// https://syzkaller.appspot.com/bug?id=180e282924600527193dc00eb4bffc62920a6401
// autogenerated by syzkaller (https://github.com/google/syzkaller)
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <dirent.h>
#include <endian.h>
#include <errno.h>
#include <fcntl.h>
#include <net/if.h>
#include <net/if_arp.h>
#include <netinet/in.h>
#include <sched.h>
#include <signal.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/mount.h>
#include <sys/prctl.h>
#include <sys/resource.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/time.h>
#include <sys/types.h>
#include <sys/uio.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>
#include <linux/capability.h>
#include <linux/genetlink.h>
#include <linux/if_addr.h>
#include <linux/if_ether.h>
#include <linux/if_link.h>
#include <linux/if_tun.h>
#include <linux/in6.h>
#include <linux/ip.h>
#include <linux/neighbour.h>
#include <linux/net.h>
#include <linux/netlink.h>
#include <linux/rtnetlink.h>
#include <linux/tcp.h>
#include <linux/veth.h>
unsigned long long procid;
static void sleep_ms(uint64_t ms)
{
usleep(ms * 1000);
}
static uint64_t current_time_ms(void)
{
struct timespec ts;
if (clock_gettime(CLOCK_MONOTONIC, &ts))
exit(1);
return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}
static bool write_file(const char* file, const char* what, ...)
{
char buf[1024];
va_list args;
va_start(args, what);
vsnprintf(buf, sizeof(buf), what, args);
va_end(args);
buf[sizeof(buf) - 1] = 0;
int len = strlen(buf);
int fd = open(file, O_WRONLY | O_CLOEXEC);
if (fd == -1)
return false;
if (write(fd, buf, len) != len) {
int err = errno;
close(fd);
errno = err;
return false;
}
close(fd);
return true;
}
static struct {
char* pos;
int nesting;
struct nlattr* nested[8];
char buf[1024];
} nlmsg;
static void netlink_init(int typ, int flags, const void* data, int size)
{
memset(&nlmsg, 0, sizeof(nlmsg));
struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg.buf;
hdr->nlmsg_type = typ;
hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags;
memcpy(hdr + 1, data, size);
nlmsg.pos = (char*)(hdr + 1) + NLMSG_ALIGN(size);
}
static void netlink_attr(int typ, const void* data, int size)
{
struct nlattr* attr = (struct nlattr*)nlmsg.pos;
attr->nla_len = sizeof(*attr) + size;
attr->nla_type = typ;
memcpy(attr + 1, data, size);
nlmsg.pos += NLMSG_ALIGN(attr->nla_len);
}
static void netlink_nest(int typ)
{
struct nlattr* attr = (struct nlattr*)nlmsg.pos;
attr->nla_type = typ;
nlmsg.pos += sizeof(*attr);
nlmsg.nested[nlmsg.nesting++] = attr;
}
static void netlink_done(void)
{
struct nlattr* attr = nlmsg.nested[--nlmsg.nesting];
attr->nla_len = nlmsg.pos - (char*)attr;
}
static int netlink_send_ext(int sock, uint16_t reply_type, int* reply_len)
{
if (nlmsg.pos > nlmsg.buf + sizeof(nlmsg.buf) || nlmsg.nesting)
exit(1);
struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg.buf;
hdr->nlmsg_len = nlmsg.pos - nlmsg.buf;
struct sockaddr_nl addr;
memset(&addr, 0, sizeof(addr));
addr.nl_family = AF_NETLINK;
unsigned n = sendto(sock, nlmsg.buf, hdr->nlmsg_len, 0,
(struct sockaddr*)&addr, sizeof(addr));
if (n != hdr->nlmsg_len)
