// https://syzkaller.appspot.com/bug?id=0c570137a55c72fd6ea1511e69f8170aa79459b6
// autogenerated by syzkaller (https://github.com/google/syzkaller)
//
// Review notes (added; not part of the generated file):
//  - This is a syzkaller C reproducer. main() maps a fixed 16 MiB region at
//    0x20000000, do_sandbox_none() forks a child that reconfigures its own
//    namespaces and rlimits and creates a set of `ip link` test devices, and
//    loop() then hand-assembles one generic-netlink message for the "TIPCv2"
//    family inside that region and sends it once with sendmsg(). The reply
//    (if any) is never read.
//  - The `#include` directives below lost their header names when this page
//    was extracted, so the file does not preprocess as shown; the original
//    reproducer at the link above carries the full header list.
//  - The child needs root (unshare of mount/net namespaces, `ip link add`) and,
//    like every syzkaller repro, is meant for a throwaway test kernel.
#define _GNU_SOURCE
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include

// vsnprintf() into str/size and abort the process (exit(1)) on a formatting
// error or on truncation (rv >= size): the command builders below must never
// run a truncated command.
static void vsnprintf_check(char* str, size_t size, const char* format,
                            va_list args)
{
  int rv;
  rv = vsnprintf(str, size, format, args);
  if (rv < 0)
    exit(1);
  if ((size_t)rv >= size)
    exit(1);
}

#define COMMAND_MAX_LEN 128
// Every shell command is prefixed with a fixed PATH so `ip` resolves the same
// way regardless of the caller's environment.
#define PATH_PREFIX \
  "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin "
#define PATH_PREFIX_LEN (sizeof(PATH_PREFIX) - 1)

// Format a shell command (PATH_PREFIX + printf-style format) into a stack
// buffer and run it through system(). A non-zero exit status exits the
// process only when panic is set; otherwise the failure is silently ignored.
// All callers in this file pass compile-time constant format strings and
// fixed device-name tables, so no external input reaches system().
static void execute_command(bool panic, const char* format, ...)
{
  va_list args;
  char command[PATH_PREFIX_LEN + COMMAND_MAX_LEN];
  int rv;
  va_start(args, format);
  memcpy(command, PATH_PREFIX, PATH_PREFIX_LEN);
  // vsnprintf_check() exits on truncation, so `command` is always
  // NUL-terminated when system() sees it.
  vsnprintf_check(command + PATH_PREFIX_LEN, COMMAND_MAX_LEN, format, args);
  va_end(args);
  rv = system(command);
  if (rv) {
    if (panic)
      exit(1);
  }
}

// Per-device address templates; %d / %02hx is filled with (index + 10).
#define DEV_IPV4 "172.20.20.%d"
#define DEV_IPV6 "fe80::%02hx"
#define DEV_MAC "aa:aa:aa:aa:aa:%02hx"

// Variadic front-end for vsnprintf_check(): same exit-on-error contract.
static void snprintf_check(char* str, size_t size, const char* format, ...)
{
  va_list args;
  va_start(args, format);
  vsnprintf_check(str, size, format, args);
  va_end(args);
}

