net/udp: slab-out-of-bounds in udp_recvmsg/do_csum

From: Andrey Konovalov
Date: Mon Feb 20 2017 - 07:51:49 EST

Hi,

I've got the following error report while fuzzing the kernel with syzkaller.

On commit c470abd4fde40ea6a0846a2beab642a578c0b8cd (4.10).

A reproducer and .config are attached.

BUG: KASAN: slab-out-of-bounds in do_csum+0x333/0x360
arch/x86/lib/csum-partial_64.c:102 at addr ffff880053c47100
Read of size 4 by task syz-executor2/7429
CPU: 2 PID: 7429 Comm: syz-executor2 Not tainted 4.10.0-rc8+ #5
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:15 [inline]
dump_stack+0x292/0x398 lib/dump_stack.c:51
kasan_object_err+0x1c/0x70 mm/kasan/report.c:162
print_address_description mm/kasan/report.c:200 [inline]
kasan_report_error mm/kasan/report.c:289 [inline]
kasan_report.part.1+0x20e/0x4e0 mm/kasan/report.c:311
kasan_report mm/kasan/report.c:331 [inline]
__asan_report_load4_noabort+0x29/0x30 mm/kasan/report.c:331
do_csum+0x333/0x360 arch/x86/lib/csum-partial_64.c:102
csum_partial+0x21/0x30 arch/x86/lib/csum-partial_64.c:135
ip_cmsg_recv_checksum net/ipv4/ip_sockglue.c:120 [inline]
ip_cmsg_recv_offset+0xf57/0x1240 net/ipv4/ip_sockglue.c:231
udp_recvmsg+0xf86/0x1380 net/ipv4/udp.c:1494
inet_recvmsg+0x13e/0x610 net/ipv4/af_inet.c:775
sock_recvmsg_nosec net/socket.c:742 [inline]
sock_recvmsg+0xd7/0x110 net/socket.c:749
SYSC_recvfrom+0x33a/0x720 net/socket.c:1738
SyS_recvfrom+0x40/0x50 net/socket.c:1711
entry_SYSCALL_64_fastpath+0x1f/0xc2
RIP: 0033:0x4458b9
RSP: 002b:00007f3f404d7b58 EFLAGS: 00000282 ORIG_RAX: 000000000000002d
RAX: ffffffffffffffda RBX: 0000000000000006 RCX: 00000000004458b9
RDX: 0000000000000000 RSI: 0000000020cf2ffc RDI: 0000000000000006
RBP: 00000000006e1740 R08: 0000000020cf2ff0 R09: 0000000000000010
R10: 0000000100000042 R11: 0000000000000282 R12: 0000000000708000
R13: 0000000000000016 R14: 0000000020153000 R15: 0000000000000215
Object at ffff880053c46ed8, in cache kmalloc-512 size: 512
Allocated:
PID = 7429
save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
save_stack+0x43/0xd0 mm/kasan/kasan.c:502
set_track mm/kasan/kasan.c:514 [inline]
kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:605
kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:544
slab_post_alloc_hook mm/slab.h:432 [inline]
slab_alloc_node mm/slub.c:2715 [inline]
__kmalloc_node_track_caller+0x20e/0x360 mm/slub.c:4262
__kmalloc_reserve.isra.34+0x41/0xd0 net/core/skbuff.c:138
__alloc_skb+0x159/0x800 net/core/skbuff.c:231
alloc_skb include/linux/skbuff.h:926 [inline]
alloc_skb_with_frags+0x12e/0x7b0 net/core/skbuff.c:4657
sock_alloc_send_pskb+0x804/0xa30 net/core/sock.c:1887
sock_alloc_send_skb+0x32/0x40 net/core/sock.c:1904
__ip_append_data.isra.48+0x1780/0x2ca0 net/ipv4/ip_output.c:1028
ip_append_data.part.49+0xe9/0x160 net/ipv4/ip_output.c:1226
ip_append_data+0x68/0x80 net/ipv4/ip_output.c:1215
udp_sendmsg+0x1a1f/0x2b80 net/ipv4/udp.c:1085
inet_sendmsg+0x164/0x5b0 net/ipv4/af_inet.c:744
sock_sendmsg_nosec net/socket.c:635 [inline]
sock_sendmsg+0xca/0x110 net/socket.c:645
SYSC_sendto+0x660/0x810 net/socket.c:1687
SyS_sendto+0x40/0x50 net/socket.c:1655
entry_SYSCALL_64_fastpath+0x1f/0xc2
Freed:
PID = 785
save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
save_stack+0x43/0xd0 mm/kasan/kasan.c:502
set_track mm/kasan/kasan.c:514 [inline]
kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:578
slab_free_hook mm/slub.c:1355 [inline]
slab_free_freelist_hook mm/slub.c:1377 [inline]
slab_free mm/slub.c:2958 [inline]
kfree+0xe8/0x2b0 mm/slub.c:3878
skb_free_head+0x74/0xb0 net/core/skbuff.c:580
skb_release_data+0x3a7/0x470 net/core/skbuff.c:611
skb_release_all+0x4a/0x60 net/core/skbuff.c:670
__kfree_skb+0x15/0x20 net/core/skbuff.c:684
kfree_skb+0x16e/0x4e0 net/core/skbuff.c:705
netlink_sock_destruct+0x14d/0x400 net/netlink/af_netlink.c:333
__sk_destruct+0xe1/0x6e0 net/core/sock.c:1430
sk_destruct+0x47/0x80 net/core/sock.c:1460
__sk_free+0x57/0x230 net/core/sock.c:1468
sk_free+0x23/0x30 net/core/sock.c:1479
netlink_sock_destruct_work+0x19/0x20 net/netlink/af_netlink.c:353
process_one_work+0xc06/0x1c20 kernel/workqueue.c:2098
worker_thread+0x223/0x19c0 kernel/workqueue.c:2232
kthread+0x326/0x3f0 kernel/kthread.c:227
ret_from_fork+0x31/0x40 arch/x86/entry/entry_64.S:430
Memory state around the buggy address:
ffff880053c47000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff880053c47080: 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc
>ffff880053c47100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff880053c47180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff880053c47200: fc fc fc fc fc fc fb fb fb fb fb fb fb fb fb fb
==================================================================
// autogenerated by syzkaller (http://github.com/google/syzkaller)

