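// https://syzkaller.appspot.com/bug?id=0b210638616bb68109e9642158d4c0072770ae1c
// autogenerated by syzkaller (https://github.com/google/syzkaller)
//
// Structure of this reproducer (all functions below are the standard
// syzkaller harness except execute_call(), which holds the fuzzed program):
//   main()          -> maps the fixed scratch region, relaxes kernel knobs,
//                      forks 5 worker processes running loop()
//   loop()          -> forks a fresh child per iteration, kills it after 5 s
//   execute_one()   -> hands the 9 syscalls to a small worker-thread pool
//   execute_call()  -> the syscall sequence itself, one case per call
//
// NOTE(review): the header names of the original #include lines were lost
// when this listing was extracted (the angle-bracket text was stripped).
// The list below is reconstructed from the APIs the file visibly uses.

#define _GNU_SOURCE

#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <pthread.h>
#include <signal.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

#include <linux/futex.h>

/* Index of this worker process (0..4), set by main() before each fork. */
static unsigned long long procid;

/* Sleep for `ms` milliseconds. */
static void sleep_ms(uint64_t ms)
{
  usleep(ms * 1000);
}

/* Monotonic clock in milliseconds; the harness exits on clock failure. */
static uint64_t current_time_ms(void)
{
  struct timespec ts;
  if (clock_gettime(CLOCK_MONOTONIC, &ts))
    exit(1);
  return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}

/*
 * Start a detached-by-neglect worker thread with a 128 KiB stack.
 * pthread_create is retried up to 100 times (50 us apart) while it fails
 * with EAGAIN; any other failure, or exhausting the retries, exits the
 * process. The thread handle is deliberately not kept - workers run forever.
 */
static void thread_start(void* (*fn)(void*), void* arg)
{
  pthread_t th;
  pthread_attr_t attr;
  pthread_attr_init(&attr);
  pthread_attr_setstacksize(&attr, 128 << 10);
  int i = 0;
  for (; i < 100; i++) {
    if (pthread_create(&th, &attr, fn, arg) == 0) {
      pthread_attr_destroy(&attr);
      return;
    }
    if (errno == EAGAIN) {
      usleep(50);
      continue;
    }
    break;
  }
  exit(1);
}

/*
 * Minimal one-shot event built on a private futex: `state` is 0 (clear) or
 * 1 (set). Setting an already-set event is treated as a harness bug (exit).
 */
typedef struct {
  int state;
} event_t;

static void event_init(event_t* ev)
{
  ev->state = 0;
}

static void event_reset(event_t* ev)
{
  ev->state = 0;
}

/* Publish state=1 with release ordering and wake every futex waiter. */
static void event_set(event_t* ev)
{
  if (ev->state)
    exit(1);
  __atomic_store_n(&ev->state, 1, __ATOMIC_RELEASE);
  syscall(SYS_futex, &ev->state, FUTEX_WAKE | FUTEX_PRIVATE_FLAG, 1000000);
}

/* Block until the event is set (no timeout). */
static void event_wait(event_t* ev)
{
  while (!__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE))
    syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, 0);
}

static int event_isset(event_t* ev)
{
  return __atomic_load_n(&ev->state, __ATOMIC_ACQUIRE);
}

/*
 * Wait for the event for at most `timeout` ms.
 * Returns 1 if the event became set, 0 on timeout. The futex wait may be
 * woken spuriously, so elapsed time is re-measured on every iteration.
 */
static int event_timedwait(event_t* ev, uint64_t timeout)
{
  uint64_t start = current_time_ms();
  uint64_t now = start;
  for (;;) {
    uint64_t remain = timeout - (now - start);
    struct timespec ts;
    ts.tv_sec = remain / 1000;
    ts.tv_nsec = (remain % 1000) * 1000 * 1000;
    syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, &ts);
    if (__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE))
      return 1;
    now = current_time_ms();
    if (now - start > timeout)
      return 0;
  }
}

/*
 * printf-style write of a short string into `file` (used for /proc and /sys
 * knobs). The formatted text is capped at 1023 bytes. Returns false on open
 * or short write, preserving errno from the failing call.
 */
static bool write_file(const char* file, const char* what, ...)
{
  char buf[1024];
  va_list args;
  va_start(args, what);
  vsnprintf(buf, sizeof(buf), what, args);
  va_end(args);
  buf[sizeof(buf) - 1] = 0;
  int len = strlen(buf);
  int fd = open(file, O_WRONLY | O_CLOEXEC);
  if (fd == -1)
    return false;
  if (write(fd, buf, len) != len) {
    int err = errno;
    close(fd);
    errno = err;
    return false;
  }
  close(fd);
  return true;
}

/*
 * SIGKILL the test child's process group and the child itself, then reap it.
 * The first 100 ms are spent polling with WNOHANG. If the child still has
 * not exited, every FUSE connection under /sys/fs/fuse/connections is
 * aborted - presumably because a task blocked in an unanswered FUSE request
 * cannot otherwise be reaped - and the harness then waits indefinitely.
 */
static void kill_and_wait(int pid, int* status)
{
  kill(-pid, SIGKILL);
  kill(pid, SIGKILL);
  for (int i = 0; i < 100; i++) {
    if (waitpid(-1, status, WNOHANG | __WALL) == pid)
      return;
    usleep(1000);
  }
  DIR* dir = opendir("/sys/fs/fuse/connections");
  if (dir) {
    for (;;) {
      struct dirent* ent = readdir(dir);
      if (!ent)
        break;
      if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
        continue;
      char abort[300];
      snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort", ent->d_name);
      int fd = open(abort, O_WRONLY);
      if (fd == -1) {
        continue;
      }
      /* A single byte (the first char of the path buffer) is written; the
       * content is irrelevant, only the write itself triggers the abort. */
      if (write(fd, abort, 1) < 0) {
      }
      close(fd);
    }
    closedir(dir);
  } else {
  }
  while (waitpid(-1, status, __WALL) != pid) {
  }
}

/*
 * Per-test-child setup: die with the parent, become a process-group leader
 * (so kill_and_wait's kill(-pid) reaches any descendants), and make this
 * process the preferred OOM victim.
 */
static void setup_test()
{
  prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
  setpgrp();
  write_file("/proc/self/oom_score_adj", "1000");
}

/*
 * Relax a set of global kernel knobs so crashes are reported rather than
 * hidden (kptr_restrict=0, backtraces on, printk at debug level, short
 * hung-task interval, etc.). These are system-wide and persist after the
 * reproducer exits. Write failures are ignored because not every file
 * exists on every kernel. A throwaway sleeping child is registered as
 * cad_pid (with ctrl-alt-del=0) and killed once the table is written.
 */
static void setup_sysctl()
{
  int cad_pid = fork();
  if (cad_pid < 0)
    exit(1);
  if (cad_pid == 0) {
    for (;;)
      sleep(100);
  }
  char tmppid[32];
  snprintf(tmppid, sizeof(tmppid), "%d", cad_pid);
  struct {
    const char* name;
    const char* data;
  } files[] = {
      {"/sys/kernel/debug/x86/nmi_longest_ns", "10000000000"},
      {"/proc/sys/kernel/hung_task_check_interval_secs", "20"},
      {"/proc/sys/net/core/bpf_jit_kallsyms", "1"},
      {"/proc/sys/net/core/bpf_jit_harden", "0"},
      {"/proc/sys/kernel/kptr_restrict", "0"},
      {"/proc/sys/kernel/softlockup_all_cpu_backtrace", "1"},
      {"/proc/sys/fs/mount-max", "100"},
      {"/proc/sys/vm/oom_dump_tasks", "0"},
      {"/proc/sys/debug/exception-trace", "0"},
      {"/proc/sys/kernel/printk", "7 4 1 3"},
      {"/proc/sys/kernel/keys/gc_delay", "1"},
      {"/proc/sys/vm/oom_kill_allocating_task", "1"},
      {"/proc/sys/kernel/ctrl-alt-del", "0"},
      {"/proc/sys/kernel/cad_pid", tmppid},
  };
  for (size_t i = 0; i < sizeof(files) / sizeof(files[0]); i++) {
    if (!write_file(files[i].name, files[i].data)) {
    }
  }
  kill(cad_pid, SIGKILL);
  while (waitpid(cad_pid, NULL, 0) != cad_pid)
    ;
}

/*
 * Worker-thread slot. `ready` is signalled by execute_one() when `call`
 * has been assigned; `done` is signalled by the worker when the call
 * returned. A thread whose call never returns keeps `done` clear, so the
 * slot is simply skipped for later calls.
 */
struct thread_t {
  int created, call;
  event_t ready, done;
};

static struct thread_t threads[16];
static void execute_call(int call);
/* Number of calls currently executing across all worker threads. */
static int running;

/* Worker loop: wait for an assignment, run it, report completion. */
static void* thr(void* arg)
{
  struct thread_t* th = (struct thread_t*)arg;
  for (;;) {
    event_wait(&th->ready);
    event_reset(&th->ready);
    execute_call(th->call);
    __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED);
    event_set(&th->done);
  }
  return 0;
}

/*
 * Run the 9 calls of the program in order. Each call is handed to the
 * first idle worker (workers are created lazily with `done` pre-set) and
 * given 50 ms to finish before the next call is dispatched; a call that
 * blocks therefore ties up one of the 16 slots but does not stall the
 * sequence. Afterwards wait up to 100 ms for all outstanding calls.
 */
static void execute_one(void)
{
  if (write(1, "executing program\n", sizeof("executing program\n") - 1)) {
  }
  int i, call, thread;
  for (call = 0; call < 9; call++) {
    for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) {
      struct thread_t* th = &threads[thread];
      if (!th->created) {
        th->created = 1;
        event_init(&th->ready);
        event_init(&th->done);
        event_set(&th->done);
        thread_start(thr, th);
      }
      if (!event_isset(&th->done))
        continue;
      event_reset(&th->done);
      th->call = call;
      __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED);
      event_set(&th->ready);
      event_timedwait(&th->done, 50);
      break;
    }
  }
  for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++)
    sleep_ms(1);
}

static void execute_one(void);

#define WAIT_FLAGS __WALL

/*
 * Outer loop of one worker process: fork a child that runs the program
 * once, poll for it every 10 ms, and kill it if it is still alive after
 * 5 s. Runs forever; the process is only stopped externally.
 */
static void loop(void)
{
  int iter = 0;
  for (;; iter++) {
    int pid = fork();
    if (pid < 0)
      exit(1);
    if (pid == 0) {
      setup_test();
      execute_one();
      exit(0);
    }
    int status = 0;
    uint64_t start = current_time_ms();
    for (;;) {
      sleep_ms(10);
      if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
        break;
      if (current_time_ms() - start < 5000)
        continue;
      kill_and_wait(pid, &status);
      break;
    }
  }
}

/*
 * Resources produced by earlier calls and consumed by later ones:
 *   r[0] = pid returned by getpid (case 2)
 *   r[1] = fd returned by openat("/dev/sequencer") (case 7)
 * Initialised to 0 / -1 so that a failed producer leaves a harmless value.
 */
uint64_t r[2] = {0x0, 0xffffffffffffffff};

/*
 * The fuzzed program. Syscall arguments that live in memory are written to
 * fixed addresses inside the 16 MiB scratch region that main() maps at
 * 0x200000000000. Return values are only captured where a later call needs
 * them. Comments preceding each case are syzkaller's argument description.
 */
void execute_call(int call)
{
  intptr_t res = 0;
  switch (call) {
  case 0:
    /* prlimit64(pid=0, res=RLIMIT_RTPRIO (0xe), new={soft=8, hard=0x8b}, old=NULL) */
    *(uint64_t*)0x200000000140 = 8;
    *(uint64_t*)0x200000000148 = 0x8b;
    syscall(__NR_prlimit64, /*pid=*/0, /*res=RLIMIT_RTPRIO*/ 0xeul, /*new=*/0x200000000140ul, /*old=*/0ul);
    break;
  case 1:
    /* sched_setscheduler(pid=0, policy=SCHED_FIFO (1), prio=&7) */
    *(uint32_t*)0x200000000080 = 7;
    syscall(__NR_sched_setscheduler, /*pid=*/0, /*policy=SCHED_FIFO*/ 1ul, /*prio=*/0x200000000080ul);
    break;
  case 2:
    /* getpid() -> r[0] */
    res = syscall(__NR_getpid);
    if (res != -1)
      r[0] = res;
    break;
  case 3:
    /* sched_setaffinity(pid=0, cpusetsize=0, mask=NULL) */
    syscall(__NR_sched_setaffinity, /*pid=*/0, /*cpusetsize=*/0ul, /*mask=*/0ul);
    break;
  case 4:
    /* sched_setscheduler(pid=r[0], policy=SCHED_RR (2), prio=&6) */
    *(uint32_t*)0x200000000200 = 6;
    syscall(__NR_sched_setscheduler, /*pid=*/r[0], /*policy=SCHED_RR*/ 2ul, /*prio=*/0x200000000200ul);
    break;
  case 5:
    /*
     * mmap(addr=0x200000000000, len=0xb36000, prot=<fuzzed, includes
     * undefined high bits>, flags=MAP_POPULATE|MAP_FIXED|MAP_ANONYMOUS|
     * MAP_SHARED, fd=-1, offset=0x71096000).
     * MAP_FIXED over the start of the scratch region: the addresses used by
     * cases 6..8 (0x200000000240, 0x200000000040, 0x200000000f80) all fall
     * inside this range, so they are re-populated as zeroed shared memory.
     */
    syscall(__NR_mmap, /*addr=*/0x200000000000ul, /*len=*/0xb36000ul, /*prot=PROT_GROWSUP|PROT_SEM|PROT_WRITE|PROT_READ|PROT_EXEC|0xb635773f04ebbee0*/ 0xb635773f06ebbeeful, /*flags=MAP_POPULATE|MAP_FIXED|MAP_ANONYMOUS|MAP_SHARED*/ 0x8031ul, /*fd=*/(intptr_t)-1, /*offset=*/0x71096000ul);
    break;
  case 6:
    /* sched_setaffinity(pid=r[0], cpusetsize=8, mask=&0x2) */
    *(uint64_t*)0x200000000240 = 2;
    syscall(__NR_sched_setaffinity, /*pid=*/r[0], /*cpusetsize=*/8ul, /*mask=*/0x200000000240ul);
    break;
  case 7:
    /* openat(fd=0xffffffffffffff9c, "/dev/sequencer", O_LARGEFILE|O_RDWR, 0) -> r[1] */
    memcpy((void*)0x200000000040, "/dev/sequencer\000", 15);
    res = syscall(__NR_openat, /*fd=*/0xffffffffffffff9cul, /*file=*/0x200000000040ul, /*flags=O_LARGEFILE|O_RDWR*/ 0x8002, /*mode=*/0);
    if (res != -1)
      r[1] = res;
    break;
  case 8:
    /*
     * write$P9_RSTATu(fd=r[1], data, size=0x667).
     * The "$P9_RSTATu" suffix is only syzkaller's descriptor name for the
     * data layout; the fd actually written is the /dev/sequencer handle
     * from case 7. data is ptr[inout, array[ANYUNION]]: a 0x67f-byte
     * ANYBLOB (the memcpy below, identical to the hex dump syzkaller
     * printed here) followed by three 4-byte ANYRES32 slots at offsets
     * 0x67f, 0x683 and 0x687 (the three stores after the memcpy). Note that
     * only 0x667 bytes are passed to write(), less than the blob itself,
     * so the resource slots are outside the written range.
     */
    memcpy(
        (void*)0x200000000f80,
        "\x67\x06\x00\x00\x7d\x00\x00\x00\x05\xb5\x02\x00\x00\x00\x00\x00\x00"
        "\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
        "\x00\x00\x00\x00\xff\xff\xff\xff\x00\x00\x00\x00\x00\x00\x00\x00\x2e"
        "\x00\x04\x6e\x6f\x64\x5a\x3d\xbf\x64\x02\x37\xfc\x62\x25\xff\xff\xff"
        "\x80\x05\x00\x00\x00\x00\x00\x00\xff\x03\xff\x92\xe9\x16\x00\x05\x9b"
        "\x65\x71\x2c\x93\xcb\x3d\xb6\xc2\x31\xd1\x19\xaa\xa1\x9a\x00\x70\x02"
        "\x00\x7d\xfa\x67\x3e\xff\xeb\x09\xb5\x35\x1f\x9e\xde\x05\x4a\x00\x00"
        "\x00\x00\x18\x7b\x82\xd9\xb5\x69\x28\xfb\xbf\x0b\x00\x00\x2b\x59\x5f"
        "\xcb\x14\xa8\xf3\x0e\x26\xe5\x26\xab\xc1\x80\x6a\x42\xde\x7a\xdc\x81"
        "\x06\xb4\x94\xe1\x8d\xb5\x7f\xc1\xac\x8d\x06\x85\x95\xf0\x1c\x1c\xbe"
        "\x05\xc2\x76\x16\x2f\x81\xb4\x07\xe5\x0d\xb6\x93\x39\x67\x21\xf3\xed"
        "\x9c\xe2\x01\x9e\xe6\xa9\x46\xe3\xa5\x5a\x1b\x40\xee\xb9\x3a\xc2\x9f"
        "\x37\x5b\x5a\xfd\xf1\xdf\x11\x2c\x9a\xaf\xd3\x69\x94\xe1\x65\xb3\x3a"
        "\xf7\x86\xc5\x34\x05\x87\x5d\x37\xa0\x45\x22\x17\x8b\x37\x50\x9e\x73"
        "\xc7\x02\x5f\xc4\x13\xc7\xd1\x2a\x80\x86\x3f\x70\x23\x68\x66\x8d\x35"
        "\x00\xcf\x60\x37\x2d\x61\xcc\xea\xb8\xc8\x86\x41\xeb\x93\xb4\xcc\xf6"
        "\x00\x2a\xb8\x7b\xfc\x01\x27\x96\x09\x3f\x68\x30\x5c\x4d\x22\x28\x39"
        "\xe4\x46\x1a\xb6\x2a\xeb\x84\x1f\x20\x83\x7e\x01\x08\xe2\xe7\x48\x50"
        "\x1c\x51\x48\x85\x01\xf8\xf6\x69\xfb\x71\x6d\x9a\xc6\x5b\x94\x08\x67"
        "\x8c\x2c\x3b\x9e\x1d\x52\xc3\x6c\xde\x7b\xa4\xa4\x00\xb4\xb0\xb4\xf1"
        "\x74\xa6\x66\xa8\x52\x9a\x45\x1b\x34\x07\xdb\xda\xb2\x88\x4b\xaf\x05"
        "\x00\x00\x00\x00\x00\x00\x00\x47\xec\x21\xca\xbf\xf2\x0f\x9c\x1c\xbe"
        "\x36\xf4\xfd\x1a\x4c\xdb\x80\xe8\xd4\x07\x00\x00\x00\x37\x00\x87\x0f"
        "\x46\x42\xe4\xc5\xde\x87\x14\xa2\xb0\x84\x4c\x23\x45\xd8\xdf\x49\xd7"
        "\x00\xef\xc4\x52\xaf\xb5\x46\x9e\xaa\xd2\xc8\x85\x7a\x35\x24\x46\xae"
        "\x2b\x4e\xa7\x08\xfa\x22\xc6\xde\x48\x82\xe3\x46\x41\x51\xdf\x43\xbe"
        "\x5a\x27\x9a\x95\xf2\xa9\x00\x17\x44\xa9\x74\x53\x58\x46\xe1\x3e\x2d"
        "\x0c\xb4\x9e\x4a\x0f\xa1\x75\x33\x43\xb8\xa3\xc0\xaf\xca\xe6\x2c\xc4"
        "\x29\xc0\xec\x7d\x64\x54\x00\x00\x42\x8d\x58\x9d\x75\x9f\x61\x7e\xa1"
        "\x95\x22\xc6\x2f\x19\x24\x80\x11\x9b\x28\x01\xc9\xc1\x04\x14\x05\x60"
        "\xf2\x0d\x38\x59\x0a\x81\x98\x2a\x94\x90\xb3\x95\xe9\x00\x74\x0b\xdc"
        "\x1a\xb0\x38\x77\x26\x41\x9b\xff\xd5\xc7\x73\x7d\x4c\x2a\x17\xb9\x2f"
        "\x18\xed\xc9\x9c\x10\x99\xe4\x0f\x13\xd8\x28\x04\x9f\x3c\x5b\x3a\x7f"
        "\xe0\x30\xd9\xc7\x8a\xea\x99\x03\xaf\x14\x23\x55\xf5\x49\xab\xb3\xf7"
        "\xb4\x0b\xb0\x10\x22\x2b\x4f\xed\xec\xd3\x0e\xa3\x9e\xc4\x39\x66\x47"
        "\x22\x61\xb0\xd5\xab\x65\x14\x43\x6a\xc3\xb9\x70\x6e\x01\xeb\xfe\x5e"
        "\x0b\xb3\x34\x77\xd1\xcf\x78\xe0\x6c\x5c\xd5\x83\xa4\x9b\x33\x6a\x56"
        "\xba\xb2\x35\x90\xba\x87\x0f\xc2\x45\x74\xbf\xf1\x8c\xb5\x81\x92\xde"
        "\x74\x25\x3e\xde\xab\xcc\x0a\x02\xcd\xc7\xd4\x3e\xc4\x84\x88\x0e\xa7"
        "\xfb\xc4\x80\x65\x22\xc7\x8e\x1f\xa7\x06\xda\x87\x08\xea\x51\x7e\x5c"
        "\x8b\x5f\x2a\x10\x77\xf6\xf6\xf3\xdd\x60\xfd\xf9\x42\x22\xe9\xa2\x67"
        "\x2f\x80\x3a\x9d\x03\x6f\x64\x65\x76\x2f\x6e\xb1\x7b\x23\x00\xf9\xda"
        "\xa5\xee\x23\x26\x6e\xcf\x85\xfe\xa6\x5e\x42\xd9\x79\xa3\xf7\xe5\xf4"
        "\x75\xda\xf0\x3b\x11\x72\xd9\x7b\xad\xc7\x09\x5a\xfd\x76\xfe\x4f\x0c"
        "\x41\xf7\xf7\x74\x1e\xac\x03\x00\x00\xec\xff\x00\x00\xdb\xa0\xc2\xf7"
        "\xf0\x9f\xf5\x3c\x7e\x4d\x1a\xd6\x6e\x2d\x07\x01\x98\x01\x9f\x30\x11"
        "\x84\x47\xaa\x75\xf8\x24\x6b\xcc\x42\xea\xa8\xc6\x31\xc0\xc5\x00\x95"
        "\x9a\x74\xf5\x16\x85\xf5\x06\xae\x89\x48\x06\x87\x82\x67\xd5\xa1\x29"
        "\x8d\x79\x2c\x4a\x37\xf2\xe1\xcb\xbd\x24\x82\x92\x9a\x0d\x89\x72\xb5"
        "\xcf\x73\x2e\xa5\xb0\xd7\x23\x85\x93\xae\xd3\xb4\x2e\xe7\xca\xc0\x7d"
        "\xe0\x9d\x1d\x68\xa6\x03\x33\xa8\x82\x46\x7d\x2b\x31\xaa\xfb\x56\xc5"
        "\x7d\x7d\xc6\x26\xe4\x39\x07\x96\xa1\xeb\x48\x27\x46\x69\xab\x13\xf8"
        "\xb1\x1d\x14\x60\x59\xf3\x10\xe2\x63\x4d\x59\x3f\xec\x65\xd5\x29\xf3"
        "\x82\x06\x66\x64\xc0\xfb\x4e\x4c\x90\x57\x0a\x70\x04\x9f\x39\x9f\x06"
        "\x1f\x75\xb7\x79\x7c\xe1\xfe\x11\xea\x91\x96\x09\xd5\x1a\x41\xdd\x3d"
        "\xe3\x04\xbd\x7c\x7e\xd0\xa4\x56\xf0\xae\x12\x2e\x61\x05\xc9\xce\x88"
        "\x7d\xf5\xa6\xe0\xb6\xa7\x7d\x59\x6c\xf8\x8b\xa6\xe5\xc6\x39\x7c\x7d"
        "\x50\x21\xd7\x98\x95\x28\xfd\x17\x39\xe1\xc2\xd8\x7f\xc2\x00\x00\x00"
        "\x30\xe4\xee\x2b\xfc\x7f\x80\x50\x85\x11\x43\xe5\x16\x1a\xcd\x47\x15"
        "\x0a\xcb\xaf\x74\x38\x22\xdf\xe2\x03\xb1\x08\xd3\x7e\x91\x4d\xc1\xe5"
        "\x3e\x23\xcc\x50\x9e\xca\x41\x07\xa1\x71\x2c\xaa\x9d\xa5\x3d\x05\x1c"
        "\x36\x88\x4c\x79\x18\x26\x61\xf3\xca\x36\xbc\xdb\xfb\xbd\x26\x71\x09"
        "\xf8\x31\x9d\x8d\xd5\xc0\x70\x99\xeb\x1b\x11\x03\x06\x55\xf5\x62\x69"
        "\x4f\x61\x74\x3d\x19\x42\x1b\x4a\x19\xef\x8b\x8b\x4c\xe9\xc9\x93\xc7"
        "\xd6\xcb\x30\x0c\x4e\x65\x7a\x4e\x50\xa3\x5b\x5c\xc1\x6b\x8c\x16\x1a"
        "\x8e\x3d\xf9\x03\x6b\xbc\xf2\x8a\xdc\xd1\x9a\x6c\x4c\x29\x17\x09\xae"
        "\xe5\xab\x3e\x5b\xc5\xae\x29\xf4\x75\xe4\xd2\x44\x08\xb5\x16\x7d\x0f"
        "\xaf\x5f\xc1\x56\x6b\x70\x5c\x8b\x60\xaf\xa8\xac\xa4\x2f\x7e\x04\x69"
        "\x18\x8a\x0e\xf0\x62\xca\x18\xe3\x8f\x9e\xe1\x0a\xc7\x7d\x2b\x7e\xb9"
        "\xd6\x0e\xa7\x9f\xdb\x55\x64\x11\xe5\x9d\xfb\xd8\xdb\xb8\xa2\xa6\x62"
        "\x2e\xbc\xf8\x4c\x69\x6f\xa4\xda\x21\xba\xd2\x32\x0d\x0d\x68\xe9\xbf"
        "\x43\x46\xf0\x68\x61\x19\xa3\x9e\x40\x03\x95\xc8\xf2\x82\x5e\xa0\x69"
        "\xae\x0e\x14\x3b\xd1\xa4\x41\x79\xed\x8e\x3c\xea\x0b\x5e\x9a\x19\xcc"
        "\x7f\xfa\x50\x0f\xa4\x1b\x6c\x80\x49\xbd\xe4\x58\x27\xd5\x4e\xc9\x01"
        "\xd2\x7a\xd1\x25\x05\x68\x89\xb3\x33\x6b\x3f\x06\x83\x8c\x5b\x66\x7a"
        "\xe2\x2e\xfe\x3b\xc1\x5b\x82\x5f\x7f\xbc\xe4\x80\x27\x28\x1c\xf9\xfe"
        "\x8f\xc2\x1f\xc7\x7c\x24\x3d\xe2\x67\x05\x31\x0e\xb8\x1c\xf7\x4d\xe0"
        "\x29\x31\x92\xa1\x3f\x6a\xd0\x57\xde\x61\xfd\x8a\xba\x8e\xf4\x43\x9b"
        "\xc0\x6a\x45\xb2\xb0\x31\x62\x51\x5a\x23\x43\x3a\xfe\xb5\x2a\xed\xb5"
        "\xab\x6f\x33\x46\x53\x38\x05\x15\xf7\x79\xf3\x5d\xc8\xa7\x8c\x37\x77"
        "\x24\x92\xe5\xa2\xaf\x05\x23\xd0\x40\xa2\x28\x4c\x21\xd2\x13\x56\xd4"
        "\x73\xf0\x0f\x85\x13\x7c\x7b\xf0\x63\x6f\x75\x7d\x35\x28\x86\x9b\x3f"
        "\x00\x77\x35\xcf\xf8\x5c\x9d\x97\x8b\xf5\x5d\xcc\x26\xd6\x2d\x25\xe3"
        "\x08\xf0\x88\x27\xa9\x1f\xf4\x7b\xec\x92\xf8\xe9\x1e\x79\x08\x66\x54"
        "\x00\xaa\x4e\x39\xb3\x59\x86\x23\x9d\x5c\x7b\x94\x92\xc5\xbb\x26\xbc"
        "\x55\xb5\x5b\x49\xed\x70\x48\x6e\x6e\x7d\xa3\x8c\x20\x84\x50\xf9\xf7"
        "\x9e\x1b\x41\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xae"
        "\x2d\x5b\x5c\x99\xf7\x17\xf0\xa0\x77\x49\x23\x9b\x5d\x08\xf8\xc5\xc0"
        "\xad\x79\x51\xe0\xa7\xc7\xf3\xdb\x8d\xfd\x3f\x86\x57\x25\x8a\x6c\x04"
        "\xf3\x2d\x57\xad\x28\x73\xde\x45\xfa\x98\xb0\xf8\x26\x79\x17\xff\x9b"
        "\xbe\x9c\x0d\x74\xa5\xac\xa2\x06\xfe\x29\xe0\xc1\x03\x9f\x22\x55\x3c"
        "\x27\x47\x42\x5d\x83\x10\x30\x78\x2e\xe7\x8f\x8b\xa3\x5d\xe3\x18\xc5"
        "\x3f\x09\x4f\x92\x5c\xc9\x78\x2e\x94\xb6\xc8\x70\xa4\x87\x67\x8b\xfa"
        "\xe7\x45\xdf\xf2\x68\xbd\xa7\xfd\xec\x87\x3c\xe4\xfb\x4b\x8d\xcb\xa0"
        "\x41\x9b\x30\x44\x9a\xdf\xef\x72\x41\x62\xbf\xb1\x0a\xaf\xcf\xea\x48"
        "\xa6\x7f\xae\x77\x33\xcc\x3a\x7f\x1e\xef\x91\xbe\x52\x85\x21\x5e\xab"
        "\x41\xf6\x7a\x21\xc6\x16\x36\x41\xe4\xdb\xf5\x21\xb0\xe9\x01\x6b\x13"
        "\x92\x70\x0d\xaa\x66\x14\x8e\x6c\x58\x8e\x3d\x93\xf1\xcb",
        1663);
    /* ANYRES32 slots: 0x200000000f80 + 0x67f / 0x683 / 0x687. */
    *(uint32_t*)0x2000000015ff = -1;
    *(uint32_t*)0x200000001603 = 0;
    *(uint32_t*)0x200000001607 = 0;
    syscall(__NR_write, /*fd=*/r[1], /*data=*/0x200000000f80ul, /*size=*/0x667ul);
    break;
  }
}

/*
 * Entry point. Maps a PROT_NONE page just below and just above the 16 MiB
 * RWX scratch region at 0x200000000000 that execute_call() writes its
 * syscall arguments into, applies the kernel knobs, then forks 5 worker
 * processes (procid 0..4) that each run loop() forever while the parent
 * sleeps.
 */
int main(void)
{
  syscall(__NR_mmap, /*addr=*/0x1ffffffff000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul);
  syscall(__NR_mmap, /*addr=*/0x200000000000ul, /*len=*/0x1000000ul, /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul);
  syscall(__NR_mmap, /*addr=*/0x200001000000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul);
  setup_sysctl();
  const char* reason;
  (void)reason;
  for (procid = 0; procid < 5; procid++) {
    if (fork() == 0) {
      loop();
    }
  }
  sleep(1000000);
  return 0;
}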