| // KASAN: use-after-free Read in ip6_route_me_harder |
| // https://syzkaller.appspot.com/bug?id=52da8b3e29345da11271b7e521554d695ea3ac4d |
| // status:fixed |
| // autogenerated by syzkaller (http://github.com/google/syzkaller) |
| |
| #define _GNU_SOURCE |
| #include <arpa/inet.h> |
| #include <endian.h> |
| #include <errno.h> |
| #include <fcntl.h> |
| #include <linux/if.h> |
| #include <linux/if_ether.h> |
| #include <linux/if_tun.h> |
| #include <linux/ip.h> |
| #include <linux/tcp.h> |
| #include <net/if_arp.h> |
| #include <stdarg.h> |
| #include <stdbool.h> |
| #include <stdio.h> |
| #include <stdlib.h> |
| #include <sys/ioctl.h> |
| #include <sys/stat.h> |
| #include <sys/syscall.h> |
| #include <sys/uio.h> |
| #include <unistd.h> |
| |
| __attribute__((noreturn)) static void doexit(int status) |
| { |
| volatile unsigned i; |
| syscall(__NR_exit_group, status); |
| for (i = 0;; i++) { |
| } |
| } |
| #include <stdint.h> |
| #include <string.h> |
| |
| const int kFailStatus = 67; |
| const int kRetryStatus = 69; |
| |
| static void fail(const char* msg, ...) |
| { |
| int e = errno; |
| va_list args; |
| va_start(args, msg); |
| vfprintf(stderr, msg, args); |
| va_end(args); |
| fprintf(stderr, " (errno %d)\n", e); |
| doexit((e == ENOMEM || e == EAGAIN) ? kRetryStatus : kFailStatus); |
| } |
| |
| #define BITMASK_LEN(type, bf_len) (type)((1ull << (bf_len)) - 1) |
| |
| #define BITMASK_LEN_OFF(type, bf_off, bf_len) \ |
| (type)(BITMASK_LEN(type, (bf_len)) << (bf_off)) |
| |
| #define STORE_BY_BITMASK(type, addr, val, bf_off, bf_len) \ |
| if ((bf_off) == 0 && (bf_len) == 0) { \ |
| *(type*)(addr) = (type)(val); \ |
| } else { \ |
| type new_val = *(type*)(addr); \ |
| new_val &= ~BITMASK_LEN_OFF(type, (bf_off), (bf_len)); \ |
| new_val |= ((type)(val)&BITMASK_LEN(type, (bf_len))) << (bf_off); \ |
| *(type*)(addr) = new_val; \ |
| } |
| |
| struct csum_inet { |
| uint32_t acc; |
| }; |
| |
| static void csum_inet_init(struct csum_inet* csum) |
| { |
| csum->acc = 0; |
| } |
| |
| static void csum_inet_update(struct csum_inet* csum, const uint8_t* data, |
| size_t length) |
| { |
| if (length == 0) |
| return; |
| |
| size_t i; |
| for (i = 0; i < length - 1; i += 2) |
| csum->acc += *(uint16_t*)&data[i]; |
| |
| if (length & 1) |
| csum->acc += (uint16_t)data[length - 1]; |
| |
| while (csum->acc > 0xffff) |
| csum->acc = (csum->acc & 0xffff) + (csum->acc >> 16); |
| } |
| |
| static uint16_t csum_inet_digest(struct csum_inet* csum) |
| { |
| return ~csum->acc; |
| } |
| |
| static void vsnprintf_check(char* str, size_t size, const char* format, |
| va_list args) |
| { |
| int rv; |
| |
| rv = vsnprintf(str, size, format, args); |
| if (rv < 0) |
| fail("tun: snprintf failed"); |
| if ((size_t)rv >= size) |
| fail("tun: string '%s...' doesn't fit into buffer", str); |
| } |
| |
| static void snprintf_check(char* str, size_t size, const char* format, ...) |
| { |
| va_list args; |
| |
| va_start(args, format); |
| vsnprintf_check(str, size, format, args); |
| va_end(args); |
| } |
| |
| #define COMMAND_MAX_LEN 128 |
| #define PATH_PREFIX \ |
| "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin " |
| #define PATH_PREFIX_LEN (sizeof(PATH_PREFIX) - 1) |
| |
| static void execute_command(bool panic, const char* format, ...) |
| { |
| va_list args; |
| char command[PATH_PREFIX_LEN + COMMAND_MAX_LEN]; |
| int rv; |
| |
| va_start(args, format); |
| memcpy(command, PATH_PREFIX, PATH_PREFIX_LEN); |
| vsnprintf_check(command + PATH_PREFIX_LEN, COMMAND_MAX_LEN, format, args); |
| rv = system(command); |
| if (panic && rv != 0) |
| fail("tun: command \"%s\" failed with code %d", &command[0], rv); |
| |
| va_end(args); |
| } |
| |
| static int tunfd = -1; |
| static int tun_frags_enabled; |
| |
| #define SYZ_TUN_MAX_PACKET_SIZE 1000 |
| |
| #define TUN_IFACE "syz_tun" |
| |
| #define LOCAL_MAC "aa:aa:aa:aa:aa:aa" |
| #define REMOTE_MAC "aa:aa:aa:aa:aa:bb" |
| |
| #define LOCAL_IPV4 "172.20.20.170" |
| #define REMOTE_IPV4 "172.20.20.187" |
| |
| #define LOCAL_IPV6 "fe80::aa" |
| #define REMOTE_IPV6 "fe80::bb" |
| |
| #define IFF_NAPI 0x0010 |
| #define IFF_NAPI_FRAGS 0x0020 |
| |
| static void initialize_tun(void) |
| { |
| tunfd = open("/dev/net/tun", O_RDWR | O_NONBLOCK); |
| if (tunfd == -1) { |
| printf("tun: can't open /dev/net/tun: please enable CONFIG_TUN=y\n"); |
| printf("otherwise fuzzing or reproducing might not work as intended\n"); |
| return; |
| } |
| const int kTunFd = 252; |
| if (dup2(tunfd, kTunFd) < 0) |
| fail("dup2(tunfd, kTunFd) failed"); |
| close(tunfd); |
| tunfd = kTunFd; |
| |
| struct ifreq ifr; |
| memset(&ifr, 0, sizeof(ifr)); |
| strncpy(ifr.ifr_name, TUN_IFACE, IFNAMSIZ); |
| ifr.ifr_flags = IFF_TAP | IFF_NO_PI | IFF_NAPI | IFF_NAPI_FRAGS; |
| if (ioctl(tunfd, TUNSETIFF, (void*)&ifr) < 0) { |
| ifr.ifr_flags = IFF_TAP | IFF_NO_PI; |
