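// autogenerated by syzkaller (http://github.com/google/syzkaller)
//
// Runtime support for a syzkaller C reproducer: exit helpers, an optional
// debug logger, a SIGSEGV/SIGBUS handler that lets the program survive faulting
// stores into its own scratch mappings, bitfield-store macros and an Internet
// checksum helper.

// Fallback syscall numbers, used only when the libc headers do not provide
// them. The values match the Linux x86-64 syscall table.
#ifndef __NR_mmap
#define __NR_mmap 9
#endif
#ifndef __NR_socket
#define __NR_socket 41
#endif
#ifndef __NR_sendto
#define __NR_sendto 44
#endif

#define _GNU_SOURCE

// NOTE(review): the header names of the original #include directives were lost
// when this page was extracted (only bare "#include" tokens survived). The list
// below is reconstructed from the identifiers this file actually uses; it is
// not the generator's original list.
#include <dirent.h>
#include <errno.h>
#include <sched.h>
#include <setjmp.h>
#include <signal.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/prctl.h>
#include <sys/resource.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/time.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

// Process exit statuses used by the helpers below. kErrorStatus is declared
// but not referenced by any code visible in this file.
const int kFailStatus = 67;
const int kErrorStatus = 68;
const int kRetryStatus = 69;

// Terminates every thread of the process via the raw exit_group syscall.
// The trailing loop only exists so the function never returns even if the
// syscall somehow does.
__attribute__((noreturn)) void doexit(int status)
{
    volatile unsigned i;
    syscall(__NR_exit_group, status);
    for (i = 0;; i++) {
    }
}

// Prints a printf-style message plus the errno value seen on entry to stderr
// and exits. ENOMEM and EAGAIN map to kRetryStatus, everything else to
// kFailStatus. The format attribute lets the compiler check call sites.
__attribute__((noreturn, format(printf, 1, 2))) void fail(const char* msg, ...)
{
    int e = errno; // captured first: fflush()/vfprintf() may overwrite errno
    fflush(stdout);
    va_list args;
    va_start(args, msg);
    vfprintf(stderr, msg, args);
    va_end(args);
    fprintf(stderr, " (errno %d)\n", e);
    doexit((e == ENOMEM || e == EAGAIN) ? kRetryStatus : kFailStatus);
}

// Same reporting as fail(), but always exits with kRetryStatus.
__attribute__((noreturn, format(printf, 1, 2))) void exitf(const char* msg, ...)
{
    int e = errno;
    fflush(stdout);
    va_list args;
    va_start(args, msg);
    vfprintf(stderr, msg, args);
    va_end(args);
    fprintf(stderr, " (errno %d)\n", e);
    doexit(kRetryStatus);
}

// Debug logging switch. Nothing visible in this file ever sets it, so debug()
// is a no-op unless the flag is changed by hand.
static int flag_debug;

// printf-style logger to stdout, active only when flag_debug is non-zero.
__attribute__((format(printf, 1, 2))) void debug(const char* msg, ...)
{
    if (!flag_debug)
        return;
    va_list args;
    va_start(args, msg);
    vfprintf(stdout, msg, args);
    va_end(args);
    fflush(stdout);
}

// Per-thread state for NONFAILING(): nesting counter and the jump target the
// fault handler returns to.
__thread int skip_segv;
__thread jmp_buf segv_env;

// SIGSEGV/SIGBUS handler. When the fault happened inside a NONFAILING() region
// and the faulting address lies outside the 1 MiB..100 MiB window (the code
// treats that window as the program's own range), the faulting statement is
// abandoned by jumping back to the _setjmp() in NONFAILING(). Any other fault
// terminates the process with the signal number as exit status.
static void segv_handler(int sig, siginfo_t* info, void* uctx)
{
    uintptr_t addr = (uintptr_t)info->si_addr;
    const uintptr_t prog_start = 1 << 20;
    const uintptr_t prog_end = 100 << 20;
    if (__atomic_load_n(&skip_segv, __ATOMIC_RELAXED) && (addr < prog_start || addr > prog_end)) {
        // %p requires a void*; the original passed the uintptr_t directly.
        // stdio is not async-signal-safe; this is reached only with
        // flag_debug set, since debug() returns early otherwise.
        debug("SIGSEGV on %p, skipping\n", (void*)addr);
        _longjmp(segv_env, 1);
    }
    debug("SIGSEGV on %p, exiting\n", (void*)addr);
    doexit(sig);
    for (;;) {
    }
}

// Installs segv_handler for SIGSEGV and SIGBUS. SA_NODEFER keeps the signal
// unblocked while the handler runs, which matters because the handler leaves
// through _longjmp() rather than returning.
static void install_segv_handler()
{
    struct sigaction sa;
    memset(&sa, 0, sizeof(sa));
    sa.sa_sigaction = segv_handler;
    sa.sa_flags = SA_NODEFER | SA_SIGINFO;
    sigaction(SIGSEGV, &sa, NULL);
    sigaction(SIGBUS, &sa, NULL);
}

// Runs the given statement(s) so that a SIGSEGV/SIGBUS raised by them is
// swallowed: skip_segv is raised for the duration, and segv_handler jumps back
// to the _setjmp() here, after which execution simply continues.
#define NONFAILING(...)                                              \
    {                                                                \
        __atomic_fetch_add(&skip_segv, 1, __ATOMIC_SEQ_CST);         \
        if (_setjmp(segv_env) == 0) {                                \
            __VA_ARGS__;                                             \
        }                                                            \
        __atomic_fetch_sub(&skip_segv, 1, __ATOMIC_SEQ_CST);         \
    }

// Mask of bf_len low bits, and the same mask shifted up to bit bf_off.
#define BITMASK_LEN(type, bf_len) (type)((1ull << (bf_len)) - 1)

#define BITMASK_LEN_OFF(type, bf_off, bf_len) \
    (type)(BITMASK_LEN(type, (bf_len)) << (bf_off))

// Stores val into a bitfield of width bf_len at bit bf_off inside *addr;
// bf_off == 0 && bf_len == 0 means "plain store of the whole value".
// This expands to a bare if/else, so it must not be used as the unbraced body
// of another if. It is not used by any code visible in this file.
#define STORE_BY_BITMASK(type, addr, val, bf_off, bf_len)                         \
    if ((bf_off) == 0 && (bf_len) == 0) {                                         \
        *(type*)(addr) = (type)(val);                                             \
    } else {                                                                      \
        type new_val = *(type*)(addr);                                            \
        new_val &= ~BITMASK_LEN_OFF(type, (bf_off), (bf_len));                    \
        new_val |= ((type)(val)&BITMASK_LEN(type, (bf_len))) << (bf_off);         \
        *(type*)(addr) = new_val;                                                 \
    }

// Running ones'-complement sum for an Internet-style checksum.
struct csum_inet {
    uint32_t acc;
};

// Resets the accumulator.
void csum_inet_init(struct csum_inet* csum)
{
    csum->acc = 0;
}

// Adds `length` bytes at `data` to the checksum as host-endian 16-bit words; a
// trailing odd byte is added as a value in 0..255. The accumulator is folded
// back to 16 bits only once at the end, so a single call should stay well
// below roughly 128 KiB to avoid 32-bit wraparound.
void csum_inet_update(struct csum_inet* csum, const uint8_t* data, size_t length)
{
    if (length == 0)
        return;

    size_t i;
    for (i = 0; i < length - 1; i += 2) {
        // memcpy instead of the original *(uint16_t*)&data[i]: same value,
        // but no misaligned or type-punned load.
        uint16_t word;
        memcpy(&word, &data[i], sizeof(word));
        csum->acc += word;
    }

    if (length & 1)
        csum->acc += (uint16_t)data[length - 1];

    while (csum->acc > 0xffff)
        csum->acc = (csum->acc & 0xffff) + (csum->acc >> 16);
}

// Returns the bitwise complement of the accumulator, truncated to 16 bits.
uint16_t csum_inet_digest(struct csum_inet* csum)
{
    return ~csum->acc;
}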
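// Issues one raw system call. Only the first six arguments are forwarded to
// syscall(); a6..a8 are accepted and ignored. The switch has no case besides
// default, so every syscall number takes the same path.
static uintptr_t execute_syscall(int nr, uintptr_t a0, uintptr_t a1, uintptr_t a2, uintptr_t a3, uintptr_t a4, uintptr_t a5, uintptr_t a6, uintptr_t a7, uintptr_t a8)
{
    switch (nr) {
    default:
        return syscall(nr, a0, a1, a2, a3, a4, a5);
    }
}

// One-time setup of the top-level process: ignore signals 0x20 and 0x21,
// install the fault handler, then create a fresh "./syzkaller.XXXXXX" working
// directory and chdir into it.
static void setup_main_process()
{
    struct sigaction sa;
    memset(&sa, 0, sizeof(sa));
    sa.sa_handler = SIG_IGN;
    // Raw rt_sigaction with an 8-byte signal-set size.
    // NOTE(review): presumably raw because glibc's sigaction() rejects these
    // two reserved signal numbers - confirm.
    syscall(SYS_rt_sigaction, 0x20, &sa, NULL, 8);
    syscall(SYS_rt_sigaction, 0x21, &sa, NULL, 8);
    install_segv_handler();

    char tmpdir_template[] = "./syzkaller.XXXXXX";
    char* tmpdir = mkdtemp(tmpdir_template);
    if (!tmpdir)
        fail("failed to mkdtemp");
    // mkdtemp() creates the directory 0700; this opens it to every local user.
    if (chmod(tmpdir, 0777))
        fail("failed to chmod");
    if (chdir(tmpdir))
        fail("failed to chdir");
}

static void loop();

// Best-effort confinement applied in the forked child: die with the parent,
// own process group and session, resource limits (128 MiB address space,
// 1 MiB file size, 1 MiB stack, no core dumps) and private mount/IPC
// namespaces. Every return value is deliberately ignored, so none of these
// restrictions is guaranteed to be in effect.
static void sandbox_common()
{
    prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
    setpgrp();
    setsid();

    struct rlimit rlim;
    rlim.rlim_cur = rlim.rlim_max = 128 << 20;
    setrlimit(RLIMIT_AS, &rlim);
    rlim.rlim_cur = rlim.rlim_max = 1 << 20;
    setrlimit(RLIMIT_FSIZE, &rlim);
    rlim.rlim_cur = rlim.rlim_max = 1 << 20;
    setrlimit(RLIMIT_STACK, &rlim);
    rlim.rlim_cur = rlim.rlim_max = 0;
    setrlimit(RLIMIT_CORE, &rlim);

    unshare(CLONE_NEWNS);
    unshare(CLONE_NEWIPC);
    unshare(CLONE_IO);
}

// Forks; the parent gets the child's pid (or fork()'s error value) back, the
// child applies sandbox_common() and enters loop(). Both parameters are
// unused. No credentials are dropped here, so the child keeps whatever
// privileges the caller had.
static int do_sandbox_none(int executor_pid, bool enable_tun)
{
    int pid = fork();
    if (pid)
        return pid;
    sandbox_common();
    loop();
    doexit(1);
}

// Recursively deletes `dir`. Entries that are busy are lazily unmounted
// (umount2 with MNT_DETACH) and retried; EROFS is tolerated. Unrecoverable
// errors end the process through exitf().
static void remove_dir(const char* dir)
{
    DIR* dp;
    struct dirent* ep;
    int iter = 0;
retry:
    dp = opendir(dir);
    if (dp == NULL) {
        if (errno == EMFILE) {
            // The original call passed no argument for %s, which is undefined
            // behaviour on this error path.
            exitf("opendir(%s) failed due to NOFILE, exiting", dir);
        }
        exitf("opendir(%s) failed", dir);
    }
    while ((ep = readdir(dp))) {
        if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0)
            continue;
        char filename[FILENAME_MAX];
        snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name);
        struct stat st;
        // lstat, not stat: symlinks are unlinked, never followed.
        if (lstat(filename, &st))
            exitf("lstat(%s) failed", filename);
        if (S_ISDIR(st.st_mode)) {
            remove_dir(filename);
            continue;
        }
        int i;
        for (i = 0;; i++) {
            debug("unlink(%s)\n", filename);
            if (unlink(filename) == 0)
                break;
            if (errno == EROFS) {
                debug("ignoring EROFS\n");
                break;
            }
            if (errno != EBUSY || i > 100)
                exitf("unlink(%s) failed", filename);
            debug("umount(%s)\n", filename);
            if (umount2(filename, MNT_DETACH))
                exitf("umount(%s) failed", filename);
        }
    }
    closedir(dp);

    int i;
    for (i = 0;; i++) {
        debug("rmdir(%s)\n", dir);
        if (rmdir(dir) == 0)
            break;
        if (i < 100) {
            if (errno == EROFS) {
                debug("ignoring EROFS\n");
                break;
            }
            if (errno == EBUSY) {
                debug("umount(%s)\n", dir);
                if (umount2(dir, MNT_DETACH))
                    exitf("umount(%s) failed", dir);
                continue;
            }
            if (errno == ENOTEMPTY) {
                // New entries appeared after the scan: rescan, at most 100 times.
                if (iter < 100) {
                    iter++;
                    goto retry;
                }
            }
        }
        exitf("rmdir(%s) failed", dir);
    }
}

// Monotonic clock reading in milliseconds.
static uint64_t current_time_ms()
{
    struct timespec ts;

    if (clock_gettime(CLOCK_MONOTONIC, &ts))
        fail("clock_gettime failed");
    return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}

static void test();

// Runs test() over and over, each time in a fresh child process and a fresh
// "./<iter>" directory. A child that has not exited after 5 seconds is
// SIGKILLed together with its process group. The directory is removed after
// every iteration. This function never returns; the program runs until it is
// killed from outside.
void loop()
{
    int iter;
    for (iter = 0;; iter++) {
        char cwdbuf[256];
        // Bounded formatting; the original used an unchecked sprintf().
        snprintf(cwdbuf, sizeof(cwdbuf), "./%d", iter);
        if (mkdir(cwdbuf, 0777))
            fail("failed to mkdir");
        int pid = fork();
        if (pid < 0)
            fail("clone failed");
        if (pid == 0) {
            prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
            setpgrp();
            if (chdir(cwdbuf))
                fail("failed to chdir");
            test();
            doexit(0);
        }
        int status = 0;
        uint64_t start = current_time_ms();
        for (;;) {
            int res = waitpid(-1, &status, __WALL | WNOHANG);
            if (res == pid)
                break;
            usleep(1000);
            if (current_time_ms() - start > 5 * 1000) {
                kill(-pid, SIGKILL);
                kill(pid, SIGKILL);
                while (waitpid(-1, &status, __WALL) != pid) {
                }
                break;
            }
        }
        remove_dir(cwdbuf);
    }
}

// Syscall results, indexed as in the generated program. Only r[0], r[1], r[2]
// and r[24] are written by test().
long r[25];

// The recorded syscall sequence. Reading the constants with their Linux
// x86-64 meanings:
//   1. mmap 4 KiB at 0x20000000, prot 0x1 (read-only), flags 0x32
//      (private | fixed | anonymous), fd -1.
//   2. socket(0xa, 0x3, 0x84): an IPv6 raw socket with protocol number 132.
//   3. mmap 4 KiB at 0x20004000, prot 0x3 (read/write), same flags.
//   4. copy a fixed 4092-byte payload to 0x20004000.
//   5. fill 28 bytes at 0x20000fe4 laid out like a sockaddr_in6: family 0xa,
//      port field 0x214e, flowinfo (the constant 0x100000001 is truncated to 1
//      by the uint32_t cast), address fd00::aa, scope id 8.
//   6. sendto(r[1], payload, 0xffc, flags 0x800, addr 0x20000fe4, len 0x1c).
// NOTE(review): the page at 0x20000000 is mapped read-only in step 1, so the
// stores in step 5 are expected to fault and be skipped by NONFAILING, which
// would leave the 28 address bytes zero when sendto runs - confirm against the
// original syzkaller program.
// The kernel report this reproducer was generated for is not part of this
// page, so the bug it targets is not described here.
void test()
{
    memset(r, -1, sizeof(r));
    r[0] = execute_syscall(__NR_mmap, 0x20000000ul, 0x1000ul, 0x1ul, 0x32ul, 0xfffffffffffffffful, 0x0ul, 0, 0, 0);
    r[1] = execute_syscall(__NR_socket, 0xaul, 0x3ul, 0x84ul, 0, 0, 0, 0, 0, 0);
    r[2] = execute_syscall(__NR_mmap, 0x20004000ul, 0x1000ul, 0x3ul, 0x32ul, 0xfffffffffffffffful, 0x0ul, 0, 0, 0);
    // Payload bytes exactly as emitted by the generator (4092 bytes).
    NONFAILING(memcpy(
        (void*)0x20004000,
        "\x68\x40\xcb\xaa\xc4\x83\x8e\x71\x71\xa3\xb6\xe9\x8e\xc5\x24\x77"
        "\x6f\xac\xc0\xf6\x22\x4e\xa3\x48\x5c\xfc\x44\xec\x74\x8a\xe0\xa7"
        "\xb2\xd8\x7d\x93\xef\xa3\x4d\xca\xae\xcc\x68\x73\xa4\x13\xd2\x35"
        "\xd0\x3d\x95\xbc\xf3\xe5\xb0\x40\xdf\x52\x00\x5e\xa0\xe7\xd2\x2c"
        "\x89\xb7\xff\x82\xc4\x23\x42\xe0\x21\xc9\xc0\xd1\xf6\xff\xa3\xf7"
        "\x9e\x6e\x9b\x39\x60\x78\x12\xe1\x56\x12\xa8\xad\x28\x69\xc6\xaa"
        "\x58\xf9\xd7\x55\xff\xc9\xa6\x5a\x87\x6d\xfb\x68\x61\xcc\x64\x76"
        "\xdd\x59\xeb\x78\xb0\xd6\x47\x72\xd0\xd9\xfb\x16\x15\x15\xda\xa2"
        "\xfd\xe0\x7e\x00\xf7\xf6\x58\x17\x85\x4e\xa8\xeb\x23\x27\xd6\x59"
        "\x6a\x70\x15\x17\x2f\x37\x9b\x12\x75\xcc\x8d\xe4\x42\x4d\x63\x9b"
        "\x30\x71\x0c\x6d\xe1\x8b\xa2\x02\xb5\x81\x98\x2c\x75\x8d\x2e\xfa"
        "\x88\x9d\x79\xae\x6e\xd5\x7a\x8c\x92\xb2\xce\x37\x7d\xf3\x80\x45"
        "\xf6\x55\xa3\x97\x0e\x5c\xbb\x42\x6d\xc5\xcc\xa6\x32\xf1\xaa\x63"
        "\x43\x44\x16\xd2\xc9\xe3\xc9\x33\xa0\x33\x7c\xaa\xca\x03\xe1\xdb"
        "\x36\xad\x6a\x63\x6e\x25\x57\x99\xde\x4b\x2c\xc7\xea\x05\x90\x40"
        "\xfa\xa9\x77\x18\xc8\x58\xaf\xc3\x87\x37\x23\x64\x00\xf7\x11\x6f"
        "\x1c\xfc\xc0\x79\x07\x4c\x5e\x37\x22\xd4\xbb\xc1\xb5\x55\xb9\x32"
        "\xa2\xf9\x85\x20\x3b\x8c\xe2\xb3\xb4\x01\x68\xf8\xda\x78\x46\x30"
        "\x13\x0d\x18\xf5\x45\x19\x1e\x47\x7a\x88\xeb\x1e\x40\x68\x97\xc1"
        "\x39\xeb\x17\xcc\xa0\x67\xa3\xfd\x3e\xc4\xbe\x3d\xd5\xee\x98\x08"
        "\x4d\x23\x98\x29\x5c\xb8\xab\x66\xd0\xd8\xb4\xed\xde\x0e\xde\xe0"
        "\x7d\xf1\xda\xe4\x5f\x2f\x50\x5d\x49\xdb\xa0\xb3\x3f\xb7\xf2\xcd"
        "\x95\x00\xb9\x6e\xfa\x91\x31\x64\x4d\xaa\x02\x39\x5a\x2c\x80\xfd"
        "\x05\x59\xe7\xd5\xf7\x94\x9c\x24\xb8\x44\x59\xec\xc6\xd4\x43\x95"
        "\x26\xb5\x5b\x94\x87\x17\xec\x62\x83\x32\xf4\x15\x0f\xfb\x5b\x58"
        "\xd5\xdd\x85\x3a\xde\xdb\xa4\x37\xc9\x5b\xc3\x7c\xcd\x07\x23\x41"
        "\xfb\x88\xac\x59\x90\x60\x9b\xf4\xd5\x5c\x39\x72\xda\x11\x4f\x11"
        "\x57\x47\xe5\x54\xbd\x36\x82\x94\x73\x32\x72\x8e\x8a\xa0\xc5\x97"
        "\x0f\xd2\x2a\xa5\x2c\xaa\xbd\xb0\x05\xea\x49\x14\xc9\x4b\xe0\x3b"
        "\x14\xbe\x37\x8a\xdf\xbe\x3f\x87\x79\x54\xb1\x90\x40\x89\xb0\x67"
        "\xdd\x0d\xc8\xe0\x97\x90\x5d\x21\xfe\xbf\x65\x7e\x6e\x43\xe8\x09"
        "\x6d\x4d\x7a\xb8\x77\xb7\xbf\x55\xc7\xd2\xe1\x15\xd5\xcc\x89\x87"
        "\x16\x16\x23\xa9\x38\x44\x5a\xba\x08\xae\xf5\x75\xcf\x8c\xc0\x1f"
        "\x16\xef\x56\x4f\x18\x7c\x0c\x26\x01\x98\xee\x07\x8d\xb0\xca\x5d"
        "\x49\x00\xcb\xc3\xff\x97\x60\x69\x50\x6e\x2c\x2d\xf6\x5e\x53\x6e"
        "\xe5\xae\x40\xb0\x1c\xc2\xec\x69\x97\xab\x02\xee\xf0\xa5\xd8\x48"
        "\x17\xa7\x43\x6d\x61\x2a\x8c\x8b\x77\xa1\xb7\x59\xd6\x81\x89\xcf"
        "\xc1\x80\x21\xc3\xc2\x39\x7f\xc1\xd0\x68\x1c\x09\xa0\xde\x1c\x47"
        "\x20\x48\x9b\x9e\x68\xee\xa0\xc1\x01\xff\xc5\x2f\x79\x63\x2f\x62"
        "\x79\x55\xf6\xdb\xbd\x9e\xd9\x8e\x60\x92\x96\x76\xc4\x3a\xd3\x33"
        "\xd6\x82\xec\xd7\x79\x45\x5f\x4a\xf1\x21\xb7\xfd\xff\x98\x0a\x14"
        "\xd2\xbb\x72\x4f\x79\x37\x58\xcb\xb5\x84\x91\x95\xfc\xe2\x27\xe5"
        "\x0f\xd4\x60\x49\x5d\x21\xbb\xc5\x00\x8a\x2c\xba\x7c\x71\xff\xc2"
        "\xaf\x97\xc1\x0c\xd1\xa3\x41\xf2\x06\x7d\x09\x61\xdc\xa1\xbc\xa7"
        "\x0a\x2f\x9c\xe4\x1e\x63\x91\x0a\x01\x6e\x9a\xd4\x5a\xee\x16\xa2"
        "\xf1\xfa\x4a\xda\x7c\x74\x1c\x8d\x8a\x01\x00\x5e\x29\xa4\xed\xde"
        "\x1b\x93\xbf\x2f\x80\x38\xd6\xc5\xd6\x22\x3f\xd5\xb8\x17\xe3\x1a"
        "\xd8\xf3\x25\xf7\x18\x33\xa3\xd2\xed\x8b\xa3\xa7\xcb\xd1\xde\x19"
        "\x7a\x7a\xba\x5b\x43\x19\xba\x75\xd7\x60\xfe\x56\xa2\x04\xc6\x12"
        "\x24\x8f\xc4\x92\x7e\xb3\xd1\xed\x6d\xd6\xe6\x73\x68\x50\xd2\xb6"
        "\x74\xb9\x87\x65\xac\xd4\xbe\x79\xeb\xcd\x3f\x20\xf8\x37\x14\x0d"
        "\xa2\x5f\xd3\x94\xa6\xc8\xcb\x00\x9c\xcd\x18\xf7\x31\xd7\x39\x8a"
        "\x1b\x50\x11\xaf\xd6\x74\x5b\xcb\xb5\xc3\x73\xec\xf4\x81\xe5\xd2"
        "\xf2\x8f\xbf\x0c\xc6\x10\xee\x14\xc2\x9a\x05\xb7\x50\xe8\xf1\xa5"
        "\xcb\x81\xfa\x28\x0f\x21\x71\xa1\x96\x8c\x2a\xd2\x5f\x5a\x10\xbf"
        "\x40\xa5\x69\xd7\x2a\x4b\xa1\x55\xc3\x6a\xf8\x9f\xa8\xc0\x94\x42"
        "\x6f\x92\x4b\x3c\xf5\xdb\xe6\x54\x17\x4c\xb1\xd7\xdf\x5b\xfc\x0d"
        "\x1e\xed\x4f\x8c\x3e\x1c\x42\x9d\x0e\xaf\x5f\x8c\xeb\x98\xa0\x57"
        "\x38\x6b\xe5\xcf\x07\x25\x9e\x28\xa4\x6a\x72\x6f\xa3\xda\xc2\xa4"
        "\xd6\xe9\xb9\xbf\x79\xae\x7f\x05\xa1\xa1\x3e\x6b\x71\x6e\x3e\x94"
        "\xc3\x68\x06\xbc\x9d\x03\x07\x8f\x9d\x09\xb6\x64\x8e\x5c\x9e\xc1"
        "\x01\xf2\x04\x93\x79\xba\x88\x49\x4e\x5a\x5b\x61\xa8\x9e\x83\x3c"
        "\x58\x4d\x8e\xd2\xf2\x68\xd7\xa0\xc0\x7e\x16\x10\x5a\x85\xfc\xc3"
        "\xbb\xa1\xcd\x9d\x0a\x24\x6f\xa0\x20\x9a\x9f\x0d\xdd\xdc\x58\xdf"
        "\xa3\x84\x4c\xb5\x57\xb3\x27\x78\x2e\x27\xfd\x7e\xb9\x1a\xe2\x35"
        "\x60\x60\xcf\x78\x91\xc6\xae\x2d\xa7\x49\xee\x89\xf6\x68\x9b\xd6"
        "\xe4\x4e\x35\xf1\x3c\x3b\x64\xd7\xd7\xb6\xea\xaf\xbe\x49\x8b\xe6"
        "\x75\xac\x44\x66\x23\xeb\x5b\x38\xcd\x9d\x5e\x7f\xaa\xa9\x9f\xf2"
        "\x1b\x6b\x40\x6a\x25\x04\xe9\xc9\xc0\x01\x4b\x86\x3a\x19\xe1\xa7"
        "\xd7\x96\x08\x89\x66\x96\xc9\x23\x9d\x96\xd8\x48\xb9\x7e\x08\xfc"
        "\xe9\x15\x39\xf8\x50\x20\xcb\xf7\xc2\xb8\x10\xd5\x44\x11\x07\x07"
        "\x95\x22\xd1\x13\xa5\x1b\x48\x72\x3a\x84\x93\xb7\x82\x29\xb8\x59"
        "\xc0\x0b\x69\x68\x6e\x8b\xb4\xf2\xc4\xf0\x97\xee\xfe\xfb\x2f\x7a"
        "\xf0\xaf\x42\x68\xfe\xe2\x45\x7d\xff\x19\x3b\xa1\x7d\xb7\xa3\x14"
        "\xb5\x62\x5b\xb0\xb7\xcb\xa8\xba\x3e\xc6\x08\x35\x0e\x74\x67\x62"
        "\xd8\x5a\x2f\xa8\x09\x87\xe6\x6e\x91\xc1\x73\x12\x4d\xc0\x21\xe2"
        "\xed\x72\x88\x22\xad\x1a\x70\x80\x05\x67\xd1\xb8\xcf\xa1\xd0\xb8"
        "\xea\xb9\x44\xc3\x5b\x77\x92\x68\x21\x34\x80\x7a\x9f\x62\x90\x74"
        "\x44\xed\xc9\x7e\xd9\xd8\x05\x7a\x6b\x06\x58\x5b\xf9\xb2\xb2\x56"
        "\xf8\xcb\x9c\x08\x09\x4a\x34\x8c\x24\x51\x13\x12\xf3\x81\x6a\x0c"
        "\x98\x1c\xeb\x2b\xbf\xc6\xea\x70\x2a\x4c\x54\x1b\x7f\xdc\x9f\x07"
        "\x76\x64\x91\x1e\x58\x99\xa5\x2e\xf5\x38\x88\xd9\x1f\x75\xc2\xed"
        "\x65\xfc\x44\xed\xdc\x23\xd1\xaf\x9c\x42\x1d\x49\x77\x0d\x0a\x8d"
        "\xd0\x2f\x29\xb1\x66\x59\xc9\xee\xd8\xd8\x14\x14\x54\xac\x27\xa7"
        "\x79\x34\xdb\xc4\x9f\xfa\xb0\x32\x5b\x0d\x73\x17\x96\x8e\xc3\x77"
        "\xe5\x40\x63\x58\x9d\xc8\xd6\xd7\x54\x63\xa9\x17\x58\x18\x32\x5c"
        "\x22\x92\xf1\x4c\xa2\x20\x0b\xa0\x84\x9c\xed\x7b\x4c\x80\x90\x2c"
        "\x8b\xad\xa7\xb7\xab\x22\x0d\x39\xcd\xa8\x2c\x78\x26\x16\xc8\x7b"
        "\xc1\x1c\x88\x7d\xe7\x64\x94\x34\x40\x79\xa5\x8c\xef\x97\x36\x5b"
        "\xb9\x93\xa0\x0f\x30\x39\x8c\x50\xbf\xdd\xe7\xc8\xc6\x38\x86\x4b"
        "\xca\x02\x5f\x19\xdc\x5a\xad\xfa\x41\x73\x06\x30\x22\x63\x8a\x95"
        "\xa3\x75\x6e\x21\xc1\xa6\xdf\x6a\x54\x44\x7e\x59\x1e\xff\x1a\x33"
        "\xe4\xd2\x83\x3e\xca\x7a\x29\x7d\xfa\xbb\x93\xd3\x6d\x5e\x7f\x62"
        "\x88\x56\x49\xb2\x6d\x4f\x70\x33\xea\xfd\x06\x79\x78\x64\xe3\x3f"
        "\x4a\x35\xf5\x3a\x9f\x41\xcc\xa9\xb5\xd3\x0b\x5f\xd6\x9c\x70\xaf"
        "\x62\x93\x7a\x08\x9b\x1b\x76\x14\x2a\xca\x93\x43\xf3\x9a\x0a\xeb"
        "\xc1\xdd\x9a\xa4\x2d\xa7\x73\xd8\xf6\x96\xc1\xb7\xed\xb5\x26\x41"
        "\xf6\x52\xdb\x64\xd9\x3f\xcb\x8c\x12\x69\xb8\xc6\x89\xbd\x71\x62"
        "\x70\x7d\x21\x2e\x21\x60\x28\x42\x37\xac\x9d\x17\x36\xbe\x37\xc3"
        "\xe0\x6a\x90\xbe\xa8\x64\x6c\x20\x0a\xf7\xa4\xc6\xe8\xfb\x49\x63"
        "\xdb\x5f\x02\x1b\x19\x3d\xf9\x89\x6d\xee\xe9\x6e\x9a\x50\x6f\xe3"
        "\x49\x47\xd2\xe6\xe9\x0e\x9a\xd1\xcc\xfa\x1b\x50\xf3\xef\x6e\x66"
        "\xfc\x32\xf6\xbb\x0b\xc5\x41\x05\xff\x52\xe2\x63\x31\x3b\x4e\x92"
        "\xbc\xf1\x0a\x83\x13\x50\x4d\xb3\xea\x73\x25\xe4\xe3\xe8\x56\x75"
        "\x7b\xc1\x9f\xe4\xf3\x0f\xf9\xe5\xef\xb8\x58\xea\xc2\xb1\xfc\x3e"
        "\x28\x05\x83\xab\x69\x43\x9d\x62\xd2\x9f\xf9\x50\x35\x8f\x89\x52"
        "\xc6\xf9\xfe\xc6\x14\x1a\x03\x4c\x52\x0b\x64\x22\xe2\xa8\xdf\x5e"
        "\xe1\xd3\x8b\xc5\xaf\xa6\x7d\x4a\x91\x1a\xbb\xbf\xae\x2b\x5f\x73"
        "\xab\xdc\x6d\xbf\x41\x8d\x9d\xa2\x23\x64\x19\xc2\x6b\x25\x06\xb0"
        "\x55\xb5\xe5\x28\x5a\x12\xed\x64\x02\x8e\x73\x16\xfc\x25\xb7\x3f"
        "\x6e\xf1\xbe\xb8\x3e\x21\x41\x34\x23\x82\xeb\x05\x75\xa7\xdf\xd4"
        "\xef\x8d\x9d\xf3\x1c\xe4\xbf\xcc\xc2\xf0\x74\x89\x17\x7a\xb0\x25"
        "\x11\xbd\x44\x32\xd3\x43\xd6\xb5\xda\x33\x00\xa1\xb8\x5b\xfc\xe2"
        "\x45\xf0\x86\xa4\x2c\x14\x16\x04\x9a\x6a\xa9\x0f\x77\x0f\x98\x13"
        "\xb4\x7e\x75\x89\x7f\x49\xbf\xd0\xf3\xe3\x21\x88\x67\x59\x75\x5b"
        "\x1b\xb5\x40\x7c\xa6\xb4\xc8\x4a\x76\xb7\x27\x3d\x7a\xc6\x32\x7b"
        "\xb1\xaa\xe8\x69\x97\xad\xdf\xd8\x26\x62\x53\x9e\x79\x9b\x51\x41"
        "\x2e\x77\x68\x0b\x66\x4d\xca\x1e\xdb\x80\x01\xdc\xf0\x05\x5d\x08"
        "\xff\x34\x72\x92\xac\xd4\x7f\xc5\x1d\x21\x15\x9a\x2c\x93\xf7\xe5"
        "\xcb\x8d\x50\x4e\x54\xb1\xf3\x37\x3e\x88\x2b\x02\xd9\xf4\x29\xb3"
        "\x8f\x01\xdf\xe7\xa6\xe4\x00\xe9\xf6\x07\xbc\x9d\xf1\xee\x75\x27"
        "\xa5\xa4\x72\x05\x3e\xbc\xfd\xd1\xbd\x04\xcd\xac\x97\xe9\x59\x76"
        "\x72\x03\xc9\x22\xa6\x19\x75\xf8\x6f\x45\xb6\x90\xdf\xf8\x06\x6e"
        "\x92\x29\x52\x9b\x8f\xeb\xf2\x57\xaf\xfb\x22\xbc\x3b\x15\x04\x02"
        "\xf0\xd2\x1f\x2e\xe6\xba\x47\x01\xe7\x7e\x96\x08\x40\x3f\x58\xeb"
        "\x21\x53\x94\x18\xe1\x4f\xc6\x6a\x4b\x4f\xdd\x3f\xd8\x34\xa1\xc7"
        "\xcc\xdd\x33\xcc\x8d\xee\x47\x2d\xdd\xa8\x1a\x62\xad\x33\x80\x71"
        "\xd3\x0e\x01\xef\xf2\xca\x72\x01\x12\x0b\x4b\xb2\x3d\xfb\xf2\xaa"
        "\xd6\x4f\xa6\x7a\x4d\xc9\xdf\x01\x3f\xc8\x20\x97\xec\xa2\x10\x54"
        "\x9a\x7f\xdf\x06\xd8\xb3\xae\x2b\xf9\x58\x8d\x1e\xa0\xd3\x8e\xe0"
        "\xb4\xc8\x2f\x50\x1f\x55\x92\x11\xbf\x2d\x3d\x17\x6d\xf6\x72\x20"
        "\x6a\xfe\x31\xe2\xd9\xef\x7d\xaa\xcd\xfa\x5c\x9a\xec\x4b\x99\xc0"
        "\x90\x11\xef\xe0\xbe\x72\x5d\x7d\x1d\x82\x17\xfd\xd9\xea\x75\x95"
        "\x0e\x2b\xb2\x83\x85\x0d\xc1\x09\xa2\xb9\xa6\x46\x38\x83\x86\x13"
        "\x1f\xc9\x1c\x96\xb3\xda\x26\xc0\xb5\x9d\x38\xef\x92\x17\x46\x53"
        "\x5a\xdb\x98\x4b\xd1\x77\x60\x91\x2f\xd6\xe7\x9f\x57\x9e\xf5\x68"
        "\x62\xed\xbc\x72\xaf\x7c\xf3\x2a\xe3\xdb\x9f\x62\xc0\x10\xb8\x09"
        "\x1d\x20\xbf\x87\x4b\x13\x04\x0a\xe1\x9a\xce\xa4\x98\x3a\x51\x50"
        "\x86\xa7\xc0\x8c\x42\x38\x46\x6b\xc0\xa6\x73\x67\xfd\x07\xcd\xa2"
        "\xbd\x45\xea\xb2\x31\x40\xeb\x42\xf2\x8b\x95\xa9\x7f\x4d\x5f\x02"
        "\xa0\x88\xe4\x5d\x61\xd0\xf0\xf1\xa9\x92\x5f\x54\xf8\x8a\xa8\xc0"
        "\xf3\xfb\x56\x32\x7f\x34\x6e\x31\x75\x0c\x62\x7a\xf0\x96\xb5\xd3"
        "\xac\xc0\x38\x88\x28\xda\x35\xb6\x23\xa3\x3a\xa0\xf1\xd5\x72\xc9"
        "\xcc\x50\x89\x9c\x0f\x2a\x51\x19\xcc\xd6\xf9\x4f\xf1\x36\x85\x47"
        "\x6a\xd1\xd4\x15\x09\xf5\x16\xc4\x0c\x76\x2d\x2e\x5a\x1d\x59\xd3"
        "\x7d\x62\x14\x56\x20\xcb\x14\x70\x1b\xfb\x88\xcf\xc3\x4c\x16\xbb"
        "\x31\x08\x3e\x20\x93\x75\x55\xd1\x90\x13\x1a\xf8\x43\xa7\x83\xe4"
        "\x96\x99\xf1\x89\x63\x0c\xb9\x94\x9f\x33\x43\x3a\x3c\x24\x36\xe0"
        "\x12\x28\xb7\x6f\x04\x1a\x24\xa1\x2d\xb9\xff\xd2\x42\xcc\x1f\x89"
        "\x4e\x2e\x05\x0b\xc5\x7e\x3e\x20\x6e\x91\x0c\x2e\x78\x89\x10\x87"
        "\x53\x53\x5e\x86\xc7\x5c\xc2\x9b\x3d\xa2\x5b\x5e\xa1\x35\x65\xcb"
        "\x04\xa6\x6d\x49\xaa\xca\xde\xc0\x2b\x5e\xac\xaf\xfe\x2a\x2b\xfb"
        "\xd1\xcf\x65\x18\x95\x91\x48\x54\x75\x51\x5e\x4e\xf9\xcd\xf9\x11"
        "\x1d\xa3\x6a\x62\x26\x77\xc6\x6a\xe2\x0a\x18\x19\x29\xf3\x8b\x69"
        "\xb3\x06\x8a\x56\x34\x2b\xeb\x2b\x6d\x34\x38\x47\x3f\xea\x7c\x80"
        "\xc8\xee\xb3\x26\xda\x0c\x56\x22\xeb\xc1\x83\x64\x6c\x5a\x0f\xcd"
        "\xd6\x2f\xd7\x96\x86\xb1\x06\x08\x63\x07\x25\xc2\x3d\x76\x32\x2b"
        "\x90\xf1\xd7\x38\x0f\x54\x07\x2f\x79\xd5\x94\x38\x49\x21\x3e\x38"
        "\xc2\xd3\xe2\xfd\x17\x7f\x1e\x64\x39\x31\xa9\x54\x68\x66\xbd\x5a"
        "\x78\x1f\xc5\x76\x45\x26\xac\xf2\xbb\xf0\x50\xd2\x8a\x4b\x4b\xe5"
        "\xcd\x96\x73\x30\xb6\x85\x22\xc1\x5f\x83\x66\xd8\x48\xf8\xa5\x18"
        "\x70\xbc\x6d\x63\x01\xfc\x4d\xc6\xc0\x2e\x33\x69\x44\x5e\x1f\x4a"
        "\xa6\x9d\x90\xfb\x11\x68\xcd\xfb\xef\xb2\x03\xc8\x0e\x1b\x38\x37"
        "\x0f\xc5\x20\x20\x70\x5a\xe0\xa1\x21\x6e\x53\xf2\x2d\xe5\x6e\x4f"
        "\xc2\xca\x66\x7e\x78\xab\x39\x97\x3c\xba\x96\xf0\x6d\xbd\x95\x09"
        "\xef\x13\x17\xa9\x39\x77\x1b\x36\xac\x79\x6b\x3d\xcd\x34\x76\xf6"
        "\xd8\xf4\xa8\x53\xd5\xa4\x7f\x7e\xe8\x8f\x29\xf9\xd0\x88\xdd\xaa"
        "\x07\x32\x59\x36\x39\x75\x87\xbc\xf4\xca\xc0\xfb\x31\x30\x16\x1a"
        "\x93\x33\xf7\x8d\x9e\x3d\xdb\x9e\xed\x68\x75\x19\xa6\x70\x4b\x95"
        "\xfa\x03\xb2\x3e\x07\x12\x3b\x15\x4f\xd2\xeb\x4b\x99\x92\x8e\x8a"
        "\x22\x0d\x83\x28\xd5\x84\xf5\xe3\xed\xf9\x08\xf2\x04\x9e\x88\x9a"
        "\x95\x66\x8a\x10\x63\xf6\x34\x8d\xe4\x13\x7b\x71\xca\xc6\xfe\x9c"
        "\x4a\xe5\x84\x66\x01\x00\xcd\x0b\xbf\x24\xb1\x15\x7b\xb3\xae\x69"
        "\xa8\x6f\x7b\xa8\x0e\xe7\x43\x35\xdf\x4a\xa7\x7d\x60\x32\xde\x95"
        "\x19\x4c\x64\x86\xb5\x03\x7f\xeb\x0b\x19\x38\x54\x48\x01\x2b\x5b"
        "\x59\x81\x5a\x2e\x11\x1b\x8a\xff\xff\x08\xd6\x42\x8e\xba\xb7\x44"
        "\x02\x38\xab\x08\xae\x8b\x91\x6c\x99\x2e\x58\x4e\xd9\x57\xee\x08"
        "\x2a\xb7\x48\xa5\x71\xa1\xc8\x15\x4c\xf4\x2d\xe6\x26\xa8\xfb\x46"
        "\xa0\x55\x1a\xce\x34\xf2\xed\xf7\x58\x1f\x82\x2b\xf3\xec\x1f\x13"
        "\x46\xfd\xd0\x0f\x2f\x7f\x99\x42\x08\x51\x2c\xf3\x5f\xc3\xee\xe4"
        "\xf8\x47\x4d\x49\xfa\xa5\x10\x03\x45\x5c\x0e\x45\xc8\x9f\xae\x3b"
        "\xa0\x4c\x66\x76\xa8\xc9\xc4\x06\x6e\x35\x09\x88\x27\xf3\x05\x00"
        "\xda\xc3\x29\x21\x9f\x4f\x3b\x27\xad\xda\xa8\xc5\x5a\x27\x08\xf4"
        "\x58\xed\x4b\xc9\x1e\xea\x14\x9b\x79\x71\x5e\xec\x45\xe7\x44\x0e"
        "\xb3\x46\x53\xed\xab\x8f\x47\x17\xcf\x0f\xc3\x04\xa2\xb4\x14\xad"
        "\xb4\x84\xbd\x5a\x99\x58\xd1\x7b\xd1\x31\xa3\xb2\x3e\xdd\x51\x5d"
        "\xbd\xb1\x72\xb7\x58\x2c\xb4\x69\xcf\x4f\xa4\x2d\x17\xb9\x1c\xdc"
        "\xb8\x27\x19\x48\xa7\x14\xa4\x64\x75\xf9\x27\x80\x7b\x14\x26\xdb"
        "\xed\xf4\xec\x51\x6c\x26\x92\x71\x30\x40\x72\x1d\xa6\x30\x91\x02"
        "\x42\xb8\x2e\x2f\x31\xdf\xc1\xf8\x6a\x6b\xd3\xaf\x40\xa6\xae\x80"
        "\x39\x0d\x87\x11\x39\x56\x3b\xb8\x86\x3e\x99\xa0\x4a\x5a\x43\xfc"
        "\x38\x83\xaf\x8a\xfe\x7c\x6d\x61\xf5\x24\x32\x61\x47\xd4\x6b\xde"
        "\x62\xe3\xd8\x8f\x59\xfc\x46\xf7\x34\x37\x4f\x16\x2c\x0b\x3b\x7f"
        "\x33\xb5\x5f\x85\x15\x04\xae\x7d\x2e\x1c\x93\xc4\xa9\xe8\x24\xc5"
        "\x38\x01\x4d\xcf\x56\x77\xaa\x2b\x1d\x71\xb7\x6a\x5c\x59\xd4\x8b"
        "\x37\x78\x8e\x29\x22\x3b\x21\x66\xcc\xec\x58\xcb\x4d\x31\x25\xe2"
        "\xe6\x29\xfa\xe7\x8f\x4d\xe4\xd3\x74\xb2\xa5\x95\x59\x1d\x1e\x66"
        "\x04\xbd\xbe\x92\x6f\xa7\x98\xcc\xf4\x95\x2e\x98\x91\x13\x84\x7c"
        "\xd1\x13\x7c\x1d\xfc\xcb\x8a\x24\x89\xd5\x0e\x52\x80\xcc\x0b\x75"
        "\xbd\x47\x27\x2a\x1d\xec\x15\xfb\x56\xe0\x43\xec\x24\x7a\x71\xaf"
        "\x92\xe8\xe9\x5c\x31\xec\xe6\x03\x4d\x7c\x3a\x6c\x07\x7d\x1e\x53"
        "\xd4\xd3\x66\xc3\x47\x8c\x30\x69\x85\x23\x02\xf0\xe9\x11\x04\xd7"
        "\x77\x1b\x03\x35\x05\xd3\xef\x0e\x35\x68\x21\x10\x70\xd4\xe7\x40"
        "\x71\xd5\x5b\xab\x2e\x74\x63\x60\xe3\x3a\x8c\x71\x62\x8e\xaf\xf5"
        "\xd1\x61\x7b\xef\xed\x26\x92\x8d\xf3\x9f\xf2\xf8\x09\x59\xbf\x2d"
        "\x0e\x47\x2a\x26\xc7\xf4\xe2\x86\x3c\xf0\x3b\xa4\x4d\xbd\x4b\x25"
        "\x35\x39\x45\xcd\x6c\x0c\x7e\xae\x61\xdf\x85\x7a\x20\x8b\x3b\xa8"
        "\x83\xeb\x4b\x8f\x24\x75\x6c\x8b\x8a\x72\x89\x33\x32\xd8\xe4\x66"
        "\x09\xbc\xac\x84\x0f\xf4\x5f\x5a\x5b\xfe\x16\x36\x00\xd0\x6e\x01"
        "\x45\xec\xf4\x3c\x86\x8e\x8a\x2b\x0b\xaf\xa8\x1a\xdc\x2a\xa8\x85"
        "\x65\xb8\x1c\x60\x86\xe2\x10\x6d\xa1\xdf\x32\x0e\x78\x57\x52\xcc"
        "\x35\xb4\xa9\x5c\xb6\x99\xad\x8a\x76\xc4\xee\x18\x9c\x3b\xee\xed"
        "\xd7\x9c\xff\x43\x2c\xa2\x26\x2c\x80\x05\x41\xa0\xcd\x78\x8d\x7e"
        "\x64\x41\x57\x0c\x03\x19\x4d\xe3\xdb\x4b\xf4\x34\x50\x10\x61\x20"
        "\x9f\xb0\xc6\x6c\x1e\x01\x14\x31\xfa\x4d\xe4\x08\xef\x7f\x1c\xaf"
        "\x33\x1a\xb8\xed\xbf\xc4\xe0\xd7\x18\xb6\xbb\x34\xfa\x7c\x12\xac"
        "\xcb\xd8\x16\x5c\x1c\x0b\xe3\x6d\x1b\xd9\x0b\x37\xd9\x44\x8d\xb7"
        "\xac\x62\xf8\x19\xdb\xcb\x2f\xee\x55\x7a\x70\x99\x30\xf6\x62\x16"
        "\x9b\x22\x1d\x60\x69\x58\x90\x75\xc5\x93\x68\xca\x8f\x98\x4c\xa5"
        "\x23\xdd\x91\xab\xff\xca\xd9\x5e\x43\x3f\xf0\x49\x04\x75\xd5\xc1"
        "\x04\x9b\xf6\xfa\xfb\x69\x9c\x10\x3b\x8b\x00\xe7\x98\x6b\x82\x07"
        "\xe3\x1c\x2a\x9a\xd9\x01\xc2\x0c\xfe\x51\x8b\x37\xdf\x4d\x68\x72"
        "\x73\x61\x34\xd6\xb5\x0e\x0b\xb1\x96\xff\xf5\xde\x59\x62\x6a\xff"
        "\xaa\xf2\x94\xde\x26\x3e\x88\x50\xe0\x04\x92\xc3\x57\x72\xe9\xf9"
        "\x5a\xf5\xa2\xa4\xbc\xd8\xdf\x3b\xda\x2e\xa0\xa1\xec\x4f\xb4\x9d"
        "\x8e\x23\x05\x53\x99\xb3\x58\xd5\x53\x83\x7f\x92\x4a\x26\xac\x5c"
        "\xf5\x31\x3e\x60\x62\x18\x00\xbb\x6b\x7d\xcd\x4f\x4b\x6e\x2d\xea"
        "\x3d\x94\xe8\x4d\x40\x47\xda\x7a\xd8\x75\x8f\x72\xb5\x27\xd7\x8b"
        "\xda\xbc\xc5\xe3\xb2\xf2\x52\x33\xc8\x0f\x64\x39\x72\xe0\x37\x27"
        "\x70\x86\x27\xfd\xbf\x9a\x04\x1c\x50\xb2\x66\x89\x75\x38\x57\xef"
        "\x62\x3c\xd1\xb1\x09\x4a\x11\x82\x1a\x2b\x62\x21\x40\x8b\x90\x95"
        "\xd5\xfe\x36\xdb\x71\xcc\x7e\x43\x4e\x8d\x12\x8d\xf1\x14\x44\x55"
        "\xb0\x81\xe9\x0f\x65\x69\xf0\xfd\x48\xd0\x20\x18\x8d\xce\x07\x4a"
        "\x24\x59\x02\x39\x98\x3e\x72\xb0\x5a\x73\xa5\x59\x68\xfe\x26\x74"
        "\xe0\xa7\x4a\x87\x67\xc0\x9f\xa3\xa0\xfb\x0f\xc9\xb6\x4e\x5d\x67"
        "\xd4\x59\xb5\x8d\x08\x02\x24\x84\x0b\xf4\x2b\xf9\xdd\x14\x14\x1e"
        "\xb8\xa0\xfb\x8d\x77\x8a\xee\x63\x33\x52\x91\x70\x15\x0f\xeb\x92"
        "\x09\x2c\xc6\x14\xe6\x10\x65\xf2\xf1\x7f\x78\x24\x62\x0a\x1a\x15"
        "\xf0\xcc\x78\x5c\x86\xbf\x05\x0f\x88\x38\xbe\x93\xb5\xfe\xa1\x3d"
        "\x46\xd9\x25\x7c\x62\xe6\x77\x91\xd4\x98\xef\xde\xf0\x5e\x39\xe1"
        "\x1b\xad\x28\x9a\xb1\x16\x4c\xbd\xb8\x02\x15\x02\x97\x3e\xb2\x5b"
        "\xce\xb5\xa0\xd0\x18\x1f\x39\xc2\x75\x67\xa0\x02\x30\x9b\x45\x86"
        "\xfe\x09\x12\xf2\x79\x2b\x40\x4b\x74\x46\x7c\x88\xeb\x0a\x54\xba"
        "\xa3\x20\x57\x05\x54\x44\x9f\x3c\xab\xa7\x21\x1b\x0c\x96\x94\x63"
        "\x24\x82\x62\x55\x59\xbe\xf6\x3c\x5a\x5d\xef\xb0\xfe\xf1\xcf\x5a"
        "\x77\x25\x4c\xe9\x58\x1e\x7e\xdc\xa6\x52\x43\x96\x11\x57\x47\x41"
        "\xe3\x1c\x0b\x36\xf2\x1f\xf5\x5f\x1b\x66\xe9\x67\x59\xe3\x39\x9c"
        "\xdc\x56\x79\x57\x40\x93\x76\x1c\x32\xc3\x45\x3f\x4c\xe8\x10\xf6"
        "\x4d\xf2\x5f\xbc\xbd\x82\x3a\x1f\x23\x80\x9c\x8a\xe4\x43\xe1\x79"
        "\x09\x5a\xdd\xa0\xa8\x12\xf3\x66\xc1\x37\xe8\xbd\x53\x7c\xbb\xdf"
        "\xe6\x23\x9c\x2f\xdb\xbf\x6a\xf2\xb5\x9b\x14\x72\xd1\xf5\x7d\x8a"
        "\xb6\x38\xb3\x4e\xa1\xb4\xa3\x7a\xee\x95\x30\x5f\xda\x18\x6f\xfc"
        "\x17\x9a\xc6\xd3\x8e\x1c\x34\x1f\xd2\xef\xfc\x1b\x78\xfa\xc3\x48"
        "\x38\x71\x8d\xba\x52\x57\x61\x07\x1a\xee\x86\x8c\xed\x28\xbb\xb6"
        "\x6a\x20\x88\xe2\x20\xca\x7e\x81\xcc\xfd\xb6\x51\x69\xf0\xc2\xc7"
        "\x77\xe8\xe5\x54\x27\xb5\xae\x5b\x8a\xf9\xd1\xee",
        4092));
    // Address block at 0x20000fe4 (see the function comment for the layout).
    NONFAILING(*(uint16_t*)0x20000fe4 = (uint16_t)0xa);
    NONFAILING(*(uint16_t*)0x20000fe6 = (uint16_t)0x214e);
    NONFAILING(*(uint32_t*)0x20000fe8 = (uint32_t)0x100000001);
    NONFAILING(*(uint8_t*)0x20000fec = (uint8_t)0xfd);
    NONFAILING(*(uint8_t*)0x20000fed = (uint8_t)0x0);
    NONFAILING(*(uint8_t*)0x20000fee = (uint8_t)0x0);
    NONFAILING(*(uint8_t*)0x20000fef = (uint8_t)0x0);
    NONFAILING(*(uint8_t*)0x20000ff0 = (uint8_t)0x0);
    NONFAILING(*(uint8_t*)0x20000ff1 = (uint8_t)0x0);
    NONFAILING(*(uint8_t*)0x20000ff2 = (uint8_t)0x0);
    NONFAILING(*(uint8_t*)0x20000ff3 = (uint8_t)0x0);
    NONFAILING(*(uint8_t*)0x20000ff4 = (uint8_t)0x0);
    NONFAILING(*(uint8_t*)0x20000ff5 = (uint8_t)0x0);
    NONFAILING(*(uint8_t*)0x20000ff6 = (uint8_t)0x0);
    NONFAILING(*(uint8_t*)0x20000ff7 = (uint8_t)0x0);
    NONFAILING(*(uint8_t*)0x20000ff8 = (uint8_t)0x0);
    NONFAILING(*(uint8_t*)0x20000ff9 = (uint8_t)0x0);
    NONFAILING(*(uint8_t*)0x20000ffa = (uint8_t)0x0);
    NONFAILING(*(uint8_t*)0x20000ffb = (uint8_t)0xaa);
    NONFAILING(*(uint32_t*)0x20000ffc = (uint32_t)0x8);
    r[24] = execute_syscall(__NR_sendto, r[1], 0x20004000ul, 0xffcul, 0x800ul, 0x20000fe4ul, 0x1cul, 0, 0, 0);
}

// Entry point: prepare the working directory and fault handler, fork the
// child that runs loop(), then wait for that child. Because loop() never
// returns on its own, the wait ends only when the child is killed or exits
// through fail()/exitf().
int main()
{
    setup_main_process();
    int pid = do_sandbox_none(0, false);
    int status = 0;
    while (waitpid(pid, &status, __WALL) != pid) {
    }
    return 0;
}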