#ifndef __NR_poll
#define __NR_poll 7
#endif
#ifndef __NR_recvfrom
#define __NR_recvfrom 45
#endif
#ifndef __NR_mmap
#define __NR_mmap 9
#endif
#ifndef __NR_socket
#define __NR_socket 41
#endif
#ifndef __NR_setsockopt
#define __NR_setsockopt 54
#endif
#ifndef __NR_bind
#define __NR_bind 49
#endif
#ifndef __NR_sendto
#define __NR_sendto 44
#endif

#define _GNU_SOURCE

#include <sys/ioctl.h>
#include <sys/mman.h>
#include <sys/mount.h>
#include <sys/prctl.h>
#include <sys/resource.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/time.h>
#include <sys/types.h>
#include <sys/wait.h>

#include <linux/capability.h>
#include <linux/if.h>
#include <linux/if_tun.h>
#include <linux/kvm.h>
#include <linux/sched.h>
#include <net/if_arp.h>

#include <assert.h>
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <pthread.h>
#include <setjmp.h>
#include <signal.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

const int kFailStatus = 67;
const int kErrorStatus = 68;
const int kRetryStatus = 69;

__attribute__((noreturn)) void doexit(int status)
{
volatile unsigned i;
syscall(__NR_exit_group, status);
for (i = 0;; i++) {
}
}

__attribute__((noreturn)) void fail(const char* msg, ...)
{
int e = errno;
fflush(stdout);
va_list args;
va_start(args, msg);
vfprintf(stderr, msg, args);
va_end(args);
fprintf(stderr, " (errno %d)\n", e);
doexit(e == ENOMEM ? kRetryStatus : kFailStatus);
}

__attribute__((noreturn)) void exitf(const char* msg, ...)
{
int e = errno;
fflush(stdout);
va_list args;
va_start(args, msg);
vfprintf(stderr, msg, args);
va_end(args);
fprintf(stderr, " (errno %d)\n", e);
doexit(kRetryStatus);
}

static int flag_debug;

void debug(const char* msg, ...)
{
if (!flag_debug)
return;
va_list args;
va_start(args, msg);
vfprintf(stdout, msg, args);
va_end(args);
fflush(stdout);
}

