// https://syzkaller.appspot.com/bug?id=f775d15f3d6f727b2af84ed78e8e2af92d456aab
// autogenerated by syzkaller (http://github.com/google/syzkaller)
//
// Reading guide for triage: this is a kernel-bug reproducer. The helpers below
// build a test network (TAP device plus a set of virtual netdevices), snapshot
// the netfilter tables, and then run execute_one() repeatedly in short-lived
// child processes, restoring the netfilter tables after each run.
//
// NOTE(review): the header names after every #include directive were lost when
// this listing was extracted. The bare directives are kept exactly as found;
// the file will not preprocess until the names are restored from the original.

#define _GNU_SOURCE
#include #include #include #include #include #include #include #include
#include #include #include #include #include #include #include #include
#include #include #include #include #include #include #include #include
#include #include #include #include #include #include #include #include
#include #include #include #include #include #include #include #include

// Terminate the whole process via the raw exit_group syscall.
// The endless loop afterwards keeps the noreturn promise even if the syscall
// were to return.
__attribute__((noreturn)) static void doexit(int status)
{
  volatile unsigned i;
  syscall(__NR_exit_group, status);
  for (i = 0;; i++) {
  }
}

#include #include #include #include #include

// Exit statuses used by fail(). Presumably interpreted by the syzkaller
// harness that launches the reproducer -- confirm against the harness.
const int kFailStatus = 67;
const int kRetryStatus = 69;

// Print a printf-style message plus the errno seen on entry, then exit.
// errno is saved first because the stdio calls below may overwrite it.
// ENOMEM and EAGAIN exit with kRetryStatus; everything else with kFailStatus.
static void fail(const char* msg, ...)
{
  int e = errno;
  va_list args;
  va_start(args, msg);
  vfprintf(stderr, msg, args);
  va_end(args);
  fprintf(stderr, " (errno %d)\n", e);
  doexit((e == ENOMEM || e == EAGAIN) ? kRetryStatus : kFailStatus);
}

// Monotonic clock reading in milliseconds; fails hard if the clock is
// unavailable.
static uint64_t current_time_ms()
{
  struct timespec ts;
  if (clock_gettime(CLOCK_MONOTONIC, &ts))
    fail("clock_gettime failed");
  return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}

// vsnprintf() wrapper that treats both a formatting error and truncation as
// fatal, so callers never continue with a cut-off string.
static void vsnprintf_check(char* str, size_t size, const char* format,
                            va_list args)
{
  int rv;
  rv = vsnprintf(str, size, format, args);
  if (rv < 0)
    fail("tun: snprintf failed");
  // rv is the length that would have been written; >= size means truncated.
  if ((size_t)rv >= size)
    fail("tun: string '%s...' doesn't fit into buffer", str);
}

// Variadic front end for vsnprintf_check().
static void snprintf_check(char* str, size_t size, const char* format, ...)
{
  va_list args;
  va_start(args, format);
  vsnprintf_check(str, size, format, args);
  va_end(args);
}

#define COMMAND_MAX_LEN 128
#define PATH_PREFIX \
  "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin "
#define PATH_PREFIX_LEN (sizeof(PATH_PREFIX) - 1)

// Format a command line, prefix it with a fixed PATH assignment and run it
// through system().
//   panic  - when true, a non-zero system() result is fatal; when false the
//            failure is silently ignored (best-effort setup).
// The buffer holds the prefix plus at most COMMAND_MAX_LEN bytes of command;
// vsnprintf_check() aborts instead of truncating.
// Every call site visible in this file passes only string constants defined
// here, so no external input reaches the shell from the visible code.
static void execute_command(bool panic, const char* format, ...)
{
  va_list args;
  char command[PATH_PREFIX_LEN + COMMAND_MAX_LEN];
  int rv;
  va_start(args, format);
  memcpy(command, PATH_PREFIX, PATH_PREFIX_LEN);
  vsnprintf_check(command + PATH_PREFIX_LEN, COMMAND_MAX_LEN, format, args);
  va_end(args);
  rv = system(command);
  if (rv) {
    if (panic)
      fail("command '%s' failed: %d", &command[0], rv);
  }
}

// File descriptor of the TAP device; -1 means "no TUN support, skip packet
// injection".
static int tunfd = -1;
// Set when the kernel accepted IFF_NAPI_FRAGS on the TAP device.
static int tun_frags_enabled;

#define SYZ_TUN_MAX_PACKET_SIZE 1000
#define TUN_IFACE "syz_tun"
#define LOCAL_MAC "aa:aa:aa:aa:aa:aa"
#define REMOTE_MAC "aa:aa:aa:aa:aa:bb"
#define LOCAL_IPV4 "172.20.20.170"
#define REMOTE_IPV4 "172.20.20.187"
#define LOCAL_IPV6 "fe80::aa"
#define REMOTE_IPV6 "fe80::bb"
// Defined locally; presumably for build hosts whose headers predate these
// flags -- confirm.
#define IFF_NAPI 0x0010
#define IFF_NAPI_FRAGS 0x0020

// Create and configure the TAP interface used to inject packets.
// If /dev/net/tun cannot be opened the function only prints a hint and
// returns, leaving tunfd at -1. Every later step is fatal on failure.
static void initialize_tun(void)
{
  tunfd = open("/dev/net/tun", O_RDWR | O_NONBLOCK);
  if (tunfd == -1) {
    printf("tun: can't open /dev/net/tun: please enable CONFIG_TUN=y\n");
    printf("otherwise fuzzing or reproducing might not work as intended\n");
    return;
  }
  // Move the descriptor to a fixed high number. Presumably this keeps it out
  // of the range of descriptors the test program itself allocates -- confirm.
  const int kTunFd = 252;
  if (dup2(tunfd, kTunFd) < 0)
    fail("dup2(tunfd, kTunFd) failed");
  close(tunfd);
  tunfd = kTunFd;
  struct ifreq ifr;
  memset(&ifr, 0, sizeof(ifr));
  // ifr was zeroed above and TUN_IFACE is far shorter than IFNAMSIZ, so the
  // name stays NUL-terminated despite strncpy().
  strncpy(ifr.ifr_name, TUN_IFACE, IFNAMSIZ);
  // First try with the NAPI flags; fall back to a plain TAP device if the
  // kernel rejects them.
  ifr.ifr_flags = IFF_TAP | IFF_NO_PI | IFF_NAPI | IFF_NAPI_FRAGS;
  if (ioctl(tunfd, TUNSETIFF, (void*)&ifr) < 0) {
    ifr.ifr_flags = IFF_TAP | IFF_NO_PI;
    if (ioctl(tunfd, TUNSETIFF, (void*)&ifr) < 0)
      fail("tun: ioctl(TUNSETIFF) failed");
  }
  // Read the flags back to learn which variant was actually applied.
  if (ioctl(tunfd, TUNGETIFF, (void*)&ifr) < 0)
    fail("tun: ioctl(TUNGETIFF) failed");
  tun_frags_enabled = (ifr.ifr_flags & IFF_NAPI_FRAGS) != 0;
  execute_command(1, "sysctl -w net.ipv6.conf.%s.accept_dad=0", TUN_IFACE);
  execute_command(1, "sysctl -w net.ipv6.conf.%s.router_solicitations=0",
                  TUN_IFACE);
  execute_command(1, "ip link set dev %s address %s", TUN_IFACE, LOCAL_MAC);
  execute_command(1, "ip addr add %s/24 dev %s", LOCAL_IPV4, TUN_IFACE);
  execute_command(1, "ip -6 addr add %s/120 dev %s", LOCAL_IPV6, TUN_IFACE);
  // Static neighbour entries for the "remote" peer, so no ARP/ND resolution
  // is needed.
  execute_command(1, "ip neigh add %s lladdr %s dev %s nud permanent",
                  REMOTE_IPV4, REMOTE_MAC, TUN_IFACE);
  execute_command(1, "ip -6 neigh add %s lladdr %s dev %s nud permanent",
                  REMOTE_IPV6, REMOTE_MAC, TUN_IFACE);
  execute_command(1, "ip link set dev %s up", TUN_IFACE);
}

// Per-device address templates; the parameter is the device index + 10.
#define DEV_IPV4 "172.20.20.%d"
#define DEV_IPV6 "fe80::%02hx"
#define DEV_MAC "aa:aa:aa:aa:aa:%02hx"

// Best-effort creation of a fixed set of virtual network devices.
// All commands run with panic=0, so a missing kernel feature or an already
// existing device is ignored rather than treated as an error.
static void initialize_netdevices(void)
{
  unsigned i;
  const char* devtypes[] = {"ip6gretap", "bridge", "vcan", "bond", "team"};
  const char* devnames[] = {"lo",
                            "sit0",
                            "bridge0",
                            "vcan0",
                            "tunl0",
                            "gre0",
                            "gretap0",
                            "ip_vti0",
                            "ip6_vti0",
                            "ip6tnl0",
                            "ip6gre0",
                            "ip6gretap0",
                            "erspan0",
                            "bond0",
                            "veth0",
                            "veth1",
                            "team0",
                            "veth0_to_bridge",
                            "veth1_to_bridge",
                            "veth0_to_bond",
                            "veth1_to_bond",
                            "veth0_to_team",
                            "veth1_to_team"};
  const char* devmasters[] = {"bridge", "bond", "team"};
  // One device of each type, named "<type>0".
  for (i = 0; i < sizeof(devtypes) / (sizeof(devtypes[0])); i++)
    execute_command(0, "ip link add dev %s0 type %s", devtypes[i], devtypes[i]);
  execute_command(0, "ip link add type veth");
  // For each master type: two veth pairs, one end enslaved to the master and
  // the peer end brought up.
  for (i = 0; i < sizeof(devmasters) / (sizeof(devmasters[0])); i++) {
    execute_command(
        0, "ip link add name %s_slave_0 type veth peer name veth0_to_%s",
        devmasters[i], devmasters[i]);
    execute_command(
        0, "ip link add name %s_slave_1 type veth peer name veth1_to_%s",
        devmasters[i], devmasters[i]);
    execute_command(0, "ip link set %s_slave_0 master %s0", devmasters[i],
                    devmasters[i]);
    execute_command(0, "ip link set %s_slave_1 master %s0", devmasters[i],
                    devmasters[i]);
    execute_command(0, "ip link set veth0_to_%s up", devmasters[i]);
    execute_command(0, "ip link set veth1_to_%s up", devmasters[i]);
  }
  execute_command(0, "ip link set bridge_slave_0 up");
  execute_command(0, "ip link set bridge_slave_1 up");
  // Give every listed device an IPv4 address, an IPv6 address and a MAC
  // derived from its index, then bring it up.
  for (i = 0; i < sizeof(devnames) / (sizeof(devnames[0])); i++) {
    char addr[32];
    snprintf_check(addr, sizeof(addr), DEV_IPV4, i + 10);
    execute_command(0, "ip -4 addr add %s/24 dev %s", addr, devnames[i]);
    snprintf_check(addr, sizeof(addr), DEV_IPV6, i + 10);
    execute_command(0, "ip -6 addr add %s/120 dev %s", addr, devnames[i]);
    snprintf_check(addr, sizeof(addr), DEV_MAC, i + 10);
    execute_command(0, "ip link set dev %s address %s", devnames[i], addr);
    execute_command(0, "ip link set dev %s up", devnames[i]);
  }
}

