// https://syzkaller.appspot.com/bug?id=999cd31c7c8430911ff6a1bbf569ffdfd0fe1af2
// autogenerated by syzkaller (https://github.com/google/syzkaller)
//
// Kernel crash reproducer.  Structure:
//   main()            -> maps a fixed scratch region at 0x20000000 (guarded by
//                        two PROT_NONE pages) that holds every syscall argument
//   do_sandbox_none() -> new PID namespace, fork; the child tightens rlimits,
//                        enters fresh mount/IPC/cgroup/UTS/net namespaces,
//                        drops two capabilities and runs loop()
//   loop()            -> one socket(AF_INET6, SOCK_DGRAM) and one sendmsg()
//                        with an 8-entry iovec built from raw bytes
// Every constant and byte below is part of the reproduction input; do not
// "tidy" values, lengths or the string splits.
//
// NOTE(review): the header names of the #include directives below were lost
// when this listing was extracted (the angle-bracketed names were stripped).
// They must be restored from the original syzkaller reproducer before this
// file will compile; the directives are left exactly as found.
#define _GNU_SOURCE
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include

// Format `what` (printf-style, variadic) into a 1 KiB buffer and write it to
// `file` in one write().  Returns true on success.  On failure returns false;
// when write() is the failing call, errno is saved across the close() so the
// caller sees the write() error, not a later one.
static bool write_file(const char* file, const char* what, ...)
{
  char buf[1024];
  va_list args;
  va_start(args, what);
  vsnprintf(buf, sizeof(buf), what, args);
  va_end(args);
  buf[sizeof(buf) - 1] = 0;  // belt-and-braces terminator (vsnprintf already terminates)
  int len = strlen(buf);
  int fd = open(file, O_WRONLY | O_CLOEXEC);
  if (fd == -1)
    return false;
  if (write(fd, buf, len) != len) {
    int err = errno;  // close() may clobber errno
    close(fd);
    errno = err;
    return false;
  }
  close(fd);
  return true;
}

// Best-effort: mount fusectl so FUSE connections are visible.  Failure
// (not root, already mounted, no FUSE) is deliberately ignored.
static void setup_common()
{
  if (mount(0, "/sys/fs/fuse/connections", "fusectl", 0, 0)) {
  }
}

static void loop();

// Confine the child that runs the reproducer: die with the parent, own
// session, hard resource limits, and private namespaces.  Each unshare() is
// best-effort (failures ignored) so the reproducer still runs unprivileged.
static void sandbox_common()
{
  prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);  // no orphaned repro process
  setsid();
  struct rlimit rlim;
  rlim.rlim_cur = rlim.rlim_max = (200 << 20);  // 200 MiB address space
  setrlimit(RLIMIT_AS, &rlim);
  rlim.rlim_cur = rlim.rlim_max = 32 << 20;
  setrlimit(RLIMIT_MEMLOCK, &rlim);
  rlim.rlim_cur = rlim.rlim_max = 136 << 20;
  setrlimit(RLIMIT_FSIZE, &rlim);
  rlim.rlim_cur = rlim.rlim_max = 1 << 20;
  setrlimit(RLIMIT_STACK, &rlim);
  rlim.rlim_cur = rlim.rlim_max = 0;  // no core dumps
  setrlimit(RLIMIT_CORE, &rlim);
  rlim.rlim_cur = rlim.rlim_max = 256;
  setrlimit(RLIMIT_NOFILE, &rlim);
  if (unshare(CLONE_NEWNS)) {
  }
  // Make the new mount namespace's tree private so the sysctl/mount changes
  // below cannot propagate back to the host.
  if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL)) {
  }
  if (unshare(CLONE_NEWIPC)) {
  }
  if (unshare(0x02000000)) {  // CLONE_NEWCGROUP, spelled numerically for old headers
  }
  if (unshare(CLONE_NEWUTS)) {
  }
  if (unshare(CLONE_SYSVSEM)) {
  }
  // SysV IPC limits written into the fresh IPC namespace; write_file()
  // failures are ignored (the values only matter if the kernel honours them).
  typedef struct {
    const char* name;
    const char* value;
  } sysctl_t;
  static const sysctl_t sysctls[] = {
      {"/proc/sys/kernel/shmmax", "16777216"},
      {"/proc/sys/kernel/shmall", "536870912"},
      {"/proc/sys/kernel/shmmni", "1024"},
      {"/proc/sys/kernel/msgmax", "8192"},
      {"/proc/sys/kernel/msgmni", "1024"},
      {"/proc/sys/kernel/msgmnb", "1024"},
      {"/proc/sys/kernel/sem", "1024 1048576 500 1024"},
  };
  unsigned i;
  for (i = 0; i < sizeof(sysctls) / sizeof(sysctls[0]); i++)
    write_file(sysctls[i].name, sysctls[i].value);
}

// Parent side of do_sandbox_none(): exit(1) if the fork failed, otherwise
// reap children (__WALL: any clone flavour) until `pid` itself is reaped and
// return its exit status.
static int wait_for_loop(int pid)
{
  if (pid < 0)
    exit(1);
  int status = 0;
  while (waitpid(-1, &status, __WALL) != pid) {
  }
  return WEXITSTATUS(status);
}

// Drop CAP_SYS_PTRACE and CAP_SYS_NICE from the effective, permitted and
// inheritable sets via raw capget/capset (v3 header, two 32-bit words).
// Both capabilities are below 32, so only cap_data[0] is masked.  Any
// failure aborts the reproducer rather than running with extra privilege.
static void drop_caps(void)
{
  struct __user_cap_header_struct cap_hdr = {};
  struct __user_cap_data_struct cap_data[2] = {};
  cap_hdr.version = _LINUX_CAPABILITY_VERSION_3;
  cap_hdr.pid = getpid();
  if (syscall(SYS_capget, &cap_hdr, &cap_data))
    exit(1);
  const int drop = (1 << CAP_SYS_PTRACE) | (1 << CAP_SYS_NICE);
  cap_data[0].effective &= ~drop;
  cap_data[0].permitted &= ~drop;
  cap_data[0].inheritable &= ~drop;
  if (syscall(SYS_capset, &cap_hdr, &cap_data))
    exit(1);
}

// Sandbox "none": a new PID namespace (best-effort) and a fork.  The parent
// only waits; the child applies the sandbox, enters a fresh net namespace
// and runs loop().  The child never returns normally — exit(1) after loop().
