// https://syzkaller.appspot.com/bug?id=130cae4a4387fae6614fccf5eed180400ea30948
// autogenerated by syzkaller (https://github.com/google/syzkaller)
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <dirent.h>
#include <endian.h>
#include <errno.h>
#include <fcntl.h>
#include <net/if.h>
#include <net/if_arp.h>
#include <netinet/in.h>
#include <pthread.h>
#include <sched.h>
#include <setjmp.h>
#include <signal.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/mount.h>
#include <sys/prctl.h>
#include <sys/resource.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/time.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>
#include <linux/capability.h>
#include <linux/futex.h>
#include <linux/genetlink.h>
#include <linux/if_addr.h>
#include <linux/if_ether.h>
#include <linux/if_link.h>
#include <linux/if_tun.h>
#include <linux/in6.h>
#include <linux/ip.h>
#include <linux/neighbour.h>
#include <linux/net.h>
#include <linux/netlink.h>
#include <linux/nl80211.h>
#include <linux/rfkill.h>
#include <linux/rtnetlink.h>
#include <linux/tcp.h>
#include <linux/veth.h>
static unsigned long long procid;
static __thread int skip_segv;
static __thread jmp_buf segv_env;
static void segv_handler(int sig, siginfo_t* info, void* ctx)
{
uintptr_t addr = (uintptr_t)info->si_addr;
const uintptr_t prog_start = 1 << 20;
const uintptr_t prog_end = 100 << 20;
int skip = __atomic_load_n(&skip_segv, __ATOMIC_RELAXED) != 0;
int valid = addr < prog_start || addr > prog_end;
if (skip && valid) {
_longjmp(segv_env, 1);
}
exit(sig);
}
static void install_segv_handler(void)
{
struct sigaction sa;
memset(&sa, 0, sizeof(sa));
sa.sa_handler = SIG_IGN;
syscall(SYS_rt_sigaction, 0x20, &sa, NULL, 8);
syscall(SYS_rt_sigaction, 0x21, &sa, NULL, 8);
memset(&sa, 0, sizeof(sa));
sa.sa_sigaction = segv_handler;
sa.sa_flags = SA_NODEFER | SA_SIGINFO;
sigaction(SIGSEGV, &sa, NULL);
sigaction(SIGBUS, &sa, NULL);
}
#define NONFAILING(...) \
({ \
int ok = 1; \
__atomic_fetch_add(&skip_segv, 1, __ATOMIC_SEQ_CST); \
if (_setjmp(segv_env) == 0) { \
__VA_ARGS__; \
} else \
ok = 0; \
__atomic_fetch_sub(&skip_segv, 1, __ATOMIC_SEQ_CST); \
ok; \
})
static void sleep_ms(uint64_t ms)
{
usleep(ms * 1000);
}
static uint64_t current_time_ms(void)
{
struct timespec ts;
if (clock_gettime(CLOCK_MONOTONIC, &ts))
exit(1);
return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}
static void thread_start(void* (*fn)(void*), void* arg)
{
pthread_t th;
pthread_attr_t attr;
pthread_attr_init(&attr);
pthread_attr_setstacksize(&attr, 128 << 10);
int i = 0;
for (; i < 100; i++) {
if (pthread_create(&th, &attr, fn, arg) == 0) {
pthread_attr_destroy(&attr);
return;
}
if (errno == EAGAIN) {
usleep(50);
continue;
}
break;
}
exit(1);
}
typedef struct {
int state;
} event_t;
static void event_init(event_t* ev)
{
ev->state = 0;
}
static void event_reset(event_t* ev)
{
ev->state = 0;
}
static void event_set(event_t* ev)
{
if (ev->state)
exit(1);
__atomic_store_n(&ev->state, 1, __ATOMIC_RELEASE);
syscall(SYS_futex, &ev->state, FUTEX_WAKE | FUTEX_PRIVATE_FLAG, 1000000);
}
static void event_wait(event_t* ev)
{
while (!__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE))
syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, 0);
}
static int event_isset(event_t* ev)
{
return __atomic_load_n(&ev->state, __ATOMIC_ACQUIRE);
}
static int event_timedwait(event_t* ev, uint64_t timeout)
{
uint64_t start = current_time_ms();
uint64_t now = start;
for (;;) {
uint64_t remain = timeout - (now - start);
struct timespec ts;
ts.tv_sec = remain / 1000;
ts.tv_nsec = (remain % 1000) * 1000 * 1000;
syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, &ts);
if (__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE))
return 1;
now = current_time_ms();
if (now - start > timeout)
return 0;
}
}
static bool write_file(const char* file, const char* what, ...)
{
char buf[1024];
va_list args;
va_start(args, what);
vsnprintf(buf, sizeof(buf), what, args);
va_end(args);
buf[sizeof(buf) - 1] = 0;
int len = strlen(buf);
int fd = open(file, O_WRONLY | O_CLOEXEC);
if (fd == -1)
return false;
if (write(fd, buf, len) != len) {
int err = errno;
close(fd);
errno = err;
return false;
}
close(fd);
return true;
}
struct nlmsg {
char* pos;
int nesting;
struct nlattr* nested[8];
char buf[4096];
};
static void netlink_init(struct nlmsg* nlmsg, int typ, int flags,
const void* data, int size)
{
memset(nlmsg, 0, sizeof(*nlmsg));
struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf;
hdr->nlmsg_type = typ;
hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags;
memcpy(hdr + 1, data, size);
nlmsg->pos = (char*)(hdr + 1) + NLMSG_ALIGN(size);
}
static void netlink_attr(struct nlmsg* nlmsg, int typ, const void* data,
int size)
{
struct nlattr* attr = (struct nlattr*)nlmsg->pos;
attr->nla_len = sizeof(*attr) + size;
attr->nla_type = typ;
if (size > 0)
memcpy(attr + 1, data, size);
nlmsg->pos += NLMSG_ALIGN(attr->nla_len);
}
static int netlink_send_ext(struct nlmsg* nlmsg, int sock, uint16_t reply_type,
int* reply_len, bool dofail)
{
if (nlmsg->pos > nlmsg->buf + sizeof(nlmsg->buf) || nlmsg->nesting)
exit(1);
struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf;
hdr->nlmsg_len = nlmsg->pos - nlmsg->buf;
struct sockaddr_nl addr;
memset(&addr, 0, sizeof(addr));
addr.nl_family = AF_NETLINK;
ssize_t n = sendto(sock, nlmsg->buf, hdr->nlmsg_len, 0,
(struct sockaddr*)&addr, sizeof(addr));
if (n != (ssize_t)hdr->nlmsg_len) {
if (dofail)
exit(1);
return -1;
}
n = recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0);
if (reply_len)
*reply_len = 0;
if (n < 0) {
if (dofail)
exit(1);
return -1;
}
if (n < (ssize_t)sizeof(struct nlmsghdr)) {
errno = EINVAL;
if (dofail)
exit(1);
return -1;
}
if (hdr->nlmsg_type == NLMSG_DONE)
return 0;
if (reply_len && hdr->nlmsg_type == reply_type) {
*reply_len = n;
return 0;
}
if (n < (ssize_t)(sizeof(struct nlmsghdr) + sizeof(struct nlmsgerr))) {
errno = EINVAL;
if (dofail)
exit(1);
return -1;
}
if (hdr->nlmsg_type != NLMSG_ERROR) {
errno = EINVAL;
if (dofail)
exit(1);
return -1;
}
errno = -((struct nlmsgerr*)(hdr + 1))->error;
return -errno;
}
static int netlink_send(struct nlmsg* nlmsg, int sock)
{
return netlink_send_ext(nlmsg, sock, 0, NULL, true);
}
static int netlink_query_family_id(struct nlmsg* nlmsg, int sock,
const char* family_name, bool dofail)
{
struct genlmsghdr genlhdr;
memset(&genlhdr, 0, sizeof(genlhdr));
genlhdr.cmd = CTRL_CMD_GETFAMILY;
netlink_init(nlmsg, GENL_ID_CTRL, 0, &genlhdr, sizeof(genlhdr));
netlink_attr(nlmsg, CTRL_ATTR_FAMILY_NAME, family_name,
strnlen(family_name, GENL_NAMSIZ - 1) + 1);
int n = 0;
int err = netlink_send_ext(nlmsg, sock, GENL_ID_CTRL, &n, dofail);
if (err < 0) {
return -1;
}
uint16_t id = 0;
struct nlattr* attr = (struct nlattr*)(nlmsg->buf + NLMSG_HDRLEN +
NLMSG_ALIGN(sizeof(genlhdr)));
for (; (char*)attr < nlmsg->buf + n;
attr = (struct nlattr*)((char*)attr + NLMSG_ALIGN(attr->nla_len))) {
if (attr->nla_type == CTRL_ATTR_FAMILY_ID) {
id = *(uint16_t*)(attr + 1);
break;
}
}
if (!id) {
errno = EINVAL;
return -1;
}
recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0);
return id;
}
static void netlink_device_change(struct nlmsg* nlmsg, int sock,
const char* name, bool up, const char* master,
const void* mac, int macsize,
const char* new_name)
{
struct ifinfomsg hdr;
memset(&hdr, 0, sizeof(hdr));
if (up)
hdr.ifi_flags = hdr.ifi_change = IFF_UP;
hdr.ifi_index = if_nametoindex(name);
netlink_init(nlmsg, RTM_NEWLINK, 0, &hdr, sizeof(hdr));
if (new_name)
netlink_attr(nlmsg, IFLA_IFNAME, new_name, strlen(new_name));
if (master) {
int ifindex = if_nametoindex(master);
netlink_attr(nlmsg, IFLA_MASTER, &ifindex, sizeof(ifindex));
}
if (macsize)
netlink_attr(nlmsg, IFLA_ADDRESS, mac, macsize);
int err = netlink_send(nlmsg, sock);
if (err < 0) {
}
}
static int netlink_add_addr(struct nlmsg* nlmsg, int sock, const char* dev,
const void* addr, int addrsize)
{
struct ifaddrmsg hdr;
memset(&hdr, 0, sizeof(hdr));
hdr.ifa_family = addrsize == 4 ? AF_INET : AF_INET6;
hdr.ifa_prefixlen = addrsize == 4 ? 24 : 120;
hdr.ifa_scope = RT_SCOPE_UNIVERSE;
hdr.ifa_index = if_nametoindex(dev);
netlink_init(nlmsg, RTM_NEWADDR, NLM_F_CREATE | NLM_F_REPLACE, &hdr,
sizeof(hdr));
netlink_attr(nlmsg, IFA_LOCAL, addr, addrsize);
netlink_attr(nlmsg, IFA_ADDRESS, addr, addrsize);
return netlink_send(nlmsg, sock);
}
static void netlink_add_addr4(struct nlmsg* nlmsg, int sock, const char* dev,
const char* addr)
{
struct in_addr in_addr;
inet_pton(AF_INET, addr, &in_addr);
int err = netlink_add_addr(nlmsg, sock, dev, &in_addr, sizeof(in_addr));
if (err < 0) {
}
}
static void netlink_add_addr6(struct nlmsg* nlmsg, int sock, const char* dev,
const char* addr)
{
struct in6_addr in6_addr;
inet_pton(AF_INET6, addr, &in6_addr);
int err = netlink_add_addr(nlmsg, sock, dev, &in6_addr, sizeof(in6_addr));
if (err < 0) {
}
}
static void netlink_add_neigh(struct nlmsg* nlmsg, int sock, const char* name,
const void* addr, int addrsize, const void* mac,
int macsize)
{
struct ndmsg hdr;
