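/*
 * syzkaller-style reproducer harness (x86-64 syscall numbers).
 *
 * main() forks a handful of worker processes; each one sets up a scratch
 * directory, drops into a setuid(nobody) sandbox and runs loop(), which
 * repeatedly forks a short-lived child that executes the fixed syscall
 * sequence in thr() on a set of pthreads, then tears the child's scratch
 * directory down. SIGSEGV/SIGBUS raised while poking the 0x20000000 scratch
 * mapping are recovered via NONFAILING() so a single bad access does not
 * abort the whole sequence.
 *
 * NOTE(review): the original #include list was lost in extraction (the
 * header names were stripped). The set below is reconstructed from the
 * identifiers this file actually uses — confirm against the generator's
 * output.
 */
#ifndef __NR_mmap
#define __NR_mmap 9
#endif
#ifndef __NR_socket
#define __NR_socket 41
#endif
#ifndef __NR_bind
#define __NR_bind 49
#endif
#ifndef __NR_setsockopt
#define __NR_setsockopt 54
#endif
#ifndef __NR_dup2
#define __NR_dup2 33
#endif
#ifndef __NR_sendto
#define __NR_sendto 44
#endif
#ifndef __NR_sendmsg
#define __NR_sendmsg 46
#endif
/* Emitted by the generator; redefining a predefined macro is only a warning on GCC. */
#define __STDC_VERSION__ 201112L
#define _GNU_SOURCE
#include <dirent.h>
#include <errno.h>
#include <grp.h>
#include <pthread.h>
#include <sched.h>
#include <setjmp.h>
#include <signal.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/prctl.h>
#include <sys/resource.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

/* Exit statuses reported back to the executor (see fail()/exitf()). */
const int kFailStatus = 67;
const int kErrorStatus = 68;
const int kRetryStatus = 69;

/*
 * Terminate the whole thread group with `status` via exit_group(2).
 * The trailing loop only exists so the function provably never returns
 * should the syscall somehow come back.
 */
__attribute__((noreturn)) void doexit(int status)
{
    volatile unsigned i;
    syscall(__NR_exit_group, status);
    for (i = 0;; i++) {
    }
}

/*
 * Report a fatal error: printf-style `msg` plus the errno captured on entry,
 * then exit. ENOMEM maps to kRetryStatus so the executor retries the run
 * instead of recording a failure; everything else maps to kFailStatus.
 */
__attribute__((noreturn, format(printf, 1, 2))) void fail(const char* msg, ...)
{
    int e = errno; /* capture before fflush/vfprintf can clobber it */
    fflush(stdout);
    va_list args;
    va_start(args, msg);
    vfprintf(stderr, msg, args);
    va_end(args);
    fprintf(stderr, " (errno %d)\n", e);
    doexit(e == ENOMEM ? kRetryStatus : kFailStatus);
}

/*
 * Like fail(), but always exits with kRetryStatus: used for environmental
 * problems (e.g. directory cleanup) that are not the program's fault.
 */
__attribute__((noreturn, format(printf, 1, 2))) void exitf(const char* msg, ...)
{
    int e = errno;
    fflush(stdout);
    va_list args;
    va_start(args, msg);
    vfprintf(stderr, msg, args);
    va_end(args);
    fprintf(stderr, " (errno %d)\n", e);
    doexit(kRetryStatus);
}

/* Nothing in this file sets flag_debug, so debug() output is off unless a build patches it. */
static int flag_debug;

/* printf-style trace to stdout, emitted only when flag_debug is non-zero. */
__attribute__((format(printf, 1, 2))) void debug(const char* msg, ...)
{
    if (!flag_debug)
        return;
    va_list args;
    va_start(args, msg);
    vfprintf(stdout, msg, args);
    va_end(args);
    fflush(stdout);
}

/* Per-thread recovery state used by NONFAILING() and segv_handler(). */
__thread int skip_segv;     /* >0 while inside a NONFAILING() region */
__thread jmp_buf segv_env;  /* longjmp target set by NONFAILING() */

/*
 * SIGSEGV/SIGBUS handler. Faults are recoverable only when the current
 * thread is inside NONFAILING() *and* the faulting address lies outside the
 * [1MiB, 100MiB] window the program itself is assumed to occupy; in that
 * case control returns to the enclosing _setjmp(). Any other fault — a
 * genuine crash of the harness — exits with the signal number as status.
 * The handler is installed with SA_NODEFER, so the signal is not left
 * blocked after the longjmp.
 */
static void segv_handler(int sig, siginfo_t* info, void* uctx)
{
    uintptr_t addr = (uintptr_t)info->si_addr;
    const uintptr_t prog_start = 1 << 20;
    const uintptr_t prog_end = 100 << 20;
    if (__atomic_load_n(&skip_segv, __ATOMIC_RELAXED) && (addr < prog_start || addr > prog_end)) {
        /* %p needs a pointer argument; passing the raw uintptr_t was UB. */
        debug("SIGSEGV on %p, skipping\n", (void*)addr);
        _longjmp(segv_env, 1);
    }
    debug("SIGSEGV on %p, exiting\n", (void*)addr);
    doexit(sig);
    for (;;) {
    }
}

/* Route SIGSEGV and SIGBUS through segv_handler(). Failures are ignored (best effort). */
static void install_segv_handler(void)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof(sa));
    sa.sa_sigaction = segv_handler;
    sa.sa_flags = SA_NODEFER | SA_SIGINFO;
    sigaction(SIGSEGV, &sa, NULL);
    sigaction(SIGBUS, &sa, NULL);
}

/*
 * Run the statements in __VA_ARGS__ with fault recovery: a SIGSEGV/SIGBUS
 * inside them (outside the program window, see segv_handler) unwinds to the
 * _setjmp() here and execution continues after the macro. skip_segv is a
 * counter so nested regions compose.
 */
#define NONFAILING(...)                                              \
    do {                                                             \
        __atomic_fetch_add(&skip_segv, 1, __ATOMIC_SEQ_CST);         \
        if (_setjmp(segv_env) == 0) {                                \
            __VA_ARGS__;                                             \
        }                                                            \
        __atomic_fetch_sub(&skip_segv, 1, __ATOMIC_SEQ_CST);         \
    } while (0)

/* Mask of the low bf_len bits, as `type`. */
#define BITMASK_LEN(type, bf_len) (type)((1ull << (bf_len)) - 1)
/* BITMASK_LEN shifted up by bf_off. */
#define BITMASK_LEN_OFF(type, bf_off, bf_len) (type)(BITMASK_LEN(type, (bf_len)) << (bf_off))
/*
 * Store `val` into the bit-field [bf_off, bf_off+bf_len) of the `type` at
 * `addr`; with bf_off == bf_len == 0 the whole object is overwritten.
 * Unused by this particular program but part of the generator's runtime.
 */
#define STORE_BY_BITMASK(type, addr, val, bf_off, bf_len)                        \
    do {                                                                         \
        if ((bf_off) == 0 && (bf_len) == 0) {                                    \
            *(type*)(addr) = (type)(val);                                        \
        } else {                                                                 \
            type new_val = *(type*)(addr);                                       \
            new_val &= ~BITMASK_LEN_OFF(type, (bf_off), (bf_len));               \
            new_val |= ((type)(val)&BITMASK_LEN(type, (bf_len))) << (bf_off);    \
            *(type*)(addr) = new_val;                                            \
        }                                                                        \
    } while (0)

/*
 * Dispatch a raw syscall. Only the first six arguments reach syscall(2);
 * a6..a8 are accepted for interface compatibility with the generator and
 * ignored. Returns syscall()'s result (so -1 with errno set on failure).
 */
static uintptr_t execute_syscall(int nr, uintptr_t a0, uintptr_t a1, uintptr_t a2, uintptr_t a3,
                                 uintptr_t a4, uintptr_t a5, uintptr_t a6, uintptr_t a7, uintptr_t a8)
{
    (void)a6;
    (void)a7;
    (void)a8;
    switch (nr) {
    default:
        return syscall(nr, a0, a1, a2, a3, a4, a5);
    }
}

/*
 * One-time per-worker setup: ignore signals 32 and 33 (presumably the
 * libc-internal real-time signals, which sigaction() itself refuses to
 * touch — hence the raw rt_sigaction call), install the fault handler, and
 * move into a fresh world-writable scratch directory. 0777 so the child
 * that later drops to uid 65534 (see do_sandbox_setuid) can still create
 * per-iteration subdirectories here.
 */
static void setup_main_process(void)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof(sa));
    sa.sa_handler = SIG_IGN;
    syscall(SYS_rt_sigaction, 0x20, &sa, NULL, 8);
    syscall(SYS_rt_sigaction, 0x21, &sa, NULL, 8);
    install_segv_handler();
    char tmpdir_template[] = "./syzkaller.XXXXXX";
    char* tmpdir = mkdtemp(tmpdir_template);
    if (!tmpdir)
        fail("failed to mkdtemp");
    if (chmod(tmpdir, 0777))
        fail("failed to chmod");
    if (chdir(tmpdir))
        fail("failed to chdir");
}

static void loop(void);

/*
 * Containment applied to every sandbox child: die with the parent, own
 * session/process group, tight resource limits (128MiB address space, 1MiB
 * files and stack, no core dumps) and private mount/IPC/IO namespaces.
 * All calls are best effort; their return values are deliberately ignored.
 */
static void sandbox_common(void)
{
    prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
    setpgrp();
    setsid();
    struct rlimit rlim;
    rlim.rlim_cur = rlim.rlim_max = 128 << 20;
    setrlimit(RLIMIT_AS, &rlim);
    rlim.rlim_cur = rlim.rlim_max = 1 << 20;
    setrlimit(RLIMIT_FSIZE, &rlim);
    rlim.rlim_cur = rlim.rlim_max = 1 << 20;
    setrlimit(RLIMIT_STACK, &rlim);
    rlim.rlim_cur = rlim.rlim_max = 0;
    setrlimit(RLIMIT_CORE, &rlim);
    unshare(CLONE_NEWNS);
    unshare(CLONE_NEWIPC);
    unshare(CLONE_IO);
}

/*
 * Fork a sandbox child that drops all supplementary groups and switches to
 * uid/gid 65534 (nobody) before running loop(); the child never returns.
 * Returns the child's pid to the parent. executor_pid and enable_tun are
 * unused by this sandbox flavour but kept for interface compatibility.
 * A failed fork() is now fatal instead of being returned as -1.
 */
static int do_sandbox_setuid(int executor_pid, bool enable_tun)
{
    (void)executor_pid;
    (void)enable_tun;
    int pid = fork();
    if (pid < 0)
        fail("fork failed");
    if (pid)
        return pid;
    sandbox_common();
    const int nobody = 65534;
    if (setgroups(0, NULL))
        fail("failed to setgroups");
    if (syscall(SYS_setresgid, nobody, nobody, nobody))
        fail("failed to setresgid");
    if (syscall(SYS_setresuid, nobody, nobody, nobody))
        fail("failed to setresuid");
    loop();
    doexit(1);
}

/*
 * Recursively delete `dir`. Entries that are busy are lazily unmounted
 * (MNT_DETACH) and retried up to 100 times; EROFS is tolerated; if rmdir
 * reports ENOTEMPTY (something appeared mid-scan) the whole scan restarts,
 * up to 100 times. Any other failure exits with kRetryStatus via exitf().
 */
static void remove_dir(const char* dir)
{
    DIR* dp;
    struct dirent* ep;
    int iter = 0;
retry:
    dp = opendir(dir);
    if (dp == NULL) {
        if (errno == EMFILE) {
            /* The %s previously had no argument (undefined behaviour). */
            exitf("opendir(%s) failed due to NOFILE, exiting", dir);
        }
        exitf("opendir(%s) failed", dir);
    }
    while ((ep = readdir(dp))) {
        if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0)
            continue;
        char filename[FILENAME_MAX];
        snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name);
        struct stat st;
        if (lstat(filename, &st))
            exitf("lstat(%s) failed", filename);
        if (S_ISDIR(st.st_mode)) {
            remove_dir(filename);
            continue;
        }
        for (int i = 0;; i++) {
            debug("unlink(%s)\n", filename);
            if (unlink(filename) == 0)
                break;
            if (errno == EROFS) {
                debug("ignoring EROFS\n");
                break;
            }
            if (errno != EBUSY || i > 100)
                exitf("unlink(%s) failed", filename);
            debug("umount(%s)\n", filename);
            if (umount2(filename, MNT_DETACH))
                exitf("umount(%s) failed", filename);
        }
    }
    closedir(dp);
    for (int i = 0;; i++) {
        debug("rmdir(%s)\n", dir);
        if (rmdir(dir) == 0)
            break;
        if (i < 100) {
            if (errno == EROFS) {
                debug("ignoring EROFS\n");
                break;
            }
            if (errno == EBUSY) {
                debug("umount(%s)\n", dir);
                if (umount2(dir, MNT_DETACH))
                    exitf("umount(%s) failed", dir);
                continue;
            }
            if (errno == ENOTEMPTY) {
                if (iter < 100) {
                    iter++;
                    goto retry;
                }
            }
        }
        exitf("rmdir(%s) failed", dir);
    }
}

/* Monotonic clock in milliseconds; fatal if clock_gettime fails. */
static uint64_t current_time_ms(void)
{
    struct timespec ts;
    if (clock_gettime(CLOCK_MONOTONIC, &ts))
        fail("clock_gettime failed");
    return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}

static void test(void);

/*
 * Endless reproduction loop. Each iteration creates "./<iter>", forks a
 * child that chdirs into it and runs test(), then polls for the child with
 * a 5 s budget; on timeout the child's process group and the child itself
 * are SIGKILLed and reaped. The scratch directory is removed afterwards.
 */
static void loop(void)
{
    for (int iter = 0;; iter++) {
        char cwdbuf[256];
        snprintf(cwdbuf, sizeof(cwdbuf), "./%d", iter);
        if (mkdir(cwdbuf, 0777))
            fail("failed to mkdir");
        int pid = fork();
        if (pid < 0)
            fail("clone failed");
        if (pid == 0) {
            prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
            setpgrp();
            if (chdir(cwdbuf))
                fail("failed to chdir");
            test();
            doexit(0);
        }
        int status = 0;
        uint64_t start = current_time_ms();
        for (;;) {
            int res = waitpid(-1, &status, __WALL | WNOHANG);
            if (res == pid)
                break;
            usleep(1000);
            if (current_time_ms() - start > 5 * 1000) {
                kill(-pid, SIGKILL);
                kill(pid, SIGKILL);
                while (waitpid(-1, &status, __WALL) != pid) {
                }
                break;
            }
        }
        remove_dir(cwdbuf);
    }
}

/* Syscall results, indexed by the generator's resource numbers; -1-filled by test(). */
long r[103];

/*
 * Thread body: `arg` selects one step of the generated program. Steps share
 * the anonymous mapping created in case 0 at 0x20000000 (0x26000 bytes,
 * prot 3, flags 0x32), which is why every store is wrapped in NONFAILING()
 * — if case 0 has not run yet on this process the store faults and is
 * skipped rather than crashing. r[1] is the socket from case 1 and r[16]
 * its dup2() copy from case 4; later steps consume them.
 */
void* thr(void* arg)
{
    switch ((long)arg) {
    case 0:
        /* Scratch mapping for all following argument structures. */
        r[0] = execute_syscall(__NR_mmap, 0x20000000ul, 0x26000ul, 0x3ul, 0x32ul, 0xfffffffffffffffful, 0x0ul, 0, 0, 0);
        break;
    case 1:
        r[1] = execute_syscall(__NR_socket, 0x2ul, 0x1ul, 0x0ul, 0, 0, 0, 0, 0, 0);
        break;
    case 2:
        /* 16-byte sockaddr at 0x2000cff0: family 2, port 0x234e, addr 0xffffffff, zero padding. */
        NONFAILING(*(uint16_t*)0x2000cff0 = (uint16_t)0x2);
        NONFAILING(*(uint16_t*)0x2000cff2 = (uint16_t)0x234e);
        NONFAILING(*(uint32_t*)0x2000cff4 = (uint32_t)0xffffffff);
        NONFAILING(*(uint8_t*)0x2000cff8 = (uint8_t)0x0);
        NONFAILING(*(uint8_t*)0x2000cff9 = (uint8_t)0x0);
        NONFAILING(*(uint8_t*)0x2000cffa = (uint8_t)0x0);
        NONFAILING(*(uint8_t*)0x2000cffb = (uint8_t)0x0);
        NONFAILING(*(uint8_t*)0x2000cffc = (uint8_t)0x0);
        NONFAILING(*(uint8_t*)0x2000cffd = (uint8_t)0x0);
        NONFAILING(*(uint8_t*)0x2000cffe = (uint8_t)0x0);
        NONFAILING(*(uint8_t*)0x2000cfff = (uint8_t)0x0);
        r[13] = execute_syscall(__NR_bind, r[1], 0x2000cff0ul, 0x10ul, 0, 0, 0, 0, 0, 0);
        break;
    case 3:
        /* setsockopt(level 1, optname 8) with a 4-byte zero. */
        NONFAILING(*(uint32_t*)0x20012000 = (uint32_t)0x0);
        r[15] = execute_syscall(__NR_setsockopt, r[1], 0x1ul, 0x8ul, 0x20012000ul, 0x4ul, 0, 0, 0, 0);
        break;
    case 4:
        r[16] = execute_syscall(__NR_dup2, r[1], r[1], 0, 0, 0, 0, 0, 0, 0);
        break;
    case 5:
        /* Zero-length sendto with a second 16-byte sockaddr at 0x20012ff0 (addr 0). */
        NONFAILING(*(uint16_t*)0x20012ff0 = (uint16_t)0x2);
        NONFAILING(*(uint16_t*)0x20012ff2 = (uint16_t)0x234e);
        NONFAILING(*(uint32_t*)0x20012ff4 = (uint32_t)0x0);
        NONFAILING(*(uint8_t*)0x20012ff8 = (uint8_t)0x0);
        NONFAILING(*(uint8_t*)0x20012ff9 = (uint8_t)0x0);
        NONFAILING(*(uint8_t*)0x20012ffa = (uint8_t)0x0);
        NONFAILING(*(uint8_t*)0x20012ffb = (uint8_t)0x0);
        NONFAILING(*(uint8_t*)0x20012ffc = (uint8_t)0x0);
        NONFAILING(*(uint8_t*)0x20012ffd = (uint8_t)0x0);
        NONFAILING(*(uint8_t*)0x20012ffe = (uint8_t)0x0);
        NONFAILING(*(uint8_t*)0x20012fff = (uint8_t)0x0);
        r[28] = execute_syscall(__NR_sendto, r[1], 0x2000afdful, 0x0ul, 0x2000c011ul, 0x20012ff0ul, 0x10ul, 0, 0, 0);
        break;
    case 6:
        /* setsockopt(level 1, optname 7) with the 4-byte value 0xc38. */
        NONFAILING(*(uint32_t*)0x2001fffc = (uint32_t)0xc38);
        r[30] = execute_syscall(__NR_setsockopt, r[1], 0x1ul, 0x7ul, 0x2001fffcul, 0x4ul, 0, 0, 0, 0);
        break;
    case 7:
        /* 3840 bytes of generator payload at 0x2001b000, sent with flags 0x40000 and a zero-length address. */
        NONFAILING(memcpy((void*)0x2001b000, "\xb1\x05\x0b\xc4\xd8\x77\x1f\xdd\x61\xdc\x86\xd9\x4a\xd2\x0a\xc6\xda\xad\xc8\x05\x63\x24\x93\xc8\xf8\x97\xee\x3a\x47\x3b\xec\xc6\xe8\xec\xa8\xa4\x50\x28\xe0\x65\x5c\x32\x66\xc1\x7e\x1b\x93\x17\x5a\x97\xbf\x1a\x43\xb0\x44\x37\x72\x2f\xcf\x0b\x6f\xbe\x0f\x25\xdc\x1d\x8f\xd0\x40\xfe\x4b\x46\x18\xe1\xba\x79\x12\x3c\xef\x09\x25\xd4\xaf\xac\x48\x25\xa8\x02\xdb\x36\x3c\x83\xda\xa4\xff\xcf\x14\x92\x84\x48\x5e\x13\xf5\x70\xc2\x33\x4b\x1c\xbf\x8c\x52\x8c\x5e\x0e\x76\x67\x4a\x20\x95\x05\x08\x6e\x04\x64\xc8\xbb\xfb\xf9\xeb\xd0\xf5\xfe\x8b\x7d\x58\xc1\x8f\x20\xaa\x7a\x20\x0e\x53\xf8\x48\x9c\x8d\x53\x50\x70\x39\x67\x1b\xdc\x63\x69\xc3\xa5\x80\xa2\x91\xea\x3d\x36\x83\x0f\x09\xa2\xcc\x64\xbd\x05\x35\x6d\x4b\x3b\x43\xd5\xd0\xf1\x61\x97\x35\xf4\x8b\x9a\xac\x54\x1a\xa7\x82\x19\x68\xb0\x6e\xda\x5f\x8f\xf5\x99\x67\x33\x7b\x35\xbc\x33\xd7\xb0\x7b\x0c\xa1\x05\xa3\x00\x9c\x78\xd5\x12\x04\xe0\x70\x15\x03\xde\xc3\xf0\xe5\x64\x38\x56\x33\x2a\x13\xc6\x3e\x58\x85\x54\xca\xb3\xe8\xaa\x91\xf8\x66\x37\xa2\x47\x64\x72\x99\x90\x3c\x41\x9c\x9d\x19\xe3\xc1\xca\xab\x5e\x56\xe0\x4a\x1a\x9c\x7f\x83\xbe\x56\x43\xde\x02\x00\xe8\x17\xa3\xc6\xe9\x6c\x6a\x1e\xb9\x56\xa1\x29\x5f\x21\x45\x37\x8b\x12\x92\xee\x0b\x1b\x6d\x37\x37\x24\xd2\x93\xf2\x5e\x08\xd7\x29\x40\xae\x2a\x77\xfb\x35\x3e\x4d\xb9\xd2\x5e\xc9\x4a\xb5\xba\x6f\x7d\x41\x77\xe6\x89\xfb\xa7\xf3\x25\x45\xa5\x43\xb1\x2a\x82\x06\x36\x16\x5d\xa9\xf8\x7a\x33\xab\x48\xbd\x47\xc3\x48\xec\xa8\xb0\x3f\xc6\x5a\x6c\xb6\x98\xbf\x2b\x06\xe9\xd3\x1c\x00\x60\x75\xfb\xdb\xd7\xb2\x1d\x2c\x73\x3d\xbe\x7a\x31\x24\x57\x88\xb0\xa0\x14\xd1\x1f\xad\xa5\x53\x28\xbb\x49\xa2\xd8\x92\x48\x00\x27\x2c\x88\x8d\x52\xc4\xc7\x72\xeb\xff\x9b\x09\x57\x66\x77\xc1\x19\x7e\xc7\xf2\xc6\xe7\x62\x1b\x74\x04\x59\x05\x2e\x2c\x88\x8c\x7f\x9b\xc4\xf1\xc1\x86\xeb\x20\x9f\x6f\x92\xe6\x2f\x85\xeb\x0c\x9e\x91\xa0\x0a\xb9\xc8\x63\x2e\x21\x3b\xcd\xdb\x3c\x0a\x41\xff\x1e\x6d\x2a\x7a\xde\xd2\x08\x87\xef\xec\x4c\xd7\x2a\xc8\xfe\xe3\x71\xaf\xbc\x29\x4b\x7e\xe2\x78\xbf\x0a\x67\x97\xb0\x2e\x97\xda\x58\xd2\xb2\xeb\x92\x3f\x0e\x35\x33\xc1\x8f\x66\x47\x86\x58\x4a\xee\x27\xe6\xc4\x5f\x22\x44\x1c\xc9\x98\x05\xa4\x9f\x5e\x39\xf3\xc6\x09\x61\xe7\xf7\x43\xce\x28\xb1\xec\xf3\xd1\x59\x3e\xec\x4e\x9e\x55\x5a\x74\x89\xb3\x61\x6e\x7b\x92\x3c\x8c\x4e\x8c\x64\x20\x33\x8d\xf1\x09\x09\x26\x2b\x48\x01\xc7\xdf\x98\x20\x70\xec\x30\x97\x49\x4c\xe7\x39\xb1\x8a\xcb\x52\x2e\x45\x20\xee\xf5\x17\x98\x2c\x05\xe9\x45\x90\xf1\xed\x4b\xc1\x1f\x0f\x85\x49\x8b\x57\x49\xbd\xee\x5a\x7e\x55\xf3\xbf\x86\x7e\x54\x7d\x7e\x52\x84\x22\x70\x10\xf1\x0b\xd4\xd3\x8f\x53\x04\xa5\xd2\x07\x67\xf2\xb0\xbc\x09\xa9\x04\xc5\x24\xbb\x3c\x0e\x50\x92\x35\xbb\xd9\x0e\x49\x7e\xef\x48\xca\xe4\xc4\x15\x56\x20\xd5\x23\x34\x2b\x08\xb1\xfd\x6e\x66\x90\xf8\x6d\x87\xd9\x98\xdc\xa9\x2d\x65\x11\xd8\xf8\x61\x8b\x4b\x70\xc6\xc7\xed\x9a\xc8\xc3\x99\x57\xf8\xde\xfe\x04\xfe\x40\x1a\x11\xc7\xf9\xd8\xe6\x31\x49\x1e\x6c\xbc\x2f\x1e\x38\xbb\xe4\xfa\x83\x06\xdc\xc1\x9f\xbf\xd0\xd1\x33\x86\x03\x88\xd7\x35\xf6\x12\xf4\x1c\xf8\xa8\xd3\xa0\x61\x29\x31\x69\x0c\x5b\x2b\x22\x10\x9b\x70\xc4\x00\x2d\x63\xb3\x99\xbf\xdc\x29\xcd\x0d\x17\x52\xbf\x82\x17\x8e\x55\xc1\xf4\x34\x0b\x72\xf3\x39\xf6\xfd\xb1\x82\xc9\x2d\x1a\xe0\x89\x7d\xfa\x54\xad\xde\xc9\x1d\xb2\xad\x27\xb9\xc7\xea\x61\xa1\x68\xf0\xdd\x90\xab\x02\xa4\xe7\xa9\x27\xa8\x0a\xba\xf8\xef\xa4\xf8\x5b\x10\x01\x88\x73\x73\x5c\x02\x52\x8f\x2c\x4f\x55\x06\x97\xc5\x48\x3d\x34\x3a\xf1\x87\x59\x4d\x33\x63\xd3\x58\x96\xc1\x90\xaf\x84\x8a\x80\x15\xfd\x65\xe3\x6b\x87\xbd\x8b\x0e\xfb\x5a\xf6\xb0\x48\x9b\x70\x3b\x08\xe8\x40\xa3\xce\xdb\x8c\x6a\x5a\x49\xa5\x06\xfe\x44\x3f\x5f\x29\xa4\x38\xaa\x1e\xa7\xb2\xa6\x67\xa7\x9b\x04\x9e\xc3\xdf\xaa\xc1\x3b\xdc\xf6\xd9\xfb\xe4\x0e\xc4\xe1\xd2\x44\x74\x4e\x33\x38\x44\x8f\xe0\xef\x8d\x38\xd7\x93\x33\xaa\xb7\x47\x26\x3c\xfc\xe0\x1b\x7d\x17\x59\x70\xad\xf5\xaf\x99\xe9\x96\x2f\x83\xe4\x83\x90\x57\xdc\xd9\xad\xce\x20\xbb\xa9\x77\xf4\x20\x05\x8e\x47\x07\x7e\x5b\x58\x83\xfe\xc8\xd1\x21\xff\xa0\x8f\x0c\xa2\xd0\x8a\x04\x5d\xbd\x5b\x2a\x36\x60\x43\x90\x44\x94\x9b\x97\xd7\xfb\x6e\x45\x12\xf9\x8d\x7d\x29\xdc\x1a\x1f\x36\x1d\x3e\x7d\xaa\x4a\x6c\x9b\x13\x4d\x28\xcd\x72\x64\xc1\xa2\xe3\x2a\x19\x38\xb6\xc7\x14\xc6\xcf\x0e\xc3\x35\x2e\xfc\x39\x9f\xde\x3e\x1d\xdc\x80\x17\x48\xe0\x55\xab\xe1\x85\x20\x26\x82\x9d\x8f\x68\xbe\xbb\xea\x43\x45\x5d\x83\xcf\x1a\x96\xf8\xef\xb7\x68\xb8\xe5\x57\x8c\x1c\x46\xc3\xe5\x17\x9a\xee\xf0\xbe\xd3\xef\xa6\xed\x2b\xa8\xac\xce\x44\xd9\xf2\x7a\x48\x7e\xda\xf3\xb2\x80\x26\x07\xa7\x27\xb8\x82\x58\x88\x4b\x6a\x6e\xb2\x16\xc0\x94\xb9\xbb\x1e\x47\xbe\xa7\x54\x0e\xa6\xce\x9d\xde\x95\x6a\x88\x0a\xe5\xf7\x7e\xd5\x04\xbb\xde\xa7\x8c\x6a\x98\xed\xf4\xdb\x11\xfd\x0c\xc8\xda\x09\xaf\xa4\x19\x8f\xb1\xa5\xae\xdb\xbc\xe1\xc4\xf9\xab\x0c\xd3\xd9\xf5\x99\xa5\x0d\xc5\xee\x28\xab\x89\x1b\x75\x17\x4a\xe7\x14\xa5\x0d\x2d\xba\x7e\x25\xd9\xff\x8a\x72\xd4\x00\xdd\x82\x50\x70\xc0\x39\x94\xfc\xd8\x17\x2a\x48\xa1\x3b\x8c\x9c\xa2\xfc\x04\x3e\x6c\x87\x43\x14\x85\x76\xa4\x09\x0f\xab\x59\x57\x00\x53\x42\x2c\xba\x69\x00\xf5\xd9\x1d\x9b\x0b\x24\x2d\x5f\xeb\xf1\x78\x8d\x2a\xa9\xa5\x55\x30\x5e\x0d\x99\x54\xf0\xf3\x17\x04\x45\xa9\xc1\x80\x8d\x5e\x7f\x5c\xec\x52\x8f\x1a\x35\x2d\xb8\x85\xdb\xd9\x89\x85\xc7\x16\xac\x04\x83\xe3\x49\x44\x40\xb2\x39\xa5\x6b\xc5\x4c\xee\x54\xf0\xe0\x26\x50\x8f\xd8\x5f\x27\x06\xa1\x33\x32\xfb\x7a\xba\xf0\x05\x16\xb4\x66\x48\x91\xfe\xc2\x67\x11\xa4\x58\xe2\x67\x97\x12\x6e\x9a\x7c\x8a\x02\x16\x2f\xb6\x55\x1d\x1f\xcf\x25\xad\x7b\xad\x01\x4f\x34\xef\xe7\x25\x0f\x49\x04\xfb\x4b\xea\xf6\x00\x42\x5e\xef\xa9\xd9\x31\xf7\x73\xb1\x56\x71\x4c\xe8\x0b\x05\x3f\xa8\x1f\x36\x7d\x7a\x76\x8c\x94\xbe\x5d\xa8\xa9\x13\x72\x17\x83\xe8\x39\x28\x47\x25\x4e\x62\x53\xad\x67\xfc\x48\x18\xaf\xc4\xad\xe1\xe0\x76\x6c\xac\xbb\x38\x37\x6c\x3c\xd4\x9d\x02\xba\x07\xc7\xc1\xca\xad\xa8\xff\x29\x91\x3a\x19\x21\x38\xbe\x33\x54\x26\xfa\x61\xd9\x70\xba\xe1\xe2\x42\x00\xdf\xaf\x05\xd6\x4e\xd8\xeb\xa3\x7d\xd6\x36\xbd\xb1\x44\xfe\x3b\xd6\x64\x6e\xdd\x5b\xbe\x68\x91\x4b\xca\xb6\xea\xdd\x98\x49\x53\x32\x30\xe2\xde\x5a\x78\x2f\x67\x5e\x88\x11\x8d\x42\x59\xc4\xd6\xce\xae\x47\x55\x78\xfe\xb3\xfa\xaa\xd3\x55\x6d\x9f\xb8\xb8\xc7\x5c\x47\x00\x24\x39\xe6\xd5\x87\x52\x0b\x7c\xe9\xc9\x7f\x92\x45\xdd\xe4\xd1\xe2\xa5\x3c\x1c\x3d\xf5\x2a\x44\xa6\xa6\x98\xe8\x33\xab\x97\x4c\x86\x29\x32\xd1\x88\x22\x6f\x5d\x45\x2f\xe9\x06\x74\xa0\x20\x19\x60\x08\xc6\x27\x6f\xc3\xe2\x74\xf6\x6f\x6d\x57\x0e\x33\xb8\xab\x05\x69\x05\x54\xfb\x1b\x49\xfd\xa8\xe7\x3f\x6b\xa6\x4f\x5a\xec\x9e\x71\xe8\xe9\x26\xfb\x32\xaa\x45\x96\xeb\xcf\x15\x0f\xbc\x33\x7f\xf9\x3a\xef\x5c\xcb\xba\x2b\xac\x9a\xa1\x8a\xfa\x72\x37\x17\x77\x5f\x0d\x8d\xda\x2a\x5b\x97\xa6\x70\xee\xf7\xc7\x81\x74\x8c\x9f\x49\x21\xaa\xe4\x7d\xc6\xfb\xb7\x95\xc2\x56\xe2\x3f\xa0\xe3\xc8\xcf\x96\x0f\xa6\xeb\xa7\xf5\x12\x8a\x6b\xac\xe5\x22\xc7\xfd\xf5\x38\xcf\x17\x7d\x93\x38\x6d\x92\xb3\x6f\xa1\x50\xd2\x5a\x2d\x93\x71\xf2\x61\xf5\xf2\x69\x76\x7b\xec\xd9\x1c\x0c\x82\x97\xfc\x2c\x71\xb4\x7b\x2d\xa2\x89\x92\xf2\x12\x69\x2e\xac\x6f\x92\xc5\xc5\x6b\x08\x94\x09\xeb\x3b\x7e\x8a\xcb\x58\x12\x9c\x1a\x6c\xcf\xf6\xe8\x41\xb5\xe7\x66\x4f\x86\x94\x92\x69\x02\xe2\x41\x26\x0c\xf4\xdb\x67\x40\x09\x70\x0e\x2c\x2a\x1d\xf3\xfe\x72\xb2\x8a\x8f\x0c\x4e\x23\x0b\x87\xd3\x9f\x6d\xfb\x7b\x65\xa6\xe0\x72\xe6\x62\x76\x3b\x84\xcd\xea\x2d\x60\x39\x36\x67\xef\x59\x91\xd0\x50\xb8\xd1\xbf\x28\x8c\x8c\xfd\x2f\xbf\x41\x7e\xbd\xc2\x30\xd5\xe6\x23\xe9\x29\x25\x37\x10\xf4\xaa\xb3\x72\xca\xa6\x8d\x10\x83\x4b\x7a\x71\x61\x5c\x08\x53\x29\x2c\xe3\x6a\xcf\x8c\x09\x63\x32\x61\x18\x96\xf6\xe1\x93\x7e\xa4\xc0\x9e\x2d\x06\xf5\xd8\xc0\x96\x42\x72\xf1\xe4\x1b\xaa\x69\xb3\x5a\xb2\x06\x32\xe8\x7b\xe9\x4a\x3c\x75\xb9\x5a\xd3\xc3\x75\x23\xe1\x66\x2f\x30\x7d\xeb\xcf\x3a\x25\x70\xbd\xe2\x25\x59\x7b\x2e\x1b\x3c\xbd\xf7\x00\xc6\x56\xee\x88\x15\xc0\xd2\x44\x9c\x65\xd4\x83\xdc\xaf\x1d\xdd\x54\x55\xa4\xa7\xb1\x87\x21\xb1\xfd\xa6\xb9\x59\x42\x72\x9c\x8d\x81\xdb\x9c\x78\xe5\x1d\xc5\x5e\x7c\x93\x2b\x95\x87\xa2\x82\x9a\x94\xb0\x9a\xd6\x55\x79\x7e\x67\xf2\xa3\x53\xe2\x13\x4f\xad\xe4\x4c\xcd\x63\xf3\xe4\xe4\x37\x76\xf4\x24\x4c\xd9\x07\x0c\x69\x9f\xfd\xec\x0a\x17\x3b\xd8\x37\x82\x8b\x7d\x43\x13\x83\xa3\xd9\x2e\xac\xbf\x03\x16\xb5\xe7\xa5\xad\xef\x96\xc8\xdd\xbc\x32\x50\xca\xa0\x6f\x1e\x16\xc4\x0f\xaf\xe3\x2e\x01\xd4\x1e\xb6\x2b\x54\xaf\x2d\x18\x93\xea\x48\xc3\x60\x74\x1e\x6c\x61\x44\x5a\x4e\xdd\xbd\x65\x86\x8f\x77\xbc\xb1\x4e\x26\x28\x4b\xc0\x63\x1d\xeb\x7b\x66\x2a\x30\xf5\x3f\x2d\x14\x90\x27\xb9\xd7\x57\xb4\x19\x9c\xda\xc8\x11\xf5\x61\xb7\xc5\x7e\x62\x59\x8d\x96\x98\x06\x37\xf5\xcb\x8e\x7c\x5b\xbe\xcb\xa1\xf3\x6f\x15\x56\xb3\x27\x7f\x9a\x82\x22\x87\x53\x66\xaa\x33\x85\x52\x7c\xcc\x68\xe6\x8a\x21\xaa\x68\xad\x99\x3a\xb5\xa4\x67\x24\x17\x2d\x00\x58\x9f\x94\xf8\x01\x58\x9f\x1b\x1b\x26\x81\x97\xc3\x9e\xeb\x2b\x5b\xe5\xe4\x81\x27\x95\x19\x36\xf2\x8b\xf0\x54\x85\x78\x83\x0a\x94\x1d\x5e\xa3\x12\xab\x2b\x4f\x0f\xfa\x0e\x99\x8e\x7e\xc6\x26\x40\xb7\xaf\xd1\x2b\xc4\xee\x89\x84\xa4\xb0\x91\x46\x22\x70\x0a\xd8\xf9\xd8\x63\x9f\xd9\x5d\x6c\xa2\x91\x98\xd0\xf8\xde\x57\xb4\xba\x48\x4d\x56\x41\x22\x43\x0d\x95\x07\xe7\xb1\x4d\xb5\x86\x0b\x41\x1d\xfe\xea\x89\x84\x3d\xa4\xab\xce\x41\xef\x92\x2d\x06\xe2\x5a\x71\xea\x47\x90\x9c\xcf\xc0\x82\x3d\x8c\xed\xdf\x0b\x6e\x46\x29\x76\x25\x38\x26\x0d\x0e\x85\x14\xcf\x86\x01\x0b\xed\xb6\xbd\x2a\x82\xce\x35\x6f\x6f\xa2\xf1\x1b\x72\xca\x4c\xa9\x36\x02\x10\xd8\x20\x6b\x4a\x99\xa2\x05\x70\xbb\xaf\xb0\x90\x16\xba\x78\xdc\xa2\xc0\xf6\xf3\x37\x6d\xb8\x0b\x6a\xd4\x18\x54\x3c\x28\xb9\xe2\x30\x13\x87\x3e\xed\xe9\x44\x8e\x02\x45\x9c\xc5\x35\x16\x56\x45\x0f\x20\x27\xdd\x48\xab\x06\xdd\xaa\x52\x1c\x6e\xac\xa1\xe5\xa3\x63\xfd\xa4\xc4\x30\x55\xe8\xca\x01\x2e\xe5\x4e\xd7\xf0\x16\x7b\x9c\x29\x52\x94\x7a\x15\xe7\xc9\x67\xc5\x4c\x0d\xa9\xc0\xd6\x4a\xb6\x95\x46\xc4\x57\x12\x57\x06\x2a\x0b\x05\x5c\x39\xe3\x3f\xba\x8d\x56\xce\x54\x3a\x80\x16\x62\x4c\xf0\x0d\xa5\x81\xed\xc4\x23\x3c\x50\x90\x97\xf4\xf1\x3b\xa7\x47\x75\xd7\x6a\xc5\xe7\xd4\x8c\x5e\xbe\x4a\x41\x0d\xe2\x38\x34\xb2\x41\x5b\x26\x30\x84\x60\x59\xa4\xe5\x78\x4e\xff\x32\xb9\xc6\x49\x1a\xe6\x23\x82\x2a\x3d\x1a\x74\x8c\x54\x8a\x6a\xd2\xc1\xd9\x55\xed\xce\x0e\x89\x52\xb2\x1a\x2a\xde\x29\xb3\x86\x71\xa0\x2e\xdc\xd0\x2c\x57\x6e\x30\xda\xe0\x87\x70\x39\x3b\xa7\x80\x85\x04\xfb\x9a\x56\x57\xb0\x64\x72\xa2\x47\x2f\xf5\xc7\xf7\xae\x7a\x24\x16\x27\xe4\x3e\x75\x00\xbc\x6c\xed\xe2\xd0\x67\xaa\xc3\x9b\x90\x61\xb0\x48\x6b\x1e\xd0\x4c\x33\x50\x56\x17\x56\xd7\xf2\x0a\x37\xa1\xb5\x49\x20\xc5\x27\x9d\xf4\xb3\x2b\x03\x7f\x9a\x47\x87\x51\x3d\x1f\xa3\x94\x74\x4e\x31\x6c\x00\xef\x99\xfd\xff\xa1\x0d\xb6\xf8\x75\xeb\x53\x2d\x74\xaa\x45\x60\x73\x26\x0a\xe2\xc6\x17\xf0\x4e\x06\x5b\x52\xac\xdb\xc3\x45\xdb\xd7\xfd\xe3\x10\x99\x76\xa7\x4c\xc9\x69\xe0\x7d\x5b\x84\x13\xa4\x37\x1b\x5a\xf0\x85\x04\x16\xe3\x95\x19\x2e\x11\x38\x64\x35\xe7\xfd\x6e\xac\xe3\x58\xd3\x4c\x4f\xf7\x3d\x09\xbf\xf8\xe6\xfe\x95\x76\xf8\x64\xaf\xd3\x79\x82\x36\x20\x4a\x33\x71\xc9\x0b\xf9\x91\xe5\x0a\xe8\xf0\x14\x48\x27\x57\xae\xa8\xd2\x23\xe3\x46\x51\xb9\xd4\x56\xc7\x8c\xc0\x80\xb8\x03\x06\x40\x79\x5d\x35\xfc\x2a\x3f\x85\x3e\xe4\xc3\x30\x69\x8b\x9b\x5d\x75\xe0\x78\xac\x50\xc8\x3f\x2f\x06\x22\xb6\xac\xcb\xf4\x7c\xed\x82\x0b\x3a\xb0\x2b\x96\xb9\x09\x85\x55\xe2\x09\xed\xdd\xff\xd7\x84\x92\xac\x75\x7e\x0e\x00\x0f\x60\x50\x49\x9f\xa8\x92\xba\xcc\x24\xb2\xd0\xf1\x3a\x6f\xfe\xe5\x14\x4b\xe7\xd3\xd0\x94\xfe\x0a\x33\xe4\xd5\x76\x8a\xb2\x5a\xf6\x01\x20\x8b\xe5\x37\xfe\xc8\xc7\xb8\x2b\x61\xe5\x0b\x95\x66\xc5\x46\x70\x41\x08\x2f\x3d\x22\xfa\x81\x40\x4a\x75\x85\x06\x7b\x9d\xac\x58\x78\x1b\xff\x9f\x3e\x89\x66\x97\xd5\x4c\x33\xdf\x12\xb2\x16\x8c\x04\xd8\xec\x33\x1f\x7f\x0f\x35\xc2\x7a\x31\x8c\xdd\xeb\x36\x2a\x99\xcf\x61\x8f\xf4\x84\x62\xcb\x5e\x9c\xbb\xd4\xbc\x85\xac\x4d\x18\xf1\x4c\x2c\xbf\xd4\x07\x67\x40\x63\x99\xee\xc7\xa9\x0c\x6d\x53\xb2\x8a\x91\x1a\x16\x15\x12\x16\x7f\x6c\x5c\x34\x10\x82\xb5\xfd\xf5\xf5\xc0\xc6\x93\x25\x30\xe9\x89\x15\x07\xf5\xdd\xf0\xa5\x19\x9b\x63\x3e\x21\x68\x4b\x7a\x32\x79\xdb\x16\x12\x1c\xb5\xe6\x4d\xf3\x61\x7c\xc7\xd3\xe5\x80\x4a\xc7\x0f\x1a\x19\xb9\xc3\x53\x93\xf7\xf1\xf2\x7a\x73\x1c\x55\x74\x09\x86\xa9\x4f\x5d\x98\x87\x1d\x75\x8a\x81\xe6\xe9\x54\x18\x69\x74\xb0\x98\x54\x91\x19\xb8\xfa\xab\xfa\xd1\x51\xe7\x6b\x1f\xa1\x4f\xf6\x06\x5e\x86\xf3\x5e\x35\x0d\xb3\xf6\xff\x82\x4a\xbc\xef\x7a\x6a\xb9\xec\x88\x5d\xbf\xd6\xf9\x6b\x3a\xcd\x0d\x7c\x06\x7f\x71\x98\xba\x5e\x90\xa7\x54\x42\x85\x46\xef\x07\x92\x37\xea\x99\xa5\x7d\x98\x2d\x48\x26\x22\x2d\x1f\x07\x82\xd6\x59\x30\x63\x69\x36\xd0\x2f\x98\xd2\x44\x00\x52\x45\xac\x81\x19\xae\xea\x3b\x55\x9e\xff\x80\x22\xba\x50\xb0\x42\x02\xe1\x85\x2a\xf0\x08\x0a\x92\xfd\x90\xb0\xe5\xa5\x51\x32\xc9\x18\x4a\xdc\x70\x6b\xe1\xd5\xc7\xb0\x2c\xba\x50\x4b\xee\xbe\x0d\x89\xdc\xe7\xcd\x76\xd6\xbf\x9a\x35\x1d\x79\xbb\xd3\xb2\x2e\xd8\x13\xf3\x78\xb6\xd9\xc2\xd8\xcb\x1b\x08\xa8\xb6\x8d\xed\x56\x10\xb3\x82\xae\xdd\x07\x40\x26\x37\x8c\x96\xea\x44\xdf\xff\xe3\x60\x5d\xea\x2c\x46\x63\x37\xdb\x3a\xb4\x74\x1f\x88\x37\x90\x1c\xfc\x84\x47\x33\xdf\x69\x28\x99\x7f\x1a\xf6\x15\xf6\x8f\xdb\xf0\x46\x26\x52\x5c\xb3\x0d\xbc\x78\xee\xdc\xbe\x3b\x8a\x39\x27\x97\xad\x65\xe4\xaf\x82\x23\x25\x92\x5c\x0e\x0d\xea\xf1\x17\x9c\xd3\xec\x0a\x9e\x3e\xbb\xe3\x54\x99\xb0\xf8\x1c\x2b\xe0\x6a\xb8\x89\x0d\x21\x8b\x6d\x17\x00\x17\x66\x51\xce\xa9\x98\x95\xc2\x3e\xfc\x10\xce\xf8\x4a\xc9\x8e\xf1\x2a\x18\x88\x4e\x8c\x7d\x57\xea\xa3\x31\xae\x90\xea\x16\x4a\xb6\xbb\x86\xfa\x73\xfc\x9e\xf6\x70\x4e\xd4\x1e\x20\xc2\xe8\x76\xe0\xa0\xea\xc6\xc2\x52\x8f\xb5\x58\x34\x14\xc2\x3d\x4a\xf5\x48\x0b\x95\x20\x95\xd0\xbd\x1e\x6b\x2d\xea\x52\x97\xaa\xa2\xe0\x4b\x3a\xa9\x10\x9f\xff\x0f\x5f\x9e\xf5\xfb\xad\x1e\x39\x29\x6e\x9c\xba\x25\xec\x80\x35\xb9\x89\xa7\x0f\x33\xba\x30\xe0\xe1\x5c\xaf\x82\xb5\x80\x11\x0b\x91\xbf\x45\xf6\x9a\xd1\x72\xaa\x04\xa9\x95\x1d\xb1\xc6\x02\x1f\x2a\x9f\x64\x96\xd5\x91\xdd\x1d\xda\xf1\x01\x5b\xac\x35\x25\xe7\x77\x6f\xbc\xf3\x3d\x14\x10\x12\xbb\x3f\x6f\x04\x23\xbd\xd7\xb1\x6e\x6e\xfd\xfd\x2e\x5f\x3f\xf0\xa4\xa9\x5e\x48\x8b\x9b\xbd\x93\x12\x88\xf1\x37\x78\xff\x60\xfd\x28\xb5\xad\xfa\x0c\x27\x6e\x94\x86\xd2\x9f\xc3\x94\xf4\xe8\xb7\x67\xb3\xee\x9f\xea\x14\xb0\xa6\xd3\x00\x2d\xba\x74\xbf\xa8\xb6\x46\xe0\x15\xd8\x1a\x15\xaa\xb1\x7b\xc0\x36\x86\x3f\x89\xfa\x91\xa4\x84\x8a\x8a\x66\xf5\xf6\xfd\xd4\x94\xfe\x85\xef\x86\x76\x9c\xb8\x55\xd1\xf6\x6a\x18\x1c\x54\x50\x3c\x63\x20\xb5\x7e\x03\xe2\x51\x01\x3c\x30\x00\xf0\x66\xd5\x9f\x76\x86\x68\x58\x98\x74\x0c\x19\xb2\x14\x08\x23\xa3\xf3\xb9\x60\xa8\x32\x3d\x38\x97\x93\x2a\x57\xbe\xfc\xcb\x00\x83\x95\x15\x8d\xb5\x61\x4a\x04\x45\xc5\x11\x9b\x35\x04\xcb\x54\xa9\x71\x6f\x11\xb0\x28\x3d\x75\xa9\x9f\x44\x24\x33\x4a\x61\x74\x0a\xd1\x2e\x25\x4e\x38\x24\x28\x96\x4c\x69\xfc\x8a\x4c\x6a\xdc\xf9\x07\xc0\x5d\x95\x53\xfc\x2a\x09\x61\x14\x39\xac\xb9\x58\xa9\x9f\x56\x39\x22\x41\xe7\x66\xe5\x2c\x26\x6b\xae\xef\xd9\xb6\x01\x26\x19\xcc\x6a\x22\x67\x9a\x38\x1f\x18\x61\xb2\x97\xe1\x7f\xb7\x57\x44\x9b\x4d\x73\xc6\x86\xc4\xf4\x99\x60\xf3\x34\x22\x65\xc4\xe2\x05\x54\x7f\x49\xb4\xbd\x46\x82\xc0\x91\x2b\x6a\x29\xab\x59\xc2\xbd\x57\xd3\x29\xbf\xae\x40\x31\x40\xc4\x1b\x94\xb2\x69\xda\x89\x2c\x6d\x78\xb7\xda\x23\x01\x90\x49\x3c\x6d\x94\x97\x82\xc2\xbc\x53\x28\xe4\xd2\xc0\x5d\xd0\x1d\xd0\xd0\x84\xdd\x8a\xae\x39\x1f\x31\x29\x61\xa6\xb2\x5b\x92\x88\xb3\x20\x6d\x1f\xa3\xee\xa4\x36\x1d\x53\x68\x08\xad\x8d\x96\xf3\x0b\xa9\x06\x00\x00\x00\x00\x00\x00\x00\x42\xb4\x93\xe2\xe6\x4d\x70\xa3\xe3\x1c\x8c\xac\x31\x1f\x8d\x3c\xdd\x88\xcc\x7f\x1d\x3a\xc5\x36\xc2\xba\x29\xd5\xaf\x1b\xe6\x7c\xcb\x2f\x51\x76\xae\x7e\xeb\xd1\xbf\x27\x6e\x8d\xf7\x00\x62\x2f\x29\x9a\xcf\xca\xeb\x9d\x7b\x42\xad\x7a\xe4\x8f\x27\x0f\x90\x80\x07\xa5\x52\x35", 3840));
        r[32] = execute_syscall(__NR_sendto, r[1], 0x2001b000ul, 0xf00ul, 0x40000ul, 0x2001b000ul, 0x0ul, 0, 0, 0);
        break;
    case 8:
        /*
         * struct msghdr at 0x2001c000 (x86-64 field offsets: name/namelen/
         * iov/iovlen/control/controllen/flags): 12-byte name at 0x20023ff4,
         * empty iov, control buffer at 0x20022ed0 with controllen 9.
         * The control buffer is then filled with a run of cmsghdr-shaped
         * records (len/level/type followed by data) carrying the descriptors
         * r[16] and r[1]; level 1 / type 1 and type 2 look like
         * SOL_SOCKET/SCM_RIGHTS and SCM_CREDENTIALS on Linux — confirm.
         * Finally sendmsg() is issued on r[16] with flags 0x20000000.
         */
        NONFAILING(*(uint64_t*)0x2001c000 = (uint64_t)0x20023ff4);
        NONFAILING(*(uint32_t*)0x2001c008 = (uint32_t)0xc);
        NONFAILING(*(uint64_t*)0x2001c010 = (uint64_t)0x20024000);
        NONFAILING(*(uint64_t*)0x2001c018 = (uint64_t)0x0);
        NONFAILING(*(uint64_t*)0x2001c020 = (uint64_t)0x20022ed0);
        NONFAILING(*(uint64_t*)0x2001c028 = (uint64_t)0x9);
        NONFAILING(*(uint32_t*)0x2001c030 = (uint32_t)0x1);
        NONFAILING(*(uint16_t*)0x20023ff4 = (uint16_t)0x0);
        NONFAILING(*(uint16_t*)0x20023ff6 = (uint16_t)0x0);
        NONFAILING(*(uint32_t*)0x20023ff8 = (uint32_t)0x20);
        NONFAILING(*(uint32_t*)0x20023ffc = (uint32_t)0x6);
        NONFAILING(*(uint64_t*)0x20022ed0 = (uint64_t)0x20);
        NONFAILING(*(uint32_t*)0x20022ed8 = (uint32_t)0x1);
        NONFAILING(*(uint32_t*)0x20022edc = (uint32_t)0x2);
        NONFAILING(*(uint32_t*)0x20022ee0 = (uint32_t)0x0);
        NONFAILING(*(uint32_t*)0x20022ee4 = (uint32_t)0x0);
        NONFAILING(*(uint32_t*)0x20022ee8 = (uint32_t)0x0);
        NONFAILING(*(uint64_t*)0x20022ef0 = (uint64_t)0x28);
        NONFAILING(*(uint32_t*)0x20022ef8 = (uint32_t)0x1);
        NONFAILING(*(uint32_t*)0x20022efc = (uint32_t)0x1);
        NONFAILING(*(uint32_t*)0x20022f00 = r[16]);
        NONFAILING(*(uint32_t*)0x20022f04 = r[16]);
        NONFAILING(*(uint32_t*)0x20022f08 = r[16]);
        NONFAILING(*(uint32_t*)0x20022f0c = r[1]);
        NONFAILING(*(uint32_t*)0x20022f10 = r[1]);
        NONFAILING(*(uint64_t*)0x20022f18 = (uint64_t)0x30);
        NONFAILING(*(uint32_t*)0x20022f20 = (uint32_t)0x1);
        NONFAILING(*(uint32_t*)0x20022f24 = (uint32_t)0x1);
        NONFAILING(*(uint32_t*)0x20022f28 = r[16]);
        NONFAILING(*(uint32_t*)0x20022f2c = r[16]);
        NONFAILING(*(uint32_t*)0x20022f30 = r[1]);
        NONFAILING(*(uint32_t*)0x20022f34 = r[16]);
        NONFAILING(*(uint32_t*)0x20022f38 = r[1]);
        NONFAILING(*(uint32_t*)0x20022f3c = r[16]);
        NONFAILING(*(uint32_t*)0x20022f40 = r[16]);
        NONFAILING(*(uint64_t*)0x20022f48 = (uint64_t)0x20);
        NONFAILING(*(uint32_t*)0x20022f50 = (uint32_t)0x1);
        NONFAILING(*(uint32_t*)0x20022f54 = (uint32_t)0x2);
        NONFAILING(*(uint32_t*)0x20022f58 = (uint32_t)0x0);
        NONFAILING(*(uint32_t*)0x20022f5c = (uint32_t)0x0);
        NONFAILING(*(uint32_t*)0x20022f60 = (uint32_t)0x0);
        NONFAILING(*(uint64_t*)0x20022f68 = (uint64_t)0x20);
        NONFAILING(*(uint32_t*)0x20022f70 = (uint32_t)0x1);
        NONFAILING(*(uint32_t*)0x20022f74 = (uint32_t)0x2);
        NONFAILING(*(uint32_t*)0x20022f78 = (uint32_t)0x0);
        NONFAILING(*(uint32_t*)0x20022f7c = (uint32_t)0x0);
        NONFAILING(*(uint32_t*)0x20022f80 = (uint32_t)0x0);
        NONFAILING(*(uint64_t*)0x20022f88 = (uint64_t)0x18);
        NONFAILING(*(uint32_t*)0x20022f90 = (uint32_t)0x1);
        NONFAILING(*(uint32_t*)0x20022f94 = (uint32_t)0x1);
        NONFAILING(*(uint32_t*)0x20022f98 = r[1]);
        NONFAILING(*(uint64_t*)0x20022fa0 = (uint64_t)0x20);
        NONFAILING(*(uint32_t*)0x20022fa8 = (uint32_t)0x1);
        NONFAILING(*(uint32_t*)0x20022fac = (uint32_t)0x2);
        NONFAILING(*(uint32_t*)0x20022fb0 = (uint32_t)0x0);
        NONFAILING(*(uint32_t*)0x20022fb4 = (uint32_t)0x0);
        NONFAILING(*(uint32_t*)0x20022fb8 = (uint32_t)0x0);
        NONFAILING(*(uint64_t*)0x20022fc0 = (uint64_t)0x20);
        NONFAILING(*(uint32_t*)0x20022fc8 = (uint32_t)0x1);
        NONFAILING(*(uint32_t*)0x20022fcc = (uint32_t)0x2);
        NONFAILING(*(uint32_t*)0x20022fd0 = (uint32_t)0x0);
        NONFAILING(*(uint32_t*)0x20022fd4 = (uint32_t)0x0);
        NONFAILING(*(uint32_t*)0x20022fd8 = (uint32_t)0x0);
        NONFAILING(*(uint64_t*)0x20022fe0 = (uint64_t)0x20);
        NONFAILING(*(uint32_t*)0x20022fe8 = (uint32_t)0x1);
        NONFAILING(*(uint32_t*)0x20022fec = (uint32_t)0x2);
        NONFAILING(*(uint32_t*)0x20022ff0 = (uint32_t)0x0);
        NONFAILING(*(uint32_t*)0x20022ff4 = (uint32_t)0x0);
        NONFAILING(*(uint32_t*)0x20022ff8 = (uint32_t)0x0);
        r[102] = execute_syscall(__NR_sendmsg, r[16], 0x2001c000ul, 0x20000000ul, 0, 0, 0, 0, 0, 0);
        break;
    default:
        break;
    }
    return 0;
}

/*
 * One test run inside a loop() child. Resets r[] to -1, then starts the
 * nine program steps as threads twice: the first pass spaced 10 ms apart,
 * the second pass with random jitter so the steps race each other. Threads
 * are never joined — after a 100 ms grace period the child exits via
 * doexit() in loop(), taking any still-running thread with it.
 * pthread_create() results are intentionally unchecked (best effort).
 */
static void test(void)
{
    pthread_t th[18];
    syscall(SYS_write, 1, "executing program\n", strlen("executing program\n"));
    memset(r, -1, sizeof(r));
    srand(getpid());
    for (long i = 0; i < 9; i++) {
        pthread_create(&th[i], 0, thr, (void*)i);
        usleep(10000);
    }
    for (long i = 0; i < 9; i++) {
        pthread_create(&th[9 + i], 0, thr, (void*)i);
        if (rand() % 2)
            usleep(rand() % 10000);
    }
    usleep(100000);
}

/*
 * Start four independent worker processes, each with its own scratch
 * directory and setuid sandbox, then park the parent. A worker returns 0
 * once its sandbox child has been reaped; a failed fork() here is silently
 * skipped (best effort, as in the original).
 */
int main(void)
{
    for (int i = 0; i < 4; i++) {
        if (fork() == 0) {
            setup_main_process();
            int pid = do_sandbox_setuid(i, false);
            int status = 0;
            while (waitpid(pid, &status, __WALL) != pid) {
            }
            return 0;
        }
    }
    sleep(1000000);
    return 0;
}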