// https://syzkaller.appspot.com/bug?id=1c7edd2967e60778f50a15dc59f5cf851ab8de54
// autogenerated by syzkaller (https://github.com/google/syzkaller)
//
// Reviewer overview: standalone C reproducer for the syzbot report linked
// above. The kernel issue itself is named in that report, not in this file.
// main() maps a fixed scratch region at 0x20000000 and forks worker
// processes; each worker repeatedly runs execute_one() in a fresh child under
// a 5-second watchdog. execute_one() opens /dev/uhid and writes two event
// buffers to it. Everything else is test-harness code (sandboxing, resource
// limits, child reaping). Typical use is regression-testing a patched kernel
// inside a disposable VM.

#define _GNU_SOURCE

// NOTE(review): the header name after each #include was lost when this page
// was extracted (most likely the <...> part was stripped as markup), so the
// listing does not compile as shown. Restore the names from the original
// reproducer attached to the report before building.
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include

// Index of the worker being forked; main() is the only writer in this file.
unsigned long long procid;

// Sleep for `ms` milliseconds (usleep takes microseconds).
static void sleep_ms(uint64_t ms)
{
  usleep(ms * 1000);
}

// Return the monotonic clock in milliseconds; exits the process with status 1
// if clock_gettime fails.
static uint64_t current_time_ms(void)
{
  struct timespec ts;
  if (clock_gettime(CLOCK_MONOTONIC, &ts))
    exit(1);
  return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}

// printf-style write of a short string to an existing file (used below for
// /proc entries). The formatted text is truncated to the 1024-byte buffer.
// Returns true only if the file could be opened and the whole string was
// written; on a failed or short write, errno from write() is preserved across
// close().
static bool write_file(const char* file, const char* what, ...)
{
  char buf[1024];
  va_list args;
  va_start(args, what);
  vsnprintf(buf, sizeof(buf), what, args);
  va_end(args);
  buf[sizeof(buf) - 1] = 0;
  int len = strlen(buf);
  // No O_CREAT: the target must already exist.
  int fd = open(file, O_WRONLY | O_CLOEXEC);
  if (fd == -1)
    return false;
  if (write(fd, buf, len) != len) {
    int err = errno;
    close(fd);
    errno = err;
    return false;
  }
  close(fd);
  return true;
}

// Upper bound (exclusive) of the descriptor range close_fds() sweeps.
#define MAX_FDS 30

// Best-effort mount of fusectl so kill_and_wait() can reach the per-connection
// "abort" files; a mount failure is deliberately ignored.
static void setup_common()
{
  if (mount(0, "/sys/fs/fuse/connections", "fusectl", 0, 0)) {
  }
}

static void loop();

// Common confinement for a worker: die with the parent, start a new process
// group and session, cap resource usage, and move into fresh namespaces.
// None of the setrlimit/unshare return values are acted on, so every step is
// best effort.
static void sandbox_common()
{
  prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
  setpgrp();
  setsid();
  struct rlimit rlim;
  // Address space: 200 MiB.
  rlim.rlim_cur = rlim.rlim_max = (200 << 20);
  setrlimit(RLIMIT_AS, &rlim);
  // Locked memory: 32 MiB.
  rlim.rlim_cur = rlim.rlim_max = 32 << 20;
  setrlimit(RLIMIT_MEMLOCK, &rlim);
  // Largest file the process may create: 136 MiB.
  rlim.rlim_cur = rlim.rlim_max = 136 << 20;
  setrlimit(RLIMIT_FSIZE, &rlim);
  // Stack: 1 MiB.
  rlim.rlim_cur = rlim.rlim_max = 1 << 20;
  setrlimit(RLIMIT_STACK, &rlim);
  // No core dumps.
  rlim.rlim_cur = rlim.rlim_max = 0;
  setrlimit(RLIMIT_CORE, &rlim);
  // At most 256 open descriptors.
  rlim.rlim_cur = rlim.rlim_max = 256;
  setrlimit(RLIMIT_NOFILE, &rlim);
  if (unshare(CLONE_NEWNS)) {
  }
  if (unshare(CLONE_NEWIPC)) {
  }
  // 0x02000000 is CLONE_NEWCGROUP, spelled numerically (presumably so the file
  // builds against headers that lack the macro).
  if (unshare(0x02000000)) {
  }
  if (unshare(CLONE_NEWUTS)) {
  }
  if (unshare(CLONE_SYSVSEM)) {
  }
  typedef struct {
    const char* name;
    const char* value;
  } sysctl_t;
  // SysV IPC limits written via /proc; write_file() results are ignored, so a
  // read-only or missing entry is silently skipped.
  static const sysctl_t sysctls[] = {
      {"/proc/sys/kernel/shmmax", "16777216"},
      {"/proc/sys/kernel/shmall", "536870912"},
      {"/proc/sys/kernel/shmmni", "1024"},
      {"/proc/sys/kernel/msgmax", "8192"},
      {"/proc/sys/kernel/msgmni", "1024"},
      {"/proc/sys/kernel/msgmnb", "1024"},
      {"/proc/sys/kernel/sem", "1024 1048576 500 1024"},
  };
  unsigned i;
  for (i = 0; i < sizeof(sysctls) / sizeof(sysctls[0]); i++)
    write_file(sysctls[i].name, sysctls[i].value);
}

// Reap children until the one with id `pid` is collected and return its exit
// status. A negative pid (failed fork) terminates the caller with status 1.
int wait_for_loop(int pid)
{
  if (pid < 0)
    exit(1);
  int status = 0;
  while (waitpid(-1, &status, __WALL) != pid) {
  }
  return WEXITSTATUS(status);
}

// Remove CAP_SYS_PTRACE and CAP_SYS_NICE from the effective, permitted and
// inheritable sets of the calling process, using the raw capget/capset
// syscalls. Only the first capability word (cap_data[0]) is modified. Exits
// with status 1 if either syscall fails.
static void drop_caps(void)
{
  struct __user_cap_header_struct cap_hdr = {};
  struct __user_cap_data_struct cap_data[2] = {};
  cap_hdr.version = _LINUX_CAPABILITY_VERSION_3;
  cap_hdr.pid = getpid();
  if (syscall(SYS_capget, &cap_hdr, &cap_data))
    exit(1);
  const int drop = (1 << CAP_SYS_PTRACE) | (1 << CAP_SYS_NICE);
  cap_data[0].effective &= ~drop;
  cap_data[0].permitted &= ~drop;
  cap_data[0].inheritable &= ~drop;
  if (syscall(SYS_capset, &cap_hdr, &cap_data))
    exit(1);
}

// "none" sandbox: no uid/gid change is made here, only namespaces, rlimits and
// the two dropped capabilities. The parent side waits for the forked child and
// returns its exit status; the child side never returns (loop() is endless and
// is followed by exit(1)).
static int do_sandbox_none(void)
{
  // Affects processes forked after this call, i.e. the child created below.
  if (unshare(CLONE_NEWPID)) {
  }
  int pid = fork();
  if (pid != 0)
    return wait_for_loop(pid);
  setup_common();
  sandbox_common();
  drop_caps();
  if (unshare(CLONE_NEWNET)) {
  }
  loop();
  exit(1);
}

