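// https://syzkaller.appspot.com/bug?id=bf7780df648105d40e1fdbb0566defda3605ed93
// autogenerated by syzkaller (https://github.com/google/syzkaller)
//
// Reviewed / annotated copy of the reproducer. What it does, as visible below:
//   * moves into fresh namespaces, lowers rlimits and drops two capabilities;
//   * creates a TAP device "syz_tun" with fixed MAC / IPv4 / IPv6 addresses and
//     static neighbour entries via rtnetlink;
//   * opens AF_PACKET/SOCK_RAW sockets bound to that device, enables
//     PACKET_VNET_HDR, and sendmsg()s a two-element iovec: a virtio_net_hdr that
//     advertises UDP GSO, followed by ~3.3 KiB of fuzzer-generated frame bytes.
// It needs root (mount, unshare, /proc/sys writes, binfmt_misc registration) and
// deliberately alters system state: run it only inside a disposable VM.
// The byte blobs in loop() are the payload that reproduces the report and must
// not be edited; everything else is plain harness code.
#define _GNU_SOURCE

#include <arpa/inet.h>
#include <endian.h>
#include <errno.h>
#include <fcntl.h>
#include <net/if.h>
#include <netinet/in.h>
#include <sched.h>
#include <signal.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/mount.h>
#include <sys/prctl.h>
#include <sys/resource.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>
#include <linux/capability.h>
#include <linux/genetlink.h>
#include <linux/if_addr.h>
#include <linux/if_ether.h>
#include <linux/if_link.h>
#include <linux/if_tun.h>
#include <linux/neighbour.h>
#include <linux/netlink.h>
#include <linux/rtnetlink.h>

// Older libc headers may not expose this namespace flag; keep the raw value
// the generated code used so the unshare() below stays self-describing.
#ifndef CLONE_NEWCGROUP
#define CLONE_NEWCGROUP 0x02000000
#endif

// Format `what` (printf style) into a bounded buffer and write it to `file`.
// Returns false, with errno preserved from the failing call, on open/short
// write. The format string is always a literal supplied by this file.
static bool write_file(const char* file, const char* what, ...)
    __attribute__((format(printf, 2, 3)));

static bool write_file(const char* file, const char* what, ...)
{
  char buf[1024];
  va_list args;
  va_start(args, what);
  vsnprintf(buf, sizeof(buf), what, args);
  va_end(args);
  buf[sizeof(buf) - 1] = 0;
  size_t len = strlen(buf);
  int fd = open(file, O_WRONLY | O_CLOEXEC);
  if (fd == -1)
    return false;
  ssize_t n = write(fd, buf, len);
  if (n < 0 || (size_t)n != len) {
    int err = errno;
    close(fd);
    errno = err;
    return false;
  }
  close(fd);
  return true;
}

// Minimal netlink message builder: `pos` is the write cursor inside `buf`;
// `nesting`/`nested` track open nested attributes (unused by this repro but
// checked in netlink_send_ext so a half-built message is never sent).
struct nlmsg {
  char* pos;
  int nesting;
  struct nlattr* nested[8];
  char buf[4096];
};

// Abort if `size` more bytes would not fit in the message buffer. The
// original only detected an overrun *after* writing past the end; checking
// before the memcpy keeps the harness itself free of stack corruption.
static void netlink_reserve(struct nlmsg* nlmsg, size_t size)
{
  size_t room = (size_t)((nlmsg->buf + sizeof(nlmsg->buf)) - nlmsg->pos);
  if (size > room)
    exit(1);
}

// Reset the builder and start a request of type `typ` with `data` as the
// fixed-size family header. NLM_F_REQUEST|NLM_F_ACK are always set so every
// send gets a reply that netlink_send_ext can parse.
static void netlink_init(struct nlmsg* nlmsg, int typ, int flags,
                         const void* data, int size)
{
  memset(nlmsg, 0, sizeof(*nlmsg));
  struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf;
  hdr->nlmsg_type = typ;
  hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags;
  nlmsg->pos = (char*)(hdr + 1);
  netlink_reserve(nlmsg, NLMSG_ALIGN(size));
  memcpy(hdr + 1, data, size);
  nlmsg->pos += NLMSG_ALIGN(size);
}

// Append one flat attribute (type, payload) at the cursor, 4-byte aligned.
static void netlink_attr(struct nlmsg* nlmsg, int typ, const void* data,
                         int size)
{
  size_t total = sizeof(struct nlattr) + (size_t)size;
  netlink_reserve(nlmsg, NLMSG_ALIGN(total));
  struct nlattr* attr = (struct nlattr*)nlmsg->pos;
  attr->nla_len = (uint16_t)total;
  attr->nla_type = typ;
  if (size > 0)
    memcpy(attr + 1, data, size);
  nlmsg->pos += NLMSG_ALIGN(attr->nla_len);
}

// Send the built message and read one reply.
//   * NLMSG_DONE -> 0
//   * a message of `reply_type` (when requested) -> 0, *reply_len = bytes read
//   * NLMSG_ERROR -> -errno (0 for a plain ACK)
// Any other shape -> -1 with errno = EINVAL. With `dofail` every failure is
// fatal (exit(1)); otherwise the caller gets the negative return.
static int netlink_send_ext(struct nlmsg* nlmsg, int sock, uint16_t reply_type,
                            int* reply_len, bool dofail)
{
  // Refuse to send a message that overran the buffer or has an open nest.
  if (nlmsg->pos > nlmsg->buf + sizeof(nlmsg->buf) || nlmsg->nesting)
    exit(1);
  struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf;
  hdr->nlmsg_len = nlmsg->pos - nlmsg->buf;
  struct sockaddr_nl addr;
  memset(&addr, 0, sizeof(addr));
  addr.nl_family = AF_NETLINK;
  ssize_t n = sendto(sock, nlmsg->buf, hdr->nlmsg_len, 0,
                     (struct sockaddr*)&addr, sizeof(addr));
  if (n != (ssize_t)hdr->nlmsg_len) {
    if (dofail)
      exit(1);
    return -1;
  }
  // The reply is read into the same buffer, overwriting the request.
  n = recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0);
  if (reply_len)
    *reply_len = 0;
  if (n < 0) {
    if (dofail)
      exit(1);
    return -1;
  }
  if (n < (ssize_t)sizeof(struct nlmsghdr)) {
    errno = EINVAL;
    if (dofail)
      exit(1);
    return -1;
  }
  if (hdr->nlmsg_type == NLMSG_DONE)
    return 0;
  if (reply_len && hdr->nlmsg_type == reply_type) {
    *reply_len = (int)n;
    return 0;
  }
  if (n < (ssize_t)(sizeof(struct nlmsghdr) + sizeof(struct nlmsgerr))) {
    errno = EINVAL;
    if (dofail)
      exit(1);
    return -1;
  }
  if (hdr->nlmsg_type != NLMSG_ERROR) {
    errno = EINVAL;
    if (dofail)
      exit(1);
    return -1;
  }
  // nlmsgerr.error is a negative errno (0 on a successful ACK).
  errno = -((struct nlmsgerr*)(hdr + 1))->error;
  return -errno;
}

// Fail-fast variant used by the device setup helpers.
static int netlink_send(struct nlmsg* nlmsg, int sock)
{
  return netlink_send_ext(nlmsg, sock, 0, NULL, true);
}

// Resolve a generic-netlink family name to its numeric id via CTRL_CMD_GETFAMILY.
// Returns the id (>0) or -1. Not used by this reproducer's loop(), but kept as
// part of the harness; the attribute walk is bounds-checked so a malformed or
// truncated reply can neither read past the buffer nor loop forever on a
// zero-length attribute.
static int netlink_query_family_id(struct nlmsg* nlmsg, int sock,
                                   const char* family_name, bool dofail)
{
  struct genlmsghdr genlhdr;
  memset(&genlhdr, 0, sizeof(genlhdr));
  genlhdr.cmd = CTRL_CMD_GETFAMILY;
  netlink_init(nlmsg, GENL_ID_CTRL, 0, &genlhdr, sizeof(genlhdr));
  netlink_attr(nlmsg, CTRL_ATTR_FAMILY_NAME, family_name,
               (int)strnlen(family_name, GENL_NAMSIZ - 1) + 1);
  int n = 0;
  int err = netlink_send_ext(nlmsg, sock, GENL_ID_CTRL, &n, dofail);
  if (err < 0)
    return -1;
  uint16_t id = 0;
  const char* end = nlmsg->buf + n;
  struct nlattr* attr = (struct nlattr*)(nlmsg->buf + NLMSG_HDRLEN +
                                         NLMSG_ALIGN(sizeof(genlhdr)));
  while ((const char*)attr + sizeof(*attr) <= end) {
    // A header shorter than itself or longer than the reply is malformed.
    if (attr->nla_len < sizeof(*attr) || (const char*)attr + attr->nla_len > end)
      break;
    if (attr->nla_type == CTRL_ATTR_FAMILY_ID &&
        attr->nla_len >= sizeof(*attr) + sizeof(id)) {
      memcpy(&id, attr + 1, sizeof(id));
      break;
    }
    attr = (struct nlattr*)((char*)attr + NLMSG_ALIGN(attr->nla_len));
  }
  if (!id) {
    errno = EINVAL;
    return -1;
  }
  // Drain the trailing NLMSG_DONE/ACK so the socket is clean for the next call.
  recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0);
  return id;
}

// RTM_NEWLINK on `name`: optionally bring it up, enslave it to `master`,
// set its MAC (`mac`/`macsize`) and/or rename it. Best effort: a netlink
// error is ignored so a partially configured device still lets the repro run.
static void netlink_device_change(struct nlmsg* nlmsg, int sock,
                                  const char* name, bool up,
                                  const char* master, const void* mac,
                                  int macsize, const char* new_name)
{
  struct ifinfomsg hdr;
  memset(&hdr, 0, sizeof(hdr));
  if (up)
    hdr.ifi_flags = hdr.ifi_change = IFF_UP;
  hdr.ifi_index = if_nametoindex(name);
  netlink_init(nlmsg, RTM_NEWLINK, 0, &hdr, sizeof(hdr));
  if (new_name)
    netlink_attr(nlmsg, IFLA_IFNAME, new_name, (int)strlen(new_name));
  if (master) {
    int ifindex = if_nametoindex(master);
    netlink_attr(nlmsg, IFLA_MASTER, &ifindex, sizeof(ifindex));
  }
  if (macsize)
    netlink_attr(nlmsg, IFLA_ADDRESS, mac, macsize);
  (void)netlink_send(nlmsg, sock);
}

// RTM_NEWADDR: add `addr` (4 bytes -> IPv4 /24, otherwise IPv6 /120) on `dev`.
// NLM_F_REPLACE makes re-running the setup idempotent.
static int netlink_add_addr(struct nlmsg* nlmsg, int sock, const char* dev,
                            const void* addr, int addrsize)
{
  bool v4 = addrsize == 4;
  struct ifaddrmsg hdr;
  memset(&hdr, 0, sizeof(hdr));
  hdr.ifa_family = v4 ? AF_INET : AF_INET6;
  hdr.ifa_prefixlen = v4 ? 24 : 120;
  hdr.ifa_scope = RT_SCOPE_UNIVERSE;
  hdr.ifa_index = if_nametoindex(dev);
  netlink_init(nlmsg, RTM_NEWADDR, NLM_F_CREATE | NLM_F_REPLACE, &hdr,
               sizeof(hdr));
  netlink_attr(nlmsg, IFA_LOCAL, addr, addrsize);
  netlink_attr(nlmsg, IFA_ADDRESS, addr, addrsize);
  return netlink_send(nlmsg, sock);
}

// Dotted-quad convenience wrapper around netlink_add_addr (best effort).
static void netlink_add_addr4(struct nlmsg* nlmsg, int sock, const char* dev,
                              const char* addr)
{
  struct in_addr in_addr;
  inet_pton(AF_INET, addr, &in_addr);
  (void)netlink_add_addr(nlmsg, sock, dev, &in_addr, sizeof(in_addr));
}

// Textual-IPv6 convenience wrapper around netlink_add_addr (best effort).
static void netlink_add_addr6(struct nlmsg* nlmsg, int sock, const char* dev,
                              const char* addr)
{
  struct in6_addr in6_addr;
  inet_pton(AF_INET6, addr, &in6_addr);
  (void)netlink_add_addr(nlmsg, sock, dev, &in6_addr, sizeof(in6_addr));
}

// RTM_NEWNEIGH: install a permanent neighbour entry addr -> mac on `name`, so
// traffic to the "remote" side never needs ARP/ND over the TAP device.
static void netlink_add_neigh(struct nlmsg* nlmsg, int sock, const char* name,
                              const void* addr, int addrsize, const void* mac,
                              int macsize)
{
  struct ndmsg hdr;
  memset(&hdr, 0, sizeof(hdr));
  hdr.ndm_family = addrsize == 4 ? AF_INET : AF_INET6;
  hdr.ndm_ifindex = if_nametoindex(name);
  hdr.ndm_state = NUD_PERMANENT;
  netlink_init(nlmsg, RTM_NEWNEIGH, NLM_F_EXCL | NLM_F_CREATE, &hdr,
               sizeof(hdr));
  netlink_attr(nlmsg, NDA_DST, addr, addrsize);
  netlink_attr(nlmsg, NDA_LLADDR, mac, macsize);
  (void)netlink_send(nlmsg, sock);
}

static struct nlmsg nlmsg;
static int tunfd = -1;

// Fixed identity of the fuzzing TAP device; the "remote" MAC/IPs get static
// neighbour entries, the "local" ones are assigned to the device itself.
#define TUN_IFACE "syz_tun"
#define LOCAL_MAC 0xaaaaaaaaaaaa
#define REMOTE_MAC 0xaaaaaaaaaabb
#define LOCAL_IPV4 "172.20.20.170"
#define REMOTE_IPV4 "172.20.20.187"
#define LOCAL_IPV6 "fe80::aa"
#define REMOTE_IPV6 "fe80::bb"
#define IFF_NAPI 0x0010 // not used by this reproducer; kept from the template

// Create the TAP device and pin its fd at descriptor 200 so the raw
// syscall numbers in loop() are stable regardless of what else is open.
// Missing /dev/net/tun is reported but not fatal (the repro then most likely
// will not trigger, as the message says).
static void initialize_tun(void)
{
  tunfd = open("/dev/net/tun", O_RDWR | O_NONBLOCK);
  if (tunfd == -1) {
    printf("tun: can't open /dev/net/tun: please enable CONFIG_TUN=y\n");
    printf("otherwise fuzzing or reproducing might not work as intended\n");
    return;
  }
  const int kTunFd = 200;
  if (dup2(tunfd, kTunFd) < 0)
    exit(1);
  close(tunfd);
  tunfd = kTunFd;

  struct ifreq ifr;
  memset(&ifr, 0, sizeof(ifr));
  // snprintf always NUL-terminates; strncpy(…, IFNAMSIZ) would not if the
  // name were ever lengthened to IFNAMSIZ bytes.
  snprintf(ifr.ifr_name, IFNAMSIZ, "%s", TUN_IFACE);
  ifr.ifr_flags = IFF_TAP | IFF_NO_PI;
  if (ioctl(tunfd, TUNSETIFF, (void*)&ifr) < 0)
    exit(1);

  // Keep the kernel from generating its own DAD / RS traffic on the device.
  char sysctl[64];
  snprintf(sysctl, sizeof(sysctl), "/proc/sys/net/ipv6/conf/%s/accept_dad",
           TUN_IFACE);
  write_file(sysctl, "0");
  snprintf(sysctl, sizeof(sysctl),
           "/proc/sys/net/ipv6/conf/%s/router_solicitations", TUN_IFACE);
  write_file(sysctl, "0");

  int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
  if (sock == -1)
    exit(1);
  netlink_add_addr4(&nlmsg, sock, TUN_IFACE, LOCAL_IPV4);
  netlink_add_addr6(&nlmsg, sock, TUN_IFACE, LOCAL_IPV6);

  // Only the low ETH_ALEN bytes of the little-endian uint64 are used.
  uint64_t macaddr = REMOTE_MAC;
  struct in_addr in_addr;
  inet_pton(AF_INET, REMOTE_IPV4, &in_addr);
  netlink_add_neigh(&nlmsg, sock, TUN_IFACE, &in_addr, sizeof(in_addr),
                    &macaddr, ETH_ALEN);
  struct in6_addr in6_addr;
  inet_pton(AF_INET6, REMOTE_IPV6, &in6_addr);
  netlink_add_neigh(&nlmsg, sock, TUN_IFACE, &in6_addr, sizeof(in6_addr),
                    &macaddr, ETH_ALEN);

  macaddr = LOCAL_MAC;
  netlink_device_change(&nlmsg, sock, TUN_IFACE, true, 0, &macaddr, ETH_ALEN,
                        NULL);
  close(sock);
}

// Best-effort mounts the syzkaller template always performs; failures are
// ignored because this repro does not depend on them.
static void setup_common(void)
{
  (void)mount(0, "/sys/fs/fuse/connections", "fusectl", 0, 0);
}

static void setup_binderfs(void)
{
  (void)mkdir("/dev/binderfs", 0777);
  (void)mount("binder", "/dev/binderfs", "binder", 0, NULL);
  (void)symlink("/dev/binderfs", "./binderfs");
}

static void loop(void);

// Isolate the child: die with the parent, own session, conservative rlimits,
// private mount/IPC/cgroup/UTS/SysV-sem namespaces, and SysV IPC sysctls
// large enough for the fuzzer's programs. All of this is best effort.
static void sandbox_common(void)
{
  prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
  setsid();

  struct rlimit rlim;
  rlim.rlim_cur = rlim.rlim_max = (200 << 20);
  setrlimit(RLIMIT_AS, &rlim);
  rlim.rlim_cur = rlim.rlim_max = 32 << 20;
  setrlimit(RLIMIT_MEMLOCK, &rlim);
  rlim.rlim_cur = rlim.rlim_max = 136 << 20;
  setrlimit(RLIMIT_FSIZE, &rlim);
  rlim.rlim_cur = rlim.rlim_max = 1 << 20;
  setrlimit(RLIMIT_STACK, &rlim);
  rlim.rlim_cur = rlim.rlim_max = 0;
  setrlimit(RLIMIT_CORE, &rlim);
  rlim.rlim_cur = rlim.rlim_max = 256;
  setrlimit(RLIMIT_NOFILE, &rlim);

  (void)unshare(CLONE_NEWNS);
  // Make the new mount namespace private so later mounts don't propagate out.
  (void)mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL);
  (void)unshare(CLONE_NEWIPC);
  (void)unshare(CLONE_NEWCGROUP);
  (void)unshare(CLONE_NEWUTS);
  (void)unshare(CLONE_SYSVSEM);

  typedef struct {
    const char* name;
    const char* value;
  } sysctl_t;
  static const sysctl_t sysctls[] = {
      {"/proc/sys/kernel/shmmax", "16777216"},
      {"/proc/sys/kernel/shmall", "536870912"},
      {"/proc/sys/kernel/shmmni", "1024"},
      {"/proc/sys/kernel/msgmax", "8192"},
      {"/proc/sys/kernel/msgmni", "1024"},
      {"/proc/sys/kernel/msgmnb", "1024"},
      {"/proc/sys/kernel/sem", "1024 1048576 500 1024"},
  };
  for (size_t i = 0; i < sizeof(sysctls) / sizeof(sysctls[0]); i++)
    write_file(sysctls[i].name, sysctls[i].value);
}

// Reap children until `pid` exits and return its exit status. A failed fork
// (pid < 0) is fatal, and so is waitpid() reporting no children left, which
// would otherwise spin this loop forever.
static int wait_for_loop(int pid)
{
  if (pid < 0)
    exit(1);
  int status = 0;
  for (;;) {
    int w = waitpid(-1, &status, __WALL);
    if (w == pid)
      break;
    if (w == -1 && errno != EINTR)
      exit(1);
  }
  return WEXITSTATUS(status);
}

// Drop CAP_SYS_PTRACE and CAP_SYS_NICE from all three sets of the calling
// process (raw capget/capset so no libcap dependency). Both fit in cap_data[0]
// because their numbers are below 32.
static void drop_caps(void)
{
  struct __user_cap_header_struct cap_hdr;
  struct __user_cap_data_struct cap_data[2];
  memset(&cap_hdr, 0, sizeof(cap_hdr));
  memset(cap_data, 0, sizeof(cap_data));
  cap_hdr.version = _LINUX_CAPABILITY_VERSION_3;
  cap_hdr.pid = getpid();
  if (syscall(SYS_capget, &cap_hdr, cap_data))
    exit(1);
  const uint32_t drop = (1u << CAP_SYS_PTRACE) | (1u << CAP_SYS_NICE);
  cap_data[0].effective &= ~drop;
  cap_data[0].permitted &= ~drop;
  cap_data[0].inheritable &= ~drop;
  if (syscall(SYS_capset, &cap_hdr, cap_data))
    exit(1);
}

// "none" sandbox: new PID namespace, fork, and in the child set up the
// environment, enter a fresh network namespace (so the TAP device and packet
// sockets are private to the repro), then run loop(). Parent waits.
static int do_sandbox_none(void)
{
  (void)unshare(CLONE_NEWPID);
  int pid = fork();
  if (pid != 0)
    return wait_for_loop(pid);
  setup_common();
  sandbox_common();
  drop_caps();
  (void)unshare(CLONE_NEWNET);
  initialize_tun();
  setup_binderfs();
  loop();
  exit(1);
}

// Template step: register two binfmt_misc handlers that dispatch to ./file0.
// Unrelated to the network trigger in loop(), but it does change how the
// kernel executes files whose first byte is 0x01 or 0x02 (second byte) while
// the mount persists — another reason to run this only in a throwaway VM.
static void setup_binfmt_misc(void)
{
  (void)mount(0, "/proc/sys/fs/binfmt_misc", "binfmt_misc", 0, 0);
  write_file("/proc/sys/fs/binfmt_misc/register", ":syz0:M:0:\x01::./file0:");
  write_file("/proc/sys/fs/binfmt_misc/register",
             ":syz1:M:1:\x02::./file0:POC");
}

// Results of earlier syscalls reused by later ones:
//   r[0] = raw packet socket used for bind/setsockopt/sendmsg
//   r[1] = second packet socket, used only for SIOCGIFINDEX
//   r[2] = ifindex of TUN_IFACE
uint64_t r[3] = {0xffffffffffffffff, 0xffffffffffffffff, 0x0};

// The reproducer proper. All syscall arguments live in the fixed mapping at
// 0x20000000 set up by main(); the numeric constants are decoded in the
// comments but left as written because they ARE the test case.
void loop(void)
{
  intptr_t res = 0;

  // socket(AF_PACKET, SOCK_RAW, 0): the high bits of the first argument are
  // discarded when the kernel takes it as an int; 0x11 == AF_PACKET.
  res = syscall(__NR_socket, 0x200000100000011ul, 3ul, 0);
  if (res != -1)
    r[0] = res;
  // socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL)) — 0x0300 is ETH_P_ALL (3)
  // in network byte order.
  res = syscall(__NR_socket, 0x11ul, 3ul, 0x300);
  if (res != -1)
    r[1] = res;

  // ioctl(r[1], SIOCGIFINDEX (0x8933), &ifreq{"syz_tun"}) -> ifr_ifindex at +16.
  memcpy((void*)0x20000080, "syz_tun\000\000\000\000\000\000\000\000\000", 16);
  res = syscall(__NR_ioctl, r[1], 0x8933, 0x20000080ul);
  if (res != -1)
    r[2] = *(uint32_t*)0x20000090;

  // struct sockaddr_ll (20 bytes) for bind():
  //   sll_family=AF_PACKET, sll_protocol=0, sll_ifindex=r[2],
  //   sll_hatype=1 (ARPHRD_ETHER), sll_pkttype=0, sll_halen=6,
  //   sll_addr=aa:aa:aa:aa:aa:aa (LOCAL_MAC), padding 0.
  *(uint16_t*)0x20000040 = 0x11;
  *(uint16_t*)0x20000042 = htobe16(0);
  *(uint32_t*)0x20000044 = r[2];
  *(uint16_t*)0x20000048 = 1;
  *(uint8_t*)0x2000004a = 0;
  *(uint8_t*)0x2000004b = 6;
  memset((void*)0x2000004c, 170, 5);
  *(uint8_t*)0x20000051 = 0xaa;
  memset((void*)0x20000052, 0, 2);
  syscall(__NR_bind, r[0], 0x20000040ul, 0x14ul);

  // setsockopt(r[0], SOL_PACKET (0x107), PACKET_VNET_HDR (15), &nonzero, 4):
  // from here on the first bytes of every sendmsg() are a struct virtio_net_hdr.
  *(uint32_t*)0x20000100 = 0x800b;
  syscall(__NR_setsockopt, r[0], 0x107, 0xf, 0x20000100ul, 4ul);

  // struct msghdr at 0x20000140: no name, iov at 0x200015c0 (2 entries),
  // no control data, flags 0.
  *(uint64_t*)0x20000140 = 0;
  *(uint32_t*)0x20000148 = 0;
  *(uint64_t*)0x20000150 = 0x200015c0;

  // iov[0]: 61 bytes. Decoded as virtio_net_hdr (10 bytes):
  //   flags=0x03 (NEEDS_CSUM|DATA_VALID), gso_type=0x03 (GSO_UDP), hdr_len=0,
  //   gso_size=0x11, csum_start=0, csum_offset=0 — followed by 51 frame bytes.
  *(uint64_t*)0x200015c0 = 0x20000000;
  memcpy((void*)0x20000000,
         "\x03\x03\x00\x00\x11\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xdb"
         "\x6e\x6c\x8d\x5e\x85\x88\xa8\x6a\xf4\xbc\x5d\x5d\xa2\xf4\x30\xf8\x49"
         "\xdb\xc2\x0b\xb2\x23\x61\x83\x69\xd8\x26\xa9\xcd\x29\x18\x84\x61\xfb"
         "\x27\xb1\x5d\x18\xae\xfc\x4d\xef\x56\xf7",
         61);
  *(uint64_t*)0x200015c8 = 0x300;

  // iov[1]: 0xcfc (3324) bytes starting at 0x20000480. Only the first 3305
  // are written here; the remaining 19 are whatever the anonymous mapping
  // holds (zero on first use). The first 16 bytes happen to read as
  // ((uint32_t)0xcfc, 0, 0, 0, 0) followed by the blob.
  *(uint64_t*)0x200015d0 = 0x20000480;
  *(uint32_t*)0x20000480 = 0xcfc;
  *(uint16_t*)0x20000484 = 0;
  *(uint16_t*)0x20000486 = 0;
  *(uint32_t*)0x20000488 = 0;
  *(uint32_t*)0x2000048c = 0;
  memcpy(
      (void*)0x20000490,
      "\xa4\x34\x02\x70\xaa\x20\x76\x67\xa4\x47\x52\xd6\xb9\x8e\xf3\x64\x3c\xc8"
      "\x5d\xd9\x7f\x2e\x3a\x37\xa2\xaa\xe0\xab\x8a\x5b\x46\xb4\x74\x3f\xaf\x78"
      "\x3e\x90\xc4\x07\xb9\x89\xb9\x57\x05\x38\x93\x1c\xf8\xea\xc3\x9d\xed\x6d"
      "\x60\x9d\x89\x16\x7c\xd1\x12\x47\x58\x9e\x75\x47\xf1\x1f\x4b\x05\xa8\xc5"
      "\xf1\x3a\x44\x41\xf9\x92\x99\xba\x12\xb3\x35\x6d\xc0\x97\x73\x42\x88\x6c"
      "\xbc\x3c\xf9\x9b\x6d\x90\x26\xb6\x11\x58\x65\x2f\xd8\x2b\x1c\x05\x56\x34"
      "\xef\x07\xaf\x76\x7a\x38\xdd\x40\xf5\xab\x41\xdb\x6b\x04\x5d\xea\x12\x3b"
      "\x2b\x9d\xcf\x69\xbd\xbe\x8c\x04\xb0\x7d\x07\x24\x95\x50\x8d\x02\x2a\xc3"
      "\xc0\x7e\x81\x20\x71\x62\x88\x96\xf9\xa2\xc5\x17\xc7\xfe\xad\xb9\x17\x8c"
      "\x09\xd6\x5b\xed\x96\xd6\x8d\xeb\x06\x12\x75\xbb\x9a\x09\x15\x99\x1f\x44"
      "\xdd\xe4\xa8\x21\x05\xb1\xd6\xae\xff\xef\x89\x51\x0a\x7f\x3c\x79\x56\x04"
      "\x20\x77\x32\x29\xa2\x8f\x1f\xcf\x43\x98\x9c\x3a\xe2\x06\x16\x62\x46\xb8"
      "\xd8\xe4\xe1\x81\x8c\x23\x8a\x73\xa8\x91\x88\x82\x76\x83\x8f\xd3\xd7\x07"
      "\x40\x4b\xbf\x81\x03\x56\xfc\x60\x7c\xad\x30\x3e\x04\x56\x31\xae\xe5\x51"
      "\x92\x57\x38\xf6\xa6\x9c\xbf\x6c\x37\x8e\x9b\x14\x97\xe8\x5b\xac\xe2\x8f"
      "\x5e\x9c\xe3\x74\xb5\xed\x88\x52\xf7\xf9\x15\x7e\xaf\x7f\x81\x50\x82\x8e"
      "\xaa\xef\xc8\x5f\xd5\x3c\xe3\x72\x7f\xb3\xea\x7d\x90\x78\x26\x00\x08\xaf"
      "\x58\x18\x90\xcb\x33\x6f\xfe\x66\xdd\x01\x51\x3a\x6e\xc4\x5d\x80\xfd\x43"
      "\x12\x15\x99\x3b\x41\x77\x44\xad\x1c\x43\x79\xaa\x3b\xe7\xf2\xbd\xae\x9c"
      "\xfa\x1a\xa0\x78\xdb\x4b\xd7\x6a\x11\x53\x8d\x89\x2f\x73\x65\x92\xd5\xa2"
      "\x9b\xc2\xe4\xa6\x85\xeb\x1f\xdd\xa8\x82\x41\x64\x6c\x41\x50\xd4\xb2\xef"
      "\x02\x34\x34\xf4\x31\xeb\xdb\x21\xe8\xc7\x58\xda\x76\xe8\x49\xd2\x12\x82"
      "\xae\x4e\x7b\xf1\x23\x01\xba\x2e\xe2\xa7\x5a\x2f\xe1\xe3\x60\x03\x77\x36"
      "\x84\x4a\xdc\xa2\xd1\x2b\x5f\x23\x32\x18\x53\x44\xc4\x7b\xc1\x8c\x1e\x08"
      "\x41\xe6\x84\x44\x81\x4d\x59\x62\x75\x31\xcd\xa0\x27\xed\x96\xbb\x60\xd7"
      "\x97\x5c\xa3\xb0\x9c\x4a\xaa\x90\xe6\xc8\x16\x10\x00\x4d\x15\xb1\x72\xe2"
      "\x06\xae\xf5\x7f\xd9\x58\xe1\x9a\x27\x0a\xec\x8b\x55\xd6\x4e\xb0\xd5\xdd"
      "\x88\x69\xaf\x36\x97\x3e\xf0\xa0\x3c\xd2\xb7\x93\x8d\x35\xb4\x63\x99\x5f"
      "\x5f\x34\x8d\xa0\xac\x9c\x21\x0a\xdd\xb9\x2c\xdc\x25\x49\xdd\xb8\x7d\xb6"
      "\xc1\x65\x9f\x39\xff\xea\x03\xb7\xf2\xaf\xa7\x03\x7d\x76\xb8\xb9\x5d\x55"
      "\xb9\x3e\x00\x03\xaa\xe6\xdb\x4e\x11\x22\x05\x0c\x98\x09\x43\x73\x58\x7d"
      "\xd9\x7e\xd8\xff\x69\x2e\xe9\xfa\x1e\x07\x7c\x8d\xe1\x08\x88\x19\x68\xe6"
      "\xf2\x91\xbb\x39\x6b\xb5\x10\x7d\xb0\xa7\xfd\xe6\x19\x32\x7b\x0c\x2c\xcd"
      "\x6c\xc8\x7d\xa3\x8e\xdf\xf9\x32\x7e\x68\x35\x20\x53\x1d\xdf\x3e\x58\x9c"
      "\xdd\x25\x04\x9f\x61\xf2\x4e\x94\xd9\xcb\xce\x4d\x1c\xea\x62\xae\xa1\xa0"
      "\xca\x77\x4c\x7c\x6e\x6e\x02\xcb\x9f\x93\x1c\x58\xfa\x80\xf5\x31\x49\x09"
      "\x5e\x6c\x46\x08\x6d\xc8\x11\x29\xd6\x9e\xbf\xd5\x35\xb9\x78\xff\xff\xc6"
      "\xa3\x24\xc9\x06\xec\xf1\x39\x14\x21\x06\x33\x8a\x6d\x4c\x69\x26\x25\x5a"
      "\x96\x10\xf1\x96\xfe\x12\x0f\x91\xc3\xd3\x66\xba\x85\x10\x80\xbd\x16\x2e"
      "\x1d\x45\xbe\x53\x3e\xea\x74\x5a\x79\x75\x67\xcc\x65\xbd\xa7\xd7\x64\x11"
      "\xf4\x3e\x17\x8c\x08\xe4\x8c\x08\x4f\x07\x7a\xf9\x03\x41\xae\xcf\xb7\xd2"
      "\x6f\xfe\xe7\xb6\x2c\xfd\xa3\x6e\xa8\x6e\x9d\x51\xcd\xad\x0a\xd7\xf7\xbf"
      "\x12\x5d\x74\x81\x0b\x75\x4d\x5f\x3c\x9e\x59\x54\x5e\xc0\x6a\xe8\x22\x4a"
      "\x3a\x27\x4a\x65\x46\x03\x5b\x47\xa5\x36\xa3\xfd\xfd\x0a\xc0\xce\x6a\xe3"
      "\x69\x53\x64\xc0\x55\x29\x8b\x09\x69\x40\x30\x48\xb4\xc8\x7b\xaf\x9f\x5a"
      "\x48\x7d\x24\xfd\xd6\x9c\x3d\x8c\xec\xf2\xb0\x58\xdb\xdd\xf1\x79\x8b\xcf"
      "\x96\xe3\xf1\x81\x0f\x60\x81\xe0\xb2\x79\xce\xf5\x0e\xbd\xd9\xa1\x8a\x8c"
      "\x70\x64\x47\x6f\x3e\xec\x77\x70\x0b\x42\x2c\x95\xf8\x90\x3e\x52\x28\x21"
      "\xa9\xec\x3a\xa4\x56\x18\xb8\x26\xc8\x55\xdf\x60\xf7\x93\xbc\x37\x92\x94"
      "\x2b\xe1\xef\xd5\x1f\x1a\x1d\x11\x72\xd0\xe4\x5c\x59\x79\x3c\xe5\x49\x37"
      "\xea\x85\x12\x49\x2b\x36\xf9\xff\xe7\x29\xcc\xa8\x43\x75\x70\x8b\x4b\x28"
      "\xa0\x48\x70\x3b\x6e\x98\x42\xdb\x8c\x6f\xa9\xd4\xe2\xd2\xeb\xce\xf4\xb9"
      "\x76\x44\x73\xc0\x67\x42\xb1\x28\xd8\x2b\xd1\xcf\xa3\x2e\xa4\x0d\xc4\x44"
      "\x71\xfd\xc4\xa7\x64\x7e\x1f\x2d\x85\x75\x24\x98\x75\x02\x7d\x69\xb6\x06"
      "\xa9\x36\x0c\xc6\xc8\x00\xb8\xab\x2c\xc5\x2f\x2c\x65\x6a\x00\x9a\xb1\xd8"
      "\xc3\x40\x33\xdc\x06\x6f\x67\x7e\xcc\xd5\xda\x61\x8a\x29\x47\x7f\x33\xd1"
      "\xd1\x72\x01\x51\xa6\x42\xe5\x0e\xe0\x04\x72\x1f\xa4\x21\x9c\xaa\x4f\xdb"
      "\x02\x57\xe3\x45\x75\xc8\xc6\xcf\xf0\x0e\xeb\x5b\xa6\x9b\x3a\xe2\x05\xec"
      "\x36\x7b\xad\xb0\x58\x17\x06\x6e\xf0\xf2\x02\x06\x0e\x3b\x5a\xa0\xbb\x5d"
      "\x18\x15\x73\x50\x1c\x7b\xd1\x55\x77\xa0\xba\xdc\x22\x37\xf7\xaa\x47\x54"
      "\x08\x80\xf5\x6f\x88\x11\x89\x2b\x73\x8b\x3d\xc1\xd0\x39\xc1\x8b\x13\x89"
      "\xb7\x7c\x6f\xd2\xb5\xa8\x15\x9c\x96\x35\x44\x4b\xd8\x2d\x2a\x9b\x5d\x85"
      "\x3d\xab\x96\x4d\x1e\x74\x4b\x64\x35\x55\x28\x88\xf8\xed\xfb\x97\xca\x3e"
      "\x3c\x2c\xd9\x9b\x9c\xe1\xa7\xd4\x8f\x71\xdf\x25\xaa\x99\x9e\xf7\x96\x66"
      "\x1d\x6e\xe2\x3d\x04\xf5\xe2\xb8\x24\x61\x84\xca\x4e\xbe\xda\x32\x78\xa6"
      "\x14\x32\x32\x09\x8c\x8f\xd7\x0c\x3e\x82\x19\x50\x10\xbf\x39\xff\xaf\xdb"
      "\x40\x5c\xa6\x51\xef\x6e\x22\x88\xca\xbe\xe8\xb9\x3c\x16\x9c\x60\x76\x79"
      "\xad\xee\xec\xf5\xac\xa8\xe0\xbb\x60\x90\x66\x31\xc8\xaf\xf5\xa8\xcd\x05"
      "\x00\x13\xd9\x4b\xc8\x93\xf5\x81\x68\x82\xdc\x27\x15\xee\x0f\xc2\x7e\xec"
      "\xd8\xb9\xd1\x49\xc9\x29\x1e\xc3\x80\xad\xdd\x75\xcf\x8d\x98\xac\x73\x6e"
      "\x62\xc3\x01\x99\xde\xf2\xb2\x3b\x28\xdf\x7e\xcc\x9b\x7e\x85\x53\x2f\x34"
      "\x71\x6d\xe5\xf2\x79\x34\xdc\x14\x8e\x4f\x34\x06\x5e\x08\x30\x96\xb7\x9a"
      "\xbc\x5f\x6d\xc5\x2a\x49\x00\xfa\xd8\x46\x8d\x07\x3d\x09\xa0\x65\xee\x79"
      "\xcc\x7a\x46\xaf\xf1\x14\x7c\xbe\xd4\xad\x45\x55\x04\xf7\x45\x25\xc8\x63"
      "\x85\x47\x66\x68\x1d\xee\x49\x1f\xbd\x7f\x25\x2e\x73\x2a\xdb\x0a\xee\x23"
      "\xa7\xeb\xc3\xb0\xef\x93\xc1\x56\xbe\x93\x02\x6a\x4b\x50\x1f\x44\xbb\xcd"
      "\x00\x61\xe8\xf4\x1a\xc9\x27\x13\x69\x7f\x84\xb8\x80\x7e\x73\x22\x92\x71"
      "\x9e\xb9\xcc\xe3\xe1\x3a\x4b\x1b\x7e\x0c\x33\xa0\x39\x92\xdc\x5d\xae\x50"
      "\xc0\x55\x47\xa6\x6c\x0a\xe4\x50\xa9\x22\x84\x2e\xcc\x27\xa3\xce\x96\x74"
      "\x94\xd3\xf3\x0a\x60\x93\x96\xe0\xd2\xd4\x31\xaf\x30\x1b\xad\x3f\x3f\xe9"
      "\x93\xf9\x86\xc7\xac\x00\xff\x9a\x4c\xb0\xae\xc8\x0e\x89\xb5\x57\x2e\x78"
      "\xeb\x26\x4b\x4b\x9e\xd3\xe6\xe7\xfe\x61\xda\xf3\xe0\x91\xa5\x76\xba\xf3"
      "\x79\x2e\xa0\x76\x43\xcb\x55\xa4\x3c\x9d\xf2\xf3\x24\x92\x12\xb8\x84\x15"
      "\xc2\xeb\x16\x72\xe3\xbe\xa8\x22\x0c\x32\x67\xb1\xba\xc7\xad\x28\x38\x3b"
      "\xf8\x78\xec\xc0\xe2\x9e\xf1\x0d\x9f\x8e\x4e\xcc\xd5\x7e\xbe\x40\xc9\x07"
      "\x44\xb5\x4a\xef\x32\xab\x6e\xc1\xc4\x9d\x0a\x1d\x98\xf4\x11\x0e\x3e\xed"
      "\x96\xe0\x5c\x4a\x98\xb7\xc2\x1c\x62\x81\x21\x52\x94\xa6\x03\x23\xb0\x95"
      "\x14\xd7\xc8\x42\xd5\x91\x5e\xa0\x4c\x7e\x64\x8f\x4d\x36\x3d\x4a\xcf\x69"
      "\x65\xa6\x24\xf8\x40\x75\xdb\x56\x7f\x7d\x58\x86\x86\x08\x95\x37\xd3\x4b"
      "\x95\x2f\xe2\x51\x1c\x41\xc9\xa7\x17\x91\x9f\xf0\x50\xf6\xa0\x74\x7c\x82"
      "\x4c\xd3\x31\x87\xef\x36\xd0\x94\xb4\x5d\x00\x0d\x6f\x05\xc1\x2e\x95\x94"
      "\x0c\x81\x9c\xf1\x6f\xd4\x4f\xc0\x65\x61\xf6\x6e\x6c\xbb\x34\x2d\x2e\xcb"
      "\x3a\x99\xdf\x8f\xac\xcf\xea\xf0\x75\xa5\xbc\x39\x6a\x4c\xb5\xac\xe2\xf8"
      "\xd8\x7f\xa6\x37\xf5\x02\x82\x8f\x41\xdb\xfa\xf0\x77\x8c\xaf\xc2\x96\x2b"
      "\xdf\x1f\xa0\x07\x5f\x30\xcb\x30\xcd\x57\x6b\xe6\x5d\xe9\x2b\x9f\xee\x63"
      "\xe7\x55\x86\x29\x2e\xcb\x13\x84\x2d\x29\x36\xaa\x36\xec\x73\xa5\xd7\xd3"
      "\xcc\x7a\xdd\x21\x7c\x74\xd4\x97\xc0\xe2\x7f\xc9\x9f\x16\x1f\xb9\x2c\x41"
      "\x58\x61\xc7\x08\xa0\x7f\x9b\xee\x64\xf4\x9c\xd2\x04\x0f\x61\x07\xd0\x17"
      "\xad\x67\xcd\xe6\x4c\x9b\x3d\x31\x7c\x83\x54\x84\xd8\x7b\xe4\xec\xd0\x39"
      "\xb7\x10\x48\x37\xfa\x05\x10\xf2\x5d\x2a\x0c\x4e\x69\x8f\x29\x7c\xcf\xad"
      "\xae\xec\x8f\x0f\x73\x32\xa8\x6f\xc1\x0a\x21\x3b\x17\xb8\x0b\x85\xe9\xbe"
      "\xb7\x1f\xa8\xf7\x71\xc3\x7b\x61\x67\xb7\xc5\x30\x87\x22\x65\x6d\xf2\xcc"
      "\xb6\xa5\x16\x7d\x5a\xa4\x69\xea\x80\x6e\x63\xcb\x6b\x3d\x48\x1e\x7f\x07"
      "\x73\xed\x2c\xe6\x54\x02\x6e\x0f\x03\x74\x03\xf2\xeb\xbb\x49\x88\xa2\x73"
      "\x2a\x86\x87\xbe\x0e\x60\x1e\xb8\xbf\x4f\xfa\x47\xc5\x11\x5e\x36\xe9\x19"
      "\xa9\x59\x96\xda\x23\x66\x8e\x4e\x3f\x00\x2a\x6c\xf8\xbd\x6d\xdc\xcb\xec"
      "\x78\x96\x8f\xe5\xc8\x29\xf8\xad\xdd\xf0\x25\x54\xda\xc3\xe9\xb3\x6a\x25"
      "\x41\xaa\x8a\x0e\x46\x24\xe4\xb0\xc7\x2f\x16\x3d\x08\x41\x81\xd0\xb4\xd2"
      "\x9b\x2c\x18\x95\xff\xcc\x66\x69\x2d\x5e\x9a\x2f\xff\xa1\xdb\x3b\x3d\x9f"
      "\x55\x58\x81\x9e\xb3\xa2\x71\xaa\x80\xea\x75\x88\x24\x6b\x47\x46\xdd\x45"
      "\x69\x15\x76\x51\xd5\x0a\xe2\xae\x49\x86\xa6\xc0\x9a\xd4\x64\x03\xcf\x55"
      "\xdf\x22\xef\x4a\x87\x10\xc2\xb5\x07\xb0\xf4\x6f\x33\x40\x1e\xe7\xbc\x8c"
      "\xc4\x11\x92\x02\x84\x4b\x37\x6c\xa7\x3f\xbc\xfb\x69\x30\xa6\xf7\x19\xc1"
      "\x9a\x66\xf7\x80\x3b\xfe\x96\x7c\xb6\xeb\x71\xbc\x6c\xe8\x7d\x5f\x43\x90"
      "\xed\xcf\xd4\x04\xc1\xf6\x00\x09\x8f\xc5\x4a\x8c\xa3\xf8\x75\xb5\xdb\xc8"
      "\x4f\xb6\x95\xad\x4d\x69\x03\x53\xc3\x4e\xe6\x7b\xfd\x9b\x69\xb7\x2e\x4e"
      "\x50\x3f\x62\xf3\xbc\x9a\xea\x95\x56\x8e\x19\xec\xcc\x87\x1b\x9d\x94\x49"
      "\x2b\x9a\xef\xc2\xd7\x7d\x2e\x14\x6b\x16\x13\xb8\xa9\x5b\x44\x58\xfe\x2b"
      "\xbc\x70\x14\x13\x7b\x7a\xb3\x2a\x80\x2c\x4f\xcc\x7b\x48\xa7\x36\xaa\x7b"
      "\x34\x10\x35\xef\x23\x91\xdb\xa7\x55\x2f\xc7\xfe\x3c\x91\x28\x21\x5b\xf6"
      "\xee\xab\x36\x0b\xda\xb8\x2d\xb7\x0d\x92\x71\xef\x95\x3f\x44\xc0\xff\x42"
      "\x6d\x29\x8c\xc4\x15\xf4\x75\x15\x60\x35\xf7\xad\x59\x8b\xfb\xff\xbc\x29"
      "\x29\x46\x7c\xc0\x28\xe3\x94\xcd\x2d\x79\xe7\x9a\x7b\xab\x6d\xea\x93\x9d"
      "\x11\x7e\x79\xb3\xbe\xb7\x86\x50\xc2\x06\xdd\xaa\xe0\xe6\x03\x31\x29\xcb"
      "\x71\x0d\x33\x09\xb5\x82\xac\x22\xa8\x33\xd9\x16\x7f\x82\x0a\xc1\x5d\xb7"
      "\x1a\x2c\x05\xce\x76\x6d\xbf\x41\xc5\x16\xdb\x78\x51\xe0\x59\x79\x64\x10"
      "\xd3\xba\x45\x55\xc8\xab\x84\xf1\x5d\x77\x62\xea\xa8\xcc\xef\xd9\x78\x14"
      "\xea\x3f\x1c\x06\xed\x8c\xf3\xfc\xd8\xe7\x2e\x3e\x6a\x9c\x1b\x0a\x37\x06"
      "\x28\xe5\xf2\x67\xbe\x62\x66\x98\xe7\xc1\x1c\xa4\x4e\x58\x11\xf2\x11\xac"
      "\x2b\x56\x15\x1a\xf9\x0a\xae\xf7\xe2\x73\xae\x66\x99\x16\x06\x80\x1a\xf2"
      "\x2a\xaf\x5f\x10\x98\x14\x76\xec\x80\x23\x0d\xf0\x8f\x3e\xdd\xc5\xa3\x09"
      "\x37\xca\x3c\xb5\x34\xff\xc6\xc0\xaa\x4b\x9d\x26\xa5\xc6\x53\x99\x6e\x67"
      "\x39\xd2\x7b\xa8\x1d\x44\x47\xb0\xf9\x13\x01\x3c\x50\xcb\xc9\xf1\x93\x3e"
      "\x5d\x0f\x1d\x1a\x9b\x21\x61\xe5\x09\xdc\xa6\x4f\xda\xfe\xb8\x0a\x57\x1b"
      "\x68\x52\xeb\xf5\x1b\x57\x2a\x3b\x49\xe6\x2c\x3e\xed\x7e\x1d\xe5\x88\x99"
      "\xe5\xd6\x58\x55\x63\xfb\x3b\x61\xda\x93\x25\xff\x5e\x28\x95\xac\xbc\x9e"
      "\x65\x69\x2d\xee\x97\xef\x90\x80\x32\xbe\x34\xe0\x3c\x6b\x9a\x85\x72\x4f"
      "\x01\x2a\x38\x2c\xba\x7f\xb2\x13\x9e\xdd\x55\xcf\xed\x12\x20\x02\x6a\x7b"
      "\x4b\xb2\x56\xd1\xcd\x74\xfa\x83\xc8\xe4\x86\xac\x20\x87\x03\x77\xc1\x27"
      "\x98\xb8\x19\xb0\x0d\x5e\x76\xae\x3f\x19\xfe\x73\x1f\x51\xad\x0f\x67\xd2"
      "\xeb\x55\x64\xf7\x1d\x2b\x23\x51\x30\xa9\xf5\x30\x3c\x1d\x22\xdc\xef\xa0"
      "\x9e\x48\xc0\x9a\xe9\x5c\x92\xd0\xed\x05\xc2\x11\x4a\xfd\x16\xc0\x61\xee"
      "\xa6\xde\x7d\x17\x9d\xb6\x35\xec\x2e\xcf\x37\x15\x86\x83\x96\xec\x3b\xce"
      "\xad\xa9\xb0\xa9\xd0\x67\xf0\xe3\xce\xae\xde\xc5\x07\x86\xb9\xc5\xa9\xe6"
      "\xfd\xf3\x5a\x74\xdc\xbc\xdb\x93\xdf\x12\xfb\xb2\xc9\x8e\x88\x88\x61\x8e"
      "\x91\xdc\xa7\x31\x60\x53\x7f\xcb\x55\x95\xd4\x3d\xaf\xd1\x02\x22\x41\x61"
      "\x10\xda\x76\xde\x09\xf9\xb1\x9e\x2f\x6c\xb8\xc3\x0d\x37\x8c\x9d\x46\x8e"
      "\x98\x05\xe4\xef\xbd\xec\x64\x8a\x2c\xc4\x10\x3c\xa4\xee\x0c\x24\xcf\x8a"
      "\xe7\x93\x48\xed\xd5\x67\xa6\x3f\x19\xd7\x9b\xe5\xa5\xf6\x05\x6f\xab\x06"
      "\x73\x5a\x6f\x2c\xa1\xd1\x71\x19\xf2\x94\xf2\x78\x35\x7d\x7e\x50\x71\xd9"
      "\x80\x72\x2f\x3b\x65\x71\x41\x2f\x83\x57\xff\x6f\xdd\x50\x99\x4e\xea\x6d"
      "\x29\xeb\xb2\xd1\x80\x40\xa7\x41\x4b\xd4\xd8\x30\xe9\xf1\x51\x51\x7e\x16"
      "\x00\x25\x79\x81\x57\x88\xf8\x35\xc7\x5a\x49\x48\x59\x89\xe0\x22\x01\x44"
      "\x94\x45\x23\xa0\xe1\x1d\xcf\x0a\x05\x23\xa5\x24\xdb\x74\x57\x57\x92\xde"
      "\x2f\xee\xde\xa5\x4a\x8b\xa0\xa3\x9d\xba\x6e\x3f\x5c\x6c\x9c\xab\x16\xc2"
      "\x04\xdd\xe8\x4b\x8b\x5b\xa4\x76\xb7\x1e\x50\xec\xd2\x1e\x76\xb9\xde\x4a"
      "\xbf\x84\x6d\xcb\xc1\xa8\x34\x65\x07\x00\xbb\x81\xa3\xd4\x8f\xc4\xb1\xd4"
      "\x78\xe7\x3e\x68\xe5\x5b\xc1\x7e\x9c\x39\x1e\x58\x9a\xa8\x22\xba\x8d\x4c"
      "\x6f\xe7\xf0\x55\xdc\x89\xc0\x50\xea\xfa\xa4\x2b\x66\xf9\xf2\x0d\x54\x30"
      "\x32\x69\x28\xc3\x0a\x36\xec\x2e\x9d\x35\x0d\x43\x23\xce\x6c\x0f\xe3\x50"
      "\x34\xe6\x80\xee\x53\x0a\x1b\x09\x1f\x6e\xa5\xcd\xa9\xbe\x7c\xcc\xd8\xef"
      "\xaf\x34\x5d\xe8\xc2\xa4\x1c\x74\x96\xcc\xa8\x67\x72\xe0\xa9\x00\x9f\x4a"
      "\x00\xad\x27\x80\xc7\x00\x94\x0b\x45\x76\x7d\x3e\x70\x3b\x93\xba\x09\x05"
      "\x2f\x7d\x82\xca\x06\xf7\x53\x6e\x7e\xad\xc0\x34\xc9\xc5\x94\x04\x07\x9d"
      "\x84\x22\xf3\xf3\x7d\x7d\x1d\x30\x0f\x4f\xde\x95\x9d\x2a\x42\x72\x33\xb3"
      "\x4f\x37\x9a\x2a\xbe\xcc\x61\x0b\x38\x94\xc9\xf2\xbe\x38\x41\x58\xf9\xb7"
      "\x92\x31\x1d\x23\xff\xb4\x0d\xd0\x0b\x70\x32\xde\x13\x36\x3f\x06\x0b\xed"
      "\x72\xe0\xfc\x0a\x02\x1f\xd1\x32\x86\xb1\x3f\x1f\x76\xb2\x9b\x44\x7f\xfc"
      "\x7a\x2b\x7f\xde\x2c\x50\xdf\xcf\x9b\xed\xef\x8e\xbd\x8a\xfb\x33\xc9\xba"
      "\x52\xce\x3f\x0a\x82\x04\xa4\xa9\xb3\x35\x4f\x59\x59\xd4\xa8\x89\x5a\x34"
      "\x9b\xa7\x42\x36\x9b\x1c\x2c\xc7\xc6\x3f\xfc\x29\x6d\x51\x17\x0b\x4a\x30"
      "\x39\x91\x5e\x5e\x62\xc3\x9b\xaf\xba\x55\x67\x71\x7b\x07\x33\xf9\xa6\x5c"
      "\x38\xab\x58\x41\xcb\xc5\x15\x05\xe2\xc5\xf5\x5e\x61\xb6\x10\xb4\x59\x2f"
      "\x18\x03\xfa\xaf\x00\xee\xc8\xfb\xdb\x6d\x5f\x51\xcc\x90\x81\xca\xf1\x0f"
      "\x38\x78\x81\x63\x13\x1d\xf4\x46\x54\x0f\x0a\x8c\xd5\xac\x8c\xe4\x68\x56"
      "\x6b\x76\x21\x22\xeb\x43\xff\x9e\x08\x32\xc9\x80\x5d\x4b\xab\x27\xd5\x1a"
      "\x82\x0e\xdb\xdd\x03\x95\xfd\x48\x28\xb2\x60\xd1\x9a\x55\x11\x23\x89\x79"
      "\x68\x90\x2d\xcf\x5c\x06\x45\xce\x86\x4d\xd0\xef\x5d\x7b\x32\xcb\xb0\x6f"
      "\x76\xe4\x99\x0f\x90\x7d\x7d\xd0\x85\xdc\xf6\xdf\x3c\x51\x10\x71\xf7\xf5"
      "\x57\x87\x69\xda\xb7\xc7\x30\x2d\x4f\x1f\x52\x51\xb1\xef\x70\x14\x08\x4b"
      "\x6c\xe4\x51\x7f\xa4\x52\xee\xcc\x04\xee\xa8\x7f\x23\x62\xf7\xa3\x28\xfe"
      "\x44\x5d\x42\xbe\xf6\x2e\x60\xa3\xa2\x19\xf5\xdb\xfa\x1a\x72\x5b\x23\x15"
      "\x6e\xb2\x2c\x8c\xb7\x97\xef\xa7\x16\xd6\xa2\x32\xb7\xb3\x7a\xe6\xdf\x3c"
      "\x15\xf1\x15\x6c\xbf\x72\x56\x61\xcd\x5d\x20",
      3305);
  *(uint64_t*)0x200015d8 = 0xcfc;

  // msg_iovlen = 2, msg_control = NULL, msg_controllen = 0, msg_flags = 0x84
  // (the kernel ignores msg_flags on send; the sendmsg flags argument is 0).
  *(uint64_t*)0x20000158 = 2;
  *(uint64_t*)0x20000160 = 0;
  *(uint64_t*)0x20000168 = 0;
  *(uint32_t*)0x20000170 = 0x84;
  syscall(__NR_sendmsg, r[0], 0x20000140ul, 0ul);
}

// Reserve the fixed data window the repro addresses directly:
//   0x20000000..0x21000000  RWX (prot 7), MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS
//   one PROT_NONE guard page immediately below and above it.
// Then run the template environment setup and the sandboxed loop().
int main(void)
{
  syscall(__NR_mmap, 0x1ffff000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul);
  syscall(__NR_mmap, 0x20000000ul, 0x1000000ul, 7ul, 0x32ul, -1, 0ul);
  syscall(__NR_mmap, 0x21000000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul);
  setup_binfmt_misc();
  do_sandbox_none();
  return 0;
}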