// Read one packet from the TAP device.
// Returns the byte count, or -1 when there is no TAP device, nothing is
// queued (EAGAIN) or the descriptor is in a bad state (EBADFD). Any other
// read error is fatal.
static int read_tun(char* data, int size)
{
  if (tunfd < 0)
    return -1;
  int rv = read(tunfd, data, size);
  if (rv < 0) {
    if (errno == EAGAIN)
      return -1;
    if (errno == EBADFD)
      return -1;
    fail("tun: read failed with %d", rv);
  }
  return rv;
}

#define MAX_FRAGS 4

// Optional description of how syz_emit_ethernet() should split a packet.
struct vnet_fragmentation {
  uint32_t full;             // non-zero: also send whatever remains after the listed fragments
  uint32_t count;            // number of entries used in frags[] (clamped to MAX_FRAGS)
  uint32_t frags[MAX_FRAGS]; // requested fragment sizes in bytes
};

// Inject a packet into the TAP device with writev().
//   a0 - packet length in bytes
//   a1 - address of the packet data
//   a2 - address of a struct vnet_fragmentation, or 0 for a single write
// Returns the writev() result, or (uintptr_t)-1 when no TAP device exists.
// Fragmentation is only honoured when the device accepted IFF_NAPI_FRAGS.
static uintptr_t syz_emit_ethernet(uintptr_t a0, uintptr_t a1, uintptr_t a2)
{
  if (tunfd < 0)
    return (uintptr_t)-1;
  uint32_t length = a0;
  char* data = (char*)a1;
  struct vnet_fragmentation* frags = (struct vnet_fragmentation*)a2;
  // MAX_FRAGS fragments plus one slot for the optional remainder.
  struct iovec vecs[MAX_FRAGS + 1];
  uint32_t nfrags = 0;
  if (!tun_frags_enabled || frags == NULL) {
    vecs[nfrags].iov_base = data;
    vecs[nfrags].iov_len = length;
    nfrags++;
  } else {
    bool full = true;
    uint32_t i, count = 0;
    full = frags->full;
    count = frags->count;
    // Clamp the caller-supplied count so vecs[] cannot be overrun.
    if (count > MAX_FRAGS)
      count = MAX_FRAGS;
    for (i = 0; i < count && length != 0; i++) {
      uint32_t size = 0;
      size = frags->frags[i];
      // Never describe more bytes than the packet still has.
      if (size > length)
        size = length;
      vecs[nfrags].iov_base = data;
      vecs[nfrags].iov_len = size;
      nfrags++;
      data += size;
      length -= size;
    }
    // Append the remainder when asked to, or when no fragment was produced.
    if (length != 0 && (full || nfrags == 0)) {
      vecs[nfrags].iov_base = data;
      vecs[nfrags].iov_len = length;
      nfrags++;
    }
  }
  return writev(tunfd, vecs, nfrags);
}

// Drain and discard every packet currently queued on the TAP device.
static void flush_tun()
{
  char data[SYZ_TUN_MAX_PACKET_SIZE];
  while (read_tun(&data[0], sizeof(data)) != -1)
    ;
}

static void loop();

// Containment applied to the test process before it does anything else:
// die with the parent, own process group and session, resource limits, and
// fresh namespaces. Every unshare() result is deliberately ignored, so a
// kernel without a given namespace type simply runs without it.
static void sandbox_common()
{
  prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
  setpgrp();
  setsid();
  struct rlimit rlim;
  // 128 MiB address space.
  rlim.rlim_cur = rlim.rlim_max = 128 << 20;
  setrlimit(RLIMIT_AS, &rlim);
  // 8 MiB locked memory.
  rlim.rlim_cur = rlim.rlim_max = 8 << 20;
  setrlimit(RLIMIT_MEMLOCK, &rlim);
  // 32 MiB maximum file size.
  rlim.rlim_cur = rlim.rlim_max = 32 << 20;
  setrlimit(RLIMIT_FSIZE, &rlim);
  // 1 MiB stack.
  rlim.rlim_cur = rlim.rlim_max = 1 << 20;
  setrlimit(RLIMIT_STACK, &rlim);
  // No core dumps.
  rlim.rlim_cur = rlim.rlim_max = 0;
  setrlimit(RLIMIT_CORE, &rlim);
  if (unshare(CLONE_NEWNS)) {
  }
  if (unshare(CLONE_NEWIPC)) {
  }
  // 0x02000000 is the value of CLONE_NEWCGROUP; presumably spelled
  // numerically for headers that lack the name -- confirm.
  if (unshare(0x02000000)) {
  }
  if (unshare(CLONE_NEWUTS)) {
  }
  if (unshare(CLONE_SYSVSEM)) {
  }
}

// "none" sandbox: fork a child that applies sandbox_common(), sets up the
// test network and enters loop(). The parent gets the child's pid back.
// NOTE(review): the result of unshare(CLONE_NEWNET) is ignored. If it fails,
// the ip/sysctl commands and the netfilter rewrites that follow act on the
// caller's network namespace rather than a private one.
static int do_sandbox_none(void)
{
  if (unshare(CLONE_NEWPID)) {
  }
  int pid = fork();
  if (pid < 0)
    fail("sandbox fork failed");
  if (pid)
    return pid;
  sandbox_common();
  if (unshare(CLONE_NEWNET)) {
  }
  initialize_tun();
  initialize_netdevices();
  loop();
  doexit(1);
}

// Upper bounds for the table snapshots kept below: bytes of rule data and
// number of rule entries (which sizes the counters array used on restore).
#define XT_TABLE_SIZE 1536
#define XT_MAX_ENTRIES 10

// The structs below are local declarations used with the ip(6)tables and
// arptables socket options. They appear to mirror the kernel's netfilter
// user-space ABI -- confirm the layouts against the kernel headers.
struct xt_counters {
  uint64_t pcnt, bcnt;
};

struct ipt_getinfo {
  char name[32];
  unsigned int valid_hooks;
  unsigned int hook_entry[5];
  unsigned int underflow[5];
  unsigned int num_entries;
  unsigned int size;
};

struct ipt_get_entries {
  char name[32];
  unsigned int size;
  void* entrytable[XT_TABLE_SIZE / sizeof(void*)];
};

struct ipt_replace {
  char name[32];
  unsigned int valid_hooks;
  unsigned int num_entries;
  unsigned int size;
  unsigned int hook_entry[5];
  unsigned int underflow[5];
  unsigned int num_counters;
  struct xt_counters* counters;
  char entrytable[XT_TABLE_SIZE];
};

// One snapshot per table: the info block as read at checkpoint time and a
// ready-to-send replace request that restores it.
struct ipt_table_desc {
  const char* name;
  struct ipt_getinfo info;
  struct ipt_replace replace;
};

static struct ipt_table_desc ipv4_tables[] = {
    {.name = "filter"}, {.name = "nat"},      {.name = "mangle"},
    {.name = "raw"},    {.name = "security"},
};

static struct ipt_table_desc ipv6_tables[] = {
    {.name = "filter"}, {.name = "nat"},      {.name = "mangle"},
    {.name = "raw"},    {.name = "security"},
};

// SET_REPLACE and GET_INFO share the value 64: the first is only passed to
// setsockopt() and the second only to getsockopt() in this file.
#define IPT_BASE_CTL 64
#define IPT_SO_SET_REPLACE (IPT_BASE_CTL)
#define IPT_SO_GET_INFO (IPT_BASE_CTL)
#define IPT_SO_GET_ENTRIES (IPT_BASE_CTL + 1)

struct arpt_getinfo {
  char name[32];
  unsigned int valid_hooks;
  unsigned int hook_entry[3];
  unsigned int underflow[3];
  unsigned int num_entries;
  unsigned int size;
};

struct arpt_get_entries {
  char name[32];
  unsigned int size;
  void* entrytable[XT_TABLE_SIZE / sizeof(void*)];
};

struct arpt_replace {
  char name[32];
  unsigned int valid_hooks;
  unsigned int num_entries;
  unsigned int size;
  unsigned int hook_entry[3];
  unsigned int underflow[3];
  unsigned int num_counters;
  struct xt_counters* counters;
  char entrytable[XT_TABLE_SIZE];
};

struct arpt_table_desc {
  const char* name;
  struct arpt_getinfo info;
  struct arpt_replace replace;
};

static struct arpt_table_desc arpt_tables[] = {
    {.name = "filter"},
};