__thread int skip_segv;
__thread jmp_buf segv_env;

static void segv_handler(int sig, siginfo_t* info, void* uctx)
{
uintptr_t addr = (uintptr_t)info->si_addr;
const uintptr_t prog_start = 1 << 20;
const uintptr_t prog_end = 100 << 20;
if (__atomic_load_n(&skip_segv, __ATOMIC_RELAXED) &&
(addr < prog_start || addr > prog_end)) {
debug("SIGSEGV on %p, skipping\n", addr);
_longjmp(segv_env, 1);
}
debug("SIGSEGV on %p, exiting\n", addr);
doexit(sig);
for (;;) {
}
}

static void install_segv_handler()
{
struct sigaction sa;
memset(&sa, 0, sizeof(sa));
sa.sa_sigaction = segv_handler;
sa.sa_flags = SA_NODEFER | SA_SIGINFO;
sigaction(SIGSEGV, &sa, NULL);
sigaction(SIGBUS, &sa, NULL);
}

#define NONFAILING(...) \
{ \
__atomic_fetch_add(&skip_segv, 1, __ATOMIC_SEQ_CST); \
if (_setjmp(segv_env) == 0) { \
__VA_ARGS__; \
} \
__atomic_fetch_sub(&skip_segv, 1, __ATOMIC_SEQ_CST); \
}

#define BITMASK_LEN(type, bf_len) (type)((1ull << (bf_len)) - 1)

#define BITMASK_LEN_OFF(type, bf_off, bf_len) \
(type)(BITMASK_LEN(type, (bf_len)) << (bf_off))

#define STORE_BY_BITMASK(type, addr, val, bf_off, bf_len) \
if ((bf_off) == 0 && (bf_len) == 0) { \
*(type*)(addr) = (type)(val); \
} else { \
type new_val = *(type*)(addr); \
new_val &= ~BITMASK_LEN_OFF(type, (bf_off), (bf_len)); \
new_val |= ((type)(val)&BITMASK_LEN(type, (bf_len))) << (bf_off); \
*(type*)(addr) = new_val; \
}

static uintptr_t execute_syscall(int nr, uintptr_t a0, uintptr_t a1,
uintptr_t a2, uintptr_t a3,
uintptr_t a4, uintptr_t a5,
uintptr_t a6, uintptr_t a7,
uintptr_t a8)
{
switch (nr) {
default:
return syscall(nr, a0, a1, a2, a3, a4, a5);
}
}

static void setup_main_process()
{
struct sigaction sa;
memset(&sa, 0, sizeof(sa));
sa.sa_handler = SIG_IGN;
syscall(SYS_rt_sigaction, 0x20, &sa, NULL, 8);
syscall(SYS_rt_sigaction, 0x21, &sa, NULL, 8);
install_segv_handler();

char tmpdir_template[] = "./syzkaller.XXXXXX";
char* tmpdir = mkdtemp(tmpdir_template);
if (!tmpdir)
fail("failed to mkdtemp");
if (chmod(tmpdir, 0777))
fail("failed to chmod");
if (chdir(tmpdir))
fail("failed to chdir");
}

static void loop();

static void sandbox_common()
{
prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
setpgrp();
setsid();

struct rlimit rlim;
rlim.rlim_cur = rlim.rlim_max = 128 << 20;
setrlimit(RLIMIT_AS, &rlim);
rlim.rlim_cur = rlim.rlim_max = 1 << 20;
setrlimit(RLIMIT_FSIZE, &rlim);
rlim.rlim_cur = rlim.rlim_max = 1 << 20;
setrlimit(RLIMIT_STACK, &rlim);
rlim.rlim_cur = rlim.rlim_max = 0;
setrlimit(RLIMIT_CORE, &rlim);

unshare(CLONE_NEWNS);
unshare(CLONE_NEWIPC);
unshare(CLONE_IO);
}

static int do_sandbox_none(int executor_pid, bool enable_tun)
{
int pid = fork();
if (pid)
return pid;

