// https://syzkaller.appspot.com/bug?id=c90b146144fcef1e45d570dda6413d863242eccb // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include static unsigned long long procid; static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void use_temporary_dir(void) { char tmpdir_template[] = "./syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) exit(1); if (chmod(tmpdir, 0777)) exit(1); if (chdir(tmpdir)) exit(1); } static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); pthread_attr_setstacksize(&attr, 128 << 10); int i = 0; for (; i < 100; i++) { if (pthread_create(&th, &attr, fn, arg) == 0) { pthread_attr_destroy(&attr); return; } if (errno == EAGAIN) { usleep(50); continue; } break; } exit(1); } typedef struct { int state; } event_t; static void event_init(event_t* ev) { ev->state = 0; } static void event_reset(event_t* ev) { ev->state = 0; } static void event_set(event_t* ev) { if (ev->state) exit(1); __atomic_store_n(&ev->state, 1, __ATOMIC_RELEASE); syscall(SYS_futex, &ev->state, FUTEX_WAKE | FUTEX_PRIVATE_FLAG, 1000000); } static void event_wait(event_t* ev) { while (!__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, 0); } static int event_isset(event_t* ev) { return 
__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE); } static int event_timedwait(event_t* ev, uint64_t timeout) { uint64_t start = current_time_ms(); uint64_t now = start; for (;;) { uint64_t remain = timeout - (now - start); struct timespec ts; ts.tv_sec = remain / 1000; ts.tv_nsec = (remain % 1000) * 1000 * 1000; syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, &ts); if (__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) return 1; now = current_time_ms(); if (now - start > timeout) return 0; } } static bool write_file(const char* file, const char* what, ...) { char buf[1024]; va_list args; va_start(args, what); vsnprintf(buf, sizeof(buf), what, args); va_end(args); buf[sizeof(buf) - 1] = 0; int len = strlen(buf); int fd = open(file, O_WRONLY | O_CLOEXEC); if (fd == -1) return false; if (write(fd, buf, len) != len) { int err = errno; close(fd); errno = err; return false; } close(fd); return true; } struct nlmsg { char* pos; int nesting; struct nlattr* nested[8]; char buf[4096]; }; static void netlink_init(struct nlmsg* nlmsg, int typ, int flags, const void* data, int size) { memset(nlmsg, 0, sizeof(*nlmsg)); struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf; hdr->nlmsg_type = typ; hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags; memcpy(hdr + 1, data, size); nlmsg->pos = (char*)(hdr + 1) + NLMSG_ALIGN(size); } static void netlink_attr(struct nlmsg* nlmsg, int typ, const void* data, int size) { struct nlattr* attr = (struct nlattr*)nlmsg->pos; attr->nla_len = sizeof(*attr) + size; attr->nla_type = typ; if (size > 0) memcpy(attr + 1, data, size); nlmsg->pos += NLMSG_ALIGN(attr->nla_len); } static void netlink_nest(struct nlmsg* nlmsg, int typ) { struct nlattr* attr = (struct nlattr*)nlmsg->pos; attr->nla_type = typ; nlmsg->pos += sizeof(*attr); nlmsg->nested[nlmsg->nesting++] = attr; } static void netlink_done(struct nlmsg* nlmsg) { struct nlattr* attr = nlmsg->nested[--nlmsg->nesting]; attr->nla_len = nlmsg->pos - (char*)attr; } static int 
netlink_send_ext(struct nlmsg* nlmsg, int sock, uint16_t reply_type, int* reply_len, bool dofail) { if (nlmsg->pos > nlmsg->buf + sizeof(nlmsg->buf) || nlmsg->nesting) exit(1); struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf; hdr->nlmsg_len = nlmsg->pos - nlmsg->buf; struct sockaddr_nl addr; memset(&addr, 0, sizeof(addr)); addr.nl_family = AF_NETLINK; ssize_t n = sendto(sock, nlmsg->buf, hdr->nlmsg_len, 0, (struct sockaddr*)&addr, sizeof(addr)); if (n != (ssize_t)hdr->nlmsg_len) { if (dofail) exit(1); return -1; } n = recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0); if (reply_len) *reply_len = 0; if (n < 0) { if (dofail) exit(1); return -1; } if (n < (ssize_t)sizeof(struct nlmsghdr)) { errno = EINVAL; if (dofail) exit(1); return -1; } if (hdr->nlmsg_type == NLMSG_DONE) return 0; if (reply_len && hdr->nlmsg_type == reply_type) { *reply_len = n; return 0; } if (n < (ssize_t)(sizeof(struct nlmsghdr) + sizeof(struct nlmsgerr))) { errno = EINVAL; if (dofail) exit(1); return -1; } if (hdr->nlmsg_type != NLMSG_ERROR) { errno = EINVAL; if (dofail) exit(1); return -1; } errno = -((struct nlmsgerr*)(hdr + 1))->error; return -errno; } static int netlink_send(struct nlmsg* nlmsg, int sock) { return netlink_send_ext(nlmsg, sock, 0, NULL, true); } static int netlink_query_family_id(struct nlmsg* nlmsg, int sock, const char* family_name, bool dofail) { struct genlmsghdr genlhdr; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = CTRL_CMD_GETFAMILY; netlink_init(nlmsg, GENL_ID_CTRL, 0, &genlhdr, sizeof(genlhdr)); netlink_attr(nlmsg, CTRL_ATTR_FAMILY_NAME, family_name, strnlen(family_name, GENL_NAMSIZ - 1) + 1); int n = 0; int err = netlink_send_ext(nlmsg, sock, GENL_ID_CTRL, &n, dofail); if (err < 0) { return -1; } uint16_t id = 0; struct nlattr* attr = (struct nlattr*)(nlmsg->buf + NLMSG_HDRLEN + NLMSG_ALIGN(sizeof(genlhdr))); for (; (char*)attr < nlmsg->buf + n; attr = (struct nlattr*)((char*)attr + NLMSG_ALIGN(attr->nla_len))) { if (attr->nla_type == CTRL_ATTR_FAMILY_ID) { 
id = *(uint16_t*)(attr + 1); break; } } if (!id) { errno = EINVAL; return -1; } recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0); return id; } static int netlink_next_msg(struct nlmsg* nlmsg, unsigned int offset, unsigned int total_len) { struct nlmsghdr* hdr = (struct nlmsghdr*)(nlmsg->buf + offset); if (offset == total_len || offset + hdr->nlmsg_len > total_len) return -1; return hdr->nlmsg_len; } static void netlink_add_device_impl(struct nlmsg* nlmsg, const char* type, const char* name, bool up) { struct ifinfomsg hdr; memset(&hdr, 0, sizeof(hdr)); if (up) hdr.ifi_flags = hdr.ifi_change = IFF_UP; netlink_init(nlmsg, RTM_NEWLINK, NLM_F_EXCL | NLM_F_CREATE, &hdr, sizeof(hdr)); if (name) netlink_attr(nlmsg, IFLA_IFNAME, name, strlen(name)); netlink_nest(nlmsg, IFLA_LINKINFO); netlink_attr(nlmsg, IFLA_INFO_KIND, type, strlen(type)); } static void netlink_add_device(struct nlmsg* nlmsg, int sock, const char* type, const char* name) { netlink_add_device_impl(nlmsg, type, name, false); netlink_done(nlmsg); int err = netlink_send(nlmsg, sock); if (err < 0) { } } static void netlink_add_veth(struct nlmsg* nlmsg, int sock, const char* name, const char* peer) { netlink_add_device_impl(nlmsg, "veth", name, false); netlink_nest(nlmsg, IFLA_INFO_DATA); netlink_nest(nlmsg, VETH_INFO_PEER); nlmsg->pos += sizeof(struct ifinfomsg); netlink_attr(nlmsg, IFLA_IFNAME, peer, strlen(peer)); netlink_done(nlmsg); netlink_done(nlmsg); netlink_done(nlmsg); int err = netlink_send(nlmsg, sock); if (err < 0) { } } static void netlink_add_xfrm(struct nlmsg* nlmsg, int sock, const char* name) { netlink_add_device_impl(nlmsg, "xfrm", name, true); netlink_nest(nlmsg, IFLA_INFO_DATA); int if_id = 1; netlink_attr(nlmsg, 2, &if_id, sizeof(if_id)); netlink_done(nlmsg); netlink_done(nlmsg); int err = netlink_send(nlmsg, sock); if (err < 0) { } } static void netlink_add_hsr(struct nlmsg* nlmsg, int sock, const char* name, const char* slave1, const char* slave2) { netlink_add_device_impl(nlmsg, "hsr", 
name, false); netlink_nest(nlmsg, IFLA_INFO_DATA); int ifindex1 = if_nametoindex(slave1); netlink_attr(nlmsg, IFLA_HSR_SLAVE1, &ifindex1, sizeof(ifindex1)); int ifindex2 = if_nametoindex(slave2); netlink_attr(nlmsg, IFLA_HSR_SLAVE2, &ifindex2, sizeof(ifindex2)); netlink_done(nlmsg); netlink_done(nlmsg); int err = netlink_send(nlmsg, sock); if (err < 0) { } } static void netlink_add_linked(struct nlmsg* nlmsg, int sock, const char* type, const char* name, const char* link) { netlink_add_device_impl(nlmsg, type, name, false); netlink_done(nlmsg); int ifindex = if_nametoindex(link); netlink_attr(nlmsg, IFLA_LINK, &ifindex, sizeof(ifindex)); int err = netlink_send(nlmsg, sock); if (err < 0) { } } static void netlink_add_vlan(struct nlmsg* nlmsg, int sock, const char* name, const char* link, uint16_t id, uint16_t proto) { netlink_add_device_impl(nlmsg, "vlan", name, false); netlink_nest(nlmsg, IFLA_INFO_DATA); netlink_attr(nlmsg, IFLA_VLAN_ID, &id, sizeof(id)); netlink_attr(nlmsg, IFLA_VLAN_PROTOCOL, &proto, sizeof(proto)); netlink_done(nlmsg); netlink_done(nlmsg); int ifindex = if_nametoindex(link); netlink_attr(nlmsg, IFLA_LINK, &ifindex, sizeof(ifindex)); int err = netlink_send(nlmsg, sock); if (err < 0) { } } static void netlink_add_macvlan(struct nlmsg* nlmsg, int sock, const char* name, const char* link) { netlink_add_device_impl(nlmsg, "macvlan", name, false); netlink_nest(nlmsg, IFLA_INFO_DATA); uint32_t mode = MACVLAN_MODE_BRIDGE; netlink_attr(nlmsg, IFLA_MACVLAN_MODE, &mode, sizeof(mode)); netlink_done(nlmsg); netlink_done(nlmsg); int ifindex = if_nametoindex(link); netlink_attr(nlmsg, IFLA_LINK, &ifindex, sizeof(ifindex)); int err = netlink_send(nlmsg, sock); if (err < 0) { } } static void netlink_add_geneve(struct nlmsg* nlmsg, int sock, const char* name, uint32_t vni, struct in_addr* addr4, struct in6_addr* addr6) { netlink_add_device_impl(nlmsg, "geneve", name, false); netlink_nest(nlmsg, IFLA_INFO_DATA); netlink_attr(nlmsg, IFLA_GENEVE_ID, &vni, 
sizeof(vni)); if (addr4) netlink_attr(nlmsg, IFLA_GENEVE_REMOTE, addr4, sizeof(*addr4)); if (addr6) netlink_attr(nlmsg, IFLA_GENEVE_REMOTE6, addr6, sizeof(*addr6)); netlink_done(nlmsg); netlink_done(nlmsg); int err = netlink_send(nlmsg, sock); if (err < 0) { } } #define IFLA_IPVLAN_FLAGS 2 #define IPVLAN_MODE_L3S 2 #undef IPVLAN_F_VEPA #define IPVLAN_F_VEPA 2 static void netlink_add_ipvlan(struct nlmsg* nlmsg, int sock, const char* name, const char* link, uint16_t mode, uint16_t flags) { netlink_add_device_impl(nlmsg, "ipvlan", name, false); netlink_nest(nlmsg, IFLA_INFO_DATA); netlink_attr(nlmsg, IFLA_IPVLAN_MODE, &mode, sizeof(mode)); netlink_attr(nlmsg, IFLA_IPVLAN_FLAGS, &flags, sizeof(flags)); netlink_done(nlmsg); netlink_done(nlmsg); int ifindex = if_nametoindex(link); netlink_attr(nlmsg, IFLA_LINK, &ifindex, sizeof(ifindex)); int err = netlink_send(nlmsg, sock); if (err < 0) { } } static void netlink_device_change(struct nlmsg* nlmsg, int sock, const char* name, bool up, const char* master, const void* mac, int macsize, const char* new_name) { struct ifinfomsg hdr; memset(&hdr, 0, sizeof(hdr)); if (up) hdr.ifi_flags = hdr.ifi_change = IFF_UP; hdr.ifi_index = if_nametoindex(name); netlink_init(nlmsg, RTM_NEWLINK, 0, &hdr, sizeof(hdr)); if (new_name) netlink_attr(nlmsg, IFLA_IFNAME, new_name, strlen(new_name)); if (master) { int ifindex = if_nametoindex(master); netlink_attr(nlmsg, IFLA_MASTER, &ifindex, sizeof(ifindex)); } if (macsize) netlink_attr(nlmsg, IFLA_ADDRESS, mac, macsize); int err = netlink_send(nlmsg, sock); if (err < 0) { } } static int netlink_add_addr(struct nlmsg* nlmsg, int sock, const char* dev, const void* addr, int addrsize) { struct ifaddrmsg hdr; memset(&hdr, 0, sizeof(hdr)); hdr.ifa_family = addrsize == 4 ? AF_INET : AF_INET6; hdr.ifa_prefixlen = addrsize == 4 ? 
24 : 120; hdr.ifa_scope = RT_SCOPE_UNIVERSE; hdr.ifa_index = if_nametoindex(dev); netlink_init(nlmsg, RTM_NEWADDR, NLM_F_CREATE | NLM_F_REPLACE, &hdr, sizeof(hdr)); netlink_attr(nlmsg, IFA_LOCAL, addr, addrsize); netlink_attr(nlmsg, IFA_ADDRESS, addr, addrsize); return netlink_send(nlmsg, sock); } static void netlink_add_addr4(struct nlmsg* nlmsg, int sock, const char* dev, const char* addr) { struct in_addr in_addr; inet_pton(AF_INET, addr, &in_addr); int err = netlink_add_addr(nlmsg, sock, dev, &in_addr, sizeof(in_addr)); if (err < 0) { } } static void netlink_add_addr6(struct nlmsg* nlmsg, int sock, const char* dev, const char* addr) { struct in6_addr in6_addr; inet_pton(AF_INET6, addr, &in6_addr); int err = netlink_add_addr(nlmsg, sock, dev, &in6_addr, sizeof(in6_addr)); if (err < 0) { } } static void netlink_add_neigh(struct nlmsg* nlmsg, int sock, const char* name, const void* addr, int addrsize, const void* mac, int macsize) { struct ndmsg hdr; memset(&hdr, 0, sizeof(hdr)); hdr.ndm_family = addrsize == 4 ? 
AF_INET : AF_INET6; hdr.ndm_ifindex = if_nametoindex(name); hdr.ndm_state = NUD_PERMANENT; netlink_init(nlmsg, RTM_NEWNEIGH, NLM_F_EXCL | NLM_F_CREATE, &hdr, sizeof(hdr)); netlink_attr(nlmsg, NDA_DST, addr, addrsize); netlink_attr(nlmsg, NDA_LLADDR, mac, macsize); int err = netlink_send(nlmsg, sock); if (err < 0) { } } static struct nlmsg nlmsg; static int tunfd = -1; #define TUN_IFACE "syz_tun" #define LOCAL_MAC 0xaaaaaaaaaaaa #define REMOTE_MAC 0xaaaaaaaaaabb #define LOCAL_IPV4 "172.20.20.170" #define REMOTE_IPV4 "172.20.20.187" #define LOCAL_IPV6 "fe80::aa" #define REMOTE_IPV6 "fe80::bb" #define IFF_NAPI 0x0010 static void initialize_tun(void) { tunfd = open("/dev/net/tun", O_RDWR | O_NONBLOCK); if (tunfd == -1) { printf("tun: can't open /dev/net/tun: please enable CONFIG_TUN=y\n"); printf("otherwise fuzzing or reproducing might not work as intended\n"); return; } const int kTunFd = 200; if (dup2(tunfd, kTunFd) < 0) exit(1); close(tunfd); tunfd = kTunFd; struct ifreq ifr; memset(&ifr, 0, sizeof(ifr)); strncpy(ifr.ifr_name, TUN_IFACE, IFNAMSIZ); ifr.ifr_flags = IFF_TAP | IFF_NO_PI; if (ioctl(tunfd, TUNSETIFF, (void*)&ifr) < 0) { exit(1); } char sysctl[64]; sprintf(sysctl, "/proc/sys/net/ipv6/conf/%s/accept_dad", TUN_IFACE); write_file(sysctl, "0"); sprintf(sysctl, "/proc/sys/net/ipv6/conf/%s/router_solicitations", TUN_IFACE); write_file(sysctl, "0"); int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE); if (sock == -1) exit(1); netlink_add_addr4(&nlmsg, sock, TUN_IFACE, LOCAL_IPV4); netlink_add_addr6(&nlmsg, sock, TUN_IFACE, LOCAL_IPV6); uint64_t macaddr = REMOTE_MAC; struct in_addr in_addr; inet_pton(AF_INET, REMOTE_IPV4, &in_addr); netlink_add_neigh(&nlmsg, sock, TUN_IFACE, &in_addr, sizeof(in_addr), &macaddr, ETH_ALEN); struct in6_addr in6_addr; inet_pton(AF_INET6, REMOTE_IPV6, &in6_addr); netlink_add_neigh(&nlmsg, sock, TUN_IFACE, &in6_addr, sizeof(in6_addr), &macaddr, ETH_ALEN); macaddr = LOCAL_MAC; netlink_device_change(&nlmsg, sock, TUN_IFACE, true, 0, 
&macaddr, ETH_ALEN, NULL); close(sock); } #define DEVLINK_FAMILY_NAME "devlink" #define DEVLINK_CMD_PORT_GET 5 #define DEVLINK_ATTR_BUS_NAME 1 #define DEVLINK_ATTR_DEV_NAME 2 #define DEVLINK_ATTR_NETDEV_NAME 7 static struct nlmsg nlmsg2; static void initialize_devlink_ports(const char* bus_name, const char* dev_name, const char* netdev_prefix) { struct genlmsghdr genlhdr; int len, total_len, id, err, offset; uint16_t netdev_index; int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC); if (sock == -1) exit(1); int rtsock = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE); if (rtsock == -1) exit(1); id = netlink_query_family_id(&nlmsg, sock, DEVLINK_FAMILY_NAME, true); if (id == -1) goto error; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = DEVLINK_CMD_PORT_GET; netlink_init(&nlmsg, id, NLM_F_DUMP, &genlhdr, sizeof(genlhdr)); netlink_attr(&nlmsg, DEVLINK_ATTR_BUS_NAME, bus_name, strlen(bus_name) + 1); netlink_attr(&nlmsg, DEVLINK_ATTR_DEV_NAME, dev_name, strlen(dev_name) + 1); err = netlink_send_ext(&nlmsg, sock, id, &total_len, true); if (err < 0) { goto error; } offset = 0; netdev_index = 0; while ((len = netlink_next_msg(&nlmsg, offset, total_len)) != -1) { struct nlattr* attr = (struct nlattr*)(nlmsg.buf + offset + NLMSG_HDRLEN + NLMSG_ALIGN(sizeof(genlhdr))); for (; (char*)attr < nlmsg.buf + offset + len; attr = (struct nlattr*)((char*)attr + NLMSG_ALIGN(attr->nla_len))) { if (attr->nla_type == DEVLINK_ATTR_NETDEV_NAME) { char* port_name; char netdev_name[IFNAMSIZ]; port_name = (char*)(attr + 1); snprintf(netdev_name, sizeof(netdev_name), "%s%d", netdev_prefix, netdev_index); netlink_device_change(&nlmsg2, rtsock, port_name, true, 0, 0, 0, netdev_name); break; } } offset += len; netdev_index++; } error: close(rtsock); close(sock); } static int runcmdline(char* cmdline) { int ret = system(cmdline); if (ret) { } return ret; } #define DEV_IPV4 "172.20.20.%d" #define DEV_IPV6 "fe80::%02x" #define DEV_MAC 0x00aaaaaaaaaa static void netdevsim_add(unsigned int addr, 
unsigned int port_count) { write_file("/sys/bus/netdevsim/del_device", "%u", addr); if (write_file("/sys/bus/netdevsim/new_device", "%u %u", addr, port_count)) { char buf[32]; snprintf(buf, sizeof(buf), "netdevsim%d", addr); initialize_devlink_ports("netdevsim", buf, "netdevsim"); } } #define WG_GENL_NAME "wireguard" enum wg_cmd { WG_CMD_GET_DEVICE, WG_CMD_SET_DEVICE, }; enum wgdevice_attribute { WGDEVICE_A_UNSPEC, WGDEVICE_A_IFINDEX, WGDEVICE_A_IFNAME, WGDEVICE_A_PRIVATE_KEY, WGDEVICE_A_PUBLIC_KEY, WGDEVICE_A_FLAGS, WGDEVICE_A_LISTEN_PORT, WGDEVICE_A_FWMARK, WGDEVICE_A_PEERS, }; enum wgpeer_attribute { WGPEER_A_UNSPEC, WGPEER_A_PUBLIC_KEY, WGPEER_A_PRESHARED_KEY, WGPEER_A_FLAGS, WGPEER_A_ENDPOINT, WGPEER_A_PERSISTENT_KEEPALIVE_INTERVAL, WGPEER_A_LAST_HANDSHAKE_TIME, WGPEER_A_RX_BYTES, WGPEER_A_TX_BYTES, WGPEER_A_ALLOWEDIPS, WGPEER_A_PROTOCOL_VERSION, }; enum wgallowedip_attribute { WGALLOWEDIP_A_UNSPEC, WGALLOWEDIP_A_FAMILY, WGALLOWEDIP_A_IPADDR, WGALLOWEDIP_A_CIDR_MASK, }; static void netlink_wireguard_setup(void) { const char ifname_a[] = "wg0"; const char ifname_b[] = "wg1"; const char ifname_c[] = "wg2"; const char private_a[] = "\xa0\x5c\xa8\x4f\x6c\x9c\x8e\x38\x53\xe2\xfd\x7a\x70\xae\x0f\xb2\x0f\xa1" "\x52\x60\x0c\xb0\x08\x45\x17\x4f\x08\x07\x6f\x8d\x78\x43"; const char private_b[] = "\xb0\x80\x73\xe8\xd4\x4e\x91\xe3\xda\x92\x2c\x22\x43\x82\x44\xbb\x88\x5c" "\x69\xe2\x69\xc8\xe9\xd8\x35\xb1\x14\x29\x3a\x4d\xdc\x6e"; const char private_c[] = "\xa0\xcb\x87\x9a\x47\xf5\xbc\x64\x4c\x0e\x69\x3f\xa6\xd0\x31\xc7\x4a\x15" "\x53\xb6\xe9\x01\xb9\xff\x2f\x51\x8c\x78\x04\x2f\xb5\x42"; const char public_a[] = "\x97\x5c\x9d\x81\xc9\x83\xc8\x20\x9e\xe7\x81\x25\x4b\x89\x9f\x8e\xd9\x25" "\xae\x9f\x09\x23\xc2\x3c\x62\xf5\x3c\x57\xcd\xbf\x69\x1c"; const char public_b[] = "\xd1\x73\x28\x99\xf6\x11\xcd\x89\x94\x03\x4d\x7f\x41\x3d\xc9\x57\x63\x0e" "\x54\x93\xc2\x85\xac\xa4\x00\x65\xcb\x63\x11\xbe\x69\x6b"; const char public_c[] = 
"\xf4\x4d\xa3\x67\xa8\x8e\xe6\x56\x4f\x02\x02\x11\x45\x67\x27\x08\x2f\x5c" "\xeb\xee\x8b\x1b\xf5\xeb\x73\x37\x34\x1b\x45\x9b\x39\x22"; const uint16_t listen_a = 20001; const uint16_t listen_b = 20002; const uint16_t listen_c = 20003; const uint16_t af_inet = AF_INET; const uint16_t af_inet6 = AF_INET6; const struct sockaddr_in endpoint_b_v4 = { .sin_family = AF_INET, .sin_port = htons(listen_b), .sin_addr = {htonl(INADDR_LOOPBACK)}}; const struct sockaddr_in endpoint_c_v4 = { .sin_family = AF_INET, .sin_port = htons(listen_c), .sin_addr = {htonl(INADDR_LOOPBACK)}}; struct sockaddr_in6 endpoint_a_v6 = {.sin6_family = AF_INET6, .sin6_port = htons(listen_a)}; endpoint_a_v6.sin6_addr = in6addr_loopback; struct sockaddr_in6 endpoint_c_v6 = {.sin6_family = AF_INET6, .sin6_port = htons(listen_c)}; endpoint_c_v6.sin6_addr = in6addr_loopback; const struct in_addr first_half_v4 = {0}; const struct in_addr second_half_v4 = {(uint32_t)htonl(128 << 24)}; const struct in6_addr first_half_v6 = {{{0}}}; const struct in6_addr second_half_v6 = {{{0x80}}}; const uint8_t half_cidr = 1; const uint16_t persistent_keepalives[] = {1, 3, 7, 9, 14, 19}; struct genlmsghdr genlhdr = {.cmd = WG_CMD_SET_DEVICE, .version = 1}; int sock; int id, err; sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC); if (sock == -1) { return; } id = netlink_query_family_id(&nlmsg, sock, WG_GENL_NAME, true); if (id == -1) goto error; netlink_init(&nlmsg, id, 0, &genlhdr, sizeof(genlhdr)); netlink_attr(&nlmsg, WGDEVICE_A_IFNAME, ifname_a, strlen(ifname_a) + 1); netlink_attr(&nlmsg, WGDEVICE_A_PRIVATE_KEY, private_a, 32); netlink_attr(&nlmsg, WGDEVICE_A_LISTEN_PORT, &listen_a, 2); netlink_nest(&nlmsg, NLA_F_NESTED | WGDEVICE_A_PEERS); netlink_nest(&nlmsg, NLA_F_NESTED | 0); netlink_attr(&nlmsg, WGPEER_A_PUBLIC_KEY, public_b, 32); netlink_attr(&nlmsg, WGPEER_A_ENDPOINT, &endpoint_b_v4, sizeof(endpoint_b_v4)); netlink_attr(&nlmsg, WGPEER_A_PERSISTENT_KEEPALIVE_INTERVAL, &persistent_keepalives[0], 2); 
netlink_nest(&nlmsg, NLA_F_NESTED | WGPEER_A_ALLOWEDIPS); netlink_nest(&nlmsg, NLA_F_NESTED | 0); netlink_attr(&nlmsg, WGALLOWEDIP_A_FAMILY, &af_inet, 2); netlink_attr(&nlmsg, WGALLOWEDIP_A_IPADDR, &first_half_v4, sizeof(first_half_v4)); netlink_attr(&nlmsg, WGALLOWEDIP_A_CIDR_MASK, &half_cidr, 1); netlink_done(&nlmsg); netlink_nest(&nlmsg, NLA_F_NESTED | 0); netlink_attr(&nlmsg, WGALLOWEDIP_A_FAMILY, &af_inet6, 2); netlink_attr(&nlmsg, WGALLOWEDIP_A_IPADDR, &first_half_v6, sizeof(first_half_v6)); netlink_attr(&nlmsg, WGALLOWEDIP_A_CIDR_MASK, &half_cidr, 1); netlink_done(&nlmsg); netlink_done(&nlmsg); netlink_done(&nlmsg); netlink_nest(&nlmsg, NLA_F_NESTED | 0); netlink_attr(&nlmsg, WGPEER_A_PUBLIC_KEY, public_c, 32); netlink_attr(&nlmsg, WGPEER_A_ENDPOINT, &endpoint_c_v6, sizeof(endpoint_c_v6)); netlink_attr(&nlmsg, WGPEER_A_PERSISTENT_KEEPALIVE_INTERVAL, &persistent_keepalives[1], 2); netlink_nest(&nlmsg, NLA_F_NESTED | WGPEER_A_ALLOWEDIPS); netlink_nest(&nlmsg, NLA_F_NESTED | 0); netlink_attr(&nlmsg, WGALLOWEDIP_A_FAMILY, &af_inet, 2); netlink_attr(&nlmsg, WGALLOWEDIP_A_IPADDR, &second_half_v4, sizeof(second_half_v4)); netlink_attr(&nlmsg, WGALLOWEDIP_A_CIDR_MASK, &half_cidr, 1); netlink_done(&nlmsg); netlink_nest(&nlmsg, NLA_F_NESTED | 0); netlink_attr(&nlmsg, WGALLOWEDIP_A_FAMILY, &af_inet6, 2); netlink_attr(&nlmsg, WGALLOWEDIP_A_IPADDR, &second_half_v6, sizeof(second_half_v6)); netlink_attr(&nlmsg, WGALLOWEDIP_A_CIDR_MASK, &half_cidr, 1); netlink_done(&nlmsg); netlink_done(&nlmsg); netlink_done(&nlmsg); netlink_done(&nlmsg); err = netlink_send(&nlmsg, sock); if (err < 0) { } netlink_init(&nlmsg, id, 0, &genlhdr, sizeof(genlhdr)); netlink_attr(&nlmsg, WGDEVICE_A_IFNAME, ifname_b, strlen(ifname_b) + 1); netlink_attr(&nlmsg, WGDEVICE_A_PRIVATE_KEY, private_b, 32); netlink_attr(&nlmsg, WGDEVICE_A_LISTEN_PORT, &listen_b, 2); netlink_nest(&nlmsg, NLA_F_NESTED | WGDEVICE_A_PEERS); netlink_nest(&nlmsg, NLA_F_NESTED | 0); netlink_attr(&nlmsg, WGPEER_A_PUBLIC_KEY, 
public_a, 32); netlink_attr(&nlmsg, WGPEER_A_ENDPOINT, &endpoint_a_v6, sizeof(endpoint_a_v6)); netlink_attr(&nlmsg, WGPEER_A_PERSISTENT_KEEPALIVE_INTERVAL, &persistent_keepalives[2], 2); netlink_nest(&nlmsg, NLA_F_NESTED | WGPEER_A_ALLOWEDIPS); netlink_nest(&nlmsg, NLA_F_NESTED | 0); netlink_attr(&nlmsg, WGALLOWEDIP_A_FAMILY, &af_inet, 2); netlink_attr(&nlmsg, WGALLOWEDIP_A_IPADDR, &first_half_v4, sizeof(first_half_v4)); netlink_attr(&nlmsg, WGALLOWEDIP_A_CIDR_MASK, &half_cidr, 1); netlink_done(&nlmsg); netlink_nest(&nlmsg, NLA_F_NESTED | 0); netlink_attr(&nlmsg, WGALLOWEDIP_A_FAMILY, &af_inet6, 2); netlink_attr(&nlmsg, WGALLOWEDIP_A_IPADDR, &first_half_v6, sizeof(first_half_v6)); netlink_attr(&nlmsg, WGALLOWEDIP_A_CIDR_MASK, &half_cidr, 1); netlink_done(&nlmsg); netlink_done(&nlmsg); netlink_done(&nlmsg); netlink_nest(&nlmsg, NLA_F_NESTED | 0); netlink_attr(&nlmsg, WGPEER_A_PUBLIC_KEY, public_c, 32); netlink_attr(&nlmsg, WGPEER_A_ENDPOINT, &endpoint_c_v4, sizeof(endpoint_c_v4)); netlink_attr(&nlmsg, WGPEER_A_PERSISTENT_KEEPALIVE_INTERVAL, &persistent_keepalives[3], 2); netlink_nest(&nlmsg, NLA_F_NESTED | WGPEER_A_ALLOWEDIPS); netlink_nest(&nlmsg, NLA_F_NESTED | 0); netlink_attr(&nlmsg, WGALLOWEDIP_A_FAMILY, &af_inet, 2); netlink_attr(&nlmsg, WGALLOWEDIP_A_IPADDR, &second_half_v4, sizeof(second_half_v4)); netlink_attr(&nlmsg, WGALLOWEDIP_A_CIDR_MASK, &half_cidr, 1); netlink_done(&nlmsg); netlink_nest(&nlmsg, NLA_F_NESTED | 0); netlink_attr(&nlmsg, WGALLOWEDIP_A_FAMILY, &af_inet6, 2); netlink_attr(&nlmsg, WGALLOWEDIP_A_IPADDR, &second_half_v6, sizeof(second_half_v6)); netlink_attr(&nlmsg, WGALLOWEDIP_A_CIDR_MASK, &half_cidr, 1); netlink_done(&nlmsg); netlink_done(&nlmsg); netlink_done(&nlmsg); netlink_done(&nlmsg); err = netlink_send(&nlmsg, sock); if (err < 0) { } netlink_init(&nlmsg, id, 0, &genlhdr, sizeof(genlhdr)); netlink_attr(&nlmsg, WGDEVICE_A_IFNAME, ifname_c, strlen(ifname_c) + 1); netlink_attr(&nlmsg, WGDEVICE_A_PRIVATE_KEY, private_c, 32); 
netlink_attr(&nlmsg, WGDEVICE_A_LISTEN_PORT, &listen_c, 2); netlink_nest(&nlmsg, NLA_F_NESTED | WGDEVICE_A_PEERS); netlink_nest(&nlmsg, NLA_F_NESTED | 0); netlink_attr(&nlmsg, WGPEER_A_PUBLIC_KEY, public_a, 32); netlink_attr(&nlmsg, WGPEER_A_ENDPOINT, &endpoint_a_v6, sizeof(endpoint_a_v6)); netlink_attr(&nlmsg, WGPEER_A_PERSISTENT_KEEPALIVE_INTERVAL, &persistent_keepalives[4], 2); netlink_nest(&nlmsg, NLA_F_NESTED | WGPEER_A_ALLOWEDIPS); netlink_nest(&nlmsg, NLA_F_NESTED | 0); netlink_attr(&nlmsg, WGALLOWEDIP_A_FAMILY, &af_inet, 2); netlink_attr(&nlmsg, WGALLOWEDIP_A_IPADDR, &first_half_v4, sizeof(first_half_v4)); netlink_attr(&nlmsg, WGALLOWEDIP_A_CIDR_MASK, &half_cidr, 1); netlink_done(&nlmsg); netlink_nest(&nlmsg, NLA_F_NESTED | 0); netlink_attr(&nlmsg, WGALLOWEDIP_A_FAMILY, &af_inet6, 2); netlink_attr(&nlmsg, WGALLOWEDIP_A_IPADDR, &first_half_v6, sizeof(first_half_v6)); netlink_attr(&nlmsg, WGALLOWEDIP_A_CIDR_MASK, &half_cidr, 1); netlink_done(&nlmsg); netlink_done(&nlmsg); netlink_done(&nlmsg); netlink_nest(&nlmsg, NLA_F_NESTED | 0); netlink_attr(&nlmsg, WGPEER_A_PUBLIC_KEY, public_b, 32); netlink_attr(&nlmsg, WGPEER_A_ENDPOINT, &endpoint_b_v4, sizeof(endpoint_b_v4)); netlink_attr(&nlmsg, WGPEER_A_PERSISTENT_KEEPALIVE_INTERVAL, &persistent_keepalives[5], 2); netlink_nest(&nlmsg, NLA_F_NESTED | WGPEER_A_ALLOWEDIPS); netlink_nest(&nlmsg, NLA_F_NESTED | 0); netlink_attr(&nlmsg, WGALLOWEDIP_A_FAMILY, &af_inet, 2); netlink_attr(&nlmsg, WGALLOWEDIP_A_IPADDR, &second_half_v4, sizeof(second_half_v4)); netlink_attr(&nlmsg, WGALLOWEDIP_A_CIDR_MASK, &half_cidr, 1); netlink_done(&nlmsg); netlink_nest(&nlmsg, NLA_F_NESTED | 0); netlink_attr(&nlmsg, WGALLOWEDIP_A_FAMILY, &af_inet6, 2); netlink_attr(&nlmsg, WGALLOWEDIP_A_IPADDR, &second_half_v6, sizeof(second_half_v6)); netlink_attr(&nlmsg, WGALLOWEDIP_A_CIDR_MASK, &half_cidr, 1); netlink_done(&nlmsg); netlink_done(&nlmsg); netlink_done(&nlmsg); netlink_done(&nlmsg); err = netlink_send(&nlmsg, sock); if (err < 0) { } error: 
close(sock); } static void initialize_netdevices(void) { char netdevsim[16]; sprintf(netdevsim, "netdevsim%d", (int)procid); struct { const char* type; const char* dev; } devtypes[] = { {"ip6gretap", "ip6gretap0"}, {"bridge", "bridge0"}, {"vcan", "vcan0"}, {"bond", "bond0"}, {"team", "team0"}, {"dummy", "dummy0"}, {"nlmon", "nlmon0"}, {"caif", "caif0"}, {"batadv", "batadv0"}, {"vxcan", "vxcan1"}, {"veth", 0}, {"wireguard", "wg0"}, {"wireguard", "wg1"}, {"wireguard", "wg2"}, }; const char* devmasters[] = {"bridge", "bond", "team", "batadv"}; struct { const char* name; int macsize; bool noipv6; } devices[] = { {"lo", ETH_ALEN}, {"sit0", 0}, {"bridge0", ETH_ALEN}, {"vcan0", 0, true}, {"tunl0", 0}, {"gre0", 0}, {"gretap0", ETH_ALEN}, {"ip_vti0", 0}, {"ip6_vti0", 0}, {"ip6tnl0", 0}, {"ip6gre0", 0}, {"ip6gretap0", ETH_ALEN}, {"erspan0", ETH_ALEN}, {"bond0", ETH_ALEN}, {"veth0", ETH_ALEN}, {"veth1", ETH_ALEN}, {"team0", ETH_ALEN}, {"veth0_to_bridge", ETH_ALEN}, {"veth1_to_bridge", ETH_ALEN}, {"veth0_to_bond", ETH_ALEN}, {"veth1_to_bond", ETH_ALEN}, {"veth0_to_team", ETH_ALEN}, {"veth1_to_team", ETH_ALEN}, {"veth0_to_hsr", ETH_ALEN}, {"veth1_to_hsr", ETH_ALEN}, {"hsr0", 0}, {"dummy0", ETH_ALEN}, {"nlmon0", 0}, {"vxcan0", 0, true}, {"vxcan1", 0, true}, {"caif0", ETH_ALEN}, {"batadv0", ETH_ALEN}, {netdevsim, ETH_ALEN}, {"xfrm0", ETH_ALEN}, {"veth0_virt_wifi", ETH_ALEN}, {"veth1_virt_wifi", ETH_ALEN}, {"virt_wifi0", ETH_ALEN}, {"veth0_vlan", ETH_ALEN}, {"veth1_vlan", ETH_ALEN}, {"vlan0", ETH_ALEN}, {"vlan1", ETH_ALEN}, {"macvlan0", ETH_ALEN}, {"macvlan1", ETH_ALEN}, {"ipvlan0", ETH_ALEN}, {"ipvlan1", ETH_ALEN}, {"veth0_macvtap", ETH_ALEN}, {"veth1_macvtap", ETH_ALEN}, {"macvtap0", ETH_ALEN}, {"macsec0", ETH_ALEN}, {"veth0_to_batadv", ETH_ALEN}, {"veth1_to_batadv", ETH_ALEN}, {"batadv_slave_0", ETH_ALEN}, {"batadv_slave_1", ETH_ALEN}, {"geneve0", ETH_ALEN}, {"geneve1", ETH_ALEN}, {"wg0", 0}, {"wg1", 0}, {"wg2", 0}, }; int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE); if 
(sock == -1) exit(1); unsigned i; for (i = 0; i < sizeof(devtypes) / sizeof(devtypes[0]); i++) netlink_add_device(&nlmsg, sock, devtypes[i].type, devtypes[i].dev); for (i = 0; i < sizeof(devmasters) / (sizeof(devmasters[0])); i++) { char master[32], slave0[32], veth0[32], slave1[32], veth1[32]; sprintf(slave0, "%s_slave_0", devmasters[i]); sprintf(veth0, "veth0_to_%s", devmasters[i]); netlink_add_veth(&nlmsg, sock, slave0, veth0); sprintf(slave1, "%s_slave_1", devmasters[i]); sprintf(veth1, "veth1_to_%s", devmasters[i]); netlink_add_veth(&nlmsg, sock, slave1, veth1); sprintf(master, "%s0", devmasters[i]); netlink_device_change(&nlmsg, sock, slave0, false, master, 0, 0, NULL); netlink_device_change(&nlmsg, sock, slave1, false, master, 0, 0, NULL); } netlink_add_xfrm(&nlmsg, sock, "xfrm0"); netlink_device_change(&nlmsg, sock, "bridge_slave_0", true, 0, 0, 0, NULL); netlink_device_change(&nlmsg, sock, "bridge_slave_1", true, 0, 0, 0, NULL); netlink_add_veth(&nlmsg, sock, "hsr_slave_0", "veth0_to_hsr"); netlink_add_veth(&nlmsg, sock, "hsr_slave_1", "veth1_to_hsr"); netlink_add_hsr(&nlmsg, sock, "hsr0", "hsr_slave_0", "hsr_slave_1"); netlink_device_change(&nlmsg, sock, "hsr_slave_0", true, 0, 0, 0, NULL); netlink_device_change(&nlmsg, sock, "hsr_slave_1", true, 0, 0, 0, NULL); netlink_add_veth(&nlmsg, sock, "veth0_virt_wifi", "veth1_virt_wifi"); netlink_add_linked(&nlmsg, sock, "virt_wifi", "virt_wifi0", "veth1_virt_wifi"); netlink_add_veth(&nlmsg, sock, "veth0_vlan", "veth1_vlan"); netlink_add_vlan(&nlmsg, sock, "vlan0", "veth0_vlan", 0, htons(ETH_P_8021Q)); netlink_add_vlan(&nlmsg, sock, "vlan1", "veth0_vlan", 1, htons(ETH_P_8021AD)); netlink_add_macvlan(&nlmsg, sock, "macvlan0", "veth1_vlan"); netlink_add_macvlan(&nlmsg, sock, "macvlan1", "veth1_vlan"); netlink_add_ipvlan(&nlmsg, sock, "ipvlan0", "veth0_vlan", IPVLAN_MODE_L2, 0); netlink_add_ipvlan(&nlmsg, sock, "ipvlan1", "veth0_vlan", IPVLAN_MODE_L3S, IPVLAN_F_VEPA); netlink_add_veth(&nlmsg, sock, "veth0_macvtap", 
"veth1_macvtap"); netlink_add_linked(&nlmsg, sock, "macvtap", "macvtap0", "veth0_macvtap"); netlink_add_linked(&nlmsg, sock, "macsec", "macsec0", "veth1_macvtap"); char addr[32]; sprintf(addr, DEV_IPV4, 14 + 10); struct in_addr geneve_addr4; if (inet_pton(AF_INET, addr, &geneve_addr4) <= 0) exit(1); struct in6_addr geneve_addr6; if (inet_pton(AF_INET6, "fc00::01", &geneve_addr6) <= 0) exit(1); netlink_add_geneve(&nlmsg, sock, "geneve0", 0, &geneve_addr4, 0); netlink_add_geneve(&nlmsg, sock, "geneve1", 1, 0, &geneve_addr6); netdevsim_add((int)procid, 4); netlink_wireguard_setup(); for (i = 0; i < sizeof(devices) / (sizeof(devices[0])); i++) { char addr[32]; sprintf(addr, DEV_IPV4, i + 10); netlink_add_addr4(&nlmsg, sock, devices[i].name, addr); if (!devices[i].noipv6) { sprintf(addr, DEV_IPV6, i + 10); netlink_add_addr6(&nlmsg, sock, devices[i].name, addr); } uint64_t macaddr = DEV_MAC + ((i + 10ull) << 40); netlink_device_change(&nlmsg, sock, devices[i].name, true, 0, &macaddr, devices[i].macsize, NULL); } close(sock); } static void initialize_netdevices_init(void) { int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE); if (sock == -1) exit(1); struct { const char* type; int macsize; bool noipv6; bool noup; } devtypes[] = { {"nr", 7, true}, {"rose", 5, true, true}, }; unsigned i; for (i = 0; i < sizeof(devtypes) / sizeof(devtypes[0]); i++) { char dev[32], addr[32]; sprintf(dev, "%s%d", devtypes[i].type, (int)procid); sprintf(addr, "172.30.%d.%d", i, (int)procid + 1); netlink_add_addr4(&nlmsg, sock, dev, addr); if (!devtypes[i].noipv6) { sprintf(addr, "fe88::%02x:%02x", i, (int)procid + 1); netlink_add_addr6(&nlmsg, sock, dev, addr); } int macsize = devtypes[i].macsize; uint64_t macaddr = 0xbbbbbb + ((unsigned long long)i << (8 * (macsize - 2))) + (procid << (8 * (macsize - 1))); netlink_device_change(&nlmsg, sock, dev, !devtypes[i].noup, 0, &macaddr, macsize, NULL); } close(sock); } static int read_tun(char* data, int size) { if (tunfd < 0) return -1; int rv = 
read(tunfd, data, size);
    if (rv < 0) {
        /* EAGAIN: nothing queued; EBADF/EBADFD: the fd is gone. Anything else is fatal. */
        if (errno == EAGAIN || errno == EBADF || errno == EBADFD)
            return -1;
        exit(1);
    }
    return rv;
}
/* Drains packets left on the TUN device by the previous program (called from setup_test). */
static void flush_tun()
{
    char data[1000];
    while (read_tun(&data[0], sizeof(data)) != -1) {
    }
}
/* close_fds() closes fds [3, MAX_FDS) after each program. */
#define MAX_FDS 30
/* Byte size of the buffers used to snapshot netfilter tables; a larger table is fatal in the checkpoint_* functions. */
#define XT_TABLE_SIZE 1536
/* Max entries per ip/arp table we snapshot; also the size of the xt_counters array handed to *_SO_SET_REPLACE. */
#define XT_MAX_ENTRIES 10
/*
 * Local copies of the x_tables / ip_tables uapi structures (presumably so
 * the reproducer builds without kernel headers). entrytable is a fixed
 * XT_TABLE_SIZE buffer.
 */
struct xt_counters {
    uint64_t pcnt, bcnt;
};
struct ipt_getinfo {
    char name[32];
    unsigned int valid_hooks;
    unsigned int hook_entry[5];
    unsigned int underflow[5];
    unsigned int num_entries;
    unsigned int size;
};
struct ipt_get_entries {
    char name[32];
    unsigned int size;
    uint64_t entrytable[XT_TABLE_SIZE / sizeof(uint64_t)];
};
struct ipt_replace {
    char name[32];
    unsigned int valid_hooks;
    unsigned int num_entries;
    unsigned int size;
    unsigned int hook_entry[5];
    unsigned int underflow[5];
    unsigned int num_counters;
    struct xt_counters* counters;
    uint64_t entrytable[XT_TABLE_SIZE / sizeof(uint64_t)];
};
/* One snapshotted table: its name, the GET_INFO header, and a ready-to-send SET_REPLACE request. */
struct ipt_table_desc {
    const char* name;
    struct ipt_getinfo info;
    struct ipt_replace replace;
};
static struct ipt_table_desc ipv4_tables[] = {
    {.name = "filter"},
    {.name = "nat"},
    {.name = "mangle"},
    {.name = "raw"},
    {.name = "security"},
};
static struct ipt_table_desc ipv6_tables[] = {
    {.name = "filter"},
    {.name = "nat"},
    {.name = "mangle"},
    {.name = "raw"},
    {.name = "security"},
};
/* iptables sockopt numbers (SET_REPLACE and GET_INFO share the base value). */
#define IPT_BASE_CTL 64
#define IPT_SO_SET_REPLACE (IPT_BASE_CTL)
#define IPT_SO_GET_INFO (IPT_BASE_CTL)
#define IPT_SO_GET_ENTRIES (IPT_BASE_CTL + 1)
/* arptables mirrors: same shape as the ipt_* structs, but with 3 hooks. */
struct arpt_getinfo {
    char name[32];
    unsigned int valid_hooks;
    unsigned int hook_entry[3];
    unsigned int underflow[3];
    unsigned int num_entries;
    unsigned int size;
};
struct arpt_get_entries {
    char name[32];
    unsigned int size;
    uint64_t entrytable[XT_TABLE_SIZE / sizeof(uint64_t)];
};
struct arpt_replace {
    char name[32];
    unsigned int valid_hooks;
    unsigned int num_entries;
    unsigned int size;
    unsigned int hook_entry[3];
    unsigned int underflow[3];
    unsigned int num_counters;
    struct xt_counters* counters;
    uint64_t entrytable[XT_TABLE_SIZE /
sizeof(uint64_t)];
};
struct arpt_table_desc {
    const char* name;
    struct arpt_getinfo info;
    struct arpt_replace replace;
};
static struct arpt_table_desc arpt_tables[] = {
    {.name = "filter"},
};
/* arptables sockopt numbers (SET_REPLACE and GET_INFO share the base value). */
#define ARPT_BASE_CTL 96
#define ARPT_SO_SET_REPLACE (ARPT_BASE_CTL)
#define ARPT_SO_GET_INFO (ARPT_BASE_CTL)
#define ARPT_SO_GET_ENTRIES (ARPT_BASE_CTL + 1)
/*
 * Snapshots each table in `tables` (GET_INFO header + GET_ENTRIES rules)
 * so reset_iptables can restore it after a program has run.
 *   family/level: AF_INET/SOL_IP or AF_INET6/SOL_IPV6 (see
 *   checkpoint_net_namespace).
 * If no socket can be created because the family/protocol is absent
 * (EAFNOSUPPORT, ENOPROTOOPT, ENOENT) there is nothing to snapshot.
 * Tables that do not exist or may not be read (EPERM, ENOENT, ENOPROTOOPT)
 * are skipped and keep valid_hooks == 0, which reset_iptables uses as its
 * "never checkpointed" marker. A table larger than XT_TABLE_SIZE or with
 * more than XT_MAX_ENTRIES rules is fatal: it would not fit the static
 * buffers.
 */
static void checkpoint_iptables(struct ipt_table_desc* tables, int num_tables, int family, int level)
{
    int fd = socket(family, SOCK_STREAM, IPPROTO_TCP);
    if (fd == -1) {
        switch (errno) {
        case EAFNOSUPPORT:
        case ENOPROTOOPT:
        case ENOENT:
            return;
        }
        exit(1);
    }
    for (int i = 0; i < num_tables; i++) {
        struct ipt_table_desc* table = &tables[i];
        strcpy(table->info.name, table->name);
        strcpy(table->replace.name, table->name);
        socklen_t optlen = sizeof(table->info);
        if (getsockopt(fd, level, IPT_SO_GET_INFO, &table->info, &optlen)) {
            switch (errno) {
            case EPERM:
            case ENOENT:
            case ENOPROTOOPT:
                continue;
            }
            exit(1);
        }
        /* Bound the kernel-reported sizes before they drive the copies below. */
        if (table->info.size > sizeof(table->replace.entrytable))
            exit(1);
        if (table->info.num_entries > XT_MAX_ENTRIES)
            exit(1);
        struct ipt_get_entries entries;
        memset(&entries, 0, sizeof(entries));
        strcpy(entries.name, table->name);
        entries.size = table->info.size;
        /* optlen covers the header plus exactly info.size bytes of rules. */
        optlen = sizeof(entries) - sizeof(entries.entrytable) + table->info.size;
        if (getsockopt(fd, level, IPT_SO_GET_ENTRIES, &entries, &optlen))
            exit(1);
        /* Pre-build the SET_REPLACE request; num_counters/counters are filled in at reset time. */
        table->replace.valid_hooks = table->info.valid_hooks;
        table->replace.num_entries = table->info.num_entries;
        table->replace.size = table->info.size;
        memcpy(table->replace.hook_entry, table->info.hook_entry, sizeof(table->replace.hook_entry));
        memcpy(table->replace.underflow, table->info.underflow, sizeof(table->replace.underflow));
        memcpy(table->replace.entrytable, entries.entrytable, table->info.size);
    }
    close(fd);
}
/*
 * Restores every table checkpointed by checkpoint_iptables whose live
 * header or rules differ from the snapshot. Same family/level convention
 * as checkpoint_iptables.
 */
static void reset_iptables(struct ipt_table_desc* tables, int num_tables, int family, int level)
{
    int fd = socket(family, SOCK_STREAM, IPPROTO_TCP);
    if (fd == -1) {
        switch (errno) {
        case EAFNOSUPPORT:
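case ENOPROTOOPT:
        case ENOENT:
            return;
        }
        exit(1);
    }
    for (int i = 0; i < num_tables; i++) {
        struct ipt_table_desc* table = &tables[i];
        /* valid_hooks == 0: checkpoint_iptables skipped this table (absent or not permitted). */
        if (table->info.valid_hooks == 0)
            continue;
        /* Re-read the live table; if header and rules both match the snapshot there is nothing to do. */
        struct ipt_getinfo info;
        memset(&info, 0, sizeof(info));
        strcpy(info.name, table->name);
        socklen_t optlen = sizeof(info);
        if (getsockopt(fd, level, IPT_SO_GET_INFO, &info, &optlen))
            exit(1);
        if (memcmp(&table->info, &info, sizeof(table->info)) == 0) {
            struct ipt_get_entries entries;
            memset(&entries, 0, sizeof(entries));
            strcpy(entries.name, table->name);
            entries.size = table->info.size;
            optlen = sizeof(entries) - sizeof(entries.entrytable) + entries.size;
            if (getsockopt(fd, level, IPT_SO_GET_ENTRIES, &entries, &optlen))
                exit(1);
            if (memcmp(table->replace.entrytable, entries.entrytable, table->info.size) == 0)
                continue;
        }
        /*
         * The table changed: put the snapshot back. SET_REPLACE hands the
         * counters of the table being replaced back through `counters`,
         * num_counters of them, which is why num_counters is set to the live
         * entry count. That count comes from the program that just ran, not
         * from the checkpoint (which only bounded the pre-run table), so it
         * must be bounded here before the kernel writes into the fixed-size
         * stack array.
         */
        if (info.num_entries > XT_MAX_ENTRIES)
            exit(1);
        struct xt_counters counters[XT_MAX_ENTRIES];
        table->replace.num_counters = info.num_entries;
        table->replace.counters = counters;
        optlen = sizeof(table->replace) - sizeof(table->replace.entrytable) + table->replace.size;
        if (setsockopt(fd, level, IPT_SO_SET_REPLACE, &table->replace, optlen))
            exit(1);
    }
    close(fd);
}
/*
 * Snapshots the arptables tables in arpt_tables (GET_INFO header +
 * GET_ENTRIES rules) so reset_arptables can restore them. Same skip/abort
 * policy as checkpoint_iptables: absent or unpermitted tables are skipped
 * (valid_hooks stays 0); a table that does not fit the static buffers is
 * fatal.
 */
static void checkpoint_arptables(void)
{
    int fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    if (fd == -1) {
        switch (errno) {
        case EAFNOSUPPORT:
        case ENOPROTOOPT:
        case ENOENT:
            return;
        }
        exit(1);
    }
    for (unsigned i = 0; i < sizeof(arpt_tables) / sizeof(arpt_tables[0]); i++) {
        struct arpt_table_desc* table = &arpt_tables[i];
        strcpy(table->info.name, table->name);
        strcpy(table->replace.name, table->name);
        socklen_t optlen = sizeof(table->info);
        if (getsockopt(fd, SOL_IP, ARPT_SO_GET_INFO, &table->info, &optlen)) {
            switch (errno) {
            case EPERM:
            case ENOENT:
            case ENOPROTOOPT:
                continue;
            }
            exit(1);
        }
        /* Bound the kernel-reported sizes before they drive the copies below. */
        if (table->info.size > sizeof(table->replace.entrytable))
            exit(1);
        if (table->info.num_entries > XT_MAX_ENTRIES)
            exit(1);
        struct arpt_get_entries entries;
        memset(&entries, 0, sizeof(entries));
        strcpy(entries.name, table->name);
        entries.size = table->info.size;
        optlen =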
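sizeof(entries) - sizeof(entries.entrytable) + table->info.size;
        if (getsockopt(fd, SOL_IP, ARPT_SO_GET_ENTRIES, &entries, &optlen))
            exit(1);
        /* Pre-build the SET_REPLACE request; num_counters/counters are filled in at reset time. */
        table->replace.valid_hooks = table->info.valid_hooks;
        table->replace.num_entries = table->info.num_entries;
        table->replace.size = table->info.size;
        memcpy(table->replace.hook_entry, table->info.hook_entry, sizeof(table->replace.hook_entry));
        memcpy(table->replace.underflow, table->info.underflow, sizeof(table->replace.underflow));
        memcpy(table->replace.entrytable, entries.entrytable, table->info.size);
    }
    close(fd);
}
/*
 * Restores every arptables table checkpointed by checkpoint_arptables
 * whose live header or rules differ from the snapshot.
 */
static void reset_arptables(void)
{
    int fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    if (fd == -1) {
        switch (errno) {
        case EAFNOSUPPORT:
        case ENOPROTOOPT:
        case ENOENT:
            return;
        }
        exit(1);
    }
    for (unsigned i = 0; i < sizeof(arpt_tables) / sizeof(arpt_tables[0]); i++) {
        struct arpt_table_desc* table = &arpt_tables[i];
        /* valid_hooks == 0: checkpoint_arptables skipped this table. */
        if (table->info.valid_hooks == 0)
            continue;
        struct arpt_getinfo info;
        memset(&info, 0, sizeof(info));
        strcpy(info.name, table->name);
        socklen_t optlen = sizeof(info);
        if (getsockopt(fd, SOL_IP, ARPT_SO_GET_INFO, &info, &optlen))
            exit(1);
        if (memcmp(&table->info, &info, sizeof(table->info)) == 0) {
            struct arpt_get_entries entries;
            memset(&entries, 0, sizeof(entries));
            strcpy(entries.name, table->name);
            entries.size = table->info.size;
            optlen = sizeof(entries) - sizeof(entries.entrytable) + entries.size;
            if (getsockopt(fd, SOL_IP, ARPT_SO_GET_ENTRIES, &entries, &optlen))
                exit(1);
            if (memcmp(table->replace.entrytable, entries.entrytable, table->info.size) == 0)
                continue;
        }
        /*
         * SET_REPLACE writes num_counters xt_counters of the table being
         * replaced into `counters`. info.num_entries is the live count after
         * the program ran and was never bounded (the checkpoint only bounded
         * the pre-run table), so check it before the kernel fills the
         * fixed-size stack array.
         */
        if (info.num_entries > XT_MAX_ENTRIES)
            exit(1);
        struct xt_counters counters[XT_MAX_ENTRIES];
        table->replace.num_counters = info.num_entries;
        table->replace.counters = counters;
        optlen = sizeof(table->replace) - sizeof(table->replace.entrytable) + table->replace.size;
        if (setsockopt(fd, SOL_IP, ARPT_SO_SET_REPLACE, &table->replace, optlen))
            exit(1);
    }
    close(fd);
}
/* ebtables constants (presumably mirroring linux/netfilter_bridge/ebtables.h). */
#define NF_BR_NUMHOOKS 6
#define EBT_TABLE_MAXNAMELEN 32
#define EBT_CHAIN_MAXNAMELEN 32
#define EBT_BASE_CTL 128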
#define EBT_SO_SET_ENTRIES (EBT_BASE_CTL)
#define EBT_SO_GET_INFO (EBT_BASE_CTL)
#define EBT_SO_GET_ENTRIES (EBT_SO_GET_INFO + 1)
#define EBT_SO_GET_INIT_INFO (EBT_SO_GET_ENTRIES + 1)
#define EBT_SO_GET_INIT_ENTRIES (EBT_SO_GET_INIT_INFO + 1)
/*
 * Local mirror of the ebtables uapi structs. Unlike ip/arptables the
 * request itself carries user pointers (hook_entry[], counters, entries),
 * so reset_ebtables has to zero/re-point them around its comparison.
 */
struct ebt_replace {
    char name[EBT_TABLE_MAXNAMELEN];
    unsigned int valid_hooks;
    unsigned int nentries;
    unsigned int entries_size;
    struct ebt_entries* hook_entry[NF_BR_NUMHOOKS];
    unsigned int num_counters;
    struct ebt_counter* counters;
    char* entries;
};
struct ebt_entries {
    unsigned int distinguisher;
    char name[EBT_CHAIN_MAXNAMELEN];
    unsigned int counter_offset;
    int policy;
    unsigned int nentries;
    char data[0] __attribute__((aligned(__alignof__(struct ebt_replace))));
};
/* One snapshotted ebtables table; entrytable is what replace.entries points at. */
struct ebt_table_desc {
    const char* name;
    struct ebt_replace replace;
    char entrytable[XT_TABLE_SIZE];
};
static struct ebt_table_desc ebt_tables[] = {
    {.name = "filter"},
    {.name = "nat"},
    {.name = "broute"},
};
/*
 * Snapshots each ebtables table via the *_INIT_* sockopts (presumably the
 * table's initial contents rather than whatever is currently loaded).
 * Skip/abort policy matches checkpoint_iptables: absent or unpermitted
 * tables are skipped (valid_hooks stays 0); a table whose rules do not fit
 * entrytable is fatal. The entries_size bound is checked before
 * GET_INIT_ENTRIES copies into the fixed buffer.
 */
static void checkpoint_ebtables(void)
{
    int fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    if (fd == -1) {
        switch (errno) {
        case EAFNOSUPPORT:
        case ENOPROTOOPT:
        case ENOENT:
            return;
        }
        exit(1);
    }
    for (size_t i = 0; i < sizeof(ebt_tables) / sizeof(ebt_tables[0]); i++) {
        struct ebt_table_desc* table = &ebt_tables[i];
        strcpy(table->replace.name, table->name);
        socklen_t optlen = sizeof(table->replace);
        if (getsockopt(fd, SOL_IP, EBT_SO_GET_INIT_INFO, &table->replace, &optlen)) {
            switch (errno) {
            case EPERM:
            case ENOENT:
            case ENOPROTOOPT:
                continue;
            }
            exit(1);
        }
        if (table->replace.entries_size > sizeof(table->entrytable))
            exit(1);
        table->replace.num_counters = 0;
        table->replace.entries = table->entrytable;
        optlen = sizeof(table->replace) + table->replace.entries_size;
        if (getsockopt(fd, SOL_IP, EBT_SO_GET_INIT_ENTRIES, &table->replace, &optlen))
            exit(1);
    }
    close(fd);
}
/* Restores every checkpointed ebtables table whose live contents differ from the snapshot. */
static void reset_ebtables()
{
    int fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    if (fd == -1) {
        switch (errno) {
        case EAFNOSUPPORT:
        case ENOPROTOOPT:
        case ENOENT:
            return;
        }
        exit(1);
    }
    for
(unsigned i = 0; i < sizeof(ebt_tables) / sizeof(ebt_tables[0]); i++) {
        struct ebt_table_desc* table = &ebt_tables[i];
        /* valid_hooks == 0: checkpoint_ebtables skipped this table. */
        if (table->replace.valid_hooks == 0)
            continue;
        struct ebt_replace replace;
        memset(&replace, 0, sizeof(replace));
        strcpy(replace.name, table->name);
        socklen_t optlen = sizeof(replace);
        if (getsockopt(fd, SOL_IP, EBT_SO_GET_INFO, &replace, &optlen))
            exit(1);
        /*
         * Zero the pointer/counter fields on both sides so the memcmp below
         * effectively compares name, valid_hooks, nentries and entries_size.
         */
        replace.num_counters = 0;
        table->replace.entries = 0;
        for (unsigned h = 0; h < NF_BR_NUMHOOKS; h++)
            table->replace.hook_entry[h] = 0;
        if (memcmp(&table->replace, &replace, sizeof(table->replace)) == 0) {
            /*
             * Headers match, so replace.entries_size equals the snapshot's,
             * which checkpoint_ebtables already bounded by XT_TABLE_SIZE; the
             * copy into entrytable below therefore stays in bounds.
             */
            char entrytable[XT_TABLE_SIZE];
            memset(&entrytable, 0, sizeof(entrytable));
            replace.entries = entrytable;
            optlen = sizeof(replace) + replace.entries_size;
            if (getsockopt(fd, SOL_IP, EBT_SO_GET_ENTRIES, &replace, &optlen))
                exit(1);
            if (memcmp(table->entrytable, entrytable, replace.entries_size) == 0)
                continue;
        }
        /*
         * Rebuild hook_entry[]: the j-th valid hook points at the j-th
         * ebt_entries header in the snapshot. That only works when the chain
         * headers are packed back to back with no rules between them, which
         * presumably holds for the INIT snapshot taken by checkpoint_ebtables.
         */
        for (unsigned j = 0, h = 0; h < NF_BR_NUMHOOKS; h++) {
            if (table->replace.valid_hooks & (1 << h)) {
                table->replace.hook_entry[h] = (struct ebt_entries*)table->entrytable + j;
                j++;
            }
        }
        table->replace.entries = table->entrytable;
        optlen = sizeof(table->replace) + table->replace.entries_size;
        if (setsockopt(fd, SOL_IP, EBT_SO_SET_ENTRIES, &table->replace, optlen))
            exit(1);
    }
    close(fd);
}
/* Snapshots all netfilter tables of the current network namespace (once per sandbox, from setup_loop). */
static void checkpoint_net_namespace(void)
{
    checkpoint_ebtables();
    checkpoint_arptables();
    checkpoint_iptables(ipv4_tables, sizeof(ipv4_tables) / sizeof(ipv4_tables[0]), AF_INET, SOL_IP);
    checkpoint_iptables(ipv6_tables, sizeof(ipv6_tables) / sizeof(ipv6_tables[0]), AF_INET6, SOL_IPV6);
}
/* Undoes whatever the last program did to the netfilter tables (before every run, from reset_loop). */
static void reset_net_namespace(void)
{
    reset_ebtables();
    reset_arptables();
    reset_iptables(ipv4_tables, sizeof(ipv4_tables) / sizeof(ipv4_tables[0]), AF_INET, SOL_IP);
    reset_iptables(ipv6_tables, sizeof(ipv6_tables) / sizeof(ipv6_tables[0]), AF_INET6, SOL_IPV6);
}
/*
 * Mounts a cgroup v1 hierarchy at `dir` with whichever of `controllers`
 * the kernel accepts: each controller is probed with its own mount (then
 * unmounted) and the accepted ones are mounted together. Returns silently
 * if `dir` already exists; only a failed rmdir of our own directory is
 * fatal. The mount point is made world-writable (0777), presumably so the
 * unprivileged test process can use it.
 */
static void mount_cgroups(const char* dir, const char** controllers, int count)
{
    if (mkdir(dir, 0777)) {
        return;
    }
    char enabled[128] = {0};
    int i = 0;
    for (; i
< count; i++) {
        /* Probe: a controller the kernel rejects is simply left out. */
        if (mount("none", dir, "cgroup", 0, controllers[i])) {
            continue;
        }
        umount(dir);
        strcat(enabled, ",");
        strcat(enabled, controllers[i]);
    }
    if (enabled[0] == 0) {
        if (rmdir(dir) && errno != EBUSY)
            exit(1);
        return;
    }
    /* `enabled` begins with a leading ','; skip it. */
    if (mount("none", dir, "cgroup", 0, enabled + 1)) {
        if (rmdir(dir) && errno != EBUSY)
            exit(1);
    }
    if (chmod(dir, 0777)) {
    }
}
/*
 * Mounts the cgroup v2 (unified) hierarchy at /syzcgroup/unified and
 * writes each of `controllers` ("+cpu"-style strings) to
 * cgroup.subtree_control. Returns silently if the directory already
 * exists; a failed mount removes the directory; everything after the
 * mount is best effort.
 */
static void mount_cgroups2(const char** controllers, int count)
{
    if (mkdir("/syzcgroup/unified", 0777)) {
        return;
    }
    if (mount("none", "/syzcgroup/unified", "cgroup2", 0, NULL)) {
        if (rmdir("/syzcgroup/unified") && errno != EBUSY)
            exit(1);
        return;
    }
    if (chmod("/syzcgroup/unified", 0777)) {
    }
    int control = open("/syzcgroup/unified/cgroup.subtree_control", O_WRONLY);
    if (control == -1)
        return;
    int i;
    for (i = 0; i < count; i++)
        if (write(control, controllers[i], strlen(controllers[i])) < 0) {
        }
    close(control);
}
/*
 * One-time host-side cgroup layout under /syzcgroup: a v2 hierarchy plus
 * two v1 hierarchies ("net" and "cpu"). Returns silently if /syzcgroup
 * already exists. The two cpuset knobs at the end are best effort.
 */
static void setup_cgroups()
{
    const char* unified_controllers[] = {"+cpu", "+io", "+pids"};
    const char* net_controllers[] = {"net", "net_prio", "devices", "blkio", "freezer"};
    const char* cpu_controllers[] = {"cpuset", "cpuacct", "hugetlb", "rlimit", "memory"};
    if (mkdir("/syzcgroup", 0777)) {
        return;
    }
    mount_cgroups2(unified_controllers, sizeof(unified_controllers) / sizeof(unified_controllers[0]));
    mount_cgroups("/syzcgroup/net", net_controllers, sizeof(net_controllers) / sizeof(net_controllers[0]));
    mount_cgroups("/syzcgroup/cpu", cpu_controllers, sizeof(cpu_controllers) / sizeof(cpu_controllers[0]));
    write_file("/syzcgroup/cpu/cgroup.clone_children", "1");
    write_file("/syzcgroup/cpu/cpuset.memory_pressure_enabled", "1");
}
/*
 * Moves this loop process into per-procid cgroups (syz<procid>) in all
 * three hierarchies and applies limits: at most 32 pids, and (in the
 * cpu hierarchy) a 299 MiB soft / 300 MiB hard memory limit. All writes
 * are best effort.
 */
static void setup_cgroups_loop()
{
    int pid = getpid();
    char file[128];
    char cgroupdir[64];
    snprintf(cgroupdir, sizeof(cgroupdir), "/syzcgroup/unified/syz%llu", procid);
    if (mkdir(cgroupdir, 0777)) {
    }
    snprintf(file, sizeof(file), "%s/pids.max", cgroupdir);
    write_file(file, "32");
    snprintf(file, sizeof(file), "%s/cgroup.procs", cgroupdir);
    write_file(file, "%d", pid);
    snprintf(cgroupdir,
sizeof(cgroupdir), "/syzcgroup/cpu/syz%llu", procid);
    if (mkdir(cgroupdir, 0777)) {
    }
    snprintf(file, sizeof(file), "%s/cgroup.procs", cgroupdir);
    write_file(file, "%d", pid);
    /* 299 MiB soft / 300 MiB hard memory limit for everything under this loop. */
    snprintf(file, sizeof(file), "%s/memory.soft_limit_in_bytes", cgroupdir);
    write_file(file, "%d", 299 << 20);
    snprintf(file, sizeof(file), "%s/memory.limit_in_bytes", cgroupdir);
    write_file(file, "%d", 300 << 20);
    snprintf(cgroupdir, sizeof(cgroupdir), "/syzcgroup/net/syz%llu", procid);
    if (mkdir(cgroupdir, 0777)) {
    }
    snprintf(file, sizeof(file), "%s/cgroup.procs", cgroupdir);
    write_file(file, "%d", pid);
}
/*
 * Gives the test process handles to its cgroups: symlinks ./cgroup,
 * ./cgroup.cpu and ./cgroup.net in the scratch directory pointing at the
 * per-procid cgroup directories. Failures are ignored.
 */
static void setup_cgroups_test()
{
    char cgroupdir[64];
    snprintf(cgroupdir, sizeof(cgroupdir), "/syzcgroup/unified/syz%llu", procid);
    if (symlink(cgroupdir, "./cgroup")) {
    }
    snprintf(cgroupdir, sizeof(cgroupdir), "/syzcgroup/cpu/syz%llu", procid);
    if (symlink(cgroupdir, "./cgroup.cpu")) {
    }
    snprintf(cgroupdir, sizeof(cgroupdir), "/syzcgroup/net/syz%llu", procid);
    if (symlink(cgroupdir, "./cgroup.net")) {
    }
}
/*
 * Exposes the three host cgroup hierarchies inside the new root that
 * sandbox_common_mount_tmpfs is building. mkdir failures are fatal (this
 * is our own tmpfs); bind-mount failures are ignored (a hierarchy may not
 * have been set up on this host).
 */
static void initialize_cgroups()
{
    if (mkdir("./syz-tmp/newroot/syzcgroup", 0700))
        exit(1);
    if (mkdir("./syz-tmp/newroot/syzcgroup/unified", 0700))
        exit(1);
    if (mkdir("./syz-tmp/newroot/syzcgroup/cpu", 0700))
        exit(1);
    if (mkdir("./syz-tmp/newroot/syzcgroup/net", 0700))
        exit(1);
    unsigned bind_mount_flags = MS_BIND | MS_REC | MS_PRIVATE;
    if (mount("/syzcgroup/unified", "./syz-tmp/newroot/syzcgroup/unified", NULL, bind_mount_flags, NULL)) {
    }
    if (mount("/syzcgroup/cpu", "./syz-tmp/newroot/syzcgroup/cpu", NULL, bind_mount_flags, NULL)) {
    }
    if (mount("/syzcgroup/net", "./syz-tmp/newroot/syzcgroup/net", NULL, bind_mount_flags, NULL)) {
    }
}
static void setup_gadgetfs();
static void setup_binderfs();
static void setup_fusectl();
/*
 * Builds a throwaway root for the sandbox: a fresh tmpfs at ./syz-tmp whose
 * newroot/ holds bind mounts of /dev, a private proc, /sys (plus debugfs,
 * smackfs, selinuxfs and binfmt_misc when present), /syz-inputs (intended
 * read-only) and the cgroup hierarchies; then pivot_root()s into it (or
 * falls back to chroot) and mounts gadgetfs/binderfs/fusectl. Anything that
 * fails other than an absent optional filesystem is fatal. The mount-max
 * sysctl is raised first, presumably so the fuzzer can create many mounts.
 */
static void sandbox_common_mount_tmpfs(void)
{
    write_file("/proc/sys/fs/mount-max", "100000");
    if (mkdir("./syz-tmp", 0777))
        exit(1);
    if (mount("", "./syz-tmp", "tmpfs", 0, NULL))
        exit(1);
    if (mkdir("./syz-tmp/newroot", 0777))
        exit(1);
    if (mkdir("./syz-tmp/newroot/dev",
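0700))
        exit(1);
    /*
     * NOTE(review): for a plain MS_BIND the kernel acts on MS_BIND|MS_REC
     * and ignores the other bits, so MS_PRIVATE here is a no-op; the
     * mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL) in sandbox_common
     * is what actually isolates propagation.
     */
    unsigned bind_mount_flags = MS_BIND | MS_REC | MS_PRIVATE;
    if (mount("/dev", "./syz-tmp/newroot/dev", NULL, bind_mount_flags, NULL))
        exit(1);
    if (mkdir("./syz-tmp/newroot/proc", 0700))
        exit(1);
    if (mount("syz-proc", "./syz-tmp/newroot/proc", "proc", 0, NULL))
        exit(1);
    if (mkdir("./syz-tmp/newroot/selinux", 0700))
        exit(1);
    /* Legacy /selinux first, then /sys/fs/selinux; either may be absent. */
    const char* selinux_path = "./syz-tmp/newroot/selinux";
    if (mount("/selinux", selinux_path, NULL, bind_mount_flags, NULL)) {
        if (errno != ENOENT)
            exit(1);
        if (mount("/sys/fs/selinux", selinux_path, NULL, bind_mount_flags, NULL) && errno != ENOENT)
            exit(1);
    }
    if (mkdir("./syz-tmp/newroot/sys", 0700))
        exit(1);
    if (mount("/sys", "./syz-tmp/newroot/sys", 0, bind_mount_flags, NULL))
        exit(1);
    /* Optional pseudo-filesystems: absence (ENOENT) is fine, any other failure is not. */
    if (mount("/sys/kernel/debug", "./syz-tmp/newroot/sys/kernel/debug", NULL, bind_mount_flags, NULL) && errno != ENOENT)
        exit(1);
    if (mount("/sys/fs/smackfs", "./syz-tmp/newroot/sys/fs/smackfs", NULL, bind_mount_flags, NULL) && errno != ENOENT)
        exit(1);
    if (mount("/proc/sys/fs/binfmt_misc", "./syz-tmp/newroot/proc/sys/fs/binfmt_misc", NULL, bind_mount_flags, NULL) && errno != ENOENT)
        exit(1);
    if (mkdir("./syz-tmp/newroot/syz-inputs", 0700))
        exit(1);
    /*
     * /syz-inputs is meant to be read-only inside the sandbox. MS_RDONLY
     * passed together with MS_BIND is ignored for a new bind mount (it
     * inherits the source's mount flags; see mount(2)), so the original
     * single call left the directory writable. Apply the read-only flag
     * with a second MS_BIND|MS_REMOUNT and fail closed if that does not
     * take.
     */
    const char* inputs_path = "./syz-tmp/newroot/syz-inputs";
    if (mount("/syz-inputs", inputs_path, NULL, bind_mount_flags | MS_RDONLY, NULL)) {
        if (errno != ENOENT)
            exit(1);
    } else if (mount(NULL, inputs_path, NULL, MS_BIND | MS_REMOUNT | MS_RDONLY, NULL)) {
        exit(1);
    }
    initialize_cgroups();
    /*
     * Prefer pivot_root so the old root can be detached; if it fails, fall
     * back to a plain chroot into the tmpfs (presumably weaker: the old root
     * remains in the mount namespace).
     */
    if (mkdir("./syz-tmp/pivot", 0777))
        exit(1);
    if (syscall(SYS_pivot_root, "./syz-tmp", "./syz-tmp/pivot")) {
        if (chdir("./syz-tmp"))
            exit(1);
    } else {
        if (chdir("/"))
            exit(1);
        if (umount2("./pivot", MNT_DETACH))
            exit(1);
    }
    if (chroot("./newroot"))
        exit(1);
    if (chdir("/"))
        exit(1);
    setup_gadgetfs();
    setup_binderfs();
    setup_fusectl();
}
/* Best-effort gadgetfs mount at /dev/gadgetfs; failures are ignored. */
static void setup_gadgetfs()
{
    if (mkdir("/dev/gadgetfs", 0777)) {
    }
    if (mount("gadgetfs", "/dev/gadgetfs", "gadgetfs", 0, NULL)) {
    }
}
/* Best-effort fusectl mount so kill_and_wait can abort FUSE connections via /sys/fs/fuse/connections. */
static void setup_fusectl()
{
    if (mount(0, "/sys/fs/fuse/connections", "fusectl", 0, 0)) {
    }
}
/* Best-effort binderfs mount at /dev/binderfs; setup_test symlinks it into the test's cwd. */
static void setup_binderfs()
{
    if (mkdir("/dev/binderfs", 0777)) {
    }
    if (mount("binder",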
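"/dev/binderfs", "binder", 0, NULL)) {
    }
}
static void loop();
/*
 * Per-sandbox setup run in the forked child of do_sandbox_none: die with
 * the parent, cap resource usage, move into fresh mount/IPC/cgroup/UTS
 * namespaces (and a private SysV semaphore undo list), and raise the SysV
 * IPC limits. Namespace and mount failures are deliberately ignored
 * (best effort on kernels lacking the feature).
 */
static void sandbox_common()
{
    prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
    /* Parent already gone (we were reparented to init): nothing to do. */
    if (getppid() == 1)
        exit(1);
    struct rlimit rlim;
    rlim.rlim_cur = rlim.rlim_max = (200 << 20);
    setrlimit(RLIMIT_AS, &rlim);
    rlim.rlim_cur = rlim.rlim_max = 32 << 20;
    setrlimit(RLIMIT_MEMLOCK, &rlim);
    rlim.rlim_cur = rlim.rlim_max = 136 << 20;
    setrlimit(RLIMIT_FSIZE, &rlim);
    rlim.rlim_cur = rlim.rlim_max = 1 << 20;
    setrlimit(RLIMIT_STACK, &rlim);
    rlim.rlim_cur = rlim.rlim_max = 128 << 20;
    setrlimit(RLIMIT_CORE, &rlim);
    rlim.rlim_cur = rlim.rlim_max = 256;
    setrlimit(RLIMIT_NOFILE, &rlim);
    if (unshare(CLONE_NEWNS)) {
    }
    /* Make the whole tree private so mounts done later do not propagate back to the host. */
    if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL)) {
    }
    if (unshare(CLONE_NEWIPC)) {
    }
    /* 0x02000000 is CLONE_NEWCGROUP, spelled numerically (presumably for older libc headers). */
    if (unshare(0x02000000)) {
    }
    if (unshare(CLONE_NEWUTS)) {
    }
    if (unshare(CLONE_SYSVSEM)) {
    }
    typedef struct {
        const char* name;
        const char* value;
    } sysctl_t;
    static const sysctl_t sysctls[] = {
        {"/proc/sys/kernel/shmmax", "16777216"},
        {"/proc/sys/kernel/shmall", "536870912"},
        {"/proc/sys/kernel/shmmni", "1024"},
        {"/proc/sys/kernel/msgmax", "8192"},
        {"/proc/sys/kernel/msgmni", "1024"},
        {"/proc/sys/kernel/msgmnb", "1024"},
        {"/proc/sys/kernel/sem", "1024 1048576 500 1024"},
    };
    unsigned i;
    for (i = 0; i < sizeof(sysctls) / sizeof(sysctls[0]); i++)
        write_file(sysctls[i].name, sysctls[i].value);
}
/*
 * Reaps the sandbox child `pid` and returns its exit status. waitpid(-1)
 * may reap other children first, so keep waiting until `pid` comes back.
 * A waitpid error other than EINTR (e.g. ECHILD: nothing left to wait for)
 * means `pid` will never be returned; the original spun forever on that,
 * now it is fatal.
 */
static int wait_for_loop(int pid)
{
    if (pid < 0)
        exit(1);
    int status = 0;
    for (;;) {
        int reaped = waitpid(-1, &status, __WALL);
        if (reaped == pid)
            break;
        if (reaped == -1 && errno != EINTR)
            exit(1);
    }
    return WEXITSTATUS(status);
}
/*
 * Drops CAP_SYS_PTRACE and CAP_SYS_NICE from the effective, permitted and
 * inheritable sets (both live in the first 32-bit word, cap_data[0]).
 * NOTE(review): the bounding set is left alone, so the capabilities could
 * presumably be regained by exec'ing a file with file capabilities.
 */
static void drop_caps(void)
{
    struct __user_cap_header_struct cap_hdr = {};
    struct __user_cap_data_struct cap_data[2] = {};
    cap_hdr.version = _LINUX_CAPABILITY_VERSION_3;
    cap_hdr.pid = getpid();
    if (syscall(SYS_capget, &cap_hdr, &cap_data))
        exit(1);
    const int drop = (1 << CAP_SYS_PTRACE) | (1 << CAP_SYS_NICE);
    cap_data[0].effective &= ~drop;
    cap_data[0].permitted &= ~drop;
    cap_data[0].inheritable &= ~drop;
    if (syscall(SYS_capset, &cap_hdr, &cap_data))
        exit(1);
}
static int do_sandbox_none(void)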
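{
    /* Fresh PID namespace (best effort) so the forked child below is its own init. */
    if (unshare(CLONE_NEWPID)) {
    }
    int pid = fork();
    if (pid != 0)
        return wait_for_loop(pid);
    sandbox_common();
    drop_caps();
    /* nr/rose devices are created before we leave the initial network namespace. */
    initialize_netdevices_init();
    if (unshare(CLONE_NEWNET)) {
    }
    write_file("/proc/sys/net/ipv4/ping_group_range", "0 65535");
    initialize_tun();
    initialize_netdevices();
    sandbox_common_mount_tmpfs();
    loop();
    exit(1);
}
#define FS_IOC_SETFLAGS _IOW('f', 2, long)
/*
 * Recursively deletes the test's scratch directory `dir`. Its contents are
 * untrusted (the test may have left mounts, immutable/append-only files,
 * busy files, symlinks or FIFOs behind). Mounts are unmounted first; EPERM
 * on unlink/rmdir is treated as an inode-flag problem and retried after
 * clearing the flags with FS_IOC_SETFLAGS; EBUSY is retried after another
 * umount; EROFS gives up on that entry. Every retry path is bounded so a
 * hostile tree cannot wedge the parent; any other failure is fatal.
 */
static void remove_dir(const char* dir)
{
    int iter = 0;
    DIR* dp = 0;
    const int umount_flags = MNT_FORCE | UMOUNT_NOFOLLOW;
retry:
    while (umount2(dir, umount_flags) == 0) {
    }
    dp = opendir(dir);
    if (dp == NULL)
        exit(1);
    struct dirent* ep = 0;
    while ((ep = readdir(dp))) {
        if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0)
            continue;
        char filename[FILENAME_MAX];
        snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name);
        while (umount2(filename, umount_flags) == 0) {
        }
        struct stat st;
        if (lstat(filename, &st))
            exit(1);
        if (S_ISDIR(st.st_mode)) {
            remove_dir(filename);
            continue;
        }
        int i;
        for (i = 0;; i++) {
            if (unlink(filename) == 0)
                break;
            /* Keep unlink's errno: open()/close() below would clobber it. */
            int err = errno;
            /* Bound every retry path (the original only bounded the EBUSY one). */
            if (i > 100)
                exit(1);
            if (err == EPERM) {
                /*
                 * Probably an immutable/append-only flag. Open the entry
                 * itself, never a symlink target (O_NOFOLLOW), and never block
                 * on a FIFO or device (O_NONBLOCK): we run as root and the
                 * name came from the test.
                 */
                int fd = open(filename, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
                if (fd != -1) {
                    long flags = 0;
                    if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) {
                    }
                    close(fd);
                    continue;
                }
            }
            if (err == EROFS)
                break;
            if (err != EBUSY)
                exit(1);
            if (umount2(filename, umount_flags))
                exit(1);
        }
    }
    closedir(dp);
    for (int i = 0;; i++) {
        if (rmdir(dir) == 0)
            break;
        int err = errno;
        if (i < 100) {
            if (err == EPERM) {
                int fd = open(dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
                if (fd != -1) {
                    long flags = 0;
                    if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) {
                    }
                    close(fd);
                    continue;
                }
            }
            if (err == EROFS)
                break;
            if (err == EBUSY) {
                if (umount2(dir, umount_flags))
                    exit(1);
                continue;
            }
            /* Entries appeared while we were deleting: rescan, a bounded number of times. */
            if (err == ENOTEMPTY) {
                if (iter < 100) {
                    iter++;
                    goto retry;
                }
            }
        }
        exit(1);
    }
}
/*
 * SIGKILLs the test's process group and the test itself, then waits for
 * `pid`, storing its wait status in *status. Polls for ~100 ms first; if
 * the child still has not exited it is presumably stuck in the kernel,
 * so (continued below) every FUSE connection is aborted before blocking.
 */
static void kill_and_wait(int pid, int* status)
{
    kill(-pid, SIGKILL);
    kill(pid, SIGKILL);
    for (int i = 0; i < 100; i++) {
        if (waitpid(-1, status, WNOHANG | __WALL) == pid)
            return;
        usleep(1000);
    }
    DIR* dir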
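= opendir("/sys/fs/fuse/connections");
    if (dir) {
        /*
         * The child may be blocked in a FUSE request whose daemon we just
         * killed; aborting every connection unsticks it. Presumably any
         * write to the abort file triggers the abort, hence the one-byte
         * write of whatever `abort` happens to hold.
         */
        for (;;) {
            struct dirent* ent = readdir(dir);
            if (!ent)
                break;
            if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
                continue;
            char abort[300];
            snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort", ent->d_name);
            int fd = open(abort, O_WRONLY);
            if (fd == -1) {
                continue;
            }
            if (write(fd, abort, 1) < 0) {
            }
            close(fd);
        }
        closedir(dir);
    }
    /*
     * Block until `pid` is reaped. waitpid(-1) may return other children
     * first; keep going for those. A hard waitpid error (anything but
     * EINTR) means `pid` will never come back, so fail instead of spinning
     * forever as the original did.
     */
    for (;;) {
        int reaped = waitpid(-1, status, __WALL);
        if (reaped == pid)
            break;
        if (reaped == -1 && errno != EINTR)
            exit(1);
    }
}
/* Per-sandbox one-time setup: join the cgroups and snapshot the netfilter tables. */
static void setup_loop()
{
    setup_cgroups_loop();
    checkpoint_net_namespace();
}
/* Run before every program: restore the netfilter tables to the snapshot. */
static void reset_loop()
{
    reset_net_namespace();
}
/*
 * Per-program setup in the forked test process: die with the parent, become
 * a process-group leader (so kill_and_wait can kill the whole group), link
 * the cgroups into the cwd, make ourselves the preferred OOM victim, drain
 * the TUN device, and expose binderfs as ./binderfs (best effort).
 */
static void setup_test()
{
    prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
    setpgrp();
    setup_cgroups_test();
    write_file("/proc/self/oom_score_adj", "1000");
    flush_tun();
    if (symlink("/dev/binderfs", "./binderfs")) {
    }
}
/* Closes every fd in [3, MAX_FDS) the program may have opened. */
static void close_fds()
{
    for (int fd = 3; fd < MAX_FDS; fd++)
        close(fd);
}
/*
 * Registers two binfmt_misc handlers that run ./file0 as the interpreter
 * for binaries whose first byte is 0x01 (syz0) or whose second byte is
 * 0x02 (syz1, with flags "POC"). Returns NULL on success or when
 * binfmt_misc cannot be mounted at all, and an error string when the
 * registration writes fail.
 * NOTE(review): this lets a test-controlled file be exec'd as an
 * interpreter; fine only because it runs inside the sandbox root.
 */
static const char* setup_binfmt_misc()
{
    if (mount(0, "/proc/sys/fs/binfmt_misc", "binfmt_misc", 0, 0) && errno != EBUSY) {
        return NULL;
    }
    if (!write_file("/proc/sys/fs/binfmt_misc/register", ":syz0:M:0:\x01::./file0:") ||
        !write_file("/proc/sys/fs/binfmt_misc/register", ":syz1:M:1:\x02::./file0:POC"))
        return "write(/proc/sys/fs/binfmt_misc/register) failed";
    return NULL;
}
/* Makes the raw USB gadget device usable by the (unprivileged) test process. */
static const char* setup_usb()
{
    if (chmod("/dev/raw-gadget", 0666))
        return "failed to chmod /dev/raw-gadget";
    return NULL;
}
/*
 * Host-wide sysctl tuning for fuzzing (debug output, lockup reporting,
 * OOM behaviour). A throwaway sleeper child is forked only so that its pid
 * can be written to kernel/cad_pid; it is killed once the sysctls are set.
 */
static void setup_sysctl()
{
    int cad_pid = fork();
    if (cad_pid < 0)
        exit(1);
    if (cad_pid == 0) {
        for (;;)
            sleep(100);
    }
    char tmppid[32];
    snprintf(tmppid, sizeof(tmppid), "%d", cad_pid);
    struct {
        const char* name;
        const char* data;
    } files[] = {
        {"/sys/kernel/debug/x86/nmi_longest_ns", "10000000000"},
        {"/proc/sys/kernel/hung_task_check_interval_secs", "20"},
        {"/proc/sys/net/core/bpf_jit_kallsyms", "1"},
        {"/proc/sys/net/core/bpf_jit_harden", "0"},
        {"/proc/sys/kernel/kptr_restrict", "0"},
        {"/proc/sys/kernel/softlockup_all_cpu_backtrace", "1"},
        {"/proc/sys/fs/mount-max", "100"},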
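{"/proc/sys/vm/oom_dump_tasks", "0"},
        {"/proc/sys/debug/exception-trace", "0"},
        {"/proc/sys/kernel/printk", "7 4 1 3"},
        {"/proc/sys/kernel/keys/gc_delay", "1"},
        {"/proc/sys/vm/oom_kill_allocating_task", "1"},
        {"/proc/sys/kernel/ctrl-alt-del", "0"},
        {"/proc/sys/kernel/cad_pid", tmppid},
    };
    /* All best effort: a missing or read-only knob is not an error. */
    for (size_t i = 0; i < sizeof(files) / sizeof(files[0]); i++) {
        if (!write_file(files[i].name, files[i].data)) {
        }
    }
    /*
     * The sleeper was only needed as a live pid to hand to cad_pid; once
     * the sysctl is written it can go (presumably so that a Ctrl-Alt-Del /
     * reboot(CAD) issued by a test targets this dead pid rather than init).
     */
    kill(cad_pid, SIGKILL);
    while (waitpid(cad_pid, NULL, 0) != cad_pid)
        ;
}
#define SWAP_FILE "./swap-file"
#define SWAP_FILE_SIZE (128 * 1000 * 1000)
/*
 * Creates and enables a 128 MB swap file in the current directory. Returns
 * NULL on success or a short string naming the step that failed.
 * swapon() returns -1 on error; the original compared against 1, so a
 * failed swapon was never reported.
 */
static const char* setup_swap()
{
    swapoff(SWAP_FILE);
    unlink(SWAP_FILE);
    int fd = open(SWAP_FILE, O_CREAT | O_WRONLY | O_CLOEXEC, 0600);
    if (fd == -1)
        return "swap file open failed";
    /* Unchecked on purpose: if this fails, mkswap below presumably fails on the size. */
    fallocate(fd, FALLOC_FL_ZERO_RANGE, 0, SWAP_FILE_SIZE);
    close(fd);
    char cmdline[64];
    sprintf(cmdline, "mkswap %s", SWAP_FILE);
    if (runcmdline(cmdline))
        return "mkswap failed";
    if (swapon(SWAP_FILE, SWAP_FLAG_PREFER) == -1)
        return "swapon failed";
    return NULL;
}
/* One worker per slot; `ready`/`done` hand a call index back and forth with execute_one. */
struct thread_t {
    int created, call;
    event_t ready, done;
};
static struct thread_t threads[16];
static void execute_call(int call);
static int running;
/* Worker loop: wait for a call, run it, decrement `running`, signal completion. Never returns. */
static void* thr(void* arg)
{
    struct thread_t* th = (struct thread_t*)arg;
    for (;;) {
        event_wait(&th->ready);
        event_reset(&th->ready);
        execute_call(th->call);
        __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED);
        event_set(&th->done);
    }
    return 0;
}
/*
 * Runs the program's 6 calls, each on the first idle worker thread
 * (creating workers lazily), giving a call 50 ms before moving on; a call
 * that does not finish simply keeps its thread. Afterwards waits up to
 * ~100 ms for in-flight calls and closes the fds the program may have
 * opened.
 */
static void execute_one(void)
{
    if (write(1, "executing program\n", sizeof("executing program\n") - 1)) {
    }
    int i, call, thread;
    for (call = 0; call < 6; call++) {
        for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) {
            struct thread_t* th = &threads[thread];
            if (!th->created) {
                th->created = 1;
                event_init(&th->ready);
                event_init(&th->done);
                event_set(&th->done);
                thread_start(thr, th);
            }
            if (!event_isset(&th->done))
                continue;
            event_reset(&th->done);
            th->call = call;
            __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED);
            event_set(&th->ready);
            event_timedwait(&th->done,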
50);
            break;
        }
    }
    /* Give in-flight calls up to ~100 ms to finish before tearing down fds. */
    for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++)
        sleep_ms(1);
    close_fds();
}
static void execute_one(void);
#define WAIT_FLAGS __WALL
/*
 * Main driver: one iteration per execution of the program. Each run is a
 * forked child inside a fresh scratch directory "./<iter>"; the parent
 * polls for it for 5 s, then SIGKILLs it and its process group
 * (kill_and_wait), and finally deletes the scratch directory. The
 * netfilter tables are restored to the snapshot before every run.
 */
static void loop(void)
{
    setup_loop();
    int iter = 0;
    for (;; iter++) {
        char cwdbuf[32];
        sprintf(cwdbuf, "./%d", iter);
        if (mkdir(cwdbuf, 0777))
            exit(1);
        reset_loop();
        int pid = fork();
        if (pid < 0)
            exit(1);
        if (pid == 0) {
            if (chdir(cwdbuf))
                exit(1);
            setup_test();
            execute_one();
            exit(0);
        }
        int status = 0;
        uint64_t start = current_time_ms();
        for (;;) {
            sleep_ms(10);
            if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
                break;
            if (current_time_ms() - start < 5000)
                continue;
            /* Timeout: kill the test (and its process group) and reap it. */
            kill_and_wait(pid, &status);
            break;
        }
        remove_dir(cwdbuf);
    }
}
/* Resources produced by the program (the two socketpair fds); all-ones (-1) until the call succeeds. */
uint64_t r[2] = {0xffffffffffffffff, 0xffffffffffffffff};
void execute_call(int call)
{
    intptr_t res = 0;
    switch (call) {
    case 0:
        // socketpair$tipc arguments: [
        //   domain: const = 0x1e (8 bytes)
        //   type: tipc_socket_types = 0x1 (8 bytes)
        //   proto: const = 0x0 (4 bytes)
        //   fds: ptr[out, tipc_pair] {
        //     tipc_pair {
        //       fd0: sock_tipc (resource)
        //       fd1: sock_tipc (resource)
        //     }
        //   }
        // ]
        /* 0x200000000000 is the reproducer's fixed data area (presumably mmap'ed in main, outside this view). */
        res = syscall(__NR_socketpair, /*domain=*/0x1eul, /*type=*/1ul, /*proto=*/0, /*fds=*/0x200000000000ul);
        if (res != -1) {
            r[0] = *(uint32_t*)0x200000000000;
            r[1] = *(uint32_t*)0x200000000004;
        }
        break;
    case 1:
        // sendmsg$tipc arguments: [
        //   fd: sock_tipc (resource)
        //   msg: ptr[in, msghdr_tipc] {
        //     msghdr_tipc {
        //       msg_name: ptr[in, sockaddr_tipc] {
        //         union sockaddr_tipc {
        //           nameseq: sockaddr_tipc_t[TIPC_ADDR_NAMESEQ, tipc_service_range] {
        //             family: const = 0x1e (2 bytes)
        //             addrtype: const = 0x1 (1 bytes)
        //             scope: tipc_scope = 0x0 (1 bytes)
        //             addr: tipc_service_range {
        //               type: tipc_service_type = 0x0 (4 bytes)
        //               lower: int32 = 0x0 (4 bytes)
        //               upper: int32 = 0x0 (4 bytes)
        //             }
        //           }
        //         }
        //       }
        //       msg_namelen: len = 0x10 (4 bytes)
        //       pad = 0x0 (4 bytes)
        //       msg_iov: ptr[in, array[iovec[in, array[int8]]]] {
        //         array[iovec[in, array[int8]]] {
        //           iovec[in, array[int8]] {
        //             addr:
ptr[in, buffer] { // buffer: {c3 e9 72 bd 85 a6 d8 41 36 d6 dd 55 04 8d 35 93 // a7 4f 33 8c e6 77 2a b9 a6 f6 40 41 c2 f6 fb be cd c0 8e // bc d3 19 2b 6a 53 66 2d ae 7c 8e 9c 66 5e 80 a5 d0 92 5f // 72 8d ca c3 0c 29 79 39 92 e5 88 95 26 53 d4 14 cb 8c cd // ab c3 87 67 fe e8 19 ec 5a f0 c5 ee 93 68 80 fe 85 49 b4 // ed 34 77 79 ca b4 ff d4 e0 b6 2c 53 a1 c0 1d b2 8f 2b 3f // 91 c3 42 11 c9 35 3b c1 de ce 61 51 19 17 c2 24 5f d6 6c // b8 df fe ac b4 d4 6d 62 7c 97 b4 98 bf 1f f6 b3 13 bf bc // 97 65 45 7c 83 17 71 d5 ee c7 99 7e c2 42 e4 50 5f 01 c1 // bb 3e 06 9b 2e 63 0f 42 a2 be 86 59 8a 61} (length 0xb6) // } // len: len = 0x64 (8 bytes) // } // iovec[in, array[int8]] { // addr: ptr[in, buffer] { // buffer: {56} (length 0x1) // } // len: len = 0x1 (8 bytes) // } // iovec[in, array[int8]] { // addr: ptr[in, buffer] { // buffer: {3e ed 50 d0 12 57 19 a8 10 f8 8e 3f 47 18 6f e4 // da e7 41 82 df d1 09 a2 58 7c 47 97 41 0c 9b 8e 39 bd 3d // 9a a1 44 d5 90 86 47 c3 0c 8d b6 9b 5c 17 08 4c 9b 1b fb // b8 68 07 37 c4 f8 8a bc db c7 d2 94 d7 2a b1 b3 44 27 09 // 15 df 9d df 56 35 64 4c 35 1c 22 b2 9d 94 8a c4 10 6b ce // 71 07 57 0b ee d6 30 77 cf bc 98 ef 71 69 9e ae 65 d3 77 // 24 d9 95 b5 53 e7 a3 ad e6 19 b5 22 31 3a b3 82 ca f8 79 // fe b4 89 42 87 8e 60 5e e3 ee 28 72 79 4e 3a be 22 a3 f0 // 25 06 8b 62 8a 5d 92 46 80 92 a5 cc 64 9b bb d9 78 b5 77 // 2e 53 79 39 43 2a 50 21 22 23 5c ed 31 2d af d1 08 c9 ff // eb 0b 38 cc 16 da 94 18 ca 01 d4 85 a6 af b5 82 7d a4 df // 6e 11 21 ec 30 7d e1 4b b3 2b 6a 97 76 08 e4 57 6a 99 81 // 82 dd 93 d5 92 ff 43 e5 5b fd bb ce 23 ec d5 01 e4 3b 3e // 93 ef 8d 9d 01 71 1d ff 54 c3 01 e2 99 d3 80 1a 3c ff e6 // c9 88 3f bd 0e 47 12 4d c0 25 69 f6 2d 48 b8 78 fc b5 8c // e9 9f cf fc d2 a5 16 6e ff 3a d9 3c f1 d1 37 27 49 93 d8 // 6a 3b 37 30 d6 3d ed 75 9f 6c a8 8f a4 49 e5 57 5b 15 32 // 1e 5a 58 a1 f8 88 ee d7 46 6d b4 97 6c e3 5f 6d 2e fb 5a // d0 5d 99 a6 64 82 dc 60 7c b5 ac b2 4d 32 68 03 bd 33 75 // 19 cc 98 10 3f 59 c6 
3b 59 62 cd 72 e4 49 7d 1b 00 81 7d // 6e 09 de 70 27 0a 09 b4 93 c2 22 66 17 b1 c9 ef 9d 50 6b // e0 0d 6e 07 f1 46 33 a9 66 f0 4e cc a9 0f b8 d2 b9 63 ad // 6f 38 17 93 5b d6 53 4f a3 da 1c 5d c4 68 78 9c bf 11 92 // f3 c0 bf f3 77 7f 1e dd 2a da 5d 35 f8 8f 12 f2 9e 95 2c // 44 44 5c e6 23 50 9d 66 81 1c 80 a9 e0 f1 3a d8 5a ba 37 // d8 6f f0 da 4d da 60 1d 9e 8a cb 26 42 33 bc 93 9f b0 56 // 31 66 12 cf f6 87 d5 c4 41 57 be 05 bc c8 8b 33 3f f2 a4 // 00 41 d9 8f 1a cf e6 e2 23 1a 84 e0 9b d7 a5 4a 04 42 cf // 87 ce 3e e8 fd 8d a3 9d a1 86 28 62 ae 40 fc 3c b3 05 5c // 8b 70 e6 2f 24 38 50 70 73 41 f5 14 26 bb 3e 71 c7 a4 ff // fe fa b0 60 db 78 60 00 61 8b 05 eb 08 7a 42 4a 2f 30 f6 // a2 32 ff 44 b6 05 f7 0c ee c0 a8 f7 0e 37 90 7f 6e 0b bb // a2 1e 9d 5b 7e cb 6d 28 77 42 b7 5c 10 1b a7 95 25 91 8c // 34 73 ea e3 8f 3c 17 72 49 df a8 81 66 61 c9 92 1f 0b 0c // 85 8d 53 ab 87 c8 40 7b 97 95 0c 84 21 11 00 2e dd 1d 1e // 80 b8 01 b4 95 da 28 bc d5 40 9b c9 71 e5 5d ab 18 57 e1 // 88 ac 97 28 ef c8 f9 a4 54 39 45 f8 6a de 13 b4 45 ea ce // cb bf 84 8a 96 41 0a c3 7c 57 e3 e9 e8 bc 8b 8f ad d5 59 // d2 25 c7 46 86 39 da 2b 5d 12 08 55 8b 51 e9 4c 14 fa a7 // 94 7a 7c 60 e8 1a 96 bb 5d 19 4c c7 28 9a db c0 2e bb 4b // 49 be 1f 1e fc 42 9d b2 f9 b7 9b 5a 22 91 9d ba 0c 35 34 // 10 42 c5 77 69 42 c5 23 65 36 7c 4b fc 95 b4 2b e3 83 cc // a7 10 71 61 de d7 e8 51 d0 12 6d a3 3d 58 1f 1e 2b 08 d0 // c0 61 e8 6d 31 e7 a8 3f 9b 51 c7 9b 40 34 c7 de da 76 97 // 03 4e 14 04 c6 e8 e4 59 f7 6c 2e fe 64 35 01 46 c7 43 7e // f8 08 e0 4c a1 4d f5 f6 f5 00 26 4f d9 77 27 2b bf 8f c0 // 96 77 4e 8e b6 1d 09 63 43 07 51 ac 14 25 a0 73 f8 43 46 // b0 eb a3 68 cb a7 fa 34 ad c4 20 80 0d 4f 99 92 72 80 eb // a1 99 f9 69 5c f8 81 24 fa fc 3a 2b 12 26 d2 f2 ab 3e a2 // 7c 69 a1 27 65 0c f5 c7 25 b5 4c 02 bd 87 29 03 3c f6 99 // ce 7f 03 0f 9a 34 42 05 62 44 da 3c fb 61 a8 12 6d ba 11 // 37 76 24 f3 9e b0 09 24 21 52 fd 7b 8b 88 de 7d d8 60 57 // f2 9b fc b7 b7 df 0e 65 e7 e9 ac 9e ea 
a4 1a fa 62 74 36 // 98 bf f0 3d 5b 2d 51 fb 6b ca 2d 92 29 4e 8e 17 7c fa 36 // 61 b2 6f 1c 04 0e 9b ed 98 3b 7b c0 aa 15 4e b9 c9 2e 4e // e2 50 91 31 8c 53 11 3a 1c 23 ac 62 d2 d7 15 04 cb a9 90 // 41 f2 9a 4f 33 21 33 29 2c f2 0a be c9 22 2a 2a cc a5 7c // ac 48 fa 6c 06 68 ee 5e ec b4 94 74 1a 64 d3 3b 01 1d cc // a7 46 96 d4 61 4c 5b 45 a5 d2 09 83 b1 70 8d 36 5e d3 ff // a6 0f 91 61 97 2a 61 1c 22 64 2c 3c 25 9b 41 f9 43 f6 d7 // a8 b6 0f 28 4d 32 5e 38 fe 76 f0 64 5e 06 9f f7 0c ae 38 // 85 0c cf 97 31 93 b6 23 2c 98 7d f2 62 39 a5 74 69 1f 7f // 07 ff fa 6d ea e1 eb 03 24 fe 54 65 73 c3 6f 2a 2c 31 cd // 44 25 17 a9 b0 36 ae 6a 2a 49 1e 73 43 86 46 93 c1 07 a5 // dc 25 85 82 08 63 c1 46 c1 ba 6c aa 4f ea 9b 87 d5 67 71 // 6f 4c 8c a1 a9 d2 84 80 55 cd 75 05 12 d3 b7 41 5d 09 00 // 19 dc 8a 04 a1 a1 d2 89 31 09 3c d8 f0 0e 94 c4 07 ca 1f // a2 a5 ce 90 3d 9d f2 6e 00 8c 07 cd 13 af a7 83 22 0e 1b // d5 e6 b6 06 45 f3 db b6 ec b4 15 6f ed af a2 dd 25 49 8c // 6a 99 d9 4f 0b 38 12 5e a7 74 1b 75 10 9d ca c9 f8 06 35 // f7 9f 5c 8a 04 83 bb 9f 05 a3 a5 bf 72 1c 75 41 ed b2 52 // 44 9f 8b 13 e6 3c 37 0a 61 46 33 2f 03 ca 1f 1b 6f e0 be // d9 84 f1 37 44 bb 7f a0 fe 32 2e 83 dd f9 ff b2 08 3e 94 // f3 36 04 a0 a1 99 22 0c 45 0d ad 94 bf 15 48 05 e7 f9 e4 // 35 0c a2 d8 1a df 29 78 c8 7d cc 8a 8a 7d 56 29 7e c1 24 // bf ef 0d 28 f3 57 77 20 5e 97 32 72 c8 7e 01 07 0f 14 f5 // b1 4d aa 3b 51 04 d9 ff 6b 29 6c 4f 16 ed 49 eb 42 d3 5e // 7b a3 bc cb 7a 26 c3 3a 26 3d f8 8a ad d5 96 e9 d9 de 0a // bb d4 d4 49 df 11 08 1f 2c d6 2e 1d 89 62 b9 b9 fe b2 5a // 3b 8e 03 53 7d 61 a6 1c 11 ac 22 b7 21 1d 12 c8 4e 60 a6 // ab cc 21 9e 55 8b 25 13 d8 c5 30 b3 c7 a5 7c dc 47 de 54 // 5a af bb 2a 13 c0 e6 c7 5b 1b 92 fa 24 1c 71 3c 83 a0 9c // 92 b2 b6 1d 56 51 20 37 2a 91 43 41 55 83 c9 59 6f 27 a6 // 63 d4 96 7c d6 53 b0 8c eb d6 cb 96 c1 f0 dc 80 d5 72 67 // ac 9a 82 81 d7 14 9b de 88 08 28 ee 27 d6 9a 68 18 db 58 // 32 0d b2 9d 1b 04 4e af 6a b8 a5 10 8b c5 22 de 40 69 90 
// b5 39 3b 1f 7e 7b ab 71 bf 6c f8 ee d1 cd 59 c7 60 7d 66 // 2e 8b 31 3f 5c 4f ce 0f 59 b1 02 73 71 38 10 11 b6 3d d5 // b2 b0 97 39 08 2c 0d 62 ff ad 96 e3 01 53 a3 95 23 49 37 // d3 77 c3 2f e7 af 82 ac a3 a1 9d 0e bc 4a 5c 5f b5 ff 19 // 0f 14 d5 69 5c 70 3b 57 1f b4 bf 03 75 66 35 ca fc 6c f6 // 26 7e ab 83 6c 34 7a 9d 07 e8 08 9f c1 05 34 69 34 cf 33 // 64 e5 be 37 0b 3c 42 b9 4b c5 ae 3d 17 a8 17 39 85 66 a2 // 95 32 51 eb 91 69 7d 67 27 81 45 df 9a 4b 91 7b cc a1 bf // 21 17 80 b2 2f 4c aa cf cb 76 04 c8 4f 94 3d 05 f6 fd f8 // ed bd 25 8d 7d 8d bf 84 f9 d9 9e 57 47 2c 5b 1c 23 37 d7 // 49 a1 f3 45 e6 62 e2 53 6d 23 c7 a6 3b bb bf 00 f8 b5 b0 // a2 10 6a 03 42 ab 27 b9 a1 0b 82 e8 26 68 cd 49 e0 cb b0 // 9d 7b e0 21 76 45 f1 dd a3 be 59 c8 23 2f a2 90 d3 47 91 // cd a5 2a a5 b5 ce c6 33 9a b9 6a 2e b3 f5 32 8c c7 c0 e6 // 71 7c 28 24 34 45 47 a2 ed 51 8f 6b 2b 4e 4f e5 b6 84 59 // 6a a6 a9 d3 98 8f c5 d5 ff 4c b4 6c ec 99 d9 51 b8 38 6b // 10 94 9a 16 3a f9 74 b7 54 3d f9 7b 48 82 a4 ed 60 e9 27 // a1 de b6 7c 5f 81 42 35 be f6 5f ea 79 a2 c7 12 81 5b e7 // 40 3c 93 a3 70 7f b9 0d 46 04 ec 3a 6a 3b 09 28 f2 53 f6 // ab 6b d5 6c 95 8e 02 6c 8c 58 17 2c 4a c2 a3 ef e2 ec d5 // ce a7 0c 83 13 f9 ac 2d 63 8b c2 96 ba 99 e2 ca 86 d2 fd // 06 b5 40 2c dc dd c3 f3 c9 84 5d 5a e7 7f 6f 36 96 3b 91 // e8 f6 cd cc d1 7a be 8d 40 ed 02 46 3a f4 bb 0e 49 63 44 // f3 50 09 7f 1c c1 33 13 fa 1e 17 2b 63 55 6e d2 b8 a8 12 // 1c 01 a5 fb 34 3f f7 76 78 21 62 6f c4 9b 0d 6b d5 22 e1 // c9 bf 13 7d 5a 5b cc b4 bc 8d bb 64 c8 3a 82 ef 6c 28 94 // f3 89 6c 9f 6b f0 c3 76 40 11 d5 3e eb 6d b9 ea 9d ae 22 // d3 eb cc a4 94 2d 58 28 c0 bc a0 d9 ea 37 70 1d 5a 06 c0 // 66 ac 4f e3 18 e1 1e 9c 0d 6c 65 8a c8 10 fb 5d 78 36 cf // ff e4 cc bb 09 34 e5 56 7d 74 69 59 80 a1 56 d4 bf 1c 18 // 86 1c 5a 29 cc d3 49 99 9d c2 05 62 d0 0e 1f 6c 18 51 ae // 56 35 41 08 64 38 d6 0b 97 5c 8c eb 46 64 14 ff 60 ef a0 // b2 de e7 90 fd 06 59 ff a9 8b 92 41 4c 13 d5 a6 82 53 68 // f5 6c 49 84 41 
22 05 04 1c d8 e0 06 c7 12 7d 43 95 ec df // fb 5a dd f8 0e f9 38 ce 54 a3 67 15 4c 4f c2 86 d5 f9 69 // 32 5c 12 b1 36 55 a9 a9 56 dd 3b 98 28 1f 53 7e 83 76 69 // fc 55 d8 93 06 76 e8 07 aa 8c d0 46 e0 f4 58 3d 59 f8 6c // b9 9f 3f 7a 7d dd e1 fb 39 11 1f de c7 67 7d 2f ee 4b 8f // 48 14 a5 de f5 eb cc 67 c6 53 38 4c e8 0e af fd 88 04 05 // f7 ed f8 fd 3e a0 49 f0 40 59 5d f4 a7 5e 2f 89 2e 7a 85 // e0 ba 35 1f b8 d2 63 bf ff 71 68 bb 85 01 7b 36 0f cd 2b // a8 93 46 68 2a 6e a7 cc c4 6a fb db 5a b4 44 e3 f4 77 23 // 8b 2a b5 03 bd e9 14 d3 cf 17 89 53 9c de 9c 06 21 15 2c // d9 7b ff 9f 23 5d 88 a1 ef 4e a4 30 9d b3 a0 5d 40 1a f7 // fb 82 78 4b 05 0e f5 29 da b4 f1 f0 03 eb 29 71 0a 96 2f // 75 38 c5 21 e6 17 e2 f0 ef ac 36 18 2d 09 98 5e 1d 72 5c // c3 8c 38 33 a5 37 42 a0 2f 76 fb 28 54 a9 e4 5f 0f eb ac // f3 bd a8 3f 11 18 3e f5 b9 fe f0 2e bc df 56 d4 10 4b 17 // 5b ad 93 7d 8f 61 96 4f 97 d6 73 57 7c dc bb b4 8d 8e b6 // 2b 06 3e e6 56 3b 9f f0 53 71 9b af f8 71 bc d8 38 22 d8 // 65 b2 f7 ef 02 30 76 42 5a c5 cd 71 b1 f2 30 9d e0 c6 f1 // 4c c9 c4 d3 e8 fa d9 45 f7 56 a7 c8 a0 84 ea 1b fd f5 ac // 6e 74 00 43 e7 f7 bd ac a0 67 74 b0 84 ae 31 4c 26 36 52 // 9d 4f dc d9 65 c7 f8 c0 71 56 57 26 20 b8 27 d6 94 ef dc // 9d 2b fc 5a a9 39 12 20 a8 37 65 f2 c7 1f cd 48 d4 ac ae // d6 0a fb 53 d1 01 3f a3 b1 5e 94 8e c4 15 9f 7d 13 0e f8 // 5b 59 40 18 34 6e 99 03 4c 18 73 82 85 22 3e a5 3a 6b 1d // 5c f1 1a 60 7d e2 e1 96 08 ba 03 ec 97 0a 91 5b 77 38 24 // 26 1f 3f c9 31 dd 6d 3b 93 4d 89 f0 7b af 14 77 63 14 c3 // ee b8 cd 05 37 ef 57 36 f5 65 fb d1 4e 52 0d 4a b2 f7 7e // d9 59 7b 76 ff 91 f8 d1 f9 9e bd 6e 47 3e fd a7 ac cb 27 // 39 75 a0 69 44 d1 03 70 32 12 99 92 b9 94 ca 79 1a 09 b4 // d8 39 80 a1 e4 94 b0 f9 70 98 df 5f 6f b6 bb b0 27 22 ad // b1 1d c3 19 c5 65 c2 c3 63 cb d1 9d 9f b3 ef b4 61 3b 62 // d6 58 4c d5 3f 7b d8 0e 3e 89 30 4f 44 4c e9 dd 18 35 66 // 1e 3b b4 de 02 cc f5 68 a2 a5 da af 0d 56 89 8d 42 86 c3 // fb 62 e2 2a f6 2d 7a c3 18 68 58 
34 46 7f 33 75 61 dd e2 // e0 c1 e2 82 7c df fc f4 2c 17 72 8e e6 4b 3f f4 cc c0 22 // 75 90 ba dd 0b d7 e4 48 b8 cc a0 89 2d 6a 5e 01 30 d2 ac // 66 5f 47 c6 b2 8d aa 10 1c 1b 31 98 69 bd d3 9f a9 24 d6 // d9 ba 7d 72 fe da 5f 21 ac 78 64 1c 7d 48 01 d4 1c 78 79 // 72 1b 3b e4 da b4 0d 9c 4a 78 55 24 40 10 1f 37 34 89 cc // 52 40 b0 14 4a 9c e3 26 91 a7 84 b6 df e9 71 a2 1b b5 98 // 0f f6 7d a2 d1 bb 90 b2 23 c9 e1 92 a3 9c 1a ea dd 1f 5c // 79 08 11 07 9c 0b 51 a9 71 05 c9 9b 6f 95 d7 1b b3 ea 47 // c3 3d 9d cb 0a 53 c9 29 c4 44 99 e1 84 a3 cd 72 2c 90 8d // 3b 0d 15 7e 28 ff de b2 ed 71 92 e7 80 d9 6a 7a 2f 0f d5 // a8 7b dc 97 3e 04 9d a0 ca f9 31 f2 6f 5a 21 81 3e 2e 60 // 2c eb 22 59 99 7e 02 05 ce 48 fd 94 24 bd 6d 4d 75 dd 43 // 01 f4 29 ee 30 74 5c d8 39 a4 0d be ab 4c 3d b2 f0 f1 0b // ba ea 07 1c a4 1d 13 92 38 56 81 73 0a 36 78 a5 f6 0f 60 // 4d be 19 cb 9d 7d d2 34 33 7e 32 74 51 b8 cc 65 39 4a f3 // 99 43 2e f7 fc 37 65 d0 55 87 4e bd ca 14 e5 99 92 92 d6 // f7 2f 31 e9 2b ac f2 5d b5 ef 8f 52 12 95 2c 19 10 de 06 // dd be 16 87 a0 e1 83 79 22 f2 22 82 89 91 6e d3 ae b7 b9 // cc 24 da 3a e4 71 39 e3 71 93 0a fa 6d 35 73 df 67 32 c2 // 6c 0c 7a e0 6d 9c ed fa 77 16 07 11 bc b0 6e 65 53 33 8d // ea e4 c5 73 1c f5 3c c1 54 11 30 96 d0 2f 30 36 d7 d9 ed // fc dc 33 1e 4b b8 60 c5 20 84 89 21 2e 90 4e ab 70 e7 f8 // 60 b0 37 98 95 cb de cb f7 a0 b7 a2 5e 5b 85 3c 7d be 08 // a4 e2 96 a3 0a fe c8 cf 5a 9f 6e a4 ae f3 2a 50 86 55 d5 // 39 a7 70 b2 1e 66 0c 9e e1 d7 68 8c 56 ab eb 7c f1 af cc // c8 d5 97 80 cf 26 31 25 89 e0 c8 e1 bc 00 ad 7b 13 25 cd // 9a 5d d6 92 46 e0 b3 34 07 c3 81 ea 09 26 51 54 ae c2 97 // e4 cc df 97 85 a1 04 2a 83 e7 7c 13 d4 ce 43 60 78 2f 24 // 28 f9 91 6b 5c d1 23 b0 89 eb 68 3d 30 c1 e8 95 b9 94 4a // a9 05 a1 a5 b5 23 01 d8 cc 5e 47 41 83 4e ad 6e bd b5 dc // 05 c9 c4 9c 5e 88 3e 99 d4 0b 98 38 03 7b ea f8 76 53 4d // 74 78 56 10 3e 59 ca f6 26 6f bb e7 60 b6 ef 83 d0 04 63 // 4b 74 f1 4f 8e b4 ae f9 3c 4c c9 cb bd 78 d8 3d 53 
2c 70 // fe ef 51 ea 3f 17 0b 25 d8 1a 6a 9b 07 4b fc a7 e9 b3 77 // 1b f8 35 17 e0 dd 9d 06 00 f7 0b 86 b2 0f 61 fe 36 07 6f // 8b ad a3 34 b2 39 0f a9 54 97 3b c9 01 61 9a 3c fd 03 93 // 49 cb 32 86 25 f4 95 ab 28 8d bd d6 db fd 02 2c 2a 83 f5 // 9e 0b 99 86 19 a1 2e 35 89 1b 5a e9 e8 3a 71 76 55 07 b4 // a5 71 cd 22 41 e5 88 5c 70 52 44 c1 02 26 88 be f7 c5 06 // 5f bc f2 19 fc 01 75 3a db 61 1b 3f bc 09 40 3d cb 10 a4 // f9 9d 78 86 67 ef f7 5f a2 70 74 ca 84 81 a6 33 53 0e 26 // 16 3c cf 7d ad a0 49 d2 3e 71 7e 06 7b 6f a5 b2 f6 52 bc // 50 ab da 9e 7c cd c5 f2 f3 c3 5e cc 2c 44 31 c8 19 c9 69 // 1b e4 42 2e 37 97 50 77 4e 9f 39 da e0 6f 26 42 3c 8a 42 // 78 78 9c 9f 31 11 b4 3f 6d d2 5b 0a d4 7c 4c c5 fd a3 f3 // ed 82 07 9c 93 66 e0 ad ce d8 83 48 8f 42 9c 1d 7e 1b 35 // 1f d0 bb 20 4d d7 97 7e f2 24 c4 df 6d 7a 5f 76 97 bc 65 // 00 a7 d0 3a 8a 91 41 54 77 9f a7 09 2b f1 be 6b ad 40 92 // 36 7c e5 d2 95 a5 d5 d0 e7 c4 69 f3 72 ca 20 11 d6 12 63 // 70 25 e8 9f 17 8a e9 ad a0 c5 b7 3b cb 7d 7c 03 4f f5 95 // 26 3c d4 21 6e 3c 76 ba 5f 3d 81 93 2a 08 8a 90 bf 80 43 // e8 77 e2 99 c6 70 ef 16 22 a0 98 d5 51 9d 9a dc 4e e7 d4 // cd 00 e5 93 4a 43 75 fa 83 fd b8 12 14 b8 92 48 2b 31 bd // de 59 a7 0a af 25 cb 7f 41 7c 3a 2a 91 c4 e5 4b 48 14 9f // 6c 41 d9 d3 96 ee 6f f1 3e 30 28 c6 4a 7c 9b 1f 2e 7c 6e // 67 18 4a 3d 52 d6 f5 70 db 3d 22 5c 94 74 23 c4 c6 53 3f // 22 df 57 d1 5c 5e 5a 31 83 42 2b d3 78 b0 6f e4 73 2a 94 // 01 dc b1 98 40 fb 8f a5 c5 0a 0f f4 97 fe f3 62 c5 07 75 // 3e 46 b8 88 1d 3e 76 7f 3b 1d 89 3a 38 05 94 1c 94 f2 ef // a0 5c e3 4b 9e a8 1d 71 69 84 af 68 34 23 0d 47 07 a8 70 // 89 d4 07 79 50 3e e6 a9 bb 24 5d 7d 99 7f 14 ac b8 0e 89 // 73 1c 04 2b bb be 3d cd 05 17 7b 0e e0 ee c2 34 55 83 0e // f5 b6 5a ca 35 7f 2b 0b 88 7e 0b 98 21 c0} (length 0x1000) // } // len: len = 0x1000 (8 bytes) // } // iovec[in, array[int8]] { // addr: ptr[in, buffer] { // buffer: {b7 68 eb 20 30 4f 2f dc 5a 96 94 a4 86 78 40 d9 // 31 70 ca 1a 86 40 6f} (length 
0x17) // } // len: len = 0xfffffec0 (8 bytes) // } // } // } // msg_iovlen: len = 0x4 (8 bytes) // msg_control: nil // msg_controllen: bytesize = 0x0 (8 bytes) // msg_flags: send_flags = 0x8010 (4 bytes) // pad = 0x0 (4 bytes) // } // } // f: send_flags = 0x0 (8 bytes) // ] *(uint64_t*)0x2000000003c0 = 0x200000000180; *(uint16_t*)0x200000000180 = 0x1e; *(uint8_t*)0x200000000182 = 1; *(uint8_t*)0x200000000183 = 0; *(uint32_t*)0x200000000184 = 0; *(uint32_t*)0x200000000188 = 0; *(uint32_t*)0x20000000018c = 0; *(uint32_t*)0x2000000003c8 = 0x10; *(uint64_t*)0x2000000003d0 = 0x200000000380; *(uint64_t*)0x200000000380 = 0x200000000480; memcpy( (void*)0x200000000480, "\xc3\xe9\x72\xbd\x85\xa6\xd8\x41\x36\xd6\xdd\x55\x04\x8d\x35\x93\xa7" "\x4f\x33\x8c\xe6\x77\x2a\xb9\xa6\xf6\x40\x41\xc2\xf6\xfb\xbe\xcd\xc0" "\x8e\xbc\xd3\x19\x2b\x6a\x53\x66\x2d\xae\x7c\x8e\x9c\x66\x5e\x80\xa5" "\xd0\x92\x5f\x72\x8d\xca\xc3\x0c\x29\x79\x39\x92\xe5\x88\x95\x26\x53" "\xd4\x14\xcb\x8c\xcd\xab\xc3\x87\x67\xfe\xe8\x19\xec\x5a\xf0\xc5\xee" "\x93\x68\x80\xfe\x85\x49\xb4\xed\x34\x77\x79\xca\xb4\xff\xd4\xe0\xb6" "\x2c\x53\xa1\xc0\x1d\xb2\x8f\x2b\x3f\x91\xc3\x42\x11\xc9\x35\x3b\xc1" "\xde\xce\x61\x51\x19\x17\xc2\x24\x5f\xd6\x6c\xb8\xdf\xfe\xac\xb4\xd4" "\x6d\x62\x7c\x97\xb4\x98\xbf\x1f\xf6\xb3\x13\xbf\xbc\x97\x65\x45\x7c" "\x83\x17\x71\xd5\xee\xc7\x99\x7e\xc2\x42\xe4\x50\x5f\x01\xc1\xbb\x3e" "\x06\x9b\x2e\x63\x0f\x42\xa2\xbe\x86\x59\x8a\x61", 182); *(uint64_t*)0x200000000388 = 0x64; *(uint64_t*)0x200000000390 = 0x200000000300; memset((void*)0x200000000300, 86, 1); *(uint64_t*)0x200000000398 = 1; *(uint64_t*)0x2000000003a0 = 0x200000001600; memcpy( (void*)0x200000001600, "\x3e\xed\x50\xd0\x12\x57\x19\xa8\x10\xf8\x8e\x3f\x47\x18\x6f\xe4\xda" "\xe7\x41\x82\xdf\xd1\x09\xa2\x58\x7c\x47\x97\x41\x0c\x9b\x8e\x39\xbd" "\x3d\x9a\xa1\x44\xd5\x90\x86\x47\xc3\x0c\x8d\xb6\x9b\x5c\x17\x08\x4c" "\x9b\x1b\xfb\xb8\x68\x07\x37\xc4\xf8\x8a\xbc\xdb\xc7\xd2\x94\xd7\x2a" 
"\xb1\xb3\x44\x27\x09\x15\xdf\x9d\xdf\x56\x35\x64\x4c\x35\x1c\x22\xb2" "\x9d\x94\x8a\xc4\x10\x6b\xce\x71\x07\x57\x0b\xee\xd6\x30\x77\xcf\xbc" "\x98\xef\x71\x69\x9e\xae\x65\xd3\x77\x24\xd9\x95\xb5\x53\xe7\xa3\xad" "\xe6\x19\xb5\x22\x31\x3a\xb3\x82\xca\xf8\x79\xfe\xb4\x89\x42\x87\x8e" "\x60\x5e\xe3\xee\x28\x72\x79\x4e\x3a\xbe\x22\xa3\xf0\x25\x06\x8b\x62" "\x8a\x5d\x92\x46\x80\x92\xa5\xcc\x64\x9b\xbb\xd9\x78\xb5\x77\x2e\x53" "\x79\x39\x43\x2a\x50\x21\x22\x23\x5c\xed\x31\x2d\xaf\xd1\x08\xc9\xff" "\xeb\x0b\x38\xcc\x16\xda\x94\x18\xca\x01\xd4\x85\xa6\xaf\xb5\x82\x7d" "\xa4\xdf\x6e\x11\x21\xec\x30\x7d\xe1\x4b\xb3\x2b\x6a\x97\x76\x08\xe4" "\x57\x6a\x99\x81\x82\xdd\x93\xd5\x92\xff\x43\xe5\x5b\xfd\xbb\xce\x23" "\xec\xd5\x01\xe4\x3b\x3e\x93\xef\x8d\x9d\x01\x71\x1d\xff\x54\xc3\x01" "\xe2\x99\xd3\x80\x1a\x3c\xff\xe6\xc9\x88\x3f\xbd\x0e\x47\x12\x4d\xc0" "\x25\x69\xf6\x2d\x48\xb8\x78\xfc\xb5\x8c\xe9\x9f\xcf\xfc\xd2\xa5\x16" "\x6e\xff\x3a\xd9\x3c\xf1\xd1\x37\x27\x49\x93\xd8\x6a\x3b\x37\x30\xd6" "\x3d\xed\x75\x9f\x6c\xa8\x8f\xa4\x49\xe5\x57\x5b\x15\x32\x1e\x5a\x58" "\xa1\xf8\x88\xee\xd7\x46\x6d\xb4\x97\x6c\xe3\x5f\x6d\x2e\xfb\x5a\xd0" "\x5d\x99\xa6\x64\x82\xdc\x60\x7c\xb5\xac\xb2\x4d\x32\x68\x03\xbd\x33" "\x75\x19\xcc\x98\x10\x3f\x59\xc6\x3b\x59\x62\xcd\x72\xe4\x49\x7d\x1b" "\x00\x81\x7d\x6e\x09\xde\x70\x27\x0a\x09\xb4\x93\xc2\x22\x66\x17\xb1" "\xc9\xef\x9d\x50\x6b\xe0\x0d\x6e\x07\xf1\x46\x33\xa9\x66\xf0\x4e\xcc" "\xa9\x0f\xb8\xd2\xb9\x63\xad\x6f\x38\x17\x93\x5b\xd6\x53\x4f\xa3\xda" "\x1c\x5d\xc4\x68\x78\x9c\xbf\x11\x92\xf3\xc0\xbf\xf3\x77\x7f\x1e\xdd" "\x2a\xda\x5d\x35\xf8\x8f\x12\xf2\x9e\x95\x2c\x44\x44\x5c\xe6\x23\x50" "\x9d\x66\x81\x1c\x80\xa9\xe0\xf1\x3a\xd8\x5a\xba\x37\xd8\x6f\xf0\xda" "\x4d\xda\x60\x1d\x9e\x8a\xcb\x26\x42\x33\xbc\x93\x9f\xb0\x56\x31\x66" "\x12\xcf\xf6\x87\xd5\xc4\x41\x57\xbe\x05\xbc\xc8\x8b\x33\x3f\xf2\xa4" "\x00\x41\xd9\x8f\x1a\xcf\xe6\xe2\x23\x1a\x84\xe0\x9b\xd7\xa5\x4a\x04" "\x42\xcf\x87\xce\x3e\xe8\xfd\x8d\xa3\x9d\xa1\x86\x28\x62\xae\x40\xfc" 
"\x3c\xb3\x05\x5c\x8b\x70\xe6\x2f\x24\x38\x50\x70\x73\x41\xf5\x14\x26" "\xbb\x3e\x71\xc7\xa4\xff\xfe\xfa\xb0\x60\xdb\x78\x60\x00\x61\x8b\x05" "\xeb\x08\x7a\x42\x4a\x2f\x30\xf6\xa2\x32\xff\x44\xb6\x05\xf7\x0c\xee" "\xc0\xa8\xf7\x0e\x37\x90\x7f\x6e\x0b\xbb\xa2\x1e\x9d\x5b\x7e\xcb\x6d" "\x28\x77\x42\xb7\x5c\x10\x1b\xa7\x95\x25\x91\x8c\x34\x73\xea\xe3\x8f" "\x3c\x17\x72\x49\xdf\xa8\x81\x66\x61\xc9\x92\x1f\x0b\x0c\x85\x8d\x53" "\xab\x87\xc8\x40\x7b\x97\x95\x0c\x84\x21\x11\x00\x2e\xdd\x1d\x1e\x80" "\xb8\x01\xb4\x95\xda\x28\xbc\xd5\x40\x9b\xc9\x71\xe5\x5d\xab\x18\x57" "\xe1\x88\xac\x97\x28\xef\xc8\xf9\xa4\x54\x39\x45\xf8\x6a\xde\x13\xb4" "\x45\xea\xce\xcb\xbf\x84\x8a\x96\x41\x0a\xc3\x7c\x57\xe3\xe9\xe8\xbc" "\x8b\x8f\xad\xd5\x59\xd2\x25\xc7\x46\x86\x39\xda\x2b\x5d\x12\x08\x55" "\x8b\x51\xe9\x4c\x14\xfa\xa7\x94\x7a\x7c\x60\xe8\x1a\x96\xbb\x5d\x19" "\x4c\xc7\x28\x9a\xdb\xc0\x2e\xbb\x4b\x49\xbe\x1f\x1e\xfc\x42\x9d\xb2" "\xf9\xb7\x9b\x5a\x22\x91\x9d\xba\x0c\x35\x34\x10\x42\xc5\x77\x69\x42" "\xc5\x23\x65\x36\x7c\x4b\xfc\x95\xb4\x2b\xe3\x83\xcc\xa7\x10\x71\x61" "\xde\xd7\xe8\x51\xd0\x12\x6d\xa3\x3d\x58\x1f\x1e\x2b\x08\xd0\xc0\x61" "\xe8\x6d\x31\xe7\xa8\x3f\x9b\x51\xc7\x9b\x40\x34\xc7\xde\xda\x76\x97" "\x03\x4e\x14\x04\xc6\xe8\xe4\x59\xf7\x6c\x2e\xfe\x64\x35\x01\x46\xc7" "\x43\x7e\xf8\x08\xe0\x4c\xa1\x4d\xf5\xf6\xf5\x00\x26\x4f\xd9\x77\x27" "\x2b\xbf\x8f\xc0\x96\x77\x4e\x8e\xb6\x1d\x09\x63\x43\x07\x51\xac\x14" "\x25\xa0\x73\xf8\x43\x46\xb0\xeb\xa3\x68\xcb\xa7\xfa\x34\xad\xc4\x20" "\x80\x0d\x4f\x99\x92\x72\x80\xeb\xa1\x99\xf9\x69\x5c\xf8\x81\x24\xfa" "\xfc\x3a\x2b\x12\x26\xd2\xf2\xab\x3e\xa2\x7c\x69\xa1\x27\x65\x0c\xf5" "\xc7\x25\xb5\x4c\x02\xbd\x87\x29\x03\x3c\xf6\x99\xce\x7f\x03\x0f\x9a" "\x34\x42\x05\x62\x44\xda\x3c\xfb\x61\xa8\x12\x6d\xba\x11\x37\x76\x24" "\xf3\x9e\xb0\x09\x24\x21\x52\xfd\x7b\x8b\x88\xde\x7d\xd8\x60\x57\xf2" "\x9b\xfc\xb7\xb7\xdf\x0e\x65\xe7\xe9\xac\x9e\xea\xa4\x1a\xfa\x62\x74" "\x36\x98\xbf\xf0\x3d\x5b\x2d\x51\xfb\x6b\xca\x2d\x92\x29\x4e\x8e\x17" 
"\x7c\xfa\x36\x61\xb2\x6f\x1c\x04\x0e\x9b\xed\x98\x3b\x7b\xc0\xaa\x15" "\x4e\xb9\xc9\x2e\x4e\xe2\x50\x91\x31\x8c\x53\x11\x3a\x1c\x23\xac\x62" "\xd2\xd7\x15\x04\xcb\xa9\x90\x41\xf2\x9a\x4f\x33\x21\x33\x29\x2c\xf2" "\x0a\xbe\xc9\x22\x2a\x2a\xcc\xa5\x7c\xac\x48\xfa\x6c\x06\x68\xee\x5e" "\xec\xb4\x94\x74\x1a\x64\xd3\x3b\x01\x1d\xcc\xa7\x46\x96\xd4\x61\x4c" "\x5b\x45\xa5\xd2\x09\x83\xb1\x70\x8d\x36\x5e\xd3\xff\xa6\x0f\x91\x61" "\x97\x2a\x61\x1c\x22\x64\x2c\x3c\x25\x9b\x41\xf9\x43\xf6\xd7\xa8\xb6" "\x0f\x28\x4d\x32\x5e\x38\xfe\x76\xf0\x64\x5e\x06\x9f\xf7\x0c\xae\x38" "\x85\x0c\xcf\x97\x31\x93\xb6\x23\x2c\x98\x7d\xf2\x62\x39\xa5\x74\x69" "\x1f\x7f\x07\xff\xfa\x6d\xea\xe1\xeb\x03\x24\xfe\x54\x65\x73\xc3\x6f" "\x2a\x2c\x31\xcd\x44\x25\x17\xa9\xb0\x36\xae\x6a\x2a\x49\x1e\x73\x43" "\x86\x46\x93\xc1\x07\xa5\xdc\x25\x85\x82\x08\x63\xc1\x46\xc1\xba\x6c" "\xaa\x4f\xea\x9b\x87\xd5\x67\x71\x6f\x4c\x8c\xa1\xa9\xd2\x84\x80\x55" "\xcd\x75\x05\x12\xd3\xb7\x41\x5d\x09\x00\x19\xdc\x8a\x04\xa1\xa1\xd2" "\x89\x31\x09\x3c\xd8\xf0\x0e\x94\xc4\x07\xca\x1f\xa2\xa5\xce\x90\x3d" "\x9d\xf2\x6e\x00\x8c\x07\xcd\x13\xaf\xa7\x83\x22\x0e\x1b\xd5\xe6\xb6" "\x06\x45\xf3\xdb\xb6\xec\xb4\x15\x6f\xed\xaf\xa2\xdd\x25\x49\x8c\x6a" "\x99\xd9\x4f\x0b\x38\x12\x5e\xa7\x74\x1b\x75\x10\x9d\xca\xc9\xf8\x06" "\x35\xf7\x9f\x5c\x8a\x04\x83\xbb\x9f\x05\xa3\xa5\xbf\x72\x1c\x75\x41" "\xed\xb2\x52\x44\x9f\x8b\x13\xe6\x3c\x37\x0a\x61\x46\x33\x2f\x03\xca" "\x1f\x1b\x6f\xe0\xbe\xd9\x84\xf1\x37\x44\xbb\x7f\xa0\xfe\x32\x2e\x83" "\xdd\xf9\xff\xb2\x08\x3e\x94\xf3\x36\x04\xa0\xa1\x99\x22\x0c\x45\x0d" "\xad\x94\xbf\x15\x48\x05\xe7\xf9\xe4\x35\x0c\xa2\xd8\x1a\xdf\x29\x78" "\xc8\x7d\xcc\x8a\x8a\x7d\x56\x29\x7e\xc1\x24\xbf\xef\x0d\x28\xf3\x57" "\x77\x20\x5e\x97\x32\x72\xc8\x7e\x01\x07\x0f\x14\xf5\xb1\x4d\xaa\x3b" "\x51\x04\xd9\xff\x6b\x29\x6c\x4f\x16\xed\x49\xeb\x42\xd3\x5e\x7b\xa3" "\xbc\xcb\x7a\x26\xc3\x3a\x26\x3d\xf8\x8a\xad\xd5\x96\xe9\xd9\xde\x0a" "\xbb\xd4\xd4\x49\xdf\x11\x08\x1f\x2c\xd6\x2e\x1d\x89\x62\xb9\xb9\xfe" 
"\xb2\x5a\x3b\x8e\x03\x53\x7d\x61\xa6\x1c\x11\xac\x22\xb7\x21\x1d\x12" "\xc8\x4e\x60\xa6\xab\xcc\x21\x9e\x55\x8b\x25\x13\xd8\xc5\x30\xb3\xc7" "\xa5\x7c\xdc\x47\xde\x54\x5a\xaf\xbb\x2a\x13\xc0\xe6\xc7\x5b\x1b\x92" "\xfa\x24\x1c\x71\x3c\x83\xa0\x9c\x92\xb2\xb6\x1d\x56\x51\x20\x37\x2a" "\x91\x43\x41\x55\x83\xc9\x59\x6f\x27\xa6\x63\xd4\x96\x7c\xd6\x53\xb0" "\x8c\xeb\xd6\xcb\x96\xc1\xf0\xdc\x80\xd5\x72\x67\xac\x9a\x82\x81\xd7" "\x14\x9b\xde\x88\x08\x28\xee\x27\xd6\x9a\x68\x18\xdb\x58\x32\x0d\xb2" "\x9d\x1b\x04\x4e\xaf\x6a\xb8\xa5\x10\x8b\xc5\x22\xde\x40\x69\x90\xb5" "\x39\x3b\x1f\x7e\x7b\xab\x71\xbf\x6c\xf8\xee\xd1\xcd\x59\xc7\x60\x7d" "\x66\x2e\x8b\x31\x3f\x5c\x4f\xce\x0f\x59\xb1\x02\x73\x71\x38\x10\x11" "\xb6\x3d\xd5\xb2\xb0\x97\x39\x08\x2c\x0d\x62\xff\xad\x96\xe3\x01\x53" "\xa3\x95\x23\x49\x37\xd3\x77\xc3\x2f\xe7\xaf\x82\xac\xa3\xa1\x9d\x0e" "\xbc\x4a\x5c\x5f\xb5\xff\x19\x0f\x14\xd5\x69\x5c\x70\x3b\x57\x1f\xb4" "\xbf\x03\x75\x66\x35\xca\xfc\x6c\xf6\x26\x7e\xab\x83\x6c\x34\x7a\x9d" "\x07\xe8\x08\x9f\xc1\x05\x34\x69\x34\xcf\x33\x64\xe5\xbe\x37\x0b\x3c" "\x42\xb9\x4b\xc5\xae\x3d\x17\xa8\x17\x39\x85\x66\xa2\x95\x32\x51\xeb" "\x91\x69\x7d\x67\x27\x81\x45\xdf\x9a\x4b\x91\x7b\xcc\xa1\xbf\x21\x17" "\x80\xb2\x2f\x4c\xaa\xcf\xcb\x76\x04\xc8\x4f\x94\x3d\x05\xf6\xfd\xf8" "\xed\xbd\x25\x8d\x7d\x8d\xbf\x84\xf9\xd9\x9e\x57\x47\x2c\x5b\x1c\x23" "\x37\xd7\x49\xa1\xf3\x45\xe6\x62\xe2\x53\x6d\x23\xc7\xa6\x3b\xbb\xbf" "\x00\xf8\xb5\xb0\xa2\x10\x6a\x03\x42\xab\x27\xb9\xa1\x0b\x82\xe8\x26" "\x68\xcd\x49\xe0\xcb\xb0\x9d\x7b\xe0\x21\x76\x45\xf1\xdd\xa3\xbe\x59" "\xc8\x23\x2f\xa2\x90\xd3\x47\x91\xcd\xa5\x2a\xa5\xb5\xce\xc6\x33\x9a" "\xb9\x6a\x2e\xb3\xf5\x32\x8c\xc7\xc0\xe6\x71\x7c\x28\x24\x34\x45\x47" "\xa2\xed\x51\x8f\x6b\x2b\x4e\x4f\xe5\xb6\x84\x59\x6a\xa6\xa9\xd3\x98" "\x8f\xc5\xd5\xff\x4c\xb4\x6c\xec\x99\xd9\x51\xb8\x38\x6b\x10\x94\x9a" "\x16\x3a\xf9\x74\xb7\x54\x3d\xf9\x7b\x48\x82\xa4\xed\x60\xe9\x27\xa1" "\xde\xb6\x7c\x5f\x81\x42\x35\xbe\xf6\x5f\xea\x79\xa2\xc7\x12\x81\x5b" 
"\xe7\x40\x3c\x93\xa3\x70\x7f\xb9\x0d\x46\x04\xec\x3a\x6a\x3b\x09\x28" "\xf2\x53\xf6\xab\x6b\xd5\x6c\x95\x8e\x02\x6c\x8c\x58\x17\x2c\x4a\xc2" "\xa3\xef\xe2\xec\xd5\xce\xa7\x0c\x83\x13\xf9\xac\x2d\x63\x8b\xc2\x96" "\xba\x99\xe2\xca\x86\xd2\xfd\x06\xb5\x40\x2c\xdc\xdd\xc3\xf3\xc9\x84" "\x5d\x5a\xe7\x7f\x6f\x36\x96\x3b\x91\xe8\xf6\xcd\xcc\xd1\x7a\xbe\x8d" "\x40\xed\x02\x46\x3a\xf4\xbb\x0e\x49\x63\x44\xf3\x50\x09\x7f\x1c\xc1" "\x33\x13\xfa\x1e\x17\x2b\x63\x55\x6e\xd2\xb8\xa8\x12\x1c\x01\xa5\xfb" "\x34\x3f\xf7\x76\x78\x21\x62\x6f\xc4\x9b\x0d\x6b\xd5\x22\xe1\xc9\xbf" "\x13\x7d\x5a\x5b\xcc\xb4\xbc\x8d\xbb\x64\xc8\x3a\x82\xef\x6c\x28\x94" "\xf3\x89\x6c\x9f\x6b\xf0\xc3\x76\x40\x11\xd5\x3e\xeb\x6d\xb9\xea\x9d" "\xae\x22\xd3\xeb\xcc\xa4\x94\x2d\x58\x28\xc0\xbc\xa0\xd9\xea\x37\x70" "\x1d\x5a\x06\xc0\x66\xac\x4f\xe3\x18\xe1\x1e\x9c\x0d\x6c\x65\x8a\xc8" "\x10\xfb\x5d\x78\x36\xcf\xff\xe4\xcc\xbb\x09\x34\xe5\x56\x7d\x74\x69" "\x59\x80\xa1\x56\xd4\xbf\x1c\x18\x86\x1c\x5a\x29\xcc\xd3\x49\x99\x9d" "\xc2\x05\x62\xd0\x0e\x1f\x6c\x18\x51\xae\x56\x35\x41\x08\x64\x38\xd6" "\x0b\x97\x5c\x8c\xeb\x46\x64\x14\xff\x60\xef\xa0\xb2\xde\xe7\x90\xfd" "\x06\x59\xff\xa9\x8b\x92\x41\x4c\x13\xd5\xa6\x82\x53\x68\xf5\x6c\x49" "\x84\x41\x22\x05\x04\x1c\xd8\xe0\x06\xc7\x12\x7d\x43\x95\xec\xdf\xfb" "\x5a\xdd\xf8\x0e\xf9\x38\xce\x54\xa3\x67\x15\x4c\x4f\xc2\x86\xd5\xf9" "\x69\x32\x5c\x12\xb1\x36\x55\xa9\xa9\x56\xdd\x3b\x98\x28\x1f\x53\x7e" "\x83\x76\x69\xfc\x55\xd8\x93\x06\x76\xe8\x07\xaa\x8c\xd0\x46\xe0\xf4" "\x58\x3d\x59\xf8\x6c\xb9\x9f\x3f\x7a\x7d\xdd\xe1\xfb\x39\x11\x1f\xde" "\xc7\x67\x7d\x2f\xee\x4b\x8f\x48\x14\xa5\xde\xf5\xeb\xcc\x67\xc6\x53" "\x38\x4c\xe8\x0e\xaf\xfd\x88\x04\x05\xf7\xed\xf8\xfd\x3e\xa0\x49\xf0" "\x40\x59\x5d\xf4\xa7\x5e\x2f\x89\x2e\x7a\x85\xe0\xba\x35\x1f\xb8\xd2" "\x63\xbf\xff\x71\x68\xbb\x85\x01\x7b\x36\x0f\xcd\x2b\xa8\x93\x46\x68" "\x2a\x6e\xa7\xcc\xc4\x6a\xfb\xdb\x5a\xb4\x44\xe3\xf4\x77\x23\x8b\x2a" "\xb5\x03\xbd\xe9\x14\xd3\xcf\x17\x89\x53\x9c\xde\x9c\x06\x21\x15\x2c" 
"\xd9\x7b\xff\x9f\x23\x5d\x88\xa1\xef\x4e\xa4\x30\x9d\xb3\xa0\x5d\x40" "\x1a\xf7\xfb\x82\x78\x4b\x05\x0e\xf5\x29\xda\xb4\xf1\xf0\x03\xeb\x29" "\x71\x0a\x96\x2f\x75\x38\xc5\x21\xe6\x17\xe2\xf0\xef\xac\x36\x18\x2d" "\x09\x98\x5e\x1d\x72\x5c\xc3\x8c\x38\x33\xa5\x37\x42\xa0\x2f\x76\xfb" "\x28\x54\xa9\xe4\x5f\x0f\xeb\xac\xf3\xbd\xa8\x3f\x11\x18\x3e\xf5\xb9" "\xfe\xf0\x2e\xbc\xdf\x56\xd4\x10\x4b\x17\x5b\xad\x93\x7d\x8f\x61\x96" "\x4f\x97\xd6\x73\x57\x7c\xdc\xbb\xb4\x8d\x8e\xb6\x2b\x06\x3e\xe6\x56" "\x3b\x9f\xf0\x53\x71\x9b\xaf\xf8\x71\xbc\xd8\x38\x22\xd8\x65\xb2\xf7" "\xef\x02\x30\x76\x42\x5a\xc5\xcd\x71\xb1\xf2\x30\x9d\xe0\xc6\xf1\x4c" "\xc9\xc4\xd3\xe8\xfa\xd9\x45\xf7\x56\xa7\xc8\xa0\x84\xea\x1b\xfd\xf5" "\xac\x6e\x74\x00\x43\xe7\xf7\xbd\xac\xa0\x67\x74\xb0\x84\xae\x31\x4c" "\x26\x36\x52\x9d\x4f\xdc\xd9\x65\xc7\xf8\xc0\x71\x56\x57\x26\x20\xb8" "\x27\xd6\x94\xef\xdc\x9d\x2b\xfc\x5a\xa9\x39\x12\x20\xa8\x37\x65\xf2" "\xc7\x1f\xcd\x48\xd4\xac\xae\xd6\x0a\xfb\x53\xd1\x01\x3f\xa3\xb1\x5e" "\x94\x8e\xc4\x15\x9f\x7d\x13\x0e\xf8\x5b\x59\x40\x18\x34\x6e\x99\x03" "\x4c\x18\x73\x82\x85\x22\x3e\xa5\x3a\x6b\x1d\x5c\xf1\x1a\x60\x7d\xe2" "\xe1\x96\x08\xba\x03\xec\x97\x0a\x91\x5b\x77\x38\x24\x26\x1f\x3f\xc9" "\x31\xdd\x6d\x3b\x93\x4d\x89\xf0\x7b\xaf\x14\x77\x63\x14\xc3\xee\xb8" "\xcd\x05\x37\xef\x57\x36\xf5\x65\xfb\xd1\x4e\x52\x0d\x4a\xb2\xf7\x7e" "\xd9\x59\x7b\x76\xff\x91\xf8\xd1\xf9\x9e\xbd\x6e\x47\x3e\xfd\xa7\xac" "\xcb\x27\x39\x75\xa0\x69\x44\xd1\x03\x70\x32\x12\x99\x92\xb9\x94\xca" "\x79\x1a\x09\xb4\xd8\x39\x80\xa1\xe4\x94\xb0\xf9\x70\x98\xdf\x5f\x6f" "\xb6\xbb\xb0\x27\x22\xad\xb1\x1d\xc3\x19\xc5\x65\xc2\xc3\x63\xcb\xd1" "\x9d\x9f\xb3\xef\xb4\x61\x3b\x62\xd6\x58\x4c\xd5\x3f\x7b\xd8\x0e\x3e" "\x89\x30\x4f\x44\x4c\xe9\xdd\x18\x35\x66\x1e\x3b\xb4\xde\x02\xcc\xf5" "\x68\xa2\xa5\xda\xaf\x0d\x56\x89\x8d\x42\x86\xc3\xfb\x62\xe2\x2a\xf6" "\x2d\x7a\xc3\x18\x68\x58\x34\x46\x7f\x33\x75\x61\xdd\xe2\xe0\xc1\xe2" "\x82\x7c\xdf\xfc\xf4\x2c\x17\x72\x8e\xe6\x4b\x3f\xf4\xcc\xc0\x22\x75" 
"\x90\xba\xdd\x0b\xd7\xe4\x48\xb8\xcc\xa0\x89\x2d\x6a\x5e\x01\x30\xd2" "\xac\x66\x5f\x47\xc6\xb2\x8d\xaa\x10\x1c\x1b\x31\x98\x69\xbd\xd3\x9f" "\xa9\x24\xd6\xd9\xba\x7d\x72\xfe\xda\x5f\x21\xac\x78\x64\x1c\x7d\x48" "\x01\xd4\x1c\x78\x79\x72\x1b\x3b\xe4\xda\xb4\x0d\x9c\x4a\x78\x55\x24" "\x40\x10\x1f\x37\x34\x89\xcc\x52\x40\xb0\x14\x4a\x9c\xe3\x26\x91\xa7" "\x84\xb6\xdf\xe9\x71\xa2\x1b\xb5\x98\x0f\xf6\x7d\xa2\xd1\xbb\x90\xb2" "\x23\xc9\xe1\x92\xa3\x9c\x1a\xea\xdd\x1f\x5c\x79\x08\x11\x07\x9c\x0b" "\x51\xa9\x71\x05\xc9\x9b\x6f\x95\xd7\x1b\xb3\xea\x47\xc3\x3d\x9d\xcb" "\x0a\x53\xc9\x29\xc4\x44\x99\xe1\x84\xa3\xcd\x72\x2c\x90\x8d\x3b\x0d" "\x15\x7e\x28\xff\xde\xb2\xed\x71\x92\xe7\x80\xd9\x6a\x7a\x2f\x0f\xd5" "\xa8\x7b\xdc\x97\x3e\x04\x9d\xa0\xca\xf9\x31\xf2\x6f\x5a\x21\x81\x3e" "\x2e\x60\x2c\xeb\x22\x59\x99\x7e\x02\x05\xce\x48\xfd\x94\x24\xbd\x6d" "\x4d\x75\xdd\x43\x01\xf4\x29\xee\x30\x74\x5c\xd8\x39\xa4\x0d\xbe\xab" "\x4c\x3d\xb2\xf0\xf1\x0b\xba\xea\x07\x1c\xa4\x1d\x13\x92\x38\x56\x81" "\x73\x0a\x36\x78\xa5\xf6\x0f\x60\x4d\xbe\x19\xcb\x9d\x7d\xd2\x34\x33" "\x7e\x32\x74\x51\xb8\xcc\x65\x39\x4a\xf3\x99\x43\x2e\xf7\xfc\x37\x65" "\xd0\x55\x87\x4e\xbd\xca\x14\xe5\x99\x92\x92\xd6\xf7\x2f\x31\xe9\x2b" "\xac\xf2\x5d\xb5\xef\x8f\x52\x12\x95\x2c\x19\x10\xde\x06\xdd\xbe\x16" "\x87\xa0\xe1\x83\x79\x22\xf2\x22\x82\x89\x91\x6e\xd3\xae\xb7\xb9\xcc" "\x24\xda\x3a\xe4\x71\x39\xe3\x71\x93\x0a\xfa\x6d\x35\x73\xdf\x67\x32" "\xc2\x6c\x0c\x7a\xe0\x6d\x9c\xed\xfa\x77\x16\x07\x11\xbc\xb0\x6e\x65" "\x53\x33\x8d\xea\xe4\xc5\x73\x1c\xf5\x3c\xc1\x54\x11\x30\x96\xd0\x2f" "\x30\x36\xd7\xd9\xed\xfc\xdc\x33\x1e\x4b\xb8\x60\xc5\x20\x84\x89\x21" "\x2e\x90\x4e\xab\x70\xe7\xf8\x60\xb0\x37\x98\x95\xcb\xde\xcb\xf7\xa0" "\xb7\xa2\x5e\x5b\x85\x3c\x7d\xbe\x08\xa4\xe2\x96\xa3\x0a\xfe\xc8\xcf" "\x5a\x9f\x6e\xa4\xae\xf3\x2a\x50\x86\x55\xd5\x39\xa7\x70\xb2\x1e\x66" "\x0c\x9e\xe1\xd7\x68\x8c\x56\xab\xeb\x7c\xf1\xaf\xcc\xc8\xd5\x97\x80" "\xcf\x26\x31\x25\x89\xe0\xc8\xe1\xbc\x00\xad\x7b\x13\x25\xcd\x9a\x5d" 
"\xd6\x92\x46\xe0\xb3\x34\x07\xc3\x81\xea\x09\x26\x51\x54\xae\xc2\x97" "\xe4\xcc\xdf\x97\x85\xa1\x04\x2a\x83\xe7\x7c\x13\xd4\xce\x43\x60\x78" "\x2f\x24\x28\xf9\x91\x6b\x5c\xd1\x23\xb0\x89\xeb\x68\x3d\x30\xc1\xe8" "\x95\xb9\x94\x4a\xa9\x05\xa1\xa5\xb5\x23\x01\xd8\xcc\x5e\x47\x41\x83" "\x4e\xad\x6e\xbd\xb5\xdc\x05\xc9\xc4\x9c\x5e\x88\x3e\x99\xd4\x0b\x98" "\x38\x03\x7b\xea\xf8\x76\x53\x4d\x74\x78\x56\x10\x3e\x59\xca\xf6\x26" "\x6f\xbb\xe7\x60\xb6\xef\x83\xd0\x04\x63\x4b\x74\xf1\x4f\x8e\xb4\xae" "\xf9\x3c\x4c\xc9\xcb\xbd\x78\xd8\x3d\x53\x2c\x70\xfe\xef\x51\xea\x3f" "\x17\x0b\x25\xd8\x1a\x6a\x9b\x07\x4b\xfc\xa7\xe9\xb3\x77\x1b\xf8\x35" "\x17\xe0\xdd\x9d\x06\x00\xf7\x0b\x86\xb2\x0f\x61\xfe\x36\x07\x6f\x8b" "\xad\xa3\x34\xb2\x39\x0f\xa9\x54\x97\x3b\xc9\x01\x61\x9a\x3c\xfd\x03" "\x93\x49\xcb\x32\x86\x25\xf4\x95\xab\x28\x8d\xbd\xd6\xdb\xfd\x02\x2c" "\x2a\x83\xf5\x9e\x0b\x99\x86\x19\xa1\x2e\x35\x89\x1b\x5a\xe9\xe8\x3a" "\x71\x76\x55\x07\xb4\xa5\x71\xcd\x22\x41\xe5\x88\x5c\x70\x52\x44\xc1" "\x02\x26\x88\xbe\xf7\xc5\x06\x5f\xbc\xf2\x19\xfc\x01\x75\x3a\xdb\x61" "\x1b\x3f\xbc\x09\x40\x3d\xcb\x10\xa4\xf9\x9d\x78\x86\x67\xef\xf7\x5f" "\xa2\x70\x74\xca\x84\x81\xa6\x33\x53\x0e\x26\x16\x3c\xcf\x7d\xad\xa0" "\x49\xd2\x3e\x71\x7e\x06\x7b\x6f\xa5\xb2\xf6\x52\xbc\x50\xab\xda\x9e" "\x7c\xcd\xc5\xf2\xf3\xc3\x5e\xcc\x2c\x44\x31\xc8\x19\xc9\x69\x1b\xe4" "\x42\x2e\x37\x97\x50\x77\x4e\x9f\x39\xda\xe0\x6f\x26\x42\x3c\x8a\x42" "\x78\x78\x9c\x9f\x31\x11\xb4\x3f\x6d\xd2\x5b\x0a\xd4\x7c\x4c\xc5\xfd" "\xa3\xf3\xed\x82\x07\x9c\x93\x66\xe0\xad\xce\xd8\x83\x48\x8f\x42\x9c" "\x1d\x7e\x1b\x35\x1f\xd0\xbb\x20\x4d\xd7\x97\x7e\xf2\x24\xc4\xdf\x6d" "\x7a\x5f\x76\x97\xbc\x65\x00\xa7\xd0\x3a\x8a\x91\x41\x54\x77\x9f\xa7" "\x09\x2b\xf1\xbe\x6b\xad\x40\x92\x36\x7c\xe5\xd2\x95\xa5\xd5\xd0\xe7" "\xc4\x69\xf3\x72\xca\x20\x11\xd6\x12\x63\x70\x25\xe8\x9f\x17\x8a\xe9" "\xad\xa0\xc5\xb7\x3b\xcb\x7d\x7c\x03\x4f\xf5\x95\x26\x3c\xd4\x21\x6e" "\x3c\x76\xba\x5f\x3d\x81\x93\x2a\x08\x8a\x90\xbf\x80\x43\xe8\x77\xe2" 
"\x99\xc6\x70\xef\x16\x22\xa0\x98\xd5\x51\x9d\x9a\xdc\x4e\xe7\xd4\xcd" "\x00\xe5\x93\x4a\x43\x75\xfa\x83\xfd\xb8\x12\x14\xb8\x92\x48\x2b\x31" "\xbd\xde\x59\xa7\x0a\xaf\x25\xcb\x7f\x41\x7c\x3a\x2a\x91\xc4\xe5\x4b" "\x48\x14\x9f\x6c\x41\xd9\xd3\x96\xee\x6f\xf1\x3e\x30\x28\xc6\x4a\x7c" "\x9b\x1f\x2e\x7c\x6e\x67\x18\x4a\x3d\x52\xd6\xf5\x70\xdb\x3d\x22\x5c" "\x94\x74\x23\xc4\xc6\x53\x3f\x22\xdf\x57\xd1\x5c\x5e\x5a\x31\x83\x42" "\x2b\xd3\x78\xb0\x6f\xe4\x73\x2a\x94\x01\xdc\xb1\x98\x40\xfb\x8f\xa5" "\xc5\x0a\x0f\xf4\x97\xfe\xf3\x62\xc5\x07\x75\x3e\x46\xb8\x88\x1d\x3e" "\x76\x7f\x3b\x1d\x89\x3a\x38\x05\x94\x1c\x94\xf2\xef\xa0\x5c\xe3\x4b" "\x9e\xa8\x1d\x71\x69\x84\xaf\x68\x34\x23\x0d\x47\x07\xa8\x70\x89\xd4" "\x07\x79\x50\x3e\xe6\xa9\xbb\x24\x5d\x7d\x99\x7f\x14\xac\xb8\x0e\x89" "\x73\x1c\x04\x2b\xbb\xbe\x3d\xcd\x05\x17\x7b\x0e\xe0\xee\xc2\x34\x55" "\x83\x0e\xf5\xb6\x5a\xca\x35\x7f\x2b\x0b\x88\x7e\x0b\x98\x21\xc0", 4096); *(uint64_t*)0x2000000003a8 = 0x1000; *(uint64_t*)0x2000000003b0 = 0x200000000340; memcpy((void*)0x200000000340, "\xb7\x68\xeb\x20\x30\x4f\x2f\xdc\x5a\x96\x94\xa4\x86\x78\x40\xd9" "\x31\x70\xca\x1a\x86\x40\x6f", 23); *(uint64_t*)0x2000000003b8 = 0xfffffec0; *(uint64_t*)0x2000000003d8 = 4; *(uint64_t*)0x2000000003e0 = 0; *(uint64_t*)0x2000000003e8 = 0; *(uint32_t*)0x2000000003f0 = 0x8010; syscall(__NR_sendmsg, /*fd=*/r[0], /*msg=*/0x2000000003c0ul, /*f=*/0ul); break; case 2: // dup2 arguments: [ // oldfd: fd (resource) // newfd: fd (resource) // ] // returns fd syscall(__NR_dup2, /*oldfd=*/r[1], /*newfd=*/r[0]); break; case 3: // setsockopt$sock_attach_bpf arguments: [ // fd: sock (resource) // level: const = 0x1 (4 bytes) // optname: const = 0x21 (4 bytes) // optval: ptr[in, fd_bpf_prog] { // fd_bpf_prog (resource) // } // optlen: len = 0x4 (8 bytes) // ] *(uint32_t*)0x200000000040 = -1; syscall(__NR_setsockopt, /*fd=*/r[0], /*level=*/1, /*optname=*/0x21, /*optval=*/0x200000000040ul, /*optlen=*/4ul); break; case 4: // sendmmsg arguments: [ // fd: sock 
(resource) // mmsg: ptr[in, array[send_mmsghdr]] { // array[send_mmsghdr] { // send_mmsghdr { // msg_hdr: send_msghdr { // msg_name: nil // msg_namelen: len = 0x0 (4 bytes) // pad = 0x0 (4 bytes) // msg_iov: nil // msg_iovlen: len = 0x0 (8 bytes) // msg_control: nil // msg_controllen: bytesize = 0x0 (8 bytes) // msg_flags: const = 0x0 (4 bytes) // pad = 0x0 (4 bytes) // } // msg_len: const = 0x0 (4 bytes) // pad = 0x0 (4 bytes) // } // send_mmsghdr { // msg_hdr: send_msghdr { // msg_name: nil // msg_namelen: len = 0x0 (4 bytes) // pad = 0x0 (4 bytes) // msg_iov: nil // msg_iovlen: len = 0x0 (8 bytes) // msg_control: nil // msg_controllen: bytesize = 0x0 (8 bytes) // msg_flags: const = 0x0 (4 bytes) // pad = 0x0 (4 bytes) // } // msg_len: const = 0x0 (4 bytes) // pad = 0x0 (4 bytes) // } // send_mmsghdr { // msg_hdr: send_msghdr { // msg_name: nil // msg_namelen: len = 0x0 (4 bytes) // pad = 0x0 (4 bytes) // msg_iov: nil // msg_iovlen: len = 0x0 (8 bytes) // msg_control: nil // msg_controllen: bytesize = 0x0 (8 bytes) // msg_flags: const = 0x0 (4 bytes) // pad = 0x0 (4 bytes) // } // msg_len: const = 0x0 (4 bytes) // pad = 0x0 (4 bytes) // } // send_mmsghdr { // msg_hdr: send_msghdr { // msg_name: nil // msg_namelen: len = 0x0 (4 bytes) // pad = 0x0 (4 bytes) // msg_iov: nil // msg_iovlen: len = 0x0 (8 bytes) // msg_control: nil // msg_controllen: bytesize = 0x0 (8 bytes) // msg_flags: const = 0x0 (4 bytes) // pad = 0x0 (4 bytes) // } // msg_len: const = 0x0 (4 bytes) // pad = 0x0 (4 bytes) // } // send_mmsghdr { // msg_hdr: send_msghdr { // msg_name: nil // msg_namelen: len = 0x0 (4 bytes) // pad = 0x0 (4 bytes) // msg_iov: nil // msg_iovlen: len = 0x0 (8 bytes) // msg_control: nil // msg_controllen: bytesize = 0x0 (8 bytes) // msg_flags: const = 0x0 (4 bytes) // pad = 0x0 (4 bytes) // } // msg_len: const = 0x0 (4 bytes) // pad = 0x0 (4 bytes) // } // send_mmsghdr { // msg_hdr: send_msghdr { // msg_name: nil // msg_namelen: len = 0x0 (4 bytes) // pad = 0x0 (4 
bytes) // msg_iov: nil // msg_iovlen: len = 0x0 (8 bytes) // msg_control: nil // msg_controllen: bytesize = 0x0 (8 bytes) // msg_flags: const = 0x0 (4 bytes) // pad = 0x0 (4 bytes) // } // msg_len: const = 0x0 (4 bytes) // pad = 0x0 (4 bytes) // } // send_mmsghdr { // msg_hdr: send_msghdr { // msg_name: nil // msg_namelen: len = 0x0 (4 bytes) // pad = 0x0 (4 bytes) // msg_iov: ptr[in, array[iovec[in, array[int8]]]] { // array[iovec[in, array[int8]]] { // iovec[in, array[int8]] { // addr: ptr[in, buffer] { // buffer: {65 c0 a8 19 3a e7 4a d1 51 35 d5 24 20 22 c1 // 56 90 ae f9 b9 7b a8 e3 c8 f8 94 b3 10 62 f3 de 0c 9d // 27 63 b7 e3 5b 04 0b 79 ed 00 1f 3d 76 ac a9 27 89 74 // f5 3f ee 3a fc ca 97 3c 85 05 7b f6 2b a7 40 73 81 45 // 2f 94 a4 8b 81 46 2a 58 6c 8e 41 07 66 fa a1 04 1b 5e // 61 e8 09 58 f5 ae cf 2b 55 65 aa a3 78 57 09 2d 28 14 // ec f4 83 d5 7c 98 52 1b f5 7e 05 7e 75 54 41 76 66 0e // 66 b9 e9 c1 a9 47 56 a5 8b 4f 42 7c 92 47 51 c6 fc 08 // ad 15 69 60 eb d2 33 e6 fa 4c 5a 79 7e 4e d7 9c 61 62 // 7e f8 79 11 a2} (length 0xa4) // } // len: len = 0xa4 (8 bytes) // } // iovec[in, array[int8]] { // addr: ptr[in, buffer] { // buffer: {b5 68 b9 43 ca cb 00 b4 3c d4 43 e4 51 cc d8 // db c5 80 21 22 7b cc e3 8b 1c be 53 d0 4c 35 da ee 08} // (length 0x21) // } // len: len = 0x21 (8 bytes) // } // iovec[in, array[int8]] { // addr: ptr[in, buffer] { // buffer: {2a 55 1a 1e 5f 95 5c 5a 43 4a 02 ee f4 cc 2e // 87 69 d1 a5 88 e7 71 71 68 a3 1c 7a 10 20 c6 8f 79 55 // 3c df 1e 07 ff 36 17 9e 72 27 75 aa ba 06 c1 2f 4a 13 // f3 82 fb eb 93 7d ca 4e 93 7f 8c c3 f6 59 ab fa 77 b6 // b2 79 70 91 b4 65 a3 e0 68 71 06 5e 60 24 6a a7 cb 03 // a3 fd 21 18 74 cb 62 fd bc 50 fd f8 86 ea fa d7 31 4a // aa 7e 7e 34 ef 3a 87 46 6e 9f 9a d6 1f a9 59 4d 89 6c // 77 34 4e 8c a7 97 14 1c 12} (length 0x84) // } // len: len = 0x84 (8 bytes) // } // iovec[in, array[int8]] { // addr: ptr[in, buffer] { // buffer: {41 fd 56 4f be aa ab 86 3d c3 48 e0 d0 7b 64 // 18 63 07 93 45 bf 50 ef 
a1 57 dc 9d 4e 82 d0 b3 ba 46 // 5d ef a8 3a 3f 66 9e 83 dc 6a 0e bd fc 82 88 72 2a 7f // 6d b6 92 36 34 d8 8b 3b 7f bd 9e e7 9d f1 d8 47 dc 70 // 55 34 01 06 ac 49 aa e0 eb f8 87 f0 29 96 20 79 84 7b // 61 05 43 75 f7 46 7b be 9a 93 f6 a3 9f 94 d0 cc 7a 77 // 60 88 c2 c1 50 5d} (length 0x6f) // } // len: len = 0x6f (8 bytes) // } // iovec[in, array[int8]] { // addr: ptr[in, buffer] { // buffer: {bc 3b fd 24 00 85 bc 6d 06 76 04 d6 64 64 88 // 53 24 f0 63 2b cf 6d 86 e8 e0 6b 1a 2a a9 2d d1 af 55 // a6 15 50 72 ed 6c ce 34 95 83 bf 05 1f 91 b3 5a a2 7d // f8 a8 97 97 06 b1 3f 33 71 74 1f 47 df f9 49 20 97 97 // 6e 79 a3 29 ae 93 13 8f 7e 3a 0b 69 7c 94 11 55 d8 e0 // c4 f8 37 97} (length 0x5b) // } // len: len = 0x5b (8 bytes) // } // iovec[in, array[int8]] { // addr: ptr[in, buffer] { // buffer: {e0 e2 03 7e c6 a3 67 ec 78 9a 75 30 40 15 8d // 52 6d 8d 64 08 8d d3 4e 94 2c 90 a4 db 71 05 2d 6b 79 // 10 74 85 a0 33 1d bb be 0a f6 a8 c3 d2 01 ee 8b ed ab // a7 44 14 3a 17 b2 79 be 45 c1 78 af 34 88 7c e4 a1 20 // 0f df 80 ab 5d e5 09 37 60 2a 5e d1 de af 76 0d b7 e5 // a2 b1 b9 cf 7c 5b 1f f8 16 72 29 b9 f4 b3 b3 2d 67 be // c1 52 16 b8 e5 86 f6 7d b1 18 ba 69 80 2a 72 b9 dd 06 // 31 ab 65 df 5b 1e 36 08 dc 81 fc d7 7b 2c 5e 18 d7 ec // e7 52 f3 28 f4 44 f4 82 61 8e d3 57 b3 12 a0 4d ab 25 // 62 13 eb 00 d1 c7 a9 bc c0 fd 4d dc 21 14 dc 46 db 25 // 29 d0 10 7d 73 8a 0e eb 75 56 c7 1f 4b 2c 0a f0 d7 95 // a0 83 ab 7d 95 69 8e 96 f6 d5 7a 16 7c 61 b8 a9 a2 00 // 8e cf c0 c5 08 30 97 14 7c 38 16 c2 e6 b3 7b 58 e6 b1 // eb 62 62 07 65 7b 08 b5 58 70 13 b8 d4 0f a0 b9 b9 ea // 46 87 b4 ca 52 66 5f ca 6f e6 57 84 81 6d d9 02 35 de // 16 97 2c 5f fd 99 2a e5 f2 73 93 d2 ef 56 49 3f fe 17 // b1 86 f5 f5 8a 07 74 28 54 62 c8 ea 69 70 c3 e2 71 3b // 44 09 eb 37 e9 2f 5b 39 df ea 09 1e ea 2b be bd 95 6b // 56 3c 3e 26 d0 d7 30 70 5d 73 36 fc 73 f1 20 c6 3d e1 // 88 81 89 81 e6 df 0c 81 50 b1 03 64 cd 5c f3 f7 24 42 // 6f b5 a1 f2 ae b2 56 67 55 f7 2a 61 1c a8 37 28 a3 ed // b5 
ae 2c 60 ed ed d7 8f df 44 06 1e 8f ee b7 0d d1 09 // ce fa 19 20 37 d5 20 58 74 86 c6 86 2d 83 14 3e 74 3f // e8 53 51 ff b5 fa bb 39 03 45 71 03 e5 b0 f4 02 95 71 // 00 66 6c bf 02 93 3a 11 2e 48 3f 9d 67 5b 9a 1d 96 65 // b8 05 a5 96 87 a3 b3 a8 62 9a 27 f5 14 66 07 e8 1d e2 // 37 b4 06 f6 b7 ad 83 42 b2 39 77 e2 ce 02 07 a5 f7 d9 // 23 26 7c ef d4 03 3a 00 77 12 d3 17 cc 0c 65 86 48 4b // 24 60 29 4c ea 24 c8 b6 d9 27 61 b4 2c 4f b5 f8 0f 26 // 75 26 f0 bc 8c 8b 2f b6 ee b2 ee 5f 4a 82 54 ee f3 c2 // e3 a1 f9 41 40 5a 30 ac ef d1 fa 42 e5 80 3e bd 8a df // c3 bd 1d d0 18 a9 50 2c 85 6d d1 eb f9 ce 9b a8 a3 35 // 57 90 82 24 02 34 57 81 c7 ca b3 83 13 b7 b1 fd ba 3d // f7 a0 d4 d2 d1 50 7b a9 b7 f4 68 94 0b 39 9e ca d1 03 // ca bc a8 2b e8 75 f9 80 55 3c c2 66 3e 55 d1 5a c0 fc // 84 f7 90 03 e1 32 97 89 23 5b 94 c0 70 3a d5 a1 48 6a // 46 5e ac c0 a4 d4 23 bf ee c5 1a cd ef ad 62 a4 29 cf // bf 4a c8 13 bb 91 cf 6c 5d 9d 3d 15 a7 d6 66 ad 2e 71 // 24 7d 76 49 7d b0 d1 94 aa 32 47 bb 2a 14 b4 9f 7f 70 // 5d b4 69 17 d8 95 78 f7 46 ee 3e 95 06 00 f0 7e 13 80 // a3 8d e2 6a 1e 5f 00 07 ce 26 62 40 a1 58 a0 79 45 62 // 07 54 ea 14 36 02 cd 32 d9 e2 5a 8a 25 5e 34 c1 2a fb // ea ec 5b 84 b4 50 46 88 16 db 4d 22 38 35 2a b7 0c 37 // 4d f1 08 e5 5e 76 29 0b 39 a5 fc b5 4c 8b 84 3d cc 29 // 82 1e 11 eb 7c b8 dc d7 b7 39 a7 c6 48 8f e3 f5 00 ea // 58 82 59 da 77 74 58 bd bb e8 56 91 d2 88 11 a6 45 47 // ee 22 f4 40 f6 33 92 ff 5c cc 85 6c 1f bd 4e 5c d6 00 // 24 ab ea b0 00 96 dc d7 44 f8 3b 80 b4 f9 0a c8 82 04 // 64 19 07 67 87 2b 56 52 bd 55 ac ed d3 7f 2b 38 98 9b // 63 fc e8 bc 2f 3b fe d7 cb 43 c0 53 54 73 ed 33 4b 5c // 62 35 25 d8 59 58 ed 4b a3 5a 6c 95 97 d9 ca 5b 72 bf // d0 a3 a3 25 48 b5 de 8f ff e2 7c 83 31 70 0a 2e d4 33 // 7b 59 40 1c be ff 0f 2f 82 ef 33 9b 7e c5 97 30 57 4d // 8d 3a f3 74 2e 79 ad 4a 0c c4 8b ce 74 b6 70 cc 07 63 // 52} (length 0x3ca) // } // len: len = 0x3ca (8 bytes) // } // } // } // msg_iovlen: len = 0x6 (8 bytes) // msg_control: 
nil // msg_controllen: bytesize = 0x0 (8 bytes) // msg_flags: const = 0x0 (4 bytes) // pad = 0x0 (4 bytes) // } // msg_len: const = 0x0 (4 bytes) // pad = 0x0 (4 bytes) // } // } // } // vlen: len = 0x7 (8 bytes) // f: send_flags = 0x200000d1 (8 bytes) // ] *(uint64_t*)0x200000002740 = 0; *(uint32_t*)0x200000002748 = 0; *(uint64_t*)0x200000002750 = 0; *(uint64_t*)0x200000002758 = 0; *(uint64_t*)0x200000002760 = 0; *(uint64_t*)0x200000002768 = 0; *(uint32_t*)0x200000002770 = 0; *(uint32_t*)0x200000002778 = 0; *(uint64_t*)0x200000002780 = 0; *(uint32_t*)0x200000002788 = 0; *(uint64_t*)0x200000002790 = 0; *(uint64_t*)0x200000002798 = 0; *(uint64_t*)0x2000000027a0 = 0; *(uint64_t*)0x2000000027a8 = 0; *(uint32_t*)0x2000000027b0 = 0; *(uint32_t*)0x2000000027b8 = 0; *(uint64_t*)0x2000000027c0 = 0; *(uint32_t*)0x2000000027c8 = 0; *(uint64_t*)0x2000000027d0 = 0; *(uint64_t*)0x2000000027d8 = 0; *(uint64_t*)0x2000000027e0 = 0; *(uint64_t*)0x2000000027e8 = 0; *(uint32_t*)0x2000000027f0 = 0; *(uint32_t*)0x2000000027f8 = 0; *(uint64_t*)0x200000002800 = 0; *(uint32_t*)0x200000002808 = 0; *(uint64_t*)0x200000002810 = 0; *(uint64_t*)0x200000002818 = 0; *(uint64_t*)0x200000002820 = 0; *(uint64_t*)0x200000002828 = 0; *(uint32_t*)0x200000002830 = 0; *(uint32_t*)0x200000002838 = 0; *(uint64_t*)0x200000002840 = 0; *(uint32_t*)0x200000002848 = 0; *(uint64_t*)0x200000002850 = 0; *(uint64_t*)0x200000002858 = 0; *(uint64_t*)0x200000002860 = 0; *(uint64_t*)0x200000002868 = 0; *(uint32_t*)0x200000002870 = 0; *(uint32_t*)0x200000002878 = 0; *(uint64_t*)0x200000002880 = 0; *(uint32_t*)0x200000002888 = 0; *(uint64_t*)0x200000002890 = 0; *(uint64_t*)0x200000002898 = 0; *(uint64_t*)0x2000000028a0 = 0; *(uint64_t*)0x2000000028a8 = 0; *(uint32_t*)0x2000000028b0 = 0; *(uint32_t*)0x2000000028b8 = 0; *(uint64_t*)0x2000000028c0 = 0; *(uint32_t*)0x2000000028c8 = 0; *(uint64_t*)0x2000000028d0 = 0x2000000026c0; *(uint64_t*)0x2000000026c0 = 0x2000000001c0; memcpy( (void*)0x2000000001c0, 
"\x65\xc0\xa8\x19\x3a\xe7\x4a\xd1\x51\x35\xd5\x24\x20\x22\xc1\x56\x90" "\xae\xf9\xb9\x7b\xa8\xe3\xc8\xf8\x94\xb3\x10\x62\xf3\xde\x0c\x9d\x27" "\x63\xb7\xe3\x5b\x04\x0b\x79\xed\x00\x1f\x3d\x76\xac\xa9\x27\x89\x74" "\xf5\x3f\xee\x3a\xfc\xca\x97\x3c\x85\x05\x7b\xf6\x2b\xa7\x40\x73\x81" "\x45\x2f\x94\xa4\x8b\x81\x46\x2a\x58\x6c\x8e\x41\x07\x66\xfa\xa1\x04" "\x1b\x5e\x61\xe8\x09\x58\xf5\xae\xcf\x2b\x55\x65\xaa\xa3\x78\x57\x09" "\x2d\x28\x14\xec\xf4\x83\xd5\x7c\x98\x52\x1b\xf5\x7e\x05\x7e\x75\x54" "\x41\x76\x66\x0e\x66\xb9\xe9\xc1\xa9\x47\x56\xa5\x8b\x4f\x42\x7c\x92" "\x47\x51\xc6\xfc\x08\xad\x15\x69\x60\xeb\xd2\x33\xe6\xfa\x4c\x5a\x79" "\x7e\x4e\xd7\x9c\x61\x62\x7e\xf8\x79\x11\xa2", 164); *(uint64_t*)0x2000000026c8 = 0xa4; *(uint64_t*)0x2000000026d0 = 0x200000000100; memcpy( (void*)0x200000000100, "\xb5\x68\xb9\x43\xca\xcb\x00\xb4\x3c\xd4\x43\xe4\x51\xcc\xd8\xdb\xc5" "\x80\x21\x22\x7b\xcc\xe3\x8b\x1c\xbe\x53\xd0\x4c\x35\xda\xee\x08", 33); *(uint64_t*)0x2000000026d8 = 0x21; *(uint64_t*)0x2000000026e0 = 0x200000000540; memcpy( (void*)0x200000000540, "\x2a\x55\x1a\x1e\x5f\x95\x5c\x5a\x43\x4a\x02\xee\xf4\xcc\x2e\x87\x69" "\xd1\xa5\x88\xe7\x71\x71\x68\xa3\x1c\x7a\x10\x20\xc6\x8f\x79\x55\x3c" "\xdf\x1e\x07\xff\x36\x17\x9e\x72\x27\x75\xaa\xba\x06\xc1\x2f\x4a\x13" "\xf3\x82\xfb\xeb\x93\x7d\xca\x4e\x93\x7f\x8c\xc3\xf6\x59\xab\xfa\x77" "\xb6\xb2\x79\x70\x91\xb4\x65\xa3\xe0\x68\x71\x06\x5e\x60\x24\x6a\xa7" "\xcb\x03\xa3\xfd\x21\x18\x74\xcb\x62\xfd\xbc\x50\xfd\xf8\x86\xea\xfa" "\xd7\x31\x4a\xaa\x7e\x7e\x34\xef\x3a\x87\x46\x6e\x9f\x9a\xd6\x1f\xa9" "\x59\x4d\x89\x6c\x77\x34\x4e\x8c\xa7\x97\x14\x1c\x12", 132); *(uint64_t*)0x2000000026e8 = 0x84; *(uint64_t*)0x2000000026f0 = 0x200000000280; memcpy((void*)0x200000000280, "\x41\xfd\x56\x4f\xbe\xaa\xab\x86\x3d\xc3\x48\xe0\xd0\x7b\x64\x18" "\x63\x07\x93\x45\xbf\x50\xef\xa1\x57\xdc\x9d\x4e\x82\xd0\xb3\xba" "\x46\x5d\xef\xa8\x3a\x3f\x66\x9e\x83\xdc\x6a\x0e\xbd\xfc\x82\x88" "\x72\x2a\x7f\x6d\xb6\x92\x36\x34\xd8\x8b\x3b\x7f\xbd\x9e\xe7\x9d" 
"\xf1\xd8\x47\xdc\x70\x55\x34\x01\x06\xac\x49\xaa\xe0\xeb\xf8\x87" "\xf0\x29\x96\x20\x79\x84\x7b\x61\x05\x43\x75\xf7\x46\x7b\xbe\x9a" "\x93\xf6\xa3\x9f\x94\xd0\xcc\x7a\x77\x60\x88\xc2\xc1\x50\x5d", 111); *(uint64_t*)0x2000000026f8 = 0x6f; *(uint64_t*)0x200000002700 = 0x200000000400; memcpy((void*)0x200000000400, "\xbc\x3b\xfd\x24\x00\x85\xbc\x6d\x06\x76\x04\xd6\x64\x64\x88\x53" "\x24\xf0\x63\x2b\xcf\x6d\x86\xe8\xe0\x6b\x1a\x2a\xa9\x2d\xd1\xaf" "\x55\xa6\x15\x50\x72\xed\x6c\xce\x34\x95\x83\xbf\x05\x1f\x91\xb3" "\x5a\xa2\x7d\xf8\xa8\x97\x97\x06\xb1\x3f\x33\x71\x74\x1f\x47\xdf" "\xf9\x49\x20\x97\x97\x6e\x79\xa3\x29\xae\x93\x13\x8f\x7e\x3a\x0b" "\x69\x7c\x94\x11\x55\xd8\xe0\xc4\xf8\x37\x97", 91); *(uint64_t*)0x200000002708 = 0x5b; *(uint64_t*)0x200000002710 = 0x200000000600; memcpy( (void*)0x200000000600, "\xe0\xe2\x03\x7e\xc6\xa3\x67\xec\x78\x9a\x75\x30\x40\x15\x8d\x52\x6d" "\x8d\x64\x08\x8d\xd3\x4e\x94\x2c\x90\xa4\xdb\x71\x05\x2d\x6b\x79\x10" "\x74\x85\xa0\x33\x1d\xbb\xbe\x0a\xf6\xa8\xc3\xd2\x01\xee\x8b\xed\xab" "\xa7\x44\x14\x3a\x17\xb2\x79\xbe\x45\xc1\x78\xaf\x34\x88\x7c\xe4\xa1" "\x20\x0f\xdf\x80\xab\x5d\xe5\x09\x37\x60\x2a\x5e\xd1\xde\xaf\x76\x0d" "\xb7\xe5\xa2\xb1\xb9\xcf\x7c\x5b\x1f\xf8\x16\x72\x29\xb9\xf4\xb3\xb3" "\x2d\x67\xbe\xc1\x52\x16\xb8\xe5\x86\xf6\x7d\xb1\x18\xba\x69\x80\x2a" "\x72\xb9\xdd\x06\x31\xab\x65\xdf\x5b\x1e\x36\x08\xdc\x81\xfc\xd7\x7b" "\x2c\x5e\x18\xd7\xec\xe7\x52\xf3\x28\xf4\x44\xf4\x82\x61\x8e\xd3\x57" "\xb3\x12\xa0\x4d\xab\x25\x62\x13\xeb\x00\xd1\xc7\xa9\xbc\xc0\xfd\x4d" "\xdc\x21\x14\xdc\x46\xdb\x25\x29\xd0\x10\x7d\x73\x8a\x0e\xeb\x75\x56" "\xc7\x1f\x4b\x2c\x0a\xf0\xd7\x95\xa0\x83\xab\x7d\x95\x69\x8e\x96\xf6" "\xd5\x7a\x16\x7c\x61\xb8\xa9\xa2\x00\x8e\xcf\xc0\xc5\x08\x30\x97\x14" "\x7c\x38\x16\xc2\xe6\xb3\x7b\x58\xe6\xb1\xeb\x62\x62\x07\x65\x7b\x08" "\xb5\x58\x70\x13\xb8\xd4\x0f\xa0\xb9\xb9\xea\x46\x87\xb4\xca\x52\x66" "\x5f\xca\x6f\xe6\x57\x84\x81\x6d\xd9\x02\x35\xde\x16\x97\x2c\x5f\xfd" 
"\x99\x2a\xe5\xf2\x73\x93\xd2\xef\x56\x49\x3f\xfe\x17\xb1\x86\xf5\xf5" "\x8a\x07\x74\x28\x54\x62\xc8\xea\x69\x70\xc3\xe2\x71\x3b\x44\x09\xeb" "\x37\xe9\x2f\x5b\x39\xdf\xea\x09\x1e\xea\x2b\xbe\xbd\x95\x6b\x56\x3c" "\x3e\x26\xd0\xd7\x30\x70\x5d\x73\x36\xfc\x73\xf1\x20\xc6\x3d\xe1\x88" "\x81\x89\x81\xe6\xdf\x0c\x81\x50\xb1\x03\x64\xcd\x5c\xf3\xf7\x24\x42" "\x6f\xb5\xa1\xf2\xae\xb2\x56\x67\x55\xf7\x2a\x61\x1c\xa8\x37\x28\xa3" "\xed\xb5\xae\x2c\x60\xed\xed\xd7\x8f\xdf\x44\x06\x1e\x8f\xee\xb7\x0d" "\xd1\x09\xce\xfa\x19\x20\x37\xd5\x20\x58\x74\x86\xc6\x86\x2d\x83\x14" "\x3e\x74\x3f\xe8\x53\x51\xff\xb5\xfa\xbb\x39\x03\x45\x71\x03\xe5\xb0" "\xf4\x02\x95\x71\x00\x66\x6c\xbf\x02\x93\x3a\x11\x2e\x48\x3f\x9d\x67" "\x5b\x9a\x1d\x96\x65\xb8\x05\xa5\x96\x87\xa3\xb3\xa8\x62\x9a\x27\xf5" "\x14\x66\x07\xe8\x1d\xe2\x37\xb4\x06\xf6\xb7\xad\x83\x42\xb2\x39\x77" "\xe2\xce\x02\x07\xa5\xf7\xd9\x23\x26\x7c\xef\xd4\x03\x3a\x00\x77\x12" "\xd3\x17\xcc\x0c\x65\x86\x48\x4b\x24\x60\x29\x4c\xea\x24\xc8\xb6\xd9" "\x27\x61\xb4\x2c\x4f\xb5\xf8\x0f\x26\x75\x26\xf0\xbc\x8c\x8b\x2f\xb6" "\xee\xb2\xee\x5f\x4a\x82\x54\xee\xf3\xc2\xe3\xa1\xf9\x41\x40\x5a\x30" "\xac\xef\xd1\xfa\x42\xe5\x80\x3e\xbd\x8a\xdf\xc3\xbd\x1d\xd0\x18\xa9" "\x50\x2c\x85\x6d\xd1\xeb\xf9\xce\x9b\xa8\xa3\x35\x57\x90\x82\x24\x02" "\x34\x57\x81\xc7\xca\xb3\x83\x13\xb7\xb1\xfd\xba\x3d\xf7\xa0\xd4\xd2" "\xd1\x50\x7b\xa9\xb7\xf4\x68\x94\x0b\x39\x9e\xca\xd1\x03\xca\xbc\xa8" "\x2b\xe8\x75\xf9\x80\x55\x3c\xc2\x66\x3e\x55\xd1\x5a\xc0\xfc\x84\xf7" "\x90\x03\xe1\x32\x97\x89\x23\x5b\x94\xc0\x70\x3a\xd5\xa1\x48\x6a\x46" "\x5e\xac\xc0\xa4\xd4\x23\xbf\xee\xc5\x1a\xcd\xef\xad\x62\xa4\x29\xcf" "\xbf\x4a\xc8\x13\xbb\x91\xcf\x6c\x5d\x9d\x3d\x15\xa7\xd6\x66\xad\x2e" "\x71\x24\x7d\x76\x49\x7d\xb0\xd1\x94\xaa\x32\x47\xbb\x2a\x14\xb4\x9f" "\x7f\x70\x5d\xb4\x69\x17\xd8\x95\x78\xf7\x46\xee\x3e\x95\x06\x00\xf0" "\x7e\x13\x80\xa3\x8d\xe2\x6a\x1e\x5f\x00\x07\xce\x26\x62\x40\xa1\x58" "\xa0\x79\x45\x62\x07\x54\xea\x14\x36\x02\xcd\x32\xd9\xe2\x5a\x8a\x25" 
"\x5e\x34\xc1\x2a\xfb\xea\xec\x5b\x84\xb4\x50\x46\x88\x16\xdb\x4d\x22" "\x38\x35\x2a\xb7\x0c\x37\x4d\xf1\x08\xe5\x5e\x76\x29\x0b\x39\xa5\xfc" "\xb5\x4c\x8b\x84\x3d\xcc\x29\x82\x1e\x11\xeb\x7c\xb8\xdc\xd7\xb7\x39" "\xa7\xc6\x48\x8f\xe3\xf5\x00\xea\x58\x82\x59\xda\x77\x74\x58\xbd\xbb" "\xe8\x56\x91\xd2\x88\x11\xa6\x45\x47\xee\x22\xf4\x40\xf6\x33\x92\xff" "\x5c\xcc\x85\x6c\x1f\xbd\x4e\x5c\xd6\x00\x24\xab\xea\xb0\x00\x96\xdc" "\xd7\x44\xf8\x3b\x80\xb4\xf9\x0a\xc8\x82\x04\x64\x19\x07\x67\x87\x2b" "\x56\x52\xbd\x55\xac\xed\xd3\x7f\x2b\x38\x98\x9b\x63\xfc\xe8\xbc\x2f" "\x3b\xfe\xd7\xcb\x43\xc0\x53\x54\x73\xed\x33\x4b\x5c\x62\x35\x25\xd8" "\x59\x58\xed\x4b\xa3\x5a\x6c\x95\x97\xd9\xca\x5b\x72\xbf\xd0\xa3\xa3" "\x25\x48\xb5\xde\x8f\xff\xe2\x7c\x83\x31\x70\x0a\x2e\xd4\x33\x7b\x59" "\x40\x1c\xbe\xff\x0f\x2f\x82\xef\x33\x9b\x7e\xc5\x97\x30\x57\x4d\x8d" "\x3a\xf3\x74\x2e\x79\xad\x4a\x0c\xc4\x8b\xce\x74\xb6\x70\xcc\x07\x63" "\x52", 970); *(uint64_t*)0x200000002718 = 0x3ca; *(uint64_t*)0x2000000028d8 = 6; *(uint64_t*)0x2000000028e0 = 0; *(uint64_t*)0x2000000028e8 = 0; *(uint32_t*)0x2000000028f0 = 0; *(uint32_t*)0x2000000028f8 = 0; syscall( __NR_sendmmsg, /*fd=*/r[0], /*mmsg=*/0x200000002740ul, /*vlen=*/7ul, /*f=MSG_FASTOPEN|MSG_PROBE|MSG_OOB|MSG_EOR|MSG_DONTWAIT*/ 0x200000d1ul); break; case 5: // sendmmsg arguments: [ // fd: sock (resource) // mmsg: ptr[in, array[send_mmsghdr]] { // array[send_mmsghdr] { // send_mmsghdr { // msg_hdr: send_msghdr { // msg_name: nil // msg_namelen: len = 0x0 (4 bytes) // pad = 0x0 (4 bytes) // msg_iov: nil // msg_iovlen: len = 0x0 (8 bytes) // msg_control: nil // msg_controllen: bytesize = 0x0 (8 bytes) // msg_flags: const = 0x0 (4 bytes) // pad = 0x0 (4 bytes) // } // msg_len: const = 0x0 (4 bytes) // pad = 0x0 (4 bytes) // } // send_mmsghdr { // msg_hdr: send_msghdr { // msg_name: nil // msg_namelen: len = 0x0 (4 bytes) // pad = 0x0 (4 bytes) // msg_iov: nil // msg_iovlen: len = 0x0 (8 bytes) // msg_control: nil // msg_controllen: bytesize = 0x0 
(8 bytes) // msg_flags: const = 0x0 (4 bytes) // pad = 0x0 (4 bytes) // } // msg_len: const = 0x0 (4 bytes) // pad = 0x0 (4 bytes) // } // send_mmsghdr { // msg_hdr: send_msghdr { // msg_name: nil // msg_namelen: len = 0x0 (4 bytes) // pad = 0x0 (4 bytes) // msg_iov: nil // msg_iovlen: len = 0x0 (8 bytes) // msg_control: nil // msg_controllen: bytesize = 0x0 (8 bytes) // msg_flags: const = 0x0 (4 bytes) // pad = 0x0 (4 bytes) // } // msg_len: const = 0x0 (4 bytes) // pad = 0x0 (4 bytes) // } // send_mmsghdr { // msg_hdr: send_msghdr { // msg_name: nil // msg_namelen: len = 0x0 (4 bytes) // pad = 0x0 (4 bytes) // msg_iov: nil // msg_iovlen: len = 0x0 (8 bytes) // msg_control: nil // msg_controllen: bytesize = 0x0 (8 bytes) // msg_flags: const = 0x0 (4 bytes) // pad = 0x0 (4 bytes) // } // msg_len: const = 0x0 (4 bytes) // pad = 0x0 (4 bytes) // } // send_mmsghdr { // msg_hdr: send_msghdr { // msg_name: nil // msg_namelen: len = 0x0 (4 bytes) // pad = 0x0 (4 bytes) // msg_iov: nil // msg_iovlen: len = 0x0 (8 bytes) // msg_control: nil // msg_controllen: bytesize = 0x0 (8 bytes) // msg_flags: const = 0x0 (4 bytes) // pad = 0x0 (4 bytes) // } // msg_len: const = 0x0 (4 bytes) // pad = 0x0 (4 bytes) // } // send_mmsghdr { // msg_hdr: send_msghdr { // msg_name: nil // msg_namelen: len = 0x0 (4 bytes) // pad = 0x0 (4 bytes) // msg_iov: nil // msg_iovlen: len = 0x0 (8 bytes) // msg_control: nil // msg_controllen: bytesize = 0x0 (8 bytes) // msg_flags: const = 0x0 (4 bytes) // pad = 0x0 (4 bytes) // } // msg_len: const = 0x0 (4 bytes) // pad = 0x0 (4 bytes) // } // send_mmsghdr { // msg_hdr: send_msghdr { // msg_name: nil // msg_namelen: len = 0x0 (4 bytes) // pad = 0x0 (4 bytes) // msg_iov: nil // msg_iovlen: len = 0x0 (8 bytes) // msg_control: nil // msg_controllen: bytesize = 0x0 (8 bytes) // msg_flags: const = 0x0 (4 bytes) // pad = 0x0 (4 bytes) // } // msg_len: const = 0x0 (4 bytes) // pad = 0x0 (4 bytes) // } // } // } // vlen: len = 0x7 (8 bytes) // f: send_flags = 
0x200000d1 (8 bytes) // ] *(uint64_t*)0x200000002740 = 0; *(uint32_t*)0x200000002748 = 0; *(uint64_t*)0x200000002750 = 0; *(uint64_t*)0x200000002758 = 0; *(uint64_t*)0x200000002760 = 0; *(uint64_t*)0x200000002768 = 0; *(uint32_t*)0x200000002770 = 0; *(uint32_t*)0x200000002778 = 0; *(uint64_t*)0x200000002780 = 0; *(uint32_t*)0x200000002788 = 0; *(uint64_t*)0x200000002790 = 0; *(uint64_t*)0x200000002798 = 0; *(uint64_t*)0x2000000027a0 = 0; *(uint64_t*)0x2000000027a8 = 0; *(uint32_t*)0x2000000027b0 = 0; *(uint32_t*)0x2000000027b8 = 0; *(uint64_t*)0x2000000027c0 = 0; *(uint32_t*)0x2000000027c8 = 0; *(uint64_t*)0x2000000027d0 = 0; *(uint64_t*)0x2000000027d8 = 0; *(uint64_t*)0x2000000027e0 = 0; *(uint64_t*)0x2000000027e8 = 0; *(uint32_t*)0x2000000027f0 = 0; *(uint32_t*)0x2000000027f8 = 0; *(uint64_t*)0x200000002800 = 0; *(uint32_t*)0x200000002808 = 0; *(uint64_t*)0x200000002810 = 0; *(uint64_t*)0x200000002818 = 0; *(uint64_t*)0x200000002820 = 0; *(uint64_t*)0x200000002828 = 0; *(uint32_t*)0x200000002830 = 0; *(uint32_t*)0x200000002838 = 0; *(uint64_t*)0x200000002840 = 0; *(uint32_t*)0x200000002848 = 0; *(uint64_t*)0x200000002850 = 0; *(uint64_t*)0x200000002858 = 0; *(uint64_t*)0x200000002860 = 0; *(uint64_t*)0x200000002868 = 0; *(uint32_t*)0x200000002870 = 0; *(uint32_t*)0x200000002878 = 0; *(uint64_t*)0x200000002880 = 0; *(uint32_t*)0x200000002888 = 0; *(uint64_t*)0x200000002890 = 0; *(uint64_t*)0x200000002898 = 0; *(uint64_t*)0x2000000028a0 = 0; *(uint64_t*)0x2000000028a8 = 0; *(uint32_t*)0x2000000028b0 = 0; *(uint32_t*)0x2000000028b8 = 0; *(uint64_t*)0x2000000028c0 = 0; *(uint32_t*)0x2000000028c8 = 0; *(uint64_t*)0x2000000028d0 = 0; *(uint64_t*)0x2000000028d8 = 0; *(uint64_t*)0x2000000028e0 = 0; *(uint64_t*)0x2000000028e8 = 0; *(uint32_t*)0x2000000028f0 = 0; *(uint32_t*)0x2000000028f8 = 0; syscall( __NR_sendmmsg, /*fd=*/r[0], /*mmsg=*/0x200000002740ul, /*vlen=*/7ul, /*f=MSG_FASTOPEN|MSG_PROBE|MSG_OOB|MSG_EOR|MSG_DONTWAIT*/ 0x200000d1ul); break; } } int main(void) { 
/* Body of main() for this syzkaller-generated reproducer (the `int main(void) {`
 * line precedes this block).  Steps, in order:
 *   1. map the fixed scratch arena that the syscall program pokes its
 *      arguments into (addresses 0x2000000000xx.. used above), with an
 *      inaccessible (prot 0) page on either side — presumably guards;
 *   2. run the environment setup helpers, printing a warning (but not
 *      aborting) when an optional one reports a failure reason;
 *   3. fork 5 worker processes that each run the syscall program in a fresh
 *      temporary directory;
 *   4. park the parent in a very long sleep.
 * Return values of the raw mmap syscalls and of fork() are not checked,
 * matching the generated harness. */
  /* Fixed mappings: {addr, len, prot}; flags are MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE (0x32). */
  struct { unsigned long addr, len, prot; } const arena[] = {
    { 0x1ffffffff000ul, 0x1000ul,    0ul }, /* prot 0 page just below the arena */
    { 0x200000000000ul, 0x1000000ul, 7ul }, /* PROT_WRITE|PROT_READ|PROT_EXEC arena (RWX, as generated) */
    { 0x200001000000ul, 0x1000ul,    0ul }, /* prot 0 page just above the arena */
  };
  for (size_t k = 0; k < sizeof arena / sizeof arena[0]; k++) {
    syscall(__NR_mmap, arena[k].addr, arena[k].len, arena[k].prot,
            /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul,
            /*fd=*/(intptr_t)-1, /*offset=*/0ul);
  }

  setup_sysctl();
  setup_cgroups();

  /* Each optional setup helper returns NULL on success or a human-readable
   * reason on failure; a failure only degrades the reproducer, so warn and go on. */
  const char *why = setup_binfmt_misc();
  if (why) {
    printf("the reproducer may not work as expected: binfmt_misc setup failed: %s\n", why);
  }
  why = setup_usb();
  if (why) {
    printf("the reproducer may not work as expected: USB injection setup failed: %s\n", why);
  }
  why = setup_swap();
  if (why) {
    printf("the reproducer may not work as expected: swap setup failed: %s\n", why);
  }

  /* Spawn 5 workers.  `procid` is the file-scope counter the workers read.
   * Note: a child that returns from do_sandbox_none() keeps iterating this
   * loop and forks further workers of its own — that is the original
   * control flow, preserved here. */
  procid = 0;
  while (procid < 5) {
    pid_t child = fork();
    if (child == 0) {
      use_temporary_dir();   /* mkdtemp + chdir into a private scratch dir */
      do_sandbox_none();     /* runs the syscall program; sandboxing mode per its name — unverified here */
    }
    procid++;
  }

  /* Keep the parent alive while the workers run (~11.5 days). */
  sleep(1000000);
  return 0;
}