ney/key: slab-out-of-bounds in parse_ipsecrequests

From: Andrey Konovalov
Date: Wed Apr 12 2017 - 11:02:27 EST


Hi,

I've got the following error report while fuzzing the kernel with syzkaller.

On commit 39da7c509acff13fc8cb12ec1bb20337c988ed36 (4.11-rc6).

A reproducer and .config are attached.

When subtracting rq->sadb_x_ipsecrequest_len from len it can become
negative and the while loop condition remains true.

==================================================================
BUG: KASAN: slab-out-of-bounds in parse_ipsecrequest
net/key/af_key.c:1897 [inline] at addr ffff88006b1e3d0b
BUG: KASAN: slab-out-of-bounds in parse_ipsecrequests+0xc89/0xdc0
net/key/af_key.c:1949 at addr ffff88006b1e3d0b
Read of size 1 by task syz-executor5/11796
CPU: 2 PID: 11796 Comm: syz-executor5 Not tainted 4.11.0-rc6+ #211
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:16 [inline]
dump_stack+0x292/0x398 lib/dump_stack.c:52
kasan_object_err+0x1c/0x70 mm/kasan/report.c:164
print_address_description mm/kasan/report.c:202 [inline]
kasan_report_error mm/kasan/report.c:291 [inline]
kasan_report+0x252/0x510 mm/kasan/report.c:347
__asan_report_load1_noabort+0x14/0x20 mm/kasan/report.c:365
parse_ipsecrequest net/key/af_key.c:1897 [inline]
parse_ipsecrequests+0xc89/0xdc0 net/key/af_key.c:1949
pfkey_compile_policy+0xa20/0xd40 net/key/af_key.c:3241
xfrm_user_policy+0x34c/0x560 net/xfrm/xfrm_state.c:1892
do_ip_setsockopt.isra.12+0x1afa/0x36c0 net/ipv4/ip_sockglue.c:1175
ip_setsockopt+0x3a/0xb0 net/ipv4/ip_sockglue.c:1264
tcp_setsockopt+0x82/0xd0 net/ipv4/tcp.c:2731
sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2750
SYSC_setsockopt net/socket.c:1798 [inline]
SyS_setsockopt+0x270/0x3a0 net/socket.c:1777
entry_SYSCALL_64_fastpath+0x1f/0xc2
RIP: 0033:0x4458d9
RSP: 002b:00007f319fffdb58 EFLAGS: 00000292 ORIG_RAX: 0000000000000036
RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 00000000004458d9
RDX: 0000000000000010 RSI: 0000000000000000 RDI: 0000000000000005
RBP: 00000000006e3560 R08: 00000000000000e8 R09: 0000000000000000
R10: 0000000020002000 R11: 0000000000000292 R12: 0000000000708000
R13: 0000000000000000 R14: 00007f319fffe9c0 R15: 00007f319fffe700
Object at ffff88006b1e3b28, in cache kernfs_node_cache size: 152
Allocated:
PID = 1
save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
save_stack+0x43/0xd0 mm/kasan/kasan.c:513
set_track mm/kasan/kasan.c:525 [inline]
kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:616
kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:555
slab_post_alloc_hook mm/slab.h:456 [inline]
slab_alloc_node mm/slub.c:2718 [inline]
slab_alloc mm/slub.c:2726 [inline]
kmem_cache_alloc+0x1af/0x250 mm/slub.c:2731
kmem_cache_zalloc include/linux/slab.h:653 [inline]
__kernfs_new_node+0xd1/0x3e0 fs/kernfs/dir.c:629
kernfs_new_node+0x80/0xe0 fs/kernfs/dir.c:661
__kernfs_create_file+0x4b/0x320 fs/kernfs/file.c:989
sysfs_add_file_mode_ns+0x220/0x520 fs/sysfs/file.c:307
create_files fs/sysfs/group.c:64 [inline]
internal_create_group+0x239/0x8f0 fs/sysfs/group.c:134
sysfs_create_group+0x1f/0x30 fs/sysfs/group.c:156
sysfs_slab_add+0x1d0/0x200 mm/slub.c:5659
__kmem_cache_create+0x428/0x4c0 mm/slub.c:4253
create_cache mm/slab_common.c:382 [inline]
kmem_cache_create+0x15d/0x240 mm/slab_common.c:467
jbd2_journal_init_revoke_caches+0x8a/0xaf fs/jbd2/revoke.c:206
journal_init_caches fs/jbd2/journal.c:2631 [inline]
journal_init+0xf/0x14d fs/jbd2/journal.c:2656
do_one_initcall+0xf3/0x390 init/main.c:792
do_initcall_level init/main.c:858 [inline]
do_initcalls init/main.c:866 [inline]
do_basic_setup init/main.c:884 [inline]
kernel_init_freeable+0x5d1/0x6a6 init/main.c:1035
kernel_init+0x13/0x180 init/main.c:959
ret_from_fork+0x31/0x40 arch/x86/entry/entry_64.S:430
Freed:
PID = 0
(stack is not available)
Memory state around the buggy address:
ffff88006b1e3c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88006b1e3c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88006b1e3d00: fc fc fc 00 00 00 00 00 00 00 00 00 00 00 00 00
^
ffff88006b1e3d80: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
ffff88006b1e3e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
// autogenerated by syzkaller (http://github.com/google/syzkaller)