exit(1);
n = recv(sock, nlmsg.buf, sizeof(nlmsg.buf), 0);
if (n < sizeof(struct nlmsghdr))
exit(1);
if (reply_len && hdr->nlmsg_type == reply_type) {
*reply_len = n;
return 0;
}
if (n < sizeof(struct nlmsghdr) + sizeof(struct nlmsgerr))
exit(1);
if (hdr->nlmsg_type != NLMSG_ERROR)
exit(1);
return -((struct nlmsgerr*)(hdr + 1))->error;
}
static int netlink_send(int sock)
{
return netlink_send_ext(sock, 0, NULL);
}
static void netlink_add_device_impl(const char* type, const char* name)
{
struct ifinfomsg hdr;
memset(&hdr, 0, sizeof(hdr));
netlink_init(RTM_NEWLINK, NLM_F_EXCL | NLM_F_CREATE, &hdr, sizeof(hdr));
if (name)
netlink_attr(IFLA_IFNAME, name, strlen(name));
netlink_nest(IFLA_LINKINFO);
netlink_attr(IFLA_INFO_KIND, type, strlen(type));
}
static void netlink_add_device(int sock, const char* type, const char* name)
{
netlink_add_device_impl(type, name);
netlink_done();
int err = netlink_send(sock);
(void)err;
}
static void netlink_add_veth(int sock, const char* name, const char* peer)
{
netlink_add_device_impl("veth", name);
netlink_nest(IFLA_INFO_DATA);
netlink_nest(VETH_INFO_PEER);
nlmsg.pos += sizeof(struct ifinfomsg);
netlink_attr(IFLA_IFNAME, peer, strlen(peer));
netlink_done();
netlink_done();
netlink_done();
int err = netlink_send(sock);
(void)err;
}
static void netlink_add_hsr(int sock, const char* name, const char* slave1,
const char* slave2)
{
netlink_add_device_impl("hsr", name);
netlink_nest(IFLA_INFO_DATA);
int ifindex1 = if_nametoindex(slave1);
netlink_attr(IFLA_HSR_SLAVE1, &ifindex1, sizeof(ifindex1));
int ifindex2 = if_nametoindex(slave2);
netlink_attr(IFLA_HSR_SLAVE2, &ifindex2, sizeof(ifindex2));
netlink_done();
netlink_done();
int err = netlink_send(sock);
(void)err;
}
static void netlink_device_change(int sock, const char* name, bool up,
const char* master, const void* mac,
int macsize)
{
struct ifinfomsg hdr;
memset(&hdr, 0, sizeof(hdr));
if (up)
hdr.ifi_flags = hdr.ifi_change = IFF_UP;
netlink_init(RTM_NEWLINK, 0, &hdr, sizeof(hdr));
netlink_attr(IFLA_IFNAME, name, strlen(name));
if (master) {
int ifindex = if_nametoindex(master);
netlink_attr(IFLA_MASTER, &ifindex, sizeof(ifindex));
}
if (macsize)
netlink_attr(IFLA_ADDRESS, mac, macsize);
int err = netlink_send(sock);
(void)err;
}
static int netlink_add_addr(int sock, const char* dev, const void* addr,
int addrsize)
{
struct ifaddrmsg hdr;
memset(&hdr, 0, sizeof(hdr));
hdr.ifa_family = addrsize == 4 ? AF_INET : AF_INET6;
hdr.ifa_prefixlen = addrsize == 4 ? 24 : 120;
hdr.ifa_scope = RT_SCOPE_UNIVERSE;
hdr.ifa_index = if_nametoindex(dev);
netlink_init(RTM_NEWADDR, NLM_F_CREATE | NLM_F_REPLACE, &hdr, sizeof(hdr));
netlink_attr(IFA_LOCAL, addr, addrsize);
netlink_attr(IFA_ADDRESS, addr, addrsize);
return netlink_send(sock);
}
static void netlink_add_addr4(int sock, const char* dev, const char* addr)
{
struct in_addr in_addr;
inet_pton(AF_INET, addr, &in_addr);
int err = netlink_add_addr(sock, dev, &in_addr, sizeof(in_addr));
(void)err;
}
static void netlink_add_addr6(int sock, const char* dev, const char* addr)
{
struct in6_addr in6_addr;
inet_pton(AF_INET6, addr, &in6_addr);
