// https://syzkaller.appspot.com/bug?id=1f122822446e3863604a9e3c9dffaacea6098596
// autogenerated by syzkaller (http://github.com/google/syzkaller)
//
// Reproducer layout (as far as this excerpt shows): process-management and
// network-setup helpers first, then a sandbox that forks into a fresh net
// namespace, then loop(), which replays the recorded syscall sequence.
#define _GNU_SOURCE
/* NOTE(review): the header names were lost when this listing was extracted;
 * only the bare `#include` directives survive and they will not preprocess as
 * written. Restore the include list from the linked bug page before building. */
#include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include

// Terminate the whole thread group with `status`. Uses the raw exit_group
// syscall rather than exit() so no atexit/stdio handlers run; the trailing
// infinite loop only exists to satisfy the noreturn attribute.
__attribute__((noreturn)) static void doexit(int status)
{
  volatile unsigned i;
  syscall(__NR_exit_group, status);
  for (i = 0;; i++) {
  }
}

/* NOTE(review): two more includes whose header names were lost in extraction. */
#include #include

// Exit codes reported back to the syzkaller harness.
const int kFailStatus = 67;   // hard failure of the reproducer itself
const int kRetryStatus = 69;  // transient resource failure; caller may retry

// Print a printf-style message plus the errno captured on entry, then exit.
// ENOMEM/EAGAIN are reported as retryable, everything else as a hard failure.
// errno is saved first so the stdio calls below cannot clobber it.
static void fail(const char* msg, ...)
{
  int e = errno;
  va_list args;
  va_start(args, msg);
  vfprintf(stderr, msg, args);
  va_end(args);
  fprintf(stderr, " (errno %d)\n", e);
  doexit((e == ENOMEM || e == EAGAIN) ? kRetryStatus : kFailStatus);
}

// Bitfield helpers used by loop() to assemble packet headers in place.
// BITMASK_LEN(type, n) is the low n bits set; BITMASK_LEN_OFF shifts that
// mask to bit offset bf_off. A shift by bf_len == 64 is undefined, but
// callers in this file only use small widths.
#define BITMASK_LEN(type, bf_len) (type)((1ull << (bf_len)) - 1)
#define BITMASK_LEN_OFF(type, bf_off, bf_len) \
  (type)(BITMASK_LEN(type, (bf_len)) << (bf_off))
// Read-modify-write `val` into bits [bf_off, bf_off+bf_len) of *addr.
// bf_off == 0 && bf_len == 0 means "store the whole field".
// NOTE(review): the macro expands to a bare if/else, not do { } while (0),
// so it must not be used as the unbraced body of an outer `if` (dangling
// else); the generated code below only uses it as a standalone statement.
#define STORE_BY_BITMASK(type, addr, val, bf_off, bf_len)               \
  if ((bf_off) == 0 && (bf_len) == 0) {                                \
    *(type*)(addr) = (type)(val);                                      \
  } else {                                                             \
    type new_val = *(type*)(addr);                                     \
    new_val &= ~BITMASK_LEN_OFF(type, (bf_off), (bf_len));             \
    new_val |= ((type)(val)&BITMASK_LEN(type, (bf_len))) << (bf_off);  \
    *(type*)(addr) = new_val;                                          \
  }

// Incremental Internet (RFC 1071 style ones'-complement) checksum state.
// Not referenced by the syscall sequence shown in this excerpt.
struct csum_inet {
  uint32_t acc;
};

static void csum_inet_init(struct csum_inet* csum)
{
  csum->acc = 0;
}

// Fold `length` bytes of `data` into the running sum, two bytes at a time,
// then reduce the carries back into 16 bits.
// NOTE(review): the 16-bit loads go through a cast of a byte pointer, so
// they are unaligned and alias-violating in strict C; fine for the x86
// kernels this reproducer targets, but not portable. The trailing odd byte
// is added into the low half of a host-order word, which matches network
// byte order only on a little-endian host — TODO confirm if ever built for
// big-endian.
static void csum_inet_update(struct csum_inet* csum, const uint8_t* data, size_t length)
{
  if (length == 0)
    return;
  size_t i;
  for (i = 0; i < length - 1; i += 2)
    csum->acc += *(uint16_t*)&data[i];
  if (length & 1)
    csum->acc += (uint16_t)data[length - 1];
  while (csum->acc > 0xffff)
    csum->acc = (csum->acc & 0xffff) + (csum->acc >> 16);
}

// Final checksum value: the ones' complement of the folded accumulator.
static uint16_t csum_inet_digest(struct csum_inet* csum)
{
  return ~csum->acc;
}

// vsnprintf that aborts instead of silently truncating. Because every shell
// command line in this file is built through here, a command can never be
// cut short and executed in a different form than intended.
static void vsnprintf_check(char* str, size_t size, const char* format, va_list args)
{
  int rv;
  rv = vsnprintf(str, size, format, args);
  if (rv < 0)
    fail("tun: snprintf failed");
  if ((size_t)rv >= size)
    fail("tun: string '%s...' doesn't fit into buffer", str);
}

// Variadic wrapper over vsnprintf_check with the same abort-on-truncation contract.
static void snprintf_check(char* str, size_t size, const char* format, ...)
{
  va_list args;
  va_start(args, format);
  vsnprintf_check(str, size, format, args);
  va_end(args);
}

#define COMMAND_MAX_LEN 128
// Prepended to every command so `ip`/`sysctl` resolve regardless of the
// inherited environment; it is a shell variable assignment scoped to the
// single command that follows it.
#define PATH_PREFIX \
  "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin "
#define PATH_PREFIX_LEN (sizeof(PATH_PREFIX) - 1)

// Format a command line and run it through system() (i.e. /bin/sh -c).
// `panic` selects whether a non-zero exit status is fatal.
// Security note: this is a shell invocation, so the format arguments must be
// trusted. Every caller in this file passes compile-time constants
// (interface names, addresses, device names) or strings derived from a loop
// index, never data from the fuzzed program, so there is no injection
// surface here — keep it that way if callers are added.
static void execute_command(bool panic, const char* format, ...)
{
  va_list args;
  char command[PATH_PREFIX_LEN + COMMAND_MAX_LEN];
  int rv;
  va_start(args, format);
  memcpy(command, PATH_PREFIX, PATH_PREFIX_LEN);
  vsnprintf_check(command + PATH_PREFIX_LEN, COMMAND_MAX_LEN, format, args);
  rv = system(command);
  if (panic && rv != 0)
    fail("tun: command \"%s\" failed with code %d", &command[0], rv);
  va_end(args);
}

// Descriptor of the TAP device used to inject frames; -1 until initialize_tun()
// succeeds, and syz_emit_ethernet() refuses to send while it is negative.
static int tunfd = -1;
// Non-zero when the kernel accepted IFF_NAPI_FRAGS, enabling fragmented writev()s.
static int tun_frags_enabled;

#define SYZ_TUN_MAX_PACKET_SIZE 1000
#define TUN_IFACE "syz_tun"
#define LOCAL_MAC "aa:aa:aa:aa:aa:aa"
#define REMOTE_MAC "aa:aa:aa:aa:aa:bb"
#define LOCAL_IPV4 "172.20.20.170"
#define REMOTE_IPV4 "172.20.20.187"
#define LOCAL_IPV6 "fe80::aa"
#define REMOTE_IPV6 "fe80::bb"
// Defined locally so the reproducer builds against headers that predate
// these tun flags; the values must match the kernel's.
#define IFF_NAPI 0x0010
#define IFF_NAPI_FRAGS 0x0020

// Create and configure the TAP interface the reproducer injects packets into.
// Missing /dev/net/tun is non-fatal (only a warning is printed); every later
// step aborts via fail(). Opening tun and running `ip`/`sysctl` both need
// network-admin privileges — presumably the reproducer runs as root in a VM.
static void initialize_tun(void)
{
  tunfd = open("/dev/net/tun", O_RDWR | O_NONBLOCK);
  if (tunfd == -1) {
    printf("tun: can't open /dev/net/tun: please enable CONFIG_TUN=y\n");
    printf("otherwise fuzzing or reproducing might not work as intended\n");
    return;
  }
  // Pin the tun fd to a fixed high number, presumably so the descriptor
  // numbers produced by the fuzzed syscalls stay stable across runs.
  const int kTunFd = 252;
  if (dup2(tunfd, kTunFd) < 0)
    fail("dup2(tunfd, kTunFd) failed");
  close(tunfd);
  tunfd = kTunFd;
  struct ifreq ifr;
  memset(&ifr, 0, sizeof(ifr));
  // strncpy would leave ifr_name unterminated for names >= IFNAMSIZ, but
  // "syz_tun" is well under the limit and ifr was zeroed above.
  strncpy(ifr.ifr_name, TUN_IFACE, IFNAMSIZ);
  // Try NAPI + fragment mode first; fall back to a plain TAP device on
  // kernels that reject the newer flags.
  ifr.ifr_flags = IFF_TAP | IFF_NO_PI | IFF_NAPI | IFF_NAPI_FRAGS;
  if (ioctl(tunfd, TUNSETIFF, (void*)&ifr) < 0) {
    ifr.ifr_flags = IFF_TAP | IFF_NO_PI;
    if (ioctl(tunfd, TUNSETIFF, (void*)&ifr) < 0)
      fail("tun: ioctl(TUNSETIFF) failed");
  }
  // Re-read the flags to learn which mode actually took effect.
  if (ioctl(tunfd, TUNGETIFF, (void*)&ifr) < 0)
    fail("tun: ioctl(TUNGETIFF) failed");
  tun_frags_enabled = (ifr.ifr_flags & IFF_NAPI_FRAGS) != 0;
  // Disable DAD and router solicitations so the link-local address is usable
  // immediately and the interface stays quiet; then assign addresses and
  // static neighbour entries so traffic to the "remote" side needs no ARP/ND.
  execute_command(1, "sysctl -w net.ipv6.conf.%s.accept_dad=0", TUN_IFACE);
  execute_command(1, "sysctl -w net.ipv6.conf.%s.router_solicitations=0", TUN_IFACE);
  execute_command(1, "ip link set dev %s address %s", TUN_IFACE, LOCAL_MAC);
  execute_command(1, "ip addr add %s/24 dev %s", LOCAL_IPV4, TUN_IFACE);
  execute_command(1, "ip -6 addr add %s/120 dev %s", LOCAL_IPV6, TUN_IFACE);
  execute_command(1, "ip neigh add %s lladdr %s dev %s nud permanent", REMOTE_IPV4, REMOTE_MAC, TUN_IFACE);
  execute_command(1, "ip -6 neigh add %s lladdr %s dev %s nud permanent", REMOTE_IPV6, REMOTE_MAC, TUN_IFACE);
  execute_command(1, "ip link set dev %s up", TUN_IFACE);
}

// Address templates for the extra devices; the %d / %02hx is filled with the
// device index + 10, so device i gets 172.20.20.(i+10), fe80::(i+10 in hex)
// and a MAC ending in that same hex byte.
#define DEV_IPV4 "172.20.20.%d"
#define DEV_IPV6 "fe80::%02hx"
#define DEV_MAC "aa:aa:aa:aa:aa:%02hx"

// Create a set of virtual network devices and give each one addresses so the
// fuzzed syscalls have interfaces to target. All commands run with panic=0:
// a device type that the kernel lacks simply gets skipped.
static void initialize_netdevices(void)
{
  unsigned i;
  const char* devtypes[] = {"ip6gretap", "bridge", "vcan", "bond", "veth"};
  const char* devnames[] = {"lo", "sit0", "bridge0", "vcan0", "tunl0", "gre0", "gretap0", "ip_vti0", "ip6_vti0", "ip6tnl0", "ip6gre0", "ip6gretap0", "erspan0", "bond0", "veth0", "veth1"};
  for (i = 0; i < sizeof(devtypes) / (sizeof(devtypes[0])); i++)
    execute_command(0, "ip link add dev %s0 type %s", devtypes[i], devtypes[i]);
  // veth0 was created by the loop above; add its peer-less sibling veth1.
  execute_command(0, "ip link add dev veth1 type veth");
  for (i = 0; i < sizeof(devnames) / (sizeof(devnames[0])); i++) {
    char addr[32];
    snprintf_check(addr, sizeof(addr), DEV_IPV4, i + 10);
    execute_command(0, "ip -4 addr add %s/24 dev %s", addr, devnames[i]);
    snprintf_check(addr, sizeof(addr), DEV_IPV6, i + 10);
    execute_command(0, "ip -6 addr add %s/120 dev %s", addr, devnames[i]);
    snprintf_check(addr, sizeof(addr), DEV_MAC, i + 10);
    execute_command(0, "ip link set dev %s address %s", devnames[i], addr);
    execute_command(0, "ip link set dev %s up", devnames[i]);
  }
}

#define MAX_FRAGS 4
// Fragmentation directive for syz_emit_ethernet: split the frame into
// `count` pieces of the given sizes; `full` says whether any remaining bytes
// are sent as a final fragment or dropped.
struct vnet_fragmentation {
  uint32_t full;
  uint32_t count;
  uint32_t frags[MAX_FRAGS];
};

// Inject one Ethernet frame (a1, a0 bytes) into the TAP device, optionally
// split per the vnet_fragmentation at a2. Returns the writev() result, or
// (uintptr_t)-1 when no tun device is open. a1/a2 are raw addresses supplied
// by the generated program, so they are trusted here.
// Bounds: `count` is clamped to MAX_FRAGS and each fragment to the remaining
// length, and vecs has MAX_FRAGS + 1 slots, so the optional trailing
// remainder vector can never overrun the array.
static uintptr_t syz_emit_ethernet(uintptr_t a0, uintptr_t a1, uintptr_t a2)
{
  if (tunfd < 0)
    return (uintptr_t)-1;
  uint32_t length = a0;
  char* data = (char*)a1;
  struct vnet_fragmentation* frags = (struct vnet_fragmentation*)a2;
  struct iovec vecs[MAX_FRAGS + 1];
  uint32_t nfrags = 0;
  if (!tun_frags_enabled || frags == NULL) {
    // No fragmentation support or none requested: one vector, whole frame.
    vecs[nfrags].iov_base = data;
    vecs[nfrags].iov_len = length;
    nfrags++;
  } else {
    bool full = true;
    uint32_t i, count = 0;
    full = frags->full;
    count = frags->count;
    if (count > MAX_FRAGS)
      count = MAX_FRAGS;
    for (i = 0; i < count && length != 0; i++) {
      uint32_t size = 0;
      size = frags->frags[i];
      if (size > length)
        size = length;
      vecs[nfrags].iov_base = data;
      vecs[nfrags].iov_len = size;
      nfrags++;
      data += size;
      length -= size;
    }
    // Leftover bytes are sent as one more vector only if `full` is set (or
    // nothing was queued at all); otherwise the frame is deliberately truncated.
    if (length != 0 && (full || nfrags == 0)) {
      vecs[nfrags].iov_base = data;
      vecs[nfrags].iov_len = length;
      nfrags++;
    }
  }
  return writev(tunfd, vecs, nfrags);
}

static void loop();

// Per-child hardening applied after fork: die with the parent, detach into a
// new session, cap memory/file/stack usage, disable core dumps, and move into
// private mount/IPC/cgroup/UTS/SysV-sem namespaces. Every unshare() is
// best-effort on purpose — a kernel without a namespace type just keeps the
// parent's — which is why the results are ignored.
static void sandbox_common()
{
  prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
  setpgrp();
  setsid();
  struct rlimit rlim;
  rlim.rlim_cur = rlim.rlim_max = 128 << 20;
  setrlimit(RLIMIT_AS, &rlim);
  rlim.rlim_cur = rlim.rlim_max = 8 << 20;
  setrlimit(RLIMIT_MEMLOCK, &rlim);
  rlim.rlim_cur = rlim.rlim_max = 1 << 20;
  setrlimit(RLIMIT_FSIZE, &rlim);
  rlim.rlim_cur = rlim.rlim_max = 1 << 20;
  setrlimit(RLIMIT_STACK, &rlim);
  rlim.rlim_cur = rlim.rlim_max = 0;
  setrlimit(RLIMIT_CORE, &rlim);
// Defined here presumably because older libc headers lack it; value must
// match the kernel's CLONE_NEWCGROUP.
#define CLONE_NEWCGROUP 0x02000000
  if (unshare(CLONE_NEWNS)) {
  }
  if (unshare(CLONE_NEWIPC)) {
  }
  if (unshare(CLONE_NEWCGROUP)) {
  }
  if (unshare(CLONE_NEWUTS)) {
  }
  if (unshare(CLONE_SYSVSEM)) {
  }
}

// The "none" sandbox: fork a child that runs loop() in its own PID and
// network namespaces with the tun/netdev setup above. Returns the child's
// pid to the parent; the child never returns (doexit(1) after loop()).
// Security note: despite the name, nothing here drops privileges — the child
// keeps the caller's uid and capabilities, which the tun/ip setup relies on.
static int do_sandbox_none(void)
{
  if (unshare(CLONE_NEWPID)) {
  }
  int pid = fork();
  if (pid < 0)
    fail("sandbox fork failed");
  if (pid)
    return pid;
  sandbox_common();
  if (unshare(CLONE_NEWNET)) {
  }
  initialize_tun();
  initialize_netdevices();
  loop();
  doexit(1);
}

// Syscall result table: r[0] holds the socket fd created in loop(). It starts
// as -1 and is only overwritten when the socket() call succeeds.
uint64_t r[1] = {0xffffffffffffffff};

// Replay of the recorded syscall sequence. Starts with socket(AF_INET6,
// SOCK_DGRAM, 0) (0xa and 2 are the Linux values of those constants).
// NOTE(review): the stores that follow target fixed addresses around
// 0x20000000; the mapping that backs that region is not part of this
// excerpt (syzkaller normally creates it in main) — confirm it is present
// before running the reproducer standalone.
void loop()
{
  long res;
  res = syscall(__NR_socket, 0xa, 2, 0);
if (res != -1) r[0] = res; *(uint16_t*)0x20000280 = 0xa; *(uint16_t*)0x20000282 = htobe16(0x4e23); *(uint32_t*)0x20000284 = 0xf82a; *(uint8_t*)0x20000288 = -1; *(uint8_t*)0x20000289 = 1; *(uint8_t*)0x2000028a = 0; *(uint8_t*)0x2000028b = 0; *(uint8_t*)0x2000028c = 0; *(uint8_t*)0x2000028d = 0; *(uint8_t*)0x2000028e = 0; *(uint8_t*)0x2000028f = 0; *(uint8_t*)0x20000290 = 0; *(uint8_t*)0x20000291 = 0; *(uint8_t*)0x20000292 = 0; *(uint8_t*)0x20000293 = 0; *(uint8_t*)0x20000294 = 0; *(uint8_t*)0x20000295 = 0; *(uint8_t*)0x20000296 = 0; *(uint8_t*)0x20000297 = 1; *(uint32_t*)0x20000298 = 4; syscall(__NR_connect, r[0], 0x20000280, 0x1c); *(uint64_t*)0x20000240 = 0; *(uint32_t*)0x20000248 = 0; *(uint64_t*)0x20000250 = 0x20000200; *(uint64_t*)0x20000200 = 0x20000100; *(uint64_t*)0x20000208 = 0; *(uint64_t*)0x20000210 = 0x20000180; *(uint64_t*)0x20000218 = 0; *(uint64_t*)0x20000258 = 2; *(uint64_t*)0x20000260 = 0x200012c0; *(uint64_t*)0x200012c0 = 0x10; *(uint32_t*)0x200012c8 = 0x115; *(uint32_t*)0x200012cc = 1; *(uint64_t*)0x200012d0 = 0x1010; *(uint32_t*)0x200012d8 = 0x29; *(uint32_t*)0x200012dc = 3; memcpy( (void*)0x200012e0, "\xc1\xd6\x66\x76\x83\x7e\x35\xf0\x35\x39\x8b\x03\x3e\x88\xdd\x02\xf7\xff" "\xe1\x55\xa4\x93\x97\xe4\x4e\x6c\x3c\x20\xcf\x83\x63\x1f\x74\xe2\x91\x06" "\xdd\xd3\x47\x40\x89\x9b\xd0\x1b\x4d\x55\x6d\x17\xc7\x71\xaa\xb0\x64\x57" "\x7b\x24\x2d\x34\x15\x17\x3b\xfa\x6c\xd2\x60\xcf\xe3\xab\x61\x03\xaf\x19" "\xa5\x49\x4d\xb0\x8e\xff\xcb\x0c\x79\x71\x9b\x63\x0e\x36\xd4\xed\x4e\xb1" "\xd0\xaa\x3e\x83\x44\x5c\xbc\x05\xca\x75\x12\x3e\x65\xc1\x2a\x5e\xd1\x01" "\x01\xd6\x16\x38\x66\x5b\x4c\xd6\x8b\xa0\x4f\x3c\x47\xdd\x1b\x4d\xf6\xd1" "\xa9\x68\x91\xd3\x18\x30\xa3\x16\x73\x77\x8e\xf8\xe0\x1b\xda\x95\xc2\xa6" "\xb7\xdd\x25\x9b\xae\x68\x6b\x55\x5f\x0a\xff\x4a\x90\xdb\x2b\x12\xa2\x13" "\x86\x40\x7d\xdf\x66\x12\x3c\x49\xb3\x47\x77\x7f\xa4\x40\x17\x0e\x3a\xed" "\xda\x8b\x41\xfa\x07\x55\xcd\x4c\x37\x8c\xa8\xfb\x85\xdd\x16\xb9\x7e\x73" 
"\xdd\x23\xd2\xc2\xd7\x59\x34\xd3\xeb\x76\x02\x02\x3c\x18\x73\xc9\xcc\x4c" "\x1c\x3b\x87\xb7\xf0\x40\x78\xc5\x7a\xd5\x66\x83\x74\x9f\x03\xcc\x60\xe9" "\x3f\xf2\x3b\xb9\x6c\x98\xa9\x59\x50\x87\x2a\xff\xe4\x77\xcb\x83\xd4\xb5" "\x4a\xc3\xc1\x1b\xe4\x2e\x33\xb8\x81\x05\x36\xde\x62\x42\x74\x1d\x87\xfa" "\xd1\xa9\x1c\x78\x65\x59\x33\xae\x1b\x71\x87\xbc\x0e\xa4\x80\xe3\xdd\x34" "\x8d\xc5\xc6\x53\x89\xcf\x54\x2c\x4c\x10\x51\xb8\xc4\xc3\xf9\xce\x4c\x0b" "\xef\xa4\xca\xfe\x38\xbe\xc9\x78\x79\x62\xfb\x91\x38\x77\x43\x38\xd9\x95" "\x77\xdc\xb0\x24\x62\x23\x6c\x33\xef\x66\xee\x61\x3f\x77\x56\x0a\xf4\xee" "\xdf\x69\x1d\x13\xa6\xa6\xf1\x70\x71\xdf\x93\x0c\x39\x33\x44\x2e\xe7\x08" "\xf6\xd5\x73\x01\x06\x2a\x4d\xec\x4d\x40\x94\xa4\x21\x17\x02\x47\xc5\x43" "\x30\x5c\x10\x94\xe8\x9a\x4b\x11\xb5\xaf\x7e\xbd\xa8\x06\x54\x71\x05\xe3" "\x3c\x48\x83\x0a\x6e\xf3\xb5\x73\xc7\xc4\x65\xf3\xf7\xa1\xc4\xcb\x92\xcb" "\xc5\xda\x80\x32\x18\x23\x15\x8d\xf1\x51\xf0\x83\xea\xc2\xaa\x45\x37\x51" "\x6e\xe2\x60\x5d\x7f\x11\x45\x26\xe5\xe7\x78\x52\xb0\x10\xe9\xf2\x68\x71" "\x19\xda\xb9\xe4\xa2\xb7\xab\x19\x3f\x91\xb3\x7c\x8c\x39\xeb\x3e\x5a\x03" "\x59\x3f\x29\x06\xad\x0d\x22\xda\xe6\x84\xc6\xa3\xd2\x5f\xc0\x0a\x96\x27" "\x70\x05\xc4\xeb\xed\x05\xef\x30\x06\x60\x4c\x27\x49\x72\x2f\xea\xf8\x51" "\xc6\xf4\x24\x55\xfc\x60\x61\x7a\xc4\xd7\xd1\x1f\xb3\x2b\xbf\xce\x02\xa1" "\x00\xac\x4b\xf4\xa6\x57\xe3\xfb\xfb\xce\xca\xd6\xfc\xa2\x21\x46\x5e\xfc" "\xed\x24\xa6\x57\xce\xaa\xca\xed\x07\x6f\x87\xce\x44\x0a\xf0\x1c\xb1\x66" "\x91\x53\xf4\xdd\x00\x83\x59\xa2\x3b\x90\x33\x82\x39\x84\x85\x28\xfb\xb2" "\x3f\x35\x7f\xaf\x22\xcb\x32\x3a\xa9\x0f\xc3\x5d\x11\xc1\x2a\x9f\x1f\x06" "\x47\x92\x43\xa1\x57\x88\xef\x34\x0e\x10\x1e\xba\x53\xaf\x38\xa6\xed\xda" "\x88\x29\xdf\x14\xa2\xa8\x17\xe4\x2f\xcf\x73\x68\xde\x75\x62\xde\xc6\xdc" "\x12\x36\x74\x33\xf5\x43\x84\x6a\x4a\xc2\xcf\xde\x47\x71\x78\x69\x58\x8c" "\xe3\x95\x5f\x7d\xb1\x7e\xab\xaf\x0b\xf6\xc2\x19\x06\xfa\xe1\xd6\x3a\x69" 
"\x89\x40\xdd\xa8\x1a\xe3\xda\x51\x9f\x16\x77\x76\xde\x0a\x3c\x44\x51\x53" "\xcb\x5d\xd7\x3e\x4c\x1c\x95\x26\x5a\xe9\x7a\x3f\x02\xc1\x2e\x29\x46\xee" "\xa1\xf4\x57\x39\x58\x72\x9c\xe4\xd2\x70\x84\xb7\xe9\x7a\x28\xc6\x49\x4f" "\x4e\xb5\x48\xa4\x7a\x08\x20\xea\x95\xc6\x66\x35\x62\x5c\xe4\x1d\x0c\x03" "\x6f\xfd\x19\xcd\xb6\xb8\xfe\x8e\x28\xfd\x6f\xa9\x2b\x7e\x80\xf7\xfb\x6f" "\x72\x01\x7d\xd0\x0f\xc4\x35\x7d\xe0\x1a\x42\xa9\x73\xd3\x68\xc6\x52\x95" "\xfc\x35\x9a\x79\x3b\x9b\xd5\xa1\xa1\x79\x89\xff\xc4\xab\xab\xf4\x26\xc6" "\x23\xcf\xee\x37\x38\xf3\xef\x2b\x34\xfa\xb4\x7a\x42\xa8\xfa\xcf\x65\xf8" "\x9f\x93\xd0\xd9\x9a\xa9\x59\x0b\xc3\x3e\xb7\xd4\xbb\xa3\x09\xcb\xc1\xe0" "\x5d\x2a\x2c\x0b\x29\x5b\x60\x74\x22\x5c\x6e\x9c\x7a\x73\x75\x74\x3d\xf2" "\xc1\xa4\x0b\x8f\xbc\xaa\xaf\x06\x43\xfd\xbd\x7d\xc4\x0d\x20\xd2\xdc\x0f" "\xce\x52\xbe\xc8\x97\x7a\x80\xb9\xcb\x63\x52\x95\x0a\xef\x64\x6f\x28\x9d" "\xff\x20\x89\xa3\x9b\x66\xd0\xb1\x4c\x98\xc8\x0c\x03\x00\x2e\xa5\xc8\xeb" "\xad\x1b\x09\x5f\x46\xc5\xeb\xba\x07\x7e\x38\x96\xcd\xbe\x83\x12\x6f\xb0" "\x27\x22\x04\x5d\xf7\x5a\x0f\xea\xf5\xef\xe7\xe5\x8c\x39\xf5\xb6\x1f\x44" "\xfa\xa7\x9d\x78\xa6\xcc\x0a\x5a\x5a\x31\x5c\x93\x05\x56\xe0\xfb\x1d\xe3" "\xeb\x43\xc3\x3d\x3c\x6b\x4b\x86\x4f\xda\x55\x41\xf1\x71\x14\x76\xc2\x34" "\x53\x93\xdb\xee\x34\xeb\xde\x7a\x8a\x9e\x2c\x97\xb4\xb4\x13\xf9\x0e\x11" "\x60\x95\x61\x03\x64\xc7\x61\x22\x0f\x75\x5b\x9a\xa9\xa2\x7e\xe5\x67\x53" "\x11\xc1\x77\x36\xc2\x7f\xc0\xae\x59\xc3\x5a\xba\xc9\x34\x84\xac\xb1\x99" "\x1b\x10\xfc\x63\x53\x6e\x53\xfa\x87\xe0\xc2\x18\x6c\xb1\x8c\xd4\x30\xe7" "\xd8\x98\xbc\xe1\x1d\x13\xcb\xeb\xac\xbe\x94\x0a\xea\xa2\xd9\x7e\x90\x4e" "\xac\xd1\xdf\x63\x61\xa1\xb3\xc4\x2d\xda\x69\x8f\xfd\x0e\xb9\x6c\xae\xa8" "\xdc\x87\xd2\x86\x18\x97\x7c\x6c\x08\x19\x15\x59\x65\x27\xd9\x80\x8f\xf6" "\xd0\xb0\x11\x64\x8a\x78\x33\x73\xcd\x8f\x5f\x1b\xad\x34\x91\x9e\xc9\x72" "\xd5\x9e\x6c\x86\x7c\xdd\xaf\x70\xd6\x6f\xd5\x45\x9f\xbe\x2a\x10\x01\xc7" 
"\x2a\xbf\x0a\xc9\x21\x88\x9e\x93\x1d\xa1\xff\x29\x60\x40\xb9\xb1\x46\x33" "\x1a\xf3\x8a\x07\x8f\x11\x72\xdf\x70\xc1\xce\xfe\xfe\x5a\x5f\xf7\xde\x2f" "\x28\x22\x8d\xe9\xab\x3d\xe2\x7f\x49\x71\xe3\x02\x30\x78\xcb\x4c\x6e\xa6" "\xde\xa2\xea\xd1\x31\xc7\xba\x09\x1c\x39\x89\x14\xf6\x2e\x77\xd0\xdb\x4c" "\x3f\x0e\x79\x08\xb7\xbb\x33\xf9\x7c\x42\x01\x48\x0b\xe4\xbd\xe4\x6a\x83" "\xa3\x35\xc8\x1a\x13\x37\xa6\x1b\xe0\xad\x65\x16\xb7\x68\x78\x65\xa4\x09" "\xb9\x47\x9e\x9d\x55\xaa\xcd\x7c\x5c\x56\xe3\xe3\x2a\x10\x2d\x13\x32\xc5" "\x78\xba\xc0\x6c\x8b\x23\x1d\x6b\xc1\x43\xf9\x4a\xde\xe4\xdb\x87\x4b\x99" "\xc9\x41\xa5\xb1\xd8\xee\xad\xa0\x89\xfd\xf3\xab\x16\x26\x18\xa0\x73\xd1" "\xc8\x46\xc0\x75\xf9\x76\xa3\x55\x2f\x81\x23\xcd\xcf\x63\x0c\xc3\xea\xe5" "\x47\xcd\xcc\xaa\x08\x40\x99\x06\x8d\xf4\xb2\xf6\x0e\xe3\xbf\x33\x47\x54" "\x87\xb1\x38\x41\x97\x46\x99\xc3\xfe\x98\xe2\x39\xdd\xd9\x8d\x17\xdb\x70" "\x24\xad\x36\x04\x84\x42\x2f\x43\x16\xfd\x64\x04\x88\x88\x5b\xe3\xf7\xe9" "\x45\xc5\x74\xb1\xcb\x53\x0e\xfe\x4b\x9b\x39\x20\x25\x5b\x51\x48\xae\xcc" "\x39\x9e\x14\x77\x17\xf5\x86\x41\x89\x5a\x65\xfc\x35\xf9\x15\x8d\xf6\x62" "\x04\xf0\xf2\x5f\xba\xbf\x43\x64\x30\x99\x62\x82\x99\x9f\xbd\x31\x1a\x53" "\x5b\xa0\x3e\xdd\x31\x41\xdc\x4b\xb5\x7b\xab\x31\xa2\x2b\x28\x2a\x65\x89" "\x52\x3f\xa4\x4b\x7e\xfc\x86\x25\xb0\x58\xf4\x87\x63\xa4\xa7\x3c\x08\x88" "\xf7\x1e\xad\x21\xa0\xa8\x4e\xf6\xd4\xdb\xdc\xf9\x48\x57\x67\xb4\xf7\x0f" "\x4a\x5b\x05\x0a\x72\xcb\x9d\xc2\xab\x97\x69\xa5\xe0\x01\x68\x95\x88\x58" "\x4a\x3b\x35\xf0\xcd\x90\x26\x16\x38\xd4\xc1\xa9\x99\x13\x31\xc0\xc7\xbe" "\x2a\x90\xc4\xc0\xc5\xd7\x33\x23\x69\x51\x8f\xcc\x07\x0b\x05\x2f\x6d\x25" "\x6e\x41\xaf\x6d\xaa\xa7\x52\x18\x5d\x12\x22\xe0\x87\xf3\xf1\x7c\x5c\x82" "\x54\x56\xf3\x24\x72\x01\x45\xdd\x44\x8e\x9c\xa7\xe1\xdf\xef\xda\x63\x55" "\x0c\xbe\x58\x17\x21\x15\xb7\xea\xe7\xb7\xcb\xf2\xb6\x76\x61\xaa\x52\x41" "\xae\xc8\x5f\xd2\x6c\xf9\x42\xbc\xf5\xac\x00\x9c\x05\x13\x8b\x6f\xe6\x24" 
"\xfa\xa9\x77\x96\x26\x93\xdc\x41\xe9\x17\xa9\x65\xeb\xf4\xfb\x54\x10\x4f" "\x96\x9c\x1f\x7e\x71\x90\xbf\x4e\x76\xb3\xef\xc7\x96\x7f\x14\x84\xec\xae" "\x51\x4b\xe3\xcc\xa5\x36\xc9\x38\x04\x9a\xd3\x7c\x82\x12\xb8\xe1\x3d\x6e" "\x5b\x7a\xb8\xe6\x5d\xa9\x81\x02\x98\x60\xbf\x19\xa8\x11\xcd\x15\x5c\x76" "\x2f\xaa\x27\x31\xca\x5c\xef\xb7\xcd\xfd\xd0\xdf\x41\x3e\x09\x6c\x25\xd5" "\xc8\x96\xc0\x64\xb9\x54\x37\x97\x69\xb6\xcb\x44\x72\x7c\xe2\xb3\x90\xb3" "\xa3\x98\xfc\x20\xcf\x03\x67\x2c\x31\x17\xc3\x79\xcb\xca\x26\xd0\x2a\x23" "\x19\xb7\xf8\xcd\x8d\x82\x66\x40\x66\x78\x06\xd5\xa2\x06\xb9\x53\x21\x89" "\x3d\x96\xa2\x67\xfc\x05\x34\xd2\x0c\x57\x74\xf2\xca\x83\x99\x6a\x09\xf8" "\xa6\xfa\x38\xba\xfc\x03\xee\xcb\xea\x86\x0e\x16\x04\xea\xcb\x27\xfd\xdc" "\xfd\xaa\x3e\x74\x01\xa7\xc3\xf6\x4f\xff\x6f\xd7\xf7\x6d\x6f\xf1\xdc\x37" "\xf7\x28\x2e\x8a\x7a\x39\x82\xa0\xd6\xc9\xe8\x38\x5f\x62\xef\x00\xfb\xa9" "\x37\x90\x7c\xd0\x98\xf5\x6c\x7e\xe5\x02\xc1\xaf\x11\x3f\xdc\xa9\xf9\x02" "\x12\x09\x71\xed\x6c\xbd\x2e\xd8\x7d\x2f\x50\x8c\xc1\x85\x39\x54\x14\xb7" "\x55\x1f\xbe\x0b\x1e\x43\xb5\x96\x0a\x6f\xd0\x27\x72\x78\x57\xc6\x80\x17" "\x92\x04\x90\xbb\xec\x70\xe1\x05\x78\xb8\xc8\x35\xb1\x73\xa6\x91\xa6\xd3" "\x43\xbe\xf0\x1f\x99\x12\x2a\x87\xb7\xd8\xee\xea\x84\xb8\x0e\x56\xf5\x0d" "\xfb\x8f\x04\x80\xcd\x06\x9a\x75\x9a\xd5\xfb\xef\x7f\x1b\x4a\x4f\xbc\xc0" "\x22\xd6\x75\xe9\x6f\x6a\xdc\x6b\x8c\x40\x35\xdf\xb4\x47\xca\xe1\x53\x65" "\x5b\xf6\x3a\x2d\x42\x0a\x6b\xa8\x35\x7c\xcf\xa9\x6d\xf5\x8c\x78\x43\x8e" "\xae\x54\x19\xde\x93\x24\x68\x42\xdc\x93\x7a\x60\xa0\x11\x09\xe6\x2d\xae" "\x07\x9e\xb1\xef\x34\x36\x41\xf4\x5e\xb8\x75\xdf\xe3\xfd\x18\xdf\x41\x3e" "\xc5\xb0\x65\xa2\x11\x5e\xca\xc2\x7b\x7c\xce\x5d\xdb\x0b\xc6\x95\x66\x73" "\x12\x64\xed\x6e\x2f\x05\xe9\x96\xa4\xf1\x03\x26\xab\xcf\x92\x08\x60\xca" "\xac\xe5\x43\x5c\x76\xe3\xec\x9f\x2f\x16\xf5\x50\x10\x61\x55\xa8\x36\x4a" "\x23\x83\x02\xae\x02\x32\xfb\x65\x4b\x6a\x32\x57\x87\x67\xf5\xa4\x8f\x0f" 
"\x9a\x2b\x2d\xcb\x03\x0a\x83\xc3\x91\xea\x54\xce\xd9\x32\x94\x65\x6c\x61" "\xcc\x99\x6c\xe3\x27\xe5\x75\x78\xf6\xd5\x13\x6e\x5b\x0c\xeb\x46\x30\xa9" "\x3a\x20\x19\x4a\xdd\x32\x96\x05\xd0\x5f\x99\x45\xee\x7b\x1c\x85\x46\xff" "\x2c\x48\xda\xbe\x71\x4d\xd8\x25\x4e\xba\xc6\x78\x94\x3e\x68\x21\xe6\x01" "\x6e\xd2\x2f\xef\x16\xb2\x9b\x73\x63\xd3\x81\xd5\x3a\x1c\x8b\xa5\x97\x19" "\x92\xeb\xb1\x88\x4c\x8c\xc7\x7a\xf2\x19\x62\x1a\x2d\xfb\xa8\xdc\xd0\x2f" "\x6c\xad\xf8\xe3\x47\xd0\x72\x83\x7d\xfb\x20\xec\x16\xaa\xb7\xdf\xed\xb6" "\x49\xfe\x7d\x17\x83\x75\x85\x74\x7d\x68\xda\x72\x64\x2f\x89\x2b\xde\xf1" "\x74\x30\xa6\x45\x0e\xe3\x93\x2e\xff\x66\xfd\x46\xcc\x65\x45\x8c\x73\xfe" "\x09\x03\xdc\x25\x08\x08\xa5\x29\xa3\x7c\xc7\xc9\x42\xcc\xac\x83\xdd\xaf" "\x1d\xf7\xe6\x0b\x38\x85\x6c\xb7\x48\xf9\xd6\x9b\x27\xd1\x5a\x9b\xe4\x75" "\x88\xc2\x40\x5e\x11\x25\xbc\xba\x70\x98\xd7\xd8\xf2\xfd\x07\x03\x3c\x90" "\xf1\x55\x2a\xdf\x61\xbe\x4d\x70\x44\xf3\x03\xca\xc7\xcc\xbd\x6b\x33\x4b" "\x5c\x98\x62\x16\x9c\x0f\xa1\xe8\x5f\xcf\x52\xbf\xc9\x99\xe9\x0c\x82\x24" "\xac\x9d\x77\x54\x9a\xc6\x28\xcd\xfc\x21\x35\x76\x8d\x4c\x0f\x7f\x35\x83" "\x27\xf6\x50\x00\xa4\x34\xa1\xa6\x11\x3c\x16\xb2\x73\x92\x64\x7b\x99\x90" "\x6a\xa0\x33\xd9\xf1\xe1\xd5\xf1\x69\x0e\xe3\xff\xcd\xba\x68\x93\xc6\xe8" "\x4a\x1e\x74\x25\xa7\x27\x60\xe2\x1c\x61\x2c\xce\x3c\x97\xef\x2c\xef\x1d" "\x2d\x09\xf5\x7b\x47\x4a\x95\x69\xbb\x47\x17\x2b\xf2\xbd\xa0\xc3\xc9\xe2" "\x5b\x68\xa1\x44\x9c\x17\x28\x76\x14\x8b\x74\x5f\x7c\xb9\x65\xb6\xed\x24" "\x9a\x04\x97\x78\xee\x73\x38\x5e\xcc\xa3\x24\xeb\x1b\x74\x23\x9e\xe8\x15" "\x9a\xfe\x08\xe9\xdd\x49\x6f\x09\x55\xac\xd7\x92\xb3\x76\x0c\xd4\xb6\xd6" "\x22\xa3\x4d\x53\x6e\x4e\x3e\xf5\xee\xdc\x3a\xfe\x7f\x6d\x77\xf5\xeb\x75" "\x9b\xbf\xf6\xed\xe8\x6f\x7a\xbf\x57\x3a\xbf\xa5\x3a\x40\x04\xbc\x85\xdf" "\x9f\x9d\x85\xc0\xdb\xcb\x0f\x8d\xc1\xb3\x80\x99\x8a\xc2\x59\x46\x4c\x79" "\x8a\x77\x25\xb7\xcc\xe2\xfa\xb8\xa0\xb6\x06\x04\xba\xf8\x72\x9c\xba\xc9" 
"\x06\xc1\xe1\x14\x02\x76\x3d\xc5\x6c\x87\x9b\xc3\xfd\x33\xcf\x2c\x2b\x4a" "\x0d\xa8\x39\x27\xd1\xfa\x88\xcf\xb3\xda\xe8\x88\x82\xb1\x1e\xe0\xaa\x50" "\x8f\x9b\x8e\x39\x2b\xdd\x76\x3c\x20\xaa\xcf\x8c\x7d\x59\x5d\x7b\x88\x1d" "\x43\xc3\x19\x0b\x56\xec\x34\x7e\xc4\x41\xad\x3d\x5f\xfb\x27\xf2\xef\x21" "\xdd\xff\x45\xa3\x72\x1e\x5e\x7f\x3f\x67\x3b\x78\xaf\x28\x17\x61\x00\x93" "\x81\x83\x27\x0f\x92\x37\x00\x9c\xb0\x67\xf9\xc9\xd9\x90\xe5\x11\x17\xde" "\x77\xb3\x87\x79\x35\x6a\x75\xb7\x89\xb6\x8b\x52\xab\x50\x51\x3e\x45\xf1" "\x5f\xea\x83\x78\x73\x28\xd3\xce\xb1\x8b\x0e\x4a\x57\xb1\x56\x1f\x89\xa4" "\xce\x4c\xa5\xec\x53\xf6\x12\x75\x4a\xbc\xdb\x81\xec\x40\xf9\xe9\x9c\x8c" "\x9c\x63\x9c\x90\xd9\xab\xe6\x49\x7f\x23\xa5\xfc\x4c\x5e\x0c\x35\xbe\x01" "\xd1\x7e\x1a\x6b\x5e\xa1\x2e\xcb\xc4\x8b\x8f\x9b\xab\x03\xda\x8d\x34\x7d" "\x22\x8f\xfc\x71\x5e\x13\xcb\x03\x8c\xa6\x17\xd4\xde\xa8\xd0\xae\x5d\x8d" "\xa7\x87\xe9\xff\x92\x78\xc2\x22\x8c\x05\x64\xef\x53\x52\x91\xeb\xc9\x50" "\x49\x4c\x59\x91\xb6\xe8\xda\x08\xc6\xb8\x6a\x91\xe3\xec\x46\x83\xa6\xa0" "\x16\xbf\xfc\x08\x73\x46\xa3\xe3\x8d\xb2\x98\x8e\x6c\x50\x03\x37\x0f\xf5" "\x12\x40\x3e\x83\x29\xbb\x87\x67\xa6\xc6\xf1\x4a\x78\x10\xf4\xa3\x78\xdd" "\x10\xbe\x78\x0d\x0e\x36\x6d\x9d\x5f\xcd\x5c\x26\xd8\xf1\x8b\x5f\xd7\x27" "\xe9\x50\x7a\x33\x18\x55\x03\x6d\xa9\x23\xc0\xfe\x5a\xec\x83\x64\x65\x96" "\x01\xf4\xd5\x8b\xbc\xef\xa7\x7d\xbe\x8e\x19\xa8\xb6\x35\x00\x9f\x59\x38" "\x17\xab\xdc\x4e\x97\x1d\x7c\x64\x1b\x65\x82\x7c\xf8\x2d\xce\xda\x07\x79" "\x1f\x4d\x04\xc5\x77\x2a\xd9\x59\x03\xbd\x08\xe4\xb3\x56\x61\x3c\xa6\x82" "\x20\xb8\xc7\xd6\x82\xd9\x38\xff\x03\x5f\xc4\x0c\xdb\x37\xf0\x23\xa5\xeb" "\x05\x6e\xbf\x5b\x0b\xb8\xef\x00\x74\xe2\x4e\xe7\x0e\x35\x41\xa8\xb2\xfa" "\x54\x2a\x4a\xe0\x89\xbc\x9e\xc7\x89\x77\xf1\xe4\x4d\x46\x22\x20\x19\xea" "\xca\x72\x7e\x05\x72\x80\x90\xa6\x65\x4f\xdd\x46\x0b\xef\x1b\xc1\x84\xb4" "\x5d\x1f\xe3\xee\xe0\x47\x39\x9a\x39\x1e\xf7\xb3\xa9\xbc\xa4\xa1\x7f\x22" 
"\xd7\xca\xe7\xdd\xd7\x13\x9c\x50\xd0\x6c\xc6\x55\x89\x72\x3d\x80\xed\x6c" "\xc6\x86\x04\xbc\x12\x5d\x5e\x0f\x31\x27\xd9\x79\x29\xff\xf3\xeb\xca\x7f" "\x5e\x01\xae\x16\xf0\x7e\x7d\xd2\x5d\xfd\xa7\xaf\xcd\x04\x90\xec\xd6\x23" "\xcc\x15\xaa\x6b\x6c\xd4\x9a\x27\xbc\xb0\xb8\x44\x88\xbb\x31\xb9\xa3\x72" "\x86\x4d\xea\x00\x1c\x78\x82\xa8\x29\xfe\x5c\x91\x3c\x8c\x09\x6e\xfd\xdc" "\x13\xf3\x9d\x67\xf9\x38\xb2\x48\x77\x71\x5a\xe5\xac\xfb\xc4\x5e\xb2\x66" "\x2a\xe6\xb4\xaa\x04\xfb\xcc\xa3\x18\x5c\xb4\xf6\x9c\x4b\x76\x80\xa4\x50" "\x46\x60\x4f\xa1\xaa\xdb\x90\x76\xe7\x19\x1a\x78\x57\x20\x69\x97\x4a\x03" "\x16\x97\xfe\x84\x32\x77\x11\x94\x51\x4b\x91\x47\xaf\x90\x24\x31\x54\x9f" "\xd4\x90\x48\xd2\x28\xed\x4d\xf9\xdc\xf8\x39\xad\x0e\x97\x80\x42\x90\x8d" "\x19\x1d\xbf\x41\x63\x97\x63\x00\x32\x96\x7b\x8b\x7d\x07\xcf\xf4\x42\x46" "\x0f\xda\x69\xc9\xaf\x6c\x99\x6b\xb4\x16\xf3\x64\x04\x2c\xe6\x54\xd9\xb3" "\xc6\x10\x7a\x94\x92\x85\x58\x39\xe4\xb6\x28\x89\x0b\x72\x67\x74\x55\xb5" "\x57\x19\x86\x7b\xda\x77\xcf\x4b\x10\x75\xb7\x7c\x2e\x54\xf9\x92\x69\x50" "\x2b\xf9\x6b\xe6\xd6\x6e\x40\x8c\x98\x8a\xd9\x7e\x10\x56\x9e\x2c\x34\x18" "\xc9\x53\xf0\x89\x56\xf5\x28\x2e\xc5\xf2\x6f\x5a\x10\x95\xa2\x2f\x5e\x90" "\x76\x00\xe1\x10\x42\xdf\x3e\xfe\x9e\x57\xf8\xce\xb4\x76\xdc\xc6\x8f\xcd" "\x96\xb1\xc9\xde\x24\x53\x13\x3c\xdd\x8a\x07\x1b\xfe\x78\x2d\xe8\x70\xee" "\x8d\x05\xee\x91\xa1\x39\x07\x17\xd8\x75\xb4\xf0\x2e\xdb\xd3\x84\x2c\x8f" "\xcd\x6f\x75\x12\xf4\x01\xd5\xfa\x21\x52\x57\x86\x8c\x04\x19\x26\x8c\x9b" "\xe7\xc0\xff\x9f\xf8\x02\x57\x4d\x8a\x43\x33\x40\xc2\xa4\x32\x06\x8d\x7a" "\x46\x8c\x6f\xf1\x9f\x1f\x3c\xe8\xe7\x13\x26\xbe\xfd\xca\xb6\x98\x53\xea" "\xc6\x48\x34\xd4\x12\xe7\x2f\x17\x2b\x94\xae\xf6\x0e\x2c\xb8\x95\xa4\x92" "\x53\xd2\x6a\xbc\x5e\xef\xce\xaa\x88\x05\x38\xca\x29\xa1\x06\x28\x9d\x33" "\x68\xc2\x3d\x34\x5d\xa4\xf9\x00\xdf\xd9\x58\xb3\x1f\x22\xfe\x89\xcb\x98" "\x97\x93\xfa\xc3\x40\x7f\x3f\xbd\x83\xe7\x64\x98\x2c\x7c\x7f\x52\x92\x8c" 
"\xe4\xe9\xc3\xcd\x68\x83\x72\x66\xa2\x9a\x0b\x0d\x4f\x0b\x0f\xe0\x7a\x7e" "\x72\x55\x18\xe2\x76\xfc\x10\x8b\xb2\x26\x14\xeb\x2f\x48\xd7\x0f\x38\xdf" "\x9f\x2e\x0e\x5a\xd7\x8f\x5f\x8d\xce\x31\x88\xb7\xf7\xd8\x34\xf5\x2a\x7c" "\x6c\xa1\x50\x2e\x59\x30\xf2\xb1\xa6\x31\xaf\x3d\x76\xdf\xed\xcf\xb2\xaa" "\xe5\x24\x19\x3e\x36\x3f\x70\x65\x2b\x69\xd7\x78\xed\xc3\x84\x5a\x75\x2b" "\xeb\xfd\x58\xff\x77\xd3\xf5\x90\x25\x60\x1e\xb8\x41\xc3\x41\x32\x7c\x4e" "\x47\x20\x73\xfb\x00\xa6\x24\x30\x43\x2e\xfe\x61\x3e\x64\x3b\xe2\x66\x0d" "\x30\xa9\x89\xc6\x23\xe6\x45\x4a\xf5\xac\xb8\x57\x98\x8c\xbb\x15\xb9\xaa" "\x98\xc8\xdf\x9e\xdb\x3b\x68\x7d\x74\x12\x7a\x0f\xbf\x1e\x0d\x90\xc1\x2b" "\x84\xea\xaa\x19\xe7\xd9\x18\x22\x01\x4a\x38\x55\xc3\x92\x41\x70\xba\x22" "\x85\x0b\x4d\xa3\x89\x17\xa0\x6c\x24\xcc\xd4\xbe\x36\xf3\xd4\xa7\x36\x22" "\x6c\xee\x11\x82\xf8\xec\x18\x9b\xa2\x60\xd1\xcf\x06\x35\x44\xf9\x2d\xd5" "\x0e\x26\x3b\x7c\xd0\xc7\x4e\x9a\x7b\xd7\x19\x85\xe2\x4b\xbd\xc6\x09\xff" "\x60\x50\x7b\xdf\x34\x98\x1a\x0a\xa0\xbd\x5e\x91\x40\x83\x99\xd4\xcd\x03" "\x84\x98\x3b\xb0\xef\xae\xb9\xdc\xca\xb6\x3e\x27\x38\xab\xf8\x7b\x1d\x2a" "\x2e\x23\x03\xcb\x02\xde\x46\xc0\xa4\xdc\xfd\xed\x9d\x21\xa5\x4d\x8f\x41" "\x58\x8c\x12\xc3\xa0\xa9\x29\x25\x8d\x35\xbd\x07\xc6\xe9\x7b\x77\x1b\xff" "\xfd\x86\xd8\x7b\x27\x48\x08\xe5\x26\xdf\xcf\x5e\xbe\xa1\xd4\xb7\x1a\x97" "\x8d\x8e\x7c\x9f\x38\xcb\xba\xd6\x37\xc2\xa5\xe8\x77\xbf\x17\xe0\xa8\x9c" "\x3c\x4c\x15\x99\x3b\x0c\xa2\x3a\x6b\x57\xb9\x04\x1d\x9d\x89\x67\x58\x17" "\xdf\xce\x65\xcf\xb3\x81\x89\x82\x45\x5d\x05\x7b\x15\x76\xd2\xc8\x3f\x1b" "\xaa\x4c\x9a\x57\x95\x2b\x78\x2f\xfb\x1d\xc3\xac\x7f\x29\x5b\xa9\x4b\x11" "\x51\xa7\x9a\xc9\x34\x62\x45\x33\x3c\xe3\x77\x2a\xc4\x82\xab\x88\x16\x11" "\x0b\xe1\xd9\x5e\xbb\x4f\xf8\xeb\xd1\x0b\xad\xd3\xa3\xf1\x10\xa1\x2e\x4f" "\x70\xff\x2a\x22\x42\xa3\xe8\x9c\x4f\xf5\xe9\x91\x17\xce\x07\x8d\x70\x66" "\xc4\xce\x5f\x62\x95\x55\xbf\x88\x90\xce\x55\x94\xbb\x62\xc3\x25\x84\x75" 
"\xe0\x3e\x3a\x44\x64\xc5\x72\x26\xc8\xeb\x1f\xce\xef\x9e\x3e\x7b\x48\x38" "\xfa\x02\xd0\x30\x78\x92\x03\x5d\xcc\x67\xc1\x08\x73\x01\x45\xe1\xeb\xb6" "\xc9\x61\x4c\xeb\x94\xaf\x1f\xf6\x3c\x4d\x11\x2e\x38\xa5\x1d\xb0\x75\x38" "\xf3\x09\xeb\x6c\xab\x62\x6f\xec\x79\x70\x75\x1e\xa0\x04\x6f\x6c\x7f\x0b" "\x63\x4d\x42\x5a\xb7\xb2\xc2\x11\x0b\xff\x56\x48\x6e\x51\xbf\x08\xde\x03" "\x3c\x5e\xec\xe0\x92\x4b\x8e\xc9\x4b\x30\x4d\x2b\x69\x25\xc9\x04\x1d\xd9" "\x1c\x14\xff\xdd\x5f\x31\x2f\x46\x6b\x07\x6e\xf2\x78\x67\xf1\xb9\x64\x15" "\x36\x5a\x55\x10\x75\xe0\x37\x65\x47\x3a\x28\xca\x4e\x8a\xd2\x3b\x8d\x80" "\x64\x1b\x02\xdf\xe6\x20\xa6\x8a\x18\xb1", 4096); *(uint64_t*)0x200022e0 = 0x10; *(uint32_t*)0x200022e8 = 0x13f; *(uint32_t*)0x200022ec = 2; *(uint64_t*)0x200022f0 = 0x10; *(uint32_t*)0x200022f8 = 0x13e; *(uint32_t*)0x200022fc = 4; *(uint64_t*)0x20002300 = 0x10; *(uint32_t*)0x20002308 = 0x11e; *(uint32_t*)0x2000230c = 0xe714; *(uint64_t*)0x20000268 = 0x1050; *(uint32_t*)0x20000270 = 0x84; syscall(__NR_sendmsg, r[0], 0x20000240, 0x8000); *(uint64_t*)0x20000080 = 0; *(uint32_t*)0x20000088 = 0; *(uint64_t*)0x20000090 = 0x20000000; *(uint64_t*)0x20000000 = 0x20000d00; memcpy( (void*)0x20000d00, "\x5e\x10\x9c\x9a\x14\x14\xb5\xa8\xa8\x97\x31\xf5\x05\xd4\x97\x2a\xed\x72" "\xaf\xc2\xcd\xee\xd4\xf4\x8f\x61\xfc\x23\xf0\x61\x9a\xa1\xc8\xc8\xec\x19" "\xaf\x09\x8e\x06\x09\xef\x2c\x2c\x21\x7c\xa7\x07\x65\xa7\x78\x3c\x6b\xe9" "\x9a\x4f\x0c\x38\x53\x4e\x1c\x93\x83\x13\x6c\xd5\x5a\x73\xa5\x82\xe1\xbc" "\x20\x7f\xbb\xe3\x20\x3f\xd6\x1e\xf1\x7a\xb8\x9b\x7a\xe4\xfd\x1a\xbd\x73" "\x3d\xc1\x3c\xfa\x5e\xd6\x31\x4b\xa6\x91\xad\xeb\x10\x9a\xb1\x11\x83\xb8" "\x4b\x08\x0f\x3e\xd7\xff\x6a\x50\x65\xbb\x47\xee\x87\x6d\x9a\xc5\x1f\xe9" "\x44\x8b\x8d\xdf\x05\x8a\x43\xea\x1b\x60\x3d\xe0\xab\xee\x03\xd8\xa2\x5f" "\x26\xec\x68\x36\x88\x41\xee\xf0\x32\x48\x9b\x77\xa2\x9b\xf3\x56\x2c\xf4" "\xe5\x21\x90\x71\xf9\x34\x6f\x99\x3e\x41\x62\x74\xf3\x72\xa4\x68\x3f\x7c" 
"\x6c\xb7\x58\x6d\xce\x84\x73\xd9\x60\xca\x0a\x8e\xa8\xb1\x86\x84\xcf\x07" "\x20\xd9\x4c\x12\x68\x2d\x4c\x5c\xac\xbc\x00\x9e\x02\x76\x4b\xb9\x51\x7f" "\xc2\xdd\x8c\x79\xe9\x22\x89\xe7\x89\x91\x18\xc8\xb8\xab\x1a\xb1\x57\x47" "\xa8\x57\x9c\x7a\x0a\x1e\x84\xb1\x9d\x6e\x59\xe5\x90\xac\xa9\x15\x6f\x70" "\x09\x17\xa7\xe6\x34\x43\xdc\x62\xc5\x1c\xc9\xda\x0b\x3c\x5b\xe0\x58\x03" "\xbb\x39\x32\xe5\x95\x04\x26\xff\x92\x5a\x95\x43\x1f\x4e\x23\x57\xfb\x22" "\xa3\x1a\xf0\xe6\x60\xba\xad\xe6\x63\xd6\xae\x78\xf6\x8f\xc4\xc2\x48\x59" "\x8a\xf6\xbf\xde\xf5\x77\xe8\xb0\x2d\x09\x68\x6d\xf1\x42\x4d\x7e\xdf\x54" "\x3c\xfc\xec\x7c\x30\xc6\x3f\x6f\xd9\x24\x16\x82\x98\x2e\x42\xeb\x5d\xc0" "\xe0\xfc\x97\x1e\x0a\x7d\xa6\x68\xdb\x44\x27\x9b\xe4\x00\xd4\x9c\x8d\x0b" "\xff\xcd\xaa\x14\x16\x7a\xd9\xd9\x44\x87\x0c\x67\xd9\xcb\x5e\x38\x8e\xa0" "\x46\x9e\x48\xbe\x54\xa3\x16\x8d\xc0\x9c\xa2\x4f\x85\x41\x25\x6b\xdd\xb5" "\xcb\x93\xec\x12\x71\x2d\x4f\x24\x99\x65\x6c\xa5\xa0\x67\xd8\xba\xd3\x24" "\x1f\x34\xb4\x83\x5c\xc6\xef\x06\x6e\x62\x76\xd8\xa3\xa3\x19\xd9\x19\x66" "\xe2\xd9\xcc\x72\xbe\xa1\x43\x56\x21\xee\xda\x21\xe2\x6c\xba\x7f\x7a\x10" "\xb0\x7f\x4d\xef\x55\xd1\xea\xb5\x79\x03\xef\x37\x7c\xc2\x4f\x2f\x57\x4b" "\x43\xd1\x23\x8c\x31\x13\x44\xa4\x68\x20\xaa\x99\x9f\x77\x11\x3d\x36\x29" "\x83\xa8\x0a\x72\xf5\xcf\x0f\xfb\x60\xdd\x8d\xb4\x86\x88\xee\x52\xe7\x17" "\x4a\x42\xdf\x21\x16\xb6\x4e\x2a\x74\x8a\x20\xfe\x64\xda\xfc\x28\x7d\xe4" "\x71\xb8\x5a\x82\x5e\x02\x83\xb2\x91\xde\x5e\x56\x0a\xb3\x6a\x91\x8d\x74" "\x78\x84\xe4\x61\xd9\x32\xdd\x74\x11\x5b\x5f\x20\x16\x6e\x8f\x6f\x38\xf7" "\x9d\xec\x55\x04\x07\x76\xbf\x3e\x1d\xa6\xce\x34\x29\x17\x48\xb9\x7b\x93" "\xcc\xfa\x15\x57\x2c\x6c\x62\x2e\xba\xb8\xe3\xbe\x39\xac\x0d\xff\x97\x07" "\xc2\xfa\xd2\x73\x73\xfd\x49\xc2\x68\xa4\x76\x54\x22\x74\x92\x34\xc9\x57" "\x00\x12\x68\x88\x93\xc8\x14\x0f\x51\x3e\x93\xc8\xb7\xd7\x5e\xb2\xee\xa9" "\x90\x1d\x6c\xfc\xf1\x9a\x75\xb0\x1b\xa2\xa1\x31\xa0\xbb\x71\x67\xd2\x67" 
"\x27\xba\xcd\x68\x1a\xef\xc6\xba\x4b\x8e\xc9\x2b\x85\x3c\x9f\x91\x7a\x78" "\xb9\xfa\x48\x4e\xa6\x59\xe7\xcc\xa1\xf5\xa7\x7a\x22\x8d\x25\x5c\x4b\xf9" "\xf9\xa9\x42\x11\xae\x6d\x1e\xd7\xaa\xec\x21\x2b\xd6\xb4\x99\xdf\x9e\x77" "\xb0\x4b\xb2\x89\x6b\x79\x5d\xcf\x3b\xf4\x68\xa4\xa6\x25\x29\xf2\xab\x92" "\x7f\xe5\x61\x15\x3b\x94\xde\xdc\x3f\x84\x7a\x99\xed\x33\xc2\x09\xa1\x54" "\xb9\x9b\x36\x5f\x31\x60\x6d\xdd\x02\x48\x7c\x0a\x7f\xd0\x86\x07\xad\x9a" "\x7f\x24\x19\xb5\xf1\xa5\xe9\x98\x6b\x03\x52\x8c\xd1\x73\xd5\x16\xfa\xe7" "\x87\x57\xb1\x88\x83\x42\x95\x09\x28\xf2\x93\xb4\x06\x8c\xb6\xbc\x47\xcb" "\xad\xf1\xbd\xd1\x82\x64\x10\x07\xb3\x09\x37\x60\xe6\x7e\x30\x57\xc5\xd3" "\xbf\xd9\xd1\x25\x40\xe5\x00\xdc\xa9\x29\x2e\x63\xda\x22\xfd\xa3\xe8\x79" "\x91\xc1\xde\x27\x7e\x6e\xcc\xc0\x21\xd9\xf0\x74\xed\x76\x8b\xc6\x91\x53" "\xd8\xff\x45\x69\x68\x6e\x3c\xbc\x18\x0c\x44\x2a\x29\xed\xd5\xe1\x93\x41" "\x42\x74\x69\x87\x17\x9b\x4d\x7e\x39\xa5\xa3\xc0\xa7\x32\x8d\x55\x59\x28" "\x39\xef\x56\x92\x6c\xfe\xcc\xb3\x16\x38\x67\x4c\x60\x37\xe2\xa7\xbd\xbe" "\x6c\x9b\x8f\xf4\xf4\x1b\x74\xe7\x2a\x39\x72\x64\xfb\x2b\x27\x60\x99\x66" "\xde\xba\x18\x55\xc4\x35\xd5\x0c\x32\x14\x38\x2a\xe2\x06\x28\x71\xb9\xd0" "\x58\xba\xe7\x93\x1f\x5e\xd1\x3f\x88\x2a\xb7\xfe\xb6\x87\x76\xb9\xac\x2f" "\xd9\xf2\x62\xd4\xee\x69\xac\x93\x6d\xf3\x73\x38\xf8\x20\xf8\x80\xc8\xaf" "\x5a\x78\x51\xf5\xd2\xbe\xf1\x44\x44\xbc\x07\xca\x95\xae\x42\xef\xe4\x7e" "\x96\xc1\x1f\x3f\x82\x04\x65\xc1\xd6\x03\x47\x1c\x3a\x45\x2c\xd9\x45\x34" "\x37\xf1\x79\x53\x01\xa3\x04\xd2\xc8\x45\x97\xd6\x6d\x9c\x3e\x33\x53\xe3" "\xce\x9c\xa0\xed\x87\x90\x8e\x94\x49\x02\x71\x85\x6a\x34\x66\x9d\xe5\x94" "\xb8\x3e\x3e\xa8\x45\x8b\xa9\x66\xae\x50\x89\xa3\x03\x43\x33\x54\x7c\x0b" "\x8e\x32\x80\x26\xf5\xac\x09\xff\x27\x60\x36\x0b\x54\x7b\x32\x09\x0b\x62" "\x6a\x0a\x77\x28\xf9\x7c\xbf\xdf\x5d\x11\x1a\xdf\x52\xb1\x0c\xe4\x94\xf3" "\x73\xf7\x75\xf2\x9f\x6b\xdb\x05\xf6\xbb\x12\x08\xf1\x3a\xb6\xcd\x98\xa2" 
"\x7c\xe0\x7d\x4c\x8a\x65\x68\xcd\x49\x39\xe5\x96\xf1\xb5\xe2\x83\x6f\x34" "\xe3\x17\xf4\xd3\x52\xc8\xde\x21\x4e\xb7\x10\xc7\x19\x1c\x45\x8c\x94\x67" "\x88\x37\x9c\x4b\x4b\xb5\xb3\x83\x6d\x5c\x22\x4f\x2f\x04\x39\xb6\x3b\xea" "\x1d\x7d\xfd\x8a\x41\x5d\x29\x1d\x32\xbd\xa0\xa6\xcd\x3e\x5e\x11\x83\x54" "\xcc\xfc\x95\x99\x72\xfc\x13\xfe\xe2\xe2\x0b\xc9\x1b\xfa\x25\xb5\x79\x9b" "\x6f\x03\x93\xc0\x5e\x5e\xe7\x41\xd3\x63\x74\x51\x81\xb7\x10\x1e\x10\x0a" "\x81\xc1\x3f\x2a\x30\xf5\x9d\xa5\x40\x0a\x45\x5c\x9c\x04\x56\x65\x1d\xe9" "\x1b\x3e\x60\x76\x1a\xf2\x26\x73\x7a\x62\xac\x16\x24\x2f\x85\x62\x16\x5d" "\xdf\xab\x38\xe1\x4f\xe9\x6b\x07\x40\x05\x52\x51\x7c\x01\x17\x83\x94\xd3" "\x32\x2d\x00\xd8\xe6\x20\xcd\x23\x30\x29\x2e\x13\x3f\x90\x80\xaf\xad\xed" "\xa1\x72\xba\x79\x89\xc2\x19\x5d\x45\x27\x74\xe8\x7a\x22\xd0\x1c\xbd\xd2" "\x17\x43\x63\xf3\x33\xa6\x4d\xec\xb1\xd3\x58\x59\xe2\x09\x89\x64\x59\x6f" "\xe9\x5a\xe7\xcd\xb6\xfb\xbf\xe2\xe0\xcb\x08\xc8\xb4\xf0\xa6\x8b\xda\x63" "\x69\x78\x3f\x6d\x53\xf3\x32\x78\x4c\x45\xe7\x0a\xac\x9a\x04\x6b\x67\xfd" "\x8a\x7d\x8b\xde\xfb\xc7\x7e\x70\xdf\xb0\x1c\xf1\xa3\x9a\x60\xa3\xc3\x3a" "\x0f\x2d\xac\xa4\xd2\x10\x00\x91\xf1\x1f\x89\x91\x05\x92\x88\xaf\x87\x65" "\xe8\x80\x3b\x97\x20\x2c\x33\x38\x46\x0f\x78\x14\x8a\xd0\xa0\xeb\x42\x86" "\x71\x94\x44\x31\x60\xca\xae\x25\xd7\xb0\x26", 1433); *(uint64_t*)0x20000008 = 0x599; *(uint64_t*)0x20000098 = 1; *(uint64_t*)0x200000a0 = 0; *(uint64_t*)0x200000a8 = 0; *(uint32_t*)0x200000b0 = 0; syscall(__NR_sendmsg, r[0], 0x20000080, 0); *(uint8_t*)0x20000080 = 0xaa; *(uint8_t*)0x20000081 = 0xaa; *(uint8_t*)0x20000082 = 0xaa; *(uint8_t*)0x20000083 = 0xaa; *(uint8_t*)0x20000084 = 0xaa; *(uint8_t*)0x20000085 = 0xbb; *(uint8_t*)0x20000086 = -1; *(uint8_t*)0x20000087 = -1; *(uint8_t*)0x20000088 = -1; *(uint8_t*)0x20000089 = -1; *(uint8_t*)0x2000008a = -1; *(uint8_t*)0x2000008b = -1; *(uint16_t*)0x2000008c = htobe16(0x8100); STORE_BY_BITMASK(uint16_t, 0x2000008e, 7, 0, 3); STORE_BY_BITMASK(uint16_t, 0x2000008e, -1, 
3, 1); STORE_BY_BITMASK(uint16_t, 0x2000008e, 2, 4, 12); *(uint16_t*)0x20000090 = htobe16(0x86dd); STORE_BY_BITMASK(uint8_t, 0x20000092, 0, 0, 4); STORE_BY_BITMASK(uint8_t, 0x20000092, 6, 4, 4); memcpy((void*)0x20000093, "\x02\x29\x0f", 3); *(uint16_t*)0x20000096 = htobe16(0x30); *(uint8_t*)0x20000098 = 0x3a; *(uint8_t*)0x20000099 = 0; *(uint8_t*)0x2000009a = 0; *(uint8_t*)0x2000009b = 0; *(uint8_t*)0x2000009c = 0; *(uint8_t*)0x2000009d = 0; *(uint8_t*)0x2000009e = 0; *(uint8_t*)0x2000009f = 0; *(uint8_t*)0x200000a0 = 0; *(uint8_t*)0x200000a1 = 0; *(uint8_t*)0x200000a2 = 0; *(uint8_t*)0x200000a3 = 0; *(uint8_t*)0x200000a4 = -1; *(uint8_t*)0x200000a5 = -1; *(uint32_t*)0x200000a6 = htobe32(0); *(uint8_t*)0x200000aa = -1; *(uint8_t*)0x200000ab = 2; *(uint8_t*)0x200000ac = 0; *(uint8_t*)0x200000ad = 0; *(uint8_t*)0x200000ae = 0; *(uint8_t*)0x200000af = 0; *(uint8_t*)0x200000b0 = 0; *(uint8_t*)0x200000b1 = 0; *(uint8_t*)0x200000b2 = 0; *(uint8_t*)0x200000b3 = 0; *(uint8_t*)0x200000b4 = 0; *(uint8_t*)0x200000b5 = 0; *(uint8_t*)0x200000b6 = 0; *(uint8_t*)0x200000b7 = 0; *(uint8_t*)0x200000b8 = 0; *(uint8_t*)0x200000b9 = 1; *(uint8_t*)0x200000ba = 0x87; *(uint8_t*)0x200000bb = 0; *(uint16_t*)0x200000bc = 0; *(uint32_t*)0x200000be = htobe32(0); STORE_BY_BITMASK(uint8_t, 0x200000c2, 0, 0, 4); STORE_BY_BITMASK(uint8_t, 0x200000c2, 6, 4, 4); memcpy((void*)0x200000c3, "\x94\x33\xdf", 3); *(uint16_t*)0x200000c6 = htobe16(0); *(uint8_t*)0x200000c8 = 0; *(uint8_t*)0x200000c9 = 0; *(uint64_t*)0x200000ca = htobe64(0); *(uint64_t*)0x200000d2 = htobe64(1); *(uint8_t*)0x200000da = 0xfe; *(uint8_t*)0x200000db = 0x80; *(uint8_t*)0x200000dc = 0; *(uint8_t*)0x200000dd = 0; *(uint8_t*)0x200000de = 0; *(uint8_t*)0x200000df = 0; *(uint8_t*)0x200000e0 = 0; *(uint8_t*)0x200000e1 = 0; *(uint8_t*)0x200000e2 = 0xb; *(uint8_t*)0x200000e3 = 0; *(uint8_t*)0x200000e4 = 0; *(uint8_t*)0x200000e5 = 0; *(uint8_t*)0x200000e6 = 0; *(uint8_t*)0x200000e7 = 0; *(uint8_t*)0x200000e8 = 0; *(uint8_t*)0x200000e9 = 
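0; struct csum_inet csum_1; csum_inet_init(&csum_1); csum_inet_update(&csum_1, (const uint8_t*)0x2000009a, 16); csum_inet_update(&csum_1, (const uint8_t*)0x200000aa, 16); uint32_t csum_1_chunk_2 = 0x30000000; csum_inet_update(&csum_1, (const uint8_t*)&csum_1_chunk_2, 4); uint32_t csum_1_chunk_3 = 0x3a000000; csum_inet_update(&csum_1, (const uint8_t*)&csum_1_chunk_3, 4); csum_inet_update(&csum_1, (const uint8_t*)0x200000ba, 48); *(uint16_t*)0x200000bc = csum_inet_digest(&csum_1); syz_emit_ethernet(0x6a, 0x20000080, 0); }

/*
 * Entry point of the syzkaller-generated reproducer.
 *
 * The program exists to trigger a kernel bug (see the syzkaller URL at the
 * top of the file), so it must only ever be run inside a disposable VM with
 * the target kernel: a successful run may crash or corrupt that kernel.
 *
 * Flow: map the fixed scratch region every syscall in the program writes
 * through (the 0x2000xxxx addresses above), run the program body in a child
 * via do_sandbox_none(), then reap that child.
 *
 * Returns 0 once the child has been reaped, 1 if the harness itself failed
 * (mmap or waitpid error) before/while doing so.
 */
int main(void)
{
	/*
	 * 16 MiB at the fixed address 0x20000000; 3 = PROT_READ|PROT_WRITE and
	 * 0x32 = MAP_PRIVATE|MAP_ANONYMOUS|MAP_FIXED on x86-64 Linux. MAP_FIXED
	 * silently replaces anything already mapped there, which is intended:
	 * the program body dereferences these addresses unconditionally. If the
	 * mapping fails those writes would SIGSEGV in the child and masquerade
	 * as a kernel-side result, so fail loudly here instead.
	 */
	if (syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0) == -1) {
		perror("mmap");
		return 1;
	}

	/* Forks the child that runs the program body; its pid is returned.
	 * NOTE(review): do_sandbox_none() is defined elsewhere in this file and
	 * its failure convention is not visible here, so its result is not
	 * validated. */
	int pid = do_sandbox_none();
	int status = 0;

	/*
	 * Reap the child. EINTR just means retry; any other waitpid error
	 * (e.g. ECHILD, if the child is already gone) can never return pid, so
	 * stop instead of spinning forever as a bare "!= pid" loop would.
	 */
	for (;;) {
		pid_t w = waitpid(pid, &status, __WALL);
		if (w == pid)
			break;
		if (w == -1 && errno != EINTR) {
			perror("waitpid");
			return 1;
		}
	}
	return 0;
}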