Re: net/ipv6: use-after-free in __call_rcu/in6_dev_finish_destroy_rcu

From: Andrey Konovalov
Date: Wed Apr 26 2017 - 11:19:11 EST


On Wed, Apr 26, 2017 at 3:59 PM, Paul E. McKenney
<paulmck@xxxxxxxxxxxxxxxxxx> wrote:
> On Wed, Apr 26, 2017 at 02:34:15PM +0200, Andrey Konovalov wrote:
>> Hi,
>>
>> I've got the following error report while fuzzing the kernel with syzkaller.
>>
>> On commit 5a7ad1146caa895ad718a534399e38bd2ba721b7 (4.11-rc8).
>>
>> Unfortunately it's not reproducible.
>>
>> I'm not sure whether it is an issue with rcu or ipv6.
>>
>> ==================================================================
>> BUG: KASAN: use-after-free in __call_rcu.constprop.77+0x13be/0x1640
>
> Does building with CONFIG_DEBUG_OBJECTS_RCU_HEAD=y show any splats?
> (Yeah, kind of a stupid question if it is not reproducible, but had
> to ask!)

+David

I've enabled CONFIG_DEBUG_OBJECTS_RCU_HEAD and this is what I get.

Apparently the rcu warning is related to the fib6_del_route bug I've
been trying to reproduce:
https://groups.google.com/forum/#!msg/syzkaller/3SS80JbVPKA/2tfIAcW7DwAJ

Adding David, who provided the fix:
https://patchwork.ozlabs.org/patch/754913/

I've managed to extract a reproducer, attached together with the
.config that I used.

On commit 5a7ad1146caa895ad718a534399e38bd2ba721b7 (4.11-rc8) with
David's patch applied.