sandbox_common();

loop();
doexit(1);
}

long r[67];
void loop()
{
memset(r, -1, sizeof(r));
r[0] = execute_syscall(__NR_mmap, 0x20000000ul, 0xcfe000ul, 0x3ul,
0x32ul, 0xfffffffffffffffful, 0x0ul, 0, 0, 0);
r[1] = execute_syscall(__NR_socket, 0x2ul, 0x2ul, 0x0ul, 0, 0, 0, 0,
0, 0);
NONFAILING(*(uint32_t*)0x2035f000 = (uint32_t)0x8);
r[3] = execute_syscall(__NR_setsockopt, r[1], 0x0ul, 0x17ul,
0x2035f000ul, 0x4ul, 0, 0, 0, 0);
NONFAILING(*(uint16_t*)0x20a98000 = (uint16_t)0x2);
NONFAILING(*(uint16_t*)0x20a98002 = (uint16_t)0x204e);
NONFAILING(*(uint32_t*)0x20a98004 = (uint32_t)0x100007f);
NONFAILING(*(uint8_t*)0x20a98008 = (uint8_t)0x0);
NONFAILING(*(uint8_t*)0x20a98009 = (uint8_t)0x0);
NONFAILING(*(uint8_t*)0x20a9800a = (uint8_t)0x0);
NONFAILING(*(uint8_t*)0x20a9800b = (uint8_t)0x0);
NONFAILING(*(uint8_t*)0x20a9800c = (uint8_t)0x0);
NONFAILING(*(uint8_t*)0x20a9800d = (uint8_t)0x0);
NONFAILING(*(uint8_t*)0x20a9800e = (uint8_t)0x0);
NONFAILING(*(uint8_t*)0x20a9800f = (uint8_t)0x0);
r[15] = execute_syscall(__NR_bind, r[1], 0x20a98000ul, 0x10ul, 0, 0,
0, 0, 0, 0);
r[16] = execute_syscall(__NR_socket, 0x2ul, 0x2ul, 0x0ul, 0, 0, 0, 0,
0, 0);
NONFAILING(*(uint32_t*)0x20cfcffc = (uint32_t)0x200);
r[18] =
execute_syscall(__NR_setsockopt, r[1], 0x1ul, 0x20000000000002aul,
0x20cfcffcul, 0x4ul, 0, 0, 0, 0);
NONFAILING(*(uint16_t*)0x20189000 = (uint16_t)0x2);
NONFAILING(*(uint16_t*)0x20189002 = (uint16_t)0x204e);
NONFAILING(*(uint32_t*)0x20189004 = (uint32_t)0x100007f);
NONFAILING(*(uint8_t*)0x20189008 = (uint8_t)0x0);
NONFAILING(*(uint8_t*)0x20189009 = (uint8_t)0x0);
NONFAILING(*(uint8_t*)0x2018900a = (uint8_t)0x0);
NONFAILING(*(uint8_t*)0x2018900b = (uint8_t)0x0);
NONFAILING(*(uint8_t*)0x2018900c = (uint8_t)0x0);
NONFAILING(*(uint8_t*)0x2018900d = (uint8_t)0x0);
NONFAILING(*(uint8_t*)0x2018900e = (uint8_t)0x0);
NONFAILING(*(uint8_t*)0x2018900f = (uint8_t)0x0);
r[30] = execute_syscall(__NR_sendto, r[16], 0x2043bfa2ul, 0x0ul,
0x8080ul, 0x20189000ul, 0x10ul, 0, 0, 0);
r[31] = execute_syscall(__NR_setsockopt, 0xfffffffffffffffful, 0x6ul,
0x1ful, 0x20cfcf78ul, 0x0ul, 0, 0, 0, 0);
NONFAILING(memcpy(
(void*)0x20153000,
