| // KMSAN: uninit-value in ipv6_find_tlv |
| // https://syzkaller.appspot.com/bug?id=3d605ec1d0a7f2a269a1a6936ac7f2b85975ee9c |
| // status:open |
| // autogenerated by syzkaller (https://github.com/google/syzkaller) |
| |
| #define _GNU_SOURCE |
| |
| #include <arpa/inet.h> |
| #include <dirent.h> |
| #include <endian.h> |
| #include <errno.h> |
| #include <fcntl.h> |
| #include <net/if.h> |
| #include <net/if_arp.h> |
| #include <netinet/in.h> |
| #include <pthread.h> |
| #include <sched.h> |
| #include <setjmp.h> |
| #include <signal.h> |
| #include <stdarg.h> |
| #include <stdbool.h> |
| #include <stdint.h> |
| #include <stdio.h> |
| #include <stdlib.h> |
| #include <string.h> |
| #include <sys/ioctl.h> |
| #include <sys/mount.h> |
| #include <sys/prctl.h> |
| #include <sys/resource.h> |
| #include <sys/socket.h> |
| #include <sys/stat.h> |
| #include <sys/syscall.h> |
| #include <sys/time.h> |
| #include <sys/types.h> |
| #include <sys/uio.h> |
| #include <sys/wait.h> |
| #include <time.h> |
| #include <unistd.h> |
| |
| #include <linux/capability.h> |
| #include <linux/futex.h> |
| #include <linux/if_addr.h> |
| #include <linux/if_ether.h> |
| #include <linux/if_link.h> |
| #include <linux/if_tun.h> |
| #include <linux/in6.h> |
| #include <linux/ip.h> |
| #include <linux/neighbour.h> |
| #include <linux/net.h> |
| #include <linux/netlink.h> |
| #include <linux/rtnetlink.h> |
| #include <linux/tcp.h> |
| #include <linux/veth.h> |
| |
| unsigned long long procid; |
| |
| static __thread int skip_segv; |
| static __thread jmp_buf segv_env; |
| |
| static void segv_handler(int sig, siginfo_t* info, void* ctx) |
| { |
| uintptr_t addr = (uintptr_t)info->si_addr; |
| const uintptr_t prog_start = 1 << 20; |
| const uintptr_t prog_end = 100 << 20; |
| if (__atomic_load_n(&skip_segv, __ATOMIC_RELAXED) && |
| (addr < prog_start || addr > prog_end)) { |
| _longjmp(segv_env, 1); |
| } |
| exit(sig); |
| } |
| |
| static void install_segv_handler(void) |
| { |
| struct sigaction sa; |
| memset(&sa, 0, sizeof(sa)); |
| sa.sa_handler = SIG_IGN; |
| syscall(SYS_rt_sigaction, 0x20, &sa, NULL, 8); |
| syscall(SYS_rt_sigaction, 0x21, &sa, NULL, 8); |
| memset(&sa, 0, sizeof(sa)); |
| sa.sa_sigaction = segv_handler; |
| sa.sa_flags = SA_NODEFER | SA_SIGINFO; |
| sigaction(SIGSEGV, &sa, NULL); |
| sigaction(SIGBUS, &sa, NULL); |
| } |
| |
| #define NONFAILING(...) \ |
| { \ |
| __atomic_fetch_add(&skip_segv, 1, __ATOMIC_SEQ_CST); \ |
| if (_setjmp(segv_env) == 0) { \ |
| __VA_ARGS__; \ |
| } \ |
| __atomic_fetch_sub(&skip_segv, 1, __ATOMIC_SEQ_CST); \ |
| } |
| |
| static void sleep_ms(uint64_t ms) |
| { |
| usleep(ms * 1000); |
| } |
| |
| static uint64_t current_time_ms(void) |
| { |
| struct timespec ts; |
| if (clock_gettime(CLOCK_MONOTONIC, &ts)) |
| exit(1); |
| return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; |
| } |
| |
| static void use_temporary_dir(void) |
| { |
| char tmpdir_template[] = "./syzkaller.XXXXXX"; |
| char* tmpdir = mkdtemp(tmpdir_template); |
| if (!tmpdir) |
| exit(1); |
| if (chmod(tmpdir, 0777)) |
| exit(1); |
| if (chdir(tmpdir)) |
| exit(1); |
| } |
| |
| static void thread_start(void* (*fn)(void*), void* arg) |
| { |
| pthread_t th; |
| pthread_attr_t attr; |
| pthread_attr_init(&attr); |
| pthread_attr_setstacksize(&attr, 128 << 10); |
| int i; |
| for (i = 0; i < 100; i++) { |
| if (pthread_create(&th, &attr, fn, arg) == 0) { |
| pthread_attr_destroy(&attr); |
| return; |
| } |
| if (errno == EAGAIN) { |
| usleep(50); |
| continue; |
| } |
| break; |
| } |
| exit(1); |
| } |
| |
| typedef struct { |
| int state; |
| } event_t; |
| |
| static void event_init(event_t* ev) |
| { |
| ev->state = 0; |
| } |
| |
| static void event_reset(event_t* ev) |
| { |
| ev->state = 0; |
| } |
| |
| static void event_set(event_t* ev) |
| { |
| if (ev->state) |
| exit(1); |
| __atomic_store_n(&ev->state, 1, __ATOMIC_RELEASE); |
| syscall(SYS_futex, &ev->state, FUTEX_WAKE | FUTEX_PRIVATE_FLAG); |
| } |
| |
| static void event_wait(event_t* ev) |
| { |
| while (!__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) |
| syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, 0); |
| } |
| |
| static int event_isset(event_t* ev) |
| { |
| return __atomic_load_n(&ev->state, __ATOMIC_ACQUIRE); |
| } |
| |
| static int event_timedwait(event_t* ev, uint64_t timeout) |
| { |
| uint64_t start = current_time_ms(); |
| uint64_t now = start; |
| for (;;) { |
| uint64_t remain = timeout - (now - start); |
| struct timespec ts; |
| ts.tv_sec = remain / 1000; |
| ts.tv_nsec = (remain % 1000) * 1000 * 1000; |
| syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, &ts); |
| if (__atomic_load_n(&ev->state, __ATOMIC_RELAXED)) |
| return 1; |
| now = current_time_ms(); |
| if (now - start > timeout) |
| return 0; |
| } |
| } |
| |
| static bool write_file(const char* file, const char* what, ...) |
| { |
| char buf[1024]; |
| va_list args; |
| va_start(args, what); |
| vsnprintf(buf, sizeof(buf), what, args); |
| va_end(args); |
| buf[sizeof(buf) - 1] = 0; |
| int len = strlen(buf); |
| int fd = open(file, O_WRONLY | O_CLOEXEC); |
| if (fd == -1) |
| return false; |
| if (write(fd, buf, len) != len) { |
| int err = errno; |
| close(fd); |
| errno = err; |
| return false; |
| } |
| close(fd); |
| return true; |
| } |
| |
| static struct { |
| char* pos; |
| int nesting; |
| struct nlattr* nested[8]; |
| char buf[1024]; |
| } nlmsg; |
| |
| static void netlink_init(int typ, int flags, const void* data, int size) |
| { |
| memset(&nlmsg, 0, sizeof(nlmsg)); |
| struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg.buf; |
| hdr->nlmsg_type = typ; |
| hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags; |
| memcpy(hdr + 1, data, size); |
| nlmsg.pos = (char*)(hdr + 1) + NLMSG_ALIGN(size); |
| } |
| |
| static void netlink_attr(int typ, const void* data, int size) |
| { |
| struct nlattr* attr = (struct nlattr*)nlmsg.pos; |
| attr->nla_len = sizeof(*attr) + size; |
| attr->nla_type = typ; |
| memcpy(attr + 1, data, size); |
| nlmsg.pos += NLMSG_ALIGN(attr->nla_len); |
| } |
| |
| static void netlink_nest(int typ) |
| { |
| struct nlattr* attr = (struct nlattr*)nlmsg.pos; |
| attr->nla_type = typ; |
| nlmsg.pos += sizeof(*attr); |
| nlmsg.nested[nlmsg.nesting++] = attr; |
| } |
| |
| static void netlink_done(void) |
| { |
| struct nlattr* attr = nlmsg.nested[--nlmsg.nesting]; |
| attr->nla_len = nlmsg.pos - (char*)attr; |
| } |
| |
| static int netlink_send(int sock) |
| { |
| if (nlmsg.pos > nlmsg.buf + sizeof(nlmsg.buf) || nlmsg.nesting) |
| exit(1); |
| struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg.buf; |
| hdr->nlmsg_len = nlmsg.pos - nlmsg.buf; |
| struct sockaddr_nl addr; |
| memset(&addr, 0, sizeof(addr)); |
| addr.nl_family = AF_NETLINK; |
| unsigned n = sendto(sock, nlmsg.buf, hdr->nlmsg_len, 0, |
| (struct sockaddr*)&addr, sizeof(addr)); |
| if (n != hdr->nlmsg_len) |
| exit(1); |
| n = recv(sock, nlmsg.buf, sizeof(nlmsg.buf), 0); |
| if (n < sizeof(struct nlmsghdr) + sizeof(struct nlmsgerr)) |
| exit(1); |
| if (hdr->nlmsg_type != NLMSG_ERROR) |
| exit(1); |
| return -((struct nlmsgerr*)(hdr + 1))->error; |
| } |
| |
| static void netlink_add_device_impl(const char* type, const char* name) |
| { |
| struct ifinfomsg hdr; |
| memset(&hdr, 0, sizeof(hdr)); |
| netlink_init(RTM_NEWLINK, NLM_F_EXCL | NLM_F_CREATE, &hdr, sizeof(hdr)); |
| if (name) |
| netlink_attr(IFLA_IFNAME, name, strlen(name)); |
| netlink_nest(IFLA_LINKINFO); |
| netlink_attr(IFLA_INFO_KIND, type, strlen(type)); |
| } |
| |
| static void netlink_add_device(int sock, const char* type, const char* name) |
| { |
| netlink_add_device_impl(type, name); |
| netlink_done(); |
| int err = netlink_send(sock); |
| (void)err; |
| } |
| |
| static void netlink_add_veth(int sock, const char* name, const char* peer) |
| { |
| netlink_add_device_impl("veth", name); |
| netlink_nest(IFLA_INFO_DATA); |
| netlink_nest(VETH_INFO_PEER); |
| nlmsg.pos += sizeof(struct ifinfomsg); |
| netlink_attr(IFLA_IFNAME, peer, strlen(peer)); |
| netlink_done(); |
| netlink_done(); |
| netlink_done(); |
| int err = netlink_send(sock); |
| (void)err; |
| } |
| |
| static void netlink_add_hsr(int sock, const char* name, const char* slave1, |
| const char* slave2) |
| { |
| netlink_add_device_impl("hsr", name); |
| netlink_nest(IFLA_INFO_DATA); |
| int ifindex1 = if_nametoindex(slave1); |
| netlink_attr(IFLA_HSR_SLAVE1, &ifindex1, sizeof(ifindex1)); |
| int ifindex2 = if_nametoindex(slave2); |
| netlink_attr(IFLA_HSR_SLAVE2, &ifindex2, sizeof(ifindex2)); |
| netlink_done(); |
| netlink_done(); |
| int err = netlink_send(sock); |
| (void)err; |
| } |
| |
| static void netlink_device_change(int sock, const char* name, bool up, |
| const char* master, const void* mac, |
| int macsize) |
| { |
| struct ifinfomsg hdr; |
| memset(&hdr, 0, sizeof(hdr)); |
| if (up) |
| hdr.ifi_flags = hdr.ifi_change = IFF_UP; |
| netlink_init(RTM_NEWLINK, 0, &hdr, sizeof(hdr)); |
| netlink_attr(IFLA_IFNAME, name, strlen(name)); |
| if (master) { |
| int ifindex = if_nametoindex(master); |
| netlink_attr(IFLA_MASTER, &ifindex, sizeof(ifindex)); |
| } |
| if (macsize) |
| netlink_attr(IFLA_ADDRESS, mac, macsize); |
| int err = netlink_send(sock); |
| (void)err; |
| } |
| |
| static int netlink_add_addr(int sock, const char* dev, const void* addr, |
| int addrsize) |
| { |
| struct ifaddrmsg hdr; |
| memset(&hdr, 0, sizeof(hdr)); |
| hdr.ifa_family = addrsize == 4 ? AF_INET : AF_INET6; |
| hdr.ifa_prefixlen = addrsize == 4 ? 24 : 120; |
| hdr.ifa_scope = RT_SCOPE_UNIVERSE; |