int err = netlink_add_addr(sock, dev, &in6_addr, sizeof(in6_addr));
(void)err;
}
const int kInitNetNsFd = 239;
#define DEVLINK_FAMILY_NAME "devlink"
#define DEVLINK_CMD_RELOAD 37
#define DEVLINK_ATTR_BUS_NAME 1
#define DEVLINK_ATTR_DEV_NAME 2
#define DEVLINK_ATTR_NETNS_FD 137
static void netlink_devlink_netns_move(const char* bus_name,
const char* dev_name, int netns_fd)
{
struct genlmsghdr genlhdr;
struct nlattr* attr;
int sock, err, n;
uint16_t id = 0;
sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC);
if (sock == -1)
exit(1);
memset(&genlhdr, 0, sizeof(genlhdr));
genlhdr.cmd = CTRL_CMD_GETFAMILY;
netlink_init(GENL_ID_CTRL, 0, &genlhdr, sizeof(genlhdr));
netlink_attr(CTRL_ATTR_FAMILY_NAME, DEVLINK_FAMILY_NAME,
strlen(DEVLINK_FAMILY_NAME) + 1);
err = netlink_send_ext(sock, GENL_ID_CTRL, &n);
if (err) {
goto error;
}
attr =
(struct nlattr*)(nlmsg.buf + NLMSG_HDRLEN + NLMSG_ALIGN(sizeof(genlhdr)));
for (; (char*)attr < nlmsg.buf + n;
attr = (struct nlattr*)((char*)attr + NLMSG_ALIGN(attr->nla_len))) {
if (attr->nla_type == CTRL_ATTR_FAMILY_ID) {
id = *(uint16_t*)(attr + 1);
break;
}
}
if (!id) {
goto error;
}
recv(sock, nlmsg.buf, sizeof(nlmsg.buf), 0); /* recv ack */
memset(&genlhdr, 0, sizeof(genlhdr));
genlhdr.cmd = DEVLINK_CMD_RELOAD;
netlink_init(id, 0, &genlhdr, sizeof(genlhdr));
netlink_attr(DEVLINK_ATTR_BUS_NAME, bus_name, strlen(bus_name) + 1);
netlink_attr(DEVLINK_ATTR_DEV_NAME, dev_name, strlen(dev_name) + 1);
netlink_attr(DEVLINK_ATTR_NETNS_FD, &netns_fd, sizeof(netns_fd));
netlink_send(sock);
error:
close(sock);
}
static void initialize_devlink_pci(void)
{
int netns = open("/proc/self/ns/net", O_RDONLY);
if (netns == -1)
exit(1);
int ret = setns(kInitNetNsFd, 0);
if (ret == -1)
exit(1);
netlink_devlink_netns_move("pci", "0000:00:10.0", netns);
ret = setns(netns, 0);
if (ret == -1)
exit(1);
close(netns);
}
#define DEV_IPV4 "172.20.20.%d"
#define DEV_IPV6 "fe80::%02x"
#define DEV_MAC 0x00aaaaaaaaaa
static void netdevsim_add(unsigned int addr, unsigned int port_count)
{
char buf[16];
sprintf(buf, "%u %u", addr, port_count);
write_file("/sys/bus/netdevsim/new_device", buf);
}
static void initialize_netdevices(void)
{
char netdevsim[16];
sprintf(netdevsim, "netdevsim%d", (int)procid);
struct {
const char* type;
const char* dev;
} devtypes[] = {
{"ip6gretap", "ip6gretap0"}, {"bridge", "bridge0"},
{"vcan", "vcan0"}, {"bond", "bond0"},
{"team", "team0"}, {"dummy", "dummy0"},
{"nlmon", "nlmon0"}, {"caif", "caif0"},
{"batadv", "batadv0"}, {"vxcan", "vxcan1"},
{"netdevsim", netdevsim}, {"veth", 0},
};
const char* devmasters[] = {"bridge", "bond", "team"};
struct {
const char* name;
int macsize;
bool noipv6;
} devices[] = {
{"lo", ETH_ALEN},
{"sit0", 0},
{"bridge0", ETH_ALEN},
{"vcan0", 0, true},
{"tunl0", 0},
{"gre0", 0},
{"gretap0", ETH_ALEN},
{"ip_vti0", 0},
{"ip6_vti0", 0},
{"ip6tnl0", 0},
{"ip6gre0", 0},
{"ip6gretap0", ETH_ALEN},
{"erspan0", ETH_ALEN},
{"bond0", ETH_ALEN},
{"veth0", ETH_ALEN},
{"veth1", ETH_ALEN},
{"team0", ETH_ALEN},
{"veth0_to_bridge", ETH_ALEN},
{"veth1_to_bridge", ETH_ALEN},
{"veth0_to_bond", ETH_ALEN},
