// https://syzkaller.appspot.com/bug?id=180e282924600527193dc00eb4bffc62920a6401 // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include unsigned long long procid; static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static bool write_file(const char* file, const char* what, ...) { char buf[1024]; va_list args; va_start(args, what); vsnprintf(buf, sizeof(buf), what, args); va_end(args); buf[sizeof(buf) - 1] = 0; int len = strlen(buf); int fd = open(file, O_WRONLY | O_CLOEXEC); if (fd == -1) return false; if (write(fd, buf, len) != len) { int err = errno; close(fd); errno = err; return false; } close(fd); return true; } static struct { char* pos; int nesting; struct nlattr* nested[8]; char buf[1024]; } nlmsg; static void netlink_init(int typ, int flags, const void* data, int size) { memset(&nlmsg, 0, sizeof(nlmsg)); struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg.buf; hdr->nlmsg_type = typ; hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags; memcpy(hdr + 1, data, size); nlmsg.pos = (char*)(hdr + 1) + NLMSG_ALIGN(size); } static void netlink_attr(int typ, const void* data, int size) { struct nlattr* attr = (struct nlattr*)nlmsg.pos; attr->nla_len = sizeof(*attr) + size; attr->nla_type = typ; memcpy(attr + 1, data, size); nlmsg.pos += NLMSG_ALIGN(attr->nla_len); } static void netlink_nest(int typ) { struct nlattr* attr = (struct nlattr*)nlmsg.pos; attr->nla_type = typ; nlmsg.pos += sizeof(*attr); nlmsg.nested[nlmsg.nesting++] = attr; } static void netlink_done(void) { struct nlattr* attr = nlmsg.nested[--nlmsg.nesting]; attr->nla_len = nlmsg.pos - (char*)attr; } static int netlink_send_ext(int sock, uint16_t reply_type, int* reply_len) { if (nlmsg.pos > nlmsg.buf + sizeof(nlmsg.buf) || nlmsg.nesting) exit(1); struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg.buf; hdr->nlmsg_len = nlmsg.pos - nlmsg.buf; struct sockaddr_nl addr; memset(&addr, 0, sizeof(addr)); addr.nl_family = AF_NETLINK; unsigned n = sendto(sock, nlmsg.buf, hdr->nlmsg_len, 0, (struct sockaddr*)&addr, sizeof(addr)); if (n != hdr->nlmsg_len) exit(1); n = recv(sock, nlmsg.buf, sizeof(nlmsg.buf), 0); if (n < sizeof(struct nlmsghdr)) exit(1); if (reply_len && hdr->nlmsg_type == reply_type) { *reply_len = n; return 0; } if (n < sizeof(struct nlmsghdr) + sizeof(struct nlmsgerr)) exit(1); if (hdr->nlmsg_type != NLMSG_ERROR) exit(1); return -((struct nlmsgerr*)(hdr + 1))->error; } static int netlink_send(int sock) { return netlink_send_ext(sock, 0, NULL); } static void netlink_add_device_impl(const char* type, const char* name) { struct ifinfomsg hdr; memset(&hdr, 0, sizeof(hdr)); netlink_init(RTM_NEWLINK, NLM_F_EXCL | NLM_F_CREATE, &hdr, sizeof(hdr)); if (name) netlink_attr(IFLA_IFNAME, name, strlen(name)); netlink_nest(IFLA_LINKINFO); netlink_attr(IFLA_INFO_KIND, type, strlen(type)); } static void netlink_add_device(int sock, const char* type, const char* name) { netlink_add_device_impl(type, name); netlink_done(); int err = netlink_send(sock); (void)err; } static void netlink_add_veth(int sock, const char* name, const char* peer) { netlink_add_device_impl("veth", name); netlink_nest(IFLA_INFO_DATA); netlink_nest(VETH_INFO_PEER); nlmsg.pos += sizeof(struct ifinfomsg); netlink_attr(IFLA_IFNAME, peer, strlen(peer)); netlink_done(); netlink_done(); netlink_done(); int err = netlink_send(sock); (void)err; } static void netlink_add_hsr(int sock, const char* name, const char* slave1, const char* slave2) { netlink_add_device_impl("hsr", name); netlink_nest(IFLA_INFO_DATA); int ifindex1 = if_nametoindex(slave1); netlink_attr(IFLA_HSR_SLAVE1, &ifindex1, sizeof(ifindex1)); int ifindex2 = if_nametoindex(slave2); netlink_attr(IFLA_HSR_SLAVE2, &ifindex2, sizeof(ifindex2)); netlink_done(); netlink_done(); int err = netlink_send(sock); (void)err; } static void netlink_device_change(int sock, const char* name, bool up, const char* master, const void* mac, int macsize) { struct ifinfomsg hdr; memset(&hdr, 0, sizeof(hdr)); if (up) hdr.ifi_flags = hdr.ifi_change = IFF_UP; netlink_init(RTM_NEWLINK, 0, &hdr, sizeof(hdr)); netlink_attr(IFLA_IFNAME, name, strlen(name)); if (master) { int ifindex = if_nametoindex(master); netlink_attr(IFLA_MASTER, &ifindex, sizeof(ifindex)); } if (macsize) netlink_attr(IFLA_ADDRESS, mac, macsize); int err = netlink_send(sock); (void)err; } static int netlink_add_addr(int sock, const char* dev, const void* addr, int addrsize) { struct ifaddrmsg hdr; memset(&hdr, 0, sizeof(hdr)); hdr.ifa_family = addrsize == 4 ? AF_INET : AF_INET6; hdr.ifa_prefixlen = addrsize == 4 ? 24 : 120; hdr.ifa_scope = RT_SCOPE_UNIVERSE; hdr.ifa_index = if_nametoindex(dev); netlink_init(RTM_NEWADDR, NLM_F_CREATE | NLM_F_REPLACE, &hdr, sizeof(hdr)); netlink_attr(IFA_LOCAL, addr, addrsize); netlink_attr(IFA_ADDRESS, addr, addrsize); return netlink_send(sock); } static void netlink_add_addr4(int sock, const char* dev, const char* addr) { struct in_addr in_addr; inet_pton(AF_INET, addr, &in_addr); int err = netlink_add_addr(sock, dev, &in_addr, sizeof(in_addr)); (void)err; } static void netlink_add_addr6(int sock, const char* dev, const char* addr) { struct in6_addr in6_addr; inet_pton(AF_INET6, addr, &in6_addr); int err = netlink_add_addr(sock, dev, &in6_addr, sizeof(in6_addr)); (void)err; } const int kInitNetNsFd = 239; #define DEVLINK_FAMILY_NAME "devlink" #define DEVLINK_CMD_RELOAD 37 #define DEVLINK_ATTR_BUS_NAME 1 #define DEVLINK_ATTR_DEV_NAME 2 #define DEVLINK_ATTR_NETNS_FD 137 static void netlink_devlink_netns_move(const char* bus_name, const char* dev_name, int netns_fd) { struct genlmsghdr genlhdr; struct nlattr* attr; int sock, err, n; uint16_t id = 0; sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC); if (sock == -1) exit(1); memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = CTRL_CMD_GETFAMILY; netlink_init(GENL_ID_CTRL, 0, &genlhdr, sizeof(genlhdr)); netlink_attr(CTRL_ATTR_FAMILY_NAME, DEVLINK_FAMILY_NAME, strlen(DEVLINK_FAMILY_NAME) + 