// https://syzkaller.appspot.com/bug?id=4cc2fb55688d9531f6302893f47f046b3e317ed5
// autogenerated by syzkaller (https://github.com/google/syzkaller)
//
// Syzkaller reproducer: main() maps a fixed argument region, runs a
// best-effort 802.15.4 device setup, installs fault-recovery scaffolding and
// then issues a fixed sequence of raw syscalls whose arguments are written
// into that region at hard-coded addresses. The per-call "// <name> arguments"
// comments below are syzkaller's own description of each argument layout.

#define _GNU_SOURCE

// NOTE(review): the header names of the #include directives below were lost
// when this listing was extracted (only the bare directives survived), so the
// file does not compile as shown. Restore them from the original reproducer.
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include

// Fallback syscall number for bpf(2) when the libc headers do not define it
// (the value used here is the x86-64 one).
#ifndef __NR_bpf
#define __NR_bpf 321
#endif

// Per-thread fault-recovery state used by segv_handler() and NONFAILING().
// clone_ongoing: when non-zero the handler exits immediately instead of
//                attempting recovery; nothing in this listing sets it.
// skip_segv:     > 0 while the thread is inside a NONFAILING() block.
// segv_env:      jump target set by NONFAILING() and taken by the handler.
static __thread int clone_ongoing;
static __thread int skip_segv;
static __thread jmp_buf segv_env;

// SIGSEGV/SIGBUS handler. A fault is "recoverable" only if the thread is
// inside a NONFAILING() block AND the faulting address lies outside
// [1 MiB, 100 MiB] (the range named prog_start..prog_end, presumably where
// the program image itself lives). Recoverable faults longjmp back into
// NONFAILING(); everything else terminates the process with the signal
// number as exit status.
static void segv_handler(int sig, siginfo_t* info, void* ctx)
{
  if (__atomic_load_n(&clone_ongoing, __ATOMIC_RELAXED) != 0) {
    exit(sig);
  }
  uintptr_t addr = (uintptr_t)info->si_addr;
  const uintptr_t prog_start = 1 << 20;
  const uintptr_t prog_end = 100 << 20;
  int skip = __atomic_load_n(&skip_segv, __ATOMIC_RELAXED) != 0;
  // "valid" here means: the fault is NOT inside the program's own range.
  int valid = addr < prog_start || addr > prog_end;
  if (skip && valid) {
    _longjmp(segv_env, 1);
  }
  exit(sig);
}

// Installs segv_handler() for SIGSEGV and SIGBUS. Signals 32 and 33 are set
// to SIG_IGN through the raw rt_sigaction syscall first (these are the
// real-time signals libc reserves for itself, so they are bypassed on
// purpose rather than going through sigaction()). SA_NODEFER keeps the
// faulting signal unblocked inside the handler, which is what makes the
// longjmp out of it safe to repeat.
static void install_segv_handler(void)
{
  struct sigaction sa;
  memset(&sa, 0, sizeof(sa));
  sa.sa_handler = SIG_IGN;
  syscall(SYS_rt_sigaction, 0x20, &sa, NULL, 8);
  syscall(SYS_rt_sigaction, 0x21, &sa, NULL, 8);
  memset(&sa, 0, sizeof(sa));
  sa.sa_sigaction = segv_handler;
  sa.sa_flags = SA_NODEFER | SA_SIGINFO;
  sigaction(SIGSEGV, &sa, NULL);
  sigaction(SIGBUS, &sa, NULL);
}

// Runs the enclosed statements with fault recovery enabled. Evaluates to 1
// if they completed, 0 if a recoverable SIGSEGV/SIGBUS interrupted them.
// skip_segv is a counter, so nesting NONFAILING() blocks is allowed; the
// jmp_buf however is a single per-thread slot, so an inner block overwrites
// the outer block's jump target.
#define NONFAILING(...)                                                        \
  ({                                                                           \
    int ok = 1;                                                                \
    __atomic_fetch_add(&skip_segv, 1, __ATOMIC_SEQ_CST);                       \
    if (_setjmp(segv_env) == 0) {                                              \
      __VA_ARGS__;                                                             \
    } else                                                                     \
      ok = 0;                                                                  \
    __atomic_fetch_sub(&skip_segv, 1, __ATOMIC_SEQ_CST);                       \
    ok;                                                                        \
  })

// Creates a fresh "./syzkaller.XXXXXX" directory, makes it world-writable
// and chdir()s into it, exiting with status 1 on any failure. The directory
// is never removed by this program.
static void use_temporary_dir(void)
{
  char tmpdir_template[] = "./syzkaller.XXXXXX";
  char* tmpdir = mkdtemp(tmpdir_template);
  if (!tmpdir)
    exit(1);
  if (chmod(tmpdir, 0777))
    exit(1);
  if (chdir(tmpdir))
    exit(1);
}

// BITMASK(off, len): bf_len ones shifted up by bf_off (as unsigned long long).
#define BITMASK(bf_off, bf_len) (((1ull << (bf_len)) - 1) << (bf_off))
// STORE_BY_BITMASK: read-modify-write of a bit field inside the `type`
// object at `addr`; `htobe` is applied on load and again on store so the
// field position is interpreted in the requested byte order (an empty
// `htobe` argument means host order).
#define STORE_BY_BITMASK(type, htobe, addr, val, bf_off, bf_len)               \
  *(type*)(addr) =                                                             \
      htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) |           \
            (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len))))

// Netlink message builder. buf holds the message being assembled (header,
// payload, attributes); pos is the write cursor; nested[] is a stack of the
// currently open nested attributes, nesting its depth. Note that neither
// netlink_attr() nor netlink_nest() checks that pos stays within buf or that
// nesting stays below 8 -- overflow is only caught (as an exit) by the
// pos-past-end check in netlink_send_ext().
struct nlmsg {
  char* pos;
  int nesting;
  struct nlattr* nested[8];
  char buf[4096];
};

// Starts a new message of type `typ` with NLM_F_REQUEST|NLM_F_ACK|flags and
// copies `size` bytes of fixed payload after the nlmsghdr. nlmsg_len is left
// zero here; netlink_send_ext() fills it in just before sending.
static void netlink_init(struct nlmsg* nlmsg, int typ, int flags, const void* data, int size)
{
  memset(nlmsg, 0, sizeof(*nlmsg));
  struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf;
  hdr->nlmsg_type = typ;
  hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags;
  memcpy(hdr + 1, data, size);
  nlmsg->pos = (char*)(hdr + 1) + NLMSG_ALIGN(size);
}

// Appends one attribute (`typ`, `size` bytes of `data`) at the cursor and
// advances it by the NLMSG_ALIGNed attribute length.
static void netlink_attr(struct nlmsg* nlmsg, int typ, const void* data, int size)
{
  struct nlattr* attr = (struct nlattr*)nlmsg->pos;
  attr->nla_len = sizeof(*attr) + size;
  attr->nla_type = typ;
  if (size > 0)
    memcpy(attr + 1, data, size);
  nlmsg->pos += NLMSG_ALIGN(attr->nla_len);
}

// Opens a nested attribute of type `typ`; its length is patched in later by
// the matching netlink_done().
static void netlink_nest(struct nlmsg* nlmsg, int typ)
{
  struct nlattr* attr = (struct nlattr*)nlmsg->pos;
  attr->nla_type = typ;
  nlmsg->pos += sizeof(*attr);
  nlmsg->nested[nlmsg->nesting++] = attr;
}

// Closes the innermost open nested attribute, setting its nla_len to cover
// everything written since netlink_nest().
static void netlink_done(struct nlmsg* nlmsg)
{
  struct nlattr* attr = nlmsg->nested[--nlmsg->nesting];
  attr->nla_len = nlmsg->pos - (char*)attr;
}