memset(&hdr, 0, sizeof(hdr));
hdr.ndm_family = addrsize == 4 ? AF_INET : AF_INET6;
hdr.ndm_ifindex = if_nametoindex(name);
hdr.ndm_state = NUD_PERMANENT;
netlink_init(nlmsg, RTM_NEWNEIGH, NLM_F_EXCL | NLM_F_CREATE, &hdr,
sizeof(hdr));
netlink_attr(nlmsg, NDA_DST, addr, addrsize);
netlink_attr(nlmsg, NDA_LLADDR, mac, macsize);
int err = netlink_send(nlmsg, sock);
if (err < 0) {
}
}
static struct nlmsg nlmsg;
static int tunfd = -1;
#define TUN_IFACE "syz_tun"
#define LOCAL_MAC 0xaaaaaaaaaaaa
#define REMOTE_MAC 0xaaaaaaaaaabb
#define LOCAL_IPV4 "172.20.20.170"
#define REMOTE_IPV4 "172.20.20.187"
#define LOCAL_IPV6 "fe80::aa"
#define REMOTE_IPV6 "fe80::bb"
#define IFF_NAPI 0x0010
static void initialize_tun(void)
{
tunfd = open("/dev/net/tun", O_RDWR | O_NONBLOCK);
if (tunfd == -1) {
printf("tun: can't open /dev/net/tun: please enable CONFIG_TUN=y\n");
printf("otherwise fuzzing or reproducing might not work as intended\n");
return;
}
const int kTunFd = 240;
if (dup2(tunfd, kTunFd) < 0)
exit(1);
close(tunfd);
tunfd = kTunFd;
struct ifreq ifr;
memset(&ifr, 0, sizeof(ifr));
strncpy(ifr.ifr_name, TUN_IFACE, IFNAMSIZ);
ifr.ifr_flags = IFF_TAP | IFF_NO_PI;
if (ioctl(tunfd, TUNSETIFF, (void*)&ifr) < 0) {
exit(1);
}
char sysctl[64];
sprintf(sysctl, "/proc/sys/net/ipv6/conf/%s/accept_dad", TUN_IFACE);
write_file(sysctl, "0");
sprintf(sysctl, "/proc/sys/net/ipv6/conf/%s/router_solicitations", TUN_IFACE);
write_file(sysctl, "0");
int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
if (sock == -1)
exit(1);
netlink_add_addr4(&nlmsg, sock, TUN_IFACE, LOCAL_IPV4);
netlink_add_addr6(&nlmsg, sock, TUN_IFACE, LOCAL_IPV6);
uint64_t macaddr = REMOTE_MAC;
struct in_addr in_addr;
inet_pton(AF_INET, REMOTE_IPV4, &in_addr);
netlink_add_neigh(&nlmsg, sock, TUN_IFACE, &in_addr, sizeof(in_addr),
&macaddr, ETH_ALEN);
struct in6_addr in6_addr;
inet_pton(AF_INET6, REMOTE_IPV6, &in6_addr);
netlink_add_neigh(&nlmsg, sock, TUN_IFACE, &in6_addr, sizeof(in6_addr),
&macaddr, ETH_ALEN);
macaddr = LOCAL_MAC;
netlink_device_change(&nlmsg, sock, TUN_IFACE, true, 0, &macaddr, ETH_ALEN,
NULL);
close(sock);
}
#define WIFI_INITIAL_DEVICE_COUNT 2
#define WIFI_MAC_BASE \
{ \
0x08, 0x02, 0x11, 0x00, 0x00, 0x00 \
}
#define WIFI_IBSS_BSSID \
{ \
0x50, 0x50, 0x50, 0x50, 0x50, 0x50 \
}
#define WIFI_IBSS_SSID \
{ \
0x10, 0x10, 0x10, 0x10, 0x10, 0x10 \
}
#define WIFI_DEFAULT_FREQUENCY 2412
#define WIFI_DEFAULT_SIGNAL 0
#define WIFI_DEFAULT_RX_RATE 1
#define HWSIM_CMD_REGISTER 1
#define HWSIM_CMD_FRAME 2
#define HWSIM_CMD_NEW_RADIO 4
#define HWSIM_ATTR_SUPPORT_P2P_DEVICE 14
#define HWSIM_ATTR_PERM_ADDR 22
#define IF_OPER_UP 6
struct join_ibss_props {
int wiphy_freq;
bool wiphy_freq_fixed;
uint8_t* mac;
uint8_t* ssid;
int ssid_len;
};
static int set_interface_state(const char* interface_name, int on)
{
struct ifreq ifr;
int sock = socket(AF_INET, SOCK_DGRAM, 0);
if (sock < 0) {
return -1;
}
memset(&ifr, 0, sizeof(ifr));
strcpy(ifr.ifr_name, interface_name);
int ret = ioctl(sock, SIOCGIFFLAGS, &ifr);
if (ret < 0) {
close(sock);
return -1;
}
if (on)
ifr.ifr_flags |= IFF_UP;
else
ifr.ifr_flags &= ~IFF_UP;
ret = ioctl(sock, SIOCSIFFLAGS, &ifr);
close(sock);
if (ret < 0) {
return -1;
}
return 0;
}
static int nl80211_set_interface(struct nlmsg* nlmsg, int sock,
int nl80211_family, uint32_t ifindex,
uint32_t iftype)
{
struct genlmsghdr genlhdr;
memset(&genlhdr, 0, sizeof(genlhdr));
genlhdr.cmd = NL80211_CMD_SET_INTERFACE;
netlink_init(nlmsg, nl80211_family, 0, &genlhdr, sizeof(genlhdr));
netlink_attr(nlmsg, NL80211_ATTR_IFINDEX, &ifindex, sizeof(ifindex));
netlink_attr(nlmsg, NL80211_ATTR_IFTYPE, &iftype, sizeof(iftype));
int err = netlink_send(nlmsg, sock);
if (err < 0) {
}
return err;
}
static int nl80211_join_ibss(struct nlmsg* nlmsg, int sock, int nl80211_family,
uint32_t ifindex, struct join_ibss_props* props)
{
struct genlmsghdr genlhdr;
memset(&genlhdr, 0, sizeof(genlhdr));
genlhdr.cmd = NL80211_CMD_JOIN_IBSS;
netlink_init(nlmsg, nl80211_family, 0, &genlhdr, sizeof(genlhdr));
netlink_attr(nlmsg, NL80211_ATTR_IFINDEX, &ifindex, sizeof(ifindex));
netlink_attr(nlmsg, NL80211_ATTR_SSID, props->ssid, props->ssid_len);
netlink_attr(nlmsg, NL80211_ATTR_WIPHY_FREQ, &(props->wiphy_freq),
sizeof(props->wiphy_freq));
if (props->mac)
netlink_attr(nlmsg, NL80211_ATTR_MAC, props->mac, ETH_ALEN);
if (props->wiphy_freq_fixed)
netlink_attr(nlmsg, NL80211_ATTR_FREQ_FIXED, NULL, 0);
int err = netlink_send(nlmsg, sock);
if (err < 0) {
}
return err;
}
static int get_ifla_operstate(struct nlmsg* nlmsg, int ifindex)
