// https://syzkaller.appspot.com/bug?id=fd0b0b00fc26abb4b35663a0e2f1c91d8e6e5725 // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void use_temporary_dir(void) { char tmpdir_template[] = "./syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) exit(1); if (chmod(tmpdir, 0777)) exit(1); if (chdir(tmpdir)) exit(1); } static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); pthread_attr_setstacksize(&attr, 128 << 10); if (pthread_create(&th, &attr, fn, arg)) exit(1); pthread_attr_destroy(&attr); } #define BITMASK(bf_off, bf_len) (((1ull << (bf_len)) - 1) << (bf_off)) #define STORE_BY_BITMASK(type, htobe, addr, val, bf_off, bf_len) \ *(type*)(addr) = \ htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | \ (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len)))) struct csum_inet { uint32_t acc; }; static void csum_inet_init(struct csum_inet* csum) { csum->acc = 0; } static void csum_inet_update(struct csum_inet* csum, const uint8_t* data, size_t length) { if (length == 0) return; size_t i; for (i = 0; i < length - 1; i += 2) csum->acc += *(uint16_t*)&data[i]; if (length & 1) csum->acc += (uint16_t)data[length - 1]; while (csum->acc > 0xffff) csum->acc = (csum->acc & 0xffff) + (csum->acc >> 16); } static uint16_t csum_inet_digest(struct csum_inet* csum) { return ~csum->acc; } typedef struct { int state; } event_t; static void event_init(event_t* ev) { ev->state = 0; } static void event_reset(event_t* ev) { ev->state = 0; } 
// Mark ev as set and wake a futex waiter. Setting an event that is already
// set is treated as a harness bug and terminates the process.
static void event_set(event_t* ev)
{
  if (ev->state)
    exit(1);
  __atomic_store_n(&ev->state, 1, __ATOMIC_RELEASE);
  syscall(SYS_futex, &ev->state, FUTEX_WAKE | FUTEX_PRIVATE_FLAG);
}

// Block on the futex until ev->state becomes nonzero.
static void event_wait(event_t* ev)
{
  while (!__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE))
    syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, 0);
}

// Non-blocking query of the event state.
static int event_isset(event_t* ev)
{
  return __atomic_load_n(&ev->state, __ATOMIC_ACQUIRE);
}

// Wait up to timeout milliseconds for ev to be set. Returns 1 if it was set,
// 0 on timeout. The remaining budget is recomputed from the clock after every
// futex return, so an early wake-up does not restart the timeout.
static int event_timedwait(event_t* ev, uint64_t timeout)
{
  uint64_t start = current_time_ms();
  uint64_t now = start;
  for (;;) {
    uint64_t remain = timeout - (now - start);
    struct timespec ts;
    ts.tv_sec = remain / 1000;
    ts.tv_nsec = (remain % 1000) * 1000 * 1000;
    syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, &ts);
    if (__atomic_load_n(&ev->state, __ATOMIC_RELAXED))
      return 1;
    now = current_time_ms();
    if (now - start > timeout)
      return 0;
  }
}

// socket(2) issued through the raw syscall interface; returns the fd or -1.
static long syz_init_net_socket(long domain, long type, long proto)
{
  return syscall(__NR_socket, domain, type, proto);
}

#define FS_IOC_SETFLAGS _IOW('f', 2, long)

// Recursively delete dir. Mounts found at or below dir are detached first,
// an EPERM on unlink/rmdir is answered by clearing the inode flags through
// FS_IOC_SETFLAGS, EBUSY by another umount2, and an ENOTEMPTY on the final
// rmdir restarts the whole pass (up to 100 times). Any other failure exits.
static void remove_dir(const char* dir)
{
  DIR* dp;
  struct dirent* ep;
  int iter = 0;
retry:
  while (umount2(dir, MNT_DETACH) == 0) {
  }
  dp = opendir(dir);
  if (dp == NULL) {
    // Both branches exit(1); the EMFILE check only survives from a version
    // that logged the distinction.
    if (errno == EMFILE) {
      exit(1);
    }
    exit(1);
  }
  while ((ep = readdir(dp))) {
    if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0)
      continue;
    char filename[FILENAME_MAX];
    snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name);
    while (umount2(filename, MNT_DETACH) == 0) {
    }
    struct stat st;
    if (lstat(filename, &st))
      exit(1);
    if (S_ISDIR(st.st_mode)) {
      remove_dir(filename);
      continue;
    }
    int i;
    for (i = 0;; i++) {
      if (unlink(filename) == 0)
        break;
      if (errno == EPERM) {
        int fd = open(filename, O_RDONLY);
        if (fd != -1) {
          long flags = 0;
          // NOTE(review): close(fd) is the body of the if, so the descriptor
          // is only closed when the ioctl succeeds; a failing ioctl leaks fd
          // on every retry of this loop.
          if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0)
            close(fd);
          continue;
        }
      }
      if (errno == EROFS) {
        break;
      }
      if (errno != EBUSY || i > 100)
        exit(1);
      if (umount2(filename, MNT_DETACH))
        exit(1);
    }
  }
  closedir(dp);
  int i;
  for (i = 0;; i++) {
    if (rmdir(dir) == 0)
      break;
    if (i < 100) {
      if (errno == EPERM) {
        int fd = open(dir, O_RDONLY);
        if (fd != -1) {
          long flags = 0;
          // NOTE(review): same conditional close as above; fd leaks when the
          // ioctl fails.
          if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0)
            close(fd);
          continue;
        }
      }
      if (errno == EROFS) {
        break;
      }
      if (errno == EBUSY) {
        if (umount2(dir, MNT_DETACH))
          exit(1);
        continue;
      }
      if (errno == ENOTEMPTY) {
        if (iter < 100) {
          iter++;
          goto retry;
        }
      }
    }
    exit(1);
  }
}

// SIGKILL the child's process group and the child itself, then reap it.
// If it has not been reaped after ~100 ms, every FUSE connection under
// /sys/fs/fuse/connections is aborted (a stuck FUSE server would otherwise
// keep the child unkillable), after which the wait blocks until the child
// is gone. status receives the waitpid status.
static void kill_and_wait(int pid, int* status)
{
  kill(-pid, SIGKILL);
  kill(pid, SIGKILL);
  int i;
  for (i = 0; i < 100; i++) {
    if (waitpid(-1, status, WNOHANG | __WALL) == pid)
      return;
    usleep(1000);
  }
  DIR* dir = opendir("/sys/fs/fuse/connections");
  if (dir) {
    for (;;) {
      struct dirent* ent = readdir(dir);
      if (!ent)
        break;
      if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
        continue;
      char abort[300];
      snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort", ent->d_name);
      int fd = open(abort, O_WRONLY);
      if (fd == -1) {
        continue;
      }
      // The byte written is just the first character of the path; the abort
      // file presumably reacts to any write, so the content does not matter.
      if (write(fd, abort, 1) < 0) {
      }
      close(fd);
    }
    closedir(dir);
  } else {
  }
  while (waitpid(-1, status, __WALL) != pid) {
  }
}

#define SYZ_HAVE_SETUP_TEST 1
// Per-child setup: die with the parent, and become a process group leader so
// kill_and_wait can signal the whole group.
static void setup_test()
{
  prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
  setpgrp();
}

