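// autogenerated by syzkaller (http://github.com/google/syzkaller)
//
// Reproducer structure: main() -> setup_main_process() -> do_sandbox_none()
// forks a child; the child applies resource limits (sandbox_common) and runs
// loop(), which starts ten threads that each execute one entry of the syscall
// program in thr(). Every syscall result is recorded in the global array r[].
// Stores into the fixed mapping created by case 0 of thr() are wrapped in
// NONFAILING so that a fault there is skipped instead of killing the process.

// Fallback syscall numbers, used only if <sys/syscall.h> does not define them.
#ifndef __NR_mmap
#define __NR_mmap 9
#endif
#ifndef __NR_socket
#define __NR_socket 41
#endif
#ifndef __NR_setsockopt
#define __NR_setsockopt 54
#endif
#ifndef __NR_bind
#define __NR_bind 49
#endif
#ifndef __NR_sendto
#define __NR_sendto 44
#endif
#ifndef __NR_sendmsg
#define __NR_sendmsg 46
#endif
#ifndef __NR_listen
#define __NR_listen 50
#endif
#ifndef __NR_accept
#define __NR_accept 43
#endif

// Must precede every include: __WALL, unshare()/CLONE_*, mkdtemp() and
// _setjmp/_longjmp are only exposed under _GNU_SOURCE.
#define _GNU_SOURCE

// NOTE(review): the header names were lost in extraction (bare "#include"
// directives). This list is reconstructed from the identifiers the file uses.
#include <errno.h>
#include <pthread.h>
#include <sched.h>
#include <setjmp.h>
#include <signal.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/resource.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

// Process exit codes reported back to the harness.
const int kFailStatus = 67;
const int kErrorStatus = 68;
const int kRetryStatus = 69;

// Terminates the whole thread group with `status`. exit_group() never
// returns; the trailing loop only satisfies the noreturn attribute.
__attribute__((noreturn)) void doexit(int status)
{
  volatile unsigned i;
  syscall(__NR_exit_group, status);
  for (i = 0;; i++) {
  }
}

// Prints a printf-style message plus the saved errno to stderr and exits.
// ENOMEM/EAGAIN map to kRetryStatus (transient), everything else to kFailStatus.
__attribute__((noreturn)) void fail(const char* msg, ...)
{
  int e = errno;  // save before any stdio call can clobber it
  fflush(stdout);
  va_list args;
  va_start(args, msg);
  vfprintf(stderr, msg, args);
  va_end(args);
  fprintf(stderr, " (errno %d)\n", e);
  doexit((e == ENOMEM || e == EAGAIN) ? kRetryStatus : kFailStatus);
}

// Same output as fail(), but always exits with kRetryStatus.
__attribute__((noreturn)) void exitf(const char* msg, ...)
{
  int e = errno;
  fflush(stdout);
  va_list args;
  va_start(args, msg);
  vfprintf(stderr, msg, args);
  va_end(args);
  fprintf(stderr, " (errno %d)\n", e);
  doexit(kRetryStatus);
}

// Nothing in this file sets flag_debug, so debug() output stays off.
static int flag_debug;

// Prints a printf-style message to stdout when flag_debug is non-zero.
void debug(const char* msg, ...)
{
  if (!flag_debug)
    return;
  va_list args;
  va_start(args, msg);
  vfprintf(stdout, msg, args);
  va_end(args);
  fflush(stdout);
}

// Per-thread state for NONFAILING: a non-zero skip_segv means a fault
// outside the program's address window is recovered via segv_env.
__thread int skip_segv;
__thread jmp_buf segv_env;

// SIGSEGV/SIGBUS handler. Faults are recovered (longjmp back into NONFAILING)
// only while skip_segv is set AND the faulting address lies outside the
// [prog_start, prog_end] window; any other fault exits with the signal number.
static void segv_handler(int sig, siginfo_t* info, void* uctx)
{
  uintptr_t addr = (uintptr_t)info->si_addr;
  const uintptr_t prog_start = 1 << 20;
  const uintptr_t prog_end = 100 << 20;
  if (__atomic_load_n(&skip_segv, __ATOMIC_RELAXED) &&
      (addr < prog_start || addr > prog_end)) {
    // %p expects a pointer, not a uintptr_t: cast to keep the call well-defined.
    debug("SIGSEGV on %p, skipping\n", (void*)addr);
    _longjmp(segv_env, 1);
  }
  debug("SIGSEGV on %p, exiting\n", (void*)addr);
  doexit(sig);
  for (;;) {
  }
}

// Installs segv_handler for SIGSEGV and SIGBUS with SA_NODEFER, so a fault
// raised while the handler is active can still be delivered.
static void install_segv_handler(void)
{
  struct sigaction sa;
  memset(&sa, 0, sizeof(sa));
  sa.sa_sigaction = segv_handler;
  sa.sa_flags = SA_NODEFER | SA_SIGINFO;
  sigaction(SIGSEGV, &sa, NULL);
  sigaction(SIGBUS, &sa, NULL);
}

// Executes the wrapped statements; a recoverable fault inside them resumes
// after the block instead of terminating the process.
#define NONFAILING(...)                                           \
  {                                                               \
    __atomic_fetch_add(&skip_segv, 1, __ATOMIC_SEQ_CST);          \
    if (_setjmp(segv_env) == 0) {                                 \
      __VA_ARGS__;                                                \
    }                                                             \
    __atomic_fetch_sub(&skip_segv, 1, __ATOMIC_SEQ_CST);          \
  }

// Bit-field helpers: a mask of bf_len low bits, the same mask shifted to
// bf_off, and a read-modify-write store of val into that field of *addr
// (bf_off == bf_len == 0 means "whole object").
#define BITMASK_LEN(type, bf_len) (type)((1ull << (bf_len)) - 1)

#define BITMASK_LEN_OFF(type, bf_off, bf_len) \
  (type)(BITMASK_LEN(type, (bf_len)) << (bf_off))

#define STORE_BY_BITMASK(type, addr, val, bf_off, bf_len)              \
  if ((bf_off) == 0 && (bf_len) == 0) {                                \
    *(type*)(addr) = (type)(val);                                      \
  } else {                                                             \
    type new_val = *(type*)(addr);                                     \
    new_val &= ~BITMASK_LEN_OFF(type, (bf_off), (bf_len));             \
    new_val |= ((type)(val)&BITMASK_LEN(type, (bf_len))) << (bf_off);  \
    *(type*)(addr) = new_val;                                          \
  }

// Dispatches a raw syscall. Only the first six arguments are passed through;
// a6..a8 are accepted for interface compatibility and ignored.
static uintptr_t execute_syscall(int nr, uintptr_t a0, uintptr_t a1,
                                 uintptr_t a2, uintptr_t a3, uintptr_t a4,
                                 uintptr_t a5, uintptr_t a6, uintptr_t a7,
                                 uintptr_t a8)
{
  switch (nr) {
  default:
    return syscall(nr, a0, a1, a2, a3, a4, a5);
  }
}

// Ignores real-time signals 0x20 and 0x21, installs the fault handler and
// moves into a fresh world-writable scratch directory. Any failure is fatal.
static void setup_main_process(void)
{
  struct sigaction sa;
  memset(&sa, 0, sizeof(sa));
  sa.sa_handler = SIG_IGN;
  syscall(SYS_rt_sigaction, 0x20, &sa, NULL, 8);
  syscall(SYS_rt_sigaction, 0x21, &sa, NULL, 8);
  install_segv_handler();
  char tmpdir_template[] = "./syzkaller.XXXXXX";
  char* tmpdir = mkdtemp(tmpdir_template);
  if (!tmpdir)
    fail("failed to mkdtemp");
  if (chmod(tmpdir, 0777))
    fail("failed to chmod");
  if (chdir(tmpdir))
    fail("failed to chdir");
}

static void loop(void);

// Child-side sandboxing: die with the parent, detach into a new session,
// cap address space (128 MiB), file size (1 MiB), stack (1 MiB) and core
// dumps (0), then unshare mount, IPC and I/O context. Return values are
// deliberately not checked; this is best-effort hardening of the repro.
static void sandbox_common(void)
{
  prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
  setpgrp();
  setsid();
  struct rlimit rlim;
  rlim.rlim_cur = rlim.rlim_max = 128 << 20;
  setrlimit(RLIMIT_AS, &rlim);
  rlim.rlim_cur = rlim.rlim_max = 1 << 20;
  setrlimit(RLIMIT_FSIZE, &rlim);
  rlim.rlim_cur = rlim.rlim_max = 1 << 20;
  setrlimit(RLIMIT_STACK, &rlim);
  rlim.rlim_cur = rlim.rlim_max = 0;
  setrlimit(RLIMIT_CORE, &rlim);
  unshare(CLONE_NEWNS);
  unshare(CLONE_NEWIPC);
  unshare(CLONE_IO);
}

// Forks the sandboxed child. The parent (and a failed fork, which also yields
// a non-zero value) returns fork()'s result; the child runs the program and
// exits with status 1. executor_pid and enable_tun are unused here.
static int do_sandbox_none(int executor_pid, bool enable_tun)
{
  int pid = fork();
  if (pid)
    return pid;
  sandbox_common();
  loop();
  doexit(1);
}

// Syscall results, indexed by the program's result slots; -1 until written.
long r[57];

// Thread body: `arg` selects one step of the syscall program. Cases that
// build arguments in memory write into the region mapped by case 0 through
// NONFAILING, then store the syscall's return value into r[].
void* thr(void* arg)
{
  switch ((long)arg) {
  case 0:
    // Map 0x482000 bytes at 0x20000000; later cases address this region.
    r[0] = execute_syscall(__NR_mmap, 0x20000000ul, 0x482000ul, 0x3ul,
                           0x10000000000032ul, 0xfffffffffffffffful, 0x0ul,
                           0, 0, 0);
    break;
  case 1:
    // socket(domain 2, type 1, protocol 0x84); the fd is reused by all later
    // cases as r[1].
    r[1] = execute_syscall(__NR_socket, 0x2ul, 0x1ul, 0x84ul, 0, 0, 0, 0, 0,
                           0);
    break;
  case 2:
    NONFAILING(*(uint32_t*)0x2047c000 = (uint32_t)0x849);
    r[3] = execute_syscall(__NR_setsockopt, r[1], 0x1ul, 0x20ul,
                           0x2047c000ul, 0x4ul, 0, 0, 0, 0);
    break;
  case 3:
    // 16-byte address at 0x20000ff0: family 2, port 0x204e, addr 0x100007f.
    NONFAILING(*(uint16_t*)0x20000ff0 = (uint16_t)0x2);
    NONFAILING(*(uint16_t*)0x20000ff2 = (uint16_t)0x204e);
    NONFAILING(*(uint32_t*)0x20000ff4 = (uint32_t)0x100007f);
    NONFAILING(*(uint8_t*)0x20000ff8 = (uint8_t)0x0);
    NONFAILING(*(uint8_t*)0x20000ff9 = (uint8_t)0x0);
    NONFAILING(*(uint8_t*)0x20000ffa = (uint8_t)0x0);
    NONFAILING(*(uint8_t*)0x20000ffb = (uint8_t)0x0);
    NONFAILING(*(uint8_t*)0x20000ffc = (uint8_t)0x0);
    NONFAILING(*(uint8_t*)0x20000ffd = (uint8_t)0x0);
    NONFAILING(*(uint8_t*)0x20000ffe = (uint8_t)0x0);
    NONFAILING(*(uint8_t*)0x20000fff = (uint8_t)0x0);
    r[15] = execute_syscall(__NR_bind, r[1], 0x20000ff0ul, 0x10ul, 0, 0, 0,
                            0, 0, 0);
    break;
  case 4:
    // The 9-byte payload and the 16-byte destination address share the same
    // buffer at 0x20477000; the address fields overwrite the payload bytes.
    NONFAILING(memcpy((void*)0x20477000,
                      "\x90\x70\x3d\x6b\x7b\x32\x8d\x74\xcc", 9));
    NONFAILING(*(uint16_t*)0x20477000 = (uint16_t)0x2);
    NONFAILING(*(uint16_t*)0x20477002 = (uint16_t)0x204e);
    NONFAILING(*(uint32_t*)0x20477004 = (uint32_t)0x100007f);
    NONFAILING(*(uint8_t*)0x20477008 = (uint8_t)0x0);
    NONFAILING(*(uint8_t*)0x20477009 = (uint8_t)0x0);
    NONFAILING(*(uint8_t*)0x2047700a = (uint8_t)0x0);
    NONFAILING(*(uint8_t*)0x2047700b = (uint8_t)0x0);
    NONFAILING(*(uint8_t*)0x2047700c = (uint8_t)0x0);
    NONFAILING(*(uint8_t*)0x2047700d = (uint8_t)0x0);
    NONFAILING(*(uint8_t*)0x2047700e = (uint8_t)0x0);
    NONFAILING(*(uint8_t*)0x2047700f = (uint8_t)0x0);
    r[28] = execute_syscall(__NR_sendto, r[1], 0x20477000ul, 0x9ul, 0x0ul,
                            0x20477000ul, 0x10ul, 0, 0, 0);
    break;
  case 5:
    // 4096-byte payload at 0x2047a000, sent with flags 0x20004000 and no
    // destination address.
    NONFAILING(memcpy(
        (void*)0x2047a000,
        "\x99\x21\x20\x19\xd2\x15\xda\xcd\xd2\x1f\x1d\x33\x47\x26\xa6"
        "\x69\xec\xbb\x9e\x5d\x62\xb0\xad\x2d\xdf\x01\x38\xd9\xd8\x60"
        "\x50\xf6\xa0\xed\x17\xd9\xda\x9a\x97\x37\x00\xbd\x6b\xc9\x30"
        "\x7e\xcb\x6f\xe6\xd4\xb6\x2b\x09\x0f\x7c\x0d\x63\x45\xae\x24"
        "\xe4\xca\xf3\xb0\x18\x70\x1d\x03\x71\x30\x74\x62\xe1\x13\x26"
        "\x8c\x6a\x09\xd6\x32\xfd\xc0\x5a\xec\x0a\x4d\xc0\xca\x1c\x37"
        "\xea\x72\xc9\xff\x65\xdd\x1a\xc3\x07\xf7\x66\xa5\xb3\xe9\x17"
        "\x9d\x4d\x1f\x87\x12\x53\x5b\x5f\x0b\x59\x40\xb0\x5f\x99\x13"
        "\x9c\x60\x01\x29\xb8\x39\x7c\x67\xe5\x50\xa7\x36\xb6\x82\x89"
        "\x60\x86\xd3\x4e\x43\x66\x31\x97\x2c\x0e\x73\x5d\xec\x9c\x9b"
        "\xdd\x8d\xba\x4f\xa9\x84\x23\x7f\x51\x35\x29\xd6\x8b\x75\xef"
        "\xc8\xbf\x63\x5d\xe3\x00\xf6\x05\x82\xb7\x33\xc6\xf1\x9f\x5f"
        "\xc4\xdf\x25\x01\x67\xf7\x48\x33\x7f\x74\xfe\x78\x28\xf5\xfb"
        "\xf2\x02\xad\xc3\x68\x6f\xd1\xac\xf1\xbb\xcb\xd1\x1b\x3a\x9b"
        "\x8e\x6c\xcd\x4e\x2e\x9e\x65\x34\x92\xd6\x22\x73\x99\x64\x62"
        "\x65\xe9\x1a\x0d\x05\x2f\xf7\x70\x3d\x40\x9a\xcf\xfa\x40\x4f"
        "\x6a\x7e\x5b\x12\xb7\x7c\x87\xc7\xf6\x48\x00\x1b\x59\xd6\x87"
        "\x7a\xe7\x4d\x77\x63\x02\x3e\xac\xa2\xc3\xe3\x7c\x35\x40\x6f"
        "\xc2\x3b\xc5\x67\x9c\xf3\xb0\xc6\x56\x36\x56\x7b\xbd\x7a\x37"
        "\x58\x2b\x93\xee\xf6\xa1\x90\xad\xd7\x33\x89\x4d\xec\xf5\x9c"
        "\x74\x42\x35\x31\xdb\x0c\x9c\xa8\x0c\x32\x0e\x1a\x72\x8e\x4f"
        "\x78\x67\x5c\xf2\xa9\x6a\xbf\x58\xdf\xce\x7b\x08\xa1\xb8\x07"
        "\x35\xee\x32\xf4\xc3\x2a\xb9\x61\x3c\xfb\x28\xa3\x2b\xe9\x41"
        "\xa5\xeb\xf8\x84\x20\x03\x6c\x57\x7c\x81\x18\x1e\x46\xa4\x65"
        "\xea\xb3\xa5\xc4\xfb\x65\xf4\x6f\xf5\xbb\x7a\xb4\x2c\x6c\x24"
        "\xb0\x7d\xa0\x37\xe9\x83\x60\xbe\x14\x91\x1c\x7d\x12\xfd\x07"
        "\x3d\xdf\xc9\x29\x6f\xa4\x93\x6a\x6a\x28\x60\xaa\xd8\x57\xaf"
        "\xea\xa3\x05\xd4\x2d\x83\xf1\x74\xac\x63\xe6\x7f\x25\xc8\x4c"
        "\xb1\xb9\xbd\x3e\xa4\x76\xab\xc3\x1c\xfb\xd9\x27\x3c\x72\xd2"
        "\x77\x75\x90\x39\x4e\xbf\xe9\x6d\x6f\xe5\x05\x04\x98\x5a\x0c"
        "\x38\x6d\xbb\xf2\x0a\x7c\xb9\x28\x5d\xac\xfc\x26\xd2\xef\x1e"
        "\x72\xcb\xc0\xc9\xb2\xbb\x96\x15\xc0\xed\x3f\x2e\xbe\xbd\xb8"
        "\xcc\x79\xa1\x0a\x95\xc5\xf5\xcc\xa4\x5f\x8c\xf1\xf5\xf6\xa0"
        "\x47\x8c\x0f\x70\xab\x09\xeb\xf7\x5c\x92\xc0\xdc\x25\x98\x0f"
        "\xcf\x52\xf8\x26\xdc\x8a\xa3\x5b\x94\x63\x69\x36\x9f\xb7\xab"
        "\x56\xe7\x57\x0e\x2c\x4d\xb5\x5a\xe3\x3b\x43\x8f\x78\x97\x71"
        "\xe0\xe5\x9c\x6c\x92\x2a\xdc\x47\xe3\x01\x6e\x01\x54\x9d\x53"
        "\x11\x24\xea\xbc\xab\x11\x6a\xbc\xfd\x1e\x8f\x03\x7c\x70\x8a"
        "\xfd\x82\x42\xd0\xb9\x03\x1c\x2d\x7f\xe0\x83\x13\x2e\xaa\x50"
        "\x95\xa9\x6e\x00\x75\xb2\x72\x02\x7d\xc4\xb4\x5a\xe7\xee\xd0"
        "\xae\x48\x32\x65\x0f\xd5\x21\x5d\x4b\xda\x7b\x0e\x10\x03\x70"
        "\xfe\x09\x5e\xd8\x33\x1f\x2b\x8a\xf0\x28\xf6\xda\xe3\xc9\xcc"
        "\x74\x84\x66\x22\x8c\x7d\x25\x4b\x5b\x95\x5c\x0d\x95\x55\x4f"
        "\xc4\xa4\x25\x6d\xe9\x69\x67\x67\x4f\xd0\xa5\xe9\x47\x48\x87"
        "\x21\x7a\x14\xa0\x25\x78\x4d\x53\x6f\x86\x1a\x82\x99\x7e\xad"
        "\x4a\x87\x24\x4d\x85\x18\xfb\xb9\xed\xfa\x4a\xdf\x60\xa7\xda"
        "\x11\xd2\x99\x72\x83\xda\x76\x8f\xe9\x75\xc3\x82\xd9\xf3\xea"
        "\x44\x69\x38\x1d\x28\x79\x51\xec\x0d\x08\xf5\x81\x38\x61\x64"
        "\xa4\xb3\x4d\xe9\xcc\x55\x06\xa7\xdd\xba\x52\x15\xe6\x79\x8d"
        "\xb8\x3f\xc5\xa9\x81\x43\x52\x13\x42\x6a\x63\x03\x53\x71\xc5"
        "\xeb\xcc\x2c\x2a\x66\x3d\xa5\x72\x53\xaf\x1b\x4d\xe3\xb0\x70"
        "\x46\x2b\xca\x1d\x17\x85\x60\x74\xc8\x4f\x54\x40\x93\xb7\xe2"
        "\xa7\x4f\x43\x95\x43\x98\x86\xa0\x6a\xc9\x5c\xfb\x5b\xb2\x6a"
        "\x1e\x2b\xaa\xce\x10\x4c\x0a\x1f\x4f\x63\x1d\x4b\xab\x14\x3b"
        "\x6a\x52\x3c\xb2\x00\xd7\x07\x21\x97\xaa\x95\x11\xa0\xd3\x36"
        "\xe7\x74\x76\x85\xbd\x4f\x1f\x10\xfb\x85\xca\x03\x4d\x87\x74"
        "\xb9\xb1\x25\xcc\x7c\x82\x1f\x24\x81\x78\x40\x37\x5c\x0b\xdb"
        "\x25\xf2\x51\xb0\x03\x45\x87\xef\x99\xbf\x79\xe1\xc6\xf2\x07"
        "\x89\xb2\xb3\x2b\x7e\x72\xd5\xd1\x10\xe6\xc4\xe8\xcd\x2c\xd5"
        "\x67\x3a\xc7\x7a\xc6\xd9\x10\x8b\x4a\xbf\x78\xe6\xc9\x87\x87"
        "\xbb\xfc\x56\xc1\x71\x5b\xbe\x01\xbf\x5a\x7c\x36\xa1\xf9\xb5"
        "\xa1\x87\x5e\xde\x17\xb4\xbc\x61\xd1\xc3\x5a\xf8\x3a\x65\x41"
        "\x26\x16\x02\x2a\x1b\xcc\xa7\x5a\x67\x80\x47\x32\xb1\xd4\xe4"
        "\xd5\x79\xd6\xee\xb3\x0e\x8e\x2b\x04\xf4\x3e\x0e\xfe\xb7\x37"
        "\xdd\x28\xf2\x30\x18\x3e\xd7\x6d\x8d\x1b\x53\xe4\xda\xb7\xf1"
        "\xcf\xaf\x65\xf8\x96\xa5\x42\xd8\xf7\xf2\x23\xf6\x8c\x55\x40"
        "\x4d\xf2\x81\x21\xc6\x4a\xf0\x09\x34\xcf\xd0\x4c\x5f\xe6\x80"
        "\x50\xa2\xee\x63\x18\x1c\x59\x6b\xe7\x58\xe8\x6f\xed\x54\x78"
        "\x00\xd4\xab\x6b\xf1\xf4\x77\x17\xf7\x63\xb1\xf7\x25\xc7\x11"
        "\x00\xac\x4a\x6d\x68\x3c\xf0\x8f\xfa\xf0\xae\x17\x0e\x3e\xae"
        "\x02\x9c\xe7\xab\xe8\x9d\xa1\x7c\x05\x42\x93\x75\x45\x15\x24"
        "\xb8\x5e\x67\x45\xfe\x99\xed\x83\x18\xca\xe8\x02\x1f\xb4\x60"
        "\x6c\x01\x7b\x99\x11\xfa\x6b\xcd\x50\xa9\x2b\x2c\x6f\x8a\xdd"
        "\x44\x32\xc3\xd8\x69\x6c\x26\x05\xdb\x2e\x81\xa6\x8e\xb5\xfa"
        "\xa9\x1a\x34\x95\xd6\xbe\xdb\x4b\xd5\x17\x4a\x5e\x02\xe3\x92"
        "\xf1\x6e\x44\x5b\x92\x09\x5c\x59\x2d\xdf\xfe\xc6\x0c\x2e\x3c"
        "\xaa\x2e\x4a\x18\x2b\x4b\x9d\x5e\x57\x72\x3d\xa3\x11\xa1\x2f"
        "\xb0\x2d\x43\x69\x8f\x65\xce\xd8\xfd\xfb\x48\xf5\xd0\xe3\xa2"
        "\xc7\xa5\x17\xbe\x78\xc6\x4c\x6e\xdd\x00\xd1\x79\x5e\x99\x64"
        "\x21\xd9\x38\xb5\xb5\x08\x2f\xac\x5d\x2b\x62\x46\x76\xcc\xfa"
        "\xb8\x2a\xf6\x81\xfe\xf1\xfb\xc9\x15\xd9\xc0\x76\x55\x68\x8f"
        "\xfd\xae\x5f\xe3\x8a\xda\x5f\xb2\x17\xec\x03\x37\x13\x69\x99"
        "\xee\xdf\x2d\xb8\x0b\xbc\xfc\x8d\xc3\x3e\x90\x19\x99\x78\x30"
        "\x36\x4d\x4e\xdc\x45\xba\x48\x5a\x4a\x68\x46\xe0\x5c\x8b\x5e"
        "\xdc\x26\xe6\x37\x39\xc9\xa8\xe8\xc4\x04\xaa\x59\x48\x1e\x9f"
        "\xcf\x6d\x9a\xd3\x3b\x6c\x11\x63\xa4\x7e\xb9\x6c\x71\xe3\x28"
        "\xdb\x4f\xc2\xdf\x35\x52\x45\x02\xc6\x10\x8a\x7a\x3d\x27\x87"
        "\x0e\x3c\xd4\x82\x85\x3d\x58\xac\xa6\x28\xac\x22\x69\xff\x04"
        "\x1b\x46\xa3\x84\xd5\x48\x10\x8c\x51\xee\x65\xd2\x97\x99\x1c"
        "\x22\xd0\x76\xce\x44\xe0\xd2\xb7\xd9\xb3\x2c\x99\x0e\x3b\x15"
        "\x61\x1e\xc4\x70\x55\xec\x5e\xfc\xc6\x97\xf7\xb7\xe6\xd1\x9f"
        "\xc3\x39\xf9\x92\x16\x73\x48\xaf\x98\xf0\x22\xf2\xb3\xe1\x1a"
        "\x57\x05\x4f\xea\xad\xeb\x77\x7d\x0e\x1f\xe0\x19\xaf\xd0\xff"
        "\x6d\xad\xef\xec\xca\xf7\xc5\xb0\x34\x06\x28\x3d\x2c\x08\xe5"
        "\x5c\x92\x59\xf5\xda\x5f\x54\x96\x9e\xd9\x10\x58\x49\x45\xc4"
        "\xa9\x4b\xc4\xc2\xcd\x16\x9f\x77\xd9\x44\x5e\xbb\x4a\x67\x06"
        "\xcb\x68\x6c\xca\xf2\x9e\x33\x31\x77\x72\x3a\x5a\x83\xf0\x9d"
        "\xe0\x11\xa5\x58\x36\x43\x90\xdb\xfb\x81\x5d\x61\x70\xea\x36"
        "\x10\x8c\x74\x9a\xf0\xe9\x88\x88\xa4\xaf\xf5\x93\x4b\x95\x48"
        "\x65\x4f\x54\xe5\x7b\x8b\xb9\xf2\x15\x26\x2c\xde\xc5\x14\xc3"
        "\x5e\x28\x11\xd4\xa9\xb5\x40\xc6\xb8\x52\x4f\x34\x99\x4e\x1b"
        "\x59\xd3\xad\x6d\xef\x47\x91\xe7\x41\xa6\x39\x61\x1c\x03\x42"
        "\x2e\x4f\xb9\xd4\x60\x4c\x78\x5f\xe0\xab\x13\xe0\xd1\x51\xb4"
        "\xaf\x9e\xe7\x01\x1e\x6f\xb7\x11\xe6\xe8\x51\x58\x8c\x47\x97"
        "\x75\xd8\x67\xe9\x4d\x7a\x16\x12\x7a\x38\x32\xdf\x4f\x61\xe8"
        "\xcb\x43\xda\xf3\x17\x8c\x74\x54\xed\xbe\xa5\x3d\xce\xef\xfb"
        "\x61\xf2\x28\x12\xd3\xf9\xc5\x22\x3a\x91\xad\x18\x39\x56\xdb"
        "\xcc\x69\xed\x6f\x30\x5c\x4e\x94\x82\xc0\x1a\xf2\xcf\x86\x05"
        "\xf5\x93\xfd\xd0\x0c\x19\xe8\x56\xc0\x0a\x67\xb7\x8b\x6e\xce"
        "\xde\x35\x51\xbb\x5f\xc0\xa3\x17\x20\x92\x1d\x00\x2d\x13\x82"
        "\xad\xd1\xc8\x6e\x13\x8d\x98\xaf\x88\x5e\x29\xf6\xbc\x82\x95"
        "\xb5\x12\x92\xe3\xf2\x04\x10\x83\x55\x2c\xf6\x33\xa0\x15\xc0"
        "\x44\xd3\xce\x5e\xb1\x0d\x56\x46\x61\xd0\x2f\xaf\xd4\x7b\x25"
        "\x99\xee\xef\xd5\xbb\x4f\xa0\x11\x49\x63\x4f\x42\xb1\x84\xc0"
        "\x25\x95\x87\x72\xf7\x22\xc5\x9c\xb8\x67\xc7\x4e\x30\x16\xa5"
        "\x58\x08\xe7\x3e\x14\x88\xea\x27\xb2\xd5\x36\x8d\x8a\xb9\xbb"
        "\x9d\xca\x35\xd6\x99\xa2\xd6\x9a\x17\xd3\xa1\xcf\xfa\x92\xf2"
        "\xa3\x07\x86\x09\x61\xf6\x14\x2c\xb9\xfc\x5b\xa5\x8c\xfb\xb6"
        "\xc3\x0f\x0b\x53\xf8\xf5\x76\x70\x5a\x57\x85\x31\x19\x9b\xa2"
        "\x77\x4f\xec\xd2\x31\x46\xd1\x10\x21\xca\x9c\xf7\xae\x68\x0e"
        "\x7a\x2e\xa5\x74\xc5\x86\xcf\x19\x76\x6f\xe1\xdf\x9d\x0e\xa9"
        "\xe7\x2b\x74\x26\xf4\x50\x91\x1b\x1d\x16\xf4\x71\xc2\xb0\x0a"
        "\xa4\x33\x9b\xad\xec\xd0\x82\x3b\x59\x44\xcb\x86\xf4\x2f\x6c"
        "\x13\x9f\x78\xe5\xdc\x53\x23\x4d\xda\xc2\x31\x32\x78\xed\x97"
        "\x18\x57\x41\x41\x4e\xb3\x70\xaf\x1f\xac\x59\x73\x5a\x56\x00"
        "\xfd\x5b\x86\x26\xb2\x0c\x0e\xff\xca\xe9\x68\xbe\x2d\x2b\x55"
        "\x74\x05\xbf\x62\x04\xe1\xf9\xe7\x68\xaa\x35\xf5\x5d\xad\xba"
        "\x51\x7f\x58\x58\x73\x78\x42\x6e\xfc\x78\x99\xa6\xd0\x76\xac"
        "\xd4\x3c\x2f\xd0\x3b\xc8\x72\x2f\xd3\x3c\x34\x5d\xa7\x39\x82"
        "\x0e\x71\xfb\x87\xaa\x2c\xff\x15\xd5\x87\x51\x9a\x0d\xc8\xea"
        "\x79\xc9\xed\xde\xe1\x09\x74\x12\x2c\x1a\xb6\xb7\xbc\x8e\xac"
        "\x9a\x13\x1d\x50\xd5\xc1\x75\x7e\x89\x99\xa4\x60\xd7\x98\xf2"
        "\x49\x75\xe3\x18\x49\x69\x8c\x4e\x27\x14\x87\x66\x53\x3e\xcc"
        "\x3f\x36\x86\x72\xb8\xb8\x3d\x82\x35\xd9\x14\x7d\xcc\xfc\x3e"
        "\xbf\xc0\xe3\xdb\xf6\x3d\xbb\xf5\x35\x30\x90\xf1\x33\xf6\x65"
        "\x98\x6c\x02\xfb\x50\xcb\xcd\x0a\x41\xd9\xee\x87\x13\xfb\x1c"
        "\x65\x3f\x15\x7e\x59\x72\x5a\xc4\x5d\xe3\x3a\x4d\xf6\xb8\x62"
        "\x91\x0e\xdd\xd2\xd2\xdd\x6f\x11\x58\x76\x69\x58\x0e\x2c\xd2"
        "\xa9\xea\x6b\xdb\x9f\x90\xab\xd5\x12\x43\xb3\x67\x58\x6a\x67"
        "\x41\xbd\x9f\x7b\x76\x09\x6e\x59\x9f\xe6\x00\x99\xa2\xad\x63"
        "\xd8\xd7\x37\x83\xf9\xb0\x71\x4a\xf9\x94\x10\x02\xf9\x0b\x4c"
        "\xac\x81\xbb\x47\x39\xc7\x00\x35\x26\xd0\xba\xc9\x0a\xc2\x19"
        "\xba\x94\xd1\x7a\x73\x44\x84\x7c\x03\x29\x84\x80\xf8\xd2\xd3"
        "\x3b\x02\x14\xdd\x2d\xd7\xda\x61\xaa\xf6\x01\xe8\x58\x1f\xcf"
        "\x14\x14\xa7\xcc\x92\x06\xf9\x7a\xba\x60\xd1\xb5\x25\x4c\x08"
        "\xd7\xe5\xed\x30\xcf\xba\x41\x3e\xbc\x1c\x62\x14\x05\x0d\xfb"
        "\xbe\x34\x52\x11\x0a\x1e\xcb\x9c\xbb\x9a\x41\xa7\x35\xfa\x80"
        "\xe1\xca\x30\x26\xaa\x52\x63\x76\x96\xed\x85\x06\xe4\x9f\x2f"
        "\x90\x89\x04\x6b\x98\x74\xe4\xd6\x9d\x72\xe3\x38\x34\x9e\x0d"
        "\x7d\x98\x14\x52\x9e\x8c\x1f\xb3\xf6\xc6\x3a\xe9\x59\x47\x77"
        "\xf7\x2b\x0f\x49\xa3\xf6\x9a\xf7\x3a\x55\xbd\x3b\xa1\x1f\x16"
        "\xdb\x9d\xf5\x36\xf2\x09\x07\x6d\xcb\xd0\x65\x28\xde\x24\x00"
        "\x22\x29\x34\xf2\x60\xf9\x9c\x3a\x10\x89\x54\xe6\x3d\xe7\x38"
        "\x94\xc6\x95\x48\x40\x7e\x21\xea\xba\xbd\xe0\xfd\x28\x8e\x99"
        "\x5d\x5e\x6b\xa8\xf1\x99\x3f\x7f\x08\xe2\x36\x55\x06\x00\xea"
        "\xae\x1f\x29\xdf\x3e\xf4\x78\x2b\xe5\x57\x50\x6c\xff\x53\x7f"
        "\xc1\x01\x09\x37\x75\x25\x97\x3d\x5a\xe0\xac\xab\xe6\x8a\x01"
        "\x70\x3d\x08\x10\xb8\x32\x6d\x19\x11\xf4\x63\x00\xdc\x15\xc5"
        "\x5b\xaa\xbf\x7d\x63\x32\x3a\xbc\xbf\x7d\x9e\xf2\x89\x87\x73"
        "\x54\x63\xd1\xdd\x9b\x57\xea\xb1\x16\xec\x08\x57\x17\x8c\xd9"
        "\x2c\x8d\xb5\xb1\x42\x3a\x88\xee\x73\x29\xf1\xc8\xaf\x54\x99"
        "\x6f\x42\xb5\x1a\x9f\x22\x87\x14\x02\x4e\x87\x9e\x46\x93\x04"
        "\x76\x36\xc4\x85\xd7\x57\xd6\x36\x3a\x95\x28\xa6\x31\x54\xf1"
        "\x7e\x90\xd3\x5e\xd9\x1c\x9d\xe2\x5a\xba\x23\x98\x70\x85\x61"
        "\xdf\xd0\x2c\xf0\xac\x3f\xa9\x23\x75\x0d\xde\x09\x4e\xb2\x56"
        "\x54\xa6\xda\x55\x25\x86\x27\xa8\xae\xe9\x9c\x48\xf9\x94\x06"
        "\xae\x88\x97\x4e\xb7\x30\xc1\x0d\x79\xa3\x38\xa2\x54\xdc\x1f"
        "\x9c\x49\x42\x72\xf5\xc1\x0d\xf0\x0c\x78\x0c\x69\x3f\x7c\x57"
        "\x56\xc0\x11\x9d\xfb\x86\xf6\x77\x32\xca\xc7\x76\x1e\x2f\x6a"
        "\x75\x5b\x4a\x38\x44\x2f\xb9\x01\x7a\x03\xf5\x75\xfd\x64\x3e"
        "\xb4\xac\x51\xbc\x36\xfd\xdd\xda\xc2\x89\x19\xf2\x93\xc8\xf8"
        "\x69\x02\xee\x4b\x82\x23\xf4\xdb\x91\x3f\x3b\x90\x7f\x55\x7c"
        "\xb1\x28\x3d\xbd\x35\x04\x9a\x3a\x0e\x22\x97\x52\x4b\xc3\xa3"
        "\x2d\x14\x71\x14\x72\x68\xab\x7e\x2a\xfe\x9d\x9e\x0f\x8e\xee"
        "\x35\x2d\x94\x3e\xcd\x05\x75\x34\xe5\x7a\x18\x50\x1e\x68\xa1"
        "\x1b\xba\x92\x62\x70\xfe\x76\x50\x9e\x70\x15\x61\xc0\x31\x0b"
        "\x1e\xee\xb4\xe3\xbd\xbb\x99\xc9\x72\x4f\x3b\x19\xf0\xf8\xb6"
        "\xe7\x6a\xae\xa1\x59\x8a\x40\x2c\x65\xc8\x83\xe9\xc9\x77\x69"
        "\x6f\x02\x43\x84\x9b\xe1\x84\xec\x24\xf4\xca\x12\xb9\x9c\x9e"
        "\xc2\x98\x4d\xd6\x9a\x1f\x81\xe0\xe0\x27\x8f\x79\x58\xf5\xf8"
        "\xe6\x79\x05\x0f\xd8\x72\xe9\xaf\x2f\x0e\xb9\x33\x45\x9a\xf1"
        "\x2b\xe9\x01\x81\x8a\xdf\xaa\x85\x9d\x59\x2a\x93\x81\x23\xce"
        "\x96\x56\x1b\xa8\xda\xee\x0a\x66\xd4\x7b\x9d\xe9\x52\x62\x86"
        "\x51\xdc\xda\xd4\x9f\xac\x29\x61\x88\x3b\x86\xdb\xc1\x76\xa9"
        "\xa4\x8a\x08\x97\xe1\xb7\x1e\xcb\x44\x68\xd9\x0b\xaa\x32\x1d"
        "\x0e\x3d\xf1\x51\x6e\x8e\x7b\xcd\xa6\xfa\x21\xdb\x33\x4e\xa7"
        "\xfb\x99\xb9\x6a\xc6\x1f\x98\xba\xba\x48\x89\x3d\xe8\x93\x12"
        "\xd9\xca\xac\x1c\x91\x44\xb9\x25\xfa\xe9\x27\x24\x55\x58\xec"
        "\x93\x52\xc3\xbb\x90\xf1\xec\xc6\x86\xe1\x45\x5b\xfe\xfe\xc8"
        "\x30\x3b\xdb\xa2\x36\x8d\x58\xff\xbc\x08\x2e\x30\xcb\x5a\x44"
        "\x75\x1c\xb6\x9a\x81\x85\x35\x2d\x2f\xaa\x84\xb1\x19\x32\x49"
        "\x86\x19\x60\x69\xb6\x91\x2a\x4e\x05\xa1\xb4\x1d\x08\xa5\x0c"
        "\xdb\x5f\x53\x5e\x0c\xb9\x3e\xef\x2e\xa9\x27\x46\x74\xb4\x8b"
        "\x2f\xf1\xf5\x02\xf8\x79\x9a\x05\xc4\x0b\x99\xdf\xee\x36\x4b"
        "\x7b\xee\xeb\x1b\x17\x42\x7c\x1b\x1a\x05\x71\x63\xe8\x7a\x98"
        "\xf8\xdb\xed\x3d\x71\xae\x8b\x07\xa9\x6a\x0c\xa4\xbd\xfb\x14"
        "\xaf\xcf\xba\xdc\x02\x96\x04\x5c\xe3\x8d\x24\x99\x19\x61\x4f"
        "\x14\x7d\x4a\x6d\x7e\xd7\xd8\x0a\x5d\x8a\xf1\x98\x59\xfd\x93"
        "\x69\xea\x5b\xe7\x56\x1b\xd5\x34\x1d\xa9\x2c\x92\x40\xf3\xf0"
        "\x05\x17\x8f\x1d\x73\x88\xf4\xde\x42\x7c\x63\x39\xb0\x15\x45"
        "\x98\x10\xd6\xee\x6d\xa7\x82\x06\x7b\xc0\x18\x17\xb5\x25\xd7"
        "\xc5\x8c\x78\x1a\x8b\x2e\x6e\x0e\xee\xde\x7b\x28\x5e\x0e\xf0"
        "\xc3\xc5\x31\x43\xd1\x9b\x9c\x57\xed\xe3\x51\x1b\xc0\xb0\x42"
        "\xe4\xc7\x45\xb5\x6f\x45\x42\xed\x1f\x4e\x2b\x7f\x16\xbe\xbe"
        "\x8d\x08\xcb\x94\x09\x3f\xcc\xa5\xef\xc5\xab\x66\x88\x33\x60"
        "\x5e\xa0\xf1\xe3\x19\x5e\x73\xe5\xea\x93\x7b\x1f\x70\x4f\xcd"
        "\x04\x41\x88\xdc\x4b\x57\xc1\x3e\x7a\x83\x15\x3d\x12\x07\x68"
        "\x77\xa1\x01\xd3\x8f\xb8\xc1\xd2\xd7\x9b\x72\xb2\xc9\x3b\x20"
        "\xd7\xd3\x50\xdf\x5c\x32\xf2\xd8\x45\x46\xcb\x2b\x30\x7b\x29"
        "\x4b\xfc\x10\xfc\x37\x90\xd4\x2c\xec\x75\x87\x4a\xd0\x6d\x1f"
        "\x82\xa8\x01\x50\x5d\xb8\x9c\xc0\x65\x8f\xac\x64\xa6\x04\x20"
        "\x36\x3e\xa5\x21\x85\xbe\xfb\x62\x7b\x89\x50\x47\x2f\x8d\xbb"
        "\x80\x75\x86\x0b\x6e\x41\x98\xc9\x6a\xba\xd8\x50\x09\x0c\x9e"
        "\xf7\x9d\x30\x4a\x27\xb0\xe0\x9e\xc2\xfd\x1c\x1c\xd2\xb7\x22"
        "\xe8\xfa\xb1\x4e\xdf\x49\xca\x37\xc4\x98\x9a\xb0\x93\x99\xce"
        "\xff\xdb\x68\x64\x9b\xb3\x0e\x9a\x92\x6a\x6d\xce\x88\x67\xe9"
        "\xf8\x6d\xa8\xcb\xab\x8c\xf2\x75\x09\x89\x17\xdb\x64\xc6\x5c"
        "\xb3\x43\x2c\x1e\x07\x88\xd4\x5b\xf3\xa2\x80\x9b\x06\xa3\x65"
        "\x16\xde\xc8\x81\xd9\x4d\x58\xdc\xaa\xc5\x8b\x17\xa1\x9c\x03"
        "\xd9\x1a\xa1\xd7\x46\x14\xb9\x4d\xc6\xbb\xe4\x89\xfe\xfd\x08"
        "\x3f\x35\x7f\x3d\x1e\x27\x3b\xb7\x15\xa1\x66\xc6\x56\x3b\xcb"
        "\xef\xbe\xfc\x18\x0d\xe0\xa6\x9a\x2f\x44\x6f\xa9\x2d\xd6\x05"
        "\xb4\x18\xe9\x20\x8a\xee\x62\x9f\x95\xe7\x4e\xca\xb4\xb5\xcd"
        "\x5c\xae\xfd\x48\xf2\x54\x69\x6b\x3a\x4e\xba\x8a\x40\xa4\x80"
        "\xf9\x8a\x53\xdf\x02\xff\x86\xf0\xe2\xc9\xd6\x5b\x3b\x34\x09"
        "\x57\x6f\x42\x83\x4c\x33\xf0\x9d\xf6\xb3\x23\x46\x29\xed\x80"
        "\x70\x35\x41\xb3\x06\x9e\x86\x58\xcb\xac\x43\x0b\x65\x64\xe5"
        "\xeb\xc3\xb2\x89\xe5\xa3\x0f\x11\x5b\x80\x48\x7e\xba\x40\x6f"
        "\xcb\x57\x47\xa7\xfe\x59\x3c\xf0\x0b\x60\x7c\xf5\x81\x98\x2b"
        "\x2d\xe6\x66\x92\x3c\xa3\xe9\xb6\xf9\xd6\x04\xb1\x17\xa9\x47"
        "\xec\x96\xe9\xb0\x41\xe1\x4f\xe3\x5d\x4e\x63\xec\x3f\x0e\x7d"
        "\x38\xb7\x22\xa9\xb6\x63\x94\xad\xc9\x41\x08\x78\x8e\x47\x6b"
        "\xd8\x59\xd7\x05\x02\x57\x5a\xba\xa8\x1e\x96\xd1\x51\xd8\xa0"
        "\xc1\x43\xf5\x45\x4f\x1c\xef\xca\xa5\x04\x9d\x8a\xe4\x07\xd3"
        "\x4d\x73\x83\xd7\x5c\xdf\x17\x26\x7b\xde\x90\x21\xcc\x94\xf6"
        "\x7f\xcb\xcd\x17\x2b\xa7\xb7\x00\x63\xc1\x98\x64\x51\x0c\xa3"
        "\xb0\x0e\x71\xba\x9b\xc4\x96\x89\x1c\x12\xb8\xac\x5c\x8f\x73"
        "\x84\x2a\x28\x73\x33\x03\x27\x5a\x92\x04\xbb\x45\x93\xbd\x94"
        "\x5b\x87\xfa\xd8\x8e\x7d\xd0\x88\x11\x97\x9f\x6b\xbc\x3b\xfb"
        "\x74\xe4\xf8\x82\xff\xf0\x09\x12\xf7\x35\xb8\xa2\xcd\x64\x87"
        "\x70\x53\x68\xed\xc9\xfe\x66\x23\xfe\x38\x8e\x03\x8f\xd1\xd1"
        "\x30\x75\xe5\x73\x63\x23\x20\xb7\xe0\xe1\x85\xc6\x7c\x29\x98"
        "\x2f\x83\xfc\x21\xe9\x61\xcf\xc6\xc5\xb7\x33\xb3\x64\x72\xb2"
        "\x28\x18\x5a\x73\x30\xf2\xc5\x30\xfb\x36\x52\x66\xf9\x66\x33"
        "\x48\x3c\xac\xef\x4b\x00\x72\x93\xa7\x51\xec\xd5\xeb\x0f\xb1"
        "\x55\x29\x90\x51\x4c\xe5\xe9\x44\x44\x00\xf4\x75\xdf\xbc\x64"
        "\xa5\xd3\xeb\xeb\xc7\x96\x74\x02\x9b\xc5\xcd\x56\xb8\x3d\x34"
        "\xfb\x1c\x40\x6b\xf8\x6d\xfa\xb4\x45\xeb\x89\x89\x8f\xc6\x83"
        "\xee\x44\xba\x9e\x60\x24\xd0\x19\xb5\xa0\xc2\xba\x81\x56\xc5"
        "\x85\x54\x48\x63\xe8\x9d\xd2\x02\x60\xa4\xaa\x01\xd1\xdc\xa4"
        "\x7a\xbc\xf2\x22\x2a\x44\x25\x85\xff\x5b\x0b\x05\xd7\x33\x92"
        "\xb7\x68\x4c\x26\xea\xfa\x65\x86\x5a\x94\xec\x2a\xc2\x98\xec"
        "\x5f\x91\x24\x94\xa3\x11\x93\xdc\x55\x9e\x31\xe9\x1f\x29\xea"
        "\x37\x4e\xcf\xcf\xd5\xda\xb6\x23\x44\xe8\x4b\x8a\x72\x78\x03"
        "\x13\x09\xc0\xcd\xe0\x29\xdd\x83\xbf\x48\xd7\xfb\x5b\x83\xe4"
        "\x21\x28\x0e\x35\xbd\xc1\x41\x33\xde\x8f\xbf\x2e\xb7\xca\xe0"
        "\x25\x28\x01\x29\x10\x62\xc2\x87\xea\x79\x53\xbc\x24\x92\xe0"
        "\xc6\xc5\x13\x4f\x49\xbe\xde\xb3\x33\x35\x31\xfe\xbd\x8c\xfd"
        "\xc0\x07\x08\x0b\x59\x0c\x53\xdf\xdc\x2e\xa4\xd8\x86\xe6\xe0"
        "\x3a\x97\x5c\x47\x17\x82\x77\x3d\x3d\xc2\x8f\x27\xf6\x3e\x14"
        "\x43\xe4\x7d\xb8\x81\xf9\x2a\x28\x97\x4f\x04\xe3\xde\x6e\x6b"
        "\x7a\x13\x19\xef\x6e\x96\x3e\x1f\xb1\xc1\x48\x08\x16\xf8\x01"
        "\x28\xaa\xa3\xf2\x6a\x82\xf4\x00\x18\x5b\xb4\x31\x40\x4f\x75"
        "\x81\xf7\x00\x1f\xdd\x45\x1f\xa9\x94\xe7\x8c\x36\x55\x5e\xe0"
        "\x1a\x0a\x1e\x2f\x13\x90\x6c\xc1\x21\xc8\xe2\x9e\xc5\x53\x46"
        "\x9a\x06\x0b\x57\x57\x75\x74\x50\xdd\x3d\x37\x91\x1e\x79\x26"
        "\x86\x79\xa7\x34\x6e\xa7\x1e\xd0\x5a\x12\xcc\xbb\x3e\x49\x13"
        "\x4d\x02\x09\x90\xba\xad\x49\xd3\x61\x85\x8b\x46\x48\xba\x13"
        "\x2d\x5c\xed\xf9\x76\x32\x92\xf5\x9b\x6c\x2d\xfe\xb4\x47\xf6"
        "\xe2\x93\x0e\xac\xea\xe4\x52\x17\xe0\xcc\x18\x97\x38\xd6\xe0"
        "\xbc\x6f\xf0\x11\xa9\xcd\xdc\x8f\xa7\x7c\x8d\x96\x80\x81\xcd"
        "\x7d\x77\x4e\x24\x8e\xdd\x4c\x0d\x91\xd8\xcc\xfb\x4c\xdf\x38"
        "\x3c\xba\x0c\x8c\x97\x07\x38\xb9\x83\xb4\x89\xc2\x9f\x31\xb6"
        "\x04",
        4096));
    r[30] = execute_syscall(__NR_sendto, r[1], 0x2047a000ul, 0x1000ul,
                            0x20004000ul, 0x0ul, 0x0ul, 0, 0, 0);
    break;
  case 6:
    // Message header at 0x2047a000 (name ptr/len, iov ptr/count, control
    // ptr/len, flags); the 16-byte name is then written over its first
    // bytes, and the single iov entry points at a 34-byte payload.
    NONFAILING(*(uint64_t*)0x2047a000 = (uint64_t)0x2047a000);
    NONFAILING(*(uint32_t*)0x2047a008 = (uint32_t)0x10);
    NONFAILING(*(uint64_t*)0x2047a010 = (uint64_t)0x2047afe0);
    NONFAILING(*(uint64_t*)0x2047a018 = (uint64_t)0x1);
    NONFAILING(*(uint64_t*)0x2047a020 = (uint64_t)0x0);
    NONFAILING(*(uint64_t*)0x2047a028 = (uint64_t)0x0);
    NONFAILING(*(uint32_t*)0x2047a030 = (uint32_t)0x0);
    NONFAILING(*(uint16_t*)0x2047a000 = (uint16_t)0x2);
    NONFAILING(*(uint16_t*)0x2047a002 = (uint16_t)0x204e);
    NONFAILING(*(uint32_t*)0x2047a004 = (uint32_t)0x0);
    NONFAILING(*(uint8_t*)0x2047a008 = (uint8_t)0x0);
    NONFAILING(*(uint8_t*)0x2047a009 = (uint8_t)0x0);
    NONFAILING(*(uint8_t*)0x2047a00a = (uint8_t)0x0);
    NONFAILING(*(uint8_t*)0x2047a00b = (uint8_t)0x0);
    NONFAILING(*(uint8_t*)0x2047a00c = (uint8_t)0x0);
    NONFAILING(*(uint8_t*)0x2047a00d = (uint8_t)0x0);
    NONFAILING(*(uint8_t*)0x2047a00e = (uint8_t)0x0);
    NONFAILING(*(uint8_t*)0x2047a00f = (uint8_t)0x0);
    NONFAILING(*(uint64_t*)0x2047afe0 = (uint64_t)0x2032cfbc);
    NONFAILING(*(uint64_t*)0x2047afe8 = (uint64_t)0x22);
    NONFAILING(memcpy((void*)0x2032cfbc,
                      "\x9a\xc5\x2b\x7d\x1d\x37\x65\xf9\x4f\x3e\x01\xdc"
                      "\xc0\xe6\xe4\x65\xb6\xbf\xb4\x81\x7f\x29\xbd\xa2"
                      "\x56\xe9\x8c\x42\x23\xdb\x73\xb8\x80\xe1",
                      34));
    r[52] = execute_syscall(__NR_sendmsg, r[1], 0x2047a000ul, 0x4000ul, 0, 0,
                            0, 0, 0, 0);
    break;
  case 7:
    // mmap backed by the socket fd r[1].
    r[53] = execute_syscall(__NR_mmap, 0x201ff000ul, 0x800000ul, 0x5ul,
                            0x32ul, r[1], 0x0ul, 0, 0, 0);
    break;
  case 8:
    r[54] = execute_syscall(__NR_listen, r[1], 0x7ffful, 0, 0, 0, 0, 0, 0, 0);
    break;
  case 9:
    NONFAILING(*(uint32_t*)0x2047b000 = (uint32_t)0x0);
    r[56] = execute_syscall(__NR_accept, r[1], 0x203acffful, 0x2047b000ul, 0,
                            0, 0, 0, 0, 0);
    break;
  }
  return 0;
}

// Resets r[] to -1, then starts one thread per program step (10 of them,
// 10 ms apart) and waits a further 100 ms. Threads are never joined; the
// child exits from do_sandbox_none() right after this returns.
static void loop(void)
{
  long i;
  pthread_t th[20];
  memset(r, -1, sizeof(r));
  srand(getpid());
  for (i = 0; i < 10; i++) {
    pthread_create(&th[i], 0, thr, (void*)i);
    usleep(10000);
  }
  usleep(100000);
}

// Entry point: prepare the process, fork the sandboxed child and wait for it.
int main(void)
{
  setup_main_process();
  int pid = do_sandbox_none(0, false);
  int status = 0;
  while (waitpid(pid, &status, __WALL) != pid) {
  }
  return 0;
}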