{
struct ifinfomsg info;
memset(&info, 0, sizeof(info));
info.ifi_family = AF_UNSPEC;
info.ifi_index = ifindex;
int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
if (sock == -1) {
return -1;
}
netlink_init(nlmsg, RTM_GETLINK, 0, &info, sizeof(info));
int n;
int err = netlink_send_ext(nlmsg, sock, RTM_NEWLINK, &n, true);
close(sock);
if (err) {
return -1;
}
struct rtattr* attr = IFLA_RTA(NLMSG_DATA(nlmsg->buf));
for (; RTA_OK(attr, n); attr = RTA_NEXT(attr, n)) {
if (attr->rta_type == IFLA_OPERSTATE)
return *((int32_t*)RTA_DATA(attr));
}
return -1;
}
static int await_ifla_operstate(struct nlmsg* nlmsg, char* interface,
int operstate)
{
int ifindex = if_nametoindex(interface);
while (true) {
usleep(1000);
int ret = get_ifla_operstate(nlmsg, ifindex);
if (ret < 0)
return ret;
if (ret == operstate)
return 0;
}
return 0;
}
static int nl80211_setup_ibss_interface(struct nlmsg* nlmsg, int sock,
int nl80211_family_id, char* interface,
struct join_ibss_props* ibss_props)
{
int ifindex = if_nametoindex(interface);
if (ifindex == 0) {
return -1;
}
int ret = nl80211_set_interface(nlmsg, sock, nl80211_family_id, ifindex,
NL80211_IFTYPE_ADHOC);
if (ret < 0) {
return -1;
}
ret = set_interface_state(interface, 1);
if (ret < 0) {
return -1;
}
ret = nl80211_join_ibss(nlmsg, sock, nl80211_family_id, ifindex, ibss_props);
if (ret < 0) {
return -1;
}
return 0;
}
static int hwsim80211_create_device(struct nlmsg* nlmsg, int sock,
int hwsim_family,
uint8_t mac_addr[ETH_ALEN])
{
struct genlmsghdr genlhdr;
memset(&genlhdr, 0, sizeof(genlhdr));
genlhdr.cmd = HWSIM_CMD_NEW_RADIO;
netlink_init(nlmsg, hwsim_family, 0, &genlhdr, sizeof(genlhdr));
netlink_attr(nlmsg, HWSIM_ATTR_SUPPORT_P2P_DEVICE, NULL, 0);
netlink_attr(nlmsg, HWSIM_ATTR_PERM_ADDR, mac_addr, ETH_ALEN);
int err = netlink_send(nlmsg, sock);
if (err < 0) {
}
return err;
}
static void initialize_wifi_devices(void)
{
int rfkill = open("/dev/rfkill", O_RDWR);
if (rfkill == -1) {
if (errno != ENOENT && errno != EACCES)
exit(1);
} else {
struct rfkill_event event = {0};
event.type = RFKILL_TYPE_ALL;
event.op = RFKILL_OP_CHANGE_ALL;
if (write(rfkill, &event, sizeof(event)) != (ssize_t)(sizeof(event)))
exit(1);
close(rfkill);
}
uint8_t mac_addr[6] = WIFI_MAC_BASE;
int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC);
if (sock < 0) {
return;
}
int hwsim_family_id =
netlink_query_family_id(&nlmsg, sock, "MAC80211_HWSIM", true);
int nl80211_family_id =
netlink_query_family_id(&nlmsg, sock, "nl80211", true);
uint8_t ssid[] = WIFI_IBSS_SSID;
uint8_t bssid[] = WIFI_IBSS_BSSID;
struct join_ibss_props ibss_props = {.wiphy_freq = WIFI_DEFAULT_FREQUENCY,
.wiphy_freq_fixed = true,
.mac = bssid,
.ssid = ssid,
.ssid_len = sizeof(ssid)};
for (int device_id = 0; device_id < WIFI_INITIAL_DEVICE_COUNT; device_id++) {
mac_addr[5] = device_id;
int ret = hwsim80211_create_device(&nlmsg, sock, hwsim_family_id, mac_addr);
if (ret < 0)
exit(1);
char interface[6] = "wlan0";
interface[4] += device_id;
if (nl80211_setup_ibss_interface(&nlmsg, sock, nl80211_family_id, interface,
&ibss_props) < 0)
exit(1);
}
for (int device_id = 0; device_id < WIFI_INITIAL_DEVICE_COUNT; device_id++) {
char interface[6] = "wlan0";
interface[4] += device_id;
int ret = await_ifla_operstate(&nlmsg, interface, IF_OPER_UP);
if (ret < 0)
exit(1);
}
close(sock);
}
static int read_tun(char* data, int size)
{
if (tunfd < 0)
return -1;
int rv = read(tunfd, data, size);
if (rv < 0) {
if (errno == EAGAIN || errno == EBADFD)
return -1;
exit(1);
}
return rv;
}
static void flush_tun()
{
char data[1000];
while (read_tun(&data[0], sizeof(data)) != -1) {
}
}
#define MAX_FDS 30
static void setup_common()
{
if (mount(0, "/sys/fs/fuse/connections", "fusectl", 0, 0)) {
}
}
static void loop();
static void sandbox_common()
{
prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
setsid();
struct rlimit rlim;
rlim.rlim_cur = rlim.rlim_max = (200 << 20);
setrlimit(RLIMIT_AS, &rlim);
rlim.rlim_cur = rlim.rlim_max = 32 << 20;
setrlimit(RLIMIT_MEMLOCK, &rlim);
rlim.rlim_cur = rlim.rlim_max = 136 << 20;
setrlimit(RLIMIT_FSIZE, &rlim);
rlim.rlim_cur = rlim.rlim_max = 1 << 20;
setrlimit(RLIMIT_STACK, &rlim);
rlim.rlim_cur = rlim.rlim_max = 0;
setrlimit(RLIMIT_CORE, &rlim);
rlim.rlim_cur = rlim.rlim_max = 256;
setrlimit(RLIMIT_NOFILE, &rlim);
if (unshare(CLONE_NEWNS)) {
}
if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL)) {
}
if (unshare(CLONE_NEWIPC)) {
}
if (unshare(0x02000000)) {
}
if (unshare(CLONE_NEWUTS)) {