// Create and bring up syzkaller's standard set of test network devices in
// the (new) network namespace using `ip`. Every command is run with panic=0,
// so a missing device type or an unsupported kernel option is tolerated.
static void initialize_netdevices(void)
{
  unsigned i;
  // One "<type>0" device is created per entry.
  const char* devtypes[] = {"ip6gretap", "bridge", "vcan", "bond", "team"};
  // Devices that receive IPv4/IPv6/MAC addresses and are brought up.
  const char* devnames[] = {"lo",
                            "sit0",
                            "bridge0",
                            "vcan0",
                            "tunl0",
                            "gre0",
                            "gretap0",
                            "ip_vti0",
                            "ip6_vti0",
                            "ip6tnl0",
                            "ip6gre0",
                            "ip6gretap0",
                            "erspan0",
                            "bond0",
                            "veth0",
                            "veth1",
                            "team0",
                            "veth0_to_bridge",
                            "veth1_to_bridge",
                            "veth0_to_bond",
                            "veth1_to_bond",
                            "veth0_to_team",
                            "veth1_to_team"};
  // Masters that get two veth "slave" pairs enslaved to "<master>0".
  const char* devmasters[] = {"bridge", "bond", "team"};
  for (i = 0; i < sizeof(devtypes) / (sizeof(devtypes[0])); i++)
    execute_command(0, "ip link add dev %s0 type %s", devtypes[i],
                    devtypes[i]);
  execute_command(0, "ip link add type veth");
  for (i = 0; i < sizeof(devmasters) / (sizeof(devmasters[0])); i++) {
    execute_command(
        0, "ip link add name %s_slave_0 type veth peer name veth0_to_%s",
        devmasters[i], devmasters[i]);
    execute_command(
        0, "ip link add name %s_slave_1 type veth peer name veth1_to_%s",
        devmasters[i], devmasters[i]);
    execute_command(0, "ip link set %s_slave_0 master %s0", devmasters[i],
                    devmasters[i]);
    execute_command(0, "ip link set %s_slave_1 master %s0", devmasters[i],
                    devmasters[i]);
    execute_command(0, "ip link set veth0_to_%s up", devmasters[i]);
    execute_command(0, "ip link set veth1_to_%s up", devmasters[i]);
  }
  execute_command(0, "ip link set bridge_slave_0 up");
  execute_command(0, "ip link set bridge_slave_1 up");
  for (i = 0; i < sizeof(devnames) / (sizeof(devnames[0])); i++) {
    char addr[32];
    snprintf_check(addr, sizeof(addr), DEV_IPV4, i + 10);
    execute_command(0, "ip -4 addr add %s/24 dev %s", addr, devnames[i]);
    snprintf_check(addr, sizeof(addr), DEV_IPV6, i + 10);
    execute_command(0, "ip -6 addr add %s/120 dev %s", addr, devnames[i]);
    snprintf_check(addr, sizeof(addr), DEV_MAC, i + 10);
    execute_command(0, "ip link set dev %s address %s", devnames[i], addr);
    execute_command(0, "ip link set dev %s up", devnames[i]);
  }
}

// Resolve a generic-netlink family name to its numeric family id.
//
// name: address of a NUL-terminated family name, passed as a long (loop()
//       calls this with 0x20000080 after copying "TIPCv2" there).
// Returns the 16-bit id from the CTRL_ATTR_FAMILY_ID attribute of the
// controller's reply, or -1 on socket/send/recv failure, on a reply whose
// type is not GENL_ID_CTRL (e.g. an error reply), or when no such attribute
// is found.
//
// NOTE(review): the attribute walk bounds each step only by
// `(char*)attr < buf + n`; it reads nla_type/nla_len before confirming the
// 4-byte nlattr header itself fits, and an nla_len of 0 would not advance
// `attr` (NLMSG_ALIGN(0) == 0). The reply comes from the kernel, so this is
// a robustness gap rather than an exploitable one in the repro, but it is
// the pattern a reviewer would tighten before reusing this helper on
// untrusted netlink input.
static long syz_genetlink_get_family_id(long name)
{
  // One 512-byte buffer is reused for both the request and the reply.
  char buf[512] = {0};
  struct nlmsghdr* hdr = (struct nlmsghdr*)buf;
  struct genlmsghdr* genlhdr = (struct genlmsghdr*)NLMSG_DATA(hdr);
  struct nlattr* attr = (struct nlattr*)(genlhdr + 1);
  // Request: nlmsghdr + genlmsghdr + one CTRL_ATTR_FAMILY_NAME attribute of
  // fixed GENL_NAMSIZ bytes.
  hdr->nlmsg_len =
      sizeof(*hdr) + sizeof(*genlhdr) + sizeof(*attr) + GENL_NAMSIZ;
  hdr->nlmsg_type = GENL_ID_CTRL;
  hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
  genlhdr->cmd = CTRL_CMD_GETFAMILY;
  attr->nla_type = CTRL_ATTR_FAMILY_NAME;
  attr->nla_len = sizeof(*attr) + GENL_NAMSIZ;
  // strncpy is intentional here: the attribute is a fixed GENL_NAMSIZ field
  // and `buf` is already zeroed, so the name is zero-padded, not truncated
  // unterminated.
  strncpy((char*)(attr + 1), (char*)name, GENL_NAMSIZ);
  struct iovec iov = {hdr, hdr->nlmsg_len};
  struct sockaddr_nl addr = {0};
  addr.nl_family = AF_NETLINK;
  int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC);
  if (fd == -1) {
    return -1;
  }
  // Positional init: msg_name, msg_namelen, msg_iov, msg_iovlen,
  // msg_control, msg_controllen, msg_flags.
  struct msghdr msg = {&addr, sizeof(addr), &iov, 1, NULL, 0, 0};
  if (sendmsg(fd, &msg, 0) == -1) {
    close(fd);
    return -1;
  }
  // Reply overwrites the request in place; `hdr`/`attr` now point into it.
  ssize_t n = recv(fd, buf, sizeof(buf), 0);
  close(fd);
  if (n <= 0) {
    return -1;
  }
  if (hdr->nlmsg_type != GENL_ID_CTRL) {
    return -1;
  }
  for (; (char*)attr < buf + n;
       attr = (struct nlattr*)((char*)attr + NLMSG_ALIGN(attr->nla_len))) {
    if (attr->nla_type == CTRL_ATTR_FAMILY_ID)
      return *(uint16_t*)(attr + 1);
  }
  return -1;
}

