API tools faq
paste
zzqq0103

Untitled

zzqq0103
Feb 8th, 2025
26
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 51.20 KB | None | 0 0
raw download clone embed print report
  1. #define _GNU_SOURCE
  2.  
  3. #include <endian.h>
  4. #include <errno.h>
  5. #include <fcntl.h>
  6. #include <sched.h>
  7. #include <setjmp.h>
  8. #include <stdbool.h>
  9. #include <stddef.h>
  10. #include <stdint.h>
  11. #include <stdio.h>
  12. #include <stdlib.h>
  13. #include <string.h>
  14. #include <sys/ioctl.h>
  15. #include <sys/mman.h>
  16. #include <sys/mount.h>
  17. #include <sys/stat.h>
  18. #include <sys/syscall.h>
  19. #include <sys/types.h>
  20. #include <unistd.h>
  21.  
  22. #include <linux/loop.h>
  23.  
  24. #ifndef __NR_memfd_create
  25. #define __NR_memfd_create 319
  26. #endif
  27.  
  28. static unsigned long long procid;
  29.  
  30. #define BITMASK(bf_off, bf_len) (((1ull << (bf_len)) - 1) << (bf_off))
  31. #define STORE_BY_BITMASK(type, htobe, addr, val, bf_off, bf_len) \
  32. *(type*)(addr) = \
  33. htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | \
  34. (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len))))
  35.  
  36. static long syz_open_dev(volatile long a0, volatile long a1, volatile long a2)
  37. {
  38. if (a0 == 0xc || a0 == 0xb) {
  39. char buf[128];
  40. sprintf(buf, "/dev/%s/%d:%d", a0 == 0xc ? "char" : "block", (uint8_t)a1,
  41. (uint8_t)a2);
  42. return open(buf, O_RDWR, 0);
  43. } else {
  44. char buf[1024];
  45. char* hash;
  46. strncpy(buf, (char*)a0, sizeof(buf) - 1);
  47. buf[sizeof(buf) - 1] = 0;
  48. while ((hash = strchr(buf, '#'))) {
  49. *hash = '0' + (char)(a1 % 10);
  50. a1 /= 10;
  51. }
  52. return open(buf, a2, 0);
  53. }
  54. }
  55.  
  56. //% This code is derived from puff.{c,h}, found in the zlib development. The
  57. //% original files come with the following copyright notice:
  58.  
  59. //% Copyright (C) 2002-2013 Mark Adler, all rights reserved
  60. //% version 2.3, 21 Jan 2013
  61. //% This software is provided 'as-is', without any express or implied
  62. //% warranty. In no event will the author be held liable for any damages
  63. //% arising from the use of this software.
  64. //% Permission is granted to anyone to use this software for any purpose,
  65. //% including commercial applications, and to alter it and redistribute it
  66. //% freely, subject to the following restrictions:
  67. //% 1. The origin of this software must not be misrepresented; you must not
  68. //% claim that you wrote the original software. If you use this software
  69. //% in a product, an acknowledgment in the product documentation would be
  70. //% appreciated but is not required.
  71. //% 2. Altered source versions must be plainly marked as such, and must not be
  72. //% misrepresented as being the original software.
  73. //% 3. This notice may not be removed or altered from any source distribution.
  74. //% Mark Adler [email protected]
  75.  
  76. //% BEGIN CODE DERIVED FROM puff.{c,h}
  77.  
  78. #define MAXBITS 15
  79. #define MAXLCODES 286
  80. #define MAXDCODES 30
  81. #define MAXCODES (MAXLCODES + MAXDCODES)
  82. #define FIXLCODES 288
  83.  
  84. struct puff_state {
  85. unsigned char* out;
  86. unsigned long outlen;
  87. unsigned long outcnt;
  88. const unsigned char* in;
  89. unsigned long inlen;
  90. unsigned long incnt;
  91. int bitbuf;
  92. int bitcnt;
  93. jmp_buf env;
  94. };
  95. static int puff_bits(struct puff_state* s, int need)
  96. {
  97. long val = s->bitbuf;
  98. while (s->bitcnt < need) {
  99. if (s->incnt == s->inlen)
  100. longjmp(s->env, 1);
  101. val |= (long)(s->in[s->incnt++]) << s->bitcnt;
  102. s->bitcnt += 8;
  103. }
  104. s->bitbuf = (int)(val >> need);
  105. s->bitcnt -= need;
  106. return (int)(val & ((1L << need) - 1));
  107. }
  108. static int puff_stored(struct puff_state* s)
  109. {
  110. s->bitbuf = 0;
  111. s->bitcnt = 0;
  112. if (s->incnt + 4 > s->inlen)
  113. return 2;
  114. unsigned len = s->in[s->incnt++];
  115. len |= s->in[s->incnt++] << 8;
  116. if (s->in[s->incnt++] != (~len & 0xff) ||
  117. s->in[s->incnt++] != ((~len >> 8) & 0xff))
  118. return -2;
  119. if (s->incnt + len > s->inlen)
  120. return 2;
  121. if (s->outcnt + len > s->outlen)
  122. return 1;
  123. for (; len--; s->outcnt++, s->incnt++) {
  124. if (s->in[s->incnt])
  125. s->out[s->outcnt] = s->in[s->incnt];
  126. }
  127. return 0;
  128. }
  129. struct puff_huffman {
  130. short* count;
  131. short* symbol;
  132. };
  133. static int puff_decode(struct puff_state* s, const struct puff_huffman* h)
  134. {
  135. int first = 0;
  136. int index = 0;
  137. int bitbuf = s->bitbuf;
  138. int left = s->bitcnt;
  139. int code = first = index = 0;
  140. int len = 1;
  141. short* next = h->count + 1;
  142. while (1) {
  143. while (left--) {
  144. code |= bitbuf & 1;
  145. bitbuf >>= 1;
  146. int count = *next++;
  147. if (code - count < first) {
  148. s->bitbuf = bitbuf;
  149. s->bitcnt = (s->bitcnt - len) & 7;
  150. return h->symbol[index + (code - first)];
  151. }
  152. index += count;
  153. first += count;
  154. first <<= 1;
  155. code <<= 1;
  156. len++;
  157. }
  158. left = (MAXBITS + 1) - len;
  159. if (left == 0)
  160. break;
  161. if (s->incnt == s->inlen)
  162. longjmp(s->env, 1);
  163. bitbuf = s->in[s->incnt++];
  164. if (left > 8)
  165. left = 8;
  166. }
  167. return -10;
  168. }
  169. static int puff_construct(struct puff_huffman* h, const short* length, int n)
  170. {
  171. int len;
  172. for (len = 0; len <= MAXBITS; len++)
  173. h->count[len] = 0;
  174. int symbol;
  175. for (symbol = 0; symbol < n; symbol++)
  176. (h->count[length[symbol]])++;
  177. if (h->count[0] == n)
  178. return 0;
  179. int left = 1;
  180. for (len = 1; len <= MAXBITS; len++) {
  181. left <<= 1;
  182. left -= h->count[len];
  183. if (left < 0)
  184. return left;
  185. }
  186. short offs[MAXBITS + 1];
  187. offs[1] = 0;
  188. for (len = 1; len < MAXBITS; len++)
  189. offs[len + 1] = offs[len] + h->count[len];
  190. for (symbol = 0; symbol < n; symbol++)
  191. if (length[symbol] != 0)
  192. h->symbol[offs[length[symbol]]++] = symbol;
  193. return left;
  194. }
  195. static int puff_codes(struct puff_state* s, const struct puff_huffman* lencode,
  196. const struct puff_huffman* distcode)
  197. {
  198. static const short lens[29] = {3, 4, 5, 6, 7, 8, 9, 10, 11, 13,
  199. 15, 17, 19, 23, 27, 31, 35, 43, 51, 59,
  200. 67, 83, 99, 115, 131, 163, 195, 227, 258};
  201. static const short lext[29] = {0, 0, 0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 2, 2, 2,
  202. 2, 3, 3, 3, 3, 4, 4, 4, 4, 5, 5, 5, 5, 0};
  203. static const short dists[30] = {
  204. 1, 2, 3, 4, 5, 7, 9, 13, 17, 25,
  205. 33, 49, 65, 97, 129, 193, 257, 385, 513, 769,
  206. 1025, 1537, 2049, 3073, 4097, 6145, 8193, 12289, 16385, 24577};
  207. static const short dext[30] = {0, 0, 0, 0, 1, 1, 2, 2, 3, 3,
  208. 4, 4, 5, 5, 6, 6, 7, 7, 8, 8,
  209. 9, 9, 10, 10, 11, 11, 12, 12, 13, 13};
  210. int symbol;
  211. do {
  212. symbol = puff_decode(s, lencode);
  213. if (symbol < 0)
  214. return symbol;
  215. if (symbol < 256) {
  216. if (s->outcnt == s->outlen)
  217. return 1;
  218. if (symbol)
  219. s->out[s->outcnt] = symbol;
  220. s->outcnt++;
  221. } else if (symbol > 256) {
  222. symbol -= 257;
  223. if (symbol >= 29)
  224. return -10;
  225. int len = lens[symbol] + puff_bits(s, lext[symbol]);
  226. symbol = puff_decode(s, distcode);
  227. if (symbol < 0)
  228. return symbol;
  229. unsigned dist = dists[symbol] + puff_bits(s, dext[symbol]);
  230. if (dist > s->outcnt)
  231. return -11;
  232. if (s->outcnt + len > s->outlen)
  233. return 1;
  234. while (len--) {
  235. if (dist <= s->outcnt && s->out[s->outcnt - dist])
  236. s->out[s->outcnt] = s->out[s->outcnt - dist];
  237. s->outcnt++;
  238. }
  239. }
  240. } while (symbol != 256);
  241. return 0;
  242. }
  243. static int puff_fixed(struct puff_state* s)
  244. {
  245. static int virgin = 1;
  246. static short lencnt[MAXBITS + 1], lensym[FIXLCODES];
  247. static short distcnt[MAXBITS + 1], distsym[MAXDCODES];
  248. static struct puff_huffman lencode, distcode;
  249. if (virgin) {
  250. lencode.count = lencnt;
