (left--) {
      code |= bitbuf & 1;
      bitbuf >>= 1;
      int count = *next++;
      // The code of this length falls in the current range: symbol found.
      if (code - count < first) {
        s->bitbuf = bitbuf;
        s->bitcnt = (s->bitcnt - len) & 7;
        return h->symbol[index + (code - first)];
      }
      index += count;
      first += count;
      first <<= 1;
      code <<= 1;
      len++;
    }
    left = (MAXBITS + 1) - len;
    if (left == 0)
      break;
    if (s->incnt == s->inlen)
      longjmp(s->env, 1);
    bitbuf = s->in[s->incnt++];
    if (left > 8)
      left = 8;
  }
  return -10;
}

// Fills table `h` from the `n` code lengths in `length`.
// Returns 0 if every length is zero or the code set is complete, a negative
// value if it is over-subscribed, a positive value if it is incomplete.
// length[] values are used as indexes into h->count without a range check.
static int puff_construct(struct puff_huffman* h, const short* length, int n)
{
  int len;
  for (len = 0; len <= MAXBITS; len++)
    h->count[len] = 0;
  int symbol;
  for (symbol = 0; symbol < n; symbol++)
    (h->count[length[symbol]])++;
  if (h->count[0] == n)
    return 0;
  // `left` tracks how many codes remain available at each length.
  int left = 1;
  for (len = 1; len <= MAXBITS; len++) {
    left <<= 1;
    left -= h->count[len];
    if (left < 0)
      return left;
  }
  // offs[len] = position in symbol[] of the first symbol with that length.
  short offs[MAXBITS + 1];
  offs[1] = 0;
  for (len = 1; len < MAXBITS; len++)
    offs[len + 1] = offs[len] + h->count[len];
  for (symbol = 0; symbol < n; symbol++)
    if (length[symbol] != 0)
      h->symbol[offs[length[symbol]]++] = symbol;
  return left;
}

// Decodes literal/length and distance codes until the end-of-block symbol
// (256). Returns 0 on success, 1 when the output buffer is full, -10 for an
// invalid length symbol, -11 for a distance that reaches before the start of
// the output, or a negative value passed up from puff_decode().
static int puff_codes(struct puff_state* s, const struct puff_huffman* lencode, const struct puff_huffman* distcode)
{
  // Base value and number of extra bits for each length / distance symbol.
  static const short lens[29] = {3, 4, 5, 6, 7, 8, 9, 10, 11, 13, 15, 17, 19, 23, 27, 31, 35, 43, 51, 59, 67, 83, 99, 115, 131, 163, 195, 227, 258};
  static const short lext[29] = {0, 0, 0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 2, 2, 2, 2, 3, 3, 3, 3, 4, 4, 4, 4, 5, 5, 5, 5, 0};
  static const short dists[30] = {1, 2, 3, 4, 5, 7, 9, 13, 17, 25, 33, 49, 65, 97, 129, 193, 257, 385, 513, 769, 1025, 1537, 2049, 3073, 4097, 6145, 8193, 12289, 16385, 24577};
  static const short dext[30] = {0, 0, 0, 0, 1, 1, 2, 2, 3, 3, 4, 4, 5, 5, 6, 6, 7, 7, 8, 8, 9, 9, 10, 10, 11, 11, 12, 12, 13, 13};
  int symbol;
  do {
    symbol = puff_decode(s, lencode);
    if (symbol < 0)
      return symbol;
    if (symbol < 256) {
      // Literal byte; a zero literal only advances the output cursor.
      if (s->outcnt == s->outlen)
        return 1;
      if (symbol)
        s->out[s->outcnt] = symbol;
      s->outcnt++;
    } else if (symbol > 256) {
      // Length/distance pair: copy `len` bytes from `dist` bytes back.
      symbol -= 257;
      if (symbol >= 29)
        return -10;
      int len = lens[symbol] + puff_bits(s, lext[symbol]);
      symbol = puff_decode(s, distcode);
      if (symbol < 0)
        return symbol;
      unsigned dist = dists[symbol] + puff_bits(s, dext[symbol]);
      if (dist > s->outcnt)
        return -11;
      if (s->outcnt + len > s->outlen)
        return 1;
      while (len--) {
        // As with literals, zero source bytes are not written.
        if (dist <= s->outcnt && s->out[s->outcnt - dist])
          s->out[s->outcnt] = s->out[s->outcnt - dist];
        s->outcnt++;
      }
    }
  } while (symbol != 256);
  return 0;
}

// Decodes a block that uses the fixed Huffman tables. The tables live in
// function-static storage and are built on the first call, guarded only by
// the plain `virgin` flag.
static int puff_fixed(struct puff_state* s)
{
  static int virgin = 1;
  static short lencnt[MAXBITS + 1], lensym[FIXLCODES];
  static short distcnt[MAXBITS + 1], distsym[MAXDCODES];
  static struct puff_huffman lencode, distcode;
  if (virgin) {
    lencode.count = lencnt;
    lencode.symbol = lensym;
    distcode.count = distcnt;
    distcode.symbol = distsym;
    short lengths[FIXLCODES];
    int symbol;
    // Literal/length code lengths by symbol range: 8, 9, 7, 8 bits.
    for (symbol = 0; symbol < 144; symbol++)
      lengths[symbol] = 8;
    for (; symbol < 256; symbol++)
      lengths[symbol] = 9;
    for (; symbol < 280; symbol++)
      lengths[symbol] = 7;
    for (; symbol < FIXLCODES; symbol++)
      lengths[symbol] = 8;
    puff_construct(&lencode, lengths, FIXLCODES);
    // All distance codes are 5 bits long.
    for (symbol = 0; symbol < MAXDCODES; symbol++)
      lengths[symbol] = 5;
    puff_construct(&distcode, lengths, MAXDCODES);
    virgin = 0;
  }
  return puff_codes(s, &lencode, &distcode);
}

// Decodes a block that carries its own Huffman tables: reads the code-length
// code, then the literal/length and distance code lengths, builds both tables
// and decodes the data.
// Returns the result of puff_codes(), or: -3 too many length/distance codes,
// -4 bad code-length code, -5 repeat with no previous length, -6 repeat past
// the end, -7 bad literal/length code, -8 bad distance code, -9 no
// end-of-block code; negative values from puff_decode() are passed up.
static int puff_dynamic(struct puff_state* s)
{
  // Order in which the code-length code lengths appear in the stream.
  static const short order[19] = {16, 17, 18, 0, 8, 7, 9, 6, 10, 5, 11, 4, 12, 3, 13, 2, 14, 1, 15};
  int nlen = puff_bits(s, 5) + 257;
  int ndist = puff_bits(s, 5) + 1;
  int ncode = puff_bits(s, 4) + 4;
  if (nlen > MAXLCODES || ndist > MAXDCODES)
    return -3;
  short lengths[MAXCODES];
  int index;
  for (index = 0; index < ncode; index++)
    lengths[order[index]] = puff_bits(s, 3);
  for (; index < 19; index++)
    lengths[order[index]] = 0;
  short lencnt[MAXBITS + 1], lensym[MAXLCODES];
  struct puff_huffman lencode = {lencnt, lensym};
  int err = puff_construct(&lencode, lengths, 19);
  if (err != 0)
    return -4;
  index = 0;
  while (index < nlen + ndist) {
    int symbol;
    int len;
    symbol = puff_decode(s, &lencode);
    if (symbol < 0)
      return symbol;
    if (symbol < 16)
      lengths[index++] = symbol;
    else {
      // 16 repeats the previous length, 17 and 18 repeat zero.
      len = 0;
      if (symbol == 16) {
        if (index == 0)
          return -5;
        len = lengths[index - 1];
        symbol = 3 + puff_bits(s, 2);
      } else if (symbol == 17)
        symbol = 3 + puff_bits(s, 3);
      else
        symbol = 11 + puff_bits(s, 7);
      // The repeat count is checked before lengths[] is written.
      if (index + symbol > nlen + ndist)
        return -6;
      while (symbol--)
        lengths[index++] = len;
    }
  }
  if (lengths[256] == 0)
    return -9;
  err = puff_construct(&lencode, lengths, nlen);
  // An incomplete code is tolerated only when it consists of a single code.
  if (err && (err < 0 || nlen != lencode.count[0] + lencode.count[1]))
    return -7;
  short distcnt[MAXBITS + 1], distsym[MAXDCODES];
  struct puff_huffman distcode = {distcnt, distsym};
  err = puff_construct(&distcode, lengths + nlen, ndist);
  if (err && (err < 0 || ndist != distcode.count[0] + distcode.count[1]))
    return -8;
  return puff_codes(s, &lencode, &distcode);
}

// Inflates the raw deflate stream `source` (sourcelen bytes) into `dest`.
// On entry *destlen is the capacity of `dest`; on return it is the number of
// output bytes produced, including on error.
// Returns 0 on success, 2 if the input ended early (the longjmp path), -1 for
// an invalid block type, otherwise the block decoder's error code.
static int puff(unsigned char* dest, unsigned long* destlen, const unsigned char* source, unsigned long sourcelen)
{
  struct puff_state s = {
      .out = dest,
      .outlen = *destlen,
      .outcnt = 0,
      .in = source,
      .inlen = sourcelen,
      .incnt = 0,
      .bitbuf = 0,
      .bitcnt = 0,
  };
  int err;
  // puff_bits() and puff_decode() jump back here when they run out of input.
  if (setjmp(s.env) != 0)
    err = 2;
  else {
    int last;
    do {
      last = puff_bits(&s, 1);
      int type = puff_bits(&s, 2);
      err = type == 0 ? puff_stored(&s) : (type == 1 ? puff_fixed(&s) : (type == 2 ? puff_dynamic(&s) : -1));
      if (err != 0)
        break;
    } while (!last);
  }
  *destlen = s.outcnt;
  return err;
}

//% END CODE DERIVED FROM puff.{c,h}

// Number of leading bytes skipped before inflating.
#define ZLIB_HEADER_WIDTH 2

// Inflates a zlib-wrapped buffer and writes the result to `dest_fd`.
// The two header bytes are skipped without being validated, and no check of
// any trailing checksum is visible here.
// Returns 0 on success and -1 on failure. An input shorter than the header
// also returns 0, without writing anything.
static int puff_zlib_to_file(const unsigned char* source, unsigned long sourcelen, int dest_fd)
{
  if (sourcelen < ZLIB_HEADER_WIDTH)
    return 0;
  source += ZLIB_HEADER_WIDTH;
  sourcelen -= ZLIB_HEADER_WIDTH;
  // Fixed 132 MiB scratch mapping; output that does not fit makes puff() fail.
  const unsigned long max_destlen = 132 << 20;
  void* ret = mmap(0, max_destlen, PROT_WRITE | PROT_READ, MAP_PRIVATE | MAP_ANON, -1, 0);
  if (ret == MAP_FAILED)
    return -1;
  unsigned char* dest = (unsigned char*)ret;
  unsigned long destlen = max_destlen;
  int err = puff(dest, &destlen, source, sourcelen);
  if (err) {
    munmap(dest, max_destlen);
    // NOTE(review): puff() also returns positive codes (1, 2); for those this
    // stores a negative value in errno.
    errno = -err;
    return -1;
  }
  // A short write is treated as failure; there is no retry loop.
  if (write(dest_fd, dest, destlen) != (ssize_t)destlen) {
    munmap(dest, max_destlen);
    return -1;
  }
  return munmap(dest, max_destlen);
}

