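// https://syzkaller.appspot.com/bug?id=779a64ccaefd969d5d9bc72a7c4fe39598d53884
// autogenerated by syzkaller (https://github.com/google/syzkaller)
//
// Reviewer notes on this copy: the generated source had been collapsed onto a
// few lines and the header names inside the #include directives were lost when
// the page was extracted.  The include list below was rebuilt from the symbols
// the file actually uses (usleep/syscall -> unistd.h, clock_gettime -> time.h,
// pthread_* -> pthread.h, FUTEX_* -> linux/futex.h, htobe16/htobe32 ->
// endian.h, __NR_* -> sys/syscall.h, memcpy/memset -> string.h, exit ->
// stdlib.h, errno -> errno.h, fixed-width ints -> stdint.h).  Runs of
// consecutive byte-wise zero stores were folded into memset() calls covering
// exactly the same extent; every other store keeps the generator's original
// address and value, in the original order.
//
// The program is only meaningful inside the syzkaller VM: main() maps a fixed
// 16 MiB RWX arena at 0x20000000 and execute_call() writes syscall arguments
// into it at hard-coded addresses.

#define _GNU_SOURCE

#include <endian.h>
#include <errno.h>
#include <linux/futex.h>
#include <pthread.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <time.h>
#include <unistd.h>

// Sleep for `ms` milliseconds.
static void sleep_ms(uint64_t ms)
{
  usleep(ms * 1000);
}

// Monotonic clock in milliseconds.  Like every other unrecoverable failure in
// this file, an unavailable clock terminates the process.
static uint64_t current_time_ms(void)
{
  struct timespec ts;
  if (clock_gettime(CLOCK_MONOTONIC, &ts))
    exit(1);
  return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}

// Start a worker thread with a 128 KiB stack; the thread is never joined.
// EAGAIN (thread limit reached) is retried up to 100 times with a short
// pause; any other error, or exhausting the retries, terminates the process.
static void thread_start(void* (*fn)(void*), void* arg)
{
  pthread_t th;
  pthread_attr_t attr;
  pthread_attr_init(&attr);
  pthread_attr_setstacksize(&attr, 128 << 10);
  for (int i = 0; i < 100; i++) {
    if (pthread_create(&th, &attr, fn, arg) == 0) {
      pthread_attr_destroy(&attr);
      return;
    }
    if (errno == EAGAIN) {
      usleep(50);
      continue;
    }
    break;
  }
  exit(1);
}

// Mask of `bf_len` bits starting at bit `bf_off`.
#define BITMASK(bf_off, bf_len) (((1ull << (bf_len)) - 1) << (bf_off))
// Read-modify-write of a bitfield inside the `type`-sized integer at `addr`.
// `htobe` is either empty (host byte order) or a byte-swap macro that is
// applied on both the load and the store, so that `bf_off` is interpreted in
// network byte order.
#define STORE_BY_BITMASK(type, htobe, addr, val, bf_off, bf_len)              \
  *(type*)(addr) =                                                           \
      htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) |         \
            (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len))))

// Minimal one-shot event built on a process-private futex.  `state` is
// 0 (clear) or 1 (set).
typedef struct {
  int state;
} event_t;

static void event_init(event_t* ev)
{
  ev->state = 0;
}

static void event_reset(event_t* ev)
{
  ev->state = 0;
}

// Set the event and wake every waiter.  Setting an already-set event is a
// protocol violation in this harness and terminates the process.
static void event_set(event_t* ev)
{
  if (ev->state)
    exit(1);
  __atomic_store_n(&ev->state, 1, __ATOMIC_RELEASE);
  syscall(SYS_futex, &ev->state, FUTEX_WAKE | FUTEX_PRIVATE_FLAG, 1000000);
}

// Block until the event is set.  The state is re-checked in a loop because
// FUTEX_WAIT may return before the value has actually changed.
static void event_wait(event_t* ev)
{
  while (!__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE))
    syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, 0);
}

static int event_isset(event_t* ev)
{
  return __atomic_load_n(&ev->state, __ATOMIC_ACQUIRE);
}

// Wait up to `timeout` ms for the event.  Returns 1 if it was set, 0 on
// timeout.  `remain` cannot underflow: the loop returns as soon as
// `now - start` exceeds `timeout`.
static int event_timedwait(event_t* ev, uint64_t timeout)
{
  uint64_t start = current_time_ms();
  uint64_t now = start;
  for (;;) {
    uint64_t remain = timeout - (now - start);
    struct timespec ts;
    ts.tv_sec = remain / 1000;
    ts.tv_nsec = (remain % 1000) * 1000 * 1000;
    syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, &ts);
    if (__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE))
      return 1;
    now = current_time_ms();
    if (now - start > timeout)
      return 0;
  }
}

struct thread_t {
  int created, call;
  event_t ready, done;  // ready: a call was posted by loop(); done: it finished
};

static struct thread_t threads[16];
static void execute_call(int call);
static int running;  // number of calls currently executing on worker threads

// Worker body: wait for a call to be posted, run it, signal completion.
static void* thr(void* arg)
{
  struct thread_t* th = (struct thread_t*)arg;
  for (;;) {
    event_wait(&th->ready);
    event_reset(&th->ready);
    execute_call(th->call);
    __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED);
    event_set(&th->done);
  }
  return 0;
}

// Run the 12-call program twice.  Pass 1 hands each call to the first idle
// worker and waits up to 50 ms for it to finish.  Pass 2 ("collide") posts
// every even-numbered call without waiting, so it races the call that
// follows it.  Workers are created lazily and never torn down; a call that
// overruns its 50 ms budget keeps its worker busy and later calls use the
// next idle one.  If all 16 workers are busy the call is silently skipped.
static void loop(void)
{
  int i, call, thread;
  int collide = 0;
again:
  for (call = 0; call < 12; call++) {
    for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0]));
         thread++) {
      struct thread_t* th = &threads[thread];
      if (!th->created) {
        th->created = 1;
        event_init(&th->ready);
        event_init(&th->done);
        event_set(&th->done);
        thread_start(thr, th);
      }
      if (!event_isset(&th->done))
        continue;
      event_reset(&th->done);
      th->call = call;
      __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED);
      event_set(&th->ready);
      if (collide && (call % 2) == 0)
        break;
      event_timedwait(&th->done, 50);
      break;
    }
  }
  // Give in-flight calls up to ~100 ms to drain before the collide pass / exit.
  for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++)
    sleep_ms(1);
  if (!collide) {
    collide = 1;
    goto again;
  }
}

#ifndef __NR_memfd_create
#define __NR_memfd_create 319
#endif

// Resources produced by earlier calls and consumed by later ones:
//   r[0]  AF_INET6 datagram socket (call 0)
//   r[1]  fd returned by openat (call 3)
//   r[2]  /dev/net/tun fd (call 8)
//   r[3]  AF_NETLINK/NETLINK_NETFILTER socket (call 10)
// -1 means "not created"; a consuming call is then issued with that invalid
// fd unchanged.
uint64_t r[4] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff,
                 0xffffffffffffffff};

// Execute program call number `call` (0..11).  Declared static above; the
// definition now carries the same storage class.
static void execute_call(int call)
{
  intptr_t res = 0;
  switch (call) {
  case 0:
    // socket(AF_INET6, SOCK_DGRAM, 0) -> r[0]
    res = syscall(__NR_socket, 0xaul, 2ul, 0);
    if (res != -1)
      r[0] = res;
    break;
  case 1:
    // setsockopt(r[0], SOL_IPV6 (0x29), optname 0x40, buf, 0x3f8).  The
    // buffer at 0x20000a00 has the layout of an ip6tables table-replace
    // request for the "filter" table: a 0x60-byte header (valid_hooks=0xe,
    // num_entries=4, size=0x398, hook_entry[5], underflow[5], num_counters=4,
    // counters=NULL) followed by four entries whose targets are "TEE",
    // "HMARK" and two unnamed standard targets.  Offsets in the comments are
    // relative to 0x20000a00; the code keeps the absolute addresses.
    memcpy((void*)0x20000a00,
           "filter\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000"
           "\000\000\000\000\000\000\000\000\000\000\000",
           32);
    *(uint32_t*)0x20000a20 = 0xe;    // valid_hooks
    *(uint32_t*)0x20000a24 = 4;      // num_entries
    *(uint32_t*)0x20000a28 = 0x398;  // size of the entries below (0x3f8-0x60)
    *(uint32_t*)0x20000a2c = -1;     // hook_entry[0..4]
    *(uint32_t*)0x20000a30 = 0xf0;
    *(uint32_t*)0x20000a34 = 0xf0;
    *(uint32_t*)0x20000a38 = 0xf0;
    *(uint32_t*)0x20000a3c = -1;
    *(uint32_t*)0x20000a40 = -1;     // underflow[0..4]
    *(uint32_t*)0x20000a44 = 0x2c8;
    *(uint32_t*)0x20000a48 = 0x2c8;
    *(uint32_t*)0x20000a4c = 0x2c8;
    *(uint32_t*)0x20000a50 = -1;
    *(uint32_t*)0x20000a54 = 4;      // num_counters
    *(uint64_t*)0x20000a58 = 0;      // counters (user pointer, NULL)
    // Entry 1 @+0x60: all-zero ipv6 match block (0x88 bytes), target_offset
    // 0xa8, next_offset 0xf0.  Target "TEE" rev 1, size 0x48, with address
    // bytes ac 14 14 00 and oif "caif0".
    memset((void*)0x20000a60, 0, 0x88);
    *(uint32_t*)0x20000ae8 = 0;
    *(uint16_t*)0x20000aec = 0xa8;
    *(uint16_t*)0x20000aee = 0xf0;
    *(uint32_t*)0x20000af0 = 0;
    *(uint64_t*)0x20000af8 = 0;
    *(uint64_t*)0x20000b00 = 0;
    *(uint16_t*)0x20000b08 = 0x48;
    memcpy((void*)0x20000b0a,
           "TEE\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000"
           "\000\000\000\000\000\000\000\000\000\000",
           29);
    *(uint8_t*)0x20000b27 = 1;
    *(uint8_t*)0x20000b28 = 0xac;
    *(uint8_t*)0x20000b29 = 0x14;
    *(uint8_t*)0x20000b2a = 0x14;
    *(uint8_t*)0x20000b2b = 0;
    memcpy((void*)0x20000b38, "caif0\000\000\000\000\000\000\000\000\000\000\000",
           16);
    *(uint64_t*)0x20000b48 = 0;
    // Entry 2 @+0x150: all-zero match block, target_offset 0xa8, next_offset
    // 0x108.  Target "HMARK" rev 0, size 0x60; only the field at +0x4c of
    // the target data (0x100200) is non-zero.
    memset((void*)0x20000b50, 0, 0x88);
    *(uint32_t*)0x20000bd8 = 0;
    *(uint16_t*)0x20000bdc = 0xa8;
    *(uint16_t*)0x20000bde = 0x108;
    *(uint32_t*)0x20000be0 = 0;
    *(uint64_t*)0x20000be8 = 0;
    *(uint64_t*)0x20000bf0 = 0;
    *(uint16_t*)0x20000bf8 = 0x60;
    memcpy((void*)0x20000bfa,
           "HMARK\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000"
           "\000\000\000\000\000\000\000\000\000",
           29);
    *(uint8_t*)0x20000c17 = 0;
    *(uint32_t*)0x20000c18 = htobe32(0);
    *(uint32_t*)0x20000c28 = htobe32(0);
    *(uint32_t*)0x20000c2c = htobe32(0);
    *(uint32_t*)0x20000c30 = htobe32(0);
    *(uint32_t*)0x20000c34 = htobe32(0);
    *(uint16_t*)0x20000c38 = htobe16(0);
    *(uint16_t*)0x20000c3a = htobe16(0);
    *(uint16_t*)0x20000c3c = htobe16(0);
    *(uint16_t*)0x20000c3e = htobe16(0);
    *(uint32_t*)0x20000c40 = 0;
    *(uint16_t*)0x20000c44 = 0;
    *(uint32_t*)0x20000c48 = 0;
    *(uint32_t*)0x20000c4c = 0x100200;
    *(uint32_t*)0x20000c50 = 0;
    // Entry 3 @+0x258: match block with src fc00::, dst ff02::1, zero masks,
    // in-iface "veth1_to_batadv", out-iface "hsr0"; target_offset 0xa8,
    // next_offset 0xd0.  Unnamed standard target (size 0x28) with verdict
    // 0xfffffffd.
    *(uint8_t*)0x20000c58 = 0xfc;
    memset((void*)0x20000c59, 0, 15);
    *(uint8_t*)0x20000c68 = -1;
    *(uint8_t*)0x20000c69 = 2;
    memset((void*)0x20000c6a, 0, 13);
    *(uint8_t*)0x20000c77 = 1;
    *(uint32_t*)0x20000c78 = htobe32(0);
    *(uint32_t*)0x20000c7c = htobe32(0);
    *(uint32_t*)0x20000c80 = htobe32(0);
    *(uint32_t*)0x20000c84 = htobe32(0);
    *(uint32_t*)0x20000c88 = htobe32(0);
    *(uint32_t*)0x20000c8c = htobe32(0);
    *(uint32_t*)0x20000c90 = htobe32(0);
    *(uint32_t*)0x20000c94 = htobe32(0);
    memcpy((void*)0x20000c98, "veth1_to_batadv\000", 16);
    memcpy((void*)0x20000ca8, "hsr0\000\000\000\000\000\000\000\000\000\000\000\000",
           16);
    *(uint8_t*)0x20000cb8 = 0;
    *(uint8_t*)0x20000cc8 = 0;
    *(uint16_t*)0x20000cd8 = 0;
    *(uint8_t*)0x20000cda = 0;
    *(uint8_t*)0x20000cdb = 0;
    *(uint8_t*)0x20000cdc = 0;
    *(uint32_t*)0x20000ce0 = 0;
    *(uint16_t*)0x20000ce4 = 0xa8;
    *(uint16_t*)0x20000ce6 = 0xd0;
    *(uint32_t*)0x20000ce8 = 0;
    *(uint64_t*)0x20000cf0 = 0;
    *(uint64_t*)0x20000cf8 = 0;
    *(uint16_t*)0x20000d00 = 0x28;
    memcpy((void*)0x20000d02,
           "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000"
           "\000\000\000\000\000\000\000\000\000\000\000\000\000",
           29);
    *(uint8_t*)0x20000d1f = 0;
    *(uint32_t*)0x20000d20 = 0xfffffffd;
    // Entry 4 @+0x328: all-zero match block, target_offset 0xa8, next_offset
    // 0xd0.  Unnamed standard target (size 0x28) with verdict 0xfffffffe.
    // Ends at +0x3f8, matching the setsockopt length.
    memset((void*)0x20000d28, 0, 0x88);
    *(uint32_t*)0x20000db0 = 0;
    *(uint16_t*)0x20000db4 = 0xa8;
    *(uint16_t*)0x20000db6 = 0xd0;
    *(uint32_t*)0x20000db8 = 0;
    *(uint64_t*)0x20000dc0 = 0;
    *(uint64_t*)0x20000dc8 = 0;
    *(uint16_t*)0x20000dd0 = 0x28;
    memcpy((void*)0x20000dd2,
           "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000"
           "\000\000\000\000\000\000\000\000\000\000\000\000\000",
           29);
    *(uint8_t*)0x20000def = 0;
    *(uint32_t*)0x20000df0 = 0xfffffffe;
    syscall(__NR_setsockopt, r[0], 0x29, 0x40, 0x20000a00ul, 0x3f8ul);
    break;
  case 2:
    // perf_event_open(attr=NULL, pid=0, cpu=0xff7fffffffffffff, group_fd=-1,
    // flags=0)
    syscall(__NR_perf_event_open, 0ul, 0, 0xff7ffffffffffffful, -1, 0ul);
    break;
  case 3:
    // openat(AT_FDCWD, NULL, 0x115480, 0) -> r[1]
    res = syscall(__NR_openat, 0xffffffffffffff9cul, 0ul, 0x115480ul, 0ul);
    if (res != -1)
      r[1] = res;
    break;
  case 4:
    // perf_event_open(attr=NULL, pid=-1, cpu=0xd, group_fd=r[1], flags=2)
    syscall(__NR_perf_event_open, 0ul, -1, 0xdul, r[1], 2ul);
    break;
  case 5:
    // rt_tgsigqueueinfo(0, 0, 0, NULL)
    syscall(__NR_rt_tgsigqueueinfo, 0, 0, 0, 0ul);
    break;
  case 6:
    // mkdirat(AT_FDCWD, NULL, 0777)
    syscall(__NR_mkdirat, 0xffffffffffffff9cul, 0ul, 0x1fful);
    break;
  case 7:
    // memfd_create(NULL, 0)
    syscall(__NR_memfd_create, 0ul, 0ul);
    break;
  case 8:
    // openat(AT_FDCWD, "/dev/net/tun", 6, 0) -> r[2]
    memcpy((void*)0x200000c0, "/dev/net/tun\000", 13);
    res = syscall(__NR_openat, 0xffffffffffffff9cul, 0x200000c0ul, 6ul, 0ul);
    if (res != -1)
      r[2] = res;
    break;
  case 9:
    // ioctl(r[2], TUNSETIFF (0x400454ca), &ifreq) with the first 16 bytes of
    // the ifreq zeroed (empty interface name).
    memcpy((void*)0x20000000,
           "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000",
           16);
    syscall(__NR_ioctl, r[2], 0x400454ca, 0x20000000ul);
    break;
  case 10:
    // socket(AF_NETLINK, SOCK_RAW, NETLINK_NETFILTER (12)) -> r[3]
    res = syscall(__NR_socket, 0x10ul, 3ul, 0xc);
    if (res != -1)
      r[3] = res;
    break;
  case 11:
    // sendmsg(r[3], msg, 0): one 0x30-byte netlink message at 0x20000000
    // (nlmsg_type 0x0b00, nlmsg_flags 0xf7d7) carrying a 4-byte nfgenmsg
    // (family 3) and three attributes: type 3 = be32 0 (net-byte-order
    // flag set), type 1 = "cgroup", type 2 = be32 0.  NOTE(review): this
    // looks like an nfnetlink "compat" lookup of an xtables extension named
    // "cgroup" — confirm against the kernel's nfnetlink_compat definitions.
    *(uint64_t*)0x20000240 = 0;           // msg_name
    *(uint32_t*)0x20000248 = 0x300;       // msg_namelen (no name supplied)
    *(uint64_t*)0x20000250 = 0x20000080;  // msg_iov
    *(uint64_t*)0x20000080 = 0x20000000;  // iov[0].iov_base
    *(uint32_t*)0x20000000 = 0x30;        // nlmsg_len
    *(uint8_t*)0x20000004 = 0;            // nlmsg_type, low byte
    *(uint8_t*)0x20000005 = 0xb;          // nlmsg_type, high byte
    *(uint16_t*)0x20000006 = 0xf7d7;      // nlmsg_flags
    *(uint32_t*)0x20000008 = 0;           // nlmsg_seq
    *(uint32_t*)0x2000000c = 0;           // nlmsg_pid
    *(uint8_t*)0x20000010 = 3;            // nfgenmsg.nfgen_family
    *(uint8_t*)0x20000011 = 0;            // nfgenmsg.version
    *(uint16_t*)0x20000012 = htobe16(0);  // nfgenmsg.res_id
    *(uint16_t*)0x20000014 = 8;           // attr 1: nla_len
    STORE_BY_BITMASK(uint16_t, , 0x20000016, 3, 0, 14);  // nla_type = 3
    STORE_BY_BITMASK(uint16_t, , 0x20000017, 1, 6, 1);   // bit 14: net byte order
    STORE_BY_BITMASK(uint16_t, , 0x20000017, 0, 7, 1);   // bit 15: nested, clear
    *(uint32_t*)0x20000018 = htobe32(0);
    *(uint16_t*)0x2000001c = 0xb;         // attr 2: nla_len
    *(uint16_t*)0x2000001e = 1;           // nla_type = 1
    memcpy((void*)0x20000020, "cgroup\000", 7);
    *(uint16_t*)0x20000028 = 8;           // attr 3: nla_len
    STORE_BY_BITMASK(uint16_t, , 0x2000002a, 2, 0, 14);  // nla_type = 2
    STORE_BY_BITMASK(uint16_t, , 0x2000002b, 1, 6, 1);
    STORE_BY_BITMASK(uint16_t, , 0x2000002b, 0, 7, 1);
    *(uint32_t*)0x2000002c = htobe32(0);
    *(uint64_t*)0x20000088 = 0x30;        // iov[0].iov_len
    *(uint64_t*)0x20000258 = 1;           // msg_iovlen
    *(uint64_t*)0x20000260 = 0;           // msg_control
    *(uint64_t*)0x20000268 = 0;           // msg_controllen
    *(uint32_t*)0x20000270 = 0;           // msg_flags
    syscall(__NR_sendmsg, r[3], 0x20000240ul, 0ul);
    break;
  }
}

int main(void)
{
  // Fixed-address anonymous mappings (MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS =
  // 0x32): two inaccessible guard pages (prot 0) on either side of a 16 MiB
  // RWX (prot 7) arena at 0x20000000 that execute_call() fills with syscall
  // arguments.
  syscall(__NR_mmap, 0x1ffff000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul);
  syscall(__NR_mmap, 0x20000000ul, 0x1000000ul, 7ul, 0x32ul, -1, 0ul);
  syscall(__NR_mmap, 0x21000000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul);
  loop();
  return 0;
}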