| // INFO: trying to register non-static key in del_timer_sync |
| // https://syzkaller.appspot.com/bug?id=b4b5c74c57c4b69f4fff86131abb799106182749 |
| // status:fixed |
| // autogenerated by syzkaller (http://github.com/google/syzkaller) |
| |
| #define _GNU_SOURCE |
| #include <endian.h> |
| #include <errno.h> |
| #include <linux/net.h> |
| #include <netinet/in.h> |
| #include <signal.h> |
| #include <stdarg.h> |
| #include <stdio.h> |
| #include <sys/prctl.h> |
| #include <sys/socket.h> |
| #include <sys/syscall.h> |
| #include <sys/time.h> |
| #include <sys/wait.h> |
| #include <time.h> |
| #include <unistd.h> |
| |
/*
 * Leave the process through the raw exit_group syscall with the given status.
 * The function is declared noreturn; the endless loop after the syscall keeps
 * control from ever reaching the closing brace.
 */
__attribute__((noreturn)) static void doexit(int status)
{
    volatile unsigned spin = 0;

    syscall(__NR_exit_group, status);
    while (1) {
        spin++;
    }
}
| #include <stdint.h> |
| #include <string.h> |
| |
/*
 * Exit statuses selected by fail(): kRetryStatus when errno was ENOMEM or
 * EAGAIN, kFailStatus for every other error.
 */
int const kFailStatus = 67;
int const kRetryStatus = 69;
| |
/*
 * Report a fatal error and exit.
 *
 * msg is a printf-style format; the formatted text is written to stderr
 * followed by " (errno N)", where N is the errno value seen on entry.
 * The exit status is kRetryStatus for ENOMEM/EAGAIN and kFailStatus otherwise.
 */
static void fail(const char* msg, ...)
{
    /* Capture errno first: the stdio calls below may overwrite it. */
    const int saved_errno = errno;
    int status = kFailStatus;
    va_list ap;

    va_start(ap, msg);
    vfprintf(stderr, msg, ap);
    va_end(ap);
    fprintf(stderr, " (errno %d)\n", saved_errno);

    if (saved_errno == ENOMEM || saved_errno == EAGAIN)
        status = kRetryStatus;
    doexit(status);
}
| |
/*
 * Return the CLOCK_MONOTONIC reading in milliseconds.
 * A clock_gettime() failure is fatal and goes through fail().
 */
static uint64_t current_time_ms()
{
    struct timespec now;
    uint64_t whole_ms;
    uint64_t frac_ms;

    if (clock_gettime(CLOCK_MONOTONIC, &now) != 0)
        fail("clock_gettime failed");

    whole_ms = (uint64_t)now.tv_sec * 1000;
    frac_ms = (uint64_t)now.tv_nsec / 1000000;
    return whole_ms + frac_ms;
}
| |
/*
 * Local copies of the iptables socket-option structures used by the
 * checkpoint/reset helpers below. The field order and sizes define the binary
 * layout handed to getsockopt()/setsockopt(), so they must not be reordered.
 * NOTE(review): presumably mirrors the kernel UAPI definitions — confirm
 * against linux/netfilter_ipv4/ip_tables.h.
 */

/* Buffer for getsockopt(IPT_SO_GET_INFO): table name in, table summary out. */
struct ipt_getinfo {
    char name[32];
    unsigned int valid_hooks;
    unsigned int hook_entry[5];
    unsigned int underflow[5];
    unsigned int num_entries;
    unsigned int size;
};

/* Buffer for getsockopt(IPT_SO_GET_ENTRIES); entrytable caps a table at 1024 bytes. */
struct ipt_get_entries {
    char name[32];
    unsigned int size;
    unsigned int pad;
    char entrytable[1024];
};

/* One pair of 64-bit counters; ipt_replace.counters points at an array of these. */
struct xt_counters {
    uint64_t pcnt;
    uint64_t bcnt;
};

/* Argument of setsockopt(IPT_SO_SET_REPLACE): header followed by the rule blob. */
struct ipt_replace {
    char name[32];
    unsigned int valid_hooks;
    unsigned int num_entries;
    unsigned int size;
    unsigned int hook_entry[5];
    unsigned int underflow[5];
    unsigned int num_counters;
    struct xt_counters* counters; /* user buffer with room for num_counters items */
    char entrytable[1024];
};

/*
 * Everything kept per table: its name, the info/entries snapshot taken by
 * checkpoint_net_namespace(), the prepared replace request that
 * reset_net_namespace() submits, and the counter buffer that request points to.
 */
struct ipt_table_desc {
    const char* name;
    struct ipt_getinfo info;
    struct ipt_get_entries entries;
    struct ipt_replace replace;
    struct xt_counters counters[10];
};
| |
/*
 * The IPv4 tables that are snapshotted before the first test run and restored
 * after each one. Only the name is set here; all other members start zeroed.
 */
static struct ipt_table_desc ipv4_tables[] = {
    {.name = "filter"},
    {.name = "nat"},
    {.name = "mangle"},
    {.name = "raw"},
    {.name = "security"},
};
| |
/*
 * iptables socket-option numbers (level SOL_IP). IPT_SO_SET_REPLACE and
 * IPT_SO_GET_INFO share the value 64: the first is only passed to
 * setsockopt(), the second only to getsockopt().
 */
#define IPT_BASE_CTL 64
#define IPT_SO_SET_REPLACE (IPT_BASE_CTL)
#define IPT_SO_GET_INFO (IPT_BASE_CTL)
#define IPT_SO_GET_ENTRIES (1 + IPT_BASE_CTL)
| |
/*
 * Snapshot every table listed in ipv4_tables so it can be restored later.
 *
 * For each table the current info and entries are read through getsockopt()
 * and a matching IPT_SO_SET_REPLACE request is prepared in table->replace.
 * Tables whose IPT_SO_GET_INFO fails with EPERM, ENOENT or ENOPROTOOPT are
 * skipped and keep their zeroed snapshot; any other failure, or a table that
 * does not fit the fixed-size buffers, ends the process through fail().
 */
static void checkpoint_net_namespace(void)
{
    const unsigned table_count = sizeof(ipv4_tables) / sizeof(ipv4_tables[0]);
    socklen_t optlen;
    unsigned idx;
    int sock;

    sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    if (sock == -1)
        fail("socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)");

    for (idx = 0; idx < table_count; idx++) {
        struct ipt_table_desc* table = &ipv4_tables[idx];

        /* All three request buffers are addressed by table name. */
        strcpy(table->info.name, table->name);
        strcpy(table->entries.name, table->name);
        strcpy(table->replace.name, table->name);

        optlen = sizeof(table->info);
        if (getsockopt(sock, SOL_IP, IPT_SO_GET_INFO, &table->info, &optlen) != 0) {
            if (errno == EPERM || errno == ENOENT || errno == ENOPROTOOPT)
                continue;
            fail("getsockopt(IPT_SO_GET_INFO)");
        }

        /* Refuse anything that would overflow entrytable[] or counters[]. */
        if (table->info.size > sizeof(table->entries.entrytable))
            fail("table size is too large: %u", table->info.size);
        if (table->info.num_entries >
            sizeof(table->counters) / sizeof(table->counters[0]))
            fail("too many counters: %u", table->info.num_entries);

        /* Fetch the rule blob; the length is the fixed header plus the blob. */
        table->entries.size = table->info.size;
        optlen = sizeof(table->entries) - sizeof(table->entries.entrytable) +
                 table->info.size;
        if (getsockopt(sock, SOL_IP, IPT_SO_GET_ENTRIES, &table->entries, &optlen) != 0)
            fail("getsockopt(IPT_SO_GET_ENTRIES)");

        /* Build the request that puts this exact state back. */
        table->replace.valid_hooks = table->info.valid_hooks;
        table->replace.num_entries = table->info.num_entries;
        table->replace.size = table->info.size;
        table->replace.counters = table->counters;
        memcpy(table->replace.hook_entry, table->info.hook_entry,
               sizeof(table->replace.hook_entry));
        memcpy(table->replace.underflow, table->info.underflow,
               sizeof(table->replace.underflow));
        memcpy(table->replace.entrytable, table->entries.entrytable,
               table->info.size);
    }
    close(sock);
}
| |
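/*
 * Put every snapshotted IPv4 table back into the state recorded by
 * checkpoint_net_namespace().
 *
 * A table is left alone when both its current info and its current entries
 * compare equal to the snapshot; otherwise the prepared table->replace request
 * is submitted with IPT_SO_SET_REPLACE. Any socket or sockopt failure ends the
 * process through fail().
 */
static void reset_net_namespace(void)
{
    struct ipt_get_entries entries;
    struct ipt_getinfo info;
    socklen_t optlen;
    unsigned i;
    int fd;

    memset(&info, 0, sizeof(info));
    memset(&entries, 0, sizeof(entries));
    fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    if (fd == -1)
        fail("socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)");
    for (i = 0; i < sizeof(ipv4_tables) / sizeof(ipv4_tables[0]); i++) {
        struct ipt_table_desc* table = &ipv4_tables[i];

        /*
         * A snapshot without valid hooks has nothing to restore; the array
         * starts zeroed, so this also covers tables the checkpoint skipped.
         */
        if (table->info.valid_hooks == 0)
            continue;
        strcpy(info.name, table->name);
        optlen = sizeof(info);
        if (getsockopt(fd, SOL_IP, IPT_SO_GET_INFO, &info, &optlen))
            fail("getsockopt(IPT_SO_GET_INFO)");
        if (memcmp(&table->info, &info, sizeof(table->info)) == 0) {
            /* Same summary: compare the rule blob before deciding to skip. */
            strcpy(entries.name, table->name);
            entries.size = table->info.size;
            optlen = sizeof(entries) - sizeof(entries.entrytable) + entries.size;
            if (getsockopt(fd, SOL_IP, IPT_SO_GET_ENTRIES, &entries, &optlen))
                fail("getsockopt(IPT_SO_GET_ENTRIES)");
            if (memcmp(&table->entries, &entries, optlen) == 0)
                continue;
        }
        /*
         * num_counters is taken from the live table, which the test may have
         * grown. replace.counters points at table->counters[], so reject a
         * count that exceeds that buffer, mirroring the bound applied in
         * checkpoint_net_namespace().
         * NOTE(review): presumably the kernel writes num_counters old counter
         * records through that pointer — confirm against the replace path.
         */
        if (info.num_entries >
            sizeof(table->counters) / sizeof(table->counters[0]))
            fail("too many counters: %u", info.num_entries);
        table->replace.num_counters = info.num_entries;
        optlen = sizeof(table->replace) - sizeof(table->replace.entrytable) +
                 table->replace.size;
        if (setsockopt(fd, SOL_IP, IPT_SO_SET_REPLACE, &table->replace, optlen))
            fail("setsockopt(IPT_SO_SET_REPLACE)");
    }
    close(fd);
}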
| |
| static void test(); |
| |
/*
 * Run test() over and over, each time in a fresh child process.
 *
 * The IPv4 tables are snapshotted once up front. Each iteration forks a child
 * that runs test() in its own process group, waits for it for up to five
 * seconds, kills the child and its group if it is still running, and then
 * restores the tables. The function never returns.
 */
void loop()
{
    int iter;

    checkpoint_net_namespace();
    for (iter = 0;; iter++) {
        int status = 0;
        uint64_t started;
        int pid = fork();

        if (pid < 0)
            fail("loop fork failed");
        if (pid == 0) {
            /* Child: die with the parent, get a private process group. */
            prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
            setpgrp();
            test();
            doexit(0);
        }

        started = current_time_ms();
        /* Poll every millisecond until the child is reaped or times out. */
        while (waitpid(-1, &status, __WALL | WNOHANG) != pid) {
            usleep(1000);
            if (current_time_ms() - started <= 5 * 1000)
                continue;
            /* Timed out: kill the whole group, then block until reaped. */
            kill(-pid, SIGKILL);
            kill(pid, SIGKILL);
            while (waitpid(-1, &status, __WALL) != pid) {
            }
            break;
        }
        reset_net_namespace();
    }
}
| |
/* Results of the two socket() calls in test(); every byte is set to 0xff first. */
long r[2];

/*
 * Write the part of one rule entry that has the same shape in all four
 * entries: the zeroed region at +0x30..+0x6f, the two 16-bit offsets inside
 * it, and the target header (16-bit size, 29-byte name, one zero byte).
 * NOTE(review): the offsets look like struct ipt_entry followed by an
 * xt_entry_target header — confirm against linux/netfilter_ipv4/ip_tables.h.
 */
static void write_entry_tail(uintptr_t entry, uint16_t next_offset,
                             uint16_t target_size, const char* target_name)
{
    memset((void*)(entry + 0x30), 0, 0x40);
    *(uint16_t*)(entry + 0x58) = 0x70;
    *(uint16_t*)(entry + 0x5a) = next_offset;
    *(uint16_t*)(entry + 0x70) = target_size;
    memcpy((void*)(entry + 0x72), target_name, 29);
    *(uint8_t*)(entry + 0x8f) = 0;
}

/*
 * Lay out one IPT_SO_SET_REPLACE request at the fixed address 0x20014000:
 * a struct ipt_replace header for table "filter" followed by four rule
 * entries (0x280 bytes), plus the zeroed 64-byte counter area at 0x20012fc0
 * that the header's counters pointer refers to.
 *
 * led_word is stored at 0x200141a4, inside the payload of the "LED" target of
 * the second entry; it is the only value that differs between the two
 * requests test() submits.
 * NOTE(review): presumably xt_led_info.delay — confirm against
 * linux/netfilter/xt_LED.h.
 */
static void write_filter_replace(uint32_t led_word)
{
    static const uint32_t hook_offsets[5] = {0xffffffff, 0, 0, 0, 0xffffffff};
    static const uint8_t net_prefix[4] = {0xac, 0x14, 0, 0};
    static const uint8_t syz_prefix[5] = {0x73, 0x79, 0x7a, 0, 0};

    /* Header: name "filter", valid_hooks, num_entries, size, hooks, counters. */
    memcpy((void*)0x20014000, "\x66\x69\x6c\x74\x65\x72\x00\x00\x00\x00\x00\x00"
                              "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
                              "\x00\x00\x00\x00\x00\x00\x00\x00",
           32);
    *(uint32_t*)0x20014020 = 0xe;
    *(uint32_t*)0x20014024 = 4;
    *(uint32_t*)0x20014028 = 0x280;
    memcpy((void*)0x2001402c, hook_offsets, sizeof(hook_offsets));
    memcpy((void*)0x20014040, hook_offsets, sizeof(hook_offsets));
    *(uint32_t*)0x20014054 = 4;
    *(uint64_t*)0x20014058 = 0x20012fc0;

    /* Entry 0 at 0x20014060: all-zero match, unnamed target, word 0xfffffffe. */
    memset((void*)0x20014060, 0, 0x30);
    write_entry_tail(0x20014060, 0x98, 0x28,
                     "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
                     "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
                     "\x00\x00\x00\x00\x00");
    *(uint32_t*)0x200140f0 = 0xfffffffe;

    /* Entry 1 at 0x200140f8: interface name "ip6_vti0", target "LED". */
    memcpy((void*)0x200140f8, net_prefix, sizeof(net_prefix));
    *(uint32_t*)0x200140fc = htobe32(-1);
    *(uint32_t*)0x20014100 = htobe32(0);
    *(uint32_t*)0x20014104 = htobe32(0);
    memcpy((void*)0x20014108,
           "\x69\x70\x36\x5f\x76\x74\x69\x30\x00\x00\x00\x00\x00\x00\x00\x00",
           16);
    memcpy((void*)0x20014118, syz_prefix, sizeof(syz_prefix));
    write_entry_tail(0x200140f8, 0xb8, 0x48,
                     "\x4c\x45\x44\x00\x00\x00\x00\x00\x00\x00\x00\x00"
                     "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
                     "\x00\x00\x00\x00\x00");
    /* LED target payload: 27-byte id "syz0", a zero byte, led_word, then 2. */
    memcpy((void*)0x20014188, "\x73\x79\x7a\x30\x00\x00\x00\x00\x00\x00\x00\x00"
                              "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
                              "\x00\x00\x00",
           27);
    *(uint8_t*)0x200141a3 = 0;
    *(uint32_t*)0x200141a4 = led_word;
    *(uint64_t*)0x200141a8 = 2;

    /* Entry 2 at 0x200141b0: 16 arbitrary interface bytes, target "REJECT". */
    memcpy((void*)0x200141b0, net_prefix, sizeof(net_prefix));
    *(uint32_t*)0x200141b4 = htobe32(0xe0000001);
    *(uint32_t*)0x200141b8 = htobe32(0);
    *(uint32_t*)0x200141bc = htobe32(0);
    memcpy((void*)0x200141c0,
           "\x6b\xd6\xd4\x48\x45\x73\x6f\x88\x9e\xc1\xcf\x4c\x41\xf2\xaf\xfa",
           16);
    memcpy((void*)0x200141d0, syz_prefix, sizeof(syz_prefix));
    write_entry_tail(0x200141b0, 0x98, 0x28,
                     "\x52\x45\x4a\x45\x43\x54\x00\x00\x00\x00\x00\x00"
                     "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
                     "\x00\x00\x00\x00\x00");
    *(uint32_t*)0x20014240 = 0;

    /* Entry 3 at 0x20014248: interface name "ifb0", target "REJECT". */
    *(uint32_t*)0x20014248 = htobe32(0xe0000002);
    *(uint32_t*)0x2001424c = htobe32(0x7f000001);
    *(uint32_t*)0x20014250 = htobe32(0);
    *(uint32_t*)0x20014254 = htobe32(0);
    memcpy((void*)0x20014258,
           "\x69\x66\x62\x30\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00",
           16);
    memcpy((void*)0x20014268, syz_prefix, sizeof(syz_prefix));
    write_entry_tail(0x20014248, 0x98, 0x28,
                     "\x52\x45\x4a\x45\x43\x54\x00\x00\x00\x00\x00\x00"
                     "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
                     "\x00\x00\x00\x00\x00");
    *(uint32_t*)0x200142d8 = 0;

    /* Counter buffer named by the header: four zeroed 16-byte records. */
    memset((void*)0x20012fc0, 0, 64);
}

/*
 * Body of the reproducer for the report named in the file header.
 *
 * Maps 0x18000 bytes of anonymous read/write memory at the fixed address
 * 0x20000000, then twice opens an AF_INET stream socket (type 0x80001) and
 * submits a "filter" table replacement with setsockopt(level 0, option 0x40,
 * which equals IPT_SO_SET_REPLACE above). The two requests are identical
 * except for the word passed to write_filter_replace(): 0, then 0x80000000.
 * None of the syscall results are checked.
 */
void test()
{
    memset(r, -1, sizeof(r));
    syscall(__NR_mmap, 0x20000000, 0x18000, 3, 0x32, -1, 0);

    r[0] = syscall(__NR_socket, 2, 0x80001, 0);
    write_filter_replace(0);
    syscall(__NR_setsockopt, r[0], 0, 0x40, 0x20014000, 0x2e0);

    r[1] = syscall(__NR_socket, 2, 0x80001, 0);
    write_filter_replace(0x80000000);
    syscall(__NR_setsockopt, r[1], 0, 0x40, 0x20014000, 0x2e0);
}
| |
/* Entry point: keep calling loop(), which itself iterates indefinitely. */
int main()
{
    while (1) {
        loop();
    }
}