// https://syzkaller.appspot.com/bug?id=1a97a5bd119fd97995f752819fd87840ab9479a9 // autogenerated by syzkaller (http://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include __attribute__((noreturn)) static void doexit(int status) { volatile unsigned i; syscall(__NR_exit_group, status); for (i = 0;; i++) { } } #include #include #include #include #include #include #include const int kFailStatus = 67; const int kRetryStatus = 69; static void fail(const char* msg, ...) { int e = errno; va_list args; va_start(args, msg); vfprintf(stderr, msg, args); va_end(args); fprintf(stderr, " (errno %d)\n", e); doexit((e == ENOMEM || e == EAGAIN) ? kRetryStatus : kFailStatus); } static void exitf(const char* msg, ...) { int e = errno; va_list args; va_start(args, msg); vfprintf(stderr, msg, args); va_end(args); fprintf(stderr, " (errno %d)\n", e); doexit(kRetryStatus); } static uint64_t current_time_ms() { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) fail("clock_gettime failed"); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void use_temporary_dir() { char tmpdir_template[] = "./syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) fail("failed to mkdtemp"); if (chmod(tmpdir, 0777)) fail("failed to chmod"); if (chdir(tmpdir)) fail("failed to chdir"); } static void vsnprintf_check(char* str, size_t size, const char* format, va_list args) { int rv; rv = vsnprintf(str, size, format, args); if (rv < 0) fail("tun: snprintf failed"); if ((size_t)rv >= size) fail("tun: string '%s...' doesn't fit into buffer", str); } #define COMMAND_MAX_LEN 128 #define PATH_PREFIX \ "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin " #define PATH_PREFIX_LEN (sizeof(PATH_PREFIX) - 1) static void execute_command(bool panic, const char* format, ...) { va_list args; char command[PATH_PREFIX_LEN + COMMAND_MAX_LEN]; int rv; va_start(args, format); memcpy(command, PATH_PREFIX, PATH_PREFIX_LEN); vsnprintf_check(command + PATH_PREFIX_LEN, COMMAND_MAX_LEN, format, args); va_end(args); rv = system(command); if (rv) { if (panic) fail("command '%s' failed: %d", &command[0], rv); } } #define DEV_IPV4 "172.20.20.%d" #define DEV_IPV6 "fe80::%02hx" #define DEV_MAC "aa:aa:aa:aa:aa:%02hx" static void snprintf_check(char* str, size_t size, const char* format, ...) { va_list args; va_start(args, format); vsnprintf_check(str, size, format, args); va_end(args); } static void initialize_netdevices(void) { unsigned i; const char* devtypes[] = {"ip6gretap", "bridge", "vcan", "bond", "team"}; const char* devnames[] = {"lo", "sit0", "bridge0", "vcan0", "tunl0", "gre0", "gretap0", "ip_vti0", "ip6_vti0", "ip6tnl0", "ip6gre0", "ip6gretap0", "erspan0", "bond0", "veth0", "veth1", "team0", "veth0_to_bridge", "veth1_to_bridge", "veth0_to_bond", "veth1_to_bond", "veth0_to_team", "veth1_to_team"}; const char* devmasters[] = {"bridge", "bond", "team"}; for (i = 0; i < sizeof(devtypes) / (sizeof(devtypes[0])); i++) execute_command(0, "ip link add dev %s0 type %s", devtypes[i], devtypes[i]); execute_command(0, "ip link add type veth"); for (i = 0; i < sizeof(devmasters) / (sizeof(devmasters[0])); i++) { execute_command( 0, "ip link add name %s_slave_0 type veth peer name veth0_to_%s", devmasters[i], devmasters[i]); execute_command( 0, "ip link add name %s_slave_1 type veth peer name veth1_to_%s", devmasters[i], devmasters[i]); execute_command(0, "ip link set %s_slave_0 master %s0", devmasters[i], devmasters[i]); execute_command(0, "ip link set %s_slave_1 master %s0", devmasters[i], devmasters[i]); execute_command(0, "ip link set veth0_to_%s up", devmasters[i]); execute_command(0, "ip link set veth1_to_%s up", devmasters[i]); } execute_command(0, "ip link set bridge_slave_0 up"); execute_command(0, "ip link set bridge_slave_1 up"); for (i = 0; i < sizeof(devnames) / (sizeof(devnames[0])); i++) { char addr[32]; snprintf_check(addr, sizeof(addr), DEV_IPV4, i + 10); execute_command(0, "ip -4 addr add %s/24 dev %s", addr, devnames[i]); snprintf_check(addr, sizeof(addr), DEV_IPV6, i + 10); execute_command(0, "ip -6 addr add %s/120 dev %s", addr, devnames[i]); snprintf_check(addr, sizeof(addr), DEV_MAC, i + 10); execute_command(0, "ip link set dev %s address %s", devnames[i], addr); execute_command(0, "ip link set dev %s up", devnames[i]); } } static bool write_file(const char* file, const char* what, ...) { char buf[1024]; va_list args; va_start(args, what); vsnprintf(buf, sizeof(buf), what, args); va_end(args); buf[sizeof(buf) - 1] = 0; int len = strlen(buf); int fd = open(file, O_WRONLY | O_CLOEXEC); if (fd == -1) return false; if (write(fd, buf, len) != len) { int err = errno; close(fd); errno = err; return false; } close(fd); return true; } static void loop(); static void sandbox_common() { prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); setpgrp(); setsid(); struct rlimit rlim; rlim.rlim_cur = rlim.rlim_max = 160 << 20; setrlimit(RLIMIT_AS, &rlim); rlim.rlim_cur = rlim.rlim_max = 8 << 20; setrlimit(RLIMIT_MEMLOCK, &rlim); rlim.rlim_cur = rlim.rlim_max = 136 << 20; setrlimit(RLIMIT_FSIZE, &rlim); rlim.rlim_cur = rlim.rlim_max = 1 << 20; setrlimit(RLIMIT_STACK, &rlim); rlim.rlim_cur = rlim.rlim_max = 0; setrlimit(RLIMIT_CORE, &rlim); if (unshare(CLONE_NEWNS)) { } if (unshare(CLONE_NEWIPC)) { } if (unshare(0x02000000)) { } if (unshare(CLONE_NEWUTS)) { } if (unshare(CLONE_SYSVSEM)) { } } static int real_uid; static int real_gid; __attribute__((aligned(64 << 10))) static char sandbox_stack[1 << 20]; static int namespace_sandbox_proc(void* arg) { sandbox_common(); write_file("/proc/self/setgroups", "deny"); if (!write_file("/proc/self/uid_map", "0 %d 1\n", real_uid)) fail("write of /proc/self/uid_map failed"); if (!write_file("/proc/self/gid_map", "0 %d 1\n", real_gid)) fail("write of /proc/self/gid_map failed"); if (unshare(CLONE_NEWNET)) fail("unshare(CLONE_NEWNET)"); initialize_netdevices(); if (mkdir("./syz-tmp", 0777)) fail("mkdir(syz-tmp) failed"); if (mount("", "./syz-tmp", "tmpfs", 0, NULL)) fail("mount(tmpfs) failed"); if (mkdir("./syz-tmp/newroot", 0777)) fail("mkdir failed"); if (mkdir("./syz-tmp/newroot/dev", 0700)) fail("mkdir failed"); unsigned mount_flags = MS_BIND | MS_REC | MS_PRIVATE; if (mount("/dev", "./syz-tmp/newroot/dev", NULL, mount_flags, NULL)) fail("mount(dev) failed"); if (mkdir("./syz-tmp/newroot/proc", 0700)) fail("mkdir failed"); if (mount(NULL, "./syz-tmp/newroot/proc", "proc", 0, NULL)) fail("mount(proc) failed"); if (mkdir("./syz-tmp/newroot/selinux", 0700)) fail("mkdir failed"); const char* selinux_path = "./syz-tmp/newroot/selinux"; if (mount("/selinux", selinux_path, NULL, mount_flags, NULL)) { if (errno != ENOENT) fail("mount(/selinux) failed"); if (mount("/sys/fs/selinux", selinux_path, NULL, mount_flags, NULL) && errno != ENOENT) fail("mount(/sys/fs/selinux) failed"); } if (mkdir("./syz-tmp/newroot/sys", 0700)) fail("mkdir failed"); if (mount(NULL, "./syz-tmp/newroot/sys", "sysfs", 0, NULL)) fail("mount(sysfs) failed"); if (mkdir("./syz-tmp/pivot", 0777)) fail("mkdir failed"); if (syscall(SYS_pivot_root, "./syz-tmp", "./syz-tmp/pivot")) { if (chdir("./syz-tmp")) fail("chdir failed"); } else { if (chdir("/")) fail("chdir failed"); if (umount2("./pivot", MNT_DETACH)) fail("umount failed"); } if (chroot("./newroot")) fail("chroot failed"); if (chdir("/")) fail("chdir failed"); struct __user_cap_header_struct cap_hdr = {}; struct __user_cap_data_struct cap_data[2] = {}; cap_hdr.version = _LINUX_CAPABILITY_VERSION_3; cap_hdr.pid = getpid(); if (syscall(SYS_capget, &cap_hdr, &cap_data)) fail("capget failed"); cap_data[0].effective &= ~(1 << CAP_SYS_PTRACE); cap_data[0].permitted &= ~(1 << CAP_SYS_PTRACE); cap_data[0].inheritable &= ~(1 << CAP_SYS_PTRACE); if (syscall(SYS_capset, &cap_hdr, &cap_data)) fail("capset failed"); loop(); doexit(1); } static int do_sandbox_namespace(void) { int pid; real_uid = getuid(); real_gid = getgid(); mprotect(sandbox_stack, 4096, PROT_NONE); pid = clone(namespace_sandbox_proc, &sandbox_stack[sizeof(sandbox_stack) - 64], CLONE_NEWUSER | CLONE_NEWPID, 0); if (pid < 0) fail("sandbox clone failed"); return pid; } static void remove_dir(const char* dir) { DIR* dp; struct dirent* ep; int iter = 0; retry: while (umount2(dir, MNT_DETACH) == 0) { } dp = opendir(dir); if (dp == NULL) { if (errno == EMFILE) { exitf("opendir(%s) failed due to NOFILE, exiting", dir); } exitf("opendir(%s) failed", dir); } while ((ep = readdir(dp))) { if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0) continue; char