------------[ cut here ]------------
WARNING: CPU: 1 PID: 5911 at lib/debugobjects.c:289
debug_print_object+0x175/0x210
ODEBUG: activate active (active state 1) object type: rcu_head hint:
(null)
Modules linked in:
CPU: 1 PID: 5911 Comm: a.out Not tainted 4.11.0-rc8+ #271
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:16
dump_stack+0x192/0x22d lib/dump_stack.c:52
__warn+0x19f/0x1e0 kernel/panic.c:549
warn_slowpath_fmt+0xe0/0x120 kernel/panic.c:564
debug_print_object+0x175/0x210 lib/debugobjects.c:286
debug_object_activate+0x574/0x7e0 lib/debugobjects.c:442
debug_rcu_head_queue kernel/rcu/rcu.h:75
__call_rcu.constprop.76+0xff/0x9c0 kernel/rcu/tree.c:3229
call_rcu_sched+0x12/0x20 kernel/rcu/tree.c:3288
rt6_rcu_free net/ipv6/ip6_fib.c:158
rt6_release+0x1ea/0x290 net/ipv6/ip6_fib.c:188
fib6_del_route net/ipv6/ip6_fib.c:1461
fib6_del+0xa42/0xdc0 net/ipv6/ip6_fib.c:1500
__ip6_del_rt+0x100/0x160 net/ipv6/route.c:2174
ip6_del_rt+0x140/0x1b0 net/ipv6/route.c:2187
__ipv6_ifa_notify+0x269/0x780 net/ipv6/addrconf.c:5520
addrconf_ifdown+0xe60/0x1a20 net/ipv6/addrconf.c:3672
addrconf_notify+0x1be/0x2590 net/ipv6/addrconf.c:3477
notifier_call_chain+0x145/0x2f0 kernel/notifier.c:93
__raw_notifier_call_chain kernel/notifier.c:394
raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401
call_netdevice_notifiers_info+0x51/0x90 net/core/dev.c:1647
call_netdevice_notifiers net/core/dev.c:1663
__dev_notify_flags+0x1fd/0x320 net/core/dev.c:6499
dev_change_flags+0xf5/0x140 net/core/dev.c:6530
dev_ifsioc+0x619/0x9e0 net/core/dev_ioctl.c:254
dev_ioctl+0x238/0xfe0 net/core/dev_ioctl.c:532
sock_do_ioctl+0x94/0xb0 net/socket.c:913
sock_ioctl+0x27a/0x410 net/socket.c:1004
vfs_ioctl fs/ioctl.c:45
do_vfs_ioctl+0x1cd/0x15a0 fs/ioctl.c:685
SYSC_ioctl fs/ioctl.c:700
SyS_ioctl+0x8f/0xc0 fs/ioctl.c:691
entry_SYSCALL_64_fastpath+0x1a/0xa9 arch/x86/entry/entry_64.S:204
RIP: 0033:0x7fd579b89b79
RSP: 002b:00007fd207bcae58 EFLAGS: 00000206 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007fd207bcb700 RCX: 00007fd579b89b79
RDX: 0000000020000000 RSI: 0000000000008914 RDI: 000000000000017a
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000206 R12: 00007fd57a055220
R13: 00007fd207bcb9c0 R14: 00007fd57a480040 R15: 0000000000000003
---[ end trace 8997f4cb685b1a22 ]---
------------[ cut here ]------------
WARNING: CPU: 1 PID: 5911 at lib/debugobjects.c:289
debug_print_object+0x175/0x210
ODEBUG: active_state active (active state 1) object type: rcu_head
hint: (null)
Modules linked in:
CPU: 1 PID: 5911 Comm: a.out Tainted: G W 4.11.0-rc8+ #271
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:16
dump_stack+0x192/0x22d lib/dump_stack.c:52
__warn+0x19f/0x1e0 kernel/panic.c:549
warn_slowpath_fmt+0xe0/0x120 kernel/panic.c:564
debug_print_object+0x175/0x210 lib/debugobjects.c:286
debug_object_active_state+0x46e/0x630 lib/debugobjects.c:696
debug_rcu_head_queue kernel/rcu/rcu.h:76
__call_rcu.constprop.76+0x11b/0x9c0 kernel/rcu/tree.c:3229
call_rcu_sched+0x12/0x20 kernel/rcu/tree.c:3288
rt6_rcu_free net/ipv6/ip6_fib.c:158
rt6_release+0x1ea/0x290 net/ipv6/ip6_fib.c:188
fib6_del_route net/ipv6/ip6_fib.c:1461
fib6_del+0xa42/0xdc0 net/ipv6/ip6_fib.c:1500
__ip6_del_rt+0x100/0x160 net/ipv6/route.c:2174
ip6_del_rt+0x140/0x1b0 net/ipv6/route.c:2187
__ipv6_ifa_notify+0x269/0x780 net/ipv6/addrconf.c:5520
addrconf_ifdown+0xe60/0x1a20 net/ipv6/addrconf.c:3672
