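// https://syzkaller.appspot.com/bug?id=5b9d1e3232dc19d61832a76821bc5fc9b914b4cd
// autogenerated by syzkaller (http://github.com/google/syzkaller)
//
// Layout of this file: a small harness (doexit/fail/current_time_ms), a
// checkpoint/restore layer for the arptables and iptables/ip6tables rule
// tables, a fork-per-iteration driver (loop) and one generated test program
// (test). The generated stores and syscalls in test() are kept verbatim.

#define _GNU_SOURCE

// NOTE(review): the header names of the original #include directives were lost
// when this page was extracted (only bare "#include" tokens survived, including
// two that followed doexit()), so the file did not preprocess. The list below
// is reconstructed from the identifiers the code uses; it is not necessarily
// the generator's original list.
#include <endian.h>
#include <errno.h>
#include <netinet/in.h>
#include <signal.h>
#include <stdarg.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

// Terminates the process through the raw exit_group syscall. The endless loop
// after it is only reached if the syscall returns and keeps the noreturn
// attribute truthful.
__attribute__((noreturn)) static void doexit(int status)
{
  volatile unsigned i;
  syscall(__NR_exit_group, status);
  for (i = 0;; i++) {
  }
}

// Exit statuses used by fail(): kRetryStatus for ENOMEM/EAGAIN, kFailStatus
// for every other errno.
const int kFailStatus = 67;
const int kRetryStatus = 69;

// Prints the printf-style message plus the errno value seen on entry to
// stderr, then exits. errno is saved first because the stdio calls below may
// overwrite it.
static void fail(const char* msg, ...)
{
  int e = errno;
  va_list args;
  va_start(args, msg);
  vfprintf(stderr, msg, args);
  va_end(args);
  fprintf(stderr, " (errno %d)\n", e);
  doexit((e == ENOMEM || e == EAGAIN) ? kRetryStatus : kFailStatus);
}

// Returns CLOCK_MONOTONIC in milliseconds; exits through fail() if the clock
// cannot be read.
static uint64_t current_time_ms()
{
  struct timespec ts;

  if (clock_gettime(CLOCK_MONOTONIC, &ts))
    fail("clock_gettime failed");
  return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}

// Upper bounds the harness accepts when saving a table: bytes of rule data and
// number of rules (one xt_counters slot per rule).
#define XT_TABLE_SIZE 1536
#define XT_MAX_ENTRIES 10

struct xt_counters {
  uint64_t pcnt, bcnt;
};

// NOTE(review): the three structs below look like local copies of the kernel's
// ipt_getinfo / ipt_get_entries / ipt_replace layouts, with the variable-length
// entry table replaced by a fixed XT_TABLE_SIZE buffer — confirm against the
// uapi headers.
struct ipt_getinfo {
  char name[32];
  unsigned int valid_hooks;
  unsigned int hook_entry[5];
  unsigned int underflow[5];
  unsigned int num_entries;
  unsigned int size;
};

struct ipt_get_entries {
  char name[32];
  unsigned int size;
  void* entrytable[XT_TABLE_SIZE / sizeof(void*)];
};

struct ipt_replace {
  char name[32];
  unsigned int valid_hooks;
  unsigned int num_entries;
  unsigned int size;
  unsigned int hook_entry[5];
  unsigned int underflow[5];
  unsigned int num_counters;
  struct xt_counters* counters;
  char entrytable[XT_TABLE_SIZE];
};

// Per-table snapshot: `info` is what checkpoint_iptables read, `replace` is
// the ready-to-send request that restores it.
struct ipt_table_desc {
  const char* name;
  struct ipt_getinfo info;
  struct ipt_replace replace;
};

// Only .name is initialised; info and replace start zeroed (static storage),
// which reset_iptables relies on via info.valid_hooks == 0.
static struct ipt_table_desc ipv4_tables[] = {
    {.name = "filter"}, {.name = "nat"}, {.name = "mangle"}, {.name = "raw"}, {.name = "security"},
};

static struct ipt_table_desc ipv6_tables[] = {
    {.name = "filter"}, {.name = "nat"}, {.name = "mangle"}, {.name = "raw"}, {.name = "security"},
};

// SET_REPLACE and GET_INFO share the value 64: one is passed to setsockopt,
// the other to getsockopt.
#define IPT_BASE_CTL 64
#define IPT_SO_SET_REPLACE (IPT_BASE_CTL)
#define IPT_SO_GET_INFO (IPT_BASE_CTL)
#define IPT_SO_GET_ENTRIES (IPT_BASE_CTL + 1)

// arptables counterparts of the ipt_* structs; the hook arrays have 3 slots
// instead of 5.
struct arpt_getinfo {
  char name[32];
  unsigned int valid_hooks;
  unsigned int hook_entry[3];
  unsigned int underflow[3];
  unsigned int num_entries;
  unsigned int size;
};

struct arpt_get_entries {
  char name[32];
  unsigned int size;
  void* entrytable[XT_TABLE_SIZE / sizeof(void*)];
};

struct arpt_replace {
  char name[32];
  unsigned int valid_hooks;
  unsigned int num_entries;
  unsigned int size;
  unsigned int hook_entry[3];
  unsigned int underflow[3];
  unsigned int num_counters;
  struct xt_counters* counters;
  char entrytable[XT_TABLE_SIZE];
};

struct arpt_table_desc {
  const char* name;
  struct arpt_getinfo info;
  struct arpt_replace replace;
};

static struct arpt_table_desc arpt_tables[] = {
    {.name = "filter"},
};

#define ARPT_BASE_CTL 96
#define ARPT_SO_SET_REPLACE (ARPT_BASE_CTL)
#define ARPT_SO_GET_INFO (ARPT_BASE_CTL)
#define ARPT_SO_GET_ENTRIES (ARPT_BASE_CTL + 1)

// Saves the current contents of each table in `tables` so reset_iptables can
// restore them later.
//
// tables/num_tables: descriptors to fill (ipv4_tables or ipv6_tables).
// family:            socket family used for the control socket.
// level:             sockopt level passed to getsockopt.
//
// A table whose GET_INFO fails with EPERM, ENOENT or ENOPROTOOPT is skipped;
// any other failure, or a table larger than the fixed buffers, ends the
// process through fail().
static void checkpoint_iptables(struct ipt_table_desc* tables, int num_tables, int family, int level)
{
  struct ipt_get_entries entries;
  socklen_t optlen;
  int fd, i;

  fd = socket(family, SOCK_STREAM, IPPROTO_TCP);
  if (fd == -1)
    fail("socket(%d, SOCK_STREAM, IPPROTO_TCP)", family);
  for (i = 0; i < num_tables; i++) {
    struct ipt_table_desc* table = &tables[i];
    // name[] is 32 bytes and every table name above is a short literal.
    strcpy(table->info.name, table->name);
    strcpy(table->replace.name, table->name);
    optlen = sizeof(table->info);
    if (getsockopt(fd, level, IPT_SO_GET_INFO, &table->info, &optlen)) {
      switch (errno) {
      case EPERM:
      case ENOENT:
      case ENOPROTOOPT:
        // Table not available to this process: leave the descriptor as is.
        continue;
      }
      fail("getsockopt(IPT_SO_GET_INFO)");
    }
    // Both limits are checked before anything is copied into the fixed-size
    // entrytable or a counters array of XT_MAX_ENTRIES slots is used.
    if (table->info.size > sizeof(table->replace.entrytable))
      fail("table size is too large: %u", table->info.size);
    if (table->info.num_entries > XT_MAX_ENTRIES)
      fail("too many counters: %u", table->info.num_entries);
    memset(&entries, 0, sizeof(entries));
    strcpy(entries.name, table->name);
    entries.size = table->info.size;
    // Header of the request plus exactly info.size bytes of rule data.
    optlen = sizeof(entries) - sizeof(entries.entrytable) + table->info.size;
    if (getsockopt(fd, level, IPT_SO_GET_ENTRIES, &entries, &optlen))
      fail("getsockopt(IPT_SO_GET_ENTRIES)");
    table->replace.valid_hooks = table->info.valid_hooks;
    table->replace.num_entries = table->info.num_entries;
    table->replace.size = table->info.size;
    memcpy(table->replace.hook_entry, table->info.hook_entry, sizeof(table->replace.hook_entry));
    memcpy(table->replace.underflow, table->info.underflow, sizeof(table->replace.underflow));
    memcpy(table->replace.entrytable, entries.entrytable, table->info.size);
  }
  close(fd);
}

// Restores every table saved by checkpoint_iptables whose current contents
// differ from the snapshot. The restore is a setsockopt(IPT_SO_SET_REPLACE),
// i.e. it rewrites the rule tables of the network namespace the process runs
// in. Tables whose snapshot has valid_hooks == 0 are left alone.
static void reset_iptables(struct ipt_table_desc* tables, int num_tables, int family, int level)
{
  struct xt_counters counters[XT_MAX_ENTRIES];
  struct ipt_get_entries entries;
  struct ipt_getinfo info;
  socklen_t optlen;
  int fd, i;

  fd = socket(family, SOCK_STREAM, IPPROTO_TCP);
  if (fd == -1)
    fail("socket(%d, SOCK_STREAM, IPPROTO_TCP)", family);
  for (i = 0; i < num_tables; i++) {
    struct ipt_table_desc* table = &tables[i];
    if (table->info.valid_hooks == 0)
      continue;
    memset(&info, 0, sizeof(info));
    strcpy(info.name, table->name);
    optlen = sizeof(info);
    if (getsockopt(fd, level, IPT_SO_GET_INFO, &info, &optlen))
      fail("getsockopt(IPT_SO_GET_INFO)");
    // Same metadata as the snapshot: compare the rule bytes too and skip the
    // replace when nothing changed.
    if (memcmp(&table->info, &info, sizeof(table->info)) == 0) {
      memset(&entries, 0, sizeof(entries));
      strcpy(entries.name, table->name);
      entries.size = table->info.size;
      optlen = sizeof(entries) - sizeof(entries.entrytable) + entries.size;
      if (getsockopt(fd, level, IPT_SO_GET_ENTRIES, &entries, &optlen))
        fail("getsockopt(IPT_SO_GET_ENTRIES)");
      if (memcmp(table->replace.entrytable, entries.entrytable, table->info.size) == 0)
        continue;
    }
    // NOTE(review): num_counters comes from the freshly queried
    // info.num_entries, which — unlike in checkpoint_iptables — is not
    // compared with XT_MAX_ENTRIES here, while counters[] has only
    // XT_MAX_ENTRIES slots. A guard like the one in checkpoint_iptables would
    // keep the count within the array.
    table->replace.num_counters = info.num_entries;
    table->replace.counters = counters;
    optlen = sizeof(table->replace) - sizeof(table->replace.entrytable) + table->replace.size;
    if (setsockopt(fd, level, IPT_SO_SET_REPLACE, &table->replace, optlen))
      fail("setsockopt(IPT_SO_SET_REPLACE)");
  }
  close(fd);
}

// arptables version of checkpoint_iptables: saves every table listed in
// arpt_tables through an AF_INET socket at level SOL_IP. Same skip and
// fail() rules as checkpoint_iptables.
static void checkpoint_arptables(void)
{
  struct arpt_get_entries entries;
  socklen_t optlen;
  unsigned i;
  int fd;

  fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
  if (fd == -1)
    fail("socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)");
  for (i = 0; i < sizeof(arpt_tables) / sizeof(arpt_tables[0]); i++) {
    struct arpt_table_desc* table = &arpt_tables[i];
    strcpy(table->info.name, table->name);
    strcpy(table->replace.name, table->name);
    optlen = sizeof(table->info);
    if (getsockopt(fd, SOL_IP, ARPT_SO_GET_INFO, &table->info, &optlen)) {
      switch (errno) {
      case EPERM:
      case ENOENT:
      case ENOPROTOOPT:
        // Table not available to this process: leave the descriptor as is.
        continue;
      }
      fail("getsockopt(ARPT_SO_GET_INFO)");
    }
    // Bounds checks precede every copy into the fixed-size buffers.
    if (table->info.size > sizeof(table->replace.entrytable))
      fail("table size is too large: %u", table->info.size);
    if (table->info.num_entries > XT_MAX_ENTRIES)
      fail("too many counters: %u", table->info.num_entries);
    memset(&entries, 0, sizeof(entries));
    strcpy(entries.name, table->name);
    entries.size = table->info.size;
    optlen = sizeof(entries) - sizeof(entries.entrytable) + table->info.size;
    if (getsockopt(fd, SOL_IP, ARPT_SO_GET_ENTRIES, &entries, &optlen))
      fail("getsockopt(ARPT_SO_GET_ENTRIES)");
    table->replace.valid_hooks = table->info.valid_hooks;
    table->replace.num_entries = table->info.num_entries;
    table->replace.size = table->info.size;
    memcpy(table->replace.hook_entry, table->info.hook_entry, sizeof(table->replace.hook_entry));
    memcpy(table->replace.underflow, table->info.underflow, sizeof(table->replace.underflow));
    memcpy(table->replace.entrytable, entries.entrytable, table->info.size);
  }
  close(fd);
}

// arptables version of reset_iptables: re-installs the saved arptables
// snapshot with setsockopt(ARPT_SO_SET_REPLACE) whenever the live table
// differs from it.
static void reset_arptables()
{
  struct xt_counters counters[XT_MAX_ENTRIES];
  struct arpt_get_entries entries;
  struct arpt_getinfo info;
  socklen_t optlen;
  unsigned i;
  int fd;

  fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
  if (fd == -1)
    fail("socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)");
  for (i = 0; i < sizeof(arpt_tables) / sizeof(arpt_tables[0]); i++) {
    struct arpt_table_desc* table = &arpt_tables[i];
    if (table->info.valid_hooks == 0)
      continue;
    memset(&info, 0, sizeof(info));
    strcpy(info.name, table->name);
    optlen = sizeof(info);
    if (getsockopt(fd, SOL_IP, ARPT_SO_GET_INFO, &info, &optlen))
      fail("getsockopt(ARPT_SO_GET_INFO)");
    if (memcmp(&table->info, &info, sizeof(table->info)) == 0) {
      memset(&entries, 0, sizeof(entries));
      strcpy(entries.name, table->name);
      entries.size = table->info.size;
      optlen = sizeof(entries) - sizeof(entries.entrytable) + entries.size;
      if (getsockopt(fd, SOL_IP, ARPT_SO_GET_ENTRIES, &entries, &optlen))
        fail("getsockopt(ARPT_SO_GET_ENTRIES)");
      if (memcmp(table->replace.entrytable, entries.entrytable, table->info.size) == 0)
        continue;
    }
    // NOTE(review): as in reset_iptables, info.num_entries is used as the
    // counter count without being compared with XT_MAX_ENTRIES, the size of
    // counters[].
    table->replace.num_counters = info.num_entries;
    table->replace.counters = counters;
    optlen = sizeof(table->replace) - sizeof(table->replace.entrytable) + table->replace.size;
    if (setsockopt(fd, SOL_IP, ARPT_SO_SET_REPLACE, &table->replace, optlen))
      fail("setsockopt(ARPT_SO_SET_REPLACE)");
  }
  close(fd);
}

// Snapshots the arptables, iptables and ip6tables tables once, before any
// test iteration runs.
static void checkpoint_net_namespace(void)
{
  checkpoint_arptables();
  checkpoint_iptables(ipv4_tables, sizeof(ipv4_tables) / sizeof(ipv4_tables[0]), AF_INET, SOL_IP);
  checkpoint_iptables(ipv6_tables, sizeof(ipv6_tables) / sizeof(ipv6_tables[0]), AF_INET6, SOL_IPV6);
}

// Puts the three table families back to the snapshot after an iteration.
static void reset_net_namespace(void)
{
  reset_arptables();
  reset_iptables(ipv4_tables, sizeof(ipv4_tables) / sizeof(ipv4_tables[0]), AF_INET, SOL_IP);
  reset_iptables(ipv6_tables, sizeof(ipv6_tables) / sizeof(ipv6_tables[0]), AF_INET6, SOL_IPV6);
}

static void test();

// Driver: never returns. Takes one snapshot of the rule tables, then per
// iteration forks a child that runs test(), waits for it with a 5 second
// budget, and restores the tables.
void loop()
{
  int iter;
  checkpoint_net_namespace();
  for (iter = 0;; iter++) {
    int pid = fork();
    if (pid < 0)
      fail("loop fork failed");
    if (pid == 0) {
      // Child: die with the parent, and get an own process group so the
      // parent can signal the whole group with kill(-pid, ...).
      prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
      setpgrp();
      test();
      doexit(0);
    }
    int status = 0;
    uint64_t start = current_time_ms();
    for (;;) {
      // Non-blocking poll, repeated every millisecond.
      int res = waitpid(-1, &status, __WALL | WNOHANG);
      if (res == pid)
        break;
      usleep(1000);
      if (current_time_ms() - start > 5 * 1000) {
        // Budget exceeded: kill the group and the child, then reap until the
        // child itself has been collected.
        kill(-pid, SIGKILL);
        kill(pid, SIGKILL);
        while (waitpid(-1, &status, __WALL) != pid) {
        }
        break;
      }
    }
    reset_net_namespace();
  }
}

// Results of the two socket() calls made by test().
long r[2];

// The generated test program. Every syscall argument is written at a fixed
// address inside the scratch region mapped first, and syscall return values
// are not checked. Numeric constants are annotated with their usual Linux
// names where the value is unambiguous.
//
// Sequence:
//   1. mmap a scratch region at 0x20000000 (length 0xfff000, prot 3,
//      flags 0x32 — with the generic Linux values that is read/write,
//      private + anonymous + fixed).
//   2. socket(0xa, 5, 0x84): AF_INET6, SOCK_SEQPACKET, protocol 132 (SCTP).
//   3. setsockopt(r[0], 0x29, 0x2a, ..., 0x88): level 41 (SOL_IPV6),
//      option 42 (MCAST_JOIN_GROUP) with a 0x88-byte argument.
//   4. socket(0xa, 0x801, 0): AF_INET6, SOCK_STREAM with the 0x800 flag
//      (SOCK_NONBLOCK).
//   5. setsockopt(r[1], 0, 0x40, ..., 0x370): level 0 and option 0x40 are
//      the SOL_IP / IPT_SO_SET_REPLACE pair this file also uses in
//      reset_iptables; the argument is a table-replace request for "filter".
void test()
{
  memset(r, -1, sizeof(r));
  syscall(__NR_mmap, 0x20000000, 0xfff000, 3, 0x32, -1, 0);
  r[0] = syscall(__NR_socket, 0xa, 5, 0x84);

  // Argument of the first setsockopt, 0x88 bytes at 0x20058000.
  // NOTE(review): the offsets are consistent with a struct group_req holding
  // interface index 1 and an AF_INET6 address whose 16 bytes are
  // ff 01 00 ... 00 01 — confirm against the uapi definition.
  *(uint32_t*)0x20058000 = 1;
  *(uint16_t*)0x20058008 = 0xa;
  *(uint16_t*)0x2005800a = 0;
  *(uint32_t*)0x2005800c = 0;
  *(uint8_t*)0x20058010 = -1; *(uint8_t*)0x20058011 = 1; *(uint8_t*)0x20058012 = 0; *(uint8_t*)0x20058013 = 0;
  *(uint8_t*)0x20058014 = 0; *(uint8_t*)0x20058015 = 0; *(uint8_t*)0x20058016 = 0; *(uint8_t*)0x20058017 = 0;
  *(uint8_t*)0x20058018 = 0; *(uint8_t*)0x20058019 = 0; *(uint8_t*)0x2005801a = 0; *(uint8_t*)0x2005801b = 0;
  *(uint8_t*)0x2005801c = 0; *(uint8_t*)0x2005801d = 0; *(uint8_t*)0x2005801e = 0; *(uint8_t*)0x2005801f = 1;
  *(uint32_t*)0x20058020 = 0;
  *(uint64_t*)0x20058028 = 0;
  *(uint64_t*)0x20058030 = 0;
  *(uint64_t*)0x20058038 = 0;
  *(uint64_t*)0x20058040 = 0;
  *(uint64_t*)0x20058048 = 0;
  *(uint64_t*)0x20058050 = 0;
  *(uint64_t*)0x20058058 = 0;
  *(uint64_t*)0x20058060 = 0;
  *(uint64_t*)0x20058068 = 0;
  *(uint64_t*)0x20058070 = 0;
  *(uint64_t*)0x20058078 = 0;
  *(uint64_t*)0x20058080 = 0;
  syscall(__NR_setsockopt, r[0], 0x29, 0x2a, 0x20058000, 0x88);

  r[1] = syscall(__NR_socket, 0xa, 0x801, 0);

  // Argument of the second setsockopt, 0x370 bytes at 0x20031000. The first
  // 0x60 bytes follow the field order of struct ipt_replace above: name
  // "filter", valid_hooks 0xe, num_entries 4, size 0x310, hook_entry[5],
  // underflow[5], num_counters 4 and the counters pointer. 0x60 + 0x310
  // equals the 0x370 length passed to the syscall.
  memcpy((void*)0x20031000,
         "\x66\x69\x6c\x74\x65\x72\x00\x00\x00\x00\x00\x00"
         "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
         "\x00\x00\x00\x00\x00\x00\x00\x00",
         32);
  *(uint32_t*)0x20031020 = 0xe;
  *(uint32_t*)0x20031024 = 4;
  *(uint32_t*)0x20031028 = 0x310;
  *(uint32_t*)0x2003102c = -1;
  *(uint32_t*)0x20031030 = 0x198;
  *(uint32_t*)0x20031034 = 0x98;
  *(uint32_t*)0x20031038 = 0x98;
  *(uint32_t*)0x2003103c = -1;
  *(uint32_t*)0x20031040 = -1;
  *(uint32_t*)0x20031044 = 0x278;
  *(uint32_t*)0x20031048 = 0x278;
  *(uint32_t*)0x2003104c = 0x278;
  *(uint32_t*)0x20031050 = -1;
  *(uint32_t*)0x20031054 = 4;
  *(uint64_t*)0x20031058 = 0x20003fc0;

  // Rule data starts at 0x20031060 (entrytable).
  // NOTE(review): the four blocks below each start with 84 zero bytes and a
  // pair of 16-bit offsets, which matches four consecutive rule entries with
  // next-entry offsets 0x98, 0x100, 0xe0 and 0x98 (sum 0x310) — confirm
  // against struct ipt_entry.

  // First block: offsets 0x70 / 0x98, one extension record of size 0x28 named
  // "AUDIT".
  *(uint8_t*)0x20031060 = 0; *(uint8_t*)0x20031061 = 0; *(uint8_t*)0x20031062 = 0; *(uint8_t*)0x20031063 = 0;
  *(uint8_t*)0x20031064 = 0; *(uint8_t*)0x20031065 = 0; *(uint8_t*)0x20031066 = 0; *(uint8_t*)0x20031067 = 0;
  *(uint8_t*)0x20031068 = 0; *(uint8_t*)0x20031069 = 0; *(uint8_t*)0x2003106a = 0; *(uint8_t*)0x2003106b = 0;
  *(uint8_t*)0x2003106c = 0; *(uint8_t*)0x2003106d = 0; *(uint8_t*)0x2003106e = 0; *(uint8_t*)0x2003106f = 0;
  *(uint8_t*)0x20031070 = 0; *(uint8_t*)0x20031071 = 0; *(uint8_t*)0x20031072 = 0; *(uint8_t*)0x20031073 = 0;
  *(uint8_t*)0x20031074 = 0; *(uint8_t*)0x20031075 = 0; *(uint8_t*)0x20031076 = 0; *(uint8_t*)0x20031077 = 0;
  *(uint8_t*)0x20031078 = 0; *(uint8_t*)0x20031079 = 0; *(uint8_t*)0x2003107a = 0; *(uint8_t*)0x2003107b = 0;
  *(uint8_t*)0x2003107c = 0; *(uint8_t*)0x2003107d = 0; *(uint8_t*)0x2003107e = 0; *(uint8_t*)0x2003107f = 0;
  *(uint8_t*)0x20031080 = 0; *(uint8_t*)0x20031081 = 0; *(uint8_t*)0x20031082 = 0; *(uint8_t*)0x20031083 = 0;
  *(uint8_t*)0x20031084 = 0; *(uint8_t*)0x20031085 = 0; *(uint8_t*)0x20031086 = 0; *(uint8_t*)0x20031087 = 0;
  *(uint8_t*)0x20031088 = 0; *(uint8_t*)0x20031089 = 0; *(uint8_t*)0x2003108a = 0; *(uint8_t*)0x2003108b = 0;
  *(uint8_t*)0x2003108c = 0; *(uint8_t*)0x2003108d = 0; *(uint8_t*)0x2003108e = 0; *(uint8_t*)0x2003108f = 0;
  *(uint8_t*)0x20031090 = 0; *(uint8_t*)0x20031091 = 0; *(uint8_t*)0x20031092 = 0; *(uint8_t*)0x20031093 = 0;
  *(uint8_t*)0x20031094 = 0; *(uint8_t*)0x20031095 = 0; *(uint8_t*)0x20031096 = 0; *(uint8_t*)0x20031097 = 0;
  *(uint8_t*)0x20031098 = 0; *(uint8_t*)0x20031099 = 0; *(uint8_t*)0x2003109a = 0; *(uint8_t*)0x2003109b = 0;
  *(uint8_t*)0x2003109c = 0; *(uint8_t*)0x2003109d = 0; *(uint8_t*)0x2003109e = 0; *(uint8_t*)0x2003109f = 0;
  *(uint8_t*)0x200310a0 = 0; *(uint8_t*)0x200310a1 = 0; *(uint8_t*)0x200310a2 = 0; *(uint8_t*)0x200310a3 = 0;
  *(uint8_t*)0x200310a4 = 0; *(uint8_t*)0x200310a5 = 0; *(uint8_t*)0x200310a6 = 0; *(uint8_t*)0x200310a7 = 0;
  *(uint8_t*)0x200310a8 = 0; *(uint8_t*)0x200310a9 = 0; *(uint8_t*)0x200310aa = 0; *(uint8_t*)0x200310ab = 0;
  *(uint8_t*)0x200310ac = 0; *(uint8_t*)0x200310ad = 0; *(uint8_t*)0x200310ae = 0; *(uint8_t*)0x200310af = 0;
  *(uint8_t*)0x200310b0 = 0; *(uint8_t*)0x200310b1 = 0; *(uint8_t*)0x200310b2 = 0; *(uint8_t*)0x200310b3 = 0;
  *(uint32_t*)0x200310b4 = 0;
  *(uint16_t*)0x200310b8 = 0x70;
  *(uint16_t*)0x200310ba = 0x98;
  *(uint32_t*)0x200310bc = 0;
  *(uint64_t*)0x200310c0 = 0;
  *(uint64_t*)0x200310c8 = 0;
  *(uint16_t*)0x200310d0 = 0x28;
  memcpy((void*)0x200310d2,
         "\x41\x55\x44\x49\x54\x00\x00\x00\x00\x00\x00\x00"
         "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
         "\x00\x00\x00\x00\x00",
         29);
  *(uint8_t*)0x200310ef = 0;
  *(uint8_t*)0x200310f0 = 0;

  // Second block: offsets 0xd0 / 0x100, extension records named "quota"
  // (size 0x38), "ttl" (size 0x28) and "CONNMARK" (size 0x30, revision
  // byte 1).
  *(uint8_t*)0x200310f8 = 0; *(uint8_t*)0x200310f9 = 0; *(uint8_t*)0x200310fa = 0; *(uint8_t*)0x200310fb = 0;
  *(uint8_t*)0x200310fc = 0; *(uint8_t*)0x200310fd = 0; *(uint8_t*)0x200310fe = 0; *(uint8_t*)0x200310ff = 0;
  *(uint8_t*)0x20031100 = 0; *(uint8_t*)0x20031101 = 0; *(uint8_t*)0x20031102 = 0; *(uint8_t*)0x20031103 = 0;
  *(uint8_t*)0x20031104 = 0; *(uint8_t*)0x20031105 = 0; *(uint8_t*)0x20031106 = 0; *(uint8_t*)0x20031107 = 0;
  *(uint8_t*)0x20031108 = 0; *(uint8_t*)0x20031109 = 0; *(uint8_t*)0x2003110a = 0; *(uint8_t*)0x2003110b = 0;
  *(uint8_t*)0x2003110c = 0; *(uint8_t*)0x2003110d = 0; *(uint8_t*)0x2003110e = 0; *(uint8_t*)0x2003110f = 0;
  *(uint8_t*)0x20031110 = 0; *(uint8_t*)0x20031111 = 0; *(uint8_t*)0x20031112 = 0; *(uint8_t*)0x20031113 = 0;
  *(uint8_t*)0x20031114 = 0; *(uint8_t*)0x20031115 = 0; *(uint8_t*)0x20031116 = 0; *(uint8_t*)0x20031117 = 0;
  *(uint8_t*)0x20031118 = 0; *(uint8_t*)0x20031119 = 0; *(uint8_t*)0x2003111a = 0; *(uint8_t*)0x2003111b = 0;
  *(uint8_t*)0x2003111c = 0; *(uint8_t*)0x2003111d = 0; *(uint8_t*)0x2003111e = 0; *(uint8_t*)0x2003111f = 0;
  *(uint8_t*)0x20031120 = 0; *(uint8_t*)0x20031121 = 0; *(uint8_t*)0x20031122 = 0; *(uint8_t*)0x20031123 = 0;
  *(uint8_t*)0x20031124 = 0; *(uint8_t*)0x20031125 = 0; *(uint8_t*)0x20031126 = 0; *(uint8_t*)0x20031127 = 0;
  *(uint8_t*)0x20031128 = 0; *(uint8_t*)0x20031129 = 0; *(uint8_t*)0x2003112a = 0; *(uint8_t*)0x2003112b = 0;
  *(uint8_t*)0x2003112c = 0; *(uint8_t*)0x2003112d = 0; *(uint8_t*)0x2003112e = 0; *(uint8_t*)0x2003112f = 0;
  *(uint8_t*)0x20031130 = 0; *(uint8_t*)0x20031131 = 0; *(uint8_t*)0x20031132 = 0; *(uint8_t*)0x20031133 = 0;
  *(uint8_t*)0x20031134 = 0; *(uint8_t*)0x20031135 = 0; *(uint8_t*)0x20031136 = 0; *(uint8_t*)0x20031137 = 0;
  *(uint8_t*)0x20031138 = 0; *(uint8_t*)0x20031139 = 0; *(uint8_t*)0x2003113a = 0; *(uint8_t*)0x2003113b = 0;
  *(uint8_t*)0x2003113c = 0; *(uint8_t*)0x2003113d = 0; *(uint8_t*)0x2003113e = 0; *(uint8_t*)0x2003113f = 0;
  *(uint8_t*)0x20031140 = 0; *(uint8_t*)0x20031141 = 0; *(uint8_t*)0x20031142 = 0; *(uint8_t*)0x20031143 = 0;
  *(uint8_t*)0x20031144 = 0; *(uint8_t*)0x20031145 = 0; *(uint8_t*)0x20031146 = 0; *(uint8_t*)0x20031147 = 0;
  *(uint8_t*)0x20031148 = 0; *(uint8_t*)0x20031149 = 0; *(uint8_t*)0x2003114a = 0; *(uint8_t*)0x2003114b = 0;
  *(uint32_t*)0x2003114c = 0;
  *(uint16_t*)0x20031150 = 0xd0;
  *(uint16_t*)0x20031152 = 0x100;
  *(uint32_t*)0x20031154 = 0;
  *(uint64_t*)0x20031158 = 0;
  *(uint64_t*)0x20031160 = 0;
  *(uint16_t*)0x20031168 = 0x38;
  memcpy((void*)0x2003116a,
         "\x71\x75\x6f\x74\x61\x00\x00\x00\x00\x00\x00\x00"
         "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
         "\x00\x00\x00\x00\x00",
         29);
  *(uint8_t*)0x20031187 = 0;
  *(uint32_t*)0x20031188 = 0;
  *(uint32_t*)0x2003118c = 0;
  *(uint64_t*)0x20031190 = 0;
  *(uint64_t*)0x20031198 = 0;
  *(uint16_t*)0x200311a0 = 0x28;
  memcpy((void*)0x200311a2,
         "\x74\x74\x6c\x00\x00\x00\x00\x00\x00\x00\x00\x00"
         "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
         "\x00\x00\x00\x00\x00",
         29);
  *(uint8_t*)0x200311bf = 0;
  *(uint8_t*)0x200311c0 = 0;
  *(uint8_t*)0x200311c1 = 0;
  *(uint16_t*)0x200311c8 = 0x30;
  memcpy((void*)0x200311ca,
         "\x43\x4f\x4e\x4e\x4d\x41\x52\x4b\x00\x00\x00\x00"
         "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
         "\x00\x00\x00\x00\x00",
         29);
  *(uint8_t*)0x200311e7 = 1;
  *(uint32_t*)0x200311e8 = 0;
  *(uint32_t*)0x200311ec = 0;
  *(uint32_t*)0x200311f0 = 0;
  *(uint8_t*)0x200311f4 = 0;

  // Third block: offsets 0x98 / 0xe0, extension records named "connlabel"
  // (size 0x28) and "TEE" (size 0x48, revision byte 1). The TEE payload
  // carries the big-endian value 0xe0000001 and the bytes 0x73 0x79 0x7a
  // ("syz").
  *(uint8_t*)0x200311f8 = 0; *(uint8_t*)0x200311f9 = 0; *(uint8_t*)0x200311fa = 0; *(uint8_t*)0x200311fb = 0;
  *(uint8_t*)0x200311fc = 0; *(uint8_t*)0x200311fd = 0; *(uint8_t*)0x200311fe = 0; *(uint8_t*)0x200311ff = 0;
  *(uint8_t*)0x20031200 = 0; *(uint8_t*)0x20031201 = 0; *(uint8_t*)0x20031202 = 0; *(uint8_t*)0x20031203 = 0;
  *(uint8_t*)0x20031204 = 0; *(uint8_t*)0x20031205 = 0; *(uint8_t*)0x20031206 = 0; *(uint8_t*)0x20031207 = 0;
  *(uint8_t*)0x20031208 = 0; *(uint8_t*)0x20031209 = 0; *(uint8_t*)0x2003120a = 0; *(uint8_t*)0x2003120b = 0;
  *(uint8_t*)0x2003120c = 0; *(uint8_t*)0x2003120d = 0; *(uint8_t*)0x2003120e = 0; *(uint8_t*)0x2003120f = 0;
  *(uint8_t*)0x20031210 = 0; *(uint8_t*)0x20031211 = 0; *(uint8_t*)0x20031212 = 0; *(uint8_t*)0x20031213 = 0;
  *(uint8_t*)0x20031214 = 0; *(uint8_t*)0x20031215 = 0; *(uint8_t*)0x20031216 = 0; *(uint8_t*)0x20031217 = 0;
  *(uint8_t*)0x20031218 = 0; *(uint8_t*)0x20031219 = 0; *(uint8_t*)0x2003121a = 0; *(uint8_t*)0x2003121b = 0;
  *(uint8_t*)0x2003121c = 0; *(uint8_t*)0x2003121d = 0; *(uint8_t*)0x2003121e = 0; *(uint8_t*)0x2003121f = 0;
  *(uint8_t*)0x20031220 = 0; *(uint8_t*)0x20031221 = 0; *(uint8_t*)0x20031222 = 0; *(uint8_t*)0x20031223 = 0;
  *(uint8_t*)0x20031224 = 0; *(uint8_t*)0x20031225 = 0; *(uint8_t*)0x20031226 = 0; *(uint8_t*)0x20031227 = 0;
  *(uint8_t*)0x20031228 = 0; *(uint8_t*)0x20031229 = 0; *(uint8_t*)0x2003122a = 0; *(uint8_t*)0x2003122b = 0;
  *(uint8_t*)0x2003122c = 0; *(uint8_t*)0x2003122d = 0; *(uint8_t*)0x2003122e = 0; *(uint8_t*)0x2003122f = 0;
  *(uint8_t*)0x20031230 = 0; *(uint8_t*)0x20031231 = 0; *(uint8_t*)0x20031232 = 0; *(uint8_t*)0x20031233 = 0;
  *(uint8_t*)0x20031234 = 0; *(uint8_t*)0x20031235 = 0; *(uint8_t*)0x20031236 = 0; *(uint8_t*)0x20031237 = 0;
  *(uint8_t*)0x20031238 = 0; *(uint8_t*)0x20031239 = 0; *(uint8_t*)0x2003123a = 0; *(uint8_t*)0x2003123b = 0;
  *(uint8_t*)0x2003123c = 0; *(uint8_t*)0x2003123d = 0; *(uint8_t*)0x2003123e = 0; *(uint8_t*)0x2003123f = 0;
  *(uint8_t*)0x20031240 = 0; *(uint8_t*)0x20031241 = 0; *(uint8_t*)0x20031242 = 0; *(uint8_t*)0x20031243 = 0;
  *(uint8_t*)0x20031244 = 0; *(uint8_t*)0x20031245 = 0; *(uint8_t*)0x20031246 = 0; *(uint8_t*)0x20031247 = 0;
  *(uint8_t*)0x20031248 = 0; *(uint8_t*)0x20031249 = 0; *(uint8_t*)0x2003124a = 0; *(uint8_t*)0x2003124b = 0;
  *(uint32_t*)0x2003124c = 0;
  *(uint16_t*)0x20031250 = 0x98;
  *(uint16_t*)0x20031252 = 0xe0;
  *(uint32_t*)0x20031254 = 0;
  *(uint64_t*)0x20031258 = 0;
  *(uint64_t*)0x20031260 = 0;
  *(uint16_t*)0x20031268 = 0x28;
  memcpy((void*)0x2003126a,
         "\x63\x6f\x6e\x6e\x6c\x61\x62\x65\x6c\x00\x00\x00"
         "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
         "\x00\x00\x00\x00\x00",
         29);
  *(uint8_t*)0x20031287 = 0;
  *(uint16_t*)0x20031288 = 0;
  *(uint16_t*)0x2003128a = 0;
  *(uint16_t*)0x20031290 = 0x48;
  memcpy((void*)0x20031292,
         "\x54\x45\x45\x00\x00\x00\x00\x00\x00\x00\x00\x00"
         "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
         "\x00\x00\x00\x00\x00",
         29);
  *(uint8_t*)0x200312af = 1;
  *(uint32_t*)0x200312b0 = htobe32(0xe0000001);
  *(uint8_t*)0x200312c0 = 0x73;
  *(uint8_t*)0x200312c1 = 0x79;
  *(uint8_t*)0x200312c2 = 0x7a;
  *(uint8_t*)0x200312c3 = 0;
  *(uint8_t*)0x200312c4 = 0;
  *(uint64_t*)0x200312d0 = 0;

  // Fourth block: offsets 0x70 / 0x98, one extension record of size 0x28 with
  // an all-zero name and the 32-bit value 0xfffffffe.
  *(uint8_t*)0x200312d8 = 0; *(uint8_t*)0x200312d9 = 0; *(uint8_t*)0x200312da = 0; *(uint8_t*)0x200312db = 0;
  *(uint8_t*)0x200312dc = 0; *(uint8_t*)0x200312dd = 0; *(uint8_t*)0x200312de = 0; *(uint8_t*)0x200312df = 0;
  *(uint8_t*)0x200312e0 = 0; *(uint8_t*)0x200312e1 = 0; *(uint8_t*)0x200312e2 = 0; *(uint8_t*)0x200312e3 = 0;
  *(uint8_t*)0x200312e4 = 0; *(uint8_t*)0x200312e5 = 0; *(uint8_t*)0x200312e6 = 0; *(uint8_t*)0x200312e7 = 0;
  *(uint8_t*)0x200312e8 = 0; *(uint8_t*)0x200312e9 = 0; *(uint8_t*)0x200312ea = 0; *(uint8_t*)0x200312eb = 0;
  *(uint8_t*)0x200312ec = 0; *(uint8_t*)0x200312ed = 0; *(uint8_t*)0x200312ee = 0; *(uint8_t*)0x200312ef = 0;
  *(uint8_t*)0x200312f0 = 0; *(uint8_t*)0x200312f1 = 0; *(uint8_t*)0x200312f2 = 0; *(uint8_t*)0x200312f3 = 0;
  *(uint8_t*)0x200312f4 = 0; *(uint8_t*)0x200312f5 = 0; *(uint8_t*)0x200312f6 = 0; *(uint8_t*)0x200312f7 = 0;
  *(uint8_t*)0x200312f8 = 0; *(uint8_t*)0x200312f9 = 0; *(uint8_t*)0x200312fa = 0; *(uint8_t*)0x200312fb = 0;
  *(uint8_t*)0x200312fc = 0; *(uint8_t*)0x200312fd = 0; *(uint8_t*)0x200312fe = 0; *(uint8_t*)0x200312ff = 0;
  *(uint8_t*)0x20031300 = 0; *(uint8_t*)0x20031301 = 0; *(uint8_t*)0x20031302 = 0; *(uint8_t*)0x20031303 = 0;
  *(uint8_t*)0x20031304 = 0; *(uint8_t*)0x20031305 = 0; *(uint8_t*)0x20031306 = 0; *(uint8_t*)0x20031307 = 0;
  *(uint8_t*)0x20031308 = 0; *(uint8_t*)0x20031309 = 0; *(uint8_t*)0x2003130a = 0; *(uint8_t*)0x2003130b = 0;
  *(uint8_t*)0x2003130c = 0; *(uint8_t*)0x2003130d = 0; *(uint8_t*)0x2003130e = 0; *(uint8_t*)0x2003130f = 0;
  *(uint8_t*)0x20031310 = 0; *(uint8_t*)0x20031311 = 0; *(uint8_t*)0x20031312 = 0; *(uint8_t*)0x20031313 = 0;
  *(uint8_t*)0x20031314 = 0; *(uint8_t*)0x20031315 = 0; *(uint8_t*)0x20031316 = 0; *(uint8_t*)0x20031317 = 0;
  *(uint8_t*)0x20031318 = 0; *(uint8_t*)0x20031319 = 0; *(uint8_t*)0x2003131a = 0; *(uint8_t*)0x2003131b = 0;
  *(uint8_t*)0x2003131c = 0; *(uint8_t*)0x2003131d = 0; *(uint8_t*)0x2003131e = 0; *(uint8_t*)0x2003131f = 0;
  *(uint8_t*)0x20031320 = 0; *(uint8_t*)0x20031321 = 0; *(uint8_t*)0x20031322 = 0; *(uint8_t*)0x20031323 = 0;
  *(uint8_t*)0x20031324 = 0; *(uint8_t*)0x20031325 = 0; *(uint8_t*)0x20031326 = 0; *(uint8_t*)0x20031327 = 0;
  *(uint8_t*)0x20031328 = 0; *(uint8_t*)0x20031329 = 0; *(uint8_t*)0x2003132a = 0; *(uint8_t*)0x2003132b = 0;
  *(uint32_t*)0x2003132c = 0;
  *(uint16_t*)0x20031330 = 0x70;
  *(uint16_t*)0x20031332 = 0x98;
  *(uint32_t*)0x20031334 = 0;
  *(uint64_t*)0x20031338 = 0;
  *(uint64_t*)0x20031340 = 0;
  *(uint16_t*)0x20031348 = 0x28;
  memcpy((void*)0x2003134a,
         "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
         "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
         "\x00\x00\x00\x00\x00",
         29);
  *(uint8_t*)0x20031367 = 0;
  *(uint32_t*)0x20031368 = 0xfffffffe;
  syscall(__NR_setsockopt, r[1], 0, 0x40, 0x20031000, 0x370);
}

// Entry point: loop() does not return, so the outer for only documents that
// the program runs until it is killed or fail() exits.
int main()
{
  for (;;) {
    loop();
  }
}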