filename[FILENAME_MAX]; snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name); struct stat st; if (lstat(filename, &st)) exitf("lstat(%s) failed", filename); if (S_ISDIR(st.st_mode)) { remove_dir(filename); continue; } int i; for (i = 0;; i++) { if (unlink(filename) == 0) break; if (errno == EROFS) { break; } if (errno != EBUSY || i > 100) exitf("unlink(%s) failed", filename); if (umount2(filename, MNT_DETACH)) exitf("umount(%s) failed", filename); } } closedir(dp); int i; for (i = 0;; i++) { if (rmdir(dir) == 0) break; if (i < 100) { if (errno == EROFS) { break; } if (errno == EBUSY) { if (umount2(dir, MNT_DETACH)) exitf("umount(%s) failed", dir); continue; } if (errno == ENOTEMPTY) { if (iter < 100) { iter++; goto retry; } } } exitf("rmdir(%s) failed", dir); } } static void execute_one(); extern unsigned long long procid; static void loop() { int iter; for (iter = 0;; iter++) { char cwdbuf[32]; sprintf(cwdbuf, "./%d", iter); if (mkdir(cwdbuf, 0777)) fail("failed to mkdir"); int pid = fork(); if (pid < 0) fail("clone failed"); if (pid == 0) { prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); setpgrp(); if (chdir(cwdbuf)) fail("failed to chdir"); execute_one(); doexit(0); } int status = 0; uint64_t start = current_time_ms(); for (;;) { int res = waitpid(-1, &status, __WALL | WNOHANG); if (res == pid) { break; } usleep(1000); if (current_time_ms() - start < 3 * 1000) continue; kill(-pid, SIGKILL); kill(pid, SIGKILL); while (waitpid(-1, &status, __WALL) != pid) { } break; } remove_dir(cwdbuf); } } struct thread_t { int created, running, call; pthread_t th; }; static struct thread_t threads[16]; static void execute_call(int call); static int running; static int collide; static void* thr(void* arg) { struct thread_t* th = (struct thread_t*)arg; for (;;) { while (!__atomic_load_n(&th->running, __ATOMIC_ACQUIRE)) syscall(SYS_futex, &th->running, FUTEX_WAIT, 0, 0); execute_call(th->call); __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED); __atomic_store_n(&th->running, 0, __ATOMIC_RELEASE); syscall(SYS_futex, &th->running, FUTEX_WAKE); } return 0; } static void execute(int num_calls) { int call, thread; running = 0; for (call = 0; call < num_calls; call++) { for (thread = 0; thread < sizeof(threads) / sizeof(threads[0]); thread++) { struct thread_t* th = &threads[thread]; if (!th->created) { th->created = 1; pthread_attr_t attr; pthread_attr_init(&attr); pthread_attr_setstacksize(&attr, 128 << 10); pthread_create(&th->th, &attr, thr, th); } if (!__atomic_load_n(&th->running, __ATOMIC_ACQUIRE)) { th->call = call; __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED); __atomic_store_n(&th->running, 1, __ATOMIC_RELEASE); syscall(SYS_futex, &th->running, FUTEX_WAKE); if (collide && call % 2) break; struct timespec ts; ts.tv_sec = 0; ts.tv_nsec = 20 * 1000 * 1000; syscall(SYS_futex, &th->running, FUTEX_WAIT, 1, &ts); if (running) usleep((call == num_calls - 1) ? 