addrconf_notify+0x1be/0x2590 net/ipv6/addrconf.c:3477
notifier_call_chain+0x145/0x2f0 kernel/notifier.c:93
__raw_notifier_call_chain kernel/notifier.c:394
raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401
call_netdevice_notifiers_info+0x51/0x90 net/core/dev.c:1647
call_netdevice_notifiers net/core/dev.c:1663
__dev_notify_flags+0x1fd/0x320 net/core/dev.c:6499
dev_change_flags+0xf5/0x140 net/core/dev.c:6530
dev_ifsioc+0x619/0x9e0 net/core/dev_ioctl.c:254
dev_ioctl+0x238/0xfe0 net/core/dev_ioctl.c:532
sock_do_ioctl+0x94/0xb0 net/socket.c:913
sock_ioctl+0x27a/0x410 net/socket.c:1004
vfs_ioctl fs/ioctl.c:45
do_vfs_ioctl+0x1cd/0x15a0 fs/ioctl.c:685
SYSC_ioctl fs/ioctl.c:700
SyS_ioctl+0x8f/0xc0 fs/ioctl.c:691
entry_SYSCALL_64_fastpath+0x1a/0xa9 arch/x86/entry/entry_64.S:204
RIP: 0033:0x7fd579b89b79
RSP: 002b:00007fd207bcae58 EFLAGS: 00000206 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007fd207bcb700 RCX: 00007fd579b89b79
RDX: 0000000020000000 RSI: 0000000000008914 RDI: 000000000000017a
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000206 R12: 00007fd57a055220
R13: 00007fd207bcb9c0 R14: 00007fd57a480040 R15: 0000000000000003
---[ end trace 8997f4cb685b1a23 ]---
------------[ cut here ]------------
WARNING: CPU: 1 PID: 5911 at kernel/rcu/tree.c:3232
__call_rcu.constprop.76+0x446/0x9c0
__call_rcu(): Leaked duplicate callback
Modules linked in:
CPU: 1 PID: 5911 Comm: a.out Tainted: G W 4.11.0-rc8+ #271
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:16
dump_stack+0x192/0x22d lib/dump_stack.c:52
__warn+0x19f/0x1e0 kernel/panic.c:549
warn_slowpath_fmt+0xe0/0x120 kernel/panic.c:564
__call_rcu.constprop.76+0x446/0x9c0 kernel/rcu/tree.c:3232
call_rcu_sched+0x12/0x20 kernel/rcu/tree.c:3288
rt6_rcu_free net/ipv6/ip6_fib.c:158
rt6_release+0x1ea/0x290 net/ipv6/ip6_fib.c:188
fib6_del_route net/ipv6/ip6_fib.c:1461
fib6_del+0xa42/0xdc0 net/ipv6/ip6_fib.c:1500
__ip6_del_rt+0x100/0x160 net/ipv6/route.c:2174
ip6_del_rt+0x140/0x1b0 net/ipv6/route.c:2187
__ipv6_ifa_notify+0x269/0x780 net/ipv6/addrconf.c:5520
addrconf_ifdown+0xe60/0x1a20 net/ipv6/addrconf.c:3672
addrconf_notify+0x1be/0x2590 net/ipv6/addrconf.c:3477
notifier_call_chain+0x145/0x2f0 kernel/notifier.c:93
__raw_notifier_call_chain kernel/notifier.c:394
raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401
call_netdevice_notifiers_info+0x51/0x90 net/core/dev.c:1647
call_netdevice_notifiers net/core/dev.c:1663
__dev_notify_flags+0x1fd/0x320 net/core/dev.c:6499
dev_change_flags+0xf5/0x140 net/core/dev.c:6530
dev_ifsioc+0x619/0x9e0 net/core/dev_ioctl.c:254
dev_ioctl+0x238/0xfe0 net/core/dev_ioctl.c:532
sock_do_ioctl+0x94/0xb0 net/socket.c:913
sock_ioctl+0x27a/0x410 net/socket.c:1004
vfs_ioctl fs/ioctl.c:45
do_vfs_ioctl+0x1cd/0x15a0 fs/ioctl.c:685
SYSC_ioctl fs/ioctl.c:700
SyS_ioctl+0x8f/0xc0 fs/ioctl.c:691
entry_SYSCALL_64_fastpath+0x1a/0xa9 arch/x86/entry/entry_64.S:204
RIP: 0033:0x7fd579b89b79
RSP: 002b:00007fd207bcae58 EFLAGS: 00000206 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007fd207bcb700 RCX: 00007fd579b89b79
RDX: 0000000020000000 RSI: 0000000000008914 RDI: 000000000000017a
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000206 R12: 00007fd57a055220
R13: 00007fd207bcb9c0 R14: 00007fd57a480040 R15: 0000000000000003
---[ end trace 8997f4cb685b1a24 ]---