}
if (unshare(CLONE_SYSVSEM)) {
}
typedef struct {
const char* name;
const char* value;
} sysctl_t;
static const sysctl_t sysctls[] = {
{"/proc/sys/kernel/shmmax", "16777216"},
{"/proc/sys/kernel/shmall", "536870912"},
{"/proc/sys/kernel/shmmni", "1024"},
{"/proc/sys/kernel/msgmax", "8192"},
{"/proc/sys/kernel/msgmni", "1024"},
{"/proc/sys/kernel/msgmnb", "1024"},
{"/proc/sys/kernel/sem", "1024 1048576 500 1024"},
};
unsigned i;
for (i = 0; i < sizeof(sysctls) / sizeof(sysctls[0]); i++)
write_file(sysctls[i].name, sysctls[i].value);
}
static int wait_for_loop(int pid)
{
if (pid < 0)
exit(1);
int status = 0;
while (waitpid(-1, &status, __WALL) != pid) {
}
return WEXITSTATUS(status);
}
static void drop_caps(void)
{
struct __user_cap_header_struct cap_hdr = {};
struct __user_cap_data_struct cap_data[2] = {};
cap_hdr.version = _LINUX_CAPABILITY_VERSION_3;
cap_hdr.pid = getpid();
if (syscall(SYS_capget, &cap_hdr, &cap_data))
exit(1);
const int drop = (1 << CAP_SYS_PTRACE) | (1 << CAP_SYS_NICE);
cap_data[0].effective &= ~drop;
cap_data[0].permitted &= ~drop;
cap_data[0].inheritable &= ~drop;
if (syscall(SYS_capset, &cap_hdr, &cap_data))
exit(1);
}
static int do_sandbox_none(void)
{
if (unshare(CLONE_NEWPID)) {
}
int pid = fork();
if (pid != 0)
return wait_for_loop(pid);
setup_common();
sandbox_common();
drop_caps();
if (unshare(CLONE_NEWNET)) {
}
initialize_tun();
initialize_wifi_devices();
loop();
exit(1);
}
static void kill_and_wait(int pid, int* status)
{
kill(-pid, SIGKILL);
kill(pid, SIGKILL);
for (int i = 0; i < 100; i++) {
if (waitpid(-1, status, WNOHANG | __WALL) == pid)
return;
usleep(1000);
}
DIR* dir = opendir("/sys/fs/fuse/connections");
if (dir) {
for (;;) {
struct dirent* ent = readdir(dir);
if (!ent)
break;
if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
continue;
char abort[300];
snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort",
ent->d_name);
int fd = open(abort, O_WRONLY);
if (fd == -1) {
continue;
}
if (write(fd, abort, 1) < 0) {
}
close(fd);
}
closedir(dir);
} else {
}
while (waitpid(-1, status, __WALL) != pid) {
}
}
static void setup_test()
{
prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
setpgrp();
write_file("/proc/self/oom_score_adj", "1000");
flush_tun();
}
static void close_fds()
{
for (int fd = 3; fd < MAX_FDS; fd++)
close(fd);
}
static void setup_sysctl()
{
char mypid[32];
snprintf(mypid, sizeof(mypid), "%d", getpid());
struct {
const char* name;
const char* data;
} files[] = {
{"/sys/kernel/debug/x86/nmi_longest_ns", "10000000000"},
{"/proc/sys/kernel/hung_task_check_interval_secs", "20"},
{"/proc/sys/net/core/bpf_jit_kallsyms", "1"},
{"/proc/sys/net/core/bpf_jit_harden", "0"},
{"/proc/sys/kernel/kptr_restrict", "0"},
{"/proc/sys/kernel/softlockup_all_cpu_backtrace", "1"},
{"/proc/sys/fs/mount-max", "100"},
{"/proc/sys/vm/oom_dump_tasks", "0"},
{"/proc/sys/debug/exception-trace", "0"},
{"/proc/sys/kernel/printk", "7 4 1 3"},
{"/proc/sys/net/ipv4/ping_group_range", "0 65535"},
{"/proc/sys/kernel/keys/gc_delay", "1"},
{"/proc/sys/vm/oom_kill_allocating_task", "1"},
{"/proc/sys/kernel/ctrl-alt-del", "0"},
{"/proc/sys/kernel/cad_pid", mypid},
};
for (size_t i = 0; i < sizeof(files) / sizeof(files[0]); i++) {
if (!write_file(files[i].name, files[i].data))
printf("write to %s failed: %s\n", files[i].name, strerror(errno));
}
}
struct thread_t {
int created, call;
event_t ready, done;
};
static struct thread_t threads[16];
static void execute_call(int call);
static int running;
static void* thr(void* arg)
{
struct thread_t* th = (struct thread_t*)arg;
for (;;) {
event_wait(&th->ready);
event_reset(&th->ready);
execute_call(th->call);
__atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED);
event_set(&th->done);
}
return 0;
}
static void execute_one(void)
{
int i, call, thread;
int collide = 0;
again:
for (call = 0; call < 11; call++) {
for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0]));
thread++) {
struct thread_t* th = &threads[thread];
if (!th->created) {
th->created = 1;
event_init(&th->ready);
event_init(&th->done);
event_set(&th->done);
thread_start(thr, th);
}
if (!event_isset(&th->done))
continue;
event_reset(&th->done);
th->call = call;
__atomic_fetch_add(&running, 1, __ATOMIC_RELAXED);
event_set(&th->ready);
if (collide && (call % 2) == 0)
break;
event_timedwait(&th->done, 50);
break;
}
}
for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++)
sleep_ms(1);
close_fds();
if (!collide) {
collide = 1;
goto again;
}
}
static void execute_one(void);