  251. lencode.symbol = lensym;
  252. distcode.count = distcnt;
  253. distcode.symbol = distsym;
  254. short lengths[FIXLCODES];
  255. int symbol;
  256. for (symbol = 0; symbol < 144; symbol++)
  257. lengths[symbol] = 8;
  258. for (; symbol < 256; symbol++)
  259. lengths[symbol] = 9;
  260. for (; symbol < 280; symbol++)
  261. lengths[symbol] = 7;
  262. for (; symbol < FIXLCODES; symbol++)
  263. lengths[symbol] = 8;
  264. puff_construct(&lencode, lengths, FIXLCODES);
  265. for (symbol = 0; symbol < MAXDCODES; symbol++)
  266. lengths[symbol] = 5;
  267. puff_construct(&distcode, lengths, MAXDCODES);
  268. virgin = 0;
  269. }
  270. return puff_codes(s, &lencode, &distcode);
  271. }
  272. static int puff_dynamic(struct puff_state* s)
  273. {
  274. static const short order[19] = {16, 17, 18, 0, 8, 7, 9, 6, 10, 5,
  275. 11, 4, 12, 3, 13, 2, 14, 1, 15};
  276. int nlen = puff_bits(s, 5) + 257;
  277. int ndist = puff_bits(s, 5) + 1;
  278. int ncode = puff_bits(s, 4) + 4;
  279. if (nlen > MAXLCODES || ndist > MAXDCODES)
  280. return -3;
  281. short lengths[MAXCODES];
  282. int index;
  283. for (index = 0; index < ncode; index++)
  284. lengths[order[index]] = puff_bits(s, 3);
  285. for (; index < 19; index++)
  286. lengths[order[index]] = 0;
  287. short lencnt[MAXBITS + 1], lensym[MAXLCODES];
  288. struct puff_huffman lencode = {lencnt, lensym};
  289. int err = puff_construct(&lencode, lengths, 19);
  290. if (err != 0)
  291. return -4;
  292. index = 0;
  293. while (index < nlen + ndist) {
  294. int symbol;
  295. int len;
  296. symbol = puff_decode(s, &lencode);
  297. if (symbol < 0)
  298. return symbol;
  299. if (symbol < 16)
  300. lengths[index++] = symbol;
  301. else {
  302. len = 0;
  303. if (symbol == 16) {
  304. if (index == 0)
  305. return -5;
  306. len = lengths[index - 1];
  307. symbol = 3 + puff_bits(s, 2);
  308. } else if (symbol == 17)
  309. symbol = 3 + puff_bits(s, 3);
  310. else
  311. symbol = 11 + puff_bits(s, 7);
  312. if (index + symbol > nlen + ndist)
  313. return -6;
  314. while (symbol--)
  315. lengths[index++] = len;
  316. }
  317. }
  318. if (lengths[256] == 0)
  319. return -9;
  320. err = puff_construct(&lencode, lengths, nlen);
  321. if (err && (err < 0 || nlen != lencode.count[0] + lencode.count[1]))
  322. return -7;
  323. short distcnt[MAXBITS + 1], distsym[MAXDCODES];
  324. struct puff_huffman distcode = {distcnt, distsym};
  325. err = puff_construct(&distcode, lengths + nlen, ndist);
  326. if (err && (err < 0 || ndist != distcode.count[0] + distcode.count[1]))
  327. return -8;
  328. return puff_codes(s, &lencode, &distcode);
  329. }
  330. static int puff(unsigned char* dest, unsigned long* destlen,
  331. const unsigned char* source, unsigned long sourcelen)
  332. {
  333. struct puff_state s = {
  334. .out = dest,
  335. .outlen = *destlen,
  336. .outcnt = 0,
  337. .in = source,
  338. .inlen = sourcelen,
  339. .incnt = 0,
  340. .bitbuf = 0,
  341. .bitcnt = 0,
  342. };
  343. int err;
  344. if (setjmp(s.env) != 0)
  345. err = 2;
  346. else {
  347. int last;
  348. do {
  349. last = puff_bits(&s, 1);
  350. int type = puff_bits(&s, 2);
  351. err = type == 0 ? puff_stored(&s)
  352. : (type == 1 ? puff_fixed(&s)
  353. : (type == 2 ? puff_dynamic(&s) : -1));
  354. if (err != 0)
  355. break;
  356. } while (!last);
  357. }
  358. *destlen = s.outcnt;
  359. return err;
  360. }
  361.  
  362. //% END CODE DERIVED FROM puff.{c,h}
  363.  
  364. #define ZLIB_HEADER_WIDTH 2
  365.  
  366. static int puff_zlib_to_file(const unsigned char* source,
  367. unsigned long sourcelen, int dest_fd)
  368. {
  369. if (sourcelen < ZLIB_HEADER_WIDTH)
  370. return 0;
  371. source += ZLIB_HEADER_WIDTH;
  372. sourcelen -= ZLIB_HEADER_WIDTH;
  373. const unsigned long max_destlen = 132 << 20;
  374. void* ret = mmap(0, max_destlen, PROT_WRITE | PROT_READ,
  375. MAP_PRIVATE | MAP_ANON, -1, 0);
  376. if (ret == MAP_FAILED)
  377. return -1;
  378. unsigned char* dest = (unsigned char*)ret;
  379. unsigned long destlen = max_destlen;
  380. int err = puff(dest, &destlen, source, sourcelen);
  381. if (err) {
  382. munmap(dest, max_destlen);
  383. errno = -err;
  384. return -1;
  385. }
  386. if (write(dest_fd, dest, destlen) != (ssize_t)destlen) {
  387. munmap(dest, max_destlen);
  388. return -1;
  389. }
  390. return munmap(dest, max_destlen);
  391. }
  392.  
  393. static int setup_loop_device(unsigned char* data, unsigned long size,
  394. const char* loopname, int* loopfd_p)
  395. {
  396. int err = 0, loopfd = -1;
  397. int memfd = syscall(__NR_memfd_create, "syzkaller", 0);
  398. if (memfd == -1) {
  399. err = errno;
  400. goto error;
  401. }
  402. if (puff_zlib_to_file(data, size, memfd)) {
  403. err = errno;
  404. goto error_close_memfd;
  405. }
  406. loopfd = open(loopname, O_RDWR);
  407. if (loopfd == -1) {
  408. err = errno;
  409. goto error_close_memfd;
  410. }
  411. if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
  412. if (errno != EBUSY) {
  413. err = errno;
  414. goto error_close_loop;
  415. }
  416. ioctl(loopfd, LOOP_CLR_FD, 0);
  417. usleep(1000);
  418. if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
  419. err = errno;
  420. goto error_close_loop;
  421. }
  422. }
  423. close(memfd);
  424. *loopfd_p = loopfd;
  425. return 0;
  426.  
  427. error_close_loop:
  428. close(loopfd);
  429. error_close_memfd:
  430. close(memfd);
  431. error:
  432. errno = err;
  433. return -1;
  434. }
  435.  
  436. static void reset_loop_device(const char* loopname)
  437. {
  438. int loopfd = open(loopname, O_RDWR);
  439. if (loopfd == -1) {
  440. return;
  441. }
  442. if (ioctl(loopfd, LOOP_CLR_FD, 0)) {
  443. }
  444. close(loopfd);
  445. }
  446.  
  447. static long syz_mount_image(volatile long fsarg, volatile long dir,
  448. volatile long flags, volatile long optsarg,
  449. volatile long change_dir,
  450. volatile unsigned long size, volatile long image)
  451. {
  452. unsigned char* data = (unsigned char*)image;
  453. int res = -1, err = 0, need_loop_device = !!size;
  454. char* mount_opts = (char*)optsarg;
  455. char* target = (char*)dir;
  456. char* fs = (char*)fsarg;
  457. char* source = NULL;
  458. char loopname[64];
  459. if (need_loop_device) {
  460. int loopfd;
  461. memset(loopname, 0, sizeof(loopname));
  462. snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid);
  463. if (setup_loop_device(data, size, loopname, &loopfd) == -1)
  464. return -1;
  465. close(loopfd);
  466. source = loopname;
  467. }
  468. mkdir(target, 0777);
  469. char opts[256];
  470. memset(opts, 0, sizeof(opts));
  471. if (strlen(mount_opts) > (sizeof(opts) - 32)) {
  472. }
  473. strncpy(opts, mount_opts, sizeof(opts) - 32);
  474. if (strcmp(fs, "iso9660") == 0) {
  475. flags |= MS_RDONLY;
  476. } else if (strncmp(fs, "ext", 3) == 0) {
  477. bool has_remount_ro = false;
  478. char* remount_ro_start = strstr(opts, "errors=remount-ro");
  479. if (remount_ro_start != NULL) {
  480. char after = *(remount_ro_start + strlen("errors=remount-ro"));
  481. char before = remount_ro_start == opts ? '\0' : *(remount_ro_start - 1);
  482. has_remount_ro = ((before == '\0' || before == ',') &&
  483. (after == '\0' || after == ','));
  484. }
  485. if (strstr(opts, "errors=panic") || !has_remount_ro)
  486. strcat(opts, ",errors=continue");
  487. } else if (strcmp(fs, "xfs") == 0) {
  488. strcat(opts, ",nouuid");
  489. }
  490. res = mount(source, target, fs, flags, opts);
  491. if (res == -1) {
  492. err = errno;
  493. goto error_clear_loop;
  494. }
  495. res = open(target, O_RDONLY | O_DIRECTORY);
  496. if (res == -1) {
  497. err = errno;
  498. goto error_clear_loop;
  499. }
  500. if (change_dir) {
  501. res = chdir(target);
  502. if (res == -1) {
  503. err = errno;
  504. }
  505. }
  506.  
  507. error_clear_loop:
  508. if (need_loop_device)
  509. reset_loop_device(loopname);
  510. errno = err;
  511. return res;
  512. }
  513.  
  514. #define USLEEP_FORKED_CHILD (3 * 50 * 1000)
  515.  
  516. static long handle_clone_ret(long ret)
  517. {
  518. if (ret != 0) {
  519. return ret;
  520. }
  521. usleep(USLEEP_FORKED_CHILD);
  522. syscall(__NR_exit, 0);
  523. while (1) {
  524. }
  525. }
  526.  