static int do_sandbox_none(void)
{
  if (unshare(CLONE_NEWPID)) {
  }
  int pid = fork();
  if (pid != 0)
    return wait_for_loop(pid);
  setup_common();
  sandbox_common();
  drop_caps();
  if (unshare(CLONE_NEWNET)) {
  }
  loop();
  exit(1);
}

// syzkaller resource table.  r[0] receives the socket fd from loop();
// 0xffffffffffffffff (-1) is the "not created" sentinel, so a failed
// socket() makes the later sendmsg() fail on fd -1 instead of crashing here.
uint64_t r[1] = {0xffffffffffffffff};

// The reproducer body.  Syscall arguments are written as raw words into the
// scratch mapping created by main() (x86-64 struct layouts):
//   0x20000040  struct msghdr  { name=0x200003c0, namelen=0x1c (28),
//                                iov=0x20000280, iovlen=8, control=0,
//                                controllen=0, flags=0 }
//   0x200003c0  struct sockaddr_in6 { family=0xa (AF_INET6),
//                                port=htobe16(0x4e21) (20001), flowinfo=0,
//                                addr=::1 (htobe64(0), htobe64(1)), scope=0 }
//   0x20000280  struct iovec[8]; entries 0 and 1 are {NULL, 0}, the rest
//               point at the buffers filled by the memcpy() calls below.
// Note that iov[3] and iov[4] claim more bytes (0x17 and 0xfed2) than are
// initialised (15 and 4096); the surplus is read from the zero-filled
// anonymous scratch mapping, which is valid because main() maps 16 MiB at
// 0x20000000.  As written the iovec lengths sum to 65529 bytes.
void loop(void)
{
  intptr_t res = 0;
  res = syscall(__NR_socket, 0xaul, 2ul, 0);  // socket(AF_INET6, SOCK_DGRAM, 0)
  if (res != -1)
    r[0] = res;
  // msghdr.msg_name / sockaddr_in6
  *(uint64_t*)0x20000040 = 0x200003c0;
  *(uint16_t*)0x200003c0 = 0xa;
  *(uint16_t*)0x200003c2 = htobe16(0x4e21);
  *(uint32_t*)0x200003c4 = htobe32(0);
  *(uint64_t*)0x200003c8 = htobe64(0);
  *(uint64_t*)0x200003d0 = htobe64(1);
  *(uint32_t*)0x200003d8 = 0;
  *(uint32_t*)0x20000048 = 0x1c;  // msg_namelen = sizeof(struct sockaddr_in6)
  // msghdr.msg_iov -> 8 iovecs
  *(uint64_t*)0x20000050 = 0x20000280;
  *(uint64_t*)0x20000280 = 0;  // iov[0] = {NULL, 0}
  *(uint64_t*)0x20000288 = 0;
  *(uint64_t*)0x20000290 = 0;  // iov[1] = {NULL, 0}
  *(uint64_t*)0x20000298 = 0;
  *(uint64_t*)0x200002a0 = 0x20001280;  // iov[2]: 1 byte
  memcpy((void*)0x20001280, "\xd2", 1);
  *(uint64_t*)0x200002a8 = 1;
  *(uint64_t*)0x200002b0 = 0x200000c0;  // iov[3]: len 0x17, 15 bytes initialised
  memcpy((void*)0x200000c0,
         "\xa0\x82\xc9\x81\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", 15);
  *(uint64_t*)0x200002b8 = 0x17;
  *(uint64_t*)0x200002c0 = 0x200012c0;  // iov[4]: len 0xfed2, 4096 bytes initialised
  memcpy(
      (void*)0x200012c0,
      "\x58\xde\x64\x44\x13\x6f\xc8\x58\x73\xd4\x3e\x7e\x8d\xda\xe9\x48\xcf\x07"
      "\xb4\x8b\x3a\xfb\x78\x94\xfc\x7d\x97\x89\x30\x0d\x90\x94\x61\x58\x9e\xfb"
      "\xc5\xec\x92\x8d\x0f\xfb\x28\x21\xdb\x8e\xb4\xa3\xb3\x40\x66\x73\xcc\xd9"
      "\x65\xb0\x77\x2f\x9a\x82\x4f\xa2\x11\x6a\xe5\xca\xda\x41\xd8\x1c\x33\x48"
      "\xb5\x7a\x90\x01\x73\x6f\x1f\x65\x75\xd1\x59\xb4\x00\x2c\x5d\x16\x43\xf4"
      "\xe7\xb4\x49\x15\x80\x5e\x57\xde\x75\xc6\xe8\x3b\x9a\x46\x07\xa5\x10\x5a"
      "\x79\x2b\xd1\x4e\xa4\x4b\x68\x41\xb5\xa1\xd4\x34\xe0\xf7\x69\xf1\x26\xc8"
      "\x49\x2b\xba\x07\x10\x59\x67\x6b\x36\x6e\xd8\x2f\xe8\xab\x28\x55\x00\xb6"