"\x05\xad\x44\xed\x72\x17\x03\x24\xf3\x17\xae\x88\xf5\x8b\xad\x1e"
"\x94\xe1\xa0\xa2\xf3\xad\xc3\xee\x93\x89\xff\x35\x4c\x5d\x7b\xa3"
"\x1f\x54\x78\x08\x5e\x31\x73\x09\x3a\x7d\x21\x54\x4a\x40\xf5\xc0"
"\xc6\x58\x69\xf9\x43\xa4\x79\x3d\x5e\x31\x20\x91\x88\xf0\xb8\x54"
"\x6a\x54\xd5\x0a\x3c\x7d\xdc\xf5\x89\xa3\x5f\x60\x23\x98\x2f\x0b"
"\xc4\xe1\x83\xa8\x13\x43\xb1\xac\x16\xd7\xaf\x08\x29\x29\xa8\xa0"
"\x02\x8f\x2d\xc1\xa6\xdf\xa6\x76\x53\x1a\xfe\xb7\xd4\x22\xb2\x7a"
"\x98\x14\x55\x9f\xe5\x38\xa7\x4e\x91\xa5\x85\xc3\xb5\x86\x19\xdd"
"\x40\xa4\x46\x62\xb0\xa1\x2b\x0a\x08\x46\x26\x83\x3c\x1b\x8c\xe8"
"\xe0\xde\x6d\x81\xab\x2d\x61\xe9\x20\xa8\xed\xdb\xa6\x7d\xf3\xbf"
"\x2c\xb9\x76\x2f\x6d\xa2\x6c\x7c\x8f\xe2\x01\xfe\xff\xff\x13\xd1"
"\x1c\x94\x6b\x01\x3e\x3d\x0c\xe6\x72\x82\x3b\x9b\x8d\xc7\x0e\x61"
"\xdb\xc6\xa8\x6f\x1c\x92\x22\x03\xdc\x4a\x37\xbd\x8d\xa0\x4f\x67"
"\xcb\x39\xca\x8f\x8b\x1e\x52\xeb\x30\xdc\x3c\x02\xef\x97\xde\x56"
"\x50\x2a\xc0\xe2\xe0\x81\xbc\x86\x1c\x19\xd5\x81\x21\x21\xe6\x1f"
"\xe4\x24\x25\x3d\x35\x78\xcc\x7f\x75\xcd\x42\x65\xe4\x51\xa9\x01"
"\x0e\x9b\x16\x83\x14\x4b\xda\x51\x8a\x96\xe5\xcc\x6b\x77\x5e\xbc"
"\xa6\x93\x91\x9a\xbc\xd6\x1a\x81\xc7\xee\x28\x97\x80\x09\x84\xd7"
"\xd8\x6b\x6b\xd4\x29\x8b\x43\x3e\x8c\x56\x98\x2b\xd0\xe1\x77\xf3"
"\x6f\x5d\x8f\x0d\x8a\x8b\xbb\x6a\x58\x06\x03\x26\xa8\xc4\xa4\x32"
"\x9b\xb0\x84\x52\x15\xe1\x5e\xd7\x6d\xf1\x1c\x0e\x88\x92\x7c\x22"
"\x8e\x7b\x5f\x7a\x36\xce\xc3\x0c\xda\xec\x92\x80\x95\xbd\xb9\x03"
"\xa1\x97\xc8\x0b\xe6\x6f\xf5\x81\xaf\x95\x06\xfb\x43\xca\xab\x7f"
"\x02\x14\xd6\x73\x99\x96\xec\xe2\x82\xbd\x9a\x54\xf1\xcf\x9a\xc2"
"\x66\xfd\x34\xf1\xec\x3f\xdb\x36\xac\x0e\xf5\xb6\x0d\x0f\xa8\x62"
"\x36\xb9\x48\xf5\xb5\xd2\xd5\x16\xfc\x79\x44\xa1\x13\x42\x66\x90"
"\x37\x5f\xfe\xf7\x46\x55\xf6\x0a\xc4\xcf\x7e\xe4\x2e\xb2\x5a\x25"
"\x1a\x78\x18\xb5\x68\xd3\x1f\x04\x11\x80\x82\xc7\x52\xd6\xed\x8d"
"\x34\x9c\xf6\x3b\x28\x76\x4c\xae\x7b\x53\xd4\x0e\x6f\xa5\x96\x50"
"\x5d\x0e\x54\xdc\x38\x19\x7f\x1f\xfa\x80\xad\xf8\x01\x00\x00\x00"
"\xce\xde\x3f\xb6\x0f\xe7\x1a\x68\x65\x32\x87\xee\x76\x77\x10\x15"
"\x32\x88\x3b\xbb\xbb\xb4\x5b\x28\x14\x9a\x34\x7f\x07\x28\xf4\xfa"
"\xf0\x83\xf4\x63\x67\xbc\x82\x92\xdf\xb6\x4e\x67\x29\x72\xff\x96"