  527. static long syz_clone(volatile long flags, volatile long stack,
  528. volatile long stack_len, volatile long ptid,
  529. volatile long ctid, volatile long tls)
  530. {
  531. long sp = (stack + stack_len) & ~15;
  532. long ret = (long)syscall(__NR_clone, flags & ~CLONE_VM, sp, ptid, ctid, tls);
  533. return handle_clone_ret(ret);
  534. }
  535.  
  536. uint64_t r[11] = {0xffffffffffffffff,
  537. 0xffffffffffffffff,
  538. 0x0,
  539. 0xffffffffffffffff,
  540. 0xffffffffffffffff,
  541. 0x0,
  542. 0xffffffffffffffff,
  543. 0xffffffffffffffff,
  544. 0xffffffffffffffff,
  545. 0x0,
  546. 0xffffffffffffffff};
  547.  
  548. int main(void)
  549. {
  550. syscall(__NR_mmap, /*addr=*/0x1ffff000ul, /*len=*/0x1000ul, /*prot=*/0ul,
  551. /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1,
  552. /*offset=*/0ul);
  553. syscall(__NR_mmap, /*addr=*/0x20000000ul, /*len=*/0x1000000ul,
  554. /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul,
  555. /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1,
  556. /*offset=*/0ul);
  557. syscall(__NR_mmap, /*addr=*/0x21000000ul, /*len=*/0x1000ul, /*prot=*/0ul,
  558. /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1,
  559. /*offset=*/0ul);
  560. intptr_t res = 0;
  561. *(uint32_t*)0x2001d000 = 0;
  562. *(uint32_t*)0x2001d004 = 0x80;
  563. *(uint8_t*)0x2001d008 = 2;
  564. *(uint8_t*)0x2001d009 = 0;
  565. *(uint8_t*)0x2001d00a = 0;
  566. *(uint8_t*)0x2001d00b = 0;
  567. *(uint32_t*)0x2001d00c = 0;
  568. *(uint64_t*)0x2001d010 = 0x18a;
  569. *(uint64_t*)0x2001d018 = 0;
  570. *(uint64_t*)0x2001d020 = 0;
  571. STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 0, 1);
  572. STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 1, 1);
  573. STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 2, 1);
  574. STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 3, 1);
  575. STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 4, 1);
  576. STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 5, 1);
  577. STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 6, 1);
  578. STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 7, 1);
  579. STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 8, 1);
  580. STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 9, 1);
  581. STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 10, 1);
  582. STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 11, 1);
  583. STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 12, 1);
  584. STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 13, 1);
  585. STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 14, 1);
  586. STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 15, 2);
  587. STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 17, 1);
  588. STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 18, 1);
  589. STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 19, 1);
  590. STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 20, 1);
  591. STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 21, 1);
  592. STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 22, 1);
  593. STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 23, 1);
  594. STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 24, 1);
  595. STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 25, 1);
  596. STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 26, 1);
  597. STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 27, 1);
  598. STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 28, 1);
  599. STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 29, 1);
  600. STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 30, 1);
  601. STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 31, 1);
  602. STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 32, 1);
  603. STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 33, 1);
  604. STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 34, 1);
  605. STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 35, 1);
  606. STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 36, 1);
  607. STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 37, 1);
  608. STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 38, 26);
  609. *(uint32_t*)0x2001d030 = 0;
  610. *(uint32_t*)0x2001d034 = 0;
  611. *(uint64_t*)0x2001d038 = 3;
  612. *(uint64_t*)0x2001d040 = 0;
  613. *(uint64_t*)0x2001d048 = 0;
  614. *(uint64_t*)0x2001d050 = 0;
  615. *(uint32_t*)0x2001d058 = 0;
  616. *(uint32_t*)0x2001d05c = 4;
  617. *(uint64_t*)0x2001d060 = 0;
  618. *(uint32_t*)0x2001d068 = 0;
  619. *(uint16_t*)0x2001d06c = 0;
  620. *(uint16_t*)0x2001d06e = 0;
  621. *(uint32_t*)0x2001d070 = 0;
  622. *(uint32_t*)0x2001d074 = 0;
  623. *(uint64_t*)0x2001d078 = 0;
  624. res = syscall(__NR_perf_event_open, /*attr=*/0x2001d000ul, /*pid=*/0,
  625. /*cpu=*/-1, /*group=*/-1, /*flags=*/0ul);
  626. if (res != -1)
  627. r[0] = res;
  628. memcpy((void*)0x20000080, "ext4\000", 5);
  629. memcpy((void*)0x20000500, "./file1\000", 8);
  630. memcpy((void*)0x20000240,
  631. "errors=remount-ro,grpquota,dioread_lock,debug,noauto_da_alloc,"
  632. "barrier,barrier,init_itable=0x0,usrquota,\000",
  633. 104);
  634. memcpy(
  635. (void*)0x20000ec0,
  636. "\x78\x9c\xec\xdd\x51\x6b\x5c\x59\x1d\x00\xf0\xff\xbd\xc9\xd4\xb4\x4d\x4d"
  637. "\xaa\x3e\xd4\x82\xb5\xd8\x4a\x5a\xb4\x33\x49\x63\xdb\xe0\x43\xad\x20\xf6"
  638. "\xa9\xa0\xd6\xf7\x1a\x93\x49\x08\x99\x64\x42\x66\xd2\x26\xa1\x48\x8a\x1f"
  639. "\x40\x10\x51\xc1\x27\x9f\x7c\x11\xfc\x00\x82\xf4\x23\x88\x50\xd0\x77\xd9"
  640. "\x5d\x76\x59\x76\xdb\xdd\x87\x7d\xd8\xdd\x59\x66\xe6\x4e\xb7\xcd\xce\x34"
  641. "\x09\x9d\xe4\x2e\xc9\xef\x07\x27\xf7\x9c\x7b\xef\xcc\xff\x7f\x12\xe6\xce"
  642. "\x3d\xf7\x9e\xcc\x04\x70\x64\x9d\x8f\x88\x5b\x11\x31\x10\x11\x97\x23\x62"
  643. "\x24\x5b\x9f\x66\xe5\x76\xb3\xb1\xd5\xde\xef\xd9\xd3\x87\x33\xcd\x92\x44"
  644. "\xa3\x71\xf7\xbd\x24\x92\x6c\x5d\xe7\xb9\x92\x6c\x79\xb2\xfd\x90\x18\x8a"
  645. "\x88\x5f\xdc\x8e\xf8\x75\xf2\xc5\xb8\xb5\x8d\xcd\xc5\xe9\x4a\xa5\xbc\x9a"
  646. "\xb5\x4b\xf5\xa5\x95\x52\x6d\x63\xf3\xca\xc2\xd2\xf4\x7c\x79\xbe\xbc\x3c"
  647. "\x39\x39\x71\x7d\xea\xc6\xd4\xb5\xa9\xf1\xbe\xf4\x73\x34\x22\x6e\xfe\xe4"
  648. "\xad\x3f\xfe\xee\x6f\x3f\xbd\xf9\xaf\xef\x3f\xf8\xff\xbd\x77\x2e\xfd\xa6"
  649. "\x99\xd6\x70\xb6\xfd\xc5\x7e\xf4\x53\xbb\xeb\x85\xd6\xef\xa2\x63\x30\x22"
  650. "\x56\xf7\x23\x58\x0e\x06\xb2\x65\x21\xe7\x3c\x00\x00\xd8\x9d\xe6\x39\xfe"
  651. "\xd7\x22\xe2\x3b\xad\xf3\xff\x91\x18\x68\x9d\x9d\x02\x00\x00\x00\x87\x49"
  652. "\xe3\x47\xc3\xf1\x71\x12\xd1\x00\x00\x00\x00\x0e\xad\xb4\x35\x07\x36\x49"
  653. "\x8b\xd9\x5c\x80\xe1\x48\xd3\x62\xb1\x3d\x87\xf7\x1b\x71\x22\xad\x54\x6b"
  654. "\xf5\xef\xcd\x55\xd7\x96\x67\xdb\x73\x65\x47\xa3\x90\xce\x2d\x54\xca\xe3"