| if (ioctl(tunfd, TUNSETIFF, (void*)&ifr) < 0) |
| fail("tun: ioctl(TUNSETIFF) failed"); |
| } |
| if (ioctl(tunfd, TUNGETIFF, (void*)&ifr) < 0) |
| fail("tun: ioctl(TUNGETIFF) failed"); |
| tun_frags_enabled = (ifr.ifr_flags & IFF_NAPI_FRAGS) != 0; |
| |
| execute_command(1, "sysctl -w net.ipv6.conf.%s.accept_dad=0", TUN_IFACE); |
| |
| execute_command(1, "sysctl -w net.ipv6.conf.%s.router_solicitations=0", |
| TUN_IFACE); |
| |
| execute_command(1, "ip link set dev %s address %s", TUN_IFACE, LOCAL_MAC); |
| execute_command(1, "ip addr add %s/24 dev %s", LOCAL_IPV4, TUN_IFACE); |
| execute_command(1, "ip -6 addr add %s/120 dev %s", LOCAL_IPV6, TUN_IFACE); |
| execute_command(1, "ip neigh add %s lladdr %s dev %s nud permanent", |
| REMOTE_IPV4, REMOTE_MAC, TUN_IFACE); |
| execute_command(1, "ip -6 neigh add %s lladdr %s dev %s nud permanent", |
| REMOTE_IPV6, REMOTE_MAC, TUN_IFACE); |
| execute_command(1, "ip link set dev %s up", TUN_IFACE); |
| } |
| |
| #define DEV_IPV4 "172.20.20.%d" |
| #define DEV_IPV6 "fe80::%02hx" |
| #define DEV_MAC "aa:aa:aa:aa:aa:%02hx" |
| |
| static void initialize_netdevices(void) |
| { |
| unsigned i; |
| const char* devtypes[] = {"ip6gretap", "bridge", "vcan", "bond", "veth"}; |
| const char* devnames[] = {"lo", "sit0", "bridge0", "vcan0", |
| "tunl0", "gre0", "gretap0", "ip_vti0", |
| "ip6_vti0", "ip6tnl0", "ip6gre0", "ip6gretap0", |
| "erspan0", "bond0", "veth0", "veth1"}; |
| |
| for (i = 0; i < sizeof(devtypes) / (sizeof(devtypes[0])); i++) |
| execute_command(0, "ip link add dev %s0 type %s", devtypes[i], devtypes[i]); |
| execute_command(0, "ip link add dev veth1 type veth"); |
| for (i = 0; i < sizeof(devnames) / (sizeof(devnames[0])); i++) { |
| char addr[32]; |
| snprintf_check(addr, sizeof(addr), DEV_IPV4, i + 10); |
| execute_command(0, "ip -4 addr add %s/24 dev %s", addr, devnames[i]); |
| snprintf_check(addr, sizeof(addr), DEV_IPV6, i + 10); |
| execute_command(0, "ip -6 addr add %s/120 dev %s", addr, devnames[i]); |
| snprintf_check(addr, sizeof(addr), DEV_MAC, i + 10); |
| execute_command(0, "ip link set dev %s address %s", devnames[i], addr); |
| execute_command(0, "ip link set dev %s up", devnames[i]); |
| } |
| } |
| |
| #define MAX_FRAGS 4 |
| struct vnet_fragmentation { |
| uint32_t full; |
| uint32_t count; |
| uint32_t frags[MAX_FRAGS]; |
| }; |
| |
| static uintptr_t syz_emit_ethernet(uintptr_t a0, uintptr_t a1, uintptr_t a2) |
| { |
| if (tunfd < 0) |
| return (uintptr_t)-1; |
| |
| uint32_t length = a0; |
| char* data = (char*)a1; |
| |
| struct vnet_fragmentation* frags = (struct vnet_fragmentation*)a2; |
| struct iovec vecs[MAX_FRAGS + 1]; |
| uint32_t nfrags = 0; |
| if (!tun_frags_enabled || frags == NULL) { |
| vecs[nfrags].iov_base = data; |
| vecs[nfrags].iov_len = length; |
| nfrags++; |
| } else { |
| bool full = true; |
| uint32_t i, count = 0; |
| full = frags->full; |
| count = frags->count; |
| if (count > MAX_FRAGS) |
| count = MAX_FRAGS; |
| for (i = 0; i < count && length != 0; i++) { |
| uint32_t size = 0; |
| size = frags->frags[i]; |
| if (size > length) |
| size = length; |
| vecs[nfrags].iov_base = data; |
| vecs[nfrags].iov_len = size; |
| nfrags++; |
| data += size; |
| length -= size; |
| } |
| if (length != 0 && (full || nfrags == 0)) { |
| vecs[nfrags].iov_base = data; |
| vecs[nfrags].iov_len = length; |
| nfrags++; |
| } |
| } |
| return writev(tunfd, vecs, nfrags); |
| } |
| |
| uint64_t r[2] = {0xffffffffffffffff, 0xffffffffffffffff}; |
| void loop() |
| { |
| long res; |
| res = syscall(__NR_socket, 0xa, 2, 0); |
| if (res != -1) |
| r[0] = res; |
| memcpy((void*)0x20000080, "\x6d\x61\x6e\x67\x6c\x65\x00\x00\x00\x00\x00\x00" |
| "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" |
| "\x00\x00\x00\x00\x00\x00\x00\x00", |
| 32); |
| *(uint32_t*)0x200000a0 = 0x1f; |
| *(uint32_t*)0x200000a4 = 6; |
| *(uint32_t*)0x200000a8 = 0x558; |
| *(uint32_t*)0x200000ac = 0x2e8; |
| *(uint32_t*)0x200000b0 = 0x3b8; |
| *(uint32_t*)0x200000b4 = 0x218; |
| *(uint32_t*)0x200000b8 = 0x128; |
| *(uint32_t*)0x200000bc = 0x3b8; |
| *(uint32_t*)0x200000c0 = 0x488; |
| *(uint32_t*)0x200000c4 = 0x488; |
| *(uint32_t*)0x200000c8 = 0x488; |
| *(uint32_t*)0x200000cc = 0x488; |
| *(uint32_t*)0x200000d0 = 0x488; |
| *(uint32_t*)0x200000d4 = 6; |
| *(uint64_t*)0x200000d8 = 0x20000000; |
| *(uint8_t*)0x200000e0 = -1; |
| *(uint8_t*)0x200000e1 = 1; |
| *(uint8_t*)0x200000e2 = 0; |
| *(uint8_t*)0x200000e3 = 0; |
| *(uint8_t*)0x200000e4 = 0; |
| *(uint8_t*)0x200000e5 = 0; |
| *(uint8_t*)0x200000e6 = 0; |
| *(uint8_t*)0x200000e7 = 0; |
| *(uint8_t*)0x200000e8 = 0; |
| *(uint8_t*)0x200000e9 = 0; |
| *(uint8_t*)0x200000ea = 0; |
| *(uint8_t*)0x200000eb = 0; |
| *(uint8_t*)0x200000ec = 0; |
| *(uint8_t*)0x200000ed = 0; |
| *(uint8_t*)0x200000ee = 0; |
| *(uint8_t*)0x200000ef = 1; |
| *(uint64_t*)0x200000f0 = htobe64(0); |
