// https://syzkaller.appspot.com/bug?id=f4ef381349e100280193c25f24e01d9d364132d9 // autogenerated by syzkaller (http://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include __attribute__((noreturn)) static void doexit(int status) { volatile unsigned i; syscall(__NR_exit_group, status); for (i = 0;; i++) { } } #include #include #include #include #include #include #include #include #include #include const int kFailStatus = 67; const int kRetryStatus = 69; static void fail(const char* msg, ...) { int e = errno; va_list args; va_start(args, msg); vfprintf(stderr, msg, args); va_end(args); fprintf(stderr, " (errno %d)\n", e); doexit((e == ENOMEM || e == EAGAIN) ? kRetryStatus : kFailStatus); } static void exitf(const char* msg, ...) { int e = errno; va_list args; va_start(args, msg); vfprintf(stderr, msg, args); va_end(args); fprintf(stderr, " (errno %d)\n", e); doexit(kRetryStatus); } static __thread int skip_segv; static __thread jmp_buf segv_env; static void segv_handler(int sig, siginfo_t* info, void* uctx) { uintptr_t addr = (uintptr_t)info->si_addr; const uintptr_t prog_start = 1 << 20; const uintptr_t prog_end = 100 << 20; if (__atomic_load_n(&skip_segv, __ATOMIC_RELAXED) && (addr < prog_start || addr > prog_end)) { _longjmp(segv_env, 1); } doexit(sig); } static void install_segv_handler() { struct sigaction sa; memset(&sa, 0, sizeof(sa)); sa.sa_handler = SIG_IGN; syscall(SYS_rt_sigaction, 0x20, &sa, NULL, 8); syscall(SYS_rt_sigaction, 0x21, &sa, NULL, 8); memset(&sa, 0, sizeof(sa)); sa.sa_sigaction = segv_handler; sa.sa_flags = SA_NODEFER | SA_SIGINFO; sigaction(SIGSEGV, &sa, NULL); sigaction(SIGBUS, &sa, NULL); } #define NONFAILING(...) \ { \ __atomic_fetch_add(&skip_segv, 1, __ATOMIC_SEQ_CST); \ if (_setjmp(segv_env) == 0) { \ __VA_ARGS__; \ } \ __atomic_fetch_sub(&skip_segv, 1, __ATOMIC_SEQ_CST); \ } static uint64_t current_time_ms() { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) fail("clock_gettime failed"); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void use_temporary_dir() { char tmpdir_template[] = "./syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) fail("failed to mkdtemp"); if (chmod(tmpdir, 0777)) fail("failed to chmod"); if (chdir(tmpdir)) fail("failed to chdir"); } static void vsnprintf_check(char* str, size_t size, const char* format, va_list args) { int rv; rv = vsnprintf(str, size, format, args); if (rv < 0) fail("tun: snprintf failed"); if ((size_t)rv >= size) fail("tun: string '%s...' doesn't fit into buffer", str); } #define COMMAND_MAX_LEN 128 #define PATH_PREFIX \ "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin " #define PATH_PREFIX_LEN (sizeof(PATH_PREFIX) - 1) static void execute_command(bool panic, const char* format, ...) { va_list args; char command[PATH_PREFIX_LEN + COMMAND_MAX_LEN]; int rv; va_start(args, format); memcpy(command, PATH_PREFIX, PATH_PREFIX_LEN); vsnprintf_check(command + PATH_PREFIX_LEN, COMMAND_MAX_LEN, format, args); va_end(args); rv = system(command); if (rv) { if (panic) fail("command '%s' failed: %d", &command[0], rv); } } static int tunfd = -1; static int tun_frags_enabled; #define SYZ_TUN_MAX_PACKET_SIZE 1000 #define TUN_IFACE "syz_tun" #define LOCAL_MAC "aa:aa:aa:aa:aa:aa" #define REMOTE_MAC "aa:aa:aa:aa:aa:bb" #define LOCAL_IPV4 "172.20.20.170" #define REMOTE_IPV4 "172.20.20.187" #define LOCAL_IPV6 "fe80::aa" #define REMOTE_IPV6 "fe80::bb" #define IFF_NAPI 0x0010 #define IFF_NAPI_FRAGS 0x0020 static void initialize_tun(void) { tunfd = open("/dev/net/tun", O_RDWR | O_NONBLOCK); if (tunfd == -1) { printf("tun: can't open /dev/net/tun: please enable CONFIG_TUN=y\n"); printf("otherwise fuzzing or reproducing might not work as intended\n"); return; } const int kTunFd = 252; if (dup2(tunfd, kTunFd) < 0) fail("dup2(tunfd, kTunFd) failed"); close(tunfd); tunfd = kTunFd; struct ifreq ifr; memset(&ifr, 0, sizeof(ifr)); strncpy(ifr.ifr_name, TUN_IFACE, IFNAMSIZ); ifr.ifr_flags = IFF_TAP | IFF_NO_PI | IFF_NAPI | IFF_NAPI_FRAGS; if (ioctl(tunfd, TUNSETIFF, (void*)&ifr) < 0) { ifr.ifr_flags = IFF_TAP | IFF_NO_PI; if (ioctl(tunfd, TUNSETIFF, (void*)&ifr) < 0) fail("tun: ioctl(TUNSETIFF) failed"); } if (ioctl(tunfd, TUNGETIFF, (void*)&ifr) < 0) fail("tun: ioctl(TUNGETIFF) failed"); tun_frags_enabled = (ifr.ifr_flags & IFF_NAPI_FRAGS) != 0; execute_command(1, "sysctl -w net.ipv6.conf.%s.accept_dad=0", TUN_IFACE); execute_command(1, "sysctl -w net.ipv6.conf.%s.router_solicitations=0", TUN_IFACE); execute_command(1, "ip link set dev %s address %s", TUN_IFACE, LOCAL_MAC); execute_command(1, "ip addr add %s/24 dev %s", LOCAL_IPV4, TUN_IFACE); execute_command(1, "ip -6 addr add %s/120 dev %s", LOCAL_IPV6, TUN_IFACE); execute_command(1, "ip neigh add %s lladdr %s dev %s nud permanent", REMOTE_IPV4, REMOTE_MAC, TUN_IFACE); execute_command(1, "ip -6 neigh add %s lladdr %s dev %s nud permanent", REMOTE_IPV6, REMOTE_MAC, TUN_IFACE); execute_command(1, "ip link set dev %s up", TUN_IFACE); } #define DEV_IPV4 "172.20.20.%d" #define DEV_IPV6 "fe80::%02hx" #define DEV_MAC "aa:aa:aa:aa:aa:%02hx" static void snprintf_check(char* str, size_t size, const char* format, ...) { va_list args; va_start(args, format); vsnprintf_check(str, size, format, args); va_end(args); } static void initialize_netdevices(void) { unsigned i; const char* devtypes[] = {"ip6gretap", "bridge", "vcan", "bond", "team"}; const char* devnames[] = {"lo", "sit0", "bridge0", "vcan0", "tunl0", "gre0", "gretap0", "ip_vti0", "ip6_vti0", "ip6tnl0", "ip6gre0", "ip6gretap0", "erspan0", "bond0", "veth0", "veth1", "team0", "veth0_to_bridge", "veth1_to_bridge", "veth0_to_bond", "veth1_to_bond", "veth0_to_team", "veth1_to_team"}; const char* devmasters[] = {"bridge", "bond", "team"}; for (i = 0; i < sizeof(devtypes) / (sizeof(devtypes[0])); i++) execute_command(0, "ip link add dev %s0 type %s", devtypes[i], devtypes[i]); execute_command(0, "ip link add type veth"); for (i = 0; i < sizeof(devmasters) / (sizeof(devmasters[0])); i++) { execute_command( 0, "ip link add name %s_slave_0 type veth peer name veth0_to_%s", devmasters[i], devmasters[i]); execute_command( 0, "ip link add name %s_slave_1 type veth peer name veth1_to_%s", devmasters[i], devmasters[i]); execute_command(0, "ip link set %s_slave_0 master %s0", devmasters[i], devmasters[i]); execute_command(0, "ip link set %s_slave_1 master %s0", devmasters[i], devmasters[i]); execute_command(0, "ip link set veth0_to_%s up", devmasters[i]); execute_command(0, "ip link set veth1_to_%s up", devmasters[i]); } execute_command(0, "ip link set bridge_slave_0 up"); execute_command(0, "ip link set bridge_slave_1 up"); for (i = 0; i < sizeof(devnames) / (sizeof(devnames[0])); i++) { char addr[32]; snprintf_check(addr, sizeof(addr), DEV_IPV4, i + 10); execute_command(0, "ip -4 addr add %s/24 dev %s", addr, devnames[i]); snprintf_check(addr, sizeof(addr), DEV_IPV6, i + 10); execute_command(0, "ip -6 addr add %s/120 dev %s", addr, devnames[i]); snprintf_check(addr, sizeof(addr), DEV_MAC, i + 10); execute_command(0, "ip link set dev %s address %s", devnames[i], addr); execute_command(0, "ip link set dev %s up", devnames[i]); } } static int read_tun(char* data, int size) { if (tunfd < 0) return -1; int rv = read(tunfd, data, size); if (rv < 0) { if (errno == EAGAIN) return -1; if (errno == EBADFD) return -1; fail("tun: read failed with %d", rv); } return rv; } #define MAX_FRAGS 4 struct vnet_fragmentation { uint32_t full; uint32_t count; uint32_t frags[MAX_FRAGS]; }; static uintptr_t syz_emit_ethernet(uintptr_t a0, uintptr_t a1, uintptr_t a2) { if (tunfd < 0) return (uintptr_t)-1; uint32_t length = a0; char* data = (char*)a1; struct vnet_fragmentation* frags = (struct vnet_fragmentation*)a2; struct iovec vecs[MAX_FRAGS + 1]; uint32_t nfrags = 0; if (!tun_frags_enabled || frags == NULL) { vecs[nfrags].iov_base = data; vecs[nfrags].iov_len = length; nfrags++; } else { bool full = true; uint32_t i, count = 0; NONFAILING(full = frags->full); NONFAILING(count = frags->count); if (count > MAX_FRAGS) count = MAX_FRAGS; for (i = 0; i < count && length != 0; i++) { uint32_t size = 0; NONFAILING(size = frags->frags[i]); if (size > length) size = length; vecs[nfrags].iov_base = data; vecs[nfrags].iov_len = size; nfrags++; data += size; length -= size; } if (length != 0 && (full || nfrags == 0)) { vecs[nfrags].iov_base = data; vecs[nfrags].iov_len = length; nfrags++; } } return writev(tunfd, vecs, nfrags); } static void flush_tun() { char data[SYZ_TUN_MAX_PACKET_SIZE]; while (read_tun(&data[0], sizeof(data)) != -1) ; } struct ipv6hdr { __u8 priority : 4, version : 4; __u8 flow_lbl[3]; __be16 payload_len; __u8 nexthdr; __u8 hop_limit; struct in6_addr saddr; struct in6_addr daddr; }; struct tcp_resources { uint32_t seq; uint32_t ack; }; static uintptr_t syz_extract_tcp_res(uintptr_t a0, uintptr_t a1, uintptr_t a2) { if (tunfd < 0) return (uintptr_t)-1; char data[SYZ_TUN_MAX_PACKET_SIZE]; int rv = read_tun(&data[0], sizeof(data)); if (rv == -1) return (uintptr_t)-1; size_t length = rv; struct tcphdr* tcphdr; if (length < sizeof(struct ethhdr)) return (uintptr_t)-1; struct ethhdr* ethhdr = (struct ethhdr*)&data[0]; if (ethhdr->h_proto == htons(ETH_P_IP)) { if (length < sizeof(struct ethhdr) + sizeof(struct iphdr)) return (uintptr_t)-1; struct iphdr* iphdr = (struct