// Inflates `data` into a new memfd and attaches it to the loop device
// `loopname`. On success stores the open loop fd in *loopfd_p and returns 0;
// on failure returns -1 with errno set to the first error seen and nothing
// left open.
static int setup_loop_device(unsigned char* data, unsigned long size, const char* loopname, int* loopfd_p)
{
  int err = 0, loopfd = -1;
  int memfd = syscall(__NR_memfd_create, "syzkaller", 0);
  if (memfd == -1) {
    err = errno;
    goto error;
  }
  if (puff_zlib_to_file(data, size, memfd)) {
    err = errno;
    goto error_close_memfd;
  }
  loopfd = open(loopname, O_RDWR);
  if (loopfd == -1) {
    err = errno;
    goto error_close_memfd;
  }
  if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
    if (errno != EBUSY) {
      err = errno;
      goto error_close_loop;
    }
    // Device already has a backing file: detach it, wait 1 ms, retry once.
    ioctl(loopfd, LOOP_CLR_FD, 0);
    usleep(1000);
    if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
      err = errno;
      goto error_close_loop;
    }
  }
  // The local memfd is closed once the loop device has been attached.
  close(memfd);
  *loopfd_p = loopfd;
  return 0;

error_close_loop:
  close(loopfd);
error_close_memfd:
  close(memfd);
error:
  errno = err;
  return -1;
}

// Detaches the backing file from `loopname`; every failure is ignored.
static void reset_loop_device(const char* loopname)
{
  int loopfd = open(loopname, O_RDWR);
  if (loopfd == -1) {
    return;
  }
  if (ioctl(loopfd, LOOP_CLR_FD, 0)) {
  }
  close(loopfd);
}

// Pseudo-syscall: mounts a filesystem image.
//   fsarg      - pointer to the filesystem type string
//   dir        - pointer to the mount point path (created with mkdir)
//   flags      - mount(2) flags
//   optsarg    - pointer to the mount option string
//   change_dir - non-zero to chdir() into the mount point afterwards
//   size/image - zlib-compressed image and its length; size 0 means no image,
//                in which case mount() is called with a NULL source
// Returns an O_DIRECTORY fd for the mount point (or the chdir() result when
// change_dir is set), -1 on failure with errno set.
// All pointer arguments are raw values from the caller and are used without
// validation; in particular `optsarg` is passed to strlen() with no NULL
// check.
static long syz_mount_image(volatile long fsarg, volatile long dir, volatile long flags, volatile long optsarg, volatile long change_dir, volatile unsigned long size, volatile long image)
{
  unsigned char* data = (unsigned char*)image;
  int res = -1, err = 0, need_loop_device = !!size;
  char* mount_opts = (char*)optsarg;
  char* target = (char*)dir;
  char* fs = (char*)fsarg;
  char* source = NULL;
  char loopname[64];
  if (need_loop_device) {
    int loopfd;
    memset(loopname, 0, sizeof(loopname));
    snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid);
    if (setup_loop_device(data, size, loopname, &loopfd) == -1)
      return -1;
    // Only the device path is needed for mount(); the fd is closed right away.
    close(loopfd);
    source = loopname;
  }
  mkdir(target, 0777);
  char opts[256];
  memset(opts, 0, sizeof(opts));
  // Over-long option strings are detected but nothing is done about it here;
  // the strncpy below truncates them.
  if (strlen(mount_opts) > (sizeof(opts) - 32)) {
  }
  // Copy at most sizeof(opts) - 32 bytes: the buffer was zeroed, so the result
  // is NUL-terminated and 32 bytes remain for the suffixes appended below
  // (the longest is 16 characters).
  strncpy(opts, mount_opts, sizeof(opts) - 32);
  if (strcmp(fs, "iso9660") == 0) {
    flags |= MS_RDONLY;
  } else if (strncmp(fs, "ext", 3) == 0) {
    // Look for "errors=remount-ro" as a whole option, i.e. delimited by
    // commas or the ends of the string.
    bool has_remount_ro = false;
    char* remount_ro_start = strstr(opts, "errors=remount-ro");
    if (remount_ro_start != NULL) {
      char after = *(remount_ro_start + strlen("errors=remount-ro"));
      char before = remount_ro_start == opts ? '\0' : *(remount_ro_start - 1);
      has_remount_ro = ((before == '\0' || before == ',') && (after == '\0' || after == ','));
    }
    // Appended when "errors=panic" appears anywhere or remount-ro is absent.
    if (strstr(opts, "errors=panic") || !has_remount_ro)
      strcat(opts, ",errors=continue");
  } else if (strcmp(fs, "xfs") == 0) {
    strcat(opts, ",nouuid");
  } else if (strncmp(fs, "gfs2", 4) == 0 && (strstr(opts, "errors=panic") || strstr(opts, "debug"))) {
    strcat(opts, ",errors=withdraw");
  }
  res = mount(source, target, fs, flags, opts);
  if (res == -1) {
    err = errno;
    goto error_clear_loop;
  }
  res = open(target, O_RDONLY | O_DIRECTORY);
  if (res == -1) {
    err = errno;
    goto error_clear_loop;
  }
  if (change_dir) {
    // NOTE(review): this overwrites the fd returned by open() above, which is
    // then never closed - on success the function returns 0, on failure -1.
    res = chdir(target);
    if (res == -1) {
      err = errno;
    }
  }

// Reached on success as well: the loop device is always detached before
// returning.
error_clear_loop:
  if (need_loop_device)
    reset_loop_device(loopname);
  errno = err;
  return res;
}

// Kills `pid` and its process group with SIGKILL and reaps it into *status.
// Polls waitpid() up to 100 times at 1 ms intervals; if the child has still
// not been reaped, writes to the abort file of every entry under
// /sys/fs/fuse/connections and then blocks in waitpid() until `pid` is
// collected.
static void kill_and_wait(int pid, int* status)
{
  kill(-pid, SIGKILL);
  kill(pid, SIGKILL);
  for (int i = 0; i < 100; i++) {
    if (waitpid(-1, status, WNOHANG | __WALL) == pid)
      return;
    usleep(1000);
  }
  DIR* dir = opendir("/sys/fs/fuse/connections");
  if (dir) {
    for (;;) {
      struct dirent* ent = readdir(dir);
      if (!ent)
        break;
      if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
        continue;
      char abort[300];
      snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort", ent->d_name);
      int fd = open(abort, O_WRONLY);
      if (fd == -1) {
        continue;
      }
      // One byte is written, taken from the path buffer itself; the result is
      // ignored.
      if (write(fd, abort, 1) < 0) {
      }
      close(fd);
    }
    closedir(dir);
  } else {
  }
  while (waitpid(-1, status, __WALL) != pid) {
  }
}

// Detaches /dev/loop<procid> from its backing file if the device can be
// opened.
static void reset_loop()
{
  char buf[64];
  snprintf(buf, sizeof(buf), "/dev/loop%llu", procid);
  int loopfd = open(buf, O_RDWR);
  if (loopfd != -1) {
    ioctl(loopfd, LOOP_CLR_FD, 0);
    close(loopfd);
  }
}

// Child-side setup: request SIGKILL when the parent dies, start a new process
// group, and write 1000 to /proc/self/oom_score_adj.
static void setup_test()
{
  prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
  setpgrp();
  write_file("/proc/self/oom_score_adj", "1000");
}

static void execute_one(void);

#define WAIT_FLAGS __WALL

// Runs execute_one() in a freshly forked child, forever. Each iteration
// resets the loop device first, then polls the child every 10 ms and kills it
// if it is still running after 5000 ms.
static void loop(void)
{
  int iter = 0;
  for (;; iter++) {
    reset_loop();
    int pid = fork();
    if (pid < 0)
      exit(1);
    if (pid == 0) {
      setup_test();
      execute_one();
      exit(0);
    }
    int status = 0;
    uint64_t start = current_time_ms();
    for (;;) {
      sleep_ms(10);
      if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
        break;
      if (current_time_ms() - start < 5000)
        continue;
      kill_and_wait(pid, &status);
      break;
    }
  }
}