| hdr.ifa_index = if_nametoindex(dev); |
| netlink_init(RTM_NEWADDR, NLM_F_CREATE | NLM_F_REPLACE, &hdr, sizeof(hdr)); |
| netlink_attr(IFA_LOCAL, addr, addrsize); |
| netlink_attr(IFA_ADDRESS, addr, addrsize); |
| return netlink_send(sock); |
| } |
| |
| static void netlink_add_addr4(int sock, const char* dev, const char* addr) |
| { |
| struct in_addr in_addr; |
| inet_pton(AF_INET, addr, &in_addr); |
| int err = netlink_add_addr(sock, dev, &in_addr, sizeof(in_addr)); |
| (void)err; |
| } |
| |
| static void netlink_add_addr6(int sock, const char* dev, const char* addr) |
| { |
| struct in6_addr in6_addr; |
| inet_pton(AF_INET6, addr, &in6_addr); |
| int err = netlink_add_addr(sock, dev, &in6_addr, sizeof(in6_addr)); |
| (void)err; |
| } |
| |
| static void netlink_add_neigh(int sock, const char* name, const void* addr, |
| int addrsize, const void* mac, int macsize) |
| { |
| struct ndmsg hdr; |
| memset(&hdr, 0, sizeof(hdr)); |
| hdr.ndm_family = addrsize == 4 ? AF_INET : AF_INET6; |
| hdr.ndm_ifindex = if_nametoindex(name); |
| hdr.ndm_state = NUD_PERMANENT; |
| netlink_init(RTM_NEWNEIGH, NLM_F_EXCL | NLM_F_CREATE, &hdr, sizeof(hdr)); |
| netlink_attr(NDA_DST, addr, addrsize); |
| netlink_attr(NDA_LLADDR, mac, macsize); |
| int err = netlink_send(sock); |
| (void)err; |
| } |
| |
| static int tunfd = -1; |
| static int tun_frags_enabled; |
| #define SYZ_TUN_MAX_PACKET_SIZE 1000 |
| |
| #define TUN_IFACE "syz_tun" |
| |
| #define LOCAL_MAC 0xaaaaaaaaaaaa |
| #define REMOTE_MAC 0xaaaaaaaaaabb |
| |
| #define LOCAL_IPV4 "172.20.20.170" |
| #define REMOTE_IPV4 "172.20.20.187" |
| |
| #define LOCAL_IPV6 "fe80::aa" |
| #define REMOTE_IPV6 "fe80::bb" |
| |
| #define IFF_NAPI 0x0010 |
| #define IFF_NAPI_FRAGS 0x0020 |
| |
| static void initialize_tun(void) |
| { |
| tunfd = open("/dev/net/tun", O_RDWR | O_NONBLOCK); |
| if (tunfd == -1) { |
| printf("tun: can't open /dev/net/tun: please enable CONFIG_TUN=y\n"); |
| printf("otherwise fuzzing or reproducing might not work as intended\n"); |
| return; |
| } |
| const int kTunFd = 240; |
| if (dup2(tunfd, kTunFd) < 0) |
| exit(1); |
| close(tunfd); |
| tunfd = kTunFd; |
| struct ifreq ifr; |
| memset(&ifr, 0, sizeof(ifr)); |
| strncpy(ifr.ifr_name, TUN_IFACE, IFNAMSIZ); |
| ifr.ifr_flags = IFF_TAP | IFF_NO_PI | IFF_NAPI | IFF_NAPI_FRAGS; |
| if (ioctl(tunfd, TUNSETIFF, (void*)&ifr) < 0) { |
| ifr.ifr_flags = IFF_TAP | IFF_NO_PI; |
| if (ioctl(tunfd, TUNSETIFF, (void*)&ifr) < 0) |
| exit(1); |
| } |
| if (ioctl(tunfd, TUNGETIFF, (void*)&ifr) < 0) |
| exit(1); |
| tun_frags_enabled = (ifr.ifr_flags & IFF_NAPI_FRAGS) != 0; |
| char sysctl[64]; |
| sprintf(sysctl, "/proc/sys/net/ipv6/conf/%s/accept_dad", TUN_IFACE); |
| write_file(sysctl, "0"); |
| sprintf(sysctl, "/proc/sys/net/ipv6/conf/%s/router_solicitations", TUN_IFACE); |
| write_file(sysctl, "0"); |
| int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE); |
| if (sock == -1) |
| exit(1); |
| netlink_add_addr4(sock, TUN_IFACE, LOCAL_IPV4); |
| netlink_add_addr6(sock, TUN_IFACE, LOCAL_IPV6); |
| uint64_t macaddr = REMOTE_MAC; |
| struct in_addr in_addr; |
| inet_pton(AF_INET, REMOTE_IPV4, &in_addr); |
| netlink_add_neigh(sock, TUN_IFACE, &in_addr, sizeof(in_addr), &macaddr, |
| ETH_ALEN); |
| struct in6_addr in6_addr; |
| inet_pton(AF_INET6, REMOTE_IPV6, &in6_addr); |
| netlink_add_neigh(sock, TUN_IFACE, &in6_addr, sizeof(in6_addr), &macaddr, |
| ETH_ALEN); |
| macaddr = LOCAL_MAC; |
| netlink_device_change(sock, TUN_IFACE, true, 0, &macaddr, ETH_ALEN); |
| close(sock); |
| } |
| |
| #define DEV_IPV4 "172.20.20.%d" |
| #define DEV_IPV6 "fe80::%02x" |
| #define DEV_MAC 0x00aaaaaaaaaa |
| static void initialize_netdevices(void) |
| { |
| char netdevsim[16]; |
| sprintf(netdevsim, "netdevsim%d", (int)procid); |
| struct { |
| const char* type; |
| const char* dev; |
| } devtypes[] = { |
| {"ip6gretap", "ip6gretap0"}, {"bridge", "bridge0"}, |
| {"vcan", "vcan0"}, {"bond", "bond0"}, |
| {"team", "team0"}, {"dummy", "dummy0"}, |
| {"nlmon", "nlmon0"}, {"caif", "caif0"}, |
| {"batadv", "batadv0"}, {"vxcan", "vxcan1"}, |
| {"netdevsim", netdevsim}, {"veth", 0}, |
| }; |
| const char* devmasters[] = {"bridge", "bond", "team"}; |
| struct { |
| const char* name; |
| int macsize; |
| bool noipv6; |
| } devices[] = { |
| {"lo", ETH_ALEN}, |
| {"sit0", 0}, |
| {"bridge0", ETH_ALEN}, |
| {"vcan0", 0, true}, |
| {"tunl0", 0}, |
| {"gre0", 0}, |
| {"gretap0", ETH_ALEN}, |
| {"ip_vti0", 0}, |
| {"ip6_vti0", 0}, |
| {"ip6tnl0", 0}, |
| {"ip6gre0", 0}, |
| {"ip6gretap0", ETH_ALEN}, |
| {"erspan0", ETH_ALEN}, |
| {"bond0", ETH_ALEN}, |
| {"veth0", ETH_ALEN}, |
| {"veth1", ETH_ALEN}, |
| {"team0", ETH_ALEN}, |
| {"veth0_to_bridge", ETH_ALEN}, |
| {"veth1_to_bridge", ETH_ALEN}, |
| {"veth0_to_bond", ETH_ALEN}, |
| {"veth1_to_bond", ETH_ALEN}, |
| {"veth0_to_team", ETH_ALEN}, |
| {"veth1_to_team", ETH_ALEN}, |
| {"veth0_to_hsr", ETH_ALEN}, |
| {"veth1_to_hsr", ETH_ALEN}, |
| {"hsr0", 0}, |
| {"dummy0", ETH_ALEN}, |
| {"nlmon0", 0}, |
| {"vxcan1", 0, true}, |
| {"caif0", ETH_ALEN}, |
| {"batadv0", ETH_ALEN}, |
| {netdevsim, ETH_ALEN}, |
| }; |
| int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE); |
| if (sock == -1) |
| exit(1); |
| unsigned i; |
| for (i = 0; i < sizeof(devtypes) / sizeof(devtypes[0]); i++) |
| netlink_add_device(sock, devtypes[i].type, devtypes[i].dev); |
| for (i = 0; i < sizeof(devmasters) / (sizeof(devmasters[0])); i++) { |
| char master[32], slave0[32], veth0[32], slave1[32], veth1[32]; |
| sprintf(slave0, "%s_slave_0", devmasters[i]); |
| sprintf(veth0, "veth0_to_%s", devmasters[i]); |
| netlink_add_veth(sock, slave0, veth0); |
| sprintf(slave1, "%s_slave_1", devmasters[i]); |
| sprintf(veth1, "veth1_to_%s", devmasters[i]); |
| netlink_add_veth(sock, slave1, veth1); |
| sprintf(master, "%s0", devmasters[i]); |
| netlink_device_change(sock, slave0, false, master, 0, 0); |
| netlink_device_change(sock, slave1, false, master, 0, 0); |
| } |
| netlink_device_change(sock, "bridge_slave_0", true, 0, 0, 0); |
| netlink_device_change(sock, "bridge_slave_1", true, 0, 0, 0); |
| netlink_add_veth(sock, "hsr_slave_0", "veth0_to_hsr"); |
| netlink_add_veth(sock, "hsr_slave_1", "veth1_to_hsr"); |
| netlink_add_hsr(sock, "hsr0", "hsr_slave_0", "hsr_slave_1"); |
| netlink_device_change(sock, "hsr_slave_0", true, 0, 0, 0); |
| netlink_device_change(sock, "hsr_slave_1", true, 0, 0, 0); |
| for (i = 0; i < sizeof(devices) / (sizeof(devices[0])); i++) { |
| char addr[32]; |
| sprintf(addr, DEV_IPV4, i + 10); |
| netlink_add_addr4(sock, devices[i].name, addr); |
| if (!devices[i].noipv6) { |
| sprintf(addr, DEV_IPV6, i + 10); |
| netlink_add_addr6(sock, devices[i].name, addr); |
| } |
| uint64_t macaddr = DEV_MAC + ((i + 10ull) << 40); |
| netlink_device_change(sock, devices[i].name, true, 0, &macaddr, |
| devices[i].macsize); |
| } |
| close(sock); |
| } |
| static void initialize_netdevices_init(void) |
| { |
| int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE); |
| if (sock == -1) |
| exit(1); |
| struct { |
| const char* type; |
| int macsize; |
| bool noipv6; |
| bool noup; |
| } devtypes[] = { |
| {"nr", 7, true}, {"rose", 5, true, true}, |
| }; |
| unsigned i; |
| for (i = 0; i < sizeof(devtypes) / sizeof(devtypes[0]); i++) { |
| char dev[32], addr[32]; |
| sprintf(dev, "%s%d", devtypes[i].type, (int)procid); |
| sprintf(addr, "172.30.%d.%d", i, (int)procid + 1); |
| netlink_add_addr4(sock, dev, addr); |
| if (!devtypes[i].noipv6) { |
| sprintf(addr, "fe88::%02x:%02x", i, (int)procid + 1); |
| netlink_add_addr6(sock, dev, addr); |
| } |
| int macsize = devtypes[i].macsize; |
| uint64_t macaddr = 0xbbbbbb + |
| ((unsigned long long)i << (8 * (macsize - 2))) + |
| (procid << (8 * (macsize - 1))); |
| netlink_device_change(sock, dev, !devtypes[i].noup, 0, &macaddr, macsize); |
| } |
| close(sock); |
| } |
| |
| static int read_tun(char* data, int size) |
| { |
| if (tunfd < 0) |
| return -1; |
| int rv = read(tunfd, data, size); |
| if (rv < 0) { |
| if (errno == EAGAIN) |
| return -1; |
| if (errno == EBADFD) |
| return -1; |
| exit(1); |
| } |
| return rv; |
| } |
| |
| static void flush_tun() |
| { |
| char data[SYZ_TUN_MAX_PACKET_SIZE]; |
| while (read_tun(&data[0], sizeof(data)) != -1) { |
| } |
| } |
| |
| #define XT_TABLE_SIZE 1536 |
| #define XT_MAX_ENTRIES 10 |
| |
| struct xt_counters { |
| uint64_t pcnt, bcnt; |
| }; |
| |
| struct ipt_getinfo { |
| char name[32]; |
| unsigned int valid_hooks; |
| unsigned int hook_entry[5]; |
| unsigned int underflow[5]; |
| unsigned int num_entries; |
| unsigned int size; |
| }; |
| |
| struct ipt_get_entries { |
| char name[32]; |
| unsigned int size; |
| void* entrytable[XT_TABLE_SIZE / sizeof(void*)]; |
| }; |
| |
| struct ipt_replace { |
| char name[32]; |
| unsigned int valid_hooks; |
| unsigned int num_entries; |
| unsigned int size; |
| unsigned int hook_entry[5]; |
| unsigned int underflow[5]; |
| unsigned int num_counters; |
| struct xt_counters* counters; |
| char entrytable[XT_TABLE_SIZE]; |
| }; |
| |
| struct ipt_table_desc { |
| const char* name; |
| struct ipt_getinfo info; |
| struct ipt_replace replace; |
| }; |
| |
| static struct ipt_table_desc ipv4_tables[] = { |
| {.name = "filter"}, {.name = "nat"}, {.name = "mangle"}, |
| {.name = "raw"}, {.name = "security"}, |
| }; |
| |
| static struct ipt_table_desc ipv6_tables[] = { |
| {.name = "filter"}, {.name = "nat"}, {.name = "mangle"}, |
| {.name = "raw"}, {.name = "security"}, |
| }; |
| |
| #define IPT_BASE_CTL 64 |
| #define IPT_SO_SET_REPLACE (IPT_BASE_CTL) |
| #define IPT_SO_GET_INFO (IPT_BASE_CTL) |