  655. "\xd9\x5c\xe1\xd1\x28\x24\xcd\xf6\x44\x36\xc7\xb6\xd3\xbe\xba\xad\x3d\x19"
  656. "\x11\xa7\x23\xe2\x0f\x23\xc7\x5b\xed\xe2\x4c\xb5\x32\x9b\xf7\xc5\x0f\x00"
  657. "\x00\x00\x38\x22\x4e\x6e\x1b\xff\x7f\x38\xd2\x1e\xff\x03\x00\x00\x00\x87"
  658. "\xcc\x68\xde\x09\x00\x00\x00\x00\xfb\xce\xf8\x1f\x00\x00\x00\x0e\x3f\xe3"
  659. "\x7f\x00\x00\x00\x38\xd4\x7e\x76\xe7\x4e\xb3\x34\x3a\xdf\x7f\x3d\x7b\x7f"
  660. "\x63\x6d\xb1\x7a\xff\xca\x6c\xb9\xb6\x58\x5c\x5a\x9b\x29\xce\x54\x57\x57"
  661. "\x8a\xf3\xd5\xea\x7c\xeb\x33\xfb\x96\x76\x7a\xbe\x4a\xb5\xba\xf2\x83\x58"
  662. "\x5e\x5b\x2f\xd5\xcb\xb5\x7a\xa9\xb6\xb1\x79\x6f\xa9\xba\xb6\x5c\xbf\xb7"
  663. "\xf0\xd2\x57\x60\x03\x00\x00\x00\x07\xe8\xf4\xb7\x1f\xff\x2f\x89\x88\xad"
  664. "\x1f\x1e\x6f\x95\xa6\x63\x79\x27\x05\x1c\x88\x64\x2f\x3b\xbf\xb9\x7f\x79"
  665. "\x00\x07\x6f\x20\xef\x04\x80\xdc\x0c\xe6\x9d\x00\x90\x9b\x42\xde\x09\x00"
  666. "\xb9\xdb\xe9\x3a\x40\xcf\xc9\x3b\xff\xee\x7f\x2e\x00\x00\xc0\xfe\x18\xfb"
  667. "\x66\xef\xfb\xff\xae\x0d\xc0\xe1\x96\xe6\x9d\x00\x00\x70\xe0\xdc\xff\x87"
  668. "\xa3\xab\x60\x06\x20\x1c\x79\x5f\xdd\x61\xfb\xeb\xdf\xff\x6f\x34\xf6\x94"
  669. "\x10\x00\x00\xd0\x77\xc3\xad\x92\xa4\xc5\xec\x5e\xe0\x70\xa4\x69\xb1\x18"
  670. "\x71\xaa\xf5\xb5\x00\x85\x64\x6e\xa1\x52\x1e\xcf\xc6\x07\xff\x1d\x29\x7c"
  671. "\xa5\xd9\x9e\x68\x3d\x32\xd9\xdb\xff\x0e\x03\x00\x00\x00\x00\x00\x00\x00"
  672. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xc0\x11\xd6\x68\x24\xd1\xd8"
  673. "\x93\x18\xda\xdb\xfe\x00\x00\x00\x40\xde\x22\xd2\xb7\x93\xd6\xa7\xf9\x47"
  674. "\x8c\x8d\x5c\x1c\xde\x7e\x7d\xe0\x58\xf2\xd1\x48\x6b\x19\x11\x0f\xfe\x72"
  675. "\xf7\x4f\xeb\xd3\xf5\xfa\xea\x44\x73\xfd\xfb\xcf\xd7\xd7\xff\x9c\xad\xbf"
  676. "\x9a\xc7\x15\x0c\x00\x00\x00\x60\xbb\xce\x38\x7d\x3d\xcd\x3b\x13\x00\x00"
  677. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  678. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  679. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0e"
  680. "\xa3\x67\x4f\x1f\xce\x74\xca\x41\xc6\x7d\xf7\xc7\x11\x31\xda\x2d\xfe\x60"
  681. "\x0c\xb5\x96\x43\x51\x88\x88\x13\x1f\x24\x31\xf8\xc2\xe3\x92\x88\x18\xe8"
  682. "\x43\xfc\xad\x47\x11\x71\xa6\x5b\xfc\xa4\x99\x56\x8c\x66\x59\x74\x8b\x7f"
  683. "\x3c\xc7\xf8\x69\x44\x9c\xec\x43\x7c\x38\xca\x1e\x37\x8f\x3f\xb7\xba\xbd"
  684. "\xfe\xd2\x38\xdf\x5a\x76\x7f\xfd\x0d\x66\xe5\x75\xf5\x3e\xfe\xa5\xcf\x8f"
  685. "\x7f\x03\x3d\x8e\x3f\xa7\x76\x19\xe3\xec\x93\x7f\x94\x7a\xc6\x7f\x14\x71"
  686. "\x76\xb0\xfb\xf1\xa7\x13\x3f\xe9\x11\xff\xc2\x2e\xe3\xff\xea\x97\x9b\x9b"
  687. "\xbd\xb6\x35\xfe\x1a\x31\xd6\xf5\xfd\x27\x79\x29\x56\xa9\xbe\xb4\x52\xaa"
  688. "\x6d\x6c\x5e\x59\x58\x9a\x9e\x2f\xcf\x97\x97\x27\x27\x27\xae\x4f\xdd\x98"
  689. "\xba\x36\x35\x5e\x9a\x5b\xa8\x94\xb3\x9f\x5d\x63\xfc\xfe\x5b\xff\xfc\xf4"
  690. "\x55\xfd\x3f\xd1\x23\xfe\xe8\x0e\xfd\xbf\xb8\xcb\xfe\x7f\xf2\x64\xfd\xe9"
  691. "\xd7\xdb\xd5\x42\xb7\xf8\x97\x2e\x74\x7f\xff\x3d\xd3\x23\x7e\x9a\xbd\xf7"
  692. "\x7d\x37\xab\x37\xb7\x8f\x75\xea\x5b\xed\xfa\x8b\xce\xfd\xfd\x3f\xe7\x5e"
  693. "\xd5\xff\xd9\x1e\xfd\xdf\xe9\xef\x7f\x69\x97\xfd\xbf\xfc\xf3\xdf\xbe\xb1"
  694. "\xcb\x5d\x01\x80\x03\x50\xdb\xd8\x5c\x9c\xae\x54\xca\xab\x39\x57\x86\xbe"
  695. "\x1c\x69\xa8\xa8\xa8\xb4\x2a\x79\x1f\x99\x00\x00\x80\x7e\xfb\xfc\xa4\x3f"
  696. "\xef\x4c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xe0"
  697. "\xe8\xea\xeb\x67\x86\xa5\xd1\x75\xd3\xf6\x98\x5b\xf9\x74\x15\x00\x00\x00"
  698. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  699. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  700. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  701. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  702. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  703. "\x00\xe0\x95\x3e\x0b\x00\x00\xff\xff\x7b\x39\xcf\xc6",
  704. 1219);
  705. syz_mount_image(/*fs=*/0x20000080, /*dir=*/0x20000500, /*flags=MS_NOSUID*/ 2,
  706. /*opts=*/0x20000240, /*chdir=*/0x12, /*size=*/0x4c3,
  707. /*img=*/0x20000ec0);
  708. memcpy((void*)0x20000000, "/dev/snd/seq\000", 13);
  709. syscall(__NR_openat, /*fd=*/0xffffffffffffff9cul, /*file=*/0x20000000ul,
  710. /*flags=O_NOFOLLOW*/ 0x20000ul, 0);
  711. memcpy((void*)0x20000000, "/dev/snd/seq\000", 13);
  712. res = syscall(__NR_openat, /*fd=*/0xffffffffffffff9cul, /*file=*/0x20000000ul,
  713. /*flags=O_NOFOLLOW*/ 0x20000ul, 0);
  714. if (res != -1)
  715. r[1] = res;
  716. syz_open_dev(/*dev=*/0xc, /*major=*/4, /*minor=*/0x15);
  717. syscall(__NR_ioctl, /*fd=*/-1, /*cmd=*/0x4b34, /*arg=*/0x20ul);
  718. *(uint8_t*)0x200002c0 = 0;
  719. *(uint8_t*)0x200002c1 = 0x1f;
  720. *(uint8_t*)0x200002c2 = 1;
  721. *(uint8_t*)0x200002c3 = 1;
  722. *(uint32_t*)0x200002c4 = 0xfffffff8;
  723. *(uint32_t*)0x200002c8 = -1;
  724. *(uint8_t*)0x200002cc = 0x60;
  725. *(uint8_t*)0x200002cd = 3;
  726. *(uint8_t*)0x200002ce = 1;
  727. *(uint8_t*)0x200002cf = 6;
  728. *(uint32_t*)0x200002d0 = 0x400;
  729. *(uint32_t*)0x200002d4 = 0x800;
  730. *(uint32_t*)0x200002d8 = 0xfffff707;
  731. *(uint8_t*)0x200002dc = 7;
  732. *(uint8_t*)0x200002dd = 0x40;
  733. *(uint8_t*)0x200002de = 9;
  734. *(uint8_t*)0x200002df = 0x87;
  735. *(uint32_t*)0x200002e0 = 0x200;
  736. *(uint32_t*)0x200002e4 = 0x87;
  737. *(uint8_t*)0x200002e8 = 1;
  738. *(uint8_t*)0x200002e9 = 0xfd;
  739. *(uint8_t*)0x200002ea = 2;
  740. *(uint8_t*)0x200002eb = 9;
  741. *(uint8_t*)0x200002ec = 0xb8;
  742. *(uint32_t*)0x200002f0 = 4;
  743. *(uint32_t*)0x200002f4 = 3;
  744. *(uint8_t*)0x200002f8 = 0x3f;
  745. *(uint8_t*)0x200002f9 = 0xe0;
  746. *(uint8_t*)0x200002fa = 0x14;
  747. *(uint8_t*)0x200002fb = 0xca;
  748. *(uint32_t*)0x200002fc = 0xcb55;
  749. *(uint32_t*)0x20000300 = 2;
  750. *(uint8_t*)0x20000304 = 7;
  751. *(uint8_t*)0x20000305 = 0x1f;
  752. *(uint8_t*)0x20000306 = 0x7f;
  753. *(uint8_t*)0x20000307 = 7;
  754. *(uint8_t*)0x20000308 = 3;
  755. *(uint8_t*)0x20000309 = 8;
  756. syscall(__NR_write, /*fd=*/r[1], /*data=*/0x200002c0ul, /*len=*/0x54ul);
  757. *(uint64_t*)0x20000400 = 0x7f;
  758. syscall(__NR_ioctl, /*fd=*/r[1], /*cmd=*/0x40089413, /*arg=*/0x20000400ul);
  759. res = -1;
  760. res = syz_clone(/*flags=*/0, /*stack=*/0, /*stack_len=*/0, /*parentid=*/0,
  761. /*childtid=*/0, /*tls=*/0);
  762. if (res != -1)
  763. r[2] = res;
  764. syscall(__NR_ftruncate, /*fd=*/-1, /*len=*/1ul);
  765. memcpy((void*)0x20007f80, "./bus\000", 6);
  766. res =
  767. syscall(__NR_open, /*file=*/0x20007f80ul,
  768. /*flags=O_SYNC|O_NOCTTY|O_NOATIME|O_EXCL|O_CREAT|0x2*/ 0x1411c2ul,
  769. /*mode=*/0ul);
  770. if (res != -1)
  771. r[3] = res;
  772. syscall(__NR_ftruncate, /*fd=*/r[3], /*len=*/8ul);
  773. syscall(__NR_ftruncate, /*fd=*/r[3], /*len=*/8ul);
  774. syscall(__NR_sendfile, /*fdout=*/r[3], /*fdin=*/r[3], /*off=*/0ul,
  775. /*count=*/0xfffffffful);
  776. *(uint32_t*)0x20000000 = 0x4000;
  777. syscall(__NR_ioctl, /*fd=*/r[3], /*cmd=*/0x40086602, /*arg=*/0x20000000ul);
