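// https://syzkaller.appspot.com/bug?id=912f70e859dfffd2533b7cfcd2c71e0dd6f71e9d
// autogenerated by syzkaller (http://github.com/google/syzkaller)
//
// NOTE(review): this listing was collapsed onto a few physical lines, so the
// leading "//" comment swallowed the code after it, and every #include had
// lost its header name. The include list below is reconstructed from the
// identifiers the code uses; it may not match the generator's original list.
// Runs of consecutive single-byte zero stores in loop() are written as
// memset() calls over the same address ranges; every non-zero store, string
// literal and syscall argument is unchanged.
//
// Side effects visible in this file: creates a TAP device named "syz<id>",
// runs `sysctl` and `ip` through system() to change addresses and link state
// on that device and on a fixed list of existing devices, maps a fixed
// address range, and issues one getsockopt() and one setsockopt() call.

#define _GNU_SOURCE

#include <errno.h>
#include <fcntl.h>
#include <linux/if.h>
#include <linux/if_tun.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/syscall.h>
#include <unistd.h>

/*
 * Terminate the whole process with the given status.
 * The trailing loop only exists so the compiler accepts the noreturn
 * attribute even if exit_group were to return.
 */
__attribute__((noreturn)) static void doexit(int status)
{
  volatile unsigned i;
  syscall(__NR_exit_group, status);
  for (i = 0;; i++) {
  }
}

const int kFailStatus = 67;
const int kRetryStatus = 69;

/*
 * Print a printf-style message plus the errno value seen on entry, then exit.
 * ENOMEM and EAGAIN exit with kRetryStatus, anything else with kFailStatus.
 */
static void fail(const char* msg, ...)
{
  int e = errno; /* saved first: the stdio calls below may overwrite errno */
  va_list args;
  va_start(args, msg);
  vfprintf(stderr, msg, args);
  va_end(args);
  fprintf(stderr, " (errno %d)\n", e);
  doexit((e == ENOMEM || e == EAGAIN) ? kRetryStatus : kFailStatus);
}

/*
 * vsnprintf() that treats both a formatting error and truncation as fatal,
 * so on return `str` always holds the complete, NUL-terminated result.
 */
static void vsnprintf_check(char* str, size_t size, const char* format,
                            va_list args)
{
  int rv;

  rv = vsnprintf(str, size, format, args);
  if (rv < 0)
    fail("tun: snprintf failed");
  if ((size_t)rv >= size)
    fail("tun: string '%s...' doesn't fit into buffer", str);
}

/* Variadic front end for vsnprintf_check(). */
static void snprintf_check(char* str, size_t size, const char* format, ...)
{
  va_list args;

  va_start(args, format);
  vsnprintf_check(str, size, format, args);
  va_end(args);
}

#define COMMAND_MAX_LEN 128
#define PATH_PREFIX                                                            \
  "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin "
#define PATH_PREFIX_LEN (sizeof(PATH_PREFIX) - 1)

/*
 * Format a command line, prefix it with a fixed PATH assignment and run it
 * with system().
 *
 * panic:  when true, a non-zero system() result is fatal (fail()).
 * format: printf-style template; the formatted text must be shorter than
 *         COMMAND_MAX_LEN or vsnprintf_check() aborts.
 *
 * The command goes through the shell. Every caller in this file builds its
 * arguments from string constants and the integer executor id, so no
 * externally supplied text reaches the shell here; a caller that passed
 * external text would need to quote or validate it first.
 */
static void execute_command(bool panic, const char* format, ...)
{
  va_list args;
  char command[PATH_PREFIX_LEN + COMMAND_MAX_LEN];
  int rv;

  va_start(args, format);
  memcpy(command, PATH_PREFIX, PATH_PREFIX_LEN);
  vsnprintf_check(command + PATH_PREFIX_LEN, COMMAND_MAX_LEN, format, args);
  va_end(args);

  rv = system(command);
  if (panic && rv != 0)
    fail("tun: command \"%s\" failed with code %d", &command[0], rv);
}

static int tunfd = -1;
static int tun_frags_enabled;

#define SYZ_TUN_MAX_PACKET_SIZE 1000

#define MAX_PIDS 32
#define ADDR_MAX_LEN 32

#define LOCAL_MAC "aa:aa:aa:aa:%02hx:aa"
#define REMOTE_MAC "aa:aa:aa:aa:%02hx:bb"

#define LOCAL_IPV4 "172.20.%d.170"
#define REMOTE_IPV4 "172.20.%d.187"

#define LOCAL_IPV6 "fe80::%02hx:aa"
#define REMOTE_IPV6 "fe80::%02hx:bb"

#define IFF_NAPI 0x0010
#define IFF_NAPI_FRAGS 0x0020

/*
 * Create the TAP interface "syz<id>" and configure it with `sysctl`/`ip`.
 *
 * On success tunfd holds the open /dev/net/tun descriptor and
 * tun_frags_enabled records whether the kernel kept IFF_NAPI_FRAGS.
 * If /dev/net/tun cannot be opened the function prints a hint and returns
 * with tunfd == -1; every later failure is fatal.
 */
static void initialize_tun(int id)
{
  if (id >= MAX_PIDS)
    fail("tun: no more than %d executors", MAX_PIDS);

  tunfd = open("/dev/net/tun", O_RDWR | O_NONBLOCK);
  if (tunfd == -1) {
    printf("tun: can't open /dev/net/tun: please enable CONFIG_TUN=y\n");
    printf("otherwise fuzzing or reproducing might not work as intended\n");
    return;
  }

  char iface[IFNAMSIZ];
  snprintf_check(iface, sizeof(iface), "syz%d", id);

  struct ifreq ifr;
  memset(&ifr, 0, sizeof(ifr));
  /* iface is NUL-terminated within IFNAMSIZ bytes (snprintf_check aborts on
   * truncation), so this copy always carries the terminator along. */
  strncpy(ifr.ifr_name, iface, IFNAMSIZ);
  ifr.ifr_flags = IFF_TAP | IFF_NO_PI | IFF_NAPI | IFF_NAPI_FRAGS;
  if (ioctl(tunfd, TUNSETIFF, (void*)&ifr) < 0) {
    /* Retry without the NAPI flags before giving up. */
    ifr.ifr_flags = IFF_TAP | IFF_NO_PI;
    if (ioctl(tunfd, TUNSETIFF, (void*)&ifr) < 0)
      fail("tun: ioctl(TUNSETIFF) failed");
  }
  /* Read the flags back to learn which variant was accepted. */
  if (ioctl(tunfd, TUNGETIFF, (void*)&ifr) < 0)
    fail("tun: ioctl(TUNGETIFF) failed");
  tun_frags_enabled = (ifr.ifr_flags & IFF_NAPI_FRAGS) != 0;

  char local_mac[ADDR_MAX_LEN];
  snprintf_check(local_mac, sizeof(local_mac), LOCAL_MAC, id);
  char remote_mac[ADDR_MAX_LEN];
  snprintf_check(remote_mac, sizeof(remote_mac), REMOTE_MAC, id);

  char local_ipv4[ADDR_MAX_LEN];
  snprintf_check(local_ipv4, sizeof(local_ipv4), LOCAL_IPV4, id);
  char remote_ipv4[ADDR_MAX_LEN];
  snprintf_check(remote_ipv4, sizeof(remote_ipv4), REMOTE_IPV4, id);

  char local_ipv6[ADDR_MAX_LEN];
  snprintf_check(local_ipv6, sizeof(local_ipv6), LOCAL_IPV6, id);
  char remote_ipv6[ADDR_MAX_LEN];
  snprintf_check(remote_ipv6, sizeof(remote_ipv6), REMOTE_IPV6, id);

  /* All of these run with panic=1: any non-zero exit status is fatal. */
  execute_command(1, "sysctl -w net.ipv6.conf.%s.accept_dad=0", iface);
  execute_command(1, "sysctl -w net.ipv6.conf.%s.router_solicitations=0",
                  iface);

  execute_command(1, "ip link set dev %s address %s", iface, local_mac);
  execute_command(1, "ip addr add %s/24 dev %s", local_ipv4, iface);
  execute_command(1, "ip -6 addr add %s/120 dev %s", local_ipv6, iface);
  execute_command(1, "ip neigh add %s lladdr %s dev %s nud permanent",
                  remote_ipv4, remote_mac, iface);
  execute_command(1, "ip -6 neigh add %s lladdr %s dev %s nud permanent",
                  remote_ipv6, remote_mac, iface);
  execute_command(1, "ip link set dev %s up", iface);
}

#define DEV_IPV4 "172.20.%d.%d"
#define DEV_IPV6 "fe80::%02hx:%02hx"
#define DEV_MAC "aa:aa:aa:aa:%02hx:%02hx"

/*
 * Create a few virtual devices and give every device in devnames an IPv4
 * address, an IPv6 address and a MAC derived from id, then bring it up.
 * All commands run with panic=0, so a failing command (for example a device
 * type the kernel does not provide) is ignored.
 */
static void initialize_netdevices(int id)
{
  unsigned i;
  const char* devtypes[] = {"ip6gretap", "bridge", "vcan"};
  const char* devnames[] = {"lo", "sit0", "bridge0", "vcan0", "tunl0",
                            "gre0", "gretap0", "ip_vti0", "ip6_vti0",
                            "ip6tnl0", "ip6gre0", "ip6gretap0", "erspan0"};

  for (i = 0; i < sizeof(devtypes) / (sizeof(devtypes[0])); i++)
    execute_command(0, "ip link add dev %s0 type %s", devtypes[i],
                    devtypes[i]);
  for (i = 0; i < sizeof(devnames) / (sizeof(devnames[0])); i++) {
    char addr[ADDR_MAX_LEN];

    /* addr is reused for the IPv4, IPv6 and MAC text in turn. */
    snprintf_check(addr, sizeof(addr), DEV_IPV4, id, id + 10);
    execute_command(0, "ip -4 addr add %s/24 dev %s", addr, devnames[i]);
    snprintf_check(addr, sizeof(addr), DEV_IPV6, id, id + 10);
    execute_command(0, "ip -6 addr add %s/120 dev %s", addr, devnames[i]);
    snprintf_check(addr, sizeof(addr), DEV_MAC, id, id + 10);
    execute_command(0, "ip link set dev %s address %s", devnames[i], addr);
    execute_command(0, "ip link set dev %s up", devnames[i]);
  }
}

/*
 * Run the network setup when enable_tun is true.
 * pid is implicitly narrowed to int by the two calls below.
 */
static void setup_tun(uint64_t pid, bool enable_tun)
{
  if (enable_tun) {
    initialize_tun(pid);
    initialize_netdevices(pid);
  }
}

/* Results of the two socket() calls; -1 when not (yet) set. */
long r[2];

/*
 * Replay the recorded syscall sequence: map a fixed region, open two sockets,
 * call getsockopt() on the first and setsockopt() on the second with a
 * 0x2e0-byte buffer assembled in the mapped region. Syscall results are not
 * checked.
 *
 * NOTE(review): the buffer's offsets and sizes are consistent with a
 * struct ipt_replace header (0x60 bytes) followed by four struct ipt_entry
 * records of 0x98, 0x98, 0x98 and 0xb8 bytes, which add up to the 0x280
 * stored at 0x2002cd20, and level 0 / option 0x40 would then be
 * IPT_SO_SET_REPLACE. The field names in the comments below follow that
 * reading; confirm against <linux/netfilter_ipv4/ip_tables.h>.
 */
void loop(void)
{
  memset(r, -1, sizeof(r));

  /* prot 3 and flags 0x32 decode on Linux to PROT_READ|PROT_WRITE and
   * MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS; all stores below land inside this
   * mapping. */
  syscall(__NR_mmap, 0x20000000, 0xfff000, 3, 0x32, -1, 0);

  r[0] = syscall(__NR_socket, 2, 2, 0);
  /* The length word sits at an unaligned address, as recorded. */
  *(uint32_t*)0x20007ffd = 0;
  syscall(__NR_getsockopt, r[0], 0, 0x30, 0x20008000, 0x20007ffd);

  r[1] = syscall(__NR_socket, 2, 0x80005, 0);

  /* Header at 0x2002ccf8; the 32-byte name decodes to "filter". */
  memcpy((void*)0x2002ccf8, "\x66\x69\x6c\x74\x65\x72\x00\x00\x00\x00\x00\x00"
                            "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
                            "\x00\x00\x00\x00\x00\x00\x00\x00",
         32);
  *(uint32_t*)0x2002cd18 = 0xe;   /* presumably valid_hooks */
  *(uint32_t*)0x2002cd1c = 4;     /* presumably num_entries */
  *(uint32_t*)0x2002cd20 = 0x280; /* presumably size of the entry blob */
  /* Two five-element uint32 arrays (presumably hook_entry and underflow). */
  *(uint32_t*)0x2002cd24 = -1;
  *(uint32_t*)0x2002cd28 = 0;
  *(uint32_t*)0x2002cd2c = 0;
  *(uint32_t*)0x2002cd30 = 0;
  *(uint32_t*)0x2002cd34 = -1;
  *(uint32_t*)0x2002cd38 = -1;
  *(uint32_t*)0x2002cd3c = 0;
  *(uint32_t*)0x2002cd40 = 0;
  *(uint32_t*)0x2002cd44 = 0;
  *(uint32_t*)0x2002cd48 = -1;
  *(uint32_t*)0x2002cd4c = 4;              /* presumably num_counters */
  *(uint64_t*)0x2002cd50 = 0x20001000;     /* pointer to the counter array */

  /* Record 1 at 0x2002cd58: 0x54 zero bytes (0x2002cd58..0x2002cdab). */
  memset((void*)0x2002cd58, 0, 0x54);
  *(uint32_t*)0x2002cdac = 0;
  *(uint16_t*)0x2002cdb0 = 0x70;
  *(uint16_t*)0x2002cdb2 = 0x98;
  *(uint32_t*)0x2002cdb4 = 0;
  *(uint64_t*)0x2002cdb8 = 0;
  *(uint64_t*)0x2002cdc0 = 0;
  *(uint16_t*)0x2002cdc8 = 0x28;
  /* 29-byte name field left empty. */
  memcpy((void*)0x2002cdca, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
                            "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
                            "\x00\x00\x00\x00\x00",
         29);
  *(uint8_t*)0x2002cde7 = 0;
  *(uint32_t*)0x2002cde8 = 0xfffffffe;

  /* Record 2 at 0x2002cdf0: 0x54 zero bytes (0x2002cdf0..0x2002ce43). */
  memset((void*)0x2002cdf0, 0, 0x54);
  *(uint32_t*)0x2002ce44 = 0;
  *(uint16_t*)0x2002ce48 = 0x70;
  *(uint16_t*)0x2002ce4a = 0x98;
  *(uint32_t*)0x2002ce4c = 0;
  *(uint64_t*)0x2002ce50 = 0;
  *(uint64_t*)0x2002ce58 = 0;
  *(uint16_t*)0x2002ce60 = 0x28;
  /* Name decodes to "REJECT". */
  memcpy((void*)0x2002ce62, "\x52\x45\x4a\x45\x43\x54\x00\x00\x00\x00\x00\x00"
                            "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
                            "\x00\x00\x00\x00\x00",
         29);
  *(uint8_t*)0x2002ce7f = 0;
  *(uint32_t*)0x2002ce80 = 0;

  /* Record 3 at 0x2002ce88: 0x54 zero bytes (0x2002ce88..0x2002cedb). */
  memset((void*)0x2002ce88, 0, 0x54);
  *(uint32_t*)0x2002cedc = 0;
  *(uint16_t*)0x2002cee0 = 0x70;
  *(uint16_t*)0x2002cee2 = 0x98;
  *(uint32_t*)0x2002cee4 = 0;
  *(uint64_t*)0x2002cee8 = 0;
  *(uint64_t*)0x2002cef0 = 0;
  *(uint16_t*)0x2002cef8 = 0x28;
  /* Name decodes to "REJECT". */
  memcpy((void*)0x2002cefa, "\x52\x45\x4a\x45\x43\x54\x00\x00\x00\x00\x00\x00"
                            "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
                            "\x00\x00\x00\x00\x00",
         29);
  *(uint8_t*)0x2002cf17 = 0;
  *(uint32_t*)0x2002cf18 = 0;

  /* Record 4 at 0x2002cf20: 0x54 zero bytes (0x2002cf20..0x2002cf73). */
  memset((void*)0x2002cf20, 0, 0x54);
  *(uint32_t*)0x2002cf74 = 0;
  *(uint16_t*)0x2002cf78 = 0x70;
  *(uint16_t*)0x2002cf7a = 0xb8;
  *(uint32_t*)0x2002cf7c = 0;
  *(uint64_t*)0x2002cf80 = 0;
  *(uint64_t*)0x2002cf88 = 0;
  *(uint16_t*)0x2002cf90 = 0x48;
  /* Name decodes to "TEE"; the byte after the name is 1. */
  memcpy((void*)0x2002cf92, "\x54\x45\x45\x00\x00\x00\x00\x00\x00\x00\x00\x00"
                            "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
                            "\x00\x00\x00\x00\x00",
         29);
  *(uint8_t*)0x2002cfaf = 1;
  /* 16 bytes fe 80 00 ... 00 bb, i.e. the bytes of IPv6 address fe80::bb. */
  *(uint8_t*)0x2002cfb0 = 0xfe;
  *(uint8_t*)0x2002cfb1 = 0x80;
  memset((void*)0x2002cfb2, 0, 13); /* 0x2002cfb2..0x2002cfbe */
  *(uint8_t*)0x2002cfbf = 0xbb;
  /* 16-byte field that decodes to "ip6gre0", one of the devices that
   * initialize_netdevices() configures. */
  memcpy((void*)0x2002cfc0,
         "\x69\x70\x36\x67\x72\x65\x30\x00\x00\x00\x00\x00\x00\x00\x00\x00",
         16);
  *(uint64_t*)0x2002cfd0 = 0;

  /* Counter array referenced from 0x2002cd50: 64 zero bytes. */
  memset((void*)0x20001000, 0, 64);

  /* 0x2e0 = 0x60-byte header + 0x280 bytes of records. */
  syscall(__NR_setsockopt, r[1], 0, 0x40, 0x2002ccf8, 0x2e0);
}

/* Set up the test network for executor 0, then replay the sequence once. */
int main(void)
{
  setup_tun(0, true);
  loop();
  return 0;
}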