// Kill the test child `pid` and its process group, then make sure it is
// reaped. If it has not exited after about 100 polls of 1 ms, every FUSE
// connection listed under /sys/fs/fuse/connections is aborted before falling
// back to a blocking wait.
static void kill_and_wait(int pid, int* status)
{
  kill(-pid, SIGKILL);
  kill(pid, SIGKILL);
  int i;
  for (i = 0; i < 100; i++) {
    if (waitpid(-1, status, WNOHANG | __WALL) == pid)
      return;
    usleep(1000);
  }
  DIR* dir = opendir("/sys/fs/fuse/connections");
  if (dir) {
    for (;;) {
      struct dirent* ent = readdir(dir);
      if (!ent)
        break;
      if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
        continue;
      char abort[300];
      snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort",
               ent->d_name);
      int fd = open(abort, O_WRONLY);
      if (fd == -1) {
        continue;
      }
      // One byte of the path buffer is written; presumably the content is
      // irrelevant and the write itself triggers the abort.
      if (write(fd, abort, 1) < 0) {
      }
      close(fd);
    }
    closedir(dir);
  } else {
  }
  while (waitpid(-1, status, __WALL) != pid) {
  }
}

// Per-iteration child setup: die with the parent, own process group, and
// oom_score_adj 1000 (the highest value, making this child the preferred
// OOM-killer victim).
static void setup_test()
{
  prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
  setpgrp();
  write_file("/proc/self/oom_score_adj", "1000");
}

// Close descriptors 3 .. MAX_FDS-1, which includes the /dev/uhid descriptor
// opened by execute_one() when it falls in that range.
static void close_fds()
{
  int fd;
  for (fd = 3; fd < MAX_FDS; fd++)
    close(fd);
}

static void execute_one(void);

#define WAIT_FLAGS __WALL

// Endless driver: fork a child that runs execute_one() once, then poll for it
// in 1 ms steps; a child still alive after 5 seconds is killed through
// kill_and_wait(). A failed fork terminates the worker with status 1.
static void loop(void)
{
  int iter;
  for (iter = 0;; iter++) {
    int pid = fork();
    if (pid < 0)
      exit(1);
    if (pid == 0) {
      setup_test();
      execute_one();
      close_fds();
      exit(0);
    }
    int status = 0;
    uint64_t start = current_time_ms();
    for (;;) {
      if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
        break;
      sleep_ms(1);
      if (current_time_ms() - start < 5 * 1000)
        continue;
      kill_and_wait(pid, &status);
      break;
    }
  }
}

// Result slot for the openat() below; stays at all-ones (-1) if it fails.
uint64_t r[1] = {0xffffffffffffffff};