// The recorded program; called by loop() in the forked child.
void execute_one(void)
{
  if (write(1, "executing program\n", sizeof("executing program\n") - 1)) {
  }
  // syz_usb_connect arguments: [
  // speed: usb_device_speed = 0x0 (8 bytes)
  // dev_len: len = 0x2d (8 bytes)
  // dev: ptr[inout, array[ANYUNION]] {
  // array[ANYUNION] {
  // union ANYUNION {
  // ANYBLOB: buffer: {12 01 00 02 19 82 30 20 13 04 23 60 e5 ec 01 02
  // 03 01 09 02 1b 00 01 00 00 60 02 09 04 84 00 01 ee 48 b1 00 09 05
  // 82} (length 0x27)
  // }
  // }
  // }
  // conn_descs: nil
  // ]
  // returns fd_usb
  // NOTE(review): 39 (0x27) bytes are copied but dev_len is 0x2d, so the last
  // six bytes the descriptor parser reads are whatever already sits at that
  // address. The mapping itself is not set up in the visible part of the file.
  memcpy((void*)0x200000000d00,
         "\x12\x01\x00\x02\x19\x82\x30\x20\x13\x04\x23\x60\xe5\xec\x01\x02\x03"
         "\x01\x09\x02\x1b\x00\x01\x00\x00\x60\x02\x09\x04\x84\x00\x01\xee\x48"
         "\xb1\x00\x09\x05\x82",
         39);
  syz_usb_connect(/*speed=*/0, /*dev_len=*/0x2d, /*dev=*/0x200000000d00, /*conn_descs=*/0);
  // syz_mount_image$erofs arguments: [
  // fs: ptr[in, buffer] {
  // buffer: {65 72 6f 66 73 00} (length 0x6)
  // }
  // dir: ptr[in, buffer] {
  // buffer: {2e 2f 66 69 6c 65 30 00} (length 0x8)
  // }
  // flags: mount_flags = 0x8000c6 (8 bytes)
  // opts: ptr[inout, array[ANYUNION]] {
  // array[ANYUNION] {
  // union ANYUNION {
  // ANYBLOB: buffer: {9f 63 43 f0 3b 35 f7 dd c6 4e be e8 7f 64 29 f7
  // 4f df 32 46 b3 82 c2 54 40 f7 6f a6 46 da 3c 9c df c4 ea 2b 2e 4c
  // 43 8e c0 82 6e e9 b0 be ce 57 35 d0 b0 e1 d5 36 39 b4 96 7e 8d 56
  // 73 13 ba 19 68 93 06 0d 54 ce 13 ef 07 c7 5b bf e9 6e 88 a8 35 40
  // a2 ac ab ac 8f a5 a3 de 41 b4 03 14 df 4f 40 df cf b4 57 2f c0 98
  // c7 b0 be e3 81 4e 46 bb 48 a1 59 40 d1 94 ca d5 ed 98 8f f9 a6 d3
  // c4 fd 48 af 27 d5 e8 5f 40 35 38 79 23 d9 00 e7 56 40 c2 5e f8 34
  // 26 0c 0d 62 9e 0d 9f f1 41 d4 a4 f8 a1 66 36 65 1d ec ac f7 2a 99
  // 9a 9e 60 e4 67 00 ba ff 7f 3b d8 95 4d 84 e2 59 34 6a 4b 42 73 cd
  // 06 16 3d 95 09 e5 26 7a
db ce f5 cc b4 6e ec 97 44 39 89 0f f6 f2 // 06 10 f1 be ac 19 4b 81 04 7f 55 b8 ba 3c 28 5d 67 d2 df 2d 7b 1a // 77 91 ed ec 93 e0 0c 32 86 c8 31 eb 27 db 0d 8a 31 b0 81 fa b6 dc // fb c2 35 2f 3b 7e ea e1 9d 6c fd 85 e3 7c 09 5b 6b 1f f9 48 59 ce // df 36 f0 6b 73 cf f3 f7 97 67 5f b3 3f 43 a9 a0 f7 bb f8 94 fb 52 // 1e 77 41 29 f9 0b 91 b1 f0 45 98 fd 63 7f 7e 2d af ae da a7 42 3d // 08 61 d4 ab ae c3 7a f0 69 a4 64 e6 83 04 97 ad 18 2e 96 85 a1 16 // 53 bf b6 6f e9 cd 53 76 bd 7c b5 2b 81 c3 f1 c8 f2 1a 9f aa f0 51 // 91 88 0b 37 5f 56 b0 96 0a 8c 51 a4 4a f2 e8 3f 38 47 39 db 34 9f // 6c 6e 1f a7 f1 bc 5f 12 f1 84 e1 8a 10 c1 5b 4e 22 6f e2 bd 7a e6 // a1 aa 5f 3e 64 16 ff f1 c5 d3 86 9a 3e 7f d3 8f 6d a1 ff db 61 13 // 8d 0d 93 a7 25 f5 cf 75 e9 0c 3f b9 3d a2 8c 30 c5 4e 05 00 ee 3a // 4c 8c 98 24 1b 88 f0 b9 7b 6e bf 3b e3 0f 63 71 1f 37 4e 11 91 fc // 6f 1f bd e2 ba a1 d8 83 30 75 58 40 ee 4d ee 16 42 af 07 33 df 37 // c0 73 86 a2 d2 7d 7c 4f f6 19 2c 91 00 3a 4d ff 66 46 b6 da 9d f6 // 0a 92 7d d9 17 67 b4 f5 fc e2 58 f5 27 d7 22 1a e2 54 76 ed e3 6e // d0 bf 37 79 96 22 81 97 f9 85 a0 a8 a2 b0 93 22 b3 9e 6b ad 65 d2 // d9 d0 40 0e fa 3d 0b ae 22 05 0b d1 24 ac 2d ac 10 70 f5 64 fe 6e // 61 06 d0 50 c9 27 da e2 7e c3 8c 49 56 b2 67 54 82 7d 9a 03 49 c7 // f4 d3 e3 0f 0b 5d d4 5f ff d2 23 df 66 39 ad 86 bc 70 ff 77 80 c1 // bb 60 6f 39 f4 dc 46 cf 16 7b b4 3a 83 a3 e5 70 18 78 76 01 63 19 // 4a 1e 10 e8 28 0f 12 6d 54 03 ed ac fd 65 cf 19 2b 5a 18 e7 97 64 // 90 6e 3d 2a 37 3d 7c 63 55 2a 53 94 7f 06 c3 aa 9e 55 79 29 78 80 // 33 d6 a3 4d f0 3f ba 31 c8 e5 3d 53 3f ec a5 8d 58 6a 5a 85 74 86 // 44 e5 70 97 e3 d0 d5 db d3 dc 85 3e f7 e0 86 39 69 a3 43 a7 9b 23 // 44 9c eb 43 10 4f f8 e8 3d 32 7e b6 16 e1 ae e6 e5 ce 83 f7 31 30 // 21 93 0e e4 15 3e 99 fc 24 6d 6a b0 3b 6c 1c dc 33 5e 19 e6 90 80 // 75 25 94 b3 ca 99 33 d2 61 55 d4 f1 a7 1e 7d f1 8b 05 c8 7f 6f 02 // a5 17 e6 97 c3 63 84 28 a7 59 ce 2d 6b 9c 32 72 56 a5 9e ec 2a a6 // 30 e8 db 6d da 93 0a 
cc a5 b8 fe bc 28 72 ce f9 9a b6 e6 18 03 ab // 75 5e 98 38 4c 02 ef 30 1e e3 01 86 2c c4 ea 0f 12 ba 41 76 2a f4 // 1f 64 d9 65 fa a4 5e b4 e6 ed 1c 3d de ea 93 c4 ca 73 a2 16 d7 fe // a0 0c 3a fc b4 a8 18 77 7d b3 f5 6a 8b 12 53 87 f9 0f 87 45 eb 73 // e8 7e 6e 7c f8 f4 2f 12 c8 24 c6 53 25 31 70 e7 19 02 c6 68 9c 66 // 09 33 ff af 5e b0 94 b0 93 27 f3 de 41 8a fc 33 d2 3f f8 a7 0a 3c // 83 78 d6 1f 18 6a f1 6b 9b d2 80 94 9e 82 c8 c6 68 28 3b ee ea 4a // 78 f7 32 a3 5d 43 c5 ac ce 7e c1 a5 36 50 3f f4 82 c5 98 e4 51 e9 // 65 67 c3 7a 64 9f f6 bd 93 27 5a 65 2a b2 f9 58 26 a2 49 7d a8 dc // b5 34 80 24 4e 56 87 9f d1 20 6e 70 f7 a3 4c 2c a4 49 63 3a 26 24 // 78 5b 96 71 00 a6 16 56 ce 7a 25 82 ee 17 26 cb f6 7c de c5 ab 23 // 8c 3d 2d 6e 15 2c f0 8f 39 f4 28 78 93 32 83 42 0a 62 fb a7 b1 9c // 12 8b b3 45 f3 8d 02 6d 55 37 1c ba a5 9b 07 90 6e 78 36 7a 0b 1f // 8b fa 8b 9b f0 34 17 69 f1 2c 38 36 2e 56 94 6c 09 36 4b b5 7b 28 // a7 42 05 39 92 64 90 0d 49 95 51 bd d4 ca 64 96 2e 7c 10 9d d4 d7 // 70 33 6c 6d 24 35 39 8b 9c 0b b9 9f cf 8d 79 58 85 78 f0 01 19 ae // 18 5f 59 1e bc b4 f2 fc e3 dd e2 6c eb 5a fb ff 63 91 4c a0 35 a3 // f5 fd 30 70 b5 2d bc 1f e4 a4 37 49 76 53 84 78 c0 9e 84 c8 3e 40 // 5d 1f 13 39 78 a5 2d c7 ad 83 f0 56 e0 d3 ca 60 a4 90 ae c7 64 b5 // fd 7d 00 ec cb 21 5f 03 c3 ee f8 95 bc a7 61 d6 94 f7 8d d3 13 8a // 53 2c a1 7f 2a 68 fe 7d 44 7e 4e 5b df f5 0d 33 e7 ca 64 d6 c8 7f // dc 4c ec a5 a8 0c 28 46 31 2e 5d f9 a5 81 2d 2b ec c1 60 29 a2 bf // 88 89 80 e3 35 09 c7 7f 8e d3 e1 0a f8 44 8b 87 ed b2 4b fb 5e c2 // f3 ac 0a ed 5d 64 fe 15 c6 d0 e5 c8 92 5a c8 dc d3 49 43 21 60 d1 // 65 01 f9 20 44 a9 8d 97 6a 95 83 e4 75 14 20 11 51 6b 75 b5 b7 c9 // 09 72 41 a9 e5 53 57 3f 7d a5 e1 1c 1b 65 5a ac 1d bc c5 6b 08 8f // ac 69 5e b1 54 c9 a7 07 2e 6f c1 75 3b 37 7b 77 a4 0c f8 d6 e5 7b // 23 33 c3 99 19 43 10 2b 7d 0f 1f 97 13 54 1e 14 f8 77 9f c4 6b 74 // 46 77 14 ae ea bf fa b3 64 ff 78 5c c9 31 12 8a 34 30 e0 d1 9d 09 // 3e fc 85 90 56 36 
