// https://syzkaller.appspot.com/bug?id=2bf7b7983c2398ec6f0c4c6c87cb50223e8873f8
// autogenerated by syzkaller (http://github.com/google/syzkaller)
#define _GNU_SOURCE
// NOTE(review): the targets of the #include directives below were lost when this page was
// extracted (only the bare directive survived). Restore them from the original reproducer
// before building; the file does not preprocess in this form.
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
/*
 * Terminate the whole process (every thread) with the given exit status.
 * The loop after exit_group only exists to satisfy noreturn should the
 * syscall ever come back.
 */
__attribute__((noreturn)) static void doexit(int status)
{
	volatile unsigned i;
	syscall(__NR_exit_group, status);
	for (i = 0;; i++) {
	}
}
#include
#include
/* Exit statuses understood by the syzkaller harness: hard failure vs. "retry later". */
const int kFailStatus = 67;
const int kRetryStatus = 69;
/*
 * Print a printf-style message followed by the errno captured on entry, then exit.
 * ENOMEM/EAGAIN are reported as kRetryStatus (transient), anything else as kFailStatus.
 * errno is copied before any stdio call can clobber it. The one call site visible in
 * this file passes a string literal as msg.
 */
static void fail(const char* msg, ...)
{
	int e = errno;
	va_list args;
	va_start(args, msg);
	vfprintf(stderr, msg, args);
	va_end(args);
	fprintf(stderr, " (errno %d)\n", e);
	doexit((e == ENOMEM || e == EAGAIN) ? kRetryStatus : kFailStatus);
}
/*
 * Bit-field helpers: a mask of the bf_len low bits, the same mask shifted to bf_off,
 * and a read-modify-write store of val into bits [bf_off, bf_off + bf_len) of *addr
 * (a zero offset and zero width means "store the whole value"). Not used in the part
 * of the file shown here.
 */
#define BITMASK_LEN(type, bf_len) (type)((1ull << (bf_len)) - 1)
#define BITMASK_LEN_OFF(type, bf_off, bf_len) \
	(type)(BITMASK_LEN(type, (bf_len)) << (bf_off))
#define STORE_BY_BITMASK(type, addr, val, bf_off, bf_len) \
	if ((bf_off) == 0 && (bf_len) == 0) { \
		*(type*)(addr) = (type)(val); \
	} else { \
		type new_val = *(type*)(addr); \
		new_val &= ~BITMASK_LEN_OFF(type, (bf_off), (bf_len)); \
		new_val |= ((type)(val)&BITMASK_LEN(type, (bf_len))) << (bf_off); \
		*(type*)(addr) = new_val; \
	}
/*
 * Open a device node. For a0 == 0xc (char) or 0xb (block) the path is
 * /dev/<char|block>/<major>:<minor>, with the numbers taken from a1/a2 as
 * uint8_t, so the formatted path is far below the 128-byte buffer.
 * (The function body continues on the next line of this page.)
 */
static uintptr_t syz_open_dev(uintptr_t a0, uintptr_t a1, uintptr_t a2)
{
	if (a0 == 0xc || a0 == 0xb) {
		char buf[128];
		sprintf(buf, "/dev/%s/%d:%d", a0 == 0xc ?
"char" : "block", (uint8_t)a1, (uint8_t)a2); return open(buf, O_RDWR, 0); } else { char buf[1024]; char* hash; strncpy(buf, (char*)a0, sizeof(buf)); buf[sizeof(buf) - 1] = 0; while ((hash = strchr(buf, '#'))) { *hash = '0' + (char)(a1 % 10); a1 /= 10; } return open(buf, a2, 0); } } const char kvm_asm16_cpl3[] = "\x0f\x20\xc0\x66\x83\xc8\x01\x0f\x22\xc0\xb8\xa0\x00\x0f\x00\xd8" "\xb8\x2b\x00\x8e\xd8\x8e\xc0\x8e\xe0\x8e\xe8\xbc\x00\x01\xc7\x06" "\x00\x01\x1d\xba\xc7\x06\x02\x01\x23\x00\xc7\x06\x04\x01\x00\x01" "\xc7\x06\x06\x01\x2b\x00\xcb"; const char kvm_asm32_paged[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0"; const char kvm_asm32_vm86[] = "\x66\xb8\xb8\x00\x0f\x00\xd8\xea\x00\x00\x00\x00\xd0\x00"; const char kvm_asm32_paged_vm86[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\x66\xb8\xb8\x00\x0f" "\x00\xd8\xea\x00\x00\x00\x00\xd0\x00"; const char kvm_asm64_vm86[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22" "\xc0\x66\xb8\xb8\x00\x0f\x00\xd8\xea\x00" "\x00\x00\x00\xd0\x00"; const char kvm_asm64_enable_long[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b" "\x50\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8"; const char kvm_asm64_init_vm[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b" "\x50\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8\x48\xc7\xc1\x3a" "\x00\x00\x00\x0f\x32\x48\x83\xc8\x05\x0f\x30\x0f\x20\xe0\x48\x0d" "\x00\x20\x00\x00\x0f\x22\xe0\x48\xc7\xc1\x80\x04\x00\x00\x0f\x32" "\x48\xc7\xc2\x00\x60\x00\x00\x89\x02\x48\xc7\xc2\x00\x70\x00\x00" "\x89\x02\x48\xc7\xc0\x00\x5f\x00\x00\xf3\x0f\xc7\x30\x48\xc7\xc0" "\x08\x5f\x00\x00\x66\x0f\xc7\x30\x0f\xc7\x30\x48\xc7\xc1\x81\x04" "\x00\x00\x0f\x32\x48\x83\xc8\x3f\x48\x21\xd0\x48\xc7\xc2\x00\x40" "\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x40\x00\x00\x48\xb8\x84\x9e" "\x99\xf3\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x40\x00\x00" "\x48\xc7\xc0\x81\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x83\x04\x00" "\x00\x0f\x32\x48\x0d\xff\x6f\x03\x00\x48\x21\xd0\x48\xc7\xc2\x0c" 
"\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x84\x04\x00\x00\x0f\x32\x48" "\x0d\xff\x17\x00\x00\x48\x21\xd0\x48\xc7\xc2\x12\x40\x00\x00\x0f" "\x79\xd0\x48\xc7\xc2\x04\x2c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00" "\x0f\x79\xd0\x48\xc7\xc2\x00\x28\x00\x00\x48\xc7\xc0\xff\xff\xff" "\xff\x0f\x79\xd0\x48\xc7\xc2\x02\x0c\x00\x00\x48\xc7\xc0\x50\x00" "\x00\x00\x0f\x79\xd0\x48\xc7\xc0\x58\x00\x00\x00\x48\xc7\xc2\x00" "\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x0c\x00\x00\x0f\x79\xd0" "\x48\xc7\xc2\x06\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x0c\x00" "\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x0c\x00\x00\x0f\x79\xd0\x48\xc7" "\xc0\xd8\x00\x00\x00\x48\xc7\xc2\x0c\x0c\x00\x00\x0f\x79\xd0\x48" "\xc7\xc2\x02\x2c\x00\x00\x48\xc7\xc0\x00\x05\x00\x00\x0f\x79\xd0" "\x48\xc7\xc2\x00\x4c\x00\x00\x48\xc7\xc0\x50\x00\x00\x00\x0f\x79" "\xd0\x48\xc7\xc2\x10\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f" "\x79\xd0\x48\xc7\xc2\x12\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00" "\x0f\x79\xd0\x0f\x20\xc0\x48\xc7\xc2\x00\x6c\x00\x00\x48\x89\xc0" "\x0f\x79\xd0\x0f\x20\xd8\x48\xc7\xc2\x02\x6c\x00\x00\x48\x89\xc0" "\x0f\x79\xd0\x0f\x20\xe0\x48\xc7\xc2\x04\x6c\x00\x00\x48\x89\xc0" "\x0f\x79\xd0\x48\xc7\xc2\x06\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00" "\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x6c\x00\x00\x48\xc7\xc0\x00\x00" "\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x6c\x00\x00\x48\xc7\xc0\x00" "\x3a\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x6c\x00\x00\x48\xc7\xc0" "\x00\x10\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x6c\x00\x00\x48\xc7" "\xc0\x00\x38\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x6c\x00\x00\x48" "\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x6c\x00\x00" "\x48\x8b\x04\x25\x10\x5f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x00" "\x00\x00\x48\xc7\xc0\x01\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02" "\x00\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2" "\x00\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7" "\xc2\x02\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48" 
"\xc7\xc2\x04\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0" "\x48\xc7\xc2\x06\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79" "\xd0\x48\xc7\xc1\x77\x02\x00\x00\x0f\x32\x48\xc1\xe2\x20\x48\x09" "\xd0\x48\xc7\xc2\x00\x2c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x48\xc7" "\xc2\x04\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48" "\xc7\xc2\x0a\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0" "\x48\xc7\xc2\x0e\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79" "\xd0\x48\xc7\xc2\x10\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f" "\x79\xd0\x48\xc7\xc2\x16\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00" "\x0f\x79\xd0\x48\xc7\xc2\x14\x40\x00\x00\x48\xc7\xc0\x00\x00\x00" "\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x60\x00\x00\x48\xc7\xc0\xff\xff" "\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x02\x60\x00\x00\x48\xc7\xc0\xff" "\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x1c\x20\x00\x00\x48\xc7\xc0" "\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x20\x00\x00\x48\xc7" "\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20\x20\x00\x00\x48" "\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x22\x20\x00\x00" "\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x08\x00" "\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x08" "\x00\x00\x48\xc7\xc0\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04" "\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2" "\x06\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7" "\xc2\x08\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48" "\xc7\xc2\x0a\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0" "\x48\xc7\xc2\x0c\x08\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79" "\xd0\x48\xc7\xc2\x0e\x08\x00\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f" "\x79\xd0\x48\xc7\xc2\x12\x68\x00\x00\x48\xc7\xc0\x00\x00\x00\x00" "\x0f\x79\xd0\x48\xc7\xc2\x14\x68\x00\x00\x48\xc7\xc0\x00\x3a\x00" "\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x68\x00\x00\x48\xc7\xc0\x00\x10" "\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x18\x68\x00\x00\x48\xc7\xc0\x00" 
"\x38\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x48\x00\x00\x48\xc7\xc0" "\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x48\x00\x00\x48\xc7" "\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x48\x00\x00\x48" "\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x48\x00\x00" "\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x48\x00" "\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x48" "\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x0c" "\x48\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2" "\x0e\x48\x00\x00\x48\xc7\xc0\xff\x1f\x00\x00\x0f\x79\xd0\x48\xc7" "\xc2\x10\x48\x00\x00\x48\xc7\xc0\xff\x1f\x00\x00\x0f\x79\xd0\x48" "\xc7\xc2\x12\x48\x00\x00\x48\xc7\xc0\xff\x1f\x00\x00\x0f\x79\xd0" "\x48\xc7\xc2\x14\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79" "\xd0\x48\xc7\xc2\x16\x48\x00\x00\x48\xc7\xc0\x9b\x20\x00\x00\x0f" "\x79\xd0\x48\xc7\xc2\x18\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00" "\x0f\x79\xd0\x48\xc7\xc2\x1a\x48\x00\x00\x48\xc7\xc0\x93\x40\x00" "\x00\x0f\x79\xd0\x48\xc7\xc2\x1c\x48\x00\x00\x48\xc7\xc0\x93\x40" "\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x48\x00\x00\x48\xc7\xc0\x93" "\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20\x48\x00\x00\x48\xc7\xc0" "\x82\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x22\x48\x00\x00\x48\xc7" "\xc0\x8b\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1c\x68\x00\x00\x48" "\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x68\x00\x00" "\x48\xc7\xc0\x00\x91\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20\x68\x00" "\x00\x48\xc7\xc0\x02\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x28" "\x00\x00\x48\xc7\xc0\x00\x05\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a" "\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2" "\x0c\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7" "\xc2\x0e\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48" "\xc7\xc2\x10\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0" "\x0f\x20\xc0\x48\xc7\xc2\x00\x68\x00\x00\x48\x89\xc0\x0f\x79\xd0" 
"\x0f\x20\xd8\x48\xc7\xc2\x02\x68\x00\x00\x48\x89\xc0\x0f\x79\xd0" "\x0f\x20\xe0\x48\xc7\xc2\x04\x68\x00\x00\x48\x89\xc0\x0f\x79\xd0" "\x48\xc7\xc0\x18\x5f\x00\x00\x48\x8b\x10\x48\xc7\xc0\x20\x5f\x00" "\x00\x48\x8b\x08\x48\x31\xc0\x0f\x78\xd0\x48\x31\xc8\x0f\x79\xd0" "\x0f\x01\xc2\x48\xc7\xc2\x00\x44\x00\x00\x0f\x78\xd0\xf4"; const char kvm_asm64_vm_exit[] = "\x48\xc7\xc3\x00\x44\x00\x00\x0f\x78\xda\x48\xc7\xc3\x02\x44\x00" "\x00\x0f\x78\xd9\x48\xc7\xc0\x00\x64\x00\x00\x0f\x78\xc0\x48\xc7" "\xc3\x1e\x68\x00\x00\x0f\x78\xdb\xf4"; const char kvm_asm64_cpl3[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b" "\x50\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8\x48\xc7\xc0\x6b" "\x00\x00\x00\x8e\xd8\x8e\xc0\x8e\xe0\x8e\xe8\x48\xc7\xc4\x80\x0f" "\x00\x00\x48\xc7\x04\x24\x1d\xba\x00\x00\x48\xc7\x44\x24\x04\x63" "\x00\x00\x00\x48\xc7\x44\x24\x08\x80\x0f\x00\x00\x48\xc7\x44\x24" "\x0c\x6b\x00\x00\x00\xcb"; #define ADDR_TEXT 0x0000 #define ADDR_GDT 0x1000 #define ADDR_LDT 0x1800 #define ADDR_PML4 0x2000 #define ADDR_PDP 0x3000 #define ADDR_PD 0x4000 #define ADDR_STACK0 0x0f80 #define ADDR_VAR_HLT 0x2800 #define ADDR_VAR_SYSRET 0x2808 #define ADDR_VAR_SYSEXIT 0x2810 #define ADDR_VAR_IDT 0x3800 #define ADDR_VAR_TSS64 0x3a00 #define ADDR_VAR_TSS64_CPL3 0x3c00 #define ADDR_VAR_TSS16 0x3d00 #define ADDR_VAR_TSS16_2 0x3e00 #define ADDR_VAR_TSS16_CPL3 0x3f00 #define ADDR_VAR_TSS32 0x4800 #define ADDR_VAR_TSS32_2 0x4a00 #define ADDR_VAR_TSS32_CPL3 0x4c00 #define ADDR_VAR_TSS32_VM86 0x4e00 #define ADDR_VAR_VMXON_PTR 0x5f00 #define ADDR_VAR_VMCS_PTR 0x5f08 #define ADDR_VAR_VMEXIT_PTR 0x5f10 #define ADDR_VAR_VMWRITE_FLD 0x5f18 #define ADDR_VAR_VMWRITE_VAL 0x5f20 #define ADDR_VAR_VMXON 0x6000 #define ADDR_VAR_VMCS 0x7000 #define ADDR_VAR_VMEXIT_CODE 0x9000 #define ADDR_VAR_USER_CODE 0x9100 #define ADDR_VAR_USER_CODE2 0x9120 #define SEL_LDT (1 << 3) #define SEL_CS16 (2 << 3) #define SEL_DS16 (3 << 3) #define SEL_CS16_CPL3 ((4 << 3) + 3) #define SEL_DS16_CPL3 ((5 << 3) + 
3) #define SEL_CS32 (6 << 3) #define SEL_DS32 (7 << 3) #define SEL_CS32_CPL3 ((8 << 3) + 3) #define SEL_DS32_CPL3 ((9 << 3) + 3) #define SEL_CS64 (10 << 3) #define SEL_DS64 (11 << 3) #define SEL_CS64_CPL3 ((12 << 3) + 3) #define SEL_DS64_CPL3 ((13 << 3) + 3) #define SEL_CGATE16 (14 << 3) #define SEL_TGATE16 (15 << 3) #define SEL_CGATE32 (16 << 3) #define SEL_TGATE32 (17 << 3) #define SEL_CGATE64 (18 << 3) #define SEL_CGATE64_HI (19 << 3) #define SEL_TSS16 (20 << 3) #define SEL_TSS16_2 (21 << 3) #define SEL_TSS16_CPL3 ((22 << 3) + 3) #define SEL_TSS32 (23 << 3) #define SEL_TSS32_2 (24 << 3) #define SEL_TSS32_CPL3 ((25 << 3) + 3) #define SEL_TSS32_VM86 (26 << 3) #define SEL_TSS64 (27 << 3) #define SEL_TSS64_HI (28 << 3) #define SEL_TSS64_CPL3 ((29 << 3) + 3) #define SEL_TSS64_CPL3_HI (30 << 3) #define MSR_IA32_FEATURE_CONTROL 0x3a #define MSR_IA32_VMX_BASIC 0x480 #define MSR_IA32_SMBASE 0x9e #define MSR_IA32_SYSENTER_CS 0x174 #define MSR_IA32_SYSENTER_ESP 0x175 #define MSR_IA32_SYSENTER_EIP 0x176 #define MSR_IA32_STAR 0xC0000081 #define MSR_IA32_LSTAR 0xC0000082 #define MSR_IA32_VMX_PROCBASED_CTLS2 0x48B #define NEXT_INSN $0xbadc0de #define PREFIX_SIZE 0xba1d #define KVM_SMI _IO(KVMIO, 0xb7) #define CR0_PE 1 #define CR0_MP (1 << 1) #define CR0_EM (1 << 2) #define CR0_TS (1 << 3) #define CR0_ET (1 << 4) #define CR0_NE (1 << 5) #define CR0_WP (1 << 16) #define CR0_AM (1 << 18) #define CR0_NW (1 << 29) #define CR0_CD (1 << 30) #define CR0_PG (1 << 31) #define CR4_VME 1 #define CR4_PVI (1 << 1) #define CR4_TSD (1 << 2) #define CR4_DE (1 << 3) #define CR4_PSE (1 << 4) #define CR4_PAE (1 << 5) #define CR4_MCE (1 << 6) #define CR4_PGE (1 << 7) #define CR4_PCE (1 << 8) #define CR4_OSFXSR (1 << 8) #define CR4_OSXMMEXCPT (1 << 10) #define CR4_UMIP (1 << 11) #define CR4_VMXE (1 << 13) #define CR4_SMXE (1 << 14) #define CR4_FSGSBASE (1 << 16) #define CR4_PCIDE (1 << 17) #define CR4_OSXSAVE (1 << 18) #define CR4_SMEP (1 << 20) #define CR4_SMAP (1 << 21) #define CR4_PKE (1 << 22) 
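/* IA32_EFER bits. */
#define EFER_SCE 1
#define EFER_LME (1 << 8)
#define EFER_LMA (1 << 10)
#define EFER_NXE (1 << 11)
#define EFER_SVME (1 << 12)
#define EFER_LMSLE (1 << 13)
#define EFER_FFXSR (1 << 14)
#define EFER_TCE (1 << 15)
/* Page-directory entry bits for the 32-bit (PSE) and 64-bit (PAE / long mode) page tables built in syz_kvm_setup_cpu. */
#define PDE32_PRESENT 1
#define PDE32_RW (1 << 1)
#define PDE32_USER (1 << 2)
#define PDE32_PS (1 << 7)
#define PDE64_PRESENT 1
#define PDE64_RW (1 << 1)
#define PDE64_USER (1 << 2)
#define PDE64_ACCESSED (1 << 5)
#define PDE64_DIRTY (1 << 6)
#define PDE64_PS (1 << 7)
#define PDE64_G (1 << 8)

/* Hardware task-state segment images. They are memcpy'd verbatim into guest memory, hence packed. */
struct tss16 {
	uint16_t prev;
	uint16_t sp0;
	uint16_t ss0;
	uint16_t sp1;
	uint16_t ss1;
	uint16_t sp2;
	uint16_t ss2;
	uint16_t ip;
	uint16_t flags;
	uint16_t ax;
	uint16_t cx;
	uint16_t dx;
	uint16_t bx;
	uint16_t sp;
	uint16_t bp;
	uint16_t si;
	uint16_t di;
	uint16_t es;
	uint16_t cs;
	uint16_t ss;
	uint16_t ds;
	uint16_t ldt;
} __attribute__((packed));

struct tss32 {
	uint16_t prev, prevh;
	uint32_t sp0;
	uint16_t ss0, ss0h;
	uint32_t sp1;
	uint16_t ss1, ss1h;
	uint32_t sp2;
	uint16_t ss2, ss2h;
	uint32_t cr3;
	uint32_t ip;
	uint32_t flags;
	uint32_t ax;
	uint32_t cx;
	uint32_t dx;
	uint32_t bx;
	uint32_t sp;
	uint32_t bp;
	uint32_t si;
	uint32_t di;
	uint16_t es, esh;
	uint16_t cs, csh;
	uint16_t ss, ssh;
	uint16_t ds, dsh;
	uint16_t fs, fsh;
	uint16_t gs, gsh;
	uint16_t ldt, ldth;
	uint16_t trace;
	uint16_t io_bitmap;
} __attribute__((packed));

struct tss64 {
	uint32_t reserved0;
	uint64_t rsp[3];
	uint64_t reserved1;
	uint64_t ist[7];
	uint64_t reserved2;
	uint32_t reserved3;
	uint32_t io_bitmap;
} __attribute__((packed));

/*
 * Encode a KVM segment description as an 8-byte x86 descriptor and store it at
 * slot (selector >> 3) of both the GDT (dt) and the LDT (lt); both pointers are
 * host addresses of the guest tables. When seg->g is set, seg->limit is a byte
 * limit and is stored in 4K units.
 *
 * Callers also use this for gate descriptors by passing the target selector in
 * seg->base and the code offset in seg->limit; the bit layout is the one for
 * segment descriptors, so for gates only the low words land where a gate expects
 * them.
 *
 * Fix: limit[19:16] and base[31:24] were shifted by 48 and 56, which moves them
 * past bit 63 of sd and silently drops them (well-defined for uint64_t, but the
 * fields were always zero). The descriptor layout puts them at bits 48-51 and
 * 56-63, i.e. a shift of 32 for both, matching the other fields encoded here.
 */
static void fill_segment_descriptor(uint64_t* dt, uint64_t* lt, struct kvm_segment* seg)
{
	uint16_t index = seg->selector >> 3;
	uint64_t limit = seg->g ? seg->limit >> 12 : seg->limit;
	uint64_t sd = (limit & 0xffff) | (seg->base & 0xffffff) << 16 |
		      (uint64_t)seg->type << 40 | (uint64_t)seg->s << 44 | (uint64_t)seg->dpl << 45 |
		      (uint64_t)seg->present << 47 | (limit & 0xf0000ULL) << 32 | (uint64_t)seg->avl << 52 |
		      (uint64_t)seg->l << 53 | (uint64_t)seg->db << 54 | (uint64_t)seg->g << 55 |
		      (seg->base & 0xff000000ULL) << 32;
	dt[index] = sd;
	lt[index] = sd;
}

/*
 * Like fill_segment_descriptor, for 16-byte (64-bit system) descriptors: the
 * second qword, which would hold base[63:32], is zeroed in both tables.
 */
static void fill_segment_descriptor_dword(uint64_t* dt, uint64_t* lt, struct kvm_segment* seg)
{
	fill_segment_descriptor(dt, lt, seg);
	uint16_t index = seg->selector >> 3;
	dt[index + 1] = 0;
	lt[index + 1] = 0;
}

/*
 * Program the SYSENTER/SYSCALL MSRs of vCPU cpufd. SYSENTER_EIP and LSTAR point
 * at the sysexit/sysret stubs that syz_kvm_setup_cpu writes at ADDR_VAR_SYSEXIT
 * and ADDR_VAR_SYSRET, so a guest syscall returns immediately; STAR carries the
 * kernel code selector in bits 32-47 and the user one in bits 48-63.
 * The ioctl result is not checked (best-effort, like the rest of the harness).
 */
static void setup_syscall_msrs(int cpufd, uint16_t sel_cs, uint16_t sel_cs_cpl3)
{
	char buf[sizeof(struct kvm_msrs) + 5 * sizeof(struct kvm_msr_entry)];
	memset(buf, 0, sizeof(buf));
	struct kvm_msrs* msrs = (struct kvm_msrs*)buf;
	msrs->nmsrs = 5;
	msrs->entries[0].index = MSR_IA32_SYSENTER_CS;
	msrs->entries[0].data = sel_cs;
	msrs->entries[1].index = MSR_IA32_SYSENTER_ESP;
	msrs->entries[1].data = ADDR_STACK0;
	msrs->entries[2].index = MSR_IA32_SYSENTER_EIP;
	msrs->entries[2].data = ADDR_VAR_SYSEXIT;
	msrs->entries[3].index = MSR_IA32_STAR;
	msrs->entries[3].data = ((uint64_t)sel_cs << 32) | ((uint64_t)sel_cs_cpl3 << 48);
	msrs->entries[4].index = MSR_IA32_LSTAR;
	msrs->entries[4].data = ADDR_VAR_SYSRET;
	ioctl(cpufd, KVM_SET_MSRS, msrs);
}

/*
 * Build a 32-entry IDT at ADDR_VAR_IDT for the 32-bit modes and point
 * sregs->idt at it. The entries cycle through six gate kinds: 16-bit
 * interrupt (6) and trap (7) gates, a type-3 entry aimed at the 16-bit task
 * gate selector, 32-bit interrupt (14) and trap (15) gates, and a type-11
 * entry aimed at the 32-bit task gate selector. Every gate's offset is
 * ADDR_VAR_USER_CODE2.
 *
 * Fix: the last arm was `case 6`, which `i % 6` can never produce, so for
 * i = 5, 11, 17, 23 and 29 gate.type and gate.base were read uninitialized
 * by fill_segment_descriptor (undefined behaviour). It is `case 5` now, and
 * gate is zero-initialized so no field is ever indeterminate.
 */
static void setup_32bit_idt(struct kvm_sregs* sregs, char* host_mem, uintptr_t guest_mem)
{
	sregs->idt.base = guest_mem + ADDR_VAR_IDT;
	sregs->idt.limit = 0x1ff;
	uint64_t* idt = (uint64_t*)(host_mem + sregs->idt.base);
	int i;
	for (i = 0; i < 32; i++) {
		struct kvm_segment gate = {0};
		gate.selector = i << 3;
		switch (i % 6) {
		case 0:
			gate.type = 6;
			gate.base = SEL_CS16;
			break;
		case 1:
			gate.type = 7;
			gate.base = SEL_CS16;
			break;
		case 2:
			gate.type = 3;
			gate.base = SEL_TGATE16;
			break;
		case 3:
			gate.type = 14;
			gate.base = SEL_CS32;
			break;
		case 4:
			gate.type = 15;
			gate.base = SEL_CS32;
			break;
		case 5:
			gate.type = 11;
			gate.base = SEL_TGATE32;
			break;
		}
		gate.limit = guest_mem + ADDR_VAR_USER_CODE2;
		gate.present = 1;
		gate.dpl = 0;
		gate.s = 0;
		gate.g = 0;
		gate.db = 0;
		gate.l = 0;
		gate.avl = 0;
		fill_segment_descriptor(idt, idt, &gate);
	}
}

/*
 * Build a 32-entry IDT of 16-byte 64-bit gates (alternating trap type 15 and
 * interrupt type 14) at ADDR_VAR_IDT, all targeting SEL_CS64 at
 * ADDR_VAR_USER_CODE2, and point sregs->idt at it.
 */
static void setup_64bit_idt(struct kvm_sregs* sregs, char* host_mem, uintptr_t guest_mem)
{
	sregs->idt.base = guest_mem + ADDR_VAR_IDT;
	sregs->idt.limit = 0x1ff;
	uint64_t* idt = (uint64_t*)(host_mem + sregs->idt.base);
	int i;
	for (i = 0; i < 32; i++) {
		struct kvm_segment gate = {0};
		gate.selector = (i * 2) << 3;
		gate.type = (i & 1) ? 14 : 15;
		gate.base = SEL_CS64;
		gate.limit = guest_mem + ADDR_VAR_USER_CODE2;
		gate.present = 1;
		gate.dpl = 0;
		gate.s = 0;
		gate.g = 0;
		gate.db = 0;
		gate.l = 0;
		gate.avl = 0;
		fill_segment_descriptor_dword(idt, idt, &gate);
	}
}

/* Fuzzer-supplied guest code: typ selects the operating mode (see syz_kvm_setup_cpu). */
struct kvm_text {
	uintptr_t typ;
	const void* text;
	uintptr_t size;
};

/* One state perturbation; typ % 9 selects what val is applied to. */
struct kvm_opt {
	uint64_t typ;
	uint64_t val;
};

#define KVM_SETUP_PAGING (1 << 0)
#define KVM_SETUP_PAE (1 << 1)
#define KVM_SETUP_PROTECTED (1 << 2)
#define KVM_SETUP_CPL3 (1 << 3)
#define KVM_SETUP_VIRT86 (1 << 4)
#define KVM_SETUP_SMM (1 << 5)
#define KVM_SETUP_VM (1 << 6)

/*
 * Program vCPU a1 of VM a0 with guest memory backed by host_mem (a2), the
 * first entry of the kvm_text array at a3 (a4 entries, only [0] is used),
 * KVM_SETUP_* mode flags (a5) and up to two kvm_opt perturbations (a6/a7).
 * Guest physical memory is 24 pages mapped one memslot each starting at
 * guest physical 0. Returns 0, or -1 when reading or writing the vCPU
 * register state fails. The body continues on the following lines of this page.
 */
static uintptr_t syz_kvm_setup_cpu(uintptr_t a0, uintptr_t a1, uintptr_t a2, uintptr_t a3, uintptr_t a4, uintptr_t a5, uintptr_t a6, uintptr_t a7)
{
	const int vmfd = a0;
	const int cpufd = a1;
	char* const host_mem = (char*)a2;
	const struct kvm_text* const text_array_ptr = (struct kvm_text*)a3;
	const uintptr_t text_count = a4;
	const uintptr_t flags = a5;
	const struct kvm_opt* const opt_array_ptr = (struct kvm_opt*)a6;
	uintptr_t opt_count = a7;
	const uintptr_t page_size = 4 << 10;
	const uintptr_t ioapic_page = 10;
	const uintptr_t guest_mem_size = 24 * page_size;
	const uintptr_t guest_mem = 0;
	(void)text_count;
	int text_type = 0;
	const void* text = 0;
	uintptr_t text_size = 0;
	text_type = text_array_ptr[0].typ;
	text = text_array_ptr[0].text;
	text_size = text_array_ptr[0].size;
	uintptr_t i;
	for (i = 0; i < guest_mem_size / page_size; i++) {
		struct kvm_userspace_memory_region memreg;
		memreg.slot = i;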
memreg.flags = 0; memreg.guest_phys_addr = guest_mem + i * page_size; if (i == ioapic_page) memreg.guest_phys_addr = 0xfec00000; memreg.memory_size = page_size; memreg.userspace_addr = (uintptr_t)host_mem + i * page_size; ioctl(vmfd, KVM_SET_USER_MEMORY_REGION, &memreg); } struct kvm_userspace_memory_region memreg; memreg.slot = 1 + (1 << 16); memreg.flags = 0; memreg.guest_phys_addr = 0x30000; memreg.memory_size = 64 << 10; memreg.userspace_addr = (uintptr_t)host_mem; ioctl(vmfd, KVM_SET_USER_MEMORY_REGION, &memreg); struct kvm_sregs sregs; if (ioctl(cpufd, KVM_GET_SREGS, &sregs)) return -1; struct kvm_regs regs; memset(®s, 0, sizeof(regs)); regs.rip = guest_mem + ADDR_TEXT; regs.rsp = ADDR_STACK0; sregs.gdt.base = guest_mem + ADDR_GDT; sregs.gdt.limit = 256 * sizeof(uint64_t) - 1; uint64_t* gdt = (uint64_t*)(host_mem + sregs.gdt.base); struct kvm_segment seg_ldt; seg_ldt.selector = SEL_LDT; seg_ldt.type = 2; seg_ldt.base = guest_mem + ADDR_LDT; seg_ldt.limit = 256 * sizeof(uint64_t) - 1; seg_ldt.present = 1; seg_ldt.dpl = 0; seg_ldt.s = 0; seg_ldt.g = 0; seg_ldt.db = 1; seg_ldt.l = 0; sregs.ldt = seg_ldt; uint64_t* ldt = (uint64_t*)(host_mem + sregs.ldt.base); struct kvm_segment seg_cs16; seg_cs16.selector = SEL_CS16; seg_cs16.type = 11; seg_cs16.base = 0; seg_cs16.limit = 0xfffff; seg_cs16.present = 1; seg_cs16.dpl = 0; seg_cs16.s = 1; seg_cs16.g = 0; seg_cs16.db = 0; seg_cs16.l = 0; struct kvm_segment seg_ds16 = seg_cs16; seg_ds16.selector = SEL_DS16; seg_ds16.type = 3; struct kvm_segment seg_cs16_cpl3 = seg_cs16; seg_cs16_cpl3.selector = SEL_CS16_CPL3; seg_cs16_cpl3.dpl = 3; struct kvm_segment seg_ds16_cpl3 = seg_ds16; seg_ds16_cpl3.selector = SEL_DS16_CPL3; seg_ds16_cpl3.dpl = 3; struct kvm_segment seg_cs32 = seg_cs16; seg_cs32.selector = SEL_CS32; seg_cs32.db = 1; struct kvm_segment seg_ds32 = seg_ds16; seg_ds32.selector = SEL_DS32; seg_ds32.db = 1; struct kvm_segment seg_cs32_cpl3 = seg_cs32; seg_cs32_cpl3.selector = SEL_CS32_CPL3; seg_cs32_cpl3.dpl = 3; 
struct kvm_segment seg_ds32_cpl3 = seg_ds32; seg_ds32_cpl3.selector = SEL_DS32_CPL3; seg_ds32_cpl3.dpl = 3; struct kvm_segment seg_cs64 = seg_cs16; seg_cs64.selector = SEL_CS64; seg_cs64.l = 1; struct kvm_segment seg_ds64 = seg_ds32; seg_ds64.selector = SEL_DS64; struct kvm_segment seg_cs64_cpl3 = seg_cs64; seg_cs64_cpl3.selector = SEL_CS64_CPL3; seg_cs64_cpl3.dpl = 3; struct kvm_segment seg_ds64_cpl3 = seg_ds64; seg_ds64_cpl3.selector = SEL_DS64_CPL3; seg_ds64_cpl3.dpl = 3; struct kvm_segment seg_tss32; seg_tss32.selector = SEL_TSS32; seg_tss32.type = 9; seg_tss32.base = ADDR_VAR_TSS32; seg_tss32.limit = 0x1ff; seg_tss32.present = 1; seg_tss32.dpl = 0; seg_tss32.s = 0; seg_tss32.g = 0; seg_tss32.db = 0; seg_tss32.l = 0; struct kvm_segment seg_tss32_2 = seg_tss32; seg_tss32_2.selector = SEL_TSS32_2; seg_tss32_2.base = ADDR_VAR_TSS32_2; struct kvm_segment seg_tss32_cpl3 = seg_tss32; seg_tss32_cpl3.selector = SEL_TSS32_CPL3; seg_tss32_cpl3.base = ADDR_VAR_TSS32_CPL3; struct kvm_segment seg_tss32_vm86 = seg_tss32; seg_tss32_vm86.selector = SEL_TSS32_VM86; seg_tss32_vm86.base = ADDR_VAR_TSS32_VM86; struct kvm_segment seg_tss16 = seg_tss32; seg_tss16.selector = SEL_TSS16; seg_tss16.base = ADDR_VAR_TSS16; seg_tss16.limit = 0xff; seg_tss16.type = 1; struct kvm_segment seg_tss16_2 = seg_tss16; seg_tss16_2.selector = SEL_TSS16_2; seg_tss16_2.base = ADDR_VAR_TSS16_2; seg_tss16_2.dpl = 0; struct kvm_segment seg_tss16_cpl3 = seg_tss16; seg_tss16_cpl3.selector = SEL_TSS16_CPL3; seg_tss16_cpl3.base = ADDR_VAR_TSS16_CPL3; seg_tss16_cpl3.dpl = 3; struct kvm_segment seg_tss64 = seg_tss32; seg_tss64.selector = SEL_TSS64; seg_tss64.base = ADDR_VAR_TSS64; seg_tss64.limit = 0x1ff; struct kvm_segment seg_tss64_cpl3 = seg_tss64; seg_tss64_cpl3.selector = SEL_TSS64_CPL3; seg_tss64_cpl3.base = ADDR_VAR_TSS64_CPL3; seg_tss64_cpl3.dpl = 3; struct kvm_segment seg_cgate16; seg_cgate16.selector = SEL_CGATE16; seg_cgate16.type = 4; seg_cgate16.base = SEL_CS16 | (2 << 16); seg_cgate16.limit = 
ADDR_VAR_USER_CODE2; seg_cgate16.present = 1; seg_cgate16.dpl = 0; seg_cgate16.s = 0; seg_cgate16.g = 0; seg_cgate16.db = 0; seg_cgate16.l = 0; seg_cgate16.avl = 0; struct kvm_segment seg_tgate16 = seg_cgate16; seg_tgate16.selector = SEL_TGATE16; seg_tgate16.type = 3; seg_cgate16.base = SEL_TSS16_2; seg_tgate16.limit = 0; struct kvm_segment seg_cgate32 = seg_cgate16; seg_cgate32.selector = SEL_CGATE32; seg_cgate32.type = 12; seg_cgate32.base = SEL_CS32 | (2 << 16); struct kvm_segment seg_tgate32 = seg_cgate32; seg_tgate32.selector = SEL_TGATE32; seg_tgate32.type = 11; seg_tgate32.base = SEL_TSS32_2; seg_tgate32.limit = 0; struct kvm_segment seg_cgate64 = seg_cgate16; seg_cgate64.selector = SEL_CGATE64; seg_cgate64.type = 12; seg_cgate64.base = SEL_CS64; int kvmfd = open("/dev/kvm", O_RDWR); char buf[sizeof(struct kvm_cpuid2) + 128 * sizeof(struct kvm_cpuid_entry2)]; memset(buf, 0, sizeof(buf)); struct kvm_cpuid2* cpuid = (struct kvm_cpuid2*)buf; cpuid->nent = 128; ioctl(kvmfd, KVM_GET_SUPPORTED_CPUID, cpuid); ioctl(cpufd, KVM_SET_CPUID2, cpuid); close(kvmfd); const char* text_prefix = 0; int text_prefix_size = 0; char* host_text = host_mem + ADDR_TEXT; if (text_type == 8) { if (flags & KVM_SETUP_SMM) { if (flags & KVM_SETUP_PROTECTED) { sregs.cs = seg_cs16; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16; sregs.cr0 |= CR0_PE; } else { sregs.cs.selector = 0; sregs.cs.base = 0; } *(host_mem + ADDR_TEXT) = 0xf4; host_text = host_mem + 0x8000; ioctl(cpufd, KVM_SMI, 0); } else if (flags & KVM_SETUP_VIRT86) { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; sregs.cr0 |= CR0_PE; sregs.efer |= EFER_SCE; setup_syscall_msrs(cpufd, SEL_CS32, SEL_CS32_CPL3); setup_32bit_idt(&sregs, host_mem, guest_mem); if (flags & KVM_SETUP_PAGING) { uint64_t pd_addr = guest_mem + ADDR_PD; uint64_t* pd = (uint64_t*)(host_mem + ADDR_PD); pd[0] = PDE32_PRESENT | PDE32_RW | PDE32_USER | PDE32_PS; sregs.cr3 = pd_addr; sregs.cr4 |= CR4_PSE; 
text_prefix = kvm_asm32_paged_vm86; text_prefix_size = sizeof(kvm_asm32_paged_vm86) - 1; } else { text_prefix = kvm_asm32_vm86; text_prefix_size = sizeof(kvm_asm32_vm86) - 1; } } else { sregs.cs.selector = 0; sregs.cs.base = 0; } } else if (text_type == 16) { if (flags & KVM_SETUP_CPL3) { sregs.cs = seg_cs16; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16; text_prefix = kvm_asm16_cpl3; text_prefix_size = sizeof(kvm_asm16_cpl3) - 1; } else { sregs.cr0 |= CR0_PE; sregs.cs = seg_cs16; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16; } } else if (text_type == 32) { sregs.cr0 |= CR0_PE; sregs.efer |= EFER_SCE; setup_syscall_msrs(cpufd, SEL_CS32, SEL_CS32_CPL3); setup_32bit_idt(&sregs, host_mem, guest_mem); if (flags & KVM_SETUP_SMM) { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; *(host_mem + ADDR_TEXT) = 0xf4; host_text = host_mem + 0x8000; ioctl(cpufd, KVM_SMI, 0); } else if (flags & KVM_SETUP_PAGING) { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; uint64_t pd_addr = guest_mem + ADDR_PD; uint64_t* pd = (uint64_t*)(host_mem + ADDR_PD); pd[0] = PDE32_PRESENT | PDE32_RW | PDE32_USER | PDE32_PS; sregs.cr3 = pd_addr; sregs.cr4 |= CR4_PSE; text_prefix = kvm_asm32_paged; text_prefix_size = sizeof(kvm_asm32_paged) - 1; } else if (flags & KVM_SETUP_CPL3) { sregs.cs = seg_cs32_cpl3; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32_cpl3; } else { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; } } else { sregs.efer |= EFER_LME | EFER_SCE; sregs.cr0 |= CR0_PE; setup_syscall_msrs(cpufd, SEL_CS64, SEL_CS64_CPL3); setup_64bit_idt(&sregs, host_mem, guest_mem); sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; uint64_t pml4_addr = guest_mem + ADDR_PML4; uint64_t* pml4 = (uint64_t*)(host_mem + ADDR_PML4); uint64_t pdpt_addr = guest_mem + ADDR_PDP; uint64_t* pdpt = (uint64_t*)(host_mem + 
ADDR_PDP); uint64_t pd_addr = guest_mem + ADDR_PD; uint64_t* pd = (uint64_t*)(host_mem + ADDR_PD); pml4[0] = PDE64_PRESENT | PDE64_RW | PDE64_USER | pdpt_addr; pdpt[0] = PDE64_PRESENT | PDE64_RW | PDE64_USER | pd_addr; pd[0] = PDE64_PRESENT | PDE64_RW | PDE64_USER | PDE64_PS; sregs.cr3 = pml4_addr; sregs.cr4 |= CR4_PAE; if (flags & KVM_SETUP_VM) { sregs.cr0 |= CR0_NE; *((uint64_t*)(host_mem + ADDR_VAR_VMXON_PTR)) = ADDR_VAR_VMXON; *((uint64_t*)(host_mem + ADDR_VAR_VMCS_PTR)) = ADDR_VAR_VMCS; memcpy(host_mem + ADDR_VAR_VMEXIT_CODE, kvm_asm64_vm_exit, sizeof(kvm_asm64_vm_exit) - 1); *((uint64_t*)(host_mem + ADDR_VAR_VMEXIT_PTR)) = ADDR_VAR_VMEXIT_CODE; text_prefix = kvm_asm64_init_vm; text_prefix_size = sizeof(kvm_asm64_init_vm) - 1; } else if (flags & KVM_SETUP_CPL3) { text_prefix = kvm_asm64_cpl3; text_prefix_size = sizeof(kvm_asm64_cpl3) - 1; } else { text_prefix = kvm_asm64_enable_long; text_prefix_size = sizeof(kvm_asm64_enable_long) - 1; } } struct tss16 tss16; memset(&tss16, 0, sizeof(tss16)); tss16.ss0 = tss16.ss1 = tss16.ss2 = SEL_DS16; tss16.sp0 = tss16.sp1 = tss16.sp2 = ADDR_STACK0; tss16.ip = ADDR_VAR_USER_CODE2; tss16.flags = (1 << 1); tss16.cs = SEL_CS16; tss16.es = tss16.ds = tss16.ss = SEL_DS16; tss16.ldt = SEL_LDT; struct tss16* tss16_addr = (struct tss16*)(host_mem + seg_tss16_2.base); memcpy(tss16_addr, &tss16, sizeof(tss16)); memset(&tss16, 0, sizeof(tss16)); tss16.ss0 = tss16.ss1 = tss16.ss2 = SEL_DS16; tss16.sp0 = tss16.sp1 = tss16.sp2 = ADDR_STACK0; tss16.ip = ADDR_VAR_USER_CODE2; tss16.flags = (1 << 1); tss16.cs = SEL_CS16_CPL3; tss16.es = tss16.ds = tss16.ss = SEL_DS16_CPL3; tss16.ldt = SEL_LDT; struct tss16* tss16_cpl3_addr = (struct tss16*)(host_mem + seg_tss16_cpl3.base); memcpy(tss16_cpl3_addr, &tss16, sizeof(tss16)); struct tss32 tss32; memset(&tss32, 0, sizeof(tss32)); tss32.ss0 = tss32.ss1 = tss32.ss2 = SEL_DS32; tss32.sp0 = tss32.sp1 = tss32.sp2 = ADDR_STACK0; tss32.ip = ADDR_VAR_USER_CODE; tss32.flags = (1 << 1) | (1 << 17); 
tss32.ldt = SEL_LDT; tss32.cr3 = sregs.cr3; tss32.io_bitmap = offsetof(struct tss32, io_bitmap); struct tss32* tss32_addr = (struct tss32*)(host_mem + seg_tss32_vm86.base); memcpy(tss32_addr, &tss32, sizeof(tss32)); memset(&tss32, 0, sizeof(tss32)); tss32.ss0 = tss32.ss1 = tss32.ss2 = SEL_DS32; tss32.sp0 = tss32.sp1 = tss32.sp2 = ADDR_STACK0; tss32.ip = ADDR_VAR_USER_CODE; tss32.flags = (1 << 1); tss32.cr3 = sregs.cr3; tss32.es = tss32.ds = tss32.ss = tss32.gs = tss32.fs = SEL_DS32; tss32.cs = SEL_CS32; tss32.ldt = SEL_LDT; tss32.cr3 = sregs.cr3; tss32.io_bitmap = offsetof(struct tss32, io_bitmap); struct tss32* tss32_cpl3_addr = (struct tss32*)(host_mem + seg_tss32_2.base); memcpy(tss32_cpl3_addr, &tss32, sizeof(tss32)); struct tss64 tss64; memset(&tss64, 0, sizeof(tss64)); tss64.rsp[0] = ADDR_STACK0; tss64.rsp[1] = ADDR_STACK0; tss64.rsp[2] = ADDR_STACK0; tss64.io_bitmap = offsetof(struct tss64, io_bitmap); struct tss64* tss64_addr = (struct tss64*)(host_mem + seg_tss64.base); memcpy(tss64_addr, &tss64, sizeof(tss64)); memset(&tss64, 0, sizeof(tss64)); tss64.rsp[0] = ADDR_STACK0; tss64.rsp[1] = ADDR_STACK0; tss64.rsp[2] = ADDR_STACK0; tss64.io_bitmap = offsetof(struct tss64, io_bitmap); struct tss64* tss64_cpl3_addr = (struct tss64*)(host_mem + seg_tss64_cpl3.base); memcpy(tss64_cpl3_addr, &tss64, sizeof(tss64)); if (text_size > 1000) text_size = 1000; if (text_prefix) { memcpy(host_text, text_prefix, text_prefix_size); void* patch = 0; patch = memmem(host_text, text_prefix_size, "\xde\xc0\xad\x0b", 4); if (patch) *((uint32_t*)patch) = guest_mem + ADDR_TEXT + ((char*)patch - host_text) + 6; uint16_t magic = PREFIX_SIZE; patch = 0; patch = memmem(host_text, text_prefix_size, &magic, sizeof(magic)); if (patch) *((uint16_t*)patch) = guest_mem + ADDR_TEXT + text_prefix_size; } memcpy((void*)(host_text + text_prefix_size), text, text_size); *(host_text + text_prefix_size + text_size) = 0xf4; memcpy(host_mem + ADDR_VAR_USER_CODE, text, text_size); *(host_mem + 
ADDR_VAR_USER_CODE + text_size) = 0xf4; *(host_mem + ADDR_VAR_HLT) = 0xf4; memcpy(host_mem + ADDR_VAR_SYSRET, "\x0f\x07\xf4", 3); memcpy(host_mem + ADDR_VAR_SYSEXIT, "\x0f\x35\xf4", 3); *(uint64_t*)(host_mem + ADDR_VAR_VMWRITE_FLD) = 0; *(uint64_t*)(host_mem + ADDR_VAR_VMWRITE_VAL) = 0; if (opt_count > 2) opt_count = 2; for (i = 0; i < opt_count; i++) { uint64_t typ = 0; uint64_t val = 0; typ = opt_array_ptr[i].typ; val = opt_array_ptr[i].val; switch (typ % 9) { case 0: sregs.cr0 ^= val & (CR0_MP | CR0_EM | CR0_ET | CR0_NE | CR0_WP | CR0_AM | CR0_NW | CR0_CD); break; case 1: sregs.cr4 ^= val & (CR4_VME | CR4_PVI | CR4_TSD | CR4_DE | CR4_MCE | CR4_PGE | CR4_PCE | CR4_OSFXSR | CR4_OSXMMEXCPT | CR4_UMIP | CR4_VMXE | CR4_SMXE | CR4_FSGSBASE | CR4_PCIDE | CR4_OSXSAVE | CR4_SMEP | CR4_SMAP | CR4_PKE); break; case 2: sregs.efer ^= val & (EFER_SCE | EFER_NXE | EFER_SVME | EFER_LMSLE | EFER_FFXSR | EFER_TCE); break; case 3: val &= ((1 << 8) | (1 << 9) | (1 << 10) | (1 << 12) | (1 << 13) | (1 << 14) | (1 << 15) | (1 << 18) | (1 << 19) | (1 << 20) | (1 << 21)); regs.rflags ^= val; tss16_addr->flags ^= val; tss16_cpl3_addr->flags ^= val; tss32_addr->flags ^= val; tss32_cpl3_addr->flags ^= val; break; case 4: seg_cs16.type = val & 0xf; seg_cs32.type = val & 0xf; seg_cs64.type = val & 0xf; break; case 5: seg_cs16_cpl3.type = val & 0xf; seg_cs32_cpl3.type = val & 0xf; seg_cs64_cpl3.type = val & 0xf; break; case 6: seg_ds16.type = val & 0xf; seg_ds32.type = val & 0xf; seg_ds64.type = val & 0xf; break; case 7: seg_ds16_cpl3.type = val & 0xf; seg_ds32_cpl3.type = val & 0xf; seg_ds64_cpl3.type = val & 0xf; break; case 8: *(uint64_t*)(host_mem + ADDR_VAR_VMWRITE_FLD) = (val & 0xffff); *(uint64_t*)(host_mem + ADDR_VAR_VMWRITE_VAL) = (val >> 16); break; default: fail("bad kvm setup opt"); } } regs.rflags |= 2; fill_segment_descriptor(gdt, ldt, &seg_ldt); fill_segment_descriptor(gdt, ldt, &seg_cs16); fill_segment_descriptor(gdt, ldt, &seg_ds16); fill_segment_descriptor(gdt, ldt, 
&seg_cs16_cpl3);
/* Tail of syz_kvm_setup_cpu(): its header and most of its body sit above this
 * span. Every descriptor prepared earlier is handed to the fill helpers
 * together with the gdt/ldt pointers; the 64-bit TSSes and the 64-bit call
 * gate use the _dword variant. */
fill_segment_descriptor(gdt, ldt, &seg_ds16_cpl3);
fill_segment_descriptor(gdt, ldt, &seg_cs32);
fill_segment_descriptor(gdt, ldt, &seg_ds32);
fill_segment_descriptor(gdt, ldt, &seg_cs32_cpl3);
fill_segment_descriptor(gdt, ldt, &seg_ds32_cpl3);
fill_segment_descriptor(gdt, ldt, &seg_cs64);
fill_segment_descriptor(gdt, ldt, &seg_ds64);
fill_segment_descriptor(gdt, ldt, &seg_cs64_cpl3);
fill_segment_descriptor(gdt, ldt, &seg_ds64_cpl3);
fill_segment_descriptor(gdt, ldt, &seg_tss32);
fill_segment_descriptor(gdt, ldt, &seg_tss32_2);
fill_segment_descriptor(gdt, ldt, &seg_tss32_cpl3);
fill_segment_descriptor(gdt, ldt, &seg_tss32_vm86);
fill_segment_descriptor(gdt, ldt, &seg_tss16);
fill_segment_descriptor(gdt, ldt, &seg_tss16_2);
fill_segment_descriptor(gdt, ldt, &seg_tss16_cpl3);
fill_segment_descriptor_dword(gdt, ldt, &seg_tss64);
fill_segment_descriptor_dword(gdt, ldt, &seg_tss64_cpl3);
fill_segment_descriptor(gdt, ldt, &seg_cgate16);
fill_segment_descriptor(gdt, ldt, &seg_tgate16);
fill_segment_descriptor(gdt, ldt, &seg_cgate32);
fill_segment_descriptor(gdt, ldt, &seg_tgate32);
fill_segment_descriptor_dword(gdt, ldt, &seg_cgate64);
/* Commit the assembled special and general registers to the vCPU; either
 * ioctl failing makes the whole setup report -1. */
if (ioctl(cpufd, KVM_SET_SREGS, &sregs)) return -1;
/* NOTE(review): "®s" is almost certainly "&regs" mangled by the page
 * extraction (HTML entity for "&reg"); the regs struct is the one whose
 * rflags are adjusted above. Confirm against the original source. */
if (ioctl(cpufd, KVM_SET_REGS, ®s)) return -1;
return 0;
}

/* Return value of every syscall issued by loop(), indexed by the fuzzer's
 * own call numbering; slots for calls that were dropped keep the -1 fill. */
long r[230];

/* Reproducer body. Despite the name it runs the program once: map one fixed
 * region, fill it with syscall arguments via raw stores at absolute
 * addresses, then issue the calls in the recorded order. */
void loop()
{
  /* All bytes 0xff, so every slot reads as -1 -- the same value a failed
   * syscall() returns -- until a real result overwrites it. */
  memset(r, -1, sizeof(r));
  /* Fixed anonymous mapping [0x20000000, 0x20fff000); every absolute
   * address written below lies inside it. prot 0x3 = PROT_READ|PROT_WRITE,
   * flags 0x32 = MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS on x86 Linux. */
  r[0] = syscall(__NR_mmap, 0x20000000ul, 0xfff000ul, 0x3ul, 0x32ul, 0xfffffffffffffffful, 0x0ul);
  /* 0x2055fdc0 is the 6-entry message vector later passed to sendmmsg().
   * Field labels below assume struct msghdr order (name, namelen, iov,
   * iovlen, control, controllen, flags) followed by msg_len; the second
   * header starts at 0x2055fdfc, only 60 bytes later, so its 8-byte fields
   * are 4-byte aligned -- presumably deliberate on the fuzzer's part, since
   * sizeof(struct mmsghdr) is 64 on x86-64. */
  *(uint64_t*)0x2055fdc0 = (uint64_t)0x207ed000;   /* msg_name */
  *(uint32_t*)0x2055fdc8 = (uint32_t)0x80;         /* msg_namelen */
  *(uint64_t*)0x2055fdd0 = (uint64_t)0x20785000;   /* msg_iov */
  *(uint64_t*)0x2055fdd8 = (uint64_t)0x4;          /* msg_iovlen */
  *(uint64_t*)0x2055fde0 = (uint64_t)0x20682bf0;   /* msg_control */
  *(uint64_t*)0x2055fde8 = (uint64_t)0x50;         /* msg_controllen */
  *(uint32_t*)0x2055fdf0 = (uint32_t)0x8000;       /* msg_flags */
  *(uint32_t*)0x2055fdf8 = (uint32_t)0x10001;      /* msg_len */
  /* Second header (the remaining four continue past this span). */
  *(uint64_t*)0x2055fdfc = (uint64_t)0x20000000;
  *(uint32_t*)0x2055fe04 = (uint32_t)0x0;
  *(uint64_t*)0x2055fe0c = (uint64_t)0x2036ef90;
  *(uint64_t*)0x2055fe14 = (uint64_t)0x4;
  *(uint64_t*)0x2055fe1c = (uint64_t)0x209a2000;
*(uint64_t*)0x2055fe24 = (uint64_t)0x0; *(uint32_t*)0x2055fe2c = (uint32_t)0x40081; *(uint32_t*)0x2055fe34 = (uint32_t)0xfffffffffffffffc; *(uint64_t*)0x2055fe38 = (uint64_t)0x20000000; *(uint32_t*)0x2055fe40 = (uint32_t)0x0; *(uint64_t*)0x2055fe48 = (uint64_t)0x2075bfa0; *(uint64_t*)0x2055fe50 = (uint64_t)0x3; *(uint64_t*)0x2055fe58 = (uint64_t)0x20d64e30; *(uint64_t*)0x2055fe60 = (uint64_t)0x20; *(uint32_t*)0x2055fe68 = (uint32_t)0x4880; *(uint32_t*)0x2055fe70 = (uint32_t)0x3; *(uint64_t*)0x2055fe74 = (uint64_t)0x202ed000; *(uint32_t*)0x2055fe7c = (uint32_t)0x10; *(uint64_t*)0x2055fe84 = (uint64_t)0x20a47000; *(uint64_t*)0x2055fe8c = (uint64_t)0x2; *(uint64_t*)0x2055fe94 = (uint64_t)0x20ba8c98; *(uint64_t*)0x2055fe9c = (uint64_t)0x30; *(uint32_t*)0x2055fea4 = (uint32_t)0x8010; *(uint32_t*)0x2055feac = (uint32_t)0x219b; *(uint64_t*)0x2055feb0 = (uint64_t)0x20de3fa0; *(uint32_t*)0x2055feb8 = (uint32_t)0x60; *(uint64_t*)0x2055fec0 = (uint64_t)0x2099e000; *(uint64_t*)0x2055fec8 = (uint64_t)0x3; *(uint64_t*)0x2055fed0 = (uint64_t)0x20acad68; *(uint64_t*)0x2055fed8 = (uint64_t)0x20; *(uint32_t*)0x2055fee0 = (uint32_t)0x880; *(uint32_t*)0x2055fee8 = (uint32_t)0x1ff; *(uint64_t*)0x2055feec = (uint64_t)0x20000000; *(uint32_t*)0x2055fef4 = (uint32_t)0x0; *(uint64_t*)0x2055fefc = (uint64_t)0x20328ff0; *(uint64_t*)0x2055ff04 = (uint64_t)0x1; *(uint64_t*)0x2055ff0c = (uint64_t)0x206ec000; *(uint64_t*)0x2055ff14 = (uint64_t)0x1030; *(uint32_t*)0x2055ff1c = (uint32_t)0x8011; *(uint32_t*)0x2055ff24 = (uint32_t)0x2; *(uint16_t*)0x207ed000 = (uint16_t)0x13; memcpy((void*)0x207ed002, "\xc8\xac\xb0\xce\x24\xd4\xf9\x62\x98\x60\xc3\x60\x77\x63\xad" "\xa3\x87\xa7\x99\xc1\x9e\x6e\xfc\x96\x54\x9e\xe4\xe0\xc8\xaf" "\xd9\x22\xe4\x6a\x41\xe5\x4e\xd7\x2e\x5e\x09\xfe\x32\x93\xd0" "\xc6\xfd\xb2\xc3\x3e\xf0\x89\x9e\x23\x64\xaa\xad\x94\xe5\xe2" "\x2b\x06\x9b\xc3\xc3\x7e\x62\x1f\xfc\xb5\xb9\x8a\xa9\x84\x0b" "\xb1\x71\x19\x44\x23\x49\x35\x1b\x54\x8f\x5a\xbe\x5c\xbd\x61" 
"\xa8\x3b\xcd\x47\xef\xae\x58\x03\x3a\x98\x16\x8b\x4b\x7d\xdf" "\x37\x17\x45\x61\x38\xe2\x2b\x35\x48\x90\x85\x6f\x49\x5e\x57" "\xd9\x7d\xf0\x06\x75\x83", 126); *(uint64_t*)0x20785000 = (uint64_t)0x20862f78; *(uint64_t*)0x20785008 = (uint64_t)0x88; *(uint64_t*)0x20785010 = (uint64_t)0x20eeaf06; *(uint64_t*)0x20785018 = (uint64_t)0xfa; *(uint64_t*)0x20785020 = (uint64_t)0x20da6000; *(uint64_t*)0x20785028 = (uint64_t)0x7; *(uint64_t*)0x20785030 = (uint64_t)0x206a2fb0; *(uint64_t*)0x20785038 = (uint64_t)0x0; memcpy((void*)0x20862f78, "\xfc\x45\x52\x7f\xd0\x5b\x72\x7f\x61\x99\xdf\x81\x61\x8c\xf6" "\xa7\xda\x46\xc5\xb2\xfc\x2e\x68\x3f\xfa\x32\x99\x74\x83\x4c" "\x33\x7e\x06\x6d\x3e\x9e\x77\xb2\x3b\x92\xf0\x80\x1b\x1e\x82" "\x16\xa0\x9e\x00\xc9\xe6\x4b\xda\xcc\xbe\x4d\xe0\xc0\x9d\xd0" "\x19\x9f\x0a\x25\x18\x77\x5f\x80\x8f\x87\xee\x78\xc3\xfd\x71" "\xf9\x31\x7c\x9e\xf5\xbe\x64\xf7\xc1\x4f\x42\xe8\xc7\xab\xb8" "\x19\x36\x14\x2c\x3b\xe4\x99\x2d\x62\x12\x3a\x44\x67\x34\x59" "\x03\xbc\x6a\x5e\x41\x09\x01\x68\xa5\x6a\x2a\x77\xf6\xb6\x93" "\x23\xda\x33\x54\x73\xd5\x6d\xd7\xe6\x32\xda\x96\x6e\x15\x8f" "\x24", 136); memcpy((void*)0x20eeaf06, "\x68\x50\x3e\x57\x2d\x45\xb6\xb2\x80\x8b\x60\x07\x4f\x02\x32" "\x08\x62\x69\xf6\xe2\x61\x22\x79\xa6\x69\x1a\x4d\x7c\xbe\x8d" "\x4a\xa1\x9c\x09\x93\xef\xf8\x3e\x86\x0d\x64\xe1\xd0\x37\xe5" "\x06\xc2\x5e\x73\x0a\x79\x47\xda\x46\x87\xb6\xd8\x6e\x50\x1f" "\xe1\x2b\x1a\xda\xd1\x98\xad\xc1\xe4\x35\x82\x09\x76\x18\x69" "\x33\x90\xf3\xe9\x49\x3c\x37\xbd\x9c\x98\xf7\xd4\x92\x91\x3f" "\xfe\x6c\x22\x12\x9b\x48\xf6\xdc\xaa\x66\x19\xb5\xb0\x8a\xb3" "\x11\x1b\xac\x49\x07\x85\xf6\xa4\x85\x4c\x82\x30\x31\x1a\x74" "\x5c\x74\x9c\xd1\x2f\xa3\x1c\xed\xb6\xe6\x40\x31\x46\x3f\xde" "\x01\x07\xbb\x50\x02\xec\xce\x9e\x5a\xed\x78\xae\x21\x03\x60" "\x7a\x12\xf8\x7c\x33\x97\xab\x69\x49\x44\x7c\xde\x25\x54\x10" "\x37\x82\x87\x5b\x89\x66\x2b\xc5\xd7\xa4\xc1\x01\xcc\x1d\xb6" "\x4a\x5b\xc0\xb8\xf8\xaa\xce\xb4\x4e\xc7\x23\xc0\xe4\x0f\x46" 
"\xdd\x5e\x51\x69\x52\x05\x55\xe6\x58\xb3\x54\x0a\xcc\x6e\xcc" "\xb8\xa9\x38\x36\xcb\x75\x51\xfe\x15\x48\x15\xa6\x24\x8d\x3b" "\x54\x26\xf9\x84\xbe\x07\x19\x92\x3d\x32\xaa\xcc\x55\x52\x59" "\xd8\x04\xdd\xf2\x44\x61\xec\xe4\xef\x19", 250); memcpy((void*)0x20da6000, "\xd5\x7c\x8b\x37\xa9\x48\x77", 7); *(uint64_t*)0x20682bf0 = (uint64_t)0x10; *(uint32_t*)0x20682bf8 = (uint32_t)0x1; *(uint32_t*)0x20682bfc = (uint32_t)0x6; *(uint64_t*)0x20682c00 = (uint64_t)0x10; *(uint32_t*)0x20682c08 = (uint32_t)0x0; *(uint32_t*)0x20682c0c = (uint32_t)0xfffffffffffffff9; *(uint64_t*)0x20682c10 = (uint64_t)0x10; *(uint32_t*)0x20682c18 = (uint32_t)0x116; *(uint32_t*)0x20682c1c = (uint32_t)0x80; *(uint64_t*)0x20682c20 = (uint64_t)0x10; *(uint32_t*)0x20682c28 = (uint32_t)0x11d; *(uint32_t*)0x20682c2c = (uint32_t)0x2d; *(uint64_t*)0x20682c30 = (uint64_t)0x10; *(uint32_t*)0x20682c38 = (uint32_t)0x1ff; *(uint32_t*)0x20682c3c = (uint32_t)0xff; *(uint64_t*)0x2036ef90 = (uint64_t)0x20290000; *(uint64_t*)0x2036ef98 = (uint64_t)0x0; *(uint64_t*)0x2036efa0 = (uint64_t)0x20f67fa0; *(uint64_t*)0x2036efa8 = (uint64_t)0x0; *(uint64_t*)0x2036efb0 = (uint64_t)0x20523000; *(uint64_t*)0x2036efb8 = (uint64_t)0x0; *(uint64_t*)0x2036efc0 = (uint64_t)0x2008e000; *(uint64_t*)0x2036efc8 = (uint64_t)0x0; *(uint64_t*)0x2075bfa0 = (uint64_t)0x2054c000; *(uint64_t*)0x2075bfa8 = (uint64_t)0x86; *(uint64_t*)0x2075bfb0 = (uint64_t)0x20499f22; *(uint64_t*)0x2075bfb8 = (uint64_t)0x0; *(uint64_t*)0x2075bfc0 = (uint64_t)0x2039dd35; *(uint64_t*)0x2075bfc8 = (uint64_t)0xb0; memcpy((void*)0x2054c000, "\x2c\x0b\x23\x53\x2d\x9a\x95\x0b\x0b\x02\x42\xb5\xa0\xdb\x13" "\x92\x66\xdc\xfe\x69\xee\x2f\x1b\xc3\xf4\x79\xc9\x40\x36\x4f" "\xe9\x16\x34\xe9\x4c\x79\x26\xd1\x3e\xad\xf4\x7e\x85\x95\xd7" "\xb3\xae\x3e\x30\xc6\x6c\xb6\x1b\xf1\xa6\xff\x74\x32\x01\xb9" "\xb1\x6f\x62\xc4\x85\xc8\x68\x2d\xf0\x33\xd9\x2f\xe9\xae\x53" "\x88\x92\x62\xc8\xc3\x9f\x9f\xcf\xd4\xbe\x2c\xe2\x0a\x30\x12" 
"\xc8\x53\xb5\xa2\x8d\xfa\x0c\x7a\x23\x5c\xa7\xfb\xfe\xfb\x90" "\xf2\xde\x92\x42\x86\xd3\x90\x74\xc0\xa4\xfb\xc9\xa7\x8e\x9c" "\x9b\x58\x54\x63\xe7\xf8\x9d\xc4\xb7\x83\x27\x53\x41\x33", 134); memcpy((void*)0x2039dd35, "\xa7\xdd\x8f\x07\xa3\xa4\xbc\x89\xc9\xeb\x33\x9e\x7e\x46\x61" "\x67\x1a\x6f\xa2\xfe\xc3\x1d\xcd\x62\xf7\x8f\x54\x29\x95\x32" "\xd7\xdc\x2c\x97\xfb\xe5\x0e\x58\xde\xf7\x82\x62\x74\x11\x79" "\x44\x57\x7c\xda\x39\x68\x4f\x3a\xb5\x12\x20\x8f\x0b\x72\xf3" "\x79\x48\x40\x6a\xa9\xc2\xca\x2f\x8e\x0e\xc4\x24\x2e\x57\xc2" "\x5c\x02\x70\x6d\xcf\xd0\x10\x52\xc2\xf5\xc9\xc0\x0c\x0b\x0f" "\x63\x88\x23\x62\x68\x70\x11\x61\xe9\x28\xaa\xe7\xae\x82\xb4" "\x0b\xc9\xb8\xce\xfc\xac\x74\x85\xe3\xc9\x70\x0b\xef\xcc\x6d" "\xbf\x3c\x6f\x18\xc3\xa5\xb5\x51\x3c\xd8\x39\x90\x02\xe1\x87" "\x5c\x1e\xaf\xf0\xda\xb3\x3d\x92\xba\x00\x66\xfb\xcb\x08\x82" "\x79\xd2\xb0\xac\x31\x2e\xc7\xdb\xaa\x2f\x28\x3f\x67\x79\x5f" "\x79\x20\x32\xec\xb9\xa6\x4e\xc5\xc0\xe8\x5d", 176); *(uint64_t*)0x20d64e30 = (uint64_t)0x10; *(uint32_t*)0x20d64e38 = (uint32_t)0x115; *(uint32_t*)0x20d64e3c = (uint32_t)0x6; *(uint64_t*)0x20d64e40 = (uint64_t)0x10; *(uint32_t*)0x20d64e48 = (uint32_t)0x10d; *(uint32_t*)0x20d64e4c = (uint32_t)0x4; *(uint16_t*)0x202ed000 = (uint16_t)0x307; memcpy((void*)0x202ed002, "\xb2\xc9\x39\xf2\x75\x4a", 6); *(uint8_t*)0x202ed008 = (uint8_t)0x0; *(uint8_t*)0x202ed009 = (uint8_t)0x0; *(uint8_t*)0x202ed00a = (uint8_t)0x0; *(uint8_t*)0x202ed00b = (uint8_t)0x0; *(uint8_t*)0x202ed00c = (uint8_t)0x0; *(uint8_t*)0x202ed00d = (uint8_t)0x0; *(uint8_t*)0x202ed00e = (uint8_t)0x0; *(uint8_t*)0x202ed00f = (uint8_t)0x0; *(uint64_t*)0x20a47000 = (uint64_t)0x20235000; *(uint64_t*)0x20a47008 = (uint64_t)0xa6; *(uint64_t*)0x20a47010 = (uint64_t)0x20831ff0; *(uint64_t*)0x20a47018 = (uint64_t)0x0; memcpy((void*)0x20235000, "\x79\xd9\xfb\xfa\x55\x66\xf2\x61\xb9\xa7\xa9\x02\x8d\x18\x21" "\x90\xca\xe6\x48\x37\x2d\xb2\x1e\x62\x7f\xce\x9e\xfb\xc9\xd0" 
"\x1c\x3c\x8e\xdf\xe9\x91\x2f\xfa\x29\x7d\x8b\x46\xd2\x1b\xc7" "\x3c\x40\xeb\x92\xdb\xfc\xb0\x0b\x4d\xec\xf0\x2c\xe1\x7f\xe3" "\x35\x92\x22\xa9\x6f\x23\xc7\xf2\x34\x1d\xba\x8b\x19\x71\x16" "\x4c\x95\x19\x07\xe1\x14\x60\x02\xe5\x5e\x69\x47\xc0\xa4\xba" "\xc2\x23\xe7\x3e\x80\x1f\xf8\x81\x27\x52\x08\xd3\x50\x1f\xb0" "\x3b\x43\xe2\x73\xf7\xbb\x38\x66\x98\x0f\x9a\xda\xc4\x7c\xcf" "\xef\x49\xaa\x77\xe5\xd5\x99\x83\x3a\x97\x4e\x94\xd6\x43\xe9" "\x48\x51\xdc\xc7\x79\x51\x49\xc1\xd2\x6a\x27\x32\xa0\x65\xc6" "\x37\x76\xe6\x11\xf6\x8b\xff\xc6\xfb\xe1\x67\xf8\x88\x61\xf1" "\x2e", 166); *(uint64_t*)0x20ba8c98 = (uint64_t)0x10; *(uint32_t*)0x20ba8ca0 = (uint32_t)0x12b; *(uint32_t*)0x20ba8ca4 = (uint32_t)0x0; *(uint64_t*)0x20ba8ca8 = (uint64_t)0x10; *(uint32_t*)0x20ba8cb0 = (uint32_t)0x107; *(uint32_t*)0x20ba8cb4 = (uint32_t)0x1000; *(uint64_t*)0x20ba8cb8 = (uint64_t)0x10; *(uint32_t*)0x20ba8cc0 = (uint32_t)0x10f; *(uint32_t*)0x20ba8cc4 = (uint32_t)0x10000; *(uint16_t*)0x20de3fa0 = (uint16_t)0x27; *(uint32_t*)0x20de3fa4 = (uint32_t)0x5b1; *(uint32_t*)0x20de3fa8 = (uint32_t)0x5; *(uint32_t*)0x20de3fac = (uint32_t)0x7; *(uint8_t*)0x20de3fb0 = (uint8_t)0x6; *(uint8_t*)0x20de3fb1 = (uint8_t)0x10001; memcpy((void*)0x20de3fb2, "\x53\x33\x96\x4c\xfb\x47\x0e\x53\x8b\x46\xb3\x83\x50\x74\x0f" "\x49\x3b\xee\x80\x2c\x12\xd2\xe0\xa2\xa0\x7b\x1e\x01\x37\xfb" "\xcf\xad\xf9\xe9\xe7\xd9\xf4\xbe\x68\x93\xf2\x2e\xb2\x4d\xa4" "\xcf\x6a\xec\x0c\x7e\xf1\x8d\xfb\xbe\x6a\x60\xd3\x2b\x3c\x0b" "\x34\x90\x8f", 63); *(uint64_t*)0x20de3ff8 = (uint64_t)0x100000000; *(uint64_t*)0x2099e000 = (uint64_t)0x202efff7; *(uint64_t*)0x2099e008 = (uint64_t)0x0; *(uint64_t*)0x2099e010 = (uint64_t)0x2008a000; *(uint64_t*)0x2099e018 = (uint64_t)0x0; *(uint64_t*)0x2099e020 = (uint64_t)0x2012b000; *(uint64_t*)0x2099e028 = (uint64_t)0xdd; memcpy((void*)0x2012b000, "\x97\x42\xfb\x01\xc8\x22\xaa\x94\x40\x25\xbe\x08\xa2\x6c\x82" "\xe9\x05\xc6\x52\x34\x39\x68\x15\x8f\xdd\xec\x40\x67\xe1\xe9" 
"\x6c\xa2\xf8\xda\x0a\x25\xeb\xe9\xf6\x77\x42\xfc\x52\x0b\x51" "\x84\x46\x25\xdb\xd8\x1e\x42\x4c\xa3\xd2\x97\xb3\x57\x0c\x75" "\xfa\x6f\x91\x03\x15\x52\x38\xf9\x50\x3a\x84\xa1\x49\x3d\x5b" "\xed\x93\x6d\xee\xef\x3f\x1e\x24\x88\x4e\xbf\x52\xa5\xf0\x71" "\x90\xba\xbd\x3c\x1d\xb3\x32\x44\xf0\x40\x8a\xc8\x2f\xf9\x40" "\x7d\x4d\x5f\x3f\x57\x3b\x01\x0d\xd2\x6b\x9f\xb7\x04\x11\x7a" "\xf1\x07\x14\x20\xc0\xd5\xa3\x9a\xe3\x97\x4e\x58\xcf\x0a\xf8" "\xfa\xae\xea\x22\xd7\x09\xf2\x78\x4d\x77\x62\x11\x03\xfa\x3c" "\x56\xd3\x20\x56\xfa\x3b\x8a\x71\x12\xb2\xc9\xd9\xf7\x77\x81" "\x8e\x69\x8c\x83\x12\xbc\x13\x63\xb8\xb1\xfa\x1e\x68\xa9\xd9" "\x80\x2c\x65\x49\xd4\x06\x92\x97\x7f\x4f\x04\xa2\xa3\xca\x01" "\x09\x1d\xc4\x3f\x93\xe1\x56\x8f\xae\x28\xa6\xae\xcb\xa3\x72" "\xaa\x6d\x95\x54\xc7\x76\xea\x84\xfb\xd2\x35", 221); *(uint64_t*)0x20acad68 = (uint64_t)0x10; *(uint32_t*)0x20acad70 = (uint32_t)0x116; *(uint32_t*)0x20acad74 = (uint32_t)0x4; *(uint64_t*)0x20acad78 = (uint64_t)0x10; *(uint32_t*)0x20acad80 = (uint32_t)0x10b; *(uint32_t*)0x20acad84 = (uint32_t)0x3aca; *(uint64_t*)0x20328ff0 = (uint64_t)0x20b24000; *(uint64_t*)0x20328ff8 = (uint64_t)0x0; *(uint64_t*)0x206ec000 = (uint64_t)0x10; *(uint32_t*)0x206ec008 = (uint32_t)0x101; *(uint32_t*)0x206ec00c = (uint32_t)0x100000000; *(uint64_t*)0x206ec010 = (uint64_t)0x10; *(uint32_t*)0x206ec018 = (uint32_t)0x88; *(uint32_t*)0x206ec01c = (uint32_t)0x4; *(uint64_t*)0x206ec020 = (uint64_t)0x1010; *(uint32_t*)0x206ec028 = (uint32_t)0x1ff; *(uint32_t*)0x206ec02c = (uint32_t)0x1; memcpy( (void*)0x206ec030, "\x38\x79\x85\xa7\xf3\x37\xd9\x1d\x7a\xbc\x1b\x18\x8b\x20\x16\x0b" "\xe5\x4d\xd6\xc5\x77\x49\x59\xec\x15\xc7\xcc\x44\xd0\x3e\x7b\x9a" "\xc2\x0f\x03\xa2\x31\x7b\x02\x75\x48\x44\x33\x01\x56\x02\xf7\x80" "\x96\x64\x01\x3d\x4d\xbe\xd6\xf6\x4d\x2a\x0b\xfe\x81\x49\xdc\xfd" "\x92\xf6\x24\xc1\x6f\x69\xbe\x93\x0f\x6e\x6e\xd9\x73\xb8\xcc\x63" "\x8a\x7c\xd4\x61\xac\xdf\x6c\x81\xed\xf1\xf1\x9a\x0d\x85\x0b\x9f" 
"\xf2\x71\x20\xd5\x74\xd0\x80\x6c\x45\x68\x52\x58\xb7\x54\xe7\x2a" "\xf7\x53\xc6\x99\x05\x76\x91\x87\x1b\xee\x88\x79\xfd\x22\x41\xfb" "\x6f\xe7\x50\x33\x60\x9e\xc5\x93\x5a\x18\xc3\x0c\xa0\x79\xc2\xb2" "\x7a\x5f\xeb\x61\xfd\x19\x5c\x2c\xb0\x3a\xfc\x1c\x0f\x45\x03\x97" "\xa8\x5e\x53\x11\xfb\x19\x6a\x13\xe1\x86\x10\x12\xb3\x65\x89\x41" "\x7c\xaa\xb6\xc8\xd5\x9a\xea\xcc\x94\xf0\x66\x12\x77\xc5\xf9\x93" "\x94\x60\x27\xaf\xef\xf0\xe3\xa0\xd3\xda\xf8\x32\x48\x9c\x37\x11" "\x7b\x19\x6a\xf5\x07\x69\x82\x4e\x2b\x34\x3b\xd2\x8e\x9d\x6f\xff" "\xb5\x31\x05\xe2\x02\x99\xff\xd4\xd7\xfb\x49\x52\xef\x24\x92\x32" "\x96\x65\xcd\xf0\xbd\xa6\xbe\xca\x25\x31\xe2\x65\xda\xca\x8a\xbf" "\x6f\xcf\x1f\xcf\x6a\xfa\x95\xb2\x7b\x76\x43\xd0\x94\x4f\x01\x12" "\x9f\xce\xe3\xb4\x33\x8a\xb5\x5a\xc2\xd6\xb6\xb1\x84\x6d\x34\x5c" "\x77\x28\x95\x22\x31\xf9\xb5\xb6\x7e\x84\xc1\xb8\x2a\x57\xde\x80" "\x24\xf0\x8d\x89\x1c\x74\xe9\x72\x75\x98\xb5\xbc\xd7\x33\x4b\xd8" "\x08\x65\x54\x55\x17\x93\x4b\xaf\xe5\x64\xf4\x32\x35\x77\xb7\xa3" "\xf4\x46\xab\x0b\x54\x24\xbd\x07\xa0\x13\x1c\x49\x30\xa4\xf8\x05" "\xa1\x8c\x86\x2d\x4c\xb4\x57\x01\x46\x57\xaa\x2c\x71\x17\x13\x4e" "\xbf\xd4\x57\xc5\xcb\xca\x30\xc3\x97\x49\x91\x28\xeb\x02\xd8\x71" "\x6b\xba\x2c\xb0\x73\x8e\x9f\xcd\x6a\xec\xa9\x87\x46\x05\x54\xac" "\xa1\x74\xf2\x9e\x60\x87\x91\x8c\x73\x53\xeb\x3e\x72\x63\x03\xac" "\x54\x55\x66\x78\x63\xf7\xff\x7e\x39\xf2\xa0\xe8\x46\x8c\x12\x98" "\x50\x6e\x48\xc9\x37\x54\x9d\x64\xf0\x4d\x1b\xde\xe7\x27\xc3\x55" "\xdf\xaf\xb6\x5f\x73\xe1\x3b\xda\x50\xe6\xbc\xda\xb4\x99\x46\x5f" "\xcf\x86\x60\x8c\x3a\x15\x75\x9d\xc8\x4b\x38\xad\xf7\x52\xc5\x34" "\xb7\xcd\xee\x4a\xd8\xd5\xae\x8f\x85\x4d\xcf\x89\xd8\x9f\xed\x8d" "\x88\xae\x6b\xd2\x85\xf4\xc8\xf5\xcf\xc1\xec\x85\x07\x06\x12\x3d" "\x1e\xa1\xf4\xbe\xce\x95\xe3\x72\x12\x51\xc2\x6f\x09\x66\xe3\xc5" "\x96\x9e\xdb\xb2\x6c\x9e\xaf\x21\xe3\x96\xb1\x3e\x5d\xc6\x94\x02" "\x01\x1f\x58\x70\x65\x3d\xf6\x1a\x7b\xad\xe1\xbd\x1a\xed\x3d\xd6" 
"\x16\x3b\x66\xb6\x0e\x9b\xde\xbb\xe3\xf9\x58\x99\x27\x4c\xd4\xe7" "\x28\x2a\x5b\xa6\x95\x2a\xd6\x09\xd8\xbc\xcd\xfa\x71\xef\x2c\x12" "\x9a\x9a\xb8\x24\xe4\xf3\xcf\x4b\x7f\xda\xe6\xe7\x1b\x71\xe1\xf0" "\x1c\x79\xee\x9f\x43\x2e\x42\x38\xc3\xbc\x2c\xa7\x6a\x47\xaf\xdd" "\x53\x78\x51\xfe\x76\xa5\xa1\x6c\xc8\x13\x9c\x7b\x6a\xec\xb2\xd5" "\x5e\xc3\x77\x88\x40\xce\x3f\x79\x08\xcb\x4a\xe8\x2a\xe3\x83\x6f" "\xd6\x6d\xf8\x7a\x6e\x4a\x85\xec\xf7\x76\xea\x2b\xd1\x22\x02\xe7" "\xa3\xc5\x36\x61\x08\x1f\x1a\xa1\xfb\xe1\x2c\x5e\xf7\x3f\xc7\x8d" "\x29\x28\xb7\x12\x58\xd0\x79\xec\x70\x2a\x8d\xad\x6e\x51\x2b\x05" "\x0a\x71\x43\xbc\x99\xb8\xc0\xe3\xcd\x42\xa5\xd3\x32\xcf\x51\xbb" "\xa9\xa6\x48\xbb\xd5\x05\x68\x57\xc9\xd8\x60\xb9\xfc\xf5\x95\xb6" "\x46\x1f\xba\xc0\x2a\x00\xa8\xd0\xb5\x8b\x58\xd9\x26\xb9\x05\x40" "\x94\xa3\x2f\xec\x64\x34\x02\x5e\xc9\x81\x69\xde\xce\xdc\x37\x95" "\xeb\xdb\xc0\x66\xeb\xef\x08\xa9\x7b\xdf\xd4\x9f\xeb\x90\x47\x8e" "\xe8\xd5\x6a\xca\x58\xb9\x62\x77\x63\x79\x64\x3a\x34\x02\xfa\x78" "\x25\xbd\x4d\xcb\xa3\x50\x3f\x82\xfb\xdc\xc9\xfa\xda\x95\xd8\x0f" "\x1c\x6c\x15\x5f\xda\xe7\x8c\x22\x4f\xb6\x80\x70\x5a\x89\xec\xf3" "\x08\x1c\x1d\x69\x4f\x0d\x70\xb5\xb6\x2d\x4b\x48\xbe\xb9\x7e\x6a" "\x4d\xf6\x1a\x19\x4d\x54\xf5\xfb\x3a\xba\x21\xa7\xc4\xfc\xaf\x9b" "\xe1\xba\x6a\x23\x1f\x79\xa6\x4a\xc2\xc3\xaa\x7a\x36\x1d\x84\x80" "\xbe\xff\x2e\x21\x2a\xf8\x88\x05\x0e\x7a\x6e\xb0\x14\x9e\xa3\x27" "\x06\xe8\x9a\x83\xf7\x2c\x5b\x20\xf1\x8a\xcb\xc6\xd2\x49\x6d\xd6" "\xc5\xec\x4c\x94\xfc\x29\x40\xb5\x11\xbd\x87\x21\x1b\x76\xbb\x8b" "\xd4\x2a\xc2\x0f\x0d\xba\xf9\x6a\x51\xec\xa8\x1f\xa2\x89\xc6\xf7" "\x2d\x4e\xd1\x8b\x86\xc6\x27\xbb\xb4\x17\x2a\x5d\x03\xef\x44\x69" "\x19\xb0\x55\x03\xc6\xaf\xd1\xbf\x44\x1a\x56\xfe\xc5\x81\xa0\xeb" "\xda\x61\x36\x0f\x87\xca\x7b\x58\x2c\x5f\x6b\x91\xd5\x0a\x40\xbc" "\x75\xd5\x56\xbc\x4a\x75\xd2\xd3\x43\x72\x60\xa6\xbf\x50\xa2\x36" "\x2b\x39\xbe\x1a\x48\xbc\x8d\x1c\x23\xa0\xca\xca\x3c\x2a\x66\x5a" 
"\x96\xfa\x1c\x93\xe3\x63\xb3\x3b\x51\x6a\x6a\xaf\x6b\xe0\x75\x88" "\x03\x33\xa4\xf7\xba\x89\x54\xf8\xf7\x96\xbe\xbc\xc6\xaf\xe6\x27" "\x3d\x9e\x35\xdd\xab\x94\x93\xb2\x5e\x1f\x53\x18\xd3\x7b\x61\xca" "\xff\x85\x49\x88\xe1\x18\xed\x07\xce\x34\x8a\xc0\x4c\xa0\xc9\x90" "\xdd\x0a\xb6\xed\x34\x88\x76\x11\x6f\x1e\x3f\x58\x0f\x48\x16\x74" "\xa2\x73\xee\xa3\x5e\x18\x03\x3f\x77\xa2\xb2\x52\x4e\xd0\xf7\x9d" "\x0c\x41\xb4\xe9\xaf\x30\xc7\x08\x4d\xfd\x29\x2a\x0e\xa7\xc1\x45" "\x3a\xbc\x6c\xd6\xc2\xce\x9a\x8a\xe1\x74\x02\x08\x41\xcb\x20\x85" "\xa0\x16\x70\x93\x5f\x21\x13\x04\xb3\xf0\x37\x88\x9d\x52\x74\xba" "\x63\x6d\x9e\xa9\x1e\xd5\xe7\x3f\x19\x49\x24\xf2\x13\xa6\x31\x96" "\x01\x21\x92\xe1\xbf\xd3\x33\x19\x71\xde\xb7\xf8\x11\x48\x88\x55" "\x26\x8c\x4f\xa7\x03\xdc\x06\x79\x44\x37\xd3\xc4\x91\x84\x79\xe2" "\x71\x1b\xee\x14\xba\xc9\xfe\xeb\x77\xe1\xbe\x95\xa4\xb3\xcd\x97" "\xe1\x6b\xae\xcc\xa8\x68\x1c\x9a\xd3\xe1\x95\xc1\xeb\x77\x57\xfe" "\xae\x52\xea\x76\xdd\xc6\x43\x83\x23\x77\x47\x95\x74\x58\x79\x16" "\x2a\x6d\x50\xc4\x06\xcf\x62\xca\x4a\x2d\x9d\x32\xc9\xc2\x38\x45" "\xfc\x61\x9b\xc7\x39\x63\x5d\x88\xfe\x4f\xff\xc1\x09\x04\xb7\x90" "\x82\x4d\x0c\x74\x63\x5d\x50\x23\x66\xde\x18\xd8\x01\x96\xe6\x7f" "\xf9\x47\xef\x3e\xaf\x7b\x6d\x22\x3b\x9d\x6a\xf0\x8b\x17\x6a\x8f" "\xce\x86\x5a\x0b\xe3\x14\xeb\x5c\x8b\xbf\xd9\x4f\x0e\x69\x32\xa8" "\xe9\xb9\x46\x74\x89\x8a\xe8\xa2\x93\x26\x0d\xb1\x7a\x52\xe0\x5d" "\x33\x0d\xf6\x1b\x21\x36\xe7\x40\x93\xd9\xfd\x0e\x35\x47\xde\x01" "\x50\x63\xda\xda\x93\x66\xc1\x7e\x1f\x4c\x42\x9d\xe3\x96\x5f\xdf" "\x73\x76\x0b\x0d\xa2\x11\xa8\x2a\x81\xb2\x37\x5e\x2c\x08\x20\xe7" "\x03\x88\x88\x0f\x26\x01\x51\x95\x66\xaa\x6e\xdc\x9d\x19\xdb\x3c" "\xf1\xb5\x76\x4a\x7b\xeb\x43\x62\xbb\x33\x61\x92\x11\x8a\x45\x7c" "\xd6\x81\xd6\xee\xb7\x8f\x8b\x9d\x6c\x64\x91\xe2\xac\x92\x11\x7e" "\x8c\x1b\x3a\xe0\x35\xb4\xcf\x6e\xd3\x92\x86\x7c\xf5\xc0\xe3\x6a" "\x0f\x90\xb0\x6f\x20\xa9\x27\xc9\x3c\xef\xb2\x0a\xe1\x15\x05\x37" 
"\xe2\x9f\x3d\x18\x0c\x42\xcf\x0d\x65\xe6\x91\xd3\x33\x47\xda\xd3" "\x80\x7c\xee\xa5\xf8\x04\x88\x0d\x24\x9e\xa8\x68\x0a\x58\x4e\x1c" "\xea\xfa\xe6\xe7\xa0\x1e\x7c\x54\x41\xaa\x98\x63\x0c\x2f\xe4\x4d" "\x40\xed\x7d\x5e\x7f\xff\x3a\xb4\xb6\xf2\x4d\x40\xbb\x90\xb9\x65" "\x93\xcd\xec\x21\x8d\x61\x1e\x12\x9f\x29\xac\x03\xb1\x4e\x6d\xd1" "\x41\xd8\x51\xd3\x24\x34\x1d\x95\x3e\xbc\xdc\xdd\x5a\xa2\x82\xc0" "\xe1\x30\x56\x76\x09\x2b\xd3\x9a\x81\xa6\x2e\x3f\xfb\xcc\xd4\xe0" "\x65\x24\x43\xa4\x81\xb5\xe8\x2f\xcf\xec\x66\x98\xa0\xb0\x9f\x5e" "\xe2\xa8\xd4\x8f\x30\x16\xa6\x0c\x43\x5d\xf1\x4a\xdb\xe1\xac\x76" "\x58\x4f\xa0\xda\x7e\xd4\x72\x39\xab\xfd\x89\x68\xee\xaa\xcf\xe2" "\x35\xf5\x5b\x95\x63\xe7\x5f\xb8\x15\xdd\x09\x09\x4d\xc9\xbd\x9d" "\x7d\xa9\x54\xb7\xa1\x36\xc4\x06\x4a\xd4\xcb\x0b\xda\x8e\xd2\x1f" "\x6d\x4c\x11\x69\x27\x14\x09\x1f\xca\xf1\x6a\xbb\x7d\x67\xa9\xb9" "\x47\xa8\xa2\xaa\xd3\xf2\xfd\xb3\x81\xfb\x8c\x71\xdb\x28\xfe\xe7" "\xf0\xc4\x24\x35\x06\xba\xce\x02\x40\x1e\xb7\xdf\xb3\xa3\x30\x1e" "\xc0\x40\x05\xe9\x10\xfc\xbc\x1d\x6b\xfd\xbd\x94\x23\xb6\x06\x1e" "\x27\x7b\x66\x72\x3e\xba\x34\x08\x3e\x3f\xf7\xf3\xd6\x02\x9b\xa5" "\x4e\x53\x33\x9c\x3a\x1f\x47\x82\xfe\x9d\x6e\x2f\x26\xa8\x02\x3d" "\x40\x1e\x25\x0d\x7a\xe0\x43\xa1\x57\x48\x91\xbc\x0f\x3c\xee\x4f" "\x3d\x7d\xdc\xa5\xba\xd3\x37\xed\x33\xf9\xa3\xaa\xab\x95\x85\x0a" "\xda\x90\x94\x80\x3b\x85\x79\x7f\xec\x8a\xb7\xdf\xc4\x34\x72\x2b" "\x81\x82\xe1\xa7\xeb\x8c\x4c\x96\xf3\x5e\xbe\x50\xb6\x7e\xe5\x4e" "\x3d\xef\xa4\xf9\x3b\x40\xce\xf0\x76\xd4\x7e\xc7\x55\xb1\xa1\x31" "\x12\xcb\xa6\x34\x3d\x4d\xae\xf7\x11\xc9\x3c\xa3\x97\x74\xe2\xff" "\x4e\xb5\xe9\x49\x74\xe3\x7f\x32\x5c\x6d\x1f\x2f\x5b\xd8\xf5\x9b" "\xbf\x7d\x70\x0e\xf2\x8e\x9e\xa4\x5b\x42\x1f\xfb\x4e\x92\x71\x2e" "\xc4\x64\xc3\x03\x38\xcf\xf8\xd8\x17\xc3\xd6\x8b\xff\xd4\x29\xc9" "\x29\x25\x34\x0b\x10\xd1\x09\x9a\x55\x7f\xce\x94\x20\xb7\x58\x8b" "\x23\xd7\xb5\x37\xcc\x8d\x93\x50\xc5\x23\x23\xda\x74\x0c\x37\xbc" 
"\xd8\xb4\xc1\x9a\xf4\x10\xb7\x9c\x46\xd7\xa2\xe4\x0d\x5e\xc5\xdd" "\xc6\x3e\xc3\xc4\xe1\xbb\x33\x90\x8d\x7e\x09\xc1\xb8\xb9\x2a\x4f" "\x4b\xca\x9e\xb7\x9c\xc8\x38\xee\x4f\x82\xbc\x9a\x76\x13\x83\xa4" "\x95\xcc\x4e\xa7\xfb\xb8\x27\x3d\xcf\xa3\x5b\xea\x9c\x44\x9e\x09" "\xa6\xaf\x8b\x8d\x74\x8f\x50\x9b\xb2\xac\x1b\x95\x0d\xb2\x3f\x8d" "\x5a\xc4\x9e\xae\x88\x7d\x82\x02\xb6\x5f\x2f\x80\xb9\x6b\x25\xd8" "\xbe\x17\x0d\xdc\x9c\x06\x7d\xaf\x06\xe8\x2b\x3e\x4e\x21\xba\x7a" "\x6b\x78\x5e\x12\x5a\x89\x41\x0b\x80\xba\x75\x98\x6a\x8f\xff\x94" "\x9a\x8b\xff\xb5\x2a\x62\x4e\xb6\x6e\x9e\x95\x99\xf4\xc9\x6c\x55" "\xca\xbf\x9b\xee\xe9\xba\x99\xb1\x7c\x85\x32\xf1\x98\x90\x51\x65" "\xca\x2b\x95\x9d\xfd\xc3\x4e\xf3\x8f\x1e\x3c\x89\x20\xa3\xcd\x8c" "\x2b\xf9\xb2\x47\x52\xb9\xa2\xef\xa1\xaa\x2c\x48\xd2\x7c\xc2\x23" "\xed\xcc\x13\x68\x49\xae\x98\x36\x25\xaa\xad\xda\xbf\x14\x3d\x89" "\x69\xac\x9f\xfd\x6f\x11\xa1\x3e\xcd\x08\x45\xd0\x49\xbc\x64\xb2" "\x07\x15\x37\xe7\x38\x55\x64\x36\x95\xf4\xa1\x30\x2e\x82\x95\x0b" "\xf9\x7f\x9c\x3d\x36\xe4\x6b\x8b\x41\x84\xbe\xca\x60\xf5\x98\xbd" "\xb0\x66\x7c\x36\xed\xb4\xbc\x62\x3d\x2b\xbc\xc3\x8a\x14\x6a\x19" "\x64\xad\x43\xf2\xb0\x9a\x1c\xfa\xf9\x37\x22\x7e\xc5\xb9\xd5\x1d" "\x2c\x66\x18\x42\x99\x54\xf4\xde\x8d\x16\xe7\xf8\x6c\x88\x9b\x5f" "\x44\xa6\x5f\x02\x9f\xfb\x81\x4e\xcc\x58\x8c\x0a\x64\x34\xb0\x00" "\x4e\xe9\x84\xf0\xdd\xbf\xbf\x71\x11\x9b\xae\x35\x79\x6f\x63\x0c" "\x56\xb7\x19\xb3\xa2\x7d\xae\x1a\x8c\x1d\x68\x99\xfc\xb6\x6b\x86" "\x36\xfc\x6f\x71\xa1\x85\x31\x03\xfe\x42\xd0\x0b\xa8\xb8\x53\x15" "\x9d\xe2\x4c\x14\x96\x6b\x08\xbe\xce\xbd\xc8\xdf\xe2\x7f\x40\x7b" "\xbb\x70\x62\x6e\x0e\x17\xa6\xad\x08\x3d\x4e\x99\x4f\x71\xad\x26" "\x10\x01\xfd\x3d\x70\x5f\x6b\x8c\xf5\x66\x91\x6b\x9b\x90\x6e\xba" "\xa8\xfe\x5c\xd5\x0e\x31\x3d\x97\x4e\xeb\xb4\x59\x9a\x9a\xce\x92" "\x84\xef\x39\x10\x7d\x41\x65\xa5\x3b\x20\xdb\x4c\xc5\x0f\xf3\x0b" "\x0a\x07\x9f\x6d\x1a\x8a\xa7\xd5\xe8\x44\x54\xd8\xdd\x58\x86\x9d" 
"\xb3\x82\x4c\x4f\xee\xc3\x2d\x84\xc0\xdc\x89\x72\x0f\x32\x40\xbf" "\x0b\x4a\x53\x8b\x8a\xbb\xa8\x95\x9d\x8c\x59\xfc\x4e\x2e\x0a\xa1" "\xa2\xab\x0f\x73\x28\x07\x46\xda\x0a\x13\xbb\xf6\xe1\xd0\xb3\xa7" "\xd6\xa0\xb4\xd9\x8a\xe5\xdb\x7c\x54\x7d\x27\x56\x3f\x43\xf4\xe7" "\x73\x99\xb0\xf0\x1a\x6d\xe7\x19\xcf\x5c\x5b\x17\x9c\x80\xb0\x2a" "\x97\xd4\xbb\x36\x81\x4f\x3f\x78\x3d\x18\x33\x71\x11\x37\xe8\x99" "\x82\xf0\x6a\x51\x11\x91\x2d\x0b\xa2\x64\xa2\xe6\xcc\x96\x51\xc4" "\x84\x78\xb1\x70\xd3\xa8\x96\xd7\xcd\x9b\xed\xac\xc2\xbc\xc0\xd3" "\xd8\x03\x21\x50\x7d\x70\x0f\x85\x94\x35\x75\x23\x42\xb0\x2b\x3c" "\xc0\x17\x52\x0d\xc3\x59\x19\xf5\xf2\x2f\x01\x75\xf7\xc1\x93\x31" "\xc4\xf9\xc0\x50\x2c\xd4\x15\xbe\x81\x07\x04\x88\xc4\xd2\x07\x9e" "\xdf\x3c\x9a\xe9\xdd\xcf\x5a\x58\x41\x8b\x57\x3f\xf2\x65\x23\xd5" "\x47\x09\x18\x5d\x27\x35\x54\x76\x50\x64\x27\xeb\xdd\xed\x7a\x54" "\xd6\x9b\x8f\x72\xcc\xc1\xfa\x1e\x39\x10\xfb\x9e\x1e\xda\x1d\xc9" "\x7e\x46\xac\xe4\x52\x90\x34\xf3\xf7\x7e\x6b\x6e\xc4\xbf\x73\x8c" "\xa9\x92\xcb\xd6\x16\xfb\xf1\x6b\x8e\x67\x5f\x2a\x6e\x80\x89\x5e" "\x84\x68\x1a\xf9\xf6\x5c\x95\x27\x8f\x5e\xdc\xbf\x68\xdc\xec\x21" "\x29\xb3\x37\x77\xb1\x3d\x79\x9c\x22\x56\x75\x7e\x3c\x7b\x87\x0a" "\x7e\xa6\x39\x3d\x45\x24\x6c\x25\x1a\xd0\x7d\xf2\x8d\xa0\x94\xd4" "\xcd\x37\x49\x0d\x36\x76\xfa\xd5\xf9\x47\x9c\xdc\x99\xaf\x5d\xde" "\xa0\x89\xe7\x06\x93\x2c\xd5\x7d\x26\x81\xc5\xfa\xd2\x01\x67\xe2" "\xb3\x87\x02\xfa\x9f\xb2\xa3\x0c\xc4\x7d\x36\x1b\x2c\xd9\x09\x19" "\xd7\x36\xd2\x2a\x48\x22\x8d\x0d\x81\x83\xe9\x7c\x2d\x75\xe9\xef" "\xae\xb9\xd7\xa2\xa6\x75\xc7\xc2\xff\x43\x94\xd1\x68\x61\xa1\x4a" "\x44\x20\xb5\xe7\x55\x3f\x34\xd7\x5c\x8c\x65\x4e\xa2\x5a\x7a\x70" "\x3a\x55\x3a\x0f\x05\x3a\xd3\x4c\xb0\x51\xf9\x00\x38\xad\xca\x90" "\xe9\x04\x09\x02\xa8\xe0\x54\x13\x2d\x15\xad\xc7\x2e\xcc\xdf\xc0" "\x98\xdd\x3c\x59\xa5\x21\xb3\xa3\xd5\x68\x00\x70\x10\x5f\x32\x4b" "\x44\x3f\x3e\x39\xe4\x5f\x1d\x26\xb1\xcd\x95\xbb\x73\xa2\x66\x71" 
"\xbf\xcb\xf9\xf6\x1c\xe7\xa6\x66\x12\xff\x9a\xa0\x5b\x40\xf9\xd0" "\x0c\xf0\x4e\x31\xef\x7b\xdc\x86\x3b\xa1\xaa\xf8\x55\x89\x61\x53" "\xc5\xee\xb8\x4e\x6a\x84\x93\x32\x35\xc7\x89\x13\x26\x18\xd4\x10" "\x6f\xf6\xa6\x62\x42\x1f\xb9\xbf\x28\x57\x46\x41\xa9\xae\xfb\x45" "\xcf\xe6\xd7\x28\x10\x9d\x09\x9e\x64\xde\xf7\x2b\x30\x16\x03\xfd" "\x22\x27\xf0\xa7\xd6\x1d\xca\x6e\x02\xb4\xc2\x11\x0e\xab\x36\x30" "\x08\xda\x7c\x47\x6f\x83\xbc\xbb\x10\xcf\x29\x17\x8d\x5b\x33\x18" "\xc4\x07\x48\xc6\x4e\x9b\x1c\x36\xf6\xd4\x93\x62\xeb\x8d\xba\x67" "\xe6\x40\xf6\x01\x91\x3b\x02\xbe\xc1\x7b\x5a\xa2\x52\x59\x9f\x1a" "\x64\xff\xd6\xf0\xbd\xcd\x37\x64\xe9\x4d\xef\x45\x4e\x6c\x99\x15" "\x64\x2a\xc1\x5d\xe6\xf0\xb7\x2b\x99\xda\x80\x38\xab\x37\x17\x8c" "\x9a\xbe\x2d\xff\xaa\xed\x50\xd2\xd6\xbb\x3a\x75\xa1\x1c\x09\x77" "\xea\xf8\xfa\x40\xcc\x31\xbb\x88\x55\x83\xe3\xa4\x91\x96\x41\xed" "\x0a\xeb\x46\x54\x7c\xec\x54\xa3\xa8\x0c\x68\x95\x80\xe8\xd7\x61" "\x65\xa5\x3b\x8a\x51\xe8\x59\x92\x2b\x60\x86\xbe\xfe\x17\x66\x61" "\xb0\x03\x2e\x4d\xeb\xd2\x2c\x55\x07\x78\x4f\xcc\x06\x61\x24\xb6" "\xc4\xf6\xaf\x12\xe2\x7a\x36\xea\xc1\x9e\x7a\x57\x78\x33\x76\x3e" "\x75\xe0\x1c\x77\x67\x2c\x6c\x3b\x9c\x87\x22\xdc\x51\x86\x7d\xba" "\xe7\x5e\xfe\x12\x8b\x08\x70\xce\xb6\x3c\x17\xa2\xba\xe9\xbb\x26" "\x4d\x86\x3f\xe5\x22\x7f\x42\x15\x3a\x3a\x50\x4e\xe6\x2e\xb7\xb4" "\x4c\x09\xdf\x84\x31\x9c\x77\xfa\x4b\x80\x96\x38\xa6\xcd\x83\x43" "\x4f\xe7\x43\xff\x5e\x65\x14\x5a\x02\x8c\xca\xd4\x19\xaa\x6a\xda" "\x98\xb1\x99\xbc\x69\xd0\x3b\x03\x7f\xfd\x53\xe0\xec\x2c\x74\xb5" "\x77\xb5\xbf\xcf\xd7\xa3\x76\xb3\x3a\x7b\x3e\xee\xd7\x00\xe8\xdd" "\xaa\x90\xdd\x5e\xc1\x3f\x07\xaa\x9d\x55\xfe\x02\xe2\x75\xeb\x3f" "\xd0\x00\x39\xed\x5e\x27\x62\x91\x1c\x9e\x3a\xc2\x7f\x3f\x7a\xc8" "\xcd\x9b\x77\x88\x2d\x36\x69\x5a\xba\x5e\xcc\x2c\xc1\xd5\x77\x17" "\xbc\x9d\x68\x07\x81\x53\x15\xd2\xfb\x17\xcd\x0d\xd8\x3f\x0c\xe4" "\xc3\xe3\xcb\x64\x76\xa4\xc3\x49\x19\x73\x97\xd4\x25\xfe\xfa\xaa" 
"\x01\xd1\xff\x8e\x6c\xa1\xae\xe2\x0a\x1a\x7d\xb5\xa6\xf8\x78\xf4" "\x74\x0c\xe6\xe5\x07\x20\xf8\x19\x20\xdf\x27\x95\x6f\x89\x02\xae" "\x98\x38\xcf\x83\xac\xdf\xf5\xda\x16\x15\xdd\xb4\x34\xe8\x06\x14" "\x1b\x88\xa5\xd5\xc3\xb3\x95\x2c\x99\x9b\x49\xb8\x2e\xa7\xac\x68" "\xd7\x7a\xdd\x05\x51\x16\x52\x92\x77\x26\xec\x1c\xb2\xf2\xa3\xb0" "\x94\xaf\xf0\x21\xb2\x3a\x79\x1d\x8c\x95\x87\x5b\x89\x1b\x17\x67" "\xbf\xf1\x61\xa7\xf3\xdf\x1b\x9d\xe4\x63\x04\x46\x6e\x99\xaa\x53" "\x04\x89\xe0\xe4\x06\xd6\x23\x18\x7e\x3a\xab\x61\xad\x19\x7a\xfc" "\xf4\x8a\x43\xc4\xe3\x4e\xc3\x28\xc7\xe1\x3c\x09\xda\x0c\x3f\x42" "\x0e\x49\xdd\x60\xe6\x05\xcc\x26\x59\x9c\x2d\x25\x15\x13\x7b\x77" "\xca\xe7\xe2\x88\x38\x45\x57\x76\xa5\x29\xf6\xa9\x69\x4d\x80\x3a" "\xa3\x2f\x03\x29\x53\x6a\xd6\xac\x7b\xc4\x8f\x65\x07\xac\x10\x58" "\xd3\x51\xf2\x1f\x7d\x7a\xff\x2f\x02\xe3\x97\xa8\xb0\xdd\xba\xba" "\x25\xa7\x29\x4a\x8a\x68\xc5\xc7\x70\x13\xca\x6a\xd8\x83\x3d\x9c" "\xef\xbe\x43\x4e\xa5\xf7\xa5\x6b\x0e\x7c\x6f\xdb\xd7\xf7\x06\x80" "\xf2\x38\xe5\xd7\x8b\x3d\x0e\x25\xa2\x24\x2f\x5a\x68\x0c\x58\xd1" "\xeb\x0b\xaa\x19\x00\x92\xda\xb9\x1e\xad\xd5\x82\x61\xe0\x66\xe1" "\xea\xf7\xd3\x90\xc9\x6f\x60\x70\x5d\x64\xbd\xd0\x0f\x45\x13\xdd" "\xf4\x4a\xfc\xa4\xb2\x3f\x84\xe1\x67\x10\x25\x75\x02\x08\x9f\x67" "\xd9\x5a\x95\xb6\x73\x64\x0a\x8f\xb5\x96\x4d\x88\xec\x4b\x74\xa1" "\xd2\x48\x88\x4f\xc2\x13\x85\x6b\xe7\xd3\x11\xea\xd4\x38\x1f\x97" "\x61\xd1\xba\xaa\x36\x0d\x9f\xa7\x16\x5a\xcb\x7e\xb2\xf4\xdf\xad" "\x9c\xda\x04\x6c\x0d\x07\xde\x21\x29\xf5\x2b\x07\x44\x61\x7d\x7c" "\x0c\xfa\x7b\xb2\x8f\x4c\x72\x47\xfe\x6b\x22\x02\x5d\xd4\xfb\x5a" "\x56\x32\xd7\xcb\xb7\x32\x2b\x2a\x90\xcd\x07\xb1\xc3\xd2\xd0\x3e" "\xf2\xa4\x9d\x25\x3f\x19\x39\x84\xc7\x41\x38\xb4\x3d\x50\x4b\xb4" "\x23\x2b\xc1\x44\x8c\x52\x41\x68\xae\x7c\x79\x7e\xac\x93\xce\x62" "\xd5\xc9\xfa\x6e\x91\xa8\x14\x0d\xb3\xbc\xcb\xb0\x93\x24\x74\xce" "\xc1\xe2\x14\x26\xa9\x95\x7f\x11\xe7\xcb\x12\x76\x93\xbe\x60\x5c" 
"\x62\xb3\xd6\x24\xbc\xf5\x75\x4a\xb0\x98\x1b\x3d\x75\x33\x20\x0a" "\xa2\x69\xa6\x88\xb0\x9e\xc2\xc7\x53\x3a\xe8\xe4\x15\x43\x5d\xd6" "\x4e\x88\x7b\xac\x1f\xe0\xfb\x24\x69\x62\x5c\x5c\x08\x4b\xac\x7d" "\x35\xb2\x07\xbc\x7b\x01\xf1\x49\xa1\xe0\x12\x06\x5b\x51\xe9\x03" "\x61\xc9\x6a\x6b\x59\x07\x3d\x78\x0f\x1d\xaf\xb7\xf7\x4c\x1f\x36" "\xe2\x24\xe4\x31\xb7\x2b\x00\x7c\x0f\x98\x27\x3d\x10\x89\x0e\xe1" "\x79\x6c\xd2\x2a\xdb\x1b\x99\x3e\x40\x33\x3c\xe6\x4b\x79\x20\x5b" "\x05\x42\x62\x17\x09\x89\x37\x06\xa6\x82\xa3\x25\xc8\xf8\x2f\x38" "\x85\x9e\xac\xfe\xf4\x85\x5d\x9e\xdf\x7f\xa8\x36\xe9\xcf\xe2\x20" "\x68\x60\x5f\x27\x4c\xe4\xef\xa9\xc2\x94\x10\x71\x76\x2b\xe9\x54" "\xb9\x82\xbf\x0c\x8c\x06\x20\xfe\x01\x50\x8a\x9a\x91\x46\x10\x16" "\xb5\xdc\x7e\x28\x92\x85\x27\x88\x5c\xdb\x1f\x56\xeb\x63\xe9\x16" "\xe2\xfc\x08\x9b\x7f\x4c\x5f\xc5\xc6\xd9\x86\x36\x59\x6f\x3a\xa7" "\xb8\xd0\xa9\xef\x3b\x91\xac\xb0\xab\xb3\x5e\xeb\xa7\xe0\x01\xdf" "\x64\x13\x4c\x74\x7f\x05\x6f\xcd\xfe\x35\xd8\x03\x9a\xc3\xfa\x8d" "\x53\x36\x70\xed\x4d\xac\x46\xf8\x71\xb8\x03\x3a\x49\x3d\x78\x78" "\x58\xa1\xc6\x1a\xfc\xcc\xad\xfd\x4b\x92\x2c\xc0\x8f\x0d\xbb\x55" "\xe7\xa5\x77\xb9\x72\x7f\x1e\x3d\x2b\xec\xa2\xf6\x49\xb4\x76" "\x2f", 4096); r[156] = syscall(__NR_sendmmsg, 0xfffffffffffffffful, 0x2055fdc0ul, 0x6ul, 0x4000ul); memcpy((void*)0x20571ff7, "\x2f\x64\x65\x76\x2f\x73\x67\x23\x00", 9); r[158] = syz_open_dev(0x20571ff7ul, 0x0ul, 0x0ul); r[159] = syscall(__NR_socket, 0x10ul, 0x3ul, 0x40000000000000cul); *(uint64_t*)0x205d9000 = (uint64_t)0x20223000; *(uint64_t*)0x205d9008 = (uint64_t)0x39; memcpy((void*)0x20223000, "\x39\x00\x00\x00\x10\x00\x09\x04\x00\x00\x00\x00\x00\x40\x00" "\x00\x07\x00\x00\x4a\x03\x00\x00\x00\x45\x00\x01\x07\x00\x00" "\x00\x14\x19\x00\x0a\x00\x04\x00\x00\x00\x00\x00\x00\x00\x06" "\x08\x00\x03\x00\xff\x09\x00\x00\xff\xe4\x69\x3e", 57); r[163] = syscall(__NR_writev, r[159], 0x205d9000ul, 0x1ul); *(uint32_t*)0x20894000 = (uint32_t)0x0; r[165] = syscall(__NR_getsockopt, 
0xfffffffffffffffful, 0x200ul, 0xfffffffful, 0x207bd000ul, 0x20894000ul); *(uint32_t*)0x208a7f88 = (uint32_t)0x4000000002; *(uint32_t*)0x208a7f8c = (uint32_t)0x78; *(uint8_t*)0x208a7f90 = (uint8_t)0xdc; *(uint8_t*)0x208a7f91 = (uint8_t)0x0; *(uint8_t*)0x208a7f92 = (uint8_t)0x0; *(uint8_t*)0x208a7f93 = (uint8_t)0x0; *(uint32_t*)0x208a7f94 = (uint32_t)0x0; *(uint64_t*)0x208a7f98 = (uint64_t)0x0; *(uint64_t*)0x208a7fa0 = (uint64_t)0x0; *(uint64_t*)0x208a7fa8 = (uint64_t)0x0; *(uint8_t*)0x208a7fb0 = (uint8_t)0xfc; *(uint8_t*)0x208a7fb1 = (uint8_t)0x0; *(uint8_t*)0x208a7fb2 = (uint8_t)0x0; *(uint8_t*)0x208a7fb3 = (uint8_t)0x0; *(uint32_t*)0x208a7fb4 = (uint32_t)0x0; *(uint32_t*)0x208a7fb8 = (uint32_t)0x0; *(uint32_t*)0x208a7fbc = (uint32_t)0x0; *(uint64_t*)0x208a7fc0 = (uint64_t)0x0; *(uint64_t*)0x208a7fc8 = (uint64_t)0x0; *(uint64_t*)0x208a7fd0 = (uint64_t)0x0; *(uint64_t*)0x208a7fd8 = (uint64_t)0x0; *(uint64_t*)0x208a7fe0 = (uint64_t)0x0; *(uint32_t*)0x208a7fe8 = (uint32_t)0x0; *(uint64_t*)0x208a7ff0 = (uint64_t)0x0; *(uint32_t*)0x208a7ff8 = (uint32_t)0x0; *(uint16_t*)0x208a7ffc = (uint16_t)0x0; *(uint16_t*)0x208a7ffe = (uint16_t)0x0; r[193] = syscall(__NR_perf_event_open, 0x208a7f88ul, 0x0ul, 0xfffffffffffffffful, 0xfffffffffffffffful, 0x0ul); memcpy((void*)0x204a4000, "\x2f\x64\x65\x76\x2f\x6b\x76\x6d\x00", 9); r[195] = syscall(__NR_openat, 0xffffffffffffff9cul, 0x204a4000ul, 0x40000ul, 0x0ul); r[196] = syscall(__NR_ioctl, r[195], 0xae01ul, 0x0ul); r[197] = syscall(__NR_ioctl, r[196], 0xae41ul, 0x0ul); *(uint64_t*)0x20cd1fe8 = (uint64_t)0x40; *(uint64_t*)0x20cd1ff0 = (uint64_t)0x20639000; *(uint64_t*)0x20cd1ff8 = (uint64_t)0x3c; memcpy((void*)0x20639000, "\x0f\x20\xd5\x0f\xc7\x58\x68\x65\x3e\x66\x0f\x38\x82\x2f\x66" "\x0f\x38\x82\x0b\x4b\x0f\x07\xed\xb9\x80\x00\x00\xc0\x0f\x32" "\xcb\x00\x01\x00\x00\x0f\xc3\xc4\x23\xb5\x5d\x71\x00\x0b\xab" "\xfd\x37\x37\xb8\x0e\x01\x8f\xe9\x78\xe1\xb5\x00\x00\x00\x80", 60); *(uint64_t*)0x2052dfe0 = (uint64_t)0x7; 
*(uint64_t*)0x2052dfe8 = (uint64_t)0x1000000000000e; *(uint64_t*)0x2052dff0 = (uint64_t)0x8; STORE_BY_BITMASK(uint64_t, 0x2052dff8, 0x0, 0, 1); STORE_BY_BITMASK(uint64_t, 0x2052dff8, 0xa, 1, 5); STORE_BY_BITMASK(uint64_t, 0x2052dff8, 0x0, 6, 4); STORE_BY_BITMASK(uint64_t, 0x2052dff8, 0x0, 10, 2); STORE_BY_BITMASK(uint64_t, 0x2052dff8, 0x0, 12, 1); STORE_BY_BITMASK(uint64_t, 0x2052dff8, 0x2, 13, 2); STORE_BY_BITMASK(uint64_t, 0x2052dff8, 0x0, 15, 1); STORE_BY_BITMASK(uint64_t, 0x2052dff8, 0xf4, 16, 48); r[213] = syz_kvm_setup_cpu(r[196], r[197], 0x2095c000ul, 0x20cd1fe8ul, 0x1ul, 0x44ul, 0x2052dfe0ul, 0x2ul); *(uint32_t*)0x2007cfd0 = (uint32_t)0x1; *(uint32_t*)0x2007cfd4 = (uint32_t)0x0; *(uint32_t*)0x2007cfd8 = (uint32_t)0x4000000b; *(uint32_t*)0x2007cfdc = (uint32_t)0xa6eb; *(uint32_t*)0x2007cfe0 = (uint32_t)0x4; *(uint32_t*)0x2007cfe4 = (uint32_t)0x5; *(uint32_t*)0x2007cfe8 = (uint32_t)0xffffffffffffffff; *(uint32_t*)0x2007cfec = (uint32_t)0x100000000000001; *(uint32_t*)0x2007cff0 = (uint32_t)0xfb; *(uint32_t*)0x2007cff4 = (uint32_t)0x0; *(uint32_t*)0x2007cff8 = (uint32_t)0x0; *(uint32_t*)0x2007cffc = (uint32_t)0x0; r[226] = syscall(__NR_ioctl, r[197], 0x4008ae90ul, 0x2007cfd0ul); r[227] = syscall(__NR_mmap, 0x20000000ul, 0x1000ul, 0x3ul, 0x32ul, 0xfffffffffffffffful, 0x0ul); r[228] = syscall(__NR_ioctl, r[197], 0xae80ul, 0x0ul); r[229] = syscall(__NR_ioctl, r[158], 0xaea2ul, 0x5ul); } int main() { loop(); return 0; }