| // KASAN: use-after-free Read in rds_cong_queue_updates |
| // https://syzkaller.appspot.com/bug?id=f4ef381349e100280193c25f24e01d9d364132d9 |
| // status:fixed |
| // autogenerated by syzkaller (http://github.com/google/syzkaller) |
| |
| #define _GNU_SOURCE |
| #include <arpa/inet.h> |
| #include <dirent.h> |
| #include <endian.h> |
| #include <errno.h> |
| #include <errno.h> |
| #include <errno.h> |
| #include <errno.h> |
| #include <fcntl.h> |
| #include <fcntl.h> |
| #include <linux/futex.h> |
| #include <linux/if.h> |
| #include <linux/if_ether.h> |
| #include <linux/if_tun.h> |
| #include <linux/ip.h> |
| #include <linux/net.h> |
| #include <linux/tcp.h> |
| #include <net/if_arp.h> |
| #include <netinet/in.h> |
| #include <pthread.h> |
| #include <sched.h> |
| #include <signal.h> |
| #include <signal.h> |
| #include <stdarg.h> |
| #include <stdarg.h> |
| #include <stdarg.h> |
| #include <stdbool.h> |
| #include <stdbool.h> |
| #include <stdio.h> |
| #include <stdio.h> |
| #include <stdio.h> |
| #include <stdlib.h> |
| #include <stdlib.h> |
| #include <sys/ioctl.h> |
| #include <sys/mount.h> |
| #include <sys/mount.h> |
| #include <sys/prctl.h> |
| #include <sys/prctl.h> |
| #include <sys/resource.h> |
| #include <sys/socket.h> |
| #include <sys/stat.h> |
| #include <sys/stat.h> |
| #include <sys/syscall.h> |
| #include <sys/time.h> |
| #include <sys/time.h> |
| #include <sys/types.h> |
| #include <sys/uio.h> |
| #include <sys/wait.h> |
| #include <sys/wait.h> |
| #include <time.h> |
| #include <unistd.h> |
| |
| __attribute__((noreturn)) static void doexit(int status) |
| { |
| volatile unsigned i; |
| syscall(__NR_exit_group, status); |
| for (i = 0;; i++) { |
| } |
| } |
| #include <errno.h> |
| #include <setjmp.h> |
| #include <signal.h> |
| #include <stdarg.h> |
| #include <stdint.h> |
| #include <stdio.h> |
| #include <stdlib.h> |
| #include <string.h> |
| #include <string.h> |
| #include <sys/stat.h> |
| |
| const int kFailStatus = 67; |
| const int kRetryStatus = 69; |
| |
| static void fail(const char* msg, ...) |
| { |
| int e = errno; |
| va_list args; |
| va_start(args, msg); |
| vfprintf(stderr, msg, args); |
| va_end(args); |
| fprintf(stderr, " (errno %d)\n", e); |
| doexit((e == ENOMEM || e == EAGAIN) ? kRetryStatus : kFailStatus); |
| } |
| |
| static void exitf(const char* msg, ...) |
| { |
| int e = errno; |
| va_list args; |
| va_start(args, msg); |
| vfprintf(stderr, msg, args); |
| va_end(args); |
| fprintf(stderr, " (errno %d)\n", e); |
| doexit(kRetryStatus); |
| } |
| |
| static __thread int skip_segv; |
| static __thread jmp_buf segv_env; |
| |
| static void segv_handler(int sig, siginfo_t* info, void* uctx) |
| { |
| uintptr_t addr = (uintptr_t)info->si_addr; |
| const uintptr_t prog_start = 1 << 20; |
| const uintptr_t prog_end = 100 << 20; |
| if (__atomic_load_n(&skip_segv, __ATOMIC_RELAXED) && |
| (addr < prog_start || addr > prog_end)) { |
| _longjmp(segv_env, 1); |
| } |
| doexit(sig); |
| } |
| |
| static void install_segv_handler() |
| { |
| struct sigaction sa; |
| |
| memset(&sa, 0, sizeof(sa)); |
| sa.sa_handler = SIG_IGN; |
| syscall(SYS_rt_sigaction, 0x20, &sa, NULL, 8); |
| syscall(SYS_rt_sigaction, 0x21, &sa, NULL, 8); |
| |
| memset(&sa, 0, sizeof(sa)); |
| sa.sa_sigaction = segv_handler; |
| sa.sa_flags = SA_NODEFER | SA_SIGINFO; |
| sigaction(SIGSEGV, &sa, NULL); |
| sigaction(SIGBUS, &sa, NULL); |
| } |
| |
| #define NONFAILING(...) \ |
| { \ |
| __atomic_fetch_add(&skip_segv, 1, __ATOMIC_SEQ_CST); \ |
| if (_setjmp(segv_env) == 0) { \ |
| __VA_ARGS__; \ |
| } \ |
| __atomic_fetch_sub(&skip_segv, 1, __ATOMIC_SEQ_CST); \ |
| } |
| |
| static uint64_t current_time_ms() |
| { |
| struct timespec ts; |
| |
| if (clock_gettime(CLOCK_MONOTONIC, &ts)) |
| fail("clock_gettime failed"); |
| return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; |
| } |
| |
| static void use_temporary_dir() |
| { |
| char tmpdir_template[] = "./syzkaller.XXXXXX"; |
| char* tmpdir = mkdtemp(tmpdir_template); |
| if (!tmpdir) |
| fail("failed to mkdtemp"); |
| if (chmod(tmpdir, 0777)) |
| fail("failed to chmod"); |
| if (chdir(tmpdir)) |
| fail("failed to chdir"); |
| } |
| |
| static void vsnprintf_check(char* str, size_t size, const char* format, |
| va_list args) |
| { |
| int rv; |
| |
| rv = vsnprintf(str, size, format, args); |
| if (rv < 0) |
| fail("tun: snprintf failed"); |
| if ((size_t)rv >= size) |
| fail("tun: string '%s...' doesn't fit into buffer", str); |
| } |
| |
| #define COMMAND_MAX_LEN 128 |
| #define PATH_PREFIX \ |
| "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin " |
| #define PATH_PREFIX_LEN (sizeof(PATH_PREFIX) - 1) |
| |
| static void execute_command(bool panic, const char* format, ...) |
| { |
| va_list args; |
| char command[PATH_PREFIX_LEN + COMMAND_MAX_LEN]; |
| int rv; |
| |
| va_start(args, format); |
| memcpy(command, PATH_PREFIX, PATH_PREFIX_LEN); |
| vsnprintf_check(command + PATH_PREFIX_LEN, COMMAND_MAX_LEN, format, args); |
| va_end(args); |
| rv = system(command); |
| if (rv) { |
| if (panic) |
| fail("command '%s' failed: %d", &command[0], rv); |
| } |
| } |
| |
| static int tunfd = -1; |
| static int tun_frags_enabled; |
| |
| #define SYZ_TUN_MAX_PACKET_SIZE 1000 |
| |
| #define TUN_IFACE "syz_tun" |
| |
| #define LOCAL_MAC "aa:aa:aa:aa:aa:aa" |
| #define REMOTE_MAC "aa:aa:aa:aa:aa:bb" |
| |
| #define LOCAL_IPV4 "172.20.20.170" |
| #define REMOTE_IPV4 "172.20.20.187" |
| |
| #define LOCAL_IPV6 "fe80::aa" |
| #define REMOTE_IPV6 "fe80::bb" |
| |
| #define IFF_NAPI 0x0010 |
| #define IFF_NAPI_FRAGS 0x0020 |
| |
| static void initialize_tun(void) |
| { |
| tunfd = open("/dev/net/tun", O_RDWR | O_NONBLOCK); |
| if (tunfd == -1) { |
| printf("tun: can't open /dev/net/tun: please enable CONFIG_TUN=y\n"); |
| printf("otherwise fuzzing or reproducing might not work as intended\n"); |
| return; |
| } |
| const int kTunFd = 252; |
| if (dup2(tunfd, kTunFd) < 0) |
| fail("dup2(tunfd, kTunFd) failed"); |
| close(tunfd); |
| tunfd = kTunFd; |
| |
| struct ifreq ifr; |
| memset(&ifr, 0, sizeof(ifr)); |
| strncpy(ifr.ifr_name, TUN_IFACE, IFNAMSIZ); |
| ifr.ifr_flags = IFF_TAP | IFF_NO_PI | IFF_NAPI | IFF_NAPI_FRAGS; |
| if (ioctl(tunfd, TUNSETIFF, (void*)&ifr) < 0) { |
| ifr.ifr_flags = IFF_TAP | IFF_NO_PI; |
| if (ioctl(tunfd, TUNSETIFF, (void*)&ifr) < 0) |
| fail("tun: ioctl(TUNSETIFF) failed"); |
| } |
| if (ioctl(tunfd, TUNGETIFF, (void*)&ifr) < 0) |
| fail("tun: ioctl(TUNGETIFF) failed"); |
| tun_frags_enabled = (ifr.ifr_flags & IFF_NAPI_FRAGS) != 0; |
| |
| execute_command(1, "sysctl -w net.ipv6.conf.%s.accept_dad=0", TUN_IFACE); |
| |
| execute_command(1, "sysctl -w net.ipv6.conf.%s.router_solicitations=0", |
| TUN_IFACE); |
| |
| execute_command(1, "ip link set dev %s address %s", TUN_IFACE, LOCAL_MAC); |
| execute_command(1, "ip addr add %s/24 dev %s", LOCAL_IPV4, TUN_IFACE); |
| execute_command(1, "ip -6 addr add %s/120 dev %s", LOCAL_IPV6, TUN_IFACE); |
| execute_command(1, "ip neigh add %s lladdr %s dev %s nud permanent", |
| REMOTE_IPV4, REMOTE_MAC, TUN_IFACE); |
| execute_command(1, "ip -6 neigh add %s lladdr %s dev %s nud permanent", |
| REMOTE_IPV6, REMOTE_MAC, TUN_IFACE); |
| execute_command(1, "ip link set dev %s up", TUN_IFACE); |
| } |
| |
| #define DEV_IPV4 "172.20.20.%d" |
| #define DEV_IPV6 "fe80::%02hx" |
| #define DEV_MAC "aa:aa:aa:aa:aa:%02hx" |
| |
| static void snprintf_check(char* str, size_t size, const char* format, ...) |
| { |
| va_list args; |
| |
| va_start(args, format); |
| vsnprintf_check(str, size, format, args); |
| va_end(args); |
| } |
| |
| static void initialize_netdevices(void) |
| { |
| unsigned i; |
| const char* devtypes[] = {"ip6gretap", "bridge", "vcan", "bond", "team"}; |
| const char* devnames[] = {"lo", |
| "sit0", |
| "bridge0", |
| "vcan0", |
| "tunl0", |
| "gre0", |
| "gretap0", |
| "ip_vti0", |
| "ip6_vti0", |
| "ip6tnl0", |
| "ip6gre0", |
| "ip6gretap0", |
| "erspan0", |
| "bond0", |
| "veth0", |
| "veth1", |
| "team0", |
| "veth0_to_bridge", |
| "veth1_to_bridge", |
| "veth0_to_bond", |
| "veth1_to_bond", |
| "veth0_to_team", |
| "veth1_to_team"}; |
| const char* devmasters[] = {"bridge", "bond", "team"}; |
| |
| for (i = 0; i < sizeof(devtypes) / (sizeof(devtypes[0])); i++) |
| execute_command(0, "ip link add dev %s0 type %s", devtypes[i], devtypes[i]); |
| execute_command(0, "ip link add type veth"); |
| |
| for (i = 0; i < sizeof(devmasters) / (sizeof(devmasters[0])); i++) { |
| execute_command( |
| 0, "ip link add name %s_slave_0 type veth peer name veth0_to_%s", |
| devmasters[i], devmasters[i]); |
| execute_command( |
| 0, "ip link add name %s_slave_1 type veth peer name veth1_to_%s", |
| devmasters[i], devmasters[i]); |
| execute_command(0, "ip link set %s_slave_0 master %s0", devmasters[i], |
| devmasters[i]); |
| execute_command(0, "ip link set %s_slave_1 master %s0", devmasters[i], |
| devmasters[i]); |
| execute_command(0, "ip link set veth0_to_%s up", devmasters[i]); |
| execute_command(0, "ip link set veth1_to_%s up", devmasters[i]); |
| } |
| execute_command(0, "ip link set bridge_slave_0 up"); |
| execute_command(0, "ip link set bridge_slave_1 up"); |
| |
| for (i = 0; i < sizeof(devnames) / (sizeof(devnames[0])); i++) { |
| char addr[32]; |
| snprintf_check(addr, sizeof(addr), DEV_IPV4, i + 10); |
| execute_command(0, "ip -4 addr add %s/24 dev %s", addr, devnames[i]); |
| snprintf_check(addr, sizeof(addr), DEV_IPV6, i + 10); |
| execute_command(0, "ip -6 addr add %s/120 dev %s", addr, devnames[i]); |
| snprintf_check(addr, sizeof(addr), DEV_MAC, i + 10); |
| execute_command(0, "ip link set dev %s address %s", devnames[i], addr); |
| execute_command(0, "ip link set dev %s up", devnames[i]); |
| } |
| } |
| |
| static int read_tun(char* data, int size) |
| { |
| if (tunfd < 0) |
| return -1; |
| |
| int rv = read(tunfd, data, size); |
| if (rv < 0) { |
| if (errno == EAGAIN) |
| return -1; |
| if (errno == EBADFD) |
| return -1; |
| fail("tun: read failed with %d", rv); |
| } |
| return rv; |
| } |
| |
| #define MAX_FRAGS 4 |
| struct vnet_fragmentation { |
| uint32_t full; |
| uint32_t count; |
| uint32_t frags[MAX_FRAGS]; |
| }; |
| |
| static uintptr_t syz_emit_ethernet(uintptr_t a0, uintptr_t a1, uintptr_t a2) |
| { |
| if (tunfd < 0) |
| return (uintptr_t)-1; |
| |
| uint32_t length = a0; |
| char* data = (char*)a1; |
| |
| struct vnet_fragmentation* frags = (struct vnet_fragmentation*)a2; |
| struct iovec vecs[MAX_FRAGS + 1]; |
| uint32_t nfrags = 0; |
| if (!tun_frags_enabled || frags == NULL) { |
| vecs[nfrags].iov_base = data; |
| vecs[nfrags].iov_len = length; |
| nfrags++; |
| } else { |
| bool full = true; |