"\x4b\x9d\xb7\x7e\xd0",
533));
NONFAILING(*(uint16_t*)0x20445ff0 = (uint16_t)0x2);
NONFAILING(*(uint16_t*)0x20445ff2 = (uint16_t)0x204e);
NONFAILING(*(uint32_t*)0x20445ff4 = (uint32_t)0x100007f);
NONFAILING(*(uint8_t*)0x20445ff8 = (uint8_t)0x0);
NONFAILING(*(uint8_t*)0x20445ff9 = (uint8_t)0x0);
NONFAILING(*(uint8_t*)0x20445ffa = (uint8_t)0x0);
NONFAILING(*(uint8_t*)0x20445ffb = (uint8_t)0x0);
NONFAILING(*(uint8_t*)0x20445ffc = (uint8_t)0x0);
NONFAILING(*(uint8_t*)0x20445ffd = (uint8_t)0x0);
NONFAILING(*(uint8_t*)0x20445ffe = (uint8_t)0x0);
NONFAILING(*(uint8_t*)0x20445fff = (uint8_t)0x0);
r[44] = execute_syscall(__NR_sendto, r[16], 0x20153000ul, 0x215ul,
0x0ul, 0x20445ff0ul, 0x10ul, 0, 0, 0);
NONFAILING(*(uint32_t*)0x20591ff0 = (uint32_t)0xffffffffffffffff);
NONFAILING(*(uint16_t*)0x20591ff4 = (uint16_t)0x2000);
NONFAILING(*(uint16_t*)0x20591ff6 = (uint16_t)0x0);
NONFAILING(*(uint32_t*)0x20591ff8 = r[16]);
NONFAILING(*(uint16_t*)0x20591ffc = (uint16_t)0x600a);
NONFAILING(*(uint16_t*)0x20591ffe = (uint16_t)0x0);
NONFAILING(*(uint32_t*)0x20592000 = r[1]);
NONFAILING(*(uint16_t*)0x20592004 = (uint16_t)0x8000);
NONFAILING(*(uint16_t*)0x20592006 = (uint16_t)0x0);
r[54] = execute_syscall(__NR_poll, 0x20591ff0ul, 0x3ul, 0x5ul, 0, 0,
0, 0, 0, 0);
NONFAILING(*(uint16_t*)0x20cf2ff0 = (uint16_t)0x2);
NONFAILING(*(uint16_t*)0x20cf2ff2 = (uint16_t)0x204e);
NONFAILING(*(uint32_t*)0x20cf2ff4 = (uint32_t)0x0);
NONFAILING(*(uint8_t*)0x20cf2ff8 = (uint8_t)0x0);
NONFAILING(*(uint8_t*)0x20cf2ff9 = (uint8_t)0x0);
NONFAILING(*(uint8_t*)0x20cf2ffa = (uint8_t)0x0);
NONFAILING(*(uint8_t*)0x20cf2ffb = (uint8_t)0x0);
NONFAILING(*(uint8_t*)0x20cf2ffc = (uint8_t)0x0);
NONFAILING(*(uint8_t*)0x20cf2ffd = (uint8_t)0x0);
NONFAILING(*(uint8_t*)0x20cf2ffe = (uint8_t)0x0);
NONFAILING(*(uint8_t*)0x20cf2fff = (uint8_t)0x0);
r[66] = execute_syscall(__NR_recvfrom, r[1], 0x20cf2ffcul, 0x0ul,
0x100000042ul, 0x20cf2ff0ul, 0x10ul, 0, 0, 0);
}
int main()
{
setup_main_process();
int pid = do_sandbox_none(0, false);
int status = 0;
while (waitpid(pid, &status, __WALL) != pid) {
}
return 0;
}

Attachment: .config
Description: Binary data