b0 48 5e 36 74 5b 65 d4 92 96 85 de 48 96 fe 5d // 41 a0 b5 9e 88 17 8c 08 b3 00 36 ea 37 18 b1 67 c4 61 2c 09 ce 5d // 87 bf cb 30 a3 02 4f 5d c4 85 c2 ec 5f b3 9f cd 7f bb e3 28 a8 84 // cb 27 29 ba 28 fe ba 2c 8d 1a 94 3e e6 34 9b fe 2d a2 2e e3 0b 72 // 1c 01 12 28 55 61 09 9b be d4 f3 f7 e2 2c 85 fe 65 4a 98 4f 64 40 // 54 ae c0 8b 43 29 f0 0b e7 c4 78 6b 2e ad 00 f9 22 eb 16 a7 b7 c6 // c2 4c 2c 23 02 8a ef e0 87 8b 91 5c d7 c2 cb c1 90 2b 6f db 86 25 // 81 23 41 fd fc 3d 79 87 73 af 7f a2 fd fa de 0e bb b9 ec 0a 84 47 // 35 8f 82 49 0f c2 e2 5b 12 6d ac 67 cd 5d af ed b0 7e 4b f8 72 ea // e0 80 2f 0c d3 ec 37 fe 0c 8a 2f 0a d4 e1 07 d4 75 43 9b b2 05 75 // 2c a3 f0 38 3f 7b 19 f0 de 1f da 74 35 2c ce c3 70 70 9c 22 04 69 // 8c 3b cf 9e 13 a6 54 da ed 7c f1 20 ce 76 b9 86 4f 55 33 90 c5 bb // 5d 4b c0 63 87 75 3e a7 40 89 b2 01 b9 fd 79 b5 82 f0 9b 04 68 ae // 6a e3 53 59 a8 ac 2c 2d d9 51 3e 8a 75 f9 4b f9 75 d8 36 70 76 d3 // 24 6b 07 93 ee a5 61 54 d5 77 c0 e4 de bb 61 a8 7c 80 3a b5 e8 43 // 91 81 3a 6a 16 df 27 0b 16 18 c8 5f 5e 1d fb eb 9c 43 48 51 5d ca // d8 d3 48 a3 f6 b2 5b cc 11 a0 c9 50 69 b3 81 1c d4 37 7a 21 bf 90 // af 76 54 46 1d 63 af 09 d0 03 76 24 40 41 a6 f1 f7 b2 e5 d8 6e f1 // 9c f8 8f df 92 78 7d 4b bd 50 20 3f ae 56 b7 90 60 b2 f4 8f d9 1b // 41 1a 1d 6f 20 7c 0f 6e ef e6 f9 0a 7c d9 8a 66 2d 1c bb a7 e8 2e // 28 3c 07 61 3a 1a 36 71 08 95 b9 25 09 97 4b 62 3f 47 76 74 e6 5c // 31 90 f7 a8 c3 d7 7f 5f 9c 2c 7b 8d ce c6 98 42 ec 6a ee 2d 1f 9b // b1 ed 9d 08 9d 64 8e d8 bf 70 c5 50 09 a5 7d 12 11 22 c8 68 0c a0 // c1 51 a8 e6 85 bd 33 56 d5 02 f0 87 67 1d 18 96 84 d2 d0 48 5f 4c // 1c 9b a2 6b ba 8d 3c e3 78 23 b7 c9 f3 33 df 9d 58 95 53 59 09 e7 // 6d 3b 2b bd 28 16 7c 0c ba 62 ba 39 d5 cc e0 f0 c7 f3 95 4e b5 f3 // 08 6a 90 89 2d 54 85 6f 4b c3 2f 73 08 34 1c 76 02 c0 36 bb 98 42 // ba d9 04 45 b1 4c 3f 1c 74 72 53 d7 74 54 db ad 9c 6c 4e 78 a7 bc // 54 6f 47 01 18 da e7 e2 a8 20 69 47 01 37 53 11 6a 9a b7 55 59 1d // b3 b7 07 0c 4f 
2b 89 83 f1 db 7f 22 a4 a5 23 7a 39 73 05 c5 82 05 // c7 69 dd 57 66 84 a5 ee ac 80 21 37 64 5e a0 a6 06 e6 4e db 6c 3c // 70 4c cf 46 e7 90 8e 07 be 70 fd 29 e2 3c 7e 22 96 44 48 03 a6 3b // ad 7e 5d 0f 49 41 a5 4e 78 c1 8b 6c a1 8f c8 f6 fd 4c be aa 30 f1 // 5b c4 cd 6d f5 76 6e 09 48 47 37 ae 6f 86 24 ac 83 9f b6 6a 6e 56 // 52 29 9e c4 2d ba ef b0 c6 20 c8 23 2d 1f 87 d0 d5 bb ad 3e d7 7d // 54 fc b4 0e 1c a7 76 c8 59 ae 5c 2c 2d ba 4d b6 9f e4 c4 d2 e2 7a // 8a c4 fd 52 2f 7f 35 0f ca 67 93 14 55 9a 0d 6c ef 4b 0f ee c7 00 // bd 0e a7 2c 76 5a 2d 7f 2b 09 ed 30 33 54 ba 6d 44 f9 de d3 2a b3 // eb ba 65 fd 1f 63 12 26 63 a5 8d 95 f3 b9 8f 55 0d 5e 69 84 4d f5 // b1 0d 96 d0 36 f0 41 e8 97 ed 69 ca 01 0f 98 00 7f fb e8 91 7f b5 // de 8d af 55 6a c7 2e 29 ad ef 74 b0 af 82 be 3b 3b 51 cd 96 74 da // 89 91 9b e0 93 02 4f cf f5 e9 28 7d e0 73 96 90 16 e0 80 e1 76 7a // 1c e3 5f 17 2e 67 6e fe 86 01 1e c5 9b f8 06 e0 59 c3 5f 48 43 7b // 76 68 05 64 03 4a c6 08 80 b8 9d 2c 11 bf 63 d6 aa b4 23 59 f5 f3 // dd 47 73 00 f7 c9 20 7b 72 27 a0 1d 9f f8 b8 fa 95 96 24 3b 75 72 // 93 3f 1b 3e 8e 65 9b 28 a4 41 9c 3c 5e 92 6f fd e9 db c0 b5 fa 2d // d6 44 eb 32 f5 6e fb cf 09 46 b9 78 df 6e d4 0d 1f e7 9d d8 91 1d // 06 81 db 52 94 38 a4 04 9a 10 a4 9d 3d 45 e3 7e 29 94 c8 93 9e 36 // 4f 07 db a8 7b 10 35 22 c2 00 39 e4 ae 61 10 2d b8 8e 3f 13 74 f2 // c7 88 fa be 12 a7 31 b4 6a ac 3c c7 c7 27 47 ca 87 c9 6d 7c 09 f2 // c4 7f bd 4e 9e 5b e6 3b d6 b4 23 71 9e e1 b5 ba 0c e8 63 c1 eb c8 // bc 80 dc 75 7b 81 1a d1 c7 82 55 f6 1c 52 8c e3 53 52 7b a6 ae 7a // 32 4f ca 73 2e c7 2f d7 4a 32 e6 b8 3d d7 02 59 e7 d5 05 f1 bc 6a // e5 78 74 10 1d ad 86 3b cd 1e e0 51 d3 9b 6d e0 59 22 3e ad ed 2b // 36 c5 03 1e 15 9d 58 79 3a 53 9f f7 5a e9 40 73 44 38 4e 5e e2 0f // 6a 59 b7 ce 17 3b f6 df e7 c5 e1 ad 21 58 b9 0e 0a 98 92 85 0f b9 // e0 cd 1d ac eb 76 6a 5f 8d 94 9d cd 1d ab 81 28 87 c2 53 29 a0 91 // d4 37 1c 39 3b 47 b5 af e5 98 05 9d 43 56 ce 78 80 0a c6 41 2a 0b // 12 90 34 4e 
39 60 5b 01 13 25 1f 58 6f 66 ba ca 16 f0 d6 47 7f 9d // de d2 36 02 24 1b fb 28 62 4e 85 81 8e 42 b6 02 14 e3 51 4a eb b5 // 07 6e eb ca 24 91 8a 9b 83 0e b1 0c 99 d7 d4 03 8f b7 77 a7 ee f6 // a9 48 db 28 14 63 bf f8 92 7d f3 69 14 65 d0 cf 78 97 67 2c 77 8e // 48 10 ed b4 e8 f5 4d df ad 72 bd 95 cc f3 57 9a 4a f3 5c 9a 39 f7 // 8f 12 e7 39 a3 b1 77 8a ad 80 52 bf ef 06 46 18 23 f7 01 8a 06 e7 // ba 1f f8 a9 ed 88 12 9d c5 41 3e 92 73 ec d6 d6 03 c0 8c 14 37 68 // e0 f0 8a 1a 2a c0 5e 01 64 c3 4c 9f c4 09 68 eb 39 ed 82 f3 77 36 // 41 fa 75 4d dc cd 02 fa 89 a0 4a 51 13 c7 aa ef 49 71 44 e0 df f1 // d7 aa 3d 46 47 e6 5f 61 0a 52 eb 36 83 f6 c9 a5 35 52 8d 0f d7 ce // 47 2e be ba 1b 51 c0 4b 0a ad 63 92 86 75 08 06 40 20 97 ec 9c 13 // 95 a9 a6 67 35 e9 ba b7 72 55 19 93 b3 58 2b 15 c6 14 00 73 9c ca // 57 ed 3e 1b 02 cc 22 83 ce 72 d9 78 c9 b0 c9 61 65 16 70 e6 61 ef // 1e 57 f7 27 af 3a 1e 2a 52 01 2b 2b f5 01 63 6e 28 5a 17 a5 fc 01 // 6a 56 1f b4 dc 09 44 80 4c 2c a9 61 3c b7 d1 a5 d9 12 73 4d 35 3d // 19 71 3f ee 49 e7 a4 d7 d1 69 fd d6 55 eb a8 ab 2a 87 eb ee 38 1e // ac 8a 47 57 06 3b 39 97 75 e6 e9 7f d2 ef 76 28 31 41 aa 62 9a 67 // 03 fc 37 87 38 3f 19 62 8c 58 a5 86 6f f2 b9 53 33 29 91 88 e1 b1 // 07 80 fc d2 58 12 b7 be 75 fa 33 6c 9b b4 10 0d 5b d8 e9 70 46 dd // 98 12 9e cb e7 d4 df be 32 4e 6c 93 0c ee 3f 1c 50 03 1f 32 da 9a // be 8b 5d d7 ce 37 ad 83 1f a4 bb 61 15 98 4d df 6f 05 22 64 22 db // 49 ff e5 66 c4 d0 c4 33 44 52 50 eb c0 7a 36 29 d5 39 19 1a 0e cd // 28 af 5e 72 29 90 69 bf a4 4d 1f 7b 25 00 ca 35 5b 28 5b ea ce 54 // 93 e9 57 13 bc 04 cc f6 35 d3 57 93 93 6c af be d5 87 f2 71 0c ed // ac ca 0d 20 fd 40 e6 e0 02 a6 4c 20 2a 6c 26 d9 51 e6 ad d0 58 b1 // 75 aa 0f 86 6f 2a f4 6c 87 b1 dd 06 e1 90 07 3c d6 3d 78 96 8b 83 // 96 00 3b 46 05 99 ce 83 c3 bd 80 bf 46 b0 41 61 ba 88 74 5f 10 22 // 50 d6 43 1d 68 42 c6 b5 47 df b3 6a f9 5c 78 d9 25 0b ca 59 d7 68 // 11 c8 03 99 ed a6 b9 4f 0e 83 d1 c7 f5 e4 0e 6f 99 9a 02 e4 a7 34 // 3d fb a9 
c0 83 61 64 af 4a 55 46 23 3d 3f ae 04 2d b0 ea 2f 21 f3 // 01 6b 5f cc 01 66 8c 71 69 7e 27 ea c8 01 5a 93 e7 89 5d f2 64 2d // 32 03 76 70 3d ba 3f be 75 ff 3f 15 59 30 e5 cd 73 1a 43 b9 72 ba // 61 fc b1 1d f6 77 cd 25 8d 1a 25 96 ce 5d 4a 95 bd c2 56 33 ec c3 // 19 a0 9e 5f 0b 69 7c 46 d2 4b 8a eb 4e 7f f0 bd dc 31 da 63 89 86 // bb 75 bb 48 25 f0 f1 12 8d b5 c4 95 db 0a 80 f3 da ce 0d 7e 7c 89 // c4 16 d4 20 31 c3 d6 07 41 15 dc ce 4a fd ff 42 43 12 a0 5a 8d 1d // 0c f9 0f e9 4e 9c 61 56 5f f1 ab ed 12 d5 eb 24 26 4a 8d ab 82 35 // bf 12 10 d5 dc 76 76 8d 03 03 ba e6 55 b6 58 b2 26 a3 03 9d 51 ec // 3d 6b ce 5d b2 81 9c cb a3 2d ed d8 59 9a 42 74 eb f9 a7 3a 76 b8 // 06 5a f4 6d e0 9f 75 d7 36 50 49 df e7 c0 30 04 d1 4a ac d5 ee c8 // ce 52 52 ef bc 93 ba 3d 7f 81 ae 65 89 0c fe b0 77 be bd ef f1 47 // e6 39 9b 8e 9c 65 53 cf 8e 54 a1 a6 c1 ee b8 84 63 27 5e 8a a4 89 // 6b 58 65 6a 68 bb d5 fb 05 75 b8 94 09 1a d7 cb 5f b3 66 cb c2 9a // 6b 57 6a 3c 75 06 9d 8f b5 1e f2 af 8f ea 44 87 16 7c 3b 78 ad cf // 16 cf 4c 45 09 ba e2 a4 fb 0c 5f 4c 84 f9 73 05 ac c6 59 3e f9 5b // b5 ef 1b 2d b5 0f 86 1f ec ab 29 7f 11 13 e9 79 19 2a 5d 42 aa c3 // 79 24 29 78 e5 eb 70 e5 5e a5 e5 02 26 be 03 90 dd 75 8a a3 54 0d // 58 ed 86 e7 bd 4c 9a cd 8c e4 49 af ba f0 4f 33 de 0f 4d 8a 52 69 // a2 bb a3 59 ab ee 39 fd 22 2f 5e 32 c4 98 9c 46 bd 23 c1 70 20 57 // 27 3c 10 e7 c4 c3 d5 57 6e d9 2d 1f a2 05 26 d4 00 2c 93 23 a6 f9 // 04 78 2d 4b a3 cd d2 ad 14 99 56 9c b1 46 6a f3 df 60 31 ba ce 8f // 6e 9a 07 7e 65 57 f9 4c 3f f8 cc 01 5b 8d 6a 82 f8 34 90 2f bf e9 // 66 7c 24 fb b7 d2 af 3f af 7b 22 aa a0 32 3e ca c4 ee ac a3 d1 10 // be db b6 58 4e c5 2b c7 85 5f cf 27 12 32 66 8f 15 93 ee 6f 2a 84 // ab 39 44 a9 d8 a0 eb 5e 12 df b7 76 8d b8 91 18 18 6d b8 7e 4a 51 // f9 8a 36 59 0f de a5 e7 a6 35 b0 42 a5 86 ce a1 29 a3 c4 ac fe 9d // 6d 15 4e 0c 61 4a e8 46 6a 18 b4 f3 7a 47 b5 8c 64 7f 6e c3 fb cf // 4e b9 28 ea 05 08 43 26 0c a0 1f 3d 20 b7 7a e5 ec ed 11 b5 f1 7b // 92 10 
