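// https://syzkaller.appspot.com/bug?id=cc48191274be0a9e986e29be2ef06fc176c4aa51
// autogenerated by syzkaller (https://github.com/google/syzkaller)
//
// Reconstruction note: the page this listing was taken from had the whole
// program collapsed onto a few physical lines (so everything after the first
// "//" was swallowed by that comment), the NONFAILING continuation
// backslashes were gone, and all 31 #include directives had lost their header
// names. The layout is restored below and the headers listed are the ones the
// visible code needs; the original include list may have been longer.
//
// What the program does, as far as the code shows:
//   * main() maps a 16 MiB scratch area at 0x20000000 and forks 8 workers.
//   * each worker runs loop(), which forks one child per iteration, lets it
//     run execute_one() for at most 5 seconds, then removes its directory.
//   * execute_one() replays a fixed syscall sequence: create and fill
//     ./file0, map it over the scratch area, then issue two ioctl() calls,
//     the second on a descriptor opened from /dev/vmm.
//
// NOTE(review): the flag encodings annotated in the call comments and the
// /dev/vmm path suggest a BSD target (presumably OpenBSD vmm(4)); confirm
// against the linked syzbot report before triaging.

#define _GNU_SOURCE

#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/mman.h>
#include <sys/resource.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/uio.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

// Index of the worker being forked in main(); not read anywhere else here.
static unsigned long long procid;

// Per-thread state shared between NONFAILING() and segv_handler().
static __thread int clone_ongoing;
static __thread int skip_segv;
static __thread jmp_buf segv_env;

// SIGSEGV/SIGBUS handler. A fault is swallowed (by jumping back into the
// NONFAILING() that armed segv_env) only when skip_segv is non-zero and the
// faulting address lies outside [1 MiB, 100 MiB]; the scratch area at
// 0x20000000 is above that window, so faults on it are skippable. Every
// other fault terminates the process with the signal number as exit status.
static void segv_handler(int sig, siginfo_t* info, void* ctx)
{
  if (__atomic_load_n(&clone_ongoing, __ATOMIC_RELAXED) != 0) {
    exit(sig);
  }
  uintptr_t addr = (uintptr_t)info->si_addr;
  const uintptr_t prog_start = 1 << 20;
  const uintptr_t prog_end = 100 << 20;
  int skip = __atomic_load_n(&skip_segv, __ATOMIC_RELAXED) != 0;
  int valid = addr < prog_start || addr > prog_end;
  if (skip && valid) {
    _longjmp(segv_env, 1);
  }
  exit(sig);
}

// Installs segv_handler for SIGSEGV and SIGBUS. SA_NODEFER leaves the signal
// unblocked inside the handler, which the _longjmp() exit path relies on.
static void install_segv_handler(void)
{
  struct sigaction sa;
  memset(&sa, 0, sizeof(sa));
  sa.sa_sigaction = segv_handler;
  sa.sa_flags = SA_NODEFER | SA_SIGINFO;
  sigaction(SIGSEGV, &sa, NULL);
  sigaction(SIGBUS, &sa, NULL);
}

// Evaluates its argument with fault skipping armed. Yields 1 when the
// statement ran to completion and 0 when segv_handler jumped back here.
#define NONFAILING(...)                                                        \
  ({                                                                           \
    int ok = 1;                                                                \
    __atomic_fetch_add(&skip_segv, 1, __ATOMIC_SEQ_CST);                       \
    if (_setjmp(segv_env) == 0) {                                              \
      __VA_ARGS__;                                                             \
    } else                                                                     \
      ok = 0;                                                                  \
    __atomic_fetch_sub(&skip_segv, 1, __ATOMIC_SEQ_CST);                       \
    ok;                                                                        \
  })

// Sends SIGKILL to pid and reaps children until pid itself has been
// collected; *status receives the status of the last child reaped.
static void kill_and_wait(int pid, int* status)
{
  kill(pid, SIGKILL);
  while (waitpid(-1, status, 0) != pid) {
  }
}

// Sleeps for ms milliseconds.
static void sleep_ms(uint64_t ms)
{
  usleep(ms * 1000);
}

// Returns CLOCK_MONOTONIC in milliseconds; exits if the clock is unavailable.
static uint64_t current_time_ms(void)
{
  struct timespec ts;
  if (clock_gettime(CLOCK_MONOTONIC, &ts))
    exit(1);
  return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}

// Creates ./syzkaller.XXXXXX, makes it mode 0777 and changes into it, so the
// files a worker creates stay inside its own directory.
static void use_temporary_dir(void)
{
  char tmpdir_template[] = "./syzkaller.XXXXXX";
  char* tmpdir = mkdtemp(tmpdir_template);
  if (!tmpdir)
    exit(1);
  if (chmod(tmpdir, 0777))
    exit(1);
  if (chdir(tmpdir))
    exit(1);
}

// Recursively deletes dir. lstat() is used so symlinks are unlinked rather
// than followed. Any failure exits the process, except an unreadable
// directory (EACCES), which is removed directly with rmdir().
static void __attribute__((noinline)) remove_dir(const char* dir)
{
  DIR* dp = opendir(dir);
  if (dp == NULL) {
    if (errno == EACCES) {
      if (rmdir(dir))
        exit(1);
      return;
    }
    exit(1);
  }
  struct dirent* ep = 0;
  while ((ep = readdir(dp))) {
    if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0)
      continue;
    char filename[FILENAME_MAX];
    snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name);
    struct stat st;
    if (lstat(filename, &st))
      exit(1);
    if (S_ISDIR(st.st_mode)) {
      remove_dir(filename);
      continue;
    }
    if (unlink(filename)) {
      exit(1);
    }
  }
  closedir(dp);
  while (rmdir(dir)) {
    exit(1);
  }
}

// Empty on this target: CAST(fn) expands to (fn), which the call sites then
// cast to an all-intptr_t function pointer type.
#define CAST

// Starts a new session and applies resource limits: 8 MiB locked memory,
// 1 MiB file size, 1 MiB stack, no core dumps, 256 open files. The
// setrlimit() results are not checked, so the limits are best-effort.
static void sandbox_common(void)
{
  if (setsid() == -1)
    exit(1);
  struct rlimit rlim;
  rlim.rlim_cur = rlim.rlim_max = 8 << 20;
  setrlimit(RLIMIT_MEMLOCK, &rlim);
  rlim.rlim_cur = rlim.rlim_max = 1 << 20;
  setrlimit(RLIMIT_FSIZE, &rlim);
  rlim.rlim_cur = rlim.rlim_max = 1 << 20;
  setrlimit(RLIMIT_STACK, &rlim);
  rlim.rlim_cur = rlim.rlim_max = 0;
  setrlimit(RLIMIT_CORE, &rlim);
  rlim.rlim_cur = rlim.rlim_max = 256;
  setrlimit(RLIMIT_NOFILE, &rlim);
}

static void loop(void);

// "none" sandbox: only sandbox_common() is applied, so the replay runs with
// whatever credentials the program was started with. loop() does not return.
static int do_sandbox_none(void)
{
  sandbox_common();
  loop();
  return 0;
}

static void execute_one(void);

#define WAIT_FLAGS 0

// Replay driver: one forked child per iteration, each in its own ./<iter>
// directory. The parent polls once per millisecond and kills the child after
// 5000 ms, then deletes the directory. Never returns.
static void loop(void)
{
  int iter = 0;
  for (;; iter++) {
    char cwdbuf[32];
    // Bounded write; "./" plus a decimal int always fits in 32 bytes.
    snprintf(cwdbuf, sizeof(cwdbuf), "./%d", iter);
    if (mkdir(cwdbuf, 0777))
      exit(1);
    int pid = fork();
    if (pid < 0)
      exit(1);
    if (pid == 0) {
      if (chdir(cwdbuf))
        exit(1);
      execute_one();
      exit(0);
    }
    int status = 0;
    uint64_t start = current_time_ms();
    for (;;) {
      if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
        break;
      sleep_ms(1);
      if (current_time_ms() - start < 5000)
        continue;
      kill_and_wait(pid, &status);
      break;
    }
    remove_dir(cwdbuf);
  }
}

// Descriptors produced by the replay: r[0] = ./file0 (created for writing),
// r[1] = ./file0 (reopened with flags 0), r[2] = /dev/vmm. A slot keeps its
// all-ones initial value when the corresponding open fails.
uint64_t r[3] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff};

// The recorded syscall sequence. Every memory write and call is wrapped in
// NONFAILING(), so a fault on the scratch area skips that one statement and
// the sequence carries on. Statement order and all constants are exactly as
// the generator emitted them; only layout and comments were added.
void execute_one(void)
{
  intptr_t res = 0;

  // Step 1: create ./file0 (path string staged at 0x20000080).
  NONFAILING(memcpy((void*)0x20000080, "./file0\000", 8));
  res = -1;
  NONFAILING(res = ((intptr_t(*)(intptr_t,intptr_t,intptr_t))CAST(open))(/*file=*/0x20000080, /*flags=O_NOFOLLOW|O_TRUNC|O_CREAT|O_APPEND|0x6*/0x70e, /*mode=*/0));
  if (res != -1)
    r[0] = res;

  // Step 2: build a 4-entry {base, length} vector at 0x20000280 and write it
  // to file0. Entry lengths are 0xe8 (232), 0x67 (103), 0 and 0xdc2 (3522),
  // matching the memcpy sizes of the three payload buffers below.
  NONFAILING(*(uint64_t*)0x20000280 = 0x20000400);
  NONFAILING(memcpy((void*)0x20000400, "\x56\xcf\x5d\xaa\xfc\x65\x97\x87\x24\x31\xff\x6c\x66\x8c\x28\xad\xc3\x3a\x60\x65\x1a\x07\x8a\x11\x6b\x35\x48\xa8\xbe\x66\x44\x46\x58\xa0\x69\xb7\x1e\x92\xfe\xad\xcd\x7b\x34\x34\xda\xdf\xc4\xfc\x3f\xd4\xef\x75\x25\xb5\x8b\x00\x86\x93\x2b\x0a\x93\x46\x35\x11\xa8\x88\x9f\x58\x07\x3c\x33\x28\x2b\x2a\xfa\x19\x67\xc7\x90\x8d\x4d\x0a\xea\x83\x0b\x68\xa4\x37\x11\xd6\xc4\x45\x7e\xc4\xa4\x1a\x77\x2d\x6a\xe3\x11\x73\x0b\x78\x23\xd9\x6e\xf1\xc2\x5a\x7b\xae\x68\x95\x4d\xa1\xff\xde\x05\xcf\x13\x87\x58\xef\x54\xd0\x53\xa9\x4b\xce\x1d\x28\xf7\xea\x23\x5a\x66\x64\x7b\x6d\xb6\xed\xa0\xd5\xe7\x8d\xb1\x6b\x66\xfa\xe3\xf1\x3f\xb8\xd2\x56\x10\xc0\x9b\x96\x00\x3d\x87\x76\xb0\x5d\xcc\x0d\xd5\x68\x81\xe8\x48\x48\x3a\x08\x26\xbb\x01\x0e\x52\xd7\x20\x70\x26\xa5\x90\x74\xa6\xa4\xc0\xf7\x67\x7a\x7a\x35\xa8\xd2\x9e\x87\x5a\xeb\xab\xef\x35\x4e\x08\x2b\x69\x11\x2d\x48\x67\x81\xc8\x97\xab\xf6\xbb\x9a\x1b\xe0\x14\xc3\x58\xaf\x0d\xea\xaf\x17\x01\xcf", 232));
  NONFAILING(*(uint64_t*)0x20000288 = 0xe8);
  NONFAILING(*(uint64_t*)0x20000290 = 0x200000c0);
  NONFAILING(memcpy((void*)0x200000c0, "\x46\xc4\xf1\x0b\xc8\x7c\x57\xf4\x94\x28\x87\x40\x22\x3f\x05\xda\x53\xba\xde\x43\xd9\x6c\xee\x8b\x67\xa2\xbd\xa8\x51\xf3\x46\xb3\xec\x95\x14\xee\x7d\x09\x36\x29\x0b\x45\x28\x26\x95\xc9\x1e\x2a\x70\xb6\x52\x00\xf5\x42\xea\x22\xfd\x10\xe9\x2e\x68\x1b\x7d\x17\xf3\x88\xcd\x46\xb7\x89\xf2\x44\xbb\x55\x2a\xdb\x6a\xef\x00\xb7\xe4\x86\xf4\x8e\x4c\xc1\x31\x3a\x28\xf1\x61\x95\xc6\x20\x2c\x2c\xcb\x8c\x51\xbd\xae\x11\x06", 103));
  NONFAILING(*(uint64_t*)0x20000298 = 0x67);
  NONFAILING(*(uint64_t*)0x200002a0 = 0);
  NONFAILING(*(uint64_t*)0x200002a8 = 0);
  NONFAILING(*(uint64_t*)0x200002b0 = 0x20000580);
  NONFAILING(memcpy((void*)0x20000580, "\xe3\xb2\x15\x6d\xbd\x96\x92\xb4\x9e\x19\xf3\x7c\xd5\x8d\x0a\x93\x6f\x8b\x3b\xcd\xea\xab\x6e\x6e\x81\x20\x52\x75\xc9\xf9\x6b\xec\x01\x9e\xce\xb8\xd1\xab\x8b\x42\x23\x65\x1e\x2f\x00\xae\xcd\x56\x7c\x4e\x01\x58\x97\x8c\xd1\x0c\x6f\xf7\xa9\x9d\x4b\x22\xce\xe5\xf1\x45\x4f\xa4\x32\x57\x5f\x47\xf9\x20\x67\xbd\x93\xb9\x84\x72\xda\x81\x02\x63\x95\xa0\x3c\xdb\xac\xca\x75\xee\x65\xa4\xed\x34\x31\x80\x93\xc8\x2c\x3a\x86\xab\xcc\x78\x0d\x18\x84\x1f\x73\x14\x3b\xfd\x3f\xc9\x8a\xa8\xd9\x1b\x42\xda\x40\xa2\x26\xb2\x8f\x0e\x69\x2f\xa4\xa7\x10\x5d\x63\x76\x7b\x6e\x2c\x21\xb5\xa0\x02\x06\xf3\xa1\x4d\xbf\x11\xcc\x13\xfc\xc3\x05\x02\xc5\x8b\x7d\x3e\x46\xbf\x3e\x1e\x37\xee\xaa\xf6\x8a\x08\x19\x08\xe6\x71\xd3\x6e\x3e\x63\xd2\x7e\x92\x3a\x65\xca\xf6\x2c\x2b\x4e\x14\x16\x25\x9d\x5f\x7a\x5b\xf7\xdb\x4f\x23\xf1\x98\x74\xbc\x01\xd8\x09\xe5\x9e\x90\x3c\x67\xfd\x67\x7e\x31\xa4\xe1\x9e\xfc\x76\xaf\xe7\x55\xfb\xbb\x03\x7f\xd7\xe2\x43\x28\x65\xa1\x56\xbf\xd6\x5e\xe0\x35\x53\xd1\x57\xa4\x64\x7a\x5b\x88\x71\x36\xd1\xe8\xf5\x87\xa7\x35\x4d\xda\x1c\x73\x3f\xa5\xed\xdd\x53\x44\xa5\xe4\xab\xd2\xa8\x2e\x44\xf6\x62\xbd\x05\xcf\x4b\x01\x70\xfe\xa2\x2a\x81\x95\x3a\x7d\xde\xfd\xda\x23\x78\xd0\xe1\xd8\x28\x78\xa4\xab\x2b\x98\x9d\xf0\x8f\x34\x0a\x2b\x0f\x85\x0b\xd1\xa0\xcd\x2c\x45\x62\x2f\x18\x2f\x16\xe8\xd3\x93\x41\x8a\x26\xdd\x43\x5b\xff\xb3\xb2\xfe\xc8\x26\x8c\xbd\xe5\xa8\x2a\xd6\x99\xc1\xa3\x21\x78\x34\x48\x58\x1e\x29\x80\xa4\x9f\x06\x4c\x8f\xb4\x52\x4f\x4e\xe2\xd5\xec\x65\x58\xb4\x38\x89\xc5\x51\x2a\x3d\x49\xbf\x8d\x74\x35\x86\xc6\xab\xa9\x1c\x4d\xfb\x27\x99\x26\xeb\x0b\xb8\x38\xe2\x54\x09\x56\xd8\x0c\xe3\x07\x51\x79\xca\xa3\x77\x4a\x6d\xfb\x9d\x06\x11\x9b\xb5\xdb\x08\x8e\x19\xd9\xd5\xb5\x31\x6a\x80\x05\x8c\xe9\xce\x58\xde\xea\x27\x73\x5f\x86\x5e\x46\x78\xa5\x97\xfe\xc6\x45\x4b\xb8\xa5\x71\x55\x24\x99\x19\x80\x59\x84\x74\x3b\x84\x33\x88\x00\x14\x44\x9e\x4f\xe3\x7b\x6e\x9b\x26\xfb\xff\x15\x3c\xb0\xea\xa2\x0d\xf6\xb7\x30\xf1\xdb\x3d\x69\x67\x0a\x48\x12\x3e\x02\x0c\xab\xff\x46\x64\x80\x04\x69\xed\x4f\x45\xd4\xca\xea\x89\x25\xf7\xf2\x08\x0e\x36\x84\x3d\xf6\x9f\x85\xd7\xf9\x50\x85\xeb\x9f\x6e\xe2\x43\x92\x4f\xde\x44\xc3\xe8\x80\x15\xa8\xde\x23\xc5\xe2\xfb\xab\x6f\xd7\x46\x3e\x9e\xde\x2d\xe5\xe1\xde\xb2\x02\xed\x90\x5d\xee\xe7\xc0\xfe\x99\x1f\x23\xeb\xbd\xdd\xd3\x16\x7e\x44\xd6\x5a\x3b\x74\x15\x5e\x81\x42\x79\xe2\x65\xa7\x38\xb5\x04\x98\x02\x38\x9e\x02\x29\xcf\xf7\xe2\x23\xe2\xb5\x8f\x14\x15\xef\x2c\x34\x72\xa9\xd5\xa0\x21\x7e\x83\x6f\x70\xfa\x16\xe7\x6d\x2b\x75\x42\x3b\x6b\xb1\x1e\xe6\x29\xbc\xef\x30\xdb\xd4\x36\x3a\x23\xc1\xd0\x6e\x34\x4a\xb6\x5f\xc3\xa1\x39\x28\x94\x0a\xfb\xe9\xd4\x01\xb0\xd9\x54\xb5\xc7\x59\x76\x73\xc9\x49\x28\xf2\xbd\x78\xdc\xc5\xa8\xda\xfd\xa6\xa2\xfa\xda\xc8\xf8\x96\xc9\x6f\xd5\xce\xaa\xb4\xf4\xbd\x6d\xce\x2f\x6f\x60\x7b\x69\x9a\xdc\x39\x4b\xd1\xa6\x5c\xb2\x56\x5e\xbc\xbd\x83\xd8\x5b\xa4\xe0\x1a\x27\x73\xb3\x2c\x42\xcb\x3f\x53\x63\x3c\xc4\xe4\x6a\x5f\x96\x59\x4a\xe4\x2c\x4e\x57\xc7\x0e\xc8\xa3\x3b\xf7\x2d\x5d\x4c\xaa\x13\x42\x36\x58\x62\x8b\xb7\x1e\x17\xc4\xc3\x96\xba\x36\xe4\x7d\x8b\x29\x78\xd7\x5b\x0f\x02\x07\x0f\x70\x8b\xc4\xa2\xc7\xc3\xa7\x0b\x87\x34\x7e\xc0\x74\x91\x3f\x00\xd9\x79\xe1\xa4\xc2\xa0\xc8\x1d\x18\x12\x5e\x1b\x7b\x18\xca\xbc\xf7\x59\xb7\xed\x3e\xbe\x1f\xdf\x5b\x65\xcc\xd0\xbb\x3a\x9f\xfc\x83\x79\xbd\xe4\xce\xda\x45\x2b\x4c\x5f\x0f\x56\xe3\x8c\x8d\xd4\x9e\xcf\x16\xf9\x54\x23\xa2\xc2\xa0\x21\xfb\x7c\x1f\x9a\x95\x30\x99\x55\x4a\xb2\x52\x99\x1d\x47\xe0\x03\xc0\x26\x3a\x6a\xea\x2d\x25\xa9\x5f\x1d\xd2\xff\x97\x22\x5a\x7c\xf2\x68\x33\xd2\x19\x1d\x7b\x7e\xce\x65\x74\xe5\x2c\x76\xca\x61\xe8\xde\x29\x17\x6d\xbc\x01\xeb\x9c\xc4\x27\x97\x12\xa9\xab\xb6\x0e\x62\x9c\x66\x7b\x99\xcd\xe7\xa6\xee\xf8\xac\x65\x37\x19\x15\xcd\x8a\xa2\x2e\xf6\x3c\x84\xce\xf6\x70\x5f\x47\x5c\x8b\xb2\x18\x9b\xbb\x38\xc5\x5b\x8c\xfc\x6e\xc8\x86\x98\xae\xa1\xc0\xa0\x08\x96\x71\xcb\x2c\x28\x06\xc6\xed\x58\xef\x05\x1b\x6f\xe7\x6b\xee\x9e\x21\xf4\x3e\x87\x43\xc3\x15\x72\xbb\x62\x21\xf6\x0a\x58\x70\x33\x41\xa1\x78\x52\x05\xfe\x0c\x59\x12\xdf\x91\xf8\xbd\x44\x55\x9d\x65\x31\xab\xd0\x65\xa0\xaf\x1e\xfe\x7f\xd7\x16\x4e\x8a\x8c\xa3\x54\x00\x91\xc8\xba\xcc\x9f\xcb\x24\xd3\x10\xba\x32\xbd\x93\xf8\xdc\xe7\xf8\xd0\x60\xed\x5b\xb2\x37\x01\x4e\x22\xee\x84\x2c\xcc\x7d\x86\xba\xdc\xf8\xa5\x4a\xce\x05\x3e\xdc\x21\x22\xa2\x8d\x4e\xe3\x4e\x04\x19\xde\x00\x95\xa9\x9a\x68\xad\x59\x45\xdb\x5a\x7a\x08\x80\xa6\xdd\xad\xf2\x3a\xaa\xaf\xbf\x0c\x44\xac\x35\x95\x72\x4e\x58\xf0\x37\x8d\x1a\x02\x4f\x1a\x62\x41\x73\xe8\x96\x6a\x0b\x85\xa2\x17\x8d\x9d\x3e\xcf\xda\x88\xa8\xf1\x1f\xf5\x41\x31\x88\xac\xc6\xa8\x4c\x2e\xc0\x74\x88\xa3\xe1\xba\x7f\xad\xca\x39\x9f\xb7\x4b\x2f\x7e\x89\xf5\xc1\xbc\x6c\x43\xa2\xcb\x0e\x55\x7c\x64\xd6\x6f\x87\x05\x54\x7c\xff\x85\xbb\xe8\x12\x55\xef\x7c\xc2\x34\x53\x38\xf6\xa1\xf0\xae\x2b\x69\xe8\x67\xdb\x12\x0d\x70\xcf\x19\x66\x8c\xdb\xcc\xf8\x66\x54\xc5\xd9\x93\x41\xfc\xec\x9f\xc8\x07\xc8\xf0\xaa\x6e\x31\x2d\x1d\xec\x4c\xf6\x09\xa9\xb7\xa8\x0e\x33\x0c\xb3\x07\x98\xda\x24\xac\x16\x15\xdf\x35\xf6\x44\x1e\xa5\x12\x5f\xf1\x62\x73\xd1\xf9\x22\xd9\x13\xf5\x8a\xb5\x00\x06\x41\x45\x35\xf1\x7b\xcd\x07\xcd\x58\x83\xcc\xdc\x29\xba\xea\x7a\xbc\x32\x62\x0d\x0b\xa9\x76\x07\x9b\x8a\xe7\xf7\x15\xa1\x85\x24\x58\x37\x58\x48\xbd\xfe\x97\xe9\x3c\xff\x47\x8d\x6e\xec\xf3\x7d\x8f\x39\x54\x8e\x3e\x56\x8d\x1e\x70\x33\x0d\xdc\xe2\x69\x4a\x61\x38\x59\x0e\x49\xc5\x0d\x3f\x35\x6a\x2e\x39\x65\xd4\x35\x6b\x06\xcf\xdb\xa6\xaa\x5d\xcd\xbc\x1a\xf8\xc2\x06\xe7\x13\xc0\x9c\x7b\x34\xbd\x05\xc0\x9f\xbd\xa1\x70\x89\xf4\xe0\x93\x3c\x98\x6d\x24\x0c\xf0\x81\x51\x60\x00\xa8\x18\xdf\xa4\x17\xde\x09\x4d\xfa\x1d\x15\x2a\x7f\x16\xe1\x17\x67\x16\x20\x74\x9c\x28\x71\x0f\x38\x08\xa0\x4d\x04\xc4\x91\x65\x43\x87\x77\x61\xc6\x62\x01\x9a\xda\x12\x96\x09\x5b\xf2\xea\x2c\x01\x03\xb3\xa5\x8b\x47\x89\xcd\x17\x6e\x65\xd3\x48\x63\xfc\x5b\xa4\x23\x92\xf8\xd9\xdf\x8b\xd4\xf5\x11\x78\x3f\x53\xee\xcd\x26\x3a\x45\xf9\xde\xbc\x82\x85\x23\xf2\x11\x30\xf5\x54\xd0\x77\x09\xf1\xa2\xc5\x72\x97\xd8\x2a\x63\x56\x68\x91\x30\x3b\x9a\x0a\xc8\xea\xb0\xfb\x83\x61\x32\x23\x80\x73\x19\x91\xec\x5d\x23\x20\xc3\x9a\xc6\xc0\x71\x3d\xac\xf1\xdf\xa2\xfa\x2d\x08\xae\xc5\x6c\xfc\x40\xb9\x9f\x11\xd2\xbf\x5a\xc2\xcf\x16\xd4\xcb\xe8\x63\xe8\xb7\x51\xd5\xc4\xc8\xe2\x13\x39\xb4\x6d\x03\x16\x78\x6a\x28\x69\x98\xa6\xe4\xd0\x22\x23\x96\x98\xd6\x41\x8e\xba\xc9\x03\x85\x71\xc3\xc5\x84\x42\x2c\x05\x62\xfd\x55\x58\xe2\x1b\xb0\x2e\x93\x16\x81\x1a\xa3\x90\x2c\x95\x2e\xd2\xed\xc1\xba\x94\x79\xfa\x87\x9b\xcb\x0c\x4c\x8e\x7c\x0e\xca\x5d\x91\x7a\xc0\xa3\x34\x0d\x51\x7a\xc2\x6e\x6c\x38\xf6\x42\xde\xfd\x62\x4a\x29\x1f\x88\xbd\x97\x88\x59\x8a\x40\x3c\xad\xc8\xf1\x4e\x6f\x55\x01\x1d\xe9\xd8\x7a\x22\xc1\xee\x04\xca\x16\xa6\x65\x00\xf8\xd2\x26\xe9\x93\xb0\x3a\xf3\xd9\xbc\xb2\xe5\x26\xb2\x79\x4a\x93\xb2\xc5\x57\x83\x9c\x09\xde\x70\x65\xd9\x31\x12\xca\x73\xbc\x46\x75\x34\x8d\x9f\x8a\x01\xcf\x97\x1e\x3c\xad\x62\x65\x98\x8b\x35\x03\xac\xe0\xb4\x2c\x39\x9a\x8a\x76\xa6\x73\xad\x5a\x1b\x52\x74\x6b\x5f\x1c\xfd\xe1\x6a\x7c\x6b\x65\x0a\x20\x81\x87\xad\xa2\x7b\x64\x23\x99\xdd\xbc\xfd\x1d\xa5\xc9\x66\x2a\x69\x53\x52\x58\xd8\x2e\x90\x08\x49\x7c\x6a\x18\x93\xbd\xac\x6d\x67\xc7\x03\xfd\x31\xd6\xf0\x7d\x68\x5b\xe5\x29\x74\x3f\x99\x4b\x7c\x5a\x4f\x02\xe1\x5b\x64\x2f\x80\x41\xa4\x66\x5c\xab\x6c\x22\x88\x79\xad\xd1\x68\x32\x9e\x30\x3a\x58\xc3\x2f\xe1\x1d\xa6\x9b\x9d\x5c\x24\x10\x25\x54\x35\x0b\xde\x68\x14\x97\x9a\xc5\xc3\xd1\x1c\x18\x2d\x3f\x4f\x7f\x50\xc2\xc7\x7d\x0a\x1e\x4b\xe7\x71\x9b\x57\x0b\x3b\x58\x41\x74\xfd\xf4\x7b\xa1\x91\x06\xe8\x7b\x3d\x7d\xa4\x21\x20\xe4\xd2\xf4\x03\x00\xca\x6b\x75\x54\xa3\x98\x65\xcf\x5b\x58\x37\x84\x48\x0c\x36\xf2\x06\x41\x18\xfb\xf0\xc9\x0a\xf7\x20\xed\x57\x7f\x83\x86\xa3\x60\x78\xd0\x7a\x96\x1f\x43\xc6\x40\x83\x3b\x37\xde\x42\xec\xe4\x3b\x72\x78\x16\xd1\xaf\xdf\x5f\x37\xd8\xf2\x89\xce\x4a\x59\x0a\x80\xf8\xdc\x76\x48\x33\x0e\x27\xe1\x1e\x8b\x87\xae\xb5\x99\x81\xa1\xfd\x2d\xf9\xd7\x9b\x8a\x5d\x9b\x37\xf9\xde\x34\x59\xc2\xaa\xf2\x92\x5f\x29\xbf\x70\x08\xa8\x31\x8e\xf6\xa2\x30\xf9\x5a\x10\x9d\x62\x05\x8d\x39\x43\xa2\x55\x4b\x8a\x8b\x64\x69\x4c\x91\x80\x8a\x9c\x14\xc3\x82\xe3\x81\x86\x7e\xbc\xaa\xf8\xbd\xda\x84\x04\x71\x9e\xa2\x4d\x62\x60\x2d\x40\xc8\xf1\xcc\x54\xed\x32\xea\xc5\x99\x63\x3c\x66\x97\x1a\x97\x71\x52\xf8\xaf\x50\xd1\x15\x9f\x3c\xc4\xc5\xcb\x58\x41\xcd\x98\xd2\x92\x25\x5b\xe5\x24\xf7\xf2\xd3\xa4\x82\x6f\x0f\xcb\xa1\xa2\xa4\x4a\xde\x0a\xff\xd0\xc4\x79\x63\x94\x84\x0b\xd0\xcc\x21\x83\xe3\x18\x33\x76\x87\x88\x67\x8d\xe6\x66\x46\x79\x72\xdc\x81\x4a\xc1\x47\x32\x4e\x3b\xae\xb2\x68\x11\x3c\x1f\xea\x9d\xcd\xb8\x11\xa8\xe3\xd9\x04\xfd\x1a\xfa\x3c\xa1\x06\xa2\x40\x0e\x8e\x46\xa1\x1b\x4f\x4f\x64\x7c\xe2\xb4\xe8\xc8\xcf\xe8\x2d\x53\x2c\xa6\x79\x5d\x2e\xb2\x6f\x91\xec\xf2\x4b\x22\xae\x5d\x2e\xab\xb0\xa1\xd5\x99\x2c\x1b\xb6\x86\x2e\xc1\x12\x41\x6d\x63\xfd\x42\x3e\x5b\xa4\x85\xf3\x45\xe5\x39\x8d\x36\x24\x08\x95\x69\x05\x8f\x98\xeb\x53\x70\x8b\xcd\x06\xc5\x76\x90\x05\xee\x84\x7a\x7f\x78\x41\x55\x80\x9d\xa3\xef\xe8\xe9\x18\x28\x76\x3d\xb6\xae\x4f\xa8\xbb\x46\x07\xc3\x54\xde\x16\xf7\x40\x7f\x82\xe2\x32\xaf\x2a\xe7\x83\x4a\xb1\x44\x56\xfa\x7f\x44\x11\x86\xfa\x78\xfa\x75\xdc\x27\x4e\x28\x47\x6d\x6c\xf1\xef\x8c\x5d\x3c\x73\x7b\x13\x3b\xd6\x08\x9c\x3f\x95\x66\xac\x31\x36\xf4\x8c\x70\x9f\xdb\x88\x0d\xa8\x80\xbd\xc8\x39\x5e\x52\x92\x64\x88\x9b\x62\x67\x77\x64\x23\x65\x0b\xfe\xb6\x57\x44\xd3\xb7\x91\x3b\x86\xd4\xc2\x80\xf0\xf0\xfe\x66\xe3\xb8\x74\x0b\x7f\xed\x41\xad\x5a\x8f\x57\x0f\xd1\x85\xed\xeb\x7a\x30\xab\xc2\x26\xd1\x8c\xac\x7a\x35\xe8\x13\x40\x51\x82\x28\x76\x95\x87\xae\x4c\x6b\x85\xcf\x5f\xb7\xf7\x95\x30\xe2\xb1\x92\x06\x9a\x2e\xb7\x29\x0e\x36\x4c\x6d\x85\xa3\xe6\x79\x98\x05\x13\x12\x0c\x52\x5d\x24\x3d\x29\x06\xdf\x75\x5f\x6c\x21\x47\x46\xa7\x6b\x39\xb2\xc4\xa3\xc8\xfc\x36\xe4\x14\x53\x18\x03\x27\xab\x5c\x35\x4a\x4c\x14\xfb\x8a\xd7\x7f\xb7\x41\x27\x56\x01\x17\x72\xc5\x45\x76\x65\xa6\xb6\x45\x48\xf5\xd5\xae\x11\xd4\x08\xea\x6d\x1c\x8e\x25\xcd\x40\xdd\xfe\x80\x3e\x7b\x01\x34\x19\x83\x36\xfb\x0c\x77\x14\x29\xd0\x14\xad\xed\xeb\x97\x6a\x93\x05\xb8\xef\xf0\xd4\x1c\xda\xba\x4f\xf9\xfc\x27\x6d\x31\x25\x5f\x68\x43\xf8\xc7\x4a\x98\x85\x50\xff\xe3\x42\x35\x95\x7a\xc6\x22\xe2\x5a\x03\x2a\xc0\x07\xc7\x11\xf2\xc8\x91\x31\x5d\x86\xfe\x6b\x35\xeb\x72\x8c\xad\xd7\x2e\x87\x7f\x45\x5f\x7b\xbe\xd6\xb7\x46\xf3\x74\xf0\xb1\x1e\x3b\xab\x66\x77\x85\x38\xb8\xe5\xa9\x26\xf2\x41\xd9\xb5\x06\x7f\x1b\x47\x26\xd5\x96\x4c\x71\x99\xe1\x5e\x0d\x59\x0a\xc3\x4d\x25\x7c\x07\x5e\x88\xd3\xc9\x5a\xc1\x34\xe0\xe4\x5f\xe3\xf5\x7e\x38\xaa\x85\x0e\xbf\x95\x0a\x52\xaa\xf9\xeb\x10\xe1\xab\xe5\x48\x70\xcf\xfc\xb6\x2a\x7f\xd0\xc9\x4a\x86\xff\x39\x59\xb1\xe3\x9e\xe5\x89\xa4\xd6\x4f\x9f\x18\xc0\x72\x01\x4a\x7c\x90\xf9\x6c\x48\x48\xac\x9d\x0b\x80\xb0\xd8\x5f\x07\x61\x0d\xc1\x67\xab\x45\xf1\x46\xe1\xaa\xdf\xe4\x82\x7f\x23\x4d\xfe\xd2\x49\x03\xee\x90\x56\x12\x48\x0e\xde\xfc\xa3\xae\xc8\xcc\xfa\x5d\x78\xe7\x9d\x0e\xf8\x78\x7e\xb9\x2d\x64\x47\x72\x12\x60\xe6\x45\x27\x8d\x9d\x7a\x8a\x4e\x47\x90\x37\xac\xd9\x05\x81\xf7\xa8\x3e\xbf\x4e\xf3\xf2\x87\x3a\xd4\x9f\xcd\xb0\x19\xe1\xfb\x9a\x38\xb7\xa2\x3a\xbb\xc4\x45\x89\x53\x19\x2f\x79\x1f\x79\x29\xd0\x9f\x80\x33\x62\xed\xe6\x43\x1d\x7a\x96\x38\xe8\x02\x68\x8e\x14\x60\x7d\x48\x0e\xc6\x72\xa3\x78\xec\x6d\x1f\x7c\x1a\x9a\xc8\x64\x57\x8d\x07\x8f\x45\x58\x46\x68\x1c\xac\x4c\x04\x38\xad\xca\xbe\x94\xab\x06\x00\x9f\xf0\x01\x25\x99\x2a\x9f\x13\x4c\x4c\x25\xf1\x4e\xdc\xa5\xcb\x6e\xf3\x69\xf3\x73\xbb\x49\x0a\x66\x6e\x21\xd1\x0d\x1f\x63\xa8\xf0\x28\x5e\xc1\xc5\x23\x0a\x7b\xb3\xad\x43\xb2\x18\x64\x41\x40\x09\x35\xab\xd1\x6f\x2e\x4c\xb4\x82\x52\x0e\x6b\x48\x2f\x59\xde\xd5\xc0\x1d\xcd\x60\xf1\xf3\x7a\xb1\x85\x97\xaf\xe6\x6c\x67\x24\x1d\x81\xed\xe5\xaf\x65\x63\x63\x5b\xb6\xc4\x55\xba\x26\xdb\xc1\x66\x59\x63\x5c\xad\xc3\x03\x29\xe2\x04\xa1\x5c\xd5\x69\xc2\xe0\xb4\x5e\x78\x47\xfe\x03\xe2\xdf\x38\x41\x13\xe5\xdc\x23\x8d\xb1\x58\xaa\xac\xd4\xfe\x55\xb5\x5e\xd1\xc4\x2d\x7d\xdd\x56\xe1\x1a\x89\xdc\x7c\xd0\x42\xf4\xd0\x04\xce\x30\x5a\x42\x01\xe2\x70\xb8\x39\x1f\x36\x6e\x0e\x05\x67\x79\xd0\xcd\x41\x72\x17\xdd\xdb\x57\x70\x4f\x0d\x91\xe9\x76\x48\x60\xbb\x0f\x51\xee\x7c\x4c\x24\x38\xe6\xf8\x06\x99\x47\x26\xfd\xf2\xee\x42\xe8\xdb\x10\x97\x23\xc4\x81\x02\x6b\xb0\xc2\x05\xde\xd3\x42\x1b\xaf\x0d\xe5\xf2\x99\x36\x8a\x99\x43\x78\x67\xc6\xab\x33\x73\xd9\xe8\x45\x55\x87\xd4\x49\x26\x38\x38\xe9\xee\x52\x14\xd5\xc1\x63\x90\x9e\x12\x68\x61\x0f\x79\xb2\x74\xd4\x8e\xe9\xec\x2a\x03\xb8\xeb\x46\xc0\xc8\xc4\x89\x37\x9a\xfd\x79\x3a\xc3\xfb\xb4\xc0\x3a\x37\xbd\x5c\xe1\xe1\x5e\xba\x5e\xc8\x86\xce\x2e\x0b\x42\x07\x8e\xdc\x53\xf7\x6d\x88\xa7\xa0\xb7\x73\xf7\x47\x15\x22\xee\xbd\xe9\x42\xbe\x79\x3a\x46\x9c\x43\x34\xf5\xb3\x98\x80\x20\x14\x46\xb4\xb0\x94\x69\xb3\x65\x44\x51\x61\x6e\xf4\xfc\xe8\x71\x39\xda\x2c\x43\x6d\x66\x2d\x5f\xdb\x15\xce\xa0\x29\x91\x16\xdc\xe8\x9b\x14\x9b\x6e\x7b\xac\x68\xb4\x77\x6c\xd9\x7f\xa4\xd4\x99\x99\x75\x54\x9d\x83\xbb\xe2\xc3\xcd\xa4\x02\x83\xf4\x4e\x5d\x8c\xb5\xa8\x92\x03\x48\xc6\xc0\x82\x71\xa7\xd7\xe3\x56\x5a\x0c\x14\x4b\x69\x24\x6e\x26\x69\xed\x38\x8c\xff\xd1\x4d\x4b\xcd\xf9\x1e\x50\xd4\x98\x7b\xe1\x42\x3b\x3c\x21\x9b\xd7\x04\xc0\x12\xe5\x54\x06\x92\x90\x40\x43\xbc\x93\x6e\xd4\xc4\xb9\x98\xba\x2e\xf4\xf6\xf9\x38\x1b\x17\xb3\xfb\x3d\xb4\xd0\x7e\xd8\x3f\xe8\x43\x26\x0b\x80\x71\x11\x90\xe7\xad\x59\x9b\x12\x55\xd8\x14\xb4\xbe\xa1\x02\x81\x81\x0a\xe8\xa9\x6a\x5d\xda\x37\x44\x82\x12\xc1\x32\x94\x2a\xf3\xa5\x86\x39\xce\x8a\x7c\x15\x71\xc4\xb0\x87\x80\x7a\x26\xff\xed\xdb\x42\x5a\x39\xdc\xd1\xb6\x55\x02\x01\xed\x49\x74\x5c\x9a\x06\x0c\xff\x53\x24\xfe\x62\x02\x80\x4e\x7c\x23\x50\x92\x69\x3c\x1a\x2d\xe9\x0b\xd6\x3d\x8f\x44\xcf\x44\xfe\x7b\x42\x1c\x06\x17\x0d\xaa\x95\xa2\x3c\xd0\x3f\x7b\x4f\x19\x44\x30\x60\x65\x66\x92\x3d\x89\x86\x4e\x9a\x4b\x81\xca\x8c\xf4\x8a\x9c\x12\x60\xe5\x85\x58\xc2\x10\x73\x45\x40\x6f\xb3\x05\x35\x53\x87\x07\x1f\x9b\xfb\xbe\x85\xff\x1e\x91\x4a\x0c\xf9\xce\xcf\x7e\xc1\x13\xe4\xda\x20\x42\x56\xbd\xe6\xa9\x8e\xdf\x55\x58\xdd\xd5\x2e\x9e\xa3\xae\x4f\x4d\x47\xb8\x06\xb5\xe7\xfc\x22\xcd\x02\x50\xd3\xf3\x23\x9b\x11\x0f\x08\xb7\xfe\x4c\x77\x1f\x9f\x58\x31\xc4\xa4\x43\x48\x4d\x87\xc5\xd0\x00\xd3\x55\x93\xd0\x11\x55\x0d\xed\xb7\xfc\xb0\x30\x5d\x7a\x06\x99\xee\x36\x08\x1d\xfd\xa3\x7b\xff\x33\xb2\x83\x15\x0e\x37\x0a\x34\xed\x15\xac\x7f\x74\x23\x33\x3c\x00\x97\xbd\x11\xd4\x2f\x3b\x4b\x00\xf3\xd6\x89\xef", 3522));
  NONFAILING(*(uint64_t*)0x200002b8 = 0xdc2);
  NONFAILING(((intptr_t(*)(intptr_t,intptr_t,intptr_t))CAST(writev))(/*fd=*/r[0], /*vec=*/0x20000280, /*vlen=*/4));

  // Step 3: reopen ./file0 with flags 0 and request a fixed mapping of it
  // over the first 2 MiB of the scratch area. The mmap result is not checked,
  // so the later stores land on whichever mapping is in place at that address.
  NONFAILING(memcpy((void*)0x20000040, "./file0\000", 8));
  res = -1;
  NONFAILING(res = ((intptr_t(*)(intptr_t,intptr_t,intptr_t))CAST(open))(/*file=*/0x20000040, /*flags=*/0, /*mode=*/0));
  if (res != -1)
    r[1] = res;
  NONFAILING(((intptr_t(*)(intptr_t,intptr_t,intptr_t,intptr_t,intptr_t,intptr_t))CAST(mmap))(/*addr=*/0x20000000, /*len=*/0x200000, /*prot=PROT_WRITE|PROT_READ*/3, /*flags=MAP_FIXED*/0x10, /*fd=*/r[1], /*offset=*/0));

  // Step 4: fill an argument block at 0x20000000 (eight-byte slots through
  // 0x20000188, a 64-byte name field at 0x20000190, a 32-bit word at
  // 0x200001d0) and pass it to ioctl() on fd -1. With an invalid descriptor
  // the call presumably fails before reaching any driver; it is kept because
  // the generator emitted it. These stores overwrite the path strings and
  // payload staged earlier at 0x20000040/0x20000080/0x200000c0.
  NONFAILING(*(uint64_t*)0x20000000 = 0x10);
  NONFAILING(*(uint64_t*)0x20000008 = 0);
  NONFAILING(*(uint64_t*)0x20000010 = 0x20ffb000);
  NONFAILING(*(uint64_t*)0x20000018 = 0x20ffd000);
  NONFAILING(*(uint64_t*)0x20000020 = 0x1000);
  NONFAILING(*(uint64_t*)0x20000028 = 0x2002f000);
  NONFAILING(*(uint64_t*)0x20000030 = 0);
  NONFAILING(*(uint64_t*)0x20000038 = 0);
  NONFAILING(*(uint64_t*)0x20000040 = 0x20060000);
  NONFAILING(*(uint64_t*)0x20000048 = 0x20ffb000);
  NONFAILING(*(uint64_t*)0x20000050 = 0);
  NONFAILING(*(uint64_t*)0x20000058 = 0x20182000);
  NONFAILING(*(uint64_t*)0x20000060 = 0);
  NONFAILING(*(uint64_t*)0x20000068 = 0);
  NONFAILING(*(uint64_t*)0x20000070 = 0);
  NONFAILING(*(uint64_t*)0x20000078 = 0x20ffb000);
  NONFAILING(*(uint64_t*)0x20000080 = 0);
  NONFAILING(*(uint64_t*)0x20000088 = 0x20ffd000);
  NONFAILING(*(uint64_t*)0x20000090 = 0x20fff000);
  NONFAILING(*(uint64_t*)0x20000098 = 0);
  NONFAILING(*(uint64_t*)0x200000a0 = 0);
  NONFAILING(*(uint64_t*)0x200000a8 = 0);
  NONFAILING(*(uint64_t*)0x200000b0 = 0);
  NONFAILING(*(uint64_t*)0x200000b8 = 0x20ffd000);
  NONFAILING(*(uint64_t*)0x200000c0 = 0x20ffe000);
  NONFAILING(*(uint64_t*)0x200000c8 = 0);
  NONFAILING(*(uint64_t*)0x200000d0 = 0);
  NONFAILING(*(uint64_t*)0x200000d8 = 0);
  NONFAILING(*(uint64_t*)0x200000e0 = 0);
  NONFAILING(*(uint64_t*)0x200000e8 = 0x20ffc000);
  NONFAILING(*(uint64_t*)0x200000f0 = 0x20ffc000);
  NONFAILING(*(uint64_t*)0x200000f8 = 0);
  NONFAILING(*(uint64_t*)0x20000100 = 0);
  NONFAILING(*(uint64_t*)0x20000108 = 0x20ffe000);
  NONFAILING(*(uint64_t*)0x20000110 = 0);
  NONFAILING(*(uint64_t*)0x20000118 = 0x20ffb000);
  NONFAILING(*(uint64_t*)0x20000120 = 0x20ffd000);
  NONFAILING(*(uint64_t*)0x20000128 = 0);
  NONFAILING(*(uint64_t*)0x20000130 = 0);
  NONFAILING(*(uint64_t*)0x20000138 = 0x20ffd000);
  NONFAILING(*(uint64_t*)0x20000140 = 0);
  NONFAILING(*(uint64_t*)0x20000148 = 0x20053000);
  NONFAILING(*(uint64_t*)0x20000150 = 0);
  NONFAILING(*(uint64_t*)0x20000158 = 0);
  NONFAILING(*(uint64_t*)0x20000160 = 0x20ffd000);
  NONFAILING(*(uint64_t*)0x20000168 = 0);
  NONFAILING(*(uint64_t*)0x20000170 = 0x20);
  NONFAILING(*(uint64_t*)0x20000178 = 0);
  NONFAILING(*(uint64_t*)0x20000180 = 0x20ffd000);
  NONFAILING(*(uint64_t*)0x20000188 = 0);
  NONFAILING(memcpy((void*)0x20000190, "./file0\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000", 64));
  NONFAILING(*(uint32_t*)0x200001d0 = 0);
  NONFAILING(((intptr_t(*)(intptr_t,intptr_t,intptr_t))CAST(ioctl))(/*fd=*/-1, /*cmd=*/0xc5005601, /*arg=*/0x20000000));

  // Step 5: open /dev/vmm (dirfd 0xffffffffffffff9c is -100; presumably
  // AT_FDCWD) and issue the final ioctl on it. Only the first 0x1b bytes of
  // the argument are rewritten here; the rest of the block still holds the
  // values stored in step 4. This is the only call in the sequence that can
  // reach a device node, and only when the open succeeded.
  NONFAILING(memcpy((void*)0x20000500, "/dev/vmm\000", 9));
  res = -1;
  NONFAILING(res = ((intptr_t(*)(intptr_t,intptr_t,intptr_t,intptr_t))CAST(openat))(/*fd=*/0xffffffffffffff9c, /*file=*/0x20000500, /*flags=*/0, /*mode=*/0));
  if (res != -1)
    r[2] = res;
  NONFAILING(*(uint32_t*)0x20000000 = 1);
  NONFAILING(*(uint32_t*)0x20000004 = 0);
  NONFAILING(*(uint8_t*)0x20000008 = 1);
  NONFAILING(*(uint16_t*)0x2000000a = 0);
  NONFAILING(*(uint64_t*)0x20000010 = 0);
  NONFAILING(*(uint16_t*)0x20000018 = 0);
  NONFAILING(*(uint8_t*)0x2000001a = 0);
  NONFAILING(((intptr_t(*)(intptr_t,intptr_t,intptr_t))CAST(ioctl))(/*fd=*/r[2], /*cmd=*/0xc2585601, /*arg=*/0x20000000));
}

// Entry point: maps the 16 MiB read/write scratch area at 0x20000000 that
// execute_one() addresses by constant, installs the fault handler, then
// forks 8 workers that each run the replay loop in their own temporary
// directory. The parent only sleeps; the workers never return.
int main(void)
{
  NONFAILING(((intptr_t(*)(intptr_t,intptr_t,intptr_t,intptr_t,intptr_t,intptr_t))CAST(mmap))(/*addr=*/0x20000000, /*len=*/0x1000000, /*prot=PROT_WRITE|PROT_READ*/3, /*flags=MAP_ANONYMOUS|MAP_FIXED|MAP_PRIVATE*/0x1012, /*fd=*/-1, /*offset=*/0));
  install_segv_handler();
  for (procid = 0; procid < 8; procid++) {
    if (fork() == 0) {
      use_temporary_dir();
      do_sandbox_none();
    }
  }
  sleep(1000000);
  return 0;
}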