| *(uint64_t*)0x200000f8 = htobe64(1); |
| *(uint32_t*)0x20000100 = htobe32(0); |
| *(uint32_t*)0x20000104 = htobe32(0); |
| *(uint32_t*)0x20000108 = htobe32(0); |
| *(uint32_t*)0x2000010c = htobe32(0); |
| *(uint32_t*)0x20000110 = htobe32(0); |
| *(uint32_t*)0x20000114 = htobe32(0); |
| *(uint32_t*)0x20000118 = htobe32(0); |
| *(uint32_t*)0x2000011c = htobe32(0); |
| memcpy((void*)0x20000120, |
| "\x76\x6c\x61\x6e\x30\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", |
| 16); |
| memcpy((void*)0x20000130, |
| "\x69\x72\x6c\x61\x6e\x30\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", |
| 16); |
| *(uint8_t*)0x20000140 = 0; |
| *(uint8_t*)0x20000141 = 0; |
| *(uint8_t*)0x20000142 = 0; |
| *(uint8_t*)0x20000143 = 0; |
| *(uint8_t*)0x20000144 = 0; |
| *(uint8_t*)0x20000145 = 0; |
| *(uint8_t*)0x20000146 = 0; |
| *(uint8_t*)0x20000147 = 0; |
| *(uint8_t*)0x20000148 = 0; |
| *(uint8_t*)0x20000149 = 0; |
| *(uint8_t*)0x2000014a = 0; |
| *(uint8_t*)0x2000014b = 0; |
| *(uint8_t*)0x2000014c = 0; |
| *(uint8_t*)0x2000014d = 0; |
| *(uint8_t*)0x2000014e = 0; |
| *(uint8_t*)0x2000014f = 0; |
| *(uint8_t*)0x20000150 = 0; |
| *(uint8_t*)0x20000151 = 0; |
| *(uint8_t*)0x20000152 = 0; |
| *(uint8_t*)0x20000153 = 0; |
| *(uint8_t*)0x20000154 = 0; |
| *(uint8_t*)0x20000155 = 0; |
| *(uint8_t*)0x20000156 = 0; |
| *(uint8_t*)0x20000157 = 0; |
| *(uint8_t*)0x20000158 = 0; |
| *(uint8_t*)0x20000159 = 0; |
| *(uint8_t*)0x2000015a = 0; |
| *(uint8_t*)0x2000015b = 0; |
| *(uint8_t*)0x2000015c = 0; |
| *(uint8_t*)0x2000015d = 0; |
| *(uint8_t*)0x2000015e = 0; |
| *(uint8_t*)0x2000015f = 0; |
| *(uint16_t*)0x20000160 = 0; |
| *(uint8_t*)0x20000162 = 0; |
| *(uint8_t*)0x20000163 = 0; |
| *(uint8_t*)0x20000164 = 0; |
| *(uint32_t*)0x20000168 = 0; |
| *(uint16_t*)0x2000016c = 0x100; |
| *(uint16_t*)0x2000016e = 0x128; |
| *(uint32_t*)0x20000170 = 0; |
| *(uint64_t*)0x20000178 = 0; |
| *(uint64_t*)0x20000180 = 0; |
| *(uint16_t*)0x20000188 = 0x28; |
| memcpy((void*)0x2000018a, "\x72\x70\x66\x69\x6c\x74\x65\x72\x00\x00\x00\x00" |
| "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" |
| "\x00\x00\x00\x00\x00", |
| 29); |
| *(uint8_t*)0x200001a7 = 0; |
| *(uint8_t*)0x200001a8 = 0; |
| *(uint16_t*)0x200001b0 = 0x30; |
| memcpy((void*)0x200001b2, "\x61\x68\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" |
| "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" |
| "\x00\x00\x00\x00\x00", |
| 29); |
| *(uint8_t*)0x200001cf = 0; |
| *(uint32_t*)0x200001d0 = htobe32(0); |
| *(uint32_t*)0x200001d4 = htobe32(0); |
| *(uint32_t*)0x200001d8 = 0; |
| *(uint8_t*)0x200001dc = 0; |
| *(uint8_t*)0x200001dd = 0; |
| *(uint16_t*)0x200001e0 = 0x28; |
| memcpy((void*)0x200001e2, "\x43\x48\x45\x43\x4b\x53\x55\x4d\x00\x00\x00\x00" |
| "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" |
| "\x00\x00\x00\x00\x00", |
| 29); |
| *(uint8_t*)0x200001ff = 0; |
| *(uint8_t*)0x20000200 = 1; |
| *(uint8_t*)0x20000208 = 0; |
| *(uint8_t*)0x20000209 = 0; |
| *(uint8_t*)0x2000020a = 0; |
| *(uint8_t*)0x2000020b = 0; |
| *(uint8_t*)0x2000020c = 0; |
| *(uint8_t*)0x2000020d = 0; |
| *(uint8_t*)0x2000020e = 0; |
| *(uint8_t*)0x2000020f = 0; |
| *(uint8_t*)0x20000210 = 0; |
| *(uint8_t*)0x20000211 = 0; |
| *(uint8_t*)0x20000212 = 0; |
| *(uint8_t*)0x20000213 = 0; |
| *(uint8_t*)0x20000214 = 0; |
| *(uint8_t*)0x20000215 = 0; |
| *(uint8_t*)0x20000216 = 0; |
| *(uint8_t*)0x20000217 = 0; |
| *(uint8_t*)0x20000218 = -1; |
| *(uint8_t*)0x20000219 = 1; |
| *(uint8_t*)0x2000021a = 0; |
| *(uint8_t*)0x2000021b = 0; |
| *(uint8_t*)0x2000021c = 0; |
| *(uint8_t*)0x2000021d = 0; |
| *(uint8_t*)0x2000021e = 0; |
| *(uint8_t*)0x2000021f = 0; |
| *(uint8_t*)0x20000220 = 0; |
| *(uint8_t*)0x20000221 = 0; |
| *(uint8_t*)0x20000222 = 0; |
| *(uint8_t*)0x20000223 = 0; |
| *(uint8_t*)0x20000224 = 0; |
| *(uint8_t*)0x20000225 = 0; |
| *(uint8_t*)0x20000226 = 0; |
| *(uint8_t*)0x20000227 = 1; |
| *(uint32_t*)0x20000228 = htobe32(0); |
| *(uint32_t*)0x2000022c = htobe32(0); |
| *(uint32_t*)0x20000230 = htobe32(0); |
| *(uint32_t*)0x20000234 = htobe32(0); |
| *(uint32_t*)0x20000238 = htobe32(0); |
| *(uint32_t*)0x2000023c = htobe32(0); |
| *(uint32_t*)0x20000240 = htobe32(0); |
| *(uint32_t*)0x20000244 = htobe32(0); |
| memcpy((void*)0x20000248, |
| "\x69\x70\x36\x67\x72\x65\x30\x00\x00\x00\x00\x00\x00\x00\x00\x00", |
| 16); |
| memcpy((void*)0x20000258, |
| "\x69\x70\x36\x67\x72\x65\x74\x61\x70\x30\x00\x00\x00\x00\x00\x00", |
| 16); |
| *(uint8_t*)0x20000268 = 0; |
| *(uint8_t*)0x20000269 = 0; |
| *(uint8_t*)0x2000026a = 0; |
| *(uint8_t*)0x2000026b = 0; |
| *(uint8_t*)0x2000026c = 0; |
| *(uint8_t*)0x2000026d = 0; |
| *(uint8_t*)0x2000026e = 0; |
| *(uint8_t*)0x2000026f = 0; |
| *(uint8_t*)0x20000270 = 0; |
| *(uint8_t*)0x20000271 = 0; |
| *(uint8_t*)0x20000272 = 0; |
| *(uint8_t*)0x20000273 = 0; |
| *(uint8_t*)0x20000274 = 0; |
| *(uint8_t*)0x20000275 = 0; |