#define SYZ_HAVE_RESET_TEST 1
// Per-child teardown: close descriptors 3..29, the range the program may
// have opened.
static void reset_test()
{
  int fd;
  for (fd = 3; fd < 30; fd++)
    close(fd);
}

// One worker thread slot: whether its thread has been started, the index of
// the call it was handed, and the two hand-shake events.
struct thread_t {
  int created, call;
  event_t ready, done;
};

static struct thread_t threads[16];
static void execute_call(int call);
// Number of calls currently executing across all workers.
static int running;

// Worker loop: wait for a call to be handed over, run it, publish completion.
static void* thr(void* arg)
{
  struct thread_t* th = (struct thread_t*)arg;
  for (;;) {
    event_wait(&th->ready);
    event_reset(&th->ready);
    execute_call(th->call);
    __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED);
    event_set(&th->done);
  }
  return 0;
}

// Run the 25-call program twice. In the first pass every call is handed to
// the first idle worker and waited for (up to 45 ms). In the second
// ("collide") pass even-numbered calls are dispatched without waiting, so
// they overlap with the following call. Workers are started lazily.
static void execute_one(void)
{
  int i, call, thread;
  int collide = 0;
again:
  for (call = 0; call < 25; call++) {
    for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) {
      struct thread_t* th = &threads[thread];
      if (!th->created) {
        th->created = 1;
        event_init(&th->ready);
        event_init(&th->done);
        event_set(&th->done);
        thread_start(thr, th);
      }
      if (!event_isset(&th->done))
        continue;
      event_reset(&th->done);
      th->call = call;
      __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED);
      event_set(&th->ready);
      if (collide && (call % 2) == 0)
        break;
      event_timedwait(&th->done, 45);
      break;
    }
  }
  // Give in-flight calls up to ~100 ms to drain before the next pass / exit.
  for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++)
    sleep_ms(1);
  if (!collide) {
    collide = 1;
    goto again;
  }
}

static void execute_one(void);

#define WAIT_FLAGS __WALL

// Driver: forever, create ./<iter>, fork a child that runs the program inside
// it, give the child 5 s, kill it if it overruns, and remove the directory.
static void loop(void)
{
  int iter;
  for (iter = 0;; iter++) {
    char cwdbuf[32];
    sprintf(cwdbuf, "./%d", iter);
    if (mkdir(cwdbuf, 0777))
      exit(1);
    int pid = fork();
    if (pid < 0)
      exit(1);
    if (pid == 0) {
      if (chdir(cwdbuf))
        exit(1);
      setup_test();
      execute_one();
      reset_test();
      exit(0);
    }
    int status = 0;
    uint64_t start = current_time_ms();
    for (;;) {
      if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
        break;
      sleep_ms(1);
      if (current_time_ms() - start < 5 * 1000)
        continue;
      kill_and_wait(pid, &status);
      break;
    }
    remove_dir(cwdbuf);
  }
}

// Result slots for socket calls whose fd later calls reuse; all-ones (-1)
// until a call succeeds.
uint64_t r[4] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff};