| uint32_t i, count = 0; |
| NONFAILING(full = frags->full); |
| NONFAILING(count = frags->count); |
| if (count > MAX_FRAGS) |
| count = MAX_FRAGS; |
| for (i = 0; i < count && length != 0; i++) { |
| uint32_t size = 0; |
| NONFAILING(size = frags->frags[i]); |
| if (size > length) |
| size = length; |
| vecs[nfrags].iov_base = data; |
| vecs[nfrags].iov_len = size; |
| nfrags++; |
| data += size; |
| length -= size; |
| } |
| if (length != 0 && (full || nfrags == 0)) { |
| vecs[nfrags].iov_base = data; |
| vecs[nfrags].iov_len = length; |
| nfrags++; |
| } |
| } |
| return writev(tunfd, vecs, nfrags); |
| } |
| |
| static void flush_tun() |
| { |
| char data[SYZ_TUN_MAX_PACKET_SIZE]; |
| while (read_tun(&data[0], sizeof(data)) != -1) |
| ; |
| } |
| |
| struct ipv6hdr { |
| __u8 priority : 4, version : 4; |
| __u8 flow_lbl[3]; |
| |
| __be16 payload_len; |
| __u8 nexthdr; |
| __u8 hop_limit; |
| |
| struct in6_addr saddr; |
| struct in6_addr daddr; |
| }; |
| |
| struct tcp_resources { |
| uint32_t seq; |
| uint32_t ack; |
| }; |
| |
| static uintptr_t syz_extract_tcp_res(uintptr_t a0, uintptr_t a1, uintptr_t a2) |
| { |
| |
| if (tunfd < 0) |
| return (uintptr_t)-1; |
| |
| char data[SYZ_TUN_MAX_PACKET_SIZE]; |
| int rv = read_tun(&data[0], sizeof(data)); |
| if (rv == -1) |
| return (uintptr_t)-1; |
| size_t length = rv; |
| |
| struct tcphdr* tcphdr; |
| |
| if (length < sizeof(struct ethhdr)) |
| return (uintptr_t)-1; |
| struct ethhdr* ethhdr = (struct ethhdr*)&data[0]; |
| |
| if (ethhdr->h_proto == htons(ETH_P_IP)) { |
| if (length < sizeof(struct ethhdr) + sizeof(struct iphdr)) |
| return (uintptr_t)-1; |
| struct iphdr* iphdr = (struct iphdr*)&data[sizeof(struct ethhdr)]; |
| if (iphdr->protocol != IPPROTO_TCP) |
| return (uintptr_t)-1; |
| if (length < sizeof(struct ethhdr) + iphdr->ihl * 4 + sizeof(struct tcphdr)) |
| return (uintptr_t)-1; |
| tcphdr = (struct tcphdr*)&data[sizeof(struct ethhdr) + iphdr->ihl * 4]; |
| } else { |
| if (length < sizeof(struct ethhdr) + sizeof(struct ipv6hdr)) |
| return (uintptr_t)-1; |
| struct ipv6hdr* ipv6hdr = (struct ipv6hdr*)&data[sizeof(struct ethhdr)]; |
| if (ipv6hdr->nexthdr != IPPROTO_TCP) |
| return (uintptr_t)-1; |
| if (length < |
| sizeof(struct ethhdr) + sizeof(struct ipv6hdr) + sizeof(struct tcphdr)) |
| return (uintptr_t)-1; |
| tcphdr = |
| (struct tcphdr*)&data[sizeof(struct ethhdr) + sizeof(struct ipv6hdr)]; |
| } |
| |
| struct tcp_resources* res = (struct tcp_resources*)a0; |
| NONFAILING(res->seq = htonl((ntohl(tcphdr->seq) + (uint32_t)a1))); |
| NONFAILING(res->ack = htonl((ntohl(tcphdr->ack_seq) + (uint32_t)a2))); |
| |
| return 0; |
| } |
| |
| static bool write_file(const char* file, const char* what, ...) |
| { |
| char buf[1024]; |
| va_list args; |
| va_start(args, what); |
| vsnprintf(buf, sizeof(buf), what, args); |
| va_end(args); |
| buf[sizeof(buf) - 1] = 0; |
| int len = strlen(buf); |
| |
| int fd = open(file, O_WRONLY | O_CLOEXEC); |
| if (fd == -1) |
| return false; |
| if (write(fd, buf, len) != len) { |
| int err = errno; |
| close(fd); |
| errno = err; |
| return false; |
| } |
| close(fd); |
| return true; |
| } |
| |
| static void setup_cgroups() |
| { |
| if (mkdir("/syzcgroup", 0777)) { |
| } |
| if (mkdir("/syzcgroup/unified", 0777)) { |
| } |
| if (mount("none", "/syzcgroup/unified", "cgroup2", 0, NULL)) { |
| } |
| if (chmod("/syzcgroup/unified", 0777)) { |
| } |
| if (!write_file("/syzcgroup/unified/cgroup.subtree_control", |
| "+cpu +memory +io +pids +rdma")) { |
| } |
| if (mkdir("/syzcgroup/cpu", 0777)) { |
| } |
| if (mount("none", "/syzcgroup/cpu", "cgroup", 0, |
| "cpuset,cpuacct,perf_event,hugetlb")) { |
| } |
| if (!write_file("/syzcgroup/cpu/cgroup.clone_children", "1")) { |
| } |
| if (chmod("/syzcgroup/cpu", 0777)) { |
| } |
| if (mkdir("/syzcgroup/net", 0777)) { |
| } |
| if (mount("none", "/syzcgroup/net", "cgroup", 0, |
| "net_cls,net_prio,devices,freezer")) { |
| } |
| if (chmod("/syzcgroup/net", 0777)) { |
| } |
| } |
| |
| static void setup_binfmt_misc() |
| { |
| if (!write_file("/proc/sys/fs/binfmt_misc/register", |
| ":syz0:M:0:syz0::./file0:")) { |
| } |
| if (!write_file("/proc/sys/fs/binfmt_misc/register", |
| ":syz1:M:1:yz1::./file0:POC")) { |
| } |
| } |
| |
| static void loop(); |
| |
| static void sandbox_common() |
| { |
| prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); |
| setpgrp(); |
| setsid(); |
| |
| struct rlimit rlim; |
| rlim.rlim_cur = rlim.rlim_max = 160 << 20; |
| setrlimit(RLIMIT_AS, &rlim); |
| rlim.rlim_cur = rlim.rlim_max = 8 << 20; |
| setrlimit(RLIMIT_MEMLOCK, &rlim); |
| rlim.rlim_cur = rlim.rlim_max = 136 << 20; |
| setrlimit(RLIMIT_FSIZE, &rlim); |
| rlim.rlim_cur = rlim.rlim_max = 1 << 20; |
| setrlimit(RLIMIT_STACK, &rlim); |
| rlim.rlim_cur = rlim.rlim_max = 0; |
| setrlimit(RLIMIT_CORE, &rlim); |
| |
| if (unshare(CLONE_NEWNS)) { |
| } |
| if (unshare(CLONE_NEWIPC)) { |
| } |
| if (unshare(0x02000000)) { |
| } |
| if (unshare(CLONE_NEWUTS)) { |
| } |
| if (unshare(CLONE_SYSVSEM)) { |
| } |
| } |
| |
| static int do_sandbox_none(void) |
| { |
| if (unshare(CLONE_NEWPID)) { |
| } |
| int pid = fork(); |
| if (pid < 0) |
| fail("sandbox fork failed"); |
| if (pid) |
| return pid; |
| |
| setup_cgroups(); |
| setup_binfmt_misc(); |
| sandbox_common(); |
| if (unshare(CLONE_NEWNET)) { |
| } |
| initialize_tun(); |
| initialize_netdevices(); |
| loop(); |
| doexit(1); |
| } |
| |
| #define XT_TABLE_SIZE 1536 |
| #define XT_MAX_ENTRIES 10 |
| |
| struct xt_counters { |
| uint64_t pcnt, bcnt; |
| }; |
| |
| struct ipt_getinfo { |
| char name[32]; |
| unsigned int valid_hooks; |
| unsigned int hook_entry[5]; |
| unsigned int underflow[5]; |
| unsigned int num_entries; |
| unsigned int size; |
| }; |
| |
| struct ipt_get_entries { |
| char name[32]; |
| unsigned int size; |
| void* entrytable[XT_TABLE_SIZE / sizeof(void*)]; |
| }; |
| |
| struct ipt_replace { |
| char name[32]; |
| unsigned int valid_hooks; |
| unsigned int num_entries; |
| unsigned int size; |
| unsigned int hook_entry[5]; |
| unsigned int underflow[5]; |
| unsigned int num_counters; |
| struct xt_counters* counters; |
| char entrytable[XT_TABLE_SIZE]; |
| }; |
| |
| struct ipt_table_desc { |
| const char* name; |
| struct ipt_getinfo info; |
| struct ipt_replace replace; |
| }; |
| |
| static struct ipt_table_desc ipv4_tables[] = { |
| {.name = "filter"}, {.name = "nat"}, {.name = "mangle"}, |
| {.name = "raw"}, {.name = "security"}, |
| }; |
| |
| static struct ipt_table_desc ipv6_tables[] = { |
| {.name = "filter"}, {.name = "nat"}, {.name = "mangle"}, |
| {.name = "raw"}, {.name = "security"}, |
| }; |
| |
| #define IPT_BASE_CTL 64 |
| #define IPT_SO_SET_REPLACE (IPT_BASE_CTL) |
| #define IPT_SO_GET_INFO (IPT_BASE_CTL) |
| #define IPT_SO_GET_ENTRIES (IPT_BASE_CTL + 1) |
| |
| struct arpt_getinfo { |
| char name[32]; |
| unsigned int valid_hooks; |
| unsigned int hook_entry[3]; |
| unsigned int underflow[3]; |
| unsigned int num_entries; |
| unsigned int size; |
| }; |
| |
| struct arpt_get_entries { |
| char name[32]; |
| unsigned int size; |
| void* entrytable[XT_TABLE_SIZE / sizeof(void*)]; |
| }; |
| |
| struct arpt_replace { |
| char name[32]; |
| unsigned int valid_hooks; |
| unsigned int num_entries; |
| unsigned int size; |
| unsigned int hook_entry[3]; |
| unsigned int underflow[3]; |
| unsigned int num_counters; |
| struct xt_counters* counters; |
| char entrytable[XT_TABLE_SIZE]; |
| }; |
| |
| struct arpt_table_desc { |
| const char* name; |
| struct arpt_getinfo info; |
| struct arpt_replace replace; |
| }; |
| |
| static struct arpt_table_desc arpt_tables[] = { |
| {.name = "filter"}, |
| }; |
| |
| #define ARPT_BASE_CTL 96 |
| #define ARPT_SO_SET_REPLACE (ARPT_BASE_CTL) |
| #define ARPT_SO_GET_INFO (ARPT_BASE_CTL) |
| #define ARPT_SO_GET_ENTRIES (ARPT_BASE_CTL + 1) |
| |
| static void checkpoint_iptables(struct ipt_table_desc* tables, int num_tables, |
| int family, int level) |
| { |
| struct ipt_get_entries entries; |
| socklen_t optlen; |
| int fd, i; |
| |
| fd = socket(family, SOCK_STREAM, IPPROTO_TCP); |
| if (fd == -1) { |
| switch (errno) { |
| case EAFNOSUPPORT: |
| case ENOPROTOOPT: |
| return; |
| } |
| fail("socket(%d, SOCK_STREAM, IPPROTO_TCP)", family); |
| } |
| for (i = 0; i < num_tables; i++) { |
| struct ipt_table_desc* table = &tables[i]; |
| strcpy(table->info.name, table->name); |
| strcpy(table->replace.name, table->name); |
| optlen = sizeof(table->info); |
| if (getsockopt(fd, level, IPT_SO_GET_INFO, &table->info, &optlen)) { |
| switch (errno) { |
| case EPERM: |
| case ENOENT: |
| case ENOPROTOOPT: |
| continue; |
| } |
| fail("getsockopt(IPT_SO_GET_INFO)"); |
| } |
| if (table->info.size > sizeof(table->replace.entrytable)) |
| fail("table size is too large: %u", table->info.size); |
| if (table->info.num_entries > XT_MAX_ENTRIES) |
| fail("too many counters: %u", table->info.num_entries); |
| memset(&entries, 0, sizeof(entries)); |
| strcpy(entries.name, table->name); |
| entries.size = table->info.size; |
| optlen = sizeof(entries) - sizeof(entries.entrytable) + table->info.size; |
| if (getsockopt(fd, level, IPT_SO_GET_ENTRIES, &entries, &optlen)) |
| fail("getsockopt(IPT_SO_GET_ENTRIES)"); |
| table->replace.valid_hooks = table->info.valid_hooks; |
| table->replace.num_entries = table->info.num_entries; |
| table->replace.size = table->info.size; |
| memcpy(table->replace.hook_entry, table->info.hook_entry, |
| sizeof(table->replace.hook_entry)); |
| memcpy(table->replace.underflow, table->info.underflow, |
| sizeof(table->replace.underflow)); |
| memcpy(table->replace.entrytable, entries.entrytable, table->info.size); |
| } |
| close(fd); |
| } |
| |
| static void reset_iptables(struct ipt_table_desc* tables, int num_tables, |
| int family, int level) |
| { |
| struct xt_counters counters[XT_MAX_ENTRIES]; |
| struct ipt_get_entries entries; |
| struct ipt_getinfo info; |
| socklen_t optlen; |
| int fd, i; |
| |
| fd = socket(family, SOCK_STREAM, IPPROTO_TCP); |
| if (fd == -1) { |
| switch (errno) { |
| case EAFNOSUPPORT: |
| case ENOPROTOOPT: |
| return; |
| } |
| fail("socket(%d, SOCK_STREAM, IPPROTO_TCP)", family); |
| } |
| for (i = 0; i < num_tables; i++) { |
| struct ipt_table_desc* table = &tables[i]; |
| if (table->info.valid_hooks == 0) |
| continue; |
| memset(&info, 0, sizeof(info)); |
| strcpy(info.name, table->name); |
| optlen = sizeof(info); |
| if (getsockopt(fd, level, IPT_SO_GET_INFO, &info, &optlen)) |
| fail("getsockopt(IPT_SO_GET_INFO)"); |
| if (memcmp(&table->info, &info, sizeof(table->info)) == 0) { |
| memset(&entries, 0, sizeof(entries)); |
| strcpy(entries.name, table->name); |
