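// https://syzkaller.appspot.com/bug?id=990d1ea15a57bc6fa79779c7c6d36be2a423bc06
// autogenerated by syzkaller (https://github.com/google/syzkaller)
//
// Review notes (added; everything below the helpers is the generated payload,
// left store-for-store as syzkaller emitted it):
//
// - main() maps a fixed scratch region at 0x20000000, opens one socket
//   (domain 2, type 2, protocol 0x88), writes a 0x408-byte blob at
//   0x20000900 and hands it to a single setsockopt() call with option 0x60.
// - NOTE(review): the blob's offsets are self-consistent with an arptables
//   table-replace request (a 0x50-byte header naming table "filter", then
//   four entries of 0xe8 + 0xe8 + 0x100 + 0xe8 = 0x3b8 bytes whose targets
//   are "CLASSIFY", unnamed, "RATEEST", unnamed). Confirm the struct layout
//   against the kernel's netfilter UAPI headers before relying on this.
// - NOTE(review): netfilter table replacement is normally gated on
//   CAP_NET_ADMIN in the socket's network namespace; confirm for the kernel
//   under test, since that gate decides who can reach this path.
// - The crash signature is not part of this page; see the report URL above.
// - The netlink/devlink helpers are defined but main() never calls them.
// - The header names on the #include lines were lost when this page was
//   extracted; the list below is reconstructed from the identifiers the
//   code uses and may not match the generated file line for line.

#define _GNU_SOURCE

#include <endian.h>
#include <fcntl.h>
#include <net/if.h>
#include <sched.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

#include <linux/genetlink.h>
#include <linux/if_link.h>
#include <linux/netlink.h>
#include <linux/rtnetlink.h>

// One outgoing/incoming netlink message. `pos` is the write cursor inside
// `buf`; `nesting`/`nested` are only checked (never filled) in this file.
struct nlmsg {
  char* pos;
  int nesting;
  struct nlattr* nested[8];
  char buf[1024];
};

static struct nlmsg nlmsg;

// Starts a new request in `nlmsg`: zeroes it, fills the nlmsghdr type/flags
// and copies the `size`-byte family header `data` right behind it.
// Exits the process if the payload cannot fit in the fixed buffer.
static void netlink_init(struct nlmsg* nlmsg, int typ, int flags, const void* data, int size)
{
  // Bound the copy up front; the original only noticed an overrun later,
  // in netlink_send_ext(), after memory had already been overwritten.
  if (size < 0 || (size_t)size > sizeof(nlmsg->buf) - sizeof(struct nlmsghdr))
    exit(1);
  memset(nlmsg, 0, sizeof(*nlmsg));
  struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf;
  hdr->nlmsg_type = typ;
  hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags;
  memcpy(hdr + 1, data, size);
  nlmsg->pos = (char*)(hdr + 1) + NLMSG_ALIGN(size);
}

// Appends one attribute (type `typ`, `size` payload bytes from `data`) at the
// write cursor and advances the cursor by the aligned attribute length.
// Exits the process if the attribute would not fit in the buffer.
static void netlink_attr(struct nlmsg* nlmsg, int typ, const void* data, int size)
{
  char* end = nlmsg->buf + sizeof(nlmsg->buf);
  // Check the remaining room before writing anything through `attr`.
  if (size < 0 || nlmsg->pos < nlmsg->buf || nlmsg->pos > end)
    exit(1);
  size_t need = NLMSG_ALIGN(sizeof(struct nlattr) + (size_t)size);
  if (need > (size_t)(end - nlmsg->pos))
    exit(1);
  struct nlattr* attr = (struct nlattr*)nlmsg->pos;
  attr->nla_len = sizeof(*attr) + size;
  attr->nla_type = typ;
  memcpy(attr + 1, data, size);
  nlmsg->pos += NLMSG_ALIGN(attr->nla_len);
}

// Sends the message built in `nlmsg` on `sock` and reads one reply into the
// same buffer.
// Returns 0 on NLMSG_DONE or when the reply has type `reply_type` (then
// *reply_len, if given, holds the received byte count); otherwise returns
// the negated `error` field of the NLMSG_ERROR reply (0 for a plain ack).
// Exits the process on any transport or framing failure.
static int netlink_send_ext(struct nlmsg* nlmsg, int sock, uint16_t reply_type, int* reply_len)
{
  if (nlmsg->pos > nlmsg->buf + sizeof(nlmsg->buf) || nlmsg->nesting)
    exit(1);
  struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf;
  hdr->nlmsg_len = nlmsg->pos - nlmsg->buf;
  struct sockaddr_nl addr;
  memset(&addr, 0, sizeof(addr));
  addr.nl_family = AF_NETLINK;
  ssize_t sent = sendto(sock, nlmsg->buf, hdr->nlmsg_len, 0, (struct sockaddr*)&addr, sizeof(addr));
  if (sent < 0 || (size_t)sent != hdr->nlmsg_len)
    exit(1);
  // Keep the result signed: the original stored it in an unsigned, so a
  // failed recv() (-1) passed every length check and stale request bytes
  // were parsed as if they were the reply.
  ssize_t n = recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0);
  if (n < 0 || (size_t)n < sizeof(struct nlmsghdr))
    exit(1);
  if (hdr->nlmsg_type == NLMSG_DONE) {
    // netlink_send() passes reply_len == NULL; the original dereferenced it
    // unconditionally here.
    if (reply_len)
      *reply_len = 0;
    return 0;
  }
  if (reply_len && hdr->nlmsg_type == reply_type) {
    *reply_len = (int)n;
    return 0;
  }
  if ((size_t)n < sizeof(struct nlmsghdr) + sizeof(struct nlmsgerr))
    exit(1);
  if (hdr->nlmsg_type != NLMSG_ERROR)
    exit(1);
  return -((struct nlmsgerr*)(hdr + 1))->error;
}

// Convenience wrapper: send and expect only an ack/error reply.
static int netlink_send(struct nlmsg* nlmsg, int sock)
{
  return netlink_send_ext(nlmsg, sock, 0, NULL);
}

// Returns the length of the message that starts at `offset` inside a reply of
// `total_len` bytes, or -1 when there is no further well-formed message.
static int netlink_next_msg(struct nlmsg* nlmsg, unsigned int offset, unsigned int total_len)
{
  // Make sure a whole header is inside the received data before reading it.
  if (total_len > sizeof(nlmsg->buf) || offset >= total_len ||
      total_len - offset < sizeof(struct nlmsghdr))
    return -1;
  struct nlmsghdr* hdr = (struct nlmsghdr*)(nlmsg->buf + offset);
  // A length below the header size (including 0) would make the caller's
  // `offset += len` loop stall; a length past the end would read stale data.
  if (hdr->nlmsg_len < sizeof(struct nlmsghdr) || hdr->nlmsg_len > total_len - offset)
    return -1;
  return hdr->nlmsg_len;
}

// Issues RTM_NEWLINK for interface `name`: optionally brings it up, renames it
// to `new_name`, enslaves it to `master` and/or sets a `macsize`-byte address.
// The kernel's answer is deliberately ignored (best effort).
static void netlink_device_change(struct nlmsg* nlmsg, int sock, const char* name, bool up, const char* master,
                                  const void* mac, int macsize, const char* new_name)
{
  struct ifinfomsg hdr;
  memset(&hdr, 0, sizeof(hdr));
  if (up)
    hdr.ifi_flags = hdr.ifi_change = IFF_UP;
  hdr.ifi_index = if_nametoindex(name);
  netlink_init(nlmsg, RTM_NEWLINK, 0, &hdr, sizeof(hdr));
  if (new_name)
    netlink_attr(nlmsg, IFLA_IFNAME, new_name, strlen(new_name));
  if (master) {
    int ifindex = if_nametoindex(master);
    netlink_attr(nlmsg, IFLA_MASTER, &ifindex, sizeof(ifindex));
  }
  if (macsize)
    netlink_attr(nlmsg, IFLA_ADDRESS, mac, macsize);
  int err = netlink_send(nlmsg, sock);
  (void)err;
}

// Descriptor number that initialize_devlink_pci() passes to setns(). Nothing
// in this file opens it; presumably the fuzzer's executor provides it.
const int kInitNetNsFd = 239;

// devlink generic-netlink constants, defined locally by the generator.
#define DEVLINK_FAMILY_NAME "devlink"

#define DEVLINK_CMD_PORT_GET 5
#define DEVLINK_CMD_RELOAD 37

#define DEVLINK_ATTR_BUS_NAME 1
#define DEVLINK_ATTR_DEV_NAME 2
#define DEVLINK_ATTR_NETDEV_NAME 7
#define DEVLINK_ATTR_NETNS_FD 138

// Asks the generic-netlink controller for the family id of "devlink".
// Returns the id, or -1 if the request fails or no id attribute is found.
static int netlink_devlink_id_get(struct nlmsg* nlmsg, int sock)
{
  struct genlmsghdr genlhdr;
  struct nlattr* attr;
  int err, n;
  uint16_t id = 0;
  memset(&genlhdr, 0, sizeof(genlhdr));
  genlhdr.cmd = CTRL_CMD_GETFAMILY;
  netlink_init(nlmsg, GENL_ID_CTRL, 0, &genlhdr, sizeof(genlhdr));
  netlink_attr(nlmsg, CTRL_ATTR_FAMILY_NAME, DEVLINK_FAMILY_NAME, strlen(DEVLINK_FAMILY_NAME) + 1);
  err = netlink_send_ext(nlmsg, sock, GENL_ID_CTRL, &n);
  if (err || n < 0) {
    return -1;
  }
  // Walk the attributes by offset so every header and payload read is
  // checked against the number of bytes actually received.
  size_t end = (size_t)n;
  size_t off = NLMSG_HDRLEN + NLMSG_ALIGN(sizeof(genlhdr));
  while (off + sizeof(*attr) <= end) {
    attr = (struct nlattr*)(nlmsg->buf + off);
    // nla_len == 0 made the original loop spin forever; an oversized
    // nla_len made it read past the reply.
    if (attr->nla_len < sizeof(*attr) || attr->nla_len > end - off)
      break;
    if (attr->nla_type == CTRL_ATTR_FAMILY_ID) {
      if (attr->nla_len >= sizeof(*attr) + sizeof(id))
        memcpy(&id, attr + 1, sizeof(id));
      break;
    }
    off += NLMSG_ALIGN(attr->nla_len);
  }
  if (!id) {
    return -1;
  }
  recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0); /* recv ack */
  return id;
}

// Sends DEVLINK_CMD_RELOAD for the device `bus_name`/`dev_name` with
// `netns_fd` as the DEVLINK_ATTR_NETNS_FD attribute. Errors are ignored.
static void netlink_devlink_netns_move(const char* bus_name, const char* dev_name, int netns_fd)
{
  struct genlmsghdr genlhdr;
  int sock;
  int id, err;
  sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC);
  if (sock == -1)
    exit(1);
  id = netlink_devlink_id_get(&nlmsg, sock);
  if (id == -1)
    goto error;
  memset(&genlhdr, 0, sizeof(genlhdr));
  genlhdr.cmd = DEVLINK_CMD_RELOAD;
  netlink_init(&nlmsg, id, 0, &genlhdr, sizeof(genlhdr));
  netlink_attr(&nlmsg, DEVLINK_ATTR_BUS_NAME, bus_name, strlen(bus_name) + 1);
  netlink_attr(&nlmsg, DEVLINK_ATTR_DEV_NAME, dev_name, strlen(dev_name) + 1);
  netlink_attr(&nlmsg, DEVLINK_ATTR_NETNS_FD, &netns_fd, sizeof(netns_fd));
  err = netlink_send(&nlmsg, sock);
  (void)err; // best effort, as in the generated code
error:
  close(sock);
}

static struct nlmsg nlmsg2;

// Dumps the devlink ports of `bus_name`/`dev_name` and, for each message that
// carries a netdev name, renames that interface to "<netdev_prefix><index>"
// and brings it up.
static void initialize_devlink_ports(const char* bus_name, const char* dev_name, const char* netdev_prefix)
{
  struct genlmsghdr genlhdr;
  int len, total_len, id, err, offset;
  uint16_t netdev_index;
  int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC);
  if (sock == -1)
    exit(1);
  int rtsock = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
  if (rtsock == -1)
    exit(1);
  id = netlink_devlink_id_get(&nlmsg, sock);
  if (id == -1)
    goto error;
  memset(&genlhdr, 0, sizeof(genlhdr));
  genlhdr.cmd = DEVLINK_CMD_PORT_GET;
  netlink_init(&nlmsg, id, NLM_F_DUMP, &genlhdr, sizeof(genlhdr));
  netlink_attr(&nlmsg, DEVLINK_ATTR_BUS_NAME, bus_name, strlen(bus_name) + 1);
  netlink_attr(&nlmsg, DEVLINK_ATTR_DEV_NAME, dev_name, strlen(dev_name) + 1);
  err = netlink_send_ext(&nlmsg, sock, id, &total_len);
  if (err) {
    goto error;
  }
  offset = 0;
  netdev_index = 0;
  while ((len = netlink_next_msg(&nlmsg, offset, total_len)) != -1) {
    size_t msg_end = (size_t)offset + (size_t)len;
    size_t off = (size_t)offset + NLMSG_HDRLEN + NLMSG_ALIGN(sizeof(genlhdr));
    while (off + sizeof(struct nlattr) <= msg_end) {
      struct nlattr* attr = (struct nlattr*)(nlmsg.buf + off);
      // Same framing checks as in netlink_devlink_id_get().
      if (attr->nla_len < sizeof(*attr) || attr->nla_len > msg_end - off)
        break;
      if (attr->nla_type == DEVLINK_ATTR_NETDEV_NAME) {
        char* port_name = (char*)(attr + 1);
        size_t payload = attr->nla_len - sizeof(*attr);
        char netdev_name[IFNAMSIZ];
        // The name is used as a C string below; skip it unless the
        // terminator lies inside the attribute payload.
        if (!memchr(port_name, '\0', payload))
          break;
        snprintf(netdev_name, sizeof(netdev_name), "%s%d", netdev_prefix, netdev_index);
        netlink_device_change(&nlmsg2, rtsock, port_name, true, 0, 0, 0, netdev_name);
        break;
      }
      off += NLMSG_ALIGN(attr->nla_len);
    }
    offset += len;
    netdev_index++;
  }
error:
  close(rtsock);
  close(sock);
}

// Switches to the namespace behind kInitNetNsFd, requests a devlink reload of
// pci/0000:00:10.0 carrying the caller's own netns fd, switches back and then
// renames the device's ports to "netpci<N>". Not called from main().
static void initialize_devlink_pci(void)
{
  int netns = open("/proc/self/ns/net", O_RDONLY);
  if (netns == -1)
    exit(1);
  int ret = setns(kInitNetNsFd, 0);
  if (ret == -1)
    exit(1);
  netlink_devlink_netns_move("pci", "0000:00:10.0", netns);
  ret = setns(netns, 0);
  if (ret == -1)
    exit(1);
  close(netns);
  initialize_devlink_ports("pci", "0000:00:10.0", "netpci");
}

// Resource table: r[0] holds the socket fd, or all-ones if socket() failed.
uint64_t r[1] = {0xffffffffffffffff};

int main(void)
{
  // Fixed-address scratch area (prot 3, flags 0x32). The result is not
  // checked; bytes that are never stored to below rely on the fresh mapping
  // being zero-filled.
  syscall(__NR_mmap, 0x20000000ul, 0x1000000ul, 3ul, 0x32ul, -1, 0);
  intptr_t res = 0;
  res = syscall(__NR_socket, 2ul, 2ul, 0x88ul);
  if (res != -1)
    r[0] = res;

  // Header, 0x50 bytes at 0x20000900: 32-byte table name, ten u32 fields,
  // one u64. NOTE(review): reads as name / valid_hooks / num_entries (4) /
  // size (0x3b8) / hook_entry[3] / underflow[3] / num_counters / counters.
  memcpy((void*)0x20000900, "filter\000\000\000\000\000\000\000\000\000\000\000"
                            "\000\000\000\000\000\000\000\000\000\000\000\000"
                            "\000\000\000",
         32);
  *(uint32_t*)0x20000920 = 4;
  *(uint32_t*)0x20000924 = 4;
  *(uint32_t*)0x20000928 = 0x3b8;
  *(uint32_t*)0x2000092c = 0;
  *(uint32_t*)0x20000930 = 0;
  *(uint32_t*)0x20000934 = 0x1d0;
  *(uint32_t*)0x20000938 = 0x2d0;
  *(uint32_t*)0x2000093c = 0x2d0;
  *(uint32_t*)0x20000940 = 0x2d0;
  *(uint32_t*)0x20000944 = 4;
  *(uint64_t*)0x20000948 = 0;

  // Entry 0 at 0x20000950 (entry offset 0): 0xa4 zero bytes of match data,
  // then the u16 pair 0xc0 / 0xe8 and a target named "CLASSIFY".
  *(uint8_t*)0x20000950 = 0;
  *(uint8_t*)0x20000951 = 0;
  *(uint8_t*)0x20000952 = 0;
  *(uint8_t*)0x20000953 = 0;
  *(uint8_t*)0x20000954 = 0;
  *(uint8_t*)0x20000955 = 0;
  *(uint8_t*)0x20000956 = 0;
  *(uint8_t*)0x20000957 = 0;
  *(uint8_t*)0x20000958 = 0;
  *(uint8_t*)0x20000959 = 0;
  *(uint8_t*)0x2000095a = 0;
  *(uint8_t*)0x2000095b = 0;
  *(uint8_t*)0x2000095c = 0;
  *(uint8_t*)0x2000095d = 0;
  *(uint8_t*)0x2000095e = 0;
  *(uint8_t*)0x2000095f = 0;
  *(uint8_t*)0x20000960 = 0;
  *(uint8_t*)0x20000961 = 0;
  *(uint8_t*)0x20000962 = 0;
  *(uint8_t*)0x20000963 = 0;
  *(uint8_t*)0x20000964 = 0;
  *(uint8_t*)0x20000965 = 0;
  *(uint8_t*)0x20000966 = 0;
  *(uint8_t*)0x20000967 = 0;
  *(uint8_t*)0x20000968 = 0;
  *(uint8_t*)0x20000969 = 0;
  *(uint8_t*)0x2000096a = 0;
  *(uint8_t*)0x2000096b = 0;
  *(uint8_t*)0x2000096c = 0;
  *(uint8_t*)0x2000096d = 0;
  *(uint8_t*)0x2000096e = 0;
  *(uint8_t*)0x2000096f = 0;
  *(uint8_t*)0x20000970 = 0;
  *(uint8_t*)0x20000971 = 0;
  *(uint8_t*)0x20000972 = 0;
  *(uint8_t*)0x20000973 = 0;
  *(uint8_t*)0x20000974 = 0;
  *(uint8_t*)0x20000975 = 0;
  *(uint8_t*)0x20000976 = 0;
  *(uint8_t*)0x20000977 = 0;
  *(uint8_t*)0x20000978 = 0;
  *(uint8_t*)0x20000979 = 0;
  *(uint8_t*)0x2000097a = 0;
  *(uint8_t*)0x2000097b = 0;
  *(uint8_t*)0x2000097c = 0;
  *(uint8_t*)0x2000097d = 0;
  *(uint8_t*)0x2000097e = 0;
  *(uint8_t*)0x2000097f = 0;
  *(uint8_t*)0x20000980 = 0;
  *(uint8_t*)0x20000981 = 0;
  *(uint8_t*)0x20000982 = 0;
  *(uint8_t*)0x20000983 = 0;
  *(uint8_t*)0x20000984 = 0;
  *(uint8_t*)0x20000985 = 0;
  *(uint8_t*)0x20000986 = 0;
  *(uint8_t*)0x20000987 = 0;
  *(uint8_t*)0x20000988 = 0;
  *(uint8_t*)0x20000989 = 0;
  *(uint8_t*)0x2000098a = 0;
  *(uint8_t*)0x2000098b = 0;
  *(uint8_t*)0x2000098c = 0;
  *(uint8_t*)0x2000098d = 0;
  *(uint8_t*)0x2000098e = 0;
  *(uint8_t*)0x2000098f = 0;
  *(uint8_t*)0x20000990 = 0;
  *(uint8_t*)0x20000991 = 0;
  *(uint8_t*)0x20000992 = 0;
  *(uint8_t*)0x20000993 = 0;
  *(uint8_t*)0x20000994 = 0;
  *(uint8_t*)0x20000995 = 0;
  *(uint8_t*)0x20000996 = 0;
  *(uint8_t*)0x20000997 = 0;
  *(uint8_t*)0x20000998 = 0;
  *(uint8_t*)0x20000999 = 0;
  *(uint8_t*)0x2000099a = 0;
  *(uint8_t*)0x2000099b = 0;
  *(uint8_t*)0x2000099c = 0;
  *(uint8_t*)0x2000099d = 0;
  *(uint8_t*)0x2000099e = 0;
  *(uint8_t*)0x2000099f = 0;
  *(uint8_t*)0x200009a0 = 0;
  *(uint8_t*)0x200009a1 = 0;
  *(uint8_t*)0x200009a2 = 0;
  *(uint8_t*)0x200009a3 = 0;
  *(uint8_t*)0x200009a4 = 0;
  *(uint8_t*)0x200009a5 = 0;
  *(uint8_t*)0x200009a6 = 0;
  *(uint8_t*)0x200009a7 = 0;
  *(uint8_t*)0x200009a8 = 0;
  *(uint8_t*)0x200009a9 = 0;
  *(uint8_t*)0x200009aa = 0;
  *(uint8_t*)0x200009ab = 0;
  *(uint8_t*)0x200009ac = 0;
  *(uint8_t*)0x200009ad = 0;
  *(uint8_t*)0x200009ae = 0;
  *(uint8_t*)0x200009af = 0;
  *(uint8_t*)0x200009b0 = 0;
  *(uint8_t*)0x200009b1 = 0;
  *(uint8_t*)0x200009b2 = 0;
  *(uint8_t*)0x200009b3 = 0;
  *(uint8_t*)0x200009b4 = 0;
  *(uint8_t*)0x200009b5 = 0;
  *(uint8_t*)0x200009b6 = 0;
  *(uint8_t*)0x200009b7 = 0;
  *(uint8_t*)0x200009b8 = 0;
  *(uint8_t*)0x200009b9 = 0;
  *(uint8_t*)0x200009ba = 0;
  *(uint8_t*)0x200009bb = 0;
  *(uint8_t*)0x200009bc = 0;
  *(uint8_t*)0x200009bd = 0;
  *(uint8_t*)0x200009be = 0;
  *(uint8_t*)0x200009bf = 0;
  *(uint8_t*)0x200009c0 = 0;
  *(uint8_t*)0x200009c1 = 0;
  *(uint8_t*)0x200009c2 = 0;
  *(uint8_t*)0x200009c3 = 0;
  *(uint8_t*)0x200009c4 = 0;
  *(uint8_t*)0x200009c5 = 0;
  *(uint8_t*)0x200009c6 = 0;
  *(uint8_t*)0x200009c7 = 0;
  *(uint8_t*)0x200009c8 = 0;
  *(uint8_t*)0x200009c9 = 0;
  *(uint8_t*)0x200009ca = 0;
  *(uint8_t*)0x200009cb = 0;
  *(uint8_t*)0x200009cc = 0;
  *(uint8_t*)0x200009cd = 0;
  *(uint8_t*)0x200009ce = 0;
  *(uint8_t*)0x200009cf = 0;
  *(uint8_t*)0x200009d0 = 0;
  *(uint8_t*)0x200009d1 = 0;
  *(uint8_t*)0x200009d2 = 0;
  *(uint8_t*)0x200009d3 = 0;
  *(uint8_t*)0x200009d4 = 0;
  *(uint8_t*)0x200009d5 = 0;
  *(uint8_t*)0x200009d6 = 0;
  *(uint8_t*)0x200009d7 = 0;
  *(uint8_t*)0x200009d8 = 0;
  *(uint8_t*)0x200009d9 = 0;
  *(uint8_t*)0x200009da = 0;
  *(uint8_t*)0x200009db = 0;
  *(uint8_t*)0x200009dc = 0;
  *(uint8_t*)0x200009dd = 0;
  *(uint8_t*)0x200009de = 0;
  *(uint8_t*)0x200009df = 0;
  *(uint8_t*)0x200009e0 = 0;
  *(uint8_t*)0x200009e1 = 0;
  *(uint8_t*)0x200009e2 = 0;
  *(uint8_t*)0x200009e3 = 0;
  *(uint8_t*)0x200009e4 = 0;
  *(uint8_t*)0x200009e5 = 0;
  *(uint8_t*)0x200009e6 = 0;
  *(uint8_t*)0x200009e7 = 0;
  *(uint8_t*)0x200009e8 = 0;
  *(uint8_t*)0x200009e9 = 0;
  *(uint8_t*)0x200009ea = 0;
  *(uint8_t*)0x200009eb = 0;
  *(uint8_t*)0x200009ec = 0;
  *(uint8_t*)0x200009ed = 0;
  *(uint8_t*)0x200009ee = 0;
  *(uint8_t*)0x200009ef = 0;
  *(uint8_t*)0x200009f0 = 0;
  *(uint8_t*)0x200009f1 = 0;
  *(uint8_t*)0x200009f2 = 0;
  *(uint8_t*)0x200009f3 = 0;
  *(uint16_t*)0x200009f4 = 0xc0;
  *(uint16_t*)0x200009f6 = 0xe8;
  *(uint32_t*)0x200009f8 = 0;
  *(uint64_t*)0x20000a00 = 0;
  *(uint64_t*)0x20000a08 = 0;
  *(uint16_t*)0x20000a10 = 0x28;
  memcpy((void*)0x20000a12, "CLASSIFY\000\000\000\000\000\000\000\000\000\000"
                            "\000\000\000\000\000\000\000\000\000\000\000",
         29);
  *(uint8_t*)0x20000a2f = 0;
  *(uint32_t*)0x20000a30 = 0;

  // Entry 1 at 0x20000a38 (entry offset 0xe8): non-zero match data
  // (addresses, interface names "nr0"/"vlan0"), then 0xc0 / 0xe8 and an
  // unnamed target whose u32 payload is 0xe8.
  *(uint32_t*)0x20000a38 = htobe32(0xe0000002);
  *(uint8_t*)0x20000a3c = 0xac;
  *(uint8_t*)0x20000a3d = 0x1e;
  *(uint8_t*)0x20000a3e = 0;
  *(uint8_t*)0x20000a3f = 1;
  *(uint32_t*)0x20000a40 = htobe32(0);
  *(uint32_t*)0x20000a44 = htobe32(0);
  *(uint8_t*)0x20000a48 = 0;
  *(uint8_t*)0x20000a49 = 0;
  *(uint8_t*)0x20000a4a = 0;
  *(uint8_t*)0x20000a4b = 0;
  *(uint8_t*)0x20000a4c = 0;
  *(uint8_t*)0x20000a4d = 0;
  *(uint8_t*)0x20000a4e = 0;
  *(uint8_t*)0x20000a4f = 0;
  *(uint8_t*)0x20000a5a = 0;
  *(uint8_t*)0x20000a5b = 0;
  *(uint8_t*)0x20000a5c = 0;
  *(uint8_t*)0x20000a5d = 0;
  *(uint8_t*)0x20000a5e = 0;
  *(uint8_t*)0x20000a5f = 0;
  *(uint8_t*)0x20000a6a = 0;
  *(uint8_t*)0x20000a6b = 0;
  *(uint8_t*)0x20000a6c = 0;
  *(uint8_t*)0x20000a6d = 0;
  *(uint8_t*)0x20000a6e = 0;
  *(uint8_t*)0x20000a6f = 0;
  *(uint8_t*)0x20000a70 = 0;
  *(uint8_t*)0x20000a71 = 0;
  *(uint8_t*)0x20000a72 = 0;
  *(uint8_t*)0x20000a73 = 0;
  *(uint8_t*)0x20000a74 = 0;
  *(uint8_t*)0x20000a75 = 0;
  *(uint8_t*)0x20000a76 = 0;
  *(uint8_t*)0x20000a77 = 0;
  *(uint8_t*)0x20000a78 = 0;
  *(uint8_t*)0x20000a79 = 0;
  *(uint8_t*)0x20000a7a = 0;
  *(uint8_t*)0x20000a7b = 0;
  *(uint8_t*)0x20000a7c = 0;
  *(uint8_t*)0x20000a7d = 0;
  *(uint8_t*)0x20000a7e = 0;
  *(uint8_t*)0x20000a7f = 0;
  *(uint16_t*)0x20000a8a = htobe16(0);
  *(uint16_t*)0x20000a8c = htobe16(0);
  *(uint16_t*)0x20000a8e = htobe16(0);
  *(uint16_t*)0x20000a90 = htobe16(0x7f);
  *(uint16_t*)0x20000a92 = htobe16(0);
  *(uint16_t*)0x20000a94 = htobe16(0);
  memcpy((void*)0x20000a96, "nr0\000\000\000\000\000\000\000\000\000\000\000\000\000", 16);
  memcpy((void*)0x20000aa6, "vlan0\000\000\000\000\000\000\000\000\000\000\000", 16);
  *(uint8_t*)0x20000ab6 = 0;
  *(uint8_t*)0x20000ac6 = 0;
  *(uint8_t*)0x20000ad6 = 0;
  *(uint16_t*)0x20000ad8 = 0;
  *(uint16_t*)0x20000adc = 0xc0;
  *(uint16_t*)0x20000ade = 0xe8;
  *(uint32_t*)0x20000ae0 = 0;
  *(uint64_t*)0x20000ae8 = 0;
  *(uint64_t*)0x20000af0 = 0;
  *(uint16_t*)0x20000af8 = 0x28;
  memcpy((void*)0x20000afa, "\000\000\000\000\000\000\000\000\000\000\000\000"
                            "\000\000\000\000\000\000\000\000\000\000\000\000"
                            "\000\000\000\000\000",
         29);
  *(uint8_t*)0x20000b17 = 0;
  *(uint32_t*)0x20000b18 = 0xe8;

  // Entry 2 at 0x20000b20 (entry offset 0x1d0, the third value of the second
  // header triple): match data with "team0"/"macvlan1", then 0xc0 / 0x100
  // and a 0x40-byte target named "RATEEST" carrying the name "syz0".
  *(uint32_t*)0x20000b20 = htobe32(0xe0000001);
  *(uint32_t*)0x20000b24 = htobe32(0x7f000001);
  *(uint32_t*)0x20000b28 = htobe32(0);
  *(uint32_t*)0x20000b2c = htobe32(0);
  *(uint8_t*)0x20000b30 = 0;
  *(uint8_t*)0x20000b31 = 0;
  *(uint8_t*)0x20000b32 = 0;
  *(uint8_t*)0x20000b33 = 0;
  *(uint8_t*)0x20000b34 = 0;
  *(uint8_t*)0x20000b35 = 0;
  *(uint8_t*)0x20000b36 = 0;
  *(uint8_t*)0x20000b37 = 0;
  *(uint8_t*)0x20000b38 = 0;
  *(uint8_t*)0x20000b39 = 0;
  *(uint8_t*)0x20000b3a = 0;
  *(uint8_t*)0x20000b3b = 0;
  *(uint8_t*)0x20000b3c = 0;
  *(uint8_t*)0x20000b3d = 0;
  *(uint8_t*)0x20000b3e = 0;
  *(uint8_t*)0x20000b3f = 0;
  *(uint8_t*)0x20000b40 = 0;
  *(uint8_t*)0x20000b41 = 0;
  *(uint8_t*)0x20000b42 = 0;
  *(uint8_t*)0x20000b43 = -1;
  *(uint8_t*)0x20000b44 = -1;
  *(uint8_t*)0x20000b45 = 0;
  *(uint8_t*)0x20000b46 = 0;
  *(uint8_t*)0x20000b47 = 0;
  *(uint8_t*)0x20000b52 = 0xaa;
  *(uint8_t*)0x20000b53 = 0xaa;
  *(uint8_t*)0x20000b54 = 0xaa;
  *(uint8_t*)0x20000b55 = 0xaa;
  *(uint8_t*)0x20000b56 = 0xaa;
  *(uint8_t*)0x20000b57 = 0;
  *(uint8_t*)0x20000b62 = 0;
  *(uint8_t*)0x20000b63 = 0;
  *(uint8_t*)0x20000b64 = 0;
  *(uint8_t*)0x20000b65 = 0;
  *(uint8_t*)0x20000b66 = 0;
  *(uint8_t*)0x20000b67 = 0;
  *(uint16_t*)0x20000b72 = htobe16(0);
  *(uint16_t*)0x20000b74 = htobe16(0);
  *(uint16_t*)0x20000b76 = htobe16(0);
  *(uint16_t*)0x20000b78 = htobe16(5);
  *(uint16_t*)0x20000b7a = htobe16(0xfffc);
  *(uint16_t*)0x20000b7c = htobe16(0);
  memcpy((void*)0x20000b7e, "team0\000\000\000\000\000\000\000\000\000\000\000", 16);
  memcpy((void*)0x20000b8e, "macvlan1\000\000\000\000\000\000\000\000", 16);
  *(uint8_t*)0x20000b9e = 0;
  *(uint8_t*)0x20000bae = 0;
  *(uint8_t*)0x20000bbe = 0;
  *(uint16_t*)0x20000bc0 = 0;
  *(uint16_t*)0x20000bc4 = 0xc0;
  *(uint16_t*)0x20000bc6 = 0x100;
  *(uint32_t*)0x20000bc8 = 0;
  *(uint64_t*)0x20000bd0 = 0;
  *(uint64_t*)0x20000bd8 = 0;
  *(uint16_t*)0x20000be0 = 0x40;
  memcpy((void*)0x20000be2, "RATEEST\000\000\000\000\000\000\000\000\000\000"
                            "\000\000\000\000\000\000\000\000\000\000\000\000",
         29);
  *(uint8_t*)0x20000bff = 0;
  memcpy((void*)0x20000c00, "syz0\000\000\000\000\000\000\000\000\000\000\000\000", 16);
  *(uint8_t*)0x20000c10 = 6;
  *(uint8_t*)0x20000c11 = 1;
  *(uint64_t*)0x20000c18 = 6;

  // Entry 3 at 0x20000c20 (entry offset 0x2d0, the value repeated in the
  // last header triple): 0xa4 zero bytes, then 0xc0 / 0xe8 and an unnamed
  // target whose u32 payload is 0xfffffffe.
  *(uint8_t*)0x20000c20 = 0;
  *(uint8_t*)0x20000c21 = 0;
  *(uint8_t*)0x20000c22 = 0;
  *(uint8_t*)0x20000c23 = 0;
  *(uint8_t*)0x20000c24 = 0;
  *(uint8_t*)0x20000c25 = 0;
  *(uint8_t*)0x20000c26 = 0;
  *(uint8_t*)0x20000c27 = 0;
  *(uint8_t*)0x20000c28 = 0;
  *(uint8_t*)0x20000c29 = 0;
  *(uint8_t*)0x20000c2a = 0;
  *(uint8_t*)0x20000c2b = 0;
  *(uint8_t*)0x20000c2c = 0;
  *(uint8_t*)0x20000c2d = 0;
  *(uint8_t*)0x20000c2e = 0;
  *(uint8_t*)0x20000c2f = 0;
  *(uint8_t*)0x20000c30 = 0;
  *(uint8_t*)0x20000c31 = 0;
  *(uint8_t*)0x20000c32 = 0;
  *(uint8_t*)0x20000c33 = 0;
  *(uint8_t*)0x20000c34 = 0;
  *(uint8_t*)0x20000c35 = 0;
  *(uint8_t*)0x20000c36 = 0;
  *(uint8_t*)0x20000c37 = 0;
  *(uint8_t*)0x20000c38 = 0;
  *(uint8_t*)0x20000c39 = 0;
  *(uint8_t*)0x20000c3a = 0;
  *(uint8_t*)0x20000c3b = 0;
  *(uint8_t*)0x20000c3c = 0;
  *(uint8_t*)0x20000c3d = 0;
  *(uint8_t*)0x20000c3e = 0;
  *(uint8_t*)0x20000c3f = 0;
  *(uint8_t*)0x20000c40 = 0;
  *(uint8_t*)0x20000c41 = 0;
  *(uint8_t*)0x20000c42 = 0;
  *(uint8_t*)0x20000c43 = 0;
  *(uint8_t*)0x20000c44 = 0;
  *(uint8_t*)0x20000c45 = 0;
  *(uint8_t*)0x20000c46 = 0;
  *(uint8_t*)0x20000c47 = 0;
  *(uint8_t*)0x20000c48 = 0;
  *(uint8_t*)0x20000c49 = 0;
  *(uint8_t*)0x20000c4a = 0;
  *(uint8_t*)0x20000c4b = 0;
  *(uint8_t*)0x20000c4c = 0;
  *(uint8_t*)0x20000c4d = 0;
  *(uint8_t*)0x20000c4e = 0;
  *(uint8_t*)0x20000c4f = 0;
  *(uint8_t*)0x20000c50 = 0;
  *(uint8_t*)0x20000c51 = 0;
  *(uint8_t*)0x20000c52 = 0;
  *(uint8_t*)0x20000c53 = 0;
  *(uint8_t*)0x20000c54 = 0;
  *(uint8_t*)0x20000c55 = 0;
  *(uint8_t*)0x20000c56 = 0;
  *(uint8_t*)0x20000c57 = 0;
  *(uint8_t*)0x20000c58 = 0;
  *(uint8_t*)0x20000c59 = 0;
  *(uint8_t*)0x20000c5a = 0;
  *(uint8_t*)0x20000c5b = 0;
  *(uint8_t*)0x20000c5c = 0;
  *(uint8_t*)0x20000c5d = 0;
  *(uint8_t*)0x20000c5e = 0;
  *(uint8_t*)0x20000c5f = 0;
  *(uint8_t*)0x20000c60 = 0;
  *(uint8_t*)0x20000c61 = 0;
  *(uint8_t*)0x20000c62 = 0;
  *(uint8_t*)0x20000c63 = 0;
  *(uint8_t*)0x20000c64 = 0;
  *(uint8_t*)0x20000c65 = 0;
  *(uint8_t*)0x20000c66 = 0;
  *(uint8_t*)0x20000c67 = 0;
  *(uint8_t*)0x20000c68 = 0;
  *(uint8_t*)0x20000c69 = 0;
  *(uint8_t*)0x20000c6a = 0;
  *(uint8_t*)0x20000c6b = 0;
  *(uint8_t*)0x20000c6c = 0;
  *(uint8_t*)0x20000c6d = 0;
  *(uint8_t*)0x20000c6e = 0;
  *(uint8_t*)0x20000c6f = 0;
  *(uint8_t*)0x20000c70 = 0;
  *(uint8_t*)0x20000c71 = 0;
  *(uint8_t*)0x20000c72 = 0;
  *(uint8_t*)0x20000c73 = 0;
  *(uint8_t*)0x20000c74 = 0;
  *(uint8_t*)0x20000c75 = 0;
  *(uint8_t*)0x20000c76 = 0;
  *(uint8_t*)0x20000c77 = 0;
  *(uint8_t*)0x20000c78 = 0;
  *(uint8_t*)0x20000c79 = 0;
  *(uint8_t*)0x20000c7a = 0;
  *(uint8_t*)0x20000c7b = 0;
  *(uint8_t*)0x20000c7c = 0;
  *(uint8_t*)0x20000c7d = 0;
  *(uint8_t*)0x20000c7e = 0;
  *(uint8_t*)0x20000c7f = 0;
  *(uint8_t*)0x20000c80 = 0;
  *(uint8_t*)0x20000c81 = 0;
  *(uint8_t*)0x20000c82 = 0;
  *(uint8_t*)0x20000c83 = 0;
  *(uint8_t*)0x20000c84 = 0;
  *(uint8_t*)0x20000c85 = 0;
  *(uint8_t*)0x20000c86 = 0;
  *(uint8_t*)0x20000c87 = 0;
  *(uint8_t*)0x20000c88 = 0;
  *(uint8_t*)0x20000c89 = 0;
  *(uint8_t*)0x20000c8a = 0;
  *(uint8_t*)0x20000c8b = 0;
  *(uint8_t*)0x20000c8c = 0;
  *(uint8_t*)0x20000c8d = 0;
  *(uint8_t*)0x20000c8e = 0;
  *(uint8_t*)0x20000c8f = 0;
  *(uint8_t*)0x20000c90 = 0;
  *(uint8_t*)0x20000c91 = 0;
  *(uint8_t*)0x20000c92 = 0;
  *(uint8_t*)0x20000c93 = 0;
  *(uint8_t*)0x20000c94 = 0;
  *(uint8_t*)0x20000c95 = 0;
  *(uint8_t*)0x20000c96 = 0;
  *(uint8_t*)0x20000c97 = 0;
  *(uint8_t*)0x20000c98 = 0;
  *(uint8_t*)0x20000c99 = 0;
  *(uint8_t*)0x20000c9a = 0;
  *(uint8_t*)0x20000c9b = 0;
  *(uint8_t*)0x20000c9c = 0;
  *(uint8_t*)0x20000c9d = 0;
  *(uint8_t*)0x20000c9e = 0;
  *(uint8_t*)0x20000c9f = 0;
  *(uint8_t*)0x20000ca0 = 0;
  *(uint8_t*)0x20000ca1 = 0;
  *(uint8_t*)0x20000ca2 = 0;
  *(uint8_t*)0x20000ca3 = 0;
  *(uint8_t*)0x20000ca4 = 0;
  *(uint8_t*)0x20000ca5 = 0;
  *(uint8_t*)0x20000ca6 = 0;
  *(uint8_t*)0x20000ca7 = 0;
  *(uint8_t*)0x20000ca8 = 0;
  *(uint8_t*)0x20000ca9 = 0;
  *(uint8_t*)0x20000caa = 0;
  *(uint8_t*)0x20000cab = 0;
  *(uint8_t*)0x20000cac = 0;
  *(uint8_t*)0x20000cad = 0;
  *(uint8_t*)0x20000cae = 0;
  *(uint8_t*)0x20000caf = 0;
  *(uint8_t*)0x20000cb0 = 0;
  *(uint8_t*)0x20000cb1 = 0;
  *(uint8_t*)0x20000cb2 = 0;
  *(uint8_t*)0x20000cb3 = 0;
  *(uint8_t*)0x20000cb4 = 0;
  *(uint8_t*)0x20000cb5 = 0;
  *(uint8_t*)0x20000cb6 = 0;
  *(uint8_t*)0x20000cb7 = 0;
  *(uint8_t*)0x20000cb8 = 0;
  *(uint8_t*)0x20000cb9 = 0;
  *(uint8_t*)0x20000cba = 0;
  *(uint8_t*)0x20000cbb = 0;
  *(uint8_t*)0x20000cbc = 0;
  *(uint8_t*)0x20000cbd = 0;
  *(uint8_t*)0x20000cbe = 0;
  *(uint8_t*)0x20000cbf = 0;
  *(uint8_t*)0x20000cc0 = 0;
  *(uint8_t*)0x20000cc1 = 0;
  *(uint8_t*)0x20000cc2 = 0;
  *(uint8_t*)0x20000cc3 = 0;
  *(uint16_t*)0x20000cc4 = 0xc0;
  *(uint16_t*)0x20000cc6 = 0xe8;
  *(uint32_t*)0x20000cc8 = 0;
  *(uint64_t*)0x20000cd0 = 0;
  *(uint64_t*)0x20000cd8 = 0;
  *(uint16_t*)0x20000ce0 = 0x28;
  memcpy((void*)0x20000ce2, "\000\000\000\000\000\000\000\000\000\000\000\000"
                            "\000\000\000\000\000\000\000\000\000\000\000\000"
                            "\000\000\000\000\000",
         29);
  *(uint8_t*)0x20000cff = 0;
  *(uint32_t*)0x20000d00 = 0xfffffffe;

  // The one call under test: 0x408 bytes = 0x50 header + 0x3b8 of entries.
  // NOTE(review): the level argument has only high bits set; if the kernel
  // takes it as a 32-bit int it is 0. Option 0x60 looks like the arptables
  // "replace table" control; confirm against the UAPI headers. The return
  // value is not checked.
  syscall(__NR_setsockopt, r[0], 0xa02000000000000ul, 0x60ul, 0x20000900ul, 0x408ul);
  return 0;
}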