| *(uint8_t*)0x20000276 = 0; |
| *(uint8_t*)0x20000277 = 0; |
| *(uint8_t*)0x20000278 = -1; |
| *(uint8_t*)0x20000279 = 0; |
| *(uint8_t*)0x2000027a = 0; |
| *(uint8_t*)0x2000027b = 0; |
| *(uint8_t*)0x2000027c = 0; |
| *(uint8_t*)0x2000027d = 0; |
| *(uint8_t*)0x2000027e = 0; |
| *(uint8_t*)0x2000027f = 0; |
| *(uint8_t*)0x20000280 = 0; |
| *(uint8_t*)0x20000281 = 0; |
| *(uint8_t*)0x20000282 = 0; |
| *(uint8_t*)0x20000283 = 0; |
| *(uint8_t*)0x20000284 = 0; |
| *(uint8_t*)0x20000285 = 0; |
| *(uint8_t*)0x20000286 = 0; |
| *(uint8_t*)0x20000287 = 0; |
| *(uint16_t*)0x20000288 = 0; |
| *(uint8_t*)0x2000028a = 0; |
| *(uint8_t*)0x2000028b = 0; |
| *(uint8_t*)0x2000028c = 0; |
| *(uint32_t*)0x20000290 = 0; |
| *(uint16_t*)0x20000294 = 0xa8; |
| *(uint16_t*)0x20000296 = 0xf0; |
| *(uint32_t*)0x20000298 = 0; |
| *(uint64_t*)0x200002a0 = 0; |
| *(uint64_t*)0x200002a8 = 0; |
| *(uint16_t*)0x200002b0 = 0x48; |
| memcpy((void*)0x200002b2, "\x44\x4e\x50\x54\x00\x00\x00\x00\x00\x00\x00\x00" |
| "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" |
| "\x00\x00\x00\x00\x00", |
| 29); |
| *(uint8_t*)0x200002cf = 0; |
| *(uint8_t*)0x200002d0 = 0xac; |
| *(uint8_t*)0x200002d1 = 0x14; |
| *(uint8_t*)0x200002d2 = 0x14; |
| *(uint8_t*)0x200002d3 = 0xaa; |
| *(uint8_t*)0x200002e0 = 0xac; |
| *(uint8_t*)0x200002e1 = 0x14; |
| *(uint8_t*)0x200002e2 = 0x14; |
| *(uint8_t*)0x200002e3 = 0; |
| *(uint8_t*)0x200002f0 = 0x23; |
| *(uint8_t*)0x200002f1 = 0x3f; |
| *(uint16_t*)0x200002f2 = 0; |
| *(uint8_t*)0x200002f8 = 0; |
| *(uint8_t*)0x200002f9 = 0; |
| *(uint8_t*)0x200002fa = 0; |
| *(uint8_t*)0x200002fb = 0; |
| *(uint8_t*)0x200002fc = 0; |
| *(uint8_t*)0x200002fd = 0; |
| *(uint8_t*)0x200002fe = 0; |
| *(uint8_t*)0x200002ff = 0; |
| *(uint8_t*)0x20000300 = 0; |
| *(uint8_t*)0x20000301 = 0; |
| *(uint8_t*)0x20000302 = 0; |
| *(uint8_t*)0x20000303 = 0; |
| *(uint8_t*)0x20000304 = 0; |
| *(uint8_t*)0x20000305 = 0; |
| *(uint8_t*)0x20000306 = 0; |
| *(uint8_t*)0x20000307 = 0; |
| *(uint8_t*)0x20000308 = 0; |
| *(uint8_t*)0x20000309 = 0; |
| *(uint8_t*)0x2000030a = 0; |
| *(uint8_t*)0x2000030b = 0; |
| *(uint8_t*)0x2000030c = 0; |
| *(uint8_t*)0x2000030d = 0; |
| *(uint8_t*)0x2000030e = 0; |
| *(uint8_t*)0x2000030f = 0; |
| *(uint8_t*)0x20000310 = 0; |
| *(uint8_t*)0x20000311 = 0; |
| *(uint8_t*)0x20000312 = 0; |
| *(uint8_t*)0x20000313 = 0; |
| *(uint8_t*)0x20000314 = 0; |
| *(uint8_t*)0x20000315 = 0; |
| *(uint8_t*)0x20000316 = 0; |
| *(uint8_t*)0x20000317 = 0; |
| *(uint8_t*)0x20000318 = 0; |
| *(uint8_t*)0x20000319 = 0; |
| *(uint8_t*)0x2000031a = 0; |
| *(uint8_t*)0x2000031b = 0; |
| *(uint8_t*)0x2000031c = 0; |
| *(uint8_t*)0x2000031d = 0; |
| *(uint8_t*)0x2000031e = 0; |
| *(uint8_t*)0x2000031f = 0; |
| *(uint8_t*)0x20000320 = 0; |
| *(uint8_t*)0x20000321 = 0; |
| *(uint8_t*)0x20000322 = 0; |
| *(uint8_t*)0x20000323 = 0; |
| *(uint8_t*)0x20000324 = 0; |
| *(uint8_t*)0x20000325 = 0; |
| *(uint8_t*)0x20000326 = 0; |
| *(uint8_t*)0x20000327 = 0; |
| *(uint8_t*)0x20000328 = 0; |
| *(uint8_t*)0x20000329 = 0; |
| *(uint8_t*)0x2000032a = 0; |
| *(uint8_t*)0x2000032b = 0; |
| *(uint8_t*)0x2000032c = 0; |
| *(uint8_t*)0x2000032d = 0; |
| *(uint8_t*)0x2000032e = 0; |
| *(uint8_t*)0x2000032f = 0; |
| *(uint8_t*)0x20000330 = 0; |
| *(uint8_t*)0x20000331 = 0; |
| *(uint8_t*)0x20000332 = 0; |
| *(uint8_t*)0x20000333 = 0; |
| *(uint8_t*)0x20000334 = 0; |
| *(uint8_t*)0x20000335 = 0; |
| *(uint8_t*)0x20000336 = 0; |
| *(uint8_t*)0x20000337 = 0; |
| *(uint8_t*)0x20000338 = 0; |
| *(uint8_t*)0x20000339 = 0; |
| *(uint8_t*)0x2000033a = 0; |
| *(uint8_t*)0x2000033b = 0; |
| *(uint8_t*)0x2000033c = 0; |
| *(uint8_t*)0x2000033d = 0; |
| *(uint8_t*)0x2000033e = 0; |
| *(uint8_t*)0x2000033f = 0; |
| *(uint8_t*)0x20000340 = 0; |
| *(uint8_t*)0x20000341 = 0; |
| *(uint8_t*)0x20000342 = 0; |
| *(uint8_t*)0x20000343 = 0; |
| *(uint8_t*)0x20000344 = 0; |
| *(uint8_t*)0x20000345 = 0; |
| *(uint8_t*)0x20000346 = 0; |
| *(uint8_t*)0x20000347 = 0; |
| *(uint8_t*)0x20000348 = 0; |
| *(uint8_t*)0x20000349 = 0; |
| *(uint8_t*)0x2000034a = 0; |
| *(uint8_t*)0x2000034b = 0; |
| *(uint8_t*)0x2000034c = 0; |
| *(uint8_t*)0x2000034d = 0; |
| *(uint8_t*)0x2000034e = 0; |
| *(uint8_t*)0x2000034f = 0; |
| *(uint8_t*)0x20000350 = 0; |
| *(uint8_t*)0x20000351 = 0; |
| *(uint8_t*)0x20000352 = 0; |
| *(uint8_t*)0x20000353 = 0; |
| *(uint8_t*)0x20000354 = 0; |
| *(uint8_t*)0x20000355 = 0; |
| *(uint8_t*)0x20000356 = 0; |
| *(uint8_t*)0x20000357 = 0; |
| *(uint8_t*)0x20000358 = 0; |
| *(uint8_t*)0x20000359 = 0; |
| *(uint8_t*)0x2000035a = 0; |
| *(uint8_t*)0x2000035b = 0; |
| *(uint8_t*)0x2000035c = 0; |
| *(uint8_t*)0x2000035d = 0; |
| *(uint8_t*)0x2000035e = 0; |
| *(uint8_t*)0x2000035f = 0; |
| *(uint8_t*)0x20000360 = 0; |
| *(uint8_t*)0x20000361 = 0; |
| *(uint8_t*)0x20000362 = 0; |
| *(uint8_t*)0x20000363 = 0; |
| *(uint8_t*)0x20000364 = 0; |