      "\xce\x75\x76\x8a\x26\x83\xa7\x93\x61\xa5\xb4\xed\x0d\xbc\x56\xc8\x84\x0d"
      "\x16\x81\x15\x34\x59\xb5\xc6\x86\x2e\xc9\x56\x0f\x5d\x56\x5b\x59\x47\x2d"
      "\xac\x37\x16\xf6\x3d\xb5\x0d\x5d\x8f\x5c\xa3\xec\x79\x68\xf8\xa7\xf8\x52"
      "\x78\x2f\x04\x8b\x50\xb1\x07\xd4\xd3\xdd\x69\x96\x29\xaf\x77\xf8\xdf\xda"
      "\x1b\xb1\x40\x80\x02\xee\xb2\xba\x08\x83\x38\x9f\xfa\x9d\xab\xf3\x5f\xdd"
      "\xc5\xbd\x52\x42\xa4\x7b\x1d\x99\x7b\xab\xdb\xfb\xc9\xca\x0b\x72\xd9\x72"
      "\x40\x09\x75\x71\xc0\x5c\x47\x73\xfb\xdb\x2f\x69\xa3\x70\xc6\x69\xc9\x48"
      "\xa0\xf6\x8a\xa3\x47\xc5\x8f\xf1\xe9\x1c\x7d\x0c\x75\xa2\xf6\xb4\x7a\xb6"
      "\x0b\x6b\xd6\x82\x09\xa5\x6f\xa3\xba\x51\x68\xdb\x27\x78\x56\xec\xf7\xc8"
      "\x4c\xb2\x6d\xaa\x08\xd6\x4a\xe2\x07\xcc\x35\x28\x26\xe5\x94\x20\x8c\x10"
      "\x25\xa6\xb4\x8c\xd6\xf2\xc3\xe0\x1c\x13\x3e\xef\x7d\x16\xe2\x2f\xc2\xb5"
      "\xd8\xd8\xcb\x1a\x1f\xc9\x99\x51\x8b\x9e\xb7\x30\x3e\xe2\xb2\xaf\x60\xbe"
      "\x35\xe8\x03\x28\xb3\x27\xbd\x78\xc1\x2a\x77\x5b\x0a\x10\x5a\x83\x91\xa9"
      "\xdb\x4e\x55\x19\xfa\x13\x9d\x5c\x38\xce\x77\xcd\xdf\xa6\x0b\xb8\x26\x73"
      "\x0c\x64\x98\xa3\x42\xd3\x9e\xc6\x98\xa4\x1c\xe4\xad\xff\x1f\x4e\xf9\x3e"
      "\x10\xa2\x31\x55\x68\xce\xe1\x67\xfe\x3c\x17\x34\xce\x67\x47\x1d\x11\x77"
      "\x10\x67\xff\x1c\x6f\xc8\xb2\xb3\x15\x2b\x1c\x23\x6b\x60\x9f\x6e\x76\xbc"
      "\xfa\x2a\xd7\x5f\xaa\xf1\xb6\x4d\xeb\x09\x23\x56\x3a\x66\xc9\xfb\xcd\xf1"
      "\x8e\x67\xdd\xa2\x28\x6d\x6b\x08\x6e\x4f\x3a\x2e\x99\x1b\x1f\x60\x65\xe0"
      "\xe2\x99\x29\x84\x73\xe4\x3b\x9d\xb3\xad\x3c\xfb\x08\xc7\x3c\x6d\xea\x29"
      "\x1d\x5a\xad\x50\x45\x5f\xe3\x0f\x64\x85\xc6\xb6\x20\x94\xfc\x9d\xc9\x9e"
      "\xaf\x5f\x12\x91\x8c\x70\x27\xfa\x5f\x63\xf0\xb0\x8c\x9e\x00\x03\x73\x4b"
      "\x3a\x68\xbf\xaf\xbe\x12\xc3\x53\x67\xa4\x44\x06\x79\x79\x87\x14\x9d\x41"
      "\xef\xd7\x68\x2d\x34\xdc\x62\xe9\xb6\x9d\xff\xac\x43\x46\x7a\xaf\x10\x6d"
      "\x0b\xf6\x94\x97\x9d\x36\x44\x4a\x9b\x6a\xb4\x7b\xdc\xd6\x12\xf2\x92\xa9"
      "\x19\x73\x66\x89\x90\x73\xf0\x59\xbb\x44\xb8\x3c\xc1\x96\xce\xe2\x5b\xf5"
      "\x9f\x8a\x0d\x4b\xad\x09\x98\xac\xa4\x82\x99\x5a\xa6\x6b\xbc\x79\xde\x2b"
      "\x43\x5c\x3b\xcd\x72\x34\x36\x44\xbb\x1f\xd0\x60\x25\x3d\x47\x9c\x9d\x69"
      "\x7e\xba\xca\xb6\xdc\x0a\xbc\xae\x54\x04\xcf\x04\xa8\xdc\x7d\x56\xd5\xa6"
      "\x3a\x76\x15\x1d\xcf\x7d\x6e\x1d\x15\x77\xe3\xcb\xec\xd1\x5f\x3d\x01\x93"
      "\xbd\x18\xa4\x85\x74\x8b\x0a\x69\xfa\x3f\x7e\x41\x30\xff\xe8\x18\x7c\xc8"
      "\x7c\x68\x55\x85\x2d\xe8\x57\x09\x0f\xba\x59\x25\x86\x95\x4e\x3c\xaf\x43"
      "\xb9\xdf\xfe\xb0\xcc\xac\x93\x8b\xe9\x1f\x3f\x11\xd1\x6c\x82\xf4\x6e\xda"
      "\x55\x34\x5d\xc5\xd6\xb5\xd2\x10\x19\x93\x5e\x6f\x05\x09\xa4\x0f\xa6\x46"
      "\xe4\x0c\x73\x44\x3e\xdd\x72\x80\xa0\x92\x66\x37\xbb\x53\x7d\x1d\xfb\x96"
      "\x23\xb1\xb0\x4b\x23\x04\x60\xa3\xb6\x3e\x69\xac\xb3\x73\xed\x37\x8a\x39"
      "\x52\xd6\xfc\x3f\xbc\xb6\x7d\x05\xd9\x20\xa1\x57\xb6\x68\xdf\x91\x2a\x50"
      "\xb5\x7a\x20\x0d\x46\x29\x45\xe8\xc1\x3a\x4c\x47\x7e\x60\xb8\xba\xfa\x89"
      "\x02\x4f\xfb\xf8\x5b\xa0\xcc\x2e\x79\x0e\xdd\x15\x7a\xc5\x6a\x95\x88\x1e"
      "\x2b\x2d\x06\x86\xa1\x70\x93\x67\x00\x50\xbd\x75\xdc\xf5\x85\x52\x47\xd3"
      "\x4e\xd9\x1c\x14\x4e\x96\xf3\x34\xe4\xb7\xc3\x84\x8c\x58\x32\x4c\x3a\x16"
      "\xa7\xeb\xe7\x88\xa7\x8b\x57\x23\xac\x8f\x61\x1e\x39\xa5\xc6\x7d\xee\xc5"