#ifndef __NR_mmap
#define __NR_mmap 9
#endif
#ifndef __NR_socket
#define __NR_socket 41
#endif
#ifndef __NR_ioctl
#define __NR_ioctl 16
#endif
#ifndef __NR_setsockopt
#define __NR_setsockopt 54
#endif

#define _GNU_SOURCE

#include <sys/ioctl.h>
#include <sys/mman.h>
#include <sys/mount.h>
#include <sys/prctl.h>
#include <sys/resource.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/time.h>
#include <sys/types.h>
#include <sys/wait.h>

#include <linux/capability.h>
#include <linux/if.h>
#include <linux/if_tun.h>
#include <linux/kvm.h>
#include <linux/sched.h>
#include <net/if_arp.h>

#include <assert.h>
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <pthread.h>
#include <setjmp.h>
#include <signal.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

const int kFailStatus = 67;
const int kErrorStatus = 68;
const int kRetryStatus = 69;

__attribute__((noreturn)) void doexit(int status)
{
volatile unsigned i;
syscall(__NR_exit_group, status);
for (i = 0;; i++) {
}
}

__attribute__((noreturn)) void fail(const char* msg, ...)
{
int e = errno;
fflush(stdout);
va_list args;
va_start(args, msg);
vfprintf(stderr, msg, args);
va_end(args);
fprintf(stderr, " (errno %d)\n", e);
doexit((e == ENOMEM || e == EAGAIN) ? kRetryStatus : kFailStatus);
}

__attribute__((noreturn)) void exitf(const char* msg, ...)
{
int e = errno;
fflush(stdout);
va_list args;
va_start(args, msg);
vfprintf(stderr, msg, args);
va_end(args);
fprintf(stderr, " (errno %d)\n", e);
doexit(kRetryStatus);
}

static int flag_debug;

void debug(const char* msg, ...)
{
if (!flag_debug)
return;
va_list args;
va_start(args, msg);
vfprintf(stdout, msg, args);
va_end(args);
fflush(stdout);
}

__thread int skip_segv;
__thread jmp_buf segv_env;

static void segv_handler(int sig, siginfo_t* info, void* uctx)
{
uintptr_t addr = (uintptr_t)info->si_addr;
const uintptr_t prog_start = 1 << 20;
const uintptr_t prog_end = 100 << 20;
if (__atomic_load_n(&skip_segv, __ATOMIC_RELAXED) &&
(addr < prog_start || addr > prog_end)) {
debug("SIGSEGV on %p, skipping\n", addr);
_longjmp(segv_env, 1);
}
debug("SIGSEGV on %p, exiting\n", addr);
doexit(sig);
for (;;) {
}
}

static void install_segv_handler()
{
struct sigaction sa;
memset(&sa, 0, sizeof(sa));
sa.sa_sigaction = segv_handler;
sa.sa_flags = SA_NODEFER | SA_SIGINFO;
sigaction(SIGSEGV, &sa, NULL);
sigaction(SIGBUS, &sa, NULL);
}