iphdr*)&data[sizeof(struct ethhdr)]; if (iphdr->protocol != IPPROTO_TCP) return (uintptr_t)-1; if (length < sizeof(struct ethhdr) + iphdr->ihl * 4 + sizeof(struct tcphdr)) return (uintptr_t)-1; tcphdr = (struct tcphdr*)&data[sizeof(struct ethhdr) + iphdr->ihl * 4]; } else { if (length < sizeof(struct ethhdr) + sizeof(struct ipv6hdr)) return (uintptr_t)-1; struct ipv6hdr* ipv6hdr = (struct ipv6hdr*)&data[sizeof(struct ethhdr)]; if (ipv6hdr->nexthdr != IPPROTO_TCP) return (uintptr_t)-1; if (length < sizeof(struct ethhdr) + sizeof(struct ipv6hdr) + sizeof(struct tcphdr)) return (uintptr_t)-1; tcphdr = (struct tcphdr*)&data[sizeof(struct ethhdr) + sizeof(struct ipv6hdr)]; } struct tcp_resources* res = (struct tcp_resources*)a0; NONFAILING(res->seq = htonl((ntohl(tcphdr->seq) + (uint32_t)a1))); NONFAILING(res->ack = htonl((ntohl(tcphdr->ack_seq) + (uint32_t)a2))); return 0; } static bool write_file(const char* file, const char* what, ...) { char buf[1024]; va_list args; va_start(args, what); vsnprintf(buf, sizeof(buf), what, args); va_end(args); buf[sizeof(buf) - 1] = 0; int len = strlen(buf); int fd = open(file, O_WRONLY | O_CLOEXEC); if (fd == -1) return false; if (write(fd, buf, len) != len) { int err = errno; close(fd); errno = err; return false; } close(fd); return true; } static void setup_cgroups() { if (mkdir("/syzcgroup", 0777)) { } if (mkdir("/syzcgroup/unified", 0777)) { } if (mount("none", "/syzcgroup/unified", "cgroup2", 0, NULL)) { } if (chmod("/syzcgroup/unified", 0777)) { } if (!write_file("/syzcgroup/unified/cgroup.subtree_control", "+cpu +memory +io +pids +rdma")) { } if (mkdir("/syzcgroup/cpu", 0777)) { } if (mount("none", "/syzcgroup/cpu", "cgroup", 0, "cpuset,cpuacct,perf_event,hugetlb")) { } if (!write_file("/syzcgroup/cpu/cgroup.clone_children", "1")) { } if (chmod("/syzcgroup/cpu", 0777)) { } if (mkdir("/syzcgroup/net", 0777)) { } if (mount("none", "/syzcgroup/net", "cgroup", 0, "net_cls,net_prio,devices,freezer")) { } if (chmod("/syzcgroup/net", 0777)) { } } static void setup_binfmt_misc() { if (!write_file("/proc/sys/fs/binfmt_misc/register", ":syz0:M:0:syz0::./file0:")) { } if (!write_file("/proc/sys/fs/binfmt_misc/register", ":syz1:M:1:yz1::./file0:POC")) { } } static void loop(); static void sandbox_common() { prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); setpgrp(); setsid(); struct rlimit rlim; rlim.rlim_cur = rlim.rlim_max = 160 << 20; setrlimit(RLIMIT_AS, &rlim); rlim.rlim_cur = rlim.rlim_max = 8 << 20; setrlimit(RLIMIT_MEMLOCK, &rlim); rlim.rlim_cur = rlim.rlim_max = 136 << 20; setrlimit(RLIMIT_FSIZE, &rlim); rlim.rlim_cur = rlim.rlim_max = 1 << 20; setrlimit(RLIMIT_STACK, &rlim); rlim.rlim_cur = rlim.rlim_max = 0; setrlimit(RLIMIT_CORE, &rlim); if (unshare(CLONE_NEWNS)) { } if (unshare(CLONE_NEWIPC)) { } if (unshare(0x02000000)) { } if (unshare(CLONE_NEWUTS)) { } if (unshare(CLONE_SYSVSEM)) { } } static int do_sandbox_none(void) { if (unshare(CLONE_NEWPID)) { } int pid = fork(); if (pid < 0) fail("sandbox fork failed"); if (pid) return pid; setup_cgroups(); setup_binfmt_misc(); sandbox_common(); if (unshare(CLONE_NEWNET)) { } initialize_tun(); initialize_netdevices(); loop(); doexit(1); } #define XT_TABLE_SIZE 1536 #define XT_MAX_ENTRIES 10 struct xt_counters { uint64_t pcnt, bcnt; }; struct ipt_getinfo { char name[32]; unsigned int valid_hooks; unsigned int hook_entry[5]; unsigned int underflow[5]; unsigned int num_entries; unsigned int size; }; struct ipt_get_entries { char name[32]; unsigned int size; void* entrytable[XT_TABLE_SIZE / sizeof(void*)]; }; struct ipt_replace { char name[32]; unsigned int valid_hooks; unsigned int num_entries; unsigned int size; unsigned int hook_entry[5]; unsigned int underflow[5]; unsigned int num_counters; struct xt_counters* counters; char entrytable[XT_TABLE_SIZE]; }; struct ipt_table_desc { const char* name; struct ipt_getinfo info; struct ipt_replace replace; }; static struct ipt_table_desc ipv4_tables[] = { {.name = "filter"}, {.name = "nat"}, {.name = "mangle"}, {.name = "raw"}, {.name = "security"}, }; static struct ipt_table_desc ipv6_tables[] = { {.name = "filter"}, {.name = "nat"}, {.name = "mangle"}, {.name = "raw"}, {.name = "security"}, }; #define IPT_BASE_CTL 64 #define IPT_SO_SET_REPLACE (IPT_BASE_CTL) #define IPT_SO_GET_INFO (IPT_BASE_CTL) #define IPT_SO_GET_ENTRIES (IPT_BASE_CTL + 1) struct arpt_getinfo { char name[32]; unsigned int valid_hooks; unsigned int hook_entry[3]; unsigned int underflow[3]; unsigned int num_entries; unsigned int size; }; struct arpt_get_entries { char name[32]; unsigned int size; void* entrytable[XT_TABLE_SIZE / sizeof(void*)]; }; struct arpt_replace { char name[32]; unsigned int valid_hooks; unsigned int num_entries; unsigned int size; unsigned int hook_entry[3]; unsigned int underflow[3]; unsigned int num_counters; struct xt_counters* counters; char entrytable[XT_TABLE_SIZE]; }; struct arpt_table_desc { const char* name; struct arpt_getinfo info; struct arpt_replace replace; }; static struct arpt_table_desc arpt_tables[] = { {.name = "filter"}, }; #define ARPT_BASE_CTL 96 #define ARPT_SO_SET_REPLACE (ARPT_BASE_CTL) #define ARPT_SO_GET_INFO (ARPT_BASE_CTL) #define ARPT_SO_GET_ENTRIES (ARPT_BASE_CTL + 1) static void checkpoint_iptables(struct ipt_table_desc* tables, int num_tables, int family, int level) { struct ipt_get_entries entries; socklen_t optlen; int fd, i; fd = socket(family, SOCK_STREAM, IPPROTO_TCP); if (fd == -1) { switch (errno) { case EAFNOSUPPORT: case ENOPROTOOPT: return; } fail("socket(%d, SOCK_STREAM, IPPROTO_TCP)", family); } for (i = 0; i < num_tables; i++) { struct ipt_table_desc* table = &tables[i]; strcpy(table->info.name, table->name); strcpy(table->replace.name, table->name); optlen = sizeof(table->info); if (getsockopt(fd, level, IPT_SO_GET_INFO, &table->info, &optlen)) { switch (errno) { case EPERM: case ENOENT: case ENOPROTOOPT: continue; } fail("getsockopt(IPT_SO_GET_INFO)"); } if (table->info.size > sizeof(table->replace.entrytable)) fail("table size is too large: %u", table->info.size); if (table->info.num_entries > XT_MAX_ENTRIES) fail("too many counters: %u", table->info.num_entries); memset(&entries, 0, sizeof(entries)); strcpy(entries.name, table->name); entries.size = table->info.size; optlen = sizeof(entries) - sizeof(entries.entrytable) + table->info.size; if (getsockopt(fd, level, IPT_SO_GET_ENTRIES, &entries, &optlen)) fail("getsockopt(IPT_SO_GET_ENTRIES)"); table->replace.valid_hooks = table->info.valid_hooks; table->replace.num_entries = table->info.num_entries; table->replace.size = table->info.size; memcpy(table->replace.hook_entry, table->info.hook_entry, sizeof(table->replace.hook_entry)); memcpy(table->replace.underflow, table->info.underflow, sizeof(table->replace.underflow)); memcpy(table->replace.entrytable, entries.entrytable, table->info.size); } close(fd); } static void reset_iptables(struct ipt_table_desc* tables, int num_tables, int family, int level) { struct xt_counters counters[XT_MAX_ENTRIES]; struct ipt_get_entries entries; struct ipt_getinfo info; socklen_t optlen; int fd, i; fd = socket(family, SOCK_STREAM, IPPROTO_TCP); if (fd == -1) { switch (errno) { case EAFNOSUPPORT: case ENOPROTOOPT: return; } fail("socket(%d, SOCK_STREAM, IPPROTO_TCP)", family); } for (i = 0; i < num_tables; i++) { struct ipt_table_desc* table = &tables[i]; if (table->info.valid_hooks == 0) continue; memset(&info, 0, sizeof(info)); strcpy(info.name, table->name); optlen = sizeof(info); if (getsockopt(fd, level, IPT_SO_GET_INFO, &info, &optlen)) fail("getsockopt(IPT_SO_GET_INFO)"); if (memcmp(&table->info, &info, sizeof(table->info)) == 0) { memset(&entries, 0, sizeof(entries)); strcpy(entries.name, table->name); entries.size = table->info.size; optlen = sizeof(entries) - sizeof(entries.entrytable) + entries.size; if (getsockopt(fd, level, IPT_SO_GET_ENTRIES, &entries, &optlen)) fail("getsockopt(IPT_SO_GET_ENTRIES)"); if (memcmp(table->replace.entrytable, entries.entrytable, table->info.size) == 0) continue; } table->replace.num_counters = info.num_entries; table->replace.counters = counters; optlen = sizeof(table->replace) - sizeof(table->replace.entrytable) + table->replace.size; if (setsockopt(fd, level, IPT_SO_SET_REPLACE, &table->replace, optlen)) fail("setsockopt(IPT_SO_SET_REPLACE)"); } close(fd); } static void checkpoint_arptables(void) { struct arpt_get_entries entries; socklen_t optlen; unsigned i; int fd; fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); if (fd == -1) fail("socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)"); for (i = 0; i < sizeof(arpt_tables) / sizeof(arpt_tables[0]); i++) { struct arpt_table_desc* table = &arpt_tables[i]; strcpy(table->info.name, table->name); strcpy(table->replace.name, table->name); optlen = sizeof(table->info); if (getsockopt(fd, SOL_IP, ARPT_SO_GET_INFO, &table->info, &optlen)) { switch (errno) { case EPERM: case ENOENT: case ENOPROTOOPT: continue; } fail("getsockopt(ARPT_SO_GET_INFO)"); } if (table->info.size > sizeof(table->replace.entrytable)) fail("table size is too large: %u", table->info.size); if (table->info.num_entries > XT_MAX_ENTRIES) fail("too many counters: %u", table->info.num_entries); memset(&entries, 0, sizeof(entries)); strcpy(entries.name, table->name); entries.size = table->info.size; optlen = sizeof(entries) - sizeof(entries.entrytable) + table->info.size; if (getsockopt(fd, SOL_IP, ARPT_SO_GET_ENTRIES, &entries, &optlen)) fail("getsockopt(ARPT_SO_GET_ENTRIES)"); table->replace.valid_hooks = table->info.valid_hooks; table->replace.num_entries = table->info.num_entries; table->replace.size = table->info.size; memcpy(table->replace.hook_entry, table->info.hook_entry, sizeof(table->replace.hook_entry)); memcpy(table->replace.underflow, table->info.underflow, sizeof(table->replace.underflow)); memcpy(table->replace.entrytable, entries.entrytable, table->info.size); } close(fd); } static void reset_arptables() { struct xt_counters counters[XT_MAX_ENTRIES]; struct arpt_get_entries entries; struct arpt_getinfo info; socklen_t optlen; unsigned i; int fd; fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); if (fd == -1) fail("socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)"); for (i = 0; i < sizeof(arpt_tables) / sizeof(arpt_tables[0]); i++) { struct arpt_table_desc* table = &arpt_tables[i]; if (table->info.valid_hooks == 0) continue; memset(&info, 0, sizeof(info)); strcpy(info.name, table->name); optlen = sizeof(info); if (getsockopt(fd, SOL_IP, ARPT_SO_GET_INFO, &info, &optlen)) fail("getsockopt(ARPT_SO_GET_INFO)"); if (memcmp(&table->info, &info, sizeof(table->info)) == 0) { memset(&entries, 0, sizeof(entries)); strcpy(entries.name, table->name); entries.size = table->info.size; optlen = sizeof(entries) - sizeof(entries.entrytable) + entries.size; if (getsockopt(fd, SOL_IP, ARPT_SO_GET_ENTRIES, &entries, &optlen)) fail("getsockopt(ARPT_SO_GET_ENTRIES)"); if (memcmp(table->replace.entrytable, entries.entrytable, table->info.size) == 0) continue; } table->replace.num_counters = info.num_entries; table->replace.counters = counters; optlen = sizeof(table->replace) - sizeof(table->replace.entrytable) + table->replace.size; if (setsockopt(fd, SOL_IP, ARPT_SO_SET_REPLACE, &table->replace, optlen)) fail("setsockopt(ARPT_SO_SET_REPLACE)"); } close(fd); } #include #include struct ebt_table_desc { const char* name; struct ebt_replace replace; char entrytable[XT_TABLE_SIZE]; }; static struct ebt_table_desc ebt_tables[] = { {.name = "filter"}, {.name = "nat"}, {.name = "broute"}, }; static void checkpoint_ebtables(void) { socklen_t optlen; unsigned i; int fd; fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); if (fd == -1) fail("socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)"); for (i = 0; i < sizeof(ebt_tables) / sizeof(ebt_tables[0]); i++) { struct ebt_table_desc* table = &ebt_tables[i]; strcpy(table->replace.name, table->name); optlen = sizeof(table->replace); if (getsockopt(fd, SOL_IP, EBT_SO_GET_INIT_INFO, &table->replace, &optlen)) { switch (errno) { case EPERM: case ENOENT: case ENOPROTOOPT: continue; } fail("getsockopt(EBT_SO_GET_INIT_INFO)"); } if (table->replace.entries_size > sizeof(table->entrytable)) fail("table size is too large: %u", table->replace.entries_size); table->replace.num_counters = 0; table->replace.entries = table->entrytable; optlen = sizeof(table->replace) + table->replace.entries_size; if (getsockopt(fd, SOL_IP, EBT_SO_GET_INIT_ENTRIES, &table->replace, &optlen)) fail("getsockopt(EBT_SO_GET_INIT_ENTRIES)"); } close(fd); } static void reset_ebtables() { struct ebt_replace replace; char entrytable[XT_TABLE_SIZE]; socklen_t optlen; unsigned i, j, h; int fd; fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); if (fd == -1) fail("socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)"); for (i = 0; i < sizeof(ebt_tables) / sizeof(ebt_tables[0]); i++) { struct ebt_table_desc* table = &ebt_tables[i]; if (table->replace.valid_hooks == 0) continue; memset(&replace, 0, sizeof(replace)); strcpy(replace.name, table->name); optlen = sizeof(replace); if (getsockopt(fd, SOL_IP, EBT_SO_GET_INFO, &replace, &optlen)) fail("getsockopt(EBT_SO_GET_INFO)"); replace.num_counters = 0; table->replace.entries = 0; for (h = 0; h < NF_BR_NUMHOOKS; h++) table->replace.hook_entry[h] = 0; if (memcmp(&table->replace, &replace, sizeof(table->replace)) == 0) { memset(&entrytable, 0, sizeof(entrytable)); replace.entries = entrytable; optlen = sizeof(replace) + replace.entries_size; if (getsockopt(fd, SOL_IP, EBT_SO_GET_ENTRIES, &replace, &optlen)) fail("getsockopt(EBT_SO_GET_ENTRIES)"); if (memcmp(table->entrytable, entrytable, replace.entries_size) == 0) continue; } for (j = 0, h = 0; h < NF_BR_NUMHOOKS; h++) { if (table->replace.valid_hooks & (1 << h)) { table->replace.hook_entry[h] = (struct ebt_entries*)table->entrytable + j; j++; } } table->replace.entries = table->entrytable; optlen = sizeof(table->replace) + table->replace.entries_size; if (setsockopt(fd, SOL_IP, EBT_SO_SET_ENTRIES, &table->replace, optlen)) fail("setsockopt(EBT_SO_SET_ENTRIES)"); } close(fd); } static void checkpoint_net_namespace(void) { checkpoint_ebtables(); checkpoint_arptables(); checkpoint_iptables(ipv4_tables, sizeof(ipv4_tables) / sizeof(ipv4_tables[0]), AF_INET, SOL_IP); checkpoint_iptables(ipv6_tables, sizeof(ipv6_tables) / sizeof(ipv6_tables[0]), AF_INET6, SOL_IPV6); } static void reset_net_namespace(void) { reset_ebtables(); reset_arptables(); reset_iptables(ipv4_tables, sizeof(ipv4_tables) / sizeof(ipv4_tables[0]), AF_INET, SOL_IP); reset_iptables(ipv6_tables, sizeof(ipv6_tables) / sizeof(ipv6_tables[0]), AF_INET6, SOL_IPV6); } static void remove_dir(const char* dir) { DIR* dp; struct dirent* ep; int iter = 0; retry: while (umount2(dir, MNT_DETACH) == 0) { } dp = opendir(dir); if (dp == NULL) { if (errno == EMFILE) { exitf("opendir(%s) failed due to NOFILE, exiting", dir); } exitf("opendir(%s) failed", dir); } while ((ep = readdir(dp))) { if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0) continue; char filename[FILENAME_MAX]; snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name); struct stat st; if (lstat(filename, &st)) exitf("lstat(%s) failed", filename); if (S_ISDIR(st.st_mode)) { remove_dir(filename); continue; } int i; for (i = 0;; i++) { if (unlink(filename) == 0) break; if (errno == EROFS) { break; } if (errno != EBUSY || i > 100) exitf("unlink(%s) failed", filename); if (umount2(filename, MNT_DETACH)) exitf("umount(%s) failed", filename); } } closedir(dp); int i; for (i = 0;; i++) { if (rmdir(dir) == 0) break; if (i < 100) { if (errno == EROFS) { break; } if (errno == EBUSY) { if (umount2(dir, MNT_DETACH)) exitf("umount(%s) failed", dir); continue; } if (errno == ENOTEMPTY) { if (iter < 100) { iter++; goto retry; } } } exitf("rmdir(%s) failed", dir); } } static void execute_one(); extern unsigned long long procid; static void loop() { checkpoint_net_namespace(); char cgroupdir[64]; snprintf(cgroupdir, sizeof(cgroupdir), "/syzcgroup/unified/syz%llu", procid); char cgroupdir_cpu[64]; snprintf(cgroupdir_cpu, sizeof(cgroupdir_cpu), "/syzcgroup/cpu/syz%llu", procid); char cgroupdir_net[64]; snprintf(cgroupdir_net, sizeof(cgroupdir_net), "/syzcgroup/net/syz%llu", procid); if (mkdir(cgroupdir, 0777)) { } if (mkdir(cgroupdir_cpu, 0777)) { } if (mkdir(cgroupdir_net, 0777)) { } int pid = getpid(); char procs_file[128]; snprintf(procs_file, sizeof(procs_file), "%s/cgroup.procs", cgroupdir); if (!write_file(procs_file, "%d", pid)) { } snprintf(procs_file, sizeof(procs_file), "%s/cgroup.procs", cgroupdir_cpu); if (!write_file(procs_file, "%d", pid)) { } snprintf(procs_file, sizeof(procs_file), "%s/cgroup.procs", cgroupdir_net); if (!write_file(procs_file, "%d", pid)) { } int iter; for (iter = 0;; iter++) { char cwdbuf[32]; sprintf(cwdbuf, "./%d", iter); if (mkdir(cwdbuf, 0777)) fail("failed to mkdir"); int pid = fork(); if (pid < 0) fail("clone failed"); if (pid == 0) { prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); setpgrp(); if (chdir(cwdbuf)) fail("failed to chdir"); if (symlink(cgroupdir, "./cgroup")) { } if (symlink(cgroupdir_cpu, "./cgroup.cpu")) { } if (symlink(cgroupdir_net, "./cgroup.net")) { } flush_tun(); execute_one(); doexit(0); } int status = 0; uint64_t start = current_time_ms(); for (;;) { int res = waitpid(-1, &status, __WALL | WNOHANG); if (res == pid) { break; } usleep(1000); if (current_time_ms() - start < 3 * 1000) continue; kill(-pid, SIGKILL); kill(pid, SIGKILL); while (waitpid(-1, &status, __WALL) != pid) { } break; } remove_dir(cwdbuf); reset_net_namespace(); } } struct thread_t { int created, running, call; pthread_t th; }; static struct thread_t threads[16]; static void execute_call(int call); static int running; static int collide; static void* thr(void* arg) { struct thread_t* th = (struct thread_t*)arg; for (;;) { while (!__atomic_load_n(&th->running, __ATOMIC_ACQUIRE)) syscall(SYS_futex, &th->running, FUTEX_WAIT, 0, 0); execute_call(th->call); __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED); __atomic_store_n(&th->running, 0, __ATOMIC_RELEASE); syscall(SYS_futex, &th->running, FUTEX_WAKE); } return 0; } static void execute(int num_calls) { int call, thread; running = 0; for (call = 0; call < num_calls; call++) { for (thread = 0; thread < sizeof(threads) / sizeof(threads[0]); thread++) { struct thread_t* th = &threads[thread]; if (!th->created) { th->created = 1; pthread_attr_t attr; pthread_attr_init(&attr); pthread_attr_setstacksize(&attr, 128 << 10); pthread_create(&th->th, &attr, thr, th); } if (!