// Sends the assembled message on `sock` and reads one reply into the same
// buffer (the request is overwritten).
// Returns:
//   0           on NLMSG_DONE, on a reply of `reply_type` (with *reply_len
//               set to its size), or on an ACK whose error field is 0;
//   -errno      when the kernel answered with a non-zero nlmsgerr (this path
//               never exits, even with dofail set);
//   -1          with errno set (EINVAL for short/unexpected replies) on any
//               other failure -- or exit(1) instead when `dofail` is true.
// Exits immediately if the cursor ran past buf or a nest is still open.
static int netlink_send_ext(struct nlmsg* nlmsg, int sock, uint16_t reply_type, int* reply_len, bool dofail)
{
  if (nlmsg->pos > nlmsg->buf + sizeof(nlmsg->buf) || nlmsg->nesting)
    exit(1);
  struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf;
  hdr->nlmsg_len = nlmsg->pos - nlmsg->buf;
  struct sockaddr_nl addr;
  memset(&addr, 0, sizeof(addr));
  addr.nl_family = AF_NETLINK;
  ssize_t n = sendto(sock, nlmsg->buf, hdr->nlmsg_len, 0, (struct sockaddr*)&addr, sizeof(addr));
  if (n != (ssize_t)hdr->nlmsg_len) {
    if (dofail)
      exit(1);
    return -1;
  }
  n = recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0);
  if (reply_len)
    *reply_len = 0;
  if (n < 0) {
    if (dofail)
      exit(1);
    return -1;
  }
  // Reply must at least hold a header before hdr fields are trusted.
  if (n < (ssize_t)sizeof(struct nlmsghdr)) {
    errno = EINVAL;
    if (dofail)
      exit(1);
    return -1;
  }
  if (hdr->nlmsg_type == NLMSG_DONE)
    return 0;
  if (reply_len && hdr->nlmsg_type == reply_type) {
    *reply_len = n;
    return 0;
  }
  // Anything else must be a full NLMSG_ERROR (header + nlmsgerr).
  if (n < (ssize_t)(sizeof(struct nlmsghdr) + sizeof(struct nlmsgerr))) {
    errno = EINVAL;
    if (dofail)
      exit(1);
    return -1;
  }
  if (hdr->nlmsg_type != NLMSG_ERROR) {
    errno = EINVAL;
    if (dofail)
      exit(1);
    return -1;
  }
  // nlmsgerr.error is a negative errno (0 for a plain ACK).
  errno = -((struct nlmsgerr*)(hdr + 1))->error;
  return -errno;
}

// Convenience wrapper: send with no expected reply type and dofail=true,
// i.e. transport/format failures exit(1); a kernel error ACK still comes
// back as -errno.
static int netlink_send(struct nlmsg* nlmsg, int sock)
{
  return netlink_send_ext(nlmsg, sock, 0, NULL, true);
}

// Looks up the generic-netlink family id for `family_name` via
// CTRL_CMD_GETFAMILY. Returns the id (> 0) or -1 (errno EINVAL when the
// reply carried no CTRL_ATTR_FAMILY_ID). With dofail=true the underlying
// send exits on transport errors, so the err < 0 branch is only taken for
// a kernel error ACK.
static int netlink_query_family_id(struct nlmsg* nlmsg, int sock, const char* family_name, bool dofail)
{
  struct genlmsghdr genlhdr;
  memset(&genlhdr, 0, sizeof(genlhdr));
  genlhdr.cmd = CTRL_CMD_GETFAMILY;
  netlink_init(nlmsg, GENL_ID_CTRL, 0, &genlhdr, sizeof(genlhdr));
  // Family name is sent NUL-terminated, bounded to GENL_NAMSIZ.
  netlink_attr(nlmsg, CTRL_ATTR_FAMILY_NAME, family_name, strnlen(family_name, GENL_NAMSIZ - 1) + 1);
  int n = 0;
  int err = netlink_send_ext(nlmsg, sock, GENL_ID_CTRL, &n, dofail);
  if (err < 0) {
    return -1;
  }
  uint16_t id = 0;
  // Walk the attributes that follow the genlmsghdr in the reply.
  struct nlattr* attr = (struct nlattr*)(nlmsg->buf + NLMSG_HDRLEN + NLMSG_ALIGN(sizeof(genlhdr)));
  for (; (char*)attr < nlmsg->buf + n; attr = (struct nlattr*)((char*)attr + NLMSG_ALIGN(attr->nla_len))) {
    if (attr->nla_type == CTRL_ATTR_FAMILY_ID) {
      id = *(uint16_t*)(attr + 1);
      break;
    }
  }
  if (!id) {
    errno = EINVAL;
    return -1;
  }
  // Drain the follow-up message the kernel sends after the family reply
  // (presumably the ACK requested via NLM_F_ACK); its content is ignored.
  recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0);
  return id;
}

// Builds (but does not send) an RTM_NEWLINK create request for a device of
// kind `type`, optionally named `name` and brought up. The IFLA_LINKINFO
// nest is left OPEN so the caller can add more attributes; the caller must
// call netlink_done() before sending.
static void netlink_add_device_impl(struct nlmsg* nlmsg, const char* type, const char* name, bool up)
{
  struct ifinfomsg hdr;
  memset(&hdr, 0, sizeof(hdr));
  if (up)
    hdr.ifi_flags = hdr.ifi_change = IFF_UP;
  netlink_init(nlmsg, RTM_NEWLINK, NLM_F_EXCL | NLM_F_CREATE, &hdr, sizeof(hdr));
  if (name)
    netlink_attr(nlmsg, IFLA_IFNAME, name, strlen(name));
  netlink_nest(nlmsg, IFLA_LINKINFO);
  netlink_attr(nlmsg, IFLA_INFO_KIND, type, strlen(type));
}

// Sends an RTM_NEWLINK modifying the existing device `name`: optionally
// brings it up, renames it, enslaves it to `master` and/or sets its
// hardware address. Failures (including an unknown `name`/`master`, which
// if_nametoindex() reports as index 0) are deliberately ignored: this is
// best-effort setup.
static void netlink_device_change(struct nlmsg* nlmsg, int sock, const char* name, bool up, const char* master, const void* mac, int macsize, const char* new_name)
{
  struct ifinfomsg hdr;
  memset(&hdr, 0, sizeof(hdr));
  if (up)
    hdr.ifi_flags = hdr.ifi_change = IFF_UP;
  hdr.ifi_index = if_nametoindex(name);
  netlink_init(nlmsg, RTM_NEWLINK, 0, &hdr, sizeof(hdr));
  if (new_name)
    netlink_attr(nlmsg, IFLA_IFNAME, new_name, strlen(new_name));
  if (master) {
    int ifindex = if_nametoindex(master);
    netlink_attr(nlmsg, IFLA_MASTER, &ifindex, sizeof(ifindex));
  }
  if (macsize)
    netlink_attr(nlmsg, IFLA_ADDRESS, mac, macsize);
  int err = netlink_send(nlmsg, sock);
  if (err < 0) {
    // Intentionally ignored (best-effort).
  }
}

// Single shared message buffer used by all netlink setup below.
static struct nlmsg nlmsg;

// nl802154 generic-netlink command/attribute numbers used by setup_802154().
#define NL802154_CMD_SET_SHORT_ADDR 11
#define NL802154_ATTR_IFINDEX 3
#define NL802154_ATTR_SHORT_ADDR 10