{"veth1_to_bond", ETH_ALEN},
{"veth0_to_team", ETH_ALEN},
{"veth1_to_team", ETH_ALEN},
{"veth0_to_hsr", ETH_ALEN},
{"veth1_to_hsr", ETH_ALEN},
{"hsr0", 0},
{"dummy0", ETH_ALEN},
{"nlmon0", 0},
{"vxcan0", 0, true},
{"vxcan1", 0, true},
{"caif0", ETH_ALEN},
{"batadv0", ETH_ALEN},
{netdevsim, ETH_ALEN},
};
int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
if (sock == -1)
exit(1);
unsigned i;
for (i = 0; i < sizeof(devtypes) / sizeof(devtypes[0]); i++)
netlink_add_device(sock, devtypes[i].type, devtypes[i].dev);
for (i = 0; i < sizeof(devmasters) / (sizeof(devmasters[0])); i++) {
char master[32], slave0[32], veth0[32], slave1[32], veth1[32];
sprintf(slave0, "%s_slave_0", devmasters[i]);
sprintf(veth0, "veth0_to_%s", devmasters[i]);
netlink_add_veth(sock, slave0, veth0);
sprintf(slave1, "%s_slave_1", devmasters[i]);
sprintf(veth1, "veth1_to_%s", devmasters[i]);
netlink_add_veth(sock, slave1, veth1);
sprintf(master, "%s0", devmasters[i]);
netlink_device_change(sock, slave0, false, master, 0, 0);
netlink_device_change(sock, slave1, false, master, 0, 0);
}
netlink_device_change(sock, "bridge_slave_0", true, 0, 0, 0);
netlink_device_change(sock, "bridge_slave_1", true, 0, 0, 0);
netlink_add_veth(sock, "hsr_slave_0", "veth0_to_hsr");
netlink_add_veth(sock, "hsr_slave_1", "veth1_to_hsr");
netlink_add_hsr(sock, "hsr0", "hsr_slave_0", "hsr_slave_1");
netlink_device_change(sock, "hsr_slave_0", true, 0, 0, 0);
netlink_device_change(sock, "hsr_slave_1", true, 0, 0, 0);
netdevsim_add((int)procid, 4);
for (i = 0; i < sizeof(devices) / (sizeof(devices[0])); i++) {
char addr[32];
sprintf(addr, DEV_IPV4, i + 10);
netlink_add_addr4(sock, devices[i].name, addr);
if (!devices[i].noipv6) {
sprintf(addr, DEV_IPV6, i + 10);
netlink_add_addr6(sock, devices[i].name, addr);
}
uint64_t macaddr = DEV_MAC + ((i + 10ull) << 40);
netlink_device_change(sock, devices[i].name, true, 0, &macaddr,
devices[i].macsize);
}
close(sock);
}
static void initialize_netdevices_init(void)
{
int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
if (sock == -1)
exit(1);
struct {
const char* type;
int macsize;
bool noipv6;
bool noup;
} devtypes[] = {
{"nr", 7, true}, {"rose", 5, true, true},
};
unsigned i;
for (i = 0; i < sizeof(devtypes) / sizeof(devtypes[0]); i++) {
char dev[32], addr[32];
sprintf(dev, "%s%d", devtypes[i].type, (int)procid);
sprintf(addr, "172.30.%d.%d", i, (int)procid + 1);
netlink_add_addr4(sock, dev, addr);
if (!devtypes[i].noipv6) {
sprintf(addr, "fe88::%02x:%02x", i, (int)procid + 1);
netlink_add_addr6(sock, dev, addr);
}
int macsize = devtypes[i].macsize;
uint64_t macaddr = 0xbbbbbb +
((unsigned long long)i << (8 * (macsize - 2))) +
(procid << (8 * (macsize - 1)));
netlink_device_change(sock, dev, !devtypes[i].noup, 0, &macaddr, macsize);
}
close(sock);
}
#define MAX_FDS 30
static void setup_common()
{
if (mount(0, "/sys/fs/fuse/connections", "fusectl", 0, 0)) {
}
}
static void loop();
static void sandbox_common()
{
prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
setpgrp();
setsid();
int netns = open("/proc/self/ns/net", O_RDONLY);
if (netns == -1)