// The generated syscall program, one case per call index 0..24. Addresses in
// 0x20000000.. refer to the anonymous mapping set up in main(). Declared
// static above, so this definition has internal linkage despite the missing
// keyword here.
void execute_call(int call)
{
  long res;
  switch (call) {
  case 0:
    // domain 0xb looks like AF_ROSE (the "rose0" name used next is consistent
    // with that); the fd is kept in r[0].
    res = syz_init_net_socket(0xb, 5, 0);
    if (res != -1)
      r[0] = res;
    break;
  case 1:
    memcpy((void*)0x20000080, "rose0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", 16);
    *(uint16_t*)0x20000090 = 0x1f;
    *(uint8_t*)0x20000092 = 0;
    *(uint8_t*)0x20000093 = 0;
    *(uint8_t*)0x20000094 = 0;
    *(uint8_t*)0x20000095 = 0;
    *(uint8_t*)0x20000096 = 0;
    *(uint8_t*)0x20000097 = 0;
    *(uint8_t*)0x20000098 = 0;
    // ioctl on the r[0] socket with an ifreq-shaped buffer (name + 16-bit field).
    syscall(__NR_ioctl, r[0], 0x8914, 0x20000080);
    break;
  case 2:
    // Calls 2, 3, 5, 9, 17, 18, 20, 21, 22 pass fd -1 and can only fail.
    syscall(__NR_bind, -1, 0, 0);
    break;
  case 3:
    syscall(__NR_setsockopt, -1, 0x10f, 0x86);
    break;
  case 4:
    syz_init_net_socket(3, 3, 0xcf);
    break;
  case 5:
    syscall(__NR_setsockopt, -1, 4, 9, 0, 0);
    break;
  case 6:
    syz_init_net_socket(0xb, 5, 0);
    break;
  case 7:
    res = syz_init_net_socket(0xb, 5, 0);
    if (res != -1)
      r[1] = res;
    break;
  case 8:
    syscall(__NR_ioctl, r[1], 0x5411, 0);
    break;
  case 9:
    syscall(__NR_getsockopt, -1, 0x103, 4, 0, 0);
    break;
  case 10:
    // type has bits set far above the SOCK_* range; whether the kernel masks
    // or rejects them decides if r[2] is ever valid.
    res = syscall(__NR_socket, 2, 0x4000000000000001, 0);
    if (res != -1)
      r[2] = res;
    break;
  case 11:
    *(uint32_t*)0x200000c0 = 0x74;
    syscall(__NR_setsockopt, r[2], 6, 0x80000000000002, 0x200000c0, 4);
    break;
  case 12:
    syscall(__NR_bind, r[2], 0, 0);
    break;
  case 13:
    syscall(__NR_sendto, r[2], 0, 0, 0x200007fd, 0, 0);
    break;
  case 14:
    // 4096 bytes of fuzzer-generated option data, handed to setsockopt on
    // fd -1 below, so the kernel never reads it.
    memcpy(
        (void*)0x20000040,
        "\xc8\xe5\x02\x88\x95\x9d\x7b\x2f\xfc\x38\xd3\x16\x38\xd1\xa2\xb1\x10"
        "\xb7\x93\xad\x8e\x66\xd2\xc1\x2b\x18\x63\x34\x45\x3e\xea\x9f\xf5\x97"
        "\x4b\x22\x48\xe9\x25\x57\xd5\xcb\x33\x69\x7b\x8b\x6d\x93\xac\xe4\xc2"
        "\xfe\x40\x62\xd6\xc0\xf2\x60\x09\x7c\x81\x9a\xb6\x8d\x7d\x4e\xd4\x96"
        "\x6a\x30\x42\xb6\x1e\x09\xa7\x75\x92\xd7\x06\x9a\x39\x7c\xd3\x20\xd9"
        "\xff\xb5\xd1\x62\x19\x57\xe5\xc0\x17\xd4\xe6\xac\x86\x04\x7b\x61\xcf"
        "\xd1\x29\x5f\x93\xb5\x5d\xaa\x6f\x71\xdb\x18\x01\x18\x19\x26\xb6\x57"
        "\x09\x1d\x1c\x7f\x91\xfa\xa9\x81\xe3\xef\x41\x02\x70\x53\x3e\x36\x48"
        "\xce\xbc\xe2\x78\x49\x3d\x1f\xfd\xa6\x96\xa5\x7a\x78\xdc\xf8\x1f\x42"
        "\x5c\x33\x2d\x34\xfd\xd9\x56\x1d\x52\x69\xba\x95\x66\xc7\xc7\x10\x68"
        "\xa7\xec\xdf\x44\x51\xc7\x31\x34\x17\xcf\x3a\xc6\xbd\x99\xc6\x40\x85"
        "\x5d\x1e\x24\x1a\x53\x4d\x9a\x21\x6f\x6a\x40\xb0\xcc\x21\x72\xc2\xbf"
        "\x1a\xb6\x64\x7a\xff\xf8\xd9\x76\x45\x9c\xa1\x5e\x69\xdb\xea\x7f\xf5"
        "\x1e\x2a\x76\x2a\x69\x53\xee\x64\x74\xb3\x66\x27\xcf\x5c\xbb\x9a\x83"
        "\x94\x17\x2c\x09\xae\x31\xd7\x52\xd0\x91\x9b\x81\x1d\x63\x45\x35\x46"
        "\x0c\x52\xee\x93\x13\xc4\x26\xca\x31\x25\xd4\x99\x0e\x3a\x08\xb2\x35"
        "\xa4\x51\x97\x46\xcf\xc9\x37\x55\xef\xf2\xf5\x41\xe0\x09\xf8\x08\x26"
        "\xa2\x7c\xb0\x8d\x22\x7e\x18\xf4\xbf\xee\x54\xb2\x0a\x1e\xf6\x41\xec"
        "\x10\xe0\x60\xb5\x20\xdd\x32\xa9\x36\xe4\x86\x83\x35\x21\x6c\xd5\xb1"
        "\xdc\x27\x6b\xe6\xa1\x6a\x06\x76\xfe\x88\xe5\x9c\x25\x8e\x08\xfe\x24"
        "\xf1\x7a\x46\xe1\x2a\x26\x9e\x57\xcf\x09\x49\x1e\x56\x77\xda\x26\xbc"
        "\xf7\xa4\xe4\xa9\xfc\x6c\xfc\x56\x79\xe2\x6a\x21\x1d\xae\xaf\xbd\x8b"
        "\xc0\xcc\x50\x31\x05\xea\xf5\x13\x81\x56\x36\xab\x2f\x37\xd6\x08\x90"
        "\xb3\x05\x13\x2a\xb5\x55\xd9\x62\xac\x1e\x4e\xfc\x36\x79\xb3\x5c\x3e"
        "\x04\x99\x60\xe7\x83\xcd\xbe\xa4\x37\xc7\xde\xcd\x54\x31\x8c\x44\x72"
        "\xb1\x99\x82\x0f\x91\x9f\xcd\x40\x04\xfe\x5c\x3d\xc2\x32\xfe\x5f\x41"