>
> Thanx, Paul
>
>> kernel/rcu/tree.c:3269 at addr ffff88003b842280
>> Write of size 8 by task kworker/u10:1/180
>> CPU: 2 PID: 180 Comm: kworker/u10:1 Not tainted 4.11.0-rc8+ #270
>> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
>> Workqueue: events_unbound call_usermodehelper_exec_work
>> Call Trace:
>> __dump_stack lib/dump_stack.c:16 [inline]
>> dump_stack+0x192/0x22d lib/dump_stack.c:52
>> kasan_object_err+0x1c/0x70 mm/kasan/report.c:164
>> print_address_description mm/kasan/report.c:202 [inline]
>> kasan_report_error mm/kasan/report.c:291 [inline]
>> kasan_report+0x252/0x510 mm/kasan/report.c:347
>> __asan_report_store8_noabort+0x17/0x20 mm/kasan/report.c:373
>> __call_rcu.constprop.77+0x13be/0x1640 kernel/rcu/tree.c:3269
>> call_rcu_sched+0x12/0x20 kernel/rcu/tree.c:3288
>> free_pid+0x446/0x5d0 kernel/pid.c:293
>> __change_pid+0x2a1/0x3d0 kernel/pid.c:411
>> detach_pid+0x1f/0x30 kernel/pid.c:416
>> __unhash_process kernel/exit.c:74 [inline]
>> __exit_signal kernel/exit.c:155 [inline]
>> release_task+0xbb0/0x1d90 kernel/exit.c:199
>> wait_task_zombie kernel/exit.c:1230 [inline]
>> wait_consider_task+0x11fe/0x3410 kernel/exit.c:1458
>> do_wait_thread kernel/exit.c:1521 [inline]
>> do_wait+0x3ea/0x8e0 kernel/exit.c:1592
>> SYSC_wait4 kernel/exit.c:1720 [inline]
>> SyS_wait4+0x208/0x340 kernel/exit.c:1689
>> call_usermodehelper_exec_sync kernel/kmod.c:292 [inline]
>> call_usermodehelper_exec_work+0x1a7/0x2b0 kernel/kmod.c:329
>> process_one_work+0x9f7/0x1580 kernel/workqueue.c:2097
>> worker_thread+0x1df/0x14b0 kernel/workqueue.c:2231
>> kthread+0x31f/0x3f0 kernel/kthread.c:231
>> ret_from_fork+0x2c/0x40 arch/x86/entry/entry_64.S:430
>> Object at ffff88003b842018, in cache kmalloc-1024 size: 1024
>> Allocated:
>> PID = 1
>> save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
>> save_stack+0x43/0xd0 mm/kasan/kasan.c:513
>> set_track mm/kasan/kasan.c:525 [inline]
>> kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:616
>> kmem_cache_alloc_trace+0x61/0x170 mm/slub.c:2745
>> kmalloc include/linux/slab.h:490 [inline]
>> kzalloc include/linux/slab.h:663 [inline]
>> ipv6_add_dev+0x199/0x1380 net/ipv6/addrconf.c:380
>> addrconf_init+0xd0/0x29a net/ipv6/addrconf.c:6405
>> inet6_init+0x2f6/0x584 net/ipv6/af_inet6.c:962
>> do_one_initcall+0xf3/0x380 init/main.c:792
>> do_initcall_level init/main.c:858 [inline]
>> do_initcalls init/main.c:866 [inline]
>> do_basic_setup init/main.c:884 [inline]
>> kernel_init_freeable+0x54d/0x622 init/main.c:1035
>> kernel_init+0x13/0x180 init/main.c:959
>> ret_from_fork+0x2c/0x40 arch/x86/entry/entry_64.S:430
>> Freed:
>> PID = 6479
>> save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
>> save_stack+0x43/0xd0 mm/kasan/kasan.c:513
>> set_track mm/kasan/kasan.c:525 [inline]
>> kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:589
>> slab_free_hook mm/slub.c:1357 [inline]
>> slab_free_freelist_hook mm/slub.c:1379 [inline]
>> slab_free mm/slub.c:2961 [inline]
>> kfree+0x91/0x190 mm/slub.c:3882
>> in6_dev_finish_destroy_rcu+0x97/0xc0 net/ipv6/addrconf_core.c:150
>> __rcu_reclaim kernel/rcu/rcu.h:118 [inline]
>> rcu_do_batch.isra.65+0x6de/0xbd0 kernel/rcu/tree.c:2879
>> invoke_rcu_callbacks kernel/rcu/tree.c:3142 [inline]
>> __rcu_process_callbacks kernel/rcu/tree.c:3109 [inline]
>> rcu_process_callbacks+0x23f/0x810 kernel/rcu/tree.c:3126
>> __do_softirq+0x253/0x78b kernel/softirq.c:284
>> Memory state around the buggy address:
>> ffff88003b842180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>> ffff88003b842200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>> >ffff88003b842280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>> ^
>> ffff88003b842300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>> ffff88003b842380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>> ==================================================================
>>
>
// autogenerated by syzkaller (http://github.com/google/syzkaller)