10000 : 1000); break; } } } } uint64_t r[1] = {0xffffffffffffffff}; unsigned long long procid; void execute_call(int call) { long res; switch (call) { case 0: memcpy((void*)0x201a3000, "./file0", 8); syscall(__NR_mkdir, 0x201a3000, 0); break; case 1: memcpy((void*)0x20000240, "./file0", 8); memcpy((void*)0x20000000, ".", 1); memcpy((void*)0x20000480, "\xb3\xb8\x15\x57\x13\xfb\x18\xde\xa1\x32\x54\x03\xcf\x49\x45\x8e" "\xa0\x55\xd7\x59\x19\x82\x90\x3d\x49\x1d\x14\xc2\xe9\xcb\xc3\x9e" "\x8b\xf7\x05\xc2\x1d\x4c\xc6\xc5\x70\xba\x1b\x1b\x03\xc6\xdb\x40" "\x04\x0c\x16\x3a\x6d\xee\x93\x29\xd6\x69\xc3\xa8\x3a\x02\xef\x21" "\x19\x95\x7d\x6d\x4d\x06\xf7\x9c\x5d\x29\xc3\xf9\x7a\xcb\xbb\xd1" "\xa0\x03\x48\x98\x93\x97\x12\xcc\x63\x02\x0f\x31\x10\x7f\x31\xc3" "\xa7\xea\x6b\x05\x5a\x3d\x9c\xd0\x58\x45\x1e\xef\xee\x6e\xbd\xb0" "\x35\x78\x31\x79\x67\x61\xe1\x6f\x81\x0e\x24\x52\xbe\x7d\x0b\xbb" "\x99\xee\x89\x07\x39\x87\x3f\x2d\xe4\x81\x87\x42\x83\x42\xa5\xe9" "\x5f\x62\x5e\x7b\x49\x26\x5d\xcb\x01\xcd\xb7\x18\xbd\x29\x20\x86" "\x3e\xd6\xaf\x48\xbf\x04\x4a\xd8\x73\x94\x62\x5a\x24\x42\x3d\x5f" "\xef\xeb\xc9\x3d\x3a\x4a\x96\xd5\x82\xc6\x36\xa0\xbc\x3e\xc3\xfa" "\x80\x85\x4d\xeb\x41\xda\xa2\x21\xd1\x2e\xd5\xbd\xc1\xae\xaa\xbe" "\xd9\xdc\xbb\x85\x0b\x47\xa9\x8a\xb2\x56\x49\x38\x7a\xb1\x1d\x7b" "\x20\x5a\x07\xb9\x08\x2b\x73\x6c\x17\xf9\x7d", 235); syscall(__NR_mount, 0x20000240, 0x20000000, 0x20000480, 0x1004, 0); break; case 2: memcpy((void*)0x20000140, ".", 1); memcpy((void*)0x20000380, "./file0", 8); memcpy((void*)0x20753000, "mslos", 6); syscall(__NR_mount, 0x20000140, 0x20000380, 0x20753000, 0x5010, 0x20000180); break; case 3: memcpy((void*)0x20000000, "./file1", 8); syscall(__NR_mkdir, 0x20000000, 0); break; case 4: res = syscall(__NR_socket, 0xa, 3, 0x3c); if (res != -1) r[0] = res; break; case 5: *(uint16_t*)0x20000180 = 0xa; *(uint16_t*)0x20000182 = htobe16(0); *(uint32_t*)0x20000184 = 0; *(uint8_t*)0x20000188 = 0xfe; *(uint8_t*)0x20000189 = 0x80; *(uint8_t*)0x2000018a = 0; *(uint8_t*)0x2000018b = 0; *(uint8_t*)0x2000018c = 0; *(uint8_t*)0x2000018d = 0; *(uint8_t*)0x2000018e = 0; *(uint8_t*)0x2000018f = 0; *(uint8_t*)0x20000190 = 0; *(uint8_t*)0x20000191 = 0; *(uint8_t*)0x20000192 = 0; *(uint8_t*)0x20000193 = 0; *(uint8_t*)0x20000194 = 0; *(uint8_t*)0x20000195 = 0; *(uint8_t*)0x20000196 = 0; *(uint8_t*)0x20000197 = 0xbb; *(uint32_t*)0x20000198 = 9; syscall(__NR_connect, r[0], 0x20000180, 0x1c); break; case 6: memcpy( (void*)0x20000a80, "\x2c\xf2\xed\x74\x6e\x6d\x01\xba\xc9\xe0\xb8\xf7\xfc\x65\x38\x78\x20" "\x09\x75\x98\x7b\xfc\xfa\xde\x99\xa7\x9d\x5b\x62\x50\x16\xe0\x1a\x2a" "\x53\x52\x50\x71\x0c\x5c\xd1\x3b\x52\x59\xfa\xb5\xc5\xc7\x2f\x34\x86" "\xe9\x5e\x7a\xc4\x8b\x93\x6f\x4d\x2c\x0a\x94\xd7\x94\x25\x7d\x1f\x0e" "\x18\x4d\x11\x3d\x7c\xe9\xce\xf2\x60\xf6\x50\x0f\xd7\x5c\x44\xda\x34" "\xbc\x5b\x39\xac\x00\x28\x92\xaf\xfb\x05\xb4\x9d\x8d\x1e\xd1\xe6\x58" "\xcc\x54\x55\x30\xa1\xa5\x97\xc8\x52\xf7\xdf\x38\x7f\x27\xa7\x07\x92" "\x50\x00\x4b\x43\x50\x97\x71\xfd\x55\x80\xcf\x30\xdb\xd2\xd2\xc2\x73" "\xd3\x15\xa5\x4a\x57\xfa\x94\x81\x89\xc5\xfe\x6e\xb4\x96\x86\x77\x28" "\x7d\xc4\x02\xb7\xe3\x99\x6b\x3e\xa4\xce\xce\x2b\x96\x4f\x0f\xb9\xd5" "\x30\x8c\xd8\xcd\xcb\x45\xb2\x2c\x9e\x1a\xce\x83\x32\x25\xc2\x83\x99" "\xeb\x89\x8a\xca\x43\x98\x37\x99\xe6\x7c\xab\xba\x22\x8a\x7b\x30\x69" "\xb0\x2f\x1e\xdc\x1b\x64\x85\x02\xf2\x38\xb5\xa6\x20\x9c\xe6\x33\xa5" "\xf1\x11\x1e\x72\x1c\xec\xfc\x5a\x90\x1a\x35\x0d\x26\xcc\x99\x1b\x6d" "\x54\x01\x84\xd7\x0a\x2e\x3c\x29\xa4\xbf\xac\x84\x10\x23\x81\xa9\x44" "\xd3\x5d\x7a\x16\xe2\x83\x77\xaa\x79\x67\xa9\x77\x06\x21\xbd\xe4\x5b" "\x97\xe7\xcf\x25\x43\xca\x95\x04\xa4\xa7\x75\x9a\xdd\x4d\x53\x1c\x7f" "\x25\x2d\x1a\x06\xc8\x97\x84\x03\x6c\xb6\x20\xbf\x2a\xaf\x96\xc8\xec" "\x4c\x53\x04\x2e\xc0\x42\x68\xf9\xbd\xd8\x38\x58\x4f\x1f\xfa\xc5\xd7" "\xea\xa9\xfa\x0d\x53\x70\x2b\xeb\xa9\x6e\xa7\x46\x57\x4b\x73\x9f\xd7" "\xac\x3f\xe3\xc8\x0b\xde\xbc\x8c\x32\x4d\x78\x92\x5a\x65\xc3\x7d\x41" "\xdb\x7b\x49\x14\x53\x6c\x4d\x54\x50\x2b\xab\x23\x41\x51\xa4\x57\xcc" "\x24\x4f\x76\xfb\x73\x3f\x1d\xa4\x18\xce\x55\xec\x94\x42\x69\x88\xfa" "\x7d\x3e\xb0\x87\xae\x53\xbc\x69\x3b\x50\x44\xba\x63\x90\x97\x3e\xeb" "\xa3\xfd\x5a\x38\xc5\xfd\xb3\x98\x4e\xba\x39\x5c\x1f\xb6\x69\xa0\xc7" "\xdb\xb4\x3e\x8f\x7f\x8a\x71\xbf\x9c\x28\xd6\x35\xc6\x89\xb8\x66\x12" "\x9d\x1e\x02\x4c\x0a\x53\x74\xed\x23\x22\x47\x9f\xb4\xba\x9e\x74\x2e" "\x95\xde\x91\xd4\x9f\x50\x6b\x87\x25\x97\x57\x78\xdd\x72\xae\x96\x59" "\x05\x22\x92\x12\x64\xf7\xf7\x61\x0c\x85\x81\xe8\xb4\x2b\x99\x26\x93" "\xf3\xa4\x05\xef\x1e\x1f\x7d\xbe\xc5\x9b\xf2\xa6\x66\x2a\xe0\xf1\x56" "\xb3\x92\xe4\xfa\xf7\xdb\xab\xf1\x0b\x05\x8d\xe6\xe2\x72\xbd\x15\x53" "\x46\x56\xae\xa9\x13\xab\x0c\x0d\x9a\x72\x92\xa7\xf9\x74\x45\xd9\x90" "\x7b\xfe\x34\x3c\xc7\x0e\xfd\xee\xf2\x22\x39\x8c\xb3\xea\x73\x53\x27" "\xad\x57\x2b\x74\x98\xf1\x0b\xb4\x0a\xc3\x02\x7b\x99\xfc\x36\xf5\x5f" "\xf5\xdd\xd1\xc3\x7b\x15\xf6\x55\x04\xc5\x54\x19\x7f\x14\xba\xab\x9f" "\x05\x6d\x68\x5c\x0b\xda\x61\x4e\x97\x8c\xdd\x25\x72\x49\x39\xe8\x0d" "\x45\xad\xf9\xac\xa9\xc3\xd6\xb8\xf1\x6b\xc6\x98\x9b\xcf\xfe\x3e\x79" "\x3c\xb9\x15\xf1\xb1\xaf\xce\x9e\x6a\x30\x46\xd5\x76\x94\xa2\x16\x64" "\x28\xf5\x8b\xc8\x55\x6d\xf5\xe2\x6c\x47\x02\xdc\xd6\xf3\xbd\x2e\x14" "\x8d\xec\x8c\xdc\x91\x43\x2a\x50\x8f\xb8\x70\x53\xd3\xb1\xa1\xd4\xbb" "\xd5\x72\xf0\xba\x2e\x15\x0c\x8b\xf4\x93\x95\x6e\x19\x7b\xef\x16\xa0" "\xf0\x6e\x63\x39\x94\x34\x27\xff\xdd\x6d\x0f\x2f\x02\x1a\xdf\xe9\x08" "\xb8\x35\xe7\x55\x43\xea\x8c\xf4\x14\xcb\x29\xd9\xef\xb5\x06\xe2\xc5" "\xc5\x07\xdc\xe7\x54\x6f\x81\x47\x5a\xf8\x59\xca\x4b\xf3\x18\xf8\xee" "\x53\x9a\xa4\x1c\xd7\x63\x65\xab\xf8\x93\xfc\xa9\x65\x79\x2d\x51\x09" "\x2d\x5e\xe2\xa9\xbd\xed\x4a\x14\x0e\xd4\x55\xc8\xd7\xf3\x02\xad\xbc" "\x9b\x66\xbf\x83\x14\xc6\x5f\xde\x17\xcd\x89\x27\xd1\x6b\xfc\x88\x59" "\xeb\x7e\xf0\x94\x26\xbf\x66\x2f\x97\x15\xa2\xfc\x57\x28\x93\x22\xf5" "\xf4\x00\x01\x26\x74\x7c\xb4\x1d\x8a\xd9\x56\xdf\x7e\xc5\x08\xe5\x70" "\x13\xa9\xb1\xbb\x8f\xce\xfe\x32\x81\xa3\xde\x70\xd0\x9b\x80\x0d\x00" "\x8e\x32\x06\x75\x83\x27\x9a\x06\x78\x86\x6e\x99\xec\xdc\x8e\xd0\x8d" "\x22\x7c\x18\xe1\xc4\xb5\x51\x67\x70\x55\x71\x38\xbc\x5a\x19\x5e\x2c" "\xd8\xda\xb1\x9e\x54\x1e\x5e\xb4\x06\x45\x88\x45\xbe\xc9\xe9\x04\x06" "\x11\xc0\xbd\x81\xa8\xd2\x6e\xf9\x4d\x01\xf8\x32\x22\xca\x98\xd0\xd7" "\xa7\x91\xef\x48\xa1\x8e\xc6\x44\x02\x66\x0d\xda\xc7\x7f\xed\xcb\x81" "\x84\xb9\xd8\x35\x4b\x38\x89\x82\x9c\x03\x58\x47\xff\x12\x94\x69\xdf" "\x9a\x92\xfe\x22\x08\xa6\xa8\x66\xf0\xb8\x11\xd7\x49\x95\xc5\x04\x6a" "\x0d\x3e\xc3\xb3\x64\x3f\x57\x69\x50\x82\xc5\xdb\x54\x51\x90\xda\x5c" "\x47\xd6\xd9\xff\x24\x99\xd6\x21\x37\x7e\x53\x24\x57\x2e\x65\x8d\x91" "\x18\x82\x70\x17\x37\x99\x29\xe4\xd7\xf1\x36\x45\x6e\x49\x4e\x50\xbe" "\xeb\x06\x32\xf3\xd6\x11\xc0\x85\x62\x62\x33\xc4\x85\x1a\xb7\xbd\xd1" "\x93\x9f\x1d\x7e\xd1\x94\x22\x11\x9e\xc7\x3b\x68\x66\xf5\xf6\x4f\xb8" "\x0f\x10\x53\xe2\xa5\x5c\x65\x13\x99\xb5\x42\xb8\xbc\xb0\xfd\xd0\x28" "\xa9\x57\x06\x15\x2c\x7d\x37\x43\xa1\x45\xab\xfc\x02\x7a\xbb\xa6\x87" "\xec\xec\x61\x0e\xac\xf6\x65\x69\x49\x24\xff\xe9\xd2\x22\xca\xf8\x04" "\x90\x91\x68\x76\x57\x81\x74\x65\x5c\x61\x94\x34\x24\x62\x7f\x7a\x05" "\xdb\x3a\x24\x11\x7b\x11\x0e\x7c\x79\x36\x9b\xc1\xdf\x43\x8b\x38\xe4" "\x39\x2f\x89\xb2\x54\x57\x5c\x4b\xdc\xb5\x2e\x01\xb4\xbb\x8e\x55\x26" "\x3a\xd6\xc9\xa3\xc1\x8e\xaa\x11\x9f\x79\x99\xb0\xf3\x16\xf4\x5e\x9d" "\xf7\x1d\x75\xc7\x45\xab\x4e\x08\xf5\x83\xf6\x58\x28\xff\x9b\x5c\x4c" "\xec\x9d\xe6\xf4\x0d\xf6\xa7\x45\x59\xbc\x11\xac\xdf\x34\xe7\x4a\xd6" "\x5c\xe5\x07\x6f\xc2\x28\x5e\xfc\xcb\xd6\xeb\x66\x8c\xac\x0c\x41\x12" "\xa3\x71\x4a\xef\x8e\xce\x3f\x43\x36\xee\xf6\x8b\x14\x03\xaa\xb6\xb5" "\x1a\xdb\xdc\x2e\xe4\xaa\x14\xcd\xfd\xf3\x98\x2a\x04\x4a\xdc\x59\x2f" "\xc9\x3d\xb9\x46\x46\x26\x75\xac\x14\xf5\xac\x67\xb2\x44\xba\x42\x1e" "\xd4\x43\xd2\xff\xd0\xa7\xec\xfd\x95\x78\xc5\xf1\x1a\xe0\x39\x08\x7f" "\xd3\xf7\x92\x27\x86\x6c\x7f\xd9\x00\x52\x78\xd4\xb4\xf4\x7d\xf0\x51" "\x05\xba\x9e\xfb\xec\xe0\xc3\x25\x2c\x7d\xb0\x43\x21\x9b\xdc\x4c\x93" "\xa2\x9c\x04\x67\xad\xcf\x36\x55\xc9\x9f\x98\x08\x7e\xc4\x8c\xe4\x25" "\x97\x2a\x9e\x60\x0d\x85\x48\x82\x37\xba\x3e\x9a\x4f\x9c\x1f\xd7\x7e" "\xeb\x51\x98\x59\xa1\xa9\x9f\xca\xe2\x77\x76\x09\x17\x30\x05\x73\xb6" "\xf1\xdb\xa5\x77\x4b\xac\x4a\x4b\x58\x5f\x0f\x50\xd0\x8a\x21\x02\x8f" "\xcc\x3a\x18\x3b\xdf\x04\x38\xe0\xe7\x75\xbf\xf4\xad\x5e\x33\x1f\x5e" "\xa3\x9f\x5f\x21\xc7\xf7\x53\xb4\x74\x70\xd8\x23\xf6\xb4\xbd\xb5\xca" "\xa3\xee\xf4\x54\x7d\x17\x6d