// Best-effort mount of fusectl; failure is deliberately ignored.
static void setup_common()
{
  if (mount(0, "/sys/fs/fuse/connections", "fusectl", 0, 0)) {
  }
}

static void loop();

// Confine the child: die with the parent, own session/process group, tight
// rlimits, and fresh mount/IPC/cgroup/UTS/SysV-sem namespaces. Every
// unshare() failure is ignored so the repro still runs on kernels without
// that namespace type.
static void sandbox_common()
{
  prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
  setpgrp();
  setsid();
  struct rlimit rlim;
  rlim.rlim_cur = rlim.rlim_max = 200 << 20; // 200 MiB address space
  setrlimit(RLIMIT_AS, &rlim);
  rlim.rlim_cur = rlim.rlim_max = 32 << 20; // 32 MiB locked memory
  setrlimit(RLIMIT_MEMLOCK, &rlim);
  rlim.rlim_cur = rlim.rlim_max = 136 << 20; // 136 MiB max file size
  setrlimit(RLIMIT_FSIZE, &rlim);
  rlim.rlim_cur = rlim.rlim_max = 1 << 20; // 1 MiB stack
  setrlimit(RLIMIT_STACK, &rlim);
  rlim.rlim_cur = rlim.rlim_max = 0; // no core dumps
  setrlimit(RLIMIT_CORE, &rlim);
  rlim.rlim_cur = rlim.rlim_max = 256; // at most 256 open files
  setrlimit(RLIMIT_NOFILE, &rlim);
  if (unshare(CLONE_NEWNS)) {
  }
  if (unshare(CLONE_NEWIPC)) {
  }
  // 0x02000000 is the value of CLONE_NEWCGROUP; spelled numerically so the
  // file builds against older headers that lack the symbol.
  if (unshare(0x02000000)) {
  }
  if (unshare(CLONE_NEWUTS)) {
  }
  if (unshare(CLONE_SYSVSEM)) {
  }
}

// Reap the sandbox child `pid` (exit(1) if fork() failed) and return its
// exit status. __WALL reaps children regardless of clone flags.
// NOTE(review): if waitpid() returns -1 (e.g. ECHILD) the loop never
// terminates, because -1 != pid for any valid pid; upstream accepts this.
int wait_for_loop(int pid)
{
  if (pid < 0)
    exit(1);
  int status = 0;
  while (waitpid(-1, &status, __WALL) != pid) {
  }
  return WEXITSTATUS(status);
}

// "none" sandbox: new PID namespace, fork, and in the child: common setup,
// sandbox_common(), a new network namespace populated by
// initialize_netdevices(), then the single loop() run. loop() returning is
// treated as failure (exit(1)). The parent just waits for the child.
static int do_sandbox_none(void)
{
  if (unshare(CLONE_NEWPID)) {
  }
  int pid = fork();
  if (pid != 0)
    return wait_for_loop(pid);
  setup_common();
  sandbox_common();
  if (unshare(CLONE_NEWNET)) {
  }
  initialize_netdevices();
  loop();
  exit(1);
}

// Syscall results carried between steps of loop():
//   r[0] = the generic-netlink socket fd (stays -1 if socket() fails)
//   r[1] = the "TIPCv2" family id (stays 0 if the lookup fails)
uint64_t r[2] = {0xffffffffffffffff, 0x0};