// Best-effort IEEE 802.15.4 setup: for wpan0 and wpan1 assigns a short
// address (0xaaa0 + i) over nl802154, sets the hardware address
// (0xaaaaaaaaaaaa0002 + i<<8) and brings the device up over rtnetlink, and
// stacks a "lowpan0" 6LoWPAN device on wpan0. Returns NULL on success or a
// static description of the first failing step. Both sockets are closed at
// `fail:` in every case; close(-1) on a never-opened sock_generic is harmless.
static const char* setup_802154()
{
  const char* error = NULL;
  int sock_generic = -1;
  int sock_route = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
  if (sock_route == -1) {
    error = "socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE) failed";
    goto fail;
  }
  sock_generic = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC);
  if (sock_generic == -1) {
    error = "socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC) failed";
    goto fail;
  }
  {
    int nl802154_family_id = netlink_query_family_id(&nlmsg, sock_generic, "nl802154", true);
    if (nl802154_family_id < 0) {
      error = "netlink_query_family_id failed";
      goto fail;
    }
    for (int i = 0; i < 2; i++) {
      // "wpan0", "wpan1": bump the trailing digit.
      char devname[] = "wpan0";
      devname[strlen(devname) - 1] += i;
      uint64_t hwaddr = 0xaaaaaaaaaaaa0002 + (i << 8);
      uint16_t shortaddr = 0xaaa0 + i;
      int ifindex = if_nametoindex(devname);
      struct genlmsghdr genlhdr;
      memset(&genlhdr, 0, sizeof(genlhdr));
      genlhdr.cmd = NL802154_CMD_SET_SHORT_ADDR;
      netlink_init(&nlmsg, nl802154_family_id, 0, &genlhdr, sizeof(genlhdr));
      netlink_attr(&nlmsg, NL802154_ATTR_IFINDEX, &ifindex, sizeof(ifindex));
      netlink_attr(&nlmsg, NL802154_ATTR_SHORT_ADDR, &shortaddr, sizeof(shortaddr));
      // netlink_send() exits on transport errors; a kernel error ACK is
      // what lands here as < 0.
      if (netlink_send(&nlmsg, sock_generic) < 0) {
        error = "NL802154_CMD_SET_SHORT_ADDR failed";
        goto fail;
      }
      netlink_device_change(&nlmsg, sock_route, devname, true, 0, &hwaddr, sizeof(hwaddr), 0);
      if (i == 0) {
        // lowpan0 on top of wpan0: close the IFLA_LINKINFO nest opened by
        // netlink_add_device_impl(), then point IFLA_LINK at wpan0.
        netlink_add_device_impl(&nlmsg, "lowpan", "lowpan0", false);
        netlink_done(&nlmsg);
        netlink_attr(&nlmsg, IFLA_LINK, &ifindex, sizeof(ifindex));
        if (netlink_send(&nlmsg, sock_route) < 0) {
          error = "netlink: adding device lowpan0 type lowpan link wpan0";
          goto fail;
        }
      }
    }
  }
fail:
  close(sock_route);
  close(sock_generic);
  return error;
}

// Resource table filled in as the program runs (each call's trailing
// "returns ..." comment names the slot's producer):
//   r[0] NETLINK_ROUTE socket   r[1] AF_INET6 UDP socket
//   r[2] ifindex of "lo"        r[3] AF_INET TCP socket
//   r[4] bpf program fd         r[5] bpf map fd
// Slots that a failed call leaves untouched keep -1 (r[2] keeps 0).
uint64_t r[6] = {0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff};