1); err = netlink_send_ext(sock, GENL_ID_CTRL, &n); if (err) { goto error; } attr = (struct nlattr*)(nlmsg.buf + NLMSG_HDRLEN + NLMSG_ALIGN(sizeof(genlhdr))); for (; (char*)attr < nlmsg.buf + n; attr = (struct nlattr*)((char*)attr + NLMSG_ALIGN(attr->nla_len))) { if (attr->nla_type == CTRL_ATTR_FAMILY_ID) { id = *(uint16_t*)(attr + 1); break; } } if (!id) { goto error; } recv(sock, nlmsg.buf, sizeof(nlmsg.buf), 0); /* recv ack */ memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = DEVLINK_CMD_RELOAD; netlink_init(id, 0, &genlhdr, sizeof(genlhdr)); netlink_attr(DEVLINK_ATTR_BUS_NAME, bus_name, strlen(bus_name) + 1); netlink_attr(DEVLINK_ATTR_DEV_NAME, dev_name, strlen(dev_name) + 1); netlink_attr(DEVLINK_ATTR_NETNS_FD, &netns_fd, sizeof(netns_fd)); netlink_send(sock); error: close(sock); } static void initialize_devlink_pci(void) { int netns = open("/proc/self/ns/net", O_RDONLY); if (netns == -1) exit(1); int ret = setns(kInitNetNsFd, 0); if (ret == -1) exit(1); netlink_devlink_netns_move("pci", "0000:00:10.0", netns); ret = setns(netns, 0); if (ret == -1) exit(1); close(netns); } #define DEV_IPV4 "172.20.20.%d" #define DEV_IPV6 "fe80::%02x" #define DEV_MAC 0x00aaaaaaaaaa static void netdevsim_add(unsigned int addr, unsigned int port_count) { char buf[16]; sprintf(buf, "%u %u", addr, port_count); write_file("/sys/bus/netdevsim/new_device", buf); } static void initialize_netdevices(void) { char netdevsim[16]; sprintf(netdevsim, "netdevsim%d", (int)procid); struct { const char* type; const char* dev; } devtypes[] = { {"ip6gretap", "ip6gretap0"}, {"bridge", "bridge0"}, {"vcan", "vcan0"}, {"bond", "bond0"}, {"team", "team0"}, {"dummy", "dummy0"}, {"nlmon", "nlmon0"}, {"caif", "caif0"}, {"batadv", "batadv0"}, {"vxcan", "vxcan1"}, {"netdevsim", netdevsim}, {"veth", 0}, }; const char* devmasters[] = {"bridge", "bond", "team"}; struct { const char* name; int macsize; bool noipv6; } devices[] = { {"lo", ETH_ALEN}, {"sit0", 0}, {"bridge0", ETH_ALEN}, {"vcan0", 0, true}, {"tunl0", 0}, {"gre0", 0}, {"gretap0", ETH_ALEN}, {"ip_vti0", 0}, {"ip6_vti0", 0}, {"ip6tnl0", 0}, {"ip6gre0", 0}, {"ip6gretap0", ETH_ALEN}, {"erspan0", ETH_ALEN}, {"bond0", ETH_ALEN}, {"veth0", ETH_ALEN}, {"veth1", ETH_ALEN}, {"team0", ETH_ALEN}, {"veth0_to_bridge", ETH_ALEN}, {"veth1_to_bridge", ETH_ALEN}, {"veth0_to_bond", ETH_ALEN}, {"veth1_to_bond", ETH_ALEN}, {"veth0_to_team", ETH_ALEN}, {"veth1_to_team", ETH_ALEN}, {"veth0_to_hsr", ETH_ALEN}, {"veth1_to_hsr", ETH_ALEN}, {"hsr0", 0}, {"dummy0", ETH_ALEN}, {"nlmon0", 0}, {"vxcan0", 0, true}, {"vxcan1", 0, true}, {"caif0", ETH_ALEN}, {"batadv0", ETH_ALEN}, {netdevsim, ETH_ALEN}, }; int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE); if (sock == -1) exit(1); unsigned i; for (i = 0; i < sizeof(devtypes) / sizeof(devtypes[0]); i++) netlink_add_device(sock, devtypes[i].type, devtypes[i].dev); for (i = 0; i < sizeof(devmasters) / (sizeof(devmasters[0])); i++) { char