      "\x1e\x4e\xce\xfe\xad\xa4\xa8\x99\xad\x8c\x31\xb3\xe7\x1c\x12\x93\xe7\x50"
      "\x73\xe8\x4c\x86\x86\x00\xde\x03\xef\x50\xce\xe1\x14\xf5\xaa\x5c\x69\x54"
      "\x49\x98\x87\x57\x89\x53\x0d\x4d\x94\x51\x4c\xd8\x2c\xbb\xa4\xb8\xec\x7e"
      "\x07\x9a\xe4\x49\xb7\x5c\xb6\xb2\x6e\xbc\x18\x5b\xfd\xb3\x2a\x34\x27\x9c"
      "\x40\x3a\x40\x3d\x92\xcd\xe1\x38\xf9\xb2\x8d\xa1\x64\x34\x74\xdb\xaf\x49"
      "\x50\x4c\xa0\xf1\xae\x75\x7d\xab\x52\x9f\x43\x10\x93\x4b\x76\x6a\x10\xc4"
      "\xc8\x0d\xa1\xed\xd8\x79\xa9\x84\xb5\xf2\x5f\x12\xd2\x6e\x11\x37\x5f\x0d"
      "\xde\x88\xad\xe2\x49\x8b\x78\x0d\x45\xb9\x9e\xb1\x09\x76\x9f\xbb\x6f\xec"
      "\xe6\xad\x49\x38\xdc\xcc\x6e\x8e\x64\x00\x11\x2c\xfb\x63\xd7\x8b\xd2\x97"
      "\x28\x40\x87\x3d\xdf\x20\x96\xf6\x1d\x47\x01\xa6\x11\x30\xbf\x93\x0b\x07"
      "\xff\x96\x59\x23\xca\x5b\x3b\xdf\x44\x65\x48\x26\x1b\x2e\xe0\xa8\xe4\x2b"
      "\x9e\x35\x27\xb5\xfd\x38\xf4\x63\x67\x09\x9c\x64\x38\xfa\x70\x27\x15\xb0"
      "\xf5\x6c\x2e\x90\xb3\xcd\x3c\xc2\x04\x8f\x04\xc9\xee\x6d\xd4\xef\x86\x11"
      "\xc2\x6f\xcd\xad\x3c\x0d\xc5\xdb\x34\xf3\x38\x57\x03\xfd\xed\x4b\x08\xf1"
      "\x5e\xfe\x69\x0f\x8f\x2b\x8f\x21\x05\xdf\x37\x49\xd0\x51\xf6\xa1\xd3\xfa"
      "\x59\x51\xaf\xd5\xeb\xcd\xaa\xf1\xeb\x22\x49\xbd\xfa\x3c\xa9\x7c\xb4\xb0"
      "\xc9\x2c\x9b\x0e\x52\x01\x02\x63\xd6\xf1\xf5\x81\xfa\xe7\x54\x7b\x7f\x3a"
      "\xd0\x5a\xae\x05\xdd\x3f\x94\x4b\xea\xdc\x30\xf0\x46\xeb\x63\x3a\x07\x52"
      "\xc1\x84\x2b\xab\x1d\x7e\xa3\x5e\xc8\x72\x2b\x4d\xe7\x5c\xb7\x39\x80\x9c"
      "\x69\x5e\xe1\xfc\x59\x11\x9d\xb8\x0a\x29\xd4\x96\x1c\x0c\x5b\x2f\xeb\x50"
      "\xe5\x6b\xf7\xa4\x50\x6f\xf6\x56\x52\xfa\x02\x27\x45\x7e\x86\xa8\x69\x46"
      "\xe7\x7e\xe2\xde\x84\x84\xb9\xc5\x4a\x08\xc2\xb7\x85\x1d\x2b\x76\xf4\x85"
      "\xc3\x69\x76\xd8\xc8\x2b\x24\x79\x8a\x61\x26\xc2\x82\x1a\x19\x5f\xfc\xcd"
      "\xa3\xc7\xf6\xf5\x68\xa3\x5d\x63\x61\xbd\xcb\x14\x44\xcb\x0b\xf9\x13\xa4"
      "\x37\x65\x23\x12\x60\xc6\x4f\xb1\x8c\x18\xea\x8c\x22\x56\xdb\x6e\xf5\x96"
      "\x48\xdd\x18\x19\x29\xb7\x92\xcf\x65\xdf\xef\xeb\xab\x2d\x33\x8f\x73\x1f"
      "\x85\x56\xac\x3e\xc8\x8e\xec\xb8\x8c\x71\x81\x62\x9f\xbf\x15\xe8\x45\x94"
      "\x2c\x76\x53\xab\xaa\x97\x3d\x67\x40\x2a\xf9\x8e\xc9\x56\x9f\xeb\xac\x90"
      "\xa5\x04\x17\x9c\x8f\x6f\x05\xf2\x75\xa4\x6c\x5f\x43\xed\xd2\x23\x0b\x33"
      "\x74\x4e\xda\x1f\x39\xb6\x56\x0d\x8c\x47\xdb\xff\x68\x39\x99\xcc\x49\x51"
      "\x42\xa0\x28\xd3\x5f\x8c\xeb\x65\x93\x15\x87\x74\x41\x74\xeb\x00\xc3\x4b"
      "\xed\x47\x17\xca\x7c\x58\x84\x2f\xf6\x87\xb5\x1e\xc5\x44\x5b\x16\xfc\xa2"
      "\x11\x72\x6f\xb4\x12\x71\x89\x69\x98\xc7\x97\x25\xf2\xd7\xdb\x2e\x74\x0a"
      "\xc5\x5f\x75\x6d\x14\x8d\xc9\x56\x24\x69\xdb\xb6\x37\x4a\x9b\xb6\x5a\x65"
      "\xdd\x29\x36\x16\xea\x12\xaf\x40\x2d\xb0\x4b\xf1\x79\x47\x7f\x69\x92\xe2"
      "\x2f\xca\x54\xd5\xbc\xc6\x85\x65\x65\xa0\xb2\xbc\x4f\x4b\xc0\xcd\xd6\x10"
      "\xfc\x77\x94\x7c\xcf\x2f\xb6\xb1\x40\x5d\x7d\x36\x87\xca\x51\x6a\x66\xe2"
      "\xd2\xaa\x38\x31\x25\x8e\x33\xc5\xdf\x4e\xae\xb2\xfe\x66\xfc\xc2\x57\xac"
      "\x2c\xdd\x05\x9c\x7a\x83\x96\xcc\xd7\xd1\x3f\x10\x06\x1b\x60\xe4\xbd\xb9"
      "\x6e\x90\x50\x89\x04\x67\x22\xf3\x12\xc5\x1b\x9c\xdd\xb3\x99\xc3\x44\xb4"
      "\xe7\x9e\x1b\xfe\xd0\x77\x2c\xfb\x26\xa4\x07\xc4\xed\xcd\x74\x59\x0f\x7c"
      "\x1b\xec\x2d\xca\x10\x4a\xf0\xd1\x05\x8c\x73\xfb\x5d\x67\x10\xe9\xf8\xf2"
