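// https://syzkaller.appspot.com/bug?id=2fad7bf7d727d00ba117711828f7c1fe92a00a03
// autogenerated by syzkaller (http://github.com/google/syzkaller)
//
// NOTE(review): the header names behind the #include directives were lost
// when this page was captured. The list below is reconstructed from the
// symbols this file actually uses (syscall()/__NR_*, errno, va_list,
// fixed-width ints, stdio, string.h, htobe*, the socket API, prctl, waitpid,
// SIGKILL/kill, clock_gettime, close/usleep/fork).
#define _GNU_SOURCE
#include <endian.h>
#include <errno.h>
#include <netinet/in.h>
#include <signal.h>
#include <stdarg.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

/* Exit the whole thread group with |status| through the raw exit_group
 * syscall (no atexit handlers, no stdio flush). The loop after it only exists
 * so the noreturn attribute holds if the syscall were ever to return. */
__attribute__((noreturn)) static void doexit(int status)
{
  volatile unsigned i;
  syscall(__NR_exit_group, status);
  for (i = 0;; i++) {
  }
}

/* Exit status for a failure of the harness itself. */
const int kFailStatus = 67;
/* Exit status for a transient failure (ENOMEM/EAGAIN) worth retrying. */
const int kRetryStatus = 69;

/* Print a printf-style message plus the errno captured on entry to stderr,
 * then exit: kRetryStatus for ENOMEM/EAGAIN, kFailStatus for anything else.
 * Every caller in this file passes a string literal as |msg|. */
static void fail(const char* msg, ...)
{
  int e = errno; /* capture before vfprintf can overwrite it */
  va_list args;
  va_start(args, msg);
  vfprintf(stderr, msg, args);
  va_end(args);
  fprintf(stderr, " (errno %d)\n", e);
  doexit((e == ENOMEM || e == EAGAIN) ? kRetryStatus : kFailStatus);
}

/* Mask covering the low |bf_len| bits, as |type|; bf_len must be < 64. */
#define BITMASK_LEN(type, bf_len) (type)((1ull << (bf_len)) - 1)
/* Mask covering |bf_len| bits starting at bit |bf_off|, as |type|. */
#define BITMASK_LEN_OFF(type, bf_off, bf_len) \
  (type)(BITMASK_LEN(type, (bf_len)) << (bf_off))
/* Store |val| into the bit-field [bf_off, bf_off + bf_len) of the |type|-sized
 * object at |addr|, leaving the other bits untouched. bf_off == bf_len == 0
 * means "the whole object" and is a plain store. Wrapped in do/while (0) so
 * the macro is a single statement in every context (it used to be a bare
 * if/else). The read-modify-write means successive calls on the same address
 * must stay in order. */
#define STORE_BY_BITMASK(type, addr, val, bf_off, bf_len)               \
  do {                                                                  \
    if ((bf_off) == 0 && (bf_len) == 0) {                               \
      *(type*)(addr) = (type)(val);                                     \
    } else {                                                            \
      type new_val = *(type*)(addr);                                    \
      new_val &= ~BITMASK_LEN_OFF(type, (bf_off), (bf_len));            \
      new_val |= ((type)(val)&BITMASK_LEN(type, (bf_len))) << (bf_off); \
      *(type*)(addr) = new_val;                                         \
    }                                                                   \
  } while (0)

/* Milliseconds on CLOCK_MONOTONIC; aborts through fail() if the clock is
 * unavailable. */
static uint64_t current_time_ms()
{
  struct timespec ts;
  if (clock_gettime(CLOCK_MONOTONIC, &ts))
    fail("clock_gettime failed");
  return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}

/* Largest table blob (bytes) this harness will snapshot and restore. */
#define XT_TABLE_SIZE 1536
/* Capacity of the on-stack xt_counters scratch array used on replace; the
 * entry count of any table we replace must stay within it. */
#define XT_MAX_ENTRIES 10

/* Per-rule packet/byte counters, mirroring the kernel's xt_counters. */
struct xt_counters {
  uint64_t pcnt, bcnt;
};

/* Reply layout for IPT_SO_GET_INFO. */
struct ipt_getinfo {
  char name[32];
  unsigned int valid_hooks;
  unsigned int hook_entry[5];
  unsigned int underflow[5];
  unsigned int num_entries;
  unsigned int size;
};

/* Request/reply layout for IPT_SO_GET_ENTRIES. entrytable is declared as an
 * array of pointers rather than chars, presumably to give it pointer
 * alignment; this file only ever treats it as raw bytes. */
struct ipt_get_entries {
  char name[32];
  unsigned int size;
  void* entrytable[XT_TABLE_SIZE / sizeof(void*)];
};

/* Argument layout for IPT_SO_SET_REPLACE. Only the header plus |size| bytes of
 * entrytable are handed to the kernel (see reset_iptables). */
struct ipt_replace {
  char name[32];
  unsigned int valid_hooks;
  unsigned int num_entries;
  unsigned int size;
  unsigned int hook_entry[5];
  unsigned int underflow[5];
  unsigned int num_counters;
  struct xt_counters* counters;
  char entrytable[XT_TABLE_SIZE];
};

/* Snapshot of one table: its name, the info reply taken at checkpoint time and
 * a replace request pre-built from it. valid_hooks == 0 (the zero initial
 * value) means the table was absent or inaccessible when checkpointed. */
struct ipt_table_desc {
  const char* name;
  struct ipt_getinfo info;
  struct ipt_replace replace;
};

/* The table names below are short literals, so the strcpy() calls into the
 * 32-byte name fields cannot overflow. */
static struct ipt_table_desc ipv4_tables[] = {
    {.name = "filter"}, {.name = "nat"}, {.name = "mangle"}, {.name = "raw"}, {.name = "security"},
};

static struct ipt_table_desc ipv6_tables[] = {
    {.name = "filter"}, {.name = "nat"}, {.name = "mangle"}, {.name = "raw"}, {.name = "security"},
};

#define IPT_BASE_CTL 64
#define IPT_SO_SET_REPLACE (IPT_BASE_CTL)
#define IPT_SO_GET_INFO (IPT_BASE_CTL)
#define IPT_SO_GET_ENTRIES (IPT_BASE_CTL + 1)

/* arptables counterparts of the structures above; arp tables have 3 hooks. */
struct arpt_getinfo {
  char name[32];
  unsigned int valid_hooks;
  unsigned int hook_entry[3];
  unsigned int underflow[3];
  unsigned int num_entries;
  unsigned int size;
};

struct arpt_get_entries {
  char name[32];
  unsigned int size;
  void* entrytable[XT_TABLE_SIZE / sizeof(void*)];
};

struct arpt_replace {
  char name[32];
  unsigned int valid_hooks;
  unsigned int num_entries;
  unsigned int size;
  unsigned int hook_entry[3];
  unsigned int underflow[3];
  unsigned int num_counters;
  struct xt_counters* counters;
  char entrytable[XT_TABLE_SIZE];
};

struct arpt_table_desc {
  const char* name;
  struct arpt_getinfo info;
  struct arpt_replace replace;
};

static struct arpt_table_desc arpt_tables[] = {
    {.name = "filter"},
};

#define ARPT_BASE_CTL 96
#define ARPT_SO_SET_REPLACE (ARPT_BASE_CTL)
#define ARPT_SO_GET_INFO (ARPT_BASE_CTL)
#define ARPT_SO_GET_ENTRIES (ARPT_BASE_CTL + 1)

/* Snapshot every table in |tables| for address family |family| using the
 * socket-option level |level| (SOL_IP or SOL_IPV6). A table that is absent or
 * inaccessible (EPERM/ENOENT/ENOPROTOOPT) is skipped and keeps
 * valid_hooks == 0, which is how reset_iptables later ignores it. Any other
 * error, a blob larger than XT_TABLE_SIZE, or more than XT_MAX_ENTRIES entries
 * aborts through fail(): the fixed-size buffers used for the restore could
 * not hold such a table. */
static void checkpoint_iptables(struct ipt_table_desc* tables, int num_tables, int family, int level)
{
  struct ipt_get_entries entries;
  socklen_t optlen;
  int fd, i;
  fd = socket(family, SOCK_STREAM, IPPROTO_TCP);
  if (fd == -1)
    fail("socket(%d, SOCK_STREAM, IPPROTO_TCP)", family);
  for (i = 0; i < num_tables; i++) {
    struct ipt_table_desc* table = &tables[i];
    strcpy(table->info.name, table->name);
    strcpy(table->replace.name, table->name);
    optlen = sizeof(table->info);
    if (getsockopt(fd, level, IPT_SO_GET_INFO, &table->info, &optlen)) {
      switch (errno) {
      case EPERM:
      case ENOENT:
      case ENOPROTOOPT:
        continue; /* table not available here: leave it unsnapshotted */
      default:
        break;
      }
      fail("getsockopt(IPT_SO_GET_INFO)");
    }
    if (table->info.size > sizeof(table->replace.entrytable))
      fail("table size is too large: %u", table->info.size);
    if (table->info.num_entries > XT_MAX_ENTRIES)
      fail("too many counters: %u", table->info.num_entries);
    memset(&entries, 0, sizeof(entries));
    strcpy(entries.name, table->name);
    entries.size = table->info.size;
    /* Pass only name + size + the used part of entrytable. */
    optlen = sizeof(entries) - sizeof(entries.entrytable) + table->info.size;
    if (getsockopt(fd, level, IPT_SO_GET_ENTRIES, &entries, &optlen))
      fail("getsockopt(IPT_SO_GET_ENTRIES)");
    /* Pre-build the replace request; reset only fills in the counters part. */
    table->replace.valid_hooks = table->info.valid_hooks;
    table->replace.num_entries = table->info.num_entries;
    table->replace.size = table->info.size;
    memcpy(table->replace.hook_entry, table->info.hook_entry, sizeof(table->replace.hook_entry));
    memcpy(table->replace.underflow, table->info.underflow, sizeof(table->replace.underflow));
    memcpy(table->replace.entrytable, entries.entrytable, table->info.size);
  }
  close(fd);
}

/* Restore every table snapshotted by checkpoint_iptables to its checkpointed
 * contents. A table is left alone when it was never snapshotted
 * (valid_hooks == 0) or when both its info header and its entry blob are
 * still identical to the snapshot. Before the replace request the current
 * entry count is bounded by XT_MAX_ENTRIES: num_counters and the |counters|
 * pointer are what the kernel is given as the destination for the old
 * per-rule counters, checkpoint_iptables only bounded the count at snapshot
 * time, and the test may have grown the table since, which would pair an
 * oversized count with the 10-element on-stack buffer. */
static void reset_iptables(struct ipt_table_desc* tables, int num_tables, int family, int level)
{
  struct xt_counters counters[XT_MAX_ENTRIES];
  struct ipt_get_entries entries;
  struct ipt_getinfo info;
  socklen_t optlen;
  int fd, i;
  fd = socket(family, SOCK_STREAM, IPPROTO_TCP);
  if (fd == -1)
    fail("socket(%d, SOCK_STREAM, IPPROTO_TCP)", family);
  for (i = 0; i < num_tables; i++) {
    struct ipt_table_desc* table = &tables[i];
    if (table->info.valid_hooks == 0)
      continue;
    memset(&info, 0, sizeof(info));
    strcpy(info.name, table->name);
    optlen = sizeof(info);
    if (getsockopt(fd, level, IPT_SO_GET_INFO, &info, &optlen))
      fail("getsockopt(IPT_SO_GET_INFO)");
    if (memcmp(&table->info, &info, sizeof(table->info)) == 0) {
      /* Header unchanged: fetch the rules and skip if they match as well. */
      memset(&entries, 0, sizeof(entries));
      strcpy(entries.name, table->name);
      entries.size = table->info.size;
      optlen = sizeof(entries) - sizeof(entries.entrytable) + entries.size;
      if (getsockopt(fd, level, IPT_SO_GET_ENTRIES, &entries, &optlen))
        fail("getsockopt(IPT_SO_GET_ENTRIES)");
      if (memcmp(table->replace.entrytable, entries.entrytable, table->info.size) == 0)
        continue;
    }
    /* The current count, not the snapshotted one, sizes what the kernel is
     * told it may write into |counters|. */
    if (info.num_entries > XT_MAX_ENTRIES)
      fail("too many counters: %u", info.num_entries);
    table->replace.num_counters = info.num_entries;
    table->replace.counters = counters;
    optlen = sizeof(table->replace) - sizeof(table->replace.entrytable) + table->replace.size;
    if (setsockopt(fd, level, IPT_SO_SET_REPLACE, &table->replace, optlen))
      fail("setsockopt(IPT_SO_SET_REPLACE)");
  }
  close(fd);
}

/* arptables twin of checkpoint_iptables: snapshot every table in
 * arpt_tables (currently just "filter") over an AF_INET socket at SOL_IP.
 * Skip, bound and failure semantics are the same as for iptables. */
static void checkpoint_arptables(void)
{
  struct arpt_get_entries entries;
  socklen_t optlen;
  unsigned i;
  int fd;
  fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
  if (fd == -1)
    fail("socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)");
  for (i = 0; i < sizeof(arpt_tables) / sizeof(arpt_tables[0]); i++) {
    struct arpt_table_desc* table = &arpt_tables[i];
    strcpy(table->info.name, table->name);
    strcpy(table->replace.name, table->name);
    optlen = sizeof(table->info);
    if (getsockopt(fd, SOL_IP, ARPT_SO_GET_INFO, &table->info, &optlen)) {
      switch (errno) {
      case EPERM:
      case ENOENT:
      case ENOPROTOOPT:
        continue; /* table not available here: leave it unsnapshotted */
      default:
        break;
      }
      fail("getsockopt(ARPT_SO_GET_INFO)");
    }
    if (table->info.size > sizeof(table->replace.entrytable))
      fail("table size is too large: %u", table->info.size);
    if (table->info.num_entries > XT_MAX_ENTRIES)
      fail("too many counters: %u", table->info.num_entries);
    memset(&entries, 0, sizeof(entries));
    strcpy(entries.name, table->name);
    entries.size = table->info.size;
    optlen = sizeof(entries) - sizeof(entries.entrytable) + table->info.size;
    if (getsockopt(fd, SOL_IP, ARPT_SO_GET_ENTRIES, &entries, &optlen))
      fail("getsockopt(ARPT_SO_GET_ENTRIES)");
    table->replace.valid_hooks = table->info.valid_hooks;
    table->replace.num_entries = table->info.num_entries;
    table->replace.size = table->info.size;
    memcpy(table->replace.hook_entry, table->info.hook_entry, sizeof(table->replace.hook_entry));
    memcpy(table->replace.underflow, table->info.underflow, sizeof(table->replace.underflow));
    memcpy(table->replace.entrytable, entries.entrytable, table->info.size);
  }
  close(fd);
}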
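/* arptables twin of reset_iptables: restore the "filter" table in arpt_tables
 * to its checkpointed contents. Tables never snapshotted (valid_hooks == 0) or
 * still identical to the snapshot are skipped. Before the replace request the
 * current entry count is bounded by XT_MAX_ENTRIES: num_counters and the
 * |counters| pointer are what the kernel is given as the destination for the
 * old per-rule counters, and checkpoint_arptables only bounded the count at
 * snapshot time, so a table that has grown since would otherwise be paired
 * with the 10-element on-stack buffer. */
static void reset_arptables()
{
  struct xt_counters counters[XT_MAX_ENTRIES];
  struct arpt_get_entries entries;
  struct arpt_getinfo info;
  socklen_t optlen;
  unsigned i;
  int fd;
  fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
  if (fd == -1)
    fail("socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)");
  for (i = 0; i < sizeof(arpt_tables) / sizeof(arpt_tables[0]); i++) {
    struct arpt_table_desc* table = &arpt_tables[i];
    if (table->info.valid_hooks == 0)
      continue;
    memset(&info, 0, sizeof(info));
    strcpy(info.name, table->name);
    optlen = sizeof(info);
    if (getsockopt(fd, SOL_IP, ARPT_SO_GET_INFO, &info, &optlen))
      fail("getsockopt(ARPT_SO_GET_INFO)");
    if (memcmp(&table->info, &info, sizeof(table->info)) == 0) {
      /* Header unchanged: fetch the rules and skip if they match as well. */
      memset(&entries, 0, sizeof(entries));
      strcpy(entries.name, table->name);
      entries.size = table->info.size;
      optlen = sizeof(entries) - sizeof(entries.entrytable) + entries.size;
      if (getsockopt(fd, SOL_IP, ARPT_SO_GET_ENTRIES, &entries, &optlen))
        fail("getsockopt(ARPT_SO_GET_ENTRIES)");
      if (memcmp(table->replace.entrytable, entries.entrytable, table->info.size) == 0)
        continue;
    }
    /* The current count, not the snapshotted one, sizes what the kernel is
     * told it may write into |counters|. */
    if (info.num_entries > XT_MAX_ENTRIES)
      fail("too many counters: %u", info.num_entries);
    table->replace.num_counters = info.num_entries;
    table->replace.counters = counters;
    optlen = sizeof(table->replace) - sizeof(table->replace.entrytable) + table->replace.size;
    if (setsockopt(fd, SOL_IP, ARPT_SO_SET_REPLACE, &table->replace, optlen))
      fail("setsockopt(ARPT_SO_SET_REPLACE)");
  }
  close(fd);
}

/* Snapshot arptables plus the IPv4 and IPv6 iptables of the current network
 * namespace. Called once before the first test iteration. */
static void checkpoint_net_namespace(void)
{
  checkpoint_arptables();
  checkpoint_iptables(ipv4_tables, sizeof(ipv4_tables) / sizeof(ipv4_tables[0]), AF_INET, SOL_IP);
  checkpoint_iptables(ipv6_tables, sizeof(ipv6_tables) / sizeof(ipv6_tables[0]), AF_INET6, SOL_IPV6);
}

/* Undo whatever a test iteration did to the snapshotted tables. Called after
 * every iteration so state cannot leak from one run into the next. */
static void reset_net_namespace(void)
{
  reset_arptables();
  reset_iptables(ipv4_tables, sizeof(ipv4_tables) / sizeof(ipv4_tables[0]), AF_INET, SOL_IP);
  reset_iptables(ipv6_tables, sizeof(ipv6_tables) / sizeof(ipv6_tables[0]), AF_INET6, SOL_IPV6);
}

static void test();

/* Run test() forever, each iteration in a fresh child process. The netfilter
 * tables are checkpointed once up front and reset after every child has gone
 * away. A child that is still running after 5 s is killed together with its
 * process group (it called setpgrp(), so -pid addresses the whole group); it
 * also asked for SIGKILL on parent death, so an orphaned child cannot outlive
 * this loop. */
void loop()
{
  int iter;
  checkpoint_net_namespace();
  for (iter = 0;; iter++) {
    int pid = fork();
    if (pid < 0)
      fail("loop fork failed");
    if (pid == 0) {
      prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
      setpgrp();
      test();
      doexit(0);
    }
    int status = 0;
    uint64_t start = current_time_ms();
    for (;;) {
      /* Poll rather than block so the 5 s budget below can be enforced. */
      int res = waitpid(-1, &status, __WALL | WNOHANG);
      if (res == pid)
        break;
      usleep(1000);
      if (current_time_ms() - start > 5 * 1000) {
        kill(-pid, SIGKILL);
        kill(pid, SIGKILL);
        /* NOTE(review): this would spin forever if waitpid reported an error
         * (-1) instead of eventually returning pid. */
        while (waitpid(-1, &status, __WALL) != pid) {
        }
        break;
      }
    }
    reset_net_namespace();
  }
}

/* Descriptors returned by the two socket() calls in test(); every byte is set
 * to 0xff (each slot reads as -1) at the start of an iteration. */
long r[2];

/* One iteration of the autogenerated reproducer body, run in a child of
 * loop(). The mmap() call maps a fixed 0xfff000-byte region at 0x20000000 and
 * every address used below lies inside it; the stores lay out the syscall
 * arguments in that region byte by byte exactly as syzkaller emitted them and
 * are deliberately left untouched. Return values of the syscalls other than
 * the two socket() calls are ignored, as in any syzkaller reproducer. */
void test()
{
  memset(r, -1, sizeof(r));
  syscall(__NR_mmap, 0x20000000, 0xfff000, 3, 0x32, -1, 0);
  *(uint8_t*)0x204f6000 = 1;
  *(uint8_t*)0x204f6001 = 0x80;
  *(uint8_t*)0x204f6002 = 0xc2;
  *(uint8_t*)0x204f6003 = 0;
  *(uint8_t*)0x204f6004 = 0;
  *(uint8_t*)0x204f6005 = 0;
  *(uint8_t*)0x204f6006 = 1;
  *(uint8_t*)0x204f6007 = 0x80;
  *(uint8_t*)0x204f6008 = 0xc2;
  *(uint8_t*)0x204f6009 = 0;
  *(uint8_t*)0x204f600a = 0;
  *(uint8_t*)0x204f600b = 0;
  *(uint16_t*)0x204f600c = htobe16(0x86dd);
  STORE_BY_BITMASK(uint8_t, 0x204f600e, 0, 0, 4);
  STORE_BY_BITMASK(uint8_t, 0x204f600e, 6, 4, 4);
  memcpy((void*)0x204f600f, "\x05\x01\x01", 3);
  *(uint16_t*)0x204f6012 = htobe16(0x28);
  *(uint8_t*)0x204f6014 = 0;
  *(uint8_t*)0x204f6015 = 0;
  *(uint8_t*)0x204f6016 = 0;
  *(uint8_t*)0x204f6017 = 0;
  *(uint8_t*)0x204f6018 = 0;
  *(uint8_t*)0x204f6019 = 0;
  *(uint8_t*)0x204f601a = 0;
  *(uint8_t*)0x204f601b = 0;
  *(uint8_t*)0x204f601c = 0;
  *(uint8_t*)0x204f601d = 0;
  *(uint8_t*)0x204f601e = 0;
  *(uint8_t*)0x204f601f = 0;
  *(uint8_t*)0x204f6020 = -1;
  *(uint8_t*)0x204f6021 = -1;
  *(uint32_t*)0x204f6022 = htobe32(0xe0000002);
  *(uint8_t*)0x204f6026 = -1;
  *(uint8_t*)0x204f6027 = 2;
  *(uint8_t*)0x204f6028 = 0;
  *(uint8_t*)0x204f6029 = 0;
  *(uint8_t*)0x204f602a = 0;
  *(uint8_t*)0x204f602b = 0;
  *(uint8_t*)0x204f602c = 0;
  *(uint8_t*)0x204f602d = 0;
  *(uint8_t*)0x204f602e = 0;
  *(uint8_t*)0x204f602f = 0;
  *(uint8_t*)0x204f6030 = 0;
  *(uint8_t*)0x204f6031 = 0;
  *(uint8_t*)0x204f6032 = 0;
  *(uint8_t*)0x204f6033 = 0;
  *(uint8_t*)0x204f6034 = 0;
  *(uint8_t*)0x204f6035 = 1;
  *(uint8_t*)0x204f6036 = 0;
  *(uint8_t*)0x204f6037 = 2;
  *(uint8_t*)0x204f6038 = 1;
  *(uint8_t*)0x204f6039 = 0;
  *(uint32_t*)0x204f603a = 0;
  *(uint64_t*)0x204f603e = htobe64(0);
  *(uint64_t*)0x204f6046 = htobe64(1);
  /* Bit-field stores on one 16-bit word: order matters (read-modify-write). */
  STORE_BY_BITMASK(uint16_t, 0x204f604e, 0, 0, 1);
  STORE_BY_BITMASK(uint16_t, 0x204f604e, 0, 1, 1);
  STORE_BY_BITMASK(uint16_t, 0x204f604e, 1, 2, 1);
  STORE_BY_BITMASK(uint16_t, 0x204f604e, 0, 3, 1);
  STORE_BY_BITMASK(uint16_t, 0x204f604e, 0, 4, 4);
  STORE_BY_BITMASK(uint16_t, 0x204f604e, 0, 8, 1);
  STORE_BY_BITMASK(uint16_t, 0x204f604e, 0, 9, 4);
  STORE_BY_BITMASK(uint16_t, 0x204f604e, 1, 13, 3);
  *(uint16_t*)0x204f6050 = htobe16(0x880b);
  *(uint16_t*)0x204f6052 = htobe16(0);
  *(uint16_t*)0x204f6054 = htobe16(0);
  STORE_BY_BITMASK(uint16_t, 0x204f6056, 0, 0, 1);
  STORE_BY_BITMASK(uint16_t, 0x204f6056, 0, 1, 1);
  STORE_BY_BITMASK(uint16_t, 0x204f6056, 0, 2, 1);
  STORE_BY_BITMASK(uint16_t, 0x204f6056, 0, 3, 1);
  STORE_BY_BITMASK(uint16_t, 0x204f6056, 0, 4, 9);
  STORE_BY_BITMASK(uint16_t, 0x204f6056, 0, 13, 3);
  *(uint16_t*)0x204f6058 = htobe16(0);
  STORE_BY_BITMASK(uint16_t, 0x204f605a, 0, 0, 1);
  STORE_BY_BITMASK(uint16_t, 0x204f605a, 0, 1, 1);
  STORE_BY_BITMASK(uint16_t, 0x204f605a, 0, 2, 1);
  STORE_BY_BITMASK(uint16_t, 0x204f605a, 0, 3, 1);
  STORE_BY_BITMASK(uint16_t, 0x204f605a, 0, 4, 9);
  STORE_BY_BITMASK(uint16_t, 0x204f605a, 0, 13, 3);
  *(uint16_t*)0x204f605c = htobe16(0);
  *(uint32_t*)0x20efe000 = 0;
  *(uint32_t*)0x20efe004 = 1;
  *(uint32_t*)0x20efe008 = 0;
  /* First socket; its descriptor is reused by both sendto() calls below. */
  r[0] = syscall(__NR_socket, 0xa, 0x8000000000000802, 0);
  *(uint16_t*)0x20dee000 = 0xa;
  *(uint16_t*)0x20dee002 = htobe16(0x4e21);
  *(uint32_t*)0x20dee004 = 0;
  *(uint8_t*)0x20dee008 = 0;
  *(uint8_t*)0x20dee009 = 0;
  *(uint8_t*)0x20dee00a = 0;
  *(uint8_t*)0x20dee00b = 0;
  *(uint8_t*)0x20dee00c = 0;
  *(uint8_t*)0x20dee00d = 0;
  *(uint8_t*)0x20dee00e = 0;
  *(uint8_t*)0x20dee00f = 0;
  *(uint8_t*)0x20dee010 = 0;
  *(uint8_t*)0x20dee011 = 0;
  *(uint8_t*)0x20dee012 = -1;
  *(uint8_t*)0x20dee013 = -1;
  *(uint8_t*)0x20dee014 = 0xac;
  *(uint8_t*)0x20dee015 = 0x14;
  *(uint8_t*)0x20dee016 = 0;
  *(uint8_t*)0x20dee017 = 0xaa;
  *(uint32_t*)0x20dee018 = 0;
  syscall(__NR_sendto, r[0], 0x2089af82, 0, 0x8000, 0x20dee000, 0x1c);
  /* Second socket; receives the 0x360-byte setsockopt payload built at
   * 0x20005ca0 (it starts with the 32-byte table name "filter"). */
  r[1] = syscall(__NR_socket, 2, 3, 1);
  memcpy((void*)0x20005ca0, "\x66\x69\x6c\x74\x65\x72\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00", 32);
  *(uint32_t*)0x20005cc0 = 0xe;
  *(uint32_t*)0x20005cc4 = 4;
  *(uint32_t*)0x20005cc8 = 0x300;
  *(uint32_t*)0x20005ccc = -1;
  *(uint32_t*)0x20005cd0 = 0xf0;
  *(uint32_t*)0x20005cd4 = 0xf0;
  *(uint32_t*)0x20005cd8 = 0;
  *(uint32_t*)0x20005cdc = -1;
  *(uint32_t*)0x20005ce0 = -1;
  *(uint32_t*)0x20005ce4 = 0x268;
  *(uint32_t*)0x20005ce8 = 0x268;
  *(uint32_t*)0x20005cec = 0x268;
  *(uint32_t*)0x20005cf0 = -1;
  *(uint32_t*)0x20005cf4 = 4;
  *(uint64_t*)0x20005cf8 = 0x2001c000;
  *(uint8_t*)0x20005d00 = 0;
  *(uint8_t*)0x20005d01 = 0;
  *(uint8_t*)0x20005d02 = 0;
  *(uint8_t*)0x20005d03 = 0;
  *(uint8_t*)0x20005d04 = 0;
  *(uint8_t*)0x20005d05 = 0;
  *(uint8_t*)0x20005d06 = 0;
  *(uint8_t*)0x20005d07 = 0;
  *(uint8_t*)0x20005d08 = 0;
  *(uint8_t*)0x20005d09 = 0;
  *(uint8_t*)0x20005d0a = 0;
  *(uint8_t*)0x20005d0b = 0;
  *(uint8_t*)0x20005d0c = 0;
  *(uint8_t*)0x20005d0d = 0;
  *(uint8_t*)0x20005d0e = 0;
  *(uint8_t*)0x20005d0f = 0;
  *(uint8_t*)0x20005d10 = 0;
  *(uint8_t*)0x20005d11 = 0;
  *(uint8_t*)0x20005d12 = 0;
  *(uint8_t*)0x20005d13 = 0;
  *(uint8_t*)0x20005d14 = 0;
  *(uint8_t*)0x20005d15 = 0;
  *(uint8_t*)0x20005d16 = 0;
  *(uint8_t*)0x20005d17 = 0;
  *(uint8_t*)0x20005d18 = 0;
  *(uint8_t*)0x20005d19 = 0;
  *(uint8_t*)0x20005d1a = 0;
  *(uint8_t*)0x20005d1b = 0;
  *(uint8_t*)0x20005d1c = 0;
  *(uint8_t*)0x20005d1d = 0;
  *(uint8_t*)0x20005d1e = 0;
  *(uint8_t*)0x20005d1f = 0;
  *(uint8_t*)0x20005d20 = 0;
  *(uint8_t*)0x20005d21 = 0;
  *(uint8_t*)0x20005d22 = 0;
  *(uint8_t*)0x20005d23 = 0;
  *(uint8_t*)0x20005d24 = 0;
  *(uint8_t*)0x20005d25 = 0;
  *(uint8_t*)0x20005d26 = 0;
  *(uint8_t*)0x20005d27 = 0;
  *(uint8_t*)0x20005d28 = 0;
  *(uint8_t*)0x20005d29 = 0;
  *(uint8_t*)0x20005d2a = 0;
  *(uint8_t*)0x20005d2b = 0;
  *(uint8_t*)0x20005d2c = 0;
  *(uint8_t*)0x20005d2d = 0;
  *(uint8_t*)0x20005d2e = 0;
  *(uint8_t*)0x20005d2f = 0;
  *(uint8_t*)0x20005d30 = 0;
  *(uint8_t*)0x20005d31 = 0;
  *(uint8_t*)0x20005d32 = 0;
  *(uint8_t*)0x20005d33 = 0;
  *(uint8_t*)0x20005d34 = 0;
  *(uint8_t*)0x20005d35 = 0;
  *(uint8_t*)0x20005d36 = 0;
  *(uint8_t*)0x20005d37 = 0;
  *(uint8_t*)0x20005d38 = 0;
  *(uint8_t*)0x20005d39 = 0;
  *(uint8_t*)0x20005d3a = 0;
  *(uint8_t*)0x20005d3b = 0;
  *(uint8_t*)0x20005d3c = 0;
  *(uint8_t*)0x20005d3d = 0;
  *(uint8_t*)0x20005d3e = 0;
  *(uint8_t*)0x20005d3f = 0;
  *(uint8_t*)0x20005d40 = 0;
  *(uint8_t*)0x20005d41 = 0;
  *(uint8_t*)0x20005d42 = 0;
  *(uint8_t*)0x20005d43 = 0;
  *(uint8_t*)0x20005d44 = 0;
  *(uint8_t*)0x20005d45 = 0;
  *(uint8_t*)0x20005d46 = 0;
  *(uint8_t*)0x20005d47 = 0;
  *(uint8_t*)0x20005d48 = 0;
  *(uint8_t*)0x20005d49 = 0;
  *(uint8_t*)0x20005d4a = 0;
  *(uint8_t*)0x20005d4b = 0;
  *(uint8_t*)0x20005d4c = 0;
  *(uint8_t*)0x20005d4d = 0;
  *(uint8_t*)0x20005d4e = 0;
  *(uint8_t*)0x20005d4f = 0;
  *(uint8_t*)0x20005d50 = 0;
  *(uint8_t*)0x20005d51 = 0;
  *(uint8_t*)0x20005d52 = 0;
  *(uint8_t*)0x20005d53 = 0;
  *(uint32_t*)0x20005d54 = 0;
  *(uint16_t*)0x20005d58 = 0xa8;
  *(uint16_t*)0x20005d5a = 0xf0;
  *(uint32_t*)0x20005d5c = 0;
  *(uint64_t*)0x20005d60 = 0;
  *(uint64_t*)0x20005d68 = 0;
  *(uint16_t*)0x20005d70 = 0x38;
  memcpy((void*)0x20005d72, "\x64\x65\x76\x67\x72\x6f\x75\x70\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00", 29);
  *(uint8_t*)0x20005d8f = 0;
  *(uint32_t*)0x20005d90 = 6;
  *(uint32_t*)0x20005d94 = 0;
  *(uint32_t*)0x20005d98 = 0;
  *(uint32_t*)0x20005d9c = 0;
  *(uint32_t*)0x20005da0 = 0;
  *(uint16_t*)0x20005da8 = 0x48;
  memcpy((void*)0x20005daa, "\x4c\x45\x44\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00", 29);
  *(uint8_t*)0x20005dc7 = 0;
  memcpy((void*)0x20005dc8, "\x73\x79\x7a\x31\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00", 27);
  *(uint8_t*)0x20005de3 = 0;
  *(uint32_t*)0x20005de4 = -1;
  *(uint64_t*)0x20005de8 = 0xffffffffffff8000;
  *(uint8_t*)0x20005df0 = 0;
  *(uint8_t*)0x20005df1 = 0;
  *(uint8_t*)0x20005df2 = 0;
  *(uint8_t*)0x20005df3 = 0;
  *(uint8_t*)0x20005df4 = 0;
  *(uint8_t*)0x20005df5 = 0;
  *(uint8_t*)0x20005df6 = 0;
  *(uint8_t*)0x20005df7 = 0;
  *(uint8_t*)0x20005df8 = 0;
  *(uint8_t*)0x20005df9 = 0;
  *(uint8_t*)0x20005dfa = 0;
  *(uint8_t*)0x20005dfb = 0;
  *(uint8_t*)0x20005dfc = 0;
  *(uint8_t*)0x20005dfd = 0;
  *(uint8_t*)0x20005dfe = 0;
  *(uint8_t*)0x20005dff = 0;
  *(uint8_t*)0x20005e00 = 0;
  *(uint8_t*)0x20005e01 = 0;
  *(uint8_t*)0x20005e02 = 0;
  *(uint8_t*)0x20005e03 = 0;
  *(uint8_t*)0x20005e04 = 0;
  *(uint8_t*)0x20005e05 = 0;
  *(uint8_t*)0x20005e06 = 0;
  *(uint8_t*)0x20005e07 = 0;
  *(uint8_t*)0x20005e08 = 0;
  *(uint8_t*)0x20005e09 = 0;
  *(uint8_t*)0x20005e0a = 0;
  *(uint8_t*)0x20005e0b = 0;
  *(uint8_t*)0x20005e0c = 0;
  *(uint8_t*)0x20005e0d = 0;
  *(uint8_t*)0x20005e0e = 0;
  *(uint8_t*)0x20005e0f = 0;
  *(uint8_t*)0x20005e10 = 0;
  *(uint8_t*)0x20005e11 = 0;
  *(uint8_t*)0x20005e12 = 0;
  *(uint8_t*)0x20005e13 = 0;
  *(uint8_t*)0x20005e14 = 0;
  *(uint8_t*)0x20005e15 = 0;
  *(uint8_t*)0x20005e16 = 0;
  *(uint8_t*)0x20005e17 = 0;
  *(uint8_t*)0x20005e18 = 0;
  *(uint8_t*)0x20005e19 = 0;
  *(uint8_t*)0x20005e1a = 0;
  *(uint8_t*)0x20005e1b = 0;
  *(uint8_t*)0x20005e1c = 0;
  *(uint8_t*)0x20005e1d = 0;
  *(uint8_t*)0x20005e1e = 0;
  *(uint8_t*)0x20005e1f = 0;
  *(uint8_t*)0x20005e20 = 0;
  *(uint8_t*)0x20005e21 = 0;
  *(uint8_t*)0x20005e22 = 0;
  *(uint8_t*)0x20005e23 = 0;
  *(uint8_t*)0x20005e24 = 0;
  *(uint8_t*)0x20005e25 = 0;
  *(uint8_t*)0x20005e26 = 0;
  *(uint8_t*)0x20005e27 = 0;
  *(uint8_t*)0x20005e28 = 0;
  *(uint8_t*)0x20005e29 = 0;
  *(uint8_t*)0x20005e2a = 0;
  *(uint8_t*)0x20005e2b = 0;
  *(uint8_t*)0x20005e2c = 0;
  *(uint8_t*)0x20005e2d = 0;
  *(uint8_t*)0x20005e2e = 0;
  *(uint8_t*)0x20005e2f = 0;
  *(uint8_t*)0x20005e30 = 0;
  *(uint8_t*)0x20005e31 = 0;
  *(uint8_t*)0x20005e32 = 0;
  *(uint8_t*)0x20005e33 = 0;
  *(uint8_t*)0x20005e34 = 0;
  *(uint8_t*)0x20005e35 = 0;
  *(uint8_t*)0x20005e36 = 0;
  *(uint8_t*)0x20005e37 = 0;
  *(uint8_t*)0x20005e38 = 0;
  *(uint8_t*)0x20005e39 = 0;
  *(uint8_t*)0x20005e3a = 0;
  *(uint8_t*)0x20005e3b = 0;
  *(uint8_t*)0x20005e3c = 0;
  *(uint8_t*)0x20005e3d = 0;
  *(uint8_t*)0x20005e3e = 0;
  *(uint8_t*)0x20005e3f = 0;
  *(uint8_t*)0x20005e40 = 0;
  *(uint8_t*)0x20005e41 = 0;
  *(uint8_t*)0x20005e42 = 0;
  *(uint8_t*)0x20005e43 = 0;
  *(uint32_t*)0x20005e44 = 0;
  *(uint16_t*)0x20005e48 = 0x98;
  *(uint16_t*)0x20005e4a = 0xe0;
  *(uint32_t*)0x20005e4c = 0;
  *(uint64_t*)0x20005e50 = 0;
  *(uint64_t*)0x20005e58 = 0;
  *(uint16_t*)0x20005e60 = 0x28;
  memcpy((void*)0x20005e62, "\x73\x74\x61\x74\x65\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00", 29);
  *(uint8_t*)0x20005e7f = 0;
  *(uint32_t*)0x20005e80 = 0;
  *(uint16_t*)0x20005e88 = 0x48;
  memcpy((void*)0x20005e8a, "\x4c\x45\x44\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00", 29);
  *(uint8_t*)0x20005ea7 = 0;
  memcpy((void*)0x20005ea8, "\x73\x79\x7a\x31\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00", 27);
  *(uint8_t*)0x20005ec3 = 0;
  *(uint32_t*)0x20005ec4 = 0;
  *(uint64_t*)0x20005ec8 = 0;
  *(uint8_t*)0x20005ed0 = 0xac;
  *(uint8_t*)0x20005ed1 = 0x14;
  *(uint8_t*)0x20005ed2 = 0;
  *(uint8_t*)0x20005ed3 = 0xbb;
  *(uint32_t*)0x20005ed4 = htobe32(0xe0000002);
  *(uint32_t*)0x20005ed8 = htobe32(0);
  *(uint32_t*)0x20005edc = htobe32(0);
  memcpy((void*)0x20005ee0, "\x62\x72\x69\x64\x67\x65\x30\x00\x00\x00\x00\x00\x00\x00\x00\x00", 16);
  memcpy((void*)0x20005ef0, "\x6b\xc9\x50\x55\xde\x80\x09\xc0\xa5\x37\x1b\xb9\x31\x6b\x7a\x4c", 16);
  *(uint8_t*)0x20005f00 = 0;
  *(uint8_t*)0x20005f01 = 0;
  *(uint8_t*)0x20005f02 = 0;
  *(uint8_t*)0x20005f03 = 0;
  *(uint8_t*)0x20005f04 = 0;
  *(uint8_t*)0x20005f05 = 0;
  *(uint8_t*)0x20005f06 = 0;
  *(uint8_t*)0x20005f07 = 0;
  *(uint8_t*)0x20005f08 = 0;
  *(uint8_t*)0x20005f09 = 0;
  *(uint8_t*)0x20005f0a = 0;
  *(uint8_t*)0x20005f0b = 0;
  *(uint8_t*)0x20005f0c = 0;
  *(uint8_t*)0x20005f0d = 0;
  *(uint8_t*)0x20005f0e = 0;
  *(uint8_t*)0x20005f0f = 0;
  *(uint8_t*)0x20005f10 = 0;
  *(uint8_t*)0x20005f11 = 0;
  *(uint8_t*)0x20005f12 = 0;
  *(uint8_t*)0x20005f13 = 0;
  *(uint8_t*)0x20005f14 = 0;
  *(uint8_t*)0x20005f15 = 0;
  *(uint8_t*)0x20005f16 = 0;
  *(uint8_t*)0x20005f17 = 0;
  *(uint8_t*)0x20005f18 = 0;
  *(uint8_t*)0x20005f19 = 0;
  *(uint8_t*)0x20005f1a = 0;
  *(uint8_t*)0x20005f1b = 0;
  *(uint8_t*)0x20005f1c = 0;
  *(uint8_t*)0x20005f1d = 0;
  *(uint8_t*)0x20005f1e = 0;
  *(uint8_t*)0x20005f1f = 0;
  *(uint16_t*)0x20005f20 = 0;
  *(uint8_t*)0x20005f22 = 0;
  *(uint8_t*)0x20005f23 = 0;
  *(uint32_t*)0x20005f24 = 0;
  *(uint16_t*)0x20005f28 = 0x70;
  *(uint16_t*)0x20005f2a = 0x98;
  *(uint32_t*)0x20005f2c = 0;
  *(uint64_t*)0x20005f30 = 0;
  *(uint64_t*)0x20005f38 = 0;
  *(uint16_t*)0x20005f40 = 0x28;
  memcpy((void*)0x20005f42, "\x52\x45\x4a\x45\x43\x54\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00", 29);
  *(uint8_t*)0x20005f5f = 0;
  *(uint32_t*)0x20005f60 = 0;
  *(uint8_t*)0x20005f68 = 0;
  *(uint8_t*)0x20005f69 = 0;
  *(uint8_t*)0x20005f6a = 0;
  *(uint8_t*)0x20005f6b = 0;
  *(uint8_t*)0x20005f6c = 0;
  *(uint8_t*)0x20005f6d = 0;
  *(uint8_t*)0x20005f6e = 0;
  *(uint8_t*)0x20005f6f = 0;
  *(uint8_t*)0x20005f70 = 0;
  *(uint8_t*)0x20005f71 = 0;
  *(uint8_t*)0x20005f72 = 0;
  *(uint8_t*)0x20005f73 = 0;
  *(uint8_t*)0x20005f74 = 0;
  *(uint8_t*)0x20005f75 = 0;
  *(uint8_t*)0x20005f76 = 0;
  *(uint8_t*)0x20005f77 = 0;
  *(uint8_t*)0x20005f78 = 0;
  *(uint8_t*)0x20005f79 = 0;
  *(uint8_t*)0x20005f7a = 0;
  *(uint8_t*)0x20005f7b = 0;
  *(uint8_t*)0x20005f7c = 0;
  *(uint8_t*)0x20005f7d = 0;
  *(uint8_t*)0x20005f7e = 0;
  *(uint8_t*)0x20005f7f = 0;
  *(uint8_t*)0x20005f80 = 0;
  *(uint8_t*)0x20005f81 = 0;
  *(uint8_t*)0x20005f82 = 0;
  *(uint8_t*)0x20005f83 = 0;
  *(uint8_t*)0x20005f84 = 0;
  *(uint8_t*)0x20005f85 = 0;
  *(uint8_t*)0x20005f86 = 0;
  *(uint8_t*)0x20005f87 = 0;
  *(uint8_t*)0x20005f88 = 0;
  *(uint8_t*)0x20005f89 = 0;
  *(uint8_t*)0x20005f8a = 0;
  *(uint8_t*)0x20005f8b = 0;
  *(uint8_t*)0x20005f8c = 0;
  *(uint8_t*)0x20005f8d = 0;
  *(uint8_t*)0x20005f8e = 0;
  *(uint8_t*)0x20005f8f = 0;
  *(uint8_t*)0x20005f90 = 0;
  *(uint8_t*)0x20005f91 = 0;
  *(uint8_t*)0x20005f92 = 0;
  *(uint8_t*)0x20005f93 = 0;
  *(uint8_t*)0x20005f94 = 0;
  *(uint8_t*)0x20005f95 = 0;
  *(uint8_t*)0x20005f96 = 0;
  *(uint8_t*)0x20005f97 = 0;
  *(uint8_t*)0x20005f98 = 0;
  *(uint8_t*)0x20005f99 = 0;
  *(uint8_t*)0x20005f9a = 0;
  *(uint8_t*)0x20005f9b = 0;
  *(uint8_t*)0x20005f9c = 0;
  *(uint8_t*)0x20005f9d = 0;
  *(uint8_t*)0x20005f9e = 0;
  *(uint8_t*)0x20005f9f = 0;
  *(uint8_t*)0x20005fa0 = 0;
  *(uint8_t*)0x20005fa1 = 0;
  *(uint8_t*)0x20005fa2 = 0;
  *(uint8_t*)0x20005fa3 = 0;
  *(uint8_t*)0x20005fa4 = 0;
  *(uint8_t*)0x20005fa5 = 0;
  *(uint8_t*)0x20005fa6 = 0;
  *(uint8_t*)0x20005fa7 = 0;
  *(uint8_t*)0x20005fa8 = 0;
  *(uint8_t*)0x20005fa9 = 0;
  *(uint8_t*)0x20005faa = 0;
  *(uint8_t*)0x20005fab = 0;
  *(uint8_t*)0x20005fac = 0;
  *(uint8_t*)0x20005fad = 0;
  *(uint8_t*)0x20005fae = 0;
  *(uint8_t*)0x20005faf = 0;
  *(uint8_t*)0x20005fb0 = 0;
  *(uint8_t*)0x20005fb1 = 0;
  *(uint8_t*)0x20005fb2 = 0;
  *(uint8_t*)0x20005fb3 = 0;
  *(uint8_t*)0x20005fb4 = 0;
  *(uint8_t*)0x20005fb5 = 0;
  *(uint8_t*)0x20005fb6 = 0;
  *(uint8_t*)0x20005fb7 = 0;
  *(uint8_t*)0x20005fb8 = 0;
  *(uint8_t*)0x20005fb9 = 0;
  *(uint8_t*)0x20005fba = 0;
  *(uint8_t*)0x20005fbb = 0;
  *(uint32_t*)0x20005fbc = 0;
  *(uint16_t*)0x20005fc0 = 0x70;
  *(uint16_t*)0x20005fc2 = 0x98;
  *(uint32_t*)0x20005fc4 = 0;
  *(uint64_t*)0x20005fc8 = 0;
  *(uint64_t*)0x20005fd0 = 0;
  *(uint16_t*)0x20005fd8 = 0x28;
  memcpy((void*)0x20005fda, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00", 29);
  *(uint8_t*)0x20005ff7 = 0;
  *(uint32_t*)0x20005ff8 = 0xfffffffe;
  syscall(__NR_setsockopt, r[1], 0, 0x40, 0x20005ca0, 0x360);
  /* Second sendto() on r[0], with the 0x1c-byte address built at 0x20fbb000. */
  *(uint16_t*)0x20fbb000 = 0xa;
  *(uint16_t*)0x20fbb002 = 0;
  *(uint32_t*)0x20fbb004 = 0;
  *(uint8_t*)0x20fbb008 = 0;
  *(uint8_t*)0x20fbb009 = 0;
  *(uint8_t*)0x20fbb00a = 0;
  *(uint8_t*)0x20fbb00b = 0;
  *(uint8_t*)0x20fbb00c = 0;
  *(uint8_t*)0x20fbb00d = 0;
  *(uint8_t*)0x20fbb00e = 0;
  *(uint8_t*)0x20fbb00f = 0;
  *(uint8_t*)0x20fbb010 = 0;
  *(uint8_t*)0x20fbb011 = 0;
  *(uint8_t*)0x20fbb012 = 0;
  *(uint8_t*)0x20fbb013 = 0;
  *(uint8_t*)0x20fbb014 = 0;
  *(uint8_t*)0x20fbb015 = 0;
  *(uint8_t*)0x20fbb016 = 0;
  *(uint8_t*)0x20fbb017 = 0;
  *(uint32_t*)0x20fbb018 = 0;
  syscall(__NR_sendto, r[0], 0x20fc4000, 0, 0, 0x20fbb000, 0x1c);
}

/* Entry point: loop() never returns, so this runs until killed. */
int main()
{
  for (;;) {
    loop();
  }
}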