master[32], slave0[32], veth0[32], slave1[32], veth1[32]; sprintf(slave0, "%s_slave_0", devmasters[i]); sprintf(veth0, "veth0_to_%s", devmasters[i]); netlink_add_veth(sock, slave0, veth0); sprintf(slave1, "%s_slave_1", devmasters[i]); sprintf(veth1, "veth1_to_%s", devmasters[i]); netlink_add_veth(sock, slave1, veth1); sprintf(master, "%s0", devmasters[i]); netlink_device_change(sock, slave0, false, master, 0, 0); netlink_device_change(sock, slave1, false, master, 0, 0); } netlink_device_change(sock, "bridge_slave_0", true, 0, 0, 0); netlink_device_change(sock, "bridge_slave_1", true, 0, 0, 0); netlink_add_veth(sock, "hsr_slave_0", "veth0_to_hsr"); netlink_add_veth(sock, "hsr_slave_1", "veth1_to_hsr"); netlink_add_hsr(sock, "hsr0", "hsr_slave_0", "hsr_slave_1"); netlink_device_change(sock, "hsr_slave_0", true, 0, 0, 0); netlink_device_change(sock, "hsr_slave_1", true, 0, 0, 0); netdevsim_add((int)procid, 4); for (i = 0; i < sizeof(devices) / (sizeof(devices[0])); i++) { char addr[32]; sprintf(addr, DEV_IPV4, i + 10); netlink_add_addr4(sock, devices[i].name, addr); if (!devices[i].noipv6) { sprintf(addr, DEV_IPV6, i + 10); netlink_add_addr6(sock, devices[i].name, addr); } uint64_t macaddr = DEV_MAC + ((i + 10ull) << 40); netlink_device_change(sock, devices[i].name, true, 0, &macaddr, devices[i].macsize); } close(sock); } static void initialize_netdevices_init(void) { int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE); if (sock == -1) exit(1); struct { const char* type; int macsize; bool noipv6; bool noup; } devtypes[] = { {"nr", 7, true}, {"rose", 5, true, true}, }; unsigned i; for (i = 0; i < sizeof(devtypes) / sizeof(devtypes[0]); i++) { char dev[32], addr[32]; sprintf(dev, "%s%d", devtypes[i].type, (int)procid); sprintf(addr, "172.30.%d.%d", i, (int)procid + 1); netlink_add_addr4(sock, dev, addr); if (!devtypes[i].noipv6) { sprintf(addr, "fe88::%02x:%02x", i, (int)procid + 1); netlink_add_addr6(sock, dev, addr); } int macsize = devtypes[i].macsize; uint64_t macaddr = 0xbbbbbb + ((unsigned long long)i << (8 * (macsize - 2))) + (procid << (8 * (macsize - 1))); netlink_device_change(sock, dev, !devtypes[i].noup, 0, &macaddr, macsize); } close(sock); } #define MAX_FDS 30 static void setup_common() { if (mount(0, "/sys/fs/fuse/connections", "fusectl", 0, 0)) { } } static void loop(); static void sandbox_common() { prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); setpgrp(); setsid(); int netns = open("/proc/self/ns/net", O_RDONLY); if (netns == -1) exit(1); if (dup2(netns, kInitNetNsFd) < 0) exit(1); close(netns); struct rlimit rlim; rlim.rlim_cur = rlim.rlim_max = (200 << 20); setrlimit(RLIMIT_AS, &rlim); rlim.rlim_cur = rlim.rlim_max = 32 << 20; setrlimit(RLIMIT_MEMLOCK, &rlim); rlim.rlim_cur = rlim.rlim_max = 136 << 20; setrlimit(RLIMIT_FSIZE, &rlim); rlim.rlim_cur = rlim.rlim_max = 1 << 20; setrlimit(RLIMIT_STACK, &rlim); rlim.rlim_cur = rlim.rlim_max = 0; setrlimit(RLIMIT_CORE, &rlim); rlim.rlim_cur = rlim.rlim_max = 256; setrlimit(RLIMIT_NOFILE, &rlim); if (unshare(CLONE_NEWNS)) { } if (unshare(CLONE_NEWIPC)) { } if (unshare(0x02000000)) { } if (unshare(CLONE_NEWUTS)) { } if (unshare(CLONE_SYSVSEM)) { } typedef struct { const char* name; const char* value; } sysctl_t; static const sysctl_t sysctls[] = { {"/proc/sys/kernel/shmmax", "16777216"}, {"/proc/sys/kernel/shmall", "536870912"}, {"/proc/sys/kernel/shmmni", "1024"}, {"/proc/sys/kernel/msgmax", "8192"}, {"/proc/sys/kernel/msgmni", "1024"}, {"/proc/sys/kernel/msgmnb", "1024"}, {"/proc/sys/kernel/sem", "1024 1048576 500 1024"}, }; unsigned i; for (i = 0; i < sizeof(sysctls) / sizeof(sysctls[0]); i++) write_file(sysctls[i].name, sysctls[i].value); } int wait_for_loop(int pid) { if (pid < 0) exit(1); int status = 0; while (waitpid(-1, &status, __WALL) != pid) { } return WEXITSTATUS(status); } static void drop_caps(void) { struct __user_cap_header_struct cap_hdr = {}; struct __user_cap_data_struct cap_data[2] = {}; cap_hdr.version = _LINUX_CAPABILITY_VERSION_3; cap_hdr.pid = getpid(); if (syscall(SYS_capget, &cap_hdr, &cap_data)) exit(1); const int drop = (1 << CAP_SYS_PTRACE) | (1 << CAP_SYS_NICE); cap_data[0].effective &= ~drop; cap_data[0].permitted &= ~drop; cap_data[0].inheritable &= ~drop; if (syscall(SYS_capset, &cap_hdr, &cap_data)) exit(1); } static int do_sandbox_none(void) { if (unshare(CLONE_NEWPID)) { } int pid = fork(); if (pid != 0) return wait_for_loop(pid); setup_common(); sandbox_common(); drop_caps(); initialize_netdevices_init(); if (unshare(CLONE_NEWNET)) { } initialize_devlink_pci(); initialize_netdevices(); loop(); exit(1); } static void kill_and_wait(int pid, int* status) { kill(-pid, SIGKILL); kill(pid, SIGKILL); int i; for (i = 0; i < 100; i++) { if (waitpid(-1, status, WNOHANG | __WALL) == pid) return; usleep(1000); } DIR* dir = opendir("/sys/fs/fuse/connections"); if (dir) { for (;;) { struct dirent* ent = readdir(dir); if (!ent) break; if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0) continue; char abort[300]; snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort", ent->d_name); int fd = open(abort, O_WRONLY); if (fd == -1) { continue; } if (write(fd, abort, 1) < 0) { } close(fd); } closedir(dir); } else { } while (waitpid(-1, status, __WALL) != pid) { } } static void setup_test() { prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); setpgrp(); write_file("/proc/self/oom_score_adj", "1000"); } static void close_fds() { int fd; for (fd = 3; fd < MAX_FDS; fd++) close(fd); } static void execute_one(void); #define WAIT_FLAGS __WALL static void loop(void) { int iter; for (iter = 0;; iter++) { int pid = fork(); if (pid < 0) exit(1); if (pid == 0) { setup_test(); execute_one(); close_fds(); exit(0); } int status = 0; uint64_t start = current_time_ms(); for (;;) { if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) break; sleep_ms(1); if (current_time_ms() - start < 5 * 1000) continue; kill_and_wait(pid, &status); break; } } } uint64_t r[3] = {0xffffffffffffffff, 