// The reproducer proper. All addresses are inside the fixed mapping created by
// main() at 0x20000000. Sequence:
//   1. openat(AT_FDCWD, "/dev/uhid", O_RDWR)
//   2. write() of a 0x12e-byte event whose first 32-bit word is 11
//   3. write() of a 0x1006-byte event whose first 32-bit word is 8
// No write() return value is checked; if the open failed, both writes are
// issued on descriptor -1 and simply fail.
void execute_one(void)
{
  intptr_t res = 0;
  memcpy((void*)0x20000080, "/dev/uhid\000", 10);
  // 0xffffffffffffff9c is -100 (AT_FDCWD); flags 2 is O_RDWR.
  res = syscall(__NR_openat, 0xffffffffffffff9cul, 0x20000080ul, 2ul, 0ul);
  if (res != -1)
    r[0] = res;
  // First event. Type 11 is UHID_CREATE2 in linux/uhid.h and the bytes
  // 73 79 7a 31 that follow spell "syz1". 743 bytes are staged here but only
  // the first 0x12e (302) are passed to write() below.
  // NOTE(review): if the layout is struct uhid_create2_req, the 16-bit value
  // 0x16 at payload offset 260 is rd_size (22), and a 280-byte header plus 22
  // descriptor bytes gives exactly 302 - confirm against linux/uhid.h.
  memcpy(
      (void*)0x20000b40,
      "\x0b\x00\x00\x00\x73\x79\x7a\x31\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00"
      "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
      "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
      "\x00\x00\x00\x00\x00\x00\x00\x06\x00\x00\x8a\x8e\x87\x4b\x73\xe9\x90\xb4"
      "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
      "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x2b"
      "\x40\x00\x00\x00\x00\x81\x0e\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
      "\x00\x00\x00\x00\x01\x00\x73\x8d\x7a\x31\x00\x00\x00\x00\x00\xff\x07\x00"
      "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00\x00"
      "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
      "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x73\x79"
      "\x7a\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
      "\x00\x00\x00\x00\xcf\x0a\x00\x00\x00\x00\x00\x00\x00\x00\x0c\x00\x00\x00"
      "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
      "\x00\x00\x00\x00\x00\x00\x00\x00\x16\x00\x00\x00\x00\x00\x00\x00\x00\x00"
      "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x3b\x38\xe9\x67\xac\x82\x06\xea"
      "\xae\x86\xb9\x7e\xec\x0b\x2b\xed\x1e\xe2\x33\x64\xb1\x0d\x6a\xad\x51\x02"
      "\x00\x00\x00\xe2\xa5\xdb\x3c\x6a\x0d\xee\x4a\xfc\x66\xd2\x44\xfb\x3d\xa2"
      "\x68\xd5\x47\xc2\x6e\xd1\x8e\x6f\x24\x03\x01\xb6\x92\x28\x05\x20\x1c\x39"
      "\x38\x9a\x80\x4c\x41\xc2\x99\x3f\xc6\x7e\x8a\x14\x60\x45\xe1\x4a\x8a\x08"
      "\x00\x7a\xbe\x87\x0c\x06\x51\xb1\x55\x0e\x6a\x25\xc0\xef\x65\xf6\x7c\x53"
      "\x3a\x01\x13\xf7\xe4\x64\xf6\x00\x00\x00\x00\x00\x00\x00\x03\x18\x7f\xaf"
      "\xa4\xa1\xee\x6e\xce\x53\xc6\x73\x85\xb8\x83\xa3\x6a\xd2\x4a\x04\x00\x00"
      "\x00\x00\x00\x00\x00\x6a\x8a\xb1\x1b\x0a\x0b\x00\xe7\x7e\x6c\x16\x18\x9c"
      "\xfa\x16\xcb\xe0\x1a\x4c\xe4\x11\x37\x93\xaa\xb7\x37\x2d\xab\x5e\xef\x84"
      "\xc3\x1b\x2d\xad\x86\x8a\x53\xe6\xf5\xe6\x97\x46\xa7\x86\xe5\xc8\x1e\xae"
      "\x09\x00\x00\x00\x00\x00\x00\x00\x1e\xdb\x57\x8b\x45\x3a\xca\xc0\x3a\x9d"
      "\x34\x48\x00\x00\x00\x00\x83\xd6\xd5\xfe\x4f\x83\x3d\x4d\x4c\xfb\xee\xf0"
      "\xe0\xe6\x2b\x7b\x09\x66\x49\xe2\x05\x00\x00\x00\x3c\x32\x98\x4c\x6c\x4b"
      "\x2b\x9c\x33\xd8\xa6\x24\xce\xa9\x5c\x3b\x3c\x6d\xd8\x00\x00\x00\x00\x00"
      "\x1f\xf2\x8d\x3c\xe3\xe3\xb8\xf8\x1e\x34\xcf\x97\xc9\xc8\x41\xcb\x2e\xf0"
      "\x81\x07\xa9\xa9\x65\x49\xe3\xd2\x59\xdf\x17\xe2\x9e\xd6\x4b\xd6\x12\x08"
      "\x13\xf9\xf0\x34\x4e\x13\x95\x06\x70\x1e\x8f\xde\xdb\x06\x00\x9b\x5e\x4d"
      "\x0c\x67\xbd\xa0\xb9\x28\xb7\x32\xcf\xf7\x82\xb0\x68\x40\x75\xf2\xcb\x78"
      "\x51\xef\xdd\x77\x97\xee\x95\xd2\xac\x28\xa8\xca\xbd\x26\xc1\x56\x82\xaa"
      "\x78\xd3\x1a\xec\x95\x6b\xd7\xc2\x78\x06\x40\x34\x34\xb3\xc3\x0b\x07\x0b"
      "\xcc\x82\x66\xe1\x2f\xa6\x66\x02\x05\x62\x56\xf7\x46\x75\xb7\xcb\x4d\x87"