  778. *(uint32_t*)0x2001d000 = 0;
  779. *(uint32_t*)0x2001d004 = 0x80;
  780. *(uint8_t*)0x2001d008 = 2;
  781. *(uint8_t*)0x2001d009 = 0;
  782. *(uint8_t*)0x2001d00a = 0;
  783. *(uint8_t*)0x2001d00b = 0;
  784. *(uint32_t*)0x2001d00c = 0;
  785. *(uint64_t*)0x2001d010 = 0x18a;
  786. *(uint64_t*)0x2001d018 = 0;
  787. *(uint64_t*)0x2001d020 = 2;
  788. STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 0, 1);
  789. STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 1, 1);
  790. STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 2, 1);
  791. STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 3, 1);
  792. STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 4, 1);
  793. STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 5, 1);
  794. STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 6, 1);
  795. STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 7, 1);
  796. STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 8, 1);
  797. STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 9, 1);
  798. STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 10, 1);
  799. STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 11, 1);
  800. STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 12, 1);
  801. STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 13, 1);
  802. STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 14, 1);
  803. STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 15, 2);
  804. STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 17, 1);
  805. STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 18, 1);
  806. STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 19, 1);
  807. STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 20, 1);
  808. STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 21, 1);
  809. STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 22, 1);
  810. STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 23, 1);
  811. STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 24, 1);
  812. STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 25, 1);
  813. STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 26, 1);
  814. STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 27, 1);
  815. STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 28, 1);
  816. STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 29, 1);
  817. STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 30, 1);
  818. STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 31, 1);
  819. STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 32, 1);
  820. STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 33, 1);
  821. STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 34, 1);
  822. STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 35, 1);
  823. STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 36, 1);
  824. STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 37, 1);
  825. STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 38, 26);
  826. *(uint32_t*)0x2001d030 = 0;
  827. *(uint32_t*)0x2001d034 = 0;
  828. *(uint64_t*)0x2001d038 = 0;
  829. *(uint64_t*)0x2001d040 = 0;
  830. *(uint64_t*)0x2001d048 = 0x280;
  831. *(uint64_t*)0x2001d050 = 0;
  832. *(uint32_t*)0x2001d058 = 0;
  833. *(uint32_t*)0x2001d05c = 0;
  834. *(uint64_t*)0x2001d060 = 0;
  835. *(uint32_t*)0x2001d068 = 0;
  836. *(uint16_t*)0x2001d06c = 0;
  837. *(uint16_t*)0x2001d06e = 0;
  838. *(uint32_t*)0x2001d070 = 0;
  839. *(uint32_t*)0x2001d074 = 0;
  840. *(uint64_t*)0x2001d078 = 0;
  841. syscall(__NR_perf_event_open, /*attr=*/0x2001d000ul, /*pid=*/0, /*cpu=*/-1,
  842. /*group=*/-1, /*flags=*/0ul);
  843. *(uint32_t*)0x2001d000 = 0;
  844. *(uint32_t*)0x2001d004 = 0x80;
  845. *(uint8_t*)0x2001d008 = 2;
  846. *(uint8_t*)0x2001d009 = 0;
  847. *(uint8_t*)0x2001d00a = 0;
  848. *(uint8_t*)0x2001d00b = 0;
  849. *(uint32_t*)0x2001d00c = 0;
  850. *(uint64_t*)0x2001d010 = 0x18a;
  851. *(uint64_t*)0x2001d018 = 0;
  852. *(uint64_t*)0x2001d020 = 2;
  853. STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 0, 1);
  854. STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 1, 1);
  855. STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 2, 1);
  856. STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 3, 1);
  857. STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 4, 1);
  858. STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 5, 1);
  859. STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 6, 1);
  860. STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 7, 1);
  861. STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 8, 1);
  862. STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 9, 1);
  863. STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 10, 1);
  864. STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 11, 1);
  865. STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 12, 1);
  866. STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 13, 1);
  867. STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 14, 1);
  868. STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 15, 2);
  869. STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 17, 1);
  870. STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 18, 1);
  871. STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 19, 1);
  872. STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 20, 1);
  873. STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 21, 1);
  874. STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 22, 1);
  875. STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 23, 1);
  876. STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 24, 1);
  877. STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 25, 1);
  878. STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 26, 1);
  879. STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 27, 1);
  880. STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 28, 1);
  881. STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 29, 1);
  882. STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 30, 1);
  883. STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 31, 1);
  884. STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 32, 1);
  885. STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 33, 1);
  886. STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 34, 1);
  887. STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 35, 1);
  888. STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 36, 1);
  889. STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 37, 1);
  890. STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 38, 26);
  891. *(uint32_t*)0x2001d030 = 0;
  892. *(uint32_t*)0x2001d034 = 0;
  893. *(uint64_t*)0x2001d038 = 0;
  894. *(uint64_t*)0x2001d040 = 0;