| #define IPT_SO_GET_ENTRIES (IPT_BASE_CTL + 1) |
| |
| struct arpt_getinfo { |
| char name[32]; |
| unsigned int valid_hooks; |
| unsigned int hook_entry[3]; |
| unsigned int underflow[3]; |
| unsigned int num_entries; |
| unsigned int size; |
| }; |
| |
| struct arpt_get_entries { |
| char name[32]; |
| unsigned int size; |
| void* entrytable[XT_TABLE_SIZE / sizeof(void*)]; |
| }; |
| |
| struct arpt_replace { |
| char name[32]; |
| unsigned int valid_hooks; |
| unsigned int num_entries; |
| unsigned int size; |
| unsigned int hook_entry[3]; |
| unsigned int underflow[3]; |
| unsigned int num_counters; |
| struct xt_counters* counters; |
| char entrytable[XT_TABLE_SIZE]; |
| }; |
| |
| struct arpt_table_desc { |
| const char* name; |
| struct arpt_getinfo info; |
| struct arpt_replace replace; |
| }; |
| |
| static struct arpt_table_desc arpt_tables[] = { |
| {.name = "filter"}, |
| }; |
| |
| #define ARPT_BASE_CTL 96 |
| #define ARPT_SO_SET_REPLACE (ARPT_BASE_CTL) |
| #define ARPT_SO_GET_INFO (ARPT_BASE_CTL) |
| #define ARPT_SO_GET_ENTRIES (ARPT_BASE_CTL + 1) |
| |
| static void checkpoint_iptables(struct ipt_table_desc* tables, int num_tables, |
| int family, int level) |
| { |
| struct ipt_get_entries entries; |
| socklen_t optlen; |
| int fd, i; |
| fd = socket(family, SOCK_STREAM, IPPROTO_TCP); |
| if (fd == -1) { |
| switch (errno) { |
| case EAFNOSUPPORT: |
| case ENOPROTOOPT: |
| return; |
| } |
| exit(1); |
| } |
| for (i = 0; i < num_tables; i++) { |
| struct ipt_table_desc* table = &tables[i]; |
| strcpy(table->info.name, table->name); |
| strcpy(table->replace.name, table->name); |
| optlen = sizeof(table->info); |
| if (getsockopt(fd, level, IPT_SO_GET_INFO, &table->info, &optlen)) { |
| switch (errno) { |
| case EPERM: |
| case ENOENT: |
| case ENOPROTOOPT: |
| continue; |
| } |
| exit(1); |
| } |
| if (table->info.size > sizeof(table->replace.entrytable)) |
| exit(1); |
| if (table->info.num_entries > XT_MAX_ENTRIES) |
| exit(1); |
| memset(&entries, 0, sizeof(entries)); |
| strcpy(entries.name, table->name); |
| entries.size = table->info.size; |
| optlen = sizeof(entries) - sizeof(entries.entrytable) + table->info.size; |
| if (getsockopt(fd, level, IPT_SO_GET_ENTRIES, &entries, &optlen)) |
| exit(1); |
| table->replace.valid_hooks = table->info.valid_hooks; |
| table->replace.num_entries = table->info.num_entries; |
| table->replace.size = table->info.size; |
| memcpy(table->replace.hook_entry, table->info.hook_entry, |
| sizeof(table->replace.hook_entry)); |
| memcpy(table->replace.underflow, table->info.underflow, |
| sizeof(table->replace.underflow)); |
| memcpy(table->replace.entrytable, entries.entrytable, table->info.size); |
| } |
| close(fd); |
| } |
| |
| static void reset_iptables(struct ipt_table_desc* tables, int num_tables, |
| int family, int level) |
| { |
| struct xt_counters counters[XT_MAX_ENTRIES]; |
| struct ipt_get_entries entries; |
| struct ipt_getinfo info; |
| socklen_t optlen; |
| int fd, i; |
| fd = socket(family, SOCK_STREAM, IPPROTO_TCP); |
| if (fd == -1) { |
| switch (errno) { |
| case EAFNOSUPPORT: |
| case ENOPROTOOPT: |
| return; |
| } |
| exit(1); |
| } |
| for (i = 0; i < num_tables; i++) { |
| struct ipt_table_desc* table = &tables[i]; |
| if (table->info.valid_hooks == 0) |
| continue; |
| memset(&info, 0, sizeof(info)); |
| strcpy(info.name, table->name); |
| optlen = sizeof(info); |
| if (getsockopt(fd, level, IPT_SO_GET_INFO, &info, &optlen)) |
| exit(1); |
| if (memcmp(&table->info, &info, sizeof(table->info)) == 0) { |
| memset(&entries, 0, sizeof(entries)); |
| strcpy(entries.name, table->name); |
| entries.size = table->info.size; |
| optlen = sizeof(entries) - sizeof(entries.entrytable) + entries.size; |
| if (getsockopt(fd, level, IPT_SO_GET_ENTRIES, &entries, &optlen)) |
| exit(1); |
| if (memcmp(table->replace.entrytable, entries.entrytable, |
| table->info.size) == 0) |
| continue; |
| } |
| table->replace.num_counters = info.num_entries; |
| table->replace.counters = counters; |
| optlen = sizeof(table->replace) - sizeof(table->replace.entrytable) + |
| table->replace.size; |
| if (setsockopt(fd, level, IPT_SO_SET_REPLACE, &table->replace, optlen)) |
| exit(1); |
| } |
| close(fd); |
| } |
| |
| static void checkpoint_arptables(void) |
| { |
| struct arpt_get_entries entries; |
| socklen_t optlen; |
| unsigned i; |
| int fd; |
| fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); |
| if (fd == -1) { |
| switch (errno) { |
| case EAFNOSUPPORT: |
| case ENOPROTOOPT: |
| return; |
| } |
| exit(1); |
| } |
| for (i = 0; i < sizeof(arpt_tables) / sizeof(arpt_tables[0]); i++) { |
| struct arpt_table_desc* table = &arpt_tables[i]; |
| strcpy(table->info.name, table->name); |
| strcpy(table->replace.name, table->name); |
| optlen = sizeof(table->info); |
| if (getsockopt(fd, SOL_IP, ARPT_SO_GET_INFO, &table->info, &optlen)) { |
| switch (errno) { |
| case EPERM: |
| case ENOENT: |
| case ENOPROTOOPT: |
| continue; |
| } |
| exit(1); |
| } |
| if (table->info.size > sizeof(table->replace.entrytable)) |
| exit(1); |
| if (table->info.num_entries > XT_MAX_ENTRIES) |
| exit(1); |
| memset(&entries, 0, sizeof(entries)); |
| strcpy(entries.name, table->name); |
| entries.size = table->info.size; |
| optlen = sizeof(entries) - sizeof(entries.entrytable) + table->info.size; |
| if (getsockopt(fd, SOL_IP, ARPT_SO_GET_ENTRIES, &entries, &optlen)) |
| exit(1); |
| table->replace.valid_hooks = table->info.valid_hooks; |
| table->replace.num_entries = table->info.num_entries; |
| table->replace.size = table->info.size; |
| memcpy(table->replace.hook_entry, table->info.hook_entry, |
| sizeof(table->replace.hook_entry)); |
| memcpy(table->replace.underflow, table->info.underflow, |
| sizeof(table->replace.underflow)); |
| memcpy(table->replace.entrytable, entries.entrytable, table->info.size); |
| } |
| close(fd); |
| } |
| |
| static void reset_arptables() |
| { |
| struct xt_counters counters[XT_MAX_ENTRIES]; |
| struct arpt_get_entries entries; |
| struct arpt_getinfo info; |
| socklen_t optlen; |
| unsigned i; |
| int fd; |
| fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); |
| if (fd == -1) { |
| switch (errno) { |
| case EAFNOSUPPORT: |
| case ENOPROTOOPT: |
| return; |
| } |
| exit(1); |
| } |
| for (i = 0; i < sizeof(arpt_tables) / sizeof(arpt_tables[0]); i++) { |
| struct arpt_table_desc* table = &arpt_tables[i]; |
| if (table->info.valid_hooks == 0) |
| continue; |
| memset(&info, 0, sizeof(info)); |
| strcpy(info.name, table->name); |
| optlen = sizeof(info); |
| if (getsockopt(fd, SOL_IP, ARPT_SO_GET_INFO, &info, &optlen)) |
| exit(1); |
| if (memcmp(&table->info, &info, sizeof(table->info)) == 0) { |
| memset(&entries, 0, sizeof(entries)); |
| strcpy(entries.name, table->name); |
| entries.size = table->info.size; |
| optlen = sizeof(entries) - sizeof(entries.entrytable) + entries.size; |
| if (getsockopt(fd, SOL_IP, ARPT_SO_GET_ENTRIES, &entries, &optlen)) |
| exit(1); |
| if (memcmp(table->replace.entrytable, entries.entrytable, |
| table->info.size) == 0) |
| continue; |
| } else { |
| } |
| table->replace.num_counters = info.num_entries; |
| table->replace.counters = counters; |
| optlen = sizeof(table->replace) - sizeof(table->replace.entrytable) + |
| table->replace.size; |
| if (setsockopt(fd, SOL_IP, ARPT_SO_SET_REPLACE, &table->replace, optlen)) |
| exit(1); |
| } |
| close(fd); |
| } |
| |
| #define NF_BR_NUMHOOKS 6 |
| #define EBT_TABLE_MAXNAMELEN 32 |
| #define EBT_CHAIN_MAXNAMELEN 32 |
| #define EBT_BASE_CTL 128 |
| #define EBT_SO_SET_ENTRIES (EBT_BASE_CTL) |
| #define EBT_SO_GET_INFO (EBT_BASE_CTL) |
| #define EBT_SO_GET_ENTRIES (EBT_SO_GET_INFO + 1) |
| #define EBT_SO_GET_INIT_INFO (EBT_SO_GET_ENTRIES + 1) |
| #define EBT_SO_GET_INIT_ENTRIES (EBT_SO_GET_INIT_INFO + 1) |
| |
| struct ebt_replace { |
| char name[EBT_TABLE_MAXNAMELEN]; |
| unsigned int valid_hooks; |
| unsigned int nentries; |
| unsigned int entries_size; |
| struct ebt_entries* hook_entry[NF_BR_NUMHOOKS]; |
| unsigned int num_counters; |
| struct ebt_counter* counters; |
| char* entries; |
| }; |
| |
| struct ebt_entries { |
| unsigned int distinguisher; |
| char name[EBT_CHAIN_MAXNAMELEN]; |
| unsigned int counter_offset; |
| int policy; |
| unsigned int nentries; |
| char data[0] __attribute__((aligned(__alignof__(struct ebt_replace)))); |
| }; |
| |
| struct ebt_table_desc { |
| const char* name; |
| struct ebt_replace replace; |
| char entrytable[XT_TABLE_SIZE]; |
| }; |
| |
| static struct ebt_table_desc ebt_tables[] = { |
| {.name = "filter"}, {.name = "nat"}, {.name = "broute"}, |
| }; |
| |
| static void checkpoint_ebtables(void) |
| { |
| socklen_t optlen; |
| unsigned i; |
| int fd; |
| fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); |
| if (fd == -1) { |
| switch (errno) { |
| case EAFNOSUPPORT: |
| case ENOPROTOOPT: |
| return; |
| } |
| exit(1); |
| } |
| for (i = 0; i < sizeof(ebt_tables) / sizeof(ebt_tables[0]); i++) { |
| struct ebt_table_desc* table = &ebt_tables[i]; |
| strcpy(table->replace.name, table->name); |
| optlen = sizeof(table->replace); |
| if (getsockopt(fd, SOL_IP, EBT_SO_GET_INIT_INFO, &table->replace, |
| &optlen)) { |
| switch (errno) { |
| case EPERM: |
| case ENOENT: |
| case ENOPROTOOPT: |
| continue; |
| } |
| exit(1); |
| } |
| if (table->replace.entries_size > sizeof(table->entrytable)) |
| exit(1); |
| table->replace.num_counters = 0; |
| table->replace.entries = table->entrytable; |
| optlen = sizeof(table->replace) + table->replace.entries_size; |