      "\xb2\x70\x8d\x70\xc8\xf3\xdf\x53\xca\xf8\xfe\x18\x0c\x4d\xea\x3f\x5b\x7a"
      "\x92\xa3\x4b\x0e\xfa\xab\x02\xdc\xa0\x51\x7e\xee\x50\xff\x30\x20\x6f\x78"
      "\xec\x82\xc7\x2f\x33\xe9\x09\xc1\xae\x1f\xe9\x4f\xe0\x75\x9f\x07\xd1\x64"
      "\x02\x59\x3e\x33\x35\xd4\x20\x00\x88\x8c\x90\x5f\xb4\x1d\xbd\xb4\x60\xea"
      "\x9f\x87\xfc\x86\x51",
      743);
  syscall(__NR_write, r[0], 0x20000b40ul, 0x12eul);
  // Second event, assembled in three stores: a 32-bit type word of 8 at
  // 0x200016c0, 4096 payload bytes at 0x200016c4, and a 16-bit value 0x1000
  // at 0x200026c4 (= 0x200016c4 + 4096).
  // NOTE(review): type 8 is the legacy UHID_INPUT event in linux/uhid.h; the
  // stores match a 4096-byte data array followed by a 16-bit size field, and
  // the size given (0x1000) is the full array length - confirm against
  // struct uhid_input_req.
  *(uint32_t*)0x200016c0 = 8;
  memcpy(
      (void*)0x200016c4,
      "\x16\x9e\x02\xd3\xa6\xad\x79\x2a\x40\xb7\x14\xa4\x26\xab\x33\x0f\x67\xf4"
      "\x1f\xe9\x16\xab\xd4\x9d\x05\x5f\x49\xe0\x7f\x9b\x03\x98\x14\xe8\x4b\xcc"
      "\x89\x4b\x1e\x0d\x22\x7b\x42\x71\x65\x53\xe1\xea\xab\xfd\xb7\xa6\x74\xe5"
      "\x79\x11\x61\x53\x86\xe8\x2b\xbe\x61\x6d\x94\x3b\x57\x94\xa4\x21\xf4\x7e"
      "\x82\xe9\x07\xd6\xa1\x13\xc6\x3d\x6f\xa5\x2e\xda\x12\x5b\x78\x15\x79\x5d"
      "\x9e\x44\xd2\x4e\xd6\x2d\x34\x24\xb1\x2d\xfe\x27\x26\x1d\xec\x05\x1a\xba"
      "\x2a\x7b\x97\x7e\x47\x3c\xc5\xda\xd8\x30\x25\xab\x56\x5c\xca\x06\xfc\x1c"
      "\x93\x3a\xe6\xa1\x59\x6c\xa1\x08\xe7\x7d\x02\x8b\x42\x18\xd9\xee\x41\x48"
      "\x34\x2d\xe8\xa3\x3c\x41\xb3\x6d\x1f\xe8\xf9\x77\x24\xca\xc0\x45\x1d\x0c"
      "\xad\x1d\xfe\x7c\xa9\x85\xd2\xc4\x42\xb3\xa8\x86\xaa\x69\x6a\x7b\xe4\x93"
      "\x72\xa7\x20\xf1\xdb\x75\xb1\xf2\x28\x05\xa2\x55\x2e\x38\x96\x1c\xc2\xb9"
      "\x84\x26\xeb\xdd\xbf\x28\xec\xeb\x05\x9f\xde\x5b\x46\x8b\x9a\x84\x9b\x74"
      "\x38\xa4\x2f\x83\xcf\x51\x7a\x4f\x5c\x09\x02\x90\x9e\x8c\xe6\x11\x06\x92"
      "\xfd\xa5\xca\x05\x17\x11\x28\x51\xad\x22\x61\x61\x1e\x3f\x72\xd9\xdc\x85"
      "\x8e\x49\x7c\xe7\x56\x7f\x18\x8c\x4e\x94\x26\x14\x85\xe1\x36\x9b\xed\xb0"
      "\x8d\x98\x6f\xbe\x29\x8e\x0d\xe3\xc9\x5e\x51\x9b\x34\x5a\x8e\x83\x95\xa0"
      "\x28\x42\x0c\x24\x7d\x67\xf0\x3f\xa5\xe9\x70\x49\x83\x4a\x76\x3e\xa2\xa3"
      "\x60\xba\x4b\xeb\xdf\x42\x6a\x39\xb3\xcb\xc7\xdb\x3b\xc5\xbb\x18\x97\x3f"
      "\x5c\xb7\x77\xa9\xce\xd8\xd6\x00\xdc\xc2\x26\x3e\x83\x36\x9d\xca\x99\x04"
      "\x0c\xc3\xb1\x71\x91\x36\x3f\xe2\xf8\x60\x4b\xb1\xcc\xb0\x0a\x0d\x61\xdb"
      "\x3c\xdc\x18\x15\xd8\xf1\x25\x6b\xd6\xdb\x03\x7e\xb5\xc1\xe2\x25\xa3\xea"
      "\xe8\x47\xdd\xa3\xb0\x54\xee\xd9\x61\x0d\x93\x89\xed\x5c\x62\x07\xfa\x40"
      "\x4e\x51\x01\x9c\x8e\x51\x54\x3e\xbe\xe2\x13\x93\xd8\x6a\xaf\xd1\xcf\x90"
      "\xca\xb0\x88\x6e\xcc\x7a\x79\x2f\x34\xbd\x07\x06\x79\x40\x51\x62\xac\xc7"
      "\xe6\x13\x54\xcf\x87\xb4\xb3\xf0\x83\x39\x60\xe0\x3c\xef\xff\xa7\x9a\x85"
      "\x89\xc2\x92\x0b\xcf\x0b\xdf\xec\x26\xe2\x06\x31\x06\xd8\x1e\x43\x5b\x00"
      "\x81\x59\x23\xbe\xa3\xbd\x9c\xeb\xac\xa2\x8e\x98\xd4\xbd\x84\x9f\x20\x18"
      "\xa8\xcb\x6e\x04\x82\xd3\x78\xb6\x7f\x20\x94\xb8\xb4\xff\x3a\x3f\x53\xa9"
      "\xef\xbe\x57\xe6\xbe\x92\x7d\x61\x84\x9a\x7b\x24\x8e\x66\xca\xaa\xc0\x87"
      "\x6b\xa5\x1b\x0f\x99\xcf\x69\x4b\x01\xe5\xe4\x82\x36\x77\xe7\xb3\xba\x40"
      "\x44\x34\xa7\xa9\x6f\xb0\xbb\x45\x23\x7e\xee\xf7\xea\xec\xfd\x58\x43\xed"
      "\x2e\xee\x25\x98\x5c\x05\xe5\xab\x57\xc1\x99\xf4\xa5\x12\x7d\x0f\x64\x9f"
      "\x7d\x3a\xb9\x39\x1b\x43\x12\xab\x47\xcd\x2b\xbd\x36\xb9\xda\x02\xf0\x52"
      "\xfc\xdd\xe6\x3d\x8b\xf0\x5d\x5a\x32\x55\x7a\xcf\x89\x3c\xdd\x85\x09\x44"
      "\x78\x12\x2f\x4c\x7b\xc5\x16\xb7\xe1\x73\xf1\x60\x54\x6a\x9b\xe2\x5c\xde"
      "\xab\x66\x3b\x85\xbd\x98\xb1\xdc\x8a\x3a\x53\x22\xa7\x8c\xca\xd4\xcf\x05"
      "\xa0\xe5\x5c\x4e\x9b\xbf\x8e\x5b\x52\xa6\x80\xd6\xf2\x0d\x9a\x4f\xaf\xe9"
      "\xf0\x25\xfe\xaf\xbe\x95\xd7\xe6\xe5\xf9\x5f\xb2\x60\x95\x7d\xdf\x41\x51"