exit(1);
if (dup2(netns, kInitNetNsFd) < 0)
exit(1);
close(netns);
struct rlimit rlim;
rlim.rlim_cur = rlim.rlim_max = (200 << 20);
setrlimit(RLIMIT_AS, &rlim);
rlim.rlim_cur = rlim.rlim_max = 32 << 20;
setrlimit(RLIMIT_MEMLOCK, &rlim);
rlim.rlim_cur = rlim.rlim_max = 136 << 20;
setrlimit(RLIMIT_FSIZE, &rlim);
rlim.rlim_cur = rlim.rlim_max = 1 << 20;
setrlimit(RLIMIT_STACK, &rlim);
rlim.rlim_cur = rlim.rlim_max = 0;
setrlimit(RLIMIT_CORE, &rlim);
rlim.rlim_cur = rlim.rlim_max = 256;
setrlimit(RLIMIT_NOFILE, &rlim);
if (unshare(CLONE_NEWNS)) {
}
if (unshare(CLONE_NEWIPC)) {
}
if (unshare(0x02000000)) {
}
if (unshare(CLONE_NEWUTS)) {
}
if (unshare(CLONE_SYSVSEM)) {
}
typedef struct {
const char* name;
const char* value;
} sysctl_t;
static const sysctl_t sysctls[] = {
{"/proc/sys/kernel/shmmax", "16777216"},
{"/proc/sys/kernel/shmall", "536870912"},
{"/proc/sys/kernel/shmmni", "1024"},
{"/proc/sys/kernel/msgmax", "8192"},
{"/proc/sys/kernel/msgmni", "1024"},
{"/proc/sys/kernel/msgmnb", "1024"},
{"/proc/sys/kernel/sem", "1024 1048576 500 1024"},
};
unsigned i;
for (i = 0; i < sizeof(sysctls) / sizeof(sysctls[0]); i++)
write_file(sysctls[i].name, sysctls[i].value);
}
int wait_for_loop(int pid)
{
if (pid < 0)
exit(1);
int status = 0;
while (waitpid(-1, &status, __WALL) != pid) {
}
return WEXITSTATUS(status);
}
static void drop_caps(void)
{
struct __user_cap_header_struct cap_hdr = {};
struct __user_cap_data_struct cap_data[2] = {};
cap_hdr.version = _LINUX_CAPABILITY_VERSION_3;
cap_hdr.pid = getpid();
if (syscall(SYS_capget, &cap_hdr, &cap_data))
exit(1);
const int drop = (1 << CAP_SYS_PTRACE) | (1 << CAP_SYS_NICE);
cap_data[0].effective &= ~drop;
cap_data[0].permitted &= ~drop;
cap_data[0].inheritable &= ~drop;
if (syscall(SYS_capset, &cap_hdr, &cap_data))
exit(1);
}
static int do_sandbox_none(void)
{
if (unshare(CLONE_NEWPID)) {
}
int pid = fork();
if (pid != 0)
return wait_for_loop(pid);
setup_common();
sandbox_common();
drop_caps();
initialize_netdevices_init();
if (unshare(CLONE_NEWNET)) {
}
initialize_devlink_pci();
initialize_netdevices();
loop();
exit(1);
}
static void kill_and_wait(int pid, int* status)
{
kill(-pid, SIGKILL);
kill(pid, SIGKILL);
int i;
for (i = 0; i < 100; i++) {
if (waitpid(-1, status, WNOHANG | __WALL) == pid)
return;
usleep(1000);
}
DIR* dir = opendir("/sys/fs/fuse/connections");
if (dir) {
for (;;) {
struct dirent* ent = readdir(dir);
if (!ent)
break;
if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
continue;
char abort[300];
snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort",
ent->d_name);
int fd = open(abort, O_WRONLY);
if (fd == -1) {
continue;
}
if (write(fd, abort, 1) < 0) {
}
close(fd);
}
closedir(dir);
} else {
}
while (waitpid(-1, status, __WALL) != pid) {
}
}
static void setup_test()
{
prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
setpgrp();
write_file("/proc/self/oom_score_adj", "1000");
}
static void close_fds()
{
int fd;
for (fd = 3; fd < MAX_FDS; fd++)
close(fd);
}
static void execute_one(void);
#define WAIT_FLAGS __WALL
static void loop(void)
{
int iter;
for (iter = 0;; iter++) {