#define WAIT_FLAGS __WALL
static void loop(void)
{
int iter = 0;
for (;; iter++) {
int pid = fork();
if (pid < 0)
exit(1);
if (pid == 0) {
setup_test();
execute_one();
exit(0);
}
int status = 0;
uint64_t start = current_time_ms();
for (;;) {
if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
break;
sleep_ms(1);
if (current_time_ms() - start < 5000)
continue;
kill_and_wait(pid, &status);
break;
}
}
}
#ifndef __NR_bpf
#define __NR_bpf 321
#endif
uint64_t r[2] = {0xffffffffffffffff, 0xffffffffffffffff};
void execute_call(int call)
{
intptr_t res = 0;
switch (call) {
case 0:
syscall(__NR_socket, 0x10ul, 3ul, 0);
break;
case 1:
syscall(__NR_socket, 0x11ul, 2ul, 0x300);
break;
case 2:
syscall(__NR_socket, 2ul, 1ul, 0);
break;
case 3:
syscall(__NR_socket, 0x11ul, 2ul, 0x300);
break;
case 4:
NONFAILING(*(uint32_t*)0x20000140 = 1);
NONFAILING(*(uint32_t*)0x20000144 = 0xe);
NONFAILING(*(uint64_t*)0x20000148 = 0x20001a40);
NONFAILING(memcpy(
(void*)0x20001a40,
"\xb7\x02\x00\x00\xf7\xff\xff\xff\xbf\xa7\x00\x00\x00\x00\x00\x00\x24"
"\x02\x00\x00\x20\xfe\xff\xff\x7a\x0a\xf0\xff\xf8\xff\xff\xff\x69\xa4"
"\xf0\xff\x00\x00\x00\x00\xb7\x06\x00\x00\x00\x18\xd1\xfe\x2d\x64\x05"
"\x00\x00\x00\x00\x00\x75\x04\x00\x00\x00\x00\x00\x00\x07\x04\x00\x00"
"\x00\x00\x00\x00\xb7\x04\x00\x00\x10\x00\x00\x20\x6a\x07\x00\xfe\x00"
"\x00\x00\x00\x85\x00\x00\x00\x23\x00\x00\x00\xb7\x00\x00\x00\x0a\x00"
"\x00\x00\x95\x00\x00\x00\x00\x00\x00\x00\x64\x58\xc2\xc6\x2f\xc2\x06"
"\x00\x00\x00\xe0\x09\xa6\x37\x96\xc3\xf7\x05\xa6\xf8\x42\xc1\x13\xa8"
"\x0c\x19\xaa\xb9\xd6\x07\x00\x00\x00\xb6\xcd\x48\x3b\xe3\xf0\xd3\x25"
"\x37\x30\xe7\x80\x00\x00\x00\x62\xc2\x8b\x22\x75\x6b\xed\xf3\xcf\x39"
"\x3d\x14\xc4\x6c\xc4\xf7\x9f\xd2\xb3\x16\xda\x4f\x0d\xe8\x16\x3f\x62"
"\x42\xfa\x73\x23\xf1\x74\x06\x37\xc4\x84\x68\x76\x6a\xeb\x39\x43\x9f"
"\xce\x41\xf1\x44\x23\x1a\xc2\x62\xdc\xae\x08\xc3\xd1\xa1\xfb\xe9\x6d"
"\xd8\x72\x35\xb4\x41\x23\x5d\x74\xf7\xc0\x00\x00\x85\x08\x9a\x0f\x11"
"\x9e\x31\x97\x5e\x55\x15\x58\x05\x5d\xc2\xdc\x29\xed\xc3\x3b\x37\x5f"
"\xa3\x07\xdc\xf3\xe9\x03\x20\xf6\x2e\x70\x30\xdb\xe7\x0e\x45\x51\xfe"
"\x89\xc3\xd1\x7c\xf4\x5a\x16\x16\xad\x23\x76\x82\x05\x70\x34\xdf\x2a"
"\x81\xf5\xa5\x3c\xd6\x40\x21\x2c\x88\xe8\xb6\x87\xa2\x44\x60\x49\x57"
"\x7c\x75\xb7\x6b\x77\x5c\x1e\x30\x1c\xaf\x24\x65\xed\x4b\x2a\xd5\x6b"
"\x84\x8d\x04\x6c\x52\xb7\xc3\x73\x71\x27\x12\x0a\xb1\x7d\x82\xa2\x94"
"\xd1\x74\xf2\x40\xa3\xcd\xc7\x25\xcf\xe6\xe8\x39\xa1\xf8\x0f\x59\x48"
"\x65\x78\xe4\x5b\x00\x8d\x39\xab\x61\x8f\x66\x0e\x3c\x53\xed\x44\x09"
"\xaa\x92\xae\x4f\xec\xd9\x13\x06\x0c\xa7\x4e\xd8\xa3\x03\xe2\x2d\xe1"
"\x20\x87\xa2\x17\xd8\xd7\xbe\x0a\xe1\x11\x7c\xc7\x91\x31\x3b\x5a\x08"
"\xb4\x13\x18\x49\x7d\xea\x8f\x10\x45\x16\x60\x3f\x49\xdf\x04\xa0\xd4"
"\x77\x69\x79\x6b\xfd\xc3\x2a\xdc\x5e\xd4\xad\xdf\x44\xa1\x4f\xf5\x58"
"\xd6\xf1\xea\xb2\x2d\xda\xbe\xc1\x39\x3f\x0e\xa0\x21\x3f\xbc\x83\x59"
"\xc9\x3c\x47\x4b\x0e\xb9\x79\xcc\xe2\x8e\xec\x9d\x77\x41\xf0\xac\xef"
"\x12\x33\x0e\x6b\xde\x15\xb0\x8f\x10\x4c\x03\x3e\x26\x4f\x13\xe7\x27"
"\xaa\xdf\xfb\xbf\x15\xf1\x77\x51\xb4\xdc\x5b\x65\x0e\xfb\x4b\x7e\x29"
"\x41\x53\x59\xd9\xce\x1b\xdc\x41\x86\x6d\x10\x31\xb8\x45\x41\xd6\x51"
"\xef\xd9\xd4\x94\x04\x7d\x5e\x31",
535));
NONFAILING(*(uint64_t*)0x20000150 = 0x20000280);
NONFAILING(memcpy((void*)0x20000280, "GPL\000", 4));
NONFAILING(*(uint32_t*)0x20000158 = 0);
NONFAILING(*(uint32_t*)0x2000015c = 0);
NONFAILING(*(uint64_t*)0x20000160 = 0);
NONFAILING(*(uint32_t*)0x20000168 = 0);
NONFAILING(*(uint32_t*)0x2000016c = 0);
NONFAILING(memset((void*)0x20000170, 0, 16));
NONFAILING(*(uint32_t*)0x20000180 = 0);
NONFAILING(*(uint32_t*)0x20000184 = 0);
NONFAILING(*(uint32_t*)0x20000188 = -1);
NONFAILING(*(uint32_t*)0x2000018c = 8);
NONFAILING(*(uint64_t*)0x20000190 = 0x20000000);
NONFAILING(*(uint32_t*)0x20000000 = 0);
NONFAILING(*(uint32_t*)0x20000004 = 0);
NONFAILING(*(uint32_t*)0x20000198 = 0x139);
NONFAILING(*(uint32_t*)0x2000019c = 0x10);
NONFAILING(*(uint64_t*)0x200001a0 = 0x20000000);
NONFAILING(*(uint32_t*)0x20000000 = 0);
NONFAILING(*(uint32_t*)0x20000004 = 0);
NONFAILING(*(uint32_t*)0x20000008 = 0);
NONFAILING(*(uint32_t*)0x2000000c = 0);
NONFAILING(*(uint32_t*)0x200001a8 = 0);
NONFAILING(*(uint32_t*)0x200001ac = 0);
NONFAILING(*(uint32_t*)0x200001b0 = -1);
syscall(__NR_bpf, 5ul, 0x20000140ul, 0x48ul);
break;
case 5:
syscall(__NR_socket, 0x26ul, 5ul, 0);
break;
case 6:
syscall(__NR_socketpair, 0ul, 0ul, 0, 0x20000000ul);
break;
case 7:
syscall(__NR_socket, 0x26ul, 5ul, 0);