| entries.size = table->info.size; |
| optlen = sizeof(entries) - sizeof(entries.entrytable) + entries.size; |
| if (getsockopt(fd, level, IPT_SO_GET_ENTRIES, &entries, &optlen)) |
| fail("getsockopt(IPT_SO_GET_ENTRIES)"); |
| if (memcmp(table->replace.entrytable, entries.entrytable, |
| table->info.size) == 0) |
| continue; |
| } |
| table->replace.num_counters = info.num_entries; |
| table->replace.counters = counters; |
| optlen = sizeof(table->replace) - sizeof(table->replace.entrytable) + |
| table->replace.size; |
| if (setsockopt(fd, level, IPT_SO_SET_REPLACE, &table->replace, optlen)) |
| fail("setsockopt(IPT_SO_SET_REPLACE)"); |
| } |
| close(fd); |
| } |
| |
| static void checkpoint_arptables(void) |
| { |
| struct arpt_get_entries entries; |
| socklen_t optlen; |
| unsigned i; |
| int fd; |
| |
| fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); |
| if (fd == -1) |
| fail("socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)"); |
| for (i = 0; i < sizeof(arpt_tables) / sizeof(arpt_tables[0]); i++) { |
| struct arpt_table_desc* table = &arpt_tables[i]; |
| strcpy(table->info.name, table->name); |
| strcpy(table->replace.name, table->name); |
| optlen = sizeof(table->info); |
| if (getsockopt(fd, SOL_IP, ARPT_SO_GET_INFO, &table->info, &optlen)) { |
| switch (errno) { |
| case EPERM: |
| case ENOENT: |
| case ENOPROTOOPT: |
| continue; |
| } |
| fail("getsockopt(ARPT_SO_GET_INFO)"); |
| } |
| if (table->info.size > sizeof(table->replace.entrytable)) |
| fail("table size is too large: %u", table->info.size); |
| if (table->info.num_entries > XT_MAX_ENTRIES) |
| fail("too many counters: %u", table->info.num_entries); |
| memset(&entries, 0, sizeof(entries)); |
| strcpy(entries.name, table->name); |
| entries.size = table->info.size; |
| optlen = sizeof(entries) - sizeof(entries.entrytable) + table->info.size; |
| if (getsockopt(fd, SOL_IP, ARPT_SO_GET_ENTRIES, &entries, &optlen)) |
| fail("getsockopt(ARPT_SO_GET_ENTRIES)"); |
| table->replace.valid_hooks = table->info.valid_hooks; |
| table->replace.num_entries = table->info.num_entries; |
| table->replace.size = table->info.size; |
| memcpy(table->replace.hook_entry, table->info.hook_entry, |
| sizeof(table->replace.hook_entry)); |
| memcpy(table->replace.underflow, table->info.underflow, |
| sizeof(table->replace.underflow)); |
| memcpy(table->replace.entrytable, entries.entrytable, table->info.size); |
| } |
| close(fd); |
| } |
| |
| static void reset_arptables() |
| { |
| struct xt_counters counters[XT_MAX_ENTRIES]; |
| struct arpt_get_entries entries; |
| struct arpt_getinfo info; |
| socklen_t optlen; |
| unsigned i; |
| int fd; |
| |
| fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); |
| if (fd == -1) |
| fail("socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)"); |
| for (i = 0; i < sizeof(arpt_tables) / sizeof(arpt_tables[0]); i++) { |
| struct arpt_table_desc* table = &arpt_tables[i]; |
| if (table->info.valid_hooks == 0) |
| continue; |
| memset(&info, 0, sizeof(info)); |
| strcpy(info.name, table->name); |
| optlen = sizeof(info); |
| if (getsockopt(fd, SOL_IP, ARPT_SO_GET_INFO, &info, &optlen)) |
| fail("getsockopt(ARPT_SO_GET_INFO)"); |
| if (memcmp(&table->info, &info, sizeof(table->info)) == 0) { |
| memset(&entries, 0, sizeof(entries)); |
| strcpy(entries.name, table->name); |
| entries.size = table->info.size; |
| optlen = sizeof(entries) - sizeof(entries.entrytable) + entries.size; |
| if (getsockopt(fd, SOL_IP, ARPT_SO_GET_ENTRIES, &entries, &optlen)) |
| fail("getsockopt(ARPT_SO_GET_ENTRIES)"); |
| if (memcmp(table->replace.entrytable, entries.entrytable, |
| table->info.size) == 0) |
| continue; |
| } |
| table->replace.num_counters = info.num_entries; |
| table->replace.counters = counters; |
| optlen = sizeof(table->replace) - sizeof(table->replace.entrytable) + |
| table->replace.size; |
| if (setsockopt(fd, SOL_IP, ARPT_SO_SET_REPLACE, &table->replace, optlen)) |
| fail("setsockopt(ARPT_SO_SET_REPLACE)"); |
| } |
| close(fd); |
| } |
| #include <linux/if.h> |
| #include <linux/netfilter_bridge/ebtables.h> |
| |
| struct ebt_table_desc { |
| const char* name; |
| struct ebt_replace replace; |
| char entrytable[XT_TABLE_SIZE]; |
| }; |
| |
| static struct ebt_table_desc ebt_tables[] = { |
| {.name = "filter"}, {.name = "nat"}, {.name = "broute"}, |
| }; |
| |
| static void checkpoint_ebtables(void) |
| { |
| socklen_t optlen; |
| unsigned i; |
| int fd; |
| |
| fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); |
| if (fd == -1) |
| fail("socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)"); |
| for (i = 0; i < sizeof(ebt_tables) / sizeof(ebt_tables[0]); i++) { |
| struct ebt_table_desc* table = &ebt_tables[i]; |
| strcpy(table->replace.name, table->name); |
| optlen = sizeof(table->replace); |
| if (getsockopt(fd, SOL_IP, EBT_SO_GET_INIT_INFO, &table->replace, |
| &optlen)) { |
| switch (errno) { |
| case EPERM: |
| case ENOENT: |
| case ENOPROTOOPT: |
| continue; |
| } |
| fail("getsockopt(EBT_SO_GET_INIT_INFO)"); |
| } |
| if (table->replace.entries_size > sizeof(table->entrytable)) |
| fail("table size is too large: %u", table->replace.entries_size); |
| table->replace.num_counters = 0; |
| table->replace.entries = table->entrytable; |
| optlen = sizeof(table->replace) + table->replace.entries_size; |
| if (getsockopt(fd, SOL_IP, EBT_SO_GET_INIT_ENTRIES, &table->replace, |
| &optlen)) |
| fail("getsockopt(EBT_SO_GET_INIT_ENTRIES)"); |
| } |
| close(fd); |
| } |
| |
| static void reset_ebtables() |
| { |
| struct ebt_replace replace; |
| char entrytable[XT_TABLE_SIZE]; |
| socklen_t optlen; |
| unsigned i, j, h; |
| int fd; |
| |
| fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); |
| if (fd == -1) |
| fail("socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)"); |
| for (i = 0; i < sizeof(ebt_tables) / sizeof(ebt_tables[0]); i++) { |
| struct ebt_table_desc* table = &ebt_tables[i]; |
| if (table->replace.valid_hooks == 0) |
| continue; |
| memset(&replace, 0, sizeof(replace)); |
| strcpy(replace.name, table->name); |
| optlen = sizeof(replace); |
| if (getsockopt(fd, SOL_IP, EBT_SO_GET_INFO, &replace, &optlen)) |
| fail("getsockopt(EBT_SO_GET_INFO)"); |
| replace.num_counters = 0; |
| table->replace.entries = 0; |
| for (h = 0; h < NF_BR_NUMHOOKS; h++) |
| table->replace.hook_entry[h] = 0; |
| if (memcmp(&table->replace, &replace, sizeof(table->replace)) == 0) { |
| memset(&entrytable, 0, sizeof(entrytable)); |
| replace.entries = entrytable; |
| optlen = sizeof(replace) + replace.entries_size; |
| if (getsockopt(fd, SOL_IP, EBT_SO_GET_ENTRIES, &replace, &optlen)) |
| fail("getsockopt(EBT_SO_GET_ENTRIES)"); |
| if (memcmp(table->entrytable, entrytable, replace.entries_size) == 0) |
| continue; |
| } |
| for (j = 0, h = 0; h < NF_BR_NUMHOOKS; h++) { |
| if (table->replace.valid_hooks & (1 << h)) { |
| table->replace.hook_entry[h] = |
| (struct ebt_entries*)table->entrytable + j; |
| j++; |
| } |
| } |
| table->replace.entries = table->entrytable; |
| optlen = sizeof(table->replace) + table->replace.entries_size; |
| if (setsockopt(fd, SOL_IP, EBT_SO_SET_ENTRIES, &table->replace, optlen)) |
| fail("setsockopt(EBT_SO_SET_ENTRIES)"); |
| } |
| close(fd); |
| } |
| |
| static void checkpoint_net_namespace(void) |
| { |
| checkpoint_ebtables(); |
| checkpoint_arptables(); |
| checkpoint_iptables(ipv4_tables, sizeof(ipv4_tables) / sizeof(ipv4_tables[0]), |
| AF_INET, SOL_IP); |
| checkpoint_iptables(ipv6_tables, sizeof(ipv6_tables) / sizeof(ipv6_tables[0]), |
| AF_INET6, SOL_IPV6); |
| } |
| |
| static void reset_net_namespace(void) |
| { |
| reset_ebtables(); |
| reset_arptables(); |
| reset_iptables(ipv4_tables, sizeof(ipv4_tables) / sizeof(ipv4_tables[0]), |
| AF_INET, SOL_IP); |
| reset_iptables(ipv6_tables, sizeof(ipv6_tables) / sizeof(ipv6_tables[0]), |
| AF_INET6, SOL_IPV6); |
| } |
| |
| static void remove_dir(const char* dir) |
| { |
| DIR* dp; |
| struct dirent* ep; |
| int iter = 0; |
| retry: |
| while (umount2(dir, MNT_DETACH) == 0) { |
| } |
| dp = opendir(dir); |
| if (dp == NULL) { |
| if (errno == EMFILE) { |
| exitf("opendir(%s) failed due to NOFILE, exiting", dir); |
| } |
| exitf("opendir(%s) failed", dir); |
| } |
| while ((ep = readdir(dp))) { |
| if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0) |
| continue; |
| char filename[FILENAME_MAX]; |
| snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name); |
| struct stat st; |
| if (lstat(filename, &st)) |
| exitf("lstat(%s) failed", filename); |
| if (S_ISDIR(st.st_mode)) { |
| remove_dir(filename); |
| continue; |
| } |
| int i; |
| for (i = 0;; i++) { |
| if (unlink(filename) == 0) |
| break; |
| if (errno == EROFS) { |
| break; |
| } |
| if (errno != EBUSY || i > 100) |
| exitf("unlink(%s) failed", filename); |
| if (umount2(filename, MNT_DETACH)) |
| exitf("umount(%s) failed", filename); |
| } |
| } |
| closedir(dp); |
| int i; |
| for (i = 0;; i++) { |
| if (rmdir(dir) == 0) |
| break; |
| if (i < 100) { |
| if (errno == EROFS) { |
| break; |
| } |
| if (errno == EBUSY) { |
| if (umount2(dir, MNT_DETACH)) |
| exitf("umount(%s) failed", dir); |
| continue; |
| } |
| if (errno == ENOTEMPTY) { |
| if (iter < 100) { |
| iter++; |
| goto retry; |
| } |
| } |
| } |
| exitf("rmdir(%s) failed", dir); |
| } |
| } |
| |
| static void execute_one(); |
| extern unsigned long long procid; |
| |
| static void loop() |
| { |
| checkpoint_net_namespace(); |
| char cgroupdir[64]; |
| snprintf(cgroupdir, sizeof(cgroupdir), "/syzcgroup/unified/syz%llu", procid); |
| char cgroupdir_cpu[64]; |
| snprintf(cgroupdir_cpu, sizeof(cgroupdir_cpu), "/syzcgroup/cpu/syz%llu", |
| procid); |
| char cgroupdir_net[64]; |
| snprintf(cgroupdir_net, sizeof(cgroupdir_net), "/syzcgroup/net/syz%llu", |
| procid); |
| if (mkdir(cgroupdir, 0777)) { |
| } |
| if (mkdir(cgroupdir_cpu, 0777)) { |
| } |
| if (mkdir(cgroupdir_net, 0777)) { |
| } |
| int pid = getpid(); |
| char procs_file[128]; |
| snprintf(procs_file, sizeof(procs_file), "%s/cgroup.procs", cgroupdir); |
| if (!write_file(procs_file, "%d", pid)) { |
| } |
| snprintf(procs_file, sizeof(procs_file), "%s/cgroup.procs", cgroupdir_cpu); |
| if (!write_file(procs_file, "%d", pid)) { |
| } |
| snprintf(procs_file, sizeof(procs_file), "%s/cgroup.procs", cgroupdir_net); |
| if (!write_file(procs_file, "%d", pid)) { |
| } |
| int iter; |
| for (iter = 0;; iter++) { |
| char cwdbuf[32]; |
| sprintf(cwdbuf, "./%d", iter); |
| if (mkdir(cwdbuf, 0777)) |
| fail("failed to mkdir"); |
| int pid = fork(); |
| if (pid < 0) |
| fail("clone failed"); |
| if (pid == 0) { |
| prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); |
| setpgrp(); |