  895. *(uint64_t*)0x2001d048 = 0x280;
  896. *(uint64_t*)0x2001d050 = 0;
  897. *(uint32_t*)0x2001d058 = 0;
  898. *(uint32_t*)0x2001d05c = 0;
  899. *(uint64_t*)0x2001d060 = 0;
  900. *(uint32_t*)0x2001d068 = 0;
  901. *(uint16_t*)0x2001d06c = 0;
  902. *(uint16_t*)0x2001d06e = 0;
  903. *(uint32_t*)0x2001d070 = 0;
  904. *(uint32_t*)0x2001d074 = 0;
  905. *(uint64_t*)0x2001d078 = 0;
  906. syscall(__NR_perf_event_open, /*attr=*/0x2001d000ul, /*pid=*/0, /*cpu=*/-1,
  907. /*group=*/-1, /*flags=*/0ul);
  908. memcpy((void*)0x20000740, "/dev/autofs\000", 12);
  909. syscall(__NR_openat, /*fd=*/0xffffffffffffff9cul, /*file=*/0x20000740ul,
  910. /*flags=O_SYNC|O_EXCL|O_CLOEXEC*/ 0x181080ul, /*mode=*/0ul);
  911. memcpy((void*)0x20000740, "/dev/autofs\000", 12);
  912. syscall(__NR_openat, /*fd=*/0xffffffffffffff9cul, /*file=*/0x20000740ul,
  913. /*flags=O_SYNC|O_EXCL|O_CLOEXEC*/ 0x181080ul, /*mode=*/0ul);
  914. syscall(__NR_socket, /*domain=*/0xaul, /*type=*/1ul, /*proto=*/0);
  915. res = syscall(__NR_socket, /*domain=*/0xaul, /*type=*/1ul, /*proto=*/0);
  916. if (res != -1)
  917. r[4] = res;
  918. *(uint32_t*)0x20000100 = 0xe8;
  919. res = syscall(__NR_getsockopt, /*fd=*/r[4], /*level=*/0x29, /*optname=*/0x23,
  920. /*optval=*/0x20000780ul, /*optlen=*/0x20000100ul);
  921. if (res != -1)
  922. r[5] = *(uint32_t*)0x200007b4;
  923. res = syscall(__NR_socket, /*domain=AF_NETLINK*/ 0x10ul,
  924. /*type=SOCK_RAW*/ 3ul, /*proto=*/0);
  925. if (res != -1)
  926. r[6] = res;
  927. *(uint32_t*)0x20cab000 = 0xc;
  928. res = syscall(__NR_getsockopt, /*fd=*/r[6], /*level=*/1, /*optname=*/0x11,
  929. /*optval=*/0x20caaffbul, /*optlen=*/0x20cab000ul);
  930. if (res != -1) {
  931. r[7] = *(uint32_t*)0x20caafff;
  932. r[8] = *(uint32_t*)0x20cab003;
  933. }
  934. syscall(__NR_mmap, /*addr=*/0x20ffe000ul, /*len=*/0x1000ul,
  935. /*prot=PROT_GROWSUP|PROT_WRITE*/ 0x2000002ul,
  936. /*flags=MAP_FIXED|MAP_DENYWRITE*/ 0x810ul, /*fd=*/r[0],
  937. /*offset=*/0x400ul);
  938. memcpy((void*)0x20001b40, "ext2\000", 5);
  939. memcpy((void*)0x200047c0, "./file2\000", 8);
  940. *(uint8_t*)0x20000580 = r[8];
  941. *(uint16_t*)0x20000581 = r[7];
  942. memcpy(
  943. (void*)0x20003100,
  944. "\x78\x9c\xec\xdd\x4f\x6f\x23\x67\x19\x00\xf0\x67\x9c\xb8\x64\xbb\x59\x92"
  945. "\x02\x87\x52\xa9\xa5\xa2\x45\xd9\x0a\xd6\x4e\x1a\xda\x46\x1c\xda\x22\x21"
  946. "\x6e\x95\x40\xcb\x7d\x89\x12\x27\x8a\xe2\xc4\x51\xec\xb4\x9b\xa8\x42\xa9"
  947. "\xf8\x00\x48\x08\xc1\x4a\x9c\x38\x71\x41\xe2\x03\x20\xa1\xfd\x08\x68\xa5"
  948. "\x95\xd8\x3b\x02\x04\x42\xb0\x0b\x07\x0e\xc0\xa0\x19\x4f\xb2\x89\x35\xde"
  949. "\x64\xd5\xd8\x5e\x39\xbf\x9f\xf4\x7a\xde\x19\x7b\xe6\x79\x5e\x3b\x1e\xcf"
  950. "\x9f\x37\x33\x01\x5c\x5a\xaf\x46\xc4\xfb\x11\x31\x11\x11\x6f\x44\xc4\x4c"
  951. "\x31\xbd\x52\x94\x38\xec\x96\xec\x75\x8f\x1e\x7e\xbc\x92\x95\x24\xd2\xf4"
  952. "\xe6\xdf\x93\x7c\x9e\x6c\x3c\x22\x92\x93\xcb\xbc\x5a\xcc\x36\xd5\x1d\x94"
  953. "\x6a\xef\x1f\x6c\x2e\x37\x9b\x8d\xdd\x62\xbc\xde\xd9\xda\xa9\xb7\xf7\x0f"
  954. "\x6e\x6c\x6c\x2d\xaf\x37\xd6\x1b\xdb\x8b\x8b\x0b\x6f\x2f\xbd\xb3\xf4\xd6"
  955. "\xd2\xfc\x85\xb4\xf3\x5a\x44\xbc\xfb\xad\x3f\xff\xf4\x47\xbf\xfc\xf6\xbb"
  956. "\xbf\xfd\xda\x47\x7f\xb8\xf5\xd7\xeb\x3f\xc8\x92\x9e\x2e\x9e\x2f\xda\x71"
  957. "\xe1\x1e\xe4\x8f\xd5\xec\xbd\x38\x36\x19\x11\xbb\x83\x08\x36\x02\x13\x45"
  958. "\x7b\xaa\xa3\x4e\x04\x00\x80\x73\xa9\x45\xc4\xe7\x22\xe2\xcb\xf9\xf6\xff"
  959. "\x4c\x4c\xe4\x5b\x73\x39\x9b\x74\x00\x00\x00\x30\x26\xd2\xf7\xa6\xe3\x3f"
  960. "\x49\x44\x0a\x00\x00\x00\x8c\xad\xf7\xf2\x3e\xb0\x49\xa5\x56\xf4\xf7\x9d"
  961. "\x8e\x4a\xa5\x56\xeb\xf6\xe1\xfd\x42\x3c\x5f\x69\xb6\xda\x9d\xaf\xae\xb5"
  962. "\xf6\xb6\x57\xbb\x7d\x65\x67\xa3\x5a\x59\xdb\x68\x36\xe6\x8b\xbe\xc2\xb3"
  963. "\x51\x4d\xb2\xf1\x85\xbc\xfe\x78\xfc\xcd\x9e\xf1\xc5\x88\x78\x21\x22\x7e"
  964. "\x32\x73\x25\x1f\xaf\xad\xb4\x9a\xab\xa3\x3e\xf8\x01\x00\x00\x00\x97\xc4"
  965. "\xd5\x9e\xfd\xff\x7f\xcd\x74\xf7\xff\x01\x00\x00\x80\x31\x33\x3b\xea\x04"
  966. "\x00\x00\x00\x80\x81\xeb\xb7\xff\x9f\x0c\x39\x0f\x00\x00\x00\x60\x70\x9c"
  967. "\xff\x07\x00\x00\x80\xb1\xf6\x9d\x0f\x3e\xc8\x4a\x7a\x74\xff\xeb\xd5\x0f"
  968. "\xf7\xf7\x36\x5b\x1f\xde\x58\x6d\xb4\x37\x6b\x5b\x7b\x2b\xb5\x95\xd6\xee"
  969. "\x4e\x6d\xbd\xd5\x5a\xcf\xaf\xd9\xb7\x75\xd6\xf2\x9a\xad\xd6\xce\xd7\x63"
  970. "\x7b\xef\x76\xbd\xd3\x68\x77\xea\xed\xfd\x83\x5b\x5b\xad\xbd\xed\xce\xad"
  971. "\x8d\x53\xb7\xc0\x06\x00\x00\x00\x86\xe8\x85\x2f\xdd\x7d\x90\x44\xc4\xe1"
  972. "\x37\xae\xe4\x25\xf3\x5c\xf6\x30\xd1\x67\x06\x7d\x05\x60\x6c\x54\x9e\xe6"
  973. "\xc5\x7f\x1a\x5c\x1e\xc0\xf0\xf5\xfb\x99\x07\xc6\xdf\xe4\xa8\x13\x00\x46"
  974. "\xe7\x70\xd4\x09\x00\xa3\x76\xea\x52\x1f\x25\x1b\x05\x27\x3b\xef\x9c\x3a"
  975. "\x66\xf0\xbb\xc1\xe5\x04\x00\x00\x5c\xac\xb9\x2f\x96\x9f\xff\xcf\x76\x01"
  976. "\xaa\xa3\x4e\x0e\x18\xa8\xa7\x3a\xff\x0f\x8c\x15\xe7\xff\xe1\xf2\x7a\xca"
  977. "\xf3\xff\xf7\x06\x95\x07\x30\x7c\x55\x5b\x00\x70\xe9\x9d\x75\xab\x8f\xbe"
  978. "\x17\xef\x38\xf7\xf9\xff\x34\x3d\x73\x59\x00\x00\xc0\x40\x4d\xe7\x25\xa9"
  979. "\xd4\x8a\x73\x81\xd3\x51\xa9\xd4\x6a\x11\xd7\xf2\x7f\xf5\xaf\x26\x6b\x1b"
  980. "\xcd\xc6\x7c\x44\x7c\x36\x22\x7e\x3f\x53\xfd\x4c\x36\xbe\x90\xcf\x99\xb8"
  981. "\x3d\x20\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  982. "\x00\x00\x00\x9c\x53\x9a\x26\x91\x02\x00\x00\x00\x63\x2d\xa2\xf2\x97\xa4"
  983. "\xb8\xff\xd7\xdc\xcc\xeb\xd3\xbd\xc7\x07\x9e\x4b\xfe\x3d\x93\x0f\x23\xe2"
  984. "\xa3\x9f\xdf\xac\xdc\x5e\xee\x74\x76\x17\xb2\xe9\xff\x38\x9e\xde\xb9\x73"
  985. "\xf3\x67\xf9\xf4\x37\x47\x71\x04\x03\x00\x00\x00\xe8\x75\xb4\x9f\x7e\xb4"
  986. "\x1f\x0f\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  987. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  988. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  989. "\x00\x00\x00\x17\xe9\xd1\xc3\x8f\x57\x8e\xca\x30\xe3\xfe\xed\x9b\x11\x31"
  990. "\x5b\x16\x7f\x32\xa6\xf2\xe1\x54\x54\x23\xe2\xf9\x7f\x26\x31\x79\x62\xbe"
  991. "\x24\x22\x26\x2e\x20\xfe\xe1\x27\x11\xf1\x62\x59\xfc\x24\x4b\x2b\x66\x8b"
  992. "\x2c\x7a\xe3\x57\x22\xe2\xca\x70\xe2\xbf\x9c\xa6\x69\x69\xfc\xab\x17\x10"
  993. "\x1f\x2e\xb3\xbb\xd9\xfa\xe7\xfd\xb2\xef\x5f\x25\x5e\xcd\x87\xe5\xdf\xff"
  994. "\xc9\xa2\x7c\x5a\xfd\xd7\x7f\x95\xe3\xf5\xdf\x44\x9f\xf5\xdf\xb5\x73\xc6"
  995. "\x78\xe9\xfe\xaf\xeb\x7d\xe3\x7f\x12\xf1\xd2\x64\xf9\xfa\xe7\x28\x7e\xd2"
  996. "\x27\xfe\x6b\x65\x0b\x2c\x79\x53\xbe\xff\xbd\x83\x83\x7e\xf1\xd3\x5f\x44"
  997. "\xcc\x95\xfe\xfe\x24\xa7\x62\xd5\x3b\x5b\x3b\xf5\xf6\xfe\xc1\x8d\x8d\xad"
  998. "\xe5\xf5\xc6\x7a\x63\x7b\x71\x71\xe1\xed\xa5\x77\x96\xde\x5a\x9a\xaf\xaf"
  999. "\x6d\x34\x1b\xc5\x63\x69\x8c\x1f\xbf\xfc\x9b\xff\xf5\x4c\xfa\x6f\xda\x95"
  1000. "\xb7\x3f\xfa\xc4\x9f\x3d\xa3\xfd\xaf\x67\x95\xea\xc9\xc6\xf4\x86\x29\x82"
  1001. "\xdd\xbf\xfd\xf0\xf3\xdd\x6a\xb5\x67\x11\x79\xfc\xeb\xaf\x95\x7f\xfe\x2f"