int pid = fork();
if (pid < 0)
exit(1);
if (pid == 0) {
setup_test();
execute_one();
close_fds();
exit(0);
}
int status = 0;
uint64_t start = current_time_ms();
for (;;) {
if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
break;
sleep_ms(1);
if (current_time_ms() - start < 5 * 1000)
continue;
kill_and_wait(pid, &status);
break;
}
}
}
uint64_t r[3] = {0xffffffffffffffff, 0xffffffffffffffff, 0x0};
void execute_one(void)
{
intptr_t res = 0;
res = syscall(__NR_socket, 0x1dul, 2ul, 7ul);
if (res != -1)
r[0] = res;
res = syscall(__NR_socket, 2ul, 2ul, 0x88ul);
if (res != -1)
r[1] = res;
memcpy((void*)0x20000200, "vcan0\000\000\000\000\000\000\000\000\000\000\000",
16);
*(uint32_t*)0x20000210 = 0;
res = syscall(__NR_ioctl, r[1], 0x8933ul, 0x20000200ul);
if (res != -1)
r[2] = *(uint32_t*)0x20000210;
*(uint16_t*)0x20000240 = 0x1d;
*(uint32_t*)0x20000244 = r[2];
*(uint64_t*)0x20000248 = 0;
*(uint8_t*)0x20000250 = 0;
*(uint8_t*)0x20000251 = 0;
*(uint8_t*)0x20000252 = 0;
*(uint8_t*)0x20000253 = 0;
*(uint8_t*)0x20000254 = 0;
syscall(__NR_bind, r[0], 0x20000240ul, 0x18ul);
*(uint64_t*)0x20000bc0 = 0x20000b40;
*(uint16_t*)0x20000b40 = 0x1d;
*(uint32_t*)0x20000b44 = 0;
*(uint64_t*)0x20000b48 = 0;
*(uint8_t*)0x20000b50 = 0;
*(uint8_t*)0x20000b51 = 0;
*(uint8_t*)0x20000b52 = 0;
*(uint8_t*)0x20000b53 = 0;
*(uint8_t*)0x20000b54 = 0;
*(uint32_t*)0x20000bc8 = 0x18;
*(uint64_t*)0x20000bd0 = 0x20000b80;
*(uint64_t*)0x20000b80 = 0x20002300;
memcpy(
(void*)0x20002300,
"\x98\xa5\xd0\x38\x14\x01\x0a\xe7\x6d\x01\x6b\xd2\x2d\x15\x40\x28\xde\x26"
"\x2a\xc2\xb9\x5c\x2b\x44\x39\x11\xe0\x98\xb5\x30\xa0\xc3\xa7\x51\xc4\x21"
"\x03\xce\x3b\xd9\x70\x7c\xc8\x97\x88\xc4\x2c\xd0\xa2\x07\x64\xda\x9b\xb5"
"\x82\xff\xe8\x9d\xb1\xf9\x0e\x66\xc1\x1b\x19\xe7\xec\xeb\x79\xc6\xe2\xff"
"\x30\x7a\x05\x05\x3e\x42\x89\x51\x31\x6d\x92\x1b\x68\x58\x86\xea\x6e\xbf"
"\x82\x51\x5d\x47\xf1\x48\xb8\x1d\x1b\xc7\x40\x06\xd6\x26\x49\x50\x8d\xc9"
"\x4e\xc0\xa6\x77\xab\x36\x26\x8f\x21\x56\xd3\x45\x89\xe7\xe7\x4c\x3d\xf9"
"\x85\x4f\xb4\x7f\xc4\xdf\xc6\xec\xc7\x64\x7d\xc9\x85\x67\xce\x78\xba\x4b"
"\xd6\xed\xee\x1b\x51\x38\xe5\x7c\x94\xa1\xfe\xcc\x77\x4b\x6c\xfa\x2a\x11"
"\xa5\xc7\xe3\x64\xe2\xcf\xa0\x11\x35\x74\xa1\xcb\x75\xa5\x41\x26\xa8\x06"
"\x13\x49\x41\xa9\x73\x14\xa5\xcb\xf4\xd0\xbe\x72\x11\x8f\xb6\x1f\x75\xf9"
"\x08\xdf\x44\xb9\x1e\x00\x83\x53\x7d\x2a\x1e\x75\x75\xea\x4a\xee\xbf\xf1"
"\xf1\x68\x4a\xc8\x60\xdb\x4b\xba\x84\x82\x23\xd1\x56\x5b\xc7\xec\x8e\xb4"
"\x8d\x86\x12\x34\x83\xda\xcf\x64\x58\xc2\x35\xf8\xe8\x2c\x17\x34\x22\xc9"
"\xb0\x95\xeb\xab\xf4\x42\x55\xb6\xdd\xcb\xce\x2f\x81\x4a\x57\x28\x7a\xc6"
"\x6f\x2c\xf3\x4a\x19\x0b\x97\x03\x17\x06\x79\xbe\x9b\xd1\x25\xa9\x49\xcc"
"\x09\xc8\x67\x4a\xa2\x83\x04\xc9\x98\x01\xe0\x33\x75\x5a\x1a\xcf\xd6\x70"
"\x0d\x1e\xa3\x5c\x62\x9d\x91\x54\x15\xa1\x1a\x65\x7d\xd2\x13\x07\x90\xb9"
"\x62\x2a\xcf\xb1\xd2\x09\x5e\x0a\xd9\xc7\x8d\xc3\x2c\x8f\x1a\x1f\xc2\xad"
"\x7d\x33\x13\xde\xe1\xf7\xeb\x37\x7d\x02\xe3\xc3\x87\x05\xaf\x4a\x25\x05"
"\xb7\x8e\xef\x03\xd0\x70\x0d\x89\x8e\x6d\x18\x0d\x0a\x62\x36\x44\x3c\x5d"
"\xdc\x9e\xb3\x5e\xe3\x8e\xd5\x25\xfe\x13\xe9\xa1\xd5\x2b\x91\x75\x40\xed"