int main(void)
{
  // Argument region: 16 MiB RWX at 0x200000000000, bracketed by one
  // PROT_NONE page below and one above. Every hard-coded 0x2000... address
  // below points into this region; stores go through NONFAILING() so a
  // fault on the guard pages cannot abort the run.
  syscall(__NR_mmap, /*addr=*/0x1ffffffff000ul, /*len=*/0x1000ul,
          /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul,
          /*fd=*/(intptr_t)-1, /*offset=*/0ul);
  syscall(__NR_mmap, /*addr=*/0x200000000000ul, /*len=*/0x1000000ul,
          /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul,
          /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul,
          /*fd=*/(intptr_t)-1, /*offset=*/0ul);
  syscall(__NR_mmap, /*addr=*/0x200001000000ul, /*len=*/0x1000ul,
          /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul,
          /*fd=*/(intptr_t)-1, /*offset=*/0ul);
  const char* reason;
  (void)reason;
  // Setup failure is reported but not fatal.
  if ((reason = setup_802154()))
    printf("the reproducer may not work as expected: 802154 injection setup "
           "failed: %s\n",
           reason);
  install_segv_handler();
  use_temporary_dir();
  intptr_t res = 0;
  // Return value deliberately ignored (empty body presumably just silences
  // the unused-result warning).
  if (write(1, "executing program\n", sizeof("executing program\n") - 1)) {
  }
  // socket$nl_route arguments: [
  //   domain: const = 0x10 (8 bytes)
  //   type: const = 0x3 (8 bytes)
  //   proto: const = 0x0 (4 bytes)
  // ]
  // returns sock_nl_route
  res = syscall(__NR_socket, /*domain=*/0x10ul, /*type=*/3ul, /*proto=*/0);
  if (res != -1)
    r[0] = res;
  // socket$inet6_udp arguments: [
  //   domain: const = 0xa (8 bytes)
  //   type: const = 0x2 (8 bytes)
  //   proto: const = 0x0 (4 bytes)
  // ]
  // returns sock_udp6
  res = syscall(__NR_socket, /*domain=*/0xaul, /*type=*/2ul, /*proto=*/0);
  if (res != -1)
    r[1] = res;
  // ioctl$sock_SIOCGIFINDEX arguments: [
  //   fd: sock (resource)
  //   cmd: const = 0x8933 (4 bytes)
  //   arg: ptr[out, ifreq_dev_t[devnames, ifindex]] {
  //     ifreq_dev_t[devnames, ifindex] {
  //       ifr_ifrn: buffer: {6c 6f 00 00 00 00 00 00 00 00 00 00 00 00 00 00}
  //       (length 0x10) elem: ifindex (resource) pad = 0x0 (20 bytes)
  //     }
  //   }
  // ]
  NONFAILING(
      memcpy((void*)0x200000000040,
             "lo\000\000\000\000\000\000\000\000\000\000\000\000\000\000", 16));
  res = syscall(__NR_ioctl, /*fd=*/r[1], /*cmd=*/0x8933, /*arg=*/0x200000000040ul);
  // ifr_ifindex sits at offset 16 of the ifreq.
  if (res != -1)
    NONFAILING(r[2] = *(uint32_t*)0x200000000050);
  // sendmsg$nl_route_sched arguments: [
  //   fd: sock_nl_route (resource)
  //   msg: ptr[in, msghdr_netlink[netlink_msg_route_sched]] {
  //     msghdr_netlink[netlink_msg_route_sched] {
  //       addr: nil
  //       addrlen: len = 0x0 (4 bytes)
  //       pad = 0x0 (4 bytes)
  //       vec: ptr[in, iovec[in, netlink_msg_route_sched]] {
  //         iovec[in, netlink_msg_route_sched] {
  //           addr: ptr[in, netlink_msg_route_sched] {
  //             union netlink_msg_route_sched {
  //               newqdisc: netlink_msg_t[const[RTM_NEWQDISC, int16],
  //               tcmsg[AF_UNSPEC], rtm_tca_policy] {
  //                 len: len = 0x74 (4 bytes)
  //                 type: const = 0x24 (2 bytes)
  //                 flags: netlink_msg_flags = 0x4ee4e6a52ff56541 (2 bytes)
  //                 seq: int32 = 0x0 (4 bytes)
  //                 pid: int32 = 0x0 (4 bytes)
  //                 payload: tcmsg[AF_UNSPEC] {
  //                   family: const = 0x0 (1 bytes)
  //                   tcm__pad1: const = 0x0 (1 bytes)
  //                   tcm__pad2: const = 0x0 (2 bytes)
  //                   ifindex: ifindex (resource)
  //                   tcm_handle: tcm_handle {
  //                     minor: tcm_handle_offsets = 0x0 (2 bytes)
  //                     major: tcm_handle_offsets = 0x0 (2 bytes)
  //                   }
  //                   tcm_parent: tcm_handle {
  //                     minor: tcm_handle_offsets = 0xffff (2 bytes)
  //                     major: tcm_handle_offsets = 0xffff (2 bytes)
  //                   }
  //                   tcm_info: tcm_handle {
  //                     minor: tcm_handle_offsets = 0x0 (2 bytes)
  //                     major: tcm_handle_offsets = 0x0 (2 bytes)
  //                   }
  //                 }
  //                 attrs: array[rtm_tca_policy] {
  //                   union rtm_tca_policy {
  //                     qdisc_kind_options: union qdisc_kind_options {
  //                       q_netem: tca_kind_options_t["netem",
  //                       tc_netem_message] {
  //                         TCA_KIND: nlattr_t[const[TCA_KIND, int16],
  //                         string["netem"]] {
  //                           nla_len: offsetof = 0xa (2 bytes)
  //                           nla_type: const = 0x1 (2 bytes)
  //                           payload: buffer: {6e 65 74 65 6d 00} (length
  //                           0x6) size: buffer: {} (length 0x0) pad = 0x0 (2
  //                           bytes)
  //                         }
  //                         TCA_OPTIONS: nlattr_t[const[TCA_OPTIONS, int16],
  //                         tc_netem_message] {
  //                           nla_len: offsetof = 0x44 (2 bytes)
  //                           nla_type: const = 0x2 (2 bytes)
  //                           payload: tc_netem_message {
  //                             qopt: tc_netem_qopt {
  //                               latency: int32 = 0x0 (4 bytes)
  //                               limit: int32 = 0x200000 (4 bytes)
  //                               loss: int32 = 0x0 (4 bytes)
  //                               gap: int32 = 0x0 (4 bytes)
  //                               duplicate: int32 = 0xfffffffd (4 bytes)
  //                               jitter: int32 = 0x0 (4 bytes)
  //                             }
  //                             attrs: array[netem_policy] {
  //                               union netem_policy {
  //                                 TCA_NETEM_LOSS:
  //                                 nlattr_tt[const[TCA_NETEM_LOSS, int16:14],
  //                                 0, 1, array[netem_loss_policy]] {
  //                                   nla_len: offsetof = 0x1c (2 bytes)
  //                                   nla_type: const = 0x5 (1 bytes)
  //                                   NLA_F_NET_BYTEORDER: const = 0x0 (0
  //                                   bytes) NLA_F_NESTED: const = 0x1 (1