| *(uint8_t*)0x20000365 = 0; |
| *(uint8_t*)0x20000366 = 0; |
| *(uint8_t*)0x20000367 = 0; |
| *(uint8_t*)0x20000368 = 0; |
| *(uint8_t*)0x20000369 = 0; |
| *(uint8_t*)0x2000036a = 0; |
| *(uint8_t*)0x2000036b = 0; |
| *(uint8_t*)0x2000036c = 0; |
| *(uint8_t*)0x2000036d = 0; |
| *(uint8_t*)0x2000036e = 0; |
| *(uint8_t*)0x2000036f = 0; |
| *(uint8_t*)0x20000370 = 0; |
| *(uint8_t*)0x20000371 = 0; |
| *(uint8_t*)0x20000372 = 0; |
| *(uint8_t*)0x20000373 = 0; |
| *(uint8_t*)0x20000374 = 0; |
| *(uint8_t*)0x20000375 = 0; |
| *(uint8_t*)0x20000376 = 0; |
| *(uint8_t*)0x20000377 = 0; |
| *(uint8_t*)0x20000378 = 0; |
| *(uint8_t*)0x20000379 = 0; |
| *(uint8_t*)0x2000037a = 0; |
| *(uint8_t*)0x2000037b = 0; |
| *(uint8_t*)0x2000037c = 0; |
| *(uint8_t*)0x2000037d = 0; |
| *(uint8_t*)0x2000037e = 0; |
| *(uint8_t*)0x2000037f = 0; |
| *(uint32_t*)0x20000380 = 0; |
| *(uint16_t*)0x20000384 = 0xa8; |
| *(uint16_t*)0x20000386 = 0xd0; |
| *(uint32_t*)0x20000388 = 0; |
| *(uint64_t*)0x20000390 = 0; |
| *(uint64_t*)0x20000398 = 0; |
| *(uint16_t*)0x200003a0 = 0x28; |
| memcpy((void*)0x200003a2, "\x4d\x41\x52\x4b\x00\x00\x00\x00\x00\x00\x00\x00" |
| "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" |
| "\x00\x00\x00\x00\x00", |
| 29); |
| *(uint8_t*)0x200003bf = 2; |
| *(uint32_t*)0x200003c0 = 0x7ff; |
| *(uint32_t*)0x200003c4 = 0; |
| *(uint8_t*)0x200003c8 = 0; |
| *(uint8_t*)0x200003c9 = 0; |
| *(uint8_t*)0x200003ca = 0; |
| *(uint8_t*)0x200003cb = 0; |
| *(uint8_t*)0x200003cc = 0; |
| *(uint8_t*)0x200003cd = 0; |
| *(uint8_t*)0x200003ce = 0; |
| *(uint8_t*)0x200003cf = 0; |
| *(uint8_t*)0x200003d0 = 0; |
| *(uint8_t*)0x200003d1 = 0; |
| *(uint8_t*)0x200003d2 = 0; |
| *(uint8_t*)0x200003d3 = 0; |
| *(uint8_t*)0x200003d4 = 0; |
| *(uint8_t*)0x200003d5 = 0; |
| *(uint8_t*)0x200003d6 = 0; |
| *(uint8_t*)0x200003d7 = 0; |
| *(uint8_t*)0x200003d8 = 0; |
| *(uint8_t*)0x200003d9 = 0; |
| *(uint8_t*)0x200003da = 0; |
| *(uint8_t*)0x200003db = 0; |
| *(uint8_t*)0x200003dc = 0; |
| *(uint8_t*)0x200003dd = 0; |
| *(uint8_t*)0x200003de = 0; |
| *(uint8_t*)0x200003df = 0; |
| *(uint8_t*)0x200003e0 = 0; |
| *(uint8_t*)0x200003e1 = 0; |
| *(uint8_t*)0x200003e2 = 0; |
| *(uint8_t*)0x200003e3 = 0; |
| *(uint8_t*)0x200003e4 = 0; |
| *(uint8_t*)0x200003e5 = 0; |
| *(uint8_t*)0x200003e6 = 0; |
| *(uint8_t*)0x200003e7 = 0; |
| *(uint8_t*)0x200003e8 = 0; |
| *(uint8_t*)0x200003e9 = 0; |
| *(uint8_t*)0x200003ea = 0; |
| *(uint8_t*)0x200003eb = 0; |
| *(uint8_t*)0x200003ec = 0; |
| *(uint8_t*)0x200003ed = 0; |
| *(uint8_t*)0x200003ee = 0; |
| *(uint8_t*)0x200003ef = 0; |
| *(uint8_t*)0x200003f0 = 0; |
| *(uint8_t*)0x200003f1 = 0; |
| *(uint8_t*)0x200003f2 = 0; |
| *(uint8_t*)0x200003f3 = 0; |
| *(uint8_t*)0x200003f4 = 0; |
| *(uint8_t*)0x200003f5 = 0; |
| *(uint8_t*)0x200003f6 = 0; |
| *(uint8_t*)0x200003f7 = 0; |
| *(uint8_t*)0x200003f8 = 0; |
| *(uint8_t*)0x200003f9 = 0; |
| *(uint8_t*)0x200003fa = 0; |
| *(uint8_t*)0x200003fb = 0; |
| *(uint8_t*)0x200003fc = 0; |
| *(uint8_t*)0x200003fd = 0; |
| *(uint8_t*)0x200003fe = 0; |
| *(uint8_t*)0x200003ff = 0; |
| *(uint8_t*)0x20000400 = 0; |
| *(uint8_t*)0x20000401 = 0; |
| *(uint8_t*)0x20000402 = 0; |
| *(uint8_t*)0x20000403 = 0; |
| *(uint8_t*)0x20000404 = 0; |
| *(uint8_t*)0x20000405 = 0; |
| *(uint8_t*)0x20000406 = 0; |
| *(uint8_t*)0x20000407 = 0; |
| *(uint8_t*)0x20000408 = 0; |
| *(uint8_t*)0x20000409 = 0; |
| *(uint8_t*)0x2000040a = 0; |
| *(uint8_t*)0x2000040b = 0; |
| *(uint8_t*)0x2000040c = 0; |
| *(uint8_t*)0x2000040d = 0; |
| *(uint8_t*)0x2000040e = 0; |
| *(uint8_t*)0x2000040f = 0; |
| *(uint8_t*)0x20000410 = 0; |
| *(uint8_t*)0x20000411 = 0; |
| *(uint8_t*)0x20000412 = 0; |
| *(uint8_t*)0x20000413 = 0; |
| *(uint8_t*)0x20000414 = 0; |
| *(uint8_t*)0x20000415 = 0; |
| *(uint8_t*)0x20000416 = 0; |
| *(uint8_t*)0x20000417 = 0; |
| *(uint8_t*)0x20000418 = 0; |
| *(uint8_t*)0x20000419 = 0; |
| *(uint8_t*)0x2000041a = 0; |
| *(uint8_t*)0x2000041b = 0; |
| *(uint8_t*)0x2000041c = 0; |
| *(uint8_t*)0x2000041d = 0; |
| *(uint8_t*)0x2000041e = 0; |
| *(uint8_t*)0x2000041f = 0; |
| *(uint8_t*)0x20000420 = 0; |
| *(uint8_t*)0x20000421 = 0; |
| *(uint8_t*)0x20000422 = 0; |
| *(uint8_t*)0x20000423 = 0; |
| *(uint8_t*)0x20000424 = 0; |
| *(uint8_t*)0x20000425 = 0; |
| *(uint8_t*)0x20000426 = 0; |
| *(uint8_t*)0x20000427 = 0; |
| *(uint8_t*)0x20000428 = 0; |
| *(uint8_t*)0x20000429 = 0; |
| *(uint8_t*)0x2000042a = 0; |
| *(uint8_t*)0x2000042b = 0; |
| *(uint8_t*)0x2000042c = 0; |
| *(uint8_t*)0x2000042d = 0; |
| *(uint8_t*)0x2000042e = 0; |
| *(uint8_t*)0x2000042f = 0; |
| *(uint8_t*)0x20000430 = 0; |
| *(uint8_t*)0x20000431 = 0; |
| *(uint8_t*)0x20000432 = 0; |
| *(uint8_t*)0x20000433 = 0; |
| *(uint8_t*)0x20000434 = 0; |
| *(uint8_t*)0x20000435 = 0; |
| *(uint8_t*)0x20000436 = 0; |
| *(uint8_t*)0x20000437 = 0; |
| *(uint8_t*)0x20000438 = 0; |