  1002. "\x3e\x21\x7e\xf6\x37\xf1\x95\xe2\x77\x20\x7b\x7e\xee\xa8\x7e\xd8\xad\x9f"
  1003. "\xf4\xca\xaf\xee\xbd\x52\x9a\x58\x11\x7f\xb5\x4f\xfb\x8f\x3f\xff\xac\x52"
  1004. "\xd2\xfe\xeb\xfd\x16\xda\xe3\x8d\xef\xfe\xf0\x8f\xe7\x7c\x29\x00\x30\x04"
  1005. "\xed\xfd\x83\xcd\xe5\x66\xb3\xb1\x3b\xf0\xca\x9d\x34\x4d\x87\x15\x4b\xe5"
  1006. "\x19\xac\x4c\x3d\x1b\x69\xa8\x9c\x5d\xb9\x88\x23\x5b\x00\x00\xc0\xb3\xe6"
  1007. "\xf1\x46\xff\xa8\x33\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  1008. "\x00\x00\x80\xcb\xab\xbd\x9f\x4e\x0c\xfa\x72\x62\xbd\x31\x0f\x47\xd3\x54"
  1009. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  1010. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  1011. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  1012. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  1013. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  1014. "\x00\x00\x00\x00\x80\x27\xfa\x7f\x00\x00\x00\xff\xff\xa2\xc2\xe3\xbd",
  1015. 1277);
  1016. syz_mount_image(
  1017. /*fs=*/0x20001b40, /*dir=*/0x200047c0,
  1018. /*flags=MS_POSIXACL|MS_RELATIME|MS_RDONLY|MS_NOSUID|0x40c*/ 0x21040f,
  1019. /*opts=*/0x20000580, /*chdir=*/1, /*size=*/0x4fd, /*img=*/0x20003100);
  1020. memcpy((void*)0x20000440, "./file1\000", 8);
  1021. syscall(__NR_newfstatat, /*dfd=*/0xffffffffffffff9cul, /*file=*/0x20000440ul,
  1022. /*statbuf=*/0x20000480ul, /*flag=AT_NO_AUTOMOUNT*/ 0x800ul);
  1023. memcpy((void*)0x20000440, "./file1\000", 8);
  1024. res = syscall(__NR_newfstatat, /*dfd=*/0xffffffffffffff9cul,
  1025. /*file=*/0x20000440ul, /*statbuf=*/0x20000480ul,
  1026. /*flag=AT_NO_AUTOMOUNT*/ 0x800ul);
  1027. if (res != -1)
  1028. r[9] = *(uint32_t*)0x2000049c;
  1029. *(uint32_t*)0x20000540 = 0xa0;
  1030. *(uint8_t*)0x20000544 = 0x19;
  1031. *(uint16_t*)0x20000545 = 2;
  1032. *(uint64_t*)0x20000547 = 0x2c89;
  1033. *(uint8_t*)0x2000054f = 0;
  1034. *(uint32_t*)0x20000550 = 0;
  1035. *(uint64_t*)0x20000554 = 0;
  1036. *(uint32_t*)0x2000055c = 0x44;
  1037. *(uint32_t*)0x20000560 = r[5];
  1038. *(uint32_t*)0x20000564 = r[9];
  1039. *(uint64_t*)0x20000568 = 6;
  1040. *(uint64_t*)0x20000570 = 0;
  1041. *(uint64_t*)0x20000578 = 0x80000001;
  1042. *(uint64_t*)0x20000580 = 0x72e;
  1043. *(uint64_t*)0x20000588 = 0x800;
  1044. *(uint64_t*)0x20000590 = 0x400;
  1045. *(uint64_t*)0x20000598 = 7;
  1046. *(uint64_t*)0x200005a0 = 0;
  1047. *(uint64_t*)0x200005a8 = 0xffffffff00000000;
  1048. *(uint64_t*)0x200005b0 = 0x80000001;
  1049. *(uint64_t*)0x200005b8 = 0x400;
  1050. *(uint64_t*)0x200005c0 = 1;
  1051. *(uint64_t*)0x200005c8 = 0;
  1052. *(uint64_t*)0x200005d0 = 7;
  1053. *(uint64_t*)0x200005d8 = 0x771aeadc;
  1054. syscall(__NR_write, /*fd=*/r[3], /*data=*/0x20000540ul, /*size=*/0xa0ul);
  1055. *(uint32_t*)0x200001c0 = 0;
  1056. *(uint32_t*)0x200001c4 = 0x80;
  1057. *(uint8_t*)0x200001c8 = 1;
  1058. *(uint8_t*)0x200001c9 = 0x40;
  1059. *(uint8_t*)0x200001ca = 0x20;
  1060. *(uint8_t*)0x200001cb = -1;
  1061. *(uint32_t*)0x200001cc = 0;
  1062. *(uint64_t*)0x200001d0 = 5;
  1063. *(uint64_t*)0x200001d8 = 0x59000;
  1064. *(uint64_t*)0x200001e0 = 4;
  1065. STORE_BY_BITMASK(uint64_t, , 0x200001e8, 1, 0, 1);
  1066. STORE_BY_BITMASK(uint64_t, , 0x200001e8, 1, 1, 1);
  1067. STORE_BY_BITMASK(uint64_t, , 0x200001e8, 0, 2, 1);
  1068. STORE_BY_BITMASK(uint64_t, , 0x200001e8, 1, 3, 1);
  1069. STORE_BY_BITMASK(uint64_t, , 0x200001e8, 0, 4, 1);
  1070. STORE_BY_BITMASK(uint64_t, , 0x200001e8, 1, 5, 1);
  1071. STORE_BY_BITMASK(uint64_t, , 0x200001e8, 1, 6, 1);
  1072. STORE_BY_BITMASK(uint64_t, , 0x200001e8, 1, 7, 1);
  1073. STORE_BY_BITMASK(uint64_t, , 0x200001e8, 0, 8, 1);
  1074. STORE_BY_BITMASK(uint64_t, , 0x200001e8, 0, 9, 1);
  1075. STORE_BY_BITMASK(uint64_t, , 0x200001e8, 1, 10, 1);
  1076. STORE_BY_BITMASK(uint64_t, , 0x200001e8, 0, 11, 1);
  1077. STORE_BY_BITMASK(uint64_t, , 0x200001e8, 0, 12, 1);
  1078. STORE_BY_BITMASK(uint64_t, , 0x200001e8, 0, 13, 1);
  1079. STORE_BY_BITMASK(uint64_t, , 0x200001e8, 1, 14, 1);
  1080. STORE_BY_BITMASK(uint64_t, , 0x200001e8, 2, 15, 2);
  1081. STORE_BY_BITMASK(uint64_t, , 0x200001e8, 0, 17, 1);
  1082. STORE_BY_BITMASK(uint64_t, , 0x200001e8, 1, 18, 1);
  1083. STORE_BY_BITMASK(uint64_t, , 0x200001e8, 0, 19, 1);
  1084. STORE_BY_BITMASK(uint64_t, , 0x200001e8, 1, 20, 1);
  1085. STORE_BY_BITMASK(uint64_t, , 0x200001e8, 1, 21, 1);
  1086. STORE_BY_BITMASK(uint64_t, , 0x200001e8, 1, 22, 1);
  1087. STORE_BY_BITMASK(uint64_t, , 0x200001e8, 1, 23, 1);
  1088. STORE_BY_BITMASK(uint64_t, , 0x200001e8, 0, 24, 1);
  1089. STORE_BY_BITMASK(uint64_t, , 0x200001e8, 0, 25, 1);
  1090. STORE_BY_BITMASK(uint64_t, , 0x200001e8, 0, 26, 1);
  1091. STORE_BY_BITMASK(uint64_t, , 0x200001e8, 1, 27, 1);
  1092. STORE_BY_BITMASK(uint64_t, , 0x200001e8, 1, 28, 1);
  1093. STORE_BY_BITMASK(uint64_t, , 0x200001e8, 1, 29, 1);
  1094. STORE_BY_BITMASK(uint64_t, , 0x200001e8, 1, 30, 1);
  1095. STORE_BY_BITMASK(uint64_t, , 0x200001e8, 0, 31, 1);
  1096. STORE_BY_BITMASK(uint64_t, , 0x200001e8, 1, 32, 1);
  1097. STORE_BY_BITMASK(uint64_t, , 0x200001e8, 0, 33, 1);
  1098. STORE_BY_BITMASK(uint64_t, , 0x200001e8, 0, 34, 1);
  1099. STORE_BY_BITMASK(uint64_t, , 0x200001e8, 0, 35, 1);
  1100. STORE_BY_BITMASK(uint64_t, , 0x200001e8, 0, 36, 1);
  1101. STORE_BY_BITMASK(uint64_t, , 0x200001e8, 0, 37, 1);
  1102. STORE_BY_BITMASK(uint64_t, , 0x200001e8, 0, 38, 26);
  1103. *(uint32_t*)0x200001f0 = 0x2f1;
  1104. *(uint32_t*)0x200001f4 = 6;
  1105. *(uint64_t*)0x200001f8 = 0;
  1106. *(uint64_t*)0x20000200 = 8;
  1107. *(uint64_t*)0x20000208 = 0x1000;
  1108. *(uint64_t*)0x20000210 = 6;
  1109. *(uint32_t*)0x20000218 = 2;
  1110. *(uint32_t*)0x2000021c = 0;
  1111. *(uint64_t*)0x20000220 = 3;
  1112. *(uint32_t*)0x20000228 = 0x1000;
  1113. *(uint16_t*)0x2000022c = 0xa1e;
  1114. *(uint16_t*)0x2000022e = 0;
  1115. *(uint32_t*)0x20000230 = 8;
  1116. *(uint32_t*)0x20000234 = 0;
  1117. *(uint64_t*)0x20000238 = 4;
  1118. res = syscall(__NR_perf_event_open, /*attr=*/0x200001c0ul, /*pid=*/r[2],
  1119. /*cpu=*/9ul, /*group=*/r[0], /*flags=*/0ul);
  1120. if (res != -1)
  1121. r[10] = res;
  1122. *(uint32_t*)0x20000600 = 3;
  1123. *(uint32_t*)0x20000604 = 0x80;
  1124. *(uint8_t*)0x20000608 = 0x1c;
  1125. *(uint8_t*)0x20000609 = 2;
  1126. *(uint8_t*)0x2000060a = 6;
  1127. *(uint8_t*)0x2000060b = 0x81;
  1128. *(uint32_t*)0x2000060c = 0;
  1129. *(uint64_t*)0x20000610 = 0x5a4;
  1130. *(uint64_t*)0x20000618 = 0x90;
  1131. *(uint64_t*)0x20000620 = 3;
  1132. STORE_BY_BITMASK(uint64_t, , 0x20000628, 0, 0, 1);
  1133. STORE_BY_BITMASK(uint64_t, , 0x20000628, 1, 1, 1);
  1134. STORE_BY_BITMASK(uint64_t, , 0x20000628, 0, 2, 1);
  1135. STORE_BY_BITMASK(uint64_t, , 0x20000628, 0, 3, 1);
  1136. STORE_BY_BITMASK(uint64_t, , 0x20000628, 1, 4, 1);
  1137. STORE_BY_BITMASK(uint64_t, , 0x20000628, 1, 5, 1);