#define ARPT_BASE_CTL 96
#define ARPT_SO_SET_REPLACE (ARPT_BASE_CTL)
#define ARPT_SO_GET_INFO (ARPT_BASE_CTL)
#define ARPT_SO_GET_ENTRIES (ARPT_BASE_CTL + 1)

// Snapshot the current contents of each listed ip(6)tables table so that
// reset_iptables() can put them back later.
//   tables/num_tables - descriptors to fill in
//   family            - AF_INET or AF_INET6 socket family
//   level             - SOL_IP or SOL_IPV6 sockopt level
// An unsupported address family skips the whole call; a table that is
// missing or not permitted is skipped individually. Other errors are fatal.
static void checkpoint_iptables(struct ipt_table_desc* tables, int num_tables,
                                int family, int level)
{
  struct ipt_get_entries entries;
  socklen_t optlen;
  int fd, i;
  fd = socket(family, SOCK_STREAM, IPPROTO_TCP);
  if (fd == -1) {
    switch (errno) {
    case EAFNOSUPPORT:
    case ENOPROTOOPT:
      return;
    }
    fail("socket(%d, SOCK_STREAM, IPPROTO_TCP)", family);
  }
  for (i = 0; i < num_tables; i++) {
    struct ipt_table_desc* table = &tables[i];
    // Table names are the short literals from the arrays above, well within
    // the 32-byte name fields.
    strcpy(table->info.name, table->name);
    strcpy(table->replace.name, table->name);
    optlen = sizeof(table->info);
    if (getsockopt(fd, level, IPT_SO_GET_INFO, &table->info, &optlen)) {
      switch (errno) {
      case EPERM:
      case ENOENT:
      case ENOPROTOOPT:
        continue;
      }
      fail("getsockopt(IPT_SO_GET_INFO)");
    }
    // Bound the kernel-reported sizes before they are used as copy lengths:
    // the rule blob must fit entrytable, and the entry count must fit the
    // XT_MAX_ENTRIES-sized counters array used on restore.
    if (table->info.size > sizeof(table->replace.entrytable))
      fail("table size is too large: %u", table->info.size);
    if (table->info.num_entries > XT_MAX_ENTRIES)
      fail("too many counters: %u", table->info.num_entries);
    memset(&entries, 0, sizeof(entries));
    strcpy(entries.name, table->name);
    entries.size = table->info.size;
    // Header part of the request plus exactly info.size bytes of rule data.
    optlen = sizeof(entries) - sizeof(entries.entrytable) + table->info.size;
    if (getsockopt(fd, level, IPT_SO_GET_ENTRIES, &entries, &optlen))
      fail("getsockopt(IPT_SO_GET_ENTRIES)");
    // Pre-build the replace request from the snapshot.
    table->replace.valid_hooks = table->info.valid_hooks;
    table->replace.num_entries = table->info.num_entries;
    table->replace.size = table->info.size;
    memcpy(table->replace.hook_entry, table->info.hook_entry,
           sizeof(table->replace.hook_entry));
    memcpy(table->replace.underflow, table->info.underflow,
           sizeof(table->replace.underflow));
    memcpy(table->replace.entrytable, entries.entrytable, table->info.size);
  }
  close(fd);
}

// Restore every checkpointed ip(6)tables table whose current state differs
// from the snapshot. Tables with info.valid_hooks == 0 are skipped;
// presumably those are the ones the checkpoint could not read -- confirm.
// NOTE(review): unlike checkpoint_iptables(), a socket() failure here is
// always fatal, including EAFNOSUPPORT.
// NOTE(review): counters has XT_MAX_ENTRIES slots, but num_counters is taken
// from the live table's num_entries without a bound check in this function;
// only the snapshot was bounded at checkpoint time -- confirm this is safe.
static void reset_iptables(struct ipt_table_desc* tables, int num_tables,
                           int family, int level)
{
  struct xt_counters counters[XT_MAX_ENTRIES];
  struct ipt_get_entries entries;
  struct ipt_getinfo info;
  socklen_t optlen;
  int fd, i;
  fd = socket(family, SOCK_STREAM, IPPROTO_TCP);
  if (fd == -1)
    fail("socket(%d, SOCK_STREAM, IPPROTO_TCP)", family);
  for (i = 0; i < num_tables; i++) {
    struct ipt_table_desc* table = &tables[i];
    if (table->info.valid_hooks == 0)
      continue;
    memset(&info, 0, sizeof(info));
    strcpy(info.name, table->name);
    optlen = sizeof(info);
    if (getsockopt(fd, level, IPT_SO_GET_INFO, &info, &optlen))
      fail("getsockopt(IPT_SO_GET_INFO)");
    // Cheap check first: only fetch and compare the rule data when the info
    // block still matches the snapshot.
    if (memcmp(&table->info, &info, sizeof(table->info)) == 0) {
      memset(&entries, 0, sizeof(entries));
      strcpy(entries.name, table->name);
      entries.size = table->info.size;
      optlen = sizeof(entries) - sizeof(entries.entrytable) + entries.size;
      if (getsockopt(fd, level, IPT_SO_GET_ENTRIES, &entries, &optlen))
        fail("getsockopt(IPT_SO_GET_ENTRIES)");
      // Unchanged table: nothing to restore.
      if (memcmp(table->replace.entrytable, entries.entrytable,
                 table->info.size) == 0)
        continue;
    }
    table->replace.num_counters = info.num_entries;
    table->replace.counters = counters;
    optlen = sizeof(table->replace) - sizeof(table->replace.entrytable) +
             table->replace.size;
    if (setsockopt(fd, level, IPT_SO_SET_REPLACE, &table->replace, optlen))
      fail("setsockopt(IPT_SO_SET_REPLACE)");
  }
  close(fd);
}

// arptables counterpart of checkpoint_iptables(): same steps against the
// ARPT_* socket options on an AF_INET socket at level SOL_IP. Here a socket()
// failure is always fatal.
static void checkpoint_arptables(void)
{
  struct arpt_get_entries entries;
  socklen_t optlen;
  unsigned i;
  int fd;
  fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
  if (fd == -1)
    fail("socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)");
  for (i = 0; i < sizeof(arpt_tables) / sizeof(arpt_tables[0]); i++) {
    struct arpt_table_desc* table = &arpt_tables[i];
    strcpy(table->info.name, table->name);
    strcpy(table->replace.name, table->name);
    optlen = sizeof(table->info);
    if (getsockopt(fd, SOL_IP, ARPT_SO_GET_INFO, &table->info, &optlen)) {
      switch (errno) {
      case EPERM:
      case ENOENT:
      case ENOPROTOOPT:
        continue;
      }
      fail("getsockopt(ARPT_SO_GET_INFO)");
    }
    // Same bounds as for iptables: sizes reported by the kernel are checked
    // before they are used as copy lengths.
    if (table->info.size > sizeof(table->replace.entrytable))
      fail("table size is too large: %u", table->info.size);
    if (table->info.num_entries > XT_MAX_ENTRIES)
      fail("too many counters: %u", table->info.num_entries);
    memset(&entries, 0, sizeof(entries));
    strcpy(entries.name, table->name);
    entries.size = table->info.size;
    optlen = sizeof(entries) - sizeof(entries.entrytable) + table->info.size;
    if (getsockopt(fd, SOL_IP, ARPT_SO_GET_ENTRIES, &entries, &optlen))
      fail("getsockopt(ARPT_SO_GET_ENTRIES)");
    table->replace.valid_hooks = table->info.valid_hooks;
    table->replace.num_entries = table->info.num_entries;
    table->replace.size = table->info.size;
    memcpy(table->replace.hook_entry, table->info.hook_entry,
           sizeof(table->replace.hook_entry));
    memcpy(table->replace.underflow, table->info.underflow,
           sizeof(table->replace.underflow));
    memcpy(table->replace.entrytable, entries.entrytable, table->info.size);
  }
  close(fd);
}

// arptables counterpart of reset_iptables(): restore the snapshot when the
// live table differs from it.
// NOTE(review): as in reset_iptables(), num_counters comes from the live
// table and is not bounded against XT_MAX_ENTRIES here -- confirm.
static void reset_arptables()
{
  struct xt_counters counters[XT_MAX_ENTRIES];
  struct arpt_get_entries entries;
  struct arpt_getinfo info;
  socklen_t optlen;
  unsigned i;
  int fd;
  fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
  if (fd == -1)
    fail("socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)");
  for (i = 0; i < sizeof(arpt_tables) / sizeof(arpt_tables[0]); i++) {
    struct arpt_table_desc* table = &arpt_tables[i];
    if (table->info.valid_hooks == 0)
      continue;
    memset(&info, 0, sizeof(info));
    strcpy(info.name, table->name);
    optlen = sizeof(info);
    if (getsockopt(fd, SOL_IP, ARPT_SO_GET_INFO, &info, &optlen))
      fail("getsockopt(ARPT_SO_GET_INFO)");
    if (memcmp(&table->info, &info, sizeof(table->info)) == 0) {
      memset(&entries, 0, sizeof(entries));
      strcpy(entries.name, table->name);
      entries.size = table->info.size;
      optlen = sizeof(entries) - sizeof(entries.entrytable) + entries.size;
      if (getsockopt(fd, SOL_IP, ARPT_SO_GET_ENTRIES, &entries, &optlen))
        fail("getsockopt(ARPT_SO_GET_ENTRIES)");
      if (memcmp(table->replace.entrytable, entries.entrytable,
                 table->info.size) == 0)
        continue;
    }
    table->replace.num_counters = info.num_entries;
    table->replace.counters = counters;
    optlen = sizeof(table->replace) - sizeof(table->replace.entrytable) +
             table->replace.size;
    if (setsockopt(fd, SOL_IP, ARPT_SO_SET_REPLACE, &table->replace, optlen))
      fail("setsockopt(ARPT_SO_SET_REPLACE)");
  }
  close(fd);
}