0xffffffffffffffff, 0x0}; void execute_one(void) { intptr_t res = 0; res = syscall(__NR_socket, 0x1dul, 2ul, 7ul); if (res != -1) r[0] = res; res = syscall(__NR_socket, 2ul, 2ul, 0x88ul); if (res != -1) r[1] = res; memcpy((void*)0x20000200, "vcan0\000\000\000\000\000\000\000\000\000\000\000", 16); *(uint32_t*)0x20000210 = 0; res = syscall(__NR_ioctl, r[1], 0x8933ul, 0x20000200ul); if (res != -1) r[2] = *(uint32_t*)0x20000210; *(uint16_t*)0x20000240 = 0x1d; *(uint32_t*)0x20000244 = r[2]; *(uint64_t*)0x20000248 = 0; *(uint8_t*)0x20000250 = 0; *(uint8_t*)0x20000251 = 0; *(uint8_t*)0x20000252 = 0; *(uint8_t*)0x20000253 = 0; *(uint8_t*)0x20000254 = 0; syscall(__NR_bind, r[0], 0x20000240ul, 0x18ul); *(uint64_t*)0x20000bc0 = 0x20000b40; *(uint16_t*)0x20000b40 = 0x1d; *(uint32_t*)0x20000b44 = 0; *(uint64_t*)0x20000b48 = 0; *(uint8_t*)0x20000b50 = 0; *(uint8_t*)0x20000b51 = 0; *(uint8_t*)0x20000b52 = 0; *(uint8_t*)0x20000b53 = 0; *(uint8_t*)0x20000b54 = 0; *(uint32_t*)0x20000bc8 = 0x18; *(uint64_t*)0x20000bd0 = 0x20000b80; *(uint64_t*)0x20000b80 = 0x20002300; memcpy( (void*)0x20002300, "\x98\xa5\xd0\x38\x14\x01\x0a\xe7\x6d\x01\x6b\xd2\x2d\x15\x40\x28\xde\x26" "\x2a\xc2\xb9\x5c\x2b\x44\x39\x11\xe0\x98\xb5\x30\xa0\xc3\xa7\x51\xc4\x21" "\x03\xce\x3b\xd9\x70\x7c\xc8\x97\x88\xc4\x2c\xd0\xa2\x07\x64\xda\x9b\xb5" "\x82\xff\xe8\x9d\xb1\xf9\x0e\x66\xc1\x1b\x19\xe7\xec\xeb\x79\xc6\xe2\xff" "\x30\x7a\x05\x05\x3e\x42\x89\x51\x31\x6d\x92\x1b\x68\x58\x86\xea\x6e\xbf" "\x82\x51\x5d\x47\xf1\x48\xb8\x1d\x1b\xc7\x40\x06\xd6\x26\x49\x50\x8d\xc9" "\x4e\xc0\xa6\x77\xab\x36\x26\x8f\x21\x56\xd3\x45\x89\xe7\xe7\x4c\x3d\xf9" "\x85\x4f\xb4\x7f\xc4\xdf\xc6\xec\xc7\x64\x7d\xc9\x85\x67\xce\x78\xba\x4b" "\xd6\xed\xee\x1b\x51\x38\xe5\x7c\x94\xa1\xfe\xcc\x77\x4b\x6c\xfa\x2a\x11" "\xa5\xc7\xe3\x64\xe2\xcf\xa0\x11\x35\x74\xa1\xcb\x75\xa5\x41\x26\xa8\x06" "\x13\x49\x41\xa9\x73\x14\xa5\xcb\xf4\xd0\xbe\x72\x11\x8f\xb6\x1f\x75\xf9" "\x08\xdf\x44\xb9\x1e\x00\x83\x53\x7d\x2a\x1e\x75\x75\xea\x4a\xee\xbf\xf1" "\xf1\x68\x4a\xc8\x60\xdb\x4b\xba\x84\x82\x23\xd1\x56\x5b\xc7\xec\x8e\xb4" "\x8d\x86\x12\x34\x83\xda\xcf\x64\x58\xc2\x35\xf8\xe8\x2c\x17\x34\x22\xc9" "\xb0\x95\xeb\xab\xf4\x42\x55\xb6\xdd\xcb\xce\x2f\x81\x4a\x57\x28\x7a\xc6" "\x6f\x2c\xf3\x4a\x19\x0b\x97\x03\x17\x06\x79\xbe\x9b\xd1\x25\xa9\x49\xcc" "\x09\xc8\x67\x4a\xa2\x83\x04\xc9\x98\x01\xe0\x33\x75\x5a\x1a\xcf\xd6\x70" "\x0d\x1e\xa3\x5c\x62\x9d\x91\x54\x15\xa1\x1a\x65\x7d\xd2\x13\x07\x90\xb9" "\x62\x2a\xcf\xb1\xd2\x09\x5e\x0a\xd9\xc7\x8d\xc3\x2c\x8f\x1a\x1f\xc2\xad" "\x7d\x33\x13\xde\xe1\xf7\xeb\x37\x7d\x02\xe3\xc3\x87\x05\xaf\x4a\x25\x05" "\xb7\x8e\xef\x03\xd0\x70\x0d\x89\x8e\x6d\x18\x0d\x0a\x62\x36\x44\x3c\x5d" "\xdc\x9e\xb3\x5e\xe3\x8e\xd5\x25\xfe\x13\xe9\xa1\xd5\x2b\x91\x75\x40\xed" "\x6c\xb3\x0b\x8c\x80\x48\x34\x18\x10\x96\x32\xff\xa5\xc8\x6c\xb3\x03\x49" "\x4e\x27\x16\xc4\x37\xfb\xe1\x28\x10\xeb\x26\x6b\x50\x55\xd3\x90\x0c\x86" "\x2c\xeb\x71\x92\x4f\x4a\xde\x5f\x8f\x53\x7c\x60\x5d\xac\xe9\x64\x18\x84" "\x11\x7e\xe8