#define NONFAILING(...) \
{ \
__atomic_fetch_add(&skip_segv, 1, __ATOMIC_SEQ_CST); \
if (_setjmp(segv_env) == 0) { \
__VA_ARGS__; \
} \
__atomic_fetch_sub(&skip_segv, 1, __ATOMIC_SEQ_CST); \
}

#define BITMASK_LEN(type, bf_len) (type)((1ull << (bf_len)) - 1)

#define BITMASK_LEN_OFF(type, bf_off, bf_len) \
(type)(BITMASK_LEN(type, (bf_len)) << (bf_off))

#define STORE_BY_BITMASK(type, addr, val, bf_off, bf_len) \
if ((bf_off) == 0 && (bf_len) == 0) { \
*(type*)(addr) = (type)(val); \
} else { \
type new_val = *(type*)(addr); \
new_val &= ~BITMASK_LEN_OFF(type, (bf_off), (bf_len)); \
new_val |= ((type)(val)&BITMASK_LEN(type, (bf_len))) << (bf_off); \
*(type*)(addr) = new_val; \
}

static uintptr_t execute_syscall(int nr, uintptr_t a0, uintptr_t a1,
uintptr_t a2, uintptr_t a3,
uintptr_t a4, uintptr_t a5,
uintptr_t a6, uintptr_t a7,
uintptr_t a8)
{
switch (nr) {
default:
return syscall(nr, a0, a1, a2, a3, a4, a5);
}
}

static void setup_main_process()
{
struct sigaction sa;
memset(&sa, 0, sizeof(sa));
sa.sa_handler = SIG_IGN;
syscall(SYS_rt_sigaction, 0x20, &sa, NULL, 8);
syscall(SYS_rt_sigaction, 0x21, &sa, NULL, 8);
install_segv_handler();

char tmpdir_template[] = "./syzkaller.XXXXXX";
char* tmpdir = mkdtemp(tmpdir_template);
if (!tmpdir)
fail("failed to mkdtemp");
if (chmod(tmpdir, 0777))
fail("failed to chmod");
if (chdir(tmpdir))
fail("failed to chdir");
}

static void loop();

static void sandbox_common()
{
prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
setpgrp();
setsid();

struct rlimit rlim;
rlim.rlim_cur = rlim.rlim_max = 128 << 20;
setrlimit(RLIMIT_AS, &rlim);
rlim.rlim_cur = rlim.rlim_max = 1 << 20;
setrlimit(RLIMIT_FSIZE, &rlim);
rlim.rlim_cur = rlim.rlim_max = 1 << 20;
setrlimit(RLIMIT_STACK, &rlim);
rlim.rlim_cur = rlim.rlim_max = 0;
setrlimit(RLIMIT_CORE, &rlim);

unshare(CLONE_NEWNS);
unshare(CLONE_NEWIPC);
unshare(CLONE_IO);
}

static int do_sandbox_none(int executor_pid, bool enable_tun)
{
int pid = fork();
if (pid)
return pid;

sandbox_common();

loop();
doexit(1);
}

static void remove_dir(const char* dir)
{
DIR* dp;
struct dirent* ep;
int iter = 0;
retry:
dp = opendir(dir);
if (dp == NULL) {
if (errno == EMFILE) {
exitf("opendir(%s) failed due to NOFILE, exiting");
}
exitf("opendir(%s) failed", dir);
}
while ((ep = readdir(dp))) {
if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0)
continue;
char filename[FILENAME_MAX];
snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name);
struct stat st;
if (lstat(filename, &st))
exitf("lstat(%s) failed", filename);
if (S_ISDIR(st.st_mode)) {
remove_dir(filename);
continue;
}
int i;
for (i = 0;; i++) {
debug("unlink(%s)\n", filename);
if (unlink(filename) == 0)
break;
if (errno == EROFS) {
debug("ignoring EROFS\n");
break;
}
if (errno != EBUSY || i > 100)
exitf("unlink(%s) failed", filename);
debug("umount(%s)\n", filename);
if (umount2(filename, MNT_DETACH))
exitf("umount(%s) failed", filename);
}
}
closedir(dp);
int i;
for (i = 0;; i++) {
debug("rmdir(%s)\n", dir);
if (rmdir(dir) == 0)
break;
if (i < 100) {
if (errno == EROFS) {
debug("ignoring EROFS\n");
break;
}
if (errno == EBUSY) {
debug("umount(%s)\n", dir);
if (umount2(dir, MNT_DETACH))
exitf("umount(%s) failed", dir);
continue;
}
if (errno == ENOTEMPTY) {
if (iter < 100) {
iter++;
goto retry;
}
}
}
exitf("rmdir(%s) failed", dir);
}
}