// struct ebt_replace, struct ebt_entries, the EBT_SO_* options and
// NF_BR_NUMHOOKS are not declared in this file; presumably they come from
// the two headers included here (names lost in extraction).
#include #include

// Snapshot of one ebtables table: the request header plus a private buffer
// for the rule data it points at.
struct ebt_table_desc {
  const char* name;
  struct ebt_replace replace;
  char entrytable[XT_TABLE_SIZE];
};

static struct ebt_table_desc ebt_tables[] = {
    {.name = "filter"}, {.name = "nat"}, {.name = "broute"},
};

// Snapshot each ebtables table through the EBT_SO_GET_INIT_* options.
// Missing or forbidden tables are skipped; other errors are fatal.
static void checkpoint_ebtables(void)
{
  socklen_t optlen;
  unsigned i;
  int fd;
  fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
  if (fd == -1)
    fail("socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)");
  for (i = 0; i < sizeof(ebt_tables) / sizeof(ebt_tables[0]); i++) {
    struct ebt_table_desc* table = &ebt_tables[i];
    strcpy(table->replace.name, table->name);
    optlen = sizeof(table->replace);
    if (getsockopt(fd, SOL_IP, EBT_SO_GET_INIT_INFO, &table->replace,
                   &optlen)) {
      switch (errno) {
      case EPERM:
      case ENOENT:
      case ENOPROTOOPT:
        continue;
      }
      fail("getsockopt(EBT_SO_GET_INIT_INFO)");
    }
    // The kernel-reported size must fit the private buffer before the
    // entries are fetched into it.
    if (table->replace.entries_size > sizeof(table->entrytable))
      fail("table size is too large: %u", table->replace.entries_size);
    table->replace.num_counters = 0;
    table->replace.entries = table->entrytable;
    optlen = sizeof(table->replace) + table->replace.entries_size;
    if (getsockopt(fd, SOL_IP, EBT_SO_GET_INIT_ENTRIES, &table->replace,
                   &optlen))
      fail("getsockopt(EBT_SO_GET_INIT_ENTRIES)");
  }
  close(fd);
}

// Restore every checkpointed ebtables table whose live state differs from
// the snapshot. Tables with replace.valid_hooks == 0 are skipped.
static void reset_ebtables()
{
  struct ebt_replace replace;
  char entrytable[XT_TABLE_SIZE];
  socklen_t optlen;
  unsigned i, j, h;
  int fd;
  fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
  if (fd == -1)
    fail("socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)");
  for (i = 0; i < sizeof(ebt_tables) / sizeof(ebt_tables[0]); i++) {
    struct ebt_table_desc* table = &ebt_tables[i];
    if (table->replace.valid_hooks == 0)
      continue;
    memset(&replace, 0, sizeof(replace));
    strcpy(replace.name, table->name);
    optlen = sizeof(replace);
    if (getsockopt(fd, SOL_IP, EBT_SO_GET_INFO, &replace, &optlen))
      fail("getsockopt(EBT_SO_GET_INFO)");
    // Clear the counter count and the pointer fields in the snapshot before
    // the byte-wise comparison with the freshly read header.
    replace.num_counters = 0;
    table->replace.entries = 0;
    for (h = 0; h < NF_BR_NUMHOOKS; h++)
      table->replace.hook_entry[h] = 0;
    if (memcmp(&table->replace, &replace, sizeof(table->replace)) == 0) {
      memset(&entrytable, 0, sizeof(entrytable));
      replace.entries = entrytable;
      optlen = sizeof(replace) + replace.entries_size;
      if (getsockopt(fd, SOL_IP, EBT_SO_GET_ENTRIES, &replace, &optlen))
        fail("getsockopt(EBT_SO_GET_ENTRIES)");
      // Header and rule data both unchanged: nothing to restore.
      if (memcmp(table->entrytable, entrytable, replace.entries_size) == 0)
        continue;
    }
    // Rebuild the hook pointers: the j-th valid hook points at the j-th
    // struct ebt_entries slot of the saved rule data.
    for (j = 0, h = 0; h < NF_BR_NUMHOOKS; h++) {
      if (table->replace.valid_hooks & (1 << h)) {
        table->replace.hook_entry[h] =
            (struct ebt_entries*)table->entrytable + j;
        j++;
      }
    }
    table->replace.entries = table->entrytable;
    optlen = sizeof(table->replace) + table->replace.entries_size;
    if (setsockopt(fd, SOL_IP, EBT_SO_SET_ENTRIES, &table->replace, optlen))
      fail("setsockopt(EBT_SO_SET_ENTRIES)");
  }
  close(fd);
}

// Snapshot all netfilter tables handled by this file (ebtables, arptables,
// IPv4 and IPv6 iptables).
static void checkpoint_net_namespace(void)
{
  checkpoint_ebtables();
  checkpoint_arptables();
  checkpoint_iptables(ipv4_tables, sizeof(ipv4_tables) / sizeof(ipv4_tables[0]),
                      AF_INET, SOL_IP);
  checkpoint_iptables(ipv6_tables, sizeof(ipv6_tables) / sizeof(ipv6_tables[0]),
                      AF_INET6, SOL_IPV6);
}

// Restore all netfilter tables to the state captured by
// checkpoint_net_namespace().
static void reset_net_namespace(void)
{
  reset_ebtables();
  reset_arptables();
  reset_iptables(ipv4_tables, sizeof(ipv4_tables) / sizeof(ipv4_tables[0]),
                 AF_INET, SOL_IP);
  reset_iptables(ipv6_tables, sizeof(ipv6_tables) / sizeof(ipv6_tables[0]),
                 AF_INET6, SOL_IPV6);
}

static void execute_one();
// Declared here but not referenced in the code visible in this block.
extern unsigned long long procid;

// Run execute_one() forever, each time in a fresh child process.
// The netfilter tables are checkpointed once up front and restored after
// every iteration. A child that has not exited after 3 seconds is killed,
// together with its process group.
static void loop()
{
  checkpoint_net_namespace();
  int iter;
  for (iter = 0;; iter++) {
    int pid = fork();
    if (pid < 0)
      fail("clone failed");
    if (pid == 0) {
      // Child: die with the parent, own process group (so kill(-pid) below
      // reaches its descendants), start from an empty TAP queue.
      prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
      setpgrp();
      flush_tun();
      execute_one();
      doexit(0);
    }
    int status = 0;
    uint64_t start = current_time_ms();
    // Poll for the child once per millisecond until it exits or times out.
    for (;;) {
      int res = waitpid(-1, &status, __WALL | WNOHANG);
      if (res == pid) {
        break;
      }
      usleep(1000);
      if (current_time_ms() - start < 3 * 1000)
        continue;
      // Timeout: kill the child's process group and the child, then reap it.
      kill(-pid, SIGKILL);
      kill(pid, SIGKILL);
      while (waitpid(-1, &status, __WALL) != pid) {
      }
      break;
    }
    reset_net_namespace();
  }
}

// Resource slots shared between the calls of the test program; slot 0 holds
// the socket descriptor. The all-ones initial value is what gets passed on
// when the socket() call fails.
uint64_t r[1] = {0xffffffffffffffff};