| *(uint8_t*)0x20000439 = 0; |
| *(uint8_t*)0x2000043a = 0; |
| *(uint8_t*)0x2000043b = 0; |
| *(uint8_t*)0x2000043c = 0; |
| *(uint8_t*)0x2000043d = 0; |
| *(uint8_t*)0x2000043e = 0; |
| *(uint8_t*)0x2000043f = 0; |
| *(uint8_t*)0x20000440 = 0; |
| *(uint8_t*)0x20000441 = 0; |
| *(uint8_t*)0x20000442 = 0; |
| *(uint8_t*)0x20000443 = 0; |
| *(uint8_t*)0x20000444 = 0; |
| *(uint8_t*)0x20000445 = 0; |
| *(uint8_t*)0x20000446 = 0; |
| *(uint8_t*)0x20000447 = 0; |
| *(uint8_t*)0x20000448 = 0; |
| *(uint8_t*)0x20000449 = 0; |
| *(uint8_t*)0x2000044a = 0; |
| *(uint8_t*)0x2000044b = 0; |
| *(uint8_t*)0x2000044c = 0; |
| *(uint8_t*)0x2000044d = 0; |
| *(uint8_t*)0x2000044e = 0; |
| *(uint8_t*)0x2000044f = 0; |
| *(uint32_t*)0x20000450 = 0; |
| *(uint16_t*)0x20000454 = 0xa8; |
| *(uint16_t*)0x20000456 = 0xd0; |
| *(uint32_t*)0x20000458 = 0; |
| *(uint64_t*)0x20000460 = 0; |
| *(uint64_t*)0x20000468 = 0; |
| *(uint16_t*)0x20000470 = 0x28; |
| memcpy((void*)0x20000472, "\x48\x4c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" |
| "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" |
| "\x00\x00\x00\x00\x00", |
| 29); |
| *(uint8_t*)0x2000048f = 0; |
| *(uint8_t*)0x20000490 = 2; |
| *(uint8_t*)0x20000491 = 0xa0; |
| *(uint8_t*)0x20000498 = 0; |
| *(uint8_t*)0x20000499 = 0; |
| *(uint8_t*)0x2000049a = 0; |
| *(uint8_t*)0x2000049b = 0; |
| *(uint8_t*)0x2000049c = 0; |
| *(uint8_t*)0x2000049d = 0; |
| *(uint8_t*)0x2000049e = 0; |
| *(uint8_t*)0x2000049f = 0; |
| *(uint8_t*)0x200004a0 = 0; |
| *(uint8_t*)0x200004a1 = 0; |
| *(uint8_t*)0x200004a2 = 0; |
| *(uint8_t*)0x200004a3 = 0; |
| *(uint8_t*)0x200004a4 = 0; |
| *(uint8_t*)0x200004a5 = 0; |
| *(uint8_t*)0x200004a6 = 0; |
| *(uint8_t*)0x200004a7 = 0; |
| *(uint8_t*)0x200004a8 = 0; |
| *(uint8_t*)0x200004a9 = 0; |
| *(uint8_t*)0x200004aa = 0; |
| *(uint8_t*)0x200004ab = 0; |
| *(uint8_t*)0x200004ac = 0; |
| *(uint8_t*)0x200004ad = 0; |
| *(uint8_t*)0x200004ae = 0; |
| *(uint8_t*)0x200004af = 0; |
| *(uint8_t*)0x200004b0 = 0; |
| *(uint8_t*)0x200004b1 = 0; |
| *(uint8_t*)0x200004b2 = 0; |
| *(uint8_t*)0x200004b3 = 0; |
| *(uint8_t*)0x200004b4 = 0; |
| *(uint8_t*)0x200004b5 = 0; |
| *(uint8_t*)0x200004b6 = 0; |
| *(uint8_t*)0x200004b7 = 0; |
| *(uint8_t*)0x200004b8 = 0; |
| *(uint8_t*)0x200004b9 = 0; |
| *(uint8_t*)0x200004ba = 0; |
| *(uint8_t*)0x200004bb = 0; |
| *(uint8_t*)0x200004bc = 0; |
| *(uint8_t*)0x200004bd = 0; |
| *(uint8_t*)0x200004be = 0; |
| *(uint8_t*)0x200004bf = 0; |
| *(uint8_t*)0x200004c0 = 0; |
| *(uint8_t*)0x200004c1 = 0; |
| *(uint8_t*)0x200004c2 = 0; |
| *(uint8_t*)0x200004c3 = 0; |
| *(uint8_t*)0x200004c4 = 0; |
| *(uint8_t*)0x200004c5 = 0; |
| *(uint8_t*)0x200004c6 = 0; |
| *(uint8_t*)0x200004c7 = 0; |
| *(uint8_t*)0x200004c8 = 0; |
| *(uint8_t*)0x200004c9 = 0; |
| *(uint8_t*)0x200004ca = 0; |
| *(uint8_t*)0x200004cb = 0; |
| *(uint8_t*)0x200004cc = 0; |
| *(uint8_t*)0x200004cd = 0; |
| *(uint8_t*)0x200004ce = 0; |
| *(uint8_t*)0x200004cf = 0; |
| *(uint8_t*)0x200004d0 = 0; |
| *(uint8_t*)0x200004d1 = 0; |
| *(uint8_t*)0x200004d2 = 0; |
| *(uint8_t*)0x200004d3 = 0; |
| *(uint8_t*)0x200004d4 = 0; |
| *(uint8_t*)0x200004d5 = 0; |
| *(uint8_t*)0x200004d6 = 0; |
| *(uint8_t*)0x200004d7 = 0; |
| *(uint8_t*)0x200004d8 = 0; |
| *(uint8_t*)0x200004d9 = 0; |
| *(uint8_t*)0x200004da = 0; |
| *(uint8_t*)0x200004db = 0; |
| *(uint8_t*)0x200004dc = 0; |
| *(uint8_t*)0x200004dd = 0; |
| *(uint8_t*)0x200004de = 0; |
| *(uint8_t*)0x200004df = 0; |
| *(uint8_t*)0x200004e0 = 0; |
| *(uint8_t*)0x200004e1 = 0; |
| *(uint8_t*)0x200004e2 = 0; |
| *(uint8_t*)0x200004e3 = 0; |
| *(uint8_t*)0x200004e4 = 0; |
| *(uint8_t*)0x200004e5 = 0; |
| *(uint8_t*)0x200004e6 = 0; |
| *(uint8_t*)0x200004e7 = 0; |
| *(uint8_t*)0x200004e8 = 0; |
| *(uint8_t*)0x200004e9 = 0; |
| *(uint8_t*)0x200004ea = 0; |
| *(uint8_t*)0x200004eb = 0; |
| *(uint8_t*)0x200004ec = 0; |
| *(uint8_t*)0x200004ed = 0; |
| *(uint8_t*)0x200004ee = 0; |
| *(uint8_t*)0x200004ef = 0; |
| *(uint8_t*)0x200004f0 = 0; |
| *(uint8_t*)0x200004f1 = 0; |
| *(uint8_t*)0x200004f2 = 0; |
| *(uint8_t*)0x200004f3 = 0; |
| *(uint8_t*)0x200004f4 = 0; |
| *(uint8_t*)0x200004f5 = 0; |
| *(uint8_t*)0x200004f6 = 0; |
| *(uint8_t*)0x200004f7 = 0; |
| *(uint8_t*)0x200004f8 = 0; |
| *(uint8_t*)0x200004f9 = 0; |
| *(uint8_t*)0x200004fa = 0; |
| *(uint8_t*)0x200004fb = 0; |
| *(uint8_t*)0x200004fc = 0; |
| *(uint8_t*)0x200004fd = 0; |
| *(uint8_t*)0x200004fe = 0; |
| *(uint8_t*)0x200004ff = 0; |
| *(uint8_t*)0x20000500 = 0; |
| *(uint8_t*)0x20000501 = 0; |
| *(uint8_t*)0x20000502 = 0; |
| *(uint8_t*)0x20000503 = 0; |
| *(uint8_t*)0x20000504 = 0; |
| *(uint8_t*)0x20000505 = 0; |
| *(uint8_t*)0x20000506 = 0; |
| *(uint8_t*)0x20000507 = 0; |
| *(uint8_t*)0x20000508 = 0; |
| *(uint8_t*)0x20000509 = 0; |
| *(uint8_t*)0x2000050a = 0; |
| *(uint8_t*)0x2000050b = 0; |
| *(uint8_t*)0x2000050c = 0; |
| *(uint8_t*)0x2000050d = 0; |