#ifndef __NR_mmap
#define __NR_mmap 9
#endif
#ifndef __NR_socket
#define __NR_socket 41
#endif
#ifndef __NR_ioctl
#define __NR_ioctl 16
#endif

#define _GNU_SOURCE

#include <sys/ioctl.h>
#include <sys/mman.h>
#include <sys/mount.h>
#include <sys/prctl.h>
#include <sys/resource.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/time.h>
#include <sys/types.h>
#include <sys/wait.h>

#include <linux/capability.h>
#include <linux/if.h>
#include <linux/if_tun.h>
#include <linux/kvm.h>
#include <linux/sched.h>
#include <net/if_arp.h>

#include <assert.h>
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <pthread.h>
#include <sched.h> /* unshare() prototype (needs _GNU_SOURCE) */
#include <setjmp.h>
#include <signal.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Thin wrapper around syscall(2): only the first six arguments are passed on,
 * the remaining slots exist for the generated call sites. */
static uintptr_t execute_syscall(int nr, uintptr_t a0, uintptr_t a1,
                                 uintptr_t a2, uintptr_t a3,
                                 uintptr_t a4, uintptr_t a5,
                                 uintptr_t a6, uintptr_t a7,
                                 uintptr_t a8)
{
  (void)a6; (void)a7; (void)a8;
  return syscall(nr, a0, a1, a2, a3, a4, a5);
}