| if (chdir(cwdbuf)) |
| fail("failed to chdir"); |
| if (symlink(cgroupdir, "./cgroup")) { |
| } |
| if (symlink(cgroupdir_cpu, "./cgroup.cpu")) { |
| } |
| if (symlink(cgroupdir_net, "./cgroup.net")) { |
| } |
| flush_tun(); |
| execute_one(); |
| doexit(0); |
| } |
| |
| int status = 0; |
| uint64_t start = current_time_ms(); |
| for (;;) { |
| int res = waitpid(-1, &status, __WALL | WNOHANG); |
| if (res == pid) { |
| break; |
| } |
| usleep(1000); |
| if (current_time_ms() - start < 3 * 1000) |
| continue; |
| kill(-pid, SIGKILL); |
| kill(pid, SIGKILL); |
| while (waitpid(-1, &status, __WALL) != pid) { |
| } |
| break; |
| } |
| remove_dir(cwdbuf); |
| reset_net_namespace(); |
| } |
| } |
| |
| struct thread_t { |
| int created, running, call; |
| pthread_t th; |
| }; |
| |
| static struct thread_t threads[16]; |
| static void execute_call(int call); |
| static int running; |
| static int collide; |
| |
| static void* thr(void* arg) |
| { |
| struct thread_t* th = (struct thread_t*)arg; |
| for (;;) { |
| while (!__atomic_load_n(&th->running, __ATOMIC_ACQUIRE)) |
| syscall(SYS_futex, &th->running, FUTEX_WAIT, 0, 0); |
| execute_call(th->call); |
| __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED); |
| __atomic_store_n(&th->running, 0, __ATOMIC_RELEASE); |
| syscall(SYS_futex, &th->running, FUTEX_WAKE); |
| } |
| return 0; |
| } |
| |
| static void execute(int num_calls) |
| { |
| int call, thread; |
| running = 0; |
| for (call = 0; call < num_calls; call++) { |
| for (thread = 0; thread < sizeof(threads) / sizeof(threads[0]); thread++) { |
| struct thread_t* th = &threads[thread]; |
| if (!th->created) { |
| th->created = 1; |
| pthread_attr_t attr; |
| pthread_attr_init(&attr); |
| pthread_attr_setstacksize(&attr, 128 << 10); |
| pthread_create(&th->th, &attr, thr, th); |
| } |
| if (!__atomic_load_n(&th->running, __ATOMIC_ACQUIRE)) { |
| th->call = call; |
| __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED); |
| __atomic_store_n(&th->running, 1, __ATOMIC_RELEASE); |
| syscall(SYS_futex, &th->running, FUTEX_WAKE); |
| if (collide && call % 2) |
| break; |
| struct timespec ts; |
| ts.tv_sec = 0; |
| ts.tv_nsec = 20 * 1000 * 1000; |
| syscall(SYS_futex, &th->running, FUTEX_WAIT, 1, &ts); |
| if (running) |
| usleep((call == num_calls - 1) ? 10000 : 1000); |
| break; |
| } |
| } |
| } |
| } |
| |
| uint64_t r[26] = {0xffffffffffffffff, |
| 0xffffffffffffffff, |
| 0xffffffffffffffff, |
| 0xffffffffffffffff, |
| 0xffffffffffffffff, |
| 0xffffffffffffffff, |
| 0xffffffffffffffff, |
| 0xffffffffffffffff, |
| 0xffffffffffffffff, |
| 0xffffffffffffffff, |
| 0xffffffffffffffff, |
| 0x0, |
| 0xffffffffffffffff, |
| 0xffffffffffffffff, |
| 0x0, |
| 0xffffffffffffffff, |
| 0xffffffffffffffff, |
| 0xffffffffffffffff, |
| 0xffffffffffffffff, |
| 0xffffffffffffffff, |
| 0xffffffffffffffff, |
| 0xffffffffffffffff, |
| 0xffffffffffffffff, |
| 0xffffffffffffffff, |
| 0x0, |
| 0x0}; |
| unsigned long long procid; |
| void execute_call(int call) |
| { |
| long res; |
| switch (call) { |
| case 0: |
| res = syscall(__NR_socket, 0x40000000015, 5, 0); |
| if (res != -1) |
| r[0] = res; |
| break; |
| case 1: |
| NONFAILING(*(uint32_t*)0x206dbffc = 0); |
| syscall(__NR_setsockopt, r[0], 1, 8, 0x206dbffc, 4); |
| break; |
| case 2: |
| NONFAILING(*(uint16_t*)0x208a5ff0 = 2); |
| NONFAILING(*(uint16_t*)0x208a5ff2 = htobe16(0x4e20)); |
| NONFAILING(*(uint32_t*)0x208a5ff4 = htobe32(0x7f000001)); |
| NONFAILING(*(uint8_t*)0x208a5ff8 = 0); |
| NONFAILING(*(uint8_t*)0x208a5ff9 = 0); |
| NONFAILING(*(uint8_t*)0x208a5ffa = 0); |
| NONFAILING(*(uint8_t*)0x208a5ffb = 0); |
| NONFAILING(*(uint8_t*)0x208a5ffc = 0); |
| NONFAILING(*(uint8_t*)0x208a5ffd = 0); |
| NONFAILING(*(uint8_t*)0x208a5ffe = 0); |
| NONFAILING(*(uint8_t*)0x208a5fff = 0); |
| syscall(__NR_bind, r[0], 0x208a5ff0, 0x10); |
| break; |
| case 3: |
| NONFAILING(memcpy( |
| (void*)0x20f7db7f, |
| "\xba\x67\x13\x68\xd1\x01\x00\x00\x00\x49\x00\x00\x00\x01\x00\x00\x00" |
| "\x01\x8b\xe4\x9e\x93\x01\x44\x28\x65\x31\x99\x97\xd0\xef\xdb\x2f\x54" |
| "\xb6\xa1\x0c\x73\x27\x75\x74\x82\xbf\xce\x94\x5c\x2a\x91\xfb\x8d\xfa" |
| "\xfc\x1d\x3f\x56\xbc\x54\x3a\xb8\x73\x21\xe1\x2c\xca\x08\xa7\x44\xa2" |
| "\xd1\x28\xb0\x06\x34\xbc\x88\x21\x51\xd3\x68\x09\x22\x9a\x96\xbc\x34" |
| "\x37\xef\x15\x94\x89\x38\x4a\xde\x07\x7b\xa2\x95\xea\xc2\x88\x2d\xbf" |
| "\xd3\x78\x1d\xd4\xd4\xe6\x09\xc4\x26\x28\xdb\xb7\x09\xb3\xeb\x1f\xa0" |
| "\x30\x00\x90\x45\xdd\x98\xb9\xe6\xd7\x7b\x6c\xec\x9c\xeb\x68\x55\x95" |
| "\xd4\x39\x95\xe0\xf0\x4c\x32\x26\x09\x43\xad\xd7\x98\x31\xe6\x61\xc6" |
| "\xa3\x51\xde\xdc\x8b\x9d\x22\x0f\xbf\x9f\xb6\xe4\x4f\xb6\xa6\x29\xce" |
| "\x9a\x82\x02\x51\x24\xfe\xc9\xf3\xee\x75\x1f\x7d\xa0\xcd\x7e\x79\x9b" |
| "\xe8\x8d\xdb\xda\xc2\x0b\x48\xe8\x90\xff\x81\xd7\xfa\x28\xc2\xd0\x17" |
| "\xd7\x93\x2f\x25\x69\x03\x87\x40\x46\x1a\xcc\xd4\x58\x2f\x57\x6e\x4f" |
| "\xdb\x61\x50\xa3\x39\x9f\x82\x66\xbc\x19\xeb\x94\x36\x48\xad\x1a\xd8" |
| "\x14\x20\xed\x6c\x38\x24\x36\xe4\x74\x39\x0c\x89\x95\xe8\x29\xe4\xf9" |
| "\xdf\x43", |
| 257)); |
| NONFAILING(*(uint16_t*)0x20000200 = 2); |
| NONFAILING(*(uint16_t*)0x20000202 = htobe16(0x4e20)); |
| NONFAILING(*(uint32_t*)0x20000204 = htobe32(0x7f000001)); |
| NONFAILING(*(uint8_t*)0x20000208 = 0); |
| NONFAILING(*(uint8_t*)0x20000209 = 0); |
| NONFAILING(*(uint8_t*)0x2000020a = 0); |
| NONFAILING(*(uint8_t*)0x2000020b = 0); |
| NONFAILING(*(uint8_t*)0x2000020c = 0); |
| NONFAILING(*(uint8_t*)0x2000020d = 0); |
| NONFAILING(*(uint8_t*)0x2000020e = 0); |
| NONFAILING(*(uint8_t*)0x2000020f = 0); |
| syscall(__NR_sendto, r[0], 0x20f7db7f, 0x101, 0, 0x20000200, 0x10); |
| break; |
| case 4: |
| NONFAILING(*(uint16_t*)0x202b4000 = 2); |
| NONFAILING(*(uint16_t*)0x202b4002 = htobe16(0x4e20)); |
| NONFAILING(*(uint32_t*)0x202b4004 = htobe32(0x7f000001)); |
| NONFAILING(*(uint8_t*)0x202b4008 = 0); |
| NONFAILING(*(uint8_t*)0x202b4009 = 0); |
| NONFAILING(*(uint8_t*)0x202b400a = 0); |
| NONFAILING(*(uint8_t*)0x202b400b = 0); |
| NONFAILING(*(uint8_t*)0x202b400c = 0); |
| NONFAILING(*(uint8_t*)0x202b400d = 0); |
| NONFAILING(*(uint8_t*)0x202b400e = 0); |
| NONFAILING(*(uint8_t*)0x202b400f = 0); |
| syscall(__NR_sendto, r[0], 0x204b3fff, 0x380, 0, 0x202b4000, 0x10); |
| break; |
| case 5: |
| NONFAILING(*(uint16_t*)0x20000000 = 0x1d); |
| NONFAILING(*(uint32_t*)0x20000004 = 0); |
| NONFAILING(*(uint32_t*)0x20000008 = 0); |
| NONFAILING(*(uint32_t*)0x2000000c = 0); |
| syscall(__NR_connect, r[0], 0x20000000, 0x10); |
| break; |
| case 6: |
| res = syscall(__NR_socket, 0xa, 1, 0); |
| if (res != -1) |
| r[1] = res; |
| break; |
| case 7: |
| NONFAILING(*(uint32_t*)0x20002080 = 0x60); |
| res = syscall(__NR_accept, -1, 0x20002000, 0x20002080); |
| if (res != -1) |
| r[2] = res; |
| break; |
| case 8: |
| NONFAILING(*(uint16_t*)0x200020c0 = 0x27); |
| NONFAILING(*(uint32_t*)0x200020c4 = 1); |
| NONFAILING(*(uint32_t*)0x200020c8 = 2); |
| NONFAILING(*(uint32_t*)0x200020cc = 0); |
| NONFAILING(*(uint8_t*)0x200020d0 = -1); |
| NONFAILING(*(uint8_t*)0x200020d1 = 5); |
| NONFAILING(memcpy((void*)0x200020d2, |
| "\x76\x5f\xd1\x6b\x79\x03\x9a\x5b\xf2\x0b\x75\x08\xc8\x2d" |
| "\x6a\xfb\x5f\x90\x59\x63\x6c\x46\x41\x94\x50\x72\x0a\x96" |
| "\x9b\xf1\xdb\x60\x08\xa0\x65\x67\xa6\x0b\x3b\xa3\xbb\xdc" |
| "\x94\x92\xf9\xe6\xf1\x5b\xf6\xab\x8b\x9c\x00\x9d\x19\x4c" |
| "\x07\x04\x73\x6f\x63\x95\x90", |
| 63)); |
| NONFAILING(*(uint64_t*)0x20002118 = 0x36); |
| syscall(__NR_connect, r[2], 0x200020c0, 0x60); |
| break; |
| case 9: |
| syz_extract_tcp_res(0x20000040, 0, 0); |
| break; |
| case 10: |
| res = syscall(__NR_socket, 0xa, 0x1000000000002, 0); |
| if (res != -1) |
| r[3] = res; |
| break; |
| case 11: |
| syscall(__NR_ioctl, r[3], 0x8912, 0x20000280); |
| break; |
| case 12: |
| syscall(__NR_unshare, 0x40000000); |
| break; |
| case 13: |
| NONFAILING(memcpy((void*)0x20000040, "\x66\x69\x6c\x74\x65\x72\x00\x00\x00" |
| "\x00\x00\x00\x00\x00\x00\x00\x00\x00" |
| "\x00\x00\x00\x00\x00\x00\x00\x00\x00" |
| "\x00\x00\x00\x00\x00", |
| 32)); |
| NONFAILING(*(uint32_t*)0x20000060 = 4); |
| NONFAILING(*(uint64_t*)0x20000068 = 0); |
| NONFAILING(*(uint64_t*)0x20000070 = 0); |
| NONFAILING(*(uint64_t*)0x20000078 = 0); |
| NONFAILING(*(uint64_t*)0x20000080 = 0); |
| NONFAILING(*(uint64_t*)0x20000088 = 0); |
| NONFAILING(*(uint64_t*)0x20000090 = 0); |
| NONFAILING(*(uint64_t*)0x20000098 = 0); |
| NONFAILING(*(uint64_t*)0x200000a0 = 0); |
| syscall(__NR_setsockopt, -1, 0, 0x41, 0x20000040, 0x68); |
| break; |
| case 14: |
| NONFAILING(memcpy((void*)0x20000080, |
| "\x29\x5e\xd2\x77\xa4\x20\x01\x00\x36\x00\x70", 11)); |
| syscall(__NR_ioctl, r[1], 0x8912, 0x20000080); |
| break; |
| case 15: |
| NONFAILING(*(uint16_t*)0x200004c0 = 0xa); |
| NONFAILING(*(uint16_t*)0x200004c2 = htobe16(0)); |
| NONFAILING(*(uint32_t*)0x200004c4 = 0); |
| NONFAILING(*(uint8_t*)0x200004c8 = 0xfe); |
| NONFAILING(*(uint8_t*)0x200004c9 = 0x80); |
| NONFAILING(*(uint8_t*)0x200004ca = 0); |
| NONFAILING(*(uint8_t*)0x200004cb = 0); |
| NONFAILING(*(uint8_t*)0x200004cc = 0); |
| NONFAILING(*(uint8_t*)0x200004cd = 0); |
| NONFAILING(*(uint8_t*)0x200004ce = 0); |
| NONFAILING(*(uint8_t*)0x200004cf = 0); |
| NONFAILING(*(uint8_t*)0x200004d0 = 0); |
| NONFAILING(*(uint8_t*)0x200004d1 = 0); |
| NONFAILING(*(uint8_t*)0x200004d2 = 0); |
| NONFAILING(*(uint8_t*)0x200004d3 = 0); |
| NONFAILING(*(uint8_t*)0x200004d4 = 0); |
| NONFAILING(*(uint8_t*)0x200004d5 = 0); |
| NONFAILING(*(uint8_t*)0x200004d6 = 0); |
| NONFAILING(*(uint8_t*)0x200004d7 = 0xbb); |
| NONFAILING(*(uint32_t*)0x200004d8 = 0x400); |
| NONFAILING(*(uint16_t*)0x200004dc = 0xa); |
| NONFAILING(*(uint16_t*)0x200004de = htobe16(0x4e23)); |
| NONFAILING(*(uint32_t*)0x200004e0 = 4); |
| NONFAILING(*(uint8_t*)0x200004e4 = 0); |
| NONFAILING(*(uint8_t*)0x200004e5 = 0); |
| NONFAILING(*(uint8_t*)0x200004e6 = 0); |
| NONFAILING(*(uint8_t*)0x200004e7 = 0); |
| NONFAILING(*(uint8_t*)0x200004e8 = 0); |
| NONFAILING(*(uint8_t*)0x200004e9 = 0); |
| NONFAILING(*(uint8_t*)0x200004ea = 0); |
| NONFAILING(*(uint8_t*)0x200004eb = 0); |
| NONFAILING(*(uint8_t*)0x200004ec = 0); |
| NONFAILING(*(uint8_t*)0x200004ed = 0); |
| NONFAILING(*(uint8_t*)0x200004ee = -1); |
| NONFAILING(*(uint8_t*)0x200004ef = -1); |
| NONFAILING(*(uint32_t*)0x200004f0 = htobe32(0x7f000001)); |
| NONFAILING(*(uint32_t*)0x200004f4 = 0xfffffa2a); |
| NONFAILING(*(uint16_t*)0x200004f8 = 0); |
| NONFAILING(*(uint32_t*)0x200004fc = 0); |
| NONFAILING(*(uint32_t*)0x20000500 = 0xfffffff8); |
| NONFAILING(*(uint32_t*)0x20000504 = 0); |
| NONFAILING(*(uint32_t*)0x20000508 = 2); |
| NONFAILING(*(uint32_t*)0x2000050c = 0x80000000); |