      "\xb4\xb3\x23\x91\x76\x65\xd8\xa5\xfb\x14\xf2\x12\xc2\x22\xcf\x50\x94\x7f"
      "\x0c\x43\x87\xc3\x4b\x18\x43\xa0\x9f\xc4\x85\x80\xac\x6c\xf5\x9d\x10\x9c"
      "\x7f\x47\x12\xb9\xb3\x22\x46\x55\xe4\x37\xb6\x70\x73\x79\x34\x90\xef\x96"
      "\x05\x3d\xb5\xaa\xa9\xc5\x37\x98\x86\x5b\x8d\xa8\xc5\x7c\xe0\x70\x04\x9f"
      "\xce\x00\x0d\xf1\xd6\x1c\x93\x6b\xc5\x59\x1e\x7d\x98\x78\x8d\x92\xf1\x97"
      "\x24\xc1\x7d\x46\x66\xa7\x0c\x15\x6f\x77\xb5\xa0\xb9\xf6\x23\x5c\xe7\x6a"
      "\x59\x03\x2b\xcb\x3e\xac\xb7\xe5\xdf\xbf\xf8\xf7\x63\x34\x07\xe6\x20\x86"
      "\x83\x05\x57\xc9\x4b\x7f\xd4\xe4\x4f\x58\xbd\xe1\x61\x15\x1d\x14\x56\xd2"
      "\x6a\x95\x45\x05\xbb\x4a\x57\xb6\xad\xd9\xe1\xe4\xdb\x83\x16\xfd\x50\x9d"
      "\x0c\x6a\x5b\xe6\x53\xc4\x6c\x16\x1b\x19\xeb\x47\xb0\x3f\xbb\xb3\x75\x6f"
      "\xe9\x09\x41\x9a\x1d\x64\x7e\x0d\xeb\xeb\xfe\x60\xeb\x17\x10\xe0\x62\x55"
      "\xd3\xf5\x64\x36\x06\xda\x33\x96\x8f\xf1\xfb\xc3\x22\x24\x7c\xfe\xbf\xb1"
      "\x53\xb3\x10\xc1\x8b\x52\xb1\x4a\xe5\xa9\x9b\x7b\x0b\x03\x1b\xbf\x91\x1e"
      "\x47\xfd\x7a\x32\xa7\xdd\xb5\x55\x95\x57\x72\x1b\x29\xca\x2d\x63\xa5\x3c"
      "\x85\x34\xf6\xa6\x4e\x54\x8d\x92\x64\x09\x31\x01\x59\x17\xc3\x54\x5d\x78"
      "\x8c\x55\x55\x16\x71\xee\xa5\xba\x30\xe3\x9f\x0f\xb9\x29\x78\xe5\x34\x2f"
      "\x17\xe3\x31\x98\x5b\x72\x4f\x6d\x6f\x1f\x0f\x94\x5b\xce\x5e\xc5\x85\x1f"
      "\x54\xa3\x6c\xe4\x27\x01\xa5\x5e\x50\x79\xe4\x58\x57\x3b\xc7\x1f\xb8\xfc"
      "\x1f\xdc\x4f\x91\xaf\x36\x0d\x49\x85\x4d\x80\xcc\xef\xb9\x1f\x19\x27\x8b"
      "\x08\x41\x06\x0f\x2a\x06\x7f\x9f\x73\x33\x56\x72\xea\xc4\x81\xb0\x14\x1d"
      "\x01\xf7\x8a\x99\x66\xea\xa6\xa9\x94\xde\x39\x7b\xaa\x2a\xee\x93\x15\x5d"
      "\x12\x3d\x78\xe6\x4b\x07\xca\xa7\xe6\x51\xb2\x28\x11\x3b\x98\x8c\x07\x67"
      "\x73\x0b\xec\x17\x1b\xde\x3d\x8d\xf3\xc0\xe5\x12\xa3\xaa\x29\x79\xdf\x9a"
      "\x6c\xdb\x01\x61\x1c\xfa\x24\x80\x8e\xb2\xcd\xaa\x7c\xf2\x57\x4a\x38\x28"
      "\x6f\xda\x07\xa4\x32\xf3\x0c\x46\x9c\x48\x44\x8f\x24\xb1\xa7\x25\xad\xd0"
      "\x41\x3f\xc6\x0d\x73\x1c\x51\x54\xae\x1a\xc3\x46\x51\xdc\x89\x21\x2e\xfb"
      "\xf2\x12\x96\x01\xa6\xb0\x28\x80\x22\xb2\x00\x22\xd3\x2a\x8d\x77\xfa\x38"
      "\xc4\x44\x17\xb9\x54\xc2\x7d\xdb\x9e\x71\x17\xbc\xb9\x97\xf2\x9f\x80\xea"
      "\xee\x47\xcf\x88\x5b\xf7\x69\x2f\xa7\x07\xc0\xfb\x3a\x44\xc6\x62\xfc\x53"
      "\xf2\xd9\x02\x64\x82\xa5\x58\x4c\xba\x89\x55\xbc\xb6\x5d\xdf\x5e\xb4\x3d"
      "\xd8\xf3\x45\x64\x27\x94\x27\x78\x09\x06\x9e\xee\x9d\x0e\xa0\x09\xb3\x7d"
      "\x4c\x56\x23\x29\xa9\x4c\x35\x38\x25\xe8\x31\xb3\xd3\xf7\x33\x76\xcd\x2e"
      "\x3c\xb1\x1a\x7b\x47\x73\xa9\x14\xce\x1a\xb8\x5f\xf6\x00\x44\x84\x06\xd8"
      "\x69\xa8\xce\x24\x68\xc2\x8d\x0d\x9e\x1e\x32\x7d\x3f\x35\x80\x12\x4a\x95"
      "\x7e\xff\x30\x03\x56\xf9\x22\xed\x28\x4f\xf0\x07\xb3\x63\xb5\x71\x87\xcd"
      "\xc8\x58\xbe\xa1\xbb\x0f\x1a\x13\x57\x9b\x47\xa4\x7a\xb8\xc2\xbd\xe4\xa1"
      "\xb5\x5c\xb2\xf7\x75\x2e\x57\xbe\x81\xff\x38\xd6\xe7\xb7\x66\xc6\xe6\x42"
      "\x51\x3f\xff\xf9\x66\x7a\xc0\xe0\x5a\x1e\xfd\xf8\x5f\xb4\x13\xb1\x9c\xff"
      "\x95\x73\x05\x32\x34\x1f\xdf\xb5\x72\xb1\x13\x80\x4a\xf1\x6c\xfa\x39\xbd"
      "\xf1\x44\x3d\xdf\x52\xbc\x45\xeb\xe9\x2f\xa3\x83\xb2\x9e\x93\x4f\x7c\xe5"
      "\xd2\x65\xb5\x20\xff\xbf\x05\xd6\x50\x58\x3b\xcf\xa0\x47\x4b\xa8\xa6\xd5"
      "\xa0\x03\xe0\x42\x6a\x54\xe3\x07\xc6\x46\x94\x78\x84\x6b\xb7\x19\x30\x48"