/* Results of the individual calls (fds, ifindexes). Shared between threads
 * without synchronisation; the races are part of the reproducer. */
long r[160];

/* Each thread executes one program step selected by arg. All scratch buffers
 * live in the fixed mapping created by step 0. Runs of single zero-byte stores
 * from the generator are written as memset() over the same address ranges. */
static void *thr(void *arg)
{
  switch ((long)arg) {
  case 0:
    /* mmap(0x20000000, 0xfed000, PROT_READ|PROT_WRITE,
     *      MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) */
    r[0] = execute_syscall(__NR_mmap, 0x20000000ul, 0xfed000ul, 0x3ul,
                           0x32ul, 0xfffffffffffffffful, 0x0ul, 0, 0, 0);
    break;
  case 1:
    /* socket(AF_INET6, 5, 0) */
    r[1] = execute_syscall(__NR_socket, 0xaul, 0x5ul, 0x0ul, 0, 0, 0,
                           0, 0, 0);
    break;
  case 2:
    /* struct ifreq { ifr_name = "dummy0" }; ioctl(SIOCGIFINDEX = 0x8933) */
    memcpy((void *)0x20001fd8,
           "\x64\x75\x6d\x6d\x79\x30\x00\x00\x00\x00\x00\x00"
           "\x00\x00\x00\x00", 16);
    *(uint32_t *)0x20001fe8 = 0;
    memset((void *)0x20001fec, 0, 20);
    r[24] = execute_syscall(__NR_ioctl, r[1], 0x8933ul, 0x20001fd8ul, 0,
                            0, 0, 0, 0, 0);
    if (r[24] != -1)
      r[25] = *(uint32_t *)0x20001fe8; /* ifindex of dummy0 */
    break;
  case 3:
    /* struct in6_ifreq { addr = ::, prefixlen = 4, ifindex = dummy0 };
     * ioctl(SIOCSIFADDR = 0x8916) */
    memset((void *)0x20005000, 0, 16);
    *(uint32_t *)0x20005010 = 0x4;
    *(uint32_t *)0x20005014 = r[25];
    r[44] = execute_syscall(__NR_ioctl, r[1], 0x8916ul, 0x20005000ul, 0,
                            0, 0, 0, 0, 0);
    break;
  case 4:
    /* struct ifreq { ifr_name = "ip6tnl0" }; ioctl(SIOCGIFINDEX) */
    memcpy((void *)0x20005fd8,
           "\x69\x70\x36\x74\x6e\x6c\x30\x00\x00\x00\x00\x00"
           "\x00\x00\x00\x00", 16);
    *(uint32_t *)0x20005fe8 = 0;
    memset((void *)0x20005fec, 0, 20);
    r[67] = execute_syscall(__NR_ioctl, r[1], 0x8933ul, 0x20005fd8ul, 0,
                            0, 0, 0, 0, 0);
    if (r[67] != -1)
      r[68] = *(uint32_t *)0x20005fe8; /* ifindex of ip6tnl0 */
    break;
  case 5:
    /* struct in6_ifreq { addr = ::, prefixlen = 0x81, ifindex = ip6tnl0 };
     * ioctl(SIOCSIFADDR) */
    memset((void *)0x20004fe8, 0, 16);
    *(uint32_t *)0x20004ff8 = 0x81;
    *(uint32_t *)0x20004ffc = r[68];
    r[87] = execute_syscall(__NR_ioctl, r[1], 0x8916ul, 0x20004fe8ul, 0,
                            0, 0, 0, 0, 0);
    break;
  case 6:
    /* struct in6_ifreq { addr = fd00::bb, prefixlen = 1, ifindex = ip6tnl0 };
     * ioctl(SIOCSIFADDR) */
    *(uint8_t *)0x20001000 = 0xfd;
    memset((void *)0x20001001, 0, 14);
    *(uint8_t *)0x2000100f = 0xbb;
    *(uint32_t *)0x20001010 = 0x1;
    *(uint32_t *)0x20001014 = r[68];
    r[106] = execute_syscall(__NR_ioctl, r[1], 0x8916ul, 0x20001000ul,
                             0, 0, 0, 0, 0, 0);
    break;
  case 7:
    /* struct ifreq { "ip6tnl0", ifr_flags = 0x4001 };
     * ioctl(SIOCSIFFLAGS = 0x8914) */
    memcpy((void *)0x20000000,
           "\x69\x70\x36\x74\x6e\x6c\x30\x00\x00\x00\x00\x00"
           "\x00\x00\x00\x00", 16);
    *(uint16_t *)0x20000010 = 0x4001;
    r[109] = execute_syscall(__NR_ioctl, r[1], 0x8914ul, 0x20000000ul,
                             0, 0, 0, 0, 0, 0);
    break;
  case 8:
    /* socket(AF_INET6, SOCK_RAW, 7) */
    r[110] = execute_syscall(__NR_socket, 0xaul, 0x3ul, 0x7ul, 0, 0, 0,
                             0, 0, 0);
    break;
  case 9:
    /* struct in6_ifreq { addr = fd00::aa, ... } sent to an invalid fd (-1).
     * The 64-bit constant is truncated to a 32-bit zero, as in the
     * generated code. */
    *(uint8_t *)0x20feafe8 = 0xfd;
    memset((void *)0x20feafe9, 0, 14);
    *(uint8_t *)0x20feaff7 = 0xaa;
    *(uint32_t *)0x20feaff8 = (uint32_t)0xff0000000000000;
    *(uint32_t *)0x20feaffc = 0;
    r[129] = execute_syscall(__NR_ioctl, 0xfffffffffffffffful, 0x8916ul,
                             0x20feafe8ul, 0, 0, 0, 0, 0, 0);
    break;
  case 10:
    /* socket(AF_INET6, 5, 0) */
    r[130] = execute_syscall(__NR_socket, 0xaul, 0x5ul, 0x0ul, 0, 0, 0,
                             0, 0, 0);
    break;
  case 11:
    /* struct ifreq { "lo", ifr_flags = 0x3003 }; ioctl(SIOCSIFFLAGS) */
    memcpy((void *)0x209b9000,
           "\x6c\x6f\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
           "\x00\x00\x00\x00", 16);
    *(uint16_t *)0x209b9010 = 0x3003;
    r[133] = execute_syscall(__NR_ioctl, r[130], 0x8914ul, 0x209b9000ul,
                             0, 0, 0, 0, 0, 0);
    break;
  case 12:
    /* struct ifreq { "lo", ifr_flags = 0x2 }; the rest of the union is
     * filled like a sockaddr_in, but SIOCSIFFLAGS only uses ifr_flags. */
    memcpy((void *)0x20000000,
           "\x6c\x6f\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
           "\x00\x00\x00\x00", 16);
    *(uint16_t *)0x20000010 = 0x2;
    *(uint16_t *)0x20000012 = 0x234e;
    *(uint32_t *)0x20000014 = 0x100007f;
    memset((void *)0x20000018, 0, 8);
    r[146] = execute_syscall(__NR_ioctl, r[110], 0x8914ul, 0x20000000ul,
                             0, 0, 0, 0, 0, 0);
    break;
  case 13:
    /* struct ifreq { "ip6tnl0", ifr_flags = 0x2 }; ioctl(SIOCSIFFLAGS) */
    memcpy((void *)0x20000000,
           "\x69\x70\x36\x74\x6e\x6c\x30\x00\x00\x00\x00\x00"
           "\x00\x00\x00\x00", 16);
    *(uint16_t *)0x20000010 = 0x2;
    *(uint16_t *)0x20000012 = 0x204e;
    *(uint32_t *)0x20000014 = 0;
    memset((void *)0x20000018, 0, 8);
    r[159] = execute_syscall(__NR_ioctl, r[1], 0x8914ul, 0x20000000ul,
                             0, 0, 0, 0, 0, 0);
    break;
  }
  return 0;
}

/* One round: a fresh network namespace, then every step is started twice,
 * in 28 concurrent threads that are never joined. */
static void test(void)
{
  long i;
  pthread_t th[28];

  unshare(CLONE_NEWNET);
  memset(r, -1, sizeof(r));
  srand(getpid());
  for (i = 0; i < 14; i++)
    pthread_create(&th[i], 0, thr, (void *)i);
  for (i = 0; i < 14; i++)
    pthread_create(&th[14 + i], 0, thr, (void *)i);
}

int main(void)
{
  while (1)
    test();
  return 0;
}

Attachment: .config
Description: Binary data