| NONFAILING(*(uint32_t*)0x20000510 = 0); |
| NONFAILING(*(uint32_t*)0x20000514 = 0); |
| NONFAILING(*(uint32_t*)0x20000518 = 0); |
| syscall(__NR_setsockopt, -1, 0x29, 0xd3, 0x200004c0, 0x5c); |
| break; |
| case 16: |
| res = syscall(__NR_socket, 0x40000000015, 5, 0); |
| if (res != -1) |
| r[4] = res; |
| break; |
| case 17: |
| syscall(__NR_socket, 2, 2, 0); |
| break; |
| case 18: |
| NONFAILING(*(uint16_t*)0x208a5ff0 = 2); |
| NONFAILING(*(uint16_t*)0x208a5ff2 = htobe16(0)); |
| NONFAILING(*(uint32_t*)0x208a5ff4 = htobe32(0x7f000001)); |
| NONFAILING(*(uint8_t*)0x208a5ff8 = 0); |
| NONFAILING(*(uint8_t*)0x208a5ff9 = 0); |
| NONFAILING(*(uint8_t*)0x208a5ffa = 0); |
| NONFAILING(*(uint8_t*)0x208a5ffb = 0); |
| NONFAILING(*(uint8_t*)0x208a5ffc = 0); |
| NONFAILING(*(uint8_t*)0x208a5ffd = 0); |
| NONFAILING(*(uint8_t*)0x208a5ffe = 0); |
| NONFAILING(*(uint8_t*)0x208a5fff = 0); |
| syscall(__NR_bind, r[4], 0x208a5ff0, 0x10); |
| break; |
| case 19: |
| NONFAILING(*(uint32_t*)0x20000580 = 0x14); |
| syscall(__NR_getsockopt, -1, 6, 0x1d, 0x20000540, 0x20000580); |
| break; |
| case 20: |
| syscall(__NR_socket, 0x29, 0, 0); |
| break; |
| case 21: |
| NONFAILING(*(uint16_t*)0x2069affb = 2); |
| NONFAILING(*(uint16_t*)0x2069affd = htobe16(0x4e1c)); |
| NONFAILING(*(uint32_t*)0x2069afff = htobe32(0x7f000001)); |
| NONFAILING(*(uint8_t*)0x2069b003 = 0); |
| NONFAILING(*(uint8_t*)0x2069b004 = 0); |
| NONFAILING(*(uint8_t*)0x2069b005 = 0); |
| NONFAILING(*(uint8_t*)0x2069b006 = 0); |
| NONFAILING(*(uint8_t*)0x2069b007 = 0); |
| NONFAILING(*(uint8_t*)0x2069b008 = 0); |
| NONFAILING(*(uint8_t*)0x2069b009 = 0); |
| NONFAILING(*(uint8_t*)0x2069b00a = 0); |
| syscall(__NR_sendto, r[4], 0x200006c0, 0, 0, 0x2069affb, 0x10); |
| break; |
| case 22: |
| NONFAILING(*(uint16_t*)0x202b4000 = 2); |
| NONFAILING(*(uint16_t*)0x202b4002 = htobe16(0)); |
| NONFAILING(*(uint32_t*)0x202b4004 = htobe32(0x7f000001)); |
| NONFAILING(*(uint8_t*)0x202b4008 = 0); |
| NONFAILING(*(uint8_t*)0x202b4009 = 0); |
| NONFAILING(*(uint8_t*)0x202b400a = 0); |
| NONFAILING(*(uint8_t*)0x202b400b = 0); |
| NONFAILING(*(uint8_t*)0x202b400c = 0); |
| NONFAILING(*(uint8_t*)0x202b400d = 0); |
| NONFAILING(*(uint8_t*)0x202b400e = 0); |
| NONFAILING(*(uint8_t*)0x202b400f = 0); |
| syscall(__NR_sendto, r[4], 0x204b3fff, 0x2f00, 0, 0x202b4000, 0x10); |
| break; |
| case 23: |
| NONFAILING(*(uint32_t*)0x20000600 = 0); |
| NONFAILING(*(uint32_t*)0x20000604 = 0); |
| NONFAILING(*(uint32_t*)0x20000640 = 8); |
| syscall(__NR_getsockopt, r[1], 0x84, 0x7b, 0x20000600, 0x20000640); |
| break; |
| case 24: |
| NONFAILING(*(uint32_t*)0x200000c0 = 0x20); |
| syscall(__NR_setsockopt, -1, 0x84, 0x1e, 0x200000c0, 4); |
| break; |
| case 25: |
| NONFAILING(*(uint32_t*)0x20000180 = 0x14); |
| syscall(__NR_accept4, -1, 0x20000140, 0x20000180, 0x80000); |
| break; |
| case 26: |
| res = syscall(__NR_pipe, 0x20000240); |
| if (res != -1) { |
| NONFAILING(r[5] = *(uint32_t*)0x20000240); |
| NONFAILING(r[6] = *(uint32_t*)0x20000244); |
| } |
| break; |
| case 27: |
| syscall(__NR_ioctl, r[6], 0x80f86406, 0x20000080); |
| break; |
| case 28: |
| syscall(__NR_ioctl, r[5], 0xc0189436, 0x20000000); |
| break; |
| case 29: |
| res = syscall(__NR_socket, 0x18, 1, 2); |
| if (res != -1) |
| r[7] = res; |
| break; |
| case 30: |
| NONFAILING(*(uint16_t*)0x20000440 = 0x18); |
| NONFAILING(*(uint32_t*)0x20000442 = 2); |
| NONFAILING(*(uint16_t*)0x20000446 = htobe16(3)); |
| NONFAILING(*(uint32_t*)0x2000044a = htobe32(0x8001)); |
| syscall(__NR_connect, r[7], 0x20000440, 0x1e); |
| break; |
| case 31: |
| NONFAILING(*(uint16_t*)0x20000040 = 0xa); |
| NONFAILING(*(uint16_t*)0x20000042 = htobe16(0)); |
| NONFAILING(*(uint32_t*)0x20000044 = 0); |
| NONFAILING(*(uint8_t*)0x20000048 = 0xfe); |
| NONFAILING(*(uint8_t*)0x20000049 = 0x80); |
| NONFAILING(*(uint8_t*)0x2000004a = 0); |
| NONFAILING(*(uint8_t*)0x2000004b = 0); |
| NONFAILING(*(uint8_t*)0x2000004c = 0); |
| NONFAILING(*(uint8_t*)0x2000004d = 0); |
| NONFAILING(*(uint8_t*)0x2000004e = 0); |
| NONFAILING(*(uint8_t*)0x2000004f = 0); |
| NONFAILING(*(uint8_t*)0x20000050 = 0); |
| NONFAILING(*(uint8_t*)0x20000051 = 0); |
| NONFAILING(*(uint8_t*)0x20000052 = 0); |
| NONFAILING(*(uint8_t*)0x20000053 = 0); |
| NONFAILING(*(uint8_t*)0x20000054 = 0); |
| NONFAILING(*(uint8_t*)0x20000055 = 0); |
| NONFAILING(*(uint8_t*)0x20000056 = 0); |
| NONFAILING(*(uint8_t*)0x20000057 = 0xaa); |
| NONFAILING(*(uint32_t*)0x20000058 = 3); |
| syscall(__NR_connect, -1, 0x20000040, 0x1c); |
| break; |
| case 32: |
| NONFAILING(*(uint32_t*)0x20000080 = 0); |
| NONFAILING(*(uint32_t*)0x20000084 = 0); |
| syscall(__NR_setsockopt, -1, 1, 6, 0x20000080, 8); |
| break; |
| case 33: |
| syscall(__NR_socket, 0x1d, 2, 2); |
| break; |
| case 34: |
| NONFAILING(*(uint16_t*)0x20000240 = 2); |
| NONFAILING(*(uint16_t*)0x20000242 = htobe16(0x4e23)); |
| NONFAILING(*(uint32_t*)0x20000244 = htobe32(-1)); |
| NONFAILING(*(uint8_t*)0x20000248 = 0); |
| NONFAILING(*(uint8_t*)0x20000249 = 0); |
| NONFAILING(*(uint8_t*)0x2000024a = 0); |
| NONFAILING(*(uint8_t*)0x2000024b = 0); |
| NONFAILING(*(uint8_t*)0x2000024c = 0); |
| NONFAILING(*(uint8_t*)0x2000024d = 0); |
| NONFAILING(*(uint8_t*)0x2000024e = 0); |
| NONFAILING(*(uint8_t*)0x2000024f = 0); |
| syscall(__NR_bind, -1, 0x20000240, 0x10); |
| break; |
| case 35: |
| NONFAILING(*(uint64_t*)0x20000b80 = 0x20000380); |
| NONFAILING(*(uint32_t*)0x20000b88 = 0x80); |
| NONFAILING(*(uint64_t*)0x20000b90 = 0x20000b00); |
| NONFAILING(*(uint64_t*)0x20000b00 = 0x20000a80); |
| NONFAILING(*(uint64_t*)0x20000b08 = 0x77); |
| NONFAILING(*(uint64_t*)0x20000b98 = 1); |
| NONFAILING(*(uint64_t*)0x20000ba0 = 0); |
| NONFAILING(*(uint64_t*)0x20000ba8 = 0); |
| NONFAILING(*(uint32_t*)0x20000bb0 = 0); |
| syscall(__NR_recvmsg, -1, 0x20000b80, 0); |
| break; |
| case 36: |
| res = syscall(__NR_socket, 0xa, 1, 0); |
| if (res != -1) |
| r[8] = res; |
| break; |
| case 37: |
| syscall(__NR_ioctl, r[8], 0x4000008912, 0x20000100); |
| break; |
| case 38: |
| NONFAILING(*(uint32_t*)0x20000000 = -1); |
| NONFAILING(*(uint16_t*)0x20000004 = 0x100); |
| NONFAILING(*(uint16_t*)0x20000006 = 0); |
| NONFAILING(*(uint32_t*)0x20000008 = -1); |
| NONFAILING(*(uint16_t*)0x2000000c = 0); |
| NONFAILING(*(uint16_t*)0x2000000e = 0); |
| syscall(__NR_poll, 0x20000000, 2, 0); |
| break; |
| case 39: |
| NONFAILING(*(uint32_t*)0x200012c0 = 0x10); |
| res = syscall(__NR_accept4, 0xffffff9c, 0x20001280, 0x200012c0, 0x80800); |
| if (res != -1) |
| r[9] = res; |
| break; |
| case 40: |
| NONFAILING(*(uint32_t*)0x20001400 = 0); |
| NONFAILING(*(uint16_t*)0x20001404 = 2); |
| NONFAILING(*(uint16_t*)0x20001406 = htobe16(0x4e22)); |
| NONFAILING(*(uint32_t*)0x20001408 = htobe32(0xe0000001)); |
| NONFAILING(*(uint8_t*)0x2000140c = 0); |
| NONFAILING(*(uint8_t*)0x2000140d = 0); |
| NONFAILING(*(uint8_t*)0x2000140e = 0); |
| NONFAILING(*(uint8_t*)0x2000140f = 0); |
| NONFAILING(*(uint8_t*)0x20001410 = 0); |
| NONFAILING(*(uint8_t*)0x20001411 = 0); |
| NONFAILING(*(uint8_t*)0x20001412 = 0); |
| NONFAILING(*(uint8_t*)0x20001413 = 0); |
| NONFAILING(*(uint32_t*)0x20001484 = 0); |
| NONFAILING(*(uint32_t*)0x20001488 = 0x9a6); |
| NONFAILING(*(uint32_t*)0x2000148c = 9); |
| NONFAILING(*(uint32_t*)0x20001490 = 2); |
| NONFAILING(*(uint32_t*)0x20001494 = 5); |
| NONFAILING(*(uint32_t*)0x200014c0 = 0x98); |
| syscall(__NR_getsockopt, r[9], 0x84, 0xf, 0x20001400, 0x200014c0); |
| break; |
| case 41: |
| syscall(__NR_socket, 0x10, 3, 0x10); |
| break; |
| case 42: |
| NONFAILING(*(uint32_t*)0x20000340 = 8); |
| syscall(__NR_setsockopt, r[9], 0x84, 0x14, 0x20000340, 4); |
| break; |
| case 43: |
| NONFAILING(*(uint32_t*)0x20000280 = 0); |
| NONFAILING(*(uint32_t*)0x20000284 = 0x80000); |
| NONFAILING(*(uint32_t*)0x20000288 = 0xffffff9c); |
| res = syscall(__NR_ioctl, -1, 0xc00c642e, 0x20000280); |
| if (res != -1) |
| NONFAILING(r[10] = *(uint32_t*)0x20000288); |
| break; |
| case 44: |
| NONFAILING(*(uint64_t*)0x200002c0 = 9); |
| NONFAILING(*(uint64_t*)0x200002c8 = 0); |
| NONFAILING(*(uint64_t*)0x200002d0 = 0x10003); |
| NONFAILING(*(uint64_t*)0x200002d8 = 0); |
| res = syscall(__NR_ioctl, 0xffffff9c, 0xc0206434, 0x200002c0); |
| if (res != -1) |
| NONFAILING(r[11] = *(uint64_t*)0x200002c8); |
| break; |
| case 45: |
| NONFAILING(*(uint64_t*)0x20000300 = 0xffffffffffffffd4); |
| NONFAILING(*(uint64_t*)0x20000308 = r[11]); |
| syscall(__NR_ioctl, r[10], 0xc0106438, 0x20000300); |
| break; |
| case 46: |
| syscall(__NR_socket, 0x2b, 1, 0); |
| break; |
| case 47: |
| NONFAILING(*(uint32_t*)0x206dbffc = 1); |
| syscall(__NR_setsockopt, -1, 1, 0x3c, 0x206dbffc, 4); |
| break; |
| case 48: |
| NONFAILING(*(uint32_t*)0x20000140 = 0); |
| res = syscall(__NR_accept, -1, 0, 0x20000140); |
| if (res != -1) |
| r[12] = res; |
| break; |
| case 49: |
| NONFAILING(*(uint32_t*)0x20001c80 = 0xc); |
| res = syscall(__NR_getsockopt, -1, 1, 0x11, 0x20001c40, 0x20001c80); |
| if (res != -1) |
| NONFAILING(r[13] = *(uint32_t*)0x20001c44); |
| break; |
| case 50: |
| NONFAILING(*(uint32_t*)0x20002080 = 0xe8); |
| res = syscall(__NR_getsockopt, -1, 0x29, 0x23, 0x20001f80, 0x20002080); |
| if (res != -1) |
| NONFAILING(r[14] = *(uint32_t*)0x20001fb4); |
| break; |
| case 51: |
| NONFAILING(*(uint64_t*)0x20002180 = 0x20000180); |
| NONFAILING(*(uint16_t*)0x20000180 = 1); |
| NONFAILING(*(uint8_t*)0x20000182 = 0); |
| NONFAILING(*(uint32_t*)0x20000184 = 0x4e24); |
| NONFAILING(*(uint32_t*)0x20002188 = 0x6e); |
| NONFAILING(*(uint64_t*)0x20002190 = 0x20001580); |
| NONFAILING(*(uint64_t*)0x20001580 = 0x20000240); |
| NONFAILING(memcpy( |
| (void*)0x20000240, |
| "\x34\xd0\x59\x28\x28\x92\xbb\x53\xa4\x7e\x67\xe8\xda\x7d\xd6\xfd\x9a" |
| "\xd0\xa1\xd8\x2f\x9a\xd7\xf5\x86\x12\xcf\x2e\x19\xde\xce\xfd\xb4\x78" |
| "\x9a\x1e\xdb\xba\x84\xd4\x98\x2c\x03\xa0\x7e\x02\x6d\xb5\xf9\x55\x5f" |
| "\x06\xcb\xe5\xc1\xd4\xee\xb0\xbe\xe8\x79\x94\xaa\x83\x35\xf0\x34\xe4" |
| "\xdc\xc5\x72\x54\x52\x92\x07\x13\x8e\x39\xd0\xe3\xde\xf7\x7d\x8e\x4a" |
| "\x97\x0f\xe8\x9e\x06\x5d\x75\x2b\x7b\xd0\x9d\x61\x5e\x28\x5f\xce\x7a" |
| "\x79\xb4\x39\x00\x0d\x2c\x8f\x50\x0f\xbc\x5f\xf5\x1e\x8d\xee\x51\x9a" |
| "\x25\x29\xa9\x8f\xb1\xec\x22\x27\x21\x79\x94\x19\xf8\xd4\xa7\xd3\x6c" |
| "\x31\x77\x3f\x83\x5d\xc3\x47\xf4\x11\x50\xbc\x6b\x45\x0e\x45\x3e\x33" |
| "\x84\x4f\xd0\x6f\xcb\x50\xff\x6c\x1d\x61\xec\x8f\xba\x20\x67\xc4\xa8" |
| "\xb7\xe6\xb7\xde\x90\xd0\x05\x84\x75\x49\x17\x61\x53\xdc\xc0\xd2\xff" |
| "\xe6\xdf\xf4\xbf\x37\x2a\xc6\x0a\x6e\x9d\xe5\x70\xf5\x90\xc9\x42\xdf" |
| "\x71\x82\xc5\xf0\x9f\x30\xa8\x26\x62\xc7\xd7\x94\xe4\x42\x18\xd7\x49" |
| "\x6f\x4c\xed\xd5\xaa\xe5\xaf\x4f\xa7\x2a\x70\x18\xc0\x16\x88\x01\xd4" |