        "\xf5\x70\xe8\x5b\xdc\xd5\xa7\xd7\xf8\xe4\x12\x98\x39\x32\x21\xa8\x02"
        "\xba\x8a\xe3\x32\x46\x0e\x20\xa5\x4b\x19\xd9\xfd\x1e\x3e\x72\xb6\x56"
        "\xcc\xd4\xee\xca\x04\x4e\xa9\xf4\xb7\x49\xe1\x27\xc2\xcb\xa6\xd1\xf3"
        "\xc7\x90\x27\x74\xc7\x08\xdf\x9c\xbc\x6b\x61\xd3\xd7\xbc\x3b\x3c\xf9"
        "\xf3\x17\x4d\x56\x58\xd3\xd7\xc3\xfa\x94\x8d\xb4\xa1\xc7\xa5\xf6\x84"
        "\xd8\xae\x7c\x02\x49\x3e\x41\x14\x26\x60\x05\x61\xfa\x87\x45\x2b\x69"
        "\x26\x0a\xf5\x30\x48\x58\x20\x83\xfd\xbb\xd5\xf1\x63\xa4\x89\xdd\xeb"
        "\x91\xca\x18\x56\x13\xe6\x0a\xf1\x69\xab\x4a\xa1\xd9\x5e\x01\xb7\x59"
        "\x1a\x08\xf3\x1f\x0a\xed\xeb\xc1\x4e\x59\xc6\x33\x7a\x1f\xcc\xe9\x60"
        "\x30\xd6\x80\xd4\x18\x7f\xb8\x7d\x58\x20\xf5\xdb\x64\x0a\x90\x90\x94"
        "\xc2\x6d\xa9\x43\x1a\xfd\x3d\xd7\x29\x71\xba\x5a\xd6\xea\x25\x68\x8d"
        "\x8e\xb8\xcf\xfc\x0c\x31\xb1\x3a\x40\x18\xd8\x01\x6c\x40\xf7\x99\xe2"
        "\xe3\x95\x98\x83\x9a\x81\x76\x63\xa6\x2e\x3a\xf9\xaa\x6f\x99\xad\xc9"
        "\x83\x13\x0e\x8f\xab\x50\x0b\x67\xdf\xfb\xf3\xe4\x66\x67\xbc\x6a\x7b"
        "\x47\xac\x0f\xf2\xbe\x89\x68\xf8\x20\x0b\xe7\xb8\xcd\x0a\x02\xee\x5d"
        "\xc9\x96\x59\x9a\xe4\x77\x4b\x54\x44\x80\x60\x2c\x0e\xec\x91\x92\x14"
        "\x9f\xa0\xdf\x5a\x37\xf4\xd6\xc0\xf0\x1f\x9a\x6a\xa1\x56\x4e\xa0\x39"
        "\xfd\x64\x0c\xc6\x22\x88\x11\x90\xf9\x89\x50\x22\xcb\xda\x20\xea\xff"
        "\x93\xec\xd2\x94\x61\xaa\xc9\x22\xd1\xaf\x68\x24\x83\xf5\xf9\xdb\xcf"
        "\xcc\x1e\xae\x79\xde\x81\x9d\x46\x63\x84\x7b\xca\x7a\xc3\x9c\x7f\x8d"
        "\xc0\x25\x4c\x64\x26\x93\x99\x95\x5d\xc1\xd5\x13\x11\xc0\xeb\xc0\x4a"
        "\xd2\x72\xd0\xeb\x6c\x89\xef\x0e\x35\x99\x22\xc4\x7b\xb1\xeb\xbf\x2a"
        "\x61\x00\x81\x3a\xcc\xea\xb6\x89\x5e\xe7\x3a\xca\x0f\x8d\x1a\xb4\x47"
        "\x3e\x7f\x2e\x8c\x0a\x7a\x0d\xd9\x4e\x25\x46\xce\x35\xf0\x8a\x0b\x66"
        "\x8b\xf2\x5b\xc4\xb0\xa6\x6e\x09\x24\x93\x8f\x0c\x3f\xcc\x0e\x60\xfd"
        "\x25\x57\xa1\xb1\xfa\xec\x18\xc6\xb8\x61\xd2\x2b\x7f\xb5\xa1\xd7\x5f"
        "\x5e\xf9\xc3\x99\x36\x0f\x3f\x1d\xe1\x21\x79\xe1\xfd\x53\x9a\xb2\x8b"
        "\x0b\xa6\xad\x8f\xeb\x61\xe4\xbc\x58\x37\x5a\xc4\x12\x4d\xa0\xac\xb9"
        "\xc0\x15\x3f\xcf\x68\x20\x04\xab\x84\x13\x04\xeb\xd5\xd2\xda\x80\x4e"
        "\x33\x89\x8a\x0d\x18\x91\xec\x31\xf5\xe7\xfa\x18\xd6\xe0\xae\x9d\x94"
        "\xa1\xe6\x04\xde\xfc\x08\xa8\xbe\x70\xfa\x31\xa3\xaf\x71\xef\xac\xeb"
        "\xc9\xc6\xec\xd3\x7d\x4e\x99\x69\x02\xf4\x3d\xeb\xec\xdb\x3c\xc3\x98"
        "\xff\x95\xb3\x61\xb0\x6d\xa0\x05\xf8\xc7\x28\x2a\x1d\xa7\x69\x79\x55"
        "\x8f\xd6\xc6\xb8\xe5\x70\x84\x48\x0a\xac\xe6\x8e\x27\x65\x3b\x08\x6d"
        "\xcd\x52\x91\x0a\x5c\x3f\x77\x1e\x54\x5d\xf4\xda\xd5\x1d\x78\x09\x6c"
        "\x6e\x9a\x5e\xb2\x78\x3a\xbe\x60\x79\x62\xe3\xbc\xc0\xeb\xab\xf8\x5c"
        "\x62\x68\xfc\x45\x48\x38\x2b\xd2\xc7\x7e\x69\xd8\xce\x9c\xa3\x1e\x07"
        "\x59\xf3\x18\x1b\x05\x46\x87\x0e\x4c\xa7\x4f\x79\x91\x50\x9f\xb6\xc3"
        "\x79\x0b\xf5\x38\x83\xad\x12\x79\x55\x05\xb9\x2d\x92\xa0\xb5\x8f\x7b"
        "\x4f\x1e\x1c\xeb\xf8\x6b\x4d\xe5\x96\x89\x61\x3f\xc1\x4d\x3e\xe1\x64"
        "\x39\x63\xb6\x55\x59\x3e\x5a\x10\xd0\xca\x8a\x14\xe5\xee\x48\x11\xa9"
        "\x3b\x66\x6b\xc8\x11\xff\x4d\x13\x4e\xfd\x8c\x3b\x51\x8a\xaa\xd1\x20"
        "\xb7\x7f\x7d\xc0\x54\x0b\x01\xa2\xc1\x6a\xfe\x64\x72\xc8\x6c\xf1\xc5"
        "\x71\x16\x97\x17\x3b\x35\x02\xbd\x1a\x5a\xee\xb3\xdf\x1a\x40\xbf\xb6"
        "\xa7\xac\xd6\x8d\x28\x2e\x54\x7e\xca\x51\xfc\x64\x1c\xac\x52\xaf\x98"
        "\xce\xec\x06\xe3\x2e\x0d\x6c\x51\x3b\x85\x77\x8e\xda\x44\x8a\xf1\xb7"
        "\x91\xdf\xbe\x2d\x50\xb6\x63\x7f\xa9\x95\x63\xbf\x31\x68\x41\xeb\xb9"
        "\x1c\x7b\x00\x2d\xec\x55\x4f\x06\xa9\xf9\x8d\x20\xcf\x82\x74\xc0\x5d"
        "\x19\x75\xf8\x5a\x8f\xea\x67\x4b\x75\x91\x74\xf1\xad\x30\xb6\xf9\x25"
        "\xa5\x9b\x3d\xa6\xb4\xd8\x55\xea\xaf\xc6\x16\x61\xd6\xd3\x74\x2e\xc7"
        "\xf7\x35\x4b\xb1\x15\x44\xf7\x44\x28\x57\x4c\x52\xa4\x6b\x77\x13\xed"
        "\xe4\xba\xee\xa3\x32\xd8\x66\xcd\x4c\x0a\xf4\xf8\x5b\x60\xca\x05\x2f"
        "\x50\x38\x29\xec\x64\xe2\xa2\xcd\x29\x16\x1f\xa3\xd5\x32\xa8\x69\x40"
        "\x8f\x6b\x83\x12\xa5\x55\x69\x52\xe9\x6d\x91\x4f\x0d\x7e\x22\x34\x17"
        "\x6d\x42\x2d\xc6\xe8\xec\xd1\x96\x6f\x4e\xe1\x88\xfa\xb0\x4f\x2f\x6e"