// The generated test program. Only its beginning lies inside this block; the
// definition continues past the last line reproduced here.
// NOTE(review): no mapping of the fixed addresses at 0x20000000 is visible
// before these stores; presumably code outside this view maps the region --
// confirm.
void execute_one()
{
  long res = 0;
  // Six zeroed 32-bit words at 0x20000000: a struct vnet_fragmentation with
  // full = 0, count = 0 and all frags[] = 0.
  *(uint32_t*)0x20000000 = 0;
  *(uint32_t*)0x20000004 = 0;
  *(uint32_t*)0x20000008 = 0;
  *(uint32_t*)0x2000000c = 0;
  *(uint32_t*)0x20000010 = 0;
  *(uint32_t*)0x20000014 = 0;
  // One byte of packet data from 0x200000c0, fragmentation descriptor above.
  syz_emit_ethernet(1, 0x200000c0, 0x20000000);
  // socket(2, 2, 0): on Linux, family 2 is AF_INET and type 2 is SOCK_DGRAM.
  res = syscall(__NR_socket, 2, 2, 0);
  if (res != -1)
    r[0] = res;
  // 16-byte address at 0x20000040: family 2, port 0, bytes ac.14.14.aa
  // (172.20.20.170, the LOCAL_IPV4 value above), zero padding.
  *(uint16_t*)0x20000040 = 2;
  *(uint16_t*)0x20000042 = htobe16(0);
  *(uint8_t*)0x20000044 = 0xac;
  *(uint8_t*)0x20000045 = 0x14;
  *(uint8_t*)0x20000046 = 0x14;
  *(uint8_t*)0x20000047 = 0xaa;
  *(uint8_t*)0x20000048 = 0;
  *(uint8_t*)0x20000049 = 0;
  *(uint8_t*)0x2000004a = 0;
  *(uint8_t*)0x2000004b = 0;
  *(uint8_t*)0x2000004c = 0;
  *(uint8_t*)0x2000004d = 0;
  *(uint8_t*)0x2000004e = 0;
  *(uint8_t*)0x2000004f = 0;
  syscall(__NR_connect, r[0], 0x20000040, 0x10);
  // 16-byte address at 0x20000000: family 2, port 0x4e25, address 0xe0000002
  // (224.0.0.2), zero padding.
  *(uint16_t*)0x20000000 = 2;
  *(uint16_t*)0x20000002 = htobe16(0x4e25);
  *(uint32_t*)0x20000004 = htobe32(0xe0000002);
  *(uint8_t*)0x20000008 = 0;
  *(uint8_t*)0x20000009 = 0;
  *(uint8_t*)0x2000000a = 0;
  *(uint8_t*)0x2000000b = 0;
  *(uint8_t*)0x2000000c = 0;
  *(uint8_t*)0x2000000d = 0;
  *(uint8_t*)0x2000000e = 0;
  *(uint8_t*)0x2000000f = 0;
  // Zero-length send (third argument 0) with flags 0x2004c044 to the address
  // built above.
  syscall(__NR_sendto, r[0], 0x20000fc0, 0, 0x2004c044, 0x20000000, 0x10);
  // Byte blob copied to 0x20005440; the literal and its use continue past
  // the end of this block.
  memcpy(
      (void*)0x20005440,
      "\x23\x21\x20\x2e\x2f\x66\x69\x6c\x65\x30\x20\x20\x20\x2d\x62\x64\x65\x76"
      "\x7b\x24\x2c\x27\x5d\x2b\x70\x70\x70\x30\x27\x20\x5d\x6d\x64\x35\x73\x75"
      "\x6d\x28\x20\x20\x20\x73\x79\x73\x74\x65\x6d\x5b\x70\x72\x6f\x63\x25\x20"
"\x2f\x47\x50\x4c\x20\x65\x74\x68\x31\x65\x74\x68\x31\x0a\x2b\x30\x9a\x32" "\x1b\x7c\x0c\xb2\x13\x88\x88\x9f\x0c\xab\xe6\xb6\x0f\xda\xcf\xe8\x18\x0f" "\x77\x45\xbe\x7c\x5c\xaf\xe9\xa1\x47\x8c\x12\xb4\xae\xa5\x3a\xd9\x75\x23" "\x66\xb4\x8d\xa9\x02\xbb\x9c\x68\x5d\x91\x15\xb1\xe6\x65\x26\xd3\xab\x0c" "\x52\xce\x44\x4b\xdf\xee\x19\x8e\x39\x84\x14\xfc\x76\xff\x79\x7b\x11\xa9" "\x18\x3f\x3b\xe6\x8e\x8b\x72\x03\xdc\x03\x66\x10\xd7\xaa\x75\xdd\x27\x53" "\x1e\x91\x70\x1b\x44\xd8\xe7\x02\x83\xf8\xda\x9e\x2a\xd3\x72\x2b\x23\xd9" "\x27\x55\x23\x1b\xe6\x80\x71\x47\x9c\x98\xf1\xcd\x8f\xd7\x69\x6f\x9f\xb6" "\xba\x6e\x2e\x69\x8e\x4e\xfc\x94\x16\x4d\xfb\xb9\x20\x7a\xb2\x27\x52\xa3" "\x53\xbd\xcb\x83\xeb\x55\xec\xc8\xeb\x3d\xc6\x96\xd4\x4a\x96\xd1\x5a\xa1" "\x2a\xbd\xda\x56\xd9\x9c\x44\x55\xf0\xc0\x6e\x05\x7e\x16\x14\xe5\x78\x00" "\x1c\xd1\x1a\x38\xf1\x51\x5b\xe8\xcf\x78\x08\x00\x00\x00\x00\x00\x00\x00" "\xba\x28\xe2\x20\x81\x5a\x64\x0b\xfa\x05\xb3\x0b\x9c\x8d\xce\x8b\x2d\x62" "\xe0\x4d\xed\xee\xcd\x9d\x19\xf1\xff\xe5\xdc\x79\x37\xa6\xbb\x6a\x52\xe8" "\x05\xb6\xd8\x46\x77\x6e\x07\xb3\x25\x63\xc3\x18\x1e\xc3\xc9\xfb\xe4\xf2" "\x02\xea\x4e\xdf\x39\x50\x3c\x55\x0f\x06\xd2\x99\x7d\xe6\x2e\x5c\x0d\xbe" "\x02\xf1\xad\x1d\x4b\x6c\x4f\xcc\xe2\x01\xcb\x93\xbd\x47\xee\x7f\xb9\xcf" "\x7c\xce\x48\xbe\x89\x67\x44\xd5\x3a\xc4\x10\x06\x12\xe0\x2f\xb3\x4e\x6b" "\xe9\x14\x47\x5f\xcd\x80\x69\x1f\xc3\xf3\xec\xce\x78\x66\x3f\xec\x98\xd9" "\xd5\x56\xc1\x50\x33\xed\xd1\xe8\x6c\x6f\x8b\x36\x3e\x89\x9c\x04\x13\xb1" "\xe8\x94\x5c\x1d\xee\xf0\x0d\xfa\x69\x29\x15\x9a\x01\xc7\x78\xd4\xac\x02" "\x25\xb5\x75\x4b\xdc\x98\xa2\x5f\x85\x29\x80\x28\x4d\x9d\xae\x6c\x77\x3e" "\x1e\xb7\x27\x88\x9e\x93\x87\xab\xbc\x05\x63\x7f\xe4\x42\xc7\xa5\x1f\x09" "\x9b\x42\x11\x5a\xdb\x46\x15\xd7\x66\x13\x91\x0c\x8a\x9d\xf7\xab\x90\x7d" "\x8d\x51\x69\x74\xf0\x9f\x6b\x45\x19\x54\x05\xd4\x96\x62\xa4\x68\xec\x51" "\xe9\x24\xa2\xa5\x72\x18\x14\x5e\x0f\x16\xdc\xa3\x91\xb6\xff\x05\x59\xcd" 
