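// https://syzkaller.appspot.com/bug?id=5b9d1e3232dc19d61832a76821bc5fc9b914b4cd
// autogenerated by syzkaller (http://github.com/google/syzkaller)
//
// Reviewer notes:
//  - This is a kernel crash reproducer. The crash details are in the syzbot
//    report linked above; nothing in this file names the affected code path.
//  - The program loops forever, forking one child per iteration. It rewrites
//    arp/ip/ip6 netfilter tables of the network namespace it runs in and
//    restores a snapshot afterwards, so it belongs in a disposable test VM.
//  - The header names after each #include were lost when this page was
//    extracted. The list below is reconstructed from the identifiers the code
//    uses and may differ from the generator's original list.
//  - Runs of single-byte zero stores in test() are folded into memset() calls
//    covering exactly the same address ranges.

#define _GNU_SOURCE

#include <endian.h>
#include <errno.h>
#include <netinet/in.h>
#include <signal.h>
#include <stdarg.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

// Terminates the whole process group via exit_group and never returns; the
// trailing loop only runs if the syscall itself did not terminate us.
__attribute__((noreturn)) static void doexit(int status)
{
  volatile unsigned i;
  syscall(__NR_exit_group, status);
  for (i = 0;; i++) {
  }
}

const int kFailStatus = 67;
const int kRetryStatus = 69;

// Prints a printf-style message plus the errno captured on entry, then exits.
// ENOMEM and EAGAIN map to kRetryStatus, everything else to kFailStatus.
static void fail(const char* msg, ...)
{
  int e = errno; // saved first: vfprintf/fprintf may overwrite errno
  va_list args;
  va_start(args, msg);
  vfprintf(stderr, msg, args);
  va_end(args);
  fprintf(stderr, " (errno %d)\n", e);
  doexit((e == ENOMEM || e == EAGAIN) ? kRetryStatus : kFailStatus);
}

// Monotonic clock in milliseconds; used by loop() for the per-child timeout.
static uint64_t current_time_ms()
{
  struct timespec ts;

  if (clock_gettime(CLOCK_MONOTONIC, &ts))
    fail("clock_gettime failed");
  return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}

// Upper bounds on what the harness is prepared to snapshot per table.
#define XT_TABLE_SIZE 1536
#define XT_MAX_ENTRIES 10

struct xt_counters {
  uint64_t pcnt, bcnt;
};

struct ipt_getinfo {
  char name[32];
  unsigned int valid_hooks;
  unsigned int hook_entry[5];
  unsigned int underflow[5];
  unsigned int num_entries;
  unsigned int size;
};

struct ipt_get_entries {
  char name[32];
  unsigned int size;
  void* entrytable[XT_TABLE_SIZE / sizeof(void*)];
};

struct ipt_replace {
  char name[32];
  unsigned int valid_hooks;
  unsigned int num_entries;
  unsigned int size;
  unsigned int hook_entry[5];
  unsigned int underflow[5];
  unsigned int num_counters;
  struct xt_counters* counters;
  char entrytable[XT_TABLE_SIZE];
};

// One snapshot slot per table: `info` is what the kernel reported at
// checkpoint time, `replace` is the ready-to-send blob that restores it.
struct ipt_table_desc {
  const char* name;
  struct ipt_getinfo info;
  struct ipt_replace replace;
};

static struct ipt_table_desc ipv4_tables[] = {
    {.name = "filter"}, {.name = "nat"},      {.name = "mangle"},
    {.name = "raw"},    {.name = "security"},
};

static struct ipt_table_desc ipv6_tables[] = {
    {.name = "filter"}, {.name = "nat"},      {.name = "mangle"},
    {.name = "raw"},    {.name = "security"},
};

// SET_REPLACE and GET_INFO share the value 64: one is used with setsockopt,
// the other with getsockopt.
#define IPT_BASE_CTL 64
#define IPT_SO_SET_REPLACE (IPT_BASE_CTL)
#define IPT_SO_GET_INFO (IPT_BASE_CTL)
#define IPT_SO_GET_ENTRIES (IPT_BASE_CTL + 1)

struct arpt_getinfo {
  char name[32];
  unsigned int valid_hooks;
  unsigned int hook_entry[3];
  unsigned int underflow[3];
  unsigned int num_entries;
  unsigned int size;
};

struct arpt_get_entries {
  char name[32];
  unsigned int size;
  void* entrytable[XT_TABLE_SIZE / sizeof(void*)];
};

struct arpt_replace {
  char name[32];
  unsigned int valid_hooks;
  unsigned int num_entries;
  unsigned int size;
  unsigned int hook_entry[3];
  unsigned int underflow[3];
  unsigned int num_counters;
  struct xt_counters* counters;
  char entrytable[XT_TABLE_SIZE];
};

struct arpt_table_desc {
  const char* name;
  struct arpt_getinfo info;
  struct arpt_replace replace;
};

static struct arpt_table_desc arpt_tables[] = {
    {.name = "filter"},
};

#define ARPT_BASE_CTL 96
#define ARPT_SO_SET_REPLACE (ARPT_BASE_CTL)
#define ARPT_SO_GET_INFO (ARPT_BASE_CTL)
#define ARPT_SO_GET_ENTRIES (ARPT_BASE_CTL + 1)

// Snapshots every table in `tables` for the given address family / sockopt
// level. Tables the kernel refuses to describe (EPERM, ENOENT, ENOPROTOOPT)
// are skipped and keep valid_hooks == 0, which reset_iptables() treats as
// "nothing to restore". Tables larger than the fixed buffers abort the run.
static void checkpoint_iptables(struct ipt_table_desc* tables, int num_tables,
                                int family, int level)
{
  struct ipt_get_entries entries;
  socklen_t optlen;
  int fd, i;

  fd = socket(family, SOCK_STREAM, IPPROTO_TCP);
  if (fd == -1)
    fail("socket(%d, SOCK_STREAM, IPPROTO_TCP)", family);
  for (i = 0; i < num_tables; i++) {
    struct ipt_table_desc* table = &tables[i];
    strcpy(table->info.name, table->name);
    strcpy(table->replace.name, table->name);
    optlen = sizeof(table->info);
    if (getsockopt(fd, level, IPT_SO_GET_INFO, &table->info, &optlen)) {
      switch (errno) {
      case EPERM:
      case ENOENT:
      case ENOPROTOOPT:
        continue;
      }
      fail("getsockopt(IPT_SO_GET_INFO)");
    }
    // Bound the kernel-reported sizes before they are used as copy lengths.
    if (table->info.size > sizeof(table->replace.entrytable))
      fail("table size is too large: %u", table->info.size);
    if (table->info.num_entries > XT_MAX_ENTRIES)
      fail("too many counters: %u", table->info.num_entries);
    memset(&entries, 0, sizeof(entries));
    strcpy(entries.name, table->name);
    entries.size = table->info.size;
    optlen = sizeof(entries) - sizeof(entries.entrytable) + table->info.size;
    if (getsockopt(fd, level, IPT_SO_GET_ENTRIES, &entries, &optlen))
      fail("getsockopt(IPT_SO_GET_ENTRIES)");
    table->replace.valid_hooks = table->info.valid_hooks;
    table->replace.num_entries = table->info.num_entries;
    table->replace.size = table->info.size;
    memcpy(table->replace.hook_entry, table->info.hook_entry,
           sizeof(table->replace.hook_entry));
    memcpy(table->replace.underflow, table->info.underflow,
           sizeof(table->replace.underflow));
    memcpy(table->replace.entrytable, entries.entrytable, table->info.size);
  }
  close(fd);
}

// Restores every checkpointed table whose current info or entries differ from
// the snapshot. The replace request asks for the current table's counters
// back, so the counter buffer has to hold info.num_entries elements. The
// table being replaced is whatever the test child installed and is not
// bounded by XT_MAX_ENTRIES, so larger tables get a heap buffer instead of
// overrunning the fixed array.
static void reset_iptables(struct ipt_table_desc* tables, int num_tables,
                           int family, int level)
{
  struct xt_counters counters[XT_MAX_ENTRIES];
  struct xt_counters* spill = NULL;
  struct ipt_get_entries entries;
  struct ipt_getinfo info;
  socklen_t optlen;
  int fd, i;

  fd = socket(family, SOCK_STREAM, IPPROTO_TCP);
  if (fd == -1)
    fail("socket(%d, SOCK_STREAM, IPPROTO_TCP)", family);
  for (i = 0; i < num_tables; i++) {
    struct ipt_table_desc* table = &tables[i];
    if (table->info.valid_hooks == 0)
      continue; // never checkpointed
    memset(&info, 0, sizeof(info));
    strcpy(info.name, table->name);
    optlen = sizeof(info);
    if (getsockopt(fd, level, IPT_SO_GET_INFO, &info, &optlen))
      fail("getsockopt(IPT_SO_GET_INFO)");
    if (memcmp(&table->info, &info, sizeof(table->info)) == 0) {
      // Same geometry as the snapshot: compare the rule bytes too.
      memset(&entries, 0, sizeof(entries));
      strcpy(entries.name, table->name);
      entries.size = table->info.size;
      optlen = sizeof(entries) - sizeof(entries.entrytable) + entries.size;
      if (getsockopt(fd, level, IPT_SO_GET_ENTRIES, &entries, &optlen))
        fail("getsockopt(IPT_SO_GET_ENTRIES)");
      if (memcmp(table->replace.entrytable, entries.entrytable,
                 table->info.size) == 0)
        continue; // unchanged
    }
    if (info.num_entries > XT_MAX_ENTRIES) {
      spill = calloc(info.num_entries, sizeof(*spill));
      if (!spill)
        fail("calloc(%u counters)", info.num_entries);
    }
    table->replace.num_counters = info.num_entries;
    table->replace.counters = spill ? spill : counters;
    optlen = sizeof(table->replace) - sizeof(table->replace.entrytable) +
             table->replace.size;
    if (setsockopt(fd, level, IPT_SO_SET_REPLACE, &table->replace, optlen))
      fail("setsockopt(IPT_SO_SET_REPLACE)");
    free(spill);
    spill = NULL;
  }
  close(fd);
}

// ARP-table counterpart of checkpoint_iptables(); always uses AF_INET/SOL_IP.
static void checkpoint_arptables(void)
{
  struct arpt_get_entries entries;
  socklen_t optlen;
  unsigned i;
  int fd;

  fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
  if (fd == -1)
    fail("socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)");
  for (i = 0; i < sizeof(arpt_tables) / sizeof(arpt_tables[0]); i++) {
    struct arpt_table_desc* table = &arpt_tables[i];
    strcpy(table->info.name, table->name);
    strcpy(table->replace.name, table->name);
    optlen = sizeof(table->info);
    if (getsockopt(fd, SOL_IP, ARPT_SO_GET_INFO, &table->info, &optlen)) {
      switch (errno) {
      case EPERM:
      case ENOENT:
      case ENOPROTOOPT:
        continue;
      }
      fail("getsockopt(ARPT_SO_GET_INFO)");
    }
    // Bound the kernel-reported sizes before they are used as copy lengths.
    if (table->info.size > sizeof(table->replace.entrytable))
      fail("table size is too large: %u", table->info.size);
    if (table->info.num_entries > XT_MAX_ENTRIES)
      fail("too many counters: %u", table->info.num_entries);
    memset(&entries, 0, sizeof(entries));
    strcpy(entries.name, table->name);
    entries.size = table->info.size;
    optlen = sizeof(entries) - sizeof(entries.entrytable) + table->info.size;
    if (getsockopt(fd, SOL_IP, ARPT_SO_GET_ENTRIES, &entries, &optlen))
      fail("getsockopt(ARPT_SO_GET_ENTRIES)");
    table->replace.valid_hooks = table->info.valid_hooks;
    table->replace.num_entries = table->info.num_entries;
    table->replace.size = table->info.size;
    memcpy(table->replace.hook_entry, table->info.hook_entry,
           sizeof(table->replace.hook_entry));
    memcpy(table->replace.underflow, table->info.underflow,
           sizeof(table->replace.underflow));
    memcpy(table->replace.entrytable, entries.entrytable, table->info.size);
  }
  close(fd);
}

// ARP-table counterpart of reset_iptables(), including the heap fallback for
// a current table with more than XT_MAX_ENTRIES entries.
static void reset_arptables()
{
  struct xt_counters counters[XT_MAX_ENTRIES];
  struct xt_counters* spill = NULL;
  struct arpt_get_entries entries;
  struct arpt_getinfo info;
  socklen_t optlen;
  unsigned i;
  int fd;

  fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
  if (fd == -1)
    fail("socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)");
  for (i = 0; i < sizeof(arpt_tables) / sizeof(arpt_tables[0]); i++) {
    struct arpt_table_desc* table = &arpt_tables[i];
    if (table->info.valid_hooks == 0)
      continue; // never checkpointed
    memset(&info, 0, sizeof(info));
    strcpy(info.name, table->name);
    optlen = sizeof(info);
    if (getsockopt(fd, SOL_IP, ARPT_SO_GET_INFO, &info, &optlen))
      fail("getsockopt(ARPT_SO_GET_INFO)");
    if (memcmp(&table->info, &info, sizeof(table->info)) == 0) {
      memset(&entries, 0, sizeof(entries));
      strcpy(entries.name, table->name);
      entries.size = table->info.size;
      optlen = sizeof(entries) - sizeof(entries.entrytable) + entries.size;
      if (getsockopt(fd, SOL_IP, ARPT_SO_GET_ENTRIES, &entries, &optlen))
        fail("getsockopt(ARPT_SO_GET_ENTRIES)");
      if (memcmp(table->replace.entrytable, entries.entrytable,
                 table->info.size) == 0)
        continue; // unchanged
    }
    if (info.num_entries > XT_MAX_ENTRIES) {
      spill = calloc(info.num_entries, sizeof(*spill));
      if (!spill)
        fail("calloc(%u counters)", info.num_entries);
    }
    table->replace.num_counters = info.num_entries;
    table->replace.counters = spill ? spill : counters;
    optlen = sizeof(table->replace) - sizeof(table->replace.entrytable) +
             table->replace.size;
    if (setsockopt(fd, SOL_IP, ARPT_SO_SET_REPLACE, &table->replace, optlen))
      fail("setsockopt(ARPT_SO_SET_REPLACE)");
    free(spill);
    spill = NULL;
  }
  close(fd);
}

// Snapshots arp, IPv4 and IPv6 tables once, before the first test iteration.
static void checkpoint_net_namespace(void)
{
  checkpoint_arptables();
  checkpoint_iptables(ipv4_tables, sizeof(ipv4_tables) / sizeof(ipv4_tables[0]),
                      AF_INET, SOL_IP);
  checkpoint_iptables(ipv6_tables, sizeof(ipv6_tables) / sizeof(ipv6_tables[0]),
                      AF_INET6, SOL_IPV6);
}

// Puts the tables back to the snapshot after each test iteration.
static void reset_net_namespace(void)
{
  reset_arptables();
  reset_iptables(ipv4_tables, sizeof(ipv4_tables) / sizeof(ipv4_tables[0]),
                 AF_INET, SOL_IP);
  reset_iptables(ipv6_tables, sizeof(ipv6_tables) / sizeof(ipv6_tables[0]),
                 AF_INET6, SOL_IPV6);
}

static void test();

// Runs test() in a fresh child per iteration, kills the child's process group
// if it has not exited after 5 seconds, then restores the netfilter tables.
void loop()
{
  int iter;

  checkpoint_net_namespace();
  for (iter = 0;; iter++) {
    int pid = fork();
    if (pid < 0)
      fail("loop fork failed");
    if (pid == 0) {
      // The child dies with the parent and gets its own process group so that
      // kill(-pid) below reaches anything it spawns.
      prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
      setpgrp();
      test();
      doexit(0);
    }
    int status = 0;
    uint64_t start = current_time_ms();
    for (;;) {
      int res = waitpid(-1, &status, __WALL | WNOHANG);
      if (res == pid)
        break;
      usleep(1000);
      if (current_time_ms() - start > 5 * 1000) {
        kill(-pid, SIGKILL);
        kill(pid, SIGKILL);
        while (waitpid(-1, &status, __WALL) != pid) {
        }
        break;
      }
    }
    reset_net_namespace();
  }
}

long r[2];

// The generated syscall sequence. All argument structures are written at
// fixed addresses inside one anonymous mapping; the field names in the
// comments below are inferred from offsets and widths, not stated by the
// generator.
void test()
{
  memset(r, -1, sizeof(r));
  // prot 3 = PROT_READ|PROT_WRITE, flags 0x32 = MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS
  syscall(__NR_mmap, 0x20000000, 0xfff000, 3, 0x32, -1, 0);

  // Socket 1: family 2 (AF_INET), type 1 (SOCK_STREAM).
  r[0] = syscall(__NR_socket, 2, 1, 0);
  // 0x90-byte argument for option 0x2a at level 0: interface index 1, then a
  // socket address with family 2, port 0 and address 0xe0000001 (224.0.0.1).
  // Option 42 at SOL_IP is MCAST_JOIN_GROUP on Linux.
  *(uint32_t*)0x206b8000 = 1;
  *(uint16_t*)0x206b8008 = 2;
  *(uint16_t*)0x206b800a = 0;
  *(uint32_t*)0x206b800c = htobe32(0xe0000001);
  memset((void*)0x206b8010, 0, 0x80); // 0x206b8010..0x206b808f
  syscall(__NR_setsockopt, r[0], 0, 0x2a, 0x206b8000, 0x90);

  // Socket 2: family 0xa (AF_INET6), type 0x80803 =
  // SOCK_RAW|SOCK_NONBLOCK|SOCK_CLOEXEC, protocol 3.
  r[1] = syscall(__NR_socket, 0xa, 0x80803, 3);

  // Table-replace header. Field order matches struct ipt_replace above:
  // name, valid_hooks, num_entries, size, hook_entry[5], underflow[5],
  // num_counters, counters pointer, then the rule blob at 0x2089ad70.
  // Table name bytes spell "raw".
  memcpy((void*)0x2089ad10, "\x72\x61\x77\x00\x00\x00\x00\x00\x00\x00\x00\x00"
                            "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
                            "\x00\x00\x00\x00\x00\x00\x00\x00",
         32);
  *(uint32_t*)0x2089ad30 = 9;     // valid_hooks
  *(uint32_t*)0x2089ad34 = 3;     // num_entries
  *(uint32_t*)0x2089ad38 = 0x290; // size of the rule blob
  *(uint32_t*)0x2089ad3c = 0xd0;  // hook_entry[0..4]
  *(uint32_t*)0x2089ad40 = -1;
  *(uint32_t*)0x2089ad44 = -1;
  *(uint32_t*)0x2089ad48 = 0;
  *(uint32_t*)0x2089ad4c = -1;
  *(uint32_t*)0x2089ad50 = 0x1c0; // underflow[0..4]
  *(uint32_t*)0x2089ad54 = -1;
  *(uint32_t*)0x2089ad58 = -1;
  *(uint32_t*)0x2089ad5c = 0x1c0;
  *(uint32_t*)0x2089ad60 = -1;
  *(uint32_t*)0x2089ad64 = 3;          // num_counters
  *(uint64_t*)0x2089ad68 = 0x20220fd0; // counters buffer inside the mapping

  // Rule at blob offset 0x000 (next_offset 0xd0). Two 16-byte addresses
  // ff 01 00..00 01, interface names "gre0" and "bpq0", target "CLASSIFY".
  *(uint8_t*)0x2089ad70 = -1;
  *(uint8_t*)0x2089ad71 = 1;
  memset((void*)0x2089ad72, 0, 13); // 0x2089ad72..0x2089ad7e
  *(uint8_t*)0x2089ad7f = 1;
  *(uint8_t*)0x2089ad80 = -1;
  *(uint8_t*)0x2089ad81 = 1;
  memset((void*)0x2089ad82, 0, 13); // 0x2089ad82..0x2089ad8e
  *(uint8_t*)0x2089ad8f = 1;
  *(uint32_t*)0x2089ad90 = htobe32(0);
  *(uint32_t*)0x2089ad94 = htobe32(0);
  *(uint32_t*)0x2089ad98 = htobe32(0);
  *(uint32_t*)0x2089ad9c = htobe32(-1);
  *(uint32_t*)0x2089ada0 = htobe32(0);
  *(uint32_t*)0x2089ada4 = htobe32(0);
  *(uint32_t*)0x2089ada8 = htobe32(0);
  *(uint32_t*)0x2089adac = htobe32(0);
  memcpy((void*)0x2089adb0,
         "\x67\x72\x65\x30\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00",
         16);
  memcpy((void*)0x2089adc0,
         "\x62\x70\x71\x30\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00",
         16);
  memset((void*)0x2089add0, 0, 32); // 0x2089add0..0x2089adef
  *(uint16_t*)0x2089adf0 = 0;
  *(uint8_t*)0x2089adf2 = 0;
  *(uint8_t*)0x2089adf3 = 0;
  *(uint8_t*)0x2089adf4 = 0;
  *(uint32_t*)0x2089adf8 = 0;
  *(uint16_t*)0x2089adfc = 0xa8; // target_offset
  *(uint16_t*)0x2089adfe = 0xd0; // next_offset
  *(uint32_t*)0x2089ae00 = 0;
  *(uint64_t*)0x2089ae08 = 0;
  *(uint64_t*)0x2089ae10 = 0;
  *(uint16_t*)0x2089ae18 = 0x28; // target size
  memcpy((void*)0x2089ae1a, "\x43\x4c\x41\x53\x53\x49\x46\x59\x00\x00\x00\x00"
                            "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
                            "\x00\x00\x00\x00\x00",
         29);
  *(uint8_t*)0x2089ae37 = 0;
  *(uint32_t*)0x2089ae38 = 0xfffffff9;

  // Rule at blob offset 0x0d0 (next_offset 0xf0). Second address starts
  // fe 80, interface names "gretap0" and "gre0", target "TEE" with the byte
  // after the name set to 1, four address bytes ac 14 00 00 and the
  // interface name "vcan0".
  memset((void*)0x2089ae40, 0, 16); // 0x2089ae40..0x2089ae4f
  *(uint8_t*)0x2089ae50 = 0xfe;
  *(uint8_t*)0x2089ae51 = 0x80;
  memset((void*)0x2089ae52, 0, 14); // 0x2089ae52..0x2089ae5f
  *(uint32_t*)0x2089ae60 = htobe32(0);
  *(uint32_t*)0x2089ae64 = htobe32(0);
  *(uint32_t*)0x2089ae68 = htobe32(0);
  *(uint32_t*)0x2089ae6c = htobe32(0);
  *(uint32_t*)0x2089ae70 = htobe32(0);
  *(uint32_t*)0x2089ae74 = htobe32(0);
  *(uint32_t*)0x2089ae78 = htobe32(0);
  *(uint32_t*)0x2089ae7c = htobe32(0);
  memcpy((void*)0x2089ae80,
         "\x67\x72\x65\x74\x61\x70\x30\x00\x00\x00\x00\x00\x00\x00\x00\x00",
         16);
  memcpy((void*)0x2089ae90,
         "\x67\x72\x65\x30\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00",
         16);
  memset((void*)0x2089aea0, 0, 32); // 0x2089aea0..0x2089aebf
  *(uint16_t*)0x2089aec0 = 8;
  *(uint8_t*)0x2089aec2 = 0;
  *(uint8_t*)0x2089aec3 = 0;
  *(uint8_t*)0x2089aec4 = 0;
  *(uint32_t*)0x2089aec8 = 0;
  *(uint16_t*)0x2089aecc = 0xa8; // target_offset
  *(uint16_t*)0x2089aece = 0xf0; // next_offset
  *(uint32_t*)0x2089aed0 = 0;
  *(uint64_t*)0x2089aed8 = 0;
  *(uint64_t*)0x2089aee0 = 0;
  *(uint16_t*)0x2089aee8 = 0x48; // target size
  memcpy((void*)0x2089aeea, "\x54\x45\x45\x00\x00\x00\x00\x00\x00\x00\x00\x00"
                            "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
                            "\x00\x00\x00\x00\x00",
         29);
  *(uint8_t*)0x2089af07 = 1;
  *(uint8_t*)0x2089af08 = 0xac;
  *(uint8_t*)0x2089af09 = 0x14;
  *(uint8_t*)0x2089af0a = 0;
  *(uint8_t*)0x2089af0b = 0;
  memcpy((void*)0x2089af18,
         "\x76\x63\x61\x6e\x30\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00",
         16);
  *(uint64_t*)0x2089af28 = 0;

  // Rule at blob offset 0x1c0, the offset named by both underflow slots: an
  // all-zero match with an empty target name and the value 0xfffffffe.
  memset((void*)0x2089af30, 0, 0x88); // 0x2089af30..0x2089afb7
  *(uint32_t*)0x2089afb8 = 0;
  *(uint16_t*)0x2089afbc = 0xa8; // target_offset
  *(uint16_t*)0x2089afbe = 0xd0; // next_offset
  *(uint32_t*)0x2089afc0 = 0;
  *(uint64_t*)0x2089afc8 = 0;
  *(uint64_t*)0x2089afd0 = 0;
  *(uint16_t*)0x2089afd8 = 0x28; // target size
  memcpy((void*)0x2089afda, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
                            "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
                            "\x00\x00\x00\x00\x00",
         29);
  *(uint8_t*)0x2089aff7 = 0;
  *(uint32_t*)0x2089aff8 = 0xfffffffe;

  // Level 0x29 (41, SOL_IPV6), option 0x40 (64, the same number as
  // IPT_SO_SET_REPLACE above); length 0x2f0 = 0x60-byte header + 0x290 blob.
  syscall(__NR_setsockopt, r[1], 0x29, 0x40, 0x2089ad10, 0x2f0);
}

int main()
{
  for (;;) {
    loop();
  }
}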