| *(uint8_t*)0x2000050e = 0; |
| *(uint8_t*)0x2000050f = 0; |
| *(uint8_t*)0x20000510 = 0; |
| *(uint8_t*)0x20000511 = 0; |
| *(uint8_t*)0x20000512 = 0; |
| *(uint8_t*)0x20000513 = 0; |
| *(uint8_t*)0x20000514 = 0; |
| *(uint8_t*)0x20000515 = 0; |
| *(uint8_t*)0x20000516 = 0; |
| *(uint8_t*)0x20000517 = 0; |
| *(uint8_t*)0x20000518 = 0; |
| *(uint8_t*)0x20000519 = 0; |
| *(uint8_t*)0x2000051a = 0; |
| *(uint8_t*)0x2000051b = 0; |
| *(uint8_t*)0x2000051c = 0; |
| *(uint8_t*)0x2000051d = 0; |
| *(uint8_t*)0x2000051e = 0; |
| *(uint8_t*)0x2000051f = 0; |
| *(uint32_t*)0x20000520 = 0; |
| *(uint16_t*)0x20000524 = 0xa8; |
| *(uint16_t*)0x20000526 = 0xd0; |
| *(uint32_t*)0x20000528 = 0; |
| *(uint64_t*)0x20000530 = 0; |
| *(uint64_t*)0x20000538 = 0; |
| *(uint16_t*)0x20000540 = 0x28; |
| memcpy((void*)0x20000542, "\x43\x48\x45\x43\x4b\x53\x55\x4d\x00\x00\x00\x00" |
| "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" |
| "\x00\x00\x00\x00\x00", |
| 29); |
| *(uint8_t*)0x2000055f = 0; |
| *(uint8_t*)0x20000560 = 1; |
| *(uint8_t*)0x20000568 = 0; |
| *(uint8_t*)0x20000569 = 0; |
| *(uint8_t*)0x2000056a = 0; |
| *(uint8_t*)0x2000056b = 0; |
| *(uint8_t*)0x2000056c = 0; |
| *(uint8_t*)0x2000056d = 0; |
| *(uint8_t*)0x2000056e = 0; |
| *(uint8_t*)0x2000056f = 0; |
| *(uint8_t*)0x20000570 = 0; |
| *(uint8_t*)0x20000571 = 0; |
| *(uint8_t*)0x20000572 = 0; |
| *(uint8_t*)0x20000573 = 0; |
| *(uint8_t*)0x20000574 = 0; |
| *(uint8_t*)0x20000575 = 0; |
| *(uint8_t*)0x20000576 = 0; |
| *(uint8_t*)0x20000577 = 0; |
| *(uint8_t*)0x20000578 = 0; |
| *(uint8_t*)0x20000579 = 0; |
| *(uint8_t*)0x2000057a = 0; |
| *(uint8_t*)0x2000057b = 0; |
| *(uint8_t*)0x2000057c = 0; |
| *(uint8_t*)0x2000057d = 0; |
| *(uint8_t*)0x2000057e = 0; |
| *(uint8_t*)0x2000057f = 0; |
| *(uint8_t*)0x20000580 = 0; |
| *(uint8_t*)0x20000581 = 0; |
| *(uint8_t*)0x20000582 = 0; |
| *(uint8_t*)0x20000583 = 0; |
| *(uint8_t*)0x20000584 = 0; |
| *(uint8_t*)0x20000585 = 0; |
| *(uint8_t*)0x20000586 = 0; |
| *(uint8_t*)0x20000587 = 0; |
| *(uint8_t*)0x20000588 = 0; |
| *(uint8_t*)0x20000589 = 0; |
| *(uint8_t*)0x2000058a = 0; |
| *(uint8_t*)0x2000058b = 0; |
| *(uint8_t*)0x2000058c = 0; |
| *(uint8_t*)0x2000058d = 0; |
| *(uint8_t*)0x2000058e = 0; |
| *(uint8_t*)0x2000058f = 0; |
| *(uint8_t*)0x20000590 = 0; |
| *(uint8_t*)0x20000591 = 0; |
| *(uint8_t*)0x20000592 = 0; |
| *(uint8_t*)0x20000593 = 0; |
| *(uint8_t*)0x20000594 = 0; |
| *(uint8_t*)0x20000595 = 0; |
| *(uint8_t*)0x20000596 = 0; |
| *(uint8_t*)0x20000597 = 0; |
| *(uint8_t*)0x20000598 = 0; |
| *(uint8_t*)0x20000599 = 0; |
| *(uint8_t*)0x2000059a = 0; |
| *(uint8_t*)0x2000059b = 0; |
| *(uint8_t*)0x2000059c = 0; |
| *(uint8_t*)0x2000059d = 0; |
| *(uint8_t*)0x2000059e = 0; |
| *(uint8_t*)0x2000059f = 0; |
| *(uint8_t*)0x200005a0 = 0; |
| *(uint8_t*)0x200005a1 = 0; |
| *(uint8_t*)0x200005a2 = 0; |
| *(uint8_t*)0x200005a3 = 0; |
| *(uint8_t*)0x200005a4 = 0; |
| *(uint8_t*)0x200005a5 = 0; |
| *(uint8_t*)0x200005a6 = 0; |
| *(uint8_t*)0x200005a7 = 0; |
| *(uint8_t*)0x200005a8 = 0; |
| *(uint8_t*)0x200005a9 = 0; |
| *(uint8_t*)0x200005aa = 0; |
| *(uint8_t*)0x200005ab = 0; |
| *(uint8_t*)0x200005ac = 0; |
| *(uint8_t*)0x200005ad = 0; |
| *(uint8_t*)0x200005ae = 0; |
| *(uint8_t*)0x200005af = 0; |
| *(uint8_t*)0x200005b0 = 0; |
| *(uint8_t*)0x200005b1 = 0; |
| *(uint8_t*)0x200005b2 = 0; |
| *(uint8_t*)0x200005b3 = 0; |
| *(uint8_t*)0x200005b4 = 0; |
| *(uint8_t*)0x200005b5 = 0; |
| *(uint8_t*)0x200005b6 = 0; |
| *(uint8_t*)0x200005b7 = 0; |
| *(uint8_t*)0x200005b8 = 0; |
| *(uint8_t*)0x200005b9 = 0; |
| *(uint8_t*)0x200005ba = 0; |
| *(uint8_t*)0x200005bb = 0; |
| *(uint8_t*)0x200005bc = 0; |
| *(uint8_t*)0x200005bd = 0; |
| *(uint8_t*)0x200005be = 0; |
| *(uint8_t*)0x200005bf = 0; |
| *(uint8_t*)0x200005c0 = 0; |
| *(uint8_t*)0x200005c1 = 0; |
| *(uint8_t*)0x200005c2 = 0; |
| *(uint8_t*)0x200005c3 = 0; |
| *(uint8_t*)0x200005c4 = 0; |
| *(uint8_t*)0x200005c5 = 0; |
| *(uint8_t*)0x200005c6 = 0; |
| *(uint8_t*)0x200005c7 = 0; |
| *(uint8_t*)0x200005c8 = 0; |
| *(uint8_t*)0x200005c9 = 0; |
| *(uint8_t*)0x200005ca = 0; |
| *(uint8_t*)0x200005cb = 0; |
| *(uint8_t*)0x200005cc = 0; |
| *(uint8_t*)0x200005cd = 0; |
| *(uint8_t*)0x200005ce = 0; |
| *(uint8_t*)0x200005cf = 0; |
| *(uint8_t*)0x200005d0 = 0; |
| *(uint8_t*)0x200005d1 = 0; |
| *(uint8_t*)0x200005d2 = 0; |
| *(uint8_t*)0x200005d3 = 0; |
| *(uint8_t*)0x200005d4 = 0; |
| *(uint8_t*)0x200005d5 = 0; |
| *(uint8_t*)0x200005d6 = 0; |
| *(uint8_t*)0x200005d7 = 0; |
| *(uint8_t*)0x200005d8 = 0; |
| *(uint8_t*)0x200005d9 = 0; |
| *(uint8_t*)0x200005da = 0; |
| *(uint8_t*)0x200005db = 0; |
| *(uint8_t*)0x200005dc = 0; |
| *(uint8_t*)0x200005dd = 0; |
| *(uint8_t*)0x200005de = 0; |
| *(uint8_t*)0x200005df = 0; |
| *(uint8_t*)0x200005e0 = 0; |
| *(uint8_t*)0x200005e1 = 0; |
| *(uint8_t*)0x200005e2 = 0; |
| *(uint8_t*)0x200005e3 = 0; |