"\xa4\xf8\x53\x27\x37\x3c\x99\xc9\xe8\x19\xd2\xd1\xcd\x11\x8d\xa0\xa1\xf1" "\x0e\xc7\xf1\x3f\xce\x59\x68\xf3\x62\xbc\x34\x95\x54\x56\x66\xdd\x1f\x42" "\x1f\xe6\x59\xf1\x92\xc1\xad\x8f\xe4\xbe\x30\x41\x5c\x6c\xaf\x7d\x74\x0e" "\x96\x12\x63\xa5\xb9\xa3\xdd\x20\x6e\xaa\x8f\xe6\x3b\xcc\x71\xdc\xb7\xb9" "\x55\x47\x01\xd8\x33\xc3\xe9\x6e\x16\xcc\xcd\x79\xa4\x45\x53\xee\x4f\xa1" "\xf4\xd0\x53\xa2\xf3\xa6\xe4\x2b\xcf\x32\xd6\xf4\xd2\x8d\xfc\x67\x7f\xe9" "\x6d\xf7\xf3\x95\x71\x57\x1e\xfa\x92\x94\x38\x33\xac\x05\x94\x3f\x1e\x14" "\x84\x2f\xf4\x8f\x2f\x85\x3a\xc0\xbe\xee\xfb\xa9\xf3\x1d\xd8\xd4\x9d\xc4" "\x76\xa1\xb7\x54\x4e\xf5\x1a\x27\xe9\xfc\x19\x07\xa2\xa7\xb2\x4b\x3c\xb0" "\x8c\x9b\x51\xf4\x40\x42\xd3\xfe\xcb\xdd\xe3\x82\x38\x8c\xdf\xbf\x44\xd5" "\x84\x96\xa3\x6d\x41\x87\x00\x8b\x3e\xdd\x38\xfb\x4d\xe6\xdc\xda\x47\xb1" "\x28\x14\xa6\x7b\x49\x3d\x3a\x85\xf8\xad\x7e\x68\x11\xb6\x4d\x28\x8e\xa7" "\x94\x38\x98\xd4\xc6\x26\x57\x51\x45\x8f\x53\x78\xbd\xaa\x4c\xc5\x83\x85" "\x36\x03\x80\x6a\x54\xcf\x84\xc8\x4a\xe1\x22\x41\xa8\x23\x66\x06\x7e\xe9" "\x41\xd4\x53\x6d\x1d\x7d\x44\x9c\xec\x86\x8a\x33\xef\x03\xf9\xb4\xd2\xe5" "\x85\xca\x15\x41\x90\x45\xf5\xc6\x13\x03\x38\x87\xcf\x8c\x3f\xfc\x7a\x1c" "\xee\x9d\x86\x25\x14\xec\xf8\xef\xd3\x1b\x1a\xb4\x60\x87\x52\x1f\xda\x52" "\x32\x0b\x0b\x0b\x24\x1f\x87\x66\x0b\x44\x61\x3e\x5f\x5a\xff\x37\xc3\x88" "\x1a\xb8\x64\x87\xd2\xd2\xaa\x37\xb9\xf1\x05\xe7\xab\xab\xb8\x56\x05\x62" "\x2d\x12\xa2\x24\xc0\x3b\xaf\xb9\xc0\x49\x79\xa0\x2e\x87\xa1\x86\x66\xd4" "\x48\xb4\xac\xee\xd6\x06\xae\x8f\x33\xb3\xb7\xfd\x95\xb7\x42\xc0\x7b\xca" "\x05\x98\xda\x6d\xdc\xcf\x0e\xa9\xfe\xd9\x65\xe5\x7c\x3e\xe9\x84\x4b\x0b" "\xae\x25\xc8\xaa\x93\xb8\xa8\x4d\x49\x03\xbb\xa3\xe1\xfe\x93\x41\xfc\x12" "\x25\xd9\x19\x86\xa7\x89\xed\xcc\xdb\x48\x83\xf6\xba\x1b\xf9\x50\xc4\xfe" "\x02\x00\x00\x00\x9c\x1c\x87\xfd\x89\xc2\x7d\x85\xac\x5f\x51\x80\x4a\x69" "\x27\x88\xaa\xbe\x5a\xb4\x73\x54\x67\x30\x3e\x8c\x49\x22\xf2\xc6\x39\x44" 
"\x5a\xb0\xd0\xeb\x07\x93\x4a\xc1\xa3\x79\x71\x91\x87\x54\xbf\xd3\x06\x81" "\x15\x5f\x90\x00\xa7\x24\x0b\x05\xaf\xf4\x56\x59\x40\x3b\x0c\x19\xc7\x3b" "\xb6\x90\x80\xa0\x2c\x95\x04\x55\x97\xfd\x9d\xf7\xe3\x48\xf6\x1d\x6f\x42" "\x9f\x20\x48\xc7\xfe\xd4\x95\x6a\x1a\xf2\x09\x64\xc5\xa8\xea\x17\x8c\x98" "\x47\x59\x91\x42\xd0\x79\xc0\x75\x87\xbc\x6c\x32\x0c\xd4\xca\xe1\xe7\x1a" "\x43\x8f\xf4\x54\xb1\x17\x32\x9e\x89\xef\x9a\x64\x98\xa8\x05\xca\xfb\x43" "\xbf\x45\x97\x4b\x60\x10\xdf\xba\x82\x2b\xcf\xf8\x96\x4a\x63\x02\x00\x71" "\x4f\xd7\xe6\x2a\xce\x40\x2a\x63\x89\xa9\x3d\x12\xbf\xaa\xdf\xff\xd3\xef" "\x93\x9e\x2b\x16\x2b\x74\xf5\x8d\x4c\x3d\x59\x61\x3a\x88\x67\x1f\xc7\x70" "\xe0\xcf\xc7\xaa\x70\xe1\x83\x2a\x5d\x15\x6c\x53\xf6\xd6\xe4\xef\xa8\xd4" "\x81\x29\x59\xe9\x56\x0b\xae\x38\x3c\xbe\x26\x72\xe8\xfc\xf7\xe0\xe3\xa3" "\x28\x28\x2c\x1d\xd0\x57\x91\xce\x85\x19\x29\x00\xbd\x10\xeb\xe2\xd6\xc6" "\x05\xe6\x81\x3b\xa6\xe7\xff\x4c\xcf\x40\xba\x2b\xea\x78\xc7\x0d\xbe\xed" "\xf6\xa9\x2a\x86\xbe\x54\x63\x6f\xa9\x84\x65\x09\xab\xeb\x7c\x9f\xf4\xc2" "\xd8\x69\x64\xb9\x1d\xe3\xf2\x06\xb9\x07\x93\x86\x44\xc3\xbc\x3e\xb2\x40" "\x1a\x80\x69\x19\x9f\xcc\x94\xfa\xb0\x22\x96\x40\x3e\xe8\x32\x3e\xa8\x0d" "\xc9\x20\xa8\xfe\x5b\xa9\x08\x49\xcb\xbd\x50\xec\xa5\xe3\xf5\x91\x30\x4c" "\x5c\x9a\x39\x82\x6d\x63\x23\x65\x22\xe4\x14\xdc\xd2\x21\x8d\x87\xb5\x38" "\xa4\x6f\xce\xdd\xfe\x81\xc2\x4c\xba\x71\x45\x62\xa4\x32\x78\x6b\x24\x34" "\x54\xc6\x1d\x40\x07\x10\xaa\xe2\x2f\x0e\x9d\x15\x63\x00\x6a\xa4\xa8\x90" "\x07\x3e\x6c\x88\x1e\x47\xcd\x6f\xc1\x7e\x64\x0d\x75\xd1\x68\x18\x12\x5a" "\x99\x80\x0b\x09\x27\xba\x8c\x08\x33\x45\xc1\x00\x15\x11\xcd\xea\xb7\x80" "\x80\x44\x0d\x3c\x5e\x71\x5d\xbe\x44\x24\x18\x5b\x8f\xc3\xdd\xd4\xeb\x70" "\x44\xc8\xb6\xa6\xa1\x64\x9e\xfa\x00\x35\x89\xc6\x5a\x47\xff\xc0\xad\x7c" "\x0c\xbf\x5f\xb4\xea\xe2\x5f\xd0\x69\xd6\x49\x37\x67\x9f\x5e\x01\xe1\x08" "\x0e\x30\x3a\x8d\x6e\xbb\x28\xb6\x65\xad\x6f\xff\x47\x41\x2b\x4c\x83\xca" 
"\xb3\x8e\xdb\xe2\x1a\x32\x04\x7b\x03\x49\x25\x8a\x7c\x57\x12\x5f\x35\xab" "\x1d\x85\x80\xc5\x2f\xfa\xdb\xd4\x6f\xa1\xd3\x35\x15\x02\xe0\x96\x66\x9d" "\x14\x6c\x7d\x2a\x5d\xe1\x84\x54\x0b\xa5\x2f\x25\x4e\x6a\xa1\x85\x58\x58" "\x6f\x03\x6c\xd6\x43\xc9\x9f\x9a\x21\xdc\x8b\x05\x13\x42\xac\x0d\x6e\x4f" "\xf6\x5b\x8e\x63\x84\x25\xbd\x80\xca\x28\x3c\xac\x35\xbb\x1a\x58\x6f\xda" "\xc8\x96\xd9\xa5\x69\x2b\xf5\x15\xc5\x02\x9a\x90\xbc\x07\x78\x22\x52\x92" "\xae\xb8\x4a\xe6\x5c\xb7\x07\x19\xc2\x74\xe5\x6d\x4e\x3b\x65\x7d\xe0\xe7" "\x3b\x28\x8c\x0c\xa0\x0c\x69\x47\xa3\xd3\xe1\x01\x1a\x9f\x12\x74\x1d\x80" "\xfe\x6e\xf6\xf8\x40\x8f\xd2\x8e\x64\x69\xb5\x36\x8f\xb3\x74\xf3\x01\x12" "\xc8\xb3\x96\xb7\x32\xc2\xe2\x5f\x83\xd9\x88\x88\xba\x1a\x9d\xf5\x71\x94" "\xae\x17\xaf\x31\x7e\xa8\x00\x0a\x02\x83\x25\xa2\x87\x60\x21\x5d\xd8\xcc" "\xbe\x4c\xeb\x9a\x37\x17\xa1\x23\x19\x48\xd5\xd0\xbc\x5f\xb5\x20\x06\xae" "\x4d\xab\xe5\xcc\x84\x22\xd9\xae\x38\x68\xdb\xe7\x50\xcc\x56\x4e\x9c\xb1" "\xd8\xdf\x1b\x95\xaf\xf9\x19\x82\x8a\x64\x9a\x65\x19\x09\x7d\xfe\xeb\xbf" "\x11\xc0\xc3\x91\x5c\x0a\x85\x05\x05\x8b\xb9\x66\x1e\xbf\xd6\x2e\x6b\xfa" "\x8c\xae\x2e\x3d\x37\x18\xf5\x01\x00\xe4\x7a\xd7\x39\xb8\x28\xa7\x6e\x3d" "\xd3\x2b\x39\x6a\xc3\xd9\x27\x6a\x83\x42\xf3\x36\x11\xb3\x04\xdd\xad\x50" "\x78\xea\xc7\x71\x81\xea\x7d\x53\xb8\x68\x43\xb4\x79\xb0\x4f\xa8\x54\xf8" "\x90\x06\x91\xac\xc2\x93\x49\x2b\xc5\x97\x7b\x04\x7f\xb3\x2d\x40\x5f\x7c" "\x64\xff\x1d\x7b\x75\xb8\x63\x42\x36\xa8\x62\xa1\xee\x42\x92\xb6\xf6\xc1" "\x3f\x6f\x27\x97\xd7\x94\xd0\x53\xa4\xbc\x23\x83\xef\x90\x39\xe7\x8e\x37" "\x77\xb5\x01\x58\x3c\xb0\xef\x07\xa2\x83\xb9\xb7\x37\xbe\xd6\xb2\xf5\x82" "\x60\xd2\xee\xf4\x30\x20\x92\xe5\xd0\x26\x85\x56\x13\xfc\x82\x84\xb9\xb2" "\x41\xb2\x7b\xaf\x91\x8c\x39\x7e\x78\x05\xcc\x0d\x77\x7e\x57\x37\xb2\xd0" "\x9d\x09\x5c\x94\x71\xe6\xa3\xd7\xa5\xd7\xf1\xb4\x26\xe5\x23\xf3\x9c\x0b" "\x58\x95\xfa\xd0\xfb\xc4\x0e\x51\xca\x8d\x91\xb8\xbb\xca\x12\x55\x3d\x20" 