        "\xfc\xec\x65\x7f\x6f\x73\x36\xc8\xa9\x33\x09\xee\x00\xe6\x99\xa2\x07"
        "\xf7\xd3\xf8\x13\x16\x2f\x52\x6c\xd1\xbb\x8b\xd4\xe7\x57\xbe\x34\x7d"
        "\x33\x2a\x74\xa0\x62\x34\xc3\xc9\xc4\x39\xbc\xb7\x9c\x52\x0b\xe5\x9e"
        "\x0a\x6e\x08\xdb\xa8\x8e\xd5\x11\x30\xdc\x1e\x45\xa3\xf2\xf7\xf9\xfb"
        "\x3f\x7f\xf0\xe6\x3c\x81\x03\x38\xae\xa5\x65\x54\x3e\xd2\x75\x05\x70"
        "\x5c\x16\xb5\xfb\x21\xb8\x3b\x93\x4b\xd9\xb1\xf9\x8a\x73\x4d\x03\xa9"
        "\x84\xe6\xb2\xbe\x44\x00\x38\xec\x06\xdd\x5c\xd7\xed\xd4\x07\x23\x27"
        "\xc7\xd1\xfc\x9f\x4e\xc9\x98\x61\xd2\x43\x47\xef\xca\xd8\x15\xd0\xd7"
        "\x1a\x00\x38\x59\x64\x46\x1a\x62\x53\x4a\xa5\x47\xe0\xe4\xc2\x43\x28"
        "\x7e\x1e\x21\x7c\x6d\x93\xd6\x3c\x1d\x50\x12\xc3\x25\x37\xbb\xc4\x11"
        "\xb6\x91\xcc\x32\x8e\xae\xf1\x2c\xcb\x5e\x64\xab\x03\xbc\xd8\x53\x2a"
        "\xd0\x9f\xf4\xbb\xac\x47\xe8\xa6\xb6\x17\x03\x37\x1b\x6a\x58\x4a\x90"
        "\x3b\x7d\x24\xf1\x97\x70\xc4\x53\xa9\x88\xcd\x8d\xf8\xf0\x14\x2c\xb6"
        "\x9d\xf1\x3e\x21\xb3\x8c\x0d\xbf\x74\x92\x8f\x74\x32\xab\xf9\x61\x4e"
        "\xb0\x14\xb3\x8e\xbf\x8c\xe4\x90\xb8\x24\x76\xff\x1d\x5f\x0f\x2c\x91"
        "\x56\xe5\x60\x81\x24\xdc\xc6\xa7\xb3\xe7\x57\x4e\xf7\x95\x0e\x02\xa7"
        "\xa9\xbb\x4c\xde\xe2\x53\x30\xf6\xb3\x54\x2b\x66\x51\x69\xe2\xde\xeb"
        "\x3f\x22\xa5\xc0\x92\x80\x07\x20\x09\x74\xd9\x92\x2d\xda\x6f\xda\x3a"
        "\xc4\xba\x39\xc1\x48\xb2\xad\x55\x19\x64\xf0\x80\x31\xa8\x47\x44\x68"
        "\x4c\x1c\xe7\x5e\xe1\x61\xbb\x67\xb2\xe5\x6b\x99\x95\xc2\x0f\xe2\xf1"
        "\x67\x8d\x64\x87\x70\x9e\xc1\xc5\x85\xec\x86\xc9\x8d\xa2\x89\xcb\x5e"
        "\xaf\xb7\x27\x85\xc5\xab\xcc\x20\x82\x94\xea\x5b\x35\xf0\xde\x16\x15"
        "\xa8\xd2\xfa\x00\xbc\xd1\x3b\x8a\x76\xb1\xaf\x7c\x8e\x6c\x51\xc8\x77"
        "\x32\xc8\x73\xbd\x0a\x4d\x2e\x0a\x29\x3f\x35\x0d\x60\xe1\x70\x2c\x0c"
        "\x0d\x1d\xbe\x52\xb3\x53\xf9\xfa\x7c\x93\x09\x5c\xee\x8c\xbb\x50\x6c"
        "\x57\xd2\x9d\xec\xcd\x6a\xf8\xf3\xe8\x6f\xff\xaa\x91\x11\x3d\x9e\xf2"
        "\x1f\x23\xe3\x08\xb8\x06\x3d\xcc\x70\x55\x4f\x1c\x3d\xe2\x7b\x05\xa3"
        "\xe1\x33\x1e\x9d\x51\x10\x06\x1a\x0e\xf7\x03\xbd\x54\x97\x6b\x85\x37"
        "\xe6\x8b\x83\xcd\xea\x25\x90\x93\xd6\x1d\x49\x2b\xa7\x6e\xe9\x6e\xbc"
        "\xa1\x04\x3c\xb4\xb3\x28\x7e\xba\xf0\x2b\x8c\xb4\x1a\xce\xe9\xa0\x16"
        "\x27\x05\xff\x63\x55\xd6\xed\xba\x64\x2c\x52\x3d\xf6\x52\xaa\xc0\x42"
        "\xd6\x4e\x29\x89\xd8\x71\x2e\x6b\x12\x2b\xfb\x44\x32\xb1\x83\xb2\x34"
        "\x80\x10\x88\x99\xe9\xd7\x4b\x8c\x57\x7e\x5a\x5a\xb6\x8a\x93\xcf\x43"
        "\xce\xe2\xef\xcf\xd6\xb1\x24\xdc\x53\xb1\xde\x1a\x22\x98\x5e\x82\x7f"
        "\x90\x2e\x0c\x22\x2f\xd9\x01\xba\xd3\x3c\x99\x07\xee\x73\xd5\x0e\x2c"
        "\x54\x1d\xb2\x56\xac\xc2\xea\xb6\x18\x01\x15\xda\x96\x81\x27\x8e\x51"
        "\x65\x9d\x55\x0d\xba\x79\x8d\xc2\xab\x1f\x8f\x8e\xc1\x60\x9a\x9c\xe2"
        "\x8d\x01\x24\xf8\x40\x50\x80\xb4\x77\x40\xc8\x68\x8e\x60\x65\x7f\x79"
        "\x49\x6c\x9c\xbe\x3a\x79\x88\xd8\xdd\x81\x97\x4d\x86\xfd\x75\x2d\x70"
        "\x06\x08\xd9\xa3\x99\x28\x93\xd2\xfd\x20\x38\x30\x4c\xdf\xd1\x56\x69"
        "\x8d\x10\x55\x6c\xf8\x19\xa8\x38\xcc\xf2\x99\x7a\xb9\x05\x42\xb6\x71"
        "\x24\x92\x66\xe8\xc5\x7f\x64\x82\x67\x36\x73\xa9\x2f\x78\xc4\xfc\xe2"
        "\xf3\x58\x0f\xe9\xe5\x14\xdd\x2b\xa0\x77\x79\x76\xe4\x0e\xde\x1a\x54"
        "\x6d\x79\x95\xf1\xe1\x98\xff\xd1\xf3\x24\xc8\xdb\xd7\x55\xcf\xc4\xea"
        "\x7d\x00\xed\xd6\x17\x90\x6c\x71\x78\x98\x60\x72\xaa\xc5\x8f\x65\xdc"
        "\x50\x77\x40\x59\x04\xc5\xeb\xa3\xf2\xab\xf0\x9d\x6a\xac\x9a\x1c\x2f"
        "\xc5\x19\x32\xca\xc1\xb9\x81\xf0\x77\x3d\x80\x7d\x0d\x96\x47\x66\x6d"
        "\x8a\xbe\xf5\xdf\xa1\xdc\xa9\x4a\xd6\x6a\x76\x8c\x80\xb0\xd5\x75\x49"
        "\xa5\x45\x63\x31\x22\xb7\x64\x44\x7d\x6b\xaa\x11\xf8\xa7\xc8\xb5\x83"
        "\xcf\xdb\xa1\x64\x62\x65\x26\x57\x88\x4d\x13\x2d\xca\x36\x4c\xec\x41"
        "\x0b\x74\xbe\xc5\x46\xa5\xd8\x1e\x1a\xe2\x69\x2a\x5e\xd3\xd4\x57\x32"
        "\x09\x1b\xc5\x66\x3e\x04\x10\xe1\x4b\x27\x03\xbc\x83\x51\xce\x06\x71"
        "\xa4\x95\x94\x09\x62\xe6\xdf\xde\x2b\x8e\xfe\x7b\xce\xe3\x06\x5b\x2f"
        "\x62\x95\x22\x2d\x6c\x1a\xe3\xae\x8e\xe7\x1a\x02\x2d\x48\x99\x26\xc7"
        "\x2b\xf7\xc1\xb5\x23\x2a\xf9\xb9\x81\x24\xc5\xff\x99\xa3\xe4\xd3\x0e"
        "\xd2\xc1\x70\x8c\x89\x05\xc2\x28\x94\x0c\x03\x2a\x97\xd9\x44\x58\xc7"