break;
case 8:
NONFAILING(*(uint32_t*)0x20000280 = 6);
NONFAILING(*(uint32_t*)0x20000284 = 4);
NONFAILING(*(uint64_t*)0x20000288 = 0x20001380);
NONFAILING(memcpy(
(void*)0x20001380,
"\x18\x02\x00\x00\xe2\xff\xff\xff\x00\x00\x00\x00\x00\x00\x00\x00\x85"
"\x00\x00\x00\x36\x00\x00\x00\x95\x00\x00\x18\x00\x00\x00\x00\x92\x2a"
"\xe8\x37\x13\xab\x96\x62\xce\x3a\xe3\x56\x53\x8d\xda\x12\x00\x00\x01"
"\x00\x00\x80\x32\xad\x55\x8c\x46\xff\xf4\x20\x8d\x14\x13\x8b\x8f\xe9"
"\x03\xdd\xc7\x02\xe4\x04\xe1\x9a\x51\x83\xd7\x69\x67\x65\x20\xe9\x8a"
"\x26\x33\x45\xe4\x4d\x51\x87\xb3\xc4\xd8\x6a\xbe\xb1\x23\x03\xff\x13"
"\x9f\xe0\xd0\x00\x00\x00\xd6\x04\x00\x00\x00\x00\x00\x00\x00\x8a\xff"
"\x66\xd6\xb3\x18\x1f\xfc\x1d\x62\xa3\x95\x4c\x11\xc2\x78\x39\xdc\x00"
"\x7c\x4d\x29\x6e\x73\x59\xea\x79\xa7\x1d\x81\x00\x00\xae\xbf\x31\x83"
"\xfe\x80\x3a\xbb\xf5\x02\x4b\x52\xdc\x26\x5b\x36\xfc\x9d\xae\x00\xa0"
"\xd0\x95\x70\x25\x2b\xd8\xb6\x46\x4e\xf3\xc6\xa7\x35\x2c\xe7\x43\x90"
"\x5f\xd6\xde\xf8\x39\xa1\xfe\xba\xd3\xca\x6e\x3a\xbd\xb2\xdf\xc6\x32"
"\x96\xe3\x40\xbb\x8e\x2a\x09\x3a\xdc\x57\x19\x6b\x40\xde\xf3\x85\x8e"
"\xf5\x69\x34\x7f\xa4\x10\x83\x28\x39\x2d\x32\x2a\xb4\xdf\x10\xa2\xf6"
"\x9a\x6b\xdf\x72\x57\xd3\x27\x07\x0e\x42\x41\x0f\x57\x46\x6f\x59\xae"
"\xa2\x54\x40\x47\xd6\xd8\x00\x44\x2e\x00\x00\x00\x00\x00\xee\x16\xc7"
"\x29\x30\x0d\x23\x01\x80\x00\x00\x00\x00\x00\x00\x28\xa0\xb3\x67\x54"
"\xed\x52\x90\xa8\xcd\x84\x70\xe7\x76\xd6\xb8\x06\x30\xd6\xcb\xde\x49"
"\xb2\x9a\x6c\xb5\xf4\xfc\x00\x01\x00\x00\x00\x00\x4b\x58\x8c\x74\x5c"
"\x38\x0e\x5f\xe5\x72\x38\xae\xad\xa5\xac\xf3\x20\x9a\x08\x43\x9f\xc6"
"\x31\x03\x86\x59\x77\x60\x52\x5b\xfe\x5f\xe1\xf6\x97\xbc\x11\x4c\xd1"
"\x77\x8e\x97\xa3\xf0\x29\x5f\x94\x69\x74\xcd\xb4\x58\xbe\x32\x34\xcf"
"\x92\x4d\xc3\x6b\x22\xeb\x29\x71\x25\xfd\x60\xc5\x55\x8f\xbf\x17\xa7"
"\x6f\x35\x47\x49\x7a\xba\x50\x86\xe3\x0e\xc8\xa5\x7c\x81\x43\x82\xff"
"\xab\x04\x5c\xa0\x77\xa9\xd1\x52\x51\x87\x54\x32\xe7\x4b\x54\xef\xaf"
"\x49\x85\x67\x2a\x1c\x7b\x3c\x20\x00\x21\xde\x95\xae\x7b\x68\x13\x6b"
"\x00\x46\xd5\x35\xdd\x39\xc0\xf3\x54\x69\x86\x9e\x9b\x34\x2b\x95\x3f"
"\x81\x44\x7e\x6b\x9e\x52\x2d\x62\xb1\xe6\xff\xca\xab\x30\x4f\x13\x43"
"\x06\x33\x5f\xc7\xa4\x41\x95\x25\x4b\x45\xa6\xc1\x31\x2a\x13\x69\x6c"
"\x72\x02\xdf\x5f\x76\x47\x13\x50\x4f\x94\xc5\xe0\xfb\xc7\x0b\xcb\x97"
"\x5f\x97\xed\x7b\x03\x00\x00\x00\x00\x00\x00\x00\xe5\x4e\xda\x17\x99"
"\x92\x91\x74\x4a\x33\x2e\x2f\xa8\x06\xe6\x3c\x5c\xd9\x8a\x85\x69\xa6"
"\xd6\xbc\xfb\x00\x00\x00\x2c\xf6\xc7\x3d\xc6\x3f\x04\xaf\x77\xc9\x72"
"\x14\x59\xab\xfc\xfa\x1e\x97\x73\xb2\xb7\x13\x0e\xae\x67\xe0\xeb\xe3"
"\x80\xd0\xf6\x48\x60\x3e\x68\x15\x35\x79\xc0\x2d\x71\xc5\x8d\x14\x7b"
"\x00\x82\x1a\xb9\xa6\x47\x5b\x31\xe1\xeb\xf1\x36\x9a\xfe\x98\x68\x2e"
"\xfb\xf3\x98\x3f\x28\x3f\x2f\xaf\x8f\x40\xe3\x99\x27\xac\xa9\xec\x52"
"\x7f\xb5\xb6\xbf\x7e\x7b\x03\x74\x81\x4d\x63\x00\x00\x00\x00\x00\x00"
"\x00\x40\x49\xcb\x79\xc5\x4b\x0a\x38\x85\x69\x29\xe7\xd8\xb1\xb0\x6c"
"\x9b\xd5\xd7\xe5\x49\x7d\x61\x30\x0f\x3b\x85\x96\xb6\x94\xea\x94\x83"
"\xbd\x4b\xd2\x87\xc8\x3d\xf9\x98\xa7\x46\x94\x26\xec\x8b\x00\x00\x00"
"\x00\x00\x00\x00\x10\xff\x2c\xd1\x8b\xdd\x8a\xb7\x98\x3b\xc9\x07\x70"
"\xbb\xd2\x6a\x82\xb9\xd9\x9d\x17\xc0\x2a\x97\xb5\x23\x04\x87\x78\x2c"
"\xa0\x0e\xdf\x8e\x47\xa7\x1b\xcc\x73\x8e\xf6\x36\xd3\x2b\x01\x93\x35"
"\x56\x79\xaf\xe7\x72\xcd\x45\xaf\x0a\x40\x1f\x69\x00\x10\x00\x00\x00"
"\x00\x00\x00\x6c\xb7\x8a\xef\xfe\x27\x53\x08\xa9\x0a\xcb\x1a\x21\x0b"
"\x22\x45\x3b\x05\xed\x4c\x63\x8a\x04\x3c\x07\xaf\xf7\xd3\x52\xdc\xf7"
"\x2b\xe8\x3e\x7c\x4c\x27\x10\x4a\xc2\x12\x6b\xb2\xbf\xc2\x16\x2f\x6e"
"\x46\xc6\x0c\xba\x05\x4e\x5d\xc5\xc0\x95\x15\xd4\x3f\xc7\x6d\x1d\x83"
"\x1d\xee\xa4\x1f\x01\x97\x0b\x13\x4d\x21\xef\x4f\x42\xfc\x63\xd3\x9b"
"\x94\xa7\xf8\x38\xe0\x4b\xa7\x7f\x13\x67\xc1\xa2\x8c\x73\xa6\x99\xee"
"\x47\x69\x95\x0b\xc8\xb3\xbb\xd0\x78\x61\x02\x00\x00\x00\x00\x00\x00"
"\x00\xe3\xc1\x3f\x7d\x3a\x43\x31\x58\x27\xe2\xa4\xbc\x47\x44\xef\x9d"
"\x64\xfd\xfa\xd9\x1c\x77\x60\xba\x4a\xa9\xf3\x85\x0d\xba\x7c\xa4\x2e"
"\x00\x72\xcc\x0b\x34\x6d\xce\xbe\x06\x44\x22\xf0\x80\x73\x81\x2e\xc5"
"\xe7\xcd\xcc\x26\x49\x98\xb4\xa6\x99\x4e\xfd\x9f\x6b\x7a\x9b\x5d\x15"
"\x24\x7b\xf4\xfa\xbc\xff\x7c\x89\x0c\x23\x8f\x87\x3e\x6f\x52\xad\xfc"
"\x07\x00\x00\x00\x00\x00\x00\x00\x6e\x58\xb9\xf7\x7c\xce\x15\x06\x8c"
"\x6e\xda\x3c\x05\xd5\x60\x63\x0b\x9f\x88\x44\xbe\x77\xe8\x43\x64\xfe"
"\x4e\x39\x29\xea\x4c\x0d\xc8\x9a\x63\x52\xfe\x5a\xd1\xa1\x04\x00\x3d"
"\x89\xbd\x9b\xfc\x59\xe6\x8a\x6b\xb5\xe0\x91\x2f\x19\x67\x3d\x1b\xc4"