      "\xe4\x95\xce\x39\x56\xb7\x48\xde\xd6\xf2\x45\xad\x1b\xa5\x4a\x4c\x8f\x28"
      "\x90\xe0\xec\x98\x40\x52\xf7\xae\xd1\xa0\xf6\x9e\xf4\x8b\x5c\xd3\x6d\x46"
      "\xe3\x5f\x60\x62\xf2\xb7\xb7\x25\x67\xaa\xf3\x22\xff\x9a\x6c\xec\x7a\x77"
      "\xb0\xfd\x09\x68\xd7\x26\x49\xe5\xd6\x75\xd9\xed\xea\xc2\xc6\xbd\x61\xc1"
      "\xe0\xd3\x85\xc8\xb3\x68\x7b\xa7\x9e\x39\xfc\x9c\x2c\x42\xd5\xb2\x7c\xe3"
      "\xc5\x26\x6e\x32\x72\x00\x6d\x68\xfc\xe8\xdc\x68\x2d\xed\xcc\xae\x58\xa6"
      "\x1f\x72\x7a\x93\xab\xbd\x64\xc7\x08\x00\x68\xc4\x9e\x69\xa9\x21\x55\xa7"
      "\xdc\xa7\x2b\x49\xd3\x86\x04\xb6\x3c\x56\xc9\xbf\xf3\x26\x9b\x1a\x6f\xcd"
      "\xa9\xbd\x3d\x8b\xf8\x27\x29\xfb\x92\xcb\xbc\x5d\x54\x97\x99\x6f\x17\x94"
      "\x20\x8d\xf0\x2a\x5c\x1b\x9a\x3a\x83\x85\x85\x23\x52\xba\x07\xb2\xa0\x30"
      "\x81\x08\xde\x4b\x72\x0c\x52\x10\xd1\x93\xf6\x20\x05\x08\x68\xf9\xfb\x06"
      "\x14\x16\x27\x42\x71\x81\xe8\xaf\x20\xa5\x3a\x77\x13\x1a\xa3\x61\x8f\x19"
      "\x4a\x4d\x1e\x50\x50\xab\xcf\x40\xe2\x27\x1b\x2c\xde\xb3\xdd\xf2\x77\xaa"
      "\x16\x39\x3e\x54\xb1\x23\x29\xd7\x84\x49\x74\xea\xe6\xdd\x8e\x69\xb6\x68"
      "\x28\x86\xea\xcc\xe8\x24\xee\x42\xcb\x75\xb0\x7e\xfd\x6b\x76\x11\x06\x0e"
      "\x16\x80\x33\xdd\xf5\x19\xeb\x22\x68\x53\xec\x38\xcd\x81\x89\x33\xba\x23"
      "\x3d\xb5\x93\x66\xbb\xef\x17\xf6\x14\xda\xd4\x75\x8b\xdf\xe6\xd2\x2f\x0d"
      "\x28\x5b\x20\x45\x6d\xf3\xeb\xe0\x13\x1a\x2d\x61\xea\x41\x73\x00\x36\xfa"
      "\x3e\xce\xb6\x6f\xdf\x1c\xfc\xb0\x91\xf8\xb7\xa5\x06\xa3\x9e\x73\x30\x92"
      "\x37\xdb\xf1\x15\x91\x8d\xcf\x2d\xa9\xcd\x09\x4a\x00\xe3\xaf\x80\x12\x5d"
      "\x67\x2f\xd4\x48\x60\xce\x13\xae\xef\x6c\x10\x96\x6d\x65\x2b\xc0\xf9\x9c"
      "\xba\x37\x93\x46\x54\x81\xc5\xb2\x96\x83\x0b\x63\x00\xe9\x1d\xc2\x27\x4c"
      "\xde\xf1\x92\x88\x49\xba\xe2\xa8\x44\x89\x56\x5c\x6e\x72\x8a\x62\x2b\x1e"
      "\xed\xe7\x84\x29\xdd\xd2\x43\xac\x27\x63\x3b\xe5\x75\xac\x1b\xac\x7e\x58"
      "\x02\x94\xf5\xa5\x27\x6c\x4f\xeb\x81\x65\xe5\x43\x0c\xf1\xc9\x6e\xca\xa0"
      "\x82\x0a\x7b\x83\xee\xc3\xce\xa8\x84\x39\xc4\x8c\xd4\x3a\x55\xad\xb1\xd7"
      "\xa9\xb7\x4b\x37\x95\x15\x39\x5c\x6d\xe6\x07\x63\x92\x69\x65\x39\xb2\x00"
      "\x66\x74\xc5\xa1\x0f\xb8\x44\xf5\xbd\x4c\x4f\x47\xc7\x98\x67\x97\xed\xf9"
      "\x36\x8a\x55\x5e\x07\x6a\x11\xe7\xdc\x03\xd9\x75\x9c\x70\xc8\xcc\x1a\x19"
      "\x5a\x14\xc3\x5b\xdb\x65\x9c\x71\x61\xcb\xc7\xd4\xb9\x29\x91\x2d\xb8\xf1"
      "\xd6\x1c\xc6\xf8\xf4\x25\x3e\x49\x84\x86\x05\xc5\x32\x97\x9f\x08\x07\x47"
      "\xcb\x6b\xff\xc7\xef\xe6\x89\x62\x7b\xe1\xca\xe3\xdf\x74\x5a\xe7\x2d\x82"
      "\x91\xbd\x68\x7a\x02\xa1\x1b\x5f\x01\x85\x2f\xc3\x04\x1d\x87\xe8\xf1\x32"
      "\x95\x0e\xe1\x23\xc7\x16\x21\x3f\xb2\x79\x90\xd2\x4a\x9c\x3a\xd4\xdd\xf4"
      "\x2a\x79\x71\x0e\xcd\x36\xc2\xac\x33\x19\x79\x38\xf5\x99\x2a\xec\x7c\xef"
      "\xd3\x09\x0b\x39\xd0\xcb\xe7\x54\x5a\x6f\x81\x5c\xb2\xf3\xf5\xcd\xc7\x1e"
      "\x77\xb0\xc1\x22\xe2\x86\x68\x53\x1b\x32\x9f\x10\xfb\xbc\x61\x0a\x52\xf4"
      "\xe8\x70\x32\xb5\x66\x6b\x76\x34\x7c\xa8\x66\xa5\x4a\x36\x30\xf4\x3b\x3e"
      "\xca\xa6\xc6\x8c\x20\x81\xc5\x0a\x14\x19\x5f\xa3\x47\x01\x0c\xe3\xde\x8e"
      "\xac\xeb\xc0\xfe\x7d\xd1\x0e\x55\x5a\x1b\x9a\xda\x0b\x05\xb5\x86\x85\x74"
      "\x2c\x2f\x68\x8a\x0a\xe3\x48\x8c\x2c\x77\xca\xd9\xe0\xa0\x34\xff\x84\x28"
      "\x33\xb6\x8e\xe6\x0d\x15\xf6\x88\x3b\xd5\x76\xdc\xb3\xb1\x21\xcf\xf4\x5d"
      "\x60\xdc\xfb\xf9\x3f\x82\xff\x63\x4f\xde\x65\xd4\xe1\x70\xd4\xb7\xc3\xc4"
      "\xb2\x88\x33\xb9\x10\xdb\x82\x59\x24\x18\x9a\x7d\x33\x5a\x7d\x7a\xbc\x3a"
      "\xd8\x6d\x2a\x2c\xa8\xba\x7c\xe1\x6d\x04\x6a\x5c\xd1\xdc\xeb\xe0\x6c\x02"
      "\xae\xa1\xa1\xf7\xc2\x01\x70\x07\x3f\xe1\xaa\x13\xa0\x50\x12\x50\xe8\xef"
      "\xb4\xd6\x87\xae\x93\x1a\xf4\xcd\x9a\x66\x55\xf3\x8c\xe1\x1d\x1e\xc8\x0b"
      "\x0a\x56\x59\x16\x07\xdd\x65\xe8\x7e\xa9\xc9\xb8\xee\x58\x49\xee\xea\x6f"
      "\x0d\xdf\x74\x61\x83\x92\xa2\xc5\x82\x98\x51\xb9\x88\xa6\x53\x7d\x79\x30"
      "\xee\xc8\x17\x93\xcc\x5d\x46\x9a\xb8\x4c\xdf\xed\x3d\xb7\xed\x88\x00\xe5"