63 e1 2c b7 d5 91 4d d7 16 8e a5 17 ef e7 56 9c 5f 25 c0 9c // be 42 a6 37 a6 6f 70 c8 28 9c a7 f9 a1 1e 49 4c ea 83 5b 16 d4 48 // 0a 75 c9 ad 6d 97 20 0f 2c f8 ee 8f 1c c4 8f d7 5d 2e 98 db 79 97 // e3 26 32 0b a3 b2 2d fc 88 02} (length 0x1000) // } // } // } // chdir: int8 = 0x0 (1 bytes) // size: len = 0x17d (8 bytes) // img: ptr[in, buffer] { // buffer: (compressed buffer with length 0x17d) // } // ] // returns fd_dir memcpy((void*)0x2000000003c0, "erofs\000", 6); memcpy((void*)0x200000000880, "./file0\000", 8); memcpy( (void*)0x200000001c40, "\x9f\x63\x43\xf0\x3b\x35\xf7\xdd\xc6\x4e\xbe\xe8\x7f\x64\x29\xf7\x4f\xdf" "\x32\x46\xb3\x82\xc2\x54\x40\xf7\x6f\xa6\x46\xda\x3c\x9c\xdf\xc4\xea\x2b" "\x2e\x4c\x43\x8e\xc0\x82\x6e\xe9\xb0\xbe\xce\x57\x35\xd0\xb0\xe1\xd5\x36" "\x39\xb4\x96\x7e\x8d\x56\x73\x13\xba\x19\x68\x93\x06\x0d\x54\xce\x13\xef" "\x07\xc7\x5b\xbf\xe9\x6e\x88\xa8\x35\x40\xa2\xac\xab\xac\x8f\xa5\xa3\xde" "\x41\xb4\x03\x14\xdf\x4f\x40\xdf\xcf\xb4\x57\x2f\xc0\x98\xc7\xb0\xbe\xe3" "\x81\x4e\x46\xbb\x48\xa1\x59\x40\xd1\x94\xca\xd5\xed\x98\x8f\xf9\xa6\xd3" "\xc4\xfd\x48\xaf\x27\xd5\xe8\x5f\x40\x35\x38\x79\x23\xd9\x00\xe7\x56\x40" "\xc2\x5e\xf8\x34\x26\x0c\x0d\x62\x9e\x0d\x9f\xf1\x41\xd4\xa4\xf8\xa1\x66" "\x36\x65\x1d\xec\xac\xf7\x2a\x99\x9a\x9e\x60\xe4\x67\x00\xba\xff\x7f\x3b" "\xd8\x95\x4d\x84\xe2\x59\x34\x6a\x4b\x42\x73\xcd\x06\x16\x3d\x95\x09\xe5" "\x26\x7a\xdb\xce\xf5\xcc\xb4\x6e\xec\x97\x44\x39\x89\x0f\xf6\xf2\x06\x10" "\xf1\xbe\xac\x19\x4b\x81\x04\x7f\x55\xb8\xba\x3c\x28\x5d\x67\xd2\xdf\x2d" "\x7b\x1a\x77\x91\xed\xec\x93\xe0\x0c\x32\x86\xc8\x31\xeb\x27\xdb\x0d\x8a" "\x31\xb0\x81\xfa\xb6\xdc\xfb\xc2\x35\x2f\x3b\x7e\xea\xe1\x9d\x6c\xfd\x85" "\xe3\x7c\x09\x5b\x6b\x1f\xf9\x48\x59\xce\xdf\x36\xf0\x6b\x73\xcf\xf3\xf7" "\x97\x67\x5f\xb3\x3f\x43\xa9\xa0\xf7\xbb\xf8\x94\xfb\x52\x1e\x77\x41\x29" "\xf9\x0b\x91\xb1\xf0\x45\x98\xfd\x63\x7f\x7e\x2d\xaf\xae\xda\xa7\x42\x3d" "\x08\x61\xd4\xab\xae\xc3\x7a\xf0\x69\xa4\x64\xe6\x83\x04\x97\xad\x18\x2e" 
"\x96\x85\xa1\x16\x53\xbf\xb6\x6f\xe9\xcd\x53\x76\xbd\x7c\xb5\x2b\x81\xc3" "\xf1\xc8\xf2\x1a\x9f\xaa\xf0\x51\x91\x88\x0b\x37\x5f\x56\xb0\x96\x0a\x8c" "\x51\xa4\x4a\xf2\xe8\x3f\x38\x47\x39\xdb\x34\x9f\x6c\x6e\x1f\xa7\xf1\xbc" "\x5f\x12\xf1\x84\xe1\x8a\x10\xc1\x5b\x4e\x22\x6f\xe2\xbd\x7a\xe6\xa1\xaa" "\x5f\x3e\x64\x16\xff\xf1\xc5\xd3\x86\x9a\x3e\x7f\xd3\x8f\x6d\xa1\xff\xdb" "\x61\x13\x8d\x0d\x93\xa7\x25\xf5\xcf\x75\xe9\x0c\x3f\xb9\x3d\xa2\x8c\x30" "\xc5\x4e\x05\x00\xee\x3a\x4c\x8c\x98\x24\x1b\x88\xf0\xb9\x7b\x6e\xbf\x3b" "\xe3\x0f\x63\x71\x1f\x37\x4e\x11\x91\xfc\x6f\x1f\xbd\xe2\xba\xa1\xd8\x83" "\x30\x75\x58\x40\xee\x4d\xee\x16\x42\xaf\x07\x33\xdf\x37\xc0\x73\x86\xa2" "\xd2\x7d\x7c\x4f\xf6\x19\x2c\x91\x00\x3a\x4d\xff\x66\x46\xb6\xda\x9d\xf6" "\x0a\x92\x7d\xd9\x17\x67\xb4\xf5\xfc\xe2\x58\xf5\x27\xd7\x22\x1a\xe2\x54" "\x76\xed\xe3\x6e\xd0\xbf\x37\x79\x96\x22\x81\x97\xf9\x85\xa0\xa8\xa2\xb0" "\x93\x22\xb3\x9e\x6b\xad\x65\xd2\xd9\xd0\x40\x0e\xfa\x3d\x0b\xae\x22\x05" "\x0b\xd1\x24\xac\x2d\xac\x10\x70\xf5\x64\xfe\x6e\x61\x06\xd0\x50\xc9\x27" "\xda\xe2\x7e\xc3\x8c\x49\x56\xb2\x67\x54\x82\x7d\x9a\x03\x49\xc7\xf4\xd3" "\xe3\x0f\x0b\x5d\xd4\x5f\xff\xd2\x23\xdf\x66\x39\xad\x86\xbc\x70\xff\x77" "\x80\xc1\xbb\x60\x6f\x39\xf4\xdc\x46\xcf\x16\x7b\xb4\x3a\x83\xa3\xe5\x70" "\x18\x78\x76\x01\x63\x19\x4a\x1e\x10\xe8\x28\x0f\x12\x6d\x54\x03\xed\xac" "\xfd\x65\xcf\x19\x2b\x5a\x18\xe7\x97\x64\x90\x6e\x3d\x2a\x37\x3d\x7c\x63" "\x55\x2a\x53\x94\x7f\x06\xc3\xaa\x9e\x55\x79\x29\x78\x80\x33\xd6\xa3\x4d" "\xf0\x3f\xba\x31\xc8\xe5\x3d\x53\x3f\xec\xa5\x8d\x58\x6a\x5a\x85\x74\x86" "\x44\xe5\x70\x97\xe3\xd0\xd5\xdb\xd3\xdc\x85\x3e\xf7\xe0\x86\x39\x69\xa3" "\x43\xa7\x9b\x23\x44\x9c\xeb\x43\x10\x4f\xf8\xe8\x3d\x32\x7e\xb6\x16\xe1" "\xae\xe6\xe5\xce\x83\xf7\x31\x30\x21\x93\x0e\xe4\x15\x3e\x99\xfc\x24\x6d" "\x6a\xb0\x3b\x6c\x1c\xdc\x33\x5e\x19\xe6\x90\x80\x75\x25\x94\xb3\xca\x99" "\x33\xd2\x61\x55\xd4\xf1\xa7\x1e\x7d\xf1\x8b\x05\xc8\x7f\x6f\x02\xa5\x17" 
"\xe6\x97\xc3\x63\x84\x28\xa7\x59\xce\x2d\x6b\x9c\x32\x72\x56\xa5\x9e\xec" "\x2a\xa6\x30\xe8\xdb\x6d\xda\x93\x0a\xcc\xa5\xb8\xfe\xbc\x28\x72\xce\xf9" "\x9a\xb6\xe6\x18\x03\xab\x75\x5e\x98\x38\x4c\x02\xef\x30\x1e\xe3\x01\x86" "\x2c\xc4\xea\x0f\x12\xba\x41\x76\x2a\xf4\x1f\x64\xd9\x65\xfa\xa4\x5e\xb4" "\xe6\xed\x1c\x3d\xde\xea\x93\xc4\xca\x73\xa2\x16\xd7\xfe\xa0\x0c\x3a\xfc" "\xb4\xa8\x18\x77\x7d\xb3\xf5\x6a\x8b\x12\x53\x87\xf9\x0f\x87\x45\xeb\x73" "\xe8\x7e\x6e\x7c\xf8\xf4\x2f\x12\xc8\x24\xc6\x53\x25\x31\x70\xe7\x19\x02" "\xc6\x68\x9c\x66\x09\x33\xff\xaf\x5e\xb0\x94\xb0\x93\x27\xf3\xde\x41\x8a" "\xfc\x33\xd2\x3f\xf8\xa7\x0a\x3c\x83\x78\xd6\x1f\x18\x6a\xf1\x6b\x9b\xd2" "\x80\x94\x9e\x82\xc8\xc6\x68\x28\x3b\xee\xea\x4a\x78\xf7\x32\xa3\x5d\x43" "\xc5\xac\xce\x7e\xc1\xa5\x36\x50\x3f\xf4\x82\xc5\x98\xe4\x51\xe9\x65\x67" "\xc3\x7a\x64\x9f\xf6\xbd\x93\x27\x5a\x65\x2a\xb2\xf9\x58\x26\xa2\x49\x7d" "\xa8\xdc\xb5\x34\x80\x24\x4e\x56\x87\x9f\xd1\x20\x6e\x70\xf7\xa3\x4c\x2c" "\xa4\x49\x63\x3a\x26\x24\x78\x5b\x96\x71\x00\xa6\x16\x56\xce\x7a\x25\x82" "\xee\x17\x26\xcb\xf6\x7c\xde\xc5\xab\x23\x8c\x3d\x2d\x6e\x15\x2c\xf0\x8f" "\x39\xf4\x28\x78\x93\x32\x83\x42\x0a\x62\xfb\xa7\xb1\x9c\x12\x8b\xb3\x45" "\xf3\x8d\x02\x6d\x55\x37\x1c\xba\xa5\x9b\x07\x90\x6e\x78\x36\x7a\x0b\x1f" "\x8b\xfa\x8b\x9b\xf0\x34\x17\x69\xf1\x2c\x38\x36\x2e\x56\x94\x6c\x09\x36" "\x4b\xb5\x7b\x28\xa7\x42\x05\x39\x92\x64\x90\x0d\x49\x95\x51\xbd\xd4\xca" "\x64\x96\x2e\x7c\x10\x9d\xd4\xd7\x70\x33\x6c\x6d\x24\x35\x39\x8b\x9c\x0b" "\xb9\x9f\xcf\x8d\x79\x58\x85\x78\xf0\x01\x19\xae\x18\x5f\x59\x1e\xbc\xb4" "\xf2\xfc\xe3\xdd\xe2\x6c\xeb\x5a\xfb\xff\x63\x91\x4c\xa0\x35\xa3\xf5\xfd" "\x30\x70\xb5\x2d\xbc\x1f\xe4\xa4\x37\x49\x76\x53\x84\x78\xc0\x9e\x84\xc8" "\x3e\x40\x5d\x1f\x13\x39\x78\xa5\x2d\xc7\xad\x83\xf0\x56\xe0\xd3\xca\x60" "\xa4\x90\xae\xc7\x64\xb5\xfd\x7d\x00\xec\xcb\x21\x5f\x03\xc3\xee\xf8\x95" "\xbc\xa7\x61\xd6\x94\xf7\x8d\xd3\x13\x8a\x53\x2c\xa1\x7f\x2a\x68\xfe\x7d" 