\x8c\xc1\x88\x38\x11\x15\x80\x3e\xa2\xba\xd3\xa4\xe7\xc8\x51" "\x5e\x6a\x2b\x76\xc4\x70\x96\x8f\x3a\xd9\x79\x48\xfc\xcf\x25\x15\x66\xc9" "\x02\x56\xa8\xb5\x3d\x43\x2f\x61\xa9\x5d\xc5\x1a\xaa\x85\x96\xa9\x5e\xfe" "\x6e\x5f\x58\xab\x55\x2a\x6c\xf5\xd4\xe9\x16\xcb\x1f\x42\x35\x71\xcf\x05" "\xf7\xff\xc1\x5c\x1a\x1e\x8f\x19\x17\xba\x2e\xcb\xc4\x52\xcd\x38\x29\x2f" "\xbf\x3c\x03\x9a\x23\x97\x7a\x2a\x9d\x7a\x90\x71\xd7\xc1\x20\xa4\x39\x27" "\x22\x70\xc6\x2c\x29\x8e\x9f\xc1\x59\x86\x28\x69\xa1\xa7\xf5\xea\xfa\x2c" "\xbc\x90\xe3\x00\xbf\x9f\xe0\xcf\x80\x4a\x35\xa6\x10\xb4\xfe\x0e\x23\xe6" "\xc9\x8e\x69\x18\x6c\xe5\xe7\xc5\xc4\xb3\x71\x7f\xeb\x26\x69\xfc\xc8\x2f" "\x21\xcd\x94\xeb\x34\x7e\xb0\x0f\x0d\x2b\x60\x5b\x28\x0d\x85\x40\x61\xdb" "\x8f\x5f\x17\x97\x27\xa4\x33\x70\x34\xb5\xdb\x52\x8f\x1b\xdb\x45\x3c\xa7" "\xc1\x05\xf5\x64\x63\xe0\x2e\x86\x96\x3a\x00\x99\xc9\x6b\xa0\xbd\xc9\x43" "\x6e\x4f\x54\x2e\xcf\x25\x74\x6c\x34\xae\xde\xf3\x95\x62\x79\xaa\xce\xaa" "\xf6\x8c\x9a\x80\x95\xa9\xdf\xa0\x54\x67\x13\x7f\xab\xa9\xbc\xad\x9c\xc5" "\xd9\xc4\xa3\x47\xb3\xb2\x99\x25\x71\x27\xb0\x1d\x1d\xca\x21\x04\x23\x95" "\x9b\x3e\x14\x32\xd5\xbb\xd1\x4b\x70\x20\x5e\x53\x79\xc3\xf1\x6f\x52\x68" "\xc6\x8e\x3d\x25\xce\xa8\x3f\x49\xd8\x65\x07\xf4\x24\x4f\x35\xeb\xeb\x77" "\x4d\x4b\x46\x96\xf8\xa6\x82\xb5\x8f\x9c\x5b\xd4\x6f\x6b\xe1\x8d\xe9\x79" "\x79\xfe\x0f\xa4\xd3\xfa\x77\xca\xcf\xae\x1b\x7c\xf0\x29\x15\x60\xec\xa8" "\x85\x75\xd0\xec\xcf\x7f\xcf\x2c\xae\x45\x39\x8c\xb4\x37\xab\x09\x0c\xec" "\x39\xad\x82\x3c\x67\x22\x10\x98\x82\xc4\x18\x5c\x6c\x81\xda\x22\x8a\x81" "\x80\x84\xe1\xa6\xf2\xea\xfd\x7f\xea\x67\xad\xe8\x3b\xb6\xf0\xb3\xdb\x78" "\xc5\xc9\x91\x14\x52\x19\xf9\xa8\xcc\xf7\x04\xa3\x13\xe5\x3c\xfc\x5f\xf2" "\x50\x78\x9c\xa7\x5a\x37\x47\xee\x2f\x3f\xed\x3e\x7a\xe0\xac\xdf\x71\x82" "\x08\x5f\x32\x38\xd4\x0e\xa9\xd0\x4f\xd6\xb8\x57\xf7\x6a\x23\x90\x58\x28" "\xc4\x66\xa4\x27\x60\xf7\xcb\x9c\xff\x4d\x3f\x0a\x25\xe8\x70\x33\x77\x3e" "\xe2\xcd\xfb\xd6\xa6\x0f\xca\xe0\xb3\x42\x8e\x26\xf3\x63\xc4\x99\x1d\x72" "\xc7\x27\x4d\x48\x16\xe2\xf2\xfb\xb4\x8f\x8c\xf7\x5c\x5b\x26\xa9\x41\x5a" "\xa2\xb9\xe2\x73\x8e\x7d\x43\x1c\xae\x8f\xeb\x7a\x6c\xca\x0d\x9a\xac\x8d" "\x1d\xaa\x4f\x67\x32\xbb\x55\xbd\x14\xd0\x6a\xae\x84\x8c\xbb\xd0\x28\x05" "\x92\xf9\xbb\x99\x52\xfd\xd4\xab\xe7\x63\xc0\xb0\x0d\xcb\x06\x85\x50\x72" "\xb8\x87\x80\xd6\x24\x6f\x24\x73\x71\xab\xfd\xdb\xae\x56\x1b\x3b\x14\x6d" "\xe6\xcc\x9f\x5e\x36\x6c\x01\x48\xfc\x56\x45\x9b\x22\x88\xc0\xe0\xfe\x31" "\xd8\xc8\xd9\x09\x52\x8c\x05\x31\xa6\x60\x2f\xe8\x32\x2d\xfb\xd8\xb6\xd6" "\xe8\x24\xba\x9b\xf5\x0f\x8e\x8a\x53\x73\x13\x76\x97\x97\xf6\xdf\xad\x6f" "\x7a\xa3\x7b\x73\x86\xfb\x84\x64\xf1\x36\xad\xe8\x8e\x1a\xb3\x14\x37\x17" "\x66\xba\xe3\x29\xe1\xa7\xc1\x9c\x6f\x94\x29\x48\x65\x1c\x47\x93\x61\x45" "\xde\x48\x6d\x99\xb2\xa8\xe0\x71\x5b\x2e\x1a\x9c\xfc\xfc\xa2\xd4\x42\x57" "\x1b\xee\x0c\x67\x33\xcb\x72\x1f\x8a\x15\x27\x59\x6f\xac\x7b\x7e\x7b\xcf" "\x77\xeb\xac\xa5\xda\xc2\xaa\xac\xcf\xca\x75\x89\xfe\xda\xc7\xbe\x97\x4d" "\x1f\xf8\xe9\x1d\xec\xcd\x91\x01\x9f\xc0\x86\xfa\x7a\xfb\x9a\x09\xe9\x30" "\xd3\x57\x0e\x62\x17\x30\x7d\xb7\xc4\xc9\xee\xd6\x29\x57\xb5\x5d\x7b\x30" "\x7e\x05\x38\x8b\xdb\xbf\xc7\x02\x08\x5b\xf7\x7d\xbe\xad\xc4\xf0\x46\x5b" "\x28\xf1\x6a\xaf\xe5\x43\xcf\xb7\x8b\xc9\x5d\x10\x6b\x7a\xd9\x83\x62\x34" "\x3e\xdf\xfd\x51\x60\x2a\xb9\xc2\xd7\x30\x02\x50\x77\x2b\xb3\x7a\xf1\x1f" "\xb1\x57\x8c\x29\x33\xbb\x33\x1b\x68\x74\x69\xb0\xa7\x2f\x00\x61\xf9\xd5" "\xaa\xc5\xde\xec\x36\x5e\xc9\xba\xd2\x9e\x1e\x3f\x56\xf4\x68\x49\xd6\xb0" "\xe4\xf4\x0e\x3b\x33\xb2\xdd\xe1\x16\xbe\xf6\x99\x1b\x1e\x60\xc5\xd0\x73" "\x93\x97\x56\x4a\xef\x89\x26\x6f\x56\x27\x35\xc9\xf6\xca\x26\x47\x60\xd0" "\x93\x88\x21\x59\x44\x18\xef\x6f\xd3\x80\xfa\xa6\xdb\xda\x05\xd4\xbc\xc5" "\x87\xec\xb9\x53\x09\x83\x68\xab\x4b\xba\x4f\xdc\xad\xfb\x33\xd4\xb1\xac" "\xbb\xb9\xcc\xf5\x56\x3f\xfe\x50\x12\xa3\x2a\x59\x0d\xa2\x47\x75\xc1\x1b" "\x8d\xd8\x10\xae\xf7\x89\x15\xa2\xd2\xf5\xd1\x48\xd7\x9f\x11\xcd\xe8\x72" "\x54\x12\x83\xc9\x34\x45\xf4\xe7\x02\x1e\x28\x96\x02\x60\x06\xf1\xe9\xe2" "\xa0\x8b\x67\xf9\xb0\xc5\x02\x46\x44\x84\xce\x59\x4b\xf5\x0e\xe0\x81\xb9" "\xa9\x94\xcc\x09\x5f\x97\x06\x27\x83\x82\xb5\x7a\x38\x4c\xc3\x0c\x10\xed" "\x22\xe2\xd8\x9f\x4f\x12\x06\x2b\x16\xb9\xb3\x24\xbc\x3f\x4e\xc5\xfe\x0f" "\x94\xc2\x1f\xae\x44\x26\xca\x55\x9f\x73\xe2\x79\xde\xff\xdc\xf1\xe6\x99" "\xff\xf0\x2c\x78\xc8\x22\x06\xdd\xad\xf3\x47\xe4\xf1\x21\x76\x10\xa1\x39" "\x7b\x2e\xd1\x3e\x2d\x3c\x5c\x85\x13\x29\xf6\x4f\x6f\xe5\x1d\x73\x01\x59" "\x89\xbc\xff\x64\x9a\x1a\x50\x27\x1e\xf8\xb4\x86\xe7\x30\xd8\xf4\x77\x16" "\x43\xec\xd1\x5f\x54\x6a\xe3\x92\xba\xf0\x64\x13\xf9\xc0\xf9\x38\x68\xf7" "\xc6\x1a\xcd\x93\x84\xf9\xb5\xa0\x7d\xeb\x7c\xc2\x4b\x14\x43\x6a\x86\x93" "\x81\x25\x30\xa7\x67\xc0\xf9\x74\x15\xe2\x40\x7f\x2d\xc8\xc2\xb1\x64\x78" "\x44\x34\x7c\x7a\xeb\xe1\x0a\x52\xe3\xf5\xf5\x23\xf2\xb2\x2d\x5c\xb0\x29" "\x44\xe1\x39\xf8\x98\xb7\x2e\xb8\xd9\x83\xe7\x60\x27\x35\xa8\x4d\x5a\x6a" "\x41\xb2\xf4\xb7\x0f\x12\x91\x78\xc7\xbe\x31\x10\xd4\x03\x21\xe6\xab\x99" "\x01\xc7\x4c\x34\x39\x40\x96\x29\xb6\x11\x7b\x88\xcb\xba\x6c\x91\x3b\x07" "\xdc\x77\xfd\xa7\x85\x97\x40\xcb\xdd\xea\xc6\xaf\x8d\xa3\x3a\x7d\xd4\x8d" "\xed\x6e\x46\x91\xc1\x15\xe2\x3e\xdf\xb5\x5b\x7b\x9c\x35\x14\x2e\x1f\xf0" "\x87\x42\x55\x19\x29\xf5\x51\xc5\xb4\x4e\xbb\xe4\xc8\x93\xc3\xa6\xe5\x76" "\xb4\xf1\x5f\x7e\x11\xf2\x3b\x4b\x0f\xa8\xff\x59\x10\xce\x13\xc8\xa6\x82" "\x90\x71\x2e\x1e\xd7\x46\x08\xb3\xd3\x46\xd3\x1b\x43\x59\x65\x8b\xa4\xb6" "\xb4\x90\x45\xce\xba\xa1\x01\xc7\xfd\xcd\x9c\x45\x40\x66\xdc\xdb\x3f\x63" "\xdd\x33\x3a\x1a", 1786); *(uint64_t*)0x20000b88 = 0x6fa; *(uint64_t*)0x20000bd8 = 1; *(uint64_t*)0x20000be0 = 0; *(uint64_t*)0x20000be8 = 0; *(uint32_t*)0x20000bf0 = 0; syscall(__NR_sendmsg, r[0], 0x20000bc0ul, 0ul); } int main(void) { syscall(__NR_mmap, 0x20000000ul, 0x1000000ul, 3ul, 0x32ul, -1, 0); for (procid = 0; procid < 6; procid++) { if (fork() == 0) { do_sandbox_none(); } } sleep(1000000); return 0; }