"\xdf\x9b\x18\x79\xbd\x30\xfc\xdb\x49\x1a\x8f\x3e\x7c\x2a\x96\xda\xa0\xbc" "\x31\xb0\x90\x7d\xba\x83\xe1\xe8\x22\x43\x52\xe1\xf9\xe2\x26\xbc\x55\x74" "\x96\x6a\x20\x99\x5e\x7f\xa2\x24\xca\x81\x9b\x9d\xbe\x34\xe5\x25\x12\xa4" "\xb9\x78\xc7\x45\x06\x85\x91\x71\x1b\x53\xf0\xbc\x0c\x39\xab\x2c\xfc\x35" "\x9f\xc8\xb8\xd1\xd2\x46\x98\xc7\xdc\xd2\xad\xc7\x55\xbf\x9f\xef\x5f\xca" "\x0c\x0d\x38\xd4\x60\xc3\x31\x1d\x21\x27\x2b\x31\xbe\x00\xf6\x70\x68\xee" "\xc0\x0c\x21\xe1\xc1\x11\xa9\xe8\x89\xdc\x54\x9a\x70\x51\xe5\xb4\x3e\xbe" "\x63\x7c\xaf\xf6\xb3\x01\xab\x09\xd4\x74\x78\x49\x61\x2e\x93\x5a\x95\x48" "\x72\x64\xf8\x68\x49\x43\x05\xf1\x10\x76\xa1\x6b\x54\x80\x27\x6e\x08\xc2" "\xb1\xd1\x95\xaf\x11\xfb\xcc\xec\x97\xb1\xea\x0a\x5a\x37\xf0\x6d\xba\x96" "\xc9\x12\x8b\x83\x5a\x31\x7e\x8b\x1b\x90\x8d\xfb\xdc\x29\xbb\xa3\x95\x19" "\x7b\x95\x1c\x82\xae\x7a\xf9\x44\x62\x3f\xf2\x3e\x75\x7b\xb1\xa2\x60\x06" "\xa9\x77\x32\x0c\xda\xb8\x5b\xc7\x47\x54\xd6\xe7\xe0\x95\xa3\x51\x23\xc1" "\x63\xa7\xe6\x62\x0c\xf6\x24\x2e\xee\x1c\xfa\xf7\x69\x9f\x6d\x71\xcb\x7f" "\xaa\xa4\x25\x1b\x09\xdf\x3e\x4a\x00\x73\xce\xab\x75\xcc\xe1\x47\xd7\xb2" "\x62\xa7\x67\x82\x6e\xfa\x7a\xd8\xd0\x0f\x50\x67\x9a\x8d\xac\x72\x22\xd6" "\x6a\x72\x4b\x95\x1a\x46\xb3\x49\x36\x56\xdc\x23\x55\x1b\x95\x8f\x9a\x59" "\x7e\x37\xd4\x1a\x43\xa9\x22\x18\x99\x40\x1a\x3c\x16\x4a\xb4\x6e\x66\x63" "\xce\x13\xae\xbc\xfb\xed\xe7\x8d\xe6\xb3\xcf\xf3\x1f\xae\x08\xf7\xd4\xe2" "\x44\x9d\x58\xb9\x11\x8d\xa1\x8f\xa6\x4d\xe8\xe2\x81\xfb\x73\x3b\x8b\x24" "\x11\x38\x78\x44\x75\x13\xbb\xb0\x8f\x87\x6b\xbe\xd8\x03\x11\xda\x95\xa5" "\x6a\x81\x71\x4a\x71\xbc\x46\xdb\x1a\x27\xe7\x75\x9b\x66\x5b\x34\xe3\x41" "\xbe\xc4\xc3\x68\x07\x68\x5d\xd2\xc1\x82\x37\x40\x6e\x04\xf7\x8f\x6b\xcb" "\x72\x8a\x21\x4e\x48\x73\x3f\x82\xfb\x2d\x99\x7e\xb3\x74\x96\x8e\xeb\xea" "\x48\x30\x2d\x35\x14\x89\xe6\x22\xaf\xd1\xca\x45\x01\x63\xf5\x21\xa9\x71" "\x57\x38\xe9\x81\x7a\xce\x38\xd4\xe2\xcd\x34\x6f\x89\x1e\x01\x6e\xd5\x7d" 
"\x36\xde\x45\x41\x2c\x97\x87\x2e\x2d\x27\x84\xc2\xbb\x57\x3e\x93\xf7\x26" "\x5a\xc4\x48\xe0\x20\x95\xad\xc9\xfa\xee\x7d\x3d\x15\x16\x57\x07\x2c\x7a" "\xe6\xf4\x14\x08\x64\x09\xe6\xfb\x87\x5d\x15\x7d\x53\x72\xac\x6b\xf8\xa9" "\x21\xba\x87\x4d\x27\xdf\xd3\x41\x9e\x14\xfc\xf6\xf5\x2f\x7e\x64\xc1\x12" "\x68\x6a\x97\x33\xcd\xed\xd9\x82\xf6\xfc\x5c\x8a\xc2\x92\x1a\x16\x3c\x3d" "\xfe\x5c\x55\xe2\x78\x18\xa2\x91\xc4\x0b\x81\xe8\x27\x7a\x2d\xb1\xaf\x06" "\x76\x3d\x31\x23\x0f\xc5\xce\x6a\x8e\x46\x0c\x36\x4b\x73\xd1\x10\x1a\xb0" "\x32\x74\xb5\x98\xa1\x40\x74\xb7\xb8\xf9\xe3\x24\xd3\xae\x8f\x38\x28\xc6" "\x27\xd1\xbe\x8d\xb8\xe7\xf7\x8d\xb8\x38\x69\x46\x0a\x19\x92\x11\x78\x2e" "\xbe\x6d\x0d\x34\x7b\xcb\x25\x6f\xf6\xe2\x6c\xe5\xfc\x01\x28\xf8\x9d\x6f" "\x59\x38\xca\x34\x02\x0c\xe8\x30\xf1\x2c\x00\x2d\xcc\xa0\xed\x63\xab\x61" "\xb9\x74\xb3\xda\x17\xb3\x25\x13\xa2\x08\xff\xbd\xb7\xd6\x09\x27\xd5\xca" "\xd5\x04\x92\x4e\x5d\xce\x16\x9d\x32\xdf\x71\x5a\xf8\xa5\x8c\xeb\x48\xf7" "\x51\x1c\x07\x6a\x57\x58\x66\xd3\x89\xdc\x93\x17\xc0\x8a\x51\x23\x44\xb6" "\x33\x53\x5a\xe0\x14\x3e\x1c\xeb\x20\x1d\x88\x20\x8b\x97\xeb\x38\x14\xb5" "\x6f\x80\x87\x0b\x53\xbd\x8a\x8d\xc6\x1a\x88\xc3\x6f\xf6\x26\xb4\xbf\x87" "\xd6\xfc\x17\x6a\x3a\xea\x4b\x74\x16\xd5\x38\x03\xb1\x2f\x0f\xab\xc6\x68" "\x03\xf9\x67\x7d\xa5\xff\x12\xbe\x41\xd6\x68\x42\xf4\xdf\x90\xdf\xf6\x07" "\x9d\x76\x35\x3c\x4b\x15\x49\x04\x08\x8e\xe4\x34\x2e\x78\x8b\x12\xb2\x2d" "\xde\xba\x56\xcb\xa9\x8a\x72\x43\x69\x8a\x24\x57\x03\x06\x01\xf4\x9e\xf5" "\xce\x98\x04\x46\xb0\x2b\xca\x58\xad\x46\xe3\xe8\xcc\xe5\x90\x0d\xdc\x39" "\xa8\xd3\x35\x65\x5a\x2b\x1b\x78\x65\x3b\xdb\x59\xc5\xb7\xda\x71\x8e\xdb" "\xf0\x59\xfb\x33\xe7\x83\x43\x16\x0d\x56\xff\x8f\xac\x46\xcb\x3b\x31\xfe" "\x32\xa3\x9e\xf7\xe1\x0f\xf5\x52\x75\xa3\x00\xdb\x0f\xd4\xb9\x56\xaf\xad" "\x57\x2c\x78\xf5\xc4\xea\x58\xd1\xe7\xba\xff\x90\x3b\xeb\x1d\xd0\x1c\x6c" "\xa2\xbf\x88\xf3\x79\xe5\x71\x19\x56\x9d\x9e\x58\x90\xce\x40\x7b\x5d\xe9" 
"\x50\x92\xef\x9f\x28\x82\xce\x37\x62\x2e\x0b\x76\xea\x43\x5a\x0f\x90\x1a" "\xb4\x77\x59\x7b\x52\x7b\x30\xdf\xca\x8a\xd8\xbe\x03\x82\x92\x71\xea\x02" "\xff\x04\xa7\xe0\xa3\x73\x29\x2f\x5c\x77\xad\x1f\x81\xfe\x98\x31\xd5\xc3" "\xe0\x8b\x92\x4e\x7a\x42\x56\xb0\xa4\x77\x20\x03\x5f\x47\xe4\x4f\x00\xf3" "\xa0\x71\x88\x30\x02\xbe\x4b\xc2\xc2\x82\x1d\x32\xe5\xfa\x4e\x90\x45\x6f" "\x27\xff\x09\xd2\x29\xb1\xe9\xee\x5e\xe2\x02\x01\xbf\x81\x33\xde\x64\x23" "\x34\xac\x8b\xb2\xca\x32\xc2\xa7\x62\x08\xe0\xeb\x48\xc0\x7a\xde\x60\x0b" "\xae\x2e\xdc\x7f\x44\x69\xab\xd4\x33\x4a\x72\xdd\x0c\x1b\x13\x73\xb9\xb7" "\xa9\x39\x5b\x0c\xe2\xdb\x8d\x65\xe1\xb0\xd6\x60\xb1\x7e\x1b\x4c\xe6\x21" "\x8a\x4c\xbe\xc9\x87\x82\x83\xc6\x42\x21\x60\xd9\xc1\xc9\xdd\xe1\xed\xf4" "\x17\xc3\x35\x2f\x31\x4b\xe3\xae\x9e\xc8\xe4\x5d\xe5\xfc\x14\x4d\x04\x02" "\x50\x61\x1c\x8f\x6d\xf7\x29\xdd\xb3\xc1\x7a\xce\x68\x67\xfa\x44\x7a\x99" "\x29\x0a\x80\x28\xa0\xfb\x81\xa3\xa1\x10\x68\xb2\xe1\xfe\x37\x64\xb6\x31" "\x6e\x52\x3e\x1c\x37\xf9\xdd\xeb\x64\x85\x83\x96\xc1\x75\xce\x6c\x0f\x2c" "\x95\xea\xd6\x31\x05\x94\x