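// autogenerated by syzkaller (http://github.com/google/syzkaller)
//
// Reproducer harness: main() installs a fault handler and then forks a fresh
// child for every iteration, forever. Each child replays a fixed syscall
// sequence (thr()) from several threads and is killed by the parent if it is
// still alive after CHILD_TIMEOUT_MS. The fixed addresses and byte patterns
// below are inputs for the kernel under test and carry no meaning by
// themselves.
//
// NOTE(review): the #include directives on the page had lost their header
// names; they are restored here from the symbols the code actually uses.
// The NONFAILING macro had also lost its line continuations and is rewritten
// as a proper multi-line macro. No syscall, argument or memory write changed.
#define _GNU_SOURCE
#include <errno.h>
#include <pthread.h>
#include <setjmp.h>
#include <signal.h>
#include <stdarg.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

/* Terminate the whole process (every thread) with `status`. The trailing
 * loop only exists so the noreturn attribute holds if exit_group returned. */
__attribute__((noreturn)) static void doexit(int status)
{
  volatile unsigned i;
  syscall(__NR_exit_group, status);
  for (i = 0;; i++) {
  }
}

/* Exit statuses reported to whatever runs this binary: kFailStatus for a
 * hard failure, kRetryStatus for a transient one (ENOMEM / EAGAIN). */
const int kFailStatus = 67;
const int kRetryStatus = 69;

/* Print a printf-style message and the errno captured on entry to stderr,
 * then exit. errno is saved first because vfprintf() may overwrite it. */
__attribute__((noreturn, format(printf, 1, 2)))
static void fail(const char *msg, ...)
{
  int saved_errno = errno;
  va_list args;
  va_start(args, msg);
  vfprintf(stderr, msg, args);
  va_end(args);
  fprintf(stderr, " (errno %d)\n", saved_errno);
  int retry = (saved_errno == ENOMEM || saved_errno == EAGAIN);
  doexit(retry ? kRetryStatus : kFailStatus);
}

/* Per-thread fault-recovery state used by NONFAILING(). skip_segv counts
 * the active NONFAILING blocks; segv_env is the jump target for a
 * tolerated fault. */
static __thread int skip_segv;
static __thread jmp_buf segv_env;

/* SIGSEGV/SIGBUS handler. While a NONFAILING block is active, a fault whose
 * address lies outside the fixed window [1 MiB, 100 MiB] is recovered by
 * jumping back to that block; any other fault ends the process with the
 * signal number as exit status. */
static void segv_handler(int sig, siginfo_t *info, void *uctx)
{
  (void)uctx;
  uintptr_t addr = (uintptr_t)info->si_addr;
  const uintptr_t prog_start = 1 << 20;
  const uintptr_t prog_end = 100 << 20;
  int skipping = __atomic_load_n(&skip_segv, __ATOMIC_RELAXED);
  int outside_window = (addr < prog_start || addr > prog_end);
  if (skipping && outside_window) {
    _longjmp(segv_env, 1);
  }
  doexit(sig);
  for (;;) {
  }
}

/* Ignore signals 32 and 33 (presumably the real-time signals glibc reserves
 * for itself, hence the raw rt_sigaction syscall with an 8-byte sigset
 * instead of sigaction() — confirm), then route SIGSEGV and SIGBUS to
 * segv_handler. SA_NODEFER keeps the signal unblocked while the handler
 * runs, which matters because the handler may longjmp out and never return
 * normally. */
static void install_segv_handler(void)
{
  struct sigaction ignore = {0};
  ignore.sa_handler = SIG_IGN;
  syscall(SYS_rt_sigaction, 0x20, &ignore, NULL, 8);
  syscall(SYS_rt_sigaction, 0x21, &ignore, NULL, 8);

  struct sigaction fault = {0};
  fault.sa_sigaction = segv_handler;
  fault.sa_flags = SA_NODEFER | SA_SIGINFO;
  sigaction(SIGSEGV, &fault, NULL);
  sigaction(SIGBUS, &fault, NULL);
}

/* Execute the statements in __VA_ARGS__ with fault recovery enabled: a
 * tolerated SIGSEGV/SIGBUS (see segv_handler) unwinds to the _setjmp here
 * and execution resumes after the block. skip_segv is a counter so nested
 * uses compose. */
#define NONFAILING(...)                                          \
  {                                                              \
    __atomic_fetch_add(&skip_segv, 1, __ATOMIC_SEQ_CST);         \
    if (_setjmp(segv_env) == 0) {                                \
      __VA_ARGS__;                                               \
    }                                                            \
    __atomic_fetch_sub(&skip_segv, 1, __ATOMIC_SEQ_CST);         \
  }

/* Monotonic clock in milliseconds; exits via fail() if the clock is
 * unavailable. */
static uint64_t current_time_ms(void)
{
  struct timespec ts;
  if (clock_gettime(CLOCK_MONOTONIC, &ts))
    fail("clock_gettime failed");
  uint64_t ms = (uint64_t)ts.tv_sec * 1000;
  ms += (uint64_t)ts.tv_nsec / 1000000;
  return ms;
}

enum {
  CHILD_TIMEOUT_MS = 5 * 1000, /* how long one child may run */
  POLL_INTERVAL_US = 1000,     /* parent's waitpid polling period */
  NUM_THREADS = 9              /* worker threads per child, one per case */
};

static void test(void);

/* Drive the reproducer forever. Each iteration forks a child that becomes
 * its own process group (so the whole group can be signalled), dies with
 * its parent (PR_SET_PDEATHSIG), runs test() once and exits 0. The parent
 * polls with waitpid(WNOHANG); a child still alive after CHILD_TIMEOUT_MS
 * is SIGKILLed together with its group and then reaped. fork() failure is
 * fatal (reported as "clone failed"). */
void loop(void)
{
  int iter;
  for (iter = 0;; iter++) {
    int pid = fork();
    if (pid < 0)
      fail("clone failed");
    if (pid == 0) {
      prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
      setpgrp();
      test();
      doexit(0);
    }
    int status = 0;
    uint64_t start = current_time_ms();
    for (;;) {
      int res = waitpid(-1, &status, __WALL | WNOHANG);
      if (res == pid)
        break;
      usleep(POLL_INTERVAL_US);
      if (current_time_ms() - start > CHILD_TIMEOUT_MS) {
        kill(-pid, SIGKILL);
        kill(pid, SIGKILL);
        /* Block until the child is actually reaped. */
        while (waitpid(-1, &status, __WALL) != pid) {
        }
        break;
      }
    }
  }
}

/* Syscall return values, indexed by the step number syzkaller assigned to
 * the original program (the gaps are steps that only write memory —
 * presumably; verify against the generator). Filled with -1 by test().
 * Only r[12] and r[59] (socket fds) are read back as arguments. */
long r[63];

/* Thread body: `arg` selects which step of the replayed program this thread
 * performs. Every memory write is wrapped in NONFAILING because the target
 * pages may not be mapped yet (the mmap steps run concurrently). */
void *thr(void *arg)
{
  switch ((long)arg) {
  case 0:
    /* 16-byte option value at 0x20924ff0, passed to setsockopt on fd -1
     * (level 1, optname 0x1a — look like SOL_SOCKET/SO_ATTACH_FILTER,
     * confirm). */
    NONFAILING(*(uint16_t *)0x20924ff0 = (uint16_t)0x2);
    NONFAILING(*(uint64_t *)0x20924ff8 = (uint64_t)0x20192ff0);
    NONFAILING(*(uint16_t *)0x20192ff0 = (uint16_t)0x20);
    NONFAILING(*(uint8_t *)0x20192ff2 = (uint8_t)0x0);
    NONFAILING(*(uint8_t *)0x20192ff3 = (uint8_t)0x0);
    NONFAILING(*(uint32_t *)0x20192ff4 = (uint32_t)0xfffffffffffff034);
    NONFAILING(*(uint16_t *)0x20192ff8 = (uint16_t)0x6);
    NONFAILING(*(uint8_t *)0x20192ffa = (uint8_t)0x0);
    NONFAILING(*(uint8_t *)0x20192ffb = (uint8_t)0x0);
    NONFAILING(*(uint32_t *)0x20192ffc = (uint32_t)0x0);
    r[10] = syscall(__NR_setsockopt, 0xfffffffffffffffful, 0x1ul, 0x1aul,
                    0x20924ff0ul, 0x10ul);
    break;
  case 1:
    /* Map the fixed data window used by all other steps. */
    r[11] = syscall(__NR_mmap, 0x20000000ul, 0xfd5000ul, 0x300000cul,
                    0x32ul, 0xfffffffffffffffful, 0x0ul);
    break;
  case 2:
    /* socket(0xa, 0x80003, 0x33): the fd consumed by cases 3–5. */
    r[12] = syscall(__NR_socket, 0xaul, 0x80003ul, 0x33ul);
    break;
  case 3:
    /* 28-byte sockaddr at 0x2066cfe4 (family 0xa), zero-length sendto. */
    NONFAILING(*(uint16_t *)0x2066cfe4 = (uint16_t)0xa);
    NONFAILING(*(uint16_t *)0x2066cfe6 = (uint16_t)0x214e);
    NONFAILING(*(uint32_t *)0x2066cfe8 = (uint32_t)0x0);
    NONFAILING(*(uint64_t *)0x2066cfec = (uint64_t)0x0);
    NONFAILING(*(uint64_t *)0x2066cff4 = (uint64_t)0x100000000000000);
    NONFAILING(*(uint32_t *)0x2066cffc = (uint32_t)0x0);
    r[19] = syscall(__NR_sendto, r[12], 0x208c1000ul, 0x0ul, 0x8080ul,
                    0x2066cfe4ul, 0x1cul);
    break;
  case 4:
    /* msghdr at 0x2052efc8 whose iov (4 entries at 0x209c4000) points at
     * otherwise untouched addresses; recvmsg with flags 0x10020. */
    NONFAILING(*(uint64_t *)0x2052efc8 = (uint64_t)0x20b11000);
    NONFAILING(*(uint32_t *)0x2052efd0 = (uint32_t)0x58);
    NONFAILING(*(uint64_t *)0x2052efd8 = (uint64_t)0x209c4000);
    NONFAILING(*(uint64_t *)0x2052efe0 = (uint64_t)0x4);
    NONFAILING(*(uint64_t *)0x2052efe8 = (uint64_t)0x208f1000);
    NONFAILING(*(uint64_t *)0x2052eff0 = (uint64_t)0x0);
    NONFAILING(*(uint32_t *)0x2052eff8 = (uint32_t)0xfffffffffffffff9);
    NONFAILING(*(uint64_t *)0x209c4000 = (uint64_t)0x20dd5f61);
    NONFAILING(*(uint64_t *)0x209c4008 = (uint64_t)0x0);
    NONFAILING(*(uint64_t *)0x209c4010 = (uint64_t)0x20a2c000);
    NONFAILING(*(uint64_t *)0x209c4018 = (uint64_t)0x0);
    NONFAILING(*(uint64_t *)0x209c4020 = (uint64_t)0x209b7f39);
    NONFAILING(*(uint64_t *)0x209c4028 = (uint64_t)0x0);
    NONFAILING(*(uint64_t *)0x209c4030 = (uint64_t)0x2069a000);
    NONFAILING(*(uint64_t *)0x209c4038 = (uint64_t)0x0);
    r[35] = syscall(__NR_recvmsg, r[12], 0x2052efc8ul, 0x10020ul);
    break;
  case 5:
    /* 2033-byte (0x7f1) payload at 0x2013b7ff, sent to the 28-byte
     * sockaddr at 0x204e8fe4 (family 0xa, port bytes 0x204e). */
    NONFAILING(memcpy(
        (void *)0x2013b7ff,
        "\xec\x0c\xd3\xb5\x1b\x24\x75\x5b\x81\x84\x61\xe7\x01\x55\xa5"
        "\x67\x25\xf3\x0a\x7c\x1e\x38\x3b\x23\x28\x81\x19\x87\xa2\xf3"
        "\xa4\x79\x85\x20\x85\x9a\x6a\x5c\x92\x2e\x8f\x36\x7c\xed\xeb"
        "\xf9\x7c\x61\xc1\xc5\x37\xcb\x11\x0b\x13\xb6\x6b\xc6\x4d\x0d"
        "\xbb\x36\xd5\x09\x83\xcf\x0a\x8a\xa2\xde\x12\x0d\x70\x20\x3b"
        "\x42\x2f\x7e\x60\x43\xf4\x74\x56\xfc\x9e\x97\x8e\xa6\xc3\x2c"
        "\x4b\x1c\x89\xc9\x4d\xb9\x7a\x1e\x75\xda\x6e\xd1\x36\xf7\xa5"
        "\xdd\xea\x81\x9d\xf7\x50\x89\x87\xb6\x7c\x27\x84\xef\xe7\x91"
        "\x78\x55\x4a\x7f\x1b\xa4\x93\xf1\x51\x80\x80\xcf\x91\x84\x2c"
        "\x1c\x5b\xd9\xc9\xc6\xb2\x3e\x6d\x31\x10\x20\x50\x37\xea\xfe"
        "\x4a\x84\x8d\xb8\x50\x67\xca\xef\xa8\xa4\xb0\x13\x64\x20\xbe"
        "\xe4\x43\x45\xaa\x76\xcf\x9b\xd2\xf4\x22\x8c\x74\x29\x5e\x48"
        "\x6b\x9d\xcf\x64\x91\x29\x94\xe4\xb1\x0a\x0b\xff\xf7\x86\x21"
        "\x5e\x57\xb4\x72\x81\x17\x39\x37\x74\x4a\x77\x9f\x1a\xbf\xe1"
        "\xe0\x20\x00\x0b\x2d\x29\xd5\x26\xa2\x6d\x09\x86\x07\xf6\xbf"
        "\x16\xc7\x6e\xac\xcf\xc9\x61\xb3\x14\x9a\xdc\x38\xab\xfe\x44"
        "\x37\x76\x3c\x4a\xb9\xf2\x0c\x06\xc2\x3b\xd0\x96\xd2\x5d\xf4"
        "\xcf\xfb\x0c\x1c\x21\xd2\x7c\x68\x7b\xe8\xa7\xc1\x22\x88\x1a"
        "\x0c\x07\xc9\x28\x78\x61\xc9\xf3\xce\xeb\xbd\x87\xbc\xc3\x35"
        "\xfe\x5e\x59\x8c\xb2\xa2\xba\x3e\xcb\x75\x72\x3d\x80\x81\x51"
        "\x7d\xf6\x83\x54\xba\x5c\xae\x80\xff\x59\x7e\xb9\x7e\x76\x35"
        "\x0d\xa9\x50\x4c\x14\x63\x96\x3c\xcf\x16\x15\x42\x03\x6e\x4d"
        "\xfe\x9c\x6f\xe5\x9c\x50\xe0\x89\x1b\xb9\x7b\x40\x6b\x59\x1e"
        "\x09\x96\xf7\x41\x39\x36\x13\xcc\xd8\xff\xae\x98\xb6\x26\x23"
        "\xe7\x02\x48\x83\xe8\xef\xe4\x41\x41\x53\xab\x0a\xc2\x43\x8e"
        "\x2a\x97\xf4\x56\x75\x26\x56\xac\x58\x8b\x30\xe4\xcb\x2e\x87"
        "\x96\x77\x39\x89\xa8\xc5\x99\xdb\xa7\x65\xd4\xe0\x69\x58\x04"
        "\x4e\xdf\x30\xf9\x90\xb3\x45\x4f\xd8\xee\xdf\xfa\x50\x66\xea"
        "\xef\x88\x28\x54\x92\x1c\x45\x17\x42\x55\x9a\x22\x5d\xba\xee"
        "\xbf\xd2\x73\xcf\x86\x8b\x5b\xd1\xc9\x00\xea\x8c\xfc\xbf\xfe"
        "\x59\x4e\x92\x11\x4b\xa5\x96\x52\x2e\xe7\x4a\x3e\xee\x44\x0f"
        "\xc4\xe3\x92\x69\x34\x39\xa6\xe1\x4e\x76\xc0\x07\x0c\x32\xd8"
        "\x53\xeb\x30\xa6\x5f\x40\xe4\xdf\x9f\x54\x30\x53\xb0\xaa\xfb"
        "\x26\x74\x2a\x9d\x58\x5a\xdd\x17\x17\x99\xbc\x23\x36\xbf\xc8"
        "\xd4\x3c\x94\x74\x22\x71\xb8\x7a\x23\x24\xfe\xa0\x93\xe1\xcb"
        "\x78\x86\x71\xfe\x36\xc6\x01\x10\x8c\xb0\xd8\xff\x9e\x5a\xba"
        "\xf6\xd5\x1c\xa1\x4b\x37\xe5\xda\x86\x21\xd1\x91\x2b\x6e\x28"
        "\xd4\x42\x89\xb4\x43\x70\xd6\x3a\xd0\x23\x68\x89\x44\xc2\x2a"
        "\x2c\xfb\x16\x85\xcb\xa0\xc2\x47\x02\xee\xdb\x09\x41\x35\x87"
        "\xa0\x50\x65\x19\xc3\xea\x78\x30\xd5\x6c\x8f\x2c\xe7\x85\x3c"
        "\x21\xeb\x70\x1a\xea\x25\x82\x89\x5c\xb4\x3e\x37\xdd\xf0\x9c"
        "\xec\xde\x80\xf1\x97\x4d\xe6\xa0\x5b\x06\xd6\x54\x1d\xe6\xd3"
        "\xda\x4e\xa4\x00\x8a\xeb\x77\x8d\x68\x69\x62\xc6\xed\x16\x66"
        "\x55\x71\x1e\x61\x14\xe2\x41\x6f\xa3\xb8\x6d\x1d\xc3\xfb\xf6"
        "\xd7\x42\x3e\x01\x3e\x86\x96\x63\xfc\x6e\xe4\x2a\x34\xdf\x6a"
        "\x0c\x36\x16\x5c\x50\x50\x35\xd2\xe3\xc3\xb0\x1b\xe2\x54\x50"
        "\x4d\x04\x81\x7e\x2e\xeb\x80\xdd\x39\xce\xe1\x90\x0e\x14\x41"
        "\xd2\x94\x5d\x90\x09\x6b\x75\x63\x75\xdd\x6f\xc1\x50\x73\x13"
        "\xb3\x3c\x25\xde\x3d\x79\xa2\xc3\xfa\xe0\xd1\x4a\x8b\xde\x30"
        "\x40\xc5\x90\x93\x74\x17\x96\x50\x95\x80\xaa\x14\x29\xfe\x74"
        "\x3e\x42\xf8\xa4\x22\x1a\xa4\xa9\xc4\x71\x97\xf0\xbb\xfa\x43"
        "\x58\x4f\xac\x3a\xd9\x4a\x5b\x3c\x9d\x22\xc2\x8d\x68\x57\xf5"
        "\x2b\xe2\x54\x49\x66\xf2\xbd\x8d\x0f\x88\xde\xb4\x4d\x92\x85"
        "\x44\xec\xd6\x77\x7d\xf8\x20\x95\x1e\xb6\x82\x0e\xc7\x12\x36"
        "\x13\xa4\x32\x95\xf0\xdb\x82\x2b\x57\xe5\xe6\xb3\x4a\xa6\xb7"
        "\xce\xdb\x32\x5a\x4a\x80\x74\x59\x38\x44\xe7\xa0\xec\xc9\x3d"
        "\x59\x5d\x07\x64\xa7\x14\xc9\x03\x17\xfe\x91\xbc\xe1\xe8\x0f"
        "\x04\x70\x58\x36\x23\xc2\x0d\x92\xe6\x85\x4c\xf6\x3f\x0c\x94"
        "\x63\x6d\xe3\xe2\x0d\xf9\x34\xf7\x2c\x4b\xb1\xd5\x15\x07\x2a"
        "\xac\xdb\x5a\x74\x9a\x44\x26\x96\xab\x40\x2d\x0e\xa9\x91\x93"
        "\xe9\x5c\x46\x17\xcf\x26\x52\x07\xe2\xfb\xe1\x23\xc6\x10\x46"
        "\xec\x6f\xe5\x0f\xf0\x94\x96\x21\x8c\x92\xbb\xb7\x1c\x03\x5a"
        "\x92\x12\x0b\x1a\x46\xac\x60\x3d\x23\x06\x49\x98\xbe\xc5\xb4"
        "\x50\x99\xe5\x4c\xa1\x70\x7b\x59\xe7\x2d\x13\x1d\xfa\xc3\xe8"
        "\xba\x53\xff\xe5\xbb\xa8\xa1\x15\xee\xc9\x61\x22\xbe\xc5\xd1"
        "\x4f\x67\xec\xdc\x57\xa1\x1f\x33\x02\x6a\xba\xeb\x04\xc6\x6d"
        "\xa8\xff\x44\x98\x07\x53\x66\xd3\xf1\xdc\x4c\xa2\xa6\x6a\x26"
        "\x33\x43\x05\x20\x2f\xe8\x98\xc3\xf6\xc6\x4a\x25\x34\xf0\x64"
        "\x01\xec\x54\x38\x93\x5f\x8e\x11\xa2\xcd\xfe\x57\x8e\xdd\x07"
        "\xfd\x50\xdd\x7b\xac\x66\x29\x98\x1d\xce\x0b\x24\xae\x1d\x5f"
        "\x32\x57\xdf\xb7\xdf\x14\x47\xc0\x40\x4f\x9e\x5a\x2d\x74\x06"
        "\x7c\x79\xd0\x83\xda\x1b\x87\x41\xdb\xb2\xfe\x52\xef\x28\xef"
        "\x16\x88\xf7\x1a\xb1\x64\x6d\x44\xc6\xb3\xd2\xb6\x25\xca\x92"
        "\xea\xfa\xe7\x22\x8c\xdd\x56\x71\xf4\x9e\xf6\x91\x9e\xc4\xb7"
        "\x04\x63\xfa\x7d\x93\xc6\x2c\x7b\x51\x5e\x77\x39\x70\x4a\x36"
        "\x04\x0c\x0e\xa4\x04\x39\x01\x9c\x48\x7e\x91\x1d\x4b\x4e\x07"
        "\xcc\xbc\x6d\x62\x0c\x3d\x9d\x04\xcf\x51\x98\x78\x82\x97\xaf"
        "\x9b\x28\xfb\x3d\x07\xc8\x9d\x6f\x86\xb0\x4a\xee\xb1\x04\x49"
        "\x79\xb4\xfc\x72\xa0\x08\x41\xfb\x21\x68\x8c\xad\x9c\xa3\x6b"
        "\xc8\xfe\x22\xf5\xb0\x1a\x96\x91\xe5\xfb\x3b\x4f\x7d\x34\xe8"
        "\xf1\x70\xea\xbe\xf9\x91\x56\x67\x98\xbf\x57\x0d\x2b\xcb\x22"
        "\x1b\x79\xf2\x87\x76\xd5\xe9\x8e\x4e\xfb\x4a\x20\x7a\xfa\xbd"
        "\x56\xca\xbe\x0f\x70\xe6\xb9\x95\xf6\x46\x16\x78\xb4\xd8\xaf"
        "\x27\x2f\x33\x16\x55\x02\x43\xad\x12\x3d\x94\x17\x4c\xfc\x5b"
        "\xa7\x7e\xda\xc5\xc2\x40\x8e\xdf\x96\xa4\xd5\x30\x62\xe3\x06"
        "\xa2\xd9\x0a\x5d\x78\xe5\x8a\x3b\x1e\xaf\x1f\x46\x17\x80\xf8"
        "\x17\xb4\x15\x1d\xcf\xa9\x89\xe0\x64\x10\x8f\xd1\xb9\x7e\x35"
        "\xc8\xac\xe8\x8e\x5e\xf1\xbc\x7f\xfb\x86\x28\x26\x39\x80\x88"
        "\x23\xfb\xcf\xf3\xa8\x53\xca\x92\x50\x6c\x9e\x7d\xc9\x40\x1d"
        "\x28\x55\xd8\xc6\x05\xae\xb4\x1b\xe0\x17\xd5\x50\xc9\x95\xa3"
        "\x85\xa9\x9a\x2a\xb1\xf5\x8f\xef\xa7\x66\xe8\xe8\xcd\x77\x60"
        "\xea\x3c\x2a\xda\xb6\xe2\x65\xe5\x2d\x03\xac\xcd\xe8\x52\xcd"
        "\x3c\xe7\x79\x91\xcc\x52\x73\xbf\xa9\x81\xc4\xb7\x50\x34\xc6"
        "\x7f\xd3\x14\xb9\x59\xa1\x2a\x49\x25\xd7\x13\xc6\x76\xb1\xb2"
        "\x69\x04\x89\xda\x83\x7f\x99\x1f\xe2\xcf\x99\xbf\x2c\x1b\xa4"
        "\xda\x7c\x95\x4f\x73\xa2\xf4\xd5\xa4\xd0\xc9\xd1\x30\xbe\x47"
        "\xe9\x48\x30\x1a\xa1\xc6\xb0\xfa\x65\x49\x5f\xc8\x7d\x56\xb0"
        "\xb3\xa1\xfc\x85\xe0\x0a\x05\xb5\x8b\xee\xc7\x09\xbe\x48\xe1"
        "\x63\xb9\x35\xe8\xb0\xf6\x53\x5c\xff\x3a\x4a\xa5\xb9\x8c\x04"
        "\x58\x16\xd4\xf0\x8f\xfa\xb2\x22\xb1\x43\x03\xe9\x3f\x71\x15"
        "\x25\x3a\xeb\x64\x73\x4f\xa3\x59\x42\xff\xac\xc6\x6c\x69\x80"
        "\x96\xd3\x90\x4b\xf5\x44\x5d\x41\x72\x28\xbc\x03\xd2\x2a\x39"
        "\xd8\x8e\x17\x5e\x9b\xde\x20\x55\x52\x9a\xf9\xdc\x51\x24\x6d"
        "\x86\xe9\x50\x3b\x97\xd0\x12\xc8\x7e\x70\x88\xc0\x1f\x9b\xa0"
        "\xfe\xad\x0c\x34\xaf\xd9\x05\x8a\xfc\x88\xc6\x1f\xb9\x31\xe7"
        "\xa7\x47\x96\xea\x6a\xae\x5f\xae\x59\xa9\x5c\x52\x27\x47\x59"
        "\x3c\xea\x42\x0f\xff\x95\x60\x50\x52\x0f\x2a\x58\xc0\x04\x51"
        "\xbb\x1c\x6a\xcb\xfc\x43\xec\x38\xf2\xb9\x3c\x10\x00\x6d\x13"
        "\xc0\x5b\xed\xab\xdd\x8b\x8f\xb2\xe2\xe4\x27\x3b\xc5\x76\xfa"
        "\x70\x44\x5e\x41\xca\x07\xe2\xb4\x32\x42\x60\xda\x6a\xd5\x65"
        "\x06\x21\xd9\x60\x95\x97\xf1\xfe\xaa\x53\x76\x88\x96\x0c\x77"
        "\x91\x84\x64\xd9\x00\x88\xbf\xd5\x1b\xfa\xcc\x00\xf2\x9a\x08"
        "\x52\x63\xb1\xbc\xf4\xb2\xc9\x99\x08\x91\x3a\x93\x33\x07\x03"
        "\xf3\xce\x76\x91\xa2\x60\xe1\x5d\x9c\xdb\xf7\x30\xad\x20\x42"
        "\x24\x5d\x3e\x7a\xe7\xf5\xd2\xa5\x29\xaa\x77\xf9\x0f\x8c\x44"
        "\xce\xb4\x28\xed\x11\x47\xbb\xe4\x16\x14\x59\x8f\x28\xc9\xa5"
        "\x07\xc6\x73\x80\x05\x84\xef\x7c\xb2\xc0\xbf\x0b\x77\xe7\xa9"
        "\x88\xdd\x9d\xd0\x99\x6b\x9f\x2b\x22\xad\x5f\xb8\x0b\xa0\x58"
        "\xc6\x21\x60\x13\xec\xef\xae\xed\x04\xa0\xcc\xe3\x08\xee\xc1"
        "\x8e\xd2\x0c\x44\x6f\x34\xb6\xbe\x43\x7f\x37\x23\x42\x53\x94"
        "\xb8\x26\x74\x28\x0b\x4b\x46\x8c\x4e\x0a\x13\x4b\x2c\x50\x44"
        "\xe9\xe4\xc4\x94\x14\x1b\x5e\xb2\x4a\x05\x50\xf5\x45\x71\x4e"
        "\x6e\x96\xeb\x7e\x27\x06\xf2\x05\xa4\xc3\x9a\x6d\x6e\x7f\xb4"
        "\xa7\x78\xfe\x20\xfc\x6f\x99\x91\xdd\x93\xc5\xae\xab\x9f\xff"
        "\x3a\x85\xed\x53\x37\x3e\x6a\xa6\x14\x3b\x16\x15\x4f\xb9\x37"
        "\x56\xa9\x26\xeb\x7f\x4d\xd1\x9e\x1c\xf7\x96\x6a\x9f\xc7\x4b"
        "\x1e\x1c\x33\x07\x72\x6d\xa3\xf5\x3f\xa4\xcf\xb1\x8d\xb1\x1c"
        "\x2a\x87\x8a\x41\xfd\xdd\x76\x92\xb3\xcb\x42\x91\x34\x1d\x59"
        "\x65\x5c\x8e\x2c\x5b\x5a\xe8\xb9\x92\xc0\xf1\x52\xa6\x41\x1a"
        "\xe6\x78\x16\x0e\x4d\xa5\xf7\x29\xde\x98\x9c\x20\xa8\x80\x1b"
        "\xd3\xb2\xdd\xa3\x2d\x46\x5f\x7a\x5b\x63\xc4\xba\x86\xca\x83"
        "\xdb\x6d\xeb\xdc\x9c\xed\xf2\x8c\x9c\x0c\x38\x53\xbe\x5d\x15"
        "\xda\x23\xee\xf2\x46\x91\x48\x24\xdd\x4c\x37\xf5\xfc\xeb\xb9"
        "\xb8\x0e\x09\x86\x05\x5d\xb3\x91\x1a\xcf\x9d\x70\xb5\x84\xd8"
        "\x4d\xa1\xb9\xcd\x3d\x24\x33\x6f\x88\x79\x56\x36\x40\x59\x2b"
        "\x5a\xb6\x43\x48\x09\xb9\x74\x74",
        2033));
    NONFAILING(*(uint16_t *)0x204e8fe4 = (uint16_t)0xa);
    NONFAILING(*(uint16_t *)0x204e8fe6 = (uint16_t)0x204e);
    NONFAILING(*(uint32_t *)0x204e8fe8 = (uint32_t)0x0);
    NONFAILING(*(uint8_t *)0x204e8fec = (uint8_t)0xfe);
    NONFAILING(*(uint8_t *)0x204e8fed = (uint8_t)0x80);
    NONFAILING(*(uint8_t *)0x204e8fee = (uint8_t)0x0);
    NONFAILING(*(uint8_t *)0x204e8fef = (uint8_t)0x0);
    NONFAILING(*(uint8_t *)0x204e8ff0 = (uint8_t)0x0);
    NONFAILING(*(uint8_t *)0x204e8ff1 = (uint8_t)0x0);
    NONFAILING(*(uint8_t *)0x204e8ff2 = (uint8_t)0x0);
    NONFAILING(*(uint8_t *)0x204e8ff3 = (uint8_t)0x0);
    NONFAILING(*(uint8_t *)0x204e8ff4 = (uint8_t)0x0);
    NONFAILING(*(uint8_t *)0x204e8ff5 = (uint8_t)0x0);
    NONFAILING(*(uint8_t *)0x204e8ff6 = (uint8_t)0x0);
    NONFAILING(*(uint8_t *)0x204e8ff7 = (uint8_t)0x0);
    NONFAILING(*(uint8_t *)0x204e8ff8 = (uint8_t)0x0);
    NONFAILING(*(uint8_t *)0x204e8ff9 = (uint8_t)0x0);
    NONFAILING(*(uint8_t *)0x204e8ffa = (uint8_t)0x0);
    NONFAILING(*(uint8_t *)0x204e8ffb = (uint8_t)0xbb);
    NONFAILING(*(uint32_t *)0x204e8ffc = (uint32_t)0x0);
    r[57] = syscall(__NR_sendto, r[12], 0x2013b7fful, 0x7f1ul, 0x0ul,
                    0x204e8fe4ul, 0x1cul);
    break;
  case 6:
    /* Second, smaller mapping at the same base address. */
    r[58] = syscall(__NR_mmap, 0x20000000ul, 0xb9e000ul, 0x3ul, 0x32ul,
                    0xfffffffffffffffful, 0x0ul);
    break;
  case 7:
    /* socket(0x2, 0x806, 0): the fd consumed by case 8. */
    r[59] = syscall(__NR_socket, 0x2ul, 0x806ul, 0x0ul);
    break;
  case 8:
    /* 16-byte interface name "lo" followed by a 16-bit value 0xfffd at
     * offset 16, handed to ioctl 0x8914 on the case-7 socket. */
    NONFAILING(memcpy((void *)0x2003b000,
                      "\x6c\x6f\x00\x00\x00\x00\x00"
                      "\x00\x00\x00\x00\x00\x00\x00"
                      "\x00\x00",
                      16));
    NONFAILING(*(uint16_t *)0x2003b010 = (uint16_t)0xfffffffffffffffd);
    r[62] = syscall(__NR_ioctl, r[59], 0x8914ul, 0x2003b000ul);
    break;
  default:
    break;
  }
  return 0;
}

/* One iteration of the program inside a child: reset the result table,
 * start the worker threads at slightly randomised intervals, then give them
 * up to 100 ms before returning (the caller exits the process, so the
 * threads are never joined). pthread_create is best-effort: a failure just
 * leaves that step out of this iteration. rand() is never seeded, so the
 * delays repeat from run to run. */
static void test(void)
{
  long idx;
  pthread_t th[NUM_THREADS];
  memset(r, -1, sizeof(r));
  for (idx = 0; idx < NUM_THREADS; idx++) {
    pthread_create(&th[idx], 0, thr, (void *)idx);
    usleep(rand() % 10000);
  }
  usleep(rand() % 100000);
}

/* Entry point: arm fault recovery, then run the fork loop until killed. */
int main(void)
{
  install_segv_handler();
  loop();
  return 0;
}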