| "\x62\xc4\x9c\xac\x21\x30\xe5\x42\xcc\x4d\x0e\x2c\x53\x58\x24\x85\xe7" |
| "\x96\x0d\x78\x04\x65\x45\xe7\x28\x19\x9e\x8d\x36\xc9\x61\x5c\xa6\x0e" |
| "\x42\x4e\xb5\x4c\xf3\x01\x1d\x4b\x14\xf7\x7c\x21\x19\x8f\x19\x3e\x9c" |
| "\x00\xb2\xa3\x09\x11\xb4\xf7\xb2\x28\xf0\x9a\x64\xa4\x97\x90\x1e\xda" |
| "\x2f\x0f\x7c\x55\xfa\x1a\x53\xcf\x6b\x70\x91\x6f\xa0\xe9\xac\x9c\x7f" |
| "\x16\xe1\x5b\x01\x46\x17\xac\x7b\xd3\xf7\x0f\x96\x80\xef\xe4\x88\xa7" |
| "\x91\x29\xcb\xd0\x1f\x1a\xec\x2f\xa6\x02\x70\x30\xc8\xab\x48\x8f\xe9" |
| "\x5c\x88\xeb\xbe\x38\xa8\xaa\xff\xfe\x55\x8a\xd6\x8a\x96\xd4\xe4\xc5" |
| "\x80\x43\x4a\xe9\x73\xdd\x50\xc8\x80\xa4\xe8\xec\x4c\x86\x13\x8b\x3b" |
| "\x37\xd7\x82\x6a\x1f\xc6\x1b\x10\xd0\x98\xdb\x58\xf0\xa1\x06\x51\x9f" |
| "\x17\x74\xed\x49\x42\xfe\x57\x9b\xa4\xa0\xd3\xe0\x93\x59\xe0\xcd\x4d" |
| "\x57\x44\x31\x4b\xa1\xc0\xf5\x4d\xf2\x2e\x3b\xce\x0f\x36\x5e\x59\xe8" |
| "\x68\xab\x06\xf6\x7b\x71\x5a\xa0\x0a\x56\xe9\x11\xd3\xdc\x65\x55\x0d" |
| "\xe5\x96\x76\x5f\x27\x0d\x97\x4b\x65\xff\xcc\x00\x8f\xa6\x66\x68\xa1" |
| "\xbc\x86\x9a\xa9\x9e\x40\xc9\xda\x03\xad\x69\xd8\xd0\x90\xbf\x18\x5f" |
| "\x3d\x52\x7d\x56\xf2\x2d\xd6\x00\x79\x9e\xdf\xec\x2c\xca\x59\x60\xcd" |
| "\x9b\x58\xf3\xb3\xbe\xea\x5d\x6c\x95\xfe\x7f\x7a\xa5\x01\x8a\x2c\x71" |
| "\x67\x6e\xb8\xb4\x98\x08\x4a\xbe\xb3\x3f\x97\xf0\x4b\x3a\x3b\xed\x10" |
| "\x0e\x5d\xe5\xb0\x00\x95\x93\x89\xa4\xf9\xd1\x73\x79\x94\x08\xc9\xf4" |
| "\x38\x7b\xa8\xc9\x88\x29\x91\x94\xa3\x28\xbc\xe0\x49\xdf\x7b\x04\x10" |
| "\x58\x61\x05\x12\x61\xdc\x8e\xf9\x97\x7d\xc0\x05\xc2\x8b\xee\x69\xbf" |
| "\xe5\xe8\xe6\x25\x50\x74\x2c\xe4\x98\xaf\xdd\xd4\xca\x50\x49\x0c\xb0" |
| "\x39\x4c\x7c\x6f\x4f\x87\x02\xc7\xac\x7c\x00\x0a\x01\x69\x84\x78\x29" |
| "\xc0\x51\x0f\xfd\x8d\x67\xc2\x89\xcd\xfb\x0a\x02\x70\xa8\x71\x8f\x69" |
| "\x9a\x18\x70\x4e\x89\xf1\xe0\xbe\x7e\x7a\xf9\x48\xf3\x18\x6c\xd5\x5f" |
| "\x2a\xe7\x95\x6a\xe3\xb3\x70\x9e\x45\xc1\xcc\xc0\x35\xb6\x13\x5b\xa3" |
| "\x31\x1e\x88\x7b\x82\x12\xe2\x35\x92\x21\x2f\x1d\x77\xa2\x42\x7e\xd4" |
| "\xab\xcd\x6f\xac\x1c\x3e\x22\x53\x76\x52\xfc\xb5\x48\xc4\x6f\x5e\x67" |
| "\x15\xf7\xfc\x15\xb3\xda\x67\x79\x2e\xf9\xa8\x83\x37\xfc\x86\xf4\x06" |
| "\xfa\x08\xbe\x98\xd8\xbc\x27\x8f\x20\x0c\xd2\x39\x31\x06\xe6\xea\xc5" |
| "\x64\x03\x7b\xab\xfa\x5a\xac\x0f\xe8\x49\xec\x9d\x5c\x1f\x61\x2f\xe4" |
| "\xb0\x3d\xbf\x9b\xb8\xde\xbd\x90\x20\xe1\x63\x87\xa4\x12\x82\x38\xf0" |
| "\x9d\xa1\xdc\x69\xfc\xd5\x4b\xb1\x48\x56\xd1\x7e\x61\x84\xf5\x4a\x63" |
| "\x9b\x2d\x78\x26\x51\x7d\x79\x40\x4e\x7c\x82\x77\x61\xcd\xff\x2b\x8c" |
| "\x40\xb6\x83\x48\x77\xd7\x2a\x77\xcb\xbc\xd0\x1a\xe2\xc6\x81\xdd\x73" |
| "\xd9\xe7\xcb\x50\xf3\xf8\x42\x51\xaa\x2b\x29\x90\x42\x0e\x7c\x27\x25" |
| "\x41\x3e\xa3\xd2\x5f\x6f\x08\xe2\x51\xbb\x02\xa8\x9b\xd0\x04\xf3\xcf" |
| "\x05\xcd\x11\x00\xc4\xdd\xaa\xf5\x45\xf5\x56\xec\x16\x19\x05\x95\xff" |
| "\xb2\x57\x98\x91\x67\xcc\xa8\x1b\x57\xc6\xbb\x9c\x0b\xb4\x0d\x8d\x89" |
| "\xde\xb7\x04\x37\xee\x28\xcb\x67\x21\x5e\x1a\xe4\x31\x80\x24\xc6\x8a" |
| "\x83\xed\xe8\xdc\xbe\x1b\x61\x80\xa7\x2b\x17\x79\x5f\xd4\x73\x6d\x1c" |
| "\x77\xd6\x63\x68\x62\xf3\x4a\xf0\x8d\x29\x49\x73\x51\x5f\x81\xe4\x7b" |
| "\xbd\x1e\x4e\x2e\x7e\xf2\x43\xaa\xe1\xdb\xb0\x18\x7a\x00\x8e\x00\xb7" |
| "\x7d\x56\xcc\x6e\x02\xa6\x15\xad\xe9\x4b\x36\xc2\x35\x8b\x0e\x58\xd2" |
| "\x44\x65\xc0\x7d\xb9\x9b\xc7\xb3\xff\x41\x84\xe3\xbb\x0e\x7f\xf0\x13" |
| "\xcc\x15\x18\x8e\x30\xb4\x15\x17\x31\x26\x5d\x72\x50\xa6\xf3\x2f\x2c" |
| "\xc4\xbc\x9e\x1f\x4b\xcd\x3b\x3f\x69\xc8\x17\x3a\xf4\xa1\x50\xad\xd0" |
| "\xa5\xa5\x8a\xb1\xc9\xf3\xad\xcd\xc6\x7f\x3b\x4c\xef\x50\x18\x78\xb3" |
| "\x62\xf7\x41\xe7\xbf\xe5\xe7\x1e\x8d\xad\xab\xde\x63\xf7\xfb\x55\x72" |
| "\x71\x32\x78\xde\x25\x1e\x7d\x08\xe7\xb4\xe4\x23\x33\xe8\x67\xa8\xca" |
| "\xcc\x0a\x90\x87\xf5\xe1\xb0\xfa\x07\x8a\xd5\x30\x58\x35\x44\xd8\xcf" |
| "\xa1\xaf\xe8\x44\xef\xd3\xe5\x6e\x1b\x03\x8b\xf6\x2c\x9a\x01\x2f\xe5" |
| "\x0f\x9f\xab\x39\xd1\xdf\xea\xad\xe3\xdc\xe8\x74\x0f\x0a\x88\xb8\x8b" |
| "\xd8\x50\x8b\xc4\x40\x5b\xce\xf5\x30\x81\xe2\x66\xfa\x74\xfe\xb5\x95" |
| "\x95\x45\xe0\x3c\x8b\x38\x3f\x22\xaf\x5f\x8f\xaf\xd4\x87\x5c\xd7\x15" |
| "\xb3\x6f\x4b\xa7\x5f\xaa\x09\x15\x47\x9c\x62\x2b\x3d\x93\x86\x37\x27" |
| "\x66\x12\xe6\x7f\x59\x7f\x20\x24\x0c\x95\x94\xd7\x5f\x47\xbb\x99\xbd" |
| "\x90\xa3\xbb\xfc\x18\x40\xc7\x14\x41\xd7\x36\xfa\xad\x9e\xdc\xf1\x34" |
| "\x03\xc0\xe5\xfb\xab\x7e\xfc\x44\x14\x65\x53\xda\xd9\xcc\x10\x8c\x8e" |
| "\x1e\x40\xe0\x9a\x6a\x0c\xa8\x85\x55\x5b\xda\x9f\x5c\x4e\xfc\x5c\xe2" |
| "\xc4\x24\x23\x3e\xf7\xb3\xe3\xba\xcb\x6c\x17\xe4\x0e\xa2\xa4\xea\xd4" |
| "\xc7\x3d\xb3\x5e\x4f\xfd\x74\x4a\xcd\x45\x82\x01\xa4\x6f\x2e\x6f\xb1" |
| "\x3f\xa6\xf1\x31\x40\x7b\xeb\xb3\xe2\xab\x46\xeb\xe5\xc2\x10\xfd\xc9" |
| "\x0e\xc8\xf9\x01\x03\xc6\xa9\xf5\x91\x35\xdd\xa2\x61\xe7\x4c\x2e\x2c" |
| "\x8e\xc9\x70\x70\xe0\x67\x69\x1e\x1b\x13\xa2\xb2\xd8\x6c\xb5\x94\x2e" |
| "\x2e\x98\xc2\x98\xea\xf8\x57\xaf\x0f\xcd\x9f\xaa\x88\x36\x63\x13\xa2" |
| "\x25\x78\x19\x79\xd0\xe2\x7e\x0d\x1a\x69\xb9\xb9\xe1\x95\xf4\xdf\x90" |
| "\xae\x5f\x3f\x09\x25\x52\x5a\x89\x80\x9e\x3c\x7c\x93\xcd\x77\x6b\x2b" |
| "\xbb\x5b\x50\xf4\x8f\xa2\x5d\x4b\x32\xd9\x26\x4c\x0f\x3d\x83\xaf\x0a" |
| "\x08\x52\x90\xda\x41\xc2\xd3\x2f\xc3\x2f\xac\x6e\xa7\xb1\xf7\x47\x2c" |
| "\x6d\xc0\xbc\xab\xf8\x5b\x53\x21\xe8\x30\x3d\x03\x88\xbc\x52\xac\xcb" |
| "\x0e\xf5\xc1\xf6\xd2\x89\x3a\x4b\x23\xc3\xc4\x88\x6d\x7c\x36\x58\x97" |
| "\x97\x6e\xf5\x38\x3a\x5b\x28\xbb\xf5\x11\x88\x64\xdc\x2c\x59\xbc\x5d" |
| "\x9b\x3a\x99\x00\xf1\x6e\x2c\xde\x2e\x46\x6c\x36\xac\x04\x36\x6d\x59" |
| "\x00\xab\xdb\x3c\xc2\x67\x1b\x08\xf8\x21\xf3\xdd\xb8\x90\xd0\x48\x7a" |
| "\xb7\xea\xa7\x01\xf9\x85\xf1\xda\x06\x7a\x22\x65\x23\x49\x37\xd8\x1b" |
| "\xfd\x25\xa5\xcb\x6a\x0f\x2c\x42\x8f\x3f\xd9\x33\x5c\xe5\x06\x0d\x4d" |
| "\xc7\x12\x2e\x41\x88\x99\x70\xc6\xaa\x4f\x29\xfe\xbf\xc2\xbe\x5d\xed" |
| "\xa3\x83\x51\xd2\x0c\xf1\x93\x66\xb4\x70\xac\xfd\x69\x3b\x8e\x7f\xff" |
| "\x70\x24\x75\xe3\x4c\x3a\x88\xdf\x81\xa0\x8e\xaf\xe6\xc7\xa7\xc9\xe7" |
| "\xc7\x55\x7d\x70\xb1\x64\x4b\x24\x2d\x9a\x04\xb6\x7f\xee\x84\x43\xc4" |
| "\xe2\x43\xb0\xf4\xbf\x48\x6b\xa8\x55\x02\xfc\xcc\x6f\x44\xd5\x82\x5e" |
| "\x70\x60\xb8\x82\x41\xe7\x1c\x73\xaf\x6a\x16\x89\x5e\x86\x20\xa5\xa9" |
| "\x84\x5c\x2c\x05\x88\x61\x9e\x4a\xda\x99\x17\xef\xde\x8b\x0f\x5e\x2b" |
| "\x11\xa2\x7a\xdd\xa1\x3b\x81\xc1\x43\x2e\x2e\x98\xbd\x42\xb5\x61\xd5" |
| "\x28\x85\x5b\x77\x8f\x26\xe6\x06\x18\x2b\xd8\x77\x3b\xb1\x42\x7f\x3d" |
| "\x0e\x1e\xbb\xc4\x36\xcd\x8c\xab\x56\x2d\x08\x0d\xa5\x37\xa5\x97\x9b" |
| "\x9e\xf3\x64\xdd\xf9\x5d\x80\x66\xe6\x25\xf3\xa9\x98\x0c\x27\x6f\x29" |
| "\x76\x81\x1c\xd8\x14\x23\xcf\x37\xc6\x7e\xc9\x13\x3c\x2c\xb8\x1e\xfc" |
| "\xb9\x69\x30\xc9\x81\xd4\xd5\x26\x53\x2d\xfc\x02\xcc\xf2\xe4\x73\xf8" |
| "\x91\x3f\xce\x8a\x9c\x52\x16\xf0\x8f\x54\xf9\x08\x91\x28\xdc\x77\xa8" |
| "\x24\xc0\x00\xee\x9e\x5c\xb0\x2e\x6d\x8c\xb1\x49\xcb\x36\x30\xb6\x31" |
| "\x9b\x1d\x4a\xb1\x60\xfe\xe6\x8b\x8a\x4b\xd8\x97\xc3\xff\xa0\x02\x26" |
| "\x8d\x8f\x27\x6f\x18\xbe\x93\x1e\x64\x86\x41\x5e\x01\x7f\xa8\xba\x09" |
| "\x6c\xa0\xc7\x65\x38\x60\xcb\x6d\x32\xc4\xfc\x3a\x1c\xa9\x1b\x29\xe9" |
| "\x0c\x18\xaa\xca\x3e\x27\xda\xe4\x2e\x7d\xfc\x70\x73\x0b\xeb\xe6\xc1" |
| "\x9a\xab\x0f\x48\xdd\xc8\x49\x5a\xc7\xd2\x85\xd8\x7e\xbc\xa1\xe2\x93" |
| "\xc1\x57\x8e\x7d\x39\x42\x4a\x0f\x18\x84\x71\xae\x0c\x15\x36\x06\xc3" |
| "\xda\x5c\x14\x9a\x2e\x87\xd3\x01\x35\xbf\x67\xdf\x98\x27\x80\x21\xa9" |
| "\x70\x2e\x52\xbd\x3b\x65\x03\x00\x31\x26\xc7\x43\x7e\xa7\xfc\x7f\x3e" |
| "\x93\x7a\xc1\x95\xf1\x44\xed\x5a\x2d\xf8\xc2\x5c\xc6\x56\x05\x4e\x4b" |
| "\xce\x80\x35\x6a\x45\x2e\xd1\x6e\x3d\x7b\x3e\x7b\x9c\xb4\xca\xbb\x50" |
| "\x1f\x8d\x2c\xd5\x2d\xef\x87\x6d\x40\x4b\x0d\x99\xbc\x04\x76\xae\xbc" |
| "\xee\xf8\x7d\xe4\x7b\x36\xd9\x14\x34\x5e\x91\x1e\x65\xf4\x5d\x1b\xff" |
| "\xcb\xd3\xcd\x4f\xb1\x3a\x6f\xdf\x74\x49\x2d\xd4\x1c\x8f\xbd\x92\x60" |
| "\xbf\x8c\x99\xf3\xf9\x2e\x42\x7c\xd7\x4a\x74\x29\x6f\x8c\xae\x8f\x6c" |
| "\x54\xe5\x61\xb7\xbb\xda\x55\x9e\xad\xe1\x01\xc4\x16\x87\xe9\xd2\x49" |
| "\x31\x5e\x0c\x23\xb2\x62\xe4\x1e\xaa\xa4\xe4\x48\xe1\x3a\x2b\x68\xf1" |
| "\x8d\xc3\xd9\x3f\xc2\xe9\x63\xc3\xb8\xe4\x07\x35\x33\xfe\x98\xa0\xf4" |
| "\x94\xba\x6e\x55\xb6\x85\xf4\x3f\x22\x9b\xf3\x9a\x5e\xad\x5b\xe5\x7c" |
| "\x70\x87\xa8\xc0\x87\x2b\x3d\x84\xfd\x02\x0d\x76\xf1\x06\x51\x1d\x22" |
| "\x6e\xfd\xf3\xb0\x44\x60\x8c\xfd\x2e\x65\x55\x18\x6e\x99\xb0\xb6\x50" |
| "\xd0\xc7\xee\x9f\x88\xb6\xfc\xa5\x3f\xcd\xdf\xd2\xa0\x90\xeb\xe2\x6a" |
| "\x2c\x32\x1e\x38\xcd\x63\x40\x09\xd2\xd6\xe1\x5f\x52\x8f\x67\x08\x12" |
| "\xb4\x6e\xc2\xc8\x0b\xda\x85\x3d\x3d\xc4\x3f\x67\x50\xbc\x9c\x63\x6e" |
| "\xe3\xf8\x0d\xd3\x5d\xca\x15\xea\xc7\xd9\xf0\xaf\x0a\xd3\x25\x6d\x31" |
| "\xa3\xdf\x9e\xee\x30\xf5\xfb\x6c\x48\xb2\x3c\x87\x3f\x0a\x06\xf9\x0d" |
| "\x94\x3a\x28\x8a\x6c\x42\xfa\x40\xb3\x12\xfe\x9d\xec\xfd\x6c\x4d\xfc" |
| "\x37\x3b\x00\xdb\x40\x44\x79\xe6\xf4\x61\xf0\xb7\x1e\x18\x31\x7c\x36" |
| "\x1e\x8c\x43\x57\x7d\x92\x25\xb8\xa0\x44\xbc\xbc\x2f\x08\x6e\x3b\xbd" |
| "\x3a\x4d\x95\x10\x7e\xdf\xd3\x2c\x22\x2a\xaa\x03\xfc\xa2\xea\x34\x21" |
| "\x86\xa5\x92\xb1\x1e\xd2\xa5\x7e\x2d\x19\xca\xb1\x37\x8e\x47\x73\xc5" |
| "\x3a\xe1\x90\xb8\xe4\xc4\xe7\xfa\xd5\x52\x78\x9c\x63\x0a\xeb\xc6\xcb" |
| "\xa7\xb1\xc5\xf2\x49\xa5\x0b\x7d\x2b\xd2\x13\x0d\xbe\x62\x57\x04\x7d" |
| "\x14\x5c\xfb\x9f\xbd\x8c\xfd\xa0\xf0\x70\x02\x04\xee\x9c\x2e\x62\x22" |
| "\xc8\x6a\xe1\xc1\x82\xb2\x87\xc0\x31\x06\x0f\xec\x2c\x9e\x7b\xe5\x82" |
| "\xce\x86\x78\x37\x15\x81\x34\xce\xac\xd9\x7a\xb5\x9b\xb1\x06\x40\xbb" |
| "\x7f\x1f\x2c\x61\x3c\xf6\xaa\x58\x34\x5e\x1b\x86\xb4\x8c\xe4\x61\x17" |
| "\x4f\xb7\x52\x79\xea\x60\x4e\xbf\xa5\xe0\xd0\x05\x60\x2f\xb7\x5b\xfb" |
| "\x29\xbf\x50\x83\xbe\x0e\xc1\x41\x89\x7b\x91\xea\xcb\xf3\x57\xcc\x41" |
| "\x72\x80\xdb\xf5\x8d\x08\x14\xa1\xe7\x59\xee\x28\x73\x68\x66\x67\xa2" |
| "\x95\xbd\xdd\x3b\x51\x5a\x3b\x89\xf6\xb2\xc0\xb1\x49\xb5\xe3\x6e\x4a" |
| "\xfa\xec\x39\x65\xc1\xb5\xcd\x79\x29\xe9\x95\xcf\x49\x96\x99\x84\x33" |
| "\x50\xde\x49\x40\x0e\xde\xf0\x06\x56\xe9\x18\xc2\x77\x48\x11\x07\x7b" |
| "\x84\x0b\x3d\x36\x9b\xa8\x24\x11\x0d\x75\x82\x99\x27\x4c\x6b\xef\xb7" |
| "\x9c\x21\x8c\x74\x7e\x45\xd5\xa4\x60\x9c\xc4\xfa\x4f\xa9\xc9\x04\x2c" |
| "\x01\x28\xa7\xc3\x08\x40\x3c\x9a\x82\x27\x78\xf5\xd2\x7c\xd7\x54\x7a" |
| "\x4f\x57\x14\xd0\x2d\x5c\x4e\x41\x32\xf8\xd5\x1a\xd1\xc4\xba\x1c\xa1" |
| "\xb5\xc1\x4f\xd1\x03\xf2\x5e\xa3\xff\x4c\x00\x35\x8a\x5b\x88\xd0\x42" |
| "\x01\x81\xc6\xf9\x50\xdb\xc4\x71\x71\x89\xee\x12\xd9\x92\x2f\xa6\xb5" |
| "\xb7\x83\x3c\x70\xe9\xeb\x60\x19\x2f\xad\x02\x62\xc3\x7b\x36\x21\x5b" |
| "\x50\x0b\xe6\xb8\x0c\xf6\xdb\xf7\x4d\xe0\x96\x7b\x40\x11\x00\x32\xa1" |