      "\xc1\x52\xef\x72\x1e\xf8\x9d\x30\x46\x93\xd8\xef\x0e\x24\x26\x15\x7e\x46"
      "\x64\xec\x00\x0a\x61\xbb\xcf\x0b\x37\x24\xe3\x1d\x76\xa9\x05\x7b\xdf\xe3"
      "\xc6\x7a\x61\xdd\xc4\x01\xc5\x6d\xbc\x69\x2c\x1d\xde\x28\xb1\x1b\x94\xe6"
      "\x38\xe7\xd3\x68\xe5\x40\x28\x4a\xb9\xa3\x77\xc8\xb7\xf2\xa1\xad\xcf\x2b"
      "\x5c\x64\xc8\x32\x00\xbf\xa5\xb5\x50\x50\xf8\xb6\x07\x79\xb1\x4e\x29\xdb"
      "\x53\x82\x84\xd2\x09\x8d\x96\x71\x3e\xd7\x77\x74\x56\x3d\x93\xed\xa6\x92"
      "\xd9\x93\x6b\xcd\xb2\xff\x26\xc1\xd9\x50\x61\xfb\x97\xbf\xd3\x95\x4c\xf1"
      "\x00\xf0\x4f\xaf\xe3\xd0\x12\x0f\x23\x9b\xd2\x5d\x7f\x08\xeb\xe4\xfb\x10"
      "\xe3\xd6\x3b\x38\x77\xcd\x35\x16\xde\x78\xd8\xdc\xba\x9b\x48\xe6\x9d\xe9"
      "\xbf\x89\x00\x06\xd6\x96\x50\xcc\x6a\x1e\xdd\x39\xfb\x57\xb2\x36\x49\x16"
      "\xfd\xf3\x8b\xd7\x8c\x80\xc6\x56\x34\xdf\xf9\x82\xa9\x06\x3a\x66\xc3\x3d"
      "\xb7\x1c\x9f\x08\xa7\x5c\xa4\x1e\xe3\x61\x65\x87\xcf\x15\x77\xd4\x8a\xd2"
      "\xe4\xdf\x67\x86\x22\x77\x5a\xfd\xe7\x34\x7e\xff\x8d\xb6\xc1\x2b\x84\xdf"
      "\x57\x47\x8d\xb9\xb6\x68\x49\x10\xfa\x9d\x63\x58\xc0\xae\xda\x8d\x5e\x67"
      "\x86\xe4\x62\x94\xc3\xc6\x55\x0e\xfe\x0c\x80\xa5\xe0\x01\x54\x86\xcc\xd4"
      "\x13\x55\xc9\x4f\x05\xbc\x1d\x9a\xea\xf4\x7a\x7e\xbc\x48\xca\x15\xc9\x58"
      "\x08\x8a\x8d\x00\x34\x45\x99\x85\x6d\x76\x30\xe5\xf5\x24\x5d\x3d\xb7\x78"
      "\x98\x30\x38\x75\x95\x25\x24\x16\xde\x4e\x8f\xeb\x64\x1f\x30\x74\x2a\x57"
      "\xcb\xbc\x66\x5b\x9a\xd4\x8a\xb9\x6b\xb5\xc1\xb4\xdc\x3c\x0d\xce\xab\xf6"
      "\x70\x4c\x06\xfa\xd6\xe0\xee\xb9\x57\x97\x55\xd0\x3b\xe7\xfe\xd7\x01\x0c"
      "\x46\x92\x0a\xfb\x8a\x44\xcd\x43\xd2\x5c\xd3\x3a\x2a\x6a\x4d\x59\xa2\x16"
      "\x92\xfe\xdf\x93\x1d\xc0\x89\x68\x5d\x05\x20\x8d\x8d\x39\xef\xdc\x24\xfa"
      "\x29\x73\x69\x0a\xf6\xee\x9d\x81\xde\xb3\x19\xd7\x18\x1f\xb4\xa2\x31\x95"
      "\x31\x31\x49\x08\xbf\x6c\xec\x4b\xc4\x69\x8d\xab\xa7\x15\x8d\xd5\x16\x8f"
      "\x5a\x46\xfd\x8d\xa3\xb8\x65\xcc\x97\x94\x51\x71\xf7\x46\xe1\xca\x7b\x1a"
      "\xf9\xd6\x23\x9b\x12\xbe\x54\xcc\xb5\x46\x68\x7e\x74\x78\x81\xda\x09\x90"
      "\x60\xe6\x2a\xe0\x6b\x90\x10\x5a\xbf\x59\x8f\x6b\x2e\x2e\xe0\x8d\xb6\x33"
      "\xe4\xa5\xe6\x3b\x7a\xae\x2b\x9c\x2f\x1c\xba\xcb\xd6\x34\x5c\x3f\xae\x36"
      "\x5a\xdb\x9d\xd8\x46\xc5\x8f\x9e\x1f\xaf\xd7\xe0\xdf\xb5\x98\xc0\xa8\x40"
      "\x07\x1e\x47\xe1\x02\x60\x8c\x23\x7a\x68\xbf\x9a\x0c\x15\x19\xe5\x33\x88"
      "\xa5\xac\x8a\x86\x07\xdd\xd0\x4f\xad\x89\x94\x23\xb2\x6c\xc2\xfa\x27\x1c"
      "\xd2\x0e\x43\xf2\xba\x30\x83\xe7\xe4\x2d\xd5\xea\x5c\x03\x4a\xab\x44\x5c"
      "\xfc\xbc\x4e\xe9\x89\x73\x44\x36\x6c\x6f\xbe\x84\x23\x2f\xef\x45\x62\x9a"
      "\xc8\x0d\x5e\x91\x02\xfa\xd3\x1e\x3f\x42\xd2\x9c\xfe\x82\x06\xcc\xae\x2b"
      "\xc6\x49\x26\xb6\xe0\xdf\xea\xe4\x04\x15\xcf\xd6\xde\xb9\xbd\x3c\xf1\x60"
      "\x93\xd0\x17\x7d\xb7\xee\x18\x01\xee\xd2\xbf\xb1\x3f\x9a\xb5\x8c\x48\x12"
      "\x5a\x67\x84\x4f\x68\x0c\xb1\xfb\xe9\x3a\x83\xf1\xeb\x59\x75\x61\xa2\xd4"
      "\x1d\x4c\x45\xe3\x17\xe0\xd3\xad\xe0\x3e\x2f\xad\xde\x75\x3b\xe1\x51\xb4"
      "\x62\xd6\x4a\x81\x82\x42\xbf\xc7\xe5\x9d\x99\xee\x44\xe0\x2e\x2b\xe7\x97"
      "\x62\xac\x00\x98\x1d\x75\x02\xfa\xf6\xf9\xba\x3d\x27\x2a\x05\x62\x14\x94"
      "\xca\xa1\xdc\xd3\x26\x85\x97\xa9\x7d\x27\x61\x01\x38\x69\x6e\xc4\x27\x65"
      "\xaa\x1c\xa0\x83\x81\xfd\x3d\xea\x98\xfc\x3f\xbb\x6a\x72\x42\x6a\x67\x57"