        "\x08\x4f\xd6\xdb\x59\x7e\xe2\x36\xdb\x55\xbe\xf8\x2a\x70\x2c\xc7\x7c"
        "\x1c\xf1\xb2\xe8\x7d\xb0\xda\x99\x73\x46\x4d\x88\x52\x02\x72\xc5\xb9"
        "\xb3\x2f\xe3\x85\x9b\x94\x91\x6c\x97\xf1\x3f\xf1\xa9\xac\x82\x9c\x24"
        "\xa2\x9b\x84\xbe\x30\x16\xa5\x5f\xb2\x63\x51\xd4\xe8\xf5\x13\x22\x78"
        "\x3d\x77\xfa\x6a\x6a\x21\xec\x5b\xfe\x33\xe8\xcc\xc9\x7d\x63\x7b\x33"
        "\x47\x48\x6b\x29\xc9\x04\x70\x7d\xb4\x30\x49\xe2\xbd\x8d\x8f\xa2\xd4"
        "\x35\x02\xe5\xa2\x20\x10\xd6\xbe\xd2\xf2\x42\x23\x5e\x41\xb5\xe5\xb7"
        "\x7d\x90\xd9\x04\xd7\xa5\x99\xfd\xe2\x42\xf0\xad\x72\x0c\x34\xa3\x5f"
        "\x6f\x35\xd9\x3a\x4f\x6b\xe3\x0b\xb2\x66\xda\x66\xb2\xfc\xe4\x7d\x68"
        "\xac\x4d\x96\x91\x90\xee\x1a\x40\x25\x72\xed\x2a\x55\xd0\x35\xaf\x41"
        "\x17\xf9\x2e\x23\xf1\x99\xe2\xcf\x71\xc5\xa3\xab\x00\xad\xfc\x5d\x30"
        "\xa3\x38\x87\xd7\x91\x39\x49\x43\x93\xce\xd9\x38\x3d\x93\xda\x68\xef"
        "\x48\xf0\x22\xec\x87\xbd\x41\x96\x68\xbf\x5e\x41\x4a\xb0\xd3\xd6\x31"
        "\xe0\x86\x72\x76\xdf\x4b\x34\x05\x47\xec\x69\x9a\x93\x5b\x55\xbb\x56"
        "\xa1\x2d\xb2\x95\xf2\xbc\x32\xe7\x2d\x56\x32\xf2\x54\xb7\x55\x3b\x80"
        "\xd0\xbd\x77\x88\x8d\x9e\xdf\x59\xaa\xbc\x9b\x54\x8f\x35\x2f\x51\x13"
        "\x41\x96\x11\x82\xfa\xe9\x0d\xa4\x97\x75\xf2\xa0\x86\x2c\x94\x24\x08"
        "\xcd\x9d\xa5\x2a\x29\x45\x18\x68\xf9\xd9\xc5\xc6\xd2\xbe\x9e\x31\x00"
        "\x32\x3c\x07\xc0\x06\x32\xe2\x17\x69\x0c\x1e\xaf\xf7\xb1\x86\x25\x36"
        "\x4d\x35\x6e\x82\xdf\x69\x47\xf2\x3f\x83\xba\xbb\x62\xf9\x4a\x80\x1a"
        "\x91\xe5\xb0\xc7\x5d\x04\x9c\xa6\x61\x40\xea\x59\xf1\x5b\xe4\x4c\x40"
        "\xb2\xab\xcb\xd2\x5f\x3c\xae\x9f\xf5\x79\x2c\x2c\xd5\x15\x9d\x79\x88"
        "\xe8\x13\x2d\x85\x19\x99\x87\xba\xcd\xb1\x0d\x97\x90\xd8\xd7\xa6\xc6"
        "\x50\x7c\x61\xcc\x28\x9f\x80\x71\x53\xb2\x07\xda\x2b\x72\xf9\x0b\xbb"
        "\xf0\xdb\xa7\x51\xd2\xaf\xdd\x8d\xd1\x41\xcb\xb7\xb6\x2a\x3c\x3e\x82"
        "\x2e\x98\xf1\x88\x3d\x80\x8c\x85\xed\xbf\x8e\x1c\xef\x6e\x02\xff\x70"
        "\xfb\x98\xe9\xa6\x60\x72\x16\xf0\x65\xb9\x2c\x11\x36\xbf\xa2\xdc\xff"
        "\x0d\x4c\x83\x5d\x42\x08\xc5\xc9\xf3\x69\x44\x22\xde\x82\xf6\x0c\x8a"
        "\xa7\xac\x34\x9f\x58\x32\xce\x39\x3e\x31\x74\xe2\x10\x25\x51\x38\x38"
        "\x97\x06\xdd\xfb\xc3\xf2\x78\xff\x3b\x93\xd8\xab\xa6\x07\x1a\x1a\x02"
        "\xfb\x79\x4c\xcc\x78\x5b\xe6\x91\xbb\x01\xae\x65\xfc\x70\x7c\xbb\x79"
        "\x84\xe1\x9e\xc2\xaf\x91\x5b\x62\xaa\x79\xc3\x0c\xf9\x25\xca\x39\xb3"
        "\xfa\x21\x74\x3d\x11\xf8\x64\xdb\x88\x9e\xd1\x21\x03\x1b\x4e\xc2\x91"
        "\x23\xb0\x4b\x34\x12\x43\x48\x45\xb0\x92\x00\x8d\xf1\xca\x80\x54\x54"
        "\x2a\x2b\xf6\x88\xe4\xcc\x32\x7b\xba\x4e\xe0\x2d\x82\xb9\x21\x12\xae"
        "\x3c\x10\x5e\x03\x8e\xe2\x93\xdf\xcc\x83\xdc\x81\xc3\xb1\xcf\x25\xda"
        "\x99\x74\x1b\x8b\x1d\x1b\xfc\xc6\x17\x8d\x08\x67\x76\xe3\x0e\xcd\xc9"
        "\xf0\x8c\x44\x3f\x18\xac\xc5\x00\xa1\x68\x3e\xe5\xe0\x05\xf8\x22\x14"
        "\x1d\x79\x7f\xc5\x77\x59\x8b\x31\x67\x4f\x4d\x32\x39\x2c\x5c\x95\xd7"
        "\xdd\xf6\xdc\x14\x30\x79\x74\x69\x66\x66\xd4\x7f\x17\xa2\x6d\x64\x76"
        "\xdc\xdd\x37\xa5\x85\xbb\x7c\xa6\x0b\x34\xbc\xff\xfe\xff\x95\x65\x07"
        "\x87\x9e\x15\xa6\xb8\x86\x63\x49\x13\x7c\x62\x62\x52\xf1\x53\xa5\x20"
        "\x81\xd2\x57\xbc\x98\xa3\x95\x75\x32\x1a\x9e\xe3\x8e\xc6\x99\xa6\xb4"
        "\xa4\xa7\x4a\x66\x9f\x32\xb5\x38\xd5\x27\x0c\xa3\x91\x13\x5c\x31\x5b"
        "\xf6\x8a\xb8\xe7\x05\x32\x99\x80\x35\x23\xaf\xdd\x8e\x5e\xbc\xe3\xc8"
        "\x26\xb1\x47\x03\x6d\xb1\x1c\xce\xd0\x70\x43\x1a\xc2\x9f\x36\x3d\x0c"
        "\x9b\xdd\x49\xbe\x92\x1c\x07\xe7\x3e\xb7\x5f\xdf\x09\x35\xf7\x54\x4d"
        "\xb3\xce\x24\x32\x91\x88\xca\x98\xf6\x85\xe1\xb3\x54\xea\x47\xb7\xc1"
        "\x71\x3b\xb7\xdd\xfc\x6f\x39\xae\x8b\x5b\x74\x02\x02\x8a\x8d\xc5\xa1"
        "\xdc\x58\xb6\x92\x20\x7c\xdd\xdb\xa1\x05\x4e\x56\x2e\x1e\x7c\x16\x46"
        "\x10\x5d\x13\x24\xdf\x17\xbf\x87\x33\x10\x89\x60\xfd\x3f\x31\xaa\xa0"
        "\x4d\x1b\x69\x08\xbf\x2a\x37\x22\x15\xfc\xd5\xf0\xc2\x59\xc2\x51\x1f"
        "\xc3\xa6\x18\xb2\x01\x10\xbc\x82\xf2\xac\xb1\x10\x34\x14\x88\x39\xf6"
        "\x0e\x09\xf4\x3e\x18\xde\x72\x98\xbf\x40\x9a\x3e\x18\x1d\x0c\xb8\x29"
        "\x47\xff\x91\xe9\xd2\x96\x08\x82\xe2\xee\x75\x84\x7f\x6f\x9a\xdf\x75"