| "\x5c\x24\x25\x25\x19\x17\x45\x4b\x55\x96\xab\xc4\xe7\xfa\xbe\x2a\xf3" |
| "\x1d\x64\x3e\xd7\x05\x21\x3e\x8b\x92\x60\xc7\x0c\x13\x78\x66\x23\x24" |
| "\x00\xb2\x7b\x0b\x5d\xf1\x96\x81\xbe\x3d\x81\xc5\x9a\x1a\x9e\x0d\x11" |
| "\x80\x1e\xff\x73\x1f\xb2\xa9\x20\xee\xe4\x60\x0d\x5b\x53\x9b\x18\x54" |
| "\x6c\xb0\x04\xd8\xf8\x9a\x7f\x06\xa8\x39\x76\x11\x97\x71\x5c\x17\xac" |
| "\x02\x22\xbb\x0b\xa0\xa7\x73\xa9\x23\xa6\x68\x10\x81\x11\xa4\x82\xf6" |
| "\x01\xf6\x92\x79\x33\xa0\x88\x6d\x0a\x15\xcc\x00\xfc\x7b\xb5\xd1\x51" |
| "\x96\x90\xe8\x1c\x17\xf0\x3e\x42\x96\xbd\xf2\x2b\x76\xe5\x0b\xd9\x12" |
| "\x56\x0a\x49\x7a\xfb\xda\x0f\x74\xce\xaa\xd8\xf1\x7d\x20\x59\x3e\x4d" |
| "\x82\xb1\x0b\x54\x4e\x6e\xf4\xe0\x77\x85\x0a\xf5\x9d\x2f\x48\xb8\x35" |
| "\x21\xfd\x95\xef\x75\x45\xc8\x7b\xa4\x89\x21\x86\x89\x0c\xa5\x62\xc1" |
| "\xbc\x4a\x98\xc8\xe2\x2c\xf9\x3a\x3e\x9e\x46\xd1\x52\x0c\xc5\x96\x5d" |
| "\xe5\x2e\xa7\x43\x32\xf4\xa9\x7c\xbc\x30\xc8\x37\x53\x17\x9f\xe0\x4d" |
| "\xd4\x27\x39\x66\x3d\x0d\x97\xf3\x79\xe0\xc4\xab\x4d\x26\x27\x3f\x24" |
| "\x95\x8b\xb0\x5e\x9b\x93\xef\x5d\xbb\x19\xe2\x23\xe9\x68\x0d\xe8\x40" |
| "\x2e\xf6\x89\x14\xd2\xd6\xa8\x12\x85\x95\x53\x5c\xb5\x22\xa2\xb9\x17" |
| "\x66\x43\x1f\xfa\x77\x91\xb3\xa8\x55\x41\x5c\x77\x6b\x99\xbf\xb0\x74" |
| "\x98\x29\xe1\x69\xa9\x18\x2f\xfc\xed\xe9\x64\x44\x20\x70\x73\x06\xe1" |
| "\xb0\xfe\x52\x6b\x7b\x60\xf6\x84\x1e\xec\xa0\xa3\x8d\x04\xfb\x60\x8f" |
| "\xc4\x07\xdf\x31\x7a\x2e\x9e\xd5\xbe\x6a\xca\xe2\xdc\xe2\xcb\xd3\x2d" |
| "\xd5\xa1\x7f\xb0\xb2\x72\x50\x1a\xb8\xaf\x79\x32\x90\xb7\x9d\xbd\x54" |
| "\xa2\xad\x7a\xf0\x6a\xbc\x2d\x27\x36\x07\x08\x7f\x60\x39\x64\x1d\x6c" |
| "\x56\x50\xb6\x37\x59\x04\xa6\xe8\x9d\xc2\x70\xc8\x29\xbb\xcc\x38\x90" |
| "\x60\x58\xd2\x71\x97\xa8\xdb\x09\x36\xed\x8a\x34\x9e\xf7\xc0\x00\x67" |
| "\x1b\x6a\xab\x30\xd3\xe9\x03\x83\xdc\x35\x11\x7b\x86\x3b\xfd\x95\x90" |
| "\xa7\xbd\x3a\x01\x06\x0e\x1f\x3e\x96\x5b\xf3\x55\xf0\x8a\x68\xae\x79" |
| "\xea\xef\x76\xbe\xd9\x0a\x14\x11\x12\x3d\x0d\x54\xd7\x68\x56\xe6\x71" |
| "\xa0\xac\x50\xee\xb1\xfb\xef\x71\x83\x50\xa6\xc2\x56\x5e\x49\xfb\x31" |
| "\x05\x09\x40\xb5\xb9\xb5\x8e\xd0\xc8\x27\x1f\x80\xd3\x74\xa4\x14\x5e" |
| "\x92\xaa\xcb\x99\x02\x01\x07\xe7\x9d\x43\xe4\xf0\xad\x75\xce\xea\x48" |
| "\x65\xd2\x25\x33\x85\x14\x88\xc1\xda\x93\x6e\x5c\x73\x41\x7d\xde\x16" |
| "\x9d\x7c\x37\xbb\x0d\xa7\xf0\x79\xd7\x40\xb2\xf5\x12\x76\x71\x74\xbd" |
| "\x09\xc4\xe7\x1e\x47\x78\xc7\x3e\x04\xde\x11\x9f\x79\xec\x5f\xb9\x01" |
| "\x4f\x5d\x9a\x53\xf2\x97\x2b\x09\x8e\x1d\x90\x1a\xfc\xa4\xac\xe4\xef" |
| "\xcc\x10\x17\x82\x18\x7d\xc2\xb9\x00\x54\x0e\xfc\xf4\x99\xeb\xb4\x6c" |
| "\x85\x9f\xfe\x2c\x11\x10\xa9\xdf\xe6\xbf\x9d\x6b\x3f\x00\x07\xf0\xed" |
| "\x44\x1b\xec\xd4\x46\x5d\x36\x37\x14\x76\xd9\x6d\x4f\xf4\xf6\x74\xc2" |
| "\x75\xe0\x38\x0d\x50\x31\xc8\x41\xa0\x9c\x2a\x2c\x80\x12\xb4\x6f\x7a" |
| "\x5e\xec\xd2\x74\x75\xda\xc9\x40\x02\x3b\xcf\x82\x48\x47\xbb\x3f\x57" |
| "\x43\x09\x78\xc1\x56\xf8\xb6\x36\x5c\xd2\x05\xde\xa1\x4e\xfb\x98\xf8" |
| "\x02\x9a\x71\x54\x69\x4a\xfa\x9b\xf4\x38\x4c\xbe\x7e\xa9\xf7\x09\x36" |
| "\x37\x1b\x67\x5d\xa8\x6f\x1f\xa1\x4f\x3a\xdd\xe9\x56\xe6\x1c\xe2\xe2" |
| "\x1a\x72\x5c\x81\xd4\xa6\x0a\x11\x8d\xc7\x0f\x5f\xeb\x67\x50\x72\xfd" |
| "\x61\xde\xef\xe7\xab\xa4\x27\x66\x56\x8f\x2a\xb9\x18\x60\xa7\xc4\xf7" |
| "\x0b\x14\x7d\x0e\x5f\x92\xa6\x0c\xf0\x22\x66\x6c\x02\x84\x80\xf8\x62" |
| "\xcd\x87\x8a\x43\x1f\x0d\xf7\xa5\x16\xe6\xfc\x19\x12\xaa\x0a\xbe\x60" |
| "\x8d\x2d\x4d\xca\xbc\xa7\x9a\x12\xce\x7f\xf5\x30\x18\xbd\xd9\x45\xc0" |
| "\x43\x97\xb6\x76\x5a\x53\x79\x43\x86\x9c\xd6\x0f\xda\x41\x1e\xb5\xa7" |
| "\xb2\xb2\x40\xa3\x4f\x0f\xaf\x1a\x56\xa3\xbe\x5f\x74\xa1\x26\xc5\xf7" |
| "\x0e\xe7\x50\x14\x33\xb7\x43\x78\x2f\xb6\x5d\xb5\xb0\x87\x54\x0b\x7f" |
| "\x82\xbb\x6e\xd3\x9c\xfa\xa1\xac\x22\x0d\x3d\x4e\x2a\xea\x23\x00\x87" |
| "\x43\x2e\xb2\x84\xc1\x65\x6d\x5e\x01\x89\x79\xb4\xd2\x82\x1f\x02\x68" |
| "\x7e\xf8\xc4\x42\x16\xa3\xd5\xa2\xd0\xd4\x27\x4e\x05\x79\xd5\x60\x1e" |
| "\xda\xa4\xdd\x26\xf6\xb4\x76\xe9\xb2\x13\xa2\x0b\xdd\x7e\x65\x1f\xea" |
| "\xda\x54\x71\xf0\x61\x15\x7e\x57\x45\xfe\x9c\x5f\x46\x50\x26\xec\xb9" |
| "\x86\xe2\xde\x37\x2b\x20\xdb\x92\x19\x28\xa5\x33\xb4\x42\xcd\xab\x4b" |
| "\x6b\x52\xb5\x2a\x03\xe3\x7c\x8b\x53\x91\xf5\xa0\x60\x2b\x23\xe7\x73" |
| "\xf2\x65\x43\x9d\x65\xb1\xee\x7f\xdb\xb3\x57\x4a\x3f\xa6\x9d\x53\x3b" |
| "\xe6\xc0\x5a\xfa\x44\x44\x6e\x34\xcc\x59\x00\xa0\xbf\x43\x3a\xc2\x0a" |
| "\xa6\x3c\xe8\x25\xd4\x35\xd8\xc5\x5d\x16\x8f\x91\xd4\x83\x0c\xd8\x97" |
| "\xe0\x0f\x97\x5a\x44\x71\x0d\x2d\x47\xee\xb8\xf6\x14\xc0\xbf\x82\xff" |
| "\x71\xed\xc5\x20\x9e\x12\x62\xe7\x30\x7f\x94\x76\x04\x01\x21\xc9\x98" |
| "\x6a\xa1\x3e\x5f\x08\xca\xfc\x71\x7a\x24\x65\x66\xd0\xc4\x0e\xc7\xf7" |
| "\xbc\x32\x08\x3a\xc6\x00\x15\xcf\xa1\xd0\x97\x07\x14\xe3\x81\xd4\x6e" |
| "\x5c\x40\x83\x09\xca\x6f\x90\x82\x8f\xfa\xb8\x1d\xf2\x1f\x6d\xc0\xc8" |
| "\xf8\x16\xce\xee\x58\x17\xa8\xf0\xed\xfe\xa0\xa5\x1a\x82\xad\x87\x91" |
| "\x93\x0b\x7d\x48\x66\x0a\x56\x15\xed\xa0\xeb\x53\xec\xa6\x22\xde\x0e" |
| "\x2f\x34\xa8\x89\xc4\x73\x5a\x80\xd5\x73\xfd\x36\xbe\x96\x69\x3e\x49" |
| "\xe0\x45\x37\xc8\x20\x27\x43\x4f\x8f\x2f\x8d\x28\x9d\x63\x14\x28\x53" |
| "\xb5\x06\xad\x6c\x44\x87\xce\x72\x8e\x5f\xf8\x92\xd8\xee\x96\xe8\x38" |
| "\x68\x9d\x0e\x71\x45\x6f\x11\x72\xf0\x31\xb2\x08\xe4\xe6\x4f\x53\xfe" |
| "\xca\x2f\xc1\xc5\xf7\xc9\x8c\x1a\x93\x20\x19\x93\x77\xcf\x2e\xa2\xf2" |
| "\xa9\xa1\x89\xc9\xa0\xdd\x50\xcc\x7f\x49\x05\xb8\x16\x41\x64\x30\x37" |
| "\xa5\xbb\xa7\xe3\x39\x8f\xde\x6e\x92\x8f\x22\xd2\xa8\x2c\x78\x12\xc8" |
| "\x16\xb0\x01\x5d\x36\x14\xc7\xb7\x7c\x87\x99\x58\xe3\xc9\xbc\xfc\x18" |
| "\x02\x5c\x73\x45\xf7\xd9\x14\x79\x13\x58\xaf\x88\x93\x6e\xf4\x60\x42" |
| "\xe2\xdb\xab\x8b\x93\x90\x2f\x8b\xd7\x3f\xf7\xee\x2e\x30\x27\x1d\x2b" |
| "\x6e\x90\x8e\x14\x5b\x7c\xfb\xb9\xce\x4d\x61\x76\x91\x77\x5e\xa3\x9d" |
| "\x3e\x75\xb3\xcc\x27\x17\x29\xe7\xd9\xcb\x97\x63\xc8\xaf\xb4\xf5\x73" |
| "\x9b\xe3\x98\x5e\xc9\xf0\xba\x2e\x2f\x48\x94\x8e\x13\x28\x61\x90\x33" |
| "\x00\x03\x4d\x74\x2c\x30\xdc\x93\x07\x0f\xf3\x1a\xea\x79\xa9\xb1\xdf" |
| "\xd5\xf0\xbc\xe5\xd5\x54\x31\xba\x9b\xf8\xbc\x00\x32\x48\xcf\x77\x44" |
| "\x38\x2e\x1d\x4c\xc7\x5c\x3b\x6f\xd2\xc6\xe5\xac\x96\x83\x5d\x99\x39" |
| "\x62\xa8\x77\x2e\x25\x9b\x82\x35\xc1\xf3\x28\xa4\xe8\x71\xd7\x0c\x8e" |
| "\x59\x8f\x60\x8d\x6c\xde\x86\xb7\xf0\xb5\xf5\x84\x37\x85\xb3\x28", |
| 4096)); |
| NONFAILING(*(uint64_t*)0x20001588 = 0x1000); |
| NONFAILING(*(uint64_t*)0x20001590 = 0x20001240); |
| NONFAILING(memcpy((void*)0x20001240, |
| "\xf8\x7f\xdd\x22\xa1\x3c\x7e\xfa\xe2\x6a", 10)); |
| NONFAILING(*(uint64_t*)0x20001598 = 0xa); |
| NONFAILING(*(uint64_t*)0x200015a0 = 0x20001280); |
| NONFAILING(*(uint64_t*)0x200015a8 = 0); |
| NONFAILING(*(uint64_t*)0x200015b0 = 0x200012c0); |
| NONFAILING(memcpy( |
| (void*)0x200012c0, |
| "\x38\x8e\xc3\x4f\x70\x7d\x5e\x9c\xb3\x22\x82\x11\x70\x93\x70\xb8\x96" |
| "\x7e\x44\x5a\x9d\xc8\x2b\x56\x45\x55\xa9\x24\x93\xbb\x1e\x8b\x27\xec" |
| "\x1b\xa5\x59\xf7\xdc\x9b\xbb\xed\xf8\xaf\x0d\xac\xfd\x9e\x69\x73\xde" |
| "\x94\x07\x47\x5b\xd2\x73\x0e\x07\xa2\x74\x52\xde\xc5\xa8\xf4\x28\x38" |
| "\xdd\xef\x8c\x6d\x9d\x0c\xc9\xbb\xe1\x04\xfb\xf4\xe5\x23\x1f\x64\x25" |
| "\x5e\x67\xfe\x1d\x89\x31\x8f\xb6\xfa\x26\x6a\xe1\x93\x74", |
| 99)); |
| NONFAILING(*(uint64_t*)0x200015b8 = 0x63); |
| NONFAILING(*(uint64_t*)0x200015c0 = 0x20001340); |
| NONFAILING(memcpy( |
| (void*)0x20001340, |
| "\xdc\x5d\x0f\x69\xc7\xb2\xc6\x3b\x5f\x6c\xa1\x9d\x5d\x51\xd1\x58\xe7" |
| "\xe2\xad\xa9\x7f\x25\x27\xb7\xe9\x2b\x14\x8d\xa1\x0a\x04\x97\xd9\xc9" |
| "\xa9\x74\xa8\xf5\x75\x59\x82\x8e\xb1\x3b\x21\x2c\x6f\x23\xc0\xbc\xd4" |
| "\xa5\x0d\x31\x94\x62\xe4\x27\xf1\x53\xc6\x92\xf2\x8b\xd7\x3e\xca\x4f" |
| "\xf1\x38\xd8\xec\x64\x69\xcb\x35\xbc\xbc\xc1\x54\x6b\xd4\x87\x2f\x80" |
| "\x0e\x34\xa0\x98\x70\x2d\xc2\x0c\x34\xe1\x8e\xdc\x69\xc9\x8b\x98\x5f" |
| "\x3a\x77\x78\x18\xff\xbd\xa2\x97\x19\x42\xc7\x96\x01\x29\xf4\xe1\xd7" |
| "\xfe\xe9\x12\xef\x88\x24\xfc\x78\xd6\x5e\x75", |
| 130)); |
| NONFAILING(*(uint64_t*)0x200015c8 = 0x82); |
| NONFAILING(*(uint64_t*)0x200015d0 = 0x20001400); |
| NONFAILING(*(uint64_t*)0x200015d8 = 0); |
| NONFAILING(*(uint64_t*)0x200015e0 = 0x20001480); |
| NONFAILING(*(uint64_t*)0x200015e8 = 0); |
| NONFAILING(*(uint64_t*)0x20002198 = 7); |
| NONFAILING(*(uint64_t*)0x200021a0 = 0); |
| NONFAILING(*(uint64_t*)0x200021a8 = 0); |
| NONFAILING(*(uint32_t*)0x200021b0 = 0x20000800); |
| NONFAILING(*(uint64_t*)0x200021b8 = 0x20001600); |
| NONFAILING(*(uint16_t*)0x20001600 = 0); |
| NONFAILING(*(uint8_t*)0x20001602 = 0); |
| NONFAILING(*(uint32_t*)0x20001604 = 0x4e24); |
| NONFAILING(*(uint32_t*)0x200021c0 = 0x6e); |
| NONFAILING(*(uint64_t*)0x200021c8 = 0x20001b80); |
| NONFAILING(*(uint64_t*)0x20001b80 = 0x20001680); |
| NONFAILING(*(uint64_t*)0x20001b88 = 0); |
| NONFAILING(*(uint64_t*)0x20001b90 = 0x20001700); |
| NONFAILING(memcpy( |
| (void*)0x20001700, |
| "\x96\x3f\x66\x99\xbe\x2b\xd0\x1a\xd8\x92\x29\x51\x13\xda\x63\x3d\xae" |
| "\x7e\x73\x47\x40\x41\x8a\x07\x78\x7e\x4f\x22\x48\x8d\xf1\xa8\x9b\x8f" |
| "\x53\xc1\xa0\xac\xec\xf5\x57\x60\xbb\xd3\x82\x57\xe3\x82\xc0\xbc\xd9" |
| "\x80\x36\xa7\xa0\xa4\x36\x0b\xcb\xf2\x2f\xcc\xd0\xdf\x91\x6e\xcb\xbd" |
| "\x2f\x4a\x5f\x46\xcc\x46\xf6\x9e\xe1\xa1\xdb\x29\x41\x26\xee\x2f\x4d" |
| "\x26\x01\x9f\xbd\x69\xda\xd6\xcf\x99\xef\xd6\x2c\xd3\x8c\x93\x81\x36" |
| "\xb9\xd8\x79\x66\x1a\x8a\x10\xe9\x05\xd6\xa2\x0d\xbc\x1e\xf5\xf2\xb9" |
| "\xa2\xad\xea\x7f\xb0\x04\xa7\xbd\xee\x6b\xde\x66\x1d\xff\x3d\x2c\x76" |
| "\xa2\x10\x03\x4e\xb9\xbc\x85\x23\x70\xb6\x42\x3b\x2f\x80\x1f\x73\xa3" |
| "\x1b\xa9\xbe\xf3\xa3\x9f\xca\x0d\xfa\x08\x4b\x0e\xe5\xff\xeb\xb2\xa6" |
| "\x26\xb0\xc2\x95\x94\x0e\xff\x81\x09\x02\xab\x19\x9b\x28\x3c\x6b\x9a" |
| "\x9d\x89\xeb\x1c\x65\xf1\xae\x53\xb6\x79\x37\x87\xca\xba\xed\x21\x6e" |
| "\x6c\x7a\x75\x01\x05\xb8\x76\x4e\x3e\x4a\x22\x1f\x3c\x7a\x8f\x6d\x7b" |
| "\x77\x16\xf1\xd4\x38\x50\x0c\x13\x99\x3b\xc6\xac", |
| 233)); |
| NONFAILING(*(uint64_t*)0x20001b98 = 0xe9); |
| NONFAILING(*(uint64_t*)0x20001ba0 = 0x20001800); |
| NONFAILING(*(uint64_t*)0x20001ba8 = 0); |
| NONFAILING(*(uint64_t*)0x20001bb0 = 0x200018c0); |
| NONFAILING(memcpy((void*)0x200018c0, "\xeb\xbe\x9c\x91\xc8\xc4\x13\x75\x78" |
| "\x4f\xfe\x2b\x8d\xc5\x9e\x10\xf8\xf6" |
| "\xa0\x88\x87", |
| 21)); |
| NONFAILING(*(uint64_t*)0x20001bb8 = 0x15); |
| NONFAILING(*(uint64_t*)0x20001bc0 = 0x20001900); |
| NONFAILING(memcpy( |
| (void*)0x20001900, |
| "\xfb\x92\x59\xe6\xae\xa9\x02\x5e\x52\xd3\x52\x5a\x82\xf6\xb0\x37\xd2" |
| "\x65\xa2\x85\xf5\x4d\x95\xf4\xf4\x86\xb4\x27\xe5\xed\x3f\x40\x8c\x72" |
| "\xa6\xce\x2b\x24\x2a\xde\xa9\xee\x0e\xb4\xa6\x23\x74\x63\xb5\x19\xbe" |