      "\x5b\xec\x4a\xc2\x1d\xbe\x18\x35\x49\x73\x83\xcd\x06\x79\x55\xd6\x3a\x32"
      "\xd6\xfe\x03\xc5\xfa\x7b\x11\x42\x1d\x41\xd5\x69\xc6\xd4\xd4\x6b\x8c\x25"
      "\x40\x6e\x97\x3b\xfd\x41\x63\xac\x66\xc7\x8a\x3e\xa6\x76\xb6\xac\x1e\xc0"
      "\x42\xd7\xa6\x89\x0d\xef\x0d\xd6\xf2\x47\x24\x38\x5c\x79\x02\x19\xf3\xe4"
      "\x71\x82\x19\xb9\x43\xc2\xf2\x47\xe7\x45\x13\x68\x0c\x2c\x31\xea\xbc\x00"
      "\x13\x8d\x6d\xf6\x5a\xb2\x42\x4a\x22\x1e\xc3\xcb\xd6\x44\x68\x86\xc4\xb2"
      "\x0b\xb7\xa9\xc7\x19\xdf\x37\xe3\xfc\x28\xa4\x0b\x17\xe6\xf1\xc7\xd2\x0b"
      "\x88\xcc\xc6\xb1\x3e\xa1\x35\x9d\x28\xb4\xfa\xce\x6e\xd8\x60\x6c\xb9\xf2"
      "\x82\x8b\xe5\x00\x47\x48\x62\xad\x12\x75\x3e\xa5\x4a\x57\xe2\x77\x0f\x4a"
      "\xb1\x6c\x28\x38\xb5\x13\x3a\xcd\x2c\xe1\x70\x13\x92\x4f\xae\x51\xb4\x0f"
      "\x35\x2d\x8e\x88\x01\x06\x97\xf4\x1c\xe0\x7c\x8c\x34\x9f\xfa\xe5\x70\x12"
      "\xc1\x3f\x6e\xb9\x6e\x9f\x52\xbe\x29\xbe\x9e\xe6\xaa\xdf\x81\x4f\xdc\xb9"
      "\x70\xb4\xdb\x35\x09\xd4\xd3\x48\xdf\x4f\x53\x98\x10\x4c\x3c\x07\xbe\x22"
      "\x22\x9d\xfc\x28\xa7\xfc\x61\xb4\xbe\x86\x85\xa2\x22\x8b\x75\xa1\x74\x65"
      "\xb2\xc4\xe6\x88\xcf\xb9\x5a\x9a\x1c\xf2\x8d\xca\x91\x70\xec\xb4\x7b\x02"
      "\xd6\x53\xa3\x1f\x56\xd7\x6e\xc4\xd3\xa6\x0b\x60\x02\xdd\x14\x03\x07\xf9"
      "\x8f\xa0\xff\x6d\x92\x55\x36\xf1\xc2\xf3\x0d\x99\x5c\xce\x3f\xe9\x70\xe6"
      "\x29\xe0\xf1\xf6\xb5\x00\xba\x72\xb9\xe4\x86\x70\x57\xea\x24\xd0\x57\x22"
      "\x3c\x2e\x1b\x01\x31\x35\xf5\x3b\x1e\xed\x63\xa9\x7b\x08\xde\x42\xb5\x7d"
      "\xc7\x1e\x81\xa1\x9e\xd4\x85\x19\xf6\x4e\x86\x95\x7c\x6d\x44\xaa\x04\x78"
      "\xb0\x4b\x9e\x32\x3d\x45\xd7\x3a\x67\xda\x0a\xcb\x5f\xcb\xea\x1e\x25\x6b"
      "\xe7\x51\xd6\x85\x1f\x68\x62\x26\xf5\x51\xc9\x2f\xb0\x4a\xb8\xa1\x6c\xf8"
      "\xa5\xa3\x5b\x36\x55\x5a\xd5\xf0\x0e\xf7\x97\x4f\xd1\xcd\xdd\xb1\xcb\x1b"
      "\x9d\x3d\xd9\x66\xb8\xba\xeb\xa4\x4b\xac\x58\x56\xd2\x3a\x61\x99\x41\x6c"
      "\xeb\x54\x80\x1d\xdc\xe6\xbd\xd9\x43\x2a\x12\x8e\x7c\x38\x20\xf1\xe1\xb0"
      "\x4c\x88\x2e\x74\x6f\x61\x24\x00\x89\x9e\xc0\xcb\x0c\x43\xd5\x5b\x56\xdb"
      "\xc5\x5a\xf7\xc6\x55\x3d\x8f\x4d\x58\x0f\xfa\x1b\x1e\x31\xb7\xc2\x5d\x39"
      "\x3d\xf4\xba\x5e\x87\x9a\xe6\x48\x6e\x89\xd4\x28\x61\xae\xff\x94\x9b\xa4"
      "\x13\x70\x1d\x0b\xd8\x80\x19\x92\x55\xd6\x15\x61\x5b\xa3\xee\x67\x6f\x8d"
      "\x82\x47\x12\x93\x03\x15\x36\xae\x2f\x96\x7b\x6e\xa6\xef\xa1\xdb\xf2\x6f"
      "\xf6\x3b\xc9\xbc\xf1\x3d\x0e\x9a\xb8\x9c\xf0\xbb\x3d\x6e\x0d\x03\x76\x31"
      "\x79\x09\xf3\x86\x99\xb9\xaa\xba\x80\x3c\x54\xd6\x87\xd8\x3a\x38\xa2\x66"
      "\x6e\x07\x90\xa6\x08\x52\xf7\xed\x69\x29\x36\xe0\x4a\x31\x8d\xf8\x6d\xa6"
      "\xce\x95\x0c\xd5\x2b\x5a\xbc\x9c\xa8\x37\xa5\x85\x45\xbe\x96\xc5\xcb\xfb"
      "\x01\xcd\xb3\x11\x91\x04\x6e\xa4\x4d\xda\xf0\x30\x81\x5c\x93\x7f\x33\x3f"
      "\x25\x15\xba\xcd\x8d\x74\x9c\x03\x19\xac\xa5\xf3\xff\x4a\x39\xf6\x07\xe7"
      "\x5f\x89\x17\x4d\x18\x60\xc3\xc5\xdf\x19\xd2\x13\x11\x0b\x07\x56\xd4\xc5"
      "\x90\x7a\xce\x98\xea\x7f\x6f\xb2\xd3\xd8\x09\x01\xdc\x08\xd1\xeb\x87\x20"
      "\x74\xbd\x62\x84\x82\xed\xce\xc4\xe7\x1d\x8e\x07\xad\x6b\xe4\x40\x31\xbc"
      "\x4c\x83\xb7\x0e\x73\x44\xe8\xb2\x2b\x25\x5f\x07\xdc\x1d\x45\x25\x00\x3a"
      "\xd0\x19\x94\x48\xb0\xd3\x80\x86\x47\x16\xc7\x5c\xaa\x49\x97\xd2\xf4\x13"
      "\xfc\x8c\x78\xed\x0f\xf2\x94\xc3\x16\xf0\xb9\x11\x01\x7c\xa6\x04\x32\xff"