// The reproducer body: one netlink socket, one family lookup, one sendmsg().
// All message bytes are written at fixed offsets inside the region mapped by
// main() (0x20000000 + 16 MiB); the layout must be preserved byte for byte,
// which is why this is left as generated rather than restructured.
void loop(void)
{
  long res = 0;
  // socket(AF_NETLINK=0x10, SOCK_RAW=3, NETLINK_GENERIC=0x10)
  res = syscall(__NR_socket, 0x10, 3, 0x10);
  if (res != -1)
    r[0] = res;
  memcpy((void*)0x20000080, "TIPCv2", 7);
  res = syz_genetlink_get_family_id(0x20000080);
  if (res != -1)
    r[1] = res;
  // struct msghdr at 0x20000c00: msg_name = NULL, msg_namelen = 0,
  // msg_iov = 0x20000bc0 (the remaining fields are filled at the end).
  *(uint64_t*)0x20000c00 = 0;
  *(uint32_t*)0x20000c08 = 0;
  *(uint64_t*)0x20000c10 = 0x20000bc0;
  // struct iovec at 0x20000bc0: iov_base = 0x20000840 (iov_len set below).
  *(uint64_t*)0x20000bc0 = 0x20000840;
  // struct nlmsghdr at 0x20000840: len 0x348, type = family id from r[1],
  // flags 0xe01, seq, pid.
  *(uint32_t*)0x20000840 = 0x348;
  *(uint16_t*)0x20000844 = r[1];
  *(uint16_t*)0x20000846 = 0xe01;
  *(uint32_t*)0x20000848 = 0x70bd2b;
  *(uint32_t*)0x2000084c = 0x25dfdbff;
  // struct genlmsghdr at 0x20000850: cmd 3, version 0, reserved 0.
  *(uint8_t*)0x20000850 = 3;
  *(uint8_t*)0x20000851 = 0;
  *(uint16_t*)0x20000852 = 0;
  // Attribute payload (0x20000854 .. 0x20000b88) for the TIPCv2 family.
  // Each nlattr header is a u16 len followed by a u16 type; nested
  // attributes carry their own headers. Attribute meanings are not decoded
  // here — see the bug link at the top of the file for the kernel-side
  // analysis.
  *(uint16_t*)0x20000854 = 0x90;
  *(uint16_t*)0x20000856 = 1;
  *(uint16_t*)0x20000858 = 0x2c;
  *(uint16_t*)0x2000085a = 4;
  *(uint16_t*)0x2000085c = 0x14;
  *(uint16_t*)0x2000085e = 1;
  // sockaddr-style payloads: family 2 (AF_INET) with a big-endian port and
  // address, then 8 bytes of zero padding.
  *(uint16_t*)0x20000860 = 2;
  *(uint16_t*)0x20000862 = htobe16(0x4e23);
  *(uint32_t*)0x20000864 = htobe32(9);
  *(uint8_t*)0x20000868 = 0;
  *(uint8_t*)0x20000869 = 0;
  *(uint8_t*)0x2000086a = 0;
  *(uint8_t*)0x2000086b = 0;
  *(uint8_t*)0x2000086c = 0;
  *(uint8_t*)0x2000086d = 0;
  *(uint8_t*)0x2000086e = 0;
  *(uint8_t*)0x2000086f = 0;
  *(uint16_t*)0x20000870 = 0x14;
  *(uint16_t*)0x20000872 = 2;
  *(uint16_t*)0x20000874 = 2;
  *(uint16_t*)0x20000876 = htobe16(0x4e22);
  *(uint32_t*)0x20000878 = htobe32(-1);
  *(uint8_t*)0x2000087c = 0;
  *(uint8_t*)0x2000087d = 0;
  *(uint8_t*)0x2000087e = 0;
  *(uint8_t*)0x2000087f = 0;
  *(uint8_t*)0x20000880 = 0;
  *(uint8_t*)0x20000881 = 0;
  *(uint8_t*)0x20000882 = 0;
  *(uint8_t*)0x20000883 = 0;
  *(uint16_t*)0x20000884 = 0xc;
  *(uint16_t*)0x20000886 = 2;