static uint64_t current_time_ms()
{
struct timespec ts;

if (clock_gettime(CLOCK_MONOTONIC, &ts))
fail("clock_gettime failed");
return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}

static void test();

void loop()
{
int iter;
for (iter = 0;; iter++) {
char cwdbuf[256];
sprintf(cwdbuf, "./%d", iter);
if (mkdir(cwdbuf, 0777))
fail("failed to mkdir");
int pid = fork();
if (pid < 0)
fail("clone failed");
if (pid == 0) {
prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
setpgrp();
if (chdir(cwdbuf))
fail("failed to chdir");
test();
doexit(0);
}
int status = 0;
uint64_t start = current_time_ms();
for (;;) {
int res = waitpid(-1, &status, __WALL | WNOHANG);
if (res == pid)
break;
usleep(1000);
if (current_time_ms() - start > 5 * 1000) {
kill(-pid, SIGKILL);
kill(pid, SIGKILL);
while (waitpid(-1, &status, __WALL) != pid) {
}
break;
}
}
remove_dir(cwdbuf);
}
}

long r[106];
void test()
{
memset(r, -1, sizeof(r));
r[0] = execute_syscall(__NR_mmap, 0x20000000ul, 0xd4c000ul, 0x3ul,
0x32ul, 0xfffffffffffffffful, 0x0ul, 0, 0, 0);
r[1] = execute_syscall(__NR_socket, 0x2ul, 0x1ul, 0x0ul, 0, 0, 0, 0,
0, 0);
NONFAILING(*(uint16_t*)0x20002000 = (uint16_t)0x2);
NONFAILING(*(uint16_t*)0x20002002 = (uint16_t)0x214e);
NONFAILING(*(uint32_t*)0x20002004 = (uint32_t)0x1000000);
NONFAILING(*(uint8_t*)0x20002008 = (uint8_t)0x0);
NONFAILING(*(uint8_t*)0x20002009 = (uint8_t)0x0);
NONFAILING(*(uint8_t*)0x2000200a = (uint8_t)0x0);
NONFAILING(*(uint8_t*)0x2000200b = (uint8_t)0x0);
NONFAILING(*(uint8_t*)0x2000200c = (uint8_t)0x0);
NONFAILING(*(uint8_t*)0x2000200d = (uint8_t)0x0);
NONFAILING(*(uint8_t*)0x2000200e = (uint8_t)0x0);
NONFAILING(*(uint8_t*)0x2000200f = (uint8_t)0x0);
NONFAILING(*(uint16_t*)0x20002010 = (uint16_t)0x6);
NONFAILING(memcpy((void*)0x20002012, "\x99\xba\x03\xfa\x05\x4a", 6));
NONFAILING(*(uint8_t*)0x20002018 = (uint8_t)0x0);
NONFAILING(*(uint8_t*)0x20002019 = (uint8_t)0x0);
NONFAILING(*(uint8_t*)0x2000201a = (uint8_t)0x0);
NONFAILING(*(uint8_t*)0x2000201b = (uint8_t)0x0);
NONFAILING(*(uint8_t*)0x2000201c = (uint8_t)0x0);
NONFAILING(*(uint8_t*)0x2000201d = (uint8_t)0x0);
NONFAILING(*(uint8_t*)0x2000201e = (uint8_t)0x0);
NONFAILING(*(uint8_t*)0x2000201f = (uint8_t)0x0);
NONFAILING(*(uint32_t*)0x20002020 = (uint32_t)0x0);
NONFAILING(*(uint16_t*)0x20002024 = (uint16_t)0x2);