| "\xe2\x61\x32\x3a\xec\xcb\xc4\x84\x07\x32\x86\x23\x98\xc8\x0e\x10\x82" |
| "\xda\xe1\x2b\x4c\xee\x5f\xd6\xe8\x46\x35\x99\x0d\xaf\xcd\x09\xd6\x05" |
| "\xd4\xef\xe3\x25\x10\x82\xa4\xfe\x95\xb8\x3c\x19\x27\xca\x43\x67\x72" |
| "\xfd\x8e\x6d\x98\x6c\x83\x8d\x5f\x5f\x9c\x39\x62\xb1\xa1\x11\x78\x8a" |
| "\x49\x5b\x4b\x31\x0d\xd6\x75\xcd\x59\x0d\x7a\x01\xf5\xf1\x84\x50\xf9" |
| "\xa7\x74\xe5\xa1\xc2\x80\x6f\x3d\xba\x74\x36\x5f\xa4\xd9\x8d\x43\xda" |
| "\xe8\x7b\x6e\x84\x8a\x2a\xe8\x8d\x12\xf4\x9c\x48\xbe\x5d\x0e\x00\x0b" |
| "\xc8\xff\xab\x06\xb6\xe9\xc6\xc2\x9b\xdb\xf2\xd6\x87\x18\xce\xe2\x2b" |
| "\x7f\xc6\x0a\xe5\xd6\x4a\x3b\xf8\xc3\xef\x04\xf5\x9d\xde\x17\x16\xf5" |
| "\x3e\x0e\x66\xe3\xbf\x37\xba\x31\x2e\x3b\xd6\xad\x23\x26\xfd\xfe\x38" |
| "\xa7\xf8\x10", |
| 224)); |
| NONFAILING(*(uint64_t*)0x20001bc8 = 0xe0); |
| NONFAILING(*(uint64_t*)0x20001bd0 = 0x20001a00); |
| NONFAILING(*(uint64_t*)0x20001bd8 = 0); |
| NONFAILING(*(uint64_t*)0x20001be0 = 0x20001a40); |
| NONFAILING(*(uint64_t*)0x20001be8 = 0); |
| NONFAILING(*(uint64_t*)0x20001bf0 = 0x20001b00); |
| NONFAILING(*(uint64_t*)0x20001bf8 = 0); |
| NONFAILING(*(uint64_t*)0x20001c00 = 0x20001b40); |
| NONFAILING(*(uint64_t*)0x20001c08 = 0); |
| NONFAILING(*(uint64_t*)0x200021d0 = 9); |
| NONFAILING(*(uint64_t*)0x200021d8 = 0x20001d40); |
| NONFAILING(*(uint32_t*)0x20001d40 = -1); |
| NONFAILING(*(uint32_t*)0x20001d44 = -1); |
| NONFAILING(*(uint32_t*)0x20001d48 = -1); |
| NONFAILING(*(uint32_t*)0x20001d4c = r[12]); |
| NONFAILING(*(uint32_t*)0x20001d50 = -1); |
| NONFAILING(*(uint32_t*)0x20001d54 = -1); |
| NONFAILING(*(uint32_t*)0x20001d58 = r[13]); |
| NONFAILING(*(uint32_t*)0x20001d5c = -1); |
| NONFAILING(memcpy((void*)0x20001d60, "\x00\x00\x00\x00\x20\x00\x00\x00\x00" |
| "\x00\x00\x00\x01\x00\x00\x00\x01\x00" |
| "\x00\x00", |
| 20)); |
| NONFAILING(*(uint32_t*)0x20001d74 = r[12]); |
| NONFAILING(*(uint32_t*)0x20001d78 = r[12]); |
| NONFAILING(*(uint32_t*)0x20001d7c = -1); |
| NONFAILING(memcpy((void*)0x20001d80, "\x00\x00\x00\x00", 4)); |
| NONFAILING(*(uint64_t*)0x200021e0 = 0x44); |
| NONFAILING(*(uint32_t*)0x200021e8 = 0x4000000); |
| NONFAILING(*(uint64_t*)0x200021f0 = 0x20001dc0); |
| NONFAILING(*(uint16_t*)0x20001dc0 = 0x89b8); |
| NONFAILING(*(uint8_t*)0x20001dc2 = 0); |
| NONFAILING(*(uint32_t*)0x20001dc4 = 0x4e24); |
| NONFAILING(*(uint32_t*)0x200021f8 = 0x6e); |
| NONFAILING(*(uint64_t*)0x20002200 = 0x20001ec0); |
| NONFAILING(*(uint64_t*)0x20001ec0 = 0x20001e40); |
| NONFAILING(*(uint64_t*)0x20001ec8 = 0); |
| NONFAILING(*(uint64_t*)0x20002208 = 1); |
| NONFAILING(*(uint64_t*)0x20002210 = 0x20002140); |
| NONFAILING(*(uint64_t*)0x20002140 = 0x20); |
| NONFAILING(*(uint32_t*)0x20002148 = 1); |
| NONFAILING(*(uint32_t*)0x2000214c = 2); |
| NONFAILING(*(uint32_t*)0x20002150 = 0); |
| NONFAILING(*(uint32_t*)0x20002154 = r[14]); |
| NONFAILING(*(uint32_t*)0x20002158 = 0); |
| NONFAILING(*(uint64_t*)0x20002218 = 0x20); |
| NONFAILING(*(uint32_t*)0x20002220 = 0x24000800); |
| syscall(__NR_sendmmsg, r[12], 0x20002180, 3, 4); |
| break; |
| case 52: |
| NONFAILING(*(uint32_t*)0x200001c0 = 0); |
| syscall(__NR_setsockopt, -1, 0x84, 0x78, 0x200001c0, 4); |
| break; |
| case 53: |
| NONFAILING(*(uint32_t*)0x200016c0 = 0); |
| NONFAILING(*(uint32_t*)0x200016c4 = 0); |
| NONFAILING(*(uint32_t*)0x200016c8 = 0); |
| NONFAILING(*(uint32_t*)0x200016cc = 0); |
| NONFAILING(*(uint32_t*)0x200016d0 = 0); |
| NONFAILING(*(uint32_t*)0x200016d4 = 0); |
| syz_emit_ethernet(1, 0x20000040, 0x200016c0); |
| break; |
| case 54: |
| NONFAILING(*(uint32_t*)0x200000c0 = 0xe); |
| res = syscall(__NR_accept4, -1, 0x20000080, 0x200000c0, 0x80000); |
| if (res != -1) |
| r[15] = res; |
| break; |
| case 55: |
| NONFAILING(*(uint32_t*)0x20000100 = 0x8f0); |
| syscall(__NR_setsockopt, r[15], 0x112, 0xa, 0x20000100, 4); |
| break; |
| case 56: |
| NONFAILING(memcpy((void*)0x20000300, |
| "\x29\x5e\xe1\x01\x04\x12\xd4\x77\x67\x10\x70", 11)); |
| syscall(__NR_ioctl, -1, 0x4000008912, 0x20000300); |
| break; |
| case 57: |
| syscall(__NR_socket, 0x26, 5, 0); |
| break; |
| case 58: |
| NONFAILING(*(uint64_t*)0x20000180 = 0x20000080); |
| NONFAILING(*(uint16_t*)0x20000080 = 0x10); |
| NONFAILING(*(uint16_t*)0x20000082 = 0); |
| NONFAILING(*(uint32_t*)0x20000084 = 0); |
| NONFAILING(*(uint32_t*)0x20000088 = 0); |
| NONFAILING(*(uint32_t*)0x20000188 = 0xc); |
| NONFAILING(*(uint64_t*)0x20000190 = 0x20000140); |
| NONFAILING(*(uint64_t*)0x20000140 = 0x20000240); |
| NONFAILING(*(uint64_t*)0x20000148 = 0); |
| NONFAILING(*(uint64_t*)0x20000198 = 1); |
| NONFAILING(*(uint64_t*)0x200001a0 = 0); |
| NONFAILING(*(uint64_t*)0x200001a8 = 0); |
| NONFAILING(*(uint32_t*)0x200001b0 = 0); |
| syscall(__NR_sendmsg, -1, 0x20000180, 0xc000); |
| break; |
| case 59: |
| res = syscall(__NR_socket, 0x29, 2, 0); |
| if (res != -1) |
| r[16] = res; |
| break; |
| case 60: |
| syscall(__NR_ioctl, r[16], 0x8912, 0x20000000); |
| break; |
| case 61: |
| res = syscall(__NR_socket, 0x10, 3, 0); |
| if (res != -1) |
| r[17] = res; |
| break; |
| case 62: |
| NONFAILING(memcpy( |
| (void*)0x20000080, |
| "\x67\x72\x65\x74\x61\x70\x30\x00\x00\x00\x00\x00\x00\x00\x00\x00", |
| 16)); |
| syscall(__NR_ioctl, r[17], 0x89a0, 0x20000080); |
| break; |
| case 63: |
| syscall(__NR_socket, 0xd, 0x803, 1); |
| break; |
| case 64: |
| syscall(__NR_socket, 0x2018, 0, 0); |
| break; |
| case 65: |
| NONFAILING(*(uint32_t*)0x20000000 = 0x80); |
| syscall(__NR_accept, -1, 0x20000080, 0x20000000); |
| break; |
| case 66: |
| syscall(__NR_socket, 0xa, 1, 0); |
| break; |
| case 67: |
| syscall(__NR_socket, 2, 6, 0); |
| break; |
| case 68: |
| res = syscall(__NR_socket, 0x10, 3, 0x8000000004); |
| if (res != -1) |
| r[18] = res; |
| break; |
| case 69: |
| syscall(__NR_ioctl, r[18], 0x100, 0x20000000); |
| break; |
| case 70: |
| NONFAILING(*(uint64_t*)0x20e11ff0 = 0x20000140); |
| NONFAILING(*(uint64_t*)0x20e11ff8 = 0); |
| syscall(__NR_writev, r[18], 0x20e11ff0, 1); |
| break; |
| case 71: |
| NONFAILING(*(uint32_t*)0x200000c0 = r[18]); |
| NONFAILING(*(uint32_t*)0x200000c4 = 0); |
| NONFAILING(*(uint64_t*)0x200000c8 = 1); |
| NONFAILING(*(uint64_t*)0x200000d0 = 3); |
| NONFAILING(*(uint64_t*)0x200000d8 = 5); |
| syscall(__NR_ioctl, r[18], 0x4020940d, 0x200000c0); |
| break; |
| case 72: |
| res = syscall(__NR_socket, 0xa, 1, 0); |
| if (res != -1) |
| r[19] = res; |
| break; |
| case 73: |
| syscall(__NR_ioctl, r[19], 0x4000008912, 0x20000100); |
| break; |
| case 74: |
| NONFAILING(*(uint32_t*)0x20000000 = 2); |
| syscall(__NR_setsockopt, r[19], 0x29, 1, 0x20000000, 4); |
| break; |
| case 75: |
| syscall(__NR_socket, 2, 2, 0); |
| break; |
| case 76: |
| res = syscall(__NR_socket, 0xa, 0x1000000000002, 0); |
| if (res != -1) |
| r[20] = res; |
| break; |
| case 77: |
| NONFAILING(memcpy((void*)0x20000280, |
| "\x02\x5c\xc8\x3d\x6d\x34\x5f\x8f\x76\x00\x70", 11)); |
| syscall(__NR_ioctl, r[20], 0x8912, 0x20000280); |
| break; |
| case 78: |
| syscall(__NR_socketpair, 2, 6, 0, 0x20000000); |
| break; |
| case 79: |
| syscall(__NR_socket, 0x26, 5, 0); |
| break; |
| case 80: |
| res = syscall(__NR_socket, 0xa, 1, 0xab); |
| if (res != -1) |
| r[21] = res; |
| break; |
| case 81: |
| NONFAILING(memcpy((void*)0x20000100, |
| "\x29\x5e\xe1\x31\x1f\x16\xf4\x77\x67\x10\x70", 11)); |
| syscall(__NR_ioctl, r[21], 0x4000008912, 0x20000100); |
| break; |
| case 82: |
| res = syscall(__NR_socket, 2, 2, 0); |
| if (res != -1) |
| r[22] = res; |
| break; |
| case 83: |
| NONFAILING(*(uint32_t*)0x20000080 = 5); |
| NONFAILING(*(uint32_t*)0x20000084 = 5); |
| NONFAILING(*(uint32_t*)0x20000088 = 0x3f); |
| NONFAILING(*(uint32_t*)0x2000008c = 0xbd4); |
| NONFAILING(*(uint32_t*)0x20000090 = 4); |
| NONFAILING(*(uint64_t*)0x20000098 = 0x7f); |
| syscall(__NR_ioctl, -1, 0xc0206416, 0x20000080); |
| break; |
| case 84: |
| NONFAILING(*(uint32_t*)0x20000100 = 1); |
| NONFAILING(memcpy( |
| (void*)0x20000104, |
| "\x69\x72\x6c\x61\x6e\x30\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", |
| 16)); |
| NONFAILING(*(uint32_t*)0x20000114 = 1); |
| syscall(__NR_setsockopt, r[22], 0, 0x48c, 0x20000100, 0x18); |
| break; |
| case 85: |
| NONFAILING(*(uint32_t*)0x20000100 = 0); |
| syscall(__NR_setsockopt, -1, 0x10e, 2, 0x20000100, 4); |
| break; |
| case 86: |
| res = syscall(__NR_socket, 0x2b, 1, 0); |
| if (res != -1) |
| r[23] = res; |
| break; |
| case 87: |
| NONFAILING(*(uint32_t*)0x20001800 = 4); |
| NONFAILING(*(uint64_t*)0x20001808 = 0x200017c0); |
| NONFAILING(*(uint32_t*)0x200017c0 = 0x3e6); |
| NONFAILING(*(uint32_t*)0x200017c4 = 5); |
| NONFAILING(*(uint32_t*)0x200017c8 = 2); |
| NONFAILING(*(uint32_t*)0x200017cc = 8); |
| syscall(__NR_ioctl, -1, 0x4010641a, 0x20001800); |
| break; |
| case 88: |
| syscall(__NR_listen, r[23], 0); |
| break; |
| case 89: |
| NONFAILING(*(uint32_t*)0x200005c0 = 0); |
| NONFAILING(*(uint32_t*)0x200005c4 = 0); |
| NONFAILING(*(uint64_t*)0x200005c8 = 3); |
| res = syscall(__NR_ioctl, -1, 0xc010640b, 0x200005c0); |
| if (res != -1) |
| NONFAILING(r[24] = *(uint32_t*)0x200005c4); |
| break; |
| case 90: |
| NONFAILING(*(uint32_t*)0x20001740 = 0); |
| NONFAILING(*(uint32_t*)0x20001744 = r[24]); |
| NONFAILING(*(uint64_t*)0x20001748 = 3); |
| res = syscall(__NR_ioctl, -1, 0xc010640b, 0x20001740); |
| if (res != -1) |
| NONFAILING(r[25] = *(uint32_t*)0x20001740); |
| break; |
| case 91: |
| NONFAILING(*(uint32_t*)0x200000c0 = 0); |
| NONFAILING(*(uint32_t*)0x200000c4 = r[25]); |
| syscall(__NR_ioctl, 0xffffff9c, 0xc008640a, 0x200000c0); |
| break; |
| case 92: |
| NONFAILING(*(uint32_t*)0x20002840 = 0x1000); |
| syscall(__NR_getsockopt, -1, 1, 0x37, 0x20001840, 0x20002840); |
| break; |
| case 93: |
| NONFAILING(*(uint32_t*)0x200002c0 = 8); |
| syscall(__NR_getsockopt, r[23], 1, 0x39, 0x20000280, 0x200002c0); |
| break; |
| case 94: |
| NONFAILING(*(uint32_t*)0x20000200 = 4); |
| NONFAILING(*(uint64_t*)0x20000208 = 0x200001c0); |
| syscall(__NR_ioctl, -1, 0xc0106426, 0x20000200); |
| break; |
| case 95: |
| NONFAILING(*(uint32_t*)0x20000080 = 0x68); |
| syscall(__NR_getsockopt, r[23], 0, 0x483, 0x20000000, 0x20000080); |
| break; |
| case 96: |
| syscall(__NR_socket, 0x18, 1, 0); |
| break; |
| } |
| } |
| |
| void execute_one() |
| { |
| execute(97); |
| collide = 1; |
| execute(97); |
| } |
| |
| int main() |
| { |
| syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0); |
| install_segv_handler(); |
| char* cwd = get_current_dir_name(); |
| for (;;) { |
| if (chdir(cwd)) |
| fail("failed to chdir"); |
| use_temporary_dir(); |
| int pid = do_sandbox_none(); |
| int status = 0; |
| while (waitpid(pid, &status, __WALL) != pid) { |
| } |
| } |
| } |