      "\xdc\x94\xe6\xe7\xe4\xdf\xae\x5b\xaa\xcd\x27\x8a\x7c\xa9\xb8\xd3\x39\x63"
      "\xc1\xb2\xfe\x8b\xcb\xef\x83\xcd\xc7\xdc\x54\x51\x2c\xdd\xdf\xb1\x2b\x40"
      "\x27\x4e\xa4\x7a\x69\xea\x5a\x6d\x0f\x14\xa7\xad\x3b\x9e\x81\x3b\x4b\xc1"
      "\x81\x0a\x6c\x73\x74\xcf\xd6\x21\x64\x74\x8a\x26\x76\xc7\xd3\x1c\x4a\x6c"
      "\xb2\xf2\x3c\x9c\x57\xd1\x94\xeb\x37\x39\x15\x53\xb8\x55\x12\x9f\x4b\x0a"
      "\x07\x4a\x27\xc2\xb2\x74\xee\x0b\xcd\x65\x4e\x53\xc4\xa9\xca\x73\x29\x7d"
      "\xb9\x67\xd1\x77\x3f\xe4\x43\x7c\x88\x81\xea\x66\xf4\x64\xc4\x37\xda\xff"
      "\xa2\x38\x0a\x88\x40\x37\xdf\xb4\x2f\x1b\x10\xcd\x36\x67\x69\xd7\x15\xfb"
      "\x23\x12\xb0\x34\xed\x19\xfd\x1c\xcc\x4b\xc8\xef\xb9\x1c\x87\xaf\xde\x6c"
      "\x3e\x8a\xe3\x5c\xa6\xee\xb8\x7c\xf5\xd1\x8e\x1f\xdb\x14\x14\x1d\x13\x80"
      "\xf5\xa5\x5f\x1b\x87\xa8\x5a\x54\x6a\xd5\x41\xf2\xe1\x11\x87\x66\xf1\x21"
      "\x08\x2d\xe5\x71\x23\xd7\xf5\x5b\xb2\x5c\x64\x88\x5f\x8b\x7e\xe2\x40\x24"
      "\x89\xda\xf3\xe7\x59\x32\x8b\xa3\x4d\x2d\xb5\x99\xc2\x24\xcc\xb2\xb3\x24"
      "\x53\x86\xe1\x6e\xaa\x3b\x36\x3c\xbb\x33\xf2\x3a\x8a\x28\xd6\x4e\x9f\x47"
      "\xa3\xb8\x79\x72\x4f\x1d\x58\xfe\xf5\xe5\xa3\xc0\x93\xab\x59\x3c\x7f\xdc"
      "\x6f\x8a\x48\x57\x76\xb1\xcb\xc4\x54\x09\x43\xd7\x4f\xb9\x48\xe5\x24\xba"
      "\x74\x54\xc3\xc2\x38\x2e\x4e\xcf\x0c\x0b\xb5\xb8\x0e\xea\x5f\x0e\x01\xa7"
      "\xc7\x4d\x80\xda\xc8\x34\x4d\xb3\x86\x95\x41\xed\x09\xd2\x27\xac\xac\x4e"
      "\x72\x0e\x6d\xb4\x24\xe6\xab\x69\x69\x01\x0e\xe1\x64\x5e\x30\x82\x00\xa4"
      "\xe7\x31\xc0\x0c\x61\xbd\xf8\x0a\xc4\x8a\xb9\xfe\x57\x8c\x04\x79\x77\xf4"
      "\x25\xb3\x5e\x23\x7c\xc6\xd3\xad\x30\x4f\x16\x1f\x5a\x37\xc4\xf6\x5e\x31"
      "\xdf\x9f\xb2\x36\x10\x37\x1d\x8a\x1b\x73\x70\xc3\xc0\xb5\x0d\xba\xf0\xe5"
      "\xb8\xa0\x09\xb6\x51\x6a\x2c\x87\x38\xeb\x97\x0d\xa9\xbd\xb8\xf7\x66\xe6"
      "\xa9\x24\x50\x7d\x2e\x4b\x0e\xf9\x1e\xb3\xa3\x51\xc0\xf4\x1e\x22\xa7\x92"
      "\x93\x26\xf8\x6a\x02\xad\x36\x87\x8f\xed\x7c\x79\xfa\xc2\xd5\x6a\xfb\x21"
      "\x32\x0a\x09\x31\x7b\xd6\xf8\x3a\x5a\x7b\x24\x5f\x33\xa2\xcf\xdd\x0a\xc7"
      "\xe8\xf1\x85\x57\x0b\x4b\x46\x05\x48\xc9\x12\x76\x20\x17\x10\x93\x44\x8e"
      "\xbd\xc2\x7e\xae\xf2\x8d\x65\x8d\x8d\x09\x1e\x0a\x68\x8d\x06\xed\x50\x74"
      "\x6c\x2f\x06\xc1\x8a\x4c\xcb\x7b\x17\x21\x1d\x27\x36\xa1\xdc\x2b\x1f\x98"
      "\x4f\x0f\x4f\xe3\x99\x24\x86\xef\x6d\x6a\x4f\xdd\xd5\x57\x96\x1b\x5a\xed"
      "\x56\x73\xaa\x0a\xf0\x9d\x4b\x02\x93\xe8\xe3\x1d\x14\x4d\x2d\xa8\xd0\x50"
      "\xc2\x8a\xa3\xf3\xfd\x8c\x7b\x27\x86\x98\xbe\xf7\x7b\xc3\x97\x82\x4b\xe3"
      "\xa0\xa3\x6c\x49\xe5\xd1\x93\x50\xdb\xa1\x31\x00\xc5\x30\xb5\x20\x65\xf4"
      "\x0a\xf3\xe9\x2a\x5a\x4d\xa2\x61\x9d\x99\xf2\x69\xe6\xea\x75\x4a\x45\x15"
      "\x61\xae\x00\x91\xff\xe8\x97\xde\x67\xb0\xdd\xfd\xed\x7a\xb1\x56\x17\xcf"
      "\x69\xfb\xc1\xec\x8f\xb2\x74\xa9\xa3\xb2\x5f\x5b\x8f\x3d\x6d\xff\xb2\x2d"
      "\xe1\xb8\x9e\xef\xb4\x5a\xe4\x4b\xd5\x9f\xc6\x67\x34\xf1\xcd\x2c\x28\x81"
      "\x8a\xc7\x07\x1d\x14\x94\xdd\xc7\x31\xff\xa4\x82\x57\x4a\x00\xe5\x59\x0f"
      "\xc8\xfa\xd1\xe0\x5d\x65\xd1\xe6\xa1\x20\x98\x69\xbd\xab\x9c\xe7\xb7\xd0"
      "\x96\x95\x9d\x60\x8c\x47\xbe\xc6\x56\x01\xfb\xb8\x6b\x36\xe1\xcb\x3a\x15"
      "\x4e\x3e\x9d\xbb\x8c\xf4\x98\x70\x3a\xbd\x72\x34\x7a\xc6\x97\x3d\x2a\x0f"
      "\x14\xe9\x7c\x17\x0c\x96\x25\x41\xb3\xaf\xdc\x5e\xc5\x36\x88\xd1\x4c\xfe"
      "\xac\x41\xaa\x8a\x0d\x46\x9d\xac\xaa\xed\x3d\x6b\x75\x5c\x94\x4b\xea\xad"
      "\xdc\x09\xf1\x61\x00\x95\xe1\x66\x61\xdf\x99\x2b\xa2\x13\xcd\x95\xbc\x63"
      "\xd3\x79\xec\xb9\xe5\x90\xd6\x7a\x36\x0e\x55\x5f\x8c\x57\x0a\xbb\xc9\xba"
      "\xf3\x4f\x48\x09\xcf\x0f\x92\x50\x29\xc9\xe4\xd3\x0d\x6c\xf7\x08\x35\x87"
      "\xdb\x5c\xf4\x10\xb8\x58\x8c\xc0\xb0\x47\xda\x39\xbd\x12\x7d\x5d\x32\x42"
      "\xbe\x82\x20\x5b\xd6\x5f\x84\x6f\xf9\x69\x9e\x7b\xe8\xd4\xb8\x3f\xa2\x05"
      "\x3e\xbd\xf3\xff\xd9\x8c\xeb\xed\xf9\xfc\x9d\x1c\x76\x61\xf3\x2f\x42\xeb"
      "\xfb\x10\xd9\xb6\xb8\x43\x69\x4e\xa1\xdf\xc3\x8c\x6b\x52\x52\xb0\x3d\xea"