  *(uint16_t*)0x20000888 = 8;
  *(uint16_t*)0x2000088a = 2;
  *(uint32_t*)0x2000088c = 8;
  *(uint16_t*)0x20000890 = 8;
  *(uint16_t*)0x20000892 = 3;
  *(uint32_t*)0x20000894 = 0x20;
  *(uint16_t*)0x20000898 = 8;
  *(uint16_t*)0x2000089a = 3;
  *(uint32_t*)0x2000089c = 0x80000000;
  *(uint16_t*)0x200008a0 = 0x44;
  *(uint16_t*)0x200008a2 = 4;
  *(uint16_t*)0x200008a4 = 0x20;
  *(uint16_t*)0x200008a6 = 1;
  // Family 0xa (AF_INET6) payloads: big-endian port, flowinfo, 16 address
  // bytes, scope id.
  *(uint16_t*)0x200008a8 = 0xa;
  *(uint16_t*)0x200008aa = htobe16(0x4e23);
  *(uint32_t*)0x200008ac = 0xb3;
  *(uint8_t*)0x200008b0 = 0;
  *(uint8_t*)0x200008b1 = 0;
  *(uint8_t*)0x200008b2 = 0;
  *(uint8_t*)0x200008b3 = 0;
  *(uint8_t*)0x200008b4 = 0;
  *(uint8_t*)0x200008b5 = 0;
  *(uint8_t*)0x200008b6 = 0;
  *(uint8_t*)0x200008b7 = 0;
  *(uint8_t*)0x200008b8 = 0;
  *(uint8_t*)0x200008b9 = 0;
  *(uint8_t*)0x200008ba = 0;
  *(uint8_t*)0x200008bb = 0;
  *(uint8_t*)0x200008bc = 0;
  *(uint8_t*)0x200008bd = 0;
  *(uint8_t*)0x200008be = 0;
  *(uint8_t*)0x200008bf = 0;
  *(uint32_t*)0x200008c0 = 0x261;
  *(uint16_t*)0x200008c4 = 0x20;
  *(uint16_t*)0x200008c6 = 2;
  *(uint16_t*)0x200008c8 = 0xa;
  *(uint16_t*)0x200008ca = htobe16(0x4e24);
  *(uint32_t*)0x200008cc = 1;
  *(uint8_t*)0x200008d0 = 0;
  *(uint8_t*)0x200008d1 = 0;
  *(uint8_t*)0x200008d2 = 0;
  *(uint8_t*)0x200008d3 = 0;
  *(uint8_t*)0x200008d4 = 0;
  *(uint8_t*)0x200008d5 = 0;
  *(uint8_t*)0x200008d6 = 0;
  *(uint8_t*)0x200008d7 = 0;
  *(uint8_t*)0x200008d8 = 0;
  *(uint8_t*)0x200008d9 = 0;
  *(uint8_t*)0x200008da = 0;
  *(uint8_t*)0x200008db = 0;
  *(uint8_t*)0x200008dc = 0;
  *(uint8_t*)0x200008dd = 0;
  *(uint8_t*)0x200008de = 0;
  *(uint8_t*)0x200008df = 0;
  *(uint32_t*)0x200008e0 = 0x3f;
  *(uint16_t*)0x200008e4 = 0x40;
  *(uint16_t*)0x200008e6 = 7;
  *(uint16_t*)0x200008e8 = 0xc;
  *(uint16_t*)0x200008ea = 4;
  *(uint64_t*)0x200008ec = 2;
  *(uint16_t*)0x200008f4 = 0xc;
  *(uint16_t*)0x200008f6 = 3;
  *(uint64_t*)0x200008f8 = 3;
  *(uint16_t*)0x20000900 = 0xc;
  *(uint16_t*)0x20000902 = 3;
  *(uint64_t*)0x20000904 = 0x100000001;
  *(uint16_t*)0x2000090c = 0xc;
  *(uint16_t*)0x2000090e = 3;
  *(uint64_t*)0x20000910 = 5;
  *(uint16_t*)0x20000918 = 0xc;
  *(uint16_t*)0x2000091a = 4;
  *(uint64_t*)0x2000091c = 5;
  *(uint16_t*)0x20000924 = 0x34;
  *(uint16_t*)0x20000926 = 7;
  *(uint16_t*)0x20000928 = 0xc;
  *(uint16_t*)0x2000092a = 4;
  *(uint64_t*)0x2000092c = 0x100;
  *(uint16_t*)0x20000934 = 0xc;
  *(uint16_t*)0x20000936 = 4;
  *(uint64_t*)0x20000938 = 5;
  *(uint16_t*)0x20000940 = 8;
  *(uint16_t*)0x20000942 = 2;
  *(uint32_t*)0x20000944 = 9;
  *(uint16_t*)0x20000948 = 8;
  *(uint16_t*)0x2000094a = 2;
  *(uint32_t*)0x2000094c = 0x7f;
  *(uint16_t*)0x20000950 = 8;
  *(uint16_t*)0x20000952 = 2;