      "\x0a\xc0\xe6\x50\x6a\xf9\x03\xd2\xf2\xc9\xc0\x7e\xd3\x85\x94\x8a\xe6\xb4"
      "\xa7\xd6\x71\x40\x52\x8e\x1f\x6b\xd0\xc7\xe4\x0a\xe6\x4a\x8e\xe9\x2b\xf0"
      "\x6e\x06\x81\x9f\x27\x8f\x1f\x38\xb5\x31\x94\xa0\xa8\x3d\xae\x14\xa9\x10"
      "\x7a\x44\x2d\x20\xf9\x68\xa3\x9b\x1d\x90\xea\x94\x55\x60\x70\x18\xa3\x16"
      "\xd7\x49\x7a\x59\x59\x47\x1e\xaa\x05\xe6\xc1\x3e\x5e\x76\x74\x84\x00\xe1"
      "\x35\x03\x1a\x2d\x8d\x16\x49\x2b\xde\x6d\x8f\xdd\x8e\xe8\xa5\x30\xb9\x5d"
      "\xb2\xc8\x40\xea\x87\x9a\xa0\xbc\xcb\xa9\x50\x24\x39\x7c\xd8\xe9\xde\xec"
      "\x9c\x39\xc0\xd5\x73\xbf\x71\x93\xe1\x82\xa8\x55\xd3\x7f\xd0\x80\xca\x26"
      "\xd5\x6a\x31\xe8\x09\xc7\x66\xe9\x42\xdb\xed\x89\x92\xcf\xd4\xf0\x40\xef"
      "\xf6\xc1\x5a\x19\x6d\x9e\xbe\x70\x4a\xe8",
      4096);
  *(uint64_t*)0x200002c8 = 0xfed2;
  *(uint64_t*)0x200002d0 = 0x20000100;  // iov[5]: 59 bytes
  memcpy((void*)0x20000100,
         "\x0e\x42\x2d\x0c\x39\x8c\xc9\x00\xae\x68\x32\x41"
         "\x65\x87\x4d\xf5\x88\x55\xd0\x1f\x5e\xaa\x70\xbf"
         "\x0c\x39\x6a\x0c\xe9\x19\xfe\x5a\x13\x6f\xeb\x95"
         "\x3f\x53\x4c\x9d\x22\x85\x09\xf6\xb3\x5d\xc1\xd9"
         "\xd3\x0f\xd2\xd1\x51\x91\x46\x58\xb2\xa2\x65",
         59);
  *(uint64_t*)0x200002d8 = 0x3b;
  *(uint64_t*)0x200002e0 = 0x20000140;  // iov[6]: 96 bytes
  memcpy((void*)0x20000140,
         "\xc5\x6a\x5d\x77\x60\x1e\x38\x27\xb4\x0e\x6d\xff\x07\x7f\xed\x2c\xca"
         "\x03\x0a\x83\x0f\x3d\xe0\xbf\x71\x75\xe1\x0b\x56\x4f\xdb\xe2\x5f\xbf"
         "\x1e\xa3\x55\x6d\x3e\xa7\x3d\x33\x65\x6c\x33\x36\xab\xd2\x54\xa3\x70"
         "\x70\xa4\x8e\xea\x00\x83\xce\xcf\xc7\x40\x5c\xb2\x78\x30\x92\x14\xbf"
         "\xfd\x4a\x50\xf0\xf7\xa5\x42\x6a\x34\xd2\xf4\x93\x0c\x0c\x59\xfb\xa0"
         "\x03\x03\x52\x39\x5d\xd3\x54\x28\x3b\x18\x9a",
         96);
  *(uint64_t*)0x200002e8 = 0x60;
  *(uint64_t*)0x200002f0 = 0x20000200;  // iov[7]: 116 bytes
  memcpy((void*)0x20000200,
         "\x8a\xda\x30\x8e\xe8\xb9\x37\x93\x4d\xfa\x11\x25\xa1\x7b\xa9\x46\xf0"
         "\x0c\xe2\x5f\xbc\x59\x2d\x8a\x41\x97\xbe\x19\x47\x60\x02\x39\xca\x27"
         "\xed\x87\x55\xd5\xb0\x90\xb0\x2d\x7f\x96\x58\xb4\x22\x5e\xc7\x05\x6a"
         "\x3a\x74\xe0\x55\xa6\x85\xbf\x90\x9f\xa1\x22\xe4\x42\x5b\x91\x23\x76"
         "\xdc\x43\x38\xdc\x60\xeb\x90\xfa\xb8\xcf\x4b\x69\xb8\x8f\x64\xcc\x48"
         "\xe4\x6d\x87\xc9\xd5\x35\x01\xa6\x34\xae\xf0\xd8\x2b\x53\x49\xf6\x56"
         "\x09\xe1\xb0\x62\x19\x15\x0c\xe7\x29\x9a\x8d\x46\xad\x7e",
         116);
  *(uint64_t*)0x200002f8 = 0x74;
  // remaining msghdr fields: iovlen, control, controllen, flags
  *(uint64_t*)0x20000058 = 8;
  *(uint64_t*)0x20000060 = 0;
  *(uint64_t*)0x20000068 = 0;
  *(uint32_t*)0x20000070 = 0;
  syscall(__NR_sendmsg, r[0], 0x20000040ul, 0ul);  // sendmsg(fd, &msghdr, 0)
}

// Map the fixed scratch region used by loop(): 16 MiB of RWX anonymous
// memory at 0x20000000 (prot 7, flags 0x32 = MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS)
// with a PROT_NONE guard page on each side so a stray pointer faults instead
// of touching unrelated memory.  Then run the sandboxed reproducer.
int main(void)
{
  syscall(__NR_mmap, 0x1ffff000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul);
  syscall(__NR_mmap, 0x20000000ul, 0x1000000ul, 7ul, 0x32ul, -1, 0ul);
  syscall(__NR_mmap, 0x21000000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul);
  do_sandbox_none();
  return 0;
}