diff --git a/Makefile b/Makefile
index df2407a..bff1c5f 100644
--- a/Makefile
+++ b/Makefile
@@ -98,8 +98,10 @@ debug-nox: image.bin
 		-ex "break _start" \
 		-ex "continue"
 
-fs.img: ./kernel.bin ./tools/mkfs ./user/false ./user/greet ./user/div0 ./user/shout
-	./tools/mkfs $@ $< ./user/false ./user/greet ./user/div0 ./user/shout
+USERPROGS=./user/false ./user/greet ./user/div0 ./user/shout ./user/badputs ./user/bss
+
+fs.img: ./kernel.bin ./tools/mkfs $(USERPROGS)
+	./tools/mkfs $@ $< $(USERPROGS)
 
 LDFLAGS=-m elf_i386
 
diff --git a/tasks.md b/tasks.md
index 123d0d2..1a0fe41 100644
--- a/tasks.md
+++ b/tasks.md
@@ -62,7 +62,8 @@ Yabloko does not honor the size of `.bss` that your program requests.
 Instead, it [reads your program file](https://gitlab.myltsev.ru/caos/hw/yabloko/-/blob/main/proc.c#L53)
 into memory, reserving just enough pages that it fits. If you create a large
 `.bss` with (for example) `static char zeroes[8000]`, then accessing `zeroes[7000]` will
-cause a page fault (try this out).
+cause a page fault (try running the program in `user/bss.c` by typing `run bss` at
+the Yabloko prompt).
 
 Fix this by parsing the header of the executable file and mapping the required amount
 of pages. We already have the header structure `hdr` in [proc.c](https://gitlab.myltsev.ru/caos/hw/yabloko/-/blob/main/proc.c#L58).
@@ -83,7 +84,7 @@ This task requires understanding of virtual memory mappings and the memory
 layout of Yabloko. Contact [@myltsev](https://t.me/myltsev) if you attempt
 this and get stuck.
 
-The `shout` executable [demonstrates](https://gitlab.myltsev.ru/caos/hw/yabloko/-/blob/main/user/shout.c#L14)
+The `badputs` executable [demonstrates](https://gitlab.myltsev.ru/caos/hw/yabloko/-/blob/main/user/badputs.c#L14)
 the use of the `SYS_puts` system call. It supplies the string pointer as an argument
 of the system call, and the string is printed to the screen.
 
@@ -96,7 +97,7 @@ It is easy to cause a panic by supplying a random value:
 
 Your task is to check if the pointer actually points to a valid zero-terminated string,
 completing a [FIXME](https://gitlab.myltsev.ru/caos/hw/yabloko/-/blob/main/cpu/idt.c#L124)
-in the code.
+in the code. As a result, `run badputs` should no longer cause a kernel panic.
 
 ### Figuring out the size of mapped memory after the pointer
 During the handling of this system call, the page table of the calling process
diff --git a/user/badputs.c b/user/badputs.c
new file mode 100644
index 0000000..90127cc
--- /dev/null
+++ b/user/badputs.c
@@ -0,0 +1,9 @@
+#include "../syscall.h"
+#include <stdint.h>
+
+int main() {
+    const char* message = "I hope the kernel does not panic...\n";
+    syscall(SYS_puts, (uint32_t)message);
+    syscall(SYS_puts, 0x1bad1dea);
+    return 0;
+}
diff --git a/user/bss.c b/user/bss.c
new file mode 100644
index 0000000..75595aa
--- /dev/null
+++ b/user/bss.c
@@ -0,0 +1,8 @@
+#include "../syscall.h"
+
+static char zeroes[8000];
+
+int main(void) {
+    zeroes[7999] = 0;
+    return 0;
+}
\ No newline at end of file