      "\x84\x66\x9f\x75\x06\x77\xa5\x9e\x9c\xd4\xb7\xa4\x5a\x26\xa8\x10\x17\x35"
      "\x34\xff\xe0\x67\x4d\xe0\xdc\xbe\x2c\x0c\xf8\x82\xee\x38\x75\xa2\xa6\xf2"
      "\x13\xd4\xeb\xf3\xc8\x16\xff\x79\xf2\x0e\x4a\x31\xa4\x8b\xb4\x18\x56\x61"
      "\xa3\x51\x1a\x8d\x85\x8a\xdf\xb5\xf2\xd5\x60\x18\x15\xbd\x1d\x1b\xce\x19"
      "\xad\x8b\x7e\xc7\xe4\xb3\x80\xe7\x7e\x82\xbd\xb4\x32\xda\x58\x1d\x6c\xf1"
      "\x03\x58\xa0\x69\xb1\x0d\x7e\x4d\xa9\xa5\x2a\x2b\xa2\x2b\xd4\x84\x7d\xe9"
      "\xa7\x56\x97\x4d\xd4\x14\x25\xb5\x53\xdd\x39\x19\x96\x85\x82\x16\xb4\xb6"
      "\x1d\x5a\xf7\xcb\xf4\x4e\xdc\xce\x3b\xbb\xce\x51\x7f\xd0\x92\x6e\xc7\x96"
      "\xf9\x20\x35\x6b\xf6\x6d\xdb\xfa\x57\xb7\xd1\x5c\x01\xcb\x36\xab\x44\x49"
      "\x6b\xb5\x9e\x2e\xf5\x11\x19\x18\x32\xa5\x58\x41\xd6\x3e\x50\x12\xaf\x15"
      "\x06\x0f\xbf\x3b\x19\x5b\x7f\xf0\x27\xa3\xe4\x6d\x57\xa1\x95\x8b\x1a\xea"
      "\x96\x9b\x15\x68\x65\x12\x1a\x20\xe6\x93\xae\x01\xbc\x46\x69\xc3\xd3\x08"
      "\xa9\xfd\xbe\xd5\xa3\x3d\x83\x0d\x00\x60\x9b\x18\x01\xed\x8a\x38\xb8\x51"
      "\x64\x29\xf5\xab\x28\x42\xdc\xae\xe4\x81\x08\x53\xea\xf4\x90\x20\x6b\xe4"
      "\xcc\x8e\xed\x8e\xf9\xbc\xd3\xcc\x91\x97\xf7\x72\x30\x86\x16\x0f\x45\x50"
      "\x3d\xb8\x12\x0a\xfe\x5d\x6d\x82\x3a\x3d\x20\xe8\xb8\x58\x48\xc6\x70\x8e"
      "\xe1\xab\x86\x10\xa0\x12\x67\x12\x10\x92\xde\x92\x00\x02\x75\xd7\x63\xcf"
      "\xf0\x49\x53\xb0\x6d\xdd\x5c\xaf\x01\x74\xc4\x38\x23\xac\xe0\xa4\x1d\xb3"
      "\x00\xee\x40\x0b\x02\xf7\x8b\x72\x05\x91\x0c\x0a\xa5\xc9\x14\xd7\xaa\xad"
      "\xce\x43\xc3\x51\x3d\xdd\x23\x74\xf1\xed\xe6\x30\xaf\x9e\x6d\xd1\xc9\x0d"
      "\x77\x51\x3d\xd9\xf7\x66\xd1\xe6\xff\x4c\x7a\xd2\x27\xb4\xf3\xaa\x48\xe9"
      "\x18\x5b\xb1\xd9\x56\x3b\xd0\x2c\x5e\x25\x9b\xad\xed\x02\x14\x68\x66\xe0"
      "\x7c\x85\x9d\xbe\x7b\x90\x34\xb2\xfa\x79\xb5\xf3\x8b\x65\xe7\x1d\x31\x1f"
      "\xb5\x86\x5d\x4f\x21\x30\x24\x61\xa3\xbc\xc6\x92\xcc\x1f\x9a\x9e\x87\xc2"
      "\x9f\xdd\xb9\xa6\x72\x10\x62\x70\xd8\xb1\x56\x5d\xb4\x6d\x2b\x52\x55\x5d"
      "\xa9\xd4\x57\xb9\xbf\x9c\x9a\xdf\x91\x08\xc2\x73\xa1\x90\xaf\x02\x2c\xa3"
      "\xd2\xb7\x96\x40\x88\x52\xd4\xdb\x6f\xaf\x6c\xd0\x41\x8a\x0a\xad\xa7\x69"
      "\x58\xb4\x6f\x0b\xdd\x57\x01\x46\x50\x51\xa3\xbd\xc4\x6f\x92\xee\xa7\x6f"
      "\xc8\x8e\xcc\x9a\x37\x4a\x0a\xb5\x99\xe7\x69\xad\x3c\xfb\xa3\x33\xfd\x60"
      "\x30\xfe\x35\xf5\x57\xd1\x62\x06\x28\xcb\xd5\xc6\x1f\xd3\xce\x24\x96\xce"
      "\x67\xd2\x11\xee\x00\xec\x44\xbc\x6f\xea\xdf\x6c\x7f\xde\x6a\xd8\xb3\x1f"
      "\x26\xf5\xfe\xdb\x14\x24\x8b\x89\xe6\x1f\x52\xb3\x97\x1c\x50\xf3\x01\x4e"
      "\x64\x4e\xbd\xe9\x45\xf0\xcd\xe4\x3e\x50\xde\x44\x60\xc0\x49\xfd\x62\x98"
      "\xe7\x87\x02\xa2\xce\x03\x97\x6e\x49\xde\x23\x43\x7c\x90\x71\x44\x3f\x1a"
      "\x4e\x50\x4b\x6b\x18\x7b\xf6\x97\x03\xcc\x84\x09\x23\x1b\x30\x90\x05\xba"
      "\xb2\xa6\xcb\xa4\x5e\x35\x5b\xe5\x9f\x46\x89\xa6\x3e\x8d\xa6\x12\xa8\xbb"
      "\xc0\x48\x62\x0b\x69\xfb\x0b\xfa\xc7\x84\x44\xb5\x87\x3e\xff\x07\x8f\x99"
      "\xf3\x46\x95\x6f\x5a\xfd\xd6\x91\x4e\x52\xcd\xc8\x92\x63\x7e\x09\x2c\xcb"
      "\xd1\xb1\x06\x34\x08\x1a\x04\x54\x0b\x7d\x7e\x10\xae\xca\xea\x6d\x89\x4c"
      "\xac\x05\x0f\x49\x83\xe4\xd2\x15\x3c\x37\xf4\x55\x9a\xfe\xb3\x4b\xba\x00"
      "\x67\x7b\x12\xfc\xb2\x91\xd3\x55\x22\x1c\xf5\x45\xbf\xdf\xce\x99\x5b\xa4"
      "\x51\x08\x71\x0e\x72\x64\x92\x08\x23\x67\x4a\x37\x45\x65\xf1\x77\xf5\x01"
      "\x1a\x83\x64\xb0\x6b\x40\x67\xde\x23\x38\xf1\x95\x9a\x0f\x72\x62\x9d\x87"
      "\xff\xc0\x88\xfb\x33\x24\xdb\x0d\x89\x5b\xc8\x49\xfd\x70\xbd\xfc\x37\xbd"
      "\x8e\x7d\x50\x57\xa1\x19\x63\xaf\x73\xf7\x92\x43\xb5\x6b\x62\x34\x3b\x34"
      "\x36\xb0\xef\x4d\x66\xbf\xf0\xbd\x32\xad\x7f\x43\xf3\x88\x6a\x3e\xb4\x0e"
      "\x15\x37\x2c\x26\x56\x99\xf4\x16\x12\x15\xc1\x9f\x71\xb6\xdc\x8c\xc8\x79"
      "\x36\xde\xfd\x49\xd0\xc5\x3d\x30\xe4\x5d\x05\xaa\x35\xaa\xd2\x4e\x4f\x42"
      "\xb9\x36\x65\x78\x1e\xf9\x14\xfe\x8a\xae\x7d\x8f\x2e\x60\xfc\x8e\x9b\x70"
      "\xa2\xac\x9d\x89\x8d\x6c\x54\xd0\xd3\x3e\x5e\x74\x5a\x66\xb4\xa9\x2b\xd0"