| if (getsockopt(fd, SOL_IP, EBT_SO_GET_INIT_ENTRIES, &table->replace, |
| &optlen)) |
| exit(1); |
| } |
| close(fd); |
| } |
| |
| static void reset_ebtables() |
| { |
| struct ebt_replace replace; |
| char entrytable[XT_TABLE_SIZE]; |
| socklen_t optlen; |
| unsigned i, j, h; |
| int fd; |
| fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); |
| if (fd == -1) { |
| switch (errno) { |
| case EAFNOSUPPORT: |
| case ENOPROTOOPT: |
| return; |
| } |
| exit(1); |
| } |
| for (i = 0; i < sizeof(ebt_tables) / sizeof(ebt_tables[0]); i++) { |
| struct ebt_table_desc* table = &ebt_tables[i]; |
| if (table->replace.valid_hooks == 0) |
| continue; |
| memset(&replace, 0, sizeof(replace)); |
| strcpy(replace.name, table->name); |
| optlen = sizeof(replace); |
| if (getsockopt(fd, SOL_IP, EBT_SO_GET_INFO, &replace, &optlen)) |
| exit(1); |
| replace.num_counters = 0; |
| table->replace.entries = 0; |
| for (h = 0; h < NF_BR_NUMHOOKS; h++) |
| table->replace.hook_entry[h] = 0; |
| if (memcmp(&table->replace, &replace, sizeof(table->replace)) == 0) { |
| memset(&entrytable, 0, sizeof(entrytable)); |
| replace.entries = entrytable; |
| optlen = sizeof(replace) + replace.entries_size; |
| if (getsockopt(fd, SOL_IP, EBT_SO_GET_ENTRIES, &replace, &optlen)) |
| exit(1); |
| if (memcmp(table->entrytable, entrytable, replace.entries_size) == 0) |
| continue; |
| } |
| for (j = 0, h = 0; h < NF_BR_NUMHOOKS; h++) { |
| if (table->replace.valid_hooks & (1 << h)) { |
| table->replace.hook_entry[h] = |
| (struct ebt_entries*)table->entrytable + j; |
| j++; |
| } |
| } |
| table->replace.entries = table->entrytable; |
| optlen = sizeof(table->replace) + table->replace.entries_size; |
| if (setsockopt(fd, SOL_IP, EBT_SO_SET_ENTRIES, &table->replace, optlen)) |
| exit(1); |
| } |
| close(fd); |
| } |
| |
| static void checkpoint_net_namespace(void) |
| { |
| checkpoint_ebtables(); |
| checkpoint_arptables(); |
| checkpoint_iptables(ipv4_tables, sizeof(ipv4_tables) / sizeof(ipv4_tables[0]), |
| AF_INET, SOL_IP); |
| checkpoint_iptables(ipv6_tables, sizeof(ipv6_tables) / sizeof(ipv6_tables[0]), |
| AF_INET6, SOL_IPV6); |
| } |
| |
| static void reset_net_namespace(void) |
| { |
| reset_ebtables(); |
| reset_arptables(); |
| reset_iptables(ipv4_tables, sizeof(ipv4_tables) / sizeof(ipv4_tables[0]), |
| AF_INET, SOL_IP); |
| reset_iptables(ipv6_tables, sizeof(ipv6_tables) / sizeof(ipv6_tables[0]), |
| AF_INET6, SOL_IPV6); |
| } |
| |
| static void setup_cgroups() |
| { |
| if (mkdir("/syzcgroup", 0777)) { |
| } |
| if (mkdir("/syzcgroup/unified", 0777)) { |
| } |
| if (mount("none", "/syzcgroup/unified", "cgroup2", 0, NULL)) { |
| } |
| if (chmod("/syzcgroup/unified", 0777)) { |
| } |
| write_file("/syzcgroup/unified/cgroup.subtree_control", |
| "+cpu +memory +io +pids +rdma"); |
| if (mkdir("/syzcgroup/cpu", 0777)) { |
| } |
| if (mount("none", "/syzcgroup/cpu", "cgroup", 0, |
| "cpuset,cpuacct,perf_event,hugetlb")) { |
| } |
| write_file("/syzcgroup/cpu/cgroup.clone_children", "1"); |
| if (chmod("/syzcgroup/cpu", 0777)) { |
| } |
| if (mkdir("/syzcgroup/net", 0777)) { |
| } |
| if (mount("none", "/syzcgroup/net", "cgroup", 0, |
| "net_cls,net_prio,devices,freezer")) { |
| } |
| if (chmod("/syzcgroup/net", 0777)) { |
| } |
| } |
| |
| static void setup_cgroups_loop() |
| { |
| int pid = getpid(); |
| char file[128]; |
| char cgroupdir[64]; |
| snprintf(cgroupdir, sizeof(cgroupdir), "/syzcgroup/unified/syz%llu", procid); |
| if (mkdir(cgroupdir, 0777)) { |
| } |
| snprintf(file, sizeof(file), "%s/pids.max", cgroupdir); |
| write_file(file, "32"); |
| snprintf(file, sizeof(file), "%s/memory.low", cgroupdir); |
| write_file(file, "%d", 298 << 20); |
| snprintf(file, sizeof(file), "%s/memory.high", cgroupdir); |
| write_file(file, "%d", 299 << 20); |
| snprintf(file, sizeof(file), "%s/memory.max", cgroupdir); |
| write_file(file, "%d", 300 << 20); |
| snprintf(file, sizeof(file), "%s/cgroup.procs", cgroupdir); |
| write_file(file, "%d", pid); |
| snprintf(cgroupdir, sizeof(cgroupdir), "/syzcgroup/cpu/syz%llu", procid); |
| if (mkdir(cgroupdir, 0777)) { |
| } |
| snprintf(file, sizeof(file), "%s/cgroup.procs", cgroupdir); |
| write_file(file, "%d", pid); |
| snprintf(cgroupdir, sizeof(cgroupdir), "/syzcgroup/net/syz%llu", procid); |
| if (mkdir(cgroupdir, 0777)) { |
| } |
| snprintf(file, sizeof(file), "%s/cgroup.procs", cgroupdir); |
| write_file(file, "%d", pid); |
| } |
| |
| static void setup_cgroups_test() |
| { |
| char cgroupdir[64]; |
| snprintf(cgroupdir, sizeof(cgroupdir), "/syzcgroup/unified/syz%llu", procid); |
| if (symlink(cgroupdir, "./cgroup")) { |
| } |
| snprintf(cgroupdir, sizeof(cgroupdir), "/syzcgroup/cpu/syz%llu", procid); |
| if (symlink(cgroupdir, "./cgroup.cpu")) { |
| } |
| snprintf(cgroupdir, sizeof(cgroupdir), "/syzcgroup/net/syz%llu", procid); |
| if (symlink(cgroupdir, "./cgroup.net")) { |
| } |
| } |
| |
| static void setup_common() |
| { |
| if (mount(0, "/sys/fs/fuse/connections", "fusectl", 0, 0)) { |
| } |
| setup_cgroups(); |
| } |
| |
| static void loop(); |
| |
| static void sandbox_common() |
| { |
| prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); |
| setpgrp(); |
| setsid(); |
| struct rlimit rlim; |
| rlim.rlim_cur = rlim.rlim_max = (200 << 20); |
| setrlimit(RLIMIT_AS, &rlim); |
| rlim.rlim_cur = rlim.rlim_max = 32 << 20; |
| setrlimit(RLIMIT_MEMLOCK, &rlim); |
| rlim.rlim_cur = rlim.rlim_max = 136 << 20; |
| setrlimit(RLIMIT_FSIZE, &rlim); |
| rlim.rlim_cur = rlim.rlim_max = 1 << 20; |
| setrlimit(RLIMIT_STACK, &rlim); |
| rlim.rlim_cur = rlim.rlim_max = 0; |
| setrlimit(RLIMIT_CORE, &rlim); |
| rlim.rlim_cur = rlim.rlim_max = 256; |
| setrlimit(RLIMIT_NOFILE, &rlim); |
| if (unshare(CLONE_NEWNS)) { |
| } |
| if (unshare(CLONE_NEWIPC)) { |
| } |
| if (unshare(0x02000000)) { |
| } |
| if (unshare(CLONE_NEWUTS)) { |
| } |
| if (unshare(CLONE_SYSVSEM)) { |
| } |
| typedef struct { |
| const char* name; |
| const char* value; |
| } sysctl_t; |
| static const sysctl_t sysctls[] = { |
| {"/proc/sys/kernel/shmmax", "16777216"}, |
| {"/proc/sys/kernel/shmall", "536870912"}, |
| {"/proc/sys/kernel/shmmni", "1024"}, |
| {"/proc/sys/kernel/msgmax", "8192"}, |
| {"/proc/sys/kernel/msgmni", "1024"}, |
| {"/proc/sys/kernel/msgmnb", "1024"}, |
| {"/proc/sys/kernel/sem", "1024 1048576 500 1024"}, |
| }; |
| unsigned i; |
| for (i = 0; i < sizeof(sysctls) / sizeof(sysctls[0]); i++) |
| write_file(sysctls[i].name, sysctls[i].value); |
| } |
| |
| int wait_for_loop(int pid) |
| { |
| if (pid < 0) |
| exit(1); |
| int status = 0; |
| while (waitpid(-1, &status, __WALL) != pid) { |
| } |
| return WEXITSTATUS(status); |
| } |
| |
| static void drop_caps(void) |
| { |
| struct __user_cap_header_struct cap_hdr = {}; |
| struct __user_cap_data_struct cap_data[2] = {}; |
| cap_hdr.version = _LINUX_CAPABILITY_VERSION_3; |
| cap_hdr.pid = getpid(); |
| if (syscall(SYS_capget, &cap_hdr, &cap_data)) |
| exit(1); |
| const int drop = (1 << CAP_SYS_PTRACE) | (1 << CAP_SYS_NICE); |
| cap_data[0].effective &= ~drop; |
| cap_data[0].permitted &= ~drop; |
| cap_data[0].inheritable &= ~drop; |
| if (syscall(SYS_capset, &cap_hdr, &cap_data)) |
| exit(1); |
| } |
| |
| static int do_sandbox_none(void) |
| { |
| if (unshare(CLONE_NEWPID)) { |
| } |
| int pid = fork(); |
| if (pid != 0) |
| return wait_for_loop(pid); |
| setup_common(); |
| sandbox_common(); |
| drop_caps(); |
| initialize_netdevices_init(); |
| if (unshare(CLONE_NEWNET)) { |
| } |
| initialize_tun(); |
| initialize_netdevices(); |
| loop(); |
| exit(1); |
| } |
| |
| #define FS_IOC_SETFLAGS _IOW('f', 2, long) |
| static void remove_dir(const char* dir) |
| { |
| DIR* dp; |
| struct dirent* ep; |
| int iter = 0; |
| retry: |
| while (umount2(dir, MNT_DETACH) == 0) { |
| } |
| dp = opendir(dir); |
| if (dp == NULL) { |
| if (errno == EMFILE) { |
| exit(1); |
| } |
| exit(1); |
| } |
| while ((ep = readdir(dp))) { |
| if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0) |
| continue; |
| char filename[FILENAME_MAX]; |
| snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name); |
| while (umount2(filename, MNT_DETACH) == 0) { |
| } |
| struct stat st; |
| if (lstat(filename, &st)) |
| exit(1); |
| if (S_ISDIR(st.st_mode)) { |
| remove_dir(filename); |
| continue; |
| } |
| int i; |
| for (i = 0;; i++) { |
| if (unlink(filename) == 0) |
| break; |
| if (errno == EPERM) { |
| int fd = open(filename, O_RDONLY); |
| if (fd != -1) { |
| long flags = 0; |
| if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) |
| close(fd); |
| continue; |
| } |
| } |
| if (errno == EROFS) { |
| break; |
| } |
| if (errno != EBUSY || i > 100) |
| exit(1); |
| if (umount2(filename, MNT_DETACH)) |
| exit(1); |
| } |
| } |
| closedir(dp); |
| int i; |
| for (i = 0;; i++) { |
| if (rmdir(dir) == 0) |
| break; |
| if (i < 100) { |
| if (errno == EPERM) { |
| int fd = open(dir, O_RDONLY); |
| if (fd != -1) { |
| long flags = 0; |
| if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) |
| close(fd); |
| continue; |
| } |
| } |
| if (errno == EROFS) { |
| break; |
| } |
| if (errno == EBUSY) { |
| if (umount2(dir, MNT_DETACH)) |
| exit(1); |
| continue; |
| } |
| if (errno == ENOTEMPTY) { |
| if (iter < 100) { |
| iter++; |
| goto retry; |
| } |
| } |
| } |
| exit(1); |
| } |
| } |
| |
| static void kill_and_wait(int pid, int* status) |
| { |
| kill(-pid, SIGKILL); |
| kill(pid, SIGKILL); |
| int i; |
| for (i = 0; i < 100; i++) { |
| if (waitpid(-1, status, WNOHANG | __WALL) == pid) |
| return; |
| usleep(1000); |
| } |
| DIR* dir = opendir("/sys/fs/fuse/connections"); |
| if (dir) { |
| for (;;) { |