  *(uint32_t*)0x20000954 = 0x899;
  *(uint16_t*)0x20000958 = 0x24;
  *(uint16_t*)0x2000095a = 7;
  *(uint16_t*)0x2000095c = 0xc;
  *(uint16_t*)0x2000095e = 3;
  *(uint64_t*)0x20000960 = 0xffffffffffff97cb;
  *(uint16_t*)0x20000968 = 0xc;
  *(uint16_t*)0x2000096a = 4;
  *(uint64_t*)0x2000096c = 0xd00;
  *(uint16_t*)0x20000974 = 8;
  *(uint16_t*)0x20000976 = 1;
  *(uint32_t*)0x20000978 = 0x10001;
  *(uint16_t*)0x2000097c = 0xd8;
  *(uint16_t*)0x2000097e = 1;
  // String-valued attributes: the copies include the terminating NUL.
  *(uint16_t*)0x20000980 = 0x10;
  *(uint16_t*)0x20000982 = 1;
  memcpy((void*)0x20000984, "udp:syz1", 9);
  *(uint16_t*)0x20000990 = 8;
  *(uint16_t*)0x20000992 = 3;
  *(uint32_t*)0x20000994 = 0x200;
  *(uint16_t*)0x20000998 = 0x38;
  *(uint16_t*)0x2000099a = 4;
  *(uint16_t*)0x2000099c = 0x14;
  *(uint16_t*)0x2000099e = 1;
  *(uint16_t*)0x200009a0 = 2;
  *(uint16_t*)0x200009a2 = htobe16(0x4e23);
  *(uint32_t*)0x200009a4 = htobe32(0xe0000002);
  *(uint8_t*)0x200009a8 = 0;
  *(uint8_t*)0x200009a9 = 0;
  *(uint8_t*)0x200009aa = 0;
  *(uint8_t*)0x200009ab = 0;
  *(uint8_t*)0x200009ac = 0;
  *(uint8_t*)0x200009ad = 0;
  *(uint8_t*)0x200009ae = 0;
  *(uint8_t*)0x200009af = 0;
  *(uint16_t*)0x200009b0 = 0x20;
  *(uint16_t*)0x200009b2 = 2;
  *(uint16_t*)0x200009b4 = 0xa;
  *(uint16_t*)0x200009b6 = htobe16(0x4e24);
  *(uint32_t*)0x200009b8 = 0x7fffffff;
  // -1 stored through uint8_t* is the byte 0xff.
  *(uint8_t*)0x200009bc = -1;
  *(uint8_t*)0x200009bd = 2;
  *(uint8_t*)0x200009be = 0;
  *(uint8_t*)0x200009bf = 0;
  *(uint8_t*)0x200009c0 = 0;
  *(uint8_t*)0x200009c1 = 0;
  *(uint8_t*)0x200009c2 = 0;
  *(uint8_t*)0x200009c3 = 0;
  *(uint8_t*)0x200009c4 = 0;
  *(uint8_t*)0x200009c5 = 0;
  *(uint8_t*)0x200009c6 = 0;
  *(uint8_t*)0x200009c7 = 0;
  *(uint8_t*)0x200009c8 = 0;
  *(uint8_t*)0x200009c9 = 0;
  *(uint8_t*)0x200009ca = 0;
  *(uint8_t*)0x200009cb = 1;
  *(uint32_t*)0x200009cc = 0xad1;
  *(uint16_t*)0x200009d0 = 0x14;
  *(uint16_t*)0x200009d2 = 2;
  *(uint16_t*)0x200009d4 = 8;
  *(uint16_t*)0x200009d6 = 1;
  *(uint32_t*)0x200009d8 = 0x17;
  *(uint16_t*)0x200009dc = 8;
  *(uint16_t*)0x200009de = 3;
  *(uint32_t*)0x200009e0 = 0x7ff;
  *(uint16_t*)0x200009e4 = 8;
  *(uint16_t*)0x200009e6 = 3;
  *(uint32_t*)0x200009e8 = 6;
  *(uint16_t*)0x200009ec = 0x10;
  *(uint16_t*)0x200009ee = 1;
  memcpy((void*)0x200009f0, "udp:syz2", 9);
  *(uint16_t*)0x200009fc = 0x10;
  *(uint16_t*)0x200009fe = 1;
  memcpy((void*)0x20000a00, "udp:syz2", 9);
  *(uint16_t*)0x20000a0c = 0x38;
  *(uint16_t*)0x20000a0e = 4;
  *(uint16_t*)0x20000a10 = 0x14;
  *(uint16_t*)0x20000a12 = 1;
  *(uint16_t*)0x20000a14 = 2;
  *(uint16_t*)0x20000a16 = htobe16(0x4e21);
  // IPv4 address written byte-wise: 0xac.0x14.0x14.0x1a = 172.20.20.26,