        "\x40\x25\xe9\x1b\x98\xeb\x35\xd6\x62\xb1\xe7\xef\x11\xfd\x52\x35\xc1"
        "\x7a\x78\x83\x98\xe5\x70\x15\x6e\x02\xef\x80\xfd\xb1\xa9\xcb\x68\xc5"
        "\x43\x35\x3e\x0b\x1f\xe5\xb3\x39\x5f\xb0\xf5\xea\x4b\x66\x1f\xd9\xbe"
        "\xba\x09\x8c\x25\x6d\xa6\x3b\x26\x4e\x09\xc1\x65\x34\x0b\x28\x65\xcf"
        "\x54\x25\x19\x9d\x18\xa7\x0d\xe0\xab\xcf\x33\xc7\x94\x6d\xbb\xad\x04"
        "\x0a\xd4\x18\x89\x28\xd1\xe9\x50\xaa\x72\x61\x31\x0c\x26\x4f\x45\x20"
        "\x49\xb2\x36\x34\xc2\xfb\xce\x0b\x3c\xd3\x70\xb3\x15\x5b\x88\xdc\x9e"
        "\x7e\xb2\xce\xae\x77\xbe\x2d\x3d\xa6\xe1\x94\x5f\xec\x56\xb9\x55\x96"
        "\x55\x79\x98\x18\x9b\xd6\xab\xa8\x1b\xed\x91\x6c\x5a\x01\x1e\xe6\x0f"
        "\xf4\x3f\x74\xf6\x0f\x71\x52\x4a\xd4\xdd\x94\xac\x9a\x09\x68\x88\x88"
        "\x93\x55\x57\xf1\x26\xf9\x27\x83\xe3\xbb\x1f\x50\x51\xa8\x6b\x49\x8e"
        "\xa1\xf7\xee\xce\x26\x8e\x7d\xbc\xf7\xaf\xcb\x03\xe5\xdf\xde\xf4\x59"
        "\x32\xa8\x7e\x14\x82\x83\x37\x30\x47\xe0\x35\x89\xea\xe4\xce\xff\x63"
        "\x18\x28\x81\xa1\x51\xd2\x32\xbf\x9d\x41\x6e\x43\x33\xe5\x60\xbd\x4b"
        "\x39\x57\x4f\xa5\xd1\x18\x6b\x64\x62\x40\x94\xee\x69\x43\x13\x95\x9d"
        "\xf6\x7a\x7b\x4c\x37\xb2\xc3\x8b\x3b\x04\x01\x23\xc0\x8f\xcd\x9d\x6d"
        "\x58\xd3\x04\xb5\x9f\x74\x6d\xf8\x88\x32\xd7\xc1\x88\x85\x19\xde\x52"
        "\xdd\x76\x3e\x9a\x26\xed\xd7\x8c\x51\x10\xbc\x49\xee\x3e\xee\x0b\x81"
        "\x71\x09\x35\xe0\x73\x5d\xcb\x93\x3e\x58\xd2\x0a\x07\xc5\xe5\xe5\x51"
        "\x17\x45\x3a\xf4\x74\xbb\xd8\x74\x53\xaa\x9f\x98\x43\x2a\xe7\x3c\x96"
        "\x49\xc8\x8e\x7f\x04\xed\x26\x25\x83\x19\x34\xa9\xa4\x71\xa5\x60\x33"
        "\xbf\x87\x7b\x23\xbe\xe5\xd0\xe8\x50\x40\xd8\x68\xb8\xaa\x3c\xf5\xfd"
        "\xa7\xac\xfb\x49\xb0\x24\x5e\x21\xfd\x90\x78\x90\x35\xe7\xb2\x44\x75"
        "\x41\x14\x28\x00\xc8\x16\xa2\xbb\x04\x40\x88\x48\x03\x94\xa0\x1f\xf5"
        "\xc9\x0b\xb2\x6e\x40\xa8\x79\x3d\xbc\x77\x1e\xec\x63\xe4\xb9\x06\xec"
        "\x41\x8d\xbf\xaa\x19\xbe\x4f\xe1\xa9\x91\xc0\x5c\xd2\x4b\x50\x6b\xf6"
        "\x3a\xb0\x23\x28\x62\x69\x13\xea\x22\x19\xf9\x2b\xec\x2f\xf1\x29\xdb"
        "\xaa\xa9\xde\x2d\x86\x86\x6e\x86\xf1\xef\x03\x18\xb7\xb4\x03\x10\x86"
        "\xe2\xfc\x40\x74\x99\x63\x36\x8c\x1a\x8e\x97\xf7\xfa\x25\x9b\xab\xfc"
        "\xd3\x51\xd7\x0d\xfd\xc5\xd5\x34\x49\x2b\x06\x0f\x20\x8b\x9b\xf2\xdd"
        "\xc8\x17\x33\xf0\xab\x1f\x6f\x99\x83\xdf\x56\xda\xff\xc7\x57\x38\x75"
        "\xb5\xb6\x01\xae\x5c\xc1\x13\xc1\xca\x6c\xaf\xa1\x71\xdb\xf9\xd6\x5d"
        "\x98\x8f\xf6\x1a\xb2\x74\x65\x30\x52\x4a\x83\xf6\x85\x2f\x9e\xcc\xdf"
        "\x62\x99\xf8\x31\x46\xd8\xfe\x0b\xa0\xda\x49\xb2\x58\xf7\x32\x2c\x24"
        "\x5f\xe4\xa1\xf5\x20\x0d\x9c\xe3\xb0\x4b\x10\xfc\x52\x07\x56\xcf\xb7"
        "\xe8\x20\xc7\x1d\xe3\xe9\x3f\x57\xe4\xed\x8a\x14\xd9\x68\x14\x03\xd4"
        "\x81\x7e\x9f\xf0\x31\xeb\xdc\x37\x22\xd6\x4e\xf6\x23\x1d\xf4\x3e\x46"
        "\xa4\xd5\xf5\x7d\x12\x3e\xe3\x82\x91\x1c\xa8\x9d\xac\xee\xe9\x47\x15"
        "\xe3\x5b\xe5\x5b\xf9\xa6\x0f\xa9\x87\x1d\x6a\x36\x4a\x3e\x74\xd7\xb2"
        "\x1b\x7c\x3a\x76\x09\x89\x7b\xd6\xc7\x2c\xa5\x57\x9c\x28\xad\x3e\x38"
        "\x9c\xd7\xec\x5d\x3e\x73\x70\x0e\xab\x77\x25\x22\xf7\x37\xfc\x43\x2f"
        "\xbd\x2b\xde\x6a\x1c\x7b\xf0\x5b\x08\xf8\xd6\xe1\xa5\x84\x82\x85\x2d"
        "\xf1\x08\xbc\x60\xfb\xd2\x1d\x29\x45\xab\xf6\x97\xa9\x9f\xfd\x9f\xa1"
        "\x9a\xd8\xe6\x85\x0e\x1b\xe5\x5a\xdc\xab\x45\x9a\x6e\x30\x4c\x1c\xab"
        "\x5c\x8e\xa4\x5c\x61\x2a\xd0\x90\x8d\x39\x75\xa7\xeb\x39\x9a\x92\xbb"
        "\x6e\x25\x9c\xac\xea\x91\x71\x6f\x3d\xb1\xb3\x8e\xa2\x75\xe3\x8d\x19"
        "\xd7\xef\x9a\x16\xac\xca\x70\xc0\x41\xee\x29\xe4\x7c\xf7\xb5\x25\x5e"
        "\x04\x32\x72\xf9\x5e\x27\xc4\xf9\xa0\xa9\x61\x09\xd4\x19\x5a\x0d\x58"
        "\xe0\xcf\xc0\x3e\xfa\xe8\xfd\x4f\x14\x20\x4a\xe7\x0f\xad\xb1\x3f",
        4096);
    syscall(__NR_setsockopt, -1, 4, 9, 0x20000040, 0x1000);
    break;
  case 15:
    syscall(__NR_socket, 0x2b, 1, 0);
    break;
  case 16:
    // Builds a frame at 0x20000080: 6-byte destination and source MAC-like
    // fields, ethertype 0x86dd, then a header whose first byte is split into
    // two 4-bit fields, a 16-bit length of 0x14, next-header 0x33, two
    // 16-byte addresses, and a trailing 20-byte block. Nothing in this case
    // sends the frame; no syscall follows the stores.