| struct dirent* ent = readdir(dir); |
| if (!ent) |
| break; |
| if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0) |
| continue; |
| char abort[300]; |
| snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort", |
| ent->d_name); |
| int fd = open(abort, O_WRONLY); |
| if (fd == -1) { |
| continue; |
| } |
| if (write(fd, abort, 1) < 0) { |
| } |
| close(fd); |
| } |
| closedir(dir); |
| } else { |
| } |
| while (waitpid(-1, status, __WALL) != pid) { |
| } |
| } |
| |
| static void setup_loop() |
| { |
| setup_cgroups_loop(); |
| checkpoint_net_namespace(); |
| } |
| |
| static void reset_loop() |
| { |
| reset_net_namespace(); |
| } |
| |
| static void setup_test() |
| { |
| prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); |
| setpgrp(); |
| setup_cgroups_test(); |
| write_file("/proc/self/oom_score_adj", "1000"); |
| flush_tun(); |
| } |
| |
| static void close_fds() |
| { |
| int fd; |
| for (fd = 3; fd < 30; fd++) |
| close(fd); |
| } |
| |
| static void setup_binfmt_misc() |
| { |
| if (mount(0, "/proc/sys/fs/binfmt_misc", "binfmt_misc", 0, 0)) { |
| } |
| write_file("/proc/sys/fs/binfmt_misc/register", ":syz0:M:0:\x01::./file0:"); |
| write_file("/proc/sys/fs/binfmt_misc/register", |
| ":syz1:M:1:\x02::./file0:POC"); |
| } |
| |
| struct thread_t { |
| int created, call; |
| event_t ready, done; |
| }; |
| |
| static struct thread_t threads[16]; |
| static void execute_call(int call); |
| static int running; |
| |
| static void* thr(void* arg) |
| { |
| struct thread_t* th = (struct thread_t*)arg; |
| for (;;) { |
| event_wait(&th->ready); |
| event_reset(&th->ready); |
| execute_call(th->call); |
| __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED); |
| event_set(&th->done); |
| } |
| return 0; |
| } |
| |
| static void execute_one(void) |
| { |
| int i, call, thread; |
| for (call = 0; call < 4; call++) { |
| for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); |
| thread++) { |
| struct thread_t* th = &threads[thread]; |
| if (!th->created) { |
| th->created = 1; |
| event_init(&th->ready); |
| event_init(&th->done); |
| event_set(&th->done); |
| thread_start(thr, th); |
| } |
| if (!event_isset(&th->done)) |
| continue; |
| event_reset(&th->done); |
| th->call = call; |
| __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED); |
| event_set(&th->ready); |
| event_timedwait(&th->done, 45); |
| break; |
| } |
| } |
| for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++) |
| sleep_ms(1); |
| close_fds(); |
| } |
| |
| static void execute_one(void); |
| |
| #define WAIT_FLAGS __WALL |
| |
| static void loop(void) |
| { |
| setup_loop(); |
| int iter; |
| for (iter = 0;; iter++) { |
| char cwdbuf[32]; |
| sprintf(cwdbuf, "./%d", iter); |
| if (mkdir(cwdbuf, 0777)) |
| exit(1); |
| reset_loop(); |
| int pid = fork(); |
| if (pid < 0) |
| exit(1); |
| if (pid == 0) { |
| if (chdir(cwdbuf)) |
| exit(1); |
| setup_test(); |
| execute_one(); |
| exit(0); |
| } |
| int status = 0; |
| uint64_t start = current_time_ms(); |
| for (;;) { |
| if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) |
| break; |
| sleep_ms(1); |
| if (current_time_ms() - start < 5 * 1000) |
| continue; |
| kill_and_wait(pid, &status); |
| break; |
| } |
| remove_dir(cwdbuf); |
| } |
| } |
| |
| uint64_t r[1] = {0xffffffffffffffff}; |
| |
| void execute_call(int call) |
| { |
| intptr_t res; |
| switch (call) { |
| case 0: |
| res = syscall(__NR_socket, 0xa, 3, 0x3c); |
| if (res != -1) |
| r[0] = res; |
| break; |
| case 1: |
| NONFAILING(*(uint16_t*)0x20000140 = 0xa); |
| NONFAILING(*(uint16_t*)0x20000142 = htobe16(0)); |
| NONFAILING(*(uint32_t*)0x20000144 = htobe32(0)); |
| NONFAILING(*(uint8_t*)0x20000148 = -1); |
| NONFAILING(*(uint8_t*)0x20000149 = 2); |
| NONFAILING(*(uint8_t*)0x2000014a = 0); |
| NONFAILING(*(uint8_t*)0x2000014b = 0); |
| NONFAILING(*(uint8_t*)0x2000014c = 0); |
| NONFAILING(*(uint8_t*)0x2000014d = 0); |
| NONFAILING(*(uint8_t*)0x2000014e = 0); |
| NONFAILING(*(uint8_t*)0x2000014f = 0); |
| NONFAILING(*(uint8_t*)0x20000150 = 0); |
| NONFAILING(*(uint8_t*)0x20000151 = 0); |
| NONFAILING(*(uint8_t*)0x20000152 = 0); |
| NONFAILING(*(uint8_t*)0x20000153 = 0); |
| NONFAILING(*(uint8_t*)0x20000154 = 0); |
| NONFAILING(*(uint8_t*)0x20000155 = 0); |
| NONFAILING(*(uint8_t*)0x20000156 = 0); |
| NONFAILING(*(uint8_t*)0x20000157 = 1); |
| NONFAILING(*(uint32_t*)0x20000158 = 9); |
| syscall(__NR_connect, r[0], 0x20000140, 0x1c); |
| break; |
| case 2: |
| NONFAILING(memcpy( |
| (void*)0x200001c0, |
| "\x3a\xae\x00\x00\x00\x23\x7b\x3d\x03\x00\x00\x00\x00\x00\xf4\x94\x9a" |
| "\x2d\xee\x32\xb1\x62\x64\x07\x36\xb9\xbe\xca\xba\x3d\xe7\xb4\x01\x00" |
| "\x00\x20\x00\x00\x00\x00\x19\x8c\xe1\x79\x05\xd3\x2c\xe5\x04\xd9\x93" |
| "\x49\x46\xcf\xae\xb9\x2e\xca\x74\x05\x08\xbd\x92\x0c\xbe\xdd\x79\x4c" |
| "\x1a\xaa\xdc\xf6\x6a\x62\x8b\x3c\xcc\x05\x7c\x2a\xe6\xb8\x99\xd4\x04" |
| "\x8c\x0b\x55\x74\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\x00\x8d\xc6" |
| "\x18\xc6\x45\x15\x6c\xf0\x63\x71\x19\x89\x49\xc4\x48\x73\x2a\xa5\x45" |
| "\xfe\xdc\x85\x6f\xdb\xf5\xc4\xc5\x86\xfc\x7b\x0c\x1c\x73\x86\xe7\xb0" |
| "\xc6\x6f\x9b\x64\xad\xf1\x11\xcb\x89\xc9\x6e\x7e\xa5\x30\x72\x64\xaa" |
| "\xeb\x01\x36\x8d\x1c\x65\x36\x5b\x5a\x8d\xc7\x34\x9d\x82\x33\x44\x23" |
| "\xad\x1f\x7c\x2a\xbf\xa7\xf7\xc7\xe1\xdb\x90\x44\xf9\x87\x63\xf0\xb0" |
| "\x82\x3d\x20\x69\xe9\x2f\xa7\x32\x7e\x4c\x47\xda\x77\x07\xc6\x29\x11" |
| "\xfe\x95\x04\x05\xca\x20\x38\x22\xab\x90\xf2\x63\x85\xd4\x09\xc6\x47" |
| "\x3f\xc2\xfc\x6c\x1c\x38\xb4\xba\x6d\xb2\x81\xea\xd3\x1c\x87\xe6\x38" |
| "\x36\x41\x48\x70\x9d\x35\x8a\x5f\x5d\x80\x11\xc5\x02\x36\x5e\x79\xbc" |
| "\xb7\xa7\x1d\x81\x19\x8a\xad\x55\x21\x05\x11\xe1\xc7\xec\x92\x93\x42" |
| "\x8f\x11\x8c\x12\xac\x15\x53\xab\x33\x99\xc7\x60\xa1\x53\x2b\x57\xe1" |
| "\x3d\x7e\x1f\x54\x86\x07\xbf\xeb\x2c\x13\xf3\x52\xcf\x8f\xf9\x83\x71" |
| "\x68\xb5\xb1\x5d\x39\x74\xb8\x23\x3f\xd7", |
| 316)); |
| syscall(__NR_write, r[0], 0x200001c0, 0x41a0); |
| break; |
| case 3: |
| NONFAILING(memcpy((void*)0x200005c0, "filter\000\000\000\000\000\000\000" |
| "\000\000\000\000\000\000\000\000\000" |
| "\000\000\000\000\000\000\000\000\000" |
| "\000", |
| 32)); |
| NONFAILING(*(uint32_t*)0x200005e0 = 0xe); |
| NONFAILING(*(uint32_t*)0x200005e4 = 4); |
| NONFAILING(*(uint32_t*)0x200005e8 = 0x580); |
| NONFAILING(*(uint32_t*)0x200005ec = 0x4b0); |
| NONFAILING(*(uint32_t*)0x200005f0 = 0x260); |
| NONFAILING(*(uint32_t*)0x200005f4 = 0x378); |
| NONFAILING(*(uint32_t*)0x200005f8 = 0x260); |
| NONFAILING(*(uint32_t*)0x200005fc = 0x378); |
| NONFAILING(*(uint32_t*)0x20000600 = 0x4b0); |
| NONFAILING(*(uint32_t*)0x20000604 = 0x4b0); |
| NONFAILING(*(uint32_t*)0x20000608 = 0x4b0); |
| NONFAILING(*(uint32_t*)0x2000060c = 0x4b0); |
| NONFAILING(*(uint32_t*)0x20000610 = 0x4b0); |
| NONFAILING(*(uint32_t*)0x20000614 = 4); |
| NONFAILING(*(uint64_t*)0x20000618 = 0); |
| NONFAILING(memcpy( |
| (void*)0x20000620, |
| "\xdf\x63\x76\x0c\x30\xce\x51\x0e\x47\x18\x42\x36\xc9\xe9\xaf\x7b", |
| 16)); |
| NONFAILING(*(uint8_t*)0x20000630 = 0); |
| NONFAILING(*(uint8_t*)0x20000631 = 0); |
| NONFAILING(*(uint8_t*)0x20000632 = 0); |
| NONFAILING(*(uint8_t*)0x20000633 = 0); |
| NONFAILING(*(uint8_t*)0x20000634 = 0); |
| NONFAILING(*(uint8_t*)0x20000635 = 0); |
| NONFAILING(*(uint8_t*)0x20000636 = 0); |
| NONFAILING(*(uint8_t*)0x20000637 = 0); |
| NONFAILING(*(uint8_t*)0x20000638 = 0); |
| NONFAILING(*(uint8_t*)0x20000639 = 0); |
| NONFAILING(*(uint8_t*)0x2000063a = 0); |
| NONFAILING(*(uint8_t*)0x2000063b = 0); |
| NONFAILING(*(uint8_t*)0x2000063c = 0); |
| NONFAILING(*(uint8_t*)0x2000063d = 0); |
| NONFAILING(*(uint8_t*)0x2000063e = 0); |
| NONFAILING(*(uint8_t*)0x2000063f = 0); |
| NONFAILING(*(uint32_t*)0x20000640 = htobe32(0xff000000)); |
| NONFAILING(*(uint32_t*)0x20000644 = htobe32(-1)); |
| NONFAILING(*(uint32_t*)0x20000648 = htobe32(-1)); |
| NONFAILING(*(uint32_t*)0x2000064c = htobe32(0xff)); |
| NONFAILING(*(uint32_t*)0x20000650 = htobe32(0)); |
| NONFAILING(*(uint32_t*)0x20000654 = htobe32(-1)); |
| NONFAILING(*(uint32_t*)0x20000658 = htobe32(0xffffff00)); |
| NONFAILING(*(uint32_t*)0x2000065c = htobe32(0)); |
| NONFAILING(memcpy( |
| (void*)0x20000660, |
| "lo\000\000\000\000\000\000\000\000\000\000\000\000\000\000", 16)); |
| NONFAILING( |
| memcpy((void*)0x20000670, "ip6gretap0\000\000\000\000\000\000", 16)); |
| NONFAILING(*(uint8_t*)0x20000689 = -1); |
| NONFAILING(*(uint8_t*)0x200006a7 = 0); |
| NONFAILING(*(uint16_t*)0x200006b8 = 0x3b); |
| NONFAILING(*(uint8_t*)0x200006ba = 1); |
| NONFAILING(*(uint8_t*)0x200006bb = 4); |
| NONFAILING(*(uint8_t*)0x200006bc = 4); |
| NONFAILING(*(uint32_t*)0x200006c8 = 0); |
| NONFAILING(*(uint16_t*)0x200006cc = 0x228); |
| NONFAILING(*(uint16_t*)0x200006ce = 0x260); |
| NONFAILING(*(uint32_t*)0x200006d0 = 0); |
| NONFAILING(*(uint64_t*)0x200006d8 = 0); |
| NONFAILING(*(uint64_t*)0x200006e0 = 0); |
| NONFAILING(*(uint16_t*)0x200006e8 = 0x28); |
| NONFAILING(memcpy((void*)0x200006ea, "set\000\000\000\000\000\000\000\000" |
| "\000\000\000\000\000\000\000\000\000" |
| "\000\000\000\000\000\000\000\000\000", |
| 29)); |
| NONFAILING(*(uint8_t*)0x20000707 = 1); |
| NONFAILING(*(uint16_t*)0x20000708 = 0); |
| NONFAILING(*(uint8_t*)0x2000070a = 3); |
| NONFAILING(*(uint8_t*)0x2000070b = 0); |
| NONFAILING(*(uint16_t*)0x20000710 = 0x138); |
| NONFAILING(memcpy((void*)0x20000712, "rt\000\000\000\000\000\000\000\000" |
| "\000\000\000\000\000\000\000\000\000" |
| "\000\000\000\000\000\000\000\000\000" |
| "\000", |
| 29)); |
| NONFAILING(*(uint8_t*)0x2000072f = 0); |