__atomic_load_n(&th->running, __ATOMIC_ACQUIRE)) { th->call = call; __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED); __atomic_store_n(&th->running, 1, __ATOMIC_RELEASE); syscall(SYS_futex, &th->running, FUTEX_WAKE); if (collide && call % 2) break; struct timespec ts; ts.tv_sec = 0; ts.tv_nsec = 20 * 1000 * 1000; syscall(SYS_futex, &th->running, FUTEX_WAIT, 1, &ts); if (running) usleep((call == num_calls - 1) ? 10000 : 1000); break; } } } } uint64_t r[26] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0x0}; unsigned long long procid; void execute_call(int call) { long res; switch (call) { case 0: res = syscall(__NR_socket, 0x40000000015, 5, 0); if (res != -1) r[0] = res; break; case 1: NONFAILING(*(uint32_t*)0x206dbffc = 0); syscall(__NR_setsockopt, r[0], 1, 8, 0x206dbffc, 4); break; case 2: NONFAILING(*(uint16_t*)0x208a5ff0 = 2); NONFAILING(*(uint16_t*)0x208a5ff2 = htobe16(0x4e20)); NONFAILING(*(uint32_t*)0x208a5ff4 = htobe32(0x7f000001)); NONFAILING(*(uint8_t*)0x208a5ff8 = 0); NONFAILING(*(uint8_t*)0x208a5ff9 = 0); NONFAILING(*(uint8_t*)0x208a5ffa = 0); NONFAILING(*(uint8_t*)0x208a5ffb = 0); NONFAILING(*(uint8_t*)0x208a5ffc = 0); NONFAILING(*(uint8_t*)0x208a5ffd = 0); NONFAILING(*(uint8_t*)0x208a5ffe = 0); NONFAILING(*(uint8_t*)0x208a5fff = 0); syscall(__NR_bind, r[0], 0x208a5ff0, 0x10); break; case 3: NONFAILING(memcpy( (void*)0x20f7db7f, "\xba\x67\x13\x68\xd1\x01\x00\x00\x00\x49\x00\x00\x00\x01\x00\x00\x00" "\x01\x8b\xe4\x9e\x93\x01\x44\x28\x65\x31\x99\x97\xd0\xef\xdb\x2f\x54" "\xb6\xa1\x0c\x73\x27\x75\x74\x82\xbf\xce\x94\x5c\x2a\x91\xfb\x8d\xfa" "\xfc\x1d\x3f\x56\xbc\x54\x3a\xb8\x73\x21\xe1\x2c\xca\x08\xa7\x44\xa2" "\xd1\x28\xb0\x06\x34\xbc\x88\x21\x51\xd3\x68\x09\x22\x9a\x96\xbc\x34" "\x37\xef\x15\x94\x89\x38\x4a\xde\x07\x7b\xa2\x95\xea\xc2\x88\x2d\xbf" "\xd3\x78\x1d\xd4\xd4\xe6\x09\xc4\x26\x28\xdb\xb7\x09\xb3\xeb\x1f\xa0" "\x30\x00\x90\x45\xdd\x98\xb9\xe6\xd7\x7b\x6c\xec\x9c\xeb\x68\x55\x95" "\xd4\x39\x95\xe0\xf0\x4c\x32\x26\x09\x43\xad\xd7\x98\x31\xe6\x61\xc6" "\xa3\x51\xde\xdc\x8b\x9d\x22\x0f\xbf\x9f\xb6\xe4\x4f\xb6\xa6\x29\xce" "\x9a\x82\x02\x51\x24\xfe\xc9\xf3\xee\x75\x1f\x7d\xa0\xcd\x7e\x79\x9b" "\xe8\x8d\xdb\xda\xc2\x0b\x48\xe8\x90\xff\x81\xd7\xfa\x28\xc2\xd0\x17" "\xd7\x93\x2f\x25\x69\x03\x87\x40\x46\x1a\xcc\xd4\x58\x2f\x57\x6e\x4f" "\xdb\x61\x50\xa3\x39\x9f\x82\x66\xbc\x19\xeb\x94\x36\x48\xad\x1a\xd8" "\x14\x20\xed\x6c\x38\x24\x36\xe4\x74\x39\x0c\x89\x95\xe8\x29\xe4\xf9" "\xdf\x43", 257)); NONFAILING(*(uint16_t*)0x20000200 = 2); NONFAILING(*(uint16_t*)0x20000202 = htobe16(0x4e20)); NONFAILING(*(uint32_t*)0x20000204 = htobe32(0x7f000001)); NONFAILING(*(uint8_t*)0x20000208 = 0); NONFAILING(*(uint8_t*)0x20000209 = 0); NONFAILING(*(uint8_t*)0x2000020a = 0); NONFAILING(*(uint8_t*)0x2000020b = 0); NONFAILING(*(uint8_t*)0x2000020c = 0); NONFAILING(*(uint8_t*)0x2000020d = 0); NONFAILING(*(uint8_t*)0x2000020e = 0); NONFAILING(*(uint8_t*)0x2000020f = 0); syscall(__NR_sendto, r[0], 0x20f7db7f, 0x101, 0, 0x20000200, 0x10); break; case 4: NONFAILING(*(uint16_t*)0x202b4000 = 2); NONFAILING(*(uint16_t*)0x202b4002 = htobe16(0x4e20)); NONFAILING(*(uint32_t*)0x202b4004 = htobe32(0x7f000001)); NONFAILING(*(uint8_t*)0x202b4008 = 0); NONFAILING(*(uint8_t*)0x202b4009 = 0); NONFAILING(*(uint8_t*)0x202b400a = 0); NONFAILING(*(uint8_t*)0x202b400b = 0); NONFAILING(*(uint8_t*)0x202b400c = 0); NONFAILING(*(uint8_t*)0x202b400d = 0); NONFAILING(*(uint8_t*)0x202b400e = 0); NONFAILING(*(uint8_t*)0x202b400f = 0); syscall(__NR_sendto, r[0], 0x204b3fff, 0x380, 0, 0x202b4000, 0x10); break; case 5: NONFAILING(*(uint16_t*)0x20000000 = 0x1d); NONFAILING(*(uint32_t*)0x20000004 = 0); NONFAILING(*(uint32_t*)0x20000008 = 0); NONFAILING(*(uint32_t*)0x2000000c = 0); syscall(__NR_connect, r[0], 0x20000000, 0x10); break; case 6: res = syscall(__NR_socket, 0xa, 1, 0); if (res != -1) r[1] = res; break; case 7: NONFAILING(*(uint32_t*)0x20002080 = 0x60); res = syscall(__NR_accept, -1, 0x20002000, 0x20002080); if (res != -1) r[2] = res; break; case 8: NONFAILING(*(uint16_t*)0x200020c0 = 0x27); NONFAILING(*(uint32_t*)0x200020c4 = 1); NONFAILING(*(uint32_t*)0x200020c8 = 2); NONFAILING(*(uint32_t*)0x200020cc = 0); NONFAILING(*(uint8_t*)0x200020d0 = -1); NONFAILING(*(uint8_t*)0x200020d1 = 5); NONFAILING(memcpy((void*)0x200020d2, "\x76\x5f\xd1\x6b\x79\x03\x9a\x5b\xf2\x0b\x75\x08\xc8\x2d" "\x6a\xfb\x5f\x90\x59\x63\x6c\x46\x41\x94\x50\x72\x0a\x96" "\x9b\xf1\xdb\x60\x08\xa0\x65\x67\xa6\x0b\x3b\xa3\xbb\xdc" "\x94\x92\xf9\xe6\xf1\x5b\xf6\xab\x8b\x9c\x00\x9d\x19\x4c" "\x07\x04\x73\x6f\x63\x95\x90", 63)); NONFAILING(*(uint64_t*)0x20002118 = 0x36); syscall(__NR_connect, r[2], 0x200020c0, 0x60); break; case 9: syz_extract_tcp_res(0x20000040, 0, 0); break; case 10: res = syscall(__NR_socket, 0xa, 0x1000000000002, 0); if (res != -1) r[3] = res; break; case 11: syscall(__NR_ioctl, r[3], 0x8912, 0x20000280); break; case 12: syscall(__NR_unshare, 0x40000000); break; case 13: NONFAILING(memcpy((void*)0x20000040, "\x66\x69\x6c\x74\x65\x72\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00", 32)); NONFAILING(*(uint32_t*)0x20000060 = 4); NONFAILING(*(uint64_t*)0x20000068 = 0); NONFAILING(*(uint64_t*)0x20000070 = 0); NONFAILING(*(uint64_t*)0x20000078 = 0); NONFAILING(*(uint64_t*)0x20000080 = 0); NONFAILING(*(uint64_t*)0x20000088 = 0); NONFAILING(*(uint64_t*)0x20000090 = 0); NONFAILING(*(uint64_t*)0x20000098 = 0); NONFAILING(*(uint64_t*)0x200000a0 = 0); syscall(__NR_setsockopt, -1, 0, 0x41, 0x20000040, 0x68); break; case 14: NONFAILING(memcpy((void*)0x20000080, "\x29\x5e\xd2\x77\xa4\x20\x01\x00\x36\x00\x70", 11)); syscall(__NR_ioctl, r[1], 0x8912, 0x20000080); break; case 15: NONFAILING(*(uint16_t*)0x200004c0 = 0xa); NONFAILING(*(uint16_t*)0x200004c2 = htobe16(0)); NONFAILING(*(uint32_t*)0x200004c4 = 0); NONFAILING(*(uint8_t*)0x200004c8 = 0xfe); NONFAILING(*(uint8_t*)0x200004c9 = 0x80); NONFAILING(*(uint8_t*)0x200004ca = 0); NONFAILING(*(uint8_t*)0x200004cb = 0); NONFAILING(*(uint8_t*)0x200004cc = 0); NONFAILING(*(uint8_t*)0x200004cd = 0); NONFAILING(*(uint8_t*)0x200004ce = 0); NONFAILING(*(uint8_t*)0x200004cf = 0); NONFAILING(*(uint8_t*)0x200004d0 = 0); NONFAILING(*(uint8_t*)0x200004d1 = 0); NONFAILING(*(uint8_t*)0x200004d2 = 0); NONFAILING(*(uint8_t*)0x200004d3 = 0); NONFAILING(*(uint8_t*)0x200004d4 = 0); NONFAILING(*(uint8_t*)0x200004d5 = 0); NONFAILING(*(uint8_t*)0x200004d6 = 0); NONFAILING(*(uint8_t*)0x200004d7 = 0xbb); NONFAILING(*(uint32_t*)0x200004d8 = 0x400); NONFAILING(*(uint16_t*)0x200004dc = 0xa); NONFAILING(*(uint16_t*)0x200004de = htobe16(0x4e23)); NONFAILING(*(uint32_t*)0x200004e0 = 4); NONFAILING(*(uint8_t*)0x200004e4 = 0); NONFAILING(*(uint8_t*)0x200004e5 = 0); NONFAILING(*(uint8_t*)0x200004e6 = 0); NONFAILING(*(uint8_t*)0x200004e7 = 0); NONFAILING(*(uint8_t*)0x200004e8 = 0); NONFAILING(*(uint8_t*)0x200004e9 = 0); NONFAILING(*(uint8_t*)0x200004ea = 0); NONFAILING(*(uint8_t*)0x200004eb = 0); NONFAILING(*(uint8_t*)0x200004ec = 0); NONFAILING(*(uint8_t*)0x200004ed = 0); NONFAILING(*(uint8_t*)0x200004ee = -1); NONFAILING(*(uint8_t*)0x200004ef = -1); NONFAILING(*(uint32_t*)0x200004f0 = htobe32(0x7f000001)); NONFAILING(*(uint32_t*)0x200004f4 = 0xfffffa2a); NONFAILING(*(uint16_t*)0x200004f8 = 0); NONFAILING(*(uint32_t*)0x200004fc = 0); NONFAILING(*(uint32_t*)0x20000500 = 0xfffffff8); NONFAILING(*(uint32_t*)0x20000504 = 0); NONFAILING(*(uint32_t*)0x20000508 = 2); NONFAILING(*(uint32_t*)0x2000050c = 0x80000000); NONFAILING(*(uint32_t*)0x20000510 = 0); NONFAILING(*(uint32_t*)0x20000514 = 0); NONFAILING(*(uint32_t*)0x20000518 = 0); syscall(__NR_setsockopt, -1, 0x29, 0xd3, 0x200004c0, 0x5c); break; case 16: res = syscall(__NR_socket, 0x40000000015, 5, 0); if (res != -1) r[4] = res; break; case 17: syscall(__NR_socket, 2, 2, 0); break; case 18: NONFAILING(*(uint16_t*)0x208a5ff0 = 2); NONFAILING(*(uint16_t*)0x208a5ff2 = htobe16(0)); NONFAILING(*(uint32_t*)0x208a5ff4 = htobe32(0x7f000001)); NONFAILING(*(uint8_t*)0x208a5ff8 = 0); NONFAILING(*(uint8_t*)0x208a5ff9 = 0); NONFAILING(*(uint8_t*)0x208a5ffa = 0); NONFAILING(*(uint8_t*)0x208a5ffb = 0); NONFAILING(*(uint8_t*)0x208a5ffc = 0); NONFAILING(*(uint8_t*)0x208a5ffd = 0); NONFAILING(*(uint8_t*)0x208a5ffe = 0); NONFAILING(*(uint8_t*)0x208a5fff = 0); syscall(__NR_bind, r[4], 0x208a5ff0, 0x10); break; case 19: NONFAILING(*(uint32_t*)0x20000580 = 0x14); syscall(__NR_getsockopt, -1, 6, 0x1d, 0x20000540, 0x20000580); break; case 20: syscall(__NR_socket, 0x29, 0, 0); break; case 21: NONFAILING(*(uint16_t*)0x2069affb = 2); NONFAILING(*(uint16_t*)0x2069affd = htobe16(0x4e1c)); NONFAILING(*(uint32_t*)0x2069afff = htobe32(0x7f000001)); NONFAILING(*(uint8_t*)0x2069b003 = 0); NONFAILING(*(uint8_t*)0x2069b004 = 0); NONFAILING(*(uint8_t*)0x2069b005 = 0); NONFAILING(*(uint8_t*)0x2069b006 = 0); NONFAILING(*(uint8_t*)0x2069b007 = 0); NONFAILING(*(uint8_t*)0x2069b008 = 0); NONFAILING(*(uint8_t*)0x2069b009 = 0); NONFAILING(*(uint8_t*)0x2069b00a = 0); syscall(__NR_sendto, r[4], 0x200006c0, 0, 0, 0x2069affb, 0x10); break; case 22: NONFAILING(*(uint16_t*)0x202b4000 = 2); NONFAILING(*(uint16_t*)0x202b4002 = htobe16(0)); NONFAILING(*(uint32_t*)0x202b4004 = htobe32(0x7f000001)); NONFAILING(*(uint8_t*)0x202b4008 = 0); NONFAILING(*(uint8_t*)0x202b4009 = 0); NONFAILING(*(uint8_t*)0x202b400a = 0); NONFAILING(*(uint8_t*)0x202b400b = 0); NONFAILING(*(uint8_t*)0x202b400c = 0); NONFAILING(*(uint8_t*)0x202b400d = 0); NONFAILING(*(uint8_t*)0x202b400e = 0); NONFAILING(*(uint8_t*)0x202b400f = 0); syscall(__NR_sendto, r[4], 0x204b3fff, 0x2f00, 0, 0x202b4000, 0x10); break; case 23: NONFAILING(*(uint32_t*)0x20000600 = 0); NONFAILING(*(uint32_t*)0x20000604 = 0); NONFAILING(*(uint32_t*)0x20000640 = 8); syscall(__NR_getsockopt, r[1], 0x84, 0x7b, 0x20000600, 0x20000640); break; case 24: NONFAILING(*(uint32_t*)0x200000c0 = 0x20); syscall(__NR_setsockopt, -1, 0x84, 0x1e, 0x200000c0, 4); break; case 25: NONFAILING(*(uint32_t*)0x20000180 = 0x14); syscall(__NR_accept4, -1, 0x20000140, 0x20000180, 0x80000); break; case 26: res = syscall(__NR_pipe, 0x20000240); if (res != -1) { NONFAILING(r[5] = *(uint32_t*)0x20000240); NONFAILING(r[6] = *(uint32_t*)0x20000244); } break; case 27: syscall(__NR_ioctl, r[6], 0x80f86406, 0x20000080); break; case 28: syscall(__NR_ioctl, r[5], 0xc0189436, 0x20000000); break; case 29: res = syscall(__NR_socket, 0x18, 1, 2); if (res != -1) r[7] = res; break; case 30: NONFAILING(*(uint16_t*)0x20000440 = 0x18); NONFAILING(*(uint32_t*)0x20000442 = 2); NONFAILING(*(uint16_t*)0x20000446 = htobe16(3)); NONFAILING(*(uint32_t*)0x2000044a = htobe32(0x8001)); syscall(__NR_connect, r[7], 0x20000440, 0x1e); break; case 31: NONFAILING(*(uint16_t*)0x20000040 = 0xa); NONFAILING(*(uint16_t*)0x20000042 = htobe16(0)); NONFAILING(*(uint32_t*)0x20000044 = 0); NONFAILING(*(uint8_t*)0x20000048 = 0xfe); NONFAILING(*(uint8_t*)0x20000049 = 0x80); NONFAILING(*(uint8_t*)0x2000004a = 0); NONFAILING(*(uint8_t*)0x2000004b = 0); NONFAILING(*(uint8_t*)0x2000004c = 0); NONFAILING(*(uint8_t*)0x2000004d = 0); NONFAILING(*(uint8_t*)0x2000004e = 0); NONFAILING(*(uint8_t*)0x2000004f = 0); NONFAILING(*(uint8_t*)0x20000050 = 0); NONFAILING(*(uint8_t*)0x20000051 = 0); NONFAILING(*(uint8_t*)0x20000052 = 0); NONFAILING(*(uint8_t*)0x20000053 = 0); NONFAILING(*(uint8_t*)0x20000054 = 0); NONFAILING(*(uint8_t*)0x20000055 = 0); NONFAILING(*(uint8_t*)0x20000056 = 0); NONFAILING(*(uint8_t*)0x20000057 = 0xaa); NONFAILING(*(uint32_t*)0x20000058 = 3); syscall(__NR_connect, -1, 0x20000040, 0x1c); break; case 32: NONFAILING(*(uint32_t*)0x20000080 = 0); NONFAILING(*(uint32_t*)0x20000084 = 0); syscall(__NR_setsockopt, -1, 1, 6, 0x20000080, 8); break; case 33: syscall(__NR_socket, 0x1d, 2, 2); break; case 34: NONFAILING(*(uint16_t*)0x20000240 = 2); NONFAILING(*(uint16_t*)0x20000242 = htobe16(0x4e23)); NONFAILING(*(uint32_t*)0x20000244 = htobe32(-1)); NONFAILING(*(uint8_t*)0x20000248 = 0); NONFAILING(*(uint8_t*)0x20000249 = 0); NONFAILING(*(uint8_t*)0x2000024a = 0); NONFAILING(*(uint8_t*)0x2000024b = 0); NONFAILING(*(uint8_t*)0x2000024c = 0); NONFAILING(*(uint8_t*)0x2000024d = 0); NONFAILING(*(uint8_t*)0x2000024e = 0); NONFAILING(*(uint8_t*)0x2000024f = 0); syscall(__NR_bind, -1, 0x20000240, 0x10); break; case 35: NONFAILING(*(uint64_t*)0x20000b80 = 0x20000380); NONFAILING(*(uint32_t*)0x20000b88 = 0x80); NONFAILING(*(uint64_t*)0x20000b90 = 0x20000b00); NONFAILING(*(uint64_t*)0x20000b00 = 0x20000a80); NONFAILING(*(uint64_t*)0x20000b08 = 0x77); NONFAILING(*(uint64_t*)0x20000b98 = 1); NONFAILING(*(uint64_t*)0x20000ba0 = 0); NONFAILING(*(uint64_t*)0x20000ba8 = 0); NONFAILING(*(uint32_t*)0x20000bb0 = 0); syscall(__NR_recvmsg, -1, 0x20000b80, 0); break; case 36: res = syscall(__NR_socket, 0xa, 1, 0); if (res != -1) r[8] = res; break; case 37: syscall(__NR_ioctl, r[8], 0x4000008912, 0x20000100); break; case 38: NONFAILING(*(uint32_t*)0x20000000 = -1); NONFAILING(*(uint16_t*)0x20000004 = 0x100); NONFAILING(*(uint16_t*)0x20000006 = 0); NONFAILING(*(uint32_t*)0x20000008 = -1); NONFAILING(*(uint16_t*)0x2000000c = 0); NONFAILING(*(uint16_t*)0x2000000e = 0); syscall(__NR_poll, 0x20000000, 2, 0); break; case 39: NONFAILING(*(uint32_t*)0x200012c0 = 0x10); res = syscall(__NR_accept4, 0xffffff9c, 0x20001280, 0x200012c0, 0x80800); if (res != -1) r[9] = res; break; case 40: NONFAILING(*(uint32_t*)0x20001400 = 0); NONFAILING(*(uint16_t*)0x20001404 = 2); NONFAILING(*(uint16_t*)0x20001406 = htobe16(0x4e22)); NONFAILING(*(uint32_t*)0x20001408 = htobe32(0xe0000001)); NONFAILING(*(uint8_t*)0x2000140c = 0); NONFAILING(*(uint8_t*)0x2000140d = 0); NONFAILING(*(uint8_t*)0x2000140e = 0); NONFAILING(*(uint8_t*)0x2000140f = 0); NONFAILING(*(uint8_t*)0x20001410 = 0); NONFAILING(*(uint8_t*)0x20001411 = 0); NONFAILING(*(uint8_t*)0x20001412 = 0); NONFAILING(*(uint8_t*)0x20001413 = 0); NONFAILING(*(uint32_t*)0x20001484 = 0); NONFAILING(*(uint32_t*)0x20001488 = 0x9a6); NONFAILING(*(uint32_t*)0x2000148c = 9); NONFAILING(*(uint32_t*)0x20001490 = 2); NONFAILING(*(uint32_t*)0x20001494 = 5); NONFAILING(*(uint32_t*)0x200014c0 = 0x98); syscall(__NR_getsockopt, r[9], 0x84, 0xf, 0x20001400, 0x200014c0); break; case 41: syscall(__NR_socket, 0x10, 3, 0x10); break; case 42: NONFAILING(*(uint32_t*)0x20000340 = 8); syscall(__NR_setsockopt, r[9], 0x84, 0x14, 0x20000340, 4); break; case 43: NONFAILING(*(uint32_t*)0x20000280 = 0); NONFAILING(*(uint32_t*)0x20000284 = 0x80000); NONFAILING(*(uint32_t*)0x20000288 = 0xffffff9c); res = syscall(__NR_ioctl, -1, 0xc00c642e, 0x20000280); if (res != -1) NONFAILING(r[10] = *(uint32_t*)0x20000288); break; case 44: NONFAILING(*(uint64_t*)0x200002c0 = 9); NONFAILING(*(uint64_t*)0x200002c8 = 0); NONFAILING(*(uint64_t*)0x200002d0 = 0x10003); NONFAILING(*(uint64_t*)0x200002d8 = 0); res = syscall(__NR_ioctl, 0xffffff9c, 0xc0206434, 0x200002c0); if (res != -1) NONFAILING(r[11] = *(uint64_t*)0x200002c8); break; case 45: NONFAILING(*(uint64_t*)0x20000300 = 0xffffffffffffffd4); NONFAILING(*(uint64_t*)0x20000308 = r[11]); syscall(__NR_ioctl, r[10], 0xc0106438, 0x20000300); break; case 46: syscall(__NR_socket, 0x2b, 1, 0); break; case 47: NONFAILING(*(uint32_t*)0x206dbffc = 1); syscall(__NR_setsockopt, -1, 1, 0x3c, 0x206dbffc, 4); break; case 48: NONFAILING(*(uint32_t*)0x20000140 = 0); res = syscall(__NR_accept, -1, 0, 0x20000140); if (res != -1) r[12] = res; break; case 49: NONFAILING(*(uint32_t*)0x20001c80 = 0xc); res = syscall(__NR_getsockopt, -1, 1, 0x11, 0x20001c40, 0x20001c80); if (res != -1) NONFAILING(r[13] = *(uint32_t*)0x20001c44); break; case 50: NONFAILING(*(uint32_t*)0x20002080 = 0xe8); res = syscall(__NR_getsockopt, -1, 0x29, 0x23, 0x20001f80, 0x20002080); if (res != -1) NONFAILING(r[14] = *(uint32_t*)0x20001fb4); break; case 51: NONFAILING(*(uint64_t*)0x20002180 = 0x20000180); NONFAILING(*(uint16_t*)0x20000180 = 1); NONFAILING(*(uint8_t*)0x20000182 = 0); NONFAILING(*(uint32_t*)0x20000184 = 0x4e24); NONFAILING(*(uint32_t*)0x20002188 = 0x6e); NONFAILING(*(uint64_t*)0x20002190 = 0x20001580); NONFAILING(*(uint64_t*)0x20001580 = 0x20000240); NONFAILING(memcpy( (void*)0x20000240, "\x34\xd0\x59\x28\x28\x92\xbb\x53\xa4\x7e\x67\xe8\xda\x7d\xd6\xfd\x9a" "\xd0\xa1\xd8\x2f\x9a\xd7\xf5\x86\x12\xcf\x2e\x19\xde\xce\xfd\xb4\x78" "\x9a\x1e\xdb\xba\x84\xd4\x98\x2c\x03\xa0\x7e\x02\x6d\xb5\xf9\x55\x5f" "\x06\xcb\xe5\xc1\xd4\xee\xb0\xbe\xe8\x79\x94\xaa\x83\x35\xf0\x34\xe4" "\xdc\xc5\x72\x54\x52\x92\x07\x13\x8e\x39\xd0\xe3\xde\xf7\x7d\x8e\x4a" "\x97\x0f\xe8\x9e\x06\x5d\x75\x2b\x7b\xd0\x9d\x61\x5e\x28\x5f\xce\x7a" "\x79\xb4\x39\x00\x0d\x2c\x8f\x50\x0f\xbc\x5f\xf5\x1e\x8d\xee\x51\x9a" "\x25\x29\xa9\x8f\xb1\xec\x22\x27\x21\x79\x94\x19\xf8\xd4\xa7\xd3\x6c" "\x31\x77\x3f\x83\x5d\xc3\x47\xf4\x11\x50\xbc\x6b\x45\x0e\x45\x3e\x33" "\x84\x4f\xd0\x6f\xcb\x50\xff\x6c\x1d\x61\xec\x8f\xba\x20\x67\xc4\xa8" "\xb7\xe6\xb7\xde\x90\xd0\x05\x84\x75\x49\x17\x61\x53\xdc\xc0\xd2\xff" "\xe6\xdf\xf4\xbf\x37\x2a\xc6\x0a\x6e\x9d\xe5\x70\xf5\x90\xc9\x42\xdf" "\x71\x82\xc5\xf0\x9f\x30\xa8\x26\x62\xc7\xd7\x94\xe4\x42\x18\xd7\x49" "\x6f\x4c\xed\xd5\xaa\xe5\xaf\x4f\xa7\x2a\x70\x18\xc0\x16\x88\x01\xd4" "\x62\xc4\x9c\xac\x21\x30\xe5\x42\xcc\x4d\x0e\x2c\x53\x58\x24\x85\xe7" "\x96\x0d\x78\x04\x65\x45\xe7\x28\x19\x9e\x8d\x36\xc9\x61\x5c\xa6\x0e" "\x42\x4e\xb5\x4c\xf3\x01\x1d\x4b\x14\xf7\x7c\x21\x19\x8f\x19\x3e\x9c" "\x00\xb2\xa3\x09\x11\xb4\xf7\xb2\x28\xf0\x9a\x64\xa4\x97\x90\x1e\xda" "\x2f\x0f\x7c\x55\xfa\x1a\x53\xcf\x6b\x70\x91\x6f\xa0\xe9\xac\x9c\x7f" "\x16\xe1\x5b\x01\x46\x17\xac\x7b\xd3\xf7\x0f\x96\x80\xef\xe4\x88\xa7" "\x91\x29\xcb\xd0\x1f\x1a\xec\x2f\xa6\x02\x70\x30\xc8\xab\x48\x8f\xe9" "\x5c\x88\xeb\xbe\x38\xa8\xaa\xff\xfe\x55\x8a\xd6\x8a\x96\xd4\xe4\xc5" "\x80\x43\x4a\xe9\x73\xdd\x50\xc8\x80\xa4\xe8\xec\x4c\x86\x13\x8b\x3b" "\x37\xd7\x82\x6a\x1f\xc6\x1b\x10\xd0\x98\xdb\x58\xf0\xa1\x06\x51\x9f" "\x17\x74\xed\x49\x42\xfe\x57\x9b\xa4\xa0\xd3\xe0\x93\x59\xe0\xcd\x4d" "\x57\x44\x31\x4b\xa1\xc0\xf5\x4d\xf2\x2e\x3b\xce\x0f\x36\x5e\x59\xe8" "\x68\xab\x06\xf6\x7b\x71\x5a\xa0\x0a\x56\xe9\x11\xd3\xdc\x65\x55\x0d" "\xe5\x96\x76\x5f\x27\x0d\x97\x4b\x65\xff\xcc\x00\x8f\xa6\x66\x68\xa1" "\xbc\x86\x9a\xa9\x9e\x40\xc9\xda\x03\xad\x69\xd8\xd0\x90\xbf\x18\x5f" "\x3d\x52\x7d\x56\xf2\x2d\xd6\x00\x79\x9e\xdf\xec\x2c\xca\x59\x60\xcd" "\x9b\x58\xf3\xb3\xbe\xea\x5d\x6c\x95\xfe\x7f\x7a\xa5\x01\x8a\x2c\x71" "\x67\x6e\xb8\xb4\x98\x08\x4a\xbe\xb3\x3f\x97\xf0\x4b\x3a\x3b\xed\x10" "\x0e\x5d\xe5\xb0\x00\x95\x93\x89\xa4\xf9\xd1\x73\x79\x94\x08\xc9\xf4" "\x38\x7b\xa8\xc9\x88\x29\x91\x94\xa3\x28\xbc\xe0\x49\xdf\x7b\x04\x10" "\x58\x61\x05\x12\x61\xdc\x8e\xf9\x97\x7d\xc0\x05\xc2\x8b\xee\x69\xbf" "\xe5\xe8\xe6\x25\x50\x74\x2c\xe4\x98\xaf\xdd\xd4\xca\x50\x49\x0c\xb0" "\x39\x4c\x7c\x6f\x4f\x87\x02\xc7\xac\x7c\x00\x0a\x01\x69