  1138. STORE_BY_BITMASK(uint64_t, , 0x20000628, 0, 6, 1);
  1139. STORE_BY_BITMASK(uint64_t, , 0x20000628, 0, 7, 1);
  1140. STORE_BY_BITMASK(uint64_t, , 0x20000628, 0, 8, 1);
  1141. STORE_BY_BITMASK(uint64_t, , 0x20000628, 0, 9, 1);
  1142. STORE_BY_BITMASK(uint64_t, , 0x20000628, 1, 10, 1);
  1143. STORE_BY_BITMASK(uint64_t, , 0x20000628, 1, 11, 1);
  1144. STORE_BY_BITMASK(uint64_t, , 0x20000628, 0, 12, 1);
  1145. STORE_BY_BITMASK(uint64_t, , 0x20000628, 0, 13, 1);
  1146. STORE_BY_BITMASK(uint64_t, , 0x20000628, 0, 14, 1);
  1147. STORE_BY_BITMASK(uint64_t, , 0x20000628, 2, 15, 2);
  1148. STORE_BY_BITMASK(uint64_t, , 0x20000628, 0, 17, 1);
  1149. STORE_BY_BITMASK(uint64_t, , 0x20000628, 0, 18, 1);
  1150. STORE_BY_BITMASK(uint64_t, , 0x20000628, 1, 19, 1);
  1151. STORE_BY_BITMASK(uint64_t, , 0x20000628, 1, 20, 1);
  1152. STORE_BY_BITMASK(uint64_t, , 0x20000628, 0, 21, 1);
  1153. STORE_BY_BITMASK(uint64_t, , 0x20000628, 1, 22, 1);
  1154. STORE_BY_BITMASK(uint64_t, , 0x20000628, 0, 23, 1);
  1155. STORE_BY_BITMASK(uint64_t, , 0x20000628, 0, 24, 1);
  1156. STORE_BY_BITMASK(uint64_t, , 0x20000628, 1, 25, 1);
  1157. STORE_BY_BITMASK(uint64_t, , 0x20000628, 1, 26, 1);
  1158. STORE_BY_BITMASK(uint64_t, , 0x20000628, 1, 27, 1);
  1159. STORE_BY_BITMASK(uint64_t, , 0x20000628, 0, 28, 1);
  1160. STORE_BY_BITMASK(uint64_t, , 0x20000628, 1, 29, 1);
  1161. STORE_BY_BITMASK(uint64_t, , 0x20000628, 0, 30, 1);
  1162. STORE_BY_BITMASK(uint64_t, , 0x20000628, 1, 31, 1);
  1163. STORE_BY_BITMASK(uint64_t, , 0x20000628, 0, 32, 1);
  1164. STORE_BY_BITMASK(uint64_t, , 0x20000628, 1, 33, 1);
  1165. STORE_BY_BITMASK(uint64_t, , 0x20000628, 1, 34, 1);
  1166. STORE_BY_BITMASK(uint64_t, , 0x20000628, 1, 35, 1);
  1167. STORE_BY_BITMASK(uint64_t, , 0x20000628, 1, 36, 1);
  1168. STORE_BY_BITMASK(uint64_t, , 0x20000628, 0, 37, 1);
  1169. STORE_BY_BITMASK(uint64_t, , 0x20000628, 0, 38, 26);
  1170. *(uint32_t*)0x20000630 = 0x7ff;
  1171. *(uint32_t*)0x20000634 = 0;
  1172. *(uint64_t*)0x20000638 = 8;
  1173. *(uint64_t*)0x20000640 = 8;
  1174. *(uint64_t*)0x20000648 = 4;
  1175. *(uint64_t*)0x20000650 = 5;
  1176. *(uint32_t*)0x20000658 = 0xfff;
  1177. *(uint32_t*)0x2000065c = 1;
  1178. *(uint64_t*)0x20000660 = 6;
  1179. *(uint32_t*)0x20000668 = 8;
  1180. *(uint16_t*)0x2000066c = 6;
  1181. *(uint16_t*)0x2000066e = 0;
  1182. *(uint32_t*)0x20000670 = 6;
  1183. *(uint32_t*)0x20000674 = 0;
  1184. *(uint64_t*)0x20000678 = 0xc3;
  1185. syscall(
  1186. __NR_perf_event_open, /*attr=*/0x20000600ul, /*pid=*/0, /*cpu=*/4ul,
  1187. /*group=*/r[10],
  1188. /*flags=PERF_FLAG_FD_CLOEXEC|PERF_FLAG_FD_NO_GROUP|0xb2200ec1dacf7264*/
  1189. 0xb2200ec1dacf726dul);
  1190. *(uint32_t*)0x20000600 = 3;
  1191. *(uint32_t*)0x20000604 = 0x80;
  1192. *(uint8_t*)0x20000608 = 0x1c;
  1193. *(uint8_t*)0x20000609 = 2;
  1194. *(uint8_t*)0x2000060a = 6;
  1195. *(uint8_t*)0x2000060b = 0x81;
  1196. *(uint32_t*)0x2000060c = 0;
  1197. *(uint64_t*)0x20000610 = 0x5a4;
  1198. *(uint64_t*)0x20000618 = 0x90;
  1199. *(uint64_t*)0x20000620 = 3;
  1200. STORE_BY_BITMASK(uint64_t, , 0x20000628, 0, 0, 1);
  1201. STORE_BY_BITMASK(uint64_t, , 0x20000628, 1, 1, 1);
  1202. STORE_BY_BITMASK(uint64_t, , 0x20000628, 0, 2, 1);
  1203. STORE_BY_BITMASK(uint64_t, , 0x20000628, 0, 3, 1);
  1204. STORE_BY_BITMASK(uint64_t, , 0x20000628, 1, 4, 1);
  1205. STORE_BY_BITMASK(uint64_t, , 0x20000628, 1, 5, 1);
  1206. STORE_BY_BITMASK(uint64_t, , 0x20000628, 0, 6, 1);
  1207. STORE_BY_BITMASK(uint64_t, , 0x20000628, 0, 7, 1);
  1208. STORE_BY_BITMASK(uint64_t, , 0x20000628, 0, 8, 1);
  1209. STORE_BY_BITMASK(uint64_t, , 0x20000628, 0, 9, 1);
  1210. STORE_BY_BITMASK(uint64_t, , 0x20000628, 1, 10, 1);
  1211. STORE_BY_BITMASK(uint64_t, , 0x20000628, 1, 11, 1);
  1212. STORE_BY_BITMASK(uint64_t, , 0x20000628, 0, 12, 1);
  1213. STORE_BY_BITMASK(uint64_t, , 0x20000628, 0, 13, 1);
  1214. STORE_BY_BITMASK(uint64_t, , 0x20000628, 0, 14, 1);
  1215. STORE_BY_BITMASK(uint64_t, , 0x20000628, 2, 15, 2);
  1216. STORE_BY_BITMASK(uint64_t, , 0x20000628, 0, 17, 1);
  1217. STORE_BY_BITMASK(uint64_t, , 0x20000628, 0, 18, 1);
  1218. STORE_BY_BITMASK(uint64_t, , 0x20000628, 1, 19, 1);
  1219. STORE_BY_BITMASK(uint64_t, , 0x20000628, 1, 20, 1);
  1220. STORE_BY_BITMASK(uint64_t, , 0x20000628, 0, 21, 1);
  1221. STORE_BY_BITMASK(uint64_t, , 0x20000628, 1, 22, 1);
  1222. STORE_BY_BITMASK(uint64_t, , 0x20000628, 0, 23, 1);
  1223. STORE_BY_BITMASK(uint64_t, , 0x20000628, 0, 24, 1);
  1224. STORE_BY_BITMASK(uint64_t, , 0x20000628, 1, 25, 1);
  1225. STORE_BY_BITMASK(uint64_t, , 0x20000628, 1, 26, 1);
  1226. STORE_BY_BITMASK(uint64_t, , 0x20000628, 1, 27, 1);
  1227. STORE_BY_BITMASK(uint64_t, , 0x20000628, 0, 28, 1);
  1228. STORE_BY_BITMASK(uint64_t, , 0x20000628, 1, 29, 1);
  1229. STORE_BY_BITMASK(uint64_t, , 0x20000628, 0, 30, 1);
  1230. STORE_BY_BITMASK(uint64_t, , 0x20000628, 1, 31, 1);
  1231. STORE_BY_BITMASK(uint64_t, , 0x20000628, 0, 32, 1);
  1232. STORE_BY_BITMASK(uint64_t, , 0x20000628, 1, 33, 1);
  1233. STORE_BY_BITMASK(uint64_t, , 0x20000628, 1, 34, 1);
  1234. STORE_BY_BITMASK(uint64_t, , 0x20000628, 1, 35, 1);
  1235. STORE_BY_BITMASK(uint64_t, , 0x20000628, 1, 36, 1);
  1236. STORE_BY_BITMASK(uint64_t, , 0x20000628, 0, 37, 1);
  1237. STORE_BY_BITMASK(uint64_t, , 0x20000628, 0, 38, 26);
  1238. *(uint32_t*)0x20000630 = 0x7ff;
  1239. *(uint32_t*)0x20000634 = 0;
  1240. *(uint64_t*)0x20000638 = 8;
  1241. *(uint64_t*)0x20000640 = 8;
  1242. *(uint64_t*)0x20000648 = 4;
  1243. *(uint64_t*)0x20000650 = 5;
  1244. *(uint32_t*)0x20000658 = 0xfff;
  1245. *(uint32_t*)0x2000065c = 1;
  1246. *(uint64_t*)0x20000660 = 6;
  1247. *(uint32_t*)0x20000668 = 8;
  1248. *(uint16_t*)0x2000066c = 6;
  1249. *(uint16_t*)0x2000066e = 0;
  1250. *(uint32_t*)0x20000670 = 6;
  1251. *(uint32_t*)0x20000674 = 0;
  1252. *(uint64_t*)0x20000678 = 0xc3;
  1253. syscall(
  1254. __NR_perf_event_open, /*attr=*/0x20000600ul, /*pid=*/0, /*cpu=*/4ul,
  1255. /*group=*/r[10],
  1256. /*flags=PERF_FLAG_FD_CLOEXEC|PERF_FLAG_FD_NO_GROUP|0xb2200ec1dacf7264*/
  1257. 0xb2200ec1dacf726dul);
  1258. syscall(__NR_ioctl, /*fd=*/-1, /*cmd=*/0xc0bc5310, /*arg=*/0ul);
  1259. syscall(__NR_ptrace, /*req=PTRACE_ATTACH*/ 0x10ul, /*pid=*/r[2], 0, 0);
  1260. syscall(__NR_ptrace, /*req=PTRACE_ATTACH*/ 0x10ul, /*pid=*/r[2], 0, 0);
  1261. syscall(__NR_ptrace, /*req=PTRACE_POKEDATA|0xfffffffffffffffa*/ -1, /*pid=*/0,
  1262. /*addr=*/0x200000c0ul, /*data=*/0ul);
  1263. syscall(__NR_ptrace, /*req=PTRACE_POKEDATA|0xfffffffffffffffa*/ -1, /*pid=*/0,
  1264. /*addr=*/0x200000c0ul, /*data=*/0ul);
  1265. syscall(__NR_read, /*fd=*/r[1], /*buf=*/0x20000040ul, /*count=*/0x2bul);
  1266. syscall(__NR_ioctl, /*fd=*/r[10], /*cmd=*/0x6611, 0);
  1267. return 0;
  1268. }
  1269.  
Advertisement
Add Comment
Please, Sign In to add comment
Public Pastes
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!