"\x6c\xb3\x0b\x8c\x80\x48\x34\x18\x10\x96\x32\xff\xa5\xc8\x6c\xb3\x03\x49"
"\x4e\x27\x16\xc4\x37\xfb\xe1\x28\x10\xeb\x26\x6b\x50\x55\xd3\x90\x0c\x86"
"\x2c\xeb\x71\x92\x4f\x4a\xde\x5f\x8f\x53\x7c\x60\x5d\xac\xe9\x64\x18\x84"
"\x11\x7e\xe8\x8c\xc1\x88\x38\x11\x15\x80\x3e\xa2\xba\xd3\xa4\xe7\xc8\x51"
"\x5e\x6a\x2b\x76\xc4\x70\x96\x8f\x3a\xd9\x79\x48\xfc\xcf\x25\x15\x66\xc9"
"\x02\x56\xa8\xb5\x3d\x43\x2f\x61\xa9\x5d\xc5\x1a\xaa\x85\x96\xa9\x5e\xfe"
"\x6e\x5f\x58\xab\x55\x2a\x6c\xf5\xd4\xe9\x16\xcb\x1f\x42\x35\x71\xcf\x05"
"\xf7\xff\xc1\x5c\x1a\x1e\x8f\x19\x17\xba\x2e\xcb\xc4\x52\xcd\x38\x29\x2f"
"\xbf\x3c\x03\x9a\x23\x97\x7a\x2a\x9d\x7a\x90\x71\xd7\xc1\x20\xa4\x39\x27"
"\x22\x70\xc6\x2c\x29\x8e\x9f\xc1\x59\x86\x28\x69\xa1\xa7\xf5\xea\xfa\x2c"
"\xbc\x90\xe3\x00\xbf\x9f\xe0\xcf\x80\x4a\x35\xa6\x10\xb4\xfe\x0e\x23\xe6"
"\xc9\x8e\x69\x18\x6c\xe5\xe7\xc5\xc4\xb3\x71\x7f\xeb\x26\x69\xfc\xc8\x2f"
"\x21\xcd\x94\xeb\x34\x7e\xb0\x0f\x0d\x2b\x60\x5b\x28\x0d\x85\x40\x61\xdb"
"\x8f\x5f\x17\x97\x27\xa4\x33\x70\x34\xb5\xdb\x52\x8f\x1b\xdb\x45\x3c\xa7"
"\xc1\x05\xf5\x64\x63\xe0\x2e\x86\x96\x3a\x00\x99\xc9\x6b\xa0\xbd\xc9\x43"
"\x6e\x4f\x54\x2e\xcf\x25\x74\x6c\x34\xae\xde\xf3\x95\x62\x79\xaa\xce\xaa"
"\xf6\x8c\x9a\x80\x95\xa9\xdf\xa0\x54\x67\x13\x7f\xab\xa9\xbc\xad\x9c\xc5"
"\xd9\xc4\xa3\x47\xb3\xb2\x99\x25\x71\x27\xb0\x1d\x1d\xca\x21\x04\x23\x95"
"\x9b\x3e\x14\x32\xd5\xbb\xd1\x4b\x70\x20\x5e\x53\x79\xc3\xf1\x6f\x52\x68"
"\xc6\x8e\x3d\x25\xce\xa8\x3f\x49\xd8\x65\x07\xf4\x24\x4f\x35\xeb\xeb\x77"
"\x4d\x4b\x46\x96\xf8\xa6\x82\xb5\x8f\x9c\x5b\xd4\x6f\x6b\xe1\x8d\xe9\x79"
"\x79\xfe\x0f\xa4\xd3\xfa\x77\xca\xcf\xae\x1b\x7c\xf0\x29\x15\x60\xec\xa8"
"\x85\x75\xd0\xec\xcf\x7f\xcf\x2c\xae\x45\x39\x8c\xb4\x37\xab\x09\x0c\xec"
"\x39\xad\x82\x3c\x67\x22\x10\x98\x82\xc4\x18\x5c\x6c\x81\xda\x22\x8a\x81"
"\x80\x84\xe1\xa6\xf2\xea\xfd\x7f\xea\x67\xad\xe8\x3b\xb6\xf0\xb3\xdb\x78"
"\xc5\xc9\x91\x14\x52\x19\xf9\xa8\xcc\xf7\x04\xa3\x13\xe5\x3c\xfc\x5f\xf2"
"\x50\x78\x9c\xa7\x5a\x37\x47\xee\x2f\x3f\xed\x3e\x7a\xe0\xac\xdf\x71\x82"
"\x08\x5f\x32\x38\xd4\x0e\xa9\xd0\x4f\xd6\xb8\x57\xf7\x6a\x23\x90\x58\x28"
"\xc4\x66\xa4\x27\x60\xf7\xcb\x9c\xff\x4d\x3f\x0a\x25\xe8\x70\x33\x77\x3e"
"\xe2\xcd\xfb\xd6\xa6\x0f\xca\xe0\xb3\x42\x8e\x26\xf3\x63\xc4\x99\x1d\x72"
"\xc7\x27\x4d\x48\x16\xe2\xf2\xfb\xb4\x8f\x8c\xf7\x5c\x5b\x26\xa9\x41\x5a"
"\xa2\xb9\xe2\x73\x8e\x7d\x43\x1c\xae\x8f\xeb\x7a\x6c\xca\x0d\x9a\xac\x8d"
"\x1d\xaa\x4f\x67\x32\xbb\x55\xbd\x14\xd0\x6a\xae\x84\x8c\xbb\xd0\x28\x05"
"\x92\xf9\xbb\x99\x52\xfd\xd4\xab\xe7\x63\xc0\xb0\x0d\xcb\x06\x85\x50\x72"
"\xb8\x87\x80\xd6\x24\x6f\x24\x73\x71\xab\xfd\xdb\xae\x56\x1b\x3b\x14\x6d"
"\xe6\xcc\x9f\x5e\x36\x6c\x01\x48\xfc\x56\x45\x9b\x22\x88\xc0\xe0\xfe\x31"
"\xd8\xc8\xd9\x09\x52\x8c\x05\x31\xa6\x60\x2f\xe8\x32\x2d\xfb\xd8\xb6\xd6"
"\xe8\x24\xba\x9b\xf5\x0f\x8e\x8a\x53\x73\x13\x76\x97\x97\xf6\xdf\xad\x6f"
"\x7a\xa3\x7b\x73\x86\xfb\x84\x64\xf1\x36\xad\xe8\x8e\x1a\xb3\x14\x37\x17"
"\x66\xba\xe3\x29\xe1\xa7\xc1\x9c\x6f\x94\x29\x48\x65\x1c\x47\x93\x61\x45"
"\xde\x48\x6d\x99\xb2\xa8\xe0\x71\x5b\x2e\x1a\x9c\xfc\xfc\xa2\xd4\x42\x57"