"\x44\x7e\x4e\x5b\xdf\xf5\x0d\x33\xe7\xca\x64\xd6\xc8\x7f\xdc\x4c\xec\xa5" "\xa8\x0c\x28\x46\x31\x2e\x5d\xf9\xa5\x81\x2d\x2b\xec\xc1\x60\x29\xa2\xbf" "\x88\x89\x80\xe3\x35\x09\xc7\x7f\x8e\xd3\xe1\x0a\xf8\x44\x8b\x87\xed\xb2" "\x4b\xfb\x5e\xc2\xf3\xac\x0a\xed\x5d\x64\xfe\x15\xc6\xd0\xe5\xc8\x92\x5a" "\xc8\xdc\xd3\x49\x43\x21\x60\xd1\x65\x01\xf9\x20\x44\xa9\x8d\x97\x6a\x95" "\x83\xe4\x75\x14\x20\x11\x51\x6b\x75\xb5\xb7\xc9\x09\x72\x41\xa9\xe5\x53" "\x57\x3f\x7d\xa5\xe1\x1c\x1b\x65\x5a\xac\x1d\xbc\xc5\x6b\x08\x8f\xac\x69" "\x5e\xb1\x54\xc9\xa7\x07\x2e\x6f\xc1\x75\x3b\x37\x7b\x77\xa4\x0c\xf8\xd6" "\xe5\x7b\x23\x33\xc3\x99\x19\x43\x10\x2b\x7d\x0f\x1f\x97\x13\x54\x1e\x14" "\xf8\x77\x9f\xc4\x6b\x74\x46\x77\x14\xae\xea\xbf\xfa\xb3\x64\xff\x78\x5c" "\xc9\x31\x12\x8a\x34\x30\xe0\xd1\x9d\x09\x3e\xfc\x85\x90\x56\x36\xb0\x48" "\x5e\x36\x74\x5b\x65\xd4\x92\x96\x85\xde\x48\x96\xfe\x5d\x41\xa0\xb5\x9e" "\x88\x17\x8c\x08\xb3\x00\x36\xea\x37\x18\xb1\x67\xc4\x61\x2c\x09\xce\x5d" "\x87\xbf\xcb\x30\xa3\x02\x4f\x5d\xc4\x85\xc2\xec\x5f\xb3\x9f\xcd\x7f\xbb" "\xe3\x28\xa8\x84\xcb\x27\x29\xba\x28\xfe\xba\x2c\x8d\x1a\x94\x3e\xe6\x34" "\x9b\xfe\x2d\xa2\x2e\xe3\x0b\x72\x1c\x01\x12\x28\x55\x61\x09\x9b\xbe\xd4" "\xf3\xf7\xe2\x2c\x85\xfe\x65\x4a\x98\x4f\x64\x40\x54\xae\xc0\x8b\x43\x29" "\xf0\x0b\xe7\xc4\x78\x6b\x2e\xad\x00\xf9\x22\xeb\x16\xa7\xb7\xc6\xc2\x4c" "\x2c\x23\x02\x8a\xef\xe0\x87\x8b\x91\x5c\xd7\xc2\xcb\xc1\x90\x2b\x6f\xdb" "\x86\x25\x81\x23\x41\xfd\xfc\x3d\x79\x87\x73\xaf\x7f\xa2\xfd\xfa\xde\x0e" "\xbb\xb9\xec\x0a\x84\x47\x35\x8f\x82\x49\x0f\xc2\xe2\x5b\x12\x6d\xac\x67" "\xcd\x5d\xaf\xed\xb0\x7e\x4b\xf8\x72\xea\xe0\x80\x2f\x0c\xd3\xec\x37\xfe" "\x0c\x8a\x2f\x0a\xd4\xe1\x07\xd4\x75\x43\x9b\xb2\x05\x75\x2c\xa3\xf0\x38" "\x3f\x7b\x19\xf0\xde\x1f\xda\x74\x35\x2c\xce\xc3\x70\x70\x9c\x22\x04\x69" "\x8c\x3b\xcf\x9e\x13\xa6\x54\xda\xed\x7c\xf1\x20\xce\x76\xb9\x86\x4f\x55" "\x33\x90\xc5\xbb\x5d\x4b\xc0\x63\x87\x75\x3e\xa7\x40\x89\xb2\x01\xb9\xfd" 
"\x79\xb5\x82\xf0\x9b\x04\x68\xae\x6a\xe3\x53\x59\xa8\xac\x2c\x2d\xd9\x51" "\x3e\x8a\x75\xf9\x4b\xf9\x75\xd8\x36\x70\x76\xd3\x24\x6b\x07\x93\xee\xa5" "\x61\x54\xd5\x77\xc0\xe4\xde\xbb\x61\xa8\x7c\x80\x3a\xb5\xe8\x43\x91\x81" "\x3a\x6a\x16\xdf\x27\x0b\x16\x18\xc8\x5f\x5e\x1d\xfb\xeb\x9c\x43\x48\x51" "\x5d\xca\xd8\xd3\x48\xa3\xf6\xb2\x5b\xcc\x11\xa0\xc9\x50\x69\xb3\x81\x1c" "\xd4\x37\x7a\x21\xbf\x90\xaf\x76\x54\x46\x1d\x63\xaf\x09\xd0\x03\x76\x24" "\x40\x41\xa6\xf1\xf7\xb2\xe5\xd8\x6e\xf1\x9c\xf8\x8f\xdf\x92\x78\x7d\x4b" "\xbd\x50\x20\x3f\xae\x56\xb7\x90\x60\xb2\xf4\x8f\xd9\x1b\x41\x1a\x1d\x6f" "\x20\x7c\x0f\x6e\xef\xe6\xf9\x0a\x7c\xd9\x8a\x66\x2d\x1c\xbb\xa7\xe8\x2e" "\x28\x3c\x07\x61\x3a\x1a\x36\x71\x08\x95\xb9\x25\x09\x97\x4b\x62\x3f\x47" "\x76\x74\xe6\x5c\x31\x90\xf7\xa8\xc3\xd7\x7f\x5f\x9c\x2c\x7b\x8d\xce\xc6" "\x98\x42\xec\x6a\xee\x2d\x1f\x9b\xb1\xed\x9d\x08\x9d\x64\x8e\xd8\xbf\x70" "\xc5\x50\x09\xa5\x7d\x12\x11\x22\xc8\x68\x0c\xa0\xc1\x51\xa8\xe6\x85\xbd" "\x33\x56\xd5\x02\xf0\x87\x67\x1d\x18\x96\x84\xd2\xd0\x48\x5f\x4c\x1c\x9b" "\xa2\x6b\xba\x8d\x3c\xe3\x78\x23\xb7\xc9\xf3\x33\xdf\x9d\x58\x95\x53\x59" "\x09\xe7\x6d\x3b\x2b\xbd\x28\x16\x7c\x0c\xba\x62\xba\x39\xd5\xcc\xe0\xf0" "\xc7\xf3\x95\x4e\xb5\xf3\x08\x6a\x90\x89\x2d\x54\x85\x6f\x4b\xc3\x2f\x73" "\x08\x34\x1c\x76\x02\xc0\x36\xbb\x98\x42\xba\xd9\x04\x45\xb1\x4c\x3f\x1c" "\x74\x72\x53\xd7\x74\x54\xdb\xad\x9c\x6c\x4e\x78\xa7\xbc\x54\x6f\x47\x01" "\x18\xda\xe7\xe2\xa8\x20\x69\x47\x01\x37\x53\x11\x6a\x9a\xb7\x55\x59\x1d" "\xb3\xb7\x07\x0c\x4f\x2b\x89\x83\xf1\xdb\x7f\x22\xa4\xa5\x23\x7a\x39\x73" "\x05\xc5\x82\x05\xc7\x69\xdd\x57\x66\x84\xa5\xee\xac\x80\x21\x37\x64\x5e" "\xa0\xa6\x06\xe6\x4e\xdb\x6c\x3c\x70\x4c\xcf\x46\xe7\x90\x8e\x07\xbe\x70" "\xfd\x29\xe2\x3c\x7e\x22\x96\x44\x48\x03\xa6\x3b\xad\x7e\x5d\x0f\x49\x41" "\xa5\x4e\x78\xc1\x8b\x6c\xa1\x8f\xc8\xf6\xfd\x4c\xbe\xaa\x30\xf1\x5b\xc4" "\xcd\x6d\xf5\x76\x6e\x09\x48\x47\x37\xae\x6f\x86\x24\xac\x83\x9f\xb6\x6a" 
"\x6e\x56\x52\x29\x9e\xc4\x2d\xba\xef\xb0\xc6\x20\xc8\x23\x2d\x1f\x87\xd0" "\xd5\xbb\xad\x3e\xd7\x7d\x54\xfc\xb4\x0e\x1c\xa7\x76\xc8\x59\xae\x5c\x2c" "\x2d\xba\x4d\xb6\x9f\xe4\xc4\xd2\xe2\x7a\x8a\xc4\xfd\x52\x2f\x7f\x35\x0f" "\xca\x67\x93\x14\x55\x9a\x0d\x6c\xef\x4b\x0f\xee\xc7\x00\xbd\x0e\xa7\x2c" "\x76\x5a\x2d\x7f\x2b\x09\xed\x30\x33\x54\xba\x6d\x44\xf9\xde\xd3\x2a\xb3" "\xeb\xba\x65\xfd\x1f\x63\x12\x26\x63\xa5\x8d\x95\xf3\xb9\x8f\x55\x0d\x5e" "\x69\x84\x4d\xf5\xb1\x0d\x96\xd0\x36\xf0\x41\xe8\x97\xed\x69\xca\x01\x0f" "\x98\x00\x7f\xfb\xe8\x91\x7f\xb5\xde\x8d\xaf\x55\x6a\xc7\x2e\x29\xad\xef" "\x74\xb0\xaf\x82\xbe\x3b\x3b\x51\xcd\x96\x74\xda\x89\x91\x9b\xe0\x93\x02" "\x4f\xcf\xf5\xe9\x28\x7d\xe0\x73\x96\x90\x16\xe0\x80\xe1\x76\x7a\x1c\xe3" "\x5f\x17\x2e\x67\x6e\xfe\x86\x01\x1e\xc5\x9b\xf8\x06\xe0\x59\xc3\x5f\x48" "\x43\x7b\x76\x68\x05\x64\x03\x4a\xc6\x08\x80\xb8\x9d\x2c\x11\xbf\x63\xd6" "\xaa\xb4\x23\x59\xf5\xf3\xdd\x47\x73\x00\xf7\xc9\x20\x7b\x72\x27\xa0\x1d" "\x9f\xf8\xb8\xfa\x95\x96\x24\x3b\x75\x72\x93\x3f\x1b\x3e\x8e\x65\x9b\x28" "\xa4\x41\x9c\x3c\x5e\x92\x6f\xfd\xe9\xdb\xc0\xb5\xfa\x2d\xd6\x44\xeb\x32" "\xf5\x6e\xfb\xcf\x09\x46\xb9\x78\xdf\x6e\xd4\x0d\x1f\xe7\x9d\xd8\x91\x1d" "\x06\x81\xdb\x52\x94\x38\xa4\x04\x9a\x10\xa4\x9d\x3d\x45\xe3\x7e\x29\x94" "\xc8\x93\x9e\x36\x4f\x07\xdb\xa8\x7b\x10\x35\x22\xc2\x00\x39\xe4\xae\x61" "\x10\x2d\xb8\x8e\x3f\x13\x74\xf2\xc7\x88\xfa\xbe\x12\xa7\x31\xb4\x6a\xac" "\x3c\xc7\xc7\x27\x47\xca\x87\xc9\x6d\x7c\x09\xf2\xc4\x7f\xbd\x4e\x9e\x5b" "\xe6\x3b\xd6\xb4\x23\x71\x9e\xe1\xb5\xba\x0c\xe8\x63\xc1\xeb\xc8\xbc\x80" "\xdc\x75\x7b\x81\x1a\xd1\xc7\x82\x55\xf6\x1c\x52\x8c\xe3\x53\x52\x7b\xa6" "\xae\x7a\x32\x4f\xca\x73\x2e\xc7\x2f\xd7\x4a\x32\xe6\xb8\x3d\xd7\x02\x59" "\xe7\xd5\x05\xf1\xbc\x6a\xe5\x78\x74\x10\x1d\xad\x86\x3b\xcd\x1e\xe0\x51" "\xd3\x9b\x6d\xe0\x59\x22\x3e\xad\xed\x2b\x36\xc5\x03\x1e\x15\x9d\x58\x79" "\x3a\x53\x9f\xf7\x5a\xe9\x40\x73\x44\x38\x4e\x5e\xe2\x0f\x6a\x59\xb7\xce" 
"\x17\x3b\xf6\xdf\xe7\xc5\xe1\xad\x21\x58\xb9\x0e\x0a\x98\x92\x85\x0f\xb9" "\xe0\xcd\x1d\xac\xeb\x76\x6a\x5f\x8d\x94\x9d\xcd\x1d\xab\x81\x28\x87\xc2" "\x53\x29\xa0\x91\xd4\x37\x1c\x39\x3b\x47\xb5\xaf\xe5\x98\x05\x9d\x43\x56" "\xce\x78\x80\x0a\xc6\x41\x2a\x0b\x12\x90\x34\x4e\x39\x60\x5b\x01\x13\x25" "\x1f\x58\x6f\x66\xba\xca\x16\xf0\xd6\x47\x7f\x9d\xde\xd2\x36\x02\x24\x1b" "\xfb\x28\x62\x4e\x85\x81\x8e\x42\xb6\x02\x14\xe3\x51\x4a\xeb\xb5\x07\x6e" "\xeb\xca\x24\x91\x8a\x9b\x83\x0e\xb1\x0c\x99\xd7\xd4\x03\x8f\xb7\x77\xa7" "\xee\xf6\xa9\x48\xdb\x28\x14\x63\xbf\xf8\x92\x7d\xf3\x69\x14\x65\xd0\xcf" "\x78\x97\x67\x2c\x77\x8e\x48\x10\xed\xb4\xe8\xf5\x4d\xdf\xad\x72\xbd\x95" "\xcc\xf3\x57\x9a\x4a\xf3\x5c\x9a\x39\xf7\x8f\x12\xe7\x39\xa3\xb1\x77\x8a" "\xad\x80\x52\xbf\xef\x06\x46\x18\x23\xf7\x01\x8a\x06\xe7\xba\x1f\xf8\xa9" "\xed\x88\x12\x9d\xc5\x41\x3e\x92\x73\xec\xd6\xd6\x03\xc0\x8c\x14\x37\x68" "\xe0\xf0\x8a\x1a\x2a\xc0\x5e\x01\x64\xc3\x4c\x9f\xc4\x09\x68\xeb\x39\xed" "\x82\xf3\x77\x36\x41\xfa\x75\x4d\xdc\xcd\x02\xfa\x89\xa0\x4a\x51\x13\xc7" "\xaa\xef\x49\x71\x44\xe0\xdf\xf1\xd7\xaa\x3d\x46\x47\xe6\x5f\x61\x0a\x52" "\xeb\x36\x83\xf6\xc9\xa5\x35\x52\x8d\x0f\xd7\xce\x47\x2e\xbe\xba\x1b\x51" "\xc0\x4b\x0a\xad\x63\x92\x86\x75\x08\x06\x40\x20\x97\xec\x9c\x13\x95\xa9" "\xa6\x67\x35\xe9\xba\xb7\x72\x55\x19\x93\xb3\x58\x2b\x15\xc6\x14\x00\x73" "\x9c\xca\x57\xed\x3e\x1b\x02\xcc\x22\x83\xce\x72\xd9\x78\xc9\xb0\xc9\x61" "\x65\x16\x70\xe6\x61\xef\x1e\x57\xf7\x27\xaf\x3a\x1e\x2a\x52\x01\x2b\x2b" "\xf5\x01\x63\x6e\x28\x5a\x17\xa5\xfc\x01\x6a\x56\x1f\xb4\xdc\x09\x44\x80" "\x4c\x2c\xa9\x61\x3c\xb7\xd1\xa5\xd9\x12\x73\x4d\x35\x3d\x19\x71\x3f\xee" "\x49\xe7\xa4\xd7\xd1\x69\xfd\xd6\x55\xeb\xa8\xab\x2a\x87\xeb\xee\x38\x1e" "\xac\x8a\x47\x57\x06\x3b\x39\x97\x75\xe6\xe9\x7f\xd2\xef\x76\x28\x31\x41" "\xaa\x62\x9a\x67\x03\xfc\x37\x87\x38\x3f\x19\x62\x8c\x58\xa5\x86\x6f\xf2" "\xb9\x53\x33\x29\x91\x88\xe1\xb1\x07\x80\xfc\xd2\x58\x12\xb7\xbe\x75\xfa" 