  //                                   bytes) payload: array[netem_loss_policy]
  //                                   {
  //                                     union netem_loss_policy {
  //                                       NETEM_LOSS_GI:
  //                                       nlattr_t[const[NETEM_LOSS_GI,
  //                                       int16], tc_netem_gimodel] {
  //                                         nla_len: offsetof = 0x18 (2 bytes)
  //                                         nla_type: const = 0x1 (2 bytes)
  //                                         payload: tc_netem_gimodel {
  //                                           p13: int32 = 0x7fffffff (4
  //                                           bytes) p31: int32 = 0x0 (4
  //                                           bytes) p32: int32 = 0xfffffffd
  //                                           (4 bytes) p14: int32 = 0x0 (4
  //                                           bytes) p23: int32 = 0x0 (4
  //                                           bytes)
  //                                         }
  //                                         size: buffer: {} (length 0x0)
  //                                       }
  //                                     }
  //                                   }
  //                                   size: buffer: {} (length 0x0)
  //                                 }
  //                               }
  //                               union netem_policy {
  //                                 TCA_NETEM_LATENCY64:
  //                                 nlattr_t[const[TCA_NETEM_LATENCY64,
  //                                 int16], int64] {
  //                                   nla_len: offsetof = 0xc (2 bytes)
  //                                   nla_type: const = 0xa (2 bytes)
  //                                   payload: int64 = 0x6 (8 bytes)
  //                                   size: buffer: {} (length 0x0)
  //                                 }
  //                               }
  //                             }
  //                           }
  //                           size: buffer: {} (length 0x0)
  //                         }
  //                       }
  //                     }
  //                   }
  //                 }
  //               }
  //             }
  //           }
  //           len: len = 0x74 (8 bytes)
  //         }
  //       }
  //       vlen: const = 0x1 (8 bytes)
  //       ctrl: const = 0x0 (8 bytes)
  //       ctrllen: const = 0x0 (8 bytes)
  //       f: send_flags = 0x0 (4 bytes)
  //       pad = 0x0 (4 bytes)
  //     }
  //   }
  //   f: send_flags = 0x0 (8 bytes)
  // ]
  // msghdr at 0x...12c0, iovec at 0x...0000, netlink message at 0x...0280.
  NONFAILING(*(uint64_t*)0x2000000012c0 = 0);
  NONFAILING(*(uint32_t*)0x2000000012c8 = 0);
  NONFAILING(*(uint64_t*)0x2000000012d0 = 0x200000000000);
  NONFAILING(*(uint64_t*)0x200000000000 = 0x200000000280);
  NONFAILING(*(uint32_t*)0x200000000280 = 0x74);
  NONFAILING(*(uint16_t*)0x200000000284 = 0x24);
  NONFAILING(*(uint16_t*)0x200000000286 = 0x6541);
  NONFAILING(*(uint32_t*)0x200000000288 = 0);
  NONFAILING(*(uint32_t*)0x20000000028c = 0);
  NONFAILING(*(uint8_t*)0x200000000290 = 0);
  NONFAILING(*(uint8_t*)0x200000000291 = 0);
  NONFAILING(*(uint16_t*)0x200000000292 = 0);
  // tcm_ifindex = ifindex of "lo" obtained above.
  NONFAILING(*(uint32_t*)0x200000000294 = r[2]);
  NONFAILING(*(uint16_t*)0x200000000298 = 0);
  NONFAILING(*(uint16_t*)0x20000000029a = 0);
  NONFAILING(*(uint16_t*)0x20000000029c = -1);
  NONFAILING(*(uint16_t*)0x20000000029e = -1);
  NONFAILING(*(uint16_t*)0x2000000002a0 = 0);
  NONFAILING(*(uint16_t*)0x2000000002a2 = 0);
  NONFAILING(*(uint16_t*)0x2000000002a4 = 0xa);
  NONFAILING(*(uint16_t*)0x2000000002a6 = 1);
  NONFAILING(memcpy((void*)0x2000000002a8, "netem\000", 6));
  NONFAILING(*(uint16_t*)0x2000000002b0 = 0x44);
  NONFAILING(*(uint16_t*)0x2000000002b2 = 2);
  NONFAILING(*(uint32_t*)0x2000000002b4 = 0);
  NONFAILING(*(uint32_t*)0x2000000002b8 = 0x200000);
  NONFAILING(*(uint32_t*)0x2000000002bc = 0);
  NONFAILING(*(uint32_t*)0x2000000002c0 = 0);
  NONFAILING(*(uint32_t*)0x2000000002c4 = 0xfffffffd);
  NONFAILING(*(uint32_t*)0x2000000002c8 = 0);
  NONFAILING(*(uint16_t*)0x2000000002cc = 0x1c);
  // nla_type bit fields: 14-bit type, then NLA_F_NET_BYTEORDER, NLA_F_NESTED.
  NONFAILING(STORE_BY_BITMASK(uint16_t, , 0x2000000002ce, 5, 0, 14));
  NONFAILING(STORE_BY_BITMASK(uint16_t, , 0x2000000002cf, 0, 6, 1));
  NONFAILING(STORE_BY_BITMASK(uint16_t, , 0x2000000002cf, 1, 7, 1));
  NONFAILING(*(uint16_t*)0x2000000002d0 = 0x18);
  NONFAILING(*(uint16_t*)0x2000000002d2 = 1);
  NONFAILING(*(uint32_t*)0x2000000002d4 = 0x7fffffff);
  NONFAILING(*(uint32_t*)0x2000000002d8 = 0);
  NONFAILING(*(uint32_t*)0x2000000002dc = 0xfffffffd);
  NONFAILING(*(uint32_t*)0x2000000002e0 = 0);
  NONFAILING(*(uint32_t*)0x2000000002e4 = 0);
  NONFAILING(*(uint16_t*)0x2000000002e8 = 0xc);
  NONFAILING(*(uint16_t*)0x2000000002ea = 0xa);
  NONFAILING(*(uint64_t*)0x2000000002ec = 6);
  NONFAILING(*(uint64_t*)0x200000000008 = 0x74);
  NONFAILING(*(uint64_t*)0x2000000012d8 = 1);
  NONFAILING(*(uint64_t*)0x2000000012e0 = 0);
  NONFAILING(*(uint64_t*)0x2000000012e8 = 0);
  NONFAILING(*(uint32_t*)0x2000000012f0 = 0);
  syscall(__NR_sendmsg, /*fd=*/r[0], /*msg=*/0x2000000012c0ul, /*f=*/0ul);
  // socket$inet_tcp arguments: [
  //   domain: const = 0x2 (8 bytes)
  //   type: const = 0x1 (8 bytes)
  //   proto: const = 0x0 (4 bytes)
  // ]
  // returns sock_tcp
  res = syscall(__NR_socket, /*domain=*/2ul, /*type=*/1ul, /*proto=*/0);
  if (res != -1)
    r[3] = res;
  // bind$inet arguments: [
  //   fd: sock_in (resource)
  //   addr: ptr[in, sockaddr_in] {
  //     sockaddr_in {
  //       family: const = 0x2 (2 bytes)
  //       port: int16be = 0x4e20 (2 bytes)
  //       addr: union ipv4_addr {
  //         multicast1: const = 0xe0000001 (4 bytes)
  //       }
  //       pad = 0x0 (8 bytes)
  //     }
  //   }
  //   addrlen: len = 0x10 (8 bytes)
  // ]
  NONFAILING(*(uint16_t*)0x200000000000 = 2);
  NONFAILING(*(uint16_t*)0x200000000002 = htobe16(0x4e20));
  NONFAILING(*(uint32_t*)0x200000000004 = htobe32(0xe0000001));
  syscall(__NR_bind, /*fd=*/r[3], /*addr=*/0x200000000000ul, /*addrlen=*/0x10ul);
  // sendto$inet arguments: [
  //   fd: sock_in (resource)
  //   buf: nil
  //   len: len = 0x0 (8 bytes)
  //   f: send_flags = 0x20020084 (8 bytes)
  //   addr: ptr[in, sockaddr_in] {
  //     sockaddr_in {
  //       family: const = 0x2 (2 bytes)
  //       port: int16be = 0x4e20 (2 bytes)