"\x21\x07\x2f\x3a\x98\xb3\x1d\x38\x1a\x1d\xf1\xb9\x7e\x39\x34\x09\xd4"
"\x27\x18\xc2\x0d\x41\x50\x01\x70\x33\xc4\xf7\x04\x5c\x79\x3d\xfa\xed"
"\x00\xed\x70\x5d\x7e\xf8\xaa\x7d\xff\xde\xec\x68\x0c\x3b\xba\xd5\x59"
"\x5d\xa7\x04\x90\x34\xe7\xf5\x1c\xc4\x07\x8c\x58\x0f\x8c\x97\x39\x6b"
"\x26\xb2\xd0\x17\xc2\x74\x56\x0c\xc7\xdf\x0d\xe2\x44\xd7\x20\x09\xd2"
"\x3d\x83\x83\x20\xac\x68\x7b\xb1\x4c\x34\xd1\x75\x98\x0a\xaf\xbb\x2e"
"\xfb\xab\x23\x0e\x00\x00\x2c\x07\x36\xcd\x7a\x53\x1b\x8b\x0d\x64\x67"
"\x9a\xfb\x87\xff\x2c\xb1\x54\x1a\xa7\x2e\x1b\xad\x33\x25\x83\x58\x9f"
"\x2b\x30\x6a\xe0\xe5\x93\xf8\xc3\x7a\xc7\x11\xbf\xd3\x9f\x8a\x6a\x6f"
"\x2a\x71\x28\x1a\xd0\x82\xa2\xfe\x7a\x7a\x90\x52\xfb\x5c\xbf\xbb\x20"
"\xa9\x05\x83\xcb\xf8\x21\x88\x83\xac\xb0\x6d\x8d\x98\x31\xc9\x89\x22"
"\xe1\x5d\x5f\x01\xc3\xcf\xc2\x91\x86\x55\x3d\x8b\x8a\x54\x6b\xbf\xb5"
"\xef\xf9\x2d\xff\xff\x5c\x0d\x22\x27\x04\xac\xe9\xb6\xa0\x76\x69\x23"
"\x13\xd5\x07\x50\xf8\x38\x0f\x72\xd5\x1e\x35\xbb\x75\x58\x6f\x6e\xf8"
"\xe5\xbd\x3b\x41\x3c\xde\xfd\xe1\x48\xff\x9d\xd0\xb6\xba\x58\xc3\x91"
"\x99\xe0\x42\xff\xfb\x7e\x18\x93\x3e\x53\x89\xc5\xf8\x85\xac\x1f\x3d"
"\xc0\x2d\x3d\xde\x39\xd3\xc2\x70\xe5\x19\x83\xf5\xbe\x99\x0b\x41\x2f"
"\x7c\xba\x4c\x9c\x28\x8e\x52\xfc\x26\xd6\x21\x0b\xdc\xc6\x4c\x2c\xb3"
"\x9b\x9f\x02\xbc\x2a\x84\x1d\x92\x19\x81\xa2\xc3\x53\x8c\x9d\xa7\xc9"
"\xb1\xbc\xc9\x04\xc0\x59\xea\x50\xd4\x52\xe2\xe3\xd5\x54\x67\xac\x90"
"\xfd\x5f\x76\xfe\xb0\xd0\xc5\xb9\x71\xa6\x69\x2f\x7e\x81\x7d\x0e\x0c"
"\x98\x76\xb3\xd9\xb0\xb9\x51\xcd\xcc\x8e\x53\x8b\x49\x28\xc8\x9d\x8e"
"\x4b\x24\x06\xf2\xa5\xfb\x7e\x74\x17\xf2\x0f\x7f\x5e\x48\xdb\x79\x94"
"\xfc\x88\x8e\x44\xf8\x99\xef\x75\xd5\x28\x4d\x01\x62\xd6\x1d\xb3\x40"
"\x1d\xce\xca\x00\x4e\x54\x62\x50\x91\xda\xf2\x6a\xa2\x0e\x96\xb5\xec"
"\x98\xfd\x9d\x57\x28\xda\x77\x61\x54\x11\x78\x2c\x76\xda\xff\x44\x06"
"\xc5\x4d\xa6\x51\x07\x52\x6f\x8d\x8f\x66\xf3\xfc\x3e\x9a\xdb\x30\xb2"
"\xfe\xe8\xd1\xdd\x2b\x2a\xaa\x7d\x66\xe7\xb5\x26\xda\x78\xda\xab\x73"
"\x2b\x4e\x00\x57\x5b\x24\x5f\x56\x47\x4c\x11\x1a\xde\x6f\xd7\x5d\x9a"
"\xad\xf6\x77\xa1\x3b\xef\x46\x16\xaf\x41\x7d\x04\xf1\x50\x06\x94\x61"
"\xe2\xd4\x57\x23\x9c\xa8\xdb\x56\x38\xe2\x90\xaf\x42\x6a\x05\x7a\xc7"
"\xb9\xf6\xc9\x7c\x84\x98\xf1\xc2\x9f\xd9\xae\x8a\x11\x23\x7b\xc0\xad"
"\x4a\xa2\xcd\x1b\x31\x91\xd7\x03\xb3\xf2\x37\x5b\xf3\xef\x1b\xd7\x1e"
"\x8d\xaa\x40\xf1\x46\x5a\x0f\xee\x58\xd3\x1b\xcf\xab\x34\xfc\xa6\x43"
"\xe2\xc8\x0b\xf4\x8e\x7f\x74\x64\x86\x05\xee\x7c\x19\x49\xa7\x83\x18"
"\xc7\x30\xb8\x6a\xad\xaf\x84\xae\xef\x1f\x44\xa8\x5a\x62\xe1\x89\x05"
"\xe9\x0e\xc2\xf8\xba\x60\x34\x2f\x02\xf4\xf9\xf6\x57\x12\x5d\x58\xc2"
"\xd7\x93\xe2\x5b\x87\x0a\xe9\x7f\x5f\x5c\x9d\x27\x9a\x85\xe6\xb7\x9a"
"\x9b\x3e\xc3\x8c\xae\x7e\xe0\xd7\x35",
1692));
NONFAILING(*(uint64_t*)0x20000290 = 0x20000040);
NONFAILING(memcpy((void*)0x20000040, "GPL\000", 4));
NONFAILING(*(uint32_t*)0x20000298 = 4);
NONFAILING(*(uint32_t*)0x2000029c = 0x1076);
NONFAILING(*(uint64_t*)0x200002a0 = 0x20000300);
NONFAILING(*(uint32_t*)0x200002a8 = 0);
NONFAILING(*(uint32_t*)0x200002ac = 0);
NONFAILING(memset((void*)0x200002b0, 0, 16));
NONFAILING(*(uint32_t*)0x200002c0 = 0);
NONFAILING(*(uint32_t*)0x200002c4 = 0);
NONFAILING(*(uint32_t*)0x200002c8 = -1);
NONFAILING(*(uint32_t*)0x200002cc = 8);
NONFAILING(*(uint64_t*)0x200002d0 = 0);
NONFAILING(*(uint32_t*)0x200002d8 = 0);
NONFAILING(*(uint32_t*)0x200002dc = 0x10);
NONFAILING(*(uint64_t*)0x200002e0 = 0);
NONFAILING(*(uint32_t*)0x200002e8 = 0);
NONFAILING(*(uint32_t*)0x200002ec = 0);
NONFAILING(*(uint32_t*)0x200002f0 = -1);
res = syscall(__NR_bpf, 5ul, 0x20000280ul, 0x70ul);
if (res != -1)
r[0] = res;
break;
case 9:
NONFAILING(memcpy((void*)0x20000240, "cpuacct.usage_percpu_sys\000", 25));
res = syscall(__NR_openat, 0xffffff9c, 0x20000240ul, 0x26e1ul, 0ul);
if (res != -1)
r[1] = res;
break;
case 10:
NONFAILING(*(uint32_t*)0x20001300 = r[0]);
NONFAILING(*(uint32_t*)0x20001304 = r[1]);
NONFAILING(*(uint32_t*)0x20001308 = 0x25);
NONFAILING(*(uint32_t*)0x2000130c = 0);
syscall(__NR_bpf, 0x1cul, 0x20001300ul, 0x10ul);
break;
}
}
int main(void)
{
syscall(__NR_mmap, 0x1ffff000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul);
syscall(__NR_mmap, 0x20000000ul, 0x1000000ul, 7ul, 0x32ul, -1, 0ul);
syscall(__NR_mmap, 0x21000000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul);
setup_sysctl();
install_segv_handler();
for (procid = 0; procid < 6; procid++) {
if (fork() == 0) {
do_sandbox_none();
}
}
sleep(1000000);
return 0;
}