\x84\x78\x29" "\xc0\x51\x0f\xfd\x8d\x67\xc2\x89\xcd\xfb\x0a\x02\x70\xa8\x71\x8f\x69" "\x9a\x18\x70\x4e\x89\xf1\xe0\xbe\x7e\x7a\xf9\x48\xf3\x18\x6c\xd5\x5f" "\x2a\xe7\x95\x6a\xe3\xb3\x70\x9e\x45\xc1\xcc\xc0\x35\xb6\x13\x5b\xa3" "\x31\x1e\x88\x7b\x82\x12\xe2\x35\x92\x21\x2f\x1d\x77\xa2\x42\x7e\xd4" "\xab\xcd\x6f\xac\x1c\x3e\x22\x53\x76\x52\xfc\xb5\x48\xc4\x6f\x5e\x67" "\x15\xf7\xfc\x15\xb3\xda\x67\x79\x2e\xf9\xa8\x83\x37\xfc\x86\xf4\x06" "\xfa\x08\xbe\x98\xd8\xbc\x27\x8f\x20\x0c\xd2\x39\x31\x06\xe6\xea\xc5" "\x64\x03\x7b\xab\xfa\x5a\xac\x0f\xe8\x49\xec\x9d\x5c\x1f\x61\x2f\xe4" "\xb0\x3d\xbf\x9b\xb8\xde\xbd\x90\x20\xe1\x63\x87\xa4\x12\x82\x38\xf0" "\x9d\xa1\xdc\x69\xfc\xd5\x4b\xb1\x48\x56\xd1\x7e\x61\x84\xf5\x4a\x63" "\x9b\x2d\x78\x26\x51\x7d\x79\x40\x4e\x7c\x82\x77\x61\xcd\xff\x2b\x8c" "\x40\xb6\x83\x48\x77\xd7\x2a\x77\xcb\xbc\xd0\x1a\xe2\xc6\x81\xdd\x73" "\xd9\xe7\xcb\x50\xf3\xf8\x42\x51\xaa\x2b\x29\x90\x42\x0e\x7c\x27\x25" "\x41\x3e\xa3\xd2\x5f\x6f\x08\xe2\x51\xbb\x02\xa8\x9b\xd0\x04\xf3\xcf" "\x05\xcd\x11\x00\xc4\xdd\xaa\xf5\x45\xf5\x56\xec\x16\x19\x05\x95\xff" "\xb2\x57\x98\x91\x67\xcc\xa8\x1b\x57\xc6\xbb\x9c\x0b\xb4\x0d\x8d\x89" "\xde\xb7\x04\x37\xee\x28\xcb\x67\x21\x5e\x1a\xe4\x31\x80\x24\xc6\x8a" "\x83\xed\xe8\xdc\xbe\x1b\x61\x80\xa7\x2b\x17\x79\x5f\xd4\x73\x6d\x1c" "\x77\xd6\x63\x68\x62\xf3\x4a\xf0\x8d\x29\x49\x73\x51\x5f\x81\xe4\x7b" "\xbd\x1e\x4e\x2e\x7e\xf2\x43\xaa\xe1\xdb\xb0\x18\x7a\x00\x8e\x00\xb7" "\x7d\x56\xcc\x6e\x02\xa6\x15\xad\xe9\x4b\x36\xc2\x35\x8b\x0e\x58\xd2" "\x44\x65\xc0\x7d\xb9\x9b\xc7\xb3\xff\x41\x84\xe3\xbb\x0e\x7f\xf0\x13" "\xcc\x15\x18\x8e\x30\xb4\x15\x17\x31\x26\x5d\x72\x50\xa6\xf3\x2f\x2c" "\xc4\xbc\x9e\x1f\x4b\xcd\x3b\x3f\x69\xc8\x17\x3a\xf4\xa1\x50\xad\xd0" "\xa5\xa5\x8a\xb1\xc9\xf3\xad\xcd\xc6\x7f\x3b\x4c\xef\x50\x18\x78\xb3" "\x62\xf7\x41\xe7\xbf\xe5\xe7\x1e\x8d\xad\xab\xde\x63\xf7\xfb\x55\x72" "\x71\x32\x78\xde\x25\x1e\x7d\x08\xe7\xb4\xe4\x23\x33\xe8\x67\xa8\xca" "\xcc\x0a\x90\x87\xf5\xe1\xb0\xfa\x07\x8a\xd5\x30\x58\x35\x44\xd8\xcf" "\xa1\xaf\xe8\x44\xef\xd3\xe5\x6e\x1b\x03\x8b\xf6\x2c\x9a\x01\x2f\xe5" "\x0f\x9f\xab\x39\xd1\xdf\xea\xad\xe3\xdc\xe8\x74\x0f\x0a\x88\xb8\x8b" "\xd8\x50\x8b\xc4\x40\x5b\xce\xf5\x30\x81\xe2\x66\xfa\x74\xfe\xb5\x95" "\x95\x45\xe0\x3c\x8b\x38\x3f\x22\xaf\x5f\x8f\xaf\xd4\x87\x5c\xd7\x15" "\xb3\x6f\x4b\xa7\x5f\xaa\x09\x15\x47\x9c\x62\x2b\x3d\x93\x86\x37\x27" "\x66\x12\xe6\x7f\x59\x7f\x20\x24\x0c\x95\x94\xd7\x5f\x47\xbb\x99\xbd" "\x90\xa3\xbb\xfc\x18\x40\xc7\x14\x41\xd7\x36\xfa\xad\x9e\xdc\xf1\x34" "\x03\xc0\xe5\xfb\xab\x7e\xfc\x44\x14\x65\x53\xda\xd9\xcc\x10\x8c\x8e" "\x1e\x40\xe0\x9a\x6a\x0c\xa8\x85\x55\x5b\xda\x9f\x5c\x4e\xfc\x5c\xe2" "\xc4\x24\x23\x3e\xf7\xb3\xe3\xba\xcb\x6c\x17\xe4\x0e\xa2\xa4\xea\xd4" "\xc7\x3d\xb3\x5e\x4f\xfd\x74\x4a\xcd\x45\x82\x01\xa4\x6f\x2e\x6f\xb1" "\x3f\xa6\xf1\x31\x40\x7b\xeb\xb3\xe2\xab\x46\xeb\xe5\xc2\x10\xfd\xc9" "\x0e\xc8\xf9\x01\x03\xc6\xa9\xf5\x91\x35\xdd\xa2\x61\xe7\x4c\x2e\x2c" "\x8e\xc9\x70\x70\xe0\x67\x69\x1e\x1b\x13\xa2\xb2\xd8\x6c\xb5\x94\x2e" "\x2e\x98\xc2\x98\xea\xf8\x57\xaf\x0f\xcd\x9f\xaa\x88\x36\x63\x13\xa2" "\x25\x78\x19\x79\xd0\xe2\x7e\x0d\x1a\x69\xb9\xb9\xe1\x95\xf4\xdf\x90" "\xae\x5f\x3f\x09\x25\x52\x5a\x89\x80\x9e\x3c\x7c\x93\xcd\x77\x6b\x2b" "\xbb\x5b\x50\xf4\x8f\xa2\x5d\x4b\x32\xd9\x26\x4c\x0f\x3d\x83\xaf\x0a" "\x08\x52\x90\xda\x41\xc2\xd3\x2f\xc3\x2f\xac\x6e\xa7\xb1\xf7\x47\x2c" "\x6d\xc0\xbc\xab\xf8\x5b\x53\x21\xe8\x30\x3d\x03\x88\xbc\x52\xac\xcb" "\x0e\xf5\xc1\xf6\xd2\x89\x3a\x4b\x23\xc3\xc4\x88\x6d\x7c\x36\x58\x97" "\x97\x6e\xf5\x38\x3a\x5b\x28\xbb\xf5\x11\x88\x64\xdc\x2c\x59\xbc\x5d" "\x9b\x3a\x99\x00\xf1\x6e\x2c\xde\x2e\x46\x6c\x36\xac\x04\x36\x6d\x59" "\x00\xab\xdb\x3c\xc2\x67\x1b\x08\xf8\x21\xf3\xdd\xb8\x90\xd0\x48\x7a" "\xb7\xea\xa7\x01\xf9\x85\xf1\xda\x06\x7a\x22\x65\x23\x49\x37\xd8\x1b" "\xfd\x25\xa5\xcb\x6a\x0f\x2c\x42\x8f\x3f\xd9\x33\x5c\xe5\x06\x0d\x4d" "\xc7\x12\x2e\x41\x88\x99\x70\xc6\xaa\x4f\x29\xfe\xbf\xc2\xbe\x5d\xed" "\xa3\x83\x51\xd2\x0c\xf1\x93\x66\xb4\x70\xac\xfd\x69\x3b\x8e\x7f\xff" "\x70\x24\x75\xe3\x4c\x3a\x88\xdf\x81\xa0\x8e\xaf\xe6\xc7\xa7\xc9\xe7" "\xc7\x55\x7d\x70\xb1\x64\x4b\x24\x2d\x9a\x04\xb6\x7f\xee\x84\x43\xc4" "\xe2\x43\xb0\xf4\xbf\x48\x6b\xa8\x55\x02\xfc\xcc\x6f\x44\xd5\x82\x5e" "\x70\x60\xb8\x82\x41\xe7\x1c\x73\xaf\x6a\x16\x89\x5e\x86\x20\xa5\xa9" "\x84\x5c\x2c\x05\x88\x61\x9e\x4a\xda\x99\x17\xef\xde\x8b\x0f\x5e\x2b" "\x11\xa2\x7a\xdd\xa1\x3b\x81\xc1\x43\x2e\x2e\x98\xbd\x42\xb5\x61\xd5" "\x28\x85\x5b\x77\x8f\x26\xe6\x06\x18\x2b\xd8\x77\x3b\xb1\x42\x7f\x3d" "\x0e\x1e\xbb\xc4\x36\xcd\x8c\xab\x56\x2d\x08\x0d\xa5\x37\xa5\x97\x9b" "\x9e\xf3\x64\xdd\xf9\x5d\x80\x66\xe6\x25\xf3\xa9\x98\x0c\x27\x6f\x29" "\x76\x81\x1c\xd8\x14\x23\xcf\x37\xc6\x7e\xc9\x13\x3c\x2c\xb8\x1e\xfc" "\xb9\x69\x30\xc9\x81\xd4\xd5\x26\x53\x2d\xfc\x02\xcc\xf2\xe4\x73\xf8" "\x91\x3f\xce\x8a\x9c\x52\x16\xf0\x8f\x54\xf9\x08\x91\x28\xdc\x77\xa8" "\x24\xc0\x00\xee\x9e\x5c\xb0\x2e\x6d\x8c\xb1\x49\xcb\x36\x30\xb6\x31" "\x9b\x1d\x4a\xb1\x60\xfe\xe6\x8b\x8a\x4b\xd8\x97\xc3\xff\xa0\x02\x26" "\x8d\x8f\x27\x6f\x18\xbe\x93\x1e\x64\x86\x41\x5e\x01\x7f\xa8\xba\x09" "\x6c\xa0\xc7\x65\x38\x60\xcb\x6d\x32\xc4\xfc\x3a\x1c\xa9\x1b\x29\xe9" "\x0c\x18\xaa\xca\x3e\x27\xda\xe4\x2e\x7d\xfc\x70\x73\x0b\xeb\xe6\xc1" "\x9a\xab\x0f\x48\xdd\xc8\x49\x5a\xc7\xd2\x85\xd8\x7e\xbc\xa1\xe2\x93" "\xc1\x57\x8e\x7d\x39\x42\x4a\x0f\x18\x84\x71\xae\x0c\x15\x36\x06\xc3" "\xda\x5c\x14\x9a\x2e\x87\xd3\x01\x35\xbf\x67\xdf\x98\x27\x80\x21\xa9" "\x70\x2e\x52\xbd\x3b\x65\x03\x00\x31\x26\xc7\x43\x7e\xa7\xfc\x7f\x3e" "\x93\x7a\xc1\x95\xf1\x44\xed\x5a\x2d\xf8\xc2\x5c\xc6\x56\x05\x4e\x4b" "\xce\x80\x35\x6a\x45\x2e\xd1\x6e\x3d\x7b\x3e\x7b\x9c\xb4\xca\xbb\x50" "\x1f\x8d\x2c\xd5\x2d\xef\x87\x6d\x40\x4b\x0d\x99\xbc\x04\x76\xae\xbc" "\xee\xf8\x7d\xe4\x7b\x36\xd9\x14\x34\x5e\x91\x1e\x65\xf4\x5d\x1b\xff" "\xcb\xd3\xcd\x4f\xb1\x3a\x6f\xdf\x74\x49\x2d\xd4\x1c\x8f\xbd\x92\x60" "\xbf\x8c\x99\xf3\xf9\x2e\x42\x7c\xd7\x4a\x74\x29\x6f\x8c\xae\x8f\x6c" "\x54\xe5\x61\xb7\xbb\xda\x55\x9e\xad\xe1\x01\xc4\x16\x87\xe9\xd2\x49" "\x31\x5e\x0c\x23\xb2\x62\xe4\x1e\xaa\xa4\xe4\x48\xe1\x3a\x2b\x68\xf1" "\x8d\xc3\xd9\x3f\xc2\xe9\x63\xc3\xb8\xe4\x07\x35\x33\xfe\x98\xa0\xf4" "\x94\xba\x6e\x55\xb6\x85\xf4\x3f\x22\x9b\xf3\x9a\x5e\xad\x5b\xe5\x7c" "\x70\x87\xa8\xc0\x87\x2b\x3d\x84\xfd\x02\x0d\x76\xf1\x06\x51\x1d\x22" "\x6e\xfd\xf3\xb0\x44\x60\x8c\xfd\x2e\x65\x55\x18\x6e\x99\xb0\xb6\x50" "\xd0\xc7\xee\x9f\x88\xb6\xfc\xa5\x3f\xcd\xdf\xd2\xa0\x90\xeb\xe2\x6a" "\x2c\x32\x1e\x38\xcd\x63\x40\x09\xd2\xd6\xe1\x5f\x52\x8f\x67\x08\x12" "\xb4\x6e\xc2\xc8\x0b\xda\x85\x3d\x3d\xc4\x3f\x67\x50\xbc\x9c\x63\x6e" "\xe3\xf8\x0d\xd3\x5d\xca\x15\xea\xc7\xd9\xf0\xaf\x0a\xd3\x25\x6d\x31" "\xa3\xdf\x9e\xee\x30\xf5\xfb\x6c\x48\xb2\x3c\x87\x3f\x0a\x06\xf9\x0d" "\x94\x3a\x28\x8a\x6c\x42\xfa\x40\xb3\x12\xfe\x9d\xec\xfd\x6c\x4d\xfc" "\x37\x3b\x00\xdb\x40\x44\x79\xe6\xf4\x61\xf0\xb7\x1e\x18\x31\x7c\x36" "\x1e\x8c\x43\x57\x7d\x92\x25\xb8\xa0\x44\xbc\xbc\x2f\x08\x6e\x3b\xbd" "\x3a\x4d\x95\x10\x7e\xdf\xd3\x2c\x22\x2a\xaa\x03\xfc\xa2\xea\x34\x21" "\x86\xa5\x92\xb1\x1e\xd2\xa5\x7e\x2d\x19\xca\xb1\x37\x8e\x47\x73\xc5" "\x3a\xe1\x90\xb8\xe4\xc4\xe7\xfa\xd5\x52\x78\x9c\x63\x0a\xeb\xc6\xcb" "\xa7\xb1\xc5\xf2\x49\xa5\x0b\x7d\x2b\xd2\x13\x0d\xbe\x62\x57\x04\x7d" "\x14\x5c\xfb\x9f\xbd\x8c\xfd\xa0\xf0\x70\x02\x04\xee\x9c\x2e\x62\x22" "\xc8\x6a\xe1\xc1\x82\xb2\x87\xc0\x31\x06\x0f\xec\x2c\x9e\x7b\xe5\x82" "\xce\x86\x78\x37\x15\x81\x34\xce\xac\xd9\x7a\xb5\x9b\xb1\x06\x40\xbb" "\x7f\x1f\x2c\x61\x3c\xf6\xaa\x58\x34\x5e\x1b\x86\xb4\x8c\xe4\x61\x17" "\x4f\xb7\x52\x79\xea\x60\x4e\xbf\xa5\xe0\xd0\x05\x60\x2f\xb7\x5b\xfb" "\x29\xbf\x50\x83\xbe\x0e\xc1\x41\x89\x7b\x91\xea\xcb\xf3\x57\xcc\x41" "\x72\x80\xdb\xf5\x8d\x08\x14\xa1\xe7\x59\xee\x28\x73\x68\x66\x67\xa2" "\x95\xbd\xdd\x3b\x51\x5a\x3b\x89\xf6\xb2\xc0\xb1\x49\xb5\xe3\x6e\x4a" "\xfa\xec\x39\x65\xc1\xb5\xcd\x79\x29\xe9\x95\xcf\x49\x96\x99\x84\x33" "\x50\xde\x49\x40\x0e\xde\xf0\x06\x56\xe9\x18\xc2\x77\x48\x11\x07\x7b" "\x84\x0b\x3d\x36\x9b\xa8\x24\x11\x0d\x75\x82\x99\x27\x4c\x6b\xef\xb7" "\x9c\x21\x8c\x74\x7e\x45\xd5\xa4\x60\x9c\xc4\xfa\x4f\xa9\xc9\x04\x2c" "\x01\x28\xa7\xc3\x08\x40\x3c\x9a\x82\x27\x78\xf5\xd2\x7c\xd7\x54\x7a" "\x4f\x57\x14\xd0\x2d\x5c\x4e\x41\x32\xf8\xd5\x1a\xd1\xc4\xba\x1c\xa1" "\xb5\xc1\x4f\xd1\x03\xf2\x5e\xa3\xff\x4c\x00\x35\x8a\x5b\x88\xd0\x42" "\x01\x81\xc6\xf9\x50\xdb\xc4\x71\x71\x89\xee\x12\xd9\x92\x2f\xa6\xb5" "\xb7\x83\x3c\x70\xe9\xeb\x60\x19\x2f\xad\x02\x62\xc3\x7b\x36\x21\x5b" "\x50\x0b\xe6\xb8\x0c\xf6\xdb\xf7\x4d\xe0\x96\x7b\x40\x11\x00\x32\xa1" "\x5c\x24\x25\x25\x19\x17\x45\x4b\x55\x96\xab\xc4\xe7\xfa\xbe\x2a\xf3" "\x1d\x64\x3e\xd7\x05\x21\x3e\x8b\x92\x60\xc7\x0c\x13\x78\x66\x23\x24" "\x00\xb2\x7b\x0b\x5d\xf1\x96\x81\xbe\x3d\x81\xc5\x9a\x1a\x9e\x0d\x11" "\x80\x1e\xff\x73\x1f\xb2\xa9\x20\xee\xe4\x60\x0d\x5b\x53\x9b\x18\x54" "\x6c\xb0\x04\xd8\xf8\x9a\x7f\x06\xa8\x39\x76\x11\x97\x71\x5c\x17\xac" "\x02\x22\xbb\x0b\xa0\xa7\x73\xa9\x23\xa6\x68\x10\x81\x11\xa4\x82\xf6" "\x01\xf6\x92\x79\x33\xa0\x88\x6d\x0a\x15\xcc\x00\xfc\x7b\xb5\xd1\x51" "\x96\x90\xe8\x1c\x17\xf0\x3e\x42\x96\xbd\xf2\x2b\x76\xe5\x0b\xd9\x12" "\x56\x0a\x49\x7a\xfb\xda\x0f\x74\xce\xaa\xd8\xf1\x7d\x20\x59\x3e\x4d" "\x82\xb1\x0b\x54\x4e\x6e\xf4\xe0\x77\x85\x0a\xf5\x9d\x2f\x48\xb8\x35" "\x21\xfd\x95\xef\x75\x45\xc8\x7b\xa4\x89\x21\x86\x89\x0c\xa5\x62\xc1" "\xbc\x4a\x98\xc8\xe2\x2c\xf9\x3a\x3e\x9e\x46