| NONFAILING(*(uint32_t*)0x20000730 = 9); |
| NONFAILING(*(uint32_t*)0x20000734 = 0x80000000); |
| NONFAILING(*(uint32_t*)0x20000738 = 0x100); |
| NONFAILING(*(uint32_t*)0x2000073c = 0); |
| NONFAILING(*(uint8_t*)0x20000740 = 0x20); |
| NONFAILING(*(uint8_t*)0x20000741 = 6); |
| NONFAILING(*(uint8_t*)0x20000744 = 0); |
| NONFAILING(*(uint8_t*)0x20000745 = 0); |
| NONFAILING(*(uint8_t*)0x20000746 = 0); |
| NONFAILING(*(uint8_t*)0x20000747 = 0); |
| NONFAILING(*(uint8_t*)0x20000748 = 0); |
| NONFAILING(*(uint8_t*)0x20000749 = 0); |
| NONFAILING(*(uint8_t*)0x2000074a = 0); |
| NONFAILING(*(uint8_t*)0x2000074b = 0); |
| NONFAILING(*(uint8_t*)0x2000074c = 0); |
| NONFAILING(*(uint8_t*)0x2000074d = 0); |
| NONFAILING(*(uint8_t*)0x2000074e = 0); |
| NONFAILING(*(uint8_t*)0x2000074f = 0); |
| NONFAILING(*(uint8_t*)0x20000750 = 0); |
| NONFAILING(*(uint8_t*)0x20000751 = 0); |
| NONFAILING(*(uint8_t*)0x20000752 = 0); |
| NONFAILING(*(uint8_t*)0x20000753 = 0); |
| NONFAILING(*(uint8_t*)0x20000754 = 0); |
| NONFAILING(*(uint8_t*)0x20000755 = 0); |
| NONFAILING(*(uint8_t*)0x20000756 = 0); |
| NONFAILING(*(uint8_t*)0x20000757 = 0); |
| NONFAILING(*(uint8_t*)0x20000758 = 0); |
| NONFAILING(*(uint8_t*)0x20000759 = 0); |
| NONFAILING(*(uint8_t*)0x2000075a = 0); |
| NONFAILING(*(uint8_t*)0x2000075b = 0); |
| NONFAILING(*(uint8_t*)0x2000075c = 0); |
| NONFAILING(*(uint8_t*)0x2000075d = 0); |
| NONFAILING(*(uint8_t*)0x2000075e = 0); |
| NONFAILING(*(uint8_t*)0x2000075f = 0); |
| NONFAILING(*(uint8_t*)0x20000760 = 0); |
| NONFAILING(*(uint8_t*)0x20000761 = 0); |
| NONFAILING(*(uint8_t*)0x20000762 = 0); |
| NONFAILING(*(uint8_t*)0x20000763 = 0); |
| NONFAILING(*(uint8_t*)0x20000764 = -1); |
| NONFAILING(*(uint8_t*)0x20000765 = 1); |
| NONFAILING(*(uint8_t*)0x20000766 = 0); |
| NONFAILING(*(uint8_t*)0x20000767 = 0); |
| NONFAILING(*(uint8_t*)0x20000768 = 0); |
| NONFAILING(*(uint8_t*)0x20000769 = 0); |
| NONFAILING(*(uint8_t*)0x2000076a = 0); |
| NONFAILING(*(uint8_t*)0x2000076b = 0); |
| NONFAILING(*(uint8_t*)0x2000076c = 0); |
| NONFAILING(*(uint8_t*)0x2000076d = 0); |
| NONFAILING(*(uint8_t*)0x2000076e = 0); |
| NONFAILING(*(uint8_t*)0x2000076f = 0); |
| NONFAILING(*(uint8_t*)0x20000770 = 0); |
| NONFAILING(*(uint8_t*)0x20000771 = 0); |
| NONFAILING(*(uint8_t*)0x20000772 = 0); |
| NONFAILING(*(uint8_t*)0x20000773 = 1); |
| NONFAILING(*(uint8_t*)0x20000774 = 0xfe); |
| NONFAILING(*(uint8_t*)0x20000775 = 0x80); |
| NONFAILING(*(uint8_t*)0x20000776 = 0); |
| NONFAILING(*(uint8_t*)0x20000777 = 0); |
| NONFAILING(*(uint8_t*)0x20000778 = 0); |
| NONFAILING(*(uint8_t*)0x20000779 = 0); |
| NONFAILING(*(uint8_t*)0x2000077a = 0); |
| NONFAILING(*(uint8_t*)0x2000077b = 0); |
| NONFAILING(*(uint8_t*)0x2000077c = 0); |
| NONFAILING(*(uint8_t*)0x2000077d = 0); |
| NONFAILING(*(uint8_t*)0x2000077e = 0); |
| NONFAILING(*(uint8_t*)0x2000077f = 0); |
| NONFAILING(*(uint8_t*)0x20000780 = 0); |
| NONFAILING(*(uint8_t*)0x20000781 = 0); |
| NONFAILING(*(uint8_t*)0x20000782 = 0); |
| NONFAILING(*(uint8_t*)0x20000783 = 0xb); |
| NONFAILING(*(uint8_t*)0x20000784 = -1); |
| NONFAILING(*(uint8_t*)0x20000785 = 2); |
| NONFAILING(*(uint8_t*)0x20000786 = 0); |
| NONFAILING(*(uint8_t*)0x20000787 = 0); |
| NONFAILING(*(uint8_t*)0x20000788 = 0); |
| NONFAILING(*(uint8_t*)0x20000789 = 0); |
| NONFAILING(*(uint8_t*)0x2000078a = 0); |
| NONFAILING(*(uint8_t*)0x2000078b = 0); |
| NONFAILING(*(uint8_t*)0x2000078c = 0); |
| NONFAILING(*(uint8_t*)0x2000078d = 0); |
| NONFAILING(*(uint8_t*)0x2000078e = 0); |
| NONFAILING(*(uint8_t*)0x2000078f = 0); |
| NONFAILING(*(uint8_t*)0x20000790 = 0); |
| NONFAILING(*(uint8_t*)0x20000791 = 0); |
| NONFAILING(*(uint8_t*)0x20000792 = 0); |
| NONFAILING(*(uint8_t*)0x20000793 = 1); |
| NONFAILING(*(uint8_t*)0x20000794 = 0); |
| NONFAILING(*(uint8_t*)0x20000795 = 0); |
| NONFAILING(*(uint8_t*)0x20000796 = 0); |
| NONFAILING(*(uint8_t*)0x20000797 = 0); |
| NONFAILING(*(uint8_t*)0x20000798 = 0); |
| NONFAILING(*(uint8_t*)0x20000799 = 0); |
| NONFAILING(*(uint8_t*)0x2000079a = 0); |
| NONFAILING(*(uint8_t*)0x2000079b = 0); |
| NONFAILING(*(uint8_t*)0x2000079c = 0); |
| NONFAILING(*(uint8_t*)0x2000079d = 0); |
| NONFAILING(*(uint8_t*)0x2000079e = -1); |
| NONFAILING(*(uint8_t*)0x2000079f = -1); |
| NONFAILING(*(uint32_t*)0x200007a0 = htobe32(0)); |
| NONFAILING(*(uint8_t*)0x200007a4 = 0); |
| NONFAILING(*(uint8_t*)0x200007a5 = 0); |
| NONFAILING(*(uint8_t*)0x200007a6 = 0); |
| NONFAILING(*(uint8_t*)0x200007a7 = 0); |
| NONFAILING(*(uint8_t*)0x200007a8 = 0); |
| NONFAILING(*(uint8_t*)0x200007a9 = 0); |
| NONFAILING(*(uint8_t*)0x200007aa = 0); |
| NONFAILING(*(uint8_t*)0x200007ab = 0); |
| NONFAILING(*(uint8_t*)0x200007ac = 0); |
| NONFAILING(*(uint8_t*)0x200007ad = 0); |
| NONFAILING(*(uint8_t*)0x200007ae = -1); |
| NONFAILING(*(uint8_t*)0x200007af = -1); |
| NONFAILING(*(uint8_t*)0x200007b0 = 0xac); |
| NONFAILING(*(uint8_t*)0x200007b1 = 0x14); |
| NONFAILING(*(uint8_t*)0x200007b2 = 0x14); |
| NONFAILING(*(uint8_t*)0x200007b3 = 0xaa); |
| NONFAILING(*(uint8_t*)0x200007b4 = 0); |
| NONFAILING(*(uint8_t*)0x200007b5 = 0); |
| NONFAILING(*(uint8_t*)0x200007b6 = 0); |
| NONFAILING(*(uint8_t*)0x200007b7 = 0); |
| NONFAILING(*(uint8_t*)0x200007b8 = 0); |
| NONFAILING(*(uint8_t*)0x200007b9 = 0); |
| NONFAILING(*(uint8_t*)0x200007ba = 0); |
| NONFAILING(*(uint8_t*)0x200007bb = 0); |
| NONFAILING(*(uint8_t*)0x200007bc = 0); |
| NONFAILING(*(uint8_t*)0x200007bd = 0); |
| NONFAILING(*(uint8_t*)0x200007be = -1); |
| NONFAILING(*(uint8_t*)0x200007bf = -1); |
| NONFAILING(*(uint8_t*)0x200007c0 = 0xac); |
| NONFAILING(*(uint8_t*)0x200007c1 = 0x1e); |
| NONFAILING(*(uint8_t*)0x200007c2 = 1); |
| NONFAILING(*(uint8_t*)0x200007c3 = 1 + procid * 1); |
| NONFAILING(*(uint8_t*)0x200007c4 = 0xfe); |
| NONFAILING(*(uint8_t*)0x200007c5 = 0x80); |
| NONFAILING(*(uint8_t*)0x200007c6 = 0); |
| NONFAILING(*(uint8_t*)0x200007c7 = 0); |
| NONFAILING(*(uint8_t*)0x200007c8 = 0); |
| NONFAILING(*(uint8_t*)0x200007c9 = 0); |
| NONFAILING(*(uint8_t*)0x200007ca = 0); |
| NONFAILING(*(uint8_t*)0x200007cb = 0); |
| NONFAILING(*(uint8_t*)0x200007cc = 0); |
| NONFAILING(*(uint8_t*)0x200007cd = 0); |
| NONFAILING(*(uint8_t*)0x200007ce = 0); |
| NONFAILING(*(uint8_t*)0x200007cf = 0); |
| NONFAILING(*(uint8_t*)0x200007d0 = 0); |
| NONFAILING(*(uint8_t*)0x200007d1 = 0); |
| NONFAILING(*(uint8_t*)0x200007d2 = 0); |
| NONFAILING(*(uint8_t*)0x200007d3 = 0xe); |
| NONFAILING(*(uint8_t*)0x200007d4 = -1); |
| NONFAILING(*(uint8_t*)0x200007d5 = 1); |
| NONFAILING(*(uint8_t*)0x200007d6 = 0); |
| NONFAILING(*(uint8_t*)0x200007d7 = 0); |
| NONFAILING(*(uint8_t*)0x200007d8 = 0); |
| NONFAILING(*(uint8_t*)0x200007d9 = 0); |
| NONFAILING(*(uint8_t*)0x200007da = 0); |
| NONFAILING(*(uint8_t*)0x200007db = 0); |
| NONFAILING(*(uint8_t*)0x200007dc = 0); |
| NONFAILING(*(uint8_t*)0x200007dd = 0); |
| NONFAILING(*(uint8_t*)0x200007de = 0); |
| NONFAILING(*(uint8_t*)0x200007df = 0); |
| NONFAILING(*(uint8_t*)0x200007e0 = 0); |
| NONFAILING(*(uint8_t*)0x200007e1 = 0); |
| NONFAILING(*(uint8_t*)0x200007e2 = 0); |
| NONFAILING(*(uint8_t*)0x200007e3 = 1); |
| NONFAILING(*(uint8_t*)0x200007e4 = 0xfe); |
| NONFAILING(*(uint8_t*)0x200007e5 = 0x80); |
| NONFAILING(*(uint8_t*)0x200007e6 = 0); |
| NONFAILING(*(uint8_t*)0x200007e7 = 0); |
| NONFAILING(*(uint8_t*)0x200007e8 = 0); |
| NONFAILING(*(uint8_t*)0x200007e9 = 0); |
| NONFAILING(*(uint8_t*)0x200007ea = 0); |
| NONFAILING(*(uint8_t*)0x200007eb = 0); |
| NONFAILING(*(uint8_t*)0x200007ec = 0); |
| NONFAILING(*(uint8_t*)0x200007ed = 0); |
| NONFAILING(*(uint8_t*)0x200007ee = 0); |
| NONFAILING(*(uint8_t*)0x200007ef = 0); |
| NONFAILING(*(uint8_t*)0x200007f0 = 0); |
| NONFAILING(*(uint8_t*)0x200007f1 = 0); |
| NONFAILING(*(uint8_t*)0x200007f2 = 0); |
| NONFAILING(*(uint8_t*)0x200007f3 = 0xaa); |
| NONFAILING(memcpy( |
| (void*)0x200007f4, |
| "\x85\xf9\xb0\xc3\x52\xab\x97\xa6\x17\xde\x29\x51\x57\xf9\x84\x6b", |
| 16)); |
| NONFAILING(*(uint8_t*)0x20000804 = 0xfe); |
| NONFAILING(*(uint8_t*)0x20000805 = 0x80); |
| NONFAILING(*(uint8_t*)0x20000806 = 0); |
| NONFAILING(*(uint8_t*)0x20000807 = 0); |
| NONFAILING(*(uint8_t*)0x20000808 = 0); |
| NONFAILING(*(uint8_t*)0x20000809 = 0); |
| NONFAILING(*(uint8_t*)0x2000080a = 0); |
| NONFAILING(*(uint8_t*)0x2000080b = 0); |
| NONFAILING(*(uint8_t*)0x2000080c = 0); |
| NONFAILING(*(uint8_t*)0x2000080d = 0); |
| NONFAILING(*(uint8_t*)0x2000080e = 0); |
| NONFAILING(*(uint8_t*)0x2000080f = 0); |
| NONFAILING(*(uint8_t*)0x20000810 = 0); |
| NONFAILING(*(uint8_t*)0x20000811 = 0); |
| NONFAILING(*(uint8_t*)0x20000812 = 0); |
| NONFAILING(*(uint8_t*)0x20000813 = 0x21); |
| NONFAILING(*(uint8_t*)0x20000814 = 0); |
| NONFAILING(*(uint8_t*)0x20000815 = 0); |
| NONFAILING(*(uint8_t*)0x20000816 = 0); |
| NONFAILING(*(uint8_t*)0x20000817 = 0); |
| NONFAILING(*(uint8_t*)0x20000818 = 0); |
| NONFAILING(*(uint8_t*)0x20000819 = 0); |
| NONFAILING(*(uint8_t*)0x2000081a = 0); |
| NONFAILING(*(uint8_t*)0x2000081b = 0); |
| NONFAILING(*(uint8_t*)0x2000081c = 0); |
| NONFAILING(*(uint8_t*)0x2000081d = 0); |
| NONFAILING(*(uint8_t*)0x2000081e = -1); |
| NONFAILING(*(uint8_t*)0x2000081f = -1); |
| NONFAILING(*(uint8_t*)0x20000820 = 0xac); |
| NONFAILING(*(uint8_t*)0x20000821 = 0x1e); |
| NONFAILING(*(uint8_t*)0x20000822 = 0); |
| NONFAILING(*(uint8_t*)0x20000823 = 1 + procid * 1); |
| NONFAILING(*(uint8_t*)0x20000824 = -1); |
| NONFAILING(*(uint8_t*)0x20000825 = 2); |
| NONFAILING(*(uint8_t*)0x20000826 = 0); |
| NONFAILING(*(uint8_t*)0x20000827 = 0); |
| NONFAILING(*(uint8_t*)0x20000828 = 0); |
| NONFAILING(*(uint8_t*)0x20000829 = 0); |