  //       addr: union ipv4_addr {
  //         rand_addr: int32be = 0x0 (4 bytes)
  //       }
  //       pad = 0x0 (8 bytes)
  //     }
  //   }
  //   addrlen: len = 0x10 (8 bytes)
  // ]
  NONFAILING(*(uint16_t*)0x2000000018c0 = 2);
  NONFAILING(*(uint16_t*)0x2000000018c2 = htobe16(0x4e20));
  NONFAILING(*(uint32_t*)0x2000000018c4 = htobe32(0));
  syscall(__NR_sendto, /*fd=*/r[3], /*buf=*/0ul, /*len=*/0ul,
          /*f=MSG_FASTOPEN|MSG_EOR|MSG_DONTROUTE|0x20000*/ 0x20020084ul,
          /*addr=*/0x2000000018c0ul, /*addrlen=*/0x10ul);
  // bpf$PROG_LOAD arguments: [
  //   cmd: const = 0x5 (8 bytes)
  //   arg: ptr[in, bpf_prog_t[flags[bpf_prog_type, int32],
  //   bpf_prog_attach_types, bpf_btf_id[opt], fd_bpf_prog[opt]]] {
  //     bpf_prog_t[flags[bpf_prog_type, int32], bpf_prog_attach_types,
  //     bpf_btf_id[opt], fd_bpf_prog[opt]] {
  //       type: bpf_prog_type = 0xe (4 bytes)
  //       ninsn: bytesize8 = 0x4 (4 bytes)
  //       insns: ptr[inout, array[ANYUNION]] {
  //         array[ANYUNION] {
  //           union ANYUNION {
  //             ANYBLOB: buffer: {b4 05 00 00 20 00 80 00 61 10 60 00 00 00 00
  //             00 c6 00 00 00 00 00 00 02 95 00 00 00 00 00 00 00 9f 33 ef 60
  //             91 6e 6e 89 3f 1e eb 0b e2 56 6c d0 72 30 43 c4 7c 89 6c e0 bc
  //             e6 6a 24 5a d9 9b 81 7f d9 8c d8 24 49 89 49 71 4f fa ac 8a 6f
  //             77 ef 26 dc ca 55 82 05 4d 54 d5 3c d2 b6 db 71 4e 4b 94 bd ae
  //             21 4f a6 8a 05 57 eb 2c 5c a6 83 a4 b6 fc 89 39 8f 2b 90 00 f2
  //             24 89 10 60 01 7c fa 6f a2 6f a7 a3 47 01 00 8c 61 89 7d 4a 61
  //             48 a1 c1 14 28 60 7c 40 de 60 be ac 67 1e 8e 8f de cb 03 58 8a
  //             a6 23 fa 71 f8 71 ab 5c 2f f8 8a fc 60 02 08 4e 5b 52 71 08 00
  //             e8 35 cf 0d 78 e4 5f 70 98 38 26 fb 85 79 c1 fb 01 d2 c5 55 3d
  //             2c cb 5f c5 b5 1f e6 b1 74 be d9 90 7d cf f4 14 ed 55 b0 c2 0c
  //             db e7 00 9a 6f e7 cc 78 76 2f 1d 4d cd bc a6 49 20 db 9a 50 f8
  //             6c 21 63 2f d3 0b f0 51 21 43 8b b7 4e 46 70 ab 5d fe 44 7a 4b
  //             d3 44 e0 bd 74 ff 05 d3 7e f6 8e 3b 9d b8 63 c7 58 ff ff ff ff
  //             b4 26 e1 23 0b c1 cd 4c 02 c4 c2 e6 d1 7d c5 c2 ed f3 32 a6 2f
  //             5f e6 8f bb bb fc fd 78 a9 f3 fd c1 f5 0c 44 5e 3f 30 e7 03 cf
  //             05 b9 0f bf 94 0e 66 52 d3 77 47 4e d5 f8 16 f6 6a c3 02 74 60
  //             ae 99 1e 7f 83 4d d7 a7 fc 2a 70 03 d1 a6 cf 54 78 53 35 84 96
  //             1c 32 9f cf 4f ed 5c 94 55 64 0d cd 28 27 3d c9 75 3c c9 79 11
  //             3f 29 15 a3 03 9c 3c a6 0e c5 3b b1 13 0c 2d 27 fe d7 d6 7c 44
  //             0e 23 d1 30 e5 1e ea 1e 08 5b eb ab e7 05 9d e9 cb fc 51 17 7c
  //             ce 5e f2 65 c9 2b 79 57 a3 34 ff 7b e2 ca 86 7f d9 42 86 e0 16
  //             fe bf db 58 27 ef c7 a6 ef b0 1d 66 a3 96 f8 4c 1c a7 5d aa 4e
  //             ad 09 96 94 ed 03 d4 49 b1 85 cc 83 6b ab 1a 41 a6 1b d6 f0 3a
  //             54 fa fc ee 55 4b bb 52 ad f8 f1 d7 ed e9 f9 a7 11 25 6f b4 5e
  //             6c 3d 12 ff 56 0e e6 9d 68 73 3d 52 2d 9b be cf 52 39 6f 15 97
  //             63 81 c2 70 15 40 37 78 13 98 08 14 2b 48 ce d1 45 ca 8a 6d a5
  //             f3 22 d4 13 d0 9c c3 8b 83 2f a0 5d d3 c7 99 04 25 88 f9 ee a6
  //             f4 43 ba a7 59 25 7a 00 00 00 00 00 00 00 00 00 be d1 da d2 28
  //             e1 1f 80 cf ea 58 48 e4 36 ac f6 e8 9d fa e0 b3 d9 5b 91 1a f1
  //             81 8e 00 81 50 48 11 a5 f3 c5 d1 ce d3 e5 92 22 4f 1d 2c a3 bd
  //             b2 cc 89 00 16 05 db 69 87 89 9e b9 9f 94 26 54 01 a9 5f f0 a5
  //             a2 66 43 8f 1d b4 61 b7 eb ed d4 19 bc 03 8f 7d 36 bd 2b d4 b3
  //             f9 2c d1 46 9b 63 b1 ce 45 6a 96 15 2d 35 3a 8a b6 5f 8b ae 52
  //             1d b7 3f f0 0b 5d 5c ac 7a 43 9a b4 0d 97 e5 7f 23 e7 03 fd 63
  //             95 93 0b 9c 34 85 ab 18 1a 83 ed 56 8c ad e4 31 11 53 0e c5 84
  //             cf b4 8e 0c c5 d6 3e 28 07 b2 e9 85 25 a8 4f 9a c5 9c f7 4f 3b
  //             a2 79 e2 28 e2 a0 dc 8d a8 01 7c ba 39 96 54 10 08 78 5a b8 f0
  //             41 f0 a8 d1 39 9d 88 a3 a5 87 65 e5 a0 14 9b 9d 0e a5 4b 32 36
  //             75 14 97 83 ec 05 7e c6 d6 e8 e6 00 b9 ec ed 07 dd cc 56 b7 7d
  //             8e a0 82 23} (length 0x346)
  //           }
  //         }
  //       }
  //       license: ptr[in, buffer] {
  //         buffer: {47 50 4c 00} (length 0x4)
  //       }
  //       loglev: int32 = 0x4 (4 bytes)
  //       logsize: len = 0xfd90 (4 bytes)
  //       log: ptr[out, buffer] {
  //         buffer: (DirOut)
  //       }
  //       kern_version: bpf_kern_version = 0x0 (4 bytes)
  //       flags: bpf_prog_load_flags = 0x0 (4 bytes)
  //       prog_name: buffer: {00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00}
  //       (length 0x10) prog_ifindex: ifindex (resource) expected_attach_type:
  //       union bpf_prog_attach_types {
  //         fallback: bpf_attach_types = 0x0 (4 bytes)
  //       }
  //       btf_fd: fd_btf (resource)
  //       func_info_rec_size: const = 0x8 (4 bytes)
  //       func_info: ptr[in, bpf_func_info] {
  //         bpf_func_info {
  //           insn_off: int32 = 0x0 (4 bytes)
  //           type_id: int32 = 0x0 (4 bytes)
  //         }
  //       }
  //       func_info_cnt: len = 0x366 (4 bytes)
  //       line_info_rec_size: const = 0x10 (4 bytes)
  //       line_info: ptr[in, bpf_line_info] {
  //         bpf_line_info {
  //           insn_off: int32 = 0x0 (4 bytes)
  //           file_name_off: int32 = 0x0 (4 bytes)
  //           line_off: int32 = 0x0 (4 bytes)
  //           line_col: int32 = 0x0 (4 bytes)
  //         }
  //       }
  //       line_info_cnt: len = 0x1dd (4 bytes)
  //       attach_btf_id: bpf_btf_id (resource)
  //       attach_prog_fd: fd_bpf_prog (resource)
  //       core_relo_cnt: len = 0x0 (4 bytes)
  //       fd_array: nil
  //       core_relos: nil
  //       core_relo_rec_size: const = 0x10 (4 bytes)
  //       log_true_size: int32 = 0x0 (4 bytes)
  //       prog_token_fd: union _bpf_prog_t[flags[bpf_prog_type, int32],
  //       bpf_prog_attach_types, bpf_btf_id[opt],
  //       fd_bpf_prog[opt]]_prog_token_fd_wrapper {
  //         void: buffer: {} (length 0x0)
  //       }
  //       pad: union _bpf_prog_t[flags[bpf_prog_type, int32],
  //       bpf_prog_attach_types, bpf_btf_id[opt],
  //       fd_bpf_prog[opt]]_pad_wrapper {
  //         value: const = 0x0 (4 bytes)
  //       }
  //     }
  //   }
  //   size: len = 0x48 (8 bytes)
  // ]
  // returns fd_bpf_prog
  // bpf_attr at 0x...e000; the 838-byte instruction blob (same bytes as the