NONFAILING(*(uint16_t*)0x20002026 = (uint16_t)0x234e);
NONFAILING(*(uint32_t*)0x20002028 = (uint32_t)0x20000e0);
NONFAILING(*(uint8_t*)0x2000202c = (uint8_t)0x0);
NONFAILING(*(uint8_t*)0x2000202d = (uint8_t)0x0);
NONFAILING(*(uint8_t*)0x2000202e = (uint8_t)0x0);
NONFAILING(*(uint8_t*)0x2000202f = (uint8_t)0x0);
NONFAILING(*(uint8_t*)0x20002030 = (uint8_t)0x0);
NONFAILING(*(uint8_t*)0x20002031 = (uint8_t)0x0);
NONFAILING(*(uint8_t*)0x20002032 = (uint8_t)0x0);
NONFAILING(*(uint8_t*)0x20002033 = (uint8_t)0x0);
NONFAILING(*(uint8_t*)0x20002034 = (uint8_t)0x73);
NONFAILING(*(uint8_t*)0x20002035 = (uint8_t)0x79);
NONFAILING(*(uint8_t*)0x20002036 = (uint8_t)0x7a);
NONFAILING(*(uint8_t*)0x20002037 = (uint8_t)0x30);
NONFAILING(*(uint8_t*)0x20002038 = (uint8_t)0x0);
r[40] = execute_syscall(__NR_ioctl, r[1], 0x8953ul, 0x20002000ul, 0,
0, 0, 0, 0, 0);
NONFAILING(*(uint32_t*)0x20002000 = (uint32_t)0x9);
NONFAILING(*(uint16_t*)0x20002004 = (uint16_t)0x2);
NONFAILING(*(uint16_t*)0x20002006 = (uint16_t)0x2);
NONFAILING(*(uint32_t*)0x20002008 = (uint32_t)0x4);
NONFAILING(*(uint32_t*)0x2000200c = (uint32_t)0x81);
NONFAILING(*(uint32_t*)0x20002010 = (uint32_t)0x2);
r[47] = execute_syscall(__NR_setsockopt, 0xfffffffffffffffful, 0x84ul,
0x1ul, 0x20002000ul, 0x14ul, 0, 0, 0, 0);
NONFAILING(*(uint32_t*)0x20002000 = (uint32_t)0x7000004);
NONFAILING(*(uint32_t*)0x20002010 = (uint32_t)0xffffffff);
NONFAILING(*(uint16_t*)0x20002020 = (uint16_t)0x224e);
NONFAILING(*(uint16_t*)0x20002022 = (uint16_t)0xa7);
NONFAILING(*(uint16_t*)0x20002024 = (uint16_t)0x204e);
NONFAILING(*(uint16_t*)0x20002026 = (uint16_t)0x0);
NONFAILING(*(uint16_t*)0x20002028 = (uint16_t)0x0);
NONFAILING(*(uint8_t*)0x2000202a = (uint8_t)0x80000001);
NONFAILING(*(uint8_t*)0x2000202b = (uint8_t)0x9);
NONFAILING(*(uint8_t*)0x2000202c = (uint8_t)0x1);
NONFAILING(*(uint32_t*)0x20002030 = (uint32_t)0x10001);
NONFAILING(*(uint32_t*)0x20002034 = (uint32_t)0x51940);
NONFAILING(*(uint64_t*)0x20002038 = (uint64_t)0x5);
NONFAILING(*(uint64_t*)0x20002040 = (uint64_t)0x7);
NONFAILING(*(uint64_t*)0x20002048 = (uint64_t)0xf58);
NONFAILING(*(uint64_t*)0x20002050 = (uint64_t)0x77b3);
NONFAILING(*(uint64_t*)0x20002058 = (uint64_t)0xffffffffffff8001);
NONFAILING(*(uint64_t*)0x20002060 = (uint64_t)0xd13);
NONFAILING(*(uint64_t*)0x20002068 = (uint64_t)0x2);