| NONFAILING(*(uint8_t*)0x2000082a = 0); |
| NONFAILING(*(uint8_t*)0x2000082b = 0); |
| NONFAILING(*(uint8_t*)0x2000082c = 0); |
| NONFAILING(*(uint8_t*)0x2000082d = 0); |
| NONFAILING(*(uint8_t*)0x2000082e = 0); |
| NONFAILING(*(uint8_t*)0x2000082f = 0); |
| NONFAILING(*(uint8_t*)0x20000830 = 0); |
| NONFAILING(*(uint8_t*)0x20000831 = 0); |
| NONFAILING(*(uint8_t*)0x20000832 = 0); |
| NONFAILING(*(uint8_t*)0x20000833 = 1); |
| NONFAILING(*(uint8_t*)0x20000834 = 0xfe); |
| NONFAILING(*(uint8_t*)0x20000835 = 0x80); |
| NONFAILING(*(uint8_t*)0x20000836 = 0); |
| NONFAILING(*(uint8_t*)0x20000837 = 0); |
| NONFAILING(*(uint8_t*)0x20000838 = 0); |
| NONFAILING(*(uint8_t*)0x20000839 = 0); |
| NONFAILING(*(uint8_t*)0x2000083a = 0); |
| NONFAILING(*(uint8_t*)0x2000083b = 0); |
| NONFAILING(*(uint8_t*)0x2000083c = 0); |
| NONFAILING(*(uint8_t*)0x2000083d = 0); |
| NONFAILING(*(uint8_t*)0x2000083e = 0); |
| NONFAILING(*(uint8_t*)0x2000083f = 0); |
| NONFAILING(*(uint8_t*)0x20000840 = 0); |
| NONFAILING(*(uint8_t*)0x20000841 = 0); |
| NONFAILING(*(uint8_t*)0x20000842 = 0); |
| NONFAILING(*(uint8_t*)0x20000843 = 0xbb); |
| NONFAILING(*(uint8_t*)0x20000844 = 5); |
| NONFAILING(*(uint16_t*)0x20000848 = 0x38); |
| NONFAILING(memcpy((void*)0x2000084a, "SET\000\000\000\000\000\000\000\000" |
| "\000\000\000\000\000\000\000\000\000" |
| "\000\000\000\000\000\000\000\000\000", |
| 29)); |
| NONFAILING(*(uint8_t*)0x20000867 = 3); |
| NONFAILING(*(uint16_t*)0x20000868 = 0x8000); |
| NONFAILING(*(uint8_t*)0x2000086a = 0); |
| NONFAILING(*(uint8_t*)0x2000086b = 0x81); |
| NONFAILING(*(uint16_t*)0x2000086c = 8); |
| NONFAILING(*(uint8_t*)0x2000086e = 0xb); |
| NONFAILING(*(uint8_t*)0x2000086f = 5); |
| NONFAILING(*(uint16_t*)0x20000870 = 5); |
| NONFAILING(*(uint8_t*)0x20000872 = 0x42); |
| NONFAILING(*(uint8_t*)0x20000873 = 3); |
| NONFAILING(*(uint32_t*)0x20000874 = 7); |
| NONFAILING(*(uint32_t*)0x20000878 = 0x8d); |
| NONFAILING(*(uint8_t*)0x20000880 = 0); |
| NONFAILING(*(uint8_t*)0x20000881 = 0); |
| NONFAILING(*(uint8_t*)0x20000882 = 0); |
| NONFAILING(*(uint8_t*)0x20000883 = 0); |
| NONFAILING(*(uint8_t*)0x20000884 = 0); |
| NONFAILING(*(uint8_t*)0x20000885 = 0); |
| NONFAILING(*(uint8_t*)0x20000886 = 0); |
| NONFAILING(*(uint8_t*)0x20000887 = 0); |
| NONFAILING(*(uint8_t*)0x20000888 = 0); |
| NONFAILING(*(uint8_t*)0x20000889 = 0); |
| NONFAILING(*(uint8_t*)0x2000088a = 0); |
| NONFAILING(*(uint8_t*)0x2000088b = 0); |
| NONFAILING(*(uint8_t*)0x2000088c = 0); |
| NONFAILING(*(uint8_t*)0x2000088d = 0); |
| NONFAILING(*(uint8_t*)0x2000088e = 0); |
| NONFAILING(*(uint8_t*)0x2000088f = 0); |
| NONFAILING(*(uint8_t*)0x20000890 = 0); |
| NONFAILING(*(uint8_t*)0x20000891 = 0); |
| NONFAILING(*(uint8_t*)0x20000892 = 0); |
| NONFAILING(*(uint8_t*)0x20000893 = 0); |
| NONFAILING(*(uint8_t*)0x20000894 = 0); |
| NONFAILING(*(uint8_t*)0x20000895 = 0); |
| NONFAILING(*(uint8_t*)0x20000896 = 0); |
| NONFAILING(*(uint8_t*)0x20000897 = 0); |
| NONFAILING(*(uint8_t*)0x20000898 = 0); |
| NONFAILING(*(uint8_t*)0x20000899 = 0); |
| NONFAILING(*(uint8_t*)0x2000089a = 0); |
| NONFAILING(*(uint8_t*)0x2000089b = 0); |
| NONFAILING(*(uint8_t*)0x2000089c = 0); |
| NONFAILING(*(uint8_t*)0x2000089d = 0); |
| NONFAILING(*(uint8_t*)0x2000089e = 0); |
| NONFAILING(*(uint8_t*)0x2000089f = 0); |
| NONFAILING(*(uint8_t*)0x200008a0 = 0); |
| NONFAILING(*(uint8_t*)0x200008a1 = 0); |
| NONFAILING(*(uint8_t*)0x200008a2 = 0); |
| NONFAILING(*(uint8_t*)0x200008a3 = 0); |
| NONFAILING(*(uint8_t*)0x200008a4 = 0); |
| NONFAILING(*(uint8_t*)0x200008a5 = 0); |
| NONFAILING(*(uint8_t*)0x200008a6 = 0); |
| NONFAILING(*(uint8_t*)0x200008a7 = 0); |
| NONFAILING(*(uint8_t*)0x200008a8 = 0); |
| NONFAILING(*(uint8_t*)0x200008a9 = 0); |
| NONFAILING(*(uint8_t*)0x200008aa = 0); |
| NONFAILING(*(uint8_t*)0x200008ab = 0); |
| NONFAILING(*(uint8_t*)0x200008ac = 0); |
| NONFAILING(*(uint8_t*)0x200008ad = 0); |
| NONFAILING(*(uint8_t*)0x200008ae = 0); |
| NONFAILING(*(uint8_t*)0x200008af = 0); |
| NONFAILING(*(uint8_t*)0x200008b0 = 0); |
| NONFAILING(*(uint8_t*)0x200008b1 = 0); |
| NONFAILING(*(uint8_t*)0x200008b2 = 0); |
| NONFAILING(*(uint8_t*)0x200008b3 = 0); |
| NONFAILING(*(uint8_t*)0x200008b4 = 0); |
| NONFAILING(*(uint8_t*)0x200008b5 = 0); |
| NONFAILING(*(uint8_t*)0x200008b6 = 0); |
| NONFAILING(*(uint8_t*)0x200008b7 = 0); |
| NONFAILING(*(uint8_t*)0x200008b8 = 0); |
| NONFAILING(*(uint8_t*)0x200008b9 = 0); |
| NONFAILING(*(uint8_t*)0x200008ba = 0); |
| NONFAILING(*(uint8_t*)0x200008bb = 0); |
| NONFAILING(*(uint8_t*)0x200008bc = 0); |
| NONFAILING(*(uint8_t*)0x200008bd = 0); |
| NONFAILING(*(uint8_t*)0x200008be = 0); |
| NONFAILING(*(uint8_t*)0x200008bf = 0); |
| NONFAILING(*(uint8_t*)0x200008c0 = 0); |
| NONFAILING(*(uint8_t*)0x200008c1 = 0); |
| NONFAILING(*(uint8_t*)0x200008c2 = 0); |
| NONFAILING(*(uint8_t*)0x200008c3 = 0); |
| NONFAILING(*(uint8_t*)0x200008c4 = 0); |
| NONFAILING(*(uint8_t*)0x200008c5 = 0); |
| NONFAILING(*(uint8_t*)0x200008c6 = 0); |
| NONFAILING(*(uint8_t*)0x200008c7 = 0); |
| NONFAILING(*(uint8_t*)0x200008c8 = 0); |
| NONFAILING(*(uint8_t*)0x200008c9 = 0); |
| NONFAILING(*(uint8_t*)0x200008ca = 0); |
| NONFAILING(*(uint8_t*)0x200008cb = 0); |
| NONFAILING(*(uint8_t*)0x200008cc = 0); |
| NONFAILING(*(uint8_t*)0x200008cd = 0); |
| NONFAILING(*(uint8_t*)0x200008ce = 0); |
| NONFAILING(*(uint8_t*)0x200008cf = 0); |
| NONFAILING(*(uint8_t*)0x200008d0 = 0); |
| NONFAILING(*(uint8_t*)0x200008d1 = 0); |
| NONFAILING(*(uint8_t*)0x200008d2 = 0); |
| NONFAILING(*(uint8_t*)0x200008d3 = 0); |
| NONFAILING(*(uint8_t*)0x200008d4 = 0); |
| NONFAILING(*(uint8_t*)0x200008d5 = 0); |
| NONFAILING(*(uint8_t*)0x200008d6 = 0); |
| NONFAILING(*(uint8_t*)0x200008d7 = 0); |
| NONFAILING(*(uint8_t*)0x200008d8 = 0); |
| NONFAILING(*(uint8_t*)0x200008d9 = 0); |
| NONFAILING(*(uint8_t*)0x200008da = 0); |
| NONFAILING(*(uint8_t*)0x200008db = 0); |
| NONFAILING(*(uint8_t*)0x200008dc = 0); |
| NONFAILING(*(uint8_t*)0x200008dd = 0); |
| NONFAILING(*(uint8_t*)0x200008de = 0); |
| NONFAILING(*(uint8_t*)0x200008df = 0); |
| NONFAILING(*(uint8_t*)0x200008e0 = 0); |
| NONFAILING(*(uint8_t*)0x200008e1 = 0); |
| NONFAILING(*(uint8_t*)0x200008e2 = 0); |
| NONFAILING(*(uint8_t*)0x200008e3 = 0); |
| NONFAILING(*(uint8_t*)0x200008e4 = 0); |
| NONFAILING(*(uint8_t*)0x200008e5 = 0); |
| NONFAILING(*(uint8_t*)0x200008e6 = 0); |
| NONFAILING(*(uint8_t*)0x200008e7 = 0); |
| NONFAILING(*(uint8_t*)0x200008e8 = 0); |
| NONFAILING(*(uint8_t*)0x200008e9 = 0); |
| NONFAILING(*(uint8_t*)0x200008ea = 0); |
| NONFAILING(*(uint8_t*)0x200008eb = 0); |
| NONFAILING(*(uint8_t*)0x200008ec = 0); |
| NONFAILING(*(uint8_t*)0x200008ed = 0); |
| NONFAILING(*(uint8_t*)0x200008ee = 0); |
| NONFAILING(*(uint8_t*)0x200008ef = 0); |
| NONFAILING(*(uint8_t*)0x200008f0 = 0); |
| NONFAILING(*(uint8_t*)0x200008f1 = 0); |
| NONFAILING(*(uint8_t*)0x200008f2 = 0); |
| NONFAILING(*(uint8_t*)0x200008f3 = 0); |
| NONFAILING(*(uint8_t*)0x200008f4 = 0); |
| NONFAILING(*(uint8_t*)0x200008f5 = 0); |
| NONFAILING(*(uint8_t*)0x200008f6 = 0); |
| NONFAILING(*(uint8_t*)0x200008f7 = 0); |
| NONFAILING(*(uint8_t*)0x200008f8 = 0); |
| NONFAILING(*(uint8_t*)0x200008f9 = 0); |
| NONFAILING(*(uint8_t*)0x200008fa = 0); |
| NONFAILING(*(uint8_t*)0x200008fb = 0); |
| NONFAILING(*(uint8_t*)0x200008fc = 0); |
| NONFAILING(*(uint8_t*)0x200008fd = 0); |
| NONFAILING(*(uint8_t*)0x200008fe = 0); |
| NONFAILING(*(uint8_t*)0x200008ff = 0); |
| NONFAILING(*(uint8_t*)0x20000900 = 0); |
| NONFAILING(*(uint8_t*)0x20000901 = 0); |
| NONFAILING(*(uint8_t*)0x20000902 = 0); |
| NONFAILING(*(uint8_t*)0x20000903 = 0); |
| NONFAILING(*(uint8_t*)0x20000904 = 0); |
| NONFAILING(*(uint8_t*)0x20000905 = 0); |
| NONFAILING(*(uint8_t*)0x20000906 = 0); |
| NONFAILING(*(uint8_t*)0x20000907 = 0); |
| NONFAILING(*(uint32_t*)0x20000928 = 0); |
| NONFAILING(*(uint16_t*)0x2000092c = 0xf0); |
| NONFAILING(*(uint16_t*)0x2000092e = 0x118); |
| NONFAILING(*(uint32_t*)0x20000930 = 0); |
| NONFAILING(*(uint64_t*)0x20000938 = 0); |
| NONFAILING(*(uint64_t*)0x20000940 = 0); |
| NONFAILING(*(uint16_t*)0x20000948 = 0x28); |
| NONFAILING(memcpy((void*)0x2000094a, "icmp6\000\000\000\000\000\000\000\000" |
| "\000\000\000\000\000\000\000\000\000" |
| "\000\000\000\000\000\000\000", |
| 29)); |
| NONFAILING(*(uint8_t*)0x20000967 = 0); |
| NONFAILING(*(uint8_t*)0x20000968 = 0x1f); |
| NONFAILING(*(uint8_t*)0x20000969 = 0x1b); |
| NONFAILING(*(uint8_t*)0x2000096a = -1); |
| NONFAILING(*(uint8_t*)0x2000096b = 0); |
| NONFAILING(*(uint16_t*)0x20000970 = 0x28); |
| NONFAILING(memcpy((void*)0x20000972, "REJECT\000\000\000\000\000\000\000" |
| "\000\000\000\000\000\000\000\000\000" |
| "\000\000\000\000\000\000\000", |
| 29)); |
| NONFAILING(*(uint8_t*)0x2000098f = 0); |
| NONFAILING(*(uint32_t*)0x20000990 = 0); |
| NONFAILING(memcpy( |
| (void*)0x20000998, |
| "\x90\x17\xf2\xe1\xc9\x79\x34\xf6\x03\x49\x37\xed\x70\x52\x3a\x78", |
| 16)); |
| NONFAILING(*(uint8_t*)0x200009a8 = 0); |
| NONFAILING(*(uint8_t*)0x200009a9 = 0); |
| NONFAILING(*(uint8_t*)0x200009aa = 0); |
| NONFAILING(*(uint8_t*)0x200009ab = 0); |
| NONFAILING(*(uint8_t*)0x200009ac = 0); |
| NONFAILING(*(uint8_t*)0x200009ad = 0); |
| NONFAILING(*(uint8_t*)0x200009ae = 0); |
| NONFAILING(*(uint8_t*)0x200009af = 0); |
| NONFAILING(*(uint8_t*)0x200009b0 = 0); |
| NONFAILING(*(uint8_t*)0x200009b1 = 0); |
| NONFAILING(*(uint8_t*)0x200009b2 = 0); |
| NONFAILING(*(uint8_t*)0x200009b3 = 0); |
| NONFAILING(*(uint8_t*)0x200009b4 = 0); |
| NONFAILING(*(uint8_t*)0x200009b5 = 0); |
| NONFAILING(*(uint8_t*)0x200009b6 = 0); |