2a\xc4\x58\x42\x29\x71\x4e\xd1\xcc\x45\x67\xe2" "\xbb\xd1\xa0\x08\x8c\xd3\xc4\xfb\x31\x5d\x6f\x8b\xf5\x32\x48\xa9\xd1\x12" "\xf7\x87\xa7\x6d\xaf\xc3\xc2\x5d\x94\xc3\xf0\x42\xb8\x97\x2b\x11\xb6\x0e" "\x3c\x0f\x71\xf6\xe6\x14\xc6\xa0\x75\x51\x28\xf9\xe7\x06\x58\x4c\x33\x9b" "\x3d\xbe\xf3\xd1\xb8\x92\x7c\x46\xe3\x43\x13\x50\xd9\xd9\x78\x13\x21\xfc" "\x02\x26\x07\x43\x7a\x87\xed\xba\x95\x55\xe9\x98\x4c\xf3\x37\x78\x49\xac" "\x5f\x5b\x0c\x5a\xde\x7a\x2d\x22\x56\x75\xda\xa7\xd9\x54\x1d\xc7\xeb\x8a" "\x37\xcb\xf7\xbe\x88\x1f\xc9\x8a\xbd\x14\xcb\xa7\xbf\x14\x3e\xa2\xa1\x8f" "\x1c\x7d\xf7\xcf\x4c\x65\xa0\xd0\x01\x97\x0c\x47\x00\xe2\x5e\x93\x27\x66" "\x30\x44\x45\x70\x53\xe3\xcf\x52\xd2\xb4\x1a\xa1\x38\xac\x5c\xc8\xe9\x55" "\x36\x32\x96\xa0\x21\xf7\xcc\x38\xb2\x93\x71\x08\x89\x63\xd3\x29\x46\x83" "\xe0\x00\xb3\x58\x99\x9e\x71\x25\x2a\x73\x8d\x94\xd0\x81\xd4\x1b\x39\x5f" 
"\x62\x4d\x07\x46\xf0\x01\xc3\x9b\x6f\xb5\xef\x65\xee\x58\x89\xbf\x32\xa3" "\xce\xec\xdd\x93\x95\xa5\x7f\xa4\x01\x83\x97\x3f\x05\x37\x4b\xe6\x44\xe8" "\x8f\x80\x89\x1c\x98\x22\x05\x04\xdf\x6d\xf8\x41\xbf\x2b\x69\xf6\xdb\x28" "\x98\x2a\xa4\xfa\x26\xb2\x8a\xcb\x4b\x05\x36\xe7\x1e\x1a\xca\x49\x04\xb4" "\xc9\xaa\xf8\xc8\x27\x9f\x98\x39\x19\x8f\x36\x62\x5b\xa1\x2e\x93\x2a\x29" "\xb8\xc6\x65\x6c\x2b\xa7\x48\xbe\x97\x7b\xb3\x43\x70\x48\x6f\x30\x8c\xef" "\xfb\x0f\xe0\x23\xca\x70\x86\x21\xff\xe3\x70\x91\xbe\xca\xb9\x70\xfa\xd1" "\x31\xa4\xb4\x94\x5b\x92\x29\x48\x61\xbd\xc1\x40\x2d\x64\xe3\xc8\x79\xa0" "\x96\xf0\x33\x65\x54\x12\xba\x64\xca\x48\xc9\x25\x6f\x9d\x0f\xa6\x6e\x89" "\xf3\x0e\xdd\xaa\x56\xe1\x1f\xe6\x41\xbf\x93\x40\x77\xd9\xac\x81\x34\xc1" "\x3a\x14\xb9\x93\x43\xa4\xde\x0a\x1d\x62\xbb\x93\xd7\xab\x33\x51\x62\xb9" "\xe4\xf7\x40\xc1\xf4\x17\xd3\xab\xad\x85\x1f\x01\x8a\xad\xb9\x89\x13\x61" "\x51\x73\x28\xf2\xc6\x62\xa2\x39\xde\x1e\xe2\x17\x24\x41\xa1\x42\x7e\x86" "\x79\xd2\x44\x95\x14\x98\xa2\xe1\x78\xff\x17\x16\xb6\xa6\xb4\x15\x15\x9d" "\x5b\x09\x2b\x43\x09\x93\x8b\x7f\x3c\xc3\xac\x01\x18\x84\xe4\x33\x96\x98" "\x7a\x36\xfc\x1d\xd6\x0e\x29\x6d\x99\x9f\x4a\x65\x6b\x9a\xbf\x09\xb0\x9d" "\xb3\xf3\x46\x23\x9b\xf0\xe7\xa4\x22\x8c\xc4\x00\xd2\x69\xc8\xaf\xd2\xa2" "\xe9\xf6\x59\xeb\xe3\xe5\xcd\x62\x0f\x04\xf5\x5a\x9a\x41\xbe\xd7\x36\xf2" "\x89\x58\x0c\xae\x9f\x19\x50\x07\x86\x49\x3b\xa9\x38\x40\x2e\x92\x7d\x6c" "\x73\x96\x90\x07\x92\x7d\x94\x29\x60\x6d\xdb\xca\xcf\x8e\xac\xcc\x59\xd7" "\xce\x1f\x0d\xa6\x7f\x23\x4e\xac\x22\x95\xaf\x65\xa7\x2a\x69\xdb\x5f\x94" "\x63\xba\x8c\xe6\x54\x8d\x0e\x0f\x06\x7b\x94\xfc\xbe\x04\x24\x96\x89\xe7" "\xde\x05\xa9\x63\xf6\x8e\xc8\x9f\x7d\x12\xce\x6d\x6f\x9c\x3d\x9c\xc7\x4d" "\xa2\xf0\x49\x45\x02\x0e\x9b\x5b\xc1\xad\x16\x0b\xbf\x69\x30\xe7\x87\x3e" "\x7c\x6c\x9e\x7c\x44\xf3\xb4\xce\xcf\x50\xe8\xcf\x93\x95\xfb\x61\xaf\x66" "\xe2\x8d\x2a\xab\x36\x57\x50\xfd\xf9\x51\xcb\x7c\xeb\xe4\xde\x00\xc8\x3b" 
"\x53\x11\xce\xf1\x4b\xbe\xcf\x81\x22\x27\x91\xf0\x33\x10\x00\x1b\xe7\xc8" "\x11\x8a\x13\x55\xda\xb1\x27\xca\x42\x73\x31\x9c\x7f\xbd\xab\xa8\xd0\x47" "\x1e\x3d\xee\xed\xc0\xa8\x63\x89\x4e\xe2\xad\x65\x3d\x34\xde\x28\x18\x1d" "\xf6\xeb\xc8\xa7\x83\x83\xff\x7b\x1f\x08\x76\x0b\x0f\x12\xa2\xe9\x86\x7b" "\x40\xde\x99\x5c\x95\x8f\x44\x3d\x3f\x6d\xb2\x09\xf3\x2d\x34\xbd\x6d\x74" "\x23\x51\xd6\x5f\x50\x0f\x0c\xf1\x27\x19\x3a\xc3\xae\xbb\xcc\x0a\x1b\x5b" "\x20\xda\x2c\x4c\xc9\x82\x32\x67\xc6\xcd\x15\x68\x9d\x94\xcc\xc0\x6b\x32" "\x64\xcb\xc3\x0a\x2c\x27\xe7\xfe\x7c\x9e\x0f\xdf\x39\x3c\x6d\xd3\xb0\xe3" "\x81\xe3\x5b\xcc\x20\x4f\x39\x36\x4c\x80\x07\xf3\x02\x80\x4a\x73\x8f\x2f" "\x64\x99\xdd\x05\x6a\xf4\xeb\x68\xb3\xcf\x35\x3f\x2e\xd1\x6b\xab\x09\xd7" "\xd3\xa0\x54\x8e\x23\x83\xc1\x7d\x26\x39\xb4\x01\xa2\x47\x87\x8a\x50\x29" "\xcc\x71\x05\xf9\xd0\xf2\x68\xaa\x58\x72\x98\x45\x3a\x6e\x05\xa9\xb5\xcd" "\xd2\x2a\xa8\x43\x1f\xdd\x70\x2b\xc6\x62\xc1\x2d\xd8\xbe\x53\x7d\x01\xac" "\x9b\xcb\xae\xc4\xdc\xce\x09\x34\xef\xc3\xae\xf3\x1b\x59\x56\xb5\x94\xde" "\xd2\x40\x24\xad\x46\x9b\xa5\x07\x88\xf4\xb2\x8d\xac\x5d\xa6\x34\x45\x9b" "\xc2\x08\x68\xb8\xf4\x96\x6b\xec\x55\xbf\xb4\x88\x7c\xa3\xaa\x98\xdb\x49" "\xe5\x0d\x37\xaf\x99\xb9\xc4\x64\xa4\xa2\x55\x6c\x59\x16\xb5\x62\xba\x6b" "\x3c\x10\xbe\xf8\xe9\x6f\x21\x82\xe2\x78\x43\xe2\x25\x52\x43\x47\x51\x40" "\xe4\xab\xf5\xa2\x1e\x1a\x0a\x3c\x68\xf7\xbc\xe1\xfd\x8e\xde\xba\xbf\x27" "\x09\x87\x06\xed\x97\x22\x6f\xf7\xe1\xb8\x66\x31\x34\x15\xac\x2c\x0b\x53" "\xa0\x00\x00\x00\x00\x00\xfb\x3f\xb8\x2d\x58\x8e\x83\x1a\x72\xd5\x51\x0e" "\x12\xfe\x7c\x2c\x5e\xcc\xd9\xf4\xde\x4f\xb5\x71\x5b\x2a\xe9\xed\x84\xed" "\x01\x99\x9e\xca\xc2\x6b\xc1\x73\x4e\xb4\x56\x4a\x86\xe1\x7e\xc0\x32\x9e" "\x34\x02\x4a\xc9\x0a\x3c\x84\x17\x00\xcf\x4f\xc2\x0b\x63\x6e\xa2\x6c\xa5" "\x0c\x0f\xb1\x2b\xcf\xd6\x25\x9d\x7c\x99\x5a\xe3\xf8\x35\x20\xc7\xcc\xf3" "\xa4\x2d\x1c\x03\x9e\x86\xcd\x01\x18\x4b\x40\x90\x75\x95\x04\x82\xee\xd6" 
"\xf3\xe0\x89\xa9\xb6\xf9\x40\x84\x7c\x2f\xcd\x6a\xf2\x5a\x9b\xa0\x6b\x93" "\x7a\xdc\x20\xdd\x67", 4289); syscall(__NR_write, r[0], 0x20005440, 0x10c1); } int main() { syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0); for (;;) { int pid = do_sandbox_none(); int status = 0; while (waitpid(pid, &status, __WALL) != pid) { } } }