    *(uint8_t*)0x20000080 = 0xaa;
    *(uint8_t*)0x20000081 = 0xaa;
    *(uint8_t*)0x20000082 = 0xaa;
    *(uint8_t*)0x20000083 = 0xaa;
    *(uint8_t*)0x20000084 = 0xaa;
    *(uint8_t*)0x20000085 = 0xaa;
    *(uint8_t*)0x20000086 = 0;
    *(uint8_t*)0x20000087 = 0;
    *(uint8_t*)0x20000088 = 0;
    *(uint8_t*)0x20000089 = 0;
    *(uint8_t*)0x2000008a = 0;
    *(uint8_t*)0x2000008b = 0;
    *(uint16_t*)0x2000008c = htobe16(0x86dd);
    STORE_BY_BITMASK(uint8_t, , 0x2000008e, 0, 0, 4);
    STORE_BY_BITMASK(uint8_t, , 0x2000008e, 6, 4, 4);
    memcpy((void*)0x2000008f, "\xbf\xd6\x1e", 3);
    *(uint16_t*)0x20000092 = htobe16(0x14);
    *(uint8_t*)0x20000094 = 0x33;
    *(uint8_t*)0x20000095 = 0;
    *(uint8_t*)0x20000096 = 0;
    *(uint8_t*)0x20000097 = 0;
    *(uint8_t*)0x20000098 = 0;
    *(uint8_t*)0x20000099 = 0;
    *(uint8_t*)0x2000009a = 0;
    *(uint8_t*)0x2000009b = 0;
    *(uint8_t*)0x2000009c = 0;
    *(uint8_t*)0x2000009d = 0;
    *(uint8_t*)0x2000009e = 0;
    *(uint8_t*)0x2000009f = 0;
    *(uint8_t*)0x200000a0 = -1;
    *(uint8_t*)0x200000a1 = -1;
    *(uint8_t*)0x200000a2 = 0xac;
    *(uint8_t*)0x200000a3 = 0x14;
    *(uint8_t*)0x200000a4 = 0x14;
    *(uint8_t*)0x200000a5 = 0xbb;
    *(uint8_t*)0x200000a6 = 0;
    *(uint8_t*)0x200000a7 = 0;
    *(uint8_t*)0x200000a8 = 0;
    *(uint8_t*)0x200000a9 = 0;
    *(uint8_t*)0x200000aa = 0;
    *(uint8_t*)0x200000ab = 0;
    *(uint8_t*)0x200000ac = 0;
    *(uint8_t*)0x200000ad = 0;
    *(uint8_t*)0x200000ae = 0;
    *(uint8_t*)0x200000af = 0;
    *(uint8_t*)0x200000b0 = 0;
    *(uint8_t*)0x200000b1 = 0;
    *(uint8_t*)0x200000b2 = 0;
    *(uint8_t*)0x200000b3 = 0;
    *(uint8_t*)0x200000b4 = 0;
    *(uint8_t*)0x200000b5 = 0;
    *(uint16_t*)0x200000b6 = htobe16(0);
    *(uint16_t*)0x200000b8 = htobe16(0);
    *(uint32_t*)0x200000ba = 0x41424344;
    *(uint32_t*)0x200000be = 0x41424344;
    STORE_BY_BITMASK(uint8_t, , 0x200000c2, 0, 0, 1);
    STORE_BY_BITMASK(uint8_t, , 0x200000c2, 0, 1, 3);
    STORE_BY_BITMASK(uint8_t, , 0x200000c2, 5, 4, 4);
    *(uint8_t*)0x200000c3 = 0;
    *(uint16_t*)0x200000c4 = htobe16(0);
    *(uint16_t*)0x200000c6 = htobe16(0);
    *(uint16_t*)0x200000c8 = htobe16(0);
    // Pseudo-header style checksum: two 16-byte blocks, a length word, a
    // protocol word, and the 20-byte payload; result stored at 0x200000c6.
    struct csum_inet csum_1;
    csum_inet_init(&csum_1);
    // NOTE(review): the two 16-byte blocks and the 20-byte block below are
    // read from address 0x0, not from the frame built above. main() maps only
    // 0x20000000.., so unless page zero happens to be mapped these reads
    // fault in the worker thread and take the whole child down before the
    // remaining calls run. Presumably generator output that lost its
    // addresses; the intended sources look like 0x20000095/0x200000a5/
    // 0x200000b6 — confirm against the original syzkaller program.
    csum_inet_update(&csum_1, (const uint8_t*)0x0, 16);
    csum_inet_update(&csum_1, (const uint8_t*)0x0, 16);
    uint32_t csum_1_chunk_2 = 0x14000000;
    csum_inet_update(&csum_1, (const uint8_t*)&csum_1_chunk_2, 4);
    uint32_t csum_1_chunk_3 = 0x6000000;
    csum_inet_update(&csum_1, (const uint8_t*)&csum_1_chunk_3, 4);
    csum_inet_update(&csum_1, (const uint8_t*)0x0, 20);
    *(uint16_t*)0x200000c6 = csum_inet_digest(&csum_1);
    break;
  case 17:
    syscall(__NR_getsockopt, -1, 6, 0x23, 0, 0);
    break;
  case 18:
    syscall(__NR_bind, -1, 0, 0);
    break;
  case 19:
    syz_init_net_socket(3, 3, 0);
    break;
  case 20:
    syscall(__NR_setsockopt, -1, 0x84, 0x14, 0, 0);
    break;
  case 21:
    memcpy((void*)0x20000040, "dctcp\x00", 6);
    syscall(__NR_setsockopt, -1, 6, 0xd, 0x20000040, 6);
    break;
  case 22:
    syscall(__NR_sendmsg, -1, 0, 0);
    break;
  case 23:
    res = syz_init_net_socket(6, 5, 0);
    if (res != -1)
      r[3] = res;
    break;
  case 24:
    syscall(__NR_getsockopt, r[3], 0x103, 4, 0, 0);
    break;
  }
}

// Entry point: map the 16 MiB scratch region at 0x20000000 that execute_call
// addresses directly (prot 3 = read|write, flags 0x32 = private|fixed|
// anonymous, no backing fd), move into a scratch directory, and run the
// driver loop forever.
int main(void)
{
  syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0);
  use_temporary_dir();
  loop();
  return 0;
}