| NONFAILING(*(uint8_t*)0x200009b7 = 0); |
| NONFAILING(*(uint32_t*)0x200009b8 = htobe32(-1)); |
| NONFAILING(*(uint32_t*)0x200009bc = htobe32(-1)); |
| NONFAILING(*(uint32_t*)0x200009c0 = htobe32(-1)); |
| NONFAILING(*(uint32_t*)0x200009c4 = htobe32(0xffffff00)); |
| NONFAILING(*(uint32_t*)0x200009c8 = htobe32(0xff)); |
| NONFAILING(*(uint32_t*)0x200009cc = htobe32(0xff)); |
| NONFAILING(*(uint32_t*)0x200009d0 = htobe32(0)); |
| NONFAILING(*(uint32_t*)0x200009d4 = htobe32(0)); |
| NONFAILING(memcpy((void*)0x200009d8, |
| "caif0\000\000\000\000\000\000\000\000\000\000\000", 16)); |
| NONFAILING(memcpy((void*)0x200009e8, |
| "nlmon0\000\000\000\000\000\000\000\000\000\000", 16)); |
| NONFAILING(*(uint8_t*)0x20000a01 = -1); |
| NONFAILING(*(uint8_t*)0x20000a1f = -1); |
| NONFAILING(*(uint16_t*)0x20000a30 = 0x2e); |
| NONFAILING(*(uint8_t*)0x20000a32 = 0xbc); |
| NONFAILING(*(uint8_t*)0x20000a33 = 4); |
| NONFAILING(*(uint8_t*)0x20000a34 = 0x40); |
| NONFAILING(*(uint32_t*)0x20000a40 = 0); |
| NONFAILING(*(uint16_t*)0x20000a44 = 0x110); |
| NONFAILING(*(uint16_t*)0x20000a46 = 0x138); |
| NONFAILING(*(uint32_t*)0x20000a48 = 0); |
| NONFAILING(*(uint64_t*)0x20000a50 = 0); |
| NONFAILING(*(uint64_t*)0x20000a58 = 0); |
| NONFAILING(*(uint16_t*)0x20000a60 = 0x48); |
| NONFAILING(memcpy((void*)0x20000a62, "hbh\000\000\000\000\000\000\000\000" |
| "\000\000\000\000\000\000\000\000\000" |
| "\000\000\000\000\000\000\000\000\000", |
| 29)); |
| NONFAILING(*(uint8_t*)0x20000a7f = 0); |
| NONFAILING(*(uint32_t*)0x20000a80 = 0); |
| NONFAILING(*(uint8_t*)0x20000a84 = 5); |
| NONFAILING(*(uint8_t*)0x20000a85 = 1); |
| NONFAILING(*(uint16_t*)0x20000a86 = 0); |
| NONFAILING(*(uint16_t*)0x20000a88 = 7); |
| NONFAILING(*(uint16_t*)0x20000a8a = 0xfbff); |
| NONFAILING(*(uint16_t*)0x20000a8c = 9); |
| NONFAILING(*(uint16_t*)0x20000a8e = 0xcc9c); |
| NONFAILING(*(uint16_t*)0x20000a90 = 0x47a2); |
| NONFAILING(*(uint16_t*)0x20000a92 = 0xb9); |
| NONFAILING(*(uint16_t*)0x20000a94 = 1); |
| NONFAILING(*(uint16_t*)0x20000a96 = 2); |
| NONFAILING(*(uint16_t*)0x20000a98 = 8); |
| NONFAILING(*(uint16_t*)0x20000a9a = 7); |
| NONFAILING(*(uint16_t*)0x20000a9c = 0xe9c6); |
| NONFAILING(*(uint16_t*)0x20000a9e = 0x179); |
| NONFAILING(*(uint16_t*)0x20000aa0 = 0); |
| NONFAILING(*(uint16_t*)0x20000aa2 = 0); |
| NONFAILING(*(uint16_t*)0x20000aa4 = 0); |
| NONFAILING(*(uint8_t*)0x20000aa6 = 0xd); |
| NONFAILING(*(uint16_t*)0x20000aa8 = 0x28); |
| NONFAILING(memcpy((void*)0x20000aaa, "MARK\000\000\000\000\000\000\000\000" |
| "\000\000\000\000\000\000\000\000\000" |
| "\000\000\000\000\000\000\000\000", |
| 29)); |
| NONFAILING(*(uint8_t*)0x20000ac7 = 2); |
| NONFAILING(*(uint32_t*)0x20000ac8 = 6); |
| NONFAILING(*(uint32_t*)0x20000acc = 7); |
| NONFAILING(*(uint8_t*)0x20000ad0 = 0); |
| NONFAILING(*(uint8_t*)0x20000ad1 = 0); |
| NONFAILING(*(uint8_t*)0x20000ad2 = 0); |
| NONFAILING(*(uint8_t*)0x20000ad3 = 0); |
| NONFAILING(*(uint8_t*)0x20000ad4 = 0); |
| NONFAILING(*(uint8_t*)0x20000ad5 = 0); |
| NONFAILING(*(uint8_t*)0x20000ad6 = 0); |
| NONFAILING(*(uint8_t*)0x20000ad7 = 0); |
| NONFAILING(*(uint8_t*)0x20000ad8 = 0); |
| NONFAILING(*(uint8_t*)0x20000ad9 = 0); |
| NONFAILING(*(uint8_t*)0x20000ada = 0); |
| NONFAILING(*(uint8_t*)0x20000adb = 0); |
| NONFAILING(*(uint8_t*)0x20000adc = 0); |
| NONFAILING(*(uint8_t*)0x20000add = 0); |
| NONFAILING(*(uint8_t*)0x20000ade = 0); |
| NONFAILING(*(uint8_t*)0x20000adf = 0); |
| NONFAILING(*(uint8_t*)0x20000ae0 = 0); |
| NONFAILING(*(uint8_t*)0x20000ae1 = 0); |
| NONFAILING(*(uint8_t*)0x20000ae2 = 0); |
| NONFAILING(*(uint8_t*)0x20000ae3 = 0); |
| NONFAILING(*(uint8_t*)0x20000ae4 = 0); |
| NONFAILING(*(uint8_t*)0x20000ae5 = 0); |
| NONFAILING(*(uint8_t*)0x20000ae6 = 0); |
| NONFAILING(*(uint8_t*)0x20000ae7 = 0); |
| NONFAILING(*(uint8_t*)0x20000ae8 = 0); |
| NONFAILING(*(uint8_t*)0x20000ae9 = 0); |
| NONFAILING(*(uint8_t*)0x20000aea = 0); |
| NONFAILING(*(uint8_t*)0x20000aeb = 0); |
| NONFAILING(*(uint8_t*)0x20000aec = 0); |
| NONFAILING(*(uint8_t*)0x20000aed = 0); |
| NONFAILING(*(uint8_t*)0x20000aee = 0); |
| NONFAILING(*(uint8_t*)0x20000aef = 0); |
| NONFAILING(*(uint8_t*)0x20000af0 = 0); |
| NONFAILING(*(uint8_t*)0x20000af1 = 0); |
| NONFAILING(*(uint8_t*)0x20000af2 = 0); |
| NONFAILING(*(uint8_t*)0x20000af3 = 0); |
| NONFAILING(*(uint8_t*)0x20000af4 = 0); |
| NONFAILING(*(uint8_t*)0x20000af5 = 0); |
| NONFAILING(*(uint8_t*)0x20000af6 = 0); |
| NONFAILING(*(uint8_t*)0x20000af7 = 0); |
| NONFAILING(*(uint8_t*)0x20000af8 = 0); |
| NONFAILING(*(uint8_t*)0x20000af9 = 0); |
| NONFAILING(*(uint8_t*)0x20000afa = 0); |
| NONFAILING(*(uint8_t*)0x20000afb = 0); |
| NONFAILING(*(uint8_t*)0x20000afc = 0); |
| NONFAILING(*(uint8_t*)0x20000afd = 0); |
| NONFAILING(*(uint8_t*)0x20000afe = 0); |
| NONFAILING(*(uint8_t*)0x20000aff = 0); |
| NONFAILING(*(uint8_t*)0x20000b00 = 0); |
| NONFAILING(*(uint8_t*)0x20000b01 = 0); |
| NONFAILING(*(uint8_t*)0x20000b02 = 0); |
| NONFAILING(*(uint8_t*)0x20000b03 = 0); |
| NONFAILING(*(uint8_t*)0x20000b04 = 0); |
| NONFAILING(*(uint8_t*)0x20000b05 = 0); |
| NONFAILING(*(uint8_t*)0x20000b06 = 0); |
| NONFAILING(*(uint8_t*)0x20000b07 = 0); |
| NONFAILING(*(uint8_t*)0x20000b08 = 0); |
| NONFAILING(*(uint8_t*)0x20000b09 = 0); |
| NONFAILING(*(uint8_t*)0x20000b0a = 0); |
| NONFAILING(*(uint8_t*)0x20000b0b = 0); |
| NONFAILING(*(uint8_t*)0x20000b0c = 0); |
| NONFAILING(*(uint8_t*)0x20000b0d = 0); |
| NONFAILING(*(uint8_t*)0x20000b0e = 0); |
| NONFAILING(*(uint8_t*)0x20000b0f = 0); |
| NONFAILING(*(uint8_t*)0x20000b10 = 0); |
| NONFAILING(*(uint8_t*)0x20000b11 = 0); |
| NONFAILING(*(uint8_t*)0x20000b12 = 0); |
| NONFAILING(*(uint8_t*)0x20000b13 = 0); |
| NONFAILING(*(uint8_t*)0x20000b14 = 0); |
| NONFAILING(*(uint8_t*)0x20000b15 = 0); |
| NONFAILING(*(uint8_t*)0x20000b16 = 0); |
| NONFAILING(*(uint8_t*)0x20000b17 = 0); |
| NONFAILING(*(uint8_t*)0x20000b18 = 0); |
| NONFAILING(*(uint8_t*)0x20000b19 = 0); |
| NONFAILING(*(uint8_t*)0x20000b1a = 0); |
| NONFAILING(*(uint8_t*)0x20000b1b = 0); |
| NONFAILING(*(uint8_t*)0x20000b1c = 0); |
| NONFAILING(*(uint8_t*)0x20000b1d = 0); |
| NONFAILING(*(uint8_t*)0x20000b1e = 0); |
| NONFAILING(*(uint8_t*)0x20000b1f = 0); |
| NONFAILING(*(uint8_t*)0x20000b20 = 0); |
| NONFAILING(*(uint8_t*)0x20000b21 = 0); |
| NONFAILING(*(uint8_t*)0x20000b22 = 0); |
| NONFAILING(*(uint8_t*)0x20000b23 = 0); |
| NONFAILING(*(uint8_t*)0x20000b24 = 0); |
| NONFAILING(*(uint8_t*)0x20000b25 = 0); |
| NONFAILING(*(uint8_t*)0x20000b26 = 0); |
| NONFAILING(*(uint8_t*)0x20000b27 = 0); |
| NONFAILING(*(uint8_t*)0x20000b28 = 0); |
| NONFAILING(*(uint8_t*)0x20000b29 = 0); |
| NONFAILING(*(uint8_t*)0x20000b2a = 0); |
| NONFAILING(*(uint8_t*)0x20000b2b = 0); |
| NONFAILING(*(uint8_t*)0x20000b2c = 0); |
| NONFAILING(*(uint8_t*)0x20000b2d = 0); |
| NONFAILING(*(uint8_t*)0x20000b2e = 0); |
| NONFAILING(*(uint8_t*)0x20000b2f = 0); |
| NONFAILING(*(uint8_t*)0x20000b30 = 0); |
| NONFAILING(*(uint8_t*)0x20000b31 = 0); |
| NONFAILING(*(uint8_t*)0x20000b32 = 0); |
| NONFAILING(*(uint8_t*)0x20000b33 = 0); |
| NONFAILING(*(uint8_t*)0x20000b34 = 0); |
| NONFAILING(*(uint8_t*)0x20000b35 = 0); |
| NONFAILING(*(uint8_t*)0x20000b36 = 0); |
| NONFAILING(*(uint8_t*)0x20000b37 = 0); |
| NONFAILING(*(uint8_t*)0x20000b38 = 0); |
| NONFAILING(*(uint8_t*)0x20000b39 = 0); |
| NONFAILING(*(uint8_t*)0x20000b3a = 0); |
| NONFAILING(*(uint8_t*)0x20000b3b = 0); |
| NONFAILING(*(uint8_t*)0x20000b3c = 0); |
| NONFAILING(*(uint8_t*)0x20000b3d = 0); |
| NONFAILING(*(uint8_t*)0x20000b3e = 0); |
| NONFAILING(*(uint8_t*)0x20000b3f = 0); |
| NONFAILING(*(uint8_t*)0x20000b40 = 0); |
| NONFAILING(*(uint8_t*)0x20000b41 = 0); |
| NONFAILING(*(uint8_t*)0x20000b42 = 0); |
| NONFAILING(*(uint8_t*)0x20000b43 = 0); |
| NONFAILING(*(uint8_t*)0x20000b44 = 0); |
| NONFAILING(*(uint8_t*)0x20000b45 = 0); |
| NONFAILING(*(uint8_t*)0x20000b46 = 0); |
| NONFAILING(*(uint8_t*)0x20000b47 = 0); |
| NONFAILING(*(uint8_t*)0x20000b48 = 0); |
| NONFAILING(*(uint8_t*)0x20000b49 = 0); |
| NONFAILING(*(uint8_t*)0x20000b4a = 0); |
| NONFAILING(*(uint8_t*)0x20000b4b = 0); |
| NONFAILING(*(uint8_t*)0x20000b4c = 0); |
| NONFAILING(*(uint8_t*)0x20000b4d = 0); |
| NONFAILING(*(uint8_t*)0x20000b4e = 0); |
| NONFAILING(*(uint8_t*)0x20000b4f = 0); |
| NONFAILING(*(uint8_t*)0x20000b50 = 0); |
| NONFAILING(*(uint8_t*)0x20000b51 = 0); |
| NONFAILING(*(uint8_t*)0x20000b52 = 0); |
| NONFAILING(*(uint8_t*)0x20000b53 = 0); |
| NONFAILING(*(uint8_t*)0x20000b54 = 0); |
| NONFAILING(*(uint8_t*)0x20000b55 = 0); |
| NONFAILING(*(uint8_t*)0x20000b56 = 0); |
| NONFAILING(*(uint8_t*)0x20000b57 = 0); |
| NONFAILING(*(uint32_t*)0x20000b58 = 0); |
| NONFAILING(*(uint16_t*)0x20000b5c = 0xa8); |
| NONFAILING(*(uint16_t*)0x20000b5e = 0xd0); |
| NONFAILING(*(uint32_t*)0x20000b60 = 0); |
| NONFAILING(*(uint64_t*)0x20000b68 = 0); |
| NONFAILING(*(uint64_t*)0x20000b70 = 0); |
| NONFAILING(*(uint16_t*)0x20000b78 = 0x28); |
| NONFAILING(memcpy((void*)0x20000b7a, "\000\000\000\000\000\000\000\000\000" |
| "\000\000\000\000\000\000\000\000\000" |
| "\000\000\000\000\000\000\000\000\000" |
| "\000\000", |
| 29)); |
| NONFAILING(*(uint8_t*)0x20000b97 = 0); |
| NONFAILING(*(uint32_t*)0x20000b98 = 0xfffffffe); |
| syscall(__NR_setsockopt, -1, 0x29, 0x40, 0x200005c0, 0x5e0); |
| break; |
| } |
| } |
| int main(void) |
| { |
| syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0); |
| setup_binfmt_misc(); |
| install_segv_handler(); |
| for (procid = 0; procid < 6; procid++) { |
| if (fork() == 0) { |
| use_temporary_dir(); |
| do_sandbox_none(); |
| } |
| } |
| sleep(1000000); |
| return 0; |
| } |