      "\xa2\x6d\xcd\xc2\x38\xaa\x37\x5e\x37\xd1\xbd\x02\x16\x79\xef\x92\x3d\x14"
      "\xef\x04\x6b\xc2\xbc\x27\x44\x8d\xa7\xec\x9e\xe5\x37\x45\xa3\xc7\x4a\x01"
      "\xff\x1b\x0b\xf9\xd7\xa1\x79\x00\xc6\xea\x68\xf9\x00\x9c\x0c\x56\xb5\xbc"
      "\xe6\x50\x40\xc2\x9f\xed\x64\xb8\xb9\x71\x26\xd4\x8b\xf6\x62\xeb\xa3\xe2"
      "\xd4\x5a\x32\xac\x52\x8a\x1b\xaa\x99\xc5\xbf\x85\x21\x0d\xb0\x4c\xd7\x0a"
      "\x86\x8a\x2c\xc5\xa0\xae\xa9\x9f\x93\xe7\xbe\x88\xfc\x72\xcb\x5c\x9d\x4a"
      "\x29\x90\x56\x4b\x81\x26\x01\xfe\xca\x7a\x25\x54\x86\xff\xbd\xa3\xb5\x12"
      "\xa7\x1a\x62\xbe\x3f\x2b\x42\x38\x60\x02\x7d\xaa\xfa\x91\x72\x53\xb5\xe5"
      "\x73\x00\xf8\xd7\x72\xde\x58\xe8\x92\x06\x60\xdf\xb8\x71\x1d\x54\x29\x7c"
      "\x98\xd1\x9c\x20\x85\x13\xca\x42\xa9\x12\xb2\x9f\x9b\x64\xfa\x4c\xac\xea"
      "\x87\x10\x0f\xa6\x60\x5b\x1e\xa7\x49\xfa\x6a\xda\x17\xd8\xf8\x62\x93\x48"
      "\x95\xb5\x55\x66\x89\xd0\xe4\x1a\x08\x86\x04\xb9\x85\x8a\x2d\x3d\x50\x14"
      "\xd7\xd3\x2e\xcf\xc5\x66\xf6\x0d\xc1\xe0\x63\xe2\xbe\x35\xa8\x6a\xa0\x2a"
      "\x20\xb1\x49\xe2\x02\x3b\x3f\x3d\xcd\xe3\x22\x20\x7d\xe5\x61\x3f\x4f\xfd"
      "\x7a\xdf\x2c\x11\x96\x7c\xf6\x0d\x4a\xbe\xa8\x87\x5d\x84\x69\x59\x41\xc9"
      "\xce\xb6\x5a\x89\x8c\x20\x75\xcf\xc7\x87\x52\x38\x1f\x22\x51\xd3\x63\x35"
      "\x82\x0b\xf8\x2e\x55\x49\x06\x1d\xe7\x8d\x8a\x0a\x85\x86\x6c\x39\xe7\x72"
      "\xca\xe2\x6f\x49\xf9\x2f\x3c\x53\x32\xeb\x44\x05\x05\xb7\x49\x4c\x07\x24"
      "\xd1\xab\x54\xea\x1c\xc5\xcc\xc2\x08\x94\x49\xbf\x2c\xd8\x7a\x57\x9b\xc0"
      "\x20\xff\xc8\x73\xa1\xbc\x52\x91\x17\xc1\xbd\x41\x81\x80\xcd\x84\x19\x1a"
      "\x47\xe3\x05\x4e\x0e\x70\x7a\x27\xed\xa8\xa7\x22\x80\xb1\xcf\x92\xe1\x26"
      "\x59\x73\xdb\x78\xe3\x24\x14\x14\x8a\x80\x08\xf6\x46\xf6\x06\x8c\x33\xc6"
      "\xbe\xba\x67\xb3\x98\xe1\xce\xee\xf5\x2d\xa6\xe9\x4e\x2a\xb0\x0a\xda\xf5"
      "\x38\x88\xfa\xaf\x37\xec\x2d\x0c\xdd\x0c\x33\x4c\x07\xc7\x5a\xcb\x6d\xcf"
      "\xe6\xfd\xd2\xba\xed\x92\x66\x44\xf2\x98\xdb\x05\xb7\x03\xa8\x0c\x73\x6c"
      "\xb0\x3f\xf2\xab\x77\x59\xdd\xa5\xc1\x0f\x1f\x3f\xfb\x85\x5d\x7b\x88\x63"
      "\xa3\xfb\x26\xb8\xee\x46\xfb\x23\xdf\x56\x7d\xa6\x0e\x04\x7a\x0e\x85\x61"
      "\x62\x2c\x22\x60\x2e\xf7\x19\xc2\xd6\xb3\x09\xf8\x9d\xf1\x60\x0f\x8c\x4a"
      "\x83\x04\xd9\x93\xa9\xdb\x25\xb7\xa6\xa1\x72\x08\x17\x59\xd1\x6d\x32\xc7"
      "\xfe\x3f\xba\xad\x8d\xab\x55\x8a\x05\x60\x4b\xfe\xcd\xbe\xbf\x8a\xab\xc0"
      "\xf3\x35\xdf\xe0\xcc\x1b\x28\xfd\xd6\x52\x5b\x90\x01\x88\x17\x1d\x6b\x22"
      "\x99\xa1\x65\x67\x68\xfd\xd8\x8a\xf4\xd8\x6b\x36\xd0\x43\x41\xea\xfe\x8a"
      "\x33\xfc\x70\x54\x90\xed\xd8\x27\x90\x39\xe2\xcd\x5b\xe7\xb2\xa2\x41\xd7"
      "\xb8\x5b\xf5\xa5\xea\xb3\x5f\x77\x2b\x81\x6c\x34\x65\xeb\x2c\xfa\x9a\xb3"
      "\x01\xd2\x1f\x57\xd1\x86\x76\xb8\x35\x42\x23\x55\xd6\xac\x46\xec\x42\x89"
      "\xab\x5d\xa7\xef\xcf\xa3\x33\x46\xb5\x1e\xee\x37\xaa\xa7\x3e\x8c\xaa\xa7"
      "\x34\x5b\x26\x20\x5e\x44\x71\xe4\xc0\x20\x6b\x3f\x3d\xee\x47\x86\xb9\xa5"
      "\x7a\x98\x7e\x77\x2c\x8d\x87\x23\xd8\x30\xd9\x99\x10\x7a\x44\x81\xd6\x02"
      "\x95\xf5\xa0\xd1\x4e\xb9\x34\x58\xfa\xdd\x59\xb4\x16\xba\xd7\x33\x8c\xfb"
      "\x79\x17\x6f\x79\xe4\x90\x43\xea\x04\x31",
      4096);
  *(uint16_t*)0x200026c4 = 0x1000;
  // 0x1006 = 4 (type) + 4096 (payload) + 2 (16-bit field stored just above).
  syscall(__NR_write, r[0], 0x200016c0ul, 0x1006ul);
}

// Entry point. Maps 16 MiB at the fixed address 0x20000000 (prot 3 =
// PROT_READ|PROT_WRITE, flags 0x32 = MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS) so
// the hard-coded addresses in execute_one() are valid, then forks workers
// that each enter do_sandbox_none(). The mmap result is not checked. The
// initial process then just sleeps; the test activity happens in descendants.
int main(void)
{
  syscall(__NR_mmap, 0x20000000ul, 0x1000000ul, 3ul, 0x32ul, -1, 0);
  for (procid = 0; procid < 6; procid++) {
    if (fork() == 0) {
      do_sandbox_none();
    }
  }
  sleep(1000000);
  return 0;
}