\x29\xd7\xa8\x5f\x09\xc3\x9c\xc7\xaf\xed" "\x6b\xf6\x4f\xf6\x6a\x23\x1b\x1e\xa3\x76\x91\xf6\xe7\x5a\x05\x10\xdf" "\x73\x86\xa4\x5f\x7a\x7b\x8f\x93\x22\xe7\x8d\x9f\xcf\x5c\x4c\xc9\x0e" "\x8c\xad\x4d\x77\xc4\x33\x61\x1b\x56\xe5\x35\x18\x3f\x67\x5d\xab\x96" "\x30\x01\x25\x51\x34\x16\x14\xfe\x0d\x20\xf3\xfd\x9d\xd5\xc1\x2c\x5e" "\x88\x89\xd5\x29\x2f\xdd\xdc\x36\x97\x95\xc4\x6f\xd1\x96\x39\x25\xfb" "\xbe\x8f\x82\xbb\xac\x53\x00\x3d\x2c\x02\xc0\x2e\xeb\x6b\x1c\xf0\x8d" "\x57\x5e\xc5\x6f\x02\x29\xef\xec\x0f\x2a\xe2\xa5\x8b\xac\xde\x5c\x11" "\x25\x7b\x5e\x83\xdf\x98\x43\xc9\x6e\xc5\x56\xe3\xe1\xf3\xb7\x31\x55" "\x91\x5c\x23\xef\x7d\xb2\xbc\x18\x76\xbd\x58\x0c\x8b\xf7\x75\xdb\x70" "\x2c\x79\xbd\x3c\xe5\x01\xf3\x8d\x83\x2e\x2c\x2a\x20\x00\x34\xa4\x1c" "\xbe\xc1\x0f\x76\x52\x44\xca\xb7\xcc\x85\x0a\xfc\x86\x56\xce\x12\xae" "\x90\xac\xd7\xfa\xbb\xd4\x6d\x25\xe4\x9a\x34\x47\x9d\xb6\x4e\x83\x45" "\x4a\x14\xec\x43\x3e\x86\x15\xb0\x41\x4e\xaf\xc8\x60\xe1\xdd\x04\xa8" "\xec\x31\x4e\xb1\xf1\x22\xbd\xf5\x90\xe5\x45\xe7\x9e\x05\x64\x49\x4c" "\xdc\xda\xe3\x00\x66\x73\xf3\x55\x2f\x30\x16\x60\x10\xe3\x16\xcb\x61" "\xc0\x08\x58\x3e\x78\x7c\x01\x40\x4b\xa1\xa0\x63\x99\x55\x05\x3e\x06" "\x6f\xdf\x5b\xac\x58\xff\x58\x40\x80\x23\xf0\x96\xd2\x21\x7f\x17\x8c" "\xf0\x82\x02\x1d\x96\x16\x3d\x6f\xd7\xad\x20\x72\xd8\xff\xe6\xff\x1e" "\x65\xe8\xf9\x2a\x2d\xf3\x35\x16\xd6\xe4\x3a\x5b\x52\x16\x30\x01\x6c" "\x24\xdb\x12\xc4\xca\xcd\xc6\x07\x14\x01\x7e\x90\xf5\xba\x4a\x88\x71" "\x09\xd6\x91\xcb\xac\x25\x35\x05\x36\x33\xf2\x10\x5c\x6f\x7c\x2e\x32" "\xf1\x65\xd5\xdb\x78\xbe\x00\xe0\x71\x13\x4c\x97\x8a\xd1\x73\x8b\xb2" "\xb6\xb6\x5b\x91\x45\xee\x90\x7b\x98\x1c\x6c\xf5\x48\xfc\xf7\xce\xea" "\xe0\x65\xbf\x94\x72\xd6\x23\x57\xcd\x19\x7c\x0c\xfd\xbd\xcf\xe5\x15" "\x00\xa6\x29\x20\xe2\x16\xdc\xc1\x62\x53\x16\x88\xd6\xc8\xb0\xbb\x22" "\x96\xa2\x26\xd2\x31\x92\x68\xa6\xd2\x3e\x70\x4b\xff\x64\xd3\x33\x75" "\xc3\xab\xbe\xa4\xef\x17\x36\xe5\x97\x06\x8e\x89\xcf\x7d\xe9\xf6\x98" "\x1a\x10\x86\xd7\x4d\x34\xa9\x22\x19\x62\x8b\x86\x4c\x58\x55\x49\x70" "\x26\x0e\x39\x18\xc1\xef\xca\x36\x4b\x1e\x9a\x42\x6a\xfc\xe6\x44\xb1" "\x77\x22\x87\x17\x50\x8a\x2a\x3b\xb9\x1d\xca\x6b\x7e\xc9\xa4\xc5\x57" "\xd1\x25\x5d\x1a\xba\xa4\x0d\x43\xf1\x4e\x08\x95\x4c\x62\x7b\x70\x6c" "\x0b\x60\xd3\x3a\xb5\xee\x86\x18\x70\x50\x15\x56\x54\x75\xfa\x7c\x89" "\xb3\xb9\x2b", 1992); syscall(__NR_sendto, r[0], 0x20000a80, 0x7c8, 0, 0, 0); break; } } void execute_one() { execute(7); collide = 1; execute(7); } int main() { syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0); char* cwd = get_current_dir_name(); for (procid = 0; procid < 8; procid++) { if (fork() == 0) { for (;;) { if (chdir(cwd)) fail("failed to chdir"); use_temporary_dir(); int pid = do_sandbox_namespace(); int status = 0; while (waitpid(pid, &status, __WALL) != pid) { } } } } sleep(1000000); return 0; }