"\x33\x6c\x9b\xb4\x10\x0d\x5b\xd8\xe9\x70\x46\xdd\x98\x12\x9e\xcb\xe7\xd4" "\xdf\xbe\x32\x4e\x6c\x93\x0c\xee\x3f\x1c\x50\x03\x1f\x32\xda\x9a\xbe\x8b" "\x5d\xd7\xce\x37\xad\x83\x1f\xa4\xbb\x61\x15\x98\x4d\xdf\x6f\x05\x22\x64" "\x22\xdb\x49\xff\xe5\x66\xc4\xd0\xc4\x33\x44\x52\x50\xeb\xc0\x7a\x36\x29" "\xd5\x39\x19\x1a\x0e\xcd\x28\xaf\x5e\x72\x29\x90\x69\xbf\xa4\x4d\x1f\x7b" "\x25\x00\xca\x35\x5b\x28\x5b\xea\xce\x54\x93\xe9\x57\x13\xbc\x04\xcc\xf6" "\x35\xd3\x57\x93\x93\x6c\xaf\xbe\xd5\x87\xf2\x71\x0c\xed\xac\xca\x0d\x20" "\xfd\x40\xe6\xe0\x02\xa6\x4c\x20\x2a\x6c\x26\xd9\x51\xe6\xad\xd0\x58\xb1" "\x75\xaa\x0f\x86\x6f\x2a\xf4\x6c\x87\xb1\xdd\x06\xe1\x90\x07\x3c\xd6\x3d" "\x78\x96\x8b\x83\x96\x00\x3b\x46\x05\x99\xce\x83\xc3\xbd\x80\xbf\x46\xb0" "\x41\x61\xba\x88\x74\x5f\x10\x22\x50\xd6\x43\x1d\x68\x42\xc6\xb5\x47\xdf" "\xb3\x6a\xf9\x5c\x78\xd9\x25\x0b\xca\x59\xd7\x68\x11\xc8\x03\x99\xed\xa6" "\xb9\x4f\x0e\x83\xd1\xc7\xf5\xe4\x0e\x6f\x99\x9a\x02\xe4\xa7\x34\x3d\xfb" "\xa9\xc0\x83\x61\x64\xaf\x4a\x55\x46\x23\x3d\x3f\xae\x04\x2d\xb0\xea\x2f" "\x21\xf3\x01\x6b\x5f\xcc\x01\x66\x8c\x71\x69\x7e\x27\xea\xc8\x01\x5a\x93" "\xe7\x89\x5d\xf2\x64\x2d\x32\x03\x76\x70\x3d\xba\x3f\xbe\x75\xff\x3f\x15" "\x59\x30\xe5\xcd\x73\x1a\x43\xb9\x72\xba\x61\xfc\xb1\x1d\xf6\x77\xcd\x25" "\x8d\x1a\x25\x96\xce\x5d\x4a\x95\xbd\xc2\x56\x33\xec\xc3\x19\xa0\x9e\x5f" "\x0b\x69\x7c\x46\xd2\x4b\x8a\xeb\x4e\x7f\xf0\xbd\xdc\x31\xda\x63\x89\x86" "\xbb\x75\xbb\x48\x25\xf0\xf1\x12\x8d\xb5\xc4\x95\xdb\x0a\x80\xf3\xda\xce" "\x0d\x7e\x7c\x89\xc4\x16\xd4\x20\x31\xc3\xd6\x07\x41\x15\xdc\xce\x4a\xfd" "\xff\x42\x43\x12\xa0\x5a\x8d\x1d\x0c\xf9\x0f\xe9\x4e\x9c\x61\x56\x5f\xf1" "\xab\xed\x12\xd5\xeb\x24\x26\x4a\x8d\xab\x82\x35\xbf\x12\x10\xd5\xdc\x76" "\x76\x8d\x03\x03\xba\xe6\x55\xb6\x58\xb2\x26\xa3\x03\x9d\x51\xec\x3d\x6b" "\xce\x5d\xb2\x81\x9c\xcb\xa3\x2d\xed\xd8\x59\x9a\x42\x74\xeb\xf9\xa7\x3a" "\x76\xb8\x06\x5a\xf4\x6d\xe0\x9f\x75\xd7\x36\x50\x49\xdf\xe7\xc0\x30\x04" 
"\xd1\x4a\xac\xd5\xee\xc8\xce\x52\x52\xef\xbc\x93\xba\x3d\x7f\x81\xae\x65" "\x89\x0c\xfe\xb0\x77\xbe\xbd\xef\xf1\x47\xe6\x39\x9b\x8e\x9c\x65\x53\xcf" "\x8e\x54\xa1\xa6\xc1\xee\xb8\x84\x63\x27\x5e\x8a\xa4\x89\x6b\x58\x65\x6a" "\x68\xbb\xd5\xfb\x05\x75\xb8\x94\x09\x1a\xd7\xcb\x5f\xb3\x66\xcb\xc2\x9a" "\x6b\x57\x6a\x3c\x75\x06\x9d\x8f\xb5\x1e\xf2\xaf\x8f\xea\x44\x87\x16\x7c" "\x3b\x78\xad\xcf\x16\xcf\x4c\x45\x09\xba\xe2\xa4\xfb\x0c\x5f\x4c\x84\xf9" "\x73\x05\xac\xc6\x59\x3e\xf9\x5b\xb5\xef\x1b\x2d\xb5\x0f\x86\x1f\xec\xab" "\x29\x7f\x11\x13\xe9\x79\x19\x2a\x5d\x42\xaa\xc3\x79\x24\x29\x78\xe5\xeb" "\x70\xe5\x5e\xa5\xe5\x02\x26\xbe\x03\x90\xdd\x75\x8a\xa3\x54\x0d\x58\xed" "\x86\xe7\xbd\x4c\x9a\xcd\x8c\xe4\x49\xaf\xba\xf0\x4f\x33\xde\x0f\x4d\x8a" "\x52\x69\xa2\xbb\xa3\x59\xab\xee\x39\xfd\x22\x2f\x5e\x32\xc4\x98\x9c\x46" "\xbd\x23\xc1\x70\x20\x57\x27\x3c\x10\xe7\xc4\xc3\xd5\x57\x6e\xd9\x2d\x1f" "\xa2\x05\x26\xd4\x00\x2c\x93\x23\xa6\xf9\x04\x78\x2d\x4b\xa3\xcd\xd2\xad" "\x14\x99\x56\x9c\xb1\x46\x6a\xf3\xdf\x60\x31\xba\xce\x8f\x6e\x9a\x07\x7e" "\x65\x57\xf9\x4c\x3f\xf8\xcc\x01\x5b\x8d\x6a\x82\xf8\x34\x90\x2f\xbf\xe9" "\x66\x7c\x24\xfb\xb7\xd2\xaf\x3f\xaf\x7b\x22\xaa\xa0\x32\x3e\xca\xc4\xee" "\xac\xa3\xd1\x10\xbe\xdb\xb6\x58\x4e\xc5\x2b\xc7\x85\x5f\xcf\x27\x12\x32" "\x66\x8f\x15\x93\xee\x6f\x2a\x84\xab\x39\x44\xa9\xd8\xa0\xeb\x5e\x12\xdf" "\xb7\x76\x8d\xb8\x91\x18\x18\x6d\xb8\x7e\x4a\x51\xf9\x8a\x36\x59\x0f\xde" "\xa5\xe7\xa6\x35\xb0\x42\xa5\x86\xce\xa1\x29\xa3\xc4\xac\xfe\x9d\x6d\x15" "\x4e\x0c\x61\x4a\xe8\x46\x6a\x18\xb4\xf3\x7a\x47\xb5\x8c\x64\x7f\x6e\xc3" "\xfb\xcf\x4e\xb9\x28\xea\x05\x08\x43\x26\x0c\xa0\x1f\x3d\x20\xb7\x7a\xe5" "\xec\xed\x11\xb5\xf1\x7b\x92\x10\x63\xe1\x2c\xb7\xd5\x91\x4d\xd7\x16\x8e" "\xa5\x17\xef\xe7\x56\x9c\x5f\x25\xc0\x9c\xbe\x42\xa6\x37\xa6\x6f\x70\xc8" "\x28\x9c\xa7\xf9\xa1\x1e\x49\x4c\xea\x83\x5b\x16\xd4\x48\x0a\x75\xc9\xad" "\x6d\x97\x20\x0f\x2c\xf8\xee\x8f\x1c\xc4\x8f\xd7\x5d\x2e\x98\xdb\x79\x97" "\xe3\x26\x32\x0b\xa3\xb2\x2d\xfc\x88\x02", 
4096); memcpy( (void*)0x200000001ac0, "\x78\x9c\xec\x98\xb1\x4f\xfa\x40\x14\xc7\xbf\xef\xca\x0f\xf2\x33\x2e\xae" "\x2e\x0e\x12\xc5\xc1\xd2\x16\x35\x2e\xc4\xb0\x39\x9a\x88\x1a\x37\x09\x54" "\x82\x16\x31\xd0\x41\x98\x74\xf1\xff\x70\x76\x70\x76\xf3\x8f\x30\xce\xea" "\x60\x5c\x18\xdd\x4c\x6a\x7a\x3d\xe8\x41\x04\x75\xd0\xc4\xf8\x3e\xc3\xe3" "\xfb\xb8\x77\xd7\x77\xaf\xc9\x77\x28\x18\x86\xf9\xb3\x3c\x3e\xbc\xdc\xaf" "\x15\xef\x84\x01\x60\x12\x69\xa4\xd4\xff\xcf\x46\x5c\x23\xb4\xfa\xd7\xdb" "\xf3\x72\x6b\x6a\x3d\x7f\x39\xf7\x94\xbf\x4e\x35\xae\x86\xcf\x23\x00\x41" "\xf0\xf9\xe7\x27\x00\xdc\x14\x0c\xf8\x2a\x0f\x82\xc1\xdd\x69\xf5\x5b\x84" "\xe8\xeb\x2d\x08\x2c\x28\xbd\x03\x82\xa9\xf4\x1e\x04\xb6\x95\x76\x41\xd8" "\x55\xfa\x40\xd3\x8d\xb0\xde\x34\xf7\x6b\x9e\x6b\x96\x1b\x5e\x25\x14\x56" "\x18\xec\x30\x38\x61\xc8\x0d\xf7\xd7\x3d\x23\x54\xb4\xfe\x48\x5b\x6f\xb5" "\x3b\x87\x25\xcf\x73\x9b\xdf\x28\x3e\x9a\x5f\xb7\x20\x90\xd7\xfa\xd3\xdf" "\x57\x6f\x36\x96\x36\x3f\x1b\x02\xb6\xd2\x39\x10\x36\x95\x5e\x45\xaa\x37" "\x9b\x68\x24\xda\xfd\xa7\x13\xf1\xf9\xc6\x0f\xdf\x9f\x05\x0b\x16\xbf\x4d" "\xc4\xfe\x14\x5c\x10\xe6\x35\x7f\x4a\x68\xfe\x91\xf5\xeb\xc7\xd9\x56\xbb" "\xb3\x58\xab\x97\xaa\x6e\xd5\x3d\x72\x9c\xdc\x8a\xb5\x64\x59\xcb\x4e\x56" "\x1a\x51\x14\xc7\xf8\xdf\x7f\xe9\x4f\x13\xda\xf9\xff\x46\xd4\x26\x29\x89" "\x93\x92\xef\x37\xed\x28\xf6\x73\x27\x8a\xef\x39\xae\x90\xfe\x27\x90\x99" "\x8d\xf2\xd0\xfb\x93\x23\xbb\x89\xd6\x49\xed\x23\xa9\x32\xc6\x98\x72\x86" "\x61\x18\x86\x61\x18\x86\x61\x18\x86\x61\x18\x86\x61\x98\x2f\x30\x03\x92" "\x5f\x41\x25\x74\x8a\x38\x19\xc0\xd9\x90\xd5\x6f\x01\x00\x00\xff\xff\xda" "\x9f\x73\x00", 381); syz_mount_image( /*fs=*/0x2000000003c0, /*dir=*/0x200000000880, /*flags=MS_I_VERSION|MS_NOSUID|MS_NODEV|MS_MANDLOCK|0x80*/ 0x8000c6, /*opts=*/0x200000001c40, /*chdir=*/0, /*size=*/0x17d, /*img=*/0x200000001ac0); // mount$overlay arguments: [ // src: const = 0x0 (8 bytes) // dst: nil // type: nil // flags: mount_flags = 0x0 (8 bytes) // opts: nil // ] 
// Tail of the recorded syscall sequence. The enclosing function starts
// earlier in the file; only its last two calls and closing brace are here.
// Every argument of this mount call is zero/NULL (see the mount$overlay
// argument listing above).
syscall(__NR_mount, /*src=*/0ul, /*dst=*/0ul, /*type=*/0ul, /*flags=*/0ul,
        /*opts=*/0ul);
// sendmsg$nl_route arguments: [
//   fd: sock_nl_route (resource)
//   msg: nil
//   f: send_flags = 0x8000002 (8 bytes)
// ]
// fd is -1 and msg is NULL here, i.e. no socket was opened for this call.
syscall(__NR_sendmsg, /*fd=*/(intptr_t)-1, /*msg=*/0ul, /*f=*/0x8000002ul);
}