| *(uint8_t*)0x200005e4 = 0; |
| *(uint8_t*)0x200005e5 = 0; |
| *(uint8_t*)0x200005e6 = 0; |
| *(uint8_t*)0x200005e7 = 0; |
| *(uint8_t*)0x200005e8 = 0; |
| *(uint8_t*)0x200005e9 = 0; |
| *(uint8_t*)0x200005ea = 0; |
| *(uint8_t*)0x200005eb = 0; |
| *(uint8_t*)0x200005ec = 0; |
| *(uint8_t*)0x200005ed = 0; |
| *(uint8_t*)0x200005ee = 0; |
| *(uint8_t*)0x200005ef = 0; |
| *(uint32_t*)0x200005f0 = 0; |
| *(uint16_t*)0x200005f4 = 0xa8; |
| *(uint16_t*)0x200005f6 = 0xd0; |
| *(uint32_t*)0x200005f8 = 0; |
| *(uint64_t*)0x20000600 = 0; |
| *(uint64_t*)0x20000608 = 0; |
| *(uint16_t*)0x20000610 = 0x28; |
| memcpy((void*)0x20000612, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" |
| "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" |
| "\x00\x00\x00\x00\x00", |
| 29); |
| *(uint8_t*)0x2000062f = 0; |
| *(uint32_t*)0x20000630 = 0xfffffffe; |
| syscall(__NR_setsockopt, r[0], 0x29, 0x40, 0x20000080, 0x5b8); |
| res = syscall(__NR_socket, 0xa, 1, 0); |
| if (res != -1) |
| r[1] = res; |
| *(uint16_t*)0x20000640 = 0xa; |
| *(uint16_t*)0x20000642 = htobe16(0x4e20); |
| *(uint32_t*)0x20000644 = 0; |
| *(uint8_t*)0x20000648 = 0; |
| *(uint8_t*)0x20000649 = 0; |
| *(uint8_t*)0x2000064a = 0; |
| *(uint8_t*)0x2000064b = 0; |
| *(uint8_t*)0x2000064c = 0; |
| *(uint8_t*)0x2000064d = 0; |
| *(uint8_t*)0x2000064e = 0; |
| *(uint8_t*)0x2000064f = 0; |
| *(uint8_t*)0x20000650 = 0; |
| *(uint8_t*)0x20000651 = 0; |
| *(uint8_t*)0x20000652 = 0; |
| *(uint8_t*)0x20000653 = 0; |
| *(uint8_t*)0x20000654 = 0; |
| *(uint8_t*)0x20000655 = 0; |
| *(uint8_t*)0x20000656 = 0; |
| *(uint8_t*)0x20000657 = 0; |
| *(uint32_t*)0x20000658 = 0; |
| syscall(__NR_bind, r[1], 0x20000640, 0x1c); |
| syscall(__NR_listen, r[1], 2); |
| *(uint8_t*)0x20000100 = 0xaa; |
| *(uint8_t*)0x20000101 = 0xaa; |
| *(uint8_t*)0x20000102 = 0xaa; |
| *(uint8_t*)0x20000103 = 0xaa; |
| *(uint8_t*)0x20000104 = 0xaa; |
| *(uint8_t*)0x20000105 = 0xaa; |
| *(uint8_t*)0x20000106 = -1; |
| *(uint8_t*)0x20000107 = -1; |
| *(uint8_t*)0x20000108 = -1; |
| *(uint8_t*)0x20000109 = -1; |
| *(uint8_t*)0x2000010a = -1; |
| *(uint8_t*)0x2000010b = -1; |
| *(uint16_t*)0x2000010c = htobe16(0x86dd); |
| STORE_BY_BITMASK(uint8_t, 0x2000010e, 0, 0, 4); |
| STORE_BY_BITMASK(uint8_t, 0x2000010e, 6, 4, 4); |
| memcpy((void*)0x2000010f, "\xd8\x65\x2b", 3); |
| *(uint16_t*)0x20000112 = htobe16(0x14); |
| *(uint8_t*)0x20000114 = 6; |
| *(uint8_t*)0x20000115 = 0; |
| *(uint8_t*)0x20000116 = 0xfe; |
| *(uint8_t*)0x20000117 = 0x80; |
| *(uint8_t*)0x20000118 = 0; |
| *(uint8_t*)0x20000119 = 0; |
| *(uint8_t*)0x2000011a = 0; |
| *(uint8_t*)0x2000011b = 0; |
| *(uint8_t*)0x2000011c = 0; |
| *(uint8_t*)0x2000011d = 0; |
| *(uint8_t*)0x2000011e = 0; |
| *(uint8_t*)0x2000011f = 0; |
| *(uint8_t*)0x20000120 = 0; |
| *(uint8_t*)0x20000121 = 0; |
| *(uint8_t*)0x20000122 = 0; |
| *(uint8_t*)0x20000123 = 0; |
| *(uint8_t*)0x20000124 = 0; |
| *(uint8_t*)0x20000125 = 0xaa; |
| *(uint8_t*)0x20000126 = 0xfe; |
| *(uint8_t*)0x20000127 = 0x80; |
| *(uint8_t*)0x20000128 = 0; |
| *(uint8_t*)0x20000129 = 0; |
| *(uint8_t*)0x2000012a = 0; |
| *(uint8_t*)0x2000012b = 0; |
| *(uint8_t*)0x2000012c = 0; |
| *(uint8_t*)0x2000012d = 0; |
| *(uint8_t*)0x2000012e = 0; |
| *(uint8_t*)0x2000012f = 0; |
| *(uint8_t*)0x20000130 = 0; |
| *(uint8_t*)0x20000131 = 0; |
| *(uint8_t*)0x20000132 = 0; |
| *(uint8_t*)0x20000133 = 0; |
| *(uint8_t*)0x20000134 = 0; |
| *(uint8_t*)0x20000135 = 0xaa; |
| *(uint16_t*)0x20000136 = htobe16(0x4e20); |
| *(uint16_t*)0x20000138 = htobe16(0x4e20); |
| *(uint32_t*)0x2000013a = 0x41424344; |
| *(uint32_t*)0x2000013e = 0x41424344; |
| STORE_BY_BITMASK(uint8_t, 0x20000142, 0, 0, 1); |
| STORE_BY_BITMASK(uint8_t, 0x20000142, 0, 1, 3); |
| STORE_BY_BITMASK(uint8_t, 0x20000142, 5, 4, 4); |
| *(uint8_t*)0x20000143 = 2; |
| *(uint16_t*)0x20000144 = htobe16(0); |
| *(uint16_t*)0x20000146 = 0; |
| *(uint16_t*)0x20000148 = htobe16(0); |
| *(uint32_t*)0x200002c0 = 0; |
| *(uint32_t*)0x200002c4 = 0; |
| *(uint32_t*)0x200002c8 = 0; |
| *(uint32_t*)0x200002cc = 0; |
| *(uint32_t*)0x200002d0 = 0; |
| *(uint32_t*)0x200002d4 = 0; |
| struct csum_inet csum_1; |
| csum_inet_init(&csum_1); |
| csum_inet_update(&csum_1, (const uint8_t*)0x20000116, 16); |
| csum_inet_update(&csum_1, (const uint8_t*)0x20000126, 16); |
| uint32_t csum_1_chunk_2 = 0x14000000; |
| csum_inet_update(&csum_1, (const uint8_t*)&csum_1_chunk_2, 4); |
| uint32_t csum_1_chunk_3 = 0x6000000; |
| csum_inet_update(&csum_1, (const uint8_t*)&csum_1_chunk_3, 4); |
| csum_inet_update(&csum_1, (const uint8_t*)0x20000136, 20); |
| *(uint16_t*)0x20000146 = csum_inet_digest(&csum_1); |
| syz_emit_ethernet(0x4a, 0x20000100, 0x200002c0); |
| } |
| |
| int main() |
| { |
| syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0); |
| initialize_tun(); |
| initialize_netdevices(); |
| loop(); |
| return 0; |
| } |