"\x1b\xee\x0c\x67\x33\xcb\x72\x1f\x8a\x15\x27\x59\x6f\xac\x7b\x7e\x7b\xcf"
"\x77\xeb\xac\xa5\xda\xc2\xaa\xac\xcf\xca\x75\x89\xfe\xda\xc7\xbe\x97\x4d"
"\x1f\xf8\xe9\x1d\xec\xcd\x91\x01\x9f\xc0\x86\xfa\x7a\xfb\x9a\x09\xe9\x30"
"\xd3\x57\x0e\x62\x17\x30\x7d\xb7\xc4\xc9\xee\xd6\x29\x57\xb5\x5d\x7b\x30"
"\x7e\x05\x38\x8b\xdb\xbf\xc7\x02\x08\x5b\xf7\x7d\xbe\xad\xc4\xf0\x46\x5b"
"\x28\xf1\x6a\xaf\xe5\x43\xcf\xb7\x8b\xc9\x5d\x10\x6b\x7a\xd9\x83\x62\x34"
"\x3e\xdf\xfd\x51\x60\x2a\xb9\xc2\xd7\x30\x02\x50\x77\x2b\xb3\x7a\xf1\x1f"
"\xb1\x57\x8c\x29\x33\xbb\x33\x1b\x68\x74\x69\xb0\xa7\x2f\x00\x61\xf9\xd5"
"\xaa\xc5\xde\xec\x36\x5e\xc9\xba\xd2\x9e\x1e\x3f\x56\xf4\x68\x49\xd6\xb0"
"\xe4\xf4\x0e\x3b\x33\xb2\xdd\xe1\x16\xbe\xf6\x99\x1b\x1e\x60\xc5\xd0\x73"
"\x93\x97\x56\x4a\xef\x89\x26\x6f\x56\x27\x35\xc9\xf6\xca\x26\x47\x60\xd0"
"\x93\x88\x21\x59\x44\x18\xef\x6f\xd3\x80\xfa\xa6\xdb\xda\x05\xd4\xbc\xc5"
"\x87\xec\xb9\x53\x09\x83\x68\xab\x4b\xba\x4f\xdc\xad\xfb\x33\xd4\xb1\xac"
"\xbb\xb9\xcc\xf5\x56\x3f\xfe\x50\x12\xa3\x2a\x59\x0d\xa2\x47\x75\xc1\x1b"
"\x8d\xd8\x10\xae\xf7\x89\x15\xa2\xd2\xf5\xd1\x48\xd7\x9f\x11\xcd\xe8\x72"
"\x54\x12\x83\xc9\x34\x45\xf4\xe7\x02\x1e\x28\x96\x02\x60\x06\xf1\xe9\xe2"
"\xa0\x8b\x67\xf9\xb0\xc5\x02\x46\x44\x84\xce\x59\x4b\xf5\x0e\xe0\x81\xb9"
"\xa9\x94\xcc\x09\x5f\x97\x06\x27\x83\x82\xb5\x7a\x38\x4c\xc3\x0c\x10\xed"
"\x22\xe2\xd8\x9f\x4f\x12\x06\x2b\x16\xb9\xb3\x24\xbc\x3f\x4e\xc5\xfe\x0f"
"\x94\xc2\x1f\xae\x44\x26\xca\x55\x9f\x73\xe2\x79\xde\xff\xdc\xf1\xe6\x99"
"\xff\xf0\x2c\x78\xc8\x22\x06\xdd\xad\xf3\x47\xe4\xf1\x21\x76\x10\xa1\x39"
"\x7b\x2e\xd1\x3e\x2d\x3c\x5c\x85\x13\x29\xf6\x4f\x6f\xe5\x1d\x73\x01\x59"
"\x89\xbc\xff\x64\x9a\x1a\x50\x27\x1e\xf8\xb4\x86\xe7\x30\xd8\xf4\x77\x16"
"\x43\xec\xd1\x5f\x54\x6a\xe3\x92\xba\xf0\x64\x13\xf9\xc0\xf9\x38\x68\xf7"
"\xc6\x1a\xcd\x93\x84\xf9\xb5\xa0\x7d\xeb\x7c\xc2\x4b\x14\x43\x6a\x86\x93"
"\x81\x25\x30\xa7\x67\xc0\xf9\x74\x15\xe2\x40\x7f\x2d\xc8\xc2\xb1\x64\x78"
"\x44\x34\x7c\x7a\xeb\xe1\x0a\x52\xe3\xf5\xf5\x23\xf2\xb2\x2d\x5c\xb0\x29"
"\x44\xe1\x39\xf8\x98\xb7\x2e\xb8\xd9\x83\xe7\x60\x27\x35\xa8\x4d\x5a\x6a"
"\x41\xb2\xf4\xb7\x0f\x12\x91\x78\xc7\xbe\x31\x10\xd4\x03\x21\xe6\xab\x99"
"\x01\xc7\x4c\x34\x39\x40\x96\x29\xb6\x11\x7b\x88\xcb\xba\x6c\x91\x3b\x07"
"\xdc\x77\xfd\xa7\x85\x97\x40\xcb\xdd\xea\xc6\xaf\x8d\xa3\x3a\x7d\xd4\x8d"
"\xed\x6e\x46\x91\xc1\x15\xe2\x3e\xdf\xb5\x5b\x7b\x9c\x35\x14\x2e\x1f\xf0"
"\x87\x42\x55\x19\x29\xf5\x51\xc5\xb4\x4e\xbb\xe4\xc8\x93\xc3\xa6\xe5\x76"
"\xb4\xf1\x5f\x7e\x11\xf2\x3b\x4b\x0f\xa8\xff\x59\x10\xce\x13\xc8\xa6\x82"
"\x90\x71\x2e\x1e\xd7\x46\x08\xb3\xd3\x46\xd3\x1b\x43\x59\x65\x8b\xa4\xb6"
"\xb4\x90\x45\xce\xba\xa1\x01\xc7\xfd\xcd\x9c\x45\x40\x66\xdc\xdb\x3f\x63"
"\xdd\x33\x3a\x1a",
1786);
*(uint64_t*)0x20000b88 = 0x6fa;
*(uint64_t*)0x20000bd8 = 1;
*(uint64_t*)0x20000be0 = 0;
*(uint64_t*)0x20000be8 = 0;
*(uint32_t*)0x20000bf0 = 0;
syscall(__NR_sendmsg, r[0], 0x20000bc0ul, 0ul);
}
int main(void)
{
syscall(__NR_mmap, 0x20000000ul, 0x1000000ul, 3ul, 0x32ul, -1, 0);
for (procid = 0; procid < 6; procid++) {
if (fork() == 0) {
do_sandbox_none();
}
}
sleep(1000000);
return 0;
}