/*
 * Entry point of the reproducer.
 *
 * Builds the fixed address-space layout that the hard-coded pointers in the
 * syscall sequence depend on, then forks five worker processes that each
 * call loop().
 *
 * Layout created by the three MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE mappings:
 *   0x1ffffffff000, 0x1000 bytes     prot=0 page directly below the data area
 *   0x200000000000, 0x1000000 bytes  16 MiB data area, read/write/exec
 *   0x200001000000, 0x1000 bytes     prot=0 page directly above the data area
 *
 * The addresses the sequence writes to (0x2000000003c0, 0x200000000880,
 * 0x200000001c40, 0x200000001ac0) all fall inside the data area. The two
 * prot=0 pages make an access that runs off either end of it fault.
 *
 * None of the mmap return values are checked. If the data-area mapping did
 * not succeed, the memcpy calls to those fixed addresses would presumably
 * fault rather than report an error.
 *
 * Returns 0 after the parent's sleep ends; the children are never waited for.
 */
int main(void)
{
  // prot=0 page immediately below the data area.
  syscall(__NR_mmap, /*addr=*/0x1ffffffff000ul, /*len=*/0x1000ul,
          /*prot=*/0ul,
          /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul,
          /*fd=*/(intptr_t)-1, /*offset=*/0ul);
  // Data area holding every buffer the syscall arguments point at. It is
  // mapped writable and executable at the same time (prot = 7).
  syscall(__NR_mmap, /*addr=*/0x200000000000ul, /*len=*/0x1000000ul,
          /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul,
          /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul,
          /*fd=*/(intptr_t)-1, /*offset=*/0ul);
  // prot=0 page immediately above the data area.
  syscall(__NR_mmap, /*addr=*/0x200001000000ul, /*len=*/0x1000ul,
          /*prot=*/0ul,
          /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul,
          /*fd=*/(intptr_t)-1, /*offset=*/0ul);
  // Declared and immediately voided; nothing in main reads or writes it.
  const char* reason;
  (void)reason;
  // Start five workers. procid is the file-level counter, so each child
  // inherits its own index (0..4) at the moment of the fork.
  for (procid = 0; procid < 5; procid++) {
    // A fork() failure (-1) is not distinguished from the parent path: the
    // parent simply moves on to the next index.
    if (fork() == 0) {
      // NOTE(review): loop() is defined outside this excerpt. If it ever
      // returned, the child would fall back into this for loop and fork
      // again; presumably it never returns. Confirm against its definition.
      loop();
    }
  }
  // Keep the parent alive (1,000,000 seconds) while the children run.
  sleep(1000000);
  return 0;
}