// https://syzkaller.appspot.com/bug?id=846e8b9d5141983e8106867783c28aa70b0342f1 // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include unsigned long long procid; #define BITMASK(bf_off, bf_len) (((1ull << (bf_len)) - 1) << (bf_off)) #define STORE_BY_BITMASK(type, htobe, addr, val, bf_off, bf_len) \ *(type*)(addr) = \ htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | \ (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len)))) static bool write_file(const char* file, const char* what, ...) { char buf[1024]; va_list args; va_start(args, what); vsnprintf(buf, sizeof(buf), what, args); va_end(args); buf[sizeof(buf) - 1] = 0; int len = strlen(buf); int fd = open(file, O_WRONLY | O_CLOEXEC); if (fd == -1) return false; if (write(fd, buf, len) != len) { int err = errno; close(fd); errno = err; return false; } close(fd); return true; } struct nlmsg { char* pos; int nesting; struct nlattr* nested[8]; char buf[1024]; }; static struct nlmsg nlmsg; static void netlink_init(struct nlmsg* nlmsg, int typ, int flags, const void* data, int size) { memset(nlmsg, 0, sizeof(*nlmsg)); struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf; hdr->nlmsg_type = typ; hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags; memcpy(hdr + 1, data, size); nlmsg->pos = (char*)(hdr + 1) + NLMSG_ALIGN(size); } static void netlink_attr(struct nlmsg* nlmsg, int typ, const void* data, int size) { struct nlattr* attr = (struct nlattr*)nlmsg->pos; attr->nla_len = sizeof(*attr) + size; attr->nla_type = typ; memcpy(attr + 1, data, size); nlmsg->pos += NLMSG_ALIGN(attr->nla_len); } static void 
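netlink_nest(struct nlmsg* nlmsg, int typ)
{
  // Opens a nested attribute of type typ: writes its header at the cursor and
  // pushes it on the nesting stack. nla_len stays unset until netlink_done.
  // NOTE(review): nested[] has 8 slots and the index is not range-checked.
  struct nlattr* attr = (struct nlattr*)nlmsg->pos;
  attr->nla_type = typ;
  nlmsg->pos += sizeof(*attr);
  nlmsg->nested[nlmsg->nesting++] = attr;
}

// Closes the innermost open nested attribute: its nla_len becomes the distance
// from its header to the current cursor.
static void netlink_done(struct nlmsg* nlmsg)
{
  struct nlattr* attr = nlmsg->nested[--nlmsg->nesting];
  attr->nla_len = nlmsg->pos - (char*)attr;
}

// Finalises the request in nlmsg, sends it on sock and reads one reply into the
// same buffer.
//
// Returns 0 when the reply is NLMSG_DONE, or when reply_len is non-NULL and the
// reply type equals reply_type (then *reply_len is the number of bytes
// received). Otherwise the reply must be an NLMSG_ERROR message and the
// negated nlmsgerr.error field is returned (0 for a plain ack).
// Exits the process with status 1 on a buffer overrun or unbalanced nesting in
// the request, on a short or failed send, on a short or failed receive, and on
// an unexpected reply type.
static int netlink_send_ext(struct nlmsg* nlmsg, int sock, uint16_t reply_type, int* reply_len)
{
  if (nlmsg->pos > nlmsg->buf + sizeof(nlmsg->buf) || nlmsg->nesting)
    exit(1);
  struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf;
  hdr->nlmsg_len = nlmsg->pos - nlmsg->buf;
  struct sockaddr_nl addr;
  memset(&addr, 0, sizeof(addr));
  addr.nl_family = AF_NETLINK;
  // Signed result: a failed call returns -1 and must not be read as a huge
  // unsigned length.
  ssize_t n = sendto(sock, nlmsg->buf, hdr->nlmsg_len, 0, (struct sockaddr*)&addr, sizeof(addr));
  if (n < 0 || (size_t)n != hdr->nlmsg_len)
    exit(1);
  n = recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0);
  // Validate the length before looking at the header: after a failed or short
  // read the buffer still holds (part of) the request that was just sent.
  if (n < 0 || (size_t)n < sizeof(struct nlmsghdr))
    exit(1);
  if (hdr->nlmsg_type == NLMSG_DONE) {
    // reply_len is NULL when called through netlink_send.
    if (reply_len)
      *reply_len = 0;
    return 0;
  }
  if (reply_len && hdr->nlmsg_type == reply_type) {
    *reply_len = n;
    return 0;
  }
  if ((size_t)n < sizeof(struct nlmsghdr) + sizeof(struct nlmsgerr))
    exit(1);
  if (hdr->nlmsg_type != NLMSG_ERROR)
    exit(1);
  return -((struct nlmsgerr*)(hdr + 1))->error;
}

// Sends the request and expects an ack/error reply; see netlink_send_ext.
static int netlink_send(struct nlmsg* nlmsg, int sock)
{
  return netlink_send_ext(nlmsg, sock, 0, NULL);
}

// Returns the nlmsg_len of the message that starts at offset inside a reply of
// total_len bytes, or -1 when no complete message starts there.
// A length smaller than the header is rejected as well, so a caller that
// advances by the returned value always makes progress.
static int netlink_next_msg(struct nlmsg* nlmsg, unsigned int offset, unsigned int total_len)
{
  if (offset >= total_len || total_len - offset < sizeof(struct nlmsghdr))
    return -1;
  struct nlmsghdr* hdr = (struct nlmsghdr*)(nlmsg->buf + offset);
  if (hdr->nlmsg_len < sizeof(*hdr) || hdr->nlmsg_len > total_len - offset)
    return -1;
  return hdr->nlmsg_len;
}

// Starts an RTM_NEWLINK request (NLM_F_EXCL | NLM_F_CREATE) for a device of the
// given kind: zeroed ifinfomsg, optional IFLA_IFNAME, then an open
// IFLA_LINKINFO nest holding IFLA_INFO_KIND. The caller closes the nest with
// netlink_done and sends the message.
static void netlink_add_device_impl(struct nlmsg* nlmsg, const char* type, const char* name)
{
  struct ifinfomsg hdr;
  memset(&hdr, 0, sizeof(hdr));
  netlink_init(nlmsg, RTM_NEWLINK, NLM_F_EXCL | NLM_F_CREATE, &hdr, sizeof(hdr));
  if (name)
    netlink_attr(nlmsg, IFLA_IFNAME, name, strlen(name));
  netlink_nest(nlmsg, IFLA_LINKINFO);
  netlink_attr(nlmsg, IFLA_INFO_KIND, type, strlen(type));
}

static void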
netlink_add_device(struct nlmsg* nlmsg, int sock, const char* type, const char* name)
{
  // Creates a link of kind `type` called `name` with no kind-specific data.
  // The result of the request is deliberately ignored.
  netlink_add_device_impl(nlmsg, type, name);
  netlink_done(nlmsg); // closes IFLA_LINKINFO
  int err = netlink_send(nlmsg, sock);
  (void)err;
}

// Creates a veth pair `name` <-> `peer`. The peer is described inside
// IFLA_INFO_DATA / VETH_INFO_PEER: a struct ifinfomsg followed by IFLA_IFNAME.
// The result of the request is ignored.
static void netlink_add_veth(struct nlmsg* nlmsg, int sock, const char* name, const char* peer)
{
  netlink_add_device_impl(nlmsg, "veth", name);
  netlink_nest(nlmsg, IFLA_INFO_DATA);
  netlink_nest(nlmsg, VETH_INFO_PEER);
  // Skip over the peer's ifinfomsg; the bytes are already zero because
  // netlink_init clears the whole buffer.
  nlmsg->pos += sizeof(struct ifinfomsg);
  netlink_attr(nlmsg, IFLA_IFNAME, peer, strlen(peer));
  netlink_done(nlmsg); // VETH_INFO_PEER
  netlink_done(nlmsg); // IFLA_INFO_DATA
  netlink_done(nlmsg); // IFLA_LINKINFO
  int err = netlink_send(nlmsg, sock);
  (void)err;
}

// Creates an hsr device `name` on top of the two named slave interfaces.
// if_nametoindex returns 0 for an unknown name; that value is sent unchecked.
// The result of the request is ignored.
static void netlink_add_hsr(struct nlmsg* nlmsg, int sock, const char* name, const char* slave1, const char* slave2)
{
  netlink_add_device_impl(nlmsg, "hsr", name);
  netlink_nest(nlmsg, IFLA_INFO_DATA);
  int ifindex1 = if_nametoindex(slave1);
  netlink_attr(nlmsg, IFLA_HSR_SLAVE1, &ifindex1, sizeof(ifindex1));
  int ifindex2 = if_nametoindex(slave2);
  netlink_attr(nlmsg, IFLA_HSR_SLAVE2, &ifindex2, sizeof(ifindex2));
  netlink_done(nlmsg); // IFLA_INFO_DATA
  netlink_done(nlmsg); // IFLA_LINKINFO
  int err = netlink_send(nlmsg, sock);
  (void)err;
}

// Creates a device of kind `type` called `name` that is bound to the existing
// interface `link` through a top-level IFLA_LINK attribute.
// The result of the request is ignored.
static void netlink_add_linked(struct nlmsg* nlmsg, int sock, const char* type, const char* name, const char* link)
{
  netlink_add_device_impl(nlmsg, type, name);
  netlink_done(nlmsg); // closes IFLA_LINKINFO before IFLA_LINK is appended
  int ifindex = if_nametoindex(link);
  netlink_attr(nlmsg, IFLA_LINK, &ifindex, sizeof(ifindex));
  int err = netlink_send(nlmsg, sock);
  (void)err;
}

// Creates a vlan device `name` on `link` with the given VLAN id and protocol.
// proto is copied into the attribute as given; the callers in this file pass
// it through htons(). The result of the request is ignored.
static void netlink_add_vlan(struct nlmsg* nlmsg, int sock, const char* name, const char* link, uint16_t id, uint16_t proto)
{
  netlink_add_device_impl(nlmsg, "vlan", name);
  netlink_nest(nlmsg, IFLA_INFO_DATA);
  netlink_attr(nlmsg, IFLA_VLAN_ID, &id, sizeof(id));
  netlink_attr(nlmsg, IFLA_VLAN_PROTOCOL, &proto, sizeof(proto));
  netlink_done(nlmsg); // IFLA_INFO_DATA
  netlink_done(nlmsg); // IFLA_LINKINFO
  int ifindex = if_nametoindex(link);
  netlink_attr(nlmsg, IFLA_LINK, &ifindex, sizeof(ifindex));
  int err = netlink_send(nlmsg, sock);
  (void)err;
}

static void
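netlink_add_macvlan(struct nlmsg* nlmsg, int sock, const char* name, const char* link)
{
  // Creates a macvlan device `name` in bridge mode on top of `link`.
  // The result of the request is ignored.
  netlink_add_device_impl(nlmsg, "macvlan", name);
  netlink_nest(nlmsg, IFLA_INFO_DATA);
  uint32_t mode = MACVLAN_MODE_BRIDGE;
  netlink_attr(nlmsg, IFLA_MACVLAN_MODE, &mode, sizeof(mode));
  netlink_done(nlmsg); // IFLA_INFO_DATA
  netlink_done(nlmsg); // IFLA_LINKINFO
  int ifindex = if_nametoindex(link);
  netlink_attr(nlmsg, IFLA_LINK, &ifindex, sizeof(ifindex));
  int err = netlink_send(nlmsg, sock);
  (void)err;
}

// Creates a geneve device `name` with the given VNI. addr4 and addr6 are
// optional remote addresses; each one that is non-NULL is added.
// The result of the request is ignored.
static void netlink_add_geneve(struct nlmsg* nlmsg, int sock, const char* name, uint32_t vni, struct in_addr* addr4, struct in6_addr* addr6)
{
  netlink_add_device_impl(nlmsg, "geneve", name);
  netlink_nest(nlmsg, IFLA_INFO_DATA);
  netlink_attr(nlmsg, IFLA_GENEVE_ID, &vni, sizeof(vni));
  if (addr4)
    netlink_attr(nlmsg, IFLA_GENEVE_REMOTE, addr4, sizeof(*addr4));
  if (addr6)
    netlink_attr(nlmsg, IFLA_GENEVE_REMOTE6, addr6, sizeof(*addr6));
  netlink_done(nlmsg); // IFLA_INFO_DATA
  netlink_done(nlmsg); // IFLA_LINKINFO
  int err = netlink_send(nlmsg, sock);
  (void)err;
}

// ipvlan constants defined locally by the generator.
#define IFLA_IPVLAN_FLAGS 2
#define IPVLAN_MODE_L3S 2
#undef IPVLAN_F_VEPA
#define IPVLAN_F_VEPA 2

// Creates an ipvlan device `name` on top of `link` with the given mode and
// flags. The result of the request is ignored.
static void netlink_add_ipvlan(struct nlmsg* nlmsg, int sock, const char* name, const char* link, uint16_t mode, uint16_t flags)
{
  netlink_add_device_impl(nlmsg, "ipvlan", name);
  netlink_nest(nlmsg, IFLA_INFO_DATA);
  netlink_attr(nlmsg, IFLA_IPVLAN_MODE, &mode, sizeof(mode));
  netlink_attr(nlmsg, IFLA_IPVLAN_FLAGS, &flags, sizeof(flags));
  netlink_done(nlmsg); // IFLA_INFO_DATA
  netlink_done(nlmsg); // IFLA_LINKINFO
  int ifindex = if_nametoindex(link);
  netlink_attr(nlmsg, IFLA_LINK, &ifindex, sizeof(ifindex));
  int err = netlink_send(nlmsg, sock);
  (void)err;
}

// Changes the existing device `name` with one RTM_NEWLINK request:
//   up        - set IFF_UP
//   master    - optional: enslave to this device (IFLA_MASTER)
//   mac       - hardware address, sent only when macsize is non-zero
//   new_name  - optional: rename the device (IFLA_IFNAME)
// An unknown `name` makes if_nametoindex return 0, which is sent unchecked.
// The result of the request is ignored.
static void netlink_device_change(struct nlmsg* nlmsg, int sock, const char* name, bool up, const char* master, const void* mac, int macsize, const char* new_name)
{
  struct ifinfomsg hdr;
  memset(&hdr, 0, sizeof(hdr));
  if (up)
    hdr.ifi_flags = hdr.ifi_change = IFF_UP;
  hdr.ifi_index = if_nametoindex(name);
  netlink_init(nlmsg, RTM_NEWLINK, 0, &hdr, sizeof(hdr));
  if (new_name)
    netlink_attr(nlmsg, IFLA_IFNAME, new_name, strlen(new_name));
  if (master) {
    int ifindex = if_nametoindex(master);
    netlink_attr(nlmsg, IFLA_MASTER, &ifindex, sizeof(ifindex));
  }
  if (macsize)
    netlink_attr(nlmsg, IFLA_ADDRESS, mac, macsize);
  int err = netlink_send(nlmsg, sock);
  (void)err;
}

// Adds (or replaces) an address on `dev`. addrsize selects the family:
// 4 bytes means AF_INET with a /24 prefix, anything else AF_INET6 with /120.
// Returns the result of netlink_send.
static int netlink_add_addr(struct nlmsg* nlmsg, int sock, const char* dev, const void* addr, int addrsize)
{
  struct ifaddrmsg hdr;
  memset(&hdr, 0, sizeof(hdr));
  hdr.ifa_family = addrsize == 4 ? AF_INET : AF_INET6;
  hdr.ifa_prefixlen = addrsize == 4 ? 24 : 120;
  hdr.ifa_scope = RT_SCOPE_UNIVERSE;
  hdr.ifa_index = if_nametoindex(dev);
  netlink_init(nlmsg, RTM_NEWADDR, NLM_F_CREATE | NLM_F_REPLACE, &hdr, sizeof(hdr));
  netlink_attr(nlmsg, IFA_LOCAL, addr, addrsize);
  netlink_attr(nlmsg, IFA_ADDRESS, addr, addrsize);
  return netlink_send(nlmsg, sock);
}

// Parses a dotted IPv4 string and adds it to `dev`. Nothing is sent when the
// string does not parse, so uninitialised stack bytes never end up in a
// request. The result of the request is ignored.
static void netlink_add_addr4(struct nlmsg* nlmsg, int sock, const char* dev, const char* addr)
{
  struct in_addr in_addr;
  if (inet_pton(AF_INET, addr, &in_addr) != 1)
    return;
  int err = netlink_add_addr(nlmsg, sock, dev, &in_addr, sizeof(in_addr));
  (void)err;
}

// IPv6 counterpart of netlink_add_addr4, with the same parse check.
static void netlink_add_addr6(struct nlmsg* nlmsg, int sock, const char* dev, const char* addr)
{
  struct in6_addr in6_addr;
  if (inet_pton(AF_INET6, addr, &in6_addr) != 1)
    return;
  int err = netlink_add_addr(nlmsg, sock, dev, &in6_addr, sizeof(in6_addr));
  (void)err;
}

// devlink generic-netlink constants defined locally by the generator.
#define DEVLINK_FAMILY_NAME "devlink"
#define DEVLINK_CMD_PORT_GET 5
#define DEVLINK_ATTR_BUS_NAME 1
#define DEVLINK_ATTR_DEV_NAME 2
#define DEVLINK_ATTR_NETDEV_NAME 7

// Resolves the generic-netlink family id of "devlink" with a
// CTRL_CMD_GETFAMILY request on sock.
// Returns the id, or -1 when the request fails or the reply carries no
// CTRL_ATTR_FAMILY_ID attribute.
static int netlink_devlink_id_get(struct nlmsg* nlmsg, int sock)
{
  struct genlmsghdr genlhdr;
  struct nlattr* attr;
  int err, n;
  uint16_t id = 0;
  memset(&genlhdr, 0, sizeof(genlhdr));
  genlhdr.cmd = CTRL_CMD_GETFAMILY;
  netlink_init(nlmsg, GENL_ID_CTRL, 0, &genlhdr, sizeof(genlhdr));
  netlink_attr(nlmsg, CTRL_ATTR_FAMILY_NAME, DEVLINK_FAMILY_NAME, strlen(DEVLINK_FAMILY_NAME) + 1);
  err = netlink_send_ext(nlmsg, sock, GENL_ID_CTRL, &n);
  if (err) {
    return -1;
  }
  attr = (struct nlattr*)(nlmsg->buf + NLMSG_HDRLEN + NLMSG_ALIGN(sizeof(genlhdr)));
  for (; (char*)attr < nlmsg->buf + n; attr = (struct nlattr*)((char*)attr + NLMSG_ALIGN(attr->nla_len))) {
    // A length below the attribute header would never advance the walk.
    if (attr->nla_len < sizeof(*attr))
      break;
    if (attr->nla_type == CTRL_ATTR_FAMILY_ID) {
      id = *(uint16_t*)(attr + 1);
      break;
    }
  }
  if (!id) {
    return -1;
  }
  recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0); /* recv ack */
  return id;
}

// Second scratch message: used for rename requests while the devlink dump is
// still being walked inside `nlmsg`.
static struct nlmsg nlmsg2;

// Dumps the devlink ports of bus_name/dev_name and, for every message that
// carries DEVLINK_ATTR_NETDEV_NAME, brings that netdev up and renames it to
// "<netdev_prefix><index>", where index counts the dump messages from 0.
// Exits the process when a socket cannot be created; every other failure just
// ends the function.
// NOTE(review): the port name is taken from the reply as a C string and is
// presumably NUL-terminated by the kernel; it is not re-checked here.
static void initialize_devlink_ports(const char* bus_name, const char* dev_name, const char* netdev_prefix)
{
  struct genlmsghdr genlhdr;
  int len, total_len, id, err, offset;
  uint16_t netdev_index;
  int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC);
  if (sock == -1)
    exit(1);
  int rtsock = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
  if (rtsock == -1)
    exit(1);
  id = netlink_devlink_id_get(&nlmsg, sock);
  if (id == -1)
    goto error;
  memset(&genlhdr, 0, sizeof(genlhdr));
  genlhdr.cmd = DEVLINK_CMD_PORT_GET;
  netlink_init(&nlmsg, id, NLM_F_DUMP, &genlhdr, sizeof(genlhdr));
  netlink_attr(&nlmsg, DEVLINK_ATTR_BUS_NAME, bus_name, strlen(bus_name) + 1);
  netlink_attr(&nlmsg, DEVLINK_ATTR_DEV_NAME, dev_name, strlen(dev_name) + 1);
  err = netlink_send_ext(&nlmsg, sock, id, &total_len);
  if (err) {
    goto error;
  }
  offset = 0;
  netdev_index = 0;
  while ((len = netlink_next_msg(&nlmsg, offset, total_len)) != -1) {
    struct nlattr* attr = (struct nlattr*)(nlmsg.buf + offset + NLMSG_HDRLEN + NLMSG_ALIGN(sizeof(genlhdr)));
    for (; (char*)attr < nlmsg.buf + offset + len; attr = (struct nlattr*)((char*)attr + NLMSG_ALIGN(attr->nla_len))) {
      // A length below the attribute header would never advance the walk.
      if (attr->nla_len < sizeof(*attr))
        break;
      if (attr->nla_type == DEVLINK_ATTR_NETDEV_NAME) {
        char* port_name;
        char netdev_name[IFNAMSIZ];
        port_name = (char*)(attr + 1);
        snprintf(netdev_name, sizeof(netdev_name), "%s%d", netdev_prefix, netdev_index);
        netlink_device_change(&nlmsg2, rtsock, port_name, true, 0, 0, 0, netdev_name);
        break;
      }
    }
    offset += len;
    netdev_index++;
  }
error:
  close(rtsock);
  close(sock);
}

// Address templates for the test devices; the %d / %02x slot receives the
// device's table index plus 10.
#define DEV_IPV4 "172.20.20.%d"
#define DEV_IPV6 "fe80::%02x"
#define DEV_MAC 0x00aaaaaaaaaa

static void netdevsim_add(unsigned int addr,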
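unsigned int port_count)
{
  // Asks the netdevsim bus for a new device by writing "<addr> <port_count>"
  // to /sys/bus/netdevsim/new_device and, on success, renames its devlink
  // ports through initialize_devlink_ports.
  // Two full-width unsigned values need up to 22 bytes, so the buffer is sized
  // for that and every write into it is bounded.
  char buf[32];
  snprintf(buf, sizeof(buf), "%u %u", addr, port_count);
  // Pass the text as an argument, not as the format string.
  if (write_file("/sys/bus/netdevsim/new_device", "%s", buf)) {
    snprintf(buf, sizeof(buf), "netdevsim%u", addr);
    initialize_devlink_ports("netdevsim", buf, "netdevsim");
  }
}

// Builds the fixed set of virtual network devices, then gives each one an
// IPv4 address, an IPv6 address (unless noipv6), a MAC address (when macsize
// is non-zero) and brings it up.
// Exits the process when the rtnetlink socket cannot be created; the result of
// every individual device request is ignored by the helpers.
static void initialize_netdevices(void)
{
  char netdevsim[16];
  // Bounded: "netdevsim" plus a full-width int does not fit in 16 bytes.
  snprintf(netdevsim, sizeof(netdevsim), "netdevsim%d", (int)procid);
  // Devices created with no kind-specific data: {link kind, device name}.
  struct {
    const char* type;
    const char* dev;
  } devtypes[] = {
      {"ip6gretap", "ip6gretap0"},
      {"bridge", "bridge0"},
      {"vcan", "vcan0"},
      {"bond", "bond0"},
      {"team", "team0"},
      {"dummy", "dummy0"},
      {"nlmon", "nlmon0"},
      {"caif", "caif0"},
      {"batadv", "batadv0"},
      {"vxcan", "vxcan1"},
      {"netdevsim", netdevsim},
      {"veth", 0},
      {"xfrm", "xfrm0"},
      {"wireguard", "wireguard0"},
      {"wireguard", "wireguard1"},
  };
  // Master devices that each get two veth-backed slaves.
  const char* devmasters[] = {"bridge", "bond", "team", "batadv"};
  // Devices that receive addresses: {name, MAC length, skip IPv6}.
  struct {
    const char* name;
    int macsize;
    bool noipv6;
  } devices[] = {
      {"lo", ETH_ALEN},
      {"sit0", 0},
      {"bridge0", ETH_ALEN},
      {"vcan0", 0, true},
      {"tunl0", 0},
      {"gre0", 0},
      {"gretap0", ETH_ALEN},
      {"ip_vti0", 0},
      {"ip6_vti0", 0},
      {"ip6tnl0", 0},
      {"ip6gre0", 0},
      {"ip6gretap0", ETH_ALEN},
      {"erspan0", ETH_ALEN},
      {"bond0", ETH_ALEN},
      {"veth0", ETH_ALEN},
      {"veth1", ETH_ALEN},
      {"team0", ETH_ALEN},
      {"veth0_to_bridge", ETH_ALEN},
      {"veth1_to_bridge", ETH_ALEN},
      {"veth0_to_bond", ETH_ALEN},
      {"veth1_to_bond", ETH_ALEN},
      {"veth0_to_team", ETH_ALEN},
      {"veth1_to_team", ETH_ALEN},
      {"veth0_to_hsr", ETH_ALEN},
      {"veth1_to_hsr", ETH_ALEN},
      {"hsr0", 0},
      {"dummy0", ETH_ALEN},
      {"nlmon0", 0},
      {"vxcan0", 0, true},
      {"vxcan1", 0, true},
      {"caif0", ETH_ALEN},
      {"batadv0", ETH_ALEN},
      {netdevsim, ETH_ALEN},
      {"xfrm0", ETH_ALEN},
      {"veth0_virt_wifi", ETH_ALEN},
      {"veth1_virt_wifi", ETH_ALEN},
      {"virt_wifi0", ETH_ALEN},
      {"veth0_vlan", ETH_ALEN},
      {"veth1_vlan", ETH_ALEN},
      {"vlan0", ETH_ALEN},
      {"vlan1", ETH_ALEN},
      {"macvlan0", ETH_ALEN},
      {"macvlan1", ETH_ALEN},
      {"ipvlan0", ETH_ALEN},
      {"ipvlan1", ETH_ALEN},
      {"veth0_macvtap", ETH_ALEN},
      {"veth1_macvtap", ETH_ALEN},
      {"macvtap0", ETH_ALEN},
      {"macsec0", ETH_ALEN},
      {"veth0_to_batadv", ETH_ALEN},
      {"veth1_to_batadv", ETH_ALEN},
      {"batadv_slave_0", ETH_ALEN},
      {"batadv_slave_1", ETH_ALEN},
      {"geneve0", ETH_ALEN},
      {"geneve1", ETH_ALEN},
      {"wireguard0", 0},
      {"wireguard1", 0},
  };
  int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
  if (sock == -1)
    exit(1);
  unsigned i;
  for (i = 0; i < sizeof(devtypes) / sizeof(devtypes[0]); i++)
    netlink_add_device(&nlmsg, sock, devtypes[i].type, devtypes[i].dev);
  // For each master: two veth pairs whose "<master>_slave_N" ends are enslaved
  // to "<master>0". The names are built from the constants above and fit the
  // 32-byte buffers.
  for (i = 0; i < sizeof(devmasters) / (sizeof(devmasters[0])); i++) {
    char master[32], slave0[32], veth0[32], slave1[32], veth1[32];
    sprintf(slave0, "%s_slave_0", devmasters[i]);
    sprintf(veth0, "veth0_to_%s", devmasters[i]);
    netlink_add_veth(&nlmsg, sock, slave0, veth0);
    sprintf(slave1, "%s_slave_1", devmasters[i]);
    sprintf(veth1, "veth1_to_%s", devmasters[i]);
    netlink_add_veth(&nlmsg, sock, slave1, veth1);
    sprintf(master, "%s0", devmasters[i]);
    netlink_device_change(&nlmsg, sock, slave0, false, master, 0, 0, NULL);
    netlink_device_change(&nlmsg, sock, slave1, false, master, 0, 0, NULL);
  }
  netlink_device_change(&nlmsg, sock, "bridge_slave_0", true, 0, 0, 0, NULL);
  netlink_device_change(&nlmsg, sock, "bridge_slave_1", true, 0, 0, 0, NULL);
  netlink_add_veth(&nlmsg, sock, "hsr_slave_0", "veth0_to_hsr");
  netlink_add_veth(&nlmsg, sock, "hsr_slave_1", "veth1_to_hsr");
  netlink_add_hsr(&nlmsg, sock, "hsr0", "hsr_slave_0", "hsr_slave_1");
  netlink_device_change(&nlmsg, sock, "hsr_slave_0", true, 0, 0, 0, NULL);
  netlink_device_change(&nlmsg, sock, "hsr_slave_1", true, 0, 0, 0, NULL);
  netlink_add_veth(&nlmsg, sock, "veth0_virt_wifi", "veth1_virt_wifi");
  netlink_add_linked(&nlmsg, sock, "virt_wifi", "virt_wifi0", "veth1_virt_wifi");
  netlink_add_veth(&nlmsg, sock, "veth0_vlan", "veth1_vlan");
  netlink_add_vlan(&nlmsg, sock, "vlan0", "veth0_vlan", 0, htons(ETH_P_8021Q));
  netlink_add_vlan(&nlmsg, sock, "vlan1", "veth0_vlan", 1, htons(ETH_P_8021AD));
  netlink_add_macvlan(&nlmsg, sock, "macvlan0", "veth1_vlan");
  netlink_add_macvlan(&nlmsg, sock, "macvlan1", "veth1_vlan");
  netlink_add_ipvlan(&nlmsg, sock, "ipvlan0", "veth0_vlan", IPVLAN_MODE_L2, 0);
  netlink_add_ipvlan(&nlmsg, sock, "ipvlan1", "veth0_vlan", IPVLAN_MODE_L3S, IPVLAN_F_VEPA);
  netlink_add_veth(&nlmsg, sock, "veth0_macvtap", "veth1_macvtap");
  netlink_add_linked(&nlmsg, sock, "macvtap", "macvtap0", "veth0_macvtap");
  netlink_add_linked(&nlmsg, sock, "macsec", "macsec0", "veth1_macvtap");
  // geneve0 gets an IPv4 remote (the address of devices[14], "veth0"),
  // geneve1 an IPv6 remote.
  char addr[32];
  sprintf(addr, DEV_IPV4, 14 + 10);
  struct in_addr geneve_addr4;
  if (inet_pton(AF_INET, addr, &geneve_addr4) <= 0)
    exit(1);
  struct in6_addr geneve_addr6;
  if (inet_pton(AF_INET6, "fc00::01", &geneve_addr6) <= 0)
    exit(1);
  netlink_add_geneve(&nlmsg, sock, "geneve0", 0, &geneve_addr4, 0);
  netlink_add_geneve(&nlmsg, sock, "geneve1", 1, 0, &geneve_addr6);
  netdevsim_add((int)procid, 4);
  // Address, MAC and link-up for every entry of devices[]; the table index
  // plus 10 is the host part of the addresses and the varying MAC byte.
  for (i = 0; i < sizeof(devices) / (sizeof(devices[0])); i++) {
    char addr[32];
    sprintf(addr, DEV_IPV4, i + 10);
    netlink_add_addr4(&nlmsg, sock, devices[i].name, addr);
    if (!devices[i].noipv6) {
      sprintf(addr, DEV_IPV6, i + 10);
      netlink_add_addr6(&nlmsg, sock, devices[i].name, addr);
    }
    uint64_t macaddr = DEV_MAC + ((i + 10ull) << 40);
    netlink_device_change(&nlmsg, sock, devices[i].name, true, 0, &macaddr, devices[i].macsize, NULL);
  }
  close(sock);
}

// Configures the "<type><procid>" devices of the kinds listed in devtypes
// ("nr", "rose"): an IPv4 address, an IPv6 address unless noipv6, a hardware
// address of macsize bytes, and link-up unless noup. The devices themselves
// are not created here.
// Exits the process when the rtnetlink socket cannot be created.
static void initialize_netdevices_init(void)
{
  int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
  if (sock == -1)
    exit(1);
  struct {
    const char* type;
    int macsize;
    bool noipv6;
    bool noup;
  } devtypes[] = {
      {"nr", 7, true},
      {"rose", 5, true, true},
  };
  unsigned i;
  for (i = 0; i < sizeof(devtypes) / sizeof(devtypes[0]); i++) {
    char dev[32], addr[32];
    sprintf(dev, "%s%d", devtypes[i].type, (int)procid);
    sprintf(addr, "172.30.%d.%d", i, (int)procid + 1);
    netlink_add_addr4(&nlmsg, sock, dev, addr);
    if (!devtypes[i].noipv6) {
      sprintf(addr, "fe88::%02x:%02x", i, (int)procid + 1);
      netlink_add_addr6(&nlmsg, sock, dev, addr);
    }
    int macsize = devtypes[i].macsize;
    // Low three bytes are 0xbb; the table index goes into the second-highest
    // address byte and procid into the highest one.
    uint64_t macaddr = 0xbbbbbb + ((unsigned long long)i << (8 * (macsize - 2))) +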
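(procid << (8 * (macsize - 1)));
    netlink_device_change(&nlmsg, sock, dev, !devtypes[i].noup, 0, &macaddr, macsize, NULL);
  }
  close(sock);
}

// Looks up the generic-netlink family id for the family name stored at address
// `name` (a pointer passed as an integer).
// Returns the id, or -1 when the socket, send or receive fails, when the reply
// is not a GENL_ID_CTRL message, or when it has no CTRL_ATTR_FAMILY_ID.
static long syz_genetlink_get_family_id(volatile long name)
{
  char buf[512] = {0};
  struct nlmsghdr* hdr = (struct nlmsghdr*)buf;
  struct genlmsghdr* genlhdr = (struct genlmsghdr*)NLMSG_DATA(hdr);
  struct nlattr* attr = (struct nlattr*)(genlhdr + 1);
  hdr->nlmsg_len = sizeof(*hdr) + sizeof(*genlhdr) + sizeof(*attr) + GENL_NAMSIZ;
  hdr->nlmsg_type = GENL_ID_CTRL;
  hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
  genlhdr->cmd = CTRL_CMD_GETFAMILY;
  attr->nla_type = CTRL_ATTR_FAMILY_NAME;
  attr->nla_len = sizeof(*attr) + GENL_NAMSIZ;
  // Copies at most GENL_NAMSIZ bytes. A name of that length or longer is sent
  // without a terminator inside the attribute.
  strncpy((char*)(attr + 1), (char*)name, GENL_NAMSIZ);
  struct iovec iov = {hdr, hdr->nlmsg_len};
  struct sockaddr_nl addr = {0};
  addr.nl_family = AF_NETLINK;
  int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC);
  if (fd == -1) {
    return -1;
  }
  struct msghdr msg = {&addr, sizeof(addr), &iov, 1, NULL, 0, 0};
  if (sendmsg(fd, &msg, 0) == -1) {
    close(fd);
    return -1;
  }
  ssize_t n = recv(fd, buf, sizeof(buf), 0);
  close(fd);
  // Covers a failed read and a reply too short to hold a header; in both cases
  // buf still contains the request that was just sent.
  if (n < (ssize_t)sizeof(*hdr)) {
    return -1;
  }
  if (hdr->nlmsg_type != GENL_ID_CTRL) {
    return -1;
  }
  // The reply has the same header layout as the request, so attr already
  // points at its first attribute.
  for (; (char*)attr < buf + n; attr = (struct nlattr*)((char*)attr + NLMSG_ALIGN(attr->nla_len))) {
    // A length below the attribute header would never advance the walk.
    if (attr->nla_len < sizeof(*attr))
      break;
    if (attr->nla_type == CTRL_ATTR_FAMILY_ID)
      return *(uint16_t*)(attr + 1);
  }
  return -1;
}

// Mounts fusectl on /sys/fs/fuse/connections; a failure is ignored.
static void setup_common()
{
  if (mount(0, "/sys/fs/fuse/connections", "fusectl", 0, 0)) {
  }
}

static void loop();

// Process setup shared by the sandbox modes: kill the process when its parent
// dies, start a new process group and session, apply resource limits, unshare
// several namespaces and write a fixed set of SysV IPC sysctls.
// Every step is best effort: no return value is checked.
static void sandbox_common()
{
  prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
  setpgrp();
  setsid();
  struct rlimit rlim;
  rlim.rlim_cur = rlim.rlim_max = (200 << 20); // 200 MiB address space
  setrlimit(RLIMIT_AS, &rlim);
  rlim.rlim_cur = rlim.rlim_max = 32 << 20; // 32 MiB locked memory
  setrlimit(RLIMIT_MEMLOCK, &rlim);
  rlim.rlim_cur = rlim.rlim_max = 136 << 20; // 136 MiB file size
  setrlimit(RLIMIT_FSIZE, &rlim);
  rlim.rlim_cur = rlim.rlim_max = 1 << 20; // 1 MiB stack
  setrlimit(RLIMIT_STACK, &rlim);
  rlim.rlim_cur = rlim.rlim_max = 0; // no core dumps
  setrlimit(RLIMIT_CORE, &rlim);
  rlim.rlim_cur = rlim.rlim_max = 256; // 256 open files
  setrlimit(RLIMIT_NOFILE, &rlim);
  if (unshare(CLONE_NEWNS)) {
  }
  if (unshare(CLONE_NEWIPC)) {
  }
  // 0x02000000 is the numeric value of CLONE_NEWCGROUP.
  if (unshare(0x02000000)) {
  }
  if (unshare(CLONE_NEWUTS)) {
  }
  if (unshare(CLONE_SYSVSEM)) {
  }
  typedef struct {
    const char* name;
    const char* value;
  } sysctl_t;
  static const sysctl_t sysctls[] = {
      {"/proc/sys/kernel/shmmax", "16777216"},
      {"/proc/sys/kernel/shmall", "536870912"},
      {"/proc/sys/kernel/shmmni", "1024"},
      {"/proc/sys/kernel/msgmax", "8192"},
      {"/proc/sys/kernel/msgmni", "1024"},
      {"/proc/sys/kernel/msgmnb", "1024"},
      {"/proc/sys/kernel/sem", "1024 1048576 500 1024"},
  };
  unsigned i;
  // The value is passed as an argument, not as the format string.
  for (i = 0; i < sizeof(sysctls) / sizeof(sysctls[0]); i++)
    write_file(sysctls[i].name, "%s", sysctls[i].value);
}

// Reaps children until the one with the given pid has been collected and
// returns that child's exit status. Exits with status 1 when pid is negative
// (fork failed).
int wait_for_loop(int pid)
{
  if (pid < 0)
    exit(1);
  int status = 0;
  while (waitpid(-1, &status, __WALL) != pid) {
  }
  return WEXITSTATUS(status);
}

// Removes CAP_SYS_PTRACE and CAP_SYS_NICE from the effective, permitted and
// inheritable sets of the current process; all other capabilities are kept.
// Exits with status 1 when capget or capset fails.
static void drop_caps(void)
{
  struct __user_cap_header_struct cap_hdr = {};
  struct __user_cap_data_struct cap_data[2] = {};
  cap_hdr.version = _LINUX_CAPABILITY_VERSION_3;
  cap_hdr.pid = getpid();
  if (syscall(SYS_capget, &cap_hdr, &cap_data))
    exit(1);
  const int drop = (1 << CAP_SYS_PTRACE) | (1 << CAP_SYS_NICE);
  cap_data[0].effective &= ~drop;
  cap_data[0].permitted &= ~drop;
  cap_data[0].inheritable &= ~drop;
  if (syscall(SYS_capset, &cap_hdr, &cap_data))
    exit(1);
}

// "none" sandbox: forks a child that runs the common setup, drops the two
// capabilities, builds the network devices inside a new network namespace and
// then runs loop(). The parent waits and returns the child's exit status.
// This is not a confinement boundary: apart from the limits set in
// sandbox_common and the two dropped capabilities, the child keeps the
// privileges of the caller.
static int do_sandbox_none(void)
{
  if (unshare(CLONE_NEWPID)) {
  }
  int pid = fork();
  if (pid != 0)
    return wait_for_loop(pid);
  setup_common();
  sandbox_common();
  drop_caps();
  // Runs before the new network namespace is created, i.e. against the
  // namespace the process started in.
  initialize_netdevices_init();
  if (unshare(CLONE_NEWNET)) {
  }
  initialize_netdevices();
  loop();
  exit(1);
}

// Resources produced by the calls in loop(): r[0] the netlink socket, r[1] the
// "wireguard" family id.
uint64_t r[4] = {0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0};

// Generated call sequence. The body continues beyond this part of the page.
// NOTE(review): the fixed 0x2000xxxx addresses are written directly; the
// mapping that backs them is presumably created elsewhere in the file.
void loop(void)
{
  intptr_t res = 0;
  // socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC)
  res = syscall(__NR_socket, 0x10ul, 3ul, 0x10ul);
  if (res != -1)
    r[0] = res;
  memcpy((void*)0x20000480, "wireguard\000", 10);
  res = syz_genetlink_get_family_id(0x20000480);
  if (res != -1)
    r[1] = res;
  *(uint64_t*)0x20001340 = 0;
  *(uint32_t*)0x20001348 = 0;
  *(uint64_t*)0x20001350 = 0x20001300;
  *(uint64_t*)0x20001300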
= 0x20001380; *(uint32_t*)0x20001380 = 0x894; *(uint16_t*)0x20001384 = r[1]; *(uint16_t*)0x20001386 = 1; *(uint32_t*)0x20001388 = 0; *(uint32_t*)0x2000138c = 0; *(uint8_t*)0x20001390 = 1; *(uint8_t*)0x20001391 = 0; *(uint16_t*)0x20001392 = 0; *(uint16_t*)0x20001394 = 0x14; *(uint16_t*)0x20001396 = 2; memcpy((void*)0x20001398, "wireguard0\000\000\000\000\000\000", 16); *(uint16_t*)0x200013a8 = 0x86c; STORE_BY_BITMASK(uint16_t, , 0x200013aa, 8, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x200013ab, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x200013ab, 1, 7, 1); *(uint16_t*)0x200013ac = 0x54; STORE_BY_BITMASK(uint16_t, , 0x200013ae, 0, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x200013af, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x200013af, 1, 7, 1); *(uint16_t*)0x200013b0 = 8; *(uint16_t*)0x200013b2 = 3; *(uint32_t*)0x200013b4 = 6; *(uint16_t*)0x200013b8 = 0x24; *(uint16_t*)0x200013ba = 1; *(uint8_t*)0x200013bc = 0xaa; *(uint8_t*)0x200013bd = 0xaa; *(uint8_t*)0x200013be = 0xaa; *(uint8_t*)0x200013bf = 0xaa; *(uint8_t*)0x200013c0 = 0xaa; *(uint8_t*)0x200013c1 = 0xaa; *(uint8_t*)0x200013c2 = 0xaa; *(uint8_t*)0x200013c3 = 0xaa; *(uint8_t*)0x200013c4 = 0xaa; *(uint8_t*)0x200013c5 = 0xaa; *(uint8_t*)0x200013c6 = 0xaa; *(uint8_t*)0x200013c7 = 0xaa; *(uint8_t*)0x200013c8 = 0xaa; *(uint8_t*)0x200013c9 = 0xaa; *(uint8_t*)0x200013ca = 0xaa; *(uint8_t*)0x200013cb = 0xaa; *(uint8_t*)0x200013cc = 0xaa; *(uint8_t*)0x200013cd = 0xaa; *(uint8_t*)0x200013ce = 0xaa; *(uint8_t*)0x200013cf = 0xaa; *(uint8_t*)0x200013d0 = 0xaa; *(uint8_t*)0x200013d1 = 0xaa; *(uint8_t*)0x200013d2 = 0xaa; *(uint8_t*)0x200013d3 = 0xaa; *(uint8_t*)0x200013d4 = 0xaa; *(uint8_t*)0x200013d5 = 0xaa; *(uint8_t*)0x200013d6 = 0xaa; *(uint8_t*)0x200013d7 = 0xaa; *(uint8_t*)0x200013d8 = 0xaa; *(uint8_t*)0x200013d9 = 0xaa; *(uint8_t*)0x200013da = 0xaa; *(uint8_t*)0x200013db = 0xaa; *(uint16_t*)0x200013dc = 0x24; *(uint16_t*)0x200013de = 1; *(uint8_t*)0x200013e0 = 0; *(uint8_t*)0x200013e1 = 0; *(uint8_t*)0x200013e2 = 0; 
*(uint8_t*)0x200013e3 = 0; *(uint8_t*)0x200013e4 = 0; *(uint8_t*)0x200013e5 = 0; *(uint8_t*)0x200013e6 = 0; *(uint8_t*)0x200013e7 = 0; *(uint8_t*)0x200013e8 = 0; *(uint8_t*)0x200013e9 = 0; *(uint8_t*)0x200013ea = 0; *(uint8_t*)0x200013eb = 0; *(uint8_t*)0x200013ec = 0; *(uint8_t*)0x200013ed = 0; *(uint8_t*)0x200013ee = 0; *(uint8_t*)0x200013ef = 0; *(uint8_t*)0x200013f0 = 0; *(uint8_t*)0x200013f1 = 0; *(uint8_t*)0x200013f2 = 0; *(uint8_t*)0x200013f3 = 0; *(uint8_t*)0x200013f4 = 0; *(uint8_t*)0x200013f5 = 0; *(uint8_t*)0x200013f6 = 0; *(uint8_t*)0x200013f7 = 0; *(uint8_t*)0x200013f8 = 0; *(uint8_t*)0x200013f9 = 0; *(uint8_t*)0x200013fa = 0; *(uint8_t*)0x200013fb = 0; *(uint8_t*)0x200013fc = 0; *(uint8_t*)0x200013fd = 0; *(uint8_t*)0x200013fe = 0; *(uint8_t*)0x200013ff = 0; *(uint16_t*)0x20001400 = 0x54; STORE_BY_BITMASK(uint16_t, , 0x20001402, 0, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x20001403, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x20001403, 1, 7, 1); *(uint16_t*)0x20001404 = 0x24; *(uint16_t*)0x20001406 = 1; *(uint8_t*)0x20001408 = 0; *(uint8_t*)0x20001409 = 0; *(uint8_t*)0x2000140a = 0; *(uint8_t*)0x2000140b = 0; *(uint8_t*)0x2000140c = 0; *(uint8_t*)0x2000140d = 0; *(uint8_t*)0x2000140e = 0; *(uint8_t*)0x2000140f = 0; *(uint8_t*)0x20001410 = 0; *(uint8_t*)0x20001411 = 0; *(uint8_t*)0x20001412 = 0; *(uint8_t*)0x20001413 = 0; *(uint8_t*)0x20001414 = 0; *(uint8_t*)0x20001415 = 0; *(uint8_t*)0x20001416 = 0; *(uint8_t*)0x20001417 = 0; *(uint8_t*)0x20001418 = 0; *(uint8_t*)0x20001419 = 0; *(uint8_t*)0x2000141a = 0; *(uint8_t*)0x2000141b = 0; *(uint8_t*)0x2000141c = 0; *(uint8_t*)0x2000141d = 0; *(uint8_t*)0x2000141e = 0; *(uint8_t*)0x2000141f = 0; *(uint8_t*)0x20001420 = 0; *(uint8_t*)0x20001421 = 0; *(uint8_t*)0x20001422 = 0; *(uint8_t*)0x20001423 = 0; *(uint8_t*)0x20001424 = 0; *(uint8_t*)0x20001425 = 0; *(uint8_t*)0x20001426 = 0; *(uint8_t*)0x20001427 = 0; *(uint16_t*)0x20001428 = 0x24; *(uint16_t*)0x2000142a = 2; memcpy((void*)0x2000142c, 
"\xd2\x8d\x8c\x71\xab\x99\xee\x0d\xee\xd3\x2b\xcd" "\xe6\x9b\x81\x9e\xda\x34\x59\xc1\x48\x70\x63\x72" "\x25\xcc\xea\x19\x96\xdb\x09\xd6", 32); *(uint16_t*)0x2000144c = 8; *(uint16_t*)0x2000144e = 0xa; *(uint32_t*)0x20001450 = 1; *(uint16_t*)0x20001454 = 0xac; STORE_BY_BITMASK(uint16_t, , 0x20001456, 0, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x20001457, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x20001457, 1, 7, 1); *(uint16_t*)0x20001458 = 8; *(uint16_t*)0x2000145a = 3; *(uint32_t*)0x2000145c = 2; *(uint16_t*)0x20001460 = 8; *(uint16_t*)0x20001462 = 0xa; *(uint32_t*)0x20001464 = 1; *(uint16_t*)0x20001468 = 6; *(uint16_t*)0x2000146a = 5; *(uint16_t*)0x2000146c = 6; *(uint16_t*)0x20001470 = 6; *(uint16_t*)0x20001472 = 5; *(uint16_t*)0x20001474 = 0x40; *(uint16_t*)0x20001478 = 0x14; *(uint16_t*)0x2000147a = 4; *(uint16_t*)0x2000147c = 2; *(uint16_t*)0x2000147e = htobe16(0x4e21); *(uint32_t*)0x20001480 = htobe32(0x7f000001); *(uint16_t*)0x2000148c = 0x24; *(uint16_t*)0x2000148e = 1; *(uint8_t*)0x20001490 = 0; *(uint8_t*)0x20001491 = 0; *(uint8_t*)0x20001492 = 0; *(uint8_t*)0x20001493 = 0; *(uint8_t*)0x20001494 = 0; *(uint8_t*)0x20001495 = 0; *(uint8_t*)0x20001496 = 0; *(uint8_t*)0x20001497 = 0; *(uint8_t*)0x20001498 = 0; *(uint8_t*)0x20001499 = 0; *(uint8_t*)0x2000149a = 0; *(uint8_t*)0x2000149b = 0; *(uint8_t*)0x2000149c = 0; *(uint8_t*)0x2000149d = 0; *(uint8_t*)0x2000149e = 0; *(uint8_t*)0x2000149f = 0; *(uint8_t*)0x200014a0 = 0; *(uint8_t*)0x200014a1 = 0; *(uint8_t*)0x200014a2 = 0; *(uint8_t*)0x200014a3 = 0; *(uint8_t*)0x200014a4 = 0; *(uint8_t*)0x200014a5 = 0; *(uint8_t*)0x200014a6 = 0; *(uint8_t*)0x200014a7 = 0; *(uint8_t*)0x200014a8 = 0; *(uint8_t*)0x200014a9 = 0; *(uint8_t*)0x200014aa = 0; *(uint8_t*)0x200014ab = 0; *(uint8_t*)0x200014ac = 0; *(uint8_t*)0x200014ad = 0; *(uint8_t*)0x200014ae = 0; *(uint8_t*)0x200014af = 0; *(uint16_t*)0x200014b0 = 0x24; *(uint16_t*)0x200014b2 = 2; memcpy((void*)0x200014b4, "\x60\x3e\x42\x3d\x09\x41\x8f\xc8\xbf\xa2\x0e\x55" 
"\x58\xd2\x69\x40\x2e\x31\xd2\x60\x98\xdd\x2f\xa7" "\x75\xcb\x70\x73\xb1\x1e\x59\x8c", 32); *(uint16_t*)0x200014d4 = 8; *(uint16_t*)0x200014d6 = 3; *(uint32_t*)0x200014d8 = 6; *(uint16_t*)0x200014dc = 0x24; *(uint16_t*)0x200014de = 2; memcpy((void*)0x200014e0, "\xc3\x4f\xd2\x99\x70\xcc\x83\x6f\x3b\x7b\x47\x9d" "\x31\x17\x74\xca\x63\x3d\x3e\xdc\xcf\xdc\x3c\xb6" "\x07\x1a\x0f\x82\xe3\xbc\x07\xc3", 32); *(uint16_t*)0x20001500 = 0x18; STORE_BY_BITMASK(uint16_t, , 0x20001502, 0, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x20001503, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x20001503, 1, 7, 1); *(uint16_t*)0x20001504 = 0x14; *(uint16_t*)0x20001506 = 4; *(uint16_t*)0x20001508 = 2; *(uint16_t*)0x2000150a = htobe16(0x4e22); *(uint32_t*)0x2000150c = htobe32(0xe0000001); *(uint16_t*)0x20001518 = 0x674; STORE_BY_BITMASK(uint16_t, , 0x2000151a, 0, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x2000151b, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x2000151b, 1, 7, 1); *(uint16_t*)0x2000151c = 6; *(uint16_t*)0x2000151e = 5; *(uint16_t*)0x20001520 = 0x40; *(uint16_t*)0x20001524 = 6; *(uint16_t*)0x20001526 = 5; *(uint16_t*)0x20001528 = 8; *(uint16_t*)0x2000152c = 0x14; *(uint16_t*)0x2000152e = 4; *(uint16_t*)0x20001530 = 2; *(uint16_t*)0x20001532 = htobe16(0x4e22); *(uint32_t*)0x20001534 = htobe32(-1); *(uint16_t*)0x20001540 = 0x638; STORE_BY_BITMASK(uint16_t, , 0x20001542, 9, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x20001543, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x20001543, 1, 7, 1); *(uint16_t*)0x20001544 = 0x118; STORE_BY_BITMASK(uint16_t, , 0x20001546, 0, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x20001547, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x20001547, 1, 7, 1); *(uint16_t*)0x20001548 = 6; *(uint16_t*)0x2000154a = 1; *(uint16_t*)0x2000154c = 2; *(uint16_t*)0x20001550 = 8; *(uint16_t*)0x20001552 = 2; *(uint8_t*)0x20001554 = 0xac; *(uint8_t*)0x20001555 = 0x14; *(uint8_t*)0x20001556 = 0x14; *(uint8_t*)0x20001557 = 0xbb; *(uint16_t*)0x20001558 = 5; *(uint16_t*)0x2000155a = 3; *(uint8_t*)0x2000155c = 
0xe; *(uint16_t*)0x20001560 = 6; *(uint16_t*)0x20001562 = 1; *(uint16_t*)0x20001564 = 0xa; *(uint16_t*)0x20001568 = 0x14; *(uint16_t*)0x2000156a = 2; *(uint8_t*)0x2000156c = 0xfe; *(uint8_t*)0x2000156d = 0x88; *(uint8_t*)0x2000156e = 0; *(uint8_t*)0x2000156f = 0; *(uint8_t*)0x20001570 = 0; *(uint8_t*)0x20001571 = 0; *(uint8_t*)0x20001572 = 0; *(uint8_t*)0x20001573 = 0; *(uint8_t*)0x20001574 = 0; *(uint8_t*)0x20001575 = 0; *(uint8_t*)0x20001576 = 0; *(uint8_t*)0x20001577 = 0; *(uint8_t*)0x20001578 = 0; *(uint8_t*)0x20001579 = 0; *(uint8_t*)0x2000157a = 0; *(uint8_t*)0x2000157b = 1; *(uint16_t*)0x2000157c = 5; *(uint16_t*)0x2000157e = 3; *(uint8_t*)0x20001580 = 0xa; *(uint16_t*)0x20001584 = 6; *(uint16_t*)0x20001586 = 1; *(uint16_t*)0x20001588 = 2; *(uint16_t*)0x2000158c = 8; *(uint16_t*)0x2000158e = 2; *(uint8_t*)0x20001590 = 0xac; *(uint8_t*)0x20001591 = 0x14; *(uint8_t*)0x20001592 = 0x14; *(uint8_t*)0x20001593 = 0xaa; *(uint16_t*)0x20001594 = 5; *(uint16_t*)0x20001596 = 3; *(uint8_t*)0x20001598 = 1; *(uint16_t*)0x2000159c = 6; *(uint16_t*)0x2000159e = 1; *(uint16_t*)0x200015a0 = 2; *(uint16_t*)0x200015a4 = 8; *(uint16_t*)0x200015a6 = 2; *(uint32_t*)0x200015a8 = htobe32(0x7f000001); *(uint16_t*)0x200015ac = 5; *(uint16_t*)0x200015ae = 3; *(uint8_t*)0x200015b0 = 9; *(uint16_t*)0x200015b4 = 6; *(uint16_t*)0x200015b6 = 1; *(uint16_t*)0x200015b8 = 0xa; *(uint16_t*)0x200015bc = 0x14; *(uint16_t*)0x200015be = 2; *(uint8_t*)0x200015c0 = -1; *(uint8_t*)0x200015c1 = 1; *(uint8_t*)0x200015c2 = 0; *(uint8_t*)0x200015c3 = 0; *(uint8_t*)0x200015c4 = 0; *(uint8_t*)0x200015c5 = 0; *(uint8_t*)0x200015c6 = 0; *(uint8_t*)0x200015c7 = 0; *(uint8_t*)0x200015c8 = 0; *(uint8_t*)0x200015c9 = 0; *(uint8_t*)0x200015ca = 0; *(uint8_t*)0x200015cb = 0; *(uint8_t*)0x200015cc = 0; *(uint8_t*)0x200015cd = 0; *(uint8_t*)0x200015ce = 0; *(uint8_t*)0x200015cf = 1; *(uint16_t*)0x200015d0 = 5; *(uint16_t*)0x200015d2 = 3; *(uint8_t*)0x200015d4 = 0x77; *(uint16_t*)0x200015d8 = 6; *(uint16_t*)0x200015da 
= 1; *(uint16_t*)0x200015dc = 2; *(uint16_t*)0x200015e0 = 8; *(uint16_t*)0x200015e2 = 2; *(uint8_t*)0x200015e4 = 0xac; *(uint8_t*)0x200015e5 = 0x14; *(uint8_t*)0x200015e6 = 0x14; *(uint8_t*)0x200015e7 = 0xaa; *(uint16_t*)0x200015e8 = 5; *(uint16_t*)0x200015ea = 3; *(uint8_t*)0x200015ec = 6; *(uint16_t*)0x200015f0 = 6; *(uint16_t*)0x200015f2 = 1; *(uint16_t*)0x200015f4 = 0xa; *(uint16_t*)0x200015f8 = 0x14; *(uint16_t*)0x200015fa = 2; *(uint8_t*)0x200015fc = 0xfe; *(uint8_t*)0x200015fd = 0x80; *(uint8_t*)0x200015fe = 0; *(uint8_t*)0x200015ff = 0; *(uint8_t*)0x20001600 = 0; *(uint8_t*)0x20001601 = 0; *(uint8_t*)0x20001602 = 0; *(uint8_t*)0x20001603 = 0; *(uint8_t*)0x20001604 = 0; *(uint8_t*)0x20001605 = 0; *(uint8_t*)0x20001606 = 0; *(uint8_t*)0x20001607 = 0; *(uint8_t*)0x20001608 = 0; *(uint8_t*)0x20001609 = 0; *(uint8_t*)0x2000160a = 0; *(uint8_t*)0x2000160b = 0xbb; *(uint16_t*)0x2000160c = 5; *(uint16_t*)0x2000160e = 3; *(uint8_t*)0x20001610 = 0x55; *(uint16_t*)0x20001614 = 6; *(uint16_t*)0x20001616 = 1; *(uint16_t*)0x20001618 = 0xa; *(uint16_t*)0x2000161c = 0x14; *(uint16_t*)0x2000161e = 2; *(uint8_t*)0x20001620 = 0xfe; *(uint8_t*)0x20001621 = 0x80; *(uint8_t*)0x20001622 = 0; *(uint8_t*)0x20001623 = 0; *(uint8_t*)0x20001624 = 0; *(uint8_t*)0x20001625 = 0; *(uint8_t*)0x20001626 = 0; *(uint8_t*)0x20001627 = 0; *(uint8_t*)0x20001628 = 0; *(uint8_t*)0x20001629 = 0; *(uint8_t*)0x2000162a = 0; *(uint8_t*)0x2000162b = 0; *(uint8_t*)0x2000162c = 0; *(uint8_t*)0x2000162d = 0; *(uint8_t*)0x2000162e = 0; *(uint8_t*)0x2000162f = 0x32; *(uint16_t*)0x20001630 = 5; *(uint16_t*)0x20001632 = 3; *(uint8_t*)0x20001634 = 0x55; *(uint16_t*)0x20001638 = 6; *(uint16_t*)0x2000163a = 1; *(uint16_t*)0x2000163c = 0xa; *(uint16_t*)0x20001640 = 0x14; *(uint16_t*)0x20001642 = 2; *(uint8_t*)0x20001644 = 0xfe; *(uint8_t*)0x20001645 = 0x80; *(uint8_t*)0x20001646 = 0; *(uint8_t*)0x20001647 = 0; *(uint8_t*)0x20001648 = 0; *(uint8_t*)0x20001649 = 0; *(uint8_t*)0x2000164a = 0; *(uint8_t*)0x2000164b = 
0; *(uint8_t*)0x2000164c = 0; *(uint8_t*)0x2000164d = 0; *(uint8_t*)0x2000164e = 0; *(uint8_t*)0x2000164f = 0; *(uint8_t*)0x20001650 = 0; *(uint8_t*)0x20001651 = 0; *(uint8_t*)0x20001652 = 0; *(uint8_t*)0x20001653 = 0xaa; *(uint16_t*)0x20001654 = 5; *(uint16_t*)0x20001656 = 3; *(uint8_t*)0x20001658 = 1; *(uint16_t*)0x2000165c = 0x7c; STORE_BY_BITMASK(uint16_t, , 0x2000165e, 0, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x2000165f, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x2000165f, 1, 7, 1); *(uint16_t*)0x20001660 = 6; *(uint16_t*)0x20001662 = 1; *(uint16_t*)0x20001664 = 2; *(uint16_t*)0x20001668 = 8; *(uint16_t*)0x2000166a = 2; *(uint32_t*)0x2000166c = htobe32(0x7f000001); *(uint16_t*)0x20001670 = 5; *(uint16_t*)0x20001672 = 3; *(uint8_t*)0x20001674 = 0xe; *(uint16_t*)0x20001678 = 6; *(uint16_t*)0x2000167a = 1; *(uint16_t*)0x2000167c = 2; *(uint16_t*)0x20001680 = 8; *(uint16_t*)0x20001682 = 2; *(uint32_t*)0x20001684 = htobe32(3); *(uint16_t*)0x20001688 = 5; *(uint16_t*)0x2000168a = 3; *(uint8_t*)0x2000168c = 7; *(uint16_t*)0x20001690 = 6; *(uint16_t*)0x20001692 = 1; *(uint16_t*)0x20001694 = 2; *(uint16_t*)0x20001698 = 8; *(uint16_t*)0x2000169a = 2; *(uint8_t*)0x2000169c = 0xac; *(uint8_t*)0x2000169d = 0x14; *(uint8_t*)0x2000169e = 0x14; *(uint8_t*)0x2000169f = 0xbb; *(uint16_t*)0x200016a0 = 5; *(uint16_t*)0x200016a2 = 3; *(uint8_t*)0x200016a4 = 6; *(uint16_t*)0x200016a8 = 6; *(uint16_t*)0x200016aa = 1; *(uint16_t*)0x200016ac = 2; *(uint16_t*)0x200016b0 = 8; *(uint16_t*)0x200016b2 = 2; *(uint32_t*)0x200016b4 = htobe32(-1); *(uint16_t*)0x200016b8 = 5; *(uint16_t*)0x200016ba = 3; *(uint8_t*)0x200016bc = 0x1a; *(uint16_t*)0x200016c0 = 6; *(uint16_t*)0x200016c2 = 1; *(uint16_t*)0x200016c4 = 2; *(uint16_t*)0x200016c8 = 8; *(uint16_t*)0x200016ca = 2; *(uint8_t*)0x200016cc = 0xac; *(uint8_t*)0x200016cd = 0x1e; *(uint8_t*)0x200016ce = 0; *(uint8_t*)0x200016cf = 1; *(uint16_t*)0x200016d0 = 5; *(uint16_t*)0x200016d2 = 3; *(uint8_t*)0x200016d4 = 0x1b; *(uint16_t*)0x200016d8 = 0x94; 
STORE_BY_BITMASK(uint16_t, , 0x200016da, 0, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x200016db, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x200016db, 1, 7, 1); *(uint16_t*)0x200016dc = 6; *(uint16_t*)0x200016de = 1; *(uint16_t*)0x200016e0 = 0xa; *(uint16_t*)0x200016e4 = 0x14; *(uint16_t*)0x200016e6 = 2; *(uint8_t*)0x200016e8 = 0xfe; *(uint8_t*)0x200016e9 = 0x80; *(uint8_t*)0x200016ea = 0; *(uint8_t*)0x200016eb = 0; *(uint8_t*)0x200016ec = 0; *(uint8_t*)0x200016ed = 0; *(uint8_t*)0x200016ee = 0; *(uint8_t*)0x200016ef = 0; *(uint8_t*)0x200016f0 = 0; *(uint8_t*)0x200016f1 = 0; *(uint8_t*)0x200016f2 = 0; *(uint8_t*)0x200016f3 = 0; *(uint8_t*)0x200016f4 = 0; *(uint8_t*)0x200016f5 = 0; *(uint8_t*)0x200016f6 = 0; *(uint8_t*)0x200016f7 = 0xaa; *(uint16_t*)0x200016f8 = 5; *(uint16_t*)0x200016fa = 3; *(uint8_t*)0x200016fc = 0x77; *(uint16_t*)0x20001700 = 6; *(uint16_t*)0x20001702 = 1; *(uint16_t*)0x20001704 = 2; *(uint16_t*)0x20001708 = 8; *(uint16_t*)0x2000170a = 2; *(uint8_t*)0x2000170c = 0xac; *(uint8_t*)0x2000170d = 0x14; *(uint8_t*)0x2000170e = 0x14; *(uint8_t*)0x2000170f = 0x1d; *(uint16_t*)0x20001710 = 5; *(uint16_t*)0x20001712 = 3; *(uint8_t*)0x20001714 = 9; *(uint16_t*)0x20001718 = 6; *(uint16_t*)0x2000171a = 1; *(uint16_t*)0x2000171c = 2; *(uint16_t*)0x20001720 = 8; *(uint16_t*)0x20001722 = 2; *(uint8_t*)0x20001724 = 0xac; *(uint8_t*)0x20001725 = 0x14; *(uint8_t*)0x20001726 = 0x14; *(uint8_t*)0x20001727 = 0xbb; *(uint16_t*)0x20001728 = 5; *(uint16_t*)0x2000172a = 3; *(uint8_t*)0x2000172c = 0xc; *(uint16_t*)0x20001730 = 6; *(uint16_t*)0x20001732 = 1; *(uint16_t*)0x20001734 = 0xa; *(uint16_t*)0x20001738 = 0x14; *(uint16_t*)0x2000173a = 2; *(uint8_t*)0x2000173c = -1; *(uint8_t*)0x2000173d = 1; *(uint8_t*)0x2000173e = 0; *(uint8_t*)0x2000173f = 0; *(uint8_t*)0x20001740 = 0; *(uint8_t*)0x20001741 = 0; *(uint8_t*)0x20001742 = 0; *(uint8_t*)0x20001743 = 0; *(uint8_t*)0x20001744 = 0; *(uint8_t*)0x20001745 = 0; *(uint8_t*)0x20001746 = 0; *(uint8_t*)0x20001747 = 0; 
*(uint8_t*)0x20001748 = 0; *(uint8_t*)0x20001749 = 0; *(uint8_t*)0x2000174a = 0; *(uint8_t*)0x2000174b = 1; *(uint16_t*)0x2000174c = 5; *(uint16_t*)0x2000174e = 3; *(uint8_t*)0x20001750 = 0x11; *(uint16_t*)0x20001754 = 6; *(uint16_t*)0x20001756 = 1; *(uint16_t*)0x20001758 = 2; *(uint16_t*)0x2000175c = 8; *(uint16_t*)0x2000175e = 2; *(uint32_t*)0x20001760 = htobe32(0xa0000000); *(uint16_t*)0x20001764 = 5; *(uint16_t*)0x20001766 = 3; *(uint8_t*)0x20001768 = 3; *(uint16_t*)0x2000176c = 0x4c; STORE_BY_BITMASK(uint16_t, , 0x2000176e, 0, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x2000176f, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x2000176f, 1, 7, 1); *(uint16_t*)0x20001770 = 6; *(uint16_t*)0x20001772 = 1; *(uint16_t*)0x20001774 = 0xa; *(uint16_t*)0x20001778 = 0x14; *(uint16_t*)0x2000177a = 2; *(uint8_t*)0x2000177c = 0xfe; *(uint8_t*)0x2000177d = 0x80; *(uint8_t*)0x2000177e = 0; *(uint8_t*)0x2000177f = 0; *(uint8_t*)0x20001780 = 0; *(uint8_t*)0x20001781 = 0; *(uint8_t*)0x20001782 = 0; *(uint8_t*)0x20001783 = 0; *(uint8_t*)0x20001784 = 0; *(uint8_t*)0x20001785 = 0; *(uint8_t*)0x20001786 = 0; *(uint8_t*)0x20001787 = 0; *(uint8_t*)0x20001788 = 0; *(uint8_t*)0x20001789 = 0; *(uint8_t*)0x2000178a = 0; *(uint8_t*)0x2000178b = 0xaa; *(uint16_t*)0x2000178c = 5; *(uint16_t*)0x2000178e = 3; *(uint8_t*)0x20001790 = 0x60; *(uint16_t*)0x20001794 = 6; *(uint16_t*)0x20001796 = 1; *(uint16_t*)0x20001798 = 0xa; *(uint16_t*)0x2000179c = 0x14; *(uint16_t*)0x2000179e = 2; *(uint8_t*)0x200017a0 = -1; *(uint8_t*)0x200017a1 = 2; *(uint8_t*)0x200017a2 = 0; *(uint8_t*)0x200017a3 = 0; *(uint8_t*)0x200017a4 = 0; *(uint8_t*)0x200017a5 = 0; *(uint8_t*)0x200017a6 = 0; *(uint8_t*)0x200017a7 = 0; *(uint8_t*)0x200017a8 = 0; *(uint8_t*)0x200017a9 = 0; *(uint8_t*)0x200017aa = 0; *(uint8_t*)0x200017ab = 0; *(uint8_t*)0x200017ac = 0; *(uint8_t*)0x200017ad = 0; *(uint8_t*)0x200017ae = 0; *(uint8_t*)0x200017af = 1; *(uint16_t*)0x200017b0 = 5; *(uint16_t*)0x200017b2 = 3; *(uint8_t*)0x200017b4 = 0x23; 
*(uint16_t*)0x200017b8 = 0xdc; STORE_BY_BITMASK(uint16_t, , 0x200017ba, 0, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x200017bb, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x200017bb, 1, 7, 1); *(uint16_t*)0x200017bc = 6; *(uint16_t*)0x200017be = 1; *(uint16_t*)0x200017c0 = 2; *(uint16_t*)0x200017c4 = 8; *(uint16_t*)0x200017c6 = 2; *(uint32_t*)0x200017c8 = htobe32(-1); *(uint16_t*)0x200017cc = 5; *(uint16_t*)0x200017ce = 3; *(uint8_t*)0x200017d0 = 0x1a; *(uint16_t*)0x200017d4 = 6; *(uint16_t*)0x200017d6 = 1; *(uint16_t*)0x200017d8 = 2; *(uint16_t*)0x200017dc = 8; *(uint16_t*)0x200017de = 2; *(uint8_t*)0x200017e0 = 0xac; *(uint8_t*)0x200017e1 = 0x14; *(uint8_t*)0x200017e2 = 0x14; *(uint8_t*)0x200017e3 = 0xaa; *(uint16_t*)0x200017e4 = 5; *(uint16_t*)0x200017e6 = 3; *(uint8_t*)0x200017e8 = 0xc; *(uint16_t*)0x200017ec = 6; *(uint16_t*)0x200017ee = 1; *(uint16_t*)0x200017f0 = 0xa; *(uint16_t*)0x200017f4 = 0x14; *(uint16_t*)0x200017f6 = 2; *(uint8_t*)0x200017f8 = -1; *(uint8_t*)0x200017f9 = 1; *(uint8_t*)0x200017fa = 0; *(uint8_t*)0x200017fb = 0; *(uint8_t*)0x200017fc = 0; *(uint8_t*)0x200017fd = 0; *(uint8_t*)0x200017fe = 0; *(uint8_t*)0x200017ff = 0; *(uint8_t*)0x20001800 = 0; *(uint8_t*)0x20001801 = 0; *(uint8_t*)0x20001802 = 0; *(uint8_t*)0x20001803 = 0; *(uint8_t*)0x20001804 = 0; *(uint8_t*)0x20001805 = 0; *(uint8_t*)0x20001806 = 0; *(uint8_t*)0x20001807 = 1; *(uint16_t*)0x20001808 = 5; *(uint16_t*)0x2000180a = 3; *(uint8_t*)0x2000180c = 0x7e; *(uint16_t*)0x20001810 = 6; *(uint16_t*)0x20001812 = 1; *(uint16_t*)0x20001814 = 0xa; *(uint16_t*)0x20001818 = 0x14; *(uint16_t*)0x2000181a = 2; memcpy((void*)0x2000181c, "\xd4\xc2\x0d\xf9\x60\x30\x1b\x9b\x57\xda\xdc\x76\x9b\xdc\xed\x69", 16); *(uint16_t*)0x2000182c = 5; *(uint16_t*)0x2000182e = 3; *(uint8_t*)0x20001830 = 4; *(uint16_t*)0x20001834 = 6; *(uint16_t*)0x20001836 = 1; *(uint16_t*)0x20001838 = 2; *(uint16_t*)0x2000183c = 8; *(uint16_t*)0x2000183e = 2; *(uint8_t*)0x20001840 = 0xac; *(uint8_t*)0x20001841 = 0x1e; 
*(uint8_t*)0x20001842 = 0; *(uint8_t*)0x20001843 = 1; *(uint16_t*)0x20001844 = 5; *(uint16_t*)0x20001846 = 3; *(uint8_t*)0x20001848 = 7; *(uint16_t*)0x2000184c = 6; *(uint16_t*)0x2000184e = 1; *(uint16_t*)0x20001850 = 2; *(uint16_t*)0x20001854 = 8; *(uint16_t*)0x20001856 = 2; *(uint8_t*)0x20001858 = 0xac; *(uint8_t*)0x20001859 = 0x14; *(uint8_t*)0x2000185a = 0x14; *(uint8_t*)0x2000185b = 0xaa; *(uint16_t*)0x2000185c = 5; *(uint16_t*)0x2000185e = 3; *(uint8_t*)0x20001860 = 0x1c; *(uint16_t*)0x20001864 = 6; *(uint16_t*)0x20001866 = 1; *(uint16_t*)0x20001868 = 2; *(uint16_t*)0x2000186c = 8; *(uint16_t*)0x2000186e = 2; *(uint32_t*)0x20001870 = htobe32(0xe0000002); *(uint16_t*)0x20001874 = 5; *(uint16_t*)0x20001876 = 3; *(uint8_t*)0x20001878 = 0; *(uint16_t*)0x2000187c = 6; *(uint16_t*)0x2000187e = 1; *(uint16_t*)0x20001880 = 2; *(uint16_t*)0x20001884 = 8; *(uint16_t*)0x20001886 = 2; *(uint32_t*)0x20001888 = htobe32(8); *(uint16_t*)0x2000188c = 5; *(uint16_t*)0x2000188e = 3; *(uint8_t*)0x20001890 = 0x1b; *(uint16_t*)0x20001894 = 0x28; STORE_BY_BITMASK(uint16_t, , 0x20001896, 0, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x20001897, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x20001897, 1, 7, 1); *(uint16_t*)0x20001898 = 6; *(uint16_t*)0x2000189a = 1; *(uint16_t*)0x2000189c = 0xa; *(uint16_t*)0x200018a0 = 0x14; *(uint16_t*)0x200018a2 = 2; *(uint8_t*)0x200018a4 = 0xfe; *(uint8_t*)0x200018a5 = 0x80; *(uint8_t*)0x200018a6 = 0; *(uint8_t*)0x200018a7 = 0; *(uint8_t*)0x200018a8 = 0; *(uint8_t*)0x200018a9 = 0; *(uint8_t*)0x200018aa = 0; *(uint8_t*)0x200018ab = 0; *(uint8_t*)0x200018ac = 0; *(uint8_t*)0x200018ad = 0; *(uint8_t*)0x200018ae = 0; *(uint8_t*)0x200018af = 0; *(uint8_t*)0x200018b0 = 0; *(uint8_t*)0x200018b1 = 0; *(uint8_t*)0x200018b2 = 0; *(uint8_t*)0x200018b3 = 0x2b; *(uint16_t*)0x200018b4 = 5; *(uint16_t*)0x200018b6 = 3; *(uint8_t*)0x200018b8 = 0xc; *(uint16_t*)0x200018bc = 0x130; STORE_BY_BITMASK(uint16_t, , 0x200018be, 0, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x200018bf, 0, 
6, 1); STORE_BY_BITMASK(uint16_t, , 0x200018bf, 1, 7, 1); *(uint16_t*)0x200018c0 = 6; *(uint16_t*)0x200018c2 = 1; *(uint16_t*)0x200018c4 = 0xa; *(uint16_t*)0x200018c8 = 0x14; *(uint16_t*)0x200018ca = 2; *(uint8_t*)0x200018cc = 0xfe; *(uint8_t*)0x200018cd = 0x80; *(uint8_t*)0x200018ce = 0; *(uint8_t*)0x200018cf = 0; *(uint8_t*)0x200018d0 = 0; *(uint8_t*)0x200018d1 = 0; *(uint8_t*)0x200018d2 = 0; *(uint8_t*)0x200018d3 = 0; *(uint8_t*)0x200018d4 = 0; *(uint8_t*)0x200018d5 = 0; *(uint8_t*)0x200018d6 = 0; *(uint8_t*)0x200018d7 = 0; *(uint8_t*)0x200018d8 = 0; *(uint8_t*)0x200018d9 = 0; *(uint8_t*)0x200018da = 0; *(uint8_t*)0x200018db = 0xc; *(uint16_t*)0x200018dc = 5; *(uint16_t*)0x200018de = 3; *(uint8_t*)0x200018e0 = 0xb; *(uint16_t*)0x200018e4 = 6; *(uint16_t*)0x200018e6 = 1; *(uint16_t*)0x200018e8 = 0xa; *(uint16_t*)0x200018ec = 0x14; *(uint16_t*)0x200018ee = 2; *(uint8_t*)0x200018f0 = 0xfe; *(uint8_t*)0x200018f1 = 0x80; *(uint8_t*)0x200018f2 = 0; *(uint8_t*)0x200018f3 = 0; *(uint8_t*)0x200018f4 = 0; *(uint8_t*)0x200018f5 = 0; *(uint8_t*)0x200018f6 = 0; *(uint8_t*)0x200018f7 = 0; *(uint8_t*)0x200018f8 = 0; *(uint8_t*)0x200018f9 = 0; *(uint8_t*)0x200018fa = 0; *(uint8_t*)0x200018fb = 0; *(uint8_t*)0x200018fc = 0; *(uint8_t*)0x200018fd = 0; *(uint8_t*)0x200018fe = 0; *(uint8_t*)0x200018ff = 0xaa; *(uint16_t*)0x20001900 = 5; *(uint16_t*)0x20001902 = 3; *(uint8_t*)0x20001904 = 0x71; *(uint16_t*)0x20001908 = 6; *(uint16_t*)0x2000190a = 1; *(uint16_t*)0x2000190c = 0xa; *(uint16_t*)0x20001910 = 0x14; *(uint16_t*)0x20001912 = 2; *(uint8_t*)0x20001914 = -1; *(uint8_t*)0x20001915 = 1; *(uint8_t*)0x20001916 = 0; *(uint8_t*)0x20001917 = 0; *(uint8_t*)0x20001918 = 0; *(uint8_t*)0x20001919 = 0; *(uint8_t*)0x2000191a = 0; *(uint8_t*)0x2000191b = 0; *(uint8_t*)0x2000191c = 0; *(uint8_t*)0x2000191d = 0; *(uint8_t*)0x2000191e = 0; *(uint8_t*)0x2000191f = 0; *(uint8_t*)0x20001920 = 0; *(uint8_t*)0x20001921 = 0; *(uint8_t*)0x20001922 = 0; *(uint8_t*)0x20001923 = 1; 
*(uint16_t*)0x20001924 = 5; *(uint16_t*)0x20001926 = 3; *(uint8_t*)0x20001928 = 7; *(uint16_t*)0x2000192c = 6; *(uint16_t*)0x2000192e = 1; *(uint16_t*)0x20001930 = 0xa; *(uint16_t*)0x20001934 = 0x14; *(uint16_t*)0x20001936 = 2; *(uint8_t*)0x20001938 = 0xfe; *(uint8_t*)0x20001939 = 0x80; *(uint8_t*)0x2000193a = 0; *(uint8_t*)0x2000193b = 0; *(uint8_t*)0x2000193c = 0; *(uint8_t*)0x2000193d = 0; *(uint8_t*)0x2000193e = 0; *(uint8_t*)0x2000193f = 0; *(uint8_t*)0x20001940 = 0; *(uint8_t*)0x20001941 = 0; *(uint8_t*)0x20001942 = 0; *(uint8_t*)0x20001943 = 0; *(uint8_t*)0x20001944 = 0; *(uint8_t*)0x20001945 = 0; *(uint8_t*)0x20001946 = 0; *(uint8_t*)0x20001947 = 0xaa; *(uint16_t*)0x20001948 = 5; *(uint16_t*)0x2000194a = 3; *(uint8_t*)0x2000194c = 0x2b; *(uint16_t*)0x20001950 = 6; *(uint16_t*)0x20001952 = 1; *(uint16_t*)0x20001954 = 2; *(uint16_t*)0x20001958 = 8; *(uint16_t*)0x2000195a = 2; *(uint8_t*)0x2000195c = 0xac; *(uint8_t*)0x2000195d = 0x14; *(uint8_t*)0x2000195e = 0x14; *(uint8_t*)0x2000195f = 0x31; *(uint16_t*)0x20001960 = 5; *(uint16_t*)0x20001962 = 3; *(uint8_t*)0x20001964 = 0xf; *(uint16_t*)0x20001968 = 6; *(uint16_t*)0x2000196a = 1; *(uint16_t*)0x2000196c = 2; *(uint16_t*)0x20001970 = 8; *(uint16_t*)0x20001972 = 2; *(uint8_t*)0x20001974 = 0xac; *(uint8_t*)0x20001975 = 0x14; *(uint8_t*)0x20001976 = 0x14; *(uint8_t*)0x20001977 = 0xaa; *(uint16_t*)0x20001978 = 5; *(uint16_t*)0x2000197a = 3; *(uint8_t*)0x2000197c = 0x19; *(uint16_t*)0x20001980 = 6; *(uint16_t*)0x20001982 = 1; *(uint16_t*)0x20001984 = 0xa; *(uint16_t*)0x20001988 = 0x14; *(uint16_t*)0x2000198a = 2; *(uint8_t*)0x2000198c = 0xfe; *(uint8_t*)0x2000198d = 0x80; *(uint8_t*)0x2000198e = 0; *(uint8_t*)0x2000198f = 0; *(uint8_t*)0x20001990 = 0; *(uint8_t*)0x20001991 = 0; *(uint8_t*)0x20001992 = 0; *(uint8_t*)0x20001993 = 0; *(uint8_t*)0x20001994 = 0; *(uint8_t*)0x20001995 = 0; *(uint8_t*)0x20001996 = 0; *(uint8_t*)0x20001997 = 0; *(uint8_t*)0x20001998 = 0; *(uint8_t*)0x20001999 = 0; *(uint8_t*)0x2000199a = 
0; *(uint8_t*)0x2000199b = 0x42; *(uint16_t*)0x2000199c = 5; *(uint16_t*)0x2000199e = 3; *(uint8_t*)0x200019a0 = 0x2f; *(uint16_t*)0x200019a4 = 6; *(uint16_t*)0x200019a6 = 1; *(uint16_t*)0x200019a8 = 0xa; *(uint16_t*)0x200019ac = 0x14; *(uint16_t*)0x200019ae = 2; *(uint8_t*)0x200019b0 = -1; *(uint8_t*)0x200019b1 = 1; *(uint8_t*)0x200019b2 = 0; *(uint8_t*)0x200019b3 = 0; *(uint8_t*)0x200019b4 = 0; *(uint8_t*)0x200019b5 = 0; *(uint8_t*)0x200019b6 = 0; *(uint8_t*)0x200019b7 = 0; *(uint8_t*)0x200019b8 = 0; *(uint8_t*)0x200019b9 = 0; *(uint8_t*)0x200019ba = 0; *(uint8_t*)0x200019bb = 0; *(uint8_t*)0x200019bc = 0; *(uint8_t*)0x200019bd = 0; *(uint8_t*)0x200019be = 0; *(uint8_t*)0x200019bf = 1; *(uint16_t*)0x200019c0 = 5; *(uint16_t*)0x200019c2 = 3; *(uint8_t*)0x200019c4 = 0x59; *(uint16_t*)0x200019c8 = 6; *(uint16_t*)0x200019ca = 1; *(uint16_t*)0x200019cc = 0xa; *(uint16_t*)0x200019d0 = 0x14; *(uint16_t*)0x200019d2 = 2; *(uint8_t*)0x200019d4 = 0xfe; *(uint8_t*)0x200019d5 = 0x80; *(uint8_t*)0x200019d6 = 0; *(uint8_t*)0x200019d7 = 0; *(uint8_t*)0x200019d8 = 0; *(uint8_t*)0x200019d9 = 0; *(uint8_t*)0x200019da = 0; *(uint8_t*)0x200019db = 0; *(uint8_t*)0x200019dc = 0; *(uint8_t*)0x200019dd = 0; *(uint8_t*)0x200019de = 0; *(uint8_t*)0x200019df = 0; *(uint8_t*)0x200019e0 = 0; *(uint8_t*)0x200019e1 = 0; *(uint8_t*)0x200019e2 = 0; *(uint8_t*)0x200019e3 = 0x3c; *(uint16_t*)0x200019e4 = 5; *(uint16_t*)0x200019e6 = 3; *(uint8_t*)0x200019e8 = 0x4f; *(uint16_t*)0x200019ec = 0xb8; STORE_BY_BITMASK(uint16_t, , 0x200019ee, 0, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x200019ef, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x200019ef, 1, 7, 1); *(uint16_t*)0x200019f0 = 6; *(uint16_t*)0x200019f2 = 1; *(uint16_t*)0x200019f4 = 2; *(uint16_t*)0x200019f8 = 8; *(uint16_t*)0x200019fa = 2; *(uint32_t*)0x200019fc = htobe32(-1); *(uint16_t*)0x20001a00 = 5; *(uint16_t*)0x20001a02 = 3; *(uint8_t*)0x20001a04 = 0x11; *(uint16_t*)0x20001a08 = 6; *(uint16_t*)0x20001a0a = 1; *(uint16_t*)0x20001a0c = 0xa; 
*(uint16_t*)0x20001a10 = 0x14; *(uint16_t*)0x20001a12 = 2; *(uint8_t*)0x20001a14 = 0xfe; *(uint8_t*)0x20001a15 = 0x80; *(uint8_t*)0x20001a16 = 0; *(uint8_t*)0x20001a17 = 0; *(uint8_t*)0x20001a18 = 0; *(uint8_t*)0x20001a19 = 0; *(uint8_t*)0x20001a1a = 0; *(uint8_t*)0x20001a1b = 0; *(uint8_t*)0x20001a1c = 0; *(uint8_t*)0x20001a1d = 0; *(uint8_t*)0x20001a1e = 0; *(uint8_t*)0x20001a1f = 0; *(uint8_t*)0x20001a20 = 0; *(uint8_t*)0x20001a21 = 0; *(uint8_t*)0x20001a22 = 0; *(uint8_t*)0x20001a23 = 0xaa; *(uint16_t*)0x20001a24 = 5; *(uint16_t*)0x20001a26 = 3; *(uint8_t*)0x20001a28 = 0xa; *(uint16_t*)0x20001a2c = 6; *(uint16_t*)0x20001a2e = 1; *(uint16_t*)0x20001a30 = 0xa; *(uint16_t*)0x20001a34 = 0x14; *(uint16_t*)0x20001a36 = 2; memcpy((void*)0x20001a38, "\x2c\xa3\x69\xbc\x05\xc2\x89\xac\xab\x19\xf0\xb6\xb6\x50\xe6\xfc", 16); *(uint16_t*)0x20001a48 = 5; *(uint16_t*)0x20001a4a = 3; *(uint8_t*)0x20001a4c = 0x35; *(uint16_t*)0x20001a50 = 6; *(uint16_t*)0x20001a52 = 1; *(uint16_t*)0x20001a54 = 0xa; *(uint16_t*)0x20001a58 = 0x14; *(uint16_t*)0x20001a5a = 2; *(uint8_t*)0x20001a5c = 0xfe; *(uint8_t*)0x20001a5d = 0x80; *(uint8_t*)0x20001a5e = 0; *(uint8_t*)0x20001a5f = 0; *(uint8_t*)0x20001a60 = 0; *(uint8_t*)0x20001a61 = 0; *(uint8_t*)0x20001a62 = 0; *(uint8_t*)0x20001a63 = 0; *(uint8_t*)0x20001a64 = 0; *(uint8_t*)0x20001a65 = 0; *(uint8_t*)0x20001a66 = 0; *(uint8_t*)0x20001a67 = 0; *(uint8_t*)0x20001a68 = 0; *(uint8_t*)0x20001a69 = 0; *(uint8_t*)0x20001a6a = 0; *(uint8_t*)0x20001a6b = 0xbb; *(uint16_t*)0x20001a6c = 5; *(uint16_t*)0x20001a6e = 3; *(uint8_t*)0x20001a70 = 0x54; *(uint16_t*)0x20001a74 = 6; *(uint16_t*)0x20001a76 = 1; *(uint16_t*)0x20001a78 = 2; *(uint16_t*)0x20001a7c = 8; *(uint16_t*)0x20001a7e = 2; *(uint32_t*)0x20001a80 = htobe32(0x7f000001); *(uint16_t*)0x20001a84 = 5; *(uint16_t*)0x20001a86 = 3; *(uint8_t*)0x20001a88 = 9; *(uint16_t*)0x20001a8c = 6; *(uint16_t*)0x20001a8e = 1; *(uint16_t*)0x20001a90 = 2; *(uint16_t*)0x20001a94 = 8; *(uint16_t*)0x20001a96 = 2; 
*(uint32_t*)0x20001a98 = htobe32(0xe0000002); *(uint16_t*)0x20001a9c = 5; *(uint16_t*)0x20001a9e = 3; *(uint8_t*)0x20001aa0 = 0x1c; *(uint16_t*)0x20001aa4 = 0x40; STORE_BY_BITMASK(uint16_t, , 0x20001aa6, 0, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x20001aa7, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x20001aa7, 1, 7, 1); *(uint16_t*)0x20001aa8 = 6; *(uint16_t*)0x20001aaa = 1; *(uint16_t*)0x20001aac = 0xa; *(uint16_t*)0x20001ab0 = 0x14; *(uint16_t*)0x20001ab2 = 2; *(uint8_t*)0x20001ab4 = 0; *(uint8_t*)0x20001ab5 = 0; *(uint8_t*)0x20001ab6 = 0; *(uint8_t*)0x20001ab7 = 0; *(uint8_t*)0x20001ab8 = 0; *(uint8_t*)0x20001ab9 = 0; *(uint8_t*)0x20001aba = 0; *(uint8_t*)0x20001abb = 0; *(uint8_t*)0x20001abc = 0; *(uint8_t*)0x20001abd = 0; *(uint8_t*)0x20001abe = -1; *(uint8_t*)0x20001abf = -1; *(uint8_t*)0x20001ac0 = 0xac; *(uint8_t*)0x20001ac1 = 0x14; *(uint8_t*)0x20001ac2 = 0x14; *(uint8_t*)0x20001ac3 = 0x42; *(uint16_t*)0x20001ac4 = 5; *(uint16_t*)0x20001ac6 = 3; *(uint8_t*)0x20001ac8 = 0x42; *(uint16_t*)0x20001acc = 6; *(uint16_t*)0x20001ace = 1; *(uint16_t*)0x20001ad0 = 2; *(uint16_t*)0x20001ad4 = 8; *(uint16_t*)0x20001ad6 = 2; *(uint32_t*)0x20001ad8 = htobe32(0xe0000001); *(uint16_t*)0x20001adc = 5; *(uint16_t*)0x20001ade = 3; *(uint8_t*)0x20001ae0 = 4; *(uint16_t*)0x20001ae4 = 0x94; STORE_BY_BITMASK(uint16_t, , 0x20001ae6, 0, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x20001ae7, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x20001ae7, 1, 7, 1); *(uint16_t*)0x20001ae8 = 6; *(uint16_t*)0x20001aea = 1; *(uint16_t*)0x20001aec = 0xa; *(uint16_t*)0x20001af0 = 0x14; *(uint16_t*)0x20001af2 = 2; *(uint8_t*)0x20001af4 = 0xfe; *(uint8_t*)0x20001af5 = 0x88; *(uint8_t*)0x20001af6 = 0; *(uint8_t*)0x20001af7 = 0; *(uint8_t*)0x20001af8 = 0; *(uint8_t*)0x20001af9 = 0; *(uint8_t*)0x20001afa = 0; *(uint8_t*)0x20001afb = 0; *(uint8_t*)0x20001afc = 0; *(uint8_t*)0x20001afd = 0; *(uint8_t*)0x20001afe = 0; *(uint8_t*)0x20001aff = 0; *(uint8_t*)0x20001b00 = 0; *(uint8_t*)0x20001b01 = 0; *(uint8_t*)0x20001b02 
= 1; *(uint8_t*)0x20001b03 = 1; *(uint16_t*)0x20001b04 = 5; *(uint16_t*)0x20001b06 = 3; *(uint8_t*)0x20001b08 = 0x64; *(uint16_t*)0x20001b0c = 6; *(uint16_t*)0x20001b0e = 1; *(uint16_t*)0x20001b10 = 0xa; *(uint16_t*)0x20001b14 = 0x14; *(uint16_t*)0x20001b16 = 2; *(uint8_t*)0x20001b18 = 0xfe; *(uint8_t*)0x20001b19 = 0x88; *(uint8_t*)0x20001b1a = 0; *(uint8_t*)0x20001b1b = 0; *(uint8_t*)0x20001b1c = 0; *(uint8_t*)0x20001b1d = 0; *(uint8_t*)0x20001b1e = 0; *(uint8_t*)0x20001b1f = 0; *(uint8_t*)0x20001b20 = 0; *(uint8_t*)0x20001b21 = 0; *(uint8_t*)0x20001b22 = 0; *(uint8_t*)0x20001b23 = 0; *(uint8_t*)0x20001b24 = 0; *(uint8_t*)0x20001b25 = 0; *(uint8_t*)0x20001b26 = 1; *(uint8_t*)0x20001b27 = 1; *(uint16_t*)0x20001b28 = 5; *(uint16_t*)0x20001b2a = 3; *(uint8_t*)0x20001b2c = 0x75; *(uint16_t*)0x20001b30 = 6; *(uint16_t*)0x20001b32 = 1; *(uint16_t*)0x20001b34 = 0xa; *(uint16_t*)0x20001b38 = 0x14; *(uint16_t*)0x20001b3a = 2; *(uint8_t*)0x20001b3c = 0xfe; *(uint8_t*)0x20001b3d = 0x80; *(uint8_t*)0x20001b3e = 0; *(uint8_t*)0x20001b3f = 0; *(uint8_t*)0x20001b40 = 0; *(uint8_t*)0x20001b41 = 0; *(uint8_t*)0x20001b42 = 0; *(uint8_t*)0x20001b43 = 0; *(uint8_t*)0x20001b44 = 0; *(uint8_t*)0x20001b45 = 0; *(uint8_t*)0x20001b46 = 0; *(uint8_t*)0x20001b47 = 0; *(uint8_t*)0x20001b48 = 0; *(uint8_t*)0x20001b49 = 0; *(uint8_t*)0x20001b4a = 0; *(uint8_t*)0x20001b4b = 0xbb; *(uint16_t*)0x20001b4c = 5; *(uint16_t*)0x20001b4e = 3; *(uint8_t*)0x20001b50 = 0x3d; *(uint16_t*)0x20001b54 = 6; *(uint16_t*)0x20001b56 = 1; *(uint16_t*)0x20001b58 = 0xa; *(uint16_t*)0x20001b5c = 0x14; *(uint16_t*)0x20001b5e = 2; *(uint8_t*)0x20001b60 = 0xfe; *(uint8_t*)0x20001b61 = 0x80; *(uint8_t*)0x20001b62 = 0; *(uint8_t*)0x20001b63 = 0; *(uint8_t*)0x20001b64 = 0; *(uint8_t*)0x20001b65 = 0; *(uint8_t*)0x20001b66 = 0; *(uint8_t*)0x20001b67 = 0; *(uint8_t*)0x20001b68 = 0; *(uint8_t*)0x20001b69 = 0; *(uint8_t*)0x20001b6a = 0; *(uint8_t*)0x20001b6b = 0; *(uint8_t*)0x20001b6c = 0; *(uint8_t*)0x20001b6d = 0; 
*(uint8_t*)0x20001b6e = 0; *(uint8_t*)0x20001b6f = 0xbb; *(uint16_t*)0x20001b70 = 5; *(uint16_t*)0x20001b72 = 3; *(uint8_t*)0x20001b74 = 0x1c; *(uint16_t*)0x20001b78 = 4; STORE_BY_BITMASK(uint16_t, , 0x20001b7a, 9, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x20001b7b, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x20001b7b, 1, 7, 1); *(uint16_t*)0x20001b7c = 6; *(uint16_t*)0x20001b7e = 5; *(uint16_t*)0x20001b80 = 3; *(uint16_t*)0x20001b84 = 8; *(uint16_t*)0x20001b86 = 3; *(uint32_t*)0x20001b88 = 3; *(uint16_t*)0x20001b8c = 0xc; STORE_BY_BITMASK(uint16_t, , 0x20001b8e, 0, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x20001b8f, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x20001b8f, 1, 7, 1); *(uint16_t*)0x20001b90 = 8; *(uint16_t*)0x20001b92 = 0xa; *(uint32_t*)0x20001b94 = 1; *(uint16_t*)0x20001b98 = 0x7c; STORE_BY_BITMASK(uint16_t, , 0x20001b9a, 0, 0, 14); STORE_BY_BITMASK(uint16_t, , 0x20001b9b, 0, 6, 1); STORE_BY_BITMASK(uint16_t, , 0x20001b9b, 1, 7, 1); *(uint16_t*)0x20001b9c = 0x20; *(uint16_t*)0x20001b9e = 4; *(uint16_t*)0x20001ba0 = 0xa; *(uint16_t*)0x20001ba2 = htobe16(0x4e20); *(uint32_t*)0x20001ba4 = htobe32(3); *(uint8_t*)0x20001ba8 = 0; *(uint8_t*)0x20001ba9 = 0; *(uint8_t*)0x20001baa = 0; *(uint8_t*)0x20001bab = 0; *(uint8_t*)0x20001bac = 0; *(uint8_t*)0x20001bad = 0; *(uint8_t*)0x20001bae = 0; *(uint8_t*)0x20001baf = 0; *(uint8_t*)0x20001bb0 = 0; *(uint8_t*)0x20001bb1 = 0; *(uint8_t*)0x20001bb2 = 0; *(uint8_t*)0x20001bb3 = 0; *(uint8_t*)0x20001bb4 = 0; *(uint8_t*)0x20001bb5 = 0; *(uint8_t*)0x20001bb6 = 0; *(uint8_t*)0x20001bb7 = 0; *(uint32_t*)0x20001bb8 = 0x20; *(uint16_t*)0x20001bbc = 0x24; *(uint16_t*)0x20001bbe = 1; *(uint8_t*)0x20001bc0 = 0xbb; *(uint8_t*)0x20001bc1 = 0xbb; *(uint8_t*)0x20001bc2 = 0xbb; *(uint8_t*)0x20001bc3 = 0xbb; *(uint8_t*)0x20001bc4 = 0xbb; *(uint8_t*)0x20001bc5 = 0xbb; *(uint8_t*)0x20001bc6 = 0xbb; *(uint8_t*)0x20001bc7 = 0xbb; *(uint8_t*)0x20001bc8 = 0xbb; *(uint8_t*)0x20001bc9 = 0xbb; *(uint8_t*)0x20001bca = 0xbb; *(uint8_t*)0x20001bcb = 0xbb; 
*(uint8_t*)0x20001bcc = 0xbb; *(uint8_t*)0x20001bcd = 0xbb; *(uint8_t*)0x20001bce = 0xbb; *(uint8_t*)0x20001bcf = 0xbb; *(uint8_t*)0x20001bd0 = 0xbb; *(uint8_t*)0x20001bd1 = 0xbb; *(uint8_t*)0x20001bd2 = 0xbb; *(uint8_t*)0x20001bd3 = 0xbb; *(uint8_t*)0x20001bd4 = 0xbb; *(uint8_t*)0x20001bd5 = 0xbb; *(uint8_t*)0x20001bd6 = 0xbb; *(uint8_t*)0x20001bd7 = 0xbb; *(uint8_t*)0x20001bd8 = 0xbb; *(uint8_t*)0x20001bd9 = 0xbb; *(uint8_t*)0x20001bda = 0xbb; *(uint8_t*)0x20001bdb = 0xbb; *(uint8_t*)0x20001bdc = 0xbb; *(uint8_t*)0x20001bdd = 0xbb; *(uint8_t*)0x20001bde = 0xbb; *(uint8_t*)0x20001bdf = 0xbb; *(uint16_t*)0x20001be0 = 6; *(uint16_t*)0x20001be2 = 5; *(uint16_t*)0x20001be4 = 2; *(uint16_t*)0x20001be8 = 0x24; *(uint16_t*)0x20001bea = 1; *(uint8_t*)0x20001bec = 0xbb; *(uint8_t*)0x20001bed = 0xbb; *(uint8_t*)0x20001bee = 0xbb; *(uint8_t*)0x20001bef = 0xbb; *(uint8_t*)0x20001bf0 = 0xbb; *(uint8_t*)0x20001bf1 = 0xbb; *(uint8_t*)0x20001bf2 = 0xbb; *(uint8_t*)0x20001bf3 = 0xbb; *(uint8_t*)0x20001bf4 = 0xbb; *(uint8_t*)0x20001bf5 = 0xbb; *(uint8_t*)0x20001bf6 = 0xbb; *(uint8_t*)0x20001bf7 = 0xbb; *(uint8_t*)0x20001bf8 = 0xbb; *(uint8_t*)0x20001bf9 = 0xbb; *(uint8_t*)0x20001bfa = 0xbb; *(uint8_t*)0x20001bfb = 0xbb; *(uint8_t*)0x20001bfc = 0xbb; *(uint8_t*)0x20001bfd = 0xbb; *(uint8_t*)0x20001bfe = 0xbb; *(uint8_t*)0x20001bff = 0xbb; *(uint8_t*)0x20001c00 = 0xbb; *(uint8_t*)0x20001c01 = 0xbb; *(uint8_t*)0x20001c02 = 0xbb; *(uint8_t*)0x20001c03 = 0xbb; *(uint8_t*)0x20001c04 = 0xbb; *(uint8_t*)0x20001c05 = 0xbb; *(uint8_t*)0x20001c06 = 0xbb; *(uint8_t*)0x20001c07 = 0xbb; *(uint8_t*)0x20001c08 = 0xbb; *(uint8_t*)0x20001c09 = 0xbb; *(uint8_t*)0x20001c0a = 0xbb; *(uint8_t*)0x20001c0b = 0xbb; *(uint16_t*)0x20001c0c = 8; *(uint16_t*)0x20001c0e = 0xa; *(uint32_t*)0x20001c10 = 1; *(uint64_t*)0x20001308 = 0x894; *(uint64_t*)0x20001358 = 1; *(uint64_t*)0x20001360 = 0; *(uint64_t*)0x20001368 = 0; *(uint32_t*)0x20001370 = 0; syscall(__NR_sendmsg, r[0], 0x20001340ul, 0ul); res = 
syscall(__NR_socket, 0x10ul, 3ul, 0x10ul); // completes the "res =" assignment that starts on the previous line
  // socket(0x10, 3, 0x10): on Linux these values are AF_NETLINK, SOCK_RAW and
  // NETLINK_GENERIC, i.e. a generic-netlink socket. Its fd is kept in r[2]
  // only when the call succeeded.
  if (res != -1)
    r[2] = res;
  // Family name "wireguard" (NUL-terminated, 10 bytes) is placed in the
  // scratch mapping and handed to syz_genetlink_get_family_id(), which is
  // defined outside this view - presumably it resolves the generic-netlink
  // family id; confirm against the helper. The result is kept in r[3].
  memcpy((void*)0x20000480, "wireguard\000", 10);
  res = syz_genetlink_get_family_id(0x20000480);
  if (res != -1)
    r[3] = res;
  // Raw stores at 0x20001340: this address is later passed to sendmsg as its
  // message-header argument. The offsets match a struct msghdr on a 64-bit
  // Linux ABI (name, namelen, iov, iovlen, control, controllen, flags) -
  // layout inferred from the offsets, not from a declaration in view.
  *(uint64_t*)0x20001340 = 0;
  *(uint32_t*)0x20001348 = 0;
  *(uint64_t*)0x20001350 = 0x20001300; // pointer to the single iovec
  *(uint64_t*)0x20001300 = 0x20000080; // iovec base: start of the netlink message
  // Netlink message header at 0x20000080: total length 0x4c, message type
  // taken from r[3], flags 1 (NLM_F_REQUEST on Linux), sequence 2, pid 0.
  // NOTE(review): if the family lookup failed, r[3] keeps whatever value it
  // had before - its initialiser is outside this view.
  *(uint32_t*)0x20000080 = 0x4c;
  *(uint16_t*)0x20000084 = r[3];
  *(uint16_t*)0x20000086 = 1;
  *(uint32_t*)0x20000088 = 2;
  *(uint32_t*)0x2000008c = 0;
  // Generic-netlink header: command 1, version 0, reserved 0. Command 1
  // matches WG_CMD_SET_DEVICE in the WireGuard uapi header - confirm against
  // the kernel version under test.
  *(uint8_t*)0x20000090 = 1;
  *(uint8_t*)0x20000091 = 0;
  *(uint16_t*)0x20000092 = 0;
  // Attribute: length 0x14 (4-byte header + 16 bytes), type 2, payload
  // "wireguard0" padded with NULs to 16 bytes. Type 2 matches
  // WGDEVICE_A_IFNAME in the same header - confirm.
  *(uint16_t*)0x20000094 = 0x14;
  *(uint16_t*)0x20000096 = 2;
  memcpy((void*)0x20000098, "wireguard0\000\000\000\000\000\000", 16);
  // Attribute: length 0x24 (4-byte header + 32 bytes), type 3, payload 32
  // bytes of the constant filler 0xbb. Type 3 matches WGDEVICE_A_PRIVATE_KEY
  // in the WireGuard uapi header - confirm. The filler is a fixed pattern
  // written by the generator, not key material from any real device.
  *(uint16_t*)0x200000a8 = 0x24;
  *(uint16_t*)0x200000aa = 3;
  *(uint8_t*)0x200000ac = 0xbb;
  *(uint8_t*)0x200000ad = 0xbb;
  *(uint8_t*)0x200000ae = 0xbb;
  *(uint8_t*)0x200000af = 0xbb;
  *(uint8_t*)0x200000b0 = 0xbb;
  *(uint8_t*)0x200000b1 = 0xbb;
  *(uint8_t*)0x200000b2 = 0xbb;
  *(uint8_t*)0x200000b3 = 0xbb;
  *(uint8_t*)0x200000b4 = 0xbb;
  *(uint8_t*)0x200000b5 = 0xbb;
  *(uint8_t*)0x200000b6 = 0xbb;
  *(uint8_t*)0x200000b7 = 0xbb;
  *(uint8_t*)0x200000b8 = 0xbb;
  *(uint8_t*)0x200000b9 = 0xbb;
  *(uint8_t*)0x200000ba = 0xbb;
  *(uint8_t*)0x200000bb = 0xbb;
  *(uint8_t*)0x200000bc = 0xbb;
  *(uint8_t*)0x200000bd = 0xbb;
  *(uint8_t*)0x200000be = 0xbb;
  *(uint8_t*)0x200000bf = 0xbb;
  *(uint8_t*)0x200000c0 = 0xbb;
  *(uint8_t*)0x200000c1 = 0xbb;
  *(uint8_t*)0x200000c2 = 0xbb;
  *(uint8_t*)0x200000c3 = 0xbb;
  *(uint8_t*)0x200000c4 = 0xbb;
  *(uint8_t*)0x200000c5 = 0xbb;
  *(uint8_t*)0x200000c6 = 0xbb;
  *(uint8_t*)0x200000c7 = 0xbb;
  *(uint8_t*)0x200000c8 = 0xbb;
  *(uint8_t*)0x200000c9 = 0xbb;
  *(uint8_t*)0x200000ca = 0xbb;
  *(uint8_t*)0x200000cb = 0xbb;
  // iovec length 0x4c equals the netlink length written above
  // (16 + 4 + 0x14 + 0x24); one iovec, no control data, message flags 0.
  *(uint64_t*)0x20001308 = 0x4c;
  *(uint64_t*)0x20001358 = 1;
  *(uint64_t*)0x20001360 = 0;
  *(uint64_t*)0x20001368 = 0;
  *(uint32_t*)0x20001370 = 0;
  // Send the request on the generic-netlink socket; the return value is
  // discarded, so a rejected request is not distinguishable here.
  syscall(__NR_sendmsg, r[2], 0x20001340ul, 0ul);
} // end of the function whose beginning lies outside this view

// Program entry point: maps the fixed scratch region that the hard-coded
// 0x2000xxxx stores write into, then calls do_sandbox_none() (defined outside
// this view - presumably it sets up the sandbox and runs the test; confirm).
// Always returns 0.
//
// mmap arguments: address 0x20000000, length 0x1000000 (16 MiB), prot 3
// (PROT_READ | PROT_WRITE), flags 0x32 (MAP_PRIVATE | MAP_ANONYMOUS |
// MAP_FIXED on Linux), fd -1, offset 0.
//
// NOTE(review): the mmap result is not checked. If the fixed mapping cannot
// be created, the first raw store faults and the run ends without reaching
// the code under test, which is easy to misread as a non-reproducing result.
// MAP_FIXED also replaces anything already mapped in that range.
int main(void)
{
  syscall(__NR_mmap, 0x20000000ul, 0x1000000ul, 3ul, 0x32ul, -1, 0);
  do_sandbox_none();
  return 0;
}