  // i.e. the DEV_IPV4 address of devnames[16] ("team0", index 16 + 10).
  *(uint8_t*)0x20000a18 = 0xac;
  *(uint8_t*)0x20000a19 = 0x14;
  *(uint8_t*)0x20000a1a = 0x14;
  *(uint8_t*)0x20000a1b = 0x1a;
  *(uint8_t*)0x20000a1c = 0;
  *(uint8_t*)0x20000a1d = 0;
  *(uint8_t*)0x20000a1e = 0;
  *(uint8_t*)0x20000a1f = 0;
  *(uint8_t*)0x20000a20 = 0;
  *(uint8_t*)0x20000a21 = 0;
  *(uint8_t*)0x20000a22 = 0;
  *(uint8_t*)0x20000a23 = 0;
  *(uint16_t*)0x20000a24 = 0x20;
  *(uint16_t*)0x20000a26 = 2;
  *(uint16_t*)0x20000a28 = 0xa;
  *(uint16_t*)0x20000a2a = htobe16(0x4e24);
  *(uint32_t*)0x20000a2c = 3;
  *(uint8_t*)0x20000a30 = -1;
  *(uint8_t*)0x20000a31 = 2;
  *(uint8_t*)0x20000a32 = 0;
  *(uint8_t*)0x20000a33 = 0;
  *(uint8_t*)0x20000a34 = 0;
  *(uint8_t*)0x20000a35 = 0;
  *(uint8_t*)0x20000a36 = 0;
  *(uint8_t*)0x20000a37 = 0;
  *(uint8_t*)0x20000a38 = 0;
  *(uint8_t*)0x20000a39 = 0;
  *(uint8_t*)0x20000a3a = 0;
  *(uint8_t*)0x20000a3b = 0;
  *(uint8_t*)0x20000a3c = 0;
  *(uint8_t*)0x20000a3d = 0;
  *(uint8_t*)0x20000a3e = 0;
  *(uint8_t*)0x20000a3f = 1;
  *(uint32_t*)0x20000a40 = 0x8001;
  *(uint16_t*)0x20000a44 = 8;
  *(uint16_t*)0x20000a46 = 3;
  *(uint32_t*)0x20000a48 = 0x401;
  *(uint16_t*)0x20000a4c = 8;
  *(uint16_t*)0x20000a4e = 3;
  *(uint32_t*)0x20000a50 = 5;
  *(uint16_t*)0x20000a54 = 0x34;
  *(uint16_t*)0x20000a56 = 7;
  *(uint16_t*)0x20000a58 = 8;
  *(uint16_t*)0x20000a5a = 2;
  *(uint32_t*)0x20000a5c = 0xc5;
  *(uint16_t*)0x20000a60 = 8;
  *(uint16_t*)0x20000a62 = 2;
  *(uint32_t*)0x20000a64 = 0x9fc;
  *(uint16_t*)0x20000a68 = 8;
  *(uint16_t*)0x20000a6a = 2;
  *(uint32_t*)0x20000a6c = 0;
  *(uint16_t*)0x20000a70 = 0xc;
  *(uint16_t*)0x20000a72 = 4;
  *(uint64_t*)0x20000a74 = 3;
  *(uint16_t*)0x20000a7c = 0xc;
  *(uint16_t*)0x20000a7e = 3;
  *(uint64_t*)0x20000a80 = 0xffff;
  *(uint16_t*)0x20000a88 = 0x2c;
  *(uint16_t*)0x20000a8a = 2;
  *(uint16_t*)0x20000a8c = 8;
  *(uint16_t*)0x20000a8e = 2;
  *(uint32_t*)0x20000a90 = 0x95c7;
  // Two empty attributes (len 4 = header only).
  *(uint16_t*)0x20000a94 = 4;
  *(uint16_t*)0x20000a96 = 4;
  *(uint16_t*)0x20000a98 = 4;
  *(uint16_t*)0x20000a9a = 4;
  *(uint16_t*)0x20000a9c = 8;
  *(uint16_t*)0x20000a9e = 1;
  *(uint32_t*)0x20000aa0 = 0x401;
  *(uint16_t*)0x20000aa4 = 8;
  *(uint16_t*)0x20000aa6 = 1;
  *(uint32_t*)0x20000aa8 = 0;
  *(uint16_t*)0x20000aac = 8;
  *(uint16_t*)0x20000aae = 1;
  *(uint32_t*)0x20000ab0 = 0xfffffffb;
  *(uint16_t*)0x20000ab4 = 0x30;
  *(uint16_t*)0x20000ab6 = 7;
  *(uint16_t*)0x20000ab8 = 8;
  *(uint16_t*)0x20000aba = 2;
  *(uint32_t*)0x20000abc = 0;
  *(uint16_t*)0x20000ac0 = 8;
  *(uint16_t*)0x20000ac2 = 1;
  *(uint32_t*)0x20000ac4 = 8;
  *(uint16_t*)0x20000ac8 = 8;
  *(uint16_t*)0x20000aca = 1;
  *(uint32_t*)0x20000acc = 3;
  *(uint16_t*)0x20000ad0 = 0xc;
  *(uint16_t*)0x20000ad2 = 4;
  *(uint64_t*)0x20000ad4 = 0;