\xd1\x52\x0c\xc5\x96\x5d" "\xe5\x2e\xa7\x43\x32\xf4\xa9\x7c\xbc\x30\xc8\x37\x53\x17\x9f\xe0\x4d" "\xd4\x27\x39\x66\x3d\x0d\x97\xf3\x79\xe0\xc4\xab\x4d\x26\x27\x3f\x24" "\x95\x8b\xb0\x5e\x9b\x93\xef\x5d\xbb\x19\xe2\x23\xe9\x68\x0d\xe8\x40" "\x2e\xf6\x89\x14\xd2\xd6\xa8\x12\x85\x95\x53\x5c\xb5\x22\xa2\xb9\x17" "\x66\x43\x1f\xfa\x77\x91\xb3\xa8\x55\x41\x5c\x77\x6b\x99\xbf\xb0\x74" "\x98\x29\xe1\x69\xa9\x18\x2f\xfc\xed\xe9\x64\x44\x20\x70\x73\x06\xe1" "\xb0\xfe\x52\x6b\x7b\x60\xf6\x84\x1e\xec\xa0\xa3\x8d\x04\xfb\x60\x8f" "\xc4\x07\xdf\x31\x7a\x2e\x9e\xd5\xbe\x6a\xca\xe2\xdc\xe2\xcb\xd3\x2d" "\xd5\xa1\x7f\xb0\xb2\x72\x50\x1a\xb8\xaf\x79\x32\x90\xb7\x9d\xbd\x54" "\xa2\xad\x7a\xf0\x6a\xbc\x2d\x27\x36\x07\x08\x7f\x60\x39\x64\x1d\x6c" "\x56\x50\xb6\x37\x59\x04\xa6\xe8\x9d\xc2\x70\xc8\x29\xbb\xcc\x38\x90" "\x60\x58\xd2\x71\x97\xa8\xdb\x09\x36\xed\x8a\x34\x9e\xf7\xc0\x00\x67" "\x1b\x6a\xab\x30\xd3\xe9\x03\x83\xdc\x35\x11\x7b\x86\x3b\xfd\x95\x90" "\xa7\xbd\x3a\x01\x06\x0e\x1f\x3e\x96\x5b\xf3\x55\xf0\x8a\x68\xae\x79" "\xea\xef\x76\xbe\xd9\x0a\x14\x11\x12\x3d\x0d\x54\xd7\x68\x56\xe6\x71" "\xa0\xac\x50\xee\xb1\xfb\xef\x71\x83\x50\xa6\xc2\x56\x5e\x49\xfb\x31" "\x05\x09\x40\xb5\xb9\xb5\x8e\xd0\xc8\x27\x1f\x80\xd3\x74\xa4\x14\x5e" "\x92\xaa\xcb\x99\x02\x01\x07\xe7\x9d\x43\xe4\xf0\xad\x75\xce\xea\x48" "\x65\xd2\x25\x33\x85\x14\x88\xc1\xda\x93\x6e\x5c\x73\x41\x7d\xde\x16" "\x9d\x7c\x37\xbb\x0d\xa7\xf0\x79\xd7\x40\xb2\xf5\x12\x76\x71\x74\xbd" "\x09\xc4\xe7\x1e\x47\x78\xc7\x3e\x04\xde\x11\x9f\x79\xec\x5f\xb9\x01" "\x4f\x5d\x9a\x53\xf2\x97\x2b\x09\x8e\x1d\x90\x1a\xfc\xa4\xac\xe4\xef" "\xcc\x10\x17\x82\x18\x7d\xc2\xb9\x00\x54\x0e\xfc\xf4\x99\xeb\xb4\x6c" "\x85\x9f\xfe\x2c\x11\x10\xa9\xdf\xe6\xbf\x9d\x6b\x3f\x00\x07\xf0\xed" "\x44\x1b\xec\xd4\x46\x5d\x36\x37\x14\x76\xd9\x6d\x4f\xf4\xf6\x74\xc2" "\x75\xe0\x38\x0d\x50\x31\xc8\x41\xa0\x9c\x2a\x2c\x80\x12\xb4\x6f\x7a" "\x5e\xec\xd2\x74\x75\xda\xc9\x40\x02\x3b\xcf\x82\x48\x47\xbb\x3f\x57" "\x43\x09\x78\xc1\x56\xf8\xb6\x36\x5c\xd2\x05\xde\xa1\x4e\xfb\x98\xf8" "\x02\x9a\x71\x54\x69\x4a\xfa\x9b\xf4\x38\x4c\xbe\x7e\xa9\xf7\x09\x36" "\x37\x1b\x67\x5d\xa8\x6f\x1f\xa1\x4f\x3a\xdd\xe9\x56\xe6\x1c\xe2\xe2" "\x1a\x72\x5c\x81\xd4\xa6\x0a\x11\x8d\xc7\x0f\x5f\xeb\x67\x50\x72\xfd" "\x61\xde\xef\xe7\xab\xa4\x27\x66\x56\x8f\x2a\xb9\x18\x60\xa7\xc4\xf7" "\x0b\x14\x7d\x0e\x5f\x92\xa6\x0c\xf0\x22\x66\x6c\x02\x84\x80\xf8\x62" "\xcd\x87\x8a\x43\x1f\x0d\xf7\xa5\x16\xe6\xfc\x19\x12\xaa\x0a\xbe\x60" "\x8d\x2d\x4d\xca\xbc\xa7\x9a\x12\xce\x7f\xf5\x30\x18\xbd\xd9\x45\xc0" "\x43\x97\xb6\x76\x5a\x53\x79\x43\x86\x9c\xd6\x0f\xda\x41\x1e\xb5\xa7" "\xb2\xb2\x40\xa3\x4f\x0f\xaf\x1a\x56\xa3\xbe\x5f\x74\xa1\x26\xc5\xf7" "\x0e\xe7\x50\x14\x33\xb7\x43\x78\x2f\xb6\x5d\xb5\xb0\x87\x54\x0b\x7f" "\x82\xbb\x6e\xd3\x9c\xfa\xa1\xac\x22\x0d\x3d\x4e\x2a\xea\x23\x00\x87" "\x43\x2e\xb2\x84\xc1\x65\x6d\x5e\x01\x89\x79\xb4\xd2\x82\x1f\x02\x68" "\x7e\xf8\xc4\x42\x16\xa3\xd5\xa2\xd0\xd4\x27\x4e\x05\x79\xd5\x60\x1e" "\xda\xa4\xdd\x26\xf6\xb4\x76\xe9\xb2\x13\xa2\x0b\xdd\x7e\x65\x1f\xea" "\xda\x54\x71\xf0\x61\x15\x7e\x57\x45\xfe\x9c\x5f\x46\x50\x26\xec\xb9" "\x86\xe2\xde\x37\x2b\x20\xdb\x92\x19\x28\xa5\x33\xb4\x42\xcd\xab\x4b" "\x6b\x52\xb5\x2a\x03\xe3\x7c\x8b\x53\x91\xf5\xa0\x60\x2b\x23\xe7\x73" "\xf2\x65\x43\x9d\x65\xb1\xee\x7f\xdb\xb3\x57\x4a\x3f\xa6\x9d\x53\x3b" "\xe6\xc0\x5a\xfa\x44\x44\x6e\x34\xcc\x59\x00\xa0\xbf\x43\x3a\xc2\x0a" "\xa6\x3c\xe8\x25\xd4\x35\xd8\xc5\x5d\x16\x8f\x91\xd4\x83\x0c\xd8\x97" "\xe0\x0f\x97\x5a\x44\x71\x0d\x2d\x47\xee\xb8\xf6\x14\xc0\xbf\x82\xff" "\x71\xed\xc5\x20\x9e\x12\x62\xe7\x30\x7f\x94\x76\x04\x01\x21\xc9\x98" "\x6a\xa1\x3e\x5f\x08\xca\xfc\x71\x7a\x24\x65\x66\xd0\xc4\x0e\xc7\xf7" "\xbc\x32\x08\x3a\xc6\x00\x15\xcf\xa1\xd0\x97\x07\x14\xe3\x81\xd4\x6e" "\x5c\x40\x83\x09\xca\x6f\x90\x82\x8f\xfa\xb8\x1d\xf2\x1f\x6d\xc0\xc8" "\xf8\x16\xce\xee\x58\x17\xa8\xf0\xed\xfe\xa0\xa5\x1a\x82\xad\x87\x91" "\x93\x0b\x7d\x48\x66\x0a\x56\x15\xed\xa0\xeb\x53\xec\xa6\x22\xde\x0e" "\x2f\x34\xa8\x89\xc4\x73\x5a\x80\xd5\x73\xfd\x36\xbe\x96\x69\x3e\x49" "\xe0\x45\x37\xc8\x20\x27\x43\x4f\x8f\x2f\x8d\x28\x9d\x63\x14\x28\x53" "\xb5\x06\xad\x6c\x44\x87\xce\x72\x8e\x5f\xf8\x92\xd8\xee\x96\xe8\x38" "\x68\x9d\x0e\x71\x45\x6f\x11\x72\xf0\x31\xb2\x08\xe4\xe6\x4f\x53\xfe" "\xca\x2f\xc1\xc5\xf7\xc9\x8c\x1a\x93\x20\x19\x93\x77\xcf\x2e\xa2\xf2" "\xa9\xa1\x89\xc9\xa0\xdd\x50\xcc\x7f\x49\x05\xb8\x16\x41\x64\x30\x37" "\xa5\xbb\xa7\xe3\x39\x8f\xde\x6e\x92\x8f\x22\xd2\xa8\x2c\x78\x12\xc8" "\x16\xb0\x01\x5d\x36\x14\xc7\xb7\x7c\x87\x99\x58\xe3\xc9\xbc\xfc\x18" "\x02\x5c\x73\x45\xf7\xd9\x14\x79\x13\x58\xaf\x88\x93\x6e\xf4\x60\x42" "\xe2\xdb\xab\x8b\x93\x90\x2f\x8b\xd7\x3f\xf7\xee\x2e\x30\x27\x1d\x2b" "\x6e\x90\x8e\x14\x5b\x7c\xfb\xb9\xce\x4d\x61\x76\x91\x77\x5e\xa3\x9d" "\x3e\x75\xb3\xcc\x27\x17\x29\xe7\xd9\xcb\x97\x63\xc8\xaf\xb4\xf5\x73" "\x9b\xe3\x98\x5e\xc9\xf0\xba\x2e\x2f\x48\x94\x8e\x13\x28\x61\x90\x33" "\x00\x03\x4d\x74\x2c\x30\xdc\x93\x07\x0f\xf3\x1a\xea\x79\xa9\xb1\xdf" "\xd5\xf0\xbc\xe5\xd5\x54\x31\xba\x9b\xf8\xbc\x00\x32\x48\xcf\x77\x44" "\x38\x2e\x1d\x4c\xc7\x5c\x3b\x6f\xd2\xc6\xe5\xac\x96\x83\x5d\x99\x39" "\x62\xa8\x77\x2e\x25\x9b\x82\x35\xc1\xf3\x28\xa4\xe8\x71\xd7\x0c\x8e" "\x59\x8f\x60\x8d\x6c\xde\x86\xb7\xf0\xb5\xf5\x84\x37\x85\xb3\x28", 4096)); NONFAILING(*(uint64_t*)0x20001588 = 0x1000); NONFAILING(*(uint64_t*)0x20001590 = 0x20001240); NONFAILING(memcpy((void*)0x20001240, "\xf8\x7f\xdd\x22\xa1\x3c\x7e\xfa\xe2\x6a", 10)); NONFAILING(*(uint64_t*)0x20001598 = 0xa); NONFAILING(*(uint64_t*)0x200015a0 = 0x20001280); NONFAILING(*(uint64_t*)0x200015a8 = 0); NONFAILING(*(uint64_t*)0x200015b0 = 0x200012c0); NONFAILING(memcpy( (void*)0x200012c0, "\x38\x8e\xc3\x4f\x70\x7d\x5e\x9c\xb3\x22\x82\x11\x70\x93\x70\xb8\x96" "\x7e\x44\x5a\x9d\xc8\x2b\x56\x45\x55\xa9\x24\x93\xbb\x1e\x8b\x27\xec" "\x1b\xa5\x59\xf7\xdc\x9b\xbb\xed\xf8\xaf\x0d\xac\xfd\x9e\x69\x73\xde" "\x94\x07\x47\x5b\xd2\x73\x0e\x07\xa2\x74\x52\xde\xc5\xa8\xf4\x28\x38" "\xdd\xef\x8c\x6d\x9d\x0c\xc9\xbb\xe1\x04\xfb\xf4\xe5\x23\x1f\x64\x25" "\x5e\x67\xfe\x1d\x89\x31\x8f\xb6\xfa\x26\x6a\xe1\x93\x74", 99)); NONFAILING(*(uint64_t*)0x200015b8 = 0x63); NONFAILING(*(uint64_t*)0x200015c0 = 0x20001340); NONFAILING(memcpy( (void*)0x20001340, "\xdc\x5d\x0f\x69\xc7\xb2\xc6\x3b\x5f\x6c\xa1\x9d\x5d\x51\xd1\x58\xe7" "\xe2\xad\xa9\x7f\x25\x27\xb7\xe9\x2b\x14\x8d\xa1\x0a\x04\x97\xd9\xc9" "\xa9\x74\xa8\xf5\x75\x59\x82\x8e\xb1\x3b\x21\x2c\x6f\x23\xc0\xbc\xd4" "\xa5\x0d\x31\x94\x62\xe4\x27\xf1\x53\xc6\x92\xf2\x8b\xd7\x3e\xca\x4f" "\xf1\x38\xd8\xec\x64\x69\xcb\x35\xbc\xbc\xc1\x54\x6b\xd4\x87\x2f\x80" "\x0e\x34\xa0\x98\x70\x2d\xc2\x0c\x34\xe1\x8e\xdc\x69\xc9\x8b\x98\x5f" "\x3a\x77\x78\x18\xff\xbd\xa2\x97\x19\x42\xc7\x96\x01\x29\xf4\xe1\xd7" "\xfe\xe9\x12\xef\x88\x24\xfc\x78\xd6\x5e\x75", 130)); NONFAILING(*(uint64_t*)0x200015c8 = 0x82); NONFAILING(*(uint64_t*)0x200015d0 = 0x20001400); NONFAILING(*(uint64_t*)0x200015d8 = 0); NONFAILING(*(uint64_t*)0x200015e0 = 0x20001480); NONFAILING(*(uint64_t*)0x200015e8 = 0); NONFAILING(*(uint64_t*)0x20002198 = 7); NONFAILING(*(uint64_t*)0x200021a0 = 0); NONFAILING(*(uint64_t*)0x200021a8 = 0); NONFAILING(*(uint32_t*)0x200021b0 = 0x20000800); NONFAILING(*(uint64_t*)0x200021b8 = 0x20001600); NONFAILING(*(uint16_t*)0x20001600 = 0); NONFAILING(*(uint8_t*)0x20001602 = 0); NONFAILING(*(uint32_t*)0x20001604 = 0x4e24); NONFAILING(*(uint32_t*)0x200021c0 = 0x6e); NONFAILING(*(uint64_t*)0x200021c8 = 0x20001b80); NONFAILING(*(uint64_t*)0x20001b80 = 0x20001680); NONFAILING(*(uint64_t*)0x20001b88 = 0); NONFAILING(*(uint64_t*)0x20001b90 = 0x20001700); NONFAILING(memcpy( (void*)0x20001700, "\x96\x3f\x66\x99\xbe\x2b\xd0\x1a\xd8\x92\x29\x51\x13\xda\x63\x3d\xae" "\x7e\x73\x47\x40\x41\x8a\x07\x78\x7e\x4f\x22\x48\x8d\xf1\xa8\x9b\x8f" "\x53\xc1\xa0\xac\xec\xf5\x57\x60\xbb\xd3\x82\x57\xe3\x82\xc0\xbc\xd9" "\x80\x36\xa7\xa0\xa4\x36\x0b\xcb\xf2\x2f\xcc\xd0\xdf\x91\x6e\xcb\xbd" "\x2f\x4a\x5f\x46\xcc\x46\xf6\x9e\xe1\xa1\xdb\x29\x41\x26\xee\x2f\x4d" "\x26\x01\x9f\xbd\x69\xda\xd6\xcf\x99\xef\xd6\x2c\xd3\x8c\x93\x81\x36" "\xb9\xd8\x79\x66\x1a\x8a\x10\xe9\x05\xd6\xa2\x0d\xbc\x1e\xf5\xf2\xb9" "\xa2\xad\xea\x7f\xb0\x04\xa7\xbd\xee\x6b\xde\x66\x1d\xff\x3d\x2c\x76" "\xa2\x10\x03\x4e\xb9\xbc\x85\x23\x70\xb6\x42\x3b\x2f\x80\x1f\x73\xa3" "\x1b\xa9\xbe\xf3\xa3\x9f\xca\x0d\xfa\x08\x4b\x0e\xe5\xff\xeb\xb2\xa6" "\x26\xb0\xc2\x95\x94\x0e\xff\x81\x09\x02\xab\x19\x9b\x28\x3c\x6b\x9a" "\x9d\x89\xeb\x1c\x65\xf1\xae\x53\xb6\x79\x37\x87\xca\xba\xed\x21\x6e" "\x6c\x7a\x75\x01\x05\xb8\x76\x4e\x3e\x4a\x22\x1f\x3c\x7a\x8f\x6d\x7b" "\x77\x16\xf1\xd4\x38\x50\x0c\x13\x99\x3b\xc6\xac", 233)); NONFAILING(*(uint64_t*)0x20001b98 = 0xe9); NONFAILING(*(uint64_t*)0x20001ba0 = 0x20001800); NONFAILING(*(uint64_t*)0x20001ba8 = 0); NONFAILING(*(uint64_t*)0x20001bb0 = 0x200018c0); NONFAILING(memcpy((void*)0x200018c0, "\xeb\xbe\x9c\x91\xc8\xc4\x13\x75\x78" "\x4f\xfe\x2b\x8d\xc5\x9e\x10\xf8\xf6" "\xa0\x88\x87", 21)); NONFAILING(*(uint64_t*)0x20001bb8 = 0x15); NONFAILING(*(uint64_t*)0x20001bc0 = 