NONFAILING(*(uint64_t*)0x20002070 = (uint64_t)0x3);
NONFAILING(*(uint64_t*)0x20002078 = (uint64_t)0xa3);
NONFAILING(*(uint64_t*)0x20002080 = (uint64_t)0xfffffffffffffffc);
NONFAILING(*(uint64_t*)0x20002088 = (uint64_t)0x101);
NONFAILING(*(uint64_t*)0x20002090 = (uint64_t)0x8001);
NONFAILING(*(uint32_t*)0x20002098 = (uint32_t)0xfffffffffffffffd);
NONFAILING(*(uint32_t*)0x2000209c = (uint32_t)0xfffffffffffffff8);
NONFAILING(*(uint8_t*)0x200020a0 = (uint8_t)0x6);
NONFAILING(*(uint8_t*)0x200020a1 = (uint8_t)0x1);
NONFAILING(*(uint8_t*)0x200020a2 = (uint8_t)0x8);
NONFAILING(*(uint8_t*)0x200020a3 = (uint8_t)0xffffffffffffffff);
NONFAILING(*(uint8_t*)0x200020a8 = (uint8_t)0xfd);
NONFAILING(*(uint8_t*)0x200020a9 = (uint8_t)0x0);
NONFAILING(*(uint8_t*)0x200020aa = (uint8_t)0x0);
NONFAILING(*(uint8_t*)0x200020ab = (uint8_t)0x0);
NONFAILING(*(uint8_t*)0x200020ac = (uint8_t)0x0);
NONFAILING(*(uint8_t*)0x200020ad = (uint8_t)0x0);
NONFAILING(*(uint8_t*)0x200020ae = (uint8_t)0x0);
NONFAILING(*(uint8_t*)0x200020af = (uint8_t)0x0);
NONFAILING(*(uint8_t*)0x200020b0 = (uint8_t)0x0);
NONFAILING(*(uint8_t*)0x200020b1 = (uint8_t)0x0);
NONFAILING(*(uint8_t*)0x200020b2 = (uint8_t)0x0);
NONFAILING(*(uint8_t*)0x200020b3 = (uint8_t)0x0);
NONFAILING(*(uint8_t*)0x200020b4 = (uint8_t)0x0);
NONFAILING(*(uint8_t*)0x200020b5 = (uint8_t)0x0);
NONFAILING(*(uint8_t*)0x200020b6 = (uint8_t)0x0);
NONFAILING(*(uint8_t*)0x200020b7 = (uint8_t)0xaa);
NONFAILING(*(uint32_t*)0x200020b8 = (uint32_t)0x83);
NONFAILING(*(uint8_t*)0x200020bc = (uint8_t)0xffffffff7fffffff);
NONFAILING(*(uint16_t*)0x200020c0 = (uint16_t)0x2);
NONFAILING(*(uint32_t*)0x200020c4 = (uint32_t)0xffffffff);
NONFAILING(*(uint32_t*)0x200020d4 = (uint32_t)0x4);
NONFAILING(*(uint8_t*)0x200020d8 = (uint8_t)0x5);
NONFAILING(*(uint8_t*)0x200020d9 = (uint8_t)0x40000000);
NONFAILING(*(uint8_t*)0x200020da = (uint8_t)0x5);
NONFAILING(*(uint32_t*)0x200020dc = (uint32_t)0x3);
NONFAILING(*(uint32_t*)0x200020e0 = (uint32_t)0x1ff);
NONFAILING(*(uint32_t*)0x200020e4 = (uint32_t)0x201);
r[105] = execute_syscall(__NR_setsockopt, r[1], 0x0ul, 0x10ul,
0x20002000ul, 0xe8ul, 0, 0, 0, 0);
}
int main()
{
setup_main_process();
int pid = do_sandbox_none(0, false);
int status = 0;
while (waitpid(pid, &status, __WALL) != pid) {
}
return 0;
}

Attachment: .config
Description: Binary data