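// https://syzkaller.appspot.com/bug?id=7fb176a683dd4316b99d28fb1f2db39bf830d1f9
// autogenerated by syzkaller (https://github.com/google/syzkaller)
//
// Structure of this reproducer:
//   main()        maps a fixed scratch region for the syscall arguments and
//                 enters loop().
//   loop()        forks one child per iteration, gives it 5 s, then kills
//                 and reaps it.
//   execute_one() runs the minimised syscall sequence once in the child:
//                 open /dev/input/event2, stage a uinput_user_dev image and
//                 write it to fd -1 (no uinput descriptor is opened in this
//                 program, so that write fails with EBADF), then write
//                 0x2250 bytes whose first byte is 0xe2 to the evdev fd.
//
// NOTE(review): the header names were lost in the copy this was edited from;
// the list below is the standard syzkaller Linux preamble.
#define _GNU_SOURCE
#include <dirent.h>
#include <endian.h>
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

// waitpid() flags: __WALL reaps both clone() and fork() children.
#define WAIT_FLAGS __WALL

enum {
	CHILD_TIMEOUT_MS = 5000,  // how long loop() lets one child run
	POLL_INTERVAL_MS = 10,    // how often loop() checks on the child
};

// Sleep for `ms` milliseconds (thin usleep() wrapper; EINTR is ignored).
static void sleep_ms(uint64_t ms)
{
	usleep(ms * 1000);
}

// Monotonic clock in milliseconds. Exits the process if the clock is unusable.
static uint64_t current_time_ms(void)
{
	struct timespec ts;
	if (clock_gettime(CLOCK_MONOTONIC, &ts))
		exit(1);
	return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}

// Write a formatted string to `file` (opened O_WRONLY|O_CLOEXEC, never
// created). `what` is a printf-style format; pass only literal formats.
// Returns false if the format fails, the file cannot be opened, or the write
// is short; errno from open()/write() is preserved in the last two cases.
__attribute__((format(printf, 2, 3)))
static bool write_file(const char* file, const char* what, ...)
{
	char buf[1024];
	va_list args;
	va_start(args, what);
	int formatted = vsnprintf(buf, sizeof(buf), what, args);
	va_end(args);
	if (formatted < 0)
		return false;
	buf[sizeof(buf) - 1] = 0;  // belt and braces: vsnprintf already terminates
	size_t len = strlen(buf);  // output longer than the buffer is written truncated
	int fd = open(file, O_WRONLY | O_CLOEXEC);
	if (fd == -1)
		return false;
	if (write(fd, buf, len) != (ssize_t)len) {
		int err = errno;  // close() may clobber errno
		close(fd);
		errno = err;
		return false;
	}
	close(fd);
	return true;
}

// syzkaller's syz_open_dev pseudo-syscall.
//
// Two forms, selected by a0:
//   a0 == 0xc or 0xb  open /dev/char/<a1>:<a2> or /dev/block/<a1>:<a2>
//                     (both numbers truncated to 8 bits) read-write;
//   otherwise         a0 is a NUL-terminated path template; each '#' is
//                     replaced by one decimal digit of a1, the leftmost '#'
//                     receiving the least significant digit, and the result
//                     is opened with flags a2 minus O_CREAT.
// Returns the descriptor, or -1 with errno from open().
static long syz_open_dev(volatile long a0, volatile long a1, volatile long a2)
{
	if (a0 == 0xc || a0 == 0xb) {
		char devpath[128];
		snprintf(devpath, sizeof(devpath), "/dev/%s/%d:%d",
		         a0 == 0xc ? "char" : "block", (uint8_t)a1, (uint8_t)a2);
		return open(devpath, O_RDWR, 0);
	}
	unsigned long remaining = a1;
	char path[1024];
	snprintf(path, sizeof(path), "%s", (const char*)a0);
	for (char* hash = strchr(path, '#'); hash; hash = strchr(path, '#')) {
		*hash = '0' + (char)(remaining % 10);
		remaining /= 10;
	}
	return open(path, a2 & ~O_CREAT, 0);
}

// Kill `pid` together with its process group and reap it.
//
// After SIGKILL the child is polled for up to ~100 ms. If it still has not
// been reaped it may be blocked in a FUSE request, so every connection under
// /sys/fs/fuse/connections is aborted before blocking in waitpid() for good.
static void kill_and_wait(pid_t pid, int* status)
{
	kill(-pid, SIGKILL);
	kill(pid, SIGKILL);
	for (int attempt = 0; attempt < 100; attempt++) {
		if (waitpid(-1, status, WNOHANG | WAIT_FLAGS) == pid)
			return;
		usleep(1000);
	}
	DIR* dir = opendir("/sys/fs/fuse/connections");
	if (dir) {
		struct dirent* ent;
		while ((ent = readdir(dir))) {
			if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
				continue;
			char abort[300];
			snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort",
			         ent->d_name);
			int fd = open(abort, O_WRONLY);
			if (fd == -1)
				continue;
			// Any single byte written to the abort attribute triggers the abort;
			// the byte used here is just the first character of the path.
			(void)write(fd, abort, 1);
			close(fd);
		}
		closedir(dir);
	}
	while (waitpid(-1, status, WAIT_FLAGS) != pid) {
	}
}

// Child-side setup: die with the parent, become a process-group leader so
// kill(-pid) in kill_and_wait() reaches any grandchildren, and make this
// process the OOM killer's preferred victim.
static void setup_test(void)
{
	prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
	setpgrp();
	write_file("/proc/self/oom_score_adj", "1000");
}

static void execute_one(void);

// Fork a fresh child for every iteration, forever. Each child runs
// execute_one() once; a child that outlives CHILD_TIMEOUT_MS is killed.
static void loop(void)
{
	for (;;) {
		pid_t pid = fork();
		if (pid < 0)
			exit(1);
		if (pid == 0) {
			setup_test();
			execute_one();
			exit(0);
		}
		int status = 0;
		uint64_t start = current_time_ms();
		for (;;) {
			sleep_ms(POLL_INTERVAL_MS);
			if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
				break;
			if (current_time_ms() - start < CHILD_TIMEOUT_MS)
				continue;
			kill_and_wait(pid, &status);
			break;
		}
	}
}

// Resource table: r[0] holds the evdev descriptor returned by syz_open_dev();
// all-ones means "no resource yet".
uint64_t r[1] = {0xffffffffffffffff};

// Run the reproducer's syscall sequence once (called in the forked child).
// All argument buffers live in the scratch region mapped by main().
static void execute_one(void)
{
	// Marker on stdout so a harness can tell iterations apart; result ignored.
	if (write(1, "executing program\n", sizeof("executing program\n") - 1)) {
	}

	// 1. syz_open_dev$evdev: open /dev/input/event2 ('#' in the template is
	//    replaced by the id, 2). The descriptor is kept in r[0] for step 3.
	memcpy((void*)0x2000000000c0, "/dev/input/event#\000", 18);
	intptr_t res = syz_open_dev(
	    /*dev=*/0x2000000000c0, /*id=*/2,
	    /*flags=O_TRUNC|O_NONBLOCK|O_NOFOLLOW|O_NOCTTY|O_NOATIME|FASYNC|0x800001*/
	    0x862b01);
	if (res != -1)
		r[0] = res;

	// 2. write$uinput_user_dev: stage a 0x45c-byte uinput_user_dev image at
	//    0x200000000400 — name[80], input_id, ff_effects_max, then absmax[64],
	//    absmin[64], absfuzz[64], absflat[64] — and write it to fd -1. No
	//    uinput descriptor is opened in this program, so the write fails with
	//    EBADF; it is kept only so the syscall sequence matches the original.
	memset((void*)0x200000000400, 0, 80);  // name[80]: "syz1", zero padded
	memcpy((void*)0x200000000400, "syz1", 4);
	// input_id { bustype, vendor, product, version }
	*(uint16_t*)0x200000000450 = 7;
	*(uint16_t*)0x200000000452 = 4;
	*(uint16_t*)0x200000000454 = 0x8a;
	*(uint16_t*)0x200000000456 = 0xfffa;
	// ff_effects_max
	*(uint32_t*)0x200000000458 = 0x1d;
	// absmax[64]
	*(uint32_t*)0x20000000045c = 0xafe;
	*(uint32_t*)0x200000000460 = 0xc952;
	*(uint32_t*)0x200000000464 = 0xfffffff3;
	*(uint32_t*)0x200000000468 = 0x4000009;
	*(uint32_t*)0x20000000046c = 0x80;
	*(uint32_t*)0x200000000470 = 9;
	*(uint32_t*)0x200000000474 = 3;
	*(uint32_t*)0x200000000478 = 0x7f;
	*(uint32_t*)0x20000000047c = 4;
	*(uint32_t*)0x200000000480 = 0x50;
	*(uint32_t*)0x200000000484 = 0x39cc191a;
	*(uint32_t*)0x200000000488 = 0x5f;
	*(uint32_t*)0x20000000048c = 0x149;
	*(uint32_t*)0x200000000490 = 0;
	*(uint32_t*)0x200000000494 = 2;
	*(uint32_t*)0x200000000498 = 0xffffff01;
	*(uint32_t*)0x20000000049c = 5;
	*(uint32_t*)0x2000000004a0 = 3;
	*(uint32_t*)0x2000000004a4 = 0xfffffffe;
	*(uint32_t*)0x2000000004a8 = 5;
	*(uint32_t*)0x2000000004ac = 4;
	*(uint32_t*)0x2000000004b0 = 8;
	*(uint32_t*)0x2000000004b4 = 4;
	*(uint32_t*)0x2000000004b8 = 1;
	*(uint32_t*)0x2000000004bc = 0xb;
	*(uint32_t*)0x2000000004c0 = 3;
	*(uint32_t*)0x2000000004c4 = 9;
	*(uint32_t*)0x2000000004c8 = 1;
	*(uint32_t*)0x2000000004cc = 0x1f461e28;
	*(uint32_t*)0x2000000004d0 = 0;
	*(uint32_t*)0x2000000004d4 = 0xe660;
	*(uint32_t*)0x2000000004d8 = 4;
	*(uint32_t*)0x2000000004dc = 7;
	*(uint32_t*)0x2000000004e0 = 0xff;
	*(uint32_t*)0x2000000004e4 = 0x7fff;
	*(uint32_t*)0x2000000004e8 = 0x4c74;
	*(uint32_t*)0x2000000004ec = 6;
	*(uint32_t*)0x2000000004f0 = 0x242;
	*(uint32_t*)0x2000000004f4 = 0x4399;
	*(uint32_t*)0x2000000004f8 = 0x22;
	*(uint32_t*)0x2000000004fc = 0xe23e02c;
	*(uint32_t*)0x200000000500 = 7;
	*(uint32_t*)0x200000000504 = 0xfffffff8;
	*(uint32_t*)0x200000000508 = 5;
	*(uint32_t*)0x20000000050c = 0;
	*(uint32_t*)0x200000000510 = 0;
	*(uint32_t*)0x200000000514 = 0xd;
	*(uint32_t*)0x200000000518 = 0x3e;
	*(uint32_t*)0x20000000051c = 0x8f;
	*(uint32_t*)0x200000000520 = 6;
	*(uint32_t*)0x200000000524 = 0x30000006;
	*(uint32_t*)0x200000000528 = 0xffffffff;  // generator emitted -1
	*(uint32_t*)0x20000000052c = 8;
	*(uint32_t*)0x200000000530 = 4;
	*(uint32_t*)0x200000000534 = 8;
	*(uint32_t*)0x200000000538 = 0x200;
	*(uint32_t*)0x20000000053c = 0x80;
	*(uint32_t*)0x200000000540 = 0;
	*(uint32_t*)0x200000000544 = 2;
	*(uint32_t*)0x200000000548 = 6;
	*(uint32_t*)0x20000000054c = 0xb;
	*(uint32_t*)0x200000000550 = 4;
	*(uint32_t*)0x200000000554 = 0xbd;
	*(uint32_t*)0x200000000558 = 0x40;
	// absmin[64]
	*(uint32_t*)0x20000000055c = 0x10000007;
	*(uint32_t*)0x200000000560 = 0xffff;
	*(uint32_t*)0x200000000564 = 0x4000124;
	*(uint32_t*)0x200000000568 = 0x7ffe;
	*(uint32_t*)0x20000000056c = 0xfffffffd;
	*(uint32_t*)0x200000000570 = 0xfffffff3;
	*(uint32_t*)0x200000000574 = 0x80;
	*(uint32_t*)0x200000000578 = 0xcb;
	*(uint32_t*)0x20000000057c = 0xf6;
	*(uint32_t*)0x200000000580 = 0xd;
	*(uint32_t*)0x200000000584 = 1;
	*(uint32_t*)0x200000000588 = 0x6c9;
	*(uint32_t*)0x20000000058c = 9;
	*(uint32_t*)0x200000000590 = 6;
	*(uint32_t*)0x200000000594 = 3;
	*(uint32_t*)0x200000000598 = 0;
	*(uint32_t*)0x20000000059c = 0x1a;
	*(uint32_t*)0x2000000005a0 = 5;
	*(uint32_t*)0x2000000005a4 = 0;
	*(uint32_t*)0x2000000005a8 = 0xe;
	*(uint32_t*)0x2000000005ac = 0x312;
	*(uint32_t*)0x2000000005b0 = 0x78;
	*(uint32_t*)0x2000000005b4 = 0xea1;
	*(uint32_t*)0x2000000005b8 = 0;
	*(uint32_t*)0x2000000005bc = 2;
	*(uint32_t*)0x2000000005c0 = 8;
	*(uint32_t*)0x2000000005c4 = 0x8004;
	*(uint32_t*)0x2000000005c8 = 9;
	*(uint32_t*)0x2000000005cc = 1;
	*(uint32_t*)0x2000000005d0 = 5;
	*(uint32_t*)0x2000000005d4 = 6;
	*(uint32_t*)0x2000000005d8 = 0x800;
	*(uint32_t*)0x2000000005dc = 0xff;
	*(uint32_t*)0x2000000005e0 = 5;
	*(uint32_t*)0x2000000005e4 = 5;
	*(uint32_t*)0x2000000005e8 = 0x80000000;
	*(uint32_t*)0x2000000005ec = 0x3ff;
	*(uint32_t*)0x2000000005f0 = 0;
	*(uint32_t*)0x2000000005f4 = 2;
	*(uint32_t*)0x2000000005f8 = 2;
	*(uint32_t*)0x2000000005fc = 0xa;
	*(uint32_t*)0x200000000600 = 4;
	*(uint32_t*)0x200000000604 = 6;
	*(uint32_t*)0x200000000608 = 0x28;
	*(uint32_t*)0x20000000060c = 0x7fc;
	*(uint32_t*)0x200000000610 = 6;
	*(uint32_t*)0x200000000614 = 7;
	*(uint32_t*)0x200000000618 = 0x8000;
	*(uint32_t*)0x20000000061c = 0xffffffff;  // generator emitted -1
	*(uint32_t*)0x200000000620 = 0x64;
	*(uint32_t*)0x200000000624 = 0xff7f;
	*(uint32_t*)0x200000000628 = 0xa;
	*(uint32_t*)0x20000000062c = 0x7f;
	*(uint32_t*)0x200000000630 = 9;
	*(uint32_t*)0x200000000634 = 3;
	*(uint32_t*)0x200000000638 = 0xffffffff;  // generator emitted -1
	*(uint32_t*)0x20000000063c = 9;
	*(uint32_t*)0x200000000640 = 1;
	*(uint32_t*)0x200000000644 = 7;
	*(uint32_t*)0x200000000648 = 3;
	*(uint32_t*)0x20000000064c = 9;
	*(uint32_t*)0x200000000650 = 0x48cd3690;
	*(uint32_t*)0x200000000654 = 0x42;
	*(uint32_t*)0x200000000658 = 0x400002;
	// absfuzz[64]
	*(uint32_t*)0x20000000065c = 0x3fc;
	*(uint32_t*)0x200000000660 = 4;
	*(uint32_t*)0x200000000664 = 4;
	*(uint32_t*)0x200000000668 = 0;
	*(uint32_t*)0x20000000066c = 0xfffffffc;
	*(uint32_t*)0x200000000670 = 0x100;
	*(uint32_t*)0x200000000674 = 0x8d2;
	*(uint32_t*)0x200000000678 = 9;
	*(uint32_t*)0x20000000067c = 6;
	*(uint32_t*)0x200000000680 = 0x7fff;
	*(uint32_t*)0x200000000684 = 0x91e3;
	*(uint32_t*)0x200000000688 = 5;
	*(uint32_t*)0x20000000068c = 0xb;
	*(uint32_t*)0x200000000690 = 2;
	*(uint32_t*)0x200000000694 = 5;
	*(uint32_t*)0x200000000698 = 0x800005;
	*(uint32_t*)0x20000000069c = 1;
	*(uint32_t*)0x2000000006a0 = 0x1ef;
	*(uint32_t*)0x2000000006a4 = 5;
	*(uint32_t*)0x2000000006a8 = 9;
	*(uint32_t*)0x2000000006ac = 0x87;
	*(uint32_t*)0x2000000006b0 = 0x80000003;
	*(uint32_t*)0x2000000006b4 = 9;
	*(uint32_t*)0x2000000006b8 = 0x3e7;
	*(uint32_t*)0x2000000006bc = 9;
	*(uint32_t*)0x2000000006c0 = 5;
	*(uint32_t*)0x2000000006c4 = 0x80002;
	*(uint32_t*)0x2000000006c8 = 2;
	*(uint32_t*)0x2000000006cc = 2;
	*(uint32_t*)0x2000000006d0 = 0xc;
	*(uint32_t*)0x2000000006d4 = 3;
	*(uint32_t*)0x2000000006d8 = 0x6d01;
	*(uint32_t*)0x2000000006dc = 1;
	*(uint32_t*)0x2000000006e0 = 0;
	*(uint32_t*)0x2000000006e4 = 0x800003;
	*(uint32_t*)0x2000000006e8 = 0x56a00000;
	*(uint32_t*)0x2000000006ec = 0xa0;
	*(uint32_t*)0x2000000006f0 = 0xf;
	*(uint32_t*)0x2000000006f4 = 0xd;
	*(uint32_t*)0x2000000006f8 = 0x2950bfaf;
	*(uint32_t*)0x2000000006fc = 0x1004;
	*(uint32_t*)0x200000000700 = 0xa2;
	*(uint32_t*)0x200000000704 = 7;
	*(uint32_t*)0x200000000708 = 0xb;
	*(uint32_t*)0x20000000070c = 0x200;
	*(uint32_t*)0x200000000710 = 3;
	*(uint32_t*)0x200000000714 = 0xac8;
	*(uint32_t*)0x200000000718 = 0xbc;
	*(uint32_t*)0x20000000071c = 0x42;
	*(uint32_t*)0x200000000720 = 3;
	*(uint32_t*)0x200000000724 = 0x802;
	*(uint32_t*)0x200000000728 = 0xfffffff9;
	*(uint32_t*)0x20000000072c = 1;
	*(uint32_t*)0x200000000730 = 1;
	*(uint32_t*)0x200000000734 = 1;
	*(uint32_t*)0x200000000738 = 0xffffffff;  // generator emitted -1
	*(uint32_t*)0x20000000073c = 6;
	*(uint32_t*)0x200000000740 = 5;
	*(uint32_t*)0x200000000744 = 0x120000;
	*(uint32_t*)0x200000000748 = 5;
	*(uint32_t*)0x20000000074c = 6;
	*(uint32_t*)0x200000000750 = 0x800aaed;
	*(uint32_t*)0x200000000754 = 0x20;
	*(uint32_t*)0x200000000758 = 0x65;
	// absflat[64]
	*(uint32_t*)0x20000000075c = 9;
	*(uint32_t*)0x200000000760 = 0;
	*(uint32_t*)0x200000000764 = 3;
	*(uint32_t*)0x200000000768 = 0xc;
	*(uint32_t*)0x20000000076c = 5;
	*(uint32_t*)0x200000000770 = 0x938;
	*(uint32_t*)0x200000000774 = 0xb;
	*(uint32_t*)0x200000000778 = 6;
	*(uint32_t*)0x20000000077c = 0;
	*(uint32_t*)0x200000000780 = 5;
	*(uint32_t*)0x200000000784 = 0xce7;
	*(uint32_t*)0x200000000788 = 0x5e;
	*(uint32_t*)0x20000000078c = 2;
	*(uint32_t*)0x200000000790 = 0xf58;
	*(uint32_t*)0x200000000794 = 4;
	*(uint32_t*)0x200000000798 = 3;
	*(uint32_t*)0x20000000079c = 0x101;
	*(uint32_t*)0x2000000007a0 = 0x10000;
	*(uint32_t*)0x2000000007a4 = 6;
	*(uint32_t*)0x2000000007a8 = 4;
	*(uint32_t*)0x2000000007ac = 8;
	*(uint32_t*)0x2000000007b0 = 7;
	*(uint32_t*)0x2000000007b4 = 2;
	*(uint32_t*)0x2000000007b8 = 1;
	*(uint32_t*)0x2000000007bc = 7;
	*(uint32_t*)0x2000000007c0 = 2;
	*(uint32_t*)0x2000000007c4 = 0x14c;
	*(uint32_t*)0x2000000007c8 = 0xc;
	*(uint32_t*)0x2000000007cc = 0x20000e;
	*(uint32_t*)0x2000000007d0 = 6;
	*(uint32_t*)0x2000000007d4 = 6;
	*(uint32_t*)0x2000000007d8 = 0x7fffffff;
	*(uint32_t*)0x2000000007dc = 5;
	*(uint32_t*)0x2000000007e0 = 8;
	*(uint32_t*)0x2000000007e4 = 0xc8;
	*(uint32_t*)0x2000000007e8 = 0x1a;
	*(uint32_t*)0x2000000007ec = 0x1b7;
	*(uint32_t*)0x2000000007f0 = 9;
	*(uint32_t*)0x2000000007f4 = 3;
	*(uint32_t*)0x2000000007f8 = 0x7f;
	*(uint32_t*)0x2000000007fc = 0x100;
	*(uint32_t*)0x200000000800 = 0x9602;
	*(uint32_t*)0x200000000804 = 7;
	*(uint32_t*)0x200000000808 = 1;
	*(uint32_t*)0x20000000080c = 0x8001;
	*(uint32_t*)0x200000000810 = 0x40;
	*(uint32_t*)0x200000000814 = 1;
	*(uint32_t*)0x200000000818 = 0x100a0;
	*(uint32_t*)0x20000000081c = 5;
	*(uint32_t*)0x200000000820 = 6;
	*(uint32_t*)0x200000000824 = 8;
	*(uint32_t*)0x200000000828 = 0xfffffff7;
	*(uint32_t*)0x20000000082c = 0x335e0ac3;
	*(uint32_t*)0x200000000830 = 7;
	*(uint32_t*)0x200000000834 = 1;
	*(uint32_t*)0x200000000838 = 0x6c1b;
	*(uint32_t*)0x20000000083c = 0;
	*(uint32_t*)0x200000000840 = 0x3dfb;
	*(uint32_t*)0x200000000844 = 5;
	*(uint32_t*)0x200000000848 = 0x10001;
	*(uint32_t*)0x20000000084c = 1;
	*(uint32_t*)0x200000000850 = 0xfb;
	*(uint32_t*)0x200000000854 = 0xffbf2441;
	*(uint32_t*)0x200000000858 = 0xfff;
	syscall(__NR_write, /*fd=*/(intptr_t)-1, /*data=*/0x200000000400ul,
	        /*len=*/0x45cul);

	// 3. write$char_usb (as labelled by the generator), issued on the evdev
	//    descriptor from step 1: 0x2250 bytes starting at 0x200000000040,
	//    whose first byte is 0xe2. The range runs to 0x200000002290, so it
	//    also covers the path staged at 0xc0 and the image staged at 0x400;
	//    everything else in it is the untouched zero fill of the mapping.
	memset((void*)0x200000000040, 226, 1);
	syscall(__NR_write, /*fd=*/r[0], /*buf=*/0x200000000040ul,
	        /*count=*/0x2250ul);
}

// Map `len` bytes at exactly `addr` (MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE =
// 0x32, as emitted by the generator) with protection `prot`.
// Returns false, with errno set, if the mapping could not be established.
static bool map_fixed(unsigned long addr, unsigned long len, unsigned long prot)
{
	long ret = syscall(__NR_mmap, addr, len, prot,
	                   /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul,
	                   /*fd=*/(intptr_t)-1, /*offset=*/0ul);
	return ret != -1;
}

int main(void)
{
	// One PROT_NONE page below the scratch region, the 16 MiB scratch region
	// itself (RWX, as generated), and one PROT_NONE page above it; the two
	// outer pages presumably act as guards. Every fixed-address store in
	// execute_one() depends on the middle mapping, so bail out instead of
	// faulting later if any of the three cannot be placed.
	if (!map_fixed(0x1ffffffff000ul, 0x1000ul, /*prot=*/0ul) ||
	    !map_fixed(0x200000000000ul, 0x1000000ul,
	               /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul) ||
	    !map_fixed(0x200001000000ul, 0x1000ul, /*prot=*/0ul))
		exit(1);
	loop();
	return 0;
}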