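// https://syzkaller.appspot.com/bug?id=35c69a61d7a3ac5102d729001701d5db25dbe58a
// autogenerated by syzkaller (https://github.com/google/syzkaller)
//
// Kernel crash reproducer. main() reserves a fixed scratch mapping, then
// do_sandbox_none() forks a child into fresh namespaces with tightened rlimits
// and two capabilities dropped; the child runs loop(), which opens one
// AF_NETLINK socket (protocol 9) and sends a single pre-built netlink message
// whose payload is ~3.7 KiB of fuzzer-generated bytes. The reproducer is a
// triage artefact: every value below is deliberate, so the comments explain
// what each step does rather than change it.

#define _GNU_SOURCE

// NOTE(review): the header names were lost in extraction (the page shows twenty
// bare "#include" directives); the list below is the standard syzkaller
// reproducer prologue that provides every symbol used here — confirm against
// the original file.
#include <dirent.h>
#include <endian.h>
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/prctl.h>
#include <sys/resource.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#include <linux/capability.h>

// Formats `what` with its printf-style arguments (truncated to 1023 bytes)
// and writes the result to `file` with a single write(2).
// Returns true on a complete write; false if open() fails or the write is
// short, with errno carrying the error of the call that failed.
static bool write_file(const char* file, const char* what, ...)
{
	char buf[1024];
	va_list args;
	va_start(args, what);
	vsnprintf(buf, sizeof(buf), what, args);
	va_end(args);
	buf[sizeof(buf) - 1] = 0; // vsnprintf already terminates; kept as a belt-and-braces guard
	int len = strlen(buf);
	int fd = open(file, O_WRONLY | O_CLOEXEC);
	if (fd == -1)
		return false;
	if (write(fd, buf, len) != len) {
		int err = errno; // close() may clobber errno; report the write error, not close()'s
		close(fd);
		errno = err;
		return false;
	}
	close(fd);
	return true;
}

// Mounts fusectl at its usual path. Failure is ignored on purpose: the
// reproducer does not depend on FUSE, this only mirrors the fuzzer's setup.
static void setup_common()
{
	if (mount(0, "/sys/fs/fuse/connections", "fusectl", 0, 0)) {
	}
}

static void loop();

// Confines the child: dies with its parent, gets its own session, tight
// resource limits, and fresh mount/IPC/cgroup/UTS namespaces (plus detached
// SysV semaphore undo state), then seeds the SysV IPC sysctls the fuzzer
// expects. Every unshare/mount failure is ignored so the reproducer still
// runs on kernels or configurations that lack a given namespace.
static void sandbox_common()
{
	prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
	setsid();
	struct rlimit rlim;
	rlim.rlim_cur = rlim.rlim_max = (200 << 20); // 200 MiB address space
	setrlimit(RLIMIT_AS, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 32 << 20; // 32 MiB locked memory
	setrlimit(RLIMIT_MEMLOCK, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 136 << 20; // 136 MiB max file size
	setrlimit(RLIMIT_FSIZE, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 1 << 20; // 1 MiB stack
	setrlimit(RLIMIT_STACK, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 0; // no core dumps
	setrlimit(RLIMIT_CORE, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 256; // 256 open files
	setrlimit(RLIMIT_NOFILE, &rlim);
	if (unshare(CLONE_NEWNS)) {
	}
	// Make the whole tree private so mounts in this namespace never propagate
	// back to the host namespace.
	if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL)) {
	}
	if (unshare(CLONE_NEWIPC)) {
	}
	if (unshare(0x02000000)) { // CLONE_NEWCGROUP, spelled numerically for old headers
	}
	if (unshare(CLONE_NEWUTS)) {
	}
	if (unshare(CLONE_SYSVSEM)) {
	}
	typedef struct {
		const char* name;
		const char* value;
	} sysctl_t;
	static const sysctl_t sysctls[] = {
	    {"/proc/sys/kernel/shmmax", "16777216"},
	    {"/proc/sys/kernel/shmall", "536870912"},
	    {"/proc/sys/kernel/shmmni", "1024"},
	    {"/proc/sys/kernel/msgmax", "8192"},
	    {"/proc/sys/kernel/msgmni", "1024"},
	    {"/proc/sys/kernel/msgmnb", "1024"},
	    {"/proc/sys/kernel/sem", "1024 1048576 500 1024"},
	};
	unsigned i;
	// These live in the new IPC namespace, so the writes do not touch the
	// host's values; failures (e.g. read-only /proc) are ignored.
	for (i = 0; i < sizeof(sysctls) / sizeof(sysctls[0]); i++)
		write_file(sysctls[i].name, sysctls[i].value);
}

// Parent side of the fork: reaps children until the sandboxed child `pid`
// exits and returns its exit status. Exits the process if fork() failed.
static int wait_for_loop(int pid)
{
	if (pid < 0)
		exit(1);
	int status = 0;
	// __WALL also reaps clone()d children that are not delivering SIGCHLD.
	while (waitpid(-1, &status, __WALL) != pid) {
	}
	return WEXITSTATUS(status);
}

// Removes CAP_SYS_PTRACE and CAP_SYS_NICE from all three capability sets of
// the calling process, so the reproducer cannot attach to or re-prioritise
// other tasks. Exits the process if capget/capset fail.
static void drop_caps(void)
{
	struct __user_cap_header_struct cap_hdr = {};
	struct __user_cap_data_struct cap_data[2] = {};
	cap_hdr.version = _LINUX_CAPABILITY_VERSION_3;
	cap_hdr.pid = getpid();
	if (syscall(SYS_capget, &cap_hdr, &cap_data))
		exit(1);
	// Both capabilities are numbered below 32, so only the low word
	// (cap_data[0]) needs editing; cap_data[1] is left as read.
	const int drop = (1 << CAP_SYS_PTRACE) | (1 << CAP_SYS_NICE);
	cap_data[0].effective &= ~drop;
	cap_data[0].permitted &= ~drop;
	cap_data[0].inheritable &= ~drop;
	if (syscall(SYS_capset, &cap_hdr, &cap_data))
		exit(1);
}

// "none" sandbox: a new PID namespace (best effort), then fork. The parent
// only waits; the child applies sandbox_common()/drop_caps(), enters a new
// network namespace and runs loop(). The child never returns normally.
static int do_sandbox_none(void)
{
	if (unshare(CLONE_NEWPID)) {
	}
	int pid = fork();
	if (pid != 0)
		return wait_for_loop(pid);
	setup_common();
	sandbox_common();
	drop_caps();
	if (unshare(CLONE_NEWNET)) {
	}
	loop();
	exit(1);
}

// Result slot for the socket() call; -1 until the call succeeds.
uint64_t r[1] = {0xffffffffffffffff};

// The reproducing syscall sequence. All scratch addresses are inside the
// 16 MiB MAP_FIXED region that main() maps at 0x20000000; the raw stores
// below are only valid because that mapping exists.
void loop(void)
{
	intptr_t res = 0;
	// socket(AF_NETLINK, SOCK_RAW, 9). If this fails r[0] stays -1 and the
	// sendmsg() below simply gets EBADF.
	res = syscall(__NR_socket, 0x10ul, 3ul, 9);
	if (res != -1)
		r[0] = res;
	// struct msghdr at 0x20001140: no name, one iovec, no control data.
	*(uint64_t*)0x20001140 = 0; // msg_name
	*(uint32_t*)0x20001148 = 0; // msg_namelen
	*(uint64_t*)0x20001150 = 0x20001100; // msg_iov
	// struct iovec at 0x20001100: the netlink message, 0xec4 (3780) bytes.
	*(uint64_t*)0x20001100 = 0x200000c0; // iov_base
	// struct nlmsghdr at 0x200000c0.
	*(uint32_t*)0x200000c0 = 0xec4; // nlmsg_len (header + payload)
	*(uint16_t*)0x200000c4 = 0x453; // nlmsg_type
	*(uint16_t*)0x200000c6 = 0; // nlmsg_flags
	*(uint32_t*)0x200000c8 = 0; // nlmsg_seq
	*(uint32_t*)0x200000cc = 0; // nlmsg_pid
	// Fuzzer-generated payload. 3761 bytes are copied, but nlmsg_len claims
	// 3764 bytes of payload; the trailing 3 bytes are whatever the anonymous
	// mapping holds there (zero on a fresh run).
	memcpy(
	    (void*)0x200000d0,
	    "\x37\x4f\x21\xf2\xae\x60\xbe\xbd\x77\x66\xe2\x65\x9e\xc5\xc0\xb8\xd0\xdc"
	    "\x37\xa1\x70\x05\xbd\x1b\x54\x1a\x4b\xfc\xe5\x29\x10\xd6\x85\x4e\x88\x83"
	    "\xd9\xce\xdb\x02\x17\xca\x0e\xf2\x0a\xde\x18\x6b\x9b\x90\x1a\x9e\x3f\xab"
	    "\xd1\x12\x01\x29\xcb\x3d\xae\x7b\xc7\xeb\xd3\x7c\x15\x6f\x3c\xe7\x48\xdf"
	    "\xdb\x78\x8f\x85\xfd\x35\x6d\x4b\xc0\x65\x27\xf6\x36\xda\x1d\xb6\x48\x47"
	    "\xd3\xb3\x23\x5d\x6c\x54\x03\x1f\x0a\x86\xac\x47\x70\xff\x4d\xab\x9b\x2c"
	    "\x59\xb3\x17\x04\x2d\x27\x95\xa4\x02\x28\xd1\x23\x0c\xb2\x10\xe8\xcb\x5b"
	    "\x43\x43\xc5\x39\x92\x04\x37\x86\x39\x13\xa6\x01\x2b\x24\x56\x63\x2c\x5b"
	    "\xea\x46\xb6\xf9\x93\x82\x2e\xa7\xd4\x56\x75\x4a\x7e\xb4\x1f\xed\xf8\xeb"
	    "\x20\x22\xd5\xe4\xf2\x7a\x1d\x30\x90\x35\x65\x17\x2d\xba\xe5\xc2\x03\xb6"
	    "\x4f\x6c\x3c\x89\x83\x53\xc9\x40\x62\xc2\xdf\x58\x89\xff\xe6\xfa\xa3\x27"
	    "\xbc\x59\xb8\x69\x99\x17\x13\xcc\x39\xc7\xf7\x41\x54\x2a\x9e\x0a\x26\x18"
	    "\x4c\x0f\xfe\xb4\x22\xdc\x8f\xf3\x3f\x6a\x2a\x1e\x99\xf0\xfd\x75\x7d\x6c"
	    "\xcd\x6b\x95\x6c\x32\x97\x40\xfa\x2b\xd2\xa7\x33\xb9\x0d\x2b\x8f\x3d\xf7"
	    "\x96\x72\x1f\x26\xdd\xd0\xb3\xf9\xa9\x07\x34\x6f\xe9\x61\xca\x10\x8e\x88"
	    "\x34\xdd\x3e\x38\xf2\xae\xc9\xc9\x47\x63\x8e\x12\x0e\xbd\x52\x42\xde\x69"
	    "\xc1\x1d\x25\x54\xd7\xb1\xa0\x39\x9f\x6b\xca\x0a\x2d\x84\x03\xde\xf8\x52"
	    "\x7b\x3b\x77\x8f\xc4\x1c\x36\xf4\xd5\x57\xf8\xb6\x51\xd4\x22\x6d\xa3\xa7"
	    "\x87\x42\xd6\xcc\x54\xbe\x92\xf0\xff\xa1\x41\x7e\x3c\x52\x95\x1a\x5e\x59"
	    "\x1f\x8a\x5e\xe4\x3e\x7d\x94\xcc\xbf\x39\x24\x7f\xb2\xdf\x34\xba\x1d\x55"
	    "\x79\x1d\xc9\x6e\x63\x57\xf7\xb9\x8c\xd3\x34\x85\x24\x18\x40\x0d\xac\xeb"
	    "\x33\x91\xf4\x5d\xa8\x04\xab\x6d\x27\x98\x51\x3b\x6b\xe2\x65\xd3\x76\x1a"
	    "\x11\x0d\x77\x7d\x96\xce\xb3\xbd\x1e\x1e\xea\x9e\x13\x29\xae\xc7\x05\x62"
	    "\xf0\x87\x77\xf4\x4c\xff\xf7\x6f\xd4\x1f\xa2\x77\x1d\x45\x80\x60\x8c\xeb"
	    "\x0b\xad\xb0\x3d\x9f\x41\x42\x93\x61\xa3\xa2\xc6\xef\x58\x3e\xd0\xfa\x31"
	    "\xf2\x07\x52\xf4\x33\xad\x28\x63\x48\x5d\xf4\x01\xbb\x13\x73\x56\x82\xe8"
	    "\x8a\x02\x94\xfa\x8b\x45\xc1\xac\x40\x09\x97\x13\x85\x5d\x5d\xcd\x19\x8f"
	    "\xde\xb1\xb1\x8d\x78\x32\xe6\x4b\x7d\x53\x77\xd2\x75\x9c\x27\xe5\x64\xc7"
	    "\x5e\x10\xb9\x7c\x54\x28\xfe\xec\xf3\x01\x69\x4c\x07\x6d\xe7\xa7\xfd\x11"
	    "\x1b\xd4\x26\xb3\x6a\xd1\x25\xf0\x67\xf2\x1e\x7c\x4c\x22\x7e\xa0\x95\x5c"
	    "\xb3\x87\xa3\xf4\x50\x34\xd4\xfa\xb0\x93\xc1\x61\x08\x12\x24\x65\x2e\x9a"
	    "\x0d\x85\x01\x83\x8e\x9e\x2f\x16\xe3\xa0\xa3\xc8\x8e\x7e\x08\xab\xba\x92"
	    "\xa0\x69\x53\x10\x26\x6f\x01\xa6\xfe\x58\x36\x69\x03\x61\xa1\x07\x8f\x1b"
	    "\xac\xb7\x1b\x4f\x02\xad\x4c\xdb\x8a\xb5\x17\xbb\x59\x78\xce\x5e\x45\x43"
	    "\x7b\x1d\x16\x96\xf0\x41\x4a\xdc\x43\x55\x84\x90\x15\x5c\x20\x22\xe5\xf2"
	    "\xd6\x71\x6f\xc5\x1a\xaf\x98\x74\x2e\x7d\x08\x14\x57\x0e\x53\x00\x1b\x58"
	    "\xd8\xbb\xde\x3d\x6f\x0c\xc9\x44\x95\xc5\x0b\x66\x44\x23\x4d\x6d\x0c\x31"
	    "\x11\x24\x96\xd9\xf8\x4a\xfa\xac\x3e\xf0\xa5\x67\xfd\xc5\x16\xa3\xae\xab"
	    "\xfc\x73\xae\xb1\xec\x9e\xea\x82\xd9\x15\x26\x1d\x66\x76\x2b\x40\xa2\xed"
	    "\xb5\x90\x0b\x16\x33\x5d\x84\x0f\x41\x90\x3f\xfd\xd0\xfb\x79\x06\x5d\x6c"
	    "\xf8\x8f\xd5\xf4\x2f\x24\x18\x40\x60\x39\x4c\x14\xb8\x38\x45\x80\x4c\x06"
	    "\x5a\xba\x6e\xc4\x16\x3a\xfc\xb7\x69\x18\x10\x6c\x64\x82\x5a\x3c\x56\xf1"
	    "\x50\x47\x37\xb2\x08\x26\xd7\xf7\xe7\x06\x38\x76\x3e\x97\xf4\x4b\x80\x1a"
	    "\x5f\x82\xf7\xee\x46\x1e\x93\x82\xe2\xe4\xaf\xf7\xb7\xb9\xb9\x44\xf6\x6b"
	    "\xfa\xc6\x52\x7e\x97\x06\x0c\xf4\xd0\x0c\xea\x0b\x1a\xda\xd5\x04\x8b\x18"
	    "\xb8\xa8\x29\xec\x4f\x9a\x35\xa4\x5e\x72\x05\xd7\xac\x0e\x71\x06\xc6\x46"
	    "\x41\xbd\x8d\x4d\xef\x2c\xa1\x27\x8e\x2d\x8c\x60\x0d\x71\x34\x24\xea\x3b"
	    "\x42\xfa\x8c\xcb\x3c\xfa\x44\xdf\x7c\x2d\x35\x3c\x4f\xcd\xdb\x23\x88\x7e"
	    "\xd7\x43\x15\x55\xbe\x50\xbf\xec\x0f\x17\xeb\x18\x3d\x4c\x98\x97\xb1\xc0"
	    "\x0c\x0f\x0d\xc3\x80\xa5\xa9\xfe\xfe\x9d\x1f\x21\xbe\x45\xad\x3b\xb0\xf8"
	    "\xd4\x85\x2b\x76\xdd\x39\xd0\x47\x34\x9b\x52\x26\xcf\x84\x50\xce\x9d\x18"
	    "\x1d\x51\x4d\xad\x12\xd6\xf3\xc0\xe1\xeb\xb2\x38\x6c\x93\xa9\x1a\xef\xa1"
	    "\x2b\x9f\x21\x11\xc6\xd7\x58\x35\x9d\x8f\xc7\x9d\x49\xc5\xf2\x5b\xaa\x55"
	    "\x21\x43\x77\xbc\xac\xd2\x30\x9e\x7e\x1f\x3d\xf7\x6a\xa0\x3b\x30\xe4\x8f"
	    "\x98\x9a\xa6\x41\x63\x3f\x9b\x58\x75\xc5\x1c\xee\x7b\x72\x8e\xc4\x59\x22"
	    "\x0a\x08\xd9\x1f\x27\x26\x2f\x9b\x07\x7e\x13\xd6\x53\x5d\x21\x2f\xb5\xdc"
	    "\x4f\x00\xc4\x79\xd9\x58\x62\x29\x63\xaa\x7e\x6f\x7b\x01\xf3\xdc\x76\xa6"
	    "\x3c\x4e\x60\x24\x67\xd9\x2a\x25\x6c\x58\x57\x74\xf1\x43\x23\xef\xd4\x93"
	    "\x8d\xc3\xae\xc1\x26\x99\xb5\x35\x77\xd1\x52\xdc\x15\xa1\xfe\x0a\xae\xec"
	    "\xf2\x1f\xce\x43\x23\x47\x7f\x52\x19\x80\x4a\x53\xf4\x75\x0d\xae\xd5\x60"
	    "\x4a\x4d\xc5\xf8\xb2\xc0\x00\xd5\xf8\x92\x72\x77\x02\xe3\x88\x5d\x9b\xe9"
	    "\x38\xad\x91\xbe\x11\x04\x1f\x64\xc8\xc9\x0c\xf2\xf4\xea\x71\xc7\xed\x88"
	    "\x4c\xe9\x28\x35\xfb\xf6\x17\x44\x67\x2b\x86\x79\x3f\x51\x10\x76\x81\x46"
	    "\xf4\xae\x6f\x3f\x35\x33\xd1\x0a\x72\x3d\x8c\xa4\x74\x9f\xa0\xe0\x40\xe8"
	    "\xcc\x86\xba\xbd\xa3\xcf\x24\x88\xb7\xcd\x64\x2c\x37\x2d\xa6\xc0\xc8\x3b"
	    "\xd9\xe0\x0e\xb8\x26\xcf\x3f\x6b\xb7\xd9\xf2\xee\x2d\xf2\x90\x22\x95\x76"
	    "\x3d\x9f\xbf\x1b\xaa\x84\x16\x16\x38\x95\xc8\x70\x06\x5e\xef\x88\xe2\xab"
	    "\xc7\x3c\x7d\xb5\x55\x39\xcc\x1f\x50\x26\x93\xe2\xd3\x42\xba\x60\x5b\xe3"
	    "\x9c\xf4\x31\x64\x99\xfb\x4c\xc2\x2e\x51\xc1\x63\x11\x14\x69\xd9\x65\x55"
	    "\xe0\x7c\x04\xc6\x17\xaf\x56\xba\x4d\xef\x58\x90\x1d\xf4\xa9\x59\xb0\xfe"
	    "\xd1\x22\x67\xa0\xce\xe4\x85\x6b\x49\x7d\x08\x14\xaf\x25\xfa\xe9\x37\x1a"
	    "\x79\xb0\x88\x8d\xf0\x6a\xe0\xd6\x1e\x79\xcd\x12\x55\x7b\xe2\x29\xb2\xdf"
	    "\x7a\x60\x29\x15\x63\x87\x41\xcd\x4f\x55\x65\x0f\x45\x0c\x04\xfd\x5a\x57"
	    "\x4c\x59\xa3\xcf\x53\xee\xbe\xf6\x95\x2f\x3c\xd4\x3d\x4a\x6c\xeb\x96\x2e"
	    "\x2e\xc6\x2c\x52\x58\x1b\x58\xdc\x7f\xc5\xd3\x65\x86\xa5\x0e\x62\x39\x23"
	    "\xe8\xd1\x18\xb4\x66\xd5\x64\x16\x42\x5a\x12\x4e\x83\xc2\xbf\x39\x96\x90"
	    "\x84\x73\xe1\x1f\xb3\xc9\x35\x50\x9b\x14\xb0\x48\xe4\x6c\x75\xeb\xd9\xb8"
	    "\xe5\x81\x0a\x2e\xcd\xd7\x2d\xb3\xb0\xd0\x88\x5e\x97\x81\x3f\x91\xd0\xa8"
	    "\x7c\x8d\x3a\xc5\xba\x5a\x4a\x4f\x0e\xa6\x0f\xfe\x56\x44\x4d\x9d\x8b\xef"
	    "\x7b\x75\x8d\x2a\xf9\xc0\x94\x4f\xdd\x95\x8f\x7e\x13\xa5\xea\xc4\x7a\x95"
	    "\xec\x6a\x63\x67\x0d\x9a\x19\x34\x41\x73\x8f\xa2\x14\x34\xe9\xba\xbe\xcc"
	    "\x1d\xd9\x55\xba\xcd\xf5\x57\xfa\x51\xf1\x39\xc0\x14\xa0\xb3\x1b\xb4\xae"
	    "\xd8\xa1\x97\xd7\x53\x68\xce\x92\x85\x65\xb6\x02\xe6\xa0\xf1\xe0\x06\x3b"
	    "\x05\x04\xe1\x9b\x91\x51\x86\x58\x40\xf9\xfd\xdf\x49\x95\xe9\x3d\x8a\x46"
	    "\x13\x35\x9c\x14\x18\x57\xed\xe7\x34\xa6\x88\xeb\x08\x75\xe2\x6a\xa2\xbc"
	    "\x30\xa4\xbf\xb2\x0d\x19\xd8\x3b\x78\x2f\x86\x39\x1f\x33\xb3\xd0\x36\xc0"
	    "\xc1\x8f\x50\x16\x3f\x4f\x2b\x39\x2f\xd2\x32\xc8\xce\xef\x56\xcc\x37\x8e"
	    "\xfb\xe2\x7d\xf9\x7f\x67\x0d\xce\x27\x7c\xfd\x34\xe5\xfe\xa9\xec\x4e\x67"
	    "\x3d\xf5\xaf\xc1\x1e\xc0\xbd\xce\x60\x4d\xbb\xee\x51\x47\xdd\x16\x69\x93"
	    "\x12\xc6\xc9\x36\x44\x40\x28\xac\x78\x79\x0b\x35\xa1\x23\x65\x4b\x1e\xe7"
	    "\xbb\x9b\x4d\x4c\x7b\x96\x23\xe2\xd6\x57\xf2\xb8\x01\x4e\x9c\xe4\xe7\x26"
	    "\x13\xc1\xb6\xf0\xcb\x39\x93\xa5\x0d\x58\x3f\x70\xa8\x3e\x0b\x92\x2e\x9b"
	    "\x85\x8e\xed\x5d\x52\x5c\x0b\xe3\x79\x2b\xbd\x5e\xbd\x7a\x7d\x66\xc4\x63"
	    "\xd8\x4f\xfb\x95\x0d\x85\x18\xae\xcf\x58\xfe\xe3\x07\x59\x4c\x1b\x3c\xff"
	    "\x5e\x8c\xc4\x73\x08\x00\xa2\xfb\xa4\x1c\xac\x79\x7f\xc7\x2b\xa4\x64\xfb"
	    "\xc8\x9a\xfa\xb4\x34\x70\x5a\x01\x85\x8b\xfb\x2e\xfb\xdb\x8b\x3c\x6a\xe5"
	    "\xb1\xd5\x11\x85\x05\xdc\x33\x0c\x46\x68\x70\xd2\x37\x2e\x6e\x83\xdf\xe9"
	    "\x4f\x86\xb9\x4b\xdf\x24\x7b\xc8\x08\x6e\x73\xc5\x4e\x83\x88\xa1\x5d\x94"
	    "\xaf\x2a\xc4\xbd\xd2\x46\xc7\xc9\x7e\x2d\x18\x09\x35\xd6\xbf\x58\x4d\x10"
	    "\x0d\xc9\xb2\xcb\x0f\x8e\x03\x45\x49\x7d\x0a\xc9\x1d\xc6\x8a\xc7\x90\x8d"
	    "\xee\xb8\xd3\x68\x3a\x87\x23\x14\x78\xc7\xc3\x5a\xda\x4d\x76\x9c\xe9\x09"
	    "\x09\x02\xdf\x12\xb5\xe3\xf9\x12\x92\xe6\x9a\x8a\xb6\xcf\xbd\xff\x53\xef"
	    "\xc8\x83\x51\x2a\x34\x3f\x5c\x91\x7b\x76\xa7\x8d\xd1\xde\xb1\xe9\xc4\xc0"
	    "\x9c\xa4\x22\x8b\xe5\x08\x52\x3c\xb5\x67\x28\x11\x4b\x8d\x11\xb9\xe7\xab"
	    "\xfb\xef\xff\x5c\x43\xd1\x4a\xf4\x65\x23\x96\xb0\x94\x85\xe5\x29\xb1\x55"
	    "\xb5\xff\xbe\xd9\x14\x1b\x5f\xd1\x12\x05\x0b\x89\x36\x6d\x19\x2b\x64\xff"
	    "\x6c\x28\xf4\x63\x16\x1c\xff\x10\x46\x98\xa2\x67\xb0\x8b\xc9\x4b\x0d\x5f"
	    "\x80\xec\x92\x1a\xbe\x2a\x32\x90\xa7\x77\xce\x0f\x5a\xec\x25\xea\xcd\xd5"
	    "\x81\x1c\x3f\x58\x15\xce\xfb\x94\x2a\x27\x10\x08\x7c\xe6\xb5\x1f\x0e\xb2"
	    "\xf0\xa1\x16\xa0\xe7\xd7\xc1\x8c\xc2\x62\x35\x3a\xad\x30\xec\x60\xe7\xde"
	    "\x6e\x99\x4b\x64\xae\xab\xfd\x18\xdd\xcf\xed\x5f\x43\xe1\xaf\x06\x0a\x59"
	    "\x14\x97\x98\x61\xa6\x99\xe3\x9c\x5d\x73\x9d\x16\x10\xec\x60\x72\xf3\x28"
	    "\xde\x2a\x39\x5d\x2d\xc8\x49\x35\x68\xc8\x65\x93\x5e\xef\x3b\xdc\xae\x81"
	    "\x61\xf2\xe3\x8d\xc0\x53\x3c\xe6\xeb\xb1\x8d\xf8\xc2\x04\x74\x98\x3e\xcc"
	    "\xf3\x67\x44\x4e\x3c\x41\x6d\x23\xc3\xed\x00\x08\x4a\x27\xa2\x72\x80\x57"
	    "\xbc\xe8\x87\x40\xaa\x0d\x29\x4e\x27\xd7\x30\x2d\x76\x9c\xfc\x72\x24\xc9"
	    "\x05\xb7\x9c\x8f\x68\x96\x14\x9b\x84\xea\xf3\x98\x21\xa0\x8f\x98\x6a\x4f"
	    "\x50\xda\x47\x09\x7c\x4f\x09\x7d\xd4\x46\xce\x06\xbc\xbb\xc3\x6e\xf2\xc9"
	    "\x40\xb1\xa7\xd0\x4a\xaa\x76\xed\x7d\x35\xa6\x57\x24\x58\xb6\x0a\x40\x1f"
	    "\xd3\xbf\xe6\x73\x1e\x85\x96\x63\x05\xfe\xc4\x9b\xe4\x58\x3f\xe4\x9c\x24"
	    "\x78\xdc\x8f\xe4\xd2\xf1\xa2\xe2\x0a\xb5\x9e\x49\x94\x07\x6c\xb4\x66\x99"
	    "\x93\x71\xcd\x93\xa5\xf2\x97\xfb\x1a\xa8\xfd\x94\xff\xdf\x5c\x60\x4c\xe7"
	    "\x0c\xcb\x2e\xe1\x3a\x4d\x09\x0f\x71\x10\xa7\x11\x0b\xe1\xd6\x23\x22\x69"
	    "\x2a\xf5\x82\xf9\x96\x4b\x8d\xb6\xf1\x61\xdf\x49\x0e\xcc\xa3\xca\x33\x31"
	    "\xb6\x31\x94\xc7\xf8\x09\x59\xe8\x25\x5e\x71\xa9\x89\x49\xfb\x63\x21\xb8"
	    "\x99\x7b\x84\x7b\xf2\x8a\xd4\x57\xe9\x09\xab\x0b\x6b\x72\xee\x31\x3f\x02"
	    "\x63\x16\x3d\x8d\xc3\x56\xc0\x63\x14\x60\x02\x22\xd7\x76\x66\x0b\x82\x6e"
	    "\xf7\x0c\xd7\xad\x82\x37\x41\x35\x22\x95\x50\xa5\xc7\xc3\x1f\x23\x62\x43"
	    "\xdc\x50\x7d\x06\x0f\x90\x06\x3f\x1b\x67\x8a\x4f\xad\x56\x92\xbd\xb9\xa8"
	    "\x09\x99\xce\x78\xf2\x40\x7d\x38\x1d\xf9\x60\x2e\xd2\xb1\xdd\x5b\xad\xa8"
	    "\x4f\xb3\x64\x03\x51\xf8\x13\xe2\x3b\x97\xd2\x07\xc0\x7f\xb3\x2f\xe7\xdb"
	    "\x96\xa0\x92\x0d\x26\x0f\x54\xb6\x19\x9c\x3d\xe2\x7e\xa2\xc2\xe6\x5e\x62"
	    "\xde\x32\x18\xce\x07\x60\x12\xb1\x26\xc8\xd6\x22\x56\xdc\xd0\x6e\x86\xd2"
	    "\xfd\xf6\x0f\x8a\x2e\xb2\x99\x67\x70\x01\xb4\x0e\xc3\x95\x10\xf8\xc0\xf0"
	    "\x91\x63\x34\x4b\x87\xaa\xce\xf9\xd3\x0c\xff\xef\x07\xce\x9e\xc3\x6a\xf4"
	    "\xc8\x95\x37\x0a\xc2\x29\x6f\x88\xc0\x5f\xe2\x5e\xa5\x66\xcc\xe6\x31\xa0"
	    "\xf3\xc3\x2a\x0e\xe7\x75\x21\x77\xd0\x48\xe4\xde\x69\x99\x38\x21\x6a\x42"
	    "\x68\x9f\x23\xc1\x33\x56\xf3\x85\xda\x1b\xc9\x59\xbb\xa3\x00\x0b\x3d\x1a"
	    "\xf5\x6c\x5d\x8f\x19\x18\xaa\x2b\xd0\x72\xdf\xa3\xb6\x94\x48\xcc\xa5\xb8"
	    "\xe5\x92\x02\xc9\x37\xa0\x51\x2f\x76\x72\x14\x89\x5e\xdd\xd2\x7d\xac\x12"
	    "\x7f\x20\xc8\xdf\x13\x26\xe2\xa2\x15\x9d\xa2\xf6\x68\x2b\xf8\xfd\x8d\xac"
	    "\x5b\x71\x93\x0a\x8d\x0b\x9d\x1d\x42\xe5\x4d\xe1\x36\x83\x3f\x16\xce\x7b"
	    "\xda\x7d\x02\x22\x33\xe7\xb6\xff\x1e\xf6\x55\x31\x48\x41\x46\xdd\x64\x06"
	    "\xfa\x24\xd0\x9e\xb3\xb3\x41\xbc\xc1\xf2\xa0\x03\x46\xf8\xe8\xf9\xbb\x41"
	    "\x69\xb7\xc0\xe6\x68\xbb\xd7\x35\x22\x2d\x3f\x28\x53\x75\xc6\x6a\x13\x84"
	    "\xf5\x91\x44\xac\x27\x01\x1a\x61\xe4\x73\x55\x2e\xc0\xb0\x31\xfa\xdd\xe1"
	    "\xf8\x30\x11\xfe\x68\xf7\xa1\x84\xfe\x90\x92\xc7\x1e\x9f\xd4\x62\x2f\x83"
	    "\x39\x9a\x48\xc9\xe4\xa6\xc7\xca\x65\x87\x4a\x64\x95\xc9\x89\x9b\x2a\x0c"
	    "\xb0\xf4\xf6\xc1\xe3\x10\x92\x79\xd9\x3c\xda\xf1\x59\x71\xf6\x4a\xd6\xbb"
	    "\x05\xe9\x3e\xb9\x3b\x64\x79\xfe\x46\xca\x6b\xf8\xd6\x04\xa6\xa3\x5e\x07"
	    "\x5a\x7e\x90\x4d\x7f\x2a\xa3\xe4\xca\xfe\x20\x2b\xae\x33\x38\xed\x6f\x49"
	    "\x35\x3a\x1e\xc8\x0a\xf9\x15\xa3\x31\xe4\xe5\xc3\x11\x25\x90\x11\x69\x83"
	    "\xcc\xe1\x2f\xe5\xd5\xca\x18\x57\xaf\xa9\x8f\x1b\x3a\x9c\x19\xa2\x16\x1f"
	    "\x91\xd3\x7d\xfa\x6b\x22\x2b\xfd\x70\xe9\x10\x6c\x97\x58\x7f\x46\x79\x1a"
	    "\xbe\x48\x9b\xf0\x48\xa0\x12\xcc\xa7\xbd\xe4\xdd\x0c\xa7\xfa\x2b\x71\x78"
	    "\x6f\x43\x0e\x9a\xc9\xc6\x74\x13\x06\x3f\x02\x62\x85\xae\xc1\x96\x0d\x32"
	    "\x4b\x97\xbb\xcd\x81\x3a\x1b\x99\xed\x73\x41\x65\x4f\x78\xd7\xb8\x7d\xd6"
	    "\x61\x5c\x32\xcc\xde\xe2\x6b\x41\xb3\x5a\xc9\x52\x27\x0c\x62\xdd\x09\x3e"
	    "\xe6\xbd\xef\x1f\x82\x41\x48\x3c\xfc\x3c\x20\xe2\xaa\x3a\x7e\xca\x74\xda"
	    "\x83\x8f\x98\x52\xc0\x6c\xf1\xd3\x2e\xc5\x66\x61\x2f\xa2\x3e\x90\x03\x89"
	    "\xc1\xd4\xe7\x09\xf1\x46\xce\xfe\x77\x81\x6d\x67\xe1\x4d\x3a\x97\x5e\xb4"
	    "\x32\x1e\x16\x1b\xc6\x62\xa4\x30\xbb\xc0\xa7\x61\xd3\x6e\x18\x9c\xa5\xe3"
	    "\xf2\x36\xc2\x55\x02\xd3\x18\x91\xfc\x59\x88\x1e\x2f\x53\xfd\x64\x41\x7b"
	    "\xdc\xa8\x45\xcd\xee\x57\xef\xb5\xc1\x6f\xd4\x87\xe4\x29\xa5\xbd\x74\x48"
	    "\x42\xe9\x9e\x40\x81\x11\xc1\xfc\xe4\x2d\x2d\x2d\xa5\x01\x98\x68\x11\xcd"
	    "\xb3\xb2\xbd\x74\x1b\xce\x2f\xfe\xcd\x66\xca\x28\x60\xfe\x5e\xc6\x02\x40"
	    "\x4d\x82\xfb\x5b\x03\xf4\xeb\x60\xd6\xe5\x12\xb7\xb6\xe3\xb9\x21\xaf\xbe"
	    "\xc3\x03\xeb\x3d\xe2\xe4\xf4\x98\x60\x29\x4f\x70\x99\x21\x7e\x6f\xe8\xa0"
	    "\x4d\xe4\x18\x65\xe0\x7c\xe9\x72\xf1\xca\xc1\xda\xde\xd8\x02\xcf\x63\x42"
	    "\x70\xe8\xa3\x7e\xa7\x7d\x4e\xed\x06\xdf\xb2\xd9\x5d\xd8\xa1\x37\xb6\xe1"
	    "\xa1\x92\xef\x40\x8c\xf3\x78\x33\x5f\xac\x35\x71\x81\x6b\x02\xa9\x70\xf4"
	    "\xed\x00\xb7\x25\xb3\x85\x27\x3d\xdd\x1c\xa5\x2a\x8d\x36\xd2\xac\x07\xf1"
	    "\xd1\x27\x01\x32\xce\x12\x6f\x95\x77\xb4\x0e\x59\x12\xaf\xe4\x2a\xd5\x9a"
	    "\x7d\x5a\x6e\x5d\x30\x04\xa8\xe0\x1e\x1b\xba\xa9\x4f\xa0\x03\x73\x19\x92"
	    "\xf1\x56\x7d\x99\x2d\x3b\x49\x29\x97\xe9\xd1\xbc\x72\xc2\xd3\xc3\xad\xcc"
	    "\x9c\xa0\xa7\x03\xb9\x35\xeb\x28\xca\x0e\x15\x46\xfd\x48\xe4\xe4\x6f\x6e"
	    "\x7f\x14\xb4\x51\x14\x6b\x4c\x0e\xa4\xea\x0e\x1f\xc7\xa1\x86\xa3\x0d\xcc"
	    "\x50\xe6\x9f\xb3\x29\x63\x58\x48\xcb\x01\x8b\xb7\x9a\xf1\xd5\xf0\x39\x66"
	    "\x20\x19\xb0\xff\xd5\x84\xf6\x41\xcc\xb5\x20\xd5\xf4\xc9\x18\x29\xd6\xcc"
	    "\xbf\x8f\xa9\x27\x5d\xf3\x6e\x42\xc1\xf3\xf6\xc1\x0e\x26\x5e\xb7\x00\x01"
	    "\x60\xb2\x51\xb2\x42\x50\x3c\x3a\x6d\x03\x60\xfd\xe9\x04\xc2\xa9\xc7\x42"
	    "\x6d\xc9\x0a\xb2\x09\x45\xc0\x99\xbd\x75\xfc\x00\xf2\xc2\xac\xac\xa4\x9d"
	    "\x31\x41\x38\x9d\x40\xc6\x2e\x3c\x55\xeb\xe3\x36\xe4\x54\x59\xd8\xdb\xb9"
	    "\xd3\x61\x9e\x93\xae\x84\x5d\xb6\x81\x90\x15\x4f\xd1\x1c\x59\x6f\x25\x82"
	    "\xfa\x06\x26\x3a\xe7\xc3\xaa\x56\xb1\x87\xdb\x76\x28\xe8\x14\x7b\xa0\xab"
	    "\x31\xcb\x85\xd2\x76\xd5\x03\x9e\x18\x08\x44\xc9\x2f\x02\x53\xb0\x51\xd7"
	    "\x73\x89\x4c\x9c\xaa\x47\x40\xee\x21\x40\xe0\xf4\x3c\x36\xfe\x0b\x31\x3d"
	    "\xcf\x33\xee\x41\x10\x11\x9f\x66\x6a\xef\xdc\xf0\xce\xcc\xa1\xad\x9f\x2d"
	    "\xca\xe7\x67\x25\x17\x52\x3b\x3c\xab\xa3\x0c\x90\x93\x2a\xed\x5e\x3a\xcc"
	    "\x3a\x8e\xa6\xf8\x95\x80\xfc\xb3\xea\x0b\xc0\xa5\x1b\x1c\x53\x2d\x8f\x54"
	    "\xfe\xc8\x65\x89\x14\xe9\x69\x08\xad\xc3\xe0\x48\xe4\x77\xa2\x2f\x14\xc3"
	    "\xc6\xdb\xb0\x33\x6e\x7d\xa3\x3c\x77\xaf\xec\xad\x29\xf5\xdc\xb7\xc1\x09"
	    "\xe5\x56\x08\x4d\x23\xc0\x96\xd4\x9d\xd6\x13\x3f\xdc\x0f\x47\x33\x43\x96"
	    "\x5c\x2b\x3a\x4e\xdf\x17\x60\x05\x27\x34\xd2\xcf\x3f\xe1\xa9\xdb\xd3\x0a"
	    "\x70\xa5\xcb\x37\x10\x17\x8e\x3f\x40\xa9\xda\x1f\xa8\x29\xdf\x24\x41\x24"
	    "\x19\xa4\x32\x1b\x73\xf9\x13\x16\xbe\x55\xd7\x13\xe6\x52\x33\xac\x59\xc4"
	    "\x7c\xe0\xd4\x69\x23\x93\xd1\x39\x99\xbd\xfd\xff\xf1\xd9\xa8\x38\x90\x9a"
	    "\x03\x93\x52\xf3\xb1\x0c\x24\x25\xf0\xd3\xf9\xca\x33\x26\x20\x83\x94\xdb"
	    "\xe9\x9d\xb6\xb7\x8e\xcc\xc1\x54\x85\xf6\x1f\x93\x5e\xc9\x01\x8f\x90\x75"
	    "\x3d\x54\x80\xc8\x6c\xf0\x63\x48\xc1\x08\x1d\xb3\xc7\x28\xf8\x24\x43\x17"
	    "\x70\x8c\x0c\x07\xb1\x98\x8a\x2d\xb8\xbd\xbf\xc7\xc7\x08\xcd\x1b\x3f\x35"
	    "\x94\x45\x70\xd4\xb2\x9c\x0c\x43\x69\xbf\x5d\x09\xe1\x2d\xd9\x55\x9b\xdf"
	    "\x87\x1b\xaf\xc0\xfe\xaf\x1c\xef\xea\xa1\x36\xce\x31\x4c\xd9\x71\x4b\x49"
	    "\x2b\xed\x1a\xd1\xc7\x19\xfe\x75\x2a\xdc\x74\x62\x85\xae\x22\x82\x6a\x79"
	    "\x52\xb2\x00\x99\x3a\xdb\x6a\x16\xeb\xff\x5c\x5a\x00\xad\xa6\xd3\x42\x07"
	    "\xb2\xb6\x92\xdc\xe5\x0a\xb4\xa2\x20\x3b\xb5\xb5\xb4\xb1\x6f\xe6\xa9\x71"
	    "\x41\x84\x58\x3e\x8f\xbe\x8d\x80\x2c\x88\x67\x4c\x49\x69\x08\x97\x52\x0c"
	    "\xbb\x6a\xea\x03\x71\xc3\xf6\x73\x60\x99\x48\xb7\x69\x05\x96\x59\xa8\x75"
	    "\x6e\x8d\xbf\xf4\x15\x0b\x0b\x51\xd9\x34\xc8\xd4\x00\x6e\x70\xe7\xe5",
	    3761);
	*(uint64_t*)0x20001108 = 0xec4; // iov_len
	*(uint64_t*)0x20001158 = 1; // msg_iovlen
	*(uint64_t*)0x20001160 = 0; // msg_control
	*(uint64_t*)0x20001168 = 0; // msg_controllen
	*(uint32_t*)0x20001170 = 0; // msg_flags
	// sendmsg(sock, &msghdr, 0): the single syscall that reaches the crashing
	// kernel path. Its return value is intentionally not checked.
	syscall(__NR_sendmsg, r[0], 0x20001140ul, 0ul);
}

// Maps the fixed scratch region used by loop(): a 16 MiB RWX (prot 7)
// anonymous mapping at 0x20000000, bracketed by one inaccessible (prot 0)
// guard page on each side. Flags 0x32 are MAP_PRIVATE | MAP_FIXED |
// MAP_ANONYMOUS. Then runs the sandboxed reproduction.
int main(void)
{
	syscall(__NR_mmap, 0x1ffff000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul);
	syscall(__NR_mmap, 0x20000000ul, 0x1000000ul, 7ul, 0x32ul, -1, 0ul);
	syscall(__NR_mmap, 0x21000000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul);
	do_sandbox_none();
	return 0;
}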