  // ANYBLOB dump above) at 0x...0b80, license "GPL" at 0x...3ff6.
  NONFAILING(*(uint32_t*)0x20000000e000 = 0xe);
  NONFAILING(*(uint32_t*)0x20000000e004 = 4);
  NONFAILING(*(uint64_t*)0x20000000e008 = 0x200000000b80);
  NONFAILING(memcpy(
      (void*)0x200000000b80,
      "\xb4\x05\x00\x00\x20\x00\x80\x00\x61\x10\x60\x00\x00\x00\x00\x00\xc6\x00"
      "\x00\x00\x00\x00\x00\x02\x95\x00\x00\x00\x00\x00\x00\x00\x9f\x33\xef\x60"
      "\x91\x6e\x6e\x89\x3f\x1e\xeb\x0b\xe2\x56\x6c\xd0\x72\x30\x43\xc4\x7c\x89"
      "\x6c\xe0\xbc\xe6\x6a\x24\x5a\xd9\x9b\x81\x7f\xd9\x8c\xd8\x24\x49\x89\x49"
      "\x71\x4f\xfa\xac\x8a\x6f\x77\xef\x26\xdc\xca\x55\x82\x05\x4d\x54\xd5\x3c"
      "\xd2\xb6\xdb\x71\x4e\x4b\x94\xbd\xae\x21\x4f\xa6\x8a\x05\x57\xeb\x2c\x5c"
      "\xa6\x83\xa4\xb6\xfc\x89\x39\x8f\x2b\x90\x00\xf2\x24\x89\x10\x60\x01\x7c"
      "\xfa\x6f\xa2\x6f\xa7\xa3\x47\x01\x00\x8c\x61\x89\x7d\x4a\x61\x48\xa1\xc1"
      "\x14\x28\x60\x7c\x40\xde\x60\xbe\xac\x67\x1e\x8e\x8f\xde\xcb\x03\x58\x8a"
      "\xa6\x23\xfa\x71\xf8\x71\xab\x5c\x2f\xf8\x8a\xfc\x60\x02\x08\x4e\x5b\x52"
      "\x71\x08\x00\xe8\x35\xcf\x0d\x78\xe4\x5f\x70\x98\x38\x26\xfb\x85\x79\xc1"
      "\xfb\x01\xd2\xc5\x55\x3d\x2c\xcb\x5f\xc5\xb5\x1f\xe6\xb1\x74\xbe\xd9\x90"
      "\x7d\xcf\xf4\x14\xed\x55\xb0\xc2\x0c\xdb\xe7\x00\x9a\x6f\xe7\xcc\x78\x76"
      "\x2f\x1d\x4d\xcd\xbc\xa6\x49\x20\xdb\x9a\x50\xf8\x6c\x21\x63\x2f\xd3\x0b"
      "\xf0\x51\x21\x43\x8b\xb7\x4e\x46\x70\xab\x5d\xfe\x44\x7a\x4b\xd3\x44\xe0"
      "\xbd\x74\xff\x05\xd3\x7e\xf6\x8e\x3b\x9d\xb8\x63\xc7\x58\xff\xff\xff\xff"
      "\xb4\x26\xe1\x23\x0b\xc1\xcd\x4c\x02\xc4\xc2\xe6\xd1\x7d\xc5\xc2\xed\xf3"
      "\x32\xa6\x2f\x5f\xe6\x8f\xbb\xbb\xfc\xfd\x78\xa9\xf3\xfd\xc1\xf5\x0c\x44"
      "\x5e\x3f\x30\xe7\x03\xcf\x05\xb9\x0f\xbf\x94\x0e\x66\x52\xd3\x77\x47\x4e"
      "\xd5\xf8\x16\xf6\x6a\xc3\x02\x74\x60\xae\x99\x1e\x7f\x83\x4d\xd7\xa7\xfc"
      "\x2a\x70\x03\xd1\xa6\xcf\x54\x78\x53\x35\x84\x96\x1c\x32\x9f\xcf\x4f\xed"
      "\x5c\x94\x55\x64\x0d\xcd\x28\x27\x3d\xc9\x75\x3c\xc9\x79\x11\x3f\x29\x15"
      "\xa3\x03\x9c\x3c\xa6\x0e\xc5\x3b\xb1\x13\x0c\x2d\x27\xfe\xd7\xd6\x7c\x44"
      "\x0e\x23\xd1\x30\xe5\x1e\xea\x1e\x08\x5b\xeb\xab\xe7\x05\x9d\xe9\xcb\xfc"
      "\x51\x17\x7c\xce\x5e\xf2\x65\xc9\x2b\x79\x57\xa3\x34\xff\x7b\xe2\xca\x86"
      "\x7f\xd9\x42\x86\xe0\x16\xfe\xbf\xdb\x58\x27\xef\xc7\xa6\xef\xb0\x1d\x66"
      "\xa3\x96\xf8\x4c\x1c\xa7\x5d\xaa\x4e\xad\x09\x96\x94\xed\x03\xd4\x49\xb1"
      "\x85\xcc\x83\x6b\xab\x1a\x41\xa6\x1b\xd6\xf0\x3a\x54\xfa\xfc\xee\x55\x4b"
      "\xbb\x52\xad\xf8\xf1\xd7\xed\xe9\xf9\xa7\x11\x25\x6f\xb4\x5e\x6c\x3d\x12"
      "\xff\x56\x0e\xe6\x9d\x68\x73\x3d\x52\x2d\x9b\xbe\xcf\x52\x39\x6f\x15\x97"
      "\x63\x81\xc2\x70\x15\x40\x37\x78\x13\x98\x08\x14\x2b\x48\xce\xd1\x45\xca"
      "\x8a\x6d\xa5\xf3\x22\xd4\x13\xd0\x9c\xc3\x8b\x83\x2f\xa0\x5d\xd3\xc7\x99"
      "\x04\x25\x88\xf9\xee\xa6\xf4\x43\xba\xa7\x59\x25\x7a\x00\x00\x00\x00\x00"
      "\x00\x00\x00\x00\xbe\xd1\xda\xd2\x28\xe1\x1f\x80\xcf\xea\x58\x48\xe4\x36"
      "\xac\xf6\xe8\x9d\xfa\xe0\xb3\xd9\x5b\x91\x1a\xf1\x81\x8e\x00\x81\x50\x48"
      "\x11\xa5\xf3\xc5\xd1\xce\xd3\xe5\x92\x22\x4f\x1d\x2c\xa3\xbd\xb2\xcc\x89"
      "\x00\x16\x05\xdb\x69\x87\x89\x9e\xb9\x9f\x94\x26\x54\x01\xa9\x5f\xf0\xa5"
      "\xa2\x66\x43\x8f\x1d\xb4\x61\xb7\xeb\xed\xd4\x19\xbc\x03\x8f\x7d\x36\xbd"
      "\x2b\xd4\xb3\xf9\x2c\xd1\x46\x9b\x63\xb1\xce\x45\x6a\x96\x15\x2d\x35\x3a"
      "\x8a\xb6\x5f\x8b\xae\x52\x1d\xb7\x3f\xf0\x0b\x5d\x5c\xac\x7a\x43\x9a\xb4"
      "\x0d\x97\xe5\x7f\x23\xe7\x03\xfd\x63\x95\x93\x0b\x9c\x34\x85\xab\x18\x1a"
      "\x83\xed\x56\x8c\xad\xe4\x31\x11\x53\x0e\xc5\x84\xcf\xb4\x8e\x0c\xc5\xd6"
      "\x3e\x28\x07\xb2\xe9\x85\x25\xa8\x4f\x9a\xc5\x9c\xf7\x4f\x3b\xa2\x79\xe2"
      "\x28\xe2\xa0\xdc\x8d\xa8\x01\x7c\xba\x39\x96\x54\x10\x08\x78\x5a\xb8\xf0"
      "\x41\xf0\xa8\xd1\x39\x9d\x88\xa3\xa5\x87\x65\xe5\xa0\x14\x9b\x9d\x0e\xa5"
      "\x4b\x32\x36\x75\x14\x97\x83\xec\x05\x7e\xc6\xd6\xe8\xe6\x00\xb9\xec\xed"
      "\x07\xdd\xcc\x56\xb7\x7d\x8e\xa0\x82\x23",
      838));
  NONFAILING(*(uint64_t*)0x20000000e010 = 0x200000003ff6);
  NONFAILING(memcpy((void*)0x200000003ff6, "GPL\000", 4));
  NONFAILING(*(uint32_t*)0x20000000e018 = 4);
  NONFAILING(*(uint32_t*)0x20000000e01c = 0xfd90);
  NONFAILING(*(uint64_t*)0x20000000e020 = 0x20000000cf3d);
  NONFAILING(*(uint32_t*)0x20000000e028 = 0);
  NONFAILING(*(uint32_t*)0x20000000e02c = 0);
  NONFAILING(memset((void*)0x20000000e030, 0, 16));
  NONFAILING(*(uint32_t*)0x20000000e040 = 0);
  NONFAILING(*(uint32_t*)0x20000000e044 = 0);
  NONFAILING(*(uint32_t*)0x20000000e048 = -1);
  NONFAILING(*(uint32_t*)0x20000000e04c = 8);
  // func_info and line_info both point at 0x...0000; the second set of
  // stores overwrites the first (same address, zeros in both cases).
  NONFAILING(*(uint64_t*)0x20000000e050 = 0x200000000000);
  NONFAILING(*(uint32_t*)0x200000000000 = 0);
  NONFAILING(*(uint32_t*)0x200000000004 = 0);
  NONFAILING(*(uint32_t*)0x20000000e058 = 0x366);
  NONFAILING(*(uint32_t*)0x20000000e05c = 0x10);
  NONFAILING(*(uint64_t*)0x20000000e060 = 0x200000000000);
  NONFAILING(*(uint32_t*)0x200000000000 = 0);
  NONFAILING(*(uint32_t*)0x200000000004 = 0);
  NONFAILING(*(uint32_t*)0x200000000008 = 0);
  NONFAILING(*(uint32_t*)0x20000000000c = 0);
  NONFAILING(*(uint32_t*)0x20000000e068 = 0x1dd);
  NONFAILING(*(uint32_t*)0x20000000e06c = 0);
  NONFAILING(*(uint32_t*)0x20000000e070 = -1);
  NONFAILING(*(uint32_t*)0x20000000e074 = 0);
  NONFAILING(*(uint64_t*)0x20000000e078 = 0);
  NONFAILING(*(uint64_t*)0x20000000e080 = 0);
  NONFAILING(*(uint32_t*)0x20000000e088 = 0x10);
  NONFAILING(*(uint32_t*)0x20000000e08c = 0);
  NONFAILING(*(uint32_t*)0x20000000e090 = 0);
  res = syscall(__NR_bpf, /*cmd=*/5ul, /*arg=*/0x20000000e000ul, /*size=*/0x48ul);
  if (res != -1)
    r[4] = res;
  // bpf$MAP_CREATE arguments: [
  //   cmd: const = 0x0 (8 bytes)
  //   arg: ptr[in, bpf_map_create_arg] {
  //     union bpf_map_create_arg {
  //       base: bpf_map_create_arg_t[flags[bpf_map_type, int32], int32, int32,
  //       int32, flags[map_flags, int32], const[0, int64]] {
  //         type: bpf_map_type = 0xf (4 bytes)
  //         ksize: int32 = 0x4 (4 bytes)
  //         vsize: int32 = 0x4 (4 bytes)
  //         max: int32 = 0x12 (4 bytes)
  //         flags: map_flags = 0x0 (4 bytes)
  //         inner: fd_bpf_map (resource)
  //         node: int32 = 0x0 (4 bytes)
  //         map_name: buffer: {00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  //         00} (length 0x10) map_ifindex: ifindex (resource) btf_fd: fd_btf