0x20001900); NONFAILING(memcpy( (void*)0x20001900, "\xfb\x92\x59\xe6\xae\xa9\x02\x5e\x52\xd3\x52\x5a\x82\xf6\xb0\x37\xd2" "\x65\xa2\x85\xf5\x4d\x95\xf4\xf4\x86\xb4\x27\xe5\xed\x3f\x40\x8c\x72" "\xa6\xce\x2b\x24\x2a\xde\xa9\xee\x0e\xb4\xa6\x23\x74\x63\xb5\x19\xbe" "\xe2\x61\x32\x3a\xec\xcb\xc4\x84\x07\x32\x86\x23\x98\xc8\x0e\x10\x82" "\xda\xe1\x2b\x4c\xee\x5f\xd6\xe8\x46\x35\x99\x0d\xaf\xcd\x09\xd6\x05" "\xd4\xef\xe3\x25\x10\x82\xa4\xfe\x95\xb8\x3c\x19\x27\xca\x43\x67\x72" "\xfd\x8e\x6d\x98\x6c\x83\x8d\x5f\x5f\x9c\x39\x62\xb1\xa1\x11\x78\x8a" "\x49\x5b\x4b\x31\x0d\xd6\x75\xcd\x59\x0d\x7a\x01\xf5\xf1\x84\x50\xf9" "\xa7\x74\xe5\xa1\xc2\x80\x6f\x3d\xba\x74\x36\x5f\xa4\xd9\x8d\x43\xda" "\xe8\x7b\x6e\x84\x8a\x2a\xe8\x8d\x12\xf4\x9c\x48\xbe\x5d\x0e\x00\x0b" "\xc8\xff\xab\x06\xb6\xe9\xc6\xc2\x9b\xdb\xf2\xd6\x87\x18\xce\xe2\x2b" "\x7f\xc6\x0a\xe5\xd6\x4a\x3b\xf8\xc3\xef\x04\xf5\x9d\xde\x17\x16\xf5" "\x3e\x0e\x66\xe3\xbf\x37\xba\x31\x2e\x3b\xd6\xad\x23\x26\xfd\xfe\x38" "\xa7\xf8\x10", 224)); NONFAILING(*(uint64_t*)0x20001bc8 = 0xe0); NONFAILING(*(uint64_t*)0x20001bd0 = 0x20001a00); NONFAILING(*(uint64_t*)0x20001bd8 = 0); NONFAILING(*(uint64_t*)0x20001be0 = 0x20001a40); NONFAILING(*(uint64_t*)0x20001be8 = 0); NONFAILING(*(uint64_t*)0x20001bf0 = 0x20001b00); NONFAILING(*(uint64_t*)0x20001bf8 = 0); NONFAILING(*(uint64_t*)0x20001c00 = 0x20001b40); NONFAILING(*(uint64_t*)0x20001c08 = 0); NONFAILING(*(uint64_t*)0x200021d0 = 9); NONFAILING(*(uint64_t*)0x200021d8 = 0x20001d40); NONFAILING(*(uint32_t*)0x20001d40 = -1); NONFAILING(*(uint32_t*)0x20001d44 = -1); NONFAILING(*(uint32_t*)0x20001d48 = -1); NONFAILING(*(uint32_t*)0x20001d4c = r[12]); NONFAILING(*(uint32_t*)0x20001d50 = -1); NONFAILING(*(uint32_t*)0x20001d54 = -1); NONFAILING(*(uint32_t*)0x20001d58 = r[13]); NONFAILING(*(uint32_t*)0x20001d5c = -1); NONFAILING(memcpy((void*)0x20001d60, "\x00\x00\x00\x00\x20\x00\x00\x00\x00" "\x00\x00\x00\x01\x00\x00\x00\x01\x00" "\x00\x00", 20)); NONFAILING(*(uint32_t*)0x20001d74 = r[12]); NONFAILING(*(uint32_t*)0x20001d78 = r[12]); NONFAILING(*(uint32_t*)0x20001d7c = -1); NONFAILING(memcpy((void*)0x20001d80, "\x00\x00\x00\x00", 4)); NONFAILING(*(uint64_t*)0x200021e0 = 0x44); NONFAILING(*(uint32_t*)0x200021e8 = 0x4000000); NONFAILING(*(uint64_t*)0x200021f0 = 0x20001dc0); NONFAILING(*(uint16_t*)0x20001dc0 = 0x89b8); NONFAILING(*(uint8_t*)0x20001dc2 = 0); NONFAILING(*(uint32_t*)0x20001dc4 = 0x4e24); NONFAILING(*(uint32_t*)0x200021f8 = 0x6e); NONFAILING(*(uint64_t*)0x20002200 = 0x20001ec0); NONFAILING(*(uint64_t*)0x20001ec0 = 0x20001e40); NONFAILING(*(uint64_t*)0x20001ec8 = 0); NONFAILING(*(uint64_t*)0x20002208 = 1); NONFAILING(*(uint64_t*)0x20002210 = 0x20002140); NONFAILING(*(uint64_t*)0x20002140 = 0x20); NONFAILING(*(uint32_t*)0x20002148 = 1); NONFAILING(*(uint32_t*)0x2000214c = 2); NONFAILING(*(uint32_t*)0x20002150 = 0); NONFAILING(*(uint32_t*)0x20002154 = r[14]); NONFAILING(*(uint32_t*)0x20002158 = 0); NONFAILING(*(uint64_t*)0x20002218 = 0x20); NONFAILING(*(uint32_t*)0x20002220 = 0x24000800); syscall(__NR_sendmmsg, r[12], 0x20002180, 3, 4); break; case 52: NONFAILING(*(uint32_t*)0x200001c0 = 0); syscall(__NR_setsockopt, -1, 0x84, 0x78, 0x200001c0, 4); break; case 53: NONFAILING(*(uint32_t*)0x200016c0 = 0); NONFAILING(*(uint32_t*)0x200016c4 = 0); NONFAILING(*(uint32_t*)0x200016c8 = 0); NONFAILING(*(uint32_t*)0x200016cc = 0); NONFAILING(*(uint32_t*)0x200016d0 = 0); NONFAILING(*(uint32_t*)0x200016d4 = 0); syz_emit_ethernet(1, 0x20000040, 0x200016c0); break; case 54: NONFAILING(*(uint32_t*)0x200000c0 = 0xe); res = syscall(__NR_accept4, -1, 0x20000080, 0x200000c0, 0x80000); if (res != -1) r[15] = res; break; case 55: NONFAILING(*(uint32_t*)0x20000100 = 0x8f0); syscall(__NR_setsockopt, r[15], 0x112, 0xa, 0x20000100, 4); break; case 56: NONFAILING(memcpy((void*)0x20000300, "\x29\x5e\xe1\x01\x04\x12\xd4\x77\x67\x10\x70", 11)); syscall(__NR_ioctl, -1, 0x4000008912, 0x20000300); break; case 57: syscall(__NR_socket, 0x26, 5, 0); break; case 58: NONFAILING(*(uint64_t*)0x20000180 = 0x20000080); NONFAILING(*(uint16_t*)0x20000080 = 0x10); NONFAILING(*(uint16_t*)0x20000082 = 0); NONFAILING(*(uint32_t*)0x20000084 = 0); NONFAILING(*(uint32_t*)0x20000088 = 0); NONFAILING(*(uint32_t*)0x20000188 = 0xc); NONFAILING(*(uint64_t*)0x20000190 = 0x20000140); NONFAILING(*(uint64_t*)0x20000140 = 0x20000240); NONFAILING(*(uint64_t*)0x20000148 = 0); NONFAILING(*(uint64_t*)0x20000198 = 1); NONFAILING(*(uint64_t*)0x200001a0 = 0); NONFAILING(*(uint64_t*)0x200001a8 = 0); NONFAILING(*(uint32_t*)0x200001b0 = 0); syscall(__NR_sendmsg, -1, 0x20000180, 0xc000); break; case 59: res = syscall(__NR_socket, 0x29, 2, 0); if (res != -1) r[16] = res; break; case 60: syscall(__NR_ioctl, r[16], 0x8912, 0x20000000); break; case 61: res = syscall(__NR_socket, 0x10, 3, 0); if (res != -1) r[17] = res; break; case 62: NONFAILING(memcpy( (void*)0x20000080, "\x67\x72\x65\x74\x61\x70\x30\x00\x00\x00\x00\x00\x00\x00\x00\x00", 16)); syscall(__NR_ioctl, r[17], 0x89a0, 0x20000080); break; case 63: syscall(__NR_socket, 0xd, 0x803, 1); break; case 64: syscall(__NR_socket, 0x2018, 0, 0); break; case 65: NONFAILING(*(uint32_t*)0x20000000 = 0x80); syscall(__NR_accept, -1, 0x20000080, 0x20000000); break; case 66: syscall(__NR_socket, 0xa, 1, 0); break; case 67: syscall(__NR_socket, 2, 6, 0); break; case 68: res = syscall(__NR_socket, 0x10, 3, 0x8000000004); if (res != -1) r[18] = res; break; case 69: syscall(__NR_ioctl, r[18], 0x100, 0x20000000); break; case 70: NONFAILING(*(uint64_t*)0x20e11ff0 = 0x20000140); NONFAILING(*(uint64_t*)0x20e11ff8 = 0); syscall(__NR_writev, r[18], 0x20e11ff0, 1); break; case 71: NONFAILING(*(uint32_t*)0x200000c0 = r[18]); NONFAILING(*(uint32_t*)0x200000c4 = 0); NONFAILING(*(uint64_t*)0x200000c8 = 1); NONFAILING(*(uint64_t*)0x200000d0 = 3); NONFAILING(*(uint64_t*)0x200000d8 = 5); syscall(__NR_ioctl, r[18], 0x4020940d, 0x200000c0); break; case 72: res = syscall(__NR_socket, 0xa, 1, 0); if (res != -1) r[19] = res; break; case 73: syscall(__NR_ioctl, r[19], 0x4000008912, 0x20000100); break; case 74: NONFAILING(*(uint32_t*)0x20000000 = 2); syscall(__NR_setsockopt, r[19], 0x29, 1, 0x20000000, 4); break; case 75: syscall(__NR_socket, 2, 2, 0); break; case 76: res = syscall(__NR_socket, 0xa, 0x1000000000002, 0); if (res != -1) r[20] = res; break; case 77: NONFAILING(memcpy((void*)0x20000280, "\x02\x5c\xc8\x3d\x6d\x34\x5f\x8f\x76\x00\x70", 11)); syscall(__NR_ioctl, r[20], 0x8912, 0x20000280); break; case 78: syscall(__NR_socketpair, 2, 6, 0, 0x20000000); break; case 79: syscall(__NR_socket, 0x26, 5, 0); break; case 80: res = syscall(__NR_socket, 0xa, 1, 0xab); if (res != -1) r[21] = res; break; case 81: NONFAILING(memcpy((void*)0x20000100, "\x29\x5e\xe1\x31\x1f\x16\xf4\x77\x67\x10\x70", 11)); syscall(__NR_ioctl, r[21], 0x4000008912, 0x20000100); break; case 82: res = syscall(__NR_socket, 2, 2, 0); if (res != -1) r[22] = res; break; case 83: NONFAILING(*(uint32_t*)0x20000080 = 5); NONFAILING(*(uint32_t*)0x20000084 = 5); NONFAILING(*(uint32_t*)0x20000088 = 0x3f); NONFAILING(*(uint32_t*)0x2000008c = 0xbd4); NONFAILING(*(uint32_t*)0x20000090 = 4); NONFAILING(*(uint64_t*)0x20000098 = 0x7f); syscall(__NR_ioctl, -1, 0xc0206416, 0x20000080); break; case 84: NONFAILING(*(uint32_t*)0x20000100 = 1); NONFAILING(memcpy( (void*)0x20000104, "\x69\x72\x6c\x61\x6e\x30\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", 16)); NONFAILING(*(uint32_t*)0x20000114 = 1); syscall(__NR_setsockopt, r[22], 0, 0x48c, 0x20000100, 0x18); break; case 85: NONFAILING(*(uint32_t*)0x20000100 = 0); syscall(__NR_setsockopt, -1, 0x10e, 2, 0x20000100, 4); break; case 86: res = syscall(__NR_socket, 0x2b, 1, 0); if (res != -1) r[23] = res; break; case 87: NONFAILING(*(uint32_t*)0x20001800 = 4); NONFAILING(*(uint64_t*)0x20001808 = 0x200017c0); NONFAILING(*(uint32_t*)0x200017c0 = 0x3e6); NONFAILING(*(uint32_t*)0x200017c4 = 5); NONFAILING(*(uint32_t*)0x200017c8 = 2); NONFAILING(*(uint32_t*)0x200017cc = 8); syscall(__NR_ioctl, -1, 0x4010641a, 0x20001800); break; case 88: syscall(__NR_listen, r[23], 0); break; case 89: NONFAILING(*(uint32_t*)0x200005c0 = 0); NONFAILING(*(uint32_t*)0x200005c4 = 0); NONFAILING(*(uint64_t*)0x200005c8 = 3); res = syscall(__NR_ioctl, -1, 0xc010640b, 0x200005c0); if (res != -1) NONFAILING(r[24] = *(uint32_t*)0x200005c4); break; case 90: NONFAILING(*(uint32_t*)0x20001740 = 0); NONFAILING(*(uint32_t*)0x20001744 = r[24]); NONFAILING(*(uint64_t*)0x20001748 = 3); res = syscall(__NR_ioctl, -1, 0xc010640b, 0x20001740); if (res != -1) NONFAILING(r[25] = *(uint32_t*)0x20001740); break; case 91: NONFAILING(*(uint32_t*)0x200000c0 = 0); NONFAILING(*(uint32_t*)0x200000c4 = r[25]); syscall(__NR_ioctl, 0xffffff9c, 0xc008640a, 0x200000c0); break; case 92: NONFAILING(*(uint32_t*)0x20002840 = 0x1000); syscall(__NR_getsockopt, -1, 1, 0x37, 0x20001840, 0x20002840); break; case 93: NONFAILING(*(uint32_t*)0x200002c0 = 8); syscall(__NR_getsockopt, r[23], 1, 0x39, 0x20000280, 0x200002c0); break; case 94: NONFAILING(*(uint32_t*)0x20000200 = 4); NONFAILING(*(uint64_t*)0x20000208 = 0x200001c0); syscall(__NR_ioctl, -1, 0xc0106426, 0x20000200); break; case 95: NONFAILING(*(uint32_t*)0x20000080 = 0x68); syscall(__NR_getsockopt, r[23], 0, 0x483, 0x20000000, 0x20000080); break; case 96: syscall(__NR_socket, 0x18, 1, 0); break; } } void execute_one() { execute(97); collide = 1; execute(97); } int main() { syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0); install_segv_handler(); char* cwd = get_current_dir_name(); for (;;) { if (chdir(cwd)) fail("failed to chdir"); use_temporary_dir(); int pid = do_sandbox_none(); int status = 0; while (waitpid(pid, &status, __WALL) != pid) { } } }