  *(uint16_t*)0x20000adc = 8;
  *(uint16_t*)0x20000ade = 2;
  *(uint32_t*)0x20000ae0 = 0x7fffffff;
  *(uint16_t*)0x20000ae4 = 0xa4;
  *(uint16_t*)0x20000ae6 = 4;
  *(uint16_t*)0x20000ae8 = 0x14;
  *(uint16_t*)0x20000aea = 1;
  memcpy((void*)0x20000aec, "broadcast-link", 15);
  *(uint16_t*)0x20000afc = 0x14;
  *(uint16_t*)0x20000afe = 7;
  *(uint16_t*)0x20000b00 = 8;
  *(uint16_t*)0x20000b02 = 2;
  *(uint32_t*)0x20000b04 = 0xef3;
  *(uint16_t*)0x20000b08 = 8;
  *(uint16_t*)0x20000b0a = 4;
  *(uint32_t*)0x20000b0c = 0x80000000;
  *(uint16_t*)0x20000b10 = 0xc;
  *(uint16_t*)0x20000b12 = 1;
  memcpy((void*)0x20000b14, "syz0", 5);
  *(uint16_t*)0x20000b1c = 0x14;
  *(uint16_t*)0x20000b1e = 1;
  memcpy((void*)0x20000b20, "broadcast-link", 15);
  *(uint16_t*)0x20000b30 = 0x44;
  *(uint16_t*)0x20000b32 = 7;
  *(uint16_t*)0x20000b34 = 8;
  *(uint16_t*)0x20000b36 = 1;
  *(uint32_t*)0x20000b38 = 0x16;
  *(uint16_t*)0x20000b3c = 8;
  *(uint16_t*)0x20000b3e = 1;
  *(uint32_t*)0x20000b40 = 2;
  *(uint16_t*)0x20000b44 = 8;
  *(uint16_t*)0x20000b46 = 4;
  *(uint32_t*)0x20000b48 = 0x7a5;
  *(uint16_t*)0x20000b4c = 8;
  *(uint16_t*)0x20000b4e = 1;
  *(uint32_t*)0x20000b50 = 0xb;
  *(uint16_t*)0x20000b54 = 8;
  *(uint16_t*)0x20000b56 = 4;
  *(uint32_t*)0x20000b58 = 0x7ff;
  *(uint16_t*)0x20000b5c = 8;
  *(uint16_t*)0x20000b5e = 2;
  *(uint32_t*)0x20000b60 = 0xff;
  *(uint16_t*)0x20000b64 = 8;
  *(uint16_t*)0x20000b66 = 3;
  *(uint32_t*)0x20000b68 = 1;
  *(uint16_t*)0x20000b6c = 8;
  *(uint16_t*)0x20000b6e = 1;
  *(uint32_t*)0x20000b70 = 4;
  *(uint16_t*)0x20000b74 = 0x14;
  *(uint16_t*)0x20000b76 = 7;
  *(uint16_t*)0x20000b78 = 8;
  *(uint16_t*)0x20000b7a = 1;
  *(uint32_t*)0x20000b7c = 0x1b;
  *(uint16_t*)0x20000b80 = 8;
  *(uint16_t*)0x20000b82 = 3;
  *(uint32_t*)0x20000b84 = 9;
  // End of message: 0x20000840 + 0x348 == 0x20000b88.
  // iov_len = 0x348 (matches nlmsg_len above).
  *(uint64_t*)0x20000bc8 = 0x348;
  // Remaining msghdr fields: msg_iovlen = 1, msg_control = NULL,
  // msg_controllen = 0, msg_flags = 0x4040.
  *(uint64_t*)0x20000c18 = 1;
  *(uint64_t*)0x20000c20 = 0;
  *(uint64_t*)0x20000c28 = 0;
  *(uint32_t*)0x20000c30 = 0x4040;
  // sendmsg(r[0], msghdr at 0x20000c00, flags 0xc000). On Linux 0xc000 is
  // MSG_MORE | MSG_NOSIGNAL (values as I recall them; confirm against
  // <sys/socket.h>). The return value is ignored.
  syscall(__NR_sendmsg, r[0], 0x20000c00, 0xc000);
}

// mmap(0x20000000, 16 MiB, PROT_READ|PROT_WRITE (3),
//      MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS (0x32), -1, 0)
// provides the fixed scratch region loop() writes into; the result is not
// checked, so a failed mapping would make the later stores fault.
int main(void)
{
  syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0);
  do_sandbox_none();
  return 0;
}