  //         (resource) btf_key_type_id: int32 = 0x0 (4 bytes)
  //         btf_value_type_id: int32 = 0x0 (4 bytes)
  //         btf_vmlinux_type_id: int32 = 0x0 (4 bytes)
  //         map_extra: const = 0x0 (8 bytes)
  //         value_type_btf_obj_fd: union
  //         _bpf_map_create_arg_t[flags[bpf_map_type, int32], int32, int32,
  //         int32, flags[map_flags, int32], const[0,
  //         int64]]_value_type_btf_obj_fd_wrapper {
  //           void: buffer: {} (length 0x0)
  //         }
  //         pad1: union _bpf_map_create_arg_t[flags[bpf_map_type, int32],
  //         int32, int32, int32, flags[map_flags, int32], const[0,
  //         int64]]_pad1_wrapper {
  //           value: const = 0x0 (4 bytes)
  //         }
  //         map_token_fd: union _bpf_map_create_arg_t[flags[bpf_map_type,
  //         int32], int32, int32, int32, flags[map_flags, int32], const[0,
  //         int64]]_map_token_fd_wrapper {
  //           void: buffer: {} (length 0x0)
  //         }
  //         pad2: union _bpf_map_create_arg_t[flags[bpf_map_type, int32],
  //         int32, int32, int32, flags[map_flags, int32], const[0,
  //         int64]]_pad2_wrapper {
  //           value: const = 0x0 (4 bytes)
  //         }
  //       }
  //     }
  //   }
  //   size: len = 0x48 (8 bytes)
  // ]
  // returns fd_bpf_map
  NONFAILING(*(uint32_t*)0x200000000200 = 0xf);
  NONFAILING(*(uint32_t*)0x200000000204 = 4);
  NONFAILING(*(uint32_t*)0x200000000208 = 4);
  NONFAILING(*(uint32_t*)0x20000000020c = 0x12);
  NONFAILING(*(uint32_t*)0x200000000210 = 0);
  NONFAILING(*(uint32_t*)0x200000000214 = -1);
  NONFAILING(*(uint32_t*)0x200000000218 = 0);
  NONFAILING(memset((void*)0x20000000021c, 0, 16));
  NONFAILING(*(uint32_t*)0x20000000022c = 0);
  NONFAILING(*(uint32_t*)0x200000000230 = -1);
  NONFAILING(*(uint32_t*)0x200000000234 = 0);
  NONFAILING(*(uint32_t*)0x200000000238 = 0);
  NONFAILING(*(uint32_t*)0x20000000023c = 0);
  NONFAILING(*(uint64_t*)0x200000000240 = 0);
  NONFAILING(*(uint32_t*)0x200000000248 = 0);
  NONFAILING(*(uint32_t*)0x20000000024c = 0);
  res = syscall(__NR_bpf, /*cmd=*/0ul, /*arg=*/0x200000000200ul, /*size=*/0x48ul);
  if (res != -1)
    r[5] = res;
  // bpf$BPF_PROG_DETACH arguments: [
  //   cmd: const = 0x8 (8 bytes)
  //   arg: ptr[in, bpf_detach_arg] {
  //     bpf_detach_arg {
  //       target: union bpf_attach_targets {
  //         map: fd_bpf_map (resource)
  //       }
  //       prog: fd_bpf_prog (resource)
  //       type: bpf_attach_types = 0x5 (4 bytes)
  //       flags: bpf_mprog_attach_flags = 0x0 (4 bytes)
  //       replace_bpf_fd: const = 0x0 (4 bytes)
  //       relative_link_fd: union _bpf_detach_arg_relative_link_fd_wrapper {
  //         void: buffer: {} (length 0x0)
  //       }
  //       relative_prog_fd: union _bpf_detach_arg_relative_prog_fd_wrapper {
  //         value: fd_bpf_prog (resource)
  //       }
  //       relative_link_id: union _bpf_detach_arg_relative_link_id_wrapper {
  //         void: buffer: {} (length 0x0)
  //       }
  //       relative_prog_id: union _bpf_detach_arg_relative_prog_id_wrapper {
  //         void: buffer: {} (length 0x0)
  //       }
  //       exp_revision: bpf_revision (resource)
  //     }
  //   }
  //   size: len = 0x10 (8 bytes)
  // ]
  NONFAILING(*(uint32_t*)0x200000000080 = r[5]);
  NONFAILING(*(uint32_t*)0x200000000084 = r[4]);
  NONFAILING(*(uint32_t*)0x200000000088 = 5);
  NONFAILING(*(uint32_t*)0x20000000008c = 0);
  NONFAILING(*(uint32_t*)0x200000000090 = 0);
  NONFAILING(*(uint32_t*)0x200000000094 = -1);
  NONFAILING(*(uint64_t*)0x200000000098 = 0);
  syscall(__NR_bpf, /*cmd=*/8ul, /*arg=*/0x200000000080ul, /*size=*/0x10ul);
  // bpf$MAP_UPDATE_ELEM arguments: [
  //   cmd: const = 0x2 (8 bytes)
  //   arg: ptr[in, bpf_map_update_arg] {
  //     bpf_map_update_arg {
  //       map: fd_bpf_map (resource)
  //       pad = 0x0 (4 bytes)
  //       key: ptr[in, buffer] {
  //         buffer: {} (length 0x0)
  //       }
  //       val: ptr[in, bpf_map_update_val] {
  //         union bpf_map_update_val {
  //           tcp: sock_tcp (resource)
  //         }
  //       }
  //       flags: bpf_map_flags = 0x0 (8 bytes)
  //     }
  //   }
  //   size: len = 0x20 (8 bytes)
  // ]
  // The value written into the map is the TCP socket fd r[3].
  NONFAILING(*(uint32_t*)0x200000000100 = r[5]);
  NONFAILING(*(uint64_t*)0x200000000108 = 0x200000000340);
  NONFAILING(*(uint64_t*)0x200000000110 = 0x200000000040);
  NONFAILING(*(uint32_t*)0x200000000040 = r[3]);
  NONFAILING(*(uint64_t*)0x200000000118 = 0);
  syscall(__NR_bpf, /*cmd=*/2ul, /*arg=*/0x200000000100ul, /*size=*/0x20ul);
  // sendto$inet arguments: [
  //   fd: sock_in (resource)
  //   buf: ptr[in, buffer] {
  //     buffer: {2b} (length 0x1)
  //   }
  //   len: len = 0xffffffffffffff60 (8 bytes)
  //   f: send_flags = 0xf405 (8 bytes)
  //   addr: nil
  //   addrlen: len = 0xf06 (8 bytes)
  // ]
  NONFAILING(memset((void*)0x2000000000c0, 43, 1));
  syscall(__NR_sendto, /*fd=*/r[3], /*buf=*/0x2000000000c0ul,
          /*len=*/0xffffffffffffff60ul,
          /*f=MSG_OOB|MSG_NOSIGNAL|MSG_MORE|MSG_DONTROUTE|0x3400*/ 0xf405ul,
          /*addr=*/0ul, /*addrlen=*/0xf06ul);
  // getsockopt$inet_tcp_TCP_ZEROCOPY_RECEIVE arguments: [
  //   fd: sock_tcp (resource)
  //   level: const = 0x6 (4 bytes)
  //   optname: const = 0x23 (4 bytes)
  //   optval: ptr[in, tcp_zerocopy_receive] {
  //     tcp_zerocopy_receive {
  //       address: VMA[0x2000]
  //       length: len = 0x2000 (4 bytes)
  //       recv_skip_hint: int32 = 0x0 (4 bytes)
  //       inq: int32 = 0x0 (4 bytes)
  //       err: int32 = 0x0 (4 bytes)
  //       copybuf_address: nil
  //       copybuf_len: bytesize = 0xfffffffffffffc44 (4 bytes)
  //       flags: tcp_zerocopy_receive_flags = 0x0 (4 bytes)
  //       msg_control: nil
  //       msg_controllen: bytesize = 0x0 (8 bytes)
  //       msg_flags: int32 = 0x0 (4 bytes)
  //       reserved: const = 0x0 (4 bytes)
  //     }
  //   }
  //   optlen: ptr[inout, len] {
  //     len = 0x40 (4 bytes)
  //   }
  // ]
  NONFAILING(*(uint64_t*)0x200000000340 = 0x200000003000);
  NONFAILING(*(uint32_t*)0x200000000348 = 0x2000);
  NONFAILING(*(uint64_t*)0x200000000358 = 0);
  NONFAILING(*(uint32_t*)0x200000000360 = 0xfffffc44);
  NONFAILING(*(uint32_t*)0x200000000364 = 0);
  NONFAILING(*(uint64_t*)0x200000000368 = 0);
  NONFAILING(*(uint64_t*)0x200000000370 = 0);
  NONFAILING(*(uint32_t*)0x20000000037c = 0);
  NONFAILING(*(uint32_t*)0x200000000380 = 0x40);
  syscall(__NR_getsockopt, /*fd=*/r[3], /*level=*/6, /*optname=*/0x23,
          /*optval